TracecatHQ / tracecat

The open source Tines / Splunk SOAR alternative.
https://tracecat.com
GNU Affero General Public License v3.0
2.34k stars, 159 forks

Little issue in namespace configuration of ./playbooks/threat_intel/virustotal-to-email.yml #255

Closed r0psteev closed 1 month ago

r0psteev commented 1 month ago

Description

Hello, there is a little issue in this workflow definition about the namespace from which the function analyze_url should be imported, and it causes a commit error.

(tracecat) developer@pc:~/Documents/tracecat$ tracecat workflow create --commit playbooks/threat_intel/virustotal-to-email.yml --title 'Virustotal email #1' --webhook --activate
Created workflow
{
    'id': 'wf-c399a3920a724b06ad550292406fb69f',
    'title': 'Virustotal email #1',
    'description': 'New workflow created Jul 21, 2024, 02:29:26',
    'status': 'offline',
    'icon_url': None,
    'created_at': '2024-07-21T02:29:26.128782Z',
    'updated_at': '2024-07-21T02:29:26.128782Z',
    'version': None
}
Failed to commit to workflow 'wf-c399a3920a724b06ad550292406fb69f'!
{
  "workflow_id": "wf-c399a3920a724b06ad550292406fb69f",
  "status": "failure",
  "message": "2 validation error(s)",
  "errors": [
    {
      "ok": false,
      "message": "Could not find UDF 'integrations.enrich.virustotal.analyze_url' in registry. Is this UDF registered?",
      "detail": {}
    },
  ....
  ],
  "metadata": {
    "filename": "virustotal-to-email.yml"
  }
}
(tracecat) developer@pc:~/Documents/tracecat$ 

# Excerpt from the VirusTotal integration module: the registered key is
# "<namespace>.<function name>", i.e. integrations.virustotal.analyze_url,
# not integrations.enrich.virustotal.analyze_url as the playbook references it.
# registry, virustotal_secret and create_virustotal_client are defined
# elsewhere in that module.
import base64
from typing import Annotated, Any

from pydantic import Field


@registry.register(
    default_title="Analyze URL",
    description="Analyze a URL using VirusTotal.",
    display_group="VirusTotal",
    namespace="integrations.virustotal",
    secrets=[virustotal_secret],
)
async def analyze_url(
    url: Annotated[str, Field(..., description="The URL to analyze")],
) -> dict[str, Any]:
    # VirusTotal identifies a URL by its unpadded URL-safe base64 encoding
    url_id = base64.urlsafe_b64encode(url.encode()).decode().strip("=")
    async with create_virustotal_client() as client:
        response = await client.get(f"/v3/urls/{url_id}")
        response.raise_for_status()
        return response.json()


Quick fix

(tracecat) developer@pc:~/Documents/tracecat$ git diff
diff --git a/playbooks/threat_intel/virustotal-to-email.yml b/playbooks/threat_intel/virustotal-to-email.yml
index e572da8..e8827c9 100644
--- a/playbooks/threat_intel/virustotal-to-email.yml
+++ b/playbooks/threat_intel/virustotal-to-email.yml
@@ -12,7 +12,7 @@ actions:
   # Using the hash from the webhook trigger, we'll make
   # an API call to Virustotal
   - ref: call_virustotal
-    action: integrations.enrich.virustotal.analyze_url
+    action: integrations.virustotal.analyze_url
     args:
       url: ${{ TRIGGER.url }} # Pulls from the webhoo
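Review bot: The replacement path matches the `namespace="integrations.virustotal"` value in the `@registry.register` decorator quoted above, so the lookup that failed with `Could not find UDF 'integrations.enrich.virustotal.analyze_url' in registry` should now resolve. While touching this block, the unchanged comment "Using the hash from the webhook trigger, we'll make an API call to Virustotal" no longer describes the step, which analyzes a URL taken from `${{ TRIGGER.url }}`; change "hash" to "URL". The trailing comment `# Pulls from the webhoo` also reads as cut off and should be checked in the file.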

(tracecat) developer@pc:~/Documents/tracecat$ 
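The root cause above is a playbook referencing an action path that no registered UDF has, which only surfaces at commit time with a bare "Is this UDF registered?". The following is an added example (not tracecat's own code) of a pre-commit lint for that class of error: a minimal stand-in registry whose decorator keys each UDF as `"<namespace>.<function name>"`, plus a checker that walks a playbook's `actions` list and, for every unknown `action`, proposes the closest registered key. The `MiniRegistry` class, the registered stub functions and the `PLAYBOOK` dict (the parsed form of a playbook like `virustotal-to-email.yml`, with the mis-namespaced action from the issue) are all constructed for this example; the real tracecat registry internals are assumed, not copied.

```python
"""Lint playbook action references against a UDF registry before committing."""
from __future__ import annotations

import difflib
from collections.abc import Callable
from dataclasses import dataclass, field


@dataclass
class MiniRegistry:
    """Stand-in for a UDF registry (constructed for this example).

    Keys are built the way the decorator in the issue implies:
    f"{namespace}.{function.__name__}".
    """

    udfs: dict[str, Callable] = field(default_factory=dict)

    def register(self, *, namespace: str, **_meta) -> Callable[[Callable], Callable]:
        def decorator(fn: Callable) -> Callable:
            key = f"{namespace}.{fn.__name__}"
            if key in self.udfs:
                raise ValueError(f"duplicate UDF key {key!r}")
            self.udfs[key] = fn
            return fn

        return decorator


registry = MiniRegistry()


# Stub UDFs registered under the namespace shown in the issue's decorator.
@registry.register(namespace="integrations.virustotal", default_title="Analyze URL")
def analyze_url(url: str) -> dict:
    return {"url": url}


@registry.register(namespace="integrations.virustotal", default_title="Analyze IP")
def analyze_ip_address(ip_address: str) -> dict:
    return {"ip": ip_address}


@registry.register(namespace="core", default_title="Send email")
def send_email(recipients: list[str], subject: str, body: str) -> dict:
    return {"sent": len(recipients)}


@dataclass(frozen=True)
class RefError:
    ref: str
    action: str
    suggestion: str | None


def check_playbook(playbook: dict, udf_keys: set[str]) -> list[RefError]:
    """Return one RefError per action whose 'action' path is not a registered UDF key."""
    errors: list[RefError] = []
    for step in playbook.get("actions", []):
        action = step.get("action", "")
        if action in udf_keys:
            continue
        # Closest registered key by difflib ratio; catches namespace drift
        # such as an extra or renamed path segment.
        close = difflib.get_close_matches(action, sorted(udf_keys), n=1, cutoff=0.6)
        errors.append(RefError(ref=step.get("ref", "?"), action=action,
                               suggestion=close[0] if close else None))
    return errors


def format_error(err: RefError) -> str:
    """Render an error the way a CLI would, adding a 'did you mean' hint."""
    msg = f"[{err.ref}] Could not find UDF {err.action!r} in registry."
    if err.suggestion:
        msg += f" Did you mean {err.suggestion!r}?"
    return msg


# Constructed parsed playbook (what a YAML loader would return for a file like
# virustotal-to-email.yml); the first action carries the wrong namespace.
PLAYBOOK = {
    "title": "Virustotal email",
    "actions": [
        {"ref": "call_virustotal",
         "action": "integrations.enrich.virustotal.analyze_url",
         "args": {"url": "${{ TRIGGER.url }}"}},
        {"ref": "send_email", "action": "core.send_email",
         "args": {"recipients": ["soc@example.com"], "subject": "VT result",
                  "body": "${{ ACTIONS.call_virustotal.result }}"}},
    ],
}


if __name__ == "__main__":
    for e in check_playbook(PLAYBOOK, set(registry.udfs)):
        print(format_error(e))
```

Running this on the constructed playbook reports the `call_virustotal` step with the suggestion `integrations.virustotal.analyze_url`, which is exactly the one-line diff above; wiring such a check into CI for the `playbooks/` directory would have caught the mismatch before release.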
daryllimyt commented 1 month ago

Hey, thanks for catching this! Happy to accept a PR to fix this :) otherwise it will be fixed in the next release

r0psteev commented 1 month ago

sure for PR