From 9990c391bc73677c50cb154c15e9d009ef2435a1 Mon Sep 17 00:00:00 2001
From: Kyle Parrish
Date: Fri, 18 Oct 2019 16:28:05 -0400
Subject: [PATCH 1/3] Update UmbrellaBlacklister to include FQDN and URL data_types.
---
.../UmbrellaBlacklister.py | 31 ++++++++++++++-----
1 file changed, 23 insertions(+), 8 deletions(-)
diff --git a/responders/UmbrellaBlacklister/UmbrellaBlacklister.py b/responders/UmbrellaBlacklister/UmbrellaBlacklister.py
index 31a4cd11b..2ac802ca4 100644
--- a/responders/UmbrellaBlacklister/UmbrellaBlacklister.py
+++ b/responders/UmbrellaBlacklister/UmbrellaBlacklister.py
@@ -5,19 +5,32 @@ import requests from datetime import datetime + class UmbrellaBlacklister(Responder): def __init__(self): Responder.__init__(self) - self.integration_url = self.get_param('config.integration_url', None, "Integration URL Missing") + self.integration_url = self.get_param( + 'config.integration_url', None, "Integration URL Missing") def run(self): Responder.run(self) - if self.get_param('data.dataType') == 'domain': + data_type = self.get_param('data.dataType') + ioc_types = {"domain": "domain", "url": "url","fqdn": "fqdn"} + if data_type in ioc_types: + + if data_type == "domain" or data_type == "fqdn": + domain = self.get_param( + 'data.data', None, 'No artifacts available') + + dstUrl = "http://" + domain - domain = self.get_param('data.data', None, 'No artifacts available') + elif data_type == "url": + dstUrl = self.get_param( + 'data.data', None, 'No artifacts available') + + domain = dstUrl.split('/')[2] - dstUrl = "http://" + domain date = datetime.now().strftime("%Y-%m-%dT%XZ") headers = {
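Review bot: In the new `url` branch, `domain = dstUrl.split('/')[2]` is a fragile host extraction: a URL artifact without a scheme (`example.com/path`) raises IndexError before `self.error` can report anything, and one carrying userinfo or a port sends `user@host:8080` rather than the bare host to Umbrella. `urllib.parse.urlsplit(dstUrl).hostname` (with `from urllib.parse import urlsplit` added to the imports) returns the host or `None`, so the branch can become `domain = urlsplit(dstUrl).hostname` followed by `if not domain: self.error('Could not extract host from URL.')`. The inner `if`/`elif` also leaves `dstUrl` and `domain` unbound if `ioc_types` ever gains an entry it does not handle, which is worth an explicit `else`. `run` continues past the end of this hunk.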
@@ -36,16 +49,18 @@ def run(self): "providerName": "Security Platform" } - r = requests.post(self.integration_url, json=payload, headers=headers) + r = requests.post(self.integration_url, + json=payload, headers=headers) if r.status_code == 200 | 202: self.report({'message': 'Blacklisted in Umbrella.'}) else: self.error('Failed to add to blacklist.') - else: - self.error('Incorrect dataType. "Domain" expexted.') + else: + self.error('Incorrect dataType. "Domain", "FQDN", or "URL" expected.') def operations(self, raw): return [self.build_operation('AddTagToArtifact', tag='Umbrella:blocked')] + if __name__ == '__main__': - UmbrellaBlacklister().run() + UmbrellaBlacklister().run()
From 7c09aa308cebfffc9ed22d850a685e836d73bc0e Mon Sep 17 00:00:00 2001
From: Kyle Parrish
Date: Fri, 18 Oct 2019 16:28:38 -0400
Subject: [PATCH 2/3] Update minor version
---
responders/UmbrellaBlacklister/UmbrellaBlacklister.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/responders/UmbrellaBlacklister/UmbrellaBlacklister.json b/responders/UmbrellaBlacklister/UmbrellaBlacklister.json
index 2d030b428..0c2e0046e 100644
--- a/responders/UmbrellaBlacklister/UmbrellaBlacklister.json
+++ b/responders/UmbrellaBlacklister/UmbrellaBlacklister.json
@@ -1,6 +1,6 @@ { "name": "Umbrella Blacklister", - "version": "1.0", + "version": "1.1", "author": "Kyle Parrish", "url": "https://github.com/TheHive-Project/Cortex-Analyzers", "license": "AGPL-V3",
From 6f930a36b8b7508c836556344ed96584aa5a07e1 Mon Sep 17 00:00:00 2001
From: Arcuri Davide
Date: Thu, 5 Mar 2020 14:38:47 +0100
Subject: [PATCH 3/3] Keep ioc_types in list instead of dict
---
responders/UmbrellaBlacklister/UmbrellaBlacklister.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/responders/UmbrellaBlacklister/UmbrellaBlacklister.py b/responders/UmbrellaBlacklister/UmbrellaBlacklister.py
index 2ac802ca4..72e6794e6 100644
--- a/responders/UmbrellaBlacklister/UmbrellaBlacklister.py
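Review bot: `if r.status_code == 200 | 202:` on the context line right after the reformatted `requests.post` call is a precedence bug the commit leaves in place: `|` binds tighter than `==`, so the expression is `r.status_code == 202` and a 200 response is reported as a failure; it should read `if r.status_code in (200, 202):`. The `requests.post` call also has no `timeout=`, so an unresponsive Umbrella endpoint blocks the responder indefinitely; passing e.g. `timeout=30` bounds that. Including `r.status_code` in the `'Failed to add to blacklist.'` error text would make failed submissions diagnosable from Cortex. `run` starts before this hunk.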
+++ b/responders/UmbrellaBlacklister/UmbrellaBlacklister.py
@@ -16,7 +16,7 @@ def run(self): Responder.run(self) data_type = self.get_param('data.dataType') - ioc_types = {"domain": "domain", "url": "url","fqdn": "fqdn"} + ioc_types = ["domain", "url", "fqdn"] if data_type in ioc_types: if data_type == "domain" or data_type == "fqdn":
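Review bot: `ioc_types = ["domain", "url", "fqdn"]` is rebuilt on every `run` call and used only for membership, so a tuple constant at class or module level (e.g. `IOC_TYPES = ("domain", "fqdn", "url")`) would state intent more clearly. The outer `in ioc_types` check and the inner `if data_type == "domain" or data_type == "fqdn":` / `elif data_type == "url":` chain enumerate the same three strings twice, so any future addition to the list must be mirrored below or `dstUrl` and `domain` stay unbound; writing the inner test as `if data_type in ("domain", "fqdn"):` and deriving the outer list from the same constants keeps them in sync. `run` starts and ends outside this hunk.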