def get_data_breach(self, param):
action_result = ActionResult(dict(param))
self._connector.add_action_result(action_result)
date_range = param['date_range']
param_reposted_credentials = None if 'reposted_credentials' not in param else param[
'reposted_credentials'].split(',')
param_severities = None if 'severities' not in param else param.get(
'severities').split(',')
param_statuses = None if 'statuses' not in param else param.get(
'statuses').split(',')
param_user_name = None if 'user_name' not in param else param.get(
'user_name').split(',')
try:
breach_service = DataBreachService(self._ds_api_key,
self._ds_api_secret_key)
breach_view = DataBreachService.data_breach_view(
published=date_range,
reposted_credentials=param_reposted_credentials,
severities=param_severities,
statuses=param_statuses,
username=param_user_name)
except Exception as e:
error_message = self._handle_exception_object.get_error_message_from_exception(
e)
return action_result.set_status(
phantom.APP_ERROR, "{0} {1}".format(SERVICE_ERR_MSG,
error_message))
try:
breach_pages = breach_service.find_all_pages(view=breach_view)
breach_total = len(breach_pages)
except StopIteration:
error_message = 'No DataBreach objects retrieved from the Digital Shadows API in page groups'
return action_result.set_status(
phantom.APP_ERROR, "Error Details: {0}".format(error_message))
except Exception as e:
error_message = self._handle_exception_object.get_error_message_from_exception(
e)
return action_result.set_status(
phantom.APP_ERROR,
"Error Connecting to server. {}".format(error_message))
if breach_total > 0:
summary = {
'data_breach_count': breach_total,
'data_breach_found': True
}
action_result.update_summary(summary)
for breach_page in breach_pages:
for breach in breach_page:
action_result.add_data(breach.payload)
action_result.set_status(phantom.APP_SUCCESS,
DS_GET_BREACH_SUCCESS)
else:
summary = {'data_breach_count': 0, 'data_breach_found': False}
action_result.update_summary(summary)
action_result.set_status(phantom.APP_SUCCESS,
DS_GET_BREACH_NOT_FOUND)
return action_result.get_status()
def lookup_username(self, param):
action_result = ActionResult(dict(param))
self._connector.add_action_result(action_result)
username_to_lookup = param.get('username')
username_service = DataBreachUsernameService(self._ds_api_key,
self._ds_api_secret_key)
view = username_service.data_breach_username_view(
username=username_to_lookup)
found_username = next(
(data_breach_username
for data_breach_username in username_service.find_all(view=view)
if data_breach_username.username == username_to_lookup), None)
if found_username is not None:
summary, data = self._lookup_success(username_to_lookup,
found_username)
action_result.update_summary(summary)
action_result.add_data(data)
action_result.set_status(phantom.APP_SUCCESS,
DS_LOOKUP_USERNAME_SUCCESS)
else:
summary, data = self._lookup_failure(username_to_lookup)
action_result.update_summary(summary)
action_result.add_data(data)
action_result.set_status(phantom.APP_SUCCESS,
DS_LOOKUP_USERNAME_NOT_FOUND)
return action_result.get_status()
def get_intel_incident_ioc_by_id(self, param):
action_result = ActionResult(dict(param))
self._connector.add_action_result(action_result)
param_types = None if 'types' not in param else param.get(
'types').split(',')
try:
intelligence_incident_service = IntelligenceIncidentService(
self._ds_api_key, self._ds_api_secret_key)
intelligence_incident_view = IntelligenceIncidentService.intelligence_incident_ioc_view(
types=param_types)
except Exception as e:
error_message = self._handle_exception_object.get_error_message_from_exception(
e)
return action_result.set_status(
phantom.APP_ERROR, "{0} {1}".format(SERVICE_ERR_MSG,
error_message))
intel_incident_id = param['intel_incident_id']
# validate 'intel_incident_id' action parameter
ret_val, intel_incident_id = self._handle_exception_object.validate_integer(
action_result, intel_incident_id, INTEL_INCIDENT_ID_KEY)
if phantom.is_fail(ret_val):
return action_result.get_status()
try:
intelligence_incident_ioc_pages = intelligence_incident_service.find_intel_incident_ioc_by_id(
intel_incident_id=intel_incident_id,
view=intelligence_incident_view)
intelligence_incident_ioc_total = len(
intelligence_incident_ioc_pages)
self._connector.save_progress(
"II IoC Total: {}".format(intelligence_incident_ioc_total))
except StopIteration:
error_message = 'No Incident review objects retrieved from the Digital Shadows API'
return action_result.set_status(
phantom.APP_ERROR, "Error Details: {0}".format(error_message))
except Exception as e:
error_message = self._handle_exception_object.get_error_message_from_exception(
e)
return action_result.set_status(
phantom.APP_ERROR,
"Error Connecting to server. {}".format(error_message))
if intelligence_incident_ioc_total > 0:
summary = {
'intelligence_incident_ioc_count':
intelligence_incident_ioc_total,
'intelligence_incident_ioc_found': True
}
action_result.update_summary(summary)
for intelligence_incident_ioc_page in intelligence_incident_ioc_pages:
for intelligence_incident_ioc in intelligence_incident_ioc_page:
self._connector.save_progress("loop id: {}".format(
intelligence_incident_ioc.payload))
action_result.add_data(intelligence_incident_ioc.payload)
action_result.set_status(phantom.APP_SUCCESS,
DS_GET_INTELLIGENCE_INCIDENT_SUCCESS)
return action_result.get_status()
def post_incident_review(self, param):
action_result = ActionResult(dict(param))
self._connector.add_action_result(action_result)
try:
incident_service = IncidentService(self._ds_api_key,
self._ds_api_secret_key)
except Exception as e:
error_message = self._handle_exception_object.get_error_message_from_exception(
e)
return action_result.set_status(
phantom.APP_ERROR, "{0} {1}".format(SERVICE_ERR_MSG,
error_message))
incident_id = param.get('incident_id')
# validate 'incident_id' action parameter
ret_val, incident_id = self._handle_exception_object.validate_integer(
action_result, incident_id, INCIDENT_ID_KEY)
if phantom.is_fail(ret_val):
return action_result.get_status()
post_data = {
'note': param.get('review_note'),
'status': param.get('review_status')
}
self._connector.save_progress("post_data: {}".format(post_data))
try:
response = incident_service.post_incident_review(
post_data, incident_id=incident_id)
except Exception as e:
error_message = self._handle_exception_object.get_error_message_from_exception(
e)
return action_result.set_status(
phantom.APP_ERROR,
"Error Connecting to server. {0}".format(error_message))
self._connector.save_progress("response: {}".format(response))
try:
summary = {
'incident_reviews_status_code': response['status'],
'incident_reviews_message': response['message']
}
action_result.update_summary(summary)
action_result.add_data(response['content'][0])
if response['message'] == "SUCCESS":
action_result.set_status(
phantom.APP_SUCCESS,
"Digital Shadows Incident review posted successfully")
else:
action_result.set_status(
phantom.APP_SUCCESS,
"Error in incident review post request")
except Exception as e:
error_message = self._handle_exception_object.get_error_message_from_exception(
e)
return action_result.set_status(
phantom.APP_ERROR,
"Error occurred while fetching data from response. {}".format(
error_message))
return action_result.get_status()
def get_data_breach_record_by_id(self, param):
action_result = ActionResult(dict(param))
self._connector.add_action_result(action_result)
try:
breach_record_service = DataBreachRecordService(
self._ds_api_key, self._ds_api_secret_key)
except Exception as e:
error_message = self._handle_exception_object.get_error_message_from_exception(
e)
return action_result.set_status(
phantom.APP_ERROR, "{0} {1}".format(SERVICE_ERR_MSG,
error_message))
breach_id = param['breach_id']
# validate 'breach_id' action parameter
ret_val, breach_id = self._handle_exception_object.validate_integer(
action_result, breach_id, BREACH_ID_KEY)
if phantom.is_fail(ret_val):
return action_result.get_status()
try:
breach_record_pages = breach_record_service.find_all_pages(
breach_id)
breach_record_total = len(breach_record_pages)
except StopIteration:
error_message = 'No data breach record retrieved from the Digital Shadows API in page groups'
return action_result.set_status(
phantom.APP_ERROR, "Error Details: {0}".format(error_message))
except Exception as e:
error_message = self._handle_exception_object.get_error_message_from_exception(
e)
return action_result.set_status(
phantom.APP_ERROR,
"Error Connecting to server. {}".format(error_message))
if breach_record_total > 0:
summary = {
'data_breach_record_count': breach_record_total,
'data_breach_record_found': True
}
action_result.update_summary(summary)
for breach_record_page in breach_record_pages:
for breach_record in breach_record_page:
action_result.add_data(breach_record.payload)
action_result.set_status(
phantom.APP_SUCCESS,
"Digital Shadows data breach records fetched")
else:
summary = {
'data_breach_record_count': 0,
'data_breach_record_found': False
}
action_result.update_summary(summary)
action_result.set_status(
phantom.APP_SUCCESS,
"Data breach record not found in Digital Shadows")
return action_result.get_status()
def _list_policies(self, param):
action_result = ActionResult(dict(param))
self.add_action_result(action_result)
# gets the full information for the Nessus policies
ret_val, list_policies = self._make_rest_call('policies/',
action_result)
if (phantom.is_fail(ret_val)):
return action_result.get_status()
policies = list_policies.get('policies', [])
if (type(policies) != list):
policies = [policies]
policy_counter = 0
for curr_item in policies:
action_result.add_data(curr_item)
if curr_item.get("id"):
policy_counter = policy_counter + 1
# creates an empty list to add the summary elements to
summary = action_result.update_summary({})
summary['policy_count'] = policy_counter
action_result.set_status(phantom.APP_SUCCESS)
return action_result.get_status()
def get_infrastructure_ip_ports(self, param):
action_result = ActionResult(dict(param))
self._connector.add_action_result(action_result)
infrastructure_service = InfrastructureService(self._ds_api_key,
self._ds_api_secret_key)
infrastructure_view = InfrastructureService.infrastructure_view()
infrastructure_pages = infrastructure_service.find_all_pages(
view=infrastructure_view)
infrastructure_total = len(infrastructure_pages)
if infrastructure_total > 0:
summary = {
'infrastructure_count': infrastructure_total,
'infrastructure_found': True
}
action_result.update_summary(summary)
for infrastructure_page in infrastructure_pages:
for infrastructure in infrastructure_page:
data = {
'id': infrastructure.id,
'ipAddress': infrastructure.ip_address,
'portNumber': str(infrastructure.port_number),
'transport': infrastructure.transport,
'discoveredOpen': infrastructure.discovered_open,
'incident': {
'id': infrastructure.incident_id,
'scope': infrastructure.incident_scope,
'type': infrastructure.incident_type,
'subType': infrastructure.incident_sub_type,
'severity': infrastructure.incident_severity,
'title': infrastructure.incident_title,
}
}
action_result.add_data(data)
action_result.set_status(phantom.APP_SUCCESS,
DS_GET_INFRASTRUCTURE_SUCCESS)
else:
summary = {
'infrastructure_count': 0,
'infrastructure_found': False
}
action_result.update_summary(summary)
action_result.set_status(phantom.APP_SUCCESS,
DS_GET_INFRASTRUCTURE_NOT_FOUND)
return action_result.get_status()
def _whois_object(self, param, json_key):
self.debug_print("param", param)
# Add an action result to the App Run
action_result = ActionResult(dict(param))
self.add_action_result(action_result)
input_object = param[json_key]
try:
self._parsed_whois_domain(input_object, action_result)
except Exception as e:
self.debug_print(e)
try:
if not action_result.get_status() == phantom.APP_SUCCESS:
self._regular_whois_domain(input_object, action_result)
except Exception as e:
message = 'Error while querying input_object'
action_result.set_status(phantom.APP_ERROR, message, e)
return action_result.get_status()
if (phantom.is_fail(action_result.get_status())):
return action_result.get_status()
data = action_result.get_data()
if (not data):
return action_result.get_status()
response = data[0]
if response and 'registrant' in response:
# get the registrant
summary = {'organization': response['registrant']}
if 'parsed_whois' in response:
contacts = response['parsed_whois'].get('contacts', {})
if type(contacts) == list:
registrant = contacts[0]
else:
registrant = contacts.get('registrant')
summary['city'] = registrant.get('city')
summary['country'] = registrant.get('country')
action_result.update_summary(summary)
return action_result.get_status()
def post_breach_record_review(self, param):
action_result = ActionResult(dict(param))
self._connector.add_action_result(action_result)
try:
breach_record_service = DataBreachRecordService(
self._ds_api_key, self._ds_api_secret_key)
except Exception as e:
error_message = self._handle_exception_object.get_error_message_from_exception(
e)
return action_result.set_status(
phantom.APP_ERROR, "{0} {1}".format(SERVICE_ERR_MSG,
error_message))
post_data = {
'note': param.get('review_note'),
'status': param.get('review_status')
}
breach_record_id = param.get('breach_record_id')
# validate 'breach_record_id' action parameter
ret_val, breach_record_id = self._handle_exception_object.validate_integer(
action_result, breach_record_id, BREACH_RECORD_ID_KEY)
if phantom.is_fail(ret_val):
return action_result.get_status()
try:
response = breach_record_service.post_data_breach_record_review(
post_data, breach_record_id=breach_record_id)
except Exception as e:
error_message = self._handle_exception_object.get_error_message_from_exception(
e)
return action_result.set_status(
phantom.APP_ERROR,
"Error Connecting to server. {0}".format(error_message))
summary = {
'breach_record_reviews_status_code': response['status'],
'breach_record_reviews_message': response['message']
}
action_result.update_summary(summary)
if response['message'] == "SUCCESS":
action_result.set_status(
phantom.APP_SUCCESS,
"Digital Shadows breach record review posted successfully")
else:
action_result.set_status(
phantom.APP_SUCCESS,
"Error in breach record review post request")
def listStaticBlackHoledIPs(self, param):
"""
"""
action_result = ActionResult(
dict(param)) # Add an action result to the App Run
self.add_action_result(action_result)
config = self.get_config()
self.debug_print(config)
try:
self.username = config["username"]
self.password = config["password"]
self.device = config["trigger_host"]
self.next_hop_IP = config['route_to_null']
except KeyError:
self.debug_print("Error: {0}".format(KeyError))
self.debug_print("Device: {0}, User: {1}, Password: {2}".format(
self.device, self.username, self.password))
# Get the current list of static routes from the Target Host
route_list = self._get_StaticBlackHoledIPs(self.username,
self.password, self.device,
self.next_hop_IP)
self.debug_print(
"listStaticBlackHoledIP's result RAW: {0}".format(route_list))
# Even if the query was successfull the data might not be available
if len(route_list) == 0:
return action_result.set_status(
phantom.APP_ERROR, 'CISCO_CSR_ERR_QUERY_RETURNED_NO_DATA')
else:
for dest in route_list:
action_result.add_data({'blackholed-network': dest})
summary = "Query returned %s routes" % len(route_list)
action_result.update_summary({'message': summary})
self.set_status_save_progress(phantom.APP_SUCCESS, summary)
#action_result.set_status(phantom.APP_SUCCESS)
return action_result.get_status()
def get_incident_review_by_id(self, param):
action_result = ActionResult(dict(param))
self._connector.add_action_result(action_result)
incident_id = param['incident_id']
# validate 'incident_id' action parameter
ret_val, incident_id = self._handle_exception_object.validate_integer(
action_result, incident_id, INCIDENT_ID_KEY)
if phantom.is_fail(ret_val):
return action_result.get_status()
try:
incident_service = IncidentService(self._ds_api_key,
self._ds_api_secret_key)
except Exception as e:
error_message = self._handle_exception_object.get_error_message_from_exception(
e)
return action_result.set_status(
phantom.APP_ERROR, "{0} {1}".format(SERVICE_ERR_MSG,
error_message))
try:
incident_reviews = incident_service.find_all_reviews(incident_id)
incident_reviews_total = len(incident_reviews)
except Exception as e:
error_message = self._handle_exception_object.get_error_message_from_exception(
e)
return action_result.set_status(
phantom.APP_ERROR,
"Error Connecting to server. {0}".format(error_message))
if incident_reviews_total > 0:
summary = {
'incident_reviews_count': incident_reviews_total,
'incident_reviews_found': True
}
action_result.update_summary(summary)
for incident_review in incident_reviews:
action_result.add_data(incident_review)
action_result.set_status(
phantom.APP_SUCCESS,
"Digital Shadows incident reviews fetched for the Incident ID: {}"
.format(incident_id))
return action_result.get_status()
def get_data_breach_record_reviews(self, param):
action_result = ActionResult(dict(param))
self._connector.add_action_result(action_result)
try:
breach_record_service = DataBreachRecordService(
self._ds_api_key, self._ds_api_secret_key)
except Exception as e:
error_message = self._handle_exception_object.get_error_message_from_exception(
e)
return action_result.set_status(
phantom.APP_ERROR, "{0} {1}".format(SERVICE_ERR_MSG,
error_message))
breach_record_id = param['breach_record_id']
# validate 'breach_record_id' action parameter
ret_val, breach_record_id = self._handle_exception_object.validate_integer(
action_result, breach_record_id, BREACH_RECORD_ID_KEY)
if phantom.is_fail(ret_val):
return action_result.get_status()
try:
breach_record_reviews = breach_record_service.find_data_breach_record_reviews(
breach_record_id)
breach_record_reviews_total = len(breach_record_reviews)
except Exception as e:
error_message = self._handle_exception_object.get_error_message_from_exception(
e)
return action_result.set_status(
phantom.APP_ERROR,
"Error Connecting to server. {0}".format(error_message))
if breach_record_reviews_total > 0:
summary = {
'breach_record_reviews_count': breach_record_reviews_total,
'breach_record_reviews_found': True
}
action_result.update_summary(summary)
for breach_record_review in breach_record_reviews:
action_result.add_data(breach_record_review)
action_result.set_status(
phantom.APP_SUCCESS,
"Digital Shadows breach record reviews fetched for the Breach Record ID: {}"
.format(breach_record_id))
return action_result.get_status()
def _handle_get_report(self, param):
# type: (Dict[Text, Any]) -> bool
submission_id = int(param["submission_id"])
try:
timeout = int(param["timeout"])
if timeout < 0:
timeout = DEFAULT_TIMEOUT
except Exception:
timeout = DEFAULT_TIMEOUT
status, res = self._get_report(submission_id, timeout)
if status == phantom.APP_ERROR:
error_msg, exc = res
self.set_status(phantom.APP_ERROR, error_msg, exc)
return self.get_status()
analyses = res["analyses"]
reputation_lookup = res["reputation_lookup"]
severity = res["severity"]
submission_url = res["submission_url"]
action_result = ActionResult(dict(param))
self.add_action_result(action_result)
for analysis in analyses:
action_result.add_data({"analysis": analysis})
if reputation_lookup:
action_result.add_data({"reputation_lookup": reputation_lookup[0]})
action_result.update_summary({
"severity": severity,
"submission_id": submission_id,
"url": submission_url
})
action_result.set_status(phantom.APP_SUCCESS)
return action_result.get_status()
def get_data_breach_by_id(self, param):
action_result = ActionResult(dict(param))
self._connector.add_action_result(action_result)
try:
breach_service = DataBreachService(self._ds_api_key,
self._ds_api_secret_key)
except Exception as e:
error_message = self._handle_exception_object.get_error_message_from_exception(
e)
return action_result.set_status(
phantom.APP_ERROR, "{0} {1}".format(SERVICE_ERR_MSG,
error_message))
breach_id = param['breach_id']
# validate 'breach_id' action parameter
ret_val, breach_id = self._handle_exception_object.validate_integer(
action_result, breach_id, BREACH_ID_KEY)
if phantom.is_fail(ret_val):
return action_result.get_status()
try:
breach = breach_service.find_data_breach_by_id(breach_id)
except Exception as e:
error_message = self._handle_exception_object.get_error_message_from_exception(
e)
return action_result.set_status(
phantom.APP_ERROR,
"Error Connecting to server. {0}".format(error_message))
if 'id' in breach:
summary = {'data_breach_count': 1, 'data_breach_found': True}
action_result.update_summary(summary)
action_result.add_data(breach)
action_result.set_status(phantom.APP_SUCCESS,
DS_GET_BREACH_SUCCESS)
else:
summary = {'data_breach_count': 0, 'data_breach_found': False}
action_result.update_summary(summary)
action_result.set_status(phantom.APP_SUCCESS,
DS_GET_BREACH_NOT_FOUND)
return action_result.get_status()
def get_incident_by_id(self, param):
action_result = ActionResult(dict(param))
self._connector.add_action_result(action_result)
try:
incident_service = IncidentService(self._ds_api_key,
self._ds_api_secret_key)
except Exception as e:
error_message = self._handle_exception_object.get_error_message_from_exception(
e)
return action_result.set_status(
phantom.APP_ERROR, "{0} {1}".format(SERVICE_ERR_MSG,
error_message))
incident_id = param['incident_id']
# validate 'incident_id' action parameter
ret_val, incident_id = self._handle_exception_object.validate_integer(
action_result, incident_id, INCIDENT_ID_KEY)
if phantom.is_fail(ret_val):
return action_result.get_status()
try:
incident = incident_service.find_incident_by_id(incident_id)
except Exception as e:
error_message = self._handle_exception_object.get_error_message_from_exception(
e)
return action_result.set_status(
phantom.APP_ERROR,
"Error Connecting to server. {0}".format(error_message))
if 'id' in incident:
summary = {'incident_found': True}
action_result.update_summary(summary)
action_result.add_data(incident)
action_result.set_status(phantom.APP_SUCCESS,
DS_GET_INCIDENT_SUCCESS)
return action_result.get_status()
def _handle_scan_host(self, param):
self.debug_print("param", param)
action_result = ActionResult(dict(param))
self.add_action_result(action_result)
# target to scan
host_to_scan = param[TARGET_TO_SCAN]
# lets get the id of the scan policy to use
policy_id = param[POLICY_ID]
# these are the options needed to create the scan launched. The scan uses the policy id and targets from
# Phantom. The UUID does not need to be changed as it comes from the advanced scan template
scanOptions = {
"uuid": "ab4bacd2-05f6-425c-9d79-3ba3940ad1c24e51e1f403febe40",
"settings": {
"name": "Scan Launched from Phantom",
"enabled": "true",
"scanner_id": "1",
"policy_id": str(policy_id),
"text_targets": str(host_to_scan),
"launch_now": "true"
}
}
self.save_progress("Launching scan against " + str(host_to_scan))
ret_val, running_scan_data = self._make_rest_call('scans',
action_result,
method='post',
data=scanOptions)
if (phantom.is_fail(ret_val)):
return action_result.get_status()
# Once the scan has been launched and is running it is assigned an id which is gathered below
scan_id = running_scan_data['scan']['id']
completed = " "
hosts = []
# this checks every 30 seconds to see if the scan is still running.
while completed != "completed":
ret_val, scanStatus = self._make_rest_call(
'scans/{0}'.format(str(scan_id)), action_result)
if (phantom.is_fail(ret_val)):
self.save_progress(
"There was an error checking for the status of the scan")
return action_result.get_status()
completed = scanStatus["info"]
if completed['status'] != 'completed':
self.send_progress("scan still in progress")
time.sleep(30)
else:
completed = "completed"
self.send_progress("scan completed")
hosts = scanStatus.get('hosts', [])
if (type(hosts) != list):
hosts = [hosts]
for curr_item in hosts:
action_result.add_data(curr_item)
if (hosts):
scan_final_data = hosts[-1]
total = scan_final_data["low"] + scan_final_data[
"medium"] + scan_final_data["high"] + scan_final_data[
"critical"]
summary = action_result.update_summary({})
summary['total_vulns'] = total
else:
return action_result.set_status(
phantom.APP_ERROR,
"Response is empty. Please check the input parameters.")
return action_result.set_status(phantom.APP_SUCCESS)
def search_entities(self, param):
action_result = ActionResult(dict(param))
self._connector.add_action_result(action_result)
self._connector.save_progress("process started...!!! ")
# type = param.get('types').split(',')
type = ["CLIENT_INCIDENT", "DATA_BREACH", "AGGREGATE_DATA_BREACH", "INTELLIGENCE", "TECHNICAL_SOURCE", "WEB_SOURCE"]
date_range = param.get('date_range')
query = param.get('query')
"""
incident_types = param.get('incident_types')
incident_subtypes = param.get('incident_subtypes')
incident_severities = param.get('incident_severities')
web_page_networks = param.get('web_page_networks')
forum_post_networks = param.get('forum_post_networks')
marketplace_listing_networks = param.get('marketplace_listing_networks')
market_places = param.get('marketplaces')
chat_protocols = param.get('chat_protocols')
chat_servers = param.get('chat_servers')
chat_channels = param.get('chat_channels')
threat_level_types = param.get('threat_level_types')
web_page_site_categories = param.get('web_page_site_categories')
forum_post_site_categories = param.get('forum_post_site_categories')
blog_names = param.get('blog_names')
date_period = param.get('date_period')
start_date = param.get('from')
end_date = param.get('until')
"""
try:
search_service = SearchEntitiesService(self._ds_api_key, self._ds_api_secret_key)
except Exception as e:
error_message = self._handle_exception_object.get_error_message_from_exception(e)
return action_result.set_status(phantom.APP_ERROR, "{0} {1}".format(SERVICE_ERR_MSG, error_message))
try:
search_view = search_service.search_entity_view(dateRange=date_range, query_string=query, types=type)
except Exception as e:
error_message = self._handle_exception_object.get_error_message_from_exception(e)
return action_result.set_status(phantom.APP_ERROR, "Error Connecting to server. {0}".format(error_message))
"""
search_view = search_service.search_entity_view(types=type, dateRange=date_range, incidentTypes=incident_types, incidentSubtypes=incident_subtypes,
incidentSeverities=incident_severities, webPageNetworks=web_page_networks,
forumPostNetworks=forum_post_networks, marketplaceListingNetworks=marketplace_listing_networks,
marketplaces=market_places, chatProtocols=chat_protocols, chatServers=chat_servers,
chatChannels=chat_channels, threatLevelTypes=threat_level_types,
webPageSiteCategories=web_page_site_categories, forumPostSiteCategories=forum_post_site_categories,
blogNames=blog_names, datePeriod=date_period, from_date=start_date,
until=end_date, query_string=query)
"""
self._connector.save_progress("View: {}".format(search_view))
try:
search_entity_pages = search_service.find_all_pages(view=search_view)
# self._connector.save_progress("entity: " + str(search_entity_pages))
entity_total = len(search_entity_pages)
except StopIteration:
error_message = 'No Search Entity objects retrieved from the Digital Shadows API in page groups'
return action_result.set_status(phantom.APP_ERROR, "Error Details: {0}".format(error_message))
except Exception as e:
error_message = self._handle_exception_object.get_error_message_from_exception(e)
return action_result.set_status(phantom.APP_ERROR, "Error Connecting to server. {}".format(error_message))
if entity_total > 0:
summary = {
'entity_count': entity_total,
'entity_found': True
}
action_result.update_summary(summary)
for entity_page in search_entity_pages:
for entity in entity_page:
# self._connector.save_progress("entity payload: " + str(entity.payload))
action_result.add_data(entity.payload)
action_result.set_status(phantom.APP_SUCCESS, 'String search entities are fetched')
else:
summary = {
'entity_count': 0,
'entity_found': False
}
action_result.update_summary(summary)
action_result.set_status(phantom.APP_SUCCESS, 'Entities not found for search string')
return action_result.get_status()
def _handle_get_info(self, param):
# type: (Dict[Text, Any]) -> bool
status, api = self._get_api()
if api is None:
return status
self.debug_print("param", param)
try:
timeout = int(param["timeout"])
if timeout < 0:
timeout = DEFAULT_TIMEOUT
except Exception:
timeout = DEFAULT_TIMEOUT
hsh = param["hash"]
self.save_progress("Searching %s" % (hsh))
if len(hsh) == 32:
res = api.get_sample_by_md5(hsh)
elif len(hsh) == 40:
res = api.get_sample_by_sha1(hsh)
elif len(hsh) == 64:
res = api.get_sample_by_sha256(hsh)
else:
self.set_status(phantom.APP_ERROR, VMRAY_ERR_UNSUPPORTED_HASH)
return self.get_status()
if len(res) == 0:
self.set_status(phantom.APP_ERROR, VMRAY_ERR_SAMPLE_NOT_FOUND)
return self.get_status()
self.save_progress("Check for finished submissions")
has_finished_submission = False
seconds_waited = 0
while True:
submissions = api.call(
"GET", "/rest/submission/sample/%u" % res[0]["sample_id"])
if not submissions:
self.set_status(phantom.APP_ERROR, VMRAY_ERR_NO_SUBMISSIONS)
return self.get_status()
has_finished_submission = any(
[sub.get("submission_finished", False) for sub in submissions])
if has_finished_submission or timeout == 0:
break
elif seconds_waited >= timeout:
break
else:
self.send_progress("No submission finished yet")
time_to_wait = min(30, timeout - seconds_waited)
seconds_waited += time_to_wait
self.send_progress("Waited %d/%d seconds" %
(seconds_waited, timeout))
time.sleep(time_to_wait)
if not has_finished_submission:
self.set_status(phantom.APP_ERROR,
VMRAY_ERR_SUBMISSION_NOT_FINISHED)
return self.get_status()
sample_info = api.get_sample(res[0]["sample_id"])
action_result = ActionResult(dict(param))
self.add_action_result(action_result)
action_result.add_data(sample_info)
action_result.update_summary({
"score": sample_info["sample_score"],
"severity": sample_info["sample_severity"]
})
action_result.set_status(phantom.APP_SUCCESS)
return action_result.get_status()
def get_intelligence_incident_by_id(self, param):
action_result = ActionResult(dict(param))
self._connector.add_action_result(action_result)
try:
intelligence_incident_service = IntelligenceIncidentService(
self._ds_api_key, self._ds_api_secret_key)
except Exception as e:
error_message = self._handle_exception_object.get_error_message_from_exception(
e)
return action_result.set_status(
phantom.APP_ERROR, "{0} {1}".format(SERVICE_ERR_MSG,
error_message))
intel_incident_id = param['intel_incident_id']
# validate 'intel_incident_id' action parameter
ret_val, intel_incident_id = self._handle_exception_object.validate_integer(
action_result, intel_incident_id, INTEL_INCIDENT_ID_KEY)
if phantom.is_fail(ret_val):
return action_result.get_status()
try:
intelligence_incident = intelligence_incident_service.find_intel_incident_by_id(
intel_incident_id)
except Exception as e:
error_message = self._handle_exception_object.get_error_message_from_exception(
e)
return action_result.set_status(
phantom.APP_ERROR,
"Error Connecting to server. {0}".format(error_message))
# intelligence_incident_total = len(intelligence_incident_pages)
# if intelligence_incident_total > 0:
if 'id' in intelligence_incident:
summary = {
'intelligence_incident_count': 1,
'intelligence_incident_found': True
}
action_result.update_summary(summary)
action_result.add_data(intelligence_incident)
"""
for intelligence_incident_page in intelligence_incident_pages:
for intelligence_incident in intelligence_incident_page:
data = {
'incident_id': intelligence_incident.id,
'type': intelligence_incident.payload['type'],
'severity': intelligence_incident.payload['severity'],
'title': intelligence_incident.payload['title'],
'summary': unidecode(intelligence_incident.payload['summary']),
'published': intelligence_incident.payload['published'],
'modified': intelligence_incident.payload['modified'],
'occurred': intelligence_incident.payload['occurred'],
'verified': intelligence_incident.payload['verified'],
'description': unidecode(intelligence_incident.payload['description']),
'entitysummary': {
'source': intelligence_incident.payload['entitySummary']['source'],
'summarytext': intelligence_incident.payload['entitySummary']['summarytext'] if 'summarytext' in intelligence_incident.payload['entitySummary'] else '',
'domain': intelligence_incident.payload['entitySummary']['domain'],
'sourceDate': intelligence_incident.payload['entitySummary']['sourceDate'],
'type': intelligence_incident.payload['entitySummary']['type']
}
}
action_result.add_data(data)
"""
action_result.set_status(phantom.APP_SUCCESS,
DS_GET_INTELLIGENCE_INCIDENT_SUCCESS)
return action_result.get_status()
def get_intelligence_incident(self, param):
action_result = ActionResult(dict(param))
self._connector.add_action_result(action_result)
# interval_startdate = date.today() - timedelta(int(param['date_range']))
date_ranges = param.get('date_range')
incident_types = []
if param.get('incident_types') is not None:
param_incident_types = param.get('incident_types').split(',')
for inc_type in param_incident_types:
if inc_type == "DATA_LEAKAGE":
incident_types.append({
'type': 'DATA_LEAKAGE',
'subTypes': DS_DL_SUBTYPE
})
if inc_type == "BRAND_PROTECTION":
incident_types.append({
'type': 'BRAND_PROTECTION',
'subTypes': DS_BP_SUBTYPE
})
if inc_type == "INFRASTRUCTURE":
incident_types.append({
'type': 'INFRASTRUCTURE',
'subTypes': DS_INFR_SUBTYPE
})
if inc_type == "PHYSICAL_SECURITY":
incident_types.append({
'type': 'PHYSICAL_SECURITY',
'subTypes': DS_PS_SUBTYPE
})
if inc_type == "SOCIAL_MEDIA_COMPLIANCE":
incident_types.append({
'type': 'SOCIAL_MEDIA_COMPLIANCE',
'subTypes': DS_SMC_SUBTYPE
})
if inc_type == "CYBER_THREAT":
incident_types.append({'type': 'CYBER_THREAT'})
else:
param_incident_types = None
try:
intelligence_incident_service = IntelligenceIncidentService(
self._ds_api_key, self._ds_api_secret_key)
intelligence_incident_view = IntelligenceIncidentService.intelligence_incidents_view(
date_range=date_ranges,
date_range_field='published',
types=incident_types)
except Exception as e:
error_message = self._handle_exception_object.get_error_message_from_exception(
e)
return action_result.set_status(
phantom.APP_ERROR, "{0} {1}".format(SERVICE_ERR_MSG,
error_message))
try:
intelligence_incident_pages = intelligence_incident_service.find_all_pages(
view=intelligence_incident_view)
intelligence_incident_total = len(intelligence_incident_pages)
except StopIteration:
error_message = 'No IntelligenceIncident objects retrieved from the Digital Shadows API in page groups'
return action_result.set_status(
phantom.APP_ERROR, "Error Details: {0}".format(error_message))
except Exception as e:
error_message = self._handle_exception_object.get_error_message_from_exception(
e)
return action_result.set_status(
phantom.APP_ERROR,
"Error Connecting to server. {}".format(error_message))
if intelligence_incident_total > 0:
summary = {
'intelligence_incident_count': intelligence_incident_total,
'intelligence_incident_found': True
}
action_result.update_summary(summary)
for intelligence_incident_page in intelligence_incident_pages:
for intelligence_incident in intelligence_incident_page:
action_result.add_data(intelligence_incident.payload)
action_result.set_status(phantom.APP_SUCCESS,
DS_GET_INTELLIGENCE_INCIDENT_SUCCESS)
return action_result.get_status()
def _handle_post_url(self, param):
action_result = ActionResult(dict(param))
self.add_action_result(action_result)
params = dict()
params['url'] = param["url"]
params['key'] = self._api_key
# Check if we have a size
sizes = {
"tiny": "T",
"small": "S",
"normal": "N",
"medium": "M",
"large": "L",
"full page": "F"
}
test = param.get("size")
if not test:
self.save_progress(
"Size was blank, using the default \"full page\" size.")
test = "full page"
if not sizes.get(test.lower()):
self.save_progress(
"Given size not found, using the default \"full page\" size.")
params['size'] = "F"
else:
params['size'] = sizes[test.lower()]
# Check if we have a Secret Phrase
if self._api_phrase is None:
params['hash'] = ""
else:
params['hash'] = str(
hashlib.md5(params['url'] + self._api_phrase).hexdigest())
params['cacheLimit'] = '0'
params['format'] = 'JPG'
params['timeout'] = '200'
ret_val, image = self._make_rest_call('',
action_result,
params,
method='post',
stream=True)
if (phantom.is_fail(ret_val)):
return action_result.get_status()
permalink = None
# only create a permalink if the hash is used
if params['hash']:
permalink = self._get_sspermalink('', params=params, method='post')
file_name = param["url"] + "_screenshot.jpg"
if hasattr(Vault, "create_attachment"):
vault_ret = Vault.create_attachment(image,
self.get_container_id(),
file_name=file_name)
else:
if hasattr(Vault, 'get_vault_tmp_dir'):
temp_dir = Vault.get_vault_tmp_dir()
else:
temp_dir = '/opt/phantom/vault/tmp'
temp_dir = temp_dir + '/{}'.format(uuid.uuid4())
os.makedirs(temp_dir)
file_path = os.path.join(temp_dir, 'tempimage.jpg')
with open(file_path, 'wb') as f:
f.write(image)
vault_ret = Vault.add_attachment(file_path,
self.get_container_id(),
file_name=file_name)
if vault_ret.get('succeeded'):
action_result.set_status(phantom.APP_SUCCESS,
"Downloaded screenshot")
summary = {
phantom.APP_JSON_VAULT_ID:
vault_ret[phantom.APP_JSON_HASH],
phantom.APP_JSON_NAME:
file_name,
'vault_file_path':
Vault.get_file_path(vault_ret[phantom.APP_JSON_HASH]),
phantom.APP_JSON_SIZE:
vault_ret.get(phantom.APP_JSON_SIZE)
}
if permalink:
summary['permalink'] = permalink
action_result.update_summary(summary)
return action_result.get_status()
def get_infrastructure_ssl(self, param):
action_result = ActionResult(dict(param))
self._connector.add_action_result(action_result)
infrastructure_ssl_service = InfrastructureSSLService(
self._ds_api_key, self._ds_api_secret_key)
infrastructure_ssl_view = InfrastructureSSLService.infrastructure_ssl_view(
)
infrastructure_ssl_pages = infrastructure_ssl_service.find_all_pages(
view=infrastructure_ssl_view)
infrastructure_ssl_total = len(infrastructure_ssl_pages)
if infrastructure_ssl_total > 0:
summary = {
'infrastructure_ssl_count': infrastructure_ssl_total,
'infrastructure_ssl_found': True
}
action_result.update_summary(summary)
for infrastructure_ssl_page in infrastructure_ssl_pages:
for infrastructure_ssl in infrastructure_ssl_page:
data = {
'id':
infrastructure_ssl.id,
'domainName':
infrastructure_ssl.payload['domainName'],
'ipAddress':
infrastructure_ssl.payload['ipAddress'],
'portNumber':
infrastructure_ssl.payload['portNumber'],
'transport':
infrastructure_ssl.payload['transport'],
'discovered':
infrastructure_ssl.payload['discovered'],
'grade':
infrastructure_ssl.payload['grade'],
'certificateCommonName':
infrastructure_ssl.payload['certificateCommonName'],
'expires':
infrastructure_ssl.payload['expires'],
'incident': {
'id':
infrastructure_ssl.payload['incident']['id'],
'scope':
infrastructure_ssl.payload['incident']['scope'],
'type':
infrastructure_ssl.payload['incident']['type'],
'subType':
infrastructure_ssl.payload['incident']['subType'],
'severity':
infrastructure_ssl.payload['incident']['severity'],
'title':
infrastructure_ssl.payload['incident']['title'],
}
}
action_result.add_data(data)
action_result.set_status(phantom.APP_SUCCESS,
DS_GET_INFRASTRUCTURE_SSL_SUCCESS)
else:
summary = {
'infrastructure_ssl_count': 0,
'infrastructure_ssl_found': False
}
action_result.update_summary(summary)
action_result.set_status(phantom.APP_SUCCESS,
DS_GET_INFRASTRUCTURE_SSL_NOT_FOUND)
return action_result.get_status()
def get_infrastructure_vulnerabilities(self, param):
action_result = ActionResult(dict(param))
self._connector.add_action_result(action_result)
infrastructure_vulnerabilities_service = InfrastructureVulnerabilitiesService(
self._ds_api_key, self._ds_api_secret_key)
infrastructure_vulnerabilities_view = InfrastructureVulnerabilitiesService.infrastructure_vulnerabilities_view(
)
infrastructure_vulnerabilities_pages = infrastructure_vulnerabilities_service.find_all_pages(
view=infrastructure_vulnerabilities_view)
infrastructure_vulnerabilities_total = len(
infrastructure_vulnerabilities_pages)
if infrastructure_vulnerabilities_total > 0:
summary = {
'infrastructure_vulnerabilities_count':
infrastructure_vulnerabilities_total,
'infrastructure_vulnerabilities_found': True
}
action_result.update_summary(summary)
for infrastructure_vulnerabilities_page in infrastructure_vulnerabilities_pages:
for infrastructure_vulnerabilities in infrastructure_vulnerabilities_page:
data = {
'id':
infrastructure_vulnerabilities.id,
'reverseDomainName':
infrastructure_vulnerabilities.
payload['reverseDomainName'],
'ipAddress':
infrastructure_vulnerabilities.payload['ipAddress'],
'cveId':
infrastructure_vulnerabilities.payload['cveId'],
'discovered':
infrastructure_vulnerabilities.payload['discovered'],
'determinedResolved':
infrastructure_vulnerabilities.
payload['determinedResolved'],
'incident': {
'id':
infrastructure_vulnerabilities.payload['incident']
['id'],
'scope':
infrastructure_vulnerabilities.payload['incident']
['scope'],
'type':
infrastructure_vulnerabilities.payload['incident']
['type'],
'subType':
infrastructure_vulnerabilities.payload['incident']
['subType'],
'severity':
infrastructure_vulnerabilities.payload['incident']
['severity'],
'title':
infrastructure_vulnerabilities.payload['incident']
['title'],
'published':
infrastructure_vulnerabilities.payload['incident']
['published'],
'closedSource':
infrastructure_vulnerabilities.payload['incident']
['closedSource'],
}
}
action_result.add_data(data)
action_result.set_status(
phantom.APP_SUCCESS,
DS_GET_INFRASTRUCTURE_VULNERABILITIES_SUCCESS)
else:
summary = {
'infrastructure_vulnerabilities_count': 0,
'infrastructure_vulnerabilities_found': False
}
action_result.update_summary(summary)
action_result.set_status(
phantom.APP_SUCCESS,
DS_GET_INFRASTRUCTURE_VULNERABILITIES_NOT_FOUND)
return action_result.get_status()
def get_data_breach_record_by_username(self, param):
action_result = ActionResult(dict(param))
self._connector.add_action_result(action_result)
try:
breach_record_service = DataBreachRecordService(
self._ds_api_key, self._ds_api_secret_key)
except Exception as e:
error_message = self._handle_exception_object.get_error_message_from_exception(
e)
return action_result.set_status(
phantom.APP_ERROR, "{0} {1}".format(SERVICE_ERR_MSG,
error_message))
user_name = param['user_name']
domain_names_param = None if 'domain_names' not in param else param[
'domain_names'].split(',')
review_statuses_param = None if 'review_statuses' not in param else param[
'review_statuses'].split(',')
published_date_range = param.get('published_date_range', 'ALL')
try:
breach_record_view = DataBreachRecordService.data_breach_records_view(
username=user_name,
published=published_date_range,
domain_names=domain_names_param,
review_statuses=review_statuses_param)
self._connector.save_progress(
"Breach record View: {}".format(breach_record_view))
breach_record_pages = breach_record_service.read_all_records(
view=breach_record_view)
except StopIteration:
error_message = 'No DataBreach objects retrieved from the Digital Shadows API in page groups'
return action_result.set_status(
phantom.APP_ERROR, "Error Details: {0}".format(error_message))
except Exception as e:
error_message = self._handle_exception_object.get_error_message_from_exception(
e)
return action_result.set_status(
phantom.APP_ERROR,
"Error Connecting to server. {}".format(error_message))
breach_record_total = len(breach_record_pages)
if breach_record_total > 0:
summary = {
'data_breach_record_count': breach_record_total,
'data_breach_record_found': True
}
action_result.update_summary(summary)
for breach_record_page in breach_record_pages:
for breach_record in breach_record_page:
action_result.add_data(breach_record.payload)
action_result.set_status(
phantom.APP_SUCCESS,
"Digital Shadows data breach records fetched")
else:
summary = {
'data_breach_record_count': 0,
'data_breach_record_found': False
}
action_result.update_summary(summary)
action_result.set_status(
phantom.APP_SUCCESS,
"Data breach record not found in Digital Shadows")
return action_result.get_status()
def _handle_detonate_url(self, param):
# type: (Dict[Text, Any]) -> bool
status, api = self._get_api()
if api is None:
return status
url = param["url"]
self.save_progress("Submitting url %s" % url)
params = {"reanalyze": True}
if param.get("comment", None) is not None:
params["comment"] = param["comment"]
if param.get("tags", None) is not None:
params["tags"] = param["tags"]
if param.get("config", "") != "":
params["user_config"] = param["config"]
if param.get("jobrules", "") != "":
params["jobrule_entries"] = param["jobrules"]
try:
res = api.submit_url(url, params=params)
except Exception as exc:
self.set_status(phantom.APP_ERROR, VMRAY_ERR_SUBMIT_FILE, exc)
return self.get_status()
if res["errors"]:
errors = [
err.get("error_msg", "NO_ERROR_MSG_GIVEN")
for err in res["errors"]
]
self.set_status(phantom.APP_ERROR, ";".join(errors))
return self.get_status()
submission_id = res["submissions"][0]["submission_id"]
submission_url = res["submissions"][0]["submission_webif_url"]
submission_finished = True
status, report = self._get_report(submission_id, DEFAULT_TIMEOUT)
if status == phantom.APP_ERROR:
error_msg, _exc = report
if error_msg == VMRAY_ERR_SUBMISSION_NOT_FINISHED:
submission_finished = False
else:
self.set_status(phantom.APP_ERROR, error_msg, _exc)
return self.get_status()
report = None
action_result = ActionResult(dict(param))
self.add_action_result(action_result)
if report is not None:
for analysis in report["analyses"]:
action_result.add_data({"analysis": analysis})
if report["reputation_lookup"]:
action_result.add_data(
{"reputation_lookup": report["reputation_lookup"][0]})
action_result.update_summary({"severity": report["severity"]})
action_result.update_summary({
"submission_id": submission_id,
"url": submission_url,
"submission_finished": submission_finished
})
action_result.set_status(phantom.APP_SUCCESS)
return action_result.get_status()
def _handle_post_url(self, param):
action_result = ActionResult(dict(param))
self.add_action_result(action_result)
params = dict()
params['url'] = param["url"]
params['filename'] = param.get('filename')
params['key'] = self._api_key
# Check if we have a size
sizes = {"tiny": "T", "small": "S", "normal": "N", "medium": "M", "large": "L", "full page": "F"}
test = param.get("size")
if not test:
self.save_progress("Size was blank, using the default \"full page\" size")
test = "full page"
if not sizes.get(test.lower()):
self.save_progress("Given size not found, using the default \"full page\" size")
params['size'] = "F"
else:
params['size'] = sizes[test.lower()]
# Check if we have a Secret Phrase
if self._api_phrase is None:
params['hash'] = ""
else:
params['hash'] = str(hashlib.md5((params['url'] + self._api_phrase).encode('utf-8')).hexdigest())
params['cacheLimit'] = '0'
params['format'] = 'JPG'
params['timeout'] = '200'
ret_val, image = self._make_rest_call('', action_result, params, method='post', stream=True)
if phantom.is_fail(ret_val):
return action_result.get_status()
permalink = None
# only create a permalink if the hash is used
if params['hash']:
permalink = self._get_sspermalink('', params=params, method='post')
if params['filename']:
file_name = "{}.jpg".format(params['filename'])
else:
file_name = "{0}{1}".format(param["url"], "_screenshot.jpg")
is_download = False
if hasattr(Vault, "create_attachment"):
vault_ret = Vault.create_attachment(image, self.get_container_id(), file_name=file_name)
if vault_ret.get('succeeded'):
action_result.set_status(phantom.APP_SUCCESS, "Downloaded screenshot")
_, _, vault_meta_info = ph_rules.vault_info(container_id=self.get_container_id(), vault_id=vault_ret[phantom.APP_JSON_HASH])
if not vault_meta_info:
self.debug_print("Error while fetching meta information for vault ID: {}".format(vault_ret[phantom.APP_JSON_HASH]))
return action_result.set_status(phantom.APP_ERROR, "Could not find meta information of the downloaded screenshot's Vault")
vault_path = list(vault_meta_info)[0]['path']
summary = {
phantom.APP_JSON_VAULT_ID: vault_ret[phantom.APP_JSON_HASH],
phantom.APP_JSON_NAME: file_name,
'vault_file_path': vault_path,
phantom.APP_JSON_SIZE: vault_ret.get(phantom.APP_JSON_SIZE)}
if permalink:
summary['permalink'] = permalink
action_result.update_summary(summary)
is_download = True
else:
is_download = False
if not is_download:
if hasattr(Vault, 'get_vault_tmp_dir'):
temp_dir = Vault.get_vault_tmp_dir()
else:
temp_dir = '/opt/phantom/vault/tmp'
temp_dir = "{0}{1}".format(temp_dir, '/{}'.format(uuid.uuid4()))
os.makedirs(temp_dir)
file_path = os.path.join(temp_dir, 'tempimage.jpg')
with open(file_path, 'wb') as f:
f.write(image)
success, message, vault_id = ph_rules.vault_add(container=self.get_container_id(), file_location=file_path, file_name=file_name)
if success:
action_result.set_status(phantom.APP_SUCCESS, "Downloaded screenshot")
_, _, vault_meta_info = ph_rules.vault_info(container_id=self.get_container_id(), vault_id=vault_id)
if not vault_meta_info:
self.debug_print("Error while fetching meta information for vault ID: {}".format(vault_id))
return action_result.set_status(phantom.APP_ERROR, "Could not find meta information of the downloaded screenshot's Vault")
vault_path = list(vault_meta_info)[0]['path']
summary = {
phantom.APP_JSON_VAULT_ID: vault_id,
phantom.APP_JSON_NAME: file_name,
'vault_file_path': vault_path}
if permalink:
summary['permalink'] = permalink
action_result.update_summary(summary)
else:
return action_result.set_status(phantom.APP_ERROR, "Error occurred while saving file to vault: {}".format(message))
return action_result.get_status()
def _handle_get_file(self, param):
# type: (Dict[Text, Any]) -> bool
status, api = self._get_api()
if api is None:
return status
self.debug_print("param", param)
hsh = param["hash"]
self.save_progress("Searching %s" % (hsh))
if len(hsh) == 32:
res = api.get_sample_by_md5(hsh)
elif len(hsh) == 40:
res = api.get_sample_by_sha1(hsh)
elif len(hsh) == 64:
res = api.get_sample_by_sha256(hsh)
else:
self.set_status(phantom.APP_ERROR, VMRAY_ERR_UNSUPPORTED_HASH)
return self.get_status()
if len(res) == 0 or "sample_id" not in res[0]:
self.set_status(phantom.APP_ERROR, VMRAY_ERR_SAMPLE_NOT_FOUND)
return self.get_status()
if res[0]["sample_is_multipart"]:
self.set_status(phantom.APP_ERROR, VMRAY_ERR_MULTIPART)
return self.get_status()
self.save_progress("Downloading file")
zip_file_location = os.path.join(VAULT_TMP_FOLDER, "%s.zip" % hsh)
file_location = os.path.join(VAULT_TMP_FOLDER, hsh)
if os.path.exists(zip_file_location) or os.path.exists(file_location):
self.set_status(phantom.APP_ERROR, VMRAY_ERR_FILE_EXISTS)
return self.get_status()
# added b"wb" otherwise mypy complains
with api.get_sample_file(res[0]["sample_id"]) as data:
with open(zip_file_location, str("wb")) as fobj:
fobj.write(data.read())
try:
# again wiredness due to mypy
zifi = zipfile.ZipFile(str(zip_file_location), str("r"))
except Exception as exc:
self.set_status(phantom.APP_ERROR, VMRAY_ERR_OPEN_ZIP, exc)
os.remove(zip_file_location)
return self.get_status()
zf_names = zifi.namelist()
if len(zf_names) != 1:
self.set_status(phantom.APP_ERROR, VMRAY_ERR_MALFORMED_ZIP)
zifi.close()
os.remove(zip_file_location)
return self.get_status()
self.save_progress("Extracting file")
try:
# pylint: disable=bad-continuation
with zifi.open(zf_names[0], str("r"),
VMRAY_DEFAULT_PASSWORD) as ifobj:
with open(file_location, str("wb")) as ofobj:
ofobj.write(ifobj.read())
except Exception as exc:
self.set_status(phantom.APP_ERROR, VMRAY_ERR_MALFORMED_ZIP, exc)
if os.path.exists(file_location):
os.remove(file_location)
return self.get_status()
finally:
zifi.close()
os.remove(zip_file_location)
vmray_sampletypes = [x["sample_type"] for x in res]
phantom_sampletypes = []
for st in vmray_sampletypes:
if st == "PDF Document":
phantom_sampletypes.append("pdf")
elif st == "Word Document":
phantom_sampletypes.append("doc")
elif st == "Excel Document":
phantom_sampletypes.append("xls")
elif st == "Powerpoint Document":
phantom_sampletypes.append("ppt")
elif st == "Java Archive":
phantom_sampletypes.append("jar")
elif st == "JScript":
phantom_sampletypes.append("javascript")
elif st.startswith("Windows Exe"):
phantom_sampletypes.append("pe file")
elif st.startswith("Windows DLL"):
phantom_sampletypes.append("pe file")
elif st.startswith("Windows Driver"):
phantom_sampletypes.append("pe file")
phantom_sampletypes = list(set(phantom_sampletypes))
self.save_progress("Adding file to vault")
vlt_res = Vault.add_attachment(file_location,
self.get_container_id(),
file_name=res[0]["sample_filename"],
metadata={
"size": res[0]["sample_filesize"],
"contains": phantom_sampletypes
})
if not vlt_res["succeeded"]:
self.set_status(phantom.APP_ERROR, VMRAY_ERR_ADD_VAULT)
os.remove(file_location)
return self.get_status()
action_result = ActionResult(dict(param))
self.add_action_result(action_result)
action_result.add_data({"vault_id": vlt_res["vault_id"]})
action_result.update_summary({"vault_id": vlt_res["vault_id"]})
action_result.set_status(phantom.APP_SUCCESS)
# the vault removes the file after successfully finishing. so
# so we do not need to remove it manually
# os.remove(file_location)
self.save_progress("Finished")
return action_result.get_status()
