Fetch Indicator Integration

JBoehm — Tue, 02 Jul 2024 08:25:11 GMT

Hello

i plan to implement a custom integration which fetches IP Indicators. So far so good i was able to create the indicators with no issue. However i would like to update some fields eg. Hostname and also some custom fields like a Gridfield of Vulnerabilities.

But for some reason i can't update any field by side the verdict.

Thats my function:

def fetch_indicators(client: Client, reportName: str, firstFetch: str = '3 days'): indicators = [] last_run = demisto.getLastRun() if not last_run: last_run = {} if 'scan_id' not in last_run: # get timestamp in seconds last_id = 0 else: last_id = int(last_run['scan_id']) demisto.debug(f"Looking for scans since ID:{last_id}") scans = client.list_scans()["response"] scans = sorted(get_elements(scans, "true"), key=lambda x: x['id'], reverse=True) if len(scans) == 0 or int(scans[0]['id']) <= last_id: # scan id is same or lower as the last run (lower shouldn't apear at all tbh) # however we can skip this run demisto.debug(f"Didn't found a new ID doing nothing. {last_id=}, max_id={scans[0]['id']}, lowest_id={scans[-1]['id']}") return demisto.debug(f"found a new scan since last update. downloading the report") results = client.download_report(scans[0]['id']) #loop over all rows of the report. it contains each vuln for each ip, so we need a dict where we can access the ip easily. vulns = {} for r in results: if r["IP Address"] not in vulns: vulns[r["IP Address"]] = [] vulns[r["IP Address"]].append({ "Name": r["Plugin Name"], # use Value "Severity": r["Severity"], # use Severity "Solution": r["Solution"], # use Solution "Descirption": r["Description"], # use short description "CVEs": r["CVE"].split(","), # new "CVSS Score": r["CVSS V3 Base Score"], # use CVSS Score "CVSS Vector": r["CVSS V3 Vector"], # use CVSS Vectore "CVSS Version": "V3", # use CVSS Version "Exploitable": r["Exploit?"], # new "Discovered": r["First Discovered"], #new "LastObserved": r["Last Observed"], #new "Synopsis": r["Synopsis"], #new "FurtherInfo": r["See Also"] #new }) demisto.debug("Vulnerabilites mapped to the IPs") demisto.debug(json.dumps(vulns)) indicators = generate_indicator(vulns) demisto.debug("Vulns converted to IP indicators") demisto.setLastRun({'scan_id': int(scans[0]['id'])}) for b in batch(indicators, batch_size=2000): demisto.createIndicators(b) demisto.debug("Should have created new IP indicators") def generate_indicator(vulns: Dict[str, any]): integration_name = get_integration_name() ips = [] for ip in vulns: score = Common.DBotScore(indicator=ip, indicator_type=DBotScoreType.IP, integration_name="Tenable.sc", score=0) ip_obj = Common.IP(ip=ip,hostname="TenableIP",updated_date=datetime.now(),dbot_score=score) ip_obj["customFields"] = {'vulnerabilityinformations': vulns[ip]} ips.append(ip_obj) demisto.debug(f"Final Indciator Objects: {json.dumps(ips)}") return ips

currently i get the error message
"Exception: Failed to execute fetch-indicators command. Error: 'IP' object does not support item assignment"

Thats because i assign just the ["customFields"] key in the IP Object.

Does anybody has done this?

Yes, i know that there is a Tenanble.sc Integration, however this default integration don't offers the option to fetch indicators.

Greetings

Re: Fetch Indicator Integration

AbelSantamarina — Wed, 03 Jul 2024 14:48:58 GMT

@JBoehm, you will need to create first a new indicator field called vulnerabilityinformations and then add it as a custom field to the IP indicator type in the indicator type profile settings (https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Indicator-type-profile). Once it's there, you should be able to create the mapping to the field vulnerabilityinformations in your code.

Re: Fetch Indicator Integration

JBoehm — Thu, 04 Jul 2024 06:11:39 GMT

@AbelSantamarina
I did this, as you can see here

its a grid field type indicator field on our IP indicators. However i can't just append the key to IP object because the error i mentioned in the inital post.

"Exception: Failed to execute fetch-indicators command. Error: 'IP' object does not support item assignment"

To create the mapping is basically my question, how do i do this? If i look in the common server python file on github, i cant see a way to fill up customFields to an indicator on creation. But there is no command which would update an indicator from an integration script.

So even if i would create the Indicator, then search it and add my custom field. I wouldnt be able to update the Indicator.

topic Re: Fetch Indicator Integration in Cortex XSOAR Discussions

Fetch Indicator Integration

Re: Fetch Indicator Integration

Re: Fetch Indicator Integration