
Commit 1f37ec5

authored
TruSTAR integration enhancements (#1772)
* Enhanced Trustar integration (#1706) * Enhanced trustar integration * Enhanced trustar integration * Enhanced trustar integration * Revert "Enhanced trustar integration" This reverts commit c7aa5c9. * Enhanced trustar integration * Incorporated review comments for trustar integration * Incorporated review comment - added priority level in entry context * Added priority level to software indicator & in output parameter * Priority level key error handled for trending and search indicators command * Added RN
1 parent bc6d077 commit 1f37ec5


1 file changed

+115
-47
lines changed


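--- a/Integrations/integration-TruSTAR.yml
+++ b/Integrations/integration-TruSTAR.yml
@@ -42,6 +42,9 @@ script:
 import json
 import trustar
 import os
+import collections
+from trustar.models.indicator import Indicator
+from trustar.models.page import Page
 
 if not demisto.params()['proxy']:
 del os.environ['HTTP_PROXY']
@@ -71,6 +74,7 @@ script:
 for indicator in ts_indicators:
 current_indicator = indicator.to_dict(remove_nones=True)
 indicator_type = current_indicator['indicatorType']
+priority_level = current_indicator.get('priorityLevel')
 value = current_indicator['value']
 if indicator_type == 'SOFTWARE':
 # Extracts the filename out of file path
@@ -79,33 +83,40 @@ script:
 else:
 file_name = value.split('/')[-1] # Handles file path with slash
 current_indicator['value'] = file_name
-file_context.append({
-'Name': file_name
-})
+context_dict = {'Name': file_name}
+if priority_level:
+context_dict.update({'priorityLevel': priority_level})
+file_context.append(context_dict)
 elif indicator_type in {'SHA256', 'SHA1', 'MD5'}:
-file_context.append({
-indicator_type: value
-})
+context_dict = {indicator_type: value}
+if priority_level:
+context_dict.update({'priorityLevel': priority_level})
+file_context.append(context_dict)
 elif indicator_type == 'URL':
-url_context.append({
-'Address': value
-})
+context_dict = {'Address': value}
+if priority_level:
+context_dict.update({'priorityLevel': priority_level})
+url_context.append(context_dict)
 elif indicator_type == 'IP':
-ip_context.append({
-'Address': value
-})
+context_dict = {'Address': value}
+if priority_level:
+context_dict.update({'priorityLevel': priority_level})
+ip_context.append(context_dict)
 elif indicator_type == 'EMAIL_ADDRESS':
-email_context.append({
-'Address': value
-})
+context_dict = {'Address': value}
+if priority_level:
+context_dict.update({'priorityLevel': priority_level})
+email_context.append(context_dict)
 elif indicator_type == 'REGISTRY_KEY':
-key_context.append({
-'Path': value
-})
+context_dict = {'Path': value}
+if priority_level:
+context_dict.update({'priorityLevel': priority_level})
+key_context.append(context_dict)
 elif indicator_type == 'CVE':
-cve_context.append({
-'ID': value
-})
+context_dict = {'ID': value}
+if priority_level:
+context_dict.update({'priorityLevel': priority_level})
+cve_context.append(context_dict)
 indicators.append(current_indicator)
 # Build Entry Context
 ec = {}
@@ -139,7 +150,24 @@ script:
 
 ''' FUNCTIONS '''
 def get_related_indicators(indicators, enclave_ids, page_size, page_number):
-response = ts.get_related_indicators_page(indicators, enclave_ids, page_size, page_number)
+# To display priority score
+items_list = []
+indicators_json = dict()
+related_indicator_response = ts.get_related_indicators_page(indicators, enclave_ids, page_size, page_number)
+for related_indicator in related_indicator_response:
+current_indicator = related_indicator.to_dict(remove_nones=True)
+search_indicator_response = ts.search_indicators_page(current_indicator['value'], enclave_ids, page_size,
+page_number)
+for found_indicator in search_indicator_response:
+current_found_indicator = found_indicator.to_dict(remove_nones=True)
+if current_indicator['value'] == current_found_indicator['value']:
+current_indicator['priorityLevel'] = current_found_indicator['priorityLevel']
+break
+if not current_indicator.get('priorityLevel'):
+current_indicator['priorityLevel'] = "NOT_FOUND"
+items_list.append(current_indicator)
+indicators_json.update({'items': items_list})
+response = Page.from_dict(indicators_json, content_type=Indicator)
 related_indicators, ec = translate_indicators(response)
 if related_indicators:
 title = 'TruSTAR indicators related to ' + indicators
@@ -198,16 +226,17 @@ script:
 title=title,
 body=report_body,
 enclave_ids=[enclave_ids] if enclave_ids else enclave_ids,
-is_enclave=True if distribution_type=='ENCLAVE' else False,
+is_enclave=True if distribution_type == 'ENCLAVE' else False,
 time_began=time_began,
 external_url=external_url
 )
 response = ts.submit_report(ts_report)
-report = {
-'reportTitle': title,
-'reportBody': report_body,
-'id': response.id
-}
+deep_link = '{server_url}/constellation/reports/{report_id}'.format(server_url=SERVER, report_id=response.id)
+report = collections.OrderedDict()
+report['id'] = response.id
+report['reportTitle'] = title
+report['reportDeepLink'] = '[{}]({})'.format(deep_link, deep_link)
+report['reportBody'] = report_body
 ec = {
 'TruSTAR.Report(val.id && val.id === obj.id)': report
 }
@@ -228,16 +257,17 @@ script:
 title=title,
 body=report_body,
 enclave_ids=[enclave_ids] if enclave_ids else enclave_ids,
-is_enclave=True if distribution_type=='ENCLAVE' else False,
+is_enclave=True if distribution_type == 'ENCLAVE' else False,
 time_began=time_began,
 external_url=external_url
 )
 response = ts.update_report(ts_report)
-report = {
-'reportTitle': title,
-'reportBody': report_body,
-'id': report_id
-}
+deep_link = '{server_url}/constellation/reports/{report_id}'.format(server_url=SERVER, report_id=report_id)
+report = collections.OrderedDict()
+report['id'] = report_id
+report['reportTitle'] = title
+report['reportDeepLink'] = '[{}]({})'.format(deep_link, deep_link)
+report['reportBody'] = report_body
 ec = {
 'TruSTAR.Report(val.id && val.id === obj.id)': report
 }
@@ -254,12 +284,22 @@ script:
 
 def get_report_details(report_id, id_type):
 response = ts.get_report_details(report_id, id_type)
-report_details = response.to_dict(remove_nones=True)
-if report_details['enclaveIds']:
-report_details['enclaveIds'] = ', '.join(report_details['enclaveIds']) # Prettify list of enclave IDs
-report_details['updated'] = normalize_time(report_details['updated'])
-report_details['created'] = normalize_time(report_details['created'])
-report_details['timeBegan'] = normalize_time(report_details['timeBegan'])
+current_report_dict = response.to_dict(remove_nones=True)
+report_details = collections.OrderedDict()
+report_details['id'] = current_report_dict['id']
+report_details['title'] = current_report_dict['title']
+deep_link = '{server_url}/constellation/reports/{report_id}'.format(server_url=SERVER,
+report_id=current_report_dict['id'])
+report_details['reportDeepLink'] = '[{}]({})'.format(deep_link, deep_link)
+if current_report_dict['enclaveIds']:
+report_details['enclaveIds'] = ', '.join(current_report_dict['enclaveIds']) # Prettify list of enclave IDs
+report_details['updated'] = normalize_time(current_report_dict['updated'])
+report_details['created'] = normalize_time(current_report_dict['created'])
+report_details['timeBegan'] = normalize_time(current_report_dict['timeBegan'])
+report_details['distributionType'] = current_report_dict['distributionType']
+if current_report_dict.get('externalUrl'):
+report_details['externalUrl'] = current_report_dict['externalUrl']
+report_details['reportBody'] = current_report_dict['reportBody']
 report_context = {
 'reportTitle': report_details['title'],
 'reportBody': report_details['reportBody'],
@@ -284,19 +324,28 @@ script:
 return 'Report ' + report_id + ' was successfully deleted'
 
 def get_reports(from_time, to_time, enclave_ids, distribution_type, tags, excluded_tags):
-is_encalve = True if distribution_type=='ENCLAVE' else False
+is_encalve = True if distribution_type == 'ENCLAVE' else False
 from_time = date_to_unix(from_time) if from_time else from_time
 to_time = date_to_unix(to_time) if to_time else to_time
 response = ts.get_reports(is_encalve, enclave_ids, tags, excluded_tags, from_time, to_time)
 reports = []
 reports_context = []
 for report in response:
-current_report = report.to_dict(remove_nones=True)
-if current_report['enclaveIds']:
-current_report['enclaveIds'] = ', '.join(current_report['enclaveIds']) # Prettify list of enclave IDs
-current_report['updated'] = normalize_time(current_report['updated'])
-current_report['created'] = normalize_time(current_report['created'])
-current_report['timeBegan'] = normalize_time(current_report['timeBegan'])
+current_report_dict = report.to_dict(remove_nones=True)
+current_report = collections.OrderedDict()
+current_report['id'] = current_report_dict['id']
+current_report['title'] = current_report_dict['title']
+deep_link = '{server_url}/constellation/reports/{report_id}'.format(server_url=SERVER, report_id=current_report_dict['id'])
+current_report['reportDeepLink'] = '[{}]({})'.format(deep_link, deep_link)
+if current_report_dict['enclaveIds']:
+current_report['enclaveIds'] = ', '.join(current_report_dict['enclaveIds']) # Prettify list of enclave IDs
+current_report['updated'] = normalize_time(current_report_dict['updated'])
+current_report['created'] = normalize_time(current_report_dict['created'])
+current_report['timeBegan'] = normalize_time(current_report_dict['timeBegan'])
+current_report['distributionType'] = current_report_dict['distributionType']
+if current_report_dict.get('externalUrl'):
+current_report['externalUrl'] = current_report_dict['externalUrl']
+current_report['reportBody'] = current_report_dict['reportBody']
 reports.append(current_report)
 reports_context.append({
 'reportTitle': current_report['title'],
@@ -515,21 +564,39 @@ script:
 - contextPath: File.SHA256
 description: File SHA256
 type: string
+- contextPath: File.priorityLevel
+description: File priority level
+type: string
 - contextPath: URL.Address
 description: URL address
 type: string
+- contextPath: URL.priorityLevel
+description: URL priority level
+type: string
 - contextPath: IP.Address
 description: IP address
 type: string
+- contextPath: IP.priorityLevel
+description: IP priority level
+type: string
 - contextPath: Account.Email.Address
 description: Email address
 type: string
+- contextPath: Account.Email.priorityLevel
+description: Email priority level
+type: string
 - contextPath: RegistryKey.Path
 description: Registry key path
 type: string
+- contextPath: RegistryKey.priorityLevel
+description: Registry key priority level
+type: string
 - contextPath: CVE.ID
 description: CVE ID
 type: string
+- contextPath: CVE.priorityLevel
+description: CVE priority level
+type: string
 description: Search all TruSTAR incident reports for provided indicators and return
 all correlated indicators from search results. Two indicators are considered
 “correlated” if they can be found in a common report.
@@ -844,3 +911,4 @@ script:
 description: Returns the list of all enclaves that the user has access to, as
 well as whether they can read, create, and update reports in that enclave.
 dockerimage: demisto/trustar
+releaseNotes: "Added priority level and deep links to related-indicators command"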
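Review bot: In the new `get_related_indicators` body (hunk `@@ -139,7 +150,24 @@`), `current_found_indicator['priorityLevel']` is a plain subscript although every other read of that key in this commit uses `.get('priorityLevel')`; since `to_dict(remove_nones=True)` drops keys whose value is None, a matching search hit with no priority raises `KeyError` and the whole command fails instead of falling through to the `"NOT_FOUND"` default two lines below. The one-line fix is `current_indicator['priorityLevel'] = current_found_indicator.get('priorityLevel')`, which lets the existing `if not current_indicator.get('priorityLevel')` guard handle the missing case. Separately, the loop issues one `search_indicators_page` call per related indicator using the caller's `page_size`/`page_number`, so the matching indicator may simply not be on that page and will be reported as `"NOT_FOUND"` even when it exists; a comment such as `# NOTE: one search call per related indicator; a miss on this page is reported as NOT_FOUND` would make that limitation explicit for operators reading the output. The function's return path continues past the hunk.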
