def _lookup_domain(self, params):
action_result = self.add_action_result(ActionResult(dict(params)))
domain = params[HAVEIBEENPWNED_ACTION_PARAM_DOMAIN]
if phantom.is_url(domain):
domain = phantom.get_host_from_url(domain).replace("www.", "")
if "www." in domain:
domain = domain.replace("www.", "")
endpoint = HAVEIBEENPWNED_API_ENDPOINT_LOOKUP_DOMAIN
kwargs = {HAVEIBEENPWEND_PARAM_DOMAIN_KEY: domain}
ret_val, response = self._make_rest_call(endpoint, params=kwargs)
if (phantom.is_fail(ret_val)):
return action_result.set_status(phantom.APP_ERROR,
HAVEIBEENPWNED_REST_CALL_ERR,
response)
for item in response:
action_result.add_data(item)
action_result.set_summary(
{HAVEIBEENPWNED_TOTAL_BREACHES: len(response)})
return action_result.set_status(phantom.APP_SUCCESS,
HAVEIBEENPWNED_LOOKUP_DOMAIN_SUCCESS)
def _extract_urls_domains(self, file_data, urls, domains):
if not self._config[
PROC_EMAIL_JSON_EXTRACT_DOMAINS] and not self._config[
PROC_EMAIL_JSON_EXTRACT_URLS]:
return
# try to load the email
try:
soup = BeautifulSoup(file_data, "html.parser")
except Exception as e:
self._base_connector.debug_print(e)
return
uris = []
# get all tags that have hrefs
links = soup.find_all(href=True)
if links:
# it's html, so get all the urls
uris = [
x['href'] for x in links
if (not x['href'].startswith('mailto:'))
]
# work on the text part of the link, they might be http links different from the href
# and were either missed by the uri_regexc while parsing text or there was no text counterpart
# in the email
uri_text = [self._clean_url(x.get_text()) for x in links]
if uri_text:
uri_text = [x for x in uri_text if x.startswith('http')]
if uri_text:
uris.extend(uri_text)
else:
# Parse it as a text file
uris = re.findall(uri_regexc, file_data)
if uris:
uris = [self._clean_url(x) for x in uris]
if self._config[PROC_EMAIL_JSON_EXTRACT_URLS]:
# add the uris to the urls
urls |= set(uris)
if self._config[PROC_EMAIL_JSON_EXTRACT_DOMAINS]:
for uri in uris:
domain = phantom.get_host_from_url(uri)
if domain and not self._is_ip(domain):
domains.add(domain)
# work on any mailto urls if present
if links:
mailtos = [
x['href'] for x in links
if (x['href'].startswith('mailto:'))
]
for curr_email in mailtos:
domain = curr_email[curr_email.find('@') + 1:]
if domain and not self._is_ip(domain):
domains.add(domain)
return
def _domain_reputation(self, param):
action_result = self.add_action_result(ActionResult(dict(param)))
summary_data = action_result.update_summary({})
# Getting mandatory input params
domain = param[DEEPSIGHT_JSON_DOMAIN]
# Convert URL to domain
if phantom.is_url(domain):
domain = phantom.get_host_from_url(domain)
return_val, resp = self._make_rest_call(
DEEPSIGHT_ENDPOINT_DOMAINS.format(domain=domain), action_result)
# Something went wrong with the request
if phantom.is_fail(return_val):
return action_result.get_status()
# Resource not found is treated as app success
if (resp.get(DEEPSIGHT_JSON_RESOURCE_NOT_FOUND)):
return action_result.set_status(
phantom.APP_SUCCESS,
DEEPSIGHT_REST_RESP_RESOURCE_NOT_FOUND_MSG)
json_resp = resp.get(DEEPSIGHT_JSON_RESPONSE)
action_result.add_data(json_resp)
if 'reputation' in json_resp:
summary_data['reputation'] = json_resp['reputation']
if 'confidence' in json_resp:
summary_data['confidence'] = json_resp['confidence']
if 'hostility' in json_resp:
summary_data['hostility'] = json_resp['hostility']
if 'whitelisted' in json_resp:
summary_data['whitelisted'] = json_resp['whitelisted']
if 'lastSeen' in json_resp:
summary_data['last_seen'] = json_resp['lastSeen']
return action_result.set_status(phantom.APP_SUCCESS)
def _whois_domain(self, param):
action_result = self.add_action_result(ActionResult(dict(param)))
# Progress
self.save_progress(INVESTIGATE_USING_BASE_URL, base_url=self._base_url)
# Connectivity
self.save_progress(phantom.APP_PROG_CONNECTING_TO_ELLIPSES, self._host)
domain = param[INVESTIGATE_JSON_DOMAIN]
# Assume that it is a url
hostname = phantom.get_host_from_url(domain)
# If it is a URL then the hostname will get extracted else use the domain as is
if (hostname):
domain = hostname
slash_pos = domain.find('/')
if (slash_pos != -1):
domain = domain[:slash_pos]
endpoint = '/whois/{0}'.format(domain)
ret_val, response, status_code = self._make_rest_call(endpoint, None, action_result)
if (phantom.is_fail(ret_val)):
self.debug_print(action_result.get_message())
return action_result.set_status(phantom.APP_ERROR, action_result.get_message())
action_result.add_data(response)
summary = action_result.update_summary({})
summary[INVESTIGATE_REG_ORG] = response.get('registrantOrganization', '')
summary[INVESTIGATE_REG_CITY] = response.get('registrantCity', '')
summary[INVESTIGATE_REG_COUNTRY] = response.get('registrantCountry', '')
return action_result.set_status(phantom.APP_SUCCESS)
def _hunt_domain(self, param):
action_result = self.add_action_result(ActionResult(dict(param)))
summary_data = action_result.update_summary({})
# Getting mandatory input params
domain = param[PHISHME_JSON_DOMAIN]
# Convert URL to domain
if phantom.is_url(domain):
domain = phantom.get_host_from_url(domain)
# Getting optional parameter
max_threat_cnt = int(param.get(PHISHME_JSON_MAX_THREAT_COUNT, PHISHME_DEFAULT_MAX_THREAT_COUNT))
data = {'domain': domain}
return_value, json_resp = self._threat_search(data, max_threat_cnt, action_result)
# Something went wrong with the request
if phantom.is_fail(return_value):
self.debug_print(action_result.get_message())
return action_result.get_status()
# Resource not found is treated as app success
# Empty threats is also treated as app success
if not json_resp or not json_resp["data"]["threats"]:
return action_result.set_status(phantom.APP_SUCCESS, PHISHME_REST_RESP_RESOURCE_NOT_FOUND_MSG)
# Get the required data to dump in action result
data_to_add = self._parse_response(json_resp, ioc_type='Domain Name', param_value=domain)
action_result.add_data(data_to_add)
total_threats = len(json_resp["data"]["threats"])
summary_data['total_threats'] = total_threats
return action_result.set_status(phantom.APP_SUCCESS)
def _extract_domain_from_url(url):
domain = phantom.get_host_from_url(url)
if domain and not _is_ip(domain):
return domain
return None