Group-IB hot fix integration #30878

Merged
Merged
This file was deleted.

@@ -1,8 +1,3 @@

import demistomock as demisto
from CommonServerPython import *
from CommonServerUserPython import *

""" IMPORTS """

import json
Expand Down Expand Up @@ -40,6 +35,9 @@
"add_fields": ["events.cnc.ipv4.asn", "events.cnc.ipv4.countryName", "events.cnc.ipv4.region"],
"add_fields_types": ["asn", "geocountry", "geolocation"]
},
{
"main_field": "events.client.ipv4.ip",
}
]
},
"compromised/card": {
Expand Down Expand Up @@ -430,14 +428,14 @@
STATUS_LIST_TO_RETRY = [429, 500]


class Client(BaseClient):

Check failure on line 431 in Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA.py


GitHub Actions / pre-commit

Ruff (F821)

Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA.py:431:14: F821 Undefined name `BaseClient`
"""
Client will implement the service API, and should not contain any Demisto logic.
Should only do requests and return data.
"""

def _create_update_generator(self, collection_name: str, max_requests: int,
date_from: Optional[str] = None, seq_update: Union[int, str] = None,
date_from: str | None = None, seq_update: int | str = None,
limit: int = 200) -> Generator:
"""
Creates generator of lists with feeds class objects for an update session
Expand All @@ -461,7 +459,7 @@
while True:
if requests_count >= max_requests:
break
session = requests.Session()

Check failure on line 462 in Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA.py


GitHub Actions / pre-commit

Ruff (F821)

Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA.py:462:23: F821 Undefined name `requests`
session.auth = HTTPBasicAuth(self._auth[0], self._auth[1])

session.headers["Accept"] = "*/*"
Expand Down Expand Up @@ -514,7 +512,7 @@
params = {'resultId': result_id}
else:
params = {'df': starting_date_from, 'dt': date_to}
params = assign_params(**params)

Check failure on line 515 in Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA.py


GitHub Actions / pre-commit

Ruff (F821)

Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA.py:515:30: F821 Undefined name `assign_params`
portion = self._http_request(method="GET", url_suffix=collection_name,
params=params, timeout=TIMEOUT, retries=RETRIES,
status_list_to_retry=STATUS_LIST_TO_RETRY)
Expand All @@ -525,7 +523,7 @@
params = {'resultId': result_id}
else:
params = {'df': starting_date_from, 'dt': date_to}
params = assign_params(**params)

Check failure on line 526 in Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA.py


GitHub Actions / pre-commit

Ruff (F821)

Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA.py:526:22: F821 Undefined name `assign_params`
portion = self._http_request(method="GET", url_suffix=collection_name,
params=params, timeout=TIMEOUT, retries=RETRIES,
status_list_to_retry=STATUS_LIST_TO_RETRY)
Expand Down Expand Up @@ -624,7 +622,7 @@
if not last_fetch:
date_from = dateparser.parse(kwargs.get("first_fetch_time")) # type: ignore
if date_from is None:
raise DemistoException('Inappropriate first_fetch format, '

Check failure on line 625 in Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA.py


GitHub Actions / pre-commit

Ruff (F821)

Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA.py:625:23: F821 Undefined name `DemistoException`
'please use something like this: 2020-01-01 or January 1 2020 or 3 days')
date_from = date_from.strftime('%Y-%m-%d') # type: ignore

Expand Down Expand Up @@ -666,12 +664,12 @@
result_id = None
while True:
params = {'df': date_from, 'dt': date_to, 'resultId': result_id, 'q': query}
params = assign_params(**params)

Check failure on line 667 in Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA.py


GitHub Actions / pre-commit

Ruff (F821)

Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA.py:667:22: F821 Undefined name `assign_params`
portion = self._http_request(method="GET", url_suffix=collection_name,
params=params, timeout=TIMEOUT, retries=RETRIES,
status_list_to_retry=STATUS_LIST_TO_RETRY)
if portion.get('count') > 2000:
raise DemistoException('Portion is too large (count > 2000), this can cause timeout in Demisto.'

Check failure on line 672 in Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA.py


GitHub Actions / pre-commit

Ruff (F821)

Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA.py:672:23: F821 Undefined name `DemistoException`
'Please, change or set date_from/date_to arguments or change query.')
if len(portion.get('items')) == 0:
break
Expand Down Expand Up @@ -814,8 +812,8 @@

output = parse_to_outputs(iocs, ioc_type, fields)
if output:
results = [CommandResults(

Check failure on line 815 in Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA.py


GitHub Actions / pre-commit

Ruff (F821)

Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA.py:815:24: F821 Undefined name `CommandResults`
readable_output=tableToMarkdown(f"{ioc_type} indicator", {"value": iocs, **fields}),

Check failure on line 816 in Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA.py


GitHub Actions / pre-commit

Ruff (F821)

Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA.py:816:33: F821 Undefined name `tableToMarkdown`
indicator=output,
ignore_auto_extract=True
)]
Expand All @@ -828,7 +826,7 @@
def calculate_dbot_score(type_):
severity = fields.get("severity")
if severity == "green":
score = Common.DBotScore.GOOD

Check failure on line 829 in Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA.py


GitHub Actions / pre-commit

Ruff (F821)

Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA.py:829:21: F821 Undefined name `Common`
elif severity == "orange":
score = Common.DBotScore.SUSPICIOUS
elif severity == "red":
Expand All @@ -839,7 +837,7 @@
return Common.DBotScore(
indicator=value,
indicator_type=type_,
integration_name="GIB TI",
integration_name="GIB TI&A",
score=score
)

Expand Down Expand Up @@ -1032,16 +1030,13 @@
:return: next_run will be last_run in the next fetch-incidents; incidents and indicators will be created in Demisto.
"""
incidents = []
next_run: dict[str, dict[str, Union[int, Any]]] = {"last_fetch": {}}
next_run: dict[str, dict[str, int | Any]] = {"last_fetch": {}}
for collection_name in incident_collections:
last_fetch = last_run.get("last_fetch", {}).get(collection_name)

portions = client.create_poll_generator(collection_name=collection_name, max_requests=requests_count,
last_fetch=last_fetch, first_fetch_time=first_fetch_time)
for portion, last_fetch in portions:
last_test = last_fetch
for last in last_test:
set(last)
for feed in portion:
mapping = MAPPING.get(collection_name, {})
if collection_name == "compromised/breached":
Expand Down Expand Up @@ -1086,7 +1081,7 @@
return next_run, incidents


def get_available_collections_command(client: Client):
def get_available_collections_command(client: Client, args):
"""
Returns list of available collections to context and War Room.

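Review bot: The first hunk (`@@ -1,8 +1,3 @@`) drops five header lines, and the pre-commit F821 annotations further down (`BaseClient`, `requests`, `assign_params`, `DemistoException`, `CommandResults`, `tableToMarkdown`, `Common`) are exactly the names that `from CommonServerPython import *` supplies, so it looks like the `import demistomock as demisto` / `from CommonServerPython import *` / `from CommonServerUserPython import *` lines are what was removed; unless a packaging step re-injects them, the module raises NameError at `class Client(BaseClient)` on import, and those three lines should be restored (with `# noqa: F401` if the linter complains about them being unused). In the `_create_update_generator` signature the modernised annotation `seq_update: int | str = None` keeps a default the type does not admit (the old `Union[int, str] = None` had the same gap); write `seq_update: int | str | None = None`. The `integration_name="GIB TI&A"` change in `calculate_dbot_score` renames the DBotScore vendor, which the context key is matched on, so indicators already scored as `GIB TI` will keep that entry alongside a new one rather than be updated — worth a sentence in the release notes. `_create_update_generator` and `calculate_dbot_score` both continue outside their hunks.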