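args:
- default: true
  description: The ID of a file entry to upload
  name: entry
  required: true
comment: Retrieve file reputation and upload the file if required for analysis
commonfields:
  id: CYFileRep
  version: -1
dependson:
  must:
  - cylance|||file
  - cy-upload
name: CYFileRep
outputs:
- contextPath: File.MD5
  description: Bad hash MD5
- contextPath: File.SHA1
  description: Bad hash SHA1
- contextPath: File.SHA256
  description: Bad hash SHA256
- contextPath: File.Malicious.Vendor
  description: For malicious files, the vendor that made the decision
- contextPath: File.Malicious.Description
  description: For malicious files, the reason for the vendor to make the decision
- contextPath: DBotScore.Indicator
  description: The indicator we tested
- contextPath: DBotScore.Type
  description: The type of the indicator
- contextPath: DBotScore.Vendor
  description: Vendor used to calculate the score
- contextPath: DBotScore.Score
  description: The actual score
runonce: false
script: |-
  # Retrieve file entry reputation using Cylance.
  # Get the file entry and ask Cylance whether its MD5 is already known. If the
  # reply is NEEDFILE, upload the file with the returned confirm code, wait for
  # the analysis to start (10 seconds) and query the reputation again.
  # NOTE: cy-upload sends the file contents to the Cylance cloud service; the
  # caller is responsible for deciding that this is acceptable for the entry.
  import time

  e = demisto.args()['entry']
  fileEntry = demisto.executeCommand('getEntry', {'id': e})
  if fileEntry and len(fileEntry) == 1 and fileEntry[0]['Type'] != entryTypes['error']:
      fe = fileEntry[0]
      md5 = demisto.get(fe, 'FileMetadata.md5')
      # demisto.get() instead of fe['File'] so an entry without a File key is
      # reported as "not a file" rather than raising KeyError.
      if demisto.get(fe, 'File') and md5:
          lookup_args = {'file': md5, 'using-brand': brands['cy']}
          rep = demisto.executeCommand('file', lookup_args)
          if rep and len(rep) == 1 and rep[0]['Type'] != entryTypes['error']:
              contents = demisto.get(rep[0], 'Contents')
              # Contents is a mapping; take its first key. list() keeps this
              # working on Python 3, where dict.keys() is not indexable, and the
              # isinstance guard returns the raw reply when Contents is not a dict.
              k = list(contents.keys()) if isinstance(contents, dict) else []
              if k:
                  v = contents[k[0]]
                  if demisto.get(v, 'status') == 'NEEDFILE' and demisto.get(v, 'confirmcode'):
                      upload = demisto.executeCommand('cy-upload', {'entry': e, 'confirmCode': demisto.get(v, 'confirmcode')})
                      if upload and len(upload) == 1 and upload[0]['Type'] != entryTypes['error']:
                          contents = demisto.get(upload[0], 'Contents')
                          k = list(contents.keys()) if isinstance(contents, dict) else []
                          if k and demisto.get(contents[k[0]], 'status') == 'ACCEPTED':
                              # Fixed wait before re-querying; the second lookup may
                              # still report the file as pending, in which case the
                              # caller should re-run the script later.
                              time.sleep(10)
                              rep = demisto.executeCommand('file', lookup_args)
                              demisto.results(rep)
                          else:
                              # Upload not accepted (or reply malformed): surface the upload reply.
                              demisto.results(upload)
                      else:
                          demisto.results(upload)
                  else:
                      # Hash already known (or no confirm code): return the reputation as-is.
                      demisto.results(rep)
              else:
                  demisto.results(rep)
          else:
              demisto.results(rep)
      else:
          demisto.results('Entry is not a file')
  else:
      demisto.results('Unable to retrieve entry')
scripttarget: 0
system: true
tags:
- server
- threat-intel
- cylance
- file
type: python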