diff --git a/Packs/CommonScripts/Scripts/IsIntegrationAvailable/README.md b/Packs/CommonScripts/Scripts/IsIntegrationAvailable/README.md index ee132bb08d24..3a6a70787f22 100644 --- a/Packs/CommonScripts/Scripts/IsIntegrationAvailable/README.md +++ b/Packs/CommonScripts/Scripts/IsIntegrationAvailable/README.md @@ -59,7 +59,7 @@ MITRE ATT&CK CoA - T1135 - Network Share Discovery MITRE ATT&CK CoA - T1083 - File and Directory Discovery Cyren Inbox Security Default Get User Devices by Email Address - Generic -FireEye ETP - Indicators Hunting +Trellix Email Security Cloud - Indicators Hunting FireEye HX - Isolate Endpoint MITRE ATT&CK CoA - T1133 - External Remote Services FireEye HX - Execution Flow Indicators Hunting diff --git a/Packs/CommonScripts/Scripts/ProvidesCommand/TestData/integration_search.json b/Packs/CommonScripts/Scripts/ProvidesCommand/TestData/integration_search.json index c3a44b1fcef1..faa966122dcd 100644 --- a/Packs/CommonScripts/Scripts/ProvidesCommand/TestData/integration_search.json +++ b/Packs/CommonScripts/Scripts/ProvidesCommand/TestData/integration_search.json @@ -1 +1 @@ -[{"ModuleName": "Demisto REST API_instance_1", "Brand": "Demisto REST API", "Category": "Utilities", "ID": "", "Version": 0, "Type": 1, "Contents": {"response": {"configurations": [{"brand": "", "canGetSamples": true, "category": "Data Enrichment & Threat Intelligence", "commitMessage": "", "configuration": [{"defaultValue": "https://api.abuseipdb.com/api/v2/", "display": "AbuseIP server URL", "hidden": false, "name": "server", "options": null, "required": true, "type": 0}, {"defaultValue": "", "display": "API Key (v2)", "hidden": false, "name": "apikey", "options": null, "required": true, "type": 4}, {"defaultValue": "80", "display": "Minimum score threshold", "hidden": false, "name": "threshold", "options": null, "required": false, "type": 0}, {"defaultValue": "30", "display": "Maximum reports age (in days)", "hidden": false, "name": "days", "options": null, "required": false, "type": 0}, {"defaultValue": "", "display": "Disregard quota errors", "hidden": false, "name": "disregard_quota", "options": null, "required": false, "type": 8}, {"defaultValue": "", "display": "Trust any certificate (not secure)", "hidden": false, "name": "insecure", "options": null, "required": false, "type": 8}, {"defaultValue": "", "display": "Use system proxy settings", "hidden": false, "name": "proxy", "options": null, "required": false, "type": 8}], "description": "Central repository to report and identify IP addresses that have been associated with malicious activity online. Check the Detailed Information section for more information on how to configure the integration.", "detailedDescription": "- Minimum score threshold \n- Minimum score from AbuseIPDB for the IP to be considered malicious. (Must be above 20). \n \n \n - Searching an entire subnet far back in time (e.g. Days=365) will likely cause a server timeout,\n and you will receive a 500 Internal Server Error response from AbuseIPDB server.\n \n \n \n - [Report Categories](https://www.abuseipdb.com/categories).\n", "display": "AbuseIPDB", "hidden": false, "icon": "", "id": "AbuseIPDB", "image": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAHgAAAAyCAYAAACXpx/YAAAAAXNSR0IArs4c6QAAEoFJREFUeAHtWgt0VEWa/qtu3dvdSYCk84IkgIjIAh5eQUH0jALrg2HGOS4bBF3n6I7oeHZcHzO+1l1tx6OIoKPozM7oqqzOKg+dZXytjq6CQkRARB2XBEwC5B3yoEO6O337VtV+1UmHEHHOzp6zI2f21knl1q13ff+7bhP5yUfAR8BHwEfAR8BHwEfAR8BHwEfAR8BHwEfAR8BHwEfAR8BHwEfAR8BH4P8WAfbHTF9HlBu26fSgorEOp1BmrGQkexS19Xi0t5KoeQmRzLT5z5MfAXY4QKdHBd2TtGmPsimhbdJDM+plSlBDwqZnWwQt2EWUdfIf7c9/h39QgvcTFY60aVmA6O9sotMNHEpTLyS2ySOqR/koqhy0jRSMxnKiEf19OnoZvZxM0eNhot+bOj+dZAi0BWhCwqJfSpuOGmn1bDrYY9NjzUTnf0aUp4kGmAOqO9jk0KSoTTdCyrdjjAuJ1q6grZD8iyJEoL2fThoEjEoGodaCSEkQK4nyui6iaYM2aKGcj2ykeiIyBLWP4IeyqKRH0J2eQ3WGMVI27YhZtCjTjqefvkkEWoiK4oJWg7AxQyAQOdUp6K1/sugasqzlnPPHsL93kQ8h9yAnkGuRf4Y8GZlgf+0jDi0BY3yaJjLGdwiaa9r89A0iALXLoYavch2q9QQlkoI6oJpjRt2+bpGezZm2LEsHAgGdnZ2ts7KyVCgU0sFgUOOpUP8Gtj/bHCFCJHocugISXGU0QS/UO7ig2LT56U+HgBi8VL1DkwsUfQeV41JEm5o1PRXQdHEup+ULOQUtpfW9UtKHUlEqlSLbtskQ2xAZhGfRaPSCZDLZgDlbIkQHr3Dp1TJBp3FGt8AIzy+06AMEUC8NXtOUIxHin4hwaY5NpYrrOPNU/Qt3RmEVjqWKB0YWBkKJ0VrzVKxb12+KHDlyrPWbKVVsICtUm1eaZKyEW+xIz7DAoeHNvcLNoTLLo1ymCDKDBC+UMe4yqVrdRGfbxgi5pnrZ6pICnYqPJsZD6b7oxzHG1TqWHdD1a28+dkazllMXHqVtVqJ7tTGRfQljLM2TcZuarcr2to0bjw9RB5yfDeg3XNNcVMyRmlpcRm8vk/TetzU1/kKSa9C8kBO7D1OfwzQppTSIqbu7u6m1tZU1NTXpWAzWlugi5AuQrQlE3ZjnLcWoEg0TLUbnVBMVoO24tDeraFxWgN2nLFbJyHrTY+Jyc6DBnQRPXaTJXs+4eNIJ8rSWGNz+TZSH1RVkuYz/EMTdAv5eEYzGT1dBa6rN2WNc8G1k4zwBZMZwPaA/wvl22dn5qy57oCAdkZByL+C2tS7d10E/ziq1xT600S/pWR8sW114w6UPDDO+DgUPFgcl5z/QHswj5uWYlwc4xvBKCMWOgKd32LMK7ql4JL90MBYDBJ6UTQVghqk2o5G4pdgTI9r9Ieb9RFHhCkVZa1DZgZELDJEx6jzOGHG8cK5xgD5OxSnQZTTyPOTxyNSQot97ij5C0QXFJuUKAt2PT5huOly0ckyJifQoi7M5/MCIU47vlZ487blrfcyDH9rnT/3+tXthWmpFB7SntypJ25WiFhyuEKK8nAt99VU/y81FO+s/SQJyV608/YHy6GOpeBTQngFo73aEs7wiUpiTPtex/i3Soy2eq1/Tnnob5TpoySJoih8Kl1228AYKZHAYUNHDXCoFycaARGAi2vtWiurRyThG5e2Qxsc1U1JqdoNFbB62NRw2+MnSUvYOxL2pvl73JoyvNZBmoDQded8UOGJxTlXo1mDmz1JYgwi805euiuTmJknO0oqNhwXoJQtU5jSDeZaZoybTzzxBXeyOpCW4VbE6PBmcXgKmaayPdtRtjlCv6VPxYN4IO+DkC+0leXdHx1rUVzxSFgpRIqyl5xyNsa6Mer98xZg8ZsdO00oVpiTvtaVT0+Q1N2IuhPl96dpfldvRaP0Yrr1TpbaSAStR9fytPW2Zdpwpw9yZKtDQFFlMa/2r/XmdD++6lrylK4umklB3gYUXc8GmxHrFeAG/BoQxQWSDp9lP193a8YLRXGJ/3hTNrdsZ10uEYN+WIbUTnbajH4QJJca3JaV378Y7uz43K122Ku8Mpfk9JPVitE/IGV2YR3QY/rKZuj+FNIXBYWGuqet1RXnXED2IpueRz0PWHWDVJwDvo5J0GxYpT8TYVXU1dFpdLQ0hrpHo8bDJuLGkM5FFUlErnq2YOx8rFhtzgPd06h3mTLZsKrcsxNuMXgJem4HYaVANsy9fMQIbHZQULlqUHoN/9zuMbQUvvI2DfVCSXXD/0hW5p0QixM26THnvaeJPJkJhw2TkpFLTwPxPast+LxjkFQbEJQ+GL9JW/GUw01YrYL3uBNh/UjBVWRIquHPZ/dlpZ/CKleGynuiBuy2utlkB/jsnoDd7LPDuspXhq78bKckatLMTFjUnNaw5TRQ9olfsh4RWQ/mkcL4Qs2Rw8KC0NKNi4xKSL97V9RlkaRM4uhqwnw64J/ZmKYbyADNxMEdmPCebg1GgTlkvKjuSsOGZNpEphC0SliJru6YRP1d0OZwsu6ysjObNm8di8Rht2byFOjs79RqIWRxA/5hpdrb02D2gCGwseweLOw5uOyZNovnz5ztVVVWL33zzzdng4qdf0fTplRy3XpqCOZqyK0B0rCsrNlRYdODdGSDsVAC9n1JsnUd6hs31uSRYOYgyFf22ZPaIAxqWHA2zkIA2WSelClucL0CdCeG6vigsfFTEASsjB3PaYNg0A0t4ZoKbgI052CanmsJxdkD9DfYzW6bYb5jH/0MqOcsO0F8xi13mqkDVlaty3khp9X1LqB9h1U4vSU8xUjmWYy0goW/KomQUUvp2Zm9Dn9gqaED5xaH8CYtXKfuoSp4LG/sdXPIGcK7D0FCHgYLRZidMYIQm7L8JZxmH/kW9h+1gdnavNmBLUudybf3z0pUFEAqcS8mxUAWlkPg3JGO/eeW2dnPDmE4DBEYB+pFosyYHRE5zR15enl60aBE7e+7ZrGpvFX355ZdUjdzV0EBbDtbS9/btp7nd3ezhnBzafcklbMwPrqGZM2dSdVUVPOMIaKuNwb/9aUX1k+GFl0MAofvUgfTS4KDG98fiAGehMh+qa71UyR0WgbFt/V9QN1OVEuUVEfow43WCCUw65Gm1csNtnc8se7SoWLvenVDr10NtT9Nx7xQocKMfzP7TZ0iPMP/MmVADkEFhPRyqbDjWNg1CKn2YC/qFTqqnFBe98WRnI1kFf4EgYQ4A1WCkJ+SuzjVidkmeksl/hLRdi3Fz4sS2Ywqw+/EpzYiKsnH+W0DnGx3NbW7DY8HWIBM1WrJ3Wt3DtaNEASA5ceJMQmszD3NhlHYk4aa/PwGH4nRO7x//zFPhUkqSIzwZwjmNbU+ff2DQEXjKAN81sp3sm0hXV1fTmjVrVEtLCz/zzDNpwYIFbOHChZSbl0d5OD3967NEq1fR1PoGmnroIDUeqKOXamr0M888Qzt37swAHEDPCUZ3wE9rhlcdhZcFBYF315tuCZoBkUvgOHlcBBYypUeqFCkQIB9tZ/Gc/FOhdapMf2N/kA7CrTtoCl7Jee3iwLs1UNVRUC8PHH+8SjedhiRwPAsJrxZB/h5h6/NEkP011P5i5VKn4tZOeKS/HhYY8YbkrBiRAlQ1C0LorxKzwn8J4sI9YRMsoUMWt4qBaK4FcTJoDk2ogRJhUei3KDaeUh47qiQYV/MXg/HDmzfDzi97aOioY++WxukJ103EgAVLWWSDPLIPA5gnmaTnEVHVMsRI+EAwnnFrGRhoEQtZsMkFkfXUvtvMNkDgbk5txfjkNwU7A6JkEHVdlyorK2nXrl2qqKiIxo4dy8LhMIVB4OG5uUTxOE3JzmGLwCyllduoeds2vQmE/LBfA5gFkHQJ5izBTnHiVhfeJOqUcYbgKc4CN09AIBe0g+xKcOWVhu/AieiBUEzTDO2xmXhLExhPMwtAxqEGJSNCBuKBuLO/DeF6hskGeqMPW3vTkeglDxWsDkm2k0taipXOQahTAim+mEmaJZldrKWqNegYQpnNaNgF+BDGDO4BsXZooXbYKdmroNMHJu8vpBmR4YJI6zXJwPA1o60Dicc7wdSRr0r70LGZd6m9UfBnR+G9G6u2spAL02osLcSTsRatvMoNd3UNfMhZurLQhRY8BZhNBDgTMe54Ane61JgvqPZCRu4BWO1HjKHoXw2E1g1Qy8hfASwbAHwOEbwVeRZY9j6822C0V4GEoVMYx5+GXIYMCatzJdWZaYVlT+ZclgMxBiJuhfrYhb0rZTxFrQtwiLmwKePAFLMrHshJ27o+1cfGQWlNOD9C7wUPvh+GzR4PEoxA/w7FeAfm6E86G/3S4QW3ZCEoVGRIBSbSVzwULoUZOFN6PA/2a0UW44cSxOdoV92CxS+2OJ0qldrLmNUG0BLY+lpvZ/vjwbOKg0mmyoWCipRsDxbCZQxmPFFKq0jm1mcdiG26rk9jnahbps7sy5TTXnt77USo5+/idQKYZVtKyi8QGkCx4TteX+IK1DfFSIT4brsI4Zc0cjkCUhRVWqY1pGkHj/alGUTRTk6fZIMIP4Ijg13vv0eRA7tsuMEcwmxgAL6+UURGpT8LSTFxxW0g8gwQOWLcfxD5tyDeLIyZizqhqQdzfYaQq+b8yPlC689nYofGuapJKbVm/W2dGzNzGukWmt8BqbqZwcOGzzTdrIx4EpqIRkFp/WRkVn55SqZyhMPngfBxOF174onAweys1BFwfBR10yFb1y99MP9b4OoLIITTQPwWzIEwwy6D83QdRPIC12XvJkitxwFyta0LcYSj0lOtPOjuVsngp0zQfCb49XxWuMzDF+9A0PoedjLcS7IHswL66VgSQGdgzxyg72k0Fju1mdjHx9cPvMGWwyKBRRTuDhT9FHv9++5oXQjrlUJB52OCFjDaa3BNd+BrO1QxhAFraS3PR6T466Ur8+N74TNlc5kPsR4Jm4/4V3+mJccHv740mPt0G6ePQKjtWYxCkMjuFyxaiW4/QUYclo4zTf+v5DjqnsPiK6Ara7BhSCy7G9u5g1PLck6tkGwNlvoUeesUxMUlgb1jMMssdC/EAT71PJaO5zB3Om28oysKSfoYfLMPhJmsiE+HUhaQJnN5sAdEOggAFjshvgTLWYixn9WefPHVSFPc0nIb+Oo1KBDPDvBLrQC7CZojDnB2GB4xjk5jYtIur8db43n0vhD0LfR7yg7RKmiBcWCU5zjz1r14U6xVSfYcRjwD0Aqx1o9FiN8Iex2SLv0ySepFnXJSkCRslcFcAwTD2HDisA6wTvsRKH59Skut0VpEAZxtPEzEbEB3BqTWUQp21tN3eFI/vfGWhvQlA+pNX/yxPJDaCMcc1M3AWmUQgG6ozH+Trn50/T+078usOpT3WJdDl2Zpijh9X4Y2QLnch05NGADa0NnIJrYci2ziwMEHwBUstdyLcOt6i2Yiri5DuxFs0IiO4vL14X0ePToNQv+3KwuGxRxdxhI0XHLVTB93NQ69QzW3N4FcXQrPNs/ldissWoIPY7ivw8WJSrVzW5/ClCgTnDdEj7btfzUCIvanip8X5tjdeqJ0aJQlWUOOGlbXIzpzuRL53U6i8RUQz3TFBUjYkokJ4NiRIKYnharL7umsXdt/adLfJ+So+DiQbZzSQqe0rqFEe53x7E08be0Ll/AsNoqncBWfcOoLQ65lziZ6KQeOWuO629ohw8fh1L9Lou8/UZqf7ImVCdxFSwnuBYNAMnttJ3Wkq6ur/bgzYa1QQ/7IZJJKoFW4ubOGPUuBoZPM4jLuULcVbe8w+xpY4ESFL4hy8D33dnwFOoyvQG6voJe6+oh6ou5fqQPFxVGbrsOXqPrM50YXP+NpM5cXfjo5EGjJoSIQ+QF8KuwynwpBoN1dNl1d3/dh/2s3uQtS3STowpigf4eDfxTZA6Ff7vkjGORrJ/cb/lcIDFXRA5NU46tPoaDl2fg9lsOoFHo+kWL0OeLZ37matkPf7wPhunEtEQwIKoVneZbgtDAArxdmbgTUcgy/y9qQSNGqAqK9AxP7hZMHAXy9D+CXGBdDTb8FaRz4NSWkWuIHATEpqB31UeSUUccmo2wkvhoSf/OX+HXIyXOa/587+VoJHgxHdDiFcX09DxJagV9PzrU1jYRjgluWvgS3Du4tCM3oM9yk/zbh0aZiotpMu//85hD4HxE4s70NCEkQL4cPW3QO1O41RYzm41a7Dl+X/iWYolfhSDXM6wunMkP8p4+Aj4CPgI+Aj4CPgI+Aj4CPgI+Aj4CPgI+Aj4CPgI+Aj4CPgI+Aj4CPgI/AnzkC/w1FMhrWkp06JAAAAABJRU5ErkJggg==", "integrationScript": {"commands": [{"arguments": [{"default": true, "deprecated": false, "description": "The IP address to check.", "name": "ip", "required": false, "secret": false}, {"default": false, "defaultValue": "30", "deprecated": false, "description": "The time range to return reports (in days). Default is 30.", "name": "days", "required": false, "secret": false}, {"auto": "PREDEFINED", "default": false, "defaultValue": "true", "deprecated": false, "description": "The length of the report. \"true\" returns the full report, \"false\" does not return reported categories. Default is \"true\".", "name": "verbose", "predefined": ["true", "false"], "required": false, "secret": false}, {"default": false, "defaultValue": "80", "deprecated": false, "description": "The minimum score from AbuseIPDB to consider whether the IP address is malicious (must be greater than 20). Default is 80.", "name": "threshold", "required": false, "secret": false}], "cartesian": false, "deprecated": false, "description": "Checks the specified IP address against the AbuseIP database.", "execution": false, "hidden": false, "important": null, "name": "ip", "outputs": [{"contentPath": "", "contextPath": "IP.Address", "description": "The address of the IP.", "type": "String"}, {"contentPath": "", "contextPath": "IP.Geo.Country", "description": "The country in which the IP address is located.", "type": "String"}, {"contentPath": "", "contextPath": "IP.Malicious.Vendor", "description": "The vendor reporting the IP address as malicious.", "type": "String"}, {"contentPath": "", "contextPath": "IP.Malicious.Detections", "description": "The Detections that led to the verdict.", "type": "String"}, {"contentPath": "", "contextPath": "AbuseIPDB.IP.Address", "description": "The IP address fetched from AbuseIPDB.", "type": "String"}, {"contentPath": "", "contextPath": "AbuseIPDB.IP.AbuseConfidenceScore", "description": "The confidence score fetched from AbuseIPDB.", "type": "String"}, {"contentPath": "", "contextPath": "AbuseIPDB.IP.TotalReports", "description": "The number of times the address has been reported.", "type": "Number"}, {"contentPath": "", "contextPath": "AbuseIPDB.IP.Geo.Country", "description": "The country associated with the IP Address.", "type": "String"}, {"contentPath": "", "contextPath": "AbuseIPDB.IP.Reports", "description": "The reports summary (for \"verbose\" reports).", "type": "String"}, {"contentPath": "", "contextPath": "DBotScore.Score", "description": "The actual score.", "type": "Number"}, {"contentPath": "", "contextPath": "DBotScore.Vendor", "description": "The vendor used to calculate the score.", "type": "String"}, {"contentPath": "", "contextPath": "DBotScore.Indicator", "description": "The indicator that was tested.", "type": "String"}, {"contentPath": "", "contextPath": "DBotScore.Type", "description": "The indicator type.", "type": "String"}, {"contentPath": "", "contextPath": "AbuseIPDB.IP.Malicious.Vendor", "description": "The vendor that determined this IP address to be malicious.", "type": "String"}, {"contentPath": "", "contextPath": "AbuseIPDB.IP.Malicious.Detections", "description": "The Detections that led to the verdict.", "type": "String"}, {"contentPath": "", "contextPath": "IP.Malicious.Description", "description": "A description explaining why the IP address was reported as malicious.", "type": "String"}, {"contentPath": "", "contextPath": "AbuseIPDB.IP.Malicious.Description", "description": "A description explaining why the IP address was reported as malicious.", "type": "String"}], "permitted": false, "sensitive": false, "timeout": 0}, {"arguments": [{"default": false, "deprecated": false, "description": "IPv4 Address Block in CIDR notation.", "name": "network", "required": true, "secret": false}, {"default": false, "defaultValue": "30", "deprecated": false, "description": "The time range to return reports (in days). Default is 30.", "name": "days", "required": false, "secret": false}, {"default": false, "defaultValue": "40", "deprecated": false, "description": "The maximum number of IPs to check. Default is 40.", "name": "limit", "required": false, "secret": false}, {"default": false, "defaultValue": "80", "deprecated": false, "description": "The minimum score from AbuseIPDB to consider whether the IP address is malicious (must be greater than 20). Default is 80.", "name": "threshold", "required": false, "secret": false}], "cartesian": false, "deprecated": false, "description": "Queries a block of IP addresses to check against the database.", "execution": false, "hidden": false, "important": null, "name": "abuseipdb-check-cidr-block", "outputs": [{"contentPath": "", "contextPath": "IP.Address", "description": "The IP address.", "type": "String"}, {"contentPath": "", "contextPath": "IP.Geo.Country", "description": "The country in which the IP address is located.", "type": "String"}, {"contentPath": "", "contextPath": "IP.Malicious.Vendor", "description": "The vendor reporting the IP address as malicious.", "type": "String"}, {"contentPath": "", "contextPath": "IP.Malicious.Detections", "description": "The Detections that led to the verdict.", "type": "String"}, {"contentPath": "", "contextPath": "AbuseIPDB.IP.Address", "description": "The IP address fetched from AbuseIPDB.", "type": "String"}, {"contentPath": "", "contextPath": "AbuseIPDB.IP.AbuseConfidenceScore", "description": "The confidence score fetched from AbuseIPDB.", "type": "Unknown"}, {"contentPath": "", "contextPath": "AbuseIPDB.IP.TotalReports", "description": "The number of times this address has been reported.", "type": "Unknown"}, {"contentPath": "", "contextPath": "AbuseIPDB.IP.Geo.Country", "description": "The country associated with this IP Address.", "type": "Unknown"}, {"contentPath": "", "contextPath": "AbuseIPDB.IP.Reports", "description": "Reports summary (for \"verbose\" reports).", "type": "Unknown"}, {"contentPath": "", "contextPath": "DBotScore.Score", "description": "The actual score.", "type": "Number"}, {"contentPath": "", "contextPath": "DBotScore.Vendor", "description": "The vendor used to calculate the score.", "type": "String"}, {"contentPath": "", "contextPath": "DBotScore.Indicator", "description": "The indicator that was tested.", "type": "String"}, {"contentPath": "", "contextPath": "DBotScore.Type", "description": "The indicator type.", "type": "String"}, {"contentPath": "", "contextPath": "AbuseIPDB.IP.Malicious.Vendor", "description": "The vendor used to calculate the score.", "type": "String"}, {"contentPath": "", "contextPath": "AbuseIPDB.IP.Malicious.Detections", "description": "The Detections that led to the verdict.", "type": "String"}, {"contentPath": "", "contextPath": "IP.Malicious.Description", "description": "A description explaining why the IP address was reported as malicious.", "type": "String"}], "permitted": false, "sensitive": false, "timeout": 0}, {"arguments": [{"default": false, "deprecated": false, "description": "The IP address to report.", "name": "ip", "required": true, "secret": false}, {"default": false, "deprecated": false, "description": "A CSV list of category IDs. For more information, see https://www.abuseipdb.com/categories.", "name": "categories", "required": true, "secret": false}], "cartesian": false, "deprecated": false, "description": "Reports an IP address to AbuseIPDB.", "execution": false, "hidden": false, "important": null, "name": "abuseipdb-report-ip", "outputs": null, "permitted": false, "sensitive": false, "timeout": 0}, {"arguments": [{"default": false, "defaultValue": "30", "deprecated": false, "description": "The time range to return reports (in days). Default is 30.", "name": "days", "required": false, "secret": false}, {"default": false, "defaultValue": "50", "deprecated": false, "description": "The maximum number of IPs to retrieve. Default is 50. ", "name": "limit", "required": false, "secret": false}, {"auto": "PREDEFINED", "default": false, "defaultValue": "false", "deprecated": false, "description": "Whether to save a list of blacklisted IPs in the Context Data in Demisto. Default is false.", "name": "saveToContext", "predefined": ["true", "false"], "required": false, "secret": false}], "cartesian": false, "deprecated": false, "description": "Returns a list of the most reported IP addresses.", "execution": false, "hidden": false, "important": null, "name": "abuseipdb-get-blacklist", "outputs": [{"contentPath": "", "contextPath": "AbuseIPDB.Blacklist", "description": "A list of blacklisted IP addresses.", "type": "Unknown"}], "permitted": false, "sensitive": false, "timeout": 0}, {"arguments": [], "cartesian": false, "deprecated": false, "description": "Returns a list of report categories from AbuseIPDB.", "execution": false, "hidden": false, "important": null, "name": "abuseipdb-get-categories", "outputs": [{"contentPath": "", "contextPath": "AbuseIPDB.Categories", "description": "The list of AbuseIPDB categories.", "type": "string"}], "permitted": false, "sensitive": false, "timeout": 0}], "isFetch": false, "isFetchCredentials": false, "longRunning": false, "longRunningPortMapping": false, "runOnce": false, "script": "\n\n''' IMPORTS '''\nimport requests\nimport os\nimport csv\n\n# disable insecure warnings\nrequests.packages.urllib3.disable_warnings()\n\n''' GLOBALS '''\nVERBOSE = True\nSERVER = demisto.params().get('server')\nif not SERVER.endswith('/'):\n SERVER += '/'\nAPI_KEY = demisto.params().get('apikey')\nMAX_AGE = demisto.params().get('days')\nTHRESHOLD = demisto.params().get('threshold')\nINSECURE = demisto.params().get('insecure')\nTEST_IP = \"127.0.0.2\"\nBLACKLIST_SCORE = 3\nCHECK_CMD = \"check\"\nCHECK_BLOCK_CMD = \"check-block\"\nREPORT_CMD = \"report\"\nBLACKLIST_CMD = 'blacklist'\nANALYSIS_TITLE = \"AbuseIPDB Analysis\"\nBLACKLIST_TITLE = \"AbuseIPDB Blacklist\"\nREPORT_SUCCESS = \"IP address reported successfully.\"\n\nHEADERS = {\n 'Key': API_KEY,\n 'Accept': 'application/json'\n}\n\nPROXY = demisto.params().get('proxy')\nif not demisto.params().get('proxy', False):\n del os.environ['HTTP_PROXY']\n del os.environ['HTTPS_PROXY']\n del os.environ['http_proxy']\n del os.environ['https_proxy']\n\nCATEGORIES_NAME = {\n 3: 'Frad_Orders',\n 4: 'DDoS_Attack',\n 5: 'FTP_Brute-Force',\n 6: 'Ping of Death',\n 7: 'Phishing',\n 8: 'Fraud VoIP',\n 9: 'Open_Proxy',\n 10: 'Web_Spam',\n 11: 'Email_Spam',\n 12: 'Blog_Spam',\n 13: 'VPN IP',\n 14: 'Port_Scan',\n 15: 'Hacking',\n 16: 'SQL Injection',\n 17: 'Spoofing',\n 18: 'Brute_Force',\n 19: 'Bad_Web_Bot',\n 20: 'Exploited_Host',\n 21: 'Web_App_Attack',\n 22: 'SSH',\n 23: 'IoT_Targeted'\n}\n\nCATEGORIES_ID = {\n \"Frad_Orders\": \"3\",\n \"DDoS_Attack\": \"4\",\n \"FTP_Brute\": \"5\",\n \"Ping of Death\": \"6\",\n \"Phishing\": \"7\",\n \"Fraud VoIP\": \"8\",\n \"Open_Proxy\": \"9\",\n \"Web_Spam\": \"10\",\n \"Email_Spam\": \"11\",\n \"Blog_Spam\": \"12\",\n \"VPN IP\": \"13\",\n \"Port_Scan\": \"14\",\n \"Hacking\": \"15\",\n \"SQL Injection\": \"16\",\n \"Spoofing\": \"17\",\n \"Brute_Force\": \"18\",\n \"Bad_Web_Bot\": \"19\",\n \"Exploited_Host\": \"20\",\n \"Web_App_Attack\": \"21\",\n \"SSH\": \"22\",\n \"IoT_Targeted\": \"23\"\n}\n\nsession = requests.session()\n\n\n''' HELPER FUNCTIONS '''\n\n\ndef http_request(method, url_suffix, params=None, headers=HEADERS, threshold=THRESHOLD):\n LOG('running request with url=%s' % (SERVER + url_suffix))\n try:\n analysis = session.request(method, SERVER + url_suffix, headers=headers, params=params, verify=not INSECURE)\n\n if analysis.status_code not in {200, 204, 429}:\n return_error('Bad connection attempet. Status code: ' + str(analysis.status_code))\n if analysis.status_code == 429:\n if demisto.params().get('disregard_quota'):\n return 'Too many requests (possibly bad API key). Status code: ' + str(analysis.status_code)\n else:\n return_error('Too many requests (possibly bad API key). Status code: ' + str(analysis.status_code))\n\n return REPORT_SUCCESS if url_suffix == REPORT_CMD else analysis.json()\n except Exception as e:\n LOG(e)\n return_error(e.message)\n\n\ndef analysis_to_entry(info, threshold=THRESHOLD, verbose=VERBOSE):\n if not isinstance(info, list):\n info = [info]\n\n context_ip_generic, context_ip, human_readable, dbot_scores = [], [], [], []\n for analysis in info:\n ip_ec = {\n \"Address\": analysis.get(\"ipAddress\"),\n \"Geo\": {\"Country\": analysis.get(\"countryName\") or analysis.get(\"countryCode\")}\n }\n abuse_ec = {\n \"IP\": {\n \"Address\": analysis.get(\"ipAddress\"),\n \"Geo\": {\"Country\": analysis.get(\"countryName\") or analysis.get(\"countryCode\")},\n 'AbuseConfidenceScore': analysis.get('abuseConfidenceScore'),\n \"TotalReports\": analysis.get(\"totalReports\") or analysis.get(\"numReports\") or \"0\"\n }\n }\n\n if verbose:\n reports = sum([report_dict.get(\"categories\") for report_dict in analysis.get(\"reports\")], []) # type: list\n categories = set(reports)\n abuse_ec[\"IP\"][\"Reports\"] = {CATEGORIES_NAME[c]: reports.count(c) for c in categories}\n\n human_readable.append(abuse_ec['IP'])\n\n dbot_score = getDBotScore(analysis, threshold)\n if dbot_score == 3:\n ip_ec[\"Malicious\"] = abuse_ec[\"IP\"][\"Malicious\"] = {\n 'Vendor': \"AbuseIPDB\",\n 'Detections': 'The address was reported as Malicious by AbuseIPDB.',\n 'Description': 'The address was reported as Malicious by AbuseIPDB.'\n\n }\n dbot_scores.append({\n \"Score\": dbot_score,\n \"Vendor\": \"AbuseIPDB\",\n \"Indicator\": analysis.get(\"ipAddress\"),\n \"Type\": \"ip\"\n })\n context_ip.append(abuse_ec)\n context_ip_generic.append(ip_ec)\n\n return createEntry(context_ip, context_ip_generic, human_readable, dbot_scores, title=ANALYSIS_TITLE)\n\n\ndef blacklist_to_entry(data, saveToContext):\n if not isinstance(data, list):\n data = [data]\n\n ips = [d.get(\"ipAddress\") for d in data]\n context = {\"Blacklist\": ips}\n temp = demisto.uniqueFile()\n with open(demisto.investigation()['id'] + '_' + temp, 'wb') as f:\n wr = csv.writer(f, quoting=csv.QUOTE_ALL)\n for ip in ips:\n wr.writerow([ip])\n entry = {\n 'HumanReadable': '',\n 'Contents': ips,\n 'ContentsFormat': formats['json'],\n 'Type': entryTypes['file'],\n 'File': \"Blacklist.csv\",\n 'FileID': temp,\n 'EntryContext': {'AbuseIPDB': createContext(context if saveToContext else None, removeNull=True)}\n }\n return entry\n\n\ndef getDBotScore(analysis, threshold=THRESHOLD):\n total_reports = analysis.get(\"totalReports\") or analysis.get(\"numReports\") or 0\n abuse_score = int(analysis.get(\"abuseConfidenceScore\"))\n dbot_score = 0 if total_reports == 0 else 1 if abuse_score < 20 else 2 if abuse_score < int(threshold) else 3\n return dbot_score\n\n\ndef createEntry(context_ip, context_ip_generic, human_readable, dbot_scores, title):\n entry = {\n 'ContentsFormat': formats['json'],\n 'Type': entryTypes['note'],\n 'Contents': context_ip,\n 'ReadableContentsFormat': formats['markdown'],\n 'HumanReadable': tableToMarkdown(title, human_readable, removeNull=True),\n 'EntryContext': {\n 'IP(val.Address && val.Address == obj.Address)': createContext(context_ip_generic, removeNull=True),\n 'AbuseIPDB(val.IP.Address && val.IP.Address == obj.IP.Address)': createContext(context_ip, removeNull=True),\n 'DBotScore': createContext(dbot_scores, removeNull=True)\n }\n }\n return entry\n\n\n''' FUNCTIONS '''\n\n\ndef check_ip_command(ip, days=MAX_AGE, verbose=VERBOSE, threshold=THRESHOLD):\n params = {\n \"ipAddress\": ip,\n \"maxAgeInDays\": days\n }\n if verbose:\n params['verbose'] = \"verbose\"\n analysis = http_request(\"GET\", url_suffix=CHECK_CMD, params=params).get(\"data\")\n return analysis_to_entry(analysis, verbose=verbose, threshold=threshold)\n\n\ndef check_block_command(network, limit, days=MAX_AGE, threshold=THRESHOLD):\n params = {\n \"network\": network,\n \"maxAgeInDays\": days\n }\n analysis = http_request(\"GET\", url_suffix=CHECK_BLOCK_CMD, params=params).get(\"data\").get(\"reportedAddress\")\n return analysis_to_entry(analysis[:int(limit) if limit.isdigit() else 40], verbose=False, threshold=threshold)\n\n\ndef report_ip_command(ip, categories):\n params = {\n \"ip\": ip,\n \"categories\": \",\".join([CATEGORIES_ID[c] if c in CATEGORIES_ID else c for c in categories.split()])\n }\n analysis = http_request(\"POST\", url_suffix=REPORT_CMD, params=params)\n return analysis\n\n\ndef get_blacklist_command(limit, days, saveToContext):\n params = {\n 'maxAgeInDays': days,\n \"limit\": limit\n }\n analysis = http_request(\"GET\", url_suffix=BLACKLIST_CMD, params=params)\n return analysis if type(analysis) is str else blacklist_to_entry(analysis.get(\"data\"), saveToContext)\n\n\ndef test_module():\n try:\n check_ip_command(ip=TEST_IP, verbose=False)\n except Exception as e:\n LOG(e)\n return_error(e.message)\n demisto.results('ok')\n\n\ndef get_categories_command():\n categories = {str(key): value for key, value in CATEGORIES_NAME.items()}\n entry = {\n 'ContentsFormat': formats['json'],\n 'Type': entryTypes['note'],\n 'Contents': categories,\n 'ReadableContentsFormat': formats['markdown'],\n 'HumanReadable': tableToMarkdown(\"AbuseIPDB report categories\", categories, removeNull=True),\n 'EntryContext': {'AbuseIPDB.Categories(val && val == obj)': createContext(categories, removeNull=True),\n }\n }\n return entry\n\n\ntry:\n if demisto.command() == 'test-module':\n # Tests connectivity and credentails on login\n test_module()\n elif demisto.command() == 'ip':\n demisto.results(check_ip_command(**demisto.args()))\n elif demisto.command() == 'abuseipdb-check-cidr-block':\n demisto.results(check_block_command(**demisto.args()))\n elif demisto.command() == 'abuseipdb-report-ip':\n demisto.results(report_ip_command(**demisto.args()))\n elif demisto.command() == 'abuseipdb-get-blacklist':\n demisto.results(get_blacklist_command(**demisto.args()))\n elif demisto.command() == 'abuseipdb-get-categories':\n demisto.results(get_categories_command(**demisto.args())) # type:ignore\n\nexcept Exception as e:\n LOG.print_log()\n return_error(e.message)", "subtype": "python2", "type": "python"}, "modified": "2019-10-18T15:51:41.34248721-04:00", "name": "AbuseIPDB", "prevName": "AbuseIPDB", "shouldCommit": false, "sortValues": null, "system": true, "vcShouldIgnore": false, "version": 6}, {"brand": "", "canGetSamples": false, "category": "Authentication", "commitMessage": "", "configuration": [{"defaultValue": "", "display": "Server IP (e.g. 192.168.0.1)", "hidden": false, "name": "LDAPServer", "options": null, "required": true, "type": 0}, {"defaultValue": "389", "display": "Port", "hidden": false, "name": "LDAPServerPort", "options": null, "required": false, "type": 0}, {"defaultValue": "", "display": "", "hidden": false, "name": "Credentials", "options": null, "required": true, "type": 9}, {"defaultValue": "", "display": "Base DN (e.g. DC=domain,DC=com)", "hidden": false, "name": "LDAPBaseDN", "options": null, "required": true, "type": 0}, {"defaultValue": "", "display": "Default Domain", "hidden": false, "name": "LDAPDefaultDomain", "options": null, "required": false, "type": 0}, {"defaultValue": "none", "display": "Security Type (none/ssl/tls)", "hidden": false, "name": "LDAPSecurity", "options": null, "required": true, "type": 0}, {"defaultValue": "", "display": "Do not validate server certificate (insecure)", "hidden": false, "name": "LDAPSInsecure", "options": null, "required": false, "type": 8}, {"defaultValue": "true", "display": "Auto populate groups", "hidden": false, "name": "LDAPSFetchGroups", "options": null, "required": false, "type": 8}, {"defaultValue": "", "display": "Full path for CA certificate of Active Directory server (type pem)", "hidden": false, "name": "LDAPCaCertFile", "options": null, "required": false, "type": 0}], "description": "Authenticate using Active Directory", "display": "Active Directory Authentication", "hidden": false, "icon": "activedirectory.png", "id": "activedir-login", "image": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAHMAAAAcCAYAAABS4YBpAAAHQUlEQVR4Ae3ZBXAUeRaA8RfF3d3d3S2Lu7tbsbi7u0uFrOGamR6cHAkawyEenEPWd8NGsdO5L8f/qvoaiQ2c7GzVr8ZnevnyWuVj/LcqIs55RnB0vklXfi2/PCy2wcDAuP5u52PW1fOK8rp+/0EZiO3ZpenDC679mmva1Wd1hl2O69bBN2ZMy7O/LW5yJsZS8mRMRLbDcTGulvg/O2rxVjHD9NyazfzM6nsjtBXEzvaSfMOwwKgsU2/GV+kXGNvNIzKq2eF7zxw/Oxe3pdzJmJu5DsdEOVvi/k4sgiUAJpihKZZ/eW7NrkVZfW+GtYTY2Z4sD41y2nT/ZZY5N6NLTb0e3aGjb/Tsjhefb63tE2uu6BUTkPtI7A/pLHF/FSarh9fjGxsu3MvhbIr/UczPjcGSQEwLkxkU2hJiZ3tS69SzY9mPxkdlOBz36s3qEJ4wJ0AXy/zC2uPU47DNfvdypdPiv3vzfDxSEFNLjBnWEmJne1LkaMwdMRknLB6AeqxiPnkT00JM4qjXUhAz6iPGtJOix6Nvi6bCfIhxMo2vJxVWe7Oa9SMmRBHZei8PHJEfmSBJyIOcEDuD1MZM1meMMbV3xuyK4hiM+iiD8qiKciiJiuq2DDrDDbkgdmmNqV/NJntVa5hMyJZ7jipUP7TGQLRDUzREK9RUz/VGY3REVeSF2L03ZnwKYiakcjJDW0IgsvmeAwuRAUWQFVlQGKXghBIoqG4LoRwyIydyQ+yMMc0JKYwZ9937D0viU703ywK1RDtIKgxAbUgaNcd8zMIQ5IcorpiOHP/Fk5mQxtVsso8zP3jSgAXyRxAcIUkYhboQpQMqQdJoG2bCDePgh84QuGAoskJsYJltllkpxKGJeL60iukFwRST7hZihudra3evx+Eb/O7kcTEl/Cgm3WeSYgLvz2aKTozZDmKkwizHFjSH6FTARAxHRpSDDzahGxxRGllRClUhSmY0giAbhmISKkNg9A3qQ5TSCERu3bI4Ih1qoAEm6aa1PaaiDUSnCiZjENKjFsKwAh3hCEELTMFAZIXABTVQHRPQyLCMTmgmswKeTp7kfXvbZJ87Hh8yzvvutu0B4dNMQQ+dJ5x/PH+y9+2v1WvJMtH7zhezT9/6MjjyVmmIkYrYBG7YDFEq4RjGYj3GowYuYS/GQrAaTVEVZojSHesg2IGVGAdvVEwqpuKBoRDsQSZkwTUcwFzkwec4iCE4rG4F1eCD0bo/wEa4j20YAcEYHMZgfKUI0sEXhzAfPXEILhCUwmEZ7ft93+Fnnk4bcfbppA8ZdObpDPfLD9tCBp/7YRjPTcWk5Bp25umU8ReejLn6+PtMED01MSeQGVmhIQsEOzEUomSEYAlaQ5S1aAnBYRSHYB0aYyDWQpQu2J7MmIsUwS5kQnZcQG7dBB+HCwR5cA7O2KpbNgfde0yoB0FhHEV6iLIbDeGACygNUTagCwRzMVqdAUpcHT5/P43XTa/YZj69scnvXg5XM6tZ83s+o4HXuIX+NVazWrTVPziiOURPTY8XPlN8MAgCMxpADJYaY+oeT8UEZIUnBGvgh8VYoUIuSWbMtRhtiJkb+yFKW9zHYqzCengiGw6hIMTArItZD99AdNagCxxxABkgSleshMAbZT/xDtA/r5q0gnF7eQSz0As9VagDEJjQIYUxK8KCz7EcgmW66XKFYzK3mdngjcJw0MXMhQNwgKAxvCBwgTNEsaACxMCii1kVByA67nCDM4wxXbEfXbD+P7M3azg0Ef6i4AMXiOKIEyiOsdBQEI10E7IIs5DbGFP5Cr4oBUEFnEM15EEdFIYYbMMglEZDHMR0CFyxRzeZB+EAUY5gIHKiIqpBMBZ7kR8t0FH3W0ORG044jtHIi/bwQhZkxEF1KzqL8R0afdqY2rsPTdRqtRfEoDc6QzAR+/ElakNQFjuxAoJeqAJRGmMBRMcN2+COzSgHMRiCnXDHerhBFGeMQjpkwViITlFshge+RBfd5+ZiHzxQyfD/sBCCwnDHLnigPAQZMBauEJ3qCEOm1MfUdDHtl8D+Y9QULzOcAUo6jPESmPGSWdKTaY9pa2p6m0AX0xAGqV/NavaYn4ruMAYociwmrVdNdOKTszfbEmJne1L5ZFSwoynWKp78g5vUMSJEA5FTtc3Ukt4BsrM9ORH6oNSRgKCRW/wi1k85e393n1NP/tDK6/vI6se+j89n+cXqYo4hcgKxX3Ju9kn4ugt3czubE34gtk0OTexs551P3gsLdQoJul7I72pQQ3NAcG/3gNvj5p2/7/514K0Fe689ca19/JfQXNqvVidzbGJoPMe/TbRi3Ju1T+bHlKoP3Qz/Yz7/a9fdPC+G93P3vz154YV7a8aeeejd6eTjx5WP/JCQ+1DUX121WKuDOU7FTgz9yprN/JvxDJDt2WPaxsOw0AzhocGF/K8HVz52KbjJwSuRozb5R24Z733Hu/WJJ6ENjn3708Xg8IYQO9v7B0hP6f7QVrafAAAAAElFTkSuQmCC", "integrationScript": null, "modified": "2019-10-28T16:18:38.469114945-04:00", "name": "activedir-login", "prevName": "activedir-login", "shouldCommit": false, "sortValues": null, "vcShouldIgnore": false, "version": 57}, {"brand": "", "canGetSamples": false, "category": "Data Enrichment & Threat Intelligence", "commitMessage": "", "configuration": [{"defaultValue": "", "display": "Server IP (e.g. 192.168.0.1)", "hidden": false, "name": "LDAPServer", "options": null, "required": true, "type": 0}, {"defaultValue": "389", "display": "Port", "hidden": false, "name": "LDAPServerPort", "options": null, "required": false, "type": 0}, {"defaultValue": "", "display": "", "hidden": false, "name": "Credentials", "options": null, "required": true, "type": 9}, {"defaultValue": "", "display": "Base DN (e.g. DC=domain,DC=com)", "hidden": false, "name": "LDAPBaseDN", "options": null, "required": true, "type": 0}, {"defaultValue": "none", "display": "Security Type (none/ssl/tls)", "hidden": false, "name": "LDAPSecurity", "options": null, "required": true, "type": 0}, {"defaultValue": "500", "display": "Page Size", "hidden": false, "name": "LDAPPageSize", "options": null, "required": false, "type": 0}, {"defaultValue": "", "display": "Do not validate server certificate (insecure)", "hidden": false, "name": "LDAPSInsecure", "options": null, "required": false, "type": 8}, {"defaultValue": "", "display": "Full path for CA certificate of Active Directory server (type pem)", "hidden": false, "name": "LDAPCaCertFile", "options": null, "required": false, "type": 0}], "deprecated": true, "description": "Query LDAP directory servers", "display": "Active Directory Query (Deprecated)", "hidden": false, "icon": "activedirectory.png", "id": "activedir", "image": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAHMAAAAcCAYAAABS4YBpAAAHQUlEQVR4Ae3ZBXAUeRaA8RfF3d3d3S2Lu7tbsbi7u0uFrOGamR6cHAkawyEenEPWd8NGsdO5L8f/qvoaiQ2c7GzVr8ZnevnyWuVj/LcqIs55RnB0vklXfi2/PCy2wcDAuP5u52PW1fOK8rp+/0EZiO3ZpenDC679mmva1Wd1hl2O69bBN2ZMy7O/LW5yJsZS8mRMRLbDcTGulvg/O2rxVjHD9NyazfzM6nsjtBXEzvaSfMOwwKgsU2/GV+kXGNvNIzKq2eF7zxw/Oxe3pdzJmJu5DsdEOVvi/k4sgiUAJpihKZZ/eW7NrkVZfW+GtYTY2Z4sD41y2nT/ZZY5N6NLTb0e3aGjb/Tsjhefb63tE2uu6BUTkPtI7A/pLHF/FSarh9fjGxsu3MvhbIr/UczPjcGSQEwLkxkU2hJiZ3tS69SzY9mPxkdlOBz36s3qEJ4wJ0AXy/zC2uPU47DNfvdypdPiv3vzfDxSEFNLjBnWEmJne1LkaMwdMRknLB6AeqxiPnkT00JM4qjXUhAz6iPGtJOix6Nvi6bCfIhxMo2vJxVWe7Oa9SMmRBHZei8PHJEfmSBJyIOcEDuD1MZM1meMMbV3xuyK4hiM+iiD8qiKciiJiuq2DDrDDbkgdmmNqV/NJntVa5hMyJZ7jipUP7TGQLRDUzREK9RUz/VGY3REVeSF2L03ZnwKYiakcjJDW0IgsvmeAwuRAUWQFVlQGKXghBIoqG4LoRwyIydyQ+yMMc0JKYwZ9937D0viU703ywK1RDtIKgxAbUgaNcd8zMIQ5IcorpiOHP/Fk5mQxtVsso8zP3jSgAXyRxAcIUkYhboQpQMqQdJoG2bCDePgh84QuGAoskJsYJltllkpxKGJeL60iukFwRST7hZihudra3evx+Eb/O7kcTEl/Cgm3WeSYgLvz2aKTozZDmKkwizHFjSH6FTARAxHRpSDDzahGxxRGllRClUhSmY0giAbhmISKkNg9A3qQ5TSCERu3bI4Ih1qoAEm6aa1PaaiDUSnCiZjENKjFsKwAh3hCEELTMFAZIXABTVQHRPQyLCMTmgmswKeTp7kfXvbZJ87Hh8yzvvutu0B4dNMQQ+dJ5x/PH+y9+2v1WvJMtH7zhezT9/6MjjyVmmIkYrYBG7YDFEq4RjGYj3GowYuYS/GQrAaTVEVZojSHesg2IGVGAdvVEwqpuKBoRDsQSZkwTUcwFzkwec4iCE4rG4F1eCD0bo/wEa4j20YAcEYHMZgfKUI0sEXhzAfPXEILhCUwmEZ7ft93+Fnnk4bcfbppA8ZdObpDPfLD9tCBp/7YRjPTcWk5Bp25umU8ReejLn6+PtMED01MSeQGVmhIQsEOzEUomSEYAlaQ5S1aAnBYRSHYB0aYyDWQpQu2J7MmIsUwS5kQnZcQG7dBB+HCwR5cA7O2KpbNgfde0yoB0FhHEV6iLIbDeGACygNUTagCwRzMVqdAUpcHT5/P43XTa/YZj69scnvXg5XM6tZ83s+o4HXuIX+NVazWrTVPziiOURPTY8XPlN8MAgCMxpADJYaY+oeT8UEZIUnBGvgh8VYoUIuSWbMtRhtiJkb+yFKW9zHYqzCengiGw6hIMTArItZD99AdNagCxxxABkgSleshMAbZT/xDtA/r5q0gnF7eQSz0As9VagDEJjQIYUxK8KCz7EcgmW66XKFYzK3mdngjcJw0MXMhQNwgKAxvCBwgTNEsaACxMCii1kVByA67nCDM4wxXbEfXbD+P7M3azg0Ef6i4AMXiOKIEyiOsdBQEI10E7IIs5DbGFP5Cr4oBUEFnEM15EEdFIYYbMMglEZDHMR0CFyxRzeZB+EAUY5gIHKiIqpBMBZ7kR8t0FH3W0ORG044jtHIi/bwQhZkxEF1KzqL8R0afdqY2rsPTdRqtRfEoDc6QzAR+/ElakNQFjuxAoJeqAJRGmMBRMcN2+COzSgHMRiCnXDHerhBFGeMQjpkwViITlFshge+RBfd5+ZiHzxQyfD/sBCCwnDHLnigPAQZMBauEJ3qCEOm1MfUdDHtl8D+Y9QULzOcAUo6jPESmPGSWdKTaY9pa2p6m0AX0xAGqV/NavaYn4ruMAYociwmrVdNdOKTszfbEmJne1L5ZFSwoynWKp78g5vUMSJEA5FTtc3Ukt4BsrM9ORH6oNSRgKCRW/wi1k85e393n1NP/tDK6/vI6se+j89n+cXqYo4hcgKxX3Ju9kn4ugt3czubE34gtk0OTexs551P3gsLdQoJul7I72pQQ3NAcG/3gNvj5p2/7/514K0Fe689ca19/JfQXNqvVidzbGJoPMe/TbRi3Ju1T+bHlKoP3Qz/Yz7/a9fdPC+G93P3vz154YV7a8aeeejd6eTjx5WP/JCQ+1DUX121WKuDOU7FTgz9yprN/JvxDJDt2WPaxsOw0AzhocGF/K8HVz52KbjJwSuRozb5R24Z733Hu/WJJ6ENjn3708Xg8IYQO9v7B0hP6f7QVrafAAAAAElFTkSuQmCC", "integrationScript": null, "isPasswordProtected": true, "modified": "2019-10-28T16:18:38.46569023-04:00", "name": "activedir", "prevName": "activedir", "shouldCommit": false, "sortValues": null, "vcShouldIgnore": false, "version": 57}, {"brand": "", "canGetSamples": true, "category": "Data Enrichment & Threat Intelligence", "commitMessage": "", "configuration": [{"defaultValue": "", "display": "Server IP address (e.g., 192.168.0.1)", "hidden": false, "name": "server_ip", "options": null, "required": true, "type": 0}, {"defaultValue": "", "display": "Port. If not specified, default the port is 389, or 636 for LDAPS.", "hidden": false, "name": "port", "options": null, "required": false, "type": 0}, {"defaultValue": "", "display": "Credentials", "hidden": false, "name": "credentials", "options": null, "required": true, "type": 9}, {"defaultValue": "", "display": "NTLM authentication", "hidden": false, "name": "ntlm", "options": null, "required": false, "type": 8}, {"defaultValue": "", "display": "Base DN (for example \"dc=company,dc=com\")", "hidden": false, "name": "base_dn", "options": null, "required": true, "type": 0}, {"defaultValue": "500", "display": "Page size", "hidden": false, "name": "page_size", "options": null, "required": true, "type": 0}, {"defaultValue": "SSL", "display": "Secure Connection", "hidden": false, "name": "secure_connection", "options": ["None", "SSL"], "required": true, "type": 15}, {"defaultValue": "", "display": "Trust any certificate (not secure)", "hidden": false, "name": "unsecure", "options": null, "required": false, "type": 8}], "description": "Active Directory Query integration enables you to access and manage Active Directory objects (users, contacts, and computers).", "detailedDescription": "Active Directory search uses paging. You set the page size by specifying the 'page size' parameter in the instance settings.\n", "display": "Active Directory Query v2", "hidden": false, "icon": "", "id": "Active Directory Query v2", "image": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAHgAAAAyCAYAAACXpx/YAAAAAXNSR0IArs4c6QAADQlJREFUeAHtWntwVcUZ/3b3nPvIzTsBAiS5yU3iA5xSReuzijiKMmr1n3TaCiSAo1UHtdqx9XnVobZD1QrFNhJuQoJTSR/DVKF26IxiR8UWrVpw0CT35gUIIZDHTXLvPWd3++1JbriJNyFWkKhnZ849e/Z8u/vt7/ft7rffuQB2shGwEbARsBGwEbARsBGwEbARsBGwEbARsBGwEbARsBGwEbARsBE47QiQ06GBBKB/a2zUfx/KzGnXU2YVGF0H/npN4YHTocvXvU/tVA1Qkfju7t1sdVd+Vjulswc4LeyXrCQqaek0QopjnxAvB5hBqTOrjMdWox6PnCpdvsntfiGCFYnw2muU7FwgbrqiO71R6heGY7w0xuEMJNFnHCJek5AZ3IAcoTuYYBpIICClQMyRXsnBQRhIIb+QHt9kAk809hMCiyQS8C9gP7pqU9onRtb0cMTwxijxRQQtzQXmk9zp+/6loep/R3KCBx2ebQaTINkwiQJJFAIIQUINA3VRl2owIUmknCLvdjolCCQlWJF61qtHbuyl7u/kmKJMSOEze1meCTgTqcclmQOEhiQKCQzJ9BjyLNQuyDkHGYtaio4i8ZSobjc6GQSSEgx+PztkOlb3pqbMRRqRyOGZiEsqIInAB0dIJMSNefXCTlMRATqeUpKQCERwzsYGgZgxIALzuJx+6UnKEy8GaxudX7peX5EOk8/g06y8FmhaaEYG/qPpafPMTe3tUPVxD7jZkDESjUG0PwopWRS6DQ5u4dQkzINAU5+ZGt0N5XNjp1n9KdX9lCQYqE6Yy3OpJJRoBi8wNTodOAmDpNm4G/Rr1JMO0QgDl+g3ORBJNErQOZhSyE4RZaYkwQ4mPzJAm2WY/IhTcA0JTgFBYqDpe4CbXiT1IFDpAcpMpFdyLdoCwpEGkRwdcbVncIJxTUmCB5YUHUQd1QXRmpALPB4NyqeHh/XuGr5PfFN7d32wAIK+A+An6ED8n0nt7yksD51LDdykD5aWHh5pye+n4FuSDy7ffignU9LRHNfJGhnEac5QAU+RcLhmUmpUBy+HuMO1rslBTfIQzGjOnlTdcYRYun4L07Uq6tDvpUJfQ2tbNkDdgUJL3HezmxrkYTjSlj5O9ckX14QyYWPLxZOvMDnJcQlGc2QCo0z8hBcepAhGtAShnE5GfqwMOskSO0mWNnXkYKQk03pV01z2GZHAwWmgZrhKDe1u3LLvgXTIt8pWlUVFqn4P3F7SCdvHeNkNDQyqpFrOh9KG4Ayo2n38OV6OdyllLvDYH0Rl0V1iWWEFEfIfzIhWQd2nHlg6r1+YR++BO7zHUBADQjijGySD6r3HjQr1ggbUc2xS/dU1TR8pFubZlMjbYeO+tFG6VLdng7oS02vDkT9VrsY/VveGvQ7wS4vb5Ev0nDkyn0Q6OIgCKYcCF4ntJ+YZuCGNiMNp1Oz28d5OIFFqRSIThSbIa9INGYx3JxNhRuRqSdkuHPgA4vc9jIf92pJDa6cSHgVNaBjxTKO1TdUybM6VjM0lRHuQcP4ml7KGBkKPi9qWR6mkj7NA4xZjedl7qj7tm/8w01tfNqqDXZTAQ6A7I2BmZ4iNzetgRcnu0brgaMiwARKiDvxbsN1rGB9YiGGdV6ij1S/WNj4CNc3TaeGS+yAcxA5cLrF+7/3M6b5S9vOb0PwHIBDiIjXjMSjP7oHa1vlUiDsBHGEIBNE/5L+hgi1HczqPap5fMOmoN/x736de9wPoY8wEilpuDB4V/fwJQMOloeBPYWMoHXQyGzeG7VLPuUhsb3wAFpdFYf3hVNrXv0b4Prwfx9GflGBSXs6f3LlvlYfpOYYVYhw95MQnRnD0cqAxm+mRFGZeKzkfd1VIrBfP67oOxBhoij8n3iWjCwWINWCSXsLI85al3na+QaW8C+MvzWLp7PVqFgjOsqGyaAOtDV2ObDwEFUWH4IV3NdCyClRgFN3svbgS3YxtvwfPt2ZJIr5lhL2/pGnB9ULKACyd/RZUN5VSQp4UVbuXAvaRqEeS/AcYTz8b234ZIFQAaRjW4zhjCFwnGPshLCt8D6pbiwQRS+UxthR+UjBIA80/puHuW0VDw7Okj/8c5R7DfvdCbeNcCJvdwuV8jjJuilD+3cJPJAuEbsU+3KKiAA0Bbaam5WmWypaggVWjwZ2Lg2oUwcblMGeBpH2hhdqn2kXoaOzUnP2XCQJRtbqoekkJln6/NmNg9gth5vw2MRKcUhXnGBN2oA4XWSQ7nvqQZ75/UPO8JIZDlarxySTN5YaFZtuTKLt2lHxdS7E0IQsH0gluE31oLSodOfNRZhde5wga/ZklP+T0HIZKfAoEJWhczTiJxqBec+gzHTzDvY2YRjUuo5QFWheg3/2+zOugMkzmUcouwXqXqO8mEsRMcOSo41bSFUU1aCWJwjTuuKlJrUARaKn0DajwvgsVuL/VtJwrKMuhmebt2D4D3TULzIgDBi/OIxg5khXevVZbFWVD95rmWXgMlOgQ4kKFcxngEiTqaWss+CwCTX/CTtUoq/HqxhB/HfivtJxHUtO8FaPGN2D5TsHEIgF0K+atlJRg9SYiIGeQsdz46mRJjyFXacFw383kvBi/Gu2LAMvlgNtpXC6JQVjtJPzo+KVB58bshCIrSw25SOp6NjUNP8QYwXw6NWM34Oh3qW5BpiOwSZJrTLgtTaOwLL+LBIIdsq71Qgn8MqHRTWAItXcP4n7yDh63LFBNw9wGK8t6LGNJ0vRIERXn4HTdIqx9LjRSjHioEQ8lKZ1I1QEqzV3AHOijCIwFkhCYRoZFX1wufkcAQUvQXQoH0powRqbylp5WP4Qj0EOJs/BOaqZV4H5chHHlXMgz346/G5dg5AhXGJwMeE2U0OnAXtGKcXBEbVdqAz4+zNH5JA2p+milCQNBIb/UJGm5Wpr8Vrm8OGhVU44LTalXTgXOz3YqB6/CSrVQ1ZwBDjoTKov3oZwDeoYjXkN9jWwXOFO34lHnXizuhFDxHoDXKXiLukwR64UVvg8sceWsqNk/KqlvXcPAK+cm1HYTrgAZZl7xGwAtDhy1WpqH05Bjox644P8llP7AbC99Jz4rrS1GS+2XRM+F6qAXVvpacYkuAYenB3gkiltRSrwlbHMfBe16RPMjVYYDuRmP/P8aei9GxmU9q+U4EPwA5/9qlHwHFpeMOE7jEjzU0GR+x+AxmSonkvF2nI2YdcpK7xC5Sn7l3KMkENrDuLjUpK5nGYmuo3X7zwNuZGIYazOuVfuQnLeoTp9GuR28rageCoI9EFMWBGCmhP/Jwq4n0JpeGQZcyJrQrwjRHya1bR+jJXrQAIII6DolH09osIeF5ipHx+oCaG1Xs6pXGHQVLCZRy4Ml0IPbgAS3zoHy3ng9WFm6h2wM7iCFrZtgU1tIzSy0hBfNCu+bdGNzlWBkHanvCIIZSxWDvY9CGg9BzAW0/sAzTEReMgz9t5Qaz9Latt8h2bjHm2FOyYtW+5L0ghbfIoZ6FNz8C6Xanfjl77ERHTBzEggeMd/Edr9Y3gNNonNAeYGjkujW/CLfyVTQgzfIchBdJRDuPiSQfCUoKoufgxfby6DX6FEkis3oWS4v7YPb8CXGqHlV82I4o9VyPqyGK4t3yaoDy3AxLQYjOgD7W9ut8oQfbhzbDK6C7ejwYKDDE7a84Pj7yuKo2Nz1AKzKieLxqE182uSPv1J3scK3Do0gD4gDj1rykFg+s1OV8xUlf4ZA4xt4MsiFouJGuHKILPHMW3dAblGRcOstsKxgEI1tGXrPZ4JOY7DcF1J1VRL94nHIKz0+DqtQx2+3sANPAc2W0PBPUnaUk5V5wX27+phrvvqSNFHCowDcIoNrX+fT/t7BPNv453SydHSybjSan2q4ruzBifqx302MAK0JPoK7eCuv8NUlSp6EGZzYnJ0/XQig9/NHiHa1je3fJngsIl/V5yEn8zPaj0swnkOc4FSBIkzKk7Y8ZHUAPAVO1WfUsgtOFgLJCfb7+RWvVq7pF4OLwiBKe4DNDBOWPUh0z6Duxu9xFEwMveLRDr1y3MY5xl8x2dSfLFpOXjtJCUbKJFzrrUPC6uFicMG6HY4tPVm5nxBP/n7u8B2VtOiY0M9EX70wAp4CN4X9msllqs5gAP+jZeKxkavTiTqn2zP/5LH1f7SUlOB4OxbRb8MgnH+1+pddD17KBd+p3iN9BIrACfWvuJvyzhygXV1OPnB0WafQzuiWtKxPasU9oE0bkHTGALraEeaEGNGQfBUEwJk/TD7DZux06hCYkOCJurXIb4EIfPf6yLCcip5YLjpySJF8B2xocG5xeWfsiWXkH8LZ3mNqJUcEK+kDrSRMMNwNNNfAzycOcjwCNFGf9rvPj8CXPn1GyH9pu2MrL5j2YdRRlMl4291XzGn8/OrbNWwEbARsBGwEbARsBGwEbARsBGwEbARsBGwEbARsBGwEbARsBL4eCPwPVA1/wgqb9w0AAAAASUVORK5CYII=", "integrationScript": {"commands": [{"arguments": [{"default": false, "deprecated": false, "description": "The username (samAccountName) of the user to modify", "name": "username", "required": true, "secret": false}, {"default": false, "deprecated": false, "description": "Root (e.g., DC=domain,DC=com)", "name": "base-dn", "required": false, "secret": false}], "cartesian": false, "deprecated": false, "description": "Expires the password of an Active Directory user.", "execution": false, "hidden": false, "important": null, "name": "ad-expire-password", "outputs": null, "permitted": false, "sensitive": false, "timeout": 0}, {"arguments": [{"default": false, "deprecated": false, "description": "The username (samAccountName) of the user to be modified", "name": "username", "required": true, "secret": false}, {"default": false, "deprecated": false, "description": "The initial password to set for the user. The user will be asked to change the password after login.", "name": "password", "required": true, "secret": false}, {"default": false, "deprecated": false, "description": "The user's DN", "name": "user-dn", "required": true, "secret": false}, {"default": false, "deprecated": false, "description": "The user's display name", "name": "display-name", "required": false, "secret": false}, {"default": false, "deprecated": false, "description": "Short description of the user", "name": "description", "required": false, "secret": false}, {"default": false, "deprecated": false, "description": "User email.", "name": "email", "required": false, "secret": false}, {"default": false, "deprecated": false, "description": "The user's telephone number", "name": "telephone-number", "required": false, "secret": false}, {"default": false, "deprecated": false, "description": "The user's job title", "name": "title", "required": false, "secret": false}, {"default": false, "deprecated": false, "description": "Sets basic or custom attributes of the user object. For example, custom-attributes=\"{\\\"notes\\\":\\\"a note about the contact\\\",\\\"company\\\":\\\"company name\\\"}\"", "name": "custom-attributes", "required": false, "secret": false}], "cartesian": false, "deprecated": false, "description": "Creates an Active Directory user. This command requires a secure connection (SSL,TLS). in order to use this command.", "execution": false, "hidden": false, "important": null, "name": "ad-create-user", "outputs": null, "permitted": false, "sensitive": false, "timeout": 0}, {"arguments": [{"default": false, "deprecated": false, "description": "Enables you to define search criteria in the Query Active Directory using Active Directory syntax. For example, the following query searches for all user objects, except Andy: \"(&(objectCategory=person)(objectClass=user)(!(cn=andy)))\". NOTE if you have special characters such as \"*\",\"(\",or \"\\\" the character must be preceded by two backslashes \"\\\\\". For example, to use \"*\", type \"\\\\*\". For more information about search filters, see syntax: https://docs.microsoft.com/en-us/windows/win32/adsi/search-filter-syntax", "name": "filter", "required": true, "secret": false}, {"default": false, "deprecated": false, "description": "Root (e.g. DC=domain,DC=com). By default, the Base DN configured for the instance will be used.", "name": "base-dn", "required": false, "secret": false}, {"default": false, "deprecated": false, "description": "CSV list of the object attributes to return, e.g., \"dn,memberOf\". To get all objects atributes, specify 'ALL'.", "name": "attributes", "required": false, "secret": false}, {"default": false, "defaultValue": "50", "deprecated": false, "description": "Maximum number of records to return", "name": "size-limit", "required": false, "secret": false}, {"default": false, "deprecated": false, "description": "Maximum time to pull records (in seconds)", "name": "time-limit", "required": false, "secret": false}, {"auto": "PREDEFINED", "default": false, "defaultValue": "yes", "deprecated": false, "description": "If set to 'no' will not output the the results of the search to the context.", "name": "context-output", "predefined": ["yes", "no"], "required": false, "secret": false}], "cartesian": false, "deprecated": false, "description": "Runs Active Directory queries.", "execution": false, "hidden": false, "important": null, "name": "ad-search", "outputs": [{"contentPath": "", "contextPath": "ActiveDirectory.Search.dn", "description": "The distinguished names that match the query.", "type": "string"}, {"contentPath": "", "contextPath": "ActiveDirectory.Search", "description": "Result of the search.", "type": "unknown"}], "permitted": false, "sensitive": false, "timeout": 0}, {"arguments": [{"default": false, "deprecated": false, "description": "The username of the user to add to the group. If this argument is not specified, the computer name argument must be specified.\t", "name": "username", "required": false, "secret": false}, {"default": false, "deprecated": false, "description": "The name of the computer to add to the group. If this argument is not specified, the username argument must be specified.", "name": "computer-name", "required": false, "secret": false}, {"default": false, "deprecated": false, "description": "The name of the group to add the user to", "name": "group-cn", "required": true, "secret": false}, {"default": false, "deprecated": false, "description": "Root (e.g., DC=domain,DC=com). By default, the Base DN configured for the instance will be used.", "name": "base-dn", "required": false, "secret": false}], "cartesian": false, "deprecated": false, "description": "Adds an Active Directory user or computer to a group.", "execution": false, "hidden": false, "important": null, "name": "ad-add-to-group", "outputs": null, "permitted": false, "sensitive": false, "timeout": 0}, {"arguments": [{"default": false, "deprecated": false, "description": "The name of the user to remove from the group. If this argument is not specified, the computer name argument must be specified.\t", "name": "username", "required": false, "secret": false}, {"default": false, "deprecated": false, "description": "The name of the computer to remove from the group. If this argument is not specified, the username argument must be specified.", "name": "computer-name", "required": false, "secret": false}, {"default": false, "deprecated": false, "description": "The name of the group to remove the user from\t", "name": "group-cn", "required": true, "secret": false}, {"default": false, "deprecated": false, "description": "Root (e.g., DC=domain,DC=com). By default, the Base DN configured for the instance will be used.", "name": "base-dn", "required": false, "secret": false}], "cartesian": false, "deprecated": false, "description": "Removes an Active Directory user or computer from a group.", "execution": false, "hidden": false, "important": null, "name": "ad-remove-from-group", "outputs": null, "permitted": false, "sensitive": false, "timeout": 0}, {"arguments": [{"default": false, "deprecated": false, "description": "The username of the account to update (sAMAccountName)\t", "name": "username", "required": true, "secret": false}, {"default": false, "deprecated": false, "description": "The name of the attribute to modify (e.g., sn, displayName, mail, etc.)", "name": "attribute-name", "required": true, "secret": false}, {"default": false, "deprecated": false, "description": "The value the attribute should be changed to\t", "name": "attribute-value", "required": true, "secret": false}, {"default": false, "deprecated": false, "description": "Root (e.g. DC=domain,DC=com). By default, the Base DN configured for the instance will be used.", "name": "base-dn", "required": false, "secret": false}], "cartesian": false, "deprecated": false, "description": "Updates attributes of an existing Active Directory user.", "execution": false, "hidden": false, "important": null, "name": "ad-update-user", "outputs": null, "permitted": false, "sensitive": false, "timeout": 0}, {"arguments": [{"default": false, "deprecated": false, "description": "The DN of the user to delete", "name": "user-dn", "required": true, "secret": false}], "cartesian": false, "deprecated": false, "description": "Deletes an Active Directory user.", "execution": false, "hidden": false, "important": null, "name": "ad-delete-user", "outputs": null, "permitted": false, "sensitive": false, "timeout": 0}, {"arguments": [{"default": false, "deprecated": false, "description": "The contact's DN\t", "name": "contact-dn", "required": true, "secret": false}, {"default": false, "deprecated": false, "description": "The contact's display name\t", "name": "display-name", "required": false, "secret": false}, {"default": false, "deprecated": false, "description": "Short description of the contact", "name": "description", "required": false, "secret": false}, {"default": false, "deprecated": false, "description": "The contact's email address", "name": "email", "required": false, "secret": false}, {"default": false, "deprecated": false, "description": "The contact's telephone number", "name": "telephone-number", "required": false, "secret": false}, {"default": false, "deprecated": false, "description": "Sets basic or custom attributes of the contact object. For example, custom-attributes=\"{\\\"notes\\\":\\\"some note about the contact\\\",\\\"company\\\":\\\"some company\\\"}\"", "name": "custom-attributes", "required": false, "secret": false}, {"default": false, "deprecated": false, "description": "The contact's job title", "name": "title", "required": false, "secret": false}], "cartesian": false, "deprecated": false, "description": "Creates an Active Directory contact.", "execution": false, "hidden": false, "important": null, "name": "ad-create-contact", "outputs": null, "permitted": false, "sensitive": false, "timeout": 0}, {"arguments": [{"default": false, "deprecated": false, "description": "The contact's DN\t", "name": "contact-dn", "required": true, "secret": false}, {"default": false, "deprecated": false, "description": "The attribute name to update\t", "name": "attribute-name", "required": true, "secret": false}, {"default": false, "deprecated": false, "description": "The attribute value to be updated\t", "name": "attribute-value", "required": true, "secret": false}], "cartesian": false, "deprecated": false, "description": "Updates attributes of an existing Active Directory contact.", "execution": false, "hidden": false, "important": null, "name": "ad-update-contact", "outputs": null, "permitted": false, "sensitive": false, "timeout": 0}, {"arguments": [{"default": false, "deprecated": false, "description": "The username of the account to disable (sAMAccountName)\t", "name": "username", "required": true, "secret": false}, {"default": false, "deprecated": false, "description": "Root (e.g., DC=domain,DC=com). By default, the Base DN configured for the instance will be used.", "name": "base-dn", "required": false, "secret": false}], "cartesian": false, "deprecated": false, "description": "Disables an Active Directory user account.", "execution": false, "hidden": false, "important": null, "name": "ad-disable-account", "outputs": null, "permitted": false, "sensitive": false, "timeout": 0}, {"arguments": [{"default": false, "deprecated": false, "description": "The username of the account to enable (sAMAccountName)\t", "name": "username", "required": true, "secret": false}, {"default": false, "deprecated": false, "description": "Root (e.g., DC=domain,DC=com). By default, the Base DN configured for the instance will be used.", "name": "base-dn", "required": false, "secret": false}], "cartesian": false, "deprecated": false, "description": "Enables a previously disabled Active Directory account.", "execution": false, "hidden": false, "important": null, "name": "ad-enable-account", "outputs": null, "permitted": false, "sensitive": false, "timeout": 0}, {"arguments": [{"default": false, "deprecated": false, "description": "The username of the account to unlock (sAMAccountName)\t", "name": "username", "required": true, "secret": false}, {"default": false, "deprecated": false, "description": "Root (e.g., DC=domain,DC=com). By default, the Base DN configured for the instance will be used.", "name": "base-dn", "required": false, "secret": false}], "cartesian": false, "deprecated": false, "description": "Unlocks a previously locked Active Directory user account.", "execution": false, "hidden": false, "important": null, "name": "ad-unlock-account", "outputs": null, "permitted": false, "sensitive": false, "timeout": 0}, {"arguments": [{"default": false, "deprecated": false, "description": "The username of the account to be disabled (sAMAccountName)\t", "name": "username", "required": true, "secret": false}, {"default": false, "deprecated": false, "description": "The password to set for the user\t", "name": "password", "required": true, "secret": false}, {"default": false, "deprecated": false, "description": "Root (e.g. DC=domain,DC=com). Base DN configured for the instance will be used as default.", "name": "base-dn", "required": false, "secret": false}], "cartesian": false, "deprecated": false, "description": "Sets a new password for an Active Directory user. This command requires a secure connection (SSL,TLS).", "execution": false, "hidden": false, "important": null, "name": "ad-set-new-password", "outputs": null, "permitted": false, "sensitive": false, "timeout": 0}, {"arguments": [{"default": false, "deprecated": false, "description": "The computer name\t", "name": "computer-name", "required": true, "secret": false}, {"default": false, "deprecated": false, "description": "Superior DN, e.g., OU=computers,DC=domain,DC=com (The specified domain must be the same as the current computer domain)", "name": "full-superior-dn", "required": false, "secret": false}], "cartesian": false, "deprecated": false, "description": "Modifies the computer organizational unit within a domain.", "execution": false, "hidden": false, "important": null, "name": "ad-modify-computer-ou", "outputs": null, "permitted": false, "sensitive": false, "timeout": 0}, {"arguments": [{"default": true, "deprecated": false, "description": "Query by the user's Active Directory Distinguished Name", "name": "dn", "required": false, "secret": false}, {"default": false, "deprecated": false, "description": "Query by the user's name", "name": "name", "required": false, "secret": false}, {"default": false, "deprecated": false, "description": "Include these AD attributes of the resulting objects in addition to the default attributes", "name": "attributes", "required": false, "secret": false}, {"default": false, "deprecated": false, "description": "Query users by this custom field type", "name": "custom-field-type", "required": false, "secret": false}, {"default": false, "deprecated": false, "description": "Query users by this custom field data (relevant only if the `custom-field-type` argument is provided)", "name": "custom-field-data", "required": false, "secret": false}, {"default": false, "deprecated": false, "description": "Query users by the samAccountName attribute", "name": "username", "required": false, "secret": false}, {"default": false, "deprecated": false, "description": "Maximum number of objects to return (default is 20)", "name": "limit", "required": false, "secret": false}, {"default": false, "deprecated": false, "description": "Query by the user's email address", "name": "email", "required": false, "secret": false}, {"auto": "PREDEFINED", "default": false, "defaultValue": "false", "deprecated": false, "description": "Include verbose translation for UserAccountControl flags", "name": "user-account-control-out", "predefined": ["true", "false"], "required": false, "secret": false}], "cartesian": false, "deprecated": false, "description": "Retrieves detailed information about a user account. The user can be specified by name, email address, or as an Active Directory Distinguished Name (DN). If no filter is specified, all users are returned.", "execution": false, "hidden": false, "important": null, "name": "ad-get-user", "outputs": [{"contentPath": "", "contextPath": "ActiveDirectory.Users.dn", "description": "The user's distinguished name", "type": "string"}, {"contentPath": "", "contextPath": "ActiveDirectory.Users.displayName", "description": "The user's display name", "type": "string"}, {"contentPath": "", "contextPath": "ActiveDirectory.Users.name", "description": "The user's common name", "type": "string"}, {"contentPath": "", "contextPath": "ActiveDirectory.Users.sAMAccountName", "description": "The user's sAMAccountName", "type": "string"}, {"contentPath": "", "contextPath": "ActiveDirectory.Users.userAccountControl", "description": "The user's account control flag", "type": "number"}, {"contentPath": "", "contextPath": "ActiveDirectory.Users.mail", "description": "The user's email address", "type": "string"}, {"contentPath": "", "contextPath": "ActiveDirectory.Users.manager", "description": "The user's manager", "type": "string"}, {"contentPath": "", "contextPath": "ActiveDirectory.Users.memberOf", "description": "Groups the user is member of", "type": "string"}, {"contentPath": "", "contextPath": "Account.DisplayName", "description": "The user's display name", "type": "string"}, {"contentPath": "", "contextPath": "Account.Groups", "description": "Groups the user is member of", "type": "string"}, {"contentPath": "", "contextPath": "Account.Manager", "description": "The user's manager", "type": "string"}, {"contentPath": "", "contextPath": "Account.ID", "description": "The user's distinguished name", "type": "string"}, {"contentPath": "", "contextPath": "Account.Username", "description": "The user's samAccountName", "type": "string"}, {"contentPath": "", "contextPath": "Account.Email", "description": "The user's email address", "type": "string"}], "permitted": false, "sensitive": false, "timeout": 0}, {"arguments": [{"default": false, "deprecated": false, "description": "The computer's DN", "name": "dn", "required": false, "secret": false}, {"default": false, "deprecated": false, "description": "Name of the computer to get information for", "name": "name", "required": false, "secret": false}, {"default": false, "deprecated": false, "description": "Include these AD attributes of the resulting objects in addition to the default attributes", "name": "attributes", "required": false, "secret": false}, {"default": false, "deprecated": false, "description": "Search computers by this custom field data (relevant only if the `customFieldType` argument is provided)", "name": "custom-field-data", "required": false, "secret": false}, {"default": false, "deprecated": false, "description": "Search computer by this custom field type", "name": "custom-field-type", "required": false, "secret": false}], "cartesian": false, "deprecated": false, "description": "Retrieves detailed information about a computer account. The computer can be specified by name, email address, or as an Active Directory Distinguished Name (DN). If no filters are provided, all computers are returned. ", "execution": false, "hidden": false, "important": null, "name": "ad-get-computer", "outputs": [{"contentPath": "", "contextPath": "ActiveDirectory.Computers.dn", "description": "The computer distinguished name", "type": ""}, {"contentPath": "", "contextPath": "ActiveDirectory.Computers.memberOf", "description": "Groups the computer is listed as a member", "type": ""}, {"contentPath": "", "contextPath": "ActiveDirectory.Computers.name", "description": "The computer name", "type": ""}, {"contentPath": "", "contextPath": "Endpoint.ID", "description": "The computer DN", "type": ""}, {"contentPath": "", "contextPath": "Endpoint.Hostname", "description": "The computer name", "type": ""}, {"contentPath": "", "contextPath": "Endpoint.Groups", "description": "Groups the computer is listed as a member of", "type": ""}], "permitted": false, "sensitive": false, "timeout": 0}, {"arguments": [{"default": false, "deprecated": false, "description": "Group's Active Directory Distinguished Name", "name": "group-dn", "required": true, "secret": false}, {"auto": "PREDEFINED", "default": false, "defaultValue": "person", "deprecated": false, "description": "Which members type to query", "name": "member-type", "predefined": ["person", "computer"], "required": true, "secret": false}, {"default": false, "deprecated": false, "description": "CSV list of attributes to include in the results, in addition to the default attributes", "name": "attributes", "required": false, "secret": false}], "cartesian": false, "deprecated": false, "description": "Retrieves the list of users or computers that are members of the specified group", "execution": false, "hidden": false, "important": null, "name": "ad-get-group-members", "outputs": [{"contentPath": "", "contextPath": "ActiveDirectory.Groups.dn", "description": "The group DN", "type": "string"}, {"contentPath": "", "contextPath": "ActiveDirectory.Groups.members.dn", "description": "The group member DN", "type": "string"}, {"contentPath": "", "contextPath": "ActiveDirectory.Groups.members.category", "description": "Person/computer", "type": "string"}], "permitted": false, "sensitive": false, "timeout": 0}], "dockerImage": "demisto/ldap:1.0.0.75", "isFetch": false, "isFetchCredentials": false, "longRunning": false, "longRunningPortMapping": false, "runOnce": false, "script": "\n\nfrom typing import *\nfrom ldap3 import Server, Connection, NTLM, SUBTREE, ALL_ATTRIBUTES, Tls, Entry\nfrom ldap3.extend import microsoft\nimport ssl\nfrom datetime import datetime\nimport traceback\nimport os\nfrom ldap3.utils.log import (set_library_log_detail_level, get_library_log_detail_level,\n set_library_log_hide_sensitive_data, EXTENDED)\n\n# global connection\nconn: Optional[Connection] = None\n\n''' GLOBAL VARS '''\n\n# userAccountControl is a bitmask used to store a number of settings.\n# find more at:\n# https://support.microsoft.com/en-gb/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulate-user-account-pro\n\nCOOMON_ACCOUNT_CONTROL_FLAGS = {\n 512: \"Enabled Account\",\n 514: \"Disabled account\",\n 544: \"Account Enabled - Require user to change password at first logon\",\n 4096: \"Workstation/server\",\n 66048: \"Enabled, password never expires\",\n 66050: \"Disabled, password never expires\",\n 66080: \"Enables, password never expires, password not required.\",\n 532480: \"Domain controller\"\n}\nNORMAL_ACCOUNT = 512\nDISABLED_ACCOUNT = 514\n\n# common attributes for specific AD objects\nDEFAULT_PERSON_ATTRIBUTES = [\n 'name',\n 'displayName',\n 'memberOf',\n 'mail',\n 'samAccountName',\n 'manager',\n 'userAccountControl'\n]\nDEFAULT_COMPUTER_ATTRIBUTES = [\n 'name',\n 'memberOf'\n]\n\n''' HELPER FUNCTIONS '''\n\n\ndef initialize_server(host, port, secure_connection, unsecure):\n \"\"\"\n uses the instance configuration to initialize the LDAP server\n\n :param host: host or ip\n :type host: string\n :param port: port or None\n :type port: number\n :param secure_connection: SSL or None\n :type secure_connection: string\n :param unsecure: trust any cert\n :type unsecure: boolean\n :return: ldap3 Server\n :rtype: Server\n \"\"\"\n\n if secure_connection == \"SSL\":\n # intialize server with ssl\n # port is configured by default as 389 or as 636 for LDAPS if not specified in configuration\n demisto.debug(\"initializing sever with ssl (unsecure: {}). port: {}\". format(unsecure, port or 'default(636)'))\n if not unsecure:\n demisto.debug(\"will require server certificate.\")\n tls = Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=os.environ.get('SSL_CERT_FILE'))\n if port:\n return Server(host, port=port, use_ssl=True, tls=tls)\n return Server(host, use_ssl=True, tls=tls)\n if port:\n return Server(host, port=port, use_ssl=True)\n return Server(host, use_ssl=True)\n demisto.debug(\"initializing server without secure connection. port: {}\". format(port or 'default(389)'))\n if port:\n return Server(host, port=port)\n return Server(host)\n\n\ndef account_entry(person_object, custome_attributes):\n # create an account entry from a person objects\n account = {\n 'Type': 'AD',\n 'ID': person_object.get('dn'),\n 'Email': person_object.get('mail'),\n 'Username': person_object.get('samAccountName'),\n 'DisplayName': person_object.get('displayName'),\n 'Managr': person_object.get('manager'),\n 'Manager': person_object.get('manager'),\n 'Groups': person_object.get('memberOf')\n }\n\n for attr in custome_attributes:\n account[attr] = person_object[attr]\n\n return account\n\n\ndef endpoint_entry(computer_object, custome_attributes):\n # create an endpoint entry from a computer object\n endpoint = {\n 'Type': 'AD',\n 'ID': computer_object.get('dn'),\n 'Hostname': computer_object.get('name'),\n 'Groups': computer_object.get('memberOf')\n }\n\n for attr in custome_attributes:\n endpoint[attr] = computer_object[attr]\n\n return endpoint\n\n\ndef base_dn_verified(base_dn):\n # serch AD with a simple query to test base DN is configured correctly\n try:\n search(\n \"(objectClass=user)\",\n base_dn,\n size_limit=1\n )\n except Exception as e:\n demisto.info(str(e))\n return False\n return True\n\n\n''' COMMANDS '''\n\n''' SEARCH '''\n\n\ndef search(search_filter, search_base, attributes=None, size_limit=0, time_limit=0):\n \"\"\"\n find entries in the DIT\n\n Args:\n search_base: the location in the DIT where the search will start\n search_filte: LDAP query string\n attributes: the attributes to specify for each entry found in the DIT\n\n \"\"\"\n assert conn is not None\n success = conn.search(\n search_base=search_base,\n search_filter=search_filter,\n attributes=attributes,\n size_limit=size_limit,\n time_limit=time_limit\n )\n\n if not success:\n raise Exception(\"Search failed\")\n return conn.entries\n\n\ndef search_with_paging(search_filter, search_base, attributes=None, page_size=100, size_limit=0, time_limit=0):\n \"\"\"\n find entries in the DIT\n\n Args:\n search_base: the location in the DIT where the search will start\n search_filte: LDAP query string\n attributes: the attributes to specify for each entrxy found in the DIT\n\n \"\"\"\n assert conn is not None\n total_entries = 0\n cookie = None\n start = datetime.now()\n\n entries: List[Entry] = []\n entries_left_to_fetch = size_limit\n while True:\n if 0 < entries_left_to_fetch < page_size:\n page_size = entries_left_to_fetch\n\n conn.search(\n search_base,\n search_filter,\n search_scope=SUBTREE,\n attributes=attributes,\n paged_size=page_size,\n paged_cookie=cookie\n )\n\n entries_left_to_fetch -= len(conn.entries)\n total_entries += len(conn.entries)\n cookie = conn.result['controls']['1.2.840.113556.1.4.319']['value']['cookie']\n time_diff = (start - datetime.now()).seconds\n\n entries.extend(conn.entries)\n\n # stop when: 1.reached size limit 2.reached time limit 3. no cookie\n if (size_limit and size_limit <= total_entries) or (time_limit and time_diff >= time_limit) or (not cookie):\n break\n\n # keep the raw entry for raw content (backward compatability)\n raw = []\n # flaten the entries\n flat = []\n\n for entry in entries:\n entry = json.loads(entry.entry_to_json())\n\n flat_entry = {\n 'dn': entry['dn']\n }\n\n for attr in entry.get('attributes', {}):\n flat_entry[attr] = entry['attributes'][attr]\n\n raw.append(entry)\n flat.append(flat_entry)\n\n return {\n \"raw\": raw,\n \"flat\": flat\n }\n\n\ndef user_dn(sam_account_name, search_base):\n search_filter = '(&(objectClass=user)(sAMAccountName={}))'.format(sam_account_name)\n entries = search(\n search_filter,\n search_base\n )\n if not entries:\n raise Exception(\"Could not get full DN for user with sAMAccountName '{}'\".format(sam_account_name))\n entry = json.loads(entries[0].entry_to_json())\n return entry['dn']\n\n\ndef computer_dn(compuer_name, search_base):\n search_filter = '(&(objectClass=user)(objectCategory=computer)(name={}))'.format(compuer_name)\n entries = search(\n search_filter,\n search_base\n )\n if not entries:\n raise Exception(\"Could not get full DN for computer with name '{}'\".format(compuer_name))\n entry = json.loads(entries[0].entry_to_json())\n return entry['dn']\n\n\ndef group_dn(group_name, search_base):\n search_filter = '(&(objectClass=group)(cn={}))'.format(group_name)\n entries = search(\n search_filter,\n search_base\n )\n if not entries:\n raise Exception(\"Could not get full DN for group with name '{}'\".format(group_name))\n entry = json.loads(entries[0].entry_to_json())\n return entry['dn']\n\n\ndef convert_special_chars_to_unicode(search_filter):\n # We allow users to use special chars without explicitly typing their unicode values\n chars_to_replace = {\n '\\\\(': '\\\\28',\n '\\\\)': '\\\\29',\n '\\\\*': '\\\\2a',\n '\\\\/': '\\\\2f',\n '\\\\\\\\': '\\\\5c'\n }\n for i, j in chars_to_replace.items():\n search_filter = search_filter.replace(i, j)\n\n return search_filter\n\n\ndef free_search(default_base_dn, page_size):\n\n args = demisto.args()\n\n search_filter = args.get('filter')\n size_limit = int(args.get('size-limit', '0'))\n time_limit = int(args.get('time-limit', '0'))\n search_base = args.get('base-dn') or default_base_dn\n attributes = args.get('attributes')\n context_output = args.get('context-output')\n\n search_filter = convert_special_chars_to_unicode(search_filter)\n\n # if ALL was specified - get all the object's attributes, else expect a string of comma separated values\n if attributes:\n attributes = ALL_ATTRIBUTES if attributes == 'ALL' else attributes.split(',')\n\n entries = search_with_paging(\n search_filter,\n search_base,\n attributes=attributes,\n size_limit=size_limit,\n time_limit=time_limit,\n page_size=page_size\n )\n\n ec = {} if context_output == 'no' else {'ActiveDirectory.Search(obj.dn == val.dn)': entries['flat']}\n demisto_entry = {\n 'ContentsFormat': formats['json'],\n 'Type': entryTypes['note'],\n 'Contents': entries['raw'],\n 'ReadableContentsFormat': formats['markdown'],\n 'HumanReadable': tableToMarkdown(\"Active Directory Search\", entries['flat']),\n 'EntryContext': ec\n }\n demisto.results(demisto_entry)\n\n\ndef search_users(default_base_dn, page_size):\n # this command is equivalant to script ADGetUser\n # will preform a custom search to find users by a specific (one) attribute specified by the user\n\n args = demisto.args()\n\n attributes: List[str] = []\n custom_attributes: List[str] = []\n\n # zero is actually no limitation\n limit = int(args.get('limit', '0'))\n\n # default query - list all users\n query = \"(&(objectClass=User)(objectCategory=person))\"\n\n # query by user DN\n if args.get('dn'):\n query = \"(&(objectClass=User)(objectCategory=person)(distinguishedName={}))\".format(args['dn'])\n\n # query by name\n if args.get('name'):\n query = \"(&(objectClass=User)(objectCategory=person)(cn={}))\".format(args['name'])\n\n # query by email\n if args.get('email'):\n query = \"(&(objectClass=User)(objectCategory=person)(mail={}))\".format(args['email'])\n\n # query by sAMAccountName\n if args.get('username'):\n query = \"(&(objectClass=User)(objectCategory=person)(sAMAccountName={}))\".format(args['username'])\n\n # query by custom object attribute\n if args.get('custom-field-type'):\n if not args.get('custom-field-data'):\n raise Exception('Please specify \"custom-field-data\" as well when quering by \"custom-field-type\"')\n query = \"(&(objectClass=User)(objectCategory=person)({}={}))\".format(\n args['custom-field-type'], args['custom-field-data'])\n\n if args.get('attributes'):\n custom_attributes = args['attributes'].split(\",\")\n\n attributes = list(set(custom_attributes + DEFAULT_PERSON_ATTRIBUTES))\n\n entries = search_with_paging(\n query,\n default_base_dn,\n attributes=attributes,\n size_limit=limit,\n page_size=page_size\n )\n\n accounts = [account_entry(entry, custom_attributes) for entry in entries['flat']]\n\n if args.get('user-account-control-out', '') == 'true':\n # display a literal translation of the numeric account control flag\n for i, user in enumerate(entries['flat']):\n flag_no = user.get('userAccountControl')[0]\n entries['flat'][i]['userAccountControl'] = COOMON_ACCOUNT_CONTROL_FLAGS.get(flag_no) or flag_no\n\n demisto_entry = {\n 'ContentsFormat': formats['json'],\n 'Type': entryTypes['note'],\n 'Contents': entries['raw'],\n 'ReadableContentsFormat': formats['markdown'],\n 'HumanReadable': tableToMarkdown(\"Active Directory - Get Users\", entries['flat']),\n 'EntryContext': {\n 'ActiveDirectory.Users(obj.dn == val.dn)': entries['flat'],\n # 'backward compatability' with ADGetUser script\n 'Account(obj.ID == val.ID)': accounts\n }\n }\n demisto.results(demisto_entry)\n\n\ndef search_computers(default_base_dn, page_size):\n # this command is equivalent to ADGetComputer script\n\n args = demisto.args()\n\n attributes: List[str] = []\n custome_attributes: List[str] = []\n\n # default query - list all users (computer category)\n query = \"(&(objectClass=user)(objectCategory=computer))\"\n\n # query by user DN\n if args.get('dn'):\n query = \"(&(objectClass=user)(objectCategory=computer)(dn={}))\".format(args['dn'])\n\n # query by name\n if args.get('name'):\n query = \"(&(objectClass=user)(objectCategory=computer)(name={}))\".format(args['name'])\n\n # query by custom object attribute\n if args.get('custom-field-type'):\n if not args.get('custom-field-data'):\n raise Exception('Please specify \"custom-field-data\" as well when quering by \"custom-field-type\"')\n query = \"(&(objectClass=user)(objectCategory=computer)({}={}))\".format(\n args['custom-field-type'], args['ustom-field-data'])\n\n if args.get('attributes'):\n custome_attributes = args['attributes'].split(\",\")\n\n attributes = list(set(custome_attributes + DEFAULT_COMPUTER_ATTRIBUTES))\n\n entries = search_with_paging(\n query,\n default_base_dn,\n attributes=attributes,\n page_size=page_size\n )\n\n endpoints = [endpoint_entry(entry, custome_attributes) for entry in entries['flat']]\n\n demisto_entry = {\n 'ContentsFormat': formats['json'],\n 'Type': entryTypes['note'],\n 'Contents': entries['raw'],\n 'ReadableContentsFormat': formats['markdown'],\n 'HumanReadable': tableToMarkdown(\"Active Directory - Get Computers\", entries['flat']),\n 'EntryContext': {\n 'ActiveDirectory.Computers(obj.dn == val.dn)': entries['flat'],\n # 'backward compatability' with ADGetComputer script\n 'Endpoint(obj.ID == val.ID)': endpoints\n }\n }\n demisto.results(demisto_entry)\n\n\ndef search_group_members(default_base_dn, page_size):\n # this command is equivalent to ADGetGroupMembers script\n\n args = demisto.args()\n member_type = args.get('member-type')\n group_dn = args.get('group-dn')\n\n custome_attributes: List[str] = []\n default_attributes = DEFAULT_PERSON_ATTRIBUTES if member_type == 'person' else DEFAULT_COMPUTER_ATTRIBUTES\n\n if args.get('attributes'):\n custome_attributes = args['attributes'].split(\",\")\n\n attributes = list(set(custome_attributes + default_attributes))\n\n # neasted search\n query = \"(&(objectCategory={})(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:={}))\".format(member_type,\n group_dn)\n\n entries = search_with_paging(\n query,\n default_base_dn,\n attributes=attributes,\n page_size=page_size\n )\n\n members = [{'dn': entry['dn'], 'category': member_type} for entry in entries['flat']]\n\n demisto_entry = {\n 'ContentsFormat': formats['json'],\n 'Type': entryTypes['note'],\n 'Contents': entries['raw'],\n 'ReadableContentsFormat': formats['markdown'],\n 'HumanReadable': tableToMarkdown(\"Active Directory - Get Group Members\", entries['flat']),\n 'EntryContext': {\n 'ActiveDirectory.Groups(obj.dn ==' + group_dn + ')': {\n 'dn': group_dn,\n 'members': members\n }\n }\n }\n\n if member_type == 'person':\n demisto_entry['EntryContext']['ActiveDirectory.Users(obj.dn == val.dn)'] = entries['flat']\n demisto_entry['EntryContext']['Account'] = [account_entry(\n entry, custome_attributes) for entry in entries['flat']]\n else:\n demisto_entry['EntryContext']['ActiveDirectory.Computers(obj.dn == val.dn)'] = entries['flat']\n demisto_entry['EntryContext']['Endpoint'] = [endpoint_entry(\n entry, custome_attributes) for entry in entries['flat']]\n\n demisto.results(demisto_entry)\n\n\n''' DATABASE OPERATIONS '''\n\n''' CREATE OBJECT'''\n\n\ndef create_user():\n assert conn is not None\n args = demisto.args()\n\n object_classes = [\"top\", \"person\", \"organizationalPerson\", \"user\"]\n user_dn = args.get('user-dn')\n username = args.get(\"username\")\n password = args.get(\"password\")\n custome_attributes = args.get('custom-attributes')\n attributes = {\n \"samAccountName\": username\n }\n\n # set common user attributes\n if args.get('display-name'):\n attributes['displayName'] = args['display-name']\n if args.get('description'):\n attributes['description'] = args['description']\n if args.get('email'):\n attributes['mail'] = args['email']\n if args.get('telephone-number'):\n attributes['telephoneNumber'] = args['telephone-number']\n if args.get('title'):\n attributes['title'] = args['title']\n\n # set user custome attributes\n if custome_attributes:\n try:\n custome_attributes = json.loads(custome_attributes)\n except Exception as e:\n demisto.info(str(e))\n raise Exception(\n \"Failed to parse custom attributes argument. Please see an example of this argument in the description.\"\n )\n for attribute_name, attribute_value in custome_attributes.items():\n # can run default attribute stting\n attributes[attribute_name] = attribute_value\n\n # add user\n success = conn.add(user_dn, object_classes, attributes)\n if not success:\n raise Exception(\"Failed to create user\")\n\n # set user password\n success = conn.extend.microsoft.modify_password(user_dn, password)\n if not success:\n raise Exception(\"Failed to reset user password\")\n\n # enable user and expire password\n modification = {\n # enable user\n 'userAccountControl': [('MODIFY_REPLACE', NORMAL_ACCOUNT)],\n # set to 0, to force password change on next login\n \"pwdLastSet\": [('MODIFY_REPLACE', \"0\")]\n }\n modify_object(user_dn, modification)\n\n demisto_entry = {\n 'ContentsFormat': formats['text'],\n 'Type': entryTypes['note'],\n 'Contents': \"Created user with DN: {}\".format(user_dn)\n }\n demisto.results(demisto_entry)\n\n\ndef create_contact():\n assert conn is not None\n args = demisto.args()\n\n object_classes = [\"top\", \"person\", \"organizationalPerson\", \"contact\"]\n contact_dn = args.get('contact-dn')\n\n # set contact attributes\n attributes: Dict = {}\n if args.get('custom-attributes'):\n try:\n attributes = json.loads(args['custom-attributes'])\n except Exception as e:\n demisto.info(str(e))\n raise Exception(\n 'Failed to parse custom attributes argument. Please see an example of this argument in the argument.'\n )\n\n # set common user attributes\n if args.get('display-name'):\n attributes['displayName'] = args['display-name']\n if args.get('description'):\n attributes['description'] = args['description']\n if args.get('email'):\n attributes['mail'] = args['email']\n if args.get('telephone-number'):\n attributes['telephoneNumber'] = args['telephone-number']\n if args.get('title'):\n attributes['title'] = args['title']\n\n # add contact\n\n success = conn.add(contact_dn, object_classes, attributes)\n if not success:\n raise Exception(\"Failed to create contact\")\n\n demisto_entry = {\n 'ContentsFormat': formats['text'],\n 'Type': entryTypes['note'],\n 'Contents': \"Created contact with DN: {}\".format(contact_dn)\n }\n demisto.results(demisto_entry)\n\n\n''' UPDATE OBJECT '''\n\n\ndef modify_object(dn, modification):\n \"\"\"\n modifys object in the DIT\n \"\"\"\n assert conn is not None\n success = conn.modify(dn, modification)\n if not success:\n raise Exception(\"Failed to update object {} with the following modofication: {}\".format(\n dn, json.dumps(modification)))\n\n\ndef update_user(default_base_dn):\n args = demisto.args()\n\n # get user DN\n sam_account_name = args.get('username')\n attribute_name = args.get('attribute-name')\n attribute_value = args.get('attribute-value')\n search_base = args.get('base-dn') or default_base_dn\n dn = user_dn(sam_account_name, search_base)\n\n modification = {}\n modification[attribute_name] = [('MODIFY_REPLACE', attribute_value)]\n\n # modify user\n modify_object(dn, modification)\n\n demisto_entry = {\n 'ContentsFormat': formats['text'],\n 'Type': entryTypes['note'],\n 'Contents': \"Updated user's {} to {} \".format(attribute_name, attribute_value)\n }\n demisto.results(demisto_entry)\n\n\ndef update_contact():\n args = demisto.args()\n\n contact_dn = args.get('contact-dn')\n modification = {}\n modification[args.get('attribute-name')] = [('MODIFY_REPLACE', args.get('attribute-value'))]\n\n # modify\n modify_object(contact_dn, modification)\n\n demisto_entry = {\n 'ContentsFormat': formats['text'],\n 'Type': entryTypes['note'],\n 'Contents': \"Updated contact's {} to: {} \".format(args.get('attribute-name'), args.get('attribute-value'))\n }\n demisto.results(demisto_entry)\n\n\ndef modify_computer_ou(default_base_dn):\n assert conn is not None\n args = demisto.args()\n\n computer_name = args.get('computer-name')\n dn = computer_dn(computer_name, args.get('base-dn') or default_base_dn)\n\n success = conn.modify_dn(dn, \"CN={}\".format(computer_name), new_superior=args.get('full-superior-dn'))\n if not success:\n raise Exception(\"Failed to modify computer OU\")\n\n demisto_entry = {\n 'ContentsFormat': formats['text'],\n 'Type': entryTypes['note'],\n 'Contents': \"Moved computer {} to {}\".format(computer_name, args.get('full-superior-dn'))\n }\n demisto.results(demisto_entry)\n\n\ndef expire_user_password(default_base_dn):\n args = demisto.args()\n\n # get user DN\n sam_account_name = args.get('username')\n search_base = args.get('base-dn') or default_base_dn\n dn = user_dn(sam_account_name, search_base)\n\n modification = {\n # set to 0, to force password change on next login\n \"pwdLastSet\": [('MODIFY_REPLACE', \"0\")]\n }\n\n # modify user\n modify_object(dn, modification)\n\n demisto_entry = {\n 'ContentsFormat': formats['text'],\n 'Type': entryTypes['note'],\n 'Contents': \"Expired password successfully\"\n }\n demisto.results(demisto_entry)\n\n\ndef set_user_password(default_base_dn):\n assert conn is not None\n args = demisto.args()\n\n # get user DN\n sam_account_name = args.get('username')\n password = args.get('password')\n search_base = args.get('base-dn') or default_base_dn\n dn = user_dn(sam_account_name, search_base)\n\n # set user password\n success = conn.extend.microsoft.modify_password(dn, password)\n if not success:\n raise Exception(\"Failed to reset user password\")\n\n demisto_entry = {\n 'ContentsFormat': formats['text'],\n 'Type': entryTypes['note'],\n 'Contents': \"User password successfully set\"\n }\n demisto.results(demisto_entry)\n\n\ndef enable_user(default_base_dn):\n args = demisto.args()\n\n # get user DN\n sam_account_name = args.get('username')\n search_base = args.get('base-dn') or default_base_dn\n dn = user_dn(sam_account_name, search_base)\n\n # modify user\n modification = {\n 'userAccountControl': [('MODIFY_REPLACE', NORMAL_ACCOUNT)]\n }\n modify_object(dn, modification)\n\n demisto_entry = {\n 'ContentsFormat': formats['text'],\n 'Type': entryTypes['note'],\n 'Contents': \"User {} was enabled\".format(sam_account_name)\n }\n demisto.results(demisto_entry)\n\n\ndef disable_user(default_base_dn):\n args = demisto.args()\n\n # get user DN\n sam_account_name = args.get('username')\n search_base = args.get('base-dn') or default_base_dn\n dn = user_dn(sam_account_name, search_base)\n\n # modify user\n modification = {\n 'userAccountControl': [('MODIFY_REPLACE', DISABLED_ACCOUNT)]\n }\n modify_object(dn, modification)\n\n demisto_entry = {\n 'ContentsFormat': formats['text'],\n 'Type': entryTypes['note'],\n 'Contents': \"User {} was disabled\".format(sam_account_name)\n }\n demisto.results(demisto_entry)\n\n\ndef add_member_to_group(default_base_dn):\n\n args = demisto.args()\n\n search_base = args.get('base-dn') or default_base_dn\n\n # get the dn of the member - either user or computer\n args_err = \"Pleade provide either username or computer-name\"\n member_dn = ''\n\n if args.get('username') and args.get('computer-name'):\n # both arguments passed\n raise Exception(args_err)\n if args.get('username'):\n member_dn = user_dn(args['username'], search_base)\n elif args.get('computer-name'):\n member_dn = computer_dn(args['computer-name'], search_base)\n else:\n # none of the arguments passed\n raise Exception(args_err)\n\n grp_dn = group_dn(args.get('group-cn'), search_base)\n\n success = microsoft.addMembersToGroups.ad_add_members_to_groups(conn, [member_dn], [grp_dn])\n if not success:\n raise Exception(\"Failed to add {} to group {]}\".format(\n args.get('username') or args.get('computer-name'),\n args.get('group_name')\n ))\n\n demisto_entry = {\n 'ContentsFormat': formats['text'],\n 'Type': entryTypes['note'],\n 'Contents': \"Object with dn {} was added to group {}\".format(member_dn, args.get('group-cn'))\n }\n demisto.results(demisto_entry)\n\n\ndef remove_member_from_group(default_base_dn):\n\n args = demisto.args()\n\n search_base = args.get('base-dn') or default_base_dn\n\n # get the dn of the member - either user or computer\n args_err = \"Pleade provide either username or computer-name\"\n member_dn = ''\n\n if args.get('username') and args.get('computer-name'):\n # both arguments passed\n raise Exception(args_err)\n if args.get('username'):\n member_dn = user_dn(args['username'], search_base)\n elif args.get('computer-name'):\n member_dn = computer_dn(args['computer-name'], search_base)\n else:\n # none of the arguments passed\n raise Exception(args_err)\n\n grp_dn = group_dn(args.get('group-cn'), search_base)\n\n success = microsoft.removeMembersFromGroups.ad_remove_members_from_groups(conn, [member_dn], [grp_dn], True)\n if not success:\n raise Exception(\"Failed to remove {member} from group {group_name}\".format({\n \"member\": args.get('username') or args.get('computer-name'),\n \"group_name\": args.get('group_name')\n }))\n\n demisto_entry = {\n 'ContentsFormat': formats['text'],\n 'Type': entryTypes['note'],\n 'Contents': \"Object with dn {} removed from group {}\".format(member_dn, args.get('group-cn'))\n }\n demisto.results(demisto_entry)\n\n\ndef unlock_account(default_base_dn):\n args = demisto.args()\n\n # get user DN\n sam_account_name = args.get('username')\n search_base = args.get('base-dn') or default_base_dn\n dn = user_dn(sam_account_name, search_base)\n\n success = microsoft.unlockAccount.ad_unlock_account(conn, dn)\n if not success:\n raise Exception(\"Failed to unlock user {}\".format(sam_account_name))\n\n demisto_entry = {\n 'ContentsFormat': formats['text'],\n 'Type': entryTypes['note'],\n 'Contents': \"Unlocked user {}\".format(sam_account_name)\n }\n demisto.results(demisto_entry)\n\n\n''' DELETE OBJECT '''\n\n\ndef delete_user():\n # can acually delete any object...\n assert conn is not None\n success = conn.delete(demisto.args().get('user-dn'))\n if not success:\n raise Exception('Failed to delete user')\n\n demisto_entry = {\n 'ContentsFormat': formats['text'],\n 'Type': entryTypes['note'],\n 'Contents': \"Deleted object with dn {}\".format(demisto.args().get('user-dn'))\n }\n demisto.results(demisto_entry)\n\n\n'''\n TEST CONFIGURATION\n authenticate user credentials while initializing connection wiith AD server\n verify base DN is configured correctly\n'''\n\n\ndef main():\n ''' INSTANCE CONFIGURATION '''\n SERVER_IP = demisto.params().get('server_ip')\n USERNAME = demisto.params().get('credentials')['identifier']\n PASSWORD = demisto.params().get('credentials')['password']\n DEFAULT_BASE_DN = demisto.params().get('base_dn')\n SECURE_CONNECTION = demisto.params().get('secure_connection')\n DEFAULT_PAGE_SIZE = int(demisto.params().get('page_size'))\n NTLM_AUTH = demisto.params().get('ntlm')\n UNSECURE = demisto.params().get('unsecure', False)\n PORT = demisto.params().get('port')\n\n if PORT:\n # port was configured, cast to int\n PORT = int(PORT)\n last_log_detail_level = None\n try:\n try:\n set_library_log_hide_sensitive_data(True)\n if is_debug_mode():\n demisto.info('debug-mode: setting library log detail to EXTENDED')\n last_log_detail_level = get_library_log_detail_level()\n set_library_log_detail_level(EXTENDED)\n server = initialize_server(SERVER_IP, PORT, SECURE_CONNECTION, UNSECURE)\n except Exception as e:\n return_error(str(e))\n return\n global conn\n if NTLM_AUTH:\n # intialize connection to LDAP server with NTLM authentication\n # user example: domain\\user\n domain_user = SERVER_IP + '\\\\' + USERNAME if '\\\\' not in USERNAME else USERNAME\n conn = Connection(server, user=domain_user, password=PASSWORD, authentication=NTLM)\n else:\n # here username should be the user dn\n conn = Connection(server, user=USERNAME, password=PASSWORD)\n\n # bind operation is the \u201cauthenticate\u201d operation.\n try:\n # open socket and bind to server\n if not conn.bind():\n message = \"Failed to bind to server. Please validate the credentials configured correctly.\\n{}\".format(\n json.dumps(conn.result))\n return_error(message)\n return\n except Exception as e:\n exc_msg = str(e)\n demisto.info(\"Failed bind to: {}:{}. {}: {}\".format(SERVER_IP, PORT, type(e), exc_msg\n + \"\\nTrace:\\n{}\".format(traceback.format_exc())))\n message = \"Failed to access LDAP server. Please validate the server host and port are configured correctly\"\n if 'ssl wrapping error' in exc_msg:\n message = \"Failed to access LDAP server. SSL error.\"\n if not UNSECURE:\n message += ' Try using: \"Trust any certificate\" option.'\n return_error(message)\n return\n\n demisto.info('Established connection with AD LDAP server')\n\n if not base_dn_verified(DEFAULT_BASE_DN):\n message = \"Failed to verify the base DN configured for the instance.\\n\" \\\n \"Last connection result: {}\\n\" \\\n \"Last error from LDAP server: {}\".format(json.dumps(conn.result), json.dumps(conn.last_error))\n return_error(message)\n return\n\n demisto.info('Verfied base DN \"{}\"'.format(DEFAULT_BASE_DN))\n\n ''' COMMAND EXECUTION '''\n\n if demisto.command() == 'test-module':\n if conn.user == '':\n # Empty response means you have no authentication status on the server, so you are an anonymous user.\n raise Exception(\"Failed to authenticate user\")\n demisto.results('ok')\n\n if demisto.command() == 'ad-search':\n free_search(DEFAULT_BASE_DN, DEFAULT_PAGE_SIZE)\n\n if demisto.command() == 'ad-expire-password':\n expire_user_password(DEFAULT_BASE_DN)\n\n if demisto.command() == 'ad-set-new-password':\n set_user_password(DEFAULT_BASE_DN)\n\n if demisto.command() == 'ad-unlock-account':\n unlock_account(DEFAULT_BASE_DN)\n\n if demisto.command() == 'ad-disable-account':\n disable_user(DEFAULT_BASE_DN)\n\n if demisto.command() == 'ad-enable-account':\n enable_user(DEFAULT_BASE_DN)\n\n if demisto.command() == 'ad-remove-from-group':\n remove_member_from_group(DEFAULT_BASE_DN)\n\n if demisto.command() == 'ad-add-to-group':\n add_member_to_group(DEFAULT_BASE_DN)\n\n if demisto.command() == 'ad-create-user':\n create_user()\n\n if demisto.command() == 'ad-delete-user':\n delete_user()\n\n if demisto.command() == 'ad-update-user':\n update_user(DEFAULT_BASE_DN)\n\n if demisto.command() == 'ad-modify-computer-ou':\n modify_computer_ou(DEFAULT_BASE_DN)\n\n if demisto.command() == 'ad-create-contact':\n create_contact()\n\n if demisto.command() == 'ad-update-contact':\n update_contact()\n\n if demisto.command() == 'ad-get-user':\n search_users(DEFAULT_BASE_DN, DEFAULT_PAGE_SIZE)\n\n if demisto.command() == 'ad-get-computer':\n search_computers(DEFAULT_BASE_DN, DEFAULT_PAGE_SIZE)\n\n if demisto.command() == 'ad-get-group-members':\n search_group_members(DEFAULT_BASE_DN, DEFAULT_PAGE_SIZE)\n\n except Exception as e:\n message = str(e)\n if conn:\n message += \"\\nLast connection result: {}\\nLast error from LDAP server: {}\".format(\n json.dumps(conn.result), conn.last_error)\n return_error(message)\n return\n finally:\n # disconnect and close the connection\n if conn:\n conn.unbind()\n if last_log_detail_level:\n set_library_log_detail_level(last_log_detail_level)\n\n\n# python2 uses __builtin__ python3 uses builtins\nif __name__ == \"__builtin__\" or __name__ == \"builtins\":\n main()", "subtype": "python3", "type": "python"}, "modified": "2019-10-18T15:51:33.995147038-04:00", "name": "Active Directory Query v2", "prevName": "Active Directory Query v2", "shouldCommit": false, "sortValues": null, "system": true, "vcShouldIgnore": false, "version": 8}, {"brand": "", "canGetSamples": true, "category": "Messaging", "commitMessage": "", "configuration": [{"defaultValue": "", "display": "Server IP (e.g. 192.168.0.1)", "hidden": false, "name": "hostname", "options": null, "required": true, "type": 0}, {"defaultValue": "61613", "display": "Port", "hidden": false, "name": "port", "options": null, "required": false, "type": 0}, {"defaultValue": "", "display": "Username", "hidden": false, "name": "credentials", "options": null, "required": false, "type": 9}, {"defaultValue": "Demisto", "display": "Client ID", "hidden": false, "name": "client-id", "options": null, "required": false, "type": 0}, {"defaultValue": "1", "display": "Subscription ID", "hidden": false, "name": "subscription-id", "options": null, "required": false, "type": 0}, {"defaultValue": "", "display": "Topic Name (for subscription)", "hidden": false, "name": "topic-name", "options": null, "required": false, "type": 0}, {"defaultValue": "", "display": "Fetch incidents", "hidden": false, "name": "isFetch", "options": null, "required": false, "type": 8}, {"defaultValue": "", "display": "Incident type", "hidden": false, "name": "incidentType", "options": null, "required": false, "type": 13}, {"defaultValue": "false", "display": "Use system proxy settings", "hidden": false, "name": "proxy", "options": null, "required": false, "type": 8}], "description": "Integration with ActiveMQ queue", "detailedDescription": "This integration uses ActiveMQ STOMP protocol, that must be enabled (usually port 61613 by default) in order to work.\nFetch incidents is based on using Durable Topic Subscribers, in order to fetch messages, and convert to Demisto incidents.", "display": "ActiveMQ", "hidden": false, "icon": "", "id": "ActiveMQ", "image": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAHgAAAAyCAYAAACXpx/YAAAAAXNSR0IArs4c6QAAEzhJREFUeAHtWwl4FVWWPrW/l4QXQthJgEAIgbDFoLIqQQQj4uAC7kqPjfbYKtrMSPeIgnQ32h9uKNrdtti2IzRuSKO4K5sDqIiQhNWAEEA0BEhC8vLeq63/U6mqvASYTxnIfN/4TvjfvffUrXurzrnnnLsURAlKSCAhgYQEEhJISCAhgYQEEhJISCAhgR8nAeHHVW9auyR30DBJoJVEtmrzJRtEFOasKAi6LuiXDNy27TMuJ+j/RgLi6XY729GhdZ8sCg3K5YYEh5Lxm6yIUmvZkmZA4f+rQXS6z5e4r0ECpy384pz+E1VRWmoJtuBYbzOJcsOiLVgG6RP77dj6VrPLiWILSeC0LHhDdnYIlvtbQRJOqlx+dla6KAki2dKcLR0GJLfQ+yS6aSaB01Jwspx0pyrJ/QzL8puzdYPsaJRs0/R5Oq5rsjRIaGPe5jMTmRaVwI9WcHH3/rm4abpuNTpmOxqj4HkF1Hn+YxQcnE+sbI84J5E4Y2N2v54eL5G2nATk5l1NfzSnbahtyjjbcidHlmEIpDhmiZAajT2rd28dVtpECSzMme2YTmIoROk/u5lSx1xExqFDFF67ngSloWkLVhwQlQ62aI1AX7ub95con10JnKDg1LSUh4KadIdpeBaqNj6BKNHKG+2HJjxlfi5J5nlWUKOkEcNI6dyJji1+lYyKSjr68hISkoL+PbIoUr2hbzkcO/4Pn5nItJgEmih4zgsF54ui/bNoxGTjPIFEUaC6NOvm8h6RBTmp5xQoA/tJ0T17qfq1pZhRwRW3aU1mRQUJUCoTz6QRky2ThAcL9+6tcphn7kfh5oHGeHDm2v5/05Ifg2/7c4Ei2ObvJFEInky5tm2SrkepU6vuWeqjM8aouX0+DS9fQeFP/9tx1YKswi3D2iXJFw6WUaQTLRuws/htn9k0MxTFuU1ZP7h0KWqe+4Nr/0Qr+hbcWbaukyRpjOG7ZtabSaYVg2hESgm2p6xOQxzr/HLXq8MP7Nv2m4Kq1gNEVU1z9q8cATaaPY8c3TBrJEOfBUtunG43FfRoFLsCOcBB4GaA/fu3wGvABCAL2ASsBi4BzgHWAbz0ugq4EIALoXLgRiAN4HX3DuAnT44F//u8Ae2xpH0wXhqs3FZJnahv9/HUK6OQcrqOpopjX1PJ7uUUiVSEvh7brkhX6GUN7hjblQ7gwUlCiwwNP5ZgLui7e3tpfLtx+W7Is5KeB8YCrFhW1hJgINAbYKVXA7cA/QG22r8CW4AAsA9YBVwOXAHwYPkGmAYkCBJwLLhVG/FBWRZ7GoblC8UwIzRy0O1UkDuRNpQuoRXrHiBZCkJ5CiGokizb41ffIE8dvbDVbEOTkkUpIErdcrIjtG6nZBoG7N6gcNWTfoMnZsaBxQoZDgwCPgIOAGy93wF9gXyA3ftIoAPAcfwQwISnoG3AXuACoCMQBY4BfwcSBAk4CjZM4TVJtKYIAiV78VeEIvccXEdtW3enmtrvKbfrOCr/fiPFjDpSZI10S9+TteHcDpHk9KkxshTBFCn4rarVC+cMxR4lGKIdSYnuIipZdBJJK+B1BqYDRwC2UFZoN4Ctry3AbncwwJbLceIr4DxgBsAHGKxsVqgN1ADvAz8HsoHEcgxCYIJTbaDZC/PnB1Tpbl33rNgmWQxQduYFVLrnbcpsX0Ad0/vQocptdOjYZks9rM666PkLJ8Nw+xsmFs2qRGlFA+nYiq8wc+Z7RYqaZlmdGRsyZsczrMR44tDALrkujskbITcBfwG4fgQIASnAUbfMz5sJVLhlJA5p+GVlJwHpwPcAD4qfPDkWzFKIGZFHRNKuxEQrw3J3qURRxrEfgPTA4U10GDG4Z+Yw6tT55h2d5usZNlX0j0G5PE4EGBL/WW4agx8PSHK2Rea9qDCT+4gjvomVywrLAHjqzVbN7pjjrkdsmQyP2FpZ2WztrEh20+WAZ7GsaKZOgD94HU7THwNF7icVSHMvVSLlZ+IBxAOQBwiHC+4znvhZ+Zm5fe5/P9AG4Laa1wXLqXcYae2rkyZJHTa166wqqhSzDcGSa+sLt77I4cin2TRbHNnncGaSrQhcR1ek8JjS+Txgm9DKvEkpWjSzlx2w22G+pCumefDdHe3KcL9noU59fhGH5t6+/ZBtCXPdJazHdlJ+E0lUybAiVFr+Tp2xqvyVtK49bghNGEBiskZWDPLiXa247Uu+UYeSZUH85eped/RxGjrxZwBYm4AtwGfALIAFeDJiAf4W4LobgA+Aj4FiYC3ArvwegONyKVAC8DWuz+Cyhw+R50navwGbXVyPlF91kVveiDQHaE6jwOB7uM1HAKZfAx6P+/T68Z7hCq6UujM9XdXUT7B63BKQlc2a3Xrtyu5TeO7g09i8yotDkrpZQJ0UVd2cLIrP+BeRQf3A+ry7ZiQLXTdKmvUZZj7va4LyCUnqpqJ+NSvX5d05Lr6+r2BmVh0PvBjTzc81TcQkSgCcEyGkDWUtgF1lW3u9w5/EPseWfZ5SX36E2l5eQKFhPbEGRp0QPCQCuUdszaqktJZVdRaGduMFrwLRZGQ53oZc8MOx0ptTOhjLgJlAD4CfuwzYCbBr9iZqPHrZilUXrZB6bbNCPT6nbG3Mi7/OFsnKZx4L/kqgOV0LRmuA67zlXuTQ4LXDefZGXl/8PM6glSwNrk4ISYIUwpl5KKgo2YGk0CRcbyRL/oUMmYmCGBJRzzJtDlEOvZo3SdWSQgsDcvARRRR78wtELX2naZv7JUlMxr7DBQqpy9fl3nWde4sjKC9PT/xqfT22JqbrMfMtXTfetizx3YDS+ktd11G2V9QZ0cWDl+dtVjT5KkOyKVy8nw6/DsOzBeo28yrKnDae2l0zhKz6xvAXMw28qTTpsz53F/kdNWT4wa92eewadYAFw0pvTnPAGOUytyK9CGCLzQPygfuACuCPwLnAYBdfIGVixd0CMJ+vjwd4YMQPOpYX0xKg1sk1rLP5mTxqi8ylbqEc6ftu3ruXi7MAr38v/YdbjwSbd+fdUAavJwjSrWyVfH1N72kDcMQ6TofMvFCHkey73Ay7y41BWbseCqWoYew1LX1MtDStn1wf7q+bsV8blmHiflWQpCc+7X1nZ27Tj8FcYFr5xiy0IcuWblIoVZaSR2WKa5d1lUT42iiicdbBbcc7Skfhk6EMLHytehzpV0E/sFw7qpMVwaU4K+Y2cUhhm5LE98TTKBR6uYwFSAuB8wC2mt8DtQBTBsDuk6kemAqs54JLe5HO8wpIWdEeeW2wAnYC7DLjKV7BHn8XMmsAVuRAgJXk9TcGeUdwSJcDx4Dm9A0Ypc2Z8WUJcRArybKobSTh2HWgnZw6FteXK5J4a5KkBjExLcFhTxect7fx7ls5apQsVtAUnucI/GmURbOH73iGn5Noj7NX8Id1efeOCpBwiSbJHaK2xXJ6CAOkkc4veioka9YTkiwVSapUZAni2JpaI1/SpEslRbokWZOv/WvX3gUUib4s6zYFuqVTu2uHIG1H5XPfpP0L3qEjy74gMaD4jeIFyLCtRcNLn/jAZzZk2I2wgNmSFgKeu8tBfhTgUV9k2CUysYI4Vv9QilfgCYP5FI3wYPi7e43vmRRXj90zEw9WtvST0f1gfgTw/IDBA6EL4JPIry3Y+2ASiwKYwKJw60dZ0zqAOzlmwrIs8y9QTMy/AZloWc+QLQq92bJjpllXRfWr469zHub2AU93+Zwe5wYs36YuOlVp+0tRVvNMI0KWpWPShEN8uAMbecvUycRetK1bN60ddn5J2sRB1a3ys6j60+107L1iMmujsF54WXzE4RG/SMwwK+2oNcfjuSlb5Tg3z5OZr4G3Ae+lrnevceIpl/PfAb7LYsZZovfR7rdu2xOQJgFdgVEAE0+wPPfvMOJ+eEByCBntgu/nuUATgjIRl60Xa2ORWiilMCVJmAfH2REfSWxUDOtDG0ua+Bu0QFISdBt0eALVpyhCdfx1zmOOe5jHDg8C0xa6M8/XxqjL/yvbFuXp8V9koJ5PvMsFY6SR53ZOUccO/Nfjx6N/q1r6JcUOVZOo4QLvU7Jrxj+P8OEdOrIeH1729G6P56aXIU138yuQ8suUAcUuj10WDwIm+H+f4pXtM89C5jDa5AHH1BMYAlwM8Eye6VXAG4wOI+5nMfJ3Afe4uAMpD8wmZGISNmTr09sskd6BYlthUnWTs8y07IVhSa6GGH3d8I0S1UYRsmFBLGJRtQ3Nidtc9ggKDrHO2IrhHfgdGhtRBWW2rMjp7Nw90rHG5XNhExsXfXLb0LjR3SlcH6Vlb+zu9+A2cZcgmps0GaGYu3Sb9fJ8khSxjBLLrFngteemGLnkuTpm3Q1sB9gq+gBMrHweBEy7gLCTa4iJvdz82U7YTbMweMj+HPC8ynHklwKnInbJ/M7zXfDErwpoQqIresy5njNwwsNxOWqZBy3l8OsQdxPr5RvTtdpqbA7uZfliZwIDwtnebdImNpdG8iDBDBse2FnuNfQydvySazGbuwYfb/g36LDYwhEZdNXlvWnSxBxKDWn08apyKi6txMGCLVelpf1irxZaKJr6N2QbB+DOD0gKHcF3lAdw7LifDHMf/PnMETtfYIHEU38U2CI8ao9MFtADiB+VPAh4MLD1vwcwsQU9A3TjgkssjPHAUI9xhtINaKfEbYvj8IVufiVS9janIh6caXHgiVKDaz3JHUPbt1kNqa+SbbEW8fDFkSWLj7UyTH7vJpS39bWYTeLrPDAw+cJkWZj5cc69fmxfn3vXlVjZXs4KRlg8GrOFP3EDHOHJVuwrJFmULUzPPeLdrIL8jpTbuy1t3VFJS5buRHgVSMWamOOyJgh9FmfmVQ4L1yzA+AvyXGFEbl7/DRmRrbF6LAVEin1dL7IwmhMrzhuhv0P+LcBz7Jw+DrCyhgA8GDYDvwF4RtsTYFfJwucYGAWygUHA7cB64ExRBA29AnC/jpzchtkF/0/0e1y8H/DeiV3ts8AcoAnZqCOsmm2szLltsiAF0iqrIwebVGhWqAvXPisEk8YnyepwbIQMg2GtW5937xeYU6ciOl4gipIKD2yboj2zcNuTe/l258H1WGQaZl3nC4LcjZXHpGLjYuFLxfTJ6nKqC8foisuyaefXR2lX2THEYg0ztegbuTF9TG0wfappNwyMgwfDVCOnkBlEvIbGO1Kdiqb4hT1iC5zsFtht8Shr/lKLwGMF8yC4AWAFs5u+FHgYKAI6AhMAjw4hs8crxKWeYjj1BB53uWEDwmU0iXku702kDwKeZzmA/Ifutfgk3uJa4wIjntiqPVL4a2KQ92xUuOu5SpQZDsED4nNkScHKFE9t+/Uu3vNc9Uf9pl0lmLG5+Bz96oCidFUEqSvmOTyzhk7MA8jPGL51vj8I/ZceO3HRbaIc/DO2Nb1+4McR1fkgAX+hFIUGDWhPKSkqfVVaUSnsOvJAD02ZB4+Rwm6BaeBFWVS6eh/iNu7Bw1mmeSQmWufPe3eKN8lKQbXBAL9hDbARaE68I1TgMnkQfNWsQh7KbFUdAB5ZZcAm4HugOeWDwe6SYynX4T7jqQcK3V0GDyJWYDyxfM4DkgDOHwG2AM0pB4wMoEEQTa/yfeVAGe9EZVKXc/HymiVR1dDiJ/mZTqB1GfcGrTbGYBzOKuGIeGTkrsdP6HNDj7t7SUF5gGEanW1JuC5Z1oZGzNjOcMQcU1j2tP8e3LlDRUVPaaba/hNJUYfxkqg5YQbHX2hQRpdUmjA2601p39HMbWu+HRw+Xo9tUNYX/CQUXOIqmMsK9q/R6d8efu+mKVxO0NmRwJo+93TC8eyKNC2QXxULb8enVZeN3PVHx6M1aAb9vvvu3VjIWg9YlgHt+nr3n4hXQFpAo/Jva4rXPPv5hoo9NYPzCrtQd1g1Hw8aMbgIWC7igX+PgfWzRML1/1H0woU+M5E54xK4YPuThzARv/q4Hp4tS+IySZR6eZ2coMmx/7L4ZVlLuYE3OeL1zG7agvKCsch9OCOcYppCXxl751n5HahVmyBV7q+h/oVZtHpxCdUeqeeZntMHx2LT0NfW1VSOe2L9r+q9jhNpy0jAD+Bed6ZdN92KiEuxLQZztGQF/w+UryHoY51m1eXX64MkLdjXEvDpO9bIO9YdoOS0AF3znyOpV35nqvruOK1aVEpqsKFpEwNFktWRgdR2F6MZXiMmqAUlcIKCP14+lScrS0/1DCPGLTxoGNEZ+PY5xGciMr7kqDsaobWvbKXao/W0e9Mhwqjwb8eRFzZK9H1iWG8+WfLrJDJnTwInuOgf0tX9l7z0sCJpOJ6K+dVNfOrD8VfELgpOnnw+u2jdiE2d+/4tz/vMRKbFJNBoaj+iy0ik/jHdiu1h6/RI4gN/WHNT5SrY0NI/VQ8EX/LqJdKWlcBpKfixVbdXIj7PwVcJp3xaZ1JmWlFDtO6fvXVyo6mf8o7EhbMhgdNSMD9IjVC9BLF1Nbvgk5Eze7aNRX94Z8qak11P8FpGAqet4KexbrZsax52q2pxIlKH+BtGCHYWwWzZUH6NIUcfbZnXSPSSkEBCAgkJJCSQkEBCAgkJJCSQkEBCAgkJnCkJ/BPMSbcSevtHhwAAAABJRU5ErkJggg==", "integrationScript": {"commands": [{"arguments": [{"default": false, "deprecated": false, "description": "The message destination (such as a message queue - for example \u2018/queue/test\u2019 - or a message topic)", "name": "destination", "required": true, "secret": false}, {"default": false, "deprecated": false, "description": "The content of the message to be sent", "name": "body", "required": true, "secret": false}], "cartesian": false, "deprecated": false, "description": "Send messag to topic or queue", "execution": false, "hidden": false, "important": null, "name": "activemq-send", "outputs": null, "permitted": false, "sensitive": false, "timeout": 0}, {"arguments": [{"default": false, "defaultValue": "1", "deprecated": false, "description": "The identifier to uniquely identify the subscription", "name": "subscription-id", "required": true, "secret": false}, {"default": false, "deprecated": false, "description": "The topic to subscribe to", "name": "topic-name", "required": true, "secret": false}], "cartesian": false, "deprecated": false, "description": "Subscribe and read messages from topic", "execution": false, "hidden": false, "important": null, "name": "activemq-subscribe", "outputs": null, "permitted": false, "sensitive": false, "timeout": 0}], "dockerImage": "demisto/stomp", "isFetch": true, "isFetchCredentials": false, "longRunning": false, "longRunningPortMapping": false, "runOnce": false, "script": "''' IMPORTS '''\n\nimport stomp\nimport os\n\nif not demisto.params()['proxy']:\n del os.environ['HTTP_PROXY']\n del os.environ['HTTPS_PROXY']\n del os.environ['http_proxy']\n del os.environ['https_proxy']\n\n''' GLOBAL VARS '''\n\nHOSTNAME = demisto.params()['hostname']\nPORT = int(demisto.params()['port'])\nUSERNAME = demisto.params()['credentials']['identifier']\nPASSWORD = demisto.params()['credentials']['password']\n\nclass MsgListener(stomp.ConnectionListener):\n def __init__(self):\n self.result_arr = []\n self.msg_ids = []\n\n def on_error(self, headers, message):\n demisto.results('received an error \"%s\"' % message)\n def on_message(self, headers, message):\n self.result_arr.append(message)\n self.msg_ids.append(headers['message-id'])\n\n''' HELPER FUNCTIONS '''\n\ndef create_connection():\n conn = stomp.Connection([(HOSTNAME, PORT)])\n return conn\n\ndef connect(conn, client_id=None):\n conn.start()\n if client_id and len(client_id) > 0:\n conn.connect(USERNAME, PASSWORD, wait=True, headers = {'client-id': client_id })\n else:\n conn.connect(USERNAME, PASSWORD, wait=True)\n return conn\n\n''' FUNCTIONS '''\n\ndef send_message():\n\n txid = conn.begin()\n dest = demisto.args()['destination']\n body = demisto.args()['body']\n conn.send(dest, body, transaction=txid)\n conn.commit(txid)\n demisto.results('Message sent to ActiveMQ destination: ' + dest + ' with transaction ID: ' + txid)\n\ndef subscribe():\n\n listener = MsgListener()\n if client and len(client) > 0:\n conn.set_listener('Demisto', listener)\n subscription_id = demisto.args()['subscription-id']\n topic_name = demisto.args()['topic-name']\n conn.subscribe('/topic/'+topic_name, subscription_id, ack='client-individual', headers={'activemq.subscriptionName': client})\n time.sleep(1)\n for msg in listener.result_arr:\n demisto.results(msg)\n for msg_id in listener.msg_ids:\n conn.ack(msg_id, subscription_id)\n\ndef fetch_incidents():\n\n subscription_id = demisto.params()['subscription-id']\n listener = MsgListener()\n if client and len(client) > 0:\n conn.set_listener('Demisto', listener)\n topic_name = demisto.params()['topic-name']\n conn.subscribe(\n '/topic/' + topic_name,\n subscription_id,\n ack='client-individual',\n headers={'activemq.subscriptionName': client}\n )\n incidents = []\n time.sleep(3)\n for i in range(len(listener.result_arr)):\n msg = listener.result_arr[i]\n msg_id = listener.msg_ids[i]\n incidents.append({\n 'Name': 'ActiveMQ incident:' + msg_id,\n 'rawJSON': msg,\n 'details': msg\n })\n demisto.incidents(incidents)\n last_msg_id = \"\"\n for msg_id in listener.msg_ids:\n conn.ack(msg_id, subscription_id)\n last_msg_id = msg_id\n\n''' EXECUTION CODE '''\nclient = 'Demisto'\nif demisto.get(demisto.params(), 'client-id'):\n client = demisto.params()['client-id']\n\nconn = create_connection()\n\nLOG('command is %s' % (demisto.command(), ))\n\ntry:\n if demisto.command() == 'test-module':\n # Test connectivity\n connect(conn)\n demisto.results('ok')\n\n elif demisto.command() == 'activemq-send':\n connect(conn)\n send_message()\n\n elif demisto.command() == 'activemq-subscribe':\n connect(conn, client)\n subscribe()\n\n elif demisto.command() == 'fetch-incidents':\n connect(conn, client)\n fetch_incidents()\n\nexcept Exception, e:\n LOG(e.message)\n LOG.print_log()\n raise\n\nfinally:\n conn.disconnect()", "subtype": "", "type": "python"}, "modified": "2019-10-15T04:54:09.842836044-04:00", "name": "ActiveMQ", "prevName": "ActiveMQ", "shouldCommit": false, "sortValues": null, "system": true, "vcShouldIgnore": false, "version": 3}, {"brand": "", "canGetSamples": true, "category": "Data Enrichment & Threat Intelligence", "commitMessage": "", "configuration": [{"defaultValue": "", "display": "Server URL (e.g. https://starlight.companyname.com:8889)", "hidden": false, "name": "url", "options": null, "required": true, "type": 0}, {"defaultValue": "", "display": "User name", "hidden": false, "name": "credentials", "options": null, "required": true, "type": 9}, {"defaultValue": "", "display": "Fetch incidents", "hidden": false, "name": "isFetch", "options": null, "required": false, "type": 8}, {"defaultValue": "", "display": "Incident type", "hidden": false, "name": "incidentType", "options": null, "required": false, "type": 13}, {"defaultValue": "15", "display": "Fetching interval in minutes (default is 15, minimum is 15 )", "hidden": false, "name": "fetch_interval", "options": null, "required": false, "type": 0}, {"defaultValue": "", "display": "The specific security event to look for. Default is all events", "hidden": false, "name": "event_name", "options": null, "required": false, "type": 0}, {"defaultValue": "50", "display": "Security event severity threshold, between 0-100", "hidden": false, "name": "severity", "options": null, "required": false, "type": 0}, {"defaultValue": "true", "display": "Trust any certificate (unsecure)", "hidden": false, "name": "insecure", "options": null, "required": false, "type": 8}, {"defaultValue": "false", "display": "Use system proxy settings", "hidden": false, "name": "proxy", "options": null, "required": false, "type": 8}], "description": "Aella Star Light Integration", "display": "Aella Star Light", "hidden": false, "icon": "", "id": "Aella Star Light", "image": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAANUAAAAuCAYAAAC/FVxZAAAACXBIWXMAAAWJAAAFiQFtaJ36AAAOgUlEQVR42u1dS29bxxX++JJESRYph0HsODJpNK5RFA0ZYJrWXUQM+ti0DVnkB4hapOhOzLItUFPbbiyvUsAL0Q36QFHDtIHs2phOgBopBghZIEldoxGZh23ZtEValkiKIm8XOlcaXc19kLqkEvUegJBEDueee+Z8c745c+bKpSgK7BDXud++ieMnlwFUARQ0H0cAROD2PAPf0JvKbOJfcMSRQypeWwA1+3oSoeM/BXDCsKHPB0xMNgGkHdM7cljFbVM/cTypbpq28g2XAcQdszvigMpckmjUw2ib4Gp4ZAxA1HX53YhjekccUOlTvxiAMADg4f26bkOPB3B7QtsgdMQRB1S6ktr+7cGdin6U8q9Iv+OIIw6oJNRPlSe1KV0K6B9rC385FNARB1Sm1E8VGQXcTf3gUEBHHFBZoX5GFHA39XMooCMOqCxRPyMKuJv6ORTQkUMtezZ//7xc+8mYx/3E7It/K3zwwh7qp9LCRw+aytPHhw2oHwDgO09N/LLcaP3Joq6l8IivZOfNM8bSAM5LPjrFOS8d5MAwxjIAzonvcc5d3bbpk25xANctNK1hp7qmACDPOc/9X4FqfulBxAX85ajPs/bcsDfkcemPz/e+FV1eSssDzfOjQ/cDXs8UABwb8q48O+ydlLWbGvH9GMDPLepaKzdakfCIr2rj/acNaG3GmXO7Ao1MggCm6fdpAHOMsRqABQALnPPqIJVljMUABDnn+UFGqrgC+B+22v7qZqf29VFfwO+WM8TPmi2PXqeVjfZUwLv18VGfZx2AFFS1zc6JSa/Hqq4BAFm7Ehw024YdUO1LCpzzuAVbR7BVSRMHMEPRNcUYS3LOCwPUd4HA3ddo7tZLHrQVJfDx2ga+aG7WZF/88EkzpNfparuzxfxcLoy4Xbr1gI8321CAehf6JsqNll11g0aJkjBjzMlO2iSc8xLnPMs5TwE4BeAqTWh5ih6HM1Exv/QgIoTqbVne2Ax8vNasbHR2qtk3OsrKw1Zbt9O2omCt3fls0us2BcyTdqfSpc6ZcqO1rwQHYyxoIeKlHDj0DWBJAJeIfeRpPA4fqAzWF6h3lNCHa816dbO9DgBLjY22WceVjXboKZ/HFDAPW+2pLnUOUBjfjySpH1GK2qh42Ab7SwauFIAbNo3nlw9U80sPgmYzswL4P6m3RkuN1kpxtREy67jRUfxjHrcpYHqggLBhvaOdQMo6fTrRqr+SpGTHDK27DoV4BScLWPnCneYmLt9/XHlpYjQ04dXf5nphfLg+6nFX1tsdU2A9aXcqRywAUGWq4RFfz4tbGryodgHLOc8xxsqa5EW6l1mUIlyKFuZi1UkRW9mybL8zUAa6xciZ49g6PKrqdkNNPpA9SgOIVlXGWBbAHNk6bYGyx+ilinooNqdNetB3xLZBej8uSbhUdXxFvaYI+pJwzT12clOUsrz4/2it0a53lNB71bX1/9Y3GnrtzgZGK0e9npCVPruggMXwiM/uKAUAOc1PMWER69Jp02T08wASGpBGsZX9us4Yyw9ydmaMBRljeQAfYCv7Nq3RbZpecwCWSL9B0N+sELX0dM+QTRdJP1WvCNn4HIAPGGM5jc4xbO2nqS91Mr2uecUktloAsETjOKPpc4beX6J2u0F1r7n5u/V2J2DVAv+s1UMA0AFGP1prjvyjtl5paY7k+91uRPy+qYDX7bfSZxcU0A46pu2jKMw2WYsg1Bv8LBnbij2nARQGkf0iR8vLElEm+vUdWBRdajSBBXVsqm5wzwKY5JzHOOdxznmENrtnicInNGNYAPCK8FLXza9oXgXJJDtH7X/GOXfR9eKc86DmmnME+h3690Wz9Yt7GzgKuJjXhcdGBthsbfjuvX+jtSvKAPi7C/Asf972tJoNABjz+9v4za/f8rhcWPh3+QcfP157zsy4z4/7H7z10jfeNmhS2A/towGSJSiy4gBLKGCSMRY026gkw87oRViaXcOSpEueMRbrM93KSygvsHvzNiLRL0oOFu8z7gsE4hjpCoGmzZDzxvTGgHOeZYzlqJ8E2VOldGJ/VWqfNxjHFOlSBBA3uWaB+k8zxrY3s73XoierAH70avHTdFuRluxsy+d3736BxvqeDdMWgNbEUaBaqeHhcmCtiksqTXtn+ZEatg3lbr0ZDo/4vt3nwUsZUD/tLCU6flIniomDf07isGnOeVbD0bOaiKFuavfFcclJohLdklrnovvIamkhYywyANBPC7ROO14ps0mN1mcZ8rUkjCs9rCTBkhauWRDWhNsTwnam4Vr05AKAF7E3tbzj+HfvGD/YJRgKYOprlbFTZwoGTqsrrsvv9m3DlahFQvP2VYmzZHugnRmJ08ZFQNEglKgC4aqWakkWz3aJrN+4bLam92R0d1Brv5gkO1juIqlTssFHwjp+YTQh7F5TiX9ci54s0CBc0jbsdDr1e/fumF5h/EQkdOKHifkzN28nAUB57eWqEVAlRjzIKKVy/KLE6SMG2cRpSTaxYJIsqfW6dutSqpTZU19XTXQbaD2eiQT2C5QeQV3Yx0Swt0qd6GDq1eKnOZq1AwBQqdyvADDN0gVOTH1G7a6cuXn7As3i6gL+IEGVtgIqIVqdl3w/bVHnBRPaUKJMnBg5E31KBKRtsNOBSA8V9/F9Xi+P7usCI6agEsCVe7X4aYwcL1oulyylvUcnQ2IafQ5A/Phk8Fd3VyxNgAHX5XeTymsv23o8gDJsYQn101MqJwFVUsfh4hLqF2OMWYkge/QcZIGpWrWNnT2rOPSLjAch1R7vIwiTfa4+2C5CAWPGMqgIWCUAse++/d61e+VPforhEWPq9/QxuNx70ujRI37/H+ub7XvV1dVjFqOV3Wdu0gYZOz2pYXemMExV1VrdghLKcr1HPYN9doQU2TcCeTbwoMSUdpETqxu/ESFCxIRxKtp5XzTpqNeLCeMj0v0bWvpv6Qm17//191tl508900AwNGKB+u35KDQ+rlQVVwVrqyEYP2o6abMj6RXPJnqgXKk+AH4Qs2qKKKmV/bPyAUSriF6igbZB0hrHLVJUq9J9lQiQwX1MaOI11agX1oBH1TEv/Ixor2kKKtfs6ztZs4fLI1itVXAiEoLbY0b9dmdEXAgODw2h6ZmsYW01gM3WoChg0qIzWZGEhT0rs4N7ttMfC4DS29JQndPQSfoM+CBFl5o24yboXgYwD0kpkqZ93AZ9skTpigTYnFEmUJbA8lp0yh3ZaIRQutXA8fAI/GNm1G83t/F6KssdJYTxCaBZr6G+HhgABUzZ7AcpC4mIOL4EQg4r03UeOidvD6CwNSVLGgmAMtyEtdleCwSoS1RF3xNl7x5UAKAoI7hTAiYmK3j62ZAJ9duWIx63Z1n9Y9gfgNe3RQc7nb5QQJ10d7kLoMWxd1NXW2Sb11wjYKUCY0Aii9LznPPMQa3rDNa7Wc37qo7JAdpyjiJmNxNxrBdQ6a87Hq+EsP6kgmMnQ0bUT6CAk8NuF5rqgUePN4SJyTrWVhW0NkY1FDCuvPZyvg8JipzVzUQqQ9GCKqzJ0hV0rpuxSDO2wc45tztKyPrLWZhIBhVJM7RuKUrGJEw2KXU5ifSqS1yYJLEfULlN1lPmSm62Qr7HD+sut7tlRYMJr3tZ85YfY0dGMTpewe4HzdgRrWR9ZK1+mWbIq0ZgpWzgno1cIxpFWSVtKjbfB7+tWgSaGNmTAwKUyAL0UuGlLru1g+oXuriHiCzouO1Afutx9T+02Lxh1vaIxy1/0svQcAhHghV4vLaAirJG2ixWuYd9IBkIk5qKau26JYCtCvSkjjPJAJTpg+/K7nVBtqAnXQuQZ/4iNgMqJUTMNwyYQ7CLPi2fCdQ5GVDt4V6la2tbQAUge+vs6dKts6fjtAjWFa/LFfLpPfrM7Q7hSGAdw/4GgLDr8rv7ORaRsmoEk2gli0QB0Ta0RilK2lxhjCl0NinPGCtRZk07+LP9KFjVcdYwts5zlTR6XTFwygVqF9snmCJUTb5I15rnnOuNyVUAUSsZPQLpeR1WIZtkYhJbqUdQklaOuxB9Twj+HjFdUxH1s5qK3ubpt86ezpy5eTuPvdXOO9HK61551GpP6vQ1Cv8o4PU+wtpqCj3skusUz1pZTxjd34wEtFnNWiQP+eaj0TmmN7SFtzbLLOQp9TD096O0G98ByKvIgxacXj19mxRsU8ZWBX/OhCEkAORo0z2vM87bGTuK9glsPf4sC6CqSXJkKRmxQBUvOc3nC0RJ84yxtM41I9QuAeACjfk5AmMOQNBrQ5QqKosXd82yt86ezp+5eTsmGGa3lb3u9qOWybNjfENH4R9LorfSE1mUKu4jGshAtetIBB09iAuDbCZlAJk+A0o99xMkhwtY0ClFILBSqxlFd3ta4t6P2bGKHGNMnRCu0zm3Ar0i9FInqwtqjSNjTK1wWKLlSFyMRkKfiwAWCVyvcM7znPMM2WqOrqk+/qCEnaqKKE06s+rYkW4JACsAbtgBKqlT3Dp7ugogeebm7bR2QFUK2DL7J95DQ+/sY4E+b1cigAZ4XmetUdIkNlKU1UrTIExrIoD6jAozMFnRN29R/wWaudPYeW6GWNqjPm9BjRx54QGYUUHvkpBAmO9iLArQeQ6EhQkhL9gyTs6rrt3fIFtWhe/EaX0Yk60phQONSUgqOTjnabJVSoiwAbpmSWdSiAl2zbtk/52eqN8Vi/d+ShuptCJErW1qVGm1jShgEUBa+f4383DEka+YuO2mfjpRSz2ndUGkgDrNLwCIO4By5Ksq3n5QPwM6mFaTGBIKWKPolHWGxZFDFanovyN2nfXrAlw54p43nhnafoJtjaKTAyhHDi39Ex/f9KKyeNGFvUfsy1aonw6wSrfOno4PuV1/GFfaFQJUwRkORw6DSBMVuo1nX89iJ118QVm8mHZM6Igj1iKVVJTFiykhYjlUzRFH9huphIiVURYvZhzzOeLIXvkf8C/oAqGVi1cAAAAASUVORK5CYII=", "integrationScript": {"commands": [{"arguments": [{"default": false, "deprecated": false, "description": "event id from the Star Light incident", "name": "event_id", "required": true, "secret": false}], "cartesian": false, "deprecated": false, "description": "Query the details for a specific Start Light event", "execution": false, "hidden": false, "important": null, "name": "aella-get-event", "outputs": [{"contentPath": "", "contextPath": "Aella.Event.event_name", "description": "The event name", "type": "string"}, {"contentPath": "", "contextPath": "Aella.Event.severity", "description": "The severity score", "type": "string"}, {"contentPath": "", "contextPath": "Aella.Event.dstip", "description": "The Destination IP", "type": "string"}, {"contentPath": "", "contextPath": "Aella.Event.srcip", "description": "The source IP", "type": "string"}, {"contentPath": "", "contextPath": "Aella.Event.tenantid", "description": "The tenant ID", "type": "string"}, {"contentPath": "", "contextPath": "Aella.Event.srcip_reputation", "description": "The source IP reputation", "type": "string"}, {"contentPath": "", "contextPath": "Aella.Event.dstip_reputation", "description": "The destination IP reputation", "type": "string"}, {"contentPath": "", "contextPath": "Aella.Event.dstip_geo", "description": "The destination IP geo location", "type": ""}, {"contentPath": "", "contextPath": "Aella.Event.srcip_geo", "description": "The source IP geo location", "type": ""}], "permitted": false, "sensitive": false, "timeout": 0}], "isFetch": true, "isFetchCredentials": false, "longRunning": false, "longRunningPortMapping": false, "runOnce": false, "script": "import requests\nimport json\nimport time\nimport datetime\nimport os\n\nimport urllib3\nurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)\n\nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\nrequests.packages.urllib3.disable_warnings(InsecureRequestWarning)\n\nif not demisto.params()['proxy']:\n del os.environ['HTTP_PROXY']\n del os.environ['HTTPS_PROXY']\n del os.environ['http_proxy']\n del os.environ['https_proxy']\n\n''' GLOBAL VARS '''\nURL = demisto.getParam('url') + '/aellaelastic'\nUSERNAME = demisto.getParam('credentials')['identifier']\nPASSWORD = demisto.getParam('credentials')['password']\nFETCH_INTERVAL = demisto.getParam('fetch_interval')\nVALIDATE_CERT = not demisto.params().get('insecure', True)\n\n''' HELPER FUNCTIONS '''\ndef make_rest_call(end_point, username, password, action_result,\n headers={}, params=None,\n data=None, method='get'):\n headers.update({'Accept': 'application/json'})\n headers.update({'Content-Type': 'application/json'})\n\n resp_json = None\n request_func = getattr(requests, method)\n if (not request_func):\n action_result['status']='Unsupported method {}'.format(method)\n return\n try:\n r = request_func(end_point, auth=(username, password),\n data=json.dumps(data) if data else None,\n headers=headers,\n verify=VALIDATE_CERT,params=params)\n except Exception as e:\n action_result['status']='Server REST API exception {}'.format(e)\n return\n\n if r is not None:\n action_result['r_text']=r.text\n action_result['headers']=r.headers\n action_result['r_status_code']=r.status_code\n\n try:\n resp_json = r.json()\n except Exception as e:\n action_result['status']='Json parse error {}'.format(\n r.text.replace('{', ' ').replace('}', ' '))\n return\n\n if (200 <= r.status_code <= 399):\n action_result['status'] = 'Success'\n else:\n action_result['status'] = 'Failed'\n\n action_result['data'] = resp_json\n return\n\n''' FUNCTIONS '''\ndef fetch_incidents_command():\n fetch_interval = demisto.getParam('fetch_interval')\n if fetch_interval is None:\n fetch_interval = 15 * 60 # 15 minutes\n else:\n try:\n fetch_interval = int(fetch_interval) * 60\n if fetch_interval < 15 * 60:\n # Min is 15 minutes\n fetch_interval = 15 * 60\n except:\n fetch_interval = 15 * 60\n\n cur_t = time.time()\n\n checkTime = cur_t - fetch_interval\n\n event = demisto.getParam('event_name')\n if event is None:\n event = '*'\n\n score = demisto.getParam('severity')\n if score:\n try:\n score = int(score)\n if score < 0 or score > 100:\n score = 50\n except:\n score = 50\n else:\n # Default score\n score = 50\n\n index_str = 'aella-ser*'\n\n query_str = 'event_name:{} AND severity:>{}'.format(event, score)\n\n ts_str = str(long(checkTime * 1000))\n\n query_json = { 'query':\n { 'bool':\n { 'must':\n [ { 'query_string':\n {\n 'query': query_str,\n 'analyze_wildcard': True\n }\n },\n { 'range':\n { 'timestamp':\n { 'gt': ts_str }\n }\n }\n ]\n }\n }\n }\n end_point = URL + '/{0}/{1}/_search'.format(index_str, 'amsg')\n\n action_result = {}\n make_rest_call(end_point,\n USERNAME, PASSWORD, action_result, data=query_json\n )\n\n if action_result['status'] == 'Success':\n demisto.info('Poll incidents ok')\n data = action_result.get('data')\n if not isinstance(data, dict):\n demisto.error('Data returned in wrong format {}'.format(data))\n demisto.incidents([])\n return\n hits = data.get('hits', {}).get('hits', [])\n incidents = []\n\n try:\n cached_event = demisto.getLastRun().get(\"cached_event\", {})\n except:\n cached_event = {}\n\n new_cached_event = {}\n\n for hit in hits:\n source = hit.get('_source', None)\n if not source:\n continue\n event_name = source.get('event_name', None)\n try:\n event_severity = int(source.get('severity', None))\n if event_severity > 75:\n severity = 3\n elif event_severity > 50:\n severity = 2\n else:\n severity = 1\n except:\n severity = 0\n\n if not event_name:\n continue\n eid = hit['_id']\n\n new_cached_event[eid] = True\n if cached_event.get(eid, False):\n continue\n\n sdi = '{}_{}'.format(event_name, eid)\n incident = {\n 'name' : sdi,\n 'severity' : severity,\n 'rawJSON':json.dumps({ 'name':sdi,\n 'label':'Starlight event',\n 'aella_eid': eid,\n 'aella_event':event_name,\n 'event_severity': event_severity\n })\n }\n incidents.append(incident)\n demisto.info('Incidents is {}'.format(incidents))\n demisto.setLastRun({'cached_event': new_cached_event})\n demisto.incidents(incidents)\n\n else:\n demisto.info('Poll incidents failed {}'.format(action_result))\n demisto.incidents([])\n\ndef aella_get_event_command():\n demisto.info('Aella started get-event with {}'.format(demisto.args()['event_id']))\n event_id = demisto.args()['event_id']\n query_json = { 'query': { 'match': { '_id': event_id } } }\n end_point = URL + '/{0}/{1}/_search'.format('aella-ser*', 'amsg')\n\n action_result = {}\n make_rest_call(end_point,\n USERNAME, PASSWORD, action_result, data=query_json\n )\n if action_result['status'] == 'Success':\n demisto.info('Run Query is successful')\n response = action_result.get('data')\n timed_out = response.get('timed_out', False)\n hits = response.get('hits', {}).get('hits', [])\n source = {}\n dbot_scores = []\n if len(hits) == 0:\n demisto.info('Get event got empty result')\n for item in hits:\n index = item.get('_index', '')\n source = item.get('_source', {})\n if index:\n source['_index'] = index\n source['timed_out'] = timed_out\n demisto.debug('This is my run_query result aellaEvent {}'.format(source))\n\n # Check url reputation\n url_str = source.get('url', '')\n if url_str:\n url_reputation = source.get('url_reputation', '')\n if url_reputation and url_reputation != 'Good':\n dbot_score = {\n 'Vendor' : 'Aella Data',\n 'Indicator' : url_str,\n 'Type' : 'url',\n 'Score' : 3,\n 'Malicious' : {\n 'Vendor' : 'Aella Data',\n 'Detections' : 'URL reputation {0}'.format(url_reputation),\n 'URL' : url_str\n }\n }\n else:\n dbot_score = {\n 'Vendor' : 'Aella Data',\n 'Indicator' : url_str,\n 'Type' : 'url',\n 'Malicious' : None\n }\n if url_reputation is None:\n # Unknonw\n dbot_score['Score'] = 0\n else:\n # Good\n dbot_score['Score'] = 1\n dbot_scores.append(dbot_score)\n\n # Check src ip reputation\n srcip_str = source.get('srcip', '')\n if srcip_str:\n srcip_reputation = source.get('srcip_reputation', '')\n if srcip_reputation and srcip_reputation != 'Good':\n dbot_score = {\n 'Vendor' : 'Aella Data',\n 'Indicator' : srcip_str,\n 'Type' : 'ip',\n 'Score' : 3,\n 'Malicious' : {\n 'Vendor' : 'Aella Data',\n 'Detections' : 'Source IP reputation {0}'.format(srcip_reputation),\n 'IP' : srcip_str\n }\n }\n else:\n dbot_score = {\n 'Vendor' : 'Aella Data',\n 'Indicator' : srcip_str,\n 'Type' : 'ip',\n 'Malicious' : None\n }\n if srcip_reputation is None:\n # Unknonw\n dbot_score['Score'] = 0\n else:\n # Good\n dbot_score['Score'] = 1\n dbot_scores.append(dbot_score)\n\n # Check dst ip reputation\n dstip_str = source.get('dstip', '')\n if dstip_str:\n dstip_reputation = source.get('dstip_reputation', '')\n if dstip_reputation and dstip_reputation != 'Good':\n dbot_score = {\n 'Vendor' : 'Aella Data',\n 'Indicator' : dstip_str,\n 'Type' : 'ip',\n 'Score' : 3,\n 'Malicious' : {\n 'Vendor' : 'Aella Data',\n 'Detections' : 'Destination IP reputation {0}'.format(dstip_reputation),\n 'IP' : dstip_str\n }\n }\n else:\n dbot_score = {\n 'Vendor' : 'Aella Data',\n 'Indicator' : dstip_str,\n 'Type' : 'ip',\n 'Malicious' : None\n }\n if dstip_reputation is None:\n # Unknonw\n dbot_score['Score'] = 0\n else:\n # Good\n dbot_score['Score'] = 1\n dbot_scores.append(dbot_score)\n\n break\n demisto.results({\n 'Type': entryTypes['note'],\n 'ContentsFormat': formats['json'],\n 'Contents': source,\n 'HumanReadable': tableToMarkdown('Aella Star Light Event <{0}>'.format(event_id), source),\n 'EntryContext': {\n 'Aella.Event(val._id==obj._id)': source,\n 'DBotScore' : createContext(dbot_scores, removeNull=True),\n }\n })\n else:\n demisto.info('Get event failed {}'.format(action_result))\n demisto.results(return_error('Failed to get event'))\n\n''' EXECUTION CODE '''\ndemisto.info('Command is {}'.format(demisto.command()))\n\nif demisto.command() == 'test-module':\n # This is the call made when pressing the integration test button.\n action_result = {}\n make_rest_call(URL + '/_cluster/health',\n USERNAME, PASSWORD, action_result\n )\n\n if action_result['status'] == 'Success':\n demisto.results('ok')\n else:\n demisto.results('failed')\n\nif demisto.command() == 'fetch-incidents':\n fetch_incidents_command()\n\nif demisto.command() == 'aella-get-event':\n aella_get_event_command()", "subtype": "", "type": "python"}, "modified": "2019-10-15T04:54:02.577442423-04:00", "name": "Aella Star Light", "prevName": "Aella Star Light", "shouldCommit": false, "sortValues": null, "system": true, "vcShouldIgnore": false, "version": 3}, {"brand": "", "canGetSamples": true, "category": "Data Enrichment & Threat Intelligence", "commitMessage": "", "configuration": [{"defaultValue": "2000000", "display": "Sensitivity threshold for configuring which domains are suspicious versus trusted.", "hidden": false, "name": "threshold", "options": null, "required": true, "type": 0}, {"defaultValue": "", "display": "Use System Proxy", "hidden": false, "name": "proxy", "options": null, "required": false, "type": 8}, {"defaultValue": "", "display": "Trust any certificate (Not Secure)", "hidden": false, "name": "insecure", "options": null, "required": false, "type": 8}], "description": "Alexa provides website ranking information that can be useful in determining if the domain in question has a strong web presence.", "detailedDescription": "To use this integration, simply call ```!domain```. !domain accepts\n \"domain\" as a parameter to query. Threshold is the point where a domain will be\n considered unknown versus suspicious.\n", "display": "Alexa Rank Indicator", "hidden": false, "icon": "", "id": "Alexa Rank Indicator", "image": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAHgAAAAuCAIAAABs0UpvAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JgAAgIQAAPoAAACA6AAAdTAAAOpgAAA6mAAAF3CculE8AAAABmJLR0QA/wD/AP+gvaeTAAAACXBIWXMAAABkAAAAZAAPlsXdAAAAB3RJTUUH4wQdCiwPr+4Z5wAAEhFJREFUeNrtW3l0lFWWv+/bakmlUkmqUiSVpLIDSQiEGCIE2UQE8eBuK3NYlF7GcWS04cyAKK2Mtp7WOdruHhXa0xFGxwVBSBQFEsGYOGQhGkKSiiFkJUmlKrVXfd+788dHikpIgNB2bOfkd+rU+eq9+9333u/dd999SxFEhCsFBQAA5orlJ3EBk6xNELjxCI+vV+SRQn7uFv6DYNKiJwjjsmgAGIehTtpyKCYteoIwfoueNNSrwqRFTxDGJHrs8JoOBdQAOOSyhz1eKcYK4YPp44nx/9ExJtFknC7iKjwKGaOMYHqowC+ddDLeBgSDDhwCQQYYAkARkRDCMJPuaBRcDdGIQCkAA5QABWCG/AYDwMimTYEdjW25J+RvGDLSi+06WCUy3mE1aoXHKGWCMX6iESkhEoDNBdX1Zxtb2wYdHkmSBAVn0Ommp6XMyowUABgEcmX+J7QCE0BHsJsnGOMjWqIgMTDohff+u7j6+/qI6JgoQ4ygVBFCJEnyOBx93V004F52/YKbb5jNATAIzBiNkiSpt7dXoVBERkaGUoCI/f39oihqNBqNRjPxjPydwAyLIi4JSQSJgW9/cKx58Km6M93XzC9MiI/yD7b3t520njnpOdek4dwzZ07NnJ236+Ov/uXxt845gBKgwbBkqEdFUQSAN998Mz09PTc3t7e3NzQ3EAgsWbIkPT392WefDQpfAuMyFHlS+VmIvtIFS4AC5eBoRduWHc/PX3JDlI4rOfhJwGFVsqjkCMewwBAEjnLKSKN52Q3XHzla9uuNT7783B8S9MAhMOSCW2BZFhF37tzpdDqdTue+ffs2bNggSRLLsjIXg4ODTqfT4/GM7GlJCjpchmGCCuV0QkhQgyRJAMAwjDwzU0opvWBMwfSJBDP0uRQkpJSBExZpyx9fTpma6uhv2b/nLVf3j4zP6bZZ+3u6+3t7XHab32XzDnSfPfXdVx+/NT05pt/DbHrqdZsfRABpqJmSJBFCampqqqureZ5nGKaoqAgAGIajQ7E7x3GEEI67YASyJbIsy3Ecx3Esy8pORiZdTmdZVmZTfpfjOIZhzsdFQykyCCGhvE8MLm/RFIESxiHCc6/uFFnV2dbTg+cskUp2sN9pFyWzOdGgN3k8nra2Np/PowvXAsuIjv7jR4q5iIz6pta3dx96aP0NCgB2iDIA2LNnj9xUSunx48cbG5szMtJEisFoHBGDXASnr4MHD3777beBQCA7O/v2229XqVQA0NbWVlRUJAhCamrqbbfdRint7u7evXs3AJjN5jvvvJMQcvLkyUOHDvX09AiCkJ6evnLlSr1eP9GzIo4NSiki+ii6EP9SUjPzzu2xC38bnpKXM/e61KycZStX/c8n+744XPrpgZLKqtqm5pZtj23PmZ137fzrCgrn5y9crk0pnHnzxsJ1/1nZjR5EefwiotfrTU1NJYSsWLFi+vTpAPDUU39ERL/fL+empKQAwObNmxExEAhIkuR2u2+99dbQas+YMcNisSCiw+GYNWuWnFhXV4eIq1atkn/u3bsXEV966aURTTaZTJWVlZRS2edMDOCyEh7Ec4j3bnt99j1/gKi8MNO0lKmZWbPyuvoGar7/wZyaFp+UmpCccvhIKUW87a67zalpmTkzs/PmknCTbtqSWf/09BN7qpyIkiSJokgpLSkpkRtcWlq6adMmQsiMGTNF8UI3JCcnB4n2eDyI+NhjjwGAIAgPPPDAli1b9Ho9ACxcuFBmqq2tLTo6mmGYu+66q6SkRLbTxx9/XHbWlZWVcXFx+fn5W7ZsWb9+vRzJzJ8/X879uYiWEKXhv6kLsawTr/vnP2Ws+B3wJkEXqwrX3f/b34mIfooPPfJ7nd4QHhm18d8ekSg+/uQOVbg2MS0tNjEZODWEJ01d/fStT35gRZToeZtdu3YtAOj1ep/Pd+DAAQAghBw7dgwRKaUjLFqSJJfLlZCQwDDMiy++KNeqrKxMdrVVVVVyyttvvw0APM+Hh4cDwMyZM30+nyiKMpV2u10Wo5Ru27aNYRij0Wiz2XBo1E4ALu+jJYCm9j4PJXZrF6DH7xEh4KmoqLDZB3UR2o72btuAA6g4MGAnBGhA9LhcA/1Wt9sNKILH4fC4rE5nr41qdQzP81artbi4GABWr14tCMKKFStSU1MtFsuePXsKCwvxotiLYZjW1taOjg5K6enTp5955hlE9Pl8PM9TSuvr63NzcwOBwIYNG0pKSj788ENRFCMjI3ft2iUIgjzxAkBHR8eePXt6e3tZlq2rq6OUiqJ42cDxp8UIohkYcYRCCTIw4HSLDONxOwFFkERg4Ifak9ddt1Cp1NbW1s3KLZg+feqtt98CADyvAIpuh1NCEQgLBLwBv18SBx0u1IUjwGeffdbb28swjDF2ypHSoyxh0tLSLBbLJ5988swzz4SHh1/MtcvlopQSQl5//fURWW63GwAkSeJ5fs2aNR999BHLsllZWbm5uaIoEkIIIa+88srGjRtHqJVzf0aiz1M8oq0SYViFAuU8QgGBMMypuu9X3Hzbn4++HG+Kraur5XkWABggAMAwjCSeDyEkAsDx0pDKoqIiOTLb9uijMNSrLMt2dnZ+/vnnd9xxR9AMGYaR+dVoNCzLSpL0xhtv5OXl+Xw+QRDCwsIcDkdycjIi8jw/ODi4adMmRBRF8dixY++8886GDRsQsa+vb+vWrYh4//33r1u3TqVS7d69+8UXX+R5Hid25TI8gh4qWu5rRJR7PUyjYAVOqdUB4YCwDALPMW+99eaB/R+0n2lcsqjwlptXvLvrbQLgcjvkF2UxAFBFRLBqpVKpJAAtP7aUfl0GACqVyhhjNMYYjUZjTEyMHBcXFe2Wg2JEJIS4XC55VZKUlGQymViWrampueaaawoLC/Pz87u6ugoKCmJiYuSVzubNm5ubm3U6XXZ2NgBs2rTpxx9/JIR0dnZ6PB5CyNq1axcsWJCfn3++gRO/3THMY1PE4XMDpTiIuL9NXPT42+m/ehhUsaDWATDbt29HxHff/SsAQxgFEGHd2g2IuHXrNoblFUo1sAJwAujMGQ+/euMLB84EkCI+91/PMxxLCNm3b9/g4KDVarVarXa7/Z577mFZNjIyuqOjCxELCwsBwGAwLF26tKSkBIeiDgAoKChYs2bNnDlzAOCmm25yu92IWFxcLK/0Hn300ba2NoVCQQhZvnw5ItpsNoPBAAApKSkPPvjgLbfI/o3X6/X9/f0/4WQY1DOWQrjs+x7ERgnvfn53/qOvQ+wsUOiAsLV1J31+8folNwIoWF7PcJGHD38jUbzv/l8vXrL03/9jK3ACKHVC3rJrnih64OPq/pAAOT4+PhAIhJayd+9eeXjt2PEUIpaWlsbExMjMvvbaa4jodrvXr18faoY6nW7Hjh1+v7+lpUWO2Ewmk8zd9u3bZZt98sknKaU7d+4UBCH4otlsBgCGYXp7e0fl5Uqov4ruuUzUQQghAHoG8rIzzlQ3axbd6Pz0r8AF2rt7ZmTPuHf1mrpTZzKy8jY+/Psem5MSSE2flj5tunXABowKFNHZi5erWbj+mhkcQCAQePrppyVJMpvNHMdJkiQvkQkhy5Yte//99yUJTaZYRFywYEFtbW1lZaXL5Zo7dy4AKJXKXbt2bdy4saamxul0GgyGefPmJSYmAoDP53v11Vc5jsvOzo6KigKArVu3ZmZmIqJSqaSU3nfffXPnzi0vL/f5fHPmzImKijp+/LhSqZQDwWDnYchCUX6mlI61JRLcTw/dXh/VW1wQGKW7hvuPAKIXscaNhX/ed+2bX8L8O0FtnJp/bVNzq0ix34vNTnzrQMPspf/6Xb07QPFMZ19kYgZo4jW/eTr/5eKH3jvcheg5r0wK+aAkScHl4nBIIQ8SpaIkBS4SkIJh8oVUSbo4ZcTooVQM1oEOQV5MhYrJP2kI5NoG6xx8CBWQJIlSkVLxYqsfZT/64hsyFMFGYHejc+e+Lwy68C8+KILyQ8Cwy26+e3pOvpsN8/jJQEd/d7tFJdiPHT8ETnfir9YlzruBuh0vrFuRrQEBgEU8cGB/Y2OjTqdLS0uLioqSJy7ZaQCAKIrV1dUxMXqWZY8ePbp69eri4uKVK1fKEmVlZXPmzFEq1YGAjxBy+PDhxYsX8zwPwAQCvvfe27N48UKzORnOn/mM8i2bV2dnZyAQsNvtOTk5IaXT86EtosPhOHjwoNfrjY+PX7p0qUzAWDpHfCNKIcbOhrLKPvHEExdTPGIkyCMjPVoQCV9+piu5cKk/McPV77M0nmuxibwuTh01xWp317d1NNVUQWpm8gObY7NnC7aeh29flqfnVAAcAKU0LS3VYrEsXLhQr9d/8OH7HZ0dU6YYTzc2fFNerg5TRUVG9/X1tbWd8frctbU1CYnxZ9vbWJb56svDERERVVVVJ6q+EwOi2WwmhJSXl6tUqiNHv7I0W3x+T8W3FVnZ0z8v+dw60Mcy7L79e20DthNV3zU1Nv1QX+d2uQOi78svv3S5HSdP1p46VR9nivV6Pfv2f+r2uJBiccmBpqamxMQEQeA//XSv2Zy4fPmNXV2dCoWwf/++nnNdarW6uORA4+nG042nenp6/AFvcXFxb1+PNlxb9vXRhoaGMI2qrLSs9mQ1Aj3X2xMRoa2pqYmLMyGi7GmGEQ0X2XIQDIAAkJEQ5dcY65p/NMSZE/PnRqdncZFGO8N2u70OpGqTMfn6JRkLF6BKrSH+R25Zel0sHwYgDOlkWcZisaSkpFBKvT7vtGnTvv7666amJm2EtqHhdO6smVpt+Imq7wghWVlZFRUVKSkpR44c0esNDQ0NKrVi1apVFRXfxpliw9Sa1tZWt8ep0Wg04WEDAwPmpMSGhobly2/s7u7+5pvj06ZNCwT8Wq22r7936tSplpZmpVLp9rhOnz5tMpni4uK6u7urq6vvvvvupqamyu8qsrOzvT4PRckYM6WiomLRokUqlcpsNn/88cdLrl/kcrlKy46azWafz2swGOyDtpaWloKCOU6n82x7m0KhsFiaHQ6HKAUyMjKampoGBwfb2tp4TkhIiEcEhiEwIo4mY98akImOAPhNlu5PdyzMi2QE6uDNemXuVMxKD0xPYmZN1cycykVrlKL9thTdC/fOXxDDaAD4kKgcALxeryiKgUAgIlyn00YSYMPU4eFh2sT4BERUq9U2m81ut8/Mya2tqTMnJgu8MkyjSkg0eb3e9vZ2pITnFAAgbzYZjUatVivXUKPRdHR0uN1ulUoVGxsbFhYm5xoMBo7jTpw4IZ+3ISV9vVakRKlQt7e3+3w+lTLMoDdqNBr5uCApKam45EDD6fq/vLtTUHDnzp1zOp1hYWEGg0Gn0xkMBp7neZ7v6+sTRbG9vb2/v1+pVHq9Xr1eHxERodVqM9KnfV12vKCgAACCs+n4zgwRQALwAFgBagah8uxAS7990OMXEZQcq1crM6fo88yKTBY0cN4vD5/KsaWlZcqUKZRSu90eFhbm9/s9Hs+pU6dmz54th3Stra2CIMTFxdXW1ubk5Jw9e7a+vn5Wbo7L6amvr8/MzExNTUXEM2fO8DyvUiuQEq/PDchERkUcOVyalJw4xRgHhEoi8gLrGHRFResGrHavz93ddU6n0xmNxubmZpPJpNPpSktLp03PiNRFsyzr9/uDB5jl5eXdPZ3XFswzxEQf+uKrKbExyUmp/oBXElFQcF6P/39PVJ7r6Zs7ryAxIammtkqt0kTrI5UKtbxetVqt33///b333jt0bMSMm2iZaz+ABOADCAx9KAALIABwAAKAAoADYH/Ke3p0jGOgERMRe7kpa8S7o8xaF2seMZ0CMBZLk9EYq9GoRysFDh48OG/ePJ1Oh0guXAa6CqIheIGGABm6UoBAEQjBy6xuMeRSR+izvAEUKiOHsXKcJMezoWI4/JKC/BMveWgilyjrHHpLDhKYUFUAIEdm8gZA8HgstKygmLwhI6cPVUwKqUOI5vESPSpro/TDlb/yCwRe8lKOvBc2IvdvOgy+LGUX9+LVsfy3WMPFGi6r7dICYw2sIIIn9KG5V0n08LujITdDhgcul3UjV0jQCD1XzjuOdrvssp19aYFLqxqrblfpOoZ7CDrWlPKTO4pfruf5SYi+NCb/nTjZ/gnE+P/DAgD/P//I8vcdeZMWPUH4yX30pEceHZOMTBD+D4gYRvYAumOkAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTA0LTI5VDEwOjQ0OjE1LTA0OjAw16nnCQAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wNC0yOVQxMDo0NDoxNS0wNDowMKb0X7UAAAAASUVORK5CYII=", "integrationScript": {"commands": [{"arguments": [{"default": false, "deprecated": false, "description": "domain to search", "name": "domain", "required": true, "secret": false}], "cartesian": false, "deprecated": false, "description": "Provides an Alexa ranking of the Domain in question.", "execution": false, "hidden": false, "important": null, "name": "domain", "outputs": [{"contentPath": "", "contextPath": "Domain.Name", "description": "The Domain being checked", "type": "string"}, {"contentPath": "", "contextPath": "DBotScore.Score", "description": "DBot score returned", "type": "number"}, {"contentPath": "", "contextPath": "DBotScore.Vendor", "description": "Vendor reporting the score", "type": "string"}, {"contentPath": "", "contextPath": "DBotScore.Domain", "description": "Domain being reported", "type": "string"}, {"contentPath": "", "contextPath": "Alexa.Domain.Data", "description": "The Domain being checked", "type": "string"}, {"contentPath": "", "contextPath": "Alexa.Domain.Rank", "description": "Alexa rank as determined by Amazon", "type": "string"}], "permitted": false, "sensitive": false, "timeout": 0}], "isFetch": false, "isFetchCredentials": false, "longRunning": false, "longRunningPortMapping": false, "runOnce": false, "script": "\n\n\n\nimport xml.etree.ElementTree as ET # type: ignore\nimport requests\n\n# Disable insecure warnings\nrequests.packages.urllib3.disable_warnings()\n\n\n\"\"\"GLOBAL VARIABLES/CONSTANTS\"\"\"\nTHRESHOLD = int(demisto.params().get('threshold'))\nUSE_SSL = not demisto.params().get('insecure', False)\n\n\n\"\"\"COMMAND FUNCTIONS\"\"\"\n\n\ndef alexa_domain_command():\n domain = demisto.args().get('domain')\n resp = requests.request('GET', 'https://data.alexa.com/data?cli=10&dat=s&url={}'.format(domain), verify=USE_SSL)\n root = ET.fromstring(str(resp.content))\n try:\n rank = root.find(\"SD[0]/POPULARITY\").attrib['TEXT'] # type: ignore\n if int(rank) > THRESHOLD:\n dbot_score = 2\n dbot_score_text = 'suspicious'\n else:\n dbot_score = 0\n dbot_score_text = 'unknown'\n except AttributeError:\n rank = 'Unknown'\n dbot_score = 2\n dbot_score_text = 'suspicious'\n dom_ec = {'Name': domain}\n dbot_ec = {\n 'Score': dbot_score,\n 'Vendor': 'Alexa Rank Indicator',\n 'Domain': domain,\n 'Type': 'domain'\n }\n ec = {\n 'Domain(val.Name && val.Name == obj.Name)': dom_ec,\n 'DBotScore': dbot_ec,\n 'Alexa.Domain(val.Name && val.Name == obj.Domain.Name)': {\n 'Name': domain,\n 'Rank': rank\n }\n }\n hr_string = ('The Alexa rank of {} is {} and has been marked as {}'\n ' while the threshold is {}'.format(domain, rank, dbot_score_text, THRESHOLD))\n demisto.results({\n 'Type': entryTypes['note'],\n 'ContentsFormat': formats['markdown'],\n 'Contents': xml2json(resp.content),\n 'HumanReadable': hr_string,\n 'EntryContext': ec\n })\n\n\ndef test_module_command():\n domain = 'google.com'\n resp = requests.request('GET', 'https://data.alexa.com/data?cli=10&dat=s&url={}'.format(domain), verify=USE_SSL)\n root = ET.fromstring(str(resp.content))\n rank = root.find(\"SD[0]/POPULARITY\").attrib['TEXT'] # type: ignore\n if rank == '1':\n result = 'ok'\n else:\n result = 'An error has occurred'\n return result\n\n\n\"\"\"EXECUTION BLOCK\"\"\"\ntry:\n handle_proxy()\n if demisto.command() == 'test-module':\n test_result = test_module_command()\n demisto.results(test_result)\n if demisto.command() == 'domain':\n alexa_domain_command()\nexcept Exception as e:\n LOG(e)\n LOG.print_log(False)\n return_error(e.message)", "subtype": "", "type": "python"}, "modified": "2019-10-15T04:54:10.330318-04:00", "name": "Alexa Rank Indicator", "prevName": "Alexa Rank Indicator", "shouldCommit": false, "sortValues": null, "system": true, "vcShouldIgnore": false, "version": 5}, {"brand": "", "canGetSamples": true, "category": "Network Security", "commitMessage": "", "configuration": [{"defaultValue": "", "display": "Server URL (e.g. https://192.168.0.1)", "hidden": false, "name": "server", "options": null, "required": true, "type": 0}, {"defaultValue": "", "display": "Credentials", "hidden": false, "name": "credentials", "options": null, "required": true, "type": 9}, {"defaultValue": "", "display": "Trust any certificate (unsecure)", "hidden": false, "name": "insecure", "options": null, "required": false, "type": 8}, {"defaultValue": "", "display": "Use system proxy settings", "hidden": false, "name": "proxy", "options": null, "required": false, "type": 8}], "description": "Algosec BusinessFlow(ABF), Firewall Analyzer (AFA) and FireFlow(AFF).", "display": "AlgoSec", "hidden": false, "icon": "", "id": "AlgoSec", "image": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAHgAAAApCAYAAAD+tu2AAAATjUlEQVR4Ae2bBXRb15aGd7AUZnhcZuY2XGbGMDMzMzMnZmaO2TEzMyexZUkWmTGk+ber49FoKYbpKztrfVfKRa37n43nmNr6dzqlavzWaPWhWQGK0C885cXvukoVH7pJpVN8y1NXhanszqRWzbLIqh4JqIvfJ0Z32uXUjJnhXx4AMW9OdCrTvuVcpn3HRap9W+9zQst+qfZbb7lkd2zFxgR5Yx9AXfy+4E0rgVfrux9OrNzyibvsOgv7HsRkcSfhO4s91bc8/wtPWQXvf99Vqn0PtIjtWKZddlkZ6VZQ+yig3w9dtH5JVTR13xNbcXocxGLR3oWILNyPvuWSrdGa/QcSKl66kFY1cH2E2mc89rPA+ox1lGi/8ZZf8yqqewbQ74MuWr+YZFRvHOsgYatli2XR6vfEafZFljWMBCRYE6byNiYww4Njul95XnHV9eGAfnu6aNkEXWt4DS64+R3E1PGwRCRRud5F9WMAGbI6TCUs2Chv2ku0++IrLAH99nRBCbLG7ktDVIEs2jiA7DjCo7BuNCCBa35NT0CgXYHZtYNbYaUNYwD9tnRBoSX1ryNZujXWoUy7KFiZmKVuHgKICbhWfz8Etdwdq3kGELPKqMAy/myF77UjVmMD6LelCzqaVLn/DbjVr73ksnBJ40OAANx2/RucNHGmvCpU/Twg0K4FM29z+eQjV8TJGocD+u3oguYHKUNfs5NofYrrZgBiIiQNL3/lLVeykJ95yBrWhKufBQQ6JPB7AMnabducmrcB/XZ0QR+5y2RzAhUp6crmXoAkNTdGTPZVFLKIEKlF4LUQGBDokMAMZ+KnU6vmAPpvEBUV1dvc3HzeoYMH3fD9PUDt0wUhsapxL6xbBIjZFauxetP+pzqYXS03PVaHqZ8DBDoqMK7n5odqLaCfS11dXS+Tixct582dq509a5bW28trFqD26YK+9JJdSVU0PwLI/2rd2Hdcym6yuJ+6y6o+cpNVfeklL98QoXkaEOiwwNzSXB+uXgno5xIXG/vh/HnztEsWL9YuXLBA63vp0lRA7dMFx1X3q1U3+gPaEaOxfdlWol0drg5wzqsddjG9eqhFVs0wvyt1PQGBDsdgdtGWWTWTAf1czp09e2rB/PnaZUuXdlLgLuhAQuVqxLh7Y6SNA3+4JJdxibMuXOXhkFv7jXV2zRT7vJrvQ0rqBgECHRMY1gvrv2GTXfMyoJ/LoUOHnBdB2M4L3AVFSRsfxwRD942R6pc+dpfdYHHeAWyB3Iv+AIKtDFU9BQgg0VJ5tScwT1TMDlDkltTcuAeQMby8vPpu37ZtxMYNG0Y5Ojj0B3Qnjh454riwkwJHRkbevXvXruEb1q8fdfLEiSFxcXE9AXUUUxOTQevWrh118cKFQYA6imNubfcFQcrh3/nIR1pk1vQB1BGCSup7zgtSDP8e18Fr9QHUGcwzqu+a5lc+cg7u4VFU3wsQQ+LL1kjNBGTUSI7+b1fqU2TRO6Ir3t0Wrfk7aua/I+kJnuDUtsDsBY4lV+4AJAgJDu7j6uo67tixY7thkUHbt2/PXr1qVcnKFSskW7dsyUV27IdEan5wUFAfQPocO3rUoSMCe3t73w1hvsGAsN+ze3fqmtWrS1YsX14GkYv37d2bePToURsTE5MZCQkJwwAZgkFxr62N7TxcH4SBV4DfVrZp48bCw4cOBVtZWS0MDQ29D5AxkuSNAzF3vmGWvyLuc09ZCYxFMt1PkYUy1PVEctWPl4rrBgIy5ERy5dOYwDm8IEiRiOuuietWhqmc8M4/B9QWZ9OrHoImRzAHkAKtSvnZswMVSah4jplmVD9F2DCcPT+DxKpJCKzP197yCsz7KvCp/Ag967bE5enFr7zk6nBJwz8BMZWVlT3OnzvnxOIwc+fM0c5jkBWLfcyihQu1ECI2Nzf3QUCCjgick539DCw2ihMxTsjmzJ7dek+O3/rPObB/f3JOTk4/QILS0tKH9+7ZE8PH+XqGf5/4zvsxaOKKiooeB6RPnLThsZn+inT2XJMAvwP+zq3fCYA/YRwbAOmDgb8CZWg1nzsGEz0t1+Na/s5GxFXMthiNdVntjb6ADEEI/Q5JsFI886f5en6epGVOYG6gMp6waSG5vOkuuNUMPMRoRoyLAeJrW6WRznqd82sXAtLHztb2yMwZM7Rr16yp37F9e/KRw4ftYbHnDx444Lp+3bqyxRCCBWTxjxw5ElFSUnIPINCuwNeuXXsGFieDECwon3cT1zibmZquRO285NTJkxdhjQ18/eJFi7R4njI9PX0YIObq1avDd+7YkcWCLl2yhM/hgXbZwsLi+P59+4J5Hw8cPo6wklteXj4KEJOnae6zOFgZN8ahTAxw7gqWLr+ssp8fpPD4ylOu4Pfnd6X+NUAC65yaFSzE27rBgF5E6rIQ5aHFIcoDi3A/Fo2NjbuMmKq1BKQP+szv43gzn8ea8MCAEcoxXx811a88FaH2BgbQfsJGwHXw7HH4oWJCvzO8B3jk7YrTWFY33eoBSJ+szMzHYMVbEVOfCQsN7QFI4OXpOfr0qVO+QkQWKTAw8DNAjKHAlyAwIKa0pKQfLC+FXz6LsHLlyjrs/xKQAALfBZHyhXhwu9K09PShgBhbW9szqK/1B9AGuN3ugENLNxxfy/fm4+wZrK2tLwJi7HJrvxZGwS8beUr8hfTqfwBirLJr/4UVMlNy1M29ADHo8z8NV1z3NqyNLfVkStXFWGljP0AMGk737ImrMJnIIuvE8y6q+wAQwD2uD5x8SZ4/UZcj8aDaEKE2Nc2s/gdgg+p5LrVqbISk8X7CppXKplu9NkepHcbYSzossrBwTry2RKnt4mUN9wHqNPHxryxfvvwGi8CWaG1peQYQaFPggICABfPmzOVjLde5u7ntA6QPrunLAvM5QuDMzMyhgMLCwu5fvXp1taixYbEJarW6B6BWNJpuiMvRohZHXK9TycoeArQwRHmMXzC/B7bGUylVkwG1BabxTNjT8XVIjHLx3vsA0kfVcHMILFLKXpONDkmwMyDAAs7lffxMDBBeTRORo7reC5Ahhjs48PddH6m2Fkt12nLJb+vO+Rhx5Gxa1YZEWVMPQP8fUpKTByAZ0rAAHDPPnjnjA4gxFNjHx2cqoOrq6h6HDx+OEi9+1apVdYWFhQ8B0gfi9sO1/yvwpk3SjIyMoYCcnZ0XtNbY+LS2stoIyBBPT881/Bw+j8/3cnFcDOgHP+UFdqX8nniQexfX/QDoThRX3hiEiZhSfr8szv74ih2AjLE9RuMyXufGkV1LuZQFPKPnx88SFQsWbHzX7ooOQ44nVc1C4pD4gZtUxAm2VF5o95Pw+I5kqnxZqMrMMa/2OUCdxc/Xb5CFucXzB/fv/8TZyWnTqpUrG9iCWURkroGAwB1jcEpKygPIlOuE9e3duzcpPCysFyB9cN0dBYb7thYC82dycvKHgAxJTEx8Xz+E7N210xbQkZS6DRP0Xjay33jPoroRgIzhkl/3Bp8rBgUs+mNAxsAqmx0cp/k8VDjXjyVVPJupar7vx0vlch4guAfvr8G++wEZgzd3BLMR98Cnvw7XuxKcmuVfbrsCgm6IVO86lFD5tXtB7d8AdQYXZ+dR6EzNgyv0gKuULF+27Da/dI5tIs61J7C/v/9UwLHzfVyvXapzz7B2d0CGGArMLhrJ1RBAKNtiWFgeWEjEbtjY2LwMyBA7O7uXcbxZDMB9e/bEA4qRNT+CTLiOX/gHujgMAXJ2xmimR5U1DgCkz9YozbR3RLKKhYwnk6ueBiRALjRod5zmMcTUSSiDXDn+8rkfuMl48mb8eZRFn3rIW6odfiYSqnz3groBgIzBm18FJEs9HOztVyDbLWMLYEE5c962bVsRyg83CHF2zZo1dR2x4ODg4KmAUEfP5H1COCRbJoAMMWbBiL+DYJk9kD3n8D15cHGG7+jo+DQgQzw9PJ7A8VZvsWfXzryMzKx7AJlm1UzjjFZ/JerbAPVo3qHEivmRksYegAC73uXsBWHFvFL1OpKp9ShRV6OWNZsbqIhA3C1BPVvPsZfdMN+LkzFOtvbGVbyDOvsliH2LRefnLQhWJiXIm3oDMgZvfnGQ6XIdfH4+Ml0Wl18Qukse+DcezYn+gKIiIwds3LhRDQHaFTgoKGgqIJy/iAeEEA4l1xlAhtxJ4IiIiN7btm7Nx28SAte6u7s/CcgQPz+/x9euXVvD5/H5KPUKLgcH9QXEoJnxDgSKZDGE0KIbCI9nr2m8eTegTVGa1W/rBP4A8Pc3UX1wrczJLe//xENWg3VxhQiRoUtClBeXhig3olv1jVVWTX94h4k457YICQuxCidD1dwLkDF484uDOPgDu1BhnRDbFC+4OyBBTHT0P1CfcpLVYQteuXz5PH0LRqPDBJABRl004u9g1L/dUO9mCAtGPG+0tLB4DpAhTk5Oz+B4vbBgXJddXFTUG5DAJb+ml31uzQdLLyv92PJYZIZrWSShewHti6tY8FPWLeNj3ETKg4iWa8LU29C4mLw/vvKNVaGqByyza/oDMmR5qHIM4u4NUfvOClBkYtnzfe2ui/6lkMtkXGIEQ2BhJRWFBQX/BqRPTExMhwUODAiYCujM6dNf8D4eOBxHT5065QnIkLaSrAMHDgSLGIzfdxueYSwgQ86fP/8mYvAt8Sz8rsuAjOFaUNP9ZErlAbZgsYSJmxDIafohvn4AYXUljkR7Lq1qDaCOEnit/iF0r+o44WXQ2FCGljaMBmQM3vyiKJXK/ug1l7Jb45eL76koO3oD0qczAvv5+k4FdDkk5Alk3s3CqhBv06Kjo3sD0qctgdFNO95a/uAzJCRkGiBDkEN8p/sNoow7BehOYGp1BIRQsQjvAlQjNzBD92RexfXRcMENvI9jLOpaD0AdBT3ve6b5KfLeah08ZbfRHJkIyBi8+UWRSCSDNm/aJGsVeOvWFCQtvQDp0xmBRaOjuLioN3exhAWiAdGIevoZQPrg2YYuulXgiPDwT1H/6gSer0WGbw3IEGTS57hbJn4DBtfngO4EKoZ+LY0KXTmDeHvLOqf2BUBLL6uiOTaz+EioapPkTU8A6ijbozUm43RdLG54IHEzBWQM3vyiyOXynsiSU0ScQ+Zbhcb+g4D0iYuPHwWBO5Rk6feikd2uFC+ehcZskh0gfZAQ9cSzcwzKpKGApFJpPxwvFL8PHqH66pUrzwISZGZkPIImjPhtnPkXS0pL+gPKrbjRxyqrejQgfVDn/whhefqVXTT3p5W+V+pHA24mzRIJFbtx9J/DfYrrRwMyAs6vHwlIEHytYSLueZsHDvOxm6wBf+n5CSBBorypu7T2Rk/C5hcHTYxtXBYtQ80Ka2Lx/ODy7gckiI2JeQLzr9wy7JTA6FQNQMKTJtwsW/LxY8dMML33lI21dR9XZ+dB9vb2H8C6VXzMUGDALngmT3Is0yWBu3buzDc1Nf3RzMzsBSRY3+zcvj1LPJ8HU1Bg4BxAjFN+7VQse5KgZj2yL07zHVbIfHYgvmIXYmPV27ra+HWIeSSp8jwgpvHm7bvRjQrh3r3IhpE152F50hrMJb+PeeGJswLKP90UqV6GBMwL2XR+ZFnjKEDM9Vvablh946qb4BBr5+rx3EPgaxybAy8R4Jpf+xVh84uDKb8hECFurq6ZwaszYBFKWPYlCGiBWtQLblzCAjB42VzyRAACbQrMJCUmPg3rv8YWzALyIIKnqMM9C/GcUojbcl9jLloAIS+weOL6JTifs2q+ToQXPm5hbm6qLJd3AxQjbboLAsS+jmXHYmKAO39sldzMYOvinvPsgPJUdePNkYAEacqmf88LVCQjDuNc8Se6XBvLtB+7S2/xp+jxcxaOMmwpIB0QuuEfk33Ls8Tq13dBS3mmmxt4tWXplcqHsPlVwMzMCLjL83jxleIlspA8iyOm+Xg/xLiJKblkWN00QAyycA8RZ/kT8Xc2IH2cHR0f5IGATLd+8cJFWuFOAWfuVdjPbdA7CpyXl9cdz1qPgaLgcxghOAPvonBwcNioX95ZZtXei78eOPOZp0zD1gp0Qv30HTNGTVjiZJumbB4NyBCsPx+yLlx9Eh5AzecLQYXovI8tFJP5mXviNJMB6XM+rfrfaJC4c13MA4p7261/HYrfgK6jM2Hzq4Ia+AFbG5spiHsHkLxcxHytGQQ8u2Xz5j14gdNR/jzv7+d3DyAB5mW/gug7d+/evZU/MQP0LCBjoIX5uJub2xTcc/3p06dXozX6pauLy1M8j4tBJASWoYs1DJAhWEv8T6z6mA03fQJu2mznzp0n8TknMiLiX4CMgZh7/+mUqh/Q6NiLztIZzBCd3BKtWY669jlAHeB+tCGno+14BBP8ZluRRE33Lz+K9vCSvXGVYy5mVPcDdCdQPo1dHqragYaK6c44zcXFl1XbzDKqJ2HhZG/C5k8P5qKHwDIr9LpQaRgEdwP6s8ObPz1oVGwSSRi7XStLS3NAfwV484cHMXgOL6jDypC34PJHIfHqE+Dv3wfdp38gJGyAsJwstcZw1NzjAf0V4M0fmqqqqr7IxnNmz5zZYqFwxXL8P203QGLEjRPO3Fuzc16eA+ivAm/+0GAm6jUI2cSWKRDZ8xJdBqwrn24iWTqtUCjuBfRXgTd/aAoKC3tiOu9luOMtqKk9MP2Xhm5UKZoWCl7XjN530rlz5y5gyc14QH81/gdcgGx5OyOHFAAAAABJRU5ErkJggg==", "integrationScript": {"commands": [{"arguments": [{"default": true, "deprecated": false, "description": "ID of requested change request", "name": "ticketId", "required": true, "secret": false}], "cartesian": false, "deprecated": false, "description": "Retrieves a FireFlow change request by its ID", "execution": false, "hidden": false, "important": null, "name": "algosec-get-ticket", "outputs": null, "permitted": false, "sensitive": false, "timeout": 0}, {"arguments": [{"default": false, "deprecated": false, "description": "A free text description of the issue", "name": "description", "required": false, "secret": false}, {"default": false, "deprecated": false, "description": "A list of device names, on which the change should be made", "name": "devices", "required": false, "secret": false}, {"default": false, "deprecated": false, "description": "The device action to perform for the traffic. This can be either\nof the following: \\U0010FC00 1 - Allow the traffic \\U0010FC00 0 - Block the\ntraffic\n", "name": "action", "predefined": ["0", "1"], "required": true, "secret": false}, {"default": false, "deprecated": false, "description": "The destination address to perform the action on", "name": "destAddress", "required": true, "secret": false}, {"default": false, "deprecated": false, "description": "The source address to perform the action on", "name": "sourceAddress", "required": true, "secret": false}, {"default": false, "deprecated": false, "description": "The email address of the requestor", "name": "requestor", "required": true, "secret": false}, {"default": false, "deprecated": false, "description": "The change request's title", "name": "subject", "required": true, "secret": false}, {"default": false, "deprecated": false, "description": "The device service or port for the connection, for example, \"http\" or \ufffc\ufffc\ufffc\ufffc\ufffc\ufffc\ufffc\ufffcMandatory \"tcp/123\"", "name": "service", "required": true, "secret": false}, {"default": false, "deprecated": false, "description": "The user for the connection", "name": "user", "required": true, "secret": false}, {"default": false, "deprecated": false, "description": "The application for the connection", "name": "application", "required": true, "secret": false}], "cartesian": false, "deprecated": false, "description": "Creates a new FireFlow change request", "execution": false, "hidden": false, "important": null, "name": "algosec-create-ticket", "outputs": null, "permitted": false, "sensitive": false, "timeout": 0}, {"arguments": [{"default": true, "deprecated": false, "description": "The IP/Subnet to search", "name": "address", "required": true, "secret": false}, {"auto": "PREDEFINED", "default": false, "deprecated": false, "description": "The search method for the address", "name": "type", "predefined": ["INTERSECT", "CONTAINED", "CONTAINING", "EXACT"], "required": false, "secret": false}], "cartesian": false, "deprecated": false, "description": "Find applications containing network objects related to IP address using BusinessFlow", "execution": false, "hidden": false, "important": null, "name": "algosec-get-applications", "outputs": null, "permitted": false, "sensitive": false, "timeout": 0}, {"arguments": [{"default": true, "deprecated": false, "description": "The IP/Subnet to search", "name": "address", "required": true, "secret": false}, {"auto": "PREDEFINED", "default": false, "deprecated": false, "description": "The search method for the address (default is INTERSECT)", "name": "type", "predefined": ["INTERSECT", "CONTAINED", "CONTAINING", "EXACT"], "required": false, "secret": false}], "cartesian": false, "deprecated": false, "description": "Find network objects related to IP address", "execution": false, "hidden": false, "important": null, "name": "algosec-get-network-object", "outputs": null, "permitted": false, "sensitive": false, "timeout": 0}, {"arguments": [{"default": true, "deprecated": false, "description": "source(s) for the query. Multiple values are separated by commas (,)", "name": "source", "required": true, "secret": false}, {"default": false, "deprecated": false, "description": "destination(s) for the query. Multiple values are separated by commas (,)", "name": "destination", "required": true, "secret": false}, {"default": false, "deprecated": false, "description": "service(s) for the query. Multiple values are separated by commas (,)", "name": "service", "required": true, "secret": false}, {"default": false, "deprecated": false, "description": "user for the query", "name": "user", "required": false, "secret": false}, {"default": false, "deprecated": false, "description": "application for the query", "name": "application", "required": false, "secret": false}], "cartesian": false, "deprecated": false, "description": "Performs a batch traffic simulation query using Firewall Analyzer", "execution": false, "hidden": false, "important": null, "name": "algosec-query", "outputs": null, "permitted": false, "sensitive": false, "timeout": 0}], "isFetch": false, "isFetchCredentials": false, "longRunning": false, "longRunningPortMapping": false, "runOnce": false, "script": "var username = params.credentials.identifier;\nvar password = params.credentials.password;\nvar server = params.server.replace(/[\\/]+$/, '');\nvar insecure = params.insecure;\nvar proxy = params.proxy;\nvar baseAFF = server + '/WebServices/WSDispatcher.pl';\nvar baseAFA = server + '/afa/php/ws.php';\nvar baseBF = server + '/BusinessFlow/rest/v1/network_objects/find';\n\nfunction fillInSoapContent(content, service) {\n var request = service === 'AFF' ? '%content%' : '%content%';\n return replaceInTemplates(request, {content: content});\n}\n\nfunction fillInSOAPRequestTemplate(method, content, service) {\n var template = service === 'AFF' ? '1%content%' : '%content%';\n return fillInSoapContent(replaceInTemplates(template, {content: content, method: method}), service);\n}\n\nvar responseDict = {\n 'authenticate': /(.*)<\\/sessionId/,\n 'getTicket': /((.|\\n)*)<\\/soap:Body/,\n 'createTicket': /((.|\\n)*)<\\/soap:Body/,\n 'ConnectRequest': /(.*)<\\/SessionID/,\n 'DisconnectRequest': /(.*)<\\/ns1:DisconnectResponse/,\n 'QueryRequest': /((.|\\n)*)<\\/SOAP-ENV:Body/\n};\n\nvar commandToMethod = {\n 'algosec-get-ticket': 'getTicket',\n 'algosec-create-ticket': 'createTicket',\n 'algosec-query': 'QueryRequest'\n};\n\nvar commandToURL = {\n 'algosec-get-applications': '/applications',\n 'algosec-get-network-object': ''\n};\n\nvar sessionData = '%sessionId%';\nvar methodDict = {\n 'authenticate': '%username%%password%',\n 'getTicket': sessionData + '%ticketId%',\n 'trafficLines': '%action%
%destAddress%
ftp
%sourceAddress%
%user%%application%',\n 'createTicket': sessionData + '%requestor%%subject%%trafficLines%',\n 'ConnectRequest': '%username%%password%',\n 'DisconnectRequest': '%sessionId%',\n 'QueryRequest': '%sessionId%%query%',\n 'QueryInput': '%source%%destination%%service%'\n};\n\nvar affCommands = ['algosec-create-ticket', 'algosec-get-ticket'];\nvar bfCommands = ['algosec-get-applications', 'algosec-get-network-object'];\n\nfunction createTemplate(method, args) {\n switch (method) {\n case 'createTicket':\n var trafficLines =\n (args.description ? '\"%description%\"' : '') +\n methodDict['trafficLines'];\n return replaceInTemplates(methodDict[method], {trafficLines: trafficLines});\n case 'QueryRequest':\n var query = methodDict['QueryInput'] +\n (args.user ? '%user%' : '') +\n (args.application ? '%application%' : '');\n return replaceInTemplates(methodDict[method], {query: query});\n default:\n return methodDict[method];\n }\n}\n\nfunction sendSOAPRequest(method, args, service) {\n var req = fillInSOAPRequestTemplate(method, replaceInTemplates(createTemplate(method, args), args), service);\n var res = http(\n service === 'AFF' ? baseAFF : baseAFA,\n {\n Method: 'POST',\n Body: req\n },\n insecure,\n proxy\n );\n if (res.StatusCode < 200 || res.StatusCode >= 300) {\n throw 'Failed to ' + method + ', request status code: ' + res.StatusCode + ' and Body: ' + res.Body + '.';\n }\n return res.Body;\n}\n\nfunction sendRESTRequest(url, args) {\n var res = http(\n baseBF + url + encodeToURLQuery(args),\n {\n Method: 'GET',\n Username: username,\n Password: password\n },\n insecure,\n proxy\n );\n if (res.StatusCode < 200 || res.StatusCode >= 300) {\n throw 'Failed to ' + url + ', request status code: ' + res.StatusCode + ' and Body: ' + res.Body + '.';\n }\n return res.Body;\n}\n\nfunction sendAndParse(method, args, service) {\n var responseXML = sendSOAPRequest(method, args, service);\n var match = responseDict[method].exec(responseXML);\n if (match && match[1]) {\n return match[1];\n }\n throw method +' failed';\n}\n\nif (command === 'test-module') {\n if (sendAndParse('authenticate', {username: username, password: password}, 'AFF')) {\n return 'ok';\n }\n return 'something is wrong';\n}\n\nif (affCommands.indexOf(command) !== -1) {\n args.sessionId = sendAndParse('authenticate', {username: username, password: password}, 'AFF');\n return JSON.parse(x2j(sendAndParse(commandToMethod[command], args, 'AFF')));\n}\n\nif (bfCommands.indexOf(command) !== -1) {\n return JSON.parse(sendRESTRequest(commandToURL[command] ,args));\n}\n\nargs.sessionId = sendAndParse('ConnectRequest', {username: username, password: password}, 'AFA');\nres = JSON.parse(x2j(sendAndParse(commandToMethod[command], args)));\nsendAndParse('DisconnectRequest', {sessionId: args.sessionId}, 'AFA');\nreturn res;", "subtype": "", "type": "javascript"}, "modified": "2019-02-06T17:46:15.191691973-05:00", "name": "AlgoSec", "prevName": "AlgoSec", "shouldCommit": false, "sortValues": null, "system": true, "vcShouldIgnore": false, "version": 1}, {"brand": "", "canGetSamples": true, "category": "Data Enrichment & Threat Intelligence", "commitMessage": "", "configuration": [{"defaultValue": "https://otx.alienvault.com", "display": "Server URL (e.g. https://192.168.0.1)", "hidden": false, "name": "server", "options": null, "required": true, "type": 0}, {"defaultValue": "443", "display": "Port", "hidden": false, "name": "port", "options": null, "required": true, "type": 0}, {"defaultValue": "", "display": "API key", "hidden": false, "name": "apikey", "options": null, "required": true, "type": 4}, {"defaultValue": "", "display": "Trust any certificate (unsecure)", "hidden": false, "name": "insecure", "options": null, "required": false, "type": 8}, {"defaultValue": "", "display": "Use system proxy settings", "hidden": false, "name": "proxy", "options": null, "required": false, "type": 8}], "description": "Query IOCs in AlienVault", "detailedDescription": "To get Your API Key, go to [AlienVault OTX](https://otx.alienvault.com).\nAfter you login (or sign in), under Your profile settings You will find a OTX Key section.\nThis section contain Your key.\n", "display": "AlienVault OTX", "hidden": false, "icon": "", "id": "AlienVault OTX", "image": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAHgAAAArCAYAAACzfkyLAAAGMUlEQVR4Ae3aY5AkSxfG8Xdsz1zbtm3btm3btm3ftW3btm3vnvcfcc+HiozOnmJjtz/8Fp2ncrLzma7Kzqr/ichGLEP/AdzTZcfj8DRexAsZaeOcuAFTUIc7IBlp6+V4AT+JOZCMtLUWO9gC/gjLIRlp7TBbwO9jKUQtwFN4CA8nwUNoBnH4K8njed74EEzDo9qerDF1gzgcgHPxII6JF/CgZK/+GMO1EIczUmBMUyCqcwqM53mIw37YC4/inHgBD/H5A/fAZXgEj+EGHIICH33dBnG4KEZNIQpUfsDJykOBQ06MnzUVorqlQMCvQRwOMWtCCZj6i9AX6yAxjMHL2CpowNq2NfpjEiZgIsbhOp8TdZyOcaKjv5HYb5MOmLpt0Rji0mxcEELAO2IDxDABhT4m6hNIDEdusgFTcygmQzxag6uDBKzt31v6v9LjJFVhFsTQf5M9RdO+O+ZCfNqASwMGvJ/lktDL4yTda984iCZgjq3BLqo2pQLWwQ2CBLQUBwZcZP1l6fsMlxNUgrEQwwJs6yVgPRMcgqNxKLZHlqN9b9yHHtr/WrUAXfAA9k+FgN+EhGQECgMEvDtWQQx9oZNrp5MqMTxj1FoD1raTMQ2i5qETLkAFvsM6l2e231GblIB5PR+jICG61m/AWveHpd9T6pmcgjif3jqPATeHoCtOQQ2ysB0GQDwaju2TEfCpkJB1DBjwoVgPMTSuZ3Iuh8TwrtZ4CbgPBK85XitCX4hPbZIR8IeQkC3H1n4D1tqWEMN8VFjqs9DLMpYdPQRs/vw1uExfuxoS0A2JDrgrJAKnBQrY/mm8xlJ/vKX+e63xGvArELUaV2ILdIcEMAWlCQlYr1mTIBG4M2DAm1u+tg1GYYxPb0vLp3cvnwFvhfFGf6+iCvcb13qvbkpUwGWYg3VYAwloPdZC8HSQgLX+CTenOV0ESQyfmH16/Jq0LxYZfQ7C4cjV8S2GeNQiUQGXaMDXY1ccgWvxs/HG4umDR3As9sRuGIwnQwi4DvMhhgHIcdQ1ghhWYNcgAWvNaVgNMXyBKmyJphAPRiM3EQFnYQzOjdG2Sz3Xm2m42DLIobguaMB6zNu2jQ9tL7U8udJQ+wgUsNadYfmFn4cHteZotIG4MBn5iVpkNcd9lrYitLYsFHaLsys2HweGFPAOWAExtK5nZXtbWAFr7f4YDYmhB07RuiPQEBLHSJyG4xMR8CP4M84b2wyzjZ2ZU+LUX4+ZKAgjYD3uO8v1/mB0hhhmoSrkgAtQjV4Qi164ANk4AD9gCcTQE3UYgnuiDrgO03FOnDf3kJtTn95qnIMXjLagAe9kWcxMwVqIQSct1ICvwscow+UYBrEYp/N/KHbEqXgZIyB43XF9F5wZ9V70H1iGYyztu2BtPd9Dt0F/7afWR8B+7++aJqEogoBrsAK9cIDjF38WJI7eWrcrSnEIShz9jsZw5EQZ8GkQrMJz2Nxoz3FMxH4xjr8YUyB4UV8PO+DddHxSj0f0mDADNr+2rccX2Azl+MLlE6yD8SZuwLm4GrOwAlVR3w9uaqwOf8Y1OBr7YSIEZ+EQXIRX0AeipqIyioD1+F8hccxFdYQB1xkr9iV4A0Xa9iRGQjzqjpyoA95FByz+6Q3/6AI+BmKl17aoAtZjTnTOq5qG57Gl1hyCT8ydMItZODBRj+zcAfHpJ+0nyoCLMQ0SwzJsG3XAetxhGA4xrEYLXIYyVOIgXIVX8BOaoSG+wM3YItEP3T0H8agtCqMOWPu4B2Iyr/1RBWzsAl6E5pa1wWy8hcqUe2yW2q8gLi00N/QjDrgYU+w39KMP2KQr5AtwF+7BZdjb2I5MqYCz8S+kHstwQlgPvnvo53Gjn3e895N58L0cvSEWc8yttgQGXGvchNg/E7CHgI3biT9ZtuT20LrEBqz03qxgsLlxnwnYI72+NEUnPGRMaLICzsep2Oa/1zIBD0qBwd8IcTgnyePJMhZsXVJgjl7yG/Bk7I7tfdrOYXufXoY4PITtk2h/41o+BDsleUzfuQ34QyyLcYttTRKJKcnjWQ8xrE2xOTrUFvDbRsDpKWMfW8AH43tI2srogLyYAWvIpXgYn+MLfJ4WMr7A88ZtWyPgjVbG/wFla7PquLj6qAAAAABJRU5ErkJggg==", "integrationScript": {"commands": [{"arguments": [{"default": true, "deprecated": false, "description": "ip to query", "name": "ip", "required": true, "secret": false}], "cartesian": false, "deprecated": false, "description": "Query IP in AlienVault OTX", "execution": false, "hidden": false, "important": null, "name": "ip", "outputs": [{"contentPath": "", "contextPath": "IP.Address", "description": "IP Address", "type": ""}, {"contentPath": "", "contextPath": "IP.ASN", "description": "IP ASN", "type": ""}, {"contentPath": "", "contextPath": "IP.Geo.Country", "description": "IP country", "type": ""}, {"contentPath": "", "contextPath": "IP.Geo.Latitude", "description": "IP latitude", "type": ""}, {"contentPath": "", "contextPath": "IP.Geo.Longitude", "description": "IP longitude", "type": ""}, {"contentPath": "", "contextPath": "AlienVaultOTX.Reputation", "description": "IP reputation", "type": ""}], "permitted": false, "sensitive": false, "timeout": 0}, {"arguments": [{"default": true, "deprecated": false, "description": "domain to query", "name": "domain", "required": true, "secret": false}], "cartesian": false, "deprecated": false, "description": "Query domain in AlienVault OTX", "execution": false, "hidden": false, "important": null, "name": "domain", "outputs": [{"contentPath": "", "contextPath": "Domain.Name", "description": "Domain name", "type": ""}, {"contentPath": "", "contextPath": "Domain.AlienVaultOTX.Alexa", "description": "Alexa URL for domain data", "type": ""}, {"contentPath": "", "contextPath": "Domain.AlienVaultOTX.Whois", "description": "Whois URL for domain data", "type": ""}], "permitted": false, "sensitive": false, "timeout": 0}, {"arguments": [{"default": true, "deprecated": false, "description": "ip to query", "name": "ip", "required": true, "secret": false}], "cartesian": false, "deprecated": false, "description": "Query IP in AlienVault OTX", "execution": false, "hidden": false, "important": null, "name": "ipv6", "outputs": [{"contentPath": "", "contextPath": "IP.Address", "description": "IP Address", "type": ""}, {"contentPath": "", "contextPath": "IP.ASN", "description": "IP ASN", "type": ""}, {"contentPath": "", "contextPath": "IP.AlienVaultOTX.Reputation", "description": "AlienVault IP reputation", "type": ""}], "permitted": false, "sensitive": false, "timeout": 0}, {"arguments": [{"default": true, "deprecated": false, "description": "hostname to query", "name": "hostname", "required": true, "secret": false}], "cartesian": false, "deprecated": false, "description": "Query hostname in AlienVault OTX", "execution": false, "hidden": false, "important": null, "name": "hostname", "outputs": [{"contentPath": "", "contextPath": "Endpoint.Hostname", "description": "Endpoint hostname", "type": ""}, {"contentPath": "", "contextPath": "Endpoint.AlienVaultOTX.Alexa", "description": "Endpoint Alexa URL", "type": ""}, {"contentPath": "", "contextPath": "Endpoint.AlienVaultOTX.Whois", "description": "Endpoint Whois URL", "type": ""}], "permitted": false, "sensitive": false, "timeout": 0}, {"arguments": [{"default": true, "deprecated": false, "description": "md5 to query", "name": "file", "required": true, "secret": false}], "cartesian": false, "deprecated": false, "description": "Query file in AlienVault OTX", "execution": false, "hidden": false, "important": null, "name": "file", "outputs": [{"contentPath": "", "contextPath": "File.MD5", "description": "File md5", "type": ""}], "permitted": false, "sensitive": false, "timeout": 0}, {"arguments": [{"default": false, "deprecated": false, "description": "File md5", "name": "md5", "required": false, "secret": false}, {"default": false, "deprecated": false, "description": "File sha1", "name": "sha1", "required": false, "secret": false}, {"default": false, "deprecated": false, "description": "File sha256", "name": "sha256", "required": false, "secret": false}], "cartesian": false, "deprecated": false, "description": "Query file in AlienVault OTX", "execution": false, "hidden": false, "important": null, "name": "alienvault-query-file", "outputs": [{"contentPath": "", "contextPath": "File.MD5", "description": "File md5", "type": ""}, {"contentPath": "", "contextPath": "File.SHA1", "description": "File sha1", "type": ""}, {"contentPath": "", "contextPath": "File.SHA256", "description": "File sha256", "type": ""}], "permitted": false, "sensitive": false, "timeout": 0}, {"arguments": [{"default": false, "deprecated": false, "description": "The page of pulses to get", "name": "page", "required": false, "secret": false}], "cartesian": false, "deprecated": false, "description": "Search for pulses in AlienVault OTX", "execution": false, "hidden": false, "important": null, "name": "alienvault-search-pulses", "outputs": [{"contentPath": "", "contextPath": "AlienVault.Pulses.ID", "description": "Pulse ID", "type": ""}, {"contentPath": "", "contextPath": "AlienVault.Pulses.Author.ID", "description": "Author ID", "type": ""}, {"contentPath": "", "contextPath": "AlienVault.Pulses.Author.Username", "description": "Author username", "type": ""}, {"contentPath": "", "contextPath": "AlienVault.Pulses.Count", "description": "Pulse count", "type": ""}, {"contentPath": "", "contextPath": "AlienVault.Pulses.Modified", "description": "Pulse modification date", "type": ""}, {"contentPath": "", "contextPath": "AlienVault.Pulses.Name", "description": "Pulse name", "type": ""}, {"contentPath": "", "contextPath": "AlienVault.Pulses.Source", "description": "Pulse source", "type": ""}, {"contentPath": "", "contextPath": "AlienVault.Pulses.SubscriberCount", "description": "Pulse subscriber count", "type": ""}, {"contentPath": "", "contextPath": "AlienVault.Pulses.Tags", "description": "Pulse tags", "type": ""}, {"contentPath": "", "contextPath": "AlienVault.Pulses.Description", "description": "Pulse description", "type": ""}], "permitted": false, "sensitive": false, "timeout": 0}, {"arguments": [{"default": false, "deprecated": false, "description": "ID of desired pules\"", "name": "pulse-id", "required": true, "secret": false}], "cartesian": false, "deprecated": false, "description": "Get pulse details (pulse are alian vault's entities)", "execution": false, "hidden": false, "important": null, "name": "alienvault-get-pulse-details", "outputs": [{"contentPath": "", "contextPath": "AlienVault.Pulses.Description", "description": "Pulse description", "type": ""}, {"contentPath": "", "contextPath": "AlienVault.Pulses.Created", "description": "Pulse created", "type": ""}, {"contentPath": "", "contextPath": "AlienVault.Pulses.Author.Username", "description": "Pulse author username", "type": ""}, {"contentPath": "", "contextPath": "AlienVault.Pulses.ID", "description": "Pulse ID", "type": ""}, {"contentPath": "", "contextPath": "AlienVault.Pulses.Name", "description": "Pulse name", "type": ""}, {"contentPath": "", "contextPath": "AlienVault.Pulses.Tags", "description": "Pulse tags", "type": ""}, {"contentPath": "", "contextPath": "AlienVault.Pulses.TargetedCountries", "description": "Pulse targeted countries", "type": ""}, {"contentPath": "", "contextPath": "AlienVault.Pulses.Description", "description": "Pulse description", "type": ""}], "permitted": false, "sensitive": false, "timeout": 0}, {"arguments": [{"default": true, "deprecated": false, "description": "url to query", "name": "url", "required": true, "secret": false}], "cartesian": false, "deprecated": false, "description": "Query url in AlienVault OTX", "execution": false, "hidden": false, "important": null, "name": "url", "outputs": [{"contentPath": "", "contextPath": "URL.Data", "description": "URL ", "type": ""}], "permitted": false, "sensitive": false, "timeout": 0}], "isFetch": false, "isFetchCredentials": false, "longRunning": false, "longRunningPortMapping": false, "runOnce": false, "script": "function getArgName(args) {\n options = ['md5', 'sha1', 'sha256'];\n for (var k in options) {\n if (args[options[k]]) {\n return options[k];\n }\n }\n throw 'You must provide either sha1, sha256 or md5';\n}\n\nindicatorsCommands = {\n 'ip': {\n type: 'IPv4',\n argName: 'ip',\n contextKey: outputPaths.ip,\n translator: [\n {to: 'Address', from: 'indicator'},\n {to: 'ASN', from: 'asn'},\n {to: 'Geo-Country', from: 'country_name'},\n {to: 'Geo-Latitude', from: 'latitude'},\n {to: 'Geo-Longitude', from: 'longitude'},\n {to: 'AlienVaultOTX-Reputation', from: 'reputation'},\n ],\n tableTitle: 'AlienVault ip response %Address%',\n },\n 'url': {\n type: 'url',\n argName: 'url',\n contextKey: outputPaths.url,\n translator: [\n {to: 'Data', from: 'indicator'},\n ],\n tableTitle: 'AlienVault url response %Data%',\n },\n 'ipv6': {\n type: 'IPv6',\n argName: 'ip',\n contextKey: outputPaths.ip,\n translator: [\n {to: 'Address', from: 'indicator'},\n {to: 'ASN', from: 'asn'},\n {to: 'AlienVaultOTX-Reputation', from: 'reputation'},\n ],\n tableTitle: 'AlienVault ip response %Address%',\n },\n 'domain': {\n type: 'domain',\n argName: 'domain',\n contextKey: outputPaths.domain,\n translator: [\n {to: 'Name', from: 'indicator'},\n {to: 'AlienVaultOTX-Alexa', from: 'alexa'},\n {to: 'AlienVaultOTX-Whois', from: 'whois'},\n ],\n tableTitle: 'AlienVault domain response %Name%',\n },\n 'hostname': {\n type: 'hostname',\n argName: 'hostname',\n contextKey: 'Endpoint(val.Hostname==obj.Hostname)',\n translator: [\n {to: 'Hostname', from: 'indicator'},\n {to: 'AlienVaultOTX-Alexa', from: 'alexa'},\n {to: 'AlienVaultOTX-Whois', from: 'whois'},\n ],\n tableTitle: 'AlienVault hostname response %Hostname%',\n },\n 'file': {\n type: 'file',\n argName: 'file',\n contextKey: outputPaths.file,\n translator: [\n {to: 'MD5', from: 'indicator'},\n ],\n tableTitle: 'AlienVault file response %MD5%',\n },\n 'alienvault-query-file': {\n type: 'file',\n argName: getArgName,\n contextKey: outputPaths.file,\n translator: function(args) {\n return [\n {to: getArgName(args).toUpperCase(), from: 'indicator'},\n ];\n },\n tableTitle: function(args) {\n return 'AlienVault file response %' + getArgName(args).toUpperCase() + '%';\n },\n },\n};\n\nsearchCommands = {\n 'alienvault-search-pulses': {\n url: 'search/pulses',\n contextKey: 'AlienVault.Pulses(val.ID==obj.ID)',\n translator: [\n {to: 'ID', from: 'id'},\n {to: 'Author-ID', from: 'author.id'},\n {to: 'Author-Username', from: 'author.username'},\n {to: 'Count', from: 'indicator_count'},\n {to: 'Modified', from: 'modified'},\n {to: 'Name', from: 'name'},\n {to: 'Source', from: 'pulse_source'},\n {to: 'SubscriberCount', from: 'subscriber_count'},\n {to: 'Tags', from: 'tags'},\n {to: 'Description', from: 'description'},\n ],\n innerPath: 'results',\n tableTitle: 'AlienVault pulses',\n },\n 'alienvault-get-pulse-details': {\n url: 'pulses/%pulse-id%',\n contextKey: 'AlienVault.Pulses(val.ID==obj.ID)',\n translator: [\n {to: 'ID', from: 'id'},\n {to: 'Created', from: 'created'},\n {to: 'Author-Username', from: 'author_name'},\n {to: 'Description', from: 'description'},\n {to: 'Modified', from: 'modified'},\n {to: 'Name', from: 'name'},\n {to: 'Tags', from: 'tags'},\n {to: 'TargetedCountries', from: 'targeted_countries'},\n ],\n tableTitle: 'AlienVault pulse %ID%',\n },\n}\n\nvar mapObjFunction = function(mapFields) {\n var transformSingleObj= function(obj) {\n var res = {};\n mapFields.forEach(function(f) {\n res[f.to] = dq(obj, f.from);\n });\n return res;\n };\n return function(obj) {\n if (obj instanceof Array) {\n var res = [];\n for (var j=0; j < obj.length; j++) {\n res.push(transformSingleObj(obj[j]));\n }\n return res;\n }\n return transformSingleObj(obj);\n }\n}\n\nvar createContext = function(data) {\n var createContextSingle = function(obj) {\n var res = {};\n var keys = Object.keys(obj);\n keys.forEach(function(k) {\n var values = k.split('-');\n var current = res;\n for (var j = 0; j= 300) {\n throw 'Request to ' + url + ' failed, request status code: ' + res.StatusCode + ' and Body: ' + res.Body + '.';\n }\n // If we have a body, it should have application/json content type.\n if (res.Body &&\n (!res.Headers['Content-Type'] || !res.Headers['Content-Type'][0] || res.Headers['Content-Type'][0].indexOf('application/json') === -1) || res.Body.indexOf('Google Tag Manager') != -1) {\n log('Response body: ' + res.Body);\n throw 'Check your URL (excepting base URL) - got invalid content type, expected application/json.';\n }\n return res.Body ? JSON.parse(res.Body) : 'empty';\n}\n\nfunction queryIndicators(type, indicator, section) {\n return sendRequest('indicators/' + type + '/' + domain_from_url(indicator) + '/general');\n}\n\nif (command === 'test-module') {\n res = queryIndicators('IPv4', '8.8.8.8');\n return res !== 'Not found' ? 'ok' : 'Not found';\n}\n\ncurrentCommand = indicatorsCommands[command] || searchCommands[command];\nargName = currentCommand.argName instanceof Function ? currentCommand.argName(args) : currentCommand.argName;\nvar raw;\nif (indicatorsCommands[command]) {\n raw = queryIndicators(currentCommand.type, args[argName]);\n} else {\n raw = sendRequest(replaceInTemplatesAndRemove(currentCommand.url, args));\n}\nentry = {\n Type: entryTypes.note,\n Contents: raw,\n ContentsFormat: formats.json,\n ReadableContentsFormat: formats.markdown,\n};\n\ntranslator = currentCommand.translator instanceof Function ? currentCommand.translator(args) : currentCommand.translator;\ntableTitle = currentCommand.tableTitle instanceof Function ? currentCommand.tableTitle(args) : currentCommand.tableTitle;\ntranslated = mapObjFunction(translator)(currentCommand.innerPath ? raw[currentCommand.innerPath] : raw);\nentry.HumanReadable = tableToMarkdown(replaceInTemplates(tableTitle, translated), translated);\nif (currentCommand.contextKey) {\n ec = {};\n contextKey = currentCommand.getContextKey instanceof Function ? currentCommand.contextKey(args) : currentCommand.contextKey;\n outputPath = outputPaths.file;\n if (argName) {\n switch (argName) {\n case 'ip':\n outputPath = outputPaths.ip;\n break;\n case 'domain':\n outputPath = outputPaths.domain;\n break;\n case 'url':\n outputPath = outputPaths.url;\n break;\n }\n\n ec[contextKey] = createContext(translated);\n }\n entry.EntryContext = ec;\n if (ec && ec[contextKey] && ec[contextKey].Geo && ec[contextKey].Geo.Latitude && ec[contextKey].Geo.Longitude) {\n entry = [\n entry,\n {\n Type: entryTypes.map,\n Contents: {lat: parseFloat(ec[contextKey].Geo.Latitude),\n lng: parseFloat(ec[contextKey].Geo.Longitude)},\n ContentsFormat: formats.json\n }\n ];\n }\n}\n\nreturn entry;", "subtype": "", "type": "javascript"}, "modified": "2019-06-27T09:58:30.811824015-04:00", "name": "AlienVault OTX", "prevName": "AlienVault OTX", "shouldCommit": false, "sortValues": null, "system": true, "vcShouldIgnore": false, "version": 4}, {"brand": "", "canGetSamples": true, "category": "Data Enrichment & Threat Intelligence", "commitMessage": "", "configuration": [{"defaultValue": "https://www.example.com", "display": "Server URL (e.g., https://www.example.com)", "hidden": false, "name": "url", "options": null, "required": true, "type": 0}, {"defaultValue": "", "display": "Client ID", "hidden": false, "name": "client_id", "options": null, "required": true, "type": 0}, {"defaultValue": "", "display": "Client Secret", "hidden": false, "name": "client_secret", "options": null, "required": true, "type": 4}, {"defaultValue": "", "display": "Trust any certificate (not secure)", "hidden": false, "name": "insecure", "options": null, "required": false, "type": 8}, {"defaultValue": "", "display": "Use system proxy settings", "hidden": false, "name": "proxy", "options": null, "required": false, "type": 8}, {"defaultValue": "", "display": "Fetch incidents", "hidden": false, "name": "isFetch", "options": null, "required": false, "type": 8}, {"defaultValue": "", "display": "Incident type", "hidden": false, "name": "incidentType", "options": null, "required": false, "type": 13}, {"defaultValue": "3 days", "display": "First fetch timestamp (