commonfields:
  id: 185a55a0-116e-48a6-8592-48455467c175
  version: -1
# NOTE(review): bare image name with no tag. XSOAR docker images are normally
# referenced with an explicit versioned tag so the runtime cannot change
# underneath the script - confirm what the server resolves "jinja" to.
dockerimage: jinja
enabled: true
name: BuildWebAppID
pswd: ""
# Restricted DBot role rather than full admin (least privilege); presumably
# sufficient for the getIncidents call and the context writes the script does.
runas: DBotWeakRole
runonce: false
# Python 3 source. It renders App-ID XML into context; nothing is pushed to a
# firewall from this script itself.
script: |-
import jinja2
from jinja2 import Template
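def main():
    """Build a PAN-OS custom App-ID ``<application>`` fragment for one incident.

    Reads two custom fields from the incident - ``urlappidname`` (the custom
    application name) and ``website`` (the hostname to match) - fills the
    Jinja template from ``get_template()`` with a fixed networking /
    encrypted-tunnel / browser-based, risk-4 application carrying an SSL
    client-hello and an HTTP host-header signature, and stores the result in
    context:

    * ``appidxml``   - the rendered XML fragment
    * ``appidxpath`` - the vsys1 xpath the fragment is meant to be set under

    Args (via ``demisto.args()``):
        incident_id: incident to read; defaults to the current incident.

    Raises:
        ValueError: if ``getIncidents`` returns no data or either field is
            empty (the original raised AttributeError from ``None.replace``).
    """
    args = demisto.args()
    # Resolve the fallback lazily: the original evaluated demisto.incidents()[0]
    # even when incident_id was supplied, which IndexErrors when the script is
    # run outside an incident context.
    inc_id = args.get('incident_id') or demisto.incidents()[0]['id']

    res = demisto.executeCommand("getIncidents", {'id': inc_id})
    contents = res[0].get('Contents') if res else None
    # A failed getIncidents carries its error message as a string in Contents,
    # so check the shape before indexing into it.
    if not isinstance(contents, dict) or not contents.get('data'):
        raise ValueError('getIncidents returned no data for incident {}: {}'.format(inc_id, contents))
    custom_fields = contents['data'][0].get('CustomFields') or {}

    # Both values originate from incident fields, i.e. from whatever created
    # the incident (feed, mail, API caller): treat them as untrusted input.
    app_name = demisto.get(custom_fields, 'urlappidname')
    app_sig = demisto.get(custom_fields, 'website')
    if not app_name or not app_sig:
        raise ValueError('incident fields urlappidname and website must both be set')

    # Literal-dot pattern for the PAN-OS signature. Raw string on purpose:
    # "\." is an invalid escape sequence in Python 3 (SyntaxWarning today,
    # slated to become an error).
    # NOTE(review): only '.' is escaped; any other regex metacharacter in the
    # website field reaches the firewall unescaped - tighten this if that field
    # can hold more than a bare hostname.
    host_pattern = app_sig.replace(".", r"\.")

    signatures = [
        {'signature_name': 'ssl', 'selected_string': host_pattern,
         'context': 'ssl-req-client-hello', 'scope': 'session'},
        {'signature_name': 'http', 'selected_string': host_pattern,
         'context': 'http-req-host-header', 'scope': 'session'},
    ]
    app = {
        'custom_app_name': app_name,
        'category': 'networking',
        'sub_category': 'encrypted-tunnel',
        'technology': 'browser-based',
        'risk': '4',
        'protocols': [{'protocol_selected': 'tcp', 'port_number': 'dynamic'}],
        'signatures': signatures,
        # Characteristic flags rendered as <flag>yes</flag> elements.
        'flags': ['used-by-malware', 'able-to-transfer-file',
                  'has-known-vulnerability', 'tunnel-other-application'],
    }

    # autoescape=True is the XML-injection guard: the template interpolates
    # app_name into an attribute and the pattern into element text without any
    # escaping filter, so a field value containing '"' or '<' could otherwise
    # smuggle arbitrary elements into the fragment that appidxml is presumably
    # later set on the firewall. Jinja escapes only & < > " ' - the backslashes
    # in host_pattern survive untouched.
    app_xml = Template(get_template(), autoescape=True).render(apps=[app])

    # Hard-coded for vsys1 on a single firewall; adjust for multi-vsys targets.
    app_xpath = "/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']"
    demisto.setContext('appidxml', app_xml)
    demisto.setContext('appidxpath', app_xpath)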
# Jinja2 source for the App-ID XML; kept as a constant so main() only has to
# supply the data.
def get_template():
    """Return the Jinja2 source for one or more PAN-OS ``<application>`` entries.

    Rendered with ``apps=[...]``; each app must carry ``custom_app_name``,
    ``protocols``, ``signatures``, ``sub_category``, ``category``,
    ``technology``, ``risk`` and ``flags``. ``description``, the timeout
    elements and ``parent_app`` are emitted only when the key is defined, and
    a signature contributes a ``<pattern>`` for ``selected_string`` and/or a
    ``\\x..\\x`` hex pattern for ``selected_hex_string``.

    The template applies no escaping filter to any interpolated value, so the
    caller must render it with ``autoescape=True`` (or pre-escape the values)
    whenever an app name or pattern comes from untrusted input.
    """
    template = '''
{%- for app in apps %}
<application>
<entry name="{{ app.custom_app_name }}">
<default>
<port>
{%- for protocol in app.protocols %}
<member>{{ protocol.protocol_selected }}/{{ protocol.port_number }}</member>
{%- endfor %}
</port>
</default>
<signature>
{%- for signature in app.signatures %}
<entry name="{{ signature.signature_name }}">
<and-condition>
<entry name="And Condition 1">
<or-condition>
<entry name="Or Condition 1">
<operator>
<pattern-match>
{%- if signature.selected_string is defined %}
<pattern>{{ signature.selected_string }}</pattern>
{%- endif %}
{%- if signature.selected_hex_string is defined %}
<pattern>\\x{{ signature.selected_hex_string }}\\x</pattern>
{%- endif %}
<context>{{ signature.context }}</context>
</pattern-match>
</operator>
</entry>
</or-condition>
</entry>
</and-condition>
<scope>{{ signature.scope }}</scope>
<order-free>no</order-free>
</entry>
{%- endfor %}
</signature>
<subcategory>{{ app.sub_category }}</subcategory>
<category>{{ app.category }}</category>
<technology>{{ app.technology }}</technology>
<risk>{{ app.risk }}</risk>
{%- if app.description is defined %}
<description>{{ app.description }}</description>
{%- endif %}
{%- if app.timeout is defined %}
<timeout>{{ app.timeout }}</timeout>
{%- endif %}
{%- if app.tcp_timeout is defined %}
<tcp-timeout>{{ app.tcp_timeout }}</tcp-timeout>
{%- endif %}
{%- if app.udp_timeout is defined %}
<udp-timeout>{{ app.udp_timeout }}</udp-timeout>
{%- endif %}
{%- if app.tcp_half_closed_timeout is defined %}
<tcp-half-closed-timeout>{{ app.tcp_half_closed_timeout }}</tcp-half-closed-timeout>
{%- endif %}
{%- if app.tcp_time_wait_timeout is defined %}
<tcp-time-wait-timeout>{{ app.tcp_time_wait_timeout }}</tcp-time-wait-timeout>
{%- endif %}
{%- if app.parent_app is defined %}
<parent-app>{{ app.parent_app }}</parent-app>
{%- endif %}
{%- for flag in app.flags %}
<{{ flag }}>yes</{{ flag }}>
{%- endfor %}
</entry>
</application>
{%- endfor %}
'''
    return(template)
main()
scripttarget: 0
# Python 3 interpreter: string escape sequences in the script body above must
# be valid under it.
subtype: python3
tags: []
type: python