IBM QRadar SOAR

IBM QRadar

  • 1.  Extracting delta of two files

    Posted Wed April 10, 2019 05:09 AM
    Hello team,

    I have created function allowing me to to push artifact value to a text file and I am using the IOC parser function to compare this file with an input of IOCs contained in a file attachment and extract the delta between them. Here is the code I added to the IOC parser function:

        # Read self.filepath and return contents
        inputStream = open(tempiocoutput.name)
        inputStream2 = open('/usr/share/integration/components/whitelist.txt')
        contents = inputStream.readlines()
        results = []
        input = [line.strip() for line in contents]
        whitelist = [line.strip() for line in inputStream2]

        for line in input:
            if line not in whitelist:
                newline = ast.literal_eval(line)
                results.append(newline)

        log.info("Return results to Resilient")
        yield FunctionResult({"value": results})


    I don't see what's wrong with this code, as it is supposed to do its job and extract the delta between two files. So I suspect Resilient of preventing the code from working correctly. Or maybe I missed something I shouldn't have.

    Thanks in advance for your help.


    ------------------------------
    Zohra SMAIL
    ------------------------------


  • 2.  RE: Extracting delta of two files

    Posted Wed April 10, 2019 11:06 AM
    Hi Zohra,

    Without testing your code sample it looks like you are not reading lines from inputStream2; this is just opening the file which returns a file object.

    Also when dealing with files it is better practice to handle the opening and closing of files when done using. This can be handled easily with something like below: 

    with open('/usr/share/integration/components/whitelist.txt') as inputStream2:
        contents2 = inputStream2.readlines()


    ------------------------------
    Brian Walsh
    ------------------------------



  • 3.  RE: Extracting delta of two files

    Posted Wed April 10, 2019 05:12 PM
    Hi Brian,

    Thanks for helping.

    I had actually copied the wrong code. Here is what I had and that is supposed to work:

                # Read self.filepath and return contents
                inputStream = open(tempiocoutput.name)
                inputStream2 = open('/usr/share/integration/components/whitelist.txt')
                contents = inputStream.readlines()
                contents2 = inputStream2.readlines()
                results = []

                input = [line.strip() for line in contents]

                for line in input:
                    for line2 in contents2:
                        if line != line2:
                            newline = ast.literal_eval(line)
                            results.append(newline)
                            break

                log.info("Return results to Resilient")
                yield FunctionResult({"value": results})

    I still have the whole content of my IOCs file in the Artifacts tab, so no comparison was made with the whitelist.



    ------------------------------
    Zohra SMAIL
    ------------------------------



  • 4.  RE: Extracting delta of two files

    Posted Thu April 11, 2019 05:20 PM
    Hi Zohra,

    This looks like it could be a Python thing. I don't have the files you're testing against, so it is hard to say for sure. Can you step through your code and verify whether it is seeing the lines as equal to each other?

    My guess is you are using .strip() on the lines in contents but not in contents2, so when comparing the lines it thinks they are different.

    It could also be your for loop, where it looks like it will add the line from contents to results even if that line exists later in the contents2 list. I am not sure if that is the behavior you want. The below example will only add the line if it does not exist at all in contents2:


    ...
    
    results = []
    input = [line.strip() for line in contents]
    whitelist_input = [line.strip() for line in whitelist]
    
    for line in input:
        if line not in whitelist_input:
            newline = ast.literal_eval(line)
            results.append(line)
            break


    ------------------------------
    Brian Walsh
    ------------------------------



  • 5.  RE: Extracting delta of two files

    Posted Fri April 12, 2019 08:02 AM
    Edited by Zohra SMAIL Fri April 12, 2019 10:26 AM
    Hi Brian,

    I actually had already tried that possibility and every other Python possibility that was supposed to work elsewhere. Here is what I get with the code above, for instance:

    https://www.io67676767.com

    When I am supposed to have the whole following list:

    https://www.knowbe4.com
    https://www.google.com
    https://www.io.com
    https://www.gfdfgdg.com
    https://www.jljklkl.com
    https://www.io67676767.com
    https://www.zozozozozoz.com
    https://www.tototototot.com
    https://www.opopopopopop.com

    Here is the content of both files:

    The input:
    https://www.knowbe4.com
    https://www.google.com
    https://www.io.com
    https://www.gfdfgdg.com
    https://www.jljklkl.com
    https://www.io67676767.com
    https://www.zozozozozoz.com
    https://www.tototototot.com
    https://www.opopopopopop.com
    www.blabla.com
    89.44.122.33

    Whitelist:
    www.blabla.com
    89.44.122.33

    ------------------------------
    Zohra SMAIL
    ------------------------------



  • 6.  RE: Extracting delta of two files

    Posted Fri April 12, 2019 03:49 PM
    Hi Zohra,

    I ran a quick test with the input you listed in input.txt and the whitelist you listed in whitelist.txt. I got the output you are expecting in results:

    https://www.knowbe4.com
    https://www.google.com
    https://www.io.com
    https://www.gfdfgdg.com
    https://www.jljklkl.com
    https://www.io67676767.com
    https://www.zozozozozoz.com
    https://www.tototototot.com
    https://www.opopopopopop.com

    This is the code I tested and produced the results:
    with open("/tmp/imput.txt") as inputStream:
        contents = inputStream.readlines()
    with open("/tmp/whitelist.txt") as inputStream2:
        whitelist = inputStream2.readlines()
    
    results = []
    input = [line.strip() for line in contents]
    whitelist_input = [line.strip() for line in whitelist]
    
    for line in input:
        if line not in whitelist_input:
            results.append(line)
    
    print(results)


    ------------------------------
    Brian Walsh
    ------------------------------
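    Added example (not code from this thread or from the QRadar SOAR/Resilient function) that puts the two comparison approaches side by side on the sample data posted above: the pairwise compare-and-break loop from post 3, which keeps every line, and the whitelist membership test from post 6, which strips whitespace on both sides and de-duplicates. The sample lists are constructed from the input and whitelist listed in post 5.

```python
from typing import Iterable, List

# Sample data constructed from the input/whitelist listed in the thread.
INPUT_LINES = [
    "https://www.knowbe4.com\n",
    "https://www.google.com\n",
    "https://www.io.com\n",
    "www.blabla.com\n",
    "89.44.122.33\n",
]
WHITELIST_LINES = ["www.blabla.com\n", "89.44.122.33\n"]


def normalize(lines: Iterable[str]) -> List[str]:
    """Strip whitespace and drop blank lines so a trailing newline or a
    stray space can never make two equal indicators compare unequal."""
    return [line.strip() for line in lines if line.strip()]


def delta_nested_loop(inputs: Iterable[str], whitelist: Iterable[str]) -> List[str]:
    """The pairwise compare-and-break pattern from post 3: a line is kept as
    soon as it differs from any single whitelist entry, so with two or more
    distinct whitelist entries nothing is ever filtered out."""
    results = []
    for line in normalize(inputs):
        for other in normalize(whitelist):
            if line != other:
                results.append(line)
                break
    return results


def delta(inputs: Iterable[str], whitelist: Iterable[str]) -> List[str]:
    """Membership test against the whole whitelist (post 6): returns the
    input lines, in order and de-duplicated, that are absent from the list."""
    allowed = set(normalize(whitelist))
    seen = set()
    results = []
    for line in normalize(inputs):
        if line not in allowed and line not in seen:
            seen.add(line)
            results.append(line)
    return results


def delta_from_files(input_path: str, whitelist_path: str) -> List[str]:
    """File-backed variant using context managers so both handles are closed."""
    with open(input_path) as f_in, open(whitelist_path) as f_wl:
        return delta(f_in.readlines(), f_wl.readlines())
```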