IBM QRadar SOAR

  • 1.  Cisco Umbrella Investigate Function Returns NoneType

    Posted Thu January 04, 2024 12:14 PM

    Hello,

    I am currently attempting to use the Cisco Umbrella Investigate App with the function domain_status_and_category.

    However, when I attempt to use it in a playbook, it doesn't return any data (specifically, it returns NoneType), no matter which domain I use.

    I have checked with Cisco Umbrella GUI and API natively and see data returning. So I'm unsure on how to troubleshoot this.

    Can I get some assistance on this please?

    Regards,

    Iqra



    ------------------------------
    Iqra Haq
    ------------------------------


  • 2.  RE: Cisco Umbrella Investigate Function Returns NoneType

    Posted Thu January 04, 2024 03:44 PM

    Hi Iqra,

    Can you give an example of the input you are trying? 

    Are you running in app host?  Can you set loglevel=DEBUG in the app.config, run the function, download the log file and post output from the function?

    I can see if I can get a trial token to test it.



    ------------------------------
    AnnMarie Norcross
    ------------------------------



  • 3.  RE: Cisco Umbrella Investigate Function Returns NoneType

    Posted Thu January 04, 2024 05:13 PM

    Hi again Iqra

    I am able to run the Cisco Umbrella Investigate app that we have on the App Exchange and can run the "Example: Categories for a Domain" rule off a DNS artifact and get the associated categories returned (they show up in the "Umbrella Investigate - Categories for a domain" data table).  So it seems that the function is working... does this app work for you out of the box?  Perhaps you can give more information on the playbook you are writing?  Perhaps there is an issue in there.



    ------------------------------
    AnnMarie Norcross
    ------------------------------



  • 4.  RE: Cisco Umbrella Investigate Function Returns NoneType

    Posted Fri January 05, 2024 08:42 AM

    Hi AnnMarie,

    Thank you again for helping me out and going out of your way to get that test token to check the function. I appreciate the efforts.

    The playbook I am writing aims to take any URL and DNS Name artifacts and run a search against them with Umbrella Investigate. If it comes back with certain categories (such as Phishing), I want to add a Hit to the artifact.

    My thought process is to extract any domains from URLs before processing them (and directly processing DNS names as I assume they are in the correct format). However, I can't seem to get either to work, as I still get 'NoneType'.

    I'm not too sure if I've used the addHit function properly either; I was hoping to get the previous steps working against a simulation case first, before checking my use of the function.

    Below is the function and the post-process script:

    import json
    
    result = playbook.functions.results.artifact_status_and_category.content
    
    ##  Cisco Umbrella Investigate - fn_cisco_umbrella_invpost processing script ##
    # https://investigate-api.readme.io/docs/domain-status-and-categorization-1
    # umbrella_domain_status_and_category - Domain
    # Example where inputs.umbinv_domains = artifact.value =  amazon.com
    
    """
    Result: {'domains': [u'amazon.com'],
             'query_execution_time'
             'statuses': {u'amazon.com': {u'status': 1,
                                          u'content_categories': [u'Ecommerce/Shopping'],
                                          u'security_categories': []
                                          }
    
                          }
            }
    """
    ##  Cisco Umbrella Investigate - fn_cisco_umbrella_inv post processing script ##
    # umbrella_domain_status_and_category - domain
    #  Globals
    # List of fields in datatable umbinv_categories_for_a_domain for reference only
    DATA_TBL_FIELDS = ["domain_name", "query_execution_time", "status", "content_categories", "security_categories"]
    
    # Processing
    statuses = result.statuses
    domains = result.domains
    
    if statuses is not None and domains is not None:
        result_dict = json.loads(result)
        for domain in result_dict['domains']:
            if 'Phishing' in result_dict['statuses'][domain]['security_categories']:
                artifact.addHit("Cisco Umbrella Investigate", {"URL Name", "string", "{}".format(artifact.value)})
    
    

    Thanks again for looking into this.

    Much appreciated,

    Iqra



    ------------------------------
    Iqra Haq
    ------------------------------



  • 5.  RE: Cisco Umbrella Investigate Function Returns NoneType

    Posted Fri January 05, 2024 10:08 AM

    Hi Iqra

    I see a few issues with the script you posted.  You don't need to get the results from content, and you do not need to do json.loads, as "domains" is a list in the statuses json.  I put an incident.addNote after result so you can see the actual results that are passed to the script.  I am able to create hits with this post script in a playbook.  Hope this helps!

    ##  Cisco Umbrella Investigate - fn_cisco_umbrella_invpost processing script ##
    # https://investigate-api.readme.io/docs/domain-status-and-categorization-1
    # umbrella_domain_status_and_category - Domain
    # Example where inputs.umbinv_domains = artifact.value =  amazon.com
    
    """
    Result: {'domains': [u'amazon.com'],
             'query_execution_time'
             'statuses': {u'amazon.com': {u'status': 1,
                                          u'content_categories': [u'Ecommerce/Shopping'],
                                          u'security_categories': []
                                          }
    
                          }
            }
    """
    results = playbook.functions.results.get_status_and_category
    
    ##  Cisco Umbrella Investigate - fn_cisco_umbrella_inv post processing script ##
    # umbrella_domain_status_and_category - domain
    #  Globals
    # List of fields in datatable umbinv_categories_for_a_domain for reference only
    DATA_TBL_FIELDS = ["domain_name", "query_execution_time", "status", "content_categories", "security_categories"]
    
    incident.addNote("results = {}".format(results))
    
    # Processing
    statuses = results.statuses
    domains = results.domains
    query_execution_time = results.query_execution_time
    
    
    if statuses is not None and domains is not None:
        for domain in domains:
            domain_statuses = statuses.get(domain, None)
            if domain_statuses:
                security_categories = domain_statuses.get("security_categories", [])
                content_categories = domain_statuses.get("content_categories", [])
                if 'Phishing' in security_categories:
                    hit_list = [
                        {
                            "name": "Artifact Value",
                            "type": "string",
                            "value": "{}".format(artifact.value)
                        }
                    ]
    
                    artifact.addHit("Cisco Umbrella Investigate", hit_list)
    



    ------------------------------
    AnnMarie Norcross
    ------------------------------
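The decision logic in the post-process script above, factored into a plain Python function so it can be tested outside QRadar SOAR. This is an added example, not code from the thread or from the fn_cisco_umbrella_inv app. It assumes the result shape the app's docstring documents ("domains" list, "statuses" dict keyed by domain, "query_execution_time"), the Investigate status codes -1 malicious / 0 uncategorized / 1 benign, and that in a real post-process script `results` would come from playbook.functions.results.<output name> and hits would be raised through artifact.addHit(source, hit_list); here a stand-in object records the calls.

```python
"""
Added example (not from the thread or the fn_cisco_umbrella_inv app): the
post-processing decision from the reply above as a testable function.

Assumptions not stated in the original post:
- `results` has the documented shape: "domains" (list), "statuses" (dict keyed
  by domain) and "query_execution_time".
- Investigate status codes: -1 malicious, 0 uncategorized, 1 benign.
- In a real post-process script `results` comes from
  playbook.functions.results.<function output name> and hits are raised with
  artifact.addHit(source, hit_list); RecordingArtifact stands in for that here.
"""
from typing import Dict, List, Set

# Security categories that warrant a hit. Constructed for this example; adjust to policy.
FLAGGED_SECURITY_CATEGORIES: Set[str] = {"Phishing", "Malware", "Command and Control"}

MALICIOUS_STATUS = -1  # Investigate "status" value for a domain it rates malicious


def build_hits(results, flagged: Set[str] = FLAGGED_SECURITY_CATEGORIES) -> Dict[str, List[dict]]:
    """Map each flagged domain in `results` to the hit_list to pass to artifact.addHit.

    A domain with no "statuses" entry, or an empty/None result, produces no hit:
    a missing answer is not evidence that the domain is bad.
    """
    hits: Dict[str, List[dict]] = {}
    if not results:  # None or {} when the function produced nothing
        return hits
    statuses = results.get("statuses") or {}
    for domain in results.get("domains") or []:
        entry = statuses.get(domain)
        if not entry:
            continue
        security = entry.get("security_categories") or []
        content = entry.get("content_categories") or []
        matched = sorted(set(security) & flagged)
        # Raise a hit on a flagged category, or on an outright malicious verdict
        if not matched and entry.get("status") != MALICIOUS_STATUS:
            continue
        hits[domain] = [
            {"name": "Domain", "type": "string", "value": domain},
            {"name": "Status", "type": "string", "value": str(entry.get("status"))},
            {"name": "Security Categories", "type": "string", "value": ", ".join(matched or security)},
            {"name": "Content Categories", "type": "string", "value": ", ".join(content)},
            {"name": "Query Execution Time", "type": "string",
             "value": str(results.get("query_execution_time", ""))},
        ]
    return hits


def apply_hits(artifact, results, flagged: Set[str] = FLAGGED_SECURITY_CATEGORIES) -> int:
    """Raise one SOAR hit per flagged domain and return how many were raised."""
    hits = build_hits(results, flagged)
    for hit_list in hits.values():
        artifact.addHit("Cisco Umbrella Investigate", hit_list)
    return len(hits)


# Constructed sample in the shape the app documents (not real Investigate output).
SAMPLE_RESULTS = {
    "domains": ["amazon.com", "login-verify.example", "nodata.example"],
    "query_execution_time": "0.12",
    "statuses": {
        "amazon.com": {"status": 1, "content_categories": ["Ecommerce/Shopping"],
                       "security_categories": []},
        "login-verify.example": {"status": -1, "content_categories": [],
                                 "security_categories": ["Phishing"]},
        # "nodata.example" deliberately absent: Investigate returned nothing for it
    },
}


class RecordingArtifact:
    """Stand-in for the SOAR artifact object: captures addHit calls instead of writing to a case."""

    def __init__(self):
        self.hits = []

    def addHit(self, source, hit_list):
        self.hits.append((source, hit_list))


if __name__ == "__main__":
    art = RecordingArtifact()
    print(apply_hits(art, SAMPLE_RESULTS), "hit(s) raised")
    for source, hit_list in art.hits:
        print(source, hit_list[0]["value"], hit_list[2]["value"])
```

Only the one flagged domain produces a hit; amazon.com is benign and nodata.example has no statuses entry, so neither is touched. Putting the hit fields (domain, status, categories) into the hit rather than just the artifact value gives an analyst the verdict without opening the data table.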



  • 6.  RE: Cisco Umbrella Investigate Function Returns NoneType

    Posted Fri January 05, 2024 10:23 AM

    Hi AnnMarie,

    Thank you for the code and the explanation. Just by looking at it, I knew it would work. I've tested it with DNS Name artifacts and it does indeed work! Gahhh, how exciting!!

    However, I seem to be having issues converting URLs into a format that the function will accept... (I seem to keep getting the error below)

    from urllib.parse import urlparse
    
    if artifact.value == "URL":
      inputs.umbinv_domains = urlparse(artifact.value).netloc
    else:
      inputs.umbinv_domains = artifact.value
    
    inputs.umbinv_showlabels = True
    inputs.umbinv_status_endpoint = "categorization"

    Any ideas?

    Cheers,

    Iqra



    ------------------------------
    Iqra Haq
    ------------------------------



  • 7.  RE: Cisco Umbrella Investigate Function Returns NoneType

    Posted Fri January 05, 2024 11:00 AM

    I think you should be testing artifact.type == "URL", not artifact.value !



    ------------------------------
    AnnMarie Norcross
    ------------------------------
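The pre-process step from the last two posts, as an added example that is not code from the thread: turn a URL or DNS Name artifact into the bare hostname that Umbrella Investigate's domain endpoints expect, branching on artifact.type rather than artifact.value. It assumes the artifact type names "URL" and "DNS Name" used in the thread, that Investigate's domain endpoints want a hostname rather than an IP literal (so those return None), and that in a real pre-process script the result would be assigned to inputs.umbinv_domains, with a playbook condition skipping the function call when None comes back.

```python
"""
Added example (not from the thread): normalise a URL or DNS Name artifact to the
hostname to send to Umbrella Investigate, testing artifact.type as the reply says.

Assumptions not stated in the original post:
- Artifact type names are "URL" and "DNS Name".
- Investigate's domain endpoints want hostnames, so IP literals yield None.
- In a real pre-process script: inputs.umbinv_domains = artifact_to_domain(artifact.type, artifact.value)
  and a playbook condition skips the function call when the result is None.
"""
import re
from typing import Optional
from urllib.parse import urlsplit

# One or more dot-separated DNS labels: 1-63 chars, letters/digits/hyphens, no edge hyphen.
_HOSTNAME_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")


def artifact_to_domain(artifact_type: str, value: str) -> Optional[str]:
    """Return the hostname to query, or None if the artifact carries no usable domain."""
    raw = (value or "").strip()
    if artifact_type == "URL":
        # urlsplit only parses an authority section when it is marked by "//",
        # so a scheme-less URL such as "evil.example/login" must be prefixed first.
        if "://" not in raw:
            raw = "//" + raw
        try:
            host = urlsplit(raw).hostname  # drops scheme, userinfo, port, path; lower-cases
        except ValueError:  # e.g. an unbalanced "[" in the authority
            return None
    elif artifact_type == "DNS Name":
        host = raw.lower()
    else:
        return None  # other artifact types (IP Address, hashes, ...) are not domains
    if not host:
        return None
    host = host.rstrip(".")  # "example.com." is the same name in absolute form
    if ":" in host or host.replace(".", "").isdigit():
        return None  # IPv6 or IPv4 literal, not a domain
    return host if _HOSTNAME_RE.match(host) else None


if __name__ == "__main__":
    # Constructed artifacts standing in for artifact.type / artifact.value
    for a_type, a_value in [
        ("URL", "https://user:pw@Login-Verify.Example:8443/account?x=1"),
        ("URL", "evil.example/login"),
        ("DNS Name", "Mail.Example.COM."),
        ("URL", "http://192.0.2.10/"),
        ("IP Address", "192.0.2.10"),
    ]:
        print(f"{a_type:10} {a_value!r:55} -> {artifact_to_domain(a_type, a_value)!r}")
```

The userinfo and port in the first sample are the cases that trip up a plain .netloc: urlsplit(...).netloc would hand Investigate "user:pw@login-verify.example:8443", while .hostname gives the bare name. The lookup still has to be guarded in the playbook, since a pre-process script cannot cancel the function call on its own.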



  • 8.  RE: Cisco Umbrella Investigate Function Returns NoneType

    Posted Fri January 05, 2024 11:40 AM

    Good spot. That works great now! Thanks again :D



    ------------------------------
    Iqra Haq
    ------------------------------