args:
- default: true
  description: If provided, only War Room file entries whose file name is in this
    comma-separated list are checked; hashes found in the incident labels and details
    are always checked.
name: fileNames
- description: Maximum number of minutes to keep retrying (sleeping one minute between attempts) when VirusTotal reports its free-tier rate limit. Default 5 minutes.
name: maxwait
comment: Get the reputation of every hash found in the incident labels and details, and of every file attached as a War Room entry
commonfields:
id: BinaryReputationPy
version: -1
dependson:
must:
- file
deprecated: true
name: BinaryReputationPy
runonce: false
script: |-
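from time import sleep
import re

# Look for file hashes in the incident -- its labels, its details text and the
# files attached as War Room entries -- and ask every configured reputation
# source (the `file` command) about each one.
# NOTE: this automation is flagged `deprecated: true` in its metadata; keep
# changes here to fixes.
#
# The regex only ever matches a fixed-length run of hex digits (SHA-256, SHA-1
# or MD5), so attacker-controlled incident text can contribute nothing but a
# well-formed hash to the `file` lookup -- there is no way to smuggle other
# arguments through it. Longest alternative first, and \b on both sides, so a
# 64-hex SHA-256 is not also reported as an MD5 via its first 32 characters.
strHashRegex = r'\b(?:[a-fA-F\d]{64}|[a-fA-F\d]{40}|[a-fA-F\d]{32})\b'
hashRe = re.compile(strHashRegex, re.I)

DEFAULT_WAIT = 5  # minutes to keep retrying on the VirusTotal free-tier limit
VT_RATE_LIMIT_MARKER = '204 (No Content)'  # substring seen in the error entry when rate limited


def _parse_args(args):
    """Return (maxwait, fileNames) from the automation arguments.

    maxwait: integer minutes; DEFAULT_WAIT when absent or blank (a non-numeric
    value still raises ValueError, as before).
    fileNames: trimmed, non-empty names from the comma-separated argument; an
    empty list means "do not filter War Room files by name".
    """
    raw_wait = args.get('maxwait')
    maxwait = DEFAULT_WAIT if raw_wait in (None, '') else int(raw_wait)
    raw_names = args.get('fileNames') or ''
    # Strip whitespace around each name; a bare '' or ', ,' must not become a
    # filter that silently excludes every file.
    fileNames = [name.strip() for name in raw_names.split(',') if name.strip()]
    return maxwait, fileNames


def _hashes_in(text):
    """Return the set of hash-looking tokens in text; None/empty gives an empty set."""
    if not text:
        return set()
    return set(m.group(0) for m in hashRe.finditer(text))


def _collect_hashes(fileNames):
    """Gather candidate hashes from the current incident and the War Room.

    Sources: every label value, the incident details, and the MD5 of each War
    Room file entry (restricted to fileNames when that list is non-empty).
    Returns an empty set rather than raising when there is no incident or the
    details are missing.
    """
    hashes = set()
    incidents = demisto.incidents()
    incident = incidents[0] if incidents else {}
    for label in incident.get('labels') or []:
        hashes |= _hashes_in(label.get('value'))
    hashes |= _hashes_in(incident.get('details'))
    for entry in demisto.executeCommand('getEntries', {}) or []:
        md5 = demisto.get(entry, 'FileMetadata.md5')
        name = entry.get('File')
        if name and md5 and (not fileNames or name in fileNames):
            hashes.add(md5)
    return hashes


def _retry_virustotal(result, h, maxwait):
    """Re-query VirusTotal while it reports the free-tier rate limit.

    Sleeps one minute between attempts, at most maxwait times, and returns the
    last result -- still an error entry if the limit never cleared.
    """
    waited = 0
    while (waited < maxwait and isError(result)
           and VT_RATE_LIMIT_MARKER in (result.get('Contents') or '')):
        demisto.log('Encountered VirusTotal Free API key rate limit. Waiting 1 minute and trying again.')
        sleep(60)
        retried = demisto.executeCommand('file', {'file': h, 'using-brand': 'virustotal'})
        waited += 1
        if not retried:
            break  # nothing came back; keep reporting the previous error entry
        result = retried[0]
    if waited > 0:
        demisto.log('Waited ' + str(waited) + ' minutes to query VirusTotal for ' + h + '.')
    return result


def _lookup(h, maxwait):
    """Run the `file` command for one hash.

    Returns (entries, answered, malicious): the War Room entries to emit for
    this hash, whether at least one source returned a non-error answer, and
    whether any source flagged the hash as malicious.
    """
    entries = []
    answered = False
    malicious = False
    for result in demisto.executeCommand('file', {'file': h}) or []:
        if result.get('Brand') == 'virustotal':
            result = _retry_virustotal(result, h, maxwait)
        if isError(result):
            entries.append(result)  # surface the error, but it is not an answer
            continue
        answered = True
        if positiveFile(result):
            malicious = True
        entries.append(shortFile(result))
    return entries, answered, malicious


res = []
badHashes = []
Malicious = False
maxwait, fileNames = _parse_args(demisto.args())
# sorted() only makes the output order reproducible; set order is arbitrary.
for h in sorted(_collect_hashes(fileNames)):
    entries, answered, malicious = _lookup(h, maxwait)
    res.extend(entries)
    if malicious:
        Malicious = True
        badHashes.append(h)  # once per hash, not once per positive source
    if not answered:
        res.append({"Type": entryTypes["error"], "ContentsFormat": formats["text"],
                    "Contents": "No reputation sources returned a valid answer for " + h})
if Malicious:
    # The trailing 'yes' / 'no' entries are presumably what playbook conditions
    # key on -- keep their wording and position unchanged.
    res.extend(['yes', 'Found malicious hashes!'])
    appendContext('bad_hashes', badHashes, dedup=True)
else:
    res.extend(['No suspicious files found', 'no'])
demisto.results(res)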
scripttarget: 0
system: true
tags:
- hash
- server
- threat-intel
- virustotal
- xfe
- wildfire
type: python