Are there any resources out there demonstrating use of the Python plugin? I’d love to see some practical examples.
Here’s what I’ve read so far:
I have used it a number of times in my phishing workflow, and also just used it today in a new workflow I am building out to strip characters from a string. These are a few examples; I have also used the Beautiful Soup module in workflows as well.
Header Parser
def run(params={}):
    from email.parser import Parser
    import socket
    header_file = params.get('header')  # raw header block handed in by the previous workflow step
    bad_chars = [">"]  # From is usually "Name <user@domain>", so the trailing ">" has to be stripped
    parser = Parser()
    msg = parser.parsestr(header_file)
    d = {}
    d['Date'] = msg["Date"]
    d['From'] = msg["From"]
    d['Subject'] = msg["Subject"]
    try:
        d['SenderDomain'] = msg['From'].split("@")[1]
    except Exception:  # no "@" in From, or no From header at all
        d['SenderDomain'] = msg['From'] or ''
    for i in bad_chars:
        d['SenderDomain'] = d['SenderDomain'].replace(i, '')
    d['Auth-Results'] = msg['Authentication-Results']
    d['Received-SPF'] = msg['Received-SPF']
    try:
        # first clause looks like "spf=pass (...) smtp.mailfrom=domain"; the
        # value after the second "=" is the SMTP MAIL FROM domain
        d['Smtp'] = msg['Authentication-Results'].split(";")[0].split("=")[2]
    except Exception:  # header missing or not in that shape
        d['Smtp'] = msg['From']
    d['Return-Path'] = msg['Return-Path']
    d['Received'] = msg['Received']
    try:
        # live DNS lookup: resolves the MAIL FROM domain first, then the From domain
        d['ipaddr'] = socket.gethostbyname(str(d['Smtp']))
    except Exception:
        try:
            d['ipaddr'] = socket.gethostbyname(str(d['SenderDomain']))
        except Exception:
            d['ipaddr'] = "Domain will not resolve!!!!"
    return d
URL Deduplication / Sorting
def run(params={}):
    unfiltered = []
    urls = params.get('urls')  # get urls from ExtractIt
    for item in urls:
        # keep only Proofpoint URL Defense rewritten links (external, encoded URLs)
        if item.lower().startswith("https://urldefense.proofpoint.com"):
            unfiltered.append(item)
    # sorted() on its own does not deduplicate, so pass the list through set() first
    return {'sorted_urls': sorted(set(unfiltered))}
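For comparison, here is an added example that is not Michael's code and not part of the plugin: the same header-parsing step written against the stdlib email API, with email.utils.parseaddr for the address fields and a small parser for the Authentication-Results clauses instead of split-by-position. It also reports whether the From domain aligns with the SMTP MAIL FROM domain that SPF evaluated, which is the mismatch a phishing triage usually wants surfaced, and it does no DNS lookup so it runs offline. The header text is constructed, and the names parse_headers, parse_auth_results and the input key 'header' are my own assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (not from a real message). The From domain
# (example.com) deliberately differs from the envelope/SPF domain (mail.example.net).
SAMPLE_HEADERS = """\
Return-Path: <bounce@mail.example.net>
Received: from mail.example.net (mail.example.net [192.0.2.10])
 by mx.example.org with ESMTPS id abc123
 for <analyst@example.org>; Mon, 1 Jan 2024 09:15:00 +0000
Authentication-Results: mx.example.org;
 spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=mail.example.net;
 dkim=fail header.d=example.com;
 dmarc=fail action=quarantine header.from=example.com
Received-SPF: Pass (mx.example.org: domain of bounce@mail.example.net designates 192.0.2.10 as permitted sender)
Date: Mon, 1 Jan 2024 09:14:30 +0000
From: "Finance Team" <accounts@example.com>
Subject: Invoice overdue

"""

_COMMENT = re.compile(r"\([^)]*\)")  # RFC 5322 comments such as "(sender IP is ...)"
_BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _unfold(value):
    """Join folded header lines and collapse whitespace; '' for a missing header."""
    return " ".join(str(value).split()) if value is not None else ""


def _domain(addr_header):
    """Lower-cased domain of the first address in a From/Return-Path style header."""
    _, addr = parseaddr(_unfold(addr_header))
    return addr.rpartition("@")[2].lower()


def parse_auth_results(value):
    """Parse Authentication-Results into {'authserv_id': ..., method: {'result': ..., prop: val}}."""
    clauses = [c.strip() for c in _COMMENT.sub("", _unfold(value)).split(";")]
    results = {"authserv_id": clauses[0] if clauses else ""}
    for clause in clauses[1:]:
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue  # "none" or a malformed clause
        method, _, result = tokens[0].partition("=")
        props = {"result": result.lower()}
        for tok in tokens[1:]:
            key, sep, val = tok.partition("=")  # ptype.property=value pairs
            if sep:
                props[key.lower()] = val.lower()
        results[method.lower()] = props
    return results


def parse_headers(raw):
    """Return the fields the workflow needs from a raw header block."""
    msg = message_from_string(raw)
    auth = parse_auth_results(msg.get("Authentication-Results"))
    from_domain = _domain(msg.get("From"))
    mailfrom = auth.get("spf", {}).get("smtp.mailfrom", "")
    # Relaxed alignment, approximated here as equal domains or one a subdomain of the other.
    aligned = bool(mailfrom) and (
        from_domain == mailfrom
        or from_domain.endswith("." + mailfrom)
        or mailfrom.endswith("." + from_domain)
    )
    ip_match = _BRACKETED_IPV4.search(_unfold(msg.get("Received")))  # topmost Received hop
    return {
        "Date": _unfold(msg.get("Date")),
        "From": _unfold(msg.get("From")),
        "Subject": _unfold(msg.get("Subject")),
        "SenderDomain": from_domain,
        "EnvelopeDomain": _domain(msg.get("Return-Path")),
        "Auth": auth,
        "Received-SPF": _unfold(msg.get("Received-SPF")),
        "ipaddr": ip_match.group(1) if ip_match else "",
        "Aligned": aligned,
    }


def run(params=None):
    """Entry point shaped like an InsightConnect Python step (assumed input key 'header')."""
    params = params or {}
    return parse_headers(params.get("header") or "")


if __name__ == "__main__":
    for key, val in parse_headers(SAMPLE_HEADERS).items():
        print(f"{key}: {val}")
```

Because the IP comes from the bracketed literal in the topmost Received header rather than from a forward lookup, the result reflects the host that actually handed the message to your MX, and the step cannot stall on a DNS timeout inside the workflow.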
This is exactly the sort of thing I was thinking of. Thank you very much @Michael-Cochran-Rapid7.
You’re welcome. I taught myself Python by building out Python steps within ICON.
I use this with the DateTime module added to the python connection. I use it to define out of hours.
My use case: IDR alerts, if the alert is within working hours…do something…
# ------------------------------------------------------------------------ #
# Working Hours #
# ------------------------------------------------------------------------ #
from datetime import datetime
# ----------------------------------- Vars ----------------------------------- #
the_time = datetime.now(tz=None)  # Current Day/Time (local clock of the plugin container)
the_day = the_time.strftime('%A')  # Day of week, taken from the same timestamp
weekday_work_hours = [*range(6, 21, 1)]  # Week Day Working Hours 06:00-20:59
weekend_work_hours = [*range(8, 17, 1)]  # Weekend Working Hours 08:00-16:59
hour = the_time.hour  # Current Hour of the Day
# -------------------------------- Print Vars -------------------------------- #
print("Work Hours:", weekday_work_hours)
print("Weekend Hours:", weekend_work_hours)
print("Day of Week: ", the_day)
print("Hour of day: ", hour)


def WeekdayWorkHours(hour):
    return hour in weekday_work_hours


def WeekEndWorkHours(hour):
    return hour in weekend_work_hours


if the_day in ('Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday'):
    output = WeekdayWorkHours(hour)
    print("Within Working Hours: ", output)
elif the_day in ('Saturday', 'Sunday'):
    output = WeekEndWorkHours(hour)
    print("Within Working Hours: ", output)
else:
    print("Unknown Day")
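As an added example, not the poster's code, the same working-hours windows written as a step that decides on the alert's own timestamp and an explicit time zone rather than on the container's clock. That matters because datetime.now() inside the plugin reports whatever zone the InsightConnect runtime is set to (commonly UTC), so an alert at 05:30 UTC is out of hours there but inside the 06:00 window for a UTC+1 team. The input keys 'alert_time' and 'utc_offset_hours', and the function names, are my assumptions; a fixed offset is used so the code runs without a tz database, and zoneinfo.ZoneInfo("Region/City") is the right substitute when daylight saving applies.

```python
from datetime import datetime, timedelta, timezone

# Same windows as the post above: 06:00-20:59 Mon-Fri, 08:00-16:59 Sat-Sun.
WEEKDAY_HOURS = range(6, 21)
WEEKEND_HOURS = range(8, 17)


def in_working_hours(when, tz=timezone.utc):
    """True if the aware datetime `when` falls inside working hours in zone `tz`.

    A naive datetime is rejected on purpose: without an offset there is no way
    to know whether it came from the container's clock or the analyst's zone.
    """
    if when.tzinfo is None or when.utcoffset() is None:
        raise ValueError("pass a timezone-aware datetime")
    local = when.astimezone(tz)
    hours = WEEKEND_HOURS if local.weekday() >= 5 else WEEKDAY_HOURS  # Mon=0 .. Sun=6
    return local.hour in hours


def run(params=None):
    """InsightConnect-style step (assumed inputs): 'alert_time' as ISO 8601 with
    offset, 'utc_offset_hours' as the team's zone; missing alert_time means now."""
    params = params or {}
    raw = params.get("alert_time")
    when = datetime.fromisoformat(raw) if raw else datetime.now(timezone.utc)
    tz = timezone(timedelta(hours=int(params.get("utc_offset_hours", 0))))
    local = when.astimezone(tz)
    return {
        "within_working_hours": in_working_hours(when, tz),
        "local_time": local.isoformat(),
        "day_of_week": local.strftime("%A"),
    }


if __name__ == "__main__":
    # Constructed alert timestamp: Monday 05:30 UTC, which is 06:30 for a UTC+1 team.
    print(run({"alert_time": "2024-01-01T05:30:00+00:00", "utc_offset_hours": 1}))
    print(run({"alert_time": "2024-01-01T05:30:00+00:00"}))  # same alert judged in UTC
```

Feeding the IDR alert's timestamp in, rather than calling now(), also keeps the decision stable when the workflow is retried or a queued job runs late.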
I had a similar script, before the human timeout decision functionality was implemented, that would check day/time and prompt via the ICON platform or send a Slack message to take actions on alerts.