RiskSenseGetRansomewareCVEScript

This script is a helper script of Ransomware Exposure - RiskSense playbook and retrieve information of cves and trending cves from host finding details.

python · RiskSense

Source

from CommonServerPython import *
from collections import defaultdict
from datetime import date


def header_transform(key: str) -> str:
    """
    Function returns header key in human readable

    :param key: header key
    :return: translated headers
    """
    header_dict = {
        "Cve": "CVE ID",
        "CVSS": "CVSS Score",
        "VRR": "VRR Score",
        "ThreatCount": "Threat Count",
        "VulnLastTrendingOn": "Last Trending On Date",
        "Trending": "Trending",
    }

    return header_dict.get(key, "")


def get_ransomware_trending_cves(ransomware_cves) -> list:
    """
    Filter last 7 days trending reansomware cves from ransomware cves.

    :param ransomware_cves: list of ransomware cves.
    :return: list of trending ransomware.
    """
    ransomware_trending = []

    today_date = date.today()
    week_ago_date = today_date - timedelta(days=7)
    demisto.setContext("Date.CurrentDate", str(today_date))
    demisto.setContext("Date.WeekAgoDate", str(week_ago_date))

    for cve in ransomware_cves:
        if cve.get("VulnLastTrendingOn") and cve.get("VulnLastTrendingOn") != "Not Found":
            vuln_last_trending_on_date = datetime.strptime(cve.get("VulnLastTrendingOn", "2000-01-01"), "%Y-%m-%d").date()
            if (today_date - vuln_last_trending_on_date).days <= 7:
                ransomware_trending.append(cve)

    return ransomware_trending


def get_ransomware_cves(host_findings):
    """
    Retrieves ransomware cves from host findings details.

    :param host_findings: list of host findings details
    :return: list of ransomware cves
    """
    all_cves: dict = defaultdict(dict)

    for findings in host_findings:
        risk_rating = findings.get("RiskRating", 0)
        threat_list = defaultdict(list)

        threats = findings.get("Threat") if findings.get("Threat", []) else []
        vulns = findings.get("Vulnerability") if findings.get("Vulnerability", []) else []

        # if dict response receive from context data then convert it to list
        threats = [threats] if isinstance(threats, dict) else threats
        vulns = [vulns] if isinstance(vulns, dict) else vulns

        for threat in threats:
            for cve in threat.get("Cve", []):
                threat_list[cve].append(
                    {
                        "Title": threat.get("Title", ""),
                        "Category": threat.get("Category", ""),
                        "Severity": threat.get("Severity", ""),
                        "Description": threat.get("Description", ""),
                        "Cve": threat.get("Cve", ""),
                        "Source": threat.get("Source", ""),
                        "Published": threat.get("Published", ""),
                        "Updated": threat.get("Updated", ""),
                        "ThreatLastTrendingOn": threat.get("ThreatLastTrendingOn", ""),
                        "Trending": threat.get("Trending", ""),
                    }
                )

        for vulnerability in vulns:
            last_trending = vulnerability.get("VulnLastTrendingOn", "")
            all_cves[vulnerability.get("Cve", "No ID Found")] = {
                "Cve": vulnerability.get("Cve", ""),
                "CVSS": vulnerability.get("BaseScore", ""),
                "VRR": risk_rating,
                "ThreatCount": len(threat_list.get(vulnerability.get("Cve", ""), [])),
                "Trending": vulnerability.get("Trending", ""),
                "VulnLastTrendingOn": last_trending if last_trending else "Not Found",
                "Threats": threat_list.get(vulnerability.get("Cve", ""), []),
                "Description": vulnerability.get("Description", ""),
            }
    cve_list = []
    for cve in all_cves.values():
        if isinstance(cve, list):
            cve_list.extend(cve)
        else:
            cve_list.append(cve)
    ransomware_cves = []
    for cve in cve_list:
        for threat in cve.get("Threats", []):
            if threat.get("Category", "").lower() == "ransomware":
                ransomware_cves.append(cve)
                break
    return ransomware_cves


def display_ransomware_cve_results(ransomware_cves):
    """
    Set context data and human readable for ransomware cves.
    will raise an error message if no ransomware cves found.

    :param ransomware_cves: list of ransomware cves
    :return: standard output
    """
    ransomware_cves_count = len(ransomware_cves)
    if ransomware_cves_count <= 0:
        return_results("No ransomware CVEs found.")

    demisto.setContext("CVECount", ransomware_cves_count)
    readable_output = "### Total CVEs found: " + str(len(ransomware_cves)) + "\n"
    readable_output += tableToMarkdown(
        "List of CVEs that have ransomware threat",
        ransomware_cves,
        ["Cve", "CVSS", "VRR", "ThreatCount", "VulnLastTrendingOn", "Trending"],
        header_transform,
        removeNull=True,
    )
    return CommandResults(
        outputs_prefix="RiskSense.RansomwareCves",
        outputs_key_field="Cve",
        outputs=ransomware_cves,
        readable_output=readable_output,
        raw_response={},
    )


def display_ransomware_trending_cve_results(ransomware_cves):
    """
    Retrieve trending ransomware cves and Set context data and human readable for trending ransomware cves.
    will raise an error message if no trending ransomware cves found.

    :param ransomware_cves: list of ransomware cves.
    :return: standard output.
    """
    ransomware_trending = get_ransomware_trending_cves(ransomware_cves)
    ransomware_trending_cves_count = len(ransomware_trending)
    if ransomware_trending_cves_count <= 0:
        return_results("No CVEs found With trending ransomware.")

    demisto.setContext("TrendingCVECount", ransomware_trending_cves_count)
    readable_output = "### Total CVEs found: " + str(len(ransomware_trending)) + "\n"
    readable_output += tableToMarkdown(
        "List of CVEs that are ransomware trending",
        ransomware_trending,
        ["Cve", "CVSS", "VRR", "ThreatCount", "VulnLastTrendingOn", "Trending"],
        header_transform,
        removeNull=True,
    )
    return CommandResults(
        outputs_prefix="RiskSense.RansomwareTrendingCves",
        outputs_key_field="Cve",
        outputs=ransomware_trending,
        readable_output=readable_output,
        raw_response={},
    )


def main() -> None:
    LOG("Start RiskSense get ransomeware cves script")

    # Fetch Parameter
    trending = demisto.args().get("trending")

    results = demisto.executeCommand(
        "risksense-get-host-findings",
        {"fieldname": "threat_categories", "operator": "EXACT", "value": "Ransomware", "size": 1000, "status": "Open"},
    )

    host_findings = results[0].get("EntryContext", {}).get("RiskSense.HostFinding(val.ID == obj.ID)")

    if not host_findings:
        return_results("Key [RiskSense.HostFinding] was not found in context data.")

    host_findings = [host_findings] if isinstance(host_findings, dict) else host_findings

    ransomware_cves = get_ransomware_cves(host_findings)

    if argToBoolean(trending):
        result = display_ransomware_trending_cve_results(ransomware_cves)
        return_results(result)
    else:
        result = display_ransomware_cve_results(ransomware_cves)
        return_results(result)


if __name__ == "__builtin__" or __name__ == "builtins":
    main()

README

This script is a helper script for the Ransomware Exposure - RiskSense playbook and retrieves information of CVEs and trending CVEs from host finding details.

Script Data


Name Description
Script Type python3
Tags RiskSense
Cortex XSOAR Version 5.0.0

Inputs


Argument Name Description
trending Trending is defined by RiskSense as vulnerabilities that are being actively abused by attackers in the wild based on activity in hacker forums and Twitter feeds, as well as analysis of 3rd party threat intelligence sources.

Outputs


Path Description Type
RiskSense.RansomwareCves.Cve The ID of the CVE. String
RiskSense.RansomwareCves.CVSS The CVSS score of the CVE. Number
RiskSense.RansomwareCves.VRR The risk rate of the host finding. Number
RiskSense.RansomwareCves.ThreatCount The total number of threats associated with the CVE. Number
RiskSense.RansomwareCves.Trending This signifies whether the vulnerability (which is associated with the hostFinding) has been reported by our internal functions as being trending. boolean
RiskSense.RansomwareCves.VulnLastTrendingOn Date when last trending vulnerability was found. String
RiskSense.RansomwareCves.Description A description of the CVE. String
RiskSense.RansomwareCves.Threats.Title The title of the threat. String
RiskSense.RansomwareCves.Threats.Category The threat category. String
RiskSense.RansomwareCves.Threats.Severity The severity level of the threat. String
RiskSense.RansomwareCves.Threats.Description The threat description. String
RiskSense.RansomwareCves.Threats.Cve List of CVEs that contain particular threat. Unknown
RiskSense.RansomwareCves.Threats.Source The source of the threat. String
RiskSense.RansomwareCves.Threats.Published The time when the threat was published. String
RiskSense.RansomwareCves.Threats.Updated The time when the threat was last updated. String
RiskSense.RansomwareCves.Threats.ThreatLastTrendingOn The last time when threat was in trending. String
RiskSense.RansomwareCves.Threats.Trending Whether the threat is trending. boolean
RiskSense.RansomwareTrendingCves.Cve The ID of the CVE. String
RiskSense.RansomwareTrendingCves.CVSS The CVSS score of the CVE. Number
RiskSense.RansomwareTrendingCves.VRR The risk rate of the host finding. Number
RiskSense.RansomwareTrendingCves.ThreatCount The total number of threats associated with the CVE. Number
RiskSense.RansomwareTrendingCves.Trending This signifies whether the vulnerability (which is associated with the hostFinding) has been reported by our internal functions as being trending. boolean
RiskSense.RansomwareTrendingCves.VulnLastTrendingOn Date when last trending vulnerability was found. String
RiskSense.RansomwareTrendingCves.Description A description of the CVE. String
RiskSense.RansomwareTrendingCves.Threats.Title The title of the threat. String
RiskSense.RansomwareTrendingCves.Threats.Category The threat category. String
RiskSense.RansomwareTrendingCves.Threats.Severity The severity level of the threat. String
RiskSense.RansomwareTrendingCves.Threats.Description The threat description. String
RiskSense.RansomwareTrendingCves.Threats.Cve List of CVEs that contain particular threat. Unknown
RiskSense.RansomwareTrendingCves.Threats.Source The source of the threat. String
RiskSense.RansomwareTrendingCves.Threats.Published The time when the threat was published. String
RiskSense.RansomwareTrendingCves.Threats.Updated The time when the threat was last updated. String
RiskSense.RansomwareTrendingCves.Threats.ThreatLastTrendingOn The last time when threat was in trending. String
RiskSense.RansomwareTrendingCves.Threats.Trending Whether the threat is trending. boolean
Date.CurrentDate The current date String
Date.WeekAgoDate The date that was 7 days ago starting from current date. String
CVECount The count of the CVEs. Number
TrendingCVECount The count of the trending CVEs. Number