def test_clean_no_exceptions():
helper.clean({
"one": [1, None, "", {
"two": None
}, {
"three": 3
}],
"four": 4
})
def search_threats(self, identifiers):
threats = self._call_api(
"GET", f"{self.url}/threats/v2?page=1&page_size=100",
"threat:list").get("page_items")
matching_threats = []
for identifier in identifiers:
if match('^[a-fA-F\d]{32}$', identifier):
for threat in threats:
if identifier.upper() == threat.get('md5'):
matching_threats.append(threat)
elif match('^[A-Fa-f0-9]{64}$', identifier):
for threat in threats:
if identifier.upper() == threat.get('sha256'):
matching_threats.append(threat)
else:
for threat in threats:
if identifier.upper() == threat.get('name').upper():
matching_threats.append(threat)
if len(matching_threats) == 0:
raise PluginException(
cause="Threat not found.",
assistance=
f"Unable to find any threats using identifier provided: {identifier}."
)
return clean(matching_threats)
def send_request(self, method: str, path: str, params: dict = None, payload: dict = None) -> dict:
try:
response = self.session.request(
method.upper(),
"https://api.pagerduty.com" + path,
params=params,
json=payload,
headers=self.headers,
)
if response.status_code == 401:
raise PluginException(preset=PluginException.Preset.USERNAME_PASSWORD, data=response.text)
if response.status_code == 403:
raise PluginException(preset=PluginException.Preset.API_KEY, data=response.text)
if response.status_code == 404:
raise PluginException(preset=PluginException.Preset.NOT_FOUND, data=response.text)
if 400 <= response.status_code < 500:
raise PluginException(
preset=PluginException.Preset.UNKNOWN,
data=response.text,
)
if response.status_code >= 500:
raise PluginException(preset=PluginException.Preset.SERVER_ERROR, data=response.text)
if 200 <= response.status_code < 300:
return clean(json.loads(response.content))
raise PluginException(preset=PluginException.Preset.UNKNOWN, data=response.text)
except json.decoder.JSONDecodeError as e:
raise PluginException(preset=PluginException.Preset.INVALID_JSON, data=e)
except requests.exceptions.HTTPError as e:
raise PluginException(preset=PluginException.Preset.UNKNOWN, data=e)
def get_agent_details(self, agent):
devices = [{}]
if len(agent) == 36 and match(
r"((?:[[\da-fA-F]{8}-([\da-fA-F]{4}-){3}[\da-fA-F]{12}))",
agent):
devices = [
self._call_api("GET", f"{self.url}/devices/v2/{agent}",
"device:read")
]
elif match(r"((?:[\da-fA-F]{2}[:\-]){5}[\da-fA-F]{2})", agent):
ret = self._call_api("GET",
f"{self.url}/devices/v2/macaddress/{agent}",
"device:read")
if len(ret) > 0:
devices = ret
else:
ret = self._call_api("GET",
f"{self.url}/devices/v2/hostname/{agent}",
"device:read")
if len(ret) > 0:
devices = ret
if len(devices) > 1:
self.logger.info(
f"Multiple agents found that matched the query: {devices}. We will act upon the first match."
)
return clean(devices[0])
def run(self, params={}):
alert_id = params.get(Input.ALERT_ID)
try:
alert = clean(self.connection.client.alerts.get(alert_id))
except (ThreatStackAPIError, ThreatStackClientError,
APIRateLimitError) as e:
raise PluginException(cause="An error occurred!", assistance=e)
return {Output.ALERT: alert}
def test_clean_not_equal_list_successful():
sample = ["one", {"two": "", "three": None}, {"four": 4}, None]
assert sample != helper.clean(
["one", {
"two": "",
"three": None
}, {
"four": 4
}, None])
def run(self, params={}):
alert_id = params.get(Input.ALERT_ID)
try:
events = self.connection.client.alerts.events(alert_id=alert_id).get("events", [])
except (ThreatStackAPIError, ThreatStackClientError, APIRateLimitError) as e:
raise PluginException(cause="An error occurred!", assistance=e)
events = clean([self._add_miscellaneous_values(event=event) for event in events])
return {Output.EVENTS: events, Output.COUNT: len(events)}
def test_clean_not_equal_dict_successful():
sample = {"one": [1, None, "", {"two": None}, {"three": 3}], "four": 4}
assert sample != helper.clean({
"one": [1, None, "", {
"two": None
}, {
"three": 3
}],
"four":
4
})
def run(self, params={}):
start = params.get(Input.START)
end = params.get(Input.END)
try:
alerts = clean([alert for alert in self.connection.client.alerts.list(start=start, end=end)])
except (ThreatStackAPIError, ThreatStackClientError, APIRateLimitError) as e:
raise PluginException(cause="An error occurred!",
assistance=e)
return {Output.ALERTS: alerts, Output.COUNT: len(alerts)}
def run(self, params={}):
start, end = params.get(Input.START), params.get(Input.END)
try:
agents = self.connection.client.agents.list(start=start, end=end)
except (ThreatStackAPIError, ThreatStackClientError,
APIRateLimitError) as e:
raise PluginException(cause="An error occurred!", assistance=e)
# Consume the generator
agents = [clean(agent) for agent in agents]
return {Output.AGENTS: agents, Output.COUNT: len(agents)}
def send_request(self,
method: str,
path: str,
params: dict = None,
payload: dict = None) -> dict:
if payload:
payload["apiKey"] = self.api_key
try:
response = requests.request(
method.upper(),
urljoin(self.url, path),
params=params,
json=payload,
headers=self.headers,
)
if response.status_code == 401:
raise PluginException(
preset=PluginException.Preset.USERNAME_PASSWORD,
data=response.text)
if response.status_code == 403:
raise PluginException(preset=PluginException.Preset.API_KEY,
data=response.text)
if response.status_code == 404:
raise PluginException(preset=PluginException.Preset.NOT_FOUND,
data=response.text)
if 400 <= response.status_code < 500:
raise PluginException(
preset=PluginException.Preset.UNKNOWN,
data=response.text,
)
if response.status_code >= 500:
raise PluginException(
preset=PluginException.Preset.SERVER_ERROR,
data=response.text)
if 200 <= response.status_code < 300:
error_message = response.json().get("errorMessage")
if error_message:
raise PluginException(
cause="CheckPhish API Returned as error message.",
assistance=f"The error message is: {error_message}",
)
return clean(json.loads(response.content))
raise PluginException(preset=PluginException.Preset.UNKNOWN,
data=response.text)
except json.decoder.JSONDecodeError as e:
raise PluginException(preset=PluginException.Preset.INVALID_JSON,
data=e)
except requests.exceptions.HTTPError as e:
raise PluginException(preset=PluginException.Preset.UNKNOWN,
data=e)
def run(self, params={}):
rule_id, ruleset_id = params.get(Input.RULE_ID), params.get(
Input.RULESET_ID)
try:
rule = clean(
self.connection.client.rulesets.rules(ruleset_id=ruleset_id,
rule_id=rule_id))
except (ThreatStackAPIError, ThreatStackClientError,
APIRateLimitError) as e:
raise PluginException(cause="An error occurred!", assistance=e)
return {Output.RULE: rule}
def run(self, params={}):
query = params.get(Input.AGENT)
is_mac = self._is_search_mac_address(query=query)
try:
if is_mac:
match: Optional[Agent] = self.connection.api_client.get_computer(mac_address=query)
else: # hostname
match: Optional[Agent] = self.connection.api_client.get_computer(computer_name=query)
if not match:
return {}
return {Output.AGENT: clean(match)}
except APIException as e:
raise PluginException(cause="An error occurred while attempting to get agent details!",
assistance=e.message)
def test_clean_equal_list_successful():
sample = ["one", {"two": "", "three": None}, {"four": 4}, None]
assert ["one", {}, {"four": 4}] == helper.clean(sample)
def post_service_request(self, payload: dict) -> dict:
return clean(
self._call_api("POST",
"odata/businessobject/servicereqs",
json_data=payload))
def model_breaches(self, params):
return self._call_api("GET", "modelbreaches", params=clean(params))
def run(self, params={}):
result = self.connection.mcafee_atd_api.list_analyzer_profiles()
return {
Output.PROFILER_RESULTS: helper.clean(result.get("results", [])),
Output.SUCCESS: result.get("success", False),
}
def post_incident(self, payload: dict) -> dict:
return clean(
self._call_api("POST",
"odata/businessobject/incidents",
json_data=payload))
def post_journal_note(self, payload: dict) -> dict:
return clean(
self._call_api("POST",
"odata/businessobject/journal__Notess",
json_data=payload))
def update_incident(self, incident_number: str, payload: dict) -> dict:
return clean(
self._call_api(
"PUT",
f"odata/businessobject/incidents('{incident_number}')",
json_data=payload))
