Core get-prevalence #19543
Core get-prevalence #19543
Changes from 16 commits
540b789
4cb01ec
083d588
927afe4
1a29d4d
aa32fe5
8b16d63
92def40
1f327b3
e1771cf
e0b3d57
05b2fd7
f6d4a45
f480a8e
ae2a057
346d0c3
ffde330
4340c2c
dc515c7
6cb9f52
|
@@ -10,14 +10,22 @@ | |||||||||
INTEGRATION_CONTEXT_BRAND = 'Core' | ||||||||||
INTEGRATION_NAME = 'Cortex Core - IR' | ||||||||||
|
||||||||||
|
||||||||||
XSOAR_RESOLVED_STATUS_TO_Core = { | ||||||||||
'Other': 'resolved_other', | ||||||||||
'Duplicate': 'resolved_duplicate', | ||||||||||
'False Positive': 'resolved_false_positive', | ||||||||||
'Resolved': 'resolved_true_positive', | ||||||||||
} | ||||||||||
|
||||||||||
PREVALENCE_COMMANDS = { | ||||||||||
'core-get-hash-analytics-prevalence': 'hash', | ||||||||||
'core-get-IP-analytics-prevalence': 'ip', | ||||||||||
'core-get-domain-analytics-prevalence': 'domain', | ||||||||||
'core-get-process-analytics-prevalence': 'process', | ||||||||||
'core-get-registry-analytics-prevalence': 'registry', | ||||||||||
'core-get-cmd-analytics-prevalence': 'cmd', | ||||||||||
} | ||||||||||
|
||||||||||
|
||||||||||
class Client(CoreClient): | ||||||||||
|
||||||||||
|
@@ -49,6 +57,10 @@ def report_incorrect_wildfire(self, file_hash: str, new_verdict: int, reason: st | |||||||||
|
||||||||||
return reply | ||||||||||
|
||||||||||
def get_prevalence(self, request_data: dict): | ||||||||||
reply = self._http_request(method='POST', json_data={'request_data': request_data}, headers=self._headers) | ||||||||||
return json.loads(reply) # TODO should be change once the XDR fix it on their side | ||||||||||
|
||||||||||
|
||||||||||
def report_incorrect_wildfire_command(client: Client, args) -> CommandResults: | ||||||||||
file_hash = args.get('file_hash') | ||||||||||
|
@@ -69,6 +81,59 @@ def report_incorrect_wildfire_command(client: Client, args) -> CommandResults: | |||||||||
) | ||||||||||
|
||||||||||
|
||||||||||
def handle_prevalence_command(client: Client, command: str, args: dict): | ||||||||||
key_names_in_response = { | ||||||||||
'ip': 'ip_address', | ||||||||||
'domain': 'domain_name', | ||||||||||
'process': 'process_name', | ||||||||||
'cmd': 'process_command_line', | ||||||||||
'hash': 'sha256', | ||||||||||
'registry': 'key_name' | ||||||||||
} | ||||||||||
args.pop('integration_context_brand', None) | ||||||||||
args.pop('integration_name', None) | ||||||||||
if command == 'core-get-registry-analytics-prevalence': | ||||||||||
# arg list should in the following structure: | ||||||||||
# args: [ | ||||||||||
# {"key_name": "some_key1", "value_name": "some_value1"}, | ||||||||||
# {"key_name": "some_key2", "value_name": "some_value2"} | ||||||||||
# ] | ||||||||||
|
||||||||||
args_list = [] | ||||||||||
keys = argToList(args.get('key_name')) | ||||||||||
values = argToList(args.get('value_name')) | ||||||||||
if len(keys) != len(values): | ||||||||||
raise DemistoException('Number of elements in key_name argument should be equal to the number ' | ||||||||||
'of elements in value_name argument.') | ||||||||||
for i in range(len(keys)): | ||||||||||
args_list.append({'key_name': keys[i], 'value_name': values[i]}) | ||||||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This is python, not C.
|
||||||||||
else: | ||||||||||
args_list = [] | ||||||||||
for key, value in args.items(): | ||||||||||
values = argToList(value) | ||||||||||
for val in values: | ||||||||||
args_list.append({key: val}) | ||||||||||
|
||||||||||
request_body = { | ||||||||||
'api_id': command, | ||||||||||
'args': args_list | ||||||||||
} | ||||||||||
res = client.get_prevalence(request_body).get('results', []) | ||||||||||
command_type = PREVALENCE_COMMANDS[command] | ||||||||||
return CommandResults( | ||||||||||
readable_output=tableToMarkdown(string_to_table_header(f'{command_type} Prevalence'), | ||||||||||
[{ | ||||||||||
key_names_in_response[command_type]: item.get('args', {}).get( | ||||||||||
key_names_in_response[command_type]), | ||||||||||
'Prevalence': item.get('value') | ||||||||||
} for item in res], | ||||||||||
headerTransform=string_to_table_header), | ||||||||||
outputs_prefix=f'{INTEGRATION_CONTEXT_BRAND}.AnalyticsPrevalence.{command_type.title()}', | ||||||||||
outputs=res, | ||||||||||
raw_response=res, | ||||||||||
) | ||||||||||
|
||||||||||
|
||||||||||
def main(): # pragma: no cover | ||||||||||
""" | ||||||||||
Executes an integration command | ||||||||||
|
@@ -81,6 +146,8 @@ def main(): # pragma: no cover | |||||||||
api_key = demisto.params().get('apikey') | ||||||||||
api_key_id = demisto.params().get('apikey_id') | ||||||||||
url = demisto.params().get('url') | ||||||||||
url_suffix = '/xsiam/' if command in PREVALENCE_COMMANDS else "/public_api/v1" | ||||||||||
|
||||||||||
if not api_key or not api_key_id or not url: | ||||||||||
headers = { | ||||||||||
"HOST": demisto.getLicenseCustomField("Core.ApiHostName"), | ||||||||||
|
@@ -97,7 +164,7 @@ def main(): # pragma: no cover | |||||||||
} | ||||||||||
add_sensitive_log_strs(api_key) | ||||||||||
|
||||||||||
base_url = urljoin(url, '/public_api/v1') | ||||||||||
base_url = urljoin(url, url_suffix) | ||||||||||
proxy = demisto.params().get('proxy') | ||||||||||
verify_cert = not demisto.params().get('insecure', False) | ||||||||||
|
||||||||||
|
@@ -372,6 +439,9 @@ def main(): # pragma: no cover | |||||||||
elif command == 'core-get-dynamic-analysis': | ||||||||||
return_results(get_dynamic_analysis_command(client, args)) | ||||||||||
|
||||||||||
elif command in PREVALENCE_COMMANDS: | ||||||||||
return_results(handle_prevalence_command(client, command, args)) | ||||||||||
|
||||||||||
except Exception as err: | ||||||||||
demisto.error(traceback.format_exc()) | ||||||||||
return_error(str(err)) | ||||||||||
|
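Review bot: In the `else` branch of `handle_prevalence_command` every key still present in `args` after the two `pop` calls is forwarded into the request body (`for key, value in args.items()`), so an unexpected or mistyped argument is silently sent to the API instead of being rejected, and there is no check that the one expected argument was supplied at all. Since `key_names_in_response[PREVALENCE_COMMANDS[command]]` already names the single argument each non-registry command accepts, reading only that key is tighter: `arg_name = key_names_in_response[PREVALENCE_COMMANDS[command]]`, `values = argToList(args.get(arg_name))`, `args_list = [{arg_name: val} for val in values]`, with a `DemistoException` when `values` is empty. The `pop` calls also mutate the caller's `args` dict; `args = dict(args)` first, or a comprehension that skips those two keys, would avoid the side effect. In `Client.get_prevalence`, `json.loads(reply)` will raise `TypeError` if `_http_request` ever returns an already-parsed dict, which appears to be what the TODO anticipates; `return reply if isinstance(reply, dict) else json.loads(reply)` handles both shapes without a follow-up edit. The `main` function starts and ends outside these hunks.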
|
@@ -3088,6 +3088,146 @@ script: | |||||
- contextPath: Core.DynamicAnalysis.osSpawnerSigner | ||||||
description: '' | ||||||
type: String | ||||||
- arguments: | ||||||
- default: false | ||||||
description: The sha256 of a file. | ||||||
isArray: true | ||||||
name: sha256 | ||||||
required: true | ||||||
secret: false | ||||||
deprecated: false | ||||||
description: Get the prevalence of a file, identified by sha256. | ||||||
execution: false | ||||||
hidden: false | ||||||
name: core-get-hash-analytics-prevalence | ||||||
outputs: | ||||||
- contextPath: Core.AnalyticsPrevalence.Hash.value | ||||||
description: Whether the hash is prevalent or not. | ||||||
type: Boolean | ||||||
- contextPath: Core.AnalyticsPrevalence.Hash.data.global_prevalence | ||||||
description: The global prevalence of the hash. | ||||||
type: Unknown | ||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. update all output typing (unless they are not simple types) |
||||||
- contextPath: Core.AnalyticsPrevalence.Hash.data.local_prevalence | ||||||
description: The local prevalence of the hash. | ||||||
type: Unknown | ||||||
- arguments: | ||||||
- default: false | ||||||
description: The IP address. | ||||||
isArray: true | ||||||
name: ip_address | ||||||
predefined: | ||||||
- '' | ||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
|
||||||
required: true | ||||||
secret: false | ||||||
deprecated: false | ||||||
description: Get the prevalence of an ip, identified by ip_address. | ||||||
execution: false | ||||||
hidden: false | ||||||
name: core-get-IP-analytics-prevalence | ||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. commands should be all lower-case.
|
||||||
outputs: | ||||||
- contextPath: Core.AnalyticsPrevalence.Ip.value | ||||||
description: Whether the IP address is prevalent or not. | ||||||
type: Boolean | ||||||
- contextPath: Core.AnalyticsPrevalence.Ip.data.global_prevalence | ||||||
description: The global prevalence of the IP. | ||||||
type: Unknown | ||||||
- contextPath: Core.AnalyticsPrevalence.Ip.data.local_prevalence | ||||||
description: The local prevalence of the IP. | ||||||
type: Unknown | ||||||
- arguments: | ||||||
- default: false | ||||||
description: The domain name. | ||||||
isArray: true | ||||||
name: domain_name | ||||||
required: true | ||||||
secret: false | ||||||
deprecated: false | ||||||
description: Get the prevalence of a domain, identified by domain_name. | ||||||
execution: false | ||||||
hidden: false | ||||||
name: core-get-domain-analytics-prevalence | ||||||
outputs: | ||||||
- contextPath: Core.AnalyticsPrevalence.Domain.value | ||||||
description: Whether the domain is prevalent or not. | ||||||
type: Boolean | ||||||
- contextPath: Core.AnalyticsPrevalence.Domain.data.global_prevalence | ||||||
description: The global prevalence of the domain. | ||||||
type: Unknown | ||||||
- contextPath: Core.AnalyticsPrevalence.Domain.data.local_prevalence | ||||||
description: The local prevalence of the domain. | ||||||
type: Unknown | ||||||
- arguments: | ||||||
- default: false | ||||||
description: The process name. | ||||||
isArray: true | ||||||
name: process_name | ||||||
required: true | ||||||
secret: false | ||||||
deprecated: false | ||||||
description: Get the prevalence of a process, identified by process_name. | ||||||
execution: false | ||||||
hidden: false | ||||||
name: core-get-process-analytics-prevalence | ||||||
outputs: | ||||||
- contextPath: Core.AnalyticsPrevalence.Process.value | ||||||
description: Whether the process is prevalent or not. | ||||||
type: Boolean | ||||||
- contextPath: Core.AnalyticsPrevalence.Process.data.global_prevalence | ||||||
description: The global prevalence of the process. | ||||||
type: Unknown | ||||||
- contextPath: Core.AnalyticsPrevalence.Process.data.local_prevalence | ||||||
description: The local prevalence of the process. | ||||||
type: Unknown | ||||||
- arguments: | ||||||
- default: false | ||||||
description: The key name of a registry path. | ||||||
isArray: true | ||||||
name: key_name | ||||||
required: true | ||||||
secret: false | ||||||
- default: false | ||||||
description: The value name of a registry path. | ||||||
isArray: true | ||||||
name: value_name | ||||||
required: true | ||||||
secret: false | ||||||
deprecated: false | ||||||
description: Get the prevalence of a registry_path, identified by key_name, value_name. | ||||||
execution: false | ||||||
hidden: false | ||||||
name: core-get-registry-analytics-prevalence | ||||||
outputs: | ||||||
- contextPath: Core.AnalyticsPrevalence.Registry.value | ||||||
description: Whether the registry is prevalent or not. | ||||||
type: Boolean | ||||||
- contextPath: Core.AnalyticsPrevalence.Registry.data.global_prevalence | ||||||
description: The global prevalence of the registry. | ||||||
type: Unknown | ||||||
- contextPath: Core.AnalyticsPrevalence.Registry.data.local_prevalence | ||||||
description: The local prevalence of the registry. | ||||||
type: Unknown | ||||||
- arguments: | ||||||
- default: false | ||||||
description: The process command line. | ||||||
isArray: true | ||||||
name: process_command_line | ||||||
required: true | ||||||
secret: false | ||||||
deprecated: false | ||||||
description: Get the prevalence of a process_command_line, identified by process_command_line. | ||||||
execution: false | ||||||
hidden: false | ||||||
name: core-get-cmd-analytics-prevalence | ||||||
outputs: | ||||||
- contextPath: Core.AnalyticsPrevalence.Cmd.value | ||||||
description: Whether the CMD is prevalent or not. | ||||||
type: Boolean | ||||||
- contextPath: Core.AnalyticsPrevalence.Cmd.data.global_prevalence | ||||||
description: The global prevalence of the CMD. | ||||||
type: Unknown | ||||||
- contextPath: Core.AnalyticsPrevalence.Cmd.data.local_prevalence | ||||||
description: The local prevalence of the CDM. | ||||||
type: Unknown | ||||||
feed: false | ||||||
isfetch: false | ||||||
longRunning: false | ||||||
|
@@ -3096,7 +3236,7 @@ script: | |||||
script: '-' | ||||||
subtype: python3 | ||||||
type: python | ||||||
dockerimage: demisto/python3:3.10.4.29342 | ||||||
dockerimage: demisto/python3:3.10.4.30607 | ||||||
tests: | ||||||
- No tests | ||||||
fromversion: 6.2.0 |
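Review bot: The declared outputs for each prevalence command list only `value`, `data.global_prevalence` and `data.local_prevalence`, but the Python side also reads `item.get('args', {}).get(<identifier>)` from every result and returns the whole item as `outputs`, so the echoed identifier (e.g. `Core.AnalyticsPrevalence.Hash.args.sha256`) lands in context undocumented; if the API does return it, add a `contextPath` entry per command for it, with a description such as `The sha256 that was queried.`. The last description under `core-get-cmd-analytics-prevalence` reads `The local prevalence of the CDM.` and should be `The local prevalence of the CMD.`, matching the two lines above it. The docker image bump in the final hunk needs no review.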
PEP8