ExtractAttackPattern

Extract Attack Pattern Threat Intel Object. After auto extract extracts the Attack Pattern IDs, this script is executed and extracts the value (name) of the Attack Pattern.

python · Common Scripts

Source

import demistomock as demisto
import urllib3
from CommonServerPython import *

# Disable insecure warnings
urllib3.disable_warnings()


def get_mitre_results(items):
    return execute_command("mitre-get-indicator-name", {"attack_ids": items})


def is_valid_attack_pattern(items) -> list:
    try:
        results = get_mitre_results(items)
        values = [content.get("value") for content in results]
        return values if values else []

    except ValueError as e:
        if "verify you have proper integration enabled to support it" in str(e):
            demisto.info(
                "Unsupported Command : mitre-get-indicator-name, "
                "verify you have proper integration (MITRE ATTACK v2) enabled to support it. "
                "This Is needed in order to auto extract MITRE IDs and translate them to Attack Pattern IOCs"
            )
        else:
            demisto.info(f"MITRE Attack formatting script, {e!s}")
        return []
    except Exception as e:
        demisto.info(f"MITRE Attack formatting script, {e!s}")
        return []


def main():
    the_input = demisto.args().get("input")

    entries_list = is_valid_attack_pattern(the_input)

    if entries_list:
        return_results(entries_list)
    else:
        return_results("")


if __name__ in ("__builtin__", "builtins"):
    main()

README

Extract Attack Pattern Threat Intel Object. After auto extract extracts the Attack Pattern IDs, this script is executed and extracts the value (name) of the Attack Pattern.

Script Data


Name Description
Script Type python3
Tags indicator-format
Cortex XSOAR Version 5.5.0

Inputs


Argument Name Description
input A comma-separated list of Attack Pattern IDs.

Outputs


There are no outputs for this script.