Exemple #1
0
def sixgill_get_indicators_command():
    max_indicators = get_limit(
        demisto.args().get('maxIndicators', MAX_INDICATORS), MAX_INDICATORS)

    sixgill_darkfeed_client = SixgillFeedClient(
        demisto.params()['client_id'],
        demisto.params()['client_secret'], CHANNEL_CODE, FeedStream.DARKFEED,
        demisto, max_indicators, SESSION, VERIFY)

    bundle = sixgill_darkfeed_client.get_bundle()
    sixgill_darkfeed_client.commit_indicators()
    num_of_indicators = 0

    for stix_item in bundle.get("objects"):
        if is_indicator(stix_item):
            num_of_indicators += 1

            if stix_item.get("sixgill_severity"):
                stix_item['score'] = to_demisto_score(
                    stix_item.get("sixgill_severity", 0))

    human_readable = f"# Fetched {num_of_indicators} DarkFeed indicators"
    bundle_id = bundle.get("id", "bundle")
    entry = fileResult(f'{bundle_id}.json', json.dumps(bundle),
                       entryTypes['entryInfoFile'])

    entry["HumanReadable"] = human_readable
    entry["ContentsFormat"] = formats["markdown"]

    demisto.results(entry)
def fetch_indicators_command(client: SixgillFeedClient,
                             limit: int = 0,
                             get_indicators_mode: bool = False,
                             tags: list = []):
    bundle = client.get_bundle()
    indicators_to_create: List = []
    indicator_values_set: Set = set()

    for stix_indicator in bundle.get("objects"):
        if is_indicator(stix_indicator):
            demisto_indicators = stix2_to_demisto_indicator(
                stix_indicator, demisto, tags)

            for indicator in demisto_indicators:
                if indicator.get("value") not in indicator_values_set:
                    indicator_values_set.add(indicator.get("value"))
                    indicators_to_create.append(indicator)

        if get_indicators_mode and len(indicators_to_create) == limit:
            break

    if not get_indicators_mode:
        client.commit_indicators()

    return indicators_to_create
def fetch_indicators_command(client: SixgillFeedClient,
                             limit: int = 0,
                             get_indicators_mode: bool = False):
    bundle = client.get_bundle()
    indicators_to_create: List = []

    for stix_indicator in bundle.get("objects"):
        if is_indicator(stix_indicator):
            demisto_indicators = stix2_to_demisto_indicator(
                stix_indicator, demisto)
            indicators_to_create.extend(demisto_indicators)

        if get_indicators_mode and len(indicators_to_create) == limit:
            break

    if not get_indicators_mode:
        client.commit_indicators()

    return indicators_to_create
Exemple #4
0
    def on_poll(self, param):
        """This method ingest/update/delete the Sixgill Darkfeed Intelligence

        Arguments:
            param - paramter of the SixgillDarkfeed configuration

        Returns:
            action_result status -- Returns the 'action_result' status
        """
        self._connector.debug_print(param)

        action_result = ActionResult(dict(param))
        self._connector.add_action_result(action_result)

        # Setting up the limit to the SixgillFeedClient which defaults to 2000
        if CONTAINER_COUNT in param and param.get(CONTAINER_COUNT) < 2000:
            self._limit = param.get(CONTAINER_COUNT)
        try:
            darkfeed_client = SixgillFeedClient(
                self._sixgill_client_id,
                self._sixgill_api_secret_key,
                self._sixgill_phantom_channel_id,
                FeedStream.DARKFEED,
                bulk_size=self._limit,
            )
            indicator_object = darkfeed_client.get_bundle().get("objects")
        except Exception as e:
            err = self._connector._get_error_message_from_exception(e)
            return action_result.set_status(phantom.APP_ERROR, err)

        sixgill_container = SixgillContainer(self._connector)
        sixgill_artifact = SixgillArtifact(self._connector)
        sixgill_utils = SixgillUtils(self._connector)
        self._connector.save_progress(
            "Ingesting Sixgill Darkfeed Intelligence ...")
        failuer_indicator_list = []
        if len(indicator_object) > 2:
            for indicator in indicator_object:
                if sixgill.sixgill_utils.is_indicator(indicator):
                    self._indicator_id = sixgill_utils.sixgill_delimit_id(
                        indicator.get(SIXGILL_FEED_ID))
                    try:
                        indicator_list = self._sixgill_get_sixgill_pattern_type(
                            indicator)
                    except:
                        self._connector.debug_print(
                            "Error occurred while processing sixgill indicator"
                        )
                    container = sixgill_container.prepare_container(indicator)

                    # Search the phantom if the indicator from API does exist in the phantom SOAR platform
                    # Retry search functionality for 5 times in case of a network issue
                    for count in range(int(TRY_AGAIN)):
                        try:
                            feed_dict = sixgill_utils.search_feed(
                                self._indicator_id)
                            if len(feed_dict) > 0:
                                break
                        except:
                            self._connector.debug_print(
                                "Error occurred while searching for the feed")

                    if feed_dict:
                        try:
                            # If the indicator includes a "revoked" = true flag, the indicator will get deleted from the phantom SOAR platform
                            sixgill_utils.delete_event(feed_dict, indicator,
                                                       sixgill_container,
                                                       sixgill_artifact,
                                                       self._verify_ssl)
                            # Update the event and the artifact if the source ID of the indicator exists in phantom SOAR platform
                            sixgill_utils.update_event(
                                feed_dict,
                                indicator_list,
                                indicator,
                                container,
                                sixgill_container,
                                sixgill_artifact,
                                self._verify_ssl,
                            )
                        except:
                            self._connector.debug_print(
                                "Error occurred while deleting or updating the event"
                            )
                        action_result.set_status(phantom.APP_SUCCESS)
                    else:
                        try:
                            # Ingest the indicator in to the phantom if the indicator does not exist in the phantom SOAR platform
                            container_status, container_message, container_id = self._connector.save_container(
                                container)
                        except:
                            self._connector.debug_print(
                                "Error occurred while creating the container")

                        if container_status == phantom.APP_SUCCESS:
                            for indicator_dict in indicator_list:
                                try:
                                    artifacts = sixgill_artifact.prepare_artifact(
                                        container_id, container["severity"],
                                        indicator, indicator_dict)
                                    artifact_status, artifact_message, artifact_id_list = self._connector.save_artifacts(
                                        artifacts)
                                except:
                                    self._connector.debug_print(
                                        "Error occurred while creating the artifact"
                                    )
                            action_result.set_status(phantom.APP_SUCCESS)
                        else:
                            # Return error status if the indicator didn't get ingested
                            action_result.set_status(phantom.APP_ERROR)
        else:
            self._connector.save_progress(
                "There is no new Threat Intelligence available")
            action_result.set_status(phantom.APP_SUCCESS)
        self._connector.debug_print(
            f"Indicators Failed to ingest log: {failuer_indicator_list}")
        self._connector.save_progress("Sixgill Darkfeed Intelligence ingested")

        try:
            # Indicators which got ingested into the Phantom SOAR platform will get commited to the Sixgill Darkfeed API end point
            darkfeed_client.commit_indicators()
        except Exception as e:
            err = self._connector._get_error_message_from_exception(e)
            return action_result.set_status(
                phantom.APP_ERROR,
                "Error occurred while committing the indicator(s). {}".format(
                    err))

        return action_result.get_status()