args:
- default: true
description: Analyzer profile ID. The profile ID number can be found on the Policy/Analyzer
Profile page of the ATD UI, or by running the atd-list-analyzer-profiles command and reading
the vmProfileid key of its result.
name: vmProfileList
- auto: PREDEFINED
description: This parameter accepts four values — '0', '1', '2' and '3'. • 0 — Regular
file upload • 1 — URL submission — URL link is processed inside analyzer VM •
2 — Submit file with URL • 3 — URL Download — File from URL is firstly downloaded
and then analyzed
name: submitType
predefined:
- "0"
- "1"
- "2"
- "3"
required: true
- description: Any valid web URL.
name: url
- description: Maximum 128-character string.
name: messageId
- description: 'IPv4 address of the source system or gateway from which the file
is downloaded.'
name: srcIp
- description: 'IPv4 address of the target endpoint.'
name: dstIp
- auto: PREDEFINED
description: Value '0' returns the real taskId in the API response. Value '1' returns
-1 as the taskId. Note that this automation treats a taskId of -1 as an unsupported
file type and stops, so it cannot poll for results when '1' is used.
name: skipTaskId
predefined:
- "0"
- "1"
- auto: PREDEFINED
description: Value '0' skips the analysis if the sample was analyzed previously. Value
'1' analyzes the sample again even if it was analyzed previously.
name: analyzeAgain
predefined:
- "0"
- "1"
- auto: PREDEFINED
description: Value '0' indicates no user interaction is needed during sample analysis.
Value '1' indicates user interaction is needed during sample analysis.
name: xMode
predefined:
- "0"
- "1"
- auto: PREDEFINED
description: 'Priority of the sample analysis. run_now assigns the highest priority
(the sample is analyzed right away); add_to_q puts the sample in a waiting state if
there is a queue of waiting samples. The default is run_now.'
name: filePriorityQ
predefined:
- run_now
- add_to_q
- description: Entry ID of the file to upload for analysis.
name: entryID
- auto: PREDEFINED
defaultValue: json
description: 'reportType can be one of the following types: • html — HTML report • txt
— Text report • xml — XML report • zip — All files packaged in a single zip file
• json — Same as xml but in JSON format; this is the only type for which the File and
DBotScore context outputs are populated • ioc — Indicators of Compromise format
• stix — Structured Threat Information eXpression. STIX generation is disabled by
default; use set stixreportstatus enable to enable it • pdf — Portable Document
Format • sample — Downloads the submitted sample itself from McAfee Advanced Threat
Defense; treat the result as live malware and handle it accordingly'
name: reportType
predefined:
- html
- txt
- xml
- zip
- json
- ioc
- stix
- pdf
- sample
required: true
- description: Total time in seconds to wait for the analysis to finish before giving up. Must be a positive integer. Default is 960 seconds (16 minutes).
name: timeout
- description: Interval in seconds between status polls. Must be a positive integer. Default is 10 seconds.
name: interval
comment: Detonate File or URL through McAfee ATD
commonfields:
id: ATDDetonate
version: -1
dependson:
must:
- atd-file-upload
- atd-check-status
- atd-get-report
name: ATDDetonate
outputs:
- contextPath: File.Name
description: Filename (only in case of report type=json)
- contextPath: File.Type
description: File type e.g. "PE" (only in case of report type=json)
- contextPath: File.Size
description: File size (only in case of report type=json)
- contextPath: File.MD5
description: MD5 hash of the file (only in case of report type=json)
- contextPath: File.SHA1
description: SHA1 hash of the file (only in case of report type=json)
- contextPath: File.SHA256
description: SHA256 hash of the file (only in case of report type=json)
- contextPath: File.Malicious.Vendor
description: For malicious files, the vendor that made the decision
- contextPath: File.Malicious.Description
description: For malicious files, the reason for the vendor to make the decision
- contextPath: DBotScore.Indicator
description: The indicator we tested (only in case of report type=json)
- contextPath: DBotScore.Type
description: The type of the indicator (only in case of report type=json)
- contextPath: DBotScore.Vendor
description: Vendor used to calculate the score (only in case of report type=json)
- contextPath: DBotScore.Score
description: The actual score (only in case of report type=json)
runonce: false
script: |-
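import json
from time import sleep

# ATDDetonate: submit a file or URL to McAfee ATD, poll until the analysis task
# reaches a terminal istate, then return the requested report.
#
# Arguments read here: timeout and interval (both seconds) and reportType; the
# whole argument dict is forwarded unchanged to atd-file-upload. Results are
# emitted with demisto.results(); on any failure a single error entry is
# emitted and the script stops.
#
# NOTE(review): `demisto`, `isError`, `entryTypes`, `formats` and `sys` are not
# imported here — the original relied on them being injected by the platform's
# common server code. Confirm `sys` is in scope before relying on sys.exit().

DEFAULT_TIMEOUT = 960   # seconds; the `timeout` arg description and the YAML timeout field should agree with this
DEFAULT_INTERVAL = 10   # seconds between atd-check-status calls
DONE_STATES = (1, 2)    # istate values the original treated as terminal (what 1 vs 2 mean is not visible here)


def _stop_with_error(message):
    """Emit one error entry in the same shape the original used, then stop."""
    demisto.results({"Type": entryTypes["error"], "ContentsFormat": formats["text"], "Contents": message})
    sys.exit(0)


def _positive_int_arg(args, name, default):
    """Return args[name] as a positive int, or `default` when absent or empty.

    A non-numeric value used to crash with ValueError, and a zero or negative
    interval would leave `elapsed` unchanged so the poll loop never ends; both
    are rejected with a readable error instead of a traceback or a hang.
    """
    raw = args.get(name)
    if raw is None or raw == "":
        return default
    try:
        value = int(raw)
    except (TypeError, ValueError):
        _stop_with_error("Argument '{0}' must be an integer number of seconds, got {1!r}".format(name, raw))
    if value <= 0:
        _stop_with_error("Argument '{0}' must be greater than zero, got {1}".format(name, value))
    return value


def _first_entry_or_stop(entries, command):
    """Return the first entry of a command result.

    Stops the script when the command returned nothing (indexing an empty
    list would raise IndexError) or when the first entry is an error entry,
    which is forwarded as-is exactly like the original did.
    """
    if not entries:
        _stop_with_error("{0} returned no entries".format(command))
    if isError(entries[0]):
        demisto.results(entries)
        sys.exit(0)
    return entries[0]


args = demisto.args()
timeout = _positive_int_arg(args, 'timeout', DEFAULT_TIMEOUT)
interval = _positive_int_arg(args, 'interval', DEFAULT_INTERVAL)

# --- Upload the file/URL and extract the task ID ---
upload_entry = _first_entry_or_stop(demisto.executeCommand('atd-file-upload', args), 'atd-file-upload')
upload_res = demisto.get(upload_entry, 'Contents.results')
if not upload_res or not isinstance(upload_res, list):
    _stop_with_error("Couldn't extract TaskID from upload")
taskID = demisto.get(upload_res[0], 'taskId')
if taskID is None:
    _stop_with_error("Couldn't extract TaskID from upload")
# ATD returns -1 as the task ID when it will not analyze the sample (see the
# skipTaskId argument); compare as a string so both "-1" and -1 are caught.
if str(taskID) == "-1":
    _stop_with_error("File type not supported")

# --- Poll atd-check-status until the task is done or `timeout` elapses ---
status = None
istate = None
elapsed = 0
atdDone = False
while elapsed < timeout and not atdDone:
    status_entry = _first_entry_or_stop(demisto.executeCommand('atd-check-status', {'taskId': taskID}), 'atd-check-status')
    status = demisto.get(status_entry, 'Contents.results.status')
    istate = demisto.get(status_entry, 'Contents.results.istate')
    # A missing or non-numeric istate used to raise TypeError/ValueError here;
    # treat it as "not finished yet" and keep polling until the timeout.
    try:
        atdDone = int(istate) in DONE_STATES
    except (TypeError, ValueError):
        atdDone = False
    if not atdDone:
        elapsed += interval
        sleep(interval)

# --- Fetch the report ---
# The original's trailing "Failed to detonate source" branch is dropped: reaching
# this point with atdDone set already implies istate was in DONE_STATES.
if not atdDone:
    _stop_with_error('Could not retrieve results from ATD (may be due to timeout). last status = {0}'.format(status))
reportType = args.get('reportType') or 'json'
# reportType 'sample' makes atd-get-report return the submitted sample itself
# (per the argument description) — callers should treat that entry as live malware.
demisto.results(demisto.executeCommand('atd-get-report', {'taskId': taskID, 'type': reportType}))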
scripttarget: 0
system: true
tags:
- file
- enhancement
- atd
timeout: 960ns
type: python