Reverted addition of threat-grid-detonate-file and threat-grid-url-to-file commands #1726

247 changes: 11 additions & 236 deletions Integrations/integration-Threat_Grid.yml
Expand Up @@ -268,150 +268,13 @@ script:
'threat-grid-get-specific-feed': 'feeds/%feed-name%-%feed-period%.%output-type%',
};

var SHORTCUT_DATA = "[InternetShortcut]\nURL=";

function calcScore(tg_score) {
if (tg_score >= 95) {
return 3;
};
if (tg_score >= 75) {
return 2;
}
return 1;
}

function get_sample_state(id) {
var rawResponse = sendRequest(
'GET',
'samples/' + id + '/state',
args,
null
);
return rawResponse.data.state;
}

function wait_for_report(id, delay, timeout) {
var time = 0;
var done = false;
do {
var state = get_sample_state(id);
if (state == 'fail')
throw "Threat Grid failed to process the sample (sample state: fail).";
done = state == 'succ';
if (done)
break;
wait(delay);
time += delay;
} while (!done && time < timeout);
if (!done) {
throw "Timeout while waiting for report. Sample ID: " + id;
}
}

function get_report(id, type) { //Complete
if (type.lower() == 'html') {
rawResponse = sendRequest(
'GET',
'samples/' + id + '/report.html',
args,
id + '-report.html'
);
var fileId = rawResponse.FileID;
return ({Type: 3, FileID: fileId, File: 'ThreatGridReport.html', Contents: 'ThreatGridReport.html'});
}
rawResponse = sendRequest(
'GET',
'samples/' + id + '/analysis.json',
args,
null
);
return {
Type: entryTypes.note,
ContentsFormat: formats.json,
Contents: rawResponse,
ReadableContentsFormat: formats.markdown,
HumanReadable: createHR(command, returnObject),
EntryContext: (contextData && returnObject && ec) ? ec : undefined
};
}

function get_threat_summary(id) {
var contextData = {
ContextPath: 'ThreatGrid.Sample(val.ID == obj.ID)',
ContentPath: 'data',
};
var ec = {};
var returnObject = mapObjFunction([
{to: 'MaxConfidence', from: 'max-confidence'},
{to: 'MaxSeverity', from: 'max-severity'},
{to: 'Score', from: 'score'},
{to: 'Count', from: 'count'},
{to: 'ID', from: 'sample'},
])(dq(rawResponse, contextData.ContentPath));
ec[contextData.ContextPath] = returnObject;
returnObject.ID = id;
ec['DBotScore'] = {
'Indicator': returnObject.ID,
'Score': calcScore(returnObject.Score),
'Type': 'Sample ID',
'Vendor': 'ThreatGrid'
};
return {
Type: entryTypes.note,
ContentsFormat: formats.table,
Contents: [
{'key': 'Sample ID', 'value': rawResponse.data.sample},
{'key': 'Threat Grid Score', 'value': returnObject.Score},
{'key': 'DBot Score', 'value': calcScore(returnObject.Score)}
],
EntryContext: ec
}
}


var rawResponse;
var id = args.id;
switch (command) {
case 'test-module':
args.limit = 1;
sendRequest(methodDictionary['test-module'], urlDict['test-module'], args);
return 'ok';

case 'threat-grid-url-to-file':
var url = args['url'];
delete(args['url']);
return { Type: 3, FileID: saveFile(SHORTCUT_DATA + url), File: 'url_as_file', Contents: 'url_as_file' };

case 'threat-grid-detonate-file':
args['api_key'] = params.token;
var entryId = args['file-entry-id'];
delete(args['file-entry-id']);
var res = httpMultipart(
url + 'samples',
entryId,
{
Method: 'POST',
},
args,
params.insecure,
params.proxy,
undefined,
'sample',
args.filename
);
if (res.StatusCode == 503) {
throw 'Sample upload failed: File was already uploaded.';
}
if (res.StatusCode < 200 || res.StatusCode >= 300) {
throw 'Sample upload failed, request status code: ' + res.StatusCode + ' and Body: ' + res.Body + '.';
}
rawResponse = JSON.parse(res.Body);
sampleId = rawResponse.data.id;
wait_for_report(sampleId, parseInt(args.delay), parseInt(args.timeout));
var type = args['report-file-type'];
delete(args['report-file-type']);
return get_threat_summary(sampleId, type);

case 'threat-grid-upload-sample':
args['api_key'] = params.token;
var fileId = args['file-id'];
Expand Down Expand Up @@ -467,30 +330,12 @@ script:
if (returnObject && !returnObject.ID) {
returnObject.ID = id;
}
if (command === 'threat-grid-get-threat-summary-by-id') {
if ( returnObject.Score >= TERSHOLD) {
var md5 = dq(invContext, "ThreatGrid.Sample(val=val.ID=='" + returnObject.ID + "').MD5");
addMalicious(ec, outputPaths.file, {
MD5: Array.isArray(md5) ? md5[0] : md5,
Malicious: {Vendor: 'ThreatGrid', Description: 'Sample has score of ' + returnObject.Score + ' which is higher than treshold (80)'}
});
}
ec['DBotScore'] = {
'Indicator': returnObject.ID,
'Score': calcScore(returnObject.Score),
'Type': 'Sample ID',
'Vendor': 'ThreatGrid'
};
return {
Type: entryTypes.note,
ContentsFormat: formats.table,
Contents: [
{'key': 'Sample ID', 'value': rawResponse.data.sample},
{'key': 'Threat Grid Score', 'value': returnObject.Score},
{'key': 'DBot Score', 'value': calcScore(returnObject.Score)}
],
EntryContext: ec
}
if (command === 'threat-grid-get-threat-summary-by-id' && returnObject.Score >= TERSHOLD) {
var md5 = dq(invContext, "ThreatGrid.Sample(val=val.ID=='" + returnObject.ID + "').MD5");
addMalicious(ec, outputPaths.file, {
MD5: Array.isArray(md5) ? md5[0] : md5,
Malicious: {Vendor: 'ThreatGrid', Description: 'Sample has score of ' + returnObject.Score + ' which is higher than treshold (80)'}
});
}

return {
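Review bot: The restored condition `if (command === 'threat-grid-get-threat-summary-by-id' && returnObject.Score >= TERSHOLD)` dereferences `returnObject` without the null guard that the line just above it applies (`if (returnObject && !returnObject.ID)`); if `returnObject` can be undefined there, as that guard suggests, the threat-summary command throws a TypeError instead of returning a result. Adding the same guard keeps the two lines consistent: `if (command === 'threat-grid-get-threat-summary-by-id' && returnObject && returnObject.Score >= TERSHOLD) {`. The `Malicious.Description` string also hard-codes "(80)" while the comparison uses `TERSHOLD`, so the two will silently diverge if the constant is ever changed; building the message from the constant avoids that: `'Sample has score of ' + returnObject.Score + ' which is higher than threshold (' + TERSHOLD + ')'`. The enclosing switch/return block begins before this hunk and the `return {` on its last line continues past it.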
Expand Down Expand Up @@ -940,31 +785,18 @@ script:
outputs:
- contextPath: ThreatGrid.Sample.ID
description: The sample id
type: string
- contextPath: ThreatGrid.Sample.MaxSeverity
description: The sample max severity
type: number
- contextPath: ThreatGrid.Sample.Score
description: The sample score
type: number
- contextPath: ThreatGrid.Sample.Count
description: The sample count
type: number
- contextPath: ThreatGrid.Sample.MaxConfidence
description: The sample max confidence
type: number
- contextPath: DBotScore.Indicator
description: The indicator value
type: string
- contextPath: DBotScore.Score
description: The indicator's score
type: number
- contextPath: DBotScore.Vendor
description: The indicator's vendor
type: string
- contextPath: DBotScore.Type
description: The indicator's type
type: string
- contextPath: File.Malicious.Vendor
description: For malicious files, the vendor that made the decision
- contextPath: File.Malicious.Description
description: For malicious files, the reason for the vendor to make the decision
description: Returns a summary of the threats detected during analysis
- name: threat-grid-get-html-report-by-id
arguments:
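Review bot: The `outputs` entries removed from the threat-summary command appear to include `File.Malicious.Vendor` and `File.Malicious.Description`, yet the script side of this same commit still calls `addMalicious(ec, outputPaths.file, ...)` for `threat-grid-get-threat-summary-by-id`, so the command would keep writing a context output the YAML no longer declares. The rendered view does not show which side each changed line belongs to, so this is worth confirming against the raw diff; if those two entries are indeed dropped, they should be kept under `outputs:` as `- contextPath: File.Malicious.Vendor` / `description: For malicious files, the vendor that made the decision` and the matching `File.Malicious.Description` entry. The `threat-grid-get-html-report-by-id` definition that starts on the hunk's last line continues outside it.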
Expand Down Expand Up @@ -1099,61 +931,4 @@ script:
description: The output type
defaultValue: json
description: Gets a specific threat feed
- name: threat-grid-detonate-file
arguments:
- name: file-entry-id
required: true
default: true
description: Entry ID of the uploaded file (e.g. the message in the war room
with the uploaded file's details).
- name: delay
description: Time to wait between status checks (in seconds)
defaultValue: "20"
- name: timeout
description: Total wait time (in seconds)
defaultValue: "660"
- name: report-file-type
auto: PREDEFINED
predefined:
- html
- json
description: File type of report to return
defaultValue: html
outputs:
- contextPath: ThreatGrid.Sample.ID
description: The sample id
type: string
- contextPath: ThreatGrid.Sample.MaxSeverity
description: The sample max severity
type: number
- contextPath: ThreatGrid.Sample.Score
description: The sample score
type: number
- contextPath: ThreatGrid.Sample.Count
description: The sample count
type: number
- contextPath: ThreatGrid.Sample.MaxConfidence
description: The sample max confidence
type: number
- contextPath: DBotScore.Indicator
description: The indicator value
type: string
- contextPath: DBotScore.Score
description: The indicator's score
type: number
- contextPath: DBotScore.Vendor
description: The indicator's vendor
type: string
- contextPath: DBotScore.Type
description: The indicator's type
type: string
description: Detonates URL address through Threat Grid
- name: threat-grid-url-to-file
arguments:
- name: url
required: true
default: true
description: The URL to convert.
description: Convert a URL into a file for Threat Grid file detonation.
runonce: false
releaseNotes: "Added threat-grid-detonate-file and threat-grid-url-to-file commands."
releaseNotes: "-"