def _get_substring(self, param): self.debug_print('{}'.format(inspect.stack()[0][3])) # Add an action result to the App Run action_result = ActionResult(dict(param)) self.add_action_result(action_result) try: # Find a better way to validate the inputs. Especially if they are left blank. sourceString = param[PYTHONUTILITIES_SOURCE_STRING] start = 0 end = len(sourceString) - 1 step = 1 if PYTHONUTILITIES_SOURCE_STRING_START in param: start = int(param[PYTHONUTILITIES_SOURCE_STRING_START]) if PYTHONUTILITIES_SOURCE_STRING_END in param: end = int(param[PYTHONUTILITIES_SOURCE_STRING_END]) if PYTHONUTILITIES_SOURCE_STRING_STEP in param: step = int(param[PYTHONUTILITIES_SOURCE_STRING_STEP]) self.debug_print('string {}, start {}, end {}'.format( sourceString, start, end)) sub_dict = {'substring': sourceString[start:end:step]} self.debug_print('substring {}'.format(sub_dict)) action_result.add_data(sub_dict) action_result.set_status(phantom.APP_SUCCESS) except Exception as e: action_result.set_status(phantom.APP_ERROR, '', e) return action_result.get_status() return action_result.get_status()
def unblock_ip(self, param): """ Allow the IP address by deleting the rule which originally blocked the source IP address. URL https://10.255.111.100/mgmt/tm/security/firewall/policy/~Common~Phantom_Inbound/rules/sourceIP_8.8.8.8 """ config = self.get_config() self.debug_print("%s UNBLOCK_IP parameters:\n%s \nconfig:%s" % (F5_Connector.BANNER, param, config)) action_result = ActionResult(dict(param)) # Add an action result to the App Run self.add_action_result(action_result) URL = "/mgmt/tm/security/firewall/policy/~%s~%s/rules/%s" % (param["partition"], param["policy"], param["rule name"]) self.debug_print("%s UNBLOCK_IP URL: %s" % (F5_Connector.BANNER, URL)) F5 = iControl.BIG_IP(host=config.get("device"), username=config.get("username"), password=config.get("password"), uri=URL, method="DELETE") if F5.genericDELETE(): action_result.set_status(phantom.APP_SUCCESS) else: action_result.set_status(phantom.APP_ERROR) action_result.add_data(F5.response) self.debug_print("%s UNBLOCK_IP code: %s \nresponse: %s" % (F5_Connector.BANNER, F5.status_code, F5.response)) return
def _find_string(self, param): self.debug_print('{}'.format(inspect.stack()[0][3])) # Add an action result to the App Run action_result = ActionResult(dict(param)) self.add_action_result(action_result) try: searchString = param[PYTHONUTILITIES_SEARCH_STRING] sourceString = param[PYTHONUTILITIES_SOURCE_STRING] start = 0 end = len(sourceString) if PYTHONUTILITIES_SOURCE_STRING_START in param: start = int(param[PYTHONUTILITIES_SOURCE_STRING_START]) if PYTHONUTILITIES_SOURCE_STRING_END in param: end = int(param[PYTHONUTILITIES_SOURCE_STRING_END]) results_dict = {} result_index = sourceString.find(searchString, start, end) results_dict.update({'search_string_index': result_index}) action_result.add_data(results_dict) action_result.set_status(phantom.APP_SUCCESS) except Exception as e: action_result.set_status(phantom.APP_ERROR, '', e) return action_result.get_status() return action_result.get_status()
def lookup_username(self, param): action_result = ActionResult(dict(param)) self._connector.add_action_result(action_result) username_to_lookup = param.get('username') username_service = DataBreachUsernameService(self._ds_api_key, self._ds_api_secret_key) view = username_service.data_breach_username_view( username=username_to_lookup) found_username = next( (data_breach_username for data_breach_username in username_service.find_all(view=view) if data_breach_username.username == username_to_lookup), None) if found_username is not None: summary, data = self._lookup_success(username_to_lookup, found_username) action_result.update_summary(summary) action_result.add_data(data) action_result.set_status(phantom.APP_SUCCESS, DS_LOOKUP_USERNAME_SUCCESS) else: summary, data = self._lookup_failure(username_to_lookup) action_result.update_summary(summary) action_result.add_data(data) action_result.set_status(phantom.APP_SUCCESS, DS_LOOKUP_USERNAME_NOT_FOUND) return action_result.get_status()
def unblock_ip(self, param): """ Allow the IP address by deleting the rule which originally blocked the source IP address. URL https://10.255.111.100/mgmt/tm/security/firewall/policy/~Common~Phantom_Inbound/rules/sourceIP_8.8.8.8 """ config = self.get_config() self.debug_print("%s UNBLOCK_IP parameters:\n%s \nconfig:%s" % (F5_Connector.BANNER, param, config)) action_result = ActionResult( dict(param)) # Add an action result to the App Run self.add_action_result(action_result) URL = "/mgmt/tm/security/firewall/policy/~%s~%s/rules/%s" % ( param["partition"], param["policy"], param["rule name"]) self.debug_print("%s UNBLOCK_IP URL: %s" % (F5_Connector.BANNER, URL)) F5 = iControl.BIG_IP(host=config.get("device"), username=config.get("username"), password=config.get("password"), uri=URL, method="DELETE") if F5.genericDELETE(): action_result.set_status(phantom.APP_SUCCESS) else: action_result.set_status(phantom.APP_ERROR) action_result.add_data(F5.response) self.debug_print("%s UNBLOCK_IP code: %s \nresponse: %s" % (F5_Connector.BANNER, F5.status_code, F5.response)) return
def get_intel_incident_ioc_by_id(self, param): action_result = ActionResult(dict(param)) self._connector.add_action_result(action_result) param_types = None if 'types' not in param else param.get( 'types').split(',') try: intelligence_incident_service = IntelligenceIncidentService( self._ds_api_key, self._ds_api_secret_key) intelligence_incident_view = IntelligenceIncidentService.intelligence_incident_ioc_view( types=param_types) except Exception as e: error_message = self._handle_exception_object.get_error_message_from_exception( e) return action_result.set_status( phantom.APP_ERROR, "{0} {1}".format(SERVICE_ERR_MSG, error_message)) intel_incident_id = param['intel_incident_id'] # validate 'intel_incident_id' action parameter ret_val, intel_incident_id = self._handle_exception_object.validate_integer( action_result, intel_incident_id, INTEL_INCIDENT_ID_KEY) if phantom.is_fail(ret_val): return action_result.get_status() try: intelligence_incident_ioc_pages = intelligence_incident_service.find_intel_incident_ioc_by_id( intel_incident_id=intel_incident_id, view=intelligence_incident_view) intelligence_incident_ioc_total = len( intelligence_incident_ioc_pages) self._connector.save_progress( "II IoC Total: {}".format(intelligence_incident_ioc_total)) except StopIteration: error_message = 'No Incident review objects retrieved from the Digital Shadows API' return action_result.set_status( phantom.APP_ERROR, "Error Details: {0}".format(error_message)) except Exception as e: error_message = self._handle_exception_object.get_error_message_from_exception( e) return action_result.set_status( phantom.APP_ERROR, "Error Connecting to server. {}".format(error_message)) if intelligence_incident_ioc_total > 0: summary = { 'intelligence_incident_ioc_count': intelligence_incident_ioc_total, 'intelligence_incident_ioc_found': True } action_result.update_summary(summary) for intelligence_incident_ioc_page in intelligence_incident_ioc_pages: for intelligence_incident_ioc in intelligence_incident_ioc_page: self._connector.save_progress("loop id: {}".format( intelligence_incident_ioc.payload)) action_result.add_data(intelligence_incident_ioc.payload) action_result.set_status(phantom.APP_SUCCESS, DS_GET_INTELLIGENCE_INCIDENT_SUCCESS) return action_result.get_status()
def _list_switches(self, url, param): action_result = ActionResult(param) self.add_action_result(action_result) try: self.save_progress(phantom.APP_PROG_CONNECTING_TO_ELLIPSES, url) # switch_list = floodlight_rest.FloodlightRest(url=url).get('switches') self.save_progress("done.") if switch_list is None: return action_result.set_status(phantom.APP_ERROR, OC2SDN_ERR_NO_DATA) except Exception as e: return action_result.set_status(phantom.APP_ERROR, OC2SDN_ERR_SERVER_CONNECTION, e) # Rearrange into a table-friendly format here. # This should definitely change if we ever get a "tree" render type result = {"switches": [], "success": True} for switch in switch_list: addrmatch = re.match("/([^:]+):([0-9]+)", switch["inetAddress"]) if not addrmatch: return action_result.set_status(phantom.APP_ERROR, OC2SDN_ERR_PARSE, switch["inetAddress"]) result["switches"].append( { "ip": addrmatch.group(1), "port": addrmatch.group(2), "connectedSince": datetime.fromtimestamp(int(switch["connectedSince"]) / 1000).strftime('%Y-%m-%d %H:%M:%S'), "switchDPID": "dpid:{}".format(switch["switchDPID"]) }) action_result.add_data(result) return action_result.set_status(phantom.APP_SUCCESS, OC2SDN_SUCC)
def _list_policies(self, param): action_result = ActionResult(dict(param)) self.add_action_result(action_result) # gets the full information for the Nessus policies ret_val, list_policies = self._make_rest_call('policies/', action_result) if (phantom.is_fail(ret_val)): return action_result.get_status() policies = list_policies.get('policies', []) if (type(policies) != list): policies = [policies] policy_counter = 0 for curr_item in policies: action_result.add_data(curr_item) if curr_item.get("id"): policy_counter = policy_counter + 1 # creates an empty list to add the summary elements to summary = action_result.update_summary({}) summary['policy_count'] = policy_counter action_result.set_status(phantom.APP_SUCCESS) return action_result.get_status()
def _handle_getIndicators(self, param): self.debug_print("param", param) # Add an action result to the App Run action_result = ActionResult(dict(param)) self.add_action_result(action_result) try: # Attempt to log into server self.save_progress("Logging in...") msg, client = self.login() cybereason_data = client.getIndicators() except: action_result.set_status(phantom.APP_ERROR, "Error") return action_result.get_status() # The data is returned in a list format, so # this extracts the data from the list, and formats it into a # dictionary object where it can be added to the "action_result" object for i in cybereason_data: i = json.dumps(i, default=_json_fallback) i = json.loads(i) action_result.add_data(i) # set_status updates the current status and outputs to "message" action_result.set_status(phantom.APP_SUCCESS, "Successfully grabbed data.") return action_result.get_status()
def _get_html_text(self, param): self.debug_print('_get_html_text() called.') # Add an action result to the App Run action_result = ActionResult(dict(param)) self.add_action_result(action_result) # Get the data from the params to parse data = param[BS4_SOURCE_STRING] if not data: action_result.set_status(phantom.APP_ERROR, '', e) return action_result.get_status() try: parsed_html = BeautifulSoup(data, 'html.parser') plain_text = parsed_html.get_text() # .encode('ascii', 'ignore') # self.debug_print('soup text - {}'.format(plain_text)) action_result.add_data(plain_text) action_result.set_status(phantom.APP_SUCCESS) except Exception as e: action_result.set_status(phantom.APP_ERROR, '', e) return action_result.get_status() return action_result.get_status()
def _get_html_urls(self, param): self.debug_print('_get_urls() called.') # Add an action result to the App Run action_result = ActionResult(dict(param)) self.add_action_result(action_result) # Get the data from the params to parse data = param[BS4_SOURCE_STRING] urls = [] if not data: action_result.set_status(phantom.APP_ERROR, '', e) return action_result.get_status() try: parsed_html = BeautifulSoup(data, "html.parser") for link in parsed_html.find_all('a'): urls.append(link.get('href')) action_result.add_data(urls) action_result.set_status(phantom.APP_SUCCESS) except Exception as e: action_result.set_status(phantom.APP_ERROR, '', e) return action_result.get_status() return action_result.get_status()
def get_data_breach(self, param): action_result = ActionResult(dict(param)) self._connector.add_action_result(action_result) date_range = param['date_range'] param_reposted_credentials = None if 'reposted_credentials' not in param else param[ 'reposted_credentials'].split(',') param_severities = None if 'severities' not in param else param.get( 'severities').split(',') param_statuses = None if 'statuses' not in param else param.get( 'statuses').split(',') param_user_name = None if 'user_name' not in param else param.get( 'user_name').split(',') try: breach_service = DataBreachService(self._ds_api_key, self._ds_api_secret_key) breach_view = DataBreachService.data_breach_view( published=date_range, reposted_credentials=param_reposted_credentials, severities=param_severities, statuses=param_statuses, username=param_user_name) except Exception as e: error_message = self._handle_exception_object.get_error_message_from_exception( e) return action_result.set_status( phantom.APP_ERROR, "{0} {1}".format(SERVICE_ERR_MSG, error_message)) try: breach_pages = breach_service.find_all_pages(view=breach_view) breach_total = len(breach_pages) except StopIteration: error_message = 'No DataBreach objects retrieved from the Digital Shadows API in page groups' return action_result.set_status( phantom.APP_ERROR, "Error Details: {0}".format(error_message)) except Exception as e: error_message = self._handle_exception_object.get_error_message_from_exception( e) return action_result.set_status( phantom.APP_ERROR, "Error Connecting to server. {}".format(error_message)) if breach_total > 0: summary = { 'data_breach_count': breach_total, 'data_breach_found': True } action_result.update_summary(summary) for breach_page in breach_pages: for breach in breach_page: action_result.add_data(breach.payload) action_result.set_status(phantom.APP_SUCCESS, DS_GET_BREACH_SUCCESS) else: summary = {'data_breach_count': 0, 'data_breach_found': False} action_result.update_summary(summary) action_result.set_status(phantom.APP_SUCCESS, DS_GET_BREACH_NOT_FOUND) return action_result.get_status()
def _find_strings(self, param): self.debug_print('_find_string() called.') # Add an action result to the App Run action_result = ActionResult(dict(param)) self.add_action_result(action_result) # Get the data from the params to parse data = param[BS4_SOURCE_STRING] search_string = param[BS4_SEARCH_STRING] strings = [] if not data: action_result.set_status(phantom.APP_ERROR, '', e) return action_result.get_status() try: parsed_html = BeautifulSoup(data, "html.parser") for link in parsed_html.find_all(): self.debug_print('link -- {}'.format(link.find(search_string))) if link.find(search_string) != -1: strings.append(link) self.debug_print('data raw - {}'.format( parsed_html.find_all(search_string))) self.debug_print('strings - {}'.format(strings)) action_result.add_data(strings) action_result.set_status(phantom.APP_SUCCESS) except Exception as e: action_result.set_status(phantom.APP_ERROR, '', e) return action_result.get_status() return action_result.get_status()
def post_incident_review(self, param): action_result = ActionResult(dict(param)) self._connector.add_action_result(action_result) try: incident_service = IncidentService(self._ds_api_key, self._ds_api_secret_key) except Exception as e: error_message = self._handle_exception_object.get_error_message_from_exception( e) return action_result.set_status( phantom.APP_ERROR, "{0} {1}".format(SERVICE_ERR_MSG, error_message)) incident_id = param.get('incident_id') # validate 'incident_id' action parameter ret_val, incident_id = self._handle_exception_object.validate_integer( action_result, incident_id, INCIDENT_ID_KEY) if phantom.is_fail(ret_val): return action_result.get_status() post_data = { 'note': param.get('review_note'), 'status': param.get('review_status') } self._connector.save_progress("post_data: {}".format(post_data)) try: response = incident_service.post_incident_review( post_data, incident_id=incident_id) except Exception as e: error_message = self._handle_exception_object.get_error_message_from_exception( e) return action_result.set_status( phantom.APP_ERROR, "Error Connecting to server. {0}".format(error_message)) self._connector.save_progress("response: {}".format(response)) try: summary = { 'incident_reviews_status_code': response['status'], 'incident_reviews_message': response['message'] } action_result.update_summary(summary) action_result.add_data(response['content'][0]) if response['message'] == "SUCCESS": action_result.set_status( phantom.APP_SUCCESS, "Digital Shadows Incident review posted successfully") else: action_result.set_status( phantom.APP_SUCCESS, "Error in incident review post request") except Exception as e: error_message = self._handle_exception_object.get_error_message_from_exception( e) return action_result.set_status( phantom.APP_ERROR, "Error occurred while fetching data from response. {}".format( error_message)) return action_result.get_status()
def _handle_lookup_url(self, param): action_result = ActionResult(dict(param)) self.add_action_result(action_result) # check for required input param url = param["url"] # build full REST endpoint with Auth signature # make GET request to CTIX OpenAPI try: endpoint = "/search/?Expires={}&AccessID={}&Signature={}&url={}".format( self._expires, self._access_id, self._generate_signature(self._access_id, self._secret_key, self._expires), url) status_code, response = self._make_request( "GET", "{}{}".format(self._baseurl, endpoint), self._verify, action_result) except Exception as e: err_msg = self._get_error_message_from_exception(e) self.save_progress(CYWARE_GET_REQ_FAILED.format(err_msg)) return action_result.set_status( phantom.APP_ERROR, "URL Lookup failed. {}".format(err_msg)) if phantom.is_fail(status_code): return action_result.get_status() # check response status_code if status_code == 200: try: if isinstance(response, list): response = response[0] if not isinstance(response, dict): return action_result.set_status( phantom.APP_ERROR, CYWARE_RESP_FROM_SERVER_NOT_JSON) # commit action_result action_result.set_summary({"message": response['message']}) action_result.add_data(response) self.save_progress(phantom.APP_SUCCESS, "URL Lookup Successful") return action_result.set_status(phantom.APP_SUCCESS, "URL Lookup Successful") except Exception as e: err_msg = self._get_error_message_from_exception(e) self.save_progress( CYWARE_ADDING_RESP_DATA_TO_ACTION_RESULT_FAILED.format( err_msg)) return action_result.set_status( phantom.APP_ERROR, CYWARE_ADDING_RESP_DATA_TO_ACTION_RESULT_FAILED.format( err_msg)) else: self.save_progress( CYWARE_GET_REQ_FAILED_WITH_NON_200_STATUS.format(status_code)) return action_result.set_status( phantom.APP_ERROR, CYWARE_GET_REQ_FAILED_WITH_NON_200_STATUS.format(status_code))
def get_data_breach_record_by_id(self, param): action_result = ActionResult(dict(param)) self._connector.add_action_result(action_result) try: breach_record_service = DataBreachRecordService( self._ds_api_key, self._ds_api_secret_key) except Exception as e: error_message = self._handle_exception_object.get_error_message_from_exception( e) return action_result.set_status( phantom.APP_ERROR, "{0} {1}".format(SERVICE_ERR_MSG, error_message)) breach_id = param['breach_id'] # validate 'breach_id' action parameter ret_val, breach_id = self._handle_exception_object.validate_integer( action_result, breach_id, BREACH_ID_KEY) if phantom.is_fail(ret_val): return action_result.get_status() try: breach_record_pages = breach_record_service.find_all_pages( breach_id) breach_record_total = len(breach_record_pages) except StopIteration: error_message = 'No data breach record retrieved from the Digital Shadows API in page groups' return action_result.set_status( phantom.APP_ERROR, "Error Details: {0}".format(error_message)) except Exception as e: error_message = self._handle_exception_object.get_error_message_from_exception( e) return action_result.set_status( phantom.APP_ERROR, "Error Connecting to server. {}".format(error_message)) if breach_record_total > 0: summary = { 'data_breach_record_count': breach_record_total, 'data_breach_record_found': True } action_result.update_summary(summary) for breach_record_page in breach_record_pages: for breach_record in breach_record_page: action_result.add_data(breach_record.payload) action_result.set_status( phantom.APP_SUCCESS, "Digital Shadows data breach records fetched") else: summary = { 'data_breach_record_count': 0, 'data_breach_record_found': False } action_result.update_summary(summary) action_result.set_status( phantom.APP_SUCCESS, "Data breach record not found in Digital Shadows") return action_result.get_status()
def _get_date(self, param): self.debug_print('{}'.format(inspect.stack()[0][3])) # Add an action result to the App Run action_result = ActionResult(dict(param)) self.add_action_result(action_result) format_string = param.get('format_string', "%A, %d %B %Y %I:%M%p") # List of local time items local_dt = datetime.now() local_iso = local_dt.isocalendar() local_tt = local_dt.timetuple() local_time = { "local_year": local_tt[0], "local_month": local_tt[1], "local_day": local_tt[2], "local_hour": local_tt[3], "local_minute": local_tt[4], "local_second": local_tt[5], "local_weekday": local_tt[6], "local_day_number": local_tt[7], "local_tz": local_tt[8], "local_iso_week": local_iso[1], "local_iso_weekday": local_iso[2], "local_custom": local_dt.strftime(format_string) } # List of UTC time items utc_dt = datetime.utcnow() utc_iso = utc_dt.isocalendar() utc_tt = utc_dt.timetuple() utc_time = { "utc_year": utc_tt[0], "utc_month": utc_tt[1], "utc_day": utc_tt[2], "utc_hour": utc_tt[3], "utc_minute": utc_tt[4], "utc_second": utc_tt[5], "utc_weekday": utc_tt[6], "utc_day_number": utc_tt[7], "utc_tz": utc_tt[8], "utc_iso_week": utc_iso[1], "utc_iso_weekday": utc_iso[2], "utc_custom": utc_dt.strftime(format_string) } # Add time values to results action_result.add_data(local_time) action_result.add_data(utc_time) action_result.set_status(phantom.APP_SUCCESS) return action_result.get_status()
def locate_device(self, param): """ Locating client devices means walking a tree based on the API Key. The key is associated with one or more organizations, an organization can have one or more networks, each network can have multiple devices, and each device can have one or more client machines. Depending on the timespan specified, you may see differing results. Larger timespans may show the same client connected to multiple devices. Small timespans, may not return any results. """ self.debug_print("%s LOCATE_DEVICE parameters:\n%s" % (Meraki_Connector.BANNER, param)) action_result = ActionResult( dict(param)) # Add an action result to the App Run self.add_action_result(action_result) try: param["search_string"] # User left search_string empty except KeyError: param["search_string"] = "*" org_id_list = self.get_org_ids() for organization in org_id_list: networks_list = self.get_networks(organization["id"]) for network in networks_list: device_list = self.get_devices(network["id"]) for device in device_list: client_list = self.get_clients(device["serial"], param["timespan"]) for client in client_list: response = self.build_output_record( param["search_string"], organization, network, device, client) if response: action_result.add_data(response) if action_result.get_data_size() > 0: action_result.set_status(phantom.APP_SUCCESS) self.set_status_save_progress( phantom.APP_SUCCESS, "Returned: %s clients" % action_result.get_data_size()) else: action_result.set_status(phantom.APP_ERROR) self.set_status_save_progress( phantom.APP_ERROR, "Returned: %s clients" % action_result.get_data_size()) self.debug_print( "%s Data size: %s" % (Meraki_Connector.BANNER, action_result.get_data_size())) return action_result.get_status()
def modify_smartflow_policy(self, param, LADS, CRUD): " Modify the Smartflow Policy " action_result = ActionResult( dict(param)) # Add an action result to the App Run self.add_action_result(action_result) source_ip = self.normalize_ip( param["source"]) # 8.8.8.8/32 or 192.0.2.0/24 or 4.4.4.4 app_name = param["application"] # WWT-API host_name = param["host"] # default-host service_name = param["service"] # default-service smartflow_name = param["smartflow"] # default-smartflow try: rule_action = param[ "action"] # 'deny' or 'allow', not specified for unblock except KeyError: rule_action = None uri = "/api/v2/applications/%s/hosts/%s/services/%s/smartflows/%s/policies" % ( app_name, host_name, service_name, smartflow_name) if LADS.genericGET( uri=uri): # Successfully retrieved the Smartflow policy LADS.separate_access_policy(LADS.response) if LADS.modify_access_policy(CRUD, rule_action, source_ip): LADS.include_access_policy() uri += "/_import" if LADS.genericPOST(uri=uri, body=json.dumps(LADS.smartflow_policies)): action_result.set_status(phantom.APP_SUCCESS) LADS.separate_access_policy( LADS.response) # Isolate the access policy else: action_result.set_status(phantom.APP_ERROR) else: action_result.set_status( phantom.APP_ERROR) # Failure in modifying access policy else: action_result.set_status( phantom.APP_ERROR) # Failed to retrieve Smartflow policy action_result.add_data( LADS.access_policy ) # Put the current access policy in the result data self.debug_print( "%s modify_smartflow_policy code: %s \nresponse: %s" % (A10_LADS_Connector.BANNER, LADS.status_code, LADS.response)) return
def _split_string(self, param): self.debug_print('{}'.format(inspect.stack()[0][3])) # Add an action result to the App Run action_result = ActionResult(dict(param)) self.add_action_result(action_result) try: source_string = param[PYTHONUTILITIES_SOURCE_STRING] result = source_string.split(PYTHONUTILITIES_SPLIT_VALUE) action_result.add_data({'list': result}) action_result.set_status(phantom.APP_SUCCESS) except Exception as e: action_result.set_status(phantom.APP_ERROR, '', e) return action_result.get_status() return action_result.get_status()
def _item_length(self, param): self.debug_print('{}'.format(inspect.stack()[0][3])) # Add an action result to the App Run action_result = ActionResult(dict(param)) self.add_action_result(action_result) try: user_item = param[PYTHONUTILITIES_ITEM] result = len(user_item) action_result.add_data({'length': result}) action_result.set_status(phantom.APP_SUCCESS) except Exception as e: action_result.set_status(phantom.APP_ERROR, '', e) return action_result.get_status() return action_result.get_status()
def _dictionary_to_list(self, param): self.debug_print('{}'.format(inspect.stack()[0][3])) # Add an action result to the App Run action_result = ActionResult(dict(param)) self.add_action_result(action_result) try: dictionary = param[PYTHONUTILITIES_ITEM] result = dictionary.items() action_result.add_data({'result': result}) action_result.set_status(phantom.APP_SUCCESS) except Exception as e: action_result.set_status(phantom.APP_ERROR, '', e) return action_result.get_status() return action_result.get_status()
def _call_function_as_action(self, url, funct, param={}): action_result = ActionResult(param) self.add_action_result(action_result) try: self.save_progress(phantom.APP_PROG_CONNECTING_TO_ELLIPSES, url) result = funct() self.save_progress("done.") if result is None: return action_result.set_status(phantom.APP_ERROR, OC2SDN_ERR_NO_DATA) action_result.add_data(result) return action_result.set_status(phantom.APP_SUCCESS, OC2SDN_SUCC) except Exception as e: return action_result.set_status(phantom.APP_ERROR, OC2SDN_ERR_SERVER_CONNECTION, e)
def get_infrastructure_ip_ports(self, param): action_result = ActionResult(dict(param)) self._connector.add_action_result(action_result) infrastructure_service = InfrastructureService(self._ds_api_key, self._ds_api_secret_key) infrastructure_view = InfrastructureService.infrastructure_view() infrastructure_pages = infrastructure_service.find_all_pages( view=infrastructure_view) infrastructure_total = len(infrastructure_pages) if infrastructure_total > 0: summary = { 'infrastructure_count': infrastructure_total, 'infrastructure_found': True } action_result.update_summary(summary) for infrastructure_page in infrastructure_pages: for infrastructure in infrastructure_page: data = { 'id': infrastructure.id, 'ipAddress': infrastructure.ip_address, 'portNumber': str(infrastructure.port_number), 'transport': infrastructure.transport, 'discoveredOpen': infrastructure.discovered_open, 'incident': { 'id': infrastructure.incident_id, 'scope': infrastructure.incident_scope, 'type': infrastructure.incident_type, 'subType': infrastructure.incident_sub_type, 'severity': infrastructure.incident_severity, 'title': infrastructure.incident_title, } } action_result.add_data(data) action_result.set_status(phantom.APP_SUCCESS, DS_GET_INFRASTRUCTURE_SUCCESS) else: summary = { 'infrastructure_count': 0, 'infrastructure_found': False } action_result.update_summary(summary) action_result.set_status(phantom.APP_SUCCESS, DS_GET_INFRASTRUCTURE_NOT_FOUND) return action_result.get_status()
def _list_devices(self, url, param): action_result = ActionResult(param) self.add_action_result(action_result) try: self.save_progress(phantom.APP_PROG_CONNECTING_TO_ELLIPSES, url) # device_list = floodlight_rest.FloodlightRest(url=url).get('devices') self.save_progress("done.") if device_list is None: return action_result.set_status(phantom.APP_ERROR, OC2SDN_ERR_NO_DATA) except Exception as e: return action_result.set_status(phantom.APP_ERROR, OC2SDN_ERR_SERVER_CONNECTION, e) # Floodlight v1.2 and earlier returns a list. Later versions return a root object containing a list. if isinstance(device_list, dict): device_list = device_list["devices"] # Rearrange into a table-friendly format here. # This should definitely change if we ever get a "tree" render type result = {"devices": [], "success": True} for device in device_list: for mac in device["mac"]: for vlan in device["vlan"]: for ap in device["attachmentPoint"]: for ip4 in device["ipv4"]: result["devices"].append( {"mac": mac, "vlan": vlan, "ip": ip4, "lastSeen": datetime.utcfromtimestamp(int(device["lastSeen"]) / 1000) .strftime('%Y-%m-%d %H:%M:%S UTC'), "attachmentPoint": {"port": ap["port"], "switchDPID": "dpid:{}".format(ap["switchDPID"])} }) for ip6 in device["ipv6"]: result["devices"].append( {"mac": mac, "vlan": vlan, "ip": ip6, "lastSeen": datetime.utcfromtimestamp(int(device["lastSeen"]) / 1000) .strftime('%Y-%m-%d %H:%M:%S UTC'), "attachmentPoint": {"port": ap["port"], "switchDPID": "dpid:{}".format(ap["switchDPID"])} }) action_result.add_data(result) return action_result.set_status(phantom.APP_SUCCESS, OC2SDN_SUCC)
def _block_flow(self, url, param): action_result = ActionResult(dict(param)) self.add_action_result(action_result) try: self.save_progress(phantom.APP_PROG_CONNECTING_TO_ELLIPSES, url) # result = floodlight_firewall.add_rule(url, "deny", param) self.save_progress("done.") msg = result.get("status", OC2SDN_ERR_NO_STATUS) if msg == u'Rule added': action_result.add_data({"activityid": result["activityid"]}) return action_result.set_status(phantom.APP_SUCCESS, msg) return action_result.set_status(phantom.APP_ERROR, msg) except Exception as e: return action_result.set_status(phantom.APP_ERROR, OC2SDN_ERR_SERVER_CONNECTION, e)
def run_job(self, param): """ Optionally set the dead interval, logon, determine if the user specified a job template name or the numeric id. Launch the job template. If the job was accepted (202 status_code), wait up to the dead interval for the job to complete and report back the job id. This numeric job id is specified on the Jobs tab in Ansible Tower. """ self.debug_print("%s RUN_JOB parameters:\n%s" % (Tower_Connector.BANNER, param)) action_result = ActionResult(dict(param)) # Add an action result to the App Run self.add_action_result(action_result) self.set_dead_interval(param) self.aaaLogin() if not self.token: # token will be null if we failed to login action_result.set_status(phantom.APP_ERROR) self.set_status_save_progress(phantom.APP_ERROR, status_message="Failed to logon") return try: # Job template id used to identify the job template job_template_id = int(param["job template id"]) except ValueError: # Job template name is used to identify the job template job_template_id = self.get_job_template_id(param["job template id"], self.query_api("/api/v1/job_templates/")["results"]) # Launch the job specified status = self.launch_job(param, job_template_id) if status in Tower_Connector.GOOD_LAUNCH_STATES: results = self.wait_for_completion() if results: msg = "job id: %s status: %s name: %s elapsed time: %s sec ended: %s" % (self.job_id, results["status"], results["name"], results["elapsed"], results["finished"]) action_result.add_data({"job_stats": {"id": self.job_id, "status": results["status"], "name": results["name"], "elapsed": results["elapsed"]}}) if results["status"] in Tower_Connector.FAILED_JOB_STATES: action_result.set_status(phantom.APP_ERROR) self.set_status_save_progress(phantom.APP_ERROR, status_message=msg) else: action_result.set_status(phantom.APP_SUCCESS) self.set_status_save_progress(phantom.APP_SUCCESS, status_message=msg) else: # nothing to do here, results are None due to an error which has been reported pass else: self.set_status_save_progress(phantom.APP_ERROR, status_message="Job failed to launch: %s" % status) return
def _delete_firewall_rule(self, url, param): action_result = ActionResult(param) self.add_action_result(action_result) try: self.save_progress(phantom.APP_PROG_CONNECTING_TO_ELLIPSES, url) # result = floodlight_firewall.delete_rule(url, None, param) self.save_progress("done.") if result is None: return action_result.set_status(phantom.APP_ERROR, OC2SDN_ERR_NO_DATA) action_result.add_data(result) if result.get("success") is not True: return action_result.set_status(phantom.APP_ERROR, result.get("status")) return action_result.set_status(phantom.APP_SUCCESS, OC2SDN_SUCC) except Exception as e: return action_result.set_status(phantom.APP_ERROR, OC2SDN_ERR_SERVER_CONNECTION, e)
def _handle_updateIndicators(self, param, choice): key = str(param['key']) reputation = str(param['reputation']) prevention = str(param['prevention']) comment = "null" action_result = ActionResult(dict(param)) self.add_action_result(action_result) try: # Attempt to log into server msg, client = self.login() except: action_result.set_status(phantom.APP_ERROR, "Unable to login.") # Formatting the data if choice: # REMOVING remove = 'true' else: # ADDING remove = 'false' prevention = prevention.lower() remove = remove.lower() # Setting up to add the the table widget, must in a list, and must contain dictionary tempObj = [{'key': key, 'reputation': reputation, 'prevention': prevention, 'comment': comment}] # Adding to object to action result so it can be read into the table for i in tempObj: i = json.dumps(i, default=_json_fallback) i = json.loads(i) action_result.add_data(i) try: # Updating the cybereason client client.updateIndicators(key, reputation, prevention, remove) action_result.set_status(phantom.APP_SUCCESS, "Successful") except: action_result.set_status(phantom.APP_ERROR, "Error with updateIndicator function") return action_result.get_status() return action_result.get_status()
def listStaticBlackHoledIPs(self, param): """ """ action_result = ActionResult( dict(param)) # Add an action result to the App Run self.add_action_result(action_result) config = self.get_config() self.debug_print(config) try: self.username = config["username"] self.password = config["password"] self.device = config["trigger_host"] self.next_hop_IP = config['route_to_null'] except KeyError: self.debug_print("Error: {0}".format(KeyError)) self.debug_print("Device: {0}, User: {1}, Password: {2}".format( self.device, self.username, self.password)) # Get the current list of static routes from the Target Host route_list = self._get_StaticBlackHoledIPs(self.username, self.password, self.device, self.next_hop_IP) self.debug_print( "listStaticBlackHoledIP's result RAW: {0}".format(route_list)) # Even if the query was successfull the data might not be available if len(route_list) == 0: return action_result.set_status( phantom.APP_ERROR, 'CISCO_CSR_ERR_QUERY_RETURNED_NO_DATA') else: for dest in route_list: action_result.add_data({'blackholed-network': dest}) summary = "Query returned %s routes" % len(route_list) action_result.update_summary({'message': summary}) self.set_status_save_progress(phantom.APP_SUCCESS, summary) #action_result.set_status(phantom.APP_SUCCESS) return action_result.get_status()
def get_incident_review_by_id(self, param): action_result = ActionResult(dict(param)) self._connector.add_action_result(action_result) incident_id = param['incident_id'] # validate 'incident_id' action parameter ret_val, incident_id = self._handle_exception_object.validate_integer( action_result, incident_id, INCIDENT_ID_KEY) if phantom.is_fail(ret_val): return action_result.get_status() try: incident_service = IncidentService(self._ds_api_key, self._ds_api_secret_key) except Exception as e: error_message = self._handle_exception_object.get_error_message_from_exception( e) return action_result.set_status( phantom.APP_ERROR, "{0} {1}".format(SERVICE_ERR_MSG, error_message)) try: incident_reviews = incident_service.find_all_reviews(incident_id) incident_reviews_total = len(incident_reviews) except Exception as e: error_message = self._handle_exception_object.get_error_message_from_exception( e) return action_result.set_status( phantom.APP_ERROR, "Error Connecting to server. {0}".format(error_message)) if incident_reviews_total > 0: summary = { 'incident_reviews_count': incident_reviews_total, 'incident_reviews_found': True } action_result.update_summary(summary) for incident_review in incident_reviews: action_result.add_data(incident_review) action_result.set_status( phantom.APP_SUCCESS, "Digital Shadows incident reviews fetched for the Incident ID: {}" .format(incident_id)) return action_result.get_status()
def get_data_breach_record_reviews(self, param): action_result = ActionResult(dict(param)) self._connector.add_action_result(action_result) try: breach_record_service = DataBreachRecordService( self._ds_api_key, self._ds_api_secret_key) except Exception as e: error_message = self._handle_exception_object.get_error_message_from_exception( e) return action_result.set_status( phantom.APP_ERROR, "{0} {1}".format(SERVICE_ERR_MSG, error_message)) breach_record_id = param['breach_record_id'] # validate 'breach_record_id' action parameter ret_val, breach_record_id = self._handle_exception_object.validate_integer( action_result, breach_record_id, BREACH_RECORD_ID_KEY) if phantom.is_fail(ret_val): return action_result.get_status() try: breach_record_reviews = breach_record_service.find_data_breach_record_reviews( breach_record_id) breach_record_reviews_total = len(breach_record_reviews) except Exception as e: error_message = self._handle_exception_object.get_error_message_from_exception( e) return action_result.set_status( phantom.APP_ERROR, "Error Connecting to server. {0}".format(error_message)) if breach_record_reviews_total > 0: summary = { 'breach_record_reviews_count': breach_record_reviews_total, 'breach_record_reviews_found': True } action_result.update_summary(summary) for breach_record_review in breach_record_reviews: action_result.add_data(breach_record_review) action_result.set_status( phantom.APP_SUCCESS, "Digital Shadows breach record reviews fetched for the Breach Record ID: {}" .format(breach_record_id)) return action_result.get_status()
def block_ip(self, param): """ Block a source IP address, a simple call to update a security policy in place. The firewall policy is called "Phantom_Inbound" which currently is tied to an inbound VIP in the "Common" partition. POST URL https://10.255.111.100/mgmt/tm/security/firewall/policy/~Common~Phantom_Inbound/rules body {"name":"DYNAMIC_BLOCK_NAME","action":"reject","place-after":"first","source":{"addresses":[{"name": "8.8.8.8/32"}" """ config = self.get_config() self.debug_print("%s BLOCK_IP parameters:\n%s \nconfig:%s" % (F5_Connector.BANNER, param, config)) action_result = ActionResult( dict(param)) # Add an action result to the App Run self.add_action_result(action_result) URL = "/mgmt/tm/security/firewall/policy/~%s~%s/rules" % ( param["partition"], param["policy"]) body = '{"name":"%s","action":"%s","place-after":"first","source":{"addresses":[{"name":"%s/32"}]}}' \ % (param["rule name"], param["action"], param["source"]) self.debug_print("%s BLOCK_IP URL: %s \nbody:%s" % (F5_Connector.BANNER, URL, body)) F5 = iControl.BIG_IP(host=config.get("device"), username=config.get("username"), password=config.get("password"), uri=URL, method="POST") if F5.genericPOST(body): action_result.set_status(phantom.APP_SUCCESS) else: action_result.set_status(phantom.APP_ERROR) action_result.add_data(F5.response) self.debug_print("%s BLOCK_IP code: %s \nresponse: %s" % (F5_Connector.BANNER, F5.status_code, F5.response)) return
def _get_uptime(self, url, param): action_result = ActionResult(param) self.add_action_result(action_result) try: self.save_progress(phantom.APP_PROG_CONNECTING_TO_ELLIPSES, url) # result = floodlight_rest.FloodlightRest(url=url).get("uptime") self.save_progress("done.") if result is None: return action_result.set_status(phantom.APP_ERROR, OC2SDN_ERR_NO_DATA) except Exception as e: return action_result.set_status(phantom.APP_ERROR, OC2SDN_ERR_SERVER_CONNECTION, e) # Add a human-readable timestamp uptime = datetime.utcfromtimestamp(0) + timedelta(microseconds=int(result["systemUptimeMsec"]) * 1000) result["hhmmss"] = uptime.strftime('%H:%M:%S.%f')[:-3] result["success"] = True action_result.add_data(result) return action_result.set_status(phantom.APP_SUCCESS, OC2SDN_SUCC)
def get_data_breach_by_id(self, param): action_result = ActionResult(dict(param)) self._connector.add_action_result(action_result) try: breach_service = DataBreachService(self._ds_api_key, self._ds_api_secret_key) except Exception as e: error_message = self._handle_exception_object.get_error_message_from_exception( e) return action_result.set_status( phantom.APP_ERROR, "{0} {1}".format(SERVICE_ERR_MSG, error_message)) breach_id = param['breach_id'] # validate 'breach_id' action parameter ret_val, breach_id = self._handle_exception_object.validate_integer( action_result, breach_id, BREACH_ID_KEY) if phantom.is_fail(ret_val): return action_result.get_status() try: breach = breach_service.find_data_breach_by_id(breach_id) except Exception as e: error_message = self._handle_exception_object.get_error_message_from_exception( e) return action_result.set_status( phantom.APP_ERROR, "Error Connecting to server. {0}".format(error_message)) if 'id' in breach: summary = {'data_breach_count': 1, 'data_breach_found': True} action_result.update_summary(summary) action_result.add_data(breach) action_result.set_status(phantom.APP_SUCCESS, DS_GET_BREACH_SUCCESS) else: summary = {'data_breach_count': 0, 'data_breach_found': False} action_result.update_summary(summary) action_result.set_status(phantom.APP_SUCCESS, DS_GET_BREACH_NOT_FOUND) return action_result.get_status()
def _list_external_links(self, url, param): action_result = ActionResult(param) self.add_action_result(action_result) try: self.save_progress(phantom.APP_PROG_CONNECTING_TO_ELLIPSES, url) # link_list = floodlight_rest.FloodlightRest(url=url).get('external_links') self.save_progress("done.") if link_list is None: return action_result.set_status(phantom.APP_ERROR, OC2SDN_ERR_NO_DATA) except Exception as e: return action_result.set_status(phantom.APP_ERROR, OC2SDN_ERR_SERVER_CONNECTION, e) result = {"links": link_list, "success": True} # Add "dpid" namespaces to src-switch and dst-switch. for link in link_list: link["src-switch"] = "dpid:{}".format(link["src-switch"]) link["dst-switch"] = "dpid:{}".format(link["dst-switch"]) action_result.add_data(result) return action_result.set_status(phantom.APP_SUCCESS, OC2SDN_SUCC)
def locate_device(self, param): """ Locating client devices means walking a tree based on the API Key. The key is associated with one or more organizations, an organization can have one or more networks, each network can have multiple devices, and each device can have one or more client machines. Depending on the timespan specified, you may see differing results. Larger timespans may show the same client connected to multiple devices. Small timespans, may not return any results. """ self.debug_print("%s LOCATE_DEVICE parameters:\n%s" % (Meraki_Connector.BANNER, param)) action_result = ActionResult(dict(param)) # Add an action result to the App Run self.add_action_result(action_result) try: param["search_string"] # User left search_string empty except KeyError: param["search_string"] = "*" org_id_list = self.get_org_ids() for organization in org_id_list: networks_list = self.get_networks(organization["id"]) for network in networks_list: device_list = self.get_devices(network["id"]) for device in device_list: client_list = self.get_clients(device["serial"], param["timespan"]) for client in client_list: response = self.build_output_record(param["search_string"], organization, network, device, client) if response: action_result.add_data(response) if action_result.get_data_size() > 0: action_result.set_status(phantom.APP_SUCCESS) self.set_status_save_progress(phantom.APP_SUCCESS, "Returned: %s clients" % action_result.get_data_size()) else: action_result.set_status(phantom.APP_ERROR) self.set_status_save_progress(phantom.APP_ERROR, "Returned: %s clients" % action_result.get_data_size()) self.debug_print("%s Data size: %s" % (Meraki_Connector.BANNER, action_result.get_data_size())) return action_result.get_status()
def modify_smartflow_policy(self, param, LADS, CRUD): " Modify the Smartflow Policy " action_result = ActionResult(dict(param)) # Add an action result to the App Run self.add_action_result(action_result) source_ip = self.normalize_ip(param["source"]) # 8.8.8.8/32 or 192.0.2.0/24 or 4.4.4.4 app_name = param["application"] # WWT-API host_name = param["host"] # default-host service_name = param["service"] # default-service smartflow_name = param["smartflow"] # default-smartflow try: rule_action = param["action"] # 'deny' or 'allow', not specified for unblock except KeyError: rule_action = None uri = "/api/v2/applications/%s/hosts/%s/services/%s/smartflows/%s/policies" % (app_name, host_name, service_name, smartflow_name) if LADS.genericGET(uri=uri): # Successfully retrieved the Smartflow policy LADS.separate_access_policy(LADS.response) if LADS.modify_access_policy(CRUD, rule_action, source_ip): LADS.include_access_policy() uri += "/_import" if LADS.genericPOST(uri=uri, body=json.dumps(LADS.smartflow_policies)): action_result.set_status(phantom.APP_SUCCESS) LADS.separate_access_policy(LADS.response) # Isolate the access policy else: action_result.set_status(phantom.APP_ERROR) else: action_result.set_status(phantom.APP_ERROR) # Failure in modifying access policy else: action_result.set_status(phantom.APP_ERROR) # Failed to retrieve Smartflow policy action_result.add_data(LADS.access_policy) # Put the current access policy in the result data self.debug_print("%s modify_smartflow_policy code: %s \nresponse: %s" % (A10_LADS_Connector.BANNER, LADS.status_code, LADS.response)) return
def block_ip(self, param): """ Block a source IP address, a simple call to update a security policy in place. The firewall policy is called "Phantom_Inbound" which currently is tied to an inbound VIP in the "Common" partition. POST URL https://10.255.111.100/mgmt/tm/security/firewall/policy/~Common~Phantom_Inbound/rules body {"name":"DYNAMIC_BLOCK_NAME","action":"reject","place-after":"first","source":{"addresses":[{"name": "8.8.8.8/32"}" """ config = self.get_config() self.debug_print("%s BLOCK_IP parameters:\n%s \nconfig:%s" % (F5_Connector.BANNER, param, config)) action_result = ActionResult(dict(param)) # Add an action result to the App Run self.add_action_result(action_result) URL = "/mgmt/tm/security/firewall/policy/~%s~%s/rules" % (param["partition"], param["policy"]) body = '{"name":"%s","action":"%s","place-after":"first","source":{"addresses":[{"name":"%s/32"}]}}' \ % (param["rule name"], param["action"], param["source"]) self.debug_print("%s BLOCK_IP URL: %s \nbody:%s" % (F5_Connector.BANNER, URL, body)) F5 = iControl.BIG_IP(host=config.get("device"), username=config.get("username"), password=config.get("password"), uri=URL, method="POST") if F5.genericPOST(body): action_result.set_status(phantom.APP_SUCCESS) else: action_result.set_status(phantom.APP_ERROR) action_result.add_data(F5.response) self.debug_print("%s BLOCK_IP code: %s \nresponse: %s" % (F5_Connector.BANNER, F5.status_code, F5.response)) return