def main():
channel_code = "d5cd46c205c20c87006b55a18b106428"
params = demisto.params()
command = demisto.command()
verify = not params.get("insecure", True)
session = requests.Session()
session.proxies = handle_proxy()
client = SixgillEnrichClient(params.get("client_id"),
params.get("client_secret"), channel_code,
demisto, session, verify)
LOG(f"Command being called is {demisto.command()}")
try:
if command == "cybersixgill-cve-enrich":
return_results(cve_enrich_command(client, demisto.args()))
elif command == "test-module":
return_results(
test_module(params.get("client_id"),
params.get("client_secret"), channel_code, session,
verify))
# Log exceptions
except Exception as e:
return_error(f"Failed to execute {command} command. Error: {str(e)}")
def test_postid_reputation_command(mocker):
"""
Given:
- an post_id
When:
- running sixgill-get-post-id command and validate whether the post_id is malicious
Then:
- return command results containing indicator
"""
mocker.patch.object(demisto, "params", return_value=init_params())
mocker.patch("requests.sessions.Session.send", new=mocked_request)
from Sixgill_Darkfeed_Enrichment import postid_reputation_command
from sixgill.sixgill_enrich_client import SixgillEnrichClient
client = SixgillEnrichClient("client_id", "client_secret", "some_channel")
output = postid_reputation_command(client, {
"post_id": "<some postid>",
"skip": 0
})
assert output[0].outputs == json.loads(mock_response).get("items")
def test_cve_enrich_command(mocker):
mocker.patch.object(demisto, "params", return_value=init_params())
mocker.patch.object(demisto, "args", return_value=args)
mocker.patch("requests.sessions.Session.send", new=mocked_request)
from CybersixgillDVEEnrichment import cve_enrich_command
from sixgill.sixgill_enrich_client import SixgillEnrichClient
client = SixgillEnrichClient(demisto.params()["client_id"],
demisto.params()["client_secret"],
channel_code, demisto)
output = cve_enrich_command(client, demisto.args())
assert output[0].outputs == expected_enrich_output
def file_reputation_command(client: SixgillEnrichClient,
args) -> List[CommandResults]:
files = argToList(args.get("file"))
skip = int(args.get("skip"))
if len(files) == 0:
raise ValueError("HASH(s) not specified")
command_results: List[CommandResults] = []
for file_hash in files:
file_data = client.enrich_ioc("hash", file_hash, skip)
score = 0
if len(file_data) != 0:
score = max(list(map(get_score, file_data)))
file_hash_types = get_file_hashes(file_data)
dbot_score = Common.DBotScore(
indicator=file_hash,
indicator_type=DBotScoreType.FILE,
integration_name="SixgillDarkfeedEnrichment",
score=score,
malicious_description="; ".join(
{ioc.get("description")
for ioc in file_data}))
file_standard_context = Common.File(
md5=file_hash_types.get("md5"),
sha256=file_hash_types.get("sha256"),
sha1=file_hash_types.get("sha1"),
sha512=file_hash_types.get("sha512"),
ssdeep=file_hash_types.get("ssdeep"),
dbot_score=dbot_score,
)
readable_output = tableToMarkdown("File", file_data)
command_results.append(
CommandResults(
readable_output=readable_output,
outputs_prefix="Sixgill.File",
outputs_key_field="file",
outputs=file_data,
indicator=file_standard_context,
))
return command_results
def main():
channel_code = "7698e8287dfde53dcd13082be750a85a"
verify = not demisto.params().get("insecure", True)
session = requests.Session()
session.proxies = handle_proxy()
client = SixgillEnrichClient(demisto.params()["client_id"],
demisto.params()["client_secret"],
channel_code, demisto, session, verify)
command = demisto.command()
demisto.info(f"Command being called is {command}")
try:
if command == "ip":
return_results(ip_reputation_command(client, demisto.args()))
elif command == "test-module":
return_results(
test_module_command(demisto.params()["client_id"],
demisto.params()["client_secret"],
channel_code, session, verify))
elif command == "domain":
return_results(domain_reputation_command(client, demisto.args()))
elif command == "url":
return_results(url_reputation_command(client, demisto.args()))
elif command == "file":
return_results(file_reputation_command(client, demisto.args()))
elif command == "sixgill-get-actor":
return_results(actor_reputation_command(client, demisto.args()))
elif command == "sixgill-get-post-id":
return_results(postid_reputation_command(client, demisto.args()))
except Exception as e:
demisto.error(traceback.format_exc())
return_error(
f"Error failed to execute {demisto.command()}, error: [{e}]")
def domain_reputation_command(client: SixgillEnrichClient,
args) -> List[CommandResults]:
domains = argToList(args.get("domain"))
skip = int(args.get("skip"))
if len(domains) == 0:
raise ValueError("DOMAIN(s) not specified")
command_results: List[CommandResults] = []
for domain in domains:
domain_data = client.enrich_ioc("domain", domain, skip)
score = 0
if len(domain_data) != 0:
score = max(list(map(get_score, domain_data)))
dbot_score = Common.DBotScore(
indicator=domain,
indicator_type=DBotScoreType.DOMAIN,
integration_name="SixgillDarkfeedEnrichment",
score=score,
malicious_description="; ".join(
{ioc.get("description")
for ioc in domain_data}))
domain_standard_context = Common.Domain(domain=domain,
dbot_score=dbot_score)
readable_output = tableToMarkdown("Domain", domain_data)
command_results.append(
CommandResults(
readable_output=readable_output,
outputs_prefix="Sixgill.Domain",
outputs_key_field="domain",
outputs=domain_data,
indicator=domain_standard_context,
))
return command_results
def url_reputation_command(client: SixgillEnrichClient,
args) -> List[CommandResults]:
urls = argToList(args.get("url"))
skip = int(args.get("skip"))
if len(urls) == 0:
raise ValueError("URL(s) not specified")
command_results: List[CommandResults] = []
for url in urls:
url_data = client.enrich_ioc("url", url, skip)
score = 0
if len(url_data) != 0:
score = max(list(map(get_score, url_data)))
dbot_score = Common.DBotScore(
indicator=url,
indicator_type=DBotScoreType.URL,
integration_name="SixgillDarkfeedEnrichment",
score=score,
malicious_description="; ".join(
{ioc.get("description")
for ioc in url_data}))
url_standard_context = Common.URL(url=url, dbot_score=dbot_score)
readable_output = tableToMarkdown("URL", url_data)
command_results.append(
CommandResults(
readable_output=readable_output,
outputs_prefix="Sixgill.URL",
outputs_key_field="url",
outputs=url_data,
indicator=url_standard_context,
))
return command_results
def postid_reputation_command(client: SixgillEnrichClient,
args) -> List[CommandResults]:
postids = argToList(args.get("post_id"))
skip = int(args.get("skip"))
if len(postids) == 0:
raise ValueError("POSTID(s) not specified")
command_results: List[CommandResults] = []
for post_id in postids:
post_id_data = client.enrich_postid(post_id, skip)
readable_output = tableToMarkdown("Postid", post_id_data)
command_results.append(
CommandResults(
readable_output=readable_output,
outputs_prefix="Sixgill.Postid",
outputs_key_field="postid",
outputs=post_id_data,
))
return command_results
def actor_reputation_command(client: SixgillEnrichClient,
args) -> List[CommandResults]:
actors = argToList(args.get("actor"))
skip = int(args.get("skip"))
if len(actors) == 0:
raise ValueError("ACTOR(s) not specified")
command_results: List[CommandResults] = []
for actor in actors:
actor_data = client.enrich_actor(actor, skip)
readable_output = tableToMarkdown("Actor", actor_data)
command_results.append(
CommandResults(
readable_output=readable_output,
outputs_prefix="Sixgill.Actor",
outputs_key_field="actor",
outputs=actor_data,
))
return command_results
def cve_enrich_command(client: SixgillEnrichClient,
args) -> List[CommandResults]:
cve_ids = argToList(args.get("cve_id"))
if len(cve_ids) == 0:
raise ValueError("CVE_ID(s) not specified")
command_results: List[CommandResults] = []
final_data_list = []
for cve_id in cve_ids:
cve_id_data = client.enrich_dve(cve_id)
final_data = stix_to_indicator(cve_id_data)
final_data_list.append(final_data)
readable_output = tableToMarkdown("Enriched results for cve_id:",
final_data_list)
command_results.append(
CommandResults(
readable_output=readable_output,
outputs_prefix="Sixgill.CVE",
outputs_key_field="CVE_ID",
outputs=final_data_list,
))
return command_results
def _enrich_indicator_object(self):
return SixgillEnrichClient(self._sixgill_client_id,
self._sixgill_api_secret_key,
self._sixgill_phantom_channel_id)
