def add_siemplify_results(siemplify, vt_instance, entity, report, threshold): is_risky = False entity.additional_properties.update( add_prefix_to_dict(vt_instance.build_url_enrichment(report), VT_PREFIX)) entity.is_enriched = True entity_table = vt_instance.build_engine_csv(report['scans']) siemplify.result.add_entity_table(entity.identifier, entity_table) web_link = report.get('permalink', 'No permalink found in results.') siemplify.result.add_entity_link(entity.identifier, web_link) if int(threshold) <= report.get('positives', 0): is_risky = True entity.is_suspicious = True insight_msg = 'VirusTotal - URL was marked as malicious by {0} of {1} engines. Threshold set to - {2}'.format( report.get('positives'), report.get('total'), threshold) siemplify.add_entity_insight(entity, insight_msg, triggered_by='VirusTotal') return is_risky
def main(): siemplify = SiemplifyAction() json_data = siemplify.parameters.get("Enrichment JSON") enrichment_json = json.loads(json_data) # we assume to have a list here key_path_raw = siemplify.parameters.get("Identifier KeyPath") separator = siemplify.parameters.get("Separator") list_of_key_lists = [ key_path.split(separator) for key_path in key_path_raw.split("\n") ] prefix = siemplify.parameters.get("PrefixForEnrichment") updated_entities = [] for entity in siemplify.target_entities: for curr_enrich_json in enrichment_json: json_identifier = None for key_list in list_of_key_lists: json_identifier = find_key_path_in_json( key_list, curr_enrich_json) if json_identifier: if json_identifier.lower() == entity.identifier.lower(): if prefix: entity.additional_properties.update( add_prefix_to_dict( dict_to_flat(curr_enrich_json), prefix)) else: entity.additional_properties.update( dict_to_flat(curr_enrich_json)) updated_entities.append(entity) break # Exit JSON loop and continue to the next entity count_updated_entities = len(updated_entities) if count_updated_entities > 0: siemplify.update_entities(updated_entities) siemplify.end( '{0} entities were successfully enriched'.format( count_updated_entities), count_updated_entities, EXECUTION_STATE_COMPLETED)
def main(): siemplify = SiemplifyAction() configurations = siemplify.get_configuration('CheckPoint SandBlast') api_url = configurations['api_url'] api_key = configurations['api_key'] siemplify.script_name = SCRIPT_NAME result_value = False output_message = "No entities were enriched" json_result = {} successful_entities = [] script_directory = siemplify.run_folder sb_features = ["te", "av", "extraction"] req = None sbmanager = SandBlast_Manager(api_key=api_key, url=api_url) siemplify.LOGGER.info("----------------- Main - Started -----------------") file_hash = "" entity_objs = [] for entity in siemplify.target_entities: if entity.entity_type == EntityTypes.FILEHASH: file_hash = entity.identifier entity_objs.append(entity) file_hash = entity.identifier file_name = "untitled.doc" req = sbmanager.query(file_hash, file_name) if not req: continue successful_entities.append(entity) json_result[entity.identifier] = req for feature in sb_features: if feature in req.keys(): feature_name = get_feature_name(feature) feature_res = get_results(feature, req) insight_text = feature_name.upper() + "\n" + dict2str( feature_res) cp_severity = get_severity(feature, req) siemplify.create_case_insight( triggered_by="Checkpoint SandBlast", title=feature_name, content=insight_text, severity=0, insight_type=1, entity_identifier=file_hash) if cp_severity > 0 or req[feature].get( "combined_verdict") == "malicious": entity.is_suspicious = True result_value = True entity.additional_properties.update( add_prefix_to_dict(dict_to_flat(feature_res), "CP_{}".format(feature_name))) if successful_entities: siemplify.update_entities(successful_entities) output_message = "Following entities were enriched:\n{}".format( "\n".join([x.identifier for x in successful_entities])) siemplify.result.add_result_json( convert_dict_to_json_result_dict(json_result)) siemplify.end(output_message, result_value)
def main(): siemplify = SiemplifyAction() siemplify.script_name = SCRIPT_NAME #conf = siemplify.get_configuration(IDENTIFIER) #api_key = conf['Api Key'] api_key = "f6d290c8f2d0c4d887a42449efdaf9eb37b13cf8fbc041814d789647ae5cc1f3" use_ssl = True vt = VirusTotalManager(api_key, use_ssl) entities_to_update = [] result_value = 'false' error = False json_results = {} missing_entities = [] output_massage = "" for entity in siemplify.target_entities: # Search a domains in virus total. if entity.entity_type == EntityTypes.HOSTNAME or entity.entity_type == EntityTypes.USER: try: domain_report = vt.get_domain_report(get_domain_from_entity(entity).lower()) if domain_report: result_value = 'true' json_results[entity.identifier] = domain_report enrichment_object = vt.build_domain_enrichment(domain_report) # Scan flat data - update enrichment entity.additional_properties.update(add_prefix_to_dict(enrichment_object, VT_PREFIX)) entities_to_update.append(entity) entity.is_enriched = True # Scan detections_information siemplify.result.add_entity_table('{0} Score Report'.format(entity.identifier), flat_dict_to_csv(enrichment_object)) web_link = DOMAIN_RESULT_URL_FORMAT.format(get_domain_from_entity(entity)) siemplify.result.add_entity_link("{0} Link to web report".format(entity.identifier), web_link) else: # If report is none, and error not raised - probably entity can't be found. missing_entities.append(entity.identifier) except Exception as e: # An error occurred - skip entity and continue siemplify.LOGGER.error("An error occurred on entity: {}.\n{}.".format(entity.identifier, str(e))) siemplify.LOGGER.exception(e) error = True if entities_to_update: siemplify.update_entities(entities_to_update) entities_names = [entity.identifier for entity in entities_to_update] output_massage += 'The following Domains were submitted and analyzed in VirusTotal: \n' + '\n'.join( entities_names) + '\n \n *Check online report for full details.\n' if missing_entities: output_massage += 'The following Domains NOT found in VirusTotal: \n{0}'.format('\n'.join(missing_entities)) if error: output_massage += "\n\nErrors Accrued check logs for more information" # add json siemplify.result.add_result_json(convert_dict_to_json_result_dict(json_results)) siemplify.end(output_massage, result_value)
def main(): siemplify = SiemplifyAction() siemplify.script_name = SCRIPT_NAME siemplify.LOGGER.info( "[ INFO ] ================= Main - Param Init =================") # INIT INTEGRATION CONFIGURATION: client_key = siemplify.extract_configuration_param( provider_name=INTEGRATION_NAME, param_name="Client Key") api_root = siemplify.extract_configuration_param( provider_name=INTEGRATION_NAME, param_name="API Root") cp_manager = CheckPoint_TR_Manager(client_key=client_key, api_root=api_root) confidence_threshold = 0 siemplify.LOGGER.info( "[ INFO ] ----------------- Main - Started -----------------") try: status = EXECUTION_STATE_COMPLETED # used to flag back to siemplify system, the action final status output_message = "output message :" # human readable message, showed in UI as the action result result_value = None # Set a simple result value, used for playbook if\else and placeholders. failed_entities = [ ] # In case this actions contains entity based logic, collect failed entity.identifiers successfull_entities = [ ] # In case this actions contains entity based logic, collect successfull entity.identifiers white_list_class = ["Benign", "Unclassified"] error_messages = [] json_result = {} for entity in siemplify.target_entities: siemplify.LOGGER.info( "[ INFO ] Started processing entity: {}".format( entity.identifier)) if entity.entity_type == EntityTypes.URL: try: rep_data = cp_manager.get_url_rep( entity.identifier)['response'][0] rep_data_string = """Classification: {} Confidence: {} Severity: {} Risk: {} """.format( rep_data['reputation']['classification'], rep_data['reputation']['confidence'], rep_data['reputation']['severity'], rep_data['risk']) try: indications = "\n".join( rep_data['context']['indications']) rep_data_string = rep_data_string + "\n" + indications except Exception as e: # print("No indications insight added.") pass siemplify.add_entity_insight(entity, rep_data_string) # siemplify.result.add_result_json(rep_data) json_result[entity.identifier] = rep_data entity.additional_properties.update( add_prefix_to_dict( dict_to_flat(rep_data['reputation']), "CP_ThreatReputation")) if rep_data['risk'] > confidence_threshold and rep_data[ 'reputation'][ 'classification'] not in white_list_class: entity.is_suspicious = True successfull_entities.append(entity) except Exception as e: failed_entities.append(entity.identifier) error_messages.append("{}: {}".format( entity.identifier, str(e))) if successfull_entities: siemplify.update_entities(successfull_entities) output_message += "\nSuccessfully processed entities:\n {}".format( "\n ".join( list(map(lambda x: x.identifier, successfull_entities)))) else: output_message += "\nNo entities where processed." result_value = len(successfull_entities) if failed_entities: output_message += "\nFailed processing entities:\n {}".format( "\n ".join(failed_entities)) output_message += "\nErrors: {}".format(", ".join(error_messages)) if not successfull_entities: status = EXECUTION_STATE_FAILED except Exception as e: siemplify.LOGGER.error( "[ ERROR ] General error performing action {}".format(SCRIPT_NAME)) siemplify.LOGGER.exception(e) raise # used to return entire error details - including stacktrace back to client UI. Best for most usecases # in case you want to handle the error yourself, don't raise, and handle error result ouputs: status = EXECUTION_STATE_FAILED result_value = "Failed" output_message += "\n unknown failure" siemplify.end(output_message, result_value, status)