Merge pull request #547 from arnydo/update_umbrellablacklister
Update UmbrellaBlacklister
garanews authored Mar 5, 2020
2 parents 899a5b1 + 6f930a3 commit da200e1
Showing 2 changed files with 24 additions and 9 deletions.
2 changes: 1 addition & 1 deletion responders/UmbrellaBlacklister/UmbrellaBlacklister.json
@@ -1,6 +1,6 @@
{
"name": "Umbrella Blacklister",
"version": "1.0",
"version": "1.1",
"author": "Kyle Parrish",
"url": "https://github.com/TheHive-Project/Cortex-Analyzers",
"license": "AGPL-V3",
31 changes: 23 additions & 8 deletions responders/UmbrellaBlacklister/UmbrellaBlacklister.py
Expand Up @@ -5,19 +5,32 @@
import requests
from datetime import datetime


class UmbrellaBlacklister(Responder):
def __init__(self):
Responder.__init__(self)
self.integration_url = self.get_param('config.integration_url', None, "Integration URL Missing")
self.integration_url = self.get_param(
'config.integration_url', None, "Integration URL Missing")

def run(self):
Responder.run(self)

if self.get_param('data.dataType') == 'domain':
data_type = self.get_param('data.dataType')
ioc_types = ["domain", "url", "fqdn"]
if data_type in ioc_types:

if data_type == "domain" or data_type == "fqdn":
domain = self.get_param(
'data.data', None, 'No artifacts available')

dstUrl = "http://" + domain

domain = self.get_param('data.data', None, 'No artifacts available')
elif data_type == "url":
dstUrl = self.get_param(
'data.data', None, 'No artifacts available')

domain = dstUrl.split('/')[2]

dstUrl = "http://" + domain
date = datetime.now().strftime("%Y-%m-%dT%XZ")

headers = {
Expand All @@ -36,16 +49,18 @@ def run(self):
"providerName": "Security Platform"
}

r = requests.post(self.integration_url, json=payload, headers=headers)
r = requests.post(self.integration_url,
json=payload, headers=headers)
if r.status_code == 200 | 202:
self.report({'message': 'Blacklisted in Umbrella.'})
else:
self.error('Failed to add to blacklist.')
else:
self.error('Incorrect dataType. "Domain" expexted.')
else:
self.error('Incorrect dataType. "Domain", "FQDN", or "URL" expected.')

def operations(self, raw):
return [self.build_operation('AddTagToArtifact', tag='Umbrella:blocked')]


if __name__ == '__main__':
UmbrellaBlacklister().run()
UmbrellaBlacklister().run()
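Review bot: In the new `url` branch of `run()`, `domain = dstUrl.split('/')[2]` raises IndexError for a URL artifact with no scheme (or picks a path segment when the path is deep enough) and otherwise keeps any userinfo and port (`user@host:8443`), so the value submitted to Umbrella may not be the host the analyst meant to block. Parsing with the standard library and rejecting an empty result is safer: `domain = urlsplit(dstUrl).hostname` followed by `if not domain: self.error('No hostname found in URL artifact')`, with `from urllib.parse import urlsplit` added to the imports. Separately, the status check that appears unchanged in the second hunk, `r.status_code == 200 | 202`, evaluates the bitwise OR first and therefore only matches 202, so a 200 response would be reported as a failed block; `if r.status_code in (200, 202):` expresses the intent. The headers and payload part of `run()` sits between the two hunks and is collapsed on this page, so how `domain` and `dstUrl` are used there is not visible.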
