Merge pull request #15 from splunk-soar-connectors/tapishj/PAPP-34458
Zscaler: Feature - List Actions
tapishj-splunk authored Aug 12, 2024
2 parents 6dd48ec + 8484f70 commit 2478967
Showing 3 changed files with 262 additions and 3 deletions.
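--- a/README.md
+++ b/README.md
@@ -120,6 +120,8 @@ VARIABLE | REQUIRED | TYPE | DESCRIPTION
 [get groups](#action-get-groups) - Gets a list of groups
 [add group user](#action-add-group-user) - Add user to group
 [remove group user](#action-remove-group-user) - Remove user from group
+[get whitelist](#action-get-whitelist) - get urls on the allow list
+[get blacklist](#action-get-blacklist) - get urls on the deny list
 [update user](#action-update-user) - Update user with given id
 [add category url](#action-add-category-url) - Add urls to a cetgory
 [add category ip](#action-add-category-ip) - Add IPs to a cetgory
@@ -759,6 +761,49 @@ summary.message | string | |
 summary.total_objects | numeric | | 1
 summary.total_objects_successful | numeric | | 1
 
+## action: 'get whitelist'
+get urls on the allow list
+
+Type: **investigate**
+Read only: **True**
+
+#### Action Parameters
+No parameters are required for this action
+
+#### Action Output
+DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES
+--------- | ---- | -------- | --------------
+action_result.status | string | | test success test failed
+action_result.data.\*.whitelistUrl | string | |
+action_result.summary.total_whitelist_items | numeric | | 10
+action_result.summary.message | string | | Whitelist retrieved
+summary.total_objects | numeric | | 1
+summary.total_objects_successful | numeric | | 1
+
+## action: 'get blacklist'
+get urls on the deny list
+
+Type: **investigate**
+Read only: **True**
+
+#### Action Parameters
+PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS
+--------- | -------- | ----------- | ---- | --------
+**filter** | optional | Filter results be url or ip | string |
+**query** | optional | Regular expression to match url or ip against | string |
+
+#### Action Output
+DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES
+--------- | ---- | -------- | --------------
+action_result.status | string | | test success test failed
+action_result.parameter.query | string | | 8...8
+action_result.parameter.filter | string | |
+action_result.data.\*.blacklistUrl | string | |
+action_result.summary.message | string | | Blacklist retrieved
+action_result.summary.total_blacklist_items | numeric | | 10
+summary.total_objects | numeric | | 1
+summary.total_objects_successful | numeric | | 1
+
 ## action: 'update user'
 Update user with given id
 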
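--- a/zscaler.json
+++ b/zscaler.json
@@ -3020,6 +3020,155 @@
 },
 "versions": "EQ(*)"
 },
+{
+"action": "get whitelist",
+"identifier": "get_whitelist",
+"description": "get urls on the allow list",
+"type": "investigate",
+"read_only": true,
+"parameters": {},
+"output": [
+{
+"data_path": "action_result.status",
+"data_type": "string",
+"example_values": [
+"test success",
+"test failed"
+]
+},
+{
+"data_path": "action_result.data.*.whitelistUrl",
+"data_type": "string"
+},
+{
+"data_path": "action_result.summary.total_whitelist_items",
+"data_type": "numeric",
+"example_values": [
+10
+]
+},
+{
+"data_path": "action_result.summary.message",
+"data_type": "string",
+"example_values": [
+"Whitelist retrieved"
+]
+},
+{
+"data_path": "summary.total_objects",
+"data_type": "numeric",
+"example_values": [
+1
+]
+},
+{
+"data_path": "summary.total_objects_successful",
+"data_type": "numeric",
+"example_values": [
+1
+]
+}
+],
+"render": {
+"title": "List URL Categories",
+"type": "table"
+},
+"versions": "EQ(*)"
+},
+{
+"action": "get blacklist",
+"identifier": "get_blacklist",
+"description": "get urls on the deny list",
+"type": "investigate",
+"read_only": true,
+"parameters": {
+"filter": {
+"description": "Filter results be url or ip",
+"data_type": "string",
+"primary": true,
+"value_list": [
+"url",
+"ip"
+],
+"order": 0
+},
+"query": {
+"description": "Regular expression to match url or ip against",
+"data_type": "string",
+"primary": true,
+"example_values": [
+"8...8"
+],
+"order": 1
+}
+},
+"output": [
+{
+"data_path": "action_result.status",
+"data_type": "string",
+"example_values": [
+"test success",
+"test failed"
+]
+},
+{
+"data_path": "action_result.parameter.query",
+"data_type": "string",
+"column_name": "Query",
+"example_values": [
+"8...8"
+],
+"column_order": 1
+},
+{
+"data_path": "action_result.parameter.filter",
+"data_type": "string",
+"column_name": "Filter",
+"value_list": [
+"url",
+"ip"
+],
+"column_order": 0
+},
+{
+"data_path": "action_result.data.*.blacklistUrl",
+"data_type": "string"
+},
+{
+"data_path": "action_result.summary.message",
+"data_type": "string",
+"example_values": [
+"Blacklist retrieved"
+]
+},
+{
+"data_path": "action_result.summary.total_blacklist_items",
+"data_type": "numeric",
+"example_values": [
+10
+]
+},
+{
+"data_path": "summary.total_objects",
+"data_type": "numeric",
+"example_values": [
+1
+]
+},
+{
+"data_path": "summary.total_objects_successful",
+"data_type": "numeric",
+"example_values": [
+1
+]
+}
+],
+"render": {
+"title": "List URL Categories",
+"type": "table"
+},
+"versions": "EQ(*)"
+},
 {
 "action": "update user",
 "identifier": "update_user",
@@ -4440,7 +4589,6 @@
 "type": "table"
 },
 "versions": "EQ(*)"
-
 }
 ],
 "pip_dependencies": {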
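Review bot: With `"render": {"type": "table"}`, neither new action gives its result column a `column_name`/`column_order`: `get whitelist` defines none at all and `get blacklist` defines them only for the two parameters, so the rendered table would likely show no list entries. Adding for example `"column_name": "URL", "column_order": 0` to the `action_result.data.*.whitelistUrl` entry (and `"column_order": 2` on the `blacklistUrl` entry) would surface the results. Both actions also reuse the title `List URL Categories`, which looks copied from another action. The data paths assume each data item is an object with a `whitelistUrl` or `blacklistUrl` key; that should be checked against what the handlers pass to `add_data`, which this file section does not show.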
70 changes: 68 additions & 2 deletions zscaler_connector.py
Expand Up @@ -18,14 +18,14 @@
import json
import re
import time
import ipaddress

import phantom.app as phantom
import phantom.rules as phantom_rules
import requests
from bs4 import BeautifulSoup
from phantom.action_result import ActionResult
from phantom.base_connector import BaseConnector

from zscaler_consts import *


Expand Down Expand Up @@ -999,6 +999,66 @@ def _handle_remove_group_user(self, param):

return action_result.set_status(phantom.APP_SUCCESS)

def _handle_get_whitelist(self, param):
"""
This action is used to get the default whitelist in zscalar
:return: status phantom.APP_ERROR/phantom.APP_SUCCESS(along with appropriate message)
"""
self.save_progress("In action handler for: {0}".format(self.get_action_identifier()))
action_result = self.add_action_result(ActionResult(dict(param)))

ret_val, response = self._get_allowlist(action_result)
if phantom.is_fail(ret_val):
return RetVal(ret_val, None)

whitelist = response.get('whitelistUrls', [])
for allowed in whitelist:
action_result.add_data(allowed)
summary = action_result.update_summary({})
summary['total_whitelist_items'] = action_result.get_data_size()
summary['message'] = "Whitelist retrieved"

return action_result.set_status(phantom.APP_SUCCESS)

def _is_ip_address(self, address):
try:
ipaddress.ip_address(address)
return True
except ValueError:
return False

def _handle_get_blacklist(self, param):
"""
This action is used to get the blacklist in zscalar
:return: status phantom.APP_ERROR/phantom.APP_SUCCESS(along with appropriate message)
"""
self.save_progress("In action handler for: {0}".format(self.get_action_identifier()))
action_result = self.add_action_result(ActionResult(dict(param)))

ret_val, response = self._get_blocklist(action_result)
if phantom.is_fail(ret_val):
return RetVal(ret_val, None)

filter = param.get("filter")
query = param.get("query")

summary = action_result.update_summary({})
summary['message'] = "Blacklist retrieved"

blocklist = response.get('blacklistUrls', [])
for blocked in blocklist:
is_ip = self._is_ip_address(blocked)
if filter == "ip" and not is_ip:
continue
if filter == "url" and is_ip:
continue
if query and not re.fullmatch(query, blocked):
continue
action_result.add_data(blocked)

summary['total_blacklist_items'] = action_result.get_data_size()
return action_result.set_status(phantom.APP_SUCCESS)

def _handle_update_user(self, param):
self.save_progress("In action handler for: {0}".format(self.get_action_identifier()))
action_result = self.add_action_result(ActionResult(dict(param)))
Expand Down Expand Up @@ -1261,7 +1321,7 @@ def _handle_list_destination_group(self, param):
"""
self.save_progress("In action handler for: {0}".format(self.get_action_identifier()))
action_result = self.add_action_result(ActionResult(dict(param)))

ip_group_ids = param.get("ip_group_ids", "")
ip_ids_lst = [item.strip() for item in ip_group_ids.split(',') if item.strip()]
exclude_type = param.get("exclude_type", "")
Expand Down Expand Up @@ -1444,6 +1504,12 @@ def handle_action(self, param):
elif action_id == 'remove_group_user':
ret_val = self._handle_remove_group_user(param)

elif action_id == 'get_whitelist':
ret_val = self._handle_get_whitelist(param)

elif action_id == 'get_blacklist':
ret_val = self._handle_get_blacklist(param)

elif action_id == "update_user":
ret_val = self._handle_update_user(param)

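Review bot: In `_handle_get_blacklist` the `query` parameter goes straight into `re.fullmatch(query, blocked)` inside the loop, so a malformed pattern raises `re.error` out of the handler, and a pattern with heavy backtracking is re-evaluated against every block-list entry with no bound. Compile the pattern once before the loop, return `phantom.APP_ERROR` with a message on `re.error`, and consider capping the pattern length, since the value may be fed from playbook data. Separately, the failure path in both new handlers returns `RetVal(ret_val, None)` while the success path returns a status; `return action_result.get_status()` looks like what was meant, though `RetVal` is defined outside the lines shown. The local name `filter` also shadows the builtin.

```python
query = param.get("query")
try:
    pattern = re.compile(query) if query else None
except re.error as e:
    return action_result.set_status(
        phantom.APP_ERROR, "Invalid 'query' regular expression: {0}".format(e)
    )
# … unchanged: summary setup and blocklist lookup …
for blocked in blocklist:
    # … unchanged: ip/url filter checks …
    if pattern and not pattern.fullmatch(blocked):
        continue
```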
