diff --git a/.circleci/config.yml b/.circleci/config.yml
index 2966629dd8db..1fcf8a7074de 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -46,11 +46,11 @@ references:
 SERVER_BRANCH_NAME: << pipeline.parameters.server_branch_name >>
 BACKWARD_COMPATIBILITY: << pipeline.parameters.backward_compatibility >>
 MEM_CHECK: << pipeline.parameters.mem_check >>
- TIME_TO_LIVE: << pipeline.parameters.time_to_live >>
 CONTRIB_BRANCH: << pipeline.parameters.contrib_branch >>
 CONTRIB_PACK_NAME: << pipeline.parameters.contrib_pack_name >>
 # Giving different names to the following pipeline parameters to avoid collision, handling such collision case
 # is done in 'Prepare Environment' step.
+ TIME_TO_LIVE_PARAMETER: << pipeline.parameters.time_to_live >>
 NIGHTLY_PARAMETER: << pipeline.parameters.nightly >>
 INSTANCE_TESTS_PARAMETER: << pipeline.parameters.instance_tests >>
 DEMISTO_SDK_NIGHTLY_PARAMETER: << pipeline.parameters.demisto_sdk_nightly >>
@@ -97,6 +97,10 @@ references:
 then
 echo 'export DEMISTO_SDK_NIGHTLY=true' >> $BASH_ENV
 fi
+ if [ -n "${TIME_TO_LIVE_PARAMETER}" ];
+ then
+ echo "export TIME_TO_LIVE=$TIME_TO_LIVE_PARAMETER" >> $BASH_ENV
+ fi
 echo "=== sourcing $BASH_ENV ==="
 source $BASH_ENV
 sudo mkdir -p -m 777 $CIRCLE_ARTIFACTS
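Review bot: The new `echo "export TIME_TO_LIVE=$TIME_TO_LIVE_PARAMETER" >> $BASH_ENV` line in the second hunk writes the raw pipeline-parameter value into a file that is `source`d a few lines later, so a value containing whitespace or shell metacharacters is interpreted by bash rather than assigned; the neighbouring exports avoid this only because they use constants. Emitting a shell-quoted value, `echo "export TIME_TO_LIVE=$(printf '%q' "$TIME_TO_LIVE_PARAMETER")" >> $BASH_ENV`, keeps the assignment literal whatever the parameter holds. The `command:` block this belongs to starts and ends outside the hunk.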
@@ -392,9 +396,32 @@ jobs:
 then
 python3 ./Tests/scripts/verify_base_branch_for_contribution.py $CIRCLE_BRANCH
 fi
+ - unless:
+ condition:
+ or:
+ - << pipeline.parameters.instance_tests >>
+ - equal:
+ - master
+ - << pipeline.git.branch >>
+ steps:
+ - run:
+ name: validate content-test-conf branch merged
+ shell: /bin/bash
+ when: always
+ command: |
+ # replace slashes ('/') in the branch name, if exist, with underscores ('_')
+ UNDERSCORE_CIRCLE_BRANCH=${CIRCLE_BRANCH//\//_}
+ wget --header "Accept: application/vnd.github.v3.raw" --header "Authorization: token $GITHUB_TOKEN" "https://github.com/demisto/content-test-conf/archive/$UNDERSCORE_CIRCLE_BRANCH.zip" --no-check-certificate -q
+ if [ "$?" != "0" ]; then
+ echo "No such branch in content-test-conf: $UNDERSCORE_CIRCLE_BRANCH"
+ exit 0
+ else
+ echo "ERROR: Found a branch with the same name in contest-test-conf conf.json - $UNDERSCORE_CIRCLE_BRANCH.\n Merge it in order to merge the current branch into content repo."
+ exit 1
+ fi
 Create Instances:
 <<: *container_config
- resource_class: medium+
+ resource_class: medium
 <<: *environment
 steps:
 - checkout
@@ -495,7 +522,7 @@ jobs:
 - *persist_to_workspace
 Server 4_1:
 <<: *container_config
- resource_class: medium+
+ resource_class: medium
 <<: *environment
 steps:
 - setup_remote_docker
@@ -543,7 +570,7 @@ jobs:
 - *store_artifacts
 Server 4_5:
 <<: *container_config
- resource_class: medium+
+ resource_class: medium
 <<: *environment
 steps:
 - setup_remote_docker
@@ -590,7 +617,7 @@ jobs:
 - *store_artifacts
 Server 5_0:
 <<: *container_config
- resource_class: medium+
+ resource_class: medium
 <<: *environment
 steps:
 - setup_remote_docker
@@ -642,7 +669,7 @@ jobs:
 - *store_artifacts
 Server 5_5:
 <<: *container_config
- resource_class: medium+
+ resource_class: medium
 <<: *environment
 steps:
 - setup_remote_docker
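Review bot: The wget call in the new `validate content-test-conf branch merged` step sends `Authorization: token $GITHUB_TOKEN` while passing `--no-check-certificate`, so the token goes out over a connection whose server identity is never verified; drop the flag, since github.com validates against the image's normal CA bundle, and if some build image genuinely needed it the reason belongs in a comment next to the call rather than in a silent bypass. The call also downloads the whole archive into the working directory just to learn whether the branch exists; `--spider` or `-O /dev/null` keeps the probe side-effect free and out of the artifacts. Two wording nits in the failure message: `contest-test-conf` is a typo for `content-test-conf`, and the `\n` is printed literally because `echo` is used without `-e`.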
@@ -688,17 +715,11 @@ jobs: else echo "Not AMI run, can't run on this version" fi - - run: - name: Slack Notifier - shell: /bin/bash - command: | - ./Tests/scripts/slack_notifier.sh 'test_playbooks' ./env_results.json - when: always - *destroy_instances - *store_artifacts Server 6_0: <<: *container_config - resource_class: medium+ + resource_class: medium <<: *environment steps: - setup_remote_docker @@ -759,11 +780,17 @@ jobs: python3 ./Tests/Marketplace/upload_packs.py -a $PACK_ARTIFACTS -e $EXTRACT_FOLDER -b 'marketplace-dist' -d $PACKS_DEPENDENCIES -i $ID_SET -s $GCS_PATH -n $CIRCLE_BUILD_NUM -k $PACK_SIGNING_KEY -pb 'marketplace-dist-private' rm $GCS_PATH when: on_success + - run: + name: Slack Notifier + shell: /bin/bash + command: | + ./Tests/scripts/slack_notifier.sh 'test_playbooks' ./env_results.json + when: always - *destroy_instances - *store_artifacts Instance Test: <<: *container_config - resource_class: medium+ + resource_class: medium <<: *environment steps: - setup_remote_docker @@ -801,7 +828,7 @@ jobs: Demisto SDK Nightly: <<: *container_config - resource_class: medium+ + resource_class: medium <<: *environment steps: - checkout @@ -911,6 +938,7 @@ workflows: - Create Instances: context: nightly_env - Run Unit Testing And Lint: + context: nightly_env requires: - Prepare Environment - Run Validations: diff --git a/Packs/Base/ReleaseNotes/1_1_4.md b/Packs/Base/ReleaseNotes/1_1_4.md new file mode 100644 index 000000000000..2944d71bf214 --- /dev/null +++ b/Packs/Base/ReleaseNotes/1_1_4.md @@ -0,0 +1,3 @@ +#### Scripts +##### SaneDocReports +- Added additional arguments for increased functionality when using logos diff --git a/Packs/Base/Scripts/SaneDocReportV2/SaneDocReportV2.py b/Packs/Base/Scripts/SaneDocReportV2/SaneDocReportV2.py index 4c78571284ee..34c5fb52a635 100644 --- a/Packs/Base/Scripts/SaneDocReportV2/SaneDocReportV2.py +++ b/Packs/Base/Scripts/SaneDocReportV2/SaneDocReportV2.py 
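Review bot: The `context: nightly_env` added to `Run Unit Testing And Lint` in the last hunk (`@@ -911`) makes every secret in that context available to a job that executes the repository's own test and lint code, a wider exposure than the `Create Instances` job that already uses it in the same workflow. The job definition is outside this hunk, so confirm which variable it actually reads and prefer a narrower context holding only that one. Either way, a one-line comment above the key naming the variable the job depends on, e.g. `# nightly_env: provides the credential read by the lint step`, would make the dependency reviewable later.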
@@ -12,16 +12,19 @@ try: sane_json_b64 = demisto.args().get('sane_docx_report_base64', '').encode( 'utf-8') - orientation = demisto.args().get('orientation', 'portrait').encode( - 'utf-8') - paper_size = demisto.args().get('paperSize', 'A4').encode( - 'utf-8') + orientation = demisto.args().get('orientation', 'portrait') + paper_size = demisto.args().get('paperSize', 'A4') + demistoLogo = demisto.args().get('demistoLogo', '') + customerLogo = demisto.args().get('customerLogo', '') + with open('sane.json', 'wb') as f: f.write(base64.b64decode(sane_json_b64)) run('sane.json', OUTPUT_FILE_PATH, { - 'orientation': orientation.decode('utf-8', 'ignore'), - 'paper_size': paper_size.decode('utf-8', 'ignore') + 'orientation': orientation, + 'paper_size': paper_size, + 'demistoLogo': demistoLogo, + 'customerLogo': customerLogo, }) with open(OUTPUT_FILE_PATH, 'rb') as f: diff --git a/Packs/Base/Scripts/SaneDocReportV2/SaneDocReportV2.yml b/Packs/Base/Scripts/SaneDocReportV2/SaneDocReportV2.yml index 438f29924541..1a6c47ef8a77 100644 --- a/Packs/Base/Scripts/SaneDocReportV2/SaneDocReportV2.yml +++ b/Packs/Base/Scripts/SaneDocReportV2/SaneDocReportV2.yml @@ -14,11 +14,23 @@ args: secret: false - default: false defaultValue: A4 - description: the paper size of the report + description: The paper size for the report. isArray: false name: paperSize required: false secret: false +- default: false + description: Custom logo image. + isArray: false + name: customerLogo + required: false + secret: false +- default: false + description: The logo for XSOAR. + isArray: false + name: demistoLogo + required: false + secret: false comment: Parse Sane-json-reports and export them as docx files (used internally, thus deprecated). commonfields: id: SaneDocReports 
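Review bot: The new `demistoLogo` and `customerLogo` values are taken from `demisto.args()` and forwarded to `run()` without any comment on what the library expects them to be (a path, a URL, or encoded image data), and the matching yml hunk on this same line documents them only as `Custom logo image.` and `The logo for XSOAR.`. Add a comment above the two assignments such as `# logo arguments are passed through to sane-doc-reports unchanged; expected form (path/URL/base64) — TODO confirm` and state the same in the yml descriptions, so a caller knows what to supply and a reviewer can judge what the script does with it. The change also leaves `sane_json_b64` as bytes while `orientation`/`paper_size` become plain `str`; that is fine for `base64.b64decode`, but a short comment on why only the report payload is encoded would prevent someone "fixing" the inconsistency. The enclosing `try:` begins before the hunk and its handler is outside it.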
@@ -34,10 +46,10 @@ tags:
 timeout: '0'
 type: python
 subtype: python3
-dockerimage: demisto/sane-doc-reports:1.0.0.6861
+dockerimage: demisto/sane-doc-reports:1.0.0.9678
 runas: DBotWeakRole
 runonce: false
 tests:
 - No Test
 deprecated: true
-fromversion: 5.5.0
\ No newline at end of file
+fromversion: 5.5.0
diff --git a/Packs/Base/Scripts/SanePdfReport/SanePdfReport.yml b/Packs/Base/Scripts/SanePdfReport/SanePdfReport.yml
index b789c77fea61..989db52fc46e 100644
--- a/Packs/Base/Scripts/SanePdfReport/SanePdfReport.yml
+++ b/Packs/Base/Scripts/SanePdfReport/SanePdfReport.yml
@@ -68,7 +68,7 @@ tags:
 - pdf
 timeout: '0'
 type: python
-dockerimage: demisto/sane-pdf-reports:1.0.0.9507
+dockerimage: demisto/sane-pdf-reports:1.0.0.9768
 runas: DBotWeakRole
 runonce: false
 tests:
diff --git a/Packs/Base/pack_metadata.json b/Packs/Base/pack_metadata.json
index 1a58cb57da15..26a7918e08dd 100644
--- a/Packs/Base/pack_metadata.json
+++ b/Packs/Base/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Base",
 "description": "The base pack for Cortex XSOAR.",
 "support": "xsoar",
- "currentVersion": "1.1.3",
+ "currentVersion": "1.1.4",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
diff --git a/Packs/BluelivThreatContext/.pack-ignore b/Packs/BluelivThreatContext/.pack-ignore
new file mode 100644
index 000000000000..e69de29bb2d1
diff --git a/Packs/BluelivThreatContext/.secrets-ignore b/Packs/BluelivThreatContext/.secrets-ignore
new file mode 100644
index 000000000000..f8cb8a6c2f19
--- /dev/null
+++ b/Packs/BluelivThreatContext/.secrets-ignore
@@ -0,0 +1,10 @@
+103.76.228.28
+25.20.116.113
+https://attack.mitre.org
+https://mytenant.blueliv.com
+ad53660b6d7e8d2ed14bd59b39e1f265148e3c6818a494cce906e749976bade1
+http://www.priceminister.com
+103.143.173.25
+http://uk.ask.com
+http://seclists.org
+192.168.56.102
diff --git a/Packs/BluelivThreatContext/CHANGELOG.md b/Packs/BluelivThreatContext/CHANGELOG.md
new file mode 100644
index 000000000000..723f2f878c2b
--- /dev/null
+++ b/Packs/BluelivThreatContext/CHANGELOG.md
@@ -0,0 +1 @@
+## [Unreleased]
\ No newline at end of file
diff --git a/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/BluelivThreatContext.py b/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/BluelivThreatContext.py
new file mode 100644
index 000000000000..0fe2916d6d1e
--- /dev/null
+++ b/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/BluelivThreatContext.py
@@ -0,0 +1,1120 @@ +''' IMPORTS ''' +import demistomock as demisto +from CommonServerPython import * +from CommonServerUserPython import * +import json +import urllib3 + +''' PARAM DEFINITION ''' +SEARCHABLE_BY_NAME = 'threat-actor,campaign,attack-pattern,tool,signature' +SEARCHABLE_BY_HASH = 'sha256,sha1,md5' + +urllib3.disable_warnings() + + +class Client(BaseClient): + def authenticate(self, username: str, password: str): + body = { + 'username': username, + 'password': password + } + res = self._http_request(method='POST', url_suffix='/auth', json_data=body) + self._headers = {"Content-Type": "application/json", "x-cookie": str(res.get('token'))} + return str(res.get('token')) + + def _query_gateway(self, url): + body = {"apiId": "THIAPP", "url": "/api/v1/" + url, "requestType": "GET"} + demisto.debug("Gateway call to " + json.dumps(body)) + res = self._http_request(method='POST', url_suffix='/gateway', json_data=body, headers=self._headers) + return res + + def get_threat_actor_info(self, threat_actor_id): + url = "threat-actor/{}".format(threat_actor_id) + result = self._query_gateway(url) + return result + + def get_campaign_info(self, campaign_id: str): + url = "campaign/{}".format(campaign_id) + result = self._query_gateway(url) + return result + + def get_malware_hash_info(self, file_hash, hash_type="md5"): + url = "malware/?dork={}%3A%22{}%22".format(hash_type, file_hash) + result = self._query_gateway(url) + return result + + def get_malware_info(self, malware_id): + url = "malware/{}".format(malware_id) + result = self._query_gateway(url) + return result + + def get_ip_info(self, ip_id): + url = "ip/{}".format(ip_id) + result = self._query_gateway(url) + return result + + def get_fqdn_info(self, fqdn_id): + url = "fqdn/{}".format(fqdn_id) + result = self._query_gateway(url) + return result + + def get_crime_server_info(self, cs_id): + url = "crime-server/{}".format(cs_id) + result = self._query_gateway(url) + return result + + def 
get_attack_pattern_info(self, attack_pattern_id): + url = "attack-pattern/{}".format(attack_pattern_id) + result = self._query_gateway(url) + return result + + def get_tool_info(self, tool_id): + url = "tool/{}".format(tool_id) + result = self._query_gateway(url) + return result + + def get_signature_info(self, signature_id): + url = "signature/{}".format(signature_id) + result = self._query_gateway(url) + return result + + def get_cve_info(self, cve_id): + url = "cve/{}".format(cve_id) + result = self._query_gateway(url) + return result + + def search_by_name(self, key, value): + if value: + value = value.replace(' ', '+') + else: + value = "" + + if key in SEARCHABLE_BY_NAME: + url = "{}/?fuzzy_filter%5Bname%5D={}".format(key, value) + if key in SEARCHABLE_BY_HASH: + url = "indicator/?fuzzy_filter%5Bvalue%5D={}".format(value) + if key == 'crime-server': + url = "crime-server/?fuzzy_filter%5Bcrime_server_url%5D={}".format(value) + if key == 'fqdn': + url = "fqdn/?fuzzy_filter%5Bdomain%5D={}".format(value) + if key == 'ip': + url = "ip/?fuzzy_filter%5Baddress%5D={}".format(value) + + result = self._query_gateway(url) + return result.get("data", [])[0].get("id", "0") + + def get_relationships(self, object_name, value, of): + url = "{}/{}/relationships/{}/".format(object_name, value, of) + result = self._query_gateway(url) + ids = "" + if result != "error": + ids = ','.join(str(item['id']) for item in result['data']) + + return ids + + +def getHuman(result): + human = {"id": result.get("data", {}).get("id"), + "links": result.get("data", {}).get("links"), + "type": result.get("data", {}).get("type")} + human.update(result.get("data", {}).get("attributes")) + + return human + + +# This function return false when there are no results to display +def notFound(): + demisto.results({ + 'ContentsFormat': formats['json'], + 'Type': entryTypes['note'], + 'Contents': "No results found.", + 'ReadableContentsFormat': formats['markdown'], + 'HumanReadable': "No results found.", 
+ 'EntryContext': { + 'BluelivThreatContext': {} + } + }) + sys.exit(0) + + +# Get information about threat actors # +def blueliv_threatActor(client: Client, args): + threatActorId = args.get('threatActor_id', '') + threatActorName = args.get('threatActor', '') + + if not threatActorId and not threatActorName: + notFound() + + if not threatActorId: + threatActorId = client.search_by_name('threat-actor', threatActorName) + + if not threatActorId: + notFound() + else: + result = client.get_threat_actor_info(threatActorId) + + if result: + name = str(demisto.get(result, "data.attributes.name")) + description = str(demisto.get(result, "data.attributes.description")) + objective = str(demisto.get(result, "data.attributes.objective")) + sophistication = str(demisto.get(result, "data.attributes.sophistication")) + lastSeen = str(demisto.get(result, "data.attributes.last_seen")) + active = str(demisto.get(result, "data.attributes.active")) + + milestoneIds = "" + milestones = demisto.get(result, "data.relationships.milestones.meta.count") + if milestones: + milestoneIds = client.get_relationships("threat-actor", threatActorId, "milestone") + + toolIds = "" + tools = demisto.get(result, "data.relationships.tools.meta.count") + if tools: + toolIds = client.get_relationships("threat-actor", threatActorId, "tools") + + campaigns = demisto.get(result, "data.relationships.campaigns.meta.count") + campaignIds = "" + if campaigns: + campaignIds = client.get_relationships("threat-actor", threatActorId, "campaign") + + signatures = demisto.get(result, "data.relationships.signatures.meta.count") + signatureIds = "" + if signatures: + signatureIds = client.get_relationships("threat-actor", threatActorId, "signature") + + onlineServiceIds = "" + onlineServices = demisto.get(result, "data.relationships.online_services.meta.count") + if onlineServices: + onlineServiceIds = client.get_relationships("threat-actor", threatActorId, "online-service") + + malwareIds = "" + malware = 
demisto.get(result, "data.relationships.malware.meta.count") + if malware: + malwareIds = client.get_relationships("threat-actor", threatActorId, "malware") + + threatTypeIds = "" + threatTypes = demisto.get(result, "data.relationships.threat_types.meta.count") + if threatTypes: + threatTypeIds = client.get_relationships("threat-actor", threatActorId, "threat-type") + + fqdnIds = "" + fqdns = demisto.get(result, "data.relationships.fqdns.meta.count") + if fqdns: + fqdnIds = client.get_relationships("threat-actor", threatActorId, "fqdn") + + attackPatternIds = "" + attackPatterns = demisto.get(result, "data.relationships.attack_patterns.meta.count") + if attackPatterns: + attackPatternIds = client.get_relationships("threat-actor", threatActorId, "attack-pattern") + + ipIds = "" + ips = demisto.get(result, "data.relationships.ips.meta.count") + if ips: + ipIds = client.get_relationships("threat-actor", threatActorId, "ip") + + targetIds = "" + targets = demisto.get(result, "data.relationships.targets.meta.count") + if targets: + targetIds = client.get_relationships("threat-actor", threatActorId, "target") + + human = getHuman(result) + demisto.results({ + 'ContentsFormat': formats['json'], + 'Type': entryTypes['note'], + 'Contents': result, + 'ReadableContentsFormat': formats['markdown'], + 'HumanReadable': tableToMarkdown("Blueliv Threat Actor info", human), + 'EntryContext': { + 'BluelivThreatContext.threatActor(val.name && val.id == obj.id)': { + 'id': threatActorId, + 'name': name, + 'description': description, + 'objective': objective, + 'sophistication': sophistication, + 'lastSeen': lastSeen, + 'active': active, + 'milestones': milestones, + 'milestoneIds': milestoneIds, + 'tools': tools, + 'toolIds': toolIds, + 'campaigns': campaigns, + 'campaignIds': campaignIds, + 'signatures': signatures, + 'signatureIds': signatureIds, + 'onlineServices': onlineServices, + 'onlineServiceIds': onlineServiceIds, + 'malware': malware, + 'malwareIds': malwareIds, + 
'threatTypes': threatTypes, + 'threatTypeIds': threatTypeIds, + 'fqdns': fqdns, + 'fqdnIds': fqdnIds, + 'attackPatterns': attackPatterns, + 'attackPatternIds': attackPatternIds, + 'ips': ips, + 'ipIds': ipIds, + 'targets': targets, + 'targetIds': targetIds + } + } + }) + else: + notFound() + + +# Get campaign information +def blueliv_campaign(client: Client, args): + campaignName = args.get('campaign', '') + campaignId = args.get('campaign_id', '') + + if not campaignId: + campaignId = client.search_by_name('campaign', campaignName) + if not campaignId: + notFound() + else: + result = client.get_campaign_info(campaignId) + + if result: + lastSeen = demisto.get(result, "data.attributes.last_seen") + name = demisto.get(result, "data.attributes.name") + description = demisto.get(result, "data.attributes.description") + + # BOTNETS # + botnetIds = "" + botnets = demisto.get(result, "data.relationships.botnets.meta.count") + if botnets: + botnetIds = client.get_relationships("campaign", campaignId, "botnet") + + # SIGNATURES # + signatureIds = "" + signatures = demisto.get(result, "data.relationships.signatures.meta.count") + if signatures: + signatureIds = client.get_relationships("campaign", campaignId, "signature") + + # IPs # + ipIds = "" + ips = demisto.get(result, "data.relationships.ips.meta.count") + if ips: + ipIds = client.get_relationships("campaign", campaignId, "ip") + + # MALWARE # + malwareIds = "" + malware = demisto.get(result, "data.relationships.malware.meta.count") + if malware: + malwareIds = client.get_relationships("campaign", campaignId, "malware") + + # ATTACK PATTERNS + attackPatternIds = "" + attackPatterns = demisto.get(result, "data.relationships.attack_patterns.meta.count") + if attackPatterns: + attackPatternIds = client.get_relationships("campaign", campaignId, "attack-pattern") + + # TOOLS # + toolIds = "" + tools = demisto.get(result, "data.relationships.tools.meta.count") + if tools: + toolIds = client.get_relationships("campaign", 
campaignId, "tool") + + # FQDNs # + fqdnIds = "" + fqdns = demisto.get(result, "data.relationships.fqdns.meta.count") + if fqdns: + fqdnIds = client.get_relationships("campaign", campaignId, "fqdn") + + # THREAT ACTORS # + threatActorId = demisto.get(result, "data.relationships.threat_actor.data.id") + + human = getHuman(result) + demisto.results({ + 'ContentsFormat': formats['json'], + 'Type': entryTypes['note'], + 'Contents': result, + 'ReadableContentsFormat': formats['markdown'], + 'HumanReadable': tableToMarkdown("Blueliv Campaign info", human), + 'EntryContext': { + 'BluelivThreatContext.campaign(val.id && val.id == obj.id)': { + 'id': campaignId, + 'name': name, + 'description': description, + 'lastSeen': lastSeen, + 'botnets': botnets, + 'botnetIds': botnetIds, + 'signatures': signatures, + 'signatureIds': signatureIds, + 'ips': ips, + 'ipIds': ipIds, + 'malware': malware, + 'malwareIds': malwareIds, + 'attackPatterns': attackPatterns, + 'attackPatternIds': attackPatternIds, + 'tools': tools, + 'toolIds': toolIds, + 'fqdns': fqdns, + 'fqdnIds': fqdnIds, + 'threatActorId': threatActorId + } + } + }) + else: + notFound() + + +# Get detailed malware information # +def blueliv_malware(client: Client, args): + hashValue = args.get('hash', '') + malwareId = args.get('hash_id', '') + + if hashValue: + if len(hashValue) == 40: + hash_type = 'sha1' + elif len(hashValue) == 64: + hash_type = 'sha256' + elif len(hashValue) == 32: + hash_type = 'md5' + else: + notFound() + + if not malwareId: + result = client.get_malware_hash_info(hashValue, hash_type) + + if not result: + notFound() + + if result.get("data", []): + malwareId = demisto.get(result.get("data")[0], "id") + + if malwareId: + result = client.get_malware_info(malwareId) + + if result: + # lastSeen = demisto.get(result, "data.attributes.last_seen") + sha256 = demisto.get(result, "data.attributes.sha256") + sha1 = demisto.get(result, "data.attributes.sha1") + md5 = demisto.get(result, "data.attributes.md5") + 
fileType = demisto.get(result, "data.attributes.file_type") + hasCandC = demisto.get(result, "data.attributes.has_c_and_c") + memory = demisto.get(result, "data.attributes.memory") + procMemory = demisto.get(result, "data.attributes.proc_memory") + analysisStatus = demisto.get(result, "data.attributes.analysis_status") + dropped = demisto.get(result, "data.attributes.dropped") + buffers = demisto.get(result, "data.attributes.buffers") + hasNetwork = demisto.get(result, "data.attributes.has_network") + risk = demisto.get(result, "data.attributes.risk") + # Malware uses sha256 likes malwareId, so we need to use this field to call getIds function + + # CAMPAIGNS # + campaigns = demisto.get(result, "data.relationships.campaigns.meta.count") + campaignIds = "" + if campaigns: + campaignIds = client.get_relationships("malware", sha256, "campaign") + + # SIGNATURES # + signatures = demisto.get(result, "data.relationships.signatures.meta.count") + signatureIds = "" + if signatures: + signatureIds = client.get_relationships("malware", sha256, "signature") + + # THREAT ACTORS # + threatActorIds = "" + threatActors = demisto.get(result, "data.relationships.threat_actors.meta.count") + if threatActors: + threatActorIds = client.get_relationships("malware", sha256, "threat-actor") + + # SOURCES # + sourceIds = "" + sources = demisto.get(result, "data.relationships.sources.meta.count") + if sources: + sourceIds = client.get_relationships("malware", sha256, "source") + + # TAGS # + tagIds = "" + tags = demisto.get(result, "data.relationships.tags.meta.count") + if tags: + tagIds = client.get_relationships("malware", sha256, "tag") + + # CRIME SERVERS # + crimeServerIds = "" + crimeServers = demisto.get(result, "data.relationships.crime_servers.meta.count") + if crimeServers: + crimeServerIds = client.get_relationships("mwlware", sha256, "crime-server") + + # FQDNs # + fqdnIds = "" + fqdns = demisto.get(result, "data.relationships.fqdns.meta.count") + if fqdns: + fqdnIds = 
client.get_relationships("malware", sha256, "fqdn") + + # TYPES # + typeIds = "" + types = demisto.get(result, "data.relationships.types.meta.count") + if types: + typeIds = client.get_relationships("malware", sha256, "type") + + # SPARKS # + sparkIds = "" + sparks = demisto.get(result, "data.relationships.sparks.meta.count") + if sparks: + sparkIds = client.get_relationships("malware", sha256, "spark") + + # IPs # + ipIds = "" + ips = demisto.get(result, "data.relationships.ips.meta.count") + if ips: + ipIds = client.get_relationships("malware", sha256, "ip") + + human = getHuman(result) + demisto.results({ + 'ContentsFormat': formats['json'], + 'Type': entryTypes['note'], + 'Contents': result, + 'ReadableContentsFormat': formats['markdown'], + 'HumanReadable': tableToMarkdown("Blueliv Malware file info", human), + 'EntryContext': { + 'BluelivThreatContext.malware(val.id && val.id == obj.id)': { + 'id': malwareId, + 'hash.sha256': sha256, + 'hash.sha1': sha1, + 'hash.md5': md5, + 'fileType': fileType, + 'hasCandC': hasCandC, + 'memory': memory, + 'procMemory': procMemory, + 'analysisStatus': analysisStatus, + 'dropped': dropped, + 'buffers': buffers, + 'hasNetwork': hasNetwork, + 'risk': risk, + 'campaigns': campaigns, + 'campaignIds': campaignIds, + 'signatures': signatures, + 'signatureIds': signatureIds, + 'threatActors': threatActors, + 'threatActorIds': threatActorIds, + 'sources': sources, + 'sourceIds': sourceIds, + 'tags': tags, + 'tagIds': tagIds, + 'crimeServers': crimeServers, + 'crimeserverIds': crimeServerIds, + 'fqdns': fqdns, + 'fqdnIds': fqdnIds, + 'types': types, + 'typeIds': typeIds, + 'sparks': sparks, + 'sparkIds': sparkIds, + 'ips': ips, + 'ipIds': ipIds + } + } + }) + else: + notFound() + else: + notFound() + + +def blueliv_indicatorIp(client: Client, args): + nameIP = args.get('IP', '') + valueIP = args.get('IP_id', '') + + if not valueIP and not nameIP: + notFound() + if nameIP: + valueIP = nameIP # client.search_by_name('fqdn', nameIP) + + 
if not valueIP: + notFound() + + result = client.get_ip_info(valueIP) + + if result: + lastSeen = str(demisto.get(result, "data.attributes.last_seen")) + latitude = str(demisto.get(result, "data.attributes.latitude")) + longitude = str(demisto.get(result, "data.attributes.longitude")) + risk = str(demisto.get(result, "data.attributes.risk")) + countryId = str(demisto.get(result, "data.relationships.country.data.id")) + + # CAMPAIGNS # + campaigns = demisto.get(result, "data.relationships.campaigns.meta.count") + campaignIds = "" + if campaigns: + campaignIds = client.get_relationships("ip", valueIP, "campaign") + + # SIGNATURES # + signatures = demisto.get(result, "data.relationships.signatures.meta.count") + signatureIds = "" + if signatures: + signatureIds = client.get_relationships("ip", valueIP, "signature") + + # THREAT ACTORS # + threatActors = demisto.get(result, "data.relationships.threat_actors.meta.count") + threatActorIds = "" + if threatActors: + client.get_relationships("ip", valueIP, "threat-actor") + + # TAGS # + tags = demisto.get(result, "data.relationships.tags.meta.count") + tagIds = "" + if tags: + tagIds = client.get_relationships("ip", valueIP, "tag") + + # FQDNs # + fqdnIds = "" + fqdns = demisto.get(result, "data.relationships.fqdns.meta.count") + if fqdns: + fqdnIds = client.get_relationships("ip", valueIP, "fqdn") + + # SPARKS # + sparks = demisto.get(result, "data.relationships.sparks.meta.count") + sparkIds = "" + if sparks: + sparkIds = client.get_relationships("ip", valueIP, "spark") + + # BOTS # + bots = demisto.get(result, "data.relationships.bots.meta.count") + botIds = "" + if bots: + botIds = client.get_relationships("ip", valueIP, "bot") + + human = getHuman(result) + ipName = valueIP.replace(".", "") + demisto.results({ + 'ContentsFormat': formats['json'], + 'Type': entryTypes['note'], + 'Contents': result, + 'ReadableContentsFormat': formats['markdown'], + 'HumanReadable': tableToMarkdown("Blueliv IP info", human), + 
'EntryContext': { + 'BluelivThreatContext.indicator(val.ipName && val.ipName == obj.ipName)': { + "ipName": ipName, + 'lastSeen': lastSeen, + 'risk': risk, + 'latitude': latitude, + 'longitude': longitude, + 'countryId': countryId, + 'campaigns': campaigns, + 'campaignIds': campaignIds, + 'signatures': signatures, + 'signatureIds': signatureIds, + 'threatActors': threatActors, + 'threatActorIds': threatActorIds, + 'tags': tags, + 'tagIds': tagIds, + 'fqdns': fqdns, + 'fqdnIds': fqdnIds, + 'sparks': sparks, + 'sparkIds': sparkIds, + 'bots': bots, + 'botIds': botIds + } + } + }) + else: + notFound() + + +def blueliv_indicatorFqdn(client: Client, args): + nameFQDN = args.get('FQDN', '') + valueFQDN = args.get('FQDN_id', '') + + if not valueFQDN and not nameFQDN: + notFound() + if not valueFQDN and nameFQDN: + valueFQDN = client.search_by_name('fqdn', nameFQDN) + if not valueFQDN: + notFound() + sys.exit() + + result = client.get_fqdn_info(valueFQDN) + if result: + # PARAMETROS GENERALES # + lastSeen = str(demisto.get(result, "data.attributes.last_seen")) + risk = str(demisto.get(result, "data.attributes.risk")) + + # CAMPAIGNS # + campaigns = demisto.get(result, "data.relationships.campaigns.meta.count") + campaignIds = "" + if campaigns: + campaignIds = client.get_relationships("fqdn", valueFQDN, "campaign") + + # SIGNATURES # + signatures = demisto.get(result, "data.relationships.signatures.meta.count") + signatureIds = "" + if signatures: + signatureIds = client.get_relationships("fqdn", valueFQDN, "signature") + + # THREAT ACTORS # + threatActors = demisto.get(result, "data.relationships.threat_actors.meta.count") + threatActorIds = "" + if threatActors: + threatActorIds = client.get_relationships("fqdn", valueFQDN, "threat-actor") + + # TAGS # + tags = demisto.get(result, "data.relationships.tags.meta.count") + tagIds = "" + if tags: + tagIds = client.get_relationships("fqdn", valueFQDN, "tag") + + # CRIME SERVERS # + crimeServers = demisto.get(result, 
"data.relationships.crime_servers.meta.count") + crimeServerIds = "" + if crimeServers: + crimeServerIds = client.get_relationships("fqdn", valueFQDN, "crime-server") + + # SPARKS # + sparks = demisto.get(result, "data.relationships.sparks.meta.count") + sparkIds = "" + if sparks: + sparkIds = client.get_relationships("fqdn", valueFQDN, "spark") + + # IPs # + ips = demisto.get(result, "data.relationships.ips.meta.count") + ipIds = "" + if ips: + ipIds = client.get_relationships("fqdn", valueFQDN, "ip") + + human = getHuman(result) + demisto.results({ + 'ContentsFormat': formats['json'], + 'Type': entryTypes['note'], + 'Contents': result, + 'ReadableContentsFormat': formats['markdown'], + 'HumanReadable': tableToMarkdown("Blueliv FQDN info", human), + 'EntryContext': { + 'BluelivThreatContext.indicator(val.id && val.id == obj.id)': { + 'id': valueFQDN, + 'lastSeen': lastSeen, + 'risk': risk, + 'campaigns': campaigns, + 'campaignIds': campaignIds, + 'signatures': signatures, + 'signatureIds': signatureIds, + 'threatActors': threatActors, + 'threatActorIds': threatActorIds, + 'tags': tags, + 'tagids': tagIds, + 'crimeServers': crimeServers, + 'crimeServerIds': crimeServerIds, + 'sparks': sparks, + 'sparkIds': sparkIds, + 'ips': ips, + 'ipIds': ipIds + } + } + }) + else: + notFound() + + +# Get information about the crime server related with the provided URL +def blueliv_indicatorCs(client: Client, args): + nameCS = args.get('CS', '') + valueCS = args.get('CS_id', '') + + if not valueCS and not nameCS: + notFound() + if not valueCS and nameCS: + valueCS = client.search_by_name('crime-server', nameCS) + if not valueCS: + notFound() + sys.exit() + + result = client.get_crime_server_info(valueCS) + + if result: + lastSeen = str(demisto.get(result, "data.attributes.last_seen")) + status = str(demisto.get(result, "data.attributes.status")) + risk = str(demisto.get(result, "data.attributes.risk")) + isFalsePositive = str(demisto.get(result, 
"data.attributes.is_false_positive")) + crimeServerUrl = str(demisto.get(result, "data.attributes.crime_server_url")) + creditCardsCount = str(demisto.get(result, "data.attributes.credit_cards_count")) + credentialsCount = str(demisto.get(result, "data.attributes.credentials_count")) + botsCount = str(demisto.get(result, "data.attributes.bots_count")) + fqdnId = demisto.get(result, "data.relationships.fqdn.data.id") + + # SOURCES # + sourceIds = "" + sources = demisto.get(result, "data.relationships.sources.meta.count") + if sources: + sourceIds = client.get_relationships("crime-server", valueCS, "source") + + # MALWARE # + malwareIds = "" + malware = demisto.get(result, "data.relationships.malware.meta.count") + if malware: + malwareIds = client.get_relationships("crime-server", valueCS, "malware") + + # TAGS # + tags = demisto.get(result, "data.relationships.tags.meta.count") + tagIds = "" + if tags: + tagIds = client.get_relationships("crime-server", valueCS, "tag") + + # SPARKS # + sparks = demisto.get(result, "data.relationships.sparks.meta.count") + sparkIds = "" + if sparks: + sparkIds = client.get_relationships("crime-server", valueCS, "spark") + + human = getHuman(result) + demisto.results({ + 'ContentsFormat': formats['json'], + 'Type': entryTypes['note'], + 'Contents': result, + 'ReadableContentsFormat': formats['markdown'], + 'HumanReadable': tableToMarkdown("Blueliv Crime Server info", human), + 'EntryContext': { + 'BluelivThreatContext.indicator(val.id && val.id == obj.id)': { + 'id': valueCS, + 'lastSeen': lastSeen, + 'status': status, + 'risk': risk, + 'isFalsePositive': isFalsePositive, + 'crimeServerUrl': crimeServerUrl, + 'creditCardsCount': creditCardsCount, + 'credentialsCount': credentialsCount, + 'botsCount': botsCount, + 'fqdnId': fqdnId, + 'malware': malware, + 'malwareIds': malwareIds, + 'tags': tags, + 'tagIds': tagIds, + 'sparks': sparks, + 'sparkIds': sparkIds, + 'sources': sources, + 'sourceIds': sourceIds + } + } + }) + else: + 
notFound() + + +# Get information about attack patterns +def blueliv_attackPattern(client: Client, args): + attackPatternName = args.get('attackPattern', '') + attackPatternId = args.get('attackPattern_id', '') + + if attackPatternId: + attackPatternId = int(attackPatternId) + + if not attackPatternId: + attackPatternId = client.search_by_name('attack-pattern', attackPatternName) + + if attackPatternId: + result = client.get_attack_pattern_info(attackPatternId) + + if result: + updatedAt = demisto.get(result, "data.attributes.updated_at") + name = demisto.get(result, "data.attributes.name") + description = demisto.get(result, "data.attributes.description") + serverity = demisto.get(result, "data.attributes.severity") + + # SIGNATURES # + signatures = demisto.get(result, "data.relationships.signatures.meta.count") + signatureIds = "" + if signatures: + signatureIds = client.get_relationships("attack-pattern", str(attackPatternId), "signature") + + # CAMPAIGNS # + campaigns = demisto.get(result, "data.relationships.campaigns.meta.count") + campaignIds = "" + if campaigns: + campaignIds = client.get_relationships("attack-pattern", str(attackPatternId), "campaign") + + # THREAT ACTORS # + threatActorIds = "" + threatActors = demisto.get(result, "data.relationships.threat_actors.meta.count") + if threatActors: + threatActorIds = client.get_relationships("attack-pattern", str(attackPatternId), "threat-actor") + + # CVEs # + cveIds = "" + cves = demisto.get(result, "data.relationships.cves.meta.count") + if cves: + cves = client.get_relationships("attack-pattern", str(attackPatternId), "cve") + + human = getHuman(result) + demisto.results({ + 'ContentsFormat': formats['json'], + 'Type': entryTypes['note'], + 'Contents': result, + 'ReadableContentsFormat': formats['markdown'], + 'HumanReadable': tableToMarkdown("Blueliv Attack Pattern info", human), + 'EntryContext': { + 'BluelivThreatContext.attackPattern(val.id && val.id == obj.id)': { + 'id': attackPatternId, + 'name': 
name, + 'description': description, + 'updatedAt': updatedAt, + 'serverity': serverity, + 'signatures': signatures, + 'signatureIds': signatureIds, + 'campaigns': campaigns, + 'campaignIds': campaignIds, + 'threatActors': threatActors, + 'threatActorIds': threatActorIds, + 'cves': cves, + 'cveIds': cveIds + } + } + }) + else: + notFound() + else: + notFound() + + +# Get information about tools +def blueliv_tool(client: Client, args): + toolName = args.get('tool', '') + toolId = args.get('tool_id', '') + + if not toolId: + toolId = client.search_by_name('tool', toolName) + + if toolId: + result = client.get_tool_info(toolId) + + if result: + name = demisto.get(result, "data.attributes.name") + description = demisto.get(result, "data.attributes.description") + lastSeen = demisto.get(result, "data.attributes.last_seen") + + # CAMPAIGNS # + campaigns = demisto.get(result, "data.relationships.campaigns.meta.count") + campaignIds = "" + if campaigns: + campaignIds = client.get_relationships("tool", str(toolId), "campaign") + + # SIGNATURES # + signatures = demisto.get(result, "data.relationships.signatures.meta.count") + signatureIds = "" + if signatures: + signatureIds = client.get_relationships("tool", str(toolId), "signature") + + # THREAT ACTORS # + threatActorIds = "" + threatActors = demisto.get(result, "data.relationships.threat_actors.meta.count") + if threatActors: + threatActorIds = client.get_relationships("tool", str(toolId), "threat-actor") + + human = getHuman(result) + demisto.results({ + 'ContentsFormat': formats['json'], + 'Type': entryTypes['note'], + 'Contents': result, + 'ReadableContentsFormat': formats['markdown'], + 'HumanReadable': tableToMarkdown("Blueliv Tool info", human), + 'EntryContext': { + 'BluelivThreatContext.tool(val.id && val.id == obj.id)': { + 'id': toolId, + 'name': name, + 'description': description, + 'lastSeen': lastSeen, + 'campaigns': campaigns, + 'campaignIds': campaignIds, + 'signatures': signatures, + 'signatureIds': 
signatureIds, + 'threatActors': threatActors, + 'threatActorIds': threatActorIds + } + } + }) + else: + notFound() + else: + notFound() + + +def blueliv_signature(client: Client, args): + signatureName = args.get('signature', '') + signatureId = args.get('signature_id', '') + + if not signatureId: + signatureId = client.search_by_name('signature', signatureName) + + if signatureId: + result = client.get_signature_info(signatureId) + + if result: + name = demisto.get(result, "data.attributes.name") + signatureType = demisto.get(result, "data.attributes.type") + updatedAt = demisto.get(result, "data.attributes.updated_at") + + # MALWARE # + malwareIds = "" + malware = demisto.get(result, "data.relationships.malware.meta.count") + if malware: + malwareIds = client.get_relationships("signature", str(signatureId), "malware") + + human = getHuman(result) + demisto.results({ + "Type": entryTypes["note"], + 'Contents': result, + "ContentsFormat": formats["json"], + 'HumanReadable': tableToMarkdown("Blueliv Signature info", human), + 'ReadableContentsFormat': formats['markdown'], + 'EntryContext': { + 'BluelivThreatContext.signature(val.id && val.id == obj.id)': { + 'id': signatureId, + 'name': name, + 'type': signatureType, + 'updatedAt': updatedAt, + 'malware': malware, + 'malwareIds': malwareIds + } + } + }) + else: + notFound() + else: + notFound() + + +# Get inforamtion abouth the provided CVE code +def blueliv_cve(client: Client, args): + cveCode = args.get('CVE', '') + vulnId = args.get('CVE_id', '') + + if not vulnId: + vulnId = cveCode + + result = client.get_cve_info(vulnId) + + if result: + name = demisto.get(result, "data.attributes.name") + description = demisto.get(result, "data.attributes.description") + updatedAt = demisto.get(result, "data.attributes.updated_at") + score = demisto.get(result, "data.attributes.score") + exploitsTableData = demisto.get(result, "data.attributes.exploits") + platformsTableData = demisto.get(result, "data.attributes.platforms") 
+ + # ATTACK PATTERNS + attackPatternIds = "" + attackPatterns = demisto.get(result, "data.relationships.attack_patterns.meta.count") + if attackPatterns: + attackPatternIds = client.get_relationships("cve", str(vulnId), "attack-pattern") + + # SIGNATURES # + signatures = demisto.get(result, "data.relationships.signatures.meta.count") + signatureIds = "" + if signatures: + signatureIds = client.get_relationships("cve", str(vulnId), "signature") + + # TAGS # + tagIds = "" + tags = demisto.get(result, "data.relationships.tags.meta.count") + if tags: + tagIds = client.get_relationships("cve", str(vulnId), "tag") + + # CRIME SERVERS # + crimeServerIds = "" + crimeServers = demisto.get(result, "data.relationships.crime_servers.meta.count") + if crimeServers: + crimeServerIds = client.get_relationships("cve", str(vulnId), "crime-server") + + # SPARKS # + sparkIds = "" + sparks = demisto.get(result, "data.relationships.sparks.meta.count") + if sparks: + sparkIds = client.get_relationships("cve", vulnId, "spark") + + # MALWARE # + malwareIds = "" + malware = demisto.get(result, "data.relationships.malware.meta.count") + if malware: + malwareIds = client.get_relationships("cve", vulnId, "malware") + + human = getHuman(result) + demisto.results({ + "Type": entryTypes["note"], + 'Contents': result, + "ContentsFormat": formats["json"], + 'HumanReadable': tableToMarkdown("Blueliv CVE info", human), + 'ReadableContentsFormat': formats['markdown'], + 'EntryContext': { + 'BluelivThreatContext.cve(val.id && val.id == obj.id)': { + 'id': vulnId, + 'name': name, + 'description': description, + 'updatedAt': updatedAt, + 'score': score, + 'attackPatterns': attackPatterns, + 'attackPatternIds': attackPatternIds, + 'signatures': signatures, + 'signatureIds': signatureIds, + 'tags': tags, + 'tagIds': tagIds, + 'crimeServers': crimeServers, + 'crimeServerIds,': crimeServerIds, + 'sparks': sparks, + 'sparkIds': sparkIds, + 'malware': malware, + 'malwareIds': malwareIds, + 'exploits': 
exploitsTableData, + 'platforms': platformsTableData + } + } + }) + else: + notFound() + + +# DEMISTO command evaluation +def main(): + params = demisto.params() + server_url = params.get('url') + verify_ssl = not params.get('unsecure', '') + proxy = params.get('proxy') + username = params['credentials']['identifier'] + password = params['credentials']['password'] + + client = Client(server_url, verify_ssl, proxy, headers={'Accept': 'application/json'}) + token = client.authenticate(username, password) + + args = demisto.args() + if demisto.command() == 'test-module': + # Checks if the user is correctly authenticated. If the execution gets here all is correct. + demisto.results("ok") + + if demisto.command() == 'blueliv-authenticate': + demisto.results({ + "Type": entryTypes["note"], + 'Contents': token, + "ContentsFormat": formats["text"], + 'EntryContext': {'BluelivThreatContext.token': token} + }) + + elif demisto.command() == 'blueliv-tc-threat-actor': + blueliv_threatActor(client, args) + + elif demisto.command() == 'blueliv-tc-campaign': + blueliv_campaign(client, args) + + elif demisto.command() == 'blueliv-tc-malware': + blueliv_malware(client, args) + + elif demisto.command() == 'blueliv-tc-indicator-ip': + blueliv_indicatorIp(client, args) + + elif demisto.command() == 'blueliv-tc-indicator-fqdn': + blueliv_indicatorFqdn(client, args) + + elif demisto.command() == 'blueliv-tc-indicator-cs': + blueliv_indicatorCs(client, args) + + elif demisto.command() == 'blueliv-tc-attack-pattern': + blueliv_attackPattern(client, args) + + elif demisto.command() == 'blueliv-tc-tool': + blueliv_tool(client, args) + + elif demisto.command() == 'blueliv-tc-signature': + blueliv_signature(client, args) + + elif demisto.command() == 'blueliv-tc-cve': + blueliv_cve(client, args) + + +if __name__ in ('__main__', '__builtin__', 'builtins'): + main() 
diff --git a/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/BluelivThreatContext.yml b/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/BluelivThreatContext.yml
new file mode 100644
index 000000000000..c330c03a1303
--- /dev/null
+++ b/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/BluelivThreatContext.yml
@@ -0,0 +1,754 @@ +category: Data Enrichment & Threat Intelligence +commonfields: + id: Blueliv ThreatContext + version: -1 +configuration: +- defaultvalue: https://demisto.blueliv.com/api/v2 + display: Server URL (e.g. https://demisto.blueliv.com/api/v2) + name: url + required: true + type: 0 +- display: Username + name: credentials + required: true + type: 9 +- defaultvalue: 'false' + display: Trust any certificate (not secure) + name: unsecure + required: false + type: 8 +- display: Use system proxy settings + hidden: false + name: proxy + required: false + type: 8 +description: The Threat Context module provides SOC, Incident Response, and Threat + Intelligence teams with continuously updated and intuitive information around threat + actors, campaigns, malware indicators, attack patterns, tools, signatures and CVEs. +display: Blueliv ThreatContext +name: Blueliv ThreatContext +script: + commands: + - deprecated: false + description: Authenticates and gets the API token. + execution: false + name: blueliv-authenticate + outputs: + - contextPath: BluelivThreatContext.token + description: Authentication token. + type: String + - arguments: + - default: false + description: Internal Blueliv malware hash ID. + isArray: false + name: hash_id + required: false + secret: false + - default: false + description: Malware file hash to search for. + isArray: false + name: hash + required: false + secret: false + deprecated: false + description: Gets information about malware, by ID. + execution: false + name: blueliv-tc-malware + outputs: + - contextPath: BluelivThreatContext.malware.hash.sha256 + description: File SHA256 hash. + type: String + - contextPath: BluelivThreatContext.malware.hash.sha1 + description: File SHA1 hash. + type: String + - contextPath: BluelivThreatContext.malware.hash.md5 + description: File MD5 hash. + type: String + - contextPath: BluelivThreatContext.malware.type + description: Malware type. 
+ type: String + - contextPath: BluelivThreatContext.malware.hasCandC + description: Whether there is an associated C&C. + type: Boolean + - contextPath: BluelivThreatContext.malware.memory + description: Malware memory. + type: String + - contextPath: BluelivThreatContext.malware.procMemory + description: Malware proc memory. + type: String + - contextPath: BluelivThreatContext.malware.analysisStatus + description: Malware analysis status. + type: String + - contextPath: BluelivThreatContext.malware.dropped + description: Malware dropped. + type: Boolean + - contextPath: BluelivThreatContext.malware.buffers + description: Malware buffers. + type: Boolean + - contextPath: BluelivThreatContext.malware.hasNetwork + description: Whether the malware has Network information. + type: Boolean + - contextPath: BluelivThreatContext.malware.risk + description: Malware associated risk. + type: Number + - contextPath: BluelivThreatContext.malware.campaigns + description: Malware related campaigns. + type: Number + - contextPath: BluelivThreatContext.malware.campaignIds + description: Malware related campaigns' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.malware.signatures + description: Malware signatures. + type: Number + - contextPath: BluelivThreatContext.malware.sigantureIds + description: Malware sigantures' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.malware.threatActors + description: Malware threat actors. + type: Number + - contextPath: BluelivThreatContext.malware.threatActorIds + description: Malware threat actors' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.malware.sources + description: Malware sources. + type: Number + - contextPath: BluelivThreatContext.malware.sourceIds + description: Malware sources' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.malware.tags + description: Malware tags. 
+ type: Number + - contextPath: BluelivThreatContext.malware.tagIds + description: Malware tags' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.malware.crimeServers + description: Malware related crime servers. + type: Number + - contextPath: BluelivThreatContext.malware.crimeServerIds + description: Malware crime servers' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.malware.fqdns + description: Malware FQDNs. + type: Number + - contextPath: BluelivThreatContext.malware.fqdnIds + description: Malware FQDNs internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.malware.types + description: Malware types. + type: Number + - contextPath: BluelivThreatContext.malware.typeIds + description: Malware types' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.malware.sparks + description: Malware sparks. + type: Number + - contextPath: BluelivThreatContext.malware.sparkIds + description: Malware sparks' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.malware.ips + description: Malware IP addresses. + type: Number + - contextPath: BluelivThreatContext.malware.ipIds + description: Malware IP addresses' internal IDs. + type: Unknown + - arguments: + - default: false + description: Internal Blueliv IP address ID. + isArray: false + name: IP_id + required: false + secret: false + - default: false + description: IP address to get information for. + isArray: false + name: IP + required: false + secret: false + deprecated: false + description: Gets information about an IP address. + execution: false + name: blueliv-tc-indicator-ip + outputs: + - contextPath: BluelivThreatContext.indicator.lastSeen + description: Indicator last seen date. + type: Date + - contextPath: BluelivThreatContext.indicator.risk + description: Indicator risk + type: Number + - contextPath: BluelivThreatContext.indicator.latitude + description: Indicator latitude. 
+ type: Number + - contextPath: BluelivThreatContext.indicator.longitude + description: Indicator longitude. + type: Number + - contextPath: BluelivThreatContext.indicator.countryId + description: Indicator countries' internal IDs. + type: Number + - contextPath: BluelivThreatContext.indicator.campaigns + description: Indicator campaigns. + type: Number + - contextPath: BluelivThreatContext.indicator.campaignIds + description: Indicator campaigns' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.indicator.signatures + description: Indicator signatures. + type: Number + - contextPath: BluelivThreatContext.indicator.signatureIds + description: Indicator signatures' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.indicator.threatActors + description: Indicator threat actors. + type: Number + - contextPath: BluelivThreatContext.indicator.threatActorIds + description: Indicator threat actors' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.indicator.tags + description: Indicator tags. + type: Number + - contextPath: BluelivThreatContext.indicator.tagIds + description: Indicator tags' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.indicator.fqdns + description: Indicator FQDNs. + type: Number + - contextPath: BluelivThreatContext.indicator.fqdnIds + description: Indicator FQDNs' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.indicator.sparks + description: Indicator sparks. + type: Number + - contextPath: BluelivThreatContext.indicator.sparkIds + description: Indicator sparks' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.indicator.bots + description: Indicator bots. + type: Number + - contextPath: BluelivThreatContext.indicator.botIds + description: Indicator bots' internal IDs. + type: Unknown + - arguments: + - default: false + description: CVE to get information for. 
+ isArray: false + name: CVE + required: false + secret: false + - default: false + description: Internal Blueliv CVE ID. + isArray: false + name: CVE_id + required: false + secret: false + deprecated: false + description: Gets information about a CVE. + execution: false + name: blueliv-tc-cve + outputs: + - contextPath: BluelivThreatContext.cve.name + description: CVE name. + type: String + - contextPath: BluelivThreatContext.cve.description + description: CVE description. + type: String + - contextPath: BluelivThreatContext.cve.updatedAt + description: Date the CVE was last updated. + type: Date + - contextPath: BluelivThreatContext.cve.score + description: CVE score. + type: Number + - contextPath: BluelivThreatContext.cve.attackPatterns + description: CVE attack patterns. + type: Number + - contextPath: BluelivThreatContext.cve.attackPatternIds + description: CVE attack patterns' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.cve.signatures + description: CVE signatures. + type: Number + - contextPath: BluelivThreatContext.cve.signatureIds + description: CVE signatures' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.cve.tags + description: CVE tags. + type: Number + - contextPath: BluelivThreatContext.cve.tagIds + description: CVE tags' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.cve.crimeServers + description: CVE crime servers. + type: Number + - contextPath: BluelivThreatContext.cve.crimeServerIds + description: CVE crime servers' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.cve.sparks + description: CVE sparks. + type: Number + - contextPath: BluelivThreatContext.cve.sparkIds + description: CVE sparks' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.cve.malware + description: CVE malware. + type: Number + - contextPath: BluelivThreatContext.cve.malwareIds + description: CVE malwares' internal IDs. 
+ type: Unknown + - contextPath: BluelivThreatContext.cve.exploits + description: CVE exploits. + type: Number + - contextPath: BluelivThreatContext.cve.platforms + description: CVE platforms. + type: Unknown + - arguments: + - default: false + description: Internal Blueliv FQDN ID. + isArray: false + name: FQDN_id + required: false + secret: false + - default: false + description: FQDN to get information for. + isArray: false + name: FQDN + required: false + secret: false + deprecated: false + description: Gets information about an FQDN. + execution: false + name: blueliv-tc-indicator-fqdn + outputs: + - contextPath: BluelivThreatContext.indicator.lastSeen + description: Date the indicator was last seen. + type: Date + - contextPath: BluelivThreatContext.indicator.risk + description: Indicator risk. + type: Number + - contextPath: BluelivThreatContext.indicator.campaigns + description: Indicator campaigns. + type: Number + - contextPath: BluelivThreatContext.indicator.campaignIds + description: Indicator campaigns' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.indicator.signatures + description: Indicator signatures. + type: Number + - contextPath: BluelivThreatContext.indicator.signatureIds + description: Indicator signatures' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.indicator.threatActors + description: Indicator threat actors. + type: Number + - contextPath: BluelivThreatContext.indicator.threatActorIds + description: Indicator threat actors' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.indicator.tags + description: Indicator tags. + type: Number + - contextPath: BluelivThreatContext.indicator.tagIds + description: Indicator tags' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.indicator.crimeServers + description: Indicator crime servers. + type: Number + - contextPath: BluelivThreatContext.indicator.crimeServerIds + description: Indicator crime servers' internal IDs. 
+ type: Unknown + - contextPath: BluelivThreatContext.indicator.sparks + description: Indicator sparks. + type: Number + - contextPath: BluelivThreatContext.indicator.sparkIds + description: Indicator sparks' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.indicator.ips + description: Indicator IP addresses. + type: Number + - contextPath: BluelivThreatContext.indicator.ipIds + description: Indicator IP addresses' internal IDs. + type: Unknown + - arguments: + - default: false + description: Internal Blueliv Crime Server ID. + isArray: false + name: CS_id + required: false + secret: false + - default: false + description: The name of the Crime Server to get information for. + isArray: false + name: CS + required: false + secret: false + deprecated: false + description: Gets information about a Crime Server. + execution: false + name: blueliv-tc-indicator-cs + outputs: + - contextPath: BluelivThreatContext.indicator.lastSeen + description: Date the indicator was last seen. + type: Date + - contextPath: BluelivThreatContext.indicator.status + description: Indicator status. + type: String + - contextPath: BluelivThreatContext.indicator.risk + description: Indicator risk. + type: Number + - contextPath: BluelivThreatContext.indicator.isFalsePositive + description: Whether the indicator is a false positive. + type: Boolean + - contextPath: BluelivThreatContext.indicator.crimeServerUrl + description: Indicator Crime Server URL. + type: String + - contextPath: BluelivThreatContext.indicator.creditCardsCount + description: Indicator credit cards count. + type: Number + - contextPath: BluelivThreatContext.indicator.credentialsCount + description: Indicator credentials count. + type: Number + - contextPath: BluelivThreatContext.indicator.botsCount + description: Indicator bots count. + type: Number + - contextPath: BluelivThreatContext.indicator.fqdnId + description: Indicator FQDNs internal IDs. 
+ type: Unknown + - contextPath: BluelivThreatContext.indicator.malware + description: Indicator malware. + type: Number + - contextPath: BluelivThreatContext.indicator.malwareIds + description: Indicator malware internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.indicator.tags + description: Indicator tags. + type: Number + - contextPath: BluelivThreatContext.indicator.tagIds + description: Indicator tags' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.indicator.sparks + description: Indicator sparks. + type: Number + - contextPath: BluelivThreatContext.indicator.sparkIds + description: Indicator sparks' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.indicator.sources + description: Indicator sources. + type: Number + - contextPath: BluelivThreatContext.indicator.sourceIds + description: Indicator sources' internal IDs. + type: Unknown + - arguments: + - default: false + description: Threat actor to get information for. + isArray: false + name: threatActor + required: false + secret: false + - default: false + description: Internal Blueliv Threat Actor ID. + isArray: false + name: threatActor_id + required: false + secret: false + deprecated: false + description: Gets information about a Threat Actor. + execution: false + name: blueliv-tc-threat-actor + outputs: + - contextPath: BluelivThreatContext.threatActor.name + description: Threat actor name. + type: String + - contextPath: BluelivThreatContext.threatActor.description + description: Threat actor description. + type: String + - contextPath: BluelivThreatContext.threatActor.objective + description: Threat actor objective. + type: String + - contextPath: BluelivThreatContext.threatActor.sophistication + description: Threat actor sophistication. + type: String + - contextPath: BluelivThreatContext.threatActor.lastSeen + description: Date the threat actor was last seen. 
+ type: Date + - contextPath: BluelivThreatContext.threatActor.active + description: Threat actor active. + type: Boolean + - contextPath: BluelivThreatContext.threatActor.milestones + description: Threat actor milestones. + type: Number + - contextPath: BluelivThreatContext.threatActor.milestoneIds + description: Threat actor milestones' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.threatActor.tools + description: Threat actor tools. + type: Number + - contextPath: BluelivThreatContext.threatActor.toolIds + description: Threat actor tools' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.threatActor.campaigns + description: Threat actor campaigns. + type: Number + - contextPath: BluelivThreatContext.threatActor.campaignIds + description: Threat actor campaigns' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.threatActor.signatures + description: Threat actor signatures. + type: Number + - contextPath: BluelivThreatContext.threatActor.signatureIds + description: Threat actor signatures' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.threatActor.onlineServices + description: Threat actor online services. + type: Number + - contextPath: BluelivThreatContext.threatActor.onlineServiceIds + description: Threat actor online services' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.threatActor.malware + description: Threat actor malware. + type: Number + - contextPath: BluelivThreatContext.threatActor.malwareIds + description: Threat actor malware internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.threatActor.threatTypes + description: Threat actor threat types. + type: Number + - contextPath: BluelivThreatContext.threatActor.threatTypeIds + description: Threat actor threat types' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.threatActor.fqdns + description: Threat actor FQDNs. 
+ type: Number + - contextPath: BluelivThreatContext.threatActor.fqdnIds + description: Threat actor FQDNs' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.threatActor.attackPatterns + description: Threat actor attack patterns. + type: Number + - contextPath: BluelivThreatContext.threatActor.attackPatternIds + description: Threat actor attack patterns' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.threatActor.ips + description: Threat actor IP addresses. + type: Number + - contextPath: BluelivThreatContext.threatActor.ipIds + description: Threat actor IP addresses' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.threatActor.targets + description: Threat actor targets. + type: Number + - contextPath: BluelivThreatContext.threatActor.targetIds + description: Threat actor targets' internal IDs. + type: Unknown + - arguments: + - default: false + description: Name of the campaign to get information for. + isArray: false + name: campaign + required: false + secret: false + - default: false + description: Blueliv internal campaign ID. + isArray: false + name: campaign_id + required: false + secret: false + deprecated: false + description: Gets information about a campaign. + execution: false + name: blueliv-tc-campaign + outputs: + - contextPath: BluelivThreatContext.campaign.name + description: Campaign name. + type: String + - contextPath: BluelivThreatContext.campaign.description + description: Campaign description. + type: String + - contextPath: BluelivThreatContext.campaign.lastSeen + description: Date the campaign was last seen. + type: Date + - contextPath: BluelivThreatContext.campaign.botnets + description: Campaign botnets. + type: Number + - contextPath: BluelivThreatContext.campaign.botnetIds + description: Campaign botnets' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.campaign.signatures + description: Campaign signatures. 
+ type: Number + - contextPath: BluelivThreatContext.campaign.signatureIds + description: Campaign signatures' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.campaign.ips + description: Campaign IP addresses. + type: Number + - contextPath: BluelivThreatContext.campaign.ipIds + description: Campaign IP addresses' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.campaign.malware + description: Campaign malware. + type: Number + - contextPath: BluelivThreatContext.campaign.malwareIds + description: Campaign malware internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.campaign.attackPatterns + description: Campaign attack patterns. + type: Number + - contextPath: BluelivThreatContext.campaign.attackPatternIds + description: Campaign attack patterns' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.campaign.tools + description: Campaign tools. + type: Number + - contextPath: BluelivThreatContext.campaign.toolIds + description: Campaign tools' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.campaign.fqdns + description: Campaign FQDNs. + type: Number + - contextPath: BluelivThreatContext.campaign.fqdnIds + description: Campaign FQDNs' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.campaign.threatActorId + description: Campaign threat actors' internal IDs. + type: Number + - arguments: + - default: false + description: The name of the Attack Pattern name to get information for. + isArray: false + name: attackPattern + required: false + secret: false + - default: false + description: Interanl Blueliv ID for the Attack Pattern. + isArray: false + name: attackPattern_id + required: false + secret: false + deprecated: false + description: Gets information about an Attack Pattern. + execution: false + name: blueliv-tc-attack-pattern + outputs: + - contextPath: BluelivThreatContext.attackPattern.name + description: Attack pattern name. 
+ type: String + - contextPath: BluelivThreatContext.attackPattern.description + description: Attack pattern description. + type: String + - contextPath: BluelivThreatContext.attackPattern.updatedAt + description: Date the attack pattern was last updated. + type: Date + - contextPath: BluelivThreatContext.attackPattern.severity + description: Attack pattern severity. + type: String + - contextPath: BluelivThreatContext.attackPattern.signatures + description: Attack pattern signatures. + type: Number + - contextPath: BluelivThreatContext.attackPattern.signatureIds + description: Attack pattern signatures' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.attackPattern.campaigns + description: Attack pattern campaigns. + type: Number + - contextPath: BluelivThreatContext.attackPattern.campaignIds + description: Attack pattern campaigns'. internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.attackPattern.threatActors + description: Attack pattern threat actors. + type: Number + - contextPath: BluelivThreatContext.attackPattern.threatActorIds + description: Attack pattern threat actors'. internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.attackPattern.cves + description: Attack pattern CVEs. + type: Number + - contextPath: BluelivThreatContext.attackPattern.cveIds + description: Attack pattern CVEs' internal IDs. + type: Unknown + - arguments: + - default: false + description: The name of the tool to get information for. + isArray: false + name: tool + required: false + secret: false + - default: false + description: Internal Blueliv ID of the tool. + isArray: false + name: tool_id + required: false + secret: false + deprecated: false + description: Gets information about a Tool. + execution: false + name: blueliv-tc-tool + outputs: + - contextPath: BluelivThreatContext.tool.name + description: Tool name. + type: String + - contextPath: BluelivThreatContext.tool.description + description: Tool description. 
+ type: String
+ - contextPath: BluelivThreatContext.tool.lastSeen
+ description: Date the tool was last seen.
+ type: Date
+ - contextPath: BluelivThreatContext.tool.campaigns
+ description: Tool campaigns.
+ type: Number
+ - contextPath: BluelivThreatContext.tool.campaignIds
+ description: Tool campaigns' internal IDs.
+ type: Unknown
+ - contextPath: BluelivThreatContext.tool.signatures
+ description: Tool signatures.
+ type: Number
+ - contextPath: BluelivThreatContext.tool.signatureIds
+ description: Tool signatures' internal IDs.
+ type: Unknown
+ - contextPath: BluelivThreatContext.tool.threatActors
+ description: Tool threat actors.
+ type: Number
+ - contextPath: BluelivThreatContext.tool.threatActorIds
+ description: Tool threat actors' internal IDs.
+ type: Unknown
+ - arguments:
+ - default: false
+ description: Name of the signature to get information for.
+ isArray: false
+ name: signature
+ required: false
+ secret: false
+ - default: false
+ description: Internal Blueliv ID for the signature.
+ isArray: false
+ name: signature_id
+ required: false
+ secret: false
+ deprecated: false
+ description: Gets information about a Signature.
+ execution: false
+ name: blueliv-tc-signature
+ outputs:
+ - contextPath: BluelivThreatContext.signature.name
+ description: Signature name.
+ type: String
+ - contextPath: BluelivThreatContext.signature.updatedAt
+ description: Date the signature was last updated.
+ type: Date
+ - contextPath: BluelivThreatContext.signature.ipIds
+ description: Signature IP addresses' internal IDs.
+ type: Unknown
+ - contextPath: BluelivThreatContext.signature.malware
+ description: Signature malware.
+ type: Number
+ - contextPath: BluelivThreatContext.signature.malwareIds
+ description: Signature malware internal IDs.
+ type: Unknown
+ - contextPath: BluelivThreatContext.signature.type
+ description: Signature type.
+ type: String
+ dockerimage: demisto/python3:3.8.3.9324
+ feed: false
+ isfetch: false
+ longRunning: false
+ longRunningPort: false
+ runonce: false
+ script: '-'
+ subtype: python3
+ type: python
+fromversion: 5.0.0
diff --git a/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/BluelivThreatContext_description.md b/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/BluelivThreatContext_description.md
new file mode 100644
index 000000000000..402213af8396
--- /dev/null
+++ b/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/BluelivThreatContext_description.md
@@ -0,0 +1,45 @@
+## Overview
+---
+Use Blueliv ThreatContext integration to get threats information
+
+## To set up Blueliv ThreatContext to work with Cortex XSOAR:
+---
+
+You need the following information:
+
+1. platform credentials
+2. your tenant URL
+3. Specify proxy server (if required)
+
+## To set up the integration on Cortex XSOAR:
+---
+
+1. Navigate to __Settings__ > __Integrations__ > __Servers & Services__.
+2. Search for Blueliv ThreatContext integration.
+3. Click __Add instance__ to create and configure a new integration instance.
+ * __Name__: a textual name for the integration instance.
+ * __Server URL (e.g., https://mytenant.blueliv.com)__
+ * __Username__
+ * __Password__
+ * __Trust any certificate (not secure)__
+ * __Use system proxy settings__
+
+4. Click __Test__ to validate the URLs, token, and connection.
+
+## Fetched Incidents Data
+---
+
+## Use Cases
+---
+1. Get attack patterns information
+2. Get malware campaigns information
+3. Get information about specific CVE
+4. Get information about crimeservers (C&C)
+5. Get information about differnt indicators of compromise like IPs, FQDN,hashes...
+6. Get information about malware signatures
+7. Get information about threat actors
+8. Get information about hacking tools
+
+## Known Limitations
+---
+Currently is not possible to create a user with a passwod that doesn't expire, so you need to remember to change the password and update the integration credentials used to generate the token.
\ No newline at end of file
diff --git a/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/BluelivThreatContext_image.png b/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/BluelivThreatContext_image.png
new file mode 100644
index 000000000000..ca790faca385
Binary files /dev/null and b/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/BluelivThreatContext_image.png differ
diff --git a/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/BluelivThreatContext_test.py b/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/BluelivThreatContext_test.py
new file mode 100644
index 000000000000..7b3c707f2e96
--- /dev/null
+++ b/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/BluelivThreatContext_test.py
@@ -0,0 +1,1348 @@
+import demistomock as demisto
+from BluelivThreatContext import Client, blueliv_threatActor, blueliv_campaign, blueliv_malware, blueliv_indicatorIp, \
+ blueliv_indicatorFqdn, blueliv_indicatorCs, blueliv_attackPattern, blueliv_tool, \
+ blueliv_signature, blueliv_cve
+
+
+def test_blueliv_threatActor(mocker, requests_mock):
+ blueliv_response = {
+ "data": {
+ "attributes": {
+ "active": True,
+ "aliases": [
+ "Vendetta"
+ ],
+ "country_name": "Italy",
+ "created_at": "2020-06-10T11:23:22.584500Z",
+ "description": "Vendetta is a threat actor based on Italy or Turkey discovered in April 2020",
+ "first_seen": "2020-04-01T00:00:00Z",
+ "ioc_link": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/ioc/",
+ "last_seen": "2020-06-15T00:00:00Z",
+ "modus_operandi": "Vendetta uses well designed phishing campaigns to target businessuals. ",
+ "name": "Vendetta",
+ "objective": "This threat actor appears to be focused on stealing informatio using.",
+ "references": [
+ {
+ "link": "https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/",
+ "title": "Vendetta-new threat actor from Europe"
+ },
+ {
+ "link": "https://business.blogthinkbig.com/vendetta-group-covid-19-phishing-emails/",
+ "title": "Vendetta Group and the COVID-19 Phishing Emails"
+ }
+ ],
+ "sophistication": "intermediate",
+ "tlp": "white",
+ "types": [
+ "hacker"
+ ],
+ "updated_at": "2020-06-16T08:57:08.536868Z",
+ "uuid": None
+ },
+ "id": "232",
+ "links": {
+ "self": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/"
+ },
+ "relationships": {
+ "attack_patterns": {
+ "links": {
+ "related": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/attack-pattern/",
+ "self": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/relationships/attack-pattern/"
+ },
+ "meta": {"count": 0}
+ },
+ "campaigns": {
+ "links": {
+ "related": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/campaign/",
+ "self": 
"https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/relationships/campaign/" + }, + "meta": {"count": 0} + }, + "country": { + "data": { + "id": "108", + "type": "Country" + }, + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/country/108/" + } + }, + "cves": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/cve/", + "self": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/relationships/cve/" + }, + "meta": {"count": 0} + }, + "fqdns": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/fqdn/", + "self": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/relationships/fqdn/" + }, + "meta": {"count": 0} + }, + "ips": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/ip/", + "self": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/relationships/ip/" + }, + "meta": {"count": 0} + }, + "malware": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/malware/", + "self": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/relationships/malware/" + }, + "meta": {"count": 0} + }, + "milestones": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/milestone/", + "self": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/relationships/milestone/" + }, + "meta": {"count": 0} + }, + "online_services": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/online-service/", + "self": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/relationships/online-service/" + }, + "meta": {"count": 0} + }, + "signatures": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/signature/", + "self": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/relationships/signature/" + }, + "meta": {"count": 0} + }, + "targets": { + "links": { + "related": 
"https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/target/", + "self": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/relationships/target/" + }, + "meta": {"count": 0} + }, + "threat_types": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/threat-type/", + "self": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/relationships/threat-type/" + }, + "meta": {"count": 0} + }, + "tools": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/tool/", + "self": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/relationships/tool/" + }, + "meta": {"count": 0} + } + }, + "type": "ThreatActor" + } + } + mocker.patch.object(demisto, 'results') + requests_mock.register_uri('POST', 'https://tctrustoylo.blueliv.com/api/v2/gateway', json=blueliv_response) + + client = Client(base_url='https://tctrustoylo.blueliv.com/api/v2', verify=False) + args = {"threatActor_id": 232} + blueliv_threatActor(client, args) + + results = demisto.results.call_args[0][0] + + entry_context = results.get('EntryContext', {}) + ind = entry_context.get('BluelivThreatContext.threatActor(val.name && val.id == obj.id)', {}) + assert demisto.get(ind, "sophistication") == "intermediate" + assert str(demisto.get(ind, "lastSeen")) == "2020-06-15T00:00:00Z" + + +def test_blueliv_campaign(mocker, requests_mock): + blueliv_response = { + "data": { + "attributes": { + "created_at": "2020-05-28T21:24:11.307288Z", + "description": "\u003cp\u003eA distribution campaign for the GRANDOREIRO banking Trojan.", + "first_seen": "2020-04-16T00:00:00Z", + "ioc_link": "https://tctrustoylo.blueliv.com/api/v1/campaign/152/ioc/", + "last_seen": "2020-05-28T00:00:00Z", + "name": "2020 Grandoreiro campaign against banks in LATAM, Portugal and Spain", + "tlp": "white", + "updated_at": "2020-05-28T23:58:36.883515Z", + "uuid": None + }, + "id": "152", + "links": { + "self": "https://tctrustoylo.blueliv.com/api/v1/campaign/152/" + }, + 
"relationships": { + "attack_patterns": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/campaign/152/attack-pattern/", + "self": "https://tctrustoylo.blueliv.com/api/v1/campaign/152/relationships/attack-pattern/" + }, + "meta": {"count": 0} + }, + "botnets": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/campaign/152/botnet/", + "self": "https://tctrustoylo.blueliv.com/api/v1/campaign/152/relationships/botnet/" + }, + "meta": {"count": 0} + }, + "cves": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/campaign/152/cve/", + "self": "https://tctrustoylo.blueliv.com/api/v1/campaign/152/relationships/cve/" + }, + "meta": {"count": 0} + }, + "fqdns": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/campaign/152/fqdn/", + "self": "https://tctrustoylo.blueliv.com/api/v1/campaign/152/relationships/fqdn/" + }, + "meta": {"count": 0} + }, + "ips": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/campaign/152/ip/", + "self": "https://tctrustoylo.blueliv.com/api/v1/campaign/152/relationships/ip/" + }, + "meta": {"count": 0} + }, + "malware": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/campaign/152/malware/", + "self": "https://tctrustoylo.blueliv.com/api/v1/campaign/152/relationships/malware/" + }, + "meta": {"count": 0} + }, + "signatures": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/campaign/152/signature/", + "self": "https://tctrustoylo.blueliv.com/api/v1/campaign/152/relationships/signature/" + }, + "meta": {"count": 0} + }, + "threat_actor": { + "data": { + "id": "226", + "type": "ThreatActor" + }, + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/226/" + } + }, + "tools": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/campaign/152/tool/", + "self": "https://tctrustoylo.blueliv.com/api/v1/campaign/152/relationships/tool/" + }, + "meta": {"count": 0} + } + }, + "type": "Campaign" 
+ }
+ }
+
+ mocker.patch.object(demisto, 'results')
+ requests_mock.register_uri('POST', 'https://tctrustoylo.blueliv.com/api/v2/gateway', json=blueliv_response)
+
+ client = Client(base_url='https://tctrustoylo.blueliv.com/api/v2', verify=False)
+ args = {"campaign_id": 152}
+ blueliv_campaign(client, args)
+
+ results = demisto.results.call_args[0][0]
+
+ entry_context = results.get('EntryContext', {})
+ ind = entry_context.get('BluelivThreatContext.campaign(val.id && val.id == obj.id)', {})
+ assert demisto.get(ind, "name") == "2020 Grandoreiro campaign against banks in LATAM, Portugal and Spain"
+ assert demisto.get(ind, "threatActorId") == "226"
+
+
+def test_blueliv_malware(mocker, requests_mock):
+ blueliv_response = {
+ "data": {
+ "attributes": {
+ "analysis_date": "2020-06-15T16:30:22.770000Z",
+ "analysis_delivered_date": "2020-06-15T16:22:00.220000Z",
+ "analysis_signatures": [
+ "Signature severity - Informative",
+ "Signature severity - Malicious"
+ ],
+ "analysis_status": "FINISHED_SUCCESSFULLY",
+ "at_afapi": True,
+ "behaviors": [],
+ "buffers": False,
+ "cerberus": 0.9645,
+ "created_at": "2020-06-15T16:27:20.074884Z",
+ "created_at_afapi": "2020-06-15T16:21:38.209000Z",
+ "dropped": False,
+ "file_type": "PE",
+ "first_seen": "2020-06-15T16:21:38.209000Z",
+ "has_c_and_c": False,
+ "has_network": True,
+ "has_other_urls": False,
+ "hash": "ad53660b6d7e8d2ed14bd59b39e1f265148e3c6818a494cce906e749976bade1",
+ "ioa": {
+ "attack_patterns": [
+ {
+ "id": "T1022",
+ "name": "Data Encrypted"
+ },
+ {
+ "id": "T1093",
+ "name": "Process Hollowing"
+ }
+ ],
+ "certificates": [],
+ "connections": {
+ "tcp": [],
+ "tcp_dead": [
+ "25.20.116.113:957",
+ "103.143.173.25:80"
+ ],
+ "udp": []
+ },
+ "domain": [],
+ "email": [],
+ "host": [
+ "25.20.116.113",
+ "103.143.173.25"
+ ],
+ "ip": [
+ "25.20.116.113",
+ "103.143.173.25",
+ "192.168.56.102"
+ ],
+ "metadata": {
+ "crc32": {
+ "original": "B7CACEE9",
+ "unpacked": {}
+ },
+ "file_type": {
+ "original": 
"PE32 executable (GUI) Intel 80386, for MS Windows", + "unpacked": {} + }, + "names": { + "author": [], + "common_name": [], + "company_name": None, + "country": [], + "creator": [], + "internal_name": None, + "legal_copyright": None, + "legal_trademarks": None, + "locality": [], + "organization": [], + "organizational_unit": [], + "original_filename": None, + "private_build": None, + "producer": [], + "product_name": None, + "special_build": None, + "subject": [], + "title": [] + }, + "pe_imphash": "e5b4359a3773764a372173074ae9b6bd", + "pe_timestamp": "2012-06-07 17:59:53", + "peid_signatures": [], + "postal_code": None, + "signing_date": "", + "ssdeep": { + "original": "12288:f9HFJ9rJxRX1uVVjoaWSoynxdO1FxuVVjfFoynPaVBUR8f+kN10EBO", + "unpacked": {} + } + }, + "mutex": [ + "DCPERSFWBP", + "DC_MUTEX-K5CAEA3", + "Local\\MSCTF.Asm.MutexDefault1" + ], + "path": { + "filepaths": { + "directory_created": [ + "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Windows\\Caches" + ], + "directory_enumerated": [], + "directory_queried": [ + "C:\\Users\\Administrator", + "C:\\Users" + ], + "directory_removed": [], + "dll_loaded": [ + "kernel32", + "OLEACC.dll" + ], + "file_copied": [ + "C:\\Users\\Administrator\\Documents\\MSDCSC\\msdcsc.exe" + ], + "file_created": [ + "C:\\Windows\\System32\\oleaccrc.dll", + "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" + ], + "file_deleted": [], + "file_exists": [ + "C:\\Windows\\System32\\oleaccrc.dll", + "C:\\Users\\Administrator\\Documents\\MSDCSC" + ], + "file_moved": [], + "file_opened": [ + "C:\\Windows\\System32\\oleaccrc.dll", + "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" + ], + "file_read": [ + "C:\\Users\\desktop.ini", + "C:\\Users\\Administrator\\Documents\\desktop.ini" + ], + "file_written": [] + }, + "pdb_path": [] + }, + "ports": { + "tcp": [], + "tcp_dead": [ + 80, + 957 + ], + "udp": [] + }, + "process_name": [ + "msdcsc.exe", + 
"sXPFvH.exe", + "notepad.exe" + ], + "registry": [], + "regkeys": { + "regkey_created": [ + "HKEY_CURRENT_USER\\Software" + ], + "regkey_deleted": [], + "regkey_enumerated": [ + "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP" + ], + "regkey_opened": [ + "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\", + "HKEY_CURRENT_USER\\Software\\DC2_USERS" + ], + "regkey_read": [ + "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledProcesses\\21082CA9", + "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Language Hotkey" + ], + "regkey_written": [ + "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\MicroUpdate", + "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\UserInit" + ] + }, + "url": [ + "http://uk.ask.com/favicon.ico", + "http://www.priceminister.com/" + ], + "yara": { + "generic": [], + "memory": [ + "darkcomet_memory_1", + "darkcomet_memory_3" + ], + "misc": { + "crypto": [ + "RIPEMD160_Constants", + "SHA1_Constants" + ], + "misc": [ + "dbgdetect_funcs_ig" + ], + "packer": [ + "MinGW_1", + "borland_delphi" + ] + }, + "pre_analysis": [], + "url": [] + } + }, + "ioc_link": "https://tctrustoylo.blueliv.com/api/v1/malware/ioc/", + "last_risk_scoring": "2020-06-15T16:48:42.527191Z", + "last_seen": "2020-06-23T23:52:30.123694Z", + "malfind": False, + "malicious_category": 2, + "md5": "36a40cc55e2ffe7d44d007c6e37afd7f", + "memory": False, + "metadata": {}, + "number_properties": 0, + "pcap": "https://tctrustoylo.blueliv.com/api/v1/malware//pcap/", + "priority_at_afapi": 3, + "proc_memory": False, + "properties": [], + "report": "https://tctrustoylo.blueliv.com/api/v1/malware/report/", + "risk": 7, + "sample": "https://tctrustoylo.blueliv.com/api/v1/malware/sample/", + "scans_link": "https://tctrustoylo.blueliv.com/api/v1/malware/ad536nrichment/scans/", + "seen_at_analyzer": False, + "sha1": "5c0be68316ce77584a7b966ff40e7d61a8a98055", + "sha256": 
"ad53660b6d7e8d2ed14bd59b39e1f265148e3c6818a494cce906e749976bade1", + "sha512": "e7ebf12d5dc0900faafa73d090b62c1ce583858606217d935981bf3d51dbd6e63eefd67b10391b7a3073cc6", + "slugs_tags": [], + "sources_representation": [ + "virustotalAPI" + ], + "subtype": "DARKCOMET", + "target": False, + "tlp": "white", + "types_names": [ + "DARKCOMET" + ], + "updated_at": "2020-06-23T23:52:30.137745Z", + "updated_at_afapi": "2020-06-15T16:30:33.293000Z", + "uuid": None, + "version": "none", + "vt_matches": [ + "darkkomet", + "fynloski", + "genmalicious" + ] + }, + "id": "59770710", + "links": { + "self": "https://tctrustoylo.blueliv.com/api/v1/malware/6e749976bade1/" + }, + "relationships": { + "campaigns": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/malware/a49976bade1/campaign/", + "self": "https://tctrustoylo.blueliv.com/api/v1/malware/ad51/relationships/campaign/" + }, + "meta": {"count": 0} + }, + "crime_servers": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/malware/ad53660-server/", + "self": "https://tctrustoylo.blueliv.com/api/v1/malware/ad53660b6d7e8dhips/crime-server/" + }, + "meta": {"count": 0} + }, + "fqdns": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/malware/ad53660b6d7eqdn/", + "self": "https://tctrustoylo.blueliv.com/api/v1/malware/ad53660b6d7e8d2ed14bd59b39e1n/" + }, + "meta": {"count": 0} + }, + "ips": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/malware/ad53660b6d7e8d2ed14bd59/", + "self": "https://tctrustoylo.blueliv.com/api/v1/malware/ad53660b6d7e8d2ed14bd59b39e/" + }, + "meta": {"count": 0} + }, + "signatures": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/malware/ad53660b6d7e8d2ed1re/", + "self": "https://tctrustoylo.blueliv.com/api/v1/malware/ad53660b6d7e8d2ed14bonships/signature/" + }, + "meta": {"count": 0} + }, + "solr_type": { + "data": { + "id": "62", + "type": "ThreatType" + }, + "links": { + "related": 
"https://tctrustoylo.blueliv.com/api/v1/threat-type/DARKCOMET/" + } + }, + "sources": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/malware/ad53660b6d7e8d2rce/", + "self": "https://tctrustoylo.blueliv.com/api/v1/malware/ad53660b6d7e8d2ed14bd59b39e1f2ce/" + }, + "meta": {"count": 0} + }, + "sparks": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/malware/ad53660b6d7e8d2ed14bd51/spark/", + "self": "https://tctrustoylo.blueliv.com/api/v1/malware/ad53614bde1/relationships/spark/" + }, + "meta": {"count": 0} + }, + "tags": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/malware/ad5376bade1/tag/", + "self": "https://tctrustoylo.blueliv.com/api/v1/malware/ad53660b6976bade1/relationships/tag/" + }, + "meta": {"count": 0} + }, + "threat_actors": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/malware/ad53660bade1/threat-actor/", + "self": "https://tctrustoylo.blueliv.com/api/v1/malware/ad53660b6eat-actor/" + }, + "meta": {"count": 0} + }, + "types": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/malware/ad53660b6976bade1/type/", + "self": "https://tctrustoylo.blueliv.com/api/v1/malware/ad53660b6d7e8d2edtionships/threat-type/" + }, + "meta": {"count": 0} + } + }, + "type": "Malware" + } + } + + mocker.patch.object(demisto, 'results') + requests_mock.register_uri('POST', 'https://tctrustoylo.blueliv.com/api/v2/gateway', json=blueliv_response) + + client = Client(base_url='https://tctrustoylo.blueliv.com/api/v2', verify=False) + args = {"hash_id": 59770710} + blueliv_malware(client, args) + + results = demisto.results.call_args[0][0] + + entry_context = results.get('EntryContext', {}) + ind = entry_context.get('BluelivThreatContext.malware(val.id && val.id == obj.id)', {}) + assert ind.get("hash.sha1") == "5c0be68316ce77584a7b966ff40e7d61a8a98055" + assert demisto.get(ind, "fileType") == "PE" + + +def test_blueliv_indicatorIp(mocker, requests_mock): + blueliv_response = { + 
"data": { + "attributes": { + "address": "103.76.228.28", + "asn_number": "394695", + "asn_owner": "PDR", + "at_afapi": False, + "created_at": "2019-05-03T09:57:46.834135Z", + "created_at_afapi": None, + "first_seen": "2019-04-11T04:12:09.830000Z", + "history_link": "https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/history/", + "ioc_link": "https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/ioc/", + "last_risk_scoring": "2020-06-15T15:17:47.624936Z", + "last_seen": "2020-06-18T23:36:37Z", + "latitude": 20, + "longitude": 77, + "passive_dns_link": "https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/enrichment/passive-dns/", + "risk": 4, + "slugs_tags": [], + "tlp": "amber", + "updated_at": "2020-06-18T21:47:29.968912Z", + "updated_at_afapi": None, + "virus_total_link": "https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/enrichment/virus-total/", + "whois_link": "https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/enrichment/whois/" + }, + "id": "70236228", + "links": {"self": "https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/"}, + "relationships": { + "bots": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/bot/", + "self": "https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/relationships/bot/" + }, + "meta": {"count": 0} + }, + "campaigns": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/campaign/", + "self": "https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/relationships/campaign/" + }, + "meta": {"count": 0} + }, + "country": { + "data": {"id": "103", "type": "Country"}, + "links": {"related": "https://tctrustoylo.blueliv.com/api/v1/country/103/"} + }, + "fqdns": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/fqdn/", + "self": "https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/relationships/fqdn/" + }, + "meta": {"count": 0} + }, + "signatures": { + "links": { + "related": 
"https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/signature/", + "self": "https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/relationships/signature/" + }, + "meta": {"count": 0} + }, + "sparks": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/spark/", + "self": "https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/relationships/spark/" + }, + "meta": {"count": 0} + }, + "tags": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/tag/", + "self": "https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/relationships/tag/" + }, + "meta": {"count": 0} + }, + "threat_actors": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/threat-actor/", + "self": "https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/relationships/threat-actor/" + }, + "meta": {"count": 0} + } + }, + "type": "IP" + } + } + + mocker.patch.object(demisto, 'results') + requests_mock.register_uri('POST', 'https://tctrustoylo.blueliv.com/api/v2/gateway', json=blueliv_response) + + client = Client(base_url='https://tctrustoylo.blueliv.com/api/v2', verify=False) + args = {"IP": "103.76.228.28"} + blueliv_indicatorIp(client, args) + + results = demisto.results.call_args[0][0] + + entry_context = results.get('EntryContext', {}) + ind = entry_context.get('BluelivThreatContext.indicator(val.ipName && val.ipName == obj.ipName)', {}) + assert str(demisto.get(ind, "countryId")) == "103" + assert str(demisto.get(ind, "ipName")) == "1037622828" + + +def test_blueliv_indicatorFqdn(mocker, requests_mock): + blueliv_response = { + "data": { + "attributes": { + "active_dns_link": "https://tctrustoylo.blueliv.com/api/v1/fqdn/rayanmarketing.com/enrichment/dns/", + "created_at": "2018-08-07T22:41:25.933804Z", + "domain": "rayanmarketing.com", + "first_seen": "2018-08-07T22:41:25.933689Z", + "history_link": "https://tctrustoylo.blueliv.com/api/v1/fqdn/rayanmarketing.com/history/", + "ioc_link": 
"https://tctrustoylo.blueliv.com/api/v1/fqdn/rayanmarketing.com/ioc/", + "last_risk_scoring": "2020-07-02T11:34:14.339528Z", + "last_seen": "2018-08-07T22:41:25.933696Z", + "passive_dns_link": "https://tctrustoylo.blueliv.com/m/enrichment/passive-dns/", + "risk": 2.5, + "slugs_tags": [], + "tlp": "white", + "updated_at": "2020-07-02T11:34:14.339963Z", + "virus_total_link": "https://tctrustoylo.blueliv.com/api/v1/frichment/virus-total/", + "whois_link": "https://tctrustoylo.blueliv.com/api/v1/fqdn/rayanmarketing.com/enrichment/whois/" + }, + "id": "5783887", + "links": { + "self": "https://tctrustoylo.blueliv.com/api/v1/fqdn/rayanmarketing.com/" + }, + "relationships": { + "campaigns": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/fqdn/rayanmarketing.com/campaign/", + "self": "https://tctrustoylo.blueliv.com/api/v1/fqdn/rayanmarketing.com/relampaign/" + }, + "meta": {"count": 0} + }, + "crime_servers": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/fqdn/rayanmarketing.com/crime-server/", + "self": "https://tctrustoylo.blueliv.com/api/v1/fqdn/rayanmarketing.cops/crime-server/" + }, + "meta": {"count": 0} + }, + "ips": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/fqdn/rayanmarketing.com/ip/", + "self": "https://tctrustoylo.blueliv.com/api/v1/fqdn/rayanmarketing.com/relationships/ip/" + }, + "meta": {"count": 0} + }, + "signatures": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/fqdn/rayanmarketing.com/signature/", + "self": "https://tctrustoylo.blueliv.com/api/v1/fqdn/rayanmarketionships/signature/" + }, + "meta": {"count": 0} + }, + "sparks": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/fqdn/rayanmarketing.com/spark/", + "self": "https://tctrustoylo.blueliv.com/api/v1/fqdn/rayanmarketing.com/relationships/spark/" + }, + "meta": {"count": 0} + }, + "tags": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/fqdn/rayanmarketing.com/tag/", + 
"self": "https://tctrustoylo.blueliv.com/api/v1/fqdn/rayanmarketing.com/relationships/tag/" + }, + "meta": {"count": 0} + }, + "threat_actors": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/fqdn/rayanmarketing.com/threat-actor/", + "self": "https://tctrustoylo.blueliv.com/api/v1/fqdn/ing.com/relationships/threat-actor/" + }, + "meta": {"count": 0} + } + }, + "type": "FQDN" + } + } + + mocker.patch.object(demisto, 'results') + requests_mock.register_uri('POST', 'https://tctrustoylo.blueliv.com/api/v2/gateway', json=blueliv_response) + + client = Client(base_url='https://tctrustoylo.blueliv.com/api/v2', verify=False) + args = {"FQDN_id": 5783887} + blueliv_indicatorFqdn(client, args) + + results = demisto.results.call_args[0][0] + + entry_context = results.get('EntryContext', {}) + ind = entry_context.get('BluelivThreatContext.indicator(val.id && val.id == obj.id)', {}) + assert demisto.get(ind, "lastSeen") == "2018-08-07T22:41:25.933696Z" + assert demisto.get(ind, "risk") == "2.5" + + +def test_blueliv_indicatorCs(mocker, requests_mock): + blueliv_response = { + "data": { + "attributes": { + "at_feed": True, + "at_free_feed": True, + "bots_count": 0, + "confidence": 1, + "created_at": "2020-06-15T17:02:40.327300Z", + "created_at_afapi": "2020-06-15T16:46:06.119000Z", + "credentials_count": 0, + "credit_cards_count": 0, + "crime_server_url": "http://saveback.xyz/asdfgh35546fhwJYGvdfgsadsg/login.php", + "false_positive_modification_time": "2020-06-15T17:02:38.524874Z", + "first_seen": "2020-06-15T16:44:25Z", + "ioc_link": "https://tctrustoylo.blueliv.com/api/v1/crime-server/6626263/ioc/", + "is_false_positive": False, + "last_log_timestamp": None, + "last_risk_scoring": "2020-06-15T17:14:36.146566Z", + "last_seen": "2020-06-15T17:02:21.737000Z", + "main_type": "c_and_c", + "risk": 4, + "scans_link": "https://tctrustoylo.blueliv.com/api/v1/crime-server/6626263/enrichment/scans/", + "service_scans": {}, + "slugs_tags": [], + "status": "offline", + 
"subtype_name": "ANUBIS", + "target_status": None, + "tlp": "amber", + "updated_at": "2020-06-19T09:35:04.675771Z", + "updated_at_afapi": "2020-06-15T17:02:21.737000Z" + }, + "id": "6626263", + "links": { + "self": "https://tctrustoylo.blueliv.com/api/v1/crime-server/6626263/" + }, + "relationships": { + "fqdn": { + "data": { + "id": "9633658", + "type": "FQDN" + }, + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/fqdn/saveback.xyz/" + } + }, + "malware": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/crime-server/6626263/malware/", + "self": "https://tctrustoylo.blueliv.com/api/v1/crime-server/6626263/relationships/malware/" + }, + "meta": {"count": 0} + }, + "sources": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/crime-server/6626263/source/", + "self": "https://tctrustoylo.blueliv.com/api/v1/crime-server/6626263/relationships/source/" + }, + "meta": {"count": 0} + }, + "sparks": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/crime-server/6626263/spark/", + "self": "https://tctrustoylo.blueliv.com/api/v1/crime-server/6626263/relationships/spark/" + }, + "meta": {"count": 0} + }, + "subtype": { + "data": { + "id": "7458", + "type": "ThreatType" + }, + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/threat-type/ANUBIS/" + } + }, + "tags": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/crime-server/6626263/tag/", + "self": "https://tctrustoylo.blueliv.com/api/v1/crime-server/6626263/relationships/tag/" + }, + "meta": {"count": 0} + }, + "vendor_analysis": { + "meta": { + "count": [] + } + } + }, + "type": "CrimeServer" + } + } + + mocker.patch.object(demisto, 'results') + requests_mock.register_uri('POST', 'https://tctrustoylo.blueliv.com/api/v2/gateway', json=blueliv_response) + + client = Client(base_url='https://tctrustoylo.blueliv.com/api/v2', verify=False) + args = {"CS_id": 6626263} + blueliv_indicatorCs(client, args) + + results = 
demisto.results.call_args[0][0]
+
+ entry_context = results.get('EntryContext', {})
+ ind = entry_context.get('BluelivThreatContext.indicator(val.id && val.id == obj.id)', {})
+ assert demisto.get(ind, "fqdnId") == "9633658"
+ assert demisto.get(ind, "status") == "offline"
+
+
+def test_blueliv_attackPattern(mocker, requests_mock):
+ blueliv_response = {
+ "data": {
+ "attributes": {
+ "attack_phases": {},
+ "attacker_skills_or_knowledge_required": [],
+ "capec_id": None,
+ "created_at": "2018-12-24T23:00:02.352087Z",
+ "description": "Adversaries may attempt to get a listing of local system or domain accounts.",
+ "name": "Account Discovery",
+ "prerequisites": [],
+ "purposes": [],
+ "references": [],
+ "related_vulnerabilities": [],
+ "related_weaknesses": [],
+ "severity": "Medium",
+ "solutions_and_mitigations": [],
+ "tlp": "white",
+ "updated_at": "2018-12-24T23:00:02.352102Z",
+ "uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08"
+ },
+ "id": "686",
+ "links": {
+ "self": "https://tctrustoylo.blueliv.com/api/v1/attack-pattern/686/"
+ },
+ "relationships": {
+ "campaigns": {
+ "links": {
+ "related": "https://tctrustoylo.blueliv.com/api/v1/attack-pattern/686/campaign/",
+ "self": "https://tctrustoylo.blueliv.com/api/v1/attack-pattern/686/relationships/campaign/"
+ },
+ "meta": {"count": 0}
+ },
+ "cves": {
+ "links": {
+ "related": "https://tctrustoylo.blueliv.com/api/v1/attack-pattern/686/cve/",
+ "self": "https://tctrustoylo.blueliv.com/api/v1/attack-pattern/686/relationships/cve/"
+ },
+ "meta": {"count": 0}
+ },
+ "signatures": {
+ "links": {
+ "related": "https://tctrustoylo.blueliv.com/api/v1/attack-pattern/686/signature/",
+ "self": "https://tctrustoylo.blueliv.com/api/v1/attack-pattern/686/relationships/signature/"
+ },
+ "meta": {"count": 0}
+ },
+ "threat_actors": {
+ "links": {
+ "related": "https://tctrustoylo.blueliv.com/api/v1/attack-pattern/686/threat-actor/",
+ "self": 
"https://tctrustoylo.blueliv.com/api/v1/attack-pattern/686/relationships/threat-actor/"
+ },
+ "meta": {"count": 0}
+ }
+ },
+ "type": "AttackPattern"
+ }
+ }
+
+ mocker.patch.object(demisto, 'results')
+ requests_mock.register_uri('POST', 'https://tctrustoylo.blueliv.com/api/v2/gateway', json=blueliv_response)
+
+ client = Client(base_url='https://tctrustoylo.blueliv.com/api/v2', verify=False)
+ args = {"attackPattern_id": 686}
+ blueliv_attackPattern(client, args)
+
+ results = demisto.results.call_args[0][0]
+
+ entry_context = results.get('EntryContext', {})
+ ind = entry_context.get('BluelivThreatContext.attackPattern(val.id && val.id == obj.id)', {})
+ assert demisto.get(ind, "name") == "Account Discovery"
+ assert demisto.get(ind, "serverity") == "Medium"
+
+
+def test_blueliv_tool(mocker, requests_mock):
+ blueliv_response = {
+ "data": {
+ "attributes": {
+ "created_at": "2020-02-26T14:35:55.698486Z",
+ "description": "\u003cp\u003eACEHASH is a credential theft/password hash dumping utility.",
+ "discovery_date": None,
+ "first_seen": "2012-12-01T00:00:00Z",
+ "last_seen": "2019-12-01T00:00:00Z",
+ "name": "ACEHASH",
+ "references": [
+ {
+ "link": "https://content.fireeye.com/apt-41/rpt-apt41",
+ "title": "Double Dragon: APT41, a dual espionage and cyber crime operation"
+ }
+ ],
+ "targeted_platforms": [],
+ "tlp": "white",
+ "updated_at": "2020-02-26T14:35:55.698549Z",
+ "uuid": None,
+ "version": ""
+ },
+ "id": "532",
+ "links": {
+ "self": "https://tctrustoylo.blueliv.com/api/v1/tool/532/"
+ },
+ "relationships": {
+ "campaigns": {
+ "links": {
+ "related": "https://tctrustoylo.blueliv.com/api/v1/tool/532/campaign/",
+ "self": "https://tctrustoylo.blueliv.com/api/v1/tool/532/relationships/campaign/"
+ },
+ "meta": {"count": 0}
+ },
+ "cves": {
+ "links": {
+ "related": "https://tctrustoylo.blueliv.com/api/v1/tool/532/cve/",
+ "self": "https://tctrustoylo.blueliv.com/api/v1/tool/532/relationships/cve/"
+ },
+ "meta": {"count": 0}
+ },
+ "signatures": 
{
+ "links": {
+ "related": "https://tctrustoylo.blueliv.com/api/v1/tool/532/signature/",
+ "self": "https://tctrustoylo.blueliv.com/api/v1/tool/532/relationships/signature/"
+ },
+ "meta": {"count": 0}
+ },
+ "threat_actors": {
+ "links": {
+ "related": "https://tctrustoylo.blueliv.com/api/v1/tool/532/threat-actor/",
+ "self": "https://tctrustoylo.blueliv.com/api/v1/tool/532/relationships/threat-actor/"
+ },
+ "meta": {"count": 0}
+ }
+ },
+ "type": "Tool"
+ }
+ }
+ mocker.patch.object(demisto, 'results')
+ requests_mock.register_uri('POST', 'https://tctrustoylo.blueliv.com/api/v2/gateway', json=blueliv_response)
+
+ client = Client(base_url='https://tctrustoylo.blueliv.com/api/v2', verify=False)
+ args = {"tool_id": 532}
+ blueliv_tool(client, args)
+
+ results = demisto.results.call_args[0][0]
+
+ entry_context = results.get('EntryContext', {})
+ ind = entry_context.get('BluelivThreatContext.tool(val.id && val.id == obj.id)', {})
+ assert demisto.get(ind, "name") == "ACEHASH"
+ assert demisto.get(ind, "lastSeen") == "2019-12-01T00:00:00Z"
+
+
+def test_blueliv_signature(mocker, requests_mock):
+ blueliv_response = {
+ "data": {
+ "attributes": {
+ "created_at": "2020-06-15T02:11:21.962302Z",
+ "name": "ET TROJAN DonotGroup Staging Domain in DNS Query (sid 2030333)",
+ "references": [],
+ "sid": 2030333,
+ "signature": "alert udp $HOME_NET any -\u003e any 53 (m depth:1; ack_target C_at 2020_06_12;)",
+ "status": "enabled",
+ "tlp": "white",
+ "type": "snort",
+ "updated_at": "2020-06-15T02:11:21.962364Z",
+ "version": 2
+ },
+ "id": "84458",
+ "links": {
+ "self": "https://tctrustoylo.blueliv.com/api/v1/signature/84458/"
+ },
+ "relationships": {
+ "attack_patterns": {
+ "links": {
+ "related": "https://tctrustoylo.blueliv.com/api/v1/signature/84458/attack-pattern/",
+ "self": "https://tctrustoylo.blueliv.com/api/v1/signature/84458/relationships/attack-pattern/"
+ },
+ "meta": {"count": 0}
+ },
+ "campaigns": {
+ "links": {
+ "related": 
"https://tctrustoylo.blueliv.com/api/v1/signature/84458/campaign/",
+ "self": "https://tctrustoylo.blueliv.com/api/v1/signature/84458/relationships/campaign/"
+ },
+ "meta": {"count": 0}
+ },
+ "cves": {
+ "links": {
+ "related": "https://tctrustoylo.blueliv.com/api/v1/signature/84458/cve/",
+ "self": "https://tctrustoylo.blueliv.com/api/v1/signature/84458/relationships/cve/"
+ },
+ "meta": {"count": 0}
+ },
+ "fqdns": {
+ "links": {
+ "related": "https://tctrustoylo.blueliv.com/api/v1/signature/84458/fqdn/",
+ "self": "https://tctrustoylo.blueliv.com/api/v1/signature/84458/relationships/fqdn/"
+ },
+ "meta": {"count": 0}
+ },
+ "ips": {
+ "links": {
+ "related": "https://tctrustoylo.blueliv.com/api/v1/signature/84458/ip/",
+ "self": "https://tctrustoylo.blueliv.com/api/v1/signature/84458/relationships/ip/"
+ },
+ "meta": {"count": 0}
+ },
+ "malware": {
+ "links": {
+ "related": "https://tctrustoylo.blueliv.com/api/v1/signature/84458/malware/",
+ "self": "https://tctrustoylo.blueliv.com/api/v1/signature/84458/relationships/malware/"
+ },
+ "meta": {"count": 0}
+ },
+ "threat_actors": {
+ "links": {
+ "related": "https://tctrustoylo.blueliv.com/api/v1/signature/84458/threat-actor/",
+ "self": "https://tctrustoylo.blueliv.com/api/v1/signature/84458/relationships/threat-actor/"
+ },
+ "meta": {"count": 0}
+ },
+ "threat_types": {
+ "links": {
+ "related": "https://tctrustoylo.blueliv.com/api/v1/signature/84458/threat-type/",
+ "self": "https://tctrustoylo.blueliv.com/api/v1/signature/84458/relationships/threat-type/"
+ },
+ "meta": {"count": 0}
+ },
+ "tools": {
+ "links": {
+ "related": "https://tctrustoylo.blueliv.com/api/v1/signature/84458/tool/",
+ "self": "https://tctrustoylo.blueliv.com/api/v1/signature/84458/relationships/tool/"
+ },
+ "meta": {"count": 0}
+ }
+ },
+ "type": "Signature"
+ }
+ }
+
+ mocker.patch.object(demisto, 'results')
+ requests_mock.register_uri('POST', 'https://tctrustoylo.blueliv.com/api/v2/gateway', json=blueliv_response)
+
+ client = 
Client(base_url='https://tctrustoylo.blueliv.com/api/v2', verify=False)
+ args = {"signature_id": 84458}
+ blueliv_signature(client, args)
+
+ results = demisto.results.call_args[0][0]
+
+ entry_context = results.get('EntryContext', {})
+ ind = entry_context.get('BluelivThreatContext.signature(val.id && val.id == obj.id)', {})
+ assert demisto.get(ind, "type") == "snort"
+ assert demisto.get(ind, "updatedAt") == "2020-06-15T02:11:21.962364Z"
+
+
+def test_blueliv_cve(mocker, requests_mock):
+ blueliv_response = {
+ "data": {
+ "attributes": {
+ "bl_score": 96,
+ "created_at": "2020-02-26T01:12:25.635599Z",
+ "cvss": {
+ "v2": {
+ "accessComplexity": "LOW",
+ "accessVector": "NETWORK",
+ "authentication": "NONE",
+ "availabilityImpact": "COMPLETE",
+ "baseScore": 10,
+ "confidentialityImpact": "COMPLETE",
+ "integrityImpact": "COMPLETE",
+ "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
+ "version": "2.0"
+ },
+ "v3": None
+ },
+ "description": "OpenSMTPD before 6.6.4 allows remote code execution because of an out-s read in.",
+ "exploits": [
+ {
+ "author": "Qualys Corporation",
+ "date": "2020-02-26",
+ "id": None,
+ "name": "OpenSMTPD \u003c 6.6.3p1 - Local Privilege Escalation + Remote Code Execution",
+ "platform": "openbsd",
+ "port": "",
+ "type": "remote",
+ "url": "https://github.com/offensive-security/exploitdb/blo/openbsd/remote/48140.c"
+ }
+ ],
+ "ioc_link": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/ioc/",
+ "microsoft_bulletins": [],
+ "name": "CVE-2020-8794",
+ "num_crime_servers": 0,
+ "num_malware": 0,
+ "platforms": [
+ {
+ "id": "cpe:2.3:a:opensmtpd:opensmtpd:*:*:*:*:*:*:*:*",
+ "title": "cpe:2.3:a:opensmtpd:opensmtpd:*:*:*:*:*:*:*:*"
+ }
+ ],
+ "published_at": "2020-02-25T17:15:00Z",
+ "references": [
+ {
+ "id": "https://www.openbsd.org/security.html",
+ "type": "MISC",
+ "url": "https://www.openbsd.org/security.html"
+ },
+ {
+ "id": "https://www.openwall.com/lists/oss-security/2020/02/24/5",
+ "type": "MISC",
+ "url": 
"https://www.openwall.com/lists/oss-security/2020/02/24/5"
+ },
+ {
+ "id": "[oss-security] 20200226 Re: LPE and RCE in OpenSMTPD's default install (CVE-2020-8794)",
+ "type": "MLIST",
+ "url": "http://www.openwall.com/lists/oss-security/2020/02/26/1"
+ },
+ {
+ "id": "DSA-4634",
+ "type": "DEBIAN",
+ "url": "https://www.debian.org/security/2020/dsa-4634"
+ },
+ {
+ "id": "20200227 LPE and RCE in OpenSMTPD's default install (CVE-2020-8794)",
+ "type": "FULLDISC",
+ "url": "http://seclists.org/fulldisclosure/2020/Feb/32"
+ },
+ {
+ "id": "[oss-security] 20200301 Re: LPE and RCE in OpenSMTPD's default install (CVE-2020-8794)",
+ "type": "MLIST",
+ "url": "http://www.openwall.com/lists/oss-security/2020/03/01/1"
+ },
+ {
+ "id": "[oss-security] 20200301 Re: LPE and RCE in OpenSMTPD's default install (CVE-2020-8794)",
+ "type": "MLIST",
+ "url": "http://www.openwall.com/lists/oss-security/2020/03/01/2"
+ },
+ {
+ "id": "http://packetstormsecurity.com/files/156633/OpenSMRead-Local-Privilege-Escalation.html",
+ "type": "MISC",
+ "url": "http://packetstormsecurity.com/files/156633/OpenSMTPDivilege-Escalation.html"
+ }
+ ],
+ "score": 10,
+ "tags_slugs": [],
+ "updated_at": "2020-03-09T15:17:41.667962Z",
+ "uuid": None
+ },
+ "id": "139511",
+ "links": {
+ "self": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/"
+ },
+ "relationships": {
+ "attack_patterns": {
+ "links": {
+ "related": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/attack-pattern/",
+ "self": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/relationships/attackattern/"
+ },
+ "meta": {"count": 0}
+ },
+ "campaigns": {
+ "links": {
+ "related": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/campaign/",
+ "self": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/relationships/campaigns/"
+ },
+ "meta": {"count": 0}
+ },
+ "crime_servers": {
+ "links": {
+ "related": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/crime-server/",
+ "self": 
"https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/relationships/crime-server/"
+ },
+ "meta": {"count": 0}
+ },
+ "malware": {
+ "links": {
+ "related": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/malware/",
+ "self": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/relationships/malware/"
+ },
+ "meta": {"count": 0}
+ },
+ "mentions": {
+ "links": {
+ "related": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/mention/",
+ "self": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/relationships/mentions/"
+ },
+ "meta": {"count": 0}
+ },
+ "signatures": {
+ "links": {
+ "related": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/signature/",
+ "self": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/relationships/signature/"
+ },
+ "meta": {"count": 0}
+ },
+ "sparks": {
+ "links": {
+ "related": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/spark/",
+ "self": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/relationships/spark/"
+ },
+ "meta": {"count": 0}
+ },
+ "tags": {
+ "links": {
+ "related": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/tag/",
+ "self": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/relationships/tags/"
+ },
+ "meta": {"count": 0}
+ },
+ "threat_actors": {
+ "links": {
+ "related": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/threat-actor/",
+ "self": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/relationships/threat-actors/"
+ },
+ "meta": {"count": 0}
+ },
+ "tools": {
+ "links": {
+ "related": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/tool/",
+ "self": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/relationships/tools/"
+ },
+ "meta": {"count": 0}
+ }
+ },
+ "type": "CVE"
+ }
+ }
+
+ mocker.patch.object(demisto, 'results')
+ requests_mock.register_uri('POST', 'https://tctrustoylo.blueliv.com/api/v2/gateway', json=blueliv_response)
+
+ client = 
Client(base_url='https://tctrustoylo.blueliv.com/api/v2', verify=False)
+ args = {"CVE": "CVE-2020-8794"}
+ blueliv_cve(client, args)
+
+ results = demisto.results.call_args[0][0]
+
+ entry_context = results.get('EntryContext', {})
+ ind = entry_context.get('BluelivThreatContext.cve(val.id && val.id == obj.id)', {})
+ assert demisto.get(ind, "updatedAt") == "2020-03-09T15:17:41.667962Z"
+ assert str(demisto.get(ind, "score")) == "10"
diff --git a/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/CHANGELOG.md b/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/CHANGELOG.md
new file mode 100644
index 000000000000..7ca011be317b
--- /dev/null
+++ b/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/CHANGELOG.md
@@ -0,0 +1,12 @@
+## [20.06.08] - 2020-06-08
+Added initial support for Blueliv ThreatContext with the following commands:
+ * __blueliv-tc-threat-actor__: Allows searching by threat actors.
+ * __blueliv-tc-campaign__: Allows searching by campaigns.
+ * __blueliv-tc-malware__: Allows searching by malware hashes.
+ * __blueliv-tc-indicator-ip__: Allows searching by IP.
+ * __blueliv-tc-indicator-fqdn__: Allows searching by FQDNs.
+ * __blueliv-tc-indicator-cs__: Allows searching by crime servers.
+ * __blueliv-tc-attack-pattern__: Allows searching by MITRE attack patterns.
+ * __blueliv-tc-tool__: Allows searching by used tools.
+ * __blueliv-tc-signature__: Allows searching detection signatures.
+ * __blueliv-tc-cve__: Allows searching by CVEs.
diff --git a/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/Pipfile b/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/Pipfile
new file mode 100644
index 000000000000..3523d3b6b93b
--- /dev/null
+++ b/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/Pipfile
@@ -0,0 +1,18 @@
+[[source]]
+name = "pypi"
+url = "https://pypi.org/simple"
+verify_ssl = true
+
+[dev-packages]
+pylint = "*"
+pytest = "==5.0.1"
+pytest-mock = "*"
+requests-mock = "*"
+pytest-asyncio = "*"
+
+[packages]
+pytest = "*"
+requests = "*"
+
+[requires]
+python_version = "3.7"
diff --git a/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/Pipfile.lock b/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/Pipfile.lock
new file mode 100644
index 000000000000..6bdb9313414e
--- /dev/null
+++ b/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/Pipfile.lock
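Review bot: `pytest` is declared twice in this Pipfile, unpinned under `[packages]` and pinned `==5.0.1` under `[dev-packages]`, and a test runner does not belong in the runtime section at all. The Pipfile.lock added right after this hunk resolves pytest to `==5.1.2` in both its default and develop groups, which cannot satisfy the `==5.0.1` dev pin, so the lock looks like it was generated from a different Pipfile than the one committed here; if the lock's recorded Pipfile hash is also stale, `pipenv install --deploy` would presumably refuse to install it. I would drop `pytest = "*"` from `[packages]`, keep a single spec in `[dev-packages]` (for example `pytest = "==5.1.2"` to match the lock), and re-run `pipenv lock` so the manifest and the hash-pinned lockfile agree before the pack ships.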
@@ -0,0 +1,369 @@ +{ + "_meta": { + "hash": { + "sha256": "278db815bec49c11262633d34305f9b33f09432a223bedd5329a04f758f78b55" + }, + "pipfile-spec": 6, + "requires": { + "python_version": "3.7" + }, + "sources": [ + { + "name": "pypi", + "url": "https://pypi.org/simple", + "verify_ssl": true + } + ] + }, + "default": { + "atomicwrites": { + "hashes": [ + "sha256:03472c30eb2c5d1ba9227e4c2ca66ab8287fbfbbda3888aa93dc2e28fc6811b4", + "sha256:75a9445bac02d8d058d5e1fe689654ba5a6556a1dfd8ce6ec55a0ed79866cfa6" + ], + "version": "==1.3.0" + }, + "attrs": { + "hashes": [ + "sha256:69c0dbf2ed392de1cb5ec704444b08a5ef81680a61cb899dc08127123af36a79", + "sha256:f0b870f674851ecbfbbbd364d6b5cbdff9dcedbc7f3f5e18a6891057f21fe399" + ], + "version": "==19.1.0" + }, + "certifi": { + "hashes": [ + "sha256:e4f3620cfea4f83eedc95b24abd9cd56f3c4b146dd0177e83a21b4eb49e21e50", + "sha256:fd7c7c74727ddcf00e9acd26bba8da604ffec95bf1c2144e67aff7a8b50e6cef" + ], + "version": "==2019.9.11" + }, + "chardet": { + "hashes": [ + "sha256:84ab92ed1c4d4f16916e05906b6b75a6c0fb5db821cc65e70cbd64a3e2a5eaae", + "sha256:fc323ffcaeaed0e0a02bf4d117757b98aed530d9ed4531e3e15460124c106691" + ], + "version": "==3.0.4" + }, + "idna": { + "hashes": [ + "sha256:c357b3f628cf53ae2c4c05627ecc484553142ca23264e593d327bcde5e9c3407", + "sha256:ea8b7f6188e6fa117537c3df7da9fc686d485087abf6ac197f9c46432f7e4a3c" + ], + "version": "==2.8" + }, + "importlib-metadata": { + "hashes": [ + "sha256:652234b6ab8f2506ae58e528b6fbcc668831d3cc758e1bc01ef438d328b68cdb", + "sha256:6f264986fb88042bc1f0535fa9a557e6a376cfe5679dc77caac7fe8b5d43d05f" + ], + "markers": "python_version < '3.8'", + "version": "==0.22" + }, + "more-itertools": { + "hashes": [ + "sha256:409cd48d4db7052af495b09dec721011634af3753ae1ef92d2b32f73a745f832", + "sha256:92b8c4b06dac4f0611c0729b2f2ede52b2e1bac1ab48f089c7ddc12e26bb60c4" + ], + "version": "==7.2.0" + }, + "packaging": { + "hashes": [ + "sha256:a7ac867b97fdc07ee80a8058fe4435ccd274ecc3b0ed61d852d7d53055528cf9", + 
"sha256:c491ca87294da7cc01902edbe30a5bc6c4c28172b5138ab4e4aa1b9d7bfaeafe" + ], + "version": "==19.1" + }, + "pluggy": { + "hashes": [ + "sha256:0db4b7601aae1d35b4a033282da476845aa19185c1e6964b25cf324b5e4ec3e6", + "sha256:fa5fa1622fa6dd5c030e9cad086fa19ef6a0cf6d7a2d12318e10cb49d6d68f34" + ], + "version": "==0.13.0" + }, + "py": { + "hashes": [ + "sha256:64f65755aee5b381cea27766a3a147c3f15b9b6b9ac88676de66ba2ae36793fa", + "sha256:dc639b046a6e2cff5bbe40194ad65936d6ba360b52b3c3fe1d08a82dd50b5e53" + ], + "version": "==1.8.0" + }, + "pyparsing": { + "hashes": [ + "sha256:6f98a7b9397e206d78cc01df10131398f1c8b8510a2f4d97d9abd82e1aacdd80", + "sha256:d9338df12903bbf5d65a0e4e87c2161968b10d2e489652bb47001d82a9b028b4" + ], + "version": "==2.4.2" + }, + "pytest": { + "hashes": [ + "sha256:95d13143cc14174ca1a01ec68e84d76ba5d9d493ac02716fd9706c949a505210", + "sha256:b78fe2881323bd44fd9bd76e5317173d4316577e7b1cddebae9136a4495ec865" + ], + "index": "pypi", + "version": "==5.1.2" + }, + "requests": { + "hashes": [ + "sha256:11e007a8a2aa0323f5a921e9e6a2d7e4e67d9877e85773fba9ba6419025cbeb4", + "sha256:9cf5292fcd0f598c671cfc1e0d7d1a7f13bb8085e9a590f48c010551dc6c4b31" + ], + "index": "pypi", + "version": "==2.22.0" + }, + "six": { + "hashes": [ + "sha256:3350809f0555b11f552448330d0b52d5f24c91a322ea4a15ef22629740f3761c", + "sha256:d16a0141ec1a18405cd4ce8b4613101da75da0e9a7aec5bdd4fa804d0e0eba73" + ], + "version": "==1.12.0" + }, + "urllib3": { + "hashes": [ + "sha256:b246607a25ac80bedac05c6f282e3cdaf3afb65420fd024ac94435cabe6e18d1", + "sha256:dbe59173209418ae49d485b87d1681aefa36252ee85884c31346debd19463232" + ], + "version": "==1.25.3" + }, + "wcwidth": { + "hashes": [ + "sha256:3df37372226d6e63e1b1e1eda15c594bca98a22d33a23832a90998faa96bc65e", + "sha256:f4ebe71925af7b40a864553f761ed559b43544f8f71746c2d756c7fe788ade7c" + ], + "version": "==0.1.7" + }, + "zipp": { + "hashes": [ + "sha256:3718b1cbcd963c7d4c5511a8240812904164b7f381b647143a89d3b98f9bcd8e", + 
"sha256:f06903e9f1f43b12d371004b4ac7b06ab39a44adc747266928ae6debfa7b3335" + ], + "version": "==0.6.0" + } + }, + "develop": { + "astroid": { + "hashes": [ + "sha256:6560e1e1749f68c64a4b5dee4e091fce798d2f0d84ebe638cf0e0585a343acf4", + "sha256:b65db1bbaac9f9f4d190199bb8680af6f6f84fd3769a5ea883df8a91fe68b4c4" + ], + "version": "==2.2.5" + }, + "atomicwrites": { + "hashes": [ + "sha256:03472c30eb2c5d1ba9227e4c2ca66ab8287fbfbbda3888aa93dc2e28fc6811b4", + "sha256:75a9445bac02d8d058d5e1fe689654ba5a6556a1dfd8ce6ec55a0ed79866cfa6" + ], + "version": "==1.3.0" + }, + "attrs": { + "hashes": [ + "sha256:69c0dbf2ed392de1cb5ec704444b08a5ef81680a61cb899dc08127123af36a79", + "sha256:f0b870f674851ecbfbbbd364d6b5cbdff9dcedbc7f3f5e18a6891057f21fe399" + ], + "version": "==19.1.0" + }, + "certifi": { + "hashes": [ + "sha256:e4f3620cfea4f83eedc95b24abd9cd56f3c4b146dd0177e83a21b4eb49e21e50", + "sha256:fd7c7c74727ddcf00e9acd26bba8da604ffec95bf1c2144e67aff7a8b50e6cef" + ], + "version": "==2019.9.11" + }, + "chardet": { + "hashes": [ + "sha256:84ab92ed1c4d4f16916e05906b6b75a6c0fb5db821cc65e70cbd64a3e2a5eaae", + "sha256:fc323ffcaeaed0e0a02bf4d117757b98aed530d9ed4531e3e15460124c106691" + ], + "version": "==3.0.4" + }, + "idna": { + "hashes": [ + "sha256:c357b3f628cf53ae2c4c05627ecc484553142ca23264e593d327bcde5e9c3407", + "sha256:ea8b7f6188e6fa117537c3df7da9fc686d485087abf6ac197f9c46432f7e4a3c" + ], + "version": "==2.8" + }, + "importlib-metadata": { + "hashes": [ + "sha256:652234b6ab8f2506ae58e528b6fbcc668831d3cc758e1bc01ef438d328b68cdb", + "sha256:6f264986fb88042bc1f0535fa9a557e6a376cfe5679dc77caac7fe8b5d43d05f" + ], + "markers": "python_version < '3.8'", + "version": "==0.22" + }, + "isort": { + "hashes": [ + "sha256:54da7e92468955c4fceacd0c86bd0ec997b0e1ee80d97f67c35a78b719dccab1", + "sha256:6e811fcb295968434526407adb8796944f1988c5b65e8139058f2014cbe100fd" + ], + "version": "==4.3.21" + }, + "lazy-object-proxy": { + "hashes": [ + 
"sha256:02b260c8deb80db09325b99edf62ae344ce9bc64d68b7a634410b8e9a568edbf", + "sha256:18f9c401083a4ba6e162355873f906315332ea7035803d0fd8166051e3d402e3", + "sha256:1f2c6209a8917c525c1e2b55a716135ca4658a3042b5122d4e3413a4030c26ce", + "sha256:2f06d97f0ca0f414f6b707c974aaf8829c2292c1c497642f63824119d770226f", + "sha256:616c94f8176808f4018b39f9638080ed86f96b55370b5a9463b2ee5c926f6c5f", + "sha256:63b91e30ef47ef68a30f0c3c278fbfe9822319c15f34b7538a829515b84ca2a0", + "sha256:77b454f03860b844f758c5d5c6e5f18d27de899a3db367f4af06bec2e6013a8e", + "sha256:83fe27ba321e4cfac466178606147d3c0aa18e8087507caec78ed5a966a64905", + "sha256:84742532d39f72df959d237912344d8a1764c2d03fe58beba96a87bfa11a76d8", + "sha256:874ebf3caaf55a020aeb08acead813baf5a305927a71ce88c9377970fe7ad3c2", + "sha256:9f5caf2c7436d44f3cec97c2fa7791f8a675170badbfa86e1992ca1b84c37009", + "sha256:a0c8758d01fcdfe7ae8e4b4017b13552efa7f1197dd7358dc9da0576f9d0328a", + "sha256:a4def978d9d28cda2d960c279318d46b327632686d82b4917516c36d4c274512", + "sha256:ad4f4be843dace866af5fc142509e9b9817ca0c59342fdb176ab6ad552c927f5", + "sha256:ae33dd198f772f714420c5ab698ff05ff900150486c648d29951e9c70694338e", + "sha256:b4a2b782b8a8c5522ad35c93e04d60e2ba7f7dcb9271ec8e8c3e08239be6c7b4", + "sha256:c462eb33f6abca3b34cdedbe84d761f31a60b814e173b98ede3c81bb48967c4f", + "sha256:fd135b8d35dfdcdb984828c84d695937e58cc5f49e1c854eb311c4d6aa03f4f1" + ], + "version": "==1.4.2" + }, + "mccabe": { + "hashes": [ + "sha256:ab8a6258860da4b6677da4bd2fe5dc2c659cff31b3ee4f7f5d64e79735b80d42", + "sha256:dd8d182285a0fe56bace7f45b5e7d1a6ebcbf524e8f3bd87eb0f125271b8831f" + ], + "version": "==0.6.1" + }, + "more-itertools": { + "hashes": [ + "sha256:409cd48d4db7052af495b09dec721011634af3753ae1ef92d2b32f73a745f832", + "sha256:92b8c4b06dac4f0611c0729b2f2ede52b2e1bac1ab48f089c7ddc12e26bb60c4" + ], + "version": "==7.2.0" + }, + "packaging": { + "hashes": [ + "sha256:a7ac867b97fdc07ee80a8058fe4435ccd274ecc3b0ed61d852d7d53055528cf9", + 
"sha256:c491ca87294da7cc01902edbe30a5bc6c4c28172b5138ab4e4aa1b9d7bfaeafe" + ], + "version": "==19.1" + }, + "pluggy": { + "hashes": [ + "sha256:0db4b7601aae1d35b4a033282da476845aa19185c1e6964b25cf324b5e4ec3e6", + "sha256:fa5fa1622fa6dd5c030e9cad086fa19ef6a0cf6d7a2d12318e10cb49d6d68f34" + ], + "version": "==0.13.0" + }, + "py": { + "hashes": [ + "sha256:64f65755aee5b381cea27766a3a147c3f15b9b6b9ac88676de66ba2ae36793fa", + "sha256:dc639b046a6e2cff5bbe40194ad65936d6ba360b52b3c3fe1d08a82dd50b5e53" + ], + "version": "==1.8.0" + }, + "pylint": { + "hashes": [ + "sha256:5d77031694a5fb97ea95e828c8d10fc770a1df6eb3906067aaed42201a8a6a09", + "sha256:723e3db49555abaf9bf79dc474c6b9e2935ad82230b10c1138a71ea41ac0fff1" + ], + "index": "pypi", + "version": "==2.3.1" + }, + "pyparsing": { + "hashes": [ + "sha256:6f98a7b9397e206d78cc01df10131398f1c8b8510a2f4d97d9abd82e1aacdd80", + "sha256:d9338df12903bbf5d65a0e4e87c2161968b10d2e489652bb47001d82a9b028b4" + ], + "version": "==2.4.2" + }, + "pytest": { + "hashes": [ + "sha256:95d13143cc14174ca1a01ec68e84d76ba5d9d493ac02716fd9706c949a505210", + "sha256:b78fe2881323bd44fd9bd76e5317173d4316577e7b1cddebae9136a4495ec865" + ], + "index": "pypi", + "version": "==5.1.2" + }, + "pytest-asyncio": { + "hashes": [ + "sha256:9fac5100fd716cbecf6ef89233e8590a4ad61d729d1732e0a96b84182df1daaf", + "sha256:d734718e25cfc32d2bf78d346e99d33724deeba774cc4afdf491530c6184b63b" + ], + "index": "pypi", + "version": "==0.10.0" + }, + "pytest-mock": { + "hashes": [ + "sha256:43ce4e9dd5074993e7c021bb1c22cbb5363e612a2b5a76bc6d956775b10758b7", + "sha256:5bf5771b1db93beac965a7347dc81c675ec4090cb841e49d9d34637a25c30568" + ], + "index": "pypi", + "version": "==1.10.4" + }, + "requests": { + "hashes": [ + "sha256:11e007a8a2aa0323f5a921e9e6a2d7e4e67d9877e85773fba9ba6419025cbeb4", + "sha256:9cf5292fcd0f598c671cfc1e0d7d1a7f13bb8085e9a590f48c010551dc6c4b31" + ], + "index": "pypi", + "version": "==2.22.0" + }, + "requests-mock": { + "hashes": [ + 
"sha256:510df890afe08d36eca5bb16b4aa6308a6f85e3159ad3013bac8b9de7bd5a010", + "sha256:88d3402dd8b3c69a9e4f9d3a73ad11b15920c6efd36bc27bf1f701cf4a8e4646" + ], + "index": "pypi", + "version": "==1.7.0" + }, + "six": { + "hashes": [ + "sha256:3350809f0555b11f552448330d0b52d5f24c91a322ea4a15ef22629740f3761c", + "sha256:d16a0141ec1a18405cd4ce8b4613101da75da0e9a7aec5bdd4fa804d0e0eba73" + ], + "version": "==1.12.0" + }, + "typed-ast": { + "hashes": [ + "sha256:18511a0b3e7922276346bcb47e2ef9f38fb90fd31cb9223eed42c85d1312344e", + "sha256:262c247a82d005e43b5b7f69aff746370538e176131c32dda9cb0f324d27141e", + "sha256:2b907eb046d049bcd9892e3076c7a6456c93a25bebfe554e931620c90e6a25b0", + "sha256:354c16e5babd09f5cb0ee000d54cfa38401d8b8891eefa878ac772f827181a3c", + "sha256:4e0b70c6fc4d010f8107726af5fd37921b666f5b31d9331f0bd24ad9a088e631", + "sha256:630968c5cdee51a11c05a30453f8cd65e0cc1d2ad0d9192819df9978984529f4", + "sha256:66480f95b8167c9c5c5c87f32cf437d585937970f3fc24386f313a4c97b44e34", + "sha256:71211d26ffd12d63a83e079ff258ac9d56a1376a25bc80b1cdcdf601b855b90b", + "sha256:95bd11af7eafc16e829af2d3df510cecfd4387f6453355188342c3e79a2ec87a", + "sha256:bc6c7d3fa1325a0c6613512a093bc2a2a15aeec350451cbdf9e1d4bffe3e3233", + "sha256:cc34a6f5b426748a507dd5d1de4c1978f2eb5626d51326e43280941206c209e1", + "sha256:d755f03c1e4a51e9b24d899561fec4ccaf51f210d52abdf8c07ee2849b212a36", + "sha256:d7c45933b1bdfaf9f36c579671fec15d25b06c8398f113dab64c18ed1adda01d", + "sha256:d896919306dd0aa22d0132f62a1b78d11aaf4c9fc5b3410d3c666b818191630a", + "sha256:ffde2fbfad571af120fcbfbbc61c72469e72f550d676c3342492a9dfdefb8f12" + ], + "markers": "implementation_name == 'cpython'", + "version": "==1.4.0" + }, + "urllib3": { + "hashes": [ + "sha256:b246607a25ac80bedac05c6f282e3cdaf3afb65420fd024ac94435cabe6e18d1", + "sha256:dbe59173209418ae49d485b87d1681aefa36252ee85884c31346debd19463232" + ], + "version": "==1.25.3" + }, + "wcwidth": { + "hashes": [ + 
"sha256:3df37372226d6e63e1b1e1eda15c594bca98a22d33a23832a90998faa96bc65e", + "sha256:f4ebe71925af7b40a864553f761ed559b43544f8f71746c2d756c7fe788ade7c" + ], + "version": "==0.1.7" + }, + "wrapt": { + "hashes": [ + "sha256:565a021fd19419476b9362b05eeaa094178de64f8361e44468f9e9d7843901e1" + ], + "version": "==1.11.2" + }, + "zipp": { + "hashes": [ + "sha256:3718b1cbcd963c7d4c5511a8240812904164b7f381b647143a89d3b98f9bcd8e", + "sha256:f06903e9f1f43b12d371004b4ac7b06ab39a44adc747266928ae6debfa7b3335" + ], + "version": "==0.6.0" + } + } +} diff --git a/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/README.md b/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/README.md new file mode 100644 index 000000000000..732f06f343b5 --- /dev/null +++ b/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/README.md 
@@ -0,0 +1,811 @@
+The Threat Context module provides SOC, Incident Response and Threat Intelligence teams with continuously updated and intuitive information around threat actors, campaigns, malware indicators, attack patterns, tools, signatures and CVEs.
+This integration was integrated and tested with version xx of Blueliv ThreatContext
+## Configure Blueliv ThreatContext on Cortex XSOAR
+
+1. Navigate to **Settings** > **Integrations** > **Servers & Services**.
+2. Search for Blueliv ThreatContext.
+3. Click **Add instance** to create and configure a new integration instance.
+
+| **Parameter** | **Description** | **Required** |
+| --- | --- | --- |
+| url | Server URL \(e.g. https://demisto.blueliv.com/api/v2\) | False |
+| credentials | Username | False |
+| unsecure | Trust any certificate \(not secure\) | False |
+
+4. Click **Test** to validate the URLs, token, and connection.
+## Commands
+You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook.
+After you successfully execute a command, a DBot message appears in the War Room with the command details.
+### blueliv-authenticate
+***
+Authenticate and get the API token
+
+
+#### Base Command
+
+`blueliv-authenticate`
+#### Input
+
+There are no input arguments for this command.
+
+#### Context Output
+
+| **Path** | **Type** | **Description** |
+| --- | --- | --- |
+| token | string | Authentication token |
+
+
+#### Command Example
+```!blueliv-authenticate```
+
+#### Context Example
+```
+{}
+```
+
+#### Human Readable Output
+
+>981bfb934723091e606c0e35998217bdcafc8697d1a6d0911ff5b2fedb5a16c
+
+### blueliv-tc-malware
+***
+Gets information about malware by ID
+
+
+#### Base Command
+
+`blueliv-tc-malware`
+#### Input
+
+| **Argument Name** | **Description** | **Required** |
+| --- | --- | --- |
+| hash_id | Internal Blueliv's malware hash ID | Optional |
+| hash | Malware file hash to search for | Optional |
+
+
+#### Context Output
+
+| **Path** | **Type** | **Description** |
+| --- | --- | --- |
+| malware.hash.sha256 | Unknown | File SHA256 |
+| malware.hash.sha1 | Unknown | File SHA1 |
+| malware.hash.md5 | Unknown | File MD5 |
+| malware.type | Unknown | Malware Type |
+| malware.hasCandC | unknown | If there is a C&C associated |
+| malware.memory | Unknown | Malware memory |
+| malware.procMemory | Unknown | Malware proc memory |
+| malware.analysisStatus | Unknown | Malware analysis status |
+| malware.dropped | Unknown | Malware dropped |
+| malware.buffers | Unknown | Malware buffers |
+| malware.hasNetwork | Unknown | If the malware has Network informations |
+| malware.risk | Unknown | Malware associated risk |
+| malware.campaigns | Unknown | Malware related campaigns |
+| malware.campaignIds | Unknown | Malware related campaigns internal IDs |
+| malware.signatures | Unknown | Malware signatures |
+| malware.sigantureIds | Unknown | Malware sigantures internal IDs |
+| malware.threatActors | Unknown | Malware threat actors |
+| malware.threatActorIds | Unknown | Malware threat actors internal IDs |
+| malware.sources | Unknown | Malware sources |
+| malware.sourceIds | Unknown | Malware sources internal IDs |
+| malware.tags | Unknown | Malware tags |
+| malware.tagIds | Unknown | Malware tags internal IDs |
+| malware.crimeServers | Unknown | Malware related crime servers |
+| malware.crimeServerIds | Unknown | Malware crime servers internal IDs |
+| malware.fqdns | Unknown | Malware FQDNs |
+| malware.fqdnIds | Unknown | Malware FQDNs internal IDs |
+| malware.types | Unknown | Malware types |
+| malware.typeIds | Unknown | Malware types internal IDs |
+| malware.sparks | Unknown | Malware sparks |
+| malware.sparkIds | Unknown | Malware sparks internal IDs |
+| malware.ips | Unknown | Malware IPs |
+| malware.ipIds | Unknown | Malware IPs internal IDs |
+
+
+#### Command Example
+```!blueliv-tc-malware hash=ad53660b6d7e8d2ed14bd59b39e1f265148e3c6818a494cce906e749976bade1```
+
+#### Context Example
+```
+{
+    "malware": {
+        "analysisStatus": "FINISHED_SUCCESSFULLY",
+        "buffers": false,
+        "campaignIds": "",
+        "campaigns": 0,
+        "crimeServers": 0,
+        "crimeserverIds": "",
+        "dropped": false,
+        "fileType": "PE",
+        "fqdnIds": "",
+        "fqdns": 0,
+        "hasCandC": false,
+        "hasNetwork": true,
+        "hash": {
+            "md5": "36a40cc55e2ffe7d44d007c6e37afd7f",
+            "sha1": "5c0be68316ce77584a7b966ff40e7d61a8a98055",
+            "sha256": "ad53660b6d7e8d2ed14bd59b39e1f265148e3c6818a494cce906e749976bade1"
+        },
+        "ipIds": "92269700,100333500,",
+        "ips": 2,
+        "memory": false,
+        "procMemory": false,
+        "risk": 7,
+        "signatureIds": "",
+        "signatures": 0,
+        "sourceIds": "1958672,",
+        "sources": 1,
+        "sparkIds": "",
+        "sparks": 0,
+        "tagIds": "",
+        "tags": 0,
+        "threatActorIds": "",
+        "threatActors": 0,
+        "typeIds": "62,",
+        "types": 1
+    },
+    "threatContext": {
+        "hasResults": "true"
+    }
+}
+```
+
+#### Human Readable Output
+
+>### Blueliv Malware file info
+>|analysis_date|analysis_delivered_date|analysis_signatures|analysis_status|at_afapi|behaviors|buffers|cerberus|created_at|created_at_afapi|dropped|file_type|first_seen|has_c_and_c|has_network|has_other_urls|hash|id|ioa|ioc_link|last_risk_scoring|last_seen|links|malfind|malicious_category|md5|memory|metadata|number_properties|pcap|priority_at_afapi|proc_memory|properties|report|risk|sample|scans_link|seen_at_analyzer|sha1|sha256|sha512|slugs_tags|sources_representation|subtype|target|tlp|type|types_names|updated_at|updated_at_afapi|uuid|version|vt_matches| +>|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +>| 2020-06-15T16:30:22.770000Z | 2020-06-15T16:22:00.220000Z | Signature severity - Informative,
Detected dead hosts,
Detects the presence of a Debugger,
Clipboard access capabilities,
Creates Mutants,
Detected cryptographic algorithm,
Has the ability to retrieve keyboard strokes,
Has the ability to reboot/shutdown the Operating System,
Detected Packer,
Detected PE anomalies,
Reads configuration files,
Loads Visual Basic Runtime environment,
Detected injected process,
Signature severity - Suspicious,
Allocates memory with Read-Write-Execute permissions,
Attempts to delay the analysis task,
Clipboard modification capabilities,
Spawns processes,
Classified by Blueliv,
Allocates memory with write/execute permissions in a remote process,
Machine Learning scoring,
Detected Keylogger,
Detected Autorun Persistence,
Writes data to a remote process,
Detected RunPE injection technique,
VirusTotal matches,
Signature severity - Malicious | FINISHED_SUCCESSFULLY | true | | false | 0.9645 | 2020-06-15T16:27:20.074884Z | 2020-06-15T16:21:38.209000Z | false | PE | 2020-06-15T16:21:38.209000Z | false | true | false | ad53660b6d7e8d2ed14bd59b39e1f265148e3c6818a494cce906e749976bade1 | 59770710 | ip: 25.20.116.113,
103.143.173.25,
192.168.56.102
url: http://uk.ask.com/favicon.ico,
http://www.priceminister.com/,
http://ru.wikipedia.org/,
http://www.merlin.com.pl/favicon.ico,
http://www.cnet.com/favicon.ico,
http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0,
http://search.nifty.com/,
http://ns.adobe.com/exif/1.0/,
http://www.shopzilla.com/,
http://crl.chambersign.org/publicnotaryroot.crl0,
http://search.goo.ne.jp/,
http://fr.wikipedia.org/favicon.ico,
http://busca.estadao.com.br/favicon.ico,
http://search.hanafos.com/favicon.ico,
http://search.chol.com/favicon.ico,
http://search.livedoor.com/favicon.ico,
http://amazon.fr/,
http://www.amazon.co.jp/,
http://www.e-szigno.hu/SZSZ/0,
http://busqueda.aol.com.mx/,
http://search.live.com/results.aspx?FORM=SOLTDF,
http://msdn.microsoft.com/,
http://www.sogou.com/favicon.ico,
http://yellowpages.superpages.com/,
http://www.expedia.com/favicon.ico,
http://crl.chambersign.org/chambersroot.crl0,
http://search.aol.com/,
http://browse.guardian.co.uk/,
http://www.mercadolibre.com.mx/,
http://www.asharqalawsat.com/,
http://www.facebook.com/,
http://search.auone.jp/,
http://www.rtl.de/favicon.ico,
http://search.msn.com/results.aspx?q=,
http://www.microsoft.com.,
http://search.naver.com/favicon.ico,
http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0,
http://crl.usertrust.com/UTN-USERFirst-NetworkApplications.crl0,
http://en.wikipedia.org/favicon.ico,
http://si.wikipedia.org/w/api.php?action=opensearch,
http://www.signatur.rtr.at/de/directory/cps.html0,
http://udn.com/favicon.ico,
http://rover.ebay.com,
http://search.ebay.fr/,
http://www.univision.com/,
http://pt.wikipedia.org/w/api.php?action=opensearch,
http://www.certplus.com/CRL/class3TS.crl0,
http://it.wikipedia.org/favicon.ico,
http://uk.ask.com/,
http://www.google.co.uk/,
http://cnweb.search.live.com/results.aspx?q=,
http://www.google.cz/,
http://www.google.co.jp/,
http://search.ebay.co.uk/,
http://www.weather.com/,
http://www.taobao.com/favicon.ico,
http://www.news.com.au/favicon.ico,
http://www.priceminister.com/favicon.ico,
http://www.e-me.lv/repository0,
http://video.globo.com/,
http://search.ebay.de/,
http://www.taobao.com/,
http://find.joins.com/,
http://corp.naukri.com/favicon.ico,
http://www.servicios.clarin.com/,
http://localhost,
http://www.rambler.ru/favicon.ico,
http://www.linternaute.com/favicon.ico,
http://ns.adobe.com/photoshop/1.0/,
http://www.etmall.com.tw/,
http://www.amazon.com/gp/search?ie=UTF8,
http://search.live.com/results.aspx?FORM=SO2TDF,
http://www.quovadis.bm0,
http://www.chambersign.org1,
http://www.excite.co.jp/,
http://cs.wikipedia.org/,
http://www.d-trust.net/crl/d-trust_qualified_root_ca_1_2007_pn.crl0,
http://www.gismeteo.ru/favicon.ico,
http://www.cjmall.com/favicon.ico,
http://suche.t-online.de/,
http://www.ya.com/favicon.ico,
http://search.orange.co.uk/favicon.ico,
http://www.trustcenter.de/guidelines0,
http://www.mercadolibre.com.mx/favicon.ico,
http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crl,
https://ocsp.quovadisoffshore.com0,
http://www.e-trust.be/CPS/QNcerts,
http://ns.adobe.com/tiff/1.0/,
http://www.otto.de/favicon.ico,
http://search.lycos.com/favicon.ico,
http://www.iask.com/,
http://www.arrakis.com/,
http://it.search.dada.net/,
http://support.microsoft.com/kb/9311250,
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0,
http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity,
http://search.ebay.es/,
http://search.gamer.com.tw/,
http://busca.igbusca.com.br//app/static/images/favicon.ico,
http://ns.adobe.com/xap/1.0/,
http://www.soso.com/favicon.ico,
http://www.echoworx.com/ca/root2/cps.pdf0,
http://recherche.tf1.fr/,
http://si.wikipedia.org/,
http://list.taobao.com/browse/search_visual.htm?n=15,
http://www.registradores.org/scr/normativa/cp_f2.htm0,
http://crl.microsoft.com/pki/crl/products/TrustListPCA.crl0O,
http://www.usertrust.com1604,
http://search.centrum.cz/,
http://www.auction.co.kr/auction.ico,
http://www.paginasamarillas.es/favicon.ico,
http://ja.wikipedia.org/favicon.ico,
http://www.abril.com.br/favicon.ico,
http://clients5.google.com/complete/search?hl=,
http://www.ozon.ru/,
http://search.alice.it/,
http://www.ssc.lt/cps03,
http://www.microsoft.com/windowsxp/expertzone/,
http://search.yahoo.co.jp/favicon.ico,
http://cnet.search.com/,
http://www.walmart.com/,
http://www.microsoft.com/pki/certs/TrustListPCA.crt0,
http://espn.go.com/favicon.ico,
http://www.pkioverheid.nl/policies/root-policy0,
http://www.mtv.com/favicon.ico,
http://msdn.microsoft.com/workshop/security/szone/overview/templates.asp),
http://search.interpark.com/,
http://www.gmarket.co.kr/favicon.ico,
http://www.certplus.com/CRL/class3.crl0,
http://www.neckermann.de/favicon.ico,
http://sitesearch.timesonline.co.uk/,
http://cn.bing.com/search?q=,
http://video.globo.com/favicon.ico,
http://www.passport.com,
http://es.wikipedia.org/,
http://img.atlas.cz/favicon.ico,
https://www.catcert.net/verarrel,
http://searchresults.news.com.au/,
http://search.rediff.com/,
http://search.lycos.co.uk/,
http://en.wikipedia.org/,
http://www.google.com.tw/,
http://www.tchibo.de/,
http://www.google.com/,
http://buscador.terra.es/,
http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0,
http://crl.ssc.lt/root-a/cacrl.crl0,
http://search.msn.co.jp/results.aspx?q=,
http://www.mercadolivre.com.br/favicon.ico,
http://ja.wikipedia.org/,
http://search.chol.com/,
http://crl.usertrust.com/UTN-USERFirst-Object.crl0),
http://search.espn.go.com/,
http://www.google.com.sa/,
http://jobsearch.monster.com/,
http://buscador.terra.com/,
http://www.google.co.in/,
http://suche.freenet.de/,
http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0,
http://www.cdiscount.com/favicon.ico,
http://asp.usatoday.com/,
http://vachercher.lycos.fr/,
http://www.yam.com/favicon.ico,
http://search.sify.com/,
http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0,
http://search.ebay.com/favicon.ico,
http://www.paginasamarillas.es/,
http://nl.wikipedia.org/,
http://search.alice.it/favicon.ico,
http://www.ask.com/,
http://www.so-net.ne.jp/share/favicon.ico,
http://espanol.search.yahoo.com/,
http://crl.usertrust.com/UTN-USERFirst-ClientAuthenticationandEmail.crl0,
http://www.alarabiya.net/favicon.ico,
http://pt.wikipedia.org/favicon.ico,
http://ocnsearch.goo.ne.jp/,
http://list.taobao.com/,
http://certificates.starfieldtech.com/repository/1604,
http://buscador.terra.com.br/,
http://search.msn.co.uk/results.aspx?q=,
http://www.google.de/,
http://www.tiscali.it/favicon.ico,
http://search.naver.com/,
http://ie8.ebay.com/open-search/output-xml.php?q=,
http://www.rambler.ru/,
http://esearch.rakuten.co.jp/,
http://www.pki.gva.es/cps0,
http://www.cdiscount.com/,
http://www.mercadolivre.com.br/,
http://www.facebook.com/favicon.ico,
http://www.t-online.de/favicon.ico,
http://search.hanafos.com/,
http://sads.myspace.com/,
http://repository.swisssign.com/0,
http://www.acabogacia.org0,
http://crl.ssc.lt/root-c/cacrl.crl0,
http://suche.web.de/,
http://recherche.tf1.fr/favicon.ico,
http://cs.wikipedia.org/w/api.php?action=opensearch,
http://search.dreamwiz.com/,
http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService,
http://www.yandex.ru/,
http://www.e-szigno.hu/RootCA.crl,
http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0,
http://www.trustdst.com/certificates/policy/ACES-index.html0,
http://www.baidu.com/favicon.ico,
http://ariadna.elmundo.es/,
http://www.rtl.de/,
http://www.kkbox.com.tw/favicon.ico,
http://p.zhongsou.com/,
http://www.ancert.com/cps0,
https://ca.sia.it/secsrv/repository/CPS0,
http://www.timesonline.co.uk/img/favicon.ico,
http://buscar.ozu.es/,
http://so-net.search.goo.ne.jp/,
http://cgi.search.biglobe.ne.jp/favicon.ico,
http://search.livedoor.com/,
http://www.soso.com/,
http://www.afisha.ru/App_Themes/Default/images/favicon.ico,
http://img.shopzilla.com/shopzilla/shopzilla.ico,
http://wellformedweb.org/CommentAPI/,
http://crl.oces.certifikat.dk/oces.crl0,
http://ca.sia.it/seccli/repository/CRL.der0J,
http://search.orange.co.uk/,
http://www.myspace.com/favicon.ico,
http://ariadna.elmundo.es/favicon.ico,
http://www.e-szigno.hu/RootCA.crt0,
http://search.gismeteo.ru/,
http://www3.fnac.com/favicon.ico,
http://en.wikipedia.org/w/api.php?action=opensearch,
http://repository.infonotary.com/cps/qcps.html0,
http://ocsp.pki.gva.es0,
http://support.microsoft.com,
http://in.search.yahoo.com/,
http://www.etmall.com.tw/favicon.ico,
http://www.ceneo.pl/favicon.ico,
http://service2.bfast.com/,
http://tw.search.yahoo.com/,
http://es.ask.com/,
http://www.ozu.es/favicon.ico,
http://www.iask.com/favicon.ico,
http://www.dailymail.co.uk/favicon.ico,
http://google.pchome.com.tw/,
http://crl.ssc.lt/root-b/cacrl.crl0,
http://p.zhongsou.com/favicon.ico,
http://crl.securetrust.com/STCA.crl0,
http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=,
http://search.ebay.com/,
http://br.search.yahoo.com/,
http://suche.lycos.de/,
http://users.ocsp.d-trust.net03,
http://www.asharqalawsat.com/favicon.ico,
http://mail.live.com/,
http://ru.search.yahoo.com,
http://de.wikipedia.org/,
http://crl.comodo.net/AAACertificateServices.crl0,
http://ns.adobe.com/xap/1.0/mm/,
http://cps.chambersign.org/cps/chambersroot.html0,
http://www.google.ru/,
http://search.empas.com/favicon.ico,
http://search.seznam.cz/,
http://de.wikipedia.org/w/api.php?action=opensearch,
http://www.expedia.com/,
http://www.clarin.com/favicon.ico,
http://www.acabogacia.org/doc0,
http://busca.uol.com.br/,
http://www.sk.ee/cps/0,
http://mail.live.com/?rru=compose%3Fsubject%3D,
https://www.catcert.net/verarrel05,
http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0,
http://crl.securetrust.com/SGCA.crl0,
http://buscador.terra.com/favicon.ico,
http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0,
http://crl.globalsign.net/root-r2.crl0,
http://purl.org/rss/1.0/modules/slash/,
http://www.d-trust.net0,
http://es.search.yahoo.com/,
http://www.ocn.ne.jp/favicon.ico,
http://www.d-trust.net/crl/d-trust_root_class_2_ca_2007.crl0,
http://corp.naukri.com/,
http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended,
http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity,
http://www.recherche.aol.fr/,
http://pl.wikipedia.org/w/api.php?action=opensearch,
http://www.weather.com/favicon.ico,
http://search.centrum.cz/favicon.ico,
http://search.yam.com/,
http://uk.search.yahoo.com/,
http://busca.uol.com.br/favicon.ico,
http://es.wikipedia.org/favicon.ico,
http://images.joins.com/ui_c/fvc_joins.ico,
http://cgi.search.biglobe.ne.jp/,
http://www.microsoft.com/pki/crl/products/TrustListPCA.crl,
http://msk.afisha.ru/,
http://es.wikipedia.org/w/api.php?action=opensearch,
http://www.globaltrust.info0,
http://www.google.pl/,
http://www.arrakis.com/favicon.ico,
http://search.microsoft.com/,
http://search.goo.ne.jp/favicon.ico,
http://image.excite.co.jp/jp/favicon/lep.ico,
https://secure.a-cert.at/cgi-bin/a-cert-advanced.cgi0,
http://www.merlin.com.pl/,
http://crl.usertrust.com/UTN-USERFirst-Hardware.crl01,
http://www.amazon.de/,
http://www.sogou.com/,
http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0,
http://cerca.lycos.it/,
http://www.usertrust.com1,
http://www.orange.fr/,
http://spaces.live.com/BlogIt.aspx,
http://www.microsofttranslator.com/?ref=IE8Activity,
http://www.rakuten.co.jp/favicon.ico,
http://search.nate.com/,
http://www.nate.com/favicon.ico,
http://de.wikipedia.org/favicon.ico,
http://www.dnie.es/dpc0,
http://www.najdi.si/,
http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity,
http://search.daum.net/favicon.ico,
https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0E,
http://nl.wikipedia.org/favicon.ico,
http://crl.pki.wellsfargo.com/wsprca.crl0,
http://it.search.yahoo.com/,
http://www.google.it/,
http://www.d-trust.net/crl/d-trust_root_class_3_ca_2007.crl0,
http://suche.web.de/favicon.ico,
http://search.seznam.cz/favicon.ico,
http://purl.org/rss/1.0/,
http://search.lycos.com/,
http://fr.wikipedia.org/w/api.php?action=opensearch,
http://qual.ocsp.d-trust.net0,
http://search.dreamwiz.com/favicon.ico,
http://www.kkbox.com.tw/,
http://suche.aol.de/,
http://www.entrust.net/CRL/net1.crl0,
http://www.entrust.net/CRL/Client1.crl0,
http://crl.xrampsecurity.com/XGCA.crl0,
http://search.empas.com/,
http://yellowpages.superpages.com/favicon.ico,
http://arianna.libero.it/,
http://www.dailymail.co.uk/,
http://ru.wikipedia.org/favicon.ico,
http://purl.org/rss/1.0/modules/content/,
http://search.auction.co.kr/,
http://www.certplus.com/CRL/class1.crl0,
http://ocsp.infonotary.com/responder.cgi0V,
http://search.yahoo.co.jp,
http://asp.usatoday.com/favicon.ico,
http://www.signatur.rtr.at/current.crl0,
http://search.msn.com.cn/results.aspx?q=,
http://crl.microsoft.com/pki/crl/products/tspca.crl0H,
http://www.a-cert.at/certificate-policy.html0,
https://localhost,
http://cn.bing.com/favicon.ico,
http://www.firmaprofesional.com0,
http://search2.estadao.com.br/,
http://www.microsoft.com/pki/certs/tspca.crt0,
http://search.cn.yahoo.com/,
http://www.rootca.or.kr/rca/cps.html0,
http://ie.search.yahoo.com/os?command=,
http://www.tesco.com/,
http://search-dyn.tiscali.it/,
http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl,
http://search.ipop.co.kr/favicon.ico,
http://arianna.libero.it/favicon.ico,
http://www.sk.ee/juur/crl/0,
http://it.wikipedia.org/,
http://crl.comodo.net/TrustedCertificateServices.crl0,
http://busca.orange.es/,
http://www.microsoft.com/schemas/rss/core/2005/internal,
http://www.baidu.com/,
http://home.altervista.org/,
http://it.search.dada.net/favicon.ico,
http://www.gmarket.co.kr/,
http://www.e-certchile.cl/html/productos/download/CPSv1.7.pdf01,
http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0,
http://www.google.com.br/,
http://buscar.ya.com/,
http://images.monster.com/favicon.ico,
http://search.ebay.it/,
http://www.alarabiya.net/,
http://ru.wikipedia.org/w/api.php?action=opensearch,
https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0,
http://www.maktoob.com/favicon.ico,
http://price.ru/favicon.ico,
http://ns.adobe.com/pdf/1.3/,
http://www.microsoft.com/schemas/ie8tldlistdescription/1.0,
http://logo.verisign.com/vslogo.gif0,
http://price.ru/,
http://www.disig.sk/ca/crl/ca_disig.crl0,
http://www.najdi.si/favicon.ico,
http://kr.search.yahoo.com/,
http://www.aol.com/favicon.ico,
http://www.ozon.ru/favicon.ico,
http://pl.wikipedia.org/,
http://www.target.com/favicon.ico,
http://fr.search.yahoo.com/,
http://crl.usertrust.com/UTN-DATACorpSGC.crl0,
http://search.daum.net/,
http://www.certicamara.com/certicamaraca.crl0,
http://de.search.yahoo.com/,
http://suche.freenet.de/favicon.ico,
http://www.post.trust.ie/reposit/cps.html0,
http://busca.buscape.com.br/favicon.ico,
http://www2.public-trust.com/crl/ct/ctroot.crl0,
http://www.microsoft.com/favicon.ico,
http://www.certicamara.com0,
http://auone.jp/favicon.ico,
http://buscador.lycos.es/,
http://search.yahoo.com/,
http://msdn.microsoft.com/workshop/security/privacy/overview/privacyimportxml.asp),
http://search.rediff.com/favicon.ico,
http://si.wikipedia.org/favicon.ico,
http://www3.fnac.com/,
http://web.ask.com/,
http://ca.sia.it/secsrv/repository/CRL.der0J,
http://search.books.com.tw/,
http://search.ebay.in/,
http://search.about.com/,
http://www.neckermann.de/,
http://www.disig.sk/ca0f,
http://browse.guardian.co.uk/favicon.ico,
http://www.tesco.com/favicon.ico,
http://search.ipop.co.kr/,
https://www.example.com.,
http://www.target.com/,
http://www.amazon.com/favicon.ico,
http://recherche.linternaute.com/,
http://www.google.fr/,
http://www.certicamara.com/dpc/0Z,
http://openimage.interpark.com/interpark.ico,
http://www.google.si/,
http://www.yandex.ru/favicon.ico,
http://www.google.com/favicon.ico,
http://www.walmart.com/favicon.ico,
http://udn.com/,
http://purl.org/dc/elements/1.1/,
http://www.wellsfargo.com/certpolicy0,
http://fedir.comsign.co.il/crl/ComSignCA.crl0,
http://www.google.es/,
http://www.cnet.co.uk/,
http://www.mtv.com/,
http://search.live.com/results.aspx?FORM=IEFM1,
http://www.abril.com.br/,
https://www.netlock.hu/docs/,
http://search1.taobao.com/,
http://www.a-cert.at0E,
http://www.amazon.co.uk/,
http://it.wikipedia.org/w/api.php?action=opensearch,
http://www.tchibo.de/favicon.ico,
http://www.pchome.com.tw/favicon.ico,
http://pt.wikipedia.org/,
http://fr.wikipedia.org/,
http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0,
https://rca.e-szigno.hu/ocsp0-,
http://ja.wikipedia.org/w/api.php?action=opensearch,
https://ca.sia.it/seccli/repository/CPS0,
http://www.chennaionline.com/ncommon/images/collogo.ico,
http://www.cjmall.com/,
http://search.live.com/results.aspx?q=,
http://www.comsign.co.il/cps0,
http://www.certifikat.dk/repository0,
http://cps.chambersign.org/cps/publicnotaryroot.html0,
http://search.yahoo.com/favicon.ico,
http://www.quovadisglobal.com/cps0,
http://busca.igbusca.com.br/,
http://ca.disig.sk/ca/crl/ca_disig.crl0,
http://www.nifty.com/favicon.ico,
http://cps.chambersign.org/cps/chambersignroot.html0,
http://www.sify.com/favicon.ico,
http://www.certplus.com/CRL/class2.crl0,
http://home.altervista.org/favicon.ico,
http://search.gamer.com.tw/favicon.ico,
http://busca.buscape.com.br/,
http://search.atlas.cz/,
http://www.ceneo.pl/,
http://crl.chambersign.org/chambersignroot.crl0,
http://www.certplus.com/CRL/class3P.crl0,
https://www.netlock.net/docs,
http://pl.wikipedia.org/favicon.ico,
http://ns.adobe.com/iX/1.0/,
http://search.books.com.tw/favicon.ico,
http://search.aol.in/,
http://crl.comodoca.com/TrustedCertificateServices.crl0:,
https://example.com,
http://cs.wikipedia.org/favicon.ico,
http://spaces.live.com/,
http://www.valicert.com/1,
http://crl.comodoca.com/AAACertificateServices.crl06,
http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity,
http://www.crc.bg0,
http://z.about.com/m/a08.ico,
http://www.univision.com/favicon.ico,
http://crl.comodoca.com/COMODOCertificationAuthority.crl0,
http://nl.wikipedia.org/w/api.php?action=opensearch,
http://search.aol.co.uk/
host: 25.20.116.113,
103.143.173.25
path: {"pdb_path": [], "filepaths": {"file_read": ["C:\\Users\\desktop.ini", "C:\\Users\\Administrator\\Documents\\desktop.ini"], "dll_loaded": ["kernel32", "gdi32.dll", "kernel32.dll", "UxTheme.dll", "oleaut32.dll", "C:\\Windows\\system32\\ole32.dll", "NTDLL.DLL", "dwmapi.dll", "ntdll.dll", "C:\\Windows\\WinSxS\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\gdiplus.dll", "USER32.DLL", "C:\\Windows\\system32\\uxtheme.dll", "ntmarta.dll", "C:\\Windows\\system32\\MSCTF.dll", "KERNEL32.DLL", "C:\\ogxses\\bin\\monitor-x86.dll", "KERNELBASE.DLL", "API-MS-Win-Core-LocalRegistry-L1-1-0.dll", "user32", "OLEAUT32.DLL", "advapi32.dll", "comctl32", "ole32.dll", "IMM32.dll", "C:\\Windows\\system32\\notepad.exe", "EXPLORER.EXE", "C:\\Windows\\system32\\xmllite.dll", "OLEAUT32.dll", "SHELL32.dll", "DUser.dll", "comctl32.dll", "C:\\Windows\\system32\\DUser.dll", "User32.dll", "USER32", "ADVAPI32.dll", "rpcrt4.dll", "SETUPAPI.dll", "user32.dll", "OLEACC.dll"], "file_moved": [], "file_copied": ["C:\\Users\\Administrator\\Documents\\MSDCSC\\msdcsc.exe", "C:\\Users\\Administrator\\AppData\\Local\\Temp\\sXPFvH.exe"], "file_exists": ["C:\\Windows\\System32\\oleaccrc.dll", "C:\\Users\\Administrator\\Documents\\MSDCSC", "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db", "C:\\", "C:\\Users\\Administrator\\AppData\\Roaming", "C:\\Users\\desktop.ini", "C:\\Users\\Administrator\\Documents\\MSDCSC\\", "C:\\Users\\Administrator\\Documents\\MSDCSC\\rEj9MRKQ3Kzp\\msdcsc.exe", "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000026.db", "C:\\Users\\Administrator\\AppData\\Local\\Temp\\sXPFvH.exe", "C:\\Users\\Administrator\\Documents\\MSDCSC\\rEj9MRKQ3Kzp.dcp", "C:\\Users\\Administrator", "C:\\Users\\Administrator\\Documents", "C:\\Users", "C:\\Users\\Administrator\\AppData\\Local\\Temp\\notepad", 
"C:\\Users\\Administrator\\AppData\\Roaming\\dclogs\\", "C:\\Users\\Administrator\\Documents\\desktop.ini", "C:\\Users\\Administrator\\Documents\\MSDCSC\\msdcsc.exe", "C:\\Users\\Administrator\\AppData\\Local\\Temp\\rEj9MRKQ3Kzp.dcp", "C:\\Users\\Administrator\\AppData\\Roaming\\dclogs"], "file_opened": ["C:\\Windows\\System32\\oleaccrc.dll", "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db", "C:\\", "C:\\Users\\desktop.ini", "C:\\Users\\Administrator\\Documents\\desktop.ini", "C:\\Users\\Administrator", "C:\\Users", "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000026.db", "C:\\Users\\Administrator\\Documents\\MSDCSC\\msdcsc.exe", "C:\\Users\\Administrator\\AppData\\Local\\Temp\\sXPFvH.exe"], "file_created": ["C:\\Windows\\System32\\oleaccrc.dll", "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db", "C:\\", "C:\\Users\\desktop.ini", "C:\\Users\\Administrator\\Documents\\desktop.ini", "C:\\Users\\Administrator", "C:\\Users", "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000026.db", "C:\\Users\\Administrator\\Documents\\MSDCSC\\msdcsc.exe", "C:\\Users\\Administrator\\AppData\\Local\\Temp\\sXPFvH.exe"], "file_deleted": [], "file_written": [], "directory_created": ["C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Windows\\Caches", "C:\\Users\\Administrator\\Documents\\MSDCSC", "C:\\Users\\Administrator\\AppData\\Roaming\\dclogs"], "directory_queried": ["C:\\Users\\Administrator", "C:\\Users\\Administrator\\Documents", "C:\\Users"], "directory_removed": [], "directory_enumerated": []}}
yara: {"url": [], "misc": {"misc": ["dbgdetect_funcs_ig"], "crypto": ["RIPEMD160_Constants", "SHA1_Constants", "DES_Long", "MD5_Constants", "VC8_Random", "RijnDael_AES_LONG", "Delphi_Random", "BASE64_table", "CRC32_table", "RijnDael_AES_CHAR", "MD5_API"], "packer": ["MinGW_1", "borland_delphi"]}, "memory": ["darkcomet_memory_1", "darkcomet_memory_3", "darkcomet_memory_2", "darkcomet_memory_4"], "generic": [], "pre_analysis": []}
email:
mutex: DCPERSFWBP,
DC_MUTEX-K5CAEA3,
Local\MSCTF.Asm.MutexDefault1
ports: {"tcp": [], "udp": [], "tcp_dead": [80, 957]}
domain:
regkeys: {"regkey_read": ["HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledProcesses\\21082CA9", "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Language Hotkey", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\UseDropHandler", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}\\Enable", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\lfOutPrecision", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORPARSING", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\StatusBar", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoNetCrawling", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\NoNetCrawling", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\lfOrientation", "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\lfUnderline", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DontShowSuperHidden", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Filter", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForOverlay", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Notepad\\DefaultFonts\\iPointSize", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\NoFileFolderJunction", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\ldap\\UseOldHostResolutionOrder", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\NeverShowExt", 
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowInfoTip", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsParseDisplayName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\IDConfigDB\\CurrentConfig", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\iMarginTop", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideIcons", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\fSaveWindowPositions", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsAliasedNotifications", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\iMarginBottom", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\iMarginLeft", "HKEY_CURRENT_USER\\Software\\DC3_FEXEC\\{e29ac6c0-7037-11de-816d-806e6f6e6963-4234460882}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\AlwaysShowExt", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\IDConfigDB\\CurrentDockInfo\\DockingState", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\IDConfigDB\\Hardware Profiles\\0001\\HwProfileGuid", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Segoe UI", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{618736E0-3C3D-11CF-810C-00AA00389B71}\\ProxyStubClsid32\\(Default)", "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Layout Hotkey", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\lfClipPrecision", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\RestrictedAttributes", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSimpleStartMenu", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\IsShortcut", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Notepad\\DefaultFonts\\lfFaceName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\BrowseInPlace", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\lfCharSet", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\IconsOnly", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\DocObject", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\MachineThrottling", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{0ad25834-bdda-11e5-8e00-806e6f6e6963}\\Generation", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\AutoCheckSelect", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\CallForAttributes", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{0ad25835-bdda-11e5-8e00-806e6f6e6963}\\Generation", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideInWebView", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\SeparateProcess", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\BrowseInPlace", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\SeparateProcess", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\fMLE_is_broken", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORDISPLAY", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\lfFaceName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\DocObject", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\lfItalic", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\DevicePath", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\WebView", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForInfoTip", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\lfWeight", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\IDConfigDB\\Hardware Profiles\\0001\\FriendlyName", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowCompColor", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\ClassicShell", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoWebView", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\lfStrikeOut", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\MS Shell Dlg 2", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\Attributes", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\MapNetDrvBtn", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\lfPitchAndFamily", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\IsShortcut", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\iPointSize", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\AccessProviders\\MartaExtension", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\DontPrettyPath", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\iMarginRight", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\lfQuality", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\szTrailer", "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\PinToNameSpaceTree", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HasNavigationEnum", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\iWindowPosX", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\iWindowPosY", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{0ad25835-bdda-11e5-8e00-806e6f6e6963}\\Data", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\fWrap", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellState", "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Hotkey", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{0ad25838-bdda-11e5-8e00-806e6f6e6963}\\Data", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowTypeOverlay", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\es-ES", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\ldap\\LdapClientIntegrity", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{0ad25834-bdda-11e5-8e00-806e6f6e6963}\\Data", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideFolderVerbs", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\NeverShowExt", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}\\DriveMask", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\MapNetDriveVerbs", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\GlobalSession", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\DocObject", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\NeverShowExt", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\es-ES", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\IsShortcut", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\szHeader", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\ldap\\UseHostnameAsAlias", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\iWindowPosDY", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\iWindowPosDX", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{0ad25838-bdda-11e5-8e00-806e6f6e6963}\\Generation", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\EnableAnchorContext", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\lfEscapement", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\BrowseInPlace", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsUniversalDelegate"], "regkey_opened": ["HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_CURRENT_USER\\Software\\DC2_USERS", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SQMClient\\Windows\\DisabledProcesses\\", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", 
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\KnownClasses", "HKEY_CLASSES_ROOT\\Folder", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SQMClient\\Windows", "HKEY_CLASSES_ROOT\\Directory", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\", "HKEY_CLASSES_ROOT\\Drive\\shellex\\FolderExtensions", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\LSA\\AccessProviders", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume", "HKEY_CURRENT_USER\\Software\\Borland\\Locales", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\ShellEx\\IconHandler", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{0ad25838-bdda-11e5-8e00-806e6f6e6963}\\", "HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\DirectSwitchHotkeys", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\(Default)", "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\Explorer", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{FA445657-9379-11D6-B41A-00065B83EE53}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\Clsid", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Explorer", 
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\IDConfigDB\\Hardware Profiles\\0001", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", "HKEY_CLASSES_ROOT\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder", "HKEY_LOCAL_MACHINE\\System\\Setup", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\BrowseInPlace", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\Directory", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\DocObject", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale", "HKEY_CURRENT_USER\\Software\\DC3_FEXEC", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\CurVer", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\BrowseInPlace", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{70FAF614-E0B1-11D3-8F5C-00C04F9CF4AC}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum", "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\DocObject", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\ShellEx\\IconHandler", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Shell\\RegisteredApplications\\UrlAssociations\\Directory\\OpenWithProgids", 
"HKEY_CLASSES_ROOT\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Notepad\\DefaultFonts", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_CLASSES_ROOT\\Interface\\{618736E0-3C3D-11CF-810C-00AA00389B71}\\ProxyStubClsid32", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\ComputerName\\ActiveComputerName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\Clsid", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\DirectUI", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\Clsid", "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SQMClient\\Windows", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LDAP", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\IDConfigDB", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\ShellEx\\IconHandler", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\IDConfigDB\\CurrentDockInfo", "HKEY_LOCAL_MACHINE\\Software\\Borland\\Locales", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\notepad.exe", "HKEY_CURRENT_USER\\Software\\Borland\\Delphi\\Locales", "HKEY_CLASSES_ROOT\\AllFilesystemObjects", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{0ad25835-bdda-11e5-8e00-806e6f6e6963}\\", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{0ad25834-bdda-11e5-8e00-806e6f6e6963}\\", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\DocObject", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{3697C5FA-60DD-4B56-92D4-74A569205C16}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\BrowseInPlace"], "regkey_created": ["HKEY_CURRENT_USER\\Software", "HKEY_CURRENT_USER\\Software\\DC3_FEXEC", 
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"], "regkey_deleted": [], "regkey_written": ["HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\MicroUpdate", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\UserInit"], "regkey_enumerated": ["HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{3697C5FA-60DD-4B56-92D4-74A569205C16}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\DirectSwitchHotkeys"]}
metadata: {"crc32": {"original": "B7CACEE9", "unpacked": {}}, "names": {"title": [], "author": [], "country": [], "creator": [], "subject": [], "locality": [], "producer": [], "common_name": [], "company_name": null, "organization": [], "product_name": null, "internal_name": null, "private_build": null, "special_build": null, "legal_copyright": null, "legal_trademarks": null, "original_filename": null, "organizational_unit": []}, "ssdeep": {"original": "12288:f9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hPA:JZ1xuVVjfFoynPaVBUR8f+kN10EBO", "unpacked": {}}, "file_type": {"original": "PE32 executable (GUI) Intel 80386, for MS Windows", "unpacked": {}}, "pe_imphash": "e5b4359a3773764a372173074ae9b6bd", "postal_code": null, "pe_timestamp": "2012-06-07 17:59:53", "signing_date": "", "peid_signatures": []}
registry:
connections: {"tcp": [], "udp": [], "tcp_dead": ["25.20.116.113:957", "103.143.173.25:80"]}
certificates:
process_name: msdcsc.exe,
sXPFvH.exe,
notepad.exe
attack_patterns: {'id': 'T1022', 'name': 'Data Encrypted'},
{'id': 'T1056', 'name': 'Input Capture'},
{'id': 'T1529', 'name': 'System Shutdown/Reboot'},
{'id': 'T1027', 'name': 'Obfuscated Files or Information'},
{'id': 'T1045', 'name': 'Software Packing'},
{'id': 'T1055', 'name': 'Process Injection'},
{'id': 'T1497', 'name': 'Virtualization/Sandbox Evasion'},
{'id': 'T1115', 'name': 'Clipboard Data'},
{'id': 'T1060', 'name': 'Registry Run Keys / Startup Folder'},
{'id': 'T1093', 'name': 'Process Hollowing'} | https://tctrustoylo.blueliv.com/api/v1/malware/ad53660b6d7e8d2ed14bd59b39e1f265148e3c6818a494cce906e749976bade1/ioc/ | 2020-06-15T16:48:42.527191Z | 2020-06-15T18:25:32Z | self: https://tctrustoylo.blueliv.com/api/v1/malware/ad53660b6d7e8d2ed14bd59b39e1f265148e3c6818a494cce906e749976bade1/ | false | 2 | 36a40cc55e2ffe7d44d007c6e37afd7f | false | | 0 | https://tctrustoylo.blueliv.com/api/v1/malware/ad53660b6d7e8d2ed14bd59b39e1f265148e3c6818a494cce906e749976bade1/pcap/ | 3 | false | | https://tctrustoylo.blueliv.com/api/v1/malware/ad53660b6d7e8d2ed14bd59b39e1f265148e3c6818a494cce906e749976bade1/report/ | 7.0 | https://tctrustoylo.blueliv.com/api/v1/malware/ad53660b6d7e8d2ed14bd59b39e1f265148e3c6818a494cce906e749976bade1/sample/ | https://tctrustoylo.blueliv.com/api/v1/malware/ad53660b6d7e8d2ed14bd59b39e1f265148e3c6818a494cce906e749976bade1/enrichment/scans/ | false | 5c0be68316ce77584a7b966ff40e7d61a8a98055 | ad53660b6d7e8d2ed14bd59b39e1f265148e3c6818a494cce906e749976bade1 | e7ebf12d5dc0900faafa73d090b62c1ce583858606217d935981bf3d51dbd6e63eefd67b103913240173b2bafbcaac689d83828654ecf054cb7a30766c4a3cc6 | | virustotalAPI | DARKCOMET | false | white | Malware | DARKCOMET | 2020-06-15T17:12:28.893118Z | 2020-06-15T16:30:33.293000Z | | none | darkkomet,
fynloski,
genmalicious | + + +### blueliv-tc-indicator-ip +*** +Gets information about an IP + + +#### Base Command + +`blueliv-tc-indicator-ip` +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| IP_id | Internal Blueliv's IP ID | Required | +| IP | IP to search | Optional | + + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| indicator.lastSeen | Unknown | Indicator last seen | +| indicator.risk | Unknown | Indicator risk | +| indicator.latitude | Unknown | Indicator latitude | +| indicator.longitude | Unknown | Indicator longitude | +| indicator.countryId | Unknown | Indicator countryes internal IDs | +| indicator.campaigns | Unknown | Indicator campaigns | +| indicator.campaignIds | Unknown | Indicator campaigns internal IDs | +| indicator.signatures | Unknown | Indicator signatures | +| indicator.signatureIds | Unknown | Indicator signatures internal IDs | +| indicator.threatActors | Unknown | Indicator threat actors | +| indicator.threatActorIds | Unknown | Indicator threat actors internal IDs | +| indicator.tags | Unknown | Indicator tags | +| indicator.tagIds | Unknown | Indicator tags internal IDs | +| indicator.fqdns | Unknown | Indicator FQDNs | +| indicator.fqdnIds | Unknown | Indicator FQDNs internal IDs | +| indicator.sparks | Unknown | Indicator sparks | +| indicator.sparkIds | Unknown | Indicator sparks internal IDs | +| indicator.bots | Unknown | Indicator bots | +| indicator.botIds | Unknown | Indicator bots internal IDs | + + +#### Command Example +```!blueliv-tc-indicator-ip IP="103.76.228.28"``` + +#### Context Example +``` +{ + "indicator": { + "botIds": "", + "bots": 0, + "campaignIds": "", + "campaigns": 0, + "countryId": "103", + "fqdnIds": "", + "fqdns": 0, + "lastSeen": "2020-06-15T18:25:00Z", + "latitude": "20.0", + "longitude": "77.0", + "risk": "4.0", + "signatureIds": "", + "signatures": 0, + "sparkIds": "", + "sparks": 0, + "tagIds": "", + "tags": 0, + 
"threatActorIds": "", + "threatActors": 0 + }, + "threatContext": { + "hasResults": "true" + } +} +``` + +#### Human Readable Output + +>### Blueliv IP info +>|address|asn_number|asn_owner|at_afapi|created_at|created_at_afapi|first_seen|history_link|id|ioc_link|last_risk_scoring|last_seen|latitude|links|longitude|passive_dns_link|risk|slugs_tags|tlp|type|updated_at|updated_at_afapi|virus_total_link|whois_link| +>|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +>| 103.76.228.28 | 394695 | PDR | false | 2019-05-03T09:57:46.834135Z | | 2019-04-11T04:12:09.830000Z | https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/history/ | 70236228 | https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/ioc/ | 2020-06-15T15:17:47.624936Z | 2020-06-15T18:25:00Z | 20.0 | self: https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/ | 77.0 | https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/enrichment/passive-dns/ | 4.0 | | amber | IP | 2020-06-15T16:44:49.623167Z | | https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/enrichment/virus-total/ | https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/enrichment/whois/ | + + +### blueliv-tc-cve +*** +Gets information about CVE + + +#### Base Command + +`blueliv-tc-cve` +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| CVE | CVE to search | Optional | +| CVE_id | Internal Blueliv's CVE ID | Optional | + + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| cve.name | Unknown | CVE name | +| cve.description | Unknown | CVE description | +| cve.updatedAt | Unknown | CVE updated at | +| cve.score | Unknown | CVE score | +| cve.attackPatterns | Unknown | CVE attack patterns | +| cve.attackPatternIds | Unknown | CVE attackp patterns internal IDs | +| cve.signatures | Unknown | CVE signatures | +| cve.signatureIds | Unknown | CVE signatures internal IDs | +| cve.tags | Unknown | CVE tags | +| 
cve.tagIds | Unknown | CVE tags internal IDs | +| cve.crimeServers | Unknown | CVE Crime servers | +| cve.crimeServerIds | Unknown | CVE crime servers internal IDs | +| cve.sparks | Unknown | CVE sparks | +| cve.sparkIds | Unknown | CVE sparks internal IDs | +| cve.malware | Unknown | CVE malware | +| cve.malwareIds | Unknown | CVE malwares internal IDs | +| cve.exploits | Unknown | CVE exploits | +| cve.platforms | Unknown | CVE platforms | + + +#### Command Example +```!blueliv-tc-cve CVE="CVE-2020-8794"``` + +#### Context Example +``` +{} +``` + +#### Human Readable Output + +>{"apiId": "THIAPP", "url": "/api/v1/cve/CVE-2020-8794/relationships/attack-pattern/", "requestType": "GET"} + +### blueliv-tc-indicator-fqdn +*** +Gets information about FQDN + + +#### Base Command + +`blueliv-tc-indicator-fqdn` +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| FQDN_id | Internal Blueliv's FQDN id | Optional | +| FQDN | FQDN to search | Optional | + + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| indicator.lastSeen | Unknown | Indicator last seen | +| indicator.risk | Unknown | Indicator risk | +| indicator.campaigns | Unknown | Indicator campaigns | +| indicator.campaignIds | Unknown | Indicator campaigns internal IDs | +| indicator.signatures | Unknown | Indicator signatures | +| indicator.signatureIds | Unknown | Indicator signatures internal IDs | +| indicator.threatActors | Unknown | Indicator threat actors | +| indicator.threatActorIds | Unknown | Indicator threat actors internal IDs | +| indicator.tags | Unknown | Indicator tags | +| indicator.tagIds | Unknown | Indicator tags internal IDs | +| indicator.crimeServers | Unknown | Indicator crime servers | +| indicator.crimeServerIds | Unknown | Indicator crime servers internal IDs | +| indicator.sparks | Unknown | Indicator sparks | +| indicator.sparkIds | Unknown | Indicator sparks internal IDs | +| indicator.ips | Unknown | 
Indicator IPs | +| indicator.ipIds | Unknown | Indicator IPs internal IDs | + + +#### Command Example +```!blueliv-tc-indicator-fqdn FQDN="self-repair.r53-2.services.mozilla.com"``` + +#### Context Example +``` +{ + "indicator": { + "campaignIds": "", + "campaigns": 0, + "crimeServerIds": "", + "crimeServers": 0, + "ipIds": "", + "ips": 0, + "lastSeen": "2018-08-07T22:40:47.580489Z", + "risk": "2.5", + "signatureIds": "", + "signatures": 0, + "sparkIds": "", + "sparks": 0, + "tagids": "", + "tags": 0, + "threatActorIds": "", + "threatActors": 0 + }, + "threatContext": { + "hasResults": "true" + } +} +``` + +#### Human Readable Output + +>### Blueliv FQDN info +>|active_dns_link|created_at|domain|first_seen|history_link|id|ioc_link|last_risk_scoring|last_seen|links|passive_dns_link|risk|slugs_tags|tlp|type|updated_at|virus_total_link|whois_link| +>|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +>| https://tctrustoylo.blueliv.com/api/v1/fqdn/anad.ir/enrichment/dns/ | 2018-08-07T22:40:47.580640Z | anad.ir | 2018-08-07T22:40:47.580479Z | https://tctrustoylo.blueliv.com/api/v1/fqdn/anad.ir/history/ | 5783871 | https://tctrustoylo.blueliv.com/api/v1/fqdn/anad.ir/ioc/ | 2020-06-15T17:25:37.498738Z | 2018-08-07T22:40:47.580489Z | self: https://tctrustoylo.blueliv.com/api/v1/fqdn/anad.ir/ | https://tctrustoylo.blueliv.com/api/v1/fqdn/anad.ir/enrichment/passive-dns/ | 2.5 | | white | FQDN | 2020-06-15T17:25:37.499246Z | https://tctrustoylo.blueliv.com/api/v1/fqdn/anad.ir/enrichment/virus-total/ | https://tctrustoylo.blueliv.com/api/v1/fqdn/anad.ir/enrichment/whois/ | + + +### blueliv-tc-indicator-cs +*** +Gets information about a Crime Server + + +#### Base Command + +`blueliv-tc-indicator-cs` +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| CS_id | Internal Blueliv's Crime Server id | Required | +| CS | The name of the Crime Server to search | Optional | + + +#### Context Output + +| **Path** | **Type** 
| **Description** | +| --- | --- | --- | +| indicator.lastSeen | Unknown | Indicator lastSeen | +| indicator.status | Unknown | Indicator status | +| indicator.risk | Unknown | Indicator risk | +| indicator.isFalsePositive | Unknown | Indicator is a false positive | +| indicator.crimeServerUrl | Unknown | Indicator crime server URL | +| indicator.creditCardsCount | Unknown | Indicator credit cards count | +| indicator.credentialsCount | Unknown | Indicator credentials count | +| indicator.botsCount | Unknown | Indicator bots count | +| indicator.fqdnId | Unknown | Indicator FQDNs internal IDs | +| indicator.malware | Unknown | Indicator malware | +| indicator.malwareIds | Unknown | Indicator malwares internal IDs | +| indicator.tags | Unknown | Indicator tags | +| indicator.tagIds | Unknown | Indicator tags internal IDs | +| indicator.sparks | Unknown | Indicator sparks | +| indicator.sparkIds | Unknown | Indicator sparks internal IDs | + + +#### Command Example +```!blueliv-tc-indicator-cs CS_id=6626263``` + +#### Context Example +``` +{ + "indicator": { + "botsCount": "0", + "credentialsCount": "0", + "creditCardsCount": "0", + "crimeServerUrl": "http://saveback.xyz/asdfgh35546fhwJYGvdfgsadsg/login.php", + "fqdnId": "9633658", + "isFalsePositive": "False", + "lastSeen": "2020-06-15T16:46:06.170000Z", + "malware": 0, + "malwareIds": "", + "risk": "4.0", + "sourceIds": "642676,", + "sources": 1, + "sparkIds": "", + "sparks": 0, + "status": "online", + "tagIds": "", + "tags": 0 + }, + "threatContext": { + "hasResults": "true" + } +} +``` + +#### Human Readable Output + +>### Blueliv Crime Server info 
+>|at_feed|at_free_feed|bots_count|confidence|created_at|created_at_afapi|credentials_count|credit_cards_count|crime_server_url|false_positive_modification_time|first_seen|id|ioc_link|is_false_positive|last_log_timestamp|last_risk_scoring|last_seen|links|main_type|risk|scans_link|service_scans|slugs_tags|status|subtype_name|target_status|tlp|type|updated_at|updated_at_afapi| +>|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +>| true | true | 0 | 1 | 2020-06-15T17:02:40.327300Z | 2020-06-15T16:46:06.119000Z | 0 | 0 | http://saveback.xyz/asdfgh35546fhwJYGvdfgsadsg/login.php | 2020-06-15T17:02:38.524874Z | 2020-06-15T16:44:25Z | 6626263 | https://tctrustoylo.blueliv.com/api/v1/crime-server/6626263/ioc/ | false | | 2020-06-15T17:14:36.146566Z | 2020-06-15T16:46:06.170000Z | self: https://tctrustoylo.blueliv.com/api/v1/crime-server/6626263/ | c_and_c | 4.0 | https://tctrustoylo.blueliv.com/api/v1/crime-server/6626263/enrichment/scans/ | | | online | ANUBIS | | amber | CrimeServer | 2020-06-15T17:14:36.149943Z | 2020-06-15T16:46:06.170000Z | + + +### blueliv-tc-threat-actor +*** +Gets information about a Threat Actor + + +#### Base Command + +`blueliv-tc-threat-actor` +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| threatActor | Threat Actor to search | Optional | +| threatActor_id | Internal Blueliv's Threat Actor id | Optional | + + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| threatActor.name | Unknown | Threat actor name | +| threatActor.description | Unknown | Threat actor description | +| threatActor.objective | Unknown | Threat actor objective | +| threatActor.sophistication | Unknown | Threat actor sophistication | +| threatActor.lastSeen | Unknown | Threat actor last seen | +| threatActor.active | Unknown | Threat actor active | +| threatActor.milestones | Unknown | Threat actor milestones | +| 
threatActor.milestoneIds | Unknown | Threat actor milestones internal IDs | +| threatActor.tools | Unknown | Threat actor tools | +| threatActor.toolIds | Unknown | Threat actor tools internal IDs | +| threatActor.campaigns | Unknown | Threat actor campaigns | +| threatActor.campaignIds | Unknown | Threat actor campaigns internal IDs | +| threatActor.signatures | Unknown | Threat actor signatures | +| threatActor.signatureIds | Unknown | Threat actor signatures internal IDs | +| threatActor.onlineServices | Unknown | Threat actor online services | +| threatActor.onlineServiceIds | Unknown | Threat actor online services internal IDs | +| threatActor.malware | Unknown | Threat actor malware | +| threatActor.malwareIds | Unknown | Threat actor malwares internal IDs | +| threatActor.threatTypes | Unknown | Threat actor threat types | +| threatActor.threatTypeIds | Unknown | Threat actor threat types internal IDs | +| threatActor.fqdns | Unknown | Threat actor FQDNs | +| threatActor.fqdnIds | Unknown | Threat actor FQDNs internal IDs | +| threatActor.attackPatterns | Unknown | Threat actor attack patterns | +| threatActor.attackPatternIds | Unknown | Threat actor attack patterns internal IDs | +| threatActor.ips | Unknown | Threat actor IPs | +| threatActor.ipIds | Unknown | Threat actor IPs internal IDs | +| threatActor.targets | Unknown | Threat actor targets | +| threatActor.targetIds | Unknown | Threat actor targets internal IDs | + + +#### Command Example +```!blueliv-tc-threat-actor threatActor=Vendetta``` + +#### Context Example +``` +{ + "threatAactor": { + "onlineServices": 0, + "threatTypes": 0 + }, + "threatActor": { + "active": "True", + "attackPatternIds": "511,529,603,613,703,705,735,", + "attackPatterns": 7, + "campaignIds": "", + "campaigns": 0, + "description": "
Key Points
\n\n\n\n
Assessment
\n\n

Vendetta is a Threat Actor that became active on April 2020, and was discovered by 360 Baize Lab. The name comes from a PDB path found in one of the samples:

\n\n
C:\\Users\\Vendetta\\source\\repos\\{project name}\\*\\obj\\Debug\\{project name}.pdb
\n\n

Based on some information found on the samples themselves, and the tools used, 360 Baize Labs speculates that the actor is of European origin, either from Turkey or from Italy. Some of their malware samples contain the text "Developers from Italy" which indicates the threat actor may be Italian, but these also contain Turkish names in variables like RoboSky suggest they could actually be from Turkey.

\n\n

Vendetta targeted its victims with highly convincing spearphishing emails, impersonating entities such as Australian Government Department of Health, Austrian Federal Ministry of the Interior (BMI), or the Mexican health department. The emails contained a malicious attachment called pdf.exe, trying to trick the victim into opening the executable file thinking it is a pdf file, which ultimately installed the NanoCore and RemcosRAT malware.

", + "fqdnIds": "9607329,", + "fqdns": 1, + "ips": 1, + "lastSeen": "2020-06-10T00:00:00Z", + "malware": 56, + "malwareIds": "55048892,55954618,56069689,56081184,56101608,56174304,56435633,56482393,56528142,56528442,56660508,56822336,56834251,56895357,56906597,56921822,56963320,57023523,57143218,57500808,57531883,57577157,57992940,58151119,59402651,59402653,59402654,59402655,59402656,59406230,59406231,59406232,59406233,59406234,59406235,59406236,59421287,59421291,59421298,59421308,59421351,59421352,59421389,59421399,59421403,59421435,59421463,59421467,59421471,59421474,59421499,59421511,59421557,59421568,59421605,59468951,", + "milestoneIds": "", + "milestones": 0, + "name": "Vendetta", + "objective": "

This threat actor appears to be focused on stealing information from the target by using remote access trojans to infect organizations.

", + "onlineServiceIds": "", + "signatureIds": "", + "signatures": 0, + "sophistication": "intermediate", + "targetIds": "13,14,36,46,62,98,120,154,163,186,188,220,225,227,254,257,259,268,293,301,1164,", + "targets": 21, + "threatTypeIds": "", + "toolIds": "136,193,", + "tools": 2 + }, + "threatActor,ipIds": "96161121,", + "threatContext": { + "hasResults": "true" + } +} +``` + +#### Human Readable Output + +>### Blueliv Threat Actor info +>|active|aliases|country_name|created_at|description|first_seen|id|ioc_link|last_seen|links|modus_operandi|name|objective|references|sophistication|tlp|type|types|updated_at|uuid| +>|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +>| true | Vendetta | Italy | 2020-06-10T11:23:22.584500Z |
Key Points




Assessment


Vendetta is a Threat Actor that became active on April 2020, and was discovered by 360 Baize Lab. The name comes from a PDB path found in one of the samples:



C:\Users\Vendetta\source\repos\{project name}\*\obj\Debug\{project name}.pdb


Based on some information found on the samples themselves, and the tools used, 360 Baize Labs speculates that the actor is of European origin, either from Turkey or from Italy. Some of their malware samples contain the text "Developers from Italy" which indicates the threat actor may be Italian, but these also contain Turkish names in variables like RoboSky suggest they could actually be from Turkey.



Vendetta targeted its victims with highly convincing spearphishing emails, impersonating entities such as Australian Government Department of Health, Austrian Federal Ministry of the Interior (BMI), or the Mexican health department. The emails contained a malicious attachment called pdf.exe, trying to trick the victim into opening the executable file thinking it is a pdf file, which ultimately installed the NanoCore and RemcosRAT malware.

| 2020-04-01T00:00:00Z | 232 | https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/ioc/ | 2020-06-10T00:00:00Z | self: https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/ |

Vendetta uses well designed phishing campaigns to target businesses and individuals. The phishing emails contain a malicious payload that, once unleashed, will install a RAT in the infected computer.

| Vendetta |

This threat actor appears to be focused on stealing information from the target by using remote access trojans to infect organizations.

| {'link': 'https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/', 'title': 'Vendetta-new threat actor from Europe'} | intermediate | white | ThreatActor | hacker | 2020-06-10T12:29:16.463528Z | | + + +### blueliv-tc-campaign +*** +Gets information about a Campaign + + +#### Base Command + +`blueliv-tc-campaign` +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| campaign | Name of the Campaign to search for | Optional | +| campaign_id | Blueliv's internal Campaign id | Optional | + + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| campaign.name | Unknown | Campaign name | +| campaign.description | Unknown | Campaign description | +| campaign.lastSeen | Unknown | Campaign last seen | +| campaign.botnets | Unknown | Campaign botnets | +| campaign.botnetIds | Unknown | Campaign botnets internal IDs | +| campaign.signatures | Unknown | Campaign signatures | +| campaign.signatureIds | Unknown | Campaign signatures internal IDs | +| campaign.ips | Unknown | Campaign IPs | +| campaign.ipIds | Unknown | Campaign IPs internal IDs | +| campaign.malware | Unknown | Campaign malware | +| campaign.malwareIds | Unknown | Campaign malwares internal IDs | +| campaign.attackPatterns | Unknown | Campaign attack patterns | +| campaign.attackPatternIds | Unknown | Campaign attack patterns internal IDs | +| campaign.tools | Unknown | Campaign tools | +| campaign.toolIds | Unknown | Campaign tools internal IDs | +| campaign.fqdns | Unknown | Campaign FQDNs | +| campaign.fqdnIds | Unknown | Campaign FQDNs internal IDs | +| campaign.threatActorId | Unknown | Campaign threat actors internal IDs | + + +#### Command Example +```!blueliv-tc-campaign campaign_id=152``` + +#### Context Example +``` +{ + "campaign": { + "attackPatternIds": "", + "attackPatterns": 0, + "botnetIds": "", + "botnets": 0, + "description": "

A distribution campaign for the GRANDOREIRO banking Trojan. Through spam emails they got users to visit fake websites. The topic is usually electronic invoices, but recently they have used topics related to the coronavirus pandemic.

\n\n

There are different types of downloaders: VBS scripts, MSI files, executable downloaders. These downloaders contain an encoded URL that allows them to download an ISO file, usually hosted by a public service such as DROPBOX or GITHUB.

\n\n

This ISO file is actually a text file, which contains BASE64. Once decoded, a ZIP file containing GRANDOREIRO is obtained.

\n\n

Sometimes a password is required to extract the GRANDOREIRO trojan from the ZIP file. This prevents analyzing its content without analysing the downloader first.

", + "fqdnIds": "138612,9322638,9394712,9549083,9549084,9549097,9549098,9549099,", + "fqdns": 8, + "ips": 0, + "lastSeen": "2020-05-28T00:00:00Z", + "malware": 9, + "malwareIds": "55800558,55800615,58635752,58635753,58635754,58635755,58635756,58635757,58635758,", + "name": "2020 Grandoreiro campaign against banks in LATAM, Portugal and Spain", + "signatureIds": "", + "signatures": 0, + "threatActorId": "226", + "toolIds": "673,", + "tools": 1 + }, + "campaign,ipIds": "", + "threatContext": { + "hasResults": "true" + } +} +``` + +#### Human Readable Output + +>### Blueliv Campaign info +>|created_at|description|first_seen|id|ioc_link|last_seen|links|name|tlp|type|updated_at|uuid| +>|---|---|---|---|---|---|---|---|---|---|---|---| +>| 2020-05-28T21:24:11.307288Z |

A distribution campaign for the GRANDOREIRO banking Trojan. Through spam emails they got users to visit fake websites. The topic is usually electronic invoices, but recently they have used topics related to the coronavirus pandemic.



There are different types of downloaders: VBS scripts, MSI files, executable downloaders. These downloaders contain an encoded URL that allows them to download an ISO file, usually hosted by a public service such as DROPBOX or GITHUB.



This ISO file is actually a text file, which contains BASE64. Once decoded, a ZIP file containing GRANDOREIRO is obtained.



Sometimes a password is required to extract the GRANDOREIRO trojan from the ZIP file. This prevents analyzing its content without analysing the downloader first.

| 2020-04-16T00:00:00Z | 152 | https://tctrustoylo.blueliv.com/api/v1/campaign/152/ioc/ | 2020-05-28T00:00:00Z | self: https://tctrustoylo.blueliv.com/api/v1/campaign/152/ | 2020 Grandoreiro campaign against banks in LATAM, Portugal and Spain | white | Campaign | 2020-05-28T23:58:36.883515Z | | + + +### blueliv-tc-attack-pattern +*** +Gets information about a Attack Pattern + + +#### Base Command + +`blueliv-tc-attack-pattern` +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| attackPattern | The Attack Pattern's name to search for | Optional | +| attackPatternId | Interanl Blueliv's ID for the Attack Pattern | Optional | + + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| attackPattern.name | Unknown | Attack pattern name | +| attackPattern.description | Unknown | Attack pattern description | +| attackPattern.updatedAt | Unknown | Attack pattern updated at | +| attackPattern.severity | Unknown | Attack pattern severity | +| attackPattern.signatures | Unknown | Attack pattern signatures | +| attackPattern.signatureIds | Unknown | Attack pattern signatures internal IDs | +| attackPattern.campaigns | Unknown | Attack pattern campaigns | +| attackPattern.campaignIds | Unknown | Attack pattern campaigns internal IDs | +| attackPattern.threatActors | Unknown | Attack pattern threat actors | +| attackPattern.threatActorIds | Unknown | Attack pattern threat actors internal IDs | +| attackPattern.cves | Unknown | Attack pattern CVEs | +| attackPattern.cveIds | Unknown | Attack pattern CVEs internal IDs | + + +#### Command Example +```!blueliv-tc-attack-pattern attackPattern="Account Discovery"``` + +#### Context Example +``` +{ + "attackPattern": { + "campaignIds": "95,81,82,83,3,", + "campaigns": 5, + "cveIds": "", + "cves": 0, + "description": "Adversaries may attempt to get a listing of local system or domain accounts. 
\n\n### Windows\n\nExample commands that can acquire this information are net user, net group , and net localgroup using the [Net](https://attack.mitre.org/software/S0039) utility or through use of [dsquery](https://attack.mitre.org/software/S0105). If adversaries attempt to identify the primary user, currently logged in user, or set of users that commonly uses a system, [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) may apply.\n\n### Mac\n\nOn Mac, groups can be enumerated through the groups and id commands. In mac specifically, dscl . list /Groups and dscacheutil -q group can also be used to enumerate groups and users.\n\n### Linux\n\nOn Linux, local users can be enumerated through the use of the /etc/passwd file which is world readable. In mac, this same file is only used in single-user mode in addition to the /etc/master.passwd file.\n\nAlso, groups can be enumerated through the groups and id commands.", + "name": "Account Discovery", + "serverity": "Medium", + "signatureIds": "", + "signatures": 0, + "threatActorIds": "1,34,62,21,131,56,89,191,47,8,81,10,50,28,37,194,228,190,", + "threatActors": 18, + "updatedAt": "2018-12-24T23:00:02.352102Z" + }, + "threatContext": { + "hasResults": "true" + } +} +``` + +#### Human Readable Output + +>### Blueliv Attack Pattern info +>|attack_phases|attacker_skills_or_knowledge_required|capec_id|created_at|description|id|links|name|prerequisites|purposes|references|related_vulnerabilities|related_weaknesses|severity|solutions_and_mitigations|tlp|type|updated_at|uuid| +>|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +>| | | | 2018-12-24T23:00:02.352087Z | Adversaries may attempt to get a listing of local system or domain accounts.

### Windows

Example commands that can acquire this information are net user, net group , and net localgroup using the [Net](https://attack.mitre.org/software/S0039) utility or through use of [dsquery](https://attack.mitre.org/software/S0105). If adversaries attempt to identify the primary user, currently logged in user, or set of users that commonly uses a system, [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) may apply.

### Mac

On Mac, groups can be enumerated through the groups and id commands. In mac specifically, dscl . list /Groups and dscacheutil -q group can also be used to enumerate groups and users.

### Linux

On Linux, local users can be enumerated through the use of the /etc/passwd file which is world readable. In mac, this same file is only used in single-user mode in addition to the /etc/master.passwd file.

Also, groups can be enumerated through the groups and id commands. | 686 | self: https://tctrustoylo.blueliv.com/api/v1/attack-pattern/686/ | Account Discovery | | | | | | Medium | | white | AttackPattern | 2018-12-24T23:00:02.352102Z | 72b74d71-8169-42aa-92e0-e7b04b9f5a08 | + + +### blueliv-tc-tool +*** +Gets information about a Tool + + +#### Base Command + +`blueliv-tc-tool` +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| tool | Tool's name to search for | Optional | +| tool_id | Internal Blueliv's id of the tool | Optional | + + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| tool.Name | Unknown | Tool Name | +| tool.description | Unknown | Tool description | +| tool.lastSeen | Unknown | Tool last seen | +| tool.campaigns | Unknown | Tool campaigns | +| tool.campaignIds | Unknown | Tool campaigns internal IDs | +| tool.signatures | Unknown | Tool signatures | +| tool.signatureIds | Unknown | Tool signatures internal IDs | +| tool.threatActors | Unknown | Tool threat actors | +| tool.threatActorIds | Unknown | Tool threat actors internal IDs | + + +#### Command Example +```!blueliv-tc-tool tool=ACEHASH``` + +#### Context Example +``` +{ + "threatContext": { + "hasResults": "true" + }, + "tool": { + "campaignIds": "", + "campaigns": 0, + "description": "

ACEHASH is a credential theft/password hash dumping utility. The code may be based in Mimikatz and appears to be publicly available.

", + "lastSeen": "2019-12-01T00:00:00Z", + "name": "ACEHASH", + "signatureIds": "", + "signatures": 0, + "threatActorIds": "194,", + "threatActors": 1 + } +} +``` + +#### Human Readable Output + +>### Blueliv Tool info +>|created_at|description|discovery_date|first_seen|id|last_seen|links|name|references|targeted_platforms|tlp|type|updated_at|uuid|version| +>|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +>| 2020-02-26T14:35:55.698486Z |

ACEHASH is a credential theft/password hash dumping utility. The code may be based in Mimikatz and appears to be publicly available.

| | 2012-12-01T00:00:00Z | 532 | 2019-12-01T00:00:00Z | self: https://tctrustoylo.blueliv.com/api/v1/tool/532/ | ACEHASH | {'link': 'https://content.fireeye.com/apt-41/rpt-apt41', 'title': 'Double Dragon: APT41, a dual espionage and cyber crime operation'} | | white | Tool | 2020-02-26T14:35:55.698549Z | | | + + +### blueliv-tc-signature +*** +Gets information about a Signature + + +#### Base Command + +`blueliv-tc-signature` +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| signature | Signature's name to search for | Optional | +| signature_id | Internal Blueliv's ID for the signature | Optional | + + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| signature.name | Unknown | Signature name | +| signature.updatedAt | Unknown | Signature updated at | +| signature.ipIds | Unknown | Signature IPs internal IDs | +| signature.malware | Unknown | Signature malware | +| signature.malwareIds | Unknown | Signature malwares internal IDs | +| signature.score | Unknown | Signature score | + + +#### Command Example +```!blueliv-tc-signature signature_id=84458``` + +#### Context Example +``` +{ + "signature": { + "malware": 0, + "malwareIds": "", + "name": "ET TROJAN DonotGroup Staging Domain in DNS Query (sid 2030333)", + "type": "snort", + "updatedAt": "2020-06-15T02:11:21.962364Z" + }, + "threatContext": { + "hasResults": "true" + } +} +``` + +#### Human Readable Output + +>### Blueliv Signature info +>|created_at|id|links|name|references|sid|signature|status|tlp|type|updated_at|version| +>|---|---|---|---|---|---|---|---|---|---|---|---| +>| 2020-06-15T02:11:21.962302Z | 84458 | self: https://tctrustoylo.blueliv.com/api/v1/signature/84458/ | ET TROJAN DonotGroup Staging Domain in DNS Query (sid 2030333) | | 2030333 | alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DonotGroup Staging Domain in DNS Query"; content:"\|01\|"; offset:2; depth:1; content:"\|00 01 00 00 00 00 00\|"; distance:1; 
within:7; content:"\|0c\|yourcontents\|03\|xyz\|00\|"; distance:0; fast_pattern; metadata: former_category MALWARE; classtype:trojan-activity; sid:2030333; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2020_06_12, updated_at 2020_06_12;) | enabled | white | snort | 2020-06-15T02:11:21.962364Z | 2 | + diff --git a/Packs/BluelivThreatContext/README.md b/Packs/BluelivThreatContext/README.md new file mode 100644 index 000000000000..e69de29bb2d1 diff --git a/Packs/BluelivThreatContext/TestPlaybooks/Blueliv_ThreatContext_test.yml b/Packs/BluelivThreatContext/TestPlaybooks/Blueliv_ThreatContext_test.yml new file mode 100644 index 000000000000..815778af522f --- /dev/null +++ b/Packs/BluelivThreatContext/TestPlaybooks/Blueliv_ThreatContext_test.yml 
@@ -0,0 +1,411 @@ +id: Blueliv_ThreatContext_test +version: -1 +name: Blueliv_ThreatContext_test +description: Test all commands from Blueliv ThreatContext integration. +starttaskid: "0" +tasks: + "0": + id: "0" + taskid: 22e35a94-75e3-4089-8e8d-6ac2c69b2989 + type: start + task: + id: 22e35a94-75e3-4089-8e8d-6ac2c69b2989 + version: -1 + name: "" + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "7" + separatecontext: false + view: |- + { + "position": { + "x": 600, + "y": 60 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + "2": + id: "2" + taskid: 51ae9209-8831-4f95-8ec9-9419f4217f20 + type: regular + task: + id: 51ae9209-8831-4f95-8ec9-9419f4217f20 + version: -1 + name: Check IP + description: Gets information about an IP + script: '|||blueliv-tc-indicator-ip' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "3" + scriptarguments: + IP: + simple: 103.76.228.28 + IP_id: {} + separatecontext: false + view: |- + { + "position": { + "x": 600, + "y": 390 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + "3": + id: "3" + taskid: e2479e96-2909-4980-8bf9-aacd094ca3a4 + type: regular + task: + id: e2479e96-2909-4980-8bf9-aacd094ca3a4 + version: -1 + name: Check Threat Actor + description: Gets information about a Threat Actor + script: '|||blueliv-tc-threat-actor' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "4" + scriptarguments: + threatActor: + simple: Vendetta + threatActor_id: {} + separatecontext: false + view: |- + { + "position": { + "x": 600, + "y": 570 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + "4": + id: "4" + taskid: d43499ae-253f-4dc0-827d-f415490feb7f + type: regular + task: + id: d43499ae-253f-4dc0-827d-f415490feb7f + version: -1 + name: Get Tools + description: Gets information about a Tool + script: 
'|||blueliv-tc-tool' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "5" + scriptarguments: + tool: + simple: ACEHASH + tool_id: {} + separatecontext: false + view: |- + { + "position": { + "x": 600, + "y": 760 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + "5": + id: "5" + taskid: 0c44a276-72e0-4632-8e55-fb77e7de07ce + type: regular + task: + id: 0c44a276-72e0-4632-8e55-fb77e7de07ce + version: -1 + name: Get CVE + description: Gets information about CVE + script: '|||blueliv-tc-cve' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "6" + scriptarguments: + CVE: + simple: CVE-2020-8794 + CVE_id: {} + separatecontext: false + view: |- + { + "position": { + "x": 600, + "y": 940 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + "6": + id: "6" + taskid: ec703143-3dfe-48de-84b6-73a4012d0bd4 + type: regular + task: + id: ec703143-3dfe-48de-84b6-73a4012d0bd4 + version: -1 + name: Get malware hash + description: Gets information about malware by ID + script: '|||blueliv-tc-malware' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "8" + scriptarguments: + hash: + simple: ad53660b6d7e8d2ed14bd59b39e1f265148e3c6818a494cce906e749976bade1 + hash_id: {} + separatecontext: false + view: |- + { + "position": { + "x": 600, + "y": 1120 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + "7": + id: "7" + taskid: f72e2020-bc63-49bb-8de8-464a6a2eed61 + type: regular + task: + id: f72e2020-bc63-49bb-8de8-464a6a2eed61 + version: -1 + name: Delete Context + description: Delete field from context + scriptName: DeleteContext + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "2" + scriptarguments: + all: + simple: "yes" + index: {} + key: {} + keysToKeep: {} + subplaybook: {} + separatecontext: false + view: |- + { + 
"position": { + "x": 600, + "y": 210 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + "8": + id: "8" + taskid: e1a14b28-4856-4647-81ba-9d72f0cebb09 + type: regular + task: + id: e1a14b28-4856-4647-81ba-9d72f0cebb09 + version: -1 + name: Get FQDN + description: Gets information about FQDN + script: '|||blueliv-tc-indicator-fqdn' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "9" + scriptarguments: + FQDN: + simple: self-repair.r53-2.services.mozilla.com + FQDN_id: {} + separatecontext: false + view: |- + { + "position": { + "x": 600, + "y": 1310 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + "9": + id: "9" + taskid: c163d4e9-deaf-4d77-8056-4d156976a995 + type: regular + task: + id: c163d4e9-deaf-4d77-8056-4d156976a995 + version: -1 + name: Get attack pattern + description: Gets information about a Attack Pattern + script: '|||blueliv-tc-attack-pattern' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "10" + scriptarguments: + attackPattern: + simple: Account Discovery + attackPatternId: {} + separatecontext: false + view: |- + { + "position": { + "x": 600, + "y": 1510 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + "10": + id: "10" + taskid: 79a2af8f-a658-4410-8a27-15d172d229f0 + type: regular + task: + id: 79a2af8f-a658-4410-8a27-15d172d229f0 + version: -1 + name: Get signature + description: Gets information about a Signature + script: '|||blueliv-tc-signature' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "11" + scriptarguments: + signature: {} + signature_id: + simple: "84458" + separatecontext: false + view: |- + { + "position": { + "x": 600, + "y": 1700 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + "11": + id: "11" + taskid: 
32a9fbaa-2097-4d09-8b78-3eb6cc2f8242 + type: regular + task: + id: 32a9fbaa-2097-4d09-8b78-3eb6cc2f8242 + version: -1 + name: Get Campaign + description: Gets information about a Campaign + script: '|||blueliv-tc-campaign' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "12" + scriptarguments: + campaign: {} + campaign_id: + simple: "152" + separatecontext: false + view: |- + { + "position": { + "x": 600, + "y": 1870 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + "12": + id: "12" + taskid: f6c08518-db12-4cdb-820c-68807fc21036 + type: regular + task: + id: f6c08518-db12-4cdb-820c-68807fc21036 + version: -1 + name: Get Crime Server + description: Gets information about a Crime Server + script: '|||blueliv-tc-indicator-cs' + type: regular + iscommand: true + brand: "" + scriptarguments: + CS: {} + CS_id: + simple: "6626263" + separatecontext: false + view: |- + { + "position": { + "x": 600, + "y": 2060 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 +view: |- + { + "linkLabelsPosition": {}, + "paper": { + "dimensions": { + "height": 2095, + "width": 380, + "x": 600, + "y": 60 + } + } + } +inputs: [] +outputs: [] +fromversion: 5.0.0 diff --git a/Packs/BluelivThreatContext/pack_metadata.json b/Packs/BluelivThreatContext/pack_metadata.json new file mode 100644 index 000000000000..c6b2816e9f4e --- /dev/null +++ b/Packs/BluelivThreatContext/pack_metadata.json 
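Review bot: None of the command tasks in this test playbook verifies what it put into context — tasks 2 through 12 run one `blueliv-tc-*` command each and the chain simply ends at task 12, so the test passes as long as the API returns without an error. A condition task after each command (or a single verification task at the end) checking that `threatContext.hasResults` is `true` and that the expected key such as `threatActor.name` or `campaign.name` is populated would have caught the context-path mistakes visible in the README examples above, where `threatAactor` and `threatActor,ipIds` appear next to `threatActor`, and `campaign,ipIds` next to `campaign`. The playbook also pins live vendor-side identifiers (`CS_id` `6626263`, `signature_id` `84458`, `campaign_id` `152`, the IP `103.76.228.28`) that can disappear from the feed; a short comment on each task noting that a failure there may be a stale ID rather than a regression would save debugging time. Quoting `all: "yes"` as a string is correct here, since DeleteContext expects the literal text rather than a boolean.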
@@ -0,0 +1,16 @@ +{ + "name": "Blueliv ThreatContext", + "description": "The Threat Context module provides SOC, Incident Response and Threat Intelligence teams with continuously updated and intuitive information around threat actors, campaigns, malware indicators, attack patterns, tools, signatures and CVEs. Analysts can rapidly gather enriched, contextualized information to enhance cybersecurity processes before, during and after an attack.", + "support": "community", + "currentVersion": "1.0.0", + "author": "Trust Oylo", + "url": "", + "email": "demisto@trustoylo.com", + "created": "2020-06-08T15:37:54Z", + "categories": [ + "Data Enrichment & Threat Intelligence" + ], + "tags": [], + "useCases": [], + "keywords": [] +} \ No newline at end of file diff --git a/Packs/CheckpointFirewall/Integrations/integration-CheckpointFirewall.yml b/Packs/CheckpointFirewall/Integrations/integration-CheckpointFirewall.yml index 443f54cd1e71..a6f3961a7cc6 100644 --- a/Packs/CheckpointFirewall/Integrations/integration-CheckpointFirewall.yml +++ b/Packs/CheckpointFirewall/Integrations/integration-CheckpointFirewall.yml @@ -944,5 +944,4 @@ script: description: Delete rule from firewall runonce: false tests: -- blockip_test_playbook - CheckpointFW-test diff --git a/Packs/CheckpointFirewall/ReleaseNotes/1_1_0.md b/Packs/CheckpointFirewall/ReleaseNotes/1_1_0.md new file mode 100644 index 000000000000..61c7c5f83633 --- /dev/null +++ b/Packs/CheckpointFirewall/ReleaseNotes/1_1_0.md @@ -0,0 +1,5 @@ + diff --git a/Packs/CheckpointFirewall/pack_metadata.json b/Packs/CheckpointFirewall/pack_metadata.json index 076cae73aea9..ac16fc914c8f 100644 --- a/Packs/CheckpointFirewall/pack_metadata.json +++ b/Packs/CheckpointFirewall/pack_metadata.json 
@@ -2,7 +2,7 @@ "name": "Check Point Firewall", "description": "Manage Check Point firewall via API", "support": "xsoar", - "currentVersion": "1.0.3", + "currentVersion": "1.1.0", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/Code42/IncidentFields/incidentfield-Code42_Username.json b/Packs/Code42/IncidentFields/incidentfield-Code42_Username.json index e9eb4acb4b47..98cda5edf85f 100644 --- a/Packs/Code42/IncidentFields/incidentfield-Code42_Username.json +++ b/Packs/Code42/IncidentFields/incidentfield-Code42_Username.json @@ -1,6 +1,8 @@ { "associatedToAll": false, - "associatedTypes": null, + "associatedTypes": [ + "Code42 Security Alert" + ], "breachScript": "", "caseInsensitive": true, "cliName": "code42username", @@ -37,4 +39,4 @@ "validationRegex": "", "version": -1, "fromVersion": "5.0.0" -} \ No newline at end of file +} diff --git a/Packs/Code42/Integrations/Code42/Code42.py b/Packs/Code42/Integrations/Code42/Code42.py index 2cad184ea20f..207c837fb73e 100644 --- a/Packs/Code42/Integrations/Code42/Code42.py +++ b/Packs/Code42/Integrations/Code42/Code42.py @@ -3,6 +3,7 @@ """ IMPORTS """ import json +import os import requests import py42.sdk import py42.settings @@ -149,12 +150,6 @@ def _get_all_high_risk_employees_from_page(page, risk_tags): return res -def _try_convert_str_list_to_list(str_list): - if isinstance(str_list, str): - return str_list.split(",") - return str_list - - class Code42Client(BaseClient): """ Client will implement the service API, should not contain Cortex XSOAR logic. 
@@ -171,7 +166,15 @@ def __init__(self, sdk, base_url, auth, verify=True, proxy=False): if not self._sdk else None ) + + if not proxy: + _clear_env_var_if_exists('HTTP_PROXY') + _clear_env_var_if_exists('HTTPS_PROXY') + _clear_env_var_if_exists('http_proxy') + _clear_env_var_if_exists('https_proxy') + py42.settings.set_user_agent_suffix("Cortex XSOAR") + py42.settings.verify_ssl_certs = verify def _get_sdk(self): if self._sdk is None: @@ -219,19 +222,19 @@ def remove_user_from_high_risk_employee(self, username): return user_id def add_user_risk_tags(self, username, risk_tags): - risk_tags = _try_convert_str_list_to_list(risk_tags) + risk_tags = argToList(risk_tags) user_id = self._get_user_id(username) self._get_sdk().detectionlists.add_user_risk_tags(user_id, risk_tags) return user_id def remove_user_risk_tags(self, username, risk_tags): - risk_tags = _try_convert_str_list_to_list(risk_tags) + risk_tags = argToList(risk_tags) user_id = self._get_user_id(username) self._get_sdk().detectionlists.remove_user_risk_tags(user_id, risk_tags) return user_id def get_all_high_risk_employees(self, risk_tags, results, filter_type): - risk_tags = _try_convert_str_list_to_list(risk_tags) + risk_tags = argToList(risk_tags) results = int(results) if results else 50 filter_type = filter_type if filter_type else "OPEN" res = [] @@ -327,7 +330,7 @@ def get_org(self, org_name): page_json = json.loads(org_page.text) orgs = page_json.get("orgs") for org in orgs: - if org.get("orgName") == org_name: + if org.get("orgName", "") == org_name: return org raise Code42OrgNotFoundError(org_name) @@ -529,7 +532,7 @@ def _create_hash_filter(hash_arg): def _create_exposure_filter(exposure_arg): # Because the CLI can't accept lists, convert the args to a list if the type is string. - exposure_arg = [arg.strip() for arg in exposure_arg.split(",")] + exposure_arg = argToList(exposure_arg) if "All" in exposure_arg: return ExposureType.exists() return ExposureType.is_in(exposure_arg) 
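Review bot: The new block in `Code42Client.__init__` makes two process-wide changes with no comment explaining them: it deletes `HTTP_PROXY`/`HTTPS_PROXY` (both spellings) from `os.environ` whenever `proxy` is false, and it assigns `py42.settings.verify_ssl_certs = verify`, which is a module-level py42 setting rather than a per-client one, so constructing a client with `verify=False` turns off certificate validation for every py42 call in the process, not just this instance. A why-comment would keep the next maintainer from "cleaning it up": `# proxy env vars are presumably honoured implicitly by py42/requests; drop them when 'Use system proxy' is off so traffic does not route through a proxy unexpectedly` above the `if not proxy:` line, and `# module-global in py42, affects every client created afterwards` on the `verify_ssl_certs` line. `NO_PROXY`/`no_proxy` are left untouched, which is harmless once no proxy variable remains, but worth stating in the same comment. `__init__` starts outside this hunk, so whether `proxy` and `verify` come straight from the integration's `insecure`/`proxy` checkboxes cannot be confirmed here.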
@@ -658,6 +661,11 @@ def _convert_date_arg_to_epoch(date_arg): ).total_seconds() +def _clear_env_var_if_exists(var): + if os.environ.get(var): + del os.environ[var] + + @logger def map_to_code42_event_context(obj): code42_context = _map_obj_to_context(obj, CODE42_EVENT_CONTEXT_FIELD_MAPPER) @@ -1354,7 +1362,7 @@ def create_client(): ) -def run_code42_integration(): +def main(): client = create_client() commands = get_command_map() command_key = demisto.command() @@ -1367,9 +1375,5 @@ def run_code42_integration(): run_command(lambda: commands[command_key](client, demisto.args())) -def main(): - run_code42_integration() - - if __name__ in ("__main__", "__builtin__", "builtins"): main() diff --git a/Packs/Code42/Integrations/Code42/Code42.yml b/Packs/Code42/Integrations/Code42/Code42.yml index 16fe7ab78465..0635a1acb749 100644 --- a/Packs/Code42/Integrations/Code42/Code42.yml +++ b/Packs/Code42/Integrations/Code42/Code42.yml @@ -731,6 +731,37 @@ script: description: Downloads a file from Code42 servers. execution: false name: code42-download-file + outputs: + - contextPath: File.Size + description: The size of the file. + type: Number + - contextPath: File.SHA1 + description: The SHA1 hash of the file. + type: String + - contextPath: File.SHA256 + description: The SHA256 hash of the file. + type: String + - contextPath: File.Name + description: The name of the file. + type: String + - contextPath: File.SSDeep + description: The SSDeep hash of the file. + type: String + - contextPath: File.EntryID + description: The entry ID of the file. + type: String + - contextPath: File.Info + description: File information. + type: String + - contextPath: File.Type + description: The file type. + type: String + - contextPath: File.MD5 + description: The MD5 hash of the file. + type: String + - contextPath: File.Extension + description: The file extension. + type: String - arguments: - default: false description: Email id of the user. 
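Review bot: `_clear_env_var_if_exists` tests `os.environ.get(var)` for truthiness, so a variable exported as an empty string is left in place (harmless for the proxy lookup, but not what the name promises), and the check-then-delete pair can be a single `os.environ.pop(var, None)`. Because the function mutates process-global state, a docstring should say so: `"""Remove ``var`` from this process's environment if present (affects every library in the interpreter)."""`.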
diff --git a/Packs/Code42/Playbooks/playbook-Code42_File_Download.yml b/Packs/Code42/Playbooks/playbook-Code42_File_Download.yml index 39c6242fab1c..bfc58cd65030 100644 --- a/Packs/Code42/Playbooks/playbook-Code42_File_Download.yml +++ b/Packs/Code42/Playbooks/playbook-Code42_File_Download.yml @@ -27,8 +27,27 @@ inputs: required: false value: {} name: Code42 File Download -outputs: [] -sourceplaybookid: Code42 File Search +outputs: +- contextPath: File.Size + description: The size of the file. +- contextPath: File.SHA1 + description: The SHA1 hash of the file. +- contextPath: File.SHA256 + description: The SHA256 hash of the file. +- contextPath: File.Name + description: The name of the file. +- contextPath: File.SSDeep + description: The SSDeep hash of the file. +- contextPath: File.EntryID + description: The entry ID of the file. +- contextPath: File.Info + description: File information. +- contextPath: File.Type + description: The file type. +- contextPath: File.MD5 + description: The MD5 hash of the file. +- contextPath: File.Extension + description: The file extension. starttaskid: "0" tasks: "0": @@ -43,12 +62,12 @@ tasks: skipunavailable: false task: brand: "" - id: 6d1ecdee-78b1-4275-8411-f802589a0a45 + description: "" + id: f45944a7-0362-48e3-8adb-7022ef46ef0e iscommand: false name: "" version: -1 - description: "" - taskid: 6d1ecdee-78b1-4275-8411-f802589a0a45 + taskid: f45944a7-0362-48e3-8adb-7022ef46ef0e timertriggers: [] type: start view: |- @@ -97,12 +116,12 @@ tasks: task: brand: "" description: Checks to see if a Code42 Integration is active. - id: dc6b6ed4-b67e-46b2-8bf5-b2fbbc2e0d8e + id: 22138dd2-186a-4001-83b5-006026235ffc iscommand: false name: Is Code42 Integration Active? type: condition version: -1 - taskid: dc6b6ed4-b67e-46b2-8bf5-b2fbbc2e0d8e + taskid: 22138dd2-186a-4001-83b5-006026235ffc timertriggers: [] type: condition view: |- 
@@ -112,73 +131,45 @@ tasks: "y": 195 } } - "2": + "3": conditions: - condition: - - left: iscontext: true value: - simple: inputs.SHA256 + simple: inputs.MD5 operator: isNotEmpty - label: "yes" - id: "2" - ignoreworker: false - nexttasks: - '#default#': - - "7" - "yes": - - "5" - note: false - quietmode: 0 - separatecontext: false - skipunavailable: false - task: - brand: "" - description: Checks to see if a SHA256 hash exists in the inputs. - id: 7b90d431-46df-45ae-8e2c-d2e888bd6d9c - iscommand: false - name: Does SHA256 Exist? - type: condition - version: -1 - taskid: 7b90d431-46df-45ae-8e2c-d2e888bd6d9c - timertriggers: [] - type: condition - view: |- - { - "position": { - "x": 592.5, - "y": 545 - } - } - "3": - conditions: + label: MD5 - condition: - - left: iscontext: true value: - simple: inputs.MD5 + simple: inputs.SHA256 operator: isNotEmpty - label: "yes" + label: SHA256 id: "3" ignoreworker: false nexttasks: '#default#': - - "2" - "yes": + - "7" + MD5: - "6" + SHA256: + - "5" note: false quietmode: 0 separatecontext: false skipunavailable: false task: brand: "" - description: Checks to see if a MD5 hash exists in the inputs. - id: a6ccfe5a-31b5-4bb1-81c4-6eeadf53420e + description: Check whether the values provided in arguments are equal. If either + of the arguments are missing, no is returned. + id: 3d40417b-2a78-4c8d-877c-10fa9b4d9d84 iscommand: false - name: Does MD5 Exist? + name: What type of hash was supplied? type: condition version: -1 - taskid: a6ccfe5a-31b5-4bb1-81c4-6eeadf53420e + taskid: 3d40417b-2a78-4c8d-877c-10fa9b4d9d84 timertriggers: [] type: condition view: |- 
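Review bot: The new `description` on task "3", `Check whether the values provided in arguments are equal. If either of the arguments are missing, no is returned.`, describes a value-comparison check, not what the task now does (branch on whether `inputs.MD5` or `inputs.SHA256` is non-empty); it reads as copied from another task and will mislead anyone reading the playbook. Something like `description: Branches on which hash was supplied in the inputs - MD5 or SHA256 - and routes to the matching download task; if neither is present the playbook completes without downloading.` matches the `MD5`, `SHA256` and `#default#` next-tasks. As far as I know the conditions of a condition task are evaluated in order, so when both hashes are supplied only the `MD5` branch runs; if that is intended it belongs in the description too.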
@@ -211,20 +202,20 @@ tasks: task: brand: Code42 description: Downloads a file from Code42 servers. - id: 577615d3-3345-4ecc-8a37-a7d36ae6f898 + id: 3b2c3188-d267-4e9d-8f27-54993aa266ee iscommand: true name: Code42 Download by SHA256 script: Code42|||code42-download-file type: regular version: -1 - taskid: 577615d3-3345-4ecc-8a37-a7d36ae6f898 + taskid: 3b2c3188-d267-4e9d-8f27-54993aa266ee timertriggers: [] type: regular view: |- { "position": { - "x": 480, - "y": 720 + "x": 630, + "y": 600 } } "6": @@ -250,20 +241,20 @@ tasks: task: brand: Code42 description: Downloads a file from Code42 servers. - id: c1c84eb4-4b64-41d0-8b07-99be768b4c53 + id: 6b09d948-56b3-4236-87d5-06469c6a67b2 iscommand: true name: Code42 Download by MD5 script: Code42|||code42-download-file type: regular version: -1 - taskid: c1c84eb4-4b64-41d0-8b07-99be768b4c53 + taskid: 6b09d948-56b3-4236-87d5-06469c6a67b2 timertriggers: [] type: regular view: |- { "position": { - "x": 50, - "y": 720 + "x": 100, + "y": 590 } } "7": @@ -275,20 +266,20 @@ tasks: skipunavailable: false task: brand: "" - id: 05d51ceb-6a80-4e24-8264-f43e2865ffdb + description: "" + id: a31058a7-f7d7-4c3b-8d52-633b15b8b385 iscommand: false name: Complete type: title version: -1 - description: "" - taskid: 05d51ceb-6a80-4e24-8264-f43e2865ffdb + taskid: a31058a7-f7d7-4c3b-8d52-633b15b8b385 timertriggers: [] type: title view: |- { "position": { - "x": 480, - "y": 895 + "x": 377.5, + "y": 775 } } version: -1 @@ -297,9 +288,9 @@ view: |- "linkLabelsPosition": {}, "paper": { "dimensions": { - "height": 910, - "width": 922.5, - "x": 50, + "height": 790, + "width": 910, + "x": 100, "y": 50 } } diff --git a/Packs/Code42/Playbooks/playbook-Code42_File_Download_README.md b/Packs/Code42/Playbooks/playbook-Code42_File_Download_README.md index 2e6b6513046b..1a9ac1b7994d 100644 --- a/Packs/Code42/Playbooks/playbook-Code42_File_Download_README.md +++ b/Packs/Code42/Playbooks/playbook-Code42_File_Download_README.md 
@@ -29,50 +29,16 @@ This playbook does not use any scripts. | **Path** | **Description** | **Type** | | --- | --- | --- | -| Code42.SecurityData | Returned File Results | unknown | -| Code42.SecurityData.EventTimestamp | Timestamp for event | unknown | -| Code42.SecurityData.FileCreated | File creation date | unknown | -| Code42.SecurityData.EndpointID | Code42 device ID | unknown | -| Code42.SecurityData.DeviceUsername | Username that device is associated with in Code42 | unknown | -| Code42.SecurityData.EmailFrom | Sender email address for email exfiltration events | unknown | -| Code42.SecurityData.EmailTo | Recipient emial address for email exfiltration events | unknown | -| Code42.SecurityData.EmailSubject | Email subject line for email exfiltration events | unknown | -| Code42.SecurityData.EventID | Security Data event ID | unknown | -| Code42.SecurityData.EventType | Type of Security Data event | unknown | -| Code42.SecurityData.FileCategory | Type of file as determined by Code42 engine | unknown | -| Code42.SecurityData.FileOwner | Owner of file | unknown | -| Code42.SecurityData.FileName | File name | unknown | -| Code42.SecurityData.FilePath | Path to file | unknown | -| Code42.SecurityData.FileSize | Size of file in bytes | unknown | -| Code42.SecurityData.FileModified | File modification date | unknown | -| Code42.SecurityData.FileMD5 | MD5 hash of file | unknown | -| Code42.SecurityData.FileHostname | Hostname where file event was captured | unknown | -| Code42.SecurityData.DevicePrivateIPAddress | Private IP addresses of device where event was captured | unknown | -| Code42.SecurityData.DevicePublicIPAddress | Public IP address of device where event was captured | unknown | -| Code42.SecurityData.RemovableMediaType | Type of removate media | unknown | -| Code42.SecurityData.RemovableMediaCapacity | Total capacity of removable media in bytes | unknown | -| Code42.SecurityData.RemovableMediaMediaName | Full name of removable media | unknown | -| 
Code42.SecurityData.RemovableMediaName | Name of removable media | unknown | -| Code42.SecurityData.RemovableMediaSerialNumber | Serial number for removable medial device | unknown | -| Code42.SecurityData.RemovableMediaVendor | Vendor name for removable device | unknown | -| Code42.SecurityData.FileSHA256 | SHA256 hash of file | unknown | -| Code42.SecurityData.FileShared | Whether file is shared using cloud file service | unknown | -| Code42.SecurityData.FileSharedWith | Accounts that file is shared with on cloud file service | unknown | -| Code42.SecurityData.Source | Source of file event, Cloud or Endpoint | unknown | -| Code42.SecurityData.ApplicationTabURL | URL associated with application read event | unknown | -| Code42.SecurityData.ProcessName | Process name for application read event | unknown | -| Code42.SecurityData.ProcessOwner | Process owner for application read event | unknown | -| Code42.SecurityData.WindowTitle | Process name for application read event | unknown | -| Code42.SecurityData.FileURL | URL of file on cloud file service | unknown | -| Code42.SecurityData.Exposure | Exposure type for event | unknown | -| Code42.SecurityData.SharingTypeAdded | Type of sharing added to file | unknown | -| File | The file object. | unknown | -| File.Name | File name | unknown | -| File.Path | File path | unknown | | File.Size | File size in bytes | unknown | -| File.MD5 | MD5 hash of file | unknown | +| File.SHA1 | The SHA1 hash of the file. | unknown | | File.SHA256 | SHA256 hash of file | unknown | -| File.Hostname | Hostname where file event was captured | unknown | +| File.Name | File name | unknown | +| File.SSDeep | The SSDeep hash of the file. | unknown | +| File.EntryID | The entry ID of the file. | unknown | +| File.Info | File information. | unknown | +| File.Type | The file type. | unknown | +| File.MD5 | The MD5 hash of the file. | unknown | +| File.Extension | The file extension. | unknown | ## Playbook Image --- 
diff --git a/Packs/DeprecatedContent/Integrations/Cymon/Cymon.yml b/Packs/DeprecatedContent/Integrations/Cymon/Cymon.yml index 71472728efc6..c96fb4f5a459 100644 --- a/Packs/DeprecatedContent/Integrations/Cymon/Cymon.yml +++ b/Packs/DeprecatedContent/Integrations/Cymon/Cymon.yml @@ -111,3 +111,5 @@ script: script: '' type: python subtype: python2 +tests: + - No tests diff --git a/Packs/DeprecatedContent/Integrations/ExtraHop/ExtraHop.yml b/Packs/DeprecatedContent/Integrations/ExtraHop/ExtraHop.yml index 26db2061c43f..65936fd2310d 100644 --- a/Packs/DeprecatedContent/Integrations/ExtraHop/ExtraHop.yml +++ b/Packs/DeprecatedContent/Integrations/ExtraHop/ExtraHop.yml @@ -890,4 +890,4 @@ script: type: python subtype: python3 tests: -- ExtraHop-Test +- No tests diff --git a/Packs/DeprecatedContent/Integrations/PaloAltoNetworksCortex/PaloAltoNetworksCortex.yml b/Packs/DeprecatedContent/Integrations/PaloAltoNetworksCortex/PaloAltoNetworksCortex.yml index a55ebf4725ea..f497d978e3ea 100644 --- a/Packs/DeprecatedContent/Integrations/PaloAltoNetworksCortex/PaloAltoNetworksCortex.yml +++ b/Packs/DeprecatedContent/Integrations/PaloAltoNetworksCortex/PaloAltoNetworksCortex.yml @@ -1772,5 +1772,5 @@ script: type: python subtype: python3 tests: -- Palo Alto Networks Cortex Test +- No tests fromversion: 4.1.0 diff --git a/Packs/DeprecatedContent/Integrations/PaloAlto_MineMeld/PaloAlto_MineMeld.yml b/Packs/DeprecatedContent/Integrations/PaloAlto_MineMeld/PaloAlto_MineMeld.yml index 5acb4fe52ebf..c5f34db41daa 100644 --- a/Packs/DeprecatedContent/Integrations/PaloAlto_MineMeld/PaloAlto_MineMeld.yml +++ b/Packs/DeprecatedContent/Integrations/PaloAlto_MineMeld/PaloAlto_MineMeld.yml @@ -488,4 +488,4 @@ script: type: python subtype: python2 tests: -- minemeld_test +- No tests diff --git a/Packs/DeprecatedContent/Integrations/integration-AlienVaultOTX.yml b/Packs/DeprecatedContent/Integrations/integration-AlienVaultOTX.yml index 63a1b8170dea..de841fe0e07d 100644 
--- a/Packs/DeprecatedContent/Integrations/integration-AlienVaultOTX.yml +++ b/Packs/DeprecatedContent/Integrations/integration-AlienVaultOTX.yml @@ -461,4 +461,4 @@ script: runonce: false fromversion: 3.0.1 tests: - - AlienVaultOTX Test + - No tests diff --git a/Packs/DeprecatedContent/Integrations/integration-Shodan.yml b/Packs/DeprecatedContent/Integrations/integration-Shodan.yml index 15038b0b0377..49221175a08c 100644 --- a/Packs/DeprecatedContent/Integrations/integration-Shodan.yml +++ b/Packs/DeprecatedContent/Integrations/integration-Shodan.yml @@ -142,4 +142,4 @@ script: description: Returns all services that have been found on the given host IP. runonce: false tests: - - ShodanTest + - No tests diff --git a/Packs/DeprecatedContent/Playbooks/playbook-Account_Enrichment_-_Generic_v2.yml b/Packs/DeprecatedContent/Playbooks/playbook-Account_Enrichment_-_Generic_v2.yml index a1a7672c023f..0f2a88616805 100644 --- a/Packs/DeprecatedContent/Playbooks/playbook-Account_Enrichment_-_Generic_v2.yml +++ b/Packs/DeprecatedContent/Playbooks/playbook-Account_Enrichment_-_Generic_v2.yml @@ -238,4 +238,4 @@ outputs: description: The account's manager. type: string tests: - - Account Enrichment - Generic v2 - Test + - No tests diff --git a/Packs/DeprecatedContent/Playbooks/playbook-DBotCreatePhishingClassifier.yml b/Packs/DeprecatedContent/Playbooks/playbook-DBotCreatePhishingClassifier.yml index 4ad4042a7447..d28806cfef44 100644 --- a/Packs/DeprecatedContent/Playbooks/playbook-DBotCreatePhishingClassifier.yml +++ b/Packs/DeprecatedContent/Playbooks/playbook-DBotCreatePhishingClassifier.yml @@ -361,4 +361,4 @@ outputs: description: Model list name in Demisto fromversion: 4.1.0 tests: - - CreatePhishingClassifierMLTest \ No newline at end of file + - No tests diff --git a/Packs/DeprecatedContent/Playbooks/playbook-DBotCreatePhishingClassifierJob.yml b/Packs/DeprecatedContent/Playbooks/playbook-DBotCreatePhishingClassifierJob.yml index 52a9131c2d98..eb229c324f18 100644 
--- a/Packs/DeprecatedContent/Playbooks/playbook-DBotCreatePhishingClassifierJob.yml +++ b/Packs/DeprecatedContent/Playbooks/playbook-DBotCreatePhishingClassifierJob.yml @@ -185,4 +185,4 @@ inputs: [] outputs: [] fromversion: 4.1.0 tests: - - CreatePhishingClassifierMLTest \ No newline at end of file + - No tests diff --git a/Packs/DeprecatedContent/Playbooks/playbook-DeDup_incidents.yml b/Packs/DeprecatedContent/Playbooks/playbook-DeDup_incidents.yml index 91a9a5527ec9..a70d9e7cd3bf 100644 --- a/Packs/DeprecatedContent/Playbooks/playbook-DeDup_incidents.yml +++ b/Packs/DeprecatedContent/Playbooks/playbook-DeDup_incidents.yml @@ -196,4 +196,4 @@ outputs: - contextPath: isSimilarIncidentFound description: Is similar incident found? (true\false) tests: - - test_similar_incidents + - No tests diff --git a/Packs/DeprecatedContent/Playbooks/playbook-Dedup_-_Generic.yml b/Packs/DeprecatedContent/Playbooks/playbook-Dedup_-_Generic.yml index 088f4d379cb5..bb22e40a710d 100644 --- a/Packs/DeprecatedContent/Playbooks/playbook-Dedup_-_Generic.yml +++ b/Packs/DeprecatedContent/Playbooks/playbook-Dedup_-_Generic.yml @@ -381,4 +381,4 @@ outputs: description: The similar incident. type: unknown tests: - - dedup_-_generic_-_test + - No tests diff --git a/Packs/DeprecatedContent/Playbooks/playbook-Email_Address_Enrichment_-_Generic_v2.yml b/Packs/DeprecatedContent/Playbooks/playbook-Email_Address_Enrichment_-_Generic_v2.yml index f5f0fa568a29..d1263dba2e85 100644 --- a/Packs/DeprecatedContent/Playbooks/playbook-Email_Address_Enrichment_-_Generic_v2.yml +++ b/Packs/DeprecatedContent/Playbooks/playbook-Email_Address_Enrichment_-_Generic_v2.yml @@ -622,4 +622,4 @@ outputs: description: The DBot score. type: number tests: - - Email Address Enrichment - Generic v2 - Test + - No tests 
diff --git a/Packs/DeprecatedContent/Playbooks/playbook-PANW_-_Hunting_and_threat_detection_by_indicator_type.yml b/Packs/DeprecatedContent/Playbooks/playbook-PANW_-_Hunting_and_threat_detection_by_indicator_type.yml index 801122d458ef..31df28bfe808 100644 --- a/Packs/DeprecatedContent/Playbooks/playbook-PANW_-_Hunting_and_threat_detection_by_indicator_type.yml +++ b/Packs/DeprecatedContent/Playbooks/playbook-PANW_-_Hunting_and_threat_detection_by_indicator_type.yml @@ -1536,7 +1536,7 @@ tasks: type: condition task: id: 7c07c4aa-f0d0-4b3f-8066-06638dc7dd4d - description: Is Cortex Data Lake enabled? + description: Is Cortex Data Lake enabled? version: -1 name: Is Cortex Data Lake enabled? type: condition @@ -3479,4 +3479,4 @@ outputs: type: string tests: -- PANW - Hunting and threat detection by indicator type Test +- No tests diff --git a/Packs/DeprecatedContent/ReleaseNotes/1_3_0.md b/Packs/DeprecatedContent/ReleaseNotes/1_3_0.md new file mode 100644 index 000000000000..33cd9e03bef1 --- /dev/null +++ b/Packs/DeprecatedContent/ReleaseNotes/1_3_0.md @@ -0,0 +1,32 @@ + diff --git a/Packs/DeprecatedContent/Scripts/DBotPredictPhishingLabel/DBotPredictPhishingLabel.yml b/Packs/DeprecatedContent/Scripts/DBotPredictPhishingLabel/DBotPredictPhishingLabel.yml index 493b92bcd1f8..1eadbe2702af 100644 --- a/Packs/DeprecatedContent/Scripts/DBotPredictPhishingLabel/DBotPredictPhishingLabel.yml +++ b/Packs/DeprecatedContent/Scripts/DBotPredictPhishingLabel/DBotPredictPhishingLabel.yml @@ -60,5 +60,5 @@ deprecated: true dockerimage: demisto/dl:1.1 runonce: false tests: -- CreatePhishingClassifierMLTest +- No tests fromversion: 4.1.0 diff --git a/Packs/DeprecatedContent/Scripts/ProofpointDecodeURL/ProofpointDecodeURL.yml b/Packs/DeprecatedContent/Scripts/ProofpointDecodeURL/ProofpointDecodeURL.yml index 31cb7f28e1d6..25d79290404f 100644 --- a/Packs/DeprecatedContent/Scripts/ProofpointDecodeURL/ProofpointDecodeURL.yml 
+++ b/Packs/DeprecatedContent/Scripts/ProofpointDecodeURL/ProofpointDecodeURL.yml @@ -18,5 +18,5 @@ outputs: description: Decoded URLs scripttarget: 0 tests: - - ProofpointDecodeURL-Test + - No tests deprecated: true diff --git a/Packs/DeprecatedContent/Scripts/script-BlockIP.yml b/Packs/DeprecatedContent/Scripts/script-BlockIP.yml index 76e8657251e8..7e6704d1deec 100644 --- a/Packs/DeprecatedContent/Scripts/script-BlockIP.yml +++ b/Packs/DeprecatedContent/Scripts/script-BlockIP.yml @@ -66,4 +66,4 @@ dependson: - panorama - checkpoint tests: -- blockip_test_playbook +- No tests diff --git a/Packs/DeprecatedContent/Scripts/script-CPBlockIP.yml b/Packs/DeprecatedContent/Scripts/script-CPBlockIP.yml index 632891d2baf9..bdb51059cc74 100644 --- a/Packs/DeprecatedContent/Scripts/script-CPBlockIP.yml +++ b/Packs/DeprecatedContent/Scripts/script-CPBlockIP.yml @@ -104,4 +104,4 @@ dependson: must: - checkpoint tests: -- blockip_test_playbook \ No newline at end of file +- No tests diff --git a/Packs/DeprecatedContent/Scripts/script-DBotPredictPhishingEvaluation.yml b/Packs/DeprecatedContent/Scripts/script-DBotPredictPhishingEvaluation.yml index d285ee817e69..b68d7e4eb1fb 100644 --- a/Packs/DeprecatedContent/Scripts/script-DBotPredictPhishingEvaluation.yml +++ b/Packs/DeprecatedContent/Scripts/script-DBotPredictPhishingEvaluation.yml @@ -163,4 +163,4 @@ dockerimage: demisto/dl:1.1 deprecated: true fromversion: 4.1.0 tests: - - CreatePhishingClassifierMLTest + - No tests diff --git a/Packs/DeprecatedContent/Scripts/script-DBotPredictTextLabel.yml b/Packs/DeprecatedContent/Scripts/script-DBotPredictTextLabel.yml index 80a3b48c830c..49887e089ebe 100644 --- a/Packs/DeprecatedContent/Scripts/script-DBotPredictTextLabel.yml +++ b/Packs/DeprecatedContent/Scripts/script-DBotPredictTextLabel.yml @@ -107,4 +107,4 @@ dockerimage: demisto/dl:1.1 deprecated: true fromversion: 4.1.0 tests: - - CreatePhishingClassifierMLTest + - No tests 
diff --git a/Packs/DeprecatedContent/Scripts/script-DBotPreparePhishingData.yml b/Packs/DeprecatedContent/Scripts/script-DBotPreparePhishingData.yml index 030ebf5126dd..009becc7ddbe 100644 --- a/Packs/DeprecatedContent/Scripts/script-DBotPreparePhishingData.yml +++ b/Packs/DeprecatedContent/Scripts/script-DBotPreparePhishingData.yml @@ -222,4 +222,4 @@ dockerimage: demisto/dl:1.1 deprecated: true fromversion: 4.1.0 tests: - - CreatePhishingClassifierMLTest + - No tests diff --git a/Packs/DeprecatedContent/Scripts/script-DBotTrainTextClassifier.yml b/Packs/DeprecatedContent/Scripts/script-DBotTrainTextClassifier.yml index 9eb29956af35..5057dce8d3b4 100644 --- a/Packs/DeprecatedContent/Scripts/script-DBotTrainTextClassifier.yml +++ b/Packs/DeprecatedContent/Scripts/script-DBotTrainTextClassifier.yml @@ -118,4 +118,4 @@ dockerimage: demisto/dl:1.1 deprecated: true fromversion: 4.1.0 tests: - - CreatePhishingClassifierMLTest \ No newline at end of file + - No tests diff --git a/Packs/DeprecatedContent/Scripts/script-PanoramaBlockIP.yml b/Packs/DeprecatedContent/Scripts/script-PanoramaBlockIP.yml index e95f99e5f328..5b33afc4a140 100644 --- a/Packs/DeprecatedContent/Scripts/script-PanoramaBlockIP.yml +++ b/Packs/DeprecatedContent/Scripts/script-PanoramaBlockIP.yml @@ -91,5 +91,4 @@ dependson: must: - panorama tests: -- palo_alto_firewall_test_pb -- blockip_test_playbook \ No newline at end of file +- No tests diff --git a/Packs/DeprecatedContent/pack_metadata.json b/Packs/DeprecatedContent/pack_metadata.json index afd3604e0c22..d80edbb28466 100644 --- a/Packs/DeprecatedContent/pack_metadata.json +++ b/Packs/DeprecatedContent/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Deprecated Content", "description": "Deprecated Cortex XSOAR content pack.", "support": "xsoar", - "currentVersion": "1.2.0", + "currentVersion": "1.3.0", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", 
diff --git a/Packs/Jira/ReleaseNotes/1_0_1.md b/Packs/Jira/ReleaseNotes/1_0_1.md new file mode 100644 index 000000000000..dd3dccef2f5a --- /dev/null +++ b/Packs/Jira/ReleaseNotes/1_0_1.md @@ -0,0 +1,5 @@ + diff --git a/Packs/Jira/Scripts/script-JiraCreaetIssueGeneric.yml b/Packs/Jira/Scripts/script-JiraCreaetIssueGeneric.yml index ae44ec1a2deb..cedd43f06ab6 100644 --- a/Packs/Jira/Scripts/script-JiraCreaetIssueGeneric.yml +++ b/Packs/Jira/Scripts/script-JiraCreaetIssueGeneric.yml @@ -94,4 +94,4 @@ dependson: - jira-delete-issue runonce: false tests: - - JiraCreateIssue-example-test \ No newline at end of file + - No tests diff --git a/Packs/Jira/pack_metadata.json b/Packs/Jira/pack_metadata.json index 05ca2df52049..3f650ad4a0f6 100644 --- a/Packs/Jira/pack_metadata.json +++ b/Packs/Jira/pack_metadata.json @@ -1,16 +1,16 @@ { - "name": "Atlassian Jira", - "description": "Use the Jira integration to manage issues and create Demisto incidents from projects.", - "support": "xsoar", - "currentVersion": "1.0.0", - "author": "Cortex XSOAR", - "url": "https://www.paloaltonetworks.com/cortex", - "email": "", - "created": "2020-04-14T00:00:00Z", - "categories": [ - "Case Management" - ], - "tags": [], - "useCases": [], - "keywords": [] + "name": "Atlassian Jira", + "description": "Use the Jira integration to manage issues and create Demisto incidents from projects.", + "support": "xsoar", + "currentVersion": "1.0.1", + "author": "Cortex XSOAR", + "url": "https://www.paloaltonetworks.com/cortex", + "email": "", + "created": "2020-04-14T00:00:00Z", + "categories": [ + "Case Management" + ], + "tags": [], + "useCases": [], + "keywords": [] } diff --git a/Packs/MicrosoftGraphListener/Integrations/MicrosoftGraphListener/MicrosoftGraphListener.py b/Packs/MicrosoftGraphListener/Integrations/MicrosoftGraphListener/MicrosoftGraphListener.py index 6a5764f33314..b5bce208a493 100644 --- a/Packs/MicrosoftGraphListener/Integrations/MicrosoftGraphListener/MicrosoftGraphListener.py 
+++ b/Packs/MicrosoftGraphListener/Integrations/MicrosoftGraphListener/MicrosoftGraphListener.py @@ -124,13 +124,17 @@ def prepare_args(command, args): :rtype: ``dict`` """ if command in ['msgraph-mail-create-draft', 'send-mail']: + if args.get('htmlBody', None): + email_body = args.get('htmlBody') + else: + email_body = args.get('body', '') return { 'to_recipients': argToList(args.get('to')), 'cc_recipients': argToList(args.get('cc')), 'bcc_recipients': argToList(args.get('bcc')), 'subject': args.get('subject', ''), - 'body': args.get('body', ''), - 'body_type': args.get('body_type', 'text'), + 'body': email_body, + 'body_type': args.get('body_type', 'html'), 'flag': args.get('flag', 'notFlagged'), 'importance': args.get('importance', 'Low'), 'internet_message_headers': argToList(args.get('headers')), diff --git a/Packs/MicrosoftGraphListener/ReleaseNotes/1_0_4.md b/Packs/MicrosoftGraphListener/ReleaseNotes/1_0_4.md new file mode 100644 index 000000000000..2ebe838e3dfe --- /dev/null +++ b/Packs/MicrosoftGraphListener/ReleaseNotes/1_0_4.md @@ -0,0 +1,3 @@ +#### Integrations +##### Microsoft Graph Mail Single User +- Fixed and issue where communication tasks were sending emails in text format only. \ No newline at end of file diff --git a/Packs/MicrosoftGraphListener/pack_metadata.json b/Packs/MicrosoftGraphListener/pack_metadata.json index 95a8645c3323..4b3b28e76ecc 100644 --- a/Packs/MicrosoftGraphListener/pack_metadata.json +++ b/Packs/MicrosoftGraphListener/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Microsoft Graph Mail Single User", "description": "Microsoft Graph grants Demisto authorized access to a user's Microsoft Outlook mail data in a personal account or organization account.", "support": "xsoar", - "currentVersion": "1.0.3", + "currentVersion": "1.0.4", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", 
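Review bot: Changing the `body_type` default from `'text'` to `'html'` applies even when no `htmlBody` was supplied, so an existing caller that passes only a plain-text `body` now has that text interpreted as HTML (literal `<`, `>` and `&` in the message become markup) unless it also sets `body_type` explicitly. The default should follow which argument was used: `html_body = args.get('htmlBody')`, `email_body = html_body or args.get('body', '')`, and `'body_type': args.get('body_type', 'html' if html_body else 'text'),`; that also removes the duplicated `args.get('htmlBody', None)` / `args.get('htmlBody')` lookup. The same pattern is in the `MicrosoftGraphMail.py` hunk at `@@ -1308,13 +1308,17 @@` (there the argument key is `bodyType`). `prepare_args` starts and ends outside this hunk.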
diff --git a/Packs/MicrosoftGraphMail/Integrations/MicrosoftGraphMail/MicrosoftGraphMail.py b/Packs/MicrosoftGraphMail/Integrations/MicrosoftGraphMail/MicrosoftGraphMail.py index 4e2fa9297d60..11a3d2c642e7 100644 --- a/Packs/MicrosoftGraphMail/Integrations/MicrosoftGraphMail/MicrosoftGraphMail.py +++ b/Packs/MicrosoftGraphMail/Integrations/MicrosoftGraphMail/MicrosoftGraphMail.py @@ -1308,13 +1308,17 @@ def prepare_args(command, args): :rtype: ``dict`` """ if command in ['create-draft', 'send-mail']: + if args.get('htmlBody', None): + email_body = args.get('htmlBody') + else: + email_body = args.get('body', '') return { 'to_recipients': argToList(args.get('to')), 'cc_recipients': argToList(args.get('cc')), 'bcc_recipients': argToList(args.get('bcc')), 'subject': args.get('subject', ''), - 'body': args.get('body', ''), - 'body_type': args.get('bodyType', 'text'), + 'body': email_body, + 'body_type': args.get('bodyType', 'html'), 'flag': args.get('flag', 'notFlagged'), 'importance': args.get('importance', 'Low'), 'internet_message_headers': argToList(args.get('headers')), diff --git a/Packs/MicrosoftGraphMail/ReleaseNotes/1_0_2.md b/Packs/MicrosoftGraphMail/ReleaseNotes/1_0_2.md new file mode 100644 index 000000000000..a7cb0dc5b9a9 --- /dev/null +++ b/Packs/MicrosoftGraphMail/ReleaseNotes/1_0_2.md @@ -0,0 +1,3 @@ +#### Integrations +##### MicrosoftGraphMail +- Fixed and issue where communication tasks were sending emails in text format only. diff --git a/Packs/MicrosoftGraphMail/pack_metadata.json b/Packs/MicrosoftGraphMail/pack_metadata.json index 2767777ccb38..10f558ce94a3 100644 --- a/Packs/MicrosoftGraphMail/pack_metadata.json +++ b/Packs/MicrosoftGraphMail/pack_metadata.json 
@@ -2,7 +2,7 @@ "name": "Microsoft Graph Mail", "description": "Microsoft Graph lets your app get authorized access to a user's Outlook mail data in a personal or organization account.", "support": "xsoar", - "currentVersion": "1.0.1", + "currentVersion": "1.0.2", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/NonSupported/Scripts/FindSimilarIncidents/FindSimilarIncidents.yml b/Packs/NonSupported/Scripts/FindSimilarIncidents/FindSimilarIncidents.yml index c9a496e263e1..ef23061f7598 100644 --- a/Packs/NonSupported/Scripts/FindSimilarIncidents/FindSimilarIncidents.yml +++ b/Packs/NonSupported/Scripts/FindSimilarIncidents/FindSimilarIncidents.yml @@ -146,5 +146,5 @@ type: python subtype: python2 runonce: false tests: -- dedup_-_generic_-_test -toversion: 4.1.0 \ No newline at end of file +- No tests +toversion: 4.1.0 diff --git a/Packs/NonSupported/Scripts/script-ReadPDFFile_4_0.yml b/Packs/NonSupported/Scripts/script-ReadPDFFile_4_0.yml index e45d58ec2e80..11dcb8752296 100644 --- a/Packs/NonSupported/Scripts/script-ReadPDFFile_4_0.yml +++ b/Packs/NonSupported/Scripts/script-ReadPDFFile_4_0.yml @@ -143,4 +143,4 @@ scripttarget: 0 runonce: false dockerimage: demisto/pdfx tests: - - ReadPDFFile-Test + - No tests diff --git a/Packs/PAN-OS/Playbooks/playbook-NetOps_-_Firewall_Upgrade.yml b/Packs/PAN-OS/Playbooks/playbook-NetOps_-_Firewall_Upgrade.yml index d9005ee8c107..d989c27a6fef 100644 --- a/Packs/PAN-OS/Playbooks/playbook-NetOps_-_Firewall_Upgrade.yml +++ b/Packs/PAN-OS/Playbooks/playbook-NetOps_-_Firewall_Upgrade.yml 
@@ -4,7 +4,7 @@ fromversion: 5.0.0 name: NetOps - Upgrade PAN-OS Firewall Device description: 'Network operations playbook that upgrades the firewall. You must have Superuser permissions to update the PAN-OS version. - Note: This playbook should only be used for minor version upgrades. Major version upgrades will not work due to a change in the API key. ' + Note: This playbook should only be used for minor version upgrades. Major version upgrades will not work due to a change in the API key.' starttaskid: "0" tasks: "0": diff --git a/Packs/PAN-OS/Playbooks/playbook-NetOps_-_Firewall_Upgrade_CHANGELOG.md b/Packs/PAN-OS/Playbooks/playbook-NetOps_-_Firewall_Upgrade_CHANGELOG.md index d590966b802a..2c532574695c 100644 --- a/Packs/PAN-OS/Playbooks/playbook-NetOps_-_Firewall_Upgrade_CHANGELOG.md +++ b/Packs/PAN-OS/Playbooks/playbook-NetOps_-_Firewall_Upgrade_CHANGELOG.md @@ -1,7 +1,6 @@ ## [Unreleased] - - ## [20.2.4] - 2020-02-25 Updated playbook descriptions and task names. diff --git a/Packs/PAN-OS/Playbooks/playbook-NetOps_-_Firewall_Version_Content_Upgrade.yml b/Packs/PAN-OS/Playbooks/playbook-NetOps_-_Firewall_Version_Content_Upgrade.yml index 6be3eacd1ab9..d77a4ec03992 100644 --- a/Packs/PAN-OS/Playbooks/playbook-NetOps_-_Firewall_Version_Content_Upgrade.yml +++ b/Packs/PAN-OS/Playbooks/playbook-NetOps_-_Firewall_Version_Content_Upgrade.yml @@ -406,7 +406,7 @@ tasks: simple: "10" dt: simple: Panorama.Content.Install(val.Status !== 'Completed' && val.Status - != ‘Failed’).JobID + !== 'Failed').JobID separatecontext: true loop: iscommand: false @@ -494,8 +494,8 @@ tasks: Timeout: simple: "20" dt: - simple: Panorama.PANOS.Download(val.Status !== 'Completed' && val.Status != - ‘Failed’).JobID + simple: Panorama.PANOS.Download(val.Status !== 'Completed' && val.Status !== + 'Failed').JobID separatecontext: true loop: iscommand: false 
@@ -550,8 +550,8 @@ tasks:
 Timeout:
 simple: "20"
 dt:
- simple: Panorama.PANOS.Install(val.Status !== 'Completed' && val.Status !=
- ‘Failed’).JobID
+ simple: Panorama.PANOS.Install(val.Status !== 'Completed' && val.Status !==
+ 'Failed').JobID
 separatecontext: true
 loop:
 iscommand: false
diff --git a/Packs/PAN-OS/ReleaseNotes/1_4_1.md b/Packs/PAN-OS/ReleaseNotes/1_4_1.md
new file mode 100644
index 000000000000..398563852c84
--- /dev/null
+++ b/Packs/PAN-OS/ReleaseNotes/1_4_1.md
@@ -0,0 +1,4 @@
+
+#### Playbooks
+##### NetOps - Firewall Version and Content Upgrade
+ - Fixed DT syntax issues.
diff --git a/Packs/PAN-OS/pack_metadata.json b/Packs/PAN-OS/pack_metadata.json
index 5f79f3d19a66..5d964f8f13d2 100644
--- a/Packs/PAN-OS/pack_metadata.json
+++ b/Packs/PAN-OS/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "PAN-OS",
 "description": "Manage Palo Alto Networks Firewall and Panorama. For more information see Panorama documentation.",
 "support": "xsoar",
- "currentVersion": "1.4.0",
+ "currentVersion": "1.4.1",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
diff --git a/Packs/PANWComprehensiveInvestigation/Playbooks/PANW_-_Hunting_and_threat_detection_by_indicator_type_V2.yml b/Packs/PANWComprehensiveInvestigation/Playbooks/PANW_-_Hunting_and_threat_detection_by_indicator_type_V2.yml
index b0d3436f4934..40bdedb3cbfc 100644
--- a/Packs/PANWComprehensiveInvestigation/Playbooks/PANW_-_Hunting_and_threat_detection_by_indicator_type_V2.yml
+++ b/Packs/PANWComprehensiveInvestigation/Playbooks/PANW_-_Hunting_and_threat_detection_by_indicator_type_V2.yml
@@ -3435,4 +3435,4 @@ outputs:
 description: External host names detected based on fields and inputs in your search.
 type: string
 tests:
-- PANW - Hunting and threat detection by indicator type Test
+- No tests
diff --git a/Packs/PANWComprehensiveInvestigation/ReleaseNotes/1_1_0.md b/Packs/PANWComprehensiveInvestigation/ReleaseNotes/1_1_0.md
new file mode 100644
index 000000000000..708f689d0b7d
--- /dev/null
+++ b/Packs/PANWComprehensiveInvestigation/ReleaseNotes/1_1_0.md
@@ -0,0 +1,5 @@
+
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-Account_Enrichment_-_Generic_Test.yml b/TestPlaybooks/NonCircleTests/Deprecated/playbook-Account_Enrichment_-_Generic_Test.yml
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-Account_Enrichment_-_Generic_Test.yml
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-Account_Enrichment_-_Generic_Test.yml
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-Account_Enrichment_-_Generic_v2_Test.yml b/TestPlaybooks/NonCircleTests/Deprecated/playbook-Account_Enrichment_-_Generic_v2_Test.yml
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-Account_Enrichment_-_Generic_v2_Test.yml
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-Account_Enrichment_-_Generic_v2_Test.yml
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-AlienVaultOTX_Test.yml b/TestPlaybooks/NonCircleTests/Deprecated/playbook-AlienVaultOTX_Test.yml
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-AlienVaultOTX_Test.yml
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-AlienVaultOTX_Test.yml
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-AlienVaultOTX_Test_CHANGELOG.md b/TestPlaybooks/NonCircleTests/Deprecated/playbook-AlienVaultOTX_Test_CHANGELOG.md
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-AlienVaultOTX_Test_CHANGELOG.md
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-AlienVaultOTX_Test_CHANGELOG.md
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-BlockIP_test.yml b/TestPlaybooks/NonCircleTests/Deprecated/playbook-BlockIP_test.yml
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-BlockIP_test.yml
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-BlockIP_test.yml
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-BlockIP_test_CHANGELOG.md b/TestPlaybooks/NonCircleTests/Deprecated/playbook-BlockIP_test_CHANGELOG.md
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-BlockIP_test_CHANGELOG.md
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-BlockIP_test_CHANGELOG.md
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-ContextGetters-Test.yml b/TestPlaybooks/NonCircleTests/Deprecated/playbook-ContextGetters-Test.yml
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-ContextGetters-Test.yml
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-ContextGetters-Test.yml
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-ContextGetters-Test_CHANGELOG.md b/TestPlaybooks/NonCircleTests/Deprecated/playbook-ContextGetters-Test_CHANGELOG.md
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-ContextGetters-Test_CHANGELOG.md
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-ContextGetters-Test_CHANGELOG.md
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-Cymon_Test.yml b/TestPlaybooks/NonCircleTests/Deprecated/playbook-Cymon_Test.yml
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-Cymon_Test.yml
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-Cymon_Test.yml
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-Cymon_Test_CHANGELOG.md b/TestPlaybooks/NonCircleTests/Deprecated/playbook-Cymon_Test_CHANGELOG.md
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-Cymon_Test_CHANGELOG.md
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-Cymon_Test_CHANGELOG.md
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-Dedup_-_Generic_-_Test.yml b/TestPlaybooks/NonCircleTests/Deprecated/playbook-Dedup_-_Generic_-_Test.yml
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-Dedup_-_Generic_-_Test.yml
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-Dedup_-_Generic_-_Test.yml
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-Dedup_-_Generic_-_Test_CHANGELOG.md b/TestPlaybooks/NonCircleTests/Deprecated/playbook-Dedup_-_Generic_-_Test_CHANGELOG.md
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-Dedup_-_Generic_-_Test_CHANGELOG.md
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-Dedup_-_Generic_-_Test_CHANGELOG.md
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-DocumentationTest.yml b/TestPlaybooks/NonCircleTests/Deprecated/playbook-DocumentationTest.yml
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-DocumentationTest.yml
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-DocumentationTest.yml
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-Email_Address_Enrichment_-_Generic_v2_-_Test.yml b/TestPlaybooks/NonCircleTests/Deprecated/playbook-Email_Address_Enrichment_-_Generic_v2_-_Test.yml
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-Email_Address_Enrichment_-_Generic_v2_-_Test.yml
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-Email_Address_Enrichment_-_Generic_v2_-_Test.yml
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-Endpoint_Enrichment_-_Generic_v2_-_Test.yml b/TestPlaybooks/NonCircleTests/Deprecated/playbook-Endpoint_Enrichment_-_Generic_v2_-_Test.yml
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-Endpoint_Enrichment_-_Generic_v2_-_Test.yml
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-Endpoint_Enrichment_-_Generic_v2_-_Test.yml
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-ExtraHop-Test.yml b/TestPlaybooks/NonCircleTests/Deprecated/playbook-ExtraHop-Test.yml
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-ExtraHop-Test.yml
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-ExtraHop-Test.yml
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-ExtraHop-Test_CHANGELOG.md b/TestPlaybooks/NonCircleTests/Deprecated/playbook-ExtraHop-Test_CHANGELOG.md
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-ExtraHop-Test_CHANGELOG.md
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-ExtraHop-Test_CHANGELOG.md
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-ExtractURL_Test.yml b/TestPlaybooks/NonCircleTests/Deprecated/playbook-ExtractURL_Test.yml
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-ExtractURL_Test.yml
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-ExtractURL_Test.yml
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-ExtractURL_Test_CHANGELOG.md b/TestPlaybooks/NonCircleTests/Deprecated/playbook-ExtractURL_Test_CHANGELOG.md
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-ExtractURL_Test_CHANGELOG.md
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-ExtractURL_Test_CHANGELOG.md
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-Extract_Domain_Test.yml b/TestPlaybooks/NonCircleTests/Deprecated/playbook-Extract_Domain_Test.yml
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-Extract_Domain_Test.yml
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-Extract_Domain_Test.yml
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-Extract_Domain_Test_CHANGELOG.md b/TestPlaybooks/NonCircleTests/Deprecated/playbook-Extract_Domain_Test_CHANGELOG.md
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-Extract_Domain_Test_CHANGELOG.md
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-Extract_Domain_Test_CHANGELOG.md
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-Extract_Indicators_-_Generic_-_Test.yml b/TestPlaybooks/NonCircleTests/Deprecated/playbook-Extract_Indicators_-_Generic_-_Test.yml
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-Extract_Indicators_-_Generic_-_Test.yml
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-Extract_Indicators_-_Generic_-_Test.yml
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-Extract_Indicators_-_Generic_-_Test_CHANGELOG.md b/TestPlaybooks/NonCircleTests/Deprecated/playbook-Extract_Indicators_-_Generic_-_Test_CHANGELOG.md
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-Extract_Indicators_-_Generic_-_Test_CHANGELOG.md
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-Extract_Indicators_-_Generic_-_Test_CHANGELOG.md
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-Indicator_Feed_-_Test.yml b/TestPlaybooks/NonCircleTests/Deprecated/playbook-Indicator_Feed_-_Test.yml
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-Indicator_Feed_-_Test.yml
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-Indicator_Feed_-_Test.yml
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-Indicator_Feed_-_Test_CHANGELOG.md b/TestPlaybooks/NonCircleTests/Deprecated/playbook-Indicator_Feed_-_Test_CHANGELOG.md
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-Indicator_Feed_-_Test_CHANGELOG.md
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-Indicator_Feed_-_Test_CHANGELOG.md
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-Jira-CreateIssue-generic-Test.yml b/TestPlaybooks/NonCircleTests/Deprecated/playbook-Jira-CreateIssue-generic-Test.yml
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-Jira-CreateIssue-generic-Test.yml
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-Jira-CreateIssue-generic-Test.yml
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-Jira-CreateIssue-generic-Test_CHANGELOG.md b/TestPlaybooks/NonCircleTests/Deprecated/playbook-Jira-CreateIssue-generic-Test_CHANGELOG.md
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-Jira-CreateIssue-generic-Test_CHANGELOG.md
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-Jira-CreateIssue-generic-Test_CHANGELOG.md
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-Lastline-test-playbook.yml b/TestPlaybooks/NonCircleTests/Deprecated/playbook-Lastline-test-playbook.yml
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-Lastline-test-playbook.yml
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-Lastline-test-playbook.yml
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-Lastline-test-playbook_CHANGELOG.md b/TestPlaybooks/NonCircleTests/Deprecated/playbook-Lastline-test-playbook_CHANGELOG.md
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-Lastline-test-playbook_CHANGELOG.md
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-Lastline-test-playbook_CHANGELOG.md
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-Minemeld_Test.yml b/TestPlaybooks/NonCircleTests/Deprecated/playbook-Minemeld_Test.yml
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-Minemeld_Test.yml
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-Minemeld_Test.yml
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-Minemeld_Test_CHANGELOG.md b/TestPlaybooks/NonCircleTests/Deprecated/playbook-Minemeld_Test_CHANGELOG.md
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-Minemeld_Test_CHANGELOG.md
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-Minemeld_Test_CHANGELOG.md
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-PANW_-_Hunting_and_threat_detection_by_indicator_type_Test.yml b/TestPlaybooks/NonCircleTests/Deprecated/playbook-PANW_-_Hunting_and_threat_detection_by_indicator_type_Test.yml
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-PANW_-_Hunting_and_threat_detection_by_indicator_type_Test.yml
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-PANW_-_Hunting_and_threat_detection_by_indicator_type_Test.yml
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-Palo_Alto_Networks_Cortex_Test.yml b/TestPlaybooks/NonCircleTests/Deprecated/playbook-Palo_Alto_Networks_Cortex_Test.yml
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-Palo_Alto_Networks_Cortex_Test.yml
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-Palo_Alto_Networks_Cortex_Test.yml
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-Palo_Alto_Networks_Cortex_Test_CHANGELOG.md b/TestPlaybooks/NonCircleTests/Deprecated/playbook-Palo_Alto_Networks_Cortex_Test_CHANGELOG.md
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-Palo_Alto_Networks_Cortex_Test_CHANGELOG.md
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-Palo_Alto_Networks_Cortex_Test_CHANGELOG.md
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-PostgreSQL-Test_CHANGELOG.md b/TestPlaybooks/NonCircleTests/Deprecated/playbook-PostgreSQL-Test_CHANGELOG.md
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-PostgreSQL-Test_CHANGELOG.md
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-PostgreSQL-Test_CHANGELOG.md
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-ProofpointDecodeURL-Test.yml b/TestPlaybooks/NonCircleTests/Deprecated/playbook-ProofpointDecodeURL-Test.yml
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-ProofpointDecodeURL-Test.yml
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-ProofpointDecodeURL-Test.yml
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-ProofpointDecodeURL-Test_CHANGELOG.md b/TestPlaybooks/NonCircleTests/Deprecated/playbook-ProofpointDecodeURL-Test_CHANGELOG.md
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-ProofpointDecodeURL-Test_CHANGELOG.md
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-ProofpointDecodeURL-Test_CHANGELOG.md
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-ReadPDFFile_Test.yml b/TestPlaybooks/NonCircleTests/Deprecated/playbook-ReadPDFFile_Test.yml
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-ReadPDFFile_Test.yml
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-ReadPDFFile_Test.yml
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-ReadPDFFile_Test_CHANGELOG.md b/TestPlaybooks/NonCircleTests/Deprecated/playbook-ReadPDFFile_Test_CHANGELOG.md
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-ReadPDFFile_Test_CHANGELOG.md
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-ReadPDFFile_Test_CHANGELOG.md
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-Shodan-Test.yml b/TestPlaybooks/NonCircleTests/Deprecated/playbook-Shodan-Test.yml
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-Shodan-Test.yml
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-Shodan-Test.yml
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-Shodan-Test_CHANGELOG.md b/TestPlaybooks/NonCircleTests/Deprecated/playbook-Shodan-Test_CHANGELOG.md
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-Shodan-Test_CHANGELOG.md
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-Shodan-Test_CHANGELOG.md
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-TestCreatePhishingClassifierML.yml b/TestPlaybooks/NonCircleTests/Deprecated/playbook-TestCreatePhishingClassifierML.yml
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-TestCreatePhishingClassifierML.yml
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-TestCreatePhishingClassifierML.yml
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-Test_Similar_Incidents.yml b/TestPlaybooks/NonCircleTests/Deprecated/playbook-Test_Similar_Incidents.yml
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-Test_Similar_Incidents.yml
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-Test_Similar_Incidents.yml
diff --git a/Tests/conf.json b/Tests/conf.json
index 4d51d84f9ce3..eeb7645fa7f7 100644
--- a/Tests/conf.json
+++ b/Tests/conf.json
@@ -371,10 +371,6 @@
 "integrations": "Akamai WAF SIEM",
 "playbookID": "Akamai_WAF_SIEM-Test"
 },
- {
- "integrations": "AlienVault OTX",
- "playbookID": "AlienVaultOTX Test"
- },
 {
 "integrations": "Cofense Triage v2",
 "playbookID": "Cofense Triage v2 Test"
@@ -427,9 +423,6 @@
 "integrations": "RSA NetWitness Packets and Logs",
 "playbookID": "rsa_packets_and_logs_test"
 },
- {
- "playbookID": "test_similar_incidents"
- },
 {
 "playbookID": "CheckpointFW-test",
 "integrations": "Check Point"
@@ -443,10 +436,6 @@
 {
 "playbookID": "RandomStringGenerateTest"
 },
- {
- "playbookID": "DocumentationTest",
- "integrations": "ipinfo"
- },
 {
 "playbookID": "playbook-checkEmailAuthenticity-test"
 },
@@ -534,10 +523,6 @@
 "integrations": "ServiceNow",
 "playbookID": "servicenow_test_new"
 },
- {
- "integrations": "ExtraHop",
- "playbookID": "ExtraHop-Test"
- },
 {
 "integrations": "ExtraHop v2",
 "playbookID": "ExtraHop_v2-Test"
@@ -572,14 +557,6 @@
 "integrations": "Attivo Botsink",
 "playbookID": "AttivoBotsinkTest"
 },
- {
- "playbookID": "CreatePhishingClassifierMLTest",
- "timeout": 2400
- },
- {
- "integrations": "Cymon",
- "playbookID": "playbook-Cymon_Test"
- },
 {
 "integrations": "FortiGate",
 "playbookID": "Fortigate Test"
@@ -630,9 +607,6 @@
 "playbookID": "CreateEmailHtmlBody_test_pb",
 "fromversion": "4.1.0"
 },
- {
- "playbookID": "ReadPDFFile-Test"
- },
 {
 "playbookID": "ReadPDFFileV2-Test",
 "timeout": 1000
@@ -822,18 +796,6 @@
 {
 "playbookID": "Detonate File - No Files test"
 },
- {
- "integrations": [
- "Panorama",
- "Check Point"
- ],
- "instance_names": "palo_alto_firewall",
- "playbookID": "blockip_test_playbook"
- },
- {
- "integrations": "Palo Alto Minemeld",
- "playbookID": "minemeld_test"
- },
 {
 "integrations": "SentinelOne V2",
 "playbookID": "SentinelOne V2 - test"
@@ -962,11 +924,6 @@
 "integrations": "ThreatExchange",
 "playbookID": "ThreatExchange-test"
 },
- {
- "integrations": "ThreatExchange",
- "playbookID": "extract_indicators_-_generic_-_test",
- "timeout": 240
- },
 {
 "integrations": "Joe Security",
 "playbookID": "JoeSecurityTestPlaybook",
@@ -1066,13 +1023,6 @@
 "playbookID": "Test IP Indicator Fields",
 "fromversion": "5.0.0"
 },
- {
- "integrations": "Shodan",
- "playbookID": "ShodanTest"
- },
- {
- "playbookID": "dedup_-_generic_-_test"
- },
 {
 "playbookID": "Dedup - Generic v2 - Test",
 "fromversion": "5.0.0"
@@ -1111,9 +1061,6 @@
 "integrations": "FalconIntel",
 "playbookID": "CrowdStrike Falcon Intel v2"
 },
- {
- "playbookID": "ContextGetters_Test"
- },
 {
 "integrations": [
 "Mail Sender (New)",
@@ -1241,10 +1188,6 @@
 "integrations": "Rasterize",
 "timeout": 240
 },
- {
- "integrations": "activedir",
- "playbookID": "account_enrichment_-_generic_test"
- },
 {
 "integrations": "FalconHost",
 "playbookID": "search_endpoints_by_hash_-_crowdstrike_-_test",
@@ -1296,9 +1239,6 @@
 "integrations": "jira",
 "playbookID": "VerifyHumanReadableFormat"
 },
- {
- "playbookID": "ExtractURL Test"
- },
 {
 "playbookID": "strings-test"
 },
@@ -1372,10 +1312,6 @@
 "integrations": "TCPIPUtils",
 "playbookID": "TCPUtils-Test"
 },
- {
- "playbookID": "ProofpointDecodeURL-Test",
- "timeout": 300
- },
 {
 "playbookID": "listExecutedCommands-Test"
 },
@@ -1407,9 +1343,6 @@
 {
 "playbookID": "UnzipFile-Test"
 },
- {
- "playbookID": "ExtractDomainTest"
- },
 {
 "playbookID": "Test-IsMaliciousIndicatorFound",
 "fromversion": "5.0.0"
@@ -1731,10 +1664,6 @@
 "playbookID": "AbuseIPDB PopulateIndicators Test",
 "nightly": true
 },
- {
- "integrations": "jira",
- "playbookID": "JiraCreateIssue-example-test"
- },
 {
 "integrations": "LogRhythm",
 "playbookID": "LogRhythm-Test-Playbook",
@@ -1970,9 +1899,6 @@
 "integrations": "mysql",
 "playbookID": "MySQL Test"
 },
- {
- "playbookID": "Email Address Enrichment - Generic v2 - Test"
- },
 {
 "playbookID": "Email Address Enrichment - Generic v2.1 - Test",
 "integrations": "Active Directory Query v2",
@@ -2125,6 +2051,9 @@
 {
 "playbookID": "CheckDockerImageAvailableTest"
 },
+ {
+ "playbookID": "ExtractDomainFromEmailTest"
+ },
 {
 "playbookID": "Account Enrichment - Generic v2 - Test",
 "integrations": "activedir"
@@ -2214,11 +2143,6 @@
 "integrations": "Zoom",
 "playbookID": "Zoom_Test"
 },
- {
- "integrations": "Palo Alto Networks Cortex",
- "playbookID": "Palo Alto Networks Cortex Test",
- "fromversion": "4.1.0"
- },
 {
 "playbookID": "IP Enrichment - Generic v2 - Test",
 "integrations": "Threat Crowd",
@@ -2635,10 +2559,6 @@
 "integrations": "PaloAltoNetworks_PrismaCloudCompute",
 "playbookID": "PaloAltoNetworks_PrismaCloudCompute-Test"
 },
- {
- "playbookID": "Indicator Feed - Test",
- "fromversion": "5.5.0"
- },
 {
 "integrations": "Recorded Future Feed",
 "playbookID": "RecordedFutureFeed - Test",
@@ -2960,7 +2880,6 @@
 "NetWitness Endpoint Test": "Issue 19878",
 "TestUptycs": "Issue 19750",
 "InfoArmorVigilanteATITest": "Test issue 17358",
- "Lastline - testplaybook": "Checking the integration via Generic detonation playbooks, don't want to load the daily quota",
 "ArcSight Logger test": "Issue 19117",
 "TruSTAR Test": "Issue 19777",
 "TestDedupIncidentsByName": "skipped on purpose - this is part of the TestDedupIncidentsPlaybook - no need to execute separately as a test",
@@ -2988,7 +2907,7 @@
 "Cortex XDR - IOC - Test": "issue #25598"
 },
 "skipped_integrations": {
-
+ "_comment1": "~~~ NO INSTANCE ~~~",
 "Symantec Management Center": "Issue 23960",
 "PerceptionPoint": "Issue 25795",
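Review bot: The `_comment1` key added inside `skipped_integrations` in the `@@ -2988` hunk is an ordinary entry of that mapping, so a reader that iterates it or checks an integration name for membership will see `_comment1` as a skipped integration unless it already ignores keys beginning with `_`, which is not visible in this diff; the `@@ -3083` and `@@ -3096` hunks on the following line add `_comment2`, `_comment4` and `_comment5` to the same mapping in the same way. If the consumer does not filter such keys, dropping `_`-prefixed entries where the file is loaded (a one-line filter in that reader) keeps the section labels without the side effect. The numbering also skips from `_comment2` to `_comment4`; if `_comment3` is not present in the unchanged lines between those two hunks, the labels should be renumbered. The `skipped_integrations` object itself begins and ends outside these hunks.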
@@ -3038,6 +2957,7 @@
 "ExtraHop v2": "No instance",
 "Minerva Labs Anti-Evasion Platform": "Issue 18835",
 "PolySwarm": "contribution",
+ "Blueliv ThreatContext": "contribution",
 "Silverfort": "contribution",
 "fireeye": "Issue 19839",
 "DomainTools": "Issue 8298",
@@ -3083,7 +3003,7 @@
 "VxStream": "Issue #23795",
 "Bambenek Consulting Feed": "Issue 26184",
 "AWS - Athena - Beta": "Issue 19834",
-
+ "_comment2": "~~~ UNSTABLE ~~~",
 "ServiceNow": "Instance goes to hibernate every few hours",
 "Tenable.sc": "unstable instance",
@@ -3096,14 +3016,14 @@
 "Google Resource Manager": "Cannot create projects because have reached alloted quota.",
 "Looker": "Warehouse 'DEMO_WH' cannot be resumed because resource monitor 'LIMITER' has exceeded its quota.",
 "Ipstack": "Issue 26266",
-
+ "_comment4": "~~~ NO INSTANCE - SUPPORTED BY THE COMMUNITY ~~~",
 "Zabbix": "Supported by external developer",
 "SafeBreach v2": "it is a partner integration, no instance",
 "IllusiveNetworks": "supported by partner",
 "Humio": "supported by the partner",
 "Digital Guardian": "partner integration",
-
+ "_comment5": "~~~ OTHER ~~~",
 "XFE": "We have the new integration XFE_v2, so no need to test the old one because they use the same quote",
 "Cisco ASA": "Issue 25741",
@@ -3256,10 +3176,11 @@
 "Prisma Access Egress IP feed",
 "Lastline v2",
 "McAfee DXL",
- "GCP Whitelist Feed"
+ "GCP Whitelist Feed",
+ "Cortex Data Lake"
 ],
 "docker_thresholds": {
-
+ "_comment": "Add here docker images which are specific to an integration and require a non-default threshold (such as rasterize or ews). That way there is no need to define this multiple times. You can specify full image name with version or without.",
 "images": {
 "demisto/chromium": {
@@ -3276,4 +3197,4 @@
 }
 }
 }
-}
\ No newline at end of file
+}
diff --git a/Tests/scripts/download_demisto_conf.sh b/Tests/scripts/download_demisto_conf.sh
index 1a11f8c0b59c..48508dacdc93 100755
--- a/Tests/scripts/download_demisto_conf.sh
+++ b/Tests/scripts/download_demisto_conf.sh
@@ -36,11 +36,6 @@ if [ "$?" != "0" ]; then
 cp -r ./content-test-conf-$UNDERSCORE_CIRCLE_BRANCH/signDirectory $DEMISTO_PACK_SIGNATURE_UTIL_PATH
 rm -rf ./content-test-conf-$UNDERSCORE_CIRCLE_BRANCH
 rm -rf ./test_configuration.zip
- if [ "$UNDERSCORE_CIRCLE_BRANCH" != "master" ]; then
- echo "ERROR: Found a branch with the same name in contest-test-conf conf.json - $UNDERSCORE_CIRCLE_BRANCH.\n Merge it in order to merge the current branch into content repo."
- exit 1
- fi
-
 fi
 set -e
diff --git a/Tests/secrets_white_list.json b/Tests/secrets_white_list.json
index 083b1b22cecc..a86963e0212c 100644
--- a/Tests/secrets_white_list.json
+++ b/Tests/secrets_white_list.json
@@ -553,7 +553,9 @@
 "0.154.17.105",
 "104.218.120.128",
 "10.2.2.20",
- "122.8.170.14"
+ "122.8.170.14",
+ "103.76.228.28",
+ "25.20.116.113"
 ],
 "ipv6": [
 "2001:db8:1234:1a00::",
@@ -1820,6 +1822,8 @@
 "https://m2crypto.readthedocs.io",
 "https://raw.user.com",
 "platform.risksense",
+ "https://attack.mitre.org",
+ "https://mytenant.blueliv.com",
 "https://api.dehashed.com",
 "https://www.dehashed.com."
 ],
@@ -1861,7 +1865,8 @@
 "ebb031c3945e884e695dbc63c52a5efcd075375046c49729980073585ee13c52",
 "b2ac43820cdf8634e1a437b9723ec110513d3dd7a2f8d4fa3192babe3eaa4b8e",
 "2d8bb37078ff9efd02d9361975c9e625ae56bd8a8a65d50fc568341bc88392ae",
- "10676cf66244cfa91567fbc1a937f4cb19438338b35b69d4bcc2cf0d3a44af5e"
+ "10676cf66244cfa91567fbc1a937f4cb19438338b35b69d4bcc2cf0d3a44af5e",
+ "ad53660b6d7e8d2ed14bd59b39e1f265148e3c6818a494cce906e749976bade1"
 ],
 "ssdeep": [
 "48:uuHYx6sS1bioEX7gyLatSqAc8kHRgd5peJB80t9qeM:uuHYx6sS1bUJBqus8v9",
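Review bot: The entries added to `Tests/secrets_white_list.json` (two IPv4 addresses in the `@@ -553` hunk, two URLs in `@@ -1820`, one SHA-256 in `@@ -1861`) suppress the secrets scanner for those literals across the whole repository, and nothing visible in this part of the diff records which pack or file needs them. Because the file is JSON there is no place to annotate an entry inline, so the origin of each literal belongs in the PR description, which is what a later maintainer will need in order to remove the entries when that content changes. `https://mytenant.blueliv.com` in particular reads like a placeholder tenant host; it is worth confirming that this is the exact string that appears in the content rather than an example value. The `ipv4`, URL and hash arrays these hunks touch begin outside the visible lines.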