def syslog_send_notification(manager: SyslogManager, min_severity: int):
"""
Send a message to syslog
:param manager: Syslog manager
:param min_severity: Minimum severity of incidents to send messages about
"""
message = demisto.args().get('message', '')
entry = demisto.args().get('entry')
ignore_add_url = demisto.args().get('ignoreAddURL', False)
log_level = demisto.args().get('log_level', 'INFO')
severity = demisto.args().get('severity') # From server
message_type = demisto.args().get('messageType', '') # From server
if severity:
try:
severity = int(severity)
except Exception:
severity = None
if message_type == INCIDENT_OPENED and (severity is not None
and severity < min_severity):
return
if not message:
message = ''
message = message.replace('\n', ' ').replace('\r', ' ').replace('`', '')
investigation = demisto.investigation()
if investigation:
investigation_id = investigation.get('id')
if entry:
message = f'{entry}, {message}'
message = f'{investigation_id}, {message}'
if ignore_add_url and isinstance(ignore_add_url, str):
ignore_add_url = bool(strtobool(ignore_add_url))
if not ignore_add_url:
investigation = demisto.investigation()
server_links = demisto.demistoUrls()
if investigation:
if investigation.get('type') != PLAYGROUND_INVESTIGATION_TYPE:
link = server_links.get('warRoom')
if link:
if entry:
link += '/' + entry
message += f' {link}'
else:
link = server_links.get('server', '')
if link:
message += f' {link}#/home'
if not message:
raise ValueError('No message received')
send_log(manager, message, log_level)
demisto.results('Message sent to Syslog successfully.')
def write_log_json():
""" Gather Args, form json document, write document to MondoDB """
investigation = demisto.investigation()
investigation_id = investigation.get('id')
investigation_user = investigation.get('user')
timestamp = datetime.utcnow().strftime("%Y-%m-%dT%H:%M:%S+00:00")
id_ = demisto.args().get('id', investigation_id)
playbook = demisto.args().get('playbook')
action = demisto.args().get('action')
user = demisto.args().get('user', investigation_user)
message = demisto.args().get('message')
logjson = {
'timestamp': timestamp,
'id': id_,
'playbook': playbook,
'action': action,
'user': user,
'message': message
}
# Add json to the document collection in MondoDB
result = COLLECTION.insert_one(logjson)
entry_id = result.inserted_id
context = {
'EntryID': str(entry_id),
'Timestamp': timestamp,
'ID': id_,
'Playbook': playbook,
'Action': action,
'User': user,
'Message': message
}
ec = {'MongoDB.Entry(val.EntryID === obj.EntryID)': context}
return 'MongoDB Log - 1 document/record added', ec, {}
def close_channel():
"""
Archives a mirrored slack channel by its incident ID.
"""
investigation = demisto.investigation()
if investigation.get('type') == PLAYGROUND_INVESTIGATION_TYPE:
return_error('Can not perform this action in playground.')
integration_context = demisto.getIntegrationContext()
if not integration_context or not integration_context.get('mirrors', []):
return_error('No mirrors found for this incident.')
mirrors = json.loads(integration_context['mirrors'])
mirror = list(
filter(lambda m: investigation.get('id') == m['investigation_id'],
mirrors))
if not mirror:
return_error('Could not find the mirrored Slack conversation.')
mirror = mirrors.pop(mirrors.index(mirror[0]))
conversation_id = mirror['channel_id']
CHANNEL_CLIENT.conversations_archive(channel=conversation_id)
# Check for other mirrors on the archived channel
channel_mirrors = list(
filter(lambda m: conversation_id == m['channel_id'], mirrors))
for mirror in channel_mirrors:
mirrors.remove(mirror)
set_to_latest_integration_context('mirrors', mirrors)
demisto.results('Channel successfully archived.')
def send_ms_teams_message(entitlement, task, user_id, message):
investigation_id: str = demisto.investigation()['id']
adaptive_card: dict = {
'contentType': 'application/vnd.microsoft.card.adaptive',
'content': {
'$schema':
'http://adaptivecards.io/schemas/adaptive-card.json',
'version':
'1.0',
'type':
'AdaptiveCard',
'msteams': {
'width': 'Full'
},
'body': [{
'type': 'TextBlock',
'text': message,
'wrap': True
}],
'actions': [{
'type': 'Action.Submit',
'title': 'Yes',
'data': {
'response': 'Yes',
'entitlement': entitlement,
'investigation_id': investigation_id,
'task_id': task
}
}, {
'type': 'Action.Submit',
'title': 'No',
'data': {
'response': 'No',
'entitlement': entitlement,
'investigation_id': investigation_id,
'task_id': task
}
}]
}
}
command_arguments: dict = {
'adaptive_card': json.dumps(adaptive_card),
'using-brand': 'Microsoft Teams'
}
if user_id:
command_arguments['team_member'] = user_id
demisto.results(
demisto.executeCommand('send-notification', command_arguments))
else:
raise Exception('A user must be provided.')
def find_mirror_by_investigation() -> dict:
mirror: dict = {}
investigation = demisto.investigation()
if investigation:
integration_context = demisto.getIntegrationContext()
if integration_context.get('mirrors'):
mirrors = json.loads(integration_context['mirrors'])
investigation_filter = list(
filter(
lambda m: investigation.get('id') == m['investigation_id'],
mirrors))
if investigation_filter:
mirror = investigation_filter[0]
return mirror
def main():
args = demisto.args()
entry_id = args.get('entry_id', '')
file_path = demisto.getFilePath(entry_id).get('path')
wpa_password = args.get('wpa_password', '')
rsa_decrypt_key_entry_id = args.get('rsa_decrypt_key_entry_id', '')
rsa_key_file_path = None
if rsa_decrypt_key_entry_id:
rsa_key_file_path = demisto.getFilePath(rsa_decrypt_key_entry_id).get(
'path')
conversation_number_to_display = int(args.get('convs_to_display', '15'))
extracted_protocols = argToList(args.get('protocol_output', ''))
if 'All' in extracted_protocols:
extracted_protocols = ALL_SUPPORTED_PROTOCOLS
is_flows = True
is_reg_extract = args.get('extract_strings', 'False') == 'True'
pcap_filter = args.get('pcap_filter', '')
homemade_regex = args.get('custom_regex', '') # 'Layer (.+):'
pcap_filter_new_file_path = ''
pcap_filter_new_file_name = args.get('filtered_file_name', '')
unique_ips = args.get('extract_ips', 'False') == 'True'
if pcap_filter_new_file_name:
temp = demisto.uniqueFile()
pcap_filter_new_file_path = demisto.investigation()['id'] + '_' + temp
try:
pcap = PCAP(is_reg_extract, extracted_protocols, homemade_regex,
unique_ips, entry_id)
pcap.mine(file_path, wpa_password, rsa_key_file_path, is_flows,
is_reg_extract, pcap_filter, pcap_filter_new_file_path)
hr, ec, raw = pcap.get_outputs(conversation_number_to_display,
is_flows, is_reg_extract)
return_outputs(hr, ec, raw)
except Exception as e:
return_error(f'Unexpected error: {str(e)}',
error=traceback.format_exc())
if pcap_filter_new_file_name:
demisto.results({
'Contents': '',
'ContentsFormat': formats['text'],
'Type': 3,
'File': pcap_filter_new_file_name,
'FileID': temp
})
def main():
script_arguments: dict = demisto.args()
team_member: str = script_arguments.get('team_member', '')
channel: str = script_arguments.get('channel', '')
if not (team_member or channel):
raise ValueError('Either team member or channel must be provided.')
if team_member and channel:
raise ValueError('Either team member or channel should be provided, not both.')
persistent: bool = script_arguments.get('persistent', '') == 'true'
response: list = demisto.executeCommand('addEntitlement', {'persistent': persistent})
if isError(response[0]):
demisto.results(response)
return
entitlement: str = response[0]['Contents']
investigation_id: str = demisto.investigation()['id']
task_id: str = script_arguments.get('task_id', '')
message_text: str = script_arguments.get('message', '')
first_option: str = script_arguments.get('option1', '')
second_option: str = script_arguments.get('option2', '')
options: list = [first_option, second_option]
additional_options: list = argToList(script_arguments.get('additional_options'))
options.extend(additional_options)
message: dict = {
'message_text': message_text,
'options': options,
'entitlement': entitlement,
'investigation_id': investigation_id,
'task_id': task_id
}
command_arguments: dict = {
'message': json.dumps(message),
'using-brand': 'Microsoft Teams'
}
if channel:
command_arguments['channel'] = channel
elif team_member:
command_arguments['team_member'] = team_member
demisto.results(demisto.executeCommand('send-notification', command_arguments))
def mirror_investigation():
"""
Update the integration context with a new or existing mirror.
"""
mirror_type = demisto.args().get('type', 'all')
investigation = demisto.investigation()
if investigation.get('type') == PLAYGROUND_INVESTIGATION_TYPE:
return_error('Can not perform this action in the playground.')
investigation_id = investigation.get('id')
demisto.mirrorInvestigation(investigation_id, f'{mirror_type}:FromDemisto',
False)
demisto.results('Investigation mirrored to Syslog successfully.')
def send_message(destinations: list, entry: str, ignore_add_url: bool,
integration_context: dict, message: str, thread_id: str):
"""
Sends a message to Slack.
:param destinations: The destinations to send to.
:param entry: A WarRoom entry to send.
:param ignore_add_url: Do not add a Demisto URL to the message.
:param integration_context: Current integration context.
:param message: The message to send.
:param thread_id: The Slack thread ID to send the message to.
:return: The Slack send response.
"""
if not message:
message = '\n'
if ignore_add_url and isinstance(ignore_add_url, str):
ignore_add_url = bool(strtobool(ignore_add_url))
if not ignore_add_url:
investigation = demisto.investigation()
server_links = demisto.demistoUrls()
if investigation:
if investigation.get('type') != PLAYGROUND_INVESTIGATION_TYPE:
link = server_links.get('warRoom')
if link:
if entry:
link += '/' + entry
message += '\n{} {}'.format('View it on:', link)
else:
link = server_links.get('server', '')
if link:
message += '\n{} {}'.format('View it on:', link + '#/home')
try:
response = send_message_to_destinations(destinations, message,
thread_id)
except SlackApiError as e:
if str(e).find('not_in_channel') == -1 and str(e).find(
'channel_not_found') == -1:
raise
bot_id = integration_context.get('bot_id')
if not bot_id:
bot_id = get_bot_id()
for dest in destinations:
invite_users_to_conversation(dest, [bot_id])
response = send_message_to_destinations(destinations, message,
thread_id)
return response
def save_file(file_name, file_content) -> str:
"""
save attachment to the war room and return the file internal path.
Args:
file_name (str): The name of the file to be created.
file_content (str/bytes): the file data.
Returns:
str: the file internal path
"""
created_file = fileResult(file_name, file_content)
file_id = created_file.get('FileID')
attachment_internal_path = demisto.investigation().get('id') + '_' + file_id
demisto.results(created_file)
return attachment_internal_path
def main():
res = demisto.executeCommand(
'addEntitlement', {
'persistent': demisto.get(demisto.args(), 'persistent'),
'replyEntriesTag': demisto.get(demisto.args(), 'replyEntriesTag')
})
if isError(res[0]):
demisto.results(res)
sys.exit(0)
entitlement = demisto.get(res[0], 'Contents')
option1 = demisto.get(demisto.args(), 'option1')
if not option1:
option1 = 'yes'
option2 = demisto.get(demisto.args(), 'option2')
if not option2:
option2 = 'no'
entitlementString = entitlement + '@' + demisto.investigation()['id']
if demisto.get(demisto.args(), 'task'):
entitlementString += '|' + demisto.get(demisto.args(), 'task')
message = '%s - Please reply to this thread with `%s` or `%s`' % (
demisto.args()['message'], option1, option2)
to = demisto.get(demisto.args(), 'user')
channel = demisto.get(demisto.args(), 'channel')
args = {
'message':
json.dumps({
'message': message,
'entitlement': entitlementString
}),
'ignoreAddURL':
'true'
}
if to:
args['to'] = to
elif channel:
args['channel'] = channel
else:
return_error('Either a user or a channel must be provided.')
demisto.results(demisto.executeCommand('send-notification', args))
def main():
entry_id = demisto.args()["entry_id"]
out_format = demisto.args().get('format', 'pdf')
all_files = demisto.args().get('all_files', 'no') == 'yes'
# URLS
try:
result = demisto.getFilePath(entry_id)
if not result:
return_error("Couldn't find entry id: {}".format(entry_id))
demisto.debug('going to convert: {}'.format(result))
file_path = result['path']
file_path_name_only = os.path.splitext(os.path.basename(file_path))[0]
file_name = result.get('name')
if file_name: # remove the extension
file_name = os.path.splitext(file_name)[0]
with tempfile.TemporaryDirectory() as outdir:
files = convert_file(file_path, out_format, all_files, outdir)
if not files:
return_error(
'No file result returned for convert format: {}'.format(
out_format))
return
for f in files:
temp = demisto.uniqueFile()
shutil.copy(f, demisto.investigation()['id'] + '_' + temp)
name = os.path.basename(f)
if file_name:
name = name.replace(file_path_name_only, file_name)
demisto.results({
'Contents': '',
'ContentsFormat': formats['text'],
'Type': entryTypes['file'],
'File': name,
'FileID': temp
})
except subprocess.CalledProcessError as e:
return_error("Failed converting file. Output: {}. Error: {}".format(
e.output, e))
except Exception as e:
return_error(
"Failed converting file. General exception: {}.\n\nTrace:\n{}".
format(e, traceback.format_exc()))
def viper_upload(path, name, entry_id):
"""
Performs upload of file to Viper database.
"""
# Get absolute filepath for upload
new_path = os.path.abspath(path)
files = {'file': (name, open(new_path, 'rb'))}
incident_name = demisto.get(demisto.investigation(), 'name')
# Create some basic demisto-related tags to attach to file details on initial upload
data = {
'tag_list':
entry_id + ',' + str(date.today()) + ',' + 'demisto' + ',' +
incident_name
}
upload = http_post('project/default/malware/upload/',
None,
data=data,
files=files)
return upload
def blacklist_to_entry(data, saveToContext):
if not isinstance(data, list):
data = [data]
ips = [d.get("ipAddress") for d in data]
context = {"Blacklist": ips}
temp = demisto.uniqueFile()
with open(demisto.investigation()['id'] + '_' + temp, 'wb') as f:
wr = csv.writer(f, quoting=csv.QUOTE_ALL)
for ip in ips:
wr.writerow([ip])
entry = {
'HumanReadable': '',
'Contents': ips,
'ContentsFormat': formats['json'],
'Type': entryTypes['file'],
'File': "Blacklist.csv",
'FileID': temp,
'EntryContext': {'AbuseIPDB': createContext(context if saveToContext else None, removeNull=True)}
}
return entry
def mirror_investigation():
"""
Updates the integration context with a new or existing mirror.
"""
mirror_type = demisto.args().get('type', 'all')
auto_close = demisto.args().get('autoclose', 'true')
mirror_direction = demisto.args().get('direction', 'both')
mirror_to = demisto.args().get('mirrorTo', 'group')
channel_name = demisto.args().get('channelName', '')
channel_topic = demisto.args().get('channelTopic', '')
investigation = demisto.investigation()
if investigation.get('type') == PLAYGROUND_INVESTIGATION_TYPE:
return_error('Can not perform this action in playground.')
integration_context = demisto.getIntegrationContext()
if not integration_context or not integration_context.get('mirrors', []):
mirrors: list = []
else:
mirrors = json.loads(integration_context['mirrors'])
if not integration_context or not integration_context.get(
'conversations', []):
conversations: list = []
else:
conversations = json.loads(integration_context['conversations'])
investigation_id = investigation.get('id')
slack_users = []
for user in investigation.get('users'):
slack_user = get_user_by_name(user, integration_context)
if not slack_user:
demisto.results({
'Type':
11, # Warning
'Contents':
'User {} not found in Slack'.format(user),
'ContentsFormat':
formats['text']
})
else:
slack_users.append(slack_user)
users_to_invite = list(map(lambda u: u.get('id'), slack_users))
current_mirror = list(
filter(lambda m: m['investigation_id'] == investigation_id, mirrors))
channel_filter: list = []
if channel_name:
channel_filter = list(
filter(lambda m: m['channel_name'] == channel_name, mirrors))
if not current_mirror:
channel_name = channel_name or 'incident-{}'.format(investigation_id)
if not channel_filter:
if mirror_to == 'channel':
conversation = CHANNEL_CLIENT.channels_create(
name=channel_name).get('channel', {})
else:
conversation = CHANNEL_CLIENT.groups_create(
name=channel_name).get('group', {})
conversation_name = conversation.get('name')
conversation_id = conversation.get('id')
conversations.append(conversation)
else:
mirrored_channel = channel_filter[0]
conversation_id = mirrored_channel['channel_id']
conversation_name = mirrored_channel['channel_name']
mirror = {
'channel_id': conversation_id,
'channel_name': conversation_name,
'investigation_id': investigation.get('id'),
'mirror_type': mirror_type,
'mirror_direction': mirror_direction,
'mirror_to': mirror_to,
'auto_close': bool(strtobool(auto_close)),
'mirrored': False
}
else:
mirror = mirrors.pop(mirrors.index(current_mirror[0]))
conversation_id = mirror['channel_id']
if mirror_type:
mirror['mirror_type'] = mirror_type
if auto_close:
mirror['auto_close'] = bool(strtobool(auto_close))
if mirror_direction:
mirror['mirror_direction'] = mirror_direction
if mirror_to and mirror['mirror_to'] != mirror_to:
return_error('Cannot change the Slack channel type from Demisto.')
if channel_name:
return_error('Cannot change the Slack channel name from Demisto.')
if channel_topic:
return_error('Cannot change the Slack channel topic from Demisto.')
conversation_name = mirror['channel_name']
mirror['mirrored'] = False
set_topic = False
if channel_topic:
set_topic = True
else:
mirror_name = 'incident-{}'.format(investigation_id)
channel_filter = list(
filter(lambda m: m['channel_name'] == conversation_name, mirrors))
if 'channel_topic' in mirror:
channel_topic = mirror['channel_topic']
elif channel_filter:
channel_mirror = channel_filter[0]
channel_topic = channel_mirror['channel_topic']
else:
channel_topic = ''
mirrored_investigations_ids = list(
map(lambda m: 'incident-{}'.format(m['investigation_id']),
channel_filter))
if not channel_topic or channel_topic.find('incident-') != -1:
new_topic = ', '.join(mirrored_investigations_ids + [mirror_name])
if channel_topic != new_topic:
channel_topic = new_topic
set_topic = True
if set_topic:
CHANNEL_CLIENT.conversations_setTopic(channel=conversation_id,
topic=channel_topic)
mirror['channel_topic'] = channel_topic
if mirror_type != 'none':
if integration_context.get('bot_id'):
bot_id = integration_context['bot_id']
else:
bot_id = get_bot_id()
users_to_invite += [bot_id]
invite_users_to_conversation(conversation_id, users_to_invite)
integration_context['bot_id'] = bot_id
mirrors.append(mirror)
set_to_latest_integration_context('mirrors', mirrors)
set_to_latest_integration_context('conversations', conversations)
demisto.results('Investigation mirrored successfully, channel: {}'.format(
conversation_name))
managerName = demisto.get(res[0]['Contents'][0], 'displayname')
if not managerDN:
demisto.results('Unable to get manager email from DN - ' + managerDN)
sys.exit(0)
allowReply = demisto.get(demisto.args(), 'allowReply')
if allowReply:
res = demisto.executeCommand('addEntitlement', {'persistent': demisto.get(demisto.args(), 'persistent'),
'replyEntriesTag': demisto.get(demisto.args(), 'replyEntriesTag')})
if isError(res[0]):
demisto.results(res)
sys.exit(0)
entitlement = demisto.get(res[0], 'Contents')
if not entitlement:
demisto.results('Unable to get entitlement')
sys.exit(0)
subject = demisto.gets(demisto.incidents()[0], 'name') + ' - #' + demisto.investigation()['id'] + ' ' + entitlement
else:
subject = demisto.gets(demisto.incidents()[0], 'name') + ' - #' + demisto.investigation()['id']
body = demisto.get(demisto.args(), 'body')
if not body:
body = """\
Hi $managerName,
We've received the following request below from $empName. Please reply to this email with either "approve" or "deny".
Cheers,
Your friendly security team"""
actualBody = Template(body)
empRequest = demisto.get(demisto.args(), 'request')
if not empRequest:
empRequest = demisto.incidents()[0]['details']
demisto.results(demisto.executeCommand('send-mail', {'to': managerEmail, 'subject': subject, 'body': textwrap.dedent(
if allowReply:
res = demisto.executeCommand(
'addEntitlement', {
'persistent': demisto.get(demisto.args(), 'persistent'),
'replyEntriesTag': demisto.get(demisto.args(), 'replyEntriesTag')
})
if isError(res[0]):
demisto.results(res)
sys.exit(0)
entitlement = demisto.get(res[0], 'Contents')
if not entitlement:
demisto.results('Unable to get entitlement')
sys.exit(0)
subject = demisto.gets(
demisto.incidents()[0],
'name') + ' - #' + demisto.investigation()['id'] + ' ' + entitlement
else:
subject = demisto.gets(demisto.incidents()[0],
'name') + ' - #' + demisto.investigation()['id']
body = demisto.get(demisto.args(), 'body')
if not body:
body = """\
Hi $managerName,
We've received the following request below from $empName. Please reply to this email with either "approve" or "deny".
Cheers,
Your friendly security team"""
actualBody = Template(body)
empRequest = demisto.get(demisto.args(), 'request')
if not empRequest:
empRequest = demisto.incidents()[0]['details']
def main():
res = demisto.executeCommand(
'addEntitlement', {
'persistent': demisto.get(demisto.args(), 'persistent'),
'replyEntriesTag': demisto.get(demisto.args(), 'replyEntriesTag')
})
if isError(res[0]):
demisto.results(res)
sys.exit(0)
entitlement = demisto.get(res[0], 'Contents')
option1 = demisto.get(demisto.args(), 'option1')
option2 = demisto.get(demisto.args(), 'option2')
extra_options = argToList(demisto.args().get('additionalOptions', ''))
reply = demisto.get(demisto.args(), 'reply')
response_type = demisto.get(demisto.args(), 'responseType')
lifetime = demisto.get(demisto.args(), 'lifetime')
slack_instance = demisto.get(demisto.args(), 'slackInstance')
slack_version = demisto.args().get('slackVersion', 'SlackV3')
try:
parsed_date = dateparser.parse('in ' + lifetime,
settings={'TIMEZONE': 'UTC'})
assert parsed_date is not None, f'could not parse in {lifetime}'
expiry = datetime.strftime(parsed_date, DATE_FORMAT)
except Exception:
parsed_date = dateparser.parse('in 1 day',
settings={'TIMEZONE': 'UTC'})
assert parsed_date is not None
expiry = datetime.strftime(parsed_date, DATE_FORMAT)
default_response = demisto.get(demisto.args(), 'defaultResponse')
entitlement_string = entitlement + '@' + demisto.investigation()['id']
if demisto.get(demisto.args(), 'task'):
entitlement_string += '|' + demisto.get(demisto.args(), 'task')
args = {'ignoreAddURL': 'true', 'using-brand': slack_version}
if slack_instance:
args.update({'using': slack_instance})
user_options = [option1, option2]
options = []
if extra_options:
user_options += extra_options
if response_type == 'thread':
for option in user_options:
options.append(option.split('#')[0])
string_options = ' or '.join(
list(map(lambda o: '`{}`'.format(o), options)))
message = '{} - Please reply to this thread with {}.'.format(
demisto.args()['message'], string_options)
args['message'] = json.dumps({
'message': message,
'entitlement': entitlement_string,
'reply': reply,
'expiry': expiry,
'default_response': default_response
})
else:
for option in user_options:
option = option.split('#')
button = {'text': option[0]}
if len(option) > 1:
style = STYLES_DICT.get(option[1])
if style:
button['style'] = style
options.append(button)
blocks = json.dumps(
create_blocks(demisto.args()['message'], entitlement_string,
options, reply))
args['blocks'] = json.dumps({
'blocks': blocks,
'entitlement': entitlement_string,
'reply': reply,
'expiry': expiry,
'default_response': default_response
})
args['message'] = demisto.args()['message']
to = demisto.get(demisto.args(), 'user')
channel = demisto.get(demisto.args(), 'channel')
channel_id = demisto.get(demisto.args(), 'channel_id')
if to:
args['to'] = to
elif channel_id:
args['channel_id'] = channel_id
elif channel:
args['channel'] = channel
else:
return_error('Either a user or a channel must be provided.')
try:
demisto.results(demisto.executeCommand('send-notification', args))
except ValueError as e:
if 'Unsupported Command' in str(e):
return_error(
'The command is unsupported by this script. If you have SlackV2 enabled, '
'please use SlackAsk instead.')
else:
return_error(
'An error has occurred while executing the send-notification command',
error=e)
def main() -> None:
"""
main function, parses params and runs command functions
"""
params = demisto.params()
# Authentication
api_key = params.get("apikey")
# get the service API url
base_url = urljoin(params["url"], "/api/1.5/")
verify_certificate = not params.get("insecure", False)
proxy = params.get("proxy", False)
comment_tag = params.get("comment_tag")
escalate_tag = params.get("escalate_tag")
input_tag = params.get("input_tag")
get_attachments = params.get("get_attachments", False)
close_incident = params.get("close_incident", False)
reopen_incident = params.get("reopen_incident", False)
reopen_group = params.get("reopen_group", "Default")
demisto.debug(f"Command being called is {demisto.command()}")
try:
client = Client(
base_url=base_url,
verify_certificate=verify_certificate,
api_key=api_key,
proxy=proxy,
comment_tag=comment_tag,
escalate_tag=escalate_tag,
input_tag=input_tag,
get_attachments=get_attachments,
close_incident=close_incident,
reopen_incident=reopen_incident,
reopen_group=reopen_group,
)
if demisto.command() == "test-module":
# This is the call made when pressing the integration Test button.
result = test_module(client)
return_results(result)
elif demisto.command() == "fetch-incidents":
max_fetch = params.get("max_fetch", 100)
last_run = demisto.getLastRun()
first_fetch_timestamp = params.get("first_fetch_timestamp",
"7 days").strip()
mirror_direction = MIRROR_DIRECTION.get(
demisto.params().get("mirror_direction", "None"), None)
integration_instance = demisto.integrationInstance()
incidents, new_last_run = fetch_incidents(
client=client,
last_run=last_run,
max_fetch=max_fetch,
first_fetch_time=first_fetch_timestamp,
mirror_direction=mirror_direction,
integration_instance=integration_instance,
)
demisto.setLastRun(new_last_run)
demisto.incidents(incidents)
elif demisto.command() == "get-mapping-fields":
result = get_mapping_fields()
return_results(result)
elif demisto.command() == "get-remote-data":
investigation = demisto.investigation()
result = get_remote_data(client, investigation, demisto.args())
return_results(result)
elif demisto.command() == "get-modified-remote-data":
result = get_modified_remote_data(client, demisto.args())
return_results(result)
elif demisto.command() == "update-remote-system":
investigation = demisto.investigation()
result = update_remote_system(client, investigation,
demisto.args())
return_results(result)
elif demisto.command() == "ztap-get-alert-entries":
result = ztap_get_alert_entries(client, demisto.args())
return_results(result)
# Log exceptions and return errors
except Exception as e:
demisto.error(traceback.format_exc()) # print the traceback
return_error(
f"Failed to execute {demisto.command()} command.\nError:\n{str(e)}"
)
def main():
res = demisto.executeCommand(
'addEntitlement', {
'persistent': demisto.get(demisto.args(), 'persistent'),
'replyEntriesTag': demisto.get(demisto.args(), 'replyEntriesTag')
})
if isError(res[0]):
demisto.results(res)
sys.exit(0)
entitlement = demisto.get(res[0], 'Contents')
option1 = demisto.get(demisto.args(), 'option1')
option2 = demisto.get(demisto.args(), 'option2')
extra_options = argToList(demisto.args().get('additionalOptions', ''))
reply = demisto.get(demisto.args(), 'reply')
response_type = demisto.get(demisto.args(), 'responseType')
lifetime = demisto.get(demisto.args(), 'lifetime')
try:
expiry = datetime.strftime(
dateparser.parse('in ' + lifetime, settings={'TIMEZONE': 'UTC'}),
DATE_FORMAT)
except Exception:
expiry = datetime.strftime(
dateparser.parse('in 1 day', settings={'TIMEZONE': 'UTC'}),
DATE_FORMAT)
default_response = demisto.get(demisto.args(), 'defaultResponse')
entitlement_string = entitlement + '@' + demisto.investigation()['id']
if demisto.get(demisto.args(), 'task'):
entitlement_string += '|' + demisto.get(demisto.args(), 'task')
args = {'ignoreAddURL': 'true'}
user_options = [option1, option2]
options = []
if extra_options:
user_options += extra_options
if response_type == 'thread':
for option in user_options:
options.append(option.split('#')[0])
string_options = ' or '.join(
list(map(lambda o: '`{}`'.format(o), options)))
message = '{} - Please reply to this thread with {}.'.format(
demisto.args()['message'], string_options)
args['message'] = json.dumps({
'message': message,
'entitlement': entitlement_string,
'reply': reply,
'expiry': expiry,
'default_response': default_response
})
else:
for option in user_options:
option = option.split('#')
button = {'text': option[0]}
if len(option) > 1:
style = STYLES_DICT.get(option[1])
if style:
button['style'] = style
options.append(button)
blocks = json.dumps(
create_blocks(demisto.args()['message'], entitlement_string,
options, reply))
args['blocks'] = json.dumps({
'blocks': blocks,
'entitlement': entitlement_string,
'reply': reply,
'expiry': expiry,
'default_response': default_response
})
args['message'] = demisto.args()['message']
to = demisto.get(demisto.args(), 'user')
channel = demisto.get(demisto.args(), 'channel')
if to:
args['to'] = to
elif channel:
args['channel'] = channel
else:
return_error('Either a user or a channel must be provided.')
demisto.results(demisto.executeCommand('send-notification', args))
def get_investigation_id():
investigation = demisto.investigation()
investigation_id = investigation.get('id')
return investigation_id
})
if isError(res[0]):
demisto.results(res)
sys.exit(0)
entitlement = demisto.get(res[0], 'Contents')
option1 = demisto.get(demisto.args(), 'option1')
if not option1:
option1 = 'yes'
option2 = demisto.get(demisto.args(), 'option2')
if not option2:
option2 = 'no'
entitlementString = entitlement + '@' + demisto.investigation()['id']
if demisto.get(demisto.args(), 'task'):
entitlementString += '|' + demisto.get(demisto.args(), 'task')
message = '%s - Please reply `%s %s` or `%s %s`' % (demisto.args()['message'],
option1, entitlementString,
option2, entitlementString)
demisto.results(
demisto.executeCommand(
'send-notification', {
'to': demisto.get(demisto.args(), 'user'),
'message': message,
'ignoreAddURL': 'true',
'using-brand': 'mattermost'
}))
