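# Automation: AbuseIPDBPopulateIndicators
# Pulls the AbuseIPDB blacklist through the integration command
# abuseipdb-get-blacklist and creates one "ip" indicator per returned address,
# tagged with source AbuseIPDB and reputation "Bad".
args:
- defaultValue: "30"
  description: Time range to return reports for (in days), default is 30
  name: days
- defaultValue: "200"
  # Description kept in sync with defaultValue (was stated as 50 while the
  # effective default is 200).
  description: Maximum number of IPs to retrieve, default is 200
  name: limit
comment: Extracts blacklisted IP addresses from AbuseIPDB, and Populates Indicators accordingly.
commonfields:
  id: AbuseIPDBPopulateIndicators
  version: -1
dependson:
  must:
  - '|||abuseipdb-get-blacklist'
  - Builtin|||createNewIndicator
enabled: true
name: AbuseIPDBPopulateIndicators
# Runs with the weak role: this script only needs to call the two commands
# listed in dependson, so no elevated role is required.
runas: DBotWeakRole
runonce: false
script: |-
  BLACKLISTED = "Bad"
  res = demisto.executeCommand("abuseipdb-get-blacklist", {
      "days": demisto.args().get("days"),
      "limit": demisto.args().get("limit")
  })
  # An empty result list or an error entry from the integration (bad API key,
  # connectivity failure, ...) must be handled before 'Contents' is read,
  # otherwise the script dies with an IndexError/KeyError instead of a clear
  # message. return_error() stops the script here.
  if not res or isError(res[0]):
      return_error("No Indicators were created (possibly bad API key)")
  ips = res[0]['Contents']
  # The integration may hand back a rate-limit text instead of an IP list;
  # treat that, and an empty list, as "nothing to create".
  if not ips or "Too many requests" in ips:
      return_error("No Indicators were created (possibly bad API key)")
  # Extract IPs into new Indicators, one createNewIndicator call per address.
  for ip in ips:
      demisto.executeCommand("createNewIndicator", {
          "type": 'ip',
          "value": ip,
          "source": 'AbuseIPDB',
          "reputation": BLACKLISTED,
          "seenNow": "true",
      })
  # NOTE: individual createNewIndicator results are not inspected; a failure
  # on one address does not change this message.
  demisto.results("All Indicators were created successfully")
scripttarget: 0
system: true
tags: []
timeout: 900ns
type: python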