def fetch_incidents(): last_run = demisto.getLastRun() # Get the last fetch time, if exists last_fetch = last_run.get('time') # Handle first time fetch, fetch incidents retroactively if last_fetch is None: last_fetch, _ = parse_date_range(FETCH_TIME, date_format='%Y-%m-%dT%H:%M:%S') latest = datetime.strptime(last_fetch, '%Y-%m-%dT%H:%M:%S') demisto.debug('getting alarms since {}'.format(last_fetch)) incidents = [] items = list_alerts(time_frame='Custom', start_time=last_fetch) demisto.debug('got {} new alarms'.format(len(items))) for item in items: incident_date = datetime.strptime(item['ALERT_TIME'], '%Y-%m-%d %H:%M:%S') incident = { 'Type': 'Fidelis', 'name': '{} {}'.format(item['ALERT_ID'], item['SUMMARY']), 'occurred': incident_date.strftime('%Y-%m-%dT%H:%M:%SZ'), 'rawJSON': json.dumps(item), } latest = max(latest, incident_date) incidents.append(incident) if latest != last_fetch: last_fetch = (latest + timedelta(seconds=1)).strftime('%Y-%m-%dT%H:%M:%S') demisto.setLastRun({'time': last_fetch}) demisto.incidents(incidents)
def fetch_incidents(): param_dict = {} now_time = datetime.utcnow() now = datetime.isoformat(now_time) lastRunObject = demisto.getLastRun() if lastRunObject: param_dict['since'] = lastRunObject['time'] else: param_dict['since'] = datetime.isoformat(now_time - timedelta(minutes=int(FETCH_INTERVAL))) param_dict['until'] = now url = SERVER_URL + GET_INCIDENTS_SUFFIX + configure_status() res = http_request('GET', url, param_dict) _, parsed_incidents, raw_responses = parse_incident_data(res.get('incidents', [])) incidents = [] for incident, raw_response in zip(parsed_incidents, raw_responses): incidents.append({ 'name': incident['ID'] + ' - ' + incident['Title'], 'occurred': incident['created_at'], 'severity': translate_severity(incident['urgency']), 'rawJSON': json.dumps(raw_response) }) demisto.incidents(incidents) demisto.setLastRun({'time': now})
def fetch(): """ Query viewer should be defined in ArcSight ESM. fetch incidents fetches the results of query viewer and converts them to Demisto incidents. We can query Cases or Events. If Cases are fetched then the query viewer query must return fields ID and Create Time. If Events are fetched then Event ID and Start Time. """ events_query_viewer_id = demisto.params().get('viewerId') cases_query_viewer_id = demisto.params().get('casesQueryViewerId') type_of_incident = 'case' if events_query_viewer_id else 'event' last_run = json.loads(demisto.getLastRun().get('value', '{}')) already_fetched = last_run.get('already_fetched', []) fields, query_results = get_query_viewer_results(events_query_viewer_id or cases_query_viewer_id) # sort query_results by creation time query_results.sort(key=lambda k: int(k.get('Start Time') or k.get('Create Time'))) incidents = [] for result in query_results: # convert case or event to demisto incident r_id = result.get('ID') or result.get('Event ID') if r_id not in already_fetched: create_time_epoch = int(result.get('Start Time') or result.get('Create Time')) result['Create Time'] = parse_timestamp_to_datestring(create_time_epoch) incident_name = result.get('Name') or 'New {} from arcsight at {}'.format(type_of_incident, datetime.now()) labels = [{'type': key.encode('utf-8'), 'value': value.encode('utf-8') if value else value} for key, value in result.items()] incident = { 'name': incident_name, 'occurred': result['Create Time'], 'labels': labels, 'rawJSON': json.dumps(result) } incidents.append(incident) if len(incidents) >= FETCH_CHUNK_SIZE: break if len(already_fetched) > MAX_UNIQUE: already_fetched.pop(0) already_fetched.append(r_id) last_run = { 'already_fetched': already_fetched, } demisto.setLastRun({'value': json.dumps(last_run)}) decode_arcsight_output(incidents) if demisto.command() == 'as-fetch-incidents': contents = { 'last_run': last_run, 'last_run_updated': demisto.getLastRun(), 'incidents': incidents, 'already_fetched': already_fetched } return_outputs(readable_output='', outputs={}, raw_response=contents) else: demisto.incidents(incidents)
def main(): global ADMIN_EMAIL, PRIVATE_KEY_CONTENT, GAPPS_ID ADMIN_EMAIL = demisto.params()['adminEmail'].get('identifier', '') PRIVATE_KEY_CONTENT = demisto.params()['adminEmail'].get('password', '{}') GAPPS_ID = demisto.params().get('gappsID') ''' EXECUTION CODE ''' COMMANDS = { 'gmail-list-users': list_users_command, 'gmail-get-user': get_user_command, 'gmail-create-user': create_user_command, 'gmail-delete-user': delete_user_command, 'gmail-get-user-roles': get_user_role_command, 'gmail-revoke-user-role': revoke_user_roles_command, 'gmail-get-tokens-for-user': get_user_tokens_command, 'gmail-search-all-mailboxes': search_all_mailboxes, 'gmail-search': search_command, 'gmail-get-mail': get_mail_command, 'gmail-get-attachments': get_attachments_command, 'gmail-move-mail': move_mail_command, 'gmail-move-mail-to-mailbox': move_mail_to_mailbox_command, 'gmail-delete-mail': delete_mail_command, 'gmail-get-thread': get_thread_command, 'gmail-add-filter': add_filter_command, 'gmail-add-delete-filter': add_delete_filter_command, 'gmail-list-filters': list_filters_command, 'gmail-remove-filter': remove_filter_command, } command = demisto.command() LOG('GMAIL: command is %s' % (command, )) try: if command == 'test-module': list_users(ADMIN_EMAIL.split('@')[1]) demisto.results('ok') sys.exit(0) if command == 'fetch-incidents': demisto.incidents(fetch_incidents()) sys.exit(0) cmd_func = COMMANDS.get(command) if cmd_func is None: raise NotImplementedError( 'Command "{}" is not implemented.'.format(command)) else: demisto.results(cmd_func()) except Exception as e: import traceback if command == 'fetch-incidents': LOG(traceback.format_exc(e)) LOG.print_log() raise else: return_error('GMAIL: {}'.format(str(e)), traceback.format_exc(e))
def fetch_incidents(): last_fetched_event_timestamp = demisto.getLastRun().get('last_fetched_event_timestamp') if last_fetched_event_timestamp is not None: last_fetched_event_timestamp = datetime.strptime(last_fetched_event_timestamp, '%Y-%m-%dT%H:%M:%S.%f') else: last_fetched_event_timestamp, _ = parse_date_range(FIRST_FETCH_TIMESTAMP) # Need sometime in the future, so the timestamp will be taken from the query service_end_date_epoch = int(datetime.now().strftime('%s')) + 1000 global FETCH_QUERY if 'panw.' in FETCH_QUERY: service_start_date_epoch = int(last_fetched_event_timestamp.strftime('%s')) FETCH_QUERY += f' WHERE receive_time>{service_start_date_epoch}' elif 'tms.' in FETCH_QUERY: service_start_date_iso = last_fetched_event_timestamp.strftime('%Y-%m-%dT%H:%M:%S.%fZ') FETCH_QUERY += f" WHERE serverTime>'{service_start_date_iso}'" query_data = { 'query': FETCH_QUERY, 'startTime': 0, 'endTime': service_end_date_epoch, } response = query_loggings(query_data) try: result = response.json()['result'] pages = result['esResult']['hits']['hits'] except ValueError: raise Exception('Failed to parse the response from Cortex') incident_pairs = [] max_fetched_event_timestamp = last_fetched_event_timestamp for page in pages: incident, time_received = convert_log_to_incident(page) if 'panw.' in FETCH_QUERY: time_received_dt = datetime.fromtimestamp(time_received) elif 'tms.' in FETCH_QUERY: time_received_dt = datetime.strptime(time_received, '%Y-%m-%dT%H:%M:%S.%fZ') incident_pairs.append((incident, time_received_dt)) if incident_pairs: incidents, max_fetched_event_timestamp = process_incident_pairs(incident_pairs, 100) # max 100 per run demisto.setLastRun({ 'last_fetched_event_timestamp': max_fetched_event_timestamp.strftime('%Y-%m-%dT%H:%M:%S.%f') }) demisto.incidents(incidents) else: demisto.incidents([])
def fetch_incidents(query, id_offset=None, fetch_by_created=None, **_): last_run = demisto.getLastRun() demisto.debug(f"last_run: {last_run}" if last_run else 'last_run is empty') id_offset = last_run.get("idOffset") if (last_run and last_run.get("idOffset")) else id_offset incidents, max_results = [], 50 if id_offset: query = f'{query} AND id >= {id_offset}' if fetch_by_created: query = f'{query} AND created>-1m' res = run_query(query, '', max_results) for ticket in res.get('issues'): id_offset = max(id_offset, ticket.get("id")) incidents.append(create_incident_from_ticket(ticket)) demisto.setLastRun({"idOffset": id_offset}) demisto.incidents(incidents)
def fetch_incidents(): query_id = GetEventQuery() res = GetIncidentsByOrg(query_id) known_ids = demisto.getLastRun().get('ids', None) if known_ids is None or not known_ids: known_ids = [] incidents = [] for inc in res: if inc.get('incidentId') not in known_ids: incidents.append({"name": inc.get('eventName', 'New FortiSIEM Event'), "rawJSON": json.dumps(inc)}) if len(known_ids) >= 1000: known_ids.pop(0) known_ids.append(inc.get('incidentId')) demisto.setLastRun({ 'ids': known_ids, 'extended_keys': EXTENDED_KEYS }) demisto.incidents(incidents) sys.exit(0)
def fetch_incidents(): incidents = [] last_run = demisto.getLastRun() if last_run and last_run['time_stamp']: last_update_time = last_run['time_stamp'] else: # In first run last_update_time, _ = parse_date_range(FETCH_TIME, date_format='%Y-%m-%dT%H:%M:%S.%f'[:-3]) max_timestamp = last_update_time if FETCH_BEHAVIORS: params = 'behaviors.time_stamp>' + last_update_time behaviors = fetch_behaviors_request(params) for behavior in behaviors.get('results'): incident = behavior_to_incident(behavior) # 0 corresponds to never triggered time_stamp = behavior.get('behaviors.time_stamp')[:-5] # comapre time_stamp if time_stamp > max_timestamp: max_timestamp = time_stamp incidents.append(incident) if FETCH_NOTIFICATIONS: params = 'notifications.time_stamp>' + last_update_time notifications = search_notifications_request(params) for notification in notifications.get('results'): incident = notifications_to_incidents(notification) time_stamp = notification.get('notifications.time_stamp')[:-5] if time_stamp > max_timestamp: max_timestamp = time_stamp incidents.append(incident) demisto.setLastRun({ 'time_stamp': max_timestamp }) demisto.incidents(incidents)
def fetch_incidents(): """ Fetch events from this integration and return them as Demisto incidents returns: Demisto incidents """ # demisto.getLastRun() will returns an obj with the previous run in it. last_run = demisto.getLastRun() # Get the last fetch time and data if it exists last_fetch = last_run.get('last_fetched_data_timestamp') last_fetched_data = last_run.get('last_fetched_data') # Handle first time fetch, fetch incidents retroactively if not last_fetch: last_fetch, _ = parse_date_range(FETCH_TIME, to_timestamp=True) args = {'rows': MAX_ROWS, 'query': FETCH_QUERY} column_descriptions, data = snowflake_query(args) data.sort(key=lambda k: k[DATETIME_COLUMN]) # convert the data/events to demisto incidents incidents = [] for row in data: incident = row_to_incident(column_descriptions, row) incident_timestamp = incident.get('timestamp') # Update last run and add incident if the incident is newer than last fetch if incident_timestamp and incident_timestamp >= last_fetch: last_fetch = incident_timestamp if incident.get('rawJSON') != last_fetched_data: last_fetched_data = incident.get('rawJSON') del incident['timestamp'] incidents.append(incident) this_run = { 'last_fetched_data': last_fetched_data, 'last_fetched_data_timestamp': last_fetch } demisto.setLastRun(this_run) demisto.incidents(incidents)
def fetch_incidents_command(): """ Fetch alerts from Canary Tools as incidents in Demisto last_fetch: The latest fetched alert creation time """ last_fetch = demisto.getLastRun().get('time') if last_fetch is None: last_fetch = parse_date_range(FETCH_DELTA, '%Y-%m-%d-%H:%M:%S')[0] # All alerts retrieved from get_alerts are newer than last_fetch and are in a chronological order alerts = get_alerts(last_fetch) incidents = [] current_fetch = last_fetch for alert in alerts: current_fetch = 1000 * (int(demisto.get(alert, 'description.created'))) current_fetch = timestamp_to_datestring(current_fetch, '%Y-%m-%d-%H:%M:%S') incident = create_incident(alert) incidents.append(incident) demisto.incidents(incidents) demisto.setLastRun({'time': current_fetch})
def fetch_incidents(): # API is handling last run by marking items that was read and not receiving the same items. max_incidents = get_limit(demisto.params().get('maxIncidents', MAX_INCIDENTS), MAX_INCIDENTS) sixgill_alerts_client = SixgillAlertClient(demisto.params()['client_id'], demisto.params()['client_secret'], CHANNEL_CODE, bulk_size=max_incidents, logger=demisto) filter_alerts_kwargs = get_incident_init_params() incidents: List[Dict[str, Any]] = [] for raw_incident in sixgill_alerts_client.get_alert(**filter_alerts_kwargs): incident = item_to_incident(raw_incident) sixgill_alerts_client.mark_digested_item(raw_incident) incidents.append(incident) if len(incidents) >= max_incidents: sixgill_alerts_client.commit_digested_items(force=True) break demisto.incidents(incidents)
def fetch_incidents_command(): """ Fetch alerts from Canary Tools as incidents in Demisto last_fetch: The latest fetched alert creation time """ last_fetch = demisto.getLastRun().get('time') if last_fetch is None: last_fetch = parse_date_range(FETCH_DELTA, '%Y-%m-%d-%H:%M:%S')[0] # All alerts retrieved from get_alerts are newer than last_fetch and are in a chronological order alerts = get_alerts(last_fetch) incidents = [] current_fetch = last_fetch for alert in alerts: current_fetch = 1000 * (int(demisto.get(alert, 'description.created')) + 1) current_fetch = timestamp_to_datestring(current_fetch, '%Y-%m-%d-%H:%M:%S') incident = create_incident(alert) incidents.append(incident) demisto.incidents(incidents) demisto.setLastRun({'time': current_fetch})
def fetch_incidents(query, id_offset=0, fetch_by_created=None, **_): last_run = demisto.getLastRun() demisto.debug(f"last_run: {last_run}" if last_run else 'last_run is empty') id_offset = last_run.get("idOffset") if ( last_run and last_run.get("idOffset")) else id_offset incidents, max_results = [], 50 if id_offset: query = f'{query} AND id >= {id_offset}' if fetch_by_created: query = f'{query} AND created>-1m' res = run_query(query, '', max_results) curr_id = id_offset for ticket in res.get('issues'): ticket_id = int(ticket.get("id")) if ticket_id == curr_id: continue id_offset = max(int(id_offset), ticket_id) incidents.append(create_incident_from_ticket(ticket)) demisto.setLastRun({"idOffset": id_offset}) demisto.incidents(incidents)
def update_empty_fields(): """ Update the campaign dynamic section empty field with default values in order for them to appear in the page """ incident = demisto.incidents()[0] custom_fields = incident.get('customFields', {}) for field in DEFAULT_CUSTOM_FIELDS.keys(): if not custom_fields.get(field): custom_fields[field] = DEFAULT_CUSTOM_FIELDS[field] demisto.executeCommand('setIncident', { 'id': incident['id'], 'customFields': custom_fields })
def fetch_incidents(client, conn, subscription_id, queue_name, topic_name): if not queue_name and not topic_name: raise ValueError( 'To fetch incidents you must provide either Queue Name or Topic Name' ) if queue_name and topic_name: raise ValueError('Can\'t provide both Queue Name and Topic name.') # conn = stomp.Connection(heartbeats=(4000, 4000)) listener = MsgListener() if client and len(client) > 0: conn.set_listener('Demisto', listener) if queue_name: conn.subscribe('/queue/' + queue_name, subscription_id, ack='client-individual') else: conn.subscribe('/topic/' + topic_name, subscription_id, ack='client-individual', headers={'activemq.subscriptionName': client}) incidents = [] time.sleep(10) for i in range(len(listener.result_arr)): msg = listener.result_arr[i] msg_id = listener.msg_ids[i] incidents.append({ 'Name': 'ActiveMQ incident:' + msg_id, 'rawJSON': msg, 'details': msg }) demisto.incidents(incidents) for msg_id in listener.msg_ids: conn.ack(msg_id, subscription_id)
def fetch_incidents(): """ Generates and fetches phishing email-like incidents Generates phishing email-like incidents, with the number of incidents, the speed of generation and the recurring time period all set by the values entered in the integration instance parameters. This method operates under the assumption that fetch-incidents is called once per minute. returns: Email-like incidents """ try: update_parameters() minutes_of_generation = MAX_NUM_OF_INCIDENTS / float( INCIDENTS_PER_MINUTE) if not FREQUENCY or minutes_of_generation > FREQUENCY: # Run once last_run = 0 if not demisto.getLastRun() else demisto.getLastRun( ).get('numOfIncidentsCreated', 0) num_of_incidents_created, incidents = generate_incidents(last_run) demisto.incidents(incidents) demisto.setLastRun( {'numOfIncidentsCreated': last_run + num_of_incidents_created}) return else: run_counter = 0 if not demisto.getLastRun( ) else demisto.getLastRun().get('run_count', 0) last_run = 0 if not demisto.getLastRun() else demisto.getLastRun( ).get('numOfIncidentsCreated', 0) should_run = run_counter % FREQUENCY if should_run < math.ceil( minutes_of_generation): # then should run if should_run == 0: last_run = 0 num_of_incidents_created, incidents = generate_incidents( last_run) demisto.incidents(incidents) total_incidents_created = last_run + num_of_incidents_created updated_run_count = run_counter + 1 demisto.setLastRun({ 'numOfIncidentsCreated': total_incidents_created, 'run_count': updated_run_count }) return else: updated_run_count = run_counter + 1 demisto.setLastRun({ 'numOfIncidentsCreated': last_run, 'run_count': updated_run_count }) demisto.incidents([]) except Exception: raise
def main(): """ Main Function""" try: demisto.info('Command is %s' % (demisto.command(), )) params = demisto.params() print_debug_msg('Received parameters') print_debug_msg(params) credentials = params.get('credentials') client = Client(BASE_URL, credentials, params.get('insecure'), params.get('proxy')) args = demisto.args() if demisto.command() == 'pan-dlp-get-report': report_id = args.get('report_id') fetch_snippets = argToBoolean(args.get('fetch_snippets')) report_json, status_code = client.get_dlp_report( report_id, fetch_snippets) return_results(parse_dlp_report(report_json)) elif demisto.command() == 'fetch-incidents': demisto.incidents(fetch_incidents_command()) elif demisto.command() == 'long-running-execution': long_running_execution_command(client, params) elif demisto.command() == 'pan-dlp-update-incident': return_results(update_incident_command(client, args)) elif demisto.command() == 'pan-dlp-exemption-eligible': return_results(exemption_eligible_command(args, params)) elif demisto.command() == 'pan-dlp-slack-message': return_results(slack_bot_message_command(args, params)) elif demisto.command() == 'pan-dlp-reset-last-run': return_results(reset_last_run_command()) elif demisto.command() == "test-module": test(client) except Exception as e: return_error( f'Failed to execute {demisto.command()} command.\nError:\n{str(e)}' )
def main(): params = demisto.params() base_url = urljoin(params.get('url'), 'idapi/v1') verify_ssl = not params.get('insecure', False) proxy = params.get('proxy') client = Client(base_url=base_url, verify=verify_ssl, proxy=proxy, auth=(params.get('credentials', {}).get('identifier'), params.get('credentials', {}).get('password'))) command = demisto.command() demisto.debug(f'Command being called is {command}') commands = { 'test-module': test_module_command, f'{INTEGRATION_COMMAND_NAME}-get-incidents': get_incidents_command, f'{INTEGRATION_COMMAND_NAME}-get-incident-by-id': get_incident_by_id_command } try: if command == 'fetch-incidents': incidents, new_last_run = fetch_incidents_command( client, fetch_time=params.get('fetchTime'), last_run=demisto.getLastRun().get('lastRun'), limit=params.get('fetchLimit')) demisto.incidents(incidents) demisto.setLastRun(new_last_run) else: readable_output, outputs, raw_response = commands[command]( client=client, **demisto.args()) return_outputs(readable_output, outputs, raw_response) # Log exceptions except Exception as e: err_msg = f'Error in {INTEGRATION_NAME} Integration [{e}]' return_error(err_msg, error=e)
def main() -> None: params = demisto.params() client_args = { 'client_id': params.get('credentials').get('identifier'), 'client_secret': params.get('credentials').get('password') } remote = params.get('remote', QWATCH_REMOTE) proxy = params.get('proxy', False) verify_ssl = not params.get('insecure', False) command = demisto.command() demisto.debug(f'Command being called is {command}') try: client = Client(remote, verify_ssl, proxy, **client_args) args = demisto.args() if command == 'test-module': demisto.results(test_module(client)) elif command == 'fetch-incidents': demisto.incidents(fetch_incidents(client, params)) elif command == 'qintel-qwatch-exposures': return_results(search_exposures(client, args, params)) # Log exceptions except Exception as e: demisto.error(traceback.format_exc()) return_error(f'Failed to execute {command} command.\nError:\n{str(e)}')
def main(): global BASE_URL, API_KEY, USE_SSL BASE_URL = urljoin(demisto.params().get('domain', ''), '/openapi/v3') API_KEY = demisto.params().get('api_key') USE_SSL = not demisto.params().get('insecure', False) ''' EXECUTION CODE ''' COMMANDS = { 'test-module': test_integration, 'fetch-incidents': fetch_incidents, 'redcanary-list-detections': list_detections_command, 'redcanary-list-endpoints': list_endpoints_command, 'redcanary-get-endpoint': get_endpoint_command, 'redcanary-get-endpoint-detections': get_endpoint_detections_command, 'redcanary-get-detection': get_detection_command, 'redcanary-acknowledge-detection': acknowledge_detection_command, 'redcanary-update-remediation-state': remediate_detection_command, 'redcanary-execute-playbook': execute_playbook_command, } try: handle_proxy() LOG('command is %s' % (demisto.command(), )) command_func = COMMANDS.get(demisto.command()) if command_func is not None: if demisto.command() == 'fetch-incidents': initial_last_run = demisto.getLastRun() last_run, incidents = fetch_incidents(initial_last_run) demisto.incidents(incidents) demisto.setLastRun(last_run) else: demisto.results(command_func()) except Exception as e: LOG(str(e)) if demisto.command() != 'test-module': LOG.print_log() return_error('error has occurred: {}'.format(str(e)))
def fetch_incidents(): last_run = demisto.getLastRun() # Get the last fetch time, if exists last_fetch = last_run.get('time') # Handle first time fetch, fetch incidents retroactively if last_fetch is None: last_fetch, _ = parse_date_range(FETCH_TIME, date_format='%Y-%m-%dT%H:%M:%SZ') incidents = [] items = search_alarms(start_time=date_to_timestamp( last_fetch, date_format='%Y-%m-%dT%H:%M:%SZ'), direction='asc') for item in items: incident = item_to_incident(item) incidents.append(incident) if incidents: # updating according to latest incident last_fetch = incidents[-1]['occurred'] demisto.setLastRun({'time': last_fetch}) demisto.incidents(incidents)
def main(): ''' EXECUTION ''' LOG('command is %s' % (demisto.command(), )) try: client = Client(base_url=BASE_URL, verify=verify_certificate, headers=headers, proxy=proxy) if demisto.command() == "fetch-incidents": incident_results = fetch_incidents_command(client) demisto.incidents(incident_results) return_results("Incidents fetched successfully!!") # return_results(fetch_incidents_command(client)) if demisto.command() == "armorblox-check-remediation-action": incident_id = demisto.args().get('incident_id') return_results(get_remediation_action(client, incident_id)) elif demisto.command() == 'test-module': result = test_module(client) return_results(result) except Exception as e: return_error(str(e))
def perform_link_unlink(ids, action): ids = ','.join(ids) res = demisto.executeCommand( "linkIncidents", { "incidentId": demisto.incidents()[0]["id"], "linkedIncidentIDs": ids, "action": action }) if isError(res): return_error( COMMAND_ERROR_MSG.format(action=action, ids=ids, error=get_error(res))) return COMMAND_SUCCESS.format(action=f'{action}ed', ids=ids)
def main() -> None: try: dbotscore = demisto.incidents()[0].get('CustomFields').get( 'chronicledbotscore', 0) html = get_html_representation(dbotscore) demisto.results({ "Type": 1, "ContentsFormat": formats["html"], "Contents": html }) except Exception as e: demisto.error(traceback.format_exc()) return_error(f'Could not load widget:\n{e}')
def main(): incident = demisto.incidents() query = incident[0].get('CustomFields', {}).get('healthchecktotaloutdatedpacks', 0) if not query: html = f"<h1 style={GREEN_HTML_STYLE}0</h1>" else: html = f"<h1 style={ORANGE_HTML_STYLE}{str(query)}</h1>" demisto.results({ 'ContentsFormat': formats['html'], 'Type': entryTypes['note'], 'Contents': html })
def fetch_incidents(): last_run = demisto.getLastRun() # Get the last fetch time, if exists last_fetch = last_run.get('timestamp') # Handle first time fetch, fetch incidents retroactively # OR # Handle first time after release if last_fetch is None: time_field = last_run.get('time') if time_field: last_fetch = date_to_timestamp(time_field, parse_time(time_field)) else: last_fetch, _ = parse_date_range(FETCH_TIME, to_timestamp=True) incidents = [] limit = dict_value_to_int(demisto.params(), 'fetch_limit') items = search_alarms(start_time=last_fetch, direction='asc', limit=limit) for item in items: incident = item_to_incident(item) incidents.append(incident) if incidents: # updating according to latest incident time_str = str(incidents[-1].get('occurred')) # add one second to last incident occurred time to avoid duplications occurred = datetime.strptime(time_str, '%Y-%m-%dT%H:%M:%S.%fZ') occurred = occurred + timedelta(seconds=1) time_str = occurred.strftime("%Y-%m-%dT%H:%M:%S.000Z") last_fetch = str( date_to_timestamp(time_str, date_format=parse_time(time_str))) demisto.setLastRun({'timestamp': last_fetch}) demisto.incidents(incidents)
def get_current_table(grid_id: str) -> List[Dict[Any, Any]]: """ Get current Data from the grid Args: grid_id: Grid ID to retrieve data from. Returns: list: Exsiting grid data. """ current_table: Optional[List[dict]] = demisto.incidents()[0].get( "CustomFields", {}).get(grid_id) if current_table is None: raise ValueError(f"The grid id isn't valid: {grid_id}") return pd.DataFrame(current_table)
def main() -> None: """main function, parses params and runs command functions :return: :rtype: """ demisto.debug(f'Command being called is {demisto.command()}') try: client = Client(demisto) if demisto.command() == 'fetch-incidents': str_first_fetch_violation = demisto.params().get('first_fetch', 1) str_max_results = demisto.params().get('max_fetch', 10) next_run_violation, incidents = fetch_incidents( client=client, last_run_violation=demisto.getLastRun(), str_first_fetch_violation=str_first_fetch_violation, str_max_results=str_max_results) demisto.setLastRun(next_run_violation) demisto.incidents(incidents) elif demisto.command() == "test-module": result = test_module(client) return_results(result) else: return_results( Command.run(demisto.command(), client, demisto.args())) except Exception as e: demisto.error(traceback.format_exc()) # print the traceback return_error( f'Failed to execute {demisto.command()} command.\nError:\n{str(e)}' )
def main(): incident = demisto.incidents() query = incident[0].get('CustomFields', {}).get('numberofentriesiderrors', 0) if not query: html = f"<h1 style={GREEN_HTML_STYLE}0</h1>" else: html = f"<h1 style={RED_HTML_STYLE}{str(query)}</h1>" demisto.results({ 'ContentsFormat': formats['html'], 'Type': entryTypes['note'], 'Contents': html })
def fetch_incidents(): try: client = aws_session() incidents = [] response = client.list_detectors() detector = response['DetectorIds'] list_findings = client.list_findings( DetectorId=detector[0], FindingCriteria={ 'Criterion': { 'service.archived': { 'Eq': ['false', 'false'] }, 'severity': { 'Gt': gd_severity_mapping(AWS_GD_SEVERITY) } } }) get_findings = client.get_findings( DetectorId=detector[0], FindingIds=list_findings['FindingIds']) for finding in get_findings['Findings']: incident = parse_incident_from_finding(finding) incidents.append(incident) # Create demisto incidents demisto.incidents(incidents) if incidents is not None: # Archive findings client.archive_findings(DetectorId=detector[0], FindingIds=list_findings['FindingIds']) except Exception as e: return raise_error(e)
def get_campaign_incidents(): """ Get the campaign incidents form the incident's context :rtype: ``list`` :return: list of campaign incidents """ incident_id = demisto.incidents()[0]['id'] res = demisto.executeCommand('getContext', {'id': incident_id}) if isError(res): return_error( f'Error occurred while trying to get the incident context: {get_error(res)}' ) return demisto.get(res[0], 'Contents.context.EmailCampaign.incidents')
def main(): incident = demisto.incidents() query = incident[0].get('CustomFields', {}).get('totalindicatorcount', 0) if not query: html = f"<div style={GREEN_HTML_STYLE}{0}</div>" elif int(query) == 0: html = f"<div style={GREEN_HTML_STYLE}{str(query)}</div>" else: html = f"<div style={GREEN_HTML_STYLE}{str(query)}</div>" demisto.results({ 'ContentsFormat': formats['html'], 'Type': entryTypes['note'], 'Contents': html })
def fetch_incidents(): """ Generates and fetches phishing email-like incidents Generates phishing email-like incidents, with the number of incidents, the speed of generation and the recurring time period all set by the values entered in the integration instance parameters. This method operates under the assumption that fetch-incidents is called once per minute. returns: Email-like incidents """ try: update_parameters() if not FREQUENCY: # Run once last_run = 0 if not demisto.getLastRun() else demisto.getLastRun().get('numOfIncidentsCreated', 0) num_of_incidents_created, incidents = generate_incidents(last_run) demisto.incidents(incidents) demisto.setLastRun({'numOfIncidentsCreated': last_run + num_of_incidents_created}) return else: minutes_of_generation = MAX_NUM_OF_INCIDENTS / float(INCIDENTS_PER_MINUTE) if minutes_of_generation > FREQUENCY: err_msg = 'The maximum number of incidents divided by the incidents to generate per minute' err_msg += ' exceeds every how often incidents should be generated. Please increase the value' err_msg += ' entered for how often the integration should generate incidents.' raise Exception(err_msg) run_counter = 0 if not demisto.getLastRun() else demisto.getLastRun().get('run_count', 0) last_run = 0 if not demisto.getLastRun() else demisto.getLastRun().get('numOfIncidentsCreated', 0) should_run = run_counter % FREQUENCY if should_run < math.ceil(minutes_of_generation): # then should run if should_run == 0: last_run = 0 num_of_incidents_created, incidents = generate_incidents(last_run) demisto.incidents(incidents) total_incidents_created = last_run + num_of_incidents_created updated_run_count = run_counter + 1 demisto.setLastRun({ 'numOfIncidentsCreated': total_incidents_created, 'run_count': updated_run_count }) return else: updated_run_count = run_counter + 1 demisto.setLastRun({ 'numOfIncidentsCreated': last_run, 'run_count': updated_run_count }) demisto.incidents([]) except Exception: raise
def main(): incident = demisto.incidents()[0] account_name = incident.get('account') account_name = f'acc_{account_name}/' if account_name != "" else "" res = execute_command('demisto-api-get', {'uri': f'{account_name}health/containers'}) containers = res['response'] return CommandResults( readable_output=tableToMarkdown('Containers Status', [containers], headers=['all', 'inactive', 'running']), outputs_prefix='containers', outputs=[containers], raw_response=containers, )
def get_current_table(grid_id: str) -> List[Dict[Any, Any]]: """ Get current Data from the grid Args: grid_id: Grid ID to retrieve data from. Returns: list: Existing grid data. """ current_table: Optional[List[dict]] = demisto.incidents()[0].get("CustomFields", {}).get(grid_id) if current_table is None: raise ValueError(f"The following grid id was not found: {grid_id}. Please make sure you entered the correct " f"incident type with the \"Machine name\" as it appears in the incident field editor in " f"Settings->Advanced ->Fields (Incident). Also make sure that this value appears in the " f"incident Context Data under incident - if not then please consult with support.") return pd.DataFrame(current_table)
def isAdminAPIInstance(): isAdminExist = False incident = demisto.incidents()[0] accountName = incident.get('account') accountName = f"acc_{accountName}" if accountName != "" else "" res = demisto.executeCommand("demisto-api-post", { "uri": f"{accountName}/user/preferences", "body": { "size": 500 }, }) for module in res: if module['Contents']['response']['id'] == 'admin': isAdminExist = True return isAdminExist
def main(): global EMAIL_BODY_FIELD, EMAIL_SUBJECT_FIELD, EMAIL_HTML_FIELD, FROM_FIELD, MIN_TEXT_LENGTH, FROM_POLICY input_args = demisto.args() EMAIL_BODY_FIELD = input_args.get('emailBody', EMAIL_BODY_FIELD) EMAIL_SUBJECT_FIELD = input_args.get('emailSubject', EMAIL_SUBJECT_FIELD) EMAIL_HTML_FIELD = input_args.get('emailBodyHTML', EMAIL_HTML_FIELD) FROM_FIELD = input_args.get('emailFrom', FROM_FIELD) FROM_POLICY = input_args.get('fromPolicy', FROM_POLICY) new_incident = demisto.incidents()[0] existing_incidents = get_existing_incidents( input_args, new_incident.get('type', IGNORE_INCIDENT_TYPE_VALUE)) demisto.debug('found {} incidents by query'.format( len(existing_incidents))) if len(existing_incidents) == 0: create_new_incident() return if not incident_has_text_fields(new_incident): create_new_incident_no_text_fields() return new_incident_df = preprocess_incidents_df([new_incident]) if len(new_incident_df ) == 0: # len(new_incident_df)==0 means new incident is too short create_new_incident_too_short() return existing_incidents_df = preprocess_incidents_df(existing_incidents) existing_incidents_df = filter_out_same_incident(existing_incidents_df, new_incident) existing_incidents_df = filter_newer_incidents(existing_incidents_df, new_incident) if len(existing_incidents_df) == 0: create_new_incident() return new_incident_preprocessed = new_incident_df.iloc[0].to_dict() duplicate_incident_row, similarity = find_duplicate_incidents( new_incident_preprocessed, existing_incidents_df) if duplicate_incident_row is None: create_new_incident() return if similarity < SIMILARITY_THRESHOLD: create_new_incident_low_similarity(duplicate_incident_row, similarity) else: return close_new_incident_and_link_to_existing(new_incident_df.iloc[0], duplicate_incident_row, similarity)
def get_campaign_incident_ids(context_path): """ Collect the campaign incidents ids form the context :rtype: ``list`` :return: list of campaign incident ids if exist, None otherwise """ incident_id = demisto.incidents()[0]['id'] res = demisto.executeCommand('getContext', {'id': incident_id}) if isError(res): return_error(f'Error occurred while trying to get the incident context: {get_error(res)}') incidents = demisto.get(res[0], context_path) if incidents: ids = [str(incident.get('id')) for incident in incidents] ids.sort(key=lambda val: int(val)) return ids return None
def main(): incident = demisto.incidents()[0] custom_fields = incident.get('CustomFields') linked_incident = custom_fields.get('similarincident') if linked_incident: main_integration_grid, main_incident_grid = create_grids( custom_fields, linked_incident) demisto.executeCommand( "setIncident", {'customFields': { 'integrationstestgrid': main_integration_grid }}) demisto.executeCommand( "setIncident", {'customFields': { 'playbooktaskserrors': main_incident_grid }})
def main(): try: incident = demisto.incidents()[0] custom_fields = incident.get('CustomFields', {}) emailto = custom_fields.get('campaignemailto') subject = custom_fields.get('campaignemailsubject') email_body = custom_fields.get('campaignemailbody') if not emailto: return_error(INVALID_EMAIL_TO_MSG) demisto.executeCommand("send-mail", { "to": emailto, "subject": subject, "body": email_body }) except Exception as ex: return_error( f'Failed to execute SendEmailToCampaignRecipients. Error: {str(ex)}' )
def load_current_incident(incident_id: str, populate_fields: List[str], from_date: str, to_date: str): """ Load current incident if incident_id given or load current incident investigated :param incident_id: incident_id :param populate_fields: populate_fields :param from_date: from_date :param to_date: to_date :return: """ if not incident_id: incident = demisto.incidents()[0] cf = incident.pop('CustomFields', {}) or {} incident.update(cf) incident = {k: v for k, v in incident.items() if k in populate_fields} incident_id = incident['id'] else: incident = get_incident_by_id(incident_id, populate_fields, from_date, to_date) if not incident: return None, incident_id return incident, incident_id
def fetch_incidents(): query_params = {} incidents = [] if FETCH_TIME: fetch_time = FETCH_TIME else: fetch_time = DEFAULTS['fetch_time'] last_run = demisto.getLastRun() if 'time' not in last_run: snow_time, _ = parse_date_range(fetch_time, '%Y-%m-%d %H:%M:%S') else: snow_time = last_run['time'] query = '' if SYSPARM_QUERY: query += SYSPARM_QUERY + '^' query += 'ORDERBY{0}^{0}>{1}'.format(TIMESTAMP_FIELD, snow_time) if query: query_params['sysparm_query'] = query query_params['sysparm_limit'] = SYSPARM_LIMIT path = 'table/' + TICKET_TYPE res = send_request(path, 'get', params=query_params) count = 0 parsed_snow_time = datetime.strptime(snow_time, '%Y-%m-%d %H:%M:%S') for result in res.get('result', []): labels = [] if TIMESTAMP_FIELD not in result: raise ValueError("The timestamp field [{}]" " does not exist in the ticket".format(TIMESTAMP_FIELD)) if count > SYSPARM_LIMIT: break try: if datetime.strptime(result[TIMESTAMP_FIELD], '%Y-%m-%d %H:%M:%S') < parsed_snow_time: continue except Exception: pass for k, v in result.iteritems(): if isinstance(v, basestring): labels.append({ 'type': k, 'value': v }) else: labels.append({ 'type': k, 'value': json.dumps(v) }) severity = SEVERITY_MAP.get(result.get('severity', ''), 0) file_names = [] if GET_ATTACHMENTS: file_entries = get_ticket_attachment_entries(result['sys_id']) for file_result in file_entries: if file_result['Type'] == entryTypes['error']: raise Exception('Error getting attachment: ' + str(file_result['Contents'])) file_names.append({ 'path': file_result['FileID'], 'name': file_result['File'] }) incidents.append({ 'name': 'ServiceNow Incident ' + result.get('number'), 'labels': labels, 'details': json.dumps(result), 'severity': severity, 'attachment': file_names, 'rawJSON': json.dumps(result) }) count += 1 snow_time = result[TIMESTAMP_FIELD] demisto.incidents(incidents) demisto.setLastRun({'time': snow_time})
def save_incidents(objects_to_save): final_incidents = [] for obj in objects_to_save: final_incidents.append(object_to_incident(obj)) demisto.incidents(final_incidents) return