コード例 #1
0
    def _lookup_domain(self, params):
        action_result = self.add_action_result(ActionResult(dict(params)))
        domain = params[HAVEIBEENPWNED_ACTION_PARAM_DOMAIN]
        if phantom.is_url(domain):
            domain = phantom.get_host_from_url(domain).replace("www.", "")

        if "www." in domain:
            domain = domain.replace("www.", "")

        endpoint = HAVEIBEENPWNED_API_ENDPOINT_LOOKUP_DOMAIN
        kwargs = {HAVEIBEENPWEND_PARAM_DOMAIN_KEY: domain}
        ret_val, response = self._make_rest_call(endpoint, params=kwargs)

        if (phantom.is_fail(ret_val)):
            return action_result.set_status(phantom.APP_ERROR,
                                            HAVEIBEENPWNED_REST_CALL_ERR,
                                            response)

        for item in response:
            action_result.add_data(item)

        action_result.set_summary(
            {HAVEIBEENPWNED_TOTAL_BREACHES: len(response)})

        return action_result.set_status(phantom.APP_SUCCESS,
                                        HAVEIBEENPWNED_LOOKUP_DOMAIN_SUCCESS)
コード例 #2
0
    def _extract_urls_domains(self, file_data, urls, domains):

        if not self._config[
                PROC_EMAIL_JSON_EXTRACT_DOMAINS] and not self._config[
                    PROC_EMAIL_JSON_EXTRACT_URLS]:
            return

        # try to load the email
        try:
            soup = BeautifulSoup(file_data, "html.parser")
        except Exception as e:
            self._base_connector.debug_print(e)
            return

        uris = []
        # get all tags that have hrefs
        links = soup.find_all(href=True)
        if links:
            # it's html, so get all the urls
            uris = [
                x['href'] for x in links
                if (not x['href'].startswith('mailto:'))
            ]
            # work on the text part of the link, they might be http links different from the href
            # and were either missed by the uri_regexc while parsing text or there was no text counterpart
            # in the email
            uri_text = [self._clean_url(x.get_text()) for x in links]
            if uri_text:
                uri_text = [x for x in uri_text if x.startswith('http')]
                if uri_text:
                    uris.extend(uri_text)
        else:
            # Parse it as a text file
            uris = re.findall(uri_regexc, file_data)
            if uris:
                uris = [self._clean_url(x) for x in uris]

        if self._config[PROC_EMAIL_JSON_EXTRACT_URLS]:
            # add the uris to the urls
            urls |= set(uris)

        if self._config[PROC_EMAIL_JSON_EXTRACT_DOMAINS]:
            for uri in uris:
                domain = phantom.get_host_from_url(uri)
                if domain and not self._is_ip(domain):
                    domains.add(domain)
            # work on any mailto urls if present
            if links:
                mailtos = [
                    x['href'] for x in links
                    if (x['href'].startswith('mailto:'))
                ]
                for curr_email in mailtos:
                    domain = curr_email[curr_email.find('@') + 1:]
                    if domain and not self._is_ip(domain):
                        domains.add(domain)

        return
コード例 #3
0
    def _domain_reputation(self, param):

        action_result = self.add_action_result(ActionResult(dict(param)))
        summary_data = action_result.update_summary({})

        # Getting mandatory input params
        domain = param[DEEPSIGHT_JSON_DOMAIN]

        # Convert URL to domain
        if phantom.is_url(domain):
            domain = phantom.get_host_from_url(domain)

        return_val, resp = self._make_rest_call(
            DEEPSIGHT_ENDPOINT_DOMAINS.format(domain=domain), action_result)

        # Something went wrong with the request
        if phantom.is_fail(return_val):
            return action_result.get_status()

        # Resource not found is treated as app success
        if (resp.get(DEEPSIGHT_JSON_RESOURCE_NOT_FOUND)):
            return action_result.set_status(
                phantom.APP_SUCCESS,
                DEEPSIGHT_REST_RESP_RESOURCE_NOT_FOUND_MSG)

        json_resp = resp.get(DEEPSIGHT_JSON_RESPONSE)

        action_result.add_data(json_resp)

        if 'reputation' in json_resp:
            summary_data['reputation'] = json_resp['reputation']
        if 'confidence' in json_resp:
            summary_data['confidence'] = json_resp['confidence']
        if 'hostility' in json_resp:
            summary_data['hostility'] = json_resp['hostility']
        if 'whitelisted' in json_resp:
            summary_data['whitelisted'] = json_resp['whitelisted']
        if 'lastSeen' in json_resp:
            summary_data['last_seen'] = json_resp['lastSeen']

        return action_result.set_status(phantom.APP_SUCCESS)
コード例 #4
0
    def _whois_domain(self, param):

        action_result = self.add_action_result(ActionResult(dict(param)))

        # Progress
        self.save_progress(INVESTIGATE_USING_BASE_URL, base_url=self._base_url)

        # Connectivity
        self.save_progress(phantom.APP_PROG_CONNECTING_TO_ELLIPSES, self._host)

        domain = param[INVESTIGATE_JSON_DOMAIN]

        # Assume that it is a url
        hostname = phantom.get_host_from_url(domain)
        # If it is a URL then the hostname will get extracted else use the domain as is
        if (hostname):
            domain = hostname

        slash_pos = domain.find('/')

        if (slash_pos != -1):
            domain = domain[:slash_pos]

        endpoint = '/whois/{0}'.format(domain)

        ret_val, response, status_code = self._make_rest_call(endpoint, None, action_result)

        if (phantom.is_fail(ret_val)):
            self.debug_print(action_result.get_message())
            return action_result.set_status(phantom.APP_ERROR, action_result.get_message())

        action_result.add_data(response)

        summary = action_result.update_summary({})

        summary[INVESTIGATE_REG_ORG] = response.get('registrantOrganization', '')
        summary[INVESTIGATE_REG_CITY] = response.get('registrantCity', '')
        summary[INVESTIGATE_REG_COUNTRY] = response.get('registrantCountry', '')

        return action_result.set_status(phantom.APP_SUCCESS)
コード例 #5
0
    def _hunt_domain(self, param):

        action_result = self.add_action_result(ActionResult(dict(param)))
        summary_data = action_result.update_summary({})

        # Getting mandatory input params
        domain = param[PHISHME_JSON_DOMAIN]

        # Convert URL to domain
        if phantom.is_url(domain):
            domain = phantom.get_host_from_url(domain)

        # Getting optional parameter
        max_threat_cnt = int(param.get(PHISHME_JSON_MAX_THREAT_COUNT, PHISHME_DEFAULT_MAX_THREAT_COUNT))

        data = {'domain': domain}

        return_value, json_resp = self._threat_search(data, max_threat_cnt, action_result)

        # Something went wrong with the request
        if phantom.is_fail(return_value):
            self.debug_print(action_result.get_message())
            return action_result.get_status()

        # Resource not found is treated as app success
        # Empty threats is also treated as app success
        if not json_resp or not json_resp["data"]["threats"]:
            return action_result.set_status(phantom.APP_SUCCESS, PHISHME_REST_RESP_RESOURCE_NOT_FOUND_MSG)

        # Get the required data to dump in action result
        data_to_add = self._parse_response(json_resp, ioc_type='Domain Name', param_value=domain)

        action_result.add_data(data_to_add)
        total_threats = len(json_resp["data"]["threats"])

        summary_data['total_threats'] = total_threats

        return action_result.set_status(phantom.APP_SUCCESS)
コード例 #6
0
def _extract_domain_from_url(url):
    domain = phantom.get_host_from_url(url)
    if domain and not _is_ip(domain):
        return domain
    return None