ExtractAttackPattern
Extract Attack Pattern Threat Intel Object. After auto extract extracts the Attack Pattern IDs, this script is executed and extracts the value (name) of the Attack Pattern.
python · Common Scripts
Source
import demistomock as demisto import urllib3 from CommonServerPython import * # Disable insecure warnings urllib3.disable_warnings() def get_mitre_results(items): return execute_command("mitre-get-indicator-name", {"attack_ids": items}) def is_valid_attack_pattern(items) -> list: try: results = get_mitre_results(items) values = [content.get("value") for content in results] return values if values else [] except ValueError as e: if "verify you have proper integration enabled to support it" in str(e): demisto.info( "Unsupported Command : mitre-get-indicator-name, " "verify you have proper integration (MITRE ATTACK v2) enabled to support it. " "This Is needed in order to auto extract MITRE IDs and translate them to Attack Pattern IOCs" ) else: demisto.info(f"MITRE Attack formatting script, {e!s}") return [] except Exception as e: demisto.info(f"MITRE Attack formatting script, {e!s}") return [] def main(): the_input = demisto.args().get("input") entries_list = is_valid_attack_pattern(the_input) if entries_list: return_results(entries_list) else: return_results("") if __name__ in ("__builtin__", "builtins"): main()
README
Extract Attack Pattern Threat Intel Object. After auto extract extracts the Attack Pattern IDs, this script is executed and extracts the value (name) of the Attack Pattern.
Script Data
| Name | Description |
|---|---|
| Script Type | python3 |
| Tags | indicator-format |
| Cortex XSOAR Version | 5.5.0 |
Inputs
| Argument Name | Description |
|---|---|
| input | A comma-separated list of Attack Pattern IDs. |
Outputs
There are no outputs for this script.