FireEyeDetonateFile

Detonate File or URL through FireEye.

python · FireEye (AX Series)

Source

import demistomock as demisto  # noqa: F401
from CommonServerPython import *  # noqa: F401
import json
from time import sleep


TIMEOUT = 960
INTERVAL = 10


def detonate_file(args):
    should_continue = True
    file = demisto.get(args, "file")
    feDone = False
    feSubmissionKeys = {}
    # profiles = ['win10x64','win7-sp1','win7x64-sp1','winxp-sp3']
    profiles = argToList(args["profiles"])
    analysistype = args.get("analysistype", 0)
    prefetch = args.get("prefetch", 1)

    # Make sure fireeye available
    if demisto.executeCommand("IsIntegrationAvailable", {"brandname": "fireeye"})[0]["Contents"] != "yes":
        feDone = True

    # Upload file and get submission_key
    if not feDone:
        bArgs = {
            "analysistype": analysistype,
            "application": "0",
            "force": "true",
            "prefetch": prefetch,
            "priority": "1",
            "timeout": "180",
            "upload": file,
        }

        for profile in profiles:
            bArgs["profiles"] = profile
            resp = demisto.executeCommand("fe-submit", bArgs)
            if isError(resp[0]):
                demisto.results(resp)
                should_continue = False
                break
            feSubmissionKey = demisto.get(resp[0], "Contents")
            if isinstance(feSubmissionKey, str):
                feSubmissionKey = json.loads(feSubmissionKey)
            feSubmissionKeys[profile] = demisto.get(feSubmissionKey[0], "ID")
    else:
        demisto.results(
            {"Type": entryTypes["error"], "ContentsFormat": formats["text"], "Contents": "FireEye: Integration not available."}
        )
        should_continue = False
    if should_continue:
        poll_stage(feDone, feSubmissionKeys, profiles, file)


def poll_stage(feDone, feSubmissionKeys, profiles, file):
    should_continue = True
    status = None
    sec = 0
    stauses = {}
    while sec < TIMEOUT and feSubmissionKeys:
        if not feDone:
            status = "Done"
            # Get status
            for profile in profiles:
                resp = demisto.executeCommand("fe-submit-status", {"submission_Key": feSubmissionKeys[profile]})
                if isError(resp[0]):
                    demisto.results(resp)
                    should_continue = False
                    break

                stauses[profile] = demisto.get(resp[0], "Contents.submissionStatus")
                if stauses[profile] in ["In Progress"]:
                    status = "In Progress"
            if not should_continue:
                break
            # find status
            if status in ["In Progress"]:
                sec += INTERVAL
                sleep(INTERVAL)  # pylint: disable=sleep-exists
                # continue loop
            else:
                # loop done failed
                feDone = True
        else:
            break
    if should_continue:
        get_results(feDone, profiles, stauses, feSubmissionKeys, file)


def get_results(feDone, profiles, stauses, feSubmissionKeys, file):
    if not feDone:
        demisto.results(
            {
                "Type": entryTypes["error"],
                "ContentsFormat": formats["text"],
                "Contents": "Could not retrieve results from FireEye (may be due to timeout).",
            }
        )

    for profile in profiles:
        status = stauses[profile]
        if status in ["Done"]:
            resp = demisto.executeCommand("fe-submit-result ", {"submission_Key": feSubmissionKeys[profile]})
            if isError(resp[0]):
                demisto.results(resp)
            else:
                data = demisto.get(resp[0], "Contents.alerts.alert")
                if data:
                    data = data if isinstance(data, list) else [data]
                    data = [{k: formatCell(row[k]).replace("\n", "<br>") for k in row} for row in data]
                    data = tblToMd(profile, data)
                    demisto.results({"ContentsFormat": formats["markdown"], "Type": entryTypes["note"], "Contents": data})
                else:
                    demisto.results("No results.")
        else:
            demisto.results(
                {
                    "Type": entryTypes["error"],
                    "ContentsFormat": formats["text"],
                    "Contents": f"FireEye: Failed to detonate file {file}, exit status = {status}",
                }
            )


def main():  # pragma: no cover
    args = demisto.args()
    try:
        detonate_file(args)
    except Exception as e:
        err_msg = f"Encountered an error while running the script: [{e}]"
        return_error(err_msg, error=e)


if __name__ in ("__main__", "__builtin__", "builtins"):
    main()

README

Detonates a file or URL through FireEye.

Script Data


Name Description
Script Type python
Tags fireeye, file, enhancement

Dependencies


This script uses the following commands and scripts.

  • fe-submit-result
  • fe-submit-status
  • fe-submit

Inputs


Argument Name Description
file The file/entry ID to detonate.
profiles The FireEye profiles to use (comma-separated).
analysistype Specifies live or sandbox analysis mode. “Sandbox”, analyzes suspected malware objects in a closed, protected environment. “Live”, analyzes suspected malware objects live within the MAS Multivector Virtual Execution (MVX) analysis engine.
prefetch Whether to determine the file target based on an internal determination rather than browsing to the target location. Can be, “No” or “Yes”.

Outputs


There are no outputs for this script.