From 54b57931921798aefe30b0242e95f6c5d2279f86 Mon Sep 17 00:00:00 2001 
From: TOUFIKI Zakarya
Date: Thu, 11 Jul 2024 01:02:31 +0200
Subject: [PATCH] Add scripts
---
 .../Scripts/SekoiaXDRAddComment/README.md | 0
 .../SekoiaXDRAddComment/add_comment.py | 27 ++++++++++
 .../SekoiaXDRAddComment/add_comment.yml | 26 ++++++++++
 .../Scripts/SekoiaXDRChangeStatus/README.md | 0
 .../SekoiaXDRChangeStatus.py | 49 +++++++++++++++++++
 .../SekoiaXDRChangeStatus.yml | 32 ++++++++++++
 .../Scripts/SekoiaXDRCloseAlert/README.md | 0
 .../SekoiaXDRCloseAlert.py | 44 +++++++++++++++++
 .../SekoiaXDRCloseAlert.yml | 19 +++++++
 .../Scripts/SekoiaXDRPrintAssets/README.md | 0
 .../SekoiaXDRPrintAssets.py | 41 ++++++++++++++++
 .../SekoiaXDRPrintAssets.yml | 19 +++++++
 .../Scripts/SekoiaXDRPrintCase/README.md | 0
 .../SekoiaXDRPrintCase/SekoiaXDRPrintCase.py | 37 ++++++++++++++
 .../SekoiaXDRPrintCase/SekoiaXDRPrintCase.yml | 19 +++++++
 .../Scripts/SekoiaXDRPrintComments/README.md | 0
 .../SekoiaXDRPrintComments.py | 40 +++++++++++++++
 .../SekoiaXDRPrintComments.yml | 19 +++++++
 18 files changed, 372 insertions(+)
 create mode 100644 Packs/SekoiaXDR/Scripts/SekoiaXDRAddComment/README.md
 create mode 100644 Packs/SekoiaXDR/Scripts/SekoiaXDRAddComment/add_comment.py
 create mode 100644 Packs/SekoiaXDR/Scripts/SekoiaXDRAddComment/add_comment.yml
 create mode 100644 Packs/SekoiaXDR/Scripts/SekoiaXDRChangeStatus/README.md
 create mode 100644 Packs/SekoiaXDR/Scripts/SekoiaXDRChangeStatus/SekoiaXDRChangeStatus.py
 create mode 100644 Packs/SekoiaXDR/Scripts/SekoiaXDRChangeStatus/SekoiaXDRChangeStatus.yml
 create mode 100644 Packs/SekoiaXDR/Scripts/SekoiaXDRCloseAlert/README.md
 create mode 100644 Packs/SekoiaXDR/Scripts/SekoiaXDRCloseAlert/SekoiaXDRCloseAlert.py
 create mode 100644 Packs/SekoiaXDR/Scripts/SekoiaXDRCloseAlert/SekoiaXDRCloseAlert.yml
 create mode 100644 Packs/SekoiaXDR/Scripts/SekoiaXDRPrintAssets/README.md
 create mode 100644 Packs/SekoiaXDR/Scripts/SekoiaXDRPrintAssets/SekoiaXDRPrintAssets.py
 create mode 100644 Packs/SekoiaXDR/Scripts/SekoiaXDRPrintAssets/SekoiaXDRPrintAssets.yml
 create mode 100644 Packs/SekoiaXDR/Scripts/SekoiaXDRPrintCase/README.md
 create mode 100644 Packs/SekoiaXDR/Scripts/SekoiaXDRPrintCase/SekoiaXDRPrintCase.py
 create mode 100644 Packs/SekoiaXDR/Scripts/SekoiaXDRPrintCase/SekoiaXDRPrintCase.yml
 create mode 100644 Packs/SekoiaXDR/Scripts/SekoiaXDRPrintComments/README.md
 create mode 100644 Packs/SekoiaXDR/Scripts/SekoiaXDRPrintComments/SekoiaXDRPrintComments.py
 create mode 100644 Packs/SekoiaXDR/Scripts/SekoiaXDRPrintComments/SekoiaXDRPrintComments.yml
diff --git a/Packs/SekoiaXDR/Scripts/SekoiaXDRAddComment/README.md b/Packs/SekoiaXDR/Scripts/SekoiaXDRAddComment/README.md
new file mode 100644
index 000000000000..e69de29bb2d1
diff --git a/Packs/SekoiaXDR/Scripts/SekoiaXDRAddComment/add_comment.py b/Packs/SekoiaXDR/Scripts/SekoiaXDRAddComment/add_comment.py
new file mode 100644
index 000000000000..b3cb5ecda6d1
--- /dev/null
+++ b/Packs/SekoiaXDR/Scripts/SekoiaXDRAddComment/add_comment.py
@@ -0,0 +1,27 @@
+import demistomock as demisto # noqa: F401
+from CommonServerPython import * # noqa: F401
+
+
+def main():
+
+ alert_short_id = demisto.args().get("short_id")
+ comment = demisto.args().get("comment")
+
+ user = execute_command("getUsers", {"current": "true"})[0]["name"]
+ execute_command(
+ "sekoia-xdr-post-comment-alert",
+ {"id": alert_short_id, "comment": comment, "author": user},
+ )
+
+ readable_output = f"### Comment added by {user}:\n {comment}"
+ demisto.results(
+ {
+ "ContentsFormat": formats["markdown"],
+ "Type": entryTypes["note"],
+ "Contents": readable_output,
+ }
+ )
+
+
+if __name__ in ["__main__", "builtin", "builtins"]:
+ main()
diff --git a/Packs/SekoiaXDR/Scripts/SekoiaXDRAddComment/add_comment.yml b/Packs/SekoiaXDR/Scripts/SekoiaXDRAddComment/add_comment.yml
new file mode 100644
index 000000000000..43d3a113050e
--- /dev/null
+++ b/Packs/SekoiaXDR/Scripts/SekoiaXDRAddComment/add_comment.yml
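Review bot: Neither `alert_short_id` nor `comment` is checked before `sekoia-xdr-post-comment-alert` is issued, so an empty or missing argument reaches the integration and fails with an opaque error instead of a clear one; add `if not alert_short_id or not comment: return_error("short_id and comment are required")` right after the two `demisto.args().get(...)` lines. The `getUsers` result is indexed as `[0]["name"]` without a guard, so an empty list from that command surfaces as an IndexError rather than a readable message. Style-wise, the other scripts in this commit (SekoiaXDRPrintAssets, SekoiaXDRPrintCase, SekoiaXDRPrintComments) return output through `return_results(CommandResults(readable_output=...))`; using the same here instead of a hand-built `demisto.results` dict keeps the pack consistent.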
@@ -0,0 +1,26 @@
+commonfields:
+ id: c82c5535-89e8-48a6-829b-05929bd88f8e
+ version: 5
+vcShouldKeepItemLegacyProdMachine: false
+name: script-SekoiaXDRAddComment
+script: ''
+type: python
+tags:
+- incident-action-button
+comment: Script to add a comment to an alert in Sekoia, including the name of the person who made the comment.
+enabled: true
+args:
+- name: short_id
+ required: true
+ description: The short ID of the alert.
+- name: comment
+ required: true
+ description: The comment you want to send to an alert.
+scripttarget: 0
+subtype: python3
+pswd: ''
+runonce: false
+dockerimage: demisto/python3:3.10.14.97374
+runas: DBotWeakRole
+engineinfo: {}
+mainengineinfo: {}
diff --git a/Packs/SekoiaXDR/Scripts/SekoiaXDRChangeStatus/README.md b/Packs/SekoiaXDR/Scripts/SekoiaXDRChangeStatus/README.md
new file mode 100644
index 000000000000..e69de29bb2d1
diff --git a/Packs/SekoiaXDR/Scripts/SekoiaXDRChangeStatus/SekoiaXDRChangeStatus.py b/Packs/SekoiaXDR/Scripts/SekoiaXDRChangeStatus/SekoiaXDRChangeStatus.py
new file mode 100644
index 000000000000..7882a80b2087
--- /dev/null
+++ b/Packs/SekoiaXDR/Scripts/SekoiaXDRChangeStatus/SekoiaXDRChangeStatus.py
@@ -0,0 +1,49 @@
+import demistomock as demisto # noqa: F401
+from CommonServerPython import * # noqa: F401
+
+
+def main():
+ incident = demisto.incidents()[0] # type: ignore
+ isMirrorEnable = incident.get("dbotMirrorDirection")
+ alert_short_id = demisto.args().get("short_id")
+ new_status = demisto.args().get("status")
+ comment = demisto.args().get("comment")
+
+ if new_status in ["Ongoing", "Acknowledged"]:
+ if comment:
+ user = execute_command("getUsers", {"current": "true"})[0]["name"] # type: ignore
+ execute_command(
+ "sekoia-xdr-post-comment-alert",
+ {"id": alert_short_id, "comment": comment, "author": user},
+ )
+ if isMirrorEnable in ["Out", "Both"]:
+ execute_command("setIncident", {"sekoiaalertstatus": new_status})
+ elif isMirrorEnable == "In":
+ execute_command(
+ "sekoia-xdr-update-status-alert",
+ {"id": alert_short_id, "status": new_status},
+ )
+ else:
+ execute_command(
+ "sekoia-xdr-update-status-alert",
+ {"id": alert_short_id, "status": new_status},
+ )
+ execute_command("setIncident", {"sekoiaalertstatus": new_status})
+ readable_output = f"### Status of the alert changed to:\n {new_status}"
+ demisto.results(
+ {
+ "ContentsFormat": formats["markdown"],
+ "Type": entryTypes["note"],
+ "Contents": readable_output,
+ }
+ )
+ else:
+ raise Exception(
+ "Sorry, the alert was not possible to be changed to that status.\n \
+ If you want to reject or close the Sekoia Alert please do it \
+ by closing the XSOAR incident with the XSOAR close incident button."
+ )
+
+
+if __name__ in ["__main__", "builtin", "builtins"]:
+ main()
diff --git a/Packs/SekoiaXDR/Scripts/SekoiaXDRChangeStatus/SekoiaXDRChangeStatus.yml b/Packs/SekoiaXDR/Scripts/SekoiaXDRChangeStatus/SekoiaXDRChangeStatus.yml
new file mode 100644
index 000000000000..d9bb19207f09
--- /dev/null
+++ b/Packs/SekoiaXDR/Scripts/SekoiaXDRChangeStatus/SekoiaXDRChangeStatus.yml
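Review bot: The `else` branch at the bottom of main() raises a bare `Exception` whose backslash-continued literal carries the continuation lines' leading indentation into the message the analyst sees; the sibling scripts report failures with `return_error`, so `return_error("Sorry, the alert was not possible to be changed to that status.\n" "If you want to reject or close the Sekoia Alert please do it " "by closing the XSOAR incident with the XSOAR close incident button.")` (adjacent literals, one per line) gives a clean message and a consistent style. `demisto.incidents()[0]` at the top is the older form of `demisto.incident()`, which SekoiaXDRPrintAssets and the other new scripts use; unifying on one avoids two code paths for the same lookup. The `[0]["name"]` indexing on the `getUsers` result has no guard against an empty list, the same point as in add_comment.py.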
@@ -0,0 +1,32 @@
+commonfields:
+ id: b4e28711-18ee-4ae4-8ccb-1c5f647b55f1
+ version: 4
+vcShouldKeepItemLegacyProdMachine: false
+name: script-SekoiaXDRChangeStatus
+script: ''
+type: python
+tags:
+- incident-action-button
+comment: This script changes the status of the Sekoia alert.
+enabled: true
+args:
+- name: short_id
+ required: true
+ description: The short ID of the alert.
+- name: status
+ required: true
+ auto: PREDEFINED
+ predefined:
+ - Ongoing
+ - Acknowledged
+ description: Status to change on the Sekoia alert.
+- name: comment
+ description: The comment to add to the alert on the status change.
+scripttarget: 0
+subtype: python3
+pswd: ''
+runonce: false
+dockerimage: demisto/python3:3.10.9.46032
+runas: DBotWeakRole
+engineinfo: {}
+mainengineinfo: {}
diff --git a/Packs/SekoiaXDR/Scripts/SekoiaXDRCloseAlert/README.md b/Packs/SekoiaXDR/Scripts/SekoiaXDRCloseAlert/README.md
new file mode 100644
index 000000000000..e69de29bb2d1
diff --git a/Packs/SekoiaXDR/Scripts/SekoiaXDRCloseAlert/SekoiaXDRCloseAlert.py b/Packs/SekoiaXDR/Scripts/SekoiaXDRCloseAlert/SekoiaXDRCloseAlert.py
new file mode 100644
index 000000000000..653b7025b46a
--- /dev/null
+++ b/Packs/SekoiaXDR/Scripts/SekoiaXDRCloseAlert/SekoiaXDRCloseAlert.py
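Review bot: `dockerimage: demisto/python3:3.10.9.46032` pins an older image than the `demisto/python3:3.10.14.97374` used by the five other script YAMLs in this commit; pinning all six to the same image keeps the pack on one tested runtime and makes the next image bump a single change. If the older pin is deliberate, a one-line comment above it saying why would save the next reviewer the question.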
@@ -0,0 +1,44 @@
+import demistomock as demisto # noqa: F401
+from CommonServerPython import * # noqa: F401
+
+incident = demisto.incidents()[0] # type: ignore
+isMirrorEnable = incident.get("dbotMirrorDirection")
+alert_short_id = incident.get("CustomFields", {}).get("alertid")
+reject = demisto.getArg("sekoiaalertreject")
+close_reason = demisto.getArg("closeReason")
+close_notes = demisto.getArg("closeNotes")
+owner = demisto.getArg("owner")
+username = demisto.getArg("closingUserId")
+
+# Check if the owner is set when closing the incident otherwise raise an error.
+if not owner or owner == "Assign owner" or not incident.get("owner"):
+ raise Exception(
+ "**** Please select a owner, the incident can't be closed without an owner. ****"
+ )
+
+# Check if the Sekoia Alert is closed and if not then make a comment and close it
+get_alert = execute_command("sekoia-xdr-get-alert", {"id": alert_short_id})
+alert_status = get_alert["status"]["name"] # type: ignore
+if alert_status not in ["Closed", "Rejected"]:
+ # Check if the mirror Out or Both is enabled in which case the sekoiaalertstatus
+ # field will be changed and in the period of 1 minute the mirror out will send the changes to Sekoia XDR.
+ if isMirrorEnable in ["Out", "Both"]:
+ # IF reject is False then close the sekoia alert and if reject is True then reject the sekoia alert.
+ if reject == "false":
+ execute_command("setIncident", {"sekoiaalertstatus": "Closed"})
+ if reject == "true":
+ execute_command("setIncident", {"sekoiaalertstatus": "Rejected"})
+
+ # Send the close reason and notes as a comment to the Sekoia XDR alert using the name of the person who closed the incident.
+ user = execute_command("getUserByUsername", {"username": username})
+ comment = execute_command(
+ "sekoia-xdr-post-comment-alert",
+ {
+ "id": alert_short_id,
+ "comment": f"{close_reason}-{close_notes}",
+ "author": user["name"], # type: ignore
+ },
+ )
+else:
+ # If the alert is already closed or rejected then raise an error.
+ raise Exception("**** The alert is already closed or rejected. ****")
diff --git a/Packs/SekoiaXDR/Scripts/SekoiaXDRCloseAlert/SekoiaXDRCloseAlert.yml b/Packs/SekoiaXDR/Scripts/SekoiaXDRCloseAlert/SekoiaXDRCloseAlert.yml
new file mode 100644
index 000000000000..0979f8ee9ffa
--- /dev/null
+++ b/Packs/SekoiaXDR/Scripts/SekoiaXDRCloseAlert/SekoiaXDRCloseAlert.yml
@@ -0,0 +1,19 @@
+commonfields:
+ id: 0fa7a002-c00c-45c8-80ab-a7ebcfaa11f7
+ version: 10
+vcShouldKeepItemLegacyProdMachine: false
+name: postScript-CloseSekoiaAlert
+script: ''
+type: python
+tags:
+- post-processing
+comment: Post-processing script to close Sekoia Alert after the XSOAR incident is closed.
+enabled: true
+scripttarget: 0
+subtype: python3
+pswd: ''
+runonce: false
+dockerimage: demisto/python3:3.10.14.97374
+runas: DBotWeakRole
+engineinfo: {}
+mainengineinfo: {}
diff --git a/Packs/SekoiaXDR/Scripts/SekoiaXDRPrintAssets/README.md b/Packs/SekoiaXDR/Scripts/SekoiaXDRPrintAssets/README.md
new file mode 100644
index 000000000000..e69de29bb2d1
diff --git a/Packs/SekoiaXDR/Scripts/SekoiaXDRPrintAssets/SekoiaXDRPrintAssets.py b/Packs/SekoiaXDR/Scripts/SekoiaXDRPrintAssets/SekoiaXDRPrintAssets.py
new file mode 100644
index 000000000000..57bf9f257ba0
--- /dev/null
+++ b/Packs/SekoiaXDR/Scripts/SekoiaXDRPrintAssets/SekoiaXDRPrintAssets.py
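Review bot: When mirroring is not "Out" or "Both" (mirror "In", or no mirroring at all) the alert status is never changed in Sekoia XDR — only the comment is posted — even though the YAML describes this as the post-processing script that closes the alert; SekoiaXDRChangeStatus handles that case by calling `sekoia-xdr-update-status-alert` directly, and the same fallback belongs here. The `reject` field is also compared to the literal strings `"false"` and `"true"`, so a boolean or differently cased value matches neither `if` and the status is silently left unchanged; normalising it once removes that gap. The whole file runs at module level with no `main()`, unlike the other five scripts in the commit, which makes it harder to unit-test. The rewrite below covers the status-update part; the owner check, the alert lookup and the comment post are unchanged.

```python
# … unchanged: imports, argument reads, owner check, sekoia-xdr-get-alert lookup …
if alert_status not in ["Closed", "Rejected"]:
    # Normalise the field value once so a bool or "True" no longer falls through both branches.
    target_status = "Rejected" if str(reject).lower() == "true" else "Closed"
    if isMirrorEnable in ["Out", "Both"]:
        # Mirror-out pushes the field change to Sekoia XDR.
        execute_command("setIncident", {"sekoiaalertstatus": target_status})
    else:
        # No mirror-out: update the alert directly, as SekoiaXDRChangeStatus does.
        execute_command(
            "sekoia-xdr-update-status-alert",
            {"id": alert_short_id, "status": target_status},
        )
    # … unchanged: getUserByUsername and sekoia-xdr-post-comment-alert …
# … unchanged: else branch raising on an already closed or rejected alert …
```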
@@ -0,0 +1,41 @@
+import demistomock as demisto # noqa: F401
+from CommonServerPython import * # noqa: F401
+
+
+def main():
+ incident = demisto.incident()
+ alert_uuid = incident.get("CustomFields", {}).get("alertuuid")
+ readable_output = (
+ "### {{color:green}}(There is no case information related to this alert.)"
+ )
+
+ try:
+ alert_infos = execute_command("sekoia-xdr-get-alert", {"id": alert_uuid})
+ except Exception as e:
+ return_error(f"Failed to get alert information: {str(e)}")
+
+ assets_infos = []
+ assets_ids = alert_infos.get("assets") # type: ignore
+ if assets_ids:
+ for asset in assets_ids:
+ asset_infos = execute_command("sekoia-xdr-get-asset", {"asset_uuid": asset})
+ asset_dict = {
+ "name": asset_infos["name"], # type: ignore
+ "description": asset_infos["description"], # type: ignore
+ }
+ assets_infos.append(asset_dict)
+
+ headers = ["name", "description"]
+ readable_output = tableToMarkdown(
+ "Impacted assets:", assets_infos, headers=headers
+ )
+
+ command_results = CommandResults(readable_output=readable_output)
+
+ return_results(command_results)
+
+
+""" ENTRY POINT """
+
+if __name__ in ("__main__", "__builtin__", "builtins"):
+ main()
diff --git a/Packs/SekoiaXDR/Scripts/SekoiaXDRPrintAssets/SekoiaXDRPrintAssets.yml b/Packs/SekoiaXDR/Scripts/SekoiaXDRPrintAssets/SekoiaXDRPrintAssets.yml
new file mode 100644
index 000000000000..e84e52d02c40
--- /dev/null
+++ b/Packs/SekoiaXDR/Scripts/SekoiaXDRPrintAssets/SekoiaXDRPrintAssets.yml
@@ -0,0 +1,19 @@
+commonfields:
+ id: 13fe424a-a6dd-4b0a-8c60-7701d82a0ebc
+ version: 22
+vcShouldKeepItemLegacyProdMachine: false
+name: SekoiaXDRPrintAssets
+script: ''
+type: python
+tags:
+- dynamic-section
+comment: Print all assets by incident
+enabled: true
+scripttarget: 0
+subtype: python3
+pswd: ''
+runonce: false
+dockerimage: demisto/python3:3.10.14.97374
+runas: DBotWeakRole
+engineinfo: {}
+mainengineinfo: {}
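Review bot: The fallback `readable_output` set just after `alert_uuid` says "There is no case information related to this alert.", the text from SekoiaXDRPrintCase, but this script renders assets; change it to `"### {{color:green}}(There are no assets related to this alert.)"` so the assets section never talks about cases. Inside the loop, `asset_infos["name"]` and `asset_infos["description"]` are hard indexes, so an asset record that lacks a description aborts the whole section with a KeyError instead of leaving one cell blank; `asset_infos.get("description", "")` keeps the table rendering. A short docstring on main() stating that it reads `alertuuid` from the incident's custom fields and prints one row per asset would also help the next maintainer, since the three print scripts differ only in which field and command they use.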
diff --git a/Packs/SekoiaXDR/Scripts/SekoiaXDRPrintCase/README.md b/Packs/SekoiaXDR/Scripts/SekoiaXDRPrintCase/README.md
new file mode 100644
index 000000000000..e69de29bb2d1
diff --git a/Packs/SekoiaXDR/Scripts/SekoiaXDRPrintCase/SekoiaXDRPrintCase.py b/Packs/SekoiaXDR/Scripts/SekoiaXDRPrintCase/SekoiaXDRPrintCase.py
new file mode 100644
index 000000000000..8de716c82d64
--- /dev/null
+++ b/Packs/SekoiaXDR/Scripts/SekoiaXDRPrintCase/SekoiaXDRPrintCase.py
@@ -0,0 +1,37 @@
+import demistomock as demisto # noqa: F401
+from CommonServerPython import * # noqa: F401
+
+
+def main():
+ incident = demisto.incident()
+ alert_uuid = incident.get("CustomFields", {}).get("alertuuid")
+ readable_output = (
+ "### {{color:green}}(There is no case information related to this alert.)"
+ )
+
+ try:
+ cases = execute_command("sekoia-xdr-get-cases-alert", {"alert_id": alert_uuid})
+ except Exception as e:
+ return_error(f"Failed to get case information: {str(e)}")
+
+ if cases:
+ for case in cases:
+ case_title = case["title"] # type: ignore
+ case_description = case["description"] # type: ignore
+ case_id = case["short_id"] # type: ignore
+ case_status = case["status"] # type: ignore
+ case_priority = case["priority"] # type: ignore
+ alerts = [alert["short_id"] for alert in case["alerts"]] # type: ignore
+
+ readable_output = f"### Case {case_id}:\n|Case title:|Case description:|Case status:\
+ |Case priority:|Related Alerts:|\n|---|---|---|---|---|\n| \
+ {case_title} | {case_description} | {case_status.capitalize()} | {case_priority.capitalize()} | {', '.join(alerts)}"
+
+ command_results = CommandResults(readable_output=readable_output)
+ return_results(command_results)
+
+
+""" ENTRY POINT """
+
+if __name__ in ("__main__", "__builtin__", "builtins"):
+ main()
diff --git a/Packs/SekoiaXDR/Scripts/SekoiaXDRPrintCase/SekoiaXDRPrintCase.yml b/Packs/SekoiaXDR/Scripts/SekoiaXDRPrintCase/SekoiaXDRPrintCase.yml
new file mode 100644
index 000000000000..1db847ed5c34
--- /dev/null
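Review bot: `readable_output` is reassigned on every iteration of `for case in cases`, so when an alert belongs to more than one case only the last case is rendered and the earlier ones are silently dropped. The hand-built row also inlines `case_title` and `case_description` straight into a `|`-delimited markdown table, so a title containing `|` or a newline breaks the layout; SekoiaXDRPrintAssets and SekoiaXDRPrintComments instead collect one row dict per item and hand the list to `tableToMarkdown`, which gives one row per case for free. The rewrite below follows that pattern; the incident lookup, the default text and the command call are unchanged.

```python
    # … unchanged: incident lookup, default readable_output, sekoia-xdr-get-cases-alert call …
    if cases:
        rows = []
        for case in cases:  # type: ignore
            rows.append(
                {
                    "Case ID": case["short_id"],
                    "Case title": case["title"],
                    "Case description": case["description"],
                    "Case status": case["status"].capitalize(),
                    "Case priority": case["priority"].capitalize(),
                    "Related Alerts": ", ".join(alert["short_id"] for alert in case["alerts"]),
                }
            )
        headers = ["Case ID", "Case title", "Case description", "Case status", "Case priority", "Related Alerts"]
        readable_output = tableToMarkdown("Cases:", rows, headers=headers)
    # … unchanged: CommandResults / return_results …
```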
+++ b/Packs/SekoiaXDR/Scripts/SekoiaXDRPrintCase/SekoiaXDRPrintCase.yml
@@ -0,0 +1,19 @@
+commonfields:
+ id: 37b383c0-16a2-4962-8f46-7245f8e187a0
+ version: 16
+vcShouldKeepItemLegacyProdMachine: false
+name: script-SekoiaXDRPrintCase
+script: ''
+type: python
+tags:
+- dynamic-section
+comment: Prints case details from the Sekoia alert.
+enabled: true
+scripttarget: 0
+subtype: python3
+pswd: ''
+runonce: false
+dockerimage: demisto/python3:3.10.14.97374
+runas: DBotWeakRole
+engineinfo: {}
+mainengineinfo: {}
diff --git a/Packs/SekoiaXDR/Scripts/SekoiaXDRPrintComments/README.md b/Packs/SekoiaXDR/Scripts/SekoiaXDRPrintComments/README.md
new file mode 100644
index 000000000000..e69de29bb2d1
diff --git a/Packs/SekoiaXDR/Scripts/SekoiaXDRPrintComments/SekoiaXDRPrintComments.py b/Packs/SekoiaXDR/Scripts/SekoiaXDRPrintComments/SekoiaXDRPrintComments.py
new file mode 100644
index 000000000000..fefe87396569
--- /dev/null
+++ b/Packs/SekoiaXDR/Scripts/SekoiaXDRPrintComments/SekoiaXDRPrintComments.py
@@ -0,0 +1,40 @@
+import demistomock as demisto # noqa: F401
+from CommonServerPython import * # noqa: F401
+
+
+def main():
+
+ incident = demisto.incident()
+ alert_short_id = incident.get("CustomFields", {}).get("alertid")
+ readable_output = (
+ "### Comments:\n ### {{color:green}}(There is no comments in this alert.)"
+ )
+
+ try:
+ comments = execute_command("sekoia-xdr-get-comments", {"id": alert_short_id})
+ except Exception as e:
+ return_error(f"Failed to get comments: {str(e)}")
+
+ if len(comments) > 0: # type: ignore
+ readable_comment = []
+ for comment in comments: # type: ignore
+ new_item = {
+ "date": comment["date"], # type: ignore
+ "comment": comment["content"], # type: ignore
+ "user": comment["user"], # type: ignore
+ }
+ readable_comment.append(new_item)
+
+ headers = ["date", "comment", "user"]
+ readable_output = tableToMarkdown(
+ "Comments:", readable_comment, headers=headers
+ )
+
+ command_results = CommandResults(readable_output=readable_output)
+ return_results(command_results)
+
+
+""" ENTRY POINT """
+
+if __name__ in ("__main__", "__builtin__", "builtins"):
+ main()
diff --git a/Packs/SekoiaXDR/Scripts/SekoiaXDRPrintComments/SekoiaXDRPrintComments.yml b/Packs/SekoiaXDR/Scripts/SekoiaXDRPrintComments/SekoiaXDRPrintComments.yml
new file mode 100644
index 000000000000..756fdf2af918
--- /dev/null
+++ b/Packs/SekoiaXDR/Scripts/SekoiaXDRPrintComments/SekoiaXDRPrintComments.yml
@@ -0,0 +1,19 @@
+commonfields:
+ id: 146130dc-9f3a-41e9-8a81-fbea9b933d0c
+ version: 12
+vcShouldKeepItemLegacyProdMachine: false
+name: script-SekoiaXDRPrintComments
+script: ''
+type: python
+tags:
+- dynamic-section
+comment: Prints the comments fetched from the Sekoia alert in a table format.
+enabled: true
+scripttarget: 0
+subtype: python3
+pswd: ''
+runonce: false
+dockerimage: demisto/python3:3.10.14.97374
+runas: DBotWeakRole
+engineinfo: {}
+mainengineinfo: {}
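Review bot: `if len(comments) > 0:` raises TypeError if `sekoia-xdr-get-comments` returns None (the `# type: ignore` on that line suggests the type checker already objected); `if comments:` handles None and the empty list alike and is the form SekoiaXDRPrintCase uses for the same check. The fallback text "There is no comments in this alert." should read `"### Comments:\n ### {{color:green}}(There are no comments in this alert.)"`. Each `comment[...]` lookup inside the loop is a hard index, so a comment record without a `user` key fails the whole section instead of leaving one cell blank; for display code, `comment.get("user", "")` is the safer choice.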