From a6b068f3487955225c4b96fa15cca89792624fbd Mon Sep 17 00:00:00 2001
From: Presian Yankulov
Date: Sat, 27 Jul 2019 12:53:40 +0300
Subject: [PATCH 1/5] Fixing Unexpected Error: get() takes exactly 1 argument (2 given)
---
 analyzers/Threatcrowd/threatcrowd_analyzer.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/analyzers/Threatcrowd/threatcrowd_analyzer.py b/analyzers/Threatcrowd/threatcrowd_analyzer.py
index ec4ba54da..865dadeb8 100755
--- a/analyzers/Threatcrowd/threatcrowd_analyzer.py
+++ b/analyzers/Threatcrowd/threatcrowd_analyzer.py
@@ -42,7 +42,7 @@ def run(self):
 threatcrowd_data_type = self.data_type if self.data_type != 'mail' else 'email'
 try:
 response = requests.get("{}/{}/report/".format(self.URI, threatcrowd_data_type),
- {threatcrowd_data_type: self.get_data()})
+ params = {threatcrowd_data_type: self.get_data()})
 self.report(response.json())
 except Exception as e:
 self.unexpectedError(e)
From 871fdf657522c0a144d0f5d598dbbe5692520635 Mon Sep 17 00:00:00 2001
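Review bot: The rewritten `requests.get(...)` call still carries no `timeout`, so a stalled ThreatCrowd endpoint can hang the analyzer until the OS socket gives up before the surrounding `except Exception` ever sees an error; add `timeout=` to the same call (a module constant or a configuration item). A non-2xx reply is also surfaced only as a JSON decode failure because `response.json()` runs unconditionally; `response.raise_for_status()` before it turns that into a clear HTTP error in `unexpectedError`. Minor style on the added line: `params = {...}` should be `params={...}` (no spaces around `=` in a keyword argument). The body of `run` starts outside the hunk.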
From: Chuck Woodraska Date: Tue, 10 Mar 2020 11:22:05 -0700 Subject: [PATCH 2/5] Small changes to the json config files that clean up extraneous config values that could be confusing. --- .../DomainToolsIris_Pivot.json | 8 ---- .../DomainToolsIris_AddRiskyDNSTag.json | 21 +++++++++ .../domaintoolsiris_responder.py | 41 +++++++++++++++++ .../requirements.txt | 0 .../DomainToolsIris_CheckMaliciousTags.json | 20 ++++++++ .../domaintoolsiris_responder.py | 46 +++++++++++++++++++ .../requirements.txt | 0 7 files changed, 128 insertions(+), 8 deletions(-) create mode 100644 responders/DomainToolsIris_AddRiskyDNSTag/DomainToolsIris_AddRiskyDNSTag.json create mode 100644 responders/DomainToolsIris_AddRiskyDNSTag/domaintoolsiris_responder.py create mode 100644 responders/DomainToolsIris_AddRiskyDNSTag/requirements.txt create mode 100644 responders/DomainToolsIris_CheckMaliciousTags/DomainToolsIris_CheckMaliciousTags.json create mode 100644 responders/DomainToolsIris_CheckMaliciousTags/domaintoolsiris_responder.py create mode 100644 responders/DomainToolsIris_CheckMaliciousTags/requirements.txt diff --git a/analyzers/DomainToolsIris/DomainToolsIris_Pivot.json b/analyzers/DomainToolsIris/DomainToolsIris_Pivot.json index 0eed41a42..d6e6c053c 100644 --- a/analyzers/DomainToolsIris/DomainToolsIris_Pivot.json +++ b/analyzers/DomainToolsIris/DomainToolsIris_Pivot.json @@ -25,14 +25,6 @@ "type": "string", "multi": false, "required": true - }, - { - "name": "pivot_count_threshold", - "description": "Pivot count threshold.", - "type": "number", - "multi": false, - "required": false, - "defaultValue": 500 } ] } \ No newline at end of file diff --git a/responders/DomainToolsIris_AddRiskyDNSTag/DomainToolsIris_AddRiskyDNSTag.json b/responders/DomainToolsIris_AddRiskyDNSTag/DomainToolsIris_AddRiskyDNSTag.json new file mode 100644 index 000000000..be634926d --- /dev/null +++ b/responders/DomainToolsIris_AddRiskyDNSTag/DomainToolsIris_AddRiskyDNSTag.json 
@@ -0,0 +1,21 @@
+{
+ "name": "DomainToolsIris_AddRiskyDNSTag",
+ "version": "1.0",
+ "author": "DomainTools",
+ "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+ "license": "AGPL-V3",
+ "description": "Add Tag saying that the case contains a risky DNS.",
+ "dataTypeList": ["thehive:case_artifact"],
+ "command": "DomainToolsIris_AddRiskyDNSTag/domaintoolsiris_responder.py",
+ "baseConfig": "DomainToolsIris",
+ "configurationItems": [
+ {
+ "name": "high_risk_threshold",
+ "description": "Risk score threshold to be considered high risk.",
+ "type": "number",
+ "multi": false,
+ "required": false,
+ "defaultValue": 70
+ }
+ ]
+}
\ No newline at end of file
diff --git a/responders/DomainToolsIris_AddRiskyDNSTag/domaintoolsiris_responder.py b/responders/DomainToolsIris_AddRiskyDNSTag/domaintoolsiris_responder.py
new file mode 100644
index 000000000..38062a18c
--- /dev/null
+++ b/responders/DomainToolsIris_AddRiskyDNSTag/domaintoolsiris_responder.py
@@ -0,0 +1,41 @@
+#!/usr/bin/env python3
+# encoding: utf-8
+
+
+from cortexutils.responder import Responder
+
+
+class DomainToolsIris(Responder):
+ def __init__(self):
+ Responder.__init__(self)
+
+ def run(self):
+ Responder.run(self)
+ if self.get_param("data.dataType") == "domain":
+ self.report({"data": self.get_data()})
+ else:
+ self.report({"data": 'Can only operate on "domain" observables'})
+
+ def operations(self, raw):
+ build_list = []
+ taxonomies = (
+ raw.get("data", {})
+ .get("reports", {})
+ .get("DomainToolsIris_Investigate_1_0", {})
+ .get("taxonomies", None)
+ )
+
+ for x in taxonomies:
+ if x["predicate"] == "Risk Score":
+ if int(x["value"]) > int(self.get_param("config.high_risk_threshold")):
+ build_list.append(
+ self.build_operation("AddTagToCase", tag="DT:Risky DNS")
+ )
+ build_list.append(
+ self.build_operation("AddTagToArtifact", tag="DT:Risky DNS")
+ )
+ return build_list
+
+
+if __name__ == "__main__":
+ DomainToolsIris().run()
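Review bot: `.get("taxonomies", None)` followed by `for x in taxonomies:` raises `TypeError` whenever the artifact carries no `DomainToolsIris_Investigate_1_0` report, so the responder errors out instead of returning an empty operation list; use `.get("taxonomies", [])` so a missing report is a no-op. In the same loop `int(self.get_param("config.high_risk_threshold"))` is re-read per taxonomy and fails with `TypeError` when the optional item is unset even though the JSON declares `"defaultValue": 70`; hoist it above the loop as `threshold = int(self.get_param("config.high_risk_threshold", 70))`. The direct `x["predicate"]` / `x["value"]` indexing and `int(x["value"])` are likewise unguarded, so a single malformed taxonomy entry aborts tagging for the whole artifact. The identical file is re-added in PATCH 5/5, and the `DomainToolsIris_CheckMaliciousTags` responder in this patch and in PATCH 5/5 uses the same `None` default for `taxonomies`.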
diff --git a/responders/DomainToolsIris_AddRiskyDNSTag/requirements.txt b/responders/DomainToolsIris_AddRiskyDNSTag/requirements.txt
new file mode 100644
index 000000000..e69de29bb
diff --git a/responders/DomainToolsIris_CheckMaliciousTags/DomainToolsIris_CheckMaliciousTags.json b/responders/DomainToolsIris_CheckMaliciousTags/DomainToolsIris_CheckMaliciousTags.json
new file mode 100644
index 000000000..402bfa357
--- /dev/null
+++ b/responders/DomainToolsIris_CheckMaliciousTags/DomainToolsIris_CheckMaliciousTags.json
@@ -0,0 +1,20 @@
+{
+ "name": "DomainToolsIris_CheckMaliciousTags",
+ "version": "1.0",
+ "author": "DomainTools",
+ "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+ "license": "AGPL-V3",
+ "description": "Add Tag saying that the observable and case have a malicious tag in their Iris Tags.",
+ "dataTypeList": ["thehive:case_artifact"],
+ "command": "DomainToolsIris_CheckMaliciousTags/domaintoolsiris_responder.py",
+ "baseConfig": "DomainToolsIris",
+ "configurationItems": [
+ {
+ "name": "monitored_iris_tags",
+ "description": "Monitored Iris tags.",
+ "type": "string",
+ "multi": true,
+ "required": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/responders/DomainToolsIris_CheckMaliciousTags/domaintoolsiris_responder.py b/responders/DomainToolsIris_CheckMaliciousTags/domaintoolsiris_responder.py
new file mode 100644
index 000000000..8490a0a24
--- /dev/null
+++ b/responders/DomainToolsIris_CheckMaliciousTags/domaintoolsiris_responder.py
@@ -0,0 +1,46 @@
+#!/usr/bin/env python3
+# encoding: utf-8
+
+
+from cortexutils.responder import Responder
+
+
+class DomainToolsIris(Responder):
+ def __init__(self):
+ Responder.__init__(self)
+
+ def run(self):
+ Responder.run(self)
+ if self.get_param("data.dataType") == "domain":
+ self.report({"data": self.get_data()})
+ else:
+ self.report({"data": 'Can only operate on "domain" observables'})
+
+ def operations(self, raw):
+ build_list = []
+ taxonomies = (
+ raw.get("data", {})
+ .get("reports", {})
+ .get("DomainToolsIris_Investigate_1_0", {})
+ .get("taxonomies", None)
+ )
+
+ for x in taxonomies:
+ if x["predicate"] == "IrisTags":
+ malicious_tags_set = set(self.get_param("config.monitored_iris_tags"))
+ domain_tags_set = set(x["value"].split(","))
+
+ if len(malicious_tags_set.intersection(domain_tags_set)):
+ build_list.append(
+ self.build_operation(
+ "AddTagToArtifact", tag="DT:Malicious Domain"
+ )
+ )
+ build_list.append(
+ self.build_operation("AddTagToCase", tag="DT:Malicious Domain")
+ )
+ return build_list
+
+
+if __name__ == "__main__":
+ DomainToolsIris().run()
diff --git a/responders/DomainToolsIris_CheckMaliciousTags/requirements.txt b/responders/DomainToolsIris_CheckMaliciousTags/requirements.txt
new file mode 100644
index 000000000..e69de29bb
From 4febba53f8950237a39a8137e1afe225f5f3d24b Mon Sep 17 00:00:00 2001
From: Arcuri Davide
Date: Sun, 15 Mar 2020 18:29:53 +0100
Subject: [PATCH 3/5] Revert "[ThreatCrowd ] Fixing Unexpected Error: get() takes exactly 1 argument (2 given)"
---
 analyzers/Threatcrowd/threatcrowd_analyzer.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/analyzers/Threatcrowd/threatcrowd_analyzer.py b/analyzers/Threatcrowd/threatcrowd_analyzer.py
index c4f3bf85a..75c0266e5 100755
--- a/analyzers/Threatcrowd/threatcrowd_analyzer.py
+++ b/analyzers/Threatcrowd/threatcrowd_analyzer.py
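Review bot: `set(self.get_param("config.monitored_iris_tags"))` fails with `TypeError` when the item is unset, because the accompanying `DomainToolsIris_CheckMaliciousTags.json` declares it `"required": false` with no `defaultValue` (so `get_param` presumably yields `None`); read it once above the loop as `monitored = set(self.get_param("config.monitored_iris_tags", []) or [])`. `set(x["value"].split(","))` keeps surrounding whitespace, so a tag value written as `a, b` (constructed example) never matches a monitored tag `b`; build it as `{t.strip() for t in x["value"].split(",") if t.strip()}`. `if len(malicious_tags_set.intersection(domain_tags_set)):` reads more simply as `if malicious_tags_set & domain_tags_set:`. This file is re-added unchanged in PATCH 5/5, and the `.get("taxonomies", None)` default it shares with the AddRiskyDNSTag responder is raised on that responder's hunk.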
@@ -42,7 +42,7 @@ def run(self): threatcrowd_data_type = self.data_type if self.data_type != 'mail' else 'email' try: response = requests.get("{}/{}/report/".format(self.URI, threatcrowd_data_type), - params = {threatcrowd_data_type: self.get_data()}) + {threatcrowd_data_type: self.get_data()}) self.report(response.json()) except Exception as e: self.unexpectedError(e) From 26174fec189f761a40168a1600d4cfc4651e6e58 Mon Sep 17 00:00:00 2001 From: Jerome Leonard Date: Mon, 23 Mar 2020 09:56:55 +0100 Subject: [PATCH 4/5] Revert "DomainToolsIris config cleanup" --- .../DomainToolsIris_Pivot.json | 8 ++++ .../DomainToolsIris_AddRiskyDNSTag.json | 21 --------- .../domaintoolsiris_responder.py | 41 ----------------- .../requirements.txt | 0 .../DomainToolsIris_CheckMaliciousTags.json | 20 -------- .../domaintoolsiris_responder.py | 46 ------------------- .../requirements.txt | 0 7 files changed, 8 insertions(+), 128 deletions(-) delete mode 100644 responders/DomainToolsIris_AddRiskyDNSTag/DomainToolsIris_AddRiskyDNSTag.json delete mode 100644 responders/DomainToolsIris_AddRiskyDNSTag/domaintoolsiris_responder.py delete mode 100644 responders/DomainToolsIris_AddRiskyDNSTag/requirements.txt delete mode 100644 responders/DomainToolsIris_CheckMaliciousTags/DomainToolsIris_CheckMaliciousTags.json delete mode 100644 responders/DomainToolsIris_CheckMaliciousTags/domaintoolsiris_responder.py delete mode 100644 responders/DomainToolsIris_CheckMaliciousTags/requirements.txt diff --git a/analyzers/DomainToolsIris/DomainToolsIris_Pivot.json b/analyzers/DomainToolsIris/DomainToolsIris_Pivot.json index d6e6c053c..0eed41a42 100644 --- a/analyzers/DomainToolsIris/DomainToolsIris_Pivot.json +++ b/analyzers/DomainToolsIris/DomainToolsIris_Pivot.json 
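Review bot: The revert puts the query dict back as the second positional argument of `requests.get`, which only works where the installed requests release accepts `params` positionally; the keyword form removed here, `params={threatcrowd_data_type: self.get_data()}`, is the documented spelling and is what PATCH 1/5 introduced to avoid the `get() takes exactly 1 argument (2 given)` failure named in its subject. If the revert is intentional, the commit message should record why the positional form is required on the target deployment. The body of `run` starts outside the hunk.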
@@ -25,6 +25,14 @@
 "type": "string",
 "multi": false,
 "required": true
+ },
+ {
+ "name": "pivot_count_threshold",
+ "description": "Pivot count threshold.",
+ "type": "number",
+ "multi": false,
+ "required": false,
+ "defaultValue": 500
 }
 ]
 }
\ No newline at end of file
diff --git a/responders/DomainToolsIris_AddRiskyDNSTag/DomainToolsIris_AddRiskyDNSTag.json b/responders/DomainToolsIris_AddRiskyDNSTag/DomainToolsIris_AddRiskyDNSTag.json
deleted file mode 100644
index be634926d..000000000
--- a/responders/DomainToolsIris_AddRiskyDNSTag/DomainToolsIris_AddRiskyDNSTag.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "name": "DomainToolsIris_AddRiskyDNSTag",
- "version": "1.0",
- "author": "DomainTools",
- "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
- "license": "AGPL-V3",
- "description": "Add Tag saying that the case contains a risky DNS.",
- "dataTypeList": ["thehive:case_artifact"],
- "command": "DomainToolsIris_AddRiskyDNSTag/domaintoolsiris_responder.py",
- "baseConfig": "DomainToolsIris",
- "configurationItems": [
- {
- "name": "high_risk_threshold",
- "description": "Risk score threshold to be considered high risk.",
- "type": "number",
- "multi": false,
- "required": false,
- "defaultValue": 70
- }
- ]
-}
\ No newline at end of file
diff --git a/responders/DomainToolsIris_AddRiskyDNSTag/domaintoolsiris_responder.py b/responders/DomainToolsIris_AddRiskyDNSTag/domaintoolsiris_responder.py
deleted file mode 100644
index 38062a18c..000000000
--- a/responders/DomainToolsIris_AddRiskyDNSTag/domaintoolsiris_responder.py
+++ /dev/null
@@ -1,41 +0,0 @@
-#!/usr/bin/env python3
-# encoding: utf-8
-
-
-from cortexutils.responder import Responder
-
-
-class DomainToolsIris(Responder):
- def __init__(self):
- Responder.__init__(self)
-
- def run(self):
- Responder.run(self)
- if self.get_param("data.dataType") == "domain":
- self.report({"data": self.get_data()})
- else:
- self.report({"data": 'Can only operate on "domain" observables'})
-
- def operations(self, raw):
- build_list = []
- taxonomies = (
- raw.get("data", {})
- .get("reports", {})
- .get("DomainToolsIris_Investigate_1_0", {})
- .get("taxonomies", None)
- )
-
- for x in taxonomies:
- if x["predicate"] == "Risk Score":
- if int(x["value"]) > int(self.get_param("config.high_risk_threshold")):
- build_list.append(
- self.build_operation("AddTagToCase", tag="DT:Risky DNS")
- )
- build_list.append(
- self.build_operation("AddTagToArtifact", tag="DT:Risky DNS")
- )
- return build_list
-
-
-if __name__ == "__main__":
- DomainToolsIris().run()
diff --git a/responders/DomainToolsIris_AddRiskyDNSTag/requirements.txt b/responders/DomainToolsIris_AddRiskyDNSTag/requirements.txt
deleted file mode 100644
index e69de29bb..000000000
diff --git a/responders/DomainToolsIris_CheckMaliciousTags/DomainToolsIris_CheckMaliciousTags.json b/responders/DomainToolsIris_CheckMaliciousTags/DomainToolsIris_CheckMaliciousTags.json
deleted file mode 100644
index 402bfa357..000000000
--- a/responders/DomainToolsIris_CheckMaliciousTags/DomainToolsIris_CheckMaliciousTags.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "name": "DomainToolsIris_CheckMaliciousTags",
- "version": "1.0",
- "author": "DomainTools",
- "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
- "license": "AGPL-V3",
- "description": "Add Tag saying that the observable and case have a malicious tag in their Iris Tags.",
- "dataTypeList": ["thehive:case_artifact"],
- "command": "DomainToolsIris_CheckMaliciousTags/domaintoolsiris_responder.py",
- "baseConfig": "DomainToolsIris",
- "configurationItems": [
- {
- "name": "monitored_iris_tags",
- "description": "Monitored Iris tags.",
- "type": "string",
- "multi": true,
- "required": false
- }
- ]
-}
\ No newline at end of file
diff --git a/responders/DomainToolsIris_CheckMaliciousTags/domaintoolsiris_responder.py b/responders/DomainToolsIris_CheckMaliciousTags/domaintoolsiris_responder.py
deleted file mode 100644
index 8490a0a24..000000000
--- a/responders/DomainToolsIris_CheckMaliciousTags/domaintoolsiris_responder.py
+++ /dev/null
@@ -1,46 +0,0 @@
-#!/usr/bin/env python3
-# encoding: utf-8
-
-
-from cortexutils.responder import Responder
-
-
-class DomainToolsIris(Responder):
- def __init__(self):
- Responder.__init__(self)
-
- def run(self):
- Responder.run(self)
- if self.get_param("data.dataType") == "domain":
- self.report({"data": self.get_data()})
- else:
- self.report({"data": 'Can only operate on "domain" observables'})
-
- def operations(self, raw):
- build_list = []
- taxonomies = (
- raw.get("data", {})
- .get("reports", {})
- .get("DomainToolsIris_Investigate_1_0", {})
- .get("taxonomies", None)
- )
-
- for x in taxonomies:
- if x["predicate"] == "IrisTags":
- malicious_tags_set = set(self.get_param("config.monitored_iris_tags"))
- domain_tags_set = set(x["value"].split(","))
-
- if len(malicious_tags_set.intersection(domain_tags_set)):
- build_list.append(
- self.build_operation(
- "AddTagToArtifact", tag="DT:Malicious Domain"
- )
- )
- build_list.append(
- self.build_operation("AddTagToCase", tag="DT:Malicious Domain")
- )
- return build_list
-
-
-if __name__ == "__main__":
- DomainToolsIris().run()
diff --git a/responders/DomainToolsIris_CheckMaliciousTags/requirements.txt b/responders/DomainToolsIris_CheckMaliciousTags/requirements.txt
deleted file mode 100644
index e69de29bb..000000000
From 383847cab89742679b7d2f5839d24d5de10ade7b Mon Sep 17 00:00:00 2001
From: Jerome Leonard Date: Mon, 23 Mar 2020 09:59:35 +0100 Subject: [PATCH 5/5] Revert "Revert "DomainToolsIris config cleanup"" --- .../DomainToolsIris_Pivot.json | 8 ---- .../DomainToolsIris_AddRiskyDNSTag.json | 21 +++++++++ .../domaintoolsiris_responder.py | 41 +++++++++++++++++ .../requirements.txt | 0 .../DomainToolsIris_CheckMaliciousTags.json | 20 ++++++++ .../domaintoolsiris_responder.py | 46 +++++++++++++++++++ .../requirements.txt | 0 7 files changed, 128 insertions(+), 8 deletions(-) create mode 100644 responders/DomainToolsIris_AddRiskyDNSTag/DomainToolsIris_AddRiskyDNSTag.json create mode 100644 responders/DomainToolsIris_AddRiskyDNSTag/domaintoolsiris_responder.py create mode 100644 responders/DomainToolsIris_AddRiskyDNSTag/requirements.txt create mode 100644 responders/DomainToolsIris_CheckMaliciousTags/DomainToolsIris_CheckMaliciousTags.json create mode 100644 responders/DomainToolsIris_CheckMaliciousTags/domaintoolsiris_responder.py create mode 100644 responders/DomainToolsIris_CheckMaliciousTags/requirements.txt diff --git a/analyzers/DomainToolsIris/DomainToolsIris_Pivot.json b/analyzers/DomainToolsIris/DomainToolsIris_Pivot.json index 0eed41a42..d6e6c053c 100644 --- a/analyzers/DomainToolsIris/DomainToolsIris_Pivot.json +++ b/analyzers/DomainToolsIris/DomainToolsIris_Pivot.json @@ -25,14 +25,6 @@ "type": "string", "multi": false, "required": true - }, - { - "name": "pivot_count_threshold", - "description": "Pivot count threshold.", - "type": "number", - "multi": false, - "required": false, - "defaultValue": 500 } ] } \ No newline at end of file diff --git a/responders/DomainToolsIris_AddRiskyDNSTag/DomainToolsIris_AddRiskyDNSTag.json b/responders/DomainToolsIris_AddRiskyDNSTag/DomainToolsIris_AddRiskyDNSTag.json new file mode 100644 index 000000000..be634926d --- /dev/null +++ b/responders/DomainToolsIris_AddRiskyDNSTag/DomainToolsIris_AddRiskyDNSTag.json 
@@ -0,0 +1,21 @@
+{
+ "name": "DomainToolsIris_AddRiskyDNSTag",
+ "version": "1.0",
+ "author": "DomainTools",
+ "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+ "license": "AGPL-V3",
+ "description": "Add Tag saying that the case contains a risky DNS.",
+ "dataTypeList": ["thehive:case_artifact"],
+ "command": "DomainToolsIris_AddRiskyDNSTag/domaintoolsiris_responder.py",
+ "baseConfig": "DomainToolsIris",
+ "configurationItems": [
+ {
+ "name": "high_risk_threshold",
+ "description": "Risk score threshold to be considered high risk.",
+ "type": "number",
+ "multi": false,
+ "required": false,
+ "defaultValue": 70
+ }
+ ]
+}
\ No newline at end of file
diff --git a/responders/DomainToolsIris_AddRiskyDNSTag/domaintoolsiris_responder.py b/responders/DomainToolsIris_AddRiskyDNSTag/domaintoolsiris_responder.py
new file mode 100644
index 000000000..38062a18c
--- /dev/null
+++ b/responders/DomainToolsIris_AddRiskyDNSTag/domaintoolsiris_responder.py
@@ -0,0 +1,41 @@
+#!/usr/bin/env python3
+# encoding: utf-8
+
+
+from cortexutils.responder import Responder
+
+
+class DomainToolsIris(Responder):
+ def __init__(self):
+ Responder.__init__(self)
+
+ def run(self):
+ Responder.run(self)
+ if self.get_param("data.dataType") == "domain":
+ self.report({"data": self.get_data()})
+ else:
+ self.report({"data": 'Can only operate on "domain" observables'})
+
+ def operations(self, raw):
+ build_list = []
+ taxonomies = (
+ raw.get("data", {})
+ .get("reports", {})
+ .get("DomainToolsIris_Investigate_1_0", {})
+ .get("taxonomies", None)
+ )
+
+ for x in taxonomies:
+ if x["predicate"] == "Risk Score":
+ if int(x["value"]) > int(self.get_param("config.high_risk_threshold")):
+ build_list.append(
+ self.build_operation("AddTagToCase", tag="DT:Risky DNS")
+ )
+ build_list.append(
+ self.build_operation("AddTagToArtifact", tag="DT:Risky DNS")
+ )
+ return build_list
+
+
+if __name__ == "__main__":
+ DomainToolsIris().run()
diff --git a/responders/DomainToolsIris_AddRiskyDNSTag/requirements.txt b/responders/DomainToolsIris_AddRiskyDNSTag/requirements.txt
new file mode 100644
index 000000000..e69de29bb
diff --git a/responders/DomainToolsIris_CheckMaliciousTags/DomainToolsIris_CheckMaliciousTags.json b/responders/DomainToolsIris_CheckMaliciousTags/DomainToolsIris_CheckMaliciousTags.json
new file mode 100644
index 000000000..402bfa357
--- /dev/null
+++ b/responders/DomainToolsIris_CheckMaliciousTags/DomainToolsIris_CheckMaliciousTags.json
@@ -0,0 +1,20 @@
+{
+ "name": "DomainToolsIris_CheckMaliciousTags",
+ "version": "1.0",
+ "author": "DomainTools",
+ "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+ "license": "AGPL-V3",
+ "description": "Add Tag saying that the observable and case have a malicious tag in their Iris Tags.",
+ "dataTypeList": ["thehive:case_artifact"],
+ "command": "DomainToolsIris_CheckMaliciousTags/domaintoolsiris_responder.py",
+ "baseConfig": "DomainToolsIris",
+ "configurationItems": [
+ {
+ "name": "monitored_iris_tags",
+ "description": "Monitored Iris tags.",
+ "type": "string",
+ "multi": true,
+ "required": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/responders/DomainToolsIris_CheckMaliciousTags/domaintoolsiris_responder.py b/responders/DomainToolsIris_CheckMaliciousTags/domaintoolsiris_responder.py
new file mode 100644
index 000000000..8490a0a24
--- /dev/null
+++ b/responders/DomainToolsIris_CheckMaliciousTags/domaintoolsiris_responder.py
@@ -0,0 +1,46 @@
+#!/usr/bin/env python3
+# encoding: utf-8
+
+
+from cortexutils.responder import Responder
+
+
+class DomainToolsIris(Responder):
+ def __init__(self):
+ Responder.__init__(self)
+
+ def run(self):
+ Responder.run(self)
+ if self.get_param("data.dataType") == "domain":
+ self.report({"data": self.get_data()})
+ else:
+ self.report({"data": 'Can only operate on "domain" observables'})
+
+ def operations(self, raw):
+ build_list = []
+ taxonomies = (
+ raw.get("data", {})
+ .get("reports", {})
+ .get("DomainToolsIris_Investigate_1_0", {})
+ .get("taxonomies", None)
+ )
+
+ for x in taxonomies:
+ if x["predicate"] == "IrisTags":
+ malicious_tags_set = set(self.get_param("config.monitored_iris_tags"))
+ domain_tags_set = set(x["value"].split(","))
+
+ if len(malicious_tags_set.intersection(domain_tags_set)):
+ build_list.append(
+ self.build_operation(
+ "AddTagToArtifact", tag="DT:Malicious Domain"
+ )
+ )
+ build_list.append(
+ self.build_operation("AddTagToCase", tag="DT:Malicious Domain")
+ )
+ return build_list
+
+
+if __name__ == "__main__":
+ DomainToolsIris().run()
diff --git a/responders/DomainToolsIris_CheckMaliciousTags/requirements.txt b/responders/DomainToolsIris_CheckMaliciousTags/requirements.txt
new file mode 100644
index 000000000..e69de29bb