diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 13ffd89..bbd5d67 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -5,7 +5,7 @@ repos:
 - id: org-hook
 - id: package-app-dependencies
 - repo: https://github.com/Yelp/detect-secrets
- rev: v1.3.0
+ rev: v1.4.0
 hooks:
 - id: detect-secrets
 args: ['--no-verify', '--exclude-files', '^cybereason.json$']
diff --git a/LICENSE b/LICENSE
index fea88a6..5d4e3ac 100644
--- a/LICENSE
+++ b/LICENSE
@@ -186,7 +186,7 @@
 same "printed page" as the copyright notice for easier
 identification within third-party archives.
- Copyright (c) Cybereason, 2018-2021
+ Copyright (c) Cybereason, 2018-2022
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
diff --git a/README.md b/README.md
index 001d114..cf6fe0b 100644
--- a/README.md
+++ b/README.md
@@ -2,11 +2,11 @@
 # Cybereason
 Publisher: Cybereason
-Connector Version: 2\.2\.0
+Connector Version: 2\.3\.0
 Product Vendor: Cybereason
 Product Name: Cybereason
 Product Version Supported (regex): "\.\*"
-Minimum Product Version: 5\.3\.0
+Minimum Product Version: 5\.3\.5
 This app integrates with the Cybereason platform to perform investigative, contain, and corrective actions on Malop and Malware events
@@ -132,13 +132,13 @@ PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS #### Action Output DATA PATH | TYPE | CONTAINS --------- | ---- | -------- -action\_result\.parameter\.malop\_id | string | `cybereason malop id` +action\_result\.status | string | action\_result\.parameter\.machine\_name | string | `cybereason machine name` -action\_result\.data\.\*\.remediation\_id | string | `cybereason remediation id` +action\_result\.parameter\.malop\_id | string | `cybereason malop id` action\_result\.data\.\*\.initiating\_user | string | `cybereason user` -action\_result\.status | string | -action\_result\.message | string | +action\_result\.data\.\*\.remediation\_id | string | `cybereason remediation id` action\_result\.summary | string | +action\_result\.message | string | summary\.total\_objects | numeric | summary\.total\_objects\_successful | numeric | @@ -158,13 +158,13 @@ PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS #### Action Output DATA PATH | TYPE | CONTAINS --------- | ---- | -------- +action\_result\.status | string | action\_result\.parameter\.malop\_id | string | `cybereason malop id` -action\_result\.data\.\*\.machine\_name | string | `cybereason machine name` action\_result\.data\.\*\.machine\_id | string | `cybereason machine id` +action\_result\.data\.\*\.machine\_name | string | `cybereason machine name` action\_result\.data\.\*\.status | string | `cybereason sensor status` -action\_result\.status | string | -action\_result\.message | string | action\_result\.summary | string | +action\_result\.message | string | summary\.total\_objects | numeric | summary\.total\_objects\_successful | numeric | 
@@ -183,12 +183,12 @@ PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS #### Action Output DATA PATH | TYPE | CONTAINS --------- | ---- | -------- -action\_result\.parameter\.malop\_id | string | `cybereason malop id` +action\_result\.status | string | action\_result\.parameter\.comment | string | +action\_result\.parameter\.malop\_id | string | `cybereason malop id` action\_result\.data | string | -action\_result\.status | string | -action\_result\.message | string | action\_result\.summary | string | +action\_result\.message | string | summary\.total\_objects | numeric | summary\.total\_objects\_successful | numeric | @@ -207,12 +207,12 @@ PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS #### Action Output DATA PATH | TYPE | CONTAINS --------- | ---- | -------- +action\_result\.status | string | action\_result\.parameter\.malop\_id | string | `cybereason malop id` action\_result\.parameter\.status | string | `cybereason malop status` action\_result\.data | string | -action\_result\.status | string | -action\_result\.message | string | action\_result\.summary | string | +action\_result\.message | string | summary\.total\_objects | numeric | summary\.total\_objects\_successful | numeric | @@ -230,11 +230,11 @@ PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS #### Action Output DATA PATH | TYPE | CONTAINS --------- | ---- | -------- +action\_result\.status | string | action\_result\.parameter\.malop\_id | string | `cybereason malop id` action\_result\.data | string | -action\_result\.status | string | -action\_result\.message | string | action\_result\.summary | string | +action\_result\.message | string | summary\.total\_objects | numeric | summary\.total\_objects\_successful | numeric | 
@@ -252,11 +252,11 @@ PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS #### Action Output DATA PATH | TYPE | CONTAINS --------- | ---- | -------- +action\_result\.status | string | action\_result\.parameter\.malop\_id | string | `cybereason malop id` action\_result\.data | string | -action\_result\.status | string | -action\_result\.message | string | action\_result\.summary | string | +action\_result\.message | string | summary\.total\_objects | numeric | summary\.total\_objects\_successful | numeric | @@ -274,11 +274,11 @@ PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS #### Action Output DATA PATH | TYPE | CONTAINS --------- | ---- | -------- +action\_result\.status | string | action\_result\.parameter\.machine\_name\_or\_ip | string | `cybereason machine name or ip` action\_result\.data | string | -action\_result\.status | string | -action\_result\.message | string | action\_result\.summary | string | +action\_result\.message | string | summary\.total\_objects | numeric | summary\.total\_objects\_successful | numeric | @@ -296,11 +296,11 @@ PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS #### Action Output DATA PATH | TYPE | CONTAINS --------- | ---- | -------- +action\_result\.status | string | action\_result\.parameter\.machine\_name\_or\_ip | string | `cybereason machine name or ip` action\_result\.data | string | -action\_result\.status | string | -action\_result\.message | string | action\_result\.summary | string | +action\_result\.message | string | summary\.total\_objects | numeric | summary\.total\_objects\_successful | numeric | 
@@ -321,15 +321,15 @@ PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS #### Action Output DATA PATH | TYPE | CONTAINS --------- | ---- | -------- -action\_result\.parameter\.malop\_id | string | `cybereason malop id` -action\_result\.parameter\.remediation\_user | string | `cybereason user` +action\_result\.status | string | action\_result\.parameter\.machine\_id | string | `cybereason machine id` +action\_result\.parameter\.malop\_id | string | `cybereason malop id` action\_result\.parameter\.process\_id | string | `cybereason process id` +action\_result\.parameter\.remediation\_user | string | `cybereason user` action\_result\.data\.\*\.remediation\_id | string | `cybereason remediation id` action\_result\.data\.\*\.remediation\_status | string | `cybereason remediation status` -action\_result\.status | string | -action\_result\.message | string | action\_result\.summary | string | +action\_result\.message | string | summary\.total\_objects | numeric | summary\.total\_objects\_successful | numeric | @@ -349,14 +349,14 @@ PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS #### Action Output DATA PATH | TYPE | CONTAINS --------- | ---- | -------- +action\_result\.status | string | action\_result\.parameter\.malop\_id | string | `cybereason malop id` -action\_result\.parameter\.remediation\_user | string | `cybereason user` action\_result\.parameter\.remediation\_id | string | `cybereason remediation id` -action\_result\.data\.\*\.remediation\_status | string | `cybereason remediation status` +action\_result\.parameter\.remediation\_user | string | `cybereason user` action\_result\.data\.\*\.remediation\_message | string | -action\_result\.status | string | -action\_result\.message | string | +action\_result\.data\.\*\.remediation\_status | string | `cybereason remediation status` action\_result\.summary | string | +action\_result\.message | string | summary\.total\_objects | numeric | summary\.total\_objects\_successful | numeric | 
@@ -375,12 +375,12 @@ PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS #### Action Output DATA PATH | TYPE | CONTAINS --------- | ---- | -------- -action\_result\.parameter\.reputation\_item\_hash | string | `hash` +action\_result\.status | string | action\_result\.parameter\.custom\_reputation | string | +action\_result\.parameter\.reputation\_item\_hash | string | `hash` action\_result\.data | string | -action\_result\.status | string | -action\_result\.message | string | action\_result\.summary | string | +action\_result\.message | string | summary\.total\_objects | numeric | summary\.total\_objects\_successful | numeric | @@ -398,14 +398,14 @@ PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS #### Action Output DATA PATH | TYPE | CONTAINS --------- | ---- | -------- +action\_result\.status | string | action\_result\.parameter\.malop\_id | string | `cybereason malop id` -action\_result\.data\.\*\.process\_id | string | `cybereason process id` -action\_result\.data\.\*\.process\_name | string | `cybereason process name` action\_result\.data\.\*\.owner\_machine\_id | string | `cybereason machine id` action\_result\.data\.\*\.owner\_machine\_name | string | `cybereason machine name` -action\_result\.status | string | -action\_result\.message | string | +action\_result\.data\.\*\.process\_id | string | `cybereason process id` +action\_result\.data\.\*\.process\_name | string | `cybereason process name` action\_result\.summary | string | +action\_result\.message | string | summary\.total\_objects | numeric | summary\.total\_objects\_successful | numeric | 
@@ -423,15 +423,15 @@ PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS #### Action Output DATA PATH | TYPE | CONTAINS --------- | ---- | -------- +action\_result\.status | string | action\_result\.parameter\.name | string | +action\_result\.data\.\*\.is\_connected\_to\_cybereason | string | action\_result\.data\.\*\.machine\_id | string | `cybereason machine id` action\_result\.data\.\*\.machine\_name | string | action\_result\.data\.\*\.os\_version | string | action\_result\.data\.\*\.platform\_architecture | string | -action\_result\.data\.\*\.is\_connected\_to\_cybereason | string | -action\_result\.status | string | -action\_result\.message | string | action\_result\.summary | string | +action\_result\.message | string | summary\.total\_objects | numeric | summary\.total\_objects\_successful | numeric | @@ -449,15 +449,15 @@ PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS #### Action Output DATA PATH | TYPE | CONTAINS --------- | ---- | -------- +action\_result\.status | string | action\_result\.parameter\.machine\_ip | string | `ip` +action\_result\.data\.\*\.is\_connected\_to\_cybereason | string | action\_result\.data\.\*\.machine\_id | string | `cybereason machine id` action\_result\.data\.\*\.machine\_name | string | action\_result\.data\.\*\.os\_version | string | action\_result\.data\.\*\.platform\_architecture | string | -action\_result\.data\.\*\.is\_connected\_to\_cybereason | string | -action\_result\.status | string | -action\_result\.message | string | action\_result\.summary | string | +action\_result\.message | string | summary\.total\_objects | numeric | summary\.total\_objects\_successful | numeric | 
@@ -475,15 +475,15 @@ PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS #### Action Output DATA PATH | TYPE | CONTAINS --------- | ---- | -------- +action\_result\.status | string | action\_result\.parameter\.user | string | `cybereason user` -action\_result\.data\.\*\.element\_name | string | action\_result\.data\.\*\.domain | string | `domain` +action\_result\.data\.\*\.element\_name | string | action\_result\.data\.\*\.last\_machine\_logged\_into | string | -action\_result\.data\.\*\.organization | string | action\_result\.data\.\*\.local\_system | string | -action\_result\.status | string | -action\_result\.message | string | +action\_result\.data\.\*\.organization | string | action\_result\.summary | string | +action\_result\.message | string | summary\.total\_objects | numeric | summary\.total\_objects\_successful | numeric | @@ -501,18 +501,18 @@ PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS #### Action Output DATA PATH | TYPE | CONTAINS --------- | ---- | -------- +action\_result\.status | string | action\_result\.parameter\.file\_name | string | `file name` -action\_result\.data\.\*\.element\_name | string | -action\_result\.data\.\*\.suspicion\_count | string | -action\_result\.data\.\*\.signed | string | action\_result\.data\.\*\.SHA1\_signature | string | -action\_result\.data\.\*\.size | string | +action\_result\.data\.\*\.company\_name | string | +action\_result\.data\.\*\.element\_name | string | action\_result\.data\.\*\.path | string | action\_result\.data\.\*\.product\_name | string | -action\_result\.data\.\*\.company\_name | string | -action\_result\.status | string | -action\_result\.message | string | +action\_result\.data\.\*\.signed | string | +action\_result\.data\.\*\.size | string | +action\_result\.data\.\*\.suspicion\_count | string | action\_result\.summary | string | +action\_result\.message | string | summary\.total\_objects | numeric | summary\.total\_objects\_successful | numeric | 
@@ -530,15 +530,15 @@ PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS #### Action Output DATA PATH | TYPE | CONTAINS --------- | ---- | -------- +action\_result\.status | string | action\_result\.parameter\.domain\_name | string | `domain` action\_result\.data\.\*\.element\_name | string | -action\_result\.data\.\*\.malicious\_classification\_type | string | action\_result\.data\.\*\.is\_internal\_domain | string | +action\_result\.data\.\*\.malicious\_classification\_type | string | action\_result\.data\.\*\.was\_ever\_resolved | string | action\_result\.data\.\*\.was\_ever\_resolved\_as\_second\_level\_domain | string | -action\_result\.status | string | -action\_result\.message | string | action\_result\.summary | string | +action\_result\.message | string | summary\.total\_objects | numeric | summary\.total\_objects\_successful | numeric | 
@@ -556,21 +556,21 @@ PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS #### Action Output DATA PATH | TYPE | CONTAINS --------- | ---- | -------- +action\_result\.status | string | action\_result\.parameter\.connection\_name | string | -action\_result\.data\.\*\.element\_name | string | action\_result\.data\.\*\.direction | string | -action\_result\.data\.\*\.server\_address | string | -action\_result\.data\.\*\.server\_port | string | +action\_result\.data\.\*\.dns\_query | string | +action\_result\.data\.\*\.element\_name | string | +action\_result\.data\.\*\.owner\_machine | string | +action\_result\.data\.\*\.owner\_process | string | action\_result\.data\.\*\.port\_type | string | `port` action\_result\.data\.\*\.received\_bytes | string | -action\_result\.data\.\*\.transmitted\_bytes | string | action\_result\.data\.\*\.remote\_address | string | -action\_result\.data\.\*\.owner\_machine | string | -action\_result\.data\.\*\.owner\_process | string | -action\_result\.data\.\*\.dns\_query | string | -action\_result\.status | string | -action\_result\.message | string | +action\_result\.data\.\*\.server\_address | string | +action\_result\.data\.\*\.server\_port | string | +action\_result\.data\.\*\.transmitted\_bytes | string | action\_result\.summary | string | +action\_result\.message | string | summary\.total\_objects | numeric | summary\.total\_objects\_successful | numeric | @@ -590,11 +590,11 @@ PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS #### Action Output DATA PATH | TYPE | CONTAINS --------- | ---- | -------- +action\_result\.status | string | action\_result\.parameter\.pylumid | string | `cybereason sensor pylum id` action\_result\.data | string | -action\_result\.status | string | -action\_result\.message | string | action\_result\.summary | string | +action\_result\.message | string | summary\.total\_objects | numeric | summary\.total\_objects\_successful | numeric | 
@@ -614,10 +614,10 @@ PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS
 #### Action Output
 DATA PATH | TYPE | CONTAINS
 --------- | ---- | --------
+action\_result\.status | string |
 action\_result\.parameter\.pylumid | string | `cybereason sensor pylum id`
 action\_result\.data | string |
-action\_result\.status | string |
-action\_result\.message | string |
 action\_result\.summary | string |
+action\_result\.message | string |
 summary\.total\_objects | numeric |
 summary\.total\_objects\_successful | numeric |
\ No newline at end of file
diff --git a/cybereason.json b/cybereason.json
index 24b8509..dd09716 100644
--- a/cybereason.json
+++ b/cybereason.json
@@ -10,12 +10,12 @@
 "python_version": "3",
 "product_version_regex": ".*",
 "publisher": "Cybereason",
- "license": "Copyright (c) Cybereason, 2018-2021",
- "app_version": "2.2.0",
+ "license": "Copyright (c) Cybereason, 2018-2022",
+ "app_version": "2.3.0",
 "utctime_updated": "2022-01-07T20:19:08.000000Z",
 "package_name": "phantom_cybereason",
 "main_module": "cybereason_connector.py",
- "min_phantom_version": "5.3.0",
+ "min_phantom_version": "5.3.5",
 "app_wizard_version": "1.0.0",
 "fips_compliant": false,
 "configuration": {
@@ -149,13 +149,14 @@
 },
 "output": [
 {
- "data_path": "action_result.parameter.malop_id",
+ "data_path": "action_result.status",
 "data_type": "string",
- "contains": [
- "cybereason malop id"
- ],
- "column_name": "Malop ID",
- "column_order": 0
+ "column_name": "Status",
+ "column_order": 4,
+ "example_values": [
+ "success",
+ "failed"
+ ]
 },
 {
 "data_path": "action_result.parameter.machine_name",
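Review bot: In the cybereason.json header hunk, `utctime_updated` is left at `"2022-01-07T20:19:08.000000Z"` while `app_version` moves to 2.3.0 and `min_phantom_version` to 5.3.5, so the manifest timestamp no longer corresponds to this release. If the platform or packaging tooling uses that field to distinguish builds, a stale value makes the 2.2.0 and 2.3.0 packages look identical on that axis; it should be regenerated with the version bump, e.g. `"utctime_updated": "<build timestamp placeholder>",`. The later `output` hunks in this file only permute entries and keep each `column_order` value, which reads consistently across the visible hunks, but the raised minimum platform version is not explained anywhere in the visible diff and presumably belongs in a changelog or release note.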
@@ -167,13 +168,13 @@ "column_order": 1 }, { - "data_path": "action_result.data.*.remediation_id", + "data_path": "action_result.parameter.malop_id", "data_type": "string", "contains": [ - "cybereason remediation id" + "cybereason malop id" ], - "column_name": "Remediation ID", - "column_order": 2 + "column_name": "Malop ID", + "column_order": 0 }, { "data_path": "action_result.data.*.initiating_user", @@ -185,21 +186,20 @@ "column_order": 3 }, { - "data_path": "action_result.status", + "data_path": "action_result.data.*.remediation_id", "data_type": "string", - "column_name": "Status", - "column_order": 4, - "example_values": [ - "success", - "failed" - ] + "contains": [ + "cybereason remediation id" + ], + "column_name": "Remediation ID", + "column_order": 2 }, { - "data_path": "action_result.message", + "data_path": "action_result.summary", "data_type": "string" }, { - "data_path": "action_result.summary", + "data_path": "action_result.message", "data_type": "string" }, { @@ -242,6 +242,16 @@ } }, "output": [ + { + "data_path": "action_result.status", + "data_type": "string", + "column_name": "Status", + "column_order": 4, + "example_values": [ + "success", + "failed" + ] + }, { "data_path": "action_result.parameter.malop_id", "data_type": "string", @@ -252,22 +262,22 @@ "column_order": 0 }, { - "data_path": "action_result.data.*.machine_name", + "data_path": "action_result.data.*.machine_id", "data_type": "string", "contains": [ - "cybereason machine name" + "cybereason machine id" ], - "column_name": "Machine Name", - "column_order": 1 + "column_name": "Machine ID", + "column_order": 2 }, { - "data_path": "action_result.data.*.machine_id", + "data_path": "action_result.data.*.machine_name", "data_type": "string", "contains": [ - "cybereason machine id" + "cybereason machine name" ], - "column_name": "Machine ID", - "column_order": 2 + "column_name": "Machine Name", + "column_order": 1 }, { "data_path": "action_result.data.*.status", 
@@ -283,21 +293,11 @@ ] }, { - "data_path": "action_result.status", - "data_type": "string", - "column_name": "Status", - "column_order": 4, - "example_values": [ - "success", - "failed" - ] - }, - { - "data_path": "action_result.message", + "data_path": "action_result.summary", "data_type": "string" }, { - "data_path": "action_result.summary", + "data_path": "action_result.message", "data_type": "string" }, { @@ -345,13 +345,14 @@ }, "output": [ { - "data_path": "action_result.parameter.malop_id", + "data_path": "action_result.status", "data_type": "string", - "contains": [ - "cybereason malop id" - ], - "column_name": "Malop ID", - "column_order": 0 + "column_name": "Status", + "column_order": 2, + "example_values": [ + "success", + "failed" + ] }, { "data_path": "action_result.parameter.comment", @@ -360,27 +361,26 @@ "column_order": 1 }, { - "data_path": "action_result.data", - "data_type": "string" - }, - { - "data_path": "action_result.status", + "data_path": "action_result.parameter.malop_id", "data_type": "string", - "column_name": "Status", - "column_order": 2, - "example_values": [ - "success", - "failed" - ] + "contains": [ + "cybereason malop id" + ], + "column_name": "Malop ID", + "column_order": 0 }, { - "data_path": "action_result.message", + "data_path": "action_result.data", "data_type": "string" }, { "data_path": "action_result.summary", "data_type": "string" }, + { + "data_path": "action_result.message", + "data_type": "string" + }, { "data_path": "summary.total_objects", "data_type": "numeric", @@ -438,6 +438,16 @@ } }, "output": [ + { + "data_path": "action_result.status", + "data_type": "string", + "column_name": "Status", + "column_order": 2, + "example_values": [ + "success", + "failed" + ] + }, { "data_path": "action_result.parameter.malop_id", "data_type": "string", 
@@ -461,21 +471,11 @@ "data_type": "string" }, { - "data_path": "action_result.status", - "data_type": "string", - "column_name": "Status", - "column_order": 2, - "example_values": [ - "success", - "failed" - ] - }, - { - "data_path": "action_result.message", + "data_path": "action_result.summary", "data_type": "string" }, { - "data_path": "action_result.summary", + "data_path": "action_result.message", "data_type": "string" }, { @@ -518,6 +518,16 @@ } }, "output": [ + { + "data_path": "action_result.status", + "data_type": "string", + "column_name": "Status", + "column_order": 1, + "example_values": [ + "success", + "failed" + ] + }, { "data_path": "action_result.parameter.malop_id", "data_type": "string", @@ -532,21 +542,11 @@ "data_type": "string" }, { - "data_path": "action_result.status", - "data_type": "string", - "column_name": "Status", - "column_order": 1, - "example_values": [ - "success", - "failed" - ] - }, - { - "data_path": "action_result.message", + "data_path": "action_result.summary", "data_type": "string" }, { - "data_path": "action_result.summary", + "data_path": "action_result.message", "data_type": "string" }, { @@ -589,6 +589,16 @@ } }, "output": [ + { + "data_path": "action_result.status", + "data_type": "string", + "column_name": "Status", + "column_order": 1, + "example_values": [ + "success", + "failed" + ] + }, { "data_path": "action_result.parameter.malop_id", "data_type": "string", @@ -603,21 +613,11 @@ "data_type": "string" }, { - "data_path": "action_result.status", - "data_type": "string", - "column_name": "Status", - "column_order": 1, - "example_values": [ - "success", - "failed" - ] - }, - { - "data_path": "action_result.message", + "data_path": "action_result.summary", "data_type": "string" }, { - "data_path": "action_result.summary", + "data_path": "action_result.message", "data_type": "string" }, { 
@@ -660,6 +660,16 @@ } }, "output": [ + { + "data_path": "action_result.status", + "data_type": "string", + "column_name": "Status", + "column_order": 1, + "example_values": [ + "success", + "failed" + ] + }, { "data_path": "action_result.parameter.machine_name_or_ip", "data_type": "string", @@ -674,21 +684,11 @@ "data_type": "string" }, { - "data_path": "action_result.status", - "data_type": "string", - "column_name": "Status", - "column_order": 1, - "example_values": [ - "success", - "failed" - ] - }, - { - "data_path": "action_result.message", + "data_path": "action_result.summary", "data_type": "string" }, { - "data_path": "action_result.summary", + "data_path": "action_result.message", "data_type": "string" }, { @@ -731,6 +731,16 @@ } }, "output": [ + { + "data_path": "action_result.status", + "data_type": "string", + "column_name": "Status", + "column_order": 1, + "example_values": [ + "success", + "failed" + ] + }, { "data_path": "action_result.parameter.machine_name_or_ip", "data_type": "string", @@ -745,21 +755,11 @@ "data_type": "string" }, { - "data_path": "action_result.status", - "data_type": "string", - "column_name": "Status", - "column_order": 1, - "example_values": [ - "success", - "failed" - ] - }, - { - "data_path": "action_result.message", + "data_path": "action_result.summary", "data_type": "string" }, { - "data_path": "action_result.summary", + "data_path": "action_result.message", "data_type": "string" }, { 
@@ -832,22 +832,14 @@ }, "output": [ { - "data_path": "action_result.parameter.malop_id", - "data_type": "string", - "contains": [ - "cybereason malop id" - ], - "column_name": "Malop ID", - "column_order": 0 - }, - { - "data_path": "action_result.parameter.remediation_user", + "data_path": "action_result.status", "data_type": "string", - "contains": [ - "cybereason user" - ], - "column_name": "Remediation User", - "column_order": 1 + "column_name": "Status", + "column_order": 6, + "example_values": [ + "success", + "failed" + ] }, { "data_path": "action_result.parameter.machine_id", @@ -858,6 +850,15 @@ "column_name": "Machine ID", "column_order": 2 }, + { + "data_path": "action_result.parameter.malop_id", + "data_type": "string", + "contains": [ + "cybereason malop id" + ], + "column_name": "Malop ID", + "column_order": 0 + }, { "data_path": "action_result.parameter.process_id", "data_type": "string", @@ -867,6 +868,15 @@ "column_name": "Process ID", "column_order": 3 }, + { + "data_path": "action_result.parameter.remediation_user", + "data_type": "string", + "contains": [ + "cybereason user" + ], + "column_name": "Remediation User", + "column_order": 1 + }, { "data_path": "action_result.data.*.remediation_id", "data_type": "string", @@ -886,21 +896,11 @@ "column_order": 5 }, { - "data_path": "action_result.status", - "data_type": "string", - "column_name": "Status", - "column_order": 6, - "example_values": [ - "success", - "failed" - ] - }, - { - "data_path": "action_result.message", + "data_path": "action_result.summary", "data_type": "string" }, { - "data_path": "action_result.summary", + "data_path": "action_result.message", "data_type": "string" }, { @@ -962,6 +962,16 @@ } }, "output": [ + { + "data_path": "action_result.status", + "data_type": "string", + "column_name": "Status", + "column_order": 5, + "example_values": [ + "success", + "failed" + ] + }, { "data_path": "action_result.parameter.malop_id", "data_type": "string", 
@@ -971,15 +981,6 @@ "column_name": "Malop ID", "column_order": 0 }, - { - "data_path": "action_result.parameter.remediation_user", - "data_type": "string", - "contains": [ - "cybereason user" - ], - "column_name": "Remediation User", - "column_order": 1 - }, { "data_path": "action_result.parameter.remediation_id", "data_type": "string", @@ -990,13 +991,13 @@ "column_order": 2 }, { - "data_path": "action_result.data.*.remediation_status", + "data_path": "action_result.parameter.remediation_user", "data_type": "string", "contains": [ - "cybereason remediation status" + "cybereason user" ], - "column_name": "Remediation Status", - "column_order": 3 + "column_name": "Remediation User", + "column_order": 1 }, { "data_path": "action_result.data.*.remediation_message", @@ -1005,21 +1006,20 @@ "column_order": 4 }, { - "data_path": "action_result.status", + "data_path": "action_result.data.*.remediation_status", "data_type": "string", - "column_name": "Status", - "column_order": 5, - "example_values": [ - "success", - "failed" - ] + "contains": [ + "cybereason remediation status" + ], + "column_name": "Remediation Status", + "column_order": 3 }, { - "data_path": "action_result.message", + "data_path": "action_result.summary", "data_type": "string" }, { - "data_path": "action_result.summary", + "data_path": "action_result.message", "data_type": "string" }, { @@ -1073,13 +1073,14 @@ }, "output": [ { - "data_path": "action_result.parameter.reputation_item_hash", + "data_path": "action_result.status", "data_type": "string", - "contains": [ - "hash" - ], - "column_name": "Reputation Item Hash", - "column_order": 0 + "column_name": "Status", + "column_order": 2, + "example_values": [ + "success", + "failed" + ] }, { "data_path": "action_result.parameter.custom_reputation", 
@@ -1088,27 +1089,26 @@ "column_order": 1 }, { - "data_path": "action_result.data", - "data_type": "string" - }, - { - "data_path": "action_result.status", + "data_path": "action_result.parameter.reputation_item_hash", "data_type": "string", - "column_name": "Status", - "column_order": 2, - "example_values": [ - "success", - "failed" - ] + "contains": [ + "hash" + ], + "column_name": "Reputation Item Hash", + "column_order": 0 }, { - "data_path": "action_result.message", + "data_path": "action_result.data", "data_type": "string" }, { "data_path": "action_result.summary", "data_type": "string" }, + { + "data_path": "action_result.message", + "data_type": "string" + }, { "data_path": "summary.total_objects", "data_type": "numeric", @@ -1148,6 +1148,16 @@ } }, "output": [ + { + "data_path": "action_result.status", + "data_type": "string", + "column_name": "Status", + "column_order": 1, + "example_values": [ + "success", + "failed" + ] + }, { "data_path": "action_result.parameter.malop_id", "data_type": "string", @@ -1157,24 +1167,6 @@ "column_name": "Malop ID", "column_order": 0 }, - { - "data_path": "action_result.data.*.process_id", - "data_type": "string", - "contains": [ - "cybereason process id" - ], - "column_name": "Process ID", - "column_order": 2 - }, - { - "data_path": "action_result.data.*.process_name", - "data_type": "string", - "contains": [ - "cybereason process name" - ], - "column_name": "Process Name", - "column_order": 3 - }, { "data_path": "action_result.data.*.owner_machine_id", "data_type": "string", 
@@ -1194,23 +1186,31 @@ "column_order": 5 }, { - "data_path": "action_result.status", + "data_path": "action_result.data.*.process_id", "data_type": "string", - "column_name": "Status", - "column_order": 1, - "example_values": [ - "success", - "failed" - ] + "contains": [ + "cybereason process id" + ], + "column_name": "Process ID", + "column_order": 2 }, { - "data_path": "action_result.message", - "data_type": "string" + "data_path": "action_result.data.*.process_name", + "data_type": "string", + "contains": [ + "cybereason process name" + ], + "column_name": "Process Name", + "column_order": 3 }, { "data_path": "action_result.summary", "data_type": "string" }, + { + "data_path": "action_result.message", + "data_type": "string" + }, { "data_path": "summary.total_objects", "data_type": "numeric", @@ -1246,12 +1246,28 @@ } }, "output": [ + { + "data_path": "action_result.status", + "data_type": "string", + "column_name": "Status", + "column_order": 6, + "example_values": [ + "success", + "failed" + ] + }, { "data_path": "action_result.parameter.name", "data_type": "string", "column_name": "Name", "column_order": 5 }, + { + "data_path": "action_result.data.*.is_connected_to_cybereason", + "data_type": "string", + "column_name": "Is Connected To Cybereason", + "column_order": 4 + }, { "data_path": "action_result.data.*.machine_id", "data_type": "string", @@ -1280,27 +1296,11 @@ "column_order": 3 }, { - "data_path": "action_result.data.*.is_connected_to_cybereason", - "data_type": "string", - "column_name": "Is Connected To Cybereason", - "column_order": 4 - }, - { - "data_path": "action_result.status", - "data_type": "string", - "column_name": "Status", - "column_order": 6, - "example_values": [ - "success", - "failed" - ] - }, - { - "data_path": "action_result.message", + "data_path": "action_result.summary", "data_type": "string" }, { - "data_path": "action_result.summary", + "data_path": "action_result.message", "data_type": "string" }, { 
@@ -1342,6 +1342,16 @@ } }, "output": [ + { + "data_path": "action_result.status", + "data_type": "string", + "column_name": "Status", + "column_order": 6, + "example_values": [ + "success", + "failed" + ] + }, { "data_path": "action_result.parameter.machine_ip", "data_type": "string", @@ -1351,6 +1361,12 @@ "column_name": "Machine IP", "column_order": 5 }, + { + "data_path": "action_result.data.*.is_connected_to_cybereason", + "data_type": "string", + "column_name": "Is Connected To Cybereason", + "column_order": 4 + }, { "data_path": "action_result.data.*.machine_id", "data_type": "string", @@ -1379,27 +1395,11 @@ "column_order": 3 }, { - "data_path": "action_result.data.*.is_connected_to_cybereason", - "data_type": "string", - "column_name": "Is Connected To Cybereason", - "column_order": 4 - }, - { - "data_path": "action_result.status", - "data_type": "string", - "column_name": "Status", - "column_order": 6, - "example_values": [ - "success", - "failed" - ] - }, - { - "data_path": "action_result.message", + "data_path": "action_result.summary", "data_type": "string" }, { - "data_path": "action_result.summary", + "data_path": "action_result.message", "data_type": "string" }, { @@ -1441,6 +1441,16 @@ } }, "output": [ + { + "data_path": "action_result.status", + "data_type": "string", + "column_name": "Status", + "column_order": 6, + "example_values": [ + "success", + "failed" + ] + }, { "data_path": "action_result.parameter.user", "data_type": "string", @@ -1450,12 +1460,6 @@ "column_name": "User", "column_order": 5 }, - { - "data_path": "action_result.data.*.element_name", - "data_type": "string", - "column_name": "Element Name", - "column_order": 0 - }, { "data_path": "action_result.data.*.domain", "data_type": "string", 
@@ -1466,16 +1470,16 @@ "column_order": 1 }, { - "data_path": "action_result.data.*.last_machine_logged_into", + "data_path": "action_result.data.*.element_name", "data_type": "string", - "column_name": "Last Machine Logged Into", - "column_order": 2 + "column_name": "Element Name", + "column_order": 0 }, { - "data_path": "action_result.data.*.organization", + "data_path": "action_result.data.*.last_machine_logged_into", "data_type": "string", - "column_name": "Organization", - "column_order": 3 + "column_name": "Last Machine Logged Into", + "column_order": 2 }, { "data_path": "action_result.data.*.local_system", @@ -1484,21 +1488,17 @@ "column_order": 4 }, { - "data_path": "action_result.status", + "data_path": "action_result.data.*.organization", "data_type": "string", - "column_name": "Status", - "column_order": 6, - "example_values": [ - "success", - "failed" - ] + "column_name": "Organization", + "column_order": 3 }, { - "data_path": "action_result.message", + "data_path": "action_result.summary", "data_type": "string" }, { - "data_path": "action_result.summary", + "data_path": "action_result.message", "data_type": "string" }, { @@ -1540,6 +1540,16 @@ } }, "output": [ + { + "data_path": "action_result.status", + "data_type": "string", + "column_name": "Status", + "column_order": 9, + "example_values": [ + "success", + "failed" + ] + }, { "data_path": "action_result.parameter.file_name", "data_type": "string", @@ -1549,24 +1559,6 @@ "column_name": "File Name", "column_order": 8 }, - { - "data_path": "action_result.data.*.element_name", - "data_type": "string", - "column_name": "Element Name", - "column_order": 0 - }, - { - "data_path": "action_result.data.*.suspicion_count", - "data_type": "string", - "column_name": "Suspicion Count", - "column_order": 1 - }, - { - "data_path": "action_result.data.*.signed", - "data_type": "string", - "column_name": "Signed", - "column_order": 2 - }, { "data_path": "action_result.data.*.SHA1_signature", "data_type": "string", 
@@ -1574,10 +1566,16 @@ "column_order": 3 }, { - "data_path": "action_result.data.*.size", + "data_path": "action_result.data.*.company_name", "data_type": "string", - "column_name": "Size", - "column_order": 4 + "column_name": "Company Name", + "column_order": 7 + }, + { + "data_path": "action_result.data.*.element_name", + "data_type": "string", + "column_name": "Element Name", + "column_order": 0 }, { "data_path": "action_result.data.*.path", @@ -1592,29 +1590,31 @@ "column_order": 6 }, { - "data_path": "action_result.data.*.company_name", + "data_path": "action_result.data.*.signed", "data_type": "string", - "column_name": "Company Name", - "column_order": 7 + "column_name": "Signed", + "column_order": 2 }, { - "data_path": "action_result.status", + "data_path": "action_result.data.*.size", "data_type": "string", - "column_name": "Status", - "column_order": 9, - "example_values": [ - "success", - "failed" - ] + "column_name": "Size", + "column_order": 4 }, { - "data_path": "action_result.message", - "data_type": "string" + "data_path": "action_result.data.*.suspicion_count", + "data_type": "string", + "column_name": "Suspicion Count", + "column_order": 1 }, { "data_path": "action_result.summary", "data_type": "string" }, + { + "data_path": "action_result.message", + "data_type": "string" + }, { "data_path": "summary.total_objects", "data_type": "numeric", @@ -1654,6 +1654,16 @@ } }, "output": [ + { + "data_path": "action_result.status", + "data_type": "string", + "column_name": "Status", + "column_order": 6, + "example_values": [ + "success", + "failed" + ] + }, { "data_path": "action_result.parameter.domain_name", "data_type": "string", 
@@ -1669,18 +1679,18 @@ "column_name": "Element Name", "column_order": 0 }, - { - "data_path": "action_result.data.*.malicious_classification_type", - "data_type": "string", - "column_name": "Malicious Classification Type", - "column_order": 1 - }, { "data_path": "action_result.data.*.is_internal_domain", "data_type": "string", "column_name": "Is Internal Domain", "column_order": 2 }, + { + "data_path": "action_result.data.*.malicious_classification_type", + "data_type": "string", + "column_name": "Malicious Classification Type", + "column_order": 1 + }, { "data_path": "action_result.data.*.was_ever_resolved", "data_type": "string", @@ -1694,21 +1704,11 @@ "column_order": 4 }, { - "data_path": "action_result.status", - "data_type": "string", - "column_name": "Status", - "column_order": 6, - "example_values": [ - "success", - "failed" - ] - }, - { - "data_path": "action_result.message", + "data_path": "action_result.summary", "data_type": "string" }, { - "data_path": "action_result.summary", + "data_path": "action_result.message", "data_type": "string" }, { @@ -1747,16 +1747,20 @@ }, "output": [ { - "data_path": "action_result.parameter.connection_name", + "data_path": "action_result.status", "data_type": "string", - "column_name": "Connection Name", - "column_order": 11 + "column_name": "Status", + "column_order": 12, + "example_values": [ + "success", + "failed" + ] }, { - "data_path": "action_result.data.*.element_name", + "data_path": "action_result.parameter.connection_name", "data_type": "string", - "column_name": "Element Name", - "column_order": 0 + "column_name": "Connection Name", + "column_order": 11 }, { "data_path": "action_result.data.*.direction", 
@@ -1765,16 +1769,28 @@ "column_order": 1 }, { - "data_path": "action_result.data.*.server_address", + "data_path": "action_result.data.*.dns_query", "data_type": "string", - "column_name": "Server Address", - "column_order": 2 + "column_name": "Dns Query", + "column_order": 10 }, { - "data_path": "action_result.data.*.server_port", + "data_path": "action_result.data.*.element_name", "data_type": "string", - "column_name": "Server Port", - "column_order": 3 + "column_name": "Element Name", + "column_order": 0 + }, + { + "data_path": "action_result.data.*.owner_machine", + "data_type": "string", + "column_name": "Owner Machine", + "column_order": 8 + }, + { + "data_path": "action_result.data.*.owner_process", + "data_type": "string", + "column_name": "Owner Process", + "column_order": 9 }, { "data_path": "action_result.data.*.port_type", @@ -1791,12 +1807,6 @@ "column_name": "Received Bytes", "column_order": 5 }, - { - "data_path": "action_result.data.*.transmitted_bytes", - "data_type": "string", - "column_name": "Transmitted Bytes", - "column_order": 6 - }, { "data_path": "action_result.data.*.remote_address", "data_type": "string", 
@@ -1804,39 +1814,29 @@ "column_order": 7 }, { - "data_path": "action_result.data.*.owner_machine", - "data_type": "string", - "column_name": "Owner Machine", - "column_order": 8 - }, - { - "data_path": "action_result.data.*.owner_process", + "data_path": "action_result.data.*.server_address", "data_type": "string", - "column_name": "Owner Process", - "column_order": 9 + "column_name": "Server Address", + "column_order": 2 }, { - "data_path": "action_result.data.*.dns_query", + "data_path": "action_result.data.*.server_port", "data_type": "string", - "column_name": "Dns Query", - "column_order": 10 + "column_name": "Server Port", + "column_order": 3 }, { - "data_path": "action_result.status", + "data_path": "action_result.data.*.transmitted_bytes", "data_type": "string", - "column_name": "Status", - "column_order": 12, - "example_values": [ - "success", - "failed" - ] + "column_name": "Transmitted Bytes", + "column_order": 6 }, { - "data_path": "action_result.message", + "data_path": "action_result.summary", "data_type": "string" }, { - "data_path": "action_result.summary", + "data_path": "action_result.message", "data_type": "string" }, { @@ -1879,6 +1879,16 @@ } }, "output": [ + { + "data_path": "action_result.status", + "data_type": "string", + "column_name": "Status", + "column_order": 2, + "example_values": [ + "success", + "failed" + ] + }, { "data_path": "action_result.parameter.pylumid", "data_type": "string", @@ -1895,14 +1905,10 @@ "column_order": 1 }, { - "data_path": "action_result.status", + "data_path": "action_result.summary", "data_type": "string", - "column_name": "Status", - "column_order": 2, - "example_values": [ - "success", - "failed" - ] + "column_name": "Summary", + "column_order": 3 }, { "data_path": "action_result.message", 
@@ -1910,12 +1916,6 @@ "column_name": "Message", "column_order": 4 }, - { - "data_path": "action_result.summary", - "data_type": "string", - "column_name": "Summary", - "column_order": 3 - }, { "data_path": "summary.total_objects", "data_type": "numeric", @@ -1956,6 +1956,16 @@ } }, "output": [ + { + "data_path": "action_result.status", + "data_type": "string", + "column_name": "Status", + "column_order": 2, + "example_values": [ + "success", + "failed" + ] + }, { "data_path": "action_result.parameter.pylumid", "data_type": "string", @@ -1972,14 +1982,10 @@ "column_order": 1 }, { - "data_path": "action_result.status", + "data_path": "action_result.summary", "data_type": "string", - "column_name": "Status", - "column_order": 2, - "example_values": [ - "success", - "failed" - ] + "column_name": "Summary", + "column_order": 3 }, { "data_path": "action_result.message", @@ -1987,12 +1993,6 @@ "column_name": "Message", "column_order": 4 }, - { - "data_path": "action_result.summary", - "data_type": "string", - "column_name": "Summary", - "column_order": 3 - }, { "data_path": "summary.total_objects", "data_type": "numeric", @@ -2022,7 +2022,7 @@ }, { "module": "certifi", - "input_file": "wheels/py3/certifi-2022.6.15-py3-none-any.whl" + "input_file": "wheels/py3/certifi-2022.9.24-py3-none-any.whl" }, { "module": "chardet", @@ -2042,7 +2042,7 @@ }, { "module": "urllib3", - "input_file": "wheels/shared/urllib3-1.26.11-py2.py3-none-any.whl" + "input_file": "wheels/shared/urllib3-1.26.13-py2.py3-none-any.whl" } ] } diff --git a/cybereason_connector.py b/cybereason_connector.py index 1097136..0e52d96 100644 --- a/cybereason_connector.py +++ b/cybereason_connector.py 
@@ -99,32 +99,32 @@ def _get_error_message_from_exception(self, e): :return: error message """ - error_code = ERR_CODE_MSG - error_msg = ERR_MSG_UNAVAILABLE + error_code = ERROR_CODE_MESSAGE + error_message = ERROR_MESSAGE_UNAVAILABLE try: if e.args: if len(e.args) > 1: error_code = e.args[0] - error_msg = e.args[1] + error_message = e.args[1] elif len(e.args) == 1: - error_msg = e.args[0] + error_message = e.args[0] except: pass - return "Error Code: {0}. Error Message: {1}".format(error_code, error_msg) + return "Error Code: {0}. Error Message: {1}".format(error_code, error_message) def _validate_integer(self, action_result, parameter, key): if parameter is not None: try: if not float(parameter).is_integer(): - return action_result.set_status(phantom.APP_ERROR, INVALID_INTEGER_ERR_MSG.format(key)), None + return action_result.set_status(phantom.APP_ERROR, INVALID_INTEGER_ERROR_MESSAGE.format(key)), None parameter = int(parameter) except: - return action_result.set_status(phantom.APP_ERROR, INVALID_INTEGER_ERR_MSG.format(key)), None + return action_result.set_status(phantom.APP_ERROR, INVALID_INTEGER_ERROR_MESSAGE.format(key)), None if parameter < 0: - return action_result.set_status(phantom.APP_ERROR, INVALID_NON_NEGATIVE_INTEGER_ERR_MSG.format(key)), None + return action_result.set_status(phantom.APP_ERROR, INVALID_NON_NEGATIVE_INTEGER_ERROR_MESSAGE.format(key)), None return phantom.APP_SUCCESS, parameter 
@@ -236,9 +236,9 @@ def _handle_delete_registry_key(self, param): "initiating_user": result["initiatingUser"] }) except Exception as e: - err = self._get_error_message_from_exception(e) - self.debug_print("Error occurred: {}".format(err)) - return action_result.set_status(phantom.APP_ERROR, "Error occurred. {}".format(err)) + error = self._get_error_message_from_exception(e) + self.debug_print("Error occurred: {}".format(error)) + return action_result.set_status(phantom.APP_ERROR, "Error occurred. {}".format(error)) return action_result.set_status(phantom.APP_SUCCESS) @@ -307,8 +307,8 @@ def _handle_get_sensor_status(self, param): "status": "Online" if machine_details["simpleValues"]["isConnected"]["values"][0] == "true" else "Offline" }) except Exception as e: - err = self._get_error_message_from_exception(e) - return action_result.set_status(phantom.APP_ERROR, "Error occurred. {}".format(err)) + error = self._get_error_message_from_exception(e) + return action_result.set_status(phantom.APP_ERROR, "Error occurred. {}".format(error)) return action_result.set_status(phantom.APP_SUCCESS) @@ -337,11 +337,11 @@ def _handle_add_malop_comment(self, param): self._process_response(res, action_result) return action_result.get_status() except requests.exceptions.ConnectionError: - err = "Error Details: Connection refused from the server" - return action_result.set_status(phantom.APP_ERROR, err) + error = "Error Details: Connection refused from the server" + return action_result.set_status(phantom.APP_ERROR, error) except Exception as e: - err = self._get_error_message_from_exception(e) - return action_result.set_status(phantom.APP_ERROR, "Error occurred. {}".format(err)) + error = self._get_error_message_from_exception(e) + return action_result.set_status(phantom.APP_ERROR, "Error occurred. {}".format(error)) return action_result.set_status(phantom.APP_SUCCESS, "Add malop comment action executed successfully") 
@@ -375,8 +375,8 @@ def _handle_update_malop_status(self, param): return action_result.get_status() except Exception as e: - err = self._get_error_message_from_exception(e) - return action_result.set_status(phantom.APP_ERROR, "Error occurred. {}".format(err)) + error = self._get_error_message_from_exception(e) + return action_result.set_status(phantom.APP_ERROR, "Error occurred. {}".format(error)) return action_result.set_status(phantom.APP_SUCCESS, "Update malop status action executed successfully") @@ -405,8 +405,8 @@ def _handle_isolate_machine(self, param): return action_result.get_status() except Exception as e: - err = self._get_error_message_from_exception(e) - return action_result.set_status(phantom.APP_ERROR, "Error occurred. {}".format(err)) + error = self._get_error_message_from_exception(e) + return action_result.set_status(phantom.APP_ERROR, "Error occurred. {}".format(error)) return action_result.set_status(phantom.APP_SUCCESS) @@ -435,8 +435,8 @@ def _handle_unisolate_machine(self, param): return action_result.get_status() except Exception as e: - err = self._get_error_message_from_exception(e) - return action_result.set_status(phantom.APP_ERROR, "Error occurred. {}".format(err)) + error = self._get_error_message_from_exception(e) + return action_result.set_status(phantom.APP_ERROR, "Error occurred. {}".format(error)) return action_result.set_status(phantom.APP_SUCCESS) @@ -477,8 +477,8 @@ def _handle_isolate_specific_machine(self, param): "response_from_server": res.json() }) except Exception as e: - err = self._get_error_message_from_exception(e) - return action_result.set_status(phantom.APP_ERROR, "Error occurred. {}".format(err)) + error = self._get_error_message_from_exception(e) + return action_result.set_status(phantom.APP_ERROR, "Error occurred. {}".format(error)) return action_result.set_status(phantom.APP_SUCCESS) 
@@ -517,8 +517,8 @@ def _handle_unisolate_specific_machine(self, param): "response_from_server": res.json() }) except Exception as e: - err = self._get_error_message_from_exception(e) - return action_result.set_status(phantom.APP_ERROR, "Error occurred. {}".format(err)) + error = self._get_error_message_from_exception(e) + return action_result.set_status(phantom.APP_ERROR, "Error occurred. {}".format(error)) return action_result.set_status(phantom.APP_SUCCESS) @@ -561,10 +561,10 @@ def _handle_kill_process(self, param): "remediation_status": result["statusLog"][0]["status"] }) except Exception as e: - err = self._get_error_message_from_exception(e) - self.debug_print(err) + error = self._get_error_message_from_exception(e) + self.debug_print(error) self.debug_print(traceback.format_exc()) - return action_result.set_status(phantom.APP_ERROR, "Error occurred. {}".format(err)) + return action_result.set_status(phantom.APP_ERROR, "Error occurred. {}".format(error)) return action_result.set_status(phantom.APP_SUCCESS) @@ -595,13 +595,13 @@ def _handle_get_remediation_status(self, param): "remediation_message": error_obj.get("message", "Unknown error") if error_obj is not None else "No error message" }) except requests.exceptions.ConnectionError: - err = "Error Details: Connection refused from the server" - return action_result.set_status(phantom.APP_ERROR, err) + error = "Error Details: Connection refused from the server" + return action_result.set_status(phantom.APP_ERROR, error) except Exception as e: - err = self._get_error_message_from_exception(e) - self.debug_print(err) + error = self._get_error_message_from_exception(e) + self.debug_print(error) self.debug_print(traceback.format_exc()) - return action_result.set_status(phantom.APP_ERROR, "Error occurred. {}".format(err)) + return action_result.set_status(phantom.APP_ERROR, "Error occurred. {}".format(error)) return action_result.set_status(phantom.APP_SUCCESS) 
@@ -638,8 +638,8 @@ def _handle_set_reputation(self, param): self.save_progress("{0}ed...".format(custom_reputation)) except Exception as e: - err = self._get_error_message_from_exception(e) - return action_result.set_status(phantom.APP_ERROR, "Error occurred. {}".format(err)) + error = self._get_error_message_from_exception(e) + return action_result.set_status(phantom.APP_ERROR, "Error occurred. {}".format(error)) return action_result.set_status(phantom.APP_SUCCESS, "Set reputation action executed successfully") @@ -699,9 +699,9 @@ def _get_malop_sensor_ids(self, malop_id, action_result): sensor_ids.append(str(machine_details['simpleValues']['pylumId']['values'][0])) except Exception as e: - err = self._get_error_message_from_exception(e) - self.save_progress(err) - return RetVal(action_result.set_status(phantom.APP_ERROR, "Error occurred. {}".format(err)), None) + error = self._get_error_message_from_exception(e) + self.save_progress(error) + return RetVal(action_result.set_status(phantom.APP_ERROR, "Error occurred. {}".format(error)), None) return RetVal(action_result.set_status(phantom.APP_SUCCESS), sensor_ids) @@ -720,9 +720,9 @@ def _get_machine_sensor_ids(self, machine_name_or_ip, action_result): "sensor_ids_by_machine_name": sensors_by_name }) except Exception as e: - err = self._get_error_message_from_exception(e) - self.save_progress(err) - return RetVal(action_result.set_status(phantom.APP_ERROR, "Error occurred. {}".format(err)), []) + error = self._get_error_message_from_exception(e) + self.save_progress(error) + return RetVal(action_result.set_status(phantom.APP_ERROR, "Error occurred. {}".format(error)), []) return RetVal(action_result.set_status(phantom.APP_SUCCESS), sensor_ids) 
@@ -757,9 +757,9 @@ def _get_pylumid_by_machine_name(self, machine_name, action_result): sensor_ids.append(sensor['pylumId']) except Exception as e: - err = self._get_error_message_from_exception(e) - self.save_progress(err) - return RetVal(action_result.set_status(phantom.APP_ERROR, "Error occurred. {}".format(err)), []) + error = self._get_error_message_from_exception(e) + self.save_progress(error) + return RetVal(action_result.set_status(phantom.APP_ERROR, "Error occurred. {}".format(error)), []) return RetVal(action_result.set_status(phantom.APP_SUCCESS), sensor_ids) @@ -795,9 +795,9 @@ def _get_pylumid_by_machine_ip(self, machine_ip, action_result): sensor_ids.append(sensor['pylumId']) except Exception as e: - err = self._get_error_message_from_exception(e) - self.save_progress(err) - return RetVal(action_result.set_status(phantom.APP_ERROR, "Error occurred. {}".format(err)), []) + error = self._get_error_message_from_exception(e) + self.save_progress(error) + return RetVal(action_result.set_status(phantom.APP_ERROR, "Error occurred. {}".format(error)), []) return RetVal(action_result.set_status(phantom.APP_SUCCESS), sensor_ids) @@ -850,8 +850,8 @@ def _handle_upgrade_sensor(self, param): action_result.add_data(json_res) except Exception as e: - err = self._get_error_message_from_exception(e) - return action_result.set_status(phantom.APP_ERROR, "Error occurred. {}".format(err)) + error = self._get_error_message_from_exception(e) + return action_result.set_status(phantom.APP_ERROR, "Error occurred. {}".format(error)) return action_result.set_status(phantom.APP_SUCCESS, "Successfully requested for sensor upgrade") 
@@ -905,8 +905,8 @@ def _handle_restart_sensor(self, param): action_result.add_data(json_res) except Exception as e: - err = self._get_error_message_from_exception(e) - return action_result.set_status(phantom.APP_ERROR, "Error occurred. {}".format(err)) + error = self._get_error_message_from_exception(e) + return action_result.set_status(phantom.APP_ERROR, "Error occurred. {}".format(error)) return action_result.set_status(phantom.APP_SUCCESS, "Successfully requested for sensor restart") @@ -942,9 +942,9 @@ def _get_machine_name_by_machine_ip(self, machine_ip, action_result): machine_names.append(str(sensor_details['machineName'])) except Exception as e: - err = self._get_error_message_from_exception(e) - self.save_progress(err) - return RetVal(action_result.set_status(phantom.APP_ERROR, "Error occurred. {}".format(err)), None) + error = self._get_error_message_from_exception(e) + self.save_progress(error) + return RetVal(action_result.set_status(phantom.APP_ERROR, "Error occurred. {}".format(error)), None) return RetVal(action_result.set_status(phantom.APP_SUCCESS), machine_names) diff --git a/cybereason_consts.py b/cybereason_consts.py index fcb827c..93ab44f 100644 --- a/cybereason_consts.py +++ b/cybereason_consts.py 
@@ -22,12 +22,12 @@ CUSTOM_REPUTATION_LIST = ["whitelist", "blacklist", "remove"] # Constants relating to '_get_error_message_from_exception' -ERR_CODE_MSG = "Error code unavailable" -ERR_MSG_UNAVAILABLE = "Error message unavailable. Please check the asset configuration and|or action parameters" +ERROR_CODE_MESSAGE = "Error code unavailable" +ERROR_MESSAGE_UNAVAILABLE = "Error message unavailable. Please check the asset configuration and|or action parameters" # Constants relating to '_validate_integer' -INVALID_INTEGER_ERR_MSG = "Please provide a valid integer value in the {}" -INVALID_NON_NEGATIVE_INTEGER_ERR_MSG = "Please provide a valid non-negative integer value in the {}" +INVALID_INTEGER_ERROR_MESSAGE = "Please provide a valid integer value in the {}" +INVALID_NON_NEGATIVE_INTEGER_ERROR_MESSAGE = "Please provide a valid non-negative integer value in the {}" MALOP_HISTORICAL_DAYS_KEY = "malop_historical_days asset configuration parameter" MALWARE_HISTORICAL_DAYS_KEY = "malware_historical_days asset configuration parameter" diff --git a/cybereason_poller.py b/cybereason_poller.py index aee243a..e2b04c1 100755 --- a/cybereason_poller.py +++ b/cybereason_poller.py @@ -80,7 +80,7 @@ def do_poll(self, connector, param): # When called as a scheduled poll, max_container count comes as 4294967295 which causes a Cybereason API error. container_count = min(int(param.get(phantom.APP_JSON_CONTAINER_COUNT)), 5000) success = success & self._fetch_and_ingest_malops( - connector, config, malop_start_time_microsec_timestamp, container_count) + connector, config, malop_start_time_microsec_timestamp, current_time.timestamp() * 1000, container_count) success = success & self._fetch_and_ingest_malwares( connector, config, malware_millisec_since_last_poll, container_count) except Exception as e: 
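Review bot: The end-of-window value added to the `_fetch_and_ingest_malops` call, `current_time.timestamp() * 1000`, is in milliseconds, while the start argument it is paired with is named `malop_start_time_microsec_timestamp`; if that name is accurate, the `startTime`/`endTime` pair that `_get_malops` posts to `/rest/detection/inbox` is in two different units and the window is off by a factor of 1000. Confirm which unit the inbox endpoint expects and derive both bounds the same way, e.g. `end_time_millisec = int(current_time.timestamp() * 1000)` with the start converted to match; `int()` also avoids sending a float timestamp in the JSON body. `do_poll` starts and ends outside this hunk, so where `current_time` is captured is not visible here.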
@@ -101,10 +101,10 @@ def do_poll(self, connector, param): "Error when polling for Malop and Malware. Please refer the logs for more details" ) - def _fetch_and_ingest_malops(self, connector, config, start_time_microsec_timestamp, container_count): + def _fetch_and_ingest_malops(self, connector, config, start_time_microsec_timestamp, end_time_microsec, container_count): # Fetch Malops success = True - malops_dict = self._get_malops(connector, start_time_microsec_timestamp, container_count) + malops_dict = self._get_malops(connector, start_time_microsec_timestamp, end_time_microsec, container_count) malop_ids = list(malops_dict.keys()) connector.save_progress("Fetched {number_of_malops} malops from Cybereason console", number_of_malops=len(malop_ids)) @@ -152,7 +152,7 @@ def _get_decision_feature_translation(self, connector, decision_feature): try: if not self.feature_translation: url = "{0}/rest/translate/features/all".format(connector._base_url) - self.feature_translation = self.cr_session.get(url).json() + self.feature_translation = self.cr_session.get(url, timeout=DEFAULT_REQUEST_TIMEOUT).json() # At this point we are guaranteed to have a feature translation (decision_feature_type, decision_feature_key) = self._get_decision_feature_details(decision_feature) feature_description = self.feature_translation[decision_feature_type][decision_feature_key]["translatedName"] @@ -194,7 +194,7 @@ def _get_sensor_details(self, connector, machine_name): iterCount = 0 try: while hasMoreSensors and iterCount < 100: - response = self.cr_session.post(url=url, json=query, headers=connector._headers) + response = self.cr_session.post(url=url, json=query, headers=connector._headers, timeout=DEFAULT_REQUEST_TIMEOUT) result = response.json() sensors = sensors + result["sensors"] hasMoreSensors = result["hasMoreResults"] 
@@ -242,7 +242,7 @@ def _get_process_details(self, connector, malop_id): } process_details = {} try: - res = self.cr_session.post(url=url, json=query, headers=connector._headers) + res = self.cr_session.post(url=url, json=query, headers=connector._headers, timeout=DEFAULT_REQUEST_TIMEOUT) process_details = res.json()["data"]["resultIdToElementDataMap"] except Exception as e: err = connector._get_error_message_from_exception(e) @@ -297,7 +297,7 @@ def _get_connection_details_for_malop(self, connector, malop_id): } connection_details = {} try: - res = self.cr_session.post(url=url, json=query, headers=connector._headers) + res = self.cr_session.post(url=url, json=query, headers=connector._headers, timeout=DEFAULT_REQUEST_TIMEOUT) connection_details = res.json()["data"]["resultIdToElementDataMap"] except Exception as e: err = connector._get_error_message_from_exception(e) @@ -346,7 +346,7 @@ def _get_user_details_for_malop(self, connector, malop_id): } user_details = {} try: - res = self.cr_session.post(url=url, json=query, headers=connector._headers) + res = self.cr_session.post(url=url, json=query, headers=connector._headers, timeout=DEFAULT_REQUEST_TIMEOUT) user_details = res.json()["data"]["resultIdToElementDataMap"] except Exception as e: err = connector._get_error_message_from_exception(e) 
@@ -459,52 +459,68 @@ def _get_artifact(self, connector, config, source_data_identifier, container_id) connector.debug_print("Exception when parsing artifact results: {0}".format(err)) return None - def _get_malops(self, connector, malop_timestamp, max_number_malops): + def _get_malops(self, connector, start_timestamp, end_timestamp, max_number_malops): malops_dict = {} - url = "{0}/rest/crimes/unified".format(connector._base_url) - query = { - "templateContext": "OVERVIEW", - "queryPath": [ - { - "requestedType": "MalopProcess", - "guidList": [], - "filters": [ - { - "values": [malop_timestamp], - "filterType": "GreaterThan", - "facetName": "malopLastUpdateTime" - } - ], - "result": True + url = f"{connector._base_url}/rest/detection/inbox" + query = {"startTime": start_timestamp, "endTime": end_timestamp} + malop_res = self.cr_session.post(url=url, json=query, headers=connector._headers) + malops = json.loads(malop_res.content) + connector.save_progress(f"Malops response: {len(malops['malops'])}") + + for malop in malops["malops"]: + connector.debug_print(f"Malop EDR: {malop['edr']}") + if malop['edr']: + url = "{0}/rest/crimes/unified".format(connector._base_url) + query = { + "templateContext": "OVERVIEW", + "queryPath": [{ + "requestedType": "MalopProcess", + "guidList": ["{}".format(malop['guid'])], + "result": True + }], + "totalResultLimit": max_number_malops, + "perGroupLimit": max_number_malops, + "perFeatureLimit": max_number_malops } - ], - "totalResultLimit": max_number_malops, - "perGroupLimit": max_number_malops, - "perFeatureLimit": max_number_malops - } - res = self.cr_session.post(url=url, json=query, headers=connector._headers) - malops_dict = res.json()["data"]["resultIdToElementDataMap"] + res = self.cr_session.post(url=url, json=query, headers=connector._headers, timeout=DEFAULT_REQUEST_TIMEOUT) + malops_dict[malop['guid']] = res.json()["data"]["resultIdToElementDataMap"][malop['guid']] + else: + malops_dict[malop['guid']] = malop + return 
malops_dict def _get_container_dict_for_malop(self, connector, config, malop_id, malop_data): connector.debug_print("Building container for malop {0}".format(malop_id)) # Build the container JSON container_json = {} - container_json["name"] = malop_data["elementValues"]["primaryRootCauseElements"]["elementValues"][0]["name"] container_json["data"] = malop_data - decision_feature = malop_data["simpleValues"]["decisionFeature"]["values"][0] - container_json["description"] = self._get_decision_feature_translation(connector, decision_feature) container_json["source_data_identifier"] = malop_id - container_json["label"] = config.get("ingest", {}).get("container_label") - status_map = self._get_status_map_malop() - container_json["status"] = status_map.get(malop_data["simpleValues"]["managementStatus"]["values"][0], "New") - severity_map = self._get_severity_map_malop(connector, config) - (_, decision_feature_key) = self._get_decision_feature_details(decision_feature) - container_json["start_time"] = self._phtimestamp_from_crtimestamp( - malop_data["simpleValues"]["malopStartTime"]["values"][0] - ) - container_json["severity"] = severity_map.get(decision_feature_key, "High") - container_json["artifacts"] = self._get_artifacts_for_malop(connector, malop_id, malop_data) + container_json["label"] = config.get("ingest", {}).get("container_label", "") + + if malop_data.get("elementValues", False): + container_json["name"] = malop_data["elementValues"]["primaryRootCauseElements"]["elementValues"][0]["name"] + container_json["artifacts"] = self._get_artifacts_for_malop(connector, malop_id, malop_data) + else: + container_json["name"] = malop_data.get("displayName", "") + container_json["artifacts"] = malop_data.get('machines', []) + container_json["artifacts"] = container_json["artifacts"] + malop_data.get('users', []) + + if malop_data.get("simpleValues", False): + decision_feature = malop_data["simpleValues"]["decisionFeature"]["values"][0] + container_json["description"] = 
self._get_decision_feature_translation(connector, decision_feature) + status_map = self._get_status_map_malop() + container_json["status"] = status_map.get(malop_data["simpleValues"]["managementStatus"]["values"][0], "New") + (_, decision_feature_key) = self._get_decision_feature_details(decision_feature) + severity_map = self._get_severity_map_malop(connector, config) + container_json["severity"] = severity_map.get(decision_feature_key, "High") + container_json["start_time"] = self._phtimestamp_from_crtimestamp( + malop_data["simpleValues"]["malopStartTime"]["values"][0] + ) + else: + container_json["description"] = "None" + container_json["status"] = malop_data['status'] + container_json["severity"] = malop_data['severity'] + container_json["start_time"] = self._phtimestamp_from_crtimestamp(malop_data['creationTime']) return container_json @@ -669,7 +685,7 @@ def _get_comments_artifacts(self, connector, malop_id): url = "{0}/rest/crimes/get-comments".format(connector._base_url) query = malop_id try: - res = self.cr_session.post(url=url, data=query, headers=connector._headers) + res = self.cr_session.post(url=url, data=query, headers=connector._headers, timeout=DEFAULT_REQUEST_TIMEOUT) comments = res.json() for comment in comments: cef = { @@ -696,7 +712,7 @@ def _get_link_to_cr_artifacts(self, connector, malop_id): artifacts = [] url = "{0}/#/malop/{1}".format(connector._base_url.rstrip("/"), malop_id) link_artifact = { - "source_data_identifier": hashlib.sha1(url.encode()).hexdigest(), # Just using the URL does not work for some reason + "source_data_identifier": hashlib.sha1(url.encode()).hexdigest(), # nosemgrep # Just using the URL does not work for some reason "name": url, "description": "Link to view the Malop in the Cybereason console", "type": "malop_link", 
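Review bot: The new inbox request in `_get_malops`, `malop_res = self.cr_session.post(url=url, json=query, headers=connector._headers)`, is the one call in this commit that still has no `timeout=`, so a stalled console can hang the scheduled poll indefinitely; add `timeout=DEFAULT_REQUEST_TIMEOUT` as the surrounding hunks do. The response is also consumed with no status check: `json.loads(malop_res.content)` followed by `malops['malops']` will surface an auth failure or HTML error page as a JSONDecodeError/KeyError rather than the real cause, so a `malop_res.raise_for_status()` (or an explicit check that `"malops"` is present) before the loop is warranted. In `_get_container_dict_for_malop` the EPP branch copies `malop_data['status']` and `malop_data['severity']` straight into the container, whereas the EDR branch translates through `_get_status_map_malop()` / `_get_severity_map_malop()`; unless the inbox API already returns the platform's container vocabulary, those values should go through the same maps. Note too that `max_number_malops` now only caps each per-malop detail query, not how many malops are read from the inbox, so `container_count` no longer bounds ingestion volume.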
@@ -800,7 +816,7 @@ def _get_affected_host_artifact_for_malware(self, connector, malware): } composite_uid = "{0} {1}".format(malware["guid"], malware["machineName"]) affected_machine_artifact = { - "source_data_identifier": hashlib.sha1(composite_uid.encode()).hexdigest(), + "source_data_identifier": hashlib.sha1(composite_uid.encode()).hexdigest(), # nosemgrep "name": malware["machineName"], "description": "Details of the machine affected by the Malop", "type": "machine", diff --git a/release_notes/2.3.0.md b/release_notes/2.3.0.md new file mode 100644 index 0000000..2283531 --- /dev/null +++ b/release_notes/2.3.0.md @@ -0,0 +1 @@ +* Added polling for EPP Malops along with EDR Malops \ No newline at end of file diff --git a/wheels/py3/certifi-2022.6.15-py3-none-any.whl b/wheels/py3/certifi-2022.6.15-py3-none-any.whl deleted file mode 100644 index 6e70631..0000000 Binary files a/wheels/py3/certifi-2022.6.15-py3-none-any.whl and /dev/null differ diff --git a/wheels/py3/certifi-2022.9.24-py3-none-any.whl b/wheels/py3/certifi-2022.9.24-py3-none-any.whl new file mode 100644 index 0000000..d32fe4f Binary files /dev/null and b/wheels/py3/certifi-2022.9.24-py3-none-any.whl differ diff --git a/wheels/shared/urllib3-1.26.11-py2.py3-none-any.whl b/wheels/shared/urllib3-1.26.13-py2.py3-none-any.whl similarity index 64% rename from wheels/shared/urllib3-1.26.11-py2.py3-none-any.whl rename to wheels/shared/urllib3-1.26.13-py2.py3-none-any.whl index 7c66bd9..887f782 100644 Binary files a/wheels/shared/urllib3-1.26.11-py2.py3-none-any.whl and b/wheels/shared/urllib3-1.26.13-py2.py3-none-any.whl differ
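Review bot: The bare `# nosemgrep` added on the `hashlib.sha1(...)` line silences every Semgrep rule for that line, not only the weak-hash finding, and leaves no record of why the finding is acceptable. Since SHA-1 is used here only to derive a stable `source_data_identifier` and not for integrity or authentication, scope the suppression to the specific rule and state the reason, e.g. `# nosemgrep: <weak-hash rule id> -- sha1 derives a stable artifact id, not a security hash`. The same applies to the identical suppression in `_get_link_to_cr_artifacts` in the preceding hunk. If the runtime is Python 3.9+, `hashlib.sha1(data, usedforsecurity=False)` documents the intent in code itself and may satisfy the linter without any suppression.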