Zscaler: Feature - List Actions #15

Merged
45 changes: 45 additions & 0 deletions README.md
Expand Up @@ -120,6 +120,8 @@ VARIABLE | REQUIRED | TYPE | DESCRIPTION
[get groups](#action-get-groups) - Gets a list of groups
[add group user](#action-add-group-user) - Add user to group
[remove group user](#action-remove-group-user) - Remove user from group
[get whitelist](#action-get-whitelist) - get urls on the allow list
[get blacklist](#action-get-blacklist) - get urls on the deny list
[update user](#action-update-user) - Update user with given id
[add category url](#action-add-category-url) - Add urls to a cetgory
[add category ip](#action-add-category-ip) - Add IPs to a cetgory
Expand Down Expand Up @@ -759,6 +761,49 @@ summary.message | string | |
summary.total_objects | numeric | | 1
summary.total_objects_successful | numeric | | 1

## action: 'get whitelist'
get urls on the allow list

Type: **investigate**
Read only: **True**

#### Action Parameters
No parameters are required for this action

#### Action Output
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES
--------- | ---- | -------- | --------------
action_result.status | string | | test success test failed
action_result.data.\*.whitelistUrl | string | |
action_result.summary.total_whitelist_items | numeric | | 10
action_result.summary.message | string | | Whitelist retrieved
summary.total_objects | numeric | | 1
summary.total_objects_successful | numeric | | 1

## action: 'get blacklist'
get urls on the deny list

Type: **investigate**
Read only: **True**

#### Action Parameters
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS
--------- | -------- | ----------- | ---- | --------
**filter** | optional | Filter results be url or ip | string |
**query** | optional | Regular expression to match url or ip against | string |

#### Action Output
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES
--------- | ---- | -------- | --------------
action_result.status | string | | test success test failed
action_result.parameter.query | string | | 8...8
action_result.parameter.filter | string | |
action_result.data.\*.blacklistUrl | string | |
action_result.summary.message | string | | Blacklist retrieved
action_result.summary.total_blacklist_items | numeric | | 10
summary.total_objects | numeric | | 1
summary.total_objects_successful | numeric | | 1

## action: 'update user'
Update user with given id

150 changes: 149 additions & 1 deletion zscaler.json
Expand Up @@ -3020,6 +3020,155 @@
},
"versions": "EQ(*)"
},
{
"action": "get whitelist",
"identifier": "get_whitelist",
"description": "get urls on the allow list",
"type": "investigate",
"read_only": true,
"parameters": {},
"output": [
{
"data_path": "action_result.status",
"data_type": "string",
"example_values": [
"test success",
"test failed"
]
},
{
"data_path": "action_result.data.*.whitelistUrl",
"data_type": "string"
},
{
"data_path": "action_result.summary.total_whitelist_items",
"data_type": "numeric",
"example_values": [
10
]
},
{
"data_path": "action_result.summary.message",
"data_type": "string",
"example_values": [
"Whitelist retrieved"
]
},
{
"data_path": "summary.total_objects",
"data_type": "numeric",
"example_values": [
1
]
},
{
"data_path": "summary.total_objects_successful",
"data_type": "numeric",
"example_values": [
1
]
}
],
"render": {
"title": "List URL Categories",
"type": "table"
},
"versions": "EQ(*)"
},
{
"action": "get blacklist",
"identifier": "get_blacklist",
"description": "get urls on the deny list",
"type": "investigate",
"read_only": true,
"parameters": {
"filter": {
"description": "Filter results be url or ip",
"data_type": "string",
"primary": true,
"value_list": [
"url",
"ip"
],
"order": 0
},
"query": {
"description": "Regular expression to match url or ip against",
"data_type": "string",
"primary": true,
"example_values": [
"8...8"
],
"order": 1
}
},
"output": [
{
"data_path": "action_result.status",
"data_type": "string",
"example_values": [
"test success",
"test failed"
]
},
{
"data_path": "action_result.parameter.query",
"data_type": "string",
"column_name": "Query",
"example_values": [
"8...8"
],
"column_order": 1
},
{
"data_path": "action_result.parameter.filter",
"data_type": "string",
"column_name": "Filter",
"value_list": [
"url",
"ip"
],
"column_order": 0
},
{
"data_path": "action_result.data.*.blacklistUrl",
"data_type": "string"
},
{
"data_path": "action_result.summary.message",
"data_type": "string",
"example_values": [
"Blacklist retrieved"
]
},
{
"data_path": "action_result.summary.total_blacklist_items",
"data_type": "numeric",
"example_values": [
10
]
},
{
"data_path": "summary.total_objects",
"data_type": "numeric",
"example_values": [
1
]
},
{
"data_path": "summary.total_objects_successful",
"data_type": "numeric",
"example_values": [
1
]
}
],
"render": {
"title": "List URL Categories",
"type": "table"
},
"versions": "EQ(*)"
},
{
"action": "update user",
"identifier": "update_user",
Expand Down Expand Up @@ -4440,7 +4589,6 @@
"type": "table"
},
"versions": "EQ(*)"

}
],
"pip_dependencies": {
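Review bot: Both new action entries close with a `render` block titled `"List URL Categories"`, which looks copied from another action; `"title": "Get Whitelist"` and `"title": "Get Blacklist"` would match what each table shows. The `action_result.data.*.whitelistUrl` and `action_result.data.*.blacklistUrl` outputs carry no `column_name`/`column_order`, so with `"type": "table"` the retrieved URLs would presumably not be rendered as a column. The connector in this PR passes each list entry straight to `add_data`, so if those entries are plain strings the `.whitelistUrl`/`.blacklistUrl` keys would never resolve; this is worth confirming against the API response. The `filter` description should read `"Filter results by url or ip"`.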
70 changes: 68 additions & 2 deletions zscaler_connector.py
Expand Up @@ -18,14 +18,14 @@
import json
import re
import time
import ipaddress

import phantom.app as phantom
import phantom.rules as phantom_rules
import requests
from bs4 import BeautifulSoup
from phantom.action_result import ActionResult
from phantom.base_connector import BaseConnector

from zscaler_consts import *


Expand Down Expand Up @@ -999,6 +999,66 @@ def _handle_remove_group_user(self, param):

return action_result.set_status(phantom.APP_SUCCESS)

def _handle_get_whitelist(self, param):
"""
This action is used to get the default whitelist in zscalar
:return: status phantom.APP_ERROR/phantom.APP_SUCCESS(along with appropriate message)
"""
self.save_progress("In action handler for: {0}".format(self.get_action_identifier()))
action_result = self.add_action_result(ActionResult(dict(param)))

ret_val, response = self._get_allowlist(action_result)
if phantom.is_fail(ret_val):
return RetVal(ret_val, None)

whitelist = response.get('whitelistUrls', [])
for allowed in whitelist:
action_result.add_data(allowed)
summary = action_result.update_summary({})
summary['total_whitelist_items'] = action_result.get_data_size()
summary['message'] = "Whitelist retrieved"

return action_result.set_status(phantom.APP_SUCCESS)

def _is_ip_address(self, address):
try:
ipaddress.ip_address(address)
return True
except ValueError:
return False

def _handle_get_blacklist(self, param):
"""
This action is used to get the blacklist in zscalar
:return: status phantom.APP_ERROR/phantom.APP_SUCCESS(along with appropriate message)
"""
self.save_progress("In action handler for: {0}".format(self.get_action_identifier()))
action_result = self.add_action_result(ActionResult(dict(param)))

ret_val, response = self._get_blocklist(action_result)
if phantom.is_fail(ret_val):
return RetVal(ret_val, None)

filter = param.get("filter")
query = param.get("query")

summary = action_result.update_summary({})
summary['message'] = "Blacklist retrieved"

blocklist = response.get('blacklistUrls', [])
for blocked in blocklist:
is_ip = self._is_ip_address(blocked)
if filter == "ip" and not is_ip:
continue
if filter == "url" and is_ip:
continue
if query and not re.fullmatch(query, blocked):
continue
action_result.add_data(blocked)

summary['total_blacklist_items'] = action_result.get_data_size()
return action_result.set_status(phantom.APP_SUCCESS)

def _handle_update_user(self, param):
self.save_progress("In action handler for: {0}".format(self.get_action_identifier()))
action_result = self.add_action_result(ActionResult(dict(param)))
Expand Down Expand Up @@ -1261,7 +1321,7 @@ def _handle_list_destination_group(self, param):
"""
self.save_progress("In action handler for: {0}".format(self.get_action_identifier()))
action_result = self.add_action_result(ActionResult(dict(param)))

ip_group_ids = param.get("ip_group_ids", "")
ip_ids_lst = [item.strip() for item in ip_group_ids.split(',') if item.strip()]
exclude_type = param.get("exclude_type", "")
Expand Down Expand Up @@ -1444,6 +1504,12 @@ def handle_action(self, param):
elif action_id == 'remove_group_user':
ret_val = self._handle_remove_group_user(param)

elif action_id == 'get_whitelist':
ret_val = self._handle_get_whitelist(param)

elif action_id == 'get_blacklist':
ret_val = self._handle_get_blacklist(param)

elif action_id == "update_user":
ret_val = self._handle_update_user(param)

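Review bot: In `_handle_get_blacklist` the `query` parameter goes unvalidated into `re.fullmatch(query, blocked)` inside the loop, so a malformed pattern raises `re.error` out of the handler instead of failing the action cleanly. A pattern with heavy backtracking is also run against every blocklist entry with no bound on its length or run time. Compiling the pattern once before the loop and returning `phantom.APP_ERROR` on `re.error` handles the first problem, and a length cap on `query` is a cheap guard for the second. Both new handlers also return `RetVal(ret_val, None)` on failure while the neighbouring handler returns a status; if `RetVal` is a tuple (its definition is outside this diff) the value handed back to `handle_action` would be truthy, so `return action_result.get_status()` is the safer form. The local name `filter` shadows the builtin; `filter_type` would avoid that.

```python
        query = param.get("query")
        try:
            # Compile once so an invalid pattern fails the action instead of raising mid-loop.
            pattern = re.compile(query) if query else None
        except re.error as e:
            return action_result.set_status(
                phantom.APP_ERROR, "Invalid regular expression in 'query': {0}".format(e)
            )

        # … unchanged: summary setup and blocklist lookup from response …
        for blocked in blocklist:
            # … unchanged: ip/url filter checks …
            if pattern and not pattern.fullmatch(blocked):
                continue
            action_result.add_data(blocked)
```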