def run(self,data,persistentData,actionResult):
domainName = helpers.evalString(self.domainName,{"data" : data})
apiToken = auth.getPasswordFromENC(self.apiToken)
result = ip2whois._ip2whois(apiToken).whois(domainName)
if result:
actionResult["result"] = True
actionResult["rc"] = 0
actionResult["whois"] = result
else:
actionResult["result"] = False
actionResult["rc"] = 404
actionResult["msg"] = "Failed to get a valid response from ip2whois API"
return actionResult
def run(self, data, persistentData, actionResult):
apiToken = auth.getPasswordFromENC(self.apiToken)
dropletID = helpers.evalString(self.dropletID, {"data": data})
result = digitalocean._digitalocean(apiToken).getDroplet(dropletID,
network=True)
if result:
actionResult["result"] = True
actionResult["rc"] = 0
actionResult["droplet"] = result
else:
actionResult["result"] = False
actionResult["rc"] = 500
actionResult["msg"] = "Failed to get a valid response from API"
return actionResult
def doAction(self, data):
message = helpers.evalString(self.message, {"data": data["flowData"]})
url = auth.getPasswordFromENC(self.url)
result = microsoftteamswebhooks._microsoftteamswebhooks(
url).postMessage(message)
if result:
return {"result": True, "rc": 0, "msg": "Message posted."}
else:
return {
"result": False,
"rc": 400,
"msg": "Invalid response from web service, check your url."
}
def doAction(self, data):
host = helpers.evalString(self.host, {"data": data["flowData"]})
user = helpers.evalString(self.user, {"data": data["flowData"]})
password = auth.getPasswordFromENC(self.password)
client = windows.windows(host, user, password)
if client.client != None:
data["eventData"]["remote"] = {"client": client}
return {"result": True, "rc": 0, "msg": "Connection successful"}
else:
return {
"result": False,
"rc": 403,
"msg": "Connection failed - {0}".format(client.error)
}
def run(self, data, persistentData, actionResult):
ip = helpers.evalString(self.ip, {"data": data})
apiToken = auth.getPasswordFromENC(self.apiToken)
result = whoisxmlapi._whoisxmlapi(apiToken).ipGeolocation(ip)
if result:
actionResult["result"] = True
actionResult["rc"] = 0
actionResult["apiResult"] = result
else:
actionResult["result"] = False
actionResult["rc"] = 404
actionResult[
"msg"] = "Failed to get a valid response from whoisxmlapi API"
return actionResult
def run(self, data, persistentData, actionResult):
domainName = helpers.evalString(self.domainName, {"data": data})
apiToken = auth.getPasswordFromENC(self.apiToken)
result = whoisxmlapi._whoisxmlapi(apiToken).websiteContacts(domainName)
if result:
actionResult["result"] = True
actionResult["rc"] = 0
actionResult["base64Image"] = result
else:
actionResult["result"] = False
actionResult["rc"] = 404
actionResult[
"msg"] = "Failed to get a valid response from whoisxmlapi API"
return actionResult
def run(self,data,persistentData,actionResult):
if not hasattr(self,"plain_apiToken"):
self.plain_apiToken = auth.getPasswordFromENC(self.apiToken)
targetURL = helpers.evalString(self.targetURL,{"data" : data})
screenshotClass = screenshotapi._screenshotapi(self.plain_apiToken)
response = screenshotClass.takeScreenshot(targetURL)
if response:
actionResult["filename"] = screenshotClass.downloadScreenshot(response["screenshot"])
actionResult["result"] = True
actionResult["rc"] = 0
actionResult["msg"] = "Screenshot taken and saved"
return actionResult
actionResult["result"] = False
actionResult["rc"] = 1
actionResult["msg"] = "Error taking screenshot"
return actionResult
def run(self, data, persistentData, actionResult):
mailServerFQDN = helpers.evalString(self.mailServerFQDN,
{"data": data})
apiToken = auth.getPasswordFromENC(self.apiToken)
result = whoisxmlapi._whoisxmlapi(apiToken).reverseMXLookup(
mailServerFQDN)
if result:
actionResult["result"] = True
actionResult["rc"] = 0
actionResult["apiResult"] = result
else:
actionResult["result"] = False
actionResult["rc"] = 404
actionResult[
"msg"] = "Failed to get a valid response from whoisxmlapi API"
return actionResult
def run(self, data, persistentData, actionResult):
endpointID = helpers.evalString(self.endpointID, {"data": data})
tenant = helpers.evalString(self.tenant, {"data": data})
client_secret = auth.getPasswordFromENC(self.client_secret)
sophos = sophosApi.sophos(None, self.client_id, client_secret,
self.XOrganizationID)
sophos.setTenant(tenant)
res = sophos.postTamperProtection(
endpointID, {
"enabled": self.enable_protection,
"regeneratePassword": self.regenerate_password
})
if res["result"]:
actionResult["result"] = True
actionResult["rc"] = 0
actionResult["data"] = res["data"]
return actionResult
def run(self, data, persistentData, actionResult):
domainName = helpers.evalString(self.domainName, {"data": data})
lookupType = helpers.evalString(self.lookupType, {"data": data})
apiToken = auth.getPasswordFromENC(self.apiToken)
result = whoisxmlapi._whoisxmlapi(apiToken).dnsLookup(
domainName, lookupType)
if result:
actionResult["result"] = True
actionResult["rc"] = 0
actionResult["apiResult"] = result
else:
actionResult["result"] = False
actionResult["rc"] = 404
actionResult[
"msg"] = "Failed to get a valid response from whoisxmlapi API"
return actionResult
def check(self):
password = auth.getPasswordFromENC(self.splunkPassword)
secure = not self.insecure
s = splunk.splunkClass(self.splunkHost,
self.splunkPort,
self.splunkUsername,
password,
secure=secure,
ca=self.ca)
if not s:
if logging.debugEnabled:
logging.debug(
"Unable to authenticate to Splunk instance. actionID={0}".
format(self._id), 1)
return
jobID = s.startJob(self.searchQuery)
if s.waitJob(jobID):
pollResult = s.getJob(jobID)
self.result["events"] = pollResult["results"]
def run(self, data, persistentData, actionResult):
host = helpers.evalString(self.host, {"data": data})
user = helpers.evalString(self.user, {"data": data})
password = auth.getPasswordFromENC(self.password)
client = windows.windows(host, user, password)
if client.client != None:
persistentData["remote"] = {}
persistentData["remote"]["client"] = client
actionResult["result"] = True
actionResult["rc"] = 0
actionResult["msg"] = "Connection successful"
return actionResult
else:
actionResult["result"] = False
actionResult["rc"] = 403
actionResult["msg"] = "Connection failed - {0}".format(
client.error)
return actionResult
def run(self, data, persistentData, actionResult):
apiToken = auth.getPasswordFromENC(self.apiToken)
dropletName = helpers.evalString(self.dropletName, {"data": data})
region = helpers.evalString(self.region, {"data": data})
image = helpers.evalString(self.image, {"data": data})
size = helpers.evalString(self.size, {"data": data})
ssh_key = int(helpers.evalString(self.ssh_key, {"data": data}))
result = digitalocean._digitalocean(apiToken).createDroplet(
dropletName, region, image, size, [ssh_key])
if result:
actionResult["result"] = True
actionResult["rc"] = 0
actionResult["dropletID"] = result
else:
actionResult["result"] = False
actionResult["rc"] = 500
actionResult["msg"] = "Failed to get a valid response from API"
return actionResult
def check(self):
password = auth.getPasswordFromENC(self.password)
client = windows.windows(self.server, self.username, password)
now = int(time.time())
command = "powershell.exe -C \"Get-WinEvent -FilterHashtable @{Logname='" + self.eventName + "'} -MaxEvents " + str(
self.maxEvents
) + " -oldest | ForEach-Object { '<345start768>';($_ | format-list);'<678end546>' };\""
if self.lastPull > 0:
command = "powershell.exe -C \"Get-WinEvent -FilterHashtable @{Logname='" + self.eventName + "';'startTime'=((Get-Date 01.01.1970)+([System.TimeSpan]::fromseconds(" + str(
self.lastPull
) + ")))} -MaxEvents " + str(
self.maxEvents
) + " -oldest | ForEach-Object { '<345start768>';($_ | format-list);'<678end546>' };\""
exitCode, stdout, stderr = client.command(command)
client.disconnect()
events = re.findall(r'(<345start768>[\W\w\D\r\n]*?<678end546>)',
stdout, re.MULTILINE)
self.result["events"] = events
self.lastPull = now
self.update(["lastPull"])
def run(self, data, persistentData, actionResult):
import pyodbc
host = helpers.evalString(self.host, {"data": data})
username = helpers.evalString(self.username, {"data": data})
connectionDetails = helpers.evalDict(self.connectionDetails,
{"data": data})
dbType = helpers.evalString(self.dbType, {"data": data})
search = helpers.evalString(self.search, {"data": data})
password = auth.getPasswordFromENC(self.password)
timeout = 30
if self.timeout != 0:
timeout = self.timeout
actionResult["result"] = False
actionResult["rc"] = 404
actionResult["msg"] = "could not connect"
dbControl = database.control(dbType, host, username, password,
connectionDetails, timeout)
if dbControl.isConnected():
rc, results = dbControl.query(search, self.limit)
if rc:
if self.limit == 1:
if self.count:
actionResult["count"] = 1
else:
actionResult["row"] = results[0]
else:
if self.count:
actionResult["count"] = len(results)
else:
actionResult["rows"] = results
actionResult["rc"] = 0
actionResult["msg"] = "success"
actionResult["result"] = True
else:
actionResult["msg"] = results
else:
actionResult["msg"] = dbControl.message
return actionResult
def run(self, data, persistentData, actionResult):
apiToken = auth.getPasswordFromENC(self.apiToken)
dropletName = helpers.evalString(self.dropletName, {"data": data})
result = digitalocean._digitalocean(apiToken).listDroplets(
name=dropletName)
if result:
if "error" in result:
actionResult["result"] = False
actionResult["msg"] = result["msg"]
actionResult["rc"] = result["error"]
else:
actionResult["result"] = True
actionResult["rc"] = 0
actionResult["droplet"] = result
else:
actionResult["result"] = False
actionResult["rc"] = 500
actionResult[
"msg"] = "Unable to get droplet by name, it likely does not exist"
return actionResult
def run(self, data, persistentData, actionResult):
if not hasattr(self, "plain_humioAPIToken"):
self.plain_humio_ingest_token = auth.getPasswordFromENC(
self.humio_ingest_token)
# Get data dict
if len(self.custom_data) > 0:
dataToSend = helpers.evalDict(self.custom_data, {"data": data})
else:
if len(self.field) > 0:
dataToSend = helpers.getDictValue(self.field[0],
{"data": data})
else:
dataToSend = data
# Apply flatten
if self.flatten_field:
for key, value in data[self.flatten_field].items():
dataToSend[key] = value
del dataToSend[self.flatten_field]
# Send events
if type(dataToSend) is list:
events = []
for entry in dataToSend:
events.append(self.buildEvents(entry))
if not self.shippingHandlerBulk(events):
actionResult["result"] = False
actionResult["rc"] = 1
return actionResult
elif type(dataToSend) is dict:
if not self.shippingHandler(dataToSend):
actionResult["result"] = False
actionResult["rc"] = 2
return actionResult
actionResult["result"] = True
actionResult["rc"] = 0
return actionResult
def run(self, data, persistentData, actionResult):
if not hasattr(self, "plain_apiToken"):
self.plain_apiToken = auth.getPasswordFromENC(self.apiToken)
queryString = helpers.evalString(self.queryString, {"data": data})
facetsString = helpers.evalString(self.facetsString, {"data": data})
sapi = shodan._shodanapi(self.plain_apiToken)
response = sapi.hostSearch(queryString, facetsString)
responseData = response.text
if response.status_code == 200:
responseData = json.loads(responseData)
for x, responseDataItem in enumerate(responseData["matches"]):
responseData["matches"][x] = helpers.unicodeEscapeDict(
responseDataItem)
try:
responseData["matches"][x]["ssl"]["cert"]["serial"] = str(
responseDataItem["ssl"]["cert"]["serial"])
except:
pass
actionResult["result"] = True
actionResult["rc"] = response.status_code
actionResult["data"] = responseData
return actionResult
def check(self):
if not hasattr(self,"client_secret_plain"):
self.client_secret_plain = auth.getPasswordFromENC(self.client_secret)
sophosAPI = sophos.sophos(certSettings["ca"],self.client_id,self.client_secret_plain,self.XOrganizationID)
self.filters.append("view=full")
for tenant in self.tenants:
computers = []
if sophosAPI.setTenant(tenant):
computers = sophosAPI.getEndpoints(filters=self.filters)
if computers["result"]:
for computer in computers["data"]:
result = {}
# Name
if "hostname" in computer:
result["name"] = computer["hostname"].lower()
# LastSeen converted to epoch
if "lastSeenAt" in computer:
result["lastSeen"] = int(datetime.datetime.strptime(computer["lastSeenAt"],"%Y-%m-%dT%H:%M:%S.%fZ").timestamp()*1000)
# OS
if "os" in computer:
if "platform" in computer["os"]:
result["platform"] = computer["os"]["platform"].lower()
if result["platform"] == "windows":
if "name" in computer["os"]:
os = re.search('(.*) ((pro|enterprise|standard|datacenter))', computer["os"]["name"], re.IGNORECASE)
if os:
result["operatingSystem"] = os.group(1).lower()
result["operatingSystemEdition"] = os.group(2).lower()
if "build" in computer["os"]:
result["operatingSystemBuild"] = computer["os"]["build"]
if "majorVersion" in computer["os"] and "minorVersion" in computer["os"]:
result["operatingSystemVersion"] = "{0}.{1}".format(computer["os"]["majorVersion"],computer["os"]["minorVersion"])
elif result["platform"] == "linux":
if "name" in computer["os"]:
os = re.search('(.*) ((pro|enterprise|standard|datacenter)).*([0-9]\.[0-9]*)', computer["os"]["name"], re.IGNORECASE)
if os:
result["operatingSystem"] = os.group(1).lower()
result["operatingSystemEdition"] = os.group(2).lower()
result["operatingSystemVersion"] = os.group(2)
elif result["platform"] == "macOS":
result["operatingSystem"] = result["platform"]
if "majorVersion" in computer["os"] and "minorVersion" in computer["os"]:
result["operatingSystemVersion"] = "{0}.{1}".format(computer["os"]["majorVersion"],computer["os"]["minorVersion"])
if "build" in computer["os"]:
result["operatingSystemBuild"] = computer["os"]["build"]
# IP
if "ipv4Addresses" in computer:
if type(computer["ipv4Addresses"]) is list:
result["src_ip"] = computer["ipv4Addresses"][0]
# User
if "associatedPerson" in computer:
if "viaLogin" in computer["associatedPerson"]:
if "\\" in computer["associatedPerson"]["viaLogin"]:
userInfo = re.search('(.*)\\\\(.*)', computer["associatedPerson"]["viaLogin"], re.IGNORECASE)
if userInfo:
user = userInfo.group(2)
domain = userInfo.group(1)
else:
user = computer["associatedPerson"]["viaLogin"]
result["user"] = user.lower()
result["domain"] = domain.lower()
# Estate
result["estate"] = tenant
# Other Sophos Values
if "tamperProtectionEnabled" in computer:
result["tamperProtection"] = computer["tamperProtectionEnabled"]
versions = {}
if "assignedProducts" in computer:
for product in computer["assignedProducts"]:
if product["status"] == "installed":
versions[product["code"]] = product["version"]
result["versions"] = versions
if "health" in computer:
result["health"] = computer["health"]["overall"]
result["sophos_id"] = computer["id"]
self.result["events"].append(result)
def run(self, data, persistentData, actionResult):
observable = helpers.evalString(self.observable, {"data": data})
resultType = helpers.evalString(self.resultType, {"data": data})
apiKey = helpers.evalString(self.apiKey, {"data": data})
#Helpers
paramMap = {
"current results only": "report",
"current + previous results": "history"
}
if resultType != None:
param = paramMap[resultType]
if self.apiPass.startswith("ENC"):
apiPass = auth.getPasswordFromENC(self.apiPass)
data_string = f"{apiKey}:{apiPass}"
data_bytes = data_string.encode("ascii")
token = base64.b64encode(data_bytes).decode("ascii")
appjson = "application/json"
proxies = {"http": "http://", "https": "http://"}
certPath = "/"
xForceClient = xForce._IBMxForce(token,
appjson,
proxy=proxies,
ca=certPath)
# xForceClient = xForce._IBMxForce(token,appjson)
if xForceClient != None:
persistentData["xForce"] = {}
persistentData["xForce"]["client"] = xForceClient
try:
if self.isValidIp(observable):
result = xForceClient.checkReuptationHistoryIP(
param, observable)
actionResult["xforceResults"] = result
actionResult["result"] = True
actionResult["rc"] = 200
elif self.isValidDomain(
observable): #if self.isValidDomain(observable):
result = xForceClient.checkReuptationHistoryURL(
param, observable)
actionResult["xforceResults"] = result
actionResult["result"] = True
actionResult["rc"] = 200
else:
result = xForceClient.checkMalwareFileHash(observable)
# could be an invalid type returned
if result != None:
actionResult["xforceResults"] = result
actionResult["result"] = True
actionResult["rc"] = 200
except Exception as e:
line_number = sys.exc_info()[-1].tb_lineno
print(
f"(xForce Action) Exception has been raised on Line : {line_number}\nWith the following message: {e}"
)
self.resultMessage(actionResult, False, 400,
f"an Error has occured\n{e}")
return actionResult
def check(self):
if not self.humioOverrideSettings:
if "ca" in humioSettings:
h = humio.humioClass(humioSettings["host"],
humioSettings["port"],
humioSettings["apiToken"],
humioSettings["secure"],
humioSettings["ca"],
humioSettings["requestTimeout"])
else:
h = humio.humioClass(
humioSettings["host"],
humioSettings["port"],
humioSettings["apiToken"],
humioSettings["secure"],
requestTimeout=humioSettings["requestTimeout"])
else:
humioTimeout = 30
if self.humioTimeout > 0:
humioTimeout = self.humioTimeout
if not hasattr(self, "plain_humioAPIToken"):
self.plain_humioAPIToken = auth.getPasswordFromENC(
self.humioAPIToken)
if "ca" in humioSettings:
h = humio.humioClass(self.humioHost, self.humioPort,
self.plain_humioAPIToken, True,
humioSettings["ca"], humioTimeout)
else:
h = humio.humioClass(self.humioHost,
self.humioPort,
self.plain_humioAPIToken,
True,
requestTimeout=humioTimeout)
if "000000000001010000000000" in self._id:
self.humioJob = ""
if not self.humioJob or not self.searchLive:
logging.debug(
"Humio No Existing Job Found, class={0}".format(
self.parse(True)), 10)
kwargs = {}
# Skipping any undefined search values
if self.searchQuery:
kwargs["searchQuery"] = self.searchQuery
if self.searchStart:
kwargs["searchStart"] = self.searchStart
if self.searchLive:
kwargs["searchLive"] = self.searchLive
if self.searchEnd:
kwargs["searchEnd"] = self.searchEnd
createJobResult = h.createJob(self.searchRepository, **kwargs)
if createJobResult[0] == 200:
self.humioJob = createJobResult[1]
self.update(["humioJob"])
logging.debug(
"Humio Job Created, jobID={0}, class={1}".format(
self.humioJob, self.parse(True)), 8)
time.sleep(self.jobStartWaitTime)
else:
raise humio.jobCreateException(self._id, self.name,
self.searchQuery)
if self.humioJob:
logging.debug(
"Humio polling..., class={0}".format(self.parse(True)), 15)
wait = False
if not self.searchLive:
wait = True
pollResult = h.pollJob(self.searchRepository, self.humioJob, wait)
if pollResult[0] == 200 and "events" in pollResult[1]:
if self.onlyNew:
events = []
if len(pollResult[1]["events"]) > 0:
for event in pollResult[1]["events"]:
if int(event["@timestamp"]
) > self.lastEventTimestamp:
events.append(event)
self.lastEventTimestamp = int(
pollResult[1]["events"][-1]["@timestamp"]) / 1000
self.update(["lastEventTimestamp"])
self.result["events"] = events
else:
self.result["events"] = pollResult[1]["events"]
self.result["plugin"]["humio"] = {
"searchQuery": self.searchQuery,
"searchRepository": str(self.searchRepository)
}
else:
self.humioJob = ""
self.update(["humioJob"])
raise humio.jobPollException(self._id, self.name,
self.humioJob)
def run(self, data, persistentData, actionResult):
apiKey = helpers.evalString(self.apiKey, {"data": data})
if self.apiPass.startswith("ENC"):
apiPass = auth.getPasswordFromENC(self.apiPass)
#Use previous class obj in flow
if self.usePersistentData == True:
if "xForce" in persistentData:
if "client" in persistentData["xForce"]:
xForceClient = persistentData["xForce"]["client"]
creditsRemaining = xForceClient.checkApiUsage()
freeCreditsRemaining = creditsRemaining[0][
"quotaRemaining"]
if self.useThreshold == True:
if self.threshold != None:
if self.threshold > int(freeCreditsRemaining):
actionResult["data"][
"xforceCredits"] = freeCreditsRemaining
actionResult["data"][
"xforceAPIUsage"] = creditsRemaining
self.resultMessage(
actionResult, False, 308,
"User specified threshold hit - exiting")
return actionResult
else:
self.resultMessage(
actionResult, False, 308,
"Threshold enabled but max number not supplied - exiting"
)
return actionResult
actionResult["data"][
"xforceCredits"] = freeCreditsRemaining
actionResult["data"]["xforceAPIUsage"] = creditsRemaining
actionResult["result"] = True
actionResult["rc"] = 200
#Could not find config
else:
self.resultMessage(actionResult, False, 400,
"Could not find condig")
# Using User supplied conf
else:
try:
if self.apiPass == "" or apiKey == "":
self.resultMessage(actionResult, False, 400,
"Please supply credentials")
else:
data_string = f"{apiKey}:{apiPass}"
data_bytes = data_string.encode("ascii")
token = base64.b64encode(data_bytes).decode("ascii")
appjson = "application/json"
xForceClient = xForce._IBMxForce(token, appjson)
creditsRemaining = xForceClient.checkApiUsage()
if int(threshold) < int(creditsRemaining):
actionResult["data"][
"xforceCredits"] = creditsRemaining
self.resultMessage(
actionResult, False, 308,
"User specified threshold hit - exiting")
return actionResult
actionResult["data"]["xforceCredits"] = creditsRemaining
actionResult["result"] = True
actionResult["rc"] = 200
except Exception as e:
line_number = sys.exc_info()[-1].tb_lineno
print(
f"(xForce Action) Exception has been raised on Line : {line_number}\nWith the following message: {e}"
)
self.resultMessage(actionResult, False, 400,
"Could not check API")
return actionResult
def run(self, data, persistentData, actionResult):
apiKey = helpers.evalString(self.apiKey, {"data": data})
#Helpers
if self.apiPass.startswith("ENC"):
apiPass = auth.getPasswordFromENC(self.apiPass)
data_string = f"{apiKey}:{apiPass}"
data_bytes = data_string.encode("ascii")
token = base64.b64encode(data_bytes).decode("ascii")
appjson = "application/json"
proxies = {"http": "http://", "https": "http://"}
certPath = "/"
xForceClient = xForce._IBMxForce(token,
appjson,
proxy=proxies,
ca=certPath)
# xForceClient = xForce._IBMxForce(token,appjson)
# scanResults = gvmscan._gvmscan().query(query={ "gvmTarget" : scanName })["results"]
xForceThreatIntel = ibmXforce._ibmXforceThreatIntel().query(
query={"intelSource": "command_and_control_IPV4"})["results"]
if not xForceThreatIntel:
document = {"intelSource": "command_and_control_IPV4"}
ibmXforce._ibmXforceThreatIntel()._dbCollection.insert_one(
document)
if xForceClient != None:
persistentData["xForce"] = {}
persistentData["xForce"]["client"] = xForceClient
try:
response = xForceClient.premiumFetchCNCData()
# response = "IP_List"
epochTime = time.time()
queryDate = datetime.datetime.now()
if "IP_List" in response:
ipList = response["IP_List"]
indicatorCount = response["indicatorCount"]
if "data" in xForceThreatIntel[0]:
currentIndicators = set(xForceThreatIntel[0]["data"])
newIndicators = set(ipList)
difference = newIndicators.difference(currentIndicators)
combinedIndicators = currentIndicators.union(newIndicators)
ibmXforce._ibmXforceThreatIntel().api_update(
query={"intelSource": "command_and_control_IPV4"},
update={
"$set": {
"data": list(combinedIndicators),
"queryDateHumanReadible": f"{queryDate}",
"queryDate": f"{epochTime}"
}
})
actionResult["xforceResults"] = list(combinedIndicators)
actionResult["xforceCNCnewIOCs"] = len(difference)
actionResult["result"] = True
actionResult["rc"] = 200
#IPV4 Intel Is Null - populate
else:
ibmXforce._ibmXforceThreatIntel().api_update(
query={"intelSource": "command_and_control_IPV4"},
update={
"$set": {
"data": ipList,
"queryDateHumanReadible": f"{queryDate}",
"queryDate": f"{epochTime}"
}
})
actionResult["xforceResults"] = ipList
actionResult["result"] = True
actionResult["rc"] = 200
except Exception as e:
line_number = sys.exc_info()[-1].tb_lineno
print(
f"(xForce Action) Exception has been raised on Line : {line_number}\nWith the following message: {e}"
)
self.resultMessage(actionResult, False, 400,
f"an Error has occured\n{e}")
return actionResult
def run(self, data, persistentData, actionResult):
observableType = helpers.evalString(self.observabletype,
{"data": data})
observable = helpers.evalString(self.observable, {"data": data})
resultType = helpers.evalString(self.resultType, {"data": data})
apiKey = helpers.evalString(self.apiKey, {"data": data})
#Helpers
paramMap = {
"current results only": "report",
"current + previous results": "history"
}
if resultType != None:
param = paramMap[resultType]
# if observableType or observable or resultType == None:
# actionResult["result"] = False
# actionResult["rc"] = 400
# actionResult["message"] = "Parameters cannot be null"
if self.apiPass.startswith("ENC"):
apiPass = auth.getPasswordFromENC(self.apiPass)
data_string = f"{apiKey}:{apiPass}"
data_bytes = data_string.encode("ascii")
token = base64.b64encode(data_bytes).decode("ascii")
xForceResults = ibmXforce._ibmXforce().query(
query={"observable": observable})[
"results"] #, "queryType": observableType })["results"]
# if observable != "":
# if not xForceResults:
# ibmXforce._ibmXforce().new(f"{observable}") #Not working ????
appjson = "application/json"
proxies = {"http": "http://", "https": "http://"}
certPath = "//"
xForceClient = xForce._IBMxForce(token,
appjson,
proxy=proxies,
ca=certPath)
# xForceClient = xForce._IBMxForce(token,appjson)
if xForceClient != None:
persistentData["xForce"] = {}
persistentData["xForce"]["client"] = xForceClient
if observableType == "IPV4 Address" or observableType == "IPV6 Address":
if self.isValidIp(observable):
result = xForceClient.checkReuptationHistoryIP(
param, observable)
actionResult["xforceResults"] = result
actionResult["result"] = True
actionResult["rc"] = 200
else:
self.resultMessage(actionResult, False, 400, "not valid IP")
elif observableType == "Domain":
if self.isValidDomain(
observable): #if self.isValidDomain(observable):
result = xForceClient.checkReuptationHistoryURL(
param, observable)
actionResult["xforceResults"] = result
actionResult["result"] = True
actionResult["rc"] = 200
else:
self.resultMessage(actionResult, False, 400,
"not valid domain")
elif observableType == "Hash":
result = xForceClient.checkMalwareFileHash(observable)
if result != None:
actionResult["xforceResults"] = result
actionResult["result"] = True
actionResult["rc"] = 200
else:
self.resultMessage(actionResult, False, 400,
"an Error has occured")
return actionResult
def run(self, data, persistentData, actionResult):
searchQuery = helpers.evalString(self.searchQuery, {"data": data})
searchRepository = helpers.evalString(self.searchRepository,
{"data": data})
searchStart = helpers.evalString(self.searchStart, {"data": data})
searchEnd = helpers.evalString(self.searchEnd, {"data": data})
if not self.humioOverrideSettings:
if "ca" in humioSettings:
h = humio.humioClass(humioSettings["host"],
humioSettings["port"],
humioSettings["apiToken"],
humioSettings["secure"],
humioSettings["ca"],
humioSettings["requestTimeout"])
else:
h = humio.humioClass(
humioSettings["host"],
humioSettings["port"],
humioSettings["apiToken"],
humioSettings["secure"],
requestTimeout=humioSettings["requestTimeout"])
else:
humioTimeout = 30
if self.humioTimeout > 0:
humioTimeout = self.humioTimeout
if not hasattr(self, "plain_humioAPIToken"):
self.plain_humioAPIToken = auth.getPasswordFromENC(
self.humioAPIToken)
if "ca" in humioSettings:
h = humio.humioClass(self.humioHost, self.humioPort,
self.plain_humioAPIToken, True,
humioSettings["ca"], humioTimeout)
else:
h = humio.humioClass(self.humioHost,
self.humioPort,
self.plain_humioAPIToken,
True,
requestTimeout=humioTimeout)
if not self.searchLive:
kwargs = {}
# Skipping any undefined search values
if searchQuery:
kwargs["searchQuery"] = searchQuery
if searchStart:
kwargs["searchStart"] = searchStart
kwargs["searchLive"] = self.searchLive
if searchEnd:
kwargs["searchEnd"] = searchEnd
createJobResult = h.createJob(searchRepository, **kwargs)
if createJobResult[0] == 200:
humioJob = createJobResult[1]
wait = True
pollResult = h.pollJob(searchRepository, humioJob, wait)
if pollResult[0] == 200 and "events" in pollResult[1]:
actionResult["events"] = pollResult[1]["events"]
actionResult["rc"] = 0
actionResult["result"] = True
return actionResult
else:
if not self.humioJob:
logging.debug(
"Humio No Existing Job Found, class={0}".format(
self.parse(True)), 10)
kwargs = {}
# Skipping any undefined search values
if self.searchQuery:
kwargs["searchQuery"] = self.searchQuery
if self.searchStart:
kwargs["searchStart"] = self.searchStart
if self.searchLive:
kwargs["searchLive"] = self.searchLive
if self.searchEnd:
kwargs["searchEnd"] = self.searchEnd
createJobResult = h.createJob(self.searchRepository, **kwargs)
if createJobResult[0] == 200:
self.humioJob = createJobResult[1]
self.update(["humioJob"])
logging.debug(
"Humio Job Created, jobID={0}, class={1}".format(
self.humioJob, self.parse(True)), 8)
else:
raise humio.jobCreateException(self._id, self.name,
self.searchQuery)
if self.humioJob:
logging.debug(
"Humio polling..., class={0}".format(self.parse(True)), 15)
wait = False
if not self.searchLive:
wait = True
pollResult = h.pollJob(self.searchRepository, self.humioJob,
wait)
if pollResult[0] == 200 and "events" in pollResult[1]:
actionResult["events"] = pollResult[1]["events"]
actionResult["humio"] = {
"searchQuery": self.searchQuery,
"searchRepository": str(self.searchRepository)
}
actionResult["rc"] = 0
actionResult["result"] = True
else:
self.humioJob = ""
self.update(["humioJob"])
actionResult[
"msg"] = "Error: Unable to poll humio job. job='{0}'".format(
self.humioJob)
actionResult["rc"] = -1
actionResult["result"] = False
