CyrenThreatInDepthRandomHunt
This script will take a random Cyren Threat InDepth feed indicator and its relationships and create a threat hunting incident for you. The main query parameters for the resulting, internal indicator query are: 1. Seen for the first time by the feed source within the last 7 days. 2. No investigation on it yet. 3. Must have relationships to other indicators.
Source
from enum import Enum from random import randrange import demistomock as demisto import yaml from CommonServerPython import * from CommonServerUserPython import * class FeedName(str, Enum): IP_REPUTATION = "ip_reputation" PHISHING_URLS = "phishing_urls" MALWARE_URLS = "malware_urls" MALWARE_FILES = "malware_files" def simple_result(text): return CommandResults(readable_output=text) def create_random_hunt_incident(args): indicator_type = args.get("indicator_type") incident_type = args.get("incident_type", "Hunt") assignee = args.get("assignee") query_parts = [ 'lastseenbysource:>="7 days ago"', "sourceBrands:CyrenThreatInDepth ", 'investigationIDs:""', "cyrensourcetags:primary", "-cyrensourcetags:related", "cyrenfeedaction:add", 'cyrenfeedrelationships.timestamp:>="2000-01-01T00:00:00 +0100"', ] if indicator_type == FeedName.IP_REPUTATION: query_parts.append("type:IP") query_parts.append("cyreniprisk:>80") elif indicator_type == FeedName.MALWARE_URLS: query_parts.append("tags:malware") query_parts.append("type:URL") elif indicator_type == FeedName.PHISHING_URLS: query_parts.append("tags:phishing") query_parts.append("type:URL") elif indicator_type == FeedName.MALWARE_FILES: query_parts.append("type:File") query = " ".join(query_parts) random_page = randrange(10) + 1 res = demisto.executeCommand("findIndicators", {"query": query, "size": 1, "page": random_page}) if isError(res[0]): raise DemistoException(f"Could not find any indicators: {res}") indicators = res[0]["Contents"] if not any(indicators): return simple_result(f'Could not find any indicators for "{query}"!') incident = {"name": "Cyren Threat InDepth Threat Hunt", "type": incident_type, "details": yaml.dump(indicators[0])} if assignee: incident["owner"] = assignee else: res = demisto.executeCommand("getUsers", {"current": True}) if not isError(res[0]): current_user = res[0]["Contents"][0] current_user_id = current_user.get("id") incident["owner"] = current_user_id res = demisto.executeCommand("createNewIncident", incident) if isError(res[0]): raise DemistoException(f"Could not create new incident: {res}") created_incident = res[0] id = created_incident.get("EntryContext", {}).get("CreatedIncidentID") data = f"Successfully created incident {incident['name']}.\nClick here to investigate: [{id}](#/incident/{id})." res = demisto.executeCommand("investigate", {"id": id}) if isError(res[0]): data = data + "\n(An investigation has not been started.)" return simple_result(text=data) def main(args): try: return_results(create_random_hunt_incident(args)) except Exception as e: return_error(f"Failed to execute CyrenThreatInDepthRandomHunt. Error: {e!s}") if __name__ in ("__main__", "__builtin__", "builtins"): main(demisto.args())
README
This script will take a random Cyren Threat InDepth feed indicator and its relationships
and create a threat hunting incident for you.
The main query parameters for the resulting, internal indicator query are:
- Seen for the first time by the feed source within the last 7 days.
- No investigation on it yet.
- Must have relationships to other indicators.
Script Data
| Name | Description |
|---|---|
| Script Type | python3 |
| Tags | incidents, ioc, cyren, hunt |
| XSOAR Version | 6.0.0 |
Inputs
| Argument Name | Description |
|---|---|
| indicator_type | Optional: One of ip_reputation, malware_files, malware_urls, phishing_urls, will determine the Cyren Threat InDepth feed the indicator is taken from (if not provided a random indicator type is chosen) |
| incident_type | Optional: If not provided, an incident of type “Hunt” is created |
Outputs
There are no outputs for this script.
Human Readable Output
Successfully created incident Cyren Threat InDepth Threat Hunt.
Click here to investigate: 1234.