def get_events_command(): alert_id = demisto.getArg('alert_id') limit = demisto.getArg('limit') offset = demisto.getArg('offset') results = IRON_DEFENSE.get_events(alert_id=alert_id, limit=limit, offset=offset) events = results.get('events') total_count = results.get('constraint').get('total') offset = results.get('constraint').get('offset') for i, event in enumerate(events): vue_markdown_link = IRON_DEFENSE.create_markdown_link("Open in IronVue", event.get("vue_url")) event_readable_output = tableToMarkdown(f'IronDefense Event {i + offset + 1}/{total_count}\n' f'{vue_markdown_link}', event) # Send each event return_outputs(readable_output=event_readable_output, outputs={ 'IronDefense.Event(val.id == obj.id)': event, }, raw_response=event) # Send constraints constraint = results.get('constraint') return_outputs(readable_output=tableToMarkdown('Query Constraints', constraint), outputs={ 'IronDefense.Query.GetEvents': constraint, }, raw_response=constraint)
def get_event_command(): # get event data from IronAPI event_id = demisto.getArg('event_id') results = IRON_DEFENSE.get_event(event_id) # Output the event data event = results.get('event') vue_markdown_link = IRON_DEFENSE.create_markdown_link("Open in IronVue", event.get("vue_url")) event_readable_output = tableToMarkdown(f'IronDefense Event: {event.get("category")} -' f' {event.get("sub_category")}\n' f'{vue_markdown_link}', event) return_outputs(readable_output=event_readable_output, outputs={ 'IronDefense.Event(val.id == obj.id)': event, }, raw_response=event) # Output each context table context_tables = results.get('context') for table in context_tables: if IRON_DEFENSE.event_context_table_contains_multi_columns(table): output_table = IRON_DEFENSE.event_context_table_to_dict_list(table) headers = [*output_table[0]] else: output_table = IRON_DEFENSE.event_context_table_to_dict(table) headers = [] return_outputs(readable_output=tableToMarkdown(f'Event Context: {table.get("name")}', output_table, headers=headers), outputs={ 'IronDefense.Event.Context(val.name == obj.name)': table, }, raw_response=table)
def test_return_outputs_only_md(self, mocker): mocker.patch.object(demisto, 'results') md = 'md' return_outputs(md) results = demisto.results.call_args[0][0] assert len(demisto.results.call_args[0]) == 1 assert demisto.results.call_count == 1 assert md == results['HumanReadable'] assert 'text' == results['ContentsFormat']
def test_return_outputs_raw_none(self, mocker): mocker.patch.object(demisto, 'results') md = 'md' outputs = {'Event': 1} return_outputs(md, outputs, None) results = demisto.results.call_args[0][0] assert len(demisto.results.call_args[0]) == 1 assert demisto.results.call_count == 1 assert outputs == results['Contents'] assert outputs == results['EntryContext'] assert md == results['HumanReadable']
def test_return_outputs_timeline(self, mocker): mocker.patch.object(demisto, 'results') md = 'md' outputs = {'Event': 1} raw_response = {'event': 1} timeline = [{'Value': 'blah', 'Message': 'test', 'Category': 'test'}] return_outputs(md, outputs, raw_response, timeline) results = demisto.results.call_args[0][0] assert len(demisto.results.call_args[0]) == 1 assert demisto.results.call_count == 1 assert raw_response == results['Contents'] assert outputs == results['EntryContext'] assert md == results['HumanReadable'] assert timeline == results['IndicatorTimeline']
def test_return_outputs_ignore_auto_extract(self, mocker): mocker.patch.object(demisto, 'results') md = 'md' outputs = {'Event': 1} raw_response = {'event': 1} ignore_auto_extract = True return_outputs(md, outputs, raw_response, ignore_auto_extract=ignore_auto_extract) results = demisto.results.call_args[0][0] assert len(demisto.results.call_args[0]) == 1 assert demisto.results.call_count == 1 assert raw_response == results['Contents'] assert outputs == results['EntryContext'] assert md == results['HumanReadable'] assert ignore_auto_extract == results['IgnoreAutoExtract']
def get_alert_irondome_information_command(): alert_id = demisto.getArg('alert_id') results = IRON_DEFENSE.get_alert_irondome_information(alert_id) if len(results.get('correlations')) == 0 and \ len(results.get('correlation_participation')) == 0 and \ len(results.get('community_comments')) == 0 and \ len(results.get('dome_notifications')) == 0: demisto.results(f'No correlations found for alert ID: {alert_id}') return # Output correlations correlations = results.get('correlations') for correlation in correlations: dome_tag = correlation.get('dome_tag') correlation_data = correlation.get('correlations') output = { 'alert_id': alert_id, 'correlation': correlation } ip_correlations = list(filter(lambda corr: corr.get('ip') is not None, correlation_data)) domain_correlations = list(filter(lambda corr: corr.get('domain') is not None, correlation_data)) behavior_correlations = list(filter(lambda corr: corr.get('behavior') is not None, correlation_data)) if len(ip_correlations) != 0: return_outputs(readable_output=tableToMarkdown(f'IronDome IP Correlations in "{dome_tag}"', ip_correlations, headers=[*ip_correlations[0]]), outputs={ 'IronDome.Correlations(val.alert_id = obj.alert.id)': output }, raw_response=correlation) if len(domain_correlations) != 0: return_outputs(readable_output=tableToMarkdown(f'IronDome Domain Correlations in "{dome_tag}"', domain_correlations, headers=[*domain_correlations[0]]), outputs={ 'IronDome.Correlations(val.alert_id = obj.alert.id)': output }, raw_response=correlation) if len(behavior_correlations) != 0: return_outputs(readable_output=tableToMarkdown(f'IronDome Behavior Correlations in "{dome_tag}"', behavior_correlations, headers=[*behavior_correlations[0]]), outputs={ 'IronDome.Correlations(val.alert_id = obj.alert.id)': output }, raw_response=correlation) # Output correlation participation correlation_participation = results.get('correlation_participation') for participant in correlation_participation: dome_tag = participant.get('dome_tag') output = { 'alert_id': alert_id, 'correlation_participation': participant } table_data = [] # append each correlation context to display in the table, if it exists behavior = participant.get('behavior') if behavior is not None: table_data.append(behavior) domain = participant.get('behavior') if domain is not None: table_data.append(domain) ip = participant.get('ip') if ip is not None: table_data.append(ip) # Send the participant info return_outputs(readable_output=tableToMarkdown(f'IronDome Correlation Participation in "{dome_tag}"', table_data, headers=[*table_data[0]]), outputs={ 'IronDome.CorrelationParticipation(val.alert_id = obj.alert.id)': output }, raw_response=participant) # Output comments community_comments = results.get('community_comments') community_comments_output = { 'alert_id': alert_id, 'community_comments': community_comments, } if len(community_comments) > 0: return_outputs(readable_output=tableToMarkdown('IronDome Community Comments', community_comments, headers=[*community_comments[0]]), outputs={ 'IronDome.CommunityComments(val.alert_id = obj.alert.id)': community_comments_output }, raw_response=community_comments) # Output cognitive system score cognitive_system_score = results.get('cognitive_system_score') cognitive_system_score_output = { 'alert_id': alert_id, 'cognitive_system_score': cognitive_system_score, } return_outputs(readable_output=f'### Cognitive System Score: {cognitive_system_score}', outputs={ 'IronDome.CognitiveSystemScore(val.alert_id = obj.alert.id)': cognitive_system_score_output }, raw_response=cognitive_system_score) # Output dome notifications dome_notifications = results.get('dome_notifications') for notification in dome_notifications: category = notification.get('category') output = { 'alert_id': alert_id, 'dome_notification': notification } return_outputs(readable_output=tableToMarkdown(f'IronDome Notification: {category}', notification), outputs={ 'IronDome.Notification(val.alert_id = obj.alert.id)': output }, raw_response=notification) return_outputs(readable_output=IRON_DEFENSE.create_dome_markdown_link('Open IronDome information in IronVue', alert_id), outputs={})
def get_alerts_command(): alert_id = demisto.getArg('alert_id') category = demisto.getArg('category') sub_category = demisto.getArg('sub_category') status = demisto.getArg('status') analyst_severity = demisto.getArg('analyst_severity') analyst_expectation = demisto.getArg('analyst_expectation') min_severity = demisto.getArg('min_severity') max_severity = demisto.getArg('max_severity') min_created = demisto.getArg('min_created') max_created = demisto.getArg('max_created') min_updated = demisto.getArg('min_updated') max_updated = demisto.getArg('max_updated') min_first_event_created = demisto.getArg('min_first_event_created') max_first_event_created = demisto.getArg('max_first_event_created') min_last_event_created = demisto.getArg('min_last_event_created') max_last_event_created = demisto.getArg('max_last_event_created') min_first_event_start_time = demisto.getArg('min_first_event_start_time') max_first_event_start_time = demisto.getArg('max_first_event_start_time') min_last_event_end_time = demisto.getArg('min_last_event_end_time') max_last_event_end_time = demisto.getArg('max_last_event_end_time') analytic_version = demisto.getArg('analytic_version') limit = demisto.getArg('limit') offset = demisto.getArg('offset') sort = demisto.getArg('sort') results = IRON_DEFENSE.get_alerts(alert_id=alert_id, category=category, sub_category=sub_category, status=status, analyst_severity=analyst_severity, analyst_expectation=analyst_expectation, min_severity=min_severity, max_severity=max_severity, min_created=min_created, max_created=max_created, min_updated=min_updated, max_updated=max_updated, min_first_event_created=min_first_event_created, max_first_event_created=max_first_event_created, min_last_event_created=min_last_event_created, max_last_event_created=max_last_event_created, min_first_event_start_time=min_first_event_start_time, max_first_event_start_time=max_first_event_start_time, min_last_event_end_time=min_last_event_end_time, max_last_event_end_time=max_last_event_end_time, analytic_version=analytic_version, limit=limit, offset=offset, sort=sort) alerts = results.get('alerts') total_count = results.get('constraint').get('total') offset = results.get('constraint').get('offset') for i, alert in enumerate(alerts): # Send each alert vue_markdown_link = IRON_DEFENSE.create_markdown_link("Open in IronVue", alert.get("vue_url")) alert_readable_output = tableToMarkdown(f'IronDefense Alert {i + offset + 1}/{total_count}: {alert.get("category")} -' f' {alert.get("sub_category")}\n' f'{vue_markdown_link}', alert) return_outputs(readable_output=alert_readable_output, outputs={ 'IronDefense.Alert(val.id == obj.id)': alert, }, raw_response=alert) # Send constraints constraint = results.get('constraint') return_outputs(readable_output=tableToMarkdown('Query Constraints', constraint), outputs={ 'IronDefense.Query.GetAlerts': constraint, }, raw_response=constraint)