Fetch Indicator Integration


L1 Bithead

Hello 

I plan to implement a custom integration which fetches IP indicators. So far, so good: I was able to create the indicators with no issue. However, I would like to update some fields, e.g. Hostname, and also some custom fields like a grid field of vulnerabilities.

But for some reason I can't update any field besides the verdict.

That's my function:

import json
from datetime import datetime
from typing import Any, Dict

import demistomock as demisto
from CommonServerPython import *  # Common, DBotScoreType, batch; Client and get_elements come from the integration itself


def fetch_indicators(client: Client, reportName: str, firstFetch: str = '3 days'):
    last_run = demisto.getLastRun() or {}
    # ID of the last scan we processed; 0 on the very first run
    last_id = int(last_run.get('scan_id', 0))

    demisto.debug(f"Looking for scans since ID:{last_id}")
    scans = client.list_scans()["response"]
    # sort numerically: IDs arrive as strings, and a plain string sort would put "9" after "10"
    scans = sorted(get_elements(scans, "true"), key=lambda x: int(x['id']), reverse=True)

    if len(scans) == 0 or int(scans[0]['id']) <= last_id:
        # scan id is the same as or lower than the last run (lower shouldn't appear at all tbh),
        # either way we can skip this run
        if scans:
            demisto.debug(f"Didn't find a new ID, doing nothing. {last_id=}, max_id={scans[0]['id']}, lowest_id={scans[-1]['id']}")
        else:
            demisto.debug(f"No scans returned, doing nothing. {last_id=}")
        return

    demisto.debug("Found a new scan since last update, downloading the report")
    results = client.download_report(scans[0]['id'])
    # loop over all rows of the report. it contains each vuln for each ip, so we build a dict keyed by ip
    vulns: Dict[str, Any] = {}
    for r in results:
        vulns.setdefault(r["IP Address"], []).append({
            "Name": r["Plugin Name"],  # use Value
            "Severity": r["Severity"],  # use Severity
            "Solution": r["Solution"],  # use Solution
            "Description": r["Description"],  # use short description
            "CVEs": [c.strip() for c in r["CVE"].split(",") if c.strip()],  # new; gives [] instead of [""] when the column is empty
            "CVSS Score": r["CVSS V3 Base Score"],  # use CVSS Score
            "CVSS Vector": r["CVSS V3 Vector"],  # use CVSS Vector
            "CVSS Version": "V3",  # use CVSS Version
            "Exploitable": r["Exploit?"],  # new
            "Discovered": r["First Discovered"],  # new
            "LastObserved": r["Last Observed"],  # new
            "Synopsis": r["Synopsis"],  # new
            "FurtherInfo": r["See Also"]  # new
        })

    demisto.debug("Vulnerabilities mapped to the IPs")
    demisto.debug(json.dumps(vulns))
    indicators = generate_indicator(vulns)
    demisto.debug("Vulns converted to IP indicators")
    for b in batch(indicators, batch_size=2000):
        demisto.createIndicators(b)
    # advance the checkpoint only after the indicators were actually created,
    # otherwise a failed run would silently skip this scan forever
    demisto.setLastRun({'scan_id': int(scans[0]['id'])})
    demisto.debug("Should have created new IP indicators")


def generate_indicator(vulns: Dict[str, Any]):
    ips = []
    for ip in vulns:
        score = Common.DBotScore(indicator=ip, indicator_type=DBotScoreType.IP, integration_name="Tenable.sc", score=0)
        ip_obj = Common.IP(ip=ip, hostname="TenableIP", updated_date=datetime.now(), dbot_score=score)
        # this is the line that raises "'IP' object does not support item assignment"
        ip_obj["customFields"] = {'vulnerabilityinformations': vulns[ip]}
        ips.append(ip_obj)

    demisto.debug(f"Final indicator objects: {len(ips)}")  # Common.IP objects are not JSON serializable
    return ips

Currently I get the error message
"Exception: Failed to execute fetch-indicators command. Error: 'IP' object does not support item assignment"

That's because I just assign the ["customFields"] key on the IP object.

Has anybody done this?

Yes, I know that there is a Tenable.sc integration; however, this default integration doesn't offer the option to fetch indicators.

Greetings


L3 Networker

@JBoehm, you will first need to create a new indicator field called vulnerabilityinformations and then add it as a custom field to the IP indicator type in the indicator type profile settings (https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Indicator...). Once it's there, you should be able to create the mapping to the field vulnerabilityinformations in your code.

@AbelSantamarina
I did this, as you can see here:

JBoehm_0-1720073167418.png

It's a grid field type indicator field on our IP indicators. However, I can't just append the key to the IP object because of the error I mentioned in the initial post.

"Exception: Failed to execute fetch-indicators command. Error: 'IP' object does not support item assignment"

Creating the mapping is basically my question: how do I do this? If I look in the CommonServerPython file on GitHub, I can't see a way to fill customFields on an indicator at creation. And there is no command which would update an indicator from an integration script.

JBoehm_1-1720073447020.png

So even if I created the indicator, then searched for it and added my custom field, I wouldn't be able to update the indicator.
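Both the original question (how to fill customFields when the indicator is created) and this reply come down to the shape demisto.createIndicators() consumes: a plain dict per indicator with "value", "type", "score", "rawJSON" and "fields", where custom fields, the grid field included, go under "fields" keyed by the field's machine name; Common.IP is a CommandResults output class, not a feed-ingestion object. The block below is an added example, not code from the post or from the Tenable.sc integration; the Hostname machine name "hostname", the grid column keys and the report rows are assumptions and constructed samples.

```python
from typing import Any, Dict, List

# Constructed sample rows in the column layout the post reads from the Tenable report.
# The CVE ids are placeholders, the addresses are RFC 5737 documentation ranges.
SAMPLE_ROWS = [
    {"IP Address": "192.0.2.10", "Plugin Name": "Plugin A", "Severity": "High",
     "CVE": "CVE-0000-0001, CVE-0000-0002", "CVSS V3 Base Score": "8.1"},
    {"IP Address": "192.0.2.10", "Plugin Name": "Plugin B", "Severity": "Medium",
     "CVE": "", "CVSS V3 Base Score": "5.3"},
    {"IP Address": "192.0.2.11", "Plugin Name": "Plugin A", "Severity": "High",
     "CVE": "", "CVSS V3 Base Score": "8.1"},
]


def rows_to_vulns(rows: List[Dict[str, str]]) -> Dict[str, List[Dict[str, Any]]]:
    """Group report rows by IP; each row becomes one grid-field row for that IP."""
    vulns: Dict[str, List[Dict[str, Any]]] = {}
    for r in rows:
        vulns.setdefault(r["IP Address"], []).append({
            "Name": r["Plugin Name"],
            "Severity": r["Severity"],
            # "".split(",") yields [""], so drop empties to keep the grid clean
            "CVEs": [c.strip() for c in r["CVE"].split(",") if c.strip()],
            "CVSS Score": r["CVSS V3 Base Score"],
        })
    return vulns


def build_indicators(vulns: Dict[str, List[Dict[str, Any]]],
                     hostname: str = "TenableIP") -> List[Dict[str, Any]]:
    """Build the list that demisto.createIndicators() takes (batched in fetch-indicators)."""
    indicators = []
    for ip, rows in vulns.items():
        indicators.append({
            "value": ip,
            "type": "IP",        # same value as FeedIndicatorType.IP in CommonServerPython
            "score": 0,          # DBot score "None"; the verdict the post could already set
            "rawJSON": {"ip": ip, "vulnerabilities": rows},
            "fields": {          # custom fields, applied at creation time
                "hostname": hostname,                # assumed machine name of the Hostname field
                "vulnerabilityinformations": rows,   # grid field named in the post; keys = column keys (assumed)
            },
        })
    return indicators
```

In the integration, the returned list replaces the Common.IP objects from generate_indicator() and is passed to demisto.createIndicators() in batches exactly as the post already does.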
