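# Automation definition (the commonfields/dependson/script layout and the executeCommand,
# formats.json helpers are those of a Demisto / Cortex XSOAR content script).
# Collects an OSXCollector report from an endpoint and checks the hashes and URLs it
# contains against the 'file' and 'url' reputation commands.
args:
  # `default: true` marks this as the argument filled when the automation is invoked with
  # a single unnamed value.
  - default: true
    description: Ask OSXCollector for a specific section
    name: section
  - description: Timeout to be passed to OSXCollector script
    name: timeout
  # Parsed as an integer by the script; a non-numeric value falls back to 10.
  - description: Maximum amount of files/urls to verify
    name: maxchecks
  - description: OSX System to be used
    name: system
# NOTE(review): the "maxchecks : for" line of this description is truncated in the
# source; the argument's meaning is given by its `description` entry above.
comment: "Get file and url reputation for osxcollector result.\n will use VirusTotal
  for Url checks, and IBM XForce for MD5 checks.\n maxchecks : for \n system : system
  name to run agent on.\n section : the type check that OSXCollector should run."
commonfields:
  id: AnalyzeOSX
  # -1 is the customary placeholder version for content definitions, not a negative version.
  version: -1
# The script invokes the 'file' and 'url' reputation commands; the automation is only
# usable when integrations providing them are enabled.
dependson:
  must:
    - file
    - url
name: AnalyzeOSX
runonce: false
script: |-
  // Run OSXCollector on the requested system/section, then look up reputation for the
  // MD5 hashes ('file' command) and http(s) URLs ('url' command) found in the results.
  // Returns the positive reputation entries, or a text verdict when nothing was flagged.
  // Note that hashes and URLs harvested from the endpoint are submitted to whatever
  // reputation integrations back 'file'/'url' (the description names VirusTotal and IBM XForce).
  var osx_report = executeCommand('Osxcollector', {section: args.section, system: args.system, timeout: args.timeout});
  var res = [];

  // Push the shortened form of every positive reputation entry in `rep` onto `res`.
  // `rep` is whatever executeCommand returned; anything that is not an array is ignored.
  function pushPositives(rep, isPositive, shorten) {
      if (!rep || !Array.isArray(rep)) {
          return;
      }
      for (var r = 0; r < rep.length; r++) {
          if (isPositive(rep[r])) {
              res.push(shorten(rep[r]));
          }
      }
  }

  // Script arguments arrive as strings; parse maxchecks explicitly so a non-numeric
  // value falls back to the default instead of silently disabling every check
  // (comparing `j < "abc"` is always false, so the original loop never ran).
  var maxchecks = parseInt(args.maxchecks, 10);
  if (isNaN(maxchecks)) {
      maxchecks = 10;
  }

  var totalResults = 0;    // result entries reported by OSXCollector across all JSON outputs
  var checkedResults = 0;  // result entries actually submitted for reputation lookup
  for (var i = 0; i < osx_report.length; i++) {
      // A failed collection must not be reported as a clean machine: surface the error entry.
      if (isError(osx_report[i])) {
          return osx_report[i];
      }
      if (osx_report[i].ContentsFormat != formats.json) {
          continue;
      }
      var content = osx_report[i].Contents;
      if (!content || !content.osxcollector_result) {
          continue;
      }
      var results = content.osxcollector_result;
      totalResults += results.length;
      // maxchecks caps the number of result entries per JSON output, not the number of
      // lookups: an entry carrying both an md5 and a url triggers two reputation queries.
      for (var j = 0; j < results.length && j < maxchecks; j++) {
          checkedResults++;
          var entry = results[j];
          if (entry.md5) {
              pushPositives(executeCommand('file', {file: entry.md5}), positiveFile, shortFile);
          }
          var u = entry.url;
          // Only values starting with "http" are sent out for reputation; other schemes are skipped.
          if (u && u.indexOf("http") === 0) {
              pushPositives(executeCommand('url', {url: u}), positiveUrl, shortUrl);
          }
      }
  }

  if (res.length > 0) {
      return res;
  }
  var verdict = 'No infected files or malicious urls detected on OSX machine: ' + args.system;
  if (checkedResults < totalResults) {
      // A clean verdict only covers the entries that were checked; say so rather than
      // implying the whole report was examined.
      verdict += ' (only ' + checkedResults + ' of ' + totalResults + ' OSXCollector result entries were checked; raise maxchecks to cover the rest)';
  }
  return verdict;
scripttarget: 0
system: true
tags:
  - osx
type: javascript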