forked from shaniacht1/content
-
Notifications
You must be signed in to change notification settings - Fork 0
/
automation-CSIndicators.yml
72 lines (72 loc) · 2.96 KB
/
automation-CSIndicators.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
args:
- default: true
description: |-
Based on what parameter to search.
See CrowdStrike documentation for details.
Can be one of indicator, type, report, actor, malicious_confidence, published_date, last_updated, malware_family, kill_chain, labels, DomainType, EmailAddressType, IntelNews, IPAddressType, Malware, Status, Target, ThreatType, Vulnerability
name: parameter
required: true
- description: Can be either match, equal, gt(e), lt(e)
name: filter
required: true
- description: The value for the given parameter
name: value
required: true
- description: Sort by a field. Should be field_name.order where order is either asc
or desc. Fields are indicator, type, report, actor, malicious_confidence, published_date,
last_updated.
name: sort
- description: The page to retrieve - 1 based
name: page
- description: The size of the page to retrieve
name: pageSize
comment: Query CrowdStrike indicators based on given parameters.
commonfields:
id: CSIndicators
version: -1
dependson:
must:
- cs-indicators
deprecated: true
name: CSIndicators
runonce: false
script: |-
import time
def formatDate(t):
if t:
return time.ctime(t)
return ''
def formatLabels(labels):
res = ''
first = True
if labels:
for l in labels:
if first:
first = False
else:
res += ', '
res += demisto.gets(l, 'name')
return res
res = '## CrowdStrike Falcon Intelligence'
entry = demisto.executeCommand('cs-indicators', demisto.args())[0]
if entry['Type'] != entryTypes['error'] and entry['ContentsFormat'] == formats['json']:
indicators = demisto.get(entry, 'Contents')
if indicators:
res += '\n\n### Indicators'
res += '\n|Indicator|Type|Published|Updated|Confidence|Reports|Actors|Malware Families|Kill Chains|Domain Types|IP Address Types|Labels|'
res += '\n|---------|----|---------|-------|----------|-------|------|----------------|-----------|------------|----------------|------|'
for i in indicators:
res += '\n| ' + demisto.gets(i, 'indicator') + ' | ' + demisto.gets(i, 'type') + ' | ' + formatDate(demisto.get(i, 'published_date')) + ' | ' + \
formatDate(demisto.get(i, 'last_updated')) + ' | ' + demisto.gets(i, 'malicious_confidence') + ' | ' + ','.join(demisto.get(i, 'reports')) + ' | ' + \
','.join(demisto.get(i, 'actors')) + ' | ' + ','.join(demisto.get(i, 'malware_families')) + ' | ' + ','.join(demisto.get(i, 'kill_chains')) + ' | ' + \
','.join(demisto.get(i, 'domain_types')) + ' | ' + ','.join(demisto.get(i, 'ip_address_types')) + ' | ' + formatLabels(demisto.get(i, 'labels')) + ' |'
demisto.results({'ContentsFormat': formats['markdown'], 'Type': entryTypes['note'], 'Contents': res})
else:
demisto.results(entry)
scripttarget: 0
system: true
tags:
- server
- threat-intel
- crowdstrike
type: python