def main():
"""Main function
"""
params = demisto.params()
# handle params
url = "https://www.threathq.com"
credentials = params.get("credentials", {})
auth = (credentials.get("identifier"), credentials.get("password"))
verify = not params.get("insecure")
proxy = params.get("proxy")
threat_type = params.get("threat_type")
client = Client(url, auth=auth, verify=verify, proxy=proxy, threat_type=threat_type)
demisto.info(f"Command being called is {demisto.command()}")
try:
if demisto.command() == "test-module":
return_outputs(*test_module(client))
elif demisto.command() == "fetch-indicators":
begin_time, end_time = build_fetch_times(params.get("fetch_time", "3 days"))
indicators = fetch_indicators_command(client, begin_time, end_time)
# Send indicators to demisto
for b in batch(indicators, batch_size=2000):
demisto.createIndicators(b)
elif demisto.command() == "cofense-get-indicators":
# dummy command for testing
readable_outputs, raw_response = get_indicators_command(client, demisto.args())
return_outputs(readable_outputs, {}, raw_response=raw_response)
except Exception as err:
return_error(f"Error in {INTEGRATION_NAME} integration:\n{str(err)}\n\nTrace:{traceback.format_exc()}")
def main():
"""
PARSE AND VALIDATE INTEGRATION PARAMS
"""
params = demisto.params()
base_url = params.get("url")
insecure = not params.get("insecure", False)
proxy = params.get("proxy", False)
command = demisto.command()
demisto.info(f"Command being called is {command}")
try:
client = Client(base_url=base_url, verify=insecure, proxy=proxy, )
commands: Dict[
str, Callable[[Client, Dict[str, str], Dict[str, str]], Tuple[str, Dict[Any, Any], Dict[Any, Any]]]
] = {"test-module": test_module, "zoom-get-indicators": get_indicators_command}
if command in commands:
return_outputs(*commands[command](client, demisto.params(), demisto.args()))
elif command == "fetch-indicators":
indicators = fetch_indicators_command(client, demisto.params())
for iter_ in batch(indicators, batch_size=2000):
demisto.createIndicators(iter_)
else:
raise NotImplementedError(f"Command {command} is not implemented.")
except Exception as err:
err_msg = f"Error in {INTEGRATION_NAME} Integration. [{err}]"
return_error(err_msg)
def main():
params = demisto.params()
args = demisto.args()
base_url = "https://rules.emergingthreats.net/"
client = Client(
base_url=base_url,
auth_code=params.get("auth_code"),
verify=not params.get("insecure", False),
proxy=params.get("proxy"),
)
command = demisto.command()
demisto.info("Command being called is {}".format(command))
# Switch case
try:
if command == "fetch-indicators":
indicators = fetch_indicators_command(client,
params.get("indicator_type"))
# we submit the indicators in batches
for b in batch(indicators, batch_size=2000):
demisto.createIndicators(b)
elif command == "test-module":
return_outputs(
module_test_command(client, params.get("indicator_type")))
elif command == "proofpoint-get-indicators":
readable_output, outputs, raw_response = get_indicators_command(
client, args)
return_outputs(readable_output, outputs, raw_response)
except Exception as e:
return_error(
f"Error in {SOURCE_NAME} Integration - Encountered an issue with createIndicators"
if "failed to create" in
str(e) else f"Error in {SOURCE_NAME} Integration [{e}]")
def main():
max_indicators = get_limit(
demisto.params().get("maxIndicators", MAX_INDICATORS), MAX_INDICATORS)
SESSION.proxies = handle_proxy()
client = SixgillFeedClient(demisto.params()["client_id"],
demisto.params()["client_secret"],
CHANNEL_CODE,
FeedStream.DVEFEED,
bulk_size=max_indicators,
session=SESSION,
logger=demisto,
verify=VERIFY)
command = demisto.command()
demisto.info(f"Command being called is {command}")
tags = argToList(demisto.params().get("feedTags", []))
tlp_color = demisto.params().get("tlp_color")
commands: Dict[str, Callable] = {
"test-module": module_command_test,
"cybersixgill-get-indicators": get_indicators_command
}
try:
if demisto.command() == "fetch-indicators":
indicators = fetch_indicators_command(client,
tags=tags,
tlp_color=tlp_color)
for b in batch(indicators, batch_size=2000):
demisto.createIndicators(b)
else:
readable_output, outputs, raw_response = commands[command](
client, demisto.args())
return_outputs(readable_output, outputs, raw_response)
except Exception as err:
demisto.error(traceback.format_exc())
return_error(
f"Error failed to execute {demisto.command()}, error: [{err}]")
def main():
"""
main function, parses params and runs command functions
"""
params = demisto.params()
base_url = urljoin(params.get('url').rstrip('/'), '/')
timeout = arg_to_number(params.get('timeout', 60))
insecure = not params.get('insecure', False)
proxy = params.get('proxy', False)
command = demisto.command()
args = demisto.args()
demisto.debug(f'Command being called is {command}')
try:
client = Client(base_url=base_url, verify=insecure, proxy=proxy, timeout=timeout)
if command == 'test-module':
return_results(test_module(client, params))
elif command == 'misp-feed-get-indicators':
return_results(get_attributes_command(client, args, params))
elif command == 'fetch-indicators':
indicators = fetch_attributes_command(client, params)
for iter_ in batch(indicators, batch_size=2000):
demisto.createIndicators(iter_)
else:
raise NotImplementedError(f'Command {command} is not implemented.')
except Exception as e:
demisto.error(traceback.format_exc())
return_error(f'Failed to execute {command} command.\nError:\n{str(e)}')
def main():
params = demisto.params()
url = params.get('url', 'https://public-dns.info/nameservers-all.txt')
tags = argToList(params.get('feedTags'))
tlp_color = params.get('tlp_color')
use_ssl = not params.get('insecure', False)
command = demisto.command()
demisto.info(f'Command being called is {command}')
try:
client = Client(url, tags, tlp_color, use_ssl)
commands: Dict = {
'test-module': test_module,
'public-dns-get-indicators': get_indicators_command
}
if command in commands:
return_outputs(*commands[command](client))
elif command == 'fetch-indicators':
indicators = fetch_indicators_command(client)
for iter_ in batch(indicators, batch_size=2000):
demisto.createIndicators(iter_)
else:
raise NotImplementedError(f'Command {command} is not implemented.')
except Exception as err:
err_msg = f'Error in {INTEGRATION_NAME} Integration. [{err}]'
return_error(err_msg)
def main():
params = demisto.params()
args = demisto.args()
url = 'https://cti-taxii.mitre.org'
proxies = handle_proxy()
verify_certificate = not params.get('insecure', False)
tags = argToList(params.get('feedTags', []))
tlp_color = params.get('tlp_color')
create_relationships = argToBoolean(params.get('create_relationships'))
command = demisto.command()
demisto.info(f'Command being called is {command}')
try:
client = Client(url, proxies, verify_certificate, tags, tlp_color)
client.initialise()
if demisto.command() == 'mitre-get-indicators':
get_indicators_command(client, args)
elif demisto.command() == 'mitre-show-feeds':
show_feeds_command(client)
elif demisto.command() == 'test-module':
test_module(client)
elif demisto.command() == 'fetch-indicators':
indicators = fetch_indicators(client, create_relationships)
for iter_ in batch(indicators, batch_size=2000):
demisto.createIndicators(iter_)
# Log exceptions
except Exception as e:
return_error(e)
def main():
"""
main function, parses params and runs command functions
"""
params = demisto.params()
# Get the service API url
base_url = params.get('url')
# If your Client class inherits from BaseClient, SSL verification is
# handled out of the box by it, just pass ``verify_certificate`` to
# the Client constructor
insecure = not params.get('insecure', False)
# If your Client class inherits from BaseClient, system proxy is handled
# out of the box by it, just pass ``proxy`` to the Client constructor
proxy = params.get('proxy', False)
command = demisto.command()
args = demisto.args()
# INTEGRATION DEVELOPER TIP
# You can use functions such as ``demisto.debug()``, ``demisto.info()``,
# etc. to print information in the XSOAR server log. You can set the log
# level on the server configuration
# See: https://xsoar.pan.dev/docs/integrations/code-conventions#logging
demisto.debug(f'Command being called is {command}')
try:
client = Client(
base_url=base_url,
verify=insecure,
proxy=proxy,
)
if command == 'test-module':
# This is the call made when pressing the integration Test button.
return_results(test_module(client))
elif command == 'helloworld-get-indicators':
# This is the command that fetches a limited number of indicators from the feed source
# and displays them in the war room.
return_results(get_indicators_command(client, params, args))
elif command == 'fetch-indicators':
# This is the command that initiates a request to the feed endpoint and create new indicators objects from
# the data fetched. If the integration instance is configured to fetch indicators, then this is the command
# that will be executed at the specified feed fetch interval.
indicators = fetch_indicators_command(client, params)
for iter_ in batch(indicators, batch_size=2000):
demisto.createIndicators(iter_)
else:
raise NotImplementedError(f'Command {command} is not implemented.')
# Log exceptions and return errors
except Exception as e:
demisto.error(traceback.format_exc()) # Print the traceback
return_error(f'Failed to execute {command} command.\nError:\n{str(e)}')
def main():
params = demisto.params()
feed_tags = argToList(params.get('feedTags'))
tlp_color = params.get('tlp_color')
target_countries = params.get('target_countries')
target_industries = params.get('target_industries')
custom_filter = params.get('custom_filter')
client = Client(params)
command = demisto.command()
demisto.info(f'Command being called is {command}')
# Switch case
commands = {
'test-module': test_module,
'crowdstrike-falcon-intel-get-indicators': get_indicators_command
}
try:
if demisto.command() == 'fetch-indicators':
indicators = fetch_indicators(client,
feed_tags,
tlp_color,
target_countries=target_countries,
target_industries=target_industries,
custom_filter=custom_filter)
# we submit the indicators in batches
for b in batch(indicators, batch_size=2000):
demisto.createIndicators(b)
else:
readable_output, outputs, raw_response = commands[command](
client, demisto.args(), feed_tags, tlp_color) # type: ignore
return_outputs(readable_output, outputs, raw_response)
except Exception as e:
raise Exception(f'Error in CrowdStrike falcon intel Integration [{e}]')
def main():
params = demisto.params()
client = Client(params.get('indicator_type'), params.get('api_token'),
params.get('sub_feeds'), params.get('risk_rule'),
params.get('fusion_file_path'), params.get('insecure'),
params.get('polling_timeout'), params.get('proxy'),
params.get('threshold'))
command = demisto.command()
demisto.info('Command being called is {}'.format(command))
# Switch case
commands = {
'test-module': test_module,
'rf-feed-get-indicators': get_indicators_command,
'rf-feed-get-risk-rules': get_risk_rules_command
}
try:
if demisto.command() == 'fetch-indicators':
indicators = fetch_indicators_command(client,
client.indicator_type, None)
# we submit the indicators in batches
for b in batch(indicators, batch_size=2000):
demisto.createIndicators(b)
else:
readable_output, outputs, raw_response = commands[command](
client, demisto.args()) # type:ignore
return_outputs(readable_output, outputs, raw_response)
except Exception as e:
err_msg = f'Error in {INTEGRATION_NAME} Integration [{e}] \n Traceback: {traceback.format_exc()}'
return_error(err_msg)
def feed_main(feed_name, params=None, prefix=''):
if not params:
params = assign_params(**demisto.params())
if 'feed_name' not in params:
params['feed_name'] = feed_name
client = Client(**params)
command = demisto.command()
if command != 'fetch-indicators':
demisto.info('Command being called is {}'.format(command))
if prefix and not prefix.endswith('-'):
prefix += '-'
# Switch case
commands: dict = {
'test-module': test_module,
f'{prefix}get-indicators': get_indicators_command
}
try:
if command == 'fetch-indicators':
indicators = fetch_indicators_command(client,
params.get('indicator_type'))
# we submit the indicators in batches
for b in batch(indicators, batch_size=2000):
demisto.createIndicators(b)
else:
args = demisto.args()
args['feed_name'] = feed_name
readable_output, outputs, raw_response = commands[command](client,
args)
return_outputs(readable_output, outputs, raw_response)
except Exception as e:
err_msg = f'Error in {feed_name} integration [{e}]\nTrace\n:{traceback.format_exc()}'
return_error(err_msg)
def feed_main(feed_name, params=None, prefix=''):
if not params:
params = {k: v for k, v in demisto.params().items() if v is not None}
handle_proxy()
client = Client(**params)
command = demisto.command()
if command != 'fetch-indicators':
demisto.info('Command being called is {}'.format(command))
if prefix and not prefix.endswith('-'):
prefix += '-'
# Switch case
commands: dict = {
'test-module': module_test_command,
f'{prefix}get-indicators': get_indicators_command
}
try:
if command == 'fetch-indicators':
indicators = fetch_indicators_command(client, params.get('indicator_type'))
# we submit the indicators in batches
for b in batch(indicators, batch_size=2000):
demisto.createIndicators(b) # type: ignore
else:
args = demisto.args()
args['feed_name'] = feed_name
readable_output, outputs, raw_response = commands[command](client, args)
return_outputs(readable_output, outputs, raw_response)
except Exception as e:
err_msg = f'Error in {feed_name} Integration - Encountered an issue with createIndicators' if \
'failed to create' in str(e) else f'Error in {feed_name} Integration [{e}]'
return_error(err_msg)
def main():
max_indicators = get_limit(
demisto.params().get('maxIndicators', MAX_INDICATORS), MAX_INDICATORS)
SESSION.proxies = handle_proxy()
client = SixgillFeedClient(demisto.params()['client_id'],
demisto.params()['client_secret'], CHANNEL_CODE,
FeedStream.DARKFEED, demisto, max_indicators,
SESSION, VERIFY)
command = demisto.command()
demisto.info(f'Command being called is {command}')
commands: Dict[str, Callable] = {
'test-module': test_module_command,
'sixgill-get-indicators': get_indicators_command
}
try:
if demisto.command() == 'fetch-indicators':
indicators = fetch_indicators_command(client)
for b in batch(indicators, batch_size=2000):
demisto.createIndicators(b)
else:
readable_output, outputs, raw_response = commands[command](
client, demisto.args())
return_outputs(readable_output, outputs, raw_response)
except Exception as e:
demisto.error(traceback.format_exc())
return_error(
f'Error failed to execute {demisto.command()}, error: [{e}]')
def fetch_indicators_command(client: Client,
time_to_stop_fetch: datetime = None):
"""Retrieves indicators from the feed
Args:
client: Client object with request
time_to_stop_fetch: Time to stop the fetch before it falls on the docker timeout
Returns:
List. Processed indicator from feed.
"""
current_date = arg_to_datetime('now').date() # type:ignore
while client.first_fetch.date() <= current_date:
indicators, status = fetch_indicators(client, time_to_stop_fetch)
if not status:
return
for iter_ in batch(indicators, batch_size=2000):
demisto.createIndicators(iter_)
# Each request returns one day's indicators, so we'll keep the date of the next day in IntegrationContext.
next_fetch = (dateparser.parse(
'tomorrow', settings={'RELATIVE_BASE':
client.first_fetch})) # type:ignore
if client.first_fetch.date() < current_date:
demisto.setIntegrationContext(
{'last_fetch': next_fetch.isoformat()}) # type:ignore
client.first_fetch = next_fetch
demisto.debug(f'{len(indicators)} XSOAR Indicators were created.')
return
def workday_first_run_command(client, mapper_in, report_url,
workday_date_format):
report_data = client.get_full_report(report_url)
indicators = report_to_indicators(report_data.get('Report_Entry'),
mapper_in, workday_date_format)
for b in batch(indicators, batch_size=BATCH_SIZE):
demisto.createIndicators(b)
def main():
params = demisto.params()
feed_tags = argToList(params.get('feedTags'))
client = Client(api_key=params.get('api_key'),
insecure=params.get('insecure'))
command = demisto.command()
demisto.info(f'Command being called is {command}')
# Switch case
commands = {
'test-module': module_test_command,
'autofocus-daily-get-indicators': get_indicators_command
}
try:
if demisto.command() == 'fetch-indicators':
indicators = fetch_indicators_command(client, feed_tags)
# we submit the indicators in batches
for b in batch(indicators, batch_size=2000):
demisto.createIndicators(b)
else:
readable_output, outputs, raw_response = commands[command](client, demisto.args(),
feed_tags) # type: ignore
return_outputs(readable_output, outputs, raw_response)
except Exception as e:
raise Exception(f'Error in AutoFocusFeed Daily Integration [{e}]')
def main() -> None:
"""main function, parses params and runs command functions
"""
params = demisto.params()
command = demisto.command()
args = demisto.args()
verify_certificate = not params.get('insecure', False)
proxy = params.get('proxy', False)
auth = params.get('auth', {})
username = auth.get('identifier', '')
password = auth.get('password', '')
base_url = params.get('url', '')
timeout = int(params.get('timeout', 60))
tlp_color = demisto.params().get('tlp_color')
feedTags = argToList(demisto.params().get('feedTags'))
first_fetch = params.get('first_fetch', '3 days ago')
limit = int(params.get('max_fetch', 50))
metadata = argToBoolean(params.get('indicatorMetadata', False))
enrichment = argToBoolean(params.get('indicatorRelationships', False))
types = argToList(params.get('type'))
demisto.debug(f'Command being called is {command}')
try:
client = MandiantClient(base_url=base_url,
verify=verify_certificate,
proxy=proxy,
username=username,
password=password,
timeout=timeout,
tags=feedTags,
tlp_color=tlp_color,
first_fetch=first_fetch,
limit=limit,
metadata=metadata,
enrichment=enrichment,
types=types)
if command == 'test-module':
result = test_module(client, args)
return_results(result)
elif command == 'feed-mandiant-get-indicators':
return_results(fetch_indicators(client, args))
elif command == 'fetch-indicators':
indicators = fetch_indicators(client)
for b in batch(indicators, batch_size=2000):
demisto.createIndicators(b)
else:
raise NotImplementedError(f'Command {command} is not implemented.')
# Log exceptions and return errors
except Exception as e:
demisto.error(traceback.format_exc()) # print the traceback
return_error(
f'Failed to execute {demisto.command()} command.\nError:\n{str(e)}'
)
def main():
"""
PARSE AND VALIDATE INTEGRATION PARAMS
"""
params = demisto.params()
use_ssl = not params.get('insecure', False)
tags = argToList(params.get('feedTags'))
tlp_color = params.get('tlp_color')
command = demisto.command()
demisto.info(f'Command being called is {command}')
try:
client = Client(use_ssl, tags, tlp_color)
commands: Dict[str, Callable[[Client, Dict[str, str]],
Tuple[str, Dict[Any, Any],
Dict[Any, Any]]]] = {
'test-module': test_module,
'webex-get-indicators':
get_indicators_command
}
if command in commands:
return_outputs(*commands[command](client, demisto.args()))
elif command == 'fetch-indicators':
indicators = fetch_indicators_command(client)
for iter_ in batch(indicators, batch_size=2000):
demisto.createIndicators(iter_)
else:
raise NotImplementedError(f'Command {command} is not implemented.')
except Exception as err:
err_msg = f'Error in {INTEGRATION_NAME} Integration. [{err}]'
return_error(err_msg)
def fetch_indicators_command(client, feed_type, src_val, src_type,
default_type, last_fetch):
"""Implements fetch-indicators command"""
last_fetch_timestamp = get_last_fetch_timestamp(last_fetch,
client.time_method,
client.fetch_time)
now = datetime.now()
ioc_lst: list = []
ioc_enrch_lst: list = []
if FEED_TYPE_GENERIC not in feed_type:
# Insight is the name of the indicator object as it's saved into the database
search = get_scan_insight_format(client, now, last_fetch_timestamp,
feed_type)
for hit in search.scan():
hit_lst, hit_enrch_lst = extract_indicators_from_insight_hit(hit)
ioc_lst.extend(hit_lst)
ioc_enrch_lst.extend(hit_enrch_lst)
else:
search = get_scan_generic_format(client, now, last_fetch_timestamp)
for hit in search.scan():
ioc_lst.extend(
extract_indicators_from_generic_hit(hit, src_val, src_type,
default_type))
if ioc_lst:
for b in batch(ioc_lst, batch_size=2000):
demisto.createIndicators(b)
if ioc_enrch_lst:
ioc_enrch_batches = create_enrichment_batches(ioc_enrch_lst)
for enrch_batch in ioc_enrch_batches:
# ensure batch sizes don't exceed 2000
for b in batch(enrch_batch, batch_size=2000):
demisto.createIndicators(b)
demisto.setLastRun({'time': now.timestamp() * 1000})
def main():
params = {k: v for k, v in demisto.params().items() if v is not None}
handle_proxy()
client = Client(**params)
command = demisto.command()
demisto.info('Command being called is {}'.format(command))
# Switch case
commands = {
'test-module': module_test_command,
'get-indicators': get_indicators_command
}
try:
if demisto.command() == 'fetch-indicators':
indicators = fetch_indicators_command(client,
params.get('indicator_type'))
# we submit the indicators in batches
for b in batch(indicators, batch_size=2000):
demisto.createIndicators(b)
else:
readable_output, outputs, raw_response = commands[command](
client, demisto.args())
return_outputs(readable_output, outputs, raw_response)
except Exception as e:
err_msg = f'Error in {SOURCE_NAME} Integration - Encountered an issue with createIndicators' if \
'failed to create' in str(e) else f'Error in {SOURCE_NAME} Integration [{e}]'
if command == 'fetch-indicators':
raise Exception(err_msg)
else:
return_error(err_msg)
def main():
params = demisto.params()
client = Client(api_key=params.get('api_key'),
insecure=params.get('insecure'),
proxy=params.get('proxy'),
indicator_feeds=params.get('indicator_feeds'),
custom_feed_urls=params.get('custom_feed_urls'),
scope_type=params.get('scope_type'),
sample_query=params.get('sample_query'))
command = demisto.command()
demisto.info(f'Command being called is {command}')
# Switch case
commands = {
'test-module': module_test_command,
'autofocus-get-indicators': get_indicators_command
}
try:
if demisto.command() == 'fetch-indicators':
indicators = fetch_indicators_command(client)
# we submit the indicators in batches
for b in batch(indicators, batch_size=2000):
demisto.createIndicators(b)
else:
readable_output, outputs, raw_response = commands[command](
client, demisto.args()) # type: ignore
return_outputs(readable_output, outputs, raw_response)
except Exception as e:
raise Exception(f'Error in {SOURCE_NAME} Integration [{e}]')
def main():
client = Client(
demisto.getParam("api_access_id"),
demisto.getParam("api_secret_key"),
demisto.getParam("tc_api_path"),
)
command = demisto.command()
demisto.info(f'Command being called is {command}')
commands = {
'test-module': module_test_command,
f'{INTEGRATION_COMMAND_NAME}-get-indicators': get_indicators_command,
f'{INTEGRATION_COMMAND_NAME}-get-owners': get_owners_command
}
try:
if demisto.command() == 'fetch-indicators':
indicators = fetch_indicators_command(client)
for b in batch(indicators, batch_size=2000):
demisto.createIndicators(b)
else:
readable_output, outputs, raw_response = commands[command](client)
return_outputs(readable_output, outputs, raw_response)
except Exception as e:
return_error(
f'Integration {INTEGRATION_NAME} Failed to execute {command} command. Error: {str(e)}'
)
def main():
params = demisto.params()
tags = argToList(params.get('feedTags'))
tlp_color = params.get('tlp_color')
client = Client(params.get('api_key'), params.get('collections'), params.get('insecure'), params.get('proxy'),
params.get('all_collections'), tags=tags, tlp_color=tlp_color)
command = demisto.command()
demisto.info(f'Command being called is {command}')
# Switch case
commands = {
'test-module': module_test_command,
'alienvaultotx-get-indicators': get_indicators_command
}
try:
if demisto.command() == 'fetch-indicators':
indicators = fetch_indicators_command(client)
# we submit the indicators in batches
for b in batch(indicators, batch_size=2000):
demisto.createIndicators(b)
else:
readable_output, outputs, raw_response = commands[command](client, demisto.args())
return_outputs(readable_output, outputs, raw_response)
except Exception as e:
raise Exception(f'Error in {SOURCE_NAME} Integration [{e}]')
def main():
# Write configure here
params = {k: v for k, v in demisto.params().items() if v is not None}
handle_proxy()
client = TAXIIClient(**params)
command = demisto.command()
demisto.info('Command being called is {command}'.format(command=command))
# Switch case
commands = {
'test-module': test_module,
'get-indicators': get_indicators_command
}
try:
if demisto.command() == 'fetch-indicators':
indicators = fetch_indicators_command(client)
# we submit the indicators in batches
for b in batch(indicators, batch_size=2000):
demisto.createIndicators(b)
demisto.setLastRun({'time': client.last_taxii_run})
else:
readable_output, outputs, raw_response = commands[command](
client, demisto.args())
return_outputs(readable_output, outputs, raw_response)
except Exception as e:
err_msg = f'Error in {INTEGRATION_NAME} Integration [{e}]'
raise Exception(err_msg)
def main():
"""
main function, parses params and runs command functions
"""
params = demisto.params()
# If your Client class inherits from BaseClient, SSL verification is
# handled out of the box by it, just pass ``verify_certificate`` to
# the Client constructor
insecure = not params.get('insecure', False)
# If your Client class inherits from BaseClient, system proxy is handled
# out of the box by it, just pass ``proxy`` to the Client constructor
proxy = params.get('proxy', False)
command = demisto.command()
args = demisto.args()
demisto.debug(f'Command being called is {command}')
try:
client = Client(base_url='https://www.virustotal.com/api/v3/',
verify=insecure,
proxy=proxy,
headers={
'x-apikey': params['credentials']['password'],
'x-tool': 'CortexVirusTotalRetrohuntFeed',
})
if command == 'test-module':
# This is the call made when pressing the integration Test button.
return_results(test_module(client, {}))
elif command == 'vt-retrohunt-get-indicators':
# This is the command that fetches a limited number of indicators
# from the feed source and displays them in the war room.
return_results(get_indicators_command(client, params, args))
elif command == "vt-retrohunt-reset-fetch-indicators":
return_results(reset_last_job_id())
elif command == 'fetch-indicators':
# This is the command that initiates a request to the feed endpoint
# and create new indicators objects from the data fetched. If the
# integration instance is configured to fetch indicators, then this
# is the commandthat will be executed at the specified feed fetch
# interval.
indicators = fetch_indicators_command(client, params)
for iter_ in batch(indicators, batch_size=2000):
demisto.createIndicators(iter_)
else:
raise NotImplementedError(f'Command {command} is not implemented.')
# Log exceptions and return errors
except Exception as e:
demisto.error(traceback.format_exc()) # Print the traceback
return_error(f'Failed to execute {command} command.\nError:\n{str(e)}')
def fetch_indicators_command(client, params, manual_run=False):
indicators_unparsed = list()
indicators = list()
now = datetime.utcnow()
create_date = dateparser.parse(f"{client.history} days ago", settings={
'RELATIVE_BASE': now}).strftime("%Y-%m-%dT%H:%M:%S.000+0000")
object_fields = None
if client.fields:
object_fields = client.fields.split(",")
else:
object_fields = sorted([x['name'] for x in client.get_object_description()['fields']])
if "id" not in object_fields and "Id" not in object_fields:
object_fields.append("id")
if client.query_filter:
search_criteria = f"{client.query_filter}"
else:
search_criteria = f"CreatedDate > {create_date}"
indicators_raw = client.query_object(object_fields, client.object_name, search_criteria)
if indicators_raw.get('totalSize', 0) > 0:
for indicator in indicators_raw.get('records', []):
indicators_unparsed.append({k: v for k, v in indicator.items() if k != 'attributes'})
more_records = True if indicators_raw.get('nextRecordsUrl', None) else False
while more_records:
next_records = "/".join(indicators_raw.get('nextRecordsUrl').split("/")[-2:])
indicators_raw = client.raw_query(next_records, raw_query=True)
for indicator in indicators_raw.get('records', []):
indicators_unparsed.append({k: v for k, v in indicator.items() if k != 'attributes'})
more_records = True if indicators_raw.get('nextRecordsUrl', None) else False
for item in indicators_unparsed:
try:
value = item[client.key_field] if client.key_field in item else None
if value:
item['object_name'] = client.object_name
indicator = {
"value": value,
"type": client.object_name,
"rawJSON": item,
"score": client.score
}
indicators.append(indicator)
except Exception:
pass
if not manual_run:
# We submit indicators in batches
for b in batch(indicators, batch_size=2000):
demisto.createIndicators(b)
else:
demisto.results({
"SFDC.Indicators": indicators,
"Count": len(indicators)
})
def main():
params = demisto.params()
base_url = params.get("url", "https://api-feeds.cyren.com/v1/feed")
api_token = params.get("apikey")
feed_name = params.get("feed_name")
feed_name = FEED_OPTION_TO_FEED.get(feed_name, "")
max_indicators = int(params.get("max_indicators", MAX_API_COUNT))
if max_indicators > MAX_API_COUNT:
demisto.info(
f"using a maximum value for max_indicators of {MAX_API_COUNT} instead of {max_indicators}!"
)
max_indicators = MAX_API_COUNT
proxy = params.get("proxy", False)
verify_certificate = not params.get("insecure", False)
headers = dict(Authorization=f"Bearer {api_token}")
demisto.info(f"using feed {feed_name}, max {max_indicators}")
commands: Dict[str, Callable] = {
"cyren-threat-indepth-get-indicators": get_indicators_command,
}
command = demisto.command()
demisto.info(f"Command being called is {command}")
error = None
try:
client = Client(feed_name=feed_name,
base_url=base_url,
verify=verify_certificate,
headers=headers,
proxy=proxy)
if command == "fetch-indicators":
indicators = fetch_indicators_command(
client=client,
initial_count=0,
max_indicators=max_indicators,
update_context=True)
for b in batch(indicators, batch_size=2000):
demisto.createIndicators(b)
elif command == "test-module":
return_outputs(test_module_command(client))
else:
return_results(commands[command](client, demisto.args()))
except InvalidAPITokenException:
error = "Invalid API token!"
except InvalidAPIUrlException:
error = "Invalid API URL!"
except Exception as e:
demisto.error(traceback.format_exc())
error = f"Error failed to execute {command}, error: [{e}]"
if error:
return_error(error)
def main() -> None:
"""main function, parses params and runs command functions
:return:
:rtype:
"""
params = demisto.params()
command = demisto.command()
api_key = params.get("apikey")
base_url = urljoin(params["url"], "/api")
verify_certificate = not params.get("insecure", False)
proxy = params.get("proxy", False)
max_indicators_param = params.get('max_fetch')
min_last_observed_param = params.get('min_last_observed')
tlp_color = params.get('tlp_color')
feed_tags = params.get('feedTags', '')
try:
client = Client(
api_key=api_key, base_url=base_url, verify=verify_certificate, proxy=proxy
)
client.authenticate()
if command == "test-module":
result = test_module(client, max_indicators_param, min_last_observed_param, tlp_color)
return_results(result)
elif command == "fetch-indicators":
max_indicators = validate_max_indicators(max_indicators_param)
if validate_max_indicators is None:
raise ValueError("Invalid value for max indicators")
min_last_observed = validate_min_last_observed(min_last_observed_param)
if min_last_observed is None:
raise ValueError("Invalid value for last observed day range")
indicator_batch = []
for indicator in indicator_generator(client, tlp_color=tlp_color, feed_tags=feed_tags, max_indicators=max_indicators):
indicator_batch.append(indicator)
if len(indicator_batch) == 2000:
demisto.createIndicators(indicator_batch)
indicator_batch = []
if len(indicator_batch) != 0:
demisto.createIndicators(indicator_batch)
elif command == "feedexpanse-get-indicators":
return_results(get_indicators_command(client, demisto.args(), tlp_color=tlp_color, feed_tags=feed_tags))
else:
raise NotImplementedError(f'Command {command} is not implemented.')
# Log exceptions and return errors
except Exception as e:
return_error(
f"Failed to execute {command} command.\nError:\n{str(e)}"
)
def fetch_indicators_command():
search, now = get_indicators_search_scan()
ioc_lst: list = []
for hit in search.scan():
ioc_lst.extend(extract_indicators_from_insight_hit(hit))
if ioc_lst:
for b in batch(ioc_lst, batch_size=2000):
demisto.createIndicators(b)
demisto.setLastRun({'time': now})
def main():
"""
PARSE AND VALIDATE INTEGRATION PARAMS
"""
params = demisto.params()
username = params.get('credentials').get('identifier')
password = params.get('credentials').get('password')
proxy = params.get('proxy', False)
verify_certificate = not params.get('insecure', False)
base_url = str(params.get("url"))
indicator_collections = params.get('indicator_collections', [])
indicators_first_fetch = params.get('indicators_first_fetch',
'3 days').strip()
requests_count = int(params.get('requests_count', 2))
args = demisto.args()
command = demisto.command()
LOG(f'Command being called is {command}')
try:
client = Client(base_url=base_url,
verify=verify_certificate,
auth=(username, password),
proxy=proxy,
headers={"Accept": "*/*"})
commands = {'gibtia-get-indicators': get_indicators_command}
if command == 'test-module':
# This is the call made when pressing the integration Test button.
result = test_module(client)
demisto.results(result)
elif command == 'fetch-indicators':
# Set and define the fetch incidents command to run after activated via integration settings.
common_fields = {
'trafficlightprotocol': params.get("tlp_color"),
'tags': argToList(params.get("feedTags")),
}
next_run, indicators = fetch_indicators_command(
client=client,
last_run=get_integration_context(),
first_fetch_time=indicators_first_fetch,
indicator_collections=indicator_collections,
requests_count=requests_count,
common_fields=common_fields)
set_integration_context(next_run)
for b in batch(indicators, batch_size=2000):
demisto.createIndicators(b)
else:
return_results(commands[command](client, args))
# Log exceptions
except Exception as e:
return_error(
f'Failed to execute {demisto.command()} command. Error: {str(e)}')
