def get_all_user_profiles():
query = 'type:\"User Profile\"'
employee_id_to_user_profile = {}
email_to_user_profile = {}
def handle_batch(user_profiles):
for user_profile in user_profiles:
user_profile = user_profile.get('CustomFields', {})
employee_id = user_profile.get('employeeid')
email = user_profile.get('email')
employee_id_to_user_profile[employee_id] = user_profile
email_to_user_profile[email] = user_profile
query_result = demisto.searchIndicators(query=query, size=BATCH_SIZE)
handle_batch(query_result.get('iocs', []))
while query_result.get('searchAfter') is not None:
query_result = demisto.searchIndicators(
query=query,
size=BATCH_SIZE,
searchAfter=query_result.get('searchAfter'))
handle_batch(query_result.get('iocs', []))
return employee_id_to_user_profile, email_to_user_profile
def find_indicators_with_limit_loop(indicator_query: str, limit: int, total_fetched: int = 0, next_page: int = 0,
last_found_len: int = PAGE_SIZE):
"""
Finds indicators using while loop with demisto.searchIndicators, and returns result and last page
"""
iocs: List[dict] = []
if not last_found_len:
last_found_len = total_fetched
while last_found_len == PAGE_SIZE and limit and total_fetched < limit:
fetched_iocs = demisto.searchIndicators(query=indicator_query, page=next_page, size=PAGE_SIZE).get('iocs')
iocs.extend(fetched_iocs)
last_found_len = len(fetched_iocs)
total_fetched += last_found_len
next_page += 1
return iocs, next_page
def get_indicators(indicators: str) -> List:
if indicators:
iocs: list = []
not_found = []
for indicator in indicators.split(','):
data = demisto.searchIndicators(value=indicator).get('iocs')
if data:
iocs.extend(data)
else:
not_found.append(indicator)
if not_found:
return_warning('The following indicators were not found: {}'.format(', '.join(not_found)))
else:
return iocs
return []
def cyren_feed_relationship(args) -> CommandResults:
if "indicator" not in args:
raise ValueError("Please provide 'indicator' argument!")
indicator = args["indicator"]
relationships = indicator.get("CustomFields", {}).get(
"cyrenfeedrelationships", []) or []
content = []
for item in relationships:
ioc_value = item.get("value", "")
results = demisto.searchIndicators(value=ioc_value).get("iocs", [])
if results:
result = results[0]
ioc_score = result.get("score")
ioc_id = result.get("id")
content.append(
create_relationship_object(
value=f"[{ioc_value}](#/indicator/{ioc_id})"
if ioc_value else "",
relationship_type=item.get("relationshiptype"),
indicator_type=item.get("indicatortype"),
timestamp=item.get("timestamp"),
entity_category=item.get("entitycategory"),
reputation=ioc_score,
))
else:
# In case that no related indicators were found, return the table without the link.
content.append(
create_relationship_object(
value=ioc_value,
relationship_type=item.get("relationshiptype"),
indicator_type=item.get("indicatortype"),
timestamp=item.get("timestamp"),
entity_category=item.get("entitycategory"),
))
headers = [
"Indicator Type", "Value", "Reputation", "Relationship Type",
"Entity Category", "Timestamp UTC"
]
output = tableToMarkdown("", content, headers, removeNull=True)
return CommandResults(readable_output=output)
def get_feeds_for_incident(incident_id: int) -> set:
"""
Retrieves a list feeds based on indicators that appear in a given incident.
:param incident_id: int
Incident ID to query by.
:return: set
List of feeds that have indicators in the given incident.
"""
indicator_query = f'sourceBrands:*Feed* and incident.id:{incident_id}'
fetched_iocs = demisto.searchIndicators(query=indicator_query).get('iocs')
feeds = set()
for indicator in fetched_iocs:
source_brands = indicator.get('sourceBrands')
for brand in source_brands:
if 'Feed' in brand:
feeds.add(brand)
return feeds
def find_indicators_to_limit_loop(indicator_query: str,
limit: int,
total_fetched: int = 0,
next_page: int = 0,
last_found_len: int = None):
"""
Finds indicators using while loop with demisto.searchIndicators, and returns result and last page
Parameters:
indicator_query (str): Query that determines which indicators to include in
the EDL (Cortex XSOAR indicator query syntax)
limit (int): The maximum number of indicators to include in the EDL
total_fetched (int): The amount of indicators already fetched
next_page (int): The page we are up to in the loop
last_found_len (int): The amount of indicators found in the last fetch
Returns:
(tuple): The iocs and the last page
"""
iocs: List[dict] = []
if last_found_len is None:
last_found_len = PAGE_SIZE
if not last_found_len:
last_found_len = total_fetched
# last_found_len should be PAGE_SIZE (or PAGE_SIZE - 1, as observed for some users) for full pages
while last_found_len in (PAGE_SIZE, PAGE_SIZE -
1) and limit and total_fetched < limit:
fetched_iocs = demisto.searchIndicators(query=indicator_query,
page=next_page,
size=PAGE_SIZE).get('iocs')
# In case the result from searchIndicators includes the key `iocs` but it's value is None
fetched_iocs = fetched_iocs or []
# save only the value and type of each indicator
iocs.extend({
'value': ioc.get('value'),
'indicator_type': ioc.get('indicator_type')
} for ioc in fetched_iocs)
last_found_len = len(fetched_iocs)
total_fetched += last_found_len
next_page += 1
return iocs, next_page
def find_indicators_loop(indicator_query: str):
"""
Find indicators in a loop according to a query.
Args:
indicator_query: The indicator query.
Returns:
Indicator query results from Demisto.
"""
iocs: List[dict] = []
total_fetched = 0
next_page = 0
last_found_len = PAGE_SIZE
while last_found_len == PAGE_SIZE:
fetched_iocs = demisto.searchIndicators(query=indicator_query, page=next_page, size=PAGE_SIZE).get('iocs')
iocs.extend(fetched_iocs)
last_found_len = len(fetched_iocs)
total_fetched += last_found_len
next_page += 1
return iocs
def feed_related_indicator(args) -> CommandResults:
indicator = args['indicator']
feed_related_indicators = indicator.get('CustomFields',
{}).get('feedrelatedindicators',
[])
ioc = list(filter(lambda x: x.get('value'), feed_related_indicators))
ioc_value = ioc[0].get('value') if ioc else ''
content = []
results = demisto.searchIndicators(value=ioc_value).get('iocs', [])
urls = demisto.demistoUrls()
server_url = urls.get('server', '')
if results:
ioc_id = results[0].get('id')
for item in feed_related_indicators:
content.append({
'Value':
f"[{item.get('value')}]({server_url}/#/indicator/{ioc_id})"
if item.get('value') else '',
'Type':
item.get('type'),
'Description':
f"[{item.get('description')}]({item.get('description')})\n\n"
})
else:
# In case that no related indicators were found, return the table without the link.
for item in feed_related_indicators:
content.append({
'Value':
item.get('value', ''),
'Type':
item.get('type'),
'Description':
f"[{item.get('description')}]({item.get('description')})\n\n"
})
output = tableToMarkdown('',
content, ['Type', 'Value', 'Description'],
removeNull=True)
return CommandResults(readable_output=output)
def get_indicators_list(indicator_query, limit, page):
"""
Get Demisto indicators list using demisto.searchIndicators
Args:
indicator_query (str): The query demisto.searchIndicators use to find indicators
limit (int): The amount of indicators the user want to add to reference set
page (int): Page's number the user would like to start from
Returns:
list, list: List of indicators values and a list with all indicators data
"""
indicators_values_list = []
indicators_data_list = []
fetched_iocs = demisto.searchIndicators(query=indicator_query, page=page, size=limit).get('iocs')
for indicator in fetched_iocs:
indicators_values_list.append(indicator['value'])
indicators_data_list.append({
'Value': indicator['value'],
'Type': indicator['indicator_type']
})
return indicators_values_list, indicators_data_list
def get_indicator_xdr_score(indicator: str, xdr_server: int):
"""
the goal is to avoid reliability changes.
for example if some feed with reliability 'C' give as the indicator 88.88.88.88 with score 1 (good)
we dont wont that xdr will also return with 1 and reliability 'A' so the score will be 0 (unknown).
and we will update only on a case that someone really changed th indicator in xdr.
:param indicator: the indicator (e.g. 88.88.88.88)
:param xdr_server: the score in xdr (e.g. GOOD, BAD ...)
:return: the current score (0 - 3)
"""
xdr_local: int = 0
score = 0
if indicator:
ioc = demisto.searchIndicators(value=indicator).get('iocs')
if ioc:
ioc = ioc[0]
score = ioc.get('score', 0)
temp: Dict = next(filter(is_xdr_data, ioc.get('moduleToFeedMap', {}).values()), {})
xdr_local = temp.get('score', 0)
if xdr_server != score:
return xdr_server
else:
return xdr_local
def get_iocs(page=0, size=200, query=None) -> List:
return demisto.searchIndicators(query=query if query else Client.query, page=page, size=size).get('iocs', [])
def get_iocs_size(query=None) -> int:
return demisto.searchIndicators(query=query if query else Client.query, page=0, size=1).get('total', 0)
import demistomock as demisto
from CommonServerPython import *
res = demisto.searchIndicators(query='type:"MITRE ATT&CK" and investigationsCount:>0')
indicators = []
for ind in res['iocs']:
indicators.append({
'Value': dict_safe_get(ind, ['value']),
'Name': dict_safe_get(ind, ['CustomFields', 'mitrename']),
'Phase Name': dict_safe_get(ind, ['CustomFields', 'mitrekillchainphases', 0, 'phase_name']),
'Description': dict_safe_get(ind, ['CustomFields', 'mitredescription']),
})
temp = tableToMarkdown('MITRE ATT&CK techniques by open Incidents', indicators,
headers=['Value', 'Name', 'Phase Name', 'Description'])
return_outputs(temp)
