Top malicious ratio indicators (#1750)

* Top malicious ratio indicators * Fix script schema validation * remove script schema validatiom * fix CR * add widget to display script results * add fromversion filter 0 malicious ratio * add widget from version * fix file format
demisto · Jul 24, 2018 · 5b90b82 · 5b90b82
1 parent 9d0900f
commit 5b90b82
Show file tree

Hide file tree

Showing 2 changed files with 119 additions and 0 deletions.
diff --git a/Scripts/script-TopMaliciousRatioIndicators.yml b/Scripts/script-TopMaliciousRatioIndicators.yml
@@ -0,0 +1,61 @@
+commonfields:
+  id: TopMaliciousRatioIndicators
+  version: -1
+name: TopMaliciousRatioIndicators
+fromversion: "4.0.0"
+script: |
+  from datetime import datetime, timedelta
+  import json, random
+
+  def select_indicator_columns(indicator):
+      display_indicator = {}
+      display_indicator['ID'] = indicator['id']
+      display_indicator['Type'] = indicator['indicator_type']
+      display_indicator['Malicious Ratio'] = '%.2f' % float(indicator['maliciousRatio'])
+      display_indicator['Value'] = indicator['value']
+      display_indicator['Last Seen'] = indicator['lastSeen']
+      return display_indicator
+
+  MAX_INDICATORS = int(demisto.args()['maxNumberOfIndicators'])
+  MIN_NUMBER_OF_INVS = int(demisto.args()['minimumNumberOfInvs'])
+  MAX_RESULTS = int(demisto.args()['maximumNumberOfResults'])
+
+  from_date = demisto.args().get('from', '"30 days ago"')
+  res = demisto.executeCommand("findIndicators", {'query':'lastSeen:>=%s' % from_date, 'size': MAX_INDICATORS})
+  indicators = res[0]['Contents']
+  indicators = [i for i in indicators if len(i.get('investigationIDs') or []) >= MIN_NUMBER_OF_INVS]
+  indicators_map = {}
+  for i in indicators:
+      indicators_map[i['id']] = i
+
+  res = demisto.executeCommand("maliciousRatio", {'id': ",".join(indicators_map.keys())})
+  malicious_ratio_result = res[0]['Contents']
+  for mr in malicious_ratio_result:
+      indicators_map[mr['indicatorId']]['maliciousRatio'] = mr['maliciousRatio']
+      indicators_map[mr['indicatorId']]['from_date'] = from_date
+
+  sorted_indicators = sorted(indicators_map.values(), key=lambda x: x['maliciousRatio'], reverse=True)
+  sorted_indicators = [x for x in sorted_indicators if x['maliciousRatio'] > 0]
+  sorted_indicators = sorted_indicators[:MAX_RESULTS]
+  sorted_indicators = map(select_indicator_columns, sorted_indicators)
+  demisto.results(json.dumps({"total": len(sorted_indicators), "data": sorted_indicators}))
+type: python
+tags:
+- widget
+comment: |-
+  Find the top malicious ratio indicators.
+  Malicious ratio is defined by the ratio between the number of "bad" incidents divided by the number of total number of incidents that the indicators appears in.
+enabled: true
+args:
+- name: maxNumberOfIndicators
+  description: Maximum number of indicators for malicious ratio calculation.
+  defaultValue: "10000"
+- name: minimumNumberOfInvs
+  description: Minimum number of investigation the indicator has to appear in.
+  defaultValue: "3"
+- name: maximumNumberOfResults
+  description: Maximum number of results to display.
+  defaultValue: "100"
+scripttarget: 0
+runonce: false
+releaseNotes: "Adding top malicious ratio indicators script"
diff --git a/Widgets/widget-TopMaliciousRationIndicators.json b/Widgets/widget-TopMaliciousRationIndicators.json
@@ -0,0 +1,58 @@
+{
+  "id": "TopMaliciousRatioIndicators",
+  "fromVersion": "4.0.0",
+  "version": -1,
+  "modified": "2018-07-03T14:52:05.828225489+03:00",
+  "name": "TopMaliciousRatioIndicators",
+  "dataType": "scripts",
+  "widgetType": "table",
+  "query": "TopMaliciousRatioIndicators",
+  "sort": null,
+  "isPredefined": false,
+  "dateRange": {
+      "fromDate": "0001-01-01T00:00:00Z",
+      "toDate": "0001-01-01T00:00:00Z",
+      "period": {
+          "byTo": "",
+          "byFrom": "days",
+          "toValue": null,
+          "fromValue": 180,
+          "field": ""
+      },
+      "fromDateLicense": "0001-01-01T00:00:00Z"
+  },
+  "params": {
+  "tableColumns": [
+        {
+          "displayed": true,
+          "isDefault": true,
+          "key": "ID"
+        },
+        {
+          "displayed": true,
+          "isDefault": true,
+          "key": "Type"
+        },
+        {
+          "displayed": true,
+          "isDefault": true,
+          "key": "Value"
+        },
+        {
+          "displayed": true,
+          "isDefault": true,
+          "key": "Malicious Ratio"
+        },
+        {
+          "displayed": true,
+          "isDefault": true,
+          "key": "Last Seen"
+        }
+      ],
+      "maxNumberOfIndicators": 10000,
+      "minimumNumberOfInvs": 3,
+      "maximumNumberOfResults": 50
+  },
+  "size": 10,
+  "category": ""
+}