PAPP-34631: changes to json and adding a requirement
tapishj-splunk committed Oct 4, 2024
1 parent 1dd38e3 commit c07c170
Showing 3 changed files with 28 additions and 21 deletions.
2 changes: 1 addition & 1 deletion requirements.txt
@@ -1,3 +1,3 @@
httpx[http2]==0.27.2
pydantic==1.10.13
cryptography
cryptography==43.0.1
17 changes: 6 additions & 11 deletions talosintelligence.json
Expand Up @@ -11,7 +11,7 @@
"product_version_regex": ".*",
"publisher": "Splunk Community",
"license": "Copyright (c) Splunk Community, 2024",
"app_version": "1.0.0",
"app_version": "1.0.1",
"utctime_updated": "2024-06-21T18:40:03.685771Z",
"package_name": "phantom_ciscotalosintelligence",
"main_module": "talosintelligence_connector.py",
Expand Down Expand Up @@ -78,7 +78,8 @@
"required": true,
"primary": true,
"contains": [
"ip"
"ip",
"ipv6"
],
"value_list": [],
"default": "",
Expand Down Expand Up @@ -140,7 +141,7 @@
"data_path": "action_result.summary.message",
"data_type": "string",
"example_values": [
"IP successfully queried"
"72.163.4.185 has a Favorable threat level"
]
}
],
Expand Down Expand Up @@ -176,9 +177,6 @@
"description": "Corresponding IPs to the domain. A domain may have a different reputation based on the IP it resolves to. Passing an IP can improve the accuracy of the response",
"data_type": "string",
"primary": true,
"contains": [
"ip"
],
"value_list": [],
"default": "",
"order": 1,
Expand Down Expand Up @@ -247,7 +245,7 @@
"data_path": "action_result.summary.message",
"data_type": "string",
"example_values": [
"Domain successfully queried"
"splunk.com has a Favorable threat level"
]
}
],
Expand Down Expand Up @@ -282,9 +280,6 @@
"description": "Corresponding IPs to the url. A domain may have a different reputation based on the IP it resolves to. Passing an IP can improve the accuracy of the response",
"data_type": "string",
"primary": true,
"contains": [
"ip"
],
"value_list": [],
"default": "",
"order": 1,
Expand Down Expand Up @@ -352,7 +347,7 @@
"data_path": "action_result.summary.message",
"data_type": "string",
"example_values": [
"URL successfully queried"
"https://splunk.com has a Favorable threat level"
]
}
],
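Review bot: The `ips` parameter of the domain reputation and url reputation actions loses its `contains` list entirely, while the `ip` parameter of the ip reputation action gains `"ipv6"` next to `"ip"`; nothing in the commit explains the asymmetry. If `contains` is dropped on `ips` because the value is a comma-separated list (the connector's `ips_list` loop suggests that), the parameter description should say so, e.g. append `Accepts a comma-separated list of IPv4 or IPv6 addresses.` to the description text in both actions. Otherwise restoring `"contains": ["ip", "ipv6"]` on both `ips` parameters would keep the three actions consistent.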
30 changes: 21 additions & 9 deletions talosintelligence_connector.py
Expand Up @@ -234,6 +234,12 @@ def _handle_test_connectivity(self, param):
self._state = {}
return action_result.set_status(phantom.APP_SUCCESS)

def format_ip_type(self, ip_addr):
if isinstance(ip_addr, ipaddress.IPv4Address):
return {"ipv4_addr": int(ip_addr)}
else:
return {"ipv6_addr": ip_addr.packed.hex()}

def _handle_ip_reputation(self, param):
self.save_progress("In action handler for: {0}".format(self.get_action_identifier()))
action_result = self.add_action_result(ActionResult(dict(param)))
Expand All @@ -242,12 +248,13 @@ def _handle_ip_reputation(self, param):

try:
ip_addr = ipaddress.ip_address(ip)
big_endian = int(ip_addr)
ip_request = self.format_ip_type(ip_addr)
except Exception as exc:
return action_result.set_status(phantom.APP_ERROR, f"Please provide a valid IP Address. Error: {exc}")
self.debug_print(f"ip request is {ip_request}")

payload = {
"urls": { "endpoint": [{"ipv4_addr": big_endian}]},
"urls": { "endpoint": [ip_request]},
"app_info": self._appinfo
}

Expand All @@ -256,7 +263,10 @@ def _handle_ip_reputation(self, param):
return action_result.get_status()

summary = action_result.update_summary({})
summary["Message"] = "IP successfully queried"
summary["Message"] = "IP WORKED"
threat_level = action_result.get_data()[0]["Threat_Level"]
summary["Message"] = f"{ip} has a {threat_level} threat level"

return action_result.set_status(phantom.APP_SUCCESS)

def _is_valid_domain(self, domain):
Expand All @@ -280,8 +290,8 @@ def _handle_domain_reputation(self, param):
for ip in ips_list:
try:
ip_addr = ipaddress.ip_address(ip)
big_endian = int(ip_addr)
endpoints.append({"ipv4_addr": big_endian})
ip_request = self.format_ip_type(ip_addr)
endpoints.append(ip_request)
except Exception as exc:
self.debug_print(f"{ip} is not a valid ip address got. Error: {exc}")

Expand All @@ -299,7 +309,8 @@ def _handle_domain_reputation(self, param):
return action_result.get_status()

summary = action_result.update_summary({})
summary["Message"] = "Domain successfully queried"
threat_level = action_result.get_data()[0]["Threat_Level"]
summary["Message"] = f"{domain} has a {threat_level} threat level"
return action_result.set_status(phantom.APP_SUCCESS)

def _is_valid_url(self, url):
Expand All @@ -322,8 +333,8 @@ def _handle_url_reputation(self, param):
for ip in ips_list:
try:
ip_addr = ipaddress.ip_address(ip)
big_endian = int(ip_addr)
endpoints.append({"ipv4_addr": big_endian})
ip_request = self.format_ip_type(ip_addr)
endpoints.append(ip_request)
except Exception as exc:
self.debug_print(f"{ip} is not a valid ip address. Error: {exc}")

Expand All @@ -341,7 +352,8 @@ def _handle_url_reputation(self, param):
return action_result.get_status()

summary = action_result.update_summary({})
summary["Message"] = "URL successfully queried"
threat_level = action_result.get_data()[0]["Threat_Level"]
summary["Message"] = f"{url} has a {threat_level} threat level"
return action_result.set_status(phantom.APP_SUCCESS)

def _query_reputation(self, action_result, payload, observable=None):
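Review bot: The new summary code in `_handle_ip_reputation` indexes `action_result.get_data()[0]["Threat_Level"]` with no guard, so an empty data list or a response lacking that key raises IndexError/KeyError out of the handler instead of returning an action error; the same unguarded access is added in `_handle_domain_reputation` and `_handle_url_reputation`. The line `summary["Message"] = "IP WORKED"` just above it is a leftover that is overwritten on the next statement and should be dropped. Suggest `data = action_result.get_data()` followed by `threat_level = data[0].get("Threat_Level", "unknown") if data else "unknown"` before building the message in all three handlers. Whether `_query_reputation` guarantees at least one data entry is not visible here, and each handler's body continues outside its hunk. `format_ip_type` also lands without a docstring; a one-liner such as `"""Return the Talos endpoint dict for an ipaddress object: ipv4_addr as int, ipv6_addr as packed hex."""` would do.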
