forked from shaniacht1/content
-
Notifications
You must be signed in to change notification settings - Fork 0
/
automation-CBFindHash.yml
47 lines (47 loc) · 1.38 KB
/
automation-CBFindHash.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
args:
- default: true
description: md5 hash(es) to find (comma-separated)
name: md5
required: true
comment: Search Carbon Black for connection to specified md5 hash(es).
commonfields:
id: CBFindHash
version: -1
dependson:
must:
- cb-binary
deprecated: true
name: CBFindHash
runonce: false
script: |-
import json
res = []
t = []
found = []
fileData = {}
md5s = argToList(demisto.args()['md5'])
for md5 in md5s:
for e in demisto.executeCommand('cb-binary',{'query': 'md5:' + md5}):
if isError(e):
res.append(e)
else:
myData = demisto.get(e, 'Contents')
if myData:
found.append(md5)
myData = json.loads(myData)
fileData[md5] = (myData[0]['observed_filename'][0], myData[0]['endpoint'][0].split('|')[0])
t += [{k: formatCell(row[k]) for k in row} for row in myData]
if t:
appendContext("found_hashes", ','.join(found), dedup=True)
demisto.setContext("found_file_locations", json.dumps(fileData))
demisto.results( {'ContentsFormat': formats['table'], 'Type': entryTypes['note'], 'Contents': t} )
else:
demisto.results( {'ContentsFormat': formats['text'], 'Type': entryTypes['note'], 'Contents': 'No results.'} )
demisto.results(res)
scripttarget: 0
system: true
tags:
- carbon-black
- endpoint
- enhancement
type: python