def main(): """Main function """ params = demisto.params() # handle params url = "https://www.threathq.com" credentials = params.get("credentials", {}) auth = (credentials.get("identifier"), credentials.get("password")) verify = not params.get("insecure") proxy = params.get("proxy") threat_type = params.get("threat_type") client = Client(url, auth=auth, verify=verify, proxy=proxy, threat_type=threat_type) demisto.info(f"Command being called is {demisto.command()}") try: if demisto.command() == "test-module": return_outputs(*test_module(client)) elif demisto.command() == "fetch-indicators": begin_time, end_time = build_fetch_times(params.get("fetch_time", "3 days")) indicators = fetch_indicators_command(client, begin_time, end_time) # Send indicators to demisto for b in batch(indicators, batch_size=2000): demisto.createIndicators(b) elif demisto.command() == "cofense-get-indicators": # dummy command for testing readable_outputs, raw_response = get_indicators_command(client, demisto.args()) return_outputs(readable_outputs, {}, raw_response=raw_response) except Exception as err: return_error(f"Error in {INTEGRATION_NAME} integration:\n{str(err)}\n\nTrace:{traceback.format_exc()}")
def main(): """ PARSE AND VALIDATE INTEGRATION PARAMS """ params = demisto.params() base_url = params.get("url") insecure = not params.get("insecure", False) proxy = params.get("proxy", False) command = demisto.command() demisto.info(f"Command being called is {command}") try: client = Client(base_url=base_url, verify=insecure, proxy=proxy, ) commands: Dict[ str, Callable[[Client, Dict[str, str], Dict[str, str]], Tuple[str, Dict[Any, Any], Dict[Any, Any]]] ] = {"test-module": test_module, "zoom-get-indicators": get_indicators_command} if command in commands: return_outputs(*commands[command](client, demisto.params(), demisto.args())) elif command == "fetch-indicators": indicators = fetch_indicators_command(client, demisto.params()) for iter_ in batch(indicators, batch_size=2000): demisto.createIndicators(iter_) else: raise NotImplementedError(f"Command {command} is not implemented.") except Exception as err: err_msg = f"Error in {INTEGRATION_NAME} Integration. [{err}]" return_error(err_msg)
def main(): params = demisto.params() args = demisto.args() base_url = "https://rules.emergingthreats.net/" client = Client( base_url=base_url, auth_code=params.get("auth_code"), verify=not params.get("insecure", False), proxy=params.get("proxy"), ) command = demisto.command() demisto.info("Command being called is {}".format(command)) # Switch case try: if command == "fetch-indicators": indicators = fetch_indicators_command(client, params.get("indicator_type")) # we submit the indicators in batches for b in batch(indicators, batch_size=2000): demisto.createIndicators(b) elif command == "test-module": return_outputs( module_test_command(client, params.get("indicator_type"))) elif command == "proofpoint-get-indicators": readable_output, outputs, raw_response = get_indicators_command( client, args) return_outputs(readable_output, outputs, raw_response) except Exception as e: return_error( f"Error in {SOURCE_NAME} Integration - Encountered an issue with createIndicators" if "failed to create" in str(e) else f"Error in {SOURCE_NAME} Integration [{e}]")
def main(): max_indicators = get_limit( demisto.params().get("maxIndicators", MAX_INDICATORS), MAX_INDICATORS) SESSION.proxies = handle_proxy() client = SixgillFeedClient(demisto.params()["client_id"], demisto.params()["client_secret"], CHANNEL_CODE, FeedStream.DVEFEED, bulk_size=max_indicators, session=SESSION, logger=demisto, verify=VERIFY) command = demisto.command() demisto.info(f"Command being called is {command}") tags = argToList(demisto.params().get("feedTags", [])) tlp_color = demisto.params().get("tlp_color") commands: Dict[str, Callable] = { "test-module": module_command_test, "cybersixgill-get-indicators": get_indicators_command } try: if demisto.command() == "fetch-indicators": indicators = fetch_indicators_command(client, tags=tags, tlp_color=tlp_color) for b in batch(indicators, batch_size=2000): demisto.createIndicators(b) else: readable_output, outputs, raw_response = commands[command]( client, demisto.args()) return_outputs(readable_output, outputs, raw_response) except Exception as err: demisto.error(traceback.format_exc()) return_error( f"Error failed to execute {demisto.command()}, error: [{err}]")
def main(): """ main function, parses params and runs command functions """ params = demisto.params() base_url = urljoin(params.get('url').rstrip('/'), '/') timeout = arg_to_number(params.get('timeout', 60)) insecure = not params.get('insecure', False) proxy = params.get('proxy', False) command = demisto.command() args = demisto.args() demisto.debug(f'Command being called is {command}') try: client = Client(base_url=base_url, verify=insecure, proxy=proxy, timeout=timeout) if command == 'test-module': return_results(test_module(client, params)) elif command == 'misp-feed-get-indicators': return_results(get_attributes_command(client, args, params)) elif command == 'fetch-indicators': indicators = fetch_attributes_command(client, params) for iter_ in batch(indicators, batch_size=2000): demisto.createIndicators(iter_) else: raise NotImplementedError(f'Command {command} is not implemented.') except Exception as e: demisto.error(traceback.format_exc()) return_error(f'Failed to execute {command} command.\nError:\n{str(e)}')
def main(): params = demisto.params() url = params.get('url', 'https://public-dns.info/nameservers-all.txt') tags = argToList(params.get('feedTags')) tlp_color = params.get('tlp_color') use_ssl = not params.get('insecure', False) command = demisto.command() demisto.info(f'Command being called is {command}') try: client = Client(url, tags, tlp_color, use_ssl) commands: Dict = { 'test-module': test_module, 'public-dns-get-indicators': get_indicators_command } if command in commands: return_outputs(*commands[command](client)) elif command == 'fetch-indicators': indicators = fetch_indicators_command(client) for iter_ in batch(indicators, batch_size=2000): demisto.createIndicators(iter_) else: raise NotImplementedError(f'Command {command} is not implemented.') except Exception as err: err_msg = f'Error in {INTEGRATION_NAME} Integration. [{err}]' return_error(err_msg)
def main(): params = demisto.params() args = demisto.args() url = 'https://cti-taxii.mitre.org' proxies = handle_proxy() verify_certificate = not params.get('insecure', False) tags = argToList(params.get('feedTags', [])) tlp_color = params.get('tlp_color') create_relationships = argToBoolean(params.get('create_relationships')) command = demisto.command() demisto.info(f'Command being called is {command}') try: client = Client(url, proxies, verify_certificate, tags, tlp_color) client.initialise() if demisto.command() == 'mitre-get-indicators': get_indicators_command(client, args) elif demisto.command() == 'mitre-show-feeds': show_feeds_command(client) elif demisto.command() == 'test-module': test_module(client) elif demisto.command() == 'fetch-indicators': indicators = fetch_indicators(client, create_relationships) for iter_ in batch(indicators, batch_size=2000): demisto.createIndicators(iter_) # Log exceptions except Exception as e: return_error(e)
def main(): """ main function, parses params and runs command functions """ params = demisto.params() # Get the service API url base_url = params.get('url') # If your Client class inherits from BaseClient, SSL verification is # handled out of the box by it, just pass ``verify_certificate`` to # the Client constructor insecure = not params.get('insecure', False) # If your Client class inherits from BaseClient, system proxy is handled # out of the box by it, just pass ``proxy`` to the Client constructor proxy = params.get('proxy', False) command = demisto.command() args = demisto.args() # INTEGRATION DEVELOPER TIP # You can use functions such as ``demisto.debug()``, ``demisto.info()``, # etc. to print information in the XSOAR server log. You can set the log # level on the server configuration # See: https://xsoar.pan.dev/docs/integrations/code-conventions#logging demisto.debug(f'Command being called is {command}') try: client = Client( base_url=base_url, verify=insecure, proxy=proxy, ) if command == 'test-module': # This is the call made when pressing the integration Test button. return_results(test_module(client)) elif command == 'helloworld-get-indicators': # This is the command that fetches a limited number of indicators from the feed source # and displays them in the war room. return_results(get_indicators_command(client, params, args)) elif command == 'fetch-indicators': # This is the command that initiates a request to the feed endpoint and create new indicators objects from # the data fetched. If the integration instance is configured to fetch indicators, then this is the command # that will be executed at the specified feed fetch interval. indicators = fetch_indicators_command(client, params) for iter_ in batch(indicators, batch_size=2000): demisto.createIndicators(iter_) else: raise NotImplementedError(f'Command {command} is not implemented.') # Log exceptions and return errors except Exception as e: demisto.error(traceback.format_exc()) # Print the traceback return_error(f'Failed to execute {command} command.\nError:\n{str(e)}')
def main(): params = demisto.params() feed_tags = argToList(params.get('feedTags')) tlp_color = params.get('tlp_color') target_countries = params.get('target_countries') target_industries = params.get('target_industries') custom_filter = params.get('custom_filter') client = Client(params) command = demisto.command() demisto.info(f'Command being called is {command}') # Switch case commands = { 'test-module': test_module, 'crowdstrike-falcon-intel-get-indicators': get_indicators_command } try: if demisto.command() == 'fetch-indicators': indicators = fetch_indicators(client, feed_tags, tlp_color, target_countries=target_countries, target_industries=target_industries, custom_filter=custom_filter) # we submit the indicators in batches for b in batch(indicators, batch_size=2000): demisto.createIndicators(b) else: readable_output, outputs, raw_response = commands[command]( client, demisto.args(), feed_tags, tlp_color) # type: ignore return_outputs(readable_output, outputs, raw_response) except Exception as e: raise Exception(f'Error in CrowdStrike falcon intel Integration [{e}]')
def main(): params = demisto.params() client = Client(params.get('indicator_type'), params.get('api_token'), params.get('sub_feeds'), params.get('risk_rule'), params.get('fusion_file_path'), params.get('insecure'), params.get('polling_timeout'), params.get('proxy'), params.get('threshold')) command = demisto.command() demisto.info('Command being called is {}'.format(command)) # Switch case commands = { 'test-module': test_module, 'rf-feed-get-indicators': get_indicators_command, 'rf-feed-get-risk-rules': get_risk_rules_command } try: if demisto.command() == 'fetch-indicators': indicators = fetch_indicators_command(client, client.indicator_type, None) # we submit the indicators in batches for b in batch(indicators, batch_size=2000): demisto.createIndicators(b) else: readable_output, outputs, raw_response = commands[command]( client, demisto.args()) # type:ignore return_outputs(readable_output, outputs, raw_response) except Exception as e: err_msg = f'Error in {INTEGRATION_NAME} Integration [{e}] \n Traceback: {traceback.format_exc()}' return_error(err_msg)
def feed_main(feed_name, params=None, prefix=''): if not params: params = assign_params(**demisto.params()) if 'feed_name' not in params: params['feed_name'] = feed_name client = Client(**params) command = demisto.command() if command != 'fetch-indicators': demisto.info('Command being called is {}'.format(command)) if prefix and not prefix.endswith('-'): prefix += '-' # Switch case commands: dict = { 'test-module': test_module, f'{prefix}get-indicators': get_indicators_command } try: if command == 'fetch-indicators': indicators = fetch_indicators_command(client, params.get('indicator_type')) # we submit the indicators in batches for b in batch(indicators, batch_size=2000): demisto.createIndicators(b) else: args = demisto.args() args['feed_name'] = feed_name readable_output, outputs, raw_response = commands[command](client, args) return_outputs(readable_output, outputs, raw_response) except Exception as e: err_msg = f'Error in {feed_name} integration [{e}]\nTrace\n:{traceback.format_exc()}' return_error(err_msg)
def feed_main(feed_name, params=None, prefix=''): if not params: params = {k: v for k, v in demisto.params().items() if v is not None} handle_proxy() client = Client(**params) command = demisto.command() if command != 'fetch-indicators': demisto.info('Command being called is {}'.format(command)) if prefix and not prefix.endswith('-'): prefix += '-' # Switch case commands: dict = { 'test-module': module_test_command, f'{prefix}get-indicators': get_indicators_command } try: if command == 'fetch-indicators': indicators = fetch_indicators_command(client, params.get('indicator_type')) # we submit the indicators in batches for b in batch(indicators, batch_size=2000): demisto.createIndicators(b) # type: ignore else: args = demisto.args() args['feed_name'] = feed_name readable_output, outputs, raw_response = commands[command](client, args) return_outputs(readable_output, outputs, raw_response) except Exception as e: err_msg = f'Error in {feed_name} Integration - Encountered an issue with createIndicators' if \ 'failed to create' in str(e) else f'Error in {feed_name} Integration [{e}]' return_error(err_msg)
def main(): max_indicators = get_limit( demisto.params().get('maxIndicators', MAX_INDICATORS), MAX_INDICATORS) SESSION.proxies = handle_proxy() client = SixgillFeedClient(demisto.params()['client_id'], demisto.params()['client_secret'], CHANNEL_CODE, FeedStream.DARKFEED, demisto, max_indicators, SESSION, VERIFY) command = demisto.command() demisto.info(f'Command being called is {command}') commands: Dict[str, Callable] = { 'test-module': test_module_command, 'sixgill-get-indicators': get_indicators_command } try: if demisto.command() == 'fetch-indicators': indicators = fetch_indicators_command(client) for b in batch(indicators, batch_size=2000): demisto.createIndicators(b) else: readable_output, outputs, raw_response = commands[command]( client, demisto.args()) return_outputs(readable_output, outputs, raw_response) except Exception as e: demisto.error(traceback.format_exc()) return_error( f'Error failed to execute {demisto.command()}, error: [{e}]')
def fetch_indicators_command(client: Client, time_to_stop_fetch: datetime = None): """Retrieves indicators from the feed Args: client: Client object with request time_to_stop_fetch: Time to stop the fetch before it falls on the docker timeout Returns: List. Processed indicator from feed. """ current_date = arg_to_datetime('now').date() # type:ignore while client.first_fetch.date() <= current_date: indicators, status = fetch_indicators(client, time_to_stop_fetch) if not status: return for iter_ in batch(indicators, batch_size=2000): demisto.createIndicators(iter_) # Each request returns one day's indicators, so we'll keep the date of the next day in IntegrationContext. next_fetch = (dateparser.parse( 'tomorrow', settings={'RELATIVE_BASE': client.first_fetch})) # type:ignore if client.first_fetch.date() < current_date: demisto.setIntegrationContext( {'last_fetch': next_fetch.isoformat()}) # type:ignore client.first_fetch = next_fetch demisto.debug(f'{len(indicators)} XSOAR Indicators were created.') return
def workday_first_run_command(client, mapper_in, report_url, workday_date_format): report_data = client.get_full_report(report_url) indicators = report_to_indicators(report_data.get('Report_Entry'), mapper_in, workday_date_format) for b in batch(indicators, batch_size=BATCH_SIZE): demisto.createIndicators(b)
def main(): params = demisto.params() feed_tags = argToList(params.get('feedTags')) client = Client(api_key=params.get('api_key'), insecure=params.get('insecure')) command = demisto.command() demisto.info(f'Command being called is {command}') # Switch case commands = { 'test-module': module_test_command, 'autofocus-daily-get-indicators': get_indicators_command } try: if demisto.command() == 'fetch-indicators': indicators = fetch_indicators_command(client, feed_tags) # we submit the indicators in batches for b in batch(indicators, batch_size=2000): demisto.createIndicators(b) else: readable_output, outputs, raw_response = commands[command](client, demisto.args(), feed_tags) # type: ignore return_outputs(readable_output, outputs, raw_response) except Exception as e: raise Exception(f'Error in AutoFocusFeed Daily Integration [{e}]')
def main() -> None: """main function, parses params and runs command functions """ params = demisto.params() command = demisto.command() args = demisto.args() verify_certificate = not params.get('insecure', False) proxy = params.get('proxy', False) auth = params.get('auth', {}) username = auth.get('identifier', '') password = auth.get('password', '') base_url = params.get('url', '') timeout = int(params.get('timeout', 60)) tlp_color = demisto.params().get('tlp_color') feedTags = argToList(demisto.params().get('feedTags')) first_fetch = params.get('first_fetch', '3 days ago') limit = int(params.get('max_fetch', 50)) metadata = argToBoolean(params.get('indicatorMetadata', False)) enrichment = argToBoolean(params.get('indicatorRelationships', False)) types = argToList(params.get('type')) demisto.debug(f'Command being called is {command}') try: client = MandiantClient(base_url=base_url, verify=verify_certificate, proxy=proxy, username=username, password=password, timeout=timeout, tags=feedTags, tlp_color=tlp_color, first_fetch=first_fetch, limit=limit, metadata=metadata, enrichment=enrichment, types=types) if command == 'test-module': result = test_module(client, args) return_results(result) elif command == 'feed-mandiant-get-indicators': return_results(fetch_indicators(client, args)) elif command == 'fetch-indicators': indicators = fetch_indicators(client) for b in batch(indicators, batch_size=2000): demisto.createIndicators(b) else: raise NotImplementedError(f'Command {command} is not implemented.') # Log exceptions and return errors except Exception as e: demisto.error(traceback.format_exc()) # print the traceback return_error( f'Failed to execute {demisto.command()} command.\nError:\n{str(e)}' )
def main(): """ PARSE AND VALIDATE INTEGRATION PARAMS """ params = demisto.params() use_ssl = not params.get('insecure', False) tags = argToList(params.get('feedTags')) tlp_color = params.get('tlp_color') command = demisto.command() demisto.info(f'Command being called is {command}') try: client = Client(use_ssl, tags, tlp_color) commands: Dict[str, Callable[[Client, Dict[str, str]], Tuple[str, Dict[Any, Any], Dict[Any, Any]]]] = { 'test-module': test_module, 'webex-get-indicators': get_indicators_command } if command in commands: return_outputs(*commands[command](client, demisto.args())) elif command == 'fetch-indicators': indicators = fetch_indicators_command(client) for iter_ in batch(indicators, batch_size=2000): demisto.createIndicators(iter_) else: raise NotImplementedError(f'Command {command} is not implemented.') except Exception as err: err_msg = f'Error in {INTEGRATION_NAME} Integration. [{err}]' return_error(err_msg)
def fetch_indicators_command(client, feed_type, src_val, src_type, default_type, last_fetch): """Implements fetch-indicators command""" last_fetch_timestamp = get_last_fetch_timestamp(last_fetch, client.time_method, client.fetch_time) now = datetime.now() ioc_lst: list = [] ioc_enrch_lst: list = [] if FEED_TYPE_GENERIC not in feed_type: # Insight is the name of the indicator object as it's saved into the database search = get_scan_insight_format(client, now, last_fetch_timestamp, feed_type) for hit in search.scan(): hit_lst, hit_enrch_lst = extract_indicators_from_insight_hit(hit) ioc_lst.extend(hit_lst) ioc_enrch_lst.extend(hit_enrch_lst) else: search = get_scan_generic_format(client, now, last_fetch_timestamp) for hit in search.scan(): ioc_lst.extend( extract_indicators_from_generic_hit(hit, src_val, src_type, default_type)) if ioc_lst: for b in batch(ioc_lst, batch_size=2000): demisto.createIndicators(b) if ioc_enrch_lst: ioc_enrch_batches = create_enrichment_batches(ioc_enrch_lst) for enrch_batch in ioc_enrch_batches: # ensure batch sizes don't exceed 2000 for b in batch(enrch_batch, batch_size=2000): demisto.createIndicators(b) demisto.setLastRun({'time': now.timestamp() * 1000})
def main(): params = {k: v for k, v in demisto.params().items() if v is not None} handle_proxy() client = Client(**params) command = demisto.command() demisto.info('Command being called is {}'.format(command)) # Switch case commands = { 'test-module': module_test_command, 'get-indicators': get_indicators_command } try: if demisto.command() == 'fetch-indicators': indicators = fetch_indicators_command(client, params.get('indicator_type')) # we submit the indicators in batches for b in batch(indicators, batch_size=2000): demisto.createIndicators(b) else: readable_output, outputs, raw_response = commands[command]( client, demisto.args()) return_outputs(readable_output, outputs, raw_response) except Exception as e: err_msg = f'Error in {SOURCE_NAME} Integration - Encountered an issue with createIndicators' if \ 'failed to create' in str(e) else f'Error in {SOURCE_NAME} Integration [{e}]' if command == 'fetch-indicators': raise Exception(err_msg) else: return_error(err_msg)
def main(): params = demisto.params() client = Client(api_key=params.get('api_key'), insecure=params.get('insecure'), proxy=params.get('proxy'), indicator_feeds=params.get('indicator_feeds'), custom_feed_urls=params.get('custom_feed_urls'), scope_type=params.get('scope_type'), sample_query=params.get('sample_query')) command = demisto.command() demisto.info(f'Command being called is {command}') # Switch case commands = { 'test-module': module_test_command, 'autofocus-get-indicators': get_indicators_command } try: if demisto.command() == 'fetch-indicators': indicators = fetch_indicators_command(client) # we submit the indicators in batches for b in batch(indicators, batch_size=2000): demisto.createIndicators(b) else: readable_output, outputs, raw_response = commands[command]( client, demisto.args()) # type: ignore return_outputs(readable_output, outputs, raw_response) except Exception as e: raise Exception(f'Error in {SOURCE_NAME} Integration [{e}]')
def main(): client = Client( demisto.getParam("api_access_id"), demisto.getParam("api_secret_key"), demisto.getParam("tc_api_path"), ) command = demisto.command() demisto.info(f'Command being called is {command}') commands = { 'test-module': module_test_command, f'{INTEGRATION_COMMAND_NAME}-get-indicators': get_indicators_command, f'{INTEGRATION_COMMAND_NAME}-get-owners': get_owners_command } try: if demisto.command() == 'fetch-indicators': indicators = fetch_indicators_command(client) for b in batch(indicators, batch_size=2000): demisto.createIndicators(b) else: readable_output, outputs, raw_response = commands[command](client) return_outputs(readable_output, outputs, raw_response) except Exception as e: return_error( f'Integration {INTEGRATION_NAME} Failed to execute {command} command. Error: {str(e)}' )
def main(): params = demisto.params() tags = argToList(params.get('feedTags')) tlp_color = params.get('tlp_color') client = Client(params.get('api_key'), params.get('collections'), params.get('insecure'), params.get('proxy'), params.get('all_collections'), tags=tags, tlp_color=tlp_color) command = demisto.command() demisto.info(f'Command being called is {command}') # Switch case commands = { 'test-module': module_test_command, 'alienvaultotx-get-indicators': get_indicators_command } try: if demisto.command() == 'fetch-indicators': indicators = fetch_indicators_command(client) # we submit the indicators in batches for b in batch(indicators, batch_size=2000): demisto.createIndicators(b) else: readable_output, outputs, raw_response = commands[command](client, demisto.args()) return_outputs(readable_output, outputs, raw_response) except Exception as e: raise Exception(f'Error in {SOURCE_NAME} Integration [{e}]')
def main(): # Write configure here params = {k: v for k, v in demisto.params().items() if v is not None} handle_proxy() client = TAXIIClient(**params) command = demisto.command() demisto.info('Command being called is {command}'.format(command=command)) # Switch case commands = { 'test-module': test_module, 'get-indicators': get_indicators_command } try: if demisto.command() == 'fetch-indicators': indicators = fetch_indicators_command(client) # we submit the indicators in batches for b in batch(indicators, batch_size=2000): demisto.createIndicators(b) demisto.setLastRun({'time': client.last_taxii_run}) else: readable_output, outputs, raw_response = commands[command]( client, demisto.args()) return_outputs(readable_output, outputs, raw_response) except Exception as e: err_msg = f'Error in {INTEGRATION_NAME} Integration [{e}]' raise Exception(err_msg)
def main(): """ main function, parses params and runs command functions """ params = demisto.params() # If your Client class inherits from BaseClient, SSL verification is # handled out of the box by it, just pass ``verify_certificate`` to # the Client constructor insecure = not params.get('insecure', False) # If your Client class inherits from BaseClient, system proxy is handled # out of the box by it, just pass ``proxy`` to the Client constructor proxy = params.get('proxy', False) command = demisto.command() args = demisto.args() demisto.debug(f'Command being called is {command}') try: client = Client(base_url='https://www.virustotal.com/api/v3/', verify=insecure, proxy=proxy, headers={ 'x-apikey': params['credentials']['password'], 'x-tool': 'CortexVirusTotalRetrohuntFeed', }) if command == 'test-module': # This is the call made when pressing the integration Test button. return_results(test_module(client, {})) elif command == 'vt-retrohunt-get-indicators': # This is the command that fetches a limited number of indicators # from the feed source and displays them in the war room. return_results(get_indicators_command(client, params, args)) elif command == "vt-retrohunt-reset-fetch-indicators": return_results(reset_last_job_id()) elif command == 'fetch-indicators': # This is the command that initiates a request to the feed endpoint # and create new indicators objects from the data fetched. If the # integration instance is configured to fetch indicators, then this # is the commandthat will be executed at the specified feed fetch # interval. indicators = fetch_indicators_command(client, params) for iter_ in batch(indicators, batch_size=2000): demisto.createIndicators(iter_) else: raise NotImplementedError(f'Command {command} is not implemented.') # Log exceptions and return errors except Exception as e: demisto.error(traceback.format_exc()) # Print the traceback return_error(f'Failed to execute {command} command.\nError:\n{str(e)}')
def fetch_indicators_command(client, params, manual_run=False): indicators_unparsed = list() indicators = list() now = datetime.utcnow() create_date = dateparser.parse(f"{client.history} days ago", settings={ 'RELATIVE_BASE': now}).strftime("%Y-%m-%dT%H:%M:%S.000+0000") object_fields = None if client.fields: object_fields = client.fields.split(",") else: object_fields = sorted([x['name'] for x in client.get_object_description()['fields']]) if "id" not in object_fields and "Id" not in object_fields: object_fields.append("id") if client.query_filter: search_criteria = f"{client.query_filter}" else: search_criteria = f"CreatedDate > {create_date}" indicators_raw = client.query_object(object_fields, client.object_name, search_criteria) if indicators_raw.get('totalSize', 0) > 0: for indicator in indicators_raw.get('records', []): indicators_unparsed.append({k: v for k, v in indicator.items() if k != 'attributes'}) more_records = True if indicators_raw.get('nextRecordsUrl', None) else False while more_records: next_records = "/".join(indicators_raw.get('nextRecordsUrl').split("/")[-2:]) indicators_raw = client.raw_query(next_records, raw_query=True) for indicator in indicators_raw.get('records', []): indicators_unparsed.append({k: v for k, v in indicator.items() if k != 'attributes'}) more_records = True if indicators_raw.get('nextRecordsUrl', None) else False for item in indicators_unparsed: try: value = item[client.key_field] if client.key_field in item else None if value: item['object_name'] = client.object_name indicator = { "value": value, "type": client.object_name, "rawJSON": item, "score": client.score } indicators.append(indicator) except Exception: pass if not manual_run: # We submit indicators in batches for b in batch(indicators, batch_size=2000): demisto.createIndicators(b) else: demisto.results({ "SFDC.Indicators": indicators, "Count": len(indicators) })
def main(): params = demisto.params() base_url = params.get("url", "https://api-feeds.cyren.com/v1/feed") api_token = params.get("apikey") feed_name = params.get("feed_name") feed_name = FEED_OPTION_TO_FEED.get(feed_name, "") max_indicators = int(params.get("max_indicators", MAX_API_COUNT)) if max_indicators > MAX_API_COUNT: demisto.info( f"using a maximum value for max_indicators of {MAX_API_COUNT} instead of {max_indicators}!" ) max_indicators = MAX_API_COUNT proxy = params.get("proxy", False) verify_certificate = not params.get("insecure", False) headers = dict(Authorization=f"Bearer {api_token}") demisto.info(f"using feed {feed_name}, max {max_indicators}") commands: Dict[str, Callable] = { "cyren-threat-indepth-get-indicators": get_indicators_command, } command = demisto.command() demisto.info(f"Command being called is {command}") error = None try: client = Client(feed_name=feed_name, base_url=base_url, verify=verify_certificate, headers=headers, proxy=proxy) if command == "fetch-indicators": indicators = fetch_indicators_command( client=client, initial_count=0, max_indicators=max_indicators, update_context=True) for b in batch(indicators, batch_size=2000): demisto.createIndicators(b) elif command == "test-module": return_outputs(test_module_command(client)) else: return_results(commands[command](client, demisto.args())) except InvalidAPITokenException: error = "Invalid API token!" except InvalidAPIUrlException: error = "Invalid API URL!" except Exception as e: demisto.error(traceback.format_exc()) error = f"Error failed to execute {command}, error: [{e}]" if error: return_error(error)
def main() -> None: """main function, parses params and runs command functions :return: :rtype: """ params = demisto.params() command = demisto.command() api_key = params.get("apikey") base_url = urljoin(params["url"], "/api") verify_certificate = not params.get("insecure", False) proxy = params.get("proxy", False) max_indicators_param = params.get('max_fetch') min_last_observed_param = params.get('min_last_observed') tlp_color = params.get('tlp_color') feed_tags = params.get('feedTags', '') try: client = Client( api_key=api_key, base_url=base_url, verify=verify_certificate, proxy=proxy ) client.authenticate() if command == "test-module": result = test_module(client, max_indicators_param, min_last_observed_param, tlp_color) return_results(result) elif command == "fetch-indicators": max_indicators = validate_max_indicators(max_indicators_param) if validate_max_indicators is None: raise ValueError("Invalid value for max indicators") min_last_observed = validate_min_last_observed(min_last_observed_param) if min_last_observed is None: raise ValueError("Invalid value for last observed day range") indicator_batch = [] for indicator in indicator_generator(client, tlp_color=tlp_color, feed_tags=feed_tags, max_indicators=max_indicators): indicator_batch.append(indicator) if len(indicator_batch) == 2000: demisto.createIndicators(indicator_batch) indicator_batch = [] if len(indicator_batch) != 0: demisto.createIndicators(indicator_batch) elif command == "feedexpanse-get-indicators": return_results(get_indicators_command(client, demisto.args(), tlp_color=tlp_color, feed_tags=feed_tags)) else: raise NotImplementedError(f'Command {command} is not implemented.') # Log exceptions and return errors except Exception as e: return_error( f"Failed to execute {command} command.\nError:\n{str(e)}" )
def fetch_indicators_command(): search, now = get_indicators_search_scan() ioc_lst: list = [] for hit in search.scan(): ioc_lst.extend(extract_indicators_from_insight_hit(hit)) if ioc_lst: for b in batch(ioc_lst, batch_size=2000): demisto.createIndicators(b) demisto.setLastRun({'time': now})
def main(): """ PARSE AND VALIDATE INTEGRATION PARAMS """ params = demisto.params() username = params.get('credentials').get('identifier') password = params.get('credentials').get('password') proxy = params.get('proxy', False) verify_certificate = not params.get('insecure', False) base_url = str(params.get("url")) indicator_collections = params.get('indicator_collections', []) indicators_first_fetch = params.get('indicators_first_fetch', '3 days').strip() requests_count = int(params.get('requests_count', 2)) args = demisto.args() command = demisto.command() LOG(f'Command being called is {command}') try: client = Client(base_url=base_url, verify=verify_certificate, auth=(username, password), proxy=proxy, headers={"Accept": "*/*"}) commands = {'gibtia-get-indicators': get_indicators_command} if command == 'test-module': # This is the call made when pressing the integration Test button. result = test_module(client) demisto.results(result) elif command == 'fetch-indicators': # Set and define the fetch incidents command to run after activated via integration settings. common_fields = { 'trafficlightprotocol': params.get("tlp_color"), 'tags': argToList(params.get("feedTags")), } next_run, indicators = fetch_indicators_command( client=client, last_run=get_integration_context(), first_fetch_time=indicators_first_fetch, indicator_collections=indicator_collections, requests_count=requests_count, common_fields=common_fields) set_integration_context(next_run) for b in batch(indicators, batch_size=2000): demisto.createIndicators(b) else: return_results(commands[command](client, args)) # Log exceptions except Exception as e: return_error( f'Failed to execute {demisto.command()} command. Error: {str(e)}')