DarkmonVIPFanOut
For each protected email, calls dmontip-get-boardemails three times (accounts, combo-lists, public-breaches), filters new entries, creates incidents.
python · Darkmon
Source
import demistomock as demisto # noqa: F401 from CommonServerPython import * # noqa: F401 def _get_seen(seen_list_name): try: res = demisto.executeCommand("getList", {"listName": seen_list_name}) content = res[0].get("Contents", "") if res else "" return {line.strip() for line in (content or "").splitlines() if line.strip()} except Exception: return set() def _put_seen(seen_list_name, seen): demisto.executeCommand("setList", {"listName": seen_list_name, "listData": "\n".join(sorted(seen))}) def main(): args = demisto.args() emails = argToList(args.get("emails")) or [] seen_list_name = args.get("seen_list") incident_type = args.get("incident_type", "Darkmon VIP Email Leak") seen = _get_seen(seen_list_name) new_seen = set(seen) created = 0 for email in emails: for leak_type in ("accounts", "combo-lists", "public-breaches"): try: res = demisto.executeCommand( "dmontip-get-boardemails", {"type": leak_type, "email": email, "size": "100"}, ) ctx = res[0].get("EntryContext", {}) if res else {} singular = { "accounts": "Account", "combo-lists": "ComboList", "public-breaches": "PublicBreach", }[leak_type] items = ctx.get(f"Darkmon.BoardLeak.{singular}") or [] except Exception as e: demisto.error(f"VIP fetch failed for {email}/{leak_type}: {e}") continue for it in items: composite = f"{email}::{leak_type}::{it.get('id')}" if composite in new_seen: continue new_seen.add(composite) demisto.executeCommand( "createNewIncident", { "name": f"Darkmon VIP leak: {email} ({leak_type})", "type": incident_type, "customFields": { "darkmonprotectedemail": email, "darkmonleaktype": leak_type, "darkmonleakid": str(it.get("id", "")), "darkmonsourcename": str(it.get("source", "")), }, }, ) created += 1 if seen_list_name and new_seen != seen: _put_seen(seen_list_name, new_seen) return_results({"VIPCreated": created}) if __name__ in ("__main__", "__builtin__", "builtins"): main()
README
For each protected email, calls dmontip-get-boardemails three times (accounts, combo-lists, public-breaches), filters new entries, creates incidents.
Script Data
| Name | Description |
|---|---|
| Script Type | python3 |
| Tags | darkmon |
| Cortex XSOAR Version | 6.5.0 |
Dependencies
This script uses the following commands and scripts.
- Darkmon
- dmontip-get-boardemails
Used In
This script is used in the following playbooks and scripts.
- Darkmon - VIP Email Monitor
Inputs
| Argument Name | Description |
|---|---|
| items | Items to process. |
| id_field | Field name to use as the dedup key. |
| seen_list | Name of the XSOAR List storing already-seen IDs. |
| domain_filter_list | Optional - list of customer domains to filter username matches. |
| domain_match_field | Field on each item to match against domain_filter_list. |
| allowlist | Optional list of usernames/DNs that must NEVER be actioned. |
| allowlist_match_field | Field to match against the allowlist. |
| incident_type | Incident type for newly created incidents. |
| severity | Severity (1=Low, 2=Medium, 3=High, 4=Critical). |
| name_template | Incident name template (supports ${field} interpolation). |
| field_map | Comma-separated ‘fieldCli=sourcePath’ pairs. |
| emails | Email addresses to fan out per VIP fetch. |
| domains | |
| brands_list | |
| max_distance | |
| min_cvss | |
| tech_stack_list |
Outputs
| Path | Description | Type |
|---|---|---|
| NewAccounts | unknown | |
| CreatedIncidents | unknown | |
| Count | number | |
| Typosquats | unknown | |
| FilteredCVEs | unknown | |
| VIPCreated | number |