PanoramaCVECoverage

Check coverage given a list of CVEs.

python · PAN-OS by Palo Alto Networks

Source

import demistomock as demisto  # noqa: F401
from CommonServerPython import *  # noqa: F401

OUTPUT_HEADERS = ["Threat Name", "Link", "Severity", "Threat ID", "Default Action"]


def main():
    try:
        # Input arguments
        args = demisto.args()
        cve_list = argToList(args.get("CVE_List"))
        pan_os_output = args.get("Result_file")
        output_format = args.get("outputFormat", "table")

        # read the file content
        read_file_output = demisto.executeCommand("ReadFile", {"entryID": pan_os_output, "maxFileSize": "100000000"})
        if isError(read_file_output):
            return_error(f"Failed to execute ReadFile command: {get_error(read_file_output)}")

        pan_os_output = read_file_output[0].get("EntryContext").get("FileData")

        # CVE data from the firewall
        data = json.loads(pan_os_output)

        findings: Dict[str, List] = {}

        # Correlating the corresponding CVE list to reference link, severity, threat_id, and default action.
        for entry in data["threats"]["vulnerability"]["entry"]:
            if "cve" in entry:
                cve = entry["cve"]["member"]
                if cve in cve_list:
                    link = "http://cve.circl.lu/api/cve/" + cve
                    threat_name = entry.get("threatname")
                    severity = entry.get("severity")
                    threat_id = entry.get("@name")
                    action = entry.get("default-action", "No Action Defined")
                    output_fields = {
                        "threat_name": threat_name,
                        "link": link,
                        "severity": severity,
                        "threat_id": threat_id,
                        "default_action": action,
                    }
                    if cve in findings:
                        findings[cve].append(output_fields)
                    else:
                        findings[cve] = [output_fields]

        # Start of markdown output formatting
        res = "## CVE Coverage\n"
        for queriedCVE in cve_list:
            if queriedCVE in findings:
                if output_format == "table":
                    section = tableToMarkdown(queriedCVE, findings[queriedCVE], headerTransform=string_to_table_header)
                else:
                    section = f"### {queriedCVE}\n"
                    rows = [",".join([entry[fieldName] for fieldName in entry]) for entry in findings[queriedCVE]]
                    section += "\n".join(rows)
                res += section
            else:
                res += f"### {queriedCVE}\nNo coverage for {queriedCVE}"
            res += "\n"
        res += "\n\n"

        # create the context outputs
        outputs = []
        for queried_CVE in findings:
            outputs.append({"CVE": queried_CVE, "Coverage": findings[queried_CVE]})
    except Exception as e:
        return_error(str(e))

    return_results(
        CommandResults(readable_output=res, outputs_key_field="CVE", outputs=outputs, outputs_prefix="Panorama.CVECoverage")
    )


# python2 uses __builtin__ python3 uses builtins
if __name__ == "__builtin__" or __name__ == "builtins":
    main()

README

Check coverage given a list of CVEs.

Script Data


Name Description
Script Type python3
Tags  
Demisto Version 5.0.0

Used In


This script is used in the following playbook and script.
NetOps Panorama coverage by CVE

Inputs


Argument Name Description
CVE_List A comma-separated list of CVEs to find.
Result_file Entry ID of the output file from the panorama command.
outputFormat Raw output of the panorama command into a file.

Outputs


Path Description Type
Panorama.CVECoverage.CVE The CVE value. String
Panorama.CVECoverage.Coverage.threat_name The threat name. String
Panorama.CVECoverage.Coverage.link Link address to the threat in CVE site. String
Panorama.CVECoverage.Coverage.severity The threat severity. String
Panorama.CVECoverage.Coverage.threat_id The threat ID. Number
Panorama.CVECoverage.Coverage.default_action The threat default action. String