ThreatstreamBuildIocImportJson
Builds A JSON array based on the values provided by the user for the 'threatstream-import-indicator-without-approval' command.
python · Anomali ThreatStream
Source
import demistomock as demisto from CommonServerPython import * from CommonServerUserPython import * POPULATE_INDICATOR_FIELDS = ["indicator_type", "value", "id"] INDICATOR_TYPES = ["Domain", "Email", "File MD", "IP", "IPv6", "IPv6CIDR", "URL"] """ STANDALONE FUNCTION """ def execute_get_indicators_by_query(query: str, indicators_types: dict) -> list: """ Executes GetIndicatorsByQuery and returns a list of indicators. Args: query: a query from the user. indicators_types: A dict of in indicators types. Returns: A list of indicators. """ indicator_list = [] res = demisto.executeCommand("GetIndicatorsByQuery", args={"populateFields": POPULATE_INDICATOR_FIELDS, "query": query}) indicators = res[0]["Contents"] for indicator in indicators: indicator_type = indicator.get("indicator_type") indicator_value = indicator.get("value") if indicator_type in INDICATOR_TYPES: indicator_list.append( { "value": indicator_value, "itype": indicators_types.get("ip") if indicator_type.lower() in {"ip", "ipv6", "ipv6cidr"} else indicators_types.get(indicator_type.lower()), } ) return indicator_list def validate_indicators(email_list: list, md5_list: list, ip_list: list, url_list: list, domain_list: list) -> None: """ Validates users indicators input. Args: email_list: A list of emails. md5_list: A list of md5s. ip_list: A list of IPs. url_list: A list of URLs. domain_list: A list of domains. """ invalid_indicators = [] for email in email_list: if not re.match(emailRegex, email): invalid_indicators.append(email) for md5 in md5_list: if not re.match(md5Regex, md5): invalid_indicators.append(md5) for ip in ip_list: if FeedIndicatorType.ip_to_indicator_type(ip) is None: invalid_indicators.append(ip) for url in url_list: if not re.match(urlRegex, url): invalid_indicators.append(url) for domain in domain_list: if not re.match(domainRegex, domain): invalid_indicators.append(domain) if len(invalid_indicators) > 0: raise DemistoException(f'Invalid indicators values: {", ".join(map(str,invalid_indicators))}') def get_indicators_from_user(args: dict, indicators_types: dict) -> list: """ Validate and returns a list of indicators from user args. Args: args: Arguments provided by user. indicators_types: A dict of in indicators types. Returns: A list of indicators. """ indicator_list: list[dict] = [] indicators = { "email_list": argToList(args.get("email_values", [])), "md5_list": argToList(args.get("md5_values", [])), "ip_list": argToList(args.get("ip_values", [])), "url_list": argToList(args.get("url_values", [])), "domain_list": argToList(args.get("domain_values", [])), } validate_indicators(**indicators) for indicator_list_name, indicators_list in indicators.items(): indicator_type = indicator_list_name.split("_")[0] indicator_list.extend( { "value": indicator_value, "itype": indicators_types.get(indicator_type), } for indicator_value in indicators_list ) return indicator_list def get_indicators_and_build_json(args: dict) -> CommandResults: """ Gets a list of indicators and builds JSON. Args: args: Arguments provided by user. Returns: A CommandResults object with the relevant JSON. """ list_indicators = [] indicators_types = { "email": args.get("email_indicator_type", "mal_email"), "md5": args.get("md5_indicator_type", "mal_md5"), "ip": args.get("ip_indicator_type", "mal_ip"), "url": args.get("url_indicator_type", "mal_url"), "domain": args.get("domain_indicator_type", "mal_domain"), } if indicator_query := args.get("indicator_query"): list_indicators = execute_get_indicators_by_query(indicator_query, indicators_types) else: list_indicators = get_indicators_from_user(args, indicators_types) outputs = str({"objects": list_indicators}) return CommandResults( outputs_key_field="ThreatstreamBuildIocImportJson", outputs={"ThreatstreamBuildIocImportJson": outputs}, readable_output=outputs, ) """ MAIN FUNCTION """ def main(): try: args = demisto.args() return_results(get_indicators_and_build_json(args)) except Exception as ex: return_error(f"Failed to execute ThreatstreamBuildIocImportJson. Error: {ex!s}") """ ENTRY POINT """ if __name__ in ("__main__", "__builtin__", "builtins"): main()
README
Builds A JSON array based on the values provided by the user for the ‘threatstream-import-indicator-without-approval’ command.
Script Data
| Name | Description |
|---|---|
| Script Type | python3 |
| Tags | basescript |
| Cortex XSOAR Version | 6.8.0 |
Inputs
| Argument Name | Description |
|---|---|
| email_values | A comma-separated list of emails. |
| md5_values | A comma-separated list of MD5 hashes. |
| ip_values | A comma-separated list of IPs. |
| url_values | A comma-separated list of URLs. |
| domain_values | A comma-separated list of domains. |
| email_indicator_type | The indicator type (Itype) of the emails provided. By default the type will be “Malware Email” (mal_email). |
| md5_indicator_type | The indicator type (Itype) of the hashes provided. By default the type will be “Malware MD5” (mal_md5). |
| ip_indicator_type | The indicator type (Itype) of the ip provided. By default the type will be “Malware IP” (mal_ip). |
| url_indicator_type | The indicator type (Itype) of the URLs provided. By default the type will be “Malware URL” (mal_url). |
| domain_indicator_type | The indicator type (Itype) of the domains provided. By default the type will be “Malware Domain” (mal_domain). |
| indicator_query | The indicators query, based lucene search syntax. |
Note: If both a query (indicator_query) and values (e.g., email_values) are provided as arguments, the values will be ignored.
Outputs
| Path | Description | Type |
|---|---|---|
| ThreatstreamBuildIocImportJson | The string output represents a JSON object. | String |
Script Examples
Example command
!ThreatstreamBuildIocImportJson indicator_query="type: Domain"
Context Example
{
"ThreatstreamBuildIocImportJson": "{'objects': [{'value': 'my.domain1.com', 'itype': 'mal_domain'}, {'value': 'my.domain2.com', 'itype': 'mal_domain'}]}"
}
Human Readable Output
{‘objects’: [{‘value’: ‘my.domain1.com’, ‘itype’: ‘mal_domain’}, {‘value’: ‘my.domain2.com’, ‘itype’: ‘mal_domain’}]}
Example command
!ThreatstreamBuildIocImportJson indicator_query="type: Domain" domain_indicator_type=spam_domain
Context Example
{
"ThreatstreamBuildIocImportJson": "{'objects': [{'value': 'my.domain1.com', 'itype': 'spam_domain'}, {'value': 'my.domain2.com', 'itype': 'spam_domain'}]}"
}
Human Readable Output
{‘objects’: [{‘value’: ‘my.domain1.com’, ‘itype’: ‘spam_domain’}, {‘value’: ‘my.domain2.com’, ‘itype’: ‘spam_domain’}]}