automation-CheckURLs.yml
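args:
  - default: true
    description: >-
      Raw text from which to extract URLs using the appropriate regular expression.
      If omitted, will scan Incident Details instead.
    name: data
comment: >-
  Check the URLs in the incident, or raw text provided as argument, for malicious
  URLs
commonfields:
  id: CheckURLs
  version: -1
dependson:
  should:
    - url
    - pt-malware
deprecated: true
name: CheckURLs
runonce: false
script: |-
  import re

  # Extraction pattern: http(s)/ftp URLs and bare www./ftp. hosts, with balanced
  # parentheses allowed inside the path. Matching is case-insensitive.
  strURLRegex = r'(?i)(?:(?:https?|ftp):\/\/|www\.|ftp\.)(?:\([-A-Z0-9+&@#\/%=~_|$?!:,.]*\)|[-A-Z0-9+&@#\/%=~_|$?!:,.])*(?:\([-A-Z0-9+&@#\/%=~_|$?!:,.]*\)|[A-Z0-9+&@#\/%=~_|$])'
  res = []       # war-room entries to return
  urls = []      # unique URLs selected for checking
  badUrls = []   # URLs at least one reputation source flagged
  # Schema/namespace URLs that show up in pasted Office/HTML markup; never worth a lookup.
  filtered = ['http://schemas.microsoft.com/office/2004/12/omml', 'http://www.w3.org/TR/REC-html40']
  # Use the 'data' argument when supplied, otherwise fall back to the incident details.
  data = demisto.args()['data'] if demisto.get(demisto.args(), 'data') else demisto.incidents()[0]['details']
  if isinstance(data, list):
      # A list is treated as already-extracted URLs; copy so the input is not mutated.
      urls = data[:]
  else:
      for m in re.finditer(strURLRegex, data, re.I):
          u = m.group(0)
          # Skip known-noise URLs, duplicates, and anything carrying a mailto: fragment.
          if u in filtered or u in urls or 'mailto:' in u:
              continue
          urls.append(u)
  # Command availability does not change per URL; resolve it once, outside the loop.
  hasUrlCmd = isCommandAvailable('url')
  hasPtMalwareCmd = isCommandAvailable('pt-malware')
  for u in urls:
      if hasUrlCmd:
          rep = demisto.executeCommand('url', {'url': u})
          for r in rep:
              # Only positive (malicious) verdicts contribute an entry and mark the URL bad.
              if positiveUrl(r):
                  badUrls.append(u)
                  res.append(shortUrl(r))
      if hasPtMalwareCmd:
          ptRep = demisto.executeCommand('pt-malware', {'query': u})
          # Guard against an empty response before indexing the first entry.
          if ptRep and not isError(ptRep[0]) and demisto.get(ptRep[0], 'Contents.results'):
              badUrls.append(u)
              contents = flattenTable(demisto.get(ptRep[0], 'Contents.results'))
              res.append({'ContentsFormat': formats['table'], 'Type': entryTypes['note'], 'Contents': contents})
  if len(res) > 0:
      res.extend(['yes', 'Found malicious URLs!'])
      # Merge into any existing bad_urls context list without duplicating entries.
      currUrls = demisto.get(demisto.context(), 'bad_urls')
      if currUrls and isinstance(currUrls, list):
          currUrls += [u for u in badUrls if u not in currUrls]
      else:
          currUrls = badUrls
      demisto.setContext('bad_urls', currUrls)
  else:
      res.append('no')
      if urls:
          res.append('Only clean URLs found: \n' + '\n'.join(urls))
      else:
          res.append('No URLs found within data. Nothing to check.')
  demisto.results(res)
scripttarget: 0
system: true
tags:
  - server
  - threat-intel
  - xfe
  - virustotal
type: python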