DarkmonFilterUnseen
Filters items by ID against an XSOAR List (state) and optionally by domain match or allowlist. Updates the List with new IDs. Outputs NewAccounts.
python · Darkmon
Source
import demistomock as demisto # noqa: F401 from CommonServerPython import * # noqa: F401 def main(): args = demisto.args() items = argToList(args.get("items")) or [] id_field = args.get("id_field", "id") seen_list_name = args.get("seen_list") domain_filter_list = args.get("domain_filter_list") domain_match_field = args.get("domain_match_field", "username") allowlist_name = args.get("allowlist") allowlist_match_field = args.get("allowlist_match_field", "username") def _get_list(name): if not name: return set() try: res = demisto.executeCommand("getList", {"listName": name}) content = res[0].get("Contents", "") if res else "" return {line.strip() for line in (content or "").replace(",", "\n").splitlines() if line.strip()} except Exception: return set() seen = _get_list(seen_list_name) customer_domains = _get_list(domain_filter_list) if domain_filter_list else None allowlist = _get_list(allowlist_name) if allowlist_name else set() new_items = [] new_ids = [] for it in items: iid = str(it.get(id_field, "")).strip() if not iid or iid in seen: continue match_val = str(it.get(allowlist_match_field, "")).lower() if any(a.lower() in match_val for a in allowlist): continue if customer_domains is not None: uval = str(it.get(domain_match_field, "")).lower() if not any(d.lower() in uval for d in customer_domains): continue new_items.append(it) new_ids.append(iid) if new_ids and seen_list_name: merged = "\n".join(sorted(seen | set(new_ids))) demisto.executeCommand("setList", {"listName": seen_list_name, "listData": merged}) return_results({"NewAccounts": new_items}) if __name__ in ("__main__", "__builtin__", "builtins"): main()
README
Filters items by ID against an XSOAR List (state) and optionally by domain match or allowlist. Updates the List with new IDs. Outputs NewAccounts.
Script Data
| Name | Description |
|---|---|
| Script Type | python3 |
| Tags | darkmon |
| Cortex XSOAR Version | 6.5.0 |
Used In
This script is used in the following playbooks and scripts.
- Darkmon - Critical CVE Pipeline
- Darkmon - Ransomware Mentions Watch
- Darkmon - Brand-Targeted NRD Watch
- Darkmon - Compromised Employee Auto-Disable
- Darkmon - Compromised Credentials Sweep
- Darkmon - Ransomware Victim Response
Inputs
| Argument Name | Description |
|---|---|
| items | Items to process. |
| id_field | Field name to use as the dedup key. |
| seen_list | Name of the XSOAR List storing already-seen IDs. |
| domain_filter_list | Optional - list of customer domains to filter username matches. |
| domain_match_field | Field on each item to match against domain_filter_list. |
| allowlist | Optional list of usernames/DNs that must NEVER be actioned. |
| allowlist_match_field | Field to match against the allowlist. |
| incident_type | Incident type for newly created incidents. |
| severity | Severity (1=Low, 2=Medium, 3=High, 4=Critical). |
| name_template | Incident name template (supports ${field} interpolation). |
| field_map | Comma-separated ‘fieldCli=sourcePath’ pairs. |
| emails | Email addresses to fan out per VIP fetch. |
| domains | |
| brands_list | |
| max_distance | |
| min_cvss | |
| tech_stack_list |
Outputs
| Path | Description | Type |
|---|---|---|
| NewAccounts | unknown | |
| CreatedIncidents | unknown | |
| Count | number | |
| Typosquats | unknown | |
| FilteredCVEs | unknown | |
| VIPCreated | number |