#!/usr/bin/env python2.7
# example
# An example to search indicators based on given query
# Works on Demisto 2.5 onwards
#
# Author: Slavik Markovich
# Version: 1.0
#
import argparse
import csv
from datetime import datetime, timedelta
import demisto
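def p(what):
    """Print *what* unless the module-level ``verbose`` flag is cleared.

    ``verbose`` is only created by ``options_handler`` (``-q`` clears it).
    Before that runs the name does not exist, so the lookup falls back to
    ``True`` -- the parser's own default -- instead of raising NameError.
    """
    # globals().get() tolerates the flag not having been assigned yet.
    if globals().get('verbose', True):
        print(what)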
def options_handler():
    """Parse the command line and publish the ``verbose`` flag module-wide.

    Positional arguments are the API key and the server URL. Options are
    ``-q/--quiet`` (clears ``verbose``), ``-o/--output`` (CSV path, default
    ``indicators.csv``), ``-f/--filter`` (search query) and ``-d/--delta``
    (look-back window such as ``1d``, ``5h`` or ``30m``, default ``7d``).

    The key is read from argv, so it is visible to other local users in
    process listings and is recorded in the invoking shell's history.

    Returns:
        ``argparse.Namespace`` with ``key``, ``server``, ``verbose``,
        ``output``, ``filter`` and ``delta``.
    """
    global verbose
    arg_parser = argparse.ArgumentParser(description='Integrations and commands')
    positional = (
        ('key', 'The API key to access the server'),
        ('server', 'The server URL to connect to'),
    )
    for name, help_text in positional:
        arg_parser.add_argument(name, help=help_text)
    # store_false: the flag is called "quiet" but the attribute is "verbose".
    arg_parser.add_argument('-q', '--quiet', action='store_false',
                            dest='verbose', help="no extra prints")
    arg_parser.add_argument('-o', '--output', default='indicators.csv',
                            help='The output CSV file')
    arg_parser.add_argument('-f', '--filter',
                            help='The filter to use when searching indicators')
    arg_parser.add_argument('-d', '--delta', default='7d',
                            help='The delta period we should search for - acceptible values are 1d, 5h, 30m, etc.')
    parsed = arg_parser.parse_args()
    verbose = parsed.verbose
    return parsed
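def fromDate(delta, now=None):
    """Return the ISO-8601 UTC timestamp lying *delta* before *now*.

    Args:
        delta: Look-back window written as ``<int><unit>`` where unit is
            ``m`` (minutes), ``h`` (hours) or ``d`` (days), e.g. ``'30m'``.
            An unrecognised unit letter falls back to seven days, which is
            what the script has always done.
        now: Reference instant as a naive UTC ``datetime``. Defaults to the
            current UTC time; exposed so callers and tests can pin it.

    Returns:
        The instant formatted as ``'%Y-%m-%dT%H:%M:%SZ'``.

    Raises:
        ValueError: if *delta* is empty or its numeric part is not an int.
    """
    if now is None:
        # The output carries a 'Z' (UTC) designator, so the reference must be
        # UTC as well; datetime.now() would silently bake in the local offset
        # and shift the search window by the machine's timezone.
        now = datetime.utcnow()
    if not delta:
        raise ValueError('delta must look like 1d, 5h or 30m, got %r' % (delta,))
    amount = int(delta[:-1])
    unit = delta[-1:]
    unit_kwargs = {'m': 'minutes', 'h': 'hours', 'd': 'days'}
    if unit in unit_kwargs:
        window = timedelta(**{unit_kwargs[unit]: amount})
    else:
        window = timedelta(days=7)
    return (now - window).strftime('%Y-%m-%dT%H:%M:%SZ')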
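def _write_indicators_csv(path, ioc_objects):
    """Write a header plus one row per indicator in *ioc_objects* to *path*."""
    columns = ['Value', 'Type', 'Source', 'FirstSeen', 'LastSeen', 'Score']
    # CSV column -> key in an indicators/search result object. Using .get()
    # turns a missing key into an empty cell rather than aborting the export.
    source_key = {
        'Value': 'value',
        'Type': 'indicator_type',
        'Source': 'source',
        'FirstSeen': 'firstSeen',
        'LastSeen': 'lastSeen',
        'Score': 'score',
    }
    # NOTE(review): indicator values come from external feeds; a value that
    # starts with '=', '+', '-' or '@' is treated as a formula by spreadsheet
    # applications. The values are written untouched here so the file stays
    # faithful for programmatic consumers -- open it with cells as text.
    # NOTE(review): Python 3's csv module wants open(..., newline=''), which
    # the python2.7 interpreter named in the shebang does not accept.
    with open(path, 'w') as csvfile:
        writer = csv.DictWriter(csvfile, fieldnames=columns)
        writer.writeheader()
        for ioc in ioc_objects:
            writer.writerow({col: ioc.get(key) for col, key in source_key.items()})


def main():
    """Search indicators on the given server and export them to a CSV file.

    Builds the ``indicators/search`` request from the parsed options (sort
    by value, optional ``query`` from ``--filter``, ``fromDate`` derived from
    ``--delta``), sends it and writes the returned ``iocObjects`` to
    ``--output``.

    Raises:
        RuntimeError: if the server answers with a status other than 200.
    """
    options = options_handler()
    client = demisto.DemistoClient(options.key, options.server)
    post_data = {'sort': [{'field': 'value', 'asc': True}]}
    if options.filter:
        post_data['query'] = options.filter
    if options.delta:
        post_data['fromDate'] = fromDate(options.delta)
    response = client.req('POST', 'indicators/search', post_data)
    if response.status_code != 200:
        raise RuntimeError('Error getting indicators data - %d (%s)' %
                           (response.status_code, response.reason))
    body = response.json()
    # NOTE(review): presumably a search with no hits omits 'iocObjects' or
    # returns null for it -- confirm against the API; either case yields an
    # empty export instead of a KeyError/TypeError.
    ioc_objects = body.get('iocObjects') or []
    p('Writing %d indicators to %s' % (len(ioc_objects), options.output))
    _write_indicators_csv(options.output, ioc_objects)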
# Run the export only when executed as a script, not when imported.
if __name__ == '__main__':
    main()