DarkmonFilterUnseen

Filters items by ID against an XSOAR List (state) and optionally by domain match or allowlist. Updates the List with new IDs. Outputs NewAccounts.

python · Darkmon

Source

import demistomock as demisto  # noqa: F401
from CommonServerPython import *  # noqa: F401


def main():
    args = demisto.args()
    items = argToList(args.get("items")) or []
    id_field = args.get("id_field", "id")
    seen_list_name = args.get("seen_list")
    domain_filter_list = args.get("domain_filter_list")
    domain_match_field = args.get("domain_match_field", "username")
    allowlist_name = args.get("allowlist")
    allowlist_match_field = args.get("allowlist_match_field", "username")

    def _get_list(name):
        if not name:
            return set()
        try:
            res = demisto.executeCommand("getList", {"listName": name})
            content = res[0].get("Contents", "") if res else ""
            return {line.strip() for line in (content or "").replace(",", "\n").splitlines() if line.strip()}
        except Exception:
            return set()

    seen = _get_list(seen_list_name)
    customer_domains = _get_list(domain_filter_list) if domain_filter_list else None
    allowlist = _get_list(allowlist_name) if allowlist_name else set()

    new_items = []
    new_ids = []
    for it in items:
        iid = str(it.get(id_field, "")).strip()
        if not iid or iid in seen:
            continue
        match_val = str(it.get(allowlist_match_field, "")).lower()
        if any(a.lower() in match_val for a in allowlist):
            continue
        if customer_domains is not None:
            uval = str(it.get(domain_match_field, "")).lower()
            if not any(d.lower() in uval for d in customer_domains):
                continue
        new_items.append(it)
        new_ids.append(iid)

    if new_ids and seen_list_name:
        merged = "\n".join(sorted(seen | set(new_ids)))
        demisto.executeCommand("setList", {"listName": seen_list_name, "listData": merged})

    return_results({"NewAccounts": new_items})


if __name__ in ("__main__", "__builtin__", "builtins"):
    main()

README

Filters items by ID against an XSOAR List (state) and optionally by domain match or allowlist. Updates the List with new IDs. Outputs NewAccounts.

Script Data


Name Description
Script Type python3
Tags darkmon
Cortex XSOAR Version 6.5.0

Used In


This script is used in the following playbooks and scripts.

  • Darkmon - Critical CVE Pipeline
  • Darkmon - Ransomware Mentions Watch
  • Darkmon - Brand-Targeted NRD Watch
  • Darkmon - Compromised Employee Auto-Disable
  • Darkmon - Compromised Credentials Sweep
  • Darkmon - Ransomware Victim Response

Inputs


Argument Name Description
items Items to process.
id_field Field name to use as the dedup key.
seen_list Name of the XSOAR List storing already-seen IDs.
domain_filter_list Optional - list of customer domains to filter username matches.
domain_match_field Field on each item to match against domain_filter_list.
allowlist Optional list of usernames/DNs that must NEVER be actioned.
allowlist_match_field Field to match against the allowlist.
incident_type Incident type for newly created incidents.
severity Severity (1=Low, 2=Medium, 3=High, 4=Critical).
name_template Incident name template (supports ${field} interpolation).
field_map Comma-separated ‘fieldCli=sourcePath’ pairs.
emails Email addresses to fan out per VIP fetch.
domains  
brands_list  
max_distance  
min_cvss  
tech_stack_list  

Outputs


Path Description Type
NewAccounts   unknown
CreatedIncidents   unknown
Count   number
Typosquats   unknown
FilteredCVEs   unknown
VIPCreated   number