From b29e7fac70da23252946e301aabfdb0b7e5d900f Mon Sep 17 00:00:00 2001
From: Anar Azadaliyev
Date: Mon, 6 Nov 2023 14:26:38 +0200
Subject: [PATCH] improve email squatting script faster (#30615)

* improve email squatting script faster
* format yml
* format script
* Bump pack from version CommonScripts to 1.12.40.
* remove usage of Array.from since it is not supported in 6.9
---------
Co-authored-by: Content Bot
---
 Packs/CommonScripts/ReleaseNotes/1_12_40.md | 6 ++
 .../EmailDomainSquattingReputation.js | 60 +++++++++++++------
 .../EmailDomainSquattingReputation.yml | 34 ++++++-----
 Packs/CommonScripts/pack_metadata.json | 2 +-
 4 files changed, 68 insertions(+), 34 deletions(-)
 create mode 100644 Packs/CommonScripts/ReleaseNotes/1_12_40.md
diff --git a/Packs/CommonScripts/ReleaseNotes/1_12_40.md b/Packs/CommonScripts/ReleaseNotes/1_12_40.md
new file mode 100644
index 000000000000..76b97e211312
--- /dev/null
+++ b/Packs/CommonScripts/ReleaseNotes/1_12_40.md
@@ -0,0 +1,6 @@
+
+#### Scripts
+
+##### EmailDomainSquattingReputation
+
+- Improved implementation and the performance of the script by using native JavaScript code.
diff --git a/Packs/CommonScripts/Scripts/EmailDomainSquattingReputation/EmailDomainSquattingReputation.js b/Packs/CommonScripts/Scripts/EmailDomainSquattingReputation/EmailDomainSquattingReputation.js
index 5fa9161d2e94..bb145b937255 100644
--- a/Packs/CommonScripts/Scripts/EmailDomainSquattingReputation/EmailDomainSquattingReputation.js
+++ b/Packs/CommonScripts/Scripts/EmailDomainSquattingReputation/EmailDomainSquattingReputation.js
@@ -1,3 +1,37 @@
+function levenshtein(str1, str2) {
+  const len1 = str1.length;
+  const len2 = str2.length;
+
+  // Create a 2D array to store the edit distances
+  const matrix = new Array(len1 + 1);
+  for (let i = 0; i <= len1; i++) {
+    matrix[i] = new Array(len2 + 1);
+  }
+
+  // Initialize the matrix
+  for (let i = 0; i <= len1; i++) {
+    matrix[i][0] = i;
+  }
+
+  for (let j = 0; j <= len2; j++) {
+    matrix[0][j] = j;
+  }
+
+  // Fill in the matrix using dynamic programming
+  for (let i = 1; i <= len1; i++) {
+    for (let j = 1; j <= len2; j++) {
+      const cost = (str1[i - 1] === str2[j - 1]) ? 0 : 1;
+      matrix[i][j] = Math.min(
+        matrix[i - 1][j] + 1, // Deletion
+        matrix[i][j - 1] + 1, // Insertion
+        matrix[i - 1][j - 1] + cost // Substitution
+      );
+    }
+  }
+
+  // The final edit distance is in the bottom-right cell of the matrix
+  return matrix[len1][len2];
+}
 var email = args.email;
 var domains = argToList(args.domain);
 
@@ -20,24 +54,16 @@ var emailObj = {
 };
 
 domains.forEach(function(domain){
-    if(domain) {
-        var resp = executeCommand("GetStringsDistance", {inputString: emailObj.Domain, compareString: domain.toLowerCase()});
-
-        if(isError(resp[0])){
-            return resp;
-        }
-
-        data = [dq(resp[0], "Contents.Distances")];
-        data.forEach(function(entry)
-        {
-            emailObj.Distance.push(
-            {
-                Domain : dq(entry,"StringB"),
-                Value : dq(entry,"LevenshteinDistance")
-            });
-        });
-    }
+    if(domain) {
+        let levenshteinForDomain = levenshtein(emailObj.Domain, domain.toLowerCase());
+        emailObj.Distance.push(
+        {
+            Domain : domain,
+            Value : levenshteinForDomain
+        });
+    }
 });
+
 var ec = {};
 var suspicious = dq(emailObj,"Distance(val.Value > 0 && val.Value < {0}).Value".format(threshold));
 var dbotScore = 0;
diff --git a/Packs/CommonScripts/Scripts/EmailDomainSquattingReputation/EmailDomainSquattingReputation.yml b/Packs/CommonScripts/Scripts/EmailDomainSquattingReputation/EmailDomainSquattingReputation.yml
index 477d38b4b87f..5d4f874101ea 100644
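Review bot: `levenshtein` allocates a full (len1 + 1) × (len2 + 1) matrix on every call although row i only ever reads row i - 1, so the table can be reduced to two rows of length len2 + 1; for a script whose stated goal is speed and which runs once per domain in the list, that is the cheaper shape. The row swap should go through a temporary rather than array destructuring, for the same engine-compatibility reason the commit gives for dropping Array.from. The function also has no doc comment; a JSDoc such as `/** Edit distance between two strings (insertions, deletions, substitutions), compared per UTF-16 code unit; callers pass lower-cased domains. */` would record that the comparison is by code unit, which is fine for ASCII/punycode host names but not for raw Unicode labels — how emailObj.Domain is normalised is decided outside this hunk.
```javascript
function levenshtein(str1, str2) {
  const len1 = str1.length;
  const len2 = str2.length;

  // Only the previous row is read while filling the current one, so two
  // rows replace the (len1 + 1) x (len2 + 1) matrix.
  let prev = new Array(len2 + 1);
  let curr = new Array(len2 + 1);
  for (let j = 0; j <= len2; j++) {
    prev[j] = j;
  }

  for (let i = 1; i <= len1; i++) {
    curr[0] = i;
    for (let j = 1; j <= len2; j++) {
      const cost = (str1[i - 1] === str2[j - 1]) ? 0 : 1;
      curr[j] = Math.min(
        prev[j] + 1, // Deletion
        curr[j - 1] + 1, // Insertion
        prev[j - 1] + cost // Substitution
      );
    }
    // Plain temporary swap: no destructuring, for older engine compatibility
    const tmp = prev;
    prev = curr;
    curr = tmp;
  }

  // After the last swap the final row lives in prev
  return prev[len2];
}
```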
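Review bot: The `Domain : domain,` line records the caller's original spelling while the distance on the line above was computed against `domain.toLowerCase()`, so the context entry no longer names the string that was actually compared (the replaced code stored `StringB`, i.e. the lower-cased compare string). Computing the normalised form once and using it for both keeps the output consistent: `var compared = domain.toLowerCase();`, `var levenshteinForDomain = levenshtein(emailObj.Domain, compared);`, `Domain : compared,`. Whether emailObj.Domain is itself lower-cased is decided where emailObj is built, above this hunk; if it is not, the comparison is case-asymmetric and should be normalised there as well. The single `let` inside an otherwise `var`-only script is a style inconsistency worth settling one way.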
--- a/Packs/CommonScripts/Scripts/EmailDomainSquattingReputation/EmailDomainSquattingReputation.yml
+++ b/Packs/CommonScripts/Scripts/EmailDomainSquattingReputation/EmailDomainSquattingReputation.yml
@@ -7,54 +7,56 @@ type: javascript
 tags:
 - email
 - reputation
-comment: Check if an email address's domain is trying to squat other domain using Levenshtein distance algorithm
+comment: Check if an email address's domain is trying to squat other domain using Levenshtein distance algorithm.
 system: true
 args:
 - name: email
   required: true
   default: true
-  description: The email address to check
+  description: The email address to check.
 - name: domain
   required: true
-  description: The domain list to check against for squatting (comma separated)
+  description: The domain list to check against for squatting (comma separated).
   isArray: true
 - name: threshold
-  description: The similarity threshold
+  description: The similarity threshold.
   defaultValue: "3"
 outputs:
 - contextPath: Account
-  description: 'A user account '
+  description: 'A user account.'
 - contextPath: Account.Email
-  description: The account email object
+  description: The account email object.
 - contextPath: Account.Email.Username
-  description: The account email username
+  description: The account email username.
   type: string
 - contextPath: Account.Email.Address
-  description: The account email address
+  description: The account email address.
   type: string
 - contextPath: Account.Email.Domain
-  description: The account email domain
+  description: The account email domain.
   type: string
 - contextPath: Account.Email.Distance
-  description: The email address distance compare to the domains in query
+  description: The email address distance compare to the domains in query.
   type: number
 - contextPath: Account.Email.Distance.Domain
-  description: The compared domain
+  description: The compared domain.
   type: string
 - contextPath: Account.Email.Distance.Value
-  description: 'The distance between the email domain and the compared domain '
+  description: 'The distance between the email domain and the compared domain.'
   type: number
 - contextPath: DBotScore.Indicator
-  description: The Indicator
+  description: The Indicator.
   type: string
 - contextPath: DBotScore.Type
-  description: The Indicator Type
+  description: The Indicator Type.
   type: string
 - contextPath: DBotScore.Vendor
-  description: The DBot score vendor
+  description: The DBot score vendor.
   type: string
 - contextPath: DBotScore.Score
-  description: The DBot score
+  description: The DBot score.
   type: number
 scripttarget: 0
 fromversion: 5.0.0
+tests:
+- EmailDomainSquattingReputation-Test
diff --git a/Packs/CommonScripts/pack_metadata.json b/Packs/CommonScripts/pack_metadata.json
index a076abf86fcd..f51322524193 100644
--- a/Packs/CommonScripts/pack_metadata.json
+++ b/Packs/CommonScripts/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Common Scripts",
     "description": "Frequently used scripts pack.",
     "support": "xsoar",
-    "currentVersion": "1.12.39",
+    "currentVersion": "1.12.40",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",
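Review bot: The `threshold` argument's new `description: The similarity threshold.` still does not say what the number means or which side of the bound counts; the script's own filter in the .js hunk treats a compared domain as suspicious when `val.Value > 0 && val.Value < {0}`, so `description: A compared domain is flagged when its Levenshtein distance to the email domain is greater than 0 and less than this value.` would let an analyst set the value deliberately. `Account.Email.Distance` is still declared `type: number` although the script pushes a list of `{Domain, Value}` objects into it; that predates this change but is cheap to fix while the descriptions are being touched.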