From 32116a69de30ab61342492b0bc28cc00a1f44fc2 Mon Sep 17 00:00:00 2001 
From: igorski-r7 <99184344+igorski-r7@users.noreply.github.com> Date: Thu, 31 Oct 2024 16:39:34 +0100 Subject: [PATCH] Crowdstrike Falcon Intelligence - 16877 - New action added: Upload Malware Sample | Updated SDK to the latest version (#2918) --- .../crowdstrike_falcon_intelligence/.CHECKSUM | 26 +- .../Dockerfile | 18 +- .../bin/icon_crowdstrike_falcon_intelligence | 28 +- .../crowdstrike_falcon_intelligence/help.md | 800 +++--- .../actions/__init__.py | 18 +- .../actions/checkAnalysisStatus/__init__.py | 2 +- .../actions/checkAnalysisStatus/schema.py | 356 +-- .../actions/downloadArtifact/__init__.py | 2 +- .../actions/downloadArtifact/schema.py | 29 +- .../actions/getFullReport/__init__.py | 2 +- .../actions/getFullReport/schema.py | 2425 ++++------------- .../actions/getReportsIDs/__init__.py | 2 +- .../actions/getReportsIDs/schema.py | 16 +- .../actions/getShortReport/__init__.py | 2 +- .../actions/getShortReport/schema.py | 358 +-- .../actions/getSubmissionsIDs/__init__.py | 2 +- .../actions/getSubmissionsIDs/schema.py | 16 +- .../actions/submitAnalysis/__init__.py | 2 +- .../actions/submitAnalysis/schema.py | 378 +-- .../actions/uploadMalwareSample/__init__.py | 2 + .../actions/uploadMalwareSample/action.py | 32 + .../actions/uploadMalwareSample/schema.py | 115 + .../connection/__init__.py | 2 +- .../connection/schema.py | 18 +- .../tasks/__init__.py | 2 + .../triggers/__init__.py | 3 +- .../util/api.py | 48 +- .../util/endpoints.py | 1 + .../plugin.spec.yaml | 115 +- .../requirements.txt | 3 +- .../crowdstrike_falcon_intelligence/setup.py | 4 +- .../expected/upload_malware_sample.json.exp | 4 + .../inputs/upload_malware_sample.json.inp | 9 + .../responses/upload_malware_sample.json.resp | 13 + .../unit_test/test_check_analysis_status.py | 20 +- .../unit_test/test_download_artifact.py | 20 +- .../unit_test/test_get_full_report.py | 20 +- .../unit_test/test_get_reports_ids.py | 20 +- .../unit_test/test_get_short_report.py | 20 +- 
.../unit_test/test_get_submissions_ids.py | 20 +- .../unit_test/test_helpers.py | 4 +- .../unit_test/test_submit_analysis.py | 26 +- .../unit_test/test_upload_malware_sample.py | 53 + .../unit_test/util.py | 39 +- 44 files changed, 1850 insertions(+), 3245 deletions(-) mode change 100755 => 100644 plugins/crowdstrike_falcon_intelligence/help.md create mode 100644 plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/uploadMalwareSample/__init__.py create mode 100644 plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/uploadMalwareSample/action.py create mode 100644 plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/uploadMalwareSample/schema.py create mode 100644 plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/tasks/__init__.py create mode 100644 plugins/crowdstrike_falcon_intelligence/unit_test/expected/upload_malware_sample.json.exp create mode 100644 plugins/crowdstrike_falcon_intelligence/unit_test/inputs/upload_malware_sample.json.inp create mode 100644 plugins/crowdstrike_falcon_intelligence/unit_test/responses/upload_malware_sample.json.resp create mode 100644 plugins/crowdstrike_falcon_intelligence/unit_test/test_upload_malware_sample.py diff --git a/plugins/crowdstrike_falcon_intelligence/.CHECKSUM b/plugins/crowdstrike_falcon_intelligence/.CHECKSUM index 865471ca2b..e07c42b0b3 100644 --- a/plugins/crowdstrike_falcon_intelligence/.CHECKSUM +++ b/plugins/crowdstrike_falcon_intelligence/.CHECKSUM 
@@ -1,39 +1,43 @@ { - "spec": "7c7b6f205e09b0c7f5deb31fe0f99610", - "manifest": "afec6aa4a72f7d5adfcaa33e693e49d4", - "setup": "5b4346fa75c78350298f5de8407d989b", + "spec": "bca05caa222aec0f714b712f496460c2", + "manifest": "afdb962b3049ec3c26e64bd74f3845f0", + "setup": "97a6c06a57546bbc57a253436e4ca559", "schemas": [ { "identifier": "checkAnalysisStatus/schema.py", - "hash": "b33491d2d597f6e98afc65a472df3cef" + "hash": "12fd58e742d161c70cc8ec7cda83757a" }, { "identifier": "downloadArtifact/schema.py", - "hash": "2ca7c6d488baaf4f6e20bf3f96dc694c" + "hash": "5ea60d06ef05140eaf3a1f01fd445e63" }, { "identifier": "getFullReport/schema.py", - "hash": "6e729794f718416ff53344586ef9cc78" + "hash": "035f4efe2488b60ac649df07bfac8313" }, { "identifier": "getReportsIDs/schema.py", - "hash": "2edc81eb0a7546bb0b9b14d0b985c5a5" + "hash": "b5636243ce257e3cb52f51f31d57868f" }, { "identifier": "getShortReport/schema.py", - "hash": "2f85634b911c8eabbdbcf6204f0a25c0" + "hash": "8fcd82d864a2a039734a5bc2336fb323" }, { "identifier": "getSubmissionsIDs/schema.py", - "hash": "b53506b55ad8003fd347bf0bc95ef19e" + "hash": "bcd8d0c7824a9f85c70f8cec4237614f" }, { "identifier": "submitAnalysis/schema.py", - "hash": "115798e956c58449ba2eef7a288ec95f" + "hash": "405eb43871561756ca0bdbd41af48058" + }, + { + "identifier": "uploadMalwareSample/schema.py", + "hash": "dff311370f3503cc5b4d506ec0a4e8f3" }, { "identifier": "connection/schema.py", - "hash": "137057253a8e6ce38707b2ad62d4a4b0" + "hash": "39ebbb9d8b8ba4c668ea6b6986841962" } ] } \ No newline at end of file diff --git a/plugins/crowdstrike_falcon_intelligence/Dockerfile b/plugins/crowdstrike_falcon_intelligence/Dockerfile index 4d3070dab5..f67a83b62c 100755 --- a/plugins/crowdstrike_falcon_intelligence/Dockerfile +++ b/plugins/crowdstrike_falcon_intelligence/Dockerfile 
@@ -1,26 +1,20 @@ -FROM rapid7/insightconnect-python-3-38-plugin:4 -# Refer to the following documentation for available SDK parent images: https://komand.github.io/python/sdk.html#version +FROM --platform=linux/amd64 rapid7/insightconnect-python-3-slim-plugin:6.1.4 LABEL organization=rapid7 LABEL sdk=python -# Add any custom package dependencies here -# NOTE: Add pip packages to requirements.txt - -# End package dependencies - -# Add source code WORKDIR /python/src + ADD ./plugin.spec.yaml /plugin.spec.yaml -ADD . /python/src +ADD ./requirements.txt /python/src/requirements.txt -# Install pip dependencies RUN if [ -f requirements.txt ]; then pip install -r requirements.txt; fi -# Install plugin +ADD . /python/src + RUN python setup.py build && python setup.py install # User to run plugin code. The two supported users are: root, nobody USER nobody -ENTRYPOINT ["/usr/local/bin/icon_crowdstrike_falcon_intelligence"] \ No newline at end of file +ENTRYPOINT ["/usr/local/bin/icon_crowdstrike_falcon_intelligence"] diff --git a/plugins/crowdstrike_falcon_intelligence/bin/icon_crowdstrike_falcon_intelligence b/plugins/crowdstrike_falcon_intelligence/bin/icon_crowdstrike_falcon_intelligence index f8b170aa47..def01ba645 100755 --- a/plugins/crowdstrike_falcon_intelligence/bin/icon_crowdstrike_falcon_intelligence +++ b/plugins/crowdstrike_falcon_intelligence/bin/icon_crowdstrike_falcon_intelligence @@ -1,12 +1,12 @@ #!/usr/bin/env python -# GENERATED BY KOMAND SDK - DO NOT EDIT +# GENERATED BY INSIGHT-PLUGIN - DO NOT EDIT import os import json from sys import argv Name = "CrowdStrike Falcon Intelligence" Vendor = "rapid7" -Version = "1.0.0" +Version = "1.1.0" Description = "CrowdStrike Falcon Intelligence is used to automatically investigate incidents and accelerate alert triage and response. Built into the Falcon Platform, it is operational in seconds" 
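Review bot: The new base image at the top of the hunk, `FROM --platform=linux/amd64 rapid7/insightconnect-python-3-slim-plugin:6.1.4`, is pinned only by a mutable tag, so a re-push of that tag silently changes what this plugin is built from; pinning by digest, `FROM --platform=linux/amd64 rapid7/insightconnect-python-3-slim-plugin:6.1.4@sha256:<DIGEST_PLACEHOLDER>`, keeps the build reproducible and auditable. The three `ADD` instructions in the new layout should be `COPY`: `ADD` additionally fetches remote URLs and auto-extracts local archives, and nothing in this Dockerfile relies on either behaviour. The final `ADD . /python/src` also copies the whole build context (the unit tests, `.CHECKSUM` and the other files in the diffstat) into the runtime image; whether a `.dockerignore` trims that is not visible from this hunk.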
@@ -23,7 +23,7 @@ def main(): monkey.patch_all() import insightconnect_plugin_runtime - from icon_crowdstrike_falcon_intelligence import connection, actions, triggers + from icon_crowdstrike_falcon_intelligence import connection, actions, triggers, tasks class ICONCrowdstrikeFalconIntelligence(insightconnect_plugin_runtime.Plugin): def __init__(self): @@ -34,20 +34,22 @@ def main(): description=Description, connection=connection.Connection() ) - self.add_action(actions.CheckAnalysisStatus()) - self.add_action(actions.DownloadArtifact()) - + + self.add_action(actions.GetShortReport()) + self.add_action(actions.GetFullReport()) - + + self.add_action(actions.CheckAnalysisStatus()) + + self.add_action(actions.SubmitAnalysis()) + self.add_action(actions.GetReportsIDs()) - - self.add_action(actions.GetShortReport()) - + self.add_action(actions.GetSubmissionsIDs()) - - self.add_action(actions.SubmitAnalysis()) - + + self.add_action(actions.UploadMalwareSample()) + """Run plugin""" cli = insightconnect_plugin_runtime.CLI(ICONCrowdstrikeFalconIntelligence()) diff --git a/plugins/crowdstrike_falcon_intelligence/help.md b/plugins/crowdstrike_falcon_intelligence/help.md old mode 100755 new mode 100644 index 8885cc49b8..534f02d808 --- a/plugins/crowdstrike_falcon_intelligence/help.md +++ b/plugins/crowdstrike_falcon_intelligence/help.md @@ -1,6 +1,6 @@ # Description -CrowdStrike Falcon Intelligence is used to automatically investigate incidents and accelerate alert triage and response. Built into the Falcon Platform, it is operational in seconds. +CrowdStrike Falcon Intelligence is used to automatically investigate incidents and accelerate alert triage and response. Built into the Falcon Platform, it is operational in seconds # Key Features 
@@ -12,7 +12,6 @@ CrowdStrike Falcon Intelligence is used to automatically investigate incidents a # Requirements -The following information are required for using this plugin: * URL of your Crowdstrike Platform instance * Client ID * Client Secret @@ -25,13 +24,13 @@ The following information are required for using this plugin: ## Setup -The connection configuration accepts the following parameters: +The connection configuration accepts the following parameters: -|Name|Type|Default|Required|Description|Enum|Example| -|----|----|-------|--------|-----------|----|-------| -|baseUrl|string|https://example.com|True|The Base URL provided in the API Clients and Keys settings|None|https://example.com| -|clientId|string|None|True|CrowdStrike Client ID|None|eXaMpl3Cli3ntID| -|clientSecret|credential_secret_key|None|True|CrowdStrike Secret Key|None|eXaMpl3S3cr3tK3Y| +|Name|Type|Default|Required|Description|Enum|Example|Placeholder|Tooltip| +| :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | +|baseUrl|string|https://api.crowdstrike.com|True|The Base URL provided in the API Clients and Keys settings|None|https://api.crowdstrike.com|None|None| +|clientId|string|None|True|CrowdStrike Client ID|None|eXaMpl3Cli3ntID|None|None| +|clientSecret|credential_secret_key|None|True|CrowdStrike Secret Key|None|eXaMpl3S3cr3tK3Y|None|None| Example input: 
@@ -47,95 +46,18 @@ Example input: ### Actions -#### Get Submissions IDs - -This action is used to find submissions IDs for uploaded files by providing an FQL filter and paging details. Returns a set of submission IDs that match your criteria. - -##### Input - -|Name|Type|Default|Required|Description|Enum|Example| -|----|----|-------|--------|-----------|----|-------| -|filter|string|None|False|Filter and sort criteria in the form of an FQL query. For more information about FQL queries, see https://falcon.crowdstrike.com/documentation/45/falcon-query-language-fql|None|state: 'running'| -|limit|integer|None|False|Maximum number of report IDs to return - less or equal to 5000|None|324| -|offset|integer|None|False|The offset to start retrieving reports from|None|5| - -Example input: - -``` -{ - "filter": "state: 'running'", - "limit": 324, - "offset": 5 -} -``` - -##### Output - -|Name|Type|Required|Description|Example| -|----|----|--------|-----------|-----| -|submissionIds|[]string|True|List of submission IDs|["9382986b58cb4b44935e7eba071142f3_92c8b7525e2b4888bd9e2jj7391c7104"]| - -Example output: - -``` -{ - "submissionIds": [ - "9382986b58cb4b44935c2eba079842f3_0a54f7a33701461299899f294c2eb53d", - "9382986b58cb4b44935c2eba079842f3_a17b8037186f4c8a9129d88b9d40fc9d", - "9382986b58cb4b44935c2eba079842f3_11f08e0a490d4bc9912a7375af4664bc", - ] -} -``` - -#### Get Reports IDs - -This action is used to find sandbox reports by providing an FQL filter and paging details. Returns a set of report IDs that match your criteria. - -##### Input - -|Name|Type|Default|Required|Description|Enum|Example| -|----|----|-------|--------|-----------|----|-------| -|filter|string|None|False|Filter and sort criteria in the form of an FQL query. 
For more information about FQL queries, see https://falcon.crowdstrike.com/documentation/45/falcon-query-language-fql|None|verdict: 'no verdict'| -|limit|integer|None|False|Maximum number of report IDs to return - less or equal to 5000|None|324| -|offset|integer|None|False|The offset to start retrieving reports from|None|5| - -Example input: - -``` -{ - "filter": "verdict: 'no verdict'", - "limit": 324, - "offset": 5 -} -``` - -##### Output - -|Name|Type|Required|Description|Example| -|----|----|--------|-----------|-----| -|reportIds|[]string|True|List of report IDs|["9382986b58cb4b44935e7eba071142f3_92c8b7525e2b4888bd9e2jj7391c7104"]| - -Example output: - -``` -{ - "reportIds": [ - "9de5069c5afe602b2ea0a04b612eb2c0_9de5069c5afe602b2bb0a04b66beb2c0", - "9de5069c5afe602b2ea0a04b612eb2c0_9de5069c5afe602b2bb0a04b66beb2c0", - ] -} -``` #### Check Analysis Status -This action is used to check the status of a sandbox analysis. Time required for analysis varies but is usually less than 15 minutes. +This action is used to check the status of a sandbox analysis. Time required for analysis varies but is usually less +than 15 minutes ##### Input -|Name|Type|Default|Required|Description|Enum|Example| -|----|----|-------|--------|-----------|----|-------| -|ids|[]string|None|True|List of submitted malware samples ids. Find a submission ID from the response when submitting a malware sample or search with `Get Submissions IDs` action|None|Md29sKvzxiddHJ0k3qnC8iDyhfZ3UZrFqOSSdKn3NhLrQR4eCsvQvOesmuXX5pra| - +|Name|Type|Default|Required|Description|Enum|Example|Placeholder|Tooltip| +| :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | +|ids|[]string|None|True|List of submitted malware samples ids. Find a submission ID from the response when submitting a malware sample or search with `Get Submissions IDs` action|None|Md29sKvzxiddHJ0k3qnC8iDyhfZ3UZrFqOSSdKn3NhLrQR4eCsvQvOesmuXX5pra|None|None| + Example input: ``` 
@@ -147,47 +69,47 @@ Example input: ##### Output |Name|Type|Required|Description|Example| -|----|----|--------|-----------|-----| -|submissions|[]submission|True|List of submissions|[]| - +| :--- | :--- | :--- | :--- | :--- | +|submissions|[]submission|True|List of submissions|[{"id":"9382986b58cb4b44935e7eba079842f3_7c6d4bf5ab0c4459b855aaa345f4bcf9","cid":"9382986b58cb4b44935e7eba079842f3","userId":"3e7da174cb6944e8a4cd8a5a59a76727","userName":"user@example.com","userUuid":"a149764d-21ee-42af-ac9f-023f5d23ab81","origin":"uiproxy","state":"error","createdTimestamp":"2022-08-30T09:25:35Z","sandbox":[{"sha256":"275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f","environmentId":300,"submitName":"action.py"}]},{"id":"9382986b58cb4b44935e7eba079842f3_63aca0772bf342648b2a8779c7bfcadd","cid":"9382986b58cb4b44935e7eba079842f3","userId":"3e7da174cb6944e8a4cd8a5a59a76727","userName":"user@example.com","userUuid":"a149764d-21ee-42af-ac9f-023f5d23ab81","origin":"uiproxy","state":"error","createdTimestamp":"2022-08-30T09:21:00Z","sandbox":[{"sha256":"275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f","environmentId":100,"submitName":"Archive.zip"}]}]| + Example output: ``` { "submissions": [ { - "id": "9382986b58cb4b44935e7eba079842f3_7c6d4bf5ab0c4459b855aaa345f4bcf9", "cid": "9382986b58cb4b44935e7eba079842f3", - "userId": "3e7da174cb6944e8a4cd8a5a59a76727", - "userName": "user@example.com", - "userUuid": "a149764d-21ee-42af-ac9f-023f5d23ab81", - "origin": "uiproxy", - "state": "error", "createdTimestamp": "2022-08-30T09:25:35Z", + "id": "9382986b58cb4b44935e7eba079842f3_7c6d4bf5ab0c4459b855aaa345f4bcf9", + "origin": "uiproxy", "sandbox": [ { - "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f", "environmentId": 300, + "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f", "submitName": "action.py" } - ] + ], + "state": "error", + "userId": "3e7da174cb6944e8a4cd8a5a59a76727", + "userName": 
"user@example.com", + "userUuid": "a149764d-21ee-42af-ac9f-023f5d23ab81" }, { - "id": "9382986b58cb4b44935e7eba079842f3_63aca0772bf342648b2a8779c7bfcadd", "cid": "9382986b58cb4b44935e7eba079842f3", - "userId": "3e7da174cb6944e8a4cd8a5a59a76727", - "userName": "user@example.com", - "userUuid": "a149764d-21ee-42af-ac9f-023f5d23ab81", - "origin": "uiproxy", - "state": "error", "createdTimestamp": "2022-08-30T09:21:00Z", + "id": "9382986b58cb4b44935e7eba079842f3_63aca0772bf342648b2a8779c7bfcadd", + "origin": "uiproxy", "sandbox": [ { - "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f", "environmentId": 100, + "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f", "submitName": "Archive.zip" } - ] + ], + "state": "error", + "userId": "3e7da174cb6944e8a4cd8a5a59a76727", + "userName": "user@example.com", + "userUuid": "a149764d-21ee-42af-ac9f-023f5d23ab81" } ] } @@ -195,14 +117,14 @@ Example output: #### Download Artifact -This action is used to download IOC packs, PCAP files, memory dumps, and other analysis artifacts. Find an artifact ID with `Get Full Report` action +This action is used to download IOC packs, PCAP files, memory dumps, and other analysis artifacts ##### Input -|Name|Type|Default|Required|Description|Enum|Example| -|----|----|-------|--------|-----------|----|-------| -|id|string|None|True|ID of an JSON artifact, such as an IOC pack, PCAP file, memory dump, or actor image. Find an artifact ID with `Get Full Report` action|None|Md29sKvzxiddHJ0k3qnC8iDyhfZ3UZrFqOSSdKn3NhLrQR4eCsvQvOesmuXX5pra| - +|Name|Type|Default|Required|Description|Enum|Example|Placeholder|Tooltip| +| :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | +|id|string|None|True|ID of an JSON artifact, such as an IOC pack, PCAP file, memory dump, or actor image. Find an artifact ID with `Get Full Report` action|None|Md29sKvzxiddHJ0k3qnC8iDyhfZ3UZrFqOSSdKn3NhLrQR4eCsvQvOesmuXX5pra|None|None| + Example input: ``` 
@@ -214,9 +136,9 @@ Example input: ##### Output |Name|Type|Required|Description|Example| -|----|----|--------|-----------|-----| -|artifacts|[]artifact|True|List of artifacts|[]| - +| :--- | :--- | :--- | :--- | :--- | +|artifacts|[]artifact|True|List of artifacts|[{"ioc":"44d88612fea8a8f36de82e1278abb02f","source":"extracted","type":"md5"},{"ioc":"44d88612fea8a8f36de82e1278abb02f","source":"extracted","type":"md5"},{"ioc":"44d88612fea8a8f36de82e1278abb02f","source":"extracted","type":"md5"},{"ioc":"44d88612fea8a8f36de82e1278abb02f","source":"extracted","type":"md5"},{"ioc":"3395856ce81f2b7382dee72602f798b642f14140","source":"extracted","type":"sha1"},{"ioc":"3395856ce81f2b7382dee72602f798b642f14140","source":"extracted","type":"sha1"},{"ioc":"3395856ce81f2b7382dee72602f798b642f14140","source":"extracted","type":"sha1"},{"ioc":"3395856ce81f2b7382dee72602f798b642f14140","source":"extracted","type":"sha1"},{"ioc":"275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f","source":"extracted","type":"sha256"},{"ioc":"275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f","source":"extracted","type":"sha256"},{"ioc":"275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f","source":"extracted","type":"sha256"},{"ioc":"275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f","source":"extracted","type":"sha256"},{"ioc":"275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f","source":"input","type":"sha256"},{"ioc":"275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f","source":"runtime","type":"sha256"},{"ioc":"275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f","source":"runtime","type":"sha256"}]| + Example output: ``` 
@@ -303,14 +225,14 @@ Example output: #### Get Full Report -This action is used to get a full sandbox report. +This action is used to get a full sandbox report ##### Input -|Name|Type|Default|Required|Description|Enum|Example| -|----|----|-------|--------|-----------|----|-------| -|ids|[]string|None|True|List of summary IDs. Find a summary ID from the response when submitting a malware sample or search with `Get Reports IDs` action|None|["9de5069c5afe602b2ea0a11b66beb2c0_9aa5069c5afe602b2ea0a04b66beb2c0"]| - +|Name|Type|Default|Required|Description|Enum|Example|Placeholder|Tooltip| +| :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | +|ids|[]string|None|True|List of summary IDs. Find a summary ID from the response when submitting a malware sample or search with `Get Reports IDs` action|None|["9de5069c5afe602b2ea0a11b66beb2c0_9aa5069c5afe602b2ea0a04b66beb2c0"]|None|None| + Example input: ``` 
@@ -324,51 +246,68 @@ Example input: ##### Output |Name|Type|Required|Description|Example| -|----|----|--------|-----------|-----| -|reports|[]report|True|List of sandbox reports|[]| - +| :--- | :--- | :--- | :--- | :--- | +|reports|[]report|True|List of sandbox reports|["9de5069c5afe602b2ea0a11b66beb2c0_9aa5069c5afe602b2ea0a04b66beb2c0"]| + Example output: ``` { "reports": [ - { - "id": "9de5069c5afe602b2ea0a11b66beb2c0_9aa5069c5afe602b2ea0a04b66beb2c0", - "cid": "9de5069c5afe602b2ea0a11b66beb2c0", - "created_timestamp": "2022-11-30T14:09:35Z", - "origin": "apigateway", - "verdict": "whitelisted", - "sandbox": [ - { - "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f", - "environment_id": 100, - "environment_description": "Windows 7 32 bit", - "file_type": "data", - "file_type_short": [ - "data" - ], - "submit_name": "Test Analysis", - "submission_type": "file", - "error_message": "File \"Test Analysis\" was detected as \"raw data\", this format is not supported on WINDOWS", - "error_type": "FILE_TYPE_BAD_ERROR", - "error_origin": "CLIENT" - } - ] - } + "9de5069c5afe602b2ea0a11b66beb2c0_9aa5069c5afe602b2ea0a04b66beb2c0" ] } ``` -#### Get Short Report +#### Get Reports IDs -This action is used to get a short summary version of a sandbox report. +This action is used to find sandbox reports by providing an FQL filter and paging details. Returns a set of report IDs +that match your criteria ##### Input -|Name|Type|Default|Required|Description|Enum|Example| -|----|----|-------|--------|-----------|----|-------| -|ids|[]string|None|True|List of summary IDs. 
Find a summary ID from the response when submitting a malware sample or search with `Get Reports IDs` action|None|["9382986b58cb4bb4935e7eba079842f3_d1ce821d74484545897f2fd5db40d0a7"]| +|Name|Type|Default|Required|Description|Enum|Example|Placeholder|Tooltip| +| :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | +|filter|string|None|False|Filter and sort criteria in the form of an FQL query. For more information about FQL queries, see https://falcon.crowdstrike.com/documentation/45/falcon-query-language-fql|None|verdict: 'no verdict'|None|None| +|limit|integer|None|False|Maximum number of report IDs to return - less or equal to 5000|None|324|None|None| +|offset|integer|None|False|The offset to start retrieving reports from|None|5|None|None| + +Example input: + +``` +{ + "filter": "verdict: 'no verdict'", + "limit": 324, + "offset": 5 +} +``` + +##### Output + +|Name|Type|Required|Description|Example| +| :--- | :--- | :--- | :--- | :--- | +|reportIds|[]string|True|List of report IDs|["9382986b58cb4b44935e7eba071142f3_92c8b7525e2b4888bd9e2jj7391c7104"]| + +Example output: + +``` +{ + "reportIds": [ + "9382986b58cb4b44935e7eba071142f3_92c8b7525e2b4888bd9e2jj7391c7104" + ] +} +``` + +#### Get Short Report + +This action is used to get a short summary version of a sandbox report +##### Input + +|Name|Type|Default|Required|Description|Enum|Example|Placeholder|Tooltip| +| :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | +|ids|[]string|None|True|List of summary IDs. Find a summary ID from the response when submitting a malware sample or search with `Get Reports IDs` action|None|["9382986b58cb4bb4935e7eba079842f3_d1ce821d74484545897f2fd5db40d0a7"]|None|None| + Example input: ``` 
@@ -382,9 +321,9 @@ Example input: ##### Output |Name|Type|Required|Description|Example| -|----|----|--------|-----------|-----| -|reports|[]reportShort|True|List of short sandbox reports|[]| - +| :--- | :--- | :--- | :--- | :--- | +|reports|[]reportShort|True|List of short sandbox reports|[{"cid":"9382986b58cb4bb4935e7eba079842f3","createdTimestamp":"2022-09-28T07:45:34Z","id":"9382986b58cb4bb4935e7eba079842f3_d1ce821d74484545897f2fd5db40d0a7","origin":"uiproxy","sandbox":[{"environmentDescription":"Windows 7 32 bit","environmentId":100,"errorMessage":"The file \"Dockerfile\" has the file format \"text\", which is not supported","errorOrigin":"CLIENT","errorType":"FILE_TYPE_BAD_ERROR","fileType":"ASCII text","sha256":"275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f","submissionType":"file","submitName":"Dockerfile"}],"userId":"9de5069c5afe602b2ea0a04b66beb2c0","userName":"https://example.com","verdict":"no verdict"}]| + Example output: ``` 
@@ -416,24 +355,64 @@ Example output: } ``` -#### Submit Analysis +#### Get Submissions IDs -This action is used to submit an uploaded file or a URL for sandbox analysis. Time required for analysis varies but is usually less than 15 minutes. +This action is used to find submissions IDs for uploaded files by providing an FQL filter and paging details. Returns a + set of submission IDs that match your criteria ##### Input -|Name|Type|Default|Required|Description|Enum|Example| -|----|----|-------|--------|-----------|----|-------| -|actionScript|string|None|False|Runtime script for sandbox analysis|['default', 'default_maxantievasion', 'default_randomfiles', 'default_randomtheme', 'default_openie', '']|default_openie| -|commandLine|string|None|False|Command line script passed to the submitted file at runtime. Max length is 2048 characters|None|/example /command| -|documentPassword|password|None|False|Auto-filled for Adobe or Office files that prompt for a password. Max length is 32 characters|None|3xamp13Pa55w0rd| -|environmentId|integer|None|True|Specifies the sandbox environment used for analysis. Example values 300 - Linux Ubuntu 16.04, 64-bit; 200 - Android (static analysis); 160 - Windows 10, 64-bit; 110 - Windows 7, 64-bit; 100 - Windows 7, 32-bit|[100, 110, 160, 200, 300]|110| -|networkSettings|string|None|False|Specifies the sandbox network_settings used for analysis|['default', 'tor', 'simulated', 'offline', '']|tor| -|submitName|string|None|False|Name of the malware sample that's used for file type detection and analysis|None|my_sample| -|sha256|string|None|False|ID of the sample, which is a SHA256 hash value. Find a sample ID from the response when uploading a malware sample or search with `Get Submissions IDs` action. The `url` parameter must be unset if `sha256` is used|None|275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f| -|url|string|None|False|A web page or file URL. It can be HTTP(S) or FTP. 
The `SHA256` parameter must be unset if `url` is used|None|https://www.example.com/images/default/sample.pdf| -|systemDateTime|date|None|False|System date and time|None|2022-11-01 00:00:00+02:00| +|Name|Type|Default|Required|Description|Enum|Example|Placeholder|Tooltip| +| :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | +|filter|string|None|False|Filter and sort criteria in the form of an FQL query. For more information about FQL queries, see https://falcon.crowdstrike.com/documentation/45/falcon-query-language-fql|None|state: 'running'|None|None| +|limit|integer|None|False|Maximum number of report IDs to return - less or equal to 5000|None|324|None|None| +|offset|integer|None|False|The offset to start retrieving reports from|None|5|None|None| + +Example input: +``` +{ + "filter": "state: 'running'", + "limit": 324, + "offset": 5 +} +``` + +##### Output + +|Name|Type|Required|Description|Example| +| :--- | :--- | :--- | :--- | :--- | +|submissionIds|[]string|True|List of submission IDs|["9382986b58cb4b44935e7eba071142f3_92c8b7525e2b4888bd9e2jj7391c7104"]| + +Example output: + +``` +{ + "submissionIds": [ + "9382986b58cb4b44935e7eba071142f3_92c8b7525e2b4888bd9e2jj7391c7104" + ] +} +``` + +#### Submit Analysis + +This action is used to submit an uploaded file or a URL for sandbox analysis. Time required for analysis varies but is +usually less than 15 minutes + +##### Input + +|Name|Type|Default|Required|Description|Enum|Example|Placeholder|Tooltip| +| :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | +|actionScript|string|None|False|Runtime script for sandbox analysis|["", "default", "default_maxantievasion", "default_randomfiles", "default_randomtheme", "default_openie"]|default_openie|None|None| +|commandLine|string|None|False|Command line script passed to the submitted file at runtime. 
Max length is 2048 characters|None|/example /command|None|None| +|documentPassword|password|None|False|Auto-filled for Adobe or Office files that prompt for a password. Max length is 32 characters|None|3xamp13Pa55w0rd|None|None| +|environmentId|integer|None|True|Specifies the sandbox environment used for analysis. Example values 300 - Linux Ubuntu 16.04, 64-bit; 200 - Android (static analysis); 160 - Windows 10, 64-bit; 110 - Windows 7, 64-bit; 100 - Windows 7, 32-bit|[100, 110, 160, 200, 300]|110|None|None| +|networkSettings|string|None|False|Specifies the sandbox network_settings used for analysis|["", "default", "tor", "simulated", "offline"]|tor|None|None| +|sha256|string|None|False|ID of the sample, which is a SHA256 hash value. Find a sample ID from the response when uploading a malware sample or search with `Get Submissions IDs` action. The `url` parameter must be unset if `sha256` is used|None|275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f|None|None| +|submitName|string|None|False|Name of the malware sample that's used for file type detection and analysis|None|my_sample|None|None| +|systemDateTime|date|None|False|System date and time|None|2022-11-01 00:00:00+02:00|None|None| +|url|string|None|False|A web page or file URL. It can be HTTP(S) or FTP. The `SHA256` parameter must be unset if `url` is used|None|https://www.example.com/images/default/sample.pdf|None|None| + Example input: ``` @@ -445,7 +424,7 @@ Example input: "networkSettings": "tor", "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f", "submitName": "my_sample", - "systemDateTime": "2022-11-01T00:00:00+02:00", + "systemDateTime": "2022-11-01 00:00:00+02:00", "url": "https://www.example.com/images/default/sample.pdf" } ``` 
@@ -453,9 +432,9 @@ Example input: ##### Output |Name|Type|Required|Description|Example| -|----|----|--------|-----------|-----| -|submission|submission|True|Submission|{}| - +| :--- | :--- | :--- | :--- | :--- | +|submission|submission|True|Submission|{"cid":"9de5069c5mne602b2ea0a04b66beb2c0","createdTimestamp":"2022-11-22T06:10:42Z","id":"9de5069c5mne602b2ea0a04b66beb2c0_8de5069c5afe602b2ea0a04b66beb2c0","origin":"apigateway","sandbox":[{"actionScript":"default_openie","environmentId":110,"networkSettings":"tor","sha256":"275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f","submitName":"my_sample","systemDate":"2022-12-22","systemTime":"17:33"}],"state":"created"}| + Example output: ``` 
@@ -481,227 +460,269 @@ Example output: } ``` -### Triggers +#### Upload Malware Samples -_This plugin does not contain any triggers._ - -### Custom Output Types - -#### artifact - -|Name|Type|Required|Description| -|----|----|--------|-----------| -|IOC|string|False|IOC| -|Source|string|False|Source| -|Type|string|False|Type| - -#### extractedFiles - -|Name|Type|Required|Description| -|----|----|--------|-----------| -|Description|string|False|Description| -|File Path|string|False|File path| -|File Size|integer|False|File size| -|MD5|string|False|MD5| -|Runtime Process|string|False|Runtime process| -|SHA1|string|False|SHA1| -|SHA256|string|False|SHA256| -|Threat Level Readable|string|False|Threat level readable| -|Type Tags|[]string|False|Type tags| - -#### extractedInterestingStrings - -|Name|Type|Required|Description| -|----|----|--------|-----------| -|Process|string|False|Process| -|Source|string|False|Source| -|Type|string|False|Type| -|Value|string|False|Value| - -#### fileAccess - -|Name|Type|Required|Description| -|----|----|--------|-----------| -|Mask|string|False|Mask| -|Path|string|False|Path| -|Type|string|False|Type| - -#### handle - -|Name|Type|Required|Description| -|----|----|--------|-----------| -|ID|integer|False|ID| -|Path|string|False|Path| -|Type|string|False|Type| - -#### malquery - -|Name|Type|Required|Description| -|----|----|--------|-----------| -|Input|string|False|Input| -|Type|string|False|Type| -|Verdict|string|False|Verdict| - -#### process - -|Name|Type|Required|Description| -|----|----|--------|-----------| -|Command Line|string|False|Command line| -|File Accesses|[]fileAccess|False|File accesses| -|Handles|[]handle|False|Handles| -|Icon Artifact ID|string|False|Icon artifact ID| -|Mutants|[]string|False|Mutants| -|Normalized Path|string|False|Normalized path| -|PID|integer|False|PID| -|Registry|[]registry|False|Registry| -|SHA256|string|False|SHA256| -|UID|string|False|UID| - -#### registry - -|Name|Type|Required|Description| 
-|----|----|--------|-----------| -|Key|string|False|Key| -|Operation|string|False|Operation| -|Path|string|False|Path| -|Status|string|False|Status| -|Status Human Readable|string|False|Status human readable| - -#### report - -|Name|Type|Required|Description| -|----|----|--------|-----------| -|CID|string|False|CID of the report| -|Created Timestamp|date|False|Time when the report was created| -|ID|string|False|ID of the report| -|IOC Report Broad CSV Artifact ID|string|False|IOC report broad CSV artifact ID| -|IOC Report Broad JSON Artifact ID|string|False|IOC report broad JSON artifact ID| -|IOC Report Broad Maec Artifact ID|string|False|IOC report broad maec artifact ID| -|IOC Report Broad STIX Artifact ID|string|False|IOC report broad STIX artifact ID| -|IOC Report Strict CSV Artifact ID|string|False|IOC report strict CSV artifact ID| -|IOC Report Strict JSON Artifact ID|string|False|IOC report strict JSON artifact ID| -|IOC Report Strict Maec Artifact ID|string|False|IOC report strict maec artifact ID| -|IOC Report Strict STIX Artifact ID|string|False|IOC report strict STIX artifact ID| -|Malquery|[]malquery|False|Malquery| -|Origin|string|False|Origin| -|Sandbox|[]sandbox|False|Sandbox details| -|User ID|string|False|ID of the user| -|User Name|string|False|Name of the user| -|User UUID|string|False|UUID of the user| -|Verdict|string|False|Verdict of the report| - -#### reportShort - -|Name|Type|Required|Description| -|----|----|--------|-----------| -|CID|string|False|CID of the report| -|Created Timestamp|date|False|Time when the report was created| -|ID|string|False|ID of the report| -|IOC Report Broad CSV Artifact ID|string|False|IOC report broad CSV artifact ID| -|IOC Report Broad JSON Artifact ID|string|False|IOC report broad JSON artifact ID| -|IOC Report Broad Maec Artifact ID|string|False|IOC report broad maec artifact ID| -|IOC Report Broad STIX Artifact ID|string|False|IOC report broad STIX artifact ID| -|IOC Report Strict CSV Artifact 
ID|string|False|IOC report strict CSV artifact ID| -|IOC Report Strict JSON Artifact ID|string|False|IOC report strict JSON artifact ID| -|IOC Report Strict Maec Artifact ID|string|False|IOC report strict maec artifact ID| -|IOC Report Strict STIX Artifact ID|string|False|IOC report strict STIX artifact ID| -|Origin|string|False|Origin| -|Sandbox|[]sandboxShort|False|Sandbox details| -|User ID|string|False|ID of the user| -|User Name|string|False|Name of the user| -|Verdict|string|False|Verdict of the report| - -#### sandbox - -|Name|Type|Required|Description| -|----|----|--------|-----------| -|Architecture|string|False|Architecture| -|Environment Description|string|False|Environment description| -|Environment ID|integer|False|Environment ID| -|Error Message|string|False|Error message| -|Error Origin|string|False|Error origin| -|Error Type|string|False|Error type| -|Extracted Files|[]extractedFiles|False|Extracted files| -|Extracted Interesting Strings|[]extractedInterestingStrings|False|Extracted interesting strings| -|File Size|integer|False|File size| -|File Type|string|False|File type| -|File Type Short|[]string|False|File type short| -|Memory Dumps Artifact ID|string|False|Memory dumps artifact ID| -|Memory Strings Artifact ID|string|False|Memory strings artifact ID| -|Network Settings|string|False|Network settings| -|PCAP Report Artifact ID|string|False|PCAP report artifact ID| -|Processes|[]process|False|Processes| -|Sample Flags|[]string|False|Sample flags| -|Screenshots Artifact IDs|[]string|False|Screenshots artifact IDs| -|SHA256|string|False|SHA256| -|Signatures|[]signature|False|Signatures| -|Submission Type|string|False|Submission type| -|Submit Name|string|False|Submit name| -|Submit URL|string|False|Submit URL| -|Verdict|string|False|Verdict| -|Windows Version Bitness|integer|False|Windows version bitness| -|Windows Version Edition|string|False|Windows version edition| -|Windows Version Name|string|False|Windows version name| -|Windows Version 
Service Pack|string|False|Windows version service pack| -|Windows Version Version|string|False|Windows version version| - -#### sandboxShort - -|Name|Type|Required|Description| -|----|----|--------|-----------| -|Action Script|string|False|Action script| -|Document Password|string|False|Document password| -|Environment Description|string|False|Environment description| -|Environment ID|integer|False|Environment ID| -|Error Message|string|False|Error message| -|Error Origin|string|False|Error origin| -|Error Type|string|False|Error type| -|File Type|string|False|File type| -|Network Settings|string|False|Network settings| -|Sample Flags|[]string|False|Sample flags| -|SHA256|string|False|SHA256| -|Submission Type|string|False|Submission type| -|Submit Name|string|False|Submit name| -|Submit URL|string|False|Submit URL| -|System Date|string|False|System date| -|System Time|string|False|System time| -|URL|string|False|URL| -|Verdict|string|False|Verdict| - -#### signature - -|Name|Type|Required|Description| -|----|----|--------|-----------| -|Category|string|False|Category| -|Description|string|False|Description| -|Identifier|string|False|Identifier| -|Origin|string|False|Origin| -|Relevance|integer|False|Relevance| -|Threat Level Human|string|False|Threat level human| -|Type|integer|False|Type| - -#### submission - -|Name|Type|Required|Description| -|----|----|--------|-----------| -|Cid|string|False|Cid| -|Created Timestamp|string|False|Created timestamp| -|ID|string|False|ID| -|Origin|string|False|Origin| -|Sandbox|[]sandboxShort|False|Sandbox| -|State|string|False|State| -|User ID|string|False|User ID| -|User Name|string|False|User name| -|User Tags|[]string|False|User Tags| -|User UUID|string|False|User UUID| +This action is used to upload malware sample +##### Input -## Troubleshooting +|Name|Type|Default|Required|Description|Enum|Example|Placeholder|Tooltip| +| :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | +|comment|string|None|True|A descriptive 
comment to identify the file for other users|None|ExampleComment|None|None| +|filename|string|None|True|The name of file to be used to override the default filename|None|ExampleFilename.exe|None|None| +|isConfidential|boolean|True|False|Defines visibility of this file in Falcon MalQuery, either via the API or the Falcon console. `True` means that file is only shown to users within your customer account. `False` means that file can be seen by other CrowdStrike customers|None|True|None|None| +|sample|file|None|True|The samples of file to be sent for analysis (max file size is 256 MB)|None|UmFwaWQ3IEluc2lnaHRDb25uZWN0Cg==|None|None| + +Example input: + +``` +{ + "comment": "ExampleComment", + "filename": "ExampleFilename.exe", + "isConfidential": true, + "sample": "UmFwaWQ3IEluc2lnaHRDb25uZWN0Cg==" +} +``` + +##### Output + +|Name|Type|Required|Description|Example| +| :--- | :--- | :--- | :--- | :--- | +|fileName|string|True|The name of uploaded malware sample file|ExampleMalwareSampleFile.exe| +|sha256|string|True|The ID of the sample, which is a SHA256 hash value|275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f| + +Example output: -_This plugin does not contain any troubleshooting information._ +``` +{ + "fileName": "ExampleMalwareSampleFile.exe", + "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f" +} +``` +### Triggers + +*This plugin does not contain any triggers.* +### Tasks + +*This plugin does not contain any tasks.* + +### Custom Types + +**extractedInterestingStrings** + +|Name|Type|Default|Required|Description|Example| +| :--- | :--- | :--- | :--- | :--- | :--- | +|Process|string|None|False|Process|AcroRd32.exe| +|Source|string|None|False|Source|Runtime Data| +|Type|string|None|False|Type|Ansi| +|Value|string|None|False|Value|%GUID:"Computer"%| + +**extractedFiles** + +|Name|Type|Default|Required|Description|Example| +| :--- | :--- | :--- | :--- | :--- | :--- | +|Description|string|None|False|Description|data| 
+|File Path|string|None|False|File path|%APPDATA%\Adobe\Acrobat\DC\Security\CRLCache\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl| +|File Size|integer|None|False|File size|637| +|MD5|string|None|False|MD5|44d88612fea8a8f36de82e1278abb02f| +|Runtime Process|string|None|False|Runtime process|AcroRd32.exe (PID: 2464)| +|SHA1|string|None|False|SHA1|3395856ce81f2b7382dee72602f798b642f14140| +|SHA256|string|None|False|SHA256|275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f| +|Threat Level Readable|string|None|False|Threat level readable|no specific threat| +|Type Tags|[]string|None|False|Type tags|["data"]| + +**fileAccess** + +|Name|Type|Default|Required|Description|Example| +| :--- | :--- | :--- | :--- | :--- | :--- | +|Mask|string|None|False|Mask|FILE_READ_DATA| +|Path|string|None|False|Path|\DEVICE\NETBT_TCPIP_{E29AC6C2-7037-11DE-816D-806E6F6E6963}| +|Type|string|None|False|Type|CREATE| + +**handle** + +|Name|Type|Default|Required|Description|Example| +| :--- | :--- | :--- | :--- | :--- | :--- | +|ID|integer|None|False|ID|1| +|Path|string|None|False|Path|HKCU\Software\Adobe\CommonFiles\Usage\Reader DC| +|Type|string|None|False|Type|KeyHandle| + +**registry** + +|Name|Type|Default|Required|Description|Example| +| :--- | :--- | :--- | :--- | :--- | :--- | +|Key|string|None|False|Key|DEBUGPROCESSHEAPONLY| +|Operation|string|None|False|Operation|Query| +|Path|string|None|False|Path|HKLM/SOFTWARE/MICROSOFT/WINDOWS NT/CURRENTVERSION/IMAGE FILE EXECUTION OPTIONS/ACRORD32.EXE/DEBUGPROCESSHEAPONLY| +|Status|string|None|False|Status|c0000034| +|Status Human Readable|string|None|False|Status human readable|STATUS_OBJECT_NAME_NOT_FOUND| + +**process** + +|Name|Type|Default|Required|Description|Example| +| :--- | :--- | :--- | :--- | :--- | :--- | +|Command Line|string|None|False|Command line|C:/test.pdf| +|File Accesses|[]fileAccess|None|False|File accesses|[]| +|Handles|[]handle|None|False|Handles|[]| +|Icon Artifact ID|string|None|False|Icon artifact 
ID|fb3d245e52890c452df97787e773961f60a1d0a2449a3cac6b259df43adda88a| +|Mutants|[]string|None|False|Mutants|["/Sessions/1/BaseNamedObjects/Local/Acrobat Instance Mutex", "/Session/s1/BaseNamedObjects/DBWinMutex", "DBWinMutex", "Local/Acrobat Instance Mutex"]| +|Normalized Path|string|None|False|Normalized path|%PROGRAMFILES%/Adobe/Acrobat Reader DC/Reader/AcroRd32.exe/| +|PID|integer|None|False|PID|2464| +|Registry|[]registry|None|False|Registry|[]| +|SHA256|string|None|False|SHA256|275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f| +|UID|string|None|False|UID|00000000-00002464| + +**signature** + +|Name|Type|Default|Required|Description|Example| +| :--- | :--- | :--- | :--- | :--- | :--- | +|Category|string|None|False|Category|General| +|Description|string|None|False|Description|Spawned process "RdrCEF.exe" with commandline "--backgroundcolor=16448250"(UID: 00000000-00003660)\n Spawned process "RdrCEF.exe" with commandline "--type=renderer --primordial-pipe-token=9C6380B3089134F0668BD8E2 ..." 
(UID: 00000000-00003632)\n Spawned process "RdrCEF.exe" with commandline "--type=renderer\--primordial-pipe-token=2A1B0CA713F65BDBBEF8417F ..."| +|Identifier|string|None|False|Identifier|target-25| +|Origin|string|None|False|Origin|Monitored Target| +|Relevance|integer|None|False|Relevance|3| +|Threat Level Human|string|None|False|Threat level human|informative| +|Type|integer|None|False|Type|9| + +**sandbox** + +|Name|Type|Default|Required|Description|Example| +| :--- | :--- | :--- | :--- | :--- | :--- | +|Architecture|string|None|False|Architecture|WINDOWS| +|Environment Description|string|None|False|Environment description|Windows 7 32 bit| +|Environment ID|integer|None|False|Environment ID|100| +|Error Message|string|None|False|Error message|The file "Dockerfile" has the file format "text", which is not supported| +|Error Origin|string|None|False|Error origin|CLIENT| +|Error Type|string|None|False|Error type|FILE_TYPE_BAD_ERROR| +|Extracted Files|[]extractedFiles|None|False|Extracted files|[]| +|Extracted Interesting Strings|[]extractedInterestingStrings|None|False|Extracted interesting strings|[]| +|File Size|integer|None|False|File size|15007| +|File Type|string|None|False|File type|PDF document, version 1.5| +|File Type Short|[]string|None|False|File type short|["pdf"]| +|Memory Dumps Artifact ID|string|None|False|Memory dumps artifact ID|774fb1bb4d52bd1de58385abbef347ed0a557bbaef1f2330520da1e5d96ad26b| +|Memory Strings Artifact ID|string|None|False|Memory strings artifact ID|b588943e02558755f0c4c84adc5b42ff6642f216313c78b70ff02231ff129f9e| +|Network Settings|string|None|False|Network settings|default| +|PCAP Report Artifact ID|string|None|False|PCAP report artifact ID|31481ec4027e67cf7acf76d56ccebbbf133bb7b36dea1c750c1699f53abe6403| +|Processes|[]process|None|False|Processes|[]| +|Sample Flags|[]string|None|False|Sample flags|["Extracted Files"]| +|Screenshots Artifact IDs|[]string|None|False|Screenshots artifact 
IDs|["22782c460dc9e2662ae9c5420142c1ecdf84c122745ab0b61780f1685a2e8751","d7e025e31e87ddffb56f6203f5e69acc639c423ce9128068186071d1b94bcae3"]| +|SHA256|string|None|False|SHA256|275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f| +|Signatures|[]signature|None|False|Signatures|[]| +|Submission Type|string|None|False|Submission type|file| +|Submit Name|string|None|False|Submit name|test.pdf| +|Submit URL|string|None|False|Submit URL|https://example.com/test.pdf| +|Verdict|string|None|False|Verdict|no specific threat| +|Windows Version Bitness|integer|None|False|Windows version bitness|32| +|Windows Version Edition|string|None|False|Windows version edition|Professional| +|Windows Version Name|string|None|False|Windows version name|Windows 7| +|Windows Version Service Pack|string|None|False|Windows version service pack|Service Pack 1| +|Windows Version Version|string|None|False|Windows version version|6.1 (build 7601)| + +**sandboxShort** + +|Name|Type|Default|Required|Description|Example| +| :--- | :--- | :--- | :--- | :--- | :--- | +|Action Script|string|None|False|Action script|default_randomfiles| +|Environment Description|string|None|False|Environment description|Windows 7 32 bit| +|Environment ID|integer|None|False|Environment ID|100| +|Error Message|string|None|False|Error message|The file "Dockerfile" has the file format "text", which is not supported| +|Error Origin|string|None|False|Error origin|CLIENT| +|Error Type|string|None|False|Error type|FILE_TYPE_BAD_ERROR| +|File Type|string|None|False|File type|PDF document, version 1.5| +|Network Settings|string|None|False|Network settings|default| +|Sample Flags|[]string|None|False|Sample flags|["Extracted Files"]| +|SHA256|string|None|False|SHA256|275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f| +|Submission Type|string|None|False|Submission type|file| +|Submit Name|string|None|False|Submit name|test.pdf| +|Submit URL|string|None|False|Submit URL|https://example.com/test.pdf| +|System 
Date|string|None|False|System date|2022-09-22 00:00:00| +|System Time|string|None|False|System time|!!python/object/apply:datetime.time !!binary | DDcAAAAA| +|URL|string|None|False|URL|https://example.com/test.pdf| +|Verdict|string|None|False|Verdict|no specific threat| + +**submission** + +|Name|Type|Default|Required|Description|Example| +| :--- | :--- | :--- | :--- | :--- | :--- | +|Cid|string|None|False|Cid|9382986b58cb4b44935e7eba079842f3| +|Created Timestamp|string|None|False|Created timestamp|2022-08-30T10:09:18Z| +|ID|string|None|False|ID|9382986b58cb4b44935e7eba079842f3_a345bda609ba46d3a6df3dcf38e30145| +|Origin|string|None|False|Origin|uiproxy| +|Sandbox|[]sandboxShort|None|False|Sandbox|[]| +|State|string|None|False|State|success| +|User ID|string|None|False|User ID|6f888e357b5043c6906c51b204c4091b| +|User Name|string|None|False|User name|user@example.com| +|User Tags|[]string|None|False|User tags|["my_tag"]| +|User UUID|string|None|False|User UUID|a149764d-21ee-42af-ac9f-023f5d23ab81| + +**artifact** + +|Name|Type|Default|Required|Description|Example| +| :--- | :--- | :--- | :--- | :--- | :--- | +|IOC|string|None|False|IOC|974e8536b8767ac5be204f35d16f73e8| +|Source|string|None|False|Source|extracted| +|Type|string|None|False|Type|md5| + +**malquery** + +|Name|Type|Default|Required|Description|Example| +| :--- | :--- | :--- | :--- | :--- | :--- | +|Input|string|None|False|Input|53d23839e0f75e7772d1c4ea9e7384f5468ba911c7a6ff16c83e077aa53959d7| +|Type|string|None|False|Type|sha256| +|Verdict|string|None|False|Verdict|unknown| + +**reportShort** + +|Name|Type|Default|Required|Description|Example| +| :--- | :--- | :--- | :--- | :--- | :--- | +|CID|string|None|False|CID of the report|9382986b58cb4b44447ereba079842f3| +|Created Timestamp|date|None|False|Time when the report was created|2022-08-30T10:08:49Z| +|ID|string|None|False|ID of the report|9382986b58cb4b44447ereba079842f3_4c95cb1fc7314509a5b9012352e9c4ff| +|IOC Report Broad CSV Artifact 
ID|string|None|False|IOC report broad CSV artifact ID|1248b73905ba1b8ef5fdca2d3604e41a331bhy43659ccfc714467153c706d00| +|IOC Report Broad JSON Artifact ID|string|None|False|IOC report broad JSON artifact ID|1248b73905ba1b8ef5fdca2d3604e41a331bhy43659ccfc714467153c706d00| +|IOC Report Broad Maec Artifact ID|string|None|False|IOC report broad maec artifact ID|1248b73905ba1b8ef5fdca2d3604e41a331bhy43659ccfc714467153c706d00| +|IOC Report Broad STIX Artifact ID|string|None|False|IOC report broad STIX artifact ID|1248b73905ba1b8ef5fdca2d3604e41a331bhy43659ccfc714467153c706d00| +|IOC Report Strict CSV Artifact ID|string|None|False|IOC report strict CSV artifact ID|1248b73905ba1b8ef5fdca2d3604e41a331bhy43659ccfc714467153c706d00| +|IOC Report Strict JSON Artifact ID|string|None|False|IOC report strict JSON artifact ID|1248b73905ba1b8ef5fdca2d3604e41a331bhy43659ccfc714467153c706d00| +|IOC Report Strict Maec Artifact ID|string|None|False|IOC report strict maec artifact ID|1248b73905ba1b8ef5fdca2d3604e41a331bhy43659ccfc714467153c706d00| +|IOC Report Strict STIX Artifact ID|string|None|False|IOC report strict STIX artifact ID|1248b73905ba1b8ef5fdca2d3604e41a331bhy43659ccfc714467153c706d00| +|Origin|string|None|False|Origin|uiproxy| +|Sandbox|[]sandboxShort|None|False|Sandbox details|[]| +|User ID|string|None|False|ID of the user|6f998e327b5043c6906c51b204p4091b| +|User Name|string|None|False|Name of the user|user@example.com| +|Verdict|string|None|False|Verdict of the report|no specific threat| + +**report** + +|Name|Type|Default|Required|Description|Example| +| :--- | :--- | :--- | :--- | :--- | :--- | +|CID|string|None|False|CID of the report|9382986b58cb4b44447ereba079842f3| +|Created Timestamp|date|None|False|Time when the report was created|2022-08-30T10:08:49Z| +|ID|string|None|False|ID of the report|9382986b58cb4b44447ereba079842f3_4c95cb1fc7314509a5b9012352e9c4ff| +|IOC Report Broad CSV Artifact ID|string|None|False|IOC report broad CSV artifact 
ID|1248b73905ba1b8ef5fdca2d3604e41a331bhy43659ccfc714467153c706d00| +|IOC Report Broad JSON Artifact ID|string|None|False|IOC report broad JSON artifact ID|1248b73905ba1b8ef5fdca2d3604e41a331bhy43659ccfc714467153c706d00| +|IOC Report Broad Maec Artifact ID|string|None|False|IOC report broad maec artifact ID|1248b73905ba1b8ef5fdca2d3604e41a331bhy43659ccfc714467153c706d00| +|IOC Report Broad STIX Artifact ID|string|None|False|IOC report broad STIX artifact ID|1248b73905ba1b8ef5fdca2d3604e41a331bhy43659ccfc714467153c706d00| +|IOC Report Strict CSV Artifact ID|string|None|False|IOC report strict CSV artifact ID|1248b73905ba1b8ef5fdca2d3604e41a331bhy43659ccfc714467153c706d00| +|IOC Report Strict JSON Artifact ID|string|None|False|IOC report strict JSON artifact ID|1248b73905ba1b8ef5fdca2d3604e41a331bhy43659ccfc714467153c706d00| +|IOC Report Strict Maec Artifact ID|string|None|False|IOC report strict maec artifact ID|1248b73905ba1b8ef5fdca2d3604e41a331bhy43659ccfc714467153c706d00| +|IOC Report Strict STIX Artifact ID|string|None|False|IOC report strict STIX artifact ID|1248b73905ba1b8ef5fdca2d3604e41a331bhy43659ccfc714467153c706d00| +|Malquery|[]malquery|None|False|Malquery|[]| +|Origin|string|None|False|Origin|uiproxy| +|Sandbox|[]sandbox|None|False|Sandbox details|[]| +|User ID|string|None|False|ID of the user|6f998e327b5043c6906c51b204p4091b| +|User Name|string|None|False|Name of the user|user@example.com| +|User UUID|string|None|False|UUID of the user|a149114d-21ee-42af-ac9f-04kf5d23ab81| +|Verdict|string|None|False|Verdict of the report|no specific threat| + + +## Troubleshooting + +*This plugin does not contain a troubleshooting.* # Version History +* 1.1.0 - New action added: `Upload Malware Sample` | Updated SDK to the latest version * 1.0.0 - Initial plugin | Check Analysis Status, Download Artifact, Get Full Report, Get Reports IDs, Get Short Report, Get Submissions IDs, Submit Analysis # Links 
@@ -710,5 +731,4 @@ _This plugin does not contain any troubleshooting information._ ## References -* [CrowdStrike Falcon Intelligence](https://www.crowdstrike.com/products/threat-intelligence/falcon-intelligence-automated-intelligence/) - +* [CrowdStrike Falcon Intelligence](https://www.crowdstrike.com/products/threat-intelligence/falcon-intelligence-automated-intelligence/) \ No newline at end of file diff --git a/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/__init__.py b/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/__init__.py index 2e28314da4..b32aa941fb 100755 --- a/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/__init__.py +++ b/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/__init__.py @@ -1,8 +1,18 @@ -# GENERATED BY KOMAND SDK - DO NOT EDIT -from .checkAnalysisStatus.action import CheckAnalysisStatus +# GENERATED BY INSIGHT-PLUGIN - DO NOT EDIT + from .downloadArtifact.action import DownloadArtifact + +from .getShortReport.action import GetShortReport + from .getFullReport.action import GetFullReport + +from .checkAnalysisStatus.action import CheckAnalysisStatus + +from .submitAnalysis.action import SubmitAnalysis + from .getReportsIDs.action import GetReportsIDs -from .getShortReport.action import GetShortReport + from .getSubmissionsIDs.action import GetSubmissionsIDs -from .submitAnalysis.action import SubmitAnalysis + +from .uploadMalwareSample.action import UploadMalwareSample + diff --git a/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/checkAnalysisStatus/__init__.py b/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/checkAnalysisStatus/__init__.py index a48615f8d3..93d58c4d94 100755 --- a/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/checkAnalysisStatus/__init__.py 
+++ b/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/checkAnalysisStatus/__init__.py @@ -1,2 +1,2 @@ -# GENERATED BY KOMAND SDK - DO NOT EDIT +# GENERATED BY INSIGHT-PLUGIN - DO NOT EDIT from .action import CheckAnalysisStatus diff --git a/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/checkAnalysisStatus/schema.py b/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/checkAnalysisStatus/schema.py index f2e8ef5820..b3a31eac98 100755 --- a/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/checkAnalysisStatus/schema.py +++ b/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/checkAnalysisStatus/schema.py @@ -1,4 +1,4 @@ -# GENERATED BY KOMAND SDK - DO NOT EDIT +# GENERATED BY INSIGHT-PLUGIN - DO NOT EDIT import insightconnect_plugin_runtime import json @@ -9,14 +9,14 @@ class Component: class Input: IDS = "ids" - + class Output: SUBMISSIONS = "submissions" - + class CheckAnalysisStatusInput(insightconnect_plugin_runtime.Input): - schema = json.loads(""" + schema = json.loads(r""" { "type": "object", "title": "Variables", @@ -33,7 +33,8 @@ class CheckAnalysisStatusInput(insightconnect_plugin_runtime.Input): }, "required": [ "ids" - ] + ], + "definitions": {} } """) @@ -42,7 +43,7 @@ def __init__(self): class CheckAnalysisStatusOutput(insightconnect_plugin_runtime.Output): - schema = json.loads(""" + schema = json.loads(r""" { "type": "object", "title": "Variables", 
@@ -61,91 +62,106 @@ class CheckAnalysisStatusOutput(insightconnect_plugin_runtime.Output): "submissions" ], "definitions": { - "sandboxShort": { + "submission": { "type": "object", - "title": "sandboxShort", + "title": "submission", "properties": { - "actionScript": { + "id": { "type": "string", - "title": "Action Script", - "description": "Action script", - "order": 4 + "title": "ID", + "description": "ID", + "order": 1 }, - "environmentDescription": { + "cid": { "type": "string", - "title": "Environment Description", - "description": "Environment description", - "order": 9 - }, - "environmentId": { - "type": "integer", - "title": "Environment ID", - "description": "Environment ID", - "order": 8 + "title": "Cid", + "description": "Cid", + "order": 2 }, - "errorMessage": { + "userId": { "type": "string", - "title": "Error Message", - "description": "Error message", - "order": 15 + "title": "User ID", + "description": "User ID", + "order": 3 }, - "errorOrigin": { + "userName": { "type": "string", - "title": "Error Origin", - "description": "Error origin", - "order": 17 + "title": "User Name", + "description": "User name", + "order": 4 }, - "errorType": { + "userUuid": { "type": "string", - "title": "Error Type", - "description": "Error type", - "order": 16 + "title": "User UUID", + "description": "User UUID", + "order": 5 }, - "fileType": { + "origin": { "type": "string", - "title": "File Type", - "description": "File type", - "order": 10 + "title": "Origin", + "description": "Origin", + "order": 6 }, - "networkSettings": { + "state": { "type": "string", - "title": "Network Settings", - "description": "Network settings", + "title": "State", + "description": "State", "order": 7 }, - "sampleFlags": { + "createdTimestamp": { + "type": "string", + "title": "Created Timestamp", + "description": "Created timestamp", + "order": 8 + }, + "sandbox": { "type": "array", - "title": "Sample Flags", - "description": "Sample flags", + "title": "Sandbox", + "description": 
"Sandbox", "items": { - "type": "string" + "$ref": "#/definitions/sandboxShort" }, - "order": 14 + "order": 9 }, + "userTags": { + "type": "array", + "title": "User Tags", + "description": "User tags", + "items": { + "type": "string" + }, + "order": 10 + } + } + }, + "sandboxShort": { + "type": "object", + "title": "sandboxShort", + "properties": { "sha256": { "type": "string", "title": "SHA256", "description": "SHA256", "order": 1 }, - "submissionType": { - "type": "string", - "title": "Submission Type", - "description": "Submission type", - "order": 12 - }, - "submitName": { - "type": "string", - "title": "Submit Name", - "description": "Submit name", - "order": 11 - }, "submitUrl": { "type": "string", "title": "Submit URL", "description": "Submit URL", "order": 2 }, + "url": { + "type": "string", + "title": "URL", + "description": "URL", + "order": 3 + }, + "actionScript": { + "type": "string", + "title": "Action Script", + "description": "Action script", + "order": 4 + }, "systemDate": { "type": "string", "title": "System Date", 
@@ -158,202 +174,74 @@ class CheckAnalysisStatusOutput(insightconnect_plugin_runtime.Output): "description": "System time", "order": 6 }, - "url": { - "type": "string", - "title": "URL", - "description": "URL", - "order": 3 - }, - "verdict": { - "type": "string", - "title": "Verdict", - "description": "Verdict", - "order": 13 - } - } - }, - "submission": { - "type": "object", - "title": "submission", - "properties": { - "cid": { + "networkSettings": { "type": "string", - "title": "Cid", - "description": "Cid", - "order": 2 + "title": "Network Settings", + "description": "Network settings", + "order": 7 }, - "createdTimestamp": { - "type": "string", - "title": "Created Timestamp", - "description": "Created timestamp", + "environmentId": { + "type": "integer", + "title": "Environment ID", + "description": "Environment ID", "order": 8 }, - "id": { + "environmentDescription": { "type": "string", - "title": "ID", - "description": "ID", - "order": 1 + "title": "Environment Description", + "description": "Environment description", + "order": 9 }, - "origin": { + "fileType": { "type": "string", - "title": "Origin", - "description": "Origin", - "order": 6 - }, - "sandbox": { - "type": "array", - "title": "Sandbox", - "description": "Sandbox", - "items": { - "$ref": "#/definitions/sandboxShort" - }, - "order": 9 + "title": "File Type", + "description": "File type", + "order": 10 }, - "state": { + "submitName": { "type": "string", - "title": "State", - "description": "State", - "order": 7 + "title": "Submit Name", + "description": "Submit name", + "order": 11 }, - "userId": { + "submissionType": { "type": "string", - "title": "User ID", - "description": "User ID", - "order": 3 + "title": "Submission Type", + "description": "Submission type", + "order": 12 }, - "userName": { + "verdict": { "type": "string", - "title": "User Name", - "description": "User name", - "order": 4 + "title": "Verdict", + "description": "Verdict", + "order": 13 }, - "userTags": { + "sampleFlags": { 
"type": "array", - "title": "User Tags", - "description": "User tags", + "title": "Sample Flags", + "description": "Sample flags", "items": { "type": "string" }, - "order": 10 + "order": 14 }, - "userUuid": { + "errorMessage": { "type": "string", - "title": "User UUID", - "description": "User UUID", - "order": 5 - } - }, - "definitions": { - "sandboxShort": { - "type": "object", - "title": "sandboxShort", - "properties": { - "actionScript": { - "type": "string", - "title": "Action Script", - "description": "Action script", - "order": 4 - }, - "environmentDescription": { - "type": "string", - "title": "Environment Description", - "description": "Environment description", - "order": 9 - }, - "environmentId": { - "type": "integer", - "title": "Environment ID", - "description": "Environment ID", - "order": 8 - }, - "errorMessage": { - "type": "string", - "title": "Error Message", - "description": "Error message", - "order": 15 - }, - "errorOrigin": { - "type": "string", - "title": "Error Origin", - "description": "Error origin", - "order": 17 - }, - "errorType": { - "type": "string", - "title": "Error Type", - "description": "Error type", - "order": 16 - }, - "fileType": { - "type": "string", - "title": "File Type", - "description": "File type", - "order": 10 - }, - "networkSettings": { - "type": "string", - "title": "Network Settings", - "description": "Network settings", - "order": 7 - }, - "sampleFlags": { - "type": "array", - "title": "Sample Flags", - "description": "Sample flags", - "items": { - "type": "string" - }, - "order": 14 - }, - "sha256": { - "type": "string", - "title": "SHA256", - "description": "SHA256", - "order": 1 - }, - "submissionType": { - "type": "string", - "title": "Submission Type", - "description": "Submission type", - "order": 12 - }, - "submitName": { - "type": "string", - "title": "Submit Name", - "description": "Submit name", - "order": 11 - }, - "submitUrl": { - "type": "string", - "title": "Submit URL", - "description": "Submit URL", 
- "order": 2 - }, - "systemDate": { - "type": "string", - "title": "System Date", - "description": "System date", - "order": 5 - }, - "systemTime": { - "type": "string", - "title": "System Time", - "description": "System time", - "order": 6 - }, - "url": { - "type": "string", - "title": "URL", - "description": "URL", - "order": 3 - }, - "verdict": { - "type": "string", - "title": "Verdict", - "description": "Verdict", - "order": 13 - } - } + "title": "Error Message", + "description": "Error message", + "order": 15 + }, + "errorType": { + "type": "string", + "title": "Error Type", + "description": "Error type", + "order": 16 + }, + "errorOrigin": { + "type": "string", + "title": "Error Origin", + "description": "Error origin", + "order": 17 } } } diff --git a/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/downloadArtifact/__init__.py b/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/downloadArtifact/__init__.py index 071e8e944a..8c65393683 100755 --- a/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/downloadArtifact/__init__.py +++ b/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/downloadArtifact/__init__.py @@ -1,2 +1,2 @@ -# GENERATED BY KOMAND SDK - DO NOT EDIT +# GENERATED BY INSIGHT-PLUGIN - DO NOT EDIT from .action import DownloadArtifact diff --git a/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/downloadArtifact/schema.py b/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/downloadArtifact/schema.py index 015a2a2a3c..178b0eb61f 100755 --- a/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/downloadArtifact/schema.py +++ b/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/downloadArtifact/schema.py 
@@ -1,4 +1,4 @@ -# GENERATED BY KOMAND SDK - DO NOT EDIT +# GENERATED BY INSIGHT-PLUGIN - DO NOT EDIT import insightconnect_plugin_runtime import json @@ -9,14 +9,14 @@ class Component: class Input: ID = "id" - + class Output: ARTIFACTS = "artifacts" - + class DownloadArtifactInput(insightconnect_plugin_runtime.Input): - schema = json.loads(""" + schema = json.loads(r""" { "type": "object", "title": "Variables", @@ -30,7 +30,8 @@ class DownloadArtifactInput(insightconnect_plugin_runtime.Input): }, "required": [ "id" - ] + ], + "definitions": {} } """) @@ -39,7 +40,7 @@ def __init__(self): class DownloadArtifactOutput(insightconnect_plugin_runtime.Output): - schema = json.loads(""" + schema = json.loads(r""" { "type": "object", "title": "Variables", @@ -62,11 +63,11 @@ class DownloadArtifactOutput(insightconnect_plugin_runtime.Output): "type": "object", "title": "artifact", "properties": { - "ioc": { + "type": { "type": "string", - "title": "IOC", - "description": "IOC", - "order": 3 + "title": "Type", + "description": "Type", + "order": 1 }, "source": { "type": "string", @@ -74,11 +75,11 @@ class DownloadArtifactOutput(insightconnect_plugin_runtime.Output): "description": "Source", "order": 2 }, - "type": { + "ioc": { "type": "string", - "title": "Type", - "description": "Type", - "order": 1 + "title": "IOC", + "description": "IOC", + "order": 3 } } } diff --git a/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/getFullReport/__init__.py b/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/getFullReport/__init__.py index 520a2cb44f..15a8033510 100755 --- a/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/getFullReport/__init__.py +++ b/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/getFullReport/__init__.py 
@@ -1,2 +1,2 @@ -# GENERATED BY KOMAND SDK - DO NOT EDIT +# GENERATED BY INSIGHT-PLUGIN - DO NOT EDIT from .action import GetFullReport diff --git a/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/getFullReport/schema.py b/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/getFullReport/schema.py index cb4db51b29..1be04ba431 100755 --- a/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/getFullReport/schema.py +++ b/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/getFullReport/schema.py @@ -1,4 +1,4 @@ -# GENERATED BY KOMAND SDK - DO NOT EDIT +# GENERATED BY INSIGHT-PLUGIN - DO NOT EDIT import insightconnect_plugin_runtime import json @@ -9,14 +9,14 @@ class Component: class Input: IDS = "ids" - + class Output: REPORTS = "reports" - + class GetFullReportInput(insightconnect_plugin_runtime.Input): - schema = json.loads(""" + schema = json.loads(r""" { "type": "object", "title": "Variables", @@ -33,7 +33,8 @@ class GetFullReportInput(insightconnect_plugin_runtime.Input): }, "required": [ "ids" - ] + ], + "definitions": {} } """) @@ -42,7 +43,7 @@ def __init__(self): class GetFullReportOutput(insightconnect_plugin_runtime.Output): - schema = json.loads(""" + schema = json.loads(r""" { "type": "object", "title": "Variables", 
@@ -61,2137 +62,653 @@ class GetFullReportOutput(insightconnect_plugin_runtime.Output): "reports" ], "definitions": { - "extractedFiles": { + "report": { "type": "object", - "title": "extractedFiles", + "title": "report", "properties": { - "description": { - "type": "string", - "title": "Description", - "description": "Description", - "order": 9 - }, - "filePath": { + "id": { "type": "string", - "title": "File Path", - "description": "File path", + "title": "ID", + "description": "ID of the report", "order": 1 }, - "fileSize": { - "type": "integer", - "title": "File Size", - "description": "File size", + "cid": { + "type": "string", + "title": "CID", + "description": "CID of the report", "order": 2 }, - "md5": { + "createdTimestamp": { "type": "string", - "title": "MD5", - "description": "MD5", - "order": 4 + "format": "date-time", + "displayType": "date", + "title": "Created Timestamp", + "description": "Time when the report was created", + "order": 3 }, - "runtimeProcess": { + "origin": { "type": "string", - "title": "Runtime Process", - "description": "Runtime process", - "order": 6 + "title": "Origin", + "description": "Origin", + "order": 4 }, - "sha1": { + "userId": { "type": "string", - "title": "SHA1", - "description": "SHA1", + "title": "User ID", + "description": "ID of the user", "order": 5 }, - "sha256": { + "userName": { "type": "string", - "title": "SHA256", - "description": "SHA256", - "order": 3 + "title": "User Name", + "description": "Name of the user", + "order": 6 }, - "threatLevelReadable": { + "userUuid": { "type": "string", - "title": "Threat Level Readable", - "description": "Threat level readable", - "order": 8 - }, - "typeTags": { - "type": "array", - "title": "Type Tags", - "description": "Type tags", - "items": { - "type": "string" - }, + "title": "User UUID", + "description": "UUID of the user", "order": 7 - } - } - }, - "extractedInterestingStrings": { - "type": "object", - "title": "extractedInterestingStrings", - "properties": { - 
"process": { + }, + "verdict": { "type": "string", - "title": "Process", - "description": "Process", - "order": 4 + "title": "Verdict", + "description": "Verdict of the report", + "order": 8 }, - "source": { + "iocReportStrictCsvArtifactId": { "type": "string", - "title": "Source", - "description": "Source", - "order": 3 + "title": "IOC Report Strict CSV Artifact ID", + "description": "IOC report strict CSV artifact ID", + "order": 9 }, - "type": { + "iocReportBroadCsvArtifactId": { "type": "string", - "title": "Type", - "description": "Type", - "order": 2 + "title": "IOC Report Broad CSV Artifact ID", + "description": "IOC report broad CSV artifact ID", + "order": 10 }, - "value": { + "iocReportStrictJsonArtifactId": { "type": "string", - "title": "Value", - "description": "Value", - "order": 1 - } - } - }, - "fileAccess": { - "type": "object", - "title": "fileAccess", - "properties": { - "mask": { + "title": "IOC Report Strict JSON Artifact ID", + "description": "IOC report strict JSON artifact ID", + "order": 11 + }, + "iocReportBroadJsonArtifactId": { "type": "string", - "title": "Mask", - "description": "Mask", - "order": 3 + "title": "IOC Report Broad JSON Artifact ID", + "description": "IOC report broad JSON artifact ID", + "order": 12 }, - "path": { + "iocReportStrictStixArtifactId": { "type": "string", - "title": "Path", - "description": "Path", - "order": 2 + "title": "IOC Report Strict STIX Artifact ID", + "description": "IOC report strict STIX artifact ID", + "order": 13 }, - "type": { + "iocReportBroadStixArtifactId": { "type": "string", - "title": "Type", - "description": "Type", - "order": 1 - } - } - }, - "handle": { - "type": "object", - "title": "handle", - "properties": { - "id": { - "type": "integer", - "title": "ID", - "description": "ID", - "order": 1 + "title": "IOC Report Broad STIX Artifact ID", + "description": "IOC report broad STIX artifact ID", + "order": 14 }, - "path": { + "iocReportStrictMaecArtifactId": { "type": "string", - 
"title": "Path", - "description": "Path", - "order": 3 + "title": "IOC Report Strict Maec Artifact ID", + "description": "IOC report strict maec artifact ID", + "order": 15 }, - "type": { + "iocReportBroadMaecArtifactId": { "type": "string", - "title": "Type", - "description": "Type", - "order": 2 + "title": "IOC Report Broad Maec Artifact ID", + "description": "IOC report broad maec artifact ID", + "order": 16 + }, + "sandbox": { + "type": "array", + "title": "Sandbox", + "description": "Sandbox details", + "items": { + "$ref": "#/definitions/sandbox" + }, + "order": 17 + }, + "malquery": { + "type": "array", + "title": "Malquery", + "description": "Malquery", + "items": { + "$ref": "#/definitions/malquery" + }, + "order": 18 } } }, - "malquery": { + "sandbox": { "type": "object", - "title": "malquery", + "title": "sandbox", "properties": { - "input": { + "sha256": { "type": "string", - "title": "Input", - "description": "Input", + "title": "SHA256", + "description": "SHA256", + "order": 1 + }, + "environmentId": { + "type": "integer", + "title": "Environment ID", + "description": "Environment ID", "order": 2 }, - "type": { + "environmentDescription": { "type": "string", - "title": "Type", - "description": "Type", + "title": "Environment Description", + "description": "Environment description", "order": 3 }, - "verdict": { - "type": "string", - "title": "Verdict", - "description": "Verdict", - "order": 1 - } - } - }, - "process": { - "type": "object", - "title": "process", - "properties": { - "commandLine": { + "fileSize": { + "type": "integer", + "title": "File Size", + "description": "File size", + "order": 4 + }, + "fileType": { "type": "string", - "title": "Command Line", - "description": "Command line", - "order": 3 + "title": "File Type", + "description": "File type", + "order": 5 }, - "fileAccesses": { + "fileTypeShort": { "type": "array", - "title": "File Accesses", - "description": "File accesses", + "title": "File Type Short", + "description": "File type 
short", "items": { - "$ref": "#/definitions/fileAccess" + "type": "string" }, - "order": 10 + "order": 6 }, - "handles": { - "type": "array", - "title": "Handles", - "description": "Handles", - "items": { - "$ref": "#/definitions/handle" - }, + "submitName": { + "type": "string", + "title": "Submit Name", + "description": "Submit name", + "order": 7 + }, + "submitUrl": { + "type": "string", + "title": "Submit URL", + "description": "Submit URL", + "order": 8 + }, + "submissionType": { + "type": "string", + "title": "Submission Type", + "description": "Submission type", "order": 9 }, - "iconArtifactId": { + "verdict": { "type": "string", - "title": "Icon Artifact ID", - "description": "Icon artifact ID", - "order": 6 + "title": "Verdict", + "description": "Verdict", + "order": 10 }, - "mutants": { + "windowsVersionName": { + "type": "string", + "title": "Windows Version Name", + "description": "Windows version name", + "order": 11 + }, + "windowsVersionEdition": { + "type": "string", + "title": "Windows Version Edition", + "description": "Windows version edition", + "order": 12 + }, + "windowsVersionServicePack": { + "type": "string", + "title": "Windows Version Service Pack", + "description": "Windows version service pack", + "order": 13 + }, + "windowsVersionVersion": { + "type": "string", + "title": "Windows Version Version", + "description": "Windows version version", + "order": 14 + }, + "windowsVersionBitness": { + "type": "integer", + "title": "Windows Version Bitness", + "description": "Windows version bitness", + "order": 15 + }, + "extractedFiles": { "type": "array", - "title": "Mutants", - "description": "Mutants", + "title": "Extracted Files", + "description": "Extracted files", + "items": { + "$ref": "#/definitions/extractedFiles" + }, + "order": 16 + }, + "extractedInterestingStrings": { + "type": "array", + "title": "Extracted Interesting Strings", + "description": "Extracted interesting strings", + "items": { + "$ref": 
"#/definitions/extractedInterestingStrings" + }, + "order": 17 + }, + "signatures": { + "type": "array", + "title": "Signatures", + "description": "Signatures", + "items": { + "$ref": "#/definitions/signature" + }, + "order": 18 + }, + "processes": { + "type": "array", + "title": "Processes", + "description": "Processes", + "items": { + "$ref": "#/definitions/process" + }, + "order": 19 + }, + "screenshotsArtifactIds": { + "type": "array", + "title": "Screenshots Artifact IDs", + "description": "Screenshots artifact IDs", "items": { "type": "string" }, - "order": 8 + "order": 20 }, - "normalizedPath": { + "architecture": { "type": "string", - "title": "Normalized Path", - "description": "Normalized path", - "order": 2 - }, - "pid": { - "type": "integer", - "title": "PID", - "description": "PID", - "order": 5 + "title": "Architecture", + "description": "Architecture", + "order": 21 }, - "registry": { + "sampleFlags": { "type": "array", - "title": "Registry", - "description": "Registry", + "title": "Sample Flags", + "description": "Sample flags", "items": { - "$ref": "#/definitions/registry" + "type": "string" }, - "order": 7 + "order": 22 }, - "sha256": { + "pcapReportArtifactId": { "type": "string", - "title": "SHA256", - "description": "SHA256", - "order": 4 + "title": "PCAP Report Artifact ID", + "description": "PCAP report artifact ID", + "order": 23 }, - "uid": { + "memoryStringsArtifactId": { "type": "string", - "title": "UID", - "description": "UID", - "order": 1 - } - }, - "definitions": { - "fileAccess": { - "type": "object", - "title": "fileAccess", - "properties": { - "mask": { - "type": "string", - "title": "Mask", - "description": "Mask", - "order": 3 - }, - "path": { - "type": "string", - "title": "Path", - "description": "Path", - "order": 2 - }, - "type": { - "type": "string", - "title": "Type", - "description": "Type", - "order": 1 - } - } - }, - "handle": { - "type": "object", - "title": "handle", - "properties": { - "id": { - "type": "integer", - 
"title": "ID", - "description": "ID", - "order": 1 - }, - "path": { - "type": "string", - "title": "Path", - "description": "Path", - "order": 3 - }, - "type": { - "type": "string", - "title": "Type", - "description": "Type", - "order": 2 - } - } + "title": "Memory Strings Artifact ID", + "description": "Memory strings artifact ID", + "order": 24 }, - "registry": { - "type": "object", - "title": "registry", - "properties": { - "key": { - "type": "string", - "title": "Key", - "description": "Key", - "order": 3 - }, - "operation": { - "type": "string", - "title": "Operation", - "description": "Operation", - "order": 1 - }, - "path": { - "type": "string", - "title": "Path", - "description": "Path", - "order": 2 - }, - "status": { - "type": "string", - "title": "Status", - "description": "Status", - "order": 4 - }, - "statusHumanReadable": { - "type": "string", - "title": "Status Human Readable", - "description": "Status human readable", - "order": 5 - } - } - } - } - }, - "registry": { - "type": "object", - "title": "registry", - "properties": { - "key": { + "memoryDumpsArtifactId": { "type": "string", - "title": "Key", - "description": "Key", - "order": 3 + "title": "Memory Dumps Artifact ID", + "description": "Memory dumps artifact ID", + "order": 25 }, - "operation": { + "networkSettings": { "type": "string", - "title": "Operation", - "description": "Operation", - "order": 1 + "title": "Network Settings", + "description": "Network settings", + "order": 26 }, - "path": { + "errorMessage": { "type": "string", - "title": "Path", - "description": "Path", - "order": 2 + "title": "Error Message", + "description": "Error message", + "order": 27 }, - "status": { + "errorType": { "type": "string", - "title": "Status", - "description": "Status", - "order": 4 + "title": "Error Type", + "description": "Error type", + "order": 28 }, - "statusHumanReadable": { + "errorOrigin": { "type": "string", - "title": "Status Human Readable", - "description": "Status human readable", - 
"order": 5 + "title": "Error Origin", + "description": "Error origin", + "order": 29 } } }, - "report": { + "extractedFiles": { "type": "object", - "title": "report", + "title": "extractedFiles", "properties": { - "cid": { - "type": "string", - "title": "CID", - "description": "CID of the report", - "order": 2 - }, - "createdTimestamp": { - "type": "string", - "title": "Created Timestamp", - "displayType": "date", - "description": "Time when the report was created", - "format": "date-time", - "order": 3 - }, - "id": { + "filePath": { "type": "string", - "title": "ID", - "description": "ID of the report", + "title": "File Path", + "description": "File path", "order": 1 }, - "iocReportBroadCsvArtifactId": { - "type": "string", - "title": "IOC Report Broad CSV Artifact ID", - "description": "IOC report broad CSV artifact ID", - "order": 10 - }, - "iocReportBroadJsonArtifactId": { - "type": "string", - "title": "IOC Report Broad JSON Artifact ID", - "description": "IOC report broad JSON artifact ID", - "order": 12 - }, - "iocReportBroadMaecArtifactId": { - "type": "string", - "title": "IOC Report Broad Maec Artifact ID", - "description": "IOC report broad maec artifact ID", - "order": 16 - }, - "iocReportBroadStixArtifactId": { - "type": "string", - "title": "IOC Report Broad STIX Artifact ID", - "description": "IOC report broad STIX artifact ID", - "order": 14 + "fileSize": { + "type": "integer", + "title": "File Size", + "description": "File size", + "order": 2 }, - "iocReportStrictCsvArtifactId": { + "sha256": { "type": "string", - "title": "IOC Report Strict CSV Artifact ID", - "description": "IOC report strict CSV artifact ID", - "order": 9 + "title": "SHA256", + "description": "SHA256", + "order": 3 }, - "iocReportStrictJsonArtifactId": { + "md5": { "type": "string", - "title": "IOC Report Strict JSON Artifact ID", - "description": "IOC report strict JSON artifact ID", - "order": 11 + "title": "MD5", + "description": "MD5", + "order": 4 }, - 
"iocReportStrictMaecArtifactId": { + "sha1": { "type": "string", - "title": "IOC Report Strict Maec Artifact ID", - "description": "IOC report strict maec artifact ID", - "order": 15 + "title": "SHA1", + "description": "SHA1", + "order": 5 }, - "iocReportStrictStixArtifactId": { + "runtimeProcess": { "type": "string", - "title": "IOC Report Strict STIX Artifact ID", - "description": "IOC report strict STIX artifact ID", - "order": 13 + "title": "Runtime Process", + "description": "Runtime process", + "order": 6 }, - "malquery": { + "typeTags": { "type": "array", - "title": "Malquery", - "description": "Malquery", + "title": "Type Tags", + "description": "Type tags", "items": { - "$ref": "#/definitions/malquery" + "type": "string" }, - "order": 18 + "order": 7 }, - "origin": { + "threatLevelReadable": { "type": "string", - "title": "Origin", - "description": "Origin", - "order": 4 - }, - "sandbox": { - "type": "array", - "title": "Sandbox", - "description": "Sandbox details", - "items": { - "$ref": "#/definitions/sandbox" - }, - "order": 17 + "title": "Threat Level Readable", + "description": "Threat level readable", + "order": 8 }, - "userId": { + "description": { "type": "string", - "title": "User ID", - "description": "ID of the user", - "order": 5 - }, - "userName": { + "title": "Description", + "description": "Description", + "order": 9 + } + } + }, + "extractedInterestingStrings": { + "type": "object", + "title": "extractedInterestingStrings", + "properties": { + "value": { "type": "string", - "title": "User Name", - "description": "Name of the user", - "order": 6 + "title": "Value", + "description": "Value", + "order": 1 }, - "userUuid": { + "type": { "type": "string", - "title": "User UUID", - "description": "UUID of the user", - "order": 7 + "title": "Type", + "description": "Type", + "order": 2 }, - "verdict": { + "source": { "type": "string", - "title": "Verdict", - "description": "Verdict of the report", - "order": 8 - } - }, - "definitions": { - 
"extractedFiles": { - "type": "object", - "title": "extractedFiles", - "properties": { - "description": { - "type": "string", - "title": "Description", - "description": "Description", - "order": 9 - }, - "filePath": { - "type": "string", - "title": "File Path", - "description": "File path", - "order": 1 - }, - "fileSize": { - "type": "integer", - "title": "File Size", - "description": "File size", - "order": 2 - }, - "md5": { - "type": "string", - "title": "MD5", - "description": "MD5", - "order": 4 - }, - "runtimeProcess": { - "type": "string", - "title": "Runtime Process", - "description": "Runtime process", - "order": 6 - }, - "sha1": { - "type": "string", - "title": "SHA1", - "description": "SHA1", - "order": 5 - }, - "sha256": { - "type": "string", - "title": "SHA256", - "description": "SHA256", - "order": 3 - }, - "threatLevelReadable": { - "type": "string", - "title": "Threat Level Readable", - "description": "Threat level readable", - "order": 8 - }, - "typeTags": { - "type": "array", - "title": "Type Tags", - "description": "Type tags", - "items": { - "type": "string" - }, - "order": 7 - } - } - }, - "extractedInterestingStrings": { - "type": "object", - "title": "extractedInterestingStrings", - "properties": { - "process": { - "type": "string", - "title": "Process", - "description": "Process", - "order": 4 - }, - "source": { - "type": "string", - "title": "Source", - "description": "Source", - "order": 3 - }, - "type": { - "type": "string", - "title": "Type", - "description": "Type", - "order": 2 - }, - "value": { - "type": "string", - "title": "Value", - "description": "Value", - "order": 1 - } - } - }, - "fileAccess": { - "type": "object", - "title": "fileAccess", - "properties": { - "mask": { - "type": "string", - "title": "Mask", - "description": "Mask", - "order": 3 - }, - "path": { - "type": "string", - "title": "Path", - "description": "Path", - "order": 2 - }, - "type": { - "type": "string", - "title": "Type", - "description": "Type", - "order": 1 
- } - } - }, - "handle": { - "type": "object", - "title": "handle", - "properties": { - "id": { - "type": "integer", - "title": "ID", - "description": "ID", - "order": 1 - }, - "path": { - "type": "string", - "title": "Path", - "description": "Path", - "order": 3 - }, - "type": { - "type": "string", - "title": "Type", - "description": "Type", - "order": 2 - } - } - }, - "malquery": { - "type": "object", - "title": "malquery", - "properties": { - "input": { - "type": "string", - "title": "Input", - "description": "Input", - "order": 2 - }, - "type": { - "type": "string", - "title": "Type", - "description": "Type", - "order": 3 - }, - "verdict": { - "type": "string", - "title": "Verdict", - "description": "Verdict", - "order": 1 - } - } + "title": "Source", + "description": "Source", + "order": 3 }, "process": { - "type": "object", - "title": "process", - "properties": { - "commandLine": { - "type": "string", - "title": "Command Line", - "description": "Command line", - "order": 3 - }, - "fileAccesses": { - "type": "array", - "title": "File Accesses", - "description": "File accesses", - "items": { - "$ref": "#/definitions/fileAccess" - }, - "order": 10 - }, - "handles": { - "type": "array", - "title": "Handles", - "description": "Handles", - "items": { - "$ref": "#/definitions/handle" - }, - "order": 9 - }, - "iconArtifactId": { - "type": "string", - "title": "Icon Artifact ID", - "description": "Icon artifact ID", - "order": 6 - }, - "mutants": { - "type": "array", - "title": "Mutants", - "description": "Mutants", - "items": { - "type": "string" - }, - "order": 8 - }, - "normalizedPath": { - "type": "string", - "title": "Normalized Path", - "description": "Normalized path", - "order": 2 - }, - "pid": { - "type": "integer", - "title": "PID", - "description": "PID", - "order": 5 - }, - "registry": { - "type": "array", - "title": "Registry", - "description": "Registry", - "items": { - "$ref": "#/definitions/registry" - }, - "order": 7 - }, - "sha256": { - "type": 
"string", - "title": "SHA256", - "description": "SHA256", - "order": 4 - }, - "uid": { - "type": "string", - "title": "UID", - "description": "UID", - "order": 1 - } - }, - "definitions": { - "fileAccess": { - "type": "object", - "title": "fileAccess", - "properties": { - "mask": { - "type": "string", - "title": "Mask", - "description": "Mask", - "order": 3 - }, - "path": { - "type": "string", - "title": "Path", - "description": "Path", - "order": 2 - }, - "type": { - "type": "string", - "title": "Type", - "description": "Type", - "order": 1 - } - } - }, - "handle": { - "type": "object", - "title": "handle", - "properties": { - "id": { - "type": "integer", - "title": "ID", - "description": "ID", - "order": 1 - }, - "path": { - "type": "string", - "title": "Path", - "description": "Path", - "order": 3 - }, - "type": { - "type": "string", - "title": "Type", - "description": "Type", - "order": 2 - } - } - }, - "registry": { - "type": "object", - "title": "registry", - "properties": { - "key": { - "type": "string", - "title": "Key", - "description": "Key", - "order": 3 - }, - "operation": { - "type": "string", - "title": "Operation", - "description": "Operation", - "order": 1 - }, - "path": { - "type": "string", - "title": "Path", - "description": "Path", - "order": 2 - }, - "status": { - "type": "string", - "title": "Status", - "description": "Status", - "order": 4 - }, - "statusHumanReadable": { - "type": "string", - "title": "Status Human Readable", - "description": "Status human readable", - "order": 5 - } - } - } - } - }, - "registry": { - "type": "object", - "title": "registry", - "properties": { - "key": { - "type": "string", - "title": "Key", - "description": "Key", - "order": 3 - }, - "operation": { - "type": "string", - "title": "Operation", - "description": "Operation", - "order": 1 - }, - "path": { - "type": "string", - "title": "Path", - "description": "Path", - "order": 2 - }, - "status": { - "type": "string", - "title": "Status", - "description": 
"Status", - "order": 4 - }, - "statusHumanReadable": { - "type": "string", - "title": "Status Human Readable", - "description": "Status human readable", - "order": 5 - } - } - }, - "sandbox": { - "type": "object", - "title": "sandbox", - "properties": { - "architecture": { - "type": "string", - "title": "Architecture", - "description": "Architecture", - "order": 21 - }, - "environmentDescription": { - "type": "string", - "title": "Environment Description", - "description": "Environment description", - "order": 3 - }, - "environmentId": { - "type": "integer", - "title": "Environment ID", - "description": "Environment ID", - "order": 2 - }, - "errorMessage": { - "type": "string", - "title": "Error Message", - "description": "Error message", - "order": 27 - }, - "errorOrigin": { - "type": "string", - "title": "Error Origin", - "description": "Error origin", - "order": 29 - }, - "errorType": { - "type": "string", - "title": "Error Type", - "description": "Error type", - "order": 28 - }, - "extractedFiles": { - "type": "array", - "title": "Extracted Files", - "description": "Extracted files", - "items": { - "$ref": "#/definitions/extractedFiles" - }, - "order": 16 - }, - "extractedInterestingStrings": { - "type": "array", - "title": "Extracted Interesting Strings", - "description": "Extracted interesting strings", - "items": { - "$ref": "#/definitions/extractedInterestingStrings" - }, - "order": 17 - }, - "fileSize": { - "type": "integer", - "title": "File Size", - "description": "File size", - "order": 4 - }, - "fileType": { - "type": "string", - "title": "File Type", - "description": "File type", - "order": 5 - }, - "fileTypeShort": { - "type": "array", - "title": "File Type Short", - "description": "File type short", - "items": { - "type": "string" - }, - "order": 6 - }, - "memoryDumpsArtifactId": { - "type": "string", - "title": "Memory Dumps Artifact ID", - "description": "Memory dumps artifact ID", - "order": 25 - }, - "memoryStringsArtifactId": { - "type": 
"string", - "title": "Memory Strings Artifact ID", - "description": "Memory strings artifact ID", - "order": 24 - }, - "networkSettings": { - "type": "string", - "title": "Network Settings", - "description": "Network settings", - "order": 26 - }, - "pcapReportArtifactId": { - "type": "string", - "title": "PCAP Report Artifact ID", - "description": "PCAP report artifact ID", - "order": 23 - }, - "processes": { - "type": "array", - "title": "Processes", - "description": "Processes", - "items": { - "$ref": "#/definitions/process" - }, - "order": 19 - }, - "sampleFlags": { - "type": "array", - "title": "Sample Flags", - "description": "Sample flags", - "items": { - "type": "string" - }, - "order": 22 - }, - "screenshotsArtifactIds": { - "type": "array", - "title": "Screenshots Artifact IDs", - "description": "Screenshots artifact IDs", - "items": { - "type": "string" - }, - "order": 20 - }, - "sha256": { - "type": "string", - "title": "SHA256", - "description": "SHA256", - "order": 1 - }, - "signatures": { - "type": "array", - "title": "Signatures", - "description": "Signatures", - "items": { - "$ref": "#/definitions/signature" - }, - "order": 18 - }, - "submissionType": { - "type": "string", - "title": "Submission Type", - "description": "Submission type", - "order": 9 - }, - "submitName": { - "type": "string", - "title": "Submit Name", - "description": "Submit name", - "order": 7 - }, - "submitUrl": { - "type": "string", - "title": "Submit URL", - "description": "Submit URL", - "order": 8 - }, - "verdict": { - "type": "string", - "title": "Verdict", - "description": "Verdict", - "order": 10 - }, - "windowsVersionBitness": { - "type": "integer", - "title": "Windows Version Bitness", - "description": "Windows version bitness", - "order": 15 - }, - "windowsVersionEdition": { - "type": "string", - "title": "Windows Version Edition", - "description": "Windows version edition", - "order": 12 - }, - "windowsVersionName": { - "type": "string", - "title": "Windows Version 
Name", - "description": "Windows version name", - "order": 11 - }, - "windowsVersionServicePack": { - "type": "string", - "title": "Windows Version Service Pack", - "description": "Windows version service pack", - "order": 13 - }, - "windowsVersionVersion": { - "type": "string", - "title": "Windows Version Version", - "description": "Windows version version", - "order": 14 - } - }, - "definitions": { - "extractedFiles": { - "type": "object", - "title": "extractedFiles", - "properties": { - "description": { - "type": "string", - "title": "Description", - "description": "Description", - "order": 9 - }, - "filePath": { - "type": "string", - "title": "File Path", - "description": "File path", - "order": 1 - }, - "fileSize": { - "type": "integer", - "title": "File Size", - "description": "File size", - "order": 2 - }, - "md5": { - "type": "string", - "title": "MD5", - "description": "MD5", - "order": 4 - }, - "runtimeProcess": { - "type": "string", - "title": "Runtime Process", - "description": "Runtime process", - "order": 6 - }, - "sha1": { - "type": "string", - "title": "SHA1", - "description": "SHA1", - "order": 5 - }, - "sha256": { - "type": "string", - "title": "SHA256", - "description": "SHA256", - "order": 3 - }, - "threatLevelReadable": { - "type": "string", - "title": "Threat Level Readable", - "description": "Threat level readable", - "order": 8 - }, - "typeTags": { - "type": "array", - "title": "Type Tags", - "description": "Type tags", - "items": { - "type": "string" - }, - "order": 7 - } - } - }, - "extractedInterestingStrings": { - "type": "object", - "title": "extractedInterestingStrings", - "properties": { - "process": { - "type": "string", - "title": "Process", - "description": "Process", - "order": 4 - }, - "source": { - "type": "string", - "title": "Source", - "description": "Source", - "order": 3 - }, - "type": { - "type": "string", - "title": "Type", - "description": "Type", - "order": 2 - }, - "value": { - "type": "string", - "title": "Value", - 
"description": "Value", - "order": 1 - } - } - }, - "fileAccess": { - "type": "object", - "title": "fileAccess", - "properties": { - "mask": { - "type": "string", - "title": "Mask", - "description": "Mask", - "order": 3 - }, - "path": { - "type": "string", - "title": "Path", - "description": "Path", - "order": 2 - }, - "type": { - "type": "string", - "title": "Type", - "description": "Type", - "order": 1 - } - } - }, - "handle": { - "type": "object", - "title": "handle", - "properties": { - "id": { - "type": "integer", - "title": "ID", - "description": "ID", - "order": 1 - }, - "path": { - "type": "string", - "title": "Path", - "description": "Path", - "order": 3 - }, - "type": { - "type": "string", - "title": "Type", - "description": "Type", - "order": 2 - } - } - }, - "process": { - "type": "object", - "title": "process", - "properties": { - "commandLine": { - "type": "string", - "title": "Command Line", - "description": "Command line", - "order": 3 - }, - "fileAccesses": { - "type": "array", - "title": "File Accesses", - "description": "File accesses", - "items": { - "$ref": "#/definitions/fileAccess" - }, - "order": 10 - }, - "handles": { - "type": "array", - "title": "Handles", - "description": "Handles", - "items": { - "$ref": "#/definitions/handle" - }, - "order": 9 - }, - "iconArtifactId": { - "type": "string", - "title": "Icon Artifact ID", - "description": "Icon artifact ID", - "order": 6 - }, - "mutants": { - "type": "array", - "title": "Mutants", - "description": "Mutants", - "items": { - "type": "string" - }, - "order": 8 - }, - "normalizedPath": { - "type": "string", - "title": "Normalized Path", - "description": "Normalized path", - "order": 2 - }, - "pid": { - "type": "integer", - "title": "PID", - "description": "PID", - "order": 5 - }, - "registry": { - "type": "array", - "title": "Registry", - "description": "Registry", - "items": { - "$ref": "#/definitions/registry" - }, - "order": 7 - }, - "sha256": { - "type": "string", - "title": "SHA256", - 
"description": "SHA256", - "order": 4 - }, - "uid": { - "type": "string", - "title": "UID", - "description": "UID", - "order": 1 - } - }, - "definitions": { - "fileAccess": { - "type": "object", - "title": "fileAccess", - "properties": { - "mask": { - "type": "string", - "title": "Mask", - "description": "Mask", - "order": 3 - }, - "path": { - "type": "string", - "title": "Path", - "description": "Path", - "order": 2 - }, - "type": { - "type": "string", - "title": "Type", - "description": "Type", - "order": 1 - } - } - }, - "handle": { - "type": "object", - "title": "handle", - "properties": { - "id": { - "type": "integer", - "title": "ID", - "description": "ID", - "order": 1 - }, - "path": { - "type": "string", - "title": "Path", - "description": "Path", - "order": 3 - }, - "type": { - "type": "string", - "title": "Type", - "description": "Type", - "order": 2 - } - } - }, - "registry": { - "type": "object", - "title": "registry", - "properties": { - "key": { - "type": "string", - "title": "Key", - "description": "Key", - "order": 3 - }, - "operation": { - "type": "string", - "title": "Operation", - "description": "Operation", - "order": 1 - }, - "path": { - "type": "string", - "title": "Path", - "description": "Path", - "order": 2 - }, - "status": { - "type": "string", - "title": "Status", - "description": "Status", - "order": 4 - }, - "statusHumanReadable": { - "type": "string", - "title": "Status Human Readable", - "description": "Status human readable", - "order": 5 - } - } - } - } - }, - "registry": { - "type": "object", - "title": "registry", - "properties": { - "key": { - "type": "string", - "title": "Key", - "description": "Key", - "order": 3 - }, - "operation": { - "type": "string", - "title": "Operation", - "description": "Operation", - "order": 1 - }, - "path": { - "type": "string", - "title": "Path", - "description": "Path", - "order": 2 - }, - "status": { - "type": "string", - "title": "Status", - "description": "Status", - "order": 4 - }, - 
"statusHumanReadable": { - "type": "string", - "title": "Status Human Readable", - "description": "Status human readable", - "order": 5 - } - } - }, - "signature": { - "type": "object", - "title": "signature", - "properties": { - "category": { - "type": "string", - "title": "Category", - "description": "Category", - "order": 2 - }, - "description": { - "type": "string", - "title": "Description", - "description": "Description", - "order": 6 - }, - "identifier": { - "type": "string", - "title": "Identifier", - "description": "Identifier", - "order": 3 - }, - "origin": { - "type": "string", - "title": "Origin", - "description": "Origin", - "order": 7 - }, - "relevance": { - "type": "integer", - "title": "Relevance", - "description": "Relevance", - "order": 5 - }, - "threatLevelHuman": { - "type": "string", - "title": "Threat Level Human", - "description": "Threat level human", - "order": 1 - }, - "type": { - "type": "integer", - "title": "Type", - "description": "Type", - "order": 4 - } - } - } - } - }, - "signature": { - "type": "object", - "title": "signature", - "properties": { - "category": { - "type": "string", - "title": "Category", - "description": "Category", - "order": 2 - }, - "description": { - "type": "string", - "title": "Description", - "description": "Description", - "order": 6 - }, - "identifier": { - "type": "string", - "title": "Identifier", - "description": "Identifier", - "order": 3 - }, - "origin": { - "type": "string", - "title": "Origin", - "description": "Origin", - "order": 7 - }, - "relevance": { - "type": "integer", - "title": "Relevance", - "description": "Relevance", - "order": 5 - }, - "threatLevelHuman": { - "type": "string", - "title": "Threat Level Human", - "description": "Threat level human", - "order": 1 - }, - "type": { - "type": "integer", - "title": "Type", - "description": "Type", - "order": 4 - } - } + "type": "string", + "title": "Process", + "description": "Process", + "order": 4 } } }, - "sandbox": { + "signature": { "type": 
"object", - "title": "sandbox", + "title": "signature", "properties": { - "architecture": { + "threatLevelHuman": { "type": "string", - "title": "Architecture", - "description": "Architecture", - "order": 21 + "title": "Threat Level Human", + "description": "Threat level human", + "order": 1 }, - "environmentDescription": { + "category": { "type": "string", - "title": "Environment Description", - "description": "Environment description", + "title": "Category", + "description": "Category", + "order": 2 + }, + "identifier": { + "type": "string", + "title": "Identifier", + "description": "Identifier", "order": 3 }, - "environmentId": { + "type": { "type": "integer", - "title": "Environment ID", - "description": "Environment ID", - "order": 2 + "title": "Type", + "description": "Type", + "order": 4 }, - "errorMessage": { - "type": "string", - "title": "Error Message", - "description": "Error message", - "order": 27 + "relevance": { + "type": "integer", + "title": "Relevance", + "description": "Relevance", + "order": 5 }, - "errorOrigin": { + "description": { "type": "string", - "title": "Error Origin", - "description": "Error origin", - "order": 29 + "title": "Description", + "description": "Description", + "order": 6 }, - "errorType": { + "origin": { "type": "string", - "title": "Error Type", - "description": "Error type", - "order": 28 - }, - "extractedFiles": { - "type": "array", - "title": "Extracted Files", - "description": "Extracted files", - "items": { - "$ref": "#/definitions/extractedFiles" - }, - "order": 16 - }, - "extractedInterestingStrings": { - "type": "array", - "title": "Extracted Interesting Strings", - "description": "Extracted interesting strings", - "items": { - "$ref": "#/definitions/extractedInterestingStrings" - }, - "order": 17 - }, - "fileSize": { - "type": "integer", - "title": "File Size", - "description": "File size", - "order": 4 - }, - "fileType": { + "title": "Origin", + "description": "Origin", + "order": 7 + } + } + }, + "process": { 
+ "type": "object", + "title": "process", + "properties": { + "uid": { "type": "string", - "title": "File Type", - "description": "File type", - "order": 5 - }, - "fileTypeShort": { - "type": "array", - "title": "File Type Short", - "description": "File type short", - "items": { - "type": "string" - }, - "order": 6 + "title": "UID", + "description": "UID", + "order": 1 }, - "memoryDumpsArtifactId": { + "normalizedPath": { "type": "string", - "title": "Memory Dumps Artifact ID", - "description": "Memory dumps artifact ID", - "order": 25 + "title": "Normalized Path", + "description": "Normalized path", + "order": 2 }, - "memoryStringsArtifactId": { + "commandLine": { "type": "string", - "title": "Memory Strings Artifact ID", - "description": "Memory strings artifact ID", - "order": 24 + "title": "Command Line", + "description": "Command line", + "order": 3 }, - "networkSettings": { + "sha256": { "type": "string", - "title": "Network Settings", - "description": "Network settings", - "order": 26 + "title": "SHA256", + "description": "SHA256", + "order": 4 }, - "pcapReportArtifactId": { + "pid": { + "type": "integer", + "title": "PID", + "description": "PID", + "order": 5 + }, + "iconArtifactId": { "type": "string", - "title": "PCAP Report Artifact ID", - "description": "PCAP report artifact ID", - "order": 23 + "title": "Icon Artifact ID", + "description": "Icon artifact ID", + "order": 6 }, - "processes": { + "registry": { "type": "array", - "title": "Processes", - "description": "Processes", + "title": "Registry", + "description": "Registry", "items": { - "$ref": "#/definitions/process" + "$ref": "#/definitions/registry" }, - "order": 19 + "order": 7 }, - "sampleFlags": { + "mutants": { "type": "array", - "title": "Sample Flags", - "description": "Sample flags", + "title": "Mutants", + "description": "Mutants", "items": { "type": "string" }, - "order": 22 + "order": 8 }, - "screenshotsArtifactIds": { + "handles": { "type": "array", - "title": "Screenshots Artifact 
IDs", - "description": "Screenshots artifact IDs", + "title": "Handles", + "description": "Handles", "items": { - "type": "string" + "$ref": "#/definitions/handle" }, - "order": 20 - }, - "sha256": { - "type": "string", - "title": "SHA256", - "description": "SHA256", - "order": 1 + "order": 9 }, - "signatures": { + "fileAccesses": { "type": "array", - "title": "Signatures", - "description": "Signatures", + "title": "File Accesses", + "description": "File accesses", "items": { - "$ref": "#/definitions/signature" + "$ref": "#/definitions/fileAccess" }, - "order": 18 - }, - "submissionType": { - "type": "string", - "title": "Submission Type", - "description": "Submission type", - "order": 9 - }, - "submitName": { + "order": 10 + } + } + }, + "registry": { + "type": "object", + "title": "registry", + "properties": { + "operation": { "type": "string", - "title": "Submit Name", - "description": "Submit name", - "order": 7 + "title": "Operation", + "description": "Operation", + "order": 1 }, - "submitUrl": { + "path": { "type": "string", - "title": "Submit URL", - "description": "Submit URL", - "order": 8 + "title": "Path", + "description": "Path", + "order": 2 }, - "verdict": { + "key": { "type": "string", - "title": "Verdict", - "description": "Verdict", - "order": 10 - }, - "windowsVersionBitness": { - "type": "integer", - "title": "Windows Version Bitness", - "description": "Windows version bitness", - "order": 15 + "title": "Key", + "description": "Key", + "order": 3 }, - "windowsVersionEdition": { + "status": { "type": "string", - "title": "Windows Version Edition", - "description": "Windows version edition", - "order": 12 + "title": "Status", + "description": "Status", + "order": 4 }, - "windowsVersionName": { + "statusHumanReadable": { "type": "string", - "title": "Windows Version Name", - "description": "Windows version name", - "order": 11 + "title": "Status Human Readable", + "description": "Status human readable", + "order": 5 + } + } + }, + "handle": { + 
"type": "object", + "title": "handle", + "properties": { + "id": { + "type": "integer", + "title": "ID", + "description": "ID", + "order": 1 }, - "windowsVersionServicePack": { + "type": { "type": "string", - "title": "Windows Version Service Pack", - "description": "Windows version service pack", - "order": 13 + "title": "Type", + "description": "Type", + "order": 2 }, - "windowsVersionVersion": { + "path": { "type": "string", - "title": "Windows Version Version", - "description": "Windows version version", - "order": 14 - } - }, - "definitions": { - "extractedFiles": { - "type": "object", - "title": "extractedFiles", - "properties": { - "description": { - "type": "string", - "title": "Description", - "description": "Description", - "order": 9 - }, - "filePath": { - "type": "string", - "title": "File Path", - "description": "File path", - "order": 1 - }, - "fileSize": { - "type": "integer", - "title": "File Size", - "description": "File size", - "order": 2 - }, - "md5": { - "type": "string", - "title": "MD5", - "description": "MD5", - "order": 4 - }, - "runtimeProcess": { - "type": "string", - "title": "Runtime Process", - "description": "Runtime process", - "order": 6 - }, - "sha1": { - "type": "string", - "title": "SHA1", - "description": "SHA1", - "order": 5 - }, - "sha256": { - "type": "string", - "title": "SHA256", - "description": "SHA256", - "order": 3 - }, - "threatLevelReadable": { - "type": "string", - "title": "Threat Level Readable", - "description": "Threat level readable", - "order": 8 - }, - "typeTags": { - "type": "array", - "title": "Type Tags", - "description": "Type tags", - "items": { - "type": "string" - }, - "order": 7 - } - } - }, - "extractedInterestingStrings": { - "type": "object", - "title": "extractedInterestingStrings", - "properties": { - "process": { - "type": "string", - "title": "Process", - "description": "Process", - "order": 4 - }, - "source": { - "type": "string", - "title": "Source", - "description": "Source", - "order": 3 - 
}, - "type": { - "type": "string", - "title": "Type", - "description": "Type", - "order": 2 - }, - "value": { - "type": "string", - "title": "Value", - "description": "Value", - "order": 1 - } - } - }, - "fileAccess": { - "type": "object", - "title": "fileAccess", - "properties": { - "mask": { - "type": "string", - "title": "Mask", - "description": "Mask", - "order": 3 - }, - "path": { - "type": "string", - "title": "Path", - "description": "Path", - "order": 2 - }, - "type": { - "type": "string", - "title": "Type", - "description": "Type", - "order": 1 - } - } - }, - "handle": { - "type": "object", - "title": "handle", - "properties": { - "id": { - "type": "integer", - "title": "ID", - "description": "ID", - "order": 1 - }, - "path": { - "type": "string", - "title": "Path", - "description": "Path", - "order": 3 - }, - "type": { - "type": "string", - "title": "Type", - "description": "Type", - "order": 2 - } - } - }, - "process": { - "type": "object", - "title": "process", - "properties": { - "commandLine": { - "type": "string", - "title": "Command Line", - "description": "Command line", - "order": 3 - }, - "fileAccesses": { - "type": "array", - "title": "File Accesses", - "description": "File accesses", - "items": { - "$ref": "#/definitions/fileAccess" - }, - "order": 10 - }, - "handles": { - "type": "array", - "title": "Handles", - "description": "Handles", - "items": { - "$ref": "#/definitions/handle" - }, - "order": 9 - }, - "iconArtifactId": { - "type": "string", - "title": "Icon Artifact ID", - "description": "Icon artifact ID", - "order": 6 - }, - "mutants": { - "type": "array", - "title": "Mutants", - "description": "Mutants", - "items": { - "type": "string" - }, - "order": 8 - }, - "normalizedPath": { - "type": "string", - "title": "Normalized Path", - "description": "Normalized path", - "order": 2 - }, - "pid": { - "type": "integer", - "title": "PID", - "description": "PID", - "order": 5 - }, - "registry": { - "type": "array", - "title": "Registry", - 
"description": "Registry", - "items": { - "$ref": "#/definitions/registry" - }, - "order": 7 - }, - "sha256": { - "type": "string", - "title": "SHA256", - "description": "SHA256", - "order": 4 - }, - "uid": { - "type": "string", - "title": "UID", - "description": "UID", - "order": 1 - } - }, - "definitions": { - "fileAccess": { - "type": "object", - "title": "fileAccess", - "properties": { - "mask": { - "type": "string", - "title": "Mask", - "description": "Mask", - "order": 3 - }, - "path": { - "type": "string", - "title": "Path", - "description": "Path", - "order": 2 - }, - "type": { - "type": "string", - "title": "Type", - "description": "Type", - "order": 1 - } - } - }, - "handle": { - "type": "object", - "title": "handle", - "properties": { - "id": { - "type": "integer", - "title": "ID", - "description": "ID", - "order": 1 - }, - "path": { - "type": "string", - "title": "Path", - "description": "Path", - "order": 3 - }, - "type": { - "type": "string", - "title": "Type", - "description": "Type", - "order": 2 - } - } - }, - "registry": { - "type": "object", - "title": "registry", - "properties": { - "key": { - "type": "string", - "title": "Key", - "description": "Key", - "order": 3 - }, - "operation": { - "type": "string", - "title": "Operation", - "description": "Operation", - "order": 1 - }, - "path": { - "type": "string", - "title": "Path", - "description": "Path", - "order": 2 - }, - "status": { - "type": "string", - "title": "Status", - "description": "Status", - "order": 4 - }, - "statusHumanReadable": { - "type": "string", - "title": "Status Human Readable", - "description": "Status human readable", - "order": 5 - } - } - } - } - }, - "registry": { - "type": "object", - "title": "registry", - "properties": { - "key": { - "type": "string", - "title": "Key", - "description": "Key", - "order": 3 - }, - "operation": { - "type": "string", - "title": "Operation", - "description": "Operation", - "order": 1 - }, - "path": { - "type": "string", - "title": "Path", 
- "description": "Path", - "order": 2 - }, - "status": { - "type": "string", - "title": "Status", - "description": "Status", - "order": 4 - }, - "statusHumanReadable": { - "type": "string", - "title": "Status Human Readable", - "description": "Status human readable", - "order": 5 - } - } - }, - "signature": { - "type": "object", - "title": "signature", - "properties": { - "category": { - "type": "string", - "title": "Category", - "description": "Category", - "order": 2 - }, - "description": { - "type": "string", - "title": "Description", - "description": "Description", - "order": 6 - }, - "identifier": { - "type": "string", - "title": "Identifier", - "description": "Identifier", - "order": 3 - }, - "origin": { - "type": "string", - "title": "Origin", - "description": "Origin", - "order": 7 - }, - "relevance": { - "type": "integer", - "title": "Relevance", - "description": "Relevance", - "order": 5 - }, - "threatLevelHuman": { - "type": "string", - "title": "Threat Level Human", - "description": "Threat level human", - "order": 1 - }, - "type": { - "type": "integer", - "title": "Type", - "description": "Type", - "order": 4 - } - } + "title": "Path", + "description": "Path", + "order": 3 } } }, - "signature": { + "fileAccess": { "type": "object", - "title": "signature", + "title": "fileAccess", "properties": { - "category": { + "type": { "type": "string", - "title": "Category", - "description": "Category", - "order": 2 + "title": "Type", + "description": "Type", + "order": 1 }, - "description": { + "path": { "type": "string", - "title": "Description", - "description": "Description", - "order": 6 + "title": "Path", + "description": "Path", + "order": 2 }, - "identifier": { + "mask": { "type": "string", - "title": "Identifier", - "description": "Identifier", + "title": "Mask", + "description": "Mask", "order": 3 - }, - "origin": { + } + } + }, + "malquery": { + "type": "object", + "title": "malquery", + "properties": { + "verdict": { "type": "string", - "title": 
"Origin", - "description": "Origin", - "order": 7 - }, - "relevance": { - "type": "integer", - "title": "Relevance", - "description": "Relevance", - "order": 5 + "title": "Verdict", + "description": "Verdict", + "order": 1 }, - "threatLevelHuman": { + "input": { "type": "string", - "title": "Threat Level Human", - "description": "Threat level human", - "order": 1 + "title": "Input", + "description": "Input", + "order": 2 }, "type": { - "type": "integer", + "type": "string", "title": "Type", "description": "Type", - "order": 4 + "order": 3 } } } diff --git a/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/getReportsIDs/__init__.py b/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/getReportsIDs/__init__.py index ed3652cebb..1500414cb0 100755 --- a/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/getReportsIDs/__init__.py +++ b/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/getReportsIDs/__init__.py @@ -1,2 +1,2 @@ -# GENERATED BY KOMAND SDK - DO NOT EDIT +# GENERATED BY INSIGHT-PLUGIN - DO NOT EDIT from .action import GetReportsIDs diff --git a/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/getReportsIDs/schema.py b/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/getReportsIDs/schema.py index 541771fe02..7d709aaae3 100755 --- a/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/getReportsIDs/schema.py +++ b/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/getReportsIDs/schema.py @@ -1,4 +1,4 @@ -# GENERATED BY KOMAND SDK - DO NOT EDIT +# GENERATED BY INSIGHT-PLUGIN - DO NOT EDIT import insightconnect_plugin_runtime import json 
@@ -11,14 +11,14 @@ class Input: FILTER = "filter" LIMIT = "limit" OFFSET = "offset" - + class Output: REPORTIDS = "reportIds" - + class GetReportsIDsInput(insightconnect_plugin_runtime.Input): - schema = json.loads(""" + schema = json.loads(r""" { "type": "object", "title": "Variables", @@ -41,7 +41,8 @@ class GetReportsIDsInput(insightconnect_plugin_runtime.Input): "description": "The offset to start retrieving reports from", "order": 2 } - } + }, + "definitions": {} } """) @@ -50,7 +51,7 @@ def __init__(self): class GetReportsIDsOutput(insightconnect_plugin_runtime.Output): - schema = json.loads(""" + schema = json.loads(r""" { "type": "object", "title": "Variables", @@ -67,7 +68,8 @@ class GetReportsIDsOutput(insightconnect_plugin_runtime.Output): }, "required": [ "reportIds" - ] + ], + "definitions": {} } """) diff --git a/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/getShortReport/__init__.py b/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/getShortReport/__init__.py index 3d3c05d8d4..7a72d0cf0a 100755 --- a/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/getShortReport/__init__.py +++ b/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/getShortReport/__init__.py @@ -1,2 +1,2 @@ -# GENERATED BY KOMAND SDK - DO NOT EDIT +# GENERATED BY INSIGHT-PLUGIN - DO NOT EDIT from .action import GetShortReport diff --git a/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/getShortReport/schema.py b/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/getShortReport/schema.py index c53512ca78..ff14c81c19 100755 --- a/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/getShortReport/schema.py +++ b/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/getShortReport/schema.py 
@@ -1,4 +1,4 @@ -# GENERATED BY KOMAND SDK - DO NOT EDIT +# GENERATED BY INSIGHT-PLUGIN - DO NOT EDIT import insightconnect_plugin_runtime import json @@ -9,14 +9,14 @@ class Component: class Input: IDS = "ids" - + class Output: REPORTS = "reports" - + class GetShortReportInput(insightconnect_plugin_runtime.Input): - schema = json.loads(""" + schema = json.loads(r""" { "type": "object", "title": "Variables", @@ -33,7 +33,8 @@ class GetShortReportInput(insightconnect_plugin_runtime.Input): }, "required": [ "ids" - ] + ], + "definitions": {} } """) @@ -42,7 +43,7 @@ def __init__(self): class GetShortReportOutput(insightconnect_plugin_runtime.Output): - schema = json.loads(""" + schema = json.loads(r""" { "type": "object", "title": "Variables", @@ -65,6 +66,12 @@ class GetShortReportOutput(insightconnect_plugin_runtime.Output): "type": "object", "title": "reportShort", "properties": { + "id": { + "type": "string", + "title": "ID", + "description": "ID of the report", + "order": 1 + }, "cid": { "type": "string", "title": "CID", 
@@ -73,41 +80,35 @@ class GetShortReportOutput(insightconnect_plugin_runtime.Output): }, "createdTimestamp": { "type": "string", - "title": "Created Timestamp", + "format": "date-time", "displayType": "date", + "title": "Created Timestamp", "description": "Time when the report was created", - "format": "date-time", "order": 3 }, - "id": { - "type": "string", - "title": "ID", - "description": "ID of the report", - "order": 1 - }, - "iocReportBroadCsvArtifactId": { + "origin": { "type": "string", - "title": "IOC Report Broad CSV Artifact ID", - "description": "IOC report broad CSV artifact ID", - "order": 9 + "title": "Origin", + "description": "Origin", + "order": 4 }, - "iocReportBroadJsonArtifactId": { + "userId": { "type": "string", - "title": "IOC Report Broad JSON Artifact ID", - "description": "IOC report broad JSON artifact ID", - "order": 11 + "title": "User ID", + "description": "ID of the user", + "order": 5 }, - "iocReportBroadMaecArtifactId": { + "userName": { "type": "string", - "title": "IOC Report Broad Maec Artifact ID", - "description": "IOC report broad maec artifact ID", - "order": 15 + "title": "User Name", + "description": "Name of the user", + "order": 6 }, - "iocReportBroadStixArtifactId": { + "verdict": { "type": "string", - "title": "IOC Report Broad STIX Artifact ID", - "description": "IOC report broad STIX artifact ID", - "order": 13 + "title": "Verdict", + "description": "Verdict of the report", + "order": 7 }, "iocReportStrictCsvArtifactId": { "type": "string", 
@@ -115,17 +116,23 @@ class GetShortReportOutput(insightconnect_plugin_runtime.Output): "description": "IOC report strict CSV artifact ID", "order": 8 }, + "iocReportBroadCsvArtifactId": { + "type": "string", + "title": "IOC Report Broad CSV Artifact ID", + "description": "IOC report broad CSV artifact ID", + "order": 9 + }, "iocReportStrictJsonArtifactId": { "type": "string", "title": "IOC Report Strict JSON Artifact ID", "description": "IOC report strict JSON artifact ID", "order": 10 }, - "iocReportStrictMaecArtifactId": { + "iocReportBroadJsonArtifactId": { "type": "string", - "title": "IOC Report Strict Maec Artifact ID", - "description": "IOC report strict maec artifact ID", - "order": 14 + "title": "IOC Report Broad JSON Artifact ID", + "description": "IOC report broad JSON artifact ID", + "order": 11 }, "iocReportStrictStixArtifactId": { "type": "string", @@ -133,11 +140,23 @@ class GetShortReportOutput(insightconnect_plugin_runtime.Output): "description": "IOC report strict STIX artifact ID", "order": 12 }, - "origin": { + "iocReportBroadStixArtifactId": { "type": "string", - "title": "Origin", - "description": "Origin", - "order": 4 + "title": "IOC Report Broad STIX Artifact ID", + "description": "IOC report broad STIX artifact ID", + "order": 13 + }, + "iocReportStrictMaecArtifactId": { + "type": "string", + "title": "IOC Report Strict Maec Artifact ID", + "description": "IOC report strict maec artifact ID", + "order": 14 + }, + "iocReportBroadMaecArtifactId": { + "type": "string", + "title": "IOC Report Broad Maec Artifact ID", + "description": "IOC report broad maec artifact ID", + "order": 15 }, "sandbox": { "type": "array", 
@@ -147,137 +166,6 @@ class GetShortReportOutput(insightconnect_plugin_runtime.Output): "$ref": "#/definitions/sandboxShort" }, "order": 16 - }, - "userId": { - "type": "string", - "title": "User ID", - "description": "ID of the user", - "order": 5 - }, - "userName": { - "type": "string", - "title": "User Name", - "description": "Name of the user", - "order": 6 - }, - "verdict": { - "type": "string", - "title": "Verdict", - "description": "Verdict of the report", - "order": 7 - } - }, - "definitions": { - "sandboxShort": { - "type": "object", - "title": "sandboxShort", - "properties": { - "actionScript": { - "type": "string", - "title": "Action Script", - "description": "Action script", - "order": 4 - }, - "environmentDescription": { - "type": "string", - "title": "Environment Description", - "description": "Environment description", - "order": 9 - }, - "environmentId": { - "type": "integer", - "title": "Environment ID", - "description": "Environment ID", - "order": 8 - }, - "errorMessage": { - "type": "string", - "title": "Error Message", - "description": "Error message", - "order": 15 - }, - "errorOrigin": { - "type": "string", - "title": "Error Origin", - "description": "Error origin", - "order": 17 - }, - "errorType": { - "type": "string", - "title": "Error Type", - "description": "Error type", - "order": 16 - }, - "fileType": { - "type": "string", - "title": "File Type", - "description": "File type", - "order": 10 - }, - "networkSettings": { - "type": "string", - "title": "Network Settings", - "description": "Network settings", - "order": 7 - }, - "sampleFlags": { - "type": "array", - "title": "Sample Flags", - "description": "Sample flags", - "items": { - "type": "string" - }, - "order": 14 - }, - "sha256": { - "type": "string", - "title": "SHA256", - "description": "SHA256", - "order": 1 - }, - "submissionType": { - "type": "string", - "title": "Submission Type", - "description": "Submission type", - "order": 12 - }, - "submitName": { - "type": "string", - 
"title": "Submit Name", - "description": "Submit name", - "order": 11 - }, - "submitUrl": { - "type": "string", - "title": "Submit URL", - "description": "Submit URL", - "order": 2 - }, - "systemDate": { - "type": "string", - "title": "System Date", - "description": "System date", - "order": 5 - }, - "systemTime": { - "type": "string", - "title": "System Time", - "description": "System time", - "order": 6 - }, - "url": { - "type": "string", - "title": "URL", - "description": "URL", - "order": 3 - }, - "verdict": { - "type": "string", - "title": "Verdict", - "description": "Verdict", - "order": 13 - } - } } } }, 
@@ -285,47 +173,41 @@ class GetShortReportOutput(insightconnect_plugin_runtime.Output): "type": "object", "title": "sandboxShort", "properties": { - "actionScript": { + "sha256": { "type": "string", - "title": "Action Script", - "description": "Action script", - "order": 4 + "title": "SHA256", + "description": "SHA256", + "order": 1 }, - "environmentDescription": { + "submitUrl": { "type": "string", - "title": "Environment Description", - "description": "Environment description", - "order": 9 - }, - "environmentId": { - "type": "integer", - "title": "Environment ID", - "description": "Environment ID", - "order": 8 + "title": "Submit URL", + "description": "Submit URL", + "order": 2 }, - "errorMessage": { + "url": { "type": "string", - "title": "Error Message", - "description": "Error message", - "order": 15 + "title": "URL", + "description": "URL", + "order": 3 }, - "errorOrigin": { + "actionScript": { "type": "string", - "title": "Error Origin", - "description": "Error origin", - "order": 17 + "title": "Action Script", + "description": "Action script", + "order": 4 }, - "errorType": { + "systemDate": { "type": "string", - "title": "Error Type", - "description": "Error type", - "order": 16 + "title": "System Date", + "description": "System date", + "order": 5 }, - "fileType": { + "systemTime": { "type": "string", - "title": "File Type", - "description": "File type", - "order": 10 + "title": "System Time", + "description": "System time", + "order": 6 }, "networkSettings": { "type": "string", 
@@ -333,26 +215,23 @@ class GetShortReportOutput(insightconnect_plugin_runtime.Output): "description": "Network settings", "order": 7 }, - "sampleFlags": { - "type": "array", - "title": "Sample Flags", - "description": "Sample flags", - "items": { - "type": "string" - }, - "order": 14 + "environmentId": { + "type": "integer", + "title": "Environment ID", + "description": "Environment ID", + "order": 8 }, - "sha256": { + "environmentDescription": { "type": "string", - "title": "SHA256", - "description": "SHA256", - "order": 1 + "title": "Environment Description", + "description": "Environment description", + "order": 9 }, - "submissionType": { + "fileType": { "type": "string", - "title": "Submission Type", - "description": "Submission type", - "order": 12 + "title": "File Type", + "description": "File type", + "order": 10 }, "submitName": { "type": "string", 
@@ -360,35 +239,44 @@ class GetShortReportOutput(insightconnect_plugin_runtime.Output): "description": "Submit name", "order": 11 }, - "submitUrl": { + "submissionType": { "type": "string", - "title": "Submit URL", - "description": "Submit URL", - "order": 2 + "title": "Submission Type", + "description": "Submission type", + "order": 12 }, - "systemDate": { + "verdict": { "type": "string", - "title": "System Date", - "description": "System date", - "order": 5 + "title": "Verdict", + "description": "Verdict", + "order": 13 }, - "systemTime": { + "sampleFlags": { + "type": "array", + "title": "Sample Flags", + "description": "Sample flags", + "items": { + "type": "string" + }, + "order": 14 + }, + "errorMessage": { "type": "string", - "title": "System Time", - "description": "System time", - "order": 6 + "title": "Error Message", + "description": "Error message", + "order": 15 }, - "url": { + "errorType": { "type": "string", - "title": "URL", - "description": "URL", - "order": 3 + "title": "Error Type", + "description": "Error type", + "order": 16 }, - "verdict": { + "errorOrigin": { "type": "string", - "title": "Verdict", - "description": "Verdict", - "order": 13 + "title": "Error Origin", + "description": "Error origin", + "order": 17 } } } diff --git a/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/getSubmissionsIDs/__init__.py b/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/getSubmissionsIDs/__init__.py index 9b621b61c8..21694f7905 100755 --- a/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/getSubmissionsIDs/__init__.py +++ b/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/getSubmissionsIDs/__init__.py @@ -1,2 +1,2 @@ -# GENERATED BY KOMAND SDK - DO NOT EDIT +# GENERATED BY INSIGHT-PLUGIN - DO NOT EDIT from .action import GetSubmissionsIDs 
diff --git a/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/getSubmissionsIDs/schema.py b/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/getSubmissionsIDs/schema.py index 90d7310233..fd1fea6f59 100755 --- a/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/getSubmissionsIDs/schema.py +++ b/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/getSubmissionsIDs/schema.py @@ -1,4 +1,4 @@ -# GENERATED BY KOMAND SDK - DO NOT EDIT +# GENERATED BY INSIGHT-PLUGIN - DO NOT EDIT import insightconnect_plugin_runtime import json @@ -11,14 +11,14 @@ class Input: FILTER = "filter" LIMIT = "limit" OFFSET = "offset" - + class Output: SUBMISSIONIDS = "submissionIds" - + class GetSubmissionsIDsInput(insightconnect_plugin_runtime.Input): - schema = json.loads(""" + schema = json.loads(r""" { "type": "object", "title": "Variables", @@ -41,7 +41,8 @@ class GetSubmissionsIDsInput(insightconnect_plugin_runtime.Input): "description": "The offset to start retrieving reports from", "order": 2 } - } + }, + "definitions": {} } """) @@ -50,7 +51,7 @@ def __init__(self): class GetSubmissionsIDsOutput(insightconnect_plugin_runtime.Output): - schema = json.loads(""" + schema = json.loads(r""" { "type": "object", "title": "Variables", @@ -67,7 +68,8 @@ class GetSubmissionsIDsOutput(insightconnect_plugin_runtime.Output): }, "required": [ "submissionIds" - ] + ], + "definitions": {} } """) diff --git a/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/submitAnalysis/__init__.py b/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/submitAnalysis/__init__.py index 9c8b617fd0..f628890b6f 100755 --- a/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/submitAnalysis/__init__.py 
+++ b/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/submitAnalysis/__init__.py @@ -1,2 +1,2 @@ -# GENERATED BY KOMAND SDK - DO NOT EDIT +# GENERATED BY INSIGHT-PLUGIN - DO NOT EDIT from .action import SubmitAnalysis diff --git a/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/submitAnalysis/schema.py b/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/submitAnalysis/schema.py index 435d60dbbb..689f4796d8 100755 --- a/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/submitAnalysis/schema.py +++ b/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/submitAnalysis/schema.py @@ -1,4 +1,4 @@ -# GENERATED BY KOMAND SDK - DO NOT EDIT +# GENERATED BY INSIGHT-PLUGIN - DO NOT EDIT import insightconnect_plugin_runtime import json @@ -17,14 +17,14 @@ class Input: SUBMITNAME = "submitName" SYSTEMDATETIME = "systemDateTime" URL = "url" - + class Output: SUBMISSION = "submission" - + class SubmitAnalysisInput(insightconnect_plugin_runtime.Input): - schema = json.loads(""" + schema = json.loads(r""" { "type": "object", "title": "Variables", @@ -34,12 +34,12 @@ class SubmitAnalysisInput(insightconnect_plugin_runtime.Input): "title": "Action Script", "description": "Runtime script for sandbox analysis", "enum": [ + "", "default", "default_maxantievasion", "default_randomfiles", "default_randomtheme", - "default_openie", - "" + "default_openie" ], "order": 4 }, @@ -50,11 +50,9 @@ class SubmitAnalysisInput(insightconnect_plugin_runtime.Input): "order": 5 }, "documentPassword": { - "type": "string", + "$ref": "#/definitions/password", "title": "Document Password", - "displayType": "password", "description": "Auto-filled for Adobe or Office files that prompt for a password. Max length is 32 characters", - "format": "password", "order": 6 }, "environmentId": { 
@@ -75,11 +73,11 @@ class SubmitAnalysisInput(insightconnect_plugin_runtime.Input): "title": "Network Settings", "description": "Specifies the sandbox network_settings used for analysis", "enum": [ + "", "default", "tor", "simulated", - "offline", - "" + "offline" ], "order": 7 }, @@ -97,10 +95,10 @@ class SubmitAnalysisInput(insightconnect_plugin_runtime.Input): }, "systemDateTime": { "type": "string", - "title": "System Date Time", + "format": "date-time", "displayType": "date", + "title": "System Date Time", "description": "System date and time", - "format": "date-time", "order": 9 }, "url": { @@ -112,7 +110,14 @@ class SubmitAnalysisInput(insightconnect_plugin_runtime.Input): }, "required": [ "environmentId" - ] + ], + "definitions": { + "password": { + "type": "string", + "format": "password", + "displayType": "password" + } + } } """) @@ -121,7 +126,7 @@ def __init__(self): class SubmitAnalysisOutput(insightconnect_plugin_runtime.Output): - schema = json.loads(""" + schema = json.loads(r""" { "type": "object", "title": "Variables", 
@@ -137,91 +142,106 @@ class SubmitAnalysisOutput(insightconnect_plugin_runtime.Output): "submission" ], "definitions": { - "sandboxShort": { + "submission": { "type": "object", - "title": "sandboxShort", + "title": "submission", "properties": { - "actionScript": { + "id": { "type": "string", - "title": "Action Script", - "description": "Action script", - "order": 4 + "title": "ID", + "description": "ID", + "order": 1 }, - "environmentDescription": { + "cid": { "type": "string", - "title": "Environment Description", - "description": "Environment description", - "order": 9 - }, - "environmentId": { - "type": "integer", - "title": "Environment ID", - "description": "Environment ID", - "order": 8 + "title": "Cid", + "description": "Cid", + "order": 2 }, - "errorMessage": { + "userId": { "type": "string", - "title": "Error Message", - "description": "Error message", - "order": 15 + "title": "User ID", + "description": "User ID", + "order": 3 }, - "errorOrigin": { + "userName": { "type": "string", - "title": "Error Origin", - "description": "Error origin", - "order": 17 + "title": "User Name", + "description": "User name", + "order": 4 }, - "errorType": { + "userUuid": { "type": "string", - "title": "Error Type", - "description": "Error type", - "order": 16 + "title": "User UUID", + "description": "User UUID", + "order": 5 }, - "fileType": { + "origin": { "type": "string", - "title": "File Type", - "description": "File type", - "order": 10 + "title": "Origin", + "description": "Origin", + "order": 6 }, - "networkSettings": { + "state": { "type": "string", - "title": "Network Settings", - "description": "Network settings", + "title": "State", + "description": "State", "order": 7 }, - "sampleFlags": { + "createdTimestamp": { + "type": "string", + "title": "Created Timestamp", + "description": "Created timestamp", + "order": 8 + }, + "sandbox": { "type": "array", - "title": "Sample Flags", - "description": "Sample flags", + "title": "Sandbox", + "description": "Sandbox", 
"items": { - "type": "string" + "$ref": "#/definitions/sandboxShort" }, - "order": 14 + "order": 9 }, + "userTags": { + "type": "array", + "title": "User Tags", + "description": "User tags", + "items": { + "type": "string" + }, + "order": 10 + } + } + }, + "sandboxShort": { + "type": "object", + "title": "sandboxShort", + "properties": { "sha256": { "type": "string", "title": "SHA256", "description": "SHA256", "order": 1 }, - "submissionType": { - "type": "string", - "title": "Submission Type", - "description": "Submission type", - "order": 12 - }, - "submitName": { - "type": "string", - "title": "Submit Name", - "description": "Submit name", - "order": 11 - }, "submitUrl": { "type": "string", "title": "Submit URL", "description": "Submit URL", "order": 2 }, + "url": { + "type": "string", + "title": "URL", + "description": "URL", + "order": 3 + }, + "actionScript": { + "type": "string", + "title": "Action Script", + "description": "Action script", + "order": 4 + }, "systemDate": { "type": "string", "title": "System Date", 
@@ -234,202 +254,74 @@ class SubmitAnalysisOutput(insightconnect_plugin_runtime.Output): "description": "System time", "order": 6 }, - "url": { - "type": "string", - "title": "URL", - "description": "URL", - "order": 3 - }, - "verdict": { - "type": "string", - "title": "Verdict", - "description": "Verdict", - "order": 13 - } - } - }, - "submission": { - "type": "object", - "title": "submission", - "properties": { - "cid": { + "networkSettings": { "type": "string", - "title": "Cid", - "description": "Cid", - "order": 2 + "title": "Network Settings", + "description": "Network settings", + "order": 7 }, - "createdTimestamp": { - "type": "string", - "title": "Created Timestamp", - "description": "Created timestamp", + "environmentId": { + "type": "integer", + "title": "Environment ID", + "description": "Environment ID", "order": 8 }, - "id": { + "environmentDescription": { "type": "string", - "title": "ID", - "description": "ID", - "order": 1 + "title": "Environment Description", + "description": "Environment description", + "order": 9 }, - "origin": { + "fileType": { "type": "string", - "title": "Origin", - "description": "Origin", - "order": 6 - }, - "sandbox": { - "type": "array", - "title": "Sandbox", - "description": "Sandbox", - "items": { - "$ref": "#/definitions/sandboxShort" - }, - "order": 9 + "title": "File Type", + "description": "File type", + "order": 10 }, - "state": { + "submitName": { "type": "string", - "title": "State", - "description": "State", - "order": 7 + "title": "Submit Name", + "description": "Submit name", + "order": 11 }, - "userId": { + "submissionType": { "type": "string", - "title": "User ID", - "description": "User ID", - "order": 3 + "title": "Submission Type", + "description": "Submission type", + "order": 12 }, - "userName": { + "verdict": { "type": "string", - "title": "User Name", - "description": "User name", - "order": 4 + "title": "Verdict", + "description": "Verdict", + "order": 13 }, - "userTags": { + "sampleFlags": { "type": 
"array", - "title": "User Tags", - "description": "User tags", + "title": "Sample Flags", + "description": "Sample flags", "items": { "type": "string" }, - "order": 10 + "order": 14 }, - "userUuid": { + "errorMessage": { "type": "string", - "title": "User UUID", - "description": "User UUID", - "order": 5 - } - }, - "definitions": { - "sandboxShort": { - "type": "object", - "title": "sandboxShort", - "properties": { - "actionScript": { - "type": "string", - "title": "Action Script", - "description": "Action script", - "order": 4 - }, - "environmentDescription": { - "type": "string", - "title": "Environment Description", - "description": "Environment description", - "order": 9 - }, - "environmentId": { - "type": "integer", - "title": "Environment ID", - "description": "Environment ID", - "order": 8 - }, - "errorMessage": { - "type": "string", - "title": "Error Message", - "description": "Error message", - "order": 15 - }, - "errorOrigin": { - "type": "string", - "title": "Error Origin", - "description": "Error origin", - "order": 17 - }, - "errorType": { - "type": "string", - "title": "Error Type", - "description": "Error type", - "order": 16 - }, - "fileType": { - "type": "string", - "title": "File Type", - "description": "File type", - "order": 10 - }, - "networkSettings": { - "type": "string", - "title": "Network Settings", - "description": "Network settings", - "order": 7 - }, - "sampleFlags": { - "type": "array", - "title": "Sample Flags", - "description": "Sample flags", - "items": { - "type": "string" - }, - "order": 14 - }, - "sha256": { - "type": "string", - "title": "SHA256", - "description": "SHA256", - "order": 1 - }, - "submissionType": { - "type": "string", - "title": "Submission Type", - "description": "Submission type", - "order": 12 - }, - "submitName": { - "type": "string", - "title": "Submit Name", - "description": "Submit name", - "order": 11 - }, - "submitUrl": { - "type": "string", - "title": "Submit URL", - "description": "Submit URL", - 
"order": 2 - }, - "systemDate": { - "type": "string", - "title": "System Date", - "description": "System date", - "order": 5 - }, - "systemTime": { - "type": "string", - "title": "System Time", - "description": "System time", - "order": 6 - }, - "url": { - "type": "string", - "title": "URL", - "description": "URL", - "order": 3 - }, - "verdict": { - "type": "string", - "title": "Verdict", - "description": "Verdict", - "order": 13 - } - } + "title": "Error Message", + "description": "Error message", + "order": 15 + }, + "errorType": { + "type": "string", + "title": "Error Type", + "description": "Error type", + "order": 16 + }, + "errorOrigin": { + "type": "string", + "title": "Error Origin", + "description": "Error origin", + "order": 17 } } } diff --git a/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/uploadMalwareSample/__init__.py b/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/uploadMalwareSample/__init__.py new file mode 100644 index 0000000000..d0dbe29b40 --- /dev/null +++ b/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/uploadMalwareSample/__init__.py @@ -0,0 +1,2 @@ +# GENERATED BY INSIGHT-PLUGIN - DO NOT EDIT +from .action import UploadMalwareSample diff --git a/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/uploadMalwareSample/action.py b/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/uploadMalwareSample/action.py new file mode 100644 index 0000000000..0012bda2ce --- /dev/null +++ b/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/uploadMalwareSample/action.py 
@@ -0,0 +1,32 @@ +import insightconnect_plugin_runtime +from .schema import UploadMalwareSampleInput, UploadMalwareSampleOutput, Input, Output, Component + +# Custom imports below + + +class UploadMalwareSample(insightconnect_plugin_runtime.Action): + def __init__(self): + super(self.__class__, self).__init__( + name="uploadMalwareSample", + description=Component.DESCRIPTION, + input=UploadMalwareSampleInput(), + output=UploadMalwareSampleOutput(), + ) + + def run(self, params={}): + # START INPUT BINDING - DO NOT REMOVE - ANY INPUTS BELOW WILL UPDATE WITH YOUR PLUGIN SPEC AFTER REGENERATION + sample = params.get(Input.SAMPLE, {}) + comment = params.get(Input.COMMENT, "") + filename = params.get(Input.FILENAME, "") + is_confidential = params.get(Input.ISCONFIDENTIAL, True) + # END INPUT BINDING - DO NOT REMOVE + + response = self.connection.api_client.upload_malware_sample(sample, filename, comment, is_confidential).get( + "resources", [] + ) + result = next(iter(response), {}) + + return { + Output.SHA256: result.get("sha256", ""), + Output.FILENAME: result.get("file_name", ""), + } diff --git a/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/uploadMalwareSample/schema.py b/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/uploadMalwareSample/schema.py new file mode 100644 index 0000000000..1f64da4478 --- /dev/null +++ b/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/actions/uploadMalwareSample/schema.py 
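Review bot: `run` reports an empty-resources response as success: `next(iter(response), {})` falls back to an empty dict and the return dict is built from `result.get(..., "")`, so a failed or empty upload yields blank `sha256` and `fileName` even though the output schema marks both as required, and a downstream workflow would carry an empty hash forward as if the sample had been stored. Fail explicitly instead, e.g. `if not result: raise PluginException(cause="The API returned no sample data for the upload.", assistance="Verify the sample, filename and comment inputs and check the API response.")`, importing `PluginException` from `insightconnect_plugin_runtime.exceptions` as util/api.py already does. The `params={}` mutable default follows the SDK template and is only read here, so it is harmless, but `params=None` with `params = params or {}` is the safer form.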
@@ -0,0 +1,115 @@ +# GENERATED BY INSIGHT-PLUGIN - DO NOT EDIT +import insightconnect_plugin_runtime +import json + + +class Component: + DESCRIPTION = "Upload malware sample" + + +class Input: + COMMENT = "comment" + FILENAME = "filename" + ISCONFIDENTIAL = "isConfidential" + SAMPLE = "sample" + + +class Output: + FILENAME = "fileName" + SHA256 = "sha256" + + +class UploadMalwareSampleInput(insightconnect_plugin_runtime.Input): + schema = json.loads(r""" + { + "type": "object", + "title": "Variables", + "properties": { + "comment": { + "type": "string", + "title": "Comment", + "description": "A descriptive comment to identify the file for other users", + "order": 3 + }, + "filename": { + "type": "string", + "title": "Filename", + "description": "The name of file to be used to override the default filename", + "order": 2 + }, + "isConfidential": { + "type": "boolean", + "title": "Is Confidential", + "description": "Defines visibility of this file in Falcon MalQuery, either via the API or the Falcon console. `True` means that file is only shown to users within your customer account. 
`False` means that file can be seen by other CrowdStrike customers", + "default": true, + "order": 4 + }, + "sample": { + "$ref": "#/definitions/file", + "title": "Sample", + "description": "The samples of file to be sent for analysis (max file size is 256 MB)", + "order": 1 + } + }, + "required": [ + "comment", + "filename", + "sample" + ], + "definitions": { + "file": { + "id": "file", + "type": "object", + "title": "File", + "description": "File Object", + "properties": { + "filename": { + "type": "string", + "title": "Filename", + "description": "Name of file" + }, + "content": { + "type": "string", + "format": "bytes", + "title": "Content", + "description": "File contents" + } + } + } + } +} + """) + + def __init__(self): + super(self.__class__, self).__init__(self.schema) + + +class UploadMalwareSampleOutput(insightconnect_plugin_runtime.Output): + schema = json.loads(r""" + { + "type": "object", + "title": "Variables", + "properties": { + "fileName": { + "type": "string", + "title": "Filename", + "description": "The name of uploaded malware sample file", + "order": 2 + }, + "sha256": { + "type": "string", + "title": "SHA256", + "description": "The ID of the sample, which is a SHA256 hash value", + "order": 1 + } + }, + "required": [ + "fileName", + "sha256" + ], + "definitions": {} +} + """) + + def __init__(self): + super(self.__class__, self).__init__(self.schema) diff --git a/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/connection/__init__.py b/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/connection/__init__.py index a515dcf6b0..c78d3356be 100755 --- a/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/connection/__init__.py +++ b/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/connection/__init__.py @@ -1,2 +1,2 @@ -# GENERATED BY KOMAND SDK - DO NOT EDIT +# GENERATED BY INSIGHT-PLUGIN - DO NOT EDIT from .connection import Connection 
diff --git a/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/connection/schema.py b/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/connection/schema.py index a0c385729d..e382771ce8 100755 --- a/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/connection/schema.py +++ b/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/connection/schema.py @@ -1,4 +1,4 @@ -# GENERATED BY KOMAND SDK - DO NOT EDIT +# GENERATED BY INSIGHT-PLUGIN - DO NOT EDIT import insightconnect_plugin_runtime import json @@ -7,10 +7,10 @@ class Input: BASEURL = "baseUrl" CLIENTID = "clientId" CLIENTSECRET = "clientSecret" - + class ConnectionSchema(insightconnect_plugin_runtime.Input): - schema = json.loads(""" + schema = json.loads(r""" { "type": "object", "title": "Variables", @@ -46,18 +46,18 @@ class ConnectionSchema(insightconnect_plugin_runtime.Input): "type": "object", "title": "Credential: Secret Key", "description": "A shared secret key", + "required": [ + "secretKey" + ], "properties": { "secretKey": { "type": "string", "title": "Secret Key", - "displayType": "password", "description": "The shared secret key", - "format": "password" + "format": "password", + "displayType": "password" } - }, - "required": [ - "secretKey" - ] + } } } } diff --git a/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/tasks/__init__.py b/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/tasks/__init__.py new file mode 100644 index 0000000000..7020c9a4ad --- /dev/null +++ b/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/tasks/__init__.py @@ -0,0 +1,2 @@ +# GENERATED BY INSIGHT-PLUGIN - DO NOT EDIT + 
diff --git a/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/triggers/__init__.py b/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/triggers/__init__.py index bace8db897..7020c9a4ad 100755 --- a/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/triggers/__init__.py +++ b/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/triggers/__init__.py @@ -1 +1,2 @@ -# GENERATED BY KOMAND SDK - DO NOT EDIT +# GENERATED BY INSIGHT-PLUGIN - DO NOT EDIT + diff --git a/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/util/api.py b/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/util/api.py index fcbec163b2..401b548e25 100644 --- a/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/util/api.py +++ b/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/util/api.py @@ -1,20 +1,23 @@ import json +from base64 import b64decode from logging import Logger -from typing import Union +from typing import Dict, Union import requests from insightconnect_plugin_runtime.exceptions import PluginException +from requests_toolbelt import MultipartEncoder -from icon_crowdstrike_falcon_intelligence.util.helpers import clean_dict from icon_crowdstrike_falcon_intelligence.util.endpoints import ( - AUTHENTICATION_ENDPOINT, ARTIFACTS_ENDPOINT, + AUTHENTICATION_ENDPOINT, + REPORT_SUMMARIES_ENDPOINT, REPORTS_ENDPOINT, REPORTS_QUERY_ENDPOINT, - REPORT_SUMMARIES_ENDPOINT, SUBMISSIONS_ENDPOINT, SUBMISSIONS_QUERY_ENDPOINT, + UPLOAD_MALWARE_ENDPOINT, ) +from icon_crowdstrike_falcon_intelligence.util.helpers import clean_dict class CrowdStrikeAPI: 
@@ -109,20 +112,41 @@ def get_submissions_ids(self, offset: int = None, limit: int = None, filter_quer params={"limit": limit, "offset": offset, "filter": filter_query}, ).get("resources") + def upload_malware_sample(self, sample: Dict[str, str], filename: str, comment: str, is_confidential: bool = True): + headers = self.get_headers() + self._logger.info("Uploading malware sample for analysis...") + multipart_form_data = MultipartEncoder( + fields={ + "sample": (sample.get("filename", ""), b64decode(sample.get("content", "")), "text/plain"), + "file_name": filename, + "comment": comment, + "is_confidential": f"{is_confidential}".lower(), + } + ) + response = self.make_json_request( + "POST", + f"{self._base_url}{UPLOAD_MALWARE_ENDPOINT}", + data=multipart_form_data, + headers={**headers, "Content-Type": multipart_form_data.content_type}, + ) + self._logger.info("Uploading completed.") + return response + def make_request( - self, - method: str, - url: str, - params: dict = None, - json_data: dict = None, + self, method: str, url: str, *args, params: dict = None, json_data: dict = None, headers: dict = None, **kwargs ) -> requests.Response: try: + if not headers: + headers = self.get_headers() + response = requests.request( + *args, method=method, url=url, - headers=self.get_headers(), + headers=headers, params=clean_dict(params), json=clean_dict(json_data), + **kwargs, ) if response.status_code == 400: 
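Review bot: The `*args` added to `make_request`'s signature cannot be used safely, because the body forwards it as `requests.request(*args, method=method, url=url, ...)`, where any positional value binds to `requests.request`'s first parameter `method` and collides with the `method=` keyword, raising `TypeError: got multiple values for argument 'method'`; `make_json_request` in the next hunk has the same problem, forwarding `*args` after its keyword arguments. Drop `*args` from both and keep the pass-through keyword-only: `self, method: str, url: str, *, params: dict = None, json_data: dict = None, headers: dict = None, **kwargs`. Separately, in `upload_malware_sample` the `b64decode(sample.get("content", ""))` call raises `binascii.Error` on malformed content, which is not converted to a `PluginException` like the other failure paths of this class; wrapping it with `except binascii.Error as error: raise PluginException(cause="Sample content is not valid base64.", assistance="Provide the sample as a base64-encoded file.", data=error)` keeps error reporting consistent. `make_request`'s body continues outside the hunk.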
@@ -155,10 +179,10 @@ def make_request( raise PluginException(preset=PluginException.Preset.UNKNOWN, data=error) def make_json_request( - self, method: str, url: str, params: dict = None, json_data: dict = None + self, method: str, url: str, *args, params: dict = None, json_data: dict = None, **kwargs ) -> Union[list, dict]: try: - response = self.make_request(method=method, url=url, params=params, json_data=json_data) + response = self.make_request(method=method, url=url, params=params, json_data=json_data, *args, **kwargs) return response.json() except json.decoder.JSONDecodeError as error: raise PluginException(preset=PluginException.Preset.INVALID_JSON, data=error) diff --git a/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/util/endpoints.py b/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/util/endpoints.py index d04d99ed24..e276f0e565 100644 --- a/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/util/endpoints.py +++ b/plugins/crowdstrike_falcon_intelligence/icon_crowdstrike_falcon_intelligence/util/endpoints.py @@ -5,3 +5,4 @@ SUBMISSIONS_ENDPOINT = "/falconx/entities/submissions/v1" REPORTS_QUERY_ENDPOINT = "/falconx/queries/reports/v1" SUBMISSIONS_QUERY_ENDPOINT = "/falconx/queries/submissions/v1" +UPLOAD_MALWARE_ENDPOINT = "/samples/entities/samples/v2" diff --git a/plugins/crowdstrike_falcon_intelligence/plugin.spec.yaml b/plugins/crowdstrike_falcon_intelligence/plugin.spec.yaml index e14e7f8ae9..c89dac7412 100644 --- a/plugins/crowdstrike_falcon_intelligence/plugin.spec.yaml +++ b/plugins/crowdstrike_falcon_intelligence/plugin.spec.yaml 
@@ -4,7 +4,8 @@ products: [insightconnect] name: crowdstrike_falcon_intelligence title: CrowdStrike Falcon Intelligence description: CrowdStrike Falcon Intelligence is used to automatically investigate incidents and accelerate alert triage and response. Built into the Falcon Platform, it is operational in seconds -version: 1.0.0 +version: 1.1.0 +connection_version: 1 supported_versions: ["2022-11-28 Crowdstrike API v2"] vendor: rapid7 support: rapid7 @@ -19,7 +20,27 @@ hub_tags: use_cases: [threat_detection_and_response] keywords: [antivirus, cloud_enabled] features: [] - +sdk: + type: slim + version: 6.1.4 + user: nobody +key_features: + - "Get full or short report" + - "Submit file for analysis" + - "Check analysis status" + - "Get submissions ids" + - "Get reports ids" +requirements: + - "URL of your Crowdstrike Platform instance" + - "Client ID" + - "Client Secret" +version_history: + - "1.1.0 - New action added: `Upload Malware Sample` | Updated SDK to the latest version" + - "1.0.0 - Initial plugin | Check Analysis Status, Download Artifact, Get Full Report, Get Reports IDs, Get Short Report, Get Submissions IDs, Submit Analysis" +links: + - "[CrowdStrike Falcon Intelligence](https://www.crowdstrike.com/products/threat-intelligence/falcon-intelligence-automated-intelligence/)" +references: + - "[CrowdStrike Falcon Intelligence](https://www.crowdstrike.com/products/threat-intelligence/falcon-intelligence-automated-intelligence/)" types: extractedInterestingStrings: value: @@ -576,7 +597,7 @@ types: description: User name type: string required: false - example: mike_rinehart@rapid7.com + example: user@example.com userUuid: title: User UUID description: User UUID 
@@ -895,7 +916,7 @@ actions: description: List of artifacts type: '[]artifact' required: true - example: '[]' + example: '[{"ioc":"44d88612fea8a8f36de82e1278abb02f","source":"extracted","type":"md5"},{"ioc":"44d88612fea8a8f36de82e1278abb02f","source":"extracted","type":"md5"},{"ioc":"44d88612fea8a8f36de82e1278abb02f","source":"extracted","type":"md5"},{"ioc":"44d88612fea8a8f36de82e1278abb02f","source":"extracted","type":"md5"},{"ioc":"3395856ce81f2b7382dee72602f798b642f14140","source":"extracted","type":"sha1"},{"ioc":"3395856ce81f2b7382dee72602f798b642f14140","source":"extracted","type":"sha1"},{"ioc":"3395856ce81f2b7382dee72602f798b642f14140","source":"extracted","type":"sha1"},{"ioc":"3395856ce81f2b7382dee72602f798b642f14140","source":"extracted","type":"sha1"},{"ioc":"275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f","source":"extracted","type":"sha256"},{"ioc":"275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f","source":"extracted","type":"sha256"},{"ioc":"275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f","source":"extracted","type":"sha256"},{"ioc":"275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f","source":"extracted","type":"sha256"},{"ioc":"275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f","source":"input","type":"sha256"},{"ioc":"275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f","source":"runtime","type":"sha256"},{"ioc":"275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f","source":"runtime","type":"sha256"}]' getShortReport: title: Get Short Report description: Get a short summary version of a sandbox report 
@@ -912,7 +933,7 @@ actions: description: List of short sandbox reports type: '[]reportShort' required: true - example: '[]' + example: '[{"cid":"9382986b58cb4bb4935e7eba079842f3","createdTimestamp":"2022-09-28T07:45:34Z","id":"9382986b58cb4bb4935e7eba079842f3_d1ce821d74484545897f2fd5db40d0a7","origin":"uiproxy","sandbox":[{"environmentDescription":"Windows 7 32 bit","environmentId":100,"errorMessage":"The file \"Dockerfile\" has the file format \"text\", which is not supported","errorOrigin":"CLIENT","errorType":"FILE_TYPE_BAD_ERROR","fileType":"ASCII text","sha256":"275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f","submissionType":"file","submitName":"Dockerfile"}],"userId":"9de5069c5afe602b2ea0a04b66beb2c0","userName":"https://example.com","verdict":"no verdict"}]' getFullReport: title: Get Full Report description: Get a full sandbox report @@ -929,7 +950,7 @@ actions: description: List of sandbox reports type: '[]report' required: true - example: '[]' + example: '["9de5069c5afe602b2ea0a11b66beb2c0_9aa5069c5afe602b2ea0a04b66beb2c0"]' checkAnalysisStatus: title: Check Analysis Status description: Check the status of a sandbox analysis. Time required for analysis varies but is usually less than 15 minutes 
@@ -946,7 +967,7 @@ actions: description: List of submissions type: '[]submission' required: true - example: '[]' + example: '[{"id":"9382986b58cb4b44935e7eba079842f3_7c6d4bf5ab0c4459b855aaa345f4bcf9","cid":"9382986b58cb4b44935e7eba079842f3","userId":"3e7da174cb6944e8a4cd8a5a59a76727","userName":"user@example.com","userUuid":"a149764d-21ee-42af-ac9f-023f5d23ab81","origin":"uiproxy","state":"error","createdTimestamp":"2022-08-30T09:25:35Z","sandbox":[{"sha256":"275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f","environmentId":300,"submitName":"action.py"}]},{"id":"9382986b58cb4b44935e7eba079842f3_63aca0772bf342648b2a8779c7bfcadd","cid":"9382986b58cb4b44935e7eba079842f3","userId":"3e7da174cb6944e8a4cd8a5a59a76727","userName":"user@example.com","userUuid":"a149764d-21ee-42af-ac9f-023f5d23ab81","origin":"uiproxy","state":"error","createdTimestamp":"2022-08-30T09:21:00Z","sandbox":[{"sha256":"275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f","environmentId":100,"submitName":"Archive.zip"}]}]' submitAnalysis: title: Submit Analysis description: Submit an uploaded file or a URL for sandbox analysis. Time required for analysis varies but is usually less than 15 minutes @@ -958,11 +979,11 @@ actions: required: true example: 110 enum: - - 100 - - 110 - - 160 - - 200 - - 300 + - 100 + - 110 + - 160 + - 200 + - 300 sha256: title: SHA256 description: ID of the sample, which is a SHA256 hash value. Find a sample ID from the response when uploading a malware sample or search with `Get Submissions IDs` action. The `url` parameter must be unset if `sha256` is used 
@@ -982,12 +1003,12 @@ actions: required: false example: default_openie enum: - - default - - default_maxantievasion - - default_randomfiles - - default_randomtheme - - default_openie - - '' + - "" + - default + - default_maxantievasion + - default_randomfiles + - default_randomtheme + - default_openie commandLine: title: Command Line description: Command line script passed to the submitted file at runtime. Max length is 2048 characters @@ -1007,11 +1028,11 @@ actions: required: false example: tor enum: - - default - - tor - - simulated - - offline - - '' + - "" + - default + - tor + - simulated + - offline submitName: title: Submit Name description: Name of the malware sample that's used for file type detection and analysis @@ -1030,7 +1051,7 @@ actions: description: Submission type: 'submission' required: true - example: '{}' + example: '{"cid":"9de5069c5mne602b2ea0a04b66beb2c0","createdTimestamp":"2022-11-22T06:10:42Z","id":"9de5069c5mne602b2ea0a04b66beb2c0_8de5069c5afe602b2ea0a04b66beb2c0","origin":"apigateway","sandbox":[{"actionScript":"default_openie","environmentId":110,"networkSettings":"tor","sha256":"275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f","submitName":"my_sample","systemDate":"2022-12-22","systemTime":"17:33"}],"state":"created"}' getReportsIDs: title: Get Reports IDs description: Find sandbox reports by providing an FQL filter and paging details. Returns a set of report IDs that match your criteria @@ -1078,7 +1099,7 @@ actions: example: 5 limit: title: Limit - description: Maximum number of report IDs to return - less or equal to 5000 + description: Maximum number of report IDs to return - less or equal to 5000 type: integer required: false example: 324 
@@ -1088,4 +1109,46 @@ actions: description: List of submission IDs type: '[]string' required: true - example: ['9382986b58cb4b44935e7eba071142f3_92c8b7525e2b4888bd9e2jj7391c7104'] + example: '["9382986b58cb4b44935e7eba071142f3_92c8b7525e2b4888bd9e2jj7391c7104"]' + uploadMalwareSample: + title: Upload Malware Samples + description: Upload malware sample + input: + sample: + title: Sample + description: The samples of file to be sent for analysis (max file size is 256 MB) + type: file + required: true + example: UmFwaWQ3IEluc2lnaHRDb25uZWN0Cg== + filename: + title: Filename + description: The name of file to be used to override the default filename + type: string + required: true + example: ExampleFilename.exe + comment: + title: Comment + description: A descriptive comment to identify the file for other users + type: string + required: true + example: ExampleComment + isConfidential: + title: Is Confidential + description: Defines visibility of this file in Falcon MalQuery, either via the API or the Falcon console. `True` means that file is only shown to users within your customer account. `False` means that file can be seen by other CrowdStrike customers + type: boolean + required: false + example: true + default: true + output: + sha256: + title: SHA256 + description: The ID of the sample, which is a SHA256 hash value + type: string + required: true + example: 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f + fileName: + title: Filename + description: The name of uploaded malware sample file + type: string + required: true + example: ExampleMalwareSampleFile.exe diff --git a/plugins/crowdstrike_falcon_intelligence/requirements.txt b/plugins/crowdstrike_falcon_intelligence/requirements.txt index adbecb2141..eddc570a4f 100755 --- a/plugins/crowdstrike_falcon_intelligence/requirements.txt +++ b/plugins/crowdstrike_falcon_intelligence/requirements.txt 
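Review bot: The new `uploadMalwareSample` entry is internally inconsistent: its title is `Upload Malware Samples` while the action takes a single `sample` and its description says `Upload malware sample`, and `filename` is `required: true` even though its description calls it an override of the default filename. Either make the field optional (`required: false`) or reword the description so it no longer promises a default; and the `sample` description `The samples of file to be sent for analysis` should read `The file to be sent for analysis (max file size is 256 MB)`. The action implementation that consumes these inputs is not in this hunk, so whether `filename` is actually optional server-side cannot be confirmed here.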
@@ -1,4 +1,5 @@ # List third-party dependencies here, separated by newlines. # All dependencies must be version-pinned, eg. requests==1.2.0 # See: https://pip.pypa.io/en/stable/user_guide/#requirements-files -parameterized==0.8.1 \ No newline at end of file +parameterized==0.8.1 +requests-toolbelt==1.0.0 diff --git a/plugins/crowdstrike_falcon_intelligence/setup.py b/plugins/crowdstrike_falcon_intelligence/setup.py index 75a30b814b..c2c022cb36 100755 --- a/plugins/crowdstrike_falcon_intelligence/setup.py +++ b/plugins/crowdstrike_falcon_intelligence/setup.py @@ -1,9 +1,9 @@ -# GENERATED BY KOMAND SDK - DO NOT EDIT +# GENERATED BY INSIGHT-PLUGIN - DO NOT EDIT from setuptools import setup, find_packages setup(name="crowdstrike_falcon_intelligence-rapid7-plugin", - version="1.0.0", + version="1.1.0", description="CrowdStrike Falcon Intelligence is used to automatically investigate incidents and accelerate alert triage and response. Built into the Falcon Platform, it is operational in seconds", author="rapid7", author_email="", diff --git a/plugins/crowdstrike_falcon_intelligence/unit_test/expected/upload_malware_sample.json.exp b/plugins/crowdstrike_falcon_intelligence/unit_test/expected/upload_malware_sample.json.exp new file mode 100644 index 0000000000..aa98ea298f --- /dev/null +++ b/plugins/crowdstrike_falcon_intelligence/unit_test/expected/upload_malware_sample.json.exp @@ -0,0 +1,4 @@ +{ + "sha256": "12345", + "fileName": "test_malware_sample.py" +} diff --git a/plugins/crowdstrike_falcon_intelligence/unit_test/inputs/upload_malware_sample.json.inp b/plugins/crowdstrike_falcon_intelligence/unit_test/inputs/upload_malware_sample.json.inp new file mode 100644 index 0000000000..6fe710876e --- /dev/null +++ b/plugins/crowdstrike_falcon_intelligence/unit_test/inputs/upload_malware_sample.json.inp 
@@ -0,0 +1,9 @@ +{ + "sample": { + "content": "MTIzNDU=", + "filename": "test_malware.py" + }, + "filename": "test_malware_sample.py", + "comment": "This is a test", + "isConfidential": true +} diff --git a/plugins/crowdstrike_falcon_intelligence/unit_test/responses/upload_malware_sample.json.resp b/plugins/crowdstrike_falcon_intelligence/unit_test/responses/upload_malware_sample.json.resp new file mode 100644 index 0000000000..c572bd36d7 --- /dev/null +++ b/plugins/crowdstrike_falcon_intelligence/unit_test/responses/upload_malware_sample.json.resp @@ -0,0 +1,13 @@ +{ + "meta": { + "query_time": 1e-8, + "trace_id": "ExampleTraceID" + }, + "resources": [ + { + "sha256": "12345", + "file_name": "test_malware_sample.py" + } + ], + "errors": [] +} diff --git a/plugins/crowdstrike_falcon_intelligence/unit_test/test_check_analysis_status.py b/plugins/crowdstrike_falcon_intelligence/unit_test/test_check_analysis_status.py index f68aff1d6a..77b22d388f 100644 --- a/plugins/crowdstrike_falcon_intelligence/unit_test/test_check_analysis_status.py +++ b/plugins/crowdstrike_falcon_intelligence/unit_test/test_check_analysis_status.py @@ -1,15 +1,18 @@ -import sys import os +import sys +from typing import Any, Dict from unittest import TestCase -from unittest.mock import patch +from unittest.mock import MagicMock, patch from insightconnect_plugin_runtime.exceptions import PluginException sys.path.append(os.path.abspath("../")) -from unit_test.util import Util -from parameterized import parameterized from icon_crowdstrike_falcon_intelligence.actions.checkAnalysisStatus import CheckAnalysisStatus +from jsonschema import validate +from parameterized import parameterized + +from util import Util @patch("requests.request", side_effect=Util.mock_request) 
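Review bot: `from jsonschema import validate` is a new third-party import in `test_check_analysis_status.py`, but the `requirements.txt` hunk in this commit adds only `requests-toolbelt==1.0.0`, so the suite will only run where `jsonschema` already happens to be installed (presumably pulled in by `insightconnect_plugin_runtime`, which this diff cannot confirm). Either add `jsonschema==<pinned version>` to `requirements.txt` or leave a comment next to the import noting the transitive dependency. The same import is added in the matching hunks of `test_download_artifact.py`, `test_get_full_report.py`, `test_get_reports_ids.py`, `test_get_short_report.py`, `test_get_submissions_ids.py`, `test_submit_analysis.py` and the new `test_upload_malware_sample.py`.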
@@ -32,8 +35,11 @@ def setUpClass(cls) -> None: ], ] ) - def test_check_analysis_status(self, mock_request, test_name, input_params, expected): + def test_check_analysis_status( + self, mock_request: MagicMock, test_name: str, input_params: Dict[str, Any], expected: Dict[str, Any] + ) -> None: actual = self.action.run(input_params) + validate(actual, self.action.output.schema) self.assertEqual(actual, expected) @parameterized.expand( @@ -46,7 +52,9 @@ def test_check_analysis_status(self, mock_request, test_name, input_params, expe ] ] ) - def test_check_analysis_status_raise_exception(self, mock_request, test_name, input_parameters, cause, assistance): + def test_check_analysis_status_raise_exception( + self, mock_request: MagicMock, test_name: str, input_parameters: Dict[str, Any], cause: str, assistance: str + ) -> None: with self.assertRaises(PluginException) as error: self.action.run(input_parameters) self.assertEqual(error.exception.cause, cause.format(analysis_ids=input_parameters.get("ids"))) diff --git a/plugins/crowdstrike_falcon_intelligence/unit_test/test_download_artifact.py b/plugins/crowdstrike_falcon_intelligence/unit_test/test_download_artifact.py index 9a7ae324a9..4f9df4fb30 100644 --- a/plugins/crowdstrike_falcon_intelligence/unit_test/test_download_artifact.py +++ b/plugins/crowdstrike_falcon_intelligence/unit_test/test_download_artifact.py 
@@ -1,15 +1,18 @@ -import sys import os +import sys +from typing import Any, Dict from unittest import TestCase -from unittest.mock import patch +from unittest.mock import MagicMock, patch from insightconnect_plugin_runtime.exceptions import PluginException +from jsonschema import validate sys.path.append(os.path.abspath("../")) -from unit_test.util import Util -from parameterized import parameterized from icon_crowdstrike_falcon_intelligence.actions.downloadArtifact import DownloadArtifact +from parameterized import parameterized + +from util import Util @patch("requests.request", side_effect=Util.mock_request) @@ -27,8 +30,11 @@ def setUpClass(cls) -> None: ] ] ) - def test_download_artifact(self, mock_request, test_name, input_params, expected): + def test_download_artifact( + self, mock_request: MagicMock, test_name: str, input_params: Dict[str, Any], expected: Dict[str, Any] + ) -> None: actual = self.action.run(input_params) + validate(actual, self.action.output.schema) self.assertEqual(actual, expected) @parameterized.expand( @@ -41,7 +47,9 @@ def test_download_artifact(self, mock_request, test_name, input_params, expected ] ] ) - def test_download_artifact_raise_exception(self, mock_request, test_name, input_parameters, cause, assistance): + def test_download_artifact_raise_exception( + self, mock_request: MagicMock, test_name: str, input_parameters: Dict[str, Any], cause: str, assistance: str + ) -> None: with self.assertRaises(PluginException) as error: self.action.run(input_parameters) self.assertEqual(error.exception.cause, cause) diff --git a/plugins/crowdstrike_falcon_intelligence/unit_test/test_get_full_report.py b/plugins/crowdstrike_falcon_intelligence/unit_test/test_get_full_report.py index bf46c7b2c4..7dc91fc5a9 100644 --- a/plugins/crowdstrike_falcon_intelligence/unit_test/test_get_full_report.py +++ b/plugins/crowdstrike_falcon_intelligence/unit_test/test_get_full_report.py 
@@ -1,15 +1,18 @@ -import sys import os +import sys +from typing import Any, Dict from unittest import TestCase -from unittest.mock import patch +from unittest.mock import MagicMock, patch from insightconnect_plugin_runtime.exceptions import PluginException +from jsonschema import validate sys.path.append(os.path.abspath("../")) -from unit_test.util import Util -from parameterized import parameterized from icon_crowdstrike_falcon_intelligence.actions.getFullReport import GetFullReport +from parameterized import parameterized + +from util import Util @patch("requests.request", side_effect=Util.mock_request) @@ -32,8 +35,11 @@ def setUpClass(cls) -> None: ], ] ) - def test_get_full_report(self, mock_request, test_name, input_params, expected): + def test_get_full_report( + self, mock_request: MagicMock, test_name: str, input_params: Dict[str, Any], expected: Dict[str, Any] + ) -> None: actual = self.action.run(input_params) + validate(actual, self.action.output.schema) self.assertEqual(actual, expected) @parameterized.expand( @@ -46,7 +52,9 @@ def test_get_full_report(self, mock_request, test_name, input_params, expected): ] ] ) - def test_get_full_report_raise_exception(self, mock_request, test_name, input_parameters, cause, assistance): + def test_get_full_report_raise_exception( + self, mock_request: MagicMock, test_name: str, input_parameters: Dict[str, Any], cause: str, assistance: str + ) -> None: with self.assertRaises(PluginException) as error: self.action.run(input_parameters) self.assertEqual(error.exception.cause, cause.format(reports_ids=input_parameters.get("ids"))) diff --git a/plugins/crowdstrike_falcon_intelligence/unit_test/test_get_reports_ids.py b/plugins/crowdstrike_falcon_intelligence/unit_test/test_get_reports_ids.py index 9c63a66e51..2e3fd1966f 100644 --- a/plugins/crowdstrike_falcon_intelligence/unit_test/test_get_reports_ids.py +++ b/plugins/crowdstrike_falcon_intelligence/unit_test/test_get_reports_ids.py 
@@ -1,15 +1,18 @@ -import sys import os +import sys +from typing import Any, Dict from unittest import TestCase -from unittest.mock import patch +from unittest.mock import MagicMock, patch from insightconnect_plugin_runtime.exceptions import PluginException +from jsonschema import validate sys.path.append(os.path.abspath("../")) -from unit_test.util import Util -from parameterized import parameterized from icon_crowdstrike_falcon_intelligence.actions.getReportsIDs import GetReportsIDs +from parameterized import parameterized + +from util import Util @patch("requests.request", side_effect=Util.mock_request) @@ -27,8 +30,11 @@ def setUpClass(cls) -> None: ] ] ) - def test_get_reports_ids(self, mock_request, test_name, input_params, expected): + def test_get_reports_ids( + self, mock_request: MagicMock, test_name: str, input_params: Dict[str, Any], expected: Dict[str, Any] + ) -> None: actual = self.action.run(input_params) + validate(actual, self.action.output.schema) self.assertEqual(actual, expected) @parameterized.expand( @@ -41,7 +47,9 @@ def test_get_reports_ids(self, mock_request, test_name, input_params, expected): ] ] ) - def test_get_reports_ids_raise_exception(self, mock_request, test_name, input_parameters, cause, assistance): + def test_get_reports_ids_raise_exception( + self, mock_request: MagicMock, test_name: str, input_parameters: Dict[str, Any], cause: str, assistance: str + ) -> None: with self.assertRaises(PluginException) as error: self.action.run(input_parameters) self.assertEqual(error.exception.cause, cause) diff --git a/plugins/crowdstrike_falcon_intelligence/unit_test/test_get_short_report.py b/plugins/crowdstrike_falcon_intelligence/unit_test/test_get_short_report.py index 453563a4e4..6e8132e427 100644 --- a/plugins/crowdstrike_falcon_intelligence/unit_test/test_get_short_report.py +++ b/plugins/crowdstrike_falcon_intelligence/unit_test/test_get_short_report.py 
@@ -1,15 +1,18 @@ -import sys import os +import sys +from typing import Any, Dict from unittest import TestCase -from unittest.mock import patch +from unittest.mock import MagicMock, patch from insightconnect_plugin_runtime.exceptions import PluginException +from jsonschema import validate sys.path.append(os.path.abspath("../")) -from unit_test.util import Util -from parameterized import parameterized from icon_crowdstrike_falcon_intelligence.actions.getShortReport import GetShortReport +from parameterized import parameterized + +from util import Util @patch("requests.request", side_effect=Util.mock_request) @@ -32,8 +35,11 @@ def setUpClass(cls) -> None: ], ] ) - def test_get_short_report(self, mock_request, test_name, input_params, expected): + def test_get_short_report( + self, mock_request: MagicMock, test_name: str, input_params: Dict[str, Any], expected: Dict[str, Any] + ) -> None: actual = self.action.run(input_params) + validate(actual, self.action.output.schema) self.assertEqual(actual, expected) @parameterized.expand( @@ -46,7 +52,9 @@ def test_get_short_report(self, mock_request, test_name, input_params, expected) ] ] ) - def test_get_short_report_raise_exception(self, mock_request, test_name, input_parameters, cause, assistance): + def test_get_short_report_raise_exception( + self, mock_request: MagicMock, test_name: str, input_parameters: Dict[str, Any], cause: str, assistance: str + ) -> None: with self.assertRaises(PluginException) as error: self.action.run(input_parameters) self.assertEqual(error.exception.cause, cause.format(reports_ids=input_parameters.get("ids"))) diff --git a/plugins/crowdstrike_falcon_intelligence/unit_test/test_get_submissions_ids.py b/plugins/crowdstrike_falcon_intelligence/unit_test/test_get_submissions_ids.py index 73a43f65f1..e634f2572b 100644 --- a/plugins/crowdstrike_falcon_intelligence/unit_test/test_get_submissions_ids.py +++ b/plugins/crowdstrike_falcon_intelligence/unit_test/test_get_submissions_ids.py 
@@ -1,15 +1,18 @@ -import sys import os +import sys +from typing import Any, Dict from unittest import TestCase -from unittest.mock import patch +from unittest.mock import MagicMock, patch from insightconnect_plugin_runtime.exceptions import PluginException +from jsonschema import validate sys.path.append(os.path.abspath("../")) -from unit_test.util import Util -from parameterized import parameterized from icon_crowdstrike_falcon_intelligence.actions.getSubmissionsIDs import GetSubmissionsIDs +from parameterized import parameterized + +from util import Util @patch("requests.request", side_effect=Util.mock_request) @@ -27,8 +30,11 @@ def setUpClass(cls) -> None: ] ] ) - def test_get_submission_ids(self, mock_request, test_name, input_params, expected): + def test_get_submission_ids( + self, mock_request: MagicMock, test_name: str, input_params: Dict[str, Any], expected: Dict[str, Any] + ) -> None: actual = self.action.run(input_params) + validate(actual, self.action.output.schema) self.assertEqual(actual, expected) @parameterized.expand( @@ -41,7 +47,9 @@ def test_get_submission_ids(self, mock_request, test_name, input_params, expecte ] ] ) - def test_get_submission_ids_raise_exception(self, mock_request, test_name, input_parameters, cause, assistance): + def test_get_submission_ids_raise_exception( + self, mock_request: MagicMock, test_name: str, input_parameters: Dict[str, Any], cause: str, assistance: str + ) -> None: with self.assertRaises(PluginException) as error: self.action.run(input_parameters) self.assertEqual(error.exception.cause, cause) diff --git a/plugins/crowdstrike_falcon_intelligence/unit_test/test_helpers.py b/plugins/crowdstrike_falcon_intelligence/unit_test/test_helpers.py index 6c3db0047d..e24dde07d5 100644 --- a/plugins/crowdstrike_falcon_intelligence/unit_test/test_helpers.py +++ b/plugins/crowdstrike_falcon_intelligence/unit_test/test_helpers.py 
@@ -7,10 +7,10 @@ sys.path.append(os.path.abspath("../")) from icon_crowdstrike_falcon_intelligence.util.helpers import ( - clean_dict, camel_to_snake_case, - snake_to_camel_case, + clean_dict, convert_dict_keys_case, + snake_to_camel_case, split_utc_date_time, ) diff --git a/plugins/crowdstrike_falcon_intelligence/unit_test/test_submit_analysis.py b/plugins/crowdstrike_falcon_intelligence/unit_test/test_submit_analysis.py index f021fd2394..6e6c55f272 100644 --- a/plugins/crowdstrike_falcon_intelligence/unit_test/test_submit_analysis.py +++ b/plugins/crowdstrike_falcon_intelligence/unit_test/test_submit_analysis.py @@ -1,15 +1,18 @@ -import sys import os -from unittest import TestCase -from unittest.mock import patch - -from insightconnect_plugin_runtime.exceptions import PluginException +import sys sys.path.append(os.path.abspath("../")) -from unit_test.util import Util -from parameterized import parameterized +from typing import Any, Dict +from unittest import TestCase +from unittest.mock import MagicMock, patch + from icon_crowdstrike_falcon_intelligence.actions.submitAnalysis import SubmitAnalysis +from insightconnect_plugin_runtime.exceptions import PluginException +from jsonschema import validate +from parameterized import parameterized + +from util import Util @patch("requests.request", side_effect=Util.mock_request) @@ -27,8 +30,11 @@ def setUpClass(cls) -> None: ] ] ) - def test_submit_analysis(self, mock_request, test_name, input_params, expected): + def test_submit_analysis( + self, mock_request: MagicMock, test_name: str, input_params: Dict[str, Any], expected: Dict[str, Any] + ) -> None: actual = self.action.run(input_params) + validate(actual, self.action.output.schema) self.assertEqual(actual, expected) @parameterized.expand( 
@@ -41,7 +47,9 @@ def test_submit_analysis(self, mock_request, test_name, input_params, expected): ] ] ) - def test_submit_analysis_raise_exception(self, mock_request, test_name, input_parameters, cause, assistance): + def test_submit_analysis_raise_exception( + self, mock_request: MagicMock, test_name: str, input_parameters: Dict[str, Any], cause: str, assistance: str + ) -> None: with self.assertRaises(PluginException) as error: self.action.run(input_parameters) self.assertEqual(error.exception.cause, cause) diff --git a/plugins/crowdstrike_falcon_intelligence/unit_test/test_upload_malware_sample.py b/plugins/crowdstrike_falcon_intelligence/unit_test/test_upload_malware_sample.py new file mode 100644 index 0000000000..ef1d3a2839 --- /dev/null +++ b/plugins/crowdstrike_falcon_intelligence/unit_test/test_upload_malware_sample.py 
@@ -0,0 +1,53 @@
+import os
+import sys
+
+sys.path.append(os.path.abspath("../"))
+
+from typing import Any, Dict
+from unittest import TestCase
+from unittest.mock import MagicMock, patch
+
+from icon_crowdstrike_falcon_intelligence.actions.uploadMalwareSample import UploadMalwareSample
+from insightconnect_plugin_runtime.exceptions import PluginException
+from jsonschema import validate
+from parameterized import parameterized
+
+from util import Util
+
+
+@patch("requests.request", side_effect=Util.mock_request)
+class TestUploadMalwareSample(TestCase):
+ def setUp(self) -> None:
+ self.action = Util.default_connector(UploadMalwareSample())
+
+ @parameterized.expand(
+ [
+ [
+ "valid_parameters",
+ Util.read_file_to_dict("inputs/upload_malware_sample.json.inp"),
+ Util.read_file_to_dict("expected/upload_malware_sample.json.exp"),
+ ]
+ ]
+ )
+ def test_submit_analysis(
+ self, mock_request: MagicMock, test_name: str, input_params: Dict[str, Any], expected: Dict[str, Any]
+ ) -> None:
+ response = self.action.run(input_params)
+ validate(response, self.action.output.schema)
+ self.assertEqual(response, expected)
+
+ # @parameterized.expand(
+ # [
+ # [
+ # "invalid_filter",
+ # Util.read_file_to_dict("inputs/submit_analysis_url_and_hash.json.inp"),
+ # "Sha256 and URL parameters used together",
+ # "Please provide sha256 or URL parameter (not both) and try again. If the issue persists, please contact support.",
+ # ]
+ # ]
+ # )
+ # def test_submit_analysis_raise_exception(self, mock_request, test_name, input_parameters, cause, assistance):
+ # with self.assertRaises(PluginException) as error:
+ # self.action.run(input_parameters)
+ # self.assertEqual(error.exception.cause, cause)
+ # self.assertEqual(error.exception.assistance, assistance)
diff --git a/plugins/crowdstrike_falcon_intelligence/unit_test/util.py b/plugins/crowdstrike_falcon_intelligence/unit_test/util.py
index f979bd2040..c21245ba02 100644
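Review bot: The only test in the new `TestUploadMalwareSample` is named `test_submit_analysis`, and the commented-out block beneath it is the submit-analysis error-path test copied verbatim (it still reads `inputs/submit_analysis_url_and_hash.json.inp`), which also leaves `PluginException` imported solely for dead code. Rename the method to `test_upload_malware_sample`, and either delete the commented block or replace it with a real failing-upload case driven by a non-200 fixture from `Util.mock_request`, so the action's handling of a rejected upload is exercised. As written the file verifies only the happy path against `upload_malware_sample.json.resp`.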
--- a/plugins/crowdstrike_falcon_intelligence/unit_test/util.py +++ b/plugins/crowdstrike_falcon_intelligence/unit_test/util.py @@ -1,7 +1,7 @@ import json import logging -import sys import os +import sys import insightconnect_plugin_runtime @@ -10,16 +10,18 @@ from icon_crowdstrike_falcon_intelligence.connection import Connection from icon_crowdstrike_falcon_intelligence.connection.schema import Input +DEFAULT_CONNECTION_PARAMS = { + Input.BASEURL: "https://crowdstrike_url", + Input.CLIENTSECRET: {"secretKey": "my-api-key"}, + Input.CLIENTID: "my_id", +} + class Util: @staticmethod def default_connector(action: insightconnect_plugin_runtime.Action, params=None): if not params: - params = { - Input.BASEURL: "https://crowdstrike_url", - Input.CLIENTSECRET: {"secretKey": "my-api-key"}, - Input.CLIENTID: "my_id", - } + params = DEFAULT_CONNECTION_PARAMS action.connection = Connection() action.connection.meta = "{}" action.connection.logger = logging.getLogger("connection logger") 
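Review bot: `params = DEFAULT_CONNECTION_PARAMS` hands the module-level dict itself to every connector built by `default_connector`; if `Connection.connect` or any test mutates those parameters (not visible in this hunk), the change leaks into every later test that relies on the defaults. Copying it, `params = dict(DEFAULT_CONNECTION_PARAMS)`, keeps the shared constant effectively immutable at no cost. The remainder of `default_connector` continues outside the hunk.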
@@ -54,45 +56,52 @@ def json(self): url = kwargs.get("url") params = kwargs.get("params", {}) - if url == "https://crowdstrike_url/oauth2/token": + if url == f"{DEFAULT_CONNECTION_PARAMS.get(Input.BASEURL)}/oauth2/token": return MockResponse(201, "auth_token.json.resp") - if url == "https://crowdstrike_url/falconx/entities/submissions/v1" and method == "GET": + if url == f"{DEFAULT_CONNECTION_PARAMS.get(Input.BASEURL)}/falconx/entities/submissions/v1" and method == "GET": if params.get("ids")[0].startswith("404"): return MockResponse(200, "check_analysis_status_invalid_id.json.resp") if len(params.get("ids")) == 1: return MockResponse(200, "check_analysis_status.json.resp") if len(params.get("ids")) == 5: return MockResponse(200, "check_analysis_status_many_ids.json.resp") - if url == "https://crowdstrike_url/falconx/entities/artifacts/v1" and method == "GET": + if url == f"{DEFAULT_CONNECTION_PARAMS.get(Input.BASEURL)}/falconx/entities/artifacts/v1" and method == "GET": if params.get("id").startswith("404"): return MockResponse(500, "") else: return MockResponse(200, "download_artifact.json.resp") - if url == "https://crowdstrike_url/falconx/entities/reports/v1" and method == "GET": + if url == f"{DEFAULT_CONNECTION_PARAMS.get(Input.BASEURL)}/falconx/entities/reports/v1" and method == "GET": if params.get("ids")[0].startswith("404"): return MockResponse(200, "get_full_report_invalid_id.json.resp") if len(params.get("ids")) == 1: return MockResponse(200, "get_full_report.json.resp") if len(params.get("ids")) == 2: return MockResponse(200, "get_full_report_many_ids.json.resp") - if url == "https://crowdstrike_url/falconx/queries/reports/v1" and method == "GET": + if url == f"{DEFAULT_CONNECTION_PARAMS.get(Input.BASEURL)}/falconx/queries/reports/v1" and method == "GET": if params.get("filter") == "verdict: 'no verdict'": return MockResponse(200, "get_reports_ids.json.resp") elif params.get("filter") == "invalid: filter": return MockResponse(400, 
"get_reports_ids_invalid_filter.json.resp") - if url == "https://crowdstrike_url/falconx/entities/report-summaries/v1" and method == "GET": + if ( + url == f"{DEFAULT_CONNECTION_PARAMS.get(Input.BASEURL)}/falconx/entities/report-summaries/v1" + and method == "GET" + ): if params.get("ids")[0].startswith("404"): return MockResponse(200, "get_short_report_invalid_id.json.resp") if len(params.get("ids")) == 1: return MockResponse(200, "get_short_report.json.resp") if len(params.get("ids")) == 4: return MockResponse(200, "get_short_report_many_ids.json.resp") - if url == "https://crowdstrike_url/falconx/queries/submissions/v1" and method == "GET": + if url == f"{DEFAULT_CONNECTION_PARAMS.get(Input.BASEURL)}/falconx/queries/submissions/v1" and method == "GET": if params.get("filter") == "state: 'error'": return MockResponse(200, "get_submissions_ids.json.resp") elif params.get("filter") == "invalid: filter": return MockResponse(400, "get_submissions_ids_invalid_filter.json.resp") - if url == "https://crowdstrike_url/falconx/entities/submissions/v1" and method == "POST": + if ( + url == f"{DEFAULT_CONNECTION_PARAMS.get(Input.BASEURL)}/falconx/entities/submissions/v1" + and method == "POST" + ): return MockResponse(200, "submit_analysis.json.resp") - + if url == f"{DEFAULT_CONNECTION_PARAMS.get(Input.BASEURL)}/samples/entities/samples/v2" and method == "POST": + return MockResponse(200, "upload_malware_sample.json.resp") raise NotImplementedError("Not implemented", kwargs)