-
Notifications
You must be signed in to change notification settings - Fork 1.6k
/
DragosWorldview.yml
196 lines (196 loc) · 6.23 KB
/
DragosWorldview.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
category: Data Enrichment & Threat Intelligence
commonfields:
id: Dragos Worldview
version: -1
configuration:
- defaultvalue: https://portal.dragos.com
display: Server URL (e.g. https://portal.dragos.com)
name: url
required: true
type: 0
- display: API Token
name: credential_token
required: false
type: 9
displaypassword: API Token
hiddenusername: true
- display: API Key
name: credential_key
required: false
type: 9
displaypassword: API Key
hiddenusername: true
- display: API Token
name: apitoken
required: false
type: 4
hidden: true
- display: API Key
name: apikey
required: false
type: 4
hidden: true
- display: First fetch time
name: first_fetch
required: false
type: 0
defaultvalue: 3 days
- display: Trust any certificate (not secure)
name: insecure
type: 8
required: false
- display: Use system proxy settings
name: proxy
type: 8
required: false
- display: Incidents Fetch Interval
name: incidentFetchInterval
type: 19
required: false
defaultvalue: '1'
- display: Traffic Light Protocol Color
name: tlp_color
type: 15
required: false
additionalinfo: The Traffic Light Protocol (TLP) designation to apply to indicators
options:
- RED
- AMBER
- GREEN
- WHITE
- display: Fetch incidents
name: isFetch
type: 8
required: false
- display: Incident type
name: incidentType
type: 13
required: false
- display: Fetch Limit
name: max_fetch
type: 0
required: false
defaultvalue: '50'
description: 'Custom integration designed to pull in reports from the Dragos Worldview API as incidents.'
display: Dragos Worldview
name: Dragos Worldview
script:
commands:
- arguments:
- description: Exclude indicators that are only associated with Suspect Domain Reports (API default false).
name: exclude_suspect_domain
auto: PREDEFINED
predefined:
- 'true'
- 'false'
- description: Page number to start at (API default 1).
name: page
- description: Page size (API default 500) (must be less than 1001).
name: page_size
- description: UTC timestamp in YYYY-mm-dd (optionally with HH:mm:ss) to filter to recent indicators (default is within the last 48 hours).
name: updated_after
- description: Search for indicators that match a specific value.
name: value
- auto: PREDEFINED
description: Search for indicators of a specific type.
name: type
predefined:
- domain
- filename
- hostname
- ip
- md5
- sha1
- sha256
- description: List of Dragos report serial number to get indicators from.
isArray: true
name: serial
- description: List of tags to search for indicators.
isArray: true
name: tags
description: Get Indicators from the Dragos WorldView API, if no arguments are provided the command will retrieve all indicators from the last 48 hours.
name: dragos-get-indicators
outputs:
- contextPath: Dragos.Indicators.activity_groups
description: A list of activity groups.
- contextPath: Dragos.Indicators.attack_techniques
description: A list of attack techniques.
- contextPath: Dragos.Indicators.category
description: The Dragos Indicator's category.
type: string
- contextPath: Dragos.Indicators.comment
description: The Dragos Indicator's comment.
type: string
- contextPath: Dragos.Indicators.confidence
description: The Dragos Indicator's confidence.
type: string
- contextPath: Dragos.Indicators.first_seen
description: The first time the Indicator was seen in Dragos (yyyy-mm-ddThh:mm:ss.sssZ).
type: string
- contextPath: Dragos.Indicators.ics_attack_techniques
description: A list of ics attack techniques.
- contextPath: Dragos.Indicators.indicator_id
description: The Dragos Indicator's id.
type: number
- contextPath: Dragos.Indicators.indicator_type
description: The Dragos Indicator's type.
type: string
- contextPath: Dragos.Indicators.kill_chain
description: The Dragos Indicator's kill chain.
type: string
- contextPath: Dragos.Indicators.kill_chains
description: A list of kill chains.
- contextPath: Dragos.Indicators.last_seen
description: The last time the Indicator was seen in Dragos (yyyy-mm-ddThh:mm:ss.sssZ).
type: string
- contextPath: Dragos.Indicators.pre_attack_techniques
description: A list of pre-attack techniques.
- contextPath: Dragos.Indicators.products
description: A list of dictionaries, usually containing the serial numbers of related Dragos reports.
- contextPath: Dragos.Indicators.products.serial
description: The serial numbers of related Dragos reports.
- contextPath: Dragos.Indicators.severity
description: The Dragos Indicator's severity.
type: string
- contextPath: Dragos.Indicators.status
description: The Dragos Indicator's status.
type: string
- contextPath: Dragos.Indicators.threat_groups
description: A list of threat groups.
- contextPath: Dragos.Indicators.updated_at
description: The last time the Indicator was updated in Dragos (yyyy-mm-ddThh:mm:ss.sssZ).
type: string
- contextPath: Dragos.Indicators.uuid
description: The Dragos Indicator's uuid.
type: string
- contextPath: Dragos.Indicators.value
description: The Dragos Indicator's value.
type: string
- arguments:
- description: Serial number for the report to retrieve.
name: serial
required: true
description: Get the report file from the given serial number.
name: dragos-get-full-report
- arguments:
- description: Serial number of the report from which to get the file.
name: serial
required: true
description: Get csv file with indicators from a given report.
name: dragos-get-ioc-csv
- arguments:
- description: Serial number of the report from which to retrieve the file.
name: serial
required: true
description: Get the stix2 json bundle of indicators from a given report.
name: dragos-get-stix2
dockerimage: demisto/python3:3.10.13.78960
isFetchSamples: true
isfetch: true
script: ''
subtype: python3
type: python
runonce: false
fromversion: 6.2.0
tests:
- No tests (auto formatted)