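commonfields:
  id: PhishLabsPopulateIndicators
  version: -1
name: PhishLabsPopulateIndicators
script: |-
  # Populate XSOAR indicators from the PhishLabs IOC global feed.
  #
  # The feed is fetched through the `phishlabs-global-feed` integration command.
  # Normal mode creates every returned IOC as a "Bad" indicator sourced from
  # PhishLabs. With delete_false_positive=true the feed is instead queried for
  # entries PhishLabs has reclassified as false positive and the matching
  # PhishLabs-sourced indicators are deleted (no indicators are created).
  #
  # `demisto`, `isError`, `return_error` and `datetime` are not imported here:
  # they are provided by the XSOAR script runtime / CommonServerPython.

  _TRUE_TOKENS = ('y', 'yes', 't', 'true', 'on', '1')
  _FALSE_TOKENS = ('n', 'no', 'f', 'false', 'off', '0')
  _FEED_TIME_FORMAT = '%Y-%m-%dT%H:%M:%SZ'


  def to_bool(value):
      """Parse a boolean-ish argument value (same tokens distutils' strtobool accepted).

      Returns True for y/yes/t/true/on/1 and False for n/no/f/false/off/0,
      case-insensitively. Any other value raises ValueError so a malformed
      argument fails loudly instead of quietly becoming False. distutils is
      deprecated/removed in newer Pythons, hence the local implementation.
      """
      token = str(value).strip().lower()
      if token in _TRUE_TOKENS:
          return True
      if token in _FALSE_TOKENS:
          return False
      raise ValueError('invalid truth value {!r}'.format(value))


  def is_flagged_false_positive(feed_item):
      """True if the feed item carries a truthy `falsePositive` flag.

      A missing or unrecognised flag counts as not-false-positive, which is the
      safe default in both modes (nothing gets deleted, and the create path
      separately refuses to record flagged items as Bad).
      """
      return str(feed_item.get('falsePositive', 'false')).strip().lower() in _TRUE_TOKENS


  def build_feed_args(args):
      """Translate automation args into `phishlabs-global-feed` command args.

      Only args that were actually supplied are forwarded. `limit` must be an
      integer; anything else aborts with a clear return_error instead of a raw
      ValueError traceback.
      """
      command_args = {}
      if args.get('since'):
          command_args['since'] = args['since']
      limit = args.get('limit')
      if limit:
          try:
              command_args['limit'] = int(limit)
          except (TypeError, ValueError):
              return_error('limit must be an integer, got: {}'.format(limit))
      for key in ('indicator_type', 'remove_protocol', 'remove_query'):
          if args.get(key):
              command_args[key] = args[key]
      return command_args


  def delete_false_positives(feed):
      """Delete PhishLabs-sourced indicators whose feed entry is flagged falsePositive.

      The feed value is interpolated into a deleteIndicators query string. The
      value is external data (typically an attacker-chosen phishing URL/domain),
      so a value containing a double quote could close the quoted term and widen
      the query (e.g. `" or value:*`), deleting unrelated indicators. Such values,
      and empty values, are skipped rather than relying on query-escaping rules
      this script cannot verify. Aborts on the first deleteIndicators error.
      """
      for item in feed:
          if not is_flagged_false_positive(item):
              continue
          value = item.get('value')
          if not value or '"' in str(value):
              demisto.debug('PhishLabsPopulateIndicators: skipping false positive with '
                            'empty or quoted value: {!r}'.format(value))
              continue
          delete_res = demisto.executeCommand('deleteIndicators', {
              'query': 'source:"PhishLabs" and value:"{}"'.format(value),
              'reason': 'Classified as false positive by PhishLabs',
          })
          if not delete_res or isError(delete_res[0]):
              detail = delete_res[0]['Contents'] if delete_res else 'no response'
              return_error('Error deleting PhishLabs indicators - {}'.format(detail))


  def to_demisto_indicator(item):
      """Map a feed entry to createNewIndicator args, or None if it should be skipped.

      `Attachment` entries become `File MD5` indicators using the entry's `md5`
      attribute. Entries with no usable type or value (e.g. an attachment without
      an md5 attribute) return None so no empty indicator is created. A
      `createdAt` that does not match the feed's timestamp format is dropped
      (the indicator is still created) instead of aborting the whole run.
      """
      ind_type = item.get('type')
      ind_value = item.get('value')
      if ind_type == 'Attachment':
          ind_type = 'File MD5'
          md5_attrs = [a for a in item.get('attributes', []) if a.get('name') == 'md5']
          ind_value = md5_attrs[0].get('value') if md5_attrs else ''
      if not ind_type or not ind_value:
          return None
      indicator = {
          'type': ind_type,
          'value': ind_value,
          'source': 'PhishLabs',
          'reputation': 'Bad',
          'seenNow': 'true',
          'comment': 'From PhishLabs Global Feed',
      }
      created_at = item.get('createdAt')
      if created_at:
          try:
              parsed = datetime.strptime(created_at, _FEED_TIME_FORMAT)
          except ValueError:
              demisto.debug('PhishLabsPopulateIndicators: unparsable createdAt {!r}, '
                            'creating indicator without sourceTimeStamp'.format(created_at))
          else:
              # Round-trip through datetime so only a well-formed timestamp is stored.
              indicator['sourceTimeStamp'] = datetime.strftime(parsed, _FEED_TIME_FORMAT)
      return indicator


  def create_indicators(feed):
      """Create one Bad PhishLabs indicator per usable feed entry; abort on the first error."""
      for item in feed:
          if is_flagged_false_positive(item):
              # Normal mode does not request false positives from the feed, so this
              # is not expected; never record a vendor-flagged false positive as Bad.
              continue
          indicator = to_demisto_indicator(item)
          if indicator is None:
              demisto.debug('PhishLabsPopulateIndicators: skipping feed entry without a '
                            'usable type/value: {!r}'.format(item.get('value')))
              continue
          res = demisto.executeCommand('createNewIndicator', indicator)
          if not res or isError(res[0]):
              detail = res[0]['Contents'] if res else 'no response'
              return_error('Error creating indicator - {}'.format(detail))


  def main():
      """Fetch the feed, then either delete flagged false positives or create indicators."""
      args = demisto.args()
      delete_false_positive = to_bool(args.get('delete_false_positive', 'false'))
      command_args = build_feed_args(args)
      if delete_false_positive:
          # Ask the integration for entries flagged false positive instead of live IOCs.
          command_args['false_positive'] = 'true'

      feed_res = demisto.executeCommand('phishlabs-global-feed', command_args)
      if not feed_res:
          return_error('Failed getting the global feed from PhishLabs - no response')
      entry = feed_res[0]
      if isError(entry):
          # return_error (not demisto.results) so the automation is marked failed and a
          # calling playbook does not continue as though indicators were populated.
          return_error('Failed getting the global feed from PhishLabs - {}'.format(entry['Contents']))

      content = entry.get('Contents')
      if not content or not isinstance(content, dict):
          return_error('No indicators found')
      feed = content.get('data', [])

      if delete_false_positive:
          delete_false_positives(feed)
      else:
          create_indicators(feed)
      demisto.results('Successfully populated indicators')


  if __name__ in ('__main__', '__builtin__', 'builtins'):
      main()
type: python
tags:
  - PhishLabs
comment: Populate indicators by the PhishLabs IOC global feed.
enabled: true
system: true
args:
  - name: since
    description: Get indicators updated within this duration (from now).
    defaultValue: 1h
  - name: limit
    description: Maximum number of results to return (must be an integer).
  - name: delete_false_positive
    auto: PREDEFINED
    predefined:
      - "true"
      - "false"
    description: >-
      If true, the indicators that PhishLabs has updated to be false positive are
      removed via deleteIndicators (whitelisted in Demisto). No new indicators
      are created in this mode. Feed values containing a double quote are skipped
      rather than interpolated into the delete query.
    defaultValue: "false"
  - name: indicator_type
    auto: PREDEFINED
    predefined:
      - Domain
      - URL
      - Attachment
    description: Filter by indicator type. Attachments are stored as File MD5 indicators.
  - name: remove_query
    auto: PREDEFINED
    predefined:
      - "true"
      - "false"
    description: >-
      Removes the query string part from indicators, when the rule can be
      applied.
    defaultValue: "false"
  - name: remove_protocol
    auto: PREDEFINED
    predefined:
      - "true"
      - "false"
    description: Removes the protocol part from indicators, when the rule can be applied.
    defaultValue: "false"
scripttarget: 0
dependson:
  must: []
  should:
    - PhishLabs IOC|||phishlabs-global-feed
timeout: 3.6µs
runonce: false
dockerimage: demisto/python3:3.7.3.221
# Least-privilege role for the script itself; deleteIndicators/createNewIndicator
# still run under the platform's command permissions.
runas: DBotWeakRole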