RemoveFileWrapper

This script allows removing specified files using Cortex XDR, CrowdStrike and Microsoft Defender (Advanced Threat Protection).

python · Malware Core

Source

from CommonServerPython import *

""" STANDALONE FUNCTION """


def create_commands(device_ids: List[str], file_path: str, file_hash: str) -> List[CommandRunner.Command]:
    """
    Create a list of `Command` of the remove file command to `Cortex XDR` and `CrowdstrikeFalcon`

    :param device_ids: device IDs to run on
    :param file_path: path of the file to delete
    :param file_hash: hash of the file to delete
    :return: A list of `Command` for the script
    """
    cs_os_to_ids = get_crowdstrike_os_to_id(device_ids)
    incident_id = demisto.incident()["id"]

    # creating a command object for each supported integration
    xdr_command = CommandRunner.Command(
        commands="xdr-run-script-delete-file",
        args_lst={
            "endpoint_ids": ",".join(device_ids),
            "file_path": file_path,
        },
    )

    falcon_command = CommandRunner.Command(
        commands="cs-falcon-rtr-remove-file",
        args_lst=[
            {
                "host_ids": ",".join(ids),
                "file_path": file_path,
                "os": os_,
            }
            for os_, ids in cs_os_to_ids.items()
        ],
    )

    microsoft_atp_command = CommandRunner.Command(
        commands="microsoft-atp-stop-and-quarantine-file",
        args_lst={
            "machine_id": ",".join(device_ids),
            "file_hash": file_hash,
            "comment": f"Action was taken by Cortex XSOAR - incident #{incident_id}",
        },
    )

    path_based_commands = {xdr_command, falcon_command}
    hash_based_commands = {microsoft_atp_command}

    commands = set()
    if file_path:
        commands.update(path_based_commands)
    if file_hash:
        commands.update(hash_based_commands)

    return list(commands)


def get_crowdstrike_os_to_id(device_ids: List[str]) -> Dict[str, Set[str]]:
    """
    Get the OS for each device id

    :param device_ids: List of device ids
    :return: A mapping between the OS (Windows, Linux, Mac) and the devices
    """
    endpoint_executor = CommandRunner.Command(
        brand="CrowdstrikeFalcon", commands="endpoint", args_lst={"id": ",".join(device_ids)}
    )
    endpoint_results, _ = CommandRunner.execute_commands(endpoint_executor, extract_contents=True)
    os_to_ids: Dict[str, Set[str]] = {}
    for endpoint_res in endpoint_results:
        if not isinstance(endpoint_res.result, dict):
            continue
        for endpoints in endpoint_res.result.get("resources", []):
            if not isinstance(endpoints, list):
                endpoints = [endpoints]
            for endpoint in endpoints:
                os_ = endpoint.get("platform_name")
                if os_ not in os_to_ids:
                    os_to_ids[os_] = set()
                os_to_ids[os_].add(endpoint.get("device_id"))
    return os_to_ids


def run_remove_file(device_ids: List[str], file_path: str, file_hash: str) -> list:
    """
    Given arguments to the command, returns a list of results to return
    :param device_ids: List of device ids to remove the file from
    :param file_path: Path of the file to remove
    :param file_hash: Hash of the file to remove (only supported on MSDE)
    :return: list of results to return
    :rtype: ``list``
    """
    command_executors = create_commands(device_ids, file_path, file_hash)
    return CommandRunner.run_commands_with_summary(command_executors)


""" MAIN FUNCTION """


def main():  # pragma: no cover
    try:
        args = demisto.args()
        if not argToBoolean(args.get("approve_action", False)):
            raise ValueError("approve_action must be `yes`")
        device_ids = argToList(args.get("device_ids"))
        file_path = args.get("file_path", "")
        file_hash = args.get("file_hash", "")
        if not device_ids:
            raise ValueError("Device id is not specified")
        if not (file_path or file_hash):
            raise ValueError("Neither path nor hash(es) of the file(s) to delete were specified.")
        return_results(run_remove_file(device_ids, file_path, file_hash))
    except Exception as e:
        return_error(f"Failed to execute RemoveFileWrapper. Error: {e!s}")


""" ENTRY POINT """

if __name__ in ("__main__", "__builtin__", "builtins"):
    main()

README

This script is a wrapper for Cortex XDR and CrowdStrike to remove files in given path.

Script Data


Name Description
Script Type python3
Tags basescript
Cortex XSOAR Version 6.0.0

Inputs


Argument Name Description
device_ids List of device IDs.
file_path The file path of the file.

Outputs


Path Description Type
PaloAltoNetworksXDR.ScriptRun.action_id The ID of the initiated action. Number
PaloAltoNetworksXDR.ScriptRun.endpoints_count The number of endpoints the action was initiated on. Number
CrowdStrike.Command.rm.HostID The host ID. String
CrowdStrike.Command.rm.Error The error message raised if the command failed. String

Script Examples

Example command

!RemoveFileWrapper device_ids=0bde2c4645294245aca522971ccc44c4 file_path=/tmp/a.txt

Context Example

{
    "CrowdStrike": {
        "Command": {
            "rm": {
                "HostID": "0bde2c4645294245aca522971ccc44c4", 
                "Error": "Success"
            }
        }
    }
}

Human Readable Output

Results Summary

Instance Command Result Comment
CrowdstrikeFalcon: CrowdstrikeFalcon_instance_1 command: cs-falcon-rtr-remove-file
args:
host_ids: 0bde2c4645294245aca522971ccc44c4
file_path: /tmp/a.txt
os: Linux
Success  
Cortex XDR - IR: Cortex XDR - IR_instance_1 command: xdr-run-script-delete-file
args:
endpoint_ids: 0bde2c4645294245aca522971ccc44c4
file_path: /tmp/a.txt
Error Error in API call [00] - Internal Server Error
{"reply": {"err_code": 00, "err_msg": "An error occurred while processing XDR public API - No endpoint was found for creating the requested action", "err_extra": "can't create group action id for SCRIPT_EXECUTION"}}
Cortex XDR - IR: Cortex XDR - IR_instance_1_copy command: xdr-run-script-delete-file
args:
endpoint_ids: 0bde2c4645294245aca522971ccc44c4
file_path: /tmp/a.txt
Error Error in API call [00] - Internal Server Error
{"reply": {"err_code": 00, "err_msg": "An error occurred while processing XDR public API - No endpoint was found for creating the requested action", "err_extra": "can't create group action id for SCRIPT_EXECUTION"}}

CrowdStrike Falcon rm over the file: /tmp/a.txt

HostID Error
0bde2c4645294245aca522971ccc44c4 Success