Exemple #1
0
def sixgill_get_indicators_command():
    max_indicators = get_limit(
        demisto.args().get('maxIndicators', MAX_INDICATORS), MAX_INDICATORS)

    sixgill_darkfeed_client = SixgillFeedClient(
        demisto.params()['client_id'],
        demisto.params()['client_secret'], CHANNEL_CODE, FeedStream.DARKFEED,
        demisto, max_indicators, SESSION, VERIFY)

    bundle = sixgill_darkfeed_client.get_bundle()
    sixgill_darkfeed_client.commit_indicators()
    num_of_indicators = 0

    for stix_item in bundle.get("objects"):
        if is_indicator(stix_item):
            num_of_indicators += 1

            if stix_item.get("sixgill_severity"):
                stix_item['score'] = to_demisto_score(
                    stix_item.get("sixgill_severity", 0))

    human_readable = f"# Fetched {num_of_indicators} DarkFeed indicators"
    bundle_id = bundle.get("id", "bundle")
    entry = fileResult(f'{bundle_id}.json', json.dumps(bundle),
                       entryTypes['entryInfoFile'])

    entry["HumanReadable"] = human_readable
    entry["ContentsFormat"] = formats["markdown"]

    demisto.results(entry)
def fetch_indicators_command(client: SixgillFeedClient,
                             limit: int = 0,
                             get_indicators_mode: bool = False,
                             tags: list = []):
    bundle = client.get_bundle()
    indicators_to_create: List = []
    indicator_values_set: Set = set()

    for stix_indicator in bundle.get("objects"):
        if is_indicator(stix_indicator):
            demisto_indicators = stix2_to_demisto_indicator(
                stix_indicator, demisto, tags)

            for indicator in demisto_indicators:
                if indicator.get("value") not in indicator_values_set:
                    indicator_values_set.add(indicator.get("value"))
                    indicators_to_create.append(indicator)

        if get_indicators_mode and len(indicators_to_create) == limit:
            break

    if not get_indicators_mode:
        client.commit_indicators()

    return indicators_to_create
Exemple #3
0
def main():
    max_indicators = get_limit(
        demisto.params().get("maxIndicators", MAX_INDICATORS), MAX_INDICATORS)
    SESSION.proxies = handle_proxy()
    client = SixgillFeedClient(demisto.params()["client_id"],
                               demisto.params()["client_secret"],
                               CHANNEL_CODE,
                               FeedStream.DVEFEED,
                               bulk_size=max_indicators,
                               session=SESSION,
                               logger=demisto,
                               verify=VERIFY)
    command = demisto.command()
    demisto.info(f"Command being called is {command}")
    tags = argToList(demisto.params().get("feedTags", []))
    tlp_color = demisto.params().get("tlp_color")
    commands: Dict[str, Callable] = {
        "test-module": module_command_test,
        "cybersixgill-get-indicators": get_indicators_command
    }
    try:
        if demisto.command() == "fetch-indicators":
            indicators = fetch_indicators_command(client,
                                                  tags=tags,
                                                  tlp_color=tlp_color)
            for b in batch(indicators, batch_size=2000):
                demisto.createIndicators(b)
        else:
            readable_output, outputs, raw_response = commands[command](
                client, demisto.args())
            return_outputs(readable_output, outputs, raw_response)
    except Exception as err:
        demisto.error(traceback.format_exc())
        return_error(
            f"Error failed to execute {demisto.command()}, error: [{err}]")
def test_feed_tags(mocker):
    """
    Given:
    - feedTags parameter
    When:
    - Executing fetch command on feed
    Then:
    - Validate the tags supplied are added to the tags list in addition to the tags that were there before
    """
    global bundle_index
    global submitted_indicators

    mocker.patch.object(demisto, 'params', return_value=init_params())
    mocker.patch('requests.sessions.Session.send', new=mocked_request)

    from Sixgill_Darkfeed import fetch_indicators_command
    from sixgill.sixgill_feed_client import SixgillFeedClient
    from sixgill.sixgill_constants import FeedStream

    client = SixgillFeedClient("client_id", "client_secret", "some_channel",
                               FeedStream.DARKFEED, demisto, 1000)

    output = fetch_indicators_command(client, tags=['tag1', 'tag2'])
    assert all(item in output[0]['fields']['tags']
               for item in ['tag1', 'tag2'])
    assert any(item in output[0]['fields']['tags']
               for item in ['compromised', 'ip', 'url'])
def main():
    max_indicators = get_limit(
        demisto.params().get('maxIndicators', MAX_INDICATORS), MAX_INDICATORS)

    SESSION.proxies = handle_proxy()

    client = SixgillFeedClient(demisto.params()['client_id'],
                               demisto.params()['client_secret'], CHANNEL_CODE,
                               FeedStream.DARKFEED, demisto, max_indicators,
                               SESSION, VERIFY)

    command = demisto.command()
    demisto.info(f'Command being called is {command}')

    commands: Dict[str, Callable] = {
        'test-module': test_module_command,
        'sixgill-get-indicators': get_indicators_command
    }
    try:
        if demisto.command() == 'fetch-indicators':
            indicators = fetch_indicators_command(client)
            for b in batch(indicators, batch_size=2000):
                demisto.createIndicators(b)
        else:
            readable_output, outputs, raw_response = commands[command](
                client, demisto.args())

            return_outputs(readable_output, outputs, raw_response)
    except Exception as e:
        demisto.error(traceback.format_exc())
        return_error(
            f'Error failed to execute {demisto.command()}, error: [{e}]')
def test_fetch_indicators_command(mocker):
    global bundle_index
    global submitted_indicators

    mocker.patch.object(demisto, "params", return_value=init_params())
    mocker.patch("requests.sessions.Session.send", new=mocked_request)

    from CybersixgillDVEFeed import fetch_indicators_command
    from sixgill.sixgill_feed_client import SixgillFeedClient
    from sixgill.sixgill_constants import FeedStream

    client = SixgillFeedClient(
        demisto.params()["client_id"],
        demisto.params()["client_secret"],
        "some_channel",
        FeedStream.DVEFEED,
        demisto,
        1000,
    )

    output = fetch_indicators_command(client)

    bundle_index = 0
    submitted_indicators = 0
    assert output == expected_ioc_output
def fetch_indicators_command(client: SixgillFeedClient,
                             limit: int = 0,
                             get_indicators_mode: bool = False):
    bundle = client.get_bundle()
    indicators_to_create: List = []

    for stix_indicator in bundle.get("objects"):
        if is_indicator(stix_indicator):
            demisto_indicators = stix2_to_demisto_indicator(
                stix_indicator, demisto)
            indicators_to_create.extend(demisto_indicators)

        if get_indicators_mode and len(indicators_to_create) == limit:
            break

    if not get_indicators_mode:
        client.commit_indicators()

    return indicators_to_create
def test_get_indicators_command(mocker):
    global bundle_index
    global submitted_indicators

    mocker.patch.object(demisto, 'params', return_value=init_params())
    mocker.patch('requests.sessions.Session.send', new=mocked_request)

    from Sixgill_Darkfeed import get_indicators_command
    from sixgill.sixgill_feed_client import SixgillFeedClient
    from sixgill.sixgill_constants import FeedStream

    client = SixgillFeedClient("client_id", "client_secret", "some_channel",
                               FeedStream.DARKFEED, demisto, 1000)

    output = get_indicators_command(client, {"limit": 10})

    bundle_index = 0
    submitted_indicators = 0

    assert output[2] == expected_ioc_output
def test_feed_tags_and_tlp_color(mocker, tlp_color):
    """
    Given:
    - feedTags parameter
    When:
    - Executing fetch command on feed
    Then:
    - Validate the tags supplied are added to the tags list in addition to the tags that were there before
    """

    global bundle_index
    global submitted_indicators

    mocker.patch.object(demisto, "params", return_value=init_params())
    mocker.patch("requests.sessions.Session.send", new=mocked_request)

    from CybersixgillDVEFeed import fetch_indicators_command
    from sixgill.sixgill_feed_client import SixgillFeedClient
    from sixgill.sixgill_constants import FeedStream

    client = SixgillFeedClient(
        demisto.params()["client_id"],
        demisto.params()["client_secret"],
        "some_channel",
        FeedStream.DVEFEED,
        demisto,
        1000,
    )

    output = fetch_indicators_command(client,
                                      tags=["tag1", "tag2"],
                                      tlp_color=tlp_color)
    assert all(item in output[0]["fields"]["tags"]
               for item in ["tag1", "tag2"])
    if tlp_color:
        assert output[0]["fields"]["trafficlightprotocol"] == tlp_color
    else:
        assert not output[0]["fields"].get("trafficlightprotocol")
        bundle_index -= 1
Exemple #10
0
    def on_poll(self, param):
        """This method ingest/update/delete the Sixgill Darkfeed Intelligence

        Arguments:
            param - paramter of the SixgillDarkfeed configuration

        Returns:
            action_result status -- Returns the 'action_result' status
        """
        self._connector.debug_print(param)

        action_result = ActionResult(dict(param))
        self._connector.add_action_result(action_result)

        # Setting up the limit to the SixgillFeedClient which defaults to 2000
        if CONTAINER_COUNT in param and param.get(CONTAINER_COUNT) < 2000:
            self._limit = param.get(CONTAINER_COUNT)
        try:
            darkfeed_client = SixgillFeedClient(
                self._sixgill_client_id,
                self._sixgill_api_secret_key,
                self._sixgill_phantom_channel_id,
                FeedStream.DARKFEED,
                bulk_size=self._limit,
            )
            indicator_object = darkfeed_client.get_bundle().get("objects")
        except Exception as e:
            err = self._connector._get_error_message_from_exception(e)
            return action_result.set_status(phantom.APP_ERROR, err)

        sixgill_container = SixgillContainer(self._connector)
        sixgill_artifact = SixgillArtifact(self._connector)
        sixgill_utils = SixgillUtils(self._connector)
        self._connector.save_progress(
            "Ingesting Sixgill Darkfeed Intelligence ...")
        failuer_indicator_list = []
        if len(indicator_object) > 2:
            for indicator in indicator_object:
                if sixgill.sixgill_utils.is_indicator(indicator):
                    self._indicator_id = sixgill_utils.sixgill_delimit_id(
                        indicator.get(SIXGILL_FEED_ID))
                    try:
                        indicator_list = self._sixgill_get_sixgill_pattern_type(
                            indicator)
                    except:
                        self._connector.debug_print(
                            "Error occurred while processing sixgill indicator"
                        )
                    container = sixgill_container.prepare_container(indicator)

                    # Search the phantom if the indicator from API does exist in the phantom SOAR platform
                    # Retry search functionality for 5 times in case of a network issue
                    for count in range(int(TRY_AGAIN)):
                        try:
                            feed_dict = sixgill_utils.search_feed(
                                self._indicator_id)
                            if len(feed_dict) > 0:
                                break
                        except:
                            self._connector.debug_print(
                                "Error occurred while searching for the feed")

                    if feed_dict:
                        try:
                            # If the indicator includes a "revoked" = true flag, the indicator will get deleted from the phantom SOAR platform
                            sixgill_utils.delete_event(feed_dict, indicator,
                                                       sixgill_container,
                                                       sixgill_artifact,
                                                       self._verify_ssl)
                            # Update the event and the artifact if the source ID of the indicator exists in phantom SOAR platform
                            sixgill_utils.update_event(
                                feed_dict,
                                indicator_list,
                                indicator,
                                container,
                                sixgill_container,
                                sixgill_artifact,
                                self._verify_ssl,
                            )
                        except:
                            self._connector.debug_print(
                                "Error occurred while deleting or updating the event"
                            )
                        action_result.set_status(phantom.APP_SUCCESS)
                    else:
                        try:
                            # Ingest the indicator in to the phantom if the indicator does not exist in the phantom SOAR platform
                            container_status, container_message, container_id = self._connector.save_container(
                                container)
                        except:
                            self._connector.debug_print(
                                "Error occurred while creating the container")

                        if container_status == phantom.APP_SUCCESS:
                            for indicator_dict in indicator_list:
                                try:
                                    artifacts = sixgill_artifact.prepare_artifact(
                                        container_id, container["severity"],
                                        indicator, indicator_dict)
                                    artifact_status, artifact_message, artifact_id_list = self._connector.save_artifacts(
                                        artifacts)
                                except:
                                    self._connector.debug_print(
                                        "Error occurred while creating the artifact"
                                    )
                            action_result.set_status(phantom.APP_SUCCESS)
                        else:
                            # Return error status if the indicator didn't get ingested
                            action_result.set_status(phantom.APP_ERROR)
        else:
            self._connector.save_progress(
                "There is no new Threat Intelligence available")
            action_result.set_status(phantom.APP_SUCCESS)
        self._connector.debug_print(
            f"Indicators Failed to ingest log: {failuer_indicator_list}")
        self._connector.save_progress("Sixgill Darkfeed Intelligence ingested")

        try:
            # Indicators which got ingested into the Phantom SOAR platform will get commited to the Sixgill Darkfeed API end point
            darkfeed_client.commit_indicators()
        except Exception as e:
            err = self._connector._get_error_message_from_exception(e)
            return action_result.set_status(
                phantom.APP_ERROR,
                "Error occurred while committing the indicator(s). {}".format(
                    err))

        return action_result.get_status()