@@ -268,150 +268,13 @@ script:
268268 'threat-grid-get-specific-feed': 'feeds/%feed-name%-%feed-period%.%output-type%',
269269 };
270270
271- var SHORTCUT_DATA = "[InternetShortcut]\nURL=";
272-
273- function calcScore(tg_score) {
274- if (tg_score >= 95) {
275- return 3;
276- };
277- if (tg_score >= 75) {
278- return 2;
279- }
280- return 1;
281- }
282-
283- function get_sample_state(id) {
284- var rawResponse = sendRequest(
285- 'GET',
286- 'samples/' + id + '/state',
287- args,
288- null
289- );
290- return rawResponse.data.state;
291- }
292-
293- function wait_for_report(id, delay, timeout) {
294- var time = 0;
295- var done = false;
296- do {
297- var state = get_sample_state(id);
298- if (state == 'fail')
299- throw "Threat Grid failed to process the sample (sample state: fail).";
300- done = state == 'succ';
301- if (done)
302- break;
303- wait(delay);
304- time += delay;
305- } while (!done && time < timeout);
306- if (!done) {
307- throw "Timeout while waiting for report. Sample ID: " + id;
308- }
309- }
310-
311- function get_report(id, type) { //Complete
312- if (type.lower() == 'html') {
313- rawResponse = sendRequest(
314- 'GET',
315- 'samples/' + id + '/report.html',
316- args,
317- id + '-report.html'
318- );
319- var fileId = rawResponse.FileID;
320- return ({Type: 3, FileID: fileId, File: 'ThreatGridReport.html', Contents: 'ThreatGridReport.html'});
321- }
322- rawResponse = sendRequest(
323- 'GET',
324- 'samples/' + id + '/analysis.json',
325- args,
326- null
327- );
328- return {
329- Type: entryTypes.note,
330- ContentsFormat: formats.json,
331- Contents: rawResponse,
332- ReadableContentsFormat: formats.markdown,
333- HumanReadable: createHR(command, returnObject),
334- EntryContext: (contextData && returnObject && ec) ? ec : undefined
335- };
336- }
337-
338- function get_threat_summary(id) {
339- var contextData = {
340- ContextPath: 'ThreatGrid.Sample(val.ID == obj.ID)',
341- ContentPath: 'data',
342- };
343- var ec = {};
344- var returnObject = mapObjFunction([
345- {to: 'MaxConfidence', from: 'max-confidence'},
346- {to: 'MaxSeverity', from: 'max-severity'},
347- {to: 'Score', from: 'score'},
348- {to: 'Count', from: 'count'},
349- {to: 'ID', from: 'sample'},
350- ])(dq(rawResponse, contextData.ContentPath));
351- ec[contextData.ContextPath] = returnObject;
352- returnObject.ID = id;
353- ec['DBotScore'] = {
354- 'Indicator': returnObject.ID,
355- 'Score': calcScore(returnObject.Score),
356- 'Type': 'Sample ID',
357- 'Vendor': 'ThreatGrid'
358- };
359- return {
360- Type: entryTypes.note,
361- ContentsFormat: formats.table,
362- Contents: [
363- {'key': 'Sample ID', 'value': rawResponse.data.sample},
364- {'key': 'Threat Grid Score', 'value': returnObject.Score},
365- {'key': 'DBot Score', 'value': calcScore(returnObject.Score)}
366- ],
367- EntryContext: ec
368- }
369- }
370-
371-
372271 var rawResponse;
373272 var id = args.id;
374273 switch (command) {
375274 case 'test-module':
376275 args.limit = 1;
377276 sendRequest(methodDictionary['test-module'], urlDict['test-module'], args);
378277 return 'ok';
379-
380- case 'threat-grid-url-to-file':
381- var url = args['url'];
382- delete(args['url']);
383- return { Type: 3, FileID: saveFile(SHORTCUT_DATA + url), File: 'url_as_file', Contents: 'url_as_file' };
384-
385- case 'threat-grid-detonate-file':
386- args['api_key'] = params.token;
387- var entryId = args['file-entry-id'];
388- delete(args['file-entry-id']);
389- var res = httpMultipart(
390- url + 'samples',
391- entryId,
392- {
393- Method: 'POST',
394- },
395- args,
396- params.insecure,
397- params.proxy,
398- undefined,
399- 'sample',
400- args.filename
401- );
402- if (res.StatusCode == 503) {
403- throw 'Sample upload failed: File was already uploaded.';
404- }
405- if (res.StatusCode < 200 || res.StatusCode >= 300) {
406- throw 'Sample upload failed, request status code: ' + res.StatusCode + ' and Body: ' + res.Body + '.';
407- }
408- rawResponse = JSON.parse(res.Body);
409- sampleId = rawResponse.data.id;
410- wait_for_report(sampleId, parseInt(args.delay), parseInt(args.timeout));
411- var type = args['report-file-type'];
412- delete(args['report-file-type']);
413- return get_threat_summary(sampleId, type);
414-
415278 case 'threat-grid-upload-sample':
416279 args['api_key'] = params.token;
417280 var fileId = args['file-id'];
@@ -467,30 +330,12 @@ script:
467330 if (returnObject && !returnObject.ID) {
468331 returnObject.ID = id;
469332 }
470- if (command === 'threat-grid-get-threat-summary-by-id') {
471- if ( returnObject.Score >= TERSHOLD) {
472- var md5 = dq(invContext, "ThreatGrid.Sample(val=val.ID=='" + returnObject.ID + "').MD5");
473- addMalicious(ec, outputPaths.file, {
474- MD5: Array.isArray(md5) ? md5[0] : md5,
475- Malicious: {Vendor: 'ThreatGrid', Description: 'Sample has score of ' + returnObject.Score + ' which is higher than treshold (80)'}
476- });
477- }
478- ec['DBotScore'] = {
479- 'Indicator': returnObject.ID,
480- 'Score': calcScore(returnObject.Score),
481- 'Type': 'Sample ID',
482- 'Vendor': 'ThreatGrid'
483- };
484- return {
485- Type: entryTypes.note,
486- ContentsFormat: formats.table,
487- Contents: [
488- {'key': 'Sample ID', 'value': rawResponse.data.sample},
489- {'key': 'Threat Grid Score', 'value': returnObject.Score},
490- {'key': 'DBot Score', 'value': calcScore(returnObject.Score)}
491- ],
492- EntryContext: ec
493- }
333+ if (command === 'threat-grid-get-threat-summary-by-id' && returnObject.Score >= TERSHOLD) {
334+ var md5 = dq(invContext, "ThreatGrid.Sample(val=val.ID=='" + returnObject.ID + "').MD5");
335+ addMalicious(ec, outputPaths.file, {
336+ MD5: Array.isArray(md5) ? md5[0] : md5,
337+ Malicious: {Vendor: 'ThreatGrid', Description: 'Sample has score of ' + returnObject.Score + ' which is higher than treshold (80)'}
338+ });
494339 }
495340
496341 return {
@@ -940,31 +785,18 @@ script:
940785 outputs :
941786 - contextPath : ThreatGrid.Sample.ID
942787 description : The sample id
943- type : string
944788 - contextPath : ThreatGrid.Sample.MaxSeverity
945789 description : The sample max severity
946- type : number
947790 - contextPath : ThreatGrid.Sample.Score
948791 description : The sample score
949- type : number
950792 - contextPath : ThreatGrid.Sample.Count
951793 description : The sample count
952- type : number
953794 - contextPath : ThreatGrid.Sample.MaxConfidence
954795 description : The sample max confidence
955- type : number
956- - contextPath : DBotScore.Indicator
957- description : The indicator value
958- type : string
959- - contextPath : DBotScore.Score
960- description : The indicator's score
961- type : number
962- - contextPath : DBotScore.Vendor
963- description : The indicator's vendor
964- type : string
965- - contextPath : DBotScore.Type
966- description : The indicator's type
967- type : string
796+ - contextPath : File.Malicious.Vendor
797+ description : For malicious files, the vendor that made the decision
798+ - contextPath : File.Malicious.Description
799+ description : For malicious files, the reason for the vendor to make the decision
968800 description : Returns a summary of the threats detected during analysis
969801 - name : threat-grid-get-html-report-by-id
970802 arguments :
@@ -1099,61 +931,4 @@ script:
1099931 description : The output type
1100932 defaultValue : json
1101933 description : Gets a specific threat feed
1102- - name : threat-grid-detonate-file
1103- arguments :
1104- - name : file-entry-id
1105- required : true
1106- default : true
1107- description : Entry ID of the uploaded file (e.g. the message in the war room
1108- with the uploaded file's details).
1109- - name : delay
1110- description : Time to wait between status checks (in seconds)
1111- defaultValue : " 20"
1112- - name : timeout
1113- description : Total wait time (in seconds)
1114- defaultValue : " 660"
1115- - name : report-file-type
1116- auto : PREDEFINED
1117- predefined :
1118- - html
1119- - json
1120- description : File type of report to return
1121- defaultValue : html
1122- outputs :
1123- - contextPath : ThreatGrid.Sample.ID
1124- description : The sample id
1125- type : string
1126- - contextPath : ThreatGrid.Sample.MaxSeverity
1127- description : The sample max severity
1128- type : number
1129- - contextPath : ThreatGrid.Sample.Score
1130- description : The sample score
1131- type : number
1132- - contextPath : ThreatGrid.Sample.Count
1133- description : The sample count
1134- type : number
1135- - contextPath : ThreatGrid.Sample.MaxConfidence
1136- description : The sample max confidence
1137- type : number
1138- - contextPath : DBotScore.Indicator
1139- description : The indicator value
1140- type : string
1141- - contextPath : DBotScore.Score
1142- description : The indicator's score
1143- type : number
1144- - contextPath : DBotScore.Vendor
1145- description : The indicator's vendor
1146- type : string
1147- - contextPath : DBotScore.Type
1148- description : The indicator's type
1149- type : string
1150- description : Detonates URL address through Threat Grid
1151- - name : threat-grid-url-to-file
1152- arguments :
1153- - name : url
1154- required : true
1155- default : true
1156- description : The URL to convert.
1157- description : Convert a URL into a file for Threat Grid file detonation.
1158- runonce : false
1159- releaseNotes : " Added threat-grid-detonate-file and threat-grid-url-to-file commands."
934+ releaseNotes : " -"
0 commit comments