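args:
- default: true
  description: >-
    The domain to be measured against the domain in the sender's email address.
    Usually the domain used by the company for email, e.g. acme.com when users
    are assigned jane@acme.com (could be multiple domains with a comma separator)
  name: domain
  required: true
- description: Sender email address
  name: sender
  required: true
- defaultValue: "3"
  description: Distance that is considered close
  name: distance
comment: Get the string distance for the sender from our domain
commonfields:
  id: CheckSenderDomainDistance
  version: -1
name: CheckSenderDomainDistance
outputs:
- contextPath: LevenshteinDistance
  description: The closeness of the sender domain to our configured domains
runonce: false
script: |-
  def levenshtein(s1, s2):
      """Return the Levenshtein edit distance between two strings.

      Classic dynamic-programming formulation: matrix[i][j] holds the distance
      between the first j characters of s1 and the first i characters of s2.
      """
      l1 = len(s1)
      l2 = len(s2)
      # One row per prefix of s2; row i starts with i (cost of deleting i chars).
      # list() keeps this assignable on Python 3, where range() is not a list.
      matrix = [list(range(row, row + l1 + 1)) for row in range(l2 + 1)]
      for i in range(l2):
          for j in range(l1):
              substitution = 0 if s1[j] == s2[i] else 1
              matrix[i + 1][j + 1] = min(matrix[i + 1][j] + 1,        # insertion
                                         matrix[i][j + 1] + 1,        # deletion
                                         matrix[i][j] + substitution)
      return matrix[l2][l1]


  def error_entry(message):
      """Build a plain-text Demisto error entry."""
      return {'Type': entryTypes['error'], 'ContentsFormat': formats['text'], 'Contents': message}


  res = []
  found = False
  # Mail domains are case-insensitive, so normalise both sides before comparing;
  # a stray upper-case letter must not be counted as an edit.
  domains = [d.strip().lower() for d in argToList(demisto.get(demisto.args(), 'domain')) if d.strip()]
  if not domains:
      res.append(error_entry('Unable to extract domain from arguments'))
  else:
      sender = demisto.get(demisto.args(), 'sender')
      if sender:
          parts = sender.strip().split('@')
          # Exactly one '@' and a non-empty domain part; anything else is unusable.
          if len(parts) == 2 and parts[1]:
              sender_domain = parts[1].lower()
              # An exact match with a configured domain is not suspicious and sets no context.
              if sender_domain not in domains:
                  # Threshold is loop-invariant: parse it once. A non-numeric value raises ValueError.
                  close_distance = demisto.get(demisto.args(), 'distance')
                  close_distance_int = int(close_distance) if close_distance else 3
                  distances = []
                  for domain in domains:
                      distance = levenshtein(domain, sender_domain)
                      distances.append(distance)
                      # Strictly below the threshold counts as "close"; 0 cannot occur here.
                      if 0 < distance < close_distance_int:
                          res.append({'Type': entryTypes['note'], 'ContentsFormat': formats['text'],
                                      'Contents': 'Domain ' + parts[1] + ' is suspiciously close to ' + domain})
                          found = True
                  # Override the context on each run; one domain yields a scalar, several a list.
                  demisto.setContext('LevenshteinDistance', distances if len(distances) > 1 else distances[0])
          else:
              res.append(error_entry('Unable to extract domain from sender - ' + sender))
      else:
          res.append(error_entry('Unable to find sender in email'))
  # Condition verdict consumed by the playbook branch.
  res.append('yes' if found else 'no')
  demisto.results(res)
scripttarget: 0
system: true
tags:
- server
- phishing
- Condition
type: python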