hippox-drivers 0.3.3

🦛All indivisible atomic driver units in Hippox.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95

//! Threat intelligence query Driver

use anyhow::Result;
use serde_json::{Value, json};
use std::collections::HashMap;

use crate::{
    DriverCallback, DriverCategory, DriverContext, operating_system_security::common::query_threat_intel, types::{Driver, DriverParameter}
};

#[derive(Debug)]
pub struct ThreatIntelDriver;

#[async_trait::async_trait]
impl Driver for ThreatIntelDriver {
    fn name(&self) -> &str {
        "security_threat_intel"
    }

    fn description(&self) -> &str {
        "Query threat intelligence for IP, domain, or file hash"
    }

    fn usage_hint(&self) -> &str {
        "Use this skill to check if an IP address, domain name, or file hash is known to be malicious."
    }

    fn parameters(&self) -> Vec<DriverParameter> {
        vec![DriverParameter {
            name: "indicator".to_string(),
            param_type: "string".to_string(),
            description: "IP address, domain name, or file hash (MD5, SHA-1, SHA-256)".to_string(),
            required: true,
            default: None,
            example: Some(Value::String("185.130.5.253".to_string())),
            enum_values: None,
        }]
    }

    fn example_call(&self) -> Value {
        json!({
            "action": "security_threat_intel",
            "parameters": {
                "indicator": "185.130.5.253"
            }
        })
    }

    fn example_output(&self) -> String {
        "Indicator: 185.130.5.253\nType: ip\nMalicious: Yes\nConfidence: 95%\nThreat Type: malware\nFirst Seen: 2024-01-01\nSource: Internal Threat Intelligence Database".to_string()
    }

    fn category(&self) -> DriverCategory {
        DriverCategory::OperatingSystemSecurity
    }

    async fn execute(
        &self,
        parameters: &HashMap<String, Value>,
        callback: Option<&dyn DriverCallback>,
        context: Option<&DriverContext>,
    ) -> Result<String> {
        let indicator = parameters
            .get("indicator")
            .and_then(|v| v.as_str())
            .ok_or_else(|| anyhow::anyhow!("Missing 'indicator' parameter"))?;
        let result = query_threat_intel(indicator);
        let mut output = String::new();
        output.push_str(&format!("Indicator: {}\n", result.indicator));
        output.push_str(&format!("Type: {}\n", result.indicator_type));
        output.push_str(&format!(
            "Malicious: {}\n",
            if result.malicious { "Yes" } else { "No" }
        ));
        output.push_str(&format!("Confidence: {:.0}%\n", result.confidence * 100.0));
        output.push_str(&format!(
            "Threat Types: {}\n",
            result.threat_type.join(", ")
        ));
        if let Some(first_seen) = result.first_seen {
            output.push_str(&format!("First Seen: {}\n", first_seen));
        }
        if let Some(last_seen) = result.last_seen {
            output.push_str(&format!("Last Seen: {}\n", last_seen));
        }
        if !result.related_indicators.is_empty() {
            output.push_str(&format!(
                "Related Indicators: {}\n",
                result.related_indicators.join(", ")
            ));
        }
        output.push_str(&format!("Source: {}", result.source));
        Ok(output)
    }
}