enable automation on artifacts
DNRRomero committed Dec 18, 2024
1 parent da9393a commit 4faf782
Showing 3 changed files with 44 additions and 37 deletions.
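--- a/release_notes/3.6.1.md
+++ b/release_notes/3.6.1.md
@@ -0,0 +1 @@
+* Enabled automations for created artifacts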
6 changes: 4 additions & 2 deletions zerofox.json
Expand Up @@ -15,7 +15,7 @@
"name": "Diego Ramirez"
},
{
"name": "Felipe Garrido"
"name": "Leonardo de Requesens"
}
],
"license": "Copyright (c) ZeroFox, 2024",
Expand All @@ -26,7 +26,9 @@
"min_phantom_version": "6.1.1",
"fips_compliant": false,
"app_wizard_version": "1.0.0",
"pip_dependencies": {},
"pip_dependencies": {
"wheel": []
},
"configuration": {
"zerofox_api_token": {
"description": "ZeroFox API Token",
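Review bot: The second hunk turns `"pip_dependencies": {}` into a block with an empty `"wheel": []` list, and nothing in the commit title or the one-line release note explains it, so a reader cannot tell whether bundled wheels were meant to be listed here or the key is merely required by the app packager. If no vendored wheels are intended, state that in the release note with a line such as `* pip_dependencies.wheel declared explicitly (no bundled wheels)`; if wheels are expected, list each one with its input file so the shipped app package is reproducible and auditable. The surrounding `"fips_compliant": false` and `"min_phantom_version"` lines are unchanged context.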
74 changes: 39 additions & 35 deletions zerofox_connector.py
Expand Up @@ -102,13 +102,14 @@ def build_artifact(self, container_id, alert):
artifact["label"] = "alert"
artifact["name"] = alert["rule_name"]
artifact["description"] = alert["offending_content_url"]
artifact["severity"] = self._phantom_severity_transform(alert["severity"])
artifact["severity"] = self._phantom_severity_transform(
alert["severity"])
artifact["label"] = "event"
artifact["type"] = alert["network"]
artifact["tags"] = [alert["network"]]
artifact["start_time"] = now.strftime("%Y-%m-%dT%H:%M:%S.%fZ")
artifact["source_data_identifier"] = alert["id"]
artifact["run_automation"] = False
artifact["run_automation"] = True

# get screenshot from metadata
try:
Expand Down Expand Up @@ -196,12 +197,15 @@ def prepare_alert_container(self, alert):
"alert_url"
] = f"https://cloud.zerofox.com/alerts/{alert['id']}"

container["severity"] = self._phantom_severity_transform(alert["severity"])
container["severity"] = self._phantom_severity_transform(
alert["severity"])
container["source_data_identifier"] = alert["id"]
container["asset_name"] = alert["entity"]["name"]
container["tags"] = alert["tags"]
date_time_obj = datetime.strptime(alert["timestamp"], "%Y-%m-%dT%H:%M:%S+00:00")
container["start_time"] = date_time_obj.strftime("%Y-%m-%dT%H:%M:%S.%fZ")
date_time_obj = datetime.strptime(
alert["timestamp"], "%Y-%m-%dT%H:%M:%S+00:00")
container["start_time"] = date_time_obj.strftime(
"%Y-%m-%dT%H:%M:%S.%fZ")
container["ingest_app_id"] = self.app_id

return container
Expand Down Expand Up @@ -426,7 +430,8 @@ def _save_alert(self, alert):
def _on_poll(self, param):
# Implement the handler here
# use self.save_progress(...) to send progress messages back to the platform
self.save_progress(f"In action handler for: {self.get_action_identifier()}")
self.save_progress(
f"In action handler for: {self.get_action_identifier()}")

self.debug_print(f"Param: {param}")

Expand All @@ -446,7 +451,8 @@ def _on_poll(self, param):

else:
self.save_progress("Start to create alerts")
self.save_progress(f"incident interval_days: {self._history_days_interval}")
self.save_progress(
f"incident interval_days: {self._history_days_interval}")

history_date = datetime.utcnow() - timedelta(
int(self._history_days_interval)
Expand All @@ -455,7 +461,8 @@ def _on_poll(self, param):
# reformat date to use with last_modified_min_date
interval_startdate = history_date.strftime("%Y-%m-%d %H:%M:%S")

self.save_progress(f"incident interval_startdate: {interval_startdate}")
self.save_progress(
f"incident interval_startdate: {interval_startdate}")

alert_types = []
alert_types.append({"type": "ALL", "subTypes": "ALL"})
Expand Down Expand Up @@ -580,16 +587,19 @@ def _on_poll(self, param):
self.debug_print(f"alert_id: {alert_id}")

# create container
status, message, container_id = self._save_alert(alert)
status, message, container_id = self._save_alert(
alert)

if status == phantom.APP_SUCCESS:
num_processed += 1
self.save_progress(
f"ZeroFOX Alert {alert_id} ingested ({num_processed} of {alert_total})"
)
else:
self.error_print(f"Did not ingest alert {alert_id}")
action_result.set_status(phantom.APP_ERROR, message)
self.error_print(
f"Did not ingest alert {alert_id}")
action_result.set_status(
phantom.APP_ERROR, message)
self.add_action_result(action_result)
return action_result.get_status()

Expand Down Expand Up @@ -627,7 +637,8 @@ def _get_alert_by_id(self, param):
action_result = ActionResult(dict(param))
self.add_action_result(action_result)
self.debug_print(
"Initial action_result dictionary: {}".format(action_result.get_dict())
"Initial action_result dictionary: {}".format(
action_result.get_dict())
)

alert_id = param.get("alert_id", 0.0)
Expand Down Expand Up @@ -688,7 +699,8 @@ def _get_alert_by_id(self, param):
def _modify_alert_tag(self, param):
# Implement the handler here
# use self.save_progress(...) to send progress messages back to the platform
self.save_progress(f"In action handler for: {self.get_action_identifier()}")
self.save_progress(
f"In action handler for: {self.get_action_identifier()}")

self.debug_print(f"Param: {param}")

Expand Down Expand Up @@ -750,18 +762,15 @@ def _modify_alert_tag(self, param):
# Return success, no need to set the message, only the status
self.save_progress("Alert Tag Passed")

self.debug_print(
"-------------------------------------------------------------"
)
self.debug_print("%s response: %s" % (self._banner, response))
self.debug_print(
"-------------------------------------------------------------"
)
self.debug_print("--------------------")
self.debug_print(f"{self._banner} response: {response}")
self.debug_print("--------------------")

return action_result.set_status(phantom.APP_SUCCESS)

def _threat_submit(self, param):
self.save_progress(f"In action handler for: {self.get_action_identifier()}")
self.save_progress(
f"In action handler for: {self.get_action_identifier()}")

self.debug_print(f"Param: {param}")

Expand Down Expand Up @@ -825,13 +834,10 @@ def _threat_submit(self, param):
# Return success, no need to set the message, only the status
self.save_progress("Threat Submit Passed")

self.debug_print(
"-------------------------------------------------------------"
)
self.debug_print("--------------------")

self.debug_print("%s response: %s" % (self._banner, response))
self.debug_print(
"-------------------------------------------------------------"
)
self.debug_print("--------------------")

return action_result.set_status(phantom.APP_SUCCESS)

Expand Down Expand Up @@ -920,7 +926,8 @@ def _modify_notes(self, param):
def _take_alert_action(self, param):
# Implement the handler here
# use self.save_progress(...) to send progress messages back to the platform
self.save_progress(f"In action handler for: {self.get_action_identifier()}")
self.save_progress(
f"In action handler for: {self.get_action_identifier()}")

self.debug_print(f"Param: {param}")

Expand Down Expand Up @@ -973,13 +980,9 @@ def _take_alert_action(self, param):
# Return success, no need to set the message, only the status
self.save_progress("Alert Action Passed")

self.debug_print(
"-------------------------------------------------------------"
)
self.debug_print("--------------------")
self.debug_print("%s response: %s" % (self._banner, response))
self.debug_print(
"-------------------------------------------------------------"
)
self.debug_print("--------------------")

return action_result.set_status(phantom.APP_SUCCESS)

Expand Down Expand Up @@ -1104,7 +1107,8 @@ def finalize(self):
headers["Referer"] = login_url

print("Logging into Platform to get the session id")
r2 = requests.post(login_url, verify=verify, data=data, headers=headers)
r2 = requests.post(login_url, verify=verify,
data=data, headers=headers)
session_id = r2.cookies["sessionid"]
except Exception as e:
print(f"Unable to get session id from the platform. Error: {e}")
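Review bot: Setting `artifact["run_automation"] = True` in the first hunk of build_artifact means every artifact this method emits now triggers active playbooks with no operator gate, while the artifact's name, description, type and tags are copied verbatim from the alert dict (`rule_name`, `offending_content_url`, `network`), i.e. from content the flagged party controls. Any playbook that acts on those fields, such as fetching or blocking the offending URL, will now run unattended on that input, and operators upgrading from the previous `False` default get the change silently since the release note is a single line. Consider gating it behind an app setting rather than a hard-coded literal: a boolean `run_automation` entry in the `configuration` block of zerofox.json defaulting to the prior `False`, read once in initialize and applied here as `artifact["run_automation"] = self._run_automation`, with a docstring on build_artifact stating that automation fires per artifact when enabled. build_artifact starts at the hunk header and its body continues beyond the hunk, so the screenshot handling after `# get screenshot from metadata` was not reviewed.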
