CreateHashIndicatorWrapper

This is a wrapper to allow or block hash lists from Cortex XDR, MSDE or CrowdStrike.

python · Malware Core

Source

from CommonServerPython import *

""" STANDALONE FUNCTION """

INCIDENT_ID = demisto.incident().get("id")

XDR_ACTIONS = {"allow": "xdr-whitelist-files", "block": "xdr-blacklist-files"}

MSDE_ACTIONS = {
    "allow": "Allowed",
    "block": "AlertAndBlock",
}

CROWDSTRIKE_ACTIONS = {
    "allow": {"action": "allow", "description": f"Whitelisted based on XSOAR inc {INCIDENT_ID}", "severity": "low"},
    "block": {"action": "prevent", "description": f"Blacklisted based on XSOAR inc {INCIDENT_ID}", "severity": "high"},
}


def create_commands(hashes: List[str], action: str) -> List[CommandRunner.Command]:
    """
    Create a list of `Command` of the allow/block hash command to `Cortex XDR`, `CrowdstrikeFalcon`,
     `Microsoft Defender Advanced Threat Protection`

    :param hashes: The hashes list
    :param action: The action to have (one of {'allow', 'block'})
    :return: A list of `Command`
    """

    msde_action = MSDE_ACTIONS.get(action)
    crowdstrike_commands, crowdstrike_args_lst = get_crowdstrike_commands_args(hashes, action)
    return [
        CommandRunner.Command(commands=XDR_ACTIONS.get(action), args_lst={"hash_list": ",".join(hashes)}),
        CommandRunner.Command(
            commands="microsoft-atp-sc-indicator-create",
            args_lst=[
                {
                    "indicator_value": h,
                    "indicator_type": "FileSha256",
                    "action": msde_action,
                    "indicator_description": f"XSOAR - related incident {INCIDENT_ID}",
                    "indicator_title": f"XSOAR - related incident {INCIDENT_ID}",
                }
                for h in hashes
            ],
        ),
        CommandRunner.Command(commands=crowdstrike_commands, args_lst=crowdstrike_args_lst),
    ]


def get_crowdstrike_commands_args(hashes: List[str], action: str) -> tuple[List[str], List[dict]]:
    """
    Get the commands and args that supposed to run the action on the hashes in CrowdstrikeFalcon

    :param hashes: The hashes list
    :param action: The action to have (one of {'allow', 'block'})
    :return: A tuple: first is a list of commands to run, and the second is the list of args to run
    """
    cs_search_command_executer = CommandRunner.Command(
        commands="cs-falcon-search-custom-iocs", args_lst={"values": ",".join(hashes)}, brand="CrowdstrikeFalcon"
    )
    search_results, errors_search = CommandRunner.execute_commands(cs_search_command_executer, extract_contents=True)
    commands, args_lst = [], []
    ioc_metadata = CROWDSTRIKE_ACTIONS[action]
    for search_res in search_results:
        search_results_hashes = [ioc.get("value") for ioc in search_res.result.get("resources", [])]
        new_hashes = [h for h in hashes if h not in search_results_hashes]
        for h in new_hashes:
            commands.append("cs-falcon-upload-custom-ioc")
            args_lst.append(
                {"ioc_type": "sha256", "platforms": "linux,mac,windows", "applied_globally": "true", "value": h, **ioc_metadata}
            )
        for ioc in search_res.result.get("resources", []):
            commands.append("cs-falcon-update-custom-ioc")
            args_lst.append({"ioc_id": ioc.get("id"), **ioc_metadata})
    return commands, args_lst


def run_hash_action(hashes: List[str], action: str) -> list:
    """
    Given arguments to the command, returns a list of results to return

    :param action: action to perform (allow or block)
    :param hashes: list of hashes

    :return: list of results to return
    :rtype: ``list``
    """
    commands = create_commands(hashes, action)
    return CommandRunner.run_commands_with_summary(commands)


""" MAIN FUNCTION """


def main():  # pragma: no cover
    args = demisto.args()
    hashes = argToList(args.get("hash"))
    action = args.get("action")
    if not hashes:
        raise ValueError("hash not specified")
    if not action or action not in {"allow", "block"}:
        raise ValueError("Action not specified or not in allowed actions")
    try:
        return_results(run_hash_action(hashes, action))
    except Exception as ex:
        return_error(f"Failed to execute HashWrapper. Error: {ex!s}")


""" ENTRY POINT """

if __name__ in ("__main__", "__builtin__", "builtins"):
    main()

README

This is a wrapper to allow or block hash lists from Cortex XDR, MSDE or CrowdStrike.

Script Data


Name Description
Script Type python3
Tags basescript
Cortex XSOAR Version 6.0.0

Inputs


Argument Name Description
hash Array of SHA256 hashes.
action The action to apply to the hash - allow or block.

Outputs


Path Description Type
MicrosoftATP.Indicators.id Created by the system when the indicator is ingested. Generated GUID/unique identifier. String
MicrosoftATP.Indicators.action The action to apply if the indicator is matched within the targetProduct security tool. Possible values: “unknown”, “allow”, “block”, or “alert”. String
MicrosoftATP.Indicators.additionalInformation A catchall area where extra data from the indicator not covered by the other indicator properties may be placed. Data placed into additionalInformation is typically not utilized by the targetProduct security tool. String
MicrosoftATP.Indicators.azureTenantId Stamped by the system when the indicator is ingested. The Entra ID submitting client tenant ID. String
MicrosoftATP.Indicators.confidence An integer representing confidence the indicator data accurately identifies malicious behavior. Possible values are 0 – 100, with 100 being the highest. Number
MicrosoftATP.Indicators.description Brief description (100 characters or less) of the threat represented by the indicator. String
MicrosoftATP.Indicators.diamondModel The area of the Diamond Model in which this indicator exists. Possible values: “unknown”, “adversary”, “capability”, “infrastructure”, and “victim”. String
MicrosoftATP.Indicators.domainName Domain name associated with this indicator. Should be in the format subdomain.domain.topleveldomain. String
MicrosoftATP.Indicators.expirationDateTime DateTime string indicating when the indicator expires. To avoid stale indicators persisting in the system, all indicators must have an expiration date. The timestamp type represents date and time information in ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 looks like: ‘2014-01-01T00:00:00Z’ Date
MicrosoftATP.Indicators.externalId An identification number that ties the indicator back to the indicator provider’s system (for example, a foreign key). String
MicrosoftATP.Indicators.fileCompileDateTime DateTime the file was compiled. The timestamp type represents date and time information in ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 looks like: ‘2014-01-01T00:00:00Z’ Date
MicrosoftATP.Indicators.fileCreatedDateTime DateTime the file was created.The Timestamp type represents date and time information in ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 looks like: ‘2014-01-01T00:00:00Z’ Date
MicrosoftATP.Indicators.fileHashType The type of hash stored in fileHashValue. Possible values: “unknown”, “sha1”, “sha256”, “md5”, “authenticodeHash256”, “lsHash”, and “ctph”. String
MicrosoftATP.Indicators.fileHashValue The file hash value. String
MicrosoftATP.Indicators.fileMutexName The Mutex name used in file-based detections. String
MicrosoftATP.Indicators.fileName The name of the file if the indicator is file-based. Multiple file names may be delimited by commas. String
MicrosoftATP.Indicators.filePacker The packer used to build the file in question. String
MicrosoftATP.Indicators.filePath The path of the file indicating a compromise. Can be a Windows or *nix style path. String
MicrosoftATP.Indicators.fileSize The size of the file in bytes. Number
MicrosoftATP.Indicators.fileType The text description of the type of file. For example, “Word Document” or “Binary”. String
MicrosoftATP.Indicators.ingestedDateTime The timestamp the indicator was ingested into the system. The Timestamp type represents date and time information in ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 looks like: ‘2014-01-01T00:00:00Z’ Date
MicrosoftATP.Indicators.isActive Used to deactivate indicators within the system. By default, any indicator submitted is set as active. However, providers may submit existing indicators with this set to ‘False’ to deactivate indicators in the system. Boolean
MicrosoftATP.Indicators.knownFalsePositives Scenarios in which the indicator may cause false positives. This should be human-readable text. String
MicrosoftATP.Indicators.lastReportedDateTime The last time the indicator was seen. The timestamp type represents date and time information in ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 looks like: ‘2014-01-01T00:00:00Z’ Date
MicrosoftATP.Indicators.networkCidrBlock The CIDR Block notation representation of the network referenced in this indicator. Use only if the source and destination cannot be identified. String
MicrosoftATP.Indicators.networkDestinationAsn The destination autonomous system identifier of the network referenced in the indicator. Number
MicrosoftATP.Indicators.networkDestinationCidrBlock The CIDR Block notation representation of the destination network in this indicator. String
MicrosoftATP.Indicators.networkDestinationIPv4 The IPv4 IP address destination. String
MicrosoftATP.Indicators.networkDestinationIPv6 The IPv6 IP address destination. String
MicrosoftATP.Indicators.networkDestinationPort The TCP port destination. Number
MicrosoftATP.Indicators.networkIPv4 The IPv4 IP address. String
MicrosoftATP.Indicators.networkIPv6 The IPv6 IP address. String
MicrosoftATP.Indicators.networkPort The TCP port. Number
MicrosoftATP.Indicators.networkProtocol The decimal representation of the protocol field in the IPv4 header. Number
MicrosoftATP.Indicators.networkSourceAsn The source autonomous system identifier of the network referenced in the indicator. Number
MicrosoftATP.Indicators.networkSourceCidrBlock The CIDR Block notation representation of the source network in this indicator. String
MicrosoftATP.Indicators.networkSourceIPv4 The IPv4 IP address source. String
MicrosoftATP.Indicators.networkSourceIPv6 The IPv6 IP address source. String
MicrosoftATP.Indicators.networkSourcePort The TCP port source. Number
MicrosoftATP.Indicators.passiveOnly Determines if the indicator should trigger an event that is visible to an end-user. When set to ‘true,’ security tools do not notify the end user that a ‘hit’ has occurred. This is most often treated as audit or silent mode by security products where they simply log that a match occurred but do not perform the action. Default value is false. Boolean
MicrosoftATP.Indicators.severity An integer representing the severity of the malicious behavior identified by the data within the indicator. Possible values: “Informational”, “Low”, “MediumLow”, “MediumHigh”, and “High”, where High is the most severe and Informational is not severe at all. Number
MicrosoftATP.Indicators.targetProduct A string representing a single security product to which the indicator should be applied. String
MicrosoftATP.Indicators.threatType Each indicator must have a valid Indicator Threat Type. Possible values: “Botnet”, “C2”, “CryptoMining”, “Darknet”, “DDoS”, “MaliciousUrl”, “Malware”, “Phishing”, “Proxy”, “PUA”, and “WatchList”. String
MicrosoftATP.Indicators.tlpLevel Traffic Light Protocol value for the indicator. Possible values: “unknown”, “white”, “green”, “amber”, and “red”. String
MicrosoftATP.Indicators.url Uniform Resource Locator. This URL complies with RFC 1738. String
MicrosoftATP.Indicators.userAgent User-Agent string from a web request that could indicate compromise. String
MicrosoftATP.Indicators.vendorInformation Information about the vendor. String
File.Name The full file name (including file extension). String
File.Size The size of the file in bytes. Number
File.MD5 The MD5 hash of the file. String
File.SHA1 The SHA1 hash of the file. String
File.SHA256 The SHA256 hash of the file. String
File.SHA512 The SHA512 hash of the file. String
File.Type The file type, as determined by libmagic (same as displayed in file entries). String
File.Path The path where the file is located. String
CrowdStrike.IOC.Type The type of the IOC. string
CrowdStrike.IOC.Value The string representation of the indicator. string
CrowdStrike.IOC.ID The full ID of the indicator (type:value). string
CrowdStrike.IOC.Policy The policy of the indicator. string
CrowdStrike.IOC.Source The source of the IOC. string
CrowdStrike.IOC.ShareLevel The level at which the indicator will be shared. string
CrowdStrike.IOC.Expiration The datetime the indicator will expire. string
CrowdStrike.IOC.Description The description of the IOC. string
CrowdStrike.IOC.CreatedTime The datetime the IOC was created. string
CrowdStrike.IOC.CreatedBy The identity of the user/process who created the IOC. string
CrowdStrike.IOC.ModifiedTime The date and time the indicator was last modified. string
CrowdStrike.IOC.ModifiedBy The identity of the user/process who last updated the IOC. string

Script Examples

Example command

!CreateHashIndicatorWrapper action=block hash=9310daf6d10f4fbfaf390e74bcf1c4d9acc023d7db3e26030f8772528572a22a

Context Example

{
    "PaloAltoNetworksXDR": {
        "blackList": {
            "fileHash": [
                "9310daf6d10f4fbfaf390e74bcf1c4d9acc023d7db3e26030f8772528572a22a"
            ]
        }
    }, 
    "CrowdStrike": {
        "IOC": [
            {
                "Description": "Blacklisted based on XSOAR inc ab57e22c-ad03-4aba-8b6c-b42bd895a116", 
                "ModifiedTime": "2022-03-27T09:58:22.418527196Z", 
                "Platforms": [
                    "linux", 
                    "mac", 
                    "windows"
                ], 
                "Value": "73c8c51f9084ec745ddb86c9f1a8da3281b6cf5276300e3df0e32ae44b76f63f", 
                "CreatedTime": "2022-03-09T09:58:04.151795968Z", 
                "ModifiedBy": "2bf188d347e44e08946f2e61ef590c24", 
                "CreatedBy": "2bf188d347e44e08946f2e61ef590c24", 
                "Action": "prevent", 
                "Type": "sha256", 
                "ID": "aa6ab986d7a9bf41d96e0140f373e2806d2d2b8a389eeff160d02d88b4229586", 
                "Severity": "high"
            }, 
            {
                "Description": "Blacklisted based on XSOAR inc ab57e22c-ad03-4aba-8b6c-b42bd895a116", 
                "ModifiedTime": "2022-03-27T09:58:22.83074978Z", 
                "Platforms": [
                    "linux", 
                    "mac", 
                    "windows"
                ], 
                "Value": "006a103a9f4b9b6273d55b16ba01a704ad3e4fad59f198a77e8b64177a1064ef", 
                "CreatedTime": "2022-03-09T09:58:03.608685951Z", 
                "ModifiedBy": "2bf188d347e44e08946f2e61ef590c24", 
                "CreatedBy": "2bf188d347e44e08946f2e61ef590c24", 
                "Action": "prevent", 
                "Type": "sha256", 
                "ID": "5e6bf43f5de8b64e3d6f37177171d7edceed67d6bcac06a953c3d369151f6f39", 
                "Severity": "high"
            }, 
            {
                "Description": "Blacklisted based on XSOAR inc ab57e22c-ad03-4aba-8b6c-b42bd895a116", 
                "ModifiedTime": "2022-03-27T10:00:24.023778625Z", 
                "Platforms": [
                    "linux", 
                    "mac", 
                    "windows"
                ], 
                "Value": "9310daf6d10f4fbfaf390e74bcf1c4d9acc023d7db3e26030f8772528572a22a", 
                "CreatedTime": "2022-03-27T10:00:24.023778625Z", 
                "ModifiedBy": "2bf188d347e44e08946f2e61ef590c24", 
                "CreatedBy": "2bf188d347e44e08946f2e61ef590c24", 
                "Action": "prevent", 
                "Type": "sha256", 
                "ID": "aaad9ddaf078c49f1d728fb0082a85efa6a9f413106ecca87f5dbdf33626178a", 
                "Severity": "high"
            }
        ]
    }, 
    "DBotScore": [
        {
            "Vendor": "Microsoft Defender Advanced Threat Protection", 
            "Indicator": "006a103a9f4b9b6273d55b16ba01a704ad3e4fad59f198a77e8b64177a1064ef", 
            "Score": 0, 
            "Type": "file"
        }, 
        {
            "Vendor": "Microsoft Defender Advanced Threat Protection", 
            "Indicator": "73c8c51f9084ec745ddb86c9f1a8da3281b6cf5276300e3df0e32ae44b76f63f", 
            "Score": 0, 
            "Type": "file"
        }, 
        {
            "Vendor": "Microsoft Defender Advanced Threat Protection", 
            "Indicator": "9310daf6d10f4fbfaf390e74bcf1c4d9acc023d7db3e26030f8772528572a22a", 
            "Score": 0, 
            "Type": "file"
        }
    ], 
    "File": [
        {
            "SHA256": "006a103a9f4b9b6273d55b16ba01a704ad3e4fad59f198a77e8b64177a1064ef"
        }, 
        {
            "SHA256": "73c8c51f9084ec745ddb86c9f1a8da3281b6cf5276300e3df0e32ae44b76f63f"
        }, 
        {
            "SHA256": "9310daf6d10f4fbfaf390e74bcf1c4d9acc023d7db3e26030f8772528572a22a"
        }
    ], 
    "MicrosoftATP": {
        "Indicators": [
            {
                "mitreTechniques": [], 
                "description": "XSOAR - related incident ab57e22c-ad03-4aba-8b6c-b42bd895a116", 
                "historicalDetection": false, 
                "title": "XSOAR - related incident ab57e22c-ad03-4aba-8b6c-b42bd895a116", 
                "creationTimeDateTimeUtc": "2022-03-27T09:58:21.8200142Z", 
                "generateAlert": true, 
                "rbacGroupIds": [], 
                "@^^^odata.context^^^": "https://api.securitycenter.microsoft.com/api/$metadata#Indicators/$entity", 
                "createdBySource": "PublicApi", 
                "rbacGroupNames": [], 
                "indicatorValue": "006a103a9f4b9b6273d55b16ba01a704ad3e4fad59f198a77e8b64177a1064ef", 
                "indicatorType": "FileSha256", 
                "createdBy": "2f48b784-5da5-4e61-9957-012d2630f1e4", 
                "lastUpdateTime": "2022-03-27T09:58:21.8292459Z", 
                "action": "BlockAndRemediate", 
                "expirationTime": "2022-04-10T09:58:21Z", 
                "id": "5299", 
                "createdByDisplayName": "MS Graph ATP DEV", 
                "severity": "Informational"
            }, 
            {
                "mitreTechniques": [], 
                "description": "XSOAR - related incident ab57e22c-ad03-4aba-8b6c-b42bd895a116", 
                "historicalDetection": false, 
                "title": "XSOAR - related incident ab57e22c-ad03-4aba-8b6c-b42bd895a116", 
                "creationTimeDateTimeUtc": "2022-03-27T09:58:22.071616Z", 
                "generateAlert": true, 
                "rbacGroupIds": [], 
                "@^^^odata.context^^^": "https://api.securitycenter.microsoft.com/api/$metadata#Indicators/$entity", 
                "createdBySource": "PublicApi", 
                "rbacGroupNames": [], 
                "indicatorValue": "73c8c51f9084ec745ddb86c9f1a8da3281b6cf5276300e3df0e32ae44b76f63f", 
                "indicatorType": "FileSha256", 
                "createdBy": "2f48b784-5da5-4e61-9957-012d2630f1e4", 
                "lastUpdateTime": "2022-03-27T09:58:22.079299Z", 
                "action": "BlockAndRemediate", 
                "expirationTime": "2022-04-10T09:58:21Z", 
                "id": "5300", 
                "createdByDisplayName": "MS Graph ATP DEV", 
                "severity": "Informational"
            }, 
            {
                "mitreTechniques": [], 
                "description": "XSOAR - related incident ab57e22c-ad03-4aba-8b6c-b42bd895a116", 
                "historicalDetection": false, 
                "title": "XSOAR - related incident ab57e22c-ad03-4aba-8b6c-b42bd895a116", 
                "creationTimeDateTimeUtc": "2022-03-27T10:00:23.6840683Z", 
                "generateAlert": true, 
                "rbacGroupIds": [], 
                "@^^^odata.context^^^": "https://api.securitycenter.microsoft.com/api/$metadata#Indicators/$entity", 
                "createdBySource": "PublicApi", 
                "rbacGroupNames": [], 
                "indicatorValue": "9310daf6d10f4fbfaf390e74bcf1c4d9acc023d7db3e26030f8772528572a22a", 
                "indicatorType": "FileSha256", 
                "createdBy": "2f48b784-5da5-4e61-9957-012d2630f1e4", 
                "lastUpdateTime": "2022-03-27T10:00:23.6924233Z", 
                "action": "BlockAndRemediate", 
                "expirationTime": "2022-04-10T10:00:23Z", 
                "id": "5301", 
                "createdByDisplayName": "MS Graph ATP DEV", 
                "severity": "Informational"
            }
        ]
    }
}

Human Readable Output

Results Summary

Instance Command Result Comment
Cortex XDR - IR: Cortex XDR - IR_instance_1_copy command: xdr-blacklist-files
args:
hash_list: 9310daf6d10f4fbfaf390e74bcf1c4d9acc023d7db3e26030f8772528572a22a
Success  
Cortex XDR - IR: Cortex XDR - IR_instance_1 command: xdr-blacklist-files
args:
hash_list: 9310daf6d10f4fbfaf390e74bcf1c4d9acc023d7db3e26030f8772528572a22a
Success  
Microsoft Defender Advanced Threat Protection: Microsoft Defender Advanced Threat Protection_instance_1 command: microsoft-atp-sc-indicator-create
args:
indicator_value: 9310daf6d10f4fbfaf390e74bcf1c4d9acc023d7db3e26030f8772528572a22a
indicator_type: FileSha256
action: AlertAndBlock
indicator_description: XSOAR - related incident ab57e22c-ad03-4aba-8b6c-b42bd895a116
indicator_title: XSOAR - related incident ab57e22c-ad03-4aba-8b6c-b42bd895a116
Success  
CrowdstrikeFalcon: CrowdstrikeFalcon_instance_1 command: cs-falcon-upload-custom-ioc
args:
ioc_type: sha256
platforms: linux,mac,windows
applied_globally: true
value: 9310daf6d10f4fbfaf390e74bcf1c4d9acc023d7db3e26030f8772528572a22a
action: prevent
description: Blacklisted based on XSOAR inc ab57e22c-ad03-4aba-8b6c-b42bd895a116
severity: high
Success  

Blacklist Files

File Hash
9310daf6d10f4fbfaf390e74bcf1c4d9acc023d7db3e26030f8772528572a22a

Indicator 9310daf6d10f4fbfaf390e74bcf1c4d9acc023d7db3e26030f8772528572a22a was updated successfully

id action indicatorValue indicatorType severity title description
5301 BlockAndRemediate 9310daf6d10f4fbfaf390e74bcf1c4d9acc023d7db3e26030f8772528572a22a FileSha256 Informational XSOAR - related incident ab57e22c-ad03-4aba-8b6c-b42bd895a116 XSOAR - related incident ab57e22c-ad03-4aba-8b6c-b42bd895a116

Custom IOC 9310daf6d10f4fbfaf390e74bcf1c4d9acc023d7db3e26030f8772528572a22a was created successfully

Action CreatedBy CreatedTime Description ID ModifiedBy ModifiedTime Platforms Severity Type Value
prevent 2bf188d347e44e08946f2e61ef590c24 2022-03-27T10:00:24.023778625Z Blacklisted based on XSOAR inc ab57e22c-ad03-4aba-8b6c-b42bd895a116 aaad9ddaf078c49f1d728fb0082a85efa6a9f413106ecca87f5dbdf33626178a 2bf188d347e44e08946f2e61ef590c24 2022-03-27T10:00:24.023778625Z linux,
mac,
windows
high sha256 9310daf6d10f4fbfaf390e74bcf1c4d9acc023d7db3e26030f8772528572a22a