IncapWhitelistCompliance

Get all sites from Incapsula. For each site, the script, through a ssh server (one that should NOT be in the allow list), make sure the site is compliant ( allow list is being enforced ). If not, a warning mail will be sent to the domain owner.

python · Imperva Incapsula

Source

import re

import demistomock as demisto  # noqa: F401
from CommonServerPython import *  # noqa: F401

# Consts
COMPLIANCE_LABEL = "Compliance"
CURL_GET_COMMAND = 'curl --insecure -L -I -m 1 http://{0} | grep -C 1 "200 OK"'
HTTP_OK = "200 OK"
MAIL_TO_RECIPIENT = "IncapsulaUpdates@demisto.com"
INCAPSULA_WARNING = "****Incapsula Warning****"
BASIC_WARNING_MAIL = """
WARNING
Your Site {0} is not compliant to the Incapsula allow list policy
please update your settings

--DBot
"""


def sendMail(to, subject, body="", bcc=""):
    return demisto.executeCommand("SendEmail", {"to": to, "subject": subject, "body": body, "bcc": bcc})


def escalation(url, severity, owner_mail):
    if isinstance(owner_mail, list):
        owner_mail = "".join([str(x) + ", " for x in owner_mail[:-1]] + [str(owner_mail[-1])])

    if severity == 0:
        return None
    else:
        return sendMail(MAIL_TO_RECIPIENT, INCAPSULA_WARNING, BASIC_WARNING_MAIL.format(url), owner_mail)


def main():
    URL_REGEX = (
        "(?i)(?:\\([-A-Z0-9+&@#\\/%=~_|$?!:,.]*\\)|[-A-Z0-9+&@#\\/%=~_|$?!:,.])*"
        "(?:\\([-A-Z0-9+&@#\\/%=~_|$?!:,.]*\\)|[A-Z0-9+&@#\\/%=~_|$])"
    )

    res = []
    res_errors = []

    ctx = demisto.context()
    compliance_table = demisto.get(ctx, COMPLIANCE_LABEL)
    if not compliance_table:
        compliance_table = {}

    dArgs = {"ssh_server": demisto.args()["SSHValidationServer"]}

    # Calling a command - returns a list of one or more entries
    resp = demisto.executeCommand("incap-list-sites", {})

    if isError(resp[0]):
        demisto.results(resp)
    else:
        data = demisto.get(resp[0], "Contents.sites")
        for site in data:
            domain = site["domain"]
            if not re.match(URL_REGEX, str(domain)):
                res_errors.append(str(domain) + " - is not a valid url")

                temp_res = demisto.executeCommand(
                    "RemoteExec", {"cmd": CURL_GET_COMMAND.format(str(domain)), "system": dArgs["ssh_server"]}
                )
                if not isError(temp_res[0]):
                    temp_data = demisto.get(temp_res[0], "Contents")
                    if temp_data.find(HTTP_OK) == -1:
                        # remove from non copliance table
                        pass
                    else:
                        if domain in compliance_table:
                            compliance_table[domain] += 1
                        else:
                            compliance_table[domain] = 1
                        temp_res = demisto.executeCommand("incap-get-domain-approver-email", {"domain": domain})
                        if isError(temp_res[0]):
                            res_errors.append(str(temp_res))
                        else:
                            emails = demisto.get(temp_res[0], "Contents.domain_emails")
                            if emails:
                                temp_res = escalation(domain, compliance_table[domain], emails)
                                if isError(temp_res[0]):
                                    res_errors.append(str(temp_res))
                            else:
                                res_errors.append(str(temp_res[0]))

        demisto.setContext(COMPLIANCE_LABEL, compliance_table)

        markdownString = "## Incapsula Whitelist Compliance - validation results\n"
        markdownString += tblToMd("Non-Compliant Sites - number of days not compliant", [compliance_table])

        res.append({"ContentsFormat": formats["markdown"], "Type": entryTypes["note"], "Contents": markdownString})

    demisto.results(res)


if __name__ in ("__main__", "__builtin__", "builtins"):
    main()

README

Get all sites from Incapsula.
For each site, the script, through a ssh server (one that should NOT be in the allow list), make sure the site is compliant ( allow list is being enforced ).
If not, a warning mail will be sent to the domain owner.

Script Data


Name Description
Script Type python3
Tags Incapsula
Cortex XSOAR Version 5.0.0

Dependencies


This script uses the following commands and scripts.

  • incap-list-sites
  • RemoteExec
  • SendEmail
  • incap-get-domain-approver-email

Inputs


Argument Name Description
SSHValidationServer Name of the non-allow list SSH server instance

Outputs


There are no outputs for this script.