diff --git a/requirements.txt b/requirements.txt
index 0075057..63ded50 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,3 +1,3 @@
 httpx[http2]==0.27.2
 pydantic==1.10.13
-cryptography
\ No newline at end of file
+cryptography==43.0.1
\ No newline at end of file
diff --git a/talosintelligence.json b/talosintelligence.json
index 3605ee1..28ea4c4 100644
--- a/talosintelligence.json
+++ b/talosintelligence.json
@@ -11,7 +11,7 @@
 "product_version_regex": ".*",
 "publisher": "Splunk Community",
 "license": "Copyright (c) Splunk Community, 2024",
- "app_version": "1.0.0",
+ "app_version": "1.0.1",
 "utctime_updated": "2024-06-21T18:40:03.685771Z",
 "package_name": "phantom_ciscotalosintelligence",
 "main_module": "talosintelligence_connector.py",
@@ -78,7 +78,8 @@
 "required": true,
 "primary": true,
 "contains": [
- "ip"
+ "ip",
+ "ipv6"
 ],
 "value_list": [],
 "default": "",
@@ -140,7 +141,7 @@
 "data_path": "action_result.summary.message",
 "data_type": "string",
 "example_values": [
- "IP successfully queried"
+ "72.163.4.185 has a Favorable threat level"
 ]
 }
 ],
@@ -176,9 +177,6 @@
 "description": "Corresponding IPs to the domain. A domain may have a different reputation based on the IP it resolves to. Passing an IP can improve the accuracy of the response",
 "data_type": "string",
 "primary": true,
- "contains": [
- "ip"
- ],
 "value_list": [],
 "default": "",
 "order": 1,
@@ -247,7 +245,7 @@
 "data_path": "action_result.summary.message",
 "data_type": "string",
 "example_values": [
- "Domain successfully queried"
+ "splunk.com has a Favorable threat level"
 ]
 }
 ],
@@ -282,9 +280,6 @@
 "description": "Corresponding IPs to the url. A domain may have a different reputation based on the IP it resolves to. Passing an IP can improve the accuracy of the response",
 "data_type": "string",
 "primary": true,
- "contains": [
- "ip"
- ],
 "value_list": [],
 "default": "",
 "order": 1,
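Review bot: In the @@ -11 hunk `app_version` moves to 1.0.1 while the `utctime_updated` context line on the next row still carries 2024-06-21T18:40:03.685771Z; if that field is meant to record when the manifest last changed, it should be refreshed together with the version bump. The @@ -78 hunk extends the ip-reputation `ip` parameter's `contains` with `"ipv6"`, whereas the @@ -176 and @@ -282 hunks drop `contains` from the domain and URL `ip` parameters altogether, presumably because those take a comma-separated list; a short note in the commit description on why the two are handled differently would save the next reader from treating it as an oversight.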
@@ -352,7 +347,7 @@
 "data_path": "action_result.summary.message",
 "data_type": "string",
 "example_values": [
- "URL successfully queried"
+ "https://splunk.com has a Favorable threat level"
 ]
 }
 ],
diff --git a/talosintelligence_connector.py b/talosintelligence_connector.py
index 735a5ee..173810a 100644
--- a/talosintelligence_connector.py
+++ b/talosintelligence_connector.py
@@ -234,6 +234,12 @@ def _handle_test_connectivity(self, param):
 self._state = {}
 return action_result.set_status(phantom.APP_SUCCESS)
+ def format_ip_type(self, ip_addr):
+ if isinstance(ip_addr, ipaddress.IPv4Address):
+ return {"ipv4_addr": int(ip_addr)}
+ else:
+ return {"ipv6_addr": ip_addr.packed.hex()}
+
 def _handle_ip_reputation(self, param):
 self.save_progress("In action handler for: {0}".format(self.get_action_identifier()))
 action_result = self.add_action_result(ActionResult(dict(param)))
@@ -242,12 +248,13 @@ def _handle_ip_reputation(self, param):
 try:
 ip_addr = ipaddress.ip_address(ip)
- big_endian = int(ip_addr)
+ ip_request = self.format_ip_type(ip_addr)
 except Exception as exc:
 return action_result.set_status(phantom.APP_ERROR, f"Please provide a valid IP Address. Error: {exc}")
+ self.debug_print(f"ip request is {ip_request}")
 payload = {
- "urls": { "endpoint": [{"ipv4_addr": big_endian}]},
+ "urls": { "endpoint": [ip_request]},
 "app_info": self._appinfo
 }
@@ -256,7 +263,10 @@ def _handle_ip_reputation(self, param):
 return action_result.get_status()
 summary = action_result.update_summary({})
- summary["Message"] = "IP successfully queried"
+ summary["Message"] = "IP WORKED"
+ threat_level = action_result.get_data()[0]["Threat_Level"]
+ summary["Message"] = f"{ip} has a {threat_level} threat level"
+
 return action_result.set_status(phantom.APP_SUCCESS)
 def _is_valid_domain(self, domain):
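Review bot: `format_ip_type` in the @@ -234 hunk has no docstring, and its `else` branch treats any value that is not an `IPv4Address` as IPv6, which only holds because every caller in this diff passes the result of `ipaddress.ip_address`; that precondition should be written down. Suggest `"""Build the request entry for an ipaddress object: IPv4 as an int under "ipv4_addr", IPv6 as the hex of its packed form under "ipv6_addr". Caller must pass an IPv4Address or IPv6Address."""` as the docstring. The method never reads `self`, so declaring it `@staticmethod` would make that explicit without changing how the existing `self.format_ip_type(...)` call sites work.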
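Review bot: In the @@ -256 hunk `summary["Message"] = "IP WORKED"` is dead, overwritten two lines later, and reads like a leftover debug value; it should be dropped. The following `action_result.get_data()[0]["Threat_Level"]` is unguarded, so an empty data list or a response entry without that key raises IndexError/KeyError out of the handler instead of returning an APP_ERROR through `action_result`, which the preceding `return action_result.get_status()` line shows is the established failure path for this action. The same unguarded lookup is added in the @@ -299 and @@ -341 hunks for the domain and URL handlers and should get the same guard; the data entries appear to be dicts given the key subscript, which is assumed below. `_handle_ip_reputation` begins before this hunk.
```python
summary = action_result.update_summary({})
data = action_result.get_data()
if not data or "Threat_Level" not in data[0]:
    return action_result.set_status(phantom.APP_ERROR, "Response did not include a threat level")
summary["Message"] = f"{ip} has a {data[0]['Threat_Level']} threat level"

return action_result.set_status(phantom.APP_SUCCESS)
```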
@@ -280,8 +290,8 @@ def _handle_domain_reputation(self, param):
 for ip in ips_list:
 try:
 ip_addr = ipaddress.ip_address(ip)
- big_endian = int(ip_addr)
- endpoints.append({"ipv4_addr": big_endian})
+ ip_request = self.format_ip_type(ip_addr)
+ endpoints.append(ip_request)
 except Exception as exc:
 self.debug_print(f"{ip} is not a valid ip address got. Error: {exc}")
@@ -299,7 +309,8 @@ def _handle_domain_reputation(self, param):
 return action_result.get_status()
 summary = action_result.update_summary({})
- summary["Message"] = "Domain successfully queried"
+ threat_level = action_result.get_data()[0]["Threat_Level"]
+ summary["Message"] = f"{domain} has a {threat_level} threat level"
 return action_result.set_status(phantom.APP_SUCCESS)
 def _is_valid_url(self, url):
@@ -322,8 +333,8 @@ def _handle_url_reputation(self, param):
 for ip in ips_list:
 try:
 ip_addr = ipaddress.ip_address(ip)
- big_endian = int(ip_addr)
- endpoints.append({"ipv4_addr": big_endian})
+ ip_request = self.format_ip_type(ip_addr)
+ endpoints.append(ip_request)
 except Exception as exc:
 self.debug_print(f"{ip} is not a valid ip address. Error: {exc}")
@@ -341,7 +352,8 @@ def _handle_url_reputation(self, param):
 return action_result.get_status()
 summary = action_result.update_summary({})
- summary["Message"] = "URL successfully queried"
+ threat_level = action_result.get_data()[0]["Threat_Level"]
+ summary["Message"] = f"{url} has a {threat_level} threat level"
 return action_result.set_status(phantom.APP_SUCCESS)
 def _query_reputation(self, action_result, payload, observable=None):