Creating the app
About this task
Before you start the following procedure, make sure that you have created your playbook components, such as the message destination, function, workflow, and rule or playbook. The example code uses the URLhaus app, whose app name is fn_urlhaus; substitute your own app name.
Procedure
Results
The resulting AppFunctionComponent code is available and is similar to the
following example code.
# -*- coding: utf-8 -*-
"""AppFunction implementation"""
from resilient_circuits import AppFunctionComponent, app_function, FunctionResult
from resilient_lib import IntegrationError, validate_fields
# App (package) name handed to AppFunctionComponent, and the function name
# registered through @app_function. In this example the two are the same.
PACKAGE_NAME = "fn_urlhaus"
FN_NAME = "fn_urlhaus"

# Maps an artifact type name to the lookup key the function uses for it.
# The function uses the mapped string both as the last URL path segment and
# as the form-field name that carries the artifact value.
ARTIFACT_TYPE_MAP = {
    # Network indicators
    "DNS Name": "host",
    "IP Address": "host",
    # File hashes
    "Malware MD5 Hash": "payload:md5_hash",
    "Malware SHA-256 Hash": "payload:sha256_hash",
    # Remaining types
    "Server Name": "host",
    "String": "tag",
    "URL": "url",
}
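class FunctionComponent(AppFunctionComponent):
    """Component that implements function 'fn_urlhaus'"""

    def __init__(self, opts):
        """Initialise the component for PACKAGE_NAME with the given options."""
        super(FunctionComponent, self).__init__(opts, PACKAGE_NAME)

    @app_function(FN_NAME)
    def _app_function(self, fn_inputs):
        """
        Function: Look up a single artifact by POSTing its value to the
        endpoint selected by its artifact type.

        Inputs:
            -   fn_inputs.urlhaus_artifact_value
            -   fn_inputs.urlhaus_artifact_type

        Yields status messages, then a FunctionResult wrapping the decoded
        JSON response.

        Raises IntegrationError when the artifact type has no entry in
        ARTIFACT_TYPE_MAP.
        """
        yield self.status_message("Starting App Function: '{0}'".format(FN_NAME))

        # The app configuration must provide base_url before any request is built.
        validate_fields(
            [{"name": "base_url", "placeholder": "<api-base-url>"}],
            self.app_configs)

        yield self.status_message("base_url: '{0}'".format(self.app_configs.base_url))

        # Both inputs are required: the type selects the endpoint, the value is
        # what gets looked up.
        validate_fields(["urlhaus_artifact_type", "urlhaus_artifact_value"], fn_inputs)

        # Reject artifact types that have no mapping. Falling back to "" would
        # send the artifact value to the bare base_url under an empty form key,
        # and whatever came back would be reported as a successful lookup.
        lookup_key = ARTIFACT_TYPE_MAP.get(fn_inputs.urlhaus_artifact_type)
        if not lookup_key:
            raise IntegrationError(
                "Unsupported artifact type '{0}' for App Function: '{1}'".format(
                    fn_inputs.urlhaus_artifact_type, FN_NAME))

        # NOTE(review): the hash entries in ARTIFACT_TYPE_MAP ("payload:md5_hash",
        # "payload:sha256_hash") are used unsplit as both the URL path segment
        # and the form-field name. Confirm that this is what the endpoint expects.
        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        url = "{0}/{1}".format(self.app_configs.base_url, lookup_key)

        # The artifact value leaves the platform here, as form data sent to base_url.
        payload = {lookup_key: fn_inputs.urlhaus_artifact_value}

        response = self.rc.execute(
            method="post",
            headers=headers,
            url=url,
            data=payload
        )

        # NOTE(review): there is no explicit status check before decoding, so
        # the success message below presumably relies on rc.execute raising on
        # HTTP errors. Confirm.
        results = response.json()

        yield self.status_message("Endpoint reached successfully and returning results for App Function: '{0}'".format(FN_NAME))

        yield FunctionResult(results)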