def __init__(self, params: Dict):
url = params.get('url')
if not url:
url = "http://" + demisto.getLicenseCustomField("Core.ApiHost") + "/api/webapp/"
self._base_url: str = urljoin(url, '/public_api/v1/indicators/')
self._verify_cert: bool = not params.get('insecure', False)
self._params = params
handle_proxy()
def main():
"""
main function, parses params and runs command functions
"""
params = demisto.params()
insecure = not params.get('insecure', False)
proxy = params.get('proxy', False)
api_key = params.get('api_key', {}).get('password', '')
base_url = params.get('url')
if not api_key:
if is_demisto_version_ge('6.5.0'):
api_key = demisto.getLicenseCustomField(
'AutoFocusTagsFeed.api_key')
if not api_key:
raise DemistoException(
'Could not resolve the API key from the license nor the instance configuration.'
)
else:
raise DemistoException(
'An API key must be specified in order to use this integration'
)
command = demisto.command()
args = demisto.args()
demisto.debug(f'Command being called is {command}')
try:
client = Client(
api_key=api_key,
base_url=base_url,
verify=insecure,
proxy=proxy,
)
if command == 'test-module':
return_results(test_module(client))
elif command == 'autofocus-tags-feed-get-indicators':
return_results(get_indicators_command(client, params, args))
elif command == 'fetch-indicators':
# This is the command that initiates a request to the feed endpoint and create new indicators objects from
# the data fetched. If the integration instance is configured to fetch indicators, then this is the command
# that will be executed at the specified feed fetch interval.
indicators = fetch_indicators_command(client, params)
for iter_ in batch(indicators, batch_size=2000):
demisto.createIndicators(iter_)
else:
raise NotImplementedError(f'Command {command} is not implemented.')
except Exception as e:
demisto.error(traceback.format_exc()) # Print the traceback
return_error(f'Failed to execute {command} command.\nError:\n{str(e)}')
def get_headers(params: Dict) -> Dict:
api_key: str = str(params.get('apikey'))
api_key_id: str = str(params.get('apikey_id'))
if not api_key or not api_key_id:
headers = {
"HOST": demisto.getLicenseCustomField("Core.ApiHostName"),
demisto.getLicenseCustomField("Core.ApiHeader"): demisto.getLicenseCustomField("Core.ApiKey"),
"Content-Type": "application/json"
}
add_sensitive_log_strs(demisto.getLicenseCustomField("Core.ApiKey"))
else:
headers = {
"Content-Type": "application/json",
"x-xdr-auth-id": str(api_key_id),
"Authorization": api_key
}
add_sensitive_log_strs(api_key)
return headers
def main(): # pragma: no cover
"""
Executes an integration command
"""
command = demisto.command()
LOG(f'Command being called is {command}')
args = demisto.args()
args["integration_context_brand"] = INTEGRATION_CONTEXT_BRAND
args["integration_name"] = INTEGRATION_NAME
api_key = demisto.params().get('apikey')
api_key_id = demisto.params().get('apikey_id')
url = demisto.params().get('url')
url_suffix = '/xsiam' if command in PREVALENCE_COMMANDS else "/public_api/v1"
if not api_key or not api_key_id or not url:
headers = {
"HOST":
demisto.getLicenseCustomField("Core.ApiHostName"),
demisto.getLicenseCustomField("Core.ApiHeader"):
demisto.getLicenseCustomField("Core.ApiKey"),
"Content-Type":
"application/json"
}
url = "http://" + demisto.getLicenseCustomField(
"Core.ApiHost") + "/api/webapp/"
add_sensitive_log_strs(demisto.getLicenseCustomField("Core.ApiKey"))
else:
headers = {
"Content-Type": "application/json",
"x-xdr-auth-id": str(api_key_id),
"Authorization": api_key
}
add_sensitive_log_strs(api_key)
base_url = urljoin(url, url_suffix)
proxy = demisto.params().get('proxy')
verify_cert = not demisto.params().get('insecure', False)
try:
timeout = int(demisto.params().get('timeout', 120))
except ValueError as e:
demisto.debug(
f'Failed casting timeout parameter to int, falling back to 120 - {e}'
)
timeout = 120
client = Client(base_url=base_url,
proxy=proxy,
verify=verify_cert,
headers=headers,
timeout=timeout)
try:
if command == 'test-module':
client.test_module()
demisto.results('ok')
elif command == 'core-get-endpoints':
return_results(get_endpoints_command(client, args))
elif command == 'core-isolate-endpoint':
polling_args = {
**args, "endpoint_id_list": args.get('endpoint_id')
}
return_results(
run_polling_command(client=client,
args=polling_args,
cmd="core-isolate-endpoint",
command_function=isolate_endpoint_command,
command_decision_field="action_id",
results_function=get_endpoints_command,
polling_field="is_isolated",
polling_value=["AGENT_ISOLATED"],
stop_polling=True))
elif command == 'core-unisolate-endpoint':
polling_args = {
**args, "endpoint_id_list": args.get('endpoint_id')
}
return_results(
run_polling_command(
client=client,
args=polling_args,
cmd="core-unisolate-endpoint",
command_function=unisolate_endpoint_command,
command_decision_field="action_id",
results_function=get_endpoints_command,
polling_field="is_isolated",
polling_value=[
"AGENT_UNISOLATED", "CANCELLED", "ֿPENDING_ABORT",
"ABORTED", "EXPIRED", "COMPLETED_PARTIAL",
"COMPLETED_SUCCESSFULLY", "FAILED", "TIMEOUT"
],
stop_polling=True))
elif command == 'core-get-distribution-url':
return_outputs(*get_distribution_url_command(client, args))
elif command == 'core-get-create-distribution-status':
return_outputs(*get_distribution_status_command(client, args))
elif command == 'core-get-distribution-versions':
return_outputs(*get_distribution_versions_command(client, args))
elif command == 'core-create-distribution':
return_outputs(*create_distribution_command(client, args))
elif command == 'core-get-audit-management-logs':
return_outputs(*get_audit_management_logs_command(client, args))
elif command == 'core-get-audit-agent-reports':
return_outputs(*get_audit_agent_reports_command(client, args))
elif command == 'core-blocklist-files':
return_results(blocklist_files_command(client, args))
elif command == 'core-allowlist-files':
return_results(allowlist_files_command(client, args))
elif command == 'core-quarantine-files':
polling_args = {
**args, "endpoint_id":
argToList(args.get("endpoint_id_list"))[0]
}
return_results(
run_polling_command(
client=client,
args=polling_args,
cmd="core-quarantine-files",
command_function=quarantine_files_command,
command_decision_field="action_id",
results_function=action_status_get_command,
polling_field="status",
polling_value=["PENDING", "IN_PROGRESS", "PENDING_ABORT"]))
elif command == 'core-get-quarantine-status':
return_results(get_quarantine_status_command(client, args))
elif command == 'core-restore-file':
return_results(
run_polling_command(
client=client,
args=args,
cmd="core-restore-file",
command_function=restore_file_command,
command_decision_field="action_id",
results_function=action_status_get_command,
polling_field="status",
polling_value=["PENDING", "IN_PROGRESS", "PENDING_ABORT"]))
elif command == 'core-endpoint-scan':
return_results(
run_polling_command(
client=client,
args=args,
cmd="core-endpoint-scan",
command_function=endpoint_scan_command,
command_decision_field="action_id",
results_function=action_status_get_command,
polling_field="status",
polling_value=["PENDING", "IN_PROGRESS", "PENDING_ABORT"]))
elif command == 'core-endpoint-scan-abort':
return_results(endpoint_scan_abort_command(client, args))
elif command == 'update-remote-system':
return_results(update_remote_system_command(client, args))
elif command == 'core-delete-endpoints':
return_outputs(*delete_endpoints_command(client, args))
elif command == 'core-get-policy':
return_outputs(*get_policy_command(client, args))
elif command == 'core-get-endpoint-device-control-violations':
return_outputs(
*get_endpoint_device_control_violations_command(client, args))
elif command == 'core-retrieve-files':
return_results(
run_polling_command(
client=client,
args=args,
cmd="core-retrieve-files",
command_function=retrieve_files_command,
command_decision_field="action_id",
results_function=action_status_get_command,
polling_field="status",
polling_value=["PENDING", "IN_PROGRESS", "PENDING_ABORT"]))
elif command == 'core-retrieve-file-details':
return_entry, file_results = retrieve_file_details_command(
client, args, False)
demisto.results(return_entry)
if file_results:
demisto.results(file_results)
elif command == 'core-get-scripts':
return_outputs(*get_scripts_command(client, args))
elif command == 'core-get-script-metadata':
return_outputs(*get_script_metadata_command(client, args))
elif command == 'core-get-script-code':
return_outputs(*get_script_code_command(client, args))
elif command == 'core-action-status-get':
return_results(action_status_get_command(client, args))
elif command == 'core-run-script':
return_results(run_script_command(client, args))
elif command == 'core-run-snippet-code-script':
return_results(
run_polling_command(
client=client,
args=args,
cmd="core-run-snippet-code-script",
command_function=run_snippet_code_script_command,
command_decision_field="action_id",
results_function=action_status_get_command,
polling_field="status",
polling_value=["PENDING", "IN_PROGRESS", "PENDING_ABORT"]))
elif command == 'core-get-script-execution-status':
return_results(get_script_execution_status_command(client, args))
elif command == 'core-get-script-execution-results':
return_results(get_script_execution_results_command(client, args))
elif command == 'core-get-script-execution-result-files':
return_results(
get_script_execution_result_files_command(client, args))
elif command == 'core-run-script-execute-commands':
return_results(
run_polling_command(
client=client,
args=args,
cmd="core-run-script-execute-commands",
command_function=run_script_execute_commands_command,
command_decision_field="action_id",
results_function=action_status_get_command,
polling_field="status",
polling_value=["PENDING", "IN_PROGRESS", "PENDING_ABORT"]))
elif command == 'core-run-script-delete-file':
return_results(
run_polling_command(
client=client,
args=args,
cmd="core-run-script-delete-file",
command_function=run_script_delete_file_command,
command_decision_field="action_id",
results_function=action_status_get_command,
polling_field="status",
polling_value=["PENDING", "IN_PROGRESS", "PENDING_ABORT"]))
elif command == 'core-run-script-file-exists':
return_results(
run_polling_command(
client=client,
args=args,
cmd="core-run-script-file-exists",
command_function=run_script_file_exists_command,
command_decision_field="action_id",
results_function=action_status_get_command,
polling_field="status",
polling_value=["PENDING", "IN_PROGRESS", "PENDING_ABORT"]))
elif command == 'core-run-script-kill-process':
return_results(
run_polling_command(
client=client,
args=args,
cmd="core-run-script-kill-process",
command_function=run_script_kill_process_command,
command_decision_field="action_id",
results_function=action_status_get_command,
polling_field="status",
polling_value=["PENDING", "IN_PROGRESS", "PENDING_ABORT"]))
elif command == 'endpoint':
return_results(endpoint_command(client, args))
elif command == 'core-report-incorrect-wildfire':
return_results(report_incorrect_wildfire_command(client, args))
elif command == 'core-remove-blocklist-files':
return_results(remove_blocklist_files_command(client, args))
elif command == 'core-remove-allowlist-files':
return_results(remove_allowlist_files_command(client, args))
elif command == 'core-add-exclusion':
return_results(add_exclusion_command(client, args))
elif command == 'core-delete-exclusion':
return_results(delete_exclusion_command(client, args))
elif command == 'core-get-exclusion':
return_results(get_exclusion_command(client, args))
elif command == 'core-get-cloud-original-alerts':
return_results(get_original_alerts_command(client, args))
elif command == 'core-get-dynamic-analysis':
return_results(get_dynamic_analysis_command(client, args))
elif command in PREVALENCE_COMMANDS:
return_results(handle_prevalence_command(client, command, args))
except Exception as err:
demisto.error(traceback.format_exc())
return_error(str(err))