Update UmbrellaBlacklister to include FQDN and URL data_types.

2024-11-06 09:05:19 +00:00 · 2019-10-18 16:28:05 -04:00 · 2019-10-18 16:28:05 -04:00 · 9990c391bc
commit 9990c391bc
parent bcfc3dd5d4
1 changed files with 23 additions and 8 deletions
--- a/responders/UmbrellaBlacklister/UmbrellaBlacklister.py
+++ b/responders/UmbrellaBlacklister/UmbrellaBlacklister.py
@ -5,19 +5,32 @@ from cortexutils.responder import Responder
 import requests
 from datetime import datetime

+
 class UmbrellaBlacklister(Responder):
    def __init__(self):
        Responder.__init__(self)
-        self.integration_url = self.get_param('config.integration_url', None, "Integration URL Missing")
+        self.integration_url = self.get_param(
+            'config.integration_url', None, "Integration URL Missing")

    def run(self):
        Responder.run(self)

-        if self.get_param('data.dataType') == 'domain':
+        data_type = self.get_param('data.dataType')
+        ioc_types = {"domain": "domain", "url": "url","fqdn": "fqdn"}
+        if data_type in ioc_types:

-            domain = self.get_param('data.data', None, 'No artifacts available')
+            if data_type == "domain" or data_type == "fqdn":
+                domain = self.get_param(
+                    'data.data', None, 'No artifacts available')
+
+                dstUrl = "http://" + domain
+
+            elif data_type == "url":
+                dstUrl = self.get_param(
+                    'data.data', None, 'No artifacts available')
+
+                domain = dstUrl.split('/')[2]

-            dstUrl = "http://" + domain
            date = datetime.now().strftime("%Y-%m-%dT%XZ")

            headers = {
@ -36,16 +49,18 @@ class UmbrellaBlacklister(Responder):
                "providerName": "Security Platform"
            }

-            r = requests.post(self.integration_url, json=payload, headers=headers)
+            r = requests.post(self.integration_url,
+                              json=payload, headers=headers)
            if r.status_code == 200 | 202:
                self.report({'message': 'Blacklisted in Umbrella.'})
            else:
                self.error('Failed to add to blacklist.')
-	else:
-	    self.error('Incorrect dataType. "Domain" expexted.')
+        else:
+            self.error('Incorrect dataType. "Domain", "FQDN", or "URL" expected.')

    def operations(self, raw):
        return [self.build_operation('AddTagToArtifact', tag='Umbrella:blocked')]

+
 if __name__ == '__main__':
-        UmbrellaBlacklister().run()
+    UmbrellaBlacklister().run()