Trend Micro Vision One InsightConnect 2.0.1 plugin update

.github/workflows/plugin_release.yml

@@ -189,6 +189,14 @@ jobs:
           export KOMAND_SOURCE_BRANCH="$source_branch"
           export KOMAND_TARGET_BRANCH="$target_branch"
 
+      - name: Get Source and Target Branches
+        id: getSourceAndTargetBranches
+        run: |
+          source_branch=${{ github.head_ref }}
+          target_branch=${{ github.base_ref }}
+          export KOMAND_SOURCE_BRANCH="$source_branch"
+          export KOMAND_TARGET_BRANCH="$target_branch"
+
       - name: Setup Python
         id: setupPython
         uses: actions/setup-python@v4

.github/workflows/plugin_release_staging.yml

@@ -166,6 +166,14 @@ jobs:
           export KOMAND_SOURCE_BRANCH="$source_branch"
           export KOMAND_TARGET_BRANCH="$target_branch"
 
+      - name: Get Source and Target Branches
+        id: getSourceAndTargetBranches
+        run: |
+          source_branch=${{ github.head_ref }}
+          target_branch=${{ github.base_ref }}
+          export KOMAND_SOURCE_BRANCH="$source_branch"
+          export KOMAND_TARGET_BRANCH="$target_branch"
+
       - name: Setup Python
         id: setupPython
         uses: actions/setup-python@v4

plugins/armorblox/.CHECKSUM

@@ -0,0 +1,19 @@
+{
+	"spec": "cdf4d5d0aa4fb40b0a8d9ee3761ad09b",
+	"manifest": "433b5ba19020a0a518c333be03af4eab",
+	"setup": "67d906e679bb88b8e56aa98bc008d58b",
+	"schemas": [
+		{
+			"identifier": "get_remediation_action/schema.py",
+			"hash": "6ac6405d0147b2df173e4e2fd5df44b5"
+		},
+		{
+			"identifier": "connection/schema.py",
+			"hash": "96db429999d91d2e040fc52f6e02fec7"
+		},
+		{
+			"identifier": "get_incidents/schema.py",
+			"hash": "af802290919168df0cbffcb432629043"
+		}
+	]
+}

plugins/armorblox/.dockerignore

@@ -0,0 +1,9 @@
+unit_test/**/*
+unit_test
+examples/**/*
+examples
+tests
+tests/**/*
+**/*.json
+**/*.tar
+**/*.gz

plugins/armorblox/Dockerfile

@@ -0,0 +1,28 @@
+FROM rapid7/insightconnect-python-3-38-plugin:4
+# Refer to the following documentation for available SDK parent images: https://komand.github.io/python/sdk.html#version
+
+LABEL organization=rapid7
+LABEL sdk=python
+
+# Add any custom package dependencies here
+# NOTE: Add pip packages to requirements.txt
+
+# End package dependencies
+
+# Add source code
+WORKDIR /python/src
+ADD ./plugin.spec.yaml /plugin.spec.yaml
+ADD . /python/src
+
+RUN apt-get update && apt-get install -y git
+
+# Install pip dependencies
+RUN if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
+
+# Install plugin
+RUN python setup.py build && python setup.py install
+
+# User to run plugin code. The two supported users are: root, nobody
+USER nobody
+
+ENTRYPOINT ["/usr/local/bin/icon_armorblox"]

plugins/armorblox/Makefile

@@ -0,0 +1,53 @@
+# Include other Makefiles for improved functionality
+INCLUDE_DIR = ../../tools/Makefiles
+MAKEFILES := $(wildcard $(INCLUDE_DIR)/*.mk)
+# We can't guarantee customers will have the include files
+# - prefix to ignore Makefiles when not present
+# https://www.gnu.org/software/make/manual/html_node/Include.html
+-include $(MAKEFILES)
+
+ifneq ($(MAKEFILES),)
+  $(info [$(YELLOW)*$(NORMAL)] Use ``make menu`` for available targets)
+  $(info [$(YELLOW)*$(NORMAL)] Including available Makefiles: $(MAKEFILES))
+  $(info --)
+else
+  $(warning Makefile includes directory not present: $(INCLUDE_DIR))
+endif
+
+VERSION?=$(shell grep '^version: ' plugin.spec.yaml | sed 's/version: //')
+NAME?=$(shell grep '^name: ' plugin.spec.yaml | sed 's/name: //')
+VENDOR?=$(shell grep '^vendor: ' plugin.spec.yaml | sed 's/vendor: //')
+CWD?=$(shell basename $(PWD))
+_NAME?=$(shell echo $(NAME) | awk '{ print toupper(substr($$0,1,1)) tolower(substr($$0,2)) }')
+PKG=$(VENDOR)-$(NAME)-$(VERSION).tar.gz
+
+# Set default target explicitly. Make's default behavior is the first target in the Makefile.
+# We don't want that behavior due to includes which are read first
+.DEFAULT_GOAL := default # Make >= v3.80 (make -version)
+
+
+default: image tarball
+
+tarball:
+	$(info [$(YELLOW)*$(NORMAL)] Creating plugin tarball)
+	rm -rf build
+	rm -rf $(PKG)
+	tar -cvzf $(PKG) --exclude=$(PKG) --exclude=tests --exclude=run.sh *
+
+image:
+	$(info [$(YELLOW)*$(NORMAL)] Building plugin image)
+	docker build --pull -t $(VENDOR)/$(NAME):$(VERSION) .
+	docker tag $(VENDOR)/$(NAME):$(VERSION) $(VENDOR)/$(NAME):latest
+
+regenerate:
+	$(info [$(YELLOW)*$(NORMAL)] Regenerating schema from plugin.spec.yaml)
+	icon-plugin generate python --regenerate
+
+export: image
+	$(info [$(YELLOW)*$(NORMAL)] Exporting docker image)
+	@printf "\n ---> Exporting Docker image to ./$(VENDOR)_$(NAME)_$(VERSION).tar\n"
+	@docker save $(VENDOR)/$(NAME):$(VERSION) | gzip > $(VENDOR)_$(NAME)_$(VERSION).tar
+
+# Make will not run a target if a file of the same name exists unless setting phony targets
+# https://www.gnu.org/software/make/manual/html_node/Phony-Targets.html
+.PHONY: default tarball image regenerate

plugins/armorblox/bin/icon_armorblox

@@ -0,0 +1,48 @@
+#!/usr/bin/env python
+# GENERATED BY KOMAND SDK - DO NOT EDIT
+import os
+import json
+from sys import argv
+
+Name = "Armorblox"
+Vendor = "armorblox"
+Version = "1.0.0"
+Description = "Armorblox is an API-based platform that stops targeted email attacks, protects sensitive data, and automates incident response"
+
+
+def main():
+    if 'http' in argv:
+        if os.environ.get("GUNICORN_CONFIG_FILE"):
+            with open(os.environ.get("GUNICORN_CONFIG_FILE")) as gf:
+                gunicorn_cfg = json.load(gf)
+                if gunicorn_cfg.get("worker_class", "sync") == "gevent":
+                    from gevent import monkey
+                    monkey.patch_all()
+        elif 'gevent' in argv:
+            from gevent import monkey
+            monkey.patch_all()
+
+    import insightconnect_plugin_runtime
+    from icon_armorblox import connection, actions, triggers
+
+    class ICONArmorblox(insightconnect_plugin_runtime.Plugin):
+        def __init__(self):
+            super(self.__class__, self).__init__(
+                name=Name,
+                vendor=Vendor,
+                version=Version,
+                description=Description,
+                connection=connection.Connection()
+            )
+            self.add_trigger(triggers.GetIncidents())
+
+            self.add_action(actions.GetRemediationAction())
+
+
+    """Run plugin"""
+    cli = insightconnect_plugin_runtime.CLI(ICONArmorblox())
+    cli.run()
+
+
+if __name__ == "__main__":
+    main()

plugins/armorblox/help.md

@@ -0,0 +1,165 @@
+# Description
+
+Armorblox is an API-based platform that stops targeted email attacks, protects sensitive data, and automates incident response
+
+# Key Features
+
+* Fetches incidents detected by Armorblox for the given tenant.
+* Retrieves the remediation action for a given incident.
+
+# Requirements
+
+* Requires an API key from the product.
+
+# Supported Product Versions
+
+* 1.0.0
+
+# Documentation
+
+## Setup
+
+The connection configuration accepts the following parameters:
+
+|Name|Type|Default|Required|Description|Enum|Example|
+|----|----|-------|--------|-----------|----|-------|
+|api_key|credential_secret_key|None|True|Armorblox API Key|None|9de5069c5afe602b2ea0a04b66beb2c0|
+|tenant_name|string|None|True|Armorblox Tenant Name|None|my-tenant-name|
+
+Example input:
+
+```
+{
+  "api_key": "9de5069c5afe602b2ea0a04b66beb2c0",
+  "tenant_name": "my-tenant-name"
+}
+```
+## Technical Details
+
+### Actions
+
+#### Get Remediation Action
+
+This action is used to fetch remediation action of an incident identified by Armorblox.
+
+##### Input
+
+|Name|Type|Default|Required|Description|Enum|Example|
+|----|----|-------|--------|-----------|----|-------|
+|incident_id|string|None|True|An integer number identifying the incident|None|3490|
+
+Example input:
+
+```
+{
+  "incident_id": 3490
+}
+```
+
+##### Output
+
+|Name|Type|Required|Description|Example|
+|----|----|--------|-----------|-------|
+|remediation_details|string|True|Remediation action of the requested incident identified by Armorblox|ALERT|
+
+Example output:
+```
+{
+  "remediation_details": "ALERT"
+}
+```
+
+### Triggers
+
+#### Get Incidents
+
+This trigger is used to get a list of incidents identified by Armorblox. By default, it starts querying for all the incidents since the previous day.
+
+##### Input
+
+|Name|Type|Default|Required|Description|Enum|Example|
+|----|----|-------|--------|-----------|----|-------|
+|interval|integer|600|False|Polling interval in seconds|None|600|
+
+Example input:
+
+```
+{
+  "interval": 600
+}
+```
+
+##### Output
+
+|Name|Type|Required|Description|Example|
+|----|----|--------|-----------|-------|
+|incidents|[]incident|True|A list of incidents identified by Armorblox|{"incidents": "some incidents"}|
+
+Example output:
+
+```
+{
+  "incidents": "some incidents"
+}
+```
+
+### Custom Output Types
+
+#### engagement
+
+|Name|Type|Required|Description|
+|----|----|--------|-----------|
+|Forwarded Mail Count|string|False|Forwarded Mail Count|
+|Reply Mail Count|string|False|Reply Mail Count|
+
+#### final_detection_tag
+
+|Name|Type|Required|Description|
+|----|----|--------|-----------|
+|Detection tag ID|string|False|Detection tag ID|
+|Detection tag name|string|False|Detection tag name|
+
+#### incident
+
+|Name|Type|Required|Description|
+|----|----|--------|-----------|
+|App Name|string|False|App Name|
+|Incident Date|date|False|None|
+|Engagements|engagement|False|Engagements|
+|External senders|[]string|False|List of external senders|
+|External users|[]user|False|List of external users|
+|Detection tags|[]final_detection_tag|False|Detection tags|
+|Folder categories|[]string|False|Folder categories|
+|Incident ID|string|False|Incident ID|
+|Incident Type|string|False|Incident Type|
+|Object Type|string|False|Object Type|
+|policy_names|[]string|False|List of policies|
+|Priority|string|False|Priority of the incident|
+|Remediation Action|[]string|False|Remediation Action|
+|resolution_state|string|False|Resolution State|
+|SCL Score|integer|False|None|
+|Is email tagged|boolean|False|Is email tagged|
+|Subject|string|False|Subject|
+|users|[]user|False|List of users|
+
+#### user
+
+|Name|Type|Required|Description|
+|----|----|--------|-----------|
+|User email|string|False|User email|
+|Is User VIP|boolean|False|Is User VIP|
+|user name|string|False|User name|
+
+
+## Troubleshooting
+
+_This plugin does not contain any troubleshooting information._
+
+# Version History
+
+* 1.0.0 - Initial plugin
+
+# Links
+
+* [Armorblox](https://www.armorblox.com/)
+## References

plugins/armorblox/icon_armorblox/__init__.py

@@ -0,0 +1 @@
+# GENERATED BY KOMAND SDK - DO NOT EDIT

plugins/armorblox/icon_armorblox/actions/__init__.py

@@ -0,0 +1,2 @@
+# GENERATED BY KOMAND SDK - DO NOT EDIT
+from .get_remediation_action.action import GetRemediationAction

plugins/armorblox/icon_armorblox/actions/get_remediation_action/__init__.py

@@ -0,0 +1,2 @@
+# GENERATED BY KOMAND SDK - DO NOT EDIT
+from .action import GetRemediationAction

plugins/armorblox/icon_armorblox/actions/get_remediation_action/action.py

@@ -0,0 +1,18 @@
+import insightconnect_plugin_runtime
+from .schema import GetRemediationActionInput, GetRemediationActionOutput, Input, Output, Component
+
+# Custom imports below
+
+
+class GetRemediationAction(insightconnect_plugin_runtime.Action):
+    def __init__(self):
+        super(self.__class__, self).__init__(
+            name="get_remediation_action",
+            description=Component.DESCRIPTION,
+            input=GetRemediationActionInput(),
+            output=GetRemediationActionOutput(),
+        )
+
+    def run(self, params={}):
+        remediation_details = self.connection.api.get_remediation_action(params.get(Input.INCIDENT_ID))
+        return {Output.REMEDIATION_DETAILS: remediation_details}