def get_vulnerabilities_by_asset_command():
hostname, ip, date_range = demisto.getArg('hostname'), demisto.getArg(
'ip'), demisto.getArg('dateRange')
params, indicator = args_to_request_params(hostname, ip, date_range)
asset_id = get_asset_id(params)
if not asset_id:
return 'No Vulnerabilities for asset {}'.format(indicator)
info = send_asset_vuln_request(asset_id, date_range)
if 'error' in info:
return_error(info['error'])
vulns = convert_severity_values(
replace_keys(info['vulnerabilities'], ASSET_VULNS_NAMES_MAP))
if vulns:
entry = get_entry_for_object(
'Vulnerabilities for asset {}'.format(indicator),
'TenableIO.Vulnerabilities', vulns, ASSET_VULNS_HEADERS)
entry['EntryContext'][
'TenableIO.Assets(val.Hostname === obj.Hostname)'] = {
'Vulnerabilities':
map(lambda x: x['plugin_id'], info['vulnerabilities']),
'Hostname':
indicator
}
return entry
def assign_alert():
"""
Assign alert to an Assignee ID
"""
alert_id = demisto.getArg('alert-id')
assignee_email = demisto.getArg('assignee-email')
is_mssp = demisto.getArg('is-mssp-optional')
assignee_id = get_assignee_id(assignee_email)
assign_details = {'ID': alert_id, 'Assignees.AssigneeID': assignee_id}
url = 'public/v1/data/alerts/assign-alert/' + alert_id
if is_mssp:
url += '?IsMssp=' + is_mssp
req('PATCH', url, json_data={'AssigneeID': assignee_id})
demisto.results({
'Type':
entryTypes['note'],
'EntryContext': {
'IntSights.Alerts(val.ID === obj.ID)': assign_details
},
'Contents':
assign_details,
'HumanReadable':
tableToMarkdown(
'IntSights Assign Alert: The Alert has been successfully assigned to assigneeID',
[assign_details], ['ID', 'Assignees.AssigneeID']),
'ContentsFormat':
formats['json']
})
def main():
# Following methods raise exceptions so no need to check for return codes
# But we do need to catch them
global SERVER
FROM = demisto.getParam('from')
FQDN = demisto.params().get('fqdn')
FQDN = (FQDN and FQDN.strip()) or None
stderr_org = None
try:
if demisto.command() == 'test-module':
stderr_org = swap_stderr(LOG)
smtplib.SMTP.debuglevel = 1
SERVER = SMTP(demisto.getParam('host'), int(demisto.params().get('port', 0)), local_hostname=FQDN)
SERVER.ehlo()
# TODO - support for non-valid certs
if demisto.getParam('tls'):
SERVER.starttls()
user, password = get_user_pass()
if user:
SERVER.login(user, password)
except Exception as e:
# also reset at the bottom finally
swap_stderr(stderr_org) # type: ignore
smtplib.SMTP.debuglevel = 0
demisto.error('Failed test: {}\nStack trace: {}'.format(e, traceback.format_exc()))
return_error_mail_sender(e)
return # so mypy knows that we don't continue after this
# -- COMMANDS --
try:
if demisto.command() == 'test-module':
msg = MIMEText('This is a test mail from Demisto\nRegards\nDBot') # type: Message
msg['Subject'] = 'Test mail from Demisto'
msg['From'] = FROM
msg['To'] = FROM
SERVER.sendmail(FROM, [FROM], msg.as_string())
SERVER.quit()
demisto.results('ok')
elif demisto.command() == 'send-mail':
raw_message = demisto.getArg('raw_message')
if raw_message:
to = argToList(demisto.getArg('to'))
cc = argToList(demisto.getArg('cc'))
bcc = argToList(demisto.getArg('bcc'))
str_msg = raw_message
else:
(str_msg, to, cc, bcc) = create_msg()
SERVER.sendmail(FROM, to + cc + bcc, str_msg) # type: ignore
SERVER.quit() # type: ignore
demisto.results('Mail sent successfully')
else:
return_error_mail_sender('Command not recognized')
except SMTPRecipientsRefused as e:
error_msg = ''.join('{}\n'.format(val) for key, val in e.recipients.iteritems())
return_error_mail_sender("Encountered error: {}".format(error_msg))
except Exception as e:
return_error_mail_sender(e)
finally:
swap_stderr(stderr_org) # type: ignore
smtplib.SMTP.debuglevel = 0
def search_entities():
"""
Search entities using the available filters
"""
q = _add_time_to_q('*')
q = _add_list_to_q(q, {'asset_type': 'entity-type'})
query = QUERY.copy()
query['q'] = q
query['offset'] = demisto.getArg('offset')
query['limit'] = demisto.getArg('limit')
query['sort_by'] = demisto.getArg('sort')
resp_json = req('GET', 'search/assets', query)
entities = []
for entity in resp_json['objects']:
readable = entity_to_readable(entity)
readable['IpAddress'] = entity.get('ip')
entities.append(readable)
ec = {'Jask.Entity(val.Id === obj.Id)': entities}
demisto.results({
'Type':
entryTypes['note'],
'ContentsFormat':
formats['json'],
'Contents':
resp_json,
'EntryContext':
ec,
'HumanReadable':
tableToMarkdown('Entities', entities, [
'Id', 'Name', 'FirstSeen', 'LastSeen', 'Source', 'EntityType',
'PrimaryEntityType', 'Hostname', 'RiskScore', 'IsWhitelisted',
'Groups', 'IpAddress'
])
})
def close_alert():
"""
Close an alert
"""
alert_id = demisto.getArg('alert-id')
reason = demisto.getArg('reason')
free_text = demisto.getArg('free-text')
is_hidden = demisto.getArg('is-hidden')
rate = demisto.getArg('rate')
close_details = {'ID': alert_id, 'Close Reason': reason, 'Closed FreeText': free_text, 'Closed Rate': rate,
'IsHidden': is_hidden}
close_details_context = {'ID': alert_id, 'Closed': {'Reason': reason, 'FreeText': free_text, 'Rate': rate},
'IsHidden': is_hidden}
url = 'public/v1/data/alerts/close-alert/' + alert_id
json_data = {'Reason': reason}
if free_text:
json_data['FreeText'] = free_text
if free_text:
json_data['IsHidden'] = is_hidden
if free_text:
json_data['Rate'] = rate
req('PATCH', url, json_data)
demisto.results({
'Type': entryTypes['note'],
'EntryContext': {'IntSights.Alerts(val.ID === obj.ID)': close_details},
'Contents': close_details_context,
'HumanReadable': tableToMarkdown('IntSights Close Alert: The Alert has successfully been closed.',
[close_details],
['ID', 'Close Reason', 'Closed FreeText', 'Closed Rate', 'IsHidden']),
'ContentsFormat': formats['json']
})
def get_scans_command():
folder_id, last_modification_date = demisto.getArg(
'folderId'), demisto.getArg('lastModificationDate')
if last_modification_date:
last_modification_date = int(
time.mktime(
datetime.strptime(last_modification_date[0:len('YYYY-MM-DD')],
"%Y-%m-%d").timetuple()))
response = send_scan_request(folder_id=folder_id,
last_modification_date=last_modification_date)
scan_entries = map(get_scan_info, response['scans'])
valid_scans = filter(lambda x: x is not None, scan_entries)
invalid_scans = [
k for k, v in zip(response['scans'], scan_entries) if v is None
]
res = [
get_entry_for_object('Tenable.io - List of Scans',
'TenableIO.Scan(val.Id && val.Id === obj.Id)',
replace_keys(valid_scans), GET_SCANS_HEADERS)
]
if invalid_scans:
res.append(
get_entry_for_object(
'Inactive Web Applications Scans - Renew WAS license to use these scans',
'TenableIO.Scan(val.Id && val.Id === obj.Id)',
replace_keys(invalid_scans),
GET_SCANS_HEADERS,
remove_null=True))
return res
def reopen_alerts():
"""
Reopen the given list of alerts based on given filter
"""
ids = argToList(demisto.getArg('alert-id'))
policies = argToList(demisto.getArg('policy-id'))
payload = {'alerts': ids, 'policies': policies, 'filter': {}}
demisto.args().pop('alert-id', None)
handle_filters(payload['filter'])
handle_time_filter(payload['filter'], {'type': 'to_now', 'value': 'epoch'})
if not ids and not policies:
return_error(
'You must specify either alert-id or policy-id for re-opening alerts'
)
r = req('POST', 'alert/reopen', payload, None)
ec = {}
if ids:
ec['Redlock.ReopenedAlert.ID'] = ids
demisto.results({
'Type': entryTypes['note'],
'ContentsFormat': formats['json'],
'Contents': r,
'EntryContext': ec,
'HumanReadable': '### Alerts re-opened successfully.'
})
def ask_analyst():
"""
Send question to an analyst about the requested alert
"""
alert_id = demisto.getArg('alert-id')
question = demisto.getArg('question')
req('POST',
'public/v1/data/alerts/ask-the-analyst/' + alert_id,
json_data={'Question': question})
question_details = {'ID': alert_id, 'Question': question}
demisto.results({
'Type':
entryTypes['note'],
'EntryContext': {
'IntSights.Alerts(val.ID === obj.ID)': question_details
},
'Contents':
question_details,
'HumanReadable':
tableToMarkdown(
'IntSights Ask the Analyst: Your question has been successfully sent to an analyst about the requested alert',
[question_details], ['ID', 'Question']),
'ContentsFormat':
formats['json']
})
def change_severity():
"""
Change severity of an alert
"""
alert_id = demisto.getArg('alert-id')
severity = demisto.getArg('severity')
req('PATCH',
'public/v1/data/alerts/change-severity/' + alert_id,
json_data={'Severity': severity})
severity_details = {'ID': alert_id, 'Severity': severity}
demisto.results({
'Type':
entryTypes['note'],
'EntryContext': {
'IntSights.Alerts(val.ID === obj.ID)': severity_details
},
'Contents':
severity_details,
'HumanReadable':
tableToMarkdown(
'IntSights Update Alert Severity: The Alert severity has been successfully updated.',
[severity_details], ['ID', 'Severity']),
'ContentsFormat':
formats['json']
})
def get_response_policies_command():
start = demisto.getArg('start')
count = demisto.getArg('count')
raw_response_policies = get_response_policies(start, count)
response_policies, hr = create_response_policies_result(
raw_response_policies)
return_outputs(hr, response_policies, raw_response_policies)
def handle_filters(foundDateFrom=None):
"""
Apply filters to alert list
"""
argsConversion = {
'alert-type': 'alertType',
'source-type': 'sourceType',
'network-type': 'networkType',
'source-date-from': 'sourceDateFrom',
'source-date-to': 'sourceDateTo',
'found-date-from': 'foundDateFrom',
'found-date-to': 'foundDateTo',
'is-flagged': 'isFlagged',
'is-closed': 'isClosed',
'source-ID': 'sourceId',
'first-seen-from': 'firstSeenFrom',
'first-seen-to': 'firstSeenTo',
'last-seen-from': 'lastSeenFrom',
'last-seen-to': 'lastSeenTo',
'value': 'iocValue',
}
params = {}
for k in demisto.args():
if demisto.getArg(k):
params[argsConversion.get(k) or k] = demisto.getArg(k)
if demisto.getArg('time-delta'):
time_delta_in_days = demisto.getArg('time-delta')
update_params_dict_according_to_delta_arg(params,
int(time_delta_in_days))
elif foundDateFrom:
params['foundDateFrom'] = foundDateFrom
return params
def get_report_by_id_command(triage_instance) -> None:
report_id = int(demisto.getArg('report_id')) # type: int
verbose = demisto.getArg('verbose') == "true"
report = TriageReport.fetch(triage_instance, report_id)
if not report:
raise TriageRequestEmptyResponse(report_id, "Report")
if verbose:
report_attrs = report.attrs
else:
report_attrs = report.terse_attrs
if report.attachment:
demisto.results({
**report.attachment,
**{
"HumanReadable":
"### Cofense HTML Report:\nHTML report download request has been completed"
},
})
del report_attrs["report_body"]
hr = tableToMarkdown("Report Summary:",
report_attrs,
headerTransform=split_snake,
removeNull=True)
ec = {
"Cofense.Report(val.ID && val.ID == obj.ID)":
snake_to_camel_keys([report_attrs])
}
return_outputs(readable_output=hr,
outputs=ec,
raw_response=report.to_json())
def get_report_command():
scan_id, info, detailed = demisto.getArg('scanId'), demisto.getArg('info'), demisto.getArg('detailed')
results = []
scan_details = send_scan_request(scan_id)
if info == 'yes':
scan_details['info']['id'] = scan_id
scan_details['info'] = replace_keys(scan_details['info'])
results.append(
get_entry_for_object('Scan basic info', 'TenableIO.Scan(val.Id && val.Id === obj.Id)', scan_details['info'],
SCAN_REPORT_INFO_HEADERS))
if 'vulnerabilities' not in scan_details:
return "No vulnerabilities found."
vuln_info, vulns_not_found = get_vuln_info(scan_details['vulnerabilities'])
vuln_info = convert_severity_values(replace_keys(vuln_info))
results.append(get_entry_for_object('Vulnerabilities', 'TenableIO.Vulnerabilities', vuln_info,
SCAN_REPORT_VULNERABILITIES_HEADERS))
if len(vulns_not_found) > 0:
vulns_not_found = replace_keys(vulns_not_found)
results.append(get_entry_for_object('Vulnerabilities - Missing From Workbench', 'TenableIO.Vulnerabilities',
vulns_not_found, SCAN_REPORT_VULNERABILITIES_HEADERS, True))
if detailed == 'yes':
assets = replace_keys(scan_details['hosts'] + scan_details['comphosts'])
results.append(get_entry_for_object('Assets', 'TenableIO.Assets', assets, SCAN_REPORT_HOSTS_HEADERS))
if 'remediations' in scan_details and 'remediations' in scan_details['remediations'] and len(
scan_details['remediations']['remediations']) > 0:
remediations = replace_keys(scan_details['remediations']['remediations'], REMEDIATIONS_NAMES_MAP)
results.append(get_entry_for_object('Remediations', 'TenableIO.Remediations', remediations,
SCAN_REPORT_REMEDIATIONS_HEADERS))
return results
def handle_filters(payload):
"""
Add filters to the filter object based on received arguments
"""
argsConversion = {
'alert-status': 'alert.status',
'policy-name': 'policy.name',
'policy-label': 'policy.label',
'policy-compliance-standard': 'policy.complianceStandard',
'cloud-account': 'cloud.account',
'cloud-region': 'cloud.region',
'alert-rule-name': 'alertRule.name',
'resource-id': 'resource.id',
'resource-name': 'resource.name',
'resource-type': 'resource.type',
'alert-id': 'alert.id',
'cloud-type': 'cloud.type',
'risk-grade': 'risk.grade',
'policy-type': 'policy.type',
'policy-severity': 'policy.severity'
}
payload['filters'] = []
for k in demisto.args():
if k in ('policy-name', 'policy-label', 'policy-compliance-standard',
'cloud-account', 'cloud-region', 'alert-rule-name',
'resource-id', 'resource-name', 'resource-type',
'alert-status', 'alert-id', 'cloud-type', 'risk-grade',
'policy-type', 'policy-severity') and demisto.getArg(k):
payload['filters'].append({
'name': argsConversion[k],
'operator': '=',
'value': demisto.getArg(k)
})
def expression_search_command():
expression_search = ExpressionSearch(host=TICLOUD_URL,
username=USERNAME,
password=PASSWORD)
query = demisto.getArg("query")
date = demisto.getArg("date")
limit = demisto.getArg("result_limit")
query_list = query.split(" ")
try:
result_list = expression_search.search_aggregated(
query=query_list, date=date, max_results=int(limit))
except Exception as e:
return_error(str(e))
results = CommandResults(
outputs_prefix='ReversingLabs',
outputs={'expression_search': result_list},
readable_output="Full report is returned in a downloadable file")
file_results = fileResult('Expression Search report file',
json.dumps(result_list, indent=4),
file_type=EntryType.ENTRY_INFO_FILE)
return_results([results, file_results])
def rasterize_email_request(html, friendly_name):
global RETURN_CODE, ERROR_MESSAGE
with open('htmlBody.html', 'w') as f:
f.write('<html style="background:white";>' + html + '</html>')
proxy_flag = "--proxy={}".format(HTTP_PROXY) if PROXY else ""
demisto.debug('rasterize proxy settings: {}'.format(proxy_flag))
command = [
'phantomjs', proxy_flag, '/usr/local/bin/rasterize.js',
'htmlBody.html', friendly_name
]
if demisto.getArg('width') and demisto.getArg('height'):
command.append(
demisto.getArg('width') + '*' + demisto.getArg('height'))
try:
demisto.debug(
subprocess.check_output(command,
stderr=subprocess.STDOUT)) # type: ignore
except Exception as e:
RETURN_CODE = -1
ERROR_MESSAGE = str(
e
) + '\nYou can choose to receive this errors as warnings in the instance settings'
def main():
try:
date = demisto.getArg('date')
date_format = demisto.getArg('date_format')
time_zone = demisto.getArg('timezone')
time_zone = pytz.timezone(time_zone)
# Initialize datetime
date = datetime.strptime(date, date_format)
# Convert to timezone aware date
localized_date = time_zone.localize(date)
# Convert to UTC timezone
utc_converted_date = localized_date.astimezone(pytz.timezone("UTC"))
epoch_time = utc_converted_date.strftime('%s')
# Initialize entry context to return
entry_context = {
'UTCDate': utc_converted_date.strftime(date_format),
'UTCDateEpoch': epoch_time,
}
return_results({
'Contents': json.dumps(entry_context),
'ContentsFormat': formats['json'],
'EntryContext': entry_context,
})
except Exception as exc:
demisto.error(traceback.format_exc()) # print the traceback
return_error(f'Failed to execute ConvertDateToUTC. Error: {str(exc)}')
def search_signals():
"""
Search signals using available filters
"""
q = _add_time_to_q('*')
q = _add_list_to_q(q, {'source_type': 'source', 'category': 'category'})
query = QUERY.copy()
query['q'] = q
query['offset'] = demisto.getArg('offset')
query['limit'] = demisto.getArg('limit')
query['sort_by'] = demisto.getArg('sort')
resp_json = req('GET', 'search/signals', query)
signals = [signal_to_readable(signal) for signal in resp_json['objects']]
ec = {'Jask.Signal(val.Id === object.Id)': signals}
demisto.results({
'Type':
entryTypes['note'],
'ContentsFormat':
formats['json'],
'Contents':
resp_json,
'EntryContext':
ec,
'HumanReadable':
tableToMarkdown('Signals', signals, [
'Id', 'Name', 'Category', 'Description', 'Score', 'SourceType',
'Timestamp', 'ThreatIndicators'
])
})
def sandbox_report_command():
md5 = demisto.getArg('md5')
details = demisto.getArg('details')
res = sandbox_report(md5, details)
report = 'Full Details' if details == 'full' else 'Summary'
ctype = demisto.get(res, '{}.Classification.Type'.format(report))
dbot_score = 3 if ctype == "MALICIOUS" else 2 if ctype == "SUSPICIOUS" else 1 if ctype == "BENIGN" else 0
ec = {
outputPaths['dbotscore']: {
'Indicator': md5,
'Type': 'file',
'Vendor': 'Zscaler',
'Score': dbot_score
}
}
human_readable_report = ec['DBotScore'].copy()
human_readable_report["Detected Malware"] = str(
demisto.get(res, '{}.Classification.DetectedMalware'.format(report)))
human_readable_report["Zscaler Score"] = demisto.get(
res, '{}.Classification.Score'.format(report))
human_readable_report["Category"] = demisto.get(
res, '{}.Classification.Category'.format(report))
ec[outputPaths['file']] = {
'MD5': md5,
'Zscaler': {
'DetectedMalware':
demisto.get(res,
'{}.Classification.DetectedMalware'.format(report)),
'FileType':
demisto.get(res, '{}.File Properties.File Type'.format(report)),
}
}
if dbot_score == 3:
ec[outputPaths['file']]['Malicious'] = {
'Vendor':
'Zscaler',
'Description':
'Classified as Malicious, with threat score: ' +
str(human_readable_report["Zscaler Score"])
}
demisto.results({
'Type':
entryTypes['note'],
'Contents':
res,
'ContentsFormat':
formats['json'],
'ReadableContentsFormat':
formats['markdown'],
'HumanReadable':
tableToMarkdown('Full Sandbox Report',
human_readable_report,
removeNull=True),
'EntryContext':
ec
})
def get_attachment_command(triage_instance) -> None:
attachment_id = str(demisto.getArg('attachment_id')) # type: str
file_name = demisto.getArg('file_name') or attachment_id # type: str
res = triage_instance.request(f'attachment/{attachment_id}', raw_response=True)
result = fileResult(file_name, res.content)
demisto.results(result)
def get_vulnerability_details_command():
plugin_id, date_range = demisto.getArg('vulnerabilityId'), demisto.getArg('dateRange')
info = send_vuln_details_request(plugin_id, date_range)
if 'error' in info:
return_error(info['error'])
return get_entry_for_object('Vulnerability details - {}'.format(plugin_id), 'TenableIO.Vulnerabilities',
convert_severity_values(replace_keys(flatten(info['info']))),
VULNERABILITY_DETAILS_HEADERS)
def set_alert_status_command():
alert_id = demisto.getArg('alert_id')
status = demisto.getArg('status')
comments = demisto.getArg('comments')
share_irondome_arg = demisto.getArg('share_comment_with_irondome')
share_irondome = True if share_irondome_arg.lower() == 'true' else False
results = IRON_DEFENSE.set_alert_status(alert_id, status=status, comments=comments,
share_irondome=share_irondome)
demisto.results(results)
def handle_filters():
"""
Handle filters associated with samples
"""
params = {'api_key': API_KEY}
for k in demisto.args():
if demisto.getArg(k):
params[k] = demisto.getArg(k)
return params
def add_comment_to_alert_command():
alert_id = demisto.getArg('alert_id')
comment = demisto.getArg('comment')
share_irondome_arg = demisto.getArg('share_comment_with_irondome')
share_irondome = True if share_irondome_arg.lower() == 'true' else False
results = IRON_DEFENSE.add_comment_to_alert(alert_id,
comment=comment,
share_irondome=share_irondome)
demisto.results(results)
def download():
share, path = split_path(demisto.getArg('file_path'))
with tempfile.NamedTemporaryFile() as file_obj:
file_attributes, filesize = conn.retrieveFile(share, path, file_obj)
file_obj.seek(0)
filename = path.split('/')[-1] if '/' in path else path.split('\\')[-1]
if demisto.getArg('download_and_attach') == "yes":
demisto.results(fileResult(filename, file_obj.read()))
else:
demisto.results(file_obj.read())
def exabeam_lockouts():
""" Return lockouts """
res = http_request(
'GET', URL_UBA + 'lockouts/accountLockouts', {
'numberOfResults': demisto.getArg('number-of-results'),
'unit': demisto.getArg('unit'),
'num': demisto.getArg('num')
})
if res.get('lockouts'):
lockouts = [{
'Name':
demisto.get(l, 'user.info.fullName'),
'Username':
demisto.get(l, 'user.username'),
'Email':
demisto.get(l, 'user.info.email'),
'Department':
demisto.get(l, 'user.info.department'),
'DN':
demisto.get(l, 'user.info.dn'),
'Title':
demisto.get(l, 'user.info.title'),
'RiskScore':
demisto.get(l, 'user.riskScore'),
'Executive':
demisto.get(l, 'isUserExecutive'),
'LockoutTime':
convert_unix_to_date(demisto.get(l, 'firstLockoutEvent.time')),
'Host':
demisto.get(l, 'firstLockoutEvent.host'),
'LockoutRisk':
demisto.get(l, 'lockoutInfo.riskScore'),
'LoginHost':
demisto.get(l, 'lockoutInfo.loginHost')
} for l in res['lockouts']]
demisto.results({
'Type':
entryTypes['note'],
'ContentsFormat':
formats['json'],
'Contents':
res,
'HumanReadable':
tableToMarkdown('Lockouts', lockouts, [
'User', 'Username', 'Email', 'Department', 'DN', 'Title',
'RiskScore', 'Executive', 'LockoutTime', 'Host', 'LockoutRisk',
'LoginHost'
]),
'EntryContext': {
'Exabeam.Lockout': res['lockouts']
}
})
else:
demisto.results('No lockouts found in the requested period')
def move_client_to_group_command(token):
group_id = demisto.getArg('groupID')
hardware_key = demisto.getArg('hardwareKey')
response, message = move_client_to_group(token, group_id, hardware_key)
demisto.results({
'Type': entryTypes['note'],
'ContentsFormat': formats['text'],
'Contents': response,
'HumanReadable': message,
'IgnoreAutoExtract': True,
})
def update_analyst_ratings_command():
alert_id = demisto.getArg('alert_id')
severity = demisto.getArg('severity')
expectation = demisto.getArg('expectation')
comments = demisto.getArg('comments')
share_irondome_arg = demisto.getArg('share_comment_with_irondome')
share_irondome = True if share_irondome_arg.lower() == 'true' else False
results = IRON_DEFENSE.update_analyst_ratings(alert_id, severity=severity, expectation=expectation,
comments=comments,
share_irondome=share_irondome)
demisto.results(results)
def apply_search_filters():
"""
Helper for applying search filters
"""
params = {'api_key': API_KEY}
for k in demisto.args():
if demisto.getArg(k):
params['term'] = k
params['query'] = demisto.getArg(k)
break
return params
def create_issue_command():
url = 'rest/api/latest/issue'
issue = get_issue_fields(issue_creating=True, **demisto.args())
result = jira_req('POST', url, json.dumps(issue))
j_res = result.json()
md_and_context = generate_md_context_create_issue(j_res, project_key=demisto.getArg('projectKey'),
project_name=demisto.getArg('issueTypeName'))
human_readable = tableToMarkdown(demisto.command(), md_and_context['md'], "")
contents = j_res
outputs = md_and_context['context']
return_outputs(readable_output=human_readable, outputs=outputs, raw_response=contents)
def create_issue_command():
url = 'rest/api/latest/issue'
issue = get_issue_fields(issue_creating=True, **demisto.args())
result = jira_req('POST', url, json.dumps(issue))
j_res = result.json()
md_and_context = generate_md_context_create_issue(j_res, project_key=demisto.getArg('projectKey'),
project_name=demisto.getArg('issueTypeName'))
human_readable = tableToMarkdown(demisto.command(), md_and_context['md'], "")
contents = j_res
outputs = md_and_context['context']
return_outputs(readable_output=human_readable, outputs=outputs, raw_response=contents)
def create_user_command():
required_properties = {
'accountEnabled': demisto.getArg('account_enabled'),
'displayName': demisto.getArg('display_name'),
'onPremisesImmutableId': demisto.getArg('on_premises_immutable_id'),
'mailNickname': demisto.getArg('mail_nickname'),
'passwordProfile': {
"forceChangePasswordNextSignIn": 'true',
"password": demisto.getArg('password')
},
'userPrincipalName': demisto.getArg('user_principal_name')
}
other_properties = {}
for key_value in demisto.getArg('other_properties').split(','):
key, value = key_value.split('=', 2)
other_properties[key] = value
# create the user
required_properties.update(other_properties)
create_user(required_properties)
# display the new user and it's properties
user = required_properties.get('userPrincipalName')
user_data = get_user(user, '*')
user_readable, user_outputs = parse_outputs(user_data)
human_readable = tableToMarkdown(name=f"{user} was created successfully:", t=user_readable, removeNull=True)
outputs = {'MSGraphUser(val.ID == obj.ID)': user_outputs}
return_outputs(readable_output=human_readable, outputs=outputs, raw_response=user_data)
def unblock_user_command():
user = demisto.getArg('user')
unblock_user(user)
return_outputs(
readable_output=f'"{user}" unblocked. It might take several minutes for the changes to take affect across '
'all applications.',
outputs=NO_OUTPUTS
)
def get_user_command():
user = demisto.getArg('user')
properties = demisto.args().get('properties', '*')
user_data = get_user(user, properties)
user_readable, user_outputs = parse_outputs(user_data)
human_readable = tableToMarkdown(name=f"{user} data", t=user_readable, removeNull=True)
outputs = {'MSGraphUser(val.ID == obj.ID)': user_outputs}
return_outputs(readable_output=human_readable, outputs=outputs, raw_response=user_data)
def get_delta_command():
properties = demisto.getArg('properties') + ',userPrincipalName'
users_data = get_delta(properties)
headers = list(set([camel_case_to_readable(p) for p in argToList(properties)] + ['ID', 'User Principal Name']))
users_readable, users_outputs = parse_outputs(users_data)
hr = tableToMarkdown(name='All Graph Users', headers=headers, t=users_readable, removeNull=True)
outputs = {'MSGraphUser(val.ID == obj.ID)': users_outputs}
return_outputs(readable_output=hr, outputs=outputs, raw_response=users_data)
def extract_text_command() -> dict:
langs = argToList(demisto.getArg('langs')) or argToList(demisto.getParam('langs'))
demisto.debug("Using langs settings: {}".format(langs))
entry_id = demisto.args()['entryid']
file_path = demisto.getFilePath(entry_id)
if not file_path:
return_error("Couldn't find entry id: {}".format(entry_id))
demisto.debug('Extracting text from file: {}'.format(file_path))
res = extract_text(file_path['path'], langs)
file_entry = {'EntryID': entry_id, 'Text': res}
return {
'Type': entryTypes['note'],
'Contents': res,
'ContentsFormat': formats['text'],
'ReadableContentsFormat': formats['markdown'],
'HumanReadable': "## Image OCR Extracted Text\n\n" + res,
"EntryContext": {"File(val.EntryID == obj.EntryID)": file_entry},
}
def terminate_user_session_command():
user = demisto.getArg('user')
terminate_user_session(user)
return_outputs(readable_output=f'user: "******" session has been terminated successfully', outputs=NO_OUTPUTS)
def delete_user_command():
user = demisto.getArg('user')
delete_user(user)
return_outputs(readable_output=f'user: "******" was deleted successfully', outputs=NO_OUTPUTS)
def update_user_command():
user = demisto.getArg('user')
updated_fields = demisto.getArg('updated_fields')
update_user(user, updated_fields)
get_user_command()
