UseCaseAdoptionMetrics

python · Use Case Builder

Source

import demistomock as demisto  # noqa: F401
from CommonServerPython import *  # noqa: F401

# Function to check if there is at least one incident with the "Phishing" type


def check_phishing_incidents():
    incident_type = "Phishing"
    res = demisto.executeCommand("getIncidents", {"type": incident_type, "size": 1})
    incidents = res[0]["Contents"]["data"]
    return bool(incidents)


def is_rapid_breach_response_installed():
    res = demisto.executeCommand("core-api-get", {"uri": "/contentpacks/metadata/installed"})
    installed_packs = res[0]["Contents"]["response"]
    return any(pack["name"] == "Rapid Breach Response" for pack in installed_packs)


modules = demisto.getModules()

use_cases_in_production = set()
at_risk = []

phishing_incidents = check_phishing_incidents()

for _module, details in modules.items():
    if details.get("brand").lower() != "builtin" and details.get("state") == "active" and details.get("category") != "Utilities":
        if details.get("category") in ["Forensic & Malware Analysis", "Endpoint"]:
            use_cases_in_production.add("Ransomware & Malware Coverage")
        elif details.get("category") in ["Email", "Messaging", "Messaging and Conferencing"] and "phishing" in details.get(
            "incident_types", []
        ):
            if phishing_incidents:
                use_cases_in_production.add("Business Email Compromise Coverage")
            else:
                at_risk.append(
                    "[Business Email Compromise Coverage](https://xsoar.pan.dev/marketplace/?category=Email%2C%20Messaging)"
                )
        elif details.get("category") == "Network Security":
            use_cases_in_production.add("Network Security")
        elif details.get("category") == "Analytics & SIEM":
            use_cases_in_production.add("Analytics & SIEM")
        elif details.get("category") == "Data Enrichment & Threat Intelligence":
            use_cases_in_production.add("Data Enrichment & Threat Intelligence")
        elif details.get("category") == "Vulnerability Management":
            use_cases_in_production.add("Vulnerability Management")
        elif details.get("category") == "Case Management":
            use_cases_in_production.add("Case Management")

if is_rapid_breach_response_installed():
    use_cases_in_production.add("Rapid Breach Response")

use_case_dict = {
    "Ransomware & Malware Coverage": "https://cortex.marketplace.pan.dev/marketplace/?useCase=Malware",
    "Business Email Compromise Coverage": "https://cortex.marketplace.pan.dev/marketplace/?useCase=Phishing",
    "Network Security": "https://xsoar.pan.dev/marketplace/?category=Network%20Security",
    "Analytics & SIEM": "https://cortex.marketplace.pan.dev/marketplace/?category=Analytics+%26+SIEM",
    "Data Enrichment & Threat Intelligence": "https://cortex.marketplace.pan.dev/marketplace/?category=Data+Enrichment+%26+Threat+Intelligence",
    "Vulnerability Management": "https://xsoar.pan.dev/marketplace/?category=Vulnerability%20Management",
    "Case Management": "https://cortex.marketplace.pan.dev/marketplace/?category=Case+Management",
    "Rapid Breach Response": "https://cortex.marketplace.pan.dev/marketplace/details/MajorBreachesInvestigationandResponse/",
}

for use_case, url in use_case_dict.items():
    if use_case not in use_cases_in_production:
        at_risk.append(f"[{use_case}]({url})")

table = "| Use Case Adoption & Coverage | Status |\n"
table += "|---|---|\n"
for use_case in use_cases_in_production:
    table += f"| {use_case} | ✅ |\n"

for use_case in at_risk:
    table += f"| {use_case} | ❌ |\n"

if at_risk:
    table += "\n"

demisto.results(table)