automation-CSCountDevicesForIOC.yml
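# Automation definition for CSCountDevicesForIOC.
# For every IOC passed in `value`, the embedded script runs the
# `cs-device-count-ioc` command (declared under dependson.must) and collects
# the returned `Contents.resources` rows into a single table entry.
args:
- default: true
  description: One of sha256, sha1, md5, domain
  name: type
  required: true
- description: The IOC to find
  name: value
  required: true
comment: |
  List the number devices that match each IOC in query - limited to sha256, sha1, md5 and domain types
commonfields:
  id: CSCountDevicesForIOC
  version: -1
dependson:
  must:
  - cs-device-count-ioc
# This automation is flagged as deprecated.
deprecated: true
name: CSCountDevicesForIOC
runonce: false
script: |-
  # Entries handed back to the caller: non-404 error entries first, then
  # either one table entry or the 'No results.' message.
  res = []
  # Formatted rows gathered across all queried IOCs.
  rows = []
  args = demisto.args()
  # `value` may hold several IOCs; argToList turns it into a list so each
  # one is queried separately.
  for ioc in argToList(args['value']):
      # `type` is forwarded as-is; it is not checked here against the types
      # named in the arg description (sha256, sha1, md5, domain).
      # NOTE(review): presumably cs-device-count-ioc rejects other types - confirm.
      entry = demisto.executeCommand(
          "cs-device-count-ioc",
          {"type": args['type'], "value": ioc},
      )[0]
      if isError(entry):
          # Skip 404 errors - it just means the IOC wasn't found.
          # This is a substring match on the error contents, so any error
          # whose contents include that text is dropped as well.
          # NOTE(review): assumes entry['Contents'] is a string for error
          # entries - confirm.
          if '404 (Not Found)' not in entry['Contents']:
              res.append(entry)
      else:
          resources = demisto.get(entry, 'Contents.resources')
          if resources:
              # Run every cell through formatCell before adding the row.
              rows += [{k: formatCell(row[k]) for k in row} for row in resources]
  if rows:
      res.append({'ContentsFormat': formats['table'], 'Type': entryTypes['note'], 'Contents': rows})
  else:
      # Also reached when only error entries were collected.
      res.append('No results.')
  demisto.results(res)
scripttarget: 0
system: true
tags:
- crowdstrike
type: python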