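# XSOAR/Demisto automation: looks up the Bit9/CBEP file-rule state for each
# supplied hash via the cbp-fileRule-search command and reports the result as
# a markdown summary, a table entry and the `found_hashes` context key.
args:
- default: true
  description: The hash value(s) to check.
  name: hash
  required: true
comment: Find the rule state for a hash value in CBEP/Bit9.
commonfields:
  id: CBPFindRule
  version: -1
dependson:
  must:
  - cbp-fileRule-search
name: CBPFindRule
runonce: false
script: |
  import re

  # fileState codes as returned by cbp-fileRule-search, mapped to display names.
  STATES = {1: "Unapproved", 2: "Approved", 3: "Banned"}
  # File hashes are hexadecimal (MD5 / SHA-1 / SHA-256). Anything else is
  # rejected before it is concatenated into the search query string, so a
  # caller-supplied value cannot inject query syntax or markdown.
  HEX_RE = re.compile(r'^[0-9a-fA-F]+$')

  res = []      # entries returned to the war room
  found = []    # hashes that matched at least one rule
  t = []        # raw rule objects, rendered as a table entry
  md = ''       # markdown summary, one line per matched rule

  hashes = argToList(demisto.args()["hash"])
  for h in hashes:
      h = h.strip()
      if not h:
          # Empty items (e.g. trailing comma) are skipped rather than queried.
          continue
      if not HEX_RE.match(h):
          # Report the bad value as an error entry and keep processing the rest.
          res.append({"Type": entryTypes["error"], "ContentsFormat": formats["text"],
                      "Contents": "Invalid hash value (expected hexadecimal): " + h})
          continue
      resSearch = demisto.executeCommand("cbp-fileRule-search", {"query": "hash:" + h})
      for entry in resSearch:
          if isError(entry):
              # Pass the command's error entry through unchanged.
              res.append(entry)
              continue
          # NOTE(review): assumes Contents is a list of rule dicts carrying
          # "hash" and "fileState" keys — confirm against the integration.
          for rule in entry["Contents"]:
              t.append(rule)
              found.append(rule["hash"])
              # Unknown state codes are reported instead of raising KeyError.
              state = STATES.get(rule["fileState"], "Unknown (" + str(rule["fileState"]) + ")")
              md += "Hash " + rule["hash"] + " is in state **" + state + "**\n"

  if found:
      # Comma-joined so the context key is a single string; dedup avoids
      # repeating hashes already stored by earlier runs.
      appendContext('found_hashes', ','.join(found), dedup=True)
  res.append({"Type": entryTypes["note"], "ContentsFormat": formats["markdown"], "Contents": md})
  res.append({"Type": entryTypes["note"], "ContentsFormat": formats["table"], "Contents": t})
  demisto.results(res)
scripttarget: 0
system: true
tags:
- carbon-black-protection
- bit9
- enhancement
type: python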