def get_all_user_profiles(): query = 'type:\"User Profile\"' employee_id_to_user_profile = {} email_to_user_profile = {} def handle_batch(user_profiles): for user_profile in user_profiles: user_profile = user_profile.get('CustomFields', {}) employee_id = user_profile.get('employeeid') email = user_profile.get('email') employee_id_to_user_profile[employee_id] = user_profile email_to_user_profile[email] = user_profile query_result = demisto.searchIndicators(query=query, size=BATCH_SIZE) handle_batch(query_result.get('iocs', [])) while query_result.get('searchAfter') is not None: query_result = demisto.searchIndicators( query=query, size=BATCH_SIZE, searchAfter=query_result.get('searchAfter')) handle_batch(query_result.get('iocs', [])) return employee_id_to_user_profile, email_to_user_profile
def find_indicators_with_limit_loop(indicator_query: str, limit: int, total_fetched: int = 0, next_page: int = 0, last_found_len: int = PAGE_SIZE): """ Finds indicators using while loop with demisto.searchIndicators, and returns result and last page """ iocs: List[dict] = [] if not last_found_len: last_found_len = total_fetched while last_found_len == PAGE_SIZE and limit and total_fetched < limit: fetched_iocs = demisto.searchIndicators(query=indicator_query, page=next_page, size=PAGE_SIZE).get('iocs') iocs.extend(fetched_iocs) last_found_len = len(fetched_iocs) total_fetched += last_found_len next_page += 1 return iocs, next_page
def get_indicators(indicators: str) -> List: if indicators: iocs: list = [] not_found = [] for indicator in indicators.split(','): data = demisto.searchIndicators(value=indicator).get('iocs') if data: iocs.extend(data) else: not_found.append(indicator) if not_found: return_warning('The following indicators were not found: {}'.format(', '.join(not_found))) else: return iocs return []
def cyren_feed_relationship(args) -> CommandResults: if "indicator" not in args: raise ValueError("Please provide 'indicator' argument!") indicator = args["indicator"] relationships = indicator.get("CustomFields", {}).get( "cyrenfeedrelationships", []) or [] content = [] for item in relationships: ioc_value = item.get("value", "") results = demisto.searchIndicators(value=ioc_value).get("iocs", []) if results: result = results[0] ioc_score = result.get("score") ioc_id = result.get("id") content.append( create_relationship_object( value=f"[{ioc_value}](#/indicator/{ioc_id})" if ioc_value else "", relationship_type=item.get("relationshiptype"), indicator_type=item.get("indicatortype"), timestamp=item.get("timestamp"), entity_category=item.get("entitycategory"), reputation=ioc_score, )) else: # In case that no related indicators were found, return the table without the link. content.append( create_relationship_object( value=ioc_value, relationship_type=item.get("relationshiptype"), indicator_type=item.get("indicatortype"), timestamp=item.get("timestamp"), entity_category=item.get("entitycategory"), )) headers = [ "Indicator Type", "Value", "Reputation", "Relationship Type", "Entity Category", "Timestamp UTC" ] output = tableToMarkdown("", content, headers, removeNull=True) return CommandResults(readable_output=output)
def get_feeds_for_incident(incident_id: int) -> set: """ Retrieves a list feeds based on indicators that appear in a given incident. :param incident_id: int Incident ID to query by. :return: set List of feeds that have indicators in the given incident. """ indicator_query = f'sourceBrands:*Feed* and incident.id:{incident_id}' fetched_iocs = demisto.searchIndicators(query=indicator_query).get('iocs') feeds = set() for indicator in fetched_iocs: source_brands = indicator.get('sourceBrands') for brand in source_brands: if 'Feed' in brand: feeds.add(brand) return feeds
def find_indicators_to_limit_loop(indicator_query: str, limit: int, total_fetched: int = 0, next_page: int = 0, last_found_len: int = None): """ Finds indicators using while loop with demisto.searchIndicators, and returns result and last page Parameters: indicator_query (str): Query that determines which indicators to include in the EDL (Cortex XSOAR indicator query syntax) limit (int): The maximum number of indicators to include in the EDL total_fetched (int): The amount of indicators already fetched next_page (int): The page we are up to in the loop last_found_len (int): The amount of indicators found in the last fetch Returns: (tuple): The iocs and the last page """ iocs: List[dict] = [] if last_found_len is None: last_found_len = PAGE_SIZE if not last_found_len: last_found_len = total_fetched # last_found_len should be PAGE_SIZE (or PAGE_SIZE - 1, as observed for some users) for full pages while last_found_len in (PAGE_SIZE, PAGE_SIZE - 1) and limit and total_fetched < limit: fetched_iocs = demisto.searchIndicators(query=indicator_query, page=next_page, size=PAGE_SIZE).get('iocs') # In case the result from searchIndicators includes the key `iocs` but it's value is None fetched_iocs = fetched_iocs or [] # save only the value and type of each indicator iocs.extend({ 'value': ioc.get('value'), 'indicator_type': ioc.get('indicator_type') } for ioc in fetched_iocs) last_found_len = len(fetched_iocs) total_fetched += last_found_len next_page += 1 return iocs, next_page
def find_indicators_loop(indicator_query: str): """ Find indicators in a loop according to a query. Args: indicator_query: The indicator query. Returns: Indicator query results from Demisto. """ iocs: List[dict] = [] total_fetched = 0 next_page = 0 last_found_len = PAGE_SIZE while last_found_len == PAGE_SIZE: fetched_iocs = demisto.searchIndicators(query=indicator_query, page=next_page, size=PAGE_SIZE).get('iocs') iocs.extend(fetched_iocs) last_found_len = len(fetched_iocs) total_fetched += last_found_len next_page += 1 return iocs
def feed_related_indicator(args) -> CommandResults: indicator = args['indicator'] feed_related_indicators = indicator.get('CustomFields', {}).get('feedrelatedindicators', []) ioc = list(filter(lambda x: x.get('value'), feed_related_indicators)) ioc_value = ioc[0].get('value') if ioc else '' content = [] results = demisto.searchIndicators(value=ioc_value).get('iocs', []) urls = demisto.demistoUrls() server_url = urls.get('server', '') if results: ioc_id = results[0].get('id') for item in feed_related_indicators: content.append({ 'Value': f"[{item.get('value')}]({server_url}/#/indicator/{ioc_id})" if item.get('value') else '', 'Type': item.get('type'), 'Description': f"[{item.get('description')}]({item.get('description')})\n\n" }) else: # In case that no related indicators were found, return the table without the link. for item in feed_related_indicators: content.append({ 'Value': item.get('value', ''), 'Type': item.get('type'), 'Description': f"[{item.get('description')}]({item.get('description')})\n\n" }) output = tableToMarkdown('', content, ['Type', 'Value', 'Description'], removeNull=True) return CommandResults(readable_output=output)
def get_indicators_list(indicator_query, limit, page): """ Get Demisto indicators list using demisto.searchIndicators Args: indicator_query (str): The query demisto.searchIndicators use to find indicators limit (int): The amount of indicators the user want to add to reference set page (int): Page's number the user would like to start from Returns: list, list: List of indicators values and a list with all indicators data """ indicators_values_list = [] indicators_data_list = [] fetched_iocs = demisto.searchIndicators(query=indicator_query, page=page, size=limit).get('iocs') for indicator in fetched_iocs: indicators_values_list.append(indicator['value']) indicators_data_list.append({ 'Value': indicator['value'], 'Type': indicator['indicator_type'] }) return indicators_values_list, indicators_data_list
def get_indicator_xdr_score(indicator: str, xdr_server: int): """ the goal is to avoid reliability changes. for example if some feed with reliability 'C' give as the indicator 88.88.88.88 with score 1 (good) we dont wont that xdr will also return with 1 and reliability 'A' so the score will be 0 (unknown). and we will update only on a case that someone really changed th indicator in xdr. :param indicator: the indicator (e.g. 88.88.88.88) :param xdr_server: the score in xdr (e.g. GOOD, BAD ...) :return: the current score (0 - 3) """ xdr_local: int = 0 score = 0 if indicator: ioc = demisto.searchIndicators(value=indicator).get('iocs') if ioc: ioc = ioc[0] score = ioc.get('score', 0) temp: Dict = next(filter(is_xdr_data, ioc.get('moduleToFeedMap', {}).values()), {}) xdr_local = temp.get('score', 0) if xdr_server != score: return xdr_server else: return xdr_local
def get_iocs(page=0, size=200, query=None) -> List: return demisto.searchIndicators(query=query if query else Client.query, page=page, size=size).get('iocs', [])
def get_iocs_size(query=None) -> int: return demisto.searchIndicators(query=query if query else Client.query, page=0, size=1).get('total', 0)
import demistomock as demisto from CommonServerPython import * res = demisto.searchIndicators(query='type:"MITRE ATT&CK" and investigationsCount:>0') indicators = [] for ind in res['iocs']: indicators.append({ 'Value': dict_safe_get(ind, ['value']), 'Name': dict_safe_get(ind, ['CustomFields', 'mitrename']), 'Phase Name': dict_safe_get(ind, ['CustomFields', 'mitrekillchainphases', 0, 'phase_name']), 'Description': dict_safe_get(ind, ['CustomFields', 'mitredescription']), }) temp = tableToMarkdown('MITRE ATT&CK techniques by open Incidents', indicators, headers=['Value', 'Name', 'Phase Name', 'Description']) return_outputs(temp)