def get_events_command():
alert_id = demisto.getArg('alert_id')
limit = demisto.getArg('limit')
offset = demisto.getArg('offset')
results = IRON_DEFENSE.get_events(alert_id=alert_id, limit=limit, offset=offset)
events = results.get('events')
total_count = results.get('constraint').get('total')
offset = results.get('constraint').get('offset')
for i, event in enumerate(events):
vue_markdown_link = IRON_DEFENSE.create_markdown_link("Open in IronVue", event.get("vue_url"))
event_readable_output = tableToMarkdown(f'IronDefense Event {i + offset + 1}/{total_count}\n'
f'{vue_markdown_link}', event)
# Send each event
return_outputs(readable_output=event_readable_output,
outputs={
'IronDefense.Event(val.id == obj.id)': event,
},
raw_response=event)
# Send constraints
constraint = results.get('constraint')
return_outputs(readable_output=tableToMarkdown('Query Constraints', constraint),
outputs={
'IronDefense.Query.GetEvents': constraint,
},
raw_response=constraint)
def get_event_command():
# get event data from IronAPI
event_id = demisto.getArg('event_id')
results = IRON_DEFENSE.get_event(event_id)
# Output the event data
event = results.get('event')
vue_markdown_link = IRON_DEFENSE.create_markdown_link("Open in IronVue", event.get("vue_url"))
event_readable_output = tableToMarkdown(f'IronDefense Event: {event.get("category")} -'
f' {event.get("sub_category")}\n'
f'{vue_markdown_link}', event)
return_outputs(readable_output=event_readable_output,
outputs={
'IronDefense.Event(val.id == obj.id)': event,
},
raw_response=event)
# Output each context table
context_tables = results.get('context')
for table in context_tables:
if IRON_DEFENSE.event_context_table_contains_multi_columns(table):
output_table = IRON_DEFENSE.event_context_table_to_dict_list(table)
headers = [*output_table[0]]
else:
output_table = IRON_DEFENSE.event_context_table_to_dict(table)
headers = []
return_outputs(readable_output=tableToMarkdown(f'Event Context: {table.get("name")}', output_table,
headers=headers),
outputs={
'IronDefense.Event.Context(val.name == obj.name)': table,
},
raw_response=table)
def test_return_outputs_only_md(self, mocker):
mocker.patch.object(demisto, 'results')
md = 'md'
return_outputs(md)
results = demisto.results.call_args[0][0]
assert len(demisto.results.call_args[0]) == 1
assert demisto.results.call_count == 1
assert md == results['HumanReadable']
assert 'text' == results['ContentsFormat']
def test_return_outputs_raw_none(self, mocker):
mocker.patch.object(demisto, 'results')
md = 'md'
outputs = {'Event': 1}
return_outputs(md, outputs, None)
results = demisto.results.call_args[0][0]
assert len(demisto.results.call_args[0]) == 1
assert demisto.results.call_count == 1
assert outputs == results['Contents']
assert outputs == results['EntryContext']
assert md == results['HumanReadable']
def test_return_outputs_timeline(self, mocker):
mocker.patch.object(demisto, 'results')
md = 'md'
outputs = {'Event': 1}
raw_response = {'event': 1}
timeline = [{'Value': 'blah', 'Message': 'test', 'Category': 'test'}]
return_outputs(md, outputs, raw_response, timeline)
results = demisto.results.call_args[0][0]
assert len(demisto.results.call_args[0]) == 1
assert demisto.results.call_count == 1
assert raw_response == results['Contents']
assert outputs == results['EntryContext']
assert md == results['HumanReadable']
assert timeline == results['IndicatorTimeline']
def test_return_outputs_ignore_auto_extract(self, mocker):
mocker.patch.object(demisto, 'results')
md = 'md'
outputs = {'Event': 1}
raw_response = {'event': 1}
ignore_auto_extract = True
return_outputs(md,
outputs,
raw_response,
ignore_auto_extract=ignore_auto_extract)
results = demisto.results.call_args[0][0]
assert len(demisto.results.call_args[0]) == 1
assert demisto.results.call_count == 1
assert raw_response == results['Contents']
assert outputs == results['EntryContext']
assert md == results['HumanReadable']
assert ignore_auto_extract == results['IgnoreAutoExtract']
def get_alert_irondome_information_command():
alert_id = demisto.getArg('alert_id')
results = IRON_DEFENSE.get_alert_irondome_information(alert_id)
if len(results.get('correlations')) == 0 and \
len(results.get('correlation_participation')) == 0 and \
len(results.get('community_comments')) == 0 and \
len(results.get('dome_notifications')) == 0:
demisto.results(f'No correlations found for alert ID: {alert_id}')
return
# Output correlations
correlations = results.get('correlations')
for correlation in correlations:
dome_tag = correlation.get('dome_tag')
correlation_data = correlation.get('correlations')
output = {
'alert_id': alert_id,
'correlation': correlation
}
ip_correlations = list(filter(lambda corr: corr.get('ip') is not None, correlation_data))
domain_correlations = list(filter(lambda corr: corr.get('domain') is not None, correlation_data))
behavior_correlations = list(filter(lambda corr: corr.get('behavior') is not None, correlation_data))
if len(ip_correlations) != 0:
return_outputs(readable_output=tableToMarkdown(f'IronDome IP Correlations in "{dome_tag}"', ip_correlations,
headers=[*ip_correlations[0]]),
outputs={
'IronDome.Correlations(val.alert_id = obj.alert.id)': output
},
raw_response=correlation)
if len(domain_correlations) != 0:
return_outputs(readable_output=tableToMarkdown(f'IronDome Domain Correlations in "{dome_tag}"',
domain_correlations,
headers=[*domain_correlations[0]]),
outputs={
'IronDome.Correlations(val.alert_id = obj.alert.id)': output
},
raw_response=correlation)
if len(behavior_correlations) != 0:
return_outputs(readable_output=tableToMarkdown(f'IronDome Behavior Correlations in "{dome_tag}"',
behavior_correlations,
headers=[*behavior_correlations[0]]),
outputs={
'IronDome.Correlations(val.alert_id = obj.alert.id)': output
},
raw_response=correlation)
# Output correlation participation
correlation_participation = results.get('correlation_participation')
for participant in correlation_participation:
dome_tag = participant.get('dome_tag')
output = {
'alert_id': alert_id,
'correlation_participation': participant
}
table_data = []
# append each correlation context to display in the table, if it exists
behavior = participant.get('behavior')
if behavior is not None:
table_data.append(behavior)
domain = participant.get('behavior')
if domain is not None:
table_data.append(domain)
ip = participant.get('ip')
if ip is not None:
table_data.append(ip)
# Send the participant info
return_outputs(readable_output=tableToMarkdown(f'IronDome Correlation Participation in "{dome_tag}"',
table_data,
headers=[*table_data[0]]),
outputs={
'IronDome.CorrelationParticipation(val.alert_id = obj.alert.id)': output
},
raw_response=participant)
# Output comments
community_comments = results.get('community_comments')
community_comments_output = {
'alert_id': alert_id,
'community_comments': community_comments,
}
if len(community_comments) > 0:
return_outputs(readable_output=tableToMarkdown('IronDome Community Comments', community_comments,
headers=[*community_comments[0]]),
outputs={
'IronDome.CommunityComments(val.alert_id = obj.alert.id)': community_comments_output
},
raw_response=community_comments)
# Output cognitive system score
cognitive_system_score = results.get('cognitive_system_score')
cognitive_system_score_output = {
'alert_id': alert_id,
'cognitive_system_score': cognitive_system_score,
}
return_outputs(readable_output=f'### Cognitive System Score: {cognitive_system_score}',
outputs={
'IronDome.CognitiveSystemScore(val.alert_id = obj.alert.id)': cognitive_system_score_output
},
raw_response=cognitive_system_score)
# Output dome notifications
dome_notifications = results.get('dome_notifications')
for notification in dome_notifications:
category = notification.get('category')
output = {
'alert_id': alert_id,
'dome_notification': notification
}
return_outputs(readable_output=tableToMarkdown(f'IronDome Notification: {category}', notification),
outputs={
'IronDome.Notification(val.alert_id = obj.alert.id)': output
},
raw_response=notification)
return_outputs(readable_output=IRON_DEFENSE.create_dome_markdown_link('Open IronDome information in IronVue',
alert_id),
outputs={})
def get_alerts_command():
alert_id = demisto.getArg('alert_id')
category = demisto.getArg('category')
sub_category = demisto.getArg('sub_category')
status = demisto.getArg('status')
analyst_severity = demisto.getArg('analyst_severity')
analyst_expectation = demisto.getArg('analyst_expectation')
min_severity = demisto.getArg('min_severity')
max_severity = demisto.getArg('max_severity')
min_created = demisto.getArg('min_created')
max_created = demisto.getArg('max_created')
min_updated = demisto.getArg('min_updated')
max_updated = demisto.getArg('max_updated')
min_first_event_created = demisto.getArg('min_first_event_created')
max_first_event_created = demisto.getArg('max_first_event_created')
min_last_event_created = demisto.getArg('min_last_event_created')
max_last_event_created = demisto.getArg('max_last_event_created')
min_first_event_start_time = demisto.getArg('min_first_event_start_time')
max_first_event_start_time = demisto.getArg('max_first_event_start_time')
min_last_event_end_time = demisto.getArg('min_last_event_end_time')
max_last_event_end_time = demisto.getArg('max_last_event_end_time')
analytic_version = demisto.getArg('analytic_version')
limit = demisto.getArg('limit')
offset = demisto.getArg('offset')
sort = demisto.getArg('sort')
results = IRON_DEFENSE.get_alerts(alert_id=alert_id, category=category, sub_category=sub_category, status=status,
analyst_severity=analyst_severity,
analyst_expectation=analyst_expectation, min_severity=min_severity,
max_severity=max_severity, min_created=min_created, max_created=max_created,
min_updated=min_updated, max_updated=max_updated,
min_first_event_created=min_first_event_created,
max_first_event_created=max_first_event_created,
min_last_event_created=min_last_event_created,
max_last_event_created=max_last_event_created,
min_first_event_start_time=min_first_event_start_time,
max_first_event_start_time=max_first_event_start_time,
min_last_event_end_time=min_last_event_end_time,
max_last_event_end_time=max_last_event_end_time,
analytic_version=analytic_version,
limit=limit, offset=offset, sort=sort)
alerts = results.get('alerts')
total_count = results.get('constraint').get('total')
offset = results.get('constraint').get('offset')
for i, alert in enumerate(alerts):
# Send each alert
vue_markdown_link = IRON_DEFENSE.create_markdown_link("Open in IronVue", alert.get("vue_url"))
alert_readable_output = tableToMarkdown(f'IronDefense Alert {i + offset + 1}/{total_count}: {alert.get("category")} -'
f' {alert.get("sub_category")}\n'
f'{vue_markdown_link}', alert)
return_outputs(readable_output=alert_readable_output,
outputs={
'IronDefense.Alert(val.id == obj.id)': alert,
},
raw_response=alert)
# Send constraints
constraint = results.get('constraint')
return_outputs(readable_output=tableToMarkdown('Query Constraints', constraint),
outputs={
'IronDefense.Query.GetAlerts': constraint,
},
raw_response=constraint)
