
Commit b470897

content-botdavidt99davidt99kgal-panJasBeilin
authored
feat(intezer): add phishing email playbook, deprecates scan host (demisto#21117)
Co-authored-by: davidt99 <[email protected]> Co-authored-by: davidt99 <[email protected]> Co-authored-by: Kobbi Gal <[email protected]> Co-authored-by: kgal-pan <[email protected]> Co-authored-by: Jas Beilin <[email protected]> Co-authored-by: Jasmine Beilin <[email protected]>
1 parent c994717 commit b470897

22 files changed

Lines changed: 1245 additions & 424 deletions

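--- a/Packs/Intezer/Integrations/IntezerV2/IntezerV2.py
+++ b/Packs/Intezer/Integrations/IntezerV2/IntezerV2.py
@@ -1,14 +1,13 @@
 from collections import defaultdict
 from http import HTTPStatus
 from typing import Callable
-from typing import Dict
-from typing import List
 from typing import Tuple
 
 from intezer_sdk import consts
 from intezer_sdk.analysis import FileAnalysis
 from intezer_sdk.analysis import UrlAnalysis
 from intezer_sdk.api import IntezerApi
+from intezer_sdk.endpoint_analysis import EndpointAnalysis
 from intezer_sdk.errors import AnalysisIsAlreadyRunning
 from intezer_sdk.errors import AnalysisIsStillRunning
 from intezer_sdk.errors import FamilyNotFoundError
@@ -82,19 +81,30 @@ def _get_missing_analysis_result(analysis_id: str, sub_analysis_id: str = None)
 )
 
 
+def _get_missing_endpoint_analysis_result(analysis_id: str) -> CommandResults:
+output = f'Could not find the endpoint analysis \'{analysis_id}\''
+
+return CommandResults(
+readable_output=output
+)
+
+
 def _get_missing_family_result(family_id: str) -> CommandResults:
 return CommandResults(
 readable_output=f'The Family {family_id} was not found on Intezer Analyze'
 )
 
 
-def _get_analysis_running_result(analysis_id: str = None, response: requests.Response = None) -> CommandResults:
+def _get_analysis_running_result(analysis_type: str,
+analysis_id: str = None,
+response: requests.Response = None) -> CommandResults:
 if response:
 analysis_id = response.json()['result_url'].split('/')[2]
 
 context_json = {
 'ID': analysis_id,
-'Status': 'InProgress'
+'Status': 'InProgress',
+'Type': analysis_type
 }
 
 return CommandResults(
@@ -135,7 +145,7 @@ def analyze_by_hash_command(intezer_api: IntezerApi, args: Dict[str, str]) -> Co
 context_json = {
 'ID': analysis.analysis_id,
 'Status': 'Created',
-'type': 'File'
+'Type': 'File'
 }
 
 return CommandResults(
@@ -147,7 +157,7 @@ def analyze_by_hash_command(intezer_api: IntezerApi, args: Dict[str, str]) -> Co
 except HashDoesNotExistError:
 return _get_missing_file_result(file_hash)
 except AnalysisIsAlreadyRunning as error:
-return _get_analysis_running_result(response=error.response)
+return _get_analysis_running_result(analysis_type='File', response=error.response)
 
 
 def analyze_url_command(intezer_api: IntezerApi, args: Dict[str, str]) -> CommandResults:
@@ -165,7 +175,7 @@ def analyze_url_command(intezer_api: IntezerApi, args: Dict[str, str]) -> Comman
 context_json = {
 'ID': analysis.analysis_id,
 'Status': 'Created',
-'type': 'Url'
+'Type': 'Url'
 }
 
 return CommandResults(
@@ -175,7 +185,7 @@ def analyze_url_command(intezer_api: IntezerApi, args: Dict[str, str]) -> Comman
 readable_output='Analysis created successfully: {}'.format(analysis_id)
 )
 except AnalysisIsAlreadyRunning as error:
-return _get_analysis_running_result(response=error.response)
+return _get_analysis_running_result('Url', response=error.response)
 except ServerError as ex:
 return _get_missing_url_result(url, ex)
 
@@ -200,13 +210,13 @@ def analyze_by_uploaded_file_command(intezer_api: IntezerApi, args: dict) -> Com
 file_data = demisto.getFilePath(file_id)
 
 try:
-analysis = FileAnalysis(file_path=file_data['path'], api=intezer_api)
+analysis = FileAnalysis(file_path=file_data['path'], file_name=file_data['name'], api=intezer_api)
 analysis.send(requester=REQUESTER)
 
 context_json = {
 'ID': analysis.analysis_id,
 'Status': 'Created',
-'type': 'File'
+'Type': 'File'
 }
 
 return CommandResults(
@@ -216,7 +226,7 @@ def analyze_by_uploaded_file_command(intezer_api: IntezerApi, args: dict) -> Com
 readable_output='Analysis created successfully: {}'.format(analysis.analysis_id)
 )
 except AnalysisIsAlreadyRunning as error:
-return _get_analysis_running_result(response=error.response)
+return _get_analysis_running_result('File', response=error.response)
 
 
 def check_analysis_status_and_get_results_command(intezer_api: IntezerApi, args: dict) -> List[CommandResults]:
@@ -230,8 +240,11 @@ def check_analysis_status_and_get_results_command(intezer_api: IntezerApi, args:
 for analysis_id in analysis_ids:
 try:
 if analysis_type == 'Endpoint':
-response = intezer_api.get_url_result(f'/endpoint-analyses/{analysis_id}')
-analysis_result = response.json()['result']
+analysis = EndpointAnalysis.from_analysis_id(analysis_id, intezer_api)
+if not analysis:
+command_results.append(_get_missing_endpoint_analysis_result(analysis_id))
+continue
+analysis_result = analysis.result()
 elif analysis_type == 'Url':
 analysis = UrlAnalysis.from_analysis_id(analysis_id, api=intezer_api)
 if not analysis:
@@ -259,13 +272,13 @@ def check_analysis_status_and_get_results_command(intezer_api: IntezerApi, args:
 
 except HTTPError as http_error:
 if http_error.response.status_code == HTTPStatus.CONFLICT:
-command_results.append(_get_analysis_running_result(analysis_id=analysis_id))
+command_results.append(_get_analysis_running_result(analysis_type, analysis_id=analysis_id))
 elif http_error.response.status_code == HTTPStatus.NOT_FOUND:
 command_results.append(_get_missing_analysis_result(analysis_id))
 else:
 raise http_error
 except AnalysisIsStillRunning:
-command_results.append(_get_analysis_running_result(analysis_id=analysis_id))
+command_results.append(_get_analysis_running_result(analysis_type, analysis_id=analysis_id))
 
 return command_results
 
@@ -278,7 +291,7 @@ def get_analysis_sub_analyses_command(intezer_api: IntezerApi, args: dict) -> Co
 if not analysis:
 return _get_missing_analysis_result(analysis_id=str(analysis_id))
 except AnalysisIsStillRunning:
-return _get_analysis_running_result(analysis_id=str(analysis_id))
+return _get_analysis_running_result('File', analysis_id=str(analysis_id))
 
 sub_analyses: List[SubAnalysis] = analysis.get_sub_analyses()
 
@@ -304,19 +317,14 @@ def get_analysis_code_reuse_command(intezer_api: IntezerApi, args: dict) -> Comm
 sub_analysis_id = args.get('sub_analysis_id', 'root')
 
 try:
-sub_analysis: SubAnalysis = SubAnalysis(analysis_id=sub_analysis_id,
-composed_analysis_id=analysis_id,
-sha256='',
-source='',
-extraction_info=None,
-api=intezer_api)
+sub_analysis: SubAnalysis = SubAnalysis.from_analysis_id(sub_analysis_id, analysis_id, api=intezer_api)
 
 sub_analysis_code_reuse = sub_analysis.code_reuse
 except HTTPError as error:
 if error.response.status_code == HTTPStatus.NOT_FOUND:
 return _get_missing_analysis_result(analysis_id=str(analysis_id))
 elif error.response.status_code == HTTPStatus.CONFLICT:
-return _get_analysis_running_result(analysis_id=str(analysis_id))
+return _get_analysis_running_result('File', analysis_id=str(analysis_id))
 raise
 
 if not sub_analysis_code_reuse:
@@ -376,7 +384,7 @@ def get_analysis_metadata_command(intezer_api: IntezerApi, args: dict) -> Comman
 if error.response.status_code == HTTPStatus.NOT_FOUND:
 return _get_missing_analysis_result(analysis_id=str(analysis_id))
 elif error.response.status_code == HTTPStatus.CONFLICT:
-return _get_analysis_running_result(analysis_id=str(analysis_id))
+return _get_analysis_running_result('File', analysis_id=str(analysis_id))
 raise
 metadata_table = tableToMarkdown('Analysis Metadata', sub_analysis_metadata)
 
@@ -412,7 +420,7 @@ def get_analysis_iocs_command(intezer_api: IntezerApi, args: dict) -> CommandRes
 analysis = FileAnalysis.from_analysis_id(analysis_id, api=intezer_api)
 except HTTPError as error:
 if error.response.status_code == HTTPStatus.CONFLICT:
-return _get_analysis_running_result(analysis_id=str(analysis_id))
+return _get_analysis_running_result('File', analysis_id=str(analysis_id))
 raise
 
 if not analysis:
@@ -564,8 +572,7 @@ def enrich_dbot_and_display_url_analysis_results(intezer_result, intezer_api):
 'Type': 'Url',
 'Indicator': submitted_url,
 'Score': dbot_score_by_verdict.get(verdict, 0)
-}
-]
+}]
 
 if scanned_url != submitted_url:
 dbot.append({
@@ -575,7 +582,7 @@ def enrich_dbot_and_display_url_analysis_results(intezer_result, intezer_api):
 'Score': dbot_score_by_verdict.get(verdict, 0)
 })
 
-url = {'URL': submitted_url, 'Metadata': intezer_result, 'ExistsInIntezer': True}
+url = {'URL': submitted_url, 'Data': submitted_url, 'Metadata': intezer_result, 'ExistsInIntezer': True}
 
 if verdict == 'malicious':
 url['Malicious'] = {'Vendor': 'Intezer'}
@@ -697,7 +704,11 @@ def main():
 use_ssl = not demisto.params().get('insecure', False)
 analyze_base_url = intezer_base_url_param or consts.BASE_URL
 
-intezer_api = IntezerApi(consts.API_VERSION, intezer_api_key, analyze_base_url, use_ssl)
+intezer_api = IntezerApi(consts.API_VERSION,
+intezer_api_key,
+analyze_base_url,
+use_ssl,
+user_agent=get_pack_version())
 
 command_handlers: Dict[str, Callable[[IntezerApi, dict], Union[List[CommandResults], CommandResults, str]]] = {
 'test-module': check_is_available,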
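Review bot: In the Endpoint branch of check_analysis_status_and_get_results_command the new line `analysis = EndpointAnalysis.from_analysis_id(analysis_id, intezer_api)` passes the client positionally while the Url branch below uses `api=intezer_api`; writing it as `analysis = EndpointAnalysis.from_analysis_id(analysis_id, api=intezer_api)` keeps the two branches consistent and stops relying on the SDK's positional parameter order, which this diff does not show. The first hunk drops `from typing import Dict` and `from typing import List` although `Dict[str, str]`, `List[CommandResults]` and the `Dict[str, Callable[...]]` annotation in main() remain in the context lines; presumably those names now come from a star import earlier in the file, which is worth confirming before merge. `analysis_type` is assigned outside the hunk and is now echoed into the context as `'Type'`; if it is read straight from the command args, checking it against the handled values before the loop would keep an unexpected value from silently taking the fallback branch. The new `_get_missing_endpoint_analysis_result` and the widened `_get_analysis_running_result` signature carry no docstring; a one-liner such as `"""Return the CommandResults reported while an analysis of *analysis_type* is still in progress."""` would help. The enclosing function starts and ends outside the hunk.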
