diff --git a/zscaler.json b/zscaler.json
index cc6ab14..8326859 100644
--- a/zscaler.json
+++ b/zscaler.json
@@ -3018,14 +3018,21 @@
 ]
 },
 {
- "data_path": "action_result.data.*.whitelistUrls",
+ "data_path": "action_result.data.*.whitelistUrl",
 "data_type": "string"
 },
 {
- "data_path": "action_result.message",
+ "data_path": "action_result.summary.total_whitelist_items",
+ "data_type": "numeric",
+ "example_values": [
+ 10
+ ]
+ },
+ {
+ "data_path": "action_result.summary.message",
 "data_type": "string",
 "example_values": [
- "test Total url categories: 97"
+ "Whitelist retrieved"
 ]
 },
 {
@@ -3050,7 +3057,7 @@
 "versions": "EQ(*)"
 },
 {
- "action": "get blakclist",
+ "action": "get blacklist",
 "identifier": "get_blacklist",
 "description": "get urls on the deny list",
 "type": "investigate",
@@ -3060,13 +3067,10 @@
 "description": "Filter results be url or ip",
 "data_type": "string",
 "primary": true,
- "contains": [
+ "value_list": [
 "url",
 "ip"
 ],
- "example_values": [
- "127.0.0.1"
- ],
 "order": 0
 },
 "query": {
@@ -3089,14 +3093,40 @@
 ]
 },
 {
- "data_path": "action_result.data.*.whitelistUrls",
+ "data_path": "action_result.parameter.query",
+ "data_type": "string",
+ "column_name": "Query",
+ "example_values": [
+ "8...8"
+ ],
+ "column_order": 1
+ },
+ {
+ "data_path": "action_result.parameter.filter",
+ "data_type": "string",
+ "column_name": "Filter",
+ "value_list": [
+ "url",
+ "ip"
+ ],
+ "column_order": 0
+ },
+ {
+ "data_path": "action_result.data.*.blacklistUrl",
 "data_type": "string"
 },
 {
- "data_path": "action_result.message",
+ "data_path": "action_result.summary.message",
 "data_type": "string",
 "example_values": [
- "test Total url categories: 97"
+ "Blacklist retrieved"
+ ]
+ },
+ {
+ "data_path": "action_result.summary.total_blacklist_items",
+ "data_type": "numeric",
+ "example_values": [
+ 10
 ]
 },
 {
diff --git a/zscaler_connector.py b/zscaler_connector.py
index d0b15c9..269e95c 100644
--- a/zscaler_connector.py
+++ b/zscaler_connector.py
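Review bot: The new `action_result.data.*.whitelistUrl` data path does not match what the connector change in this same diff stores: `_handle_get_whitelist` calls `action_result.add_data(allowed)` on each entry of `whitelistUrls`, and if those entries are the plain strings the settings endpoint appears to return, the data items carry no `whitelistUrl` key for the path to resolve. The same applies to `action_result.data.*.blacklistUrl` in the blacklist output block further down. Either wrap each entry when storing it, `action_result.add_data({"whitelistUrl": allowed})`, or point the data path at the bare item so the app's output contract and the code agree.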
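Review bot: The `filter` parameter is now restricted to `url`/`ip` via `value_list`, but the context line directly above the change still reads `"description": "Filter results be url or ip"`; it should be `"description": "Filter results by url or ip"` while this block is being touched. The `query` parameter, whose block opens at the hunk's last line, is applied with `re.fullmatch` in the connector change, so its description should say it is a regular expression that must match the whole blocklist entry — the `8...8` example used later only makes sense read that way. The `query` block itself continues outside the hunk.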
@@ -18,6 +18,7 @@ import json import re import time +import ipaddress import phantom.app as phantom import phantom.rules as phantom_rules @@ -25,7 +26,6 @@ from bs4 import BeautifulSoup from phantom.action_result import ActionResult from phantom.base_connector import BaseConnector -import socket from zscaler_consts import * @@ -998,14 +998,26 @@ def _handle_get_whitelist(self, param): self.save_progress("In action handler for: {0}".format(self.get_action_identifier())) action_result = self.add_action_result(ActionResult(dict(param))) - ret_val, response = self._make_rest_call_helper('/api/v1/settings', action_result) + ret_val, response = self._get_allowlist(action_result) if phantom.is_fail(ret_val): - return action_result.get_status() + return RetVal(ret_val, None) - self.debug_print(response) + whitelist = response.get('whitelistUrls', []) + for allowed in whitelist: + action_result.add_data(allowed) + summary = action_result.update_summary({}) + summary['total_whitelist_items'] = action_result.get_data_size() + summary['message'] = "Whitelist retrieved" return action_result.set_status(phantom.APP_SUCCESS) + def _is_ip_address(self, address): + try: + ipaddress.ip_address(address) + return True + except ValueError: + return False + def _handle_get_blacklist(self, param): """ This action is used to get the blacklist in zscalar 
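Review bot: `return RetVal(ret_val, None)` on the `is_fail` branch of `_handle_get_whitelist` hands back a tuple where the old `action_result.get_status()` returned a status; if `handle_action` passes the handler's return through to the framework, a failed settings call is no longer reported as a clean action failure, so keep `return action_result.get_status()` there. `response.get('whitelistUrls', [])` also presumes `_get_allowlist` returns a dict on success — worth a guard or a comment if that helper can hand back `None`. The new `_is_ip_address` has no docstring; I would add `"""Return True when *address* parses as a bare IPv4/IPv6 address; CIDR ranges and host:port forms do not and end up in the url bucket."""`, since this check decides the `filter` buckets in the blacklist handler. The `def` line of `_handle_get_whitelist` sits in the hunk header outside the hunk, and `_handle_get_blacklist` continues beyond the hunk's end.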
@@ -1014,29 +1026,28 @@ def _handle_get_blacklist(self, param): self.save_progress("In action handler for: {0}".format(self.get_action_identifier())) action_result = self.add_action_result(ActionResult(dict(param))) - ret_val, response = self._make_rest_call_helper('/api/v1/settings/advanced', action_result) + ret_val, response = self._get_blocklist(action_result) if phantom.is_fail(ret_val): - return action_result.get_status() + return RetVal(ret_val, None) filter = param.get("filter") query = param.get("query") - self.debug_print(response) - if not filter and not query: - return action_result.set_status(phantom.APP_SUCCESS) - - parsed_data = [] - - self.debug_print(response) - for entry in response: - self.debug_print(entry) - url = entry.get(url, "") - ip = socket.socket.gethostbyname(url) - if url == filter or ip == filter: - parsed_data.append(entry) - elif query and (re.fullmatch(query, url) or re.fullmatch(query, ip)): - parsed_data.append(entry) + summary = action_result.update_summary({}) + summary['message'] = "Blacklist retrieved" + blocklist = response.get('blacklistUrls', []) + for blocked in blocklist: + is_ip = self._is_ip_address(blocked) + if filter == "ip" and not is_ip: + continue + if filter == "url" and is_ip: + continue + if query and not re.fullmatch(query, blocked): + continue + action_result.add_data(blocked) + + summary['total_blacklist_items'] = action_result.get_data_size() return action_result.set_status(phantom.APP_SUCCESS) def handle_action(self, param):
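Review bot: `re.fullmatch(query, blocked)` applies a caller-supplied pattern unchecked: a malformed `query` raises `re.error` inside the loop so the action dies with a traceback instead of a clean `APP_ERROR`, and a pathological pattern is backtracked against every blocklist entry. Compile it once before the loop inside a `try`/`except re.error` that sets the error status and returns, then match with the compiled pattern in the loop, as below. `return RetVal(ret_val, None)` on the `is_fail` branch has the same problem as in the whitelist handler — a tuple where the old `action_result.get_status()` returned a status — and `filter` shadows the builtin, so `filter_by` would read better. A `filter` value outside `url`/`ip` currently disables filtering silently; rejecting it with `APP_ERROR` is cheap. `handle_action` starts on the hunk's last line and continues outside it.
```python
        filter = param.get("filter")
        query = param.get("query")

        # Compile the caller-supplied pattern once and reject it cleanly
        # rather than letting re.error escape from inside the loop.
        pattern = None
        if query:
            try:
                pattern = re.compile(query)
            except re.error as e:
                return action_result.set_status(phantom.APP_ERROR, "Invalid query regex: {0}".format(e))

        # … unchanged: summary setup and blocklist fetch …
        for blocked in blocklist:
            # … unchanged: ip/url filter checks …
            if pattern and not pattern.fullmatch(blocked):
                continue
            action_result.add_data(blocked)
```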