ATDDetonate

Detonate File or URL through McAfee ATD.

python · McAfee Advanced Threat Defense

Source

from time import sleep

import demistomock as demisto  # noqa: F401
from CommonServerPython import *  # noqa: F401


def main():
    dArgs = demisto.args()

    timeout = 960
    if "timeout" in demisto.args():
        timeout = int(demisto.args()["timeout"])
    interval = 10
    if "interval" in demisto.args():
        interval = int(demisto.args()["interval"])

    taskID = ""

    # Upload file/url and get taskID
    resp = demisto.executeCommand("atd-file-upload", dArgs)
    if isError(resp[0]):
        demisto.results(resp)
        sys.exit(0)
    else:
        upload_res = demisto.get(resp[0], "Contents.results")
        if upload_res and isinstance(upload_res, list):
            taskID = demisto.get(upload_res[0], "taskId")
        else:
            demisto.results(
                {"Type": entryTypes["error"], "ContentsFormat": formats["text"], "Contents": "Coudn't extract TaskID from upload"}
            )
            sys.exit(0)

    if taskID == "-1":
        demisto.results({"Type": entryTypes["error"], "ContentsFormat": formats["text"], "Contents": "File type not supported"})
        sys.exit(0)

    # Poll stage ############
    status = None
    istate = None
    sec = 0

    atdDone = False
    while sec < timeout and not atdDone:
        # Get status
        resp = demisto.executeCommand("atd-check-status", {"taskId": taskID})
        if isError(resp[0]):
            demisto.results(resp)
            sys.exit(0)

        status = demisto.get(resp[0], "Contents.results.status")
        istate = demisto.get(resp[0], "Contents.results.istate")

        # find status
        if istate and int(istate) in [1, 2]:
            atdDone = True
        # continue loop
        else:
            sec += interval
            sleep(interval)  # pylint: disable=sleep-exists
    # Get results ############
    if not atdDone:
        demisto.results(
            {
                "Type": entryTypes["error"],
                "ContentsFormat": formats["text"],
                "Contents": f"Could not retrieve results from ATD (may be due to timeout). last status = {status}",
            }
        )
        sys.exit(0)
    if istate and int(istate) in [1, 2]:
        reportType = "json"
        if demisto.get(demisto.args(), "reportType"):
            reportType = demisto.args()["reportType"]
        demisto.results(demisto.executeCommand("atd-get-report", {"taskId": taskID, "type": reportType}))
    else:
        demisto.results(
            {
                "Type": entryTypes["error"],
                "ContentsFormat": formats["text"],
                "Contents": f"ATD: Failed to detonate source, exit status = {status}",
            }
        )


if __name__ == "__builtin__" or __name__ == "builtins":
    main()

README

Detonates a file or URL through McAfee ATD.

Script Data


Name Description
Script Type python
Tags file, enhancement, atd

Dependencies


This script uses the following commands and scripts.

  • atd-get-report
  • atd-check-status
  • atd-file-upload

Inputs


Argument Name Description
vmProfileList The analyzer of a profile’s ID. The profile ID number can be found in the UI Policy/Analyzer Profile page, Or using the command atd-list-analyzer-profiles, under vmProfileid key result.
submitType This parameter accepts four values. Can be, “0”, “1”, “2” and “3”. “0” - a regular file upload. “1” - a URL submission. The URL link is processed inside analyzer VM. “2” - Will submit a file with a URL. “3” - A URL will download. The file from the URL is first downloaded and then analyzed.
url Any valid web URL.
messageId The maximum number character string which is 128.
srcIp The IPv4 address of the source system or gateway from where the file is downloaded.
dstIp The IPv4 address of the target endpoint.
skipTaskId The value “0” indicates corresponding taskID in API response. The value “1” indicates -1 as a taskID in API response.
analyzeAgain The value “0” indicates to skip sample analysis if it was analyzed previously . The value “2” indicates to not skip sample analysis if it was not analyzed previously.
xMode The Value “0” indicates no user interaction is needed during sample analysis. The value “1” indicates user interaction is needed during sample analysis.
filePriorityQ The priority of the sample analysis. The run_now command assigns the highest priority. For example, a sample is analyzed right away. The add_to_q command puts the sample in a waiting state if there is a waiting queue of samples. The default is run_now.
entryID The entry ID.
reportType The report type can be, “html” - a HTML report, “txt” - a text report, “xml” - a XML report, “zip” - all the files packaged into a single zip file, “json” - the same report as xml but in the JSON format, “ioc” - an Indicators of Compromise format, “stix” - a Structured Threat Information Expression. By default, STIX generation is disabled. Use set stixreportstatus enable to enable it. “pdf” - Portable Document Format, “sample” - downloads a sample from McAfee Advanced Threat Defense.
timeout The timeout length (in seconds). The default is 10 minutes.
interval The interval to poll for results. The default is 10 seconds.

Outputs


Path Description Type
File.Name The filename (only in the case of report type=json). Unknown
File.Type The file type. For example, “PE” (only in the case of a report type=json). Unknown
File.Size The file size(only in the case of a report type=json). Unknown
File.MD5 The MD5 file hash of the file (only in the case of a report type=json). Unknown
File.SHA1 The SHA1 file hash of the file (only in the case of a report type=json). Unknown
File.SHA256 The SHA256 file hash of the file (only in the case of a report type=json). Unknown
File.Malicious.Vendor The vendor that made the decision that the file is malicious. Unknown
File.Malicious.Description The reason that the vendor decided that the files are malicious. Unknown
DBotScore.Indicator The indicator that was tested (only in the case of a report type=json). Unknown
DBotScore.Type The type of the indicator (only in the case of a report type=json). Unknown
DBotScore.Vendor The vendor used to calculate the score (only in the case of a report type=json). Unknown
DBotScore.Score The actual score (only in the case of a report type=json). Unknown