Latest community apps

ibmresilient · Apr 2, 2019 · f161e79 · f161e79
1 parent 531d8f5
commit f161e79
Show file tree

Hide file tree

Showing 155 changed files with 10,779 additions and 0 deletions.
diff --git a/fn_bluecoat_site_review/MANIFEST.in b/fn_bluecoat_site_review/MANIFEST.in
@@ -0,0 +1,3 @@
+include README.md
+include fn_bluecoat_site_review/util/*
+include fn_bluecoat_site_review/LICENSE
diff --git a/fn_bluecoat_site_review/README.md b/fn_bluecoat_site_review/README.md
@@ -0,0 +1,203 @@
+# Bluecoat Site Review
+## Introduction
+This function provides data enrichment on DNS Names and URLs available from Symantec [WebPulse (formally Bluecoat) Site Review](https://sitereview.bluecoat.com) to enrich 
+artifact values. 
+
+## Installation
+
+Install the function package by first unpacking the .zip file exposing the .tar.gz file.
+
+To install in "development mode"
+
+    [sudo] pip install -e ./fn_bluecoat_site_review/
+
+or to the python libraries
+
+    [sudo] pip install fn_bluecoat_site_review-1.0.0.tar.gz
+
+To configure `app.conf`, run
+
+    resilient-circuits config [-c or -u] -l fn-bluecoat-site-review
+
+To load Resilient with all the object definitions needed for use, run
+
+    resilient-circuits customize -l fn-bluecoat-site-review
+
+After installation, the package will be loaded and executed with `resilient-circuits run`.
+
+To uninstall:
+
+    [sudo] pip uninstall fn-bluecoat-site-review
+
+## Components
+The following components are loaded into Resilient
+
++ Function: Bluecoat Site Review Lookup
++ Workflow: Example: Bluecoat Site Review Search
++ Rule: Example: Bluecoat Site Review
+
+The sample rule is enabled for DNS and URL type artifacts
+
+## Results
+The resulting data is appended in the artifact's description field. Your process may parse
+and process the data differently. A sample note in the description field is:
+
+```
+Bluecoat Categorization: Suspicious, Spam
+```
+
+This is produced by the following post-processing script:
+
+```
+if isinstance(results.content['CategorizationResult']['categorization']['categorization'],list):
+  categorization_list = [categorization['name'] for categorization in results.content['CategorizationResult']['categorization']['categorization']]
+  categorization_name = u", ".join(categorization_list)
+else:
+  categorization_name = results.content['CategorizationResult']['categorization']['categorization']['name']
+  
+existing_description = artifact.description.content+'\n' if artifact.description else ""
+
+artifact.description = u"{}Bluecoat Categorization: {}".format(existing_description, categorization_name)
+```
+
+Below is a sample result from the function returning multiple categorizations:
+
+### Sample results
+```
+{
+  'inputs': {
+    u'incident_id': 2104,
+    u'artifact_value': u'http://avts.vn/hejxjrzjys/3978861743009/OCRjH-YuO_VcE-MgR/'
+  },
+  'metrics': {
+    'package': 'fn-bluecoat-site-review',
+    'timestamp': '2019-03-25 19:28:28',
+    'package_version': '1.0.0',
+    'host': 'marks-mbp.cambridge.ibm.com',
+    'version': '1.0',
+    'execution_time_ms': 139
+  },
+  'success': True,
+  'content': {
+    u'CategorizationResult': {
+      u'categorization': {
+        u'categorization': [
+          {
+            u'num': u'92',
+            u'name': u'Suspicious'
+          },
+          {
+            u'num': u'101',
+            u'name': u'Spam'
+          }
+        ]
+      },
+      u'locked': u'false',
+      u'translatedCategories': {
+        u'fr': [
+          {
+            u'num': u'92',
+            u'name': u'Suspect (Suspicious)'
+          },
+          {
+            u'num': u'101',
+            u'name': u'Spam (Spam)'
+          }
+        ],
+        u'de': [
+          {
+            u'num': u'92',
+            u'name': u'Verd\xe4chtig (Suspicious)'
+          },
+          {
+            u'num': u'101',
+            u'name': u'Spam (Spam)'
+          }
+        ],
+        u'zh': [
+          {
+            u'num': u'92',
+            u'name': u'\u53ef\u7591 (Suspicious)'
+          },
+          {
+            u'num': u'101',
+            u'name': u'\u5783\u573e\u90ae\u4ef6 (Spam)'
+          }
+        ],
+        u'zh_TW': [
+          {
+            u'num': u'92',
+            u'name': u'\u53ef\u7591 (Suspicious)'
+          },
+          {
+            u'num': u'101',
+            u'name': u'\u5783\u573e\u90f5\u4ef6 (Spam)'
+          }
+        ],
+        u'en': [
+          {
+            u'num': u'92',
+            u'name': u'Suspicious'
+          },
+          {
+            u'num': u'101',
+            u'name': u'Spam'
+          }
+        ],
+        u'ja': [
+          {
+            u'num': u'92',
+            u'name': u'\u7591\u308f\u3057\u3044 (Suspicious)'
+          },
+          {
+            u'num': u'101',
+            u'name': u'\u30b9\u30d1\u30e0 (Spam)'
+          }
+        ],
+        u'es': [
+          {
+            u'num': u'92',
+            u'name': u'Sospechoso (Suspicious)'
+          },
+          {
+            u'num': u'101',
+            u'name': u'Spam (Spam)'
+          }
+        ]
+      },
+      u'url': u'http://avts.vn/hejxjrzjys/3978861743009/OCRjH-YuO_VcE-MgR/',
+      u'rateDate': u"Last Time Rated/Reviewed: > {{days}} days {{legacy}}The URL submitted for review was rated more than {{days}} days ago.  The default setting for Symantec SG clients to download rating changes is once a day.  There is no need to show ratings older than this. Since Symantec's desktop client K9 and certain OEM partners update differently, ratings may differ from those of a Symantec SG as well as those present on the Site Review Tool.",
+      u'followedUrl': None,
+      u'lockedSpecialNote': None,
+      u'threatriskLevelEn': None,
+      u'linkable': u'false',
+      u'resolvedDetail': {
+        u'resolveEnabled': u'true',
+        u'ipAddress': u'103.28.36.58'
+      },
+      u'securityCategoryIds': {
+        u'securityCategoryIds': [
+          u'43',
+          u'102',
+          u'44',
+          u'92',
+          u'18'
+        ]
+      },
+      u'multipleMessage': None,
+      u'suggestion': None,
+      u'securityCategory': u'true',
+      u'ratingDtsCutoff': u'7',
+      u'multiple': u'false',
+      u'unrated': u'false',
+      u'curTrackingId': u'478710',
+      u'ratingDts': u'OLDER',
+      u'lockedMessage': None,
+      u'threatriskLevel': None
+    }
+  },
+  'raw': '{"CategorizationResult": {"categorization": {"categorization": [{"num": "92", "name": "Suspicious"}, {"num": "101", "name": "Spam"}]}, "locked": "false", "translatedCategories": {"fr": [{"num": "92", "name": "Suspect (Suspicious)"}, {"num": "101", "name": "Spam (Spam)"}], "de": [{"num": "92", "name": "Verd\\u00e4chtig (Suspicious)"}, {"num": "101", "name": "Spam (Spam)"}], "zh": [{"num": "92", "name": "\\u53ef\\u7591 (Suspicious)"}, {"num": "101", "name": "\\u5783\\u573e\\u90ae\\u4ef6 (Spam)"}], "zh_TW": [{"num": "92", "name": "\\u53ef\\u7591 (Suspicious)"}, {"num": "101", "name": "\\u5783\\u573e\\u90f5\\u4ef6 (Spam)"}], "en": [{"num": "92", "name": "Suspicious"}, {"num": "101", "name": "Spam"}], "ja": [{"num": "92", "name": "\\u7591\\u308f\\u3057\\u3044 (Suspicious)"}, {"num": "101", "name": "\\u30b9\\u30d1\\u30e0 (Spam)"}], "es": [{"num": "92", "name": "Sospechoso (Suspicious)"}, {"num": "101", "name": "Spam (Spam)"}]}, "url": "http://avts.vn/hejxjrzjys/3978861743009/OCRjH-YuO_VcE-MgR/", "rateDate": "Last Time Rated/Reviewed: > {{days}} days {{legacy}}The URL submitted for review was rated more than {{days}} days ago.  The default setting for Symantec SG clients to download rating changes is once a day.  There is no need to show ratings older than this. Since Symantec\'s desktop client K9 and certain OEM partners update differently, ratings may differ from those of a Symantec SG as well as those present on the Site Review Tool.", "followedUrl": null, "lockedSpecialNote": null, "threatriskLevelEn": null, "linkable": "false", "resolvedDetail": {"resolveEnabled": "true", "ipAddress": "103.28.36.58"}, "securityCategoryIds": {"securityCategoryIds": ["43", "102", "44", "92", "18"]}, "multipleMessage": null, "suggestion": null, "securityCategory": "true", "ratingDtsCutoff": "7", "multiple": "false", "unrated": "false", "curTrackingId": "478710", "ratingDts": "OLDER", "lockedMessage": null, "threatriskLevel": null}}',
+  'reason': None,
+  'version': '1.0'
+}
+```
diff --git a/fn_bluecoat_site_review/README.pdf b/fn_bluecoat_site_review/README.pdf
diff --git a/fn_bluecoat_site_review/fn_bluecoat_site_review/LICENSE b/fn_bluecoat_site_review/fn_bluecoat_site_review/LICENSE
@@ -0,0 +1,19 @@
+Copyright © IBM Corporation 2010, 2019
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+IN THE SOFTWARE.
diff --git a/fn_bluecoat_site_review/fn_bluecoat_site_review/__init__.py b/fn_bluecoat_site_review/fn_bluecoat_site_review/__init__.py
@@ -0,0 +1,5 @@
+import pkg_resources
+try:
+    __version__ = pkg_resources.get_distribution(__name__).version
+except pkg_resources.DistributionNotFound:
+    pass
diff --git a/fn_bluecoat_site_review/fn_bluecoat_site_review/components/__init__.py b/fn_bluecoat_site_review/fn_bluecoat_site_review/components/__init__.py
@@ -0,0 +1 @@
+#
diff --git a/fn_bluecoat_site_review/fn_bluecoat_site_review/components/bluecoat_site_review_lookup.py b/fn_bluecoat_site_review/fn_bluecoat_site_review/components/bluecoat_site_review_lookup.py
@@ -0,0 +1,79 @@
+# -*- coding: utf-8 -*-
+# (c) Copyright IBM Corporation 2010, 2019. All Rights Reserved.
+# pragma pylint: disable=unused-argument, no-self-use
+"""Function implementation"""
+
+import logging
+import json
+import xmltodict
+from resilient_lib import RequestsCommon, ResultPayload
+from resilient_circuits import ResilientComponent, function, handler, StatusMessage, FunctionResult, FunctionError
+
+
+PACKAGE = "fn_bluecoat_site_review"
+HEADERS = {"User-Agent": "Mozilla/5.0", "Content-Type": "application/json"}
+
+
+class FunctionComponent(ResilientComponent):
+    """Component that implements Resilient function 'bluecoat_site_review_lookup"""
+
+    def __init__(self, opts):
+        """constructor provides access to the configuration options"""
+        super(FunctionComponent, self).__init__(opts)
+        self.opts = opts
+        self.options = opts.get(PACKAGE, {})
+
+    @handler("reload")
+    def _reload(self, event, opts):
+        """Configuration options have changed, save new values"""
+        self.opts = opts
+        self.options = opts.get(PACKAGE, {})
+
+    @function("bluecoat_site_review_lookup")
+    def _bluecoat_site_review_lookup_function(self, event, *args, **kwargs):
+        """Function: This function takes an artifact of type URL or DNS name and returns those results as a json object."""
+
+        try:
+            # Get the function parameters:
+            artifact_value = kwargs.get("artifact_value")  # text
+
+            log = logging.getLogger(__name__)
+            log.info("artifact_value: %s", artifact_value)
+
+            fr = ResultPayload(PACKAGE, **kwargs)
+            # Assignment for successful completion of the code
+            results_flag = True
+
+            yield StatusMessage("starting...")
+
+            response_json = self.sitereview(self.options['url'], artifact_value)
+
+            # handles if there is no result in the JSON Return Object:
+            msg = None
+            if response_json is None:
+                msg = "There were no results..."
+                log.debug(msg)
+                results_flag = False
+            else:
+                # This handles if the categorizaton is a list in the JSON object that needs to be traversed/isolated or not
+                if response_json.get('FailedResult'):
+                    results_flag = False
+                    msg = response_json.get('FailedResult')
+
+            yield StatusMessage("done...")
+
+            results_payload = fr.done(results_flag, response_json, msg)
+            # Produce a FunctionResult with the results
+            yield FunctionResult(results_payload)
+        except Exception:
+            yield FunctionError()
+
+    def sitereview(self, url, value):
+        payload = {"url": value, "captcha":""}
+
+        rc = RequestsCommon(self.opts, self.options)
+
+        result = rc.execute_call('post', url, payload=payload, headers=HEADERS, resp_type='text')
+
+        dict_to_str = json.dumps(xmltodict.parse(result))
+        return json.loads(dict_to_str)
diff --git a/fn_bluecoat_site_review/fn_bluecoat_site_review/util/__init__.py b/fn_bluecoat_site_review/fn_bluecoat_site_review/util/__init__.py
@@ -0,0 +1 @@
+#
diff --git a/fn_bluecoat_site_review/fn_bluecoat_site_review/util/config.py b/fn_bluecoat_site_review/fn_bluecoat_site_review/util/config.py
@@ -0,0 +1,17 @@
+# -*- coding: utf-8 -*-
+# (c) Copyright IBM Corporation 2010, 2019. All Rights Reserved.
+
+"""Generate a default configuration-file section for fn_bluecoat_site_review"""
+
+from __future__ import print_function
+
+
+def config_section_data():
+    """Produce the default configuration section for app.config,
+       when called by `resilient-circuits config [-c|-u]`
+    """
+    config_data = u"""[fn_bluecoat_site_review]
+url=https://sitereview.bluecoat.com/resource/lookup
+"""
+    return config_data
+