8000 Threat Vault - Handle errors gracefully, add outputs by bakatzir · Pull Request #10722 · demisto/content · GitHub
Threat Vault - Handle errors gracefully, add outputs #10722
Merged 6 commits on Jan 5, 2021
Expand Up @@ -384,8 +384,12 @@ Check IP location.

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| IP.Address | unknown | The IP address. |
| IP.Geo.Country | unknown | The country of the IP address. |
| IP.Address | String | The IP address. |
| IP.Geo.Country | String | The country of the IP address. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Indicator | String | The indicator that was tested. |


#### Command Example
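Review bot: The README now documents DBotScore.Vendor, DBotScore.Score, DBotScore.Type and DBotScore.Indicator for the ip command, but no change to the ip command's Python code appears in this PR, so confirm the command already builds a Common.DBotScore inside its CommandResults and that this hunk is documentation only (the release note wording "Added missing outputs" suggests it is). The IP.Address and IP.Geo.Country types also change here from unknown to String; keep the YAML outputs for the same command in sync with this table.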
Expand Up @@ -180,7 +180,8 @@ def file_command(client: Client, args: Dict) -> List[CommandResults]:
sha256=sha256,
dbot_score=dbot_score
)
readable_output = tableToMarkdown(name=f"SHA256 {sha256} Antivirus reputation:", t=response, removeNull=True)
readable_output = tableToMarkdown(name=f"SHA256 {sha256} Antivirus reputation:", t=response,
removeNull=True)
except Exception as err:
if 'Error in API call [404] - Not Found' in str(err):
response = {}
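Review bot: The change itself is only a line wrap, but the context line `if 'Error in API call [404] - Not Found' in str(err):` matches a different substring than the new handler in signature_search_results, which checks for `'Not Found'` alone; pick one convention for both handlers (ideally keyed on the status code rather than message text) so a change in the client's error message format does not silently disable one of them.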
Expand Down Expand Up @@ -453,7 +454,7 @@ def antispyware_signature_search(client: Client, args: dict) -> CommandResults:
)


def signature_search_results(client: Client, args: dict) -> CommandResults:
def signature_search_results(client: Client, args: dict):
"""Retrieve signature search results.

Args:
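Review bot: Dropping the `-> CommandResults` annotation hides the real change, which is that the function can now return None on the not-found path; annotate it as `Optional[CommandResults]` and return None explicitly on that path so type checkers and the caller see both outcomes, or keep the original annotation and return a CommandResults that carries the warning text.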
Expand All @@ -466,27 +467,32 @@ def signature_search_results(client: Client, args: dict) -> CommandResults:
search_request_id = str(args.get('search_request_id', ''))
search_type = str(args.get('search_type', ''))

response = client.signature_search_results_request(search_type, search_request_id)

outputs = response
outputs.update({'search_request_id': search_request_id})
if response.get('status') == 'submitted': # search was not completed
readable_output = f'Search {search_request_id} is still in progress.'
else:
headers = ['signatureId', 'signatureName', 'domainName', 'cve', 'signatureType', 'status', 'category',
'firstReleaseTime', 'latestReleaseTime']
outputs.update({'status': 'completed'})
title = f'Signature search are showing {outputs.get("page_count")} of {outputs.get("total_count")} results:'
readable_output = tableToMarkdown(name=title, t=outputs.get('signatures'),
headers=headers, removeNull=True)
try:
response = client.signature_search_results_request(search_type, search_request_id)

return CommandResults(
outputs_prefix=f'{client.name}.Search',
outputs_key_field='search_request_id',
outputs=outputs,
readable_output=readable_output,
raw_response=response
)
outputs = response
outputs.update({'search_request_id': search_request_id})
if response.get('status') == 'submitted': # search was not completed
readable_output = f'Search {search_request_id} is still in progress.'
else:
headers = ['signatureId', 'signatureName', 'domainName', 'cve', 'signatureType', 'status', 'category',
'firstReleaseTime', 'latestReleaseTime']
outputs.update({'status': 'completed'})
title = f'Signature search are showing {outputs.get("page_count")} of {outputs.get("total_count")} results:'
readable_output = tableToMarkdown(name=title, t=outputs.get('signatures'),
headers=headers, removeNull=True)
return CommandResults(
outputs_prefix=f'{client.name}.Search',
outputs_key_field='search_request_id',
outputs=outputs,
readable_output=readable_output,
raw_response=response
)
except Exception as err:
if 'Not Found' in str(err):
return_warning(f'Search request ID {search_request_id} was not found.')
else:
raise


def test_module(client: Client, *_) -> str:
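Review bot: The try block wraps far more than the API call: `outputs.update(...)`, the title f-string and `tableToMarkdown(...)` all sit inside it, so any bug there (for example a KeyError on an unexpected response shape) is swallowed by the broad `except Exception` and, if its text happens to contain "Not Found", reported as a warning about a missing search ID; narrow the try to `response = client.signature_search_results_request(search_type, search_request_id)` and let the output building run after it. Two smaller points in the same hunk: `outputs = response` followed by `outputs.update(...)` mutates the API response in place, so `raw_response=response` no longer holds the raw payload (copy with `dict(response)` first), and the title "Signature search are showing" should read "Signature search is showing".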
Expand Up @@ -206,8 +206,22 @@ script:
outputs:
- contextPath: IP.Address
description: The IP address.
type: String
- contextPath: IP.Geo.Country
description: The country of the IP address.
type: String
- contextPath: DBotScore.Vendor
description: The vendor used to calculate the score.
type: String
- contextPath: DBotScore.Score
description: The actual score.
type: Number
- contextPath: DBotScore.Type
description: The indicator type.
type: String
- contextPath: DBotScore.Indicator
description: The indicator that was tested.
type: String
- arguments:
- default: false
description: The signature name to search.
Expand Down Expand Up @@ -357,7 +371,7 @@ script:
- contextPath: ThreatVault.Searchf.signatures
description: A list of all the signatures found for this specific search.
type: Unknown
dockerimage: demisto/python3:3.8.6.12176
dockerimage: demisto/python3:3.9.1.14969
isfetch: false
longRunning: false
longRunningPort: false
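Review bot: Unrelated to the image bump but visible in the context: `contextPath: ThreatVault.Searchf.signatures` does not match the `outputs_prefix=f'{client.name}.Search'` used in signature_search_results, so "Searchf" looks like a typo and the documented path for the signatures output will not resolve where the YAML says; fix it while this file is being touched. For the bump from demisto/python3:3.8.6.12176 to demisto/python3:3.9.1.14969, confirm the unit tests were run on the new image.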
6 changes: 6 additions & 0 deletions Packs/PaloAltoNetworks_Threat_Vault/ReleaseNotes/1_0_2.md
@@ -0,0 +1,6 @@

#### Integrations
##### Palo Alto Networks Threat Vault
- Handle errors in the command ***threatvault-signature-search-results*** gracefully.
- Added missing outputs in the ***ip*** command.
- Upgraded the docker image to: *demisto/python3:3.9.1.14969*.
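Review bot: The first bullet should state what the new behaviour is (a warning instead of an error when the search request ID is not found) so readers of the release notes know the command no longer fails on an unknown ID.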
11 changes: 8 additions & 3 deletions Packs/PaloAltoNetworks_Threat_Vault/pack_metadata.json
Expand Up @@ -2,7 +2,7 @@
"name": "Palo Alto Networks Threat Vault",
"description": "Use the Palo Alto Networks Threat Vault to research the latest threats (vulnerabilities/exploits, viruses, and spyware) that Palo Alto Networks next-generation firewalls can detect and prevent.",
"support": "xsoar",
"currentVersion": "1.0.1",
"currentVersion": "1.0.2",
"author": "Cortex XSOAR",
"url": "https://www.paloaltonetworks.com/cortex",
"email": "",
Expand All @@ -12,11 +12,16 @@
],
"tags": [],
"useCases": [],
"keywords": ["logs", "antispyware", "antivirus", "pan-os"],
"keywords": [
"logs",
"antispyware",
"antivirus",
"pan-os"
],
"dependencies": {
"CommonScripts": {
"mandatory": true,
"display_name": "Common Scripts"
}
}
}
}