trigger fixes
bradchiappetta committed Oct 30, 2024
1 parent 5bda87b commit 4d8ea55
Showing 6 changed files with 61 additions and 45 deletions.
8 changes: 6 additions & 2 deletions plugins/greynoise/.CHECKSUM
@@ -1,6 +1,6 @@
{
"spec": "f37bf67b1e097131c4812f195332e490",
"manifest": "4264325d8b444f91b006285f2b0f8c68",
"spec": "3cf89fa29af9f0ac11fa185624810226",
"manifest": "a3a078aff38b7dd7cb3d26c2d506a97c",
"setup": "7d0148b4efc7745f17003a77e9e73c55",
"schemas": [
{
Expand Down Expand Up @@ -42,6 +42,10 @@
{
"identifier": "connection/schema.py",
"hash": "f7a3e43e3b17d8e2059b6499b67e7e5a"
},
{
"identifier": "greynoise_alert/schema.py",
"hash": "749cccab54d160242c64555a942be69f"
}
]
}
15 changes: 8 additions & 7 deletions plugins/greynoise/help.md
Expand Up @@ -603,24 +603,25 @@ Example output:
### Triggers


#### Trigger a GreyNoise Alert
#### Monitor IP list in GreyNoise

This trigger is used to trigger a GreyNoise Alert based on IP List every interval
This trigger is used to query a list of IPs in GreyNoise based on IP List every interval to identify if any of them are
actively scanning the internet

##### Input

|Name|Type|Default|Required|Description|Enum|Example|Placeholder|Tooltip|
| :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- |
|interval|integer|3600|True|How frequently (in seconds) to trigger a greeting|None|3600|None|None|
|ip_list|[]string|None|True|List of IP Addresses or CIDR blocks to check for scanning activity|None|1.2.3.4,5.2.3.0/24|None|None|
|lookback_days|integer|1|True|Number of Days to look back for scanning activity|None|1|None|None|
|ip_list|[]string|None|True|List of IP Addresses or CIDR blocks to check for scanning activity|None|[1.2.3.4,5.2.3.0/24]|None|None|
|lookback_days|integer|1|True|Number of Days to look back for scanning activity. Recommended "1", Max "90"|None|1|None|None|

Example input:

```
{
"interval": 3600,
"ip_list": "1.2.3.4,5.2.3.0/24",
"ip_list": "[1.2.3.4,5.2.3.0/24]",
"lookback_days": 1
}
```
Expand All @@ -629,13 +630,13 @@ Example input:

|Name|Type|Required|Description|Example|
| :--- | :--- | :--- | :--- | :--- |
|ip_list|[]string|True|The list of IPs that were found scanning|1.2.3.4,5.2.3.0/24|
|alert_ip_list|[]string|True|The list of IPs that were found scanning|1.2.3.4,5.2.3.5|

Example output:

```
{
"ip_list": "1.2.3.4,5.2.3.0/24"
"alert_ip_list": "1.2.3.4,5.2.3.5"
}
```
### Tasks
@@ -1,2 +1,2 @@
# GENERATED BY INSIGHT-PLUGIN - DO NOT EDIT
from .trigger import GreynoiseAlert
from .trigger import GreynoiseAlert
Expand Up @@ -4,7 +4,7 @@


class Component:
DESCRIPTION = "Trigger a GreyNoise Alert based on IP List every interval"
DESCRIPTION = "Query a list of IPs in GreyNoise based on IP List every interval to identify if any of them are actively scanning the internet"


class Input:
Expand All @@ -14,7 +14,7 @@ class Input:


class Output:
IP_LIST = "ip_list"
ALERT_IP_LIST = "alert_ip_list"


class GreynoiseAlertInput(insightconnect_plugin_runtime.Input):
Expand Down Expand Up @@ -42,7 +42,7 @@ class GreynoiseAlertInput(insightconnect_plugin_runtime.Input):
"lookback_days": {
"type": "integer",
"title": "Number of days",
"description": "Number of Days to look back for scanning activity",
"description": "Number of Days to look back for scanning activity. Recommended \"1\", Max \"90\"",
"default": 1,
"order": 3
}
Expand All @@ -66,7 +66,7 @@ class GreynoiseAlertOutput(insightconnect_plugin_runtime.Output):
"type": "object",
"title": "Variables",
"properties": {
"ip_list": {
"alert_ip_list": {
"type": "array",
"title": "List of IPs",
"description": "The list of IPs that were found scanning",
Expand All @@ -77,7 +77,7 @@ class GreynoiseAlertOutput(insightconnect_plugin_runtime.Output):
}
},
"required": [
"ip_list"
"alert_ip_list"
],
"definitions": {}
}
Expand Up @@ -17,37 +17,48 @@ def __init__(self):

def run(self, params={}):
# START INPUT BINDING - DO NOT REMOVE - ANY INPUTS BELOW WILL UPDATE WITH YOUR PLUGIN SPEC AFTER REGENERATION
interval = params.get(Input.INTERVAL, 3600)
interval = params.get(Input.INTERVAL)
ip_list = params.get(Input.IP_LIST)
lookback_days = params.get(Input.LOOKBACK_DAYS)
# END INPUT BINDING - DO NOT REMOVE

self.logger.info("Loading GreyNoise Alert Trigger")
while True:
query_ips = ""
counter = 0
for ip in ip_list:
if counter == 0:
query_ips = str(ip)
counter = counter + 1
else:
query_ips = query_ips + " OR " + str(ip)
counter = counter + 1
try:
int(lookback_days)
except Exception:
query_ips = ""
counter = 0
for ip in ip_list:
if counter == 0:
query_ips = "(" + str(ip)
counter = counter + 1
else:
query_ips = query_ips + " OR " + str(ip)
counter = counter + 1
query_ips = query_ips + ")"
try:
int(lookback_days)
except Exception:
raise PluginException(
cause=f"Lookback Days value is not a valid integer.",
assistance="Please check the input and try again.",
)

self.logger.info("Checking GreyNoise for IP list")
query = query_ips + " last_seen:" + str(lookback_days) + "d"
response = self.connection.gn_client.query(query)

if response.get("count") != 0:
self.logger.info("IPs found in GreyNoise")
alert_ip_list = []
for item in response["data"]:
alert_ip_list.append(item["ip"])
self.send({
Output.ALERT_IP_LIST: alert_ip_list,
})
except Exception as e:
raise PluginException(
cause=f"Lookback Days value is not a valid integer.",
cause=f"Plugin exception occurred: {e}",
assistance="Please check the input and try again.",
)

query = query_ips + "last_seen:" + str(lookback_days) + "d"
response = self.connection.gn_client.query(query)

if response.get(count) != "0":
alert_ip_list = []
for item in response["data"]:
alert_ip_list.append(item["ip"])
self.send({
Output.IP_LIST: alert_ip_list,
})
time.sleep(interval)
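Review bot: The new outer `except Exception as e:` at the end of the while body also catches the `PluginException` raised a few lines earlier for a non-integer `lookback_days`, so that specific cause is rewrapped as "Plugin exception occurred: …" and its context is lost; add `except PluginException: raise` ahead of the generic handler and chain the generic one with `raise PluginException(...) from e` (this assumes PluginException derives from Exception, which the inner handler's own use of `except Exception` suggests). Each entry of `ip_list` is concatenated straight into the GNQL string, so a malformed entry or one containing query syntax silently changes what is queried, and an empty `ip_list` currently produces the query `() last_seen:…`; validating every entry with `ipaddress.ip_network(str(ip), strict=False)` (stdlib import needed) and rejecting an empty list with a PluginException before the loop would fail early with a clear message. `time.sleep(interval)` sits outside the try and the input binding no longer supplies a default, so a missing interval would surface as an uncaught TypeError rather than a PluginException — presumably the spec default of 3600 makes this unreachable, but worth confirming. `run` appears to end with the hunk at `time.sleep(interval)`, but its closing is not visible here.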

12 changes: 6 additions & 6 deletions plugins/greynoise/plugin.spec.yaml
Expand Up @@ -691,8 +691,8 @@ connection:
example: abcdefghijklmnopqrstuvwxyz0123456789
triggers:
greynoise_alert:
title: Trigger a GreyNoise Alert
description: Trigger a GreyNoise Alert based on IP List every interval
title: Monitor IP list in GreyNoise
description: Query a list of IPs in GreyNoise based on IP List every interval to identify if any of them are actively scanning the internet
input:
interval:
title: Interval
Expand All @@ -706,21 +706,21 @@ triggers:
description: List of IP Addresses or CIDR blocks to check for scanning activity
type: "[]string"
required: true
example: "1.2.3.4,5.2.3.0/24"
example: "[1.2.3.4,5.2.3.0/24]"
lookback_days:
title: Number of days
description: Number of Days to look back for scanning activity
description: Number of Days to look back for scanning activity. Recommended "1", Max "90"
type: integer
required: true
default: 1
example: 1
output:
ip_list:
alert_ip_list:
title: List of IPs
description: The list of IPs that were found scanning
type: "[]string"
required: true
example: "1.2.3.4,5.2.3.0/24"
example: "1.2.3.4,5.2.3.5"
actions:
context_lookup:
title: Context IP Lookup
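Review bot: The new `ip_list` example `"[1.2.3.4,5.2.3.0/24]"` is a single quoted string, not a list, although the field is declared as `[]string`; the same string is echoed into help.md's example input, where it does not read as a JSON array. A YAML list such as `example: ["1.2.3.4", "5.2.3.0/24"]` would match the declared type, and the `alert_ip_list` output example should be written the same way. Separately, help.md still shows the `interval` description as "How frequently (in seconds) to trigger a greeting", which looks like a template leftover in the spec outside this hunk and is worth correcting in the same change.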
