Hi @Jared Fagel,
Thanks a lot for your response.
Firstly, what object type should the Workflow and Rule be? Ideally, I believe it should be on the Attachment type. But when I use the Object Type as Attachment I get an error that artifact is unknown. So I tried using the Object Type as Artifact and it may be working; I have made a few appends as below:
When the ioc_parser function was created it auto-populated 3 inputs: "inputType", "artifact_id", "incidentId". However, the code was using "artifactId" instead of the auto-added "artifact_id", hence the error. I have replaced that and used the code accordingly.
Pre-Processing Script:
inputType = str(artifact.name).split(".")[-1]  # artifact.type may also work?
inputs.artifactId = artifact.id
inputs.incidentId = incident.id
#inputs.inputType = inputType  # select, values: "pdf", "txt", "html"
Post-Processing Script:
def _ioc_parser(FunctionResult):
    newline = ast.literal_eval(line.strip())
    results.append(newline)
    log.info("Return results to Resilient")
    yield FunctionResult({"value": results})
for event in results.value:
    incident.addArtifact(artifact.get("type"), artifact.get("value"), "From IOC document")
The action shows Completed but no output is returned. Can you please help here to make the required modifications to the Post-Processing script.
------------------------------
Thanks and Regards
David Joshua Edithi
------------------------------
Original Message:
Sent: 03-05-2019 05:46 PM
From: Jared Fagel
Subject: IOC Parser Functions for Resilient
For post processor, see this:
for line in contents:
    # Convert string to dict. The ioc parser produces lines of json; however, because
    # we write it to a temp file and read it back, each ioc is read in as a string.
    # This safely evaluates the string to make sure it can be transformed into a dict.
    newline = ast.literal_eval(line.strip())
    results.append(newline)
log.info("Return results to Resilient")
yield FunctionResult({"value": results})
------------------------------
Jared Fagel
Cyber Security Analyst Intern
Public Utility
Original Message:
Sent: 03-05-2019 05:45 PM
From: Jared Fagel
Subject: IOC Parser Functions for Resilient
The following is from the ioc_parser.py function:
if kwargs.get("artifactId") is None:
    raise ValueError('artifactId is empty')
if kwargs.get("incidentId") is None:
    raise ValueError('incidentId is empty')
if kwargs.get("inputType") is None:
    raise ValueError('inputType is empty')
As you can see it takes three required parameters (so do this in pre-processor):
input_type = str(artifact.name).split(".")[-1] # artifact.type may also work?
inputs.artifactId = artifact.id
inputs.incidentId = incident.id
inputs.inputType = input_type # select, values: "pdf", "txt", "html"
------------------------------
Jared Fagel
Cyber Security Analyst Intern
Public Utility
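As an added example (not part of this thread or of the fn_ioc_parser package), this shows the contract between the two halves Jared describes: the function-side loop that turns the read-back temp-file lines into dicts, and a workflow post-processing step that turns each item of results.value into an artifact (type, value, description). The sample IOCs are constructed, and the result fields are assumed to be "type" and "value", as the addArtifact call in the thread suggests.

```python
import ast
import json
import tempfile

# Constructed sample IOCs, standing in for what the ioc-parser would extract.
SAMPLE_IOCS = [
    {"type": "IP Address", "value": "203.0.113.7"},
    {"type": "DNS Name", "value": "example.test"},
    {"type": "DNS Name", "value": "example.test"},  # duplicate hit in the document
]

def round_trip_through_tempfile(iocs):
    """Write one JSON object per line and read it back, as the function does;
    the lines come back as plain strings, hence the literal_eval below."""
    with tempfile.TemporaryFile("w+") as fh:
        for ioc in iocs:
            fh.write(json.dumps(ioc) + "\n")
        fh.write("not a dict at all\n")  # constructed malformed line
        fh.seek(0)
        return fh.readlines()

def parse_ioc_lines(lines):
    """Function-side step from the thread: literal_eval each stripped line, skipping
    lines that are not a dict literal so one bad line cannot lose every other IOC."""
    results = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            item = ast.literal_eval(line)
        except (ValueError, SyntaxError):
            continue
        if isinstance(item, dict) and "type" in item and "value" in item:
            results.append(item)
    return results

def artifacts_from_results(results, description="From IOC document"):
    """Post-processing step: build one (type, value, description) artifact per
    distinct IOC, matching the incident.addArtifact call in the thread."""
    seen = set()
    artifacts = []
    for ioc in results:
        key = (ioc.get("type"), ioc.get("value"))
        if key not in seen:
            seen.add(key)
            artifacts.append((key[0], key[1], description))
    return artifacts
```

In a real workflow the loop in artifacts_from_results is the body of the post-processing script, with incident.addArtifact in place of the list append; iterating the items of results.value (not the triggering artifact) is what gives each IOC its own type and value.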
Original Message:
Sent: 03-05-2019 03:25 AM
From: David Joshua Edithi
Subject: IOC Parser Functions for Resilient
https://exchange.xforce.ibmcloud.com/hub/extension/5bc5472251e3928ff43a4c902b6c57aa
IOC Parser Functions for Resilient: we are unable to run the mentioned app. It has been installed successfully and app.config and the functions are updated. I have created a workflow and rule to use this function.
However, no pre- and post-processing scripts are available in the documentation either.
-------------------
FunctionException_: <Traceback (most recent call last):
  File "/usr/local/lib/python2.7/site-packages/fn_ioc_parser/components/ioc_parser.py", line 43, in _ioc_parser_function
    raise ValueError('artifactId is empty')
ValueError: artifactId is empty >
  File "/usr/local/lib/python2.7/site-packages/circuits/core/manager.py", line 856, in processTask
    raise value.extract()
-------------------
Can someone please suggest whether any additional details have to be passed here, either in the pre- or post-processing script.
------------------------------
Thanks and Regards
David Joshua Edithi
------------------------------