def fetch_incidents():
last_run = demisto.getLastRun()
# Get the last fetch time, if exists
last_fetch = last_run.get('time')
# Handle first time fetch, fetch incidents retroactively
if last_fetch is None:
last_fetch, _ = parse_date_range(FETCH_TIME, date_format='%Y-%m-%dT%H:%M:%S')
latest = datetime.strptime(last_fetch, '%Y-%m-%dT%H:%M:%S')
demisto.debug('getting alarms since {}'.format(last_fetch))
incidents = []
items = list_alerts(time_frame='Custom', start_time=last_fetch)
demisto.debug('got {} new alarms'.format(len(items)))
for item in items:
incident_date = datetime.strptime(item['ALERT_TIME'], '%Y-%m-%d %H:%M:%S')
incident = {
'Type': 'Fidelis',
'name': '{} {}'.format(item['ALERT_ID'], item['SUMMARY']),
'occurred': incident_date.strftime('%Y-%m-%dT%H:%M:%SZ'),
'rawJSON': json.dumps(item),
}
latest = max(latest, incident_date)
incidents.append(incident)
if latest != last_fetch:
last_fetch = (latest + timedelta(seconds=1)).strftime('%Y-%m-%dT%H:%M:%S')
demisto.setLastRun({'time': last_fetch})
demisto.incidents(incidents)
def fetch_incidents():
param_dict = {}
now_time = datetime.utcnow()
now = datetime.isoformat(now_time)
lastRunObject = demisto.getLastRun()
if lastRunObject:
param_dict['since'] = lastRunObject['time']
else:
param_dict['since'] = datetime.isoformat(now_time - timedelta(minutes=int(FETCH_INTERVAL)))
param_dict['until'] = now
url = SERVER_URL + GET_INCIDENTS_SUFFIX + configure_status()
res = http_request('GET', url, param_dict)
_, parsed_incidents, raw_responses = parse_incident_data(res.get('incidents', []))
incidents = []
for incident, raw_response in zip(parsed_incidents, raw_responses):
incidents.append({
'name': incident['ID'] + ' - ' + incident['Title'],
'occurred': incident['created_at'],
'severity': translate_severity(incident['urgency']),
'rawJSON': json.dumps(raw_response)
})
demisto.incidents(incidents)
demisto.setLastRun({'time': now})
def fetch():
"""
Query viewer should be defined in ArcSight ESM. fetch incidents fetches the results of query viewer
and converts them to Demisto incidents. We can query Cases or Events. If Cases are fetched then the
query viewer query must return fields ID and Create Time. If Events are fetched then Event ID and Start Time.
"""
events_query_viewer_id = demisto.params().get('viewerId')
cases_query_viewer_id = demisto.params().get('casesQueryViewerId')
type_of_incident = 'case' if events_query_viewer_id else 'event'
last_run = json.loads(demisto.getLastRun().get('value', '{}'))
already_fetched = last_run.get('already_fetched', [])
fields, query_results = get_query_viewer_results(events_query_viewer_id or cases_query_viewer_id)
# sort query_results by creation time
query_results.sort(key=lambda k: int(k.get('Start Time') or k.get('Create Time')))
incidents = []
for result in query_results:
# convert case or event to demisto incident
r_id = result.get('ID') or result.get('Event ID')
if r_id not in already_fetched:
create_time_epoch = int(result.get('Start Time') or result.get('Create Time'))
result['Create Time'] = parse_timestamp_to_datestring(create_time_epoch)
incident_name = result.get('Name') or 'New {} from arcsight at {}'.format(type_of_incident, datetime.now())
labels = [{'type': key.encode('utf-8'), 'value': value.encode('utf-8') if value else value} for key, value
in result.items()]
incident = {
'name': incident_name,
'occurred': result['Create Time'],
'labels': labels,
'rawJSON': json.dumps(result)
}
incidents.append(incident)
if len(incidents) >= FETCH_CHUNK_SIZE:
break
if len(already_fetched) > MAX_UNIQUE:
already_fetched.pop(0)
already_fetched.append(r_id)
last_run = {
'already_fetched': already_fetched,
}
demisto.setLastRun({'value': json.dumps(last_run)})
decode_arcsight_output(incidents)
if demisto.command() == 'as-fetch-incidents':
contents = {
'last_run': last_run,
'last_run_updated': demisto.getLastRun(),
'incidents': incidents,
'already_fetched': already_fetched
}
return_outputs(readable_output='', outputs={}, raw_response=contents)
else:
demisto.incidents(incidents)
def main():
global ADMIN_EMAIL, PRIVATE_KEY_CONTENT, GAPPS_ID
ADMIN_EMAIL = demisto.params()['adminEmail'].get('identifier', '')
PRIVATE_KEY_CONTENT = demisto.params()['adminEmail'].get('password', '{}')
GAPPS_ID = demisto.params().get('gappsID')
''' EXECUTION CODE '''
COMMANDS = {
'gmail-list-users': list_users_command,
'gmail-get-user': get_user_command,
'gmail-create-user': create_user_command,
'gmail-delete-user': delete_user_command,
'gmail-get-user-roles': get_user_role_command,
'gmail-revoke-user-role': revoke_user_roles_command,
'gmail-get-tokens-for-user': get_user_tokens_command,
'gmail-search-all-mailboxes': search_all_mailboxes,
'gmail-search': search_command,
'gmail-get-mail': get_mail_command,
'gmail-get-attachments': get_attachments_command,
'gmail-move-mail': move_mail_command,
'gmail-move-mail-to-mailbox': move_mail_to_mailbox_command,
'gmail-delete-mail': delete_mail_command,
'gmail-get-thread': get_thread_command,
'gmail-add-filter': add_filter_command,
'gmail-add-delete-filter': add_delete_filter_command,
'gmail-list-filters': list_filters_command,
'gmail-remove-filter': remove_filter_command,
}
command = demisto.command()
LOG('GMAIL: command is %s' % (command, ))
try:
if command == 'test-module':
list_users(ADMIN_EMAIL.split('@')[1])
demisto.results('ok')
sys.exit(0)
if command == 'fetch-incidents':
demisto.incidents(fetch_incidents())
sys.exit(0)
cmd_func = COMMANDS.get(command)
if cmd_func is None:
raise NotImplementedError(
'Command "{}" is not implemented.'.format(command))
else:
demisto.results(cmd_func())
except Exception as e:
import traceback
if command == 'fetch-incidents':
LOG(traceback.format_exc(e))
LOG.print_log()
raise
else:
return_error('GMAIL: {}'.format(str(e)), traceback.format_exc(e))
def fetch_incidents():
last_fetched_event_timestamp = demisto.getLastRun().get('last_fetched_event_timestamp')
if last_fetched_event_timestamp is not None:
last_fetched_event_timestamp = datetime.strptime(last_fetched_event_timestamp, '%Y-%m-%dT%H:%M:%S.%f')
else:
last_fetched_event_timestamp, _ = parse_date_range(FIRST_FETCH_TIMESTAMP)
# Need sometime in the future, so the timestamp will be taken from the query
service_end_date_epoch = int(datetime.now().strftime('%s')) + 1000
global FETCH_QUERY
if 'panw.' in FETCH_QUERY:
service_start_date_epoch = int(last_fetched_event_timestamp.strftime('%s'))
FETCH_QUERY += f' WHERE receive_time>{service_start_date_epoch}'
elif 'tms.' in FETCH_QUERY:
service_start_date_iso = last_fetched_event_timestamp.strftime('%Y-%m-%dT%H:%M:%S.%fZ')
FETCH_QUERY += f" WHERE serverTime>'{service_start_date_iso}'"
query_data = {
'query': FETCH_QUERY,
'startTime': 0,
'endTime': service_end_date_epoch,
}
response = query_loggings(query_data)
try:
result = response.json()['result']
pages = result['esResult']['hits']['hits']
except ValueError:
raise Exception('Failed to parse the response from Cortex')
incident_pairs = []
max_fetched_event_timestamp = last_fetched_event_timestamp
for page in pages:
incident, time_received = convert_log_to_incident(page)
if 'panw.' in FETCH_QUERY:
time_received_dt = datetime.fromtimestamp(time_received)
elif 'tms.' in FETCH_QUERY:
time_received_dt = datetime.strptime(time_received, '%Y-%m-%dT%H:%M:%S.%fZ')
incident_pairs.append((incident, time_received_dt))
if incident_pairs:
incidents, max_fetched_event_timestamp = process_incident_pairs(incident_pairs, 100) # max 100 per run
demisto.setLastRun({
'last_fetched_event_timestamp': max_fetched_event_timestamp.strftime('%Y-%m-%dT%H:%M:%S.%f')
})
demisto.incidents(incidents)
else:
demisto.incidents([])
def fetch_incidents(query, id_offset=None, fetch_by_created=None, **_):
last_run = demisto.getLastRun()
demisto.debug(f"last_run: {last_run}" if last_run else 'last_run is empty')
id_offset = last_run.get("idOffset") if (last_run and last_run.get("idOffset")) else id_offset
incidents, max_results = [], 50
if id_offset:
query = f'{query} AND id >= {id_offset}'
if fetch_by_created:
query = f'{query} AND created>-1m'
res = run_query(query, '', max_results)
for ticket in res.get('issues'):
id_offset = max(id_offset, ticket.get("id"))
incidents.append(create_incident_from_ticket(ticket))
demisto.setLastRun({"idOffset": id_offset})
demisto.incidents(incidents)
def fetch_incidents():
query_id = GetEventQuery()
res = GetIncidentsByOrg(query_id)
known_ids = demisto.getLastRun().get('ids', None)
if known_ids is None or not known_ids:
known_ids = []
incidents = []
for inc in res:
if inc.get('incidentId') not in known_ids:
incidents.append({"name": inc.get('eventName', 'New FortiSIEM Event'), "rawJSON": json.dumps(inc)})
if len(known_ids) >= 1000:
known_ids.pop(0)
known_ids.append(inc.get('incidentId'))
demisto.setLastRun({
'ids': known_ids,
'extended_keys': EXTENDED_KEYS
})
demisto.incidents(incidents)
sys.exit(0)
def fetch_incidents():
incidents = []
last_run = demisto.getLastRun()
if last_run and last_run['time_stamp']:
last_update_time = last_run['time_stamp']
else:
# In first run
last_update_time, _ = parse_date_range(FETCH_TIME, date_format='%Y-%m-%dT%H:%M:%S.%f'[:-3])
max_timestamp = last_update_time
if FETCH_BEHAVIORS:
params = 'behaviors.time_stamp>' + last_update_time
behaviors = fetch_behaviors_request(params)
for behavior in behaviors.get('results'):
incident = behavior_to_incident(behavior)
# 0 corresponds to never triggered
time_stamp = behavior.get('behaviors.time_stamp')[:-5] # comapre time_stamp
if time_stamp > max_timestamp:
max_timestamp = time_stamp
incidents.append(incident)
if FETCH_NOTIFICATIONS:
params = 'notifications.time_stamp>' + last_update_time
notifications = search_notifications_request(params)
for notification in notifications.get('results'):
incident = notifications_to_incidents(notification)
time_stamp = notification.get('notifications.time_stamp')[:-5]
if time_stamp > max_timestamp:
max_timestamp = time_stamp
incidents.append(incident)
demisto.setLastRun({
'time_stamp': max_timestamp
})
demisto.incidents(incidents)
def fetch_incidents():
"""
Fetch events from this integration and return them as Demisto incidents
returns:
Demisto incidents
"""
# demisto.getLastRun() will returns an obj with the previous run in it.
last_run = demisto.getLastRun()
# Get the last fetch time and data if it exists
last_fetch = last_run.get('last_fetched_data_timestamp')
last_fetched_data = last_run.get('last_fetched_data')
# Handle first time fetch, fetch incidents retroactively
if not last_fetch:
last_fetch, _ = parse_date_range(FETCH_TIME, to_timestamp=True)
args = {'rows': MAX_ROWS, 'query': FETCH_QUERY}
column_descriptions, data = snowflake_query(args)
data.sort(key=lambda k: k[DATETIME_COLUMN])
# convert the data/events to demisto incidents
incidents = []
for row in data:
incident = row_to_incident(column_descriptions, row)
incident_timestamp = incident.get('timestamp')
# Update last run and add incident if the incident is newer than last fetch
if incident_timestamp and incident_timestamp >= last_fetch:
last_fetch = incident_timestamp
if incident.get('rawJSON') != last_fetched_data:
last_fetched_data = incident.get('rawJSON')
del incident['timestamp']
incidents.append(incident)
this_run = {
'last_fetched_data': last_fetched_data,
'last_fetched_data_timestamp': last_fetch
}
demisto.setLastRun(this_run)
demisto.incidents(incidents)
def fetch_incidents_command():
"""
Fetch alerts from Canary Tools as incidents in Demisto
last_fetch: The latest fetched alert creation time
"""
last_fetch = demisto.getLastRun().get('time')
if last_fetch is None:
last_fetch = parse_date_range(FETCH_DELTA, '%Y-%m-%d-%H:%M:%S')[0]
# All alerts retrieved from get_alerts are newer than last_fetch and are in a chronological order
alerts = get_alerts(last_fetch)
incidents = []
current_fetch = last_fetch
for alert in alerts:
current_fetch = 1000 * (int(demisto.get(alert, 'description.created')))
current_fetch = timestamp_to_datestring(current_fetch, '%Y-%m-%d-%H:%M:%S')
incident = create_incident(alert)
incidents.append(incident)
demisto.incidents(incidents)
demisto.setLastRun({'time': current_fetch})
def fetch_incidents():
# API is handling last run by marking items that was read and not receiving the same items.
max_incidents = get_limit(demisto.params().get('maxIncidents', MAX_INCIDENTS), MAX_INCIDENTS)
sixgill_alerts_client = SixgillAlertClient(demisto.params()['client_id'], demisto.params()['client_secret'],
CHANNEL_CODE, bulk_size=max_incidents, logger=demisto)
filter_alerts_kwargs = get_incident_init_params()
incidents: List[Dict[str, Any]] = []
for raw_incident in sixgill_alerts_client.get_alert(**filter_alerts_kwargs):
incident = item_to_incident(raw_incident)
sixgill_alerts_client.mark_digested_item(raw_incident)
incidents.append(incident)
if len(incidents) >= max_incidents:
sixgill_alerts_client.commit_digested_items(force=True)
break
demisto.incidents(incidents)
def fetch_incidents_command():
"""
Fetch alerts from Canary Tools as incidents in Demisto
last_fetch: The latest fetched alert creation time
"""
last_fetch = demisto.getLastRun().get('time')
if last_fetch is None:
last_fetch = parse_date_range(FETCH_DELTA, '%Y-%m-%d-%H:%M:%S')[0]
# All alerts retrieved from get_alerts are newer than last_fetch and are in a chronological order
alerts = get_alerts(last_fetch)
incidents = []
current_fetch = last_fetch
for alert in alerts:
current_fetch = 1000 * (int(demisto.get(alert, 'description.created')) + 1)
current_fetch = timestamp_to_datestring(current_fetch, '%Y-%m-%d-%H:%M:%S')
incident = create_incident(alert)
incidents.append(incident)
demisto.incidents(incidents)
demisto.setLastRun({'time': current_fetch})
def fetch_incidents(query, id_offset=0, fetch_by_created=None, **_):
last_run = demisto.getLastRun()
demisto.debug(f"last_run: {last_run}" if last_run else 'last_run is empty')
id_offset = last_run.get("idOffset") if (
last_run and last_run.get("idOffset")) else id_offset
incidents, max_results = [], 50
if id_offset:
query = f'{query} AND id >= {id_offset}'
if fetch_by_created:
query = f'{query} AND created>-1m'
res = run_query(query, '', max_results)
curr_id = id_offset
for ticket in res.get('issues'):
ticket_id = int(ticket.get("id"))
if ticket_id == curr_id:
continue
id_offset = max(int(id_offset), ticket_id)
incidents.append(create_incident_from_ticket(ticket))
demisto.setLastRun({"idOffset": id_offset})
demisto.incidents(incidents)
def update_empty_fields():
"""
Update the campaign dynamic section empty field with default values in order for them to appear in the page
"""
incident = demisto.incidents()[0]
custom_fields = incident.get('customFields', {})
for field in DEFAULT_CUSTOM_FIELDS.keys():
if not custom_fields.get(field):
custom_fields[field] = DEFAULT_CUSTOM_FIELDS[field]
demisto.executeCommand('setIncident', {
'id': incident['id'],
'customFields': custom_fields
})
def fetch_incidents(client, conn, subscription_id, queue_name, topic_name):
if not queue_name and not topic_name:
raise ValueError(
'To fetch incidents you must provide either Queue Name or Topic Name'
)
if queue_name and topic_name:
raise ValueError('Can\'t provide both Queue Name and Topic name.')
# conn = stomp.Connection(heartbeats=(4000, 4000))
listener = MsgListener()
if client and len(client) > 0:
conn.set_listener('Demisto', listener)
if queue_name:
conn.subscribe('/queue/' + queue_name,
subscription_id,
ack='client-individual')
else:
conn.subscribe('/topic/' + topic_name,
subscription_id,
ack='client-individual',
headers={'activemq.subscriptionName': client})
incidents = []
time.sleep(10)
for i in range(len(listener.result_arr)):
msg = listener.result_arr[i]
msg_id = listener.msg_ids[i]
incidents.append({
'Name': 'ActiveMQ incident:' + msg_id,
'rawJSON': msg,
'details': msg
})
demisto.incidents(incidents)
for msg_id in listener.msg_ids:
conn.ack(msg_id, subscription_id)
def fetch_incidents():
"""
Generates and fetches phishing email-like incidents
Generates phishing email-like incidents, with the number of incidents, the
speed of generation and the recurring time period all set by the values
entered in the integration instance parameters. This method operates
under the assumption that fetch-incidents is called once per minute.
returns:
Email-like incidents
"""
try:
update_parameters()
minutes_of_generation = MAX_NUM_OF_INCIDENTS / float(
INCIDENTS_PER_MINUTE)
if not FREQUENCY or minutes_of_generation > FREQUENCY: # Run once
last_run = 0 if not demisto.getLastRun() else demisto.getLastRun(
).get('numOfIncidentsCreated', 0)
num_of_incidents_created, incidents = generate_incidents(last_run)
demisto.incidents(incidents)
demisto.setLastRun(
{'numOfIncidentsCreated': last_run + num_of_incidents_created})
return
else:
run_counter = 0 if not demisto.getLastRun(
) else demisto.getLastRun().get('run_count', 0)
last_run = 0 if not demisto.getLastRun() else demisto.getLastRun(
).get('numOfIncidentsCreated', 0)
should_run = run_counter % FREQUENCY
if should_run < math.ceil(
minutes_of_generation): # then should run
if should_run == 0:
last_run = 0
num_of_incidents_created, incidents = generate_incidents(
last_run)
demisto.incidents(incidents)
total_incidents_created = last_run + num_of_incidents_created
updated_run_count = run_counter + 1
demisto.setLastRun({
'numOfIncidentsCreated': total_incidents_created,
'run_count': updated_run_count
})
return
else:
updated_run_count = run_counter + 1
demisto.setLastRun({
'numOfIncidentsCreated': last_run,
'run_count': updated_run_count
})
demisto.incidents([])
except Exception:
raise
def main():
""" Main Function"""
try:
demisto.info('Command is %s' % (demisto.command(), ))
params = demisto.params()
print_debug_msg('Received parameters')
print_debug_msg(params)
credentials = params.get('credentials')
client = Client(BASE_URL, credentials, params.get('insecure'),
params.get('proxy'))
args = demisto.args()
if demisto.command() == 'pan-dlp-get-report':
report_id = args.get('report_id')
fetch_snippets = argToBoolean(args.get('fetch_snippets'))
report_json, status_code = client.get_dlp_report(
report_id, fetch_snippets)
return_results(parse_dlp_report(report_json))
elif demisto.command() == 'fetch-incidents':
demisto.incidents(fetch_incidents_command())
elif demisto.command() == 'long-running-execution':
long_running_execution_command(client, params)
elif demisto.command() == 'pan-dlp-update-incident':
return_results(update_incident_command(client, args))
elif demisto.command() == 'pan-dlp-exemption-eligible':
return_results(exemption_eligible_command(args, params))
elif demisto.command() == 'pan-dlp-slack-message':
return_results(slack_bot_message_command(args, params))
elif demisto.command() == 'pan-dlp-reset-last-run':
return_results(reset_last_run_command())
elif demisto.command() == "test-module":
test(client)
except Exception as e:
return_error(
f'Failed to execute {demisto.command()} command.\nError:\n{str(e)}'
)
def main():
params = demisto.params()
base_url = urljoin(params.get('url'), 'idapi/v1')
verify_ssl = not params.get('insecure', False)
proxy = params.get('proxy')
client = Client(base_url=base_url,
verify=verify_ssl,
proxy=proxy,
auth=(params.get('credentials', {}).get('identifier'),
params.get('credentials', {}).get('password')))
command = demisto.command()
demisto.debug(f'Command being called is {command}')
commands = {
'test-module':
test_module_command,
f'{INTEGRATION_COMMAND_NAME}-get-incidents':
get_incidents_command,
f'{INTEGRATION_COMMAND_NAME}-get-incident-by-id':
get_incident_by_id_command
}
try:
if command == 'fetch-incidents':
incidents, new_last_run = fetch_incidents_command(
client,
fetch_time=params.get('fetchTime'),
last_run=demisto.getLastRun().get('lastRun'),
limit=params.get('fetchLimit'))
demisto.incidents(incidents)
demisto.setLastRun(new_last_run)
else:
readable_output, outputs, raw_response = commands[command](
client=client, **demisto.args())
return_outputs(readable_output, outputs, raw_response)
# Log exceptions
except Exception as e:
err_msg = f'Error in {INTEGRATION_NAME} Integration [{e}]'
return_error(err_msg, error=e)
def main() -> None:
params = demisto.params()
client_args = {
'client_id': params.get('credentials').get('identifier'),
'client_secret': params.get('credentials').get('password')
}
remote = params.get('remote', QWATCH_REMOTE)
proxy = params.get('proxy', False)
verify_ssl = not params.get('insecure', False)
command = demisto.command()
demisto.debug(f'Command being called is {command}')
try:
client = Client(remote, verify_ssl, proxy, **client_args)
args = demisto.args()
if command == 'test-module':
demisto.results(test_module(client))
elif command == 'fetch-incidents':
demisto.incidents(fetch_incidents(client, params))
elif command == 'qintel-qwatch-exposures':
return_results(search_exposures(client, args, params))
# Log exceptions
except Exception as e:
demisto.error(traceback.format_exc())
return_error(f'Failed to execute {command} command.\nError:\n{str(e)}')
def main():
global BASE_URL, API_KEY, USE_SSL
BASE_URL = urljoin(demisto.params().get('domain', ''), '/openapi/v3')
API_KEY = demisto.params().get('api_key')
USE_SSL = not demisto.params().get('insecure', False)
''' EXECUTION CODE '''
COMMANDS = {
'test-module': test_integration,
'fetch-incidents': fetch_incidents,
'redcanary-list-detections': list_detections_command,
'redcanary-list-endpoints': list_endpoints_command,
'redcanary-get-endpoint': get_endpoint_command,
'redcanary-get-endpoint-detections': get_endpoint_detections_command,
'redcanary-get-detection': get_detection_command,
'redcanary-acknowledge-detection': acknowledge_detection_command,
'redcanary-update-remediation-state': remediate_detection_command,
'redcanary-execute-playbook': execute_playbook_command,
}
try:
handle_proxy()
LOG('command is %s' % (demisto.command(), ))
command_func = COMMANDS.get(demisto.command())
if command_func is not None:
if demisto.command() == 'fetch-incidents':
initial_last_run = demisto.getLastRun()
last_run, incidents = fetch_incidents(initial_last_run)
demisto.incidents(incidents)
demisto.setLastRun(last_run)
else:
demisto.results(command_func())
except Exception as e:
LOG(str(e))
if demisto.command() != 'test-module':
LOG.print_log()
return_error('error has occurred: {}'.format(str(e)))
def fetch_incidents():
last_run = demisto.getLastRun()
# Get the last fetch time, if exists
last_fetch = last_run.get('time')
# Handle first time fetch, fetch incidents retroactively
if last_fetch is None:
last_fetch, _ = parse_date_range(FETCH_TIME,
date_format='%Y-%m-%dT%H:%M:%SZ')
incidents = []
items = search_alarms(start_time=date_to_timestamp(
last_fetch, date_format='%Y-%m-%dT%H:%M:%SZ'),
direction='asc')
for item in items:
incident = item_to_incident(item)
incidents.append(incident)
if incidents:
# updating according to latest incident
last_fetch = incidents[-1]['occurred']
demisto.setLastRun({'time': last_fetch})
demisto.incidents(incidents)
def main():
''' EXECUTION '''
LOG('command is %s' % (demisto.command(), ))
try:
client = Client(base_url=BASE_URL,
verify=verify_certificate,
headers=headers,
proxy=proxy)
if demisto.command() == "fetch-incidents":
incident_results = fetch_incidents_command(client)
demisto.incidents(incident_results)
return_results("Incidents fetched successfully!!")
# return_results(fetch_incidents_command(client))
if demisto.command() == "armorblox-check-remediation-action":
incident_id = demisto.args().get('incident_id')
return_results(get_remediation_action(client, incident_id))
elif demisto.command() == 'test-module':
result = test_module(client)
return_results(result)
except Exception as e:
return_error(str(e))
def perform_link_unlink(ids, action):
ids = ','.join(ids)
res = demisto.executeCommand(
"linkIncidents", {
"incidentId": demisto.incidents()[0]["id"],
"linkedIncidentIDs": ids,
"action": action
})
if isError(res):
return_error(
COMMAND_ERROR_MSG.format(action=action,
ids=ids,
error=get_error(res)))
return COMMAND_SUCCESS.format(action=f'{action}ed', ids=ids)
def main() -> None:
try:
dbotscore = demisto.incidents()[0].get('CustomFields').get(
'chronicledbotscore', 0)
html = get_html_representation(dbotscore)
demisto.results({
"Type": 1,
"ContentsFormat": formats["html"],
"Contents": html
})
except Exception as e:
demisto.error(traceback.format_exc())
return_error(f'Could not load widget:\n{e}')
def main():
incident = demisto.incidents()
query = incident[0].get('CustomFields', {}).get('healthchecktotaloutdatedpacks', 0)
if not query:
html = f"<h1 style={GREEN_HTML_STYLE}0</h1>"
else:
html = f"<h1 style={ORANGE_HTML_STYLE}{str(query)}</h1>"
demisto.results({
'ContentsFormat': formats['html'],
'Type': entryTypes['note'],
'Contents': html
})
def fetch_incidents():
last_run = demisto.getLastRun()
# Get the last fetch time, if exists
last_fetch = last_run.get('timestamp')
# Handle first time fetch, fetch incidents retroactively
# OR
# Handle first time after release
if last_fetch is None:
time_field = last_run.get('time')
if time_field:
last_fetch = date_to_timestamp(time_field, parse_time(time_field))
else:
last_fetch, _ = parse_date_range(FETCH_TIME, to_timestamp=True)
incidents = []
limit = dict_value_to_int(demisto.params(), 'fetch_limit')
items = search_alarms(start_time=last_fetch, direction='asc', limit=limit)
for item in items:
incident = item_to_incident(item)
incidents.append(incident)
if incidents:
# updating according to latest incident
time_str = str(incidents[-1].get('occurred'))
# add one second to last incident occurred time to avoid duplications
occurred = datetime.strptime(time_str, '%Y-%m-%dT%H:%M:%S.%fZ')
occurred = occurred + timedelta(seconds=1)
time_str = occurred.strftime("%Y-%m-%dT%H:%M:%S.000Z")
last_fetch = str(
date_to_timestamp(time_str, date_format=parse_time(time_str)))
demisto.setLastRun({'timestamp': last_fetch})
demisto.incidents(incidents)
def get_current_table(grid_id: str) -> List[Dict[Any, Any]]:
""" Get current Data from the grid
Args:
grid_id: Grid ID to retrieve data from.
Returns:
list: Exsiting grid data.
"""
current_table: Optional[List[dict]] = demisto.incidents()[0].get(
"CustomFields", {}).get(grid_id)
if current_table is None:
raise ValueError(f"The grid id isn't valid: {grid_id}")
return pd.DataFrame(current_table)
def main() -> None:
"""main function, parses params and runs command functions
:return:
:rtype:
"""
demisto.debug(f'Command being called is {demisto.command()}')
try:
client = Client(demisto)
if demisto.command() == 'fetch-incidents':
str_first_fetch_violation = demisto.params().get('first_fetch', 1)
str_max_results = demisto.params().get('max_fetch', 10)
next_run_violation, incidents = fetch_incidents(
client=client,
last_run_violation=demisto.getLastRun(),
str_first_fetch_violation=str_first_fetch_violation,
str_max_results=str_max_results)
demisto.setLastRun(next_run_violation)
demisto.incidents(incidents)
elif demisto.command() == "test-module":
result = test_module(client)
return_results(result)
else:
return_results(
Command.run(demisto.command(), client, demisto.args()))
except Exception as e:
demisto.error(traceback.format_exc()) # print the traceback
return_error(
f'Failed to execute {demisto.command()} command.\nError:\n{str(e)}'
)
def main():
incident = demisto.incidents()
query = incident[0].get('CustomFields', {}).get('numberofentriesiderrors', 0)
if not query:
html = f"<h1 style={GREEN_HTML_STYLE}0</h1>"
else:
html = f"<h1 style={RED_HTML_STYLE}{str(query)}</h1>"
demisto.results({
'ContentsFormat': formats['html'],
'Type': entryTypes['note'],
'Contents': html
})
def fetch_incidents():
try:
client = aws_session()
incidents = []
response = client.list_detectors()
detector = response['DetectorIds']
list_findings = client.list_findings(
DetectorId=detector[0],
FindingCriteria={
'Criterion': {
'service.archived': {
'Eq': ['false', 'false']
},
'severity': {
'Gt': gd_severity_mapping(AWS_GD_SEVERITY)
}
}
})
get_findings = client.get_findings(
DetectorId=detector[0], FindingIds=list_findings['FindingIds'])
for finding in get_findings['Findings']:
incident = parse_incident_from_finding(finding)
incidents.append(incident)
# Create demisto incidents
demisto.incidents(incidents)
if incidents is not None:
# Archive findings
client.archive_findings(DetectorId=detector[0],
FindingIds=list_findings['FindingIds'])
except Exception as e:
return raise_error(e)
def get_campaign_incidents():
"""
Get the campaign incidents form the incident's context
:rtype: ``list``
:return: list of campaign incidents
"""
incident_id = demisto.incidents()[0]['id']
res = demisto.executeCommand('getContext', {'id': incident_id})
if isError(res):
return_error(
f'Error occurred while trying to get the incident context: {get_error(res)}'
)
return demisto.get(res[0], 'Contents.context.EmailCampaign.incidents')
def main():
incident = demisto.incidents()
query = incident[0].get('CustomFields', {}).get('totalindicatorcount', 0)
if not query:
html = f"<div style={GREEN_HTML_STYLE}{0}</div>"
elif int(query) == 0:
html = f"<div style={GREEN_HTML_STYLE}{str(query)}</div>"
else:
html = f"<div style={GREEN_HTML_STYLE}{str(query)}</div>"
demisto.results({
'ContentsFormat': formats['html'],
'Type': entryTypes['note'],
'Contents': html
})
def fetch_incidents():
"""
Generates and fetches phishing email-like incidents
Generates phishing email-like incidents, with the number of incidents, the
speed of generation and the recurring time period all set by the values
entered in the integration instance parameters. This method operates
under the assumption that fetch-incidents is called once per minute.
returns:
Email-like incidents
"""
try:
update_parameters()
if not FREQUENCY: # Run once
last_run = 0 if not demisto.getLastRun() else demisto.getLastRun().get('numOfIncidentsCreated', 0)
num_of_incidents_created, incidents = generate_incidents(last_run)
demisto.incidents(incidents)
demisto.setLastRun({'numOfIncidentsCreated': last_run + num_of_incidents_created})
return
else:
minutes_of_generation = MAX_NUM_OF_INCIDENTS / float(INCIDENTS_PER_MINUTE)
if minutes_of_generation > FREQUENCY:
err_msg = 'The maximum number of incidents divided by the incidents to generate per minute'
err_msg += ' exceeds every how often incidents should be generated. Please increase the value'
err_msg += ' entered for how often the integration should generate incidents.'
raise Exception(err_msg)
run_counter = 0 if not demisto.getLastRun() else demisto.getLastRun().get('run_count', 0)
last_run = 0 if not demisto.getLastRun() else demisto.getLastRun().get('numOfIncidentsCreated', 0)
should_run = run_counter % FREQUENCY
if should_run < math.ceil(minutes_of_generation): # then should run
if should_run == 0:
last_run = 0
num_of_incidents_created, incidents = generate_incidents(last_run)
demisto.incidents(incidents)
total_incidents_created = last_run + num_of_incidents_created
updated_run_count = run_counter + 1
demisto.setLastRun({
'numOfIncidentsCreated': total_incidents_created,
'run_count': updated_run_count
})
return
else:
updated_run_count = run_counter + 1
demisto.setLastRun({
'numOfIncidentsCreated': last_run,
'run_count': updated_run_count
})
demisto.incidents([])
except Exception:
raise
def main():
incident = demisto.incidents()[0]
account_name = incident.get('account')
account_name = f'acc_{account_name}/' if account_name != "" else ""
res = execute_command('demisto-api-get',
{'uri': f'{account_name}health/containers'})
containers = res['response']
return CommandResults(
readable_output=tableToMarkdown('Containers Status', [containers],
headers=['all', 'inactive',
'running']),
outputs_prefix='containers',
outputs=[containers],
raw_response=containers,
)
def get_current_table(grid_id: str) -> List[Dict[Any, Any]]:
""" Get current Data from the grid
Args:
grid_id: Grid ID to retrieve data from.
Returns:
list: Existing grid data.
"""
current_table: Optional[List[dict]] = demisto.incidents()[0].get("CustomFields", {}).get(grid_id)
if current_table is None:
raise ValueError(f"The following grid id was not found: {grid_id}. Please make sure you entered the correct "
f"incident type with the \"Machine name\" as it appears in the incident field editor in "
f"Settings->Advanced ->Fields (Incident). Also make sure that this value appears in the "
f"incident Context Data under incident - if not then please consult with support.")
return pd.DataFrame(current_table)
def isAdminAPIInstance():
isAdminExist = False
incident = demisto.incidents()[0]
accountName = incident.get('account')
accountName = f"acc_{accountName}" if accountName != "" else ""
res = demisto.executeCommand("demisto-api-post", {
"uri": f"{accountName}/user/preferences",
"body": {
"size": 500
},
})
for module in res:
if module['Contents']['response']['id'] == 'admin':
isAdminExist = True
return isAdminExist
def main():
global EMAIL_BODY_FIELD, EMAIL_SUBJECT_FIELD, EMAIL_HTML_FIELD, FROM_FIELD, MIN_TEXT_LENGTH, FROM_POLICY
input_args = demisto.args()
EMAIL_BODY_FIELD = input_args.get('emailBody', EMAIL_BODY_FIELD)
EMAIL_SUBJECT_FIELD = input_args.get('emailSubject', EMAIL_SUBJECT_FIELD)
EMAIL_HTML_FIELD = input_args.get('emailBodyHTML', EMAIL_HTML_FIELD)
FROM_FIELD = input_args.get('emailFrom', FROM_FIELD)
FROM_POLICY = input_args.get('fromPolicy', FROM_POLICY)
new_incident = demisto.incidents()[0]
existing_incidents = get_existing_incidents(
input_args, new_incident.get('type', IGNORE_INCIDENT_TYPE_VALUE))
demisto.debug('found {} incidents by query'.format(
len(existing_incidents)))
if len(existing_incidents) == 0:
create_new_incident()
return
if not incident_has_text_fields(new_incident):
create_new_incident_no_text_fields()
return
new_incident_df = preprocess_incidents_df([new_incident])
if len(new_incident_df
) == 0: # len(new_incident_df)==0 means new incident is too short
create_new_incident_too_short()
return
existing_incidents_df = preprocess_incidents_df(existing_incidents)
existing_incidents_df = filter_out_same_incident(existing_incidents_df,
new_incident)
existing_incidents_df = filter_newer_incidents(existing_incidents_df,
new_incident)
if len(existing_incidents_df) == 0:
create_new_incident()
return
new_incident_preprocessed = new_incident_df.iloc[0].to_dict()
duplicate_incident_row, similarity = find_duplicate_incidents(
new_incident_preprocessed, existing_incidents_df)
if duplicate_incident_row is None:
create_new_incident()
return
if similarity < SIMILARITY_THRESHOLD:
create_new_incident_low_similarity(duplicate_incident_row, similarity)
else:
return close_new_incident_and_link_to_existing(new_incident_df.iloc[0],
duplicate_incident_row,
similarity)
def get_campaign_incident_ids(context_path):
"""
Collect the campaign incidents ids form the context
:rtype: ``list``
:return: list of campaign incident ids if exist, None otherwise
"""
incident_id = demisto.incidents()[0]['id']
res = demisto.executeCommand('getContext', {'id': incident_id})
if isError(res):
return_error(f'Error occurred while trying to get the incident context: {get_error(res)}')
incidents = demisto.get(res[0], context_path)
if incidents:
ids = [str(incident.get('id')) for incident in incidents]
ids.sort(key=lambda val: int(val))
return ids
return None
def main():
incident = demisto.incidents()[0]
custom_fields = incident.get('CustomFields')
linked_incident = custom_fields.get('similarincident')
if linked_incident:
main_integration_grid, main_incident_grid = create_grids(
custom_fields, linked_incident)
demisto.executeCommand(
"setIncident",
{'customFields': {
'integrationstestgrid': main_integration_grid
}})
demisto.executeCommand(
"setIncident",
{'customFields': {
'playbooktaskserrors': main_incident_grid
}})
def main():
try:
incident = demisto.incidents()[0]
custom_fields = incident.get('CustomFields', {})
emailto = custom_fields.get('campaignemailto')
subject = custom_fields.get('campaignemailsubject')
email_body = custom_fields.get('campaignemailbody')
if not emailto:
return_error(INVALID_EMAIL_TO_MSG)
demisto.executeCommand("send-mail", {
"to": emailto,
"subject": subject,
"body": email_body
})
except Exception as ex:
return_error(
f'Failed to execute SendEmailToCampaignRecipients. Error: {str(ex)}'
)
def load_current_incident(incident_id: str, populate_fields: List[str], from_date: str, to_date: str):
"""
Load current incident if incident_id given or load current incident investigated
:param incident_id: incident_id
:param populate_fields: populate_fields
:param from_date: from_date
:param to_date: to_date
:return:
"""
if not incident_id:
incident = demisto.incidents()[0]
cf = incident.pop('CustomFields', {}) or {}
incident.update(cf)
incident = {k: v for k, v in incident.items() if k in populate_fields}
incident_id = incident['id']
else:
incident = get_incident_by_id(incident_id, populate_fields, from_date, to_date)
if not incident:
return None, incident_id
return incident, incident_id
def fetch_incidents():
query_params = {}
incidents = []
if FETCH_TIME:
fetch_time = FETCH_TIME
else:
fetch_time = DEFAULTS['fetch_time']
last_run = demisto.getLastRun()
if 'time' not in last_run:
snow_time, _ = parse_date_range(fetch_time, '%Y-%m-%d %H:%M:%S')
else:
snow_time = last_run['time']
query = ''
if SYSPARM_QUERY:
query += SYSPARM_QUERY + '^'
query += 'ORDERBY{0}^{0}>{1}'.format(TIMESTAMP_FIELD, snow_time)
if query:
query_params['sysparm_query'] = query
query_params['sysparm_limit'] = SYSPARM_LIMIT
path = 'table/' + TICKET_TYPE
res = send_request(path, 'get', params=query_params)
count = 0
parsed_snow_time = datetime.strptime(snow_time, '%Y-%m-%d %H:%M:%S')
for result in res.get('result', []):
labels = []
if TIMESTAMP_FIELD not in result:
raise ValueError("The timestamp field [{}]"
" does not exist in the ticket".format(TIMESTAMP_FIELD))
if count > SYSPARM_LIMIT:
break
try:
if datetime.strptime(result[TIMESTAMP_FIELD], '%Y-%m-%d %H:%M:%S') < parsed_snow_time:
continue
except Exception:
pass
for k, v in result.iteritems():
if isinstance(v, basestring):
labels.append({
'type': k,
'value': v
})
else:
labels.append({
'type': k,
'value': json.dumps(v)
})
severity = SEVERITY_MAP.get(result.get('severity', ''), 0)
file_names = []
if GET_ATTACHMENTS:
file_entries = get_ticket_attachment_entries(result['sys_id'])
for file_result in file_entries:
if file_result['Type'] == entryTypes['error']:
raise Exception('Error getting attachment: ' + str(file_result['Contents']))
file_names.append({
'path': file_result['FileID'],
'name': file_result['File']
})
incidents.append({
'name': 'ServiceNow Incident ' + result.get('number'),
'labels': labels,
'details': json.dumps(result),
'severity': severity,
'attachment': file_names,
'rawJSON': json.dumps(result)
})
count += 1
snow_time = result[TIMESTAMP_FIELD]
demisto.incidents(incidents)
demisto.setLastRun({'time': snow_time})
def save_incidents(objects_to_save):
final_incidents = []
for obj in objects_to_save:
final_incidents.append(object_to_incident(obj))
demisto.incidents(final_incidents)
return
