RemoveFileWrapper
This script allows removing specified files using Cortex XDR, CrowdStrike and Microsoft Defender (Advanced Threat Protection).
python · Malware Core
Source
from CommonServerPython import * """ STANDALONE FUNCTION """ def create_commands(device_ids: List[str], file_path: str, file_hash: str) -> List[CommandRunner.Command]: """ Create a list of `Command` of the remove file command to `Cortex XDR` and `CrowdstrikeFalcon` :param device_ids: device IDs to run on :param file_path: path of the file to delete :param file_hash: hash of the file to delete :return: A list of `Command` for the script """ cs_os_to_ids = get_crowdstrike_os_to_id(device_ids) incident_id = demisto.incident()["id"] # creating a command object for each supported integration xdr_command = CommandRunner.Command( commands="xdr-run-script-delete-file", args_lst={ "endpoint_ids": ",".join(device_ids), "file_path": file_path, }, ) falcon_command = CommandRunner.Command( commands="cs-falcon-rtr-remove-file", args_lst=[ { "host_ids": ",".join(ids), "file_path": file_path, "os": os_, } for os_, ids in cs_os_to_ids.items() ], ) microsoft_atp_command = CommandRunner.Command( commands="microsoft-atp-stop-and-quarantine-file", args_lst={ "machine_id": ",".join(device_ids), "file_hash": file_hash, "comment": f"Action was taken by Cortex XSOAR - incident #{incident_id}", }, ) path_based_commands = {xdr_command, falcon_command} hash_based_commands = {microsoft_atp_command} commands = set() if file_path: commands.update(path_based_commands) if file_hash: commands.update(hash_based_commands) return list(commands) def get_crowdstrike_os_to_id(device_ids: List[str]) -> Dict[str, Set[str]]: """ Get the OS for each device id :param device_ids: List of device ids :return: A mapping between the OS (Windows, Linux, Mac) and the devices """ endpoint_executor = CommandRunner.Command( brand="CrowdstrikeFalcon", commands="endpoint", args_lst={"id": ",".join(device_ids)} ) endpoint_results, _ = CommandRunner.execute_commands(endpoint_executor, extract_contents=True) os_to_ids: Dict[str, Set[str]] = {} for endpoint_res in endpoint_results: if not isinstance(endpoint_res.result, dict): continue for endpoints in endpoint_res.result.get("resources", []): if not isinstance(endpoints, list): endpoints = [endpoints] for endpoint in endpoints: os_ = endpoint.get("platform_name") if os_ not in os_to_ids: os_to_ids[os_] = set() os_to_ids[os_].add(endpoint.get("device_id")) return os_to_ids def run_remove_file(device_ids: List[str], file_path: str, file_hash: str) -> list: """ Given arguments to the command, returns a list of results to return :param device_ids: List of device ids to remove the file from :param file_path: Path of the file to remove :param file_hash: Hash of the file to remove (only supported on MSDE) :return: list of results to return :rtype: ``list`` """ command_executors = create_commands(device_ids, file_path, file_hash) return CommandRunner.run_commands_with_summary(command_executors) """ MAIN FUNCTION """ def main(): # pragma: no cover try: args = demisto.args() if not argToBoolean(args.get("approve_action", False)): raise ValueError("approve_action must be `yes`") device_ids = argToList(args.get("device_ids")) file_path = args.get("file_path", "") file_hash = args.get("file_hash", "") if not device_ids: raise ValueError("Device id is not specified") if not (file_path or file_hash): raise ValueError("Neither path nor hash(es) of the file(s) to delete were specified.") return_results(run_remove_file(device_ids, file_path, file_hash)) except Exception as e: return_error(f"Failed to execute RemoveFileWrapper. Error: {e!s}") """ ENTRY POINT """ if __name__ in ("__main__", "__builtin__", "builtins"): main()
README
This script is a wrapper for Cortex XDR and CrowdStrike to remove files in given path.
Script Data
| Name | Description |
|---|---|
| Script Type | python3 |
| Tags | basescript |
| Cortex XSOAR Version | 6.0.0 |
Inputs
| Argument Name | Description |
|---|---|
| device_ids | List of device IDs. |
| file_path | The file path of the file. |
Outputs
| Path | Description | Type |
|---|---|---|
| PaloAltoNetworksXDR.ScriptRun.action_id | The ID of the initiated action. | Number |
| PaloAltoNetworksXDR.ScriptRun.endpoints_count | The number of endpoints the action was initiated on. | Number |
| CrowdStrike.Command.rm.HostID | The host ID. | String |
| CrowdStrike.Command.rm.Error | The error message raised if the command failed. | String |
Script Examples
Example command
!RemoveFileWrapper device_ids=0bde2c4645294245aca522971ccc44c4 file_path=/tmp/a.txt
Context Example
{
"CrowdStrike": {
"Command": {
"rm": {
"HostID": "0bde2c4645294245aca522971ccc44c4",
"Error": "Success"
}
}
}
}
Human Readable Output
Results Summary
| Instance | Command | Result | Comment |
|---|---|---|---|
| CrowdstrikeFalcon: CrowdstrikeFalcon_instance_1 | command: cs-falcon-rtr-remove-file args: host_ids: 0bde2c4645294245aca522971ccc44c4 file_path: /tmp/a.txt os: Linux |
Success | |
| Cortex XDR - IR: Cortex XDR - IR_instance_1 | command: xdr-run-script-delete-file args: endpoint_ids: 0bde2c4645294245aca522971ccc44c4 file_path: /tmp/a.txt |
Error | Error in API call [00] - Internal Server Error {"reply": {"err_code": 00, "err_msg": "An error occurred while processing XDR public API - No endpoint was found for creating the requested action", "err_extra": "can't create group action id for SCRIPT_EXECUTION"}} |
| Cortex XDR - IR: Cortex XDR - IR_instance_1_copy | command: xdr-run-script-delete-file args: endpoint_ids: 0bde2c4645294245aca522971ccc44c4 file_path: /tmp/a.txt |
Error | Error in API call [00] - Internal Server Error {"reply": {"err_code": 00, "err_msg": "An error occurred while processing XDR public API - No endpoint was found for creating the requested action", "err_extra": "can't create group action id for SCRIPT_EXECUTION"}} |
CrowdStrike Falcon rm over the file: /tmp/a.txt
| HostID | Error |
|---|---|
| 0bde2c4645294245aca522971ccc44c4 | Success |