IsMaliciousIndicatorFound

Checks if the investigation found any malicious indicators (file, URL, IP address, domain, or email). Returns "yes" if at least one malicious indicator is found.

javascript · Common Scripts

Source

minScore = (args.includeSuspicious == 'yes') ? 2 : 3;

// Gather malicious indicators
files = dq(invContext, "DBotScore(val.Type.toLowerCase()=='file' && val.Score>=" + minScore + ")");
hashes = dq(invContext, "DBotScore(val.Type.toLowerCase()=='hash' && val.Score>=" + minScore + ")");
ips = dq(invContext, "DBotScore(val.Type.toLowerCase()=='ip' && val.Score>=" + minScore + ")");
urls = dq(invContext, "DBotScore(val.Type.toLowerCase()=='url' && val.Score>=" + minScore + ")");
domains = dq(invContext, "DBotScore(val.Type.toLowerCase()=='domain' && val.Score>=" + minScore + ")");
emails = dq(invContext, "DBotScore(val.Type.toLowerCase()=='email' && val.Score>=" + minScore + ")");

var filesIndicators = [];
for (var indicatorObject in files) {
    if (files[indicatorObject] && files[indicatorObject].Indicator && filesIndicators.indexOf(files[indicatorObject].Indicator) === -1) {
        filesIndicators.push(files[indicatorObject].Indicator);
    }
}
var hashesIndicators = [];
for (var indicatorObject in hashes) {
    if (hashes[indicatorObject] && hashes[indicatorObject].Indicator && hashesIndicators.indexOf(hashes[indicatorObject].Indicator) === -1) {
        hashesIndicators.push(hashes[indicatorObject].Indicator);
    }
}
var ipsIndicators = [];
for (var indicatorObject in ips) {
    if (ips[indicatorObject] && ips[indicatorObject].Indicator && ipsIndicators.indexOf(ips[indicatorObject].Indicator) === -1) {
        ipsIndicators.push(ips[indicatorObject].Indicator);
    }
}
var urlsIndicators = [];
for (var indicatorObject in urls) {
    if (urls[indicatorObject] && urls[indicatorObject].Indicator && urlsIndicators.indexOf(urls[indicatorObject].Indicator) === -1) {
        urlsIndicators.push(urls[indicatorObject].Indicator);
    }
}
var domainsIndicators = [];
for (var indicatorObject in domains) {
    if (domains[indicatorObject] && domains[indicatorObject].Indicator && domainsIndicators.indexOf(domains[indicatorObject].Indicator) === -1) {
        domainsIndicators.push(domains[indicatorObject].Indicator);
    }
}
var emailsIndicators = [];
for (var indicatorObject in emails) {
    if (emails[indicatorObject] && emails[indicatorObject].Indicator && emailsIndicators.indexOf(emails[indicatorObject].Indicator) === -1) {
        emailsIndicators.push(emails[indicatorObject].Indicator);
    }
}

// Unite into one array
maliciousIndicators = []
maliciousIndicators = maliciousIndicators.concat(filesIndicators);
maliciousIndicators = maliciousIndicators.concat(hashesIndicators);
maliciousIndicators = maliciousIndicators.concat(ipsIndicators);
maliciousIndicators = maliciousIndicators.concat(urlsIndicators);
maliciousIndicators = maliciousIndicators.concat(domainsIndicators);
maliciousIndicators = maliciousIndicators.concat(emailsIndicators);

// Remove Manually remidated indicators
if (args.includeManual == 'yes') {
    manualFiles = dq(invContext, "DBotScore(val.Type.toLowerCase()=='file' && val.Vendor=='Manual' && val.Score<" + minScore + ")");
    manualHashes = dq(invContext, "DBotScore(val.Type.toLowerCase()=='hash' && val.Vendor=='Manual' && val.Score<" + minScore + ")");
    manualIps = dq(invContext, "DBotScore(val.Type.toLowerCase()=='ip' && val.Vendor=='Manual' && val.Score<" + minScore + ")");
    manualUrls = dq(invContext, "DBotScore(val.Type.toLowerCase()=='url' && val.Vendor=='Manual' && val.Score<" + minScore + ")");
    manualDomains = dq(invContext, "DBotScore(val.Type.toLowerCase()=='domain' && val.Vendor=='Manual' && val.Score<" + minScore + ")");
    manualEmails = dq(invContext, "DBotScore(val.Type.toLowerCase()=='email' && val.Vendor=='Manual' && val.Score<" + minScore + ")");

    for (var indicatorObject in manualFiles) {
        if (manualFiles[indicatorObject] && maliciousIndicators.indexOf(manualFiles[indicatorObject].Indicator) !== -1) {
            maliciousIndicators.splice(maliciousIndicators.indexOf(manualFiles[indicatorObject].Indicator), 1);
        }
    }

    for (var indicatorObject in manualHashes) {
        if (manualHashes[indicatorObject] && maliciousIndicators.indexOf(manualHashes[indicatorObject].Indicator) !== -1) {
             maliciousIndicators.splice(maliciousIndicators.indexOf(manualHashes[indicatorObject].Indicator),1);
        }
    }
    for (var indicatorObject in manualIps) {
        if (manualIps[indicatorObject] && maliciousIndicators.indexOf(manualIps[indicatorObject].Indicator) !== -1) {
             maliciousIndicators.splice(maliciousIndicators.indexOf(manualIps[indicatorObject].Indicator),1);
        }
    }
    for (var indicatorObject in manualUrls) {
        if (manualUrls[indicatorObject] && maliciousIndicators.indexOf(manualUrls[indicatorObject].Indicator) !== -1) {
             maliciousIndicators.splice(maliciousIndicators.indexOf(manualUrls[indicatorObject].Indicator),1);
        }
    }
    for (var indicatorObject in manualDomains) {
        if (manualDomains[indicatorObject] && maliciousIndicators.indexOf(manualDomains[indicatorObject].Indicator) !== -1) {
             maliciousIndicators.splice(maliciousIndicators.indexOf(manualDomains[indicatorObject].Indicator),1);
        }
    }
    for (var indicatorObject in manualEmails) {
        if (manualEmails[indicatorObject] && maliciousIndicators.indexOf(manualEmails[indicatorObject].Indicator) !== -1) {
             maliciousIndicators.splice(maliciousIndicators.indexOf(manualEmails[indicatorObject].Indicator),1);
        }
    }
}

if (maliciousIndicators.length > 0)
    return 'yes';

if (args.queryIndicators == 'yes') {
    var query = "(reputation:Bad"
    if (args.includeSuspicious == 'yes') {
        query = query + " or reputation:Suspicious"
    }
    query = query + ")"

    if ((args.maliciousQueryOverride) && (args.maliciousQueryOverride.length > 0)) {
        query = args.maliciousQueryOverride
    }

    var indicatorsRes = executeCommand("findIndicators", {"query":query+" and investigationIDs:"+investigation.id,"size":1})
    if (indicatorsRes && indicatorsRes[0] && indicatorsRes[0].Contents[0]) {
        // we have results, so we found a maliciuos indicator for this investigation
        return 'yes'
    }
}

return 'no'

README

Checks if the investigation found any malicious indicators (file, URL, IP address, domain, or email). It will returns “yes” if at least one malicious indicator is found.

Script Data


Name Description
Script Type javascript
Tags Utility, Condition

Inputs


Argument Name Description
includeSuspicious Whether to check suspicious indicators. The default is “no”.
queryIndicators Queries all indicators in an investigation. This is relevant if it is running in a sub-playbook.
maliciousQueryOverride Whether to override the default query for malicious indicators in Cortex XSOAR (Indicators page).
includeManual Whether to check manually edited indicators. The default is “yes”.

Outputs


Path Description Type
yes Whether any malicious indicators were found in the investigation. Unknown
no Whether any malicious indicators were found in the investigation. Unknown