- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
Content translations are temporarily unavailable due to site maintenance. We apologize for any inconvenience. Visit our blog to learn more.
07-02-2024 01:25 AM
Hello
i plan to implement a custom integration which fetches IP Indicators. So far so good i was able to create the indicators with no issue. However i would like to update some fields eg. Hostname and also some custom fields like a Gridfield of Vulnerabilities.
But for some reason i can't update any field by side the verdict.
Thats my function:
def fetch_indicators(client: Client, reportName: str, firstFetch: str = '3 days'):
indicators = []
last_run = demisto.getLastRun()
if not last_run:
last_run = {}
if 'scan_id' not in last_run:
# get timestamp in seconds
last_id = 0
else:
last_id = int(last_run['scan_id'])
demisto.debug(f"Looking for scans since ID:{last_id}")
scans = client.list_scans()["response"]
scans = sorted(get_elements(scans, "true"), key=lambda x: x['id'], reverse=True)
if len(scans) == 0 or int(scans[0]['id']) <= last_id:
# scan id is same or lower as the last run (lower shouldn't apear at all tbh)
# however we can skip this run
demisto.debug(f"Didn't found a new ID doing nothing. {last_id=}, max_id={scans[0]['id']}, lowest_id={scans[-1]['id']}")
return
demisto.debug(f"found a new scan since last update. downloading the report")
results = client.download_report(scans[0]['id'])
#loop over all rows of the report. it contains each vuln for each ip, so we need a dict where we can access the ip easily.
vulns = {}
for r in results:
if r["IP Address"] not in vulns:
vulns[r["IP Address"]] = []
vulns[r["IP Address"]].append({
"Name": r["Plugin Name"], # use Value
"Severity": r["Severity"], # use Severity
"Solution": r["Solution"], # use Solution
"Descirption": r["Description"], # use short description
"CVEs": r["CVE"].split(","), # new
"CVSS Score": r["CVSS V3 Base Score"], # use CVSS Score
"CVSS Vector": r["CVSS V3 Vector"], # use CVSS Vectore
"CVSS Version": "V3", # use CVSS Version
"Exploitable": r["Exploit?"], # new
"Discovered": r["First Discovered"], #new
"LastObserved": r["Last Observed"], #new
"Synopsis": r["Synopsis"], #new
"FurtherInfo": r["See Also"] #new
})
demisto.debug("Vulnerabilites mapped to the IPs")
demisto.debug(json.dumps(vulns))
indicators = generate_indicator(vulns)
demisto.debug("Vulns converted to IP indicators")
demisto.setLastRun({'scan_id': int(scans[0]['id'])})
for b in batch(indicators, batch_size=2000):
demisto.createIndicators(b)
demisto.debug("Should have created new IP indicators")
def generate_indicator(vulns: Dict[str, any]):
integration_name = get_integration_name()
ips = []
for ip in vulns:
score = Common.DBotScore(indicator=ip, indicator_type=DBotScoreType.IP, integration_name="Tenable.sc", score=0)
ip_obj = Common.IP(ip=ip,hostname="TenableIP",updated_date=datetime.now(),dbot_score=score)
ip_obj["customFields"] = {'vulnerabilityinformations': vulns[ip]}
ips.append(ip_obj)
demisto.debug(f"Final Indciator Objects: {json.dumps(ips)}")
return ips
currently i get the error message
"Exception: Failed to execute fetch-indicators command. Error: 'IP' object does not support item assignment"
Thats because i assign just the ["customFields"] key in the IP Object.
Does anybody has done this?
Yes, i know that there is a Tenanble.sc Integration, however this default integration don't offers the option to fetch indicators.
Greetings
07-03-2024 07:48 AM
@JBoehm, you will need to create first a new indicator field called vulnerabilityinformations and then add it as a custom field to the IP indicator type in the indicator type profile settings (https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Indicator...). Once it's there, you should be able to create the mapping to the field vulnerabilityinformations in your code.
07-03-2024 11:11 PM
@AbelSantamarina
I did this, as you can see here
its a grid field type indicator field on our IP indicators. However i can't just append the key to IP object because the error i mentioned in the inital post.
"Exception: Failed to execute fetch-indicators command. Error: 'IP' object does not support item assignment"
To create the mapping is basically my question, how do i do this? If i look in the common server python file on github, i cant see a way to fill up customFields to an indicator on creation. But there is no command which would update an indicator from an integration script.
So even if i would create the Indicator, then search it and add my custom field. I wouldnt be able to update the Indicator.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!