def get_data_breach(self, param): action_result = ActionResult(dict(param)) self._connector.add_action_result(action_result) date_range = param['date_range'] param_reposted_credentials = None if 'reposted_credentials' not in param else param[ 'reposted_credentials'].split(',') param_severities = None if 'severities' not in param else param.get( 'severities').split(',') param_statuses = None if 'statuses' not in param else param.get( 'statuses').split(',') param_user_name = None if 'user_name' not in param else param.get( 'user_name').split(',') try: breach_service = DataBreachService(self._ds_api_key, self._ds_api_secret_key) breach_view = DataBreachService.data_breach_view( published=date_range, reposted_credentials=param_reposted_credentials, severities=param_severities, statuses=param_statuses, username=param_user_name) except Exception as e: error_message = self._handle_exception_object.get_error_message_from_exception( e) return action_result.set_status( phantom.APP_ERROR, "{0} {1}".format(SERVICE_ERR_MSG, error_message)) try: breach_pages = breach_service.find_all_pages(view=breach_view) breach_total = len(breach_pages) except StopIteration: error_message = 'No DataBreach objects retrieved from the Digital Shadows API in page groups' return action_result.set_status( phantom.APP_ERROR, "Error Details: {0}".format(error_message)) except Exception as e: error_message = self._handle_exception_object.get_error_message_from_exception( e) return action_result.set_status( phantom.APP_ERROR, "Error Connecting to server. {}".format(error_message)) if breach_total > 0: summary = { 'data_breach_count': breach_total, 'data_breach_found': True } action_result.update_summary(summary) for breach_page in breach_pages: for breach in breach_page: action_result.add_data(breach.payload) action_result.set_status(phantom.APP_SUCCESS, DS_GET_BREACH_SUCCESS) else: summary = {'data_breach_count': 0, 'data_breach_found': False} action_result.update_summary(summary) action_result.set_status(phantom.APP_SUCCESS, DS_GET_BREACH_NOT_FOUND) return action_result.get_status()
def lookup_username(self, param): action_result = ActionResult(dict(param)) self._connector.add_action_result(action_result) username_to_lookup = param.get('username') username_service = DataBreachUsernameService(self._ds_api_key, self._ds_api_secret_key) view = username_service.data_breach_username_view( username=username_to_lookup) found_username = next( (data_breach_username for data_breach_username in username_service.find_all(view=view) if data_breach_username.username == username_to_lookup), None) if found_username is not None: summary, data = self._lookup_success(username_to_lookup, found_username) action_result.update_summary(summary) action_result.add_data(data) action_result.set_status(phantom.APP_SUCCESS, DS_LOOKUP_USERNAME_SUCCESS) else: summary, data = self._lookup_failure(username_to_lookup) action_result.update_summary(summary) action_result.add_data(data) action_result.set_status(phantom.APP_SUCCESS, DS_LOOKUP_USERNAME_NOT_FOUND) return action_result.get_status()
def get_intel_incident_ioc_by_id(self, param): action_result = ActionResult(dict(param)) self._connector.add_action_result(action_result) param_types = None if 'types' not in param else param.get( 'types').split(',') try: intelligence_incident_service = IntelligenceIncidentService( self._ds_api_key, self._ds_api_secret_key) intelligence_incident_view = IntelligenceIncidentService.intelligence_incident_ioc_view( types=param_types) except Exception as e: error_message = self._handle_exception_object.get_error_message_from_exception( e) return action_result.set_status( phantom.APP_ERROR, "{0} {1}".format(SERVICE_ERR_MSG, error_message)) intel_incident_id = param['intel_incident_id'] # validate 'intel_incident_id' action parameter ret_val, intel_incident_id = self._handle_exception_object.validate_integer( action_result, intel_incident_id, INTEL_INCIDENT_ID_KEY) if phantom.is_fail(ret_val): return action_result.get_status() try: intelligence_incident_ioc_pages = intelligence_incident_service.find_intel_incident_ioc_by_id( intel_incident_id=intel_incident_id, view=intelligence_incident_view) intelligence_incident_ioc_total = len( intelligence_incident_ioc_pages) self._connector.save_progress( "II IoC Total: {}".format(intelligence_incident_ioc_total)) except StopIteration: error_message = 'No Incident review objects retrieved from the Digital Shadows API' return action_result.set_status( phantom.APP_ERROR, "Error Details: {0}".format(error_message)) except Exception as e: error_message = self._handle_exception_object.get_error_message_from_exception( e) return action_result.set_status( phantom.APP_ERROR, "Error Connecting to server. {}".format(error_message)) if intelligence_incident_ioc_total > 0: summary = { 'intelligence_incident_ioc_count': intelligence_incident_ioc_total, 'intelligence_incident_ioc_found': True } action_result.update_summary(summary) for intelligence_incident_ioc_page in intelligence_incident_ioc_pages: for intelligence_incident_ioc in intelligence_incident_ioc_page: self._connector.save_progress("loop id: {}".format( intelligence_incident_ioc.payload)) action_result.add_data(intelligence_incident_ioc.payload) action_result.set_status(phantom.APP_SUCCESS, DS_GET_INTELLIGENCE_INCIDENT_SUCCESS) return action_result.get_status()
def post_incident_review(self, param): action_result = ActionResult(dict(param)) self._connector.add_action_result(action_result) try: incident_service = IncidentService(self._ds_api_key, self._ds_api_secret_key) except Exception as e: error_message = self._handle_exception_object.get_error_message_from_exception( e) return action_result.set_status( phantom.APP_ERROR, "{0} {1}".format(SERVICE_ERR_MSG, error_message)) incident_id = param.get('incident_id') # validate 'incident_id' action parameter ret_val, incident_id = self._handle_exception_object.validate_integer( action_result, incident_id, INCIDENT_ID_KEY) if phantom.is_fail(ret_val): return action_result.get_status() post_data = { 'note': param.get('review_note'), 'status': param.get('review_status') } self._connector.save_progress("post_data: {}".format(post_data)) try: response = incident_service.post_incident_review( post_data, incident_id=incident_id) except Exception as e: error_message = self._handle_exception_object.get_error_message_from_exception( e) return action_result.set_status( phantom.APP_ERROR, "Error Connecting to server. {0}".format(error_message)) self._connector.save_progress("response: {}".format(response)) try: summary = { 'incident_reviews_status_code': response['status'], 'incident_reviews_message': response['message'] } action_result.update_summary(summary) action_result.add_data(response['content'][0]) if response['message'] == "SUCCESS": action_result.set_status( phantom.APP_SUCCESS, "Digital Shadows Incident review posted successfully") else: action_result.set_status( phantom.APP_SUCCESS, "Error in incident review post request") except Exception as e: error_message = self._handle_exception_object.get_error_message_from_exception( e) return action_result.set_status( phantom.APP_ERROR, "Error occurred while fetching data from response. {}".format( error_message)) return action_result.get_status()
def get_data_breach_record_by_id(self, param): action_result = ActionResult(dict(param)) self._connector.add_action_result(action_result) try: breach_record_service = DataBreachRecordService( self._ds_api_key, self._ds_api_secret_key) except Exception as e: error_message = self._handle_exception_object.get_error_message_from_exception( e) return action_result.set_status( phantom.APP_ERROR, "{0} {1}".format(SERVICE_ERR_MSG, error_message)) breach_id = param['breach_id'] # validate 'breach_id' action parameter ret_val, breach_id = self._handle_exception_object.validate_integer( action_result, breach_id, BREACH_ID_KEY) if phantom.is_fail(ret_val): return action_result.get_status() try: breach_record_pages = breach_record_service.find_all_pages( breach_id) breach_record_total = len(breach_record_pages) except StopIteration: error_message = 'No data breach record retrieved from the Digital Shadows API in page groups' return action_result.set_status( phantom.APP_ERROR, "Error Details: {0}".format(error_message)) except Exception as e: error_message = self._handle_exception_object.get_error_message_from_exception( e) return action_result.set_status( phantom.APP_ERROR, "Error Connecting to server. {}".format(error_message)) if breach_record_total > 0: summary = { 'data_breach_record_count': breach_record_total, 'data_breach_record_found': True } action_result.update_summary(summary) for breach_record_page in breach_record_pages: for breach_record in breach_record_page: action_result.add_data(breach_record.payload) action_result.set_status( phantom.APP_SUCCESS, "Digital Shadows data breach records fetched") else: summary = { 'data_breach_record_count': 0, 'data_breach_record_found': False } action_result.update_summary(summary) action_result.set_status( phantom.APP_SUCCESS, "Data breach record not found in Digital Shadows") return action_result.get_status()
def _list_policies(self, param): action_result = ActionResult(dict(param)) self.add_action_result(action_result) # gets the full information for the Nessus policies ret_val, list_policies = self._make_rest_call('policies/', action_result) if (phantom.is_fail(ret_val)): return action_result.get_status() policies = list_policies.get('policies', []) if (type(policies) != list): policies = [policies] policy_counter = 0 for curr_item in policies: action_result.add_data(curr_item) if curr_item.get("id"): policy_counter = policy_counter + 1 # creates an empty list to add the summary elements to summary = action_result.update_summary({}) summary['policy_count'] = policy_counter action_result.set_status(phantom.APP_SUCCESS) return action_result.get_status()
def get_infrastructure_ip_ports(self, param): action_result = ActionResult(dict(param)) self._connector.add_action_result(action_result) infrastructure_service = InfrastructureService(self._ds_api_key, self._ds_api_secret_key) infrastructure_view = InfrastructureService.infrastructure_view() infrastructure_pages = infrastructure_service.find_all_pages( view=infrastructure_view) infrastructure_total = len(infrastructure_pages) if infrastructure_total > 0: summary = { 'infrastructure_count': infrastructure_total, 'infrastructure_found': True } action_result.update_summary(summary) for infrastructure_page in infrastructure_pages: for infrastructure in infrastructure_page: data = { 'id': infrastructure.id, 'ipAddress': infrastructure.ip_address, 'portNumber': str(infrastructure.port_number), 'transport': infrastructure.transport, 'discoveredOpen': infrastructure.discovered_open, 'incident': { 'id': infrastructure.incident_id, 'scope': infrastructure.incident_scope, 'type': infrastructure.incident_type, 'subType': infrastructure.incident_sub_type, 'severity': infrastructure.incident_severity, 'title': infrastructure.incident_title, } } action_result.add_data(data) action_result.set_status(phantom.APP_SUCCESS, DS_GET_INFRASTRUCTURE_SUCCESS) else: summary = { 'infrastructure_count': 0, 'infrastructure_found': False } action_result.update_summary(summary) action_result.set_status(phantom.APP_SUCCESS, DS_GET_INFRASTRUCTURE_NOT_FOUND) return action_result.get_status()
def _whois_object(self, param, json_key): self.debug_print("param", param) # Add an action result to the App Run action_result = ActionResult(dict(param)) self.add_action_result(action_result) input_object = param[json_key] try: self._parsed_whois_domain(input_object, action_result) except Exception as e: self.debug_print(e) try: if not action_result.get_status() == phantom.APP_SUCCESS: self._regular_whois_domain(input_object, action_result) except Exception as e: message = 'Error while querying input_object' action_result.set_status(phantom.APP_ERROR, message, e) return action_result.get_status() if (phantom.is_fail(action_result.get_status())): return action_result.get_status() data = action_result.get_data() if (not data): return action_result.get_status() response = data[0] if response and 'registrant' in response: # get the registrant summary = {'organization': response['registrant']} if 'parsed_whois' in response: contacts = response['parsed_whois'].get('contacts', {}) if type(contacts) == list: registrant = contacts[0] else: registrant = contacts.get('registrant') summary['city'] = registrant.get('city') summary['country'] = registrant.get('country') action_result.update_summary(summary) return action_result.get_status()
def post_breach_record_review(self, param): action_result = ActionResult(dict(param)) self._connector.add_action_result(action_result) try: breach_record_service = DataBreachRecordService( self._ds_api_key, self._ds_api_secret_key) except Exception as e: error_message = self._handle_exception_object.get_error_message_from_exception( e) return action_result.set_status( phantom.APP_ERROR, "{0} {1}".format(SERVICE_ERR_MSG, error_message)) post_data = { 'note': param.get('review_note'), 'status': param.get('review_status') } breach_record_id = param.get('breach_record_id') # validate 'breach_record_id' action parameter ret_val, breach_record_id = self._handle_exception_object.validate_integer( action_result, breach_record_id, BREACH_RECORD_ID_KEY) if phantom.is_fail(ret_val): return action_result.get_status() try: response = breach_record_service.post_data_breach_record_review( post_data, breach_record_id=breach_record_id) except Exception as e: error_message = self._handle_exception_object.get_error_message_from_exception( e) return action_result.set_status( phantom.APP_ERROR, "Error Connecting to server. {0}".format(error_message)) summary = { 'breach_record_reviews_status_code': response['status'], 'breach_record_reviews_message': response['message'] } action_result.update_summary(summary) if response['message'] == "SUCCESS": action_result.set_status( phantom.APP_SUCCESS, "Digital Shadows breach record review posted successfully") else: action_result.set_status( phantom.APP_SUCCESS, "Error in breach record review post request")
def listStaticBlackHoledIPs(self, param): """ """ action_result = ActionResult( dict(param)) # Add an action result to the App Run self.add_action_result(action_result) config = self.get_config() self.debug_print(config) try: self.username = config["username"] self.password = config["password"] self.device = config["trigger_host"] self.next_hop_IP = config['route_to_null'] except KeyError: self.debug_print("Error: {0}".format(KeyError)) self.debug_print("Device: {0}, User: {1}, Password: {2}".format( self.device, self.username, self.password)) # Get the current list of static routes from the Target Host route_list = self._get_StaticBlackHoledIPs(self.username, self.password, self.device, self.next_hop_IP) self.debug_print( "listStaticBlackHoledIP's result RAW: {0}".format(route_list)) # Even if the query was successfull the data might not be available if len(route_list) == 0: return action_result.set_status( phantom.APP_ERROR, 'CISCO_CSR_ERR_QUERY_RETURNED_NO_DATA') else: for dest in route_list: action_result.add_data({'blackholed-network': dest}) summary = "Query returned %s routes" % len(route_list) action_result.update_summary({'message': summary}) self.set_status_save_progress(phantom.APP_SUCCESS, summary) #action_result.set_status(phantom.APP_SUCCESS) return action_result.get_status()
def get_incident_review_by_id(self, param): action_result = ActionResult(dict(param)) self._connector.add_action_result(action_result) incident_id = param['incident_id'] # validate 'incident_id' action parameter ret_val, incident_id = self._handle_exception_object.validate_integer( action_result, incident_id, INCIDENT_ID_KEY) if phantom.is_fail(ret_val): return action_result.get_status() try: incident_service = IncidentService(self._ds_api_key, self._ds_api_secret_key) except Exception as e: error_message = self._handle_exception_object.get_error_message_from_exception( e) return action_result.set_status( phantom.APP_ERROR, "{0} {1}".format(SERVICE_ERR_MSG, error_message)) try: incident_reviews = incident_service.find_all_reviews(incident_id) incident_reviews_total = len(incident_reviews) except Exception as e: error_message = self._handle_exception_object.get_error_message_from_exception( e) return action_result.set_status( phantom.APP_ERROR, "Error Connecting to server. {0}".format(error_message)) if incident_reviews_total > 0: summary = { 'incident_reviews_count': incident_reviews_total, 'incident_reviews_found': True } action_result.update_summary(summary) for incident_review in incident_reviews: action_result.add_data(incident_review) action_result.set_status( phantom.APP_SUCCESS, "Digital Shadows incident reviews fetched for the Incident ID: {}" .format(incident_id)) return action_result.get_status()
def get_data_breach_record_reviews(self, param): action_result = ActionResult(dict(param)) self._connector.add_action_result(action_result) try: breach_record_service = DataBreachRecordService( self._ds_api_key, self._ds_api_secret_key) except Exception as e: error_message = self._handle_exception_object.get_error_message_from_exception( e) return action_result.set_status( phantom.APP_ERROR, "{0} {1}".format(SERVICE_ERR_MSG, error_message)) breach_record_id = param['breach_record_id'] # validate 'breach_record_id' action parameter ret_val, breach_record_id = self._handle_exception_object.validate_integer( action_result, breach_record_id, BREACH_RECORD_ID_KEY) if phantom.is_fail(ret_val): return action_result.get_status() try: breach_record_reviews = breach_record_service.find_data_breach_record_reviews( breach_record_id) breach_record_reviews_total = len(breach_record_reviews) except Exception as e: error_message = self._handle_exception_object.get_error_message_from_exception( e) return action_result.set_status( phantom.APP_ERROR, "Error Connecting to server. {0}".format(error_message)) if breach_record_reviews_total > 0: summary = { 'breach_record_reviews_count': breach_record_reviews_total, 'breach_record_reviews_found': True } action_result.update_summary(summary) for breach_record_review in breach_record_reviews: action_result.add_data(breach_record_review) action_result.set_status( phantom.APP_SUCCESS, "Digital Shadows breach record reviews fetched for the Breach Record ID: {}" .format(breach_record_id)) return action_result.get_status()
def _handle_get_report(self, param): # type: (Dict[Text, Any]) -> bool submission_id = int(param["submission_id"]) try: timeout = int(param["timeout"]) if timeout < 0: timeout = DEFAULT_TIMEOUT except Exception: timeout = DEFAULT_TIMEOUT status, res = self._get_report(submission_id, timeout) if status == phantom.APP_ERROR: error_msg, exc = res self.set_status(phantom.APP_ERROR, error_msg, exc) return self.get_status() analyses = res["analyses"] reputation_lookup = res["reputation_lookup"] severity = res["severity"] submission_url = res["submission_url"] action_result = ActionResult(dict(param)) self.add_action_result(action_result) for analysis in analyses: action_result.add_data({"analysis": analysis}) if reputation_lookup: action_result.add_data({"reputation_lookup": reputation_lookup[0]}) action_result.update_summary({ "severity": severity, "submission_id": submission_id, "url": submission_url }) action_result.set_status(phantom.APP_SUCCESS) return action_result.get_status()
def get_data_breach_by_id(self, param): action_result = ActionResult(dict(param)) self._connector.add_action_result(action_result) try: breach_service = DataBreachService(self._ds_api_key, self._ds_api_secret_key) except Exception as e: error_message = self._handle_exception_object.get_error_message_from_exception( e) return action_result.set_status( phantom.APP_ERROR, "{0} {1}".format(SERVICE_ERR_MSG, error_message)) breach_id = param['breach_id'] # validate 'breach_id' action parameter ret_val, breach_id = self._handle_exception_object.validate_integer( action_result, breach_id, BREACH_ID_KEY) if phantom.is_fail(ret_val): return action_result.get_status() try: breach = breach_service.find_data_breach_by_id(breach_id) except Exception as e: error_message = self._handle_exception_object.get_error_message_from_exception( e) return action_result.set_status( phantom.APP_ERROR, "Error Connecting to server. {0}".format(error_message)) if 'id' in breach: summary = {'data_breach_count': 1, 'data_breach_found': True} action_result.update_summary(summary) action_result.add_data(breach) action_result.set_status(phantom.APP_SUCCESS, DS_GET_BREACH_SUCCESS) else: summary = {'data_breach_count': 0, 'data_breach_found': False} action_result.update_summary(summary) action_result.set_status(phantom.APP_SUCCESS, DS_GET_BREACH_NOT_FOUND) return action_result.get_status()
def get_incident_by_id(self, param): action_result = ActionResult(dict(param)) self._connector.add_action_result(action_result) try: incident_service = IncidentService(self._ds_api_key, self._ds_api_secret_key) except Exception as e: error_message = self._handle_exception_object.get_error_message_from_exception( e) return action_result.set_status( phantom.APP_ERROR, "{0} {1}".format(SERVICE_ERR_MSG, error_message)) incident_id = param['incident_id'] # validate 'incident_id' action parameter ret_val, incident_id = self._handle_exception_object.validate_integer( action_result, incident_id, INCIDENT_ID_KEY) if phantom.is_fail(ret_val): return action_result.get_status() try: incident = incident_service.find_incident_by_id(incident_id) except Exception as e: error_message = self._handle_exception_object.get_error_message_from_exception( e) return action_result.set_status( phantom.APP_ERROR, "Error Connecting to server. {0}".format(error_message)) if 'id' in incident: summary = {'incident_found': True} action_result.update_summary(summary) action_result.add_data(incident) action_result.set_status(phantom.APP_SUCCESS, DS_GET_INCIDENT_SUCCESS) return action_result.get_status()
def _handle_scan_host(self, param): self.debug_print("param", param) action_result = ActionResult(dict(param)) self.add_action_result(action_result) # target to scan host_to_scan = param[TARGET_TO_SCAN] # lets get the id of the scan policy to use policy_id = param[POLICY_ID] # these are the options needed to create the scan launched. The scan uses the policy id and targets from # Phantom. The UUID does not need to be changed as it comes from the advanced scan template scanOptions = { "uuid": "ab4bacd2-05f6-425c-9d79-3ba3940ad1c24e51e1f403febe40", "settings": { "name": "Scan Launched from Phantom", "enabled": "true", "scanner_id": "1", "policy_id": str(policy_id), "text_targets": str(host_to_scan), "launch_now": "true" } } self.save_progress("Launching scan against " + str(host_to_scan)) ret_val, running_scan_data = self._make_rest_call('scans', action_result, method='post', data=scanOptions) if (phantom.is_fail(ret_val)): return action_result.get_status() # Once the scan has been launched and is running it is assigned an id which is gathered below scan_id = running_scan_data['scan']['id'] completed = " " hosts = [] # this checks every 30 seconds to see if the scan is still running. while completed != "completed": ret_val, scanStatus = self._make_rest_call( 'scans/{0}'.format(str(scan_id)), action_result) if (phantom.is_fail(ret_val)): self.save_progress( "There was an error checking for the status of the scan") return action_result.get_status() completed = scanStatus["info"] if completed['status'] != 'completed': self.send_progress("scan still in progress") time.sleep(30) else: completed = "completed" self.send_progress("scan completed") hosts = scanStatus.get('hosts', []) if (type(hosts) != list): hosts = [hosts] for curr_item in hosts: action_result.add_data(curr_item) if (hosts): scan_final_data = hosts[-1] total = scan_final_data["low"] + scan_final_data[ "medium"] + scan_final_data["high"] + scan_final_data[ "critical"] summary = action_result.update_summary({}) summary['total_vulns'] = total else: return action_result.set_status( phantom.APP_ERROR, "Response is empty. Please check the input parameters.") return action_result.set_status(phantom.APP_SUCCESS)
def search_entities(self, param): action_result = ActionResult(dict(param)) self._connector.add_action_result(action_result) self._connector.save_progress("process started...!!! ") # type = param.get('types').split(',') type = ["CLIENT_INCIDENT", "DATA_BREACH", "AGGREGATE_DATA_BREACH", "INTELLIGENCE", "TECHNICAL_SOURCE", "WEB_SOURCE"] date_range = param.get('date_range') query = param.get('query') """ incident_types = param.get('incident_types') incident_subtypes = param.get('incident_subtypes') incident_severities = param.get('incident_severities') web_page_networks = param.get('web_page_networks') forum_post_networks = param.get('forum_post_networks') marketplace_listing_networks = param.get('marketplace_listing_networks') market_places = param.get('marketplaces') chat_protocols = param.get('chat_protocols') chat_servers = param.get('chat_servers') chat_channels = param.get('chat_channels') threat_level_types = param.get('threat_level_types') web_page_site_categories = param.get('web_page_site_categories') forum_post_site_categories = param.get('forum_post_site_categories') blog_names = param.get('blog_names') date_period = param.get('date_period') start_date = param.get('from') end_date = param.get('until') """ try: search_service = SearchEntitiesService(self._ds_api_key, self._ds_api_secret_key) except Exception as e: error_message = self._handle_exception_object.get_error_message_from_exception(e) return action_result.set_status(phantom.APP_ERROR, "{0} {1}".format(SERVICE_ERR_MSG, error_message)) try: search_view = search_service.search_entity_view(dateRange=date_range, query_string=query, types=type) except Exception as e: error_message = self._handle_exception_object.get_error_message_from_exception(e) return action_result.set_status(phantom.APP_ERROR, "Error Connecting to server. {0}".format(error_message)) """ search_view = search_service.search_entity_view(types=type, dateRange=date_range, incidentTypes=incident_types, incidentSubtypes=incident_subtypes, incidentSeverities=incident_severities, webPageNetworks=web_page_networks, forumPostNetworks=forum_post_networks, marketplaceListingNetworks=marketplace_listing_networks, marketplaces=market_places, chatProtocols=chat_protocols, chatServers=chat_servers, chatChannels=chat_channels, threatLevelTypes=threat_level_types, webPageSiteCategories=web_page_site_categories, forumPostSiteCategories=forum_post_site_categories, blogNames=blog_names, datePeriod=date_period, from_date=start_date, until=end_date, query_string=query) """ self._connector.save_progress("View: {}".format(search_view)) try: search_entity_pages = search_service.find_all_pages(view=search_view) # self._connector.save_progress("entity: " + str(search_entity_pages)) entity_total = len(search_entity_pages) except StopIteration: error_message = 'No Search Entity objects retrieved from the Digital Shadows API in page groups' return action_result.set_status(phantom.APP_ERROR, "Error Details: {0}".format(error_message)) except Exception as e: error_message = self._handle_exception_object.get_error_message_from_exception(e) return action_result.set_status(phantom.APP_ERROR, "Error Connecting to server. {}".format(error_message)) if entity_total > 0: summary = { 'entity_count': entity_total, 'entity_found': True } action_result.update_summary(summary) for entity_page in search_entity_pages: for entity in entity_page: # self._connector.save_progress("entity payload: " + str(entity.payload)) action_result.add_data(entity.payload) action_result.set_status(phantom.APP_SUCCESS, 'String search entities are fetched') else: summary = { 'entity_count': 0, 'entity_found': False } action_result.update_summary(summary) action_result.set_status(phantom.APP_SUCCESS, 'Entities not found for search string') return action_result.get_status()
def _handle_get_info(self, param): # type: (Dict[Text, Any]) -> bool status, api = self._get_api() if api is None: return status self.debug_print("param", param) try: timeout = int(param["timeout"]) if timeout < 0: timeout = DEFAULT_TIMEOUT except Exception: timeout = DEFAULT_TIMEOUT hsh = param["hash"] self.save_progress("Searching %s" % (hsh)) if len(hsh) == 32: res = api.get_sample_by_md5(hsh) elif len(hsh) == 40: res = api.get_sample_by_sha1(hsh) elif len(hsh) == 64: res = api.get_sample_by_sha256(hsh) else: self.set_status(phantom.APP_ERROR, VMRAY_ERR_UNSUPPORTED_HASH) return self.get_status() if len(res) == 0: self.set_status(phantom.APP_ERROR, VMRAY_ERR_SAMPLE_NOT_FOUND) return self.get_status() self.save_progress("Check for finished submissions") has_finished_submission = False seconds_waited = 0 while True: submissions = api.call( "GET", "/rest/submission/sample/%u" % res[0]["sample_id"]) if not submissions: self.set_status(phantom.APP_ERROR, VMRAY_ERR_NO_SUBMISSIONS) return self.get_status() has_finished_submission = any( [sub.get("submission_finished", False) for sub in submissions]) if has_finished_submission or timeout == 0: break elif seconds_waited >= timeout: break else: self.send_progress("No submission finished yet") time_to_wait = min(30, timeout - seconds_waited) seconds_waited += time_to_wait self.send_progress("Waited %d/%d seconds" % (seconds_waited, timeout)) time.sleep(time_to_wait) if not has_finished_submission: self.set_status(phantom.APP_ERROR, VMRAY_ERR_SUBMISSION_NOT_FINISHED) return self.get_status() sample_info = api.get_sample(res[0]["sample_id"]) action_result = ActionResult(dict(param)) self.add_action_result(action_result) action_result.add_data(sample_info) action_result.update_summary({ "score": sample_info["sample_score"], "severity": sample_info["sample_severity"] }) action_result.set_status(phantom.APP_SUCCESS) return action_result.get_status()
def get_intelligence_incident_by_id(self, param): action_result = ActionResult(dict(param)) self._connector.add_action_result(action_result) try: intelligence_incident_service = IntelligenceIncidentService( self._ds_api_key, self._ds_api_secret_key) except Exception as e: error_message = self._handle_exception_object.get_error_message_from_exception( e) return action_result.set_status( phantom.APP_ERROR, "{0} {1}".format(SERVICE_ERR_MSG, error_message)) intel_incident_id = param['intel_incident_id'] # validate 'intel_incident_id' action parameter ret_val, intel_incident_id = self._handle_exception_object.validate_integer( action_result, intel_incident_id, INTEL_INCIDENT_ID_KEY) if phantom.is_fail(ret_val): return action_result.get_status() try: intelligence_incident = intelligence_incident_service.find_intel_incident_by_id( intel_incident_id) except Exception as e: error_message = self._handle_exception_object.get_error_message_from_exception( e) return action_result.set_status( phantom.APP_ERROR, "Error Connecting to server. {0}".format(error_message)) # intelligence_incident_total = len(intelligence_incident_pages) # if intelligence_incident_total > 0: if 'id' in intelligence_incident: summary = { 'intelligence_incident_count': 1, 'intelligence_incident_found': True } action_result.update_summary(summary) action_result.add_data(intelligence_incident) """ for intelligence_incident_page in intelligence_incident_pages: for intelligence_incident in intelligence_incident_page: data = { 'incident_id': intelligence_incident.id, 'type': intelligence_incident.payload['type'], 'severity': intelligence_incident.payload['severity'], 'title': intelligence_incident.payload['title'], 'summary': unidecode(intelligence_incident.payload['summary']), 'published': intelligence_incident.payload['published'], 'modified': intelligence_incident.payload['modified'], 'occurred': intelligence_incident.payload['occurred'], 'verified': intelligence_incident.payload['verified'], 'description': unidecode(intelligence_incident.payload['description']), 'entitysummary': { 'source': intelligence_incident.payload['entitySummary']['source'], 'summarytext': intelligence_incident.payload['entitySummary']['summarytext'] if 'summarytext' in intelligence_incident.payload['entitySummary'] else '', 'domain': intelligence_incident.payload['entitySummary']['domain'], 'sourceDate': intelligence_incident.payload['entitySummary']['sourceDate'], 'type': intelligence_incident.payload['entitySummary']['type'] } } action_result.add_data(data) """ action_result.set_status(phantom.APP_SUCCESS, DS_GET_INTELLIGENCE_INCIDENT_SUCCESS) return action_result.get_status()
def get_intelligence_incident(self, param): action_result = ActionResult(dict(param)) self._connector.add_action_result(action_result) # interval_startdate = date.today() - timedelta(int(param['date_range'])) date_ranges = param.get('date_range') incident_types = [] if param.get('incident_types') is not None: param_incident_types = param.get('incident_types').split(',') for inc_type in param_incident_types: if inc_type == "DATA_LEAKAGE": incident_types.append({ 'type': 'DATA_LEAKAGE', 'subTypes': DS_DL_SUBTYPE }) if inc_type == "BRAND_PROTECTION": incident_types.append({ 'type': 'BRAND_PROTECTION', 'subTypes': DS_BP_SUBTYPE }) if inc_type == "INFRASTRUCTURE": incident_types.append({ 'type': 'INFRASTRUCTURE', 'subTypes': DS_INFR_SUBTYPE }) if inc_type == "PHYSICAL_SECURITY": incident_types.append({ 'type': 'PHYSICAL_SECURITY', 'subTypes': DS_PS_SUBTYPE }) if inc_type == "SOCIAL_MEDIA_COMPLIANCE": incident_types.append({ 'type': 'SOCIAL_MEDIA_COMPLIANCE', 'subTypes': DS_SMC_SUBTYPE }) if inc_type == "CYBER_THREAT": incident_types.append({'type': 'CYBER_THREAT'}) else: param_incident_types = None try: intelligence_incident_service = IntelligenceIncidentService( self._ds_api_key, self._ds_api_secret_key) intelligence_incident_view = IntelligenceIncidentService.intelligence_incidents_view( date_range=date_ranges, date_range_field='published', types=incident_types) except Exception as e: error_message = self._handle_exception_object.get_error_message_from_exception( e) return action_result.set_status( phantom.APP_ERROR, "{0} {1}".format(SERVICE_ERR_MSG, error_message)) try: intelligence_incident_pages = intelligence_incident_service.find_all_pages( view=intelligence_incident_view) intelligence_incident_total = len(intelligence_incident_pages) except StopIteration: error_message = 'No IntelligenceIncident objects retrieved from the Digital Shadows API in page groups' return action_result.set_status( phantom.APP_ERROR, "Error Details: {0}".format(error_message)) except Exception as e: error_message = self._handle_exception_object.get_error_message_from_exception( e) return action_result.set_status( phantom.APP_ERROR, "Error Connecting to server. {}".format(error_message)) if intelligence_incident_total > 0: summary = { 'intelligence_incident_count': intelligence_incident_total, 'intelligence_incident_found': True } action_result.update_summary(summary) for intelligence_incident_page in intelligence_incident_pages: for intelligence_incident in intelligence_incident_page: action_result.add_data(intelligence_incident.payload) action_result.set_status(phantom.APP_SUCCESS, DS_GET_INTELLIGENCE_INCIDENT_SUCCESS) return action_result.get_status()
def _handle_post_url(self, param): action_result = ActionResult(dict(param)) self.add_action_result(action_result) params = dict() params['url'] = param["url"] params['key'] = self._api_key # Check if we have a size sizes = { "tiny": "T", "small": "S", "normal": "N", "medium": "M", "large": "L", "full page": "F" } test = param.get("size") if not test: self.save_progress( "Size was blank, using the default \"full page\" size.") test = "full page" if not sizes.get(test.lower()): self.save_progress( "Given size not found, using the default \"full page\" size.") params['size'] = "F" else: params['size'] = sizes[test.lower()] # Check if we have a Secret Phrase if self._api_phrase is None: params['hash'] = "" else: params['hash'] = str( hashlib.md5(params['url'] + self._api_phrase).hexdigest()) params['cacheLimit'] = '0' params['format'] = 'JPG' params['timeout'] = '200' ret_val, image = self._make_rest_call('', action_result, params, method='post', stream=True) if (phantom.is_fail(ret_val)): return action_result.get_status() permalink = None # only create a permalink if the hash is used if params['hash']: permalink = self._get_sspermalink('', params=params, method='post') file_name = param["url"] + "_screenshot.jpg" if hasattr(Vault, "create_attachment"): vault_ret = Vault.create_attachment(image, self.get_container_id(), file_name=file_name) else: if hasattr(Vault, 'get_vault_tmp_dir'): temp_dir = Vault.get_vault_tmp_dir() else: temp_dir = '/opt/phantom/vault/tmp' temp_dir = temp_dir + '/{}'.format(uuid.uuid4()) os.makedirs(temp_dir) file_path = os.path.join(temp_dir, 'tempimage.jpg') with open(file_path, 'wb') as f: f.write(image) vault_ret = Vault.add_attachment(file_path, self.get_container_id(), file_name=file_name) if vault_ret.get('succeeded'): action_result.set_status(phantom.APP_SUCCESS, "Downloaded screenshot") summary = { phantom.APP_JSON_VAULT_ID: vault_ret[phantom.APP_JSON_HASH], phantom.APP_JSON_NAME: file_name, 'vault_file_path': Vault.get_file_path(vault_ret[phantom.APP_JSON_HASH]), phantom.APP_JSON_SIZE: vault_ret.get(phantom.APP_JSON_SIZE) } if permalink: summary['permalink'] = permalink action_result.update_summary(summary) return action_result.get_status()
def get_infrastructure_ssl(self, param): action_result = ActionResult(dict(param)) self._connector.add_action_result(action_result) infrastructure_ssl_service = InfrastructureSSLService( self._ds_api_key, self._ds_api_secret_key) infrastructure_ssl_view = InfrastructureSSLService.infrastructure_ssl_view( ) infrastructure_ssl_pages = infrastructure_ssl_service.find_all_pages( view=infrastructure_ssl_view) infrastructure_ssl_total = len(infrastructure_ssl_pages) if infrastructure_ssl_total > 0: summary = { 'infrastructure_ssl_count': infrastructure_ssl_total, 'infrastructure_ssl_found': True } action_result.update_summary(summary) for infrastructure_ssl_page in infrastructure_ssl_pages: for infrastructure_ssl in infrastructure_ssl_page: data = { 'id': infrastructure_ssl.id, 'domainName': infrastructure_ssl.payload['domainName'], 'ipAddress': infrastructure_ssl.payload['ipAddress'], 'portNumber': infrastructure_ssl.payload['portNumber'], 'transport': infrastructure_ssl.payload['transport'], 'discovered': infrastructure_ssl.payload['discovered'], 'grade': infrastructure_ssl.payload['grade'], 'certificateCommonName': infrastructure_ssl.payload['certificateCommonName'], 'expires': infrastructure_ssl.payload['expires'], 'incident': { 'id': infrastructure_ssl.payload['incident']['id'], 'scope': infrastructure_ssl.payload['incident']['scope'], 'type': infrastructure_ssl.payload['incident']['type'], 'subType': infrastructure_ssl.payload['incident']['subType'], 'severity': infrastructure_ssl.payload['incident']['severity'], 'title': infrastructure_ssl.payload['incident']['title'], } } action_result.add_data(data) action_result.set_status(phantom.APP_SUCCESS, DS_GET_INFRASTRUCTURE_SSL_SUCCESS) else: summary = { 'infrastructure_ssl_count': 0, 'infrastructure_ssl_found': False } action_result.update_summary(summary) action_result.set_status(phantom.APP_SUCCESS, DS_GET_INFRASTRUCTURE_SSL_NOT_FOUND) return action_result.get_status()
def get_infrastructure_vulnerabilities(self, param): action_result = ActionResult(dict(param)) self._connector.add_action_result(action_result) infrastructure_vulnerabilities_service = InfrastructureVulnerabilitiesService( self._ds_api_key, self._ds_api_secret_key) infrastructure_vulnerabilities_view = InfrastructureVulnerabilitiesService.infrastructure_vulnerabilities_view( ) infrastructure_vulnerabilities_pages = infrastructure_vulnerabilities_service.find_all_pages( view=infrastructure_vulnerabilities_view) infrastructure_vulnerabilities_total = len( infrastructure_vulnerabilities_pages) if infrastructure_vulnerabilities_total > 0: summary = { 'infrastructure_vulnerabilities_count': infrastructure_vulnerabilities_total, 'infrastructure_vulnerabilities_found': True } action_result.update_summary(summary) for infrastructure_vulnerabilities_page in infrastructure_vulnerabilities_pages: for infrastructure_vulnerabilities in infrastructure_vulnerabilities_page: data = { 'id': infrastructure_vulnerabilities.id, 'reverseDomainName': infrastructure_vulnerabilities. payload['reverseDomainName'], 'ipAddress': infrastructure_vulnerabilities.payload['ipAddress'], 'cveId': infrastructure_vulnerabilities.payload['cveId'], 'discovered': infrastructure_vulnerabilities.payload['discovered'], 'determinedResolved': infrastructure_vulnerabilities. payload['determinedResolved'], 'incident': { 'id': infrastructure_vulnerabilities.payload['incident'] ['id'], 'scope': infrastructure_vulnerabilities.payload['incident'] ['scope'], 'type': infrastructure_vulnerabilities.payload['incident'] ['type'], 'subType': infrastructure_vulnerabilities.payload['incident'] ['subType'], 'severity': infrastructure_vulnerabilities.payload['incident'] ['severity'], 'title': infrastructure_vulnerabilities.payload['incident'] ['title'], 'published': infrastructure_vulnerabilities.payload['incident'] ['published'], 'closedSource': infrastructure_vulnerabilities.payload['incident'] ['closedSource'], } } action_result.add_data(data) action_result.set_status( phantom.APP_SUCCESS, DS_GET_INFRASTRUCTURE_VULNERABILITIES_SUCCESS) else: summary = { 'infrastructure_vulnerabilities_count': 0, 'infrastructure_vulnerabilities_found': False } action_result.update_summary(summary) action_result.set_status( phantom.APP_SUCCESS, DS_GET_INFRASTRUCTURE_VULNERABILITIES_NOT_FOUND) return action_result.get_status()
def get_data_breach_record_by_username(self, param): action_result = ActionResult(dict(param)) self._connector.add_action_result(action_result) try: breach_record_service = DataBreachRecordService( self._ds_api_key, self._ds_api_secret_key) except Exception as e: error_message = self._handle_exception_object.get_error_message_from_exception( e) return action_result.set_status( phantom.APP_ERROR, "{0} {1}".format(SERVICE_ERR_MSG, error_message)) user_name = param['user_name'] domain_names_param = None if 'domain_names' not in param else param[ 'domain_names'].split(',') review_statuses_param = None if 'review_statuses' not in param else param[ 'review_statuses'].split(',') published_date_range = param.get('published_date_range', 'ALL') try: breach_record_view = DataBreachRecordService.data_breach_records_view( username=user_name, published=published_date_range, domain_names=domain_names_param, review_statuses=review_statuses_param) self._connector.save_progress( "Breach record View: {}".format(breach_record_view)) breach_record_pages = breach_record_service.read_all_records( view=breach_record_view) except StopIteration: error_message = 'No DataBreach objects retrieved from the Digital Shadows API in page groups' return action_result.set_status( phantom.APP_ERROR, "Error Details: {0}".format(error_message)) except Exception as e: error_message = self._handle_exception_object.get_error_message_from_exception( e) return action_result.set_status( phantom.APP_ERROR, "Error Connecting to server. {}".format(error_message)) breach_record_total = len(breach_record_pages) if breach_record_total > 0: summary = { 'data_breach_record_count': breach_record_total, 'data_breach_record_found': True } action_result.update_summary(summary) for breach_record_page in breach_record_pages: for breach_record in breach_record_page: action_result.add_data(breach_record.payload) action_result.set_status( phantom.APP_SUCCESS, "Digital Shadows data breach records fetched") else: summary = { 'data_breach_record_count': 0, 'data_breach_record_found': False } action_result.update_summary(summary) action_result.set_status( phantom.APP_SUCCESS, "Data breach record not found in Digital Shadows") return action_result.get_status()
def _handle_detonate_url(self, param): # type: (Dict[Text, Any]) -> bool status, api = self._get_api() if api is None: return status url = param["url"] self.save_progress("Submitting url %s" % url) params = {"reanalyze": True} if param.get("comment", None) is not None: params["comment"] = param["comment"] if param.get("tags", None) is not None: params["tags"] = param["tags"] if param.get("config", "") != "": params["user_config"] = param["config"] if param.get("jobrules", "") != "": params["jobrule_entries"] = param["jobrules"] try: res = api.submit_url(url, params=params) except Exception as exc: self.set_status(phantom.APP_ERROR, VMRAY_ERR_SUBMIT_FILE, exc) return self.get_status() if res["errors"]: errors = [ err.get("error_msg", "NO_ERROR_MSG_GIVEN") for err in res["errors"] ] self.set_status(phantom.APP_ERROR, ";".join(errors)) return self.get_status() submission_id = res["submissions"][0]["submission_id"] submission_url = res["submissions"][0]["submission_webif_url"] submission_finished = True status, report = self._get_report(submission_id, DEFAULT_TIMEOUT) if status == phantom.APP_ERROR: error_msg, _exc = report if error_msg == VMRAY_ERR_SUBMISSION_NOT_FINISHED: submission_finished = False else: self.set_status(phantom.APP_ERROR, error_msg, _exc) return self.get_status() report = None action_result = ActionResult(dict(param)) self.add_action_result(action_result) if report is not None: for analysis in report["analyses"]: action_result.add_data({"analysis": analysis}) if report["reputation_lookup"]: action_result.add_data( {"reputation_lookup": report["reputation_lookup"][0]}) action_result.update_summary({"severity": report["severity"]}) action_result.update_summary({ "submission_id": submission_id, "url": submission_url, "submission_finished": submission_finished }) action_result.set_status(phantom.APP_SUCCESS) return action_result.get_status()
def _handle_post_url(self, param): action_result = ActionResult(dict(param)) self.add_action_result(action_result) params = dict() params['url'] = param["url"] params['filename'] = param.get('filename') params['key'] = self._api_key # Check if we have a size sizes = {"tiny": "T", "small": "S", "normal": "N", "medium": "M", "large": "L", "full page": "F"} test = param.get("size") if not test: self.save_progress("Size was blank, using the default \"full page\" size") test = "full page" if not sizes.get(test.lower()): self.save_progress("Given size not found, using the default \"full page\" size") params['size'] = "F" else: params['size'] = sizes[test.lower()] # Check if we have a Secret Phrase if self._api_phrase is None: params['hash'] = "" else: params['hash'] = str(hashlib.md5((params['url'] + self._api_phrase).encode('utf-8')).hexdigest()) params['cacheLimit'] = '0' params['format'] = 'JPG' params['timeout'] = '200' ret_val, image = self._make_rest_call('', action_result, params, method='post', stream=True) if phantom.is_fail(ret_val): return action_result.get_status() permalink = None # only create a permalink if the hash is used if params['hash']: permalink = self._get_sspermalink('', params=params, method='post') if params['filename']: file_name = "{}.jpg".format(params['filename']) else: file_name = "{0}{1}".format(param["url"], "_screenshot.jpg") is_download = False if hasattr(Vault, "create_attachment"): vault_ret = Vault.create_attachment(image, self.get_container_id(), file_name=file_name) if vault_ret.get('succeeded'): action_result.set_status(phantom.APP_SUCCESS, "Downloaded screenshot") _, _, vault_meta_info = ph_rules.vault_info(container_id=self.get_container_id(), vault_id=vault_ret[phantom.APP_JSON_HASH]) if not vault_meta_info: self.debug_print("Error while fetching meta information for vault ID: {}".format(vault_ret[phantom.APP_JSON_HASH])) return action_result.set_status(phantom.APP_ERROR, "Could not find meta information of the downloaded screenshot's Vault") vault_path = list(vault_meta_info)[0]['path'] summary = { phantom.APP_JSON_VAULT_ID: vault_ret[phantom.APP_JSON_HASH], phantom.APP_JSON_NAME: file_name, 'vault_file_path': vault_path, phantom.APP_JSON_SIZE: vault_ret.get(phantom.APP_JSON_SIZE)} if permalink: summary['permalink'] = permalink action_result.update_summary(summary) is_download = True else: is_download = False if not is_download: if hasattr(Vault, 'get_vault_tmp_dir'): temp_dir = Vault.get_vault_tmp_dir() else: temp_dir = '/opt/phantom/vault/tmp' temp_dir = "{0}{1}".format(temp_dir, '/{}'.format(uuid.uuid4())) os.makedirs(temp_dir) file_path = os.path.join(temp_dir, 'tempimage.jpg') with open(file_path, 'wb') as f: f.write(image) success, message, vault_id = ph_rules.vault_add(container=self.get_container_id(), file_location=file_path, file_name=file_name) if success: action_result.set_status(phantom.APP_SUCCESS, "Downloaded screenshot") _, _, vault_meta_info = ph_rules.vault_info(container_id=self.get_container_id(), vault_id=vault_id) if not vault_meta_info: self.debug_print("Error while fetching meta information for vault ID: {}".format(vault_id)) return action_result.set_status(phantom.APP_ERROR, "Could not find meta information of the downloaded screenshot's Vault") vault_path = list(vault_meta_info)[0]['path'] summary = { phantom.APP_JSON_VAULT_ID: vault_id, phantom.APP_JSON_NAME: file_name, 'vault_file_path': vault_path} if permalink: summary['permalink'] = permalink action_result.update_summary(summary) else: return action_result.set_status(phantom.APP_ERROR, "Error occurred while saving file to vault: {}".format(message)) return action_result.get_status()
def _handle_get_file(self, param): # type: (Dict[Text, Any]) -> bool status, api = self._get_api() if api is None: return status self.debug_print("param", param) hsh = param["hash"] self.save_progress("Searching %s" % (hsh)) if len(hsh) == 32: res = api.get_sample_by_md5(hsh) elif len(hsh) == 40: res = api.get_sample_by_sha1(hsh) elif len(hsh) == 64: res = api.get_sample_by_sha256(hsh) else: self.set_status(phantom.APP_ERROR, VMRAY_ERR_UNSUPPORTED_HASH) return self.get_status() if len(res) == 0 or "sample_id" not in res[0]: self.set_status(phantom.APP_ERROR, VMRAY_ERR_SAMPLE_NOT_FOUND) return self.get_status() if res[0]["sample_is_multipart"]: self.set_status(phantom.APP_ERROR, VMRAY_ERR_MULTIPART) return self.get_status() self.save_progress("Downloading file") zip_file_location = os.path.join(VAULT_TMP_FOLDER, "%s.zip" % hsh) file_location = os.path.join(VAULT_TMP_FOLDER, hsh) if os.path.exists(zip_file_location) or os.path.exists(file_location): self.set_status(phantom.APP_ERROR, VMRAY_ERR_FILE_EXISTS) return self.get_status() # added b"wb" otherwise mypy complains with api.get_sample_file(res[0]["sample_id"]) as data: with open(zip_file_location, str("wb")) as fobj: fobj.write(data.read()) try: # again wiredness due to mypy zifi = zipfile.ZipFile(str(zip_file_location), str("r")) except Exception as exc: self.set_status(phantom.APP_ERROR, VMRAY_ERR_OPEN_ZIP, exc) os.remove(zip_file_location) return self.get_status() zf_names = zifi.namelist() if len(zf_names) != 1: self.set_status(phantom.APP_ERROR, VMRAY_ERR_MALFORMED_ZIP) zifi.close() os.remove(zip_file_location) return self.get_status() self.save_progress("Extracting file") try: # pylint: disable=bad-continuation with zifi.open(zf_names[0], str("r"), VMRAY_DEFAULT_PASSWORD) as ifobj: with open(file_location, str("wb")) as ofobj: ofobj.write(ifobj.read()) except Exception as exc: self.set_status(phantom.APP_ERROR, VMRAY_ERR_MALFORMED_ZIP, exc) if os.path.exists(file_location): os.remove(file_location) return self.get_status() finally: zifi.close() os.remove(zip_file_location) vmray_sampletypes = [x["sample_type"] for x in res] phantom_sampletypes = [] for st in vmray_sampletypes: if st == "PDF Document": phantom_sampletypes.append("pdf") elif st == "Word Document": phantom_sampletypes.append("doc") elif st == "Excel Document": phantom_sampletypes.append("xls") elif st == "Powerpoint Document": phantom_sampletypes.append("ppt") elif st == "Java Archive": phantom_sampletypes.append("jar") elif st == "JScript": phantom_sampletypes.append("javascript") elif st.startswith("Windows Exe"): phantom_sampletypes.append("pe file") elif st.startswith("Windows DLL"): phantom_sampletypes.append("pe file") elif st.startswith("Windows Driver"): phantom_sampletypes.append("pe file") phantom_sampletypes = list(set(phantom_sampletypes)) self.save_progress("Adding file to vault") vlt_res = Vault.add_attachment(file_location, self.get_container_id(), file_name=res[0]["sample_filename"], metadata={ "size": res[0]["sample_filesize"], "contains": phantom_sampletypes }) if not vlt_res["succeeded"]: self.set_status(phantom.APP_ERROR, VMRAY_ERR_ADD_VAULT) os.remove(file_location) return self.get_status() action_result = ActionResult(dict(param)) self.add_action_result(action_result) action_result.add_data({"vault_id": vlt_res["vault_id"]}) action_result.update_summary({"vault_id": vlt_res["vault_id"]}) action_result.set_status(phantom.APP_SUCCESS) # the vault removes the file after successfully finishing. so # so we do not need to remove it manually # os.remove(file_location) self.save_progress("Finished") return action_result.get_status()