GatewatcherAlertEngine
python · Gatewatcher AionIQ
Source
import json import traceback from typing import Any import demistomock as demisto # noqa: F401 from CommonServerPython import * # noqa: F401 def gatewatcherAlertEngine() -> CommandResults: incident = demisto.incident() d = json.loads(str(incident["CustomFields"]["GatewatcherRawEvent"])) ret_fields: dict[Any, Any] = {} if d["event"]["module"] == "active_cti": ret_fields = { "dns.query": d.get("dns", {}).get("query", []), "flow.bytes_toclient": d.get("flow", {}).get("bytes_toclient", 0), "flow.bytes_toserver": d.get("flow", {}).get("bytes_toserver", 0), "flow.pkts_toclient": d.get("flow", {}).get("pkts_toclient", 0), "flow.pkts_toserver": d.get("flow", {}).get("pkts_toserver", 0), "flow.start": d.get("flow", {}).get("start", ""), "sigflow.action": d.get("sigflow", {}).get("action", ""), "sigflow.category": d.get("sigflow", {}).get("category", ""), "sigflow.gid": d.get("sigflow", {}).get("gid", 0), "sigflow.metadata": d.get("sigflow", {}).get("metadata", {}), "sigflow.payload": d.get("sigflow", {}).get("payload", ""), "sigflow.payload_printable": d.get("sigflow", {}).get("payload_printable", ""), "sigflow.rev": d.get("sigflow", {}).get("rev", 0), "sigflow.signature": d.get("sigflow", {}).get("signature", ""), "sigflow.signature_id": d.get("sigflow", {}).get("signature_id", 0), "sigflow.stream": d.get("sigflow", {}).get("stream", 0), } if d["event"]["module"] == "malcore": ret_fields = { "malcore.analyzed_clean": d["malcore"].get("analyzed_clean", 0), "malcore.analyzed_error": d["malcore"].get("analyzed_error", 0), "malcore.analyzed_infected": d["malcore"].get("analyzed_infected", 0), "malcore.analyzed_other": d["malcore"].get("analyzed_other", 0), "malcore.analyzed_suspicious": d["malcore"].get("analyzed_suspicious", 0), "malcore.analyzers_up": d["malcore"].get("analyzers_up", 0), "malcore.code": d["malcore"].get("code", 0), "malcore.detail_scan_time": d["malcore"].get("detail_scan_time", 0), "malcore.detail_threat_found": d["malcore"].get("detail_threat_found", ""), "malcore.detail_wait_time": d["malcore"].get("detail_wait_time", 0), "malcore.engine_id": d["malcore"].get("engine_id", {}), "malcore.engines_last_update_date": d["malcore"].get("engines_last_update_date", ""), "malcore.file_type": d["malcore"].get("file_type", ""), "malcore.file_type_description": d["malcore"].get("file_type_description", ""), "malcore.magic_details": d["malcore"].get("magic_details", ""), "malcore.processing_time": d["malcore"].get("processing_time", 0), "malcore.reporting_token": d["malcore"].get("reporting_token", ""), "malcore.state": d["malcore"].get("state", ""), "malcore.total_found": d["malcore"].get("total_found", ""), } if d["event"]["module"] == "malcore_retroanalyzer": ret_fields = { "malcore_retroanalyzer.analyzed_clean": d["malcore_retroanalyzer"].get("analyzed_clean", 0), "malcore_retroanalyzer.analyzed_error": d["malcore_retroanalyzer"].get("analyzed_error", 0), "malcore_retroanalyzer.analyzed_infected": d["malcore_retroanalyzer"].get("analyzed_infected", 0), "malcore_retroanalyzer.analyzed_other": d["malcore_retroanalyzer"].get("analyzed_other", 0), "malcore_retroanalyzer.analyzed_suspicious": d["malcore_retroanalyzer"].get("analyzed_suspicious", 0), "malcore_retroanalyzer.analyzers_up": d["malcore_retroanalyzer"].get("analyzers_up", 0), "malcore_retroanalyzer.code": d["malcore_retroanalyzer"].get("code", 0), "malcore_retroanalyzer.detail_scan_time": d["malcore_retroanalyzer"].get("detail_scan_time", 0), "malcore_retroanalyzer.detail_threat_found": d["malcore_retroanalyzer"].get("detail_threat_found", ""), "malcore_retroanalyzer.detail_wait_time": d["malcore_retroanalyzer"].get("detail_wait_time", 0), "malcore_retroanalyzer.engine_id": d["malcore_retroanalyzer"].get("engine_id", {}), "malcore_retroanalyzer.engines_last_update_date": d["malcore_retroanalyzer"].get("engines_last_update_date", ""), "malcore_retroanalyzer.file_type": d["malcore_retroanalyzer"].get("file_type", ""), "malcore_retroanalyzer.file_type_description": d["malcore_retroanalyzer"].get("file_type_description", ""), "malcore_retroanalyzer.magic_details": d["malcore_retroanalyzer"].get("magic_details", ""), "malcore_retroanalyzer.processing_time": d["malcore_retroanalyzer"].get("processing_time", 0), "malcore_retroanalyzer.reporting_token": d["malcore_retroanalyzer"].get("reporting_token", ""), "malcore_retroanalyzer.state": d["malcore_retroanalyzer"].get("state", ""), "malcore_retroanalyzer.total_found": d["malcore_retroanalyzer"].get("total_found", ""), } if d["event"]["module"] == "shellcode_detect": ret_fields = { "shellcode.analysis": d["shellcode"].get("analysis", {}), "shellcode.encodings": d["shellcode"].get("encodings", []), "shellcode.id": d["shellcode"].get("id", ""), "shellcode.sample_id": d["shellcode"].get("sample_id", ""), "shellcode.sub_type": d["shellcode"].get("sub_type", ""), } if d["event"]["module"] == "malicious_powershell_detect": ret_fields = { "malicious_powershell.id": d["malicious_powershell"].get("id", ""), "malicious_powershell.proba_obfuscated": d["malicious_powershell"].get("proba_obfuscated", 0), "malicious_powershell.sample_id": d["malicious_powershell"].get("sample_id", ""), "malicious_powershell.score": d["malicious_powershell"].get("score", 0), "malicious_powershell.score_details": d["malicious_powershell"].get("score_details", {}), } if d["event"]["module"] == "sigflow_alert": ret_fields = { "sigflow.action": d["sigflow"].get("action", ""), "sigflow.category": d["sigflow"].get("category", ""), "sigflow.gid": d["sigflow"].get("gid", 0), "sigflow.metadata": d["sigflow"].get("metadata", {}), "sigflow.payload": d["sigflow"].get("payload", ""), "sigflow.payload_printable": d["sigflow"].get("payload_printable", ""), "sigflow.rev": d["sigflow"].get("rev", 0), "sigflow.signature": d["sigflow"].get("signature", ""), "sigflow.signature_id": d["sigflow"].get("signature_id", 0), "sigflow.stream": d["sigflow"].get("stream", 0), } if d["event"]["module"] == "dga_detect": ret_fields = { "dga.dga_count": d["dga"].get("dga_count", 0), "dga.dga_ratio": d["dga"].get("dga_ratio", 0), "dga.malware_behavior_confidence": d["dga"].get("malware_behavior_confidence", 0), "dga.nx_domain_count": d["dga"].get("nx_domain_count", 0), "dga.top_DGA": d["dga"].get("top_DGA", []), } if d["event"]["module"] == "ioc": ret_fields = { "ioc.campaigns": d["ioc"].get("campaigns", []), "ioc.case_id": d["ioc"].get("case_id", ""), "ioc.categories": d["ioc"].get("categories", []), "ioc.creation_date": d["ioc"].get("creation_date", ""), "ioc.description": d["ioc"].get("description", ""), "ioc.external_links": d["ioc"].get("external_links", []), "ioc.families": d["ioc"].get("families", []), "ioc.id": d["ioc"].get("id", ""), "ioc.kill_chain_phases": d["ioc"].get("kill_chain_phases", []), "ioc.meta_data": d["ioc"].get("meta_data", {}), "ioc.package_date": d["ioc"].get("package_date", ""), "ioc.relations": d["ioc"].get("relations", []), "ioc.signature": d["ioc"].get("signature", ""), "ioc.tags": d["ioc"].get("tags", []), "ioc.targeted_countries": d["ioc"].get("targeted_countries", []), "ioc.targeted_organizations": d["ioc"].get("targeted_organizations", []), "ioc.targeted_platforms": d["ioc"].get("targeted_platforms", []), "ioc.targeted_sectors": d["ioc"].get("targeted_sectors", []), "ioc.threat_actor": d["ioc"].get("threat_actor", []), "ioc.tlp": d["ioc"].get("tlp", ""), "ioc.ttp": d["ioc"].get("ttp", []), "ioc.type": d["ioc"].get("type", ""), "ioc.updated_date": d["ioc"].get("updated_date", ""), "ioc.usage_mode": d["ioc"].get("usage_mode", ""), "ioc.value": d["ioc"].get("value", ""), "ioc.vulnerabilities": d["ioc"].get("vulnerabilities", []), } if d["event"]["module"] == "ransomware_detect": ret_fields = { "ransomware.alert_threshold": d["ransomware"].get("alert_threshold", 0), "ransomware.malicious_behavior_confidence": d["ransomware"].get("malicious_behavior_confidence", 0), "ransomware.session_score": d["ransomware"].get("session_score", 0), } if d["event"]["module"] == "beacon_detect": ret_fields = { "beacon.active": d["beacon"].get("active", ""), "beacon.hostname_resolution": d["beacon"].get("hostname_resolution", ""), "beacon.id": d["beacon"].get("id", ""), "beacon.mean_time_interval": d["beacon"].get("mean_time_interval", 0), "beacon.possible_cnc": d["beacon"].get("possible_cnc", ""), "beacon.session_count": d["beacon"].get("session_count", 0), "beacon.type": d["beacon"].get("type", ""), } if d["event"]["module"] == "retrohunt": ret_fields = { "ioc.campaigns": d.get("ioc", {}).get("campaigns", []), "ioc.case_id": d.get("ioc", {}).get("case_id", ""), "ioc.categories": d.get("ioc", {}).get("categories", []), "ioc.creation_date": d.get("ioc", {}).get("creation_date", ""), "ioc.description": d.get("ioc", {}).get("description", ""), "ioc.external_links": d.get("ioc", {}).get("external_links", []), "ioc.families": d.get("ioc", {}).get("families", []), "ioc.id": d.get("ioc", {}).get("id", ""), "ioc.kill_chain_phases": d.get("ioc", {}).get("kill_chain_phases", []), "ioc.meta_data": d.get("ioc", {}).get("meta_data", {}), "ioc.package_date": d.get("ioc", {}).get("package_date", ""), "ioc.relations": d.get("ioc", {}).get("relations", []), "ioc.signature": d.get("ioc", {}).get("signature", ""), "ioc.tags": d.get("ioc", {}).get("tags", []), "ioc.targeted_countries": d.get("ioc", {}).get("targeted_countries", []), "ioc.targeted_organizations": d.get("ioc", {}).get("targeted_organizations", []), "ioc.targeted_platforms": d.get("ioc", {}).get("targeted_platforms", []), "ioc.targeted_sectors": d.get("ioc", {}).get("targeted_sectors", []), "ioc.threat_actor": d.get("ioc", {}).get("threat_actor", []), "ioc.tlp": d.get("ioc", {}).get("tlp", ""), "ioc.ttp": d.get("ioc", {}).get("ttp", []), "ioc.type": d.get("ioc", {}).get("type", ""), "ioc.updated_date": d.get("ioc", {}).get("updated_date", ""), "ioc.usage_mode": d.get("ioc", {}).get("usage_mode", ""), "ioc.value": d.get("ioc", {}).get("value", ""), "ioc.vulnerabilities": d.get("ioc", {}).get("vulnerabilities", []), "matched_event.content": d["matched_event"].get("content", {}), "matched_event.id": d["matched_event"].get("id", ""), } return CommandResults(raw_response=ret_fields) def main(): try: return_results(gatewatcherAlertEngine()) except Exception as ex: demisto.error(traceback.format_exc()) # print the traceback return_error(f"Failed to execute Gate. Error: {ex!s}") if __name__ in ("__main__", "__builtin__", "builtins"): main()
README
GatewatcherAlertEngine script
Automation script for displaying engine fields on the Alert layout.