import demistomock as demisto # noqa: F401
from CommonServerPython import * # noqa: F401
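def get_indicator_from_value(indicator_value):
    """Look up the stored indicator object for *indicator_value*.

    Runs the ``findIndicators`` command and returns the first element of its
    ``Contents``.  Returns ``None`` (and never raises) when the value is
    empty, the command fails, or the result is not an indicator dict, so the
    caller can treat "unknown indicator" and "lookup failed" alike.

    Args:
        indicator_value: the raw ``input`` argument; anything falsy is
            treated as "no indicator" without running a lookup.

    Returns:
        The indicator dict, or ``None``.
    """
    if not indicator_value:
        return None
    try:
        res = demisto.executeCommand("findIndicators", {'value': indicator_value})
        indicator = res[0]['Contents'][0]
    except Exception as exc:
        # Best-effort lookup: an empty result set has no element 0 and a
        # missing key means an unexpected entry shape.  Record the reason
        # instead of hiding it, since a failed lookup means no verdict is set.
        demisto.debug('findIndicators failed for {}: {}'.format(indicator_value, exc))
        return None
    # An error entry carries its message as a string in ``Contents``, so the
    # ``[0]`` above would silently yield a single character instead of raising.
    # Only a dict is a usable indicator.
    if not isinstance(indicator, dict):
        demisto.debug('findIndicators returned no indicator for {}'.format(indicator_value))
        return None
    return indicator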
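def get_indicator_result(indicator):
    """Score *indicator* against the ``threshold`` script argument.

    Runs ``maliciousRatio`` for ``indicator['value']`` and, when the returned
    ratio is strictly greater than the threshold, builds a note entry whose
    context sets a *suspicious* (2) DBotScore for the indicator.

    Args:
        indicator: an indicator dict with at least ``value`` and
            ``indicator_type`` keys (as returned by ``findIndicators``).

    Returns:
        The entry dict to pass to ``demisto.results``, or ``None`` when the
        ratio does not exceed the threshold -- callers must not emit ``None``.

    Raises:
        ValueError: the ``threshold`` argument is missing or not numeric.
            This is validated before any command runs so a misconfigured
            script fails fast instead of looking like "below threshold".
        KeyError, IndexError, TypeError: the ``maliciousRatio`` result does
            not have the expected ``[0]['Contents'][0]['maliciousRatio']``
            shape (propagated; the caller decides how to report it).
    """
    raw_threshold = demisto.args().get('threshold')
    if raw_threshold is None or str(raw_threshold).strip() == '':
        raise ValueError('The "threshold" argument is required')
    try:
        threshold = float(raw_threshold)
    except (TypeError, ValueError):
        raise ValueError('The "threshold" argument must be a number, got {!r}'.format(raw_threshold))

    res = demisto.executeCommand("maliciousRatio", {'value': indicator['value']})
    # Coerce so a ratio delivered as a string still compares numerically
    # rather than raising TypeError on the comparison below.
    mr_score = float(res[0]['Contents'][0]['maliciousRatio'])
    # Strict comparison, written exactly as the original predicate so an
    # unordered value (NaN) still yields "no verdict".
    if not mr_score > threshold:
        return None

    dbot_score = {
        'Type': indicator['indicator_type'].lower(),
        'Score': 2,  # suspicious
        'Vendor': 'DBot-MaliciousRatio',
        'Indicator': indicator['value'],
    }
    return {
        'Type': entryTypes['note'],
        'EntryContext': {'DBotScore': dbot_score},
        'Contents': dbot_score['Score'],
        'ContentsFormat': formats['text'],
        'HumanReadable': 'Malicious ratio for %s is %.2f' % (indicator['value'], mr_score),
        'ReadableContentsFormat': formats['markdown'],
    }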
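def main():
    """Script entry point.

    Reads the ``input`` argument, resolves it to a stored indicator and, when
    its malicious ratio exceeds the ``threshold`` argument, emits an entry
    that marks it suspicious.  Scoring failures are logged rather than raised
    so the playbook continues, but they are no longer silent.
    """
    indicator_value = demisto.args().get('input')
    indicator = get_indicator_from_value(indicator_value)
    if not indicator:
        # Nothing to score: the value is unknown to the system or the lookup
        # failed (already logged by the lookup helper).
        return
    try:
        entry = get_indicator_result(indicator)
    except Exception as exc:
        # Best-effort reputation: keep the war room quiet but record why no
        # verdict was produced, so a missing/invalid threshold or a failed
        # maliciousRatio command is not invisible to the operator.
        demisto.error('MaliciousRatioReputation failed for {}: {}'.format(indicator_value, exc))
        return
    # Below-threshold lookups return None; do not hand that to results().
    if entry is not None:
        demisto.results(entry)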
# The XSOAR script runtime executes this file with ``__name__`` set to the
# builtins module name ("__builtin__" on Python 2, "builtins" on Python 3),
# not "__main__", so that is the guard used here.
if __name__ in ("__builtin__", "builtins"):
    main()