def add_siemplify_results(siemplify, vt_instance, entity, report, threshold):
is_risky = False
entity.additional_properties.update(
add_prefix_to_dict(vt_instance.build_url_enrichment(report),
VT_PREFIX))
entity.is_enriched = True
entity_table = vt_instance.build_engine_csv(report['scans'])
siemplify.result.add_entity_table(entity.identifier, entity_table)
web_link = report.get('permalink', 'No permalink found in results.')
siemplify.result.add_entity_link(entity.identifier, web_link)
if int(threshold) <= report.get('positives', 0):
is_risky = True
entity.is_suspicious = True
insight_msg = 'VirusTotal - URL was marked as malicious by {0} of {1} engines. Threshold set to - {2}'.format(
report.get('positives'), report.get('total'), threshold)
siemplify.add_entity_insight(entity,
insight_msg,
triggered_by='VirusTotal')
return is_risky
def main():
siemplify = SiemplifyAction()
json_data = siemplify.parameters.get("Enrichment JSON")
enrichment_json = json.loads(json_data) # we assume to have a list here
key_path_raw = siemplify.parameters.get("Identifier KeyPath")
separator = siemplify.parameters.get("Separator")
list_of_key_lists = [
key_path.split(separator) for key_path in key_path_raw.split("\n")
]
prefix = siemplify.parameters.get("PrefixForEnrichment")
updated_entities = []
for entity in siemplify.target_entities:
for curr_enrich_json in enrichment_json:
json_identifier = None
for key_list in list_of_key_lists:
json_identifier = find_key_path_in_json(
key_list, curr_enrich_json)
if json_identifier:
if json_identifier.lower() == entity.identifier.lower():
if prefix:
entity.additional_properties.update(
add_prefix_to_dict(
dict_to_flat(curr_enrich_json), prefix))
else:
entity.additional_properties.update(
dict_to_flat(curr_enrich_json))
updated_entities.append(entity)
break # Exit JSON loop and continue to the next entity
count_updated_entities = len(updated_entities)
if count_updated_entities > 0:
siemplify.update_entities(updated_entities)
siemplify.end(
'{0} entities were successfully enriched'.format(
count_updated_entities), count_updated_entities,
EXECUTION_STATE_COMPLETED)
def main():
siemplify = SiemplifyAction()
configurations = siemplify.get_configuration('CheckPoint SandBlast')
api_url = configurations['api_url']
api_key = configurations['api_key']
siemplify.script_name = SCRIPT_NAME
result_value = False
output_message = "No entities were enriched"
json_result = {}
successful_entities = []
script_directory = siemplify.run_folder
sb_features = ["te", "av", "extraction"]
req = None
sbmanager = SandBlast_Manager(api_key=api_key, url=api_url)
siemplify.LOGGER.info("----------------- Main - Started -----------------")
file_hash = ""
entity_objs = []
for entity in siemplify.target_entities:
if entity.entity_type == EntityTypes.FILEHASH:
file_hash = entity.identifier
entity_objs.append(entity)
file_hash = entity.identifier
file_name = "untitled.doc"
req = sbmanager.query(file_hash, file_name)
if not req:
continue
successful_entities.append(entity)
json_result[entity.identifier] = req
for feature in sb_features:
if feature in req.keys():
feature_name = get_feature_name(feature)
feature_res = get_results(feature, req)
insight_text = feature_name.upper() + "\n" + dict2str(
feature_res)
cp_severity = get_severity(feature, req)
siemplify.create_case_insight(
triggered_by="Checkpoint SandBlast",
title=feature_name,
content=insight_text,
severity=0,
insight_type=1,
entity_identifier=file_hash)
if cp_severity > 0 or req[feature].get(
"combined_verdict") == "malicious":
entity.is_suspicious = True
result_value = True
entity.additional_properties.update(
add_prefix_to_dict(dict_to_flat(feature_res),
"CP_{}".format(feature_name)))
if successful_entities:
siemplify.update_entities(successful_entities)
output_message = "Following entities were enriched:\n{}".format(
"\n".join([x.identifier for x in successful_entities]))
siemplify.result.add_result_json(
convert_dict_to_json_result_dict(json_result))
siemplify.end(output_message, result_value)
def main():
siemplify = SiemplifyAction()
siemplify.script_name = SCRIPT_NAME
#conf = siemplify.get_configuration(IDENTIFIER)
#api_key = conf['Api Key']
api_key = "f6d290c8f2d0c4d887a42449efdaf9eb37b13cf8fbc041814d789647ae5cc1f3"
use_ssl = True
vt = VirusTotalManager(api_key, use_ssl)
entities_to_update = []
result_value = 'false'
error = False
json_results = {}
missing_entities = []
output_massage = ""
for entity in siemplify.target_entities:
# Search a domains in virus total.
if entity.entity_type == EntityTypes.HOSTNAME or entity.entity_type == EntityTypes.USER:
try:
domain_report = vt.get_domain_report(get_domain_from_entity(entity).lower())
if domain_report:
result_value = 'true'
json_results[entity.identifier] = domain_report
enrichment_object = vt.build_domain_enrichment(domain_report)
# Scan flat data - update enrichment
entity.additional_properties.update(add_prefix_to_dict(enrichment_object, VT_PREFIX))
entities_to_update.append(entity)
entity.is_enriched = True
# Scan detections_information
siemplify.result.add_entity_table('{0} Score Report'.format(entity.identifier), flat_dict_to_csv(enrichment_object))
web_link = DOMAIN_RESULT_URL_FORMAT.format(get_domain_from_entity(entity))
siemplify.result.add_entity_link("{0} Link to web report".format(entity.identifier), web_link)
else:
# If report is none, and error not raised - probably entity can't be found.
missing_entities.append(entity.identifier)
except Exception as e:
# An error occurred - skip entity and continue
siemplify.LOGGER.error("An error occurred on entity: {}.\n{}.".format(entity.identifier, str(e)))
siemplify.LOGGER.exception(e)
error = True
if entities_to_update:
siemplify.update_entities(entities_to_update)
entities_names = [entity.identifier for entity in entities_to_update]
output_massage += 'The following Domains were submitted and analyzed in VirusTotal: \n' + '\n'.join(
entities_names) + '\n \n *Check online report for full details.\n'
if missing_entities:
output_massage += 'The following Domains NOT found in VirusTotal: \n{0}'.format('\n'.join(missing_entities))
if error:
output_massage += "\n\nErrors Accrued check logs for more information"
# add json
siemplify.result.add_result_json(convert_dict_to_json_result_dict(json_results))
siemplify.end(output_massage, result_value)
def main():
siemplify = SiemplifyAction()
siemplify.script_name = SCRIPT_NAME
siemplify.LOGGER.info(
"[ INFO ] ================= Main - Param Init =================")
# INIT INTEGRATION CONFIGURATION:
client_key = siemplify.extract_configuration_param(
provider_name=INTEGRATION_NAME, param_name="Client Key")
api_root = siemplify.extract_configuration_param(
provider_name=INTEGRATION_NAME, param_name="API Root")
cp_manager = CheckPoint_TR_Manager(client_key=client_key,
api_root=api_root)
confidence_threshold = 0
siemplify.LOGGER.info(
"[ INFO ] ----------------- Main - Started -----------------")
try:
status = EXECUTION_STATE_COMPLETED # used to flag back to siemplify system, the action final status
output_message = "output message :" # human readable message, showed in UI as the action result
result_value = None # Set a simple result value, used for playbook if\else and placeholders.
failed_entities = [
] # In case this actions contains entity based logic, collect failed entity.identifiers
successfull_entities = [
] # In case this actions contains entity based logic, collect successfull entity.identifiers
white_list_class = ["Benign", "Unclassified"]
error_messages = []
json_result = {}
for entity in siemplify.target_entities:
siemplify.LOGGER.info(
"[ INFO ] Started processing entity: {}".format(
entity.identifier))
if entity.entity_type == EntityTypes.URL:
try:
rep_data = cp_manager.get_url_rep(
entity.identifier)['response'][0]
rep_data_string = """Classification: {}
Confidence: {}
Severity: {}
Risk: {}
""".format(
rep_data['reputation']['classification'],
rep_data['reputation']['confidence'],
rep_data['reputation']['severity'], rep_data['risk'])
try:
indications = "\n".join(
rep_data['context']['indications'])
rep_data_string = rep_data_string + "\n" + indications
except Exception as e:
# print("No indications insight added.")
pass
siemplify.add_entity_insight(entity, rep_data_string)
# siemplify.result.add_result_json(rep_data)
json_result[entity.identifier] = rep_data
entity.additional_properties.update(
add_prefix_to_dict(
dict_to_flat(rep_data['reputation']),
"CP_ThreatReputation"))
if rep_data['risk'] > confidence_threshold and rep_data[
'reputation'][
'classification'] not in white_list_class:
entity.is_suspicious = True
successfull_entities.append(entity)
except Exception as e:
failed_entities.append(entity.identifier)
error_messages.append("{}: {}".format(
entity.identifier, str(e)))
if successfull_entities:
siemplify.update_entities(successfull_entities)
output_message += "\nSuccessfully processed entities:\n {}".format(
"\n ".join(
list(map(lambda x: x.identifier, successfull_entities))))
else:
output_message += "\nNo entities where processed."
result_value = len(successfull_entities)
if failed_entities:
output_message += "\nFailed processing entities:\n {}".format(
"\n ".join(failed_entities))
output_message += "\nErrors: {}".format(", ".join(error_messages))
if not successfull_entities:
status = EXECUTION_STATE_FAILED
except Exception as e:
siemplify.LOGGER.error(
"[ ERROR ] General error performing action {}".format(SCRIPT_NAME))
siemplify.LOGGER.exception(e)
raise # used to return entire error details - including stacktrace back to client UI. Best for most usecases
# in case you want to handle the error yourself, don't raise, and handle error result ouputs:
status = EXECUTION_STATE_FAILED
result_value = "Failed"
output_message += "\n unknown failure"
siemplify.end(output_message, result_value, status)