def main(): channel_code = "d5cd46c205c20c87006b55a18b106428" params = demisto.params() command = demisto.command() verify = not params.get("insecure", True) session = requests.Session() session.proxies = handle_proxy() client = SixgillEnrichClient(params.get("client_id"), params.get("client_secret"), channel_code, demisto, session, verify) LOG(f"Command being called is {demisto.command()}") try: if command == "cybersixgill-cve-enrich": return_results(cve_enrich_command(client, demisto.args())) elif command == "test-module": return_results( test_module(params.get("client_id"), params.get("client_secret"), channel_code, session, verify)) # Log exceptions except Exception as e: return_error(f"Failed to execute {command} command. Error: {str(e)}")
def test_postid_reputation_command(mocker): """ Given: - an post_id When: - running sixgill-get-post-id command and validate whether the post_id is malicious Then: - return command results containing indicator """ mocker.patch.object(demisto, "params", return_value=init_params()) mocker.patch("requests.sessions.Session.send", new=mocked_request) from Sixgill_Darkfeed_Enrichment import postid_reputation_command from sixgill.sixgill_enrich_client import SixgillEnrichClient client = SixgillEnrichClient("client_id", "client_secret", "some_channel") output = postid_reputation_command(client, { "post_id": "<some postid>", "skip": 0 }) assert output[0].outputs == json.loads(mock_response).get("items")
def test_cve_enrich_command(mocker): mocker.patch.object(demisto, "params", return_value=init_params()) mocker.patch.object(demisto, "args", return_value=args) mocker.patch("requests.sessions.Session.send", new=mocked_request) from CybersixgillDVEEnrichment import cve_enrich_command from sixgill.sixgill_enrich_client import SixgillEnrichClient client = SixgillEnrichClient(demisto.params()["client_id"], demisto.params()["client_secret"], channel_code, demisto) output = cve_enrich_command(client, demisto.args()) assert output[0].outputs == expected_enrich_output
def file_reputation_command(client: SixgillEnrichClient, args) -> List[CommandResults]: files = argToList(args.get("file")) skip = int(args.get("skip")) if len(files) == 0: raise ValueError("HASH(s) not specified") command_results: List[CommandResults] = [] for file_hash in files: file_data = client.enrich_ioc("hash", file_hash, skip) score = 0 if len(file_data) != 0: score = max(list(map(get_score, file_data))) file_hash_types = get_file_hashes(file_data) dbot_score = Common.DBotScore( indicator=file_hash, indicator_type=DBotScoreType.FILE, integration_name="SixgillDarkfeedEnrichment", score=score, malicious_description="; ".join( {ioc.get("description") for ioc in file_data})) file_standard_context = Common.File( md5=file_hash_types.get("md5"), sha256=file_hash_types.get("sha256"), sha1=file_hash_types.get("sha1"), sha512=file_hash_types.get("sha512"), ssdeep=file_hash_types.get("ssdeep"), dbot_score=dbot_score, ) readable_output = tableToMarkdown("File", file_data) command_results.append( CommandResults( readable_output=readable_output, outputs_prefix="Sixgill.File", outputs_key_field="file", outputs=file_data, indicator=file_standard_context, )) return command_results
def main(): channel_code = "7698e8287dfde53dcd13082be750a85a" verify = not demisto.params().get("insecure", True) session = requests.Session() session.proxies = handle_proxy() client = SixgillEnrichClient(demisto.params()["client_id"], demisto.params()["client_secret"], channel_code, demisto, session, verify) command = demisto.command() demisto.info(f"Command being called is {command}") try: if command == "ip": return_results(ip_reputation_command(client, demisto.args())) elif command == "test-module": return_results( test_module_command(demisto.params()["client_id"], demisto.params()["client_secret"], channel_code, session, verify)) elif command == "domain": return_results(domain_reputation_command(client, demisto.args())) elif command == "url": return_results(url_reputation_command(client, demisto.args())) elif command == "file": return_results(file_reputation_command(client, demisto.args())) elif command == "sixgill-get-actor": return_results(actor_reputation_command(client, demisto.args())) elif command == "sixgill-get-post-id": return_results(postid_reputation_command(client, demisto.args())) except Exception as e: demisto.error(traceback.format_exc()) return_error( f"Error failed to execute {demisto.command()}, error: [{e}]")
def domain_reputation_command(client: SixgillEnrichClient, args) -> List[CommandResults]: domains = argToList(args.get("domain")) skip = int(args.get("skip")) if len(domains) == 0: raise ValueError("DOMAIN(s) not specified") command_results: List[CommandResults] = [] for domain in domains: domain_data = client.enrich_ioc("domain", domain, skip) score = 0 if len(domain_data) != 0: score = max(list(map(get_score, domain_data))) dbot_score = Common.DBotScore( indicator=domain, indicator_type=DBotScoreType.DOMAIN, integration_name="SixgillDarkfeedEnrichment", score=score, malicious_description="; ".join( {ioc.get("description") for ioc in domain_data})) domain_standard_context = Common.Domain(domain=domain, dbot_score=dbot_score) readable_output = tableToMarkdown("Domain", domain_data) command_results.append( CommandResults( readable_output=readable_output, outputs_prefix="Sixgill.Domain", outputs_key_field="domain", outputs=domain_data, indicator=domain_standard_context, )) return command_results
def url_reputation_command(client: SixgillEnrichClient, args) -> List[CommandResults]: urls = argToList(args.get("url")) skip = int(args.get("skip")) if len(urls) == 0: raise ValueError("URL(s) not specified") command_results: List[CommandResults] = [] for url in urls: url_data = client.enrich_ioc("url", url, skip) score = 0 if len(url_data) != 0: score = max(list(map(get_score, url_data))) dbot_score = Common.DBotScore( indicator=url, indicator_type=DBotScoreType.URL, integration_name="SixgillDarkfeedEnrichment", score=score, malicious_description="; ".join( {ioc.get("description") for ioc in url_data})) url_standard_context = Common.URL(url=url, dbot_score=dbot_score) readable_output = tableToMarkdown("URL", url_data) command_results.append( CommandResults( readable_output=readable_output, outputs_prefix="Sixgill.URL", outputs_key_field="url", outputs=url_data, indicator=url_standard_context, )) return command_results
def postid_reputation_command(client: SixgillEnrichClient, args) -> List[CommandResults]: postids = argToList(args.get("post_id")) skip = int(args.get("skip")) if len(postids) == 0: raise ValueError("POSTID(s) not specified") command_results: List[CommandResults] = [] for post_id in postids: post_id_data = client.enrich_postid(post_id, skip) readable_output = tableToMarkdown("Postid", post_id_data) command_results.append( CommandResults( readable_output=readable_output, outputs_prefix="Sixgill.Postid", outputs_key_field="postid", outputs=post_id_data, )) return command_results
def actor_reputation_command(client: SixgillEnrichClient, args) -> List[CommandResults]: actors = argToList(args.get("actor")) skip = int(args.get("skip")) if len(actors) == 0: raise ValueError("ACTOR(s) not specified") command_results: List[CommandResults] = [] for actor in actors: actor_data = client.enrich_actor(actor, skip) readable_output = tableToMarkdown("Actor", actor_data) command_results.append( CommandResults( readable_output=readable_output, outputs_prefix="Sixgill.Actor", outputs_key_field="actor", outputs=actor_data, )) return command_results
def cve_enrich_command(client: SixgillEnrichClient, args) -> List[CommandResults]: cve_ids = argToList(args.get("cve_id")) if len(cve_ids) == 0: raise ValueError("CVE_ID(s) not specified") command_results: List[CommandResults] = [] final_data_list = [] for cve_id in cve_ids: cve_id_data = client.enrich_dve(cve_id) final_data = stix_to_indicator(cve_id_data) final_data_list.append(final_data) readable_output = tableToMarkdown("Enriched results for cve_id:", final_data_list) command_results.append( CommandResults( readable_output=readable_output, outputs_prefix="Sixgill.CVE", outputs_key_field="CVE_ID", outputs=final_data_list, )) return command_results
def _enrich_indicator_object(self): return SixgillEnrichClient(self._sixgill_client_id, self._sixgill_api_secret_key, self._sixgill_phantom_channel_id)