IBM Security QRadar SOAR


Adding a condition point within Virus Total Predefined Playbook

  • 1.  Adding a condition point within Virus Total Predefined Playbook

    Posted Mon October 16, 2023 05:24 AM

    Greetings

    I am new to IBM SOAR and I am trying to run a demo using the Virus Total predefined playbook.

    I need to add a condition point that looks into the vt_scan_results and returns True if 'malicious' is greater than 0 and returns False if ('malicious': 0).

    If the result is True I will write the artifact value to a reference set on QRadar, else go to the endpoint.

    The predefined function and script are as below:

    Function:

    # Pre-process script: map the SOAR artifact type onto the VirusTotal
    # object type and hand the artifact to the function as its inputs.
    typeLookup = {
        'Email Attachment': 'file',
        'Malware Sample': 'file',
        'Malware MD5 Hash': 'hash',
        'Malware SHA-1 Hash': 'hash',
        'Malware SHA-256 Hash': 'hash',
        'Other File': 'file',
        'RCF 822 Email Message File': 'file',
        'File Name': 'filename',
        'URL': 'url',
        'IP Address': 'ip',
        'DNS Name': 'domain'
    }
    # Artifact types that are not in the lookup are passed through unchanged.
    inputs.vt_type = typeLookup.get(artifact.type, artifact.type)
    inputs.incident_id = incident.id
    inputs.artifact_id = artifact.id
    inputs.vt_data = artifact.value

    Script:

    # Post-process script: write the VirusTotal statistics, the last analysis
    # date and a link to the report into an incident note, then add any hash
    # values returned by VirusTotal to the incident as artifacts.
    import datetime
    import json

    VIRUSTOTAL_GUI_URL = "https://www.virustotal.com/gui"

    results = playbook.functions.results.vt_scan_results

    # Uncomment the following 2 lines to have the results json printed formatted to a note.
    #pretty_results = json.dumps(results, indent=4, sort_keys=True)
    #incident.addNote(helper.createRichText(u"<p>VirusTotal scan of {0}: {1} with artifact_id: {2}</p><div>{3}</div>".format(artifact.type, artifact.value, artifact.id, pretty_results)))

    msg = u"<p>VirusTotal scan of {0}: <b>{1}</b> with artifact_id: {2}</p>".format(artifact.type, artifact.value, artifact.id)

    scan = results.get("scan", {})
    if not scan:
        raise Exception("No scan data returned VirusTotal scan {0}: {1} with artifact_id: {2}".format(artifact.type, artifact.value, artifact.id))

    data = scan.get("data", {})
    scan_error = scan.get("error", {})
    if scan_error:
        # An error (for example an unknown hash) is recorded in the note rather than failing the playbook.
        msg = "{0}Error returned: {1}".format(msg, scan_error)
        #helper.fail("Error returned from VirusTotal scan {0}: {1}: {2}".format(artifact.type, artifact.value, scan_error))

    stats = {}
    attributes = {}
    if data:
        attributes = data.get("attributes", {})
        if attributes:
            # If this is a report the stats are in last_analysis_stats, otherwise they are in stats
            stats = attributes.get("last_analysis_stats", {})
            if stats == {}:
                stats = attributes.get("stats", {})

    # Write statistics to the note; the malicious count is highlighted in red
    for k, v in stats.items():
        if k.lower() == "malicious":
            msg = "{0}{1}: <span style='color:red'>{2}</span><br>".format(msg, k, v)
        else:
            msg = "{0}{1}: {2}<br>".format(msg, k, v)

    # Write the last analysis time to the note
    last_analysis_date = attributes.get("last_analysis_date", None)
    if last_analysis_date:
        last_analysis_date_str = datetime.datetime.fromtimestamp(last_analysis_date).strftime('%Y-%b-%d %H:%M:%S')
        msg = "{0}<br>Last analysis date: {1}".format(msg, last_analysis_date_str)

    # Add VirusTotal Report link to the note
    if data:
        uriLookup = {
            'Email Attachment': 'file',
            'Malware Sample': 'file',
            'Malware MD5 Hash': 'file',
            'Malware SHA-1 Hash': 'file',
            'Malware SHA-256 Hash': 'file',
            'Other File': 'file',
            'RCF 822 Email Message File': 'file',
            'File Name': 'file',
            'URL': 'url',
            'IP Address': 'ip-address',
            'DNS Name': 'domain'
        }
        uri_fragment = uriLookup.get(artifact.type, None)
        vt_id = data.get("id", None)
        if vt_id and uri_fragment:
            link_back = "<a href='{0}/{1}/{2}'>VirusTotal Report</a>".format(VIRUSTOTAL_GUI_URL, uri_fragment, vt_id)
            msg = "{0}<br>{1}".format(msg, link_back)

    if not stats:
        msg = "{0}No stats returned from scan {1}: {2} with artifact_id: {3}".format(msg, artifact.type, artifact.value, artifact.id)

    incident.addNote(helper.createRichText("<div>{0}</div>".format(msg)))

    # Create artifacts from results: every hash VirusTotal returned for the object
    artifact_desc = "Created by VirusTotal scan of artifact type: {0} value: {1} artifact_id: {2}".format(artifact.type, artifact.value, artifact.id)
    last_http_response_content_sha256 = attributes.get("last_http_response_content_sha256", None)
    if last_http_response_content_sha256:
        incident.addArtifact('Malware SHA-256 Hash', last_http_response_content_sha256, artifact_desc)
    sha256 = attributes.get("sha256", None)
    if sha256:
        incident.addArtifact('Malware SHA-256 Hash', sha256, artifact_desc)
    md5 = attributes.get("md5", None)
    if md5:
        incident.addArtifact('Malware MD5 Hash', md5, artifact_desc)
    sha1 = attributes.get("sha1", None)
    if sha1:
        incident.addArtifact('Malware SHA-1 Hash', sha1, artifact_desc)

    I need to have the below playbook:

    Any hints on what could be the first condition script in order to get the IP address written to a reference set?


    ------------------------------
    Nabil Nehme
    ------------------------------


  • 2.  RE: Adding a condition point within Virus Total Predefined Playbook

    Posted Tue October 17, 2023 02:13 PM

    Hi Nabil,

    It looks like you're really close! I can't tell exactly what would work for you, but I can give you general guidance that hopefully will get you to the proper place.

    You'll switch the condition type of your "Condition Point" to be a "Script builder" rather than "Condition builder". From there, the goal is to set the value of a variable results to True in one case, and False in all other cases.

    I don't know what part of the results will contain the "malicious" information, but something to the effect of:

    There could be more to it, obviously. The key is just to eventually set results.



    ------------------------------
    Bo Bleckel
    ------------------------------



  • 3.  RE: Adding a condition point within Virus Total Predefined Playbook

    Posted Wed October 18, 2023 02:12 AM

    Just would like to add: if you need to pass data between nodes, for example, if you need to pass the IP Address or the result processed by a script node to the "QRadar Add Reference Set Item" function, you can use playbook.addProperty(<propertyName>, <propertyValue>) in the script node, and then use playbook.properties.<propertyName> to get the value as a function input.

    See more details here: https://www.ibm.com/docs/en/sqsp/50?topic=scripts-playbook-operations



    ------------------------------
    Gilbert Liao
    ------------------------------
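
The condition-point logic described in reply 2 and the property hand-off described in reply 3, as an added example that is not part of this thread or of IBM's predefined playbook. It reads vt_scan_results in the same shape the predefined post-process script walks (scan -> data -> attributes -> last_analysis_stats, falling back to stats), treats a VirusTotal error or missing statistics as "not malicious" instead of raising, and then stages the values a following "QRadar Add Reference Set Item" function can read through playbook.properties. The property names (vt_is_malicious, vt_malicious_count, reference_set_value), the FakePlaybook stand-in and the sample results are assumptions made so the code runs outside SOAR; in a real condition script the one line that matters is `results = is_malicious(playbook.functions.results.vt_scan_results)`.

```python
"""Condition-point verdict and property hand-off for the VirusTotal playbook.

Added example, not code from the predefined playbook. SOAR's globals
(playbook, artifact, incident) do not exist outside SOAR, so a constructed
stand-in for `playbook` is used here to run offline.
"""
from types import SimpleNamespace


def malicious_count(vt_scan_results):
    """Return how many engines flagged the object as malicious.

    Follows the predefined post-process script: for a report the statistics
    sit in scan.data.attributes.last_analysis_stats, for a fresh analysis in
    scan.data.attributes.stats. An error from VirusTotal, missing data or a
    non-numeric count yields 0 so the playbook takes the 'not malicious'
    branch rather than failing.
    """
    scan = (vt_scan_results or {}).get("scan") or {}
    if scan.get("error"):
        return 0
    attributes = (scan.get("data") or {}).get("attributes") or {}
    stats = attributes.get("last_analysis_stats") or attributes.get("stats") or {}
    try:
        return int(stats.get("malicious", 0))
    except (TypeError, ValueError):
        return 0


def is_malicious(vt_scan_results):
    """The condition-point verdict: True when at least one engine said malicious.

    In the SOAR condition script (type 'Script builder') this becomes:
        results = is_malicious(playbook.functions.results.vt_scan_results)
    """
    return malicious_count(vt_scan_results) > 0


def stage_reference_set_item(playbook, artifact, vt_scan_results):
    """Script-node step: stash what the next function reads via playbook.properties.

    The property names are assumptions; the QRadar function's input script
    would then use e.g. playbook.properties.reference_set_value.
    """
    verdict = is_malicious(vt_scan_results)
    playbook.addProperty("vt_is_malicious", verdict)
    playbook.addProperty("vt_malicious_count", malicious_count(vt_scan_results))
    playbook.addProperty("reference_set_value", artifact.value)
    return verdict


class FakePlaybook:
    """Constructed stand-in for SOAR's playbook object (offline use only)."""

    def __init__(self):
        self.properties = SimpleNamespace()

    def addProperty(self, name, value):
        setattr(self.properties, name, value)


# Constructed sample results in the shape the predefined script expects.
# 203.0.113.0/24 is a documentation range, not a real indicator.
MALICIOUS_IP_RESULT = {"scan": {"data": {
    "id": "203.0.113.7", "type": "ip_address",
    "attributes": {"last_analysis_stats": {
        "harmless": 60, "malicious": 5, "suspicious": 1, "undetected": 20}}}}}
CLEAN_IP_RESULT = {"scan": {"data": {
    "id": "203.0.113.8", "type": "ip_address",
    "attributes": {"last_analysis_stats": {
        "harmless": 80, "malicious": 0, "suspicious": 0, "undetected": 6}}}}}
# A fresh analysis carries 'stats' instead of 'last_analysis_stats'.
FRESH_ANALYSIS_RESULT = {"scan": {"data": {
    "id": "u-example", "type": "analysis",
    "attributes": {"stats": {"malicious": 2, "undetected": 70}}}}}
ERROR_RESULT = {"scan": {"error": {"code": "NotFoundError", "message": "not found"}}}


def demo():
    """Run the script-node step against the constructed stand-in and return it."""
    pb = FakePlaybook()
    art = SimpleNamespace(type="IP Address", value="203.0.113.7")
    stage_reference_set_item(pb, art, MALICIOUS_IP_RESULT)
    return pb


if __name__ == "__main__":
    for name, res in [("malicious", MALICIOUS_IP_RESULT), ("clean", CLEAN_IP_RESULT),
                      ("fresh", FRESH_ANALYSIS_RESULT), ("error", ERROR_RESULT)]:
        print(name, malicious_count(res), is_malicious(res))
    print(vars(demo().properties))
```

Treating an error or empty statistics as False keeps the playbook moving to the endpoint; if you would rather block on an unknown object, check `malicious_count` and the presence of stats separately instead of collapsing both into the verdict.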