From dc4b9726816716bfc1b81eea35703b24be56ed83 Mon Sep 17 00:00:00 2001 From: Agam Date: Fri, 10 Jul 2020 00:30:37 +0300 Subject: [PATCH 01/23] Update sane doc (#7837) * Update pdf docker tag * Add release notes * Add release notes, updated documentation * Fix for lint * Update Packs/Base/ReleaseNotes/1_1_4.md Co-authored-by: Bar Saar * Update from master and add newer sane-pdf-reports docker image Co-authored-by: Agam More Co-authored-by: Andrew Shamah <42912128+amshamah419@users.noreply.github.com> Co-authored-by: Bar Saar --- Packs/Base/ReleaseNotes/1_1_4.md | 3 +++ .../Scripts/SaneDocReportV2/SaneDocReportV2.py | 15 +++++++++------ .../SaneDocReportV2/SaneDocReportV2.yml | 18 +++++++++++++++--- .../Scripts/SanePdfReport/SanePdfReport.yml | 2 +- Packs/Base/pack_metadata.json | 2 +- 5 files changed, 29 insertions(+), 11 deletions(-) create mode 100644 Packs/Base/ReleaseNotes/1_1_4.md diff --git a/Packs/Base/ReleaseNotes/1_1_4.md b/Packs/Base/ReleaseNotes/1_1_4.md new file mode 100644 index 000000000000..2944d71bf214 --- /dev/null +++ b/Packs/Base/ReleaseNotes/1_1_4.md @@ -0,0 +1,3 @@ +#### Scripts +##### SaneDocReports +- Added additional arguments for increased functionality when using logos diff --git a/Packs/Base/Scripts/SaneDocReportV2/SaneDocReportV2.py b/Packs/Base/Scripts/SaneDocReportV2/SaneDocReportV2.py index 4c78571284ee..34c5fb52a635 100644 --- a/Packs/Base/Scripts/SaneDocReportV2/SaneDocReportV2.py +++ b/Packs/Base/Scripts/SaneDocReportV2/SaneDocReportV2.py 
@@ -12,16 +12,19 @@ try:
 sane_json_b64 = demisto.args().get('sane_docx_report_base64', '').encode(
 'utf-8')
- orientation = demisto.args().get('orientation', 'portrait').encode(
- 'utf-8')
- paper_size = demisto.args().get('paperSize', 'A4').encode(
- 'utf-8')
+ orientation = demisto.args().get('orientation', 'portrait')
+ paper_size = demisto.args().get('paperSize', 'A4')
+ demistoLogo = demisto.args().get('demistoLogo', '')
+ customerLogo = demisto.args().get('customerLogo', '')
+
 with open('sane.json', 'wb') as f:
 f.write(base64.b64decode(sane_json_b64))
 run('sane.json', OUTPUT_FILE_PATH, {
- 'orientation': orientation.decode('utf-8', 'ignore'),
- 'paper_size': paper_size.decode('utf-8', 'ignore')
+ 'orientation': orientation,
+ 'paper_size': paper_size,
+ 'demistoLogo': demistoLogo,
+ 'customerLogo': customerLogo,
 })
 with open(OUTPUT_FILE_PATH, 'rb') as f:
diff --git a/Packs/Base/Scripts/SaneDocReportV2/SaneDocReportV2.yml b/Packs/Base/Scripts/SaneDocReportV2/SaneDocReportV2.yml
index 438f29924541..1a6c47ef8a77 100644
--- a/Packs/Base/Scripts/SaneDocReportV2/SaneDocReportV2.yml
+++ b/Packs/Base/Scripts/SaneDocReportV2/SaneDocReportV2.yml
@@ -14,11 +14,23 @@ args:
 secret: false
 - default: false
 defaultValue: A4
- description: the paper size of the report
+ description: The paper size for the report.
 isArray: false
 name: paperSize
 required: false
 secret: false
+- default: false description: Custom logo image. isArray: false name: customerLogo required: false secret: false
+- default: false description: The logo for XSOAR. isArray: false name: demistoLogo required: false secret: false
 comment: Parse Sane-json-reports and export them as docx files (used internally, thus deprecated).
 commonfields:
 id: SaneDocReports
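Review bot: `demistoLogo` and `customerLogo` are read from `demisto.args()` and handed to `run()` unchecked, and `orientation`/`paper_size` now reach it as raw strings too, so nothing in this script constrains what the report generator receives. What `run()` does with a logo value is not visible here — if it treats it as a file path or URL rather than inline image data, a playbook-supplied argument would drive file or network access inside the `sane-doc-reports` container, so that contract should be confirmed and recorded above the call, e.g. `# logos are passed through as-is; run() must treat them as image data, never as a path or URL`. For the two enumerated arguments a pre-call allowlist is cheap, along the lines of `if orientation not in ('portrait', 'landscape'): return_error(f'Unsupported orientation: {orientation}')` (with `return_error` from the usual CommonServerPython import), and the same for `paper_size` against whatever sizes the generator supports. The camelCase locals `demistoLogo`/`customerLogo` also sit beside snake_case `paper_size` in the same block. The `try:` named in the hunk header encloses all of this and continues past the hunk.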
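Review bot: The new argument descriptions, `Custom logo image.` and `The logo for XSOAR.`, leave out the one detail a playbook author needs — whether the value is a base64-encoded image, a war-room entry ID, or a URL — and that same detail decides what the script may safely do with it. I would state the accepted form explicitly once it is confirmed against the report generator, e.g. `description: Custom logo to embed in the report, supplied as a base64-encoded image.`, and likewise for `demistoLogo`. The `args:` list these entries belong to starts before the hunk.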
@@ -34,10 +46,10 @@ tags: timeout: '0' type: python subtype: python3 -dockerimage: demisto/sane-doc-reports:1.0.0.6861 +dockerimage: demisto/sane-doc-reports:1.0.0.9678 runas: DBotWeakRole runonce: false tests: - No Test deprecated: true -fromversion: 5.5.0 \ No newline at end of file +fromversion: 5.5.0 diff --git a/Packs/Base/Scripts/SanePdfReport/SanePdfReport.yml b/Packs/Base/Scripts/SanePdfReport/SanePdfReport.yml index b789c77fea61..989db52fc46e 100644 --- a/Packs/Base/Scripts/SanePdfReport/SanePdfReport.yml +++ b/Packs/Base/Scripts/SanePdfReport/SanePdfReport.yml @@ -68,7 +68,7 @@ tags: - pdf timeout: '0' type: python -dockerimage: demisto/sane-pdf-reports:1.0.0.9507 +dockerimage: demisto/sane-pdf-reports:1.0.0.9768 runas: DBotWeakRole runonce: false tests: diff --git a/Packs/Base/pack_metadata.json b/Packs/Base/pack_metadata.json index 1a58cb57da15..26a7918e08dd 100644 --- a/Packs/Base/pack_metadata.json +++ b/Packs/Base/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Base", "description": "The base pack for Cortex XSOAR.", "support": "xsoar", - "currentVersion": "1.1.3", + "currentVersion": "1.1.4", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", From a2467f4acd68cff40eb4361e9e727705cbc87de9 Mon Sep 17 00:00:00 2001 From: Andrew Shamah <42912128+amshamah419@users.noreply.github.com> Date: Fri, 10 Jul 2020 14:39:00 +0300 Subject: [PATCH 02/23] Fix for html email bodies (#7934) --- .../MicrosoftGraphListener/MicrosoftGraphListener.py | 8 ++++++-- Packs/MicrosoftGraphListener/ReleaseNotes/1_0_4.md | 3 +++ Packs/MicrosoftGraphListener/pack_metadata.json | 2 +- .../Integrations/MicrosoftGraphMail/MicrosoftGraphMail.py | 8 ++++++-- Packs/MicrosoftGraphMail/ReleaseNotes/1_0_2.md | 3 +++ Packs/MicrosoftGraphMail/pack_metadata.json | 2 +- 6 files changed, 20 insertions(+), 6 deletions(-) create mode 100644 Packs/MicrosoftGraphListener/ReleaseNotes/1_0_4.md create mode 100644 Packs/MicrosoftGraphMail/ReleaseNotes/1_0_2.md 
diff --git a/Packs/MicrosoftGraphListener/Integrations/MicrosoftGraphListener/MicrosoftGraphListener.py b/Packs/MicrosoftGraphListener/Integrations/MicrosoftGraphListener/MicrosoftGraphListener.py
index 6a5764f33314..b5bce208a493 100644
--- a/Packs/MicrosoftGraphListener/Integrations/MicrosoftGraphListener/MicrosoftGraphListener.py
+++ b/Packs/MicrosoftGraphListener/Integrations/MicrosoftGraphListener/MicrosoftGraphListener.py
@@ -124,13 +124,17 @@ def prepare_args(command, args):
 :rtype: ``dict``
 """
 if command in ['msgraph-mail-create-draft', 'send-mail']:
+ if args.get('htmlBody', None):
+ email_body = args.get('htmlBody')
+ else:
+ email_body = args.get('body', '')
 return {
 'to_recipients': argToList(args.get('to')),
 'cc_recipients': argToList(args.get('cc')),
 'bcc_recipients': argToList(args.get('bcc')),
 'subject': args.get('subject', ''),
- 'body': args.get('body', ''),
- 'body_type': args.get('body_type', 'text'),
+ 'body': email_body,
+ 'body_type': args.get('body_type', 'html'),
 'flag': args.get('flag', 'notFlagged'),
 'importance': args.get('importance', 'Low'),
 'internet_message_headers': argToList(args.get('headers')),
diff --git a/Packs/MicrosoftGraphListener/ReleaseNotes/1_0_4.md b/Packs/MicrosoftGraphListener/ReleaseNotes/1_0_4.md
new file mode 100644
index 000000000000..2ebe838e3dfe
--- /dev/null
+++ b/Packs/MicrosoftGraphListener/ReleaseNotes/1_0_4.md
@@ -0,0 +1,3 @@
+#### Integrations
+##### Microsoft Graph Mail Single User
+- Fixed and issue where communication tasks were sending emails in text format only.
\ No newline at end of file
diff --git a/Packs/MicrosoftGraphListener/pack_metadata.json b/Packs/MicrosoftGraphListener/pack_metadata.json
index 95a8645c3323..4b3b28e76ecc 100644
--- a/Packs/MicrosoftGraphListener/pack_metadata.json
+++ b/Packs/MicrosoftGraphListener/pack_metadata.json
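Review bot: Changing the `body_type` default from `'text'` to `'html'` also covers the `else` branch that falls back to `args.get('body', '')`, so a caller supplying only a plain-text `body` now has it sent as HTML, and any `<`, `&` or tag-like text in it is interpreted as markup by the recipient's mail client instead of being shown literally. The default should track which argument actually supplied the body: `'body_type': args.get('body_type') or ('html' if args.get('htmlBody') else 'text'),`. The new branch also calls `args.get('htmlBody')` twice; `email_body = args.get('htmlBody') or args.get('body', '')` is the same logic in one line. `prepare_args` begins before the hunk and the returned dict continues after it.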
@@ -2,7 +2,7 @@
 "name": "Microsoft Graph Mail Single User",
 "description": "Microsoft Graph grants Demisto authorized access to a user's Microsoft Outlook mail data in a personal account or organization account.",
 "support": "xsoar",
- "currentVersion": "1.0.3",
+ "currentVersion": "1.0.4",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
diff --git a/Packs/MicrosoftGraphMail/Integrations/MicrosoftGraphMail/MicrosoftGraphMail.py b/Packs/MicrosoftGraphMail/Integrations/MicrosoftGraphMail/MicrosoftGraphMail.py
index 4e2fa9297d60..11a3d2c642e7 100644
--- a/Packs/MicrosoftGraphMail/Integrations/MicrosoftGraphMail/MicrosoftGraphMail.py
+++ b/Packs/MicrosoftGraphMail/Integrations/MicrosoftGraphMail/MicrosoftGraphMail.py
@@ -1308,13 +1308,17 @@ def prepare_args(command, args):
 :rtype: ``dict``
 """
 if command in ['create-draft', 'send-mail']:
+ if args.get('htmlBody', None):
+ email_body = args.get('htmlBody')
+ else:
+ email_body = args.get('body', '')
 return {
 'to_recipients': argToList(args.get('to')),
 'cc_recipients': argToList(args.get('cc')),
 'bcc_recipients': argToList(args.get('bcc')),
 'subject': args.get('subject', ''),
- 'body': args.get('body', ''),
- 'body_type': args.get('bodyType', 'text'),
+ 'body': email_body,
+ 'body_type': args.get('bodyType', 'html'),
 'flag': args.get('flag', 'notFlagged'),
 'importance': args.get('importance', 'Low'),
 'internet_message_headers': argToList(args.get('headers')),
diff --git a/Packs/MicrosoftGraphMail/ReleaseNotes/1_0_2.md b/Packs/MicrosoftGraphMail/ReleaseNotes/1_0_2.md
new file mode 100644
index 000000000000..a7cb0dc5b9a9
--- /dev/null
+++ b/Packs/MicrosoftGraphMail/ReleaseNotes/1_0_2.md
@@ -0,0 +1,3 @@
+#### Integrations
+##### MicrosoftGraphMail
+- Fixed and issue where communication tasks were sending emails in text format only.
diff --git a/Packs/MicrosoftGraphMail/pack_metadata.json b/Packs/MicrosoftGraphMail/pack_metadata.json
index 2767777ccb38..10f558ce94a3 100644
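Review bot: The `'html'` default for `body_type` now applies to a body that may have come from the plain-text `body` argument on the `else` branch, so text that this integration previously sent verbatim is parsed as HTML by the receiving client, including any `<` or `&` sequences it happens to contain. Key the default off the argument actually used instead: `'body_type': args.get('bodyType') or ('html' if args.get('htmlBody') else 'text'),`. Note that this integration reads `bodyType` while the listener integration changed in the same commit reads `body_type`, so a playbook driving both must pass both spellings to get a consistent result. `prepare_args` starts before the hunk and its return dict runs past it.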
--- a/Packs/MicrosoftGraphMail/pack_metadata.json +++ b/Packs/MicrosoftGraphMail/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Microsoft Graph Mail", "description": "Microsoft Graph lets your app get authorized access to a user's Outlook mail data in a personal or organization account.", "support": "xsoar", - "currentVersion": "1.0.1", + "currentVersion": "1.0.2", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", From 94a1558390c8d340f20a00b916d62c29a79e18bd Mon Sep 17 00:00:00 2001 From: Lior Blobstein Date: Fri, 10 Jul 2020 15:14:45 +0300 Subject: [PATCH 03/23] Fixed DT syntax error (#7938) * Fixed DT syntax error (#7909) * Fixed DT syntax error * Fixed DT syntax error * Fixed DT syntax error Co-authored-by: Adam Burt - Demisto * change * unreleased * RN * fix version in pack_metadata.json * fix RN after review Co-authored-by: Adam Burt - Demisto <53576129+aburt-demisto@users.noreply.github.com> Co-authored-by: Adam Burt - Demisto Co-authored-by: ybenshalom --- .../Playbooks/playbook-NetOps_-_Firewall_Upgrade.yml | 2 +- .../playbook-NetOps_-_Firewall_Upgrade_CHANGELOG.md | 1 - ...ybook-NetOps_-_Firewall_Version_Content_Upgrade.yml | 10 +++++----- Packs/PAN-OS/ReleaseNotes/1_4_1.md | 4 ++++ Packs/PAN-OS/pack_metadata.json | 2 +- 5 files changed, 11 insertions(+), 8 deletions(-) create mode 100644 Packs/PAN-OS/ReleaseNotes/1_4_1.md diff --git a/Packs/PAN-OS/Playbooks/playbook-NetOps_-_Firewall_Upgrade.yml b/Packs/PAN-OS/Playbooks/playbook-NetOps_-_Firewall_Upgrade.yml index d9005ee8c107..d989c27a6fef 100644 --- a/Packs/PAN-OS/Playbooks/playbook-NetOps_-_Firewall_Upgrade.yml +++ b/Packs/PAN-OS/Playbooks/playbook-NetOps_-_Firewall_Upgrade.yml 
@@ -4,7 +4,7 @@ fromversion: 5.0.0 name: NetOps - Upgrade PAN-OS Firewall Device description: 'Network operations playbook that upgrades the firewall. You must have Superuser permissions to update the PAN-OS version. - Note: This playbook should only be used for minor version upgrades. Major version upgrades will not work due to a change in the API key. ' + Note: This playbook should only be used for minor version upgrades. Major version upgrades will not work due to a change in the API key.' starttaskid: "0" tasks: "0": diff --git a/Packs/PAN-OS/Playbooks/playbook-NetOps_-_Firewall_Upgrade_CHANGELOG.md b/Packs/PAN-OS/Playbooks/playbook-NetOps_-_Firewall_Upgrade_CHANGELOG.md index d590966b802a..2c532574695c 100644 --- a/Packs/PAN-OS/Playbooks/playbook-NetOps_-_Firewall_Upgrade_CHANGELOG.md +++ b/Packs/PAN-OS/Playbooks/playbook-NetOps_-_Firewall_Upgrade_CHANGELOG.md @@ -1,7 +1,6 @@ ## [Unreleased] - - ## [20.2.4] - 2020-02-25 Updated playbook descriptions and task names. diff --git a/Packs/PAN-OS/Playbooks/playbook-NetOps_-_Firewall_Version_Content_Upgrade.yml b/Packs/PAN-OS/Playbooks/playbook-NetOps_-_Firewall_Version_Content_Upgrade.yml index 6be3eacd1ab9..d77a4ec03992 100644 --- a/Packs/PAN-OS/Playbooks/playbook-NetOps_-_Firewall_Version_Content_Upgrade.yml +++ b/Packs/PAN-OS/Playbooks/playbook-NetOps_-_Firewall_Version_Content_Upgrade.yml @@ -406,7 +406,7 @@ tasks: simple: "10" dt: simple: Panorama.Content.Install(val.Status !== 'Completed' && val.Status - != ‘Failed’).JobID + !== 'Failed').JobID separatecontext: true loop: iscommand: false @@ -494,8 +494,8 @@ tasks: Timeout: simple: "20" dt: - simple: Panorama.PANOS.Download(val.Status !== 'Completed' && val.Status != - ‘Failed’).JobID + simple: Panorama.PANOS.Download(val.Status !== 'Completed' && val.Status !== + 'Failed').JobID separatecontext: true loop: iscommand: false 
@@ -550,8 +550,8 @@ tasks: Timeout: simple: "20" dt: - simple: Panorama.PANOS.Install(val.Status !== 'Completed' && val.Status != - ‘Failed’).JobID + simple: Panorama.PANOS.Install(val.Status !== 'Completed' && val.Status !== + 'Failed').JobID separatecontext: true loop: iscommand: false diff --git a/Packs/PAN-OS/ReleaseNotes/1_4_1.md b/Packs/PAN-OS/ReleaseNotes/1_4_1.md new file mode 100644 index 000000000000..398563852c84 --- /dev/null +++ b/Packs/PAN-OS/ReleaseNotes/1_4_1.md @@ -0,0 +1,4 @@ + +#### Playbooks +##### NetOps - Firewall Version and Content Upgrade + - Fixed DT syntax issues. diff --git a/Packs/PAN-OS/pack_metadata.json b/Packs/PAN-OS/pack_metadata.json index 5f79f3d19a66..5d964f8f13d2 100644 --- a/Packs/PAN-OS/pack_metadata.json +++ b/Packs/PAN-OS/pack_metadata.json @@ -2,7 +2,7 @@ "name": "PAN-OS", "description": "Manage Palo Alto Networks Firewall and Panorama. For more information see Panorama documentation.", "support": "xsoar", - "currentVersion": "1.4.0", + "currentVersion": "1.4.1", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", From 7265171fc2a8ea7000cf95c20889864a27182ae7 Mon Sep 17 00:00:00 2001 From: hod Date: Fri, 10 Jul 2020 16:35:45 +0300 Subject: [PATCH 04/23] fix slack notifications for nightly (#7945) Co-authored-by: hod-alpert --- .circleci/config.yml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 2966629dd8db..95595122c0a6 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -688,12 +688,6 @@ jobs: else echo "Not AMI run, can't run on this version" fi - - run: - name: Slack Notifier - shell: /bin/bash - command: | - ./Tests/scripts/slack_notifier.sh 'test_playbooks' ./env_results.json - when: always - *destroy_instances - *store_artifacts Server 6_0: 
@@ -759,6 +753,12 @@ jobs: python3 ./Tests/Marketplace/upload_packs.py -a $PACK_ARTIFACTS -e $EXTRACT_FOLDER -b 'marketplace-dist' -d $PACKS_DEPENDENCIES -i $ID_SET -s $GCS_PATH -n $CIRCLE_BUILD_NUM -k $PACK_SIGNING_KEY -pb 'marketplace-dist-private' rm $GCS_PATH when: on_success + - run: + name: Slack Notifier + shell: /bin/bash + command: | + ./Tests/scripts/slack_notifier.sh 'test_playbooks' ./env_results.json + when: always - *destroy_instances - *store_artifacts Instance Test: @@ -911,6 +911,7 @@ workflows: - Create Instances: context: nightly_env - Run Unit Testing And Lint: + context: nightly_env requires: - Prepare Environment - Run Validations: From 55e2bf4b4f5257df46ec67d96d844f21603e56cb Mon Sep 17 00:00:00 2001 From: hod Date: Sun, 12 Jul 2020 10:02:03 +0300 Subject: [PATCH 05/23] CDL is a read only integration, adding it to parallel integrations (#7947) Co-authored-by: hod-alpert --- Tests/conf.json | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/Tests/conf.json b/Tests/conf.json index 4d51d84f9ce3..fc3462cbfbd3 100644 --- a/Tests/conf.json +++ b/Tests/conf.json @@ -2988,7 +2988,7 @@ "Cortex XDR - IOC - Test": "issue #25598" }, "skipped_integrations": { - + "_comment1": "~~~ NO INSTANCE ~~~", "Symantec Management Center": "Issue 23960", "PerceptionPoint": "Issue 25795", @@ -3083,7 +3083,7 @@ "VxStream": "Issue #23795", "Bambenek Consulting Feed": "Issue 26184", "AWS - Athena - Beta": "Issue 19834", - + "_comment2": "~~~ UNSTABLE ~~~", "ServiceNow": "Instance goes to hibernate every few hours", "Tenable.sc": "unstable instance", 
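Review bot: Granting `context: nightly_env` to `Run Unit Testing And Lint` exposes every secret in that context to a job whose work is installing and running linters and tests, which is a wider grant than the job needs; it is the same context `Create Instances` uses, and the `upload_packs.py` step in the earlier hunk passes `$PACK_SIGNING_KEY` and GCS paths on its command line, though whether those values live in this context is not visible here. If the lint job only needs a Slack webhook for its notifier, give it a context holding just that, e.g. `context: slack_notifier`, and keep signing and storage credentials out of it. The relocated `Slack Notifier` step also reads `./env_results.json` with `when: always`; if that file is produced by another job the step needs the workspace attached or it runs against a missing file — worth confirming in the job definition, which starts before the hunk.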
@@ -3096,14 +3096,14 @@ "Google Resource Manager": "Cannot create projects because have reached alloted quota.", "Looker": "Warehouse 'DEMO_WH' cannot be resumed because resource monitor 'LIMITER' has exceeded its quota.", "Ipstack": "Issue 26266", - + "_comment4": "~~~ NO INSTANCE - SUPPORTED BY THE COMMUNITY ~~~", "Zabbix": "Supported by external developer", "SafeBreach v2": "it is a partner integration, no instance", "IllusiveNetworks": "supported by partner", "Humio": "supported by the partner", "Digital Guardian": "partner integration", - + "_comment5": "~~~ OTHER ~~~", "XFE": "We have the new integration XFE_v2, so no need to test the old one because they use the same quote", "Cisco ASA": "Issue 25741", @@ -3256,10 +3256,11 @@ "Prisma Access Egress IP feed", "Lastline v2", "McAfee DXL", - "GCP Whitelist Feed" + "GCP Whitelist Feed", + "Cortex Data Lake" ], "docker_thresholds": { - + "_comment": "Add here docker images which are specific to an integration and require a non-default threshold (such as rasterize or ews). That way there is no need to define this multiple times. You can specify full image name with version or without.", "images": { "demisto/chromium": { @@ -3276,4 +3277,4 @@ } } } -} \ No newline at end of file +} From ae741c396b91ba9daab7de045af4538458e6dd2d Mon Sep 17 00:00:00 2001 
From: content-bot <55035720+content-bot@users.noreply.github.com> Date: Sun, 12 Jul 2020 10:54:11 +0300 Subject: [PATCH 06/23] [blueliv-177] [717938] New Blueliv ThreatContext integration (#7879) * [blueliv-177] [717938] New Blueliv ThreatContext integration (#7638) * Integration commit * Added secrets to integration Pack file * Updated solving the PR requested changes. * Updated with the comments from the PR. * Update Packs/BluelivThreatContext/Integrations/BluelivThreatContext/BluelivThreatContext.py Co-authored-by: Shai Yaakovi <30797606+yaakovi@users.noreply.github.com> * Updated * Updated test functions * Some corrections on tests mock Co-authored-by: URi Co-authored-by: OriolCampderros Co-authored-by: Shai Yaakovi <30797606+yaakovi@users.noreply.github.com> Co-authored-by: Alex Fiedler <38628621+kirbles19@users.noreply.github.com> * updated docker image * skip integration - no instance Co-authored-by: oylosoar <66620770+oylosoar@users.noreply.github.com> Co-authored-by: URi Co-authored-by: OriolCampderros Co-authored-by: Shai Yaakovi <30797606+yaakovi@users.noreply.github.com> Co-authored-by: Alex Fiedler <38628621+kirbles19@users.noreply.github.com> Co-authored-by: syaakovi --- Packs/BluelivThreatContext/.pack-ignore | 0 Packs/BluelivThreatContext/.secrets-ignore | 10 + Packs/BluelivThreatContext/CHANGELOG.md | 1 + .../BluelivThreatContext.py | 1120 ++++++++++++++ .../BluelivThreatContext.yml | 754 +++++++++ .../BluelivThreatContext_description.md | 45 + .../BluelivThreatContext_image.png | Bin 0 -> 4907 bytes .../BluelivThreatContext_test.py | 1348 +++++++++++++++++ .../BluelivThreatContext/CHANGELOG.md | 12 + .../Integrations/BluelivThreatContext/Pipfile | 18 + .../BluelivThreatContext/Pipfile.lock | 369 +++++ .../BluelivThreatContext/README.md | 811 ++++++++++ Packs/BluelivThreatContext/README.md | 0 .../Blueliv_ThreatContext_test.yml | 411 +++++ Packs/BluelivThreatContext/pack_metadata.json | 16 + Tests/conf.json | 1 + Tests/secrets_white_list.json | 9 
+- 17 files changed, 4923 insertions(+), 2 deletions(-) create mode 100644 Packs/BluelivThreatContext/.pack-ignore create mode 100644 Packs/BluelivThreatContext/.secrets-ignore create mode 100644 Packs/BluelivThreatContext/CHANGELOG.md create mode 100644 Packs/BluelivThreatContext/Integrations/BluelivThreatContext/BluelivThreatContext.py create mode 100644 Packs/BluelivThreatContext/Integrations/BluelivThreatContext/BluelivThreatContext.yml create mode 100644 Packs/BluelivThreatContext/Integrations/BluelivThreatContext/BluelivThreatContext_description.md create mode 100644 Packs/BluelivThreatContext/Integrations/BluelivThreatContext/BluelivThreatContext_image.png create mode 100644 Packs/BluelivThreatContext/Integrations/BluelivThreatContext/BluelivThreatContext_test.py create mode 100644 Packs/BluelivThreatContext/Integrations/BluelivThreatContext/CHANGELOG.md create mode 100644 Packs/BluelivThreatContext/Integrations/BluelivThreatContext/Pipfile create mode 100644 Packs/BluelivThreatContext/Integrations/BluelivThreatContext/Pipfile.lock create mode 100644 Packs/BluelivThreatContext/Integrations/BluelivThreatContext/README.md create mode 100644 Packs/BluelivThreatContext/README.md create mode 100644 Packs/BluelivThreatContext/TestPlaybooks/Blueliv_ThreatContext_test.yml create mode 100644 Packs/BluelivThreatContext/pack_metadata.json diff --git a/Packs/BluelivThreatContext/.pack-ignore b/Packs/BluelivThreatContext/.pack-ignore new file mode 100644 index 000000000000..e69de29bb2d1 diff --git a/Packs/BluelivThreatContext/.secrets-ignore b/Packs/BluelivThreatContext/.secrets-ignore new file mode 100644 index 000000000000..f8cb8a6c2f19 --- /dev/null +++ b/Packs/BluelivThreatContext/.secrets-ignore @@ -0,0 +1,10 @@ +103.76.228.28 +25.20.116.113 +https://attack.mitre.org +https://mytenant.blueliv.com +ad53660b6d7e8d2ed14bd59b39e1f265148e3c6818a494cce906e749976bade1 +http://www.priceminister.com +103.143.173.25 +http://uk.ask.com +http://seclists.org +192.168.56.102 
diff --git a/Packs/BluelivThreatContext/CHANGELOG.md b/Packs/BluelivThreatContext/CHANGELOG.md new file mode 100644 index 000000000000..723f2f878c2b --- /dev/null +++ b/Packs/BluelivThreatContext/CHANGELOG.md @@ -0,0 +1 @@ +## [Unreleased] \ No newline at end of file diff --git a/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/BluelivThreatContext.py b/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/BluelivThreatContext.py new file mode 100644 index 000000000000..0fe2916d6d1e --- /dev/null +++ b/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/BluelivThreatContext.py 
@@ -0,0 +1,1120 @@ +''' IMPORTS ''' +import demistomock as demisto +from CommonServerPython import * +from CommonServerUserPython import * +import json +import urllib3 + +''' PARAM DEFINITION ''' +SEARCHABLE_BY_NAME = 'threat-actor,campaign,attack-pattern,tool,signature' +SEARCHABLE_BY_HASH = 'sha256,sha1,md5' + +urllib3.disable_warnings() + + +class Client(BaseClient): + def authenticate(self, username: str, password: str): + body = { + 'username': username, + 'password': password + } + res = self._http_request(method='POST', url_suffix='/auth', json_data=body) + self._headers = {"Content-Type": "application/json", "x-cookie": str(res.get('token'))} + return str(res.get('token')) + + def _query_gateway(self, url): + body = {"apiId": "THIAPP", "url": "/api/v1/" + url, "requestType": "GET"} + demisto.debug("Gateway call to " + json.dumps(body)) + res = self._http_request(method='POST', url_suffix='/gateway', json_data=body, headers=self._headers) + return res + + def get_threat_actor_info(self, threat_actor_id): + url = "threat-actor/{}".format(threat_actor_id) + result = self._query_gateway(url) + return result + + def get_campaign_info(self, campaign_id: str): + url = "campaign/{}".format(campaign_id) + result = self._query_gateway(url) + return result + + def get_malware_hash_info(self, file_hash, hash_type="md5"): + url = "malware/?dork={}%3A%22{}%22".format(hash_type, file_hash) + result = self._query_gateway(url) + return result + + def get_malware_info(self, malware_id): + url = "malware/{}".format(malware_id) + result = self._query_gateway(url) + return result + + def get_ip_info(self, ip_id): + url = "ip/{}".format(ip_id) + result = self._query_gateway(url) + return result + + def get_fqdn_info(self, fqdn_id): + url = "fqdn/{}".format(fqdn_id) + result = self._query_gateway(url) + return result + + def get_crime_server_info(self, cs_id): + url = "crime-server/{}".format(cs_id) + result = self._query_gateway(url) + return result + + def 
get_attack_pattern_info(self, attack_pattern_id): + url = "attack-pattern/{}".format(attack_pattern_id) + result = self._query_gateway(url) + return result + + def get_tool_info(self, tool_id): + url = "tool/{}".format(tool_id) + result = self._query_gateway(url) + return result + + def get_signature_info(self, signature_id): + url = "signature/{}".format(signature_id) + result = self._query_gateway(url) + return result + + def get_cve_info(self, cve_id): + url = "cve/{}".format(cve_id) + result = self._query_gateway(url) + return result + + def search_by_name(self, key, value): + if value: + value = value.replace(' ', '+') + else: + value = "" + + if key in SEARCHABLE_BY_NAME: + url = "{}/?fuzzy_filter%5Bname%5D={}".format(key, value) + if key in SEARCHABLE_BY_HASH: + url = "indicator/?fuzzy_filter%5Bvalue%5D={}".format(value) + if key == 'crime-server': + url = "crime-server/?fuzzy_filter%5Bcrime_server_url%5D={}".format(value) + if key == 'fqdn': + url = "fqdn/?fuzzy_filter%5Bdomain%5D={}".format(value) + if key == 'ip': + url = "ip/?fuzzy_filter%5Baddress%5D={}".format(value) + + result = self._query_gateway(url) + return result.get("data", [])[0].get("id", "0") + + def get_relationships(self, object_name, value, of): + url = "{}/{}/relationships/{}/".format(object_name, value, of) + result = self._query_gateway(url) + ids = "" + if result != "error": + ids = ','.join(str(item['id']) for item in result['data']) + + return ids + + +def getHuman(result): + human = {"id": result.get("data", {}).get("id"), + "links": result.get("data", {}).get("links"), + "type": result.get("data", {}).get("type")} + human.update(result.get("data", {}).get("attributes")) + + return human + + +# This function return false when there are no results to display +def notFound(): + demisto.results({ + 'ContentsFormat': formats['json'], + 'Type': entryTypes['note'], + 'Contents': "No results found.", + 'ReadableContentsFormat': formats['markdown'], + 'HumanReadable': "No results found.", 
+ 'EntryContext': { + 'BluelivThreatContext': {} + } + }) + sys.exit(0) + + +# Get information about threat actors # +def blueliv_threatActor(client: Client, args): + threatActorId = args.get('threatActor_id', '') + threatActorName = args.get('threatActor', '') + + if not threatActorId and not threatActorName: + notFound() + + if not threatActorId: + threatActorId = client.search_by_name('threat-actor', threatActorName) + + if not threatActorId: + notFound() + else: + result = client.get_threat_actor_info(threatActorId) + + if result: + name = str(demisto.get(result, "data.attributes.name")) + description = str(demisto.get(result, "data.attributes.description")) + objective = str(demisto.get(result, "data.attributes.objective")) + sophistication = str(demisto.get(result, "data.attributes.sophistication")) + lastSeen = str(demisto.get(result, "data.attributes.last_seen")) + active = str(demisto.get(result, "data.attributes.active")) + + milestoneIds = "" + milestones = demisto.get(result, "data.relationships.milestones.meta.count") + if milestones: + milestoneIds = client.get_relationships("threat-actor", threatActorId, "milestone") + + toolIds = "" + tools = demisto.get(result, "data.relationships.tools.meta.count") + if tools: + toolIds = client.get_relationships("threat-actor", threatActorId, "tools") + + campaigns = demisto.get(result, "data.relationships.campaigns.meta.count") + campaignIds = "" + if campaigns: + campaignIds = client.get_relationships("threat-actor", threatActorId, "campaign") + + signatures = demisto.get(result, "data.relationships.signatures.meta.count") + signatureIds = "" + if signatures: + signatureIds = client.get_relationships("threat-actor", threatActorId, "signature") + + onlineServiceIds = "" + onlineServices = demisto.get(result, "data.relationships.online_services.meta.count") + if onlineServices: + onlineServiceIds = client.get_relationships("threat-actor", threatActorId, "online-service") + + malwareIds = "" + malware = 
demisto.get(result, "data.relationships.malware.meta.count") + if malware: + malwareIds = client.get_relationships("threat-actor", threatActorId, "malware") + + threatTypeIds = "" + threatTypes = demisto.get(result, "data.relationships.threat_types.meta.count") + if threatTypes: + threatTypeIds = client.get_relationships("threat-actor", threatActorId, "threat-type") + + fqdnIds = "" + fqdns = demisto.get(result, "data.relationships.fqdns.meta.count") + if fqdns: + fqdnIds = client.get_relationships("threat-actor", threatActorId, "fqdn") + + attackPatternIds = "" + attackPatterns = demisto.get(result, "data.relationships.attack_patterns.meta.count") + if attackPatterns: + attackPatternIds = client.get_relationships("threat-actor", threatActorId, "attack-pattern") + + ipIds = "" + ips = demisto.get(result, "data.relationships.ips.meta.count") + if ips: + ipIds = client.get_relationships("threat-actor", threatActorId, "ip") + + targetIds = "" + targets = demisto.get(result, "data.relationships.targets.meta.count") + if targets: + targetIds = client.get_relationships("threat-actor", threatActorId, "target") + + human = getHuman(result) + demisto.results({ + 'ContentsFormat': formats['json'], + 'Type': entryTypes['note'], + 'Contents': result, + 'ReadableContentsFormat': formats['markdown'], + 'HumanReadable': tableToMarkdown("Blueliv Threat Actor info", human), + 'EntryContext': { + 'BluelivThreatContext.threatActor(val.name && val.id == obj.id)': { + 'id': threatActorId, + 'name': name, + 'description': description, + 'objective': objective, + 'sophistication': sophistication, + 'lastSeen': lastSeen, + 'active': active, + 'milestones': milestones, + 'milestoneIds': milestoneIds, + 'tools': tools, + 'toolIds': toolIds, + 'campaigns': campaigns, + 'campaignIds': campaignIds, + 'signatures': signatures, + 'signatureIds': signatureIds, + 'onlineServices': onlineServices, + 'onlineServiceIds': onlineServiceIds, + 'malware': malware, + 'malwareIds': malwareIds, + 
'threatTypes': threatTypes, + 'threatTypeIds': threatTypeIds, + 'fqdns': fqdns, + 'fqdnIds': fqdnIds, + 'attackPatterns': attackPatterns, + 'attackPatternIds': attackPatternIds, + 'ips': ips, + 'ipIds': ipIds, + 'targets': targets, + 'targetIds': targetIds + } + } + }) + else: + notFound() + + +# Get campaign information +def blueliv_campaign(client: Client, args): + campaignName = args.get('campaign', '') + campaignId = args.get('campaign_id', '') + + if not campaignId: + campaignId = client.search_by_name('campaign', campaignName) + if not campaignId: + notFound() + else: + result = client.get_campaign_info(campaignId) + + if result: + lastSeen = demisto.get(result, "data.attributes.last_seen") + name = demisto.get(result, "data.attributes.name") + description = demisto.get(result, "data.attributes.description") + + # BOTNETS # + botnetIds = "" + botnets = demisto.get(result, "data.relationships.botnets.meta.count") + if botnets: + botnetIds = client.get_relationships("campaign", campaignId, "botnet") + + # SIGNATURES # + signatureIds = "" + signatures = demisto.get(result, "data.relationships.signatures.meta.count") + if signatures: + signatureIds = client.get_relationships("campaign", campaignId, "signature") + + # IPs # + ipIds = "" + ips = demisto.get(result, "data.relationships.ips.meta.count") + if ips: + ipIds = client.get_relationships("campaign", campaignId, "ip") + + # MALWARE # + malwareIds = "" + malware = demisto.get(result, "data.relationships.malware.meta.count") + if malware: + malwareIds = client.get_relationships("campaign", campaignId, "malware") + + # ATTACK PATTERNS + attackPatternIds = "" + attackPatterns = demisto.get(result, "data.relationships.attack_patterns.meta.count") + if attackPatterns: + attackPatternIds = client.get_relationships("campaign", campaignId, "attack-pattern") + + # TOOLS # + toolIds = "" + tools = demisto.get(result, "data.relationships.tools.meta.count") + if tools: + toolIds = client.get_relationships("campaign", 
campaignId, "tool") + + # FQDNs # + fqdnIds = "" + fqdns = demisto.get(result, "data.relationships.fqdns.meta.count") + if fqdns: + fqdnIds = client.get_relationships("campaign", campaignId, "fqdn") + + # THREAT ACTORS # + threatActorId = demisto.get(result, "data.relationships.threat_actor.data.id") + + human = getHuman(result) + demisto.results({ + 'ContentsFormat': formats['json'], + 'Type': entryTypes['note'], + 'Contents': result, + 'ReadableContentsFormat': formats['markdown'], + 'HumanReadable': tableToMarkdown("Blueliv Campaign info", human), + 'EntryContext': { + 'BluelivThreatContext.campaign(val.id && val.id == obj.id)': { + 'id': campaignId, + 'name': name, + 'description': description, + 'lastSeen': lastSeen, + 'botnets': botnets, + 'botnetIds': botnetIds, + 'signatures': signatures, + 'signatureIds': signatureIds, + 'ips': ips, + 'ipIds': ipIds, + 'malware': malware, + 'malwareIds': malwareIds, + 'attackPatterns': attackPatterns, + 'attackPatternIds': attackPatternIds, + 'tools': tools, + 'toolIds': toolIds, + 'fqdns': fqdns, + 'fqdnIds': fqdnIds, + 'threatActorId': threatActorId + } + } + }) + else: + notFound() + + +# Get detailed malware information # +def blueliv_malware(client: Client, args): + hashValue = args.get('hash', '') + malwareId = args.get('hash_id', '') + + if hashValue: + if len(hashValue) == 40: + hash_type = 'sha1' + elif len(hashValue) == 64: + hash_type = 'sha256' + elif len(hashValue) == 32: + hash_type = 'md5' + else: + notFound() + + if not malwareId: + result = client.get_malware_hash_info(hashValue, hash_type) + + if not result: + notFound() + + if result.get("data", []): + malwareId = demisto.get(result.get("data")[0], "id") + + if malwareId: + result = client.get_malware_info(malwareId) + + if result: + # lastSeen = demisto.get(result, "data.attributes.last_seen") + sha256 = demisto.get(result, "data.attributes.sha256") + sha1 = demisto.get(result, "data.attributes.sha1") + md5 = demisto.get(result, "data.attributes.md5") + 
fileType = demisto.get(result, "data.attributes.file_type") + hasCandC = demisto.get(result, "data.attributes.has_c_and_c") + memory = demisto.get(result, "data.attributes.memory") + procMemory = demisto.get(result, "data.attributes.proc_memory") + analysisStatus = demisto.get(result, "data.attributes.analysis_status") + dropped = demisto.get(result, "data.attributes.dropped") + buffers = demisto.get(result, "data.attributes.buffers") + hasNetwork = demisto.get(result, "data.attributes.has_network") + risk = demisto.get(result, "data.attributes.risk") + # Malware uses sha256 likes malwareId, so we need to use this field to call getIds function + + # CAMPAIGNS # + campaigns = demisto.get(result, "data.relationships.campaigns.meta.count") + campaignIds = "" + if campaigns: + campaignIds = client.get_relationships("malware", sha256, "campaign") + + # SIGNATURES # + signatures = demisto.get(result, "data.relationships.signatures.meta.count") + signatureIds = "" + if signatures: + signatureIds = client.get_relationships("malware", sha256, "signature") + + # THREAT ACTORS # + threatActorIds = "" + threatActors = demisto.get(result, "data.relationships.threat_actors.meta.count") + if threatActors: + threatActorIds = client.get_relationships("malware", sha256, "threat-actor") + + # SOURCES # + sourceIds = "" + sources = demisto.get(result, "data.relationships.sources.meta.count") + if sources: + sourceIds = client.get_relationships("malware", sha256, "source") + + # TAGS # + tagIds = "" + tags = demisto.get(result, "data.relationships.tags.meta.count") + if tags: + tagIds = client.get_relationships("malware", sha256, "tag") + + # CRIME SERVERS # + crimeServerIds = "" + crimeServers = demisto.get(result, "data.relationships.crime_servers.meta.count") + if crimeServers: + crimeServerIds = client.get_relationships("mwlware", sha256, "crime-server") + + # FQDNs # + fqdnIds = "" + fqdns = demisto.get(result, "data.relationships.fqdns.meta.count") + if fqdns: + fqdnIds = 
client.get_relationships("malware", sha256, "fqdn") + + # TYPES # + typeIds = "" + types = demisto.get(result, "data.relationships.types.meta.count") + if types: + typeIds = client.get_relationships("malware", sha256, "type") + + # SPARKS # + sparkIds = "" + sparks = demisto.get(result, "data.relationships.sparks.meta.count") + if sparks: + sparkIds = client.get_relationships("malware", sha256, "spark") + + # IPs # + ipIds = "" + ips = demisto.get(result, "data.relationships.ips.meta.count") + if ips: + ipIds = client.get_relationships("malware", sha256, "ip") + + human = getHuman(result) + demisto.results({ + 'ContentsFormat': formats['json'], + 'Type': entryTypes['note'], + 'Contents': result, + 'ReadableContentsFormat': formats['markdown'], + 'HumanReadable': tableToMarkdown("Blueliv Malware file info", human), + 'EntryContext': { + 'BluelivThreatContext.malware(val.id && val.id == obj.id)': { + 'id': malwareId, + 'hash.sha256': sha256, + 'hash.sha1': sha1, + 'hash.md5': md5, + 'fileType': fileType, + 'hasCandC': hasCandC, + 'memory': memory, + 'procMemory': procMemory, + 'analysisStatus': analysisStatus, + 'dropped': dropped, + 'buffers': buffers, + 'hasNetwork': hasNetwork, + 'risk': risk, + 'campaigns': campaigns, + 'campaignIds': campaignIds, + 'signatures': signatures, + 'signatureIds': signatureIds, + 'threatActors': threatActors, + 'threatActorIds': threatActorIds, + 'sources': sources, + 'sourceIds': sourceIds, + 'tags': tags, + 'tagIds': tagIds, + 'crimeServers': crimeServers, + 'crimeserverIds': crimeServerIds, + 'fqdns': fqdns, + 'fqdnIds': fqdnIds, + 'types': types, + 'typeIds': typeIds, + 'sparks': sparks, + 'sparkIds': sparkIds, + 'ips': ips, + 'ipIds': ipIds + } + } + }) + else: + notFound() + else: + notFound() + + +def blueliv_indicatorIp(client: Client, args): + nameIP = args.get('IP', '') + valueIP = args.get('IP_id', '') + + if not valueIP and not nameIP: + notFound() + if nameIP: + valueIP = nameIP # client.search_by_name('fqdn', nameIP) + + 
if not valueIP: + notFound() + + result = client.get_ip_info(valueIP) + + if result: + lastSeen = str(demisto.get(result, "data.attributes.last_seen")) + latitude = str(demisto.get(result, "data.attributes.latitude")) + longitude = str(demisto.get(result, "data.attributes.longitude")) + risk = str(demisto.get(result, "data.attributes.risk")) + countryId = str(demisto.get(result, "data.relationships.country.data.id")) + + # CAMPAIGNS # + campaigns = demisto.get(result, "data.relationships.campaigns.meta.count") + campaignIds = "" + if campaigns: + campaignIds = client.get_relationships("ip", valueIP, "campaign") + + # SIGNATURES # + signatures = demisto.get(result, "data.relationships.signatures.meta.count") + signatureIds = "" + if signatures: + signatureIds = client.get_relationships("ip", valueIP, "signature") + + # THREAT ACTORS # + threatActors = demisto.get(result, "data.relationships.threat_actors.meta.count") + threatActorIds = "" + if threatActors: + client.get_relationships("ip", valueIP, "threat-actor") + + # TAGS # + tags = demisto.get(result, "data.relationships.tags.meta.count") + tagIds = "" + if tags: + tagIds = client.get_relationships("ip", valueIP, "tag") + + # FQDNs # + fqdnIds = "" + fqdns = demisto.get(result, "data.relationships.fqdns.meta.count") + if fqdns: + fqdnIds = client.get_relationships("ip", valueIP, "fqdn") + + # SPARKS # + sparks = demisto.get(result, "data.relationships.sparks.meta.count") + sparkIds = "" + if sparks: + sparkIds = client.get_relationships("ip", valueIP, "spark") + + # BOTS # + bots = demisto.get(result, "data.relationships.bots.meta.count") + botIds = "" + if bots: + botIds = client.get_relationships("ip", valueIP, "bot") + + human = getHuman(result) + ipName = valueIP.replace(".", "") + demisto.results({ + 'ContentsFormat': formats['json'], + 'Type': entryTypes['note'], + 'Contents': result, + 'ReadableContentsFormat': formats['markdown'], + 'HumanReadable': tableToMarkdown("Blueliv IP info", human), + 
'EntryContext': { + 'BluelivThreatContext.indicator(val.ipName && val.ipName == obj.ipName)': { + "ipName": ipName, + 'lastSeen': lastSeen, + 'risk': risk, + 'latitude': latitude, + 'longitude': longitude, + 'countryId': countryId, + 'campaigns': campaigns, + 'campaignIds': campaignIds, + 'signatures': signatures, + 'signatureIds': signatureIds, + 'threatActors': threatActors, + 'threatActorIds': threatActorIds, + 'tags': tags, + 'tagIds': tagIds, + 'fqdns': fqdns, + 'fqdnIds': fqdnIds, + 'sparks': sparks, + 'sparkIds': sparkIds, + 'bots': bots, + 'botIds': botIds + } + } + }) + else: + notFound() + + +def blueliv_indicatorFqdn(client: Client, args): + nameFQDN = args.get('FQDN', '') + valueFQDN = args.get('FQDN_id', '') + + if not valueFQDN and not nameFQDN: + notFound() + if not valueFQDN and nameFQDN: + valueFQDN = client.search_by_name('fqdn', nameFQDN) + if not valueFQDN: + notFound() + sys.exit() + + result = client.get_fqdn_info(valueFQDN) + if result: + # PARAMETROS GENERALES # + lastSeen = str(demisto.get(result, "data.attributes.last_seen")) + risk = str(demisto.get(result, "data.attributes.risk")) + + # CAMPAIGNS # + campaigns = demisto.get(result, "data.relationships.campaigns.meta.count") + campaignIds = "" + if campaigns: + campaignIds = client.get_relationships("fqdn", valueFQDN, "campaign") + + # SIGNATURES # + signatures = demisto.get(result, "data.relationships.signatures.meta.count") + signatureIds = "" + if signatures: + signatureIds = client.get_relationships("fqdn", valueFQDN, "signature") + + # THREAT ACTORS # + threatActors = demisto.get(result, "data.relationships.threat_actors.meta.count") + threatActorIds = "" + if threatActors: + threatActorIds = client.get_relationships("fqdn", valueFQDN, "threat-actor") + + # TAGS # + tags = demisto.get(result, "data.relationships.tags.meta.count") + tagIds = "" + if tags: + tagIds = client.get_relationships("fqdn", valueFQDN, "tag") + + # CRIME SERVERS # + crimeServers = demisto.get(result, 
"data.relationships.crime_servers.meta.count") + crimeServerIds = "" + if crimeServers: + crimeServerIds = client.get_relationships("fqdn", valueFQDN, "crime-server") + + # SPARKS # + sparks = demisto.get(result, "data.relationships.sparks.meta.count") + sparkIds = "" + if sparks: + sparkIds = client.get_relationships("fqdn", valueFQDN, "spark") + + # IPs # + ips = demisto.get(result, "data.relationships.ips.meta.count") + ipIds = "" + if ips: + ipIds = client.get_relationships("fqdn", valueFQDN, "ip") + + human = getHuman(result) + demisto.results({ + 'ContentsFormat': formats['json'], + 'Type': entryTypes['note'], + 'Contents': result, + 'ReadableContentsFormat': formats['markdown'], + 'HumanReadable': tableToMarkdown("Blueliv FQDN info", human), + 'EntryContext': { + 'BluelivThreatContext.indicator(val.id && val.id == obj.id)': { + 'id': valueFQDN, + 'lastSeen': lastSeen, + 'risk': risk, + 'campaigns': campaigns, + 'campaignIds': campaignIds, + 'signatures': signatures, + 'signatureIds': signatureIds, + 'threatActors': threatActors, + 'threatActorIds': threatActorIds, + 'tags': tags, + 'tagids': tagIds, + 'crimeServers': crimeServers, + 'crimeServerIds': crimeServerIds, + 'sparks': sparks, + 'sparkIds': sparkIds, + 'ips': ips, + 'ipIds': ipIds + } + } + }) + else: + notFound() + + +# Get information about the crime server related with the provided URL +def blueliv_indicatorCs(client: Client, args): + nameCS = args.get('CS', '') + valueCS = args.get('CS_id', '') + + if not valueCS and not nameCS: + notFound() + if not valueCS and nameCS: + valueCS = client.search_by_name('crime-server', nameCS) + if not valueCS: + notFound() + sys.exit() + + result = client.get_crime_server_info(valueCS) + + if result: + lastSeen = str(demisto.get(result, "data.attributes.last_seen")) + status = str(demisto.get(result, "data.attributes.status")) + risk = str(demisto.get(result, "data.attributes.risk")) + isFalsePositive = str(demisto.get(result, 
"data.attributes.is_false_positive")) + crimeServerUrl = str(demisto.get(result, "data.attributes.crime_server_url")) + creditCardsCount = str(demisto.get(result, "data.attributes.credit_cards_count")) + credentialsCount = str(demisto.get(result, "data.attributes.credentials_count")) + botsCount = str(demisto.get(result, "data.attributes.bots_count")) + fqdnId = demisto.get(result, "data.relationships.fqdn.data.id") + + # SOURCES # + sourceIds = "" + sources = demisto.get(result, "data.relationships.sources.meta.count") + if sources: + sourceIds = client.get_relationships("crime-server", valueCS, "source") + + # MALWARE # + malwareIds = "" + malware = demisto.get(result, "data.relationships.malware.meta.count") + if malware: + malwareIds = client.get_relationships("crime-server", valueCS, "malware") + + # TAGS # + tags = demisto.get(result, "data.relationships.tags.meta.count") + tagIds = "" + if tags: + tagIds = client.get_relationships("crime-server", valueCS, "tag") + + # SPARKS # + sparks = demisto.get(result, "data.relationships.sparks.meta.count") + sparkIds = "" + if sparks: + sparkIds = client.get_relationships("crime-server", valueCS, "spark") + + human = getHuman(result) + demisto.results({ + 'ContentsFormat': formats['json'], + 'Type': entryTypes['note'], + 'Contents': result, + 'ReadableContentsFormat': formats['markdown'], + 'HumanReadable': tableToMarkdown("Blueliv Crime Server info", human), + 'EntryContext': { + 'BluelivThreatContext.indicator(val.id && val.id == obj.id)': { + 'id': valueCS, + 'lastSeen': lastSeen, + 'status': status, + 'risk': risk, + 'isFalsePositive': isFalsePositive, + 'crimeServerUrl': crimeServerUrl, + 'creditCardsCount': creditCardsCount, + 'credentialsCount': credentialsCount, + 'botsCount': botsCount, + 'fqdnId': fqdnId, + 'malware': malware, + 'malwareIds': malwareIds, + 'tags': tags, + 'tagIds': tagIds, + 'sparks': sparks, + 'sparkIds': sparkIds, + 'sources': sources, + 'sourceIds': sourceIds + } + } + }) + else: + 
notFound() + + +# Get information about attack patterns +def blueliv_attackPattern(client: Client, args): + attackPatternName = args.get('attackPattern', '') + attackPatternId = args.get('attackPattern_id', '') + + if attackPatternId: + attackPatternId = int(attackPatternId) + + if not attackPatternId: + attackPatternId = client.search_by_name('attack-pattern', attackPatternName) + + if attackPatternId: + result = client.get_attack_pattern_info(attackPatternId) + + if result: + updatedAt = demisto.get(result, "data.attributes.updated_at") + name = demisto.get(result, "data.attributes.name") + description = demisto.get(result, "data.attributes.description") + serverity = demisto.get(result, "data.attributes.severity") + + # SIGNATURES # + signatures = demisto.get(result, "data.relationships.signatures.meta.count") + signatureIds = "" + if signatures: + signatureIds = client.get_relationships("attack-pattern", str(attackPatternId), "signature") + + # CAMPAIGNS # + campaigns = demisto.get(result, "data.relationships.campaigns.meta.count") + campaignIds = "" + if campaigns: + campaignIds = client.get_relationships("attack-pattern", str(attackPatternId), "campaign") + + # THREAT ACTORS # + threatActorIds = "" + threatActors = demisto.get(result, "data.relationships.threat_actors.meta.count") + if threatActors: + threatActorIds = client.get_relationships("attack-pattern", str(attackPatternId), "threat-actor") + + # CVEs # + cveIds = "" + cves = demisto.get(result, "data.relationships.cves.meta.count") + if cves: + cves = client.get_relationships("attack-pattern", str(attackPatternId), "cve") + + human = getHuman(result) + demisto.results({ + 'ContentsFormat': formats['json'], + 'Type': entryTypes['note'], + 'Contents': result, + 'ReadableContentsFormat': formats['markdown'], + 'HumanReadable': tableToMarkdown("Blueliv Attack Pattern info", human), + 'EntryContext': { + 'BluelivThreatContext.attackPattern(val.id && val.id == obj.id)': { + 'id': attackPatternId, + 'name': 
name, + 'description': description, + 'updatedAt': updatedAt, + 'serverity': serverity, + 'signatures': signatures, + 'signatureIds': signatureIds, + 'campaigns': campaigns, + 'campaignIds': campaignIds, + 'threatActors': threatActors, + 'threatActorIds': threatActorIds, + 'cves': cves, + 'cveIds': cveIds + } + } + }) + else: + notFound() + else: + notFound() + + +# Get information about tools +def blueliv_tool(client: Client, args): + toolName = args.get('tool', '') + toolId = args.get('tool_id', '') + + if not toolId: + toolId = client.search_by_name('tool', toolName) + + if toolId: + result = client.get_tool_info(toolId) + + if result: + name = demisto.get(result, "data.attributes.name") + description = demisto.get(result, "data.attributes.description") + lastSeen = demisto.get(result, "data.attributes.last_seen") + + # CAMPAIGNS # + campaigns = demisto.get(result, "data.relationships.campaigns.meta.count") + campaignIds = "" + if campaigns: + campaignIds = client.get_relationships("tool", str(toolId), "campaign") + + # SIGNATURES # + signatures = demisto.get(result, "data.relationships.signatures.meta.count") + signatureIds = "" + if signatures: + signatureIds = client.get_relationships("tool", str(toolId), "signature") + + # THREAT ACTORS # + threatActorIds = "" + threatActors = demisto.get(result, "data.relationships.threat_actors.meta.count") + if threatActors: + threatActorIds = client.get_relationships("tool", str(toolId), "threat-actor") + + human = getHuman(result) + demisto.results({ + 'ContentsFormat': formats['json'], + 'Type': entryTypes['note'], + 'Contents': result, + 'ReadableContentsFormat': formats['markdown'], + 'HumanReadable': tableToMarkdown("Blueliv Tool info", human), + 'EntryContext': { + 'BluelivThreatContext.tool(val.id && val.id == obj.id)': { + 'id': toolId, + 'name': name, + 'description': description, + 'lastSeen': lastSeen, + 'campaigns': campaigns, + 'campaignIds': campaignIds, + 'signatures': signatures, + 'signatureIds': 
signatureIds, + 'threatActors': threatActors, + 'threatActorIds': threatActorIds + } + } + }) + else: + notFound() + else: + notFound() + + +def blueliv_signature(client: Client, args): + signatureName = args.get('signature', '') + signatureId = args.get('signature_id', '') + + if not signatureId: + signatureId = client.search_by_name('signature', signatureName) + + if signatureId: + result = client.get_signature_info(signatureId) + + if result: + name = demisto.get(result, "data.attributes.name") + signatureType = demisto.get(result, "data.attributes.type") + updatedAt = demisto.get(result, "data.attributes.updated_at") + + # MALWARE # + malwareIds = "" + malware = demisto.get(result, "data.relationships.malware.meta.count") + if malware: + malwareIds = client.get_relationships("signature", str(signatureId), "malware") + + human = getHuman(result) + demisto.results({ + "Type": entryTypes["note"], + 'Contents': result, + "ContentsFormat": formats["json"], + 'HumanReadable': tableToMarkdown("Blueliv Signature info", human), + 'ReadableContentsFormat': formats['markdown'], + 'EntryContext': { + 'BluelivThreatContext.signature(val.id && val.id == obj.id)': { + 'id': signatureId, + 'name': name, + 'type': signatureType, + 'updatedAt': updatedAt, + 'malware': malware, + 'malwareIds': malwareIds + } + } + }) + else: + notFound() + else: + notFound() + + +# Get inforamtion abouth the provided CVE code +def blueliv_cve(client: Client, args): + cveCode = args.get('CVE', '') + vulnId = args.get('CVE_id', '') + + if not vulnId: + vulnId = cveCode + + result = client.get_cve_info(vulnId) + + if result: + name = demisto.get(result, "data.attributes.name") + description = demisto.get(result, "data.attributes.description") + updatedAt = demisto.get(result, "data.attributes.updated_at") + score = demisto.get(result, "data.attributes.score") + exploitsTableData = demisto.get(result, "data.attributes.exploits") + platformsTableData = demisto.get(result, "data.attributes.platforms") 
+ + # ATTACK PATTERNS + attackPatternIds = "" + attackPatterns = demisto.get(result, "data.relationships.attack_patterns.meta.count") + if attackPatterns: + attackPatternIds = client.get_relationships("cve", str(vulnId), "attack-pattern") + + # SIGNATURES # + signatures = demisto.get(result, "data.relationships.signatures.meta.count") + signatureIds = "" + if signatures: + signatureIds = client.get_relationships("cve", str(vulnId), "signature") + + # TAGS # + tagIds = "" + tags = demisto.get(result, "data.relationships.tags.meta.count") + if tags: + tagIds = client.get_relationships("cve", str(vulnId), "tag") + + # CRIME SERVERS # + crimeServerIds = "" + crimeServers = demisto.get(result, "data.relationships.crime_servers.meta.count") + if crimeServers: + crimeServerIds = client.get_relationships("cve", str(vulnId), "crime-server") + + # SPARKS # + sparkIds = "" + sparks = demisto.get(result, "data.relationships.sparks.meta.count") + if sparks: + sparkIds = client.get_relationships("cve", vulnId, "spark") + + # MALWARE # + malwareIds = "" + malware = demisto.get(result, "data.relationships.malware.meta.count") + if malware: + malwareIds = client.get_relationships("cve", vulnId, "malware") + + human = getHuman(result) + demisto.results({ + "Type": entryTypes["note"], + 'Contents': result, + "ContentsFormat": formats["json"], + 'HumanReadable': tableToMarkdown("Blueliv CVE info", human), + 'ReadableContentsFormat': formats['markdown'], + 'EntryContext': { + 'BluelivThreatContext.cve(val.id && val.id == obj.id)': { + 'id': vulnId, + 'name': name, + 'description': description, + 'updatedAt': updatedAt, + 'score': score, + 'attackPatterns': attackPatterns, + 'attackPatternIds': attackPatternIds, + 'signatures': signatures, + 'signatureIds': signatureIds, + 'tags': tags, + 'tagIds': tagIds, + 'crimeServers': crimeServers, + 'crimeServerIds,': crimeServerIds, + 'sparks': sparks, + 'sparkIds': sparkIds, + 'malware': malware, + 'malwareIds': malwareIds, + 'exploits': 
exploitsTableData, + 'platforms': platformsTableData + } + } + }) + else: + notFound() + + +# DEMISTO command evaluation +def main(): + params = demisto.params() + server_url = params.get('url') + verify_ssl = not params.get('unsecure', '') + proxy = params.get('proxy') + username = params['credentials']['identifier'] + password = params['credentials']['password'] + + client = Client(server_url, verify_ssl, proxy, headers={'Accept': 'application/json'}) + token = client.authenticate(username, password) + + args = demisto.args() + if demisto.command() == 'test-module': + # Checks if the user is correctly authenticated. If the execution gets here all is correct. + demisto.results("ok") + + if demisto.command() == 'blueliv-authenticate': + demisto.results({ + "Type": entryTypes["note"], + 'Contents': token, + "ContentsFormat": formats["text"], + 'EntryContext': {'BluelivThreatContext.token': token} + }) + + elif demisto.command() == 'blueliv-tc-threat-actor': + blueliv_threatActor(client, args) + + elif demisto.command() == 'blueliv-tc-campaign': + blueliv_campaign(client, args) + + elif demisto.command() == 'blueliv-tc-malware': + blueliv_malware(client, args) + + elif demisto.command() == 'blueliv-tc-indicator-ip': + blueliv_indicatorIp(client, args) + + elif demisto.command() == 'blueliv-tc-indicator-fqdn': + blueliv_indicatorFqdn(client, args) + + elif demisto.command() == 'blueliv-tc-indicator-cs': + blueliv_indicatorCs(client, args) + + elif demisto.command() == 'blueliv-tc-attack-pattern': + blueliv_attackPattern(client, args) + + elif demisto.command() == 'blueliv-tc-tool': + blueliv_tool(client, args) + + elif demisto.command() == 'blueliv-tc-signature': + blueliv_signature(client, args) + + elif demisto.command() == 'blueliv-tc-cve': + blueliv_cve(client, args) + + +if __name__ in ('__main__', '__builtin__', 'builtins'): + main() 
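Review bot: `Client.search_by_name` interpolates the caller-supplied `value` into the gateway URL with no percent-encoding (only spaces are rewritten to `+`), so an argument such as `threatActor`, `FQDN` or `CS` containing `&`, `/` or `#` changes the request the gateway performs; `valueIP` and `vulnId` are likewise passed straight into `get_ip_info`/`get_cve_info` without validation. The same method indexes `result.get("data", [])[0]`, so a search with no match raises IndexError instead of reaching `notFound()`, and its fallback id `"0"` is truthy, so callers that check `if not threatActorId` proceed with a bogus lookup. The rewrite below encodes with `urllib.parse.quote` (add `from urllib.parse import quote` to the import block), replaces the substring tests `key in SEARCHABLE_BY_NAME` with exact list membership, and returns `""` when nothing matched. Separately, in the command functions: `blueliv_malware` calls `get_relationships("mwlware", ...)` (typo in the object name), `blueliv_indicatorIp` discards the result of the threat-actor lookup so `threatActorIds` is always empty, `blueliv_attackPattern` assigns the relationship ids to `cves` instead of `cveIds`, and `blueliv_cve` emits the context key `'crimeServerIds,'` with a stray comma. The `blueliv-authenticate` command also writes the session token into `BluelivThreatContext.token`, where it persists in incident context alongside the other outputs; confirm that exposure is intended.
```python
    def search_by_name(self, key, value):
        # Percent-encode the caller-supplied value so it cannot alter the
        # gateway path or add query parameters; '+' keeps the space handling.
        value = quote(value or '', safe='').replace('%20', '+')
        if key in SEARCHABLE_BY_NAME.split(','):
            url = "{}/?fuzzy_filter%5Bname%5D={}".format(key, value)
        elif key in SEARCHABLE_BY_HASH.split(','):
            url = "indicator/?fuzzy_filter%5Bvalue%5D={}".format(value)
        elif key == 'crime-server':
            url = "crime-server/?fuzzy_filter%5Bcrime_server_url%5D={}".format(value)
        elif key == 'fqdn':
            url = "fqdn/?fuzzy_filter%5Bdomain%5D={}".format(value)
        elif key == 'ip':
            url = "ip/?fuzzy_filter%5Baddress%5D={}".format(value)
        else:
            raise ValueError("unsupported search key: {}".format(key))

        data = self._query_gateway(url).get("data") or []
        # Empty id on no match so callers fall through to notFound()
        # instead of raising IndexError on data[0].
        return str(data[0].get("id", "")) if data else ""
```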
diff --git a/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/BluelivThreatContext.yml b/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/BluelivThreatContext.yml
new file mode 100644
index 000000000000..c330c03a1303
--- /dev/null
+++ b/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/BluelivThreatContext.yml
@@ -0,0 +1,754 @@ +category: Data Enrichment & Threat Intelligence +commonfields: + id: Blueliv ThreatContext + version: -1 +configuration: +- defaultvalue: https://demisto.blueliv.com/api/v2 + display: Server URL (e.g. https://demisto.blueliv.com/api/v2) + name: url + required: true + type: 0 +- display: Username + name: credentials + required: true + type: 9 +- defaultvalue: 'false' + display: Trust any certificate (not secure) + name: unsecure + required: false + type: 8 +- display: Use system proxy settings + hidden: false + name: proxy + required: false + type: 8 +description: The Threat Context module provides SOC, Incident Response, and Threat + Intelligence teams with continuously updated and intuitive information around threat + actors, campaigns, malware indicators, attack patterns, tools, signatures and CVEs. +display: Blueliv ThreatContext +name: Blueliv ThreatContext +script: + commands: + - deprecated: false + description: Authenticates and gets the API token. + execution: false + name: blueliv-authenticate + outputs: + - contextPath: BluelivThreatContext.token + description: Authentication token. + type: String + - arguments: + - default: false + description: Internal Blueliv malware hash ID. + isArray: false + name: hash_id + required: false + secret: false + - default: false + description: Malware file hash to search for. + isArray: false + name: hash + required: false + secret: false + deprecated: false + description: Gets information about malware, by ID. + execution: false + name: blueliv-tc-malware + outputs: + - contextPath: BluelivThreatContext.malware.hash.sha256 + description: File SHA256 hash. + type: String + - contextPath: BluelivThreatContext.malware.hash.sha1 + description: File SHA1 hash. + type: String + - contextPath: BluelivThreatContext.malware.hash.md5 + description: File MD5 hash. + type: String + - contextPath: BluelivThreatContext.malware.type + description: Malware type. 
+ type: String + - contextPath: BluelivThreatContext.malware.hasCandC + description: Whether there is an associated C&C. + type: Boolean + - contextPath: BluelivThreatContext.malware.memory + description: Malware memory. + type: String + - contextPath: BluelivThreatContext.malware.procMemory + description: Malware proc memory. + type: String + - contextPath: BluelivThreatContext.malware.analysisStatus + description: Malware analysis status. + type: String + - contextPath: BluelivThreatContext.malware.dropped + description: Malware dropped. + type: Boolean + - contextPath: BluelivThreatContext.malware.buffers + description: Malware buffers. + type: Boolean + - contextPath: BluelivThreatContext.malware.hasNetwork + description: Whether the malware has Network information. + type: Boolean + - contextPath: BluelivThreatContext.malware.risk + description: Malware associated risk. + type: Number + - contextPath: BluelivThreatContext.malware.campaigns + description: Malware related campaigns. + type: Number + - contextPath: BluelivThreatContext.malware.campaignIds + description: Malware related campaigns' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.malware.signatures + description: Malware signatures. + type: Number + - contextPath: BluelivThreatContext.malware.sigantureIds + description: Malware sigantures' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.malware.threatActors + description: Malware threat actors. + type: Number + - contextPath: BluelivThreatContext.malware.threatActorIds + description: Malware threat actors' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.malware.sources + description: Malware sources. + type: Number + - contextPath: BluelivThreatContext.malware.sourceIds + description: Malware sources' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.malware.tags + description: Malware tags. 
+ type: Number + - contextPath: BluelivThreatContext.malware.tagIds + description: Malware tags' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.malware.crimeServers + description: Malware related crime servers. + type: Number + - contextPath: BluelivThreatContext.malware.crimeServerIds + description: Malware crime servers' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.malware.fqdns + description: Malware FQDNs. + type: Number + - contextPath: BluelivThreatContext.malware.fqdnIds + description: Malware FQDNs internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.malware.types + description: Malware types. + type: Number + - contextPath: BluelivThreatContext.malware.typeIds + description: Malware types' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.malware.sparks + description: Malware sparks. + type: Number + - contextPath: BluelivThreatContext.malware.sparkIds + description: Malware sparks' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.malware.ips + description: Malware IP addresses. + type: Number + - contextPath: BluelivThreatContext.malware.ipIds + description: Malware IP addresses' internal IDs. + type: Unknown + - arguments: + - default: false + description: Internal Blueliv IP address ID. + isArray: false + name: IP_id + required: false + secret: false + - default: false + description: IP address to get information for. + isArray: false + name: IP + required: false + secret: false + deprecated: false + description: Gets information about an IP address. + execution: false + name: blueliv-tc-indicator-ip + outputs: + - contextPath: BluelivThreatContext.indicator.lastSeen + description: Indicator last seen date. + type: Date + - contextPath: BluelivThreatContext.indicator.risk + description: Indicator risk + type: Number + - contextPath: BluelivThreatContext.indicator.latitude + description: Indicator latitude. 
+ type: Number + - contextPath: BluelivThreatContext.indicator.longitude + description: Indicator longitude. + type: Number + - contextPath: BluelivThreatContext.indicator.countryId + description: Indicator countries' internal IDs. + type: Number + - contextPath: BluelivThreatContext.indicator.campaigns + description: Indicator campaigns. + type: Number + - contextPath: BluelivThreatContext.indicator.campaignIds + description: Indicator campaigns' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.indicator.signatures + description: Indicator signatures. + type: Number + - contextPath: BluelivThreatContext.indicator.signatureIds + description: Indicator signatures' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.indicator.threatActors + description: Indicator threat actors. + type: Number + - contextPath: BluelivThreatContext.indicator.threatActorIds + description: Indicator threat actors' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.indicator.tags + description: Indicator tags. + type: Number + - contextPath: BluelivThreatContext.indicator.tagIds + description: Indicator tags' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.indicator.fqdns + description: Indicator FQDNs. + type: Number + - contextPath: BluelivThreatContext.indicator.fqdnIds + description: Indicator FQDNs' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.indicator.sparks + description: Indicator sparks. + type: Number + - contextPath: BluelivThreatContext.indicator.sparkIds + description: Indicator sparks' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.indicator.bots + description: Indicator bots. + type: Number + - contextPath: BluelivThreatContext.indicator.botIds + description: Indicator bots' internal IDs. + type: Unknown + - arguments: + - default: false + description: CVE to get information for. 
+ isArray: false + name: CVE + required: false + secret: false + - default: false + description: Internal Blueliv CVE ID. + isArray: false + name: CVE_id + required: false + secret: false + deprecated: false + description: Gets information about a CVE. + execution: false + name: blueliv-tc-cve + outputs: + - contextPath: BluelivThreatContext.cve.name + description: CVE name. + type: String + - contextPath: BluelivThreatContext.cve.description + description: CVE description. + type: String + - contextPath: BluelivThreatContext.cve.updatedAt + description: Date the CVE was last updated. + type: Date + - contextPath: BluelivThreatContext.cve.score + description: CVE score. + type: Number + - contextPath: BluelivThreatContext.cve.attackPatterns + description: CVE attack patterns. + type: Number + - contextPath: BluelivThreatContext.cve.attackPatternIds + description: CVE attack patterns' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.cve.signatures + description: CVE signatures. + type: Number + - contextPath: BluelivThreatContext.cve.signatureIds + description: CVE signatures' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.cve.tags + description: CVE tags. + type: Number + - contextPath: BluelivThreatContext.cve.tagIds + description: CVE tags' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.cve.crimeServers + description: CVE crime servers. + type: Number + - contextPath: BluelivThreatContext.cve.crimeServerIds + description: CVE crime servers' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.cve.sparks + description: CVE sparks. + type: Number + - contextPath: BluelivThreatContext.cve.sparkIds + description: CVE sparks' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.cve.malware + description: CVE malware. + type: Number + - contextPath: BluelivThreatContext.cve.malwareIds + description: CVE malwares' internal IDs. 
+ type: Unknown + - contextPath: BluelivThreatContext.cve.exploits + description: CVE exploits. + type: Number + - contextPath: BluelivThreatContext.cve.platforms + description: CVE platforms. + type: Unknown + - arguments: + - default: false + description: Internal Blueliv FQDN ID. + isArray: false + name: FQDN_id + required: false + secret: false + - default: false + description: FQDN to get information for. + isArray: false + name: FQDN + required: false + secret: false + deprecated: false + description: Gets information about an FQDN. + execution: false + name: blueliv-tc-indicator-fqdn + outputs: + - contextPath: BluelivThreatContext.indicator.lastSeen + description: Date the indicator was last seen. + type: Date + - contextPath: BluelivThreatContext.indicator.risk + description: Indicator risk. + type: Number + - contextPath: BluelivThreatContext.indicator.campaigns + description: Indicator campaigns. + type: Number + - contextPath: BluelivThreatContext.indicator.campaignIds + description: Indicator campaigns' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.indicator.signatures + description: Indicator signatures. + type: Number + - contextPath: BluelivThreatContext.indicator.signatureIds + description: Indicator signatures' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.indicator.threatActors + description: Indicator threat actors. + type: Number + - contextPath: BluelivThreatContext.indicator.threatActorIds + description: Indicator threat actors' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.indicator.tags + description: Indicator tags. + type: Number + - contextPath: BluelivThreatContext.indicator.tagIds + description: Indicator tags' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.indicator.crimeServers + description: Indicator crime servers. + type: Number + - contextPath: BluelivThreatContext.indicator.crimeServerIds + description: Indicator crime servers' internal IDs. 
+ type: Unknown + - contextPath: BluelivThreatContext.indicator.sparks + description: Indicator sparks. + type: Number + - contextPath: BluelivThreatContext.indicator.sparkIds + description: Indicator sparks' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.indicator.ips + description: Indicator IP addresses. + type: Number + - contextPath: BluelivThreatContext.indicator.ipIds + description: Indicator IP addresses' internal IDs. + type: Unknown + - arguments: + - default: false + description: Internal Blueliv Crime Server ID. + isArray: false + name: CS_id + required: false + secret: false + - default: false + description: The name of the Crime Server to get information for. + isArray: false + name: CS + required: false + secret: false + deprecated: false + description: Gets information about a Crime Server. + execution: false + name: blueliv-tc-indicator-cs + outputs: + - contextPath: BluelivThreatContext.indicator.lastSeen + description: Date the indicator was last seen. + type: Date + - contextPath: BluelivThreatContext.indicator.status + description: Indicator status. + type: String + - contextPath: BluelivThreatContext.indicator.risk + description: Indicator risk. + type: Number + - contextPath: BluelivThreatContext.indicator.isFalsePositive + description: Whether the indicator is a false positive. + type: Boolean + - contextPath: BluelivThreatContext.indicator.crimeServerUrl + description: Indicator Crime Server URL. + type: String + - contextPath: BluelivThreatContext.indicator.creditCardsCount + description: Indicator credit cards count. + type: Number + - contextPath: BluelivThreatContext.indicator.credentialsCount + description: Indicator credentials count. + type: Number + - contextPath: BluelivThreatContext.indicator.botsCount + description: Indicator bots count. + type: Number + - contextPath: BluelivThreatContext.indicator.fqdnId + description: Indicator FQDNs internal IDs. 
+ type: Unknown + - contextPath: BluelivThreatContext.indicator.malware + description: Indicator malware. + type: Number + - contextPath: BluelivThreatContext.indicator.malwareIds + description: Indicator malware internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.indicator.tags + description: Indicator tags. + type: Number + - contextPath: BluelivThreatContext.indicator.tagIds + description: Indicator tags' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.indicator.sparks + description: Indicator sparks. + type: Number + - contextPath: BluelivThreatContext.indicator.sparkIds + description: Indicator sparks' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.indicator.sources + description: Indicator sources. + type: Number + - contextPath: BluelivThreatContext.indicator.sourceIds + description: Indicator sources' internal IDs. + type: Unknown + - arguments: + - default: false + description: Threat actor to get information for. + isArray: false + name: threatActor + required: false + secret: false + - default: false + description: Internal Blueliv Threat Actor ID. + isArray: false + name: threatActor_id + required: false + secret: false + deprecated: false + description: Gets information about a Threat Actor. + execution: false + name: blueliv-tc-threat-actor + outputs: + - contextPath: BluelivThreatContext.threatActor.name + description: Threat actor name. + type: String + - contextPath: BluelivThreatContext.threatActor.description + description: Threat actor description. + type: String + - contextPath: BluelivThreatContext.threatActor.objective + description: Threat actor objective. + type: String + - contextPath: BluelivThreatContext.threatActor.sophistication + description: Threat actor sophistication. + type: String + - contextPath: BluelivThreatContext.threatActor.lastSeen + description: Date the threat actor was last seen. 
+ type: Date + - contextPath: BluelivThreatContext.threatActor.active + description: Threat actor active. + type: Boolean + - contextPath: BluelivThreatContext.threatActor.milestones + description: Threat actor milestones. + type: Number + - contextPath: BluelivThreatContext.threatActor.milestoneIds + description: Threat actor milestones' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.threatActor.tools + description: Threat actor tools. + type: Number + - contextPath: BluelivThreatContext.threatActor.toolIds + description: Threat actor tools' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.threatActor.campaigns + description: Threat actor campaigns. + type: Number + - contextPath: BluelivThreatContext.threatActor.campaignIds + description: Threat actor campaigns' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.threatActor.signatures + description: Threat actor signatures. + type: Number + - contextPath: BluelivThreatContext.threatActor.signatureIds + description: Threat actor signatures' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.threatActor.onlineServices + description: Threat actor online services. + type: Number + - contextPath: BluelivThreatContext.threatActor.onlineServiceIds + description: Threat actor online services' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.threatActor.malware + description: Threat actor malware. + type: Number + - contextPath: BluelivThreatContext.threatActor.malwareIds + description: Threat actor malware internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.threatActor.threatTypes + description: Threat actor threat types. + type: Number + - contextPath: BluelivThreatContext.threatActor.threatTypeIds + description: Threat actor threat types' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.threatActor.fqdns + description: Threat actor FQDNs. 
+ type: Number + - contextPath: BluelivThreatContext.threatActor.fqdnIds + description: Threat actor FQDNs' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.threatActor.attackPatterns + description: Threat actor attack patterns. + type: Number + - contextPath: BluelivThreatContext.threatActor.attackPatternIds + description: Threat actor attack patterns' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.threatActor.ips + description: Threat actor IP addresses. + type: Number + - contextPath: BluelivThreatContext.threatActor.ipIds + description: Threat actor IP addresses' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.threatActor.targets + description: Threat actor targets. + type: Number + - contextPath: BluelivThreatContext.threatActor.targetIds + description: Threat actor targets' internal IDs. + type: Unknown + - arguments: + - default: false + description: Name of the campaign to get information for. + isArray: false + name: campaign + required: false + secret: false + - default: false + description: Blueliv internal campaign ID. + isArray: false + name: campaign_id + required: false + secret: false + deprecated: false + description: Gets information about a campaign. + execution: false + name: blueliv-tc-campaign + outputs: + - contextPath: BluelivThreatContext.campaign.name + description: Campaign name. + type: String + - contextPath: BluelivThreatContext.campaign.description + description: Campaign description. + type: String + - contextPath: BluelivThreatContext.campaign.lastSeen + description: Date the campaign was last seen. + type: Date + - contextPath: BluelivThreatContext.campaign.botnets + description: Campaign botnets. + type: Number + - contextPath: BluelivThreatContext.campaign.botnetIds + description: Campaign botnets' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.campaign.signatures + description: Campaign signatures. 
+ type: Number + - contextPath: BluelivThreatContext.campaign.signatureIds + description: Campaign signatures' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.campaign.ips + description: Campaign IP addresses. + type: Number + - contextPath: BluelivThreatContext.campaign.ipIds + description: Campaign IP addresses' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.campaign.malware + description: Campaign malware. + type: Number + - contextPath: BluelivThreatContext.campaign.malwareIds + description: Campaign malware internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.campaign.attackPatterns + description: Campaign attack patterns. + type: Number + - contextPath: BluelivThreatContext.campaign.attackPatternIds + description: Campaign attack patterns' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.campaign.tools + description: Campaign tools. + type: Number + - contextPath: BluelivThreatContext.campaign.toolIds + description: Campaign tools' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.campaign.fqdns + description: Campaign FQDNs. + type: Number + - contextPath: BluelivThreatContext.campaign.fqdnIds + description: Campaign FQDNs' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.campaign.threatActorId + description: Campaign threat actors' internal IDs. + type: Number + - arguments: + - default: false + description: The name of the Attack Pattern name to get information for. + isArray: false + name: attackPattern + required: false + secret: false + - default: false + description: Interanl Blueliv ID for the Attack Pattern. + isArray: false + name: attackPattern_id + required: false + secret: false + deprecated: false + description: Gets information about an Attack Pattern. + execution: false + name: blueliv-tc-attack-pattern + outputs: + - contextPath: BluelivThreatContext.attackPattern.name + description: Attack pattern name. 
+ type: String + - contextPath: BluelivThreatContext.attackPattern.description + description: Attack pattern description. + type: String + - contextPath: BluelivThreatContext.attackPattern.updatedAt + description: Date the attack pattern was last updated. + type: Date + - contextPath: BluelivThreatContext.attackPattern.severity + description: Attack pattern severity. + type: String + - contextPath: BluelivThreatContext.attackPattern.signatures + description: Attack pattern signatures. + type: Number + - contextPath: BluelivThreatContext.attackPattern.signatureIds + description: Attack pattern signatures' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.attackPattern.campaigns + description: Attack pattern campaigns. + type: Number + - contextPath: BluelivThreatContext.attackPattern.campaignIds + description: Attack pattern campaigns'. internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.attackPattern.threatActors + description: Attack pattern threat actors. + type: Number + - contextPath: BluelivThreatContext.attackPattern.threatActorIds + description: Attack pattern threat actors'. internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.attackPattern.cves + description: Attack pattern CVEs. + type: Number + - contextPath: BluelivThreatContext.attackPattern.cveIds + description: Attack pattern CVEs' internal IDs. + type: Unknown + - arguments: + - default: false + description: The name of the tool to get information for. + isArray: false + name: tool + required: false + secret: false + - default: false + description: Internal Blueliv ID of the tool. + isArray: false + name: tool_id + required: false + secret: false + deprecated: false + description: Gets information about a Tool. + execution: false + name: blueliv-tc-tool + outputs: + - contextPath: BluelivThreatContext.tool.name + description: Tool name. + type: String + - contextPath: BluelivThreatContext.tool.description + description: Tool description. 
+ type: String + - contextPath: BluelivThreatContext.tool.lastSeen + description: Date the tool was last seen. + type: Date + - contextPath: BluelivThreatContext.tool.campaigns + description: Tool campaigns. + type: Number + - contextPath: BluelivThreatContext.tool.campaignIds + description: Tool campaigns' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.tool.signatures + description: Tool signatures. + type: Number + - contextPath: BluelivThreatContext.tool.signatureIds + description: Tool signatures' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.tool.threatActors + description: Tool threat actors. + type: Number + - contextPath: BluelivThreatContext.tool.threatActorIds + description: Tool threat actors' internal IDs. + type: Unknown + - arguments: + - default: false + description: Name of the signature to get information for. + isArray: false + name: signature + required: false + secret: false + - default: false + description: Internal Blueliv ID for the signature. + isArray: false + name: signature_id + required: false + secret: false + deprecated: false + description: Gets information about a Signature. + execution: false + name: blueliv-tc-signature + outputs: + - contextPath: BluelivThreatContext.signature.name + description: Signature name. + type: String + - contextPath: BluelivThreatContext.signature.updatedAt + description: Date the signature was last updated. + type: Date + - contextPath: BluelivThreatContext.signature.ipIds + description: Signature IP addresses' internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.signature.malware + description: Signature malware. + type: Number + - contextPath: BluelivThreatContext.signature.malwareIds + description: Signature malware internal IDs. + type: Unknown + - contextPath: BluelivThreatContext.signature.type + description: Signature type. 
+ type: String + dockerimage: demisto/python3:3.8.3.9324 + feed: false + isfetch: false + longRunning: false + longRunningPort: false + runonce: false + script: '-' + subtype: python3 + type: python +fromversion: 5.0.0 diff --git a/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/BluelivThreatContext_description.md b/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/BluelivThreatContext_description.md new file mode 100644 index 000000000000..402213af8396 --- /dev/null +++ b/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/BluelivThreatContext_description.md 
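Review bot: The `blueliv-authenticate` command declares `BluelivThreatContext.token` as a plain `String` output, so a live API token is persisted into incident context (and, per the `main()` branch earlier in this diff, also emitted as a war-room note entry), where anyone with read access to the incident can recover the credential. Unless playbooks genuinely need the raw token, drop the context output and keep the token inside the `Client`; if it must stay, state the exposure in the output description, e.g. `description: Authentication token. Stored in plain text in incident context; use only in playbooks that require it.` Separately, the context path `BluelivThreatContext.malware.sigantureIds` appears misspelled next to `signatureIds` used by every other command, so playbooks keyed on this YAML will never match if the Python side emits the correctly spelled key — worth confirming against the `blueliv_malware` implementation, which is outside this hunk. The `attackPattern_id` description also has a typo: `description: Internal Blueliv ID for the Attack Pattern.`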
@@ -0,0 +1,45 @@
+## Overview
+---
+Use Blueliv ThreatContext integration to get threats information
+
+## To set up Blueliv ThreatContext to work with Cortex XSOAR:
+---
+
+You need the following information:
+
+1. platform credentials
+2. your tenant URL
+3. Specify proxy server (if required)
+
+## To set up the integration on Cortex XSOAR:
+---
+
+1. Navigate to __Settings__ > __Integrations__ > __Servers & Services__.
+2. Search for Blueliv ThreatContext integration.
+3. Click __Add instance__ to create and configure a new integration instance.
+ * __Name__: a textual name for the integration instance.
+ * __Server URL (e.g., https://mytenant.blueliv.com)__
+ * __Username__
+ * __Password__
+ * __Trust any certificate (not secure)__
+ * __Use system proxy settings__
+
+4. Click __Test__ to validate the URLs, token, and connection.
+
+## Fetched Incidents Data
+---
+
+## Use Cases
+---
+1. Get attack patterns information
+2. Get malware campaigns information
+3. Get information about specific CVE
+4. Get information about crimeservers (C&C)
+5. Get information about differnt indicators of compromise like IPs, FQDN,hashes...
+6. Get information about malware signatures
+7. Get information about threat actors
+8. Get information about hacking tools
+
+## Known Limitations
+---
+Currently is not possible to create a user with a passwod that doesn't expire, so you need to remember to change the password and update the integration credentials used to generate the token.
\ No newline at end of file
diff --git a/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/BluelivThreatContext_image.png b/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/BluelivThreatContext_image.png new file mode 100644 index 0000000000000000000000000000000000000000..ca790faca385a2203c0e09aebbb1f346913ded0a GIT binary patch literal 4907 zcmV+`6V&X9P)`Pkw7w2zeRZz%2d|Gl$! zJ`=HWg#k=bAn|{e_{qs&kR<$5?xCF!Ij|r1R5Ji$&KX?a|1IR(x8d2cB`UXR%kOt( z@PF2Z9RSY1b`1@hwN}a59g5a6G(*)&6)-wF8e?N$gTded(B{aP8AE=4J{q)WV+R;A zdUolARY}X}w*TRam`p}`MkabjL}~zLh#eV)=~LoBBy{84Pq;ZN9)_Yq?&ua-g6FVd zsNAgwWZ5;V{TZ9SuK>%8aoXzFCk*ow;$hGe6A1LKT)A>5z@eS6YWYJ7Fc@N^qcCGi z94wLn2$UhzPRKsta?{5Ip0IkONM z(a%P|k0ih&qA+7>9E{9@>mSC${KH8|JQq<v81xb< z`Bc^zg+2LVij3R0Z^L9V@r@~xBC<*7P^Wfn?A!G@JoF-g5&*Z;P&Cl?|F3(r1X>yZc8!X&Vgn@#>` z!Wei~3*pN+c*+O@)*N3L%{Km|c>gSG!Ef zEugZ7f`{2;!i5VLke8RopW)}{hZ;3%z~JGbiWBr~ZQ15Ji>AfJs1z+S5L$}Dbp%Q@ z`DaWB9zq*nU_20$<1k)F(~9IWf-{|=0>z>1G%*Pj^xUmHO3$JhcuWm$+z4Nm0kFWA zVbSsx_<-s}j*7%T+puyOLOOMF17HQItJ1Lbi=9xItm-8U@w29(e!Y5k0IV>E$?s0Z z>6{!$ik{!E*Xgh^Ed?GP9uB1p0Z!@PZ|5&yMe0gy-?ayqE?$B{U{C=h$sFX+&M)G% zkt0y=x!O*2T1uHjS+tsD(SHAR`ZVI+dmoG$1iBLN_lVvYGH@VDjKvrlJsL&DMpz)h zz|8RUu7H(EiKtYuqD$xDrRBA2cr_*lMx))jYd%#COXep)){}vhPy6=_FfF90s0cm! z4#4+0=Rl;3+M4y3?kTu@_#)Q$BJmGcDF{8%5fo){Ksu$Cq(vlaUTWA;804oYMY}tzO zZ@mMVj9$IQjgH2OP0$h4Wo5!UBf#xw%-fBoW85z9S-1 z!I9CqeQT`$GzmJLu;{X~XhLw>tdEhHvdR{#2%Mdp*SQ3kF$G}*B9U?8gbgqc0{B#h z4PZ`h7Bgmi{0Ww&q}cAW+KN>*rK-lkei%dKpn;e-YZ`Pq0$C`_cL*I$9(*)C9lZt( zaq#|0fB_QsW1vrX7?%Dcf&bY#3|SO2hD68Un|=GaL~4-? zkYT~0-8)dHcAa~rXvaEOA|rOe2He;9=l0l1f2-)_jjjJ&hb9f{LXt#0D;r>7+N{|~ zOj&6=pz;7FRVg#e4lsG}&l-R!$xB)FDW=YxO|r1PR9Pj>9*KS`=Y}? 
z_|*>l<;eiIJh(i7DFK@{dk&J8r#cv1O5y_a?B3%J4_>`)J>HlygNHkjv@y(?J_S+3 zhu)R8eUD0(Q~yu3fVM4yv2^hQJQ?6;Ynk0&fGr4%7=nz<6EZD zIKx?s)>1Si9LY#W??FQx5+5x^lQDh&<4*|b)elhYVo~qzU6HhSzFHBG%~6613>XrH z!$*(vKU3VU;B7$0{;yFjkPOcK%RLV!j&qr?Y4bQudyz?K+Mq7BY+MVUN|o+EMZ=7q z1BN0i^CTBntR8%p0QU4kVPPSfwrbD+&+(FUXw#w@K3lUIUItOB5G&odaTA-jZAa>w zHOR^N*?wvqUfO(5iv7l?;2xMpfV0)Ku#fr!}ybr#W zefg>g;ER{?(7atIo*)VXl@Qi71Sv}v@#OVxu5tkm2nfKSzF|B@I4jh&nEWgGICktf ze!Y0n_FmGYb&462CXU6V3FH4%fW5uEap=$?3>fl?!#SiZPehMU5?vU6`OkTzt>1`E zoBoL_1=qQ^QsQI1NS2_OS3RH#j_m&m-rg0FnVIF-O>*|&asU>VW=8U=G)$fOvBsDr zBrS|budp!aWC3vM%1<$6=4{(N7D++cvP5(Z?R?j*)iNlW>rrUdn3Sx|E{(=Iu2)=K zjJW9^VC}|Dyx~B$eKgu1i;3x|k1%r`)Z^W>{m_2>!9~uF=ZvazSGCU?0dv<^0kR`58T7<4$LUH-(p9k=wrOEg({u2%B zIH)9cfSH79{#AHeb8uuN{#x@XAuVc*fY(&z)xmB8Y<=;LUAqt!GlAE#6bdMlT9Pmu z{riPu`SKJ@pA!$OdQC?0)#sb>e3SY-mvBeD($a02TC}@TB|T74%y=bs9Cm%V&o;Y6 zpC>PxhwvU@<#@1ynX~6&adL{o#t%m-hVK%zWbL=yS7ubC$@dD z1Ea=IWla$ctUn}kl9F^hE0c>W zR;`-|-6mDuCBTKZZ=+R*5M0c^rlxy9NT&{1ot%j9z5|h&{e!w^CKA2fyKM7aMkb^Z zx&*f$ly7%oK*WX*01RZJn)6 zOd9&;b*s^Lz~5o!jUEBe`)|FDaj`Krz$me1R2cIc?1>@O*`$AP!<1A#+<7kA8DJ(W zXx^yoW&_zrNl6K&e>4{>($)ywR4rXdaXEGT0IK=)M4q7I z_tH<=hR-l}-h41V07zcT@NBJTuz6D&^h|$WJ(wst>r^&+^o_8|yR?UT&(+15GdZf! 
zD$pAYIJR#$YSyS}4=aj-pKlf7)vX6%guPK=(Ob~tDPK%|AqaYn(p9F=K{OQT=Z`); zyYm;^Q6@=ZTJreubez9%30wvg$HNnd;Gm}XV#`L3_vQR6XjsNX$HlzM2!0_1Mq{yt zUKDic^dcsVACG5h{S8;I7GT4M4M383 zU}_w~!+VL0lmUfBMMzt}9v{Zfhsk8-2QK z+>2fHe4PO{navnEW*olUy_bs?wu>=T^AEstwQKW+?dh{QxKeP{;hAKRf2&yoU+>%s zUmx<4`wg%tnf|eC1wNXapaEF3OfV!S%tgPx;ST*^GQFIFTWGrS8<;h{Wa`4bQYR40 z!&*7?nB4+cZD;ehYxQTXh;P+|MYv;#9M~W8W`D@zTzLTVem*nfr<`+msZW1UT`ew+ z(P$F~7vH*Y2AJYg{?!}k7dZq!p0TS`qzX|8<6%t9r;B}Qo>{@m8yi=zK=bB75W>;@ z1=u?8cK$*hf;$Ms%GqeE_*O*bp#$*sp#;!AfM5eSbuUa>fT3VSooZzRe6`>j>IJpp zVg=0{Xk5wFA4LO%dxts&LCppU7&-K1y!Y-Dco?ibRpG()G!#ul*n{Sxlb5Q7BWQ8c z_AfAD(qt5y6h66N6;rH|Btb!n&tGdkjbH!sn|QY*Vz9Pd$R|B0G!ztI^q7e_bo4kB znZTv5n5a`DR&Xhyq}aHC#8bKCIKDv> z9%l;*(KPidn6*?4hT(MrkQCO&p~>Um!31zaQjVC8Pjk3?(KJP%zdzcyZH?hW2P3Fy zQ-_Iu>)?As&EUJtBy#7y|{x)E(w?1fRbV41Kl=mi8im?H=y{FwHCdntPsS z!jAM?Hq@lV_*SU`FY;LH0Gj4ktdkYLozHc6Pz7&qkk+kp7%3H5t+6Fjsy@LzhW|V1@fzCnsq72C zDpeq>Lj$f(v81F3zx{rZPl8y(1Q|??8r7kbb;27ptYD%DXfos9#YOPcQn#eQSJK0u zhU_&B2?u~hNo?)@-c8qn#$`nYEf(pr_2ig_tAlxhfgJA_?N9q!#1qMLM2<_tfMkK% zDG2f9wo=}!c4@4!R@)yI>Hs~i?Dg~KtI=AGDS}YdK|k?+O;A_A3c%~^GS9@K8OF1k zfLNic{czz$5oW0M3o9G((SXuC*j-9~eBZ-!0*}7{{_tS+hgSL+;6HS156>?>2KeE@ d>JP2-{{h{egC*^SHdX)t002ovPDHLkV1h=YW>EkD literal 0 HcmV?d00001 diff --git a/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/BluelivThreatContext_test.py b/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/BluelivThreatContext_test.py new file mode 100644 index 000000000000..7b3c707f2e96 --- /dev/null +++ b/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/BluelivThreatContext_test.py 
@@ -0,0 +1,1348 @@ +import demistomock as demisto +from BluelivThreatContext import Client, blueliv_threatActor, blueliv_campaign, blueliv_malware, blueliv_indicatorIp, \ + blueliv_indicatorFqdn, blueliv_indicatorCs, blueliv_attackPattern, blueliv_tool, \ + blueliv_signature, blueliv_cve + + +def test_blueliv_threatActor(mocker, requests_mock): + blueliv_response = { + "data": { + "attributes": { + "active": True, + "aliases": [ + "Vendetta" + ], + "country_name": "Italy", + "created_at": "2020-06-10T11:23:22.584500Z", + "description": "Vendetta is a threat actor based on Italy or Turkey discovered in April 2020", + "first_seen": "2020-04-01T00:00:00Z", + "ioc_link": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/ioc/", + "last_seen": "2020-06-15T00:00:00Z", + "modus_operandi": "Vendetta uses well designed phishing campaigns to target businessuals. ", + "name": "Vendetta", + "objective": "This threat actor appears to be focused on stealing informatio using.", + "references": [ + { + "link": "https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/", + "title": "Vendetta-new threat actor from Europe" + }, + { + "link": "https://business.blogthinkbig.com/vendetta-group-covid-19-phishing-emails/", + "title": "Vendetta Group and the COVID-19 Phishing Emails" + } + ], + "sophistication": "intermediate", + "tlp": "white", + "types": [ + "hacker" + ], + "updated_at": "2020-06-16T08:57:08.536868Z", + "uuid": None + }, + "id": "232", + "links": { + "self": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/" + }, + "relationships": { + "attack_patterns": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/attack-pattern/", + "self": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/relationships/attack-pattern/" + }, + "meta": {"count": 0} + }, + "campaigns": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/campaign/", + "self": 
"https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/relationships/campaign/" + }, + "meta": {"count": 0} + }, + "country": { + "data": { + "id": "108", + "type": "Country" + }, + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/country/108/" + } + }, + "cves": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/cve/", + "self": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/relationships/cve/" + }, + "meta": {"count": 0} + }, + "fqdns": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/fqdn/", + "self": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/relationships/fqdn/" + }, + "meta": {"count": 0} + }, + "ips": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/ip/", + "self": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/relationships/ip/" + }, + "meta": {"count": 0} + }, + "malware": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/malware/", + "self": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/relationships/malware/" + }, + "meta": {"count": 0} + }, + "milestones": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/milestone/", + "self": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/relationships/milestone/" + }, + "meta": {"count": 0} + }, + "online_services": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/online-service/", + "self": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/relationships/online-service/" + }, + "meta": {"count": 0} + }, + "signatures": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/signature/", + "self": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/relationships/signature/" + }, + "meta": {"count": 0} + }, + "targets": { + "links": { + "related": 
"https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/target/", + "self": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/relationships/target/" + }, + "meta": {"count": 0} + }, + "threat_types": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/threat-type/", + "self": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/relationships/threat-type/" + }, + "meta": {"count": 0} + }, + "tools": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/tool/", + "self": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/relationships/tool/" + }, + "meta": {"count": 0} + } + }, + "type": "ThreatActor" + } + } + mocker.patch.object(demisto, 'results') + requests_mock.register_uri('POST', 'https://tctrustoylo.blueliv.com/api/v2/gateway', json=blueliv_response) + + client = Client(base_url='https://tctrustoylo.blueliv.com/api/v2', verify=False) + args = {"threatActor_id": 232} + blueliv_threatActor(client, args) + + results = demisto.results.call_args[0][0] + + entry_context = results.get('EntryContext', {}) + ind = entry_context.get('BluelivThreatContext.threatActor(val.name && val.id == obj.id)', {}) + assert demisto.get(ind, "sophistication") == "intermediate" + assert str(demisto.get(ind, "lastSeen")) == "2020-06-15T00:00:00Z" + + +def test_blueliv_campaign(mocker, requests_mock): + blueliv_response = { + "data": { + "attributes": { + "created_at": "2020-05-28T21:24:11.307288Z", + "description": "\u003cp\u003eA distribution campaign for the GRANDOREIRO banking Trojan.", + "first_seen": "2020-04-16T00:00:00Z", + "ioc_link": "https://tctrustoylo.blueliv.com/api/v1/campaign/152/ioc/", + "last_seen": "2020-05-28T00:00:00Z", + "name": "2020 Grandoreiro campaign against banks in LATAM, Portugal and Spain", + "tlp": "white", + "updated_at": "2020-05-28T23:58:36.883515Z", + "uuid": None + }, + "id": "152", + "links": { + "self": "https://tctrustoylo.blueliv.com/api/v1/campaign/152/" + }, + 
"relationships": { + "attack_patterns": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/campaign/152/attack-pattern/", + "self": "https://tctrustoylo.blueliv.com/api/v1/campaign/152/relationships/attack-pattern/" + }, + "meta": {"count": 0} + }, + "botnets": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/campaign/152/botnet/", + "self": "https://tctrustoylo.blueliv.com/api/v1/campaign/152/relationships/botnet/" + }, + "meta": {"count": 0} + }, + "cves": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/campaign/152/cve/", + "self": "https://tctrustoylo.blueliv.com/api/v1/campaign/152/relationships/cve/" + }, + "meta": {"count": 0} + }, + "fqdns": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/campaign/152/fqdn/", + "self": "https://tctrustoylo.blueliv.com/api/v1/campaign/152/relationships/fqdn/" + }, + "meta": {"count": 0} + }, + "ips": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/campaign/152/ip/", + "self": "https://tctrustoylo.blueliv.com/api/v1/campaign/152/relationships/ip/" + }, + "meta": {"count": 0} + }, + "malware": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/campaign/152/malware/", + "self": "https://tctrustoylo.blueliv.com/api/v1/campaign/152/relationships/malware/" + }, + "meta": {"count": 0} + }, + "signatures": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/campaign/152/signature/", + "self": "https://tctrustoylo.blueliv.com/api/v1/campaign/152/relationships/signature/" + }, + "meta": {"count": 0} + }, + "threat_actor": { + "data": { + "id": "226", + "type": "ThreatActor" + }, + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/226/" + } + }, + "tools": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/campaign/152/tool/", + "self": "https://tctrustoylo.blueliv.com/api/v1/campaign/152/relationships/tool/" + }, + "meta": {"count": 0} + } + }, + "type": "Campaign" 
+ } + } + + mocker.patch.object(demisto, 'results') + requests_mock.register_uri('POST', 'https://tctrustoylo.blueliv.com/api/v2/gateway', json=blueliv_response) + + client = Client(base_url='https://tctrustoylo.blueliv.com/api/v2', verify=False) + args = {"campaign_id": 152} + blueliv_campaign(client, args) + + results = demisto.results.call_args[0][0] + + entry_context = results.get('EntryContext', {}) + ind = entry_context.get('BluelivThreatContext.campaign(val.id && val.id == obj.id)', {}) + assert demisto.get(ind, "name") == "2020 Grandoreiro campaign against banks in LATAM, Portugal and Spain" + assert demisto.get(ind, "threatActorId") == "226" + + +def test_blueliv_malware(mocker, requests_mock): + blueliv_response = { + "data": { + "attributes": { + "analysis_date": "2020-06-15T16:30:22.770000Z", + "analysis_delivered_date": "2020-06-15T16:22:00.220000Z", + "analysis_signatures": [ + "Signature severity - Informative", + "Signature severity - Malicious" + ], + "analysis_status": "FINISHED_SUCCESSFULLY", + "at_afapi": True, + "behaviors": [], + "buffers": False, + "cerberus": 0.9645, + "created_at": "2020-06-15T16:27:20.074884Z", + "created_at_afapi": "2020-06-15T16:21:38.209000Z", + "dropped": False, + "file_type": "PE", + "first_seen": "2020-06-15T16:21:38.209000Z", + "has_c_and_c": False, + "has_network": True, + "has_other_urls": False, + "hash": "ad53660b6d7e8d2ed14bd59b39e1f265148e3c6818a494cce906e749976bade1", + "ioa": { + "attack_patterns": [ + { + "id": "T1022", + "name": "Data Encrypted" + }, + { + "id": "T1093", + "name": "Process Hollowing" + } + ], + "certificates": [], + "connections": { + "tcp": [], + "tcp_dead": [ + "25.20.116.113:957", + "103.143.173.25:80" + ], + "udp": [] + }, + "domain": [], + "email": [], + "host": [ + "25.20.116.113", + "103.143.173.25" + ], + "ip": [ + "25.20.116.113", + "103.143.173.25", + "192.168.56.102" + ], + "metadata": { + "crc32": { + "original": "B7CACEE9", + "unpacked": {} + }, + "file_type": { + "original": 
"PE32 executable (GUI) Intel 80386, for MS Windows", + "unpacked": {} + }, + "names": { + "author": [], + "common_name": [], + "company_name": None, + "country": [], + "creator": [], + "internal_name": None, + "legal_copyright": None, + "legal_trademarks": None, + "locality": [], + "organization": [], + "organizational_unit": [], + "original_filename": None, + "private_build": None, + "producer": [], + "product_name": None, + "special_build": None, + "subject": [], + "title": [] + }, + "pe_imphash": "e5b4359a3773764a372173074ae9b6bd", + "pe_timestamp": "2012-06-07 17:59:53", + "peid_signatures": [], + "postal_code": None, + "signing_date": "", + "ssdeep": { + "original": "12288:f9HFJ9rJxRX1uVVjoaWSoynxdO1FxuVVjfFoynPaVBUR8f+kN10EBO", + "unpacked": {} + } + }, + "mutex": [ + "DCPERSFWBP", + "DC_MUTEX-K5CAEA3", + "Local\\MSCTF.Asm.MutexDefault1" + ], + "path": { + "filepaths": { + "directory_created": [ + "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Windows\\Caches" + ], + "directory_enumerated": [], + "directory_queried": [ + "C:\\Users\\Administrator", + "C:\\Users" + ], + "directory_removed": [], + "dll_loaded": [ + "kernel32", + "OLEACC.dll" + ], + "file_copied": [ + "C:\\Users\\Administrator\\Documents\\MSDCSC\\msdcsc.exe" + ], + "file_created": [ + "C:\\Windows\\System32\\oleaccrc.dll", + "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" + ], + "file_deleted": [], + "file_exists": [ + "C:\\Windows\\System32\\oleaccrc.dll", + "C:\\Users\\Administrator\\Documents\\MSDCSC" + ], + "file_moved": [], + "file_opened": [ + "C:\\Windows\\System32\\oleaccrc.dll", + "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" + ], + "file_read": [ + "C:\\Users\\desktop.ini", + "C:\\Users\\Administrator\\Documents\\desktop.ini" + ], + "file_written": [] + }, + "pdb_path": [] + }, + "ports": { + "tcp": [], + "tcp_dead": [ + 80, + 957 + ], + "udp": [] + }, + "process_name": [ + "msdcsc.exe", + 
"sXPFvH.exe", + "notepad.exe" + ], + "registry": [], + "regkeys": { + "regkey_created": [ + "HKEY_CURRENT_USER\\Software" + ], + "regkey_deleted": [], + "regkey_enumerated": [ + "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP" + ], + "regkey_opened": [ + "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\", + "HKEY_CURRENT_USER\\Software\\DC2_USERS" + ], + "regkey_read": [ + "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledProcesses\\21082CA9", + "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Language Hotkey" + ], + "regkey_written": [ + "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\MicroUpdate", + "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\UserInit" + ] + }, + "url": [ + "http://uk.ask.com/favicon.ico", + "http://www.priceminister.com/" + ], + "yara": { + "generic": [], + "memory": [ + "darkcomet_memory_1", + "darkcomet_memory_3" + ], + "misc": { + "crypto": [ + "RIPEMD160_Constants", + "SHA1_Constants" + ], + "misc": [ + "dbgdetect_funcs_ig" + ], + "packer": [ + "MinGW_1", + "borland_delphi" + ] + }, + "pre_analysis": [], + "url": [] + } + }, + "ioc_link": "https://tctrustoylo.blueliv.com/api/v1/malware/ioc/", + "last_risk_scoring": "2020-06-15T16:48:42.527191Z", + "last_seen": "2020-06-23T23:52:30.123694Z", + "malfind": False, + "malicious_category": 2, + "md5": "36a40cc55e2ffe7d44d007c6e37afd7f", + "memory": False, + "metadata": {}, + "number_properties": 0, + "pcap": "https://tctrustoylo.blueliv.com/api/v1/malware//pcap/", + "priority_at_afapi": 3, + "proc_memory": False, + "properties": [], + "report": "https://tctrustoylo.blueliv.com/api/v1/malware/report/", + "risk": 7, + "sample": "https://tctrustoylo.blueliv.com/api/v1/malware/sample/", + "scans_link": "https://tctrustoylo.blueliv.com/api/v1/malware/ad536nrichment/scans/", + "seen_at_analyzer": False, + "sha1": "5c0be68316ce77584a7b966ff40e7d61a8a98055", + "sha256": 
"ad53660b6d7e8d2ed14bd59b39e1f265148e3c6818a494cce906e749976bade1", + "sha512": "e7ebf12d5dc0900faafa73d090b62c1ce583858606217d935981bf3d51dbd6e63eefd67b10391b7a3073cc6", + "slugs_tags": [], + "sources_representation": [ + "virustotalAPI" + ], + "subtype": "DARKCOMET", + "target": False, + "tlp": "white", + "types_names": [ + "DARKCOMET" + ], + "updated_at": "2020-06-23T23:52:30.137745Z", + "updated_at_afapi": "2020-06-15T16:30:33.293000Z", + "uuid": None, + "version": "none", + "vt_matches": [ + "darkkomet", + "fynloski", + "genmalicious" + ] + }, + "id": "59770710", + "links": { + "self": "https://tctrustoylo.blueliv.com/api/v1/malware/6e749976bade1/" + }, + "relationships": { + "campaigns": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/malware/a49976bade1/campaign/", + "self": "https://tctrustoylo.blueliv.com/api/v1/malware/ad51/relationships/campaign/" + }, + "meta": {"count": 0} + }, + "crime_servers": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/malware/ad53660-server/", + "self": "https://tctrustoylo.blueliv.com/api/v1/malware/ad53660b6d7e8dhips/crime-server/" + }, + "meta": {"count": 0} + }, + "fqdns": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/malware/ad53660b6d7eqdn/", + "self": "https://tctrustoylo.blueliv.com/api/v1/malware/ad53660b6d7e8d2ed14bd59b39e1n/" + }, + "meta": {"count": 0} + }, + "ips": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/malware/ad53660b6d7e8d2ed14bd59/", + "self": "https://tctrustoylo.blueliv.com/api/v1/malware/ad53660b6d7e8d2ed14bd59b39e/" + }, + "meta": {"count": 0} + }, + "signatures": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/malware/ad53660b6d7e8d2ed1re/", + "self": "https://tctrustoylo.blueliv.com/api/v1/malware/ad53660b6d7e8d2ed14bonships/signature/" + }, + "meta": {"count": 0} + }, + "solr_type": { + "data": { + "id": "62", + "type": "ThreatType" + }, + "links": { + "related": 
"https://tctrustoylo.blueliv.com/api/v1/threat-type/DARKCOMET/" + } + }, + "sources": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/malware/ad53660b6d7e8d2rce/", + "self": "https://tctrustoylo.blueliv.com/api/v1/malware/ad53660b6d7e8d2ed14bd59b39e1f2ce/" + }, + "meta": {"count": 0} + }, + "sparks": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/malware/ad53660b6d7e8d2ed14bd51/spark/", + "self": "https://tctrustoylo.blueliv.com/api/v1/malware/ad53614bde1/relationships/spark/" + }, + "meta": {"count": 0} + }, + "tags": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/malware/ad5376bade1/tag/", + "self": "https://tctrustoylo.blueliv.com/api/v1/malware/ad53660b6976bade1/relationships/tag/" + }, + "meta": {"count": 0} + }, + "threat_actors": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/malware/ad53660bade1/threat-actor/", + "self": "https://tctrustoylo.blueliv.com/api/v1/malware/ad53660b6eat-actor/" + }, + "meta": {"count": 0} + }, + "types": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/malware/ad53660b6976bade1/type/", + "self": "https://tctrustoylo.blueliv.com/api/v1/malware/ad53660b6d7e8d2edtionships/threat-type/" + }, + "meta": {"count": 0} + } + }, + "type": "Malware" + } + } + + mocker.patch.object(demisto, 'results') + requests_mock.register_uri('POST', 'https://tctrustoylo.blueliv.com/api/v2/gateway', json=blueliv_response) + + client = Client(base_url='https://tctrustoylo.blueliv.com/api/v2', verify=False) + args = {"hash_id": 59770710} + blueliv_malware(client, args) + + results = demisto.results.call_args[0][0] + + entry_context = results.get('EntryContext', {}) + ind = entry_context.get('BluelivThreatContext.malware(val.id && val.id == obj.id)', {}) + assert ind.get("hash.sha1") == "5c0be68316ce77584a7b966ff40e7d61a8a98055" + assert demisto.get(ind, "fileType") == "PE" + + +def test_blueliv_indicatorIp(mocker, requests_mock): + blueliv_response = { + 
"data": { + "attributes": { + "address": "103.76.228.28", + "asn_number": "394695", + "asn_owner": "PDR", + "at_afapi": False, + "created_at": "2019-05-03T09:57:46.834135Z", + "created_at_afapi": None, + "first_seen": "2019-04-11T04:12:09.830000Z", + "history_link": "https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/history/", + "ioc_link": "https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/ioc/", + "last_risk_scoring": "2020-06-15T15:17:47.624936Z", + "last_seen": "2020-06-18T23:36:37Z", + "latitude": 20, + "longitude": 77, + "passive_dns_link": "https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/enrichment/passive-dns/", + "risk": 4, + "slugs_tags": [], + "tlp": "amber", + "updated_at": "2020-06-18T21:47:29.968912Z", + "updated_at_afapi": None, + "virus_total_link": "https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/enrichment/virus-total/", + "whois_link": "https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/enrichment/whois/" + }, + "id": "70236228", + "links": {"self": "https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/"}, + "relationships": { + "bots": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/bot/", + "self": "https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/relationships/bot/" + }, + "meta": {"count": 0} + }, + "campaigns": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/campaign/", + "self": "https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/relationships/campaign/" + }, + "meta": {"count": 0} + }, + "country": { + "data": {"id": "103", "type": "Country"}, + "links": {"related": "https://tctrustoylo.blueliv.com/api/v1/country/103/"} + }, + "fqdns": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/fqdn/", + "self": "https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/relationships/fqdn/" + }, + "meta": {"count": 0} + }, + "signatures": { + "links": { + "related": 
"https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/signature/", + "self": "https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/relationships/signature/" + }, + "meta": {"count": 0} + }, + "sparks": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/spark/", + "self": "https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/relationships/spark/" + }, + "meta": {"count": 0} + }, + "tags": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/tag/", + "self": "https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/relationships/tag/" + }, + "meta": {"count": 0} + }, + "threat_actors": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/threat-actor/", + "self": "https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/relationships/threat-actor/" + }, + "meta": {"count": 0} + } + }, + "type": "IP" + } + } + + mocker.patch.object(demisto, 'results') + requests_mock.register_uri('POST', 'https://tctrustoylo.blueliv.com/api/v2/gateway', json=blueliv_response) + + client = Client(base_url='https://tctrustoylo.blueliv.com/api/v2', verify=False) + args = {"IP": "103.76.228.28"} + blueliv_indicatorIp(client, args) + + results = demisto.results.call_args[0][0] + + entry_context = results.get('EntryContext', {}) + ind = entry_context.get('BluelivThreatContext.indicator(val.ipName && val.ipName == obj.ipName)', {}) + assert str(demisto.get(ind, "countryId")) == "103" + assert str(demisto.get(ind, "ipName")) == "1037622828" + + +def test_blueliv_indicatorFqdn(mocker, requests_mock): + blueliv_response = { + "data": { + "attributes": { + "active_dns_link": "https://tctrustoylo.blueliv.com/api/v1/fqdn/rayanmarketing.com/enrichment/dns/", + "created_at": "2018-08-07T22:41:25.933804Z", + "domain": "rayanmarketing.com", + "first_seen": "2018-08-07T22:41:25.933689Z", + "history_link": "https://tctrustoylo.blueliv.com/api/v1/fqdn/rayanmarketing.com/history/", + "ioc_link": 
"https://tctrustoylo.blueliv.com/api/v1/fqdn/rayanmarketing.com/ioc/", + "last_risk_scoring": "2020-07-02T11:34:14.339528Z", + "last_seen": "2018-08-07T22:41:25.933696Z", + "passive_dns_link": "https://tctrustoylo.blueliv.com/m/enrichment/passive-dns/", + "risk": 2.5, + "slugs_tags": [], + "tlp": "white", + "updated_at": "2020-07-02T11:34:14.339963Z", + "virus_total_link": "https://tctrustoylo.blueliv.com/api/v1/frichment/virus-total/", + "whois_link": "https://tctrustoylo.blueliv.com/api/v1/fqdn/rayanmarketing.com/enrichment/whois/" + }, + "id": "5783887", + "links": { + "self": "https://tctrustoylo.blueliv.com/api/v1/fqdn/rayanmarketing.com/" + }, + "relationships": { + "campaigns": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/fqdn/rayanmarketing.com/campaign/", + "self": "https://tctrustoylo.blueliv.com/api/v1/fqdn/rayanmarketing.com/relampaign/" + }, + "meta": {"count": 0} + }, + "crime_servers": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/fqdn/rayanmarketing.com/crime-server/", + "self": "https://tctrustoylo.blueliv.com/api/v1/fqdn/rayanmarketing.cops/crime-server/" + }, + "meta": {"count": 0} + }, + "ips": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/fqdn/rayanmarketing.com/ip/", + "self": "https://tctrustoylo.blueliv.com/api/v1/fqdn/rayanmarketing.com/relationships/ip/" + }, + "meta": {"count": 0} + }, + "signatures": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/fqdn/rayanmarketing.com/signature/", + "self": "https://tctrustoylo.blueliv.com/api/v1/fqdn/rayanmarketionships/signature/" + }, + "meta": {"count": 0} + }, + "sparks": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/fqdn/rayanmarketing.com/spark/", + "self": "https://tctrustoylo.blueliv.com/api/v1/fqdn/rayanmarketing.com/relationships/spark/" + }, + "meta": {"count": 0} + }, + "tags": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/fqdn/rayanmarketing.com/tag/", + 
"self": "https://tctrustoylo.blueliv.com/api/v1/fqdn/rayanmarketing.com/relationships/tag/" + }, + "meta": {"count": 0} + }, + "threat_actors": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/fqdn/rayanmarketing.com/threat-actor/", + "self": "https://tctrustoylo.blueliv.com/api/v1/fqdn/ing.com/relationships/threat-actor/" + }, + "meta": {"count": 0} + } + }, + "type": "FQDN" + } + } + + mocker.patch.object(demisto, 'results') + requests_mock.register_uri('POST', 'https://tctrustoylo.blueliv.com/api/v2/gateway', json=blueliv_response) + + client = Client(base_url='https://tctrustoylo.blueliv.com/api/v2', verify=False) + args = {"FQDN_id": 5783887} + blueliv_indicatorFqdn(client, args) + + results = demisto.results.call_args[0][0] + + entry_context = results.get('EntryContext', {}) + ind = entry_context.get('BluelivThreatContext.indicator(val.id && val.id == obj.id)', {}) + assert demisto.get(ind, "lastSeen") == "2018-08-07T22:41:25.933696Z" + assert demisto.get(ind, "risk") == "2.5" + + +def test_blueliv_indicatorCs(mocker, requests_mock): + blueliv_response = { + "data": { + "attributes": { + "at_feed": True, + "at_free_feed": True, + "bots_count": 0, + "confidence": 1, + "created_at": "2020-06-15T17:02:40.327300Z", + "created_at_afapi": "2020-06-15T16:46:06.119000Z", + "credentials_count": 0, + "credit_cards_count": 0, + "crime_server_url": "http://saveback.xyz/asdfgh35546fhwJYGvdfgsadsg/login.php", + "false_positive_modification_time": "2020-06-15T17:02:38.524874Z", + "first_seen": "2020-06-15T16:44:25Z", + "ioc_link": "https://tctrustoylo.blueliv.com/api/v1/crime-server/6626263/ioc/", + "is_false_positive": False, + "last_log_timestamp": None, + "last_risk_scoring": "2020-06-15T17:14:36.146566Z", + "last_seen": "2020-06-15T17:02:21.737000Z", + "main_type": "c_and_c", + "risk": 4, + "scans_link": "https://tctrustoylo.blueliv.com/api/v1/crime-server/6626263/enrichment/scans/", + "service_scans": {}, + "slugs_tags": [], + "status": "offline", + 
"subtype_name": "ANUBIS", + "target_status": None, + "tlp": "amber", + "updated_at": "2020-06-19T09:35:04.675771Z", + "updated_at_afapi": "2020-06-15T17:02:21.737000Z" + }, + "id": "6626263", + "links": { + "self": "https://tctrustoylo.blueliv.com/api/v1/crime-server/6626263/" + }, + "relationships": { + "fqdn": { + "data": { + "id": "9633658", + "type": "FQDN" + }, + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/fqdn/saveback.xyz/" + } + }, + "malware": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/crime-server/6626263/malware/", + "self": "https://tctrustoylo.blueliv.com/api/v1/crime-server/6626263/relationships/malware/" + }, + "meta": {"count": 0} + }, + "sources": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/crime-server/6626263/source/", + "self": "https://tctrustoylo.blueliv.com/api/v1/crime-server/6626263/relationships/source/" + }, + "meta": {"count": 0} + }, + "sparks": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/crime-server/6626263/spark/", + "self": "https://tctrustoylo.blueliv.com/api/v1/crime-server/6626263/relationships/spark/" + }, + "meta": {"count": 0} + }, + "subtype": { + "data": { + "id": "7458", + "type": "ThreatType" + }, + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/threat-type/ANUBIS/" + } + }, + "tags": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/crime-server/6626263/tag/", + "self": "https://tctrustoylo.blueliv.com/api/v1/crime-server/6626263/relationships/tag/" + }, + "meta": {"count": 0} + }, + "vendor_analysis": { + "meta": { + "count": [] + } + } + }, + "type": "CrimeServer" + } + } + + mocker.patch.object(demisto, 'results') + requests_mock.register_uri('POST', 'https://tctrustoylo.blueliv.com/api/v2/gateway', json=blueliv_response) + + client = Client(base_url='https://tctrustoylo.blueliv.com/api/v2', verify=False) + args = {"CS_id": 6626263} + blueliv_indicatorCs(client, args) + + results = 
demisto.results.call_args[0][0] + + entry_context = results.get('EntryContext', {}) + ind = entry_context.get('BluelivThreatContext.indicator(val.id && val.id == obj.id)', {}) + assert demisto.get(ind, "fqdnId") == "9633658" + assert demisto.get(ind, "status") == "offline" + + +def test_blueliv_attackPattern(mocker, requests_mock): + blueliv_response = { + "data": { + "attributes": { + "attack_phases": {}, + "attacker_skills_or_knowledge_required": [], + "capec_id": None, + "created_at": "2018-12-24T23:00:02.352087Z", + "description": "Adversaries may attempt to get a listing of local system or domain accounts.", + "name": "Account Discovery", + "prerequisites": [], + "purposes": [], + "references": [], + "related_vulnerabilities": [], + "related_weaknesses": [], + "severity": "Medium", + "solutions_and_mitigations": [], + "tlp": "white", + "updated_at": "2018-12-24T23:00:02.352102Z", + "uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" + }, + "id": "686", + "links": { + "self": "https://tctrustoylo.blueliv.com/api/v1/attack-pattern/686/" + }, + "relationships": { + "campaigns": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/attack-pattern/686/campaign/", + "self": "https://tctrustoylo.blueliv.com/api/v1/attack-pattern/686/relationships/campaign/" + }, + "meta": {"count": 0} + }, + "cves": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/attack-pattern/686/cve/", + "self": "https://tctrustoylo.blueliv.com/api/v1/attack-pattern/686/relationships/cve/" + }, + "meta": {"count": 0} + }, + "signatures": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/attack-pattern/686/signature/", + "self": "https://tctrustoylo.blueliv.com/api/v1/attack-pattern/686/relationships/signature/" + }, + "meta": {"count": 0} + }, + "threat_actors": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/attack-pattern/686/threat-actor/", + "self": 
"https://tctrustoylo.blueliv.com/api/v1/attack-pattern/686/relationships/threat-actor/" + }, + "meta": {"count": 0} + } + }, + "type": "AttackPattern" + } + } + + mocker.patch.object(demisto, 'results') + requests_mock.register_uri('POST', 'https://tctrustoylo.blueliv.com/api/v2/gateway', json=blueliv_response) + + client = Client(base_url='https://tctrustoylo.blueliv.com/api/v2', verify=False) + args = {"attackPattern_id": 686} + blueliv_attackPattern(client, args) + + results = demisto.results.call_args[0][0] + + entry_context = results.get('EntryContext', {}) + ind = entry_context.get('BluelivThreatContext.attackPattern(val.id && val.id == obj.id)', {}) + assert demisto.get(ind, "name") == "Account Discovery" + assert demisto.get(ind, "serverity") == "Medium" + + +def test_blueliv_tool(mocker, requests_mock): + blueliv_response = { + "data": { + "attributes": { + "created_at": "2020-02-26T14:35:55.698486Z", + "description": "\u003cp\u003eACEHASH is a credential theft/password hash dumping utility.", + "discovery_date": None, + "first_seen": "2012-12-01T00:00:00Z", + "last_seen": "2019-12-01T00:00:00Z", + "name": "ACEHASH", + "references": [ + { + "link": "https://content.fireeye.com/apt-41/rpt-apt41", + "title": "Double Dragon: APT41, a dual espionage and cyber crime operation" + } + ], + "targeted_platforms": [], + "tlp": "white", + "updated_at": "2020-02-26T14:35:55.698549Z", + "uuid": None, + "version": "" + }, + "id": "532", + "links": { + "self": "https://tctrustoylo.blueliv.com/api/v1/tool/532/" + }, + "relationships": { + "campaigns": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/tool/532/campaign/", + "self": "https://tctrustoylo.blueliv.com/api/v1/tool/532/relationships/campaign/" + }, + "meta": {"count": 0} + }, + "cves": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/tool/532/cve/", + "self": "https://tctrustoylo.blueliv.com/api/v1/tool/532/relationships/cve/" + }, + "meta": {"count": 0} + }, + "signatures": 
{ + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/tool/532/signature/", + "self": "https://tctrustoylo.blueliv.com/api/v1/tool/532/relationships/signature/" + }, + "meta": {"count": 0} + }, + "threat_actors": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/tool/532/threat-actor/", + "self": "https://tctrustoylo.blueliv.com/api/v1/tool/532/relationships/threat-actor/" + }, + "meta": {"count": 0} + } + }, + "type": "Tool" + } + } + mocker.patch.object(demisto, 'results') + requests_mock.register_uri('POST', 'https://tctrustoylo.blueliv.com/api/v2/gateway', json=blueliv_response) + + client = Client(base_url='https://tctrustoylo.blueliv.com/api/v2', verify=False) + args = {"tool_id": 532} + blueliv_tool(client, args) + + results = demisto.results.call_args[0][0] + + entry_context = results.get('EntryContext', {}) + ind = entry_context.get('BluelivThreatContext.tool(val.id && val.id == obj.id)', {}) + assert demisto.get(ind, "name") == "ACEHASH" + assert demisto.get(ind, "lastSeen") == "2019-12-01T00:00:00Z" + + +def test_blueliv_signature(mocker, requests_mock): + blueliv_response = { + "data": { + "attributes": { + "created_at": "2020-06-15T02:11:21.962302Z", + "name": "ET TROJAN DonotGroup Staging Domain in DNS Query (sid 2030333)", + "references": [], + "sid": 2030333, + "signature": "alert udp $HOME_NET any -\u003e any 53 (m depth:1; ack_target C_at 2020_06_12;)", + "status": "enabled", + "tlp": "white", + "type": "snort", + "updated_at": "2020-06-15T02:11:21.962364Z", + "version": 2 + }, + "id": "84458", + "links": { + "self": "https://tctrustoylo.blueliv.com/api/v1/signature/84458/" + }, + "relationships": { + "attack_patterns": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/signature/84458/attack-pattern/", + "self": "https://tctrustoylo.blueliv.com/api/v1/signature/84458/relationships/attack-pattern/" + }, + "meta": {"count": 0} + }, + "campaigns": { + "links": { + "related": 
"https://tctrustoylo.blueliv.com/api/v1/signature/84458/campaign/", + "self": "https://tctrustoylo.blueliv.com/api/v1/signature/84458/relationships/campaign/" + }, + "meta": {"count": 0} + }, + "cves": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/signature/84458/cve/", + "self": "https://tctrustoylo.blueliv.com/api/v1/signature/84458/relationships/cve/" + }, + "meta": {"count": 0} + }, + "fqdns": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/signature/84458/fqdn/", + "self": "https://tctrustoylo.blueliv.com/api/v1/signature/84458/relationships/fqdn/" + }, + "meta": {"count": 0} + }, + "ips": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/signature/84458/ip/", + "self": "https://tctrustoylo.blueliv.com/api/v1/signature/84458/relationships/ip/" + }, + "meta": {"count": 0} + }, + "malware": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/signature/84458/malware/", + "self": "https://tctrustoylo.blueliv.com/api/v1/signature/84458/relationships/malware/" + }, + "meta": {"count": 0} + }, + "threat_actors": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/signature/84458/threat-actor/", + "self": "https://tctrustoylo.blueliv.com/api/v1/signature/84458/relationships/threat-actor/" + }, + "meta": {"count": 0} + }, + "threat_types": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/signature/84458/threat-type/", + "self": "https://tctrustoylo.blueliv.com/api/v1/signature/84458/relationships/threat-type/" + }, + "meta": {"count": 0} + }, + "tools": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/signature/84458/tool/", + "self": "https://tctrustoylo.blueliv.com/api/v1/signature/84458/relationships/tool/" + }, + "meta": {"count": 0} + } + }, + "type": "Signature" + } + } + + mocker.patch.object(demisto, 'results') + requests_mock.register_uri('POST', 'https://tctrustoylo.blueliv.com/api/v2/gateway', json=blueliv_response) + + client = 
Client(base_url='https://tctrustoylo.blueliv.com/api/v2', verify=False) + args = {"signature_id": 84458} + blueliv_signature(client, args) + + results = demisto.results.call_args[0][0] + + entry_context = results.get('EntryContext', {}) + ind = entry_context.get('BluelivThreatContext.signature(val.id && val.id == obj.id)', {}) + assert demisto.get(ind, "type") == "snort" + assert demisto.get(ind, "updatedAt") == "2020-06-15T02:11:21.962364Z" + + +def test_blueliv_cve(mocker, requests_mock): + blueliv_response = { + "data": { + "attributes": { + "bl_score": 96, + "created_at": "2020-02-26T01:12:25.635599Z", + "cvss": { + "v2": { + "accessComplexity": "LOW", + "accessVector": "NETWORK", + "authentication": "NONE", + "availabilityImpact": "COMPLETE", + "baseScore": 10, + "confidentialityImpact": "COMPLETE", + "integrityImpact": "COMPLETE", + "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", + "version": "2.0" + }, + "v3": None + }, + "description": "OpenSMTPD before 6.6.4 allows remote code execution because of an out-s read in.", + "exploits": [ + { + "author": "Qualys Corporation", + "date": "2020-02-26", + "id": None, + "name": "OpenSMTPD \u003c 6.6.3p1 - Local Privilege Escalation + Remote Code Execution", + "platform": "openbsd", + "port": "", + "type": "remote", + "url": "https://github.com/offensive-security/exploitdb/blo/openbsd/remote/48140.c" + } + ], + "ioc_link": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/ioc/", + "microsoft_bulletins": [], + "name": "CVE-2020-8794", + "num_crime_servers": 0, + "num_malware": 0, + "platforms": [ + { + "id": "cpe:2.3:a:opensmtpd:opensmtpd:*:*:*:*:*:*:*:*", + "title": "cpe:2.3:a:opensmtpd:opensmtpd:*:*:*:*:*:*:*:*" + } + ], + "published_at": "2020-02-25T17:15:00Z", + "references": [ + { + "id": "https://www.openbsd.org/security.html", + "type": "MISC", + "url": "https://www.openbsd.org/security.html" + }, + { + "id": "https://www.openwall.com/lists/oss-security/2020/02/24/5", + "type": "MISC", + "url": 
"https://www.openwall.com/lists/oss-security/2020/02/24/5" + }, + { + "id": "[oss-security] 20200226 Re: LPE and RCE in OpenSMTPD's default install (CVE-2020-8794)", + "type": "MLIST", + "url": "http://www.openwall.com/lists/oss-security/2020/02/26/1" + }, + { + "id": "DSA-4634", + "type": "DEBIAN", + "url": "https://www.debian.org/security/2020/dsa-4634" + }, + { + "id": "20200227 LPE and RCE in OpenSMTPD's default install (CVE-2020-8794)", + "type": "FULLDISC", + "url": "http://seclists.org/fulldisclosure/2020/Feb/32" + }, + { + "id": "[oss-security] 20200301 Re: LPE and RCE in OpenSMTPD's default install (CVE-2020-8794)", + "type": "MLIST", + "url": "http://www.openwall.com/lists/oss-security/2020/03/01/1" + }, + { + "id": "[oss-security] 20200301 Re: LPE and RCE in OpenSMTPD's default install (CVE-2020-8794)", + "type": "MLIST", + "url": "http://www.openwall.com/lists/oss-security/2020/03/01/2" + }, + { + "id": "http://packetstormsecurity.com/files/156633/OpenSMRead-Local-Privilege-Escalation.html", + "type": "MISC", + "url": "http://packetstormsecurity.com/files/156633/OpenSMTPDivilege-Escalation.html" + } + ], + "score": 10, + "tags_slugs": [], + "updated_at": "2020-03-09T15:17:41.667962Z", + "uuid": None + }, + "id": "139511", + "links": { + "self": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/" + }, + "relationships": { + "attack_patterns": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/attack-pattern/", + "self": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/relationships/attackattern/" + }, + "meta": {"count": 0} + }, + "campaigns": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/campaign/", + "self": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/relationships/campaigns/" + }, + "meta": {"count": 0} + }, + "crime_servers": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/crime-server/", + "self": 
"https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/relationships/crime-server/" + }, + "meta": {"count": 0} + }, + "malware": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/malware/", + "self": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/relationships/malware/" + }, + "meta": {"count": 0} + }, + "mentions": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/mention/", + "self": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/relationships/mentions/" + }, + "meta": {"count": 0} + }, + "signatures": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/signature/", + "self": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/relationships/signature/" + }, + "meta": {"count": 0} + }, + "sparks": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/spark/", + "self": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/relationships/spark/" + }, + "meta": {"count": 0} + }, + "tags": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/tag/", + "self": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/relationships/tags/" + }, + "meta": {"count": 0} + }, + "threat_actors": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/threat-actor/", + "self": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/relationships/threat-actors/" + }, + "meta": {"count": 0} + }, + "tools": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/tool/", + "self": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/relationships/tools/" + }, + "meta": {"count": 0} + } + }, + "type": "CVE" + } + } + + mocker.patch.object(demisto, 'results') + requests_mock.register_uri('POST', 'https://tctrustoylo.blueliv.com/api/v2/gateway', json=blueliv_response) + + client = 
Client(base_url='https://tctrustoylo.blueliv.com/api/v2', verify=False) + args = {"CVE": "CVE-2020-8794"} + blueliv_cve(client, args) + + results = demisto.results.call_args[0][0] + + entry_context = results.get('EntryContext', {}) + ind = entry_context.get('BluelivThreatContext.cve(val.id && val.id == obj.id)', {}) + assert demisto.get(ind, "updatedAt") == "2020-03-09T15:17:41.667962Z" + assert str(demisto.get(ind, "score")) == "10" diff --git a/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/CHANGELOG.md b/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/CHANGELOG.md new file mode 100644 index 000000000000..7ca011be317b --- /dev/null +++ b/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/CHANGELOG.md @@ -0,0 +1,12 @@ +## [20.06.08] - 2020-06-08 +Added initial support for Blueliv ThreatContext with the following commands: + * __blueliv-tc-threat-actor__: Allows searching by threat actors. + * __blueliv-tc-campaign__: Allows searching by campaigns. + * __blueliv-tc-malware__: Allows searching by malware hashes. + * __blueliv-tc-indicator-ip__: Allows searching by IP. + * __blueliv-tc-indicator-fqdn__: Allows searching by FQDNs. + * __blueliv-tc-indicator-cs__: Allows searching by crime servers. + * __blueliv-tc-attack-pattern__: Allows searching by MITRE attack patterns. + * __blueliv-tc-tool__: Allows searching by used tools. + * __blueliv-tc-signature__: Allows searching detection signatures. + * __blueliv-tc-cve__: Allows searching by CVEs. diff --git a/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/Pipfile b/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/Pipfile new file mode 100644 index 000000000000..3523d3b6b93b --- /dev/null +++ b/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/Pipfile 
@@ -0,0 +1,18 @@
+[[source]]
+name = "pypi"
+url = "https://pypi.org/simple"
+verify_ssl = true
+
+[dev-packages]
+pylint = "*"
+pytest = "==5.0.1"
+pytest-mock = "*"
+requests-mock = "*"
+pytest-asyncio = "*"
+
+[packages]
+pytest = "*"
+requests = "*"
+
+[requires]
+python_version = "3.7"
diff --git a/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/Pipfile.lock b/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/Pipfile.lock
new file mode 100644
index 000000000000..6bdb9313414e
--- /dev/null
+++ b/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/Pipfile.lock
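Review bot: The `pytest = "==5.0.1"` pin under `[dev-packages]` disagrees with the Pipfile.lock added in the same commit, which records pytest at `==5.1.2` in both its default and develop sections, so the lock does not appear to have been generated from this Pipfile and a `pipenv install --deploy` would likely reject the pair on the Pipfile hash check. pytest is also listed under `[packages]` as `"*"`, which makes a test framework a runtime dependency of the integration and is presumably why it landed in the lock's default section at all; the version that is actually installed is then whatever the lock says, not the `==5.0.1` the Pipfile claims. Keeping pytest only in `[dev-packages]` (`-pytest = "*"` under `[packages]`) and regenerating the lock from the corrected Pipfile would make the manifest and the hash-pinned lock agree again.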
@@ -0,0 +1,369 @@ +{ + "_meta": { + "hash": { + "sha256": "278db815bec49c11262633d34305f9b33f09432a223bedd5329a04f758f78b55" + }, + "pipfile-spec": 6, + "requires": { + "python_version": "3.7" + }, + "sources": [ + { + "name": "pypi", + "url": "https://pypi.org/simple", + "verify_ssl": true + } + ] + }, + "default": { + "atomicwrites": { + "hashes": [ + "sha256:03472c30eb2c5d1ba9227e4c2ca66ab8287fbfbbda3888aa93dc2e28fc6811b4", + "sha256:75a9445bac02d8d058d5e1fe689654ba5a6556a1dfd8ce6ec55a0ed79866cfa6" + ], + "version": "==1.3.0" + }, + "attrs": { + "hashes": [ + "sha256:69c0dbf2ed392de1cb5ec704444b08a5ef81680a61cb899dc08127123af36a79", + "sha256:f0b870f674851ecbfbbbd364d6b5cbdff9dcedbc7f3f5e18a6891057f21fe399" + ], + "version": "==19.1.0" + }, + "certifi": { + "hashes": [ + "sha256:e4f3620cfea4f83eedc95b24abd9cd56f3c4b146dd0177e83a21b4eb49e21e50", + "sha256:fd7c7c74727ddcf00e9acd26bba8da604ffec95bf1c2144e67aff7a8b50e6cef" + ], + "version": "==2019.9.11" + }, + "chardet": { + "hashes": [ + "sha256:84ab92ed1c4d4f16916e05906b6b75a6c0fb5db821cc65e70cbd64a3e2a5eaae", + "sha256:fc323ffcaeaed0e0a02bf4d117757b98aed530d9ed4531e3e15460124c106691" + ], + "version": "==3.0.4" + }, + "idna": { + "hashes": [ + "sha256:c357b3f628cf53ae2c4c05627ecc484553142ca23264e593d327bcde5e9c3407", + "sha256:ea8b7f6188e6fa117537c3df7da9fc686d485087abf6ac197f9c46432f7e4a3c" + ], + "version": "==2.8" + }, + "importlib-metadata": { + "hashes": [ + "sha256:652234b6ab8f2506ae58e528b6fbcc668831d3cc758e1bc01ef438d328b68cdb", + "sha256:6f264986fb88042bc1f0535fa9a557e6a376cfe5679dc77caac7fe8b5d43d05f" + ], + "markers": "python_version < '3.8'", + "version": "==0.22" + }, + "more-itertools": { + "hashes": [ + "sha256:409cd48d4db7052af495b09dec721011634af3753ae1ef92d2b32f73a745f832", + "sha256:92b8c4b06dac4f0611c0729b2f2ede52b2e1bac1ab48f089c7ddc12e26bb60c4" + ], + "version": "==7.2.0" + }, + "packaging": { + "hashes": [ + "sha256:a7ac867b97fdc07ee80a8058fe4435ccd274ecc3b0ed61d852d7d53055528cf9", + 
"sha256:c491ca87294da7cc01902edbe30a5bc6c4c28172b5138ab4e4aa1b9d7bfaeafe" + ], + "version": "==19.1" + }, + "pluggy": { + "hashes": [ + "sha256:0db4b7601aae1d35b4a033282da476845aa19185c1e6964b25cf324b5e4ec3e6", + "sha256:fa5fa1622fa6dd5c030e9cad086fa19ef6a0cf6d7a2d12318e10cb49d6d68f34" + ], + "version": "==0.13.0" + }, + "py": { + "hashes": [ + "sha256:64f65755aee5b381cea27766a3a147c3f15b9b6b9ac88676de66ba2ae36793fa", + "sha256:dc639b046a6e2cff5bbe40194ad65936d6ba360b52b3c3fe1d08a82dd50b5e53" + ], + "version": "==1.8.0" + }, + "pyparsing": { + "hashes": [ + "sha256:6f98a7b9397e206d78cc01df10131398f1c8b8510a2f4d97d9abd82e1aacdd80", + "sha256:d9338df12903bbf5d65a0e4e87c2161968b10d2e489652bb47001d82a9b028b4" + ], + "version": "==2.4.2" + }, + "pytest": { + "hashes": [ + "sha256:95d13143cc14174ca1a01ec68e84d76ba5d9d493ac02716fd9706c949a505210", + "sha256:b78fe2881323bd44fd9bd76e5317173d4316577e7b1cddebae9136a4495ec865" + ], + "index": "pypi", + "version": "==5.1.2" + }, + "requests": { + "hashes": [ + "sha256:11e007a8a2aa0323f5a921e9e6a2d7e4e67d9877e85773fba9ba6419025cbeb4", + "sha256:9cf5292fcd0f598c671cfc1e0d7d1a7f13bb8085e9a590f48c010551dc6c4b31" + ], + "index": "pypi", + "version": "==2.22.0" + }, + "six": { + "hashes": [ + "sha256:3350809f0555b11f552448330d0b52d5f24c91a322ea4a15ef22629740f3761c", + "sha256:d16a0141ec1a18405cd4ce8b4613101da75da0e9a7aec5bdd4fa804d0e0eba73" + ], + "version": "==1.12.0" + }, + "urllib3": { + "hashes": [ + "sha256:b246607a25ac80bedac05c6f282e3cdaf3afb65420fd024ac94435cabe6e18d1", + "sha256:dbe59173209418ae49d485b87d1681aefa36252ee85884c31346debd19463232" + ], + "version": "==1.25.3" + }, + "wcwidth": { + "hashes": [ + "sha256:3df37372226d6e63e1b1e1eda15c594bca98a22d33a23832a90998faa96bc65e", + "sha256:f4ebe71925af7b40a864553f761ed559b43544f8f71746c2d756c7fe788ade7c" + ], + "version": "==0.1.7" + }, + "zipp": { + "hashes": [ + "sha256:3718b1cbcd963c7d4c5511a8240812904164b7f381b647143a89d3b98f9bcd8e", + 
"sha256:f06903e9f1f43b12d371004b4ac7b06ab39a44adc747266928ae6debfa7b3335" + ], + "version": "==0.6.0" + } + }, + "develop": { + "astroid": { + "hashes": [ + "sha256:6560e1e1749f68c64a4b5dee4e091fce798d2f0d84ebe638cf0e0585a343acf4", + "sha256:b65db1bbaac9f9f4d190199bb8680af6f6f84fd3769a5ea883df8a91fe68b4c4" + ], + "version": "==2.2.5" + }, + "atomicwrites": { + "hashes": [ + "sha256:03472c30eb2c5d1ba9227e4c2ca66ab8287fbfbbda3888aa93dc2e28fc6811b4", + "sha256:75a9445bac02d8d058d5e1fe689654ba5a6556a1dfd8ce6ec55a0ed79866cfa6" + ], + "version": "==1.3.0" + }, + "attrs": { + "hashes": [ + "sha256:69c0dbf2ed392de1cb5ec704444b08a5ef81680a61cb899dc08127123af36a79", + "sha256:f0b870f674851ecbfbbbd364d6b5cbdff9dcedbc7f3f5e18a6891057f21fe399" + ], + "version": "==19.1.0" + }, + "certifi": { + "hashes": [ + "sha256:e4f3620cfea4f83eedc95b24abd9cd56f3c4b146dd0177e83a21b4eb49e21e50", + "sha256:fd7c7c74727ddcf00e9acd26bba8da604ffec95bf1c2144e67aff7a8b50e6cef" + ], + "version": "==2019.9.11" + }, + "chardet": { + "hashes": [ + "sha256:84ab92ed1c4d4f16916e05906b6b75a6c0fb5db821cc65e70cbd64a3e2a5eaae", + "sha256:fc323ffcaeaed0e0a02bf4d117757b98aed530d9ed4531e3e15460124c106691" + ], + "version": "==3.0.4" + }, + "idna": { + "hashes": [ + "sha256:c357b3f628cf53ae2c4c05627ecc484553142ca23264e593d327bcde5e9c3407", + "sha256:ea8b7f6188e6fa117537c3df7da9fc686d485087abf6ac197f9c46432f7e4a3c" + ], + "version": "==2.8" + }, + "importlib-metadata": { + "hashes": [ + "sha256:652234b6ab8f2506ae58e528b6fbcc668831d3cc758e1bc01ef438d328b68cdb", + "sha256:6f264986fb88042bc1f0535fa9a557e6a376cfe5679dc77caac7fe8b5d43d05f" + ], + "markers": "python_version < '3.8'", + "version": "==0.22" + }, + "isort": { + "hashes": [ + "sha256:54da7e92468955c4fceacd0c86bd0ec997b0e1ee80d97f67c35a78b719dccab1", + "sha256:6e811fcb295968434526407adb8796944f1988c5b65e8139058f2014cbe100fd" + ], + "version": "==4.3.21" + }, + "lazy-object-proxy": { + "hashes": [ + 
"sha256:02b260c8deb80db09325b99edf62ae344ce9bc64d68b7a634410b8e9a568edbf", + "sha256:18f9c401083a4ba6e162355873f906315332ea7035803d0fd8166051e3d402e3", + "sha256:1f2c6209a8917c525c1e2b55a716135ca4658a3042b5122d4e3413a4030c26ce", + "sha256:2f06d97f0ca0f414f6b707c974aaf8829c2292c1c497642f63824119d770226f", + "sha256:616c94f8176808f4018b39f9638080ed86f96b55370b5a9463b2ee5c926f6c5f", + "sha256:63b91e30ef47ef68a30f0c3c278fbfe9822319c15f34b7538a829515b84ca2a0", + "sha256:77b454f03860b844f758c5d5c6e5f18d27de899a3db367f4af06bec2e6013a8e", + "sha256:83fe27ba321e4cfac466178606147d3c0aa18e8087507caec78ed5a966a64905", + "sha256:84742532d39f72df959d237912344d8a1764c2d03fe58beba96a87bfa11a76d8", + "sha256:874ebf3caaf55a020aeb08acead813baf5a305927a71ce88c9377970fe7ad3c2", + "sha256:9f5caf2c7436d44f3cec97c2fa7791f8a675170badbfa86e1992ca1b84c37009", + "sha256:a0c8758d01fcdfe7ae8e4b4017b13552efa7f1197dd7358dc9da0576f9d0328a", + "sha256:a4def978d9d28cda2d960c279318d46b327632686d82b4917516c36d4c274512", + "sha256:ad4f4be843dace866af5fc142509e9b9817ca0c59342fdb176ab6ad552c927f5", + "sha256:ae33dd198f772f714420c5ab698ff05ff900150486c648d29951e9c70694338e", + "sha256:b4a2b782b8a8c5522ad35c93e04d60e2ba7f7dcb9271ec8e8c3e08239be6c7b4", + "sha256:c462eb33f6abca3b34cdedbe84d761f31a60b814e173b98ede3c81bb48967c4f", + "sha256:fd135b8d35dfdcdb984828c84d695937e58cc5f49e1c854eb311c4d6aa03f4f1" + ], + "version": "==1.4.2" + }, + "mccabe": { + "hashes": [ + "sha256:ab8a6258860da4b6677da4bd2fe5dc2c659cff31b3ee4f7f5d64e79735b80d42", + "sha256:dd8d182285a0fe56bace7f45b5e7d1a6ebcbf524e8f3bd87eb0f125271b8831f" + ], + "version": "==0.6.1" + }, + "more-itertools": { + "hashes": [ + "sha256:409cd48d4db7052af495b09dec721011634af3753ae1ef92d2b32f73a745f832", + "sha256:92b8c4b06dac4f0611c0729b2f2ede52b2e1bac1ab48f089c7ddc12e26bb60c4" + ], + "version": "==7.2.0" + }, + "packaging": { + "hashes": [ + "sha256:a7ac867b97fdc07ee80a8058fe4435ccd274ecc3b0ed61d852d7d53055528cf9", + 
"sha256:c491ca87294da7cc01902edbe30a5bc6c4c28172b5138ab4e4aa1b9d7bfaeafe" + ], + "version": "==19.1" + }, + "pluggy": { + "hashes": [ + "sha256:0db4b7601aae1d35b4a033282da476845aa19185c1e6964b25cf324b5e4ec3e6", + "sha256:fa5fa1622fa6dd5c030e9cad086fa19ef6a0cf6d7a2d12318e10cb49d6d68f34" + ], + "version": "==0.13.0" + }, + "py": { + "hashes": [ + "sha256:64f65755aee5b381cea27766a3a147c3f15b9b6b9ac88676de66ba2ae36793fa", + "sha256:dc639b046a6e2cff5bbe40194ad65936d6ba360b52b3c3fe1d08a82dd50b5e53" + ], + "version": "==1.8.0" + }, + "pylint": { + "hashes": [ + "sha256:5d77031694a5fb97ea95e828c8d10fc770a1df6eb3906067aaed42201a8a6a09", + "sha256:723e3db49555abaf9bf79dc474c6b9e2935ad82230b10c1138a71ea41ac0fff1" + ], + "index": "pypi", + "version": "==2.3.1" + }, + "pyparsing": { + "hashes": [ + "sha256:6f98a7b9397e206d78cc01df10131398f1c8b8510a2f4d97d9abd82e1aacdd80", + "sha256:d9338df12903bbf5d65a0e4e87c2161968b10d2e489652bb47001d82a9b028b4" + ], + "version": "==2.4.2" + }, + "pytest": { + "hashes": [ + "sha256:95d13143cc14174ca1a01ec68e84d76ba5d9d493ac02716fd9706c949a505210", + "sha256:b78fe2881323bd44fd9bd76e5317173d4316577e7b1cddebae9136a4495ec865" + ], + "index": "pypi", + "version": "==5.1.2" + }, + "pytest-asyncio": { + "hashes": [ + "sha256:9fac5100fd716cbecf6ef89233e8590a4ad61d729d1732e0a96b84182df1daaf", + "sha256:d734718e25cfc32d2bf78d346e99d33724deeba774cc4afdf491530c6184b63b" + ], + "index": "pypi", + "version": "==0.10.0" + }, + "pytest-mock": { + "hashes": [ + "sha256:43ce4e9dd5074993e7c021bb1c22cbb5363e612a2b5a76bc6d956775b10758b7", + "sha256:5bf5771b1db93beac965a7347dc81c675ec4090cb841e49d9d34637a25c30568" + ], + "index": "pypi", + "version": "==1.10.4" + }, + "requests": { + "hashes": [ + "sha256:11e007a8a2aa0323f5a921e9e6a2d7e4e67d9877e85773fba9ba6419025cbeb4", + "sha256:9cf5292fcd0f598c671cfc1e0d7d1a7f13bb8085e9a590f48c010551dc6c4b31" + ], + "index": "pypi", + "version": "==2.22.0" + }, + "requests-mock": { + "hashes": [ + 
"sha256:510df890afe08d36eca5bb16b4aa6308a6f85e3159ad3013bac8b9de7bd5a010", + "sha256:88d3402dd8b3c69a9e4f9d3a73ad11b15920c6efd36bc27bf1f701cf4a8e4646" + ], + "index": "pypi", + "version": "==1.7.0" + }, + "six": { + "hashes": [ + "sha256:3350809f0555b11f552448330d0b52d5f24c91a322ea4a15ef22629740f3761c", + "sha256:d16a0141ec1a18405cd4ce8b4613101da75da0e9a7aec5bdd4fa804d0e0eba73" + ], + "version": "==1.12.0" + }, + "typed-ast": { + "hashes": [ + "sha256:18511a0b3e7922276346bcb47e2ef9f38fb90fd31cb9223eed42c85d1312344e", + "sha256:262c247a82d005e43b5b7f69aff746370538e176131c32dda9cb0f324d27141e", + "sha256:2b907eb046d049bcd9892e3076c7a6456c93a25bebfe554e931620c90e6a25b0", + "sha256:354c16e5babd09f5cb0ee000d54cfa38401d8b8891eefa878ac772f827181a3c", + "sha256:4e0b70c6fc4d010f8107726af5fd37921b666f5b31d9331f0bd24ad9a088e631", + "sha256:630968c5cdee51a11c05a30453f8cd65e0cc1d2ad0d9192819df9978984529f4", + "sha256:66480f95b8167c9c5c5c87f32cf437d585937970f3fc24386f313a4c97b44e34", + "sha256:71211d26ffd12d63a83e079ff258ac9d56a1376a25bc80b1cdcdf601b855b90b", + "sha256:95bd11af7eafc16e829af2d3df510cecfd4387f6453355188342c3e79a2ec87a", + "sha256:bc6c7d3fa1325a0c6613512a093bc2a2a15aeec350451cbdf9e1d4bffe3e3233", + "sha256:cc34a6f5b426748a507dd5d1de4c1978f2eb5626d51326e43280941206c209e1", + "sha256:d755f03c1e4a51e9b24d899561fec4ccaf51f210d52abdf8c07ee2849b212a36", + "sha256:d7c45933b1bdfaf9f36c579671fec15d25b06c8398f113dab64c18ed1adda01d", + "sha256:d896919306dd0aa22d0132f62a1b78d11aaf4c9fc5b3410d3c666b818191630a", + "sha256:ffde2fbfad571af120fcbfbbc61c72469e72f550d676c3342492a9dfdefb8f12" + ], + "markers": "implementation_name == 'cpython'", + "version": "==1.4.0" + }, + "urllib3": { + "hashes": [ + "sha256:b246607a25ac80bedac05c6f282e3cdaf3afb65420fd024ac94435cabe6e18d1", + "sha256:dbe59173209418ae49d485b87d1681aefa36252ee85884c31346debd19463232" + ], + "version": "==1.25.3" + }, + "wcwidth": { + "hashes": [ + 
"sha256:3df37372226d6e63e1b1e1eda15c594bca98a22d33a23832a90998faa96bc65e", + "sha256:f4ebe71925af7b40a864553f761ed559b43544f8f71746c2d756c7fe788ade7c" + ], + "version": "==0.1.7" + }, + "wrapt": { + "hashes": [ + "sha256:565a021fd19419476b9362b05eeaa094178de64f8361e44468f9e9d7843901e1" + ], + "version": "==1.11.2" + }, + "zipp": { + "hashes": [ + "sha256:3718b1cbcd963c7d4c5511a8240812904164b7f381b647143a89d3b98f9bcd8e", + "sha256:f06903e9f1f43b12d371004b4ac7b06ab39a44adc747266928ae6debfa7b3335" + ], + "version": "==0.6.0" + } + } +} diff --git a/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/README.md b/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/README.md new file mode 100644 index 000000000000..732f06f343b5 --- /dev/null +++ b/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/README.md 
@@ -0,0 +1,811 @@ +The Threat Context module provides SOC, Incident Response and Threat Intelligence teams with continuously updated and intuitive information around threat actors, campaigns, malware indicators, attack patterns, tools, signatures and CVEs. +This integration was integrated and tested with version xx of Blueliv ThreatContext +## Configure Blueliv ThreatContext on Cortex XSOAR + +1. Navigate to **Settings** > **Integrations** > **Servers & Services**. +2. Search for Blueliv ThreatContext. +3. Click **Add instance** to create and configure a new integration instance. + +| **Parameter** | **Description** | **Required** | +| --- | --- | --- | +| url | Server URL \(e.g. https://demisto.blueliv.com/api/v2\) | False | +| credentials | Username | False | +| unsecure | Trust any certificate \(not secure\) | False | + +4. Click **Test** to validate the URLs, token, and connection. +## Commands +You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. +After you successfully execute a command, a DBot message appears in the War Room with the command details. +### blueliv-authenticate +*** +Authenticate and get the API token + + +#### Base Command + +`blueliv-authenticate` +#### Input + +There are no input arguments for this command. 
+ +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| token | string | Authentication token | + + +#### Command Example +```!blueliv-authenticate``` + +#### Context Example +``` +{} +``` + +#### Human Readable Output + +>981bfb934723091e606c0e35998217bdcafc8697d1a6d0911ff5b2fedb5a16c + +### blueliv-tc-malware +*** +Gets information about malware by ID + + +#### Base Command + +`blueliv-tc-malware` +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| hash_id | Internal Blueliv's malware hash ID | Optional | +| hash | Malware file hash to search for | Optional | + + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| malware.hash.sha256 | Unknown | File SHA256 | +| malware.hash.sha1 | Unknown | File SHA1 | +| malware.hash.md5 | Unknown | File MD5 | +| malware.type | Unknown | Malware Type | +| malware.hasCandC | unknown | If there is a C&C associated | +| malware.memory | Unknown | Malware memory | +| malware.procMemory | Unknown | Malware proc memory | +| malware.analysisStatus | Unknown | Malware analysis status | +| malware.dropped | Unknown | Malware dropped | +| malware.buffers | Unknown | Malware buffers | +| malware.hasNetwork | Unknown | If the malware has Network informations | +| malware.risk | Unknown | Malware associated risk | +| malware.campaigns | Unknown | Malware related campaigns | +| malware.campaignIds | Unknown | Malware related campaigns internal IDs | +| malware.signatures | Unknown | Malware signatures | +| malware.sigantureIds | Unknown | Malware sigantures internal IDs | +| malware.threatActors | Unknown | Malware threat actors | +| malware.threatActorIds | Unknown | Malware threat actors internal IDs | +| malware.sources | Unknown | Malware sources | +| malware.sourceIds | Unknown | Malware sources internal IDs | +| malware.tags | Unknown | Malware tags | +| malware.tagIds | Unknown | Malware tags internal IDs | +| 
malware.crimeServers | Unknown | Malware related crime servers | +| malware.crimeServerIds | Unknown | Malware crime servers internal IDs | +| malware.fqdns | Unknown | Malware FQDNs | +| malware.fqdnIds | Unknown | Malware FQDNs internal IDs | +| malware.types | Unknown | Malware types | +| malware.typeIds | Unknown | Malware types internal IDs | +| malware.sparks | Unknown | Malware sparks | +| malware.sparkIds | Unknown | Malware sparks internal IDs | +| malware.ips | Unknown | Malware IPs | +| malware.ipIds | Unknown | Malware IPs internal IDs | + + +#### Command Example +```!blueliv-tc-malware hash=ad53660b6d7e8d2ed14bd59b39e1f265148e3c6818a494cce906e749976bade1``` + +#### Context Example +``` +{ + "malware": { + "analysisStatus": "FINISHED_SUCCESSFULLY", + "buffers": false, + "campaignIds": "", + "campaigns": 0, + "crimeServers": 0, + "crimeserverIds": "", + "dropped": false, + "fileType": "PE", + "fqdnIds": "", + "fqdns": 0, + "hasCandC": false, + "hasNetwork": true, + "hash": { + "md5": "36a40cc55e2ffe7d44d007c6e37afd7f", + "sha1": "5c0be68316ce77584a7b966ff40e7d61a8a98055", + "sha256": "ad53660b6d7e8d2ed14bd59b39e1f265148e3c6818a494cce906e749976bade1" + }, + "ipIds": "92269700,100333500,", + "ips": 2, + "memory": false, + "procMemory": false, + "risk": 7, + "signatureIds": "", + "signatures": 0, + "sourceIds": "1958672,", + "sources": 1, + "sparkIds": "", + "sparks": 0, + "tagIds": "", + "tags": 0, + "threatActorIds": "", + "threatActors": 0, + "typeIds": "62,", + "types": 1 + }, + "threatContext": { + "hasResults": "true" + } +} +``` + +#### Human Readable Output + +>### Blueliv Malware file info 
+>|analysis_date|analysis_delivered_date|analysis_signatures|analysis_status|at_afapi|behaviors|buffers|cerberus|created_at|created_at_afapi|dropped|file_type|first_seen|has_c_and_c|has_network|has_other_urls|hash|id|ioa|ioc_link|last_risk_scoring|last_seen|links|malfind|malicious_category|md5|memory|metadata|number_properties|pcap|priority_at_afapi|proc_memory|properties|report|risk|sample|scans_link|seen_at_analyzer|sha1|sha256|sha512|slugs_tags|sources_representation|subtype|target|tlp|type|types_names|updated_at|updated_at_afapi|uuid|version|vt_matches| +>|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +>| 2020-06-15T16:30:22.770000Z | 2020-06-15T16:22:00.220000Z | Signature severity - Informative,
Detected dead hosts,
Detects the presence of a Debugger,
Clipboard access capabilities,
Creates Mutants,
Detected cryptographic algorithm,
Has the ability to retrieve keyboard strokes,
Has the ability to reboot/shutdown the Operating System,
Detected Packer,
Detected PE anomalies,
Reads configuration files,
Loads Visual Basic Runtime environment,
Detected injected process,
Signature severity - Suspicious,
Allocates memory with Read-Write-Execute permissions,
Attempts to delay the analysis task,
Clipboard modification capabilities,
Spawns processes,
Classified by Blueliv,
Allocates memory with write/execute permissions in a remote process,
Machine Learning scoring,
Detected Keylogger,
Detected Autorun Persistence,
Writes data to a remote process,
Detected RunPE injection technique,
VirusTotal matches,
Signature severity - Malicious | FINISHED_SUCCESSFULLY | true | | false | 0.9645 | 2020-06-15T16:27:20.074884Z | 2020-06-15T16:21:38.209000Z | false | PE | 2020-06-15T16:21:38.209000Z | false | true | false | ad53660b6d7e8d2ed14bd59b39e1f265148e3c6818a494cce906e749976bade1 | 59770710 | ip: 25.20.116.113,
103.143.173.25,
192.168.56.102
url: http://uk.ask.com/favicon.ico,
http://www.priceminister.com/,
http://ru.wikipedia.org/,
http://www.merlin.com.pl/favicon.ico,
http://www.cnet.com/favicon.ico,
http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0,
http://search.nifty.com/,
http://ns.adobe.com/exif/1.0/,
http://www.shopzilla.com/,
http://crl.chambersign.org/publicnotaryroot.crl0,
http://search.goo.ne.jp/,
http://fr.wikipedia.org/favicon.ico,
http://busca.estadao.com.br/favicon.ico,
http://search.hanafos.com/favicon.ico,
http://search.chol.com/favicon.ico,
http://search.livedoor.com/favicon.ico,
http://amazon.fr/,
http://www.amazon.co.jp/,
http://www.e-szigno.hu/SZSZ/0,
http://busqueda.aol.com.mx/,
http://search.live.com/results.aspx?FORM=SOLTDF,
http://msdn.microsoft.com/,
http://www.sogou.com/favicon.ico,
http://yellowpages.superpages.com/,
http://www.expedia.com/favicon.ico,
http://crl.chambersign.org/chambersroot.crl0,
http://search.aol.com/,
http://browse.guardian.co.uk/,
http://www.mercadolibre.com.mx/,
http://www.asharqalawsat.com/,
http://www.facebook.com/,
http://search.auone.jp/,
http://www.rtl.de/favicon.ico,
http://search.msn.com/results.aspx?q=,
http://www.microsoft.com.,
http://search.naver.com/favicon.ico,
http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0,
http://crl.usertrust.com/UTN-USERFirst-NetworkApplications.crl0,
http://en.wikipedia.org/favicon.ico,
http://si.wikipedia.org/w/api.php?action=opensearch,
http://www.signatur.rtr.at/de/directory/cps.html0,
http://udn.com/favicon.ico,
http://rover.ebay.com,
http://search.ebay.fr/,
http://www.univision.com/,
http://pt.wikipedia.org/w/api.php?action=opensearch,
http://www.certplus.com/CRL/class3TS.crl0,
http://it.wikipedia.org/favicon.ico,
http://uk.ask.com/,
http://www.google.co.uk/,
http://cnweb.search.live.com/results.aspx?q=,
http://www.google.cz/,
http://www.google.co.jp/,
http://search.ebay.co.uk/,
http://www.weather.com/,
http://www.taobao.com/favicon.ico,
http://www.news.com.au/favicon.ico,
http://www.priceminister.com/favicon.ico,
http://www.e-me.lv/repository0,
http://video.globo.com/,
http://search.ebay.de/,
http://www.taobao.com/,
http://find.joins.com/,
http://corp.naukri.com/favicon.ico,
http://www.servicios.clarin.com/,
http://localhost,
http://www.rambler.ru/favicon.ico,
http://www.linternaute.com/favicon.ico,
http://ns.adobe.com/photoshop/1.0/,
http://www.etmall.com.tw/,
http://www.amazon.com/gp/search?ie=UTF8,
http://search.live.com/results.aspx?FORM=SO2TDF,
http://www.quovadis.bm0,
http://www.chambersign.org1,
http://www.excite.co.jp/,
http://cs.wikipedia.org/,
http://www.d-trust.net/crl/d-trust_qualified_root_ca_1_2007_pn.crl0,
http://www.gismeteo.ru/favicon.ico,
http://www.cjmall.com/favicon.ico,
http://suche.t-online.de/,
http://www.ya.com/favicon.ico,
http://search.orange.co.uk/favicon.ico,
http://www.trustcenter.de/guidelines0,
http://www.mercadolibre.com.mx/favicon.ico,
http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crl,
https://ocsp.quovadisoffshore.com0,
http://www.e-trust.be/CPS/QNcerts,
http://ns.adobe.com/tiff/1.0/,
http://www.otto.de/favicon.ico,
http://search.lycos.com/favicon.ico,
http://www.iask.com/,
http://www.arrakis.com/,
http://it.search.dada.net/,
http://support.microsoft.com/kb/9311250,
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0,
http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity,
http://search.ebay.es/,
http://search.gamer.com.tw/,
http://busca.igbusca.com.br//app/static/images/favicon.ico,
http://ns.adobe.com/xap/1.0/,
http://www.soso.com/favicon.ico,
http://www.echoworx.com/ca/root2/cps.pdf0,
http://recherche.tf1.fr/,
http://si.wikipedia.org/,
http://list.taobao.com/browse/search_visual.htm?n=15,
http://www.registradores.org/scr/normativa/cp_f2.htm0,
http://crl.microsoft.com/pki/crl/products/TrustListPCA.crl0O,
http://www.usertrust.com1604,
http://search.centrum.cz/,
http://www.auction.co.kr/auction.ico,
http://www.paginasamarillas.es/favicon.ico,
http://ja.wikipedia.org/favicon.ico,
http://www.abril.com.br/favicon.ico,
http://clients5.google.com/complete/search?hl=,
http://www.ozon.ru/,
http://search.alice.it/,
http://www.ssc.lt/cps03,
http://www.microsoft.com/windowsxp/expertzone/,
http://search.yahoo.co.jp/favicon.ico,
http://cnet.search.com/,
http://www.walmart.com/,
http://www.microsoft.com/pki/certs/TrustListPCA.crt0,
http://espn.go.com/favicon.ico,
http://www.pkioverheid.nl/policies/root-policy0,
http://www.mtv.com/favicon.ico,
http://msdn.microsoft.com/workshop/security/szone/overview/templates.asp),
http://search.interpark.com/,
http://www.gmarket.co.kr/favicon.ico,
http://www.certplus.com/CRL/class3.crl0,
http://www.neckermann.de/favicon.ico,
http://sitesearch.timesonline.co.uk/,
http://cn.bing.com/search?q=,
http://video.globo.com/favicon.ico,
http://www.passport.com,
http://es.wikipedia.org/,
http://img.atlas.cz/favicon.ico,
https://www.catcert.net/verarrel,
http://searchresults.news.com.au/,
http://search.rediff.com/,
http://search.lycos.co.uk/,
http://en.wikipedia.org/,
http://www.google.com.tw/,
http://www.tchibo.de/,
http://www.google.com/,
http://buscador.terra.es/,
http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0,
http://crl.ssc.lt/root-a/cacrl.crl0,
http://search.msn.co.jp/results.aspx?q=,
http://www.mercadolivre.com.br/favicon.ico,
http://ja.wikipedia.org/,
http://search.chol.com/,
http://crl.usertrust.com/UTN-USERFirst-Object.crl0),
http://search.espn.go.com/,
http://www.google.com.sa/,
http://jobsearch.monster.com/,
http://buscador.terra.com/,
http://www.google.co.in/,
http://suche.freenet.de/,
http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0,
http://www.cdiscount.com/favicon.ico,
http://asp.usatoday.com/,
http://vachercher.lycos.fr/,
http://www.yam.com/favicon.ico,
http://search.sify.com/,
http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0,
http://search.ebay.com/favicon.ico,
http://www.paginasamarillas.es/,
http://nl.wikipedia.org/,
http://search.alice.it/favicon.ico,
http://www.ask.com/,
http://www.so-net.ne.jp/share/favicon.ico,
http://espanol.search.yahoo.com/,
http://crl.usertrust.com/UTN-USERFirst-ClientAuthenticationandEmail.crl0,
http://www.alarabiya.net/favicon.ico,
http://pt.wikipedia.org/favicon.ico,
http://ocnsearch.goo.ne.jp/,
http://list.taobao.com/,
http://certificates.starfieldtech.com/repository/1604,
http://buscador.terra.com.br/,
http://search.msn.co.uk/results.aspx?q=,
http://www.google.de/,
http://www.tiscali.it/favicon.ico,
http://search.naver.com/,
http://ie8.ebay.com/open-search/output-xml.php?q=,
http://www.rambler.ru/,
http://esearch.rakuten.co.jp/,
http://www.pki.gva.es/cps0,
http://www.cdiscount.com/,
http://www.mercadolivre.com.br/,
http://www.facebook.com/favicon.ico,
http://www.t-online.de/favicon.ico,
http://search.hanafos.com/,
http://sads.myspace.com/,
http://repository.swisssign.com/0,
http://www.acabogacia.org0,
http://crl.ssc.lt/root-c/cacrl.crl0,
http://suche.web.de/,
http://recherche.tf1.fr/favicon.ico,
http://cs.wikipedia.org/w/api.php?action=opensearch,
http://search.dreamwiz.com/,
http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService,
http://www.yandex.ru/,
http://www.e-szigno.hu/RootCA.crl,
http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0,
http://www.trustdst.com/certificates/policy/ACES-index.html0,
http://www.baidu.com/favicon.ico,
http://ariadna.elmundo.es/,
http://www.rtl.de/,
http://www.kkbox.com.tw/favicon.ico,
http://p.zhongsou.com/,
http://www.ancert.com/cps0,
https://ca.sia.it/secsrv/repository/CPS0,
http://www.timesonline.co.uk/img/favicon.ico,
http://buscar.ozu.es/,
http://so-net.search.goo.ne.jp/,
http://cgi.search.biglobe.ne.jp/favicon.ico,
http://search.livedoor.com/,
http://www.soso.com/,
http://www.afisha.ru/App_Themes/Default/images/favicon.ico,
http://img.shopzilla.com/shopzilla/shopzilla.ico,
http://wellformedweb.org/CommentAPI/,
http://crl.oces.certifikat.dk/oces.crl0,
http://ca.sia.it/seccli/repository/CRL.der0J,
http://search.orange.co.uk/,
http://www.myspace.com/favicon.ico,
http://ariadna.elmundo.es/favicon.ico,
http://www.e-szigno.hu/RootCA.crt0,
http://search.gismeteo.ru/,
http://www3.fnac.com/favicon.ico,
http://en.wikipedia.org/w/api.php?action=opensearch,
http://repository.infonotary.com/cps/qcps.html0,
http://ocsp.pki.gva.es0,
http://support.microsoft.com,
http://in.search.yahoo.com/,
http://www.etmall.com.tw/favicon.ico,
http://www.ceneo.pl/favicon.ico,
http://service2.bfast.com/,
http://tw.search.yahoo.com/,
http://es.ask.com/,
http://www.ozu.es/favicon.ico,
http://www.iask.com/favicon.ico,
http://www.dailymail.co.uk/favicon.ico,
http://google.pchome.com.tw/,
http://crl.ssc.lt/root-b/cacrl.crl0,
http://p.zhongsou.com/favicon.ico,
http://crl.securetrust.com/STCA.crl0,
http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=,
http://search.ebay.com/,
http://br.search.yahoo.com/,
http://suche.lycos.de/,
http://users.ocsp.d-trust.net03,
http://www.asharqalawsat.com/favicon.ico,
http://mail.live.com/,
http://ru.search.yahoo.com,
http://de.wikipedia.org/,
http://crl.comodo.net/AAACertificateServices.crl0,
http://ns.adobe.com/xap/1.0/mm/,
http://cps.chambersign.org/cps/chambersroot.html0,
http://www.google.ru/,
http://search.empas.com/favicon.ico,
http://search.seznam.cz/,
http://de.wikipedia.org/w/api.php?action=opensearch,
http://www.expedia.com/,
http://www.clarin.com/favicon.ico,
http://www.acabogacia.org/doc0,
http://busca.uol.com.br/,
http://www.sk.ee/cps/0,
http://mail.live.com/?rru=compose%3Fsubject%3D,
https://www.catcert.net/verarrel05,
http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0,
http://crl.securetrust.com/SGCA.crl0,
http://buscador.terra.com/favicon.ico,
http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0,
http://crl.globalsign.net/root-r2.crl0,
http://purl.org/rss/1.0/modules/slash/,
http://www.d-trust.net0,
http://es.search.yahoo.com/,
http://www.ocn.ne.jp/favicon.ico,
http://www.d-trust.net/crl/d-trust_root_class_2_ca_2007.crl0,
http://corp.naukri.com/,
http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended,
http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity,
http://www.recherche.aol.fr/,
http://pl.wikipedia.org/w/api.php?action=opensearch,
http://www.weather.com/favicon.ico,
http://search.centrum.cz/favicon.ico,
http://search.yam.com/,
http://uk.search.yahoo.com/,
http://busca.uol.com.br/favicon.ico,
http://es.wikipedia.org/favicon.ico,
http://images.joins.com/ui_c/fvc_joins.ico,
http://cgi.search.biglobe.ne.jp/,
http://www.microsoft.com/pki/crl/products/TrustListPCA.crl,
http://msk.afisha.ru/,
http://es.wikipedia.org/w/api.php?action=opensearch,
http://www.globaltrust.info0,
http://www.google.pl/,
http://www.arrakis.com/favicon.ico,
http://search.microsoft.com/,
http://search.goo.ne.jp/favicon.ico,
http://image.excite.co.jp/jp/favicon/lep.ico,
https://secure.a-cert.at/cgi-bin/a-cert-advanced.cgi0,
http://www.merlin.com.pl/,
http://crl.usertrust.com/UTN-USERFirst-Hardware.crl01,
http://www.amazon.de/,
http://www.sogou.com/,
http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0,
http://cerca.lycos.it/,
http://www.usertrust.com1,
http://www.orange.fr/,
http://spaces.live.com/BlogIt.aspx,
http://www.microsofttranslator.com/?ref=IE8Activity,
http://www.rakuten.co.jp/favicon.ico,
http://search.nate.com/,
http://www.nate.com/favicon.ico,
http://de.wikipedia.org/favicon.ico,
http://www.dnie.es/dpc0,
http://www.najdi.si/,
http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity,
http://search.daum.net/favicon.ico,
https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0E,
http://nl.wikipedia.org/favicon.ico,
http://crl.pki.wellsfargo.com/wsprca.crl0,
http://it.search.yahoo.com/,
http://www.google.it/,
http://www.d-trust.net/crl/d-trust_root_class_3_ca_2007.crl0,
http://suche.web.de/favicon.ico,
http://search.seznam.cz/favicon.ico,
http://purl.org/rss/1.0/,
http://search.lycos.com/,
http://fr.wikipedia.org/w/api.php?action=opensearch,
http://qual.ocsp.d-trust.net0,
http://search.dreamwiz.com/favicon.ico,
http://www.kkbox.com.tw/,
http://suche.aol.de/,
http://www.entrust.net/CRL/net1.crl0,
http://www.entrust.net/CRL/Client1.crl0,
http://crl.xrampsecurity.com/XGCA.crl0,
http://search.empas.com/,
http://yellowpages.superpages.com/favicon.ico,
http://arianna.libero.it/,
http://www.dailymail.co.uk/,
http://ru.wikipedia.org/favicon.ico,
http://purl.org/rss/1.0/modules/content/,
http://search.auction.co.kr/,
http://www.certplus.com/CRL/class1.crl0,
http://ocsp.infonotary.com/responder.cgi0V,
http://search.yahoo.co.jp,
http://asp.usatoday.com/favicon.ico,
http://www.signatur.rtr.at/current.crl0,
http://search.msn.com.cn/results.aspx?q=,
http://crl.microsoft.com/pki/crl/products/tspca.crl0H,
http://www.a-cert.at/certificate-policy.html0,
https://localhost,
http://cn.bing.com/favicon.ico,
http://www.firmaprofesional.com0,
http://search2.estadao.com.br/,
http://www.microsoft.com/pki/certs/tspca.crt0,
http://search.cn.yahoo.com/,
http://www.rootca.or.kr/rca/cps.html0,
http://ie.search.yahoo.com/os?command=,
http://www.tesco.com/,
http://search-dyn.tiscali.it/,
http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl,
http://search.ipop.co.kr/favicon.ico,
http://arianna.libero.it/favicon.ico,
http://www.sk.ee/juur/crl/0,
http://it.wikipedia.org/,
http://crl.comodo.net/TrustedCertificateServices.crl0,
http://busca.orange.es/,
http://www.microsoft.com/schemas/rss/core/2005/internal,
http://www.baidu.com/,
http://home.altervista.org/,
http://it.search.dada.net/favicon.ico,
http://www.gmarket.co.kr/,
http://www.e-certchile.cl/html/productos/download/CPSv1.7.pdf01,
http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0,
http://www.google.com.br/,
http://buscar.ya.com/,
http://images.monster.com/favicon.ico,
http://search.ebay.it/,
http://www.alarabiya.net/,
http://ru.wikipedia.org/w/api.php?action=opensearch,
https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0,
http://www.maktoob.com/favicon.ico,
http://price.ru/favicon.ico,
http://ns.adobe.com/pdf/1.3/,
http://www.microsoft.com/schemas/ie8tldlistdescription/1.0,
http://logo.verisign.com/vslogo.gif0,
http://price.ru/,
http://www.disig.sk/ca/crl/ca_disig.crl0,
http://www.najdi.si/favicon.ico,
http://kr.search.yahoo.com/,
http://www.aol.com/favicon.ico,
http://www.ozon.ru/favicon.ico,
http://pl.wikipedia.org/,
http://www.target.com/favicon.ico,
http://fr.search.yahoo.com/,
http://crl.usertrust.com/UTN-DATACorpSGC.crl0,
http://search.daum.net/,
http://www.certicamara.com/certicamaraca.crl0,
http://de.search.yahoo.com/,
http://suche.freenet.de/favicon.ico,
http://www.post.trust.ie/reposit/cps.html0,
http://busca.buscape.com.br/favicon.ico,
http://www2.public-trust.com/crl/ct/ctroot.crl0,
http://www.microsoft.com/favicon.ico,
http://www.certicamara.com0,
http://auone.jp/favicon.ico,
http://buscador.lycos.es/,
http://search.yahoo.com/,
http://msdn.microsoft.com/workshop/security/privacy/overview/privacyimportxml.asp),
http://search.rediff.com/favicon.ico,
http://si.wikipedia.org/favicon.ico,
http://www3.fnac.com/,
http://web.ask.com/,
http://ca.sia.it/secsrv/repository/CRL.der0J,
http://search.books.com.tw/,
http://search.ebay.in/,
http://search.about.com/,
http://www.neckermann.de/,
http://www.disig.sk/ca0f,
http://browse.guardian.co.uk/favicon.ico,
http://www.tesco.com/favicon.ico,
http://search.ipop.co.kr/,
https://www.example.com.,
http://www.target.com/,
http://www.amazon.com/favicon.ico,
http://recherche.linternaute.com/,
http://www.google.fr/,
http://www.certicamara.com/dpc/0Z,
http://openimage.interpark.com/interpark.ico,
http://www.google.si/,
http://www.yandex.ru/favicon.ico,
http://www.google.com/favicon.ico,
http://www.walmart.com/favicon.ico,
http://udn.com/,
http://purl.org/dc/elements/1.1/,
http://www.wellsfargo.com/certpolicy0,
http://fedir.comsign.co.il/crl/ComSignCA.crl0,
http://www.google.es/,
http://www.cnet.co.uk/,
http://www.mtv.com/,
http://search.live.com/results.aspx?FORM=IEFM1,
http://www.abril.com.br/,
https://www.netlock.hu/docs/,
http://search1.taobao.com/,
http://www.a-cert.at0E,
http://www.amazon.co.uk/,
http://it.wikipedia.org/w/api.php?action=opensearch,
http://www.tchibo.de/favicon.ico,
http://www.pchome.com.tw/favicon.ico,
http://pt.wikipedia.org/,
http://fr.wikipedia.org/,
http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0,
https://rca.e-szigno.hu/ocsp0-,
http://ja.wikipedia.org/w/api.php?action=opensearch,
https://ca.sia.it/seccli/repository/CPS0,
http://www.chennaionline.com/ncommon/images/collogo.ico,
http://www.cjmall.com/,
http://search.live.com/results.aspx?q=,
http://www.comsign.co.il/cps0,
http://www.certifikat.dk/repository0,
http://cps.chambersign.org/cps/publicnotaryroot.html0,
http://search.yahoo.com/favicon.ico,
http://www.quovadisglobal.com/cps0,
http://busca.igbusca.com.br/,
http://ca.disig.sk/ca/crl/ca_disig.crl0,
http://www.nifty.com/favicon.ico,
http://cps.chambersign.org/cps/chambersignroot.html0,
http://www.sify.com/favicon.ico,
http://www.certplus.com/CRL/class2.crl0,
http://home.altervista.org/favicon.ico,
http://search.gamer.com.tw/favicon.ico,
http://busca.buscape.com.br/,
http://search.atlas.cz/,
http://www.ceneo.pl/,
http://crl.chambersign.org/chambersignroot.crl0,
http://www.certplus.com/CRL/class3P.crl0,
https://www.netlock.net/docs,
http://pl.wikipedia.org/favicon.ico,
http://ns.adobe.com/iX/1.0/,
http://search.books.com.tw/favicon.ico,
http://search.aol.in/,
http://crl.comodoca.com/TrustedCertificateServices.crl0:,
https://example.com,
http://cs.wikipedia.org/favicon.ico,
http://spaces.live.com/,
http://www.valicert.com/1,
http://crl.comodoca.com/AAACertificateServices.crl06,
http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity,
http://www.crc.bg0,
http://z.about.com/m/a08.ico,
http://www.univision.com/favicon.ico,
http://crl.comodoca.com/COMODOCertificationAuthority.crl0,
http://nl.wikipedia.org/w/api.php?action=opensearch,
http://search.aol.co.uk/
host: 25.20.116.113,
103.143.173.25
path: {"pdb_path": [], "filepaths": {"file_read": ["C:\\Users\\desktop.ini", "C:\\Users\\Administrator\\Documents\\desktop.ini"], "dll_loaded": ["kernel32", "gdi32.dll", "kernel32.dll", "UxTheme.dll", "oleaut32.dll", "C:\\Windows\\system32\\ole32.dll", "NTDLL.DLL", "dwmapi.dll", "ntdll.dll", "C:\\Windows\\WinSxS\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\gdiplus.dll", "USER32.DLL", "C:\\Windows\\system32\\uxtheme.dll", "ntmarta.dll", "C:\\Windows\\system32\\MSCTF.dll", "KERNEL32.DLL", "C:\\ogxses\\bin\\monitor-x86.dll", "KERNELBASE.DLL", "API-MS-Win-Core-LocalRegistry-L1-1-0.dll", "user32", "OLEAUT32.DLL", "advapi32.dll", "comctl32", "ole32.dll", "IMM32.dll", "C:\\Windows\\system32\\notepad.exe", "EXPLORER.EXE", "C:\\Windows\\system32\\xmllite.dll", "OLEAUT32.dll", "SHELL32.dll", "DUser.dll", "comctl32.dll", "C:\\Windows\\system32\\DUser.dll", "User32.dll", "USER32", "ADVAPI32.dll", "rpcrt4.dll", "SETUPAPI.dll", "user32.dll", "OLEACC.dll"], "file_moved": [], "file_copied": ["C:\\Users\\Administrator\\Documents\\MSDCSC\\msdcsc.exe", "C:\\Users\\Administrator\\AppData\\Local\\Temp\\sXPFvH.exe"], "file_exists": ["C:\\Windows\\System32\\oleaccrc.dll", "C:\\Users\\Administrator\\Documents\\MSDCSC", "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db", "C:\\", "C:\\Users\\Administrator\\AppData\\Roaming", "C:\\Users\\desktop.ini", "C:\\Users\\Administrator\\Documents\\MSDCSC\\", "C:\\Users\\Administrator\\Documents\\MSDCSC\\rEj9MRKQ3Kzp\\msdcsc.exe", "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000026.db", "C:\\Users\\Administrator\\AppData\\Local\\Temp\\sXPFvH.exe", "C:\\Users\\Administrator\\Documents\\MSDCSC\\rEj9MRKQ3Kzp.dcp", "C:\\Users\\Administrator", "C:\\Users\\Administrator\\Documents", "C:\\Users", "C:\\Users\\Administrator\\AppData\\Local\\Temp\\notepad", 
"C:\\Users\\Administrator\\AppData\\Roaming\\dclogs\\", "C:\\Users\\Administrator\\Documents\\desktop.ini", "C:\\Users\\Administrator\\Documents\\MSDCSC\\msdcsc.exe", "C:\\Users\\Administrator\\AppData\\Local\\Temp\\rEj9MRKQ3Kzp.dcp", "C:\\Users\\Administrator\\AppData\\Roaming\\dclogs"], "file_opened": ["C:\\Windows\\System32\\oleaccrc.dll", "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db", "C:\\", "C:\\Users\\desktop.ini", "C:\\Users\\Administrator\\Documents\\desktop.ini", "C:\\Users\\Administrator", "C:\\Users", "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000026.db", "C:\\Users\\Administrator\\Documents\\MSDCSC\\msdcsc.exe", "C:\\Users\\Administrator\\AppData\\Local\\Temp\\sXPFvH.exe"], "file_created": ["C:\\Windows\\System32\\oleaccrc.dll", "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db", "C:\\", "C:\\Users\\desktop.ini", "C:\\Users\\Administrator\\Documents\\desktop.ini", "C:\\Users\\Administrator", "C:\\Users", "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000026.db", "C:\\Users\\Administrator\\Documents\\MSDCSC\\msdcsc.exe", "C:\\Users\\Administrator\\AppData\\Local\\Temp\\sXPFvH.exe"], "file_deleted": [], "file_written": [], "directory_created": ["C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Windows\\Caches", "C:\\Users\\Administrator\\Documents\\MSDCSC", "C:\\Users\\Administrator\\AppData\\Roaming\\dclogs"], "directory_queried": ["C:\\Users\\Administrator", "C:\\Users\\Administrator\\Documents", "C:\\Users"], "directory_removed": [], "directory_enumerated": []}}
yara: {"url": [], "misc": {"misc": ["dbgdetect_funcs_ig"], "crypto": ["RIPEMD160_Constants", "SHA1_Constants", "DES_Long", "MD5_Constants", "VC8_Random", "RijnDael_AES_LONG", "Delphi_Random", "BASE64_table", "CRC32_table", "RijnDael_AES_CHAR", "MD5_API"], "packer": ["MinGW_1", "borland_delphi"]}, "memory": ["darkcomet_memory_1", "darkcomet_memory_3", "darkcomet_memory_2", "darkcomet_memory_4"], "generic": [], "pre_analysis": []}
email:
mutex: DCPERSFWBP,
DC_MUTEX-K5CAEA3,
Local\MSCTF.Asm.MutexDefault1
ports: {"tcp": [], "udp": [], "tcp_dead": [80, 957]}
domain:
regkeys: {"regkey_read": ["HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledProcesses\\21082CA9", "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Language Hotkey", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\UseDropHandler", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}\\Enable", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\lfOutPrecision", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORPARSING", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\StatusBar", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoNetCrawling", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\NoNetCrawling", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\lfOrientation", "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\lfUnderline", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DontShowSuperHidden", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Filter", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForOverlay", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Notepad\\DefaultFonts\\iPointSize", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\NoFileFolderJunction", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\ldap\\UseOldHostResolutionOrder", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\NeverShowExt", 
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowInfoTip", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsParseDisplayName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\IDConfigDB\\CurrentConfig", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\iMarginTop", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideIcons", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\fSaveWindowPositions", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsAliasedNotifications", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\iMarginBottom", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\iMarginLeft", "HKEY_CURRENT_USER\\Software\\DC3_FEXEC\\{e29ac6c0-7037-11de-816d-806e6f6e6963-4234460882}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\AlwaysShowExt", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\IDConfigDB\\CurrentDockInfo\\DockingState", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\IDConfigDB\\Hardware Profiles\\0001\\HwProfileGuid", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Segoe UI", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{618736E0-3C3D-11CF-810C-00AA00389B71}\\ProxyStubClsid32\\(Default)", "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Layout Hotkey", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\lfClipPrecision", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\RestrictedAttributes", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSimpleStartMenu", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\IsShortcut", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Notepad\\DefaultFonts\\lfFaceName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\BrowseInPlace", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\lfCharSet", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\IconsOnly", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\DocObject", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\MachineThrottling", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{0ad25834-bdda-11e5-8e00-806e6f6e6963}\\Generation", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\AutoCheckSelect", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\CallForAttributes", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{0ad25835-bdda-11e5-8e00-806e6f6e6963}\\Generation", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideInWebView", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\SeparateProcess", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\BrowseInPlace", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\SeparateProcess", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\fMLE_is_broken", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORDISPLAY", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\lfFaceName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\DocObject", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\lfItalic", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\DevicePath", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\WebView", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForInfoTip", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\lfWeight", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\IDConfigDB\\Hardware Profiles\\0001\\FriendlyName", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowCompColor", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\ClassicShell", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoWebView", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\lfStrikeOut", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\MS Shell Dlg 2", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\Attributes", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\MapNetDrvBtn", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\lfPitchAndFamily", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\IsShortcut", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\iPointSize", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\AccessProviders\\MartaExtension", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\DontPrettyPath", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\iMarginRight", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\lfQuality", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\szTrailer", "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\PinToNameSpaceTree", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HasNavigationEnum", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\iWindowPosX", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\iWindowPosY", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{0ad25835-bdda-11e5-8e00-806e6f6e6963}\\Data", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\fWrap", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellState", "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Hotkey", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{0ad25838-bdda-11e5-8e00-806e6f6e6963}\\Data", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowTypeOverlay", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\es-ES", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\ldap\\LdapClientIntegrity", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{0ad25834-bdda-11e5-8e00-806e6f6e6963}\\Data", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideFolderVerbs", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\NeverShowExt", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}\\DriveMask", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\MapNetDriveVerbs", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\GlobalSession", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\DocObject", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\NeverShowExt", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\es-ES", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\IsShortcut", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\szHeader", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\ldap\\UseHostnameAsAlias", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\iWindowPosDY", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\iWindowPosDX", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{0ad25838-bdda-11e5-8e00-806e6f6e6963}\\Generation", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\EnableAnchorContext", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\lfEscapement", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\BrowseInPlace", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsUniversalDelegate"], "regkey_opened": ["HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_CURRENT_USER\\Software\\DC2_USERS", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SQMClient\\Windows\\DisabledProcesses\\", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", 
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\KnownClasses", "HKEY_CLASSES_ROOT\\Folder", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SQMClient\\Windows", "HKEY_CLASSES_ROOT\\Directory", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\", "HKEY_CLASSES_ROOT\\Drive\\shellex\\FolderExtensions", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\LSA\\AccessProviders", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume", "HKEY_CURRENT_USER\\Software\\Borland\\Locales", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\ShellEx\\IconHandler", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{0ad25838-bdda-11e5-8e00-806e6f6e6963}\\", "HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\DirectSwitchHotkeys", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\(Default)", "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\Explorer", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{FA445657-9379-11D6-B41A-00065B83EE53}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\Clsid", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Explorer", 
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\IDConfigDB\\Hardware Profiles\\0001", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", "HKEY_CLASSES_ROOT\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder", "HKEY_LOCAL_MACHINE\\System\\Setup", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\BrowseInPlace", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\Directory", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\DocObject", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale", "HKEY_CURRENT_USER\\Software\\DC3_FEXEC", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\CurVer", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\BrowseInPlace", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{70FAF614-E0B1-11D3-8F5C-00C04F9CF4AC}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum", "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\DocObject", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\ShellEx\\IconHandler", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Shell\\RegisteredApplications\\UrlAssociations\\Directory\\OpenWithProgids", 
"HKEY_CLASSES_ROOT\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Notepad\\DefaultFonts", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_CLASSES_ROOT\\Interface\\{618736E0-3C3D-11CF-810C-00AA00389B71}\\ProxyStubClsid32", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\ComputerName\\ActiveComputerName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\Clsid", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\DirectUI", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\Clsid", "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SQMClient\\Windows", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LDAP", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\IDConfigDB", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\ShellEx\\IconHandler", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\IDConfigDB\\CurrentDockInfo", "HKEY_LOCAL_MACHINE\\Software\\Borland\\Locales", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\notepad.exe", "HKEY_CURRENT_USER\\Software\\Borland\\Delphi\\Locales", "HKEY_CLASSES_ROOT\\AllFilesystemObjects", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{0ad25835-bdda-11e5-8e00-806e6f6e6963}\\", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{0ad25834-bdda-11e5-8e00-806e6f6e6963}\\", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\DocObject", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{3697C5FA-60DD-4B56-92D4-74A569205C16}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\BrowseInPlace"], "regkey_created": ["HKEY_CURRENT_USER\\Software", "HKEY_CURRENT_USER\\Software\\DC3_FEXEC", 
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"], "regkey_deleted": [], "regkey_written": ["HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\MicroUpdate", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\UserInit"], "regkey_enumerated": ["HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{3697C5FA-60DD-4B56-92D4-74A569205C16}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\DirectSwitchHotkeys"]}
metadata: {"crc32": {"original": "B7CACEE9", "unpacked": {}}, "names": {"title": [], "author": [], "country": [], "creator": [], "subject": [], "locality": [], "producer": [], "common_name": [], "company_name": null, "organization": [], "product_name": null, "internal_name": null, "private_build": null, "special_build": null, "legal_copyright": null, "legal_trademarks": null, "original_filename": null, "organizational_unit": []}, "ssdeep": {"original": "12288:f9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hPA:JZ1xuVVjfFoynPaVBUR8f+kN10EBO", "unpacked": {}}, "file_type": {"original": "PE32 executable (GUI) Intel 80386, for MS Windows", "unpacked": {}}, "pe_imphash": "e5b4359a3773764a372173074ae9b6bd", "postal_code": null, "pe_timestamp": "2012-06-07 17:59:53", "signing_date": "", "peid_signatures": []}
registry:
connections: {"tcp": [], "udp": [], "tcp_dead": ["25.20.116.113:957", "103.143.173.25:80"]}
certificates:
process_name: msdcsc.exe,
sXPFvH.exe,
notepad.exe
attack_patterns: {'id': 'T1022', 'name': 'Data Encrypted'},
{'id': 'T1056', 'name': 'Input Capture'},
{'id': 'T1529', 'name': 'System Shutdown/Reboot'},
{'id': 'T1027', 'name': 'Obfuscated Files or Information'},
{'id': 'T1045', 'name': 'Software Packing'},
{'id': 'T1055', 'name': 'Process Injection'},
{'id': 'T1497', 'name': 'Virtualization/Sandbox Evasion'},
{'id': 'T1115', 'name': 'Clipboard Data'},
{'id': 'T1060', 'name': 'Registry Run Keys / Startup Folder'},
{'id': 'T1093', 'name': 'Process Hollowing'} | https://tctrustoylo.blueliv.com/api/v1/malware/ad53660b6d7e8d2ed14bd59b39e1f265148e3c6818a494cce906e749976bade1/ioc/ | 2020-06-15T16:48:42.527191Z | 2020-06-15T18:25:32Z | self: https://tctrustoylo.blueliv.com/api/v1/malware/ad53660b6d7e8d2ed14bd59b39e1f265148e3c6818a494cce906e749976bade1/ | false | 2 | 36a40cc55e2ffe7d44d007c6e37afd7f | false | | 0 | https://tctrustoylo.blueliv.com/api/v1/malware/ad53660b6d7e8d2ed14bd59b39e1f265148e3c6818a494cce906e749976bade1/pcap/ | 3 | false | | https://tctrustoylo.blueliv.com/api/v1/malware/ad53660b6d7e8d2ed14bd59b39e1f265148e3c6818a494cce906e749976bade1/report/ | 7.0 | https://tctrustoylo.blueliv.com/api/v1/malware/ad53660b6d7e8d2ed14bd59b39e1f265148e3c6818a494cce906e749976bade1/sample/ | https://tctrustoylo.blueliv.com/api/v1/malware/ad53660b6d7e8d2ed14bd59b39e1f265148e3c6818a494cce906e749976bade1/enrichment/scans/ | false | 5c0be68316ce77584a7b966ff40e7d61a8a98055 | ad53660b6d7e8d2ed14bd59b39e1f265148e3c6818a494cce906e749976bade1 | e7ebf12d5dc0900faafa73d090b62c1ce583858606217d935981bf3d51dbd6e63eefd67b103913240173b2bafbcaac689d83828654ecf054cb7a30766c4a3cc6 | | virustotalAPI | DARKCOMET | false | white | Malware | DARKCOMET | 2020-06-15T17:12:28.893118Z | 2020-06-15T16:30:33.293000Z | | none | darkkomet,
fynloski,
genmalicious | + + +### blueliv-tc-indicator-ip +*** +Gets information about an IP + + +#### Base Command + +`blueliv-tc-indicator-ip` +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| IP_id | Internal Blueliv's IP ID | Required | +| IP | IP to search | Optional | + + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| indicator.lastSeen | Unknown | Indicator last seen | +| indicator.risk | Unknown | Indicator risk | +| indicator.latitude | Unknown | Indicator latitude | +| indicator.longitude | Unknown | Indicator longitude | +| indicator.countryId | Unknown | Indicator countryes internal IDs | +| indicator.campaigns | Unknown | Indicator campaigns | +| indicator.campaignIds | Unknown | Indicator campaigns internal IDs | +| indicator.signatures | Unknown | Indicator signatures | +| indicator.signatureIds | Unknown | Indicator signatures internal IDs | +| indicator.threatActors | Unknown | Indicator threat actors | +| indicator.threatActorIds | Unknown | Indicator threat actors internal IDs | +| indicator.tags | Unknown | Indicator tags | +| indicator.tagIds | Unknown | Indicator tags internal IDs | +| indicator.fqdns | Unknown | Indicator FQDNs | +| indicator.fqdnIds | Unknown | Indicator FQDNs internal IDs | +| indicator.sparks | Unknown | Indicator sparks | +| indicator.sparkIds | Unknown | Indicator sparks internal IDs | +| indicator.bots | Unknown | Indicator bots | +| indicator.botIds | Unknown | Indicator bots internal IDs | + + +#### Command Example +```!blueliv-tc-indicator-ip IP="103.76.228.28"``` + +#### Context Example +``` +{ + "indicator": { + "botIds": "", + "bots": 0, + "campaignIds": "", + "campaigns": 0, + "countryId": "103", + "fqdnIds": "", + "fqdns": 0, + "lastSeen": "2020-06-15T18:25:00Z", + "latitude": "20.0", + "longitude": "77.0", + "risk": "4.0", + "signatureIds": "", + "signatures": 0, + "sparkIds": "", + "sparks": 0, + "tagIds": "", + "tags": 0, + 
"threatActorIds": "", + "threatActors": 0 + }, + "threatContext": { + "hasResults": "true" + } +} +``` + +#### Human Readable Output + +>### Blueliv IP info +>|address|asn_number|asn_owner|at_afapi|created_at|created_at_afapi|first_seen|history_link|id|ioc_link|last_risk_scoring|last_seen|latitude|links|longitude|passive_dns_link|risk|slugs_tags|tlp|type|updated_at|updated_at_afapi|virus_total_link|whois_link| +>|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +>| 103.76.228.28 | 394695 | PDR | false | 2019-05-03T09:57:46.834135Z | | 2019-04-11T04:12:09.830000Z | https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/history/ | 70236228 | https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/ioc/ | 2020-06-15T15:17:47.624936Z | 2020-06-15T18:25:00Z | 20.0 | self: https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/ | 77.0 | https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/enrichment/passive-dns/ | 4.0 | | amber | IP | 2020-06-15T16:44:49.623167Z | | https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/enrichment/virus-total/ | https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/enrichment/whois/ | + + +### blueliv-tc-cve +*** +Gets information about CVE + + +#### Base Command + +`blueliv-tc-cve` +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| CVE | CVE to search | Optional | +| CVE_id | Internal Blueliv's CVE ID | Optional | + + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| cve.name | Unknown | CVE name | +| cve.description | Unknown | CVE description | +| cve.updatedAt | Unknown | CVE updated at | +| cve.score | Unknown | CVE score | +| cve.attackPatterns | Unknown | CVE attack patterns | +| cve.attackPatternIds | Unknown | CVE attackp patterns internal IDs | +| cve.signatures | Unknown | CVE signatures | +| cve.signatureIds | Unknown | CVE signatures internal IDs | +| cve.tags | Unknown | CVE tags | +| 
cve.tagIds | Unknown | CVE tags internal IDs | +| cve.crimeServers | Unknown | CVE Crime servers | +| cve.crimeServerIds | Unknown | CVE crime servers internal IDs | +| cve.sparks | Unknown | CVE sparks | +| cve.sparkIds | Unknown | CVE sparks internal IDs | +| cve.malware | Unknown | CVE malware | +| cve.malwareIds | Unknown | CVE malwares internal IDs | +| cve.exploits | Unknown | CVE exploits | +| cve.platforms | Unknown | CVE platforms | + + +#### Command Example +```!blueliv-tc-cve CVE="CVE-2020-8794"``` + +#### Context Example +``` +{} +``` + +#### Human Readable Output + +>{"apiId": "THIAPP", "url": "/api/v1/cve/CVE-2020-8794/relationships/attack-pattern/", "requestType": "GET"} + +### blueliv-tc-indicator-fqdn +*** +Gets information about FQDN + + +#### Base Command + +`blueliv-tc-indicator-fqdn` +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| FQDN_id | Internal Blueliv's FQDN id | Optional | +| FQDN | FQDN to search | Optional | + + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| indicator.lastSeen | Unknown | Indicator last seen | +| indicator.risk | Unknown | Indicator risk | +| indicator.campaigns | Unknown | Indicator campaigns | +| indicator.campaignIds | Unknown | Indicator campaigns internal IDs | +| indicator.signatures | Unknown | Indicator signatures | +| indicator.signatureIds | Unknown | Indicator signatures internal IDs | +| indicator.threatActors | Unknown | Indicator threat actors | +| indicator.threatActorIds | Unknown | Indicator threat actors internal IDs | +| indicator.tags | Unknown | Indicator tags | +| indicator.tagIds | Unknown | Indicator tags internal IDs | +| indicator.crimeServers | Unknown | Indicator crime servers | +| indicator.crimeServerIds | Unknown | Indicator crime servers internal IDs | +| indicator.sparks | Unknown | Indicator sparks | +| indicator.sparkIds | Unknown | Indicator sparks internal IDs | +| indicator.ips | Unknown | 
Indicator IPs | +| indicator.ipIds | Unknown | Indicator IPs internal IDs | + + +#### Command Example +```!blueliv-tc-indicator-fqdn FQDN="self-repair.r53-2.services.mozilla.com"``` + +#### Context Example +``` +{ + "indicator": { + "campaignIds": "", + "campaigns": 0, + "crimeServerIds": "", + "crimeServers": 0, + "ipIds": "", + "ips": 0, + "lastSeen": "2018-08-07T22:40:47.580489Z", + "risk": "2.5", + "signatureIds": "", + "signatures": 0, + "sparkIds": "", + "sparks": 0, + "tagids": "", + "tags": 0, + "threatActorIds": "", + "threatActors": 0 + }, + "threatContext": { + "hasResults": "true" + } +} +``` + +#### Human Readable Output + +>### Blueliv FQDN info +>|active_dns_link|created_at|domain|first_seen|history_link|id|ioc_link|last_risk_scoring|last_seen|links|passive_dns_link|risk|slugs_tags|tlp|type|updated_at|virus_total_link|whois_link| +>|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +>| https://tctrustoylo.blueliv.com/api/v1/fqdn/anad.ir/enrichment/dns/ | 2018-08-07T22:40:47.580640Z | anad.ir | 2018-08-07T22:40:47.580479Z | https://tctrustoylo.blueliv.com/api/v1/fqdn/anad.ir/history/ | 5783871 | https://tctrustoylo.blueliv.com/api/v1/fqdn/anad.ir/ioc/ | 2020-06-15T17:25:37.498738Z | 2018-08-07T22:40:47.580489Z | self: https://tctrustoylo.blueliv.com/api/v1/fqdn/anad.ir/ | https://tctrustoylo.blueliv.com/api/v1/fqdn/anad.ir/enrichment/passive-dns/ | 2.5 | | white | FQDN | 2020-06-15T17:25:37.499246Z | https://tctrustoylo.blueliv.com/api/v1/fqdn/anad.ir/enrichment/virus-total/ | https://tctrustoylo.blueliv.com/api/v1/fqdn/anad.ir/enrichment/whois/ | + + +### blueliv-tc-indicator-cs +*** +Gets information about a Crime Server + + +#### Base Command + +`blueliv-tc-indicator-cs` +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| CS_id | Internal Blueliv's Crime Server id | Required | +| CS | The name of the Crime Server to search | Optional | + + +#### Context Output + +| **Path** | **Type** 
| **Description** | +| --- | --- | --- | +| indicator.lastSeen | Unknown | Indicator lastSeen | +| indicator.status | Unknown | Indicator status | +| indicator.risk | Unknown | Indicator risk | +| indicator.isFalsePositive | Unknown | Indicator is a false positive | +| indicator.crimeServerUrl | Unknown | Indicator crime server URL | +| indicator.creditCardsCount | Unknown | Indicator credit cards count | +| indicator.credentialsCount | Unknown | Indicator credentials count | +| indicator.botsCount | Unknown | Indicator bots count | +| indicator.fqdnId | Unknown | Indicator FQDNs internal IDs | +| indicator.malware | Unknown | Indicator malware | +| indicator.malwareIds | Unknown | Indicator malwares internal IDs | +| indicator.tags | Unknown | Indicator tags | +| indicator.tagIds | Unknown | Indicator tags internal IDs | +| indicator.sparks | Unknown | Indicator sparks | +| indicator.sparkIds | Unknown | Indicator sparks internal IDs | + + +#### Command Example +```!blueliv-tc-indicator-cs CS_id=6626263``` + +#### Context Example +``` +{ + "indicator": { + "botsCount": "0", + "credentialsCount": "0", + "creditCardsCount": "0", + "crimeServerUrl": "http://saveback.xyz/asdfgh35546fhwJYGvdfgsadsg/login.php", + "fqdnId": "9633658", + "isFalsePositive": "False", + "lastSeen": "2020-06-15T16:46:06.170000Z", + "malware": 0, + "malwareIds": "", + "risk": "4.0", + "sourceIds": "642676,", + "sources": 1, + "sparkIds": "", + "sparks": 0, + "status": "online", + "tagIds": "", + "tags": 0 + }, + "threatContext": { + "hasResults": "true" + } +} +``` + +#### Human Readable Output + +>### Blueliv Crime Server info 
+>|at_feed|at_free_feed|bots_count|confidence|created_at|created_at_afapi|credentials_count|credit_cards_count|crime_server_url|false_positive_modification_time|first_seen|id|ioc_link|is_false_positive|last_log_timestamp|last_risk_scoring|last_seen|links|main_type|risk|scans_link|service_scans|slugs_tags|status|subtype_name|target_status|tlp|type|updated_at|updated_at_afapi| +>|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +>| true | true | 0 | 1 | 2020-06-15T17:02:40.327300Z | 2020-06-15T16:46:06.119000Z | 0 | 0 | http://saveback.xyz/asdfgh35546fhwJYGvdfgsadsg/login.php | 2020-06-15T17:02:38.524874Z | 2020-06-15T16:44:25Z | 6626263 | https://tctrustoylo.blueliv.com/api/v1/crime-server/6626263/ioc/ | false | | 2020-06-15T17:14:36.146566Z | 2020-06-15T16:46:06.170000Z | self: https://tctrustoylo.blueliv.com/api/v1/crime-server/6626263/ | c_and_c | 4.0 | https://tctrustoylo.blueliv.com/api/v1/crime-server/6626263/enrichment/scans/ | | | online | ANUBIS | | amber | CrimeServer | 2020-06-15T17:14:36.149943Z | 2020-06-15T16:46:06.170000Z | + + +### blueliv-tc-threat-actor +*** +Gets information about a Threat Actor + + +#### Base Command + +`blueliv-tc-threat-actor` +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| threatActor | Threat Actor to search | Optional | +| threatActor_id | Internal Blueliv's Threat Actor id | Optional | + + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| threatActor.name | Unknown | Threat actor name | +| threatActor.description | Unknown | Threat actor description | +| threatActor.objective | Unknown | Threat actor objective | +| threatActor.sophistication | Unknown | Threat actor sophistication | +| threatActor.lastSeen | Unknown | Threat actor last seen | +| threatActor.active | Unknown | Threat actor active | +| threatActor.milestones | Unknown | Threat actor milestones | +| 
threatActor.milestoneIds | Unknown | Threat actor milestones internal IDs | +| threatActor.tools | Unknown | Threat actor tools | +| threatActor.toolIds | Unknown | Threat actor tools internal IDs | +| threatActor.campaigns | Unknown | Threat actor campaigns | +| threatActor.campaignIds | Unknown | Threat actor campaigns internal IDs | +| threatActor.signatures | Unknown | Threat actor signatures | +| threatActor.signatureIds | Unknown | Threat actor signatures internal IDs | +| threatActor.onlineServices | Unknown | Threat actor online services | +| threatActor.onlineServiceIds | Unknown | Threat actor online services internal IDs | +| threatActor.malware | Unknown | Threat actor malware | +| threatActor.malwareIds | Unknown | Threat actor malwares internal IDs | +| threatActor.threatTypes | Unknown | Threat actor threat types | +| threatActor.threatTypeIds | Unknown | Threat actor threat types internal IDs | +| threatActor.fqdns | Unknown | Threat actor FQDNs | +| threatActor.fqdnIds | Unknown | Threat actor FQDNs internal IDs | +| threatActor.attackPatterns | Unknown | Threat actor attack patterns | +| threatActor.attackPatternIds | Unknown | Threat actor attack patterns internal IDs | +| threatActor.ips | Unknown | Threat actor IPs | +| threatActor.ipIds | Unknown | Threat actor IPs internal IDs | +| threatActor.targets | Unknown | Threat actor targets | +| threatActor.targetIds | Unknown | Threat actor targets internal IDs | + + +#### Command Example +```!blueliv-tc-threat-actor threatActor=Vendetta``` + +#### Context Example +``` +{ + "threatAactor": { + "onlineServices": 0, + "threatTypes": 0 + }, + "threatActor": { + "active": "True", + "attackPatternIds": "511,529,603,613,703,705,735,", + "attackPatterns": 7, + "campaignIds": "", + "campaigns": 0, + "description": "
Key Points
\n\n
    \n\t
  • \n\t

    Vendetta is a threat actor based on Italy or Turkey discovered in April 2020 that seeks to steal targeted business intelligence.

    \n\t
  • \n\t
  • \n\t

    Vendetta targeted enterprises located in North America, Eastern Europe, Asia, and Oceania regions.

    \n\t
  • \n\t
  • The threat actor uses social engineering techniques to infect the victims with a RAT.
  • \n
\n\n
Assessment
\n\n

Vendetta is a Threat Actor that became active on April 2020, and was discovered by 360 Baize Lab. The name comes from a PDB path found in one of the samples:

\n\n
C:\\Users\\Vendetta\\source\\repos\\{project name}\\*\\obj\\Debug\\{project name}.pdb
\n\n

Based on some information found on the samples themselves, and the tools used, 360 Baize Labs speculates that the actor is of European origin, either from Turkey or from Italy. Some of their malware samples contain the text "Developers from Italy" which indicates the threat actor may be Italian, but these also contain Turkish names in variables like RoboSky suggest they could actually be from Turkey.

\n\n

Vendetta targeted its victims with highly convincing spearphishing emails, impersonating entities such as Australian Government Department of Health, Austrian Federal Ministry of the Interior (BMI), or the Mexican health department. The emails contained a malicious attachment called pdf.exe, trying to trick the victim into opening the executable file thinking it is a pdf file, which ultimately installed the NanoCore and RemcosRAT malware.

", + "fqdnIds": "9607329,", + "fqdns": 1, + "ips": 1, + "lastSeen": "2020-06-10T00:00:00Z", + "malware": 56, + "malwareIds": "55048892,55954618,56069689,56081184,56101608,56174304,56435633,56482393,56528142,56528442,56660508,56822336,56834251,56895357,56906597,56921822,56963320,57023523,57143218,57500808,57531883,57577157,57992940,58151119,59402651,59402653,59402654,59402655,59402656,59406230,59406231,59406232,59406233,59406234,59406235,59406236,59421287,59421291,59421298,59421308,59421351,59421352,59421389,59421399,59421403,59421435,59421463,59421467,59421471,59421474,59421499,59421511,59421557,59421568,59421605,59468951,", + "milestoneIds": "", + "milestones": 0, + "name": "Vendetta", + "objective": "

This threat actor appears to be focused on stealing information from the target by using remote access trojans to infect organizations.

", + "onlineServiceIds": "", + "signatureIds": "", + "signatures": 0, + "sophistication": "intermediate", + "targetIds": "13,14,36,46,62,98,120,154,163,186,188,220,225,227,254,257,259,268,293,301,1164,", + "targets": 21, + "threatTypeIds": "", + "toolIds": "136,193,", + "tools": 2 + }, + "threatActor,ipIds": "96161121,", + "threatContext": { + "hasResults": "true" + } +} +``` + +#### Human Readable Output + +>### Blueliv Threat Actor info +>|active|aliases|country_name|created_at|description|first_seen|id|ioc_link|last_seen|links|modus_operandi|name|objective|references|sophistication|tlp|type|types|updated_at|uuid| +>|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +>| true | Vendetta | Italy | 2020-06-10T11:23:22.584500Z |
Key Points




  • Vendetta is a threat actor based on Italy or Turkey discovered in April 2020 that seeks to steal targeted business intelligence.




  • Vendetta targeted enterprises located in North America, Eastern Europe, Asia, and Oceania regions.



  • The threat actor uses social engineering techniques to infect the victims with a RAT.



Assessment


Vendetta is a Threat Actor that became active on April 2020, and was discovered by 360 Baize Lab. The name comes from a PDB path found in one of the samples:



C:\Users\Vendetta\source\repos\{project name}\*\obj\Debug\{project name}.pdb


Based on some information found on the samples themselves, and the tools used, 360 Baize Labs speculates that the actor is of European origin, either from Turkey or from Italy. Some of their malware samples contain the text "Developers from Italy" which indicates the threat actor may be Italian, but these also contain Turkish names in variables like RoboSky suggest they could actually be from Turkey.



Vendetta targeted its victims with highly convincing spearphishing emails, impersonating entities such as Australian Government Department of Health, Austrian Federal Ministry of the Interior (BMI), or the Mexican health department. The emails contained a malicious attachment called pdf.exe, trying to trick the victim into opening the executable file thinking it is a pdf file, which ultimately installed the NanoCore and RemcosRAT malware.

| 2020-04-01T00:00:00Z | 232 | https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/ioc/ | 2020-06-10T00:00:00Z | self: https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/ |

Vendetta uses well designed phishing campaigns to target businesses and individuals. The phishing emails contain a malicious payload that, once unleashed, will install a RAT in the infected computer.

| Vendetta |

This threat actor appears to be focused on stealing information from the target by using remote access trojans to infect organizations.

| {'link': 'https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/', 'title': 'Vendetta-new threat actor from Europe'} | intermediate | white | ThreatActor | hacker | 2020-06-10T12:29:16.463528Z | | + + +### blueliv-tc-campaign +*** +Gets information about a Campaign + + +#### Base Command + +`blueliv-tc-campaign` +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| campaign | Name of the Campaign to search for | Optional | +| campaign_id | Blueliv's internal Campaign id | Optional | + + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| campaign.name | Unknown | Campaign name | +| campaign.description | Unknown | Campaign description | +| campaign.lastSeen | Unknown | Campaign last seen | +| campaign.botnets | Unknown | Campaign botnets | +| campaign.botnetIds | Unknown | Campaign botnets internal IDs | +| campaign.signatures | Unknown | Campaign signatures | +| campaign.signatureIds | Unknown | Campaign signatures internal IDs | +| campaign.ips | Unknown | Campaign IPs | +| campaign.ipIds | Unknown | Campaign IPs internal IDs | +| campaign.malware | Unknown | Campaign malware | +| campaign.malwareIds | Unknown | Campaign malwares internal IDs | +| campaign.attackPatterns | Unknown | Campaign attack patterns | +| campaign.attackPatternIds | Unknown | Campaign attack patterns internal IDs | +| campaign.tools | Unknown | Campaign tools | +| campaign.toolIds | Unknown | Campaign tools internal IDs | +| campaign.fqdns | Unknown | Campaign FQDNs | +| campaign.fqdnIds | Unknown | Campaign FQDNs internal IDs | +| campaign.threatActorId | Unknown | Campaign threat actors internal IDs | + + +#### Command Example +```!blueliv-tc-campaign campaign_id=152``` + +#### Context Example +``` +{ + "campaign": { + "attackPatternIds": "", + "attackPatterns": 0, + "botnetIds": "", + "botnets": 0, + "description": "

A distribution campaign for the GRANDOREIRO banking Trojan. Through spam emails they got users to visit fake websites. The topic is usually electronic invoices, but recently they have used topics related to the coronavirus pandemic.

\n\n

There are different types of downloaders: VBS scripts, MSI files, executable downloaders. These downloaders contain an encoded URL that allows them to download an ISO file, usually hosted by a public service such as DROPBOX or GITHUB.

\n\n

This ISO file is actually a text file, which contains BASE64. Once decoded, a ZIP file containing GRANDOREIRO is obtained.

\n\n

Sometimes a password is required to extract the GRANDOREIRO trojan from the ZIP file. This prevents analyzing its content without analysing the downloader first.

", + "fqdnIds": "138612,9322638,9394712,9549083,9549084,9549097,9549098,9549099,", + "fqdns": 8, + "ips": 0, + "lastSeen": "2020-05-28T00:00:00Z", + "malware": 9, + "malwareIds": "55800558,55800615,58635752,58635753,58635754,58635755,58635756,58635757,58635758,", + "name": "2020 Grandoreiro campaign against banks in LATAM, Portugal and Spain", + "signatureIds": "", + "signatures": 0, + "threatActorId": "226", + "toolIds": "673,", + "tools": 1 + }, + "campaign,ipIds": "", + "threatContext": { + "hasResults": "true" + } +} +``` + +#### Human Readable Output + +>### Blueliv Campaign info +>|created_at|description|first_seen|id|ioc_link|last_seen|links|name|tlp|type|updated_at|uuid| +>|---|---|---|---|---|---|---|---|---|---|---|---| +>| 2020-05-28T21:24:11.307288Z |

A distribution campaign for the GRANDOREIRO banking Trojan. Through spam emails they got users to visit fake websites. The topic is usually electronic invoices, but recently they have used topics related to the coronavirus pandemic.



There are different types of downloaders: VBS scripts, MSI files, executable downloaders. These downloaders contain an encoded URL that allows them to download an ISO file, usually hosted by a public service such as DROPBOX or GITHUB.



This ISO file is actually a text file, which contains BASE64. Once decoded, a ZIP file containing GRANDOREIRO is obtained.



Sometimes a password is required to extract the GRANDOREIRO trojan from the ZIP file. This prevents analyzing its content without analysing the downloader first.

| 2020-04-16T00:00:00Z | 152 | https://tctrustoylo.blueliv.com/api/v1/campaign/152/ioc/ | 2020-05-28T00:00:00Z | self: https://tctrustoylo.blueliv.com/api/v1/campaign/152/ | 2020 Grandoreiro campaign against banks in LATAM, Portugal and Spain | white | Campaign | 2020-05-28T23:58:36.883515Z | | + + +### blueliv-tc-attack-pattern +*** +Gets information about a Attack Pattern + + +#### Base Command + +`blueliv-tc-attack-pattern` +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| attackPattern | The Attack Pattern's name to search for | Optional | +| attackPatternId | Interanl Blueliv's ID for the Attack Pattern | Optional | + + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| attackPattern.name | Unknown | Attack pattern name | +| attackPattern.description | Unknown | Attack pattern description | +| attackPattern.updatedAt | Unknown | Attack pattern updated at | +| attackPattern.severity | Unknown | Attack pattern severity | +| attackPattern.signatures | Unknown | Attack pattern signatures | +| attackPattern.signatureIds | Unknown | Attack pattern signatures internal IDs | +| attackPattern.campaigns | Unknown | Attack pattern campaigns | +| attackPattern.campaignIds | Unknown | Attack pattern campaigns internal IDs | +| attackPattern.threatActors | Unknown | Attack pattern threat actors | +| attackPattern.threatActorIds | Unknown | Attack pattern threat actors internal IDs | +| attackPattern.cves | Unknown | Attack pattern CVEs | +| attackPattern.cveIds | Unknown | Attack pattern CVEs internal IDs | + + +#### Command Example +```!blueliv-tc-attack-pattern attackPattern="Account Discovery"``` + +#### Context Example +``` +{ + "attackPattern": { + "campaignIds": "95,81,82,83,3,", + "campaigns": 5, + "cveIds": "", + "cves": 0, + "description": "Adversaries may attempt to get a listing of local system or domain accounts. 
\n\n### Windows\n\nExample commands that can acquire this information are net user, net group , and net localgroup using the [Net](https://attack.mitre.org/software/S0039) utility or through use of [dsquery](https://attack.mitre.org/software/S0105). If adversaries attempt to identify the primary user, currently logged in user, or set of users that commonly uses a system, [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) may apply.\n\n### Mac\n\nOn Mac, groups can be enumerated through the groups and id commands. In mac specifically, dscl . list /Groups and dscacheutil -q group can also be used to enumerate groups and users.\n\n### Linux\n\nOn Linux, local users can be enumerated through the use of the /etc/passwd file which is world readable. In mac, this same file is only used in single-user mode in addition to the /etc/master.passwd file.\n\nAlso, groups can be enumerated through the groups and id commands.", + "name": "Account Discovery", + "serverity": "Medium", + "signatureIds": "", + "signatures": 0, + "threatActorIds": "1,34,62,21,131,56,89,191,47,8,81,10,50,28,37,194,228,190,", + "threatActors": 18, + "updatedAt": "2018-12-24T23:00:02.352102Z" + }, + "threatContext": { + "hasResults": "true" + } +} +``` + +#### Human Readable Output + +>### Blueliv Attack Pattern info +>|attack_phases|attacker_skills_or_knowledge_required|capec_id|created_at|description|id|links|name|prerequisites|purposes|references|related_vulnerabilities|related_weaknesses|severity|solutions_and_mitigations|tlp|type|updated_at|uuid| +>|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +>| | | | 2018-12-24T23:00:02.352087Z | Adversaries may attempt to get a listing of local system or domain accounts.

### Windows

Example commands that can acquire this information are net user, net group , and net localgroup using the [Net](https://attack.mitre.org/software/S0039) utility or through use of [dsquery](https://attack.mitre.org/software/S0105). If adversaries attempt to identify the primary user, currently logged in user, or set of users that commonly uses a system, [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) may apply.

### Mac

On Mac, groups can be enumerated through the groups and id commands. In mac specifically, dscl . list /Groups and dscacheutil -q group can also be used to enumerate groups and users.

### Linux

On Linux, local users can be enumerated through the use of the /etc/passwd file which is world readable. In mac, this same file is only used in single-user mode in addition to the /etc/master.passwd file.

Also, groups can be enumerated through the groups and id commands. | 686 | self: https://tctrustoylo.blueliv.com/api/v1/attack-pattern/686/ | Account Discovery | | | | | | Medium | | white | AttackPattern | 2018-12-24T23:00:02.352102Z | 72b74d71-8169-42aa-92e0-e7b04b9f5a08 | + + +### blueliv-tc-tool +*** +Gets information about a Tool + + +#### Base Command + +`blueliv-tc-tool` +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| tool | Tool's name to search for | Optional | +| tool_id | Internal Blueliv's id of the tool | Optional | + + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| tool.Name | Unknown | Tool Name | +| tool.description | Unknown | Tool description | +| tool.lastSeen | Unknown | Tool last seen | +| tool.campaigns | Unknown | Tool campaigns | +| tool.campaignIds | Unknown | Tool campaigns internal IDs | +| tool.signatures | Unknown | Tool signatures | +| tool.signatureIds | Unknown | Tool signatures internal IDs | +| tool.threatActors | Unknown | Tool threat actors | +| tool.threatActorIds | Unknown | Tool threat actors internal IDs | + + +#### Command Example +```!blueliv-tc-tool tool=ACEHASH``` + +#### Context Example +``` +{ + "threatContext": { + "hasResults": "true" + }, + "tool": { + "campaignIds": "", + "campaigns": 0, + "description": "

ACEHASH is a credential theft/password hash dumping utility. The code may be based in Mimikatz and appears to be publicly available.

", + "lastSeen": "2019-12-01T00:00:00Z", + "name": "ACEHASH", + "signatureIds": "", + "signatures": 0, + "threatActorIds": "194,", + "threatActors": 1 + } +} +``` + +#### Human Readable Output + +>### Blueliv Tool info +>|created_at|description|discovery_date|first_seen|id|last_seen|links|name|references|targeted_platforms|tlp|type|updated_at|uuid|version| +>|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +>| 2020-02-26T14:35:55.698486Z |

ACEHASH is a credential theft/password hash dumping utility. The code may be based in Mimikatz and appears to be publicly available.

| | 2012-12-01T00:00:00Z | 532 | 2019-12-01T00:00:00Z | self: https://tctrustoylo.blueliv.com/api/v1/tool/532/ | ACEHASH | {'link': 'https://content.fireeye.com/apt-41/rpt-apt41', 'title': 'Double Dragon: APT41, a dual espionage and cyber crime operation'} | | white | Tool | 2020-02-26T14:35:55.698549Z | | | + + +### blueliv-tc-signature +*** +Gets information about a Signature + + +#### Base Command + +`blueliv-tc-signature` +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| signature | Signature's name to search for | Optional | +| signature_id | Internal Blueliv's ID for the signature | Optional | + + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| signature.name | Unknown | Signature name | +| signature.updatedAt | Unknown | Signature updated at | +| signature.ipIds | Unknown | Signature IPs internal IDs | +| signature.malware | Unknown | Signature malware | +| signature.malwareIds | Unknown | Signature malwares internal IDs | +| signature.score | Unknown | Signature score | + + +#### Command Example +```!blueliv-tc-signature signature_id=84458``` + +#### Context Example +``` +{ + "signature": { + "malware": 0, + "malwareIds": "", + "name": "ET TROJAN DonotGroup Staging Domain in DNS Query (sid 2030333)", + "type": "snort", + "updatedAt": "2020-06-15T02:11:21.962364Z" + }, + "threatContext": { + "hasResults": "true" + } +} +``` + +#### Human Readable Output + +>### Blueliv Signature info +>|created_at|id|links|name|references|sid|signature|status|tlp|type|updated_at|version| +>|---|---|---|---|---|---|---|---|---|---|---|---| +>| 2020-06-15T02:11:21.962302Z | 84458 | self: https://tctrustoylo.blueliv.com/api/v1/signature/84458/ | ET TROJAN DonotGroup Staging Domain in DNS Query (sid 2030333) | | 2030333 | alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DonotGroup Staging Domain in DNS Query"; content:"\|01\|"; offset:2; depth:1; content:"\|00 01 00 00 00 00 00\|"; distance:1; 
within:7; content:"\|0c\|yourcontents\|03\|xyz\|00\|"; distance:0; fast_pattern; metadata: former_category MALWARE; classtype:trojan-activity; sid:2030333; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2020_06_12, updated_at 2020_06_12;) | enabled | white | snort | 2020-06-15T02:11:21.962364Z | 2 | + diff --git a/Packs/BluelivThreatContext/README.md b/Packs/BluelivThreatContext/README.md new file mode 100644 index 000000000000..e69de29bb2d1 diff --git a/Packs/BluelivThreatContext/TestPlaybooks/Blueliv_ThreatContext_test.yml b/Packs/BluelivThreatContext/TestPlaybooks/Blueliv_ThreatContext_test.yml new file mode 100644 index 000000000000..815778af522f --- /dev/null +++ b/Packs/BluelivThreatContext/TestPlaybooks/Blueliv_ThreatContext_test.yml 
@@ -0,0 +1,411 @@
+id: Blueliv_ThreatContext_test
+version: -1
+name: Blueliv_ThreatContext_test
+description: Test all commands from Blueliv ThreatContext integration.
+starttaskid: "0"
+tasks:
+ "0":
+ id: "0"
+ taskid: 22e35a94-75e3-4089-8e8d-6ac2c69b2989
+ type: start
+ task:
+ id: 22e35a94-75e3-4089-8e8d-6ac2c69b2989
+ version: -1
+ name: ""
+ iscommand: false
+ brand: ""
+ description: ''
+ nexttasks:
+ '#none#':
+ - "7"
+ separatecontext: false
+ view: |-
+ {
+ "position": {
+ "x": 600,
+ "y": 60
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ "2":
+ id: "2"
+ taskid: 51ae9209-8831-4f95-8ec9-9419f4217f20
+ type: regular
+ task:
+ id: 51ae9209-8831-4f95-8ec9-9419f4217f20
+ version: -1
+ name: Check IP
+ description: Gets information about an IP
+ script: '|||blueliv-tc-indicator-ip'
+ type: regular
+ iscommand: true
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "3"
+ scriptarguments:
+ IP:
+ simple: 103.76.228.28
+ IP_id: {}
+ separatecontext: false
+ view: |-
+ {
+ "position": {
+ "x": 600,
+ "y": 390
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ "3":
+ id: "3"
+ taskid: e2479e96-2909-4980-8bf9-aacd094ca3a4
+ type: regular
+ task:
+ id: e2479e96-2909-4980-8bf9-aacd094ca3a4
+ version: -1
+ name: Check Threat Actor
+ description: Gets information about a Threat Actor
+ script: '|||blueliv-tc-threat-actor'
+ type: regular
+ iscommand: true
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "4"
+ scriptarguments:
+ threatActor:
+ simple: Vendetta
+ threatActor_id: {}
+ separatecontext: false
+ view: |-
+ {
+ "position": {
+ "x": 600,
+ "y": 570
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ "4":
+ id: "4"
+ taskid: d43499ae-253f-4dc0-827d-f415490feb7f
+ type: regular
+ task:
+ id: d43499ae-253f-4dc0-827d-f415490feb7f
+ version: -1
+ name: Get Tools
+ description: Gets information about a Tool
+ script: '|||blueliv-tc-tool'
+ type: regular
+ iscommand: true
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "5"
+ scriptarguments:
+ tool:
+ simple: ACEHASH
+ tool_id: {}
+ separatecontext: false
+ view: |-
+ {
+ "position": {
+ "x": 600,
+ "y": 760
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ "5":
+ id: "5"
+ taskid: 0c44a276-72e0-4632-8e55-fb77e7de07ce
+ type: regular
+ task:
+ id: 0c44a276-72e0-4632-8e55-fb77e7de07ce
+ version: -1
+ name: Get CVE
+ description: Gets information about CVE
+ script: '|||blueliv-tc-cve'
+ type: regular
+ iscommand: true
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "6"
+ scriptarguments:
+ CVE:
+ simple: CVE-2020-8794
+ CVE_id: {}
+ separatecontext: false
+ view: |-
+ {
+ "position": {
+ "x": 600,
+ "y": 940
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ "6":
+ id: "6"
+ taskid: ec703143-3dfe-48de-84b6-73a4012d0bd4
+ type: regular
+ task:
+ id: ec703143-3dfe-48de-84b6-73a4012d0bd4
+ version: -1
+ name: Get malware hash
+ description: Gets information about malware by ID
+ script: '|||blueliv-tc-malware'
+ type: regular
+ iscommand: true
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "8"
+ scriptarguments:
+ hash:
+ simple: ad53660b6d7e8d2ed14bd59b39e1f265148e3c6818a494cce906e749976bade1
+ hash_id: {}
+ separatecontext: false
+ view: |-
+ {
+ "position": {
+ "x": 600,
+ "y": 1120
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ "7":
+ id: "7"
+ taskid: f72e2020-bc63-49bb-8de8-464a6a2eed61
+ type: regular
+ task:
+ id: f72e2020-bc63-49bb-8de8-464a6a2eed61
+ version: -1
+ name: Delete Context
+ description: Delete field from context
+ scriptName: DeleteContext
+ type: regular
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "2"
+ scriptarguments:
+ all:
+ simple: "yes"
+ index: {}
+ key: {}
+ keysToKeep: {}
+ subplaybook: {}
+ separatecontext: false
+ view: |-
+ {
+ "position": {
+ "x": 600,
+ "y": 210
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ "8":
+ id: "8"
+ taskid: e1a14b28-4856-4647-81ba-9d72f0cebb09
+ type: regular
+ task:
+ id: e1a14b28-4856-4647-81ba-9d72f0cebb09
+ version: -1
+ name: Get FQDN
+ description: Gets information about FQDN
+ script: '|||blueliv-tc-indicator-fqdn'
+ type: regular
+ iscommand: true
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "9"
+ scriptarguments:
+ FQDN:
+ simple: self-repair.r53-2.services.mozilla.com
+ FQDN_id: {}
+ separatecontext: false
+ view: |-
+ {
+ "position": {
+ "x": 600,
+ "y": 1310
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ "9":
+ id: "9"
+ taskid: c163d4e9-deaf-4d77-8056-4d156976a995
+ type: regular
+ task:
+ id: c163d4e9-deaf-4d77-8056-4d156976a995
+ version: -1
+ name: Get attack pattern
+ description: Gets information about a Attack Pattern
+ script: '|||blueliv-tc-attack-pattern'
+ type: regular
+ iscommand: true
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "10"
+ scriptarguments:
+ attackPattern:
+ simple: Account Discovery
+ attackPatternId: {}
+ separatecontext: false
+ view: |-
+ {
+ "position": {
+ "x": 600,
+ "y": 1510
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ "10":
+ id: "10"
+ taskid: 79a2af8f-a658-4410-8a27-15d172d229f0
+ type: regular
+ task:
+ id: 79a2af8f-a658-4410-8a27-15d172d229f0
+ version: -1
+ name: Get signature
+ description: Gets information about a Signature
+ script: '|||blueliv-tc-signature'
+ type: regular
+ iscommand: true
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "11"
+ scriptarguments:
+ signature: {}
+ signature_id:
+ simple: "84458"
+ separatecontext: false
+ view: |-
+ {
+ "position": {
+ "x": 600,
+ "y": 1700
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ "11":
+ id: "11"
+ taskid: 32a9fbaa-2097-4d09-8b78-3eb6cc2f8242
+ type: regular
+ task:
+ id: 32a9fbaa-2097-4d09-8b78-3eb6cc2f8242
+ version: -1
+ name: Get Campaign
+ description: Gets information about a Campaign
+ script: '|||blueliv-tc-campaign'
+ type: regular
+ iscommand: true
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "12"
+ scriptarguments:
+ campaign: {}
+ campaign_id:
+ simple: "152"
+ separatecontext: false
+ view: |-
+ {
+ "position": {
+ "x": 600,
+ "y": 1870
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ "12":
+ id: "12"
+ taskid: f6c08518-db12-4cdb-820c-68807fc21036
+ type: regular
+ task:
+ id: f6c08518-db12-4cdb-820c-68807fc21036
+ version: -1
+ name: Get Crime Server
+ description: Gets information about a Crime Server
+ script: '|||blueliv-tc-indicator-cs'
+ type: regular
+ iscommand: true
+ brand: ""
+ scriptarguments:
+ CS: {}
+ CS_id:
+ simple: "6626263"
+ separatecontext: false
+ view: |-
+ {
+ "position": {
+ "x": 600,
+ "y": 2060
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+view: |-
+ {
+ "linkLabelsPosition": {},
+ "paper": {
+ "dimensions": {
+ "height": 2095,
+ "width": 380,
+ "x": 600,
+ "y": 60
+ }
+ }
+ }
+inputs: []
+outputs: []
+fromversion: 5.0.0
diff --git a/Packs/BluelivThreatContext/pack_metadata.json b/Packs/BluelivThreatContext/pack_metadata.json
new file mode 100644
index 000000000000..c6b2816e9f4e
--- /dev/null
+++ b/Packs/BluelivThreatContext/pack_metadata.json
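Review bot: None of the twelve command tasks in this playbook checks its result — every task is `type: regular` chained straight through `nexttasks`, so the test passes as long as no command raises, even if every lookup comes back empty. The README in this same patch shows each command setting `threatContext.hasResults`, so a condition task on `${threatContext.hasResults}` equal to `true` after each lookup (or at least one at the end of the chain) would make the test actually assert something. The inputs are also fixed tenant-internal IDs (`signature_id: "84458"`, `campaign_id: "152"`, `CS_id: "6626263"`) plus live indicators, so the test silently depends on that data still existing on the vendor side; a sentence in the playbook `description` saying so would help whoever debugs a future failure. The leading `DeleteContext` task with `all: "yes"` is fine for a test playbook but should not be copied into a production one.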
@@ -0,0 +1,16 @@
+{
+ "name": "Blueliv ThreatContext",
+ "description": "The Threat Context module provides SOC, Incident Response and Threat Intelligence teams with continuously updated and intuitive information around threat actors, campaigns, malware indicators, attack patterns, tools, signatures and CVEs. Analysts can rapidly gather enriched, contextualized information to enhance cybersecurity processes before, during and after an attack.",
+ "support": "community",
+ "currentVersion": "1.0.0",
+ "author": "Trust Oylo",
+ "url": "",
+ "email": "demisto@trustoylo.com",
+ "created": "2020-06-08T15:37:54Z",
+ "categories": [
+ "Data Enrichment & Threat Intelligence"
+ ],
+ "tags": [],
+ "useCases": [],
+ "keywords": []
+}
\ No newline at end of file
diff --git a/Tests/conf.json b/Tests/conf.json
index fc3462cbfbd3..3f7b5b0a64bf 100644
--- a/Tests/conf.json
+++ b/Tests/conf.json
@@ -3038,6 +3038,7 @@
 "ExtraHop v2": "No instance",
 "Minerva Labs Anti-Evasion Platform": "Issue 18835",
 "PolySwarm": "contribution",
+ "Blueliv ThreatContext": "contribution",
 "Silverfort": "contribution",
 "fireeye": "Issue 19839",
 "DomainTools": "Issue 8298",
diff --git a/Tests/secrets_white_list.json b/Tests/secrets_white_list.json
index 083b1b22cecc..a86963e0212c 100644
--- a/Tests/secrets_white_list.json
+++ b/Tests/secrets_white_list.json
@@ -553,7 +553,9 @@
 "0.154.17.105",
 "104.218.120.128",
 "10.2.2.20",
- "122.8.170.14"
+ "122.8.170.14",
+ "103.76.228.28",
+ "25.20.116.113"
 ],
 "ipv6": [
 "2001:db8:1234:1a00::",
@@ -1820,6 +1822,8 @@
 "https://m2crypto.readthedocs.io",
 "https://raw.user.com",
 "platform.risksense",
+ "https://attack.mitre.org",
+ "https://mytenant.blueliv.com",
 "https://api.dehashed.com",
 "https://www.dehashed.com."
 ],
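Review bot: The added entry `"Blueliv ThreatContext": "contribution"` sits among entries whose values read like skip reasons (`"No instance"`, `"Issue 18835"`), so this appears to be the skipped-integrations list; if so, the `Blueliv_ThreatContext_test` playbook added in this same patch will never execute in CI and the conf.json change is what disables it. Either an instance should be configured so the new test runs, or the skip should be recorded as deliberate with a reason a future maintainer can act on, e.g. `"Blueliv ThreatContext": "contribution - no test instance available"`. I cannot see the enclosing key from this hunk, so please confirm which list this is before merging.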
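Review bot: The whitelisted URL `https://mytenant.blueliv.com` is a placeholder, but the README in this same patch embeds the contributor's real tenant hostname in its example links (`https://tctrustoylo.blueliv.com/api/v1/campaign/152/` and similar, visible in the README hunk above). Publishing a live tenant hostname in public documentation is unnecessary exposure; the README examples should be rewritten to the placeholder host before merge, after which this whitelist entry matches what the docs actually contain. The IPv4 and SHA-256 additions are the expected whitelisting of the test-playbook fixtures (`103.76.228.28` and the `ad53660b…` hash both appear in the playbook), though `25.20.116.113` does not appear in the playbook itself, so it is presumably used elsewhere in the pack.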
@@ -1861,7 +1865,8 @@
 "ebb031c3945e884e695dbc63c52a5efcd075375046c49729980073585ee13c52",
 "b2ac43820cdf8634e1a437b9723ec110513d3dd7a2f8d4fa3192babe3eaa4b8e",
 "2d8bb37078ff9efd02d9361975c9e625ae56bd8a8a65d50fc568341bc88392ae",
- "10676cf66244cfa91567fbc1a937f4cb19438338b35b69d4bcc2cf0d3a44af5e"
+ "10676cf66244cfa91567fbc1a937f4cb19438338b35b69d4bcc2cf0d3a44af5e",
+ "ad53660b6d7e8d2ed14bd59b39e1f265148e3c6818a494cce906e749976bade1"
 ],
 "ssdeep": [
 "48:uuHYx6sS1bioEX7gyLatSqAc8kHRgd5peJB80t9qeM:uuHYx6sS1bUJBqus8v9",
From 13c7c48f4d7ec4015a663e0a27aefc489945d6ed Mon Sep 17 00:00:00 2001
From: Dan Tavori <38749041+dantavori@users.noreply.github.com> Date: Sun, 12 Jul 2020 11:16:23 +0300 Subject: [PATCH 07/23] Move deprecated tests to noncircle dir (#7639) * skipping tpb * Revert "skipping tpb" This reverts commit 858f9a1b * - moved deprecated tests to be under NonCircleTests folder - removed them from conf.json and tests fields in the relevant yml files - TODO: Jira-CreateIssue-generic-Test * - Jira-CreateIssue-generic-Test - release notes * test fix for create artifacts * removed jira createissue example from conf * removed jira createissue example from tests field in script * reverted things in conf.json and jira * Jira RN * config back to last sdk release Co-authored-by: ybenshalom --- .../integration-CheckpointFirewall.yml | 1 - .../CheckpointFirewall/ReleaseNotes/1_1_0.md | 5 ++ Packs/CheckpointFirewall/pack_metadata.json | 2 +- .../Integrations/Cymon/Cymon.yml | 2 + .../Integrations/ExtraHop/ExtraHop.yml | 2 +- .../PaloAltoNetworksCortex.yml | 2 +- .../PaloAlto_MineMeld/PaloAlto_MineMeld.yml | 2 +- .../integration-AlienVaultOTX.yml | 2 +- .../Integrations/integration-Shodan.yml | 2 +- ...aybook-Account_Enrichment_-_Generic_v2.yml | 2 +- .../playbook-DBotCreatePhishingClassifier.yml | 2 +- ...aybook-DBotCreatePhishingClassifierJob.yml | 2 +- .../Playbooks/playbook-DeDup_incidents.yml | 2 +- .../Playbooks/playbook-Dedup_-_Generic.yml | 2 +- ...-Email_Address_Enrichment_-_Generic_v2.yml | 2 +- ...and_threat_detection_by_indicator_type.yml | 4 +- Packs/DeprecatedContent/ReleaseNotes/1_3_0.md | 32 +++++++ .../DBotPredictPhishingLabel.yml | 2 +- .../ProofpointDecodeURL.yml | 2 +- .../Scripts/script-BlockIP.yml | 2 +- .../Scripts/script-CPBlockIP.yml | 2 +- .../script-DBotPredictPhishingEvaluation.yml | 2 +- .../Scripts/script-DBotPredictTextLabel.yml | 2 +- .../script-DBotPreparePhishingData.yml | 2 +- .../script-DBotTrainTextClassifier.yml | 2 +- .../Scripts/script-PanoramaBlockIP.yml | 3 +- Packs/DeprecatedContent/pack_metadata.json | 2 +- 
Packs/Jira/ReleaseNotes/1_0_1.md | 5 ++ .../Scripts/script-JiraCreaetIssueGeneric.yml | 2 +- Packs/Jira/pack_metadata.json | 28 +++--- .../FindSimilarIncidents.yml | 4 +- .../Scripts/script-ReadPDFFile_4_0.yml | 2 +- ..._threat_detection_by_indicator_type_V2.yml | 2 +- .../ReleaseNotes/1_1_0.md | 5 ++ ...book-Account_Enrichment_-_Generic_Test.yml | 0 ...k-Account_Enrichment_-_Generic_v2_Test.yml | 0 .../playbook-AlienVaultOTX_Test.yml | 0 .../playbook-AlienVaultOTX_Test_CHANGELOG.md | 0 .../Deprecated}/playbook-BlockIP_test.yml | 0 .../playbook-BlockIP_test_CHANGELOG.md | 0 .../playbook-ContextGetters-Test.yml | 0 .../playbook-ContextGetters-Test_CHANGELOG.md | 0 .../Deprecated}/playbook-Cymon_Test.yml | 0 .../playbook-Cymon_Test_CHANGELOG.md | 0 .../playbook-Dedup_-_Generic_-_Test.yml | 0 ...aybook-Dedup_-_Generic_-_Test_CHANGELOG.md | 0 .../playbook-DocumentationTest.yml | 0 ...Address_Enrichment_-_Generic_v2_-_Test.yml | 0 ...ndpoint_Enrichment_-_Generic_v2_-_Test.yml | 0 .../Deprecated}/playbook-ExtraHop-Test.yml | 0 .../playbook-ExtraHop-Test_CHANGELOG.md | 0 .../Deprecated}/playbook-ExtractURL_Test.yml | 0 .../playbook-ExtractURL_Test_CHANGELOG.md | 0 .../playbook-Extract_Domain_Test.yml | 0 .../playbook-Extract_Domain_Test_CHANGELOG.md | 0 ...ok-Extract_Indicators_-_Generic_-_Test.yml | 0 ...t_Indicators_-_Generic_-_Test_CHANGELOG.md | 0 .../playbook-Indicator_Feed_-_Test.yml | 0 ...laybook-Indicator_Feed_-_Test_CHANGELOG.md | 0 ...playbook-Jira-CreateIssue-generic-Test.yml | 0 ...Jira-CreateIssue-generic-Test_CHANGELOG.md | 0 .../playbook-Lastline-test-playbook.yml | 0 ...aybook-Lastline-test-playbook_CHANGELOG.md | 0 .../Deprecated}/playbook-Minemeld_Test.yml | 0 .../playbook-Minemeld_Test_CHANGELOG.md | 0 ...hreat_detection_by_indicator_type_Test.yml | 0 ...laybook-Palo_Alto_Networks_Cortex_Test.yml | 0 ...alo_Alto_Networks_Cortex_Test_CHANGELOG.md | 0 .../playbook-PostgreSQL-Test_CHANGELOG.md | 0 .../playbook-ProofpointDecodeURL-Test.yml | 0 
...book-ProofpointDecodeURL-Test_CHANGELOG.md | 0 .../Deprecated}/playbook-ReadPDFFile_Test.yml | 0 .../playbook-ReadPDFFile_Test_CHANGELOG.md | 0 .../Deprecated}/playbook-Shodan-Test.yml | 0 .../playbook-Shodan-Test_CHANGELOG.md | 0 ...laybook-TestCreatePhishingClassifierML.yml | 0 .../playbook-Test_Similar_Incidents.yml | 0 Tests/conf.json | 87 +------------------ 78 files changed, 95 insertions(+), 129 deletions(-) create mode 100644 Packs/CheckpointFirewall/ReleaseNotes/1_1_0.md create mode 100644 Packs/DeprecatedContent/ReleaseNotes/1_3_0.md create mode 100644 Packs/Jira/ReleaseNotes/1_0_1.md create mode 100644 Packs/PANWComprehensiveInvestigation/ReleaseNotes/1_1_0.md rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-Account_Enrichment_-_Generic_Test.yml (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-Account_Enrichment_-_Generic_v2_Test.yml (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-AlienVaultOTX_Test.yml (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-AlienVaultOTX_Test_CHANGELOG.md (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-BlockIP_test.yml (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-BlockIP_test_CHANGELOG.md (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-ContextGetters-Test.yml (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-ContextGetters-Test_CHANGELOG.md (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-Cymon_Test.yml (100%) rename {Packs/DeprecatedContent/TestPlaybooks => 
TestPlaybooks/NonCircleTests/Deprecated}/playbook-Cymon_Test_CHANGELOG.md (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-Dedup_-_Generic_-_Test.yml (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-Dedup_-_Generic_-_Test_CHANGELOG.md (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-DocumentationTest.yml (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-Email_Address_Enrichment_-_Generic_v2_-_Test.yml (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-Endpoint_Enrichment_-_Generic_v2_-_Test.yml (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-ExtraHop-Test.yml (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-ExtraHop-Test_CHANGELOG.md (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-ExtractURL_Test.yml (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-ExtractURL_Test_CHANGELOG.md (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-Extract_Domain_Test.yml (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-Extract_Domain_Test_CHANGELOG.md (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-Extract_Indicators_-_Generic_-_Test.yml (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-Extract_Indicators_-_Generic_-_Test_CHANGELOG.md (100%) rename {Packs/DeprecatedContent/TestPlaybooks => 
TestPlaybooks/NonCircleTests/Deprecated}/playbook-Indicator_Feed_-_Test.yml (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-Indicator_Feed_-_Test_CHANGELOG.md (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-Jira-CreateIssue-generic-Test.yml (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-Jira-CreateIssue-generic-Test_CHANGELOG.md (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-Lastline-test-playbook.yml (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-Lastline-test-playbook_CHANGELOG.md (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-Minemeld_Test.yml (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-Minemeld_Test_CHANGELOG.md (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-PANW_-_Hunting_and_threat_detection_by_indicator_type_Test.yml (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-Palo_Alto_Networks_Cortex_Test.yml (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-Palo_Alto_Networks_Cortex_Test_CHANGELOG.md (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-PostgreSQL-Test_CHANGELOG.md (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-ProofpointDecodeURL-Test.yml (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-ProofpointDecodeURL-Test_CHANGELOG.md (100%) rename {Packs/DeprecatedContent/TestPlaybooks => 
TestPlaybooks/NonCircleTests/Deprecated}/playbook-ReadPDFFile_Test.yml (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-ReadPDFFile_Test_CHANGELOG.md (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-Shodan-Test.yml (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-Shodan-Test_CHANGELOG.md (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-TestCreatePhishingClassifierML.yml (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-Test_Similar_Incidents.yml (100%) diff --git a/Packs/CheckpointFirewall/Integrations/integration-CheckpointFirewall.yml b/Packs/CheckpointFirewall/Integrations/integration-CheckpointFirewall.yml index 443f54cd1e71..a6f3961a7cc6 100644 --- a/Packs/CheckpointFirewall/Integrations/integration-CheckpointFirewall.yml +++ b/Packs/CheckpointFirewall/Integrations/integration-CheckpointFirewall.yml @@ -944,5 +944,4 @@ script: description: Delete rule from firewall runonce: false tests: -- blockip_test_playbook - CheckpointFW-test diff --git a/Packs/CheckpointFirewall/ReleaseNotes/1_1_0.md b/Packs/CheckpointFirewall/ReleaseNotes/1_1_0.md new file mode 100644 index 000000000000..61c7c5f83633 --- /dev/null +++ b/Packs/CheckpointFirewall/ReleaseNotes/1_1_0.md @@ -0,0 +1,5 @@ + diff --git a/Packs/CheckpointFirewall/pack_metadata.json b/Packs/CheckpointFirewall/pack_metadata.json index 076cae73aea9..ac16fc914c8f 100644 --- a/Packs/CheckpointFirewall/pack_metadata.json +++ b/Packs/CheckpointFirewall/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Check Point Firewall", "description": "Manage Check Point firewall via API", "support": "xsoar", - "currentVersion": "1.0.3", + "currentVersion": "1.1.0", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", 
diff --git a/Packs/DeprecatedContent/Integrations/Cymon/Cymon.yml b/Packs/DeprecatedContent/Integrations/Cymon/Cymon.yml index 71472728efc6..c96fb4f5a459 100644 --- a/Packs/DeprecatedContent/Integrations/Cymon/Cymon.yml +++ b/Packs/DeprecatedContent/Integrations/Cymon/Cymon.yml @@ -111,3 +111,5 @@ script: script: '' type: python subtype: python2 +tests: + - No tests diff --git a/Packs/DeprecatedContent/Integrations/ExtraHop/ExtraHop.yml b/Packs/DeprecatedContent/Integrations/ExtraHop/ExtraHop.yml index 26db2061c43f..65936fd2310d 100644 --- a/Packs/DeprecatedContent/Integrations/ExtraHop/ExtraHop.yml +++ b/Packs/DeprecatedContent/Integrations/ExtraHop/ExtraHop.yml @@ -890,4 +890,4 @@ script: type: python subtype: python3 tests: -- ExtraHop-Test +- No tests diff --git a/Packs/DeprecatedContent/Integrations/PaloAltoNetworksCortex/PaloAltoNetworksCortex.yml b/Packs/DeprecatedContent/Integrations/PaloAltoNetworksCortex/PaloAltoNetworksCortex.yml index a55ebf4725ea..f497d978e3ea 100644 --- a/Packs/DeprecatedContent/Integrations/PaloAltoNetworksCortex/PaloAltoNetworksCortex.yml +++ b/Packs/DeprecatedContent/Integrations/PaloAltoNetworksCortex/PaloAltoNetworksCortex.yml @@ -1772,5 +1772,5 @@ script: type: python subtype: python3 tests: -- Palo Alto Networks Cortex Test +- No tests fromversion: 4.1.0 diff --git a/Packs/DeprecatedContent/Integrations/PaloAlto_MineMeld/PaloAlto_MineMeld.yml b/Packs/DeprecatedContent/Integrations/PaloAlto_MineMeld/PaloAlto_MineMeld.yml index 5acb4fe52ebf..c5f34db41daa 100644 --- a/Packs/DeprecatedContent/Integrations/PaloAlto_MineMeld/PaloAlto_MineMeld.yml +++ b/Packs/DeprecatedContent/Integrations/PaloAlto_MineMeld/PaloAlto_MineMeld.yml @@ -488,4 +488,4 @@ script: type: python subtype: python2 tests: -- minemeld_test +- No tests diff --git a/Packs/DeprecatedContent/Integrations/integration-AlienVaultOTX.yml b/Packs/DeprecatedContent/Integrations/integration-AlienVaultOTX.yml index 63a1b8170dea..de841fe0e07d 100644 
--- a/Packs/DeprecatedContent/Integrations/integration-AlienVaultOTX.yml +++ b/Packs/DeprecatedContent/Integrations/integration-AlienVaultOTX.yml @@ -461,4 +461,4 @@ script: runonce: false fromversion: 3.0.1 tests: - - AlienVaultOTX Test + - No tests diff --git a/Packs/DeprecatedContent/Integrations/integration-Shodan.yml b/Packs/DeprecatedContent/Integrations/integration-Shodan.yml index 15038b0b0377..49221175a08c 100644 --- a/Packs/DeprecatedContent/Integrations/integration-Shodan.yml +++ b/Packs/DeprecatedContent/Integrations/integration-Shodan.yml @@ -142,4 +142,4 @@ script: description: Returns all services that have been found on the given host IP. runonce: false tests: - - ShodanTest + - No tests diff --git a/Packs/DeprecatedContent/Playbooks/playbook-Account_Enrichment_-_Generic_v2.yml b/Packs/DeprecatedContent/Playbooks/playbook-Account_Enrichment_-_Generic_v2.yml index a1a7672c023f..0f2a88616805 100644 --- a/Packs/DeprecatedContent/Playbooks/playbook-Account_Enrichment_-_Generic_v2.yml +++ b/Packs/DeprecatedContent/Playbooks/playbook-Account_Enrichment_-_Generic_v2.yml @@ -238,4 +238,4 @@ outputs: description: The account's manager. type: string tests: - - Account Enrichment - Generic v2 - Test + - No tests diff --git a/Packs/DeprecatedContent/Playbooks/playbook-DBotCreatePhishingClassifier.yml b/Packs/DeprecatedContent/Playbooks/playbook-DBotCreatePhishingClassifier.yml index 4ad4042a7447..d28806cfef44 100644 --- a/Packs/DeprecatedContent/Playbooks/playbook-DBotCreatePhishingClassifier.yml +++ b/Packs/DeprecatedContent/Playbooks/playbook-DBotCreatePhishingClassifier.yml @@ -361,4 +361,4 @@ outputs: description: Model list name in Demisto fromversion: 4.1.0 tests: - - CreatePhishingClassifierMLTest \ No newline at end of file + - No tests diff --git a/Packs/DeprecatedContent/Playbooks/playbook-DBotCreatePhishingClassifierJob.yml b/Packs/DeprecatedContent/Playbooks/playbook-DBotCreatePhishingClassifierJob.yml index 52a9131c2d98..eb229c324f18 100644 
--- a/Packs/DeprecatedContent/Playbooks/playbook-DBotCreatePhishingClassifierJob.yml +++ b/Packs/DeprecatedContent/Playbooks/playbook-DBotCreatePhishingClassifierJob.yml @@ -185,4 +185,4 @@ inputs: [] outputs: [] fromversion: 4.1.0 tests: - - CreatePhishingClassifierMLTest \ No newline at end of file + - No tests diff --git a/Packs/DeprecatedContent/Playbooks/playbook-DeDup_incidents.yml b/Packs/DeprecatedContent/Playbooks/playbook-DeDup_incidents.yml index 91a9a5527ec9..a70d9e7cd3bf 100644 --- a/Packs/DeprecatedContent/Playbooks/playbook-DeDup_incidents.yml +++ b/Packs/DeprecatedContent/Playbooks/playbook-DeDup_incidents.yml @@ -196,4 +196,4 @@ outputs: - contextPath: isSimilarIncidentFound description: Is similar incident found? (true\false) tests: - - test_similar_incidents + - No tests diff --git a/Packs/DeprecatedContent/Playbooks/playbook-Dedup_-_Generic.yml b/Packs/DeprecatedContent/Playbooks/playbook-Dedup_-_Generic.yml index 088f4d379cb5..bb22e40a710d 100644 --- a/Packs/DeprecatedContent/Playbooks/playbook-Dedup_-_Generic.yml +++ b/Packs/DeprecatedContent/Playbooks/playbook-Dedup_-_Generic.yml @@ -381,4 +381,4 @@ outputs: description: The similar incident. type: unknown tests: - - dedup_-_generic_-_test + - No tests diff --git a/Packs/DeprecatedContent/Playbooks/playbook-Email_Address_Enrichment_-_Generic_v2.yml b/Packs/DeprecatedContent/Playbooks/playbook-Email_Address_Enrichment_-_Generic_v2.yml index f5f0fa568a29..d1263dba2e85 100644 --- a/Packs/DeprecatedContent/Playbooks/playbook-Email_Address_Enrichment_-_Generic_v2.yml +++ b/Packs/DeprecatedContent/Playbooks/playbook-Email_Address_Enrichment_-_Generic_v2.yml @@ -622,4 +622,4 @@ outputs: description: The DBot score. type: number tests: - - Email Address Enrichment - Generic v2 - Test + - No tests 
diff --git a/Packs/DeprecatedContent/Playbooks/playbook-PANW_-_Hunting_and_threat_detection_by_indicator_type.yml b/Packs/DeprecatedContent/Playbooks/playbook-PANW_-_Hunting_and_threat_detection_by_indicator_type.yml index 801122d458ef..31df28bfe808 100644 --- a/Packs/DeprecatedContent/Playbooks/playbook-PANW_-_Hunting_and_threat_detection_by_indicator_type.yml +++ b/Packs/DeprecatedContent/Playbooks/playbook-PANW_-_Hunting_and_threat_detection_by_indicator_type.yml @@ -1536,7 +1536,7 @@ tasks: type: condition task: id: 7c07c4aa-f0d0-4b3f-8066-06638dc7dd4d - description: Is Cortex Data Lake enabled? + description: Is Cortex Data Lake enabled? version: -1 name: Is Cortex Data Lake enabled? type: condition @@ -3479,4 +3479,4 @@ outputs: type: string tests: -- PANW - Hunting and threat detection by indicator type Test +- No tests diff --git a/Packs/DeprecatedContent/ReleaseNotes/1_3_0.md b/Packs/DeprecatedContent/ReleaseNotes/1_3_0.md new file mode 100644 index 000000000000..33cd9e03bef1 --- /dev/null +++ b/Packs/DeprecatedContent/ReleaseNotes/1_3_0.md @@ -0,0 +1,32 @@ + diff --git a/Packs/DeprecatedContent/Scripts/DBotPredictPhishingLabel/DBotPredictPhishingLabel.yml b/Packs/DeprecatedContent/Scripts/DBotPredictPhishingLabel/DBotPredictPhishingLabel.yml index 493b92bcd1f8..1eadbe2702af 100644 --- a/Packs/DeprecatedContent/Scripts/DBotPredictPhishingLabel/DBotPredictPhishingLabel.yml +++ b/Packs/DeprecatedContent/Scripts/DBotPredictPhishingLabel/DBotPredictPhishingLabel.yml @@ -60,5 +60,5 @@ deprecated: true dockerimage: demisto/dl:1.1 runonce: false tests: -- CreatePhishingClassifierMLTest +- No tests fromversion: 4.1.0 diff --git a/Packs/DeprecatedContent/Scripts/ProofpointDecodeURL/ProofpointDecodeURL.yml b/Packs/DeprecatedContent/Scripts/ProofpointDecodeURL/ProofpointDecodeURL.yml index 31cb7f28e1d6..25d79290404f 100644 --- a/Packs/DeprecatedContent/Scripts/ProofpointDecodeURL/ProofpointDecodeURL.yml 
+++ b/Packs/DeprecatedContent/Scripts/ProofpointDecodeURL/ProofpointDecodeURL.yml @@ -18,5 +18,5 @@ outputs: description: Decoded URLs scripttarget: 0 tests: - - ProofpointDecodeURL-Test + - No tests deprecated: true diff --git a/Packs/DeprecatedContent/Scripts/script-BlockIP.yml b/Packs/DeprecatedContent/Scripts/script-BlockIP.yml index 76e8657251e8..7e6704d1deec 100644 --- a/Packs/DeprecatedContent/Scripts/script-BlockIP.yml +++ b/Packs/DeprecatedContent/Scripts/script-BlockIP.yml @@ -66,4 +66,4 @@ dependson: - panorama - checkpoint tests: -- blockip_test_playbook +- No tests diff --git a/Packs/DeprecatedContent/Scripts/script-CPBlockIP.yml b/Packs/DeprecatedContent/Scripts/script-CPBlockIP.yml index 632891d2baf9..bdb51059cc74 100644 --- a/Packs/DeprecatedContent/Scripts/script-CPBlockIP.yml +++ b/Packs/DeprecatedContent/Scripts/script-CPBlockIP.yml @@ -104,4 +104,4 @@ dependson: must: - checkpoint tests: -- blockip_test_playbook \ No newline at end of file +- No tests diff --git a/Packs/DeprecatedContent/Scripts/script-DBotPredictPhishingEvaluation.yml b/Packs/DeprecatedContent/Scripts/script-DBotPredictPhishingEvaluation.yml index d285ee817e69..b68d7e4eb1fb 100644 --- a/Packs/DeprecatedContent/Scripts/script-DBotPredictPhishingEvaluation.yml +++ b/Packs/DeprecatedContent/Scripts/script-DBotPredictPhishingEvaluation.yml @@ -163,4 +163,4 @@ dockerimage: demisto/dl:1.1 deprecated: true fromversion: 4.1.0 tests: - - CreatePhishingClassifierMLTest + - No tests diff --git a/Packs/DeprecatedContent/Scripts/script-DBotPredictTextLabel.yml b/Packs/DeprecatedContent/Scripts/script-DBotPredictTextLabel.yml index 80a3b48c830c..49887e089ebe 100644 --- a/Packs/DeprecatedContent/Scripts/script-DBotPredictTextLabel.yml +++ b/Packs/DeprecatedContent/Scripts/script-DBotPredictTextLabel.yml @@ -107,4 +107,4 @@ dockerimage: demisto/dl:1.1 deprecated: true fromversion: 4.1.0 tests: - - CreatePhishingClassifierMLTest + - No tests 
diff --git a/Packs/DeprecatedContent/Scripts/script-DBotPreparePhishingData.yml b/Packs/DeprecatedContent/Scripts/script-DBotPreparePhishingData.yml index 030ebf5126dd..009becc7ddbe 100644 --- a/Packs/DeprecatedContent/Scripts/script-DBotPreparePhishingData.yml +++ b/Packs/DeprecatedContent/Scripts/script-DBotPreparePhishingData.yml @@ -222,4 +222,4 @@ dockerimage: demisto/dl:1.1 deprecated: true fromversion: 4.1.0 tests: - - CreatePhishingClassifierMLTest + - No tests diff --git a/Packs/DeprecatedContent/Scripts/script-DBotTrainTextClassifier.yml b/Packs/DeprecatedContent/Scripts/script-DBotTrainTextClassifier.yml index 9eb29956af35..5057dce8d3b4 100644 --- a/Packs/DeprecatedContent/Scripts/script-DBotTrainTextClassifier.yml +++ b/Packs/DeprecatedContent/Scripts/script-DBotTrainTextClassifier.yml @@ -118,4 +118,4 @@ dockerimage: demisto/dl:1.1 deprecated: true fromversion: 4.1.0 tests: - - CreatePhishingClassifierMLTest \ No newline at end of file + - No tests diff --git a/Packs/DeprecatedContent/Scripts/script-PanoramaBlockIP.yml b/Packs/DeprecatedContent/Scripts/script-PanoramaBlockIP.yml index e95f99e5f328..5b33afc4a140 100644 --- a/Packs/DeprecatedContent/Scripts/script-PanoramaBlockIP.yml +++ b/Packs/DeprecatedContent/Scripts/script-PanoramaBlockIP.yml @@ -91,5 +91,4 @@ dependson: must: - panorama tests: -- palo_alto_firewall_test_pb -- blockip_test_playbook \ No newline at end of file +- No tests diff --git a/Packs/DeprecatedContent/pack_metadata.json b/Packs/DeprecatedContent/pack_metadata.json index afd3604e0c22..d80edbb28466 100644 --- a/Packs/DeprecatedContent/pack_metadata.json +++ b/Packs/DeprecatedContent/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Deprecated Content", "description": "Deprecated Cortex XSOAR content pack.", "support": "xsoar", - "currentVersion": "1.2.0", + "currentVersion": "1.3.0", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", 
diff --git a/Packs/Jira/ReleaseNotes/1_0_1.md b/Packs/Jira/ReleaseNotes/1_0_1.md new file mode 100644 index 000000000000..dd3dccef2f5a --- /dev/null +++ b/Packs/Jira/ReleaseNotes/1_0_1.md @@ -0,0 +1,5 @@ + diff --git a/Packs/Jira/Scripts/script-JiraCreaetIssueGeneric.yml b/Packs/Jira/Scripts/script-JiraCreaetIssueGeneric.yml index ae44ec1a2deb..cedd43f06ab6 100644 --- a/Packs/Jira/Scripts/script-JiraCreaetIssueGeneric.yml +++ b/Packs/Jira/Scripts/script-JiraCreaetIssueGeneric.yml @@ -94,4 +94,4 @@ dependson: - jira-delete-issue runonce: false tests: - - JiraCreateIssue-example-test \ No newline at end of file + - No tests diff --git a/Packs/Jira/pack_metadata.json b/Packs/Jira/pack_metadata.json index 05ca2df52049..3f650ad4a0f6 100644 --- a/Packs/Jira/pack_metadata.json +++ b/Packs/Jira/pack_metadata.json @@ -1,16 +1,16 @@ { - "name": "Atlassian Jira", - "description": "Use the Jira integration to manage issues and create Demisto incidents from projects.", - "support": "xsoar", - "currentVersion": "1.0.0", - "author": "Cortex XSOAR", - "url": "https://www.paloaltonetworks.com/cortex", - "email": "", - "created": "2020-04-14T00:00:00Z", - "categories": [ - "Case Management" - ], - "tags": [], - "useCases": [], - "keywords": [] + "name": "Atlassian Jira", + "description": "Use the Jira integration to manage issues and create Demisto incidents from projects.", + "support": "xsoar", + "currentVersion": "1.0.1", + "author": "Cortex XSOAR", + "url": "https://www.paloaltonetworks.com/cortex", + "email": "", + "created": "2020-04-14T00:00:00Z", + "categories": [ + "Case Management" + ], + "tags": [], + "useCases": [], + "keywords": [] } diff --git a/Packs/NonSupported/Scripts/FindSimilarIncidents/FindSimilarIncidents.yml b/Packs/NonSupported/Scripts/FindSimilarIncidents/FindSimilarIncidents.yml index c9a496e263e1..ef23061f7598 100644 --- a/Packs/NonSupported/Scripts/FindSimilarIncidents/FindSimilarIncidents.yml 
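Review bot: `- No tests` on Packs/Jira/Scripts/script-JiraCreaetIssueGeneric.yml drops CI coverage for a script in a pack whose metadata in this same commit says `"support": "xsoar"`, unlike the DeprecatedContent files that receive the same edit. The commit message itself lists `Jira-CreateIssue-generic-Test` as a TODO and the test playbook is only moved to TestPlaybooks/NonCircleTests/Deprecated, so nothing will run against this script after the merge. Keep a `tests:` entry that points at a test which still runs in CI, or record the dropped coverage in the new 1_0_1 release note so the gap is visible rather than silent.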
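Review bot: Every line of Packs/Jira/pack_metadata.json is rewritten in the `@@ -1,16 +1,16 @@` hunk although only `currentVersion` changes from 1.0.0 to 1.0.1, which looks like an indentation or line-ending change riding along with the bump. Reformatting the whole file hides the one meaningful line in review and will reappear as noise the next time a tool rewrites the file. Limit the hunk to `"currentVersion": "1.0.1",` or put the reformat in its own commit.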
+++ b/Packs/NonSupported/Scripts/FindSimilarIncidents/FindSimilarIncidents.yml @@ -146,5 +146,5 @@ type: python subtype: python2 runonce: false tests: -- dedup_-_generic_-_test -toversion: 4.1.0 \ No newline at end of file +- No tests +toversion: 4.1.0 diff --git a/Packs/NonSupported/Scripts/script-ReadPDFFile_4_0.yml b/Packs/NonSupported/Scripts/script-ReadPDFFile_4_0.yml index e45d58ec2e80..11dcb8752296 100644 --- a/Packs/NonSupported/Scripts/script-ReadPDFFile_4_0.yml +++ b/Packs/NonSupported/Scripts/script-ReadPDFFile_4_0.yml @@ -143,4 +143,4 @@ scripttarget: 0 runonce: false dockerimage: demisto/pdfx tests: - - ReadPDFFile-Test + - No tests diff --git a/Packs/PANWComprehensiveInvestigation/Playbooks/PANW_-_Hunting_and_threat_detection_by_indicator_type_V2.yml b/Packs/PANWComprehensiveInvestigation/Playbooks/PANW_-_Hunting_and_threat_detection_by_indicator_type_V2.yml index b0d3436f4934..40bdedb3cbfc 100644 --- a/Packs/PANWComprehensiveInvestigation/Playbooks/PANW_-_Hunting_and_threat_detection_by_indicator_type_V2.yml +++ b/Packs/PANWComprehensiveInvestigation/Playbooks/PANW_-_Hunting_and_threat_detection_by_indicator_type_V2.yml @@ -3435,4 +3435,4 @@ outputs: description: External host names detected based on fields and inputs in your search. type: string tests: -- PANW - Hunting and threat detection by indicator type Test +- No tests diff --git a/Packs/PANWComprehensiveInvestigation/ReleaseNotes/1_1_0.md b/Packs/PANWComprehensiveInvestigation/ReleaseNotes/1_1_0.md new file mode 100644 index 000000000000..708f689d0b7d --- /dev/null +++ b/Packs/PANWComprehensiveInvestigation/ReleaseNotes/1_1_0.md @@ -0,0 +1,5 @@ + 
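Review bot: Replacing `- PANW - Hunting and threat detection by indicator type Test` with `- No tests` on the V2 playbook in Packs/PANWComprehensiveInvestigation removes the only test reference from a playbook that, judging by its pack, is not deprecated; the V1 copy in Packs/DeprecatedContent gets the same edit, but for V2 this leaves supported content without CI coverage after the merge. The shared test playbook is moved to TestPlaybooks/NonCircleTests/Deprecated in this commit, so it would not run anyway. If V2 is meant to stay tested, reference a V2-specific test playbook here; otherwise the new 1_1_0 release note should state that test coverage was dropped.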
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-Account_Enrichment_-_Generic_Test.yml b/TestPlaybooks/NonCircleTests/Deprecated/playbook-Account_Enrichment_-_Generic_Test.yml similarity index 100% rename from Packs/DeprecatedContent/TestPlaybooks/playbook-Account_Enrichment_-_Generic_Test.yml rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-Account_Enrichment_-_Generic_Test.yml diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-Account_Enrichment_-_Generic_v2_Test.yml b/TestPlaybooks/NonCircleTests/Deprecated/playbook-Account_Enrichment_-_Generic_v2_Test.yml similarity index 100% rename from Packs/DeprecatedContent/TestPlaybooks/playbook-Account_Enrichment_-_Generic_v2_Test.yml rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-Account_Enrichment_-_Generic_v2_Test.yml diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-AlienVaultOTX_Test.yml b/TestPlaybooks/NonCircleTests/Deprecated/playbook-AlienVaultOTX_Test.yml similarity index 100% rename from Packs/DeprecatedContent/TestPlaybooks/playbook-AlienVaultOTX_Test.yml rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-AlienVaultOTX_Test.yml diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-AlienVaultOTX_Test_CHANGELOG.md b/TestPlaybooks/NonCircleTests/Deprecated/playbook-AlienVaultOTX_Test_CHANGELOG.md similarity index 100% rename from Packs/DeprecatedContent/TestPlaybooks/playbook-AlienVaultOTX_Test_CHANGELOG.md rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-AlienVaultOTX_Test_CHANGELOG.md diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-BlockIP_test.yml b/TestPlaybooks/NonCircleTests/Deprecated/playbook-BlockIP_test.yml similarity index 100% rename from Packs/DeprecatedContent/TestPlaybooks/playbook-BlockIP_test.yml rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-BlockIP_test.yml 
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-BlockIP_test_CHANGELOG.md b/TestPlaybooks/NonCircleTests/Deprecated/playbook-BlockIP_test_CHANGELOG.md similarity index 100% rename from Packs/DeprecatedContent/TestPlaybooks/playbook-BlockIP_test_CHANGELOG.md rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-BlockIP_test_CHANGELOG.md diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-ContextGetters-Test.yml b/TestPlaybooks/NonCircleTests/Deprecated/playbook-ContextGetters-Test.yml similarity index 100% rename from Packs/DeprecatedContent/TestPlaybooks/playbook-ContextGetters-Test.yml rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-ContextGetters-Test.yml diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-ContextGetters-Test_CHANGELOG.md b/TestPlaybooks/NonCircleTests/Deprecated/playbook-ContextGetters-Test_CHANGELOG.md similarity index 100% rename from Packs/DeprecatedContent/TestPlaybooks/playbook-ContextGetters-Test_CHANGELOG.md rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-ContextGetters-Test_CHANGELOG.md diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-Cymon_Test.yml b/TestPlaybooks/NonCircleTests/Deprecated/playbook-Cymon_Test.yml similarity index 100% rename from Packs/DeprecatedContent/TestPlaybooks/playbook-Cymon_Test.yml rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-Cymon_Test.yml diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-Cymon_Test_CHANGELOG.md b/TestPlaybooks/NonCircleTests/Deprecated/playbook-Cymon_Test_CHANGELOG.md similarity index 100% rename from Packs/DeprecatedContent/TestPlaybooks/playbook-Cymon_Test_CHANGELOG.md rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-Cymon_Test_CHANGELOG.md 
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-Dedup_-_Generic_-_Test.yml b/TestPlaybooks/NonCircleTests/Deprecated/playbook-Dedup_-_Generic_-_Test.yml similarity index 100% rename from Packs/DeprecatedContent/TestPlaybooks/playbook-Dedup_-_Generic_-_Test.yml rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-Dedup_-_Generic_-_Test.yml diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-Dedup_-_Generic_-_Test_CHANGELOG.md b/TestPlaybooks/NonCircleTests/Deprecated/playbook-Dedup_-_Generic_-_Test_CHANGELOG.md similarity index 100% rename from Packs/DeprecatedContent/TestPlaybooks/playbook-Dedup_-_Generic_-_Test_CHANGELOG.md rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-Dedup_-_Generic_-_Test_CHANGELOG.md diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-DocumentationTest.yml b/TestPlaybooks/NonCircleTests/Deprecated/playbook-DocumentationTest.yml similarity index 100% rename from Packs/DeprecatedContent/TestPlaybooks/playbook-DocumentationTest.yml rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-DocumentationTest.yml diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-Email_Address_Enrichment_-_Generic_v2_-_Test.yml b/TestPlaybooks/NonCircleTests/Deprecated/playbook-Email_Address_Enrichment_-_Generic_v2_-_Test.yml similarity index 100% rename from Packs/DeprecatedContent/TestPlaybooks/playbook-Email_Address_Enrichment_-_Generic_v2_-_Test.yml rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-Email_Address_Enrichment_-_Generic_v2_-_Test.yml diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-Endpoint_Enrichment_-_Generic_v2_-_Test.yml b/TestPlaybooks/NonCircleTests/Deprecated/playbook-Endpoint_Enrichment_-_Generic_v2_-_Test.yml similarity index 100% rename from Packs/DeprecatedContent/TestPlaybooks/playbook-Endpoint_Enrichment_-_Generic_v2_-_Test.yml rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-Endpoint_Enrichment_-_Generic_v2_-_Test.yml 
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-ExtraHop-Test.yml b/TestPlaybooks/NonCircleTests/Deprecated/playbook-ExtraHop-Test.yml
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-ExtraHop-Test.yml
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-ExtraHop-Test.yml
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-ExtraHop-Test_CHANGELOG.md b/TestPlaybooks/NonCircleTests/Deprecated/playbook-ExtraHop-Test_CHANGELOG.md
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-ExtraHop-Test_CHANGELOG.md
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-ExtraHop-Test_CHANGELOG.md
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-ExtractURL_Test.yml b/TestPlaybooks/NonCircleTests/Deprecated/playbook-ExtractURL_Test.yml
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-ExtractURL_Test.yml
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-ExtractURL_Test.yml
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-ExtractURL_Test_CHANGELOG.md b/TestPlaybooks/NonCircleTests/Deprecated/playbook-ExtractURL_Test_CHANGELOG.md
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-ExtractURL_Test_CHANGELOG.md
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-ExtractURL_Test_CHANGELOG.md
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-Extract_Domain_Test.yml b/TestPlaybooks/NonCircleTests/Deprecated/playbook-Extract_Domain_Test.yml
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-Extract_Domain_Test.yml
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-Extract_Domain_Test.yml
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-Extract_Domain_Test_CHANGELOG.md b/TestPlaybooks/NonCircleTests/Deprecated/playbook-Extract_Domain_Test_CHANGELOG.md
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-Extract_Domain_Test_CHANGELOG.md
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-Extract_Domain_Test_CHANGELOG.md
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-Extract_Indicators_-_Generic_-_Test.yml b/TestPlaybooks/NonCircleTests/Deprecated/playbook-Extract_Indicators_-_Generic_-_Test.yml
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-Extract_Indicators_-_Generic_-_Test.yml
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-Extract_Indicators_-_Generic_-_Test.yml
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-Extract_Indicators_-_Generic_-_Test_CHANGELOG.md b/TestPlaybooks/NonCircleTests/Deprecated/playbook-Extract_Indicators_-_Generic_-_Test_CHANGELOG.md
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-Extract_Indicators_-_Generic_-_Test_CHANGELOG.md
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-Extract_Indicators_-_Generic_-_Test_CHANGELOG.md
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-Indicator_Feed_-_Test.yml b/TestPlaybooks/NonCircleTests/Deprecated/playbook-Indicator_Feed_-_Test.yml
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-Indicator_Feed_-_Test.yml
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-Indicator_Feed_-_Test.yml
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-Indicator_Feed_-_Test_CHANGELOG.md b/TestPlaybooks/NonCircleTests/Deprecated/playbook-Indicator_Feed_-_Test_CHANGELOG.md
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-Indicator_Feed_-_Test_CHANGELOG.md
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-Indicator_Feed_-_Test_CHANGELOG.md
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-Jira-CreateIssue-generic-Test.yml b/TestPlaybooks/NonCircleTests/Deprecated/playbook-Jira-CreateIssue-generic-Test.yml
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-Jira-CreateIssue-generic-Test.yml
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-Jira-CreateIssue-generic-Test.yml
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-Jira-CreateIssue-generic-Test_CHANGELOG.md b/TestPlaybooks/NonCircleTests/Deprecated/playbook-Jira-CreateIssue-generic-Test_CHANGELOG.md
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-Jira-CreateIssue-generic-Test_CHANGELOG.md
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-Jira-CreateIssue-generic-Test_CHANGELOG.md
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-Lastline-test-playbook.yml b/TestPlaybooks/NonCircleTests/Deprecated/playbook-Lastline-test-playbook.yml
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-Lastline-test-playbook.yml
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-Lastline-test-playbook.yml
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-Lastline-test-playbook_CHANGELOG.md b/TestPlaybooks/NonCircleTests/Deprecated/playbook-Lastline-test-playbook_CHANGELOG.md
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-Lastline-test-playbook_CHANGELOG.md
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-Lastline-test-playbook_CHANGELOG.md
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-Minemeld_Test.yml b/TestPlaybooks/NonCircleTests/Deprecated/playbook-Minemeld_Test.yml
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-Minemeld_Test.yml
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-Minemeld_Test.yml
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-Minemeld_Test_CHANGELOG.md b/TestPlaybooks/NonCircleTests/Deprecated/playbook-Minemeld_Test_CHANGELOG.md
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-Minemeld_Test_CHANGELOG.md
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-Minemeld_Test_CHANGELOG.md
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-PANW_-_Hunting_and_threat_detection_by_indicator_type_Test.yml b/TestPlaybooks/NonCircleTests/Deprecated/playbook-PANW_-_Hunting_and_threat_detection_by_indicator_type_Test.yml
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-PANW_-_Hunting_and_threat_detection_by_indicator_type_Test.yml
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-PANW_-_Hunting_and_threat_detection_by_indicator_type_Test.yml
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-Palo_Alto_Networks_Cortex_Test.yml b/TestPlaybooks/NonCircleTests/Deprecated/playbook-Palo_Alto_Networks_Cortex_Test.yml
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-Palo_Alto_Networks_Cortex_Test.yml
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-Palo_Alto_Networks_Cortex_Test.yml
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-Palo_Alto_Networks_Cortex_Test_CHANGELOG.md b/TestPlaybooks/NonCircleTests/Deprecated/playbook-Palo_Alto_Networks_Cortex_Test_CHANGELOG.md
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-Palo_Alto_Networks_Cortex_Test_CHANGELOG.md
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-Palo_Alto_Networks_Cortex_Test_CHANGELOG.md
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-PostgreSQL-Test_CHANGELOG.md b/TestPlaybooks/NonCircleTests/Deprecated/playbook-PostgreSQL-Test_CHANGELOG.md
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-PostgreSQL-Test_CHANGELOG.md
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-PostgreSQL-Test_CHANGELOG.md
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-ProofpointDecodeURL-Test.yml b/TestPlaybooks/NonCircleTests/Deprecated/playbook-ProofpointDecodeURL-Test.yml
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-ProofpointDecodeURL-Test.yml
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-ProofpointDecodeURL-Test.yml
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-ProofpointDecodeURL-Test_CHANGELOG.md b/TestPlaybooks/NonCircleTests/Deprecated/playbook-ProofpointDecodeURL-Test_CHANGELOG.md
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-ProofpointDecodeURL-Test_CHANGELOG.md
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-ProofpointDecodeURL-Test_CHANGELOG.md
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-ReadPDFFile_Test.yml b/TestPlaybooks/NonCircleTests/Deprecated/playbook-ReadPDFFile_Test.yml
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-ReadPDFFile_Test.yml
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-ReadPDFFile_Test.yml
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-ReadPDFFile_Test_CHANGELOG.md b/TestPlaybooks/NonCircleTests/Deprecated/playbook-ReadPDFFile_Test_CHANGELOG.md
similarity index 100%
rename from Packs/DeprecatedContent/TestPlaybooks/playbook-ReadPDFFile_Test_CHANGELOG.md
rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-ReadPDFFile_Test_CHANGELOG.md
diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-Shodan-Test.yml b/TestPlaybooks/NonCircleTests/Deprecated/playbook-Shodan-Test.yml similarity index 100% rename from Packs/DeprecatedContent/TestPlaybooks/playbook-Shodan-Test.yml rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-Shodan-Test.yml diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-Shodan-Test_CHANGELOG.md b/TestPlaybooks/NonCircleTests/Deprecated/playbook-Shodan-Test_CHANGELOG.md similarity index 100% rename from Packs/DeprecatedContent/TestPlaybooks/playbook-Shodan-Test_CHANGELOG.md rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-Shodan-Test_CHANGELOG.md diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-TestCreatePhishingClassifierML.yml b/TestPlaybooks/NonCircleTests/Deprecated/playbook-TestCreatePhishingClassifierML.yml similarity index 100% rename from Packs/DeprecatedContent/TestPlaybooks/playbook-TestCreatePhishingClassifierML.yml rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-TestCreatePhishingClassifierML.yml diff --git a/Packs/DeprecatedContent/TestPlaybooks/playbook-Test_Similar_Incidents.yml b/TestPlaybooks/NonCircleTests/Deprecated/playbook-Test_Similar_Incidents.yml similarity index 100% rename from Packs/DeprecatedContent/TestPlaybooks/playbook-Test_Similar_Incidents.yml rename to TestPlaybooks/NonCircleTests/Deprecated/playbook-Test_Similar_Incidents.yml diff --git a/Tests/conf.json b/Tests/conf.json index 3f7b5b0a64bf..eeb7645fa7f7 100644 --- a/Tests/conf.json +++ b/Tests/conf.json @@ -371,10 +371,6 @@ "integrations": "Akamai WAF SIEM", "playbookID": "Akamai_WAF_SIEM-Test" }, - { - "integrations": "AlienVault OTX", - "playbookID": "AlienVaultOTX Test" - }, { "integrations": "Cofense Triage v2", "playbookID": "Cofense Triage v2 Test" 
@@ -427,9 +423,6 @@ "integrations": "RSA NetWitness Packets and Logs", "playbookID": "rsa_packets_and_logs_test" }, - { - "playbookID": "test_similar_incidents" - }, { "playbookID": "CheckpointFW-test", "integrations": "Check Point" @@ -443,10 +436,6 @@ { "playbookID": "RandomStringGenerateTest" }, - { - "playbookID": "DocumentationTest", - "integrations": "ipinfo" - }, { "playbookID": "playbook-checkEmailAuthenticity-test" }, @@ -534,10 +523,6 @@ "integrations": "ServiceNow", "playbookID": "servicenow_test_new" }, - { - "integrations": "ExtraHop", - "playbookID": "ExtraHop-Test" - }, { "integrations": "ExtraHop v2", "playbookID": "ExtraHop_v2-Test" @@ -572,14 +557,6 @@ "integrations": "Attivo Botsink", "playbookID": "AttivoBotsinkTest" }, - { - "playbookID": "CreatePhishingClassifierMLTest", - "timeout": 2400 - }, - { - "integrations": "Cymon", - "playbookID": "playbook-Cymon_Test" - }, { "integrations": "FortiGate", "playbookID": "Fortigate Test" @@ -630,9 +607,6 @@ "playbookID": "CreateEmailHtmlBody_test_pb", "fromversion": "4.1.0" }, - { - "playbookID": "ReadPDFFile-Test" - }, { "playbookID": "ReadPDFFileV2-Test", "timeout": 1000 @@ -822,18 +796,6 @@ { "playbookID": "Detonate File - No Files test" }, - { - "integrations": [ - "Panorama", - "Check Point" - ], - "instance_names": "palo_alto_firewall", - "playbookID": "blockip_test_playbook" - }, - { - "integrations": "Palo Alto Minemeld", - "playbookID": "minemeld_test" - }, { "integrations": "SentinelOne V2", "playbookID": "SentinelOne V2 - test" @@ -962,11 +924,6 @@ "integrations": "ThreatExchange", "playbookID": "ThreatExchange-test" }, - { - "integrations": "ThreatExchange", - "playbookID": "extract_indicators_-_generic_-_test", - "timeout": 240 - }, { "integrations": "Joe Security", "playbookID": "JoeSecurityTestPlaybook", 
@@ -1066,13 +1023,6 @@ "playbookID": "Test IP Indicator Fields", "fromversion": "5.0.0" }, - { - "integrations": "Shodan", - "playbookID": "ShodanTest" - }, - { - "playbookID": "dedup_-_generic_-_test" - }, { "playbookID": "Dedup - Generic v2 - Test", "fromversion": "5.0.0" @@ -1111,9 +1061,6 @@ "integrations": "FalconIntel", "playbookID": "CrowdStrike Falcon Intel v2" }, - { - "playbookID": "ContextGetters_Test" - }, { "integrations": [ "Mail Sender (New)", @@ -1241,10 +1188,6 @@ "integrations": "Rasterize", "timeout": 240 }, - { - "integrations": "activedir", - "playbookID": "account_enrichment_-_generic_test" - }, { "integrations": "FalconHost", "playbookID": "search_endpoints_by_hash_-_crowdstrike_-_test", @@ -1296,9 +1239,6 @@ "integrations": "jira", "playbookID": "VerifyHumanReadableFormat" }, - { - "playbookID": "ExtractURL Test" - }, { "playbookID": "strings-test" }, @@ -1372,10 +1312,6 @@ "integrations": "TCPIPUtils", "playbookID": "TCPUtils-Test" }, - { - "playbookID": "ProofpointDecodeURL-Test", - "timeout": 300 - }, { "playbookID": "listExecutedCommands-Test" }, @@ -1407,9 +1343,6 @@ { "playbookID": "UnzipFile-Test" }, - { - "playbookID": "ExtractDomainTest" - }, { "playbookID": "Test-IsMaliciousIndicatorFound", "fromversion": "5.0.0" @@ -1731,10 +1664,6 @@ "playbookID": "AbuseIPDB PopulateIndicators Test", "nightly": true }, - { - "integrations": "jira", - "playbookID": "JiraCreateIssue-example-test" - }, { "integrations": "LogRhythm", "playbookID": "LogRhythm-Test-Playbook", @@ -1970,9 +1899,6 @@ "integrations": "mysql", "playbookID": "MySQL Test" }, - { - "playbookID": "Email Address Enrichment - Generic v2 - Test" - }, { "playbookID": "Email Address Enrichment - Generic v2.1 - Test", "integrations": "Active Directory Query v2", @@ -2125,6 +2051,9 @@ { "playbookID": "CheckDockerImageAvailableTest" }, + { + "playbookID": "ExtractDomainFromEmailTest" + }, { "playbookID": "Account Enrichment - Generic v2 - Test", "integrations": "activedir" 
@@ -2214,11 +2143,6 @@ "integrations": "Zoom", "playbookID": "Zoom_Test" }, - { - "integrations": "Palo Alto Networks Cortex", - "playbookID": "Palo Alto Networks Cortex Test", - "fromversion": "4.1.0" - }, { "playbookID": "IP Enrichment - Generic v2 - Test", "integrations": "Threat Crowd", @@ -2635,10 +2559,6 @@ "integrations": "PaloAltoNetworks_PrismaCloudCompute", "playbookID": "PaloAltoNetworks_PrismaCloudCompute-Test" }, - { - "playbookID": "Indicator Feed - Test", - "fromversion": "5.5.0" - }, { "integrations": "Recorded Future Feed", "playbookID": "RecordedFutureFeed - Test", @@ -2960,7 +2880,6 @@ "NetWitness Endpoint Test": "Issue 19878", "TestUptycs": "Issue 19750", "InfoArmorVigilanteATITest": "Test issue 17358", - "Lastline - testplaybook": "Checking the integration via Generic detonation playbooks, don't want to load the daily quota", "ArcSight Logger test": "Issue 19117", "TruSTAR Test": "Issue 19777", "TestDedupIncidentsByName": "skipped on purpose - this is part of the TestDedupIncidentsPlaybook - no need to execute separately as a test", From fde2960e023c5cecb463332c1960dc060a7369df Mon Sep 17 00:00:00 2001 From: hod Date: Sun, 12 Jul 2020 11:23:29 +0300 Subject: [PATCH 08/23] Not failing instance creation when a test-conf branch exists (#7948) * Not failing instance creation when a test-conf branch exists * Replacing resource_class from medium+ to medium Co-authored-by: hod-alpert --- .circleci/config.yml | 39 ++++++++++++++++++++------ Tests/scripts/download_demisto_conf.sh | 5 ---- 2 files changed, 31 insertions(+), 13 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 95595122c0a6..b287c178a0c0 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
@@ -392,9 +392,32 @@ jobs: then python3 ./Tests/scripts/verify_base_branch_for_contribution.py $CIRCLE_BRANCH fi + - unless: + condition: + or: + - << pipeline.parameters.instance_tests >> + - equal: + - master + - << pipeline.git.branch >> + steps: + - run: + name: validate content-test-conf branch merged + shell: /bin/bash + when: always + command: | + # replace slashes ('/') in the branch name, if exist, with underscores ('_') + UNDERSCORE_CIRCLE_BRANCH=${CIRCLE_BRANCH//\//_} + wget --header "Accept: application/vnd.github.v3.raw" --header "Authorization: token $GITHUB_TOKEN" "https://github.com/demisto/content-test-conf/archive/$UNDERSCORE_CIRCLE_BRANCH.zip" --no-check-certificate -q + if [ "$?" != "0" ]; then + echo "No such branch in content-test-conf: $UNDERSCORE_CIRCLE_BRANCH" + exit 0 + else + echo "ERROR: Found a branch with the same name in contest-test-conf conf.json - $UNDERSCORE_CIRCLE_BRANCH.\n Merge it in order to merge the current branch into content repo." + exit 1 + fi Create Instances: <<: *container_config - resource_class: medium+ + resource_class: medium <<: *environment steps: - checkout @@ -495,7 +518,7 @@ jobs: - *persist_to_workspace Server 4_1: <<: *container_config - resource_class: medium+ + resource_class: medium <<: *environment steps: - setup_remote_docker @@ -543,7 +566,7 @@ jobs: - *store_artifacts Server 4_5: <<: *container_config - resource_class: medium+ + resource_class: medium <<: *environment steps: - setup_remote_docker @@ -590,7 +613,7 @@ jobs: - *store_artifacts Server 5_0: <<: *container_config - resource_class: medium+ + resource_class: medium <<: *environment steps: - setup_remote_docker @@ -642,7 +665,7 @@ jobs: - *store_artifacts Server 5_5: <<: *container_config - resource_class: medium+ + resource_class: medium <<: *environment steps: - setup_remote_docker 
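Review bot: The wget in the new `validate content-test-conf branch merged` step passes `--no-check-certificate` on the same request that sends `Authorization: token $GITHUB_TOKEN`, so the secret travels over a TLS session whose server certificate is never verified; github.com presents a normally verifiable chain, so the flag should simply be dropped. The `if [ "$?" != "0" ]` test also treats every wget failure (DNS or network error, revoked or rate-limited token) as "no such branch" and exits 0, so the gate silently passes precisely when it could not run; reading the HTTP status with `--server-response` lets the step accept only a 404 as "branch absent" and fail on anything else. Two smaller points: the successful download leaves `$UNDERSCORE_CIRCLE_BRANCH.zip` in the checkout because no `-O` is given, and `echo "...\n ..."` prints a literal `\n` under `/bin/bash` (the message also carries the typo `contest-test-conf`). The rewritten `command` block is below; the `unless` condition above it and the `resource_class` changes in this and the following hunks are unchanged.
```yaml
                command: |
                  # replace slashes ('/') in the branch name, if exist, with underscores ('_')
                  UNDERSCORE_CIRCLE_BRANCH=${CIRCLE_BRANCH//\//_}
                  # TLS verification stays on: the request carries GITHUB_TOKEN in a header.
                  # --server-response prints every response line; the last "HTTP/..." line is
                  # the final status after redirects. Body is discarded, nothing is left on disk.
                  HTTP_STATUS=$(wget --server-response -O /dev/null \
                    --header "Accept: application/vnd.github.v3.raw" \
                    --header "Authorization: token $GITHUB_TOKEN" \
                    "https://github.com/demisto/content-test-conf/archive/$UNDERSCORE_CIRCLE_BRANCH.zip" 2>&1 \
                    | awk '/HTTP\//{code=$2} END{print code}')
                  case "$HTTP_STATUS" in
                    404)
                      echo "No such branch in content-test-conf: $UNDERSCORE_CIRCLE_BRANCH"
                      exit 0
                      ;;
                    200)
                      echo "ERROR: Found a branch with the same name in content-test-conf - $UNDERSCORE_CIRCLE_BRANCH."
                      echo "Merge it in order to merge the current branch into content repo."
                      exit 1
                      ;;
                    *)
                      # Any other outcome (auth failure, rate limit, transport error) must not
                      # be mistaken for "branch absent" - fail the step so the gate is enforced.
                      echo "ERROR: could not query content-test-conf (HTTP status '$HTTP_STATUS')"
                      exit 1
                      ;;
                  esac
```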
@@ -692,7 +715,7 @@ jobs: - *store_artifacts Server 6_0: <<: *container_config - resource_class: medium+ + resource_class: medium <<: *environment steps: - setup_remote_docker @@ -763,7 +786,7 @@ jobs: - *store_artifacts Instance Test: <<: *container_config - resource_class: medium+ + resource_class: medium <<: *environment steps: - setup_remote_docker @@ -801,7 +824,7 @@ jobs: Demisto SDK Nightly: <<: *container_config - resource_class: medium+ + resource_class: medium <<: *environment steps: - checkout diff --git a/Tests/scripts/download_demisto_conf.sh b/Tests/scripts/download_demisto_conf.sh index 1a11f8c0b59c..48508dacdc93 100755 --- a/Tests/scripts/download_demisto_conf.sh +++ b/Tests/scripts/download_demisto_conf.sh @@ -36,11 +36,6 @@ if [ "$?" != "0" ]; then cp -r ./content-test-conf-$UNDERSCORE_CIRCLE_BRANCH/signDirectory $DEMISTO_PACK_SIGNATURE_UTIL_PATH rm -rf ./content-test-conf-$UNDERSCORE_CIRCLE_BRANCH rm -rf ./test_configuration.zip - if [ "$UNDERSCORE_CIRCLE_BRANCH" != "master" ]; then - echo "ERROR: Found a branch with the same name in contest-test-conf conf.json - $UNDERSCORE_CIRCLE_BRANCH.\n Merge it in order to merge the current branch into content repo." - exit 1 - fi - fi set -e From 630643fc69c003425146903e4cabf66dd49e8532 Mon Sep 17 00:00:00 2001 
From: avidan-H <46294017+avidan-H@users.noreply.github.com> Date: Sun, 12 Jul 2020 12:21:10 +0300 Subject: [PATCH 09/23] Update contrib/code42_download-file Base Branch (#7953) Co-authored-by: Alex Fiedler <38628621+kirbles19@users.noreply.github.com> Co-authored-by: Itay Keren Co-authored-by: Bar Katzir <37335599+bakatzir@users.noreply.github.com> Co-authored-by: yuvalbenshalom Co-authored-by: ikeren Co-authored-by: yaron-libman <43783884+yaron-libman@users.noreply.github.com> Co-authored-by: Chris Co-authored-by: ronykoz Co-authored-by: Edwin Abot Co-authored-by: hernantain Co-authored-by: Andrew Shamah <42912128+amshamah419@users.noreply.github.com> Co-authored-by: Rony Kozakish <37589583+ronykoz@users.noreply.github.com> Co-authored-by: roysagi <50295826+roysagi@users.noreply.github.com> Co-authored-by: Guillermo Serrano <23130911+DctrG@users.noreply.github.com> Co-authored-by: Shai Yaakovi <30797606+yaakovi@users.noreply.github.com> Co-authored-by: Beni Co-authored-by: dbaumstein Co-authored-by: Anar Azadaliyev Co-authored-by: crestdatasystems <60967033+crestdatasystems@users.noreply.github.com> Co-authored-by: santosh.giri <61006659+crestsantoshgiri@users.noreply.github.com> Co-authored-by: content-bot <55035720+content-bot@users.noreply.github.com> Co-authored-by: guykeller Co-authored-by: Guy Lichtman <1395797+glicht@users.noreply.github.com> Co-authored-by: hod-alpert Co-authored-by: Spaghett <32481037+adambaumeister@users.noreply.github.com> Co-authored-by: Bar Chen <54398957+barchen1@users.noreply.github.com> Co-authored-by: Shahaf Ben Yakir <44666568+ShahafBenYakir@users.noreply.github.com> Co-authored-by: Orel Haim <60567860+ohaim1008@users.noreply.github.com> Co-authored-by: halpert Co-authored-by: Bar Saar Co-authored-by: Agam More Co-authored-by: Adam Burt - Demisto Co-authored-by: Adam Burt - Demisto <53576129+aburt-demisto@users.noreply.github.com> Co-authored-by: ybenshalom Co-authored-by: URi Co-authored-by: OriolCampderros Co-authored-by: 
oylosoar <66620770+oylosoar@users.noreply.github.com> Co-authored-by: syaakovi Co-authored-by: Guy Freund <53565845+guyfreund@users.noreply.github.com> Co-authored-by: Bar Hochman <11165655+jochman@users.noreply.github.com> Co-authored-by: Ido van Dijk <43602124+idovandijk@users.noreply.github.com> Co-authored-by: Dean Arbel Co-authored-by: EliorKedar <60568193+EliorKedar@users.noreply.github.com> Co-authored-by: Lior Blobstein Co-authored-by: Bargenish Co-authored-by: David Baumstein <51712181+David-BMS@users.noreply.github.com> Co-authored-by: darkushin <61732335+darkushin@users.noreply.github.com> Co-authored-by: altmannyarden <61933087+altmannyarden@users.noreply.github.com> Co-authored-by: Guy Keller <33782301+guykeller@users.noreply.github.com> Co-authored-by: Shelly Berman <45915502+Shellyber@users.noreply.github.com> Co-authored-by: hod Co-authored-by: reut shalem <50294648+reutshal@users.noreply.github.com> Co-authored-by: mayagoldb <43776787+mayagoldb@users.noreply.github.com> Co-authored-by: Agam Co-authored-by: Dan Tavori <38749041+dantavori@users.noreply.github.com> --- .circleci/config.yml | 1924 ++++---- Documentation/docs_site_update.sh | 2 +- Packs/AccessInvestigation/README.md | 20 + .../AccessInvestigation/ReleaseNotes/1_1_3.md | 3 + Packs/AccessInvestigation/pack_metadata.json | 2 +- Packs/ApiModules/.secrets-ignore | 17 + Packs/ApiModules/ReleaseNotes/1_0_3.md | 4 + .../CSVFeedApiModule/CSVFeedApiModule.py | 23 +- .../CSVFeedApiModule/CSVFeedApiModule.yml | 7 +- .../CSVFeedApiModule/CSVFeedApiModule_test.py | 76 +- .../Scripts/TAXII2ApiModule/README.md | 14 + .../TAXII2ApiModule/TAXII2ApiModule.py | 514 +++ .../TAXII2ApiModule/TAXII2ApiModule.yml | 16 + .../TAXII2ApiModule/TAXII2ApiModule_test.py | 322 ++ .../cortex_parsed_indicators_17-19.json | 597 +++ ...ortex_parsed_indicators_complex_20-19.json | 702 +++ ...rsed_indicators_complex_skipped_14-19.json | 492 +++ .../test_data/stix_envelope_17-19.json | 433 ++ 
.../stix_envelope_complex_20-19.json | 433 ++ .../stix_envelope_no_indicators.json | 25 + Packs/ApiModules/pack_metadata.json | 2 +- .../AzureSecurityCenter_v2.py | 1315 +++--- .../AzureSecurityCenter_v2.yml | 48 +- .../AzureSecurityCenter_v2_test.py | 63 + .../AzureSecurityCenter_v2/CHANGELOG.md | 2 +- .../AzureSecurityCenter_v2/README.md | 30 +- .../AzureSecurityCenter/ReleaseNotes/1_0_1.md | 7 + .../playbook-AzureSCTestPlaybook.yml | 3 +- Packs/AzureSecurityCenter/pack_metadata.json | 30 +- Packs/Base/ReleaseNotes/1_1_4.md | 3 + .../SaneDocReportV2/SaneDocReportV2.py | 15 +- .../SaneDocReportV2/SaneDocReportV2.yml | 18 +- .../Scripts/SanePdfReport/SanePdfReport.yml | 2 +- Packs/Base/pack_metadata.json | 2 +- Packs/BluelivThreatContext/.pack-ignore | 0 Packs/BluelivThreatContext/.secrets-ignore | 10 + Packs/BluelivThreatContext/CHANGELOG.md | 1 + .../BluelivThreatContext.py | 1120 +++++ .../BluelivThreatContext.yml | 754 ++++ .../BluelivThreatContext_description.md | 45 + .../BluelivThreatContext_image.png | Bin 0 -> 4907 bytes .../BluelivThreatContext_test.py | 1348 ++++++ .../BluelivThreatContext/CHANGELOG.md | 12 + .../Integrations/BluelivThreatContext/Pipfile | 18 + .../BluelivThreatContext/Pipfile.lock | 369 ++ .../BluelivThreatContext/README.md | 811 ++++ Packs/BluelivThreatContext/README.md | 0 .../Blueliv_ThreatContext_test.yml | 411 ++ Packs/BluelivThreatContext/pack_metadata.json | 16 + Packs/BreachNotification-US/README.md | 2 +- .../ReleaseNotes/1_0_4.md | 3 + .../BreachNotification-US/pack_metadata.json | 2 +- Packs/BruteForce/README.md | 22 + Packs/BruteForce/ReleaseNotes/1_1_1.md | 3 + Packs/BruteForce/pack_metadata.json | 2 +- ...bon_black_Protection_Rapid_IOC_Hunting.yml | 4 +- .../CarbonBlackProtect/ReleaseNotes/1_0_2.md | 4 + Packs/CarbonBlackProtect/pack_metadata.json | 2 +- .../integration-CheckpointFirewall.yml | 1 - .../CheckpointFirewall/ReleaseNotes/1_1_0.md | 5 + Packs/CheckpointFirewall/pack_metadata.json | 2 +- 
.../playbook-Block_IP_-_Generic_v2.yml | 169 +- .../playbook-Block_IP_-_Generic_v2_README.md | 100 +- .../playbook-Detonate_File_-_Generic.yml | 2242 +++++----- ...playbook-Detonate_File_-_Generic_README.md | 315 +- .../playbook-Detonate_URL_-_Generic.yml | 1367 +++--- .../playbook-Detonate_URL_-_Generic_README.md | 239 +- Packs/CommonPlaybooks/ReleaseNotes/1_5_1.md | 4 + Packs/CommonPlaybooks/ReleaseNotes/1_5_2.md | 6 + Packs/CommonPlaybooks/pack_metadata.json | 588 +-- Packs/CommonScripts/ReleaseNotes/1_1_11.md | 2 + Packs/CommonScripts/ReleaseNotes/1_1_13.md | 9 +- Packs/CommonScripts/ReleaseNotes/1_2_2.md | 4 + Packs/CommonScripts/ReleaseNotes/1_2_3.md | 5 + .../FindSimilarIncidentsV2/CHANGELOG.md | 2 + .../FindSimilarIncidentsV2.py | 3 +- .../FindSimilarIncidentsV2.yml | 2 +- .../find_similar_incidents_test.py | 43 +- .../Scripts/JSONtoCSV/JSONtoCSV.py | 68 + .../Scripts/JSONtoCSV/JSONtoCSV.yml | 38 + .../Scripts/JSONtoCSV/JSONtoCSV_test.py | 19 + .../README.md} | 0 .../Scripts/script-JSONtoCSV.yml | 96 - .../Scripts/script-JSONtoCSV_CHANGELOG.md | 5 - Packs/CommonScripts/pack_metadata.json | 2 +- .../incidentfield-feedrelatedindicators.json | 97 + .../layout-indicatorsDetails-domain.json | 46 +- .../Layouts/layout-indicatorsDetails-ip.json | 46 +- .../layout-indicatorsDetails-unifiedFile.json | 42 +- .../Layouts/layout-indicatorsDetails-url.json | 30 +- Packs/CommonTypes/ReleaseNotes/1_4_0.md | 10 + Packs/CommonTypes/ReleaseNotes/1_4_1.md | 5 + Packs/CommonTypes/pack_metadata.json | 372 +- Packs/Compliance/README.md | 4 + Packs/Compliance/ReleaseNotes/1_0_3.md | 3 + Packs/Compliance/pack_metadata.json | 4 +- .../Integrations/CortexDataLake/README.md | 2 +- .../PaloAltoNetworks_XDR/README.md | 20 +- Packs/CrowdStrikeFalconX/.pack-ignore | 0 Packs/CrowdStrikeFalconX/.secrets-ignore | 9 + Packs/CrowdStrikeFalconX/CHANGELOG.md | 2 + .../CrowdStrikeFalconX/CHANGELOG.md | 3 + .../CrowdStrikeFalconX/CrowdStrikeFalconX.py | 874 ++++ 
.../CrowdStrikeFalconX/CrowdStrikeFalconX.yml | 613 +++ .../CrowdStrikeFalconX_description.md | 10 + .../CrowdStrikeFalconX_image.png | Bin 0 -> 4182 bytes .../CrowdStrikeFalconX_test.py | 132 + .../Integrations/CrowdStrikeFalconX/Pipfile | 18 + .../CrowdStrikeFalconX/Pipfile.lock | 369 ++ .../Integrations/CrowdStrikeFalconX/README.md | 2809 ++++++++++++ .../CrowdStrikeFalconX/TestsInput/context.py | 102 + .../TestsInput/http_responses.py | 675 +++ .../CrowdStrikeFalconX/example.txt | 10 + .../Detonate_File_-_CrowdStrike_Falcon_X.yml | 555 +++ .../Detonate_URL_-_CrowdStrike_Falcon_X.yml | 387 ++ Packs/CrowdStrikeFalconX/README.md | 0 ...owdStrike_Falcon_X_-Test-Detonate_File.yml | 154 + ...rowdStrike_Falcon_X_-Test-Detonate_URL.yml | 144 + Packs/CrowdStrikeFalconX/pack_metadata.json | 21 + Packs/CrowdStrikeHost/.secrets-ignore | 1 + .../integration-CrowdStrikeHost.yml | 16 +- .../integration-CrowdStrikeHost_README.md | 15 +- Packs/CrowdStrikeHost/ReleaseNotes/1_1_2.md | 8 + .../playbook-CrowdStrike_FalconHost_test.yml | 318 +- Packs/CrowdStrikeHost/pack_metadata.json | 28 +- .../Integrations/Cylance_Protect_v2/README.md | 2 +- .../Integrations/Cymon/Cymon.yml | 2 + .../Integrations/ExtraHop/ExtraHop.yml | 2 +- .../PaloAltoNetworksCortex.yml | 2 +- .../PaloAlto_MineMeld/PaloAlto_MineMeld.yml | 2 +- .../integration-AlienVaultOTX.yml | 2 +- .../Integrations/integration-Shodan.yml | 2 +- ...aybook-Account_Enrichment_-_Generic_v2.yml | 2 +- .../playbook-DBotCreatePhishingClassifier.yml | 2 +- ...aybook-DBotCreatePhishingClassifierJob.yml | 2 +- .../Playbooks/playbook-DeDup_incidents.yml | 2 +- .../Playbooks/playbook-Dedup_-_Generic.yml | 2 +- ...-Email_Address_Enrichment_-_Generic_v2.yml | 2 +- ...and_threat_detection_by_indicator_type.yml | 4 +- Packs/DeprecatedContent/ReleaseNotes/1_3_0.md | 32 + .../DBotPredictPhishingLabel.yml | 2 +- .../ProofpointDecodeURL.yml | 2 +- .../Scripts/script-BlockIP.yml | 2 +- .../Scripts/script-CPBlockIP.yml | 2 +- 
.../script-DBotPredictPhishingEvaluation.yml | 2 +- .../Scripts/script-DBotPredictTextLabel.yml | 2 +- .../script-DBotPreparePhishingData.yml | 2 +- .../script-DBotTrainTextClassifier.yml | 2 +- .../Scripts/script-PanoramaBlockIP.yml | 3 +- Packs/DeprecatedContent/pack_metadata.json | 2 +- .../Integrations/DuoAdminApi/DuoAdminApi.py | 11 +- .../Integrations/DuoAdminApi/DuoAdminApi.yml | 4 +- Packs/DuoAdminApi/ReleaseNotes/2_0_0.md | 4 + Packs/DuoAdminApi/pack_metadata.json | 30 +- Packs/EDL/Integrations/EDL/README.md | 2 +- Packs/EWS/Integrations/EWSO365/EWSO365.yml | 2 +- Packs/EWS/Integrations/EWSO365/README.md | 43 +- Packs/EWS/ReleaseNotes/1_1_3.md | 4 + Packs/EWS/pack_metadata.json | 2 +- .../Integrations/EclecticIQ/README.md | 6 +- .../FeedAWS/Integrations/FeedAWS/FeedAWS.yml | 10 +- Packs/FeedAWS/ReleaseNotes/1_0_2.md | 4 + Packs/FeedAWS/pack_metadata.json | 2 +- .../FeedAlienVaultOTXTaxii.py | 18 +- .../FeedAlienVaultOTXTaxii.yml | 28 +- .../FeedAlienVaultOTXTaxii_test.py | 23 +- Packs/FeedAlienVault/ReleaseNotes/1_0_1.md | 4 + ...playbook-AlienVaultReputationFeed_Test.yml | 45 +- Packs/FeedAlienVault/pack_metadata.json | 34 +- .../FeedBambenekConsulting.yml | 7 +- .../ReleaseNotes/1_0_1.md | 4 + .../FeedBambenekConsulting/pack_metadata.json | 34 +- .../FeedCSV/Integrations/FeedCSV/FeedCSV.yml | 18 +- Packs/FeedCSV/ReleaseNotes/1_0_2.md | 4 + Packs/FeedCSV/pack_metadata.json | 2 +- .../Integrations/FeedCofense/FeedCofense.py | 12 +- .../Integrations/FeedCofense/FeedCofense.yml | 8 +- .../FeedCofense/FeedCofense_test.py | 4 +- Packs/FeedCofense/ReleaseNotes/1_0_4.md | 4 + Packs/FeedCofense/pack_metadata.json | 2 +- .../FeedElasticsearch/FeedElasticsearch.py | 34 +- .../FeedElasticsearch/FeedElasticsearch.yml | 8 +- .../FeedElasticsearch_test.py | 20 +- Packs/FeedElasticsearch/ReleaseNotes/1_0_3.md | 4 + Packs/FeedElasticsearch/pack_metadata.json | 2 +- .../FeedFeodoTrackerHashes_image.png | Bin 4248 -> 4341 bytes .../FeedFeodoTrackerIPBlocklist_image.png | 
Bin 4248 -> 4614 bytes ...incidentfield-mitreexternalreferences.json | 7 - .../FeedMitreAttack/FeedMitreAttack.py | 65 +- Packs/FeedMitreAttack/ReleaseNotes/1_0_5.md | 4 + ...tre_Attack_List_2_Indicators_Feed_Test.yml | 102 +- Packs/FeedMitreAttack/pack_metadata.json | 2 +- .../FeedOffice365/FeedOffice365.py | 39 +- .../FeedOffice365/FeedOffice365.yml | 13 +- .../FeedOffice365/FeedOffice365_test.py | 23 + Packs/FeedOffice365/ReleaseNotes/1_1_2.md | 4 + Packs/FeedOffice365/pack_metadata.json | 2 +- .../FeedProofpoint/FeedProofpoint.py | 15 +- .../FeedProofpoint/FeedProofpoint.yml | 7 +- .../FeedProofpoint/FeedProofpoint_test.py | 22 + Packs/FeedProofpoint/ReleaseNotes/1_0_1.md | 4 + Packs/FeedProofpoint/pack_metadata.json | 28 +- .../FeedRecordedFuture/FeedRecordedFuture.py | 66 +- .../FeedRecordedFuture/FeedRecordedFuture.yml | 7 +- .../FeedRecordedFuture_test.py | 19 + .../FeedRecordedFuture/ReleaseNotes/1_0_2.md | 4 + Packs/FeedRecordedFuture/pack_metadata.json | 2 +- Packs/FeedTAXII/.secrets-ignore | 20 + .../Integrations/FeedTAXII/FeedTAXII.py | 60 +- .../Integrations/FeedTAXII/FeedTAXII.yml | 14 +- .../Integrations/FeedTAXII/FeedTAXII_test.py | 23 +- .../TestCommands/indicators_results.json | 1352 +++--- .../Integrations/FeedTAXII2/FeedTAXII2.py | 312 ++ .../Integrations/FeedTAXII2/FeedTAXII2.yml | 220 + .../FeedTAXII2/FeedTAXII2_description.md | 9 + .../FeedTAXII2/FeedTAXII2_image.png | Bin 0 -> 4706 bytes .../FeedTAXII2/FeedTAXII2_test.py | 236 + .../FeedTAXII/Integrations/FeedTAXII2/Pipfile | 18 + .../Integrations/FeedTAXII2/Pipfile.lock | 369 ++ .../Integrations/FeedTAXII2/README.md | 143 + .../test_data/cortex_indicators_1.json | 198 + .../test_data/cortex_indicators_2.json | 254 ++ .../FeedTAXII2/test_data/results.json | 3259 ++++++++++++++ Packs/FeedTAXII/ReleaseNotes/1_0_1.md | 4 + .../playbook-TAXII2_Feed_Test.yml | 224 + Packs/FeedTAXII/pack_metadata.json | 2 +- Packs/FeedUnit42/.pack-ignore | 0 Packs/FeedUnit42/.secrets-ignore | 2 + 
.../Integrations/FeedUnit42/FeedUnit42.py | 246 ++ .../Integrations/FeedUnit42/FeedUnit42.yml | 104 + .../FeedUnit42/FeedUnit42_description.md | 9 + .../FeedUnit42/FeedUnit42_image.png | Bin 0 -> 3362 bytes .../FeedUnit42/FeedUnit42_test.py | 119 + .../Integrations/FeedUnit42/README.md | 55 + .../FeedUnit42/commands_examples.txt | 1 + .../FeedUnit42/test_data/feed_data.py | 118 + Packs/FeedUnit42/README.md | 0 .../TestPlaybooks/Unit42_Feed_test.yml | 105 + Packs/FeedUnit42/pack_metadata.json | 22 + Packs/FeedZoom/.secrets-ignore | 8 +- .../Integrations/FeedZoom/FeedZoom.py | 103 +- .../test_data/zoom_endpoint_mock.html | 1087 ++--- Packs/FeedZoom/ReleaseNotes/1_1_0.md | 4 + Packs/FeedZoom/pack_metadata.json | 2 +- .../Feedsslabusech/Feedsslabusech_image.png | Bin 3282 -> 3786 bytes Packs/GDPR/README.md | 20 + Packs/GDPR/ReleaseNotes/1_0_2.md | 3 + .../doc_files/GDPR_Breach_Notification.png | Bin 0 -> 393527 bytes Packs/GDPR/pack_metadata.json | 2 +- .../Integrations/GenericSQL/GenericSQL.py | 148 +- .../Integrations/GenericSQL/GenericSQL.yml | 14 +- .../GenericSQL/GenericSQL_description.md | 20 +- .../GenericSQL/GenericSQL_test.py | 35 +- .../Integrations/GenericSQL/Pipfile | 7 +- .../Integrations/GenericSQL/Pipfile.lock | 392 +- .../Integrations/GenericSQL/README.md | 68 +- Packs/GenericSQL/ReleaseNotes/1_0_3.md | 5 + ...generic-sql-mssql-encrypted-connection.yml | 1 + .../GenericSQL/TestPlaybooks/generic-sql.yml | 138 +- Packs/GenericSQL/pack_metadata.json | 2 +- .../Gmail/Integrations/Gmail/Gmail_image.png | Bin 3834 -> 2229 bytes .../GmailSingleUser/GmailSingleUser_image.png | Bin 3834 -> 3355 bytes Packs/HIPAA-BreachNotification/README.md | 2 +- .../ReleaseNotes/1_0_3.md | 3 + .../pack_metadata.json | 2 +- .../Integrations/HelloWorld/HelloWorld.py | 5 +- .../Integrations/HelloWorld/HelloWorld.yml | 2 +- Packs/HelloWorld/ReleaseNotes/1_1_7.md | 5 + Packs/HelloWorld/pack_metadata.json | 2 +- .../Integrations/Infocyte/Infocyte.ps1 | 16 +- 
.../Infocyte/Integrations/Infocyte/README.md | 6 +- Packs/Infocyte/ReleaseNotes/1_0_1.md | 4 + Packs/Infocyte/pack_metadata.json | 2 +- Packs/Jira/ReleaseNotes/1_0_1.md | 5 + .../Scripts/script-JiraCreaetIssueGeneric.yml | 2 +- Packs/Jira/pack_metadata.json | 28 +- .../Integrations/JsonWhoIs/JsonWhoIs.py | 25 +- .../Integrations/JsonWhoIs/JsonWhoIs.yml | 2 +- Packs/JsonWhoIs/ReleaseNotes/1_0_3.md | 4 + Packs/JsonWhoIs/pack_metadata.json | 2 +- .../Lastline_v2/Lastline_v2_description.md | 12 +- Packs/Lastline/ReleaseNotes/1_0_2.md | 5 + Packs/Lastline/pack_metadata.json | 2 +- .../Integrations/LogRhythmRest/README.md | 1793 ++++++++ Packs/Lokpath_Keylight/.secrets-ignore | 1 + .../Lockpath_KeyLight_v2/README.md | 4 +- Packs/Lost_Stolen_Device/README.md | 18 + .../Lost_Stolen_Device/ReleaseNotes/1_0_3.md | 4 + Packs/Lost_Stolen_Device/pack_metadata.json | 2 +- Packs/Malware/pack_metadata.json | 52 +- .../MicrosoftGraphListener.py | 8 +- .../MicrosoftGraphListener_image.png | Bin 3125 -> 3928 bytes .../ReleaseNotes/1_0_4.md | 3 + .../MicrosoftGraphListener/pack_metadata.json | 2 +- .../MicrosoftGraphMail/MicrosoftGraphMail.py | 8 +- .../MicrosoftGraphMail_image.png | Bin 3125 -> 3757 bytes .../MicrosoftGraphMail/ReleaseNotes/1_0_2.md | 3 + Packs/MicrosoftGraphMail/pack_metadata.json | 2 +- .../MicrosoftManagementActivity/CHANGELOG.md | 2 +- .../MicrosoftManagementActivity.py | 19 +- .../MicrosoftManagementActivity.yml | 2 +- .../MicrosoftManagementActivity/README.md | 25 +- .../ReleaseNotes/1_0_1.md | 4 + .../pack_metadata.json | 30 +- .../MicrosoftTeams/MicrosoftTeams.py | 6 +- .../MicrosoftTeams/MicrosoftTeams.yml | 2 +- .../Integrations/MicrosoftTeams/README.md | 5 + Packs/MicrosoftTeams/ReleaseNotes/1_0_3.md | 6 + Packs/MicrosoftTeams/pack_metadata.json | 2 +- .../Integrations/MimecastV2/MimecastV2.py | 61 +- .../Integrations/MimecastV2/README.md | 2 +- .../mimecast-update-policy.jpg | Bin .../Integrations/MimecastV2/mimecast_test.py | 49 +- 
Packs/Mimecast/ReleaseNotes/1_1_0.md | 4 + Packs/Mimecast/pack_metadata.json | 2 +- .../Integrations/MongoDB/MongoDB_image.png | Bin 1663 -> 3527 bytes .../MongoDBKeyValueStore.png | Bin 1663 -> 0 bytes .../MongoDBKeyValueStore_image.png | Bin 0 -> 4411 bytes .../Integrations/MongoDBLog/MongoDBLog.png | Bin 1663 -> 0 bytes .../MongoDBLog/MongoDBLog_image.png | Bin 0 -> 3963 bytes Packs/NIST/README.md | 29 + Packs/NIST/ReleaseNotes/1_0_1.md | 3 + .../NIST_-_Handling_an_Incident_Template.png | Bin 0 -> 160115 bytes Packs/NIST/pack_metadata.json | 2 +- Packs/NonSupported/.pack-ignore | 3 + .../integration-SandBlastAppliance_3_1_0.yml | 2 +- ...playbook-Detonate_File_-_Generic_4_9_9.yml | 1101 +++++ ...ok-Detonate_File_-_Generic_4_9_9_README.md | 195 + ...ook-Detonate_URL_-_Generic_4_9_9_README.md | 156 + .../playbook-Detonate_url_-_Generic_4_9_9.yml | 664 +++ .../FindSimilarIncidents.yml | 4 +- .../Scripts/script-ReadPDFFile_4_0.yml | 2 +- ...rch_Endpoints_By_Hash_-_Generic_-_Test.yml | 249 -- Packs/OTRS/Integrations/OTRS/README.md | 11 +- Packs/Okta/Integrations/integration-Okta.yml | 26 +- .../integration-Okta_CHANGELOG.md | 1 - Packs/Okta/ReleaseNotes/1_0_3.md | 3 + Packs/Okta/pack_metadata.json | 2 +- .../integration-OpsGenie_README.md | 4 +- .../PAN-OS/Integrations/Panorama/Panorama.py | 129 + .../PAN-OS/Integrations/Panorama/Panorama.yml | 93 + .../Integrations/Panorama/Panorama_test.py | 52 +- .../playbook-NetOps_-_Firewall_Upgrade.yml | 2 +- ...ook-NetOps_-_Firewall_Upgrade_CHANGELOG.md | 1 - ...Ops_-_Firewall_Version_Content_Upgrade.yml | 10 +- Packs/PAN-OS/ReleaseNotes/1_3_0.md | 7 + Packs/PAN-OS/ReleaseNotes/1_4_0.md | 5 + Packs/PAN-OS/ReleaseNotes/1_4_1.md | 4 + .../playbook-palo_alto_firewall_test_pb.yml | 397 +- Packs/PAN-OS/pack_metadata.json | 2 +- ..._threat_detection_by_indicator_type_V2.yml | 2 +- .../ReleaseNotes/1_1_0.md | 5 + .../incidentfield-PCAP_Encryption_Key.json | 2 +- .../incidentfield-PCAP_End_Time.json | 2 +- 
.../incidentfield-PCAP_File.json | 2 +- .../incidentfield-PCAP_File_Name.json | 2 +- .../incidentfield-PCAP_File_Size.json | 2 +- .../incidentfield-PCAP_Flows.json | 2 +- .../incidentfield-PCAP_Number_Of_Packets.json | 2 +- .../incidentfield-PCAP_Number_Of_Streams.json | 2 +- .../incidentfield-PCAP_Start_Time.json | 2 +- .../incidenttype-PCAP_Analysis.json | 2 +- ...-PCAP_Parsing_And_Indicator_Enrichment.yml | 2274 ++++++++++ ...Parsing_And_Indicator_Enrichment_README.md | 58 + .../Playbooks/playbook-PCAP_Search.yml | 2 +- .../Playbooks/playbook-PCAP_Search_README.md | 9 +- Packs/PcapAnalysis/README.md | 2 +- Packs/PcapAnalysis/ReleaseNotes/2_1_0.md | 35 + Packs/PcapAnalysis/ReleaseNotes/2_1_1.md | 3 + .../PcapFileExtractor/PcapFileExtractor.py | 104 + .../PcapFileExtractor/PcapFileExtractor.yml | 76 + .../PcapFileExtractor_test.py | 32 + .../Scripts/PcapFileExtractor/README.md | 39 + .../PcapFileExtractor/TestData/tftp_rrq.pcap | Bin 0 -> 31463 bytes .../PcapMinerV2/TestData/nb6-http.pcap | Bin 0 -> 8809 bytes ..._Parsing_And_Indicator_Enrichment_Test.yml | 222 + .../TestPlaybooks/PCAP_Search_test.yml | 2 +- .../PCAP_Parsing_And_Indicator_Enrichment.png | Bin 0 -> 733754 bytes Packs/PcapAnalysis/pack_metadata.json | 215 +- .../PhishLabsIOC/PhishLabsIOC_image.png | Bin 4007 -> 4490 bytes .../PhishLabsIOC_DRP_image.png | Bin 4007 -> 4003 bytes .../PhishLabsIOC_EIR_image.png | Bin 4007 -> 3906 bytes .../Phishing_v2_-_Test_-_Incident_Starter.yml | 68 +- Packs/PortScan/README.md | 18 + Packs/PortScan/ReleaseNotes/1_0_1.md | 3 + Packs/PortScan/pack_metadata.json | 4 +- .../PrismaAccess/PrismaAccess_image.png | Bin 1476 -> 1919 bytes .../PrismaAccessEgressIPFeed_image.png | Bin 1476 -> 2413 bytes Packs/Pwned/Integrations/PwnedV2/PwnedV2.py | 21 +- .../Integrations/PwnedV2/PwnedV2_test.py | 19 + Packs/Pwned/Integrations/PwnedV2/README.md | 3 - Packs/Pwned/ReleaseNotes/1_0_1.md | 4 + Packs/Pwned/pack_metadata.json | 30 +- .../Integrations/QuestKace/QuestKace.yml | 2 +- 
.../Integrations/QuestKace/README.md | 2 +- Packs/QuestKace/ReleaseNotes/1_0_2.md | 4 + Packs/QuestKace/pack_metadata.json | 4 +- Packs/RiskSense/.secrets-ignore | 21 + .../Integrations/RiskSense/CHANGELOG.md | 10 +- .../Integrations/RiskSense/README.md | 436 +- .../Integrations/RiskSense/RiskSense.py | 369 +- .../Integrations/RiskSense/RiskSense.yml | 3921 +++++++++-------- .../RiskSense/RiskSense_image.png | Bin 3129 -> 3649 bytes .../Integrations/RiskSense/RiskSense_test.py | 88 +- .../RiskSense/TestData/create_tag_resp.json | 178 + .../TestData/host_finding_details_ec.json | 13 +- .../RiskSense/TestData/host_finding_ec.json | 39 +- .../RiskSense/TestData/search_tag_resp.json | 39 + .../RiskSense/TestData/tag_asset_ec.json | 7 + .../RiskSense/TestData/unique_cves_ec.json | 2 +- .../playbook-CVE_Exposure_-_RiskSense.yml | 545 +++ ...laybook-CVE_Exposure_-_RiskSense_README.md | 39 + ...aybook-Ransomware_Exposure_-_RiskSense.yml | 412 ++ ...-Ransomware_Exposure_-_RiskSense_README.md | 36 + Packs/RiskSense/ReleaseNotes/1_0_1.md | 18 + .../RiskSenseDisplayCVEChartScript/README.md | 21 + .../RiskSenseDisplayCVEChartScript.py | 45 + .../RiskSenseDisplayCVEChartScript.yml | 31 + .../RiskSenseDisplayCVEChartScript_test.py | 38 + .../README.md | 60 + .../RiskSenseGetRansomewareCVEScript.py | 196 + .../RiskSenseGetRansomewareCVEScript.yml | 148 + .../RiskSenseGetRansomewareCVEScript_test.py | 97 + .../playbook-RiskSenseApplyTag-Test.yml | 275 ++ .../playbook-RiskSenseGetApps-Test.yml | 15 +- .../playbook-RiskSenseGetAppsDetail-Test.yml | 8 +- .../playbook-RiskSenseGetHostDetail-Test.yml | 7 +- ...ook-RiskSenseGetHostFindingDetail-Test.yml | 9 +- ...playbook-RiskSenseGetHostFindings-Test.yml | 12 +- .../playbook-RiskSenseGetHosts-Test.yml | 10 +- .../playbook-RiskSenseGetUniqueCves-Test.yml | 10 +- ...ok-RiskSenseGetUniqueOpenFindings-Test.yml | 10 +- .../doc_files/CVE_Exposure_-_RiskSense.png | Bin 0 -> 98423 bytes .../Ransomware_Exposure_-_RiskSense.png | Bin 0 -> 80183 
bytes Packs/RiskSense/pack_metadata.json | 30 +- Packs/SANS/README.md | 32 + Packs/SANS/ReleaseNotes/1_0_1.md | 3 + ...-_Incident_Handler's_Handbook_Template.png | Bin 0 -> 136070 bytes Packs/SANS/pack_metadata.json | 2 +- .../Integrations/integration-Sandblast.yml | 2 +- Packs/Sandblast/ReleaseNotes/1_0_1.md | 5 + Packs/Sandblast/pack_metadata.json | 28 +- Packs/ServiceDeskPlus/.pack-ignore | 0 Packs/ServiceDeskPlus/.secrets-ignore | 3 + .../Integrations/ServiceDeskPlus/README.md | 778 ++++ .../ServiceDeskPlus/ServiceDeskPlus.py | 865 ++++ .../ServiceDeskPlus/ServiceDeskPlus.yml | 863 ++++ .../ServiceDeskPlus_description.md | 21 + .../ServiceDeskPlus/ServiceDeskPlus_image.png | Bin 0 -> 9599 bytes .../ServiceDeskPlus/ServiceDeskPlus_test.py | 303 ++ .../ServiceDeskPlus/command_examples.txt | 12 + .../test_data/response_constants.py | 807 ++++ .../test_data/result_constants.py | 427 ++ Packs/ServiceDeskPlus/README.md | 0 Packs/ServiceDeskPlus/ReleaseNotes/1_1_0.md | 4 + .../playbook-Service_Desk_Plus.yml | 1793 ++++++++ Packs/ServiceDeskPlus/pack_metadata.json | 16 + .../Integrations/ServiceNowv2/README.md | 11 +- .../ServiceNowv2/ServiceNowv2.yml | 2 +- Packs/ServiceNow/ReleaseNotes/1_1_6.md | 4 + Packs/ServiceNow/pack_metadata.json | 4 +- .../Integrations/SymantecDLP/README.md | 9 + ...-TIM_-_Add_All_Indicator_Types_To_SIEM.yml | 2 +- Packs/TIM_SIEM/ReleaseNotes/1_0_2.md | 3 + Packs/TIM_SIEM/pack_metadata.json | 2 +- .../ThreatConnect/ThreatConnect.yml | 2 +- .../ThreatQ_v2/ThreatQ_v2_image.png | Bin 3243 -> 3596 bytes .../Integrations/integration-ThreatQ.yml | 2 +- Packs/TruSTAR/.secrets-ignore | 33 +- .../TruSTAR/Integrations/TruSTAR/TruSTAR.yml | 8 +- Packs/TruSTAR/Integrations/TruSTAR_V2/Pipfile | 40 + .../Integrations/TruSTAR_V2/Pipfile.lock | 523 +++ .../TruSTAR/Integrations/TruSTAR_V2/README.md | 2818 ++++++++++++ .../Integrations/TruSTAR_V2/TruSTAR_V2.py | 896 ++++ .../Integrations/TruSTAR_V2/TruSTAR_V2.yml | 947 ++++ 
.../TruSTAR_V2/TruSTAR_V2_description.md | 9 + .../TruSTAR_V2/TruSTAR_V2_image.png | Bin 0 -> 4469 bytes .../TruSTAR_V2/TruSTAR_V2_test.py | 492 +++ .../TruSTAR_V2/command_examples.txt | 22 + Packs/TruSTAR/ReleaseNotes/2_0_0.md | 32 + .../playbook-TruSTAR_V2_Test.yml | 674 +++ Packs/TruSTAR/pack_metadata.json | 2 +- .../VirusTotal-Private_API/README.md | 4 +- .../VirusTotal-Private_API.yml | 4 +- .../ReleaseNotes/1_0_1.md | 4 + .../playbook-virusTotalPrivateAPI-test.yml | 2891 ++---------- .../VirusTotal-Private_API/pack_metadata.json | 2 +- ...laybook-VirusTotal_detonate_file-test.yml} | 2 +- Pipfile | 2 +- ...book-Account_Enrichment_-_Generic_Test.yml | 0 ...k-Account_Enrichment_-_Generic_v2_Test.yml | 0 .../playbook-AlienVaultOTX_Test.yml | 0 .../playbook-AlienVaultOTX_Test_CHANGELOG.md | 0 .../Deprecated}/playbook-BlockIP_test.yml | 0 .../playbook-BlockIP_test_CHANGELOG.md | 0 .../playbook-ContextGetters-Test.yml | 0 .../playbook-ContextGetters-Test_CHANGELOG.md | 0 .../Deprecated}/playbook-Cymon_Test.yml | 0 .../playbook-Cymon_Test_CHANGELOG.md | 0 .../playbook-Dedup_-_Generic_-_Test.yml | 0 ...aybook-Dedup_-_Generic_-_Test_CHANGELOG.md | 0 .../playbook-DocumentationTest.yml | 0 ...Address_Enrichment_-_Generic_v2_-_Test.yml | 0 ...ndpoint_Enrichment_-_Generic_v2_-_Test.yml | 0 .../Deprecated}/playbook-ExtraHop-Test.yml | 0 .../playbook-ExtraHop-Test_CHANGELOG.md | 0 .../Deprecated}/playbook-ExtractURL_Test.yml | 0 .../playbook-ExtractURL_Test_CHANGELOG.md | 0 .../playbook-Extract_Domain_Test.yml | 0 .../playbook-Extract_Domain_Test_CHANGELOG.md | 0 ...ok-Extract_Indicators_-_Generic_-_Test.yml | 0 ...t_Indicators_-_Generic_-_Test_CHANGELOG.md | 0 .../playbook-Indicator_Feed_-_Test.yml | 0 ...laybook-Indicator_Feed_-_Test_CHANGELOG.md | 0 ...playbook-Jira-CreateIssue-generic-Test.yml | 0 ...Jira-CreateIssue-generic-Test_CHANGELOG.md | 0 .../playbook-Lastline-test-playbook.yml | 0 ...aybook-Lastline-test-playbook_CHANGELOG.md | 0 
.../Deprecated}/playbook-Minemeld_Test.yml | 0 .../playbook-Minemeld_Test_CHANGELOG.md | 0 ...hreat_detection_by_indicator_type_Test.yml | 0 ...laybook-Palo_Alto_Networks_Cortex_Test.yml | 0 ...alo_Alto_Networks_Cortex_Test_CHANGELOG.md | 0 .../playbook-PostgreSQL-Test_CHANGELOG.md | 0 .../playbook-ProofpointDecodeURL-Test.yml | 0 ...book-ProofpointDecodeURL-Test_CHANGELOG.md | 0 .../Deprecated}/playbook-ReadPDFFile_Test.yml | 0 .../playbook-ReadPDFFile_Test_CHANGELOG.md | 0 .../Deprecated}/playbook-Shodan-Test.yml | 0 .../playbook-Shodan-Test_CHANGELOG.md | 0 ...laybook-TestCreatePhishingClassifierML.yml | 0 .../playbook-Test_Similar_Incidents.yml | 0 .../playbook-ThreatConnect_Test.yml | 0 .../Tests/marketplace_services_test.py | 270 ++ Tests/Marketplace/marketplace_services.py | 24 +- Tests/conf.json | 215 +- ...onfigure_and_test_integration_instances.py | 24 +- Tests/mock_server.py | 7 + .../collect_tests_and_content_packs.py | 5 +- Tests/scripts/destroy_instances.py | 5 +- .../prepare_content_packs_for_testing.sh | 6 +- Tests/scripts/run_tests.sh | 4 +- Tests/scripts/server_get_artifact.sh | 6 +- Tests/scripts/slack_notifier.py | 62 +- Tests/scripts/slack_notifier.sh | 3 +- Tests/scripts/wait_until_server_ready.py | 4 +- Tests/secrets_white_list.json | 9 +- Tests/test_content.py | 12 +- Tests/test_integration.py | 6 +- ...er_content_build_with_no_backward_check.sh | 17 +- ...trigger_content_build_with_time_to_live.sh | 29 +- Utils/trigger_content_nightly_build.sh | 18 +- ...igger_content_nightly_build_with_memory.sh | 18 +- .../trigger_content_nightly_instance_tests.sh | 13 +- Utils/trigger_content_non_ami_build.sh | 21 +- ...trigger_content_non_ami_build_by_number.sh | 20 +- Utils/trigger_nightly_sdk_build.sh | 14 +- 557 files changed, 55750 insertions(+), 12298 deletions(-) create mode 100644 Packs/AccessInvestigation/ReleaseNotes/1_1_3.md create mode 100644 Packs/ApiModules/ReleaseNotes/1_0_3.md create mode 100644 
Packs/ApiModules/Scripts/TAXII2ApiModule/README.md create mode 100644 Packs/ApiModules/Scripts/TAXII2ApiModule/TAXII2ApiModule.py create mode 100644 Packs/ApiModules/Scripts/TAXII2ApiModule/TAXII2ApiModule.yml create mode 100644 Packs/ApiModules/Scripts/TAXII2ApiModule/TAXII2ApiModule_test.py create mode 100644 Packs/ApiModules/Scripts/TAXII2ApiModule/test_data/cortex_parsed_indicators_17-19.json create mode 100644 Packs/ApiModules/Scripts/TAXII2ApiModule/test_data/cortex_parsed_indicators_complex_20-19.json create mode 100644 Packs/ApiModules/Scripts/TAXII2ApiModule/test_data/cortex_parsed_indicators_complex_skipped_14-19.json create mode 100644 Packs/ApiModules/Scripts/TAXII2ApiModule/test_data/stix_envelope_17-19.json create mode 100644 Packs/ApiModules/Scripts/TAXII2ApiModule/test_data/stix_envelope_complex_20-19.json create mode 100644 Packs/ApiModules/Scripts/TAXII2ApiModule/test_data/stix_envelope_no_indicators.json create mode 100644 Packs/AzureSecurityCenter/Integrations/AzureSecurityCenter_v2/AzureSecurityCenter_v2_test.py create mode 100644 Packs/AzureSecurityCenter/ReleaseNotes/1_0_1.md create mode 100644 Packs/Base/ReleaseNotes/1_1_4.md create mode 100644 Packs/BluelivThreatContext/.pack-ignore create mode 100644 Packs/BluelivThreatContext/.secrets-ignore create mode 100644 Packs/BluelivThreatContext/CHANGELOG.md create mode 100644 Packs/BluelivThreatContext/Integrations/BluelivThreatContext/BluelivThreatContext.py create mode 100644 Packs/BluelivThreatContext/Integrations/BluelivThreatContext/BluelivThreatContext.yml create mode 100644 Packs/BluelivThreatContext/Integrations/BluelivThreatContext/BluelivThreatContext_description.md create mode 100644 Packs/BluelivThreatContext/Integrations/BluelivThreatContext/BluelivThreatContext_image.png create mode 100644 Packs/BluelivThreatContext/Integrations/BluelivThreatContext/BluelivThreatContext_test.py create mode 100644 Packs/BluelivThreatContext/Integrations/BluelivThreatContext/CHANGELOG.md create mode 
100644 Packs/BluelivThreatContext/Integrations/BluelivThreatContext/Pipfile create mode 100644 Packs/BluelivThreatContext/Integrations/BluelivThreatContext/Pipfile.lock create mode 100644 Packs/BluelivThreatContext/Integrations/BluelivThreatContext/README.md create mode 100644 Packs/BluelivThreatContext/README.md create mode 100644 Packs/BluelivThreatContext/TestPlaybooks/Blueliv_ThreatContext_test.yml create mode 100644 Packs/BluelivThreatContext/pack_metadata.json create mode 100644 Packs/BreachNotification-US/ReleaseNotes/1_0_4.md create mode 100644 Packs/BruteForce/ReleaseNotes/1_1_1.md create mode 100644 Packs/CarbonBlackProtect/ReleaseNotes/1_0_2.md create mode 100644 Packs/CheckpointFirewall/ReleaseNotes/1_1_0.md create mode 100644 Packs/CommonPlaybooks/ReleaseNotes/1_5_1.md create mode 100644 Packs/CommonPlaybooks/ReleaseNotes/1_5_2.md create mode 100644 Packs/CommonScripts/ReleaseNotes/1_2_2.md create mode 100644 Packs/CommonScripts/ReleaseNotes/1_2_3.md create mode 100644 Packs/CommonScripts/Scripts/JSONtoCSV/JSONtoCSV.py create mode 100644 Packs/CommonScripts/Scripts/JSONtoCSV/JSONtoCSV.yml create mode 100644 Packs/CommonScripts/Scripts/JSONtoCSV/JSONtoCSV_test.py rename Packs/CommonScripts/Scripts/{script-JSONtoCSV_README.md => JSONtoCSV/README.md} (100%) delete mode 100644 Packs/CommonScripts/Scripts/script-JSONtoCSV.yml delete mode 100644 Packs/CommonScripts/Scripts/script-JSONtoCSV_CHANGELOG.md create mode 100644 Packs/CommonTypes/IndicatorFields/incidentfield-feedrelatedindicators.json create mode 100644 Packs/CommonTypes/ReleaseNotes/1_4_0.md create mode 100644 Packs/CommonTypes/ReleaseNotes/1_4_1.md create mode 100644 Packs/Compliance/ReleaseNotes/1_0_3.md create mode 100644 Packs/CrowdStrikeFalconX/.pack-ignore create mode 100644 Packs/CrowdStrikeFalconX/.secrets-ignore create mode 100644 Packs/CrowdStrikeFalconX/CHANGELOG.md create mode 100644 Packs/CrowdStrikeFalconX/Integrations/CrowdStrikeFalconX/CHANGELOG.md create mode 100644 
Packs/CrowdStrikeFalconX/Integrations/CrowdStrikeFalconX/CrowdStrikeFalconX.py create mode 100644 Packs/CrowdStrikeFalconX/Integrations/CrowdStrikeFalconX/CrowdStrikeFalconX.yml create mode 100644 Packs/CrowdStrikeFalconX/Integrations/CrowdStrikeFalconX/CrowdStrikeFalconX_description.md create mode 100644 Packs/CrowdStrikeFalconX/Integrations/CrowdStrikeFalconX/CrowdStrikeFalconX_image.png create mode 100644 Packs/CrowdStrikeFalconX/Integrations/CrowdStrikeFalconX/CrowdStrikeFalconX_test.py create mode 100644 Packs/CrowdStrikeFalconX/Integrations/CrowdStrikeFalconX/Pipfile create mode 100644 Packs/CrowdStrikeFalconX/Integrations/CrowdStrikeFalconX/Pipfile.lock create mode 100644 Packs/CrowdStrikeFalconX/Integrations/CrowdStrikeFalconX/README.md create mode 100644 Packs/CrowdStrikeFalconX/Integrations/CrowdStrikeFalconX/TestsInput/context.py create mode 100644 Packs/CrowdStrikeFalconX/Integrations/CrowdStrikeFalconX/TestsInput/http_responses.py create mode 100644 Packs/CrowdStrikeFalconX/Integrations/CrowdStrikeFalconX/example.txt create mode 100644 Packs/CrowdStrikeFalconX/Playbooks/Detonate_File_-_CrowdStrike_Falcon_X.yml create mode 100644 Packs/CrowdStrikeFalconX/Playbooks/Detonate_URL_-_CrowdStrike_Falcon_X.yml create mode 100644 Packs/CrowdStrikeFalconX/README.md create mode 100644 Packs/CrowdStrikeFalconX/TestPlaybooks/CrowdStrike_Falcon_X_-Test-Detonate_File.yml create mode 100644 Packs/CrowdStrikeFalconX/TestPlaybooks/CrowdStrike_Falcon_X_-Test-Detonate_URL.yml create mode 100644 Packs/CrowdStrikeFalconX/pack_metadata.json create mode 100644 Packs/CrowdStrikeHost/ReleaseNotes/1_1_2.md create mode 100644 Packs/DeprecatedContent/ReleaseNotes/1_3_0.md create mode 100644 Packs/DuoAdminApi/ReleaseNotes/2_0_0.md create mode 100644 Packs/EWS/ReleaseNotes/1_1_3.md create mode 100644 Packs/FeedAWS/ReleaseNotes/1_0_2.md create mode 100644 Packs/FeedAlienVault/ReleaseNotes/1_0_1.md create mode 100644 Packs/FeedBambenekConsulting/ReleaseNotes/1_0_1.md create mode 
100644 Packs/FeedCSV/ReleaseNotes/1_0_2.md create mode 100644 Packs/FeedCofense/ReleaseNotes/1_0_4.md create mode 100644 Packs/FeedElasticsearch/ReleaseNotes/1_0_3.md rename Packs/{CommonTypes => FeedMitreAttack}/IndicatorFields/incidentfield-mitreexternalreferences.json (96%) create mode 100644 Packs/FeedMitreAttack/ReleaseNotes/1_0_5.md create mode 100644 Packs/FeedOffice365/ReleaseNotes/1_1_2.md create mode 100644 Packs/FeedProofpoint/ReleaseNotes/1_0_1.md create mode 100644 Packs/FeedRecordedFuture/ReleaseNotes/1_0_2.md create mode 100644 Packs/FeedTAXII/Integrations/FeedTAXII2/FeedTAXII2.py create mode 100644 Packs/FeedTAXII/Integrations/FeedTAXII2/FeedTAXII2.yml create mode 100644 Packs/FeedTAXII/Integrations/FeedTAXII2/FeedTAXII2_description.md create mode 100644 Packs/FeedTAXII/Integrations/FeedTAXII2/FeedTAXII2_image.png create mode 100644 Packs/FeedTAXII/Integrations/FeedTAXII2/FeedTAXII2_test.py create mode 100644 Packs/FeedTAXII/Integrations/FeedTAXII2/Pipfile create mode 100644 Packs/FeedTAXII/Integrations/FeedTAXII2/Pipfile.lock create mode 100644 Packs/FeedTAXII/Integrations/FeedTAXII2/README.md create mode 100644 Packs/FeedTAXII/Integrations/FeedTAXII2/test_data/cortex_indicators_1.json create mode 100644 Packs/FeedTAXII/Integrations/FeedTAXII2/test_data/cortex_indicators_2.json create mode 100644 Packs/FeedTAXII/Integrations/FeedTAXII2/test_data/results.json create mode 100644 Packs/FeedTAXII/ReleaseNotes/1_0_1.md create mode 100644 Packs/FeedTAXII/TestPlaybooks/playbook-TAXII2_Feed_Test.yml create mode 100644 Packs/FeedUnit42/.pack-ignore create mode 100644 Packs/FeedUnit42/.secrets-ignore create mode 100644 Packs/FeedUnit42/Integrations/FeedUnit42/FeedUnit42.py create mode 100644 Packs/FeedUnit42/Integrations/FeedUnit42/FeedUnit42.yml create mode 100644 Packs/FeedUnit42/Integrations/FeedUnit42/FeedUnit42_description.md create mode 100644 Packs/FeedUnit42/Integrations/FeedUnit42/FeedUnit42_image.png create mode 100644 
Packs/FeedUnit42/Integrations/FeedUnit42/FeedUnit42_test.py create mode 100644 Packs/FeedUnit42/Integrations/FeedUnit42/README.md create mode 100644 Packs/FeedUnit42/Integrations/FeedUnit42/commands_examples.txt create mode 100644 Packs/FeedUnit42/Integrations/FeedUnit42/test_data/feed_data.py create mode 100644 Packs/FeedUnit42/README.md create mode 100644 Packs/FeedUnit42/TestPlaybooks/Unit42_Feed_test.yml create mode 100644 Packs/FeedUnit42/pack_metadata.json create mode 100644 Packs/FeedZoom/ReleaseNotes/1_1_0.md create mode 100644 Packs/GDPR/ReleaseNotes/1_0_2.md create mode 100644 Packs/GDPR/doc_files/GDPR_Breach_Notification.png create mode 100644 Packs/GenericSQL/ReleaseNotes/1_0_3.md create mode 100644 Packs/HIPAA-BreachNotification/ReleaseNotes/1_0_3.md create mode 100644 Packs/HelloWorld/ReleaseNotes/1_1_7.md create mode 100644 Packs/Infocyte/ReleaseNotes/1_0_1.md create mode 100644 Packs/Jira/ReleaseNotes/1_0_1.md create mode 100644 Packs/JsonWhoIs/ReleaseNotes/1_0_3.md create mode 100644 Packs/Lastline/ReleaseNotes/1_0_2.md create mode 100644 Packs/LogRhythmRest/Integrations/LogRhythmRest/README.md create mode 100644 Packs/Lost_Stolen_Device/ReleaseNotes/1_0_3.md create mode 100644 Packs/MicrosoftGraphListener/ReleaseNotes/1_0_4.md create mode 100644 Packs/MicrosoftGraphMail/ReleaseNotes/1_0_2.md create mode 100644 Packs/MicrosoftManagementActivity/ReleaseNotes/1_0_1.md create mode 100644 Packs/MicrosoftTeams/ReleaseNotes/1_0_3.md rename Packs/Mimecast/Integrations/MimecastV2/{ => doc_files}/mimecast-update-policy.jpg (100%) create mode 100644 Packs/Mimecast/ReleaseNotes/1_1_0.md delete mode 100644 Packs/MongoDB/Integrations/MongoDBKeyValueStore/MongoDBKeyValueStore.png create mode 100644 Packs/MongoDB/Integrations/MongoDBKeyValueStore/MongoDBKeyValueStore_image.png delete mode 100644 Packs/MongoDB/Integrations/MongoDBLog/MongoDBLog.png create mode 100644 Packs/MongoDB/Integrations/MongoDBLog/MongoDBLog_image.png create mode 100644 
Packs/NIST/ReleaseNotes/1_0_1.md create mode 100644 Packs/NIST/doc_files/NIST_-_Handling_an_Incident_Template.png create mode 100644 Packs/NonSupported/Playbooks/playbook-Detonate_File_-_Generic_4_9_9.yml create mode 100644 Packs/NonSupported/Playbooks/playbook-Detonate_File_-_Generic_4_9_9_README.md create mode 100644 Packs/NonSupported/Playbooks/playbook-Detonate_URL_-_Generic_4_9_9_README.md create mode 100644 Packs/NonSupported/Playbooks/playbook-Detonate_url_-_Generic_4_9_9.yml delete mode 100644 Packs/NonSupported/TestPlaybooks/playbook-Search_Endpoints_By_Hash_-_Generic_-_Test.yml create mode 100644 Packs/Okta/ReleaseNotes/1_0_3.md create mode 100644 Packs/PAN-OS/ReleaseNotes/1_3_0.md create mode 100644 Packs/PAN-OS/ReleaseNotes/1_4_0.md create mode 100644 Packs/PAN-OS/ReleaseNotes/1_4_1.md create mode 100644 Packs/PANWComprehensiveInvestigation/ReleaseNotes/1_1_0.md create mode 100644 Packs/PcapAnalysis/Playbooks/playbook-PCAP_Parsing_And_Indicator_Enrichment.yml create mode 100644 Packs/PcapAnalysis/Playbooks/playbook-PCAP_Parsing_And_Indicator_Enrichment_README.md create mode 100644 Packs/PcapAnalysis/ReleaseNotes/2_1_0.md create mode 100644 Packs/PcapAnalysis/ReleaseNotes/2_1_1.md create mode 100644 Packs/PcapAnalysis/Scripts/PcapFileExtractor/PcapFileExtractor.py create mode 100644 Packs/PcapAnalysis/Scripts/PcapFileExtractor/PcapFileExtractor.yml create mode 100644 Packs/PcapAnalysis/Scripts/PcapFileExtractor/PcapFileExtractor_test.py create mode 100644 Packs/PcapAnalysis/Scripts/PcapFileExtractor/README.md create mode 100644 Packs/PcapAnalysis/Scripts/PcapFileExtractor/TestData/tftp_rrq.pcap create mode 100644 Packs/PcapAnalysis/Scripts/PcapMinerV2/TestData/nb6-http.pcap create mode 100644 Packs/PcapAnalysis/TestPlaybooks/PCAP_Parsing_And_Indicator_Enrichment_Test.yml create mode 100644 Packs/PcapAnalysis/doc_files/PCAP_Parsing_And_Indicator_Enrichment.png create mode 100644 Packs/PortScan/ReleaseNotes/1_0_1.md create mode 100644 
Packs/Pwned/ReleaseNotes/1_0_1.md create mode 100644 Packs/QuestKace/ReleaseNotes/1_0_2.md create mode 100644 Packs/RiskSense/Integrations/RiskSense/TestData/create_tag_resp.json create mode 100644 Packs/RiskSense/Integrations/RiskSense/TestData/search_tag_resp.json create mode 100644 Packs/RiskSense/Integrations/RiskSense/TestData/tag_asset_ec.json create mode 100644 Packs/RiskSense/Playbooks/playbook-CVE_Exposure_-_RiskSense.yml create mode 100644 Packs/RiskSense/Playbooks/playbook-CVE_Exposure_-_RiskSense_README.md create mode 100644 Packs/RiskSense/Playbooks/playbook-Ransomware_Exposure_-_RiskSense.yml create mode 100644 Packs/RiskSense/Playbooks/playbook-Ransomware_Exposure_-_RiskSense_README.md create mode 100644 Packs/RiskSense/ReleaseNotes/1_0_1.md create mode 100644 Packs/RiskSense/Scripts/RiskSenseDisplayCVEChartScript/README.md create mode 100644 Packs/RiskSense/Scripts/RiskSenseDisplayCVEChartScript/RiskSenseDisplayCVEChartScript.py create mode 100644 Packs/RiskSense/Scripts/RiskSenseDisplayCVEChartScript/RiskSenseDisplayCVEChartScript.yml create mode 100644 Packs/RiskSense/Scripts/RiskSenseDisplayCVEChartScript/RiskSenseDisplayCVEChartScript_test.py create mode 100644 Packs/RiskSense/Scripts/RiskSenseGetRansomewareCVEScript/README.md create mode 100644 Packs/RiskSense/Scripts/RiskSenseGetRansomewareCVEScript/RiskSenseGetRansomewareCVEScript.py create mode 100644 Packs/RiskSense/Scripts/RiskSenseGetRansomewareCVEScript/RiskSenseGetRansomewareCVEScript.yml create mode 100644 Packs/RiskSense/Scripts/RiskSenseGetRansomewareCVEScript/RiskSenseGetRansomewareCVEScript_test.py create mode 100644 Packs/RiskSense/TestPlaybooks/playbook-RiskSenseApplyTag-Test.yml create mode 100644 Packs/RiskSense/doc_files/CVE_Exposure_-_RiskSense.png create mode 100644 Packs/RiskSense/doc_files/Ransomware_Exposure_-_RiskSense.png create mode 100644 Packs/SANS/ReleaseNotes/1_0_1.md create mode 100644 Packs/SANS/doc_files/SANS_-_Incident_Handler's_Handbook_Template.png create 
mode 100644 Packs/Sandblast/ReleaseNotes/1_0_1.md create mode 100644 Packs/ServiceDeskPlus/.pack-ignore create mode 100644 Packs/ServiceDeskPlus/.secrets-ignore create mode 100644 Packs/ServiceDeskPlus/Integrations/ServiceDeskPlus/README.md create mode 100644 Packs/ServiceDeskPlus/Integrations/ServiceDeskPlus/ServiceDeskPlus.py create mode 100644 Packs/ServiceDeskPlus/Integrations/ServiceDeskPlus/ServiceDeskPlus.yml create mode 100644 Packs/ServiceDeskPlus/Integrations/ServiceDeskPlus/ServiceDeskPlus_description.md create mode 100644 Packs/ServiceDeskPlus/Integrations/ServiceDeskPlus/ServiceDeskPlus_image.png create mode 100644 Packs/ServiceDeskPlus/Integrations/ServiceDeskPlus/ServiceDeskPlus_test.py create mode 100644 Packs/ServiceDeskPlus/Integrations/ServiceDeskPlus/command_examples.txt create mode 100644 Packs/ServiceDeskPlus/Integrations/ServiceDeskPlus/test_data/response_constants.py create mode 100644 Packs/ServiceDeskPlus/Integrations/ServiceDeskPlus/test_data/result_constants.py create mode 100644 Packs/ServiceDeskPlus/README.md create mode 100644 Packs/ServiceDeskPlus/ReleaseNotes/1_1_0.md create mode 100644 Packs/ServiceDeskPlus/TestPlaybooks/playbook-Service_Desk_Plus.yml create mode 100644 Packs/ServiceDeskPlus/pack_metadata.json create mode 100644 Packs/ServiceNow/ReleaseNotes/1_1_6.md create mode 100644 Packs/TIM_SIEM/ReleaseNotes/1_0_2.md create mode 100644 Packs/TruSTAR/Integrations/TruSTAR_V2/Pipfile create mode 100644 Packs/TruSTAR/Integrations/TruSTAR_V2/Pipfile.lock create mode 100644 Packs/TruSTAR/Integrations/TruSTAR_V2/README.md create mode 100644 Packs/TruSTAR/Integrations/TruSTAR_V2/TruSTAR_V2.py create mode 100644 Packs/TruSTAR/Integrations/TruSTAR_V2/TruSTAR_V2.yml create mode 100644 Packs/TruSTAR/Integrations/TruSTAR_V2/TruSTAR_V2_description.md create mode 100644 Packs/TruSTAR/Integrations/TruSTAR_V2/TruSTAR_V2_image.png create mode 100644 Packs/TruSTAR/Integrations/TruSTAR_V2/TruSTAR_V2_test.py create mode 100644 
Packs/TruSTAR/Integrations/TruSTAR_V2/command_examples.txt create mode 100644 Packs/TruSTAR/ReleaseNotes/2_0_0.md create mode 100644 Packs/TruSTAR/TestPlaybooks/playbook-TruSTAR_V2_Test.yml create mode 100644 Packs/VirusTotal-Private_API/ReleaseNotes/1_0_1.md rename Packs/VirusTotal/TestPlaybooks/{playbook-VirusTotal_detonate_file.yml => playbook-VirusTotal_detonate_file-test.yml} (99%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-Account_Enrichment_-_Generic_Test.yml (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-Account_Enrichment_-_Generic_v2_Test.yml (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-AlienVaultOTX_Test.yml (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-AlienVaultOTX_Test_CHANGELOG.md (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-BlockIP_test.yml (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-BlockIP_test_CHANGELOG.md (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-ContextGetters-Test.yml (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-ContextGetters-Test_CHANGELOG.md (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-Cymon_Test.yml (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-Cymon_Test_CHANGELOG.md (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-Dedup_-_Generic_-_Test.yml (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-Dedup_-_Generic_-_Test_CHANGELOG.md (100%) 
rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-DocumentationTest.yml (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-Email_Address_Enrichment_-_Generic_v2_-_Test.yml (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-Endpoint_Enrichment_-_Generic_v2_-_Test.yml (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-ExtraHop-Test.yml (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-ExtraHop-Test_CHANGELOG.md (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-ExtractURL_Test.yml (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-ExtractURL_Test_CHANGELOG.md (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-Extract_Domain_Test.yml (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-Extract_Domain_Test_CHANGELOG.md (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-Extract_Indicators_-_Generic_-_Test.yml (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-Extract_Indicators_-_Generic_-_Test_CHANGELOG.md (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-Indicator_Feed_-_Test.yml (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-Indicator_Feed_-_Test_CHANGELOG.md (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-Jira-CreateIssue-generic-Test.yml (100%) rename {Packs/DeprecatedContent/TestPlaybooks => 
TestPlaybooks/NonCircleTests/Deprecated}/playbook-Jira-CreateIssue-generic-Test_CHANGELOG.md (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-Lastline-test-playbook.yml (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-Lastline-test-playbook_CHANGELOG.md (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-Minemeld_Test.yml (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-Minemeld_Test_CHANGELOG.md (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-PANW_-_Hunting_and_threat_detection_by_indicator_type_Test.yml (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-Palo_Alto_Networks_Cortex_Test.yml (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-Palo_Alto_Networks_Cortex_Test_CHANGELOG.md (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-PostgreSQL-Test_CHANGELOG.md (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-ProofpointDecodeURL-Test.yml (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-ProofpointDecodeURL-Test_CHANGELOG.md (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-ReadPDFFile_Test.yml (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-ReadPDFFile_Test_CHANGELOG.md (100%) rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-Shodan-Test.yml (100%) rename {Packs/DeprecatedContent/TestPlaybooks => 
TestPlaybooks/NonCircleTests/Deprecated}/playbook-Shodan-Test_CHANGELOG.md (100%)
rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-TestCreatePhishingClassifierML.yml (100%)
rename {Packs/DeprecatedContent/TestPlaybooks => TestPlaybooks/NonCircleTests/Deprecated}/playbook-Test_Similar_Incidents.yml (100%)
rename {Packs/ThreatConnect/TestPlaybooks => TestPlaybooks/NonCircleTests}/playbook-ThreatConnect_Test.yml (100%)
diff --git a/.circleci/config.yml b/.circleci/config.yml
index 110ac1a7d94d..95595122c0a6 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -9,16 +9,51 @@ parameters:
 server_branch_name:
 type: string
 default: ""
+ backward_compatibility:
+ type: string
+ default: ""
+ nightly:
+ type: string
+ default: ""
+ instance_tests:
+ type: string
+ default: ""
+ demisto_sdk_nightly:
+ type: string
+ default: ""
+ mem_check:
+ type: string
+ default: ""
+ time_to_live:
+ type: string
+ default: ""
+ contrib_branch:
+ type: string
+ default: ""
+ contrib_pack_name:
+ type: string
+ default: ""
+
 references:
 environment: &environment
 environment:
- CONTENT_VERSION: "20.6.1"
+ CONTENT_VERSION: "20.7.0"
 SERVER_VERSION: "5.5.0"
- GIT_SHA1: "85b138633bcc10cedb4d6f4ed6e7074c28dd13d7" # guardrails-disable-line disable-secrets-detection
+ GIT_SHA1: "1f9f72106210397ee6134fd4a82b07876226e584" # guardrails-disable-line disable-secrets-detection
 NON_AMI_RUN: << pipeline.parameters.non_ami_run >>
 ARTIFACT_BUILD_NUM: << pipeline.parameters.artifact_build_num >>
 SERVER_BRANCH_NAME: << pipeline.parameters.server_branch_name >>
+ BACKWARD_COMPATIBILITY: << pipeline.parameters.backward_compatibility >>
+ MEM_CHECK: << pipeline.parameters.mem_check >>
+ TIME_TO_LIVE: << pipeline.parameters.time_to_live >>
+ CONTRIB_BRANCH: << pipeline.parameters.contrib_branch >>
+ CONTRIB_PACK_NAME: << pipeline.parameters.contrib_pack_name >>
+ # Giving different names to the following pipeline parameters to avoid collision, handling such collision case
+ # is done in 'Prepare Environment' step.
+ NIGHTLY_PARAMETER: << pipeline.parameters.nightly >>
+ INSTANCE_TESTS_PARAMETER: << pipeline.parameters.instance_tests >>
+ DEMISTO_SDK_NIGHTLY_PARAMETER: << pipeline.parameters.demisto_sdk_nightly >>
 container_config: &container_config
 docker:
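Review bot: The eight new pipeline parameters are declared `type: string` with an empty default, but every consumer this commit adds tests only for non-emptiness (`[ -n "${NIGHTLY_PARAMETER}" ]` in the Prepare Environment hunk, `[ -n "${TIME_TO_LIVE}" ]` in Destroy Instances, `[ -n "${BACKWARD_COMPATIBILITY}" ]` in the validate step of the last hunk), so a caller passing `"false"` or `"0"` switches the mode on. State that contract where the parameters are declared, e.g. `# presence flags: any non-empty value (including "false") enables the mode; leave empty to disable`, or declare the flag-like ones (`backward_compatibility`, `nightly`, `instance_tests`, `demisto_sdk_nightly`, `mem_check`) as `type: boolean` and change the shell checks to compare against `"true"`. `time_to_live`, `contrib_branch` and `contrib_pack_name` carry values rather than flags and each deserves a one-line comment giving the expected format (minutes, branch name, pack directory name), since they are interpolated into the job environment and consumed by shell later in the file.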
@@ -46,15 +81,22 @@ references: name: Prepare Environment when: always command: | - if [ -n "${INSTANCE_TESTS}" ] && [ $CIRCLE_NODE_INDEX -ne 0 ] ; - then - echo "Skipping - instance tests tasks are running only in container number 0" - exit 0 - fi echo 'export CIRCLE_ARTIFACTS="/home/circleci/project/artifacts"' >> $BASH_ENV echo 'export PATH="/home/circleci/.local/bin:${PWD}/node_modules/.bin:${PATH}"' >> $BASH_ENV # disable-secrets-detection echo 'export PYTHONPATH="/home/circleci/project:${PYTHONPATH}"' >> $BASH_ENV echo 'export DEMISTO_README_VALIDATION=true' >> $BASH_ENV + if [ -n "${NIGHTLY_PARAMETER}" ]; + then + echo 'export NIGHTLY=true' >> $BASH_ENV + fi + if [ -n "${INSTANCE_TESTS_PARAMETER}" ]; + then + echo 'export INSTANCE_TESTS=true' >> $BASH_ENV + fi + if [ -n "${DEMISTO_SDK_NIGHTLY_PARAMETER}" ]; + then + echo 'export DEMISTO_SDK_NIGHTLY=true' >> $BASH_ENV + fi echo "=== sourcing $BASH_ENV ===" source $BASH_ENV sudo mkdir -p -m 777 $CIRCLE_ARTIFACTS @@ -81,7 +123,7 @@ references: fi echo "========== Build Parameters ==========" - echo "Parameters: NIGHTLY: $NIGHTLY, INSTANCE_TESTS: $INSTANCE_TESTS, NON_AMI_RUN: $NON_AMI_RUN, SERVER_BRANCH_NAME: $SERVER_BRANCH_NAME, ARTIFACT_BUILD_NUM: $ARTIFACT_BUILD_NUM, DEMISTO_SDK_NIGHTLY: $DEMISTO_SDK_NIGHTLY, TIME_TO_LIVE: $TIME_TO_LIVE, CONTRIB_BRANCH: $CONTRIB_BRANCH" + set | grep -E "^NIGHTLY=|^INSTANCE_TESTS=|^NON_AMI_RUN=|^SERVER_BRANCH_NAME=|^ARTIFACT_BUILD_NUM=|^DEMISTO_SDK_NIGHTLY=|^TIME_TO_LIVE=|^CONTRIB_BRANCH=" python --version python3 --version demisto-sdk --version @@ -104,6 +146,16 @@ references: run: name: Destroy Instances command: | + if [ -n "${TIME_TO_LIVE}" ] + then + echo "Skipping - Time to live was set to $TIME_TO_LIVE minutes" + exit 0 + fi + if [ -n "${DEMISTO_SDK_NIGHTLY}" ] + then + echo "Skipping - not running in demisto-sdk nightly" + exit 0 + fi echo "$INSTANCE_ROLE" export TEMP=$(cat ./Tests/filter_envs.json | jq '."$INSTANCE_ROLE"') if [[ "$TEMP" == "false" ]]; 
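Review bot: The three `if [ -n "${..._PARAMETER}" ]` blocks in Prepare Environment are copies of one another that differ only in the variable name, which invites the next flag being added with a typo in one of the two names; a single loop over the flag names keeps the mapping in one place. They also only ever set the flag to `true`, so if `NIGHTLY`, `INSTANCE_TESTS` or `DEMISTO_SDK_NIGHTLY` is already present in the job environment from another source (the "collision case" the environment anchor's comment refers to) nothing here resets it — presumably intended, but worth a comment such as `# parameters only turn a mode on; an already-exported flag is left as is`. The step's `command` body continues after the hunk ends.
```shell
# … unchanged: export of CIRCLE_ARTIFACTS, PATH, PYTHONPATH, DEMISTO_README_VALIDATION …
# Pipeline parameters carry a *_PARAMETER suffix to avoid colliding with the
# plain flag names; a non-empty parameter turns the matching flag on.
for flag in NIGHTLY INSTANCE_TESTS DEMISTO_SDK_NIGHTLY; do
  param="${flag}_PARAMETER"
  if [ -n "${!param}" ]; then
    echo "export ${flag}=true" >> $BASH_ENV
  fi
done
# … unchanged: sourcing $BASH_ENV, artifacts dir …
```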
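Review bot: The new `set | grep -E` filter in the Build Parameters step omits the variables this same commit adds to the environment anchor — `BACKWARD_COMPATIBILITY`, `MEM_CHECK` and `CONTRIB_PACK_NAME` — so they never show up in the printout that is meant to document the run; extend the pattern to `set | grep -E "^NIGHTLY=|^INSTANCE_TESTS=|^NON_AMI_RUN=|^SERVER_BRANCH_NAME=|^ARTIFACT_BUILD_NUM=|^DEMISTO_SDK_NIGHTLY=|^TIME_TO_LIVE=|^CONTRIB_BRANCH=|^CONTRIB_PACK_NAME=|^MEM_CHECK=|^BACKWARD_COMPATIBILITY="`. Keep the `=` anchor on every alternative: `set` dumps every shell variable, and the anchored allowlist is what stops `NIGHTLY_PARAMETER=` from matching and keeps the log limited to these names. Unlike the old `echo`, `set` prints nothing for an unset variable, so the log no longer distinguishes unset from empty; a comment `# unset variables print nothing here` would save the next reader a puzzle.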
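Review bot: The new early exit in Destroy Instances skips teardown whenever `TIME_TO_LIVE` is non-empty, but nothing in the hunk checks that it is a positive number of minutes, so `TIME_TO_LIVE=0` or a mistyped value leaves the test instances running with no cleanup from this job; presumably a separate TTL-based mechanism reaps them later, and the step should say which one. Tighten the guard to `if [ -n "${TIME_TO_LIVE}" ] && [ "${TIME_TO_LIVE}" -gt 0 ] 2>/dev/null` and add `# instances with a TTL are torn down by <TTL reaper — name it> — do not destroy them here` (replace the placeholder with the actual mechanism). The same question applies to the `DEMISTO_SDK_NIGHTLY` branch: state where those instances are destroyed instead. The step's body continues after the hunk ends.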
@@ -123,1203 +175,707 @@ references: root: /home/circleci/ paths: - project + + Secrets: &Secrets + run: + name: Secrets + when: always + command: | + demisto-sdk secrets --post-commit --ignore-entropy + validate_files_and_yaml: &validate_files_and_yaml + run: + name: Validate Files and Yaml + when: always + command: | + if [ -n "${NIGHTLY}" ]; + then + echo "Skipping - not running in Nightly run" + exit 0 + fi + # Run flake8 on all excluding Packs (Integraions and Scripts) - they will be handled in linting + ./Tests/scripts/pyflake.sh *.py + find . -maxdepth 1 -type d -not \( -path . -o -path ./Packs -o -path ./venv \) | xargs ./Tests/scripts/pyflake.sh + + [ -n "${BACKWARD_COMPATIBILITY}" ] && CHECK_BACKWARD="false" || CHECK_BACKWARD="true" + ./Tests/scripts/validate.sh + run_unit_testing_and_lint: &run_unit_testing_and_lint + run: + name: Run Unit Testing and Lint + when: always + no_output_timeout: 5h + command: | + echo "demisto-sdk version: $(demisto-sdk --version)" + echo "mypy version: $(mypy --version)" + echo "flake8 py2 version: $(python2 -m flake8 --version)" + echo "flake8 py3 version: $(python3 -m flake8 --version)" + echo "bandit py2 version: $(python2 -m bandit --version 2>&1)" + echo "bandit py3 version: $(python3 -m bandit --version 2>&1)" + echo "vulture py2 version: $(python2 -m vulture --version) 2>&1" + echo "vulture py3 version: $(python3 -m vulture --version) 2>&1" + SHOULD_LINT_ALL=$(./Tests/scripts/should_lint_all.sh) + mkdir ./unit-tests + if [ -n "$SHOULD_LINT_ALL" ]; then + echo -e "----------\nLinting all because:\n${SHOULD_LINT_ALL}\n----------" + demisto-sdk lint -p 8 -a -q --test-xml ./unit-tests --log-path ./artifacts --failure-report ./artifacts + else + demisto-sdk lint -p 8 -g -v --test-xml ./unit-tests --log-path ./artifacts --failure-report ./artifacts + fi + infrastructure_testing: &infrastructure_testing + run: + name: Infrastructure testing + when: always + command: | + python3 -m pytest 
./Tests/scripts/infrastructure_tests/ -v + python3 -m pytest ./Tests/Marketplace/Tests/ -v + + if [ -n "${DEMISTO_SDK_NIGHTLY}" ] ; then + ./Tests/scripts/sdk_pylint_check.sh + fi + create_id_set: &create_id_set + run: + name: Create ID Set + when: always + command: | + demisto-sdk create-id-set -o ./Tests/id_set.json + build_content_descriptor: &build_content_descriptor + run: + name: Build Content Descriptor + when: always + command: | + if [ -n "${GITHUB_TOKEN}" ] ; + then + # new release notes summary generator in packs format + python3 Utils/release_notes_generator.py $CONTENT_VERSION $GIT_SHA1 $CIRCLE_BUILD_NUM --output $CIRCLE_ARTIFACTS/packs-release-notes.md --github-token $GITHUB_TOKEN + else + # new release notes summary generator in packs format + python3 Utils/release_notes_generator.py $CONTENT_VERSION $GIT_SHA1 $CIRCLE_BUILD_NUM --output $CIRCLE_ARTIFACTS/packs-release-notes.md + fi + common_server_documentation: &common_server_documentation + run: + name: Common Server Documentation + when: always + command: | + ./Documentation/commonServerDocs.sh + collect_test_list_and_content_packs: &collect_test_list_and_content_packs + run: + name: Collect Test List And Content Packs + when: always + command: | + if [ -n "${INSTANCE_TESTS}" ]; + then + echo "Skipping - not running in INSTANCE_TESTS build" + exit 0 + fi + + [ -n "${NIGHTLY}" ] && IS_NIGHTLY=true || IS_NIGHTLY=false + python3 ./Tests/scripts/collect_tests_and_content_packs.py -n $IS_NIGHTLY + calculate_packs_dependencies: &calculate_packs_dependencies + run: + name: Calculate Packs Dependencies + when: always + command: | + python3 ./Tests/Marketplace/packs_dependencies.py -i ./Tests/id_set.json -o $CIRCLE_ARTIFACTS/packs_dependencies.json + update_tests_step: &update_tests_step + run: + name: Update Tests step + when: always + command: | + python3 ./Tests/scripts/update_conf_json.py + cp "./Tests/conf.json" "$CIRCLE_ARTIFACTS/conf.json" jobs: - build: + Prepare Environment: <<: *container_config 
- parallelism: 2 + resource_class: medium+ <<: *environment steps: - checkout - setup_remote_docker - - restore_cache: - key: venv-{{ checksum "dev-requirements-py2.txt" }}-{{ checksum "dev-requirements-py3.txt" }}-{{ checksum ".circleci/build-requirements.txt" }}-{{ checksum "package-lock.json" }} + - *restore_cache - *prepare_environment - save_cache: paths: - venv - node_modules key: venv-{{ checksum "dev-requirements-py2.txt" }}-{{ checksum "dev-requirements-py3.txt" }}-{{ checksum ".circleci/build-requirements.txt" }}-{{ checksum "package-lock.json" }} - - add_ssh_keys: - fingerprints: - - "02:df:a5:6a:53:9a:f5:5d:bd:a6:fc:b2:db:9b:c9:47" # disable-secrets-detection - - "f5:25:6a:e5:ac:4b:84:fb:60:54:14:82:f1:e9:6c:f9" # disable-secrets-detection - - run: - name: Get Contributor pack - when: always - command: | - if [ -z $CONTRIB_BRANCH ] - then - echo "Skipping, contributor branch not given." - exit 0 - else - USER=$(echo $CONTRIB_BRANCH | cut -d ":" -f 1) - BRANCH=$(echo $CONTRIB_BRANCH | cut -d ":" -f 2) - PACK=$(echo $CONTRIB_BRANCH | cut -d ":" -f 3) - - echo 'Copy the changes from the contributor branch $USER/$BRANCH in the pack $PACK' - git remote add $USER git@github.com:$USER/content.git - git fetch $USER $BRANCH - git checkout $USER/$BRANCH $PACK - exit 0 - fi - - - run: - name: Check if CircleCI's config file is up to date - when: always - command: | - if [[ $CIRCLE_BRANCH =~ pull/[0-9]+ ]]; then - echo "Skipping, Should not run on contributor's branch." - exit 0 - fi - if [ $CIRCLE_NODE_INDEX -ne 0 ] ; - then - echo 'Skipping - running only in container number 0.' - exit 0; - fi - # Checks if there's any diff from master - if [[ `git diff origin/master -- .circleci/config.yml` ]]; then - # Checks if part of the branch's changes - if [[ -z `git diff origin/master..."$CIRCLE_BRANCH" --name-only | grep .circleci/config.yml` ]]; then - echo ".circleci/config.yml has been changed. 
Merge from master" - exit 1 - else - echo ".circleci/config.yml is part of the branch changes, proceeding" + - when: + condition: << pipeline.parameters.contrib_branch >> + steps: + - run: + name: Get Contributor pack + when: always + command: | + USER=$(echo $CONTRIB_BRANCH | cut -d ":" -f 1) + BRANCH=$(echo $CONTRIB_BRANCH | cut -d ":" -f 2) + PACK=$(echo $CONTRIB_BRANCH | cut -d ":" -f 3) + echo 'Copy the changes from the contributor branch $USER/$BRANCH in the pack $PACK' + git remote add $USER git@github.com:$USER/content.git + git fetch $USER $BRANCH + git checkout $USER/$BRANCH $PACK exit 0 - fi - else - echo ".circleci/config.yml is up to date!" - fi - - run: - name: Update Tests step - when: always - command: | - if [ $CIRCLE_NODE_INDEX -ne 0 ] ; - then - echo "Skipping - running only in container number 0" - exit 0 - fi - python3 ./Tests/scripts/update_conf_json.py - cp "./Tests/conf.json" "$CIRCLE_ARTIFACTS/conf.json" - - run: - name: Create ID Set - when: always - command: | - if [ $CIRCLE_NODE_INDEX -ne 0 ] ; - then - echo "Skipping - running only in container number 0" - exit 0 - fi - demisto-sdk create-id-set -o ./Tests/id_set.json - - run: - name: Infrastructure testing - when: always - command: | - if [ -n "${INSTANCE_TESTS}" ] || [ $CIRCLE_NODE_INDEX -ne 0 ] ; - then - echo "Skipping - not running in INSTANCE_TESTS build or unit-tests container" - exit 0 - fi - - python3 -m pytest ./Tests/scripts/infrastructure_tests/ -v - python3 -m pytest ./Tests/Marketplace/Tests/ -v + - *add_ssh_keys + - *persist_to_workspace - if [ -n "${DEMISTO_SDK_NIGHTLY}" ] ; then - ./Tests/scripts/sdk_pylint_check.sh - fi - exit 0 + Run Unit Testing And Lint: + <<: *container_config + resource_class: medium+ + <<: *environment + steps: + - *attach_workspace + - unless: + condition: << pipeline.parameters.instance_tests >> + steps: + - setup_remote_docker + - *restore_cache + - *add_ssh_keys + - *prepare_environment + - *infrastructure_testing + - 
*run_unit_testing_and_lint + - store_test_results: + path: ./unit-tests + - run: + name: Slack Notifier + shell: /bin/bash + command: | + ./Tests/scripts/slack_notifier.sh 'unittests' ./env_results.json + when: always + - *store_artifacts + Run Validations: + <<: *container_config + resource_class: medium+ + <<: *environment + steps: + - *attach_workspace + - unless: + condition: << pipeline.parameters.instance_tests >> + steps: + - setup_remote_docker + - *restore_cache + - *add_ssh_keys + - *prepare_environment + - *Secrets + - *validate_files_and_yaml + - run: + name: Content Docs Site + when: always + command: | + ./Documentation/docs_site_update.sh + - run: + name: Spell Checks + command: | + python3 ./Tests/scripts/circleci_spell_checker.py $CIRCLE_BRANCH + - run: + name: Check if CircleCI's config file is up to date + when: always + command: | + if [[ $CIRCLE_BRANCH =~ pull/[0-9]+ ]]; then + echo "Skipping, Should not run on contributor's branch." + exit 0 + fi + # Checks if there's any diff from master + if [[ `git diff origin/master -- .circleci/config.yml` ]]; then + # Checks if part of the branch's changes + if [[ -z `git diff origin/master..."$CIRCLE_BRANCH" --name-only | grep .circleci/config.yml` ]]; then + echo ".circleci/config.yml has been changed. Merge from master" + exit 1 + else + echo ".circleci/config.yml is part of the branch changes, proceeding" + exit 0 + fi + else + echo ".circleci/config.yml is up to date!" 
+ fi + - run: + name: Verify Base Branch for Contribution + when: always + command: | + if [[ $CIRCLE_BRANCH =~ pull/[0-9]+ ]] ; + then + python3 ./Tests/scripts/verify_base_branch_for_contribution.py $CIRCLE_BRANCH + fi + Create Instances: + <<: *container_config + resource_class: medium+ + <<: *environment + steps: + - checkout + - setup_remote_docker + - *restore_cache + - *prepare_environment + - *restore_cache + - *add_ssh_keys + - *prepare_environment + - *update_tests_step + - *create_id_set + - *build_content_descriptor + - *common_server_documentation + - *create_artifact - run: - name: Validate Files and Yaml + name: Download Configuration when: always command: | - if [ -n "${INSTANCE_TESTS}" ] || [ $CIRCLE_NODE_INDEX -ne 0 ] || [ -n "${NIGHTLY}" ]; + if ./Tests/scripts/is_ami.sh ; then - echo "Skipping - not running in INSTANCE_TESTS build or unit-tests container or Nightly run" - exit 0 - fi - - # Run flake8 on all excluding Packs (Integraions and Scripts) - they will be handled in linting - ./Tests/scripts/pyflake.sh *.py - find . -maxdepth 1 -type d -not \( -path . 
-o -path ./Packs -o -path ./venv \) | xargs ./Tests/scripts/pyflake.sh + ./Tests/scripts/download_demisto_conf.sh - [ -n "${BACKWARD_COMPATIBILITY}" ] && CHECK_BACKWARD="false" || CHECK_BACKWARD="true" - ./Tests/scripts/validate.sh - - run: - name: Secrets - when: always - command: | - if [ -n "${INSTANCE_TESTS}" ] || [ $CIRCLE_NODE_INDEX -ne 0 ] ; - then - echo "Skipping - not running in INSTANCE_TESTS build or unit-tests container" - exit 0 + else + ./Tests/lastest_server_build_scripts/download_demisto_conf.sh fi - - demisto-sdk secrets --post-commit --ignore-entropy - run: - name: Collect Test List And Content Packs + name: Download Artifacts when: always command: | - if [ -n "${INSTANCE_TESTS}" ] || [ $CIRCLE_NODE_INDEX -ne 0 ] ; + if ./Tests/scripts/is_ami.sh ; then - echo "Skipping - not running in INSTANCE_TESTS build or unit-tests container" - exit 0 - fi + echo "Using AMI - Not downloading artifacts" - [ -n "${NIGHTLY}" ] && IS_NIGHTLY=true || IS_NIGHTLY=false - python3 ./Tests/scripts/collect_tests_and_content_packs.py -n $IS_NIGHTLY - - run: - name: Spell Checks - command: | - if [ -n "${INSTANCE_TESTS}" ] || [ $CIRCLE_NODE_INDEX -ne 0 ] ; - then - echo "Skipping - not running in INSTANCE_TESTS build or unit-tests container" - exit 0 - fi - python3 ./Tests/scripts/circleci_spell_checker.py $CIRCLE_BRANCH - - run: - name: Build Content Descriptor - when: always - command: | - if [ $CIRCLE_NODE_INDEX -ne 0 ] ; - then - echo "Skipping - running only in container number 0" - exit 0 - fi - if [ -n "${GITHUB_TOKEN}" ] ; - then - # new release notes summary generator in packs format - python3 Utils/release_notes_generator.py $CONTENT_VERSION $GIT_SHA1 $CIRCLE_BUILD_NUM --output $CIRCLE_ARTIFACTS/packs-release-notes.md --github-token $GITHUB_TOKEN else - # new release notes summary generator in packs format - python3 Utils/release_notes_generator.py $CONTENT_VERSION $GIT_SHA1 $CIRCLE_BUILD_NUM --output $CIRCLE_ARTIFACTS/packs-release-notes.md + 
./Tests/scripts/server_get_artifact.sh $SERVER_CI_TOKEN + cp demistoserver.sh ./Tests/scripts/awsinstancetool/ansibleinstall/demistoserver.sh fi + - *collect_test_list_and_content_packs + - *calculate_packs_dependencies + - unless: + condition: << pipeline.parameters.demisto_sdk_nightly >> + steps: + - run: + name: Prepare Content Packs For Testing + when: always + command: | + ./Tests/scripts/prepare_content_packs_for_testing.sh + echo "$CIRCLE_BUILD_NUM" > create_instances_build_num.txt # so that later jobs in this workflow could configure the right path + - run: + name: Zip Content Packs From GCS + command: | + GCS_PATH=$(mktemp) + ZIP_FOLDER=$(mktemp -d) + echo $GCS_MARKET_KEY > $GCS_PATH + python3 ./Tests/Marketplace/zip_packs.py -b 'marketplace-ci-build' -z $ZIP_FOLDER -a $CIRCLE_ARTIFACTS -s $GCS_PATH -n $CIRCLE_BUILD_NUM -br $CIRCLE_BRANCH + rm $GCS_PATH + when: always + - run: + name: Store Artifacts to GCS + command: ./Tests/scripts/upload_artifacts.sh + when: always + - run: + name: Create Instance + when: always + command: | + [ -n "${TIME_TO_LIVE}" ] && TTL=${TIME_TO_LIVE} || TTL=180 + if ./Tests/scripts/is_ami.sh ; + then + if [ -n "${NIGHTLY}" ] ; + then + export IFRA_ENV_TYPE=Nightly # disable-secrets-detection + elif [ -n "${INSTANCE_TESTS}" ] ; + then + export IFRA_ENV_TYPE="Demisto PreGA" # disable-secrets-detection + elif [ -n "${CONTRIB_BRANCH}" ] ; + then + export IFRA_ENV_TYPE="Demisto Marketplace" # disable-secrets-detection + else + export IFRA_ENV_TYPE=Content-Env # disable-secrets-detection + fi + python3 ./Tests/scripts/awsinstancetool/aws_instance_tool.py -envType "$IFRA_ENV_TYPE" -timetolive $TTL -outfile ./env_results.json + + else + . 
./Tests/scripts/server_get_artifact.sh $SERVER_CI_TOKEN + python3 ./Tests/scripts/awsinstancetool/aws_instance_tool.py -envType CustomBuild -custombuild true -circleurl $SERVER_DOWNLOAD_LINK -circleToken $SERVER_CI_TOKEN -timetolive $TTL -outfile ./env_results.json + fi + - run: + name: Setup Instance + when: always + command: | + if ./Tests/scripts/is_ami.sh ; + then + python3 ./Tests/scripts/run_content_installation.py + else + ./Tests/lastest_server_build_scripts/run_installer_on_instance.sh + fi + - *store_artifacts + - *persist_to_workspace + Server 4_1: + <<: *container_config + resource_class: medium+ + <<: *environment + steps: + - setup_remote_docker + - unless: + condition: + or: + - << pipeline.parameters.instance_tests >> + - << pipeline.parameters.contrib_branch >> + - << pipeline.parameters.demisto_sdk_nightly >> + - << pipeline.parameters.nightly >> + - << pipeline.parameters.non_ami_run >> + steps: + - *attach_workspace + - *restore_cache + - *add_ssh_keys + - *prepare_environment + - run: + name: Wait until server ready + shell: /bin/bash + when: always + command: | + python3 ./Tests/scripts/wait_until_server_ready.py "Demisto two before GA" + - run: + name: Run Tests - Server 4.1 + shell: /bin/bash + when: always + command: | + echo 'export INSTANCE_ROLE="Demisto two before GA"' >> $BASH_ENV + source $BASH_ENV + export TEMP=$(cat ./Tests/filter_envs.json | jq '."Demisto two before GA"') + echo "Demisto two before GA filter=$TEMP" + if [[ "$TEMP" == "false" ]]; + then + echo "Skipping - instance was not setup" + exit 0 + fi + if ./Tests/scripts/is_ami.sh ; + then + ./Tests/scripts/run_tests.sh "$INSTANCE_ROLE" + + else + echo "Not AMI run, can't run on this version" + fi + - *destroy_instances + - *store_artifacts + Server 4_5: + <<: *container_config + resource_class: medium+ + <<: *environment + steps: + - setup_remote_docker + - unless: + condition: + or: + - << pipeline.parameters.instance_tests >> + - << pipeline.parameters.contrib_branch >> + 
- << pipeline.parameters.demisto_sdk_nightly >> + - << pipeline.parameters.nightly >> + - << pipeline.parameters.non_ami_run >> + steps: + - *attach_workspace + - *add_ssh_keys + - *prepare_environment + - run: + name: Wait until server ready + shell: /bin/bash + when: always + command: | + python3 ./Tests/scripts/wait_until_server_ready.py "Demisto one before GA" + - run: + name: Run Tests - Server 4.5 + shell: /bin/bash + when: always + command: | + echo 'export INSTANCE_ROLE="Demisto one before GA"' >> $BASH_ENV + source $BASH_ENV + export TEMP=$(cat ./Tests/filter_envs.json | jq '."Demisto one before GA"') + echo "Demisto one before GA filter=$TEMP" + if [[ "$TEMP" == "false" ]]; + then + echo "Skipping - instance was not setup" + exit 0 + fi + if ./Tests/scripts/is_ami.sh ; + then + ./Tests/scripts/run_tests.sh "$INSTANCE_ROLE" + + else + echo "Not AMI run, can't run on this version" + fi + - *destroy_instances + - *store_artifacts + Server 5_0: + <<: *container_config + resource_class: medium+ + <<: *environment + steps: + - setup_remote_docker + - unless: + condition: + or: + - << pipeline.parameters.instance_tests >> + - << pipeline.parameters.contrib_branch >> + - << pipeline.parameters.demisto_sdk_nightly >> + - << pipeline.parameters.nightly >> + steps: + - *attach_workspace + - *restore_cache + - *add_ssh_keys + - *prepare_environment + - run: + name: Wait until server ready + shell: /bin/bash + when: always + command: | + if ./Tests/scripts/is_ami.sh ; + then + python3 ./Tests/scripts/wait_until_server_ready.py "Demisto GA" + else + python3 ./Tests/scripts/wait_until_server_ready.py "Demisto" + fi + - run: + name: Run Tests - Server 5.0 + shell: /bin/bash + when: always + command: | + export TEMP=$(cat ./Tests/filter_envs.json | jq '."Demisto GA"') + echo "Demisto GA filter=$TEMP" + if [[ "$TEMP" == "false" ]]; + then + echo "Skipping - instance was not setup" + exit 0 + fi + if ./Tests/scripts/is_ami.sh ; + then + echo 'export INSTANCE_ROLE="Demisto 
GA"' >> $BASH_ENV + else + 'export INSTANCE_ROLE="master"' >> $BASH_ENV + fi + source $BASH_ENV + ./Tests/scripts/run_tests.sh "$INSTANCE_ROLE" + + - *destroy_instances + - *store_artifacts + Server 5_5: + <<: *container_config + resource_class: medium+ + <<: *environment + steps: + - setup_remote_docker + - unless: + condition: + or: + - << pipeline.parameters.instance_tests >> + - << pipeline.parameters.contrib_branch >> + - << pipeline.parameters.demisto_sdk_nightly >> + - << pipeline.parameters.nightly >> + - << pipeline.parameters.non_ami_run >> + steps: + - *attach_workspace + - *add_ssh_keys + - *prepare_environment + - run: + name: Wait until server ready + shell: /bin/bash + when: always + command: | + python3 ./Tests/scripts/wait_until_server_ready.py "Demisto PreGA" + - run: + name: Run Tests - 5.5 + shell: /bin/bash + when: always + command: | + echo 'export INSTANCE_ROLE="Demisto PreGA"' >> $BASH_ENV + source $BASH_ENV + export TEMP=$(cat ./Tests/filter_envs.json | jq '."Demisto PreGA"') + echo "Demisto PreGA filter=$TEMP" + if [[ "$TEMP" == "false" ]]; + then + echo "Skipping - instance was not setup" + exit 0 + fi + if ./Tests/scripts/is_ami.sh ; + then + ./Tests/scripts/run_tests.sh "$INSTANCE_ROLE" + export RETVAL=$? 
+ cp ./Tests/failed_tests.txt $CIRCLE_ARTIFACTS/failed_tests.txt + exit $RETVAL + + else + echo "Not AMI run, can't run on this version" + fi + - *destroy_instances + - *store_artifacts + Server 6_0: + <<: *container_config + resource_class: medium+ + <<: *environment + steps: + - setup_remote_docker + - unless: + condition: + or: + - << pipeline.parameters.instance_tests >> + - << pipeline.parameters.demisto_sdk_nightly >> + - << pipeline.parameters.non_ami_run >> + steps: + - *attach_workspace + - *add_ssh_keys + - *prepare_environment + - run: + name: Wait until server ready + shell: /bin/bash + when: always + command: | + python3 ./Tests/scripts/wait_until_server_ready.py "Demisto Marketplace" + - run: + name: Run Tests - Demisto 6.0 + shell: /bin/bash + when: always + no_output_timeout: 5h + command: | + echo 'export INSTANCE_ROLE="Demisto Marketplace"' >> $BASH_ENV + source $BASH_ENV + export TEMP=$(cat ./Tests/filter_envs.json | jq '."Demisto Marketplace"') + echo "Demisto Marketplace filter=$TEMP" + if [[ "$TEMP" == "false" ]]; + then + echo "Skipping - instance was not setup" + exit 0 + fi + if ./Tests/scripts/is_ami.sh ; + then + ./Tests/scripts/run_tests.sh "$INSTANCE_ROLE" + export RETVAL=$? 
+ cp ./Tests/failed_tests.txt $CIRCLE_ARTIFACTS/failed_tests.txt + exit $RETVAL + else + echo "Not AMI run, can't run on this version" + fi + - run: + name: Upload Packs To Marketplace Storage + command: | + if [[ $CIRCLE_BRANCH != master ]]; then + echo "Skipping packs uploading on non master branch" + exit 0 + fi + + EXTRACT_FOLDER=$(mktemp -d) + PACK_ARTIFACTS=$CIRCLE_ARTIFACTS/content_packs.zip + PACKS_DEPENDENCIES=$CIRCLE_ARTIFACTS/packs_dependencies.json + ID_SET=$CIRCLE_ARTIFACTS/id_set.json + GCS_PATH=$(mktemp) + echo $GCS_MARKET_KEY > $GCS_PATH + python3 ./Tests/Marketplace/upload_packs.py -a $PACK_ARTIFACTS -e $EXTRACT_FOLDER -b 'marketplace-dist' -d $PACKS_DEPENDENCIES -i $ID_SET -s $GCS_PATH -n $CIRCLE_BUILD_NUM -k $PACK_SIGNING_KEY -pb 'marketplace-dist-private' + rm $GCS_PATH + when: on_success + - run: + name: Slack Notifier + shell: /bin/bash + command: | + ./Tests/scripts/slack_notifier.sh 'test_playbooks' ./env_results.json + when: always + - *destroy_instances + - *store_artifacts + Instance Test: + <<: *container_config + resource_class: medium+ + <<: *environment + steps: + - setup_remote_docker + - *attach_workspace + - *add_ssh_keys + - *prepare_environment - run: - name: Common Server Documentation + name: Wait until server ready + shell: /bin/bash when: always command: | - if [ $CIRCLE_NODE_INDEX -ne 0 ] ; - then - echo "Skipping - running only in container number 0" - exit 0 + if [ -z $INSTANCE_TESTS ] + then + echo "Skipping, contributor branch not given." + exit 0 fi - ./Documentation/commonServerDocs.sh + python3 ./Tests/scripts/wait_until_server_ready.py "Demisto PreGA" + echo 'export INSTANCE_ROLE="Demisto PreGA"' >> $BASH_ENV + source $BASH_ENV - run: - name: Content Docs Site - when: always + name: Instance Test command: | - if [ $CIRCLE_NODE_INDEX -ne 0 ]; - then - echo "Skipping - running only in container number 0" - exit 0 + if [ -z $INSTANCE_TESTS ] + then + echo "Skipping, contributor branch not given." 
+ exit 0 fi - ./Documentation/docs_site_update.sh - - run: - name: Create Content Artifacts + ./Tests/scripts/instance_test.sh + export RETVAL=$? + cp ./Tests/failed_instances.txt $CIRCLE_ARTIFACTS/failed_instances.txt + exit $RETVAL when: always - command: | - if [ $CIRCLE_NODE_INDEX -ne 0 ] ; - then - echo "Skipping - running only in container number 0" - exit 0 - fi - demisto-sdk create-content-artifacts -a $CIRCLE_ARTIFACTS - # create zip with contents of content_new.zip and content_test.zip for use in updating content on instances - cp "$CIRCLE_ARTIFACTS/content_new.zip" "$CIRCLE_ARTIFACTS/all_content.zip" - unzip -q "$CIRCLE_ARTIFACTS/content_test.zip" -d "test_content_dir" - zip -j "$CIRCLE_ARTIFACTS/all_content.zip" test_content_dir/* - rm -r test_content_dir + - *destroy_instances + - *store_artifacts + + Demisto SDK Nightly: + <<: *container_config + resource_class: medium+ + <<: *environment + steps: + - checkout + - setup_remote_docker + - *restore_cache + - *prepare_environment + - *Secrets + - *validate_files_and_yaml + - *run_unit_testing_and_lint + - *infrastructure_testing + - *create_id_set + - *build_content_descriptor + - *common_server_documentation + - *collect_test_list_and_content_packs + - *calculate_packs_dependencies + - *update_tests_step + - *store_artifacts - run: - name: Calculate Packs Dependencies - when: always + name: Slack Notifier + shell: /bin/bash command: | - if [ $CIRCLE_NODE_INDEX -ne 0 ] ; - then - echo "Skipping - running only in container number 0" - exit 0 - fi - python3 ./Tests/Marketplace/packs_dependencies.py -i ./Tests/id_set.json -o $CIRCLE_ARTIFACTS/packs_dependencies.json - - run: - name: Run Unit Testing and Lint + ./Tests/scripts/slack_notifier.sh 'sdk_unittests' ./env_results.json + ./Tests/scripts/slack_notifier.sh 'sdk_faild_steps' ./env_results.json when: always - no_output_timeout: 5h - command: | - if [ -n "${INSTANCE_TESTS}" ] || [ $CIRCLE_NODE_INDEX -ne 1 ] ; - then - echo "Skipping - unit tests are 
running only in container number 1" - exit 0 - fi - echo "demisto-sdk version: $(demisto-sdk --version)" - echo "mypy version: $(mypy --version)" - echo "flake8 py2 version: $(python2 -m flake8 --version)" - echo "flake8 py3 version: $(python3 -m flake8 --version)" - echo "bandit py2 version: $(python2 -m bandit --version 2>&1)" - echo "bandit py3 version: $(python3 -m bandit --version 2>&1)" - echo "vulture py2 version: $(python2 -m vulture --version) 2>&1" - echo "vulture py3 version: $(python3 -m vulture --version) 2>&1" - SHOULD_LINT_ALL=$(./Tests/scripts/should_lint_all.sh) - mkdir ./unit-tests - if [ -n "$SHOULD_LINT_ALL" ]; then - echo -e "----------\nLinting all because:\n${SHOULD_LINT_ALL}\n----------" - demisto-sdk lint -p 8 -a -q --test-xml ./unit-tests --log-path ./artifacts --failure-report ./artifacts - else - demisto-sdk lint -p 8 -g -v --test-xml ./unit-tests --log-path ./artifacts --failure-report ./artifacts - fi - - store_test_results: - path: ./unit-tests - - store_artifacts: - path: artifacts - destination: artifacts - - run: - name: Verify Base Branch for Contribution - when: always - command: | - if [[ $CIRCLE_BRANCH =~ pull/[0-9]+ ]] ; - then - python3 ./Tests/scripts/verify_base_branch_for_contribution.py $CIRCLE_BRANCH - fi - - run: - name: Download Configuration - when: always - command: | - if [[ $CIRCLE_BRANCH =~ pull/[0-9]+ ]]; then - echo "Skipping instance tests for forked PRs" - exit 0 - fi - if [ $CIRCLE_NODE_INDEX -ne 0 ] ; - then - echo 'Skipping - running only in container number 0.' - exit 0; - fi - if ./Tests/scripts/is_ami.sh ; - then - ./Tests/scripts/download_demisto_conf.sh - - else - ./Tests/lastest_server_build_scripts/download_demisto_conf.sh - fi - - run: - name: Download Artifacts - when: always - command: | - if [[ $CIRCLE_BRANCH =~ pull/[0-9]+ ]]; then - echo "Skipping instance tests for forked PRs" - exit 0 - fi - if [ $CIRCLE_NODE_INDEX -ne 0 ] ; - then - echo 'Skipping - running only in container number 0.' 
- exit 0; - fi - if ./Tests/scripts/is_ami.sh ; - then - echo "Using AMI - Not downloading artifacts" - else - ./Tests/scripts/server_get_artifact.sh $SERVER_CI_TOKEN - cp demistoserver.sh ./Tests/scripts/awsinstancetool/ansibleinstall/demistoserver.sh - fi - - run: - name: Prepare Content Packs For Testing - when: always - command: | - if [ $CIRCLE_NODE_INDEX -ne 0 ] ; - then - echo 'Skipping - running only in container number 0.' - exit 0; - fi - if [[ $CIRCLE_BRANCH =~ pull/[0-9]+ ]]; then - echo "Skipping, Should not run on contributor's branch." - exit 0 - fi - ./Tests/scripts/prepare_content_packs_for_testing.sh - - store_artifacts: - path: artifacts - destination: artifacts - when: always - - run: - name: Create Instance - when: always - command: | - [ -n "${TIME_TO_LIVE}" ] && TTL=${TIME_TO_LIVE} || TTL=180 - - if [ -n "${DEMISTO_SDK_NIGHTLY}" ]; then - echo "Skipping instance tests for sdk nightly build" - exit 0 - fi - - if [[ $CIRCLE_BRANCH =~ pull/[0-9]+ ]]; then - echo "Skipping instance tests for forked PRs" - exit 0 - fi - if [ $CIRCLE_NODE_INDEX -ne 0 ] ; - then - echo 'Skipping - running only in container number 0.' - exit 0; - fi - if ./Tests/scripts/is_ami.sh ; - then - if [ -n "${NIGHTLY}" ] ; - then - export IFRA_ENV_TYPE=Nightly # disable-secrets-detection - elif [ -n "${INSTANCE_TESTS}" ] ; - then - export IFRA_ENV_TYPE="Demisto PreGA" # disable-secrets-detection - - elif [ -n "${CONTRIB_BRANCH}" ] ; - then - export IFRA_ENV_TYPE="Demisto Marketplace" # disable-secrets-detection - - else - export IFRA_ENV_TYPE=Content-Env # disable-secrets-detection - fi - python3 ./Tests/scripts/awsinstancetool/aws_instance_tool.py -envType "$IFRA_ENV_TYPE" -timetolive $TTL -outfile ./env_results.json - - else - . 
./Tests/scripts/server_get_artifact.sh $SERVER_CI_TOKEN - python3 ./Tests/scripts/awsinstancetool/aws_instance_tool.py -envType CustomBuild -custombuild true -circleurl $SERVER_DOWNLOAD_LINK -circleToken $SERVER_CI_TOKEN -timetolive $TTL -outfile ./env_results.json - fi - - run: - name: Setup Instance - when: always - command: | - if [ -n "${DEMISTO_SDK_NIGHTLY}" ]; then - echo "Skipping instance tests for sdk nightly build" - exit 0 - fi - - if [[ $CIRCLE_BRANCH =~ pull/[0-9]+ ]]; then - echo "Skipping instance tests for forked PRs" - exit 0 - fi - if [ $CIRCLE_NODE_INDEX -ne 0 ] ; - then - echo 'Skipping - running only in container number 0.' - exit 0; - fi - if ./Tests/scripts/is_ami.sh ; - then - python3 ./Tests/scripts/run_content_installation.py - else - ./Tests/lastest_server_build_scripts/run_installer_on_instance.sh - fi - python3 ./Tests/scripts/wait_until_server_ready.py - - run: - name: Run Tests - Server 4.1 - shell: /bin/bash - when: always - command: | - if [ -n "${DEMISTO_SDK_NIGHTLY}" ]; then - echo "Skipping instance tests for sdk nightly build" - exit 0 - fi - - if [[ $CIRCLE_BRANCH =~ pull/[0-9]+ ]]; then - echo "Skipping instance tests for forked PRs" - exit 0 - fi - if [ -n "${INSTANCE_TESTS}" ] || [ $CIRCLE_NODE_INDEX -ne 0 ] || [ -n "${NIGHTLY}" ] || [ -n "${CONTRIB_BRANCH}" ]; - then - echo "Skipping - not running in INSTANCE_TESTS build, unit-tests container, Nightly run or contributor branch" - exit 0 - fi - export TEMP=$(cat ./Tests/filter_envs.json | jq '."Demisto two before GA"') - echo "Demisto two before GA filter=$TEMP" - if [[ "$TEMP" == "false" ]]; - then - echo "Skipping - instance was not setup" - exit 0 - fi - if ./Tests/scripts/is_ami.sh ; - then - ./Tests/scripts/run_tests.sh "Demisto two before GA" - - else - echo "Not AMI run, can't run on this version" - fi - - run: - name: Run Tests - Server 4.5 - shell: /bin/bash - when: always - command: | - if [ -n "${DEMISTO_SDK_NIGHTLY}" ]; then - echo "Skipping instance tests for 
sdk nightly build" - exit 0 - fi - - if [[ $CIRCLE_BRANCH =~ pull/[0-9]+ ]]; then - echo "Skipping instance tests for forked PRs" - exit 0 - fi - if [ -n "${INSTANCE_TESTS}" ] || [ $CIRCLE_NODE_INDEX -ne 0 ] || [ -n "${NIGHTLY}" ] || [ -n "${CONTRIB_BRANCH}" ]; - then - echo "Skipping - not running in INSTANCE_TESTS build, unit-tests container, Nightly run or contributor branch" - exit 0 - fi - export TEMP=$(cat ./Tests/filter_envs.json | jq '."Demisto one before GA"') - echo "Demisto one before GA filter=$TEMP" - if [[ "$TEMP" == "false" ]]; - then - echo "Skipping - instance was not setup" - exit 0 - fi - if ./Tests/scripts/is_ami.sh ; - then - ./Tests/scripts/run_tests.sh "Demisto one before GA" - - else - echo "Not AMI run, can't run on this version" - fi - - run: - name: Run Tests - Server 5.0 - shell: /bin/bash - when: always - command: | - if [ -n "${DEMISTO_SDK_NIGHTLY}" ]; then - echo "Skipping instance tests for sdk nightly build" - exit 0 - fi - - if [[ $CIRCLE_BRANCH =~ pull/[0-9]+ ]]; then - echo "Skipping instance tests for forked PRs" - exit 0 - fi - if [ -n "${INSTANCE_TESTS}" ] || [ $CIRCLE_NODE_INDEX -ne 0 ] || [ -n "${NIGHTLY}" ] || [ -n "${CONTRIB_BRANCH}" ]; - then - echo "Skipping - not running in INSTANCE_TESTS build, unit-tests container, Nightly run or on contributor branch" - exit 0 - fi - export TEMP=$(cat ./Tests/filter_envs.json | jq '."Demisto GA"') - echo "Demisto GA filter=$TEMP" - if [[ "$TEMP" == "false" ]]; - then - echo "Skipping - instance was not setup" - exit 0 - fi - if ./Tests/scripts/is_ami.sh ; - then - ./Tests/scripts/run_tests.sh "Demisto GA" - - else - ./Tests/scripts/run_tests.sh "master" - fi - - run: - name: Run Tests - Server 5.5 - shell: /bin/bash - when: always - command: | - if [ -n "${DEMISTO_SDK_NIGHTLY}" ]; then - echo "Skipping instance tests for sdk nightly build" - exit 0 - fi - - if [[ $CIRCLE_BRANCH =~ pull/[0-9]+ ]]; then - echo "Skipping instance tests for forked PRs" - exit 0 - fi - if [ -n 
"${INSTANCE_TESTS}" ] || [ $CIRCLE_NODE_INDEX -ne 0 ] || [ -n "${NIGHTLY}" ] || [ -n "${CONTRIB_BRANCH}" ]; - then - echo "Skipping - not running in INSTANCE_TESTS build, unit-tests container, Nightly run or contributor branch" - exit 0 - fi - export TEMP=$(cat ./Tests/filter_envs.json | jq '."Demisto PreGA"') - echo "Demisto PreGA filter=$TEMP" - if [[ "$TEMP" == "false" ]]; - then - echo "Skipping - instance was not setup" - exit 0 - fi - if ./Tests/scripts/is_ami.sh ; - then - ./Tests/scripts/run_tests.sh "Demisto PreGA" - export RETVAL=$? - cp ./Tests/failed_tests.txt $CIRCLE_ARTIFACTS/failed_tests.txt - exit $RETVAL - - else - echo "Not AMI run, can't run on this version" - fi - - run: - name: Run Tests - Demisto Marketplace - shell: /bin/bash - when: always - no_output_timeout: 5h - command: | - if [ -n "${DEMISTO_SDK_NIGHTLY}" ]; then - echo "Skipping instance tests for sdk nightly build" - exit 0 - fi - - if [[ $CIRCLE_BRANCH =~ pull/[0-9]+ ]]; then - echo "Skipping instance tests for forked PRs" - exit 0 - fi - if [ -n "${INSTANCE_TESTS}" ] || [ $CIRCLE_NODE_INDEX -ne 0 ]; - then - echo "Skipping - not running in INSTANCE_TESTS build or unit-tests container" - exit 0 - fi - export TEMP=$(cat ./Tests/filter_envs.json | jq '."Demisto Marketplace"') - echo "Demisto Marketplace filter=$TEMP" - if [[ "$TEMP" == "false" ]]; - then - echo "Skipping - instance was not setup" - exit 0 - fi - if ./Tests/scripts/is_ami.sh ; - then - ./Tests/scripts/run_tests.sh "Demisto Marketplace" - export RETVAL=$? 
- cp ./Tests/failed_tests.txt $CIRCLE_ARTIFACTS/failed_tests.txt - exit $RETVAL - - else - echo "Not AMI run, can't run on this version" - fi - - store_artifacts: - path: artifacts - destination: artifacts - when: always - - run: - name: Slack Notifier - shell: /bin/bash - command: | - if [[ $CIRCLE_BRANCH =~ pull/[0-9]+ ]]; then - echo "Skipping instance tests for forked PRs" - exit 0 - fi - if [ -n "${INSTANCE_TESTS}" ] ; - then - echo "Skipping - not running in INSTANCE_TESTS build" - exit 0 - fi - ./Tests/scripts/slack_notifier.sh $CIRCLE_NODE_INDEX ./env_results.json - - when: always - - run: - name: Instance Test - command: | - if [ -n "${INSTANCE_TESTS}" ] && [ $CIRCLE_NODE_INDEX -ne 1 ] ; - then - ./Tests/scripts/instance_test.sh - export RETVAL=$? - cp ./Tests/failed_instances.txt $CIRCLE_ARTIFACTS/failed_instances.txt - exit $RETVAL - else - echo "Skipping instance tests" - exit 0 - fi - when: always - - run: - name: Destroy Instances - command: | - if [ -n "${DEMISTO_SDK_NIGHTLY}" ]; then - echo "Skipping instance tests for sdk nightly build" - exit 0 - fi - - if [[ $CIRCLE_BRANCH =~ pull/[0-9]+ ]]; then - echo "Skipping instance tests for forked PRs" - exit 0 - fi - if [ -n "${TIME_TO_LIVE}" ] - then - echo "Skipping - Time to live was set to $TIME_TO_LIVE minutes" - exit 0 - fi - if [ $CIRCLE_NODE_INDEX -ne 0 ] ; - then - echo 'Skipping - running only in container number 0.' 
- exit 0; - else - python3 ./Tests/scripts/destroy_instances.py $CIRCLE_ARTIFACTS ./env_results.json - - export PSWD=$(jq .serverLogsZipPassword < $(cat secret_conf_path) | cut -d \" -f 2) - zip -P $PSWD $CIRCLE_ARTIFACTS/ServerLogs.zip $CIRCLE_ARTIFACTS/server*.log - rm -f $CIRCLE_ARTIFACTS/server*.log - fi - when: always - - run: - name: Upload Packs To Marketplace Storage - command: | - if [ -n "${DEMISTO_SDK_NIGHTLY}" ]; then - echo "Skipping instance tests for sdk nightly build" - exit 0 - fi - - if [[ $CIRCLE_BRANCH != master ]]; then - echo "Skipping packs uploading on non master branch" - exit 0 - fi - - if [ $CIRCLE_NODE_INDEX -ne 0 ] ; - then - echo 'Skipping - running only in container number 0.' - exit 0; - fi - EXTRACT_FOLDER=$(mktemp -d) - PACK_ARTIFACTS=$CIRCLE_ARTIFACTS/content_packs.zip - PACKS_DEPENDENCIES=$CIRCLE_ARTIFACTS/packs_dependencies.json - ID_SET=$CIRCLE_ARTIFACTS/id_set.json - GCS_PATH=$(mktemp) - echo $GCS_MARKET_KEY > $GCS_PATH - python3 ./Tests/Marketplace/upload_packs.py -a $PACK_ARTIFACTS -e $EXTRACT_FOLDER -b 'marketplace-dist' -d $PACKS_DEPENDENCIES -i $ID_SET -s $GCS_PATH -n $CIRCLE_BUILD_NUM -k $PACK_SIGNING_KEY -pb 'marketplace-dist-private' - rm $GCS_PATH - when: on_success - - run: - name: Zip Content Packs From GCS - command: | - if [[ $CIRCLE_BRANCH != master ]]; then - echo "Skipping packs zipping on non master branch" - exit 0 - fi - - if [ $CIRCLE_NODE_INDEX -ne 0 ] ; - then - echo 'Skipping - running only in container number 0.' 
- exit 0; - fi - GCS_PATH=$(mktemp) - ZIP_FOLDER=$(mktemp -d) - echo $GCS_MARKET_KEY > $GCS_PATH - python3 ./Tests/Marketplace/zip_packs.py -b 'marketplace-dist' -z $ZIP_FOLDER -a $CIRCLE_ARTIFACTS -s $GCS_PATH -gp content/packs -rt False - rm $GCS_PATH - when: always - - store_artifacts: - path: artifacts - destination: artifacts - when: always - - run: - name: Store Artifacts to GCS - command: ./Tests/scripts/upload_artifacts.sh - when: always - - Prepare Environment: - <<: *container_config - resource_class: medium+ - <<: *environment - steps: - - checkout - - setup_remote_docker - - *restore_cache - - *prepare_environment - - save_cache: - paths: - - venv - - node_modules - key: venv-{{ checksum "dev-requirements-py2.txt" }}-{{ checksum "dev-requirements-py3.txt" }}-{{ checksum ".circleci/build-requirements.txt" }}-{{ checksum "package-lock.json" }} - - *add_ssh_keys - - *persist_to_workspace - - Run Unit Testing And Lint: - <<: *container_config - resource_class: medium+ - <<: *environment - steps: - - *attach_workspace - - setup_remote_docker - - *restore_cache - - *add_ssh_keys - - *prepare_environment - - run: - name: Infrastructure testing - when: always - command: | - python3 -m pytest ./Tests/scripts/infrastructure_tests/ -v - python3 -m pytest ./Tests/Marketplace/Tests/ -v - - if [ -n "${DEMISTO_SDK_NIGHTLY}" ] ; then - ./Tests/scripts/sdk_pylint_check.sh - fi - exit 0 - - run: - name: Run Unit Testing and Lint - when: always - no_output_timeout: 5h - command: | - echo "demisto-sdk version: $(demisto-sdk --version)" - echo "mypy version: $(mypy --version)" - echo "flake8 py2 version: $(python2 -m flake8 --version)" - echo "flake8 py3 version: $(python3 -m flake8 --version)" - echo "bandit py2 version: $(python2 -m bandit --version 2>&1)" - echo "bandit py3 version: $(python3 -m bandit --version 2>&1)" - echo "vulture py2 version: $(python2 -m vulture --version) 2>&1" - echo "vulture py3 version: $(python3 -m vulture --version) 2>&1" - 
SHOULD_LINT_ALL=$(./Tests/scripts/should_lint_all.sh) - mkdir ./unit-tests - if [ -n "$SHOULD_LINT_ALL" ]; then - echo -e "----------\nLinting all because:\n${SHOULD_LINT_ALL}\n----------" - demisto-sdk lint -p 8 -a -q --test-xml ./unit-tests --log-path ./artifacts --failure-report ./artifacts - else - demisto-sdk lint -p 8 -g -v --test-xml ./unit-tests --log-path ./artifacts --failure-report ./artifacts - fi - - store_test_results: - path: ./unit-tests - - run: - name: Slack Notifier - shell: /bin/bash - command: | - ./Tests/scripts/slack_notifier.sh 'unittests' ./env_results.json - when: always - - *store_artifacts - Run Validations: - <<: *container_config - resource_class: medium+ - <<: *environment - steps: - - *attach_workspace - - setup_remote_docker - - *restore_cache - - *add_ssh_keys - - *prepare_environment - - run: - name: Secrets - when: always - command: | - demisto-sdk secrets --post-commit --ignore-entropy - - run: - name: Validate Files and Yaml - when: always - command: | - if [ -n "${NIGHTLY}" ]; - then - echo "Skipping - not running in Nightly run" - exit 0 - fi - # Run flake8 on all excluding Packs (Integraions and Scripts) - they will be handled in linting - ./Tests/scripts/pyflake.sh *.py - find . -maxdepth 1 -type d -not \( -path . -o -path ./Packs -o -path ./venv \) | xargs ./Tests/scripts/pyflake.sh - - [ -n "${BACKWARD_COMPATIBILITY}" ] && CHECK_BACKWARD="false" || CHECK_BACKWARD="true" - ./Tests/scripts/validate.sh - - run: - name: Content Docs Site - when: always - command: | - ./Documentation/docs_site_update.sh - - run: - name: Spell Checks - command: | - python3 ./Tests/scripts/circleci_spell_checker.py $CIRCLE_BRANCH - - run: - name: Check if CircleCI's config file is up to date - when: always - command: | - if [[ $CIRCLE_BRANCH =~ pull/[0-9]+ ]]; then - echo "Skipping, Should not run on contributor's branch." 
- exit 0 - fi - # Checks if there's any diff from master - if [[ `git diff origin/master -- .circleci/config.yml` ]]; then - # Checks if part of the branch's changes - if [[ -z `git diff origin/master..."$CIRCLE_BRANCH" --name-only | grep .circleci/config.yml` ]]; then - echo ".circleci/config.yml has been changed. Merge from master" - exit 1 - else - echo ".circleci/config.yml is part of the branch changes, proceeding" - exit 0 - fi - else - echo ".circleci/config.yml is up to date!" - fi - - run: - name: Verify Base Branch for Contribution - when: always - command: | - if [[ $CIRCLE_BRANCH =~ pull/[0-9]+ ]] ; - then - python3 ./Tests/scripts/verify_base_branch_for_contribution.py $CIRCLE_BRANCH - fi - Create Instances: - <<: *container_config - resource_class: medium+ - <<: *environment - steps: - - checkout - - setup_remote_docker - - *restore_cache - - *prepare_environment - - *restore_cache - - *add_ssh_keys - - *prepare_environment - - run: - name: Update Tests step - when: always - command: | - python3 ./Tests/scripts/update_conf_json.py - cp "./Tests/conf.json" "$CIRCLE_ARTIFACTS/conf.json" - - run: - name: Create ID Set - when: always - command: | - demisto-sdk create-id-set -o ./Tests/id_set.json - - run: - name: Build Content Descriptor - when: always - command: | - if [ -n "${GITHUB_TOKEN}" ] ; - then - # new release notes summary generator in packs format - python3 Utils/release_notes_generator.py $CONTENT_VERSION $GIT_SHA1 $CIRCLE_BUILD_NUM --output $CIRCLE_ARTIFACTS/packs-release-notes.md --github-token $GITHUB_TOKEN - else - # new release notes summary generator in packs format - python3 Utils/release_notes_generator.py $CONTENT_VERSION $GIT_SHA1 $CIRCLE_BUILD_NUM --output $CIRCLE_ARTIFACTS/packs-release-notes.md - fi - - run: - name: Common Server Documentation - when: always - command: | - ./Documentation/commonServerDocs.sh - - *create_artifact - - run: - name: Download Configuration - when: always - command: | - if ./Tests/scripts/is_ami.sh ; - 
then - ./Tests/scripts/download_demisto_conf.sh - - else - ./Tests/lastest_server_build_scripts/download_demisto_conf.sh - fi - - run: - name: Download Artifacts - when: always - command: | - if ./Tests/scripts/is_ami.sh ; - then - echo "Using AMI - Not downloading artifacts" - - else - ./Tests/scripts/server_get_artifact.sh $SERVER_CI_TOKEN - cp demistoserver.sh ./Tests/scripts/awsinstancetool/ansibleinstall/demistoserver.sh - fi - - run: - name: Collect Test List And Content Packs - when: always - command: | - if [ -n "${INSTANCE_TESTS}" ]; - then - echo "Skipping - not running in INSTANCE_TESTS build" - exit 0 - fi - - [ -n "${NIGHTLY}" ] && IS_NIGHTLY=true || IS_NIGHTLY=false - python3 ./Tests/scripts/collect_tests_and_content_packs.py -n $IS_NIGHTLY - - run: - name: Calculate Packs Dependencies - when: always - command: | - python3 ./Tests/Marketplace/packs_dependencies.py -i ./Tests/id_set.json -o $CIRCLE_ARTIFACTS/packs_dependencies.json - - run: - name: Prepare Content Packs For Testing - when: always - command: | - ./Tests/scripts/prepare_content_packs_for_testing.sh - echo "$CIRCLE_BUILD_NUM" > create_instances_build_num.txt # so that later jobs in this workflow could configure the right path - - run: - name: Zip Content Packs From GCS - command: | - GCS_PATH=$(mktemp) - ZIP_FOLDER=$(mktemp -d) - echo $GCS_MARKET_KEY > $GCS_PATH - python3 ./Tests/Marketplace/zip_packs.py -b 'marketplace-ci-build' -z $ZIP_FOLDER -a $CIRCLE_ARTIFACTS -s $GCS_PATH -n $CIRCLE_BUILD_NUM -br $CIRCLE_BRANCH - rm $GCS_PATH - when: always - - run: - name: Store Artifacts to GCS - command: ./Tests/scripts/upload_artifacts.sh - when: always - - run: - name: Create Instance - when: always - command: | - if ./Tests/scripts/is_ami.sh ; - then - if [ -n "${NIGHTLY}" ] ; - then - export IFRA_ENV_TYPE=Nightly # disable-secrets-detection - elif [ -n "${INSTANCE_TESTS}" ] ; - then - export IFRA_ENV_TYPE="Demisto PreGA" # disable-secrets-detection - - else - export IFRA_ENV_TYPE=Content-Env 
# disable-secrets-detection - fi - python3 ./Tests/scripts/awsinstancetool/aws_instance_tool.py -envType "$IFRA_ENV_TYPE" -outfile ./env_results.json - - else - . ./Tests/scripts/server_get_artifact.sh $SERVER_CI_TOKEN - python3 ./Tests/scripts/awsinstancetool/aws_instance_tool.py -envType CustomBuild -custombuild true -circleurl $SERVER_DOWNLOAD_LINK -circleToken $SERVER_CI_TOKEN -outfile ./env_results.json - fi - - run: - name: Setup Instance - when: always - command: | - if ./Tests/scripts/is_ami.sh ; - then - python3 ./Tests/scripts/run_content_installation.py - else - ./Tests/lastest_server_build_scripts/run_installer_on_instance.sh - fi - - *store_artifacts - - *persist_to_workspace - Server 4_1: - <<: *container_config - resource_class: medium+ - <<: *environment - steps: - - setup_remote_docker - - *attach_workspace - - *restore_cache - - *add_ssh_keys - - *prepare_environment - - run: - name: Wait until server ready - shell: /bin/bash - when: always - command: | - python3 ./Tests/scripts/wait_until_server_ready.py "Demisto two before GA" - - run: - name: Run Tests - Server 4.1 - shell: /bin/bash - when: always - command: | - echo 'export INSTANCE_ROLE="Demisto two before GA"' >> $BASH_ENV - source $BASH_ENV - export TEMP=$(cat ./Tests/filter_envs.json | jq '."$INSTANCE_ROLE"') - echo "$INSTANCE_ROLE filter=$TEMP" - if [[ "$TEMP" == "false" ]]; - then - echo "Skipping - instance was not setup" - exit 0 - fi - if ./Tests/scripts/is_ami.sh ; - then - ./Tests/scripts/run_tests.sh "$INSTANCE_ROLE" - - else - echo "Not AMI run, can't run on this version" - fi - - *destroy_instances - - *store_artifacts - Server 4_5: - <<: *container_config - resource_class: medium+ - <<: *environment - steps: - - setup_remote_docker - - *attach_workspace - - *add_ssh_keys - - *prepare_environment - - run: - name: Wait until server ready - shell: /bin/bash - when: always - command: | - python3 ./Tests/scripts/wait_until_server_ready.py "Demisto one before GA" - - run: - name: Run 
Tests - Server 4.5 - shell: /bin/bash - when: always - command: | - echo 'export INSTANCE_ROLE="Demisto one before GA"' >> $BASH_ENV - source $BASH_ENV - export TEMP=$(cat ./Tests/filter_envs.json | jq '."$INSTANCE_ROLE"') - echo "$INSTANCE_ROLE filter=$TEMP" - if [[ "$TEMP" == "false" ]]; - then - echo "Skipping - instance was not setup" - exit 0 - fi - if ./Tests/scripts/is_ami.sh ; - then - ./Tests/scripts/run_tests.sh "$INSTANCE_ROLE" - - else - echo "Not AMI run, can't run on this version" - fi - - *destroy_instances - - *store_artifacts - Server 5_0: - <<: *container_config - resource_class: medium+ - <<: *environment - steps: - - *attach_workspace - - setup_remote_docker - - *restore_cache - - *add_ssh_keys - - *prepare_environment - - run: - name: Wait until server ready - shell: /bin/bash - when: always - command: | - if ./Tests/scripts/is_ami.sh ; - then - python3 ./Tests/scripts/wait_until_server_ready.py "Demisto GA" - else - python3 ./Tests/scripts/wait_until_server_ready.py "Demisto" - fi - - run: - name: Run Tests - Server 5.0 - shell: /bin/bash - when: always - command: | - export TEMP=$(cat ./Tests/filter_envs.json | jq '."Demisto GA"') - echo "Demisto GA filter=$TEMP" - if [[ "$TEMP" == "false" ]]; - then - echo "Skipping - instance was not setup" - exit 0 - fi - if ./Tests/scripts/is_ami.sh ; - then - echo 'export INSTANCE_ROLE="Demisto GA"' >> $BASH_ENV - else - 'export INSTANCE_ROLE="master"' >> $BASH_ENV - fi - source $BASH_ENV - ./Tests/scripts/run_tests.sh "$INSTANCE_ROLE" - - - *destroy_instances - - *store_artifacts - Server 5_5: - <<: *container_config - resource_class: medium+ - <<: *environment - steps: - - setup_remote_docker - - *attach_workspace - - *add_ssh_keys - - *prepare_environment - - run: - name: Wait until server ready - shell: /bin/bash - when: always - command: | - python3 ./Tests/scripts/wait_until_server_ready.py "Demisto PreGA" - - run: - name: Run Tests - 5.5 - shell: /bin/bash - when: always - command: | - echo 
'export INSTANCE_ROLE="Demisto PreGA"' >> $BASH_ENV - source $BASH_ENV - export TEMP=$(cat ./Tests/filter_envs.json | jq '."$INSTANCE_ROLE"') - echo "$INSTANCE_ROLE filter=$TEMP" - if [[ "$TEMP" == "false" ]]; - then - echo "Skipping - instance was not setup" - exit 0 - fi - if ./Tests/scripts/is_ami.sh ; - then - ./Tests/scripts/run_tests.sh "$INSTANCE_ROLE" - export RETVAL=$? - cp ./Tests/failed_tests.txt $CIRCLE_ARTIFACTS/failed_tests.txt - exit $RETVAL - - else - echo "Not AMI run, can't run on this version" - fi - - run: - name: Slack Notifier - shell: /bin/bash - command: | - ./Tests/scripts/slack_notifier.sh 'test_playbooks' ./env_results.json - when: always - - *destroy_instances - - *store_artifacts - Server 6_0: - <<: *container_config - resource_class: medium+ - <<: *environment - steps: - - setup_remote_docker - - *attach_workspace - - *add_ssh_keys - - *prepare_environment - - run: - name: Wait until server ready - shell: /bin/bash - when: always - command: | - python3 ./Tests/scripts/wait_until_server_ready.py "Demisto Marketplace" - - run: - name: Run Tests - Demisto 6.0 - shell: /bin/bash - when: always - no_output_timeout: 5h - command: | - echo 'export INSTANCE_ROLE="Demisto Marketplace"' >> $BASH_ENV - source $BASH_ENV - export TEMP=$(cat ./Tests/filter_envs.json | jq '."$INSTANCE_ROLE"') - echo "$INSTANCE_ROLE filter=$TEMP" - if [[ "$TEMP" == "false" ]]; - then - echo "Skipping - instance was not setup" - exit 0 - fi - if ./Tests/scripts/is_ami.sh ; - then - ./Tests/scripts/run_tests.sh "$INSTANCE_ROLE" - export RETVAL=$? 
- cp ./Tests/failed_tests.txt $CIRCLE_ARTIFACTS/failed_tests.txt - exit $RETVAL - else - echo "Not AMI run, can't run on this version" - fi - - run: - name: Upload Packs To Marketplace Storage - command: | - if [[ $CIRCLE_BRANCH != master ]]; then - echo "Skipping packs uploading on non master branch" - exit 0 - fi - EXTRACT_FOLDER=$(mktemp -d) - PACK_ARTIFACTS=$CIRCLE_ARTIFACTS/content_packs.zip - PACKS_DEPENDENCIES=$CIRCLE_ARTIFACTS/packs_dependencies.json - ID_SET=$CIRCLE_ARTIFACTS/id_set.json - GCS_PATH=$(mktemp) - echo $GCS_MARKET_KEY > $GCS_PATH - python3 ./Tests/Marketplace/upload_packs.py -a $PACK_ARTIFACTS -e $EXTRACT_FOLDER -b 'marketplace-dist' -d $PACKS_DEPENDENCIES -i $ID_SET -s $GCS_PATH -n $CIRCLE_BUILD_NUM -k $PACK_SIGNING_KEY -pb 'marketplace-dist-private' - rm $GCS_PATH - when: on_success - - *destroy_instances - - *store_artifacts - Instance Test: - <<: *container_config - resource_class: medium+ - <<: *environment - steps: - - setup_remote_docker - - *attach_workspace - - *add_ssh_keys - - *prepare_environment - - run: - name: Wait until server ready - shell: /bin/bash - when: always - command: | - python3 ./Tests/scripts/wait_until_server_ready.py "Demisto PreGA" - echo 'export INSTANCE_ROLE="Demisto PreGA"' >> $BASH_ENV - source $BASH_ENV - - run: - name: Instance Test - command: | - ./Tests/scripts/instance_test.sh - export RETVAL=$? 
- cp ./Tests/failed_instances.txt $CIRCLE_ARTIFACTS/failed_instances.txt - exit $RETVAL - when: always - - *destroy_instances - - *store_artifacts workflows: version: 2 commit: jobs: - - build + - Prepare Environment + - Create Instances: + filters: + branches: + ignore: /pull\/[0-9]+/ + - Run Unit Testing And Lint: + requires: + - Prepare Environment + - Run Validations: + requires: + - Prepare Environment + - Server 4_1: + filters: + branches: + ignore: /pull\/[0-9]+/ + requires: + - Create Instances + - Server 4_5: + filters: + branches: + ignore: /pull\/[0-9]+/ + requires: + - Create Instances + - Server 5_0: + filters: + branches: + ignore: /pull\/[0-9]+/ + requires: + - Create Instances + - Server 5_5: + filters: + branches: + ignore: /pull\/[0-9]+/ + requires: + - Create Instances + - Server 6_0: + filters: + branches: + ignore: /pull\/[0-9]+/ + requires: + - Create Instances + - Instance Test: + requires: + - Create Instances instances_testing: # for details of triggered builds see https://circleci.com/docs/2.0/workflows/#nightly-example @@ -1333,8 +889,12 @@ workflows: only: - master jobs: - - build: + - Create Instances: context: instances_test_env + - Instance Test: + context: instances_test_env + requires: + - Create Instances nightly: triggers: @@ -1345,37 +905,13 @@ workflows: branches: only: - master - jobs: - - build: - context: nightly_env - sdk_nightly: - triggers: - - schedule: - # should trigger every day at 12 AM UTC (3 AM Israel Time) - cron: "0 0 * * *" - filters: - branches: - only: - - master - jobs: - - build: - context: sdk_nightly_env - - nightly-workflows: - triggers: - - schedule: - # should trigger every day at 20:00 PM UTC (11:00 PM Israel Time) - cron: "0 20 * * *" - filters: - branches: - only: - - config_yaml jobs: - Prepare Environment: context: nightly_env - Create Instances: context: nightly_env - Run Unit Testing And Lint: + context: nightly_env requires: - Prepare Environment - Run Validations: 
@@ -1385,3 +921,17 @@ workflows: requires: - Create Instances context: nightly_env + + sdk_nightly: + triggers: + - schedule: + # should trigger every day at 12 AM UTC (3 AM Israel Time) + cron: "0 0 * * *" + filters: + branches: + only: + - master + jobs: + - Demisto SDK Nightly: + context: sdk_nightly_env + diff --git a/Documentation/docs_site_update.sh b/Documentation/docs_site_update.sh index df6292b201fd..1d7a09ba83ee 100755 --- a/Documentation/docs_site_update.sh +++ b/Documentation/docs_site_update.sh @@ -22,7 +22,7 @@ elif [ "$CIRCLE_BRANCH" == "master" ]; then if [ -z "$CIRCLE_COMPARE_URL" ]; then DIFF_COMPARE="HEAD^1...HEAD" else - DIFF_COMPARE=$(echo "$CIRCLE_COMPARE_URL" | sed 's:^.*/compare/::g') + DIFF_COMPARE=$(echo "$CIRCLE_COMPARE_URL" | sed 's:^.*/compare/::g') if [ -z "${DIFF_COMPARE}" ]; then echo "Failed: extracting diff compare from CIRCLE_COMPARE_URL: ${CIRCLE_COMPARE_URL}. Fail.." exit 1 diff --git a/Packs/AccessInvestigation/README.md b/Packs/AccessInvestigation/README.md index e69de29bb2d1..519c6af9e903 100644 --- a/Packs/AccessInvestigation/README.md +++ b/Packs/AccessInvestigation/README.md 
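Review bot: The new `sdk_nightly` workflow schedules a job named `Demisto SDK Nightly` that is not defined anywhere in the visible part of this diff, and CircleCI rejects a config whose workflow references an undeclared job; the old `sdk_nightly` workflow (removed in the previous hunk) ran the monolithic `build` job, so this name appears to be new. Worth confirming a `Demisto SDK Nightly:` entry exists under `jobs:` earlier in the file before merging. The hunk also appends a bare `+` blank line at end of file, which is harmless but will be flagged by trailing-whitespace linting.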
@@ -0,0 +1,20 @@ +An unauthorised access to a cloud asset, a server or a physical endpoint can compromise an entire organization. +Access investigations require security teams to reconcile data from multiple sources, gather user and network data, and communicate with users and other relevant parties. Valuable time is lost shuttling between screens and executing repeatable tasks while an attack continues to manifest. +This Access Investigation content pack contains the ‘Access Investigation - Generic’ playbook, that automates response to an unauthorised access incident. The pack also contains the corresponding custom Access incident type to facilitate analyst investigation. +The Access playbook orchestrates across multiple products to extract and enrich IOCs, interact with the suspected user and calculate the incident’s severity. + + +##### What does this pack do? +The playbooks included in this pack help you save time and automate repetitive tasks associated with Malware incidents: +- Create an Access incident within Cortex XSOAR associated with the unauthorized access. +- Extract and enrich user information, and retrieve the user’s manager details. +- Extract and enrich IP information. +- Interact with the user to gather more information regarding the suspected access. +- Calculate the incident’s severity based on the enriched information and information received from the user. +- Assign the investigation to an analyst. + +As part of this pack, you will also get out-of-the-box Access incident type, which is easily customizable to suit the needs of your organization. + +_For more information, visit our [Cortex XSOAR Developer Docs](https://xsoar.pan.dev/docs/reference/playbooks/access-investigation---generic)_ + +![Access_Investigation_-_Generic](https://raw.githubusercontent.com/demisto/content/a5e419535b376b08764f65670c24ea364072e869/Packs/AccessInvestigation/doc_files/Access_Investigation_-_Generic_4_5.png) 
diff --git a/Packs/AccessInvestigation/ReleaseNotes/1_1_3.md b/Packs/AccessInvestigation/ReleaseNotes/1_1_3.md new file mode 100644 index 000000000000..e43e9209459b --- /dev/null +++ b/Packs/AccessInvestigation/ReleaseNotes/1_1_3.md @@ -0,0 +1,3 @@ + \ No newline at end of file diff --git a/Packs/AccessInvestigation/pack_metadata.json b/Packs/AccessInvestigation/pack_metadata.json index adfed798b3ec..36d2cffe4760 100644 --- a/Packs/AccessInvestigation/pack_metadata.json +++ b/Packs/AccessInvestigation/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Access Investigation", "description": "Investigates an access incident by gathering user and IP information and interacting with the user to confirm whether or not they initiated the access action.", "support": "xsoar", - "currentVersion": "1.1.2", + "currentVersion": "1.1.3", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/ApiModules/.secrets-ignore b/Packs/ApiModules/.secrets-ignore index f798a8843c7c..c33c47d36a8b 100644 --- a/Packs/ApiModules/.secrets-ignore +++ b/Packs/ApiModules/.secrets-ignore @@ -1713,3 +1713,20 @@ https://ipstack1.com https://ipstack2.com https://localhost https://docs..org +51.81.53.159 +51.75.71.205 +45.142.213.11 +117.141.112.155 +134.209.37.102 +144.91.106.47 +141.98.81.208 +45.143.220.246 +89.163.242.76 +23.129.64.217 +140.224.183.58 +195.123.227.186 +67.207.94.201 +157.245.250.190 +173.212.206.89 +104.168.173.252 +161.35.22.86 diff --git a/Packs/ApiModules/ReleaseNotes/1_0_3.md b/Packs/ApiModules/ReleaseNotes/1_0_3.md new file mode 100644 index 000000000000..8a6bc6756795 --- /dev/null +++ b/Packs/ApiModules/ReleaseNotes/1_0_3.md @@ -0,0 +1,4 @@ + +#### Scripts +##### CSVFeedApiModule +Added the *Tags* parameter. diff --git a/Packs/ApiModules/Scripts/CSVFeedApiModule/CSVFeedApiModule.py b/Packs/ApiModules/Scripts/CSVFeedApiModule/CSVFeedApiModule.py index f975248c7bb4..63958424d463 100644 
--- a/Packs/ApiModules/Scripts/CSVFeedApiModule/CSVFeedApiModule.py +++ b/Packs/ApiModules/Scripts/CSVFeedApiModule/CSVFeedApiModule.py @@ -7,18 +7,20 @@ import gzip import urllib3 from dateutil.parser import parse -from typing import Optional, Pattern, Dict, Any, Tuple, Union +from typing import Optional, Pattern, Dict, Any, Tuple, Union, List # disable insecure warnings urllib3.disable_warnings() +# Globals + class Client(BaseClient): def __init__(self, url: str, feed_url_to_config: Optional[Dict[str, dict]] = None, fieldnames: str = '', insecure: bool = False, credentials: dict = None, ignore_regex: str = None, encoding: str = 'latin-1', delimiter: str = ',', doublequote: bool = True, escapechar: str = '', quotechar: str = '"', skipinitialspace: bool = False, polling_timeout: int = 20, proxy: bool = False, - **kwargs): + feedTags: Optional[str] = None, **kwargs): """ :param url: URL of the feed. :param feed_url_to_config: for each URL, a configuration of the feed that contains @@ -60,6 +62,7 @@ def __init__(self, url: str, feed_url_to_config: Optional[Dict[str, dict]] = Non :param polling_timeout: timeout of the polling request in seconds. Default: 20 :param proxy: Sets whether use proxy when sending requests """ + self.tags: List[str] = argToList(feedTags) if not credentials: credentials = {} 
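Review bot: The added `# Globals` comment introduces an empty section with nothing under it and should be dropped, or the tag-related constant it presumably announces should be placed there. The new `feedTags: Optional[str] = None` annotation also disagrees with the tests later in this patch, which call `Client(..., feedTags=tags)` with a list; since the value is fed straight to `argToList`, annotate it as `Optional[Union[str, List[str]]] = None` (both names are already imported on the changed `typing` line) so mypy reflects the accepted input. The `__init__` signature continues past the end of this hunk.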
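Review bot: The `feedTags` constructor parameter is not documented: the `:param` list in the `__init__` docstring ends at `:param proxy:` immediately above the added `self.tags` line. Add an entry such as `:param feedTags: tags to attach to every fetched indicator under fields['tags']; a comma-separated string or list, normalised with argToList` so the docstring matches the signature. The rest of `__init__` lies outside this hunk.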
@@ -268,13 +271,19 @@ def fetch_indicators_command(client: Client, default_indicator_type: str, auto_d 'rawJSON': raw_json, 'fields': create_fields_mapping(raw_json, mapping) if mapping else {} } + indicator['fields']['tags'] = client.tags indicators.append(indicator) return indicators -def get_indicators_command(client, args): +def get_indicators_command(client, args: dict, tags: Optional[List[str]] = None): + if tags is None: + tags = [] itype = args.get('indicator_type', demisto.params().get('indicator_type')) - limit = int(args.get('limit')) + try: + limit = int(args.get('limit', 50)) + except ValueError: + raise ValueError('The limit argument must be a number.') auto_detect = demisto.params().get('auto_detect_type') indicators_list = fetch_indicators_command(client, itype, auto_detect) entry_result = indicators_list[:limit] @@ -299,7 +308,11 @@ def feed_main(feed_name, params=None, prefix=''): } try: if command == 'fetch-indicators': - indicators = fetch_indicators_command(client, params.get('indicator_type'), params.get('auto_detect_type')) + indicators = fetch_indicators_command( + client, + params.get('indicator_type'), + params.get('auto_detect_type') + ) # we submit the indicators in batches for b in batch(indicators, batch_size=2000): demisto.createIndicators(b) # type: ignore diff --git a/Packs/ApiModules/Scripts/CSVFeedApiModule/CSVFeedApiModule.yml b/Packs/ApiModules/Scripts/CSVFeedApiModule/CSVFeedApiModule.yml index 422487fb007b..0f298112cbdd 100644 --- a/Packs/ApiModules/Scripts/CSVFeedApiModule/CSVFeedApiModule.yml +++ b/Packs/ApiModules/Scripts/CSVFeedApiModule/CSVFeedApiModule.yml 
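Review bot: The `tags` parameter added to `get_indicators_command` is dead: it is defaulted to `[]` and then never read, because the tags actually applied come from `client.tags` inside `fetch_indicators_command`, so a caller passing `tags` (as the new test does) gets no effect. Either remove the parameter together with the `if tags is None: tags = []` preamble, or honour it by overriding `indicator['fields']['tags']` on the returned entries when `tags` is non-empty. Separately, `indicator['fields']['tags'] = client.tags` stores the same list object on every indicator; `list(client.tags)` would avoid aliasing if any downstream consumer mutates the field. `fetch_indicators_command` begins before this hunk.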
@@ -8,9 +8,12 @@ subtype: python3 tags: - infra - server -comment: Common code that will be appended into each CSV feed integration when it's deployed +comment: Common code that will be appended into each CSV feed integration when it's + deployed system: true scripttarget: 0 dependson: {} timeout: 0s -dockerimage: demisto/jmespath:1.0.0.6980 \ No newline at end of file +dockerimage: demisto/jmespath:1.0.0.8854 +tests: +- No tests (auto formatted) diff --git a/Packs/ApiModules/Scripts/CSVFeedApiModule/CSVFeedApiModule_test.py b/Packs/ApiModules/Scripts/CSVFeedApiModule/CSVFeedApiModule_test.py index 989ae85fc2e5..97bb615c0151 100644 --- a/Packs/ApiModules/Scripts/CSVFeedApiModule/CSVFeedApiModule_test.py +++ b/Packs/ApiModules/Scripts/CSVFeedApiModule/CSVFeedApiModule_test.py @@ -1,4 +1,3 @@ -import requests import requests_mock from CSVFeedApiModule import * 
@@ -156,3 +155,78 @@ def test_date_format_parsing(): formatted_date = date_format_parsing('2020-02-01 12:13:14.11111') assert formatted_date == '2020-02-01T12:13:14Z' + + +class TestTagsParam: + def test_tags_exists(self): + """ + Given: + - tags ['tag1', 'tag2'] params + + When: + - Running get indicators/fetch indicators + + Then: + - Validating tags key exists with given tags + """ + tags = ['tag1', 'tag2'] + feed_url_to_config = { + 'https://ipstack.com': { + 'fieldnames': ['value'], + 'indicator_type': 'IP' + } + } + + with open('test_data/ip_ranges.txt') as ip_ranges_txt: + ip_ranges = ip_ranges_txt.read().encode('utf8') + + with requests_mock.Mocker() as m: + itype = 'IP' + args = { + 'indicator_type': itype, + 'limit': 35 + } + m.get('https://ipstack.com', content=ip_ranges) + client = Client( + url="https://ipstack.com", + feed_url_to_config=feed_url_to_config, + feedTags=tags + ) + _, _, indicators = get_indicators_command(client, args, tags) + assert tags == indicators[0]['fields']['tags'] + + def test_tags_not_exists(self): + """ + Given: + - No tags param + + When: + - Running get indicators/fetch indicators + + Then: + - Validating tags key exists with an empty list. + """ + feed_url_to_config = { + 'https://ipstack.com': { + 'fieldnames': ['value'], + 'indicator_type': 'IP' + } + } + + with open('test_data/ip_ranges.txt') as ip_ranges_txt: + ip_ranges = ip_ranges_txt.read().encode('utf8') + + with requests_mock.Mocker() as m: + itype = 'IP' + args = { + 'indicator_type': itype, + 'limit': 35 + } + m.get('https://ipstack.com', content=ip_ranges) + client = Client( + url="https://ipstack.com", + feed_url_to_config=feed_url_to_config, + feedTags=[] + ) + _, _, indicators = get_indicators_command(client, args) + assert [] == indicators[0]['fields']['tags'] diff --git a/Packs/ApiModules/Scripts/TAXII2ApiModule/README.md b/Packs/ApiModules/Scripts/TAXII2ApiModule/README.md new file mode 100644 index 000000000000..d219a42e491b --- /dev/null 
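Review bot: The two tests in `TestTagsParam` differ only in the tag list but duplicate the fixture read, the `requests_mock` setup and the `Client` construction, so a single parametrised test keeps them from drifting apart (this needs `import pytest` at the top of the test module). The name `test_tags_not_exists` and its docstring "No tags param" do not match what the test does, since it passes `feedTags=[]` explicitly; either omit `feedTags` there or rename it `test_tags_empty`. The first test also passes `tags` as a third positional argument to `get_indicators_command` while the second does not, so neither can show whether that argument has any effect; assert only on what `Client(feedTags=...)` yields, or pass a list different from the client's and assert which one wins.
```python
@pytest.mark.parametrize('tags', [['tag1', 'tag2'], []])
def test_tags_param(tags):
    """Every indicator carries exactly the feedTags the client was built with."""
    feed_url_to_config = {'https://ipstack.com': {'fieldnames': ['value'], 'indicator_type': 'IP'}}
    with open('test_data/ip_ranges.txt') as ip_ranges_txt:
        ip_ranges = ip_ranges_txt.read().encode('utf8')
    with requests_mock.Mocker() as m:
        m.get('https://ipstack.com', content=ip_ranges)
        client = Client(url="https://ipstack.com", feed_url_to_config=feed_url_to_config, feedTags=tags)
        _, _, indicators = get_indicators_command(client, {'indicator_type': 'IP', 'limit': 35})
        assert indicators[0]['fields']['tags'] == tags
```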
+++ b/Packs/ApiModules/Scripts/TAXII2ApiModule/README.md @@ -0,0 +1,14 @@ +To use the common TAXII 2 Server logic (authentication and API requests), run the following command to import the `TAXII2ApiModule`. + +```python +def main(): + ... + + +from TAXII2ApiModule import * # noqa: E402 + +if __name__ in ["builtins", "__main__"]: + main() +``` + +Then, the `TAXII2ApiModule` will be available for usage. For examples, see the `TAXII 2 Feed` integration. diff --git a/Packs/ApiModules/Scripts/TAXII2ApiModule/TAXII2ApiModule.py b/Packs/ApiModules/Scripts/TAXII2ApiModule/TAXII2ApiModule.py new file mode 100644 index 000000000000..fe5a8a6bcce2 --- /dev/null +++ b/Packs/ApiModules/Scripts/TAXII2ApiModule/TAXII2ApiModule.py 
@@ -0,0 +1,514 @@ +import demistomock as demisto +from CommonServerPython import * +from CommonServerUserPython import * + +from typing import Union, Optional, List, Dict, Tuple +from requests.sessions import merge_setting, CaseInsensitiveDict +import re +import copy +import types +import urllib3 +from taxii2client import v20, v21 +from taxii2client.common import TokenAuth, _HTTPConnection + +# disable insecure warnings +urllib3.disable_warnings() + +# CONSTANTS +TAXII_VER_2_0 = "2.0" +TAXII_VER_2_1 = "2.1" + +DFLT_LIMIT_PER_REQUEST = 100 +API_USERNAME = "_api_token_key" +HEADER_USERNAME = "_header:" + +ERR_NO_COLL = "No collection is available for this user, please make sure you entered the configuration correctly" + +# Pattern Regexes - used to extract indicator type and value +INDICATOR_OPERATOR_VAL_FORMAT_PATTERN = r"(\w.*?{value}{operator})'(.*?)'" +INDICATOR_EQUALS_VAL_PATTERN = INDICATOR_OPERATOR_VAL_FORMAT_PATTERN.format( + value="value", operator="=" +) +CIDR_ISSUBSET_VAL_PATTERN = INDICATOR_OPERATOR_VAL_FORMAT_PATTERN.format( + value="value", operator="ISSUBSET" +) +CIDR_ISUPPERSET_VAL_PATTERN = INDICATOR_OPERATOR_VAL_FORMAT_PATTERN.format( + value="value", operator="ISUPPERSET" +) +HASHES_EQUALS_VAL_PATTERN = INDICATOR_OPERATOR_VAL_FORMAT_PATTERN.format( + value=r"hashes\..*?", operator="=" +) + +TAXII_TIME_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ" +TAXII_TIME_FORMAT_NO_MS = "%Y-%m-%dT%H:%M:%SZ" + +STIX_2_TYPES_TO_CORTEX_TYPES = { + "ipv4-addr": FeedIndicatorType.IP, + "ipv6-addr": FeedIndicatorType.IPv6, + "domain": FeedIndicatorType.Domain, + "domain-name": FeedIndicatorType.Domain, + "url": FeedIndicatorType.URL, + "md5": FeedIndicatorType.File, + "sha-1": FeedIndicatorType.File, + "sha-256": FeedIndicatorType.File, + "file:hashes": FeedIndicatorType.File, +} + +STIX_2_TYPES_TO_CORTEX_CIDR_TYPES = { + "ipv4-addr": FeedIndicatorType.CIDR, + "ipv6-addr": FeedIndicatorType.IPv6CIDR, +} + + +class Taxii2FeedClient: + def __init__( + self, + url: str, + 
collection_to_fetch, + proxies, + verify: bool, + skip_complex_mode: bool = False, + username: Optional[str] = None, + password: Optional[str] = None, + field_map: Optional[dict] = None, + tags: Optional[list] = None, + limit_per_request: int = DFLT_LIMIT_PER_REQUEST, + ): + """ + TAXII 2 Client used to poll and parse indicators in XSOAR formar + :param url: discovery service URL + :param collection_to_fetch: Collection to fetch objects from + :param proxies: proxies used in request + :param skip_complex_mode: if set to True will skip complex observations + :param verify: verify https + :param username: username used for basic authentication OR api_key used for authentication + :param password: password used for basic authentication + :param field_map: map used to create fields entry ({field_name: field_value}) + :param tags: custom tags to be added to the created indicator + :param limit_per_request: Limit the objects requested per poll request + """ + self._conn = None + self.server = None + self.api_root = None + self.collections = None + self.last_fetched_indicator__modified = None + + self.collection_to_fetch = collection_to_fetch + self.skip_complex_mode = skip_complex_mode + if not limit_per_request: + limit_per_request = DFLT_LIMIT_PER_REQUEST + self.limit_per_request = limit_per_request + + self.base_url = url + self.proxies = proxies + self.verify = verify + + self.auth = None + self.auth_header = None + self.auth_key = None + if username and password: + # authentication methods: + # 1. API Token + # 2. Authentication Header + # 3. 
Basic + if username == API_USERNAME: + self.auth = TokenAuth(key=password) + elif username.startswith(HEADER_USERNAME): + self.auth_header = username.split(HEADER_USERNAME)[1] + self.auth_key = password + else: + self.auth = requests.auth.HTTPBasicAuth(username, password) + + self.field_map = field_map if field_map else {} + self.tags = tags if tags else [] + self.indicator_regexes = [ + re.compile(INDICATOR_EQUALS_VAL_PATTERN), + re.compile(HASHES_EQUALS_VAL_PATTERN), + ] + self.cidr_regexes = [ + re.compile(CIDR_ISSUBSET_VAL_PATTERN), + re.compile(CIDR_ISUPPERSET_VAL_PATTERN), + ] + + def init_server(self, version=TAXII_VER_2_0): + """ + Initializes a server in the requested version + :param version: taxii version key (either 2.0 or 2.1) + """ + server_url = urljoin(self.base_url) + self._conn = _HTTPConnection( + verify=self.verify, proxies=self.proxies, version=version, auth=self.auth + ) + if self.auth_header: + # add auth_header to the session object + self._conn.session.headers = ( # type: ignore[attr-defined] + merge_setting( + self._conn.session.headers, # type: ignore[attr-defined] + {self.auth_header: self.auth_key}, + dict_class=CaseInsensitiveDict, + ), + ) + if version is TAXII_VER_2_0: + self.server = v20.Server( + server_url, verify=self.verify, proxies=self.proxies, conn=self._conn, + ) + else: + self.server = v21.Server( + server_url, verify=self.verify, proxies=self.proxies, conn=self._conn, + ) + + def init_roots(self): + """ + Initializes the api roots (used to get taxii server objects) + """ + if not self.server: + self.init_server() + try: + # try TAXII 2.0 + self.api_root = self.server.api_roots[0] # type: ignore[union-attr, attr-defined] + # override _conn - api_root isn't initialized with the right _conn + self.api_root._conn = self._conn # type: ignore[attr-defined] + # (TAXIIServiceException, HTTPError) should suffice, but sometimes it raises another type of HTTPError + except Exception as e: + if "406 Client Error" not in str(e): + 
raise e + # switch to TAXII 2.1 + self.init_server(version=TAXII_VER_2_1) + self.api_root = self.server.api_roots[0] # type: ignore[union-attr, attr-defined] + # override _conn - api_root isn't initialized with the right _conn + self.api_root._conn = self._conn # type: ignore[attr-defined] + + def init_collections(self): + """ + Collects available taxii collections + """ + self.collections = [x for x in self.api_root.collections] # type: ignore[union-attr, attr-defined, assignment] + + def init_collection_to_fetch(self, collection_to_fetch=None): + """ + Tries to initialize `collection_to_fetch` if possible + """ + if collection_to_fetch is None and isinstance(self.collection_to_fetch, str): + # self.collection_to_fetch will be changed from str -> Union[v20.Collection, v21.Collection] + collection_to_fetch = self.collection_to_fetch + if not self.collections: + raise DemistoException(ERR_NO_COLL) + if collection_to_fetch: + collection_found = False + for collection in self.collections: + if collection.title == collection_to_fetch: + self.collection_to_fetch = collection + collection_found = True + break + if not collection_found: + raise DemistoException( + "Could not find the provided Collection name in the available collections. " + "Please make sure you entered the name correctly." + ) + + def initialise(self): + self.init_server() + self.init_roots() + self.init_collections() + self.init_collection_to_fetch() + + def build_iterator(self, limit: int = -1, **kwargs) -> List[Dict[str, str]]: + """ + Polls the taxii server and builds a list of cortex indicators objects from the result + :param limit: max amount of indicators to fetch + :return: Cortex indicators list + """ + if not isinstance(self.collection_to_fetch, (v20.Collection, v21.Collection)): + raise DemistoException( + "Could not find a collection to fetch from. " + "Please make sure you provided a collection." 
+ ) + if limit is None: + limit = -1 + + page_size = self.get_page_size(limit, limit) + if page_size <= 0: + return [] + envelope = self.poll_collection(page_size, **kwargs) + indicators = self.extract_indicators_from_envelope_and_parse(envelope, limit) + return indicators + + def extract_indicators_from_envelope_and_parse( + self, envelope: Union[types.GeneratorType, Dict[str, str]], limit: int = -1 + ) -> List[Dict[str, str]]: + """ + Extract indicators from an 2.0 envelope generator, or 2.1 envelope (which then polls and repeats process) + and parses them as cortex indicators + :param envelope: envelope containing stix objects + :param limit: max amount of indicators to fetch + :return: Cortex indicators list + """ + indicators = [] + obj_cnt = 0 + # TAXII 2.0 + if isinstance(envelope, types.GeneratorType): + for sub_envelope in envelope: + stix_objects = sub_envelope.get("objects") + if not stix_objects: + # no fetched objects + break + obj_cnt += len(stix_objects) + indicators.extend( + self.parse_indicators_list( + self.extract_indicators_from_stix_objects(stix_objects) + ) + ) + if 0 < limit <= len(indicators): + break + # TAXII 2.1 + elif isinstance(envelope, Dict): + cur_limit = limit + stix_objects = envelope.get("objects") + obj_cnt += len(stix_objects) + indicators_list = self.extract_indicators_from_stix_objects(stix_objects) + indicators = self.parse_indicators_list(indicators_list) + while envelope.get("more", False): + page_size = self.get_page_size(limit, cur_limit) + envelope = self.collection_to_fetch.get_objects( + limit=page_size, next=envelope.get("next", "") + ) + if isinstance(envelope, Dict): + stix_objects = envelope.get("objects") + obj_cnt += len(stix_objects) + extracted_iocs = self.extract_indicators_from_stix_objects( + stix_objects + ) + parsed_iocs = self.parse_indicators_list(extracted_iocs) + indicators.extend(parsed_iocs) + + if limit > -1: + cur_limit -= len(envelope) # type: ignore + if cur_limit < 0: + break + else: + raise 
DemistoException( + "Error: TAXII 2 client received the following response while requesting " + f"indicators: {str(envelope)}\n\nExpected output is json" + ) + demisto.debug( + f"TAXII 2 Feed has extracted {len(indicators)} indicators / {obj_cnt} stix objects" + ) + if limit > -1: + return indicators[:limit] + return indicators + + def poll_collection( + self, page_size: int, **kwargs + ) -> Union[types.GeneratorType, Dict[str, str]]: + """ + Polls a taxii collection + :param page_size: size of the request page + """ + get_objects = self.collection_to_fetch.get_objects + if isinstance(self.collection_to_fetch, v20.Collection): + envelope = v20.as_pages(get_objects, per_request=page_size, **kwargs) + else: + envelope = get_objects(limit=page_size, **kwargs) + return envelope + + def get_page_size(self, max_limit: int, cur_limit: int) -> int: + """ + Get a page size given the limit on entries `max_limit` and the limit on the current poll + :param max_limit: max amount of entries allowed overall + :param cur_limit: max amount of entries allowed in a page + :return: page size + """ + return ( + min(self.limit_per_request, cur_limit) + if max_limit > -1 + else self.limit_per_request + ) + + @staticmethod + def extract_indicators_from_stix_objects( + stix_objs: List[Dict[str, str]] + ) -> List[Dict[str, str]]: + """ + Extracts indicators from taxii objects + :param stix_objs: taxii objects + :return: indicators in json format + """ + indicators_objs = [ + item for item in stix_objs if item.get("type") == "indicator" + ] # retrieve only indicators + + return indicators_objs + + def parse_indicators_list( + self, indicators_objs: List[Dict[str, str]] + ) -> List[Dict[str, str]]: + """ + Parses a list of indicator objects, and updates the client.latest_fetched_indicator_created + :param indicators_objs: indicator objects + :return: Parsed list of indicators + """ + indicators = [] + if indicators_objs: + for indicator_obj in indicators_objs: + 
indicators.extend(self.parse_single_indicator(indicator_obj)) + indicator_modified_str = indicator_obj.get("modified") + if self.last_fetched_indicator__modified is None: + self.last_fetched_indicator__modified = indicator_modified_str # type: ignore[assignment] + else: + last_datetime = self.stix_time_to_datetime( + self.last_fetched_indicator__modified + ) + indicator_created_datetime = self.stix_time_to_datetime( + indicator_modified_str + ) + if indicator_created_datetime > last_datetime: + self.last_fetched_indicator__modified = indicator_modified_str + return indicators + + def parse_single_indicator( + self, indicator_obj: Dict[str, str] + ) -> List[Dict[str, str]]: + """ + Parses a single indicator object + :param indicator_obj: indicator object + :return: list of indicators extracted from the object in cortex format + """ + field_map = self.field_map if self.field_map else {} + pattern = indicator_obj.get("pattern") + indicators = [] + if pattern: + # this is done in case the server doesn't properly space the operator, + # supported indicators have no spaces, so this action shouldn't affect extracted values + trimmed_pattern = pattern.replace(" ", "") + + indicator_groups = self.extract_indicator_groups_from_pattern( + trimmed_pattern, self.indicator_regexes + ) + indicators.extend( + self.get_indicators_from_indicator_groups( + indicator_groups, + indicator_obj, + STIX_2_TYPES_TO_CORTEX_TYPES, + field_map, + ) + ) + + cidr_groups = self.extract_indicator_groups_from_pattern( + trimmed_pattern, self.cidr_regexes + ) + indicators.extend( + self.get_indicators_from_indicator_groups( + cidr_groups, + indicator_obj, + STIX_2_TYPES_TO_CORTEX_CIDR_TYPES, + field_map, + ) + ) + + return indicators + + def get_indicators_from_indicator_groups( + self, + indicator_groups: List[Tuple[str, str]], + indicator_obj: Dict[str, str], + indicator_types: Dict[str, str], + field_map: Dict[str, str], + ) -> List[Dict[str, str]]: + """ + Get indicators from indicator regex 
groups + :param indicator_groups: caught regex group in pattern of: [`type`, `indicator`] + :param indicator_obj: taxii indicator object + :param indicator_types: supported indicator types -> cortex types + :param field_map: map used to create fields entry ({field_name: field_value}) + :return: Indicators list + """ + indicators = [] + if indicator_groups: + for term in indicator_groups: + for taxii_type in indicator_types.keys(): + # term should be list with 2 argument parsed with regex - [`type`, `indicator`] + if len(term) == 2 and taxii_type in term[0]: + type_ = indicator_types[taxii_type] + value = term[1] + indicator = self.create_indicator( + indicator_obj, type_, value, field_map + ) + indicators.append(indicator) + break + if self.skip_complex_mode and len(indicators) > 1: + # we managed to pull more than a single indicator - indicating complex relationship + return [] + return indicators + + def create_indicator(self, indicator_obj, type_, value, field_map): + """ + Create a cortex indicator from a stix indicator + :param indicator_obj: rawJSON value of the indicator + :param type_: cortex type of the indicator + :param value: indicator value + :param field_map: field map used for mapping fields ({field_name: field_value}) + :return: Cortex indicator + """ + ioc_obj_copy = copy.deepcopy(indicator_obj) + ioc_obj_copy["value"] = value + ioc_obj_copy["type"] = type_ + indicator = { + "value": value, + "type": type_, + "rawJSON": ioc_obj_copy, + } + fields = {} + tags = list(self.tags) + # create tags from labels: + for label in ioc_obj_copy.get("labels", []): + tags.append(label) + + # add description if able + if "description" in ioc_obj_copy: + fields["description"] = ioc_obj_copy["description"] + + # add field_map fields + for field_name, field_path in field_map.items(): + if field_path in ioc_obj_copy: + fields[field_name] = ioc_obj_copy.get(field_path) + + # union of tags and labels + if "tags" in fields: + field_tag = fields.get("tags") + if 
isinstance(field_tag, list): + tags.extend(field_tag) + else: + tags.append(field_tag) + + fields["tags"] = tags + indicator["fields"] = fields + return indicator + + @staticmethod + def extract_indicator_groups_from_pattern( + pattern: str, regexes: List + ) -> List[Tuple[str, str]]: + """ + Extracts indicator [`type`, `indicator`] groups from pattern + :param pattern: stix pattern + :param regexes: regexes to run to pattern + :return: extracted indicators list from pattern + """ + groups: List[Tuple[str, str]] = [] + for regex in regexes: + find_result = regex.findall(pattern) + if find_result: + groups.extend(find_result) + return groups + + @staticmethod + def stix_time_to_datetime(s_time): + """ + Converts datetime to str in "%Y-%m-%dT%H:%M:%S.%fZ" format + :param s_time: time in string format + :return: datetime + """ + try: + return datetime.strptime(s_time, TAXII_TIME_FORMAT) + except ValueError: + return datetime.strptime(s_time, TAXII_TIME_FORMAT_NO_MS) diff --git a/Packs/ApiModules/Scripts/TAXII2ApiModule/TAXII2ApiModule.yml b/Packs/ApiModules/Scripts/TAXII2ApiModule/TAXII2ApiModule.yml new file mode 100644 index 000000000000..53a9f94f5883 --- /dev/null +++ b/Packs/ApiModules/Scripts/TAXII2ApiModule/TAXII2ApiModule.yml @@ -0,0 +1,16 @@ +commonfields: + id: TAXII2ApiModule + version: -1 +name: TAXII2ApiModule +script: '' +type: python +subtype: python3 +tags: +- infra +- server +comment: Common TAXII 2 code that will be appended into each TAXII 2 integration when it's deployed +system: true +scripttarget: 0 +dependson: {} +timeout: 0s +dockerimage: demisto/taxii2:1.0.0.9219 diff --git a/Packs/ApiModules/Scripts/TAXII2ApiModule/TAXII2ApiModule_test.py b/Packs/ApiModules/Scripts/TAXII2ApiModule/TAXII2ApiModule_test.py new file mode 100644 index 000000000000..acd5bc846bb1 --- /dev/null +++ b/Packs/ApiModules/Scripts/TAXII2ApiModule/TAXII2ApiModule_test.py 
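Review bot: In `init_server`, the custom-header branch assigns a one-element tuple to the session headers — the trailing comma after the `merge_setting(...)` call turns the parenthesised expression into a tuple — so `session.headers` stops being a mapping and the `{auth_header: auth_key}` entry presumably never reaches the request (the companion test even indexes `headers[0]`). Drop the tuple: `self._conn.session.headers = merge_setting(self._conn.session.headers, {self.auth_header: self.auth_key}, dict_class=CaseInsensitiveDict)`. `if version is TAXII_VER_2_0:` compares strings by identity, so a caller passing its own `'2.0'` literal may silently get a `v21.Server`; use `==`. In the TAXII 2.1 loop of `extract_indicators_from_envelope_and_parse`, `cur_limit -= len(envelope)` subtracts the number of keys in the envelope dict rather than the number of objects fetched, which makes the remaining-budget check meaningless; `cur_limit -= len(stix_objects)` is what the surrounding code intends. The module-level `urllib3.disable_warnings()` also silences every urllib3 warning regardless of `verify`, so a comment stating that this is deliberate would help.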
@@ -0,0 +1,322 @@ +from CommonServerPython import * +from TAXII2ApiModule import Taxii2FeedClient, TAXII_VER_2_1, HEADER_USERNAME +from taxii2client import v20, v21 +import pytest +import json + +with open('test_data/stix_envelope_no_indicators.json', 'r') as f: + STIX_ENVELOPE_NO_IOCS = json.load(f) + +with open('test_data/stix_envelope_17-19.json', 'r') as f: + STIX_ENVELOPE_17_IOCS_19_OBJS = json.load(f) + +with open('test_data/stix_envelope_complex_20-19.json', 'r') as f: + STIX_ENVELOPE_20_IOCS_19_OBJS = json.load(f) + +with open('test_data/cortex_parsed_indicators_17-19.json', 'r') as f: + CORTEX_17_IOCS_19_OBJS = json.load(f) + +with open('test_data/cortex_parsed_indicators_complex_20-19.json', 'r') as f: + CORTEX_COMPLEX_20_IOCS_19_OBJS = json.load(f) + +with open('test_data/cortex_parsed_indicators_complex_skipped_14-19.json', 'r') as f: + CORTEX_COMPLEX_14_IOCS_19_OBJS = json.load(f) + + +class MockCollection: + def __init__(self, id_, title): + self.id = id_ + self.title = title + + +class TestInitCollectionsToFetch: + """ + Scenario: Initialize collections to fetch + """ + mock_client = Taxii2FeedClient(url='', collection_to_fetch='default', proxies=[], verify=False) + default_id = 1 + nondefault_id = 2 + mock_client.collections = [MockCollection(nondefault_id, 'not_default'), + MockCollection(default_id, 'default')] + + def test_default_collection(self): + """ + Scenario: Initialize with collection name provided in class __init__ + + Given + - collection name is provided via __init__ (title: default) + - collection is available + + When + - Initializing collection to fetch + + Then + - Ensure initialized collection to fetch with collection provided in __init__ + """ + self.mock_client.init_collection_to_fetch() + assert self.mock_client.collection_to_fetch.id == self.default_id + + def test_non_default_collection(self): + """ + Scenario: Initialize with collection name provided via argument + + Given: + - collection name is provided via argument 
(title: non_default) + - collection is available + + When + - Initializing collection to fetch + + Then + - Ensure initialized collection to fetch with collection provided in argument + """ + self.mock_client.init_collection_to_fetch('not_default') + assert self.mock_client.collection_to_fetch.id == self.nondefault_id + + def test_collection_not_found(self): + """ + Scenario: Fail to initialize with a collection that is not available + + Given: + - collection name is provided via argument (title: not_found) + - collection is NOT available + + When + - Initializing collection to fetch + + Then: + - Ensure exception is raised with proper error message + """ + with pytest.raises(DemistoException, match="Could not find the provided Collection name"): + self.mock_client.init_collection_to_fetch('not_found') + + def test_no_collections_available(self): + """ + Scenario: Fail to initialize when there is no collection available + + Given: + - collection name is provided via __init__ (title: default) + - NO collection is available + + When + - Initializing collection to fetch + + Then: + - Ensure exception is raised with proper error message + """ + mock_client = Taxii2FeedClient(url='', collection_to_fetch='default', proxies=[], verify=False) + with pytest.raises(DemistoException, match="No collection is available for this user"): + mock_client.init_collection_to_fetch('not_found') + + +class TestBuildIterator: + """ + Scenario: Get indicators via build_iterator method + """ + def test_no_collection_to_fetch(self): + """ + Scenario: Fail to build iterator when there is no collection to fetch from + + Given: + - Collection to fetch is empty + + When: + - Calling build_iterators + + Then: + - Ensure exception is raised with proper error message + """ + mock_client = Taxii2FeedClient(url='', collection_to_fetch=None, proxies=[], verify=False) + with pytest.raises(DemistoException, match='Could not find a collection to fetch from.'): + mock_client.build_iterator() + + def 
test_limit_0_v20(self, mocker): + """ + Scenario: Call build iterator when limit is 0 and the collection is v20.Collection + + Given: + - Limit is 0 + - Collection to fetch is of type v20.Collection + + When + - Initializing collection to fetch + + Then: + - Ensure 0 iocs are returned + """ + mock_client = Taxii2FeedClient(url='', collection_to_fetch=None, proxies=[], verify=False) + mocker.patch.object(mock_client, "collection_to_fetch", spec=v20.Collection) + iocs = mock_client.build_iterator(limit=0) + assert iocs == [] + + def test_limit_0_v21(self, mocker): + """ + Scenario: Call build iterator when limit is 0 and the collection is v21.Collection + + Given: + - Limit is 0 + - Collection to fetch is of type v21.Collection + + When + - Initializing collection to fetch + + Then: + - Ensure 0 iocs are returned + """ + mock_client = Taxii2FeedClient(url='', collection_to_fetch=None, proxies=[], verify=False) + mocker.patch.object(mock_client, "collection_to_fetch", spec=v21.Collection) + iocs = mock_client.build_iterator(limit=0) + assert iocs == [] + + +class TestInitServer: + """ + Scenario: Initialize server + """ + def test_default_v20(self): + """ + Scenario: Intialize server with the default option + + Given: + - no version is provided to init_server + + Then: + - initalize with v20.Server + """ + mock_client = Taxii2FeedClient(url='', collection_to_fetch='', proxies=[], verify=False) + mock_client.init_server() + assert isinstance(mock_client.server, v20.Server) + + def test_v21(self): + """ + Scenario: Intialize server with v21 + + Given: + - v21 version is provided to init_server + + Then: + - initalize with v21.Server + """ + mock_client = Taxii2FeedClient(url='', collection_to_fetch='', proxies=[], verify=False) + mock_client.init_server(TAXII_VER_2_1) + assert isinstance(mock_client.server, v21.Server) + + def test_auth_key(self): + """ + Scenario: Intialize server with the default option with an auth key + + Given: + - no version is provided to 
init_server + - client is set with `auth_key` and `auth_header` + + Then: + - initialize with v20.Server with _conn.headers set with the auth_header + """ + mock_auth_header_key = 'mock_auth' + mock_username = f'{HEADER_USERNAME}{mock_auth_header_key}' + mock_password = 'mock_pass' + mock_client = Taxii2FeedClient( + url='', + username=mock_username, + password=mock_password, + collection_to_fetch='', + proxies=[], + verify=False + ) + mock_client.init_server() + assert isinstance(mock_client.server, v20.Server) + assert mock_auth_header_key in mock_client.server._conn.session.headers[0] + assert mock_client.server._conn.session.headers[0].get(mock_auth_header_key) == mock_password + + +class TestExtractIndicatorsAndParse: + """ + Scenario: Test extract_indicators_from_envelope_and_parse + """ + def test_21_empty(self): + """ + Scenario: Test 21 envelope extract + + Given: + - Envelope with 0 STIX2 objects + + When: + - extract_indicators_from_envelope_and_parse is called + + Then: + - Extract and parse the indicators from the envelope + + """ + expected = [] + mock_client = Taxii2FeedClient(url='', collection_to_fetch='', proxies=[], verify=False) + actual = mock_client.extract_indicators_from_envelope_and_parse(STIX_ENVELOPE_NO_IOCS) + + assert len(actual) == 0 + assert expected == actual + + def test_21_simple(self): + """ + Scenario: Test 21 envelope extract + + Given: + - Envelope with 19 STIX2 objects - out of them 17 are iocs + + When: + - extract_indicators_from_envelope_and_parse is called + + Then: + - Extract and parse the indicators from the envelope + + """ + expected = CORTEX_17_IOCS_19_OBJS + mock_client = Taxii2FeedClient(url='', collection_to_fetch='', proxies=[], verify=False) + actual = mock_client.extract_indicators_from_envelope_and_parse(STIX_ENVELOPE_17_IOCS_19_OBJS) + + assert len(actual) == 17 + assert expected == actual + + def test_21_complex_not_skipped(self): + """ + Scenario: Test 21 envelope complex extract without skip + + Given: + - 
Envelope with 19 STIX2 objects - 14 normal iocs, 3 are complex indicators (x2 iocs), and 2 aren't indicators + - skip is False + + When: + - extract_indicators_from_envelope_and_parse is called + + Then: + - Extract and parse the indicators from the envelope with the complex iocs + + """ + expected = CORTEX_COMPLEX_20_IOCS_19_OBJS + mock_client = Taxii2FeedClient(url='', collection_to_fetch='', proxies=[], verify=False) + envelope = STIX_ENVELOPE_20_IOCS_19_OBJS + actual = mock_client.extract_indicators_from_envelope_and_parse(envelope) + + assert len(actual) == 20 + assert actual == expected + + def test_21_complex_skipped(self): + """ + Scenario: Test 21 envelope complex extract with skip + + Given: + - Envelope with 19 STIX2 objects - 14 normal iocs, 3 are complex indicators (x2 iocs), and 2 aren't indicators + - skip is True + + When: + - extract_indicators_from_envelope_and_parse is called + + Then: + - Extract and parse the indicators from the envelope with the complex iocs + + """ + expected = CORTEX_COMPLEX_14_IOCS_19_OBJS + mock_client = Taxii2FeedClient(url='', collection_to_fetch='', proxies=[], verify=False, skip_complex_mode=True) + envelope = STIX_ENVELOPE_20_IOCS_19_OBJS + actual = mock_client.extract_indicators_from_envelope_and_parse(envelope) + + assert len(actual) == 14 + assert actual == expected diff --git a/Packs/ApiModules/Scripts/TAXII2ApiModule/test_data/cortex_parsed_indicators_17-19.json b/Packs/ApiModules/Scripts/TAXII2ApiModule/test_data/cortex_parsed_indicators_17-19.json new file mode 100644 index 000000000000..d98aa7695330 --- /dev/null +++ b/Packs/ApiModules/Scripts/TAXII2ApiModule/test_data/cortex_parsed_indicators_17-19.json 
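Review bot: `test_auth_key` asserts on `mock_client.server._conn.session.headers[0]`, which pins the session headers to being a tuple rather than a header mapping and so locks in exactly the shape a requests session cannot use; assert `mock_client.server._conn.session.headers.get(mock_auth_header_key) == mock_password` so the test only passes when the header is installed as a mapping. `TestInitCollectionsToFetch` builds a single `mock_client` at class level and `test_non_default_collection` rebinds its `collection_to_fetch` to a collection object, so the result of `test_default_collection` depends on test execution order; construct the client per test in a `setup_method` or a pytest fixture instead. The `url=''` clients used in `TestInitServer` presumably create a real `_HTTPConnection` without contacting anything, which is worth a one-line comment so nobody later assumes network access is mocked.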
@@ -0,0 +1,597 @@ +[ + { + "value": "195.123.227.186", + "type": "IP", + "rawJSON": { + "id": "indicator--86fee2b1-807d-423d-9d0e-1117bab576ce", + "pattern": "[ipv4-addr:value = '195.123.227.186']", + "confidence": 50, + "lang": "en", + "type": "IP", + "created": "2020-06-10T01:14:33.126Z", + "modified": "2020-06-10T01:14:33.126Z", + "name": "bot_ip: 195.123.227.186", + "description": "TS ID: 55694549840; iType: bot_ip; Date First: 2020-06-05T08:42:19.170Z; State: active; Org: Layer6 Networks; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.779852Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1", + "value": "195.123.227.186" + }, + "fields": { + "description": "TS ID: 55694549840; iType: bot_ip; Date First: 2020-06-05T08:42:19.170Z; State: active; Org: Layer6 Networks; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "tags": [ + "low" + ] + } + }, + { + "value": "134.209.37.102", + "type": "IP", + "rawJSON": { + "id": "indicator--891207b3-bff4-4bc2-8c12-7fd2321c9f38", + "pattern": "[ipv4-addr:value = '134.209.37.102']", + "confidence": 85, + "lang": "en", + "type": "IP", + "created": "2020-06-10T01:14:52.501Z", + "modified": "2020-06-10T01:14:52.501Z", + "name": "bot_ip: 134.209.37.102", + "description": "TS ID: 55682983162; iType: bot_ip; Date First: 2020-06-02T07:26:06.274Z; State: active; Org: Covidien Lp; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.722754Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1", + 
"value": "134.209.37.102" + }, + "fields": { + "description": "TS ID: 55682983162; iType: bot_ip; Date First: 2020-06-02T07:26:06.274Z; State: active; Org: Covidien Lp; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "tags": [ + "low" + ] + } + }, + { + "value": "117.141.112.155", + "type": "IP", + "rawJSON": { + "id": "indicator--8c726d5f-cb6b-45dc-8c2b-2be8596043cf", + "pattern": "[ipv4-addr:value = '117.141.112.155']", + "confidence": 50, + "lang": "en", + "type": "IP", + "created": "2020-06-10T01:14:54.684Z", + "modified": "2020-06-10T01:14:54.684Z", + "name": "bot_ip: 117.141.112.155", + "description": "TS ID: 55694549819; iType: bot_ip; Date First: 2020-06-05T08:42:17.907Z; State: active; Org: China Mobile Guangdong; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.775627Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1", + "value": "117.141.112.155" + }, + "fields": { + "description": "TS ID: 55694549819; iType: bot_ip; Date First: 2020-06-05T08:42:17.907Z; State: active; Org: China Mobile Guangdong; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "tags": [ + "low" + ] + } + }, + { + "value": "23.129.64.217", + "type": "IP", + "rawJSON": { + "id": "indicator--8e19a19c-cd66-4278-8bfb-c05c64977d12", + "pattern": "[ipv4-addr:value = '23.129.64.217']", + "confidence": 50, + "lang": "en", + "type": "IP", + "created": "2020-06-10T01:14:19.858Z", + "modified": "2020-06-10T01:14:19.858Z", + "name": "bot_ip: 23.129.64.217", + "description": "TS ID: 55682983514; iType: bot_ip; Date First: 2020-06-02T07:26:46.206Z; State: active; Org: Emerald Onion; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": 
"2020-06-10T01:00:33.731573Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1", + "value": "23.129.64.217" + }, + "fields": { + "description": "TS ID: 55682983514; iType: bot_ip; Date First: 2020-06-02T07:26:46.206Z; State: active; Org: Emerald Onion; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "tags": [ + "low" + ] + } + }, + { + "value": "45.142.213.11", + "type": "IP", + "rawJSON": { + "id": "indicator--90a4f95d-1e35-4f47-b303-5651c93457f4", + "pattern": "[ipv4-addr:value = '45.142.213.11']", + "confidence": 85, + "lang": "en", + "type": "IP", + "created": "2020-06-10T01:14:10.753Z", + "modified": "2020-06-10T01:14:10.753Z", + "name": "bot_ip: 45.142.213.11", + "description": "TS ID: 55694549856; iType: bot_ip; Date First: 2020-06-05T08:45:37.178Z; State: active; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.808281Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1", + "value": "45.142.213.11" + }, + "fields": { + "description": "TS ID: 55694549856; iType: bot_ip; Date First: 2020-06-05T08:45:37.178Z; State: active; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "tags": [ + "low" + ] + } + }, + { + "value": "157.245.250.190", + "type": "IP", + "rawJSON": { + "id": "indicator--94f109aa-3ef2-4a8c-a847-dfb4c64f4f29", + "pattern": "[ipv4-addr:value = '157.245.250.190']", + "confidence": 50, + "lang": "en", + "type": "IP", + "created": "2020-06-10T01:14:15.950Z", + "modified": "2020-06-10T01:14:15.950Z", + "name": "bot_ip: 157.245.250.190", + 
"description": "TS ID: 55697907923; iType: bot_ip; Date First: 2020-06-06T09:32:01.051Z; State: active; Org: Datalogic ADC; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.818576Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1", + "value": "157.245.250.190" + }, + "fields": { + "description": "TS ID: 55697907923; iType: bot_ip; Date First: 2020-06-06T09:32:01.051Z; State: active; Org: Datalogic ADC; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "tags": [ + "low" + ] + } + }, + { + "value": "144.91.106.47", + "type": "IP", + "rawJSON": { + "id": "indicator--96d1737a-5565-49ac-8a91-52c2c7b38903", + "pattern": "[ipv4-addr:value = '144.91.106.47']", + "confidence": 50, + "lang": "en", + "type": "IP", + "created": "2020-06-10T01:15:00.764Z", + "modified": "2020-06-10T01:15:00.764Z", + "name": "bot_ip: 144.91.106.47", + "description": "TS ID: 55694549829; iType: bot_ip; Date First: 2020-06-05T08:44:22.790Z; State: active; Org: Mills College; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.791474Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1", + "value": "144.91.106.47" + }, + "fields": { + "description": "TS ID: 55694549829; iType: bot_ip; Date First: 2020-06-05T08:44:22.790Z; State: active; Org: Mills College; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "tags": [ + "low" + ] + } + }, + { + "value": "141.98.81.208", + "type": "IP", + "rawJSON": { + "id": 
"indicator--9c98d81b-b4a5-4b8d-8fd6-4b9beec0f1be", + "pattern": "[ipv4-addr:value = '141.98.81.208']", + "confidence": 50, + "lang": "en", + "type": "IP", + "created": "2020-06-10T01:14:39.995Z", + "modified": "2020-06-10T01:14:39.995Z", + "name": "bot_ip: 141.98.81.208", + "description": "TS ID: 55691320102; iType: bot_ip; Date First: 2020-06-04T10:33:13.398Z; State: active; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.766866Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1", + "value": "141.98.81.208" + }, + "fields": { + "description": "TS ID: 55691320102; iType: bot_ip; Date First: 2020-06-04T10:33:13.398Z; State: active; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "tags": [ + "low" + ] + } + }, + { + "value": "51.81.53.159", + "type": "IP", + "rawJSON": { + "id": "indicator--9cbf82af-8a54-478a-af76-b88a73a33d37", + "pattern": "[ipv4-addr:value = '51.81.53.159']", + "confidence": 85, + "lang": "en", + "type": "IP", + "created": "2020-06-10T01:15:01.999Z", + "modified": "2020-06-10T01:15:01.999Z", + "name": "bot_ip: 51.81.53.159", + "description": "TS ID: 55694549861; iType: bot_ip; Date First: 2020-06-05T08:42:44.478Z; State: active; Org: OVH SAS; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.781286Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1", + "value": "51.81.53.159" + }, + "fields": { + "description": "TS ID: 55694549861; iType: bot_ip; Date First: 2020-06-05T08:42:44.478Z; State: active; Org: 
OVH SAS; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "tags": [ + "low" + ] + } + }, + { + "value": "104.168.173.252", + "type": "IP", + "rawJSON": { + "id": "indicator--9ee9aecd-89e6-4dd6-9a24-4c610b33ebbb", + "pattern": "[ipv4-addr:value = '104.168.173.252']", + "confidence": 50, + "lang": "en", + "type": "IP", + "created": "2020-06-10T01:14:58.530Z", + "modified": "2020-06-10T01:14:58.530Z", + "name": "bot_ip: 104.168.173.252", + "description": "TS ID: 55691320097; iType: bot_ip; Date First: 2020-06-04T10:32:46.612Z; State: active; Org: Hostwinds LLC.; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.753603Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1", + "value": "104.168.173.252" + }, + "fields": { + "description": "TS ID: 55691320097; iType: bot_ip; Date First: 2020-06-04T10:32:46.612Z; State: active; Org: Hostwinds LLC.; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "tags": [ + "low" + ] + } + }, + { + "value": "173.212.206.89", + "type": "IP", + "rawJSON": { + "id": "indicator--9febf107-dd82-4727-bcb7-199291ec474c", + "pattern": "[ipv4-addr:value = '173.212.206.89']", + "confidence": 50, + "lang": "en", + "type": "IP", + "created": "2020-06-10T01:14:34.822Z", + "modified": "2020-06-10T01:14:34.822Z", + "name": "bot_ip: 173.212.206.89", + "description": "TS ID: 55697907953; iType: bot_ip; Date First: 2020-06-06T09:31:54.190Z; State: active; Org: Contabo GmbH; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.814015Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + 
"indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1", + "value": "173.212.206.89" + }, + "fields": { + "description": "TS ID: 55697907953; iType: bot_ip; Date First: 2020-06-06T09:31:54.190Z; State: active; Org: Contabo GmbH; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "tags": [ + "low" + ] + } + }, + { + "value": "67.207.94.201", + "type": "IP", + "rawJSON": { + "id": "indicator--a25904c8-0270-4d57-add5-64f5ed1485b5", + "pattern": "[ipv4-addr:value = '67.207.94.201']", + "confidence": 15, + "lang": "en", + "type": "IP", + "created": "2020-06-10T01:14:29.751Z", + "modified": "2020-06-10T01:14:29.751Z", + "name": "bot_ip: 67.207.94.201", + "description": "TS ID: 55697908164; iType: bot_ip; Date First: 2020-06-06T09:32:30.450Z; State: active; Org: Digital Ocean; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.837493Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1", + "value": "67.207.94.201" + }, + "fields": { + "description": "TS ID: 55697908164; iType: bot_ip; Date First: 2020-06-06T09:32:30.450Z; State: active; Org: Digital Ocean; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "tags": [ + "low" + ] + } + }, + { + "value": "89.163.242.76", + "type": "IP", + "rawJSON": { + "id": "indicator--a5a1408d-ff8b-41b2-8c57-6678aa0c8688", + "pattern": "[ipv4-addr:value = '89.163.242.76']", + "confidence": 50, + "lang": "en", + "type": "IP", + "created": "2020-06-10T01:14:35.839Z", + "modified": "2020-06-10T01:14:35.839Z", + "name": "bot_ip: 89.163.242.76", + "description": "TS ID: 55694549874; iType: bot_ip; Date First: 2020-06-05T08:45:20.346Z; State: active; Org: myLoc managed IT AG; Source: Emerging 
Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.800264Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1", + "value": "89.163.242.76" + }, + "fields": { + "description": "TS ID: 55694549874; iType: bot_ip; Date First: 2020-06-05T08:45:20.346Z; State: active; Org: myLoc managed IT AG; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "tags": [ + "low" + ] + } + }, + { + "value": "51.75.71.205", + "type": "IP", + "rawJSON": { + "id": "indicator--a8cc5b11-3bbb-4fb2-970c-31a6f58e1374", + "pattern": "[ipv4-addr:value = '51.75.71.205']", + "confidence": 85, + "lang": "en", + "type": "IP", + "created": "2020-06-10T01:14:41.919Z", + "modified": "2020-06-10T01:14:41.919Z", + "name": "bot_ip: 51.75.71.205", + "description": "TS ID: 55686993979; iType: bot_ip; Date First: 2020-06-03T07:29:11.148Z; State: active; Org: OVH SAS; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.73608Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1", + "value": "51.75.71.205" + }, + "fields": { + "description": "TS ID: 55686993979; iType: bot_ip; Date First: 2020-06-03T07:29:11.148Z; State: active; Org: OVH SAS; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "tags": [ + "low" + ] + } + }, + { + "value": "140.224.183.58", + "type": "IP", + "rawJSON": { + "id": "indicator--a8ee1e5f-8c08-4135-878c-4973179cbac5", + "pattern": "[ipv4-addr:value = '140.224.183.58']", + "confidence": 85, + "lang": "en", + "type": "IP", + "created": 
"2020-06-10T01:14:11.651Z", + "modified": "2020-06-10T01:14:11.651Z", + "name": "bot_ip: 140.224.183.58", + "description": "TS ID: 55694549823; iType: bot_ip; Date First: 2020-06-05T08:45:24.055Z; State: active; Org: China Telecom FUJIAN NETWORK; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.801661Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1", + "value": "140.224.183.58" + }, + "fields": { + "description": "TS ID: 55694549823; iType: bot_ip; Date First: 2020-06-05T08:45:24.055Z; State: active; Org: China Telecom FUJIAN NETWORK; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "tags": [ + "low" + ] + } + }, + { + "value": "161.35.22.86", + "type": "IP", + "rawJSON": { + "id": "indicator--aa4ec99f-3c54-4e60-ab47-83ff78d76570", + "pattern": "[ipv4-addr:value = '161.35.22.86']", + "confidence": 85, + "lang": "en", + "type": "IP", + "created": "2020-06-10T01:14:49.620Z", + "modified": "2020-06-10T01:14:49.620Z", + "name": "bot_ip: 161.35.22.86", + "description": "TS ID: 55697907934; iType: bot_ip; Date First: 2020-06-06T09:32:22.615Z; State: active; Org: Racal-Redac; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.831549Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1", + "value": "161.35.22.86" + }, + "fields": { + "description": "TS ID: 55697907934; iType: bot_ip; Date First: 2020-06-06T09:32:22.615Z; State: active; Org: Racal-Redac; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + 
"tags": [ + "low" + ] + } + }, + { + "value": "45.143.220.246", + "type": "IP", + "rawJSON": { + "id": "indicator--ac4a9ca5-9f6e-4072-b568-46dbb03a3ace", + "pattern": "[ipv4-addr:value = '45.143.220.246']", + "confidence": 50, + "lang": "en", + "type": "IP", + "created": "2020-06-10T01:15:10.905Z", + "modified": "2020-06-10T01:15:10.905Z", + "name": "bot_ip: 45.143.220.246", + "description": "TS ID: 55691320117; iType: bot_ip; Date First: 2020-06-04T10:32:46.584Z; State: active; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.752185Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1", + "value": "45.143.220.246" + }, + "fields": { + "description": "TS ID: 55691320117; iType: bot_ip; Date First: 2020-06-04T10:32:46.584Z; State: active; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "tags": [ + "low" + ] + } + } +] diff --git a/Packs/ApiModules/Scripts/TAXII2ApiModule/test_data/cortex_parsed_indicators_complex_20-19.json b/Packs/ApiModules/Scripts/TAXII2ApiModule/test_data/cortex_parsed_indicators_complex_20-19.json new file mode 100644 index 000000000000..dd92ba05e5d4 --- /dev/null +++ b/Packs/ApiModules/Scripts/TAXII2ApiModule/test_data/cortex_parsed_indicators_complex_20-19.json 
@@ -0,0 +1,702 @@ +[ + { + "value": "195.123.227.186", + "type": "IP", + "rawJSON": { + "id": "indicator--86fee2b1-807d-423d-9d0e-1117bab576ce", + "pattern": "[ipv4-addr:value = '195.123.227.186' AND ipv4-addr:value = '1.1.1.1']", + "confidence": 50, + "lang": "en", + "type": "IP", + "created": "2020-06-10T01:14:33.126Z", + "modified": "2020-06-10T01:14:33.126Z", + "name": "bot_ip: 195.123.227.186", + "description": "TS ID: 55694549840; iType: bot_ip; Date First: 2020-06-05T08:42:19.170Z; State: active; Org: Layer6 Networks; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.779852Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1", + "value": "195.123.227.186" + }, + "fields": { + "description": "TS ID: 55694549840; iType: bot_ip; Date First: 2020-06-05T08:42:19.170Z; State: active; Org: Layer6 Networks; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "tags": [ + "low" + ] + } + }, + { + "value": "1.1.1.1", + "type": "IP", + "rawJSON": { + "id": "indicator--86fee2b1-807d-423d-9d0e-1117bab576ce", + "pattern": "[ipv4-addr:value = '195.123.227.186' AND ipv4-addr:value = '1.1.1.1']", + "confidence": 50, + "lang": "en", + "type": "IP", + "created": "2020-06-10T01:14:33.126Z", + "modified": "2020-06-10T01:14:33.126Z", + "name": "bot_ip: 195.123.227.186", + "description": "TS ID: 55694549840; iType: bot_ip; Date First: 2020-06-05T08:42:19.170Z; State: active; Org: Layer6 Networks; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.779852Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + 
"anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1", + "value": "1.1.1.1" + }, + "fields": { + "description": "TS ID: 55694549840; iType: bot_ip; Date First: 2020-06-05T08:42:19.170Z; State: active; Org: Layer6 Networks; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "tags": [ + "low" + ] + } + }, + { + "value": "134.209.37.102", + "type": "IP", + "rawJSON": { + "id": "indicator--891207b3-bff4-4bc2-8c12-7fd2321c9f38", + "pattern": "[ipv4-addr:value = '134.209.37.102' OR ipv4-addr:value = '2.2.2.2']", + "confidence": 85, + "lang": "en", + "type": "IP", + "created": "2020-06-10T01:14:52.501Z", + "modified": "2020-06-10T01:14:52.501Z", + "name": "bot_ip: 134.209.37.102", + "description": "TS ID: 55682983162; iType: bot_ip; Date First: 2020-06-02T07:26:06.274Z; State: active; Org: Covidien Lp; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.722754Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1", + "value": "134.209.37.102" + }, + "fields": { + "description": "TS ID: 55682983162; iType: bot_ip; Date First: 2020-06-02T07:26:06.274Z; State: active; Org: Covidien Lp; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "tags": [ + "low" + ] + } + }, + { + "value": "2.2.2.2", + "type": "IP", + "rawJSON": { + "id": "indicator--891207b3-bff4-4bc2-8c12-7fd2321c9f38", + "pattern": "[ipv4-addr:value = '134.209.37.102' OR ipv4-addr:value = '2.2.2.2']", + "confidence": 85, + "lang": "en", + "type": "IP", + "created": "2020-06-10T01:14:52.501Z", + "modified": "2020-06-10T01:14:52.501Z", + "name": "bot_ip: 134.209.37.102", + "description": "TS ID: 55682983162; iType: bot_ip; Date First: 2020-06-02T07:26:06.274Z; State: active; Org: Covidien 
Lp; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.722754Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1", + "value": "2.2.2.2" + }, + "fields": { + "description": "TS ID: 55682983162; iType: bot_ip; Date First: 2020-06-02T07:26:06.274Z; State: active; Org: Covidien Lp; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "tags": [ + "low" + ] + } + }, + { + "value": "117.141.112.155", + "type": "IP", + "rawJSON": { + "id": "indicator--8c726d5f-cb6b-45dc-8c2b-2be8596043cf", + "pattern": "[ipv4-addr:value = '117.141.112.155' FOLLOWEDBY ipv4-addr:value = '3.3.3.3']", + "confidence": 50, + "lang": "en", + "type": "IP", + "created": "2020-06-10T01:14:54.684Z", + "modified": "2020-06-10T01:14:54.684Z", + "name": "bot_ip: 117.141.112.155", + "description": "TS ID: 55694549819; iType: bot_ip; Date First: 2020-06-05T08:42:17.907Z; State: active; Org: China Mobile Guangdong; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.775627Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1", + "value": "117.141.112.155" + }, + "fields": { + "description": "TS ID: 55694549819; iType: bot_ip; Date First: 2020-06-05T08:42:17.907Z; State: active; Org: China Mobile Guangdong; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "tags": [ + "low" + ] + } + }, + { + "value": "3.3.3.3", + "type": "IP", + "rawJSON": { + "id": "indicator--8c726d5f-cb6b-45dc-8c2b-2be8596043cf", + "pattern": "[ipv4-addr:value = 
'117.141.112.155' FOLLOWEDBY ipv4-addr:value = '3.3.3.3']", + "confidence": 50, + "lang": "en", + "type": "IP", + "created": "2020-06-10T01:14:54.684Z", + "modified": "2020-06-10T01:14:54.684Z", + "name": "bot_ip: 117.141.112.155", + "description": "TS ID: 55694549819; iType: bot_ip; Date First: 2020-06-05T08:42:17.907Z; State: active; Org: China Mobile Guangdong; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.775627Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1", + "value": "3.3.3.3" + }, + "fields": { + "description": "TS ID: 55694549819; iType: bot_ip; Date First: 2020-06-05T08:42:17.907Z; State: active; Org: China Mobile Guangdong; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "tags": [ + "low" + ] + } + }, + { + "value": "23.129.64.217", + "type": "IP", + "rawJSON": { + "id": "indicator--8e19a19c-cd66-4278-8bfb-c05c64977d12", + "pattern": "[ipv4-addr:value = '23.129.64.217']", + "confidence": 50, + "lang": "en", + "type": "IP", + "created": "2020-06-10T01:14:19.858Z", + "modified": "2020-06-10T01:14:19.858Z", + "name": "bot_ip: 23.129.64.217", + "description": "TS ID: 55682983514; iType: bot_ip; Date First: 2020-06-02T07:26:46.206Z; State: active; Org: Emerald Onion; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.731573Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1", + "value": "23.129.64.217" + }, + "fields": { + "description": "TS ID: 55682983514; iType: bot_ip; Date First: 
2020-06-02T07:26:46.206Z; State: active; Org: Emerald Onion; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "tags": [ + "low" + ] + } + }, + { + "value": "45.142.213.11", + "type": "IP", + "rawJSON": { + "id": "indicator--90a4f95d-1e35-4f47-b303-5651c93457f4", + "pattern": "[ipv4-addr:value = '45.142.213.11']", + "confidence": 85, + "lang": "en", + "type": "IP", + "created": "2020-06-10T01:14:10.753Z", + "modified": "2020-06-10T01:14:10.753Z", + "name": "bot_ip: 45.142.213.11", + "description": "TS ID: 55694549856; iType: bot_ip; Date First: 2020-06-05T08:45:37.178Z; State: active; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.808281Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1", + "value": "45.142.213.11" + }, + "fields": { + "description": "TS ID: 55694549856; iType: bot_ip; Date First: 2020-06-05T08:45:37.178Z; State: active; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "tags": [ + "low" + ] + } + }, + { + "value": "157.245.250.190", + "type": "IP", + "rawJSON": { + "id": "indicator--94f109aa-3ef2-4a8c-a847-dfb4c64f4f29", + "pattern": "[ipv4-addr:value = '157.245.250.190']", + "confidence": 50, + "lang": "en", + "type": "IP", + "created": "2020-06-10T01:14:15.950Z", + "modified": "2020-06-10T01:14:15.950Z", + "name": "bot_ip: 157.245.250.190", + "description": "TS ID: 55697907923; iType: bot_ip; Date First: 2020-06-06T09:32:01.051Z; State: active; Org: Datalogic ADC; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.818576Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + 
"indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1", + "value": "157.245.250.190" + }, + "fields": { + "description": "TS ID: 55697907923; iType: bot_ip; Date First: 2020-06-06T09:32:01.051Z; State: active; Org: Datalogic ADC; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "tags": [ + "low" + ] + } + }, + { + "value": "144.91.106.47", + "type": "IP", + "rawJSON": { + "id": "indicator--96d1737a-5565-49ac-8a91-52c2c7b38903", + "pattern": "[ipv4-addr:value = '144.91.106.47']", + "confidence": 50, + "lang": "en", + "type": "IP", + "created": "2020-06-10T01:15:00.764Z", + "modified": "2020-06-10T01:15:00.764Z", + "name": "bot_ip: 144.91.106.47", + "description": "TS ID: 55694549829; iType: bot_ip; Date First: 2020-06-05T08:44:22.790Z; State: active; Org: Mills College; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.791474Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1", + "value": "144.91.106.47" + }, + "fields": { + "description": "TS ID: 55694549829; iType: bot_ip; Date First: 2020-06-05T08:44:22.790Z; State: active; Org: Mills College; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "tags": [ + "low" + ] + } + }, + { + "value": "141.98.81.208", + "type": "IP", + "rawJSON": { + "id": "indicator--9c98d81b-b4a5-4b8d-8fd6-4b9beec0f1be", + "pattern": "[ipv4-addr:value = '141.98.81.208']", + "confidence": 50, + "lang": "en", + "type": "IP", + "created": "2020-06-10T01:14:39.995Z", + "modified": "2020-06-10T01:14:39.995Z", + "name": "bot_ip: 141.98.81.208", + "description": "TS ID: 55691320102; iType: bot_ip; Date First: 2020-06-04T10:33:13.398Z; State: active; Source: Emerging Threats - Compromised; 
MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.766866Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1", + "value": "141.98.81.208" + }, + "fields": { + "description": "TS ID: 55691320102; iType: bot_ip; Date First: 2020-06-04T10:33:13.398Z; State: active; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "tags": [ + "low" + ] + } + }, + { + "value": "51.81.53.159", + "type": "IP", + "rawJSON": { + "id": "indicator--9cbf82af-8a54-478a-af76-b88a73a33d37", + "pattern": "[ipv4-addr:value = '51.81.53.159']", + "confidence": 85, + "lang": "en", + "type": "IP", + "created": "2020-06-10T01:15:01.999Z", + "modified": "2020-06-10T01:15:01.999Z", + "name": "bot_ip: 51.81.53.159", + "description": "TS ID: 55694549861; iType: bot_ip; Date First: 2020-06-05T08:42:44.478Z; State: active; Org: OVH SAS; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.781286Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1", + "value": "51.81.53.159" + }, + "fields": { + "description": "TS ID: 55694549861; iType: bot_ip; Date First: 2020-06-05T08:42:44.478Z; State: active; Org: OVH SAS; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "tags": [ + "low" + ] + } + }, + { + "value": "104.168.173.252", + "type": "IP", + "rawJSON": { + "id": "indicator--9ee9aecd-89e6-4dd6-9a24-4c610b33ebbb", + "pattern": "[ipv4-addr:value = '104.168.173.252']", + "confidence": 50, + "lang": "en", + "type": "IP", + "created": "2020-06-10T01:14:58.530Z", + "modified": 
"2020-06-10T01:14:58.530Z", + "name": "bot_ip: 104.168.173.252", + "description": "TS ID: 55691320097; iType: bot_ip; Date First: 2020-06-04T10:32:46.612Z; State: active; Org: Hostwinds LLC.; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.753603Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1", + "value": "104.168.173.252" + }, + "fields": { + "description": "TS ID: 55691320097; iType: bot_ip; Date First: 2020-06-04T10:32:46.612Z; State: active; Org: Hostwinds LLC.; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "tags": [ + "low" + ] + } + }, + { + "value": "173.212.206.89", + "type": "IP", + "rawJSON": { + "id": "indicator--9febf107-dd82-4727-bcb7-199291ec474c", + "pattern": "[ipv4-addr:value = '173.212.206.89']", + "confidence": 50, + "lang": "en", + "type": "IP", + "created": "2020-06-10T01:14:34.822Z", + "modified": "2020-06-10T01:14:34.822Z", + "name": "bot_ip: 173.212.206.89", + "description": "TS ID: 55697907953; iType: bot_ip; Date First: 2020-06-06T09:31:54.190Z; State: active; Org: Contabo GmbH; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.814015Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1", + "value": "173.212.206.89" + }, + "fields": { + "description": "TS ID: 55697907953; iType: bot_ip; Date First: 2020-06-06T09:31:54.190Z; State: active; Org: Contabo GmbH; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "tags": [ + "low" + ] + } + }, + { + "value": 
"67.207.94.201", + "type": "IP", + "rawJSON": { + "id": "indicator--a25904c8-0270-4d57-add5-64f5ed1485b5", + "pattern": "[ipv4-addr:value = '67.207.94.201']", + "confidence": 15, + "lang": "en", + "type": "IP", + "created": "2020-06-10T01:14:29.751Z", + "modified": "2020-06-10T01:14:29.751Z", + "name": "bot_ip: 67.207.94.201", + "description": "TS ID: 55697908164; iType: bot_ip; Date First: 2020-06-06T09:32:30.450Z; State: active; Org: Digital Ocean; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.837493Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1", + "value": "67.207.94.201" + }, + "fields": { + "description": "TS ID: 55697908164; iType: bot_ip; Date First: 2020-06-06T09:32:30.450Z; State: active; Org: Digital Ocean; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "tags": [ + "low" + ] + } + }, + { + "value": "89.163.242.76", + "type": "IP", + "rawJSON": { + "id": "indicator--a5a1408d-ff8b-41b2-8c57-6678aa0c8688", + "pattern": "[ipv4-addr:value = '89.163.242.76']", + "confidence": 50, + "lang": "en", + "type": "IP", + "created": "2020-06-10T01:14:35.839Z", + "modified": "2020-06-10T01:14:35.839Z", + "name": "bot_ip: 89.163.242.76", + "description": "TS ID: 55694549874; iType: bot_ip; Date First: 2020-06-05T08:45:20.346Z; State: active; Org: myLoc managed IT AG; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.800264Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1", + "value": "89.163.242.76" + }, + "fields": 
{ + "description": "TS ID: 55694549874; iType: bot_ip; Date First: 2020-06-05T08:45:20.346Z; State: active; Org: myLoc managed IT AG; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "tags": [ + "low" + ] + } + }, + { + "value": "51.75.71.205", + "type": "IP", + "rawJSON": { + "id": "indicator--a8cc5b11-3bbb-4fb2-970c-31a6f58e1374", + "pattern": "[ipv4-addr:value = '51.75.71.205']", + "confidence": 85, + "lang": "en", + "type": "IP", + "created": "2020-06-10T01:14:41.919Z", + "modified": "2020-06-10T01:14:41.919Z", + "name": "bot_ip: 51.75.71.205", + "description": "TS ID: 55686993979; iType: bot_ip; Date First: 2020-06-03T07:29:11.148Z; State: active; Org: OVH SAS; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.73608Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1", + "value": "51.75.71.205" + }, + "fields": { + "description": "TS ID: 55686993979; iType: bot_ip; Date First: 2020-06-03T07:29:11.148Z; State: active; Org: OVH SAS; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "tags": [ + "low" + ] + } + }, + { + "value": "140.224.183.58", + "type": "IP", + "rawJSON": { + "id": "indicator--a8ee1e5f-8c08-4135-878c-4973179cbac5", + "pattern": "[ipv4-addr:value = '140.224.183.58']", + "confidence": 85, + "lang": "en", + "type": "IP", + "created": "2020-06-10T01:14:11.651Z", + "modified": "2020-06-10T01:14:11.651Z", + "name": "bot_ip: 140.224.183.58", + "description": "TS ID: 55694549823; iType: bot_ip; Date First: 2020-06-05T08:45:24.055Z; State: active; Org: China Telecom FUJIAN NETWORK; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.801661Z", + "pattern_type": "stix", + 
"object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1", + "value": "140.224.183.58" + }, + "fields": { + "description": "TS ID: 55694549823; iType: bot_ip; Date First: 2020-06-05T08:45:24.055Z; State: active; Org: China Telecom FUJIAN NETWORK; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "tags": [ + "low" + ] + } + }, + { + "value": "161.35.22.86", + "type": "IP", + "rawJSON": { + "id": "indicator--aa4ec99f-3c54-4e60-ab47-83ff78d76570", + "pattern": "[ipv4-addr:value = '161.35.22.86']", + "confidence": 85, + "lang": "en", + "type": "IP", + "created": "2020-06-10T01:14:49.620Z", + "modified": "2020-06-10T01:14:49.620Z", + "name": "bot_ip: 161.35.22.86", + "description": "TS ID: 55697907934; iType: bot_ip; Date First: 2020-06-06T09:32:22.615Z; State: active; Org: Racal-Redac; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.831549Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1", + "value": "161.35.22.86" + }, + "fields": { + "description": "TS ID: 55697907934; iType: bot_ip; Date First: 2020-06-06T09:32:22.615Z; State: active; Org: Racal-Redac; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "tags": [ + "low" + ] + } + }, + { + "value": "45.143.220.246", + "type": "IP", + "rawJSON": { + "id": "indicator--ac4a9ca5-9f6e-4072-b568-46dbb03a3ace", + "pattern": "[ipv4-addr:value = '45.143.220.246']", + "confidence": 50, + "lang": "en", + "type": "IP", + "created": "2020-06-10T01:15:10.905Z", + "modified": "2020-06-10T01:15:10.905Z", + "name": "bot_ip: 45.143.220.246", + "description": "TS 
ID: 55691320117; iType: bot_ip; Date First: 2020-06-04T10:32:46.584Z; State: active; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.752185Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1", + "value": "45.143.220.246" + }, + "fields": { + "description": "TS ID: 55691320117; iType: bot_ip; Date First: 2020-06-04T10:32:46.584Z; State: active; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "tags": [ + "low" + ] + } + } +] diff --git a/Packs/ApiModules/Scripts/TAXII2ApiModule/test_data/cortex_parsed_indicators_complex_skipped_14-19.json b/Packs/ApiModules/Scripts/TAXII2ApiModule/test_data/cortex_parsed_indicators_complex_skipped_14-19.json new file mode 100644 index 000000000000..bfa66a565024 --- /dev/null +++ b/Packs/ApiModules/Scripts/TAXII2ApiModule/test_data/cortex_parsed_indicators_complex_skipped_14-19.json 
@@ -0,0 +1,492 @@ +[ + { + "value": "23.129.64.217", + "type": "IP", + "rawJSON": { + "id": "indicator--8e19a19c-cd66-4278-8bfb-c05c64977d12", + "pattern": "[ipv4-addr:value = '23.129.64.217']", + "confidence": 50, + "lang": "en", + "type": "IP", + "created": "2020-06-10T01:14:19.858Z", + "modified": "2020-06-10T01:14:19.858Z", + "name": "bot_ip: 23.129.64.217", + "description": "TS ID: 55682983514; iType: bot_ip; Date First: 2020-06-02T07:26:46.206Z; State: active; Org: Emerald Onion; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.731573Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1", + "value": "23.129.64.217" + }, + "fields": { + "description": "TS ID: 55682983514; iType: bot_ip; Date First: 2020-06-02T07:26:46.206Z; State: active; Org: Emerald Onion; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "tags": [ + "low" + ] + } + }, + { + "value": "45.142.213.11", + "type": "IP", + "rawJSON": { + "id": "indicator--90a4f95d-1e35-4f47-b303-5651c93457f4", + "pattern": "[ipv4-addr:value = '45.142.213.11']", + "confidence": 85, + "lang": "en", + "type": "IP", + "created": "2020-06-10T01:14:10.753Z", + "modified": "2020-06-10T01:14:10.753Z", + "name": "bot_ip: 45.142.213.11", + "description": "TS ID: 55694549856; iType: bot_ip; Date First: 2020-06-05T08:45:37.178Z; State: active; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.808281Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1", + "value": "45.142.213.11" + }, + 
"fields": { + "description": "TS ID: 55694549856; iType: bot_ip; Date First: 2020-06-05T08:45:37.178Z; State: active; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "tags": [ + "low" + ] + } + }, + { + "value": "157.245.250.190", + "type": "IP", + "rawJSON": { + "id": "indicator--94f109aa-3ef2-4a8c-a847-dfb4c64f4f29", + "pattern": "[ipv4-addr:value = '157.245.250.190']", + "confidence": 50, + "lang": "en", + "type": "IP", + "created": "2020-06-10T01:14:15.950Z", + "modified": "2020-06-10T01:14:15.950Z", + "name": "bot_ip: 157.245.250.190", + "description": "TS ID: 55697907923; iType: bot_ip; Date First: 2020-06-06T09:32:01.051Z; State: active; Org: Datalogic ADC; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.818576Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1", + "value": "157.245.250.190" + }, + "fields": { + "description": "TS ID: 55697907923; iType: bot_ip; Date First: 2020-06-06T09:32:01.051Z; State: active; Org: Datalogic ADC; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "tags": [ + "low" + ] + } + }, + { + "value": "144.91.106.47", + "type": "IP", + "rawJSON": { + "id": "indicator--96d1737a-5565-49ac-8a91-52c2c7b38903", + "pattern": "[ipv4-addr:value = '144.91.106.47']", + "confidence": 50, + "lang": "en", + "type": "IP", + "created": "2020-06-10T01:15:00.764Z", + "modified": "2020-06-10T01:15:00.764Z", + "name": "bot_ip: 144.91.106.47", + "description": "TS ID: 55694549829; iType: bot_ip; Date First: 2020-06-05T08:44:22.790Z; State: active; Org: Mills College; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.791474Z", + "pattern_type": "stix", + "object_marking_refs": 
[ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1", + "value": "144.91.106.47" + }, + "fields": { + "description": "TS ID: 55694549829; iType: bot_ip; Date First: 2020-06-05T08:44:22.790Z; State: active; Org: Mills College; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "tags": [ + "low" + ] + } + }, + { + "value": "141.98.81.208", + "type": "IP", + "rawJSON": { + "id": "indicator--9c98d81b-b4a5-4b8d-8fd6-4b9beec0f1be", + "pattern": "[ipv4-addr:value = '141.98.81.208']", + "confidence": 50, + "lang": "en", + "type": "IP", + "created": "2020-06-10T01:14:39.995Z", + "modified": "2020-06-10T01:14:39.995Z", + "name": "bot_ip: 141.98.81.208", + "description": "TS ID: 55691320102; iType: bot_ip; Date First: 2020-06-04T10:33:13.398Z; State: active; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.766866Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1", + "value": "141.98.81.208" + }, + "fields": { + "description": "TS ID: 55691320102; iType: bot_ip; Date First: 2020-06-04T10:33:13.398Z; State: active; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "tags": [ + "low" + ] + } + }, + { + "value": "51.81.53.159", + "type": "IP", + "rawJSON": { + "id": "indicator--9cbf82af-8a54-478a-af76-b88a73a33d37", + "pattern": "[ipv4-addr:value = '51.81.53.159']", + "confidence": 85, + "lang": "en", + "type": "IP", + "created": "2020-06-10T01:15:01.999Z", + "modified": "2020-06-10T01:15:01.999Z", + "name": "bot_ip: 51.81.53.159", + "description": "TS ID: 55694549861; iType: bot_ip; Date First: 2020-06-05T08:42:44.478Z; State: 
active; Org: OVH SAS; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.781286Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1", + "value": "51.81.53.159" + }, + "fields": { + "description": "TS ID: 55694549861; iType: bot_ip; Date First: 2020-06-05T08:42:44.478Z; State: active; Org: OVH SAS; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "tags": [ + "low" + ] + } + }, + { + "value": "104.168.173.252", + "type": "IP", + "rawJSON": { + "id": "indicator--9ee9aecd-89e6-4dd6-9a24-4c610b33ebbb", + "pattern": "[ipv4-addr:value = '104.168.173.252']", + "confidence": 50, + "lang": "en", + "type": "IP", + "created": "2020-06-10T01:14:58.530Z", + "modified": "2020-06-10T01:14:58.530Z", + "name": "bot_ip: 104.168.173.252", + "description": "TS ID: 55691320097; iType: bot_ip; Date First: 2020-06-04T10:32:46.612Z; State: active; Org: Hostwinds LLC.; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.753603Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1", + "value": "104.168.173.252" + }, + "fields": { + "description": "TS ID: 55691320097; iType: bot_ip; Date First: 2020-06-04T10:32:46.612Z; State: active; Org: Hostwinds LLC.; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "tags": [ + "low" + ] + } + }, + { + "value": "173.212.206.89", + "type": "IP", + "rawJSON": { + "id": "indicator--9febf107-dd82-4727-bcb7-199291ec474c", + "pattern": "[ipv4-addr:value = '173.212.206.89']", + "confidence": 50, + 
"lang": "en", + "type": "IP", + "created": "2020-06-10T01:14:34.822Z", + "modified": "2020-06-10T01:14:34.822Z", + "name": "bot_ip: 173.212.206.89", + "description": "TS ID: 55697907953; iType: bot_ip; Date First: 2020-06-06T09:31:54.190Z; State: active; Org: Contabo GmbH; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.814015Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1", + "value": "173.212.206.89" + }, + "fields": { + "description": "TS ID: 55697907953; iType: bot_ip; Date First: 2020-06-06T09:31:54.190Z; State: active; Org: Contabo GmbH; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "tags": [ + "low" + ] + } + }, + { + "value": "67.207.94.201", + "type": "IP", + "rawJSON": { + "id": "indicator--a25904c8-0270-4d57-add5-64f5ed1485b5", + "pattern": "[ipv4-addr:value = '67.207.94.201']", + "confidence": 15, + "lang": "en", + "type": "IP", + "created": "2020-06-10T01:14:29.751Z", + "modified": "2020-06-10T01:14:29.751Z", + "name": "bot_ip: 67.207.94.201", + "description": "TS ID: 55697908164; iType: bot_ip; Date First: 2020-06-06T09:32:30.450Z; State: active; Org: Digital Ocean; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.837493Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1", + "value": "67.207.94.201" + }, + "fields": { + "description": "TS ID: 55697908164; iType: bot_ip; Date First: 2020-06-06T09:32:30.450Z; State: active; Org: Digital Ocean; Source: Emerging Threats - Compromised; MoreDetail: 
imported by user 668", + "tags": [ + "low" + ] + } + }, + { + "value": "89.163.242.76", + "type": "IP", + "rawJSON": { + "id": "indicator--a5a1408d-ff8b-41b2-8c57-6678aa0c8688", + "pattern": "[ipv4-addr:value = '89.163.242.76']", + "confidence": 50, + "lang": "en", + "type": "IP", + "created": "2020-06-10T01:14:35.839Z", + "modified": "2020-06-10T01:14:35.839Z", + "name": "bot_ip: 89.163.242.76", + "description": "TS ID: 55694549874; iType: bot_ip; Date First: 2020-06-05T08:45:20.346Z; State: active; Org: myLoc managed IT AG; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.800264Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1", + "value": "89.163.242.76" + }, + "fields": { + "description": "TS ID: 55694549874; iType: bot_ip; Date First: 2020-06-05T08:45:20.346Z; State: active; Org: myLoc managed IT AG; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "tags": [ + "low" + ] + } + }, + { + "value": "51.75.71.205", + "type": "IP", + "rawJSON": { + "id": "indicator--a8cc5b11-3bbb-4fb2-970c-31a6f58e1374", + "pattern": "[ipv4-addr:value = '51.75.71.205']", + "confidence": 85, + "lang": "en", + "type": "IP", + "created": "2020-06-10T01:14:41.919Z", + "modified": "2020-06-10T01:14:41.919Z", + "name": "bot_ip: 51.75.71.205", + "description": "TS ID: 55686993979; iType: bot_ip; Date First: 2020-06-03T07:29:11.148Z; State: active; Org: OVH SAS; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.73608Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + 
"spec_version": "2.1", + "value": "51.75.71.205" + }, + "fields": { + "description": "TS ID: 55686993979; iType: bot_ip; Date First: 2020-06-03T07:29:11.148Z; State: active; Org: OVH SAS; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "tags": [ + "low" + ] + } + }, + { + "value": "140.224.183.58", + "type": "IP", + "rawJSON": { + "id": "indicator--a8ee1e5f-8c08-4135-878c-4973179cbac5", + "pattern": "[ipv4-addr:value = '140.224.183.58']", + "confidence": 85, + "lang": "en", + "type": "IP", + "created": "2020-06-10T01:14:11.651Z", + "modified": "2020-06-10T01:14:11.651Z", + "name": "bot_ip: 140.224.183.58", + "description": "TS ID: 55694549823; iType: bot_ip; Date First: 2020-06-05T08:45:24.055Z; State: active; Org: China Telecom FUJIAN NETWORK; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.801661Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1", + "value": "140.224.183.58" + }, + "fields": { + "description": "TS ID: 55694549823; iType: bot_ip; Date First: 2020-06-05T08:45:24.055Z; State: active; Org: China Telecom FUJIAN NETWORK; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "tags": [ + "low" + ] + } + }, + { + "value": "161.35.22.86", + "type": "IP", + "rawJSON": { + "id": "indicator--aa4ec99f-3c54-4e60-ab47-83ff78d76570", + "pattern": "[ipv4-addr:value = '161.35.22.86']", + "confidence": 85, + "lang": "en", + "type": "IP", + "created": "2020-06-10T01:14:49.620Z", + "modified": "2020-06-10T01:14:49.620Z", + "name": "bot_ip: 161.35.22.86", + "description": "TS ID: 55697907934; iType: bot_ip; Date First: 2020-06-06T09:32:22.615Z; State: active; Org: Racal-Redac; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + 
"valid_from": "2020-06-10T01:00:33.831549Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1", + "value": "161.35.22.86" + }, + "fields": { + "description": "TS ID: 55697907934; iType: bot_ip; Date First: 2020-06-06T09:32:22.615Z; State: active; Org: Racal-Redac; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "tags": [ + "low" + ] + } + }, + { + "value": "45.143.220.246", + "type": "IP", + "rawJSON": { + "id": "indicator--ac4a9ca5-9f6e-4072-b568-46dbb03a3ace", + "pattern": "[ipv4-addr:value = '45.143.220.246']", + "confidence": 50, + "lang": "en", + "type": "IP", + "created": "2020-06-10T01:15:10.905Z", + "modified": "2020-06-10T01:15:10.905Z", + "name": "bot_ip: 45.143.220.246", + "description": "TS ID: 55691320117; iType: bot_ip; Date First: 2020-06-04T10:32:46.584Z; State: active; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.752185Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1", + "value": "45.143.220.246" + }, + "fields": { + "description": "TS ID: 55691320117; iType: bot_ip; Date First: 2020-06-04T10:32:46.584Z; State: active; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "tags": [ + "low" + ] + } + } +] diff --git a/Packs/ApiModules/Scripts/TAXII2ApiModule/test_data/stix_envelope_17-19.json b/Packs/ApiModules/Scripts/TAXII2ApiModule/test_data/stix_envelope_17-19.json new file mode 100644 index 000000000000..7bf5797fe341 --- /dev/null +++ b/Packs/ApiModules/Scripts/TAXII2ApiModule/test_data/stix_envelope_17-19.json 
@@ -0,0 +1,433 @@ +{ + "objects": [ + { + "id": "indicator--86fee2b1-807d-423d-9d0e-1117bab576ce", + "pattern": "[ipv4-addr:value = '195.123.227.186']", + "confidence": 50, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:14:33.126Z", + "modified": "2020-06-10T01:14:33.126Z", + "name": "bot_ip: 195.123.227.186", + "description": "TS ID: 55694549840; iType: bot_ip; Date First: 2020-06-05T08:42:19.170Z; State: active; Org: Layer6 Networks; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.779852Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" + }, + { + "id": "indicator--891207b3-bff4-4bc2-8c12-7fd2321c9f38", + "pattern": "[ipv4-addr:value = '134.209.37.102']", + "confidence": 85, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:14:52.501Z", + "modified": "2020-06-10T01:14:52.501Z", + "name": "bot_ip: 134.209.37.102", + "description": "TS ID: 55682983162; iType: bot_ip; Date First: 2020-06-02T07:26:06.274Z; State: active; Org: Covidien Lp; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.722754Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" + }, + { + "id": "indicator--8c726d5f-cb6b-45dc-8c2b-2be8596043cf", + "pattern": "[ipv4-addr:value = '117.141.112.155']", + "confidence": 50, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:14:54.684Z", + "modified": "2020-06-10T01:14:54.684Z", + "name": "bot_ip: 117.141.112.155", + "description": "TS ID: 55694549819; iType: bot_ip; Date First: 
2020-06-05T08:42:17.907Z; State: active; Org: China Mobile Guangdong; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.775627Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" + }, + { + "id": "indicator--8e19a19c-cd66-4278-8bfb-c05c64977d12", + "pattern": "[ipv4-addr:value = '23.129.64.217']", + "confidence": 50, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:14:19.858Z", + "modified": "2020-06-10T01:14:19.858Z", + "name": "bot_ip: 23.129.64.217", + "description": "TS ID: 55682983514; iType: bot_ip; Date First: 2020-06-02T07:26:46.206Z; State: active; Org: Emerald Onion; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.731573Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" + }, + { + "id": "indicator--90a4f95d-1e35-4f47-b303-5651c93457f4", + "pattern": "[ipv4-addr:value = '45.142.213.11']", + "confidence": 85, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:14:10.753Z", + "modified": "2020-06-10T01:14:10.753Z", + "name": "bot_ip: 45.142.213.11", + "description": "TS ID: 55694549856; iType: bot_ip; Date First: 2020-06-05T08:45:37.178Z; State: active; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.808281Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + 
"spec_version": "2.1" + }, + { + "id": "indicator--94f109aa-3ef2-4a8c-a847-dfb4c64f4f29", + "pattern": "[ipv4-addr:value = '157.245.250.190']", + "confidence": 50, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:14:15.950Z", + "modified": "2020-06-10T01:14:15.950Z", + "name": "bot_ip: 157.245.250.190", + "description": "TS ID: 55697907923; iType: bot_ip; Date First: 2020-06-06T09:32:01.051Z; State: active; Org: Datalogic ADC; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.818576Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" + }, + { + "id": "indicator--96d1737a-5565-49ac-8a91-52c2c7b38903", + "pattern": "[ipv4-addr:value = '144.91.106.47']", + "confidence": 50, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:15:00.764Z", + "modified": "2020-06-10T01:15:00.764Z", + "name": "bot_ip: 144.91.106.47", + "description": "TS ID: 55694549829; iType: bot_ip; Date First: 2020-06-05T08:44:22.790Z; State: active; Org: Mills College; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.791474Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" + }, + { + "id": "indicator--9c98d81b-b4a5-4b8d-8fd6-4b9beec0f1be", + "pattern": "[ipv4-addr:value = '141.98.81.208']", + "confidence": 50, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:14:39.995Z", + "modified": "2020-06-10T01:14:39.995Z", + "name": "bot_ip: 141.98.81.208", + "description": "TS ID: 55691320102; iType: bot_ip; Date First: 
2020-06-04T10:33:13.398Z; State: active; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.766866Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" + }, + { + "id": "indicator--9cbf82af-8a54-478a-af76-b88a73a33d37", + "pattern": "[ipv4-addr:value = '51.81.53.159']", + "confidence": 85, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:15:01.999Z", + "modified": "2020-06-10T01:15:01.999Z", + "name": "bot_ip: 51.81.53.159", + "description": "TS ID: 55694549861; iType: bot_ip; Date First: 2020-06-05T08:42:44.478Z; State: active; Org: OVH SAS; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.781286Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" + }, + { + "id": "indicator--9ee9aecd-89e6-4dd6-9a24-4c610b33ebbb", + "pattern": "[ipv4-addr:value = '104.168.173.252']", + "confidence": 50, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:14:58.530Z", + "modified": "2020-06-10T01:14:58.530Z", + "name": "bot_ip: 104.168.173.252", + "description": "TS ID: 55691320097; iType: bot_ip; Date First: 2020-06-04T10:32:46.612Z; State: active; Org: Hostwinds LLC.; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.753603Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" + 
}, + { + "id": "indicator--9febf107-dd82-4727-bcb7-199291ec474c", + "pattern": "[ipv4-addr:value = '173.212.206.89']", + "confidence": 50, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:14:34.822Z", + "modified": "2020-06-10T01:14:34.822Z", + "name": "bot_ip: 173.212.206.89", + "description": "TS ID: 55697907953; iType: bot_ip; Date First: 2020-06-06T09:31:54.190Z; State: active; Org: Contabo GmbH; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.814015Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" + }, + { + "id": "indicator--a25904c8-0270-4d57-add5-64f5ed1485b5", + "pattern": "[ipv4-addr:value = '67.207.94.201']", + "confidence": 15, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:14:29.751Z", + "modified": "2020-06-10T01:14:29.751Z", + "name": "bot_ip: 67.207.94.201", + "description": "TS ID: 55697908164; iType: bot_ip; Date First: 2020-06-06T09:32:30.450Z; State: active; Org: Digital Ocean; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.837493Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" + }, + { + "id": "indicator--a5a1408d-ff8b-41b2-8c57-6678aa0c8688", + "pattern": "[ipv4-addr:value = '89.163.242.76']", + "confidence": 50, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:14:35.839Z", + "modified": "2020-06-10T01:14:35.839Z", + "name": "bot_ip: 89.163.242.76", + "description": "TS ID: 55694549874; iType: bot_ip; Date First: 2020-06-05T08:45:20.346Z; State: active; Org: 
myLoc managed IT AG; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.800264Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" + }, + { + "id": "indicator--a8cc5b11-3bbb-4fb2-970c-31a6f58e1374", + "pattern": "[ipv4-addr:value = '51.75.71.205']", + "confidence": 85, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:14:41.919Z", + "modified": "2020-06-10T01:14:41.919Z", + "name": "bot_ip: 51.75.71.205", + "description": "TS ID: 55686993979; iType: bot_ip; Date First: 2020-06-03T07:29:11.148Z; State: active; Org: OVH SAS; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.73608Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" + }, + { + "id": "indicator--a8ee1e5f-8c08-4135-878c-4973179cbac5", + "pattern": "[ipv4-addr:value = '140.224.183.58']", + "confidence": 85, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:14:11.651Z", + "modified": "2020-06-10T01:14:11.651Z", + "name": "bot_ip: 140.224.183.58", + "description": "TS ID: 55694549823; iType: bot_ip; Date First: 2020-06-05T08:45:24.055Z; State: active; Org: China Telecom FUJIAN NETWORK; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.801661Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" + }, + { + 
"id": "indicator--aa4ec99f-3c54-4e60-ab47-83ff78d76570", + "pattern": "[ipv4-addr:value = '161.35.22.86']", + "confidence": 85, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:14:49.620Z", + "modified": "2020-06-10T01:14:49.620Z", + "name": "bot_ip: 161.35.22.86", + "description": "TS ID: 55697907934; iType: bot_ip; Date First: 2020-06-06T09:32:22.615Z; State: active; Org: Racal-Redac; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.831549Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" + }, + { + "id": "indicator--ac4a9ca5-9f6e-4072-b568-46dbb03a3ace", + "pattern": "[ipv4-addr:value = '45.143.220.246']", + "confidence": 50, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:15:10.905Z", + "modified": "2020-06-10T01:15:10.905Z", + "name": "bot_ip: 45.143.220.246", + "description": "TS ID: 55691320117; iType: bot_ip; Date First: 2020-06-04T10:32:46.584Z; State: active; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.752185Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" + }, + { + "id": "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82", + "created": "2017-01-20T00:00:00.000Z", + "definition_type": "tlp", + "definition": { + "tlp": "amber" + }, + "type": "marking-definition", + "spec_version": "2.1" + }, + { + "id": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da", + "created": "2017-01-20T00:00:00.000Z", + "definition_type": "tlp", + "definition": { + "tlp": "green" + }, + "type": 
"marking-definition", + "spec_version": "2.1" + } + ], + "more": false +} diff --git a/Packs/ApiModules/Scripts/TAXII2ApiModule/test_data/stix_envelope_complex_20-19.json b/Packs/ApiModules/Scripts/TAXII2ApiModule/test_data/stix_envelope_complex_20-19.json new file mode 100644 index 000000000000..5acaa155427a --- /dev/null +++ b/Packs/ApiModules/Scripts/TAXII2ApiModule/test_data/stix_envelope_complex_20-19.json 
@@ -0,0 +1,433 @@ +{ + "objects": [ + { + "id": "indicator--86fee2b1-807d-423d-9d0e-1117bab576ce", + "pattern": "[ipv4-addr:value = '195.123.227.186' AND ipv4-addr:value = '1.1.1.1']", + "confidence": 50, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:14:33.126Z", + "modified": "2020-06-10T01:14:33.126Z", + "name": "bot_ip: 195.123.227.186", + "description": "TS ID: 55694549840; iType: bot_ip; Date First: 2020-06-05T08:42:19.170Z; State: active; Org: Layer6 Networks; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.779852Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" + }, + { + "id": "indicator--891207b3-bff4-4bc2-8c12-7fd2321c9f38", + "pattern": "[ipv4-addr:value = '134.209.37.102' OR ipv4-addr:value = '2.2.2.2']", + "confidence": 85, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:14:52.501Z", + "modified": "2020-06-10T01:14:52.501Z", + "name": "bot_ip: 134.209.37.102", + "description": "TS ID: 55682983162; iType: bot_ip; Date First: 2020-06-02T07:26:06.274Z; State: active; Org: Covidien Lp; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.722754Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" + }, + { + "id": "indicator--8c726d5f-cb6b-45dc-8c2b-2be8596043cf", + "pattern": "[ipv4-addr:value = '117.141.112.155' FOLLOWEDBY ipv4-addr:value = '3.3.3.3']", + "confidence": 50, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:14:54.684Z", + "modified": "2020-06-10T01:14:54.684Z", + 
"name": "bot_ip: 117.141.112.155", + "description": "TS ID: 55694549819; iType: bot_ip; Date First: 2020-06-05T08:42:17.907Z; State: active; Org: China Mobile Guangdong; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.775627Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" + }, + { + "id": "indicator--8e19a19c-cd66-4278-8bfb-c05c64977d12", + "pattern": "[ipv4-addr:value = '23.129.64.217']", + "confidence": 50, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:14:19.858Z", + "modified": "2020-06-10T01:14:19.858Z", + "name": "bot_ip: 23.129.64.217", + "description": "TS ID: 55682983514; iType: bot_ip; Date First: 2020-06-02T07:26:46.206Z; State: active; Org: Emerald Onion; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.731573Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" + }, + { + "id": "indicator--90a4f95d-1e35-4f47-b303-5651c93457f4", + "pattern": "[ipv4-addr:value = '45.142.213.11']", + "confidence": 85, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:14:10.753Z", + "modified": "2020-06-10T01:14:10.753Z", + "name": "bot_ip: 45.142.213.11", + "description": "TS ID: 55694549856; iType: bot_ip; Date First: 2020-06-05T08:45:37.178Z; State: active; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.808281Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + 
"low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" + }, + { + "id": "indicator--94f109aa-3ef2-4a8c-a847-dfb4c64f4f29", + "pattern": "[ipv4-addr:value = '157.245.250.190']", + "confidence": 50, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:14:15.950Z", + "modified": "2020-06-10T01:14:15.950Z", + "name": "bot_ip: 157.245.250.190", + "description": "TS ID: 55697907923; iType: bot_ip; Date First: 2020-06-06T09:32:01.051Z; State: active; Org: Datalogic ADC; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.818576Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" + }, + { + "id": "indicator--96d1737a-5565-49ac-8a91-52c2c7b38903", + "pattern": "[ipv4-addr:value = '144.91.106.47']", + "confidence": 50, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:15:00.764Z", + "modified": "2020-06-10T01:15:00.764Z", + "name": "bot_ip: 144.91.106.47", + "description": "TS ID: 55694549829; iType: bot_ip; Date First: 2020-06-05T08:44:22.790Z; State: active; Org: Mills College; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.791474Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" + }, + { + "id": "indicator--9c98d81b-b4a5-4b8d-8fd6-4b9beec0f1be", + "pattern": "[ipv4-addr:value = '141.98.81.208']", + "confidence": 50, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:14:39.995Z", + "modified": "2020-06-10T01:14:39.995Z", + "name": "bot_ip: 
141.98.81.208", + "description": "TS ID: 55691320102; iType: bot_ip; Date First: 2020-06-04T10:33:13.398Z; State: active; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.766866Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" + }, + { + "id": "indicator--9cbf82af-8a54-478a-af76-b88a73a33d37", + "pattern": "[ipv4-addr:value = '51.81.53.159']", + "confidence": 85, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:15:01.999Z", + "modified": "2020-06-10T01:15:01.999Z", + "name": "bot_ip: 51.81.53.159", + "description": "TS ID: 55694549861; iType: bot_ip; Date First: 2020-06-05T08:42:44.478Z; State: active; Org: OVH SAS; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.781286Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" + }, + { + "id": "indicator--9ee9aecd-89e6-4dd6-9a24-4c610b33ebbb", + "pattern": "[ipv4-addr:value = '104.168.173.252']", + "confidence": 50, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:14:58.530Z", + "modified": "2020-06-10T01:14:58.530Z", + "name": "bot_ip: 104.168.173.252", + "description": "TS ID: 55691320097; iType: bot_ip; Date First: 2020-06-04T10:32:46.612Z; State: active; Org: Hostwinds LLC.; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.753603Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + 
"anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" + }, + { + "id": "indicator--9febf107-dd82-4727-bcb7-199291ec474c", + "pattern": "[ipv4-addr:value = '173.212.206.89']", + "confidence": 50, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:14:34.822Z", + "modified": "2020-06-10T01:14:34.822Z", + "name": "bot_ip: 173.212.206.89", + "description": "TS ID: 55697907953; iType: bot_ip; Date First: 2020-06-06T09:31:54.190Z; State: active; Org: Contabo GmbH; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.814015Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" + }, + { + "id": "indicator--a25904c8-0270-4d57-add5-64f5ed1485b5", + "pattern": "[ipv4-addr:value = '67.207.94.201']", + "confidence": 15, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:14:29.751Z", + "modified": "2020-06-10T01:14:29.751Z", + "name": "bot_ip: 67.207.94.201", + "description": "TS ID: 55697908164; iType: bot_ip; Date First: 2020-06-06T09:32:30.450Z; State: active; Org: Digital Ocean; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.837493Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" + }, + { + "id": "indicator--a5a1408d-ff8b-41b2-8c57-6678aa0c8688", + "pattern": "[ipv4-addr:value = '89.163.242.76']", + "confidence": 50, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:14:35.839Z", + "modified": "2020-06-10T01:14:35.839Z", + "name": "bot_ip: 89.163.242.76", + "description": "TS ID: 
55694549874; iType: bot_ip; Date First: 2020-06-05T08:45:20.346Z; State: active; Org: myLoc managed IT AG; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.800264Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" + }, + { + "id": "indicator--a8cc5b11-3bbb-4fb2-970c-31a6f58e1374", + "pattern": "[ipv4-addr:value = '51.75.71.205']", + "confidence": 85, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:14:41.919Z", + "modified": "2020-06-10T01:14:41.919Z", + "name": "bot_ip: 51.75.71.205", + "description": "TS ID: 55686993979; iType: bot_ip; Date First: 2020-06-03T07:29:11.148Z; State: active; Org: OVH SAS; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.73608Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" + }, + { + "id": "indicator--a8ee1e5f-8c08-4135-878c-4973179cbac5", + "pattern": "[ipv4-addr:value = '140.224.183.58']", + "confidence": 85, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:14:11.651Z", + "modified": "2020-06-10T01:14:11.651Z", + "name": "bot_ip: 140.224.183.58", + "description": "TS ID: 55694549823; iType: bot_ip; Date First: 2020-06-05T08:45:24.055Z; State: active; Org: China Telecom FUJIAN NETWORK; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.801661Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + 
"anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" + }, + { + "id": "indicator--aa4ec99f-3c54-4e60-ab47-83ff78d76570", + "pattern": "[ipv4-addr:value = '161.35.22.86']", + "confidence": 85, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:14:49.620Z", + "modified": "2020-06-10T01:14:49.620Z", + "name": "bot_ip: 161.35.22.86", + "description": "TS ID: 55697907934; iType: bot_ip; Date First: 2020-06-06T09:32:22.615Z; State: active; Org: Racal-Redac; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.831549Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" + }, + { + "id": "indicator--ac4a9ca5-9f6e-4072-b568-46dbb03a3ace", + "pattern": "[ipv4-addr:value = '45.143.220.246']", + "confidence": 50, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:15:10.905Z", + "modified": "2020-06-10T01:15:10.905Z", + "name": "bot_ip: 45.143.220.246", + "description": "TS ID: 55691320117; iType: bot_ip; Date First: 2020-06-04T10:32:46.584Z; State: active; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.752185Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" + }, + { + "id": "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82", + "created": "2017-01-20T00:00:00.000Z", + "definition_type": "tlp", + "definition": { + "tlp": "amber" + }, + "type": "marking-definition", + "spec_version": "2.1" + }, + { + "id": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da", + "created": 
"2017-01-20T00:00:00.000Z", + "definition_type": "tlp", + "definition": { + "tlp": "green" + }, + "type": "marking-definition", + "spec_version": "2.1" + } + ], + "more": false +} diff --git a/Packs/ApiModules/Scripts/TAXII2ApiModule/test_data/stix_envelope_no_indicators.json b/Packs/ApiModules/Scripts/TAXII2ApiModule/test_data/stix_envelope_no_indicators.json new file mode 100644 index 000000000000..880413ab4b21 --- /dev/null +++ b/Packs/ApiModules/Scripts/TAXII2ApiModule/test_data/stix_envelope_no_indicators.json @@ -0,0 +1,25 @@ +{ + "objects": [ + { + "id": "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82", + "created": "2017-01-20T00:00:00.000Z", + "definition_type": "tlp", + "definition": { + "tlp": "amber" + }, + "type": "marking-definition", + "spec_version": "2.1" + }, + { + "id": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da", + "created": "2017-01-20T00:00:00.000Z", + "definition_type": "tlp", + "definition": { + "tlp": "green" + }, + "type": "marking-definition", + "spec_version": "2.1" + } + ], + "more": false +} diff --git a/Packs/ApiModules/pack_metadata.json b/Packs/ApiModules/pack_metadata.json index b98165781835..4fdbc965f4e6 100644 --- a/Packs/ApiModules/pack_metadata.json +++ b/Packs/ApiModules/pack_metadata.json @@ -2,7 +2,7 @@ "name": "ApiModules", "description": "API Modules", "support": "xsoar", - "currentVersion": "1.0.2", + "currentVersion": "1.0.3", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/AzureSecurityCenter/Integrations/AzureSecurityCenter_v2/AzureSecurityCenter_v2.py b/Packs/AzureSecurityCenter/Integrations/AzureSecurityCenter_v2/AzureSecurityCenter_v2.py index 617cc7d677aa..dd5655740eda 100644 --- a/Packs/AzureSecurityCenter/Integrations/AzureSecurityCenter_v2/AzureSecurityCenter_v2.py +++ b/Packs/AzureSecurityCenter/Integrations/AzureSecurityCenter_v2/AzureSecurityCenter_v2.py 
@@ -1,33 +1,13 @@ +import demistomock as demisto from CommonServerPython import * - -""" IMPORTS """ -import requests -import base64 -import os -from cryptography.hazmat.primitives.ciphers.aead import AESGCM import ast -from datetime import datetime # disable insecure warnings requests.packages.urllib3.disable_warnings() """ GLOBAL VARS """ -PARAMS = demisto.params() -TENANT_ID = PARAMS.get("tenant_id") -AUTH_AND_TOKEN_URL = PARAMS.get("auth_id", "").split("@") -AUTH_ID = AUTH_AND_TOKEN_URL[0] -ENC_KEY = PARAMS.get("enc_key") -if len(AUTH_AND_TOKEN_URL) != 2: - TOKEN_RETRIEVAL_URL = "https://oproxy.demisto.ninja/obtain-token" # disable-secrets-detection -else: - TOKEN_RETRIEVAL_URL = AUTH_AND_TOKEN_URL[1] -# Remove trailing slash to prevent wrong URL path to service -SERVER = PARAMS.get("server_url", "") - APP_NAME = "ms-azure-sc" -USE_SSL = not PARAMS.get("unsecure", False) -SUBSCRIPTION_ID = demisto.args().get("subscription_id") or PARAMS.get("default_sub_id") # API Versions SUBSCRIPTION_API_VERSION = "2015-01-01" 
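Review bot: The retained `requests.packages.urllib3.disable_warnings()` in the middle of this hunk is called with no category, so it silences every urllib3 warning process-wide (the default category is the `HTTPWarning` base, which covers `InsecureRequestWarning`, `InsecurePlatformWarning` and `SNIMissingWarning`), and now that `USE_SSL = not PARAMS.get("unsecure", False)` has been removed from this module the call is unconditional with nothing nearby indicating whether certificate verification is still enforced for the instance. Narrow it to the one warning it is meant to suppress, `requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)`, or gate it on the insecure parameter wherever that option now lives, so a verification-disabled instance is the only case that goes quiet. Also, `import requests` is deleted while this line still uses `requests` at import time, so the module now depends on `from CommonServerPython import *` re-exporting that name; presumably it does, but a one-line comment such as `# `requests` comes from CommonServerPython's star import` would make the dependency explicit for the next reader.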
@@ -42,138 +22,6 @@ """ HELPER FUNCTIONS """ -def epoch_seconds(d=None): - """ - Return the number of seconds for given date. If no date, return current. - """ - if not d: - d = datetime.utcnow() - return int((d - datetime.utcfromtimestamp(0)).total_seconds()) - - -def get_encrypted(content: str, key: str) -> str: - """ - Encrypt content using a specified key - """ - def create_nonce() -> bytes: - return os.urandom(12) - - def encrypt(string: str, enc_key: str) -> bytes: - # String to bytes - enc_key = base64.b64decode(enc_key) - # Create key - aes_gcm = AESGCM(enc_key) - # Create nonce - nonce = create_nonce() - # Create ciphered data - data = string.encode() - ct = aes_gcm.encrypt(nonce, data, None) - return base64.b64encode(nonce + ct) - now = epoch_seconds() - encrypted = encrypt(f'{now}:{content}', key).decode('utf-8') - return encrypted - - -def get_access_token(): - integration_context = demisto.getIntegrationContext() - access_token = integration_context.get('access_token') - valid_until = integration_context.get('valid_until') - calling_context = demisto.callingContext.get('context', {}) # type: ignore[attr-defined] - brand_name = calling_context.get('IntegrationBrand', '') - instance_name = calling_context.get('IntegrationInstance', '') - if access_token and valid_until: - if epoch_seconds() < valid_until: - return access_token - headers = {'Accept': 'application/json'} - headers['X-Content-Version'] = CONTENT_RELEASE_VERSION - headers['X-Branch-Name'] = CONTENT_BRANCH_NAME - headers['X-Content-Name'] = brand_name or instance_name or 'Name not found' - - dbot_response = requests.post( - TOKEN_RETRIEVAL_URL, - headers=headers, - data=json.dumps({ - 'app_name': APP_NAME, - 'registration_id': AUTH_ID, - 'encrypted_token': get_encrypted(TENANT_ID, ENC_KEY) - }), - verify=USE_SSL - ) - if dbot_response.status_code not in {200, 201}: - msg = 'Error in authentication. Try checking the credentials you entered.' 
- try: - demisto.info('Authentication failure from server: {} {} {}'.format( - dbot_response.status_code, dbot_response.reason, dbot_response.text)) - err_response = dbot_response.json() - server_msg = err_response.get('message') - if not server_msg: - title = err_response.get('title') - detail = err_response.get('detail') - if title: - server_msg = f'{title}. {detail}' - if server_msg: - msg += ' Server message: {}'.format(server_msg) - except Exception as ex: - demisto.error('Failed parsing error response - Exception: {}'.format(ex)) - raise Exception(msg) - try: - gcloud_function_exec_id = dbot_response.headers.get('Function-Execution-Id') - demisto.info(f'Google Cloud Function Execution ID: {gcloud_function_exec_id}') - parsed_response = dbot_response.json() - except ValueError: - raise Exception( - 'There was a problem in retrieving an updated access token.\n' - 'The response from the Demistobot server did not contain the expected content.' - ) - access_token = parsed_response.get('access_token') - expires_in = parsed_response.get('expires_in', 3595) - time_now = epoch_seconds() - time_buffer = 5 # seconds by which to shorten the validity period - if expires_in - time_buffer > 0: - # err on the side of caution with a slightly shorter access token validity period - expires_in = expires_in - time_buffer - - demisto.setIntegrationContext({ - 'access_token': access_token, - 'valid_until': time_now + expires_in - }) - return access_token - - -def http_request(method, url_suffix, body=None, params=None, add_subscription=True): - """ - Generic request to the graph - """ - token = get_access_token() - headers = { - "Authorization": "Bearer " + token, - "Content-Type": "application/json", - "Accept": "application/json", - } - - if add_subscription: - url = "{}subscriptions/{}/{}".format(SERVER, SUBSCRIPTION_ID, url_suffix) - else: - url = SERVER + url_suffix - - r = requests.request(method, url, json=body, params=params, headers=headers, verify=USE_SSL) - if 
r.status_code not in {200, 201, 202, 204}: - if r.status_code in {401, 403}: - return_error( - "Permission error in API call to Azure Security Center, make sure the application has access " - "to the relevant resources.") - return_error( - "Error in API call to Azure Security Center [{}] - {}".format( - r.status_code, r.text - ) - ) - try: - r = r.json() - return r - except ValueError: - return dict() - - # Format ports in JIT access policy rule to (portNum, protocol, allowedAddress, maxDuration) def format_jit_port_rule(ports): port_array = list() 
@@ -220,11 +68,355 @@ def normalize_context_key(string): return tmp.replace(" ", "") +class MsClient: + """ + Microsoft Client enables authorized access to Azure Security Center. + """ + + def __init__(self, tenant_id, auth_id, enc_key, app_name, server, verify, proxy, self_deployed, subscription_id, + ok_codes): + base_url_with_subscription = f"{server}subscriptions/{subscription_id}/" + self.ms_client = MicrosoftClient( + tenant_id=tenant_id, auth_id=auth_id, enc_key=enc_key, app_name=app_name, + base_url=base_url_with_subscription, verify=verify, proxy=proxy, self_deployed=self_deployed, + ok_codes=ok_codes, scope="https://management.azure.com/.default") + self.server = server + self.subscription_id = subscription_id + + def get_alert(self, resource_group_name, asc_location, alert_id): + """ + Args: + resource_group_name (str): ResourceGroupName + asc_location (str): Azure Security Center location + alert_id (str): Alert ID + + Returns: + response body (dict) + + """ + cmd_url = f"/resourceGroups/{resource_group_name}" if resource_group_name else "" + cmd_url += f"/providers/Microsoft.Security/locations/{asc_location}/alerts/{alert_id}" + params = {'api-version': ALERT_API_VERSION} + return self.ms_client.http_request( + method="GET", url_suffix=cmd_url, params=params) + + def get_alerts(self, resource_group_name, asc_location, filter_query, select_query, expand_query): + """ + Args: + resource_group_name (str): ResourceGroupName + asc_location (str): Azure Security Center location + filter_query (str): what to filter + select_query (str): what to select + expand_query (str): what to expand + + Returns: + dict: contains response body + """ + if resource_group_name: + cmd_url = f"/resourceGroups/{resource_group_name}/providers/Microsoft.Security" + # ascLocation must be using with specifying resourceGroupName + if asc_location: + cmd_url += f"/locations/{asc_location}" + cmd_url += "/alerts" + else: + cmd_url = "/providers/Microsoft.Security/alerts" + + params = 
{'api-version': ALERT_API_VERSION} + if filter_query: + params['$filter'] = filter_query + if select_query: + params['$select'] = select_query + if expand_query: + params['$expand'] = expand_query + + return self.ms_client.http_request(method="GET", url_suffix=cmd_url, params=params) + + def list_alerts(self, resource_group_name, asc_location, filter_query, select_query, expand_query): + """Listing alerts + + Args: + resource_group_name (str): ResourceGroupName + asc_location (str): Azure Security Center location + filter_query (str): what to filter + select_query (str): what to select + expand_query (str): what to expand + + Returns: + dict: contains response body + """ + if resource_group_name: + cmd_url = "/resourceGroups/{}/providers/Microsoft.Security".format( + resource_group_name + ) + # ascLocation must be using with specifying resourceGroupName + if asc_location: + cmd_url += f"/locations/{asc_location}" + cmd_url += "/alerts" + else: + cmd_url = "/providers/Microsoft.Security/alerts" + + params = {'api-version': ALERT_API_VERSION} + if filter_query: + params['$filter'] = filter_query + if select_query: + params['$select'] = select_query + if expand_query: + params['$expand'] = expand_query + + return self.ms_client.http_request(method="GET", url_suffix=cmd_url, params=params) + + def update_alert(self, resource_group_name, asc_location, alert_id, alert_update_action_type): + """ + Args: + resource_group_name (str): Resource Name Group + asc_location (str): Azure Security Center Location + alert_id (str): Alert ID + alert_update_action_type (str): What update type need to update + + Returns: + dict: response body + """ + cmd_url = f"/resourceGroups/{resource_group_name}" if resource_group_name else "" + cmd_url += f"/providers/Microsoft.Security/locations/{asc_location}/alerts/{alert_id}/" \ + f"{alert_update_action_type}" + params = {"api-version": ALERT_API_VERSION} + # Using resp_type=response to avoid parsing error. 
+ self.ms_client.http_request(method="POST", url_suffix=cmd_url, params=params, resp_type='response') + + def list_locations(self): + """ + Returns: + dict: response body + """ + cmd_url = "/providers/Microsoft.Security/locations" + params = {"api-version": LOCATION_API_VERSION} + return self.ms_client.http_request(method="GET", url_suffix=cmd_url, params=params) + + def update_atp(self, resource_group_name, storage_account, setting_name, is_enabled): + """ + Args: + resource_group_name (str): Resource Group Name + storage_account (str): Storange Account + setting_name (str): Setting Name + is_enabled (str): true/false + + Returns: + dict: respones body + """ + cmd_url = f"/resourceGroups/{resource_group_name}/providers/Microsoft.Storage/storageAccounts/" \ + f"{storage_account}/providers/Microsoft.Security/advancedThreatProtectionSettings/{setting_name}" + params = {"api-version": ATP_API_VERSION} + data = { + "id": f"/subscriptions/{self.subscription_id}/resourceGroups/{resource_group_name}/providers/" + f"Microsoft.Storage/storageAccounts/{storage_account}/providers/Microsoft.Security/" + f"advancedThreatProtectionSettings/{setting_name}", + "name": setting_name, + "type": "Microsoft.Security/advancedThreatProtectionSettings", + "properties": {"isEnabled": is_enabled}, + } + + # Using resp_type=response to avoid parsing error. 
+ return self.ms_client.http_request(method="PUT", url_suffix=cmd_url, json_data=data, params=params) + + def get_atp(self, resource_group_name, storage_account, setting_name): + """ + Args: + resource_group_name (str): Resource Group Name + storage_account (str): Storange Account + setting_name (str): Setting Name + + Returns: + + """ + cmd_url = f"/resourceGroups/{resource_group_name}/providers/Microsoft.Storage/storageAccounts" \ + f"/{storage_account}/providers/Microsoft.Security/advancedThreatProtectionSettings/{setting_name}" + params = {"api-version": ATP_API_VERSION} + return self.ms_client.http_request(method="GET", url_suffix=cmd_url, params=params) + + def update_aps(self, setting_name, auto_provision): + """ + Args: + setting_name (str): Setting name + auto_provision (str): Auto provision setting (On/Off) + + Returns: + dict: response body + """ + cmd_url = f"/providers/Microsoft.Security/autoProvisioningSettings/{setting_name}" + params = {"api-version": APS_API_VERSION} + + data = {"properties": {"autoProvision": auto_provision}} + + return self.ms_client.http_request(method="PUT", url_suffix=cmd_url, json_data=data, params=params) + + def list_aps(self): + """ + Returns: + dict: response body + """ + cmd_url = "/providers/Microsoft.Security/autoProvisioningSettings" + params = {"api-version": APS_API_VERSION} + return self.ms_client.http_request(method="GET", url_suffix=cmd_url, params=params) + + def get_aps(self, setting_name): + """ + Args: + setting_name: Setting name + + Returns: + dict: response body + """ + cmd_url = f"/providers/Microsoft.Security/autoProvisioningSettings/{setting_name}" + params = {"api-version": APS_API_VERSION} + + return self.ms_client.http_request(method="GET", url_suffix=cmd_url, params=params) + + def list_ipp(self, management_group=None): + """ + Args: + management_group: Managment group to pull (if needed) + + Returns: + dict: response body + + """ + params = {"api-version": IPP_API_VERSION} + cmd_url = 
"/providers/Microsoft.Security/informationProtectionPolicies" + if management_group: + full_url = f"{self.server}/providers/Microsoft.Management/managementGroups/{management_group}" + full_url += cmd_url + return self.ms_client.http_request(method="GET", full_url=full_url, url_suffix="", params=params) + return self.ms_client.http_request(method="GET", url_suffix=cmd_url, params=params) + + def get_ipp(self, policy_name, management_group): + """ + Args: + policy_name (str): Policy name + management_group (str): Managment group + + Returns: + dict: respone body + """ + params = {"api-version": IPP_API_VERSION} + + cmd_url = f"/providers/Microsoft.Security/informationProtectionPolicies/{policy_name}" + if management_group: + full_url = f"{self.server}/providers/Microsoft.Management/managementGroups/{management_group}" + full_url += cmd_url + return self.ms_client.http_request(method="GET", full_url=full_url, url_suffix="", params=params) + return self.ms_client.http_request(method="GET", url_suffix=cmd_url, params=params) + + def list_jit(self, asc_location, resource_group_name): + """ + Args: + asc_location: Machine location + resource_group_name: Resource group name + + Returns: + dict: response body + """ + params = {"api-version": JIT_API_VERSION} + cmd_url = f"/resourceGroups/{resource_group_name}" if resource_group_name else "" + cmd_url += f"/providers/Microsoft.Security/locations/{asc_location}" if asc_location else "" + cmd_url += "/providers/Microsoft.Security/jitNetworkAccessPolicies" + return self.ms_client.http_request(method="GET", url_suffix=cmd_url, params=params) + + def get_jit(self, policy_name, asc_location, resource_group_name): + """ + Args: + policy_name: Policy name + asc_location: Machine location + resource_group_name: Resource name group + + Returns: + dict: response body + """ + cmd_url = f"/resourceGroups/{resource_group_name}/providers/Microsoft.Security/locations/{asc_location}/" \ + f"jitNetworkAccessPolicies/{policy_name}" + params = 
{"api-version": JIT_API_VERSION} + + return self.ms_client.http_request(method="GET", url_suffix=cmd_url, params=params) + + def initiate_jit(self, resource_group_name, asc_location, policy_name, vm_id, port, source_address, duration): + """Starting new Just-in-time machine + + Args: + resource_group_name: Resource group name + asc_location: Machine location + policy_name: Policy name + vm_id: Virtual Machine ID + port: ports to be used + source_address: Source address + duration: Time in + + Returns: + dict: response body + """ + cmd_url = f"/resourceGroups/{resource_group_name}/providers/Microsoft.Security/locations/{asc_location}/" \ + f"jitNetworkAccessPolicies/{policy_name}/initiate" + params = {"api-version": JIT_API_VERSION} + + # only supports init access for one vm and one port now + data = { + "virtualMachines": [ + { + "ID": vm_id, + "ports": [ + { + "number": port, + "duration": duration, + "allowedSourceAddressPrefix": source_address, + } + ], + } + ] + } + # response code should be 202 Accepted + return self.ms_client.http_request(method="POST", url_suffix=cmd_url, json_data=data, params=params, + resp_type="response") + + def delete_jit(self, asc_location, resource_group_name, policy_name): + """ + Args: + asc_location: Machine location + resource_group_name: Resource group name + policy_name: Policy name + """ + cmd_url = f"/resourceGroups/{resource_group_name}/providers/Microsoft.Security/locations/{asc_location}/" \ + f"jitNetworkAccessPolicies/{policy_name}" + + params = {"api-version": JIT_API_VERSION} + + # Using resp_type=text to avoid parsing error. 
response should be 204 + self.ms_client.http_request(method="DELETE", url_suffix=cmd_url, params=params, resp_type='text') + + def list_sc_storage(self): + """ + Returns: + dict: response body + + """ + cmd_url = "/providers/Microsoft.Storage/storageAccounts" + params = {"api-version": STORAGE_API_VERSION} + return self.ms_client.http_request(method="GET", url_suffix=cmd_url, params=params) + + def list_sc_subscriptions(self): + """ + Returns: + dict: response body + + """ + full_url = f"{self.server}/subscriptions" + params = {"api-version": SUBSCRIPTION_API_VERSION} + return self.ms_client.http_request(method="GET", full_url=full_url, url_suffix="", params=params) + + """ FUNCTIONS """ + """ Alert Start """ -def get_alert_command(args): +def get_alert_command(client: MsClient, args: dict): """Getting specified alert from API Args args (dict): dictionary containing commands args @@ -232,7 +424,7 @@ def get_alert_command(args): resource_group_name = args.get("resource_group_name") asc_location = args.get("asc_location") alert_id = args.get("alert_id") - alert = get_alert(resource_group_name, asc_location, alert_id) + alert = client.get_alert(resource_group_name, asc_location, alert_id) final_output = list() # Basic Property Table @@ -281,14 +473,10 @@ def get_alert_command(args): "AssociatedResource", "AlertName", "InstanceID", - "ID", - ], - removeNull=True, - ) + "ID"], + removeNull=True) - ec = { - "AzureSecurityCenter.Alert(val.ID && val.ID === obj.ID)": basic_table_output - } + ec = {"AzureSecurityCenter.Alert(val.ID && val.ID === obj.ID)": basic_table_output} basic_table_entry = { "Type": entryTypes["note"], 
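Review bot: `MsClient.__init__` joins `server` without a separator (`f"{server}subscriptions/{subscription_id}/"`) while `list_ipp`, `get_ipp` and `list_sc_subscriptions` join `self.server` with a leading slash (`f"{self.server}/subscriptions"`), so whichever trailing-slash form the `server` parameter carries, one of the two URL families is malformed (a missing separator or a `//`). Normalise once in the constructor, `self.server = server.rstrip("/")` and `base_url_with_subscription = f"{self.server}/subscriptions/{subscription_id}/"`, and build the management-group and subscription URLs from that. Every path segment (`resource_group_name`, `alert_id`, `policy_name`, `management_group`, `setting_name`, …) is interpolated verbatim from command arguments; quoting each with `urllib.parse.quote(value, safe="")` keeps a value containing `/` or `?` from changing the request path or query string. Two docstrings also disagree with the code: `update_alert` says it returns `dict: response body` but the method does not return the `http_request` result, and the `# Using resp_type=response to avoid parsing error.` comment on `update_atp` sits on a call that passes no `resp_type`. `get_alerts` and `list_alerts` are functionally identical; one could delegate to the other.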
@@ -302,9 +490,9 @@ def get_alert_command(args): # Extended Properties Table if ( - alert.get("properties") - and alert.get("properties") - and alert.get("properties").get("extendedProperties") + alert.get("properties") + and alert.get("properties") + and alert.get("properties").get("extendedProperties") ): extended_properties = dict() properties = alert.get("properties") @@ -354,33 +542,11 @@ def get_alert_command(args): demisto.results(final_output) -def get_alert(resource_group_name, asc_location, alert_id): - """Building query - - Args: - resource_group_name (str): ResourceGroupName - asc_location (str): Azure Security Center location - alert_id (str): Alert ID - subscription (str): Subscription ID - - Returns: - response body (dict) - - """ - cmd_url = "" - if resource_group_name: - cmd_url += "/resourceGroups/{}".format(resource_group_name) - cmd_url += "/providers/Microsoft.Security/locations/{}/alerts/{}?api-version={}".format( - asc_location, alert_id, ALERT_API_VERSION - ) - response = http_request("GET", cmd_url) - return response - - -def list_alerts_command(args): +def list_alerts_command(client: MsClient, args: dict): """Getting all alerts Args: + client: args (dict): usually demisto.args() """ resource_group_name = args.get("resource_group_name") @@ -389,7 +555,7 @@ def list_alerts_command(args): select_query = args.get("select") expand_query = args.get("expand") - alerts = list_alerts( + alerts = client.list_alerts( resource_group_name, asc_location, filter_query, select_query, expand_query ).get("value") outputs = list() 
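Review bot: The new `client:` line in the `list_alerts_command` docstring carries no description; `client (MsClient): authenticated client used for the API calls` would complete the Args block. The same bare `client:` line appears in the later hunks on update_atp_command, get_atp_command, update_aps_command, get_aps_command, list_ipp_command, get_ipp_command and list_jit_command. list_alerts_command's body continues past this hunk.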
@@ -425,141 +591,27 @@ def list_alerts_command(args): removeNull=True, ) ec = {"AzureSecurityCenter.Alert(val.ID && val.ID === obj.ID)": outputs} - entry = { - "Type": entryTypes["note"], - "Contents": alerts, - "ContentsFormat": formats["json"], - "ReadableContentsFormat": formats["markdown"], - "HumanReadable": md, - "EntryContext": ec, - } - demisto.results(entry) + return md, ec, alerts -def get_alerts( - resource_group_name, asc_location, filter_query, select_query, expand_query -): - """Building query - - Args: - resource_group_name (str): ResourceGroupName - asc_location (str): Azure Security Center location - filter_query (str): what to filter - select_query (str): what to select - expand_query (str): what to expand - - Returns: - dict: contains response body - """ - cmd_url = "" - if resource_group_name: - cmd_url += "/resourceGroups/{}/providers/Microsoft.Security".format( - resource_group_name - ) - # ascLocation muse be using with specifying resourceGroupName - if asc_location: - cmd_url += "/locations/{}".format(asc_location) - else: - cmd_url += "/providers/Microsoft.Security" - cmd_url += "/alerts?api-version={}".format(ALERT_API_VERSION) - - if filter_query: - cmd_url += "&$filter={}".format(filter_query) - if select_query: - cmd_url += "&$select={}".format(select_query) - if expand_query: - cmd_url += "&$expand={}".format(expand_query) - - response = http_request("GET", cmd_url) - return response - - -def list_alerts( - resource_group_name, asc_location, filter_query, select_query, expand_query -): - """Listing alerts - - Args: - resource_group_name (str): ResourceGroupName - asc_location (str): Azure Security Center location - filter_query (str): what to filter - select_query (str): what to select - expand_query (str): what to expand - - Returns: - dict: contains response body - """ - cmd_url = "" - if resource_group_name: - cmd_url += "/resourceGroups/{}/providers/Microsoft.Security".format( - resource_group_name - ) - # ascLocation must be using 
with specifying resourceGroupName - if asc_location: - cmd_url += "/locations/{}".format(asc_location) - else: - cmd_url += "/providers/Microsoft.Security" - cmd_url += "/alerts?api-version={}".format(ALERT_API_VERSION) - - if filter_query: - cmd_url += "&$filter={}".format(filter_query) - if select_query: - cmd_url += "&$select={}".format(select_query) - if expand_query: - cmd_url += "&$expand={}".format(expand_query) - - response = http_request("GET", cmd_url) - return response - - -def update_alert_command(args): +# There's a Microsoft API bug for reactivate alert - +# https://social.msdn.microsoft.com/Forums/windows/en-US/c2139e1b-b26c-4264-a558-fa4b180b70e7/issue-while-setting-security-alert-state-from-dismiss-to-active?forum=AzureSecurityCenter +def update_alert_command(client: MsClient, args: dict): """Update given alert Args: + client: MsClient args (dict): usually demisto.args() """ resource_group_name = args.get("resource_group_name") asc_location = args.get("asc_location") alert_id = args.get("alert_id") alert_update_action_type = args.get("alert_update_action_type") - response = update_alert( - resource_group_name, asc_location, alert_id, alert_update_action_type - ) - outputs = {"ID": response.get("id"), "ActionTaken": alert_update_action_type} + client.update_alert(resource_group_name, asc_location, alert_id, alert_update_action_type) + outputs = {"ID": alert_id, "ActionTaken": alert_update_action_type} ec = {"AzureSecurityCenter.Alert(val.ID && val.ID === obj.ID)": outputs} - - demisto.results( - { - "Type": entryTypes["note"], - "Contents": "Alert - {} has been set to {}.".format( - alert_id, alert_update_action_type - ), - "ContentsFormat": formats["text"], - "EntryContext": ec, - } - ) - - -def update_alert(resource_group_name, asc_location, alert_id, alert_update_action_type): - """Building query - - Args: - resource_group_name (str): Resource Name Group - asc_location (str): Azure Security Center Location - alert_id (str): Alert ID - 
alert_update_action_type (str): What update type need to update - - Returns: - dict: response body - """ - cmd_url = "" - if resource_group_name: - cmd_url += "/resourceGroups/{}".format(resource_group_name) - cmd_url += "/providers/Microsoft.Security/locations/{}/alerts/{}/{}?api-version={}".format( - asc_location, alert_id, alert_update_action_type, ALERT_API_VERSION - ) - return http_request("POST", cmd_url) + return f"Alert - {alert_id} has been set to {alert_update_action_type}.", ec, None """ Alert End """ @@ -567,15 +619,15 @@ def update_alert(resource_group_name, asc_location, alert_id, alert_update_actio """ Location Start """ -def list_locations_command(): +def list_locations_command(client: MsClient): """Getting all locations """ - locations = list_locations().get("value") + locations = client.list_locations().get("value") outputs = list() if locations: for location in locations: if location.get("properties") and location.get("properties").get( - "homeRegionName" + "homeRegionName" ): home_region_name = location.get("properties").get("homeRegionName") else: @@ -594,30 +646,9 @@ def list_locations_command(): removeNull=True, ) ec = {"AzureSecurityCenter.Location(val.ID && val.ID === obj.ID)": outputs} - entry = { - "Type": entryTypes["note"], - "Contents": locations, - "ContentsFormat": formats["json"], - "ReadableContentsFormat": formats["markdown"], - "HumanReadable": md, - "EntryContext": ec, - } - demisto.results(entry) + return md, ec, locations else: - demisto.results("No locations found") - - -def list_locations(): - """Building query - - Returns: - dict: response body - """ - cmd_url = "/providers/Microsoft.Security/locations?api-version={}".format( - LOCATION_API_VERSION - ) - response = http_request("GET", cmd_url) - return response + return "No locations found", None, None """ Location End """ 
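Review bot: `update_alert_command` now builds its context entry from the caller-supplied `alert_id` rather than from a server response, because `client.update_alert` discards the response, so the message `Alert - {alert_id} has been set to {alert_update_action_type}.` is reported whenever the call does not raise. That presumably relies on `MicrosoftClient` rejecting non-ok status codes via `ok_codes`; a comment above the call such as `# update_alert returns nothing; success is inferred from the HTTP status (non-ok codes raise)` would make the contract explicit. The forum link above the function would be easier to find as a `Note:` section inside the docstring.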
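Review bot: `list_locations_command` returns `"No locations found", None, None` in its empty branch while the other branch returns a populated context dict, so whoever consumes the triple must accept `None` for the context and raw parts, and that contract is not documented. Adding `Returns: tuple of (readable output, entry context or None, raw response or None)` to the docstring would pin it. The function's header is in the preceding hunk.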
@@ -625,19 +656,18 @@ def list_locations(): """ Advanced Threat Protection Start """ -def update_atp_command(args): +def update_atp_command(client: MsClient, args: dict): """Updating given Advanced Threat Protection (enable/disable) Args: + client: args (dict): usually demisto.args() """ resource_group_name = args.get("resource_group_name") setting_name = args.get("setting_name") is_enabled = args.get("is_enabled") storage_account = args.get("storage_account") - response = update_atp( - resource_group_name, storage_account, setting_name, is_enabled - ) + response = client.update_atp(resource_group_name, storage_account, setting_name, is_enabled) outputs = { "ID": response.get("id"), "Name": response.get("name"), 
@@ -652,60 +682,20 @@ def update_atp_command(args): ec = { "AzureSecurityCenter.AdvancedThreatProtection(val.ID && val.ID === obj.ID)": outputs } - - demisto.results( - { - "Type": entryTypes["note"], - "Contents": response, - "ContentsFormat": formats["json"], - "ReadableContentsFormat": formats["markdown"], - "HumanReadable": md, - "EntryContext": ec, - } - ) - - -def update_atp(resource_group_name, storage_account, setting_name, is_enabled): - """Building query - - Args: - resource_group_name (str): Resource Group Name - storage_account (str): Storange Account - setting_name (str): Setting Name - is_enabled (str): true/false - - Returns: - dict: respones body - """ - cmd_url = ( - "/resourceGroups/{}/providers/Microsoft.Storage/storageAccounts/{}" - "/providers/Microsoft.Security/advancedThreatProtectionSettings/{}?api-version={}".format( - resource_group_name, storage_account, setting_name, ATP_API_VERSION - ) - ) - data = { - "id": "/subscriptions/{}/resourceGroups/{}/providers/Microsoft.Storage" - "/storageAccounts/{}/providers/Microsoft.Security/advancedThreatProtectionSettings/{}".format( - SUBSCRIPTION_ID, resource_group_name, storage_account, setting_name - ), - "name": setting_name, - "type": "Microsoft.Security/advancedThreatProtectionSettings", - "properties": {"is_enabled": is_enabled}, - } - response = http_request("PUT", cmd_url, body=data) - return response + return md, ec, response -def get_atp_command(args): +def get_atp_command(client: MsClient, args: dict): """Get given Advanced Threat Protection settings Args: + client: args (dict): usually demisto.args() """ resource_group_name = args.get("resource_group_name") setting_name = args.get("setting_name") storage_account = args.get("storage_account") - response = get_atp(resource_group_name, storage_account, setting_name) + response = client.get_atp(resource_group_name, storage_account, setting_name) outputs = { "ID": response.get("id"), "Name": response.get("name"), 
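Review bot: The removed `update_atp` sent the setting under `"is_enabled"` while the new `client.update_atp` sends `"isEnabled"`, so this refactor also changes the request body; that is worth a sentence in `update_atp_command`'s docstring, e.g. `is_enabled is forwarded as the raw argument string under the isEnabled property`. If the API expects a JSON boolean rather than the `true`/`false` string, convert before the call. `update_atp_command` starts in the previous hunk and `get_atp_command` continues past this one.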
@@ -722,37 +712,7 @@ def get_atp_command(args): ec = { "AzureSecurityCenter.AdvancedThreatProtection(val.ID && val.ID === obj.ID)": outputs } - demisto.results( - { - "Type": entryTypes["note"], - "Contents": response, - "ContentsFormat": formats["json"], - "ReadableContentsFormat": formats["markdown"], - "HumanReadable": md, - "EntryContext": ec, - } - ) - - -def get_atp(resource_group_name, storage_account, setting_name): - """Building query - - Args: - resource_group_name (str): Resource Group Name - storage_account (str): Storange Account - setting_name (str): Setting Name - - Returns: - - """ - cmd_url = ( - "/resourceGroups/{}/providers/Microsoft.Storage/storageAccounts" - "/{}/providers/Microsoft.Security/advancedThreatProtectionSettings/{}?api-version={}".format( - resource_group_name, storage_account, setting_name, ATP_API_VERSION - ) - ) - response = http_request("GET", cmd_url) - return response + return md, ec, response """ Advanced Threat Protection End """ @@ -760,21 +720,21 @@ def get_atp(resource_group_name, storage_account, setting_name): """ Auto Provisioning Settings Start """ -def update_aps_command(args): +def update_aps_command(client: MsClient, args: dict): """Updating Analytics Platform System Args: + client: args (dict): usually demisto.args() """ setting_name = args.get("setting_name") auto_provision = args.get("auto_provision") - setting = update_aps(setting_name, auto_provision) + setting = client.update_aps(setting_name, auto_provision) outputs = [ { "Name": setting.get("name"), "AutoProvision": setting["properties"]["auto_provision"] - if setting.get("properties") - and setting.get("properties").get("auto_provision") + if setting.get("properties") and setting.get("properties").get("auto_provision") else None, "ID": setting.get("id"), } 
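Review bot: The reformatted condition in `update_aps_command` still reads `setting.get("properties").get("auto_provision")` and indexes `setting["properties"]["auto_provision"]`, while the request body built by `client.update_aps` and the sibling `list_aps_command`/`get_aps_command` use the `autoProvision` key; if the service echoes `autoProvision`, the `AutoProvision` output here is always `None`. Using the same key in both places, `"AutoProvision": setting["properties"]["autoProvision"] if setting.get("properties") and setting.get("properties").get("autoProvision") else None,`, makes the three commands agree. update_aps_command continues past this hunk.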
@@ -789,49 +749,21 @@ def update_aps_command(args): ec = { "AzureSecurityCenter.AutoProvisioningSetting(val.ID && val.ID === obj.ID)": outputs } - entry = { - "Type": entryTypes["note"], - "Contents": setting, - "ContentsFormat": formats["json"], - "ReadableContentsFormat": formats["markdown"], - "HumanReadable": md, - "EntryContext": ec, - } - demisto.results(entry) - + return md, ec, setting -def update_aps(setting_name, auto_provision): - """Building query - Args: - setting_name (str): Setting name - auto_provision (str): Auto provision setting (On/Off) - - Returns: - dict: response body - """ - cmd_url = "/providers/Microsoft.Security/autoProvisioningSettings/{}?api-version={}".format( - setting_name, APS_API_VERSION - ) - data = {"properties": {"autoProvision": auto_provision}} - response = http_request("PUT", cmd_url, body=data) - return response - - -def list_aps_command(): +def list_aps_command(client: MsClient): """List all Analytics Platform System """ - settings = list_aps().get("value") + settings = client.list_aps().get("value") outputs = [] for setting in settings: outputs.append( { "Name": setting.get("name"), "AutoProvision": setting.get("properties").get("autoProvision") - if setting.get("properties") - and setting.get("properties").get("autoProvision") - else None, + if setting.get("properties") and setting.get("properties").get("autoProvision") else None, "ID": setting.get("id"), } ) 
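Review bot: `list_aps_command` iterates `settings = client.list_aps().get("value")` without a guard, so a response with no `value` key raises `TypeError` on the `for`, whereas `list_locations_command` checks `if locations:` first. `settings = client.list_aps().get("value", [])` (or the same `if settings:` guard) keeps the empty case from crashing the command. The function continues past this hunk.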
@@ -846,46 +778,23 @@ def list_aps_command(): ec = { "AzureSecurityCenter.AutoProvisioningSetting(val.ID && val.ID === obj.ID)": outputs } - - entry = { - "Type": entryTypes["note"], - "Contents": settings, - "ContentsFormat": formats["json"], - "ReadableContentsFormat": formats["markdown"], - "HumanReadable": md, - "EntryContext": ec, - } - demisto.results(entry) - - -def list_aps(): - """Build query - - Returns: - dict: response body - """ - cmd_url = "/providers/Microsoft.Security/autoProvisioningSettings?api-version={}".format( - APS_API_VERSION - ) - response = http_request("GET", cmd_url) - return response + return md, ec, settings -def get_aps_command(args): +def get_aps_command(client: MsClient, args: dict): """Get given Analytics Platform System setting Args: + client: args (dict): usually demisto.args() """ setting_name = args.get("setting_name") - setting = get_aps(setting_name) + setting = client.get_aps(setting_name) outputs = [ { "Name": setting.get("name"), "AutoProvision": setting.get("properties").get("autoProvision") - if setting.get("properties") - and setting.get("properties").get("autoProvision") - else None, + if setting.get("properties") and setting.get("properties").get("autoProvision") else None, "ID": setting["id"], } ] 
@@ -899,31 +808,7 @@ def get_aps_command(args): "AzureSecurityCenter.AutoProvisioningSetting(val.ID && val.ID === obj.ID)": outputs } - entry = { - "Type": entryTypes["note"], - "Contents": setting, - "ContentsFormat": formats["json"], - "ReadableContentsFormat": formats["markdown"], - "HumanReadable": md, - "EntryContext": ec, - } - demisto.results(entry) - - -def get_aps(setting_name): - """Build query - - Args: - setting_name: Setting name - - Returns: - dict: response body - """ - cmd_url = "/providers/Microsoft.Security/autoProvisioningSettings/{}?api-version={}".format( - setting_name, APS_API_VERSION - ) - response = http_request("GET", cmd_url) - return response + return md, ec, setting """ Auto Provisioning Settings End """ @@ -931,14 +816,16 @@ def get_aps(setting_name): """ Information Protection Policies Start """ -def list_ipp_command(args): +# Unsupported command. issue: issues/24583 +def list_ipp_command(client: MsClient, args: dict): """Listing all Internet Presence Provider Args: + client: args (dict): usually demisto.args() """ management_group = args.get("management_group") - policies = list_ipp(management_group).get("value") + policies = client.list_ipp(management_group).get("value") outputs = list() if policies: for policy in policies: @@ -963,9 +850,7 @@ def list_ipp_command(args): "Labels": label_names, "InformationTypeNames": information_type_names, "InformationTypes": policy.get("properties").get("informationTypes") - if policy.get("properties") - and policy.get("properties").get("informationTypes") - else None, + if policy.get("properties") and policy.get("properties").get("informationTypes") else None, "ID": policy["id"], } ) 
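Review bot: The new `# Unsupported command. issue: issues/24583` comment on `list_ipp_command` (and on `get_ipp_command` in the next hunk) does not say what is unsupported; the function still exists and is presumably still reachable from the command dispatcher outside this view. Expanding it to state whether the command is expected to fail against the current API, and why the code is retained, would save the next maintainer a trip to the issue tracker. list_ipp_command continues past this hunk.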
@@ -993,38 +878,16 @@ def list_ipp_command(args): demisto.results("No policies found") -def list_ipp(management_group=None): - """Building query - - Args: - management_group: Managment group to pull (if needed) - - Returns: - dict: response body - - """ - cmd_url = str() - scope_is_subscription = True - if management_group: - cmd_url += "/providers/Microsoft.Management/managementGroups/{}".format( - management_group - ) - scope_is_subscription = False - cmd_url += "/providers/Microsoft.Security/informationProtectionPolicies?api-version={}".format( - IPP_API_VERSION - ) - response = http_request("GET", cmd_url, add_subscription=scope_is_subscription) - return response - - -def get_ipp_command(args): +# Unsupported command. issue: issues/24583 +def get_ipp_command(client: MsClient, args: dict): """Getting Internet Presence Provider information Args: + client: args (dict): usually demisto.args() """ policy_name = args.get("policy_name") management_group = args.get("management_group") - policy = get_ipp(policy_name, management_group) + policy = client.get_ipp(policy_name, management_group) properties = policy.get("properties") labels = properties.get("labels") if properties and isinstance(labels, dict): @@ -1062,15 +925,8 @@ def get_ipp_command(args): info_type_table_output = list() for information_type_data in properties.get("informationTypes").values(): keywords = ", ".join( - [ - ( - str(keyword.get("displayName")) - + str(keyword.get("custom")) - + str(keyword.get("canBeNumeric")) - ) - for keyword in information_type_data.get("keywords") - ] - ) + [(str(keyword.get("displayName")) + str(keyword.get("custom")) + str(keyword.get("canBeNumeric"))) + for keyword in information_type_data.get("keywords", [])]) info_type_table_output.append( { "DisplayName": information_type_data.get("displayname"), 
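Review bot: In get_ipp_command, `labels = properties.get("labels")` runs before the `if properties and isinstance(labels, dict)` guard, so a policy without a properties block raises AttributeError instead of reaching the "No properties found" message further down. Changing the first line to `properties = policy.get("properties") or {}` makes the guard effective. The new `information_type_data.get("keywords", [])` default in the second hunk follows the same idea; `properties.get("informationTypes").values()` on the line above it would benefit from the same treatment unless it is already guarded outside this view. Both hunks sit inside get_ipp_command, whose body continues beyond the hunk.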
@@ -1098,44 +954,21 @@ def get_ipp_command(args): demisto.results("No properties found in {}".format(management_group)) -def get_ipp(policy_name, management_group): - """Building query - - Args: - policy_name (str): Policy name - management_group (str): Managment group - - Returns: - dict: respone body - """ - cmd_url = "" - score_is_subscription = True - if management_group: - cmd_url += "/providers/Microsoft.Management/managementGroups/{}".format( - management_group - ) - score_is_subscription = False - cmd_url += "/providers/Microsoft.Security/informationProtectionPolicies/{}?api-version={}".format( - policy_name, IPP_API_VERSION - ) - response = http_request("GET", cmd_url, add_subscription=score_is_subscription) - return response - - """ Information Protection Policies End """ """ Jit Network Access Policies Start """ -def list_jit_command(args): +def list_jit_command(client: MsClient, args: dict): """Lists all Just-in-time Virtual Machines Args: + client: args (dict): usually demisto.args() """ asc_location = args.get("asc_location") resource_group_name = args.get("resource_group_name") - policies = list_jit(asc_location, resource_group_name)["value"] + policies = client.list_jit(asc_location, resource_group_name)["value"] outputs = [] for policy in policies: # summarize rules in (VMName: allowPort,...) format 
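Review bot: list_jit_command indexes the response with `client.list_jit(asc_location, resource_group_name)["value"]`, so a response without a `value` key surfaces as a bare KeyError via return_error, while the sibling list commands (list_ipp_command, list_sc_storage_command) use `.get("value")`. `policies = client.list_jit(asc_location, resource_group_name).get("value") or []` yields an empty table instead of a traceback and matches the rest of the file. The function continues past the end of this hunk.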
@@ -1170,49 +1003,21 @@ def list_jit_command(args): removeNull=True, ) ec = {"AzureSecurityCenter.JITPolicy(val.ID && val.ID === obj.ID)": outputs} - entry = { - "Type": entryTypes["note"], - "Contents": policies, - "ContentsFormat": formats["json"], - "ReadableContentsFormat": formats["markdown"], - "HumanReadable": md, - "EntryContext": ec, - } - demisto.results(entry) - + return md, ec, policies -def list_jit(asc_location, resource_group_name): - """Building query - Args: - asc_location: Machine location - resource_group_name: Resource group name - - Returns: - dict: response body - """ - cmd_url = "" - if resource_group_name: - cmd_url += "/resourceGroups/{}".format(resource_group_name) - if asc_location: - cmd_url += "/providers/Microsoft.Security/locations/{}".format(asc_location) - cmd_url += "/providers/Microsoft.Security/jitNetworkAccessPolicies?api-version={}".format( - JIT_API_VERSION - ) - response = http_request("GET", cmd_url) - return response - - -def get_jit_command(args): +# Unsupported command. issue: issues/24583 +def get_jit_command(client: MsClient, args: dict): """Getting given Just-in-time machine Args: + client: args (dict): usually demisto.args() """ policy_name = args.get("policy_name") asc_location = args.get("asc_location") resource_group_name = args.get("resource_group_name") - policy = get_jit(policy_name, asc_location, resource_group_name) + policy = client.get_jit(policy_name, asc_location, resource_group_name) # Property table property_table_output = [ 
@@ -1220,16 +1025,12 @@ def get_jit_command(args): "Name": policy.get("name"), "Kind": policy.get("kind"), "ProvisioningState": policy.get("properties").get("provisioningState") - if policy.get("properties") - and policy.get("properties").get("provisioningState") - else None, + if policy.get("properties") and policy.get("properties", {}).get("provisioningState") else None, "Location": policy.get("location"), "Rules": policy.get("properties").get("virtualMachines") - if policy.get("properties") - and policy.get("properties").get("virtualMachines") - else None, + if policy.get("properties") and policy.get("properties", {}).get("virtualMachines") else None, "Requests": policy.get("properties").get("requests") - if policy.get("properties") and policy.get("properties").get("requests") + if policy.get("properties") and policy.get("properties", {}).get("requests") else None, "ID": policy.get("id"), } @@ -1315,28 +1116,8 @@ def get_jit_command(args): demisto.results([property_table_entry, rules_table_entry, requests_table_entry]) -def get_jit(policy_name, asc_location, resource_group_name): - """Building query - - Args: - policy_name: Policy name - asc_location: Machine location - resource_group_name: Resource name group - - Returns: - dict: response body - """ - cmd_url = ( - "/resourceGroups/{}/providers/Microsoft.Security/locations/{}/jitNetworkAccessPolicies/" - "{}?api-version={}".format( - resource_group_name, asc_location, policy_name, JIT_API_VERSION - ) - ) - response = http_request("GET", cmd_url) - return response - - -def initiate_jit_command(args): +# Unsupported command. issue: issues/24583 +def initiate_jit_command(client: MsClient, args: dict): resource_group_name = args.get("resource_group_name") asc_location = args.get("asc_location") policy_name = args.get("policy_name") 
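Review bot: The three rewritten conditionals in get_jit_command add a `{}` default only inside the guard (`policy.get("properties", {}).get(...)`), where it can never apply because `policy.get("properties")` has just been checked to be truthy, while the value branch keeps the unguarded `policy.get("properties").get(...)`. Binding `properties = policy.get("properties") or {}` once above the list and writing `"ProvisioningState": properties.get("provisioningState"),` for each of the three fields removes the repetition; the only behavioural difference is that an empty-string value is no longer coerced to None. In the second hunk, initiate_jit_command is the only command here with no docstring at all; a short one naming the args it reads (`resource_group_name`, `asc_location`, `policy_name`, `vm_id`, `port`, `source_address`, `duration`) would bring it in line with its neighbours. get_jit_command's body continues outside the first hunk.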
@@ -1344,7 +1125,7 @@ def initiate_jit_command(args):
port = args.get("port")
source_address = args.get("source_address")
duration = args.get("duration")
- response = initiate_jit(
+ response = client.initiate_jit(
resource_group_name,
asc_location,
policy_name,
@@ -1353,12 +1134,8 @@ def initiate_jit_command(args):
source_address,
duration,
)
- policy_id = (
- "/subscriptions/{}/resourceGroups/{}/providers/"
- "Microsoft.Security/locations/{}/jitNetworkAccessPolicies/{}".format(
- SUBSCRIPTION_ID, resource_group_name, asc_location, policy_name
- )
- )
+ policy_id = f"/subscriptions/{client.subscription_id}/resourceGroups/{resource_group_name}/providers/" \
+ f"Microsoft.Security/locations/{asc_location}/jitNetworkAccessPolicies/{policy_name}"
virtual_machines = response.get("virtualMachines")
if virtual_machines and len(virtual_machines) > 0:
machine = virtual_machines[0]
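Review bot: initiate_jit_command forwards `port`, `source_address` and `duration` to `client.initiate_jit` exactly as received from args, and the removed `initiate_jit` body in the next hunk shows them going into the request as `number`, `allowedSourceAddressPrefix` and `duration` with no type check. Since this request opens a JIT network path, failing early on a non-numeric port (`port = int(args.get("port"))` gives a clear ValueError) and documenting the expected form of `source_address` and the unit of `duration` (the removed docstring said only `Time in`) would be worthwhile, unless `MsClient.initiate_jit`, which is not in this diff, already validates them. The `policy_id` f-string is built from these same args; it is only emitted as context output here. The function starts before this hunk and continues after it.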
@@ -1407,71 +1184,21 @@ def initiate_jit_command(args):
)
-def initiate_jit(
- resource_group_name,
- asc_location,
- policy_name,
- vm_id,
- port,
- source_address,
- duration,
-):
- """Starting new Just-in-time machine
-
- Args:
- resource_group_name: Resource group name
- asc_location: Machine location
- policy_name: Policy name
- vm_id: Virtual Machine ID
- port: ports to be used
- source_address: Source address
- duration: Time in
-
- Returns:
- dict: response body
- """
- cmd_url = (
- "/resourceGroups/{}/providers/Microsoft.Security/"
- "locations/{}/jitNetworkAccessPolicies/{}/initiate?api-version={}".format(
- resource_group_name, asc_location, policy_name, JIT_API_VERSION
- )
- )
- # only supports init access for one vm and one port now
- data = {
- "virtualMachines": [
- {
- "ID": vm_id,
- "ports": [
- {
- "number": port,
- "duration": duration,
- "allowedSourceAddressPrefix": source_address,
- }
- ],
- }
- ]
- }
- response = http_request("POST", cmd_url, body=data)
- return response
-
-
-def delete_jit_command(args):
+# Unsupported command. issue: issues/24583
+def delete_jit_command(client: MsClient, args: dict):
"""Deletes a Just-in-time machine
Args:
+ client:
args (dict): usually demisto.args()
"""
asc_location = args.get("asc_location")
resource_group_name = args.get("resource_group_name")
policy_name = args.get("policy_name")
- delete_jit(asc_location, resource_group_name, policy_name)
+ client.delete_jit(asc_location, resource_group_name, policy_name)
- policy_id = (
- "/subscriptions/{}/resourceGroups/"
- "{}/providers/Microsoft.Security/locations/{}/jitNetworkAccessPolicies/{}".format(
- SUBSCRIPTION_ID, resource_group_name, asc_location, policy_name
- )
- )
+ policy_id = f"/subscriptions/{client.subscription_id}/resourceGroups/{resource_group_name}/providers/" \
+ f"Microsoft.Security/locations/{asc_location}/jitNetworkAccessPolicies/{policy_name}"
outputs = {"ID": policy_id, "Action": "deleted"}
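Review bot: The two-line `policy_id` f-string added in delete_jit_command is byte-for-byte the one added in initiate_jit_command in the previous hunk, so the resource-ID layout now lives in two places that must be kept in step. A module-level helper removes the duplication: `def _jit_policy_id(client, resource_group_name, asc_location, policy_name):` returning `f"/subscriptions/{client.subscription_id}/resourceGroups/{resource_group_name}/providers/Microsoft.Security/locations/{asc_location}/jitNetworkAccessPolicies/{policy_name}"`, with `policy_id = _jit_policy_id(client, resource_group_name, asc_location, policy_name)` at both call sites. delete_jit_command's remaining lines are past the end of this hunk.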
@@ -1486,39 +1213,21 @@ def delete_jit_command(args):
)
-def delete_jit(asc_location, resource_group_name, policy_name):
- """Building query
-
- Args:
- asc_location: Machine location
- resource_group_name: Resource group name
- policy_name: Policy name
- """
- cmd_url = (
- "/resourceGroups/{}/providers/Microsoft.Security/"
- "locations/{}/jitNetworkAccessPolicies/{}?api-version={}"
- "".format(resource_group_name, asc_location, policy_name, JIT_API_VERSION)
- )
- http_request("DELETE", cmd_url)
-
-
""" Jit Network Access Policies End """
""" Storage Start """
# Add this command to security center integration because ATP-related command requires storage account info
-def list_sc_storage_command():
+def list_sc_storage_command(client: MsClient):
"""Listing all Security Center Storages
"""
- accounts = list_sc_storage().get("value")
+ accounts = client.list_sc_storage().get("value")
outputs = list()
for account in accounts:
account_id_array = account.get("id", str()).split("/")
- resource_group_name = account_id_array[
- account_id_array.index("resourceGroups") + 1
- ]
+ resource_group_name = account_id_array[account_id_array.index("resourceGroups") + 1]
outputs.append(
{
"Name": account.get("name"),
@@ -1535,29 +1244,7 @@ def list_sc_storage_command():
)
ec = {"AzureSecurityCenter.Storage(val.ID && val.ID === obj.ID)": outputs}
- entry = {
- "Type": entryTypes["note"],
- "Contents": accounts,
- "ContentsFormat": formats["json"],
- "ReadableContentsFormat": formats["markdown"],
- "HumanReadable": md,
- "EntryContext": ec,
- }
- demisto.results(entry)
-
-
-def list_sc_storage():
- """Building query
-
- Returns:
- dict: response body
-
- """
- cmd_url = "/providers/Microsoft.Storage/storageAccounts?api-version={}".format(
- STORAGE_API_VERSION
- )
- response = http_request("GET", cmd_url)
- return response
+ return md, ec, accounts
""" Storage End """
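Review bot: In list_sc_storage_command the condensed line `resource_group_name = account_id_array[account_id_array.index("resourceGroups") + 1]` raises ValueError for any account whose id lacks a `resourceGroups` segment and aborts the whole listing, and `accounts = client.list_sc_storage().get("value")` hands `for account in accounts` a None when the key is absent. Guarding both, `accounts = client.list_sc_storage().get("value") or []` and `resource_group_name = account_id_array[account_id_array.index("resourceGroups") + 1] if "resourceGroups" in account_id_array else None`, stops one malformed id from hiding the rest. list_sc_subscriptions_command in the next hunk has the same unguarded `.get("value")`. The first hunk's function body continues past its end.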
@@ -1565,11 +1252,11 @@ def list_sc_storage():
""" Subscriptions Start """
-def list_sc_subscriptions_command():
+def list_sc_subscriptions_command(client: MsClient):
"""Listing Subscriptions for this application
"""
- subscriptions = list_sc_subscriptions().get("value")
+ subscriptions = client.list_sc_subscriptions().get("value")
outputs = list()
for sub in subscriptions:
outputs.append(
@@ -1587,80 +1274,78 @@ def list_sc_subscriptions_command():
)
ec = {"Azure.Subscription(val.ID && val.ID === obj.ID)": outputs}
- entry = {
- "Type": entryTypes["note"],
- "Contents": subscriptions,
- "ContentsFormat": formats["json"],
- "ReadableContentsFormat": formats["markdown"],
- "HumanReadable": md,
- "EntryContext": ec,
- }
- demisto.results(entry)
-
-
-def list_sc_subscriptions():
- """Building query
-
- Returns:
- dict: response body
-
- """
- cmd_url = "/subscriptions?api-version={}".format(
- SUBSCRIPTION_API_VERSION
- )
- response = http_request("GET", cmd_url, add_subscription=False)
- return response
+ return md, ec, subscriptions
""" Subscriptions end """
-""" Functions start """
-try:
- handle_proxy()
-
- if not SUBSCRIPTION_ID:
- return_error("A subscription ID must be provided.")
-
- if demisto.command() == "test-module":
- # If the command will fail, error will be thrown from the request itself
- list_locations()
- demisto.results("ok")
- elif demisto.command() == "azure-sc-get-alert":
- get_alert_command(demisto.args())
- elif demisto.command() == "azure-sc-list-alert":
- list_alerts_command(demisto.args())
- elif demisto.command() == "azure-sc-update-alert":
- update_alert_command(demisto.args())
- elif demisto.command() == "azure-sc-list-location":
- list_locations_command()
- elif demisto.command() == "azure-sc-update-atp":
- update_atp_command(demisto.args())
- elif demisto.command() == "azure-sc-get-atp":
- get_atp_command(demisto.args())
- elif demisto.command() == "azure-sc-update-aps":
- update_aps_command(demisto.args())
- elif demisto.command() == "azure-sc-list-aps":
- list_aps_command()
- elif demisto.command() == "azure-sc-get-aps":
- get_aps_command(demisto.args())
- elif demisto.command() == "azure-sc-list-ipp":
- list_ipp_command(demisto.args())
- elif demisto.command() == "azure-sc-get-ipp":
- get_ipp_command(demisto.args())
- elif demisto.command() == "azure-sc-list-jit":
- list_jit_command(demisto.args())
- elif demisto.command() == "azure-sc-get-jit":
- get_jit_command(demisto.args())
- elif demisto.command() == "azure-sc-initiate-jit":
- initiate_jit_command(demisto.args())
- elif demisto.command() == "azure-sc-delete-jit":
- delete_jit_command(demisto.args())
- elif demisto.command() == "azure-sc-list-storage":
- list_sc_storage_command()
- elif demisto.command() == "azure-list-subscriptions":
- list_sc_subscriptions_command()
-except Exception as e:
- LOG(str(e))
- LOG.print_log()
- return_error(str(e))
+def main():
+ params: dict = demisto.params()
+ server = params.get('server_url', '').rstrip('/') + '/'
+ tenant = params.get('tenant_id')
+ auth_and_token_url = params.get('auth_id', '')
+ enc_key = params.get('enc_key')
+ use_ssl = not params.get('unsecure', False)
+ self_deployed: bool = params.get('self_deployed', False)
+ proxy = params.get('proxy', False)
+ subscription_id = demisto.args().get("subscription_id") or params.get("default_sub_id")
+ ok_codes = (200, 201, 202, 204)
+
+ try:
+ if not subscription_id:
+ raise Exception("A subscription ID must be provided.")
+
+ client = MsClient(tenant_id=tenant, auth_id=auth_and_token_url, enc_key=enc_key, app_name=APP_NAME, proxy=proxy,
+ server=server, verify=use_ssl, self_deployed=self_deployed, subscription_id=subscription_id,
+ ok_codes=ok_codes)
+
+ if demisto.command() == "test-module":
+ # If the command will fail, error will be thrown from the request itself
+ client.list_locations()
+ demisto.results("ok")
+ elif demisto.command() == "azure-sc-get-alert":
+ get_alert_command(client, demisto.args())
+ elif demisto.command() == "azure-sc-list-alert":
+ return_outputs(*list_alerts_command(client, demisto.args()))
+ elif demisto.command() == "azure-sc-update-alert":
+ return_outputs(*update_alert_command(client, demisto.args()))
+ elif demisto.command() == "azure-sc-list-location":
+ return_outputs(*list_locations_command(client))
+ elif demisto.command() == "azure-sc-update-atp":
+ return_outputs(*update_atp_command(client, demisto.args()))
+ elif demisto.command() == "azure-sc-get-atp":
+ return_outputs(*get_atp_command(client, demisto.args()))
+ elif demisto.command() == "azure-sc-update-aps":
+ return_outputs(*update_aps_command(client, demisto.args()))
+ elif demisto.command() == "azure-sc-list-aps":
+ return_outputs(*list_aps_command(client))
+ elif demisto.command() == "azure-sc-get-aps":
+ return_outputs(*get_aps_command(client, demisto.args()))
+ elif demisto.command() == "azure-sc-list-ipp":
+ list_ipp_command(client, demisto.args())
+ elif demisto.command() == "azure-sc-get-ipp":
+ get_ipp_command(client, demisto.args())
+ elif demisto.command() == "azure-sc-list-jit":
+ return_outputs(*list_jit_command(client, demisto.args()))
+ elif demisto.command() == "azure-sc-get-jit":
+ get_jit_command(client, demisto.args())
+ elif demisto.command() == "azure-sc-initiate-jit":
+ initiate_jit_command(client, demisto.args())
+ elif demisto.command() == "azure-sc-delete-jit":
+ delete_jit_command(client, demisto.args())
+ elif demisto.command() == "azure-sc-list-storage":
+ return_outputs(*list_sc_storage_command(client))
+ elif demisto.command() == "azure-list-subscriptions":
+ return_outputs(*list_sc_subscriptions_command(client))
+
+ except Exception as err:
+ LOG(str(err))
+ LOG.print_log()
+ return_error(str(err))
+
+
+from MicrosoftApiModule import * # noqa: E402
+
+if __name__ in ['__main__', 'builtin', 'builtins']:
+ main()
diff --git a/Packs/AzureSecurityCenter/Integrations/AzureSecurityCenter_v2/AzureSecurityCenter_v2.yml b/Packs/AzureSecurityCenter/Integrations/AzureSecurityCenter_v2/AzureSecurityCenter_v2.yml
index 21d934313b2a..ef7a293fe95e 100644
--- a/Packs/AzureSecurityCenter/Integrations/AzureSecurityCenter_v2/AzureSecurityCenter_v2.yml
+++ b/Packs/AzureSecurityCenter/Integrations/AzureSecurityCenter_v2/AzureSecurityCenter_v2.yml
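Review bot: In main(), `auth_and_token_url = params.get('auth_id', '')` names the value as a URL although it is the `auth_id` parameter handed to `MsClient(auth_id=...)`, which will mislead the next reader; `auth_id = params.get('auth_id', '')` matches the keyword it feeds. The missing-subscription check raises a bare `Exception`, which the `except Exception` below turns into return_error anyway, but a specific type such as `raise ValueError("A subscription ID must be provided.")` (or DemistoException, if CommonServerPython's is in scope) is the conventional, catchable choice. `server = params.get('server_url', '').rstrip('/') + '/'` silently degrades to `/` when the parameter is unset, so validating `server_url` next to the subscription check would give an actionable error instead of a failed request. The dispatch table still routes `azure-sc-list-ipp`, `azure-sc-get-ipp`, `azure-sc-get-jit`, `azure-sc-initiate-jit` and `azure-sc-delete-jit` to functions the patch marks as unsupported; the comments on those functions or this table should agree.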
@@ -33,6 +33,10 @@ configuration: name: proxy required: false type: 8 +- display: Use a self-deployed Azure Application + name: self_deployed + required: false + type: 8 description: Unified security management and advanced threat protection across hybrid cloud workloads. display: Azure Security Center v2 @@ -103,6 +107,48 @@ script: - contextPath: AzureSecurityCenter.Alert.ID description: The alert ID. type: string + - arguments: + - default: false + description: The name of the resource group within the user's subscription. + The name is case insensitive. + isArray: false + name: resource_group_name + required: false + secret: false + - default: false + description: The location where Azure Security Center stores the data of the + subscription. Run the 'azure-sc-list-location' command to get the ascLocation. + This command requires the resourceGroupName argument. + isArray: false + name: asc_location + required: true + secret: false + - default: false + description: The alert ID. + isArray: false + name: alert_id + required: true + secret: false + - default: false + description: The update action type. + isArray: false + name: alert_update_action_type + required: true + auto: PREDEFINED + predefined: + - dismiss +# - reactivate + deprecated: false + description: Update an alert's state. + execution: false + name: azure-sc-update-alert + outputs: + - contextPath: AzureSecurityCenter.Alert.ActionTaken + description: The action that was taken on the alert. + type: string + - contextPath: AzureSecurityCenter.Alert.ID + description: The alert ID. + type: string - arguments: - default: false description: Resource group name @@ -373,7 +419,7 @@ script: For each subscription there is only one responsible location. execution: false name: azure-sc-list-location - dockerimage: demisto/crypto:1.0.0.4187 + dockerimage: demisto/crypto:1.0.0.8854 isfetch: false longRunning: false longRunningPort: false 
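Review bot: In the new `azure-sc-update-alert` argument list, the `asc_location` description ends with "This command requires the resourceGroupName argument." while `resource_group_name` two entries above is declared `required: false`, so either the flag or the sentence is wrong; if the request needs it, set `required: true` on `resource_group_name`, and the sentence should use the argument's actual name `resource_group_name` rather than `resourceGroupName`. The `# - reactivate` left inside `predefined:` is a YAML comment, so the UI offers only `dismiss`; either drop the dead markup or extend the command description to `Update an alert's state. Only the dismiss action is currently supported.` so the limitation is visible where users read it. The `self_deployed` parameter in the first hunk and the dockerimage bump in the last need no change.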
diff --git a/Packs/AzureSecurityCenter/Integrations/AzureSecurityCenter_v2/AzureSecurityCenter_v2_test.py b/Packs/AzureSecurityCenter/Integrations/AzureSecurityCenter_v2/AzureSecurityCenter_v2_test.py
new file mode 100644
index 000000000000..a82a4d90f1cd
--- /dev/null
+++ b/Packs/AzureSecurityCenter/Integrations/AzureSecurityCenter_v2/AzureSecurityCenter_v2_test.py
@@ -0,0 +1,63 @@ +from AzureSecurityCenter_v2 import MsClient, get_atp_command, get_aps_command, update_atp_command + + +# get atp command data +GET_ATP_COMMAND_RAW_RESPONSE = {'properties': {'isEnabled': False}, + 'id': '/subscriptions/subscription_id/resourceGroups/resource_group' + '/providers/Microsoft.Storage/storageAccounts/storage_account/providers' + '/Microsoft.Security/advancedThreatProtectionSettings/current', + 'name': 'current', 'type': 'Microsoft.Security/advancedThreatProtectionSettings'} +EXPECTED_GET_ATP_COMMAND_CONTEXT = {'AzureSecurityCenter.AdvancedThreatProtection(val.ID && val.ID === obj.ID)': { + 'ID': '/subscriptions/subscription_id/resourceGroups/resource_group/providers/Microsoft.Storage' + '/storageAccounts/storage_account/providers/Microsoft.Security/advancedThreatProtectionSettings/current', + 'Name': 'current', 'IsEnabled': None}} + +# get aps command data +GET_APS_RAW_RESPONSE = { + 'id': '/subscriptions/subscription_id/providers/Microsoft.Security/autoProvisioningSettings/default', + 'name': 'default', 'type': 'Microsoft.Security/autoProvisioningSettings', 'properties': {'autoProvision': 'Off'}} + +EXPECTED_GET_APS_CONTEXT = {'AzureSecurityCenter.AutoProvisioningSetting(val.ID && val.ID === obj.ID)': [ + {'Name': 'default', 'AutoProvision': 'Off', + 'ID': '/subscriptions/subscription_id/providers/Microsoft.Security/autoProvisioningSettings/default'}]} + +# Update atp command data +UPDATE_ATP_RAW = {'properties': {'isEnabled': True}, + 'id': '/subscriptions/subscription_id/resourceGroups/cloud-shell-storage-eastus/providers/Microsoft' + '.Storage/storageAccounts/storage_account/providers/Microsoft.Security' + '/advancedThreatProtectionSettings/current', + 'name': 'current', 'type': 'Microsoft.Security/advancedThreatProtectionSettings'} + +EXPECTED_UPDATE_ATP_CONTEXT = {'AzureSecurityCenter.AdvancedThreatProtection(val.ID && val.ID === obj.ID)': { + 'ID': 
'/subscriptions/subscription_id/resourceGroups/cloud-shell-storage-eastus/providers/Microsoft.Storage' + '/storageAccounts/storage_account/providers/Microsoft.Security/advancedThreatProtectionSettings/current', + 'Name': 'current', 'IsEnabled': None}} +client = MsClient( + server="url", tenant_id="tenant", auth_id="auth_id", enc_key="enc_key", app_name="APP_NAME", verify="verify", + proxy="proxy", self_deployed="self_deployed", subscription_id="subscription_id", ok_codes=(1, 3)) + + +def test_get_atp_command(mocker): + mocker.patch.object(client, 'get_atp', return_value=GET_ATP_COMMAND_RAW_RESPONSE) + args = {"resource_group_name": 'test', + "setting_name": 'test', + "storage_account": 'test'} + _, ec, _ = get_atp_command(client, args) + assert EXPECTED_GET_ATP_COMMAND_CONTEXT == ec + + +def test_update_atp_command(mocker): + mocker.patch.object(client, 'update_atp', return_value=UPDATE_ATP_RAW) + args = {"resource_group_name": "test", + "setting_name": "test", + "is_enabled": "test", + "storage_account": "test"} + _, ec, _ = update_atp_command(client, args) + assert EXPECTED_UPDATE_ATP_CONTEXT == ec + + +def test_get_aps_command(mocker): + mocker.patch.object(client, 'get_aps', return_value=GET_APS_RAW_RESPONSE) + args = {"setting_name": 'test'} + _, ec, _ = get_aps_command(client, args) + assert EXPECTED_GET_APS_CONTEXT == ec diff --git a/Packs/AzureSecurityCenter/Integrations/AzureSecurityCenter_v2/CHANGELOG.md b/Packs/AzureSecurityCenter/Integrations/AzureSecurityCenter_v2/CHANGELOG.md index 80f22f27e465..56fd26e472d4 100644 --- a/Packs/AzureSecurityCenter/Integrations/AzureSecurityCenter_v2/CHANGELOG.md +++ b/Packs/AzureSecurityCenter/Integrations/AzureSecurityCenter_v2/CHANGELOG.md @@ -1,5 +1,5 @@ ## [Unreleased] -- +Added support to authenticate using a self-deployed Azure application. ## [20.4.0] - 2020-04-14 
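Review bot: EXPECTED_GET_ATP_COMMAND_CONTEXT and EXPECTED_UPDATE_ATP_CONTEXT both pin `'IsEnabled': None` even though the mocked responses carry `'isEnabled': False` and `'isEnabled': True` respectively, so a test that expects the same output for both input values cannot catch a broken mapping; get_atp_command and update_atp_command are not in this diff, so it is unclear whether None is intended. Either the True case should expect `True` and a comment should explain why False collapses to None, or a comment beside the constants should state that the command reads a field other than `properties.isEnabled`. The module-level `client` is built from placeholder strings (`verify="verify"`, `proxy="proxy"`, `ok_codes=(1, 3)`) and only works because each test patches the client method it calls; a one-line comment saying so, `# placeholder credentials: every network call is patched in the tests below`, would spare the next reader a false alarm.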
diff --git a/Packs/AzureSecurityCenter/Integrations/AzureSecurityCenter_v2/README.md b/Packs/AzureSecurityCenter/Integrations/AzureSecurityCenter_v2/README.md index b4d35ce90531..0ebb4c056283 100644 --- a/Packs/AzureSecurityCenter/Integrations/AzureSecurityCenter_v2/README.md +++ b/Packs/AzureSecurityCenter/Integrations/AzureSecurityCenter_v2/README.md @@ -1,11 +1,8 @@ -

Unified security management and advanced threat protection across hybrid cloud workloads. -

Use Case

With Security Center, you can apply security policies across your workloads, limit your exposure to threats, and detect and respond to attacks.

Detailed Description

-
  • To allow us access to Azure Security Center, an admin has to approve our app using an admin consent flow, by clicking on the following [link](https://oproxy.demisto.ninja/ms-azure-sc).
  • After authorizing the Demisto app, you will get an ID, Token, and Key, which should be inserted in the integration instance configuration's corresponding fields. After giving consent, the application has to have a role assigned so it can access the relevant resources per subscription.
  • In order to assign a role to the application after consent was given: @@ -13,7 +10,7 @@ With Security Center, you can apply security policies across your workloads, lim
  • Go to the Azure Portal UI.
  • Go to Subscriptions, and then Access Control (IAM).
  • Click Add.
  • -
  • Select a role that includes the following permissions:
  • +
  • Select a role that includes the following permissions:
    • Microsoft.Security/locations/read
    • Microsoft.Security/alerts/read
    • @@ -24,7 +21,7 @@ With Security Center, you can apply security policies across your workloads, lim
    • Microsoft.Security/informationProtectionPolicies/read
    • Microsoft.Security/locations/jitNetworkAccessPolicies/*
    • Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action
    • -
    +
  • Select the Azure Secruity Center application.
  • @@ -50,6 +47,14 @@ With Security Center, you can apply security policies across your workloads, lim Click Test to validate the new instance. + +

    Use a Self-Deployed Azure Application

    +

    To use a self-configured Azure application, a need to add a new Azure App Registration in the Azure Portal. To add the registration refer to the +Microsoft documentation

    +

    The Tenant ID, Client ID, and Client secret are required for the integration. When you configure the integration in Demisto enter those parameters in the appropriate fields (instead of how you received them from the admin consent in the current doc).

    ID - Client ID
    +Token - Tenant ID
    +Key - Client Secret

    +

    Commands

    You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. @@ -231,7 +236,6 @@ With Security Center, you can apply security policies across your workloads, lim image --> -

    2. azure-sc-update-atp


    @@ -510,8 +514,8 @@ With Security Center, you can apply security policies across your workloads, lim ] } +
    Human Readable Output
    -

    Azure Security Center - Update Auto Provisioning Setting

    @@ -533,7 +537,6 @@ With Security Center, you can apply security policies across your workloads, lim image --> -

    5. azure-sc-get-aps


    @@ -625,7 +628,6 @@ With Security Center, you can apply security policies across your workloads, lim }
    Human Readable Output
    -

    Azure Security Center - Get Auto Provisioning Setting

    @@ -649,7 +651,6 @@ With Security Center, you can apply security policies across your workloads, lim image --> -

    6. azure-sc-list-aps


    @@ -736,7 +737,6 @@ With Security Center, you can apply security policies across your workloads, lim }
    Human Readable Output
    -

    Azure Security Center - List Auto Provisioning Settings

    @@ -760,7 +760,6 @@ With Security Center, you can apply security policies across your workloads, lim image --> -

    7. azure-sc-list-jit


    @@ -854,7 +853,6 @@ With Security Center, you can apply security policies across your workloads, lim image --> -

    8. azure-sc-list-storage


    @@ -942,7 +940,6 @@ With Security Center, you can apply security policies across your workloads, lim }
    Human Readable Output
    -

    Azure Security Center - List Storage Accounts

    @@ -976,7 +973,6 @@ With Security Center, you can apply security policies across your workloads, lim image --> -

    9. azure-list-subscriptions


    @@ -1041,7 +1037,6 @@ There are no input arguments for this command. }
    Human Readable Output
    -

    Azure Security Center - Subscriptions

    @@ -1083,7 +1078,6 @@ There are no input arguments for this command. image --> -

    10. azure-sc-list-location


    @@ -1116,7 +1110,6 @@ There are no context output for this command. }
    Human Readable Output
    -

    Azure Security Center - List Locations

    @@ -1140,6 +1133,5 @@ There are no context output for this command. image --> -

    Additional Information

    For more information regarding roles, see the microsoft documentation. \ No newline at end of file diff --git a/Packs/AzureSecurityCenter/ReleaseNotes/1_0_1.md b/Packs/AzureSecurityCenter/ReleaseNotes/1_0_1.md new file mode 100644 index 000000000000..8fb69a7c014c --- /dev/null +++ b/Packs/AzureSecurityCenter/ReleaseNotes/1_0_1.md @@ -0,0 +1,7 @@ + +#### Integrations +##### Azure Security Center v2 +- Added support to authenticate using a self-deployed Azure application. +- Fixed an issue where the ***azure-sc-update-atp*** command failed due to an incorrect parameter being passed in the request body. + + diff --git a/Packs/AzureSecurityCenter/TestPlaybooks/playbook-AzureSCTestPlaybook.yml b/Packs/AzureSecurityCenter/TestPlaybooks/playbook-AzureSCTestPlaybook.yml index 7e128584e4d2..ce4ac0d44eb7 100644 --- a/Packs/AzureSecurityCenter/TestPlaybooks/playbook-AzureSCTestPlaybook.yml +++ b/Packs/AzureSecurityCenter/TestPlaybooks/playbook-AzureSCTestPlaybook.yml @@ -14,6 +14,7 @@ tasks: name: "" iscommand: false brand: "" + description: '' nexttasks: '#none#': - "1" @@ -281,4 +282,4 @@ view: |- } } inputs: [] -outputs: [] +outputs: [] \ No newline at end of file diff --git a/Packs/AzureSecurityCenter/pack_metadata.json b/Packs/AzureSecurityCenter/pack_metadata.json index afe9b9c314e1..a5ef3f177015 100644 --- a/Packs/AzureSecurityCenter/pack_metadata.json +++ b/Packs/AzureSecurityCenter/pack_metadata.json 
@@ -1,16 +1,16 @@
{
- "name": "Azure Security Center",
- "description": "Unified security management and advanced threat protection across hybrid cloud workloads.",
- "support": "xsoar",
- "currentVersion": "1.0.0",
- "author": "Cortex XSOAR",
- "url": "https://www.paloaltonetworks.com/cortex",
- "email": "",
- "created": "2020-04-14T00:00:00Z",
- "categories": [
- "Analytics & SIEM"
- ],
- "tags": [],
- "useCases": [],
- "keywords": []
-}
+ "name": "Azure Security Center",
+ "description": "Unified security management and advanced threat protection across hybrid cloud workloads.",
+ "support": "xsoar",
+ "currentVersion": "1.0.1",
+ "author": "Cortex XSOAR",
+ "url": "https://www.paloaltonetworks.com/cortex",
+ "email": "",
+ "created": "2020-04-14T00:00:00Z",
+ "categories": [
+ "Analytics & SIEM"
+ ],
+ "tags": [],
+ "useCases": [],
+ "keywords": []
+}
\ No newline at end of file
diff --git a/Packs/Base/ReleaseNotes/1_1_4.md b/Packs/Base/ReleaseNotes/1_1_4.md
new file mode 100644
index 000000000000..2944d71bf214
--- /dev/null
+++ b/Packs/Base/ReleaseNotes/1_1_4.md
@@ -0,0 +1,3 @@
+#### Scripts
+##### SaneDocReports
+- Added additional arguments for increased functionality when using logos
diff --git a/Packs/Base/Scripts/SaneDocReportV2/SaneDocReportV2.py b/Packs/Base/Scripts/SaneDocReportV2/SaneDocReportV2.py
index 4c78571284ee..34c5fb52a635 100644
--- a/Packs/Base/Scripts/SaneDocReportV2/SaneDocReportV2.py
+++ b/Packs/Base/Scripts/SaneDocReportV2/SaneDocReportV2.py
@@ -12,16 +12,19 @@ try:
sane_json_b64 = demisto.args().get('sane_docx_report_base64', '').encode(
'utf-8')
- orientation = demisto.args().get('orientation', 'portrait').encode(
- 'utf-8')
- paper_size = demisto.args().get('paperSize', 'A4').encode(
- 'utf-8')
+ orientation = demisto.args().get('orientation', 'portrait')
+ paper_size = demisto.args().get('paperSize', 'A4')
+ demistoLogo = demisto.args().get('demistoLogo', '')
+ customerLogo = demisto.args().get('customerLogo', '')
+
with open('sane.json', 'wb') as f:
f.write(base64.b64decode(sane_json_b64))
run('sane.json', OUTPUT_FILE_PATH, {
- 'orientation': orientation.decode('utf-8', 'ignore'),
- 'paper_size': paper_size.decode('utf-8', 'ignore')
+ 'orientation': orientation,
+ 'paper_size': paper_size,
+ 'demistoLogo': demistoLogo,
+ 'customerLogo': customerLogo,
})
with open(OUTPUT_FILE_PATH, 'rb') as f:
diff --git a/Packs/Base/Scripts/SaneDocReportV2/SaneDocReportV2.yml b/Packs/Base/Scripts/SaneDocReportV2/SaneDocReportV2.yml
index 438f29924541..1a6c47ef8a77 100644
--- a/Packs/Base/Scripts/SaneDocReportV2/SaneDocReportV2.yml
+++ b/Packs/Base/Scripts/SaneDocReportV2/SaneDocReportV2.yml
@@ -14,11 +14,23 @@ args:
secret: false
- default: false
defaultValue: A4
- description: the paper size of the report
+ description: The paper size for the report.
isArray: false
name: paperSize
required: false
secret: false
+- default: false
+ description: Custom logo image.
+ isArray: false
+ name: customerLogo
+ required: false
+ secret: false
+- default: false
+ description: The logo for XSOAR.
+ isArray: false
+ name: demistoLogo
+ required: false
+ secret: false
comment: Parse Sane-json-reports and export them as docx files (used internally, thus deprecated).
commonfields:
id: SaneDocReports
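Review bot: The new `demistoLogo` and `customerLogo` values are read from args and handed to `run()` untouched, and neither this code nor the yml descriptions added in the same patch (`Custom logo image.`, `The logo for XSOAR.`) say what form the value takes (a path inside the container, a URL, or base64 image data). A comment at the assignment, `# logo values are passed to run() unchanged; the accepted format is defined by sane-doc-reports, not validated here`, and yml descriptions naming that format would make the contract visible; `run()` is imported from outside this file, so the format cannot be confirmed from the diff. The enclosing `try:` block begins before this hunk.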
@@ -34,10 +46,10 @@ tags: timeout: '0' type: python subtype: python3 -dockerimage: demisto/sane-doc-reports:1.0.0.6861 +dockerimage: demisto/sane-doc-reports:1.0.0.9678 runas: DBotWeakRole runonce: false tests: - No Test deprecated: true -fromversion: 5.5.0 \ No newline at end of file +fromversion: 5.5.0 diff --git a/Packs/Base/Scripts/SanePdfReport/SanePdfReport.yml b/Packs/Base/Scripts/SanePdfReport/SanePdfReport.yml index b789c77fea61..989db52fc46e 100644 --- a/Packs/Base/Scripts/SanePdfReport/SanePdfReport.yml +++ b/Packs/Base/Scripts/SanePdfReport/SanePdfReport.yml @@ -68,7 +68,7 @@ tags: - pdf timeout: '0' type: python -dockerimage: demisto/sane-pdf-reports:1.0.0.9507 +dockerimage: demisto/sane-pdf-reports:1.0.0.9768 runas: DBotWeakRole runonce: false tests: diff --git a/Packs/Base/pack_metadata.json b/Packs/Base/pack_metadata.json index 1a58cb57da15..26a7918e08dd 100644 --- a/Packs/Base/pack_metadata.json +++ b/Packs/Base/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Base", "description": "The base pack for Cortex XSOAR.", "support": "xsoar", - "currentVersion": "1.1.3", + "currentVersion": "1.1.4", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/BluelivThreatContext/.pack-ignore b/Packs/BluelivThreatContext/.pack-ignore new file mode 100644 index 000000000000..e69de29bb2d1 diff --git a/Packs/BluelivThreatContext/.secrets-ignore b/Packs/BluelivThreatContext/.secrets-ignore new file mode 100644 index 000000000000..f8cb8a6c2f19 --- /dev/null +++ b/Packs/BluelivThreatContext/.secrets-ignore @@ -0,0 +1,10 @@ +103.76.228.28 +25.20.116.113 +https://attack.mitre.org +https://mytenant.blueliv.com +ad53660b6d7e8d2ed14bd59b39e1f265148e3c6818a494cce906e749976bade1 +http://www.priceminister.com +103.143.173.25 +http://uk.ask.com +http://seclists.org +192.168.56.102 diff --git a/Packs/BluelivThreatContext/CHANGELOG.md b/Packs/BluelivThreatContext/CHANGELOG.md new file mode 100644 index 000000000000..723f2f878c2b 
--- /dev/null +++ b/Packs/BluelivThreatContext/CHANGELOG.md @@ -0,0 +1 @@ +## [Unreleased] \ No newline at end of file diff --git a/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/BluelivThreatContext.py b/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/BluelivThreatContext.py new file mode 100644 index 000000000000..0fe2916d6d1e --- /dev/null +++ b/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/BluelivThreatContext.py 
@@ -0,0 +1,1120 @@ +''' IMPORTS ''' +import demistomock as demisto +from CommonServerPython import * +from CommonServerUserPython import * +import json +import urllib3 + +''' PARAM DEFINITION ''' +SEARCHABLE_BY_NAME = 'threat-actor,campaign,attack-pattern,tool,signature' +SEARCHABLE_BY_HASH = 'sha256,sha1,md5' + +urllib3.disable_warnings() + + +class Client(BaseClient): + def authenticate(self, username: str, password: str): + body = { + 'username': username, + 'password': password + } + res = self._http_request(method='POST', url_suffix='/auth', json_data=body) + self._headers = {"Content-Type": "application/json", "x-cookie": str(res.get('token'))} + return str(res.get('token')) + + def _query_gateway(self, url): + body = {"apiId": "THIAPP", "url": "/api/v1/" + url, "requestType": "GET"} + demisto.debug("Gateway call to " + json.dumps(body)) + res = self._http_request(method='POST', url_suffix='/gateway', json_data=body, headers=self._headers) + return res + + def get_threat_actor_info(self, threat_actor_id): + url = "threat-actor/{}".format(threat_actor_id) + result = self._query_gateway(url) + return result + + def get_campaign_info(self, campaign_id: str): + url = "campaign/{}".format(campaign_id) + result = self._query_gateway(url) + return result + + def get_malware_hash_info(self, file_hash, hash_type="md5"): + url = "malware/?dork={}%3A%22{}%22".format(hash_type, file_hash) + result = self._query_gateway(url) + return result + + def get_malware_info(self, malware_id): + url = "malware/{}".format(malware_id) + result = self._query_gateway(url) + return result + + def get_ip_info(self, ip_id): + url = "ip/{}".format(ip_id) + result = self._query_gateway(url) + return result + + def get_fqdn_info(self, fqdn_id): + url = "fqdn/{}".format(fqdn_id) + result = self._query_gateway(url) + return result + + def get_crime_server_info(self, cs_id): + url = "crime-server/{}".format(cs_id) + result = self._query_gateway(url) + return result + + def 
get_attack_pattern_info(self, attack_pattern_id): + url = "attack-pattern/{}".format(attack_pattern_id) + result = self._query_gateway(url) + return result + + def get_tool_info(self, tool_id): + url = "tool/{}".format(tool_id) + result = self._query_gateway(url) + return result + + def get_signature_info(self, signature_id): + url = "signature/{}".format(signature_id) + result = self._query_gateway(url) + return result + + def get_cve_info(self, cve_id): + url = "cve/{}".format(cve_id) + result = self._query_gateway(url) + return result + + def search_by_name(self, key, value): + if value: + value = value.replace(' ', '+') + else: + value = "" + + if key in SEARCHABLE_BY_NAME: + url = "{}/?fuzzy_filter%5Bname%5D={}".format(key, value) + if key in SEARCHABLE_BY_HASH: + url = "indicator/?fuzzy_filter%5Bvalue%5D={}".format(value) + if key == 'crime-server': + url = "crime-server/?fuzzy_filter%5Bcrime_server_url%5D={}".format(value) + if key == 'fqdn': + url = "fqdn/?fuzzy_filter%5Bdomain%5D={}".format(value) + if key == 'ip': + url = "ip/?fuzzy_filter%5Baddress%5D={}".format(value) + + result = self._query_gateway(url) + return result.get("data", [])[0].get("id", "0") + + def get_relationships(self, object_name, value, of): + url = "{}/{}/relationships/{}/".format(object_name, value, of) + result = self._query_gateway(url) + ids = "" + if result != "error": + ids = ','.join(str(item['id']) for item in result['data']) + + return ids + + +def getHuman(result): + human = {"id": result.get("data", {}).get("id"), + "links": result.get("data", {}).get("links"), + "type": result.get("data", {}).get("type")} + human.update(result.get("data", {}).get("attributes")) + + return human + + +# This function return false when there are no results to display +def notFound(): + demisto.results({ + 'ContentsFormat': formats['json'], + 'Type': entryTypes['note'], + 'Contents': "No results found.", + 'ReadableContentsFormat': formats['markdown'], + 'HumanReadable': "No results found.", 
+ 'EntryContext': { + 'BluelivThreatContext': {} + } + }) + sys.exit(0) + + +# Get information about threat actors # +def blueliv_threatActor(client: Client, args): + threatActorId = args.get('threatActor_id', '') + threatActorName = args.get('threatActor', '') + + if not threatActorId and not threatActorName: + notFound() + + if not threatActorId: + threatActorId = client.search_by_name('threat-actor', threatActorName) + + if not threatActorId: + notFound() + else: + result = client.get_threat_actor_info(threatActorId) + + if result: + name = str(demisto.get(result, "data.attributes.name")) + description = str(demisto.get(result, "data.attributes.description")) + objective = str(demisto.get(result, "data.attributes.objective")) + sophistication = str(demisto.get(result, "data.attributes.sophistication")) + lastSeen = str(demisto.get(result, "data.attributes.last_seen")) + active = str(demisto.get(result, "data.attributes.active")) + + milestoneIds = "" + milestones = demisto.get(result, "data.relationships.milestones.meta.count") + if milestones: + milestoneIds = client.get_relationships("threat-actor", threatActorId, "milestone") + + toolIds = "" + tools = demisto.get(result, "data.relationships.tools.meta.count") + if tools: + toolIds = client.get_relationships("threat-actor", threatActorId, "tools") + + campaigns = demisto.get(result, "data.relationships.campaigns.meta.count") + campaignIds = "" + if campaigns: + campaignIds = client.get_relationships("threat-actor", threatActorId, "campaign") + + signatures = demisto.get(result, "data.relationships.signatures.meta.count") + signatureIds = "" + if signatures: + signatureIds = client.get_relationships("threat-actor", threatActorId, "signature") + + onlineServiceIds = "" + onlineServices = demisto.get(result, "data.relationships.online_services.meta.count") + if onlineServices: + onlineServiceIds = client.get_relationships("threat-actor", threatActorId, "online-service") + + malwareIds = "" + malware = 
demisto.get(result, "data.relationships.malware.meta.count") + if malware: + malwareIds = client.get_relationships("threat-actor", threatActorId, "malware") + + threatTypeIds = "" + threatTypes = demisto.get(result, "data.relationships.threat_types.meta.count") + if threatTypes: + threatTypeIds = client.get_relationships("threat-actor", threatActorId, "threat-type") + + fqdnIds = "" + fqdns = demisto.get(result, "data.relationships.fqdns.meta.count") + if fqdns: + fqdnIds = client.get_relationships("threat-actor", threatActorId, "fqdn") + + attackPatternIds = "" + attackPatterns = demisto.get(result, "data.relationships.attack_patterns.meta.count") + if attackPatterns: + attackPatternIds = client.get_relationships("threat-actor", threatActorId, "attack-pattern") + + ipIds = "" + ips = demisto.get(result, "data.relationships.ips.meta.count") + if ips: + ipIds = client.get_relationships("threat-actor", threatActorId, "ip") + + targetIds = "" + targets = demisto.get(result, "data.relationships.targets.meta.count") + if targets: + targetIds = client.get_relationships("threat-actor", threatActorId, "target") + + human = getHuman(result) + demisto.results({ + 'ContentsFormat': formats['json'], + 'Type': entryTypes['note'], + 'Contents': result, + 'ReadableContentsFormat': formats['markdown'], + 'HumanReadable': tableToMarkdown("Blueliv Threat Actor info", human), + 'EntryContext': { + 'BluelivThreatContext.threatActor(val.name && val.id == obj.id)': { + 'id': threatActorId, + 'name': name, + 'description': description, + 'objective': objective, + 'sophistication': sophistication, + 'lastSeen': lastSeen, + 'active': active, + 'milestones': milestones, + 'milestoneIds': milestoneIds, + 'tools': tools, + 'toolIds': toolIds, + 'campaigns': campaigns, + 'campaignIds': campaignIds, + 'signatures': signatures, + 'signatureIds': signatureIds, + 'onlineServices': onlineServices, + 'onlineServiceIds': onlineServiceIds, + 'malware': malware, + 'malwareIds': malwareIds, + 
'threatTypes': threatTypes, + 'threatTypeIds': threatTypeIds, + 'fqdns': fqdns, + 'fqdnIds': fqdnIds, + 'attackPatterns': attackPatterns, + 'attackPatternIds': attackPatternIds, + 'ips': ips, + 'ipIds': ipIds, + 'targets': targets, + 'targetIds': targetIds + } + } + }) + else: + notFound() + + +# Get campaign information +def blueliv_campaign(client: Client, args): + campaignName = args.get('campaign', '') + campaignId = args.get('campaign_id', '') + + if not campaignId: + campaignId = client.search_by_name('campaign', campaignName) + if not campaignId: + notFound() + else: + result = client.get_campaign_info(campaignId) + + if result: + lastSeen = demisto.get(result, "data.attributes.last_seen") + name = demisto.get(result, "data.attributes.name") + description = demisto.get(result, "data.attributes.description") + + # BOTNETS # + botnetIds = "" + botnets = demisto.get(result, "data.relationships.botnets.meta.count") + if botnets: + botnetIds = client.get_relationships("campaign", campaignId, "botnet") + + # SIGNATURES # + signatureIds = "" + signatures = demisto.get(result, "data.relationships.signatures.meta.count") + if signatures: + signatureIds = client.get_relationships("campaign", campaignId, "signature") + + # IPs # + ipIds = "" + ips = demisto.get(result, "data.relationships.ips.meta.count") + if ips: + ipIds = client.get_relationships("campaign", campaignId, "ip") + + # MALWARE # + malwareIds = "" + malware = demisto.get(result, "data.relationships.malware.meta.count") + if malware: + malwareIds = client.get_relationships("campaign", campaignId, "malware") + + # ATTACK PATTERNS + attackPatternIds = "" + attackPatterns = demisto.get(result, "data.relationships.attack_patterns.meta.count") + if attackPatterns: + attackPatternIds = client.get_relationships("campaign", campaignId, "attack-pattern") + + # TOOLS # + toolIds = "" + tools = demisto.get(result, "data.relationships.tools.meta.count") + if tools: + toolIds = client.get_relationships("campaign", 
campaignId, "tool") + + # FQDNs # + fqdnIds = "" + fqdns = demisto.get(result, "data.relationships.fqdns.meta.count") + if fqdns: + fqdnIds = client.get_relationships("campaign", campaignId, "fqdn") + + # THREAT ACTORS # + threatActorId = demisto.get(result, "data.relationships.threat_actor.data.id") + + human = getHuman(result) + demisto.results({ + 'ContentsFormat': formats['json'], + 'Type': entryTypes['note'], + 'Contents': result, + 'ReadableContentsFormat': formats['markdown'], + 'HumanReadable': tableToMarkdown("Blueliv Campaign info", human), + 'EntryContext': { + 'BluelivThreatContext.campaign(val.id && val.id == obj.id)': { + 'id': campaignId, + 'name': name, + 'description': description, + 'lastSeen': lastSeen, + 'botnets': botnets, + 'botnetIds': botnetIds, + 'signatures': signatures, + 'signatureIds': signatureIds, + 'ips': ips, + 'ipIds': ipIds, + 'malware': malware, + 'malwareIds': malwareIds, + 'attackPatterns': attackPatterns, + 'attackPatternIds': attackPatternIds, + 'tools': tools, + 'toolIds': toolIds, + 'fqdns': fqdns, + 'fqdnIds': fqdnIds, + 'threatActorId': threatActorId + } + } + }) + else: + notFound() + + +# Get detailed malware information # +def blueliv_malware(client: Client, args): + hashValue = args.get('hash', '') + malwareId = args.get('hash_id', '') + + if hashValue: + if len(hashValue) == 40: + hash_type = 'sha1' + elif len(hashValue) == 64: + hash_type = 'sha256' + elif len(hashValue) == 32: + hash_type = 'md5' + else: + notFound() + + if not malwareId: + result = client.get_malware_hash_info(hashValue, hash_type) + + if not result: + notFound() + + if result.get("data", []): + malwareId = demisto.get(result.get("data")[0], "id") + + if malwareId: + result = client.get_malware_info(malwareId) + + if result: + # lastSeen = demisto.get(result, "data.attributes.last_seen") + sha256 = demisto.get(result, "data.attributes.sha256") + sha1 = demisto.get(result, "data.attributes.sha1") + md5 = demisto.get(result, "data.attributes.md5") + 
fileType = demisto.get(result, "data.attributes.file_type") + hasCandC = demisto.get(result, "data.attributes.has_c_and_c") + memory = demisto.get(result, "data.attributes.memory") + procMemory = demisto.get(result, "data.attributes.proc_memory") + analysisStatus = demisto.get(result, "data.attributes.analysis_status") + dropped = demisto.get(result, "data.attributes.dropped") + buffers = demisto.get(result, "data.attributes.buffers") + hasNetwork = demisto.get(result, "data.attributes.has_network") + risk = demisto.get(result, "data.attributes.risk") + # Malware uses sha256 likes malwareId, so we need to use this field to call getIds function + + # CAMPAIGNS # + campaigns = demisto.get(result, "data.relationships.campaigns.meta.count") + campaignIds = "" + if campaigns: + campaignIds = client.get_relationships("malware", sha256, "campaign") + + # SIGNATURES # + signatures = demisto.get(result, "data.relationships.signatures.meta.count") + signatureIds = "" + if signatures: + signatureIds = client.get_relationships("malware", sha256, "signature") + + # THREAT ACTORS # + threatActorIds = "" + threatActors = demisto.get(result, "data.relationships.threat_actors.meta.count") + if threatActors: + threatActorIds = client.get_relationships("malware", sha256, "threat-actor") + + # SOURCES # + sourceIds = "" + sources = demisto.get(result, "data.relationships.sources.meta.count") + if sources: + sourceIds = client.get_relationships("malware", sha256, "source") + + # TAGS # + tagIds = "" + tags = demisto.get(result, "data.relationships.tags.meta.count") + if tags: + tagIds = client.get_relationships("malware", sha256, "tag") + + # CRIME SERVERS # + crimeServerIds = "" + crimeServers = demisto.get(result, "data.relationships.crime_servers.meta.count") + if crimeServers: + crimeServerIds = client.get_relationships("mwlware", sha256, "crime-server") + + # FQDNs # + fqdnIds = "" + fqdns = demisto.get(result, "data.relationships.fqdns.meta.count") + if fqdns: + fqdnIds = 
client.get_relationships("malware", sha256, "fqdn") + + # TYPES # + typeIds = "" + types = demisto.get(result, "data.relationships.types.meta.count") + if types: + typeIds = client.get_relationships("malware", sha256, "type") + + # SPARKS # + sparkIds = "" + sparks = demisto.get(result, "data.relationships.sparks.meta.count") + if sparks: + sparkIds = client.get_relationships("malware", sha256, "spark") + + # IPs # + ipIds = "" + ips = demisto.get(result, "data.relationships.ips.meta.count") + if ips: + ipIds = client.get_relationships("malware", sha256, "ip") + + human = getHuman(result) + demisto.results({ + 'ContentsFormat': formats['json'], + 'Type': entryTypes['note'], + 'Contents': result, + 'ReadableContentsFormat': formats['markdown'], + 'HumanReadable': tableToMarkdown("Blueliv Malware file info", human), + 'EntryContext': { + 'BluelivThreatContext.malware(val.id && val.id == obj.id)': { + 'id': malwareId, + 'hash.sha256': sha256, + 'hash.sha1': sha1, + 'hash.md5': md5, + 'fileType': fileType, + 'hasCandC': hasCandC, + 'memory': memory, + 'procMemory': procMemory, + 'analysisStatus': analysisStatus, + 'dropped': dropped, + 'buffers': buffers, + 'hasNetwork': hasNetwork, + 'risk': risk, + 'campaigns': campaigns, + 'campaignIds': campaignIds, + 'signatures': signatures, + 'signatureIds': signatureIds, + 'threatActors': threatActors, + 'threatActorIds': threatActorIds, + 'sources': sources, + 'sourceIds': sourceIds, + 'tags': tags, + 'tagIds': tagIds, + 'crimeServers': crimeServers, + 'crimeserverIds': crimeServerIds, + 'fqdns': fqdns, + 'fqdnIds': fqdnIds, + 'types': types, + 'typeIds': typeIds, + 'sparks': sparks, + 'sparkIds': sparkIds, + 'ips': ips, + 'ipIds': ipIds + } + } + }) + else: + notFound() + else: + notFound() + + +def blueliv_indicatorIp(client: Client, args): + nameIP = args.get('IP', '') + valueIP = args.get('IP_id', '') + + if not valueIP and not nameIP: + notFound() + if nameIP: + valueIP = nameIP # client.search_by_name('fqdn', nameIP) + + 
if not valueIP: + notFound() + + result = client.get_ip_info(valueIP) + + if result: + lastSeen = str(demisto.get(result, "data.attributes.last_seen")) + latitude = str(demisto.get(result, "data.attributes.latitude")) + longitude = str(demisto.get(result, "data.attributes.longitude")) + risk = str(demisto.get(result, "data.attributes.risk")) + countryId = str(demisto.get(result, "data.relationships.country.data.id")) + + # CAMPAIGNS # + campaigns = demisto.get(result, "data.relationships.campaigns.meta.count") + campaignIds = "" + if campaigns: + campaignIds = client.get_relationships("ip", valueIP, "campaign") + + # SIGNATURES # + signatures = demisto.get(result, "data.relationships.signatures.meta.count") + signatureIds = "" + if signatures: + signatureIds = client.get_relationships("ip", valueIP, "signature") + + # THREAT ACTORS # + threatActors = demisto.get(result, "data.relationships.threat_actors.meta.count") + threatActorIds = "" + if threatActors: + client.get_relationships("ip", valueIP, "threat-actor") + + # TAGS # + tags = demisto.get(result, "data.relationships.tags.meta.count") + tagIds = "" + if tags: + tagIds = client.get_relationships("ip", valueIP, "tag") + + # FQDNs # + fqdnIds = "" + fqdns = demisto.get(result, "data.relationships.fqdns.meta.count") + if fqdns: + fqdnIds = client.get_relationships("ip", valueIP, "fqdn") + + # SPARKS # + sparks = demisto.get(result, "data.relationships.sparks.meta.count") + sparkIds = "" + if sparks: + sparkIds = client.get_relationships("ip", valueIP, "spark") + + # BOTS # + bots = demisto.get(result, "data.relationships.bots.meta.count") + botIds = "" + if bots: + botIds = client.get_relationships("ip", valueIP, "bot") + + human = getHuman(result) + ipName = valueIP.replace(".", "") + demisto.results({ + 'ContentsFormat': formats['json'], + 'Type': entryTypes['note'], + 'Contents': result, + 'ReadableContentsFormat': formats['markdown'], + 'HumanReadable': tableToMarkdown("Blueliv IP info", human), + 
'EntryContext': { + 'BluelivThreatContext.indicator(val.ipName && val.ipName == obj.ipName)': { + "ipName": ipName, + 'lastSeen': lastSeen, + 'risk': risk, + 'latitude': latitude, + 'longitude': longitude, + 'countryId': countryId, + 'campaigns': campaigns, + 'campaignIds': campaignIds, + 'signatures': signatures, + 'signatureIds': signatureIds, + 'threatActors': threatActors, + 'threatActorIds': threatActorIds, + 'tags': tags, + 'tagIds': tagIds, + 'fqdns': fqdns, + 'fqdnIds': fqdnIds, + 'sparks': sparks, + 'sparkIds': sparkIds, + 'bots': bots, + 'botIds': botIds + } + } + }) + else: + notFound() + + +def blueliv_indicatorFqdn(client: Client, args): + nameFQDN = args.get('FQDN', '') + valueFQDN = args.get('FQDN_id', '') + + if not valueFQDN and not nameFQDN: + notFound() + if not valueFQDN and nameFQDN: + valueFQDN = client.search_by_name('fqdn', nameFQDN) + if not valueFQDN: + notFound() + sys.exit() + + result = client.get_fqdn_info(valueFQDN) + if result: + # PARAMETROS GENERALES # + lastSeen = str(demisto.get(result, "data.attributes.last_seen")) + risk = str(demisto.get(result, "data.attributes.risk")) + + # CAMPAIGNS # + campaigns = demisto.get(result, "data.relationships.campaigns.meta.count") + campaignIds = "" + if campaigns: + campaignIds = client.get_relationships("fqdn", valueFQDN, "campaign") + + # SIGNATURES # + signatures = demisto.get(result, "data.relationships.signatures.meta.count") + signatureIds = "" + if signatures: + signatureIds = client.get_relationships("fqdn", valueFQDN, "signature") + + # THREAT ACTORS # + threatActors = demisto.get(result, "data.relationships.threat_actors.meta.count") + threatActorIds = "" + if threatActors: + threatActorIds = client.get_relationships("fqdn", valueFQDN, "threat-actor") + + # TAGS # + tags = demisto.get(result, "data.relationships.tags.meta.count") + tagIds = "" + if tags: + tagIds = client.get_relationships("fqdn", valueFQDN, "tag") + + # CRIME SERVERS # + crimeServers = demisto.get(result, 
"data.relationships.crime_servers.meta.count") + crimeServerIds = "" + if crimeServers: + crimeServerIds = client.get_relationships("fqdn", valueFQDN, "crime-server") + + # SPARKS # + sparks = demisto.get(result, "data.relationships.sparks.meta.count") + sparkIds = "" + if sparks: + sparkIds = client.get_relationships("fqdn", valueFQDN, "spark") + + # IPs # + ips = demisto.get(result, "data.relationships.ips.meta.count") + ipIds = "" + if ips: + ipIds = client.get_relationships("fqdn", valueFQDN, "ip") + + human = getHuman(result) + demisto.results({ + 'ContentsFormat': formats['json'], + 'Type': entryTypes['note'], + 'Contents': result, + 'ReadableContentsFormat': formats['markdown'], + 'HumanReadable': tableToMarkdown("Blueliv FQDN info", human), + 'EntryContext': { + 'BluelivThreatContext.indicator(val.id && val.id == obj.id)': { + 'id': valueFQDN, + 'lastSeen': lastSeen, + 'risk': risk, + 'campaigns': campaigns, + 'campaignIds': campaignIds, + 'signatures': signatures, + 'signatureIds': signatureIds, + 'threatActors': threatActors, + 'threatActorIds': threatActorIds, + 'tags': tags, + 'tagids': tagIds, + 'crimeServers': crimeServers, + 'crimeServerIds': crimeServerIds, + 'sparks': sparks, + 'sparkIds': sparkIds, + 'ips': ips, + 'ipIds': ipIds + } + } + }) + else: + notFound() + + +# Get information about the crime server related with the provided URL +def blueliv_indicatorCs(client: Client, args): + nameCS = args.get('CS', '') + valueCS = args.get('CS_id', '') + + if not valueCS and not nameCS: + notFound() + if not valueCS and nameCS: + valueCS = client.search_by_name('crime-server', nameCS) + if not valueCS: + notFound() + sys.exit() + + result = client.get_crime_server_info(valueCS) + + if result: + lastSeen = str(demisto.get(result, "data.attributes.last_seen")) + status = str(demisto.get(result, "data.attributes.status")) + risk = str(demisto.get(result, "data.attributes.risk")) + isFalsePositive = str(demisto.get(result, 
"data.attributes.is_false_positive")) + crimeServerUrl = str(demisto.get(result, "data.attributes.crime_server_url")) + creditCardsCount = str(demisto.get(result, "data.attributes.credit_cards_count")) + credentialsCount = str(demisto.get(result, "data.attributes.credentials_count")) + botsCount = str(demisto.get(result, "data.attributes.bots_count")) + fqdnId = demisto.get(result, "data.relationships.fqdn.data.id") + + # SOURCES # + sourceIds = "" + sources = demisto.get(result, "data.relationships.sources.meta.count") + if sources: + sourceIds = client.get_relationships("crime-server", valueCS, "source") + + # MALWARE # + malwareIds = "" + malware = demisto.get(result, "data.relationships.malware.meta.count") + if malware: + malwareIds = client.get_relationships("crime-server", valueCS, "malware") + + # TAGS # + tags = demisto.get(result, "data.relationships.tags.meta.count") + tagIds = "" + if tags: + tagIds = client.get_relationships("crime-server", valueCS, "tag") + + # SPARKS # + sparks = demisto.get(result, "data.relationships.sparks.meta.count") + sparkIds = "" + if sparks: + sparkIds = client.get_relationships("crime-server", valueCS, "spark") + + human = getHuman(result) + demisto.results({ + 'ContentsFormat': formats['json'], + 'Type': entryTypes['note'], + 'Contents': result, + 'ReadableContentsFormat': formats['markdown'], + 'HumanReadable': tableToMarkdown("Blueliv Crime Server info", human), + 'EntryContext': { + 'BluelivThreatContext.indicator(val.id && val.id == obj.id)': { + 'id': valueCS, + 'lastSeen': lastSeen, + 'status': status, + 'risk': risk, + 'isFalsePositive': isFalsePositive, + 'crimeServerUrl': crimeServerUrl, + 'creditCardsCount': creditCardsCount, + 'credentialsCount': credentialsCount, + 'botsCount': botsCount, + 'fqdnId': fqdnId, + 'malware': malware, + 'malwareIds': malwareIds, + 'tags': tags, + 'tagIds': tagIds, + 'sparks': sparks, + 'sparkIds': sparkIds, + 'sources': sources, + 'sourceIds': sourceIds + } + } + }) + else: + 
notFound() + + +# Get information about attack patterns +def blueliv_attackPattern(client: Client, args): + attackPatternName = args.get('attackPattern', '') + attackPatternId = args.get('attackPattern_id', '') + + if attackPatternId: + attackPatternId = int(attackPatternId) + + if not attackPatternId: + attackPatternId = client.search_by_name('attack-pattern', attackPatternName) + + if attackPatternId: + result = client.get_attack_pattern_info(attackPatternId) + + if result: + updatedAt = demisto.get(result, "data.attributes.updated_at") + name = demisto.get(result, "data.attributes.name") + description = demisto.get(result, "data.attributes.description") + serverity = demisto.get(result, "data.attributes.severity") + + # SIGNATURES # + signatures = demisto.get(result, "data.relationships.signatures.meta.count") + signatureIds = "" + if signatures: + signatureIds = client.get_relationships("attack-pattern", str(attackPatternId), "signature") + + # CAMPAIGNS # + campaigns = demisto.get(result, "data.relationships.campaigns.meta.count") + campaignIds = "" + if campaigns: + campaignIds = client.get_relationships("attack-pattern", str(attackPatternId), "campaign") + + # THREAT ACTORS # + threatActorIds = "" + threatActors = demisto.get(result, "data.relationships.threat_actors.meta.count") + if threatActors: + threatActorIds = client.get_relationships("attack-pattern", str(attackPatternId), "threat-actor") + + # CVEs # + cveIds = "" + cves = demisto.get(result, "data.relationships.cves.meta.count") + if cves: + cves = client.get_relationships("attack-pattern", str(attackPatternId), "cve") + + human = getHuman(result) + demisto.results({ + 'ContentsFormat': formats['json'], + 'Type': entryTypes['note'], + 'Contents': result, + 'ReadableContentsFormat': formats['markdown'], + 'HumanReadable': tableToMarkdown("Blueliv Attack Pattern info", human), + 'EntryContext': { + 'BluelivThreatContext.attackPattern(val.id && val.id == obj.id)': { + 'id': attackPatternId, + 'name': 
name, + 'description': description, + 'updatedAt': updatedAt, + 'serverity': serverity, + 'signatures': signatures, + 'signatureIds': signatureIds, + 'campaigns': campaigns, + 'campaignIds': campaignIds, + 'threatActors': threatActors, + 'threatActorIds': threatActorIds, + 'cves': cves, + 'cveIds': cveIds + } + } + }) + else: + notFound() + else: + notFound() + + +# Get information about tools +def blueliv_tool(client: Client, args): + toolName = args.get('tool', '') + toolId = args.get('tool_id', '') + + if not toolId: + toolId = client.search_by_name('tool', toolName) + + if toolId: + result = client.get_tool_info(toolId) + + if result: + name = demisto.get(result, "data.attributes.name") + description = demisto.get(result, "data.attributes.description") + lastSeen = demisto.get(result, "data.attributes.last_seen") + + # CAMPAIGNS # + campaigns = demisto.get(result, "data.relationships.campaigns.meta.count") + campaignIds = "" + if campaigns: + campaignIds = client.get_relationships("tool", str(toolId), "campaign") + + # SIGNATURES # + signatures = demisto.get(result, "data.relationships.signatures.meta.count") + signatureIds = "" + if signatures: + signatureIds = client.get_relationships("tool", str(toolId), "signature") + + # THREAT ACTORS # + threatActorIds = "" + threatActors = demisto.get(result, "data.relationships.threat_actors.meta.count") + if threatActors: + threatActorIds = client.get_relationships("tool", str(toolId), "threat-actor") + + human = getHuman(result) + demisto.results({ + 'ContentsFormat': formats['json'], + 'Type': entryTypes['note'], + 'Contents': result, + 'ReadableContentsFormat': formats['markdown'], + 'HumanReadable': tableToMarkdown("Blueliv Tool info", human), + 'EntryContext': { + 'BluelivThreatContext.tool(val.id && val.id == obj.id)': { + 'id': toolId, + 'name': name, + 'description': description, + 'lastSeen': lastSeen, + 'campaigns': campaigns, + 'campaignIds': campaignIds, + 'signatures': signatures, + 'signatureIds': 
signatureIds, + 'threatActors': threatActors, + 'threatActorIds': threatActorIds + } + } + }) + else: + notFound() + else: + notFound() + + +def blueliv_signature(client: Client, args): + signatureName = args.get('signature', '') + signatureId = args.get('signature_id', '') + + if not signatureId: + signatureId = client.search_by_name('signature', signatureName) + + if signatureId: + result = client.get_signature_info(signatureId) + + if result: + name = demisto.get(result, "data.attributes.name") + signatureType = demisto.get(result, "data.attributes.type") + updatedAt = demisto.get(result, "data.attributes.updated_at") + + # MALWARE # + malwareIds = "" + malware = demisto.get(result, "data.relationships.malware.meta.count") + if malware: + malwareIds = client.get_relationships("signature", str(signatureId), "malware") + + human = getHuman(result) + demisto.results({ + "Type": entryTypes["note"], + 'Contents': result, + "ContentsFormat": formats["json"], + 'HumanReadable': tableToMarkdown("Blueliv Signature info", human), + 'ReadableContentsFormat': formats['markdown'], + 'EntryContext': { + 'BluelivThreatContext.signature(val.id && val.id == obj.id)': { + 'id': signatureId, + 'name': name, + 'type': signatureType, + 'updatedAt': updatedAt, + 'malware': malware, + 'malwareIds': malwareIds + } + } + }) + else: + notFound() + else: + notFound() + + +# Get inforamtion abouth the provided CVE code +def blueliv_cve(client: Client, args): + cveCode = args.get('CVE', '') + vulnId = args.get('CVE_id', '') + + if not vulnId: + vulnId = cveCode + + result = client.get_cve_info(vulnId) + + if result: + name = demisto.get(result, "data.attributes.name") + description = demisto.get(result, "data.attributes.description") + updatedAt = demisto.get(result, "data.attributes.updated_at") + score = demisto.get(result, "data.attributes.score") + exploitsTableData = demisto.get(result, "data.attributes.exploits") + platformsTableData = demisto.get(result, "data.attributes.platforms") 
+
+ # ATTACK PATTERNS
+ attackPatternIds = ""
+ attackPatterns = demisto.get(result, "data.relationships.attack_patterns.meta.count")
+ if attackPatterns:
+ attackPatternIds = client.get_relationships("cve", str(vulnId), "attack-pattern")
+
+ # SIGNATURES #
+ signatures = demisto.get(result, "data.relationships.signatures.meta.count")
+ signatureIds = ""
+ if signatures:
+ signatureIds = client.get_relationships("cve", str(vulnId), "signature")
+
+ # TAGS #
+ tagIds = ""
+ tags = demisto.get(result, "data.relationships.tags.meta.count")
+ if tags:
+ tagIds = client.get_relationships("cve", str(vulnId), "tag")
+
+ # CRIME SERVERS #
+ crimeServerIds = ""
+ crimeServers = demisto.get(result, "data.relationships.crime_servers.meta.count")
+ if crimeServers:
+ crimeServerIds = client.get_relationships("cve", str(vulnId), "crime-server")
+
+ # SPARKS #
+ sparkIds = ""
+ sparks = demisto.get(result, "data.relationships.sparks.meta.count")
+ if sparks:
+ sparkIds = client.get_relationships("cve", vulnId, "spark")
+
+ # MALWARE #
+ malwareIds = ""
+ malware = demisto.get(result, "data.relationships.malware.meta.count")
+ if malware:
+ malwareIds = client.get_relationships("cve", vulnId, "malware")
+
+ human = getHuman(result)
+ demisto.results({
+ "Type": entryTypes["note"],
+ 'Contents': result,
+ "ContentsFormat": formats["json"],
+ 'HumanReadable': tableToMarkdown("Blueliv CVE info", human),
+ 'ReadableContentsFormat': formats['markdown'],
+ 'EntryContext': {
+ 'BluelivThreatContext.cve(val.id && val.id == obj.id)': {
+ 'id': vulnId,
+ 'name': name,
+ 'description': description,
+ 'updatedAt': updatedAt,
+ 'score': score,
+ 'attackPatterns': attackPatterns,
+ 'attackPatternIds': attackPatternIds,
+ 'signatures': signatures,
+ 'signatureIds': signatureIds,
+ 'tags': tags,
+ 'tagIds': tagIds,
+ 'crimeServers': crimeServers,
+ 'crimeServerIds,': crimeServerIds,
+ 'sparks': sparks,
+ 'sparkIds': sparkIds,
+ 'malware': malware,
+ 'malwareIds': malwareIds,
+ 'exploits': exploitsTableData,
+ 'platforms': platformsTableData
+ }
+ }
+ })
+ else:
+ notFound()
+
+
+# DEMISTO command evaluation
+def main():
+ params = demisto.params()
+ server_url = params.get('url')
+ verify_ssl = not params.get('unsecure', '')
+ proxy = params.get('proxy')
+ username = params['credentials']['identifier']
+ password = params['credentials']['password']
+
+ client = Client(server_url, verify_ssl, proxy, headers={'Accept': 'application/json'})
+ token = client.authenticate(username, password)
+
+ args = demisto.args()
+ if demisto.command() == 'test-module':
+ # Checks if the user is correctly authenticated. If the execution gets here all is correct.
+ demisto.results("ok")
+
+ if demisto.command() == 'blueliv-authenticate':
+ demisto.results({
+ "Type": entryTypes["note"],
+ 'Contents': token,
+ "ContentsFormat": formats["text"],
+ 'EntryContext': {'BluelivThreatContext.token': token}
+ })
+
+ elif demisto.command() == 'blueliv-tc-threat-actor':
+ blueliv_threatActor(client, args)
+
+ elif demisto.command() == 'blueliv-tc-campaign':
+ blueliv_campaign(client, args)
+
+ elif demisto.command() == 'blueliv-tc-malware':
+ blueliv_malware(client, args)
+
+ elif demisto.command() == 'blueliv-tc-indicator-ip':
+ blueliv_indicatorIp(client, args)
+
+ elif demisto.command() == 'blueliv-tc-indicator-fqdn':
+ blueliv_indicatorFqdn(client, args)
+
+ elif demisto.command() == 'blueliv-tc-indicator-cs':
+ blueliv_indicatorCs(client, args)
+
+ elif demisto.command() == 'blueliv-tc-attack-pattern':
+ blueliv_attackPattern(client, args)
+
+ elif demisto.command() == 'blueliv-tc-tool':
+ blueliv_tool(client, args)
+
+ elif demisto.command() == 'blueliv-tc-signature':
+ blueliv_signature(client, args)
+
+ elif demisto.command() == 'blueliv-tc-cve':
+ blueliv_cve(client, args)
+
+
+if __name__ in ('__main__', '__builtin__', 'builtins'):
+ main()
diff --git a/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/BluelivThreatContext.yml b/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/BluelivThreatContext.yml
new file mode 100644
index 000000000000..c330c03a1303
--- /dev/null
+++ b/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/BluelivThreatContext.yml
@@ -0,0 +1,754 @@
+category: Data Enrichment & Threat Intelligence
+commonfields:
+ id: Blueliv ThreatContext
+ version: -1
+configuration:
+- defaultvalue: https://demisto.blueliv.com/api/v2
+ display: Server URL (e.g. https://demisto.blueliv.com/api/v2)
+ name: url
+ required: true
+ type: 0
+- display: Username
+ name: credentials
+ required: true
+ type: 9
+- defaultvalue: 'false'
+ display: Trust any certificate (not secure)
+ name: unsecure
+ required: false
+ type: 8
+- display: Use system proxy settings
+ hidden: false
+ name: proxy
+ required: false
+ type: 8
+description: The Threat Context module provides SOC, Incident Response, and Threat
+ Intelligence teams with continuously updated and intuitive information around threat
+ actors, campaigns, malware indicators, attack patterns, tools, signatures and CVEs.
+display: Blueliv ThreatContext
+name: Blueliv ThreatContext
+script:
+ commands:
+ - deprecated: false
+ description: Authenticates and gets the API token.
+ execution: false
+ name: blueliv-authenticate
+ outputs:
+ - contextPath: BluelivThreatContext.token
+ description: Authentication token.
+ type: String
+ - arguments:
+ - default: false
+ description: Internal Blueliv malware hash ID.
+ isArray: false
+ name: hash_id
+ required: false
+ secret: false
+ - default: false
+ description: Malware file hash to search for.
+ isArray: false
+ name: hash
+ required: false
+ secret: false
+ deprecated: false
+ description: Gets information about malware, by ID.
+ execution: false
+ name: blueliv-tc-malware
+ outputs:
+ - contextPath: BluelivThreatContext.malware.hash.sha256
+ description: File SHA256 hash.
+ type: String
+ - contextPath: BluelivThreatContext.malware.hash.sha1
+ description: File SHA1 hash.
+ type: String
+ - contextPath: BluelivThreatContext.malware.hash.md5
+ description: File MD5 hash.
+ type: String
+ - contextPath: BluelivThreatContext.malware.type
+ description: Malware type.
+ type: String
+ - contextPath: BluelivThreatContext.malware.hasCandC
+ description: Whether there is an associated C&C.
+ type: Boolean
+ - contextPath: BluelivThreatContext.malware.memory
+ description: Malware memory.
+ type: String
+ - contextPath: BluelivThreatContext.malware.procMemory
+ description: Malware proc memory.
+ type: String
+ - contextPath: BluelivThreatContext.malware.analysisStatus
+ description: Malware analysis status.
+ type: String
+ - contextPath: BluelivThreatContext.malware.dropped
+ description: Malware dropped.
+ type: Boolean
+ - contextPath: BluelivThreatContext.malware.buffers
+ description: Malware buffers.
+ type: Boolean
+ - contextPath: BluelivThreatContext.malware.hasNetwork
+ description: Whether the malware has Network information.
+ type: Boolean
+ - contextPath: BluelivThreatContext.malware.risk
+ description: Malware associated risk.
+ type: Number
+ - contextPath: BluelivThreatContext.malware.campaigns
+ description: Malware related campaigns.
+ type: Number
+ - contextPath: BluelivThreatContext.malware.campaignIds
+ description: Malware related campaigns' internal IDs.
+ type: Unknown
+ - contextPath: BluelivThreatContext.malware.signatures
+ description: Malware signatures.
+ type: Number
+ - contextPath: BluelivThreatContext.malware.sigantureIds
+ description: Malware sigantures' internal IDs.
+ type: Unknown
+ - contextPath: BluelivThreatContext.malware.threatActors
+ description: Malware threat actors.
+ type: Number
+ - contextPath: BluelivThreatContext.malware.threatActorIds
+ description: Malware threat actors' internal IDs.
+ type: Unknown
+ - contextPath: BluelivThreatContext.malware.sources
+ description: Malware sources.
+ type: Number
+ - contextPath: BluelivThreatContext.malware.sourceIds
+ description: Malware sources' internal IDs.
+ type: Unknown
+ - contextPath: BluelivThreatContext.malware.tags
+ description: Malware tags.
+ type: Number
+ - contextPath: BluelivThreatContext.malware.tagIds
+ description: Malware tags' internal IDs.
+ type: Unknown
+ - contextPath: BluelivThreatContext.malware.crimeServers
+ description: Malware related crime servers.
+ type: Number
+ - contextPath: BluelivThreatContext.malware.crimeServerIds
+ description: Malware crime servers' internal IDs.
+ type: Unknown
+ - contextPath: BluelivThreatContext.malware.fqdns
+ description: Malware FQDNs.
+ type: Number
+ - contextPath: BluelivThreatContext.malware.fqdnIds
+ description: Malware FQDNs internal IDs.
+ type: Unknown
+ - contextPath: BluelivThreatContext.malware.types
+ description: Malware types.
+ type: Number
+ - contextPath: BluelivThreatContext.malware.typeIds
+ description: Malware types' internal IDs.
+ type: Unknown
+ - contextPath: BluelivThreatContext.malware.sparks
+ description: Malware sparks.
+ type: Number
+ - contextPath: BluelivThreatContext.malware.sparkIds
+ description: Malware sparks' internal IDs.
+ type: Unknown
+ - contextPath: BluelivThreatContext.malware.ips
+ description: Malware IP addresses.
+ type: Number
+ - contextPath: BluelivThreatContext.malware.ipIds
+ description: Malware IP addresses' internal IDs.
+ type: Unknown
+ - arguments:
+ - default: false
+ description: Internal Blueliv IP address ID.
+ isArray: false
+ name: IP_id
+ required: false
+ secret: false
+ - default: false
+ description: IP address to get information for.
+ isArray: false
+ name: IP
+ required: false
+ secret: false
+ deprecated: false
+ description: Gets information about an IP address.
+ execution: false
+ name: blueliv-tc-indicator-ip
+ outputs:
+ - contextPath: BluelivThreatContext.indicator.lastSeen
+ description: Indicator last seen date.
+ type: Date
+ - contextPath: BluelivThreatContext.indicator.risk
+ description: Indicator risk
+ type: Number
+ - contextPath: BluelivThreatContext.indicator.latitude
+ description: Indicator latitude.
+ type: Number
+ - contextPath: BluelivThreatContext.indicator.longitude
+ description: Indicator longitude.
+ type: Number
+ - contextPath: BluelivThreatContext.indicator.countryId
+ description: Indicator countries' internal IDs.
+ type: Number
+ - contextPath: BluelivThreatContext.indicator.campaigns
+ description: Indicator campaigns.
+ type: Number
+ - contextPath: BluelivThreatContext.indicator.campaignIds
+ description: Indicator campaigns' internal IDs.
+ type: Unknown
+ - contextPath: BluelivThreatContext.indicator.signatures
+ description: Indicator signatures.
+ type: Number
+ - contextPath: BluelivThreatContext.indicator.signatureIds
+ description: Indicator signatures' internal IDs.
+ type: Unknown
+ - contextPath: BluelivThreatContext.indicator.threatActors
+ description: Indicator threat actors.
+ type: Number
+ - contextPath: BluelivThreatContext.indicator.threatActorIds
+ description: Indicator threat actors' internal IDs.
+ type: Unknown
+ - contextPath: BluelivThreatContext.indicator.tags
+ description: Indicator tags.
+ type: Number
+ - contextPath: BluelivThreatContext.indicator.tagIds
+ description: Indicator tags' internal IDs.
+ type: Unknown
+ - contextPath: BluelivThreatContext.indicator.fqdns
+ description: Indicator FQDNs.
+ type: Number
+ - contextPath: BluelivThreatContext.indicator.fqdnIds
+ description: Indicator FQDNs' internal IDs.
+ type: Unknown
+ - contextPath: BluelivThreatContext.indicator.sparks
+ description: Indicator sparks.
+ type: Number
+ - contextPath: BluelivThreatContext.indicator.sparkIds
+ description: Indicator sparks' internal IDs.
+ type: Unknown
+ - contextPath: BluelivThreatContext.indicator.bots
+ description: Indicator bots.
+ type: Number
+ - contextPath: BluelivThreatContext.indicator.botIds
+ description: Indicator bots' internal IDs.
+ type: Unknown
+ - arguments:
+ - default: false
+ description: CVE to get information for.
+ isArray: false
+ name: CVE
+ required: false
+ secret: false
+ - default: false
+ description: Internal Blueliv CVE ID.
+ isArray: false
+ name: CVE_id
+ required: false
+ secret: false
+ deprecated: false
+ description: Gets information about a CVE.
+ execution: false
+ name: blueliv-tc-cve
+ outputs:
+ - contextPath: BluelivThreatContext.cve.name
+ description: CVE name.
+ type: String
+ - contextPath: BluelivThreatContext.cve.description
+ description: CVE description.
+ type: String
+ - contextPath: BluelivThreatContext.cve.updatedAt
+ description: Date the CVE was last updated.
+ type: Date
+ - contextPath: BluelivThreatContext.cve.score
+ description: CVE score.
+ type: Number
+ - contextPath: BluelivThreatContext.cve.attackPatterns
+ description: CVE attack patterns.
+ type: Number
+ - contextPath: BluelivThreatContext.cve.attackPatternIds
+ description: CVE attack patterns' internal IDs.
+ type: Unknown
+ - contextPath: BluelivThreatContext.cve.signatures
+ description: CVE signatures.
+ type: Number
+ - contextPath: BluelivThreatContext.cve.signatureIds
+ description: CVE signatures' internal IDs.
+ type: Unknown
+ - contextPath: BluelivThreatContext.cve.tags
+ description: CVE tags.
+ type: Number
+ - contextPath: BluelivThreatContext.cve.tagIds
+ description: CVE tags' internal IDs.
+ type: Unknown
+ - contextPath: BluelivThreatContext.cve.crimeServers
+ description: CVE crime servers.
+ type: Number
+ - contextPath: BluelivThreatContext.cve.crimeServerIds
+ description: CVE crime servers' internal IDs.
+ type: Unknown
+ - contextPath: BluelivThreatContext.cve.sparks
+ description: CVE sparks.
+ type: Number
+ - contextPath: BluelivThreatContext.cve.sparkIds
+ description: CVE sparks' internal IDs.
+ type: Unknown
+ - contextPath: BluelivThreatContext.cve.malware
+ description: CVE malware.
+ type: Number
+ - contextPath: BluelivThreatContext.cve.malwareIds
+ description: CVE malwares' internal IDs.
+ type: Unknown
+ - contextPath: BluelivThreatContext.cve.exploits
+ description: CVE exploits.
+ type: Number
+ - contextPath: BluelivThreatContext.cve.platforms
+ description: CVE platforms.
+ type: Unknown
+ - arguments:
+ - default: false
+ description: Internal Blueliv FQDN ID.
+ isArray: false
+ name: FQDN_id
+ required: false
+ secret: false
+ - default: false
+ description: FQDN to get information for.
+ isArray: false
+ name: FQDN
+ required: false
+ secret: false
+ deprecated: false
+ description: Gets information about an FQDN.
+ execution: false
+ name: blueliv-tc-indicator-fqdn
+ outputs:
+ - contextPath: BluelivThreatContext.indicator.lastSeen
+ description: Date the indicator was last seen.
+ type: Date
+ - contextPath: BluelivThreatContext.indicator.risk
+ description: Indicator risk.
+ type: Number
+ - contextPath: BluelivThreatContext.indicator.campaigns
+ description: Indicator campaigns.
+ type: Number
+ - contextPath: BluelivThreatContext.indicator.campaignIds
+ description: Indicator campaigns' internal IDs.
+ type: Unknown
+ - contextPath: BluelivThreatContext.indicator.signatures
+ description: Indicator signatures.
+ type: Number
+ - contextPath: BluelivThreatContext.indicator.signatureIds
+ description: Indicator signatures' internal IDs.
+ type: Unknown
+ - contextPath: BluelivThreatContext.indicator.threatActors
+ description: Indicator threat actors.
+ type: Number
+ - contextPath: BluelivThreatContext.indicator.threatActorIds
+ description: Indicator threat actors' internal IDs.
+ type: Unknown
+ - contextPath: BluelivThreatContext.indicator.tags
+ description: Indicator tags.
+ type: Number
+ - contextPath: BluelivThreatContext.indicator.tagIds
+ description: Indicator tags' internal IDs.
+ type: Unknown
+ - contextPath: BluelivThreatContext.indicator.crimeServers
+ description: Indicator crime servers.
+ type: Number
+ - contextPath: BluelivThreatContext.indicator.crimeServerIds
+ description: Indicator crime servers' internal IDs.
+ type: Unknown
+ - contextPath: BluelivThreatContext.indicator.sparks
+ description: Indicator sparks.
+ type: Number
+ - contextPath: BluelivThreatContext.indicator.sparkIds
+ description: Indicator sparks' internal IDs.
+ type: Unknown
+ - contextPath: BluelivThreatContext.indicator.ips
+ description: Indicator IP addresses.
+ type: Number
+ - contextPath: BluelivThreatContext.indicator.ipIds
+ description: Indicator IP addresses' internal IDs.
+ type: Unknown
+ - arguments:
+ - default: false
+ description: Internal Blueliv Crime Server ID.
+ isArray: false
+ name: CS_id
+ required: false
+ secret: false
+ - default: false
+ description: The name of the Crime Server to get information for.
+ isArray: false
+ name: CS
+ required: false
+ secret: false
+ deprecated: false
+ description: Gets information about a Crime Server.
+ execution: false
+ name: blueliv-tc-indicator-cs
+ outputs:
+ - contextPath: BluelivThreatContext.indicator.lastSeen
+ description: Date the indicator was last seen.
+ type: Date
+ - contextPath: BluelivThreatContext.indicator.status
+ description: Indicator status.
+ type: String
+ - contextPath: BluelivThreatContext.indicator.risk
+ description: Indicator risk.
+ type: Number
+ - contextPath: BluelivThreatContext.indicator.isFalsePositive
+ description: Whether the indicator is a false positive.
+ type: Boolean
+ - contextPath: BluelivThreatContext.indicator.crimeServerUrl
+ description: Indicator Crime Server URL.
+ type: String
+ - contextPath: BluelivThreatContext.indicator.creditCardsCount
+ description: Indicator credit cards count.
+ type: Number
+ - contextPath: BluelivThreatContext.indicator.credentialsCount
+ description: Indicator credentials count.
+ type: Number
+ - contextPath: BluelivThreatContext.indicator.botsCount
+ description: Indicator bots count.
+ type: Number
+ - contextPath: BluelivThreatContext.indicator.fqdnId
+ description: Indicator FQDNs internal IDs.
+ type: Unknown
+ - contextPath: BluelivThreatContext.indicator.malware
+ description: Indicator malware.
+ type: Number
+ - contextPath: BluelivThreatContext.indicator.malwareIds
+ description: Indicator malware internal IDs.
+ type: Unknown
+ - contextPath: BluelivThreatContext.indicator.tags
+ description: Indicator tags.
+ type: Number
+ - contextPath: BluelivThreatContext.indicator.tagIds
+ description: Indicator tags' internal IDs.
+ type: Unknown
+ - contextPath: BluelivThreatContext.indicator.sparks
+ description: Indicator sparks.
+ type: Number
+ - contextPath: BluelivThreatContext.indicator.sparkIds
+ description: Indicator sparks' internal IDs.
+ type: Unknown
+ - contextPath: BluelivThreatContext.indicator.sources
+ description: Indicator sources.
+ type: Number
+ - contextPath: BluelivThreatContext.indicator.sourceIds
+ description: Indicator sources' internal IDs.
+ type: Unknown
+ - arguments:
+ - default: false
+ description: Threat actor to get information for.
+ isArray: false
+ name: threatActor
+ required: false
+ secret: false
+ - default: false
+ description: Internal Blueliv Threat Actor ID.
+ isArray: false
+ name: threatActor_id
+ required: false
+ secret: false
+ deprecated: false
+ description: Gets information about a Threat Actor.
+ execution: false
+ name: blueliv-tc-threat-actor
+ outputs:
+ - contextPath: BluelivThreatContext.threatActor.name
+ description: Threat actor name.
+ type: String
+ - contextPath: BluelivThreatContext.threatActor.description
+ description: Threat actor description.
+ type: String
+ - contextPath: BluelivThreatContext.threatActor.objective
+ description: Threat actor objective.
+ type: String
+ - contextPath: BluelivThreatContext.threatActor.sophistication
+ description: Threat actor sophistication.
+ type: String
+ - contextPath: BluelivThreatContext.threatActor.lastSeen
+ description: Date the threat actor was last seen.
+ type: Date
+ - contextPath: BluelivThreatContext.threatActor.active
+ description: Threat actor active.
+ type: Boolean
+ - contextPath: BluelivThreatContext.threatActor.milestones
+ description: Threat actor milestones.
+ type: Number
+ - contextPath: BluelivThreatContext.threatActor.milestoneIds
+ description: Threat actor milestones' internal IDs.
+ type: Unknown
+ - contextPath: BluelivThreatContext.threatActor.tools
+ description: Threat actor tools.
+ type: Number
+ - contextPath: BluelivThreatContext.threatActor.toolIds
+ description: Threat actor tools' internal IDs.
+ type: Unknown
+ - contextPath: BluelivThreatContext.threatActor.campaigns
+ description: Threat actor campaigns.
+ type: Number
+ - contextPath: BluelivThreatContext.threatActor.campaignIds
+ description: Threat actor campaigns' internal IDs.
+ type: Unknown
+ - contextPath: BluelivThreatContext.threatActor.signatures
+ description: Threat actor signatures.
+ type: Number
+ - contextPath: BluelivThreatContext.threatActor.signatureIds
+ description: Threat actor signatures' internal IDs.
+ type: Unknown
+ - contextPath: BluelivThreatContext.threatActor.onlineServices
+ description: Threat actor online services.
+ type: Number
+ - contextPath: BluelivThreatContext.threatActor.onlineServiceIds
+ description: Threat actor online services' internal IDs.
+ type: Unknown
+ - contextPath: BluelivThreatContext.threatActor.malware
+ description: Threat actor malware.
+ type: Number
+ - contextPath: BluelivThreatContext.threatActor.malwareIds
+ description: Threat actor malware internal IDs.
+ type: Unknown
+ - contextPath: BluelivThreatContext.threatActor.threatTypes
+ description: Threat actor threat types.
+ type: Number
+ - contextPath: BluelivThreatContext.threatActor.threatTypeIds
+ description: Threat actor threat types' internal IDs.
+ type: Unknown
+ - contextPath: BluelivThreatContext.threatActor.fqdns
+ description: Threat actor FQDNs.
+ type: Number
+ - contextPath: BluelivThreatContext.threatActor.fqdnIds
+ description: Threat actor FQDNs' internal IDs.
+ type: Unknown
+ - contextPath: BluelivThreatContext.threatActor.attackPatterns
+ description: Threat actor attack patterns.
+ type: Number
+ - contextPath: BluelivThreatContext.threatActor.attackPatternIds
+ description: Threat actor attack patterns' internal IDs.
+ type: Unknown
+ - contextPath: BluelivThreatContext.threatActor.ips
+ description: Threat actor IP addresses.
+ type: Number
+ - contextPath: BluelivThreatContext.threatActor.ipIds
+ description: Threat actor IP addresses' internal IDs.
+ type: Unknown
+ - contextPath: BluelivThreatContext.threatActor.targets
+ description: Threat actor targets.
+ type: Number
+ - contextPath: BluelivThreatContext.threatActor.targetIds
+ description: Threat actor targets' internal IDs.
+ type: Unknown
+ - arguments:
+ - default: false
+ description: Name of the campaign to get information for.
+ isArray: false
+ name: campaign
+ required: false
+ secret: false
+ - default: false
+ description: Blueliv internal campaign ID.
+ isArray: false
+ name: campaign_id
+ required: false
+ secret: false
+ deprecated: false
+ description: Gets information about a campaign.
+ execution: false
+ name: blueliv-tc-campaign
+ outputs:
+ - contextPath: BluelivThreatContext.campaign.name
+ description: Campaign name.
+ type: String
+ - contextPath: BluelivThreatContext.campaign.description
+ description: Campaign description.
+ type: String
+ - contextPath: BluelivThreatContext.campaign.lastSeen
+ description: Date the campaign was last seen.
+ type: Date
+ - contextPath: BluelivThreatContext.campaign.botnets
+ description: Campaign botnets.
+ type: Number
+ - contextPath: BluelivThreatContext.campaign.botnetIds
+ description: Campaign botnets' internal IDs.
+ type: Unknown
+ - contextPath: BluelivThreatContext.campaign.signatures
+ description: Campaign signatures.
+ type: Number
+ - contextPath: BluelivThreatContext.campaign.signatureIds
+ description: Campaign signatures' internal IDs.
+ type: Unknown
+ - contextPath: BluelivThreatContext.campaign.ips
+ description: Campaign IP addresses.
+ type: Number
+ - contextPath: BluelivThreatContext.campaign.ipIds
+ description: Campaign IP addresses' internal IDs.
+ type: Unknown
+ - contextPath: BluelivThreatContext.campaign.malware
+ description: Campaign malware.
+ type: Number
+ - contextPath: BluelivThreatContext.campaign.malwareIds
+ description: Campaign malware internal IDs.
+ type: Unknown
+ - contextPath: BluelivThreatContext.campaign.attackPatterns
+ description: Campaign attack patterns.
+ type: Number
+ - contextPath: BluelivThreatContext.campaign.attackPatternIds
+ description: Campaign attack patterns' internal IDs.
+ type: Unknown
+ - contextPath: BluelivThreatContext.campaign.tools
+ description: Campaign tools.
+ type: Number
+ - contextPath: BluelivThreatContext.campaign.toolIds
+ description: Campaign tools' internal IDs.
+ type: Unknown
+ - contextPath: BluelivThreatContext.campaign.fqdns
+ description: Campaign FQDNs.
+ type: Number
+ - contextPath: BluelivThreatContext.campaign.fqdnIds
+ description: Campaign FQDNs' internal IDs.
+ type: Unknown
+ - contextPath: BluelivThreatContext.campaign.threatActorId
+ description: Campaign threat actors' internal IDs.
+ type: Number
+ - arguments:
+ - default: false
+ description: The name of the Attack Pattern name to get information for.
+ isArray: false
+ name: attackPattern
+ required: false
+ secret: false
+ - default: false
+ description: Interanl Blueliv ID for the Attack Pattern.
+ isArray: false
+ name: attackPattern_id
+ required: false
+ secret: false
+ deprecated: false
+ description: Gets information about an Attack Pattern.
+ execution: false
+ name: blueliv-tc-attack-pattern
+ outputs:
+ - contextPath: BluelivThreatContext.attackPattern.name
+ description: Attack pattern name.
+ type: String
+ - contextPath: BluelivThreatContext.attackPattern.description
+ description: Attack pattern description.
+ type: String
+ - contextPath: BluelivThreatContext.attackPattern.updatedAt
+ description: Date the attack pattern was last updated.
+ type: Date
+ - contextPath: BluelivThreatContext.attackPattern.severity
+ description: Attack pattern severity.
+ type: String
+ - contextPath: BluelivThreatContext.attackPattern.signatures
+ description: Attack pattern signatures.
+ type: Number
+ - contextPath: BluelivThreatContext.attackPattern.signatureIds
+ description: Attack pattern signatures' internal IDs.
+ type: Unknown
+ - contextPath: BluelivThreatContext.attackPattern.campaigns
+ description: Attack pattern campaigns.
+ type: Number
+ - contextPath: BluelivThreatContext.attackPattern.campaignIds
+ description: Attack pattern campaigns'. internal IDs.
+ type: Unknown
+ - contextPath: BluelivThreatContext.attackPattern.threatActors
+ description: Attack pattern threat actors.
+ type: Number
+ - contextPath: BluelivThreatContext.attackPattern.threatActorIds
+ description: Attack pattern threat actors'. internal IDs.
+ type: Unknown
+ - contextPath: BluelivThreatContext.attackPattern.cves
+ description: Attack pattern CVEs.
+ type: Number
+ - contextPath: BluelivThreatContext.attackPattern.cveIds
+ description: Attack pattern CVEs' internal IDs.
+ type: Unknown
+ - arguments:
+ - default: false
+ description: The name of the tool to get information for.
+ isArray: false
+ name: tool
+ required: false
+ secret: false
+ - default: false
+ description: Internal Blueliv ID of the tool.
+ isArray: false
+ name: tool_id
+ required: false
+ secret: false
+ deprecated: false
+ description: Gets information about a Tool.
+ execution: false
+ name: blueliv-tc-tool
+ outputs:
+ - contextPath: BluelivThreatContext.tool.name
+ description: Tool name.
+ type: String
+ - contextPath: BluelivThreatContext.tool.description
+ description: Tool description.
+ type: String
+ - contextPath: BluelivThreatContext.tool.lastSeen
+ description: Date the tool was last seen.
+ type: Date
+ - contextPath: BluelivThreatContext.tool.campaigns
+ description: Tool campaigns.
+ type: Number
+ - contextPath: BluelivThreatContext.tool.campaignIds
+ description: Tool campaigns' internal IDs.
+ type: Unknown
+ - contextPath: BluelivThreatContext.tool.signatures
+ description: Tool signatures.
+ type: Number
+ - contextPath: BluelivThreatContext.tool.signatureIds
+ description: Tool signatures' internal IDs.
+ type: Unknown
+ - contextPath: BluelivThreatContext.tool.threatActors
+ description: Tool threat actors.
+ type: Number
+ - contextPath: BluelivThreatContext.tool.threatActorIds
+ description: Tool threat actors' internal IDs.
+ type: Unknown
+ - arguments:
+ - default: false
+ description: Name of the signature to get information for.
+ isArray: false
+ name: signature
+ required: false
+ secret: false
+ - default: false
+ description: Internal Blueliv ID for the signature.
+ isArray: false
+ name: signature_id
+ required: false
+ secret: false
+ deprecated: false
+ description: Gets information about a Signature.
+ execution: false
+ name: blueliv-tc-signature
+ outputs:
+ - contextPath: BluelivThreatContext.signature.name
+ description: Signature name.
+ type: String
+ - contextPath: BluelivThreatContext.signature.updatedAt
+ description: Date the signature was last updated.
+ type: Date
+ - contextPath: BluelivThreatContext.signature.ipIds
+ description: Signature IP addresses' internal IDs.
+ type: Unknown
+ - contextPath: BluelivThreatContext.signature.malware
+ description: Signature malware.
+ type: Number
+ - contextPath: BluelivThreatContext.signature.malwareIds
+ description: Signature malware internal IDs.
+ type: Unknown
+ - contextPath: BluelivThreatContext.signature.type
+ description: Signature type.
+ type: String
+ dockerimage: demisto/python3:3.8.3.9324
+ feed: false
+ isfetch: false
+ longRunning: false
+ longRunningPort: false
+ runonce: false
+ script: '-'
+ subtype: python3
+ type: python
+fromversion: 5.0.0
diff --git a/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/BluelivThreatContext_description.md b/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/BluelivThreatContext_description.md
new file mode 100644
index 000000000000..402213af8396
--- /dev/null
+++ b/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/BluelivThreatContext_description.md
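Review bot: Several documented context paths in this YAML do not match what the script actually writes, so playbooks keyed on them will read empty values; `BluelivThreatContext.cve.crimeServerIds` is declared under blueliv-tc-cve, but the Python in the preceding hunk stores that value under the key `'crimeServerIds,'` (a comma inside the string), which should be `'crimeServerIds': crimeServerIds,`. `BluelivThreatContext.signature.ipIds` is declared but blueliv_signature only emits id, name, type, updatedAt, malware and malwareIds, and `BluelivThreatContext.malware.sigantureIds` (description "sigantures'") looks like a typo for signatureIds — the malware command's key spelling is outside this view, so confirm against it before correcting the YAML. Separately, blueliv-authenticate exports the API token into `BluelivThreatContext.token`, where it persists in incident context readable by anyone with access to the incident; if the token is only needed internally by the Client, consider dropping that output rather than documenting it as a first-class result.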
@@ -0,0 +1,45 @@
+## Overview
+---
+Use Blueliv ThreatContext integration to get threats information
+
+## To set up Blueliv ThreatContext to work with Cortex XSOAR:
+---
+
+You need the following information:
+
+1. platform credentials
+2. your tenant URL
+3. Specify proxy server (if required)
+
+## To set up the integration on Cortex XSOAR:
+---
+
+1. Navigate to __Settings__ > __Integrations__ > __Servers & Services__.
+2. Search for Blueliv ThreatContext integration.
+3. Click __Add instance__ to create and configure a new integration instance.
+ * __Name__: a textual name for the integration instance.
+ * __Server URL (e.g., https://mytenant.blueliv.com)__
+ * __Username__
+ * __Password__
+ * __Trust any certificate (not secure)__
+ * __Use system proxy settings__
+
+4. Click __Test__ to validate the URLs, token, and connection.
+
+## Fetched Incidents Data
+---
+
+## Use Cases
+---
+1. Get attack patterns information
+2. Get malware campaigns information
+3. Get information about specific CVE
+4. Get information about crimeservers (C&C)
+5. Get information about differnt indicators of compromise like IPs, FQDN,hashes...
+6. Get information about malware signatures
+7. Get information about threat actors
+8. Get information about hacking tools
+
+## Known Limitations
+---
+Currently is not possible to create a user with a passwod that doesn't expire, so you need to remember to change the password and update the integration credentials used to generate the token.
\ No newline at end of file
diff --git a/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/BluelivThreatContext_image.png b/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/BluelivThreatContext_image.png new file mode 100644 index 0000000000000000000000000000000000000000..ca790faca385a2203c0e09aebbb1f346913ded0a GIT binary patch literal 4907 zcmV+`6V&X9P)`Pkw7w2zeRZz%2d|Gl$! zJ`=HWg#k=bAn|{e_{qs&kR<$5?xCF!Ij|r1R5Ji$&KX?a|1IR(x8d2cB`UXR%kOt( z@PF2Z9RSY1b`1@hwN}a59g5a6G(*)&6)-wF8e?N$gTded(B{aP8AE=4J{q)WV+R;A zdUolARY}X}w*TRam`p}`MkabjL}~zLh#eV)=~LoBBy{84Pq;ZN9)_Yq?&ua-g6FVd zsNAgwWZ5;V{TZ9SuK>%8aoXzFCk*ow;$hGe6A1LKT)A>5z@eS6YWYJ7Fc@N^qcCGi z94wLn2$UhzPRKsta?{5Ip0IkONM z(a%P|k0ih&qA+7>9E{9@>mSC${KH8|JQq<v81xb< z`Bc^zg+2LVij3R0Z^L9V@r@~xBC<*7P^Wfn?A!G@JoF-g5&*Z;P&Cl?|F3(r1X>yZc8!X&Vgn@#>` z!Wei~3*pN+c*+O@)*N3L%{Km|c>gSG!Ef zEugZ7f`{2;!i5VLke8RopW)}{hZ;3%z~JGbiWBr~ZQ15Ji>AfJs1z+S5L$}Dbp%Q@ z`DaWB9zq*nU_20$<1k)F(~9IWf-{|=0>z>1G%*Pj^xUmHO3$JhcuWm$+z4Nm0kFWA zVbSsx_<-s}j*7%T+puyOLOOMF17HQItJ1Lbi=9xItm-8U@w29(e!Y5k0IV>E$?s0Z z>6{!$ik{!E*Xgh^Ed?GP9uB1p0Z!@PZ|5&yMe0gy-?ayqE?$B{U{C=h$sFX+&M)G% zkt0y=x!O*2T1uHjS+tsD(SHAR`ZVI+dmoG$1iBLN_lVvYGH@VDjKvrlJsL&DMpz)h zz|8RUu7H(EiKtYuqD$xDrRBA2cr_*lMx))jYd%#COXep)){}vhPy6=_FfF90s0cm! z4#4+0=Rl;3+M4y3?kTu@_#)Q$BJmGcDF{8%5fo){Ksu$Cq(vlaUTWA;804oYMY}tzO zZ@mMVj9$IQjgH2OP0$h4Wo5!UBf#xw%-fBoW85z9S-1 z!I9CqeQT`$GzmJLu;{X~XhLw>tdEhHvdR{#2%Mdp*SQ3kF$G}*B9U?8gbgqc0{B#h z4PZ`h7Bgmi{0Ww&q}cAW+KN>*rK-lkei%dKpn;e-YZ`Pq0$C`_cL*I$9(*)C9lZt( zaq#|0fB_QsW1vrX7?%Dcf&bY#3|SO2hD68Un|=GaL~4-? zkYT~0-8)dHcAa~rXvaEOA|rOe2He;9=l0l1f2-)_jjjJ&hb9f{LXt#0D;r>7+N{|~ zOj&6=pz;7FRVg#e4lsG}&l-R!$xB)FDW=YxO|r1PR9Pj>9*KS`=Y}? 
z_|*>l<;eiIJh(i7DFK@{dk&J8r#cv1O5y_a?B3%J4_>`)J>HlygNHkjv@y(?J_S+3 zhu)R8eUD0(Q~yu3fVM4yv2^hQJQ?6;Ynk0&fGr4%7=nz<6EZD zIKx?s)>1Si9LY#W??FQx5+5x^lQDh&<4*|b)elhYVo~qzU6HhSzFHBG%~6613>XrH z!$*(vKU3VU;B7$0{;yFjkPOcK%RLV!j&qr?Y4bQudyz?K+Mq7BY+MVUN|o+EMZ=7q z1BN0i^CTBntR8%p0QU4kVPPSfwrbD+&+(FUXw#w@K3lUIUItOB5G&odaTA-jZAa>w zHOR^N*?wvqUfO(5iv7l?;2xMpfV0)Ku#fr!}ybr#W zefg>g;ER{?(7atIo*)VXl@Qi71Sv}v@#OVxu5tkm2nfKSzF|B@I4jh&nEWgGICktf ze!Y0n_FmGYb&462CXU6V3FH4%fW5uEap=$?3>fl?!#SiZPehMU5?vU6`OkTzt>1`E zoBoL_1=qQ^QsQI1NS2_OS3RH#j_m&m-rg0FnVIF-O>*|&asU>VW=8U=G)$fOvBsDr zBrS|budp!aWC3vM%1<$6=4{(N7D++cvP5(Z?R?j*)iNlW>rrUdn3Sx|E{(=Iu2)=K zjJW9^VC}|Dyx~B$eKgu1i;3x|k1%r`)Z^W>{m_2>!9~uF=ZvazSGCU?0dv<^0kR`58T7<4$LUH-(p9k=wrOEg({u2%B zIH)9cfSH79{#AHeb8uuN{#x@XAuVc*fY(&z)xmB8Y<=;LUAqt!GlAE#6bdMlT9Pmu z{riPu`SKJ@pA!$OdQC?0)#sb>e3SY-mvBeD($a02TC}@TB|T74%y=bs9Cm%V&o;Y6 zpC>PxhwvU@<#@1ynX~6&adL{o#t%m-hVK%zWbL=yS7ubC$@dD z1Ea=IWla$ctUn}kl9F^hE0c>W zR;`-|-6mDuCBTKZZ=+R*5M0c^rlxy9NT&{1ot%j9z5|h&{e!w^CKA2fyKM7aMkb^Z zx&*f$ly7%oK*WX*01RZJn)6 zOd9&;b*s^Lz~5o!jUEBe`)|FDaj`Krz$me1R2cIc?1>@O*`$AP!<1A#+<7kA8DJ(W zXx^yoW&_zrNl6K&e>4{>($)ywR4rXdaXEGT0IK=)M4q7I z_tH<=hR-l}-h41V07zcT@NBJTuz6D&^h|$WJ(wst>r^&+^o_8|yR?UT&(+15GdZf! 
zD$pAYIJR#$YSyS}4=aj-pKlf7)vX6%guPK=(Ob~tDPK%|AqaYn(p9F=K{OQT=Z`); zyYm;^Q6@=ZTJreubez9%30wvg$HNnd;Gm}XV#`L3_vQR6XjsNX$HlzM2!0_1Mq{yt zUKDic^dcsVACG5h{S8;I7GT4M4M383 zU}_w~!+VL0lmUfBMMzt}9v{Zfhsk8-2QK z+>2fHe4PO{navnEW*olUy_bs?wu>=T^AEstwQKW+?dh{QxKeP{;hAKRf2&yoU+>%s zUmx<4`wg%tnf|eC1wNXapaEF3OfV!S%tgPx;ST*^GQFIFTWGrS8<;h{Wa`4bQYR40 z!&*7?nB4+cZD;ehYxQTXh;P+|MYv;#9M~W8W`D@zTzLTVem*nfr<`+msZW1UT`ew+ z(P$F~7vH*Y2AJYg{?!}k7dZq!p0TS`qzX|8<6%t9r;B}Qo>{@m8yi=zK=bB75W>;@ z1=u?8cK$*hf;$Ms%GqeE_*O*bp#$*sp#;!AfM5eSbuUa>fT3VSooZzRe6`>j>IJpp zVg=0{Xk5wFA4LO%dxts&LCppU7&-K1y!Y-Dco?ibRpG()G!#ul*n{Sxlb5Q7BWQ8c z_AfAD(qt5y6h66N6;rH|Btb!n&tGdkjbH!sn|QY*Vz9Pd$R|B0G!ztI^q7e_bo4kB znZTv5n5a`DR&Xhyq}aHC#8bKCIKDv> z9%l;*(KPidn6*?4hT(MrkQCO&p~>Um!31zaQjVC8Pjk3?(KJP%zdzcyZH?hW2P3Fy zQ-_Iu>)?As&EUJtBy#7y|{x)E(w?1fRbV41Kl=mi8im?H=y{FwHCdntPsS z!jAM?Hq@lV_*SU`FY;LH0Gj4ktdkYLozHc6Pz7&qkk+kp7%3H5t+6Fjsy@LzhW|V1@fzCnsq72C zDpeq>Lj$f(v81F3zx{rZPl8y(1Q|??8r7kbb;27ptYD%DXfos9#YOPcQn#eQSJK0u zhU_&B2?u~hNo?)@-c8qn#$`nYEf(pr_2ig_tAlxhfgJA_?N9q!#1qMLM2<_tfMkK% zDG2f9wo=}!c4@4!R@)yI>Hs~i?Dg~KtI=AGDS}YdK|k?+O;A_A3c%~^GS9@K8OF1k zfLNic{czz$5oW0M3o9G((SXuC*j-9~eBZ-!0*}7{{_tS+hgSL+;6HS156>?>2KeE@ d>JP2-{{h{egC*^SHdX)t002ovPDHLkV1h=YW>EkD literal 0 HcmV?d00001 diff --git a/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/BluelivThreatContext_test.py b/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/BluelivThreatContext_test.py new file mode 100644 index 000000000000..7b3c707f2e96 --- /dev/null +++ b/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/BluelivThreatContext_test.py 
@@ -0,0 +1,1348 @@ +import demistomock as demisto +from BluelivThreatContext import Client, blueliv_threatActor, blueliv_campaign, blueliv_malware, blueliv_indicatorIp, \ + blueliv_indicatorFqdn, blueliv_indicatorCs, blueliv_attackPattern, blueliv_tool, \ + blueliv_signature, blueliv_cve + + +def test_blueliv_threatActor(mocker, requests_mock): + blueliv_response = { + "data": { + "attributes": { + "active": True, + "aliases": [ + "Vendetta" + ], + "country_name": "Italy", + "created_at": "2020-06-10T11:23:22.584500Z", + "description": "Vendetta is a threat actor based on Italy or Turkey discovered in April 2020", + "first_seen": "2020-04-01T00:00:00Z", + "ioc_link": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/ioc/", + "last_seen": "2020-06-15T00:00:00Z", + "modus_operandi": "Vendetta uses well designed phishing campaigns to target businessuals. ", + "name": "Vendetta", + "objective": "This threat actor appears to be focused on stealing informatio using.", + "references": [ + { + "link": "https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/", + "title": "Vendetta-new threat actor from Europe" + }, + { + "link": "https://business.blogthinkbig.com/vendetta-group-covid-19-phishing-emails/", + "title": "Vendetta Group and the COVID-19 Phishing Emails" + } + ], + "sophistication": "intermediate", + "tlp": "white", + "types": [ + "hacker" + ], + "updated_at": "2020-06-16T08:57:08.536868Z", + "uuid": None + }, + "id": "232", + "links": { + "self": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/" + }, + "relationships": { + "attack_patterns": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/attack-pattern/", + "self": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/relationships/attack-pattern/" + }, + "meta": {"count": 0} + }, + "campaigns": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/campaign/", + "self": 
"https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/relationships/campaign/" + }, + "meta": {"count": 0} + }, + "country": { + "data": { + "id": "108", + "type": "Country" + }, + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/country/108/" + } + }, + "cves": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/cve/", + "self": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/relationships/cve/" + }, + "meta": {"count": 0} + }, + "fqdns": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/fqdn/", + "self": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/relationships/fqdn/" + }, + "meta": {"count": 0} + }, + "ips": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/ip/", + "self": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/relationships/ip/" + }, + "meta": {"count": 0} + }, + "malware": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/malware/", + "self": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/relationships/malware/" + }, + "meta": {"count": 0} + }, + "milestones": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/milestone/", + "self": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/relationships/milestone/" + }, + "meta": {"count": 0} + }, + "online_services": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/online-service/", + "self": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/relationships/online-service/" + }, + "meta": {"count": 0} + }, + "signatures": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/signature/", + "self": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/relationships/signature/" + }, + "meta": {"count": 0} + }, + "targets": { + "links": { + "related": 
"https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/target/", + "self": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/relationships/target/" + }, + "meta": {"count": 0} + }, + "threat_types": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/threat-type/", + "self": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/relationships/threat-type/" + }, + "meta": {"count": 0} + }, + "tools": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/tool/", + "self": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/relationships/tool/" + }, + "meta": {"count": 0} + } + }, + "type": "ThreatActor" + } + } + mocker.patch.object(demisto, 'results') + requests_mock.register_uri('POST', 'https://tctrustoylo.blueliv.com/api/v2/gateway', json=blueliv_response) + + client = Client(base_url='https://tctrustoylo.blueliv.com/api/v2', verify=False) + args = {"threatActor_id": 232} + blueliv_threatActor(client, args) + + results = demisto.results.call_args[0][0] + + entry_context = results.get('EntryContext', {}) + ind = entry_context.get('BluelivThreatContext.threatActor(val.name && val.id == obj.id)', {}) + assert demisto.get(ind, "sophistication") == "intermediate" + assert str(demisto.get(ind, "lastSeen")) == "2020-06-15T00:00:00Z" + + +def test_blueliv_campaign(mocker, requests_mock): + blueliv_response = { + "data": { + "attributes": { + "created_at": "2020-05-28T21:24:11.307288Z", + "description": "\u003cp\u003eA distribution campaign for the GRANDOREIRO banking Trojan.", + "first_seen": "2020-04-16T00:00:00Z", + "ioc_link": "https://tctrustoylo.blueliv.com/api/v1/campaign/152/ioc/", + "last_seen": "2020-05-28T00:00:00Z", + "name": "2020 Grandoreiro campaign against banks in LATAM, Portugal and Spain", + "tlp": "white", + "updated_at": "2020-05-28T23:58:36.883515Z", + "uuid": None + }, + "id": "152", + "links": { + "self": "https://tctrustoylo.blueliv.com/api/v1/campaign/152/" + }, + 
"relationships": { + "attack_patterns": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/campaign/152/attack-pattern/", + "self": "https://tctrustoylo.blueliv.com/api/v1/campaign/152/relationships/attack-pattern/" + }, + "meta": {"count": 0} + }, + "botnets": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/campaign/152/botnet/", + "self": "https://tctrustoylo.blueliv.com/api/v1/campaign/152/relationships/botnet/" + }, + "meta": {"count": 0} + }, + "cves": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/campaign/152/cve/", + "self": "https://tctrustoylo.blueliv.com/api/v1/campaign/152/relationships/cve/" + }, + "meta": {"count": 0} + }, + "fqdns": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/campaign/152/fqdn/", + "self": "https://tctrustoylo.blueliv.com/api/v1/campaign/152/relationships/fqdn/" + }, + "meta": {"count": 0} + }, + "ips": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/campaign/152/ip/", + "self": "https://tctrustoylo.blueliv.com/api/v1/campaign/152/relationships/ip/" + }, + "meta": {"count": 0} + }, + "malware": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/campaign/152/malware/", + "self": "https://tctrustoylo.blueliv.com/api/v1/campaign/152/relationships/malware/" + }, + "meta": {"count": 0} + }, + "signatures": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/campaign/152/signature/", + "self": "https://tctrustoylo.blueliv.com/api/v1/campaign/152/relationships/signature/" + }, + "meta": {"count": 0} + }, + "threat_actor": { + "data": { + "id": "226", + "type": "ThreatActor" + }, + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/threat-actor/226/" + } + }, + "tools": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/campaign/152/tool/", + "self": "https://tctrustoylo.blueliv.com/api/v1/campaign/152/relationships/tool/" + }, + "meta": {"count": 0} + } + }, + "type": "Campaign" 
+ } + } + + mocker.patch.object(demisto, 'results') + requests_mock.register_uri('POST', 'https://tctrustoylo.blueliv.com/api/v2/gateway', json=blueliv_response) + + client = Client(base_url='https://tctrustoylo.blueliv.com/api/v2', verify=False) + args = {"campaign_id": 152} + blueliv_campaign(client, args) + + results = demisto.results.call_args[0][0] + + entry_context = results.get('EntryContext', {}) + ind = entry_context.get('BluelivThreatContext.campaign(val.id && val.id == obj.id)', {}) + assert demisto.get(ind, "name") == "2020 Grandoreiro campaign against banks in LATAM, Portugal and Spain" + assert demisto.get(ind, "threatActorId") == "226" + + +def test_blueliv_malware(mocker, requests_mock): + blueliv_response = { + "data": { + "attributes": { + "analysis_date": "2020-06-15T16:30:22.770000Z", + "analysis_delivered_date": "2020-06-15T16:22:00.220000Z", + "analysis_signatures": [ + "Signature severity - Informative", + "Signature severity - Malicious" + ], + "analysis_status": "FINISHED_SUCCESSFULLY", + "at_afapi": True, + "behaviors": [], + "buffers": False, + "cerberus": 0.9645, + "created_at": "2020-06-15T16:27:20.074884Z", + "created_at_afapi": "2020-06-15T16:21:38.209000Z", + "dropped": False, + "file_type": "PE", + "first_seen": "2020-06-15T16:21:38.209000Z", + "has_c_and_c": False, + "has_network": True, + "has_other_urls": False, + "hash": "ad53660b6d7e8d2ed14bd59b39e1f265148e3c6818a494cce906e749976bade1", + "ioa": { + "attack_patterns": [ + { + "id": "T1022", + "name": "Data Encrypted" + }, + { + "id": "T1093", + "name": "Process Hollowing" + } + ], + "certificates": [], + "connections": { + "tcp": [], + "tcp_dead": [ + "25.20.116.113:957", + "103.143.173.25:80" + ], + "udp": [] + }, + "domain": [], + "email": [], + "host": [ + "25.20.116.113", + "103.143.173.25" + ], + "ip": [ + "25.20.116.113", + "103.143.173.25", + "192.168.56.102" + ], + "metadata": { + "crc32": { + "original": "B7CACEE9", + "unpacked": {} + }, + "file_type": { + "original": 
"PE32 executable (GUI) Intel 80386, for MS Windows", + "unpacked": {} + }, + "names": { + "author": [], + "common_name": [], + "company_name": None, + "country": [], + "creator": [], + "internal_name": None, + "legal_copyright": None, + "legal_trademarks": None, + "locality": [], + "organization": [], + "organizational_unit": [], + "original_filename": None, + "private_build": None, + "producer": [], + "product_name": None, + "special_build": None, + "subject": [], + "title": [] + }, + "pe_imphash": "e5b4359a3773764a372173074ae9b6bd", + "pe_timestamp": "2012-06-07 17:59:53", + "peid_signatures": [], + "postal_code": None, + "signing_date": "", + "ssdeep": { + "original": "12288:f9HFJ9rJxRX1uVVjoaWSoynxdO1FxuVVjfFoynPaVBUR8f+kN10EBO", + "unpacked": {} + } + }, + "mutex": [ + "DCPERSFWBP", + "DC_MUTEX-K5CAEA3", + "Local\\MSCTF.Asm.MutexDefault1" + ], + "path": { + "filepaths": { + "directory_created": [ + "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Windows\\Caches" + ], + "directory_enumerated": [], + "directory_queried": [ + "C:\\Users\\Administrator", + "C:\\Users" + ], + "directory_removed": [], + "dll_loaded": [ + "kernel32", + "OLEACC.dll" + ], + "file_copied": [ + "C:\\Users\\Administrator\\Documents\\MSDCSC\\msdcsc.exe" + ], + "file_created": [ + "C:\\Windows\\System32\\oleaccrc.dll", + "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" + ], + "file_deleted": [], + "file_exists": [ + "C:\\Windows\\System32\\oleaccrc.dll", + "C:\\Users\\Administrator\\Documents\\MSDCSC" + ], + "file_moved": [], + "file_opened": [ + "C:\\Windows\\System32\\oleaccrc.dll", + "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" + ], + "file_read": [ + "C:\\Users\\desktop.ini", + "C:\\Users\\Administrator\\Documents\\desktop.ini" + ], + "file_written": [] + }, + "pdb_path": [] + }, + "ports": { + "tcp": [], + "tcp_dead": [ + 80, + 957 + ], + "udp": [] + }, + "process_name": [ + "msdcsc.exe", + 
"sXPFvH.exe", + "notepad.exe" + ], + "registry": [], + "regkeys": { + "regkey_created": [ + "HKEY_CURRENT_USER\\Software" + ], + "regkey_deleted": [], + "regkey_enumerated": [ + "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP" + ], + "regkey_opened": [ + "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\", + "HKEY_CURRENT_USER\\Software\\DC2_USERS" + ], + "regkey_read": [ + "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledProcesses\\21082CA9", + "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Language Hotkey" + ], + "regkey_written": [ + "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\MicroUpdate", + "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\UserInit" + ] + }, + "url": [ + "http://uk.ask.com/favicon.ico", + "http://www.priceminister.com/" + ], + "yara": { + "generic": [], + "memory": [ + "darkcomet_memory_1", + "darkcomet_memory_3" + ], + "misc": { + "crypto": [ + "RIPEMD160_Constants", + "SHA1_Constants" + ], + "misc": [ + "dbgdetect_funcs_ig" + ], + "packer": [ + "MinGW_1", + "borland_delphi" + ] + }, + "pre_analysis": [], + "url": [] + } + }, + "ioc_link": "https://tctrustoylo.blueliv.com/api/v1/malware/ioc/", + "last_risk_scoring": "2020-06-15T16:48:42.527191Z", + "last_seen": "2020-06-23T23:52:30.123694Z", + "malfind": False, + "malicious_category": 2, + "md5": "36a40cc55e2ffe7d44d007c6e37afd7f", + "memory": False, + "metadata": {}, + "number_properties": 0, + "pcap": "https://tctrustoylo.blueliv.com/api/v1/malware//pcap/", + "priority_at_afapi": 3, + "proc_memory": False, + "properties": [], + "report": "https://tctrustoylo.blueliv.com/api/v1/malware/report/", + "risk": 7, + "sample": "https://tctrustoylo.blueliv.com/api/v1/malware/sample/", + "scans_link": "https://tctrustoylo.blueliv.com/api/v1/malware/ad536nrichment/scans/", + "seen_at_analyzer": False, + "sha1": "5c0be68316ce77584a7b966ff40e7d61a8a98055", + "sha256": 
"ad53660b6d7e8d2ed14bd59b39e1f265148e3c6818a494cce906e749976bade1", + "sha512": "e7ebf12d5dc0900faafa73d090b62c1ce583858606217d935981bf3d51dbd6e63eefd67b10391b7a3073cc6", + "slugs_tags": [], + "sources_representation": [ + "virustotalAPI" + ], + "subtype": "DARKCOMET", + "target": False, + "tlp": "white", + "types_names": [ + "DARKCOMET" + ], + "updated_at": "2020-06-23T23:52:30.137745Z", + "updated_at_afapi": "2020-06-15T16:30:33.293000Z", + "uuid": None, + "version": "none", + "vt_matches": [ + "darkkomet", + "fynloski", + "genmalicious" + ] + }, + "id": "59770710", + "links": { + "self": "https://tctrustoylo.blueliv.com/api/v1/malware/6e749976bade1/" + }, + "relationships": { + "campaigns": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/malware/a49976bade1/campaign/", + "self": "https://tctrustoylo.blueliv.com/api/v1/malware/ad51/relationships/campaign/" + }, + "meta": {"count": 0} + }, + "crime_servers": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/malware/ad53660-server/", + "self": "https://tctrustoylo.blueliv.com/api/v1/malware/ad53660b6d7e8dhips/crime-server/" + }, + "meta": {"count": 0} + }, + "fqdns": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/malware/ad53660b6d7eqdn/", + "self": "https://tctrustoylo.blueliv.com/api/v1/malware/ad53660b6d7e8d2ed14bd59b39e1n/" + }, + "meta": {"count": 0} + }, + "ips": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/malware/ad53660b6d7e8d2ed14bd59/", + "self": "https://tctrustoylo.blueliv.com/api/v1/malware/ad53660b6d7e8d2ed14bd59b39e/" + }, + "meta": {"count": 0} + }, + "signatures": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/malware/ad53660b6d7e8d2ed1re/", + "self": "https://tctrustoylo.blueliv.com/api/v1/malware/ad53660b6d7e8d2ed14bonships/signature/" + }, + "meta": {"count": 0} + }, + "solr_type": { + "data": { + "id": "62", + "type": "ThreatType" + }, + "links": { + "related": 
"https://tctrustoylo.blueliv.com/api/v1/threat-type/DARKCOMET/" + } + }, + "sources": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/malware/ad53660b6d7e8d2rce/", + "self": "https://tctrustoylo.blueliv.com/api/v1/malware/ad53660b6d7e8d2ed14bd59b39e1f2ce/" + }, + "meta": {"count": 0} + }, + "sparks": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/malware/ad53660b6d7e8d2ed14bd51/spark/", + "self": "https://tctrustoylo.blueliv.com/api/v1/malware/ad53614bde1/relationships/spark/" + }, + "meta": {"count": 0} + }, + "tags": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/malware/ad5376bade1/tag/", + "self": "https://tctrustoylo.blueliv.com/api/v1/malware/ad53660b6976bade1/relationships/tag/" + }, + "meta": {"count": 0} + }, + "threat_actors": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/malware/ad53660bade1/threat-actor/", + "self": "https://tctrustoylo.blueliv.com/api/v1/malware/ad53660b6eat-actor/" + }, + "meta": {"count": 0} + }, + "types": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/malware/ad53660b6976bade1/type/", + "self": "https://tctrustoylo.blueliv.com/api/v1/malware/ad53660b6d7e8d2edtionships/threat-type/" + }, + "meta": {"count": 0} + } + }, + "type": "Malware" + } + } + + mocker.patch.object(demisto, 'results') + requests_mock.register_uri('POST', 'https://tctrustoylo.blueliv.com/api/v2/gateway', json=blueliv_response) + + client = Client(base_url='https://tctrustoylo.blueliv.com/api/v2', verify=False) + args = {"hash_id": 59770710} + blueliv_malware(client, args) + + results = demisto.results.call_args[0][0] + + entry_context = results.get('EntryContext', {}) + ind = entry_context.get('BluelivThreatContext.malware(val.id && val.id == obj.id)', {}) + assert ind.get("hash.sha1") == "5c0be68316ce77584a7b966ff40e7d61a8a98055" + assert demisto.get(ind, "fileType") == "PE" + + +def test_blueliv_indicatorIp(mocker, requests_mock): + blueliv_response = { + 
"data": { + "attributes": { + "address": "103.76.228.28", + "asn_number": "394695", + "asn_owner": "PDR", + "at_afapi": False, + "created_at": "2019-05-03T09:57:46.834135Z", + "created_at_afapi": None, + "first_seen": "2019-04-11T04:12:09.830000Z", + "history_link": "https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/history/", + "ioc_link": "https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/ioc/", + "last_risk_scoring": "2020-06-15T15:17:47.624936Z", + "last_seen": "2020-06-18T23:36:37Z", + "latitude": 20, + "longitude": 77, + "passive_dns_link": "https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/enrichment/passive-dns/", + "risk": 4, + "slugs_tags": [], + "tlp": "amber", + "updated_at": "2020-06-18T21:47:29.968912Z", + "updated_at_afapi": None, + "virus_total_link": "https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/enrichment/virus-total/", + "whois_link": "https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/enrichment/whois/" + }, + "id": "70236228", + "links": {"self": "https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/"}, + "relationships": { + "bots": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/bot/", + "self": "https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/relationships/bot/" + }, + "meta": {"count": 0} + }, + "campaigns": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/campaign/", + "self": "https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/relationships/campaign/" + }, + "meta": {"count": 0} + }, + "country": { + "data": {"id": "103", "type": "Country"}, + "links": {"related": "https://tctrustoylo.blueliv.com/api/v1/country/103/"} + }, + "fqdns": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/fqdn/", + "self": "https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/relationships/fqdn/" + }, + "meta": {"count": 0} + }, + "signatures": { + "links": { + "related": 
"https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/signature/", + "self": "https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/relationships/signature/" + }, + "meta": {"count": 0} + }, + "sparks": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/spark/", + "self": "https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/relationships/spark/" + }, + "meta": {"count": 0} + }, + "tags": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/tag/", + "self": "https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/relationships/tag/" + }, + "meta": {"count": 0} + }, + "threat_actors": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/threat-actor/", + "self": "https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/relationships/threat-actor/" + }, + "meta": {"count": 0} + } + }, + "type": "IP" + } + } + + mocker.patch.object(demisto, 'results') + requests_mock.register_uri('POST', 'https://tctrustoylo.blueliv.com/api/v2/gateway', json=blueliv_response) + + client = Client(base_url='https://tctrustoylo.blueliv.com/api/v2', verify=False) + args = {"IP": "103.76.228.28"} + blueliv_indicatorIp(client, args) + + results = demisto.results.call_args[0][0] + + entry_context = results.get('EntryContext', {}) + ind = entry_context.get('BluelivThreatContext.indicator(val.ipName && val.ipName == obj.ipName)', {}) + assert str(demisto.get(ind, "countryId")) == "103" + assert str(demisto.get(ind, "ipName")) == "1037622828" + + +def test_blueliv_indicatorFqdn(mocker, requests_mock): + blueliv_response = { + "data": { + "attributes": { + "active_dns_link": "https://tctrustoylo.blueliv.com/api/v1/fqdn/rayanmarketing.com/enrichment/dns/", + "created_at": "2018-08-07T22:41:25.933804Z", + "domain": "rayanmarketing.com", + "first_seen": "2018-08-07T22:41:25.933689Z", + "history_link": "https://tctrustoylo.blueliv.com/api/v1/fqdn/rayanmarketing.com/history/", + "ioc_link": 
"https://tctrustoylo.blueliv.com/api/v1/fqdn/rayanmarketing.com/ioc/", + "last_risk_scoring": "2020-07-02T11:34:14.339528Z", + "last_seen": "2018-08-07T22:41:25.933696Z", + "passive_dns_link": "https://tctrustoylo.blueliv.com/m/enrichment/passive-dns/", + "risk": 2.5, + "slugs_tags": [], + "tlp": "white", + "updated_at": "2020-07-02T11:34:14.339963Z", + "virus_total_link": "https://tctrustoylo.blueliv.com/api/v1/frichment/virus-total/", + "whois_link": "https://tctrustoylo.blueliv.com/api/v1/fqdn/rayanmarketing.com/enrichment/whois/" + }, + "id": "5783887", + "links": { + "self": "https://tctrustoylo.blueliv.com/api/v1/fqdn/rayanmarketing.com/" + }, + "relationships": { + "campaigns": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/fqdn/rayanmarketing.com/campaign/", + "self": "https://tctrustoylo.blueliv.com/api/v1/fqdn/rayanmarketing.com/relampaign/" + }, + "meta": {"count": 0} + }, + "crime_servers": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/fqdn/rayanmarketing.com/crime-server/", + "self": "https://tctrustoylo.blueliv.com/api/v1/fqdn/rayanmarketing.cops/crime-server/" + }, + "meta": {"count": 0} + }, + "ips": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/fqdn/rayanmarketing.com/ip/", + "self": "https://tctrustoylo.blueliv.com/api/v1/fqdn/rayanmarketing.com/relationships/ip/" + }, + "meta": {"count": 0} + }, + "signatures": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/fqdn/rayanmarketing.com/signature/", + "self": "https://tctrustoylo.blueliv.com/api/v1/fqdn/rayanmarketionships/signature/" + }, + "meta": {"count": 0} + }, + "sparks": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/fqdn/rayanmarketing.com/spark/", + "self": "https://tctrustoylo.blueliv.com/api/v1/fqdn/rayanmarketing.com/relationships/spark/" + }, + "meta": {"count": 0} + }, + "tags": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/fqdn/rayanmarketing.com/tag/", + 
"self": "https://tctrustoylo.blueliv.com/api/v1/fqdn/rayanmarketing.com/relationships/tag/" + }, + "meta": {"count": 0} + }, + "threat_actors": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/fqdn/rayanmarketing.com/threat-actor/", + "self": "https://tctrustoylo.blueliv.com/api/v1/fqdn/ing.com/relationships/threat-actor/" + }, + "meta": {"count": 0} + } + }, + "type": "FQDN" + } + } + + mocker.patch.object(demisto, 'results') + requests_mock.register_uri('POST', 'https://tctrustoylo.blueliv.com/api/v2/gateway', json=blueliv_response) + + client = Client(base_url='https://tctrustoylo.blueliv.com/api/v2', verify=False) + args = {"FQDN_id": 5783887} + blueliv_indicatorFqdn(client, args) + + results = demisto.results.call_args[0][0] + + entry_context = results.get('EntryContext', {}) + ind = entry_context.get('BluelivThreatContext.indicator(val.id && val.id == obj.id)', {}) + assert demisto.get(ind, "lastSeen") == "2018-08-07T22:41:25.933696Z" + assert demisto.get(ind, "risk") == "2.5" + + +def test_blueliv_indicatorCs(mocker, requests_mock): + blueliv_response = { + "data": { + "attributes": { + "at_feed": True, + "at_free_feed": True, + "bots_count": 0, + "confidence": 1, + "created_at": "2020-06-15T17:02:40.327300Z", + "created_at_afapi": "2020-06-15T16:46:06.119000Z", + "credentials_count": 0, + "credit_cards_count": 0, + "crime_server_url": "http://saveback.xyz/asdfgh35546fhwJYGvdfgsadsg/login.php", + "false_positive_modification_time": "2020-06-15T17:02:38.524874Z", + "first_seen": "2020-06-15T16:44:25Z", + "ioc_link": "https://tctrustoylo.blueliv.com/api/v1/crime-server/6626263/ioc/", + "is_false_positive": False, + "last_log_timestamp": None, + "last_risk_scoring": "2020-06-15T17:14:36.146566Z", + "last_seen": "2020-06-15T17:02:21.737000Z", + "main_type": "c_and_c", + "risk": 4, + "scans_link": "https://tctrustoylo.blueliv.com/api/v1/crime-server/6626263/enrichment/scans/", + "service_scans": {}, + "slugs_tags": [], + "status": "offline", + 
"subtype_name": "ANUBIS", + "target_status": None, + "tlp": "amber", + "updated_at": "2020-06-19T09:35:04.675771Z", + "updated_at_afapi": "2020-06-15T17:02:21.737000Z" + }, + "id": "6626263", + "links": { + "self": "https://tctrustoylo.blueliv.com/api/v1/crime-server/6626263/" + }, + "relationships": { + "fqdn": { + "data": { + "id": "9633658", + "type": "FQDN" + }, + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/fqdn/saveback.xyz/" + } + }, + "malware": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/crime-server/6626263/malware/", + "self": "https://tctrustoylo.blueliv.com/api/v1/crime-server/6626263/relationships/malware/" + }, + "meta": {"count": 0} + }, + "sources": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/crime-server/6626263/source/", + "self": "https://tctrustoylo.blueliv.com/api/v1/crime-server/6626263/relationships/source/" + }, + "meta": {"count": 0} + }, + "sparks": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/crime-server/6626263/spark/", + "self": "https://tctrustoylo.blueliv.com/api/v1/crime-server/6626263/relationships/spark/" + }, + "meta": {"count": 0} + }, + "subtype": { + "data": { + "id": "7458", + "type": "ThreatType" + }, + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/threat-type/ANUBIS/" + } + }, + "tags": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/crime-server/6626263/tag/", + "self": "https://tctrustoylo.blueliv.com/api/v1/crime-server/6626263/relationships/tag/" + }, + "meta": {"count": 0} + }, + "vendor_analysis": { + "meta": { + "count": [] + } + } + }, + "type": "CrimeServer" + } + } + + mocker.patch.object(demisto, 'results') + requests_mock.register_uri('POST', 'https://tctrustoylo.blueliv.com/api/v2/gateway', json=blueliv_response) + + client = Client(base_url='https://tctrustoylo.blueliv.com/api/v2', verify=False) + args = {"CS_id": 6626263} + blueliv_indicatorCs(client, args) + + results = 
demisto.results.call_args[0][0] + + entry_context = results.get('EntryContext', {}) + ind = entry_context.get('BluelivThreatContext.indicator(val.id && val.id == obj.id)', {}) + assert demisto.get(ind, "fqdnId") == "9633658" + assert demisto.get(ind, "status") == "offline" + + +def test_blueliv_attackPattern(mocker, requests_mock): + blueliv_response = { + "data": { + "attributes": { + "attack_phases": {}, + "attacker_skills_or_knowledge_required": [], + "capec_id": None, + "created_at": "2018-12-24T23:00:02.352087Z", + "description": "Adversaries may attempt to get a listing of local system or domain accounts.", + "name": "Account Discovery", + "prerequisites": [], + "purposes": [], + "references": [], + "related_vulnerabilities": [], + "related_weaknesses": [], + "severity": "Medium", + "solutions_and_mitigations": [], + "tlp": "white", + "updated_at": "2018-12-24T23:00:02.352102Z", + "uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" + }, + "id": "686", + "links": { + "self": "https://tctrustoylo.blueliv.com/api/v1/attack-pattern/686/" + }, + "relationships": { + "campaigns": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/attack-pattern/686/campaign/", + "self": "https://tctrustoylo.blueliv.com/api/v1/attack-pattern/686/relationships/campaign/" + }, + "meta": {"count": 0} + }, + "cves": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/attack-pattern/686/cve/", + "self": "https://tctrustoylo.blueliv.com/api/v1/attack-pattern/686/relationships/cve/" + }, + "meta": {"count": 0} + }, + "signatures": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/attack-pattern/686/signature/", + "self": "https://tctrustoylo.blueliv.com/api/v1/attack-pattern/686/relationships/signature/" + }, + "meta": {"count": 0} + }, + "threat_actors": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/attack-pattern/686/threat-actor/", + "self": 
"https://tctrustoylo.blueliv.com/api/v1/attack-pattern/686/relationships/threat-actor/" + }, + "meta": {"count": 0} + } + }, + "type": "AttackPattern" + } + } + + mocker.patch.object(demisto, 'results') + requests_mock.register_uri('POST', 'https://tctrustoylo.blueliv.com/api/v2/gateway', json=blueliv_response) + + client = Client(base_url='https://tctrustoylo.blueliv.com/api/v2', verify=False) + args = {"attackPattern_id": 686} + blueliv_attackPattern(client, args) + + results = demisto.results.call_args[0][0] + + entry_context = results.get('EntryContext', {}) + ind = entry_context.get('BluelivThreatContext.attackPattern(val.id && val.id == obj.id)', {}) + assert demisto.get(ind, "name") == "Account Discovery" + assert demisto.get(ind, "serverity") == "Medium" + + +def test_blueliv_tool(mocker, requests_mock): + blueliv_response = { + "data": { + "attributes": { + "created_at": "2020-02-26T14:35:55.698486Z", + "description": "\u003cp\u003eACEHASH is a credential theft/password hash dumping utility.", + "discovery_date": None, + "first_seen": "2012-12-01T00:00:00Z", + "last_seen": "2019-12-01T00:00:00Z", + "name": "ACEHASH", + "references": [ + { + "link": "https://content.fireeye.com/apt-41/rpt-apt41", + "title": "Double Dragon: APT41, a dual espionage and cyber crime operation" + } + ], + "targeted_platforms": [], + "tlp": "white", + "updated_at": "2020-02-26T14:35:55.698549Z", + "uuid": None, + "version": "" + }, + "id": "532", + "links": { + "self": "https://tctrustoylo.blueliv.com/api/v1/tool/532/" + }, + "relationships": { + "campaigns": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/tool/532/campaign/", + "self": "https://tctrustoylo.blueliv.com/api/v1/tool/532/relationships/campaign/" + }, + "meta": {"count": 0} + }, + "cves": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/tool/532/cve/", + "self": "https://tctrustoylo.blueliv.com/api/v1/tool/532/relationships/cve/" + }, + "meta": {"count": 0} + }, + "signatures": 
{ + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/tool/532/signature/", + "self": "https://tctrustoylo.blueliv.com/api/v1/tool/532/relationships/signature/" + }, + "meta": {"count": 0} + }, + "threat_actors": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/tool/532/threat-actor/", + "self": "https://tctrustoylo.blueliv.com/api/v1/tool/532/relationships/threat-actor/" + }, + "meta": {"count": 0} + } + }, + "type": "Tool" + } + } + mocker.patch.object(demisto, 'results') + requests_mock.register_uri('POST', 'https://tctrustoylo.blueliv.com/api/v2/gateway', json=blueliv_response) + + client = Client(base_url='https://tctrustoylo.blueliv.com/api/v2', verify=False) + args = {"tool_id": 532} + blueliv_tool(client, args) + + results = demisto.results.call_args[0][0] + + entry_context = results.get('EntryContext', {}) + ind = entry_context.get('BluelivThreatContext.tool(val.id && val.id == obj.id)', {}) + assert demisto.get(ind, "name") == "ACEHASH" + assert demisto.get(ind, "lastSeen") == "2019-12-01T00:00:00Z" + + +def test_blueliv_signature(mocker, requests_mock): + blueliv_response = { + "data": { + "attributes": { + "created_at": "2020-06-15T02:11:21.962302Z", + "name": "ET TROJAN DonotGroup Staging Domain in DNS Query (sid 2030333)", + "references": [], + "sid": 2030333, + "signature": "alert udp $HOME_NET any -\u003e any 53 (m depth:1; ack_target C_at 2020_06_12;)", + "status": "enabled", + "tlp": "white", + "type": "snort", + "updated_at": "2020-06-15T02:11:21.962364Z", + "version": 2 + }, + "id": "84458", + "links": { + "self": "https://tctrustoylo.blueliv.com/api/v1/signature/84458/" + }, + "relationships": { + "attack_patterns": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/signature/84458/attack-pattern/", + "self": "https://tctrustoylo.blueliv.com/api/v1/signature/84458/relationships/attack-pattern/" + }, + "meta": {"count": 0} + }, + "campaigns": { + "links": { + "related": 
"https://tctrustoylo.blueliv.com/api/v1/signature/84458/campaign/", + "self": "https://tctrustoylo.blueliv.com/api/v1/signature/84458/relationships/campaign/" + }, + "meta": {"count": 0} + }, + "cves": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/signature/84458/cve/", + "self": "https://tctrustoylo.blueliv.com/api/v1/signature/84458/relationships/cve/" + }, + "meta": {"count": 0} + }, + "fqdns": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/signature/84458/fqdn/", + "self": "https://tctrustoylo.blueliv.com/api/v1/signature/84458/relationships/fqdn/" + }, + "meta": {"count": 0} + }, + "ips": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/signature/84458/ip/", + "self": "https://tctrustoylo.blueliv.com/api/v1/signature/84458/relationships/ip/" + }, + "meta": {"count": 0} + }, + "malware": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/signature/84458/malware/", + "self": "https://tctrustoylo.blueliv.com/api/v1/signature/84458/relationships/malware/" + }, + "meta": {"count": 0} + }, + "threat_actors": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/signature/84458/threat-actor/", + "self": "https://tctrustoylo.blueliv.com/api/v1/signature/84458/relationships/threat-actor/" + }, + "meta": {"count": 0} + }, + "threat_types": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/signature/84458/threat-type/", + "self": "https://tctrustoylo.blueliv.com/api/v1/signature/84458/relationships/threat-type/" + }, + "meta": {"count": 0} + }, + "tools": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/signature/84458/tool/", + "self": "https://tctrustoylo.blueliv.com/api/v1/signature/84458/relationships/tool/" + }, + "meta": {"count": 0} + } + }, + "type": "Signature" + } + } + + mocker.patch.object(demisto, 'results') + requests_mock.register_uri('POST', 'https://tctrustoylo.blueliv.com/api/v2/gateway', json=blueliv_response) + + client = 
Client(base_url='https://tctrustoylo.blueliv.com/api/v2', verify=False) + args = {"signature_id": 84458} + blueliv_signature(client, args) + + results = demisto.results.call_args[0][0] + + entry_context = results.get('EntryContext', {}) + ind = entry_context.get('BluelivThreatContext.signature(val.id && val.id == obj.id)', {}) + assert demisto.get(ind, "type") == "snort" + assert demisto.get(ind, "updatedAt") == "2020-06-15T02:11:21.962364Z" + + +def test_blueliv_cve(mocker, requests_mock): + blueliv_response = { + "data": { + "attributes": { + "bl_score": 96, + "created_at": "2020-02-26T01:12:25.635599Z", + "cvss": { + "v2": { + "accessComplexity": "LOW", + "accessVector": "NETWORK", + "authentication": "NONE", + "availabilityImpact": "COMPLETE", + "baseScore": 10, + "confidentialityImpact": "COMPLETE", + "integrityImpact": "COMPLETE", + "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", + "version": "2.0" + }, + "v3": None + }, + "description": "OpenSMTPD before 6.6.4 allows remote code execution because of an out-s read in.", + "exploits": [ + { + "author": "Qualys Corporation", + "date": "2020-02-26", + "id": None, + "name": "OpenSMTPD \u003c 6.6.3p1 - Local Privilege Escalation + Remote Code Execution", + "platform": "openbsd", + "port": "", + "type": "remote", + "url": "https://github.com/offensive-security/exploitdb/blo/openbsd/remote/48140.c" + } + ], + "ioc_link": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/ioc/", + "microsoft_bulletins": [], + "name": "CVE-2020-8794", + "num_crime_servers": 0, + "num_malware": 0, + "platforms": [ + { + "id": "cpe:2.3:a:opensmtpd:opensmtpd:*:*:*:*:*:*:*:*", + "title": "cpe:2.3:a:opensmtpd:opensmtpd:*:*:*:*:*:*:*:*" + } + ], + "published_at": "2020-02-25T17:15:00Z", + "references": [ + { + "id": "https://www.openbsd.org/security.html", + "type": "MISC", + "url": "https://www.openbsd.org/security.html" + }, + { + "id": "https://www.openwall.com/lists/oss-security/2020/02/24/5", + "type": "MISC", + "url": 
"https://www.openwall.com/lists/oss-security/2020/02/24/5" + }, + { + "id": "[oss-security] 20200226 Re: LPE and RCE in OpenSMTPD's default install (CVE-2020-8794)", + "type": "MLIST", + "url": "http://www.openwall.com/lists/oss-security/2020/02/26/1" + }, + { + "id": "DSA-4634", + "type": "DEBIAN", + "url": "https://www.debian.org/security/2020/dsa-4634" + }, + { + "id": "20200227 LPE and RCE in OpenSMTPD's default install (CVE-2020-8794)", + "type": "FULLDISC", + "url": "http://seclists.org/fulldisclosure/2020/Feb/32" + }, + { + "id": "[oss-security] 20200301 Re: LPE and RCE in OpenSMTPD's default install (CVE-2020-8794)", + "type": "MLIST", + "url": "http://www.openwall.com/lists/oss-security/2020/03/01/1" + }, + { + "id": "[oss-security] 20200301 Re: LPE and RCE in OpenSMTPD's default install (CVE-2020-8794)", + "type": "MLIST", + "url": "http://www.openwall.com/lists/oss-security/2020/03/01/2" + }, + { + "id": "http://packetstormsecurity.com/files/156633/OpenSMRead-Local-Privilege-Escalation.html", + "type": "MISC", + "url": "http://packetstormsecurity.com/files/156633/OpenSMTPDivilege-Escalation.html" + } + ], + "score": 10, + "tags_slugs": [], + "updated_at": "2020-03-09T15:17:41.667962Z", + "uuid": None + }, + "id": "139511", + "links": { + "self": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/" + }, + "relationships": { + "attack_patterns": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/attack-pattern/", + "self": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/relationships/attackattern/" + }, + "meta": {"count": 0} + }, + "campaigns": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/campaign/", + "self": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/relationships/campaigns/" + }, + "meta": {"count": 0} + }, + "crime_servers": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/crime-server/", + "self": 
"https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/relationships/crime-server/" + }, + "meta": {"count": 0} + }, + "malware": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/malware/", + "self": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/relationships/malware/" + }, + "meta": {"count": 0} + }, + "mentions": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/mention/", + "self": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/relationships/mentions/" + }, + "meta": {"count": 0} + }, + "signatures": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/signature/", + "self": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/relationships/signature/" + }, + "meta": {"count": 0} + }, + "sparks": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/spark/", + "self": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/relationships/spark/" + }, + "meta": {"count": 0} + }, + "tags": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/tag/", + "self": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/relationships/tags/" + }, + "meta": {"count": 0} + }, + "threat_actors": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/threat-actor/", + "self": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/relationships/threat-actors/" + }, + "meta": {"count": 0} + }, + "tools": { + "links": { + "related": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/tool/", + "self": "https://tctrustoylo.blueliv.com/api/v1/cve/CVE-2020-8794/relationships/tools/" + }, + "meta": {"count": 0} + } + }, + "type": "CVE" + } + } + + mocker.patch.object(demisto, 'results') + requests_mock.register_uri('POST', 'https://tctrustoylo.blueliv.com/api/v2/gateway', json=blueliv_response) + + client = 
Client(base_url='https://tctrustoylo.blueliv.com/api/v2', verify=False) + args = {"CVE": "CVE-2020-8794"} + blueliv_cve(client, args) + + results = demisto.results.call_args[0][0] + + entry_context = results.get('EntryContext', {}) + ind = entry_context.get('BluelivThreatContext.cve(val.id && val.id == obj.id)', {}) + assert demisto.get(ind, "updatedAt") == "2020-03-09T15:17:41.667962Z" + assert str(demisto.get(ind, "score")) == "10" diff --git a/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/CHANGELOG.md b/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/CHANGELOG.md new file mode 100644 index 000000000000..7ca011be317b --- /dev/null +++ b/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/CHANGELOG.md @@ -0,0 +1,12 @@ +## [20.06.08] - 2020-06-08 +Added initial support for Blueliv ThreatContext with the following commands: + * __blueliv-tc-threat-actor__: Allows searching by threat actors. + * __blueliv-tc-campaign__: Allows searching by campaigns. + * __blueliv-tc-malware__: Allows searching by malware hashes. + * __blueliv-tc-indicator-ip__: Allows searching by IP. + * __blueliv-tc-indicator-fqdn__: Allows searching by FQDNs. + * __blueliv-tc-indicator-cs__: Allows searching by crime servers. + * __blueliv-tc-attack-pattern__: Allows searching by MITRE attack patterns. + * __blueliv-tc-tool__: Allows searching by used tools. + * __blueliv-tc-signature__: Allows searching detection signatures. + * __blueliv-tc-cve__: Allows searching by CVEs. diff --git a/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/Pipfile b/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/Pipfile new file mode 100644 index 000000000000..3523d3b6b93b --- /dev/null +++ b/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/Pipfile 
@@ -0,0 +1,18 @@
+[[source]]
+name = "pypi"
+url = "https://pypi.org/simple"
+verify_ssl = true
+
+[dev-packages]
+pylint = "*"
+pytest = "==5.0.1"
+pytest-mock = "*"
+requests-mock = "*"
+pytest-asyncio = "*"
+
+[packages]
+pytest = "*"
+requests = "*"
+
+[requires]
+python_version = "3.7"
diff --git a/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/Pipfile.lock b/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/Pipfile.lock
new file mode 100644
index 000000000000..6bdb9313414e
--- /dev/null
+++ b/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/Pipfile.lock
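Review bot: `pytest` is declared twice with conflicting specifiers in this Pipfile — `pytest = "==5.0.1"` under `[dev-packages]` and `pytest = "*"` under `[packages]` — and the accompanying Pipfile.lock resolves it to `"version": "==5.1.2"` in both the default and develop sections, so the dev pin is not what actually gets installed. A test runner is also not a runtime dependency of the integration, so it should not sit in `[packages]` at all; I would delete the `pytest = "*"` line from `[packages]` and keep a single pin under `[dev-packages]`. Pinning `requests` to the version the lock already resolved (`requests = "==2.22.0"`) instead of `"*"` would keep the manifest and lock in agreement if the lock is ever regenerated.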
@@ -0,0 +1,369 @@ +{ + "_meta": { + "hash": { + "sha256": "278db815bec49c11262633d34305f9b33f09432a223bedd5329a04f758f78b55" + }, + "pipfile-spec": 6, + "requires": { + "python_version": "3.7" + }, + "sources": [ + { + "name": "pypi", + "url": "https://pypi.org/simple", + "verify_ssl": true + } + ] + }, + "default": { + "atomicwrites": { + "hashes": [ + "sha256:03472c30eb2c5d1ba9227e4c2ca66ab8287fbfbbda3888aa93dc2e28fc6811b4", + "sha256:75a9445bac02d8d058d5e1fe689654ba5a6556a1dfd8ce6ec55a0ed79866cfa6" + ], + "version": "==1.3.0" + }, + "attrs": { + "hashes": [ + "sha256:69c0dbf2ed392de1cb5ec704444b08a5ef81680a61cb899dc08127123af36a79", + "sha256:f0b870f674851ecbfbbbd364d6b5cbdff9dcedbc7f3f5e18a6891057f21fe399" + ], + "version": "==19.1.0" + }, + "certifi": { + "hashes": [ + "sha256:e4f3620cfea4f83eedc95b24abd9cd56f3c4b146dd0177e83a21b4eb49e21e50", + "sha256:fd7c7c74727ddcf00e9acd26bba8da604ffec95bf1c2144e67aff7a8b50e6cef" + ], + "version": "==2019.9.11" + }, + "chardet": { + "hashes": [ + "sha256:84ab92ed1c4d4f16916e05906b6b75a6c0fb5db821cc65e70cbd64a3e2a5eaae", + "sha256:fc323ffcaeaed0e0a02bf4d117757b98aed530d9ed4531e3e15460124c106691" + ], + "version": "==3.0.4" + }, + "idna": { + "hashes": [ + "sha256:c357b3f628cf53ae2c4c05627ecc484553142ca23264e593d327bcde5e9c3407", + "sha256:ea8b7f6188e6fa117537c3df7da9fc686d485087abf6ac197f9c46432f7e4a3c" + ], + "version": "==2.8" + }, + "importlib-metadata": { + "hashes": [ + "sha256:652234b6ab8f2506ae58e528b6fbcc668831d3cc758e1bc01ef438d328b68cdb", + "sha256:6f264986fb88042bc1f0535fa9a557e6a376cfe5679dc77caac7fe8b5d43d05f" + ], + "markers": "python_version < '3.8'", + "version": "==0.22" + }, + "more-itertools": { + "hashes": [ + "sha256:409cd48d4db7052af495b09dec721011634af3753ae1ef92d2b32f73a745f832", + "sha256:92b8c4b06dac4f0611c0729b2f2ede52b2e1bac1ab48f089c7ddc12e26bb60c4" + ], + "version": "==7.2.0" + }, + "packaging": { + "hashes": [ + "sha256:a7ac867b97fdc07ee80a8058fe4435ccd274ecc3b0ed61d852d7d53055528cf9", + 
"sha256:c491ca87294da7cc01902edbe30a5bc6c4c28172b5138ab4e4aa1b9d7bfaeafe" + ], + "version": "==19.1" + }, + "pluggy": { + "hashes": [ + "sha256:0db4b7601aae1d35b4a033282da476845aa19185c1e6964b25cf324b5e4ec3e6", + "sha256:fa5fa1622fa6dd5c030e9cad086fa19ef6a0cf6d7a2d12318e10cb49d6d68f34" + ], + "version": "==0.13.0" + }, + "py": { + "hashes": [ + "sha256:64f65755aee5b381cea27766a3a147c3f15b9b6b9ac88676de66ba2ae36793fa", + "sha256:dc639b046a6e2cff5bbe40194ad65936d6ba360b52b3c3fe1d08a82dd50b5e53" + ], + "version": "==1.8.0" + }, + "pyparsing": { + "hashes": [ + "sha256:6f98a7b9397e206d78cc01df10131398f1c8b8510a2f4d97d9abd82e1aacdd80", + "sha256:d9338df12903bbf5d65a0e4e87c2161968b10d2e489652bb47001d82a9b028b4" + ], + "version": "==2.4.2" + }, + "pytest": { + "hashes": [ + "sha256:95d13143cc14174ca1a01ec68e84d76ba5d9d493ac02716fd9706c949a505210", + "sha256:b78fe2881323bd44fd9bd76e5317173d4316577e7b1cddebae9136a4495ec865" + ], + "index": "pypi", + "version": "==5.1.2" + }, + "requests": { + "hashes": [ + "sha256:11e007a8a2aa0323f5a921e9e6a2d7e4e67d9877e85773fba9ba6419025cbeb4", + "sha256:9cf5292fcd0f598c671cfc1e0d7d1a7f13bb8085e9a590f48c010551dc6c4b31" + ], + "index": "pypi", + "version": "==2.22.0" + }, + "six": { + "hashes": [ + "sha256:3350809f0555b11f552448330d0b52d5f24c91a322ea4a15ef22629740f3761c", + "sha256:d16a0141ec1a18405cd4ce8b4613101da75da0e9a7aec5bdd4fa804d0e0eba73" + ], + "version": "==1.12.0" + }, + "urllib3": { + "hashes": [ + "sha256:b246607a25ac80bedac05c6f282e3cdaf3afb65420fd024ac94435cabe6e18d1", + "sha256:dbe59173209418ae49d485b87d1681aefa36252ee85884c31346debd19463232" + ], + "version": "==1.25.3" + }, + "wcwidth": { + "hashes": [ + "sha256:3df37372226d6e63e1b1e1eda15c594bca98a22d33a23832a90998faa96bc65e", + "sha256:f4ebe71925af7b40a864553f761ed559b43544f8f71746c2d756c7fe788ade7c" + ], + "version": "==0.1.7" + }, + "zipp": { + "hashes": [ + "sha256:3718b1cbcd963c7d4c5511a8240812904164b7f381b647143a89d3b98f9bcd8e", + 
"sha256:f06903e9f1f43b12d371004b4ac7b06ab39a44adc747266928ae6debfa7b3335" + ], + "version": "==0.6.0" + } + }, + "develop": { + "astroid": { + "hashes": [ + "sha256:6560e1e1749f68c64a4b5dee4e091fce798d2f0d84ebe638cf0e0585a343acf4", + "sha256:b65db1bbaac9f9f4d190199bb8680af6f6f84fd3769a5ea883df8a91fe68b4c4" + ], + "version": "==2.2.5" + }, + "atomicwrites": { + "hashes": [ + "sha256:03472c30eb2c5d1ba9227e4c2ca66ab8287fbfbbda3888aa93dc2e28fc6811b4", + "sha256:75a9445bac02d8d058d5e1fe689654ba5a6556a1dfd8ce6ec55a0ed79866cfa6" + ], + "version": "==1.3.0" + }, + "attrs": { + "hashes": [ + "sha256:69c0dbf2ed392de1cb5ec704444b08a5ef81680a61cb899dc08127123af36a79", + "sha256:f0b870f674851ecbfbbbd364d6b5cbdff9dcedbc7f3f5e18a6891057f21fe399" + ], + "version": "==19.1.0" + }, + "certifi": { + "hashes": [ + "sha256:e4f3620cfea4f83eedc95b24abd9cd56f3c4b146dd0177e83a21b4eb49e21e50", + "sha256:fd7c7c74727ddcf00e9acd26bba8da604ffec95bf1c2144e67aff7a8b50e6cef" + ], + "version": "==2019.9.11" + }, + "chardet": { + "hashes": [ + "sha256:84ab92ed1c4d4f16916e05906b6b75a6c0fb5db821cc65e70cbd64a3e2a5eaae", + "sha256:fc323ffcaeaed0e0a02bf4d117757b98aed530d9ed4531e3e15460124c106691" + ], + "version": "==3.0.4" + }, + "idna": { + "hashes": [ + "sha256:c357b3f628cf53ae2c4c05627ecc484553142ca23264e593d327bcde5e9c3407", + "sha256:ea8b7f6188e6fa117537c3df7da9fc686d485087abf6ac197f9c46432f7e4a3c" + ], + "version": "==2.8" + }, + "importlib-metadata": { + "hashes": [ + "sha256:652234b6ab8f2506ae58e528b6fbcc668831d3cc758e1bc01ef438d328b68cdb", + "sha256:6f264986fb88042bc1f0535fa9a557e6a376cfe5679dc77caac7fe8b5d43d05f" + ], + "markers": "python_version < '3.8'", + "version": "==0.22" + }, + "isort": { + "hashes": [ + "sha256:54da7e92468955c4fceacd0c86bd0ec997b0e1ee80d97f67c35a78b719dccab1", + "sha256:6e811fcb295968434526407adb8796944f1988c5b65e8139058f2014cbe100fd" + ], + "version": "==4.3.21" + }, + "lazy-object-proxy": { + "hashes": [ + 
"sha256:02b260c8deb80db09325b99edf62ae344ce9bc64d68b7a634410b8e9a568edbf", + "sha256:18f9c401083a4ba6e162355873f906315332ea7035803d0fd8166051e3d402e3", + "sha256:1f2c6209a8917c525c1e2b55a716135ca4658a3042b5122d4e3413a4030c26ce", + "sha256:2f06d97f0ca0f414f6b707c974aaf8829c2292c1c497642f63824119d770226f", + "sha256:616c94f8176808f4018b39f9638080ed86f96b55370b5a9463b2ee5c926f6c5f", + "sha256:63b91e30ef47ef68a30f0c3c278fbfe9822319c15f34b7538a829515b84ca2a0", + "sha256:77b454f03860b844f758c5d5c6e5f18d27de899a3db367f4af06bec2e6013a8e", + "sha256:83fe27ba321e4cfac466178606147d3c0aa18e8087507caec78ed5a966a64905", + "sha256:84742532d39f72df959d237912344d8a1764c2d03fe58beba96a87bfa11a76d8", + "sha256:874ebf3caaf55a020aeb08acead813baf5a305927a71ce88c9377970fe7ad3c2", + "sha256:9f5caf2c7436d44f3cec97c2fa7791f8a675170badbfa86e1992ca1b84c37009", + "sha256:a0c8758d01fcdfe7ae8e4b4017b13552efa7f1197dd7358dc9da0576f9d0328a", + "sha256:a4def978d9d28cda2d960c279318d46b327632686d82b4917516c36d4c274512", + "sha256:ad4f4be843dace866af5fc142509e9b9817ca0c59342fdb176ab6ad552c927f5", + "sha256:ae33dd198f772f714420c5ab698ff05ff900150486c648d29951e9c70694338e", + "sha256:b4a2b782b8a8c5522ad35c93e04d60e2ba7f7dcb9271ec8e8c3e08239be6c7b4", + "sha256:c462eb33f6abca3b34cdedbe84d761f31a60b814e173b98ede3c81bb48967c4f", + "sha256:fd135b8d35dfdcdb984828c84d695937e58cc5f49e1c854eb311c4d6aa03f4f1" + ], + "version": "==1.4.2" + }, + "mccabe": { + "hashes": [ + "sha256:ab8a6258860da4b6677da4bd2fe5dc2c659cff31b3ee4f7f5d64e79735b80d42", + "sha256:dd8d182285a0fe56bace7f45b5e7d1a6ebcbf524e8f3bd87eb0f125271b8831f" + ], + "version": "==0.6.1" + }, + "more-itertools": { + "hashes": [ + "sha256:409cd48d4db7052af495b09dec721011634af3753ae1ef92d2b32f73a745f832", + "sha256:92b8c4b06dac4f0611c0729b2f2ede52b2e1bac1ab48f089c7ddc12e26bb60c4" + ], + "version": "==7.2.0" + }, + "packaging": { + "hashes": [ + "sha256:a7ac867b97fdc07ee80a8058fe4435ccd274ecc3b0ed61d852d7d53055528cf9", + 
"sha256:c491ca87294da7cc01902edbe30a5bc6c4c28172b5138ab4e4aa1b9d7bfaeafe" + ], + "version": "==19.1" + }, + "pluggy": { + "hashes": [ + "sha256:0db4b7601aae1d35b4a033282da476845aa19185c1e6964b25cf324b5e4ec3e6", + "sha256:fa5fa1622fa6dd5c030e9cad086fa19ef6a0cf6d7a2d12318e10cb49d6d68f34" + ], + "version": "==0.13.0" + }, + "py": { + "hashes": [ + "sha256:64f65755aee5b381cea27766a3a147c3f15b9b6b9ac88676de66ba2ae36793fa", + "sha256:dc639b046a6e2cff5bbe40194ad65936d6ba360b52b3c3fe1d08a82dd50b5e53" + ], + "version": "==1.8.0" + }, + "pylint": { + "hashes": [ + "sha256:5d77031694a5fb97ea95e828c8d10fc770a1df6eb3906067aaed42201a8a6a09", + "sha256:723e3db49555abaf9bf79dc474c6b9e2935ad82230b10c1138a71ea41ac0fff1" + ], + "index": "pypi", + "version": "==2.3.1" + }, + "pyparsing": { + "hashes": [ + "sha256:6f98a7b9397e206d78cc01df10131398f1c8b8510a2f4d97d9abd82e1aacdd80", + "sha256:d9338df12903bbf5d65a0e4e87c2161968b10d2e489652bb47001d82a9b028b4" + ], + "version": "==2.4.2" + }, + "pytest": { + "hashes": [ + "sha256:95d13143cc14174ca1a01ec68e84d76ba5d9d493ac02716fd9706c949a505210", + "sha256:b78fe2881323bd44fd9bd76e5317173d4316577e7b1cddebae9136a4495ec865" + ], + "index": "pypi", + "version": "==5.1.2" + }, + "pytest-asyncio": { + "hashes": [ + "sha256:9fac5100fd716cbecf6ef89233e8590a4ad61d729d1732e0a96b84182df1daaf", + "sha256:d734718e25cfc32d2bf78d346e99d33724deeba774cc4afdf491530c6184b63b" + ], + "index": "pypi", + "version": "==0.10.0" + }, + "pytest-mock": { + "hashes": [ + "sha256:43ce4e9dd5074993e7c021bb1c22cbb5363e612a2b5a76bc6d956775b10758b7", + "sha256:5bf5771b1db93beac965a7347dc81c675ec4090cb841e49d9d34637a25c30568" + ], + "index": "pypi", + "version": "==1.10.4" + }, + "requests": { + "hashes": [ + "sha256:11e007a8a2aa0323f5a921e9e6a2d7e4e67d9877e85773fba9ba6419025cbeb4", + "sha256:9cf5292fcd0f598c671cfc1e0d7d1a7f13bb8085e9a590f48c010551dc6c4b31" + ], + "index": "pypi", + "version": "==2.22.0" + }, + "requests-mock": { + "hashes": [ + 
"sha256:510df890afe08d36eca5bb16b4aa6308a6f85e3159ad3013bac8b9de7bd5a010", + "sha256:88d3402dd8b3c69a9e4f9d3a73ad11b15920c6efd36bc27bf1f701cf4a8e4646" + ], + "index": "pypi", + "version": "==1.7.0" + }, + "six": { + "hashes": [ + "sha256:3350809f0555b11f552448330d0b52d5f24c91a322ea4a15ef22629740f3761c", + "sha256:d16a0141ec1a18405cd4ce8b4613101da75da0e9a7aec5bdd4fa804d0e0eba73" + ], + "version": "==1.12.0" + }, + "typed-ast": { + "hashes": [ + "sha256:18511a0b3e7922276346bcb47e2ef9f38fb90fd31cb9223eed42c85d1312344e", + "sha256:262c247a82d005e43b5b7f69aff746370538e176131c32dda9cb0f324d27141e", + "sha256:2b907eb046d049bcd9892e3076c7a6456c93a25bebfe554e931620c90e6a25b0", + "sha256:354c16e5babd09f5cb0ee000d54cfa38401d8b8891eefa878ac772f827181a3c", + "sha256:4e0b70c6fc4d010f8107726af5fd37921b666f5b31d9331f0bd24ad9a088e631", + "sha256:630968c5cdee51a11c05a30453f8cd65e0cc1d2ad0d9192819df9978984529f4", + "sha256:66480f95b8167c9c5c5c87f32cf437d585937970f3fc24386f313a4c97b44e34", + "sha256:71211d26ffd12d63a83e079ff258ac9d56a1376a25bc80b1cdcdf601b855b90b", + "sha256:95bd11af7eafc16e829af2d3df510cecfd4387f6453355188342c3e79a2ec87a", + "sha256:bc6c7d3fa1325a0c6613512a093bc2a2a15aeec350451cbdf9e1d4bffe3e3233", + "sha256:cc34a6f5b426748a507dd5d1de4c1978f2eb5626d51326e43280941206c209e1", + "sha256:d755f03c1e4a51e9b24d899561fec4ccaf51f210d52abdf8c07ee2849b212a36", + "sha256:d7c45933b1bdfaf9f36c579671fec15d25b06c8398f113dab64c18ed1adda01d", + "sha256:d896919306dd0aa22d0132f62a1b78d11aaf4c9fc5b3410d3c666b818191630a", + "sha256:ffde2fbfad571af120fcbfbbc61c72469e72f550d676c3342492a9dfdefb8f12" + ], + "markers": "implementation_name == 'cpython'", + "version": "==1.4.0" + }, + "urllib3": { + "hashes": [ + "sha256:b246607a25ac80bedac05c6f282e3cdaf3afb65420fd024ac94435cabe6e18d1", + "sha256:dbe59173209418ae49d485b87d1681aefa36252ee85884c31346debd19463232" + ], + "version": "==1.25.3" + }, + "wcwidth": { + "hashes": [ + 
"sha256:3df37372226d6e63e1b1e1eda15c594bca98a22d33a23832a90998faa96bc65e", + "sha256:f4ebe71925af7b40a864553f761ed559b43544f8f71746c2d756c7fe788ade7c" + ], + "version": "==0.1.7" + }, + "wrapt": { + "hashes": [ + "sha256:565a021fd19419476b9362b05eeaa094178de64f8361e44468f9e9d7843901e1" + ], + "version": "==1.11.2" + }, + "zipp": { + "hashes": [ + "sha256:3718b1cbcd963c7d4c5511a8240812904164b7f381b647143a89d3b98f9bcd8e", + "sha256:f06903e9f1f43b12d371004b4ac7b06ab39a44adc747266928ae6debfa7b3335" + ], + "version": "==0.6.0" + } + } +} diff --git a/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/README.md b/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/README.md new file mode 100644 index 000000000000..732f06f343b5 --- /dev/null +++ b/Packs/BluelivThreatContext/Integrations/BluelivThreatContext/README.md 
@@ -0,0 +1,811 @@
+The Threat Context module provides SOC, Incident Response and Threat Intelligence teams with continuously updated and intuitive information around threat actors, campaigns, malware indicators, attack patterns, tools, signatures and CVEs.
+This integration was integrated and tested with version xx of Blueliv ThreatContext
+## Configure Blueliv ThreatContext on Cortex XSOAR
+
+1. Navigate to **Settings** > **Integrations** > **Servers & Services**.
+2. Search for Blueliv ThreatContext.
+3. Click **Add instance** to create and configure a new integration instance.
+
+| **Parameter** | **Description** | **Required** |
+| --- | --- | --- |
+| url | Server URL \(e.g. https://demisto.blueliv.com/api/v2\) | False |
+| credentials | Username | False |
+| unsecure | Trust any certificate \(not secure\) | False |
+
+4. Click **Test** to validate the URLs, token, and connection.
+## Commands
+You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook.
+After you successfully execute a command, a DBot message appears in the War Room with the command details.
+### blueliv-authenticate
+***
+Authenticate and get the API token
+
+
+#### Base Command
+
+`blueliv-authenticate`
+#### Input
+
+There are no input arguments for this command.
+
+#### Context Output
+
+| **Path** | **Type** | **Description** |
+| --- | --- | --- |
+| token | string | Authentication token |
+
+
+#### Command Example
+```!blueliv-authenticate```
+
+#### Context Example
+```
+{}
+```
+
+#### Human Readable Output
+
+>981bfb934723091e606c0e35998217bdcafc8697d1a6d0911ff5b2fedb5a16c
+
+### blueliv-tc-malware
+***
+Gets information about malware by ID
+
+
+#### Base Command
+
+`blueliv-tc-malware`
+#### Input
+
+| **Argument Name** | **Description** | **Required** |
+| --- | --- | --- |
+| hash_id | Internal Blueliv's malware hash ID | Optional |
+| hash | Malware file hash to search for | Optional |
+
+
+#### Context Output
+
+| **Path** | **Type** | **Description** |
+| --- | --- | --- |
+| malware.hash.sha256 | Unknown | File SHA256 |
+| malware.hash.sha1 | Unknown | File SHA1 |
+| malware.hash.md5 | Unknown | File MD5 |
+| malware.type | Unknown | Malware Type |
+| malware.hasCandC | unknown | If there is a C&C associated |
+| malware.memory | Unknown | Malware memory |
+| malware.procMemory | Unknown | Malware proc memory |
+| malware.analysisStatus | Unknown | Malware analysis status |
+| malware.dropped | Unknown | Malware dropped |
+| malware.buffers | Unknown | Malware buffers |
+| malware.hasNetwork | Unknown | If the malware has Network informations |
+| malware.risk | Unknown | Malware associated risk |
+| malware.campaigns | Unknown | Malware related campaigns |
+| malware.campaignIds | Unknown | Malware related campaigns internal IDs |
+| malware.signatures | Unknown | Malware signatures |
+| malware.sigantureIds | Unknown | Malware sigantures internal IDs |
+| malware.threatActors | Unknown | Malware threat actors |
+| malware.threatActorIds | Unknown | Malware threat actors internal IDs |
+| malware.sources | Unknown | Malware sources |
+| malware.sourceIds | Unknown | Malware sources internal IDs |
+| malware.tags | Unknown | Malware tags |
+| malware.tagIds | Unknown | Malware tags internal IDs |
+| malware.crimeServers | Unknown | Malware related crime servers |
+| malware.crimeServerIds | Unknown | Malware crime servers internal IDs |
+| malware.fqdns | Unknown | Malware FQDNs |
+| malware.fqdnIds | Unknown | Malware FQDNs internal IDs |
+| malware.types | Unknown | Malware types |
+| malware.typeIds | Unknown | Malware types internal IDs |
+| malware.sparks | Unknown | Malware sparks |
+| malware.sparkIds | Unknown | Malware sparks internal IDs |
+| malware.ips | Unknown | Malware IPs |
+| malware.ipIds | Unknown | Malware IPs internal IDs |
+
+
+#### Command Example
+```!blueliv-tc-malware hash=ad53660b6d7e8d2ed14bd59b39e1f265148e3c6818a494cce906e749976bade1```
+
+#### Context Example
+```
+{
+ "malware": {
+ "analysisStatus": "FINISHED_SUCCESSFULLY",
+ "buffers": false,
+ "campaignIds": "",
+ "campaigns": 0,
+ "crimeServers": 0,
+ "crimeserverIds": "",
+ "dropped": false,
+ "fileType": "PE",
+ "fqdnIds": "",
+ "fqdns": 0,
+ "hasCandC": false,
+ "hasNetwork": true,
+ "hash": {
+ "md5": "36a40cc55e2ffe7d44d007c6e37afd7f",
+ "sha1": "5c0be68316ce77584a7b966ff40e7d61a8a98055",
+ "sha256": "ad53660b6d7e8d2ed14bd59b39e1f265148e3c6818a494cce906e749976bade1"
+ },
+ "ipIds": "92269700,100333500,",
+ "ips": 2,
+ "memory": false,
+ "procMemory": false,
+ "risk": 7,
+ "signatureIds": "",
+ "signatures": 0,
+ "sourceIds": "1958672,",
+ "sources": 1,
+ "sparkIds": "",
+ "sparks": 0,
+ "tagIds": "",
+ "tags": 0,
+ "threatActorIds": "",
+ "threatActors": 0,
+ "typeIds": "62,",
+ "types": 1
+ },
+ "threatContext": {
+ "hasResults": "true"
+ }
+}
+```
+
+#### Human Readable Output
+
+>### Blueliv Malware file info
+>|analysis_date|analysis_delivered_date|analysis_signatures|analysis_status|at_afapi|behaviors|buffers|cerberus|created_at|created_at_afapi|dropped|file_type|first_seen|has_c_and_c|has_network|has_other_urls|hash|id|ioa|ioc_link|last_risk_scoring|last_seen|links|malfind|malicious_category|md5|memory|metadata|number_properties|pcap|priority_at_afapi|proc_memory|properties|report|risk|sample|scans_link|seen_at_analyzer|sha1|sha256|sha512|slugs_tags|sources_representation|subtype|target|tlp|type|types_names|updated_at|updated_at_afapi|uuid|version|vt_matches| +>|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +>| 2020-06-15T16:30:22.770000Z | 2020-06-15T16:22:00.220000Z | Signature severity - Informative,
    Detected dead hosts,
    Detects the presence of a Debugger,
    Clipboard access capabilities,
    Creates Mutants,
    Detected cryptographic algorithm,
    Has the ability to retrieve keyboard strokes,
    Has the ability to reboot/shutdown the Operating System,
    Detected Packer,
    Detected PE anomalies,
    Reads configuration files,
    Loads Visual Basic Runtime environment,
    Detected injected process,
    Signature severity - Suspicious,
    Allocates memory with Read-Write-Execute permissions,
    Attempts to delay the analysis task,
    Clipboard modification capabilities,
    Spawns processes,
    Classified by Blueliv,
    Allocates memory with write/execute permissions in a remote process,
    Machine Learning scoring,
    Detected Keylogger,
    Detected Autorun Persistence,
    Writes data to a remote process,
    Detected RunPE injection technique,
    VirusTotal matches,
    Signature severity - Malicious | FINISHED_SUCCESSFULLY | true | | false | 0.9645 | 2020-06-15T16:27:20.074884Z | 2020-06-15T16:21:38.209000Z | false | PE | 2020-06-15T16:21:38.209000Z | false | true | false | ad53660b6d7e8d2ed14bd59b39e1f265148e3c6818a494cce906e749976bade1 | 59770710 | ip: 25.20.116.113,
    103.143.173.25,
    192.168.56.102
    url: http://uk.ask.com/favicon.ico,
    http://www.priceminister.com/,
    http://ru.wikipedia.org/,
    http://www.merlin.com.pl/favicon.ico,
    http://www.cnet.com/favicon.ico,
    http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0,
    http://search.nifty.com/,
    http://ns.adobe.com/exif/1.0/,
    http://www.shopzilla.com/,
    http://crl.chambersign.org/publicnotaryroot.crl0,
    http://search.goo.ne.jp/,
    http://fr.wikipedia.org/favicon.ico,
    http://busca.estadao.com.br/favicon.ico,
    http://search.hanafos.com/favicon.ico,
    http://search.chol.com/favicon.ico,
    http://search.livedoor.com/favicon.ico,
    http://amazon.fr/,
    http://www.amazon.co.jp/,
    http://www.e-szigno.hu/SZSZ/0,
    http://busqueda.aol.com.mx/,
    http://search.live.com/results.aspx?FORM=SOLTDF,
    http://msdn.microsoft.com/,
    http://www.sogou.com/favicon.ico,
    http://yellowpages.superpages.com/,
    http://www.expedia.com/favicon.ico,
    http://crl.chambersign.org/chambersroot.crl0,
    http://search.aol.com/,
    http://browse.guardian.co.uk/,
    http://www.mercadolibre.com.mx/,
    http://www.asharqalawsat.com/,
    http://www.facebook.com/,
    http://search.auone.jp/,
    http://www.rtl.de/favicon.ico,
    http://search.msn.com/results.aspx?q=,
    http://www.microsoft.com.,
    http://search.naver.com/favicon.ico,
    http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0,
    http://crl.usertrust.com/UTN-USERFirst-NetworkApplications.crl0,
    http://en.wikipedia.org/favicon.ico,
    http://si.wikipedia.org/w/api.php?action=opensearch,
    http://www.signatur.rtr.at/de/directory/cps.html0,
    http://udn.com/favicon.ico,
    http://rover.ebay.com,
    http://search.ebay.fr/,
    http://www.univision.com/,
    http://pt.wikipedia.org/w/api.php?action=opensearch,
    http://www.certplus.com/CRL/class3TS.crl0,
    http://it.wikipedia.org/favicon.ico,
    http://uk.ask.com/,
    http://www.google.co.uk/,
    http://cnweb.search.live.com/results.aspx?q=,
    http://www.google.cz/,
    http://www.google.co.jp/,
    http://search.ebay.co.uk/,
    http://www.weather.com/,
    http://www.taobao.com/favicon.ico,
    http://www.news.com.au/favicon.ico,
    http://www.priceminister.com/favicon.ico,
    http://www.e-me.lv/repository0,
    http://video.globo.com/,
    http://search.ebay.de/,
    http://www.taobao.com/,
    http://find.joins.com/,
    http://corp.naukri.com/favicon.ico,
    http://www.servicios.clarin.com/,
    http://localhost,
    http://www.rambler.ru/favicon.ico,
    http://www.linternaute.com/favicon.ico,
    http://ns.adobe.com/photoshop/1.0/,
    http://www.etmall.com.tw/,
    http://www.amazon.com/gp/search?ie=UTF8,
    http://search.live.com/results.aspx?FORM=SO2TDF,
    http://www.quovadis.bm0,
    http://www.chambersign.org1,
    http://www.excite.co.jp/,
    http://cs.wikipedia.org/,
    http://www.d-trust.net/crl/d-trust_qualified_root_ca_1_2007_pn.crl0,
    http://www.gismeteo.ru/favicon.ico,
    http://www.cjmall.com/favicon.ico,
    http://suche.t-online.de/,
    http://www.ya.com/favicon.ico,
    http://search.orange.co.uk/favicon.ico,
    http://www.trustcenter.de/guidelines0,
    http://www.mercadolibre.com.mx/favicon.ico,
    http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crl,
    https://ocsp.quovadisoffshore.com0,
    http://www.e-trust.be/CPS/QNcerts,
    http://ns.adobe.com/tiff/1.0/,
    http://www.otto.de/favicon.ico,
    http://search.lycos.com/favicon.ico,
    http://www.iask.com/,
    http://www.arrakis.com/,
    http://it.search.dada.net/,
    http://support.microsoft.com/kb/9311250,
    http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0,
    http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity,
    http://search.ebay.es/,
    http://search.gamer.com.tw/,
    http://busca.igbusca.com.br//app/static/images/favicon.ico,
    http://ns.adobe.com/xap/1.0/,
    http://www.soso.com/favicon.ico,
    http://www.echoworx.com/ca/root2/cps.pdf0,
    http://recherche.tf1.fr/,
    http://si.wikipedia.org/,
    http://list.taobao.com/browse/search_visual.htm?n=15,
    http://www.registradores.org/scr/normativa/cp_f2.htm0,
    http://crl.microsoft.com/pki/crl/products/TrustListPCA.crl0O,
    http://www.usertrust.com1604,
    http://search.centrum.cz/,
    http://www.auction.co.kr/auction.ico,
    http://www.paginasamarillas.es/favicon.ico,
    http://ja.wikipedia.org/favicon.ico,
    http://www.abril.com.br/favicon.ico,
    http://clients5.google.com/complete/search?hl=,
    http://www.ozon.ru/,
    http://search.alice.it/,
    http://www.ssc.lt/cps03,
    http://www.microsoft.com/windowsxp/expertzone/,
    http://search.yahoo.co.jp/favicon.ico,
    http://cnet.search.com/,
    http://www.walmart.com/,
    http://www.microsoft.com/pki/certs/TrustListPCA.crt0,
    http://espn.go.com/favicon.ico,
    http://www.pkioverheid.nl/policies/root-policy0,
    http://www.mtv.com/favicon.ico,
    http://msdn.microsoft.com/workshop/security/szone/overview/templates.asp),
    http://search.interpark.com/,
    http://www.gmarket.co.kr/favicon.ico,
    http://www.certplus.com/CRL/class3.crl0,
    http://www.neckermann.de/favicon.ico,
    http://sitesearch.timesonline.co.uk/,
    http://cn.bing.com/search?q=,
    http://video.globo.com/favicon.ico,
    http://www.passport.com,
    http://es.wikipedia.org/,
    http://img.atlas.cz/favicon.ico,
    https://www.catcert.net/verarrel,
    http://searchresults.news.com.au/,
    http://search.rediff.com/,
    http://search.lycos.co.uk/,
    http://en.wikipedia.org/,
    http://www.google.com.tw/,
    http://www.tchibo.de/,
    http://www.google.com/,
    http://buscador.terra.es/,
    http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0,
    http://crl.ssc.lt/root-a/cacrl.crl0,
    http://search.msn.co.jp/results.aspx?q=,
    http://www.mercadolivre.com.br/favicon.ico,
    http://ja.wikipedia.org/,
    http://search.chol.com/,
    http://crl.usertrust.com/UTN-USERFirst-Object.crl0),
    http://search.espn.go.com/,
    http://www.google.com.sa/,
    http://jobsearch.monster.com/,
    http://buscador.terra.com/,
    http://www.google.co.in/,
    http://suche.freenet.de/,
    http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0,
    http://www.cdiscount.com/favicon.ico,
    http://asp.usatoday.com/,
    http://vachercher.lycos.fr/,
    http://www.yam.com/favicon.ico,
    http://search.sify.com/,
    http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0,
    http://search.ebay.com/favicon.ico,
    http://www.paginasamarillas.es/,
    http://nl.wikipedia.org/,
    http://search.alice.it/favicon.ico,
    http://www.ask.com/,
    http://www.so-net.ne.jp/share/favicon.ico,
    http://espanol.search.yahoo.com/,
    http://crl.usertrust.com/UTN-USERFirst-ClientAuthenticationandEmail.crl0,
    http://www.alarabiya.net/favicon.ico,
    http://pt.wikipedia.org/favicon.ico,
    http://ocnsearch.goo.ne.jp/,
    http://list.taobao.com/,
    http://certificates.starfieldtech.com/repository/1604,
    http://buscador.terra.com.br/,
    http://search.msn.co.uk/results.aspx?q=,
    http://www.google.de/,
    http://www.tiscali.it/favicon.ico,
    http://search.naver.com/,
    http://ie8.ebay.com/open-search/output-xml.php?q=,
    http://www.rambler.ru/,
    http://esearch.rakuten.co.jp/,
    http://www.pki.gva.es/cps0,
    http://www.cdiscount.com/,
    http://www.mercadolivre.com.br/,
    http://www.facebook.com/favicon.ico,
    http://www.t-online.de/favicon.ico,
    http://search.hanafos.com/,
    http://sads.myspace.com/,
    http://repository.swisssign.com/0,
    http://www.acabogacia.org0,
    http://crl.ssc.lt/root-c/cacrl.crl0,
    http://suche.web.de/,
    http://recherche.tf1.fr/favicon.ico,
    http://cs.wikipedia.org/w/api.php?action=opensearch,
    http://search.dreamwiz.com/,
    http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService,
    http://www.yandex.ru/,
    http://www.e-szigno.hu/RootCA.crl,
    http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0,
    http://www.trustdst.com/certificates/policy/ACES-index.html0,
    http://www.baidu.com/favicon.ico,
    http://ariadna.elmundo.es/,
    http://www.rtl.de/,
    http://www.kkbox.com.tw/favicon.ico,
    http://p.zhongsou.com/,
    http://www.ancert.com/cps0,
    https://ca.sia.it/secsrv/repository/CPS0,
    http://www.timesonline.co.uk/img/favicon.ico,
    http://buscar.ozu.es/,
    http://so-net.search.goo.ne.jp/,
    http://cgi.search.biglobe.ne.jp/favicon.ico,
    http://search.livedoor.com/,
    http://www.soso.com/,
    http://www.afisha.ru/App_Themes/Default/images/favicon.ico,
    http://img.shopzilla.com/shopzilla/shopzilla.ico,
    http://wellformedweb.org/CommentAPI/,
    http://crl.oces.certifikat.dk/oces.crl0,
    http://ca.sia.it/seccli/repository/CRL.der0J,
    http://search.orange.co.uk/,
    http://www.myspace.com/favicon.ico,
    http://ariadna.elmundo.es/favicon.ico,
    http://www.e-szigno.hu/RootCA.crt0,
    http://search.gismeteo.ru/,
    http://www3.fnac.com/favicon.ico,
    http://en.wikipedia.org/w/api.php?action=opensearch,
    http://repository.infonotary.com/cps/qcps.html0,
    http://ocsp.pki.gva.es0,
    http://support.microsoft.com,
    http://in.search.yahoo.com/,
    http://www.etmall.com.tw/favicon.ico,
    http://www.ceneo.pl/favicon.ico,
    http://service2.bfast.com/,
    http://tw.search.yahoo.com/,
    http://es.ask.com/,
    http://www.ozu.es/favicon.ico,
    http://www.iask.com/favicon.ico,
    http://www.dailymail.co.uk/favicon.ico,
    http://google.pchome.com.tw/,
    http://crl.ssc.lt/root-b/cacrl.crl0,
    http://p.zhongsou.com/favicon.ico,
    http://crl.securetrust.com/STCA.crl0,
    http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=,
    http://search.ebay.com/,
    http://br.search.yahoo.com/,
    http://suche.lycos.de/,
    http://users.ocsp.d-trust.net03,
    http://www.asharqalawsat.com/favicon.ico,
    http://mail.live.com/,
    http://ru.search.yahoo.com,
    http://de.wikipedia.org/,
    http://crl.comodo.net/AAACertificateServices.crl0,
    http://ns.adobe.com/xap/1.0/mm/,
    http://cps.chambersign.org/cps/chambersroot.html0,
    http://www.google.ru/,
    http://search.empas.com/favicon.ico,
    http://search.seznam.cz/,
    http://de.wikipedia.org/w/api.php?action=opensearch,
    http://www.expedia.com/,
    http://www.clarin.com/favicon.ico,
    http://www.acabogacia.org/doc0,
    http://busca.uol.com.br/,
    http://www.sk.ee/cps/0,
    http://mail.live.com/?rru=compose%3Fsubject%3D,
    https://www.catcert.net/verarrel05,
    http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0,
    http://crl.securetrust.com/SGCA.crl0,
    http://buscador.terra.com/favicon.ico,
    http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0,
    http://crl.globalsign.net/root-r2.crl0,
    http://purl.org/rss/1.0/modules/slash/,
    http://www.d-trust.net0,
    http://es.search.yahoo.com/,
    http://www.ocn.ne.jp/favicon.ico,
    http://www.d-trust.net/crl/d-trust_root_class_2_ca_2007.crl0,
    http://corp.naukri.com/,
    http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended,
    http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity,
    http://www.recherche.aol.fr/,
    http://pl.wikipedia.org/w/api.php?action=opensearch,
    http://www.weather.com/favicon.ico,
    http://search.centrum.cz/favicon.ico,
    http://search.yam.com/,
    http://uk.search.yahoo.com/,
    http://busca.uol.com.br/favicon.ico,
    http://es.wikipedia.org/favicon.ico,
    http://images.joins.com/ui_c/fvc_joins.ico,
    http://cgi.search.biglobe.ne.jp/,
    http://www.microsoft.com/pki/crl/products/TrustListPCA.crl,
    http://msk.afisha.ru/,
    http://es.wikipedia.org/w/api.php?action=opensearch,
    http://www.globaltrust.info0,
    http://www.google.pl/,
    http://www.arrakis.com/favicon.ico,
    http://search.microsoft.com/,
    http://search.goo.ne.jp/favicon.ico,
    http://image.excite.co.jp/jp/favicon/lep.ico,
    https://secure.a-cert.at/cgi-bin/a-cert-advanced.cgi0,
    http://www.merlin.com.pl/,
    http://crl.usertrust.com/UTN-USERFirst-Hardware.crl01,
    http://www.amazon.de/,
    http://www.sogou.com/,
    http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0,
    http://cerca.lycos.it/,
    http://www.usertrust.com1,
    http://www.orange.fr/,
    http://spaces.live.com/BlogIt.aspx,
    http://www.microsofttranslator.com/?ref=IE8Activity,
    http://www.rakuten.co.jp/favicon.ico,
    http://search.nate.com/,
    http://www.nate.com/favicon.ico,
    http://de.wikipedia.org/favicon.ico,
    http://www.dnie.es/dpc0,
    http://www.najdi.si/,
    http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity,
    http://search.daum.net/favicon.ico,
    https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0E,
    http://nl.wikipedia.org/favicon.ico,
    http://crl.pki.wellsfargo.com/wsprca.crl0,
    http://it.search.yahoo.com/,
    http://www.google.it/,
    http://www.d-trust.net/crl/d-trust_root_class_3_ca_2007.crl0,
    http://suche.web.de/favicon.ico,
    http://search.seznam.cz/favicon.ico,
    http://purl.org/rss/1.0/,
    http://search.lycos.com/,
    http://fr.wikipedia.org/w/api.php?action=opensearch,
    http://qual.ocsp.d-trust.net0,
    http://search.dreamwiz.com/favicon.ico,
    http://www.kkbox.com.tw/,
    http://suche.aol.de/,
    http://www.entrust.net/CRL/net1.crl0,
    http://www.entrust.net/CRL/Client1.crl0,
    http://crl.xrampsecurity.com/XGCA.crl0,
    http://search.empas.com/,
    http://yellowpages.superpages.com/favicon.ico,
    http://arianna.libero.it/,
    http://www.dailymail.co.uk/,
    http://ru.wikipedia.org/favicon.ico,
    http://purl.org/rss/1.0/modules/content/,
    http://search.auction.co.kr/,
    http://www.certplus.com/CRL/class1.crl0,
    http://ocsp.infonotary.com/responder.cgi0V,
    http://search.yahoo.co.jp,
    http://asp.usatoday.com/favicon.ico,
    http://www.signatur.rtr.at/current.crl0,
    http://search.msn.com.cn/results.aspx?q=,
    http://crl.microsoft.com/pki/crl/products/tspca.crl0H,
    http://www.a-cert.at/certificate-policy.html0,
    https://localhost,
    http://cn.bing.com/favicon.ico,
    http://www.firmaprofesional.com0,
    http://search2.estadao.com.br/,
    http://www.microsoft.com/pki/certs/tspca.crt0,
    http://search.cn.yahoo.com/,
    http://www.rootca.or.kr/rca/cps.html0,
    http://ie.search.yahoo.com/os?command=,
    http://www.tesco.com/,
    http://search-dyn.tiscali.it/,
    http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl,
    http://search.ipop.co.kr/favicon.ico,
    http://arianna.libero.it/favicon.ico,
    http://www.sk.ee/juur/crl/0,
    http://it.wikipedia.org/,
    http://crl.comodo.net/TrustedCertificateServices.crl0,
    http://busca.orange.es/,
    http://www.microsoft.com/schemas/rss/core/2005/internal,
    http://www.baidu.com/,
    http://home.altervista.org/,
    http://it.search.dada.net/favicon.ico,
    http://www.gmarket.co.kr/,
    http://www.e-certchile.cl/html/productos/download/CPSv1.7.pdf01,
    http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0,
    http://www.google.com.br/,
    http://buscar.ya.com/,
    http://images.monster.com/favicon.ico,
    http://search.ebay.it/,
    http://www.alarabiya.net/,
    http://ru.wikipedia.org/w/api.php?action=opensearch,
    https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0,
    http://www.maktoob.com/favicon.ico,
    http://price.ru/favicon.ico,
    http://ns.adobe.com/pdf/1.3/,
    http://www.microsoft.com/schemas/ie8tldlistdescription/1.0,
    http://logo.verisign.com/vslogo.gif0,
    http://price.ru/,
    http://www.disig.sk/ca/crl/ca_disig.crl0,
    http://www.najdi.si/favicon.ico,
    http://kr.search.yahoo.com/,
    http://www.aol.com/favicon.ico,
    http://www.ozon.ru/favicon.ico,
    http://pl.wikipedia.org/,
    http://www.target.com/favicon.ico,
    http://fr.search.yahoo.com/,
    http://crl.usertrust.com/UTN-DATACorpSGC.crl0,
    http://search.daum.net/,
    http://www.certicamara.com/certicamaraca.crl0,
    http://de.search.yahoo.com/,
    http://suche.freenet.de/favicon.ico,
    http://www.post.trust.ie/reposit/cps.html0,
    http://busca.buscape.com.br/favicon.ico,
    http://www2.public-trust.com/crl/ct/ctroot.crl0,
    http://www.microsoft.com/favicon.ico,
    http://www.certicamara.com0,
    http://auone.jp/favicon.ico,
    http://buscador.lycos.es/,
    http://search.yahoo.com/,
    http://msdn.microsoft.com/workshop/security/privacy/overview/privacyimportxml.asp),
    http://search.rediff.com/favicon.ico,
    http://si.wikipedia.org/favicon.ico,
    http://www3.fnac.com/,
    http://web.ask.com/,
    http://ca.sia.it/secsrv/repository/CRL.der0J,
    http://search.books.com.tw/,
    http://search.ebay.in/,
    http://search.about.com/,
    http://www.neckermann.de/,
    http://www.disig.sk/ca0f,
    http://browse.guardian.co.uk/favicon.ico,
    http://www.tesco.com/favicon.ico,
    http://search.ipop.co.kr/,
    https://www.example.com.,
    http://www.target.com/,
    http://www.amazon.com/favicon.ico,
    http://recherche.linternaute.com/,
    http://www.google.fr/,
    http://www.certicamara.com/dpc/0Z,
    http://openimage.interpark.com/interpark.ico,
    http://www.google.si/,
    http://www.yandex.ru/favicon.ico,
    http://www.google.com/favicon.ico,
    http://www.walmart.com/favicon.ico,
    http://udn.com/,
    http://purl.org/dc/elements/1.1/,
    http://www.wellsfargo.com/certpolicy0,
    http://fedir.comsign.co.il/crl/ComSignCA.crl0,
    http://www.google.es/,
    http://www.cnet.co.uk/,
    http://www.mtv.com/,
    http://search.live.com/results.aspx?FORM=IEFM1,
    http://www.abril.com.br/,
    https://www.netlock.hu/docs/,
    http://search1.taobao.com/,
    http://www.a-cert.at0E,
    http://www.amazon.co.uk/,
    http://it.wikipedia.org/w/api.php?action=opensearch,
    http://www.tchibo.de/favicon.ico,
    http://www.pchome.com.tw/favicon.ico,
    http://pt.wikipedia.org/,
    http://fr.wikipedia.org/,
    http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0,
    https://rca.e-szigno.hu/ocsp0-,
    http://ja.wikipedia.org/w/api.php?action=opensearch,
    https://ca.sia.it/seccli/repository/CPS0,
    http://www.chennaionline.com/ncommon/images/collogo.ico,
    http://www.cjmall.com/,
    http://search.live.com/results.aspx?q=,
    http://www.comsign.co.il/cps0,
    http://www.certifikat.dk/repository0,
    http://cps.chambersign.org/cps/publicnotaryroot.html0,
    http://search.yahoo.com/favicon.ico,
    http://www.quovadisglobal.com/cps0,
    http://busca.igbusca.com.br/,
    http://ca.disig.sk/ca/crl/ca_disig.crl0,
    http://www.nifty.com/favicon.ico,
    http://cps.chambersign.org/cps/chambersignroot.html0,
    http://www.sify.com/favicon.ico,
    http://www.certplus.com/CRL/class2.crl0,
    http://home.altervista.org/favicon.ico,
    http://search.gamer.com.tw/favicon.ico,
    http://busca.buscape.com.br/,
    http://search.atlas.cz/,
    http://www.ceneo.pl/,
    http://crl.chambersign.org/chambersignroot.crl0,
    http://www.certplus.com/CRL/class3P.crl0,
    https://www.netlock.net/docs,
    http://pl.wikipedia.org/favicon.ico,
    http://ns.adobe.com/iX/1.0/,
    http://search.books.com.tw/favicon.ico,
    http://search.aol.in/,
    http://crl.comodoca.com/TrustedCertificateServices.crl0:,
    https://example.com,
    http://cs.wikipedia.org/favicon.ico,
    http://spaces.live.com/,
    http://www.valicert.com/1,
    http://crl.comodoca.com/AAACertificateServices.crl06,
    http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity,
    http://www.crc.bg0,
    http://z.about.com/m/a08.ico,
    http://www.univision.com/favicon.ico,
    http://crl.comodoca.com/COMODOCertificationAuthority.crl0,
    http://nl.wikipedia.org/w/api.php?action=opensearch,
    http://search.aol.co.uk/
    host: 25.20.116.113,
    103.143.173.25
    path: {"pdb_path": [], "filepaths": {"file_read": ["C:\\Users\\desktop.ini", "C:\\Users\\Administrator\\Documents\\desktop.ini"], "dll_loaded": ["kernel32", "gdi32.dll", "kernel32.dll", "UxTheme.dll", "oleaut32.dll", "C:\\Windows\\system32\\ole32.dll", "NTDLL.DLL", "dwmapi.dll", "ntdll.dll", "C:\\Windows\\WinSxS\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\gdiplus.dll", "USER32.DLL", "C:\\Windows\\system32\\uxtheme.dll", "ntmarta.dll", "C:\\Windows\\system32\\MSCTF.dll", "KERNEL32.DLL", "C:\\ogxses\\bin\\monitor-x86.dll", "KERNELBASE.DLL", "API-MS-Win-Core-LocalRegistry-L1-1-0.dll", "user32", "OLEAUT32.DLL", "advapi32.dll", "comctl32", "ole32.dll", "IMM32.dll", "C:\\Windows\\system32\\notepad.exe", "EXPLORER.EXE", "C:\\Windows\\system32\\xmllite.dll", "OLEAUT32.dll", "SHELL32.dll", "DUser.dll", "comctl32.dll", "C:\\Windows\\system32\\DUser.dll", "User32.dll", "USER32", "ADVAPI32.dll", "rpcrt4.dll", "SETUPAPI.dll", "user32.dll", "OLEACC.dll"], "file_moved": [], "file_copied": ["C:\\Users\\Administrator\\Documents\\MSDCSC\\msdcsc.exe", "C:\\Users\\Administrator\\AppData\\Local\\Temp\\sXPFvH.exe"], "file_exists": ["C:\\Windows\\System32\\oleaccrc.dll", "C:\\Users\\Administrator\\Documents\\MSDCSC", "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db", "C:\\", "C:\\Users\\Administrator\\AppData\\Roaming", "C:\\Users\\desktop.ini", "C:\\Users\\Administrator\\Documents\\MSDCSC\\", "C:\\Users\\Administrator\\Documents\\MSDCSC\\rEj9MRKQ3Kzp\\msdcsc.exe", "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000026.db", "C:\\Users\\Administrator\\AppData\\Local\\Temp\\sXPFvH.exe", "C:\\Users\\Administrator\\Documents\\MSDCSC\\rEj9MRKQ3Kzp.dcp", "C:\\Users\\Administrator", "C:\\Users\\Administrator\\Documents", "C:\\Users", "C:\\Users\\Administrator\\AppData\\Local\\Temp\\notepad", 
"C:\\Users\\Administrator\\AppData\\Roaming\\dclogs\\", "C:\\Users\\Administrator\\Documents\\desktop.ini", "C:\\Users\\Administrator\\Documents\\MSDCSC\\msdcsc.exe", "C:\\Users\\Administrator\\AppData\\Local\\Temp\\rEj9MRKQ3Kzp.dcp", "C:\\Users\\Administrator\\AppData\\Roaming\\dclogs"], "file_opened": ["C:\\Windows\\System32\\oleaccrc.dll", "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db", "C:\\", "C:\\Users\\desktop.ini", "C:\\Users\\Administrator\\Documents\\desktop.ini", "C:\\Users\\Administrator", "C:\\Users", "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000026.db", "C:\\Users\\Administrator\\Documents\\MSDCSC\\msdcsc.exe", "C:\\Users\\Administrator\\AppData\\Local\\Temp\\sXPFvH.exe"], "file_created": ["C:\\Windows\\System32\\oleaccrc.dll", "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db", "C:\\", "C:\\Users\\desktop.ini", "C:\\Users\\Administrator\\Documents\\desktop.ini", "C:\\Users\\Administrator", "C:\\Users", "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000026.db", "C:\\Users\\Administrator\\Documents\\MSDCSC\\msdcsc.exe", "C:\\Users\\Administrator\\AppData\\Local\\Temp\\sXPFvH.exe"], "file_deleted": [], "file_written": [], "directory_created": ["C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Windows\\Caches", "C:\\Users\\Administrator\\Documents\\MSDCSC", "C:\\Users\\Administrator\\AppData\\Roaming\\dclogs"], "directory_queried": ["C:\\Users\\Administrator", "C:\\Users\\Administrator\\Documents", "C:\\Users"], "directory_removed": [], "directory_enumerated": []}}
    yara: {"url": [], "misc": {"misc": ["dbgdetect_funcs_ig"], "crypto": ["RIPEMD160_Constants", "SHA1_Constants", "DES_Long", "MD5_Constants", "VC8_Random", "RijnDael_AES_LONG", "Delphi_Random", "BASE64_table", "CRC32_table", "RijnDael_AES_CHAR", "MD5_API"], "packer": ["MinGW_1", "borland_delphi"]}, "memory": ["darkcomet_memory_1", "darkcomet_memory_3", "darkcomet_memory_2", "darkcomet_memory_4"], "generic": [], "pre_analysis": []}
    email:
    mutex: DCPERSFWBP,
    DC_MUTEX-K5CAEA3,
    Local\MSCTF.Asm.MutexDefault1
    ports: {"tcp": [], "udp": [], "tcp_dead": [80, 957]}
    domain:
    regkeys: {"regkey_read": ["HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledProcesses\\21082CA9", "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Language Hotkey", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\UseDropHandler", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}\\Enable", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\lfOutPrecision", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORPARSING", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\StatusBar", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoNetCrawling", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\NoNetCrawling", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\lfOrientation", "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\lfUnderline", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DontShowSuperHidden", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Filter", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForOverlay", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Notepad\\DefaultFonts\\iPointSize", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\NoFileFolderJunction", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\ldap\\UseOldHostResolutionOrder", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\NeverShowExt", 
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowInfoTip", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsParseDisplayName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\IDConfigDB\\CurrentConfig", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\iMarginTop", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideIcons", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\fSaveWindowPositions", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsAliasedNotifications", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\iMarginBottom", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\iMarginLeft", "HKEY_CURRENT_USER\\Software\\DC3_FEXEC\\{e29ac6c0-7037-11de-816d-806e6f6e6963-4234460882}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\AlwaysShowExt", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\IDConfigDB\\CurrentDockInfo\\DockingState", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\IDConfigDB\\Hardware Profiles\\0001\\HwProfileGuid", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Segoe UI", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{618736E0-3C3D-11CF-810C-00AA00389B71}\\ProxyStubClsid32\\(Default)", "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Layout Hotkey", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\lfClipPrecision", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\RestrictedAttributes", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSimpleStartMenu", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\IsShortcut", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Notepad\\DefaultFonts\\lfFaceName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\BrowseInPlace", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\lfCharSet", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\IconsOnly", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\DocObject", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\MachineThrottling", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{0ad25834-bdda-11e5-8e00-806e6f6e6963}\\Generation", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\AutoCheckSelect", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\CallForAttributes", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{0ad25835-bdda-11e5-8e00-806e6f6e6963}\\Generation", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideInWebView", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\SeparateProcess", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\BrowseInPlace", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\SeparateProcess", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\fMLE_is_broken", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORDISPLAY", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\lfFaceName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\DocObject", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\lfItalic", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\DevicePath", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\WebView", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForInfoTip", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\lfWeight", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\IDConfigDB\\Hardware Profiles\\0001\\FriendlyName", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowCompColor", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\ClassicShell", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoWebView", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\lfStrikeOut", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\MS Shell Dlg 2", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\Attributes", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\MapNetDrvBtn", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\lfPitchAndFamily", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\IsShortcut", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\iPointSize", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\AccessProviders\\MartaExtension", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\DontPrettyPath", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\iMarginRight", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\lfQuality", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\szTrailer", "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\PinToNameSpaceTree", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HasNavigationEnum", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\iWindowPosX", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\iWindowPosY", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{0ad25835-bdda-11e5-8e00-806e6f6e6963}\\Data", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\fWrap", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellState", "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Hotkey", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{0ad25838-bdda-11e5-8e00-806e6f6e6963}\\Data", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowTypeOverlay", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\es-ES", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\ldap\\LdapClientIntegrity", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{0ad25834-bdda-11e5-8e00-806e6f6e6963}\\Data", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideFolderVerbs", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\NeverShowExt", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}\\DriveMask", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\MapNetDriveVerbs", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\GlobalSession", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\DocObject", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\NeverShowExt", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\es-ES", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\IsShortcut", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\szHeader", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\ldap\\UseHostnameAsAlias", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\iWindowPosDY", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\iWindowPosDX", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{0ad25838-bdda-11e5-8e00-806e6f6e6963}\\Generation", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\EnableAnchorContext", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad\\lfEscapement", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\BrowseInPlace", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsUniversalDelegate"], "regkey_opened": ["HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_CURRENT_USER\\Software\\DC2_USERS", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SQMClient\\Windows\\DisabledProcesses\\", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", 
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\KnownClasses", "HKEY_CLASSES_ROOT\\Folder", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SQMClient\\Windows", "HKEY_CLASSES_ROOT\\Directory", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\", "HKEY_CLASSES_ROOT\\Drive\\shellex\\FolderExtensions", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\LSA\\AccessProviders", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume", "HKEY_CURRENT_USER\\Software\\Borland\\Locales", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\ShellEx\\IconHandler", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{0ad25838-bdda-11e5-8e00-806e6f6e6963}\\", "HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\DirectSwitchHotkeys", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\(Default)", "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\Explorer", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{FA445657-9379-11D6-B41A-00065B83EE53}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\Clsid", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Explorer", 
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\IDConfigDB\\Hardware Profiles\\0001", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", "HKEY_CLASSES_ROOT\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder", "HKEY_LOCAL_MACHINE\\System\\Setup", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\BrowseInPlace", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\Directory", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\DocObject", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale", "HKEY_CURRENT_USER\\Software\\DC3_FEXEC", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\CurVer", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\BrowseInPlace", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{70FAF614-E0B1-11D3-8F5C-00C04F9CF4AC}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum", "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\DocObject", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\ShellEx\\IconHandler", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Shell\\RegisteredApplications\\UrlAssociations\\Directory\\OpenWithProgids", 
"HKEY_CLASSES_ROOT\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Notepad\\DefaultFonts", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_CLASSES_ROOT\\Interface\\{618736E0-3C3D-11CF-810C-00AA00389B71}\\ProxyStubClsid32", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\ComputerName\\ActiveComputerName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\Clsid", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\DirectUI", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\Clsid", "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SQMClient\\Windows", "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LDAP", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\IDConfigDB", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\ShellEx\\IconHandler", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\IDConfigDB\\CurrentDockInfo", "HKEY_LOCAL_MACHINE\\Software\\Borland\\Locales", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\notepad.exe", "HKEY_CURRENT_USER\\Software\\Borland\\Delphi\\Locales", "HKEY_CLASSES_ROOT\\AllFilesystemObjects", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{0ad25835-bdda-11e5-8e00-806e6f6e6963}\\", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{0ad25834-bdda-11e5-8e00-806e6f6e6963}\\", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\DocObject", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{3697C5FA-60DD-4B56-92D4-74A569205C16}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\BrowseInPlace"], "regkey_created": ["HKEY_CURRENT_USER\\Software", "HKEY_CURRENT_USER\\Software\\DC3_FEXEC", 
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"], "regkey_deleted": [], "regkey_written": ["HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\MicroUpdate", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\UserInit"], "regkey_enumerated": ["HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{3697C5FA-60DD-4B56-92D4-74A569205C16}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\DirectSwitchHotkeys"]}
    metadata: {"crc32": {"original": "B7CACEE9", "unpacked": {}}, "names": {"title": [], "author": [], "country": [], "creator": [], "subject": [], "locality": [], "producer": [], "common_name": [], "company_name": null, "organization": [], "product_name": null, "internal_name": null, "private_build": null, "special_build": null, "legal_copyright": null, "legal_trademarks": null, "original_filename": null, "organizational_unit": []}, "ssdeep": {"original": "12288:f9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hPA:JZ1xuVVjfFoynPaVBUR8f+kN10EBO", "unpacked": {}}, "file_type": {"original": "PE32 executable (GUI) Intel 80386, for MS Windows", "unpacked": {}}, "pe_imphash": "e5b4359a3773764a372173074ae9b6bd", "postal_code": null, "pe_timestamp": "2012-06-07 17:59:53", "signing_date": "", "peid_signatures": []}
    registry:
    connections: {"tcp": [], "udp": [], "tcp_dead": ["25.20.116.113:957", "103.143.173.25:80"]}
    certificates:
    process_name: msdcsc.exe,
    sXPFvH.exe,
    notepad.exe
    attack_patterns: {'id': 'T1022', 'name': 'Data Encrypted'},
    {'id': 'T1056', 'name': 'Input Capture'},
    {'id': 'T1529', 'name': 'System Shutdown/Reboot'},
    {'id': 'T1027', 'name': 'Obfuscated Files or Information'},
    {'id': 'T1045', 'name': 'Software Packing'},
    {'id': 'T1055', 'name': 'Process Injection'},
    {'id': 'T1497', 'name': 'Virtualization/Sandbox Evasion'},
    {'id': 'T1115', 'name': 'Clipboard Data'},
    {'id': 'T1060', 'name': 'Registry Run Keys / Startup Folder'},
    {'id': 'T1093', 'name': 'Process Hollowing'} | https://tctrustoylo.blueliv.com/api/v1/malware/ad53660b6d7e8d2ed14bd59b39e1f265148e3c6818a494cce906e749976bade1/ioc/ | 2020-06-15T16:48:42.527191Z | 2020-06-15T18:25:32Z | self: https://tctrustoylo.blueliv.com/api/v1/malware/ad53660b6d7e8d2ed14bd59b39e1f265148e3c6818a494cce906e749976bade1/ | false | 2 | 36a40cc55e2ffe7d44d007c6e37afd7f | false | | 0 | https://tctrustoylo.blueliv.com/api/v1/malware/ad53660b6d7e8d2ed14bd59b39e1f265148e3c6818a494cce906e749976bade1/pcap/ | 3 | false | | https://tctrustoylo.blueliv.com/api/v1/malware/ad53660b6d7e8d2ed14bd59b39e1f265148e3c6818a494cce906e749976bade1/report/ | 7.0 | https://tctrustoylo.blueliv.com/api/v1/malware/ad53660b6d7e8d2ed14bd59b39e1f265148e3c6818a494cce906e749976bade1/sample/ | https://tctrustoylo.blueliv.com/api/v1/malware/ad53660b6d7e8d2ed14bd59b39e1f265148e3c6818a494cce906e749976bade1/enrichment/scans/ | false | 5c0be68316ce77584a7b966ff40e7d61a8a98055 | ad53660b6d7e8d2ed14bd59b39e1f265148e3c6818a494cce906e749976bade1 | e7ebf12d5dc0900faafa73d090b62c1ce583858606217d935981bf3d51dbd6e63eefd67b103913240173b2bafbcaac689d83828654ecf054cb7a30766c4a3cc6 | | virustotalAPI | DARKCOMET | false | white | Malware | DARKCOMET | 2020-06-15T17:12:28.893118Z | 2020-06-15T16:30:33.293000Z | | none | darkkomet,
    fynloski,
genmalicious |
+
+
+### blueliv-tc-indicator-ip
+***
+Gets information about an IP
+
+
+#### Base Command
+
+`blueliv-tc-indicator-ip`
+#### Input
+
+| **Argument Name** | **Description** | **Required** |
+| --- | --- | --- |
+| IP_id | Internal Blueliv's IP ID | Required |
+| IP | IP to search | Optional |
+
+
+#### Context Output
+
+| **Path** | **Type** | **Description** |
+| --- | --- | --- |
+| indicator.lastSeen | Unknown | Indicator last seen |
+| indicator.risk | Unknown | Indicator risk |
+| indicator.latitude | Unknown | Indicator latitude |
+| indicator.longitude | Unknown | Indicator longitude |
+| indicator.countryId | Unknown | Indicator countryes internal IDs |
+| indicator.campaigns | Unknown | Indicator campaigns |
+| indicator.campaignIds | Unknown | Indicator campaigns internal IDs |
+| indicator.signatures | Unknown | Indicator signatures |
+| indicator.signatureIds | Unknown | Indicator signatures internal IDs |
+| indicator.threatActors | Unknown | Indicator threat actors |
+| indicator.threatActorIds | Unknown | Indicator threat actors internal IDs |
+| indicator.tags | Unknown | Indicator tags |
+| indicator.tagIds | Unknown | Indicator tags internal IDs |
+| indicator.fqdns | Unknown | Indicator FQDNs |
+| indicator.fqdnIds | Unknown | Indicator FQDNs internal IDs |
+| indicator.sparks | Unknown | Indicator sparks |
+| indicator.sparkIds | Unknown | Indicator sparks internal IDs |
+| indicator.bots | Unknown | Indicator bots |
+| indicator.botIds | Unknown | Indicator bots internal IDs |
+
+
+#### Command Example
+```!blueliv-tc-indicator-ip IP="103.76.228.28"```
+
+#### Context Example
+```
+{
+ "indicator": {
+ "botIds": "",
+ "bots": 0,
+ "campaignIds": "",
+ "campaigns": 0,
+ "countryId": "103",
+ "fqdnIds": "",
+ "fqdns": 0,
+ "lastSeen": "2020-06-15T18:25:00Z",
+ "latitude": "20.0",
+ "longitude": "77.0",
+ "risk": "4.0",
+ "signatureIds": "",
+ "signatures": 0,
+ "sparkIds": "",
+ "sparks": 0,
+ "tagIds": "",
+ "tags": 0,
+ "threatActorIds": "",
+ "threatActors": 0
+ },
+ "threatContext": {
+ "hasResults": "true"
+ }
+}
+```
+
+#### Human Readable Output
+
+>### Blueliv IP info
+>|address|asn_number|asn_owner|at_afapi|created_at|created_at_afapi|first_seen|history_link|id|ioc_link|last_risk_scoring|last_seen|latitude|links|longitude|passive_dns_link|risk|slugs_tags|tlp|type|updated_at|updated_at_afapi|virus_total_link|whois_link|
+>|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
+>| 103.76.228.28 | 394695 | PDR | false | 2019-05-03T09:57:46.834135Z | | 2019-04-11T04:12:09.830000Z | https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/history/ | 70236228 | https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/ioc/ | 2020-06-15T15:17:47.624936Z | 2020-06-15T18:25:00Z | 20.0 | self: https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/ | 77.0 | https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/enrichment/passive-dns/ | 4.0 | | amber | IP | 2020-06-15T16:44:49.623167Z | | https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/enrichment/virus-total/ | https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/enrichment/whois/ |
+
+
+### blueliv-tc-cve
+***
+Gets information about CVE
+
+
+#### Base Command
+
+`blueliv-tc-cve`
+#### Input
+
+| **Argument Name** | **Description** | **Required** |
+| --- | --- | --- |
+| CVE | CVE to search | Optional |
+| CVE_id | Internal Blueliv's CVE ID | Optional |
+
+
+#### Context Output
+
+| **Path** | **Type** | **Description** |
+| --- | --- | --- |
+| cve.name | Unknown | CVE name |
+| cve.description | Unknown | CVE description |
+| cve.updatedAt | Unknown | CVE updated at |
+| cve.score | Unknown | CVE score |
+| cve.attackPatterns | Unknown | CVE attack patterns |
+| cve.attackPatternIds | Unknown | CVE attackp patterns internal IDs |
+| cve.signatures | Unknown | CVE signatures |
+| cve.signatureIds | Unknown | CVE signatures internal IDs |
+| cve.tags | Unknown | CVE tags |
+| cve.tagIds | Unknown | CVE tags internal IDs |
+| cve.crimeServers | Unknown | CVE Crime servers |
+| cve.crimeServerIds | Unknown | CVE crime servers internal IDs |
+| cve.sparks | Unknown | CVE sparks |
+| cve.sparkIds | Unknown | CVE sparks internal IDs |
+| cve.malware | Unknown | CVE malware |
+| cve.malwareIds | Unknown | CVE malwares internal IDs |
+| cve.exploits | Unknown | CVE exploits |
+| cve.platforms | Unknown | CVE platforms |
+
+
+#### Command Example
+```!blueliv-tc-cve CVE="CVE-2020-8794"```
+
+#### Context Example
+```
+{}
+```
+
+#### Human Readable Output
+
+>{"apiId": "THIAPP", "url": "/api/v1/cve/CVE-2020-8794/relationships/attack-pattern/", "requestType": "GET"}
+
+### blueliv-tc-indicator-fqdn
+***
+Gets information about FQDN
+
+
+#### Base Command
+
+`blueliv-tc-indicator-fqdn`
+#### Input
+
+| **Argument Name** | **Description** | **Required** |
+| --- | --- | --- |
+| FQDN_id | Internal Blueliv's FQDN id | Optional |
+| FQDN | FQDN to search | Optional |
+
+
+#### Context Output
+
+| **Path** | **Type** | **Description** |
+| --- | --- | --- |
+| indicator.lastSeen | Unknown | Indicator last seen |
+| indicator.risk | Unknown | Indicator risk |
+| indicator.campaigns | Unknown | Indicator campaigns |
+| indicator.campaignIds | Unknown | Indicator campaigns internal IDs |
+| indicator.signatures | Unknown | Indicator signatures |
+| indicator.signatureIds | Unknown | Indicator signatures internal IDs |
+| indicator.threatActors | Unknown | Indicator threat actors |
+| indicator.threatActorIds | Unknown | Indicator threat actors internal IDs |
+| indicator.tags | Unknown | Indicator tags |
+| indicator.tagIds | Unknown | Indicator tags internal IDs |
+| indicator.crimeServers | Unknown | Indicator crime servers |
+| indicator.crimeServerIds | Unknown | Indicator crime servers internal IDs |
+| indicator.sparks | Unknown | Indicator sparks |
+| indicator.sparkIds | Unknown | Indicator sparks internal IDs |
+| indicator.ips | Unknown | Indicator IPs |
+| indicator.ipIds | Unknown | Indicator IPs internal IDs |
+
+
+#### Command Example
+```!blueliv-tc-indicator-fqdn FQDN="self-repair.r53-2.services.mozilla.com"```
+
+#### Context Example
+```
+{
+ "indicator": {
+ "campaignIds": "",
+ "campaigns": 0,
+ "crimeServerIds": "",
+ "crimeServers": 0,
+ "ipIds": "",
+ "ips": 0,
+ "lastSeen": "2018-08-07T22:40:47.580489Z",
+ "risk": "2.5",
+ "signatureIds": "",
+ "signatures": 0,
+ "sparkIds": "",
+ "sparks": 0,
+ "tagids": "",
+ "tags": 0,
+ "threatActorIds": "",
+ "threatActors": 0
+ },
+ "threatContext": {
+ "hasResults": "true"
+ }
+}
+```
+
+#### Human Readable Output
+
+>### Blueliv FQDN info
+>|active_dns_link|created_at|domain|first_seen|history_link|id|ioc_link|last_risk_scoring|last_seen|links|passive_dns_link|risk|slugs_tags|tlp|type|updated_at|virus_total_link|whois_link|
+>|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
+>| https://tctrustoylo.blueliv.com/api/v1/fqdn/anad.ir/enrichment/dns/ | 2018-08-07T22:40:47.580640Z | anad.ir | 2018-08-07T22:40:47.580479Z | https://tctrustoylo.blueliv.com/api/v1/fqdn/anad.ir/history/ | 5783871 | https://tctrustoylo.blueliv.com/api/v1/fqdn/anad.ir/ioc/ | 2020-06-15T17:25:37.498738Z | 2018-08-07T22:40:47.580489Z | self: https://tctrustoylo.blueliv.com/api/v1/fqdn/anad.ir/ | https://tctrustoylo.blueliv.com/api/v1/fqdn/anad.ir/enrichment/passive-dns/ | 2.5 | | white | FQDN | 2020-06-15T17:25:37.499246Z | https://tctrustoylo.blueliv.com/api/v1/fqdn/anad.ir/enrichment/virus-total/ | https://tctrustoylo.blueliv.com/api/v1/fqdn/anad.ir/enrichment/whois/ |
+
+
+### blueliv-tc-indicator-cs
+***
+Gets information about a Crime Server
+
+
+#### Base Command
+
+`blueliv-tc-indicator-cs`
+#### Input
+
+| **Argument Name** | **Description** | **Required** |
+| --- | --- | --- |
+| CS_id | Internal Blueliv's Crime Server id | Required |
+| CS | The name of the Crime Server to search | Optional |
+
+
+#### Context Output
+
+| **Path** | **Type** | **Description** |
+| --- | --- | --- |
+| indicator.lastSeen | Unknown | Indicator lastSeen |
+| indicator.status | Unknown | Indicator status |
+| indicator.risk | Unknown | Indicator risk |
+| indicator.isFalsePositive | Unknown | Indicator is a false positive |
+| indicator.crimeServerUrl | Unknown | Indicator crime server URL |
+| indicator.creditCardsCount | Unknown | Indicator credit cards count |
+| indicator.credentialsCount | Unknown | Indicator credentials count |
+| indicator.botsCount | Unknown | Indicator bots count |
+| indicator.fqdnId | Unknown | Indicator FQDNs internal IDs |
+| indicator.malware | Unknown | Indicator malware |
+| indicator.malwareIds | Unknown | Indicator malwares internal IDs |
+| indicator.tags | Unknown | Indicator tags |
+| indicator.tagIds | Unknown | Indicator tags internal IDs |
+| indicator.sparks | Unknown | Indicator sparks |
+| indicator.sparkIds | Unknown | Indicator sparks internal IDs |
+
+
+#### Command Example
+```!blueliv-tc-indicator-cs CS_id=6626263```
+
+#### Context Example
+```
+{
+ "indicator": {
+ "botsCount": "0",
+ "credentialsCount": "0",
+ "creditCardsCount": "0",
+ "crimeServerUrl": "http://saveback.xyz/asdfgh35546fhwJYGvdfgsadsg/login.php",
+ "fqdnId": "9633658",
+ "isFalsePositive": "False",
+ "lastSeen": "2020-06-15T16:46:06.170000Z",
+ "malware": 0,
+ "malwareIds": "",
+ "risk": "4.0",
+ "sourceIds": "642676,",
+ "sources": 1,
+ "sparkIds": "",
+ "sparks": 0,
+ "status": "online",
+ "tagIds": "",
+ "tags": 0
+ },
+ "threatContext": {
+ "hasResults": "true"
+ }
+}
+```
+
+#### Human Readable Output
+
+>### Blueliv Crime Server info
+>|at_feed|at_free_feed|bots_count|confidence|created_at|created_at_afapi|credentials_count|credit_cards_count|crime_server_url|false_positive_modification_time|first_seen|id|ioc_link|is_false_positive|last_log_timestamp|last_risk_scoring|last_seen|links|main_type|risk|scans_link|service_scans|slugs_tags|status|subtype_name|target_status|tlp|type|updated_at|updated_at_afapi|
+>|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
+>| true | true | 0 | 1 | 2020-06-15T17:02:40.327300Z | 2020-06-15T16:46:06.119000Z | 0 | 0 | http://saveback.xyz/asdfgh35546fhwJYGvdfgsadsg/login.php | 2020-06-15T17:02:38.524874Z | 2020-06-15T16:44:25Z | 6626263 | https://tctrustoylo.blueliv.com/api/v1/crime-server/6626263/ioc/ | false | | 2020-06-15T17:14:36.146566Z | 2020-06-15T16:46:06.170000Z | self: https://tctrustoylo.blueliv.com/api/v1/crime-server/6626263/ | c_and_c | 4.0 | https://tctrustoylo.blueliv.com/api/v1/crime-server/6626263/enrichment/scans/ | | | online | ANUBIS | | amber | CrimeServer | 2020-06-15T17:14:36.149943Z | 2020-06-15T16:46:06.170000Z |
+
+
+### blueliv-tc-threat-actor
+***
+Gets information about a Threat Actor
+
+
+#### Base Command
+
+`blueliv-tc-threat-actor`
+#### Input
+
+| **Argument Name** | **Description** | **Required** |
+| --- | --- | --- |
+| threatActor | Threat Actor to search | Optional |
+| threatActor_id | Internal Blueliv's Threat Actor id | Optional |
+
+
+#### Context Output
+
+| **Path** | **Type** | **Description** |
+| --- | --- | --- |
+| threatActor.name | Unknown | Threat actor name |
+| threatActor.description | Unknown | Threat actor description |
+| threatActor.objective | Unknown | Threat actor objective |
+| threatActor.sophistication | Unknown | Threat actor sophistication |
+| threatActor.lastSeen | Unknown | Threat actor last seen |
+| threatActor.active | Unknown | Threat actor active |
+| threatActor.milestones | Unknown | Threat actor milestones |
+| threatActor.milestoneIds | Unknown | Threat actor milestones internal IDs |
+| threatActor.tools | Unknown | Threat actor tools |
+| threatActor.toolIds | Unknown | Threat actor tools internal IDs |
+| threatActor.campaigns | Unknown | Threat actor campaigns |
+| threatActor.campaignIds | Unknown | Threat actor campaigns internal IDs |
+| threatActor.signatures | Unknown | Threat actor signatures |
+| threatActor.signatureIds | Unknown | Threat actor signatures internal IDs |
+| threatActor.onlineServices | Unknown | Threat actor online services |
+| threatActor.onlineServiceIds | Unknown | Threat actor online services internal IDs |
+| threatActor.malware | Unknown | Threat actor malware |
+| threatActor.malwareIds | Unknown | Threat actor malwares internal IDs |
+| threatActor.threatTypes | Unknown | Threat actor threat types |
+| threatActor.threatTypeIds | Unknown | Threat actor threat types internal IDs |
+| threatActor.fqdns | Unknown | Threat actor FQDNs |
+| threatActor.fqdnIds | Unknown | Threat actor FQDNs internal IDs |
+| threatActor.attackPatterns | Unknown | Threat actor attack patterns |
+| threatActor.attackPatternIds | Unknown | Threat actor attack patterns internal IDs |
+| threatActor.ips | Unknown | Threat actor IPs |
+| threatActor.ipIds | Unknown | Threat actor IPs internal IDs |
+| threatActor.targets | Unknown | Threat actor targets |
+| threatActor.targetIds | Unknown | Threat actor targets internal IDs |
+
+
+#### Command Example
+```!blueliv-tc-threat-actor threatActor=Vendetta```
+
+#### Context Example
+```
+{
+ "threatAactor": {
+ "onlineServices": 0,
+ "threatTypes": 0
+ },
+ "threatActor": {
+ "active": "True",
+ "attackPatternIds": "511,529,603,613,703,705,735,",
+ "attackPatterns": 7,
+ "campaignIds": "",
+ "campaigns": 0,
+ "description": "
    Key Points
    \n\n
      \n\t
    • \n\t

      Vendetta is a threat actor based on Italy or Turkey discovered in April 2020 that seeks to steal targeted business intelligence.

      \n\t
    • \n\t
    • \n\t

      Vendetta targeted enterprises located in North America, Eastern Europe, Asia, and Oceania regions.

      \n\t
    • \n\t
    • The threat actor uses social engineering techniques to infect the victims with a RAT.
    • \n
    \n\n
    Assessment
    \n\n

    Vendetta is a Threat Actor that became active on April 2020, and was discovered by 360 Baize Lab. The name comes from a PDB path found in one of the samples:

    \n\n
    C:\\Users\\Vendetta\\source\\repos\\{project name}\\*\\obj\\Debug\\{project name}.pdb
    \n\n

    Based on some information found on the samples themselves, and the tools used, 360 Baize Labs speculates that the actor is of European origin, either from Turkey or from Italy. Some of their malware samples contain the text "Developers from Italy" which indicates the threat actor may be Italian, but these also contain Turkish names in variables like RoboSky suggest they could actually be from Turkey.

    \n\n

    Vendetta targeted its victims with highly convincing spearphishing emails, impersonating entities such as Australian Government Department of Health, Austrian Federal Ministry of the Interior (BMI), or the Mexican health department. The emails contained a malicious attachment called pdf.exe, trying to trick the victim into opening the executable file thinking it is a pdf file, which ultimately installed the NanoCore and RemcosRAT malware.

    ", + "fqdnIds": "9607329,", + "fqdns": 1, + "ips": 1, + "lastSeen": "2020-06-10T00:00:00Z", + "malware": 56, + "malwareIds": "55048892,55954618,56069689,56081184,56101608,56174304,56435633,56482393,56528142,56528442,56660508,56822336,56834251,56895357,56906597,56921822,56963320,57023523,57143218,57500808,57531883,57577157,57992940,58151119,59402651,59402653,59402654,59402655,59402656,59406230,59406231,59406232,59406233,59406234,59406235,59406236,59421287,59421291,59421298,59421308,59421351,59421352,59421389,59421399,59421403,59421435,59421463,59421467,59421471,59421474,59421499,59421511,59421557,59421568,59421605,59468951,", + "milestoneIds": "", + "milestones": 0, + "name": "Vendetta", + "objective": "

    This threat actor appears to be focused on stealing information from the target by using remote access trojans to infect organizations.

    ", + "onlineServiceIds": "", + "signatureIds": "", + "signatures": 0, + "sophistication": "intermediate", + "targetIds": "13,14,36,46,62,98,120,154,163,186,188,220,225,227,254,257,259,268,293,301,1164,", + "targets": 21, + "threatTypeIds": "", + "toolIds": "136,193,", + "tools": 2 + }, + "threatActor,ipIds": "96161121,", + "threatContext": { + "hasResults": "true" + } +} +``` + +#### Human Readable Output + +>### Blueliv Threat Actor info +>|active|aliases|country_name|created_at|description|first_seen|id|ioc_link|last_seen|links|modus_operandi|name|objective|references|sophistication|tlp|type|types|updated_at|uuid| +>|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +>| true | Vendetta | Italy | 2020-06-10T11:23:22.584500Z |
    Key Points




    • Vendetta is a threat actor based on Italy or Turkey discovered in April 2020 that seeks to steal targeted business intelligence.




    • Vendetta targeted enterprises located in North America, Eastern Europe, Asia, and Oceania regions.



    • The threat actor uses social engineering techniques to infect the victims with a RAT.



    Assessment


    Vendetta is a Threat Actor that became active on April 2020, and was discovered by 360 Baize Lab. The name comes from a PDB path found in one of the samples:



    C:\Users\Vendetta\source\repos\{project name}\*\obj\Debug\{project name}.pdb


    Based on some information found on the samples themselves, and the tools used, 360 Baize Labs speculates that the actor is of European origin, either from Turkey or from Italy. Some of their malware samples contain the text "Developers from Italy" which indicates the threat actor may be Italian, but these also contain Turkish names in variables like RoboSky suggest they could actually be from Turkey.



    Vendetta targeted its victims with highly convincing spearphishing emails, impersonating entities such as Australian Government Department of Health, Austrian Federal Ministry of the Interior (BMI), or the Mexican health department. The emails contained a malicious attachment called pdf.exe, trying to trick the victim into opening the executable file thinking it is a pdf file, which ultimately installed the NanoCore and RemcosRAT malware.

    | 2020-04-01T00:00:00Z | 232 | https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/ioc/ | 2020-06-10T00:00:00Z | self: https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/ |

    Vendetta uses well designed phishing campaigns to target businesses and individuals. The phishing emails contain a malicious payload that, once unleashed, will install a RAT in the infected computer.

    | Vendetta |

    This threat actor appears to be focused on stealing information from the target by using remote access trojans to infect organizations.

    | {'link': 'https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/', 'title': 'Vendetta-new threat actor from Europe'} | intermediate | white | ThreatActor | hacker | 2020-06-10T12:29:16.463528Z | | + + +### blueliv-tc-campaign +*** +Gets information about a Campaign + + +#### Base Command + +`blueliv-tc-campaign` +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| campaign | Name of the Campaign to search for | Optional | +| campaign_id | Blueliv's internal Campaign id | Optional | + + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| campaign.name | Unknown | Campaign name | +| campaign.description | Unknown | Campaign description | +| campaign.lastSeen | Unknown | Campaign last seen | +| campaign.botnets | Unknown | Campaign botnets | +| campaign.botnetIds | Unknown | Campaign botnets internal IDs | +| campaign.signatures | Unknown | Campaign signatures | +| campaign.signatureIds | Unknown | Campaign signatures internal IDs | +| campaign.ips | Unknown | Campaign IPs | +| campaign.ipIds | Unknown | Campaign IPs internal IDs | +| campaign.malware | Unknown | Campaign malware | +| campaign.malwareIds | Unknown | Campaign malwares internal IDs | +| campaign.attackPatterns | Unknown | Campaign attack patterns | +| campaign.attackPatternIds | Unknown | Campaign attack patterns internal IDs | +| campaign.tools | Unknown | Campaign tools | +| campaign.toolIds | Unknown | Campaign tools internal IDs | +| campaign.fqdns | Unknown | Campaign FQDNs | +| campaign.fqdnIds | Unknown | Campaign FQDNs internal IDs | +| campaign.threatActorId | Unknown | Campaign threat actors internal IDs | + + +#### Command Example +```!blueliv-tc-campaign campaign_id=152``` + +#### Context Example +``` +{ + "campaign": { + "attackPatternIds": "", + "attackPatterns": 0, + "botnetIds": "", + "botnets": 0, + "description": "

    A distribution campaign for the GRANDOREIRO banking Trojan. Through spam emails they got users to visit fake websites. The topic is usually electronic invoices, but recently they have used topics related to the coronavirus pandemic.

    \n\n

    There are different types of downloaders: VBS scripts, MSI files, executable downloaders. These downloaders contain an encoded URL that allows them to download an ISO file, usually hosted by a public service such as DROPBOX or GITHUB.

    \n\n

    This ISO file is actually a text file, which contains BASE64. Once decoded, a ZIP file containing GRANDOREIRO is obtained.

    \n\n

    Sometimes a password is required to extract the GRANDOREIRO trojan from the ZIP file. This prevents analyzing its content without analysing the downloader first.

    ", + "fqdnIds": "138612,9322638,9394712,9549083,9549084,9549097,9549098,9549099,", + "fqdns": 8, + "ips": 0, + "lastSeen": "2020-05-28T00:00:00Z", + "malware": 9, + "malwareIds": "55800558,55800615,58635752,58635753,58635754,58635755,58635756,58635757,58635758,", + "name": "2020 Grandoreiro campaign against banks in LATAM, Portugal and Spain", + "signatureIds": "", + "signatures": 0, + "threatActorId": "226", + "toolIds": "673,", + "tools": 1 + }, + "campaign,ipIds": "", + "threatContext": { + "hasResults": "true" + } +} +``` + +#### Human Readable Output + +>### Blueliv Campaign info +>|created_at|description|first_seen|id|ioc_link|last_seen|links|name|tlp|type|updated_at|uuid| +>|---|---|---|---|---|---|---|---|---|---|---|---| +>| 2020-05-28T21:24:11.307288Z |

    A distribution campaign for the GRANDOREIRO banking Trojan. Through spam emails they got users to visit fake websites. The topic is usually electronic invoices, but recently they have used topics related to the coronavirus pandemic.



    There are different types of downloaders: VBS scripts, MSI files, executable downloaders. These downloaders contain an encoded URL that allows them to download an ISO file, usually hosted by a public service such as DROPBOX or GITHUB.



    This ISO file is actually a text file, which contains BASE64. Once decoded, a ZIP file containing GRANDOREIRO is obtained.



    Sometimes a password is required to extract the GRANDOREIRO trojan from the ZIP file. This prevents analyzing its content without analysing the downloader first.

    | 2020-04-16T00:00:00Z | 152 | https://tctrustoylo.blueliv.com/api/v1/campaign/152/ioc/ | 2020-05-28T00:00:00Z | self: https://tctrustoylo.blueliv.com/api/v1/campaign/152/ | 2020 Grandoreiro campaign against banks in LATAM, Portugal and Spain | white | Campaign | 2020-05-28T23:58:36.883515Z | | + + +### blueliv-tc-attack-pattern +*** +Gets information about a Attack Pattern + + +#### Base Command + +`blueliv-tc-attack-pattern` +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| attackPattern | The Attack Pattern's name to search for | Optional | +| attackPatternId | Interanl Blueliv's ID for the Attack Pattern | Optional | + + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| attackPattern.name | Unknown | Attack pattern name | +| attackPattern.description | Unknown | Attack pattern description | +| attackPattern.updatedAt | Unknown | Attack pattern updated at | +| attackPattern.severity | Unknown | Attack pattern severity | +| attackPattern.signatures | Unknown | Attack pattern signatures | +| attackPattern.signatureIds | Unknown | Attack pattern signatures internal IDs | +| attackPattern.campaigns | Unknown | Attack pattern campaigns | +| attackPattern.campaignIds | Unknown | Attack pattern campaigns internal IDs | +| attackPattern.threatActors | Unknown | Attack pattern threat actors | +| attackPattern.threatActorIds | Unknown | Attack pattern threat actors internal IDs | +| attackPattern.cves | Unknown | Attack pattern CVEs | +| attackPattern.cveIds | Unknown | Attack pattern CVEs internal IDs | + + +#### Command Example +```!blueliv-tc-attack-pattern attackPattern="Account Discovery"``` + +#### Context Example +``` +{ + "attackPattern": { + "campaignIds": "95,81,82,83,3,", + "campaigns": 5, + "cveIds": "", + "cves": 0, + "description": "Adversaries may attempt to get a listing of local system or domain accounts. 
\n\n### Windows\n\nExample commands that can acquire this information are net user, net group , and net localgroup using the [Net](https://attack.mitre.org/software/S0039) utility or through use of [dsquery](https://attack.mitre.org/software/S0105). If adversaries attempt to identify the primary user, currently logged in user, or set of users that commonly uses a system, [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) may apply.\n\n### Mac\n\nOn Mac, groups can be enumerated through the groups and id commands. In mac specifically, dscl . list /Groups and dscacheutil -q group can also be used to enumerate groups and users.\n\n### Linux\n\nOn Linux, local users can be enumerated through the use of the /etc/passwd file which is world readable. In mac, this same file is only used in single-user mode in addition to the /etc/master.passwd file.\n\nAlso, groups can be enumerated through the groups and id commands.", + "name": "Account Discovery", + "serverity": "Medium", + "signatureIds": "", + "signatures": 0, + "threatActorIds": "1,34,62,21,131,56,89,191,47,8,81,10,50,28,37,194,228,190,", + "threatActors": 18, + "updatedAt": "2018-12-24T23:00:02.352102Z" + }, + "threatContext": { + "hasResults": "true" + } +} +``` + +#### Human Readable Output + +>### Blueliv Attack Pattern info +>|attack_phases|attacker_skills_or_knowledge_required|capec_id|created_at|description|id|links|name|prerequisites|purposes|references|related_vulnerabilities|related_weaknesses|severity|solutions_and_mitigations|tlp|type|updated_at|uuid| +>|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +>| | | | 2018-12-24T23:00:02.352087Z | Adversaries may attempt to get a listing of local system or domain accounts.

    ### Windows

    Example commands that can acquire this information are net user, net group , and net localgroup using the [Net](https://attack.mitre.org/software/S0039) utility or through use of [dsquery](https://attack.mitre.org/software/S0105). If adversaries attempt to identify the primary user, currently logged in user, or set of users that commonly uses a system, [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) may apply.

    ### Mac

    On Mac, groups can be enumerated through the groups and id commands. In mac specifically, dscl . list /Groups and dscacheutil -q group can also be used to enumerate groups and users.

    ### Linux

    On Linux, local users can be enumerated through the use of the /etc/passwd file which is world readable. In mac, this same file is only used in single-user mode in addition to the /etc/master.passwd file.

    Also, groups can be enumerated through the groups and id commands. | 686 | self: https://tctrustoylo.blueliv.com/api/v1/attack-pattern/686/ | Account Discovery | | | | | | Medium | | white | AttackPattern | 2018-12-24T23:00:02.352102Z | 72b74d71-8169-42aa-92e0-e7b04b9f5a08 | + + +### blueliv-tc-tool +*** +Gets information about a Tool + + +#### Base Command + +`blueliv-tc-tool` +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| tool | Tool's name to search for | Optional | +| tool_id | Internal Blueliv's id of the tool | Optional | + + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| tool.Name | Unknown | Tool Name | +| tool.description | Unknown | Tool description | +| tool.lastSeen | Unknown | Tool last seen | +| tool.campaigns | Unknown | Tool campaigns | +| tool.campaignIds | Unknown | Tool campaigns internal IDs | +| tool.signatures | Unknown | Tool signatures | +| tool.signatureIds | Unknown | Tool signatures internal IDs | +| tool.threatActors | Unknown | Tool threat actors | +| tool.threatActorIds | Unknown | Tool threat actors internal IDs | + + +#### Command Example +```!blueliv-tc-tool tool=ACEHASH``` + +#### Context Example +``` +{ + "threatContext": { + "hasResults": "true" + }, + "tool": { + "campaignIds": "", + "campaigns": 0, + "description": "

    ACEHASH is a credential theft/password hash dumping utility. The code may be based in Mimikatz and appears to be publicly available.

    ", + "lastSeen": "2019-12-01T00:00:00Z", + "name": "ACEHASH", + "signatureIds": "", + "signatures": 0, + "threatActorIds": "194,", + "threatActors": 1 + } +} +``` + +#### Human Readable Output + +>### Blueliv Tool info +>|created_at|description|discovery_date|first_seen|id|last_seen|links|name|references|targeted_platforms|tlp|type|updated_at|uuid|version| +>|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +>| 2020-02-26T14:35:55.698486Z |

    ACEHASH is a credential theft/password hash dumping utility. The code may be based in Mimikatz and appears to be publicly available.

    | | 2012-12-01T00:00:00Z | 532 | 2019-12-01T00:00:00Z | self: https://tctrustoylo.blueliv.com/api/v1/tool/532/ | ACEHASH | {'link': 'https://content.fireeye.com/apt-41/rpt-apt41', 'title': 'Double Dragon: APT41, a dual espionage and cyber crime operation'} | | white | Tool | 2020-02-26T14:35:55.698549Z | | | + + +### blueliv-tc-signature +*** +Gets information about a Signature + + +#### Base Command + +`blueliv-tc-signature` +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| signature | Signature's name to search for | Optional | +| signature_id | Internal Blueliv's ID for the signature | Optional | + + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| signature.name | Unknown | Signature name | +| signature.updatedAt | Unknown | Signature updated at | +| signature.ipIds | Unknown | Signature IPs internal IDs | +| signature.malware | Unknown | Signature malware | +| signature.malwareIds | Unknown | Signature malwares internal IDs | +| signature.score | Unknown | Signature score | + + +#### Command Example +```!blueliv-tc-signature signature_id=84458``` + +#### Context Example +``` +{ + "signature": { + "malware": 0, + "malwareIds": "", + "name": "ET TROJAN DonotGroup Staging Domain in DNS Query (sid 2030333)", + "type": "snort", + "updatedAt": "2020-06-15T02:11:21.962364Z" + }, + "threatContext": { + "hasResults": "true" + } +} +``` + +#### Human Readable Output + +>### Blueliv Signature info +>|created_at|id|links|name|references|sid|signature|status|tlp|type|updated_at|version| +>|---|---|---|---|---|---|---|---|---|---|---|---| +>| 2020-06-15T02:11:21.962302Z | 84458 | self: https://tctrustoylo.blueliv.com/api/v1/signature/84458/ | ET TROJAN DonotGroup Staging Domain in DNS Query (sid 2030333) | | 2030333 | alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DonotGroup Staging Domain in DNS Query"; content:"\|01\|"; offset:2; depth:1; content:"\|00 01 00 00 00 00 00\|"; 
distance:1; within:7; content:"\|0c\|yourcontents\|03\|xyz\|00\|"; distance:0; fast_pattern; metadata: former_category MALWARE; classtype:trojan-activity; sid:2030333; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2020_06_12, updated_at 2020_06_12;) | enabled | white | snort | 2020-06-15T02:11:21.962364Z | 2 |
+
diff --git a/Packs/BluelivThreatContext/README.md b/Packs/BluelivThreatContext/README.md
new file mode 100644
index 000000000000..e69de29bb2d1
diff --git a/Packs/BluelivThreatContext/TestPlaybooks/Blueliv_ThreatContext_test.yml b/Packs/BluelivThreatContext/TestPlaybooks/Blueliv_ThreatContext_test.yml
new file mode 100644
index 000000000000..815778af522f
--- /dev/null
+++ b/Packs/BluelivThreatContext/TestPlaybooks/Blueliv_ThreatContext_test.yml
@@ -0,0 +1,411 @@ +id: Blueliv_ThreatContext_test +version: -1 +name: Blueliv_ThreatContext_test +description: Test all commands from Blueliv ThreatContext integration. +starttaskid: "0" +tasks: + "0": + id: "0" + taskid: 22e35a94-75e3-4089-8e8d-6ac2c69b2989 + type: start + task: + id: 22e35a94-75e3-4089-8e8d-6ac2c69b2989 + version: -1 + name: "" + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "7" + separatecontext: false + view: |- + { + "position": { + "x": 600, + "y": 60 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + "2": + id: "2" + taskid: 51ae9209-8831-4f95-8ec9-9419f4217f20 + type: regular + task: + id: 51ae9209-8831-4f95-8ec9-9419f4217f20 + version: -1 + name: Check IP + description: Gets information about an IP + script: '|||blueliv-tc-indicator-ip' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "3" + scriptarguments: + IP: + simple: 103.76.228.28 + IP_id: {} + separatecontext: false + view: |- + { + "position": { + "x": 600, + "y": 390 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + "3": + id: "3" + taskid: e2479e96-2909-4980-8bf9-aacd094ca3a4 + type: regular + task: + id: e2479e96-2909-4980-8bf9-aacd094ca3a4 + version: -1 + name: Check Threat Actor + description: Gets information about a Threat Actor + script: '|||blueliv-tc-threat-actor' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "4" + scriptarguments: + threatActor: + simple: Vendetta + threatActor_id: {} + separatecontext: false + view: |- + { + "position": { + "x": 600, + "y": 570 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + "4": + id: "4" + taskid: d43499ae-253f-4dc0-827d-f415490feb7f + type: regular + task: + id: d43499ae-253f-4dc0-827d-f415490feb7f + version: -1 + name: Get Tools + description: Gets information about a Tool + script: 
'|||blueliv-tc-tool' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "5" + scriptarguments: + tool: + simple: ACEHASH + tool_id: {} + separatecontext: false + view: |- + { + "position": { + "x": 600, + "y": 760 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + "5": + id: "5" + taskid: 0c44a276-72e0-4632-8e55-fb77e7de07ce + type: regular + task: + id: 0c44a276-72e0-4632-8e55-fb77e7de07ce + version: -1 + name: Get CVE + description: Gets information about CVE + script: '|||blueliv-tc-cve' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "6" + scriptarguments: + CVE: + simple: CVE-2020-8794 + CVE_id: {} + separatecontext: false + view: |- + { + "position": { + "x": 600, + "y": 940 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + "6": + id: "6" + taskid: ec703143-3dfe-48de-84b6-73a4012d0bd4 + type: regular + task: + id: ec703143-3dfe-48de-84b6-73a4012d0bd4 + version: -1 + name: Get malware hash + description: Gets information about malware by ID + script: '|||blueliv-tc-malware' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "8" + scriptarguments: + hash: + simple: ad53660b6d7e8d2ed14bd59b39e1f265148e3c6818a494cce906e749976bade1 + hash_id: {} + separatecontext: false + view: |- + { + "position": { + "x": 600, + "y": 1120 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + "7": + id: "7" + taskid: f72e2020-bc63-49bb-8de8-464a6a2eed61 + type: regular + task: + id: f72e2020-bc63-49bb-8de8-464a6a2eed61 + version: -1 + name: Delete Context + description: Delete field from context + scriptName: DeleteContext + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "2" + scriptarguments: + all: + simple: "yes" + index: {} + key: {} + keysToKeep: {} + subplaybook: {} + separatecontext: false + view: |- + { + 
"position": { + "x": 600, + "y": 210 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + "8": + id: "8" + taskid: e1a14b28-4856-4647-81ba-9d72f0cebb09 + type: regular + task: + id: e1a14b28-4856-4647-81ba-9d72f0cebb09 + version: -1 + name: Get FQDN + description: Gets information about FQDN + script: '|||blueliv-tc-indicator-fqdn' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "9" + scriptarguments: + FQDN: + simple: self-repair.r53-2.services.mozilla.com + FQDN_id: {} + separatecontext: false + view: |- + { + "position": { + "x": 600, + "y": 1310 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + "9": + id: "9" + taskid: c163d4e9-deaf-4d77-8056-4d156976a995 + type: regular + task: + id: c163d4e9-deaf-4d77-8056-4d156976a995 + version: -1 + name: Get attack pattern + description: Gets information about a Attack Pattern + script: '|||blueliv-tc-attack-pattern' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "10" + scriptarguments: + attackPattern: + simple: Account Discovery + attackPatternId: {} + separatecontext: false + view: |- + { + "position": { + "x": 600, + "y": 1510 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + "10": + id: "10" + taskid: 79a2af8f-a658-4410-8a27-15d172d229f0 + type: regular + task: + id: 79a2af8f-a658-4410-8a27-15d172d229f0 + version: -1 + name: Get signature + description: Gets information about a Signature + script: '|||blueliv-tc-signature' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "11" + scriptarguments: + signature: {} + signature_id: + simple: "84458" + separatecontext: false + view: |- + { + "position": { + "x": 600, + "y": 1700 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + "11": + id: "11" + taskid: 
32a9fbaa-2097-4d09-8b78-3eb6cc2f8242 + type: regular + task: + id: 32a9fbaa-2097-4d09-8b78-3eb6cc2f8242 + version: -1 + name: Get Campaign + description: Gets information about a Campaign + script: '|||blueliv-tc-campaign' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "12" + scriptarguments: + campaign: {} + campaign_id: + simple: "152" + separatecontext: false + view: |- + { + "position": { + "x": 600, + "y": 1870 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + "12": + id: "12" + taskid: f6c08518-db12-4cdb-820c-68807fc21036 + type: regular + task: + id: f6c08518-db12-4cdb-820c-68807fc21036 + version: -1 + name: Get Crime Server + description: Gets information about a Crime Server + script: '|||blueliv-tc-indicator-cs' + type: regular + iscommand: true + brand: "" + scriptarguments: + CS: {} + CS_id: + simple: "6626263" + separatecontext: false + view: |- + { + "position": { + "x": 600, + "y": 2060 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 +view: |- + { + "linkLabelsPosition": {}, + "paper": { + "dimensions": { + "height": 2095, + "width": 380, + "x": 600, + "y": 60 + } + } + } +inputs: [] +outputs: [] +fromversion: 5.0.0 diff --git a/Packs/BluelivThreatContext/pack_metadata.json b/Packs/BluelivThreatContext/pack_metadata.json new file mode 100644 index 000000000000..c6b2816e9f4e --- /dev/null +++ b/Packs/BluelivThreatContext/pack_metadata.json 
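Review bot: None of the command tasks "2" through "12" checks what the command wrote to context; each is a `type: regular` task chained only through `nexttasks`, so the playbook passes whenever the integration returns without raising, even if a documented output such as `threatActor.name` or `indicator.status` is absent. A `type: condition` task at the end of the chain that checks the expected context paths with `isExists` would turn missing outputs into a test failure; a sketch follows, with the task UUID left as a placeholder. The inputs are live third-party data (the IP `103.76.228.28`, crime server `6626263`, the Mozilla FQDN), so assert on key presence rather than on values, which will drift as the feed updates. Task "9"'s description reads `Gets information about a Attack Pattern`; `an Attack Pattern` reads better.
```yaml
  "12":
    # … unchanged: Get Crime Server task …
    nexttasks:
      '#none#':
      - "13"
  "13":
    id: "13"
    taskid: TASK-UUID-PLACEHOLDER
    type: condition
    task:
      id: TASK-UUID-PLACEHOLDER
      version: -1
      name: Verify context
      description: Fail the test when a documented context output was not written.
      type: condition
      iscommand: false
      brand: ""
    conditions:
    - label: "yes"
      condition:
      - - operator: isExists
          left:
            value:
              simple: threatActor.name
            iscontext: true
      - - operator: isExists
          left:
            value:
              simple: indicator.status
            iscontext: true
    separatecontext: false
```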
@@ -0,0 +1,16 @@
+{
+ "name": "Blueliv ThreatContext",
+ "description": "The Threat Context module provides SOC, Incident Response and Threat Intelligence teams with continuously updated and intuitive information around threat actors, campaigns, malware indicators, attack patterns, tools, signatures and CVEs. Analysts can rapidly gather enriched, contextualized information to enhance cybersecurity processes before, during and after an attack.",
+ "support": "community",
+ "currentVersion": "1.0.0",
+ "author": "Trust Oylo",
+ "url": "",
+ "email": "demisto@trustoylo.com",
+ "created": "2020-06-08T15:37:54Z",
+ "categories": [
+ "Data Enrichment & Threat Intelligence"
+ ],
+ "tags": [],
+ "useCases": [],
+ "keywords": []
+}
\ No newline at end of file
diff --git a/Packs/BreachNotification-US/README.md b/Packs/BreachNotification-US/README.md
index bbd8a61e552f..5c3c098acf13
--- a/Packs/BreachNotification-US/README.md
+++ b/Packs/BreachNotification-US/README.md
@@ -13,6 +13,6 @@ The playbooks included in this pack help you automate repetitive tasks associate
 As part of this pack, you will also get out-of-the-box US breach notification incident views, and a full layout. All of these are easily customizable to suit the needs of your organization.
-_For more information, visit our [Cortex XSOAR Developer Docs](https://xsoar.pan.dev/docs/reference/playbooks/phishing-investigation---generic-v2)_
+_For more information, visit our [Cortex XSOAR Developer Docs](https://xsoar.pan.dev/docs/reference/playbooks/us---breach-notification)_
 ![US-BreachNotification](https://raw.githubusercontent.com/demisto/content/master/Packs/BreachNotification-US/doc_files/US_-_Breach_Notification.png)
diff --git a/Packs/BreachNotification-US/ReleaseNotes/1_0_4.md b/Packs/BreachNotification-US/ReleaseNotes/1_0_4.md
new file mode 100644
index 000000000000..e43e9209459b
--- /dev/null
+++ b/Packs/BreachNotification-US/ReleaseNotes/1_0_4.md
@@ -0,0 +1,3 @@
+
\ No newline at end of file
diff --git a/Packs/BreachNotification-US/pack_metadata.json b/Packs/BreachNotification-US/pack_metadata.json
index 314d46a7dec4..61b91b0f3e27
--- a/Packs/BreachNotification-US/pack_metadata.json
+++ b/Packs/BreachNotification-US/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "US - Breach Notification",
 "description": " ",
 "support": "xsoar",
- "currentVersion": "1.0.3",
+ "currentVersion": "1.0.4",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
diff --git a/Packs/BruteForce/README.md b/Packs/BruteForce/README.md
index e69de29bb2d1..0e86550094df
--- a/Packs/BruteForce/README.md
+++ b/Packs/BruteForce/README.md
@@ -0,0 +1,22 @@
+Brute Force investigations require security teams to reconcile data from many different sources. Valuable time is lost shuttling between screens and executing repeatable tasks while an attack continues to manifest.
+This Brute Force content pack contains the ‘Brute Force Investigation - Generic’ playbook, that automates response to different Brute Force incidents. The pack also contains the corresponding custom Brute Force incident fields, views and layouts to facilitate analyst investigation.
+
+
+##### What does this pack do?
+The playbook included in this pack handles the following use-cases:
+- Brute Force IP Detected - A detection of source IPs that are exceeding a high threshold of rejected and/or invalid logins.
+- Brute Force Increase Percentage - A detection of large increase percentages in various brute force statistics over different periods of time.
+- Brute Force Potentially Compromised Accounts - A detection of accounts that have shown a high amount of failed logins with one successful login.
+This playbook helps you save time and automate repetitive tasks associated with Brute Force incidents:
+- Gather and enrich user and IP information.
+- Interact with the suspected user to retrieve more information about the incident.
+- Calculate the incident severity based on the enriched information, login data and information received from the user.
+- Isolate the attacked endpoint.
+- Remediate the incident by blocking malicious indicators, and disabling the account.
+- Generate an investigation report to document the incident’s details.
+
+As part of this pack, you will also get out-of-the-box Brute Force incident type views, with incident fields and a full layout. All of these are easily customizable to suit the needs of your organization.
+
+_For more information, visit our [Cortex XSOAR Developer Docs](https://xsoar.pan.dev/docs/reference/playbooks/brute-force-investigation---generic)_
+
+![Brute_Force_Investigation_- Generic](https://raw.githubusercontent.com/demisto/content/7ef8d9950372db10879e54ebf3759b8096073c56/Packs/BruteForce/doc_files/Brute_Force_Investigation_-_Generic.png)
diff --git a/Packs/BruteForce/ReleaseNotes/1_1_1.md b/Packs/BruteForce/ReleaseNotes/1_1_1.md
new file mode 100644
index 000000000000..e43e9209459b
--- /dev/null
+++ b/Packs/BruteForce/ReleaseNotes/1_1_1.md
@@ -0,0 +1,3 @@
+
\ No newline at end of file
diff --git a/Packs/BruteForce/pack_metadata.json b/Packs/BruteForce/pack_metadata.json
index 9c612f1a95e4..550d743dfda6 100644
--- a/Packs/BruteForce/pack_metadata.json
+++ b/Packs/BruteForce/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Brute Force",
 "description": "Investigates a \"Brute Force\" incident by gathering user and IP information, calculating the incident severity based on the gathered information and information received from the user, and performs remediation.",
 "support": "xsoar",
- "currentVersion": "1.1.0",
+ "currentVersion": "1.1.1",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
diff --git a/Packs/CarbonBlackProtect/Playbooks/playbook-Carbon_black_Protection_Rapid_IOC_Hunting.yml b/Packs/CarbonBlackProtect/Playbooks/playbook-Carbon_black_Protection_Rapid_IOC_Hunting.yml
index c25681c42ce3..6469833a3daf 100644
--- a/Packs/CarbonBlackProtect/Playbooks/playbook-Carbon_black_Protection_Rapid_IOC_Hunting.yml
+++ b/Packs/CarbonBlackProtect/Playbooks/playbook-Carbon_black_Protection_Rapid_IOC_Hunting.yml
@@ -109,7 +109,7 @@ tasks: task: id: ec572e1b-78cf-4daf-8185-688d7b04041b version: -1 - name: Is CarbonBlack Protection enabled? + name: Is CarbonBlack Protection v2 enabled? description: Check if a given value exists in the context. Will return 'no' for empty empty arrays. To be used mostly with DQ and selectors. scriptName: Exists @@ -123,7 +123,7 @@ tasks: - "12" scriptarguments: value: - simple: ${modules(val.brand == 'carbonblackprotection' && val.state == 'active')} + simple: ${modules(val.brand == 'CarbonBlackProtectionV2' && val.state == 'active')} separatecontext: false view: |- { diff --git a/Packs/CarbonBlackProtect/ReleaseNotes/1_0_2.md b/Packs/CarbonBlackProtect/ReleaseNotes/1_0_2.md new file mode 100644 index 000000000000..df066cac2570 --- /dev/null +++ b/Packs/CarbonBlackProtect/ReleaseNotes/1_0_2.md @@ -0,0 +1,4 @@ + +#### Playbooks +##### Carbon black Protection Rapid IOC Hunting +Updated the playbook to use the **Carbon Black Enterprise Protection v2** integration . diff --git a/Packs/CarbonBlackProtect/pack_metadata.json b/Packs/CarbonBlackProtect/pack_metadata.json index 26837cad4b03..e70cfe7ef1d8 100644 --- a/Packs/CarbonBlackProtect/pack_metadata.json +++ b/Packs/CarbonBlackProtect/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Carbon Black Enterprise Protection", "description": "Carbon Black Enterprise Protection is a next-generation endpoint threat prevention solution to deliver a portfolio of protection policies, real-time visibility across environments, and comprehensive compliance rule sets in a single platform.", "support": "xsoar", - "currentVersion": "1.0.1", + "currentVersion": "1.0.2", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/CheckpointFirewall/Integrations/integration-CheckpointFirewall.yml b/Packs/CheckpointFirewall/Integrations/integration-CheckpointFirewall.yml index 443f54cd1e71..a6f3961a7cc6 100644 
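Review bot: The `Exists` condition in the second hunk now matches only `val.brand == 'CarbonBlackProtectionV2'`, so a deployment that still has only an active instance of the original `carbonblackprotection` brand silently takes the `#default#` branch and the hunt never runs; assuming the original integration remains installable, the release note ("updated the playbook to use v2") does not say that those instances stop being detected. If both generations should keep working, the filter could accept either brand, e.g. `simple: ${modules((val.brand == 'CarbonBlackProtectionV2' || val.brand == 'carbonblackprotection') && val.state == 'active')}` (if the DT filter syntax permits `||`); otherwise the playbook description or release note should state that v1 instances are no longer matched. The task's `description` context line is the generic `Exists` script text and could say what is actually checked, e.g. `description: Checks whether an active Carbon Black Enterprise Protection v2 instance is configured.` The enclosing task definition starts and ends outside the hunk.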
--- a/Packs/CheckpointFirewall/Integrations/integration-CheckpointFirewall.yml +++ b/Packs/CheckpointFirewall/Integrations/integration-CheckpointFirewall.yml @@ -944,5 +944,4 @@ script: description: Delete rule from firewall runonce: false tests: -- blockip_test_playbook - CheckpointFW-test diff --git a/Packs/CheckpointFirewall/ReleaseNotes/1_1_0.md b/Packs/CheckpointFirewall/ReleaseNotes/1_1_0.md new file mode 100644 index 000000000000..61c7c5f83633 --- /dev/null +++ b/Packs/CheckpointFirewall/ReleaseNotes/1_1_0.md @@ -0,0 +1,5 @@ + diff --git a/Packs/CheckpointFirewall/pack_metadata.json b/Packs/CheckpointFirewall/pack_metadata.json index 076cae73aea9..ac16fc914c8f 100644 --- a/Packs/CheckpointFirewall/pack_metadata.json +++ b/Packs/CheckpointFirewall/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Check Point Firewall", "description": "Manage Check Point firewall via API", "support": "xsoar", - "currentVersion": "1.0.3", + "currentVersion": "1.1.0", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/CommonPlaybooks/Playbooks/playbook-Block_IP_-_Generic_v2.yml b/Packs/CommonPlaybooks/Playbooks/playbook-Block_IP_-_Generic_v2.yml index fcff663e1c9d..36a0f52c60a6 100644 --- a/Packs/CommonPlaybooks/Playbooks/playbook-Block_IP_-_Generic_v2.yml +++ b/Packs/CommonPlaybooks/Playbooks/playbook-Block_IP_-_Generic_v2.yml @@ -9,6 +9,7 @@ description: |- * Palo Alto Networks Minemeld * Palo Alto Networks PAN-OS * Zscaler + * FortiGate starttaskid: "0" tasks: "0": @@ -81,6 +82,7 @@ tasks: - "18" - "19" - "20" + - "26" separatecontext: false view: |- { 
@@ -135,10 +137,10 @@ tasks: quietmode: 0 "7": id: "7" - taskid: f5912507-b8b7-4a1e-8cbc-43d6ed014158 + taskid: f74fb6b5-f7c9-42ed-808a-d227355f1e9d type: condition task: - id: f5912507-b8b7-4a1e-8cbc-43d6ed014158 + id: f74fb6b5-f7c9-42ed-808a-d227355f1e9d version: -1 name: Is Check Point Firewall enabled? description: Verify that there is a valid instance of Check Point Firewall enabled. @@ -185,7 +187,7 @@ tasks: { "position": { "x": 980, - "y": 660 + "y": 650 } } note: false @@ -257,7 +259,7 @@ tasks: { "position": { "x": 500, - "y": 660 + "y": 650 } } note: false @@ -267,10 +269,10 @@ tasks: quietmode: 0 "12": id: "12" - taskid: 1bed0b61-b979-45c7-8628-f337dc0912ed + taskid: e8c51174-7d85-4248-86b4-6d14eba20ca6 type: condition task: - id: 1bed0b61-b979-45c7-8628-f337dc0912ed + id: e8c51174-7d85-4248-86b4-6d14eba20ca6 version: -1 name: Is Zscaler enabled? description: Verify that there is a valid instance of Zscaler enabled. @@ -317,7 +319,7 @@ tasks: { "position": { "x": 1470, - "y": 660 + "y": 650 } } note: false @@ -611,13 +613,13 @@ tasks: quietmode: 0 "22": id: "22" - taskid: 4f95fd93-d93e-432b-891b-da70b95207d9 + taskid: 621b09ab-5f15-4893-8b6d-eb6d241d8f98 type: condition task: - id: 4f95fd93-d93e-432b-891b-da70b95207d9 + id: 621b09ab-5f15-4893-8b6d-eb6d241d8f98 version: -1 name: Use Custom Block Rules? - description: "" + description: Verify if custom block rule playbook input is set to true or not. type: condition iscommand: false brand: "" @@ -644,7 +646,7 @@ tasks: view: |- { "position": { - "x": 80, + "x": 90, "y": 650 } } 
@@ -655,13 +657,14 @@ tasks: quietmode: 0 "23": id: "23" - taskid: c4e83fd9-f8b6-45da-833e-94db3447c312 + taskid: 8d1ccb6b-eade-48db-8c34-904dbcbf644c type: condition task: - id: c4e83fd9-f8b6-45da-833e-94db3447c312 + id: 8d1ccb6b-eade-48db-8c34-904dbcbf644c version: -1 name: Use Static Address Group? - description: "" + description: Verify if there is a static address group name set as a playbook + input. type: condition iscommand: false brand: "" @@ -694,13 +697,13 @@ tasks: quietmode: 0 "24": id: "24" - taskid: 5ac3d7c2-8b78-45e9-8095-184b2a82a919 + taskid: 156aee26-31e3-4cba-8846-767ee8a2dc6a type: condition task: - id: 5ac3d7c2-8b78-45e9-8095-184b2a82a919 + id: 156aee26-31e3-4cba-8846-767ee8a2dc6a version: -1 name: Use External Dynamic List? - description: "" + description: Verify if there is an EDL Server IP as a playbook input. type: condition iscommand: false brand: "" @@ -739,13 +742,14 @@ tasks: quietmode: 0 "25": id: "25" - taskid: 5387aea9-c64b-4b9d-848f-c9269f644889 + taskid: 181b1519-8b3e-4296-8cb2-d0f91984b16b type: condition task: - id: 5387aea9-c64b-4b9d-848f-c9269f644889 + id: 181b1519-8b3e-4296-8cb2-d0f91984b16b version: -1 name: Use Dynamic Address Group? - description: "" + description: Verify if there is a dynamic address group name set as a playbook + input. type: condition iscommand: false brand: "" 
@@ -776,22 +780,141 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 -system: true + "26": + id: "26" + taskid: 65dca814-c04b-40ff-8e32-766432ee9f13 + type: title + task: + id: 65dca814-c04b-40ff-8e32-766432ee9f13 + version: -1 + name: Fortinet + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "27" + separatecontext: false + view: |- + { + "position": { + "x": 1920, + "y": 510 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + "27": + id: "27" + taskid: 5ec7ae21-1c50-4a72-8a86-daa39ac43f18 + type: condition + task: + id: 5ec7ae21-1c50-4a72-8a86-daa39ac43f18 + version: -1 + name: Is FortiGate enabled? + description: Verify that there is a valid instance of FortiGate enabled. + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "2" + "yes": + - "28" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isExists + left: + value: + complex: + root: modules + filters: + - - operator: isEqualString + left: + value: + simple: modules.brand + iscontext: true + right: + value: + simple: FortiGate + - - operator: isEqualString + left: + value: + simple: modules.state + iscontext: true + right: + value: + simple: active + accessor: brand + iscontext: true + view: |- + { + "position": { + "x": 1920, + "y": 650 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + "28": + id: "28" + taskid: f3b16aab-fe0c-4c4f-8791-55cbd589405f + type: regular + task: + id: f3b16aab-fe0c-4c4f-8791-55cbd589405f + version: -1 + name: 'FortiGate Ban IP ' + description: Adds IP addresses to the banned list. 
+ script: '|||fortigate-ban-ip' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "2" + scriptarguments: + expiry: {} + ip_address: + complex: + root: inputs.IP + separatecontext: false + view: |- + { + "position": { + "x": 1920, + "y": 850 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 view: |- { "linkLabelsPosition": { - "12_2_#default#": 0.23, + "12_2_#default#": 0.18, "22_2_#default#": 0.22, "23_2_#default#": 0.11, "24_2_#default#": 0.1, "25_2_#default#": 0.1, + "27_2_#default#": 0.16, "7_2_#default#": 0.39, "8_2_#default#": 0.48 }, "paper": { "dimensions": { "height": 1075, - "width": 3030, + "width": 3480, "x": -1180, "y": 10 } diff --git a/Packs/CommonPlaybooks/Playbooks/playbook-Block_IP_-_Generic_v2_README.md b/Packs/CommonPlaybooks/Playbooks/playbook-Block_IP_-_Generic_v2_README.md index 0dbf787bcb02..191728d95554 100644 --- a/Packs/CommonPlaybooks/Playbooks/playbook-Block_IP_-_Generic_v2_README.md +++ b/Packs/CommonPlaybooks/Playbooks/playbook-Block_IP_-_Generic_v2_README.md 
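Review bot: Task 28 invokes `fortigate-ban-ip` with `expiry: {}`, so the ban lasts for whatever the command does when the argument is absent (presumably indefinitely), and the new FortiGate path exposes no playbook input to bound it, whereas the PAN-OS path in the same playbook is driven by `CustomBlockRule`/`AutoCommit`/`LogForwarding` inputs; for an automated block that may act on a false-positive indicator the duration should be a deliberate, documented choice rather than an unset argument. Wiring it to an input is three lines in the task, `expiry:` / `complex:` / `root: inputs.FortiGateBanExpiry`, plus the matching entry in the playbook's `inputs` section and the README's inputs table, both of which are outside this hunk. As points of style, the task name `'FortiGate Ban IP '` carries a trailing space that will show in the UI, and title task 26 has `description: ''` where the other added tasks carry text. The `view`/`paper` block the hunk ends in belongs to the top-level playbook object, whose start is outside the hunk.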
@@ -1,80 +1,90 @@ -Blocks malicious IP addressess using all integrations that are enabled. +This playbook blocks malicious IPs using all integrations that are enabled. Supported integrations for this playbook: * Check Point Firewall * Palo Alto Networks Minemeld * Palo Alto Networks PAN-OS * Zscaler +* FortiGate ## Dependencies This playbook uses the following sub-playbooks, integrations, and scripts. -## Sub-playbooks -* PAN-OS DAG Configuration +### Sub-playbooks +* PAN-OS - Block IP - Custom Block Rule * PAN-OS - Block IP - Static Address Group +* Add Indicator to Miner - Palo Alto MineMeld * PAN-OS - Block IP and URL - External Dynamic List -* PAN-OS - Block IP - Custom Block Rule -* Add Indicator to Miner - Minemeld +* PAN-OS DAG Configuration -## Integrations +### Integrations * Zscaler -## Scripts +### Scripts This playbook does not use any scripts. -## Commands +### Commands * checkpoint-block-ip * zscaler-blacklist-ip +* fortigate-ban-ip ## Playbook Inputs --- -| **Name** | **Description** | **Default Value** |**Required** | +| **Name** | **Description** | **Default Value** | **Required** | | --- | --- | --- | --- | -| IPBlacklistMiner | The name of the IP address blacklist Miner in Minemeld. | - |Optional | -| IP | The aof malicious IP addresses to block. | - | Optional | -| CustomBlockRule | This input determines whether Palo Alto Networks Panorama or Firewall Custom Block Rules are used.Specify True to use Custom Block Rules. | True |Optional | -| LogForwarding | The Panorama log forwarding object name. | - | Optional | -| AutoCommit | This input determines whether to commit the configuration automatically. Yes - Commit automatically. No - Commit manually. | No | Optional | -| StaticAddressGroup | This input determines whether Palo Alto Networks Panorama or Firewall Static Address Groups are used. Specify the Static Address Group name for IP address handling. 
| - |Optional | -| IPListName | This input determines whether Palo Alto Networks Panorama or Firewall External Dynamic Lists are used for blocking IP addresses. Specify the EDL name for IP address handling. | - |Optional | -| EDLServerIP | This input determines whether Palo Alto Networks Panorama or Firewall External Dynamic Lists are used: * The IP address of the web server on which the files are stored. * The web server IP address is configured in the integration instance. | - | Optional | -| DAG | This input determines whether Palo Alto Networks Panorama or Firewall Dynamic Address Groups are used. Specify the Dynamic Address Group tag name for IP address handling. | - |Optional | +| IPBlacklistMiner | The name of the IP blacklist Miner in Minemeld. | | Optional | +| IP | Array of malicious IPs to block. | | Optional | +| CustomBlockRule | This input determines whether Palo Alto Networks Panorama or Firewall Custom Block Rules are used. +Specify True to use Custom Block Rules. | True | Optional | +| LogForwarding | Panorama log forwarding object name. | | Optional | +| AutoCommit | This input determines whether to commit the configuration automatically. +Yes \- Commit automatically. +No \- Commit manually. | No | Optional | +| StaticAddressGroup | This input determines whether Palo Alto Networks Panorama or Firewall Static Address Groups are used. +Specify the Static Address Group name for IP handling. | | Optional | +| IPListName | This input determines whether Palo Alto Networks Panorama or Firewall External Dynamic Lists are used for blocking IPs. +Specify the EDL name for IP handling. | | Optional | +| EDLServerIP | This input determines whether Palo Alto Networks Panorama or Firewall External Dynamic Lists are used: +\* The IP address of the web server on which the files are stored. +\* The web server IP address is configured in the integration instance. 
| | Optional | +| DAG | This input determines whether Palo Alto Networks Panorama or Firewall Dynamic Address Groups are used. +Specify the Dynamic Address Group tag name for IP handling. | | Optional | ## Playbook Outputs --- | **Path** | **Description** | **Type** | | --- | --- | --- | -| CheckpointFWRule.Destination | The rule destination. | unknown | -| CheckpointFWRule.DestinationNegate | The rule destination negate status. Can be, "True" or "False". | unknown | -| PanoramaRule.Direction | The direction of the Panorama rule. Can be, "to","from", or "both". | string | -| PanoramaRule.IP | The IP address the Panorama rule blocks. | string | -| CheckpointFWRule.Name | The rule name. | unknown | -| PanoramaRule.Name | The name of the Panorama rule. | string | -| CheckpointFWRule.UID | The rule's UID. | unknown | -| PanoramaRule | The list of Panorama rules. | unknown | -| CheckpointFWRule.Type | The rule type. | unknown | -| CheckpointFWRule.Action | The rule action. Valid values are, "Accept", 'Drop", "Apply Layer", "Ask", or "Info". | unknown | -| CheckpointFWRule.ActionSetting | The rule action settings. | unknown | -| CheckpointFWRule.CustomFields | The rule custom fields. | unknown | -| CheckpointFWRule.Data | The rule data. | unknown | -| CheckpointFWRule.DataDirection | The rule data direction. | unknown | -| CheckpointFWRule.DataNegate | The rule data negate status. Can be, "True" or "False". | unknown | -| CheckpointFWRule.Domain | The rule domain. | unknown | -| CheckpointFWRule.Enabled | The rule status. | unknown | -| CheckpointFWRule.Hits | The rule hits count. | unknown | -| CheckpointFWRule.Data.Name | The rule data object name. | unknown | -| CheckpointFWRule.Data.Domain | The information about the domain the data object belongs to. | unknown | -| CheckpointFWRule.Domain.Name | The rule domain name. | unknown | -| CheckpointFWRule.Domain.UID | The rule domain UID. | unknown | -| CheckpointFWRule.Domain.Type | The rule domain type. 
| unknown | +| CheckpointFWRule.Destination | Rule Destination. | unknown | +| CheckpointFWRule.DestinationNegate | Rule destination negate status \(True/False\). | unknown | +| PanoramaRule.Direction | Direction of the Panorama rule. Can be 'to','from', 'both' | string | +| PanoramaRule.IP | The IP the Panorama rule blocks | string | +| CheckpointFWRule.Name | Rule name. | unknown | +| PanoramaRule.Name | Name of the Panorama rule | string | +| CheckpointFWRule.UID | Rule UID. | unknown | +| PanoramaRule | List of Panorama rules | unknown | +| CheckpointFWRule.Type | Rule Type. | unknown | +| CheckpointFWRule.Action | Rule action \(Valid values are: Accept, Drop, Apply Layer, Ask, Info\). | unknown | +| CheckpointFWRule.ActionSetting | Rule action settings. | unknown | +| CheckpointFWRule.CustomFields | Rule custom fields. | unknown | +| CheckpointFWRule.Data | Rule data. | unknown | +| CheckpointFWRule.DataDirection | Rule data direction. | unknown | +| CheckpointFWRule.DataNegate | Rule data negate status \(True/False\). | unknown | +| CheckpointFWRule.Domain | Rule domain. | unknown | +| CheckpointFWRule.Enabled | Rule status. | unknown | +| CheckpointFWRule.Hits | Rule hits count. | unknown | +| CheckpointFWRule.Data.Name | Rule data object name. | unknown | +| CheckpointFWRule.Data.Domain | Information about the domain the data object belongs to. | unknown | +| CheckpointFWRule.Domain.Name | Rule domain name. | unknown | +| CheckpointFWRule.Domain.UID | Rule domain UID. | unknown | +| CheckpointFWRule.Domain.Type | Rule domain type. | unknown | | CheckpointFWRule.Hits.FirstDate | The date of the first hit for the rule. | unknown | | CheckpointFWRule.Hits.LastDate | The date of the last hit for the rule. | unknown | -| CheckpointFWRule.Hits.Level | The level of rule hits. | unknown | -| CheckpointFWRule.Hits.Percentage | The percentage of rule hits. | unknown | -| CheckpointFWRule.Hits.Value | The value of rule hits. 
| unknown | +| CheckpointFWRule.Hits.Level | Level of rule hits. | unknown | +| CheckpointFWRule.Hits.Percentage | Percentage of rule hits. | unknown | +| CheckpointFWRule.Hits.Value | Value of rule hits. | unknown | ## Playbook Image --- -![Block_IP_Generic_v2](https://raw.githubusercontent.com/demisto/content/1bdd5229392bd86f0cc58265a24df23ee3f7e662/docs/images/playbooks/Block_IP_Generic_v2.png) +![Block IP - Generic v2](Insert the link to your image here) diff --git a/Packs/CommonPlaybooks/Playbooks/playbook-Detonate_File_-_Generic.yml b/Packs/CommonPlaybooks/Playbooks/playbook-Detonate_File_-_Generic.yml index 580d458676dd..78e03d72e29a 100644 --- a/Packs/CommonPlaybooks/Playbooks/playbook-Detonate_File_-_Generic.yml +++ b/Packs/CommonPlaybooks/Playbooks/playbook-Detonate_File_-_Generic.yml 
@@ -1,1099 +1,1143 @@ -id: Detonate File - Generic -version: -1 -name: Detonate File - Generic -description: Detonate file through active integrations that support file detonation -starttaskid: "0" -tasks: - "0": - id: "0" - taskid: 2ac07fca-26e2-4263-8b08-c3944731d448 - type: start - task: - id: 2ac07fca-26e2-4263-8b08-c3944731d448 - version: -1 - name: "" - description: Playbook start point - iscommand: false - brand: "" - nexttasks: - '#none#': - - "8" - - "10" - - "9" - - "11" - - "13" - - "14" - - "15" - - "16" - - "17" - - "18" - - "19" - - "20" - separatecontext: false - view: |- - { - "position": { - "x": 2200, - "y": 50 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - "3": - id: "3" - taskid: 0fb13cc0-f182-49f6-8ced-38ddfe5c5d6e - type: title - task: - id: 0fb13cc0-f182-49f6-8ced-38ddfe5c5d6e - version: -1 - name: Done - description: Done - type: title - iscommand: false - brand: "" - separatecontext: false - view: |- - { - "position": { - "x": 2200, - "y": 370 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - "8": - id: "8" - taskid: eb680898-4271-4270-8249-7de1acc7cea9 - type: playbook - task: - id: eb680898-4271-4270-8249-7de1acc7cea9 - version: -1 - name: Detonate File - JoeSecurity - description: |- - Detonates one or more files using the Joe Security - Joe Sandbox integration. - Returns relevant reports to the War Room and file reputations to the context data. - All file types are supported. 
- playbookName: Detonate File - JoeSecurity - type: playbook - iscommand: false - brand: "" - nexttasks: - '#none#': - - "3" - separatecontext: true - loop: - iscommand: false - exitCondition: "" - wait: 1 - max: 0 - view: |- - { - "position": { - "x": 50, - "y": 195 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: true - quietmode: 0 - "9": - id: "9" - taskid: de2bc919-5bdb-4bdf-8346-dea2f40822d1 - type: playbook - task: - id: de2bc919-5bdb-4bdf-8346-dea2f40822d1 - version: -1 - name: ATD - Detonate File - description: |- - Detonates a File using the McAfee Advanced Threat Defense sandbox. - Advanced Threat Defense supports the following File Types: - 32-bit Portable Executables (PE)files; 64-bit PE+files - exe, sys, dll, com, scr, cpl, ocx, cgi - Microsoft Office Suite documents - doc,dotm, docx, dotx, xls, ppam, xlsx, pps, xlsb, ppsx, xlsm, ppsm, ppt, ppt, pptx, pptm, rtf, shs, xltm, sldm, xltx, sldx, xlam, thmx, docm, xar - Just Systems Ichitaro documents - jtd, jtdc - Adobe - pdf, swf - Compressed files - gz, 7z, tgz, msi, zip, lzh, cab, lzma, rar - Android application package - apk, Java, JAR, CLASS, Java Script, Java bin files - Image files - jpeg, png, gif - Other file types - cmd, ace, bat, arj, vbs, chm, xml, lnk, url, mof, htm, ocx, html, potm, eml, potx, msg, ps1, vb, reg, vba, wsc, vbe, wsf, vbs, wsh - playbookName: ATD - Detonate File - type: playbook - iscommand: false - brand: "" - nexttasks: - '#none#': - - "3" - scriptarguments: - File: - complex: - root: inputs.File - Interval: - simple: "1" - Timeout: - simple: "15" - separatecontext: true - loop: - iscommand: false - exitCondition: "" - wait: 1 - max: 0 - view: |- - { - "position": { - "x": 480, - "y": 195 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: true - quietmode: 0 - "10": - id: "10" - taskid: 579d4c4e-ea47-490e-85ba-eb2b8d985873 - type: playbook - task: - id: 579d4c4e-ea47-490e-85ba-eb2b8d985873 - version: -1 - name: 
Detonate File - ThreatGrid - description: Detonate one or more files using the ThreatGrid integration. This - playbook returns relevant reports to the War Room and file reputations to - the context data. The detonation supports the following file types - EXE, - DLL, JAR, JS, PDF, DOC, DOCX, RTF, XLS, PPT, PPTX, XML, ZIP, VBN, SEP, XZ, - GZ, BZ2, TAR, MHTML, SWF, LNK, URL, MSI, JTD, JTT, JTDC, JTTC, HWP, HWT, HWPX, - BAT, HTA, PS1, VBS, WSF, JSE, VBE, CHM - playbookName: Detonate File - ThreatGrid - type: playbook - iscommand: false - brand: "" - nexttasks: - '#none#': - - "3" - scriptarguments: - File: - complex: - root: inputs.File - FileName: - simple: file-detonated-via-demisto - Interval: - simple: "1" - Private: {} - Source: {} - Tags: {} - Timeout: - simple: "15" - VM: {} - playbook: - simple: default - separatecontext: true - loop: - iscommand: false - exitCondition: "" - wait: 1 - max: 0 - view: |- - { - "position": { - "x": 910, - "y": 195 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: true - quietmode: 0 - "11": - id: "11" - taskid: 8fcc8803-c38d-4aae-8900-ccbc9d9a19ae - type: playbook - task: - id: 8fcc8803-c38d-4aae-8900-ccbc9d9a19ae - version: -1 - name: CrowdStrike Falcon Sandbox - Detonate file - description: Detonate one or more files using the CrowdStrike Falcon Sandbox - integration. This playbook returns relevant reports to the War Room and file - reputations to the context data. 
The detonation supports the following file - types - PE32, EXE, DLL, JAR, JS, PDF, DOC, DOCX, RTF, XLS, PPT, PPTX, XML, - ZIP, VBN, SEP, XZ, GZ, BZ2, TAR, MHTML, SWF, LNK, URL, MSI, JTD, JTT, JTDC, - JTTC, HWP, HWT, HWPX, BAT, HTA, PS1, VBS, WSF, JSE, VBE, CHM - playbookName: CrowdStrike Falcon Sandbox - Detonate file - type: playbook - iscommand: false - brand: "" - nexttasks: - '#none#': - - "3" - scriptarguments: - EnvironmentID: - simple: "100" - File: - complex: - root: inputs.File - Interval: - simple: "5" - Timeout: - simple: "30" - separatecontext: true - loop: - iscommand: false - exitCondition: "" - wait: 1 - max: 0 - view: |- - { - "position": { - "x": 1340, - "y": 195 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: true - quietmode: 0 - "13": - id: "13" - taskid: 5d6a8999-d509-45d4-81c8-3d86758f09ff - type: playbook - task: - id: 5d6a8999-d509-45d4-81c8-3d86758f09ff - version: -1 - name: WildFire - Detonate file - description: |- - Detonate one or more files using the Wildfire integration. This playbook - returns relevant reports to the War Room and file reputations to the context data. 
- The detonation supports the following file types - - APK, JAR, DOC, DOCX, RTF, XLS, XLSX, PPT, PPTX, OOXML, PE32, PDF, DMG, PKG, RAR, 7Z - playbookId: WildFire - Detonate file - type: playbook - iscommand: false - brand: "" - nexttasks: - '#none#': - - "3" - scriptarguments: - File: - complex: - root: inputs.File - Interval: - simple: "1" - ReportFileType: {} - Timeout: - simple: "15" - separatecontext: true - loop: - iscommand: false - exitCondition: "" - wait: 1 - max: 0 - view: |- - { - "position": { - "x": 1780, - "y": 195 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: true - quietmode: 0 - "14": - id: "14" - taskid: 2ea061e9-20ec-4db2-8561-833ebfb9924e - type: playbook - task: - id: 2ea061e9-20ec-4db2-8561-833ebfb9924e - version: -1 - name: Detonate File - Lastline v2 - description: |- - Detonates a File using the Lastline sandbox. - Lastline supports the following File Types: - EXE, SYS, DLL, COM, SCR, CPL, OCX, CGI, DOC, DOTM, DOCX, DOTX, XLS, PPAM, XSLX, PPS, XLSB, PPSX, XLSM, PPSM, PPT, PPTX, PPTM, RTF, SHS, XLTM, SLDM, XLTX, SLDX, XLAM, THMX, DOCM, XAR, JTD, JTDC, PDF, SWF, GZ, 7Z, TGZ, MSI, ZIP, LZH, CAB, LZMA, APK, JAR, CLASS, JPEG, PNG, GIF, CMD, ACE, BAT, ARJ, VBS, CHM, XML, LNK, URL, MOF, HTM, OCX, HTML, POTM, EML, POTX, MSG, PS, |VB, REG, VBA, WSC, VBE, WSF, VBS, WSH - playbookName: Detonate File - Lastline v2 - type: playbook - iscommand: false - brand: "" - nexttasks: - '#none#': - - "3" - scriptarguments: - File: - complex: - root: inputs.File - Interval: - simple: "1" - Timeout: - simple: "15" - separatecontext: true - loop: - iscommand: false - exitCondition: "" - wait: 1 - max: 0 - view: |- - { - "position": { - "x": 2200, - "y": 195 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: true - quietmode: 0 - "15": - id: "15" - taskid: f46bc6da-5b3b-4acd-8d8a-7d21e02c12f3 - type: playbook - task: - id: f46bc6da-5b3b-4acd-8d8a-7d21e02c12f3 - version: -1 - name: Detonate File - 
Cuckoo - description: Detonating file with Cuckoo - playbookName: Detonate File - Cuckoo - type: playbook - iscommand: false - brand: "" - nexttasks: - '#none#': - - "3" - scriptarguments: - File: - simple: ${inputs.File} - interval: - simple: "1" - timeout: - simple: "10" - separatecontext: true - loop: - iscommand: false - exitCondition: "" - wait: 1 - max: 0 - view: |- - { - "position": { - "x": 2630, - "y": 195 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: true - quietmode: 0 - "16": - id: "16" - taskid: b8804e5e-310a-43fe-86a9-ad68ed0641f4 - type: playbook - task: - id: b8804e5e-310a-43fe-86a9-ad68ed0641f4 - version: -1 - name: Detonate File - SNDBOX - description: |- - Detonates a File using the SNDBOX. - Advanced Threat Defense supports the following File Types: - Microsoft (2003 and earlier) - doc, dot, xls, csv, xlt, xlm, ppt, pot, pps - - Microsoft (2007 and later): - docx, docm, dotx, dotm, dotm, xlsx, xlsm, xltx, xltm, xlsb, xla, xlam, iqy, pptx, pptm, potx, ppsx, xml - - Other: - pe32, rtf, pdf, vbs, vbe, ps1, js, lnk, html, bat - playbookName: Detonate File - SNDBOX - type: playbook - iscommand: false - brand: "" - nexttasks: - '#none#': - - "3" - scriptarguments: - File: - complex: - root: File - Interval: - simple: "1" - Timeout: - simple: "15" - separatecontext: true - loop: - iscommand: false - exitCondition: "" - wait: 1 - max: 0 - view: |- - { - "position": { - "x": 3060, - "y": 195 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: true - quietmode: 0 - "17": - id: "17" - taskid: b10694a4-f49b-48f7-8e43-e6448541ff65 - type: playbook - task: - id: b10694a4-f49b-48f7-8e43-e6448541ff65 - version: -1 - name: Detonate File - HybridAnalysis - description: |- - Detonates one or more files using the Hybrid Analysis integration. - Returns relevant reports to the War Room and file reputations to the context data. - All file types are supported. 
- playbookName: Detonate File - HybridAnalysis - type: playbook - iscommand: false - brand: "" - nexttasks: - '#none#': - - "3" - scriptarguments: - Comments: {} - EnvironmentID: - simple: "100" - File: - complex: - root: File - InternetAccess: - simple: "True" - Interval: - simple: "1" - ReportFileType: {} - Systems: {} - Timeout: - simple: "15" - separatecontext: true - loop: - iscommand: false - exitCondition: "" - wait: 1 - max: 100 - view: |- - { - "position": { - "x": 3490, - "y": 195 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: true - quietmode: 0 - "18": - id: "18" - taskid: 08685dd3-4865-4dda-8b8a-4018c98e1518 - type: playbook - task: - id: 08685dd3-4865-4dda-8b8a-4018c98e1518 - version: -1 - name: Detonate File - ANYRUN - description: |- - Detonates one or more files using the ANYRUN sandbox integration. - Returns relevant reports to the War Room and file reputations to the context data. - All file types are supported. - playbookName: Detonate File - ANYRUN - type: playbook - iscommand: false - brand: "" - nexttasks: - '#none#': - - "3" - scriptarguments: - File: - complex: - root: File - Interval: - simple: "1" - Timeout: - simple: "15" - separatecontext: true - loop: - iscommand: false - exitCondition: "" - wait: 1 - max: 100 - view: |- - { - "position": { - "x": 3920, - "y": 195 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: true - quietmode: 0 - "19": - id: "19" - taskid: 0d0261e2-a689-46c1-8321-79cc173dac64 - type: playbook - task: - id: 0d0261e2-a689-46c1-8321-79cc173dac64 - version: -1 - name: Detonate File - FireEye AX - description: Detonate one or more files using the FireEye AX integration. This - playbook returns relevant reports to the War Room and file reputations to - the context data. 
The detonation supports the following file types - PE32, - EXE, DLL, JAR, JS, PDF, DOC, DOCX, RTF, XLS, PPT, PPTX, XML, ZIP, VBN, SEP, - XZ, GZ, BZ2, TAR, MHTML, SWF, LNK, URL, MSI, JTD, JTT, JTDC, JTTC, HWP, HWT, - HWPX, BAT, HTA, PS1, VBS, WSF, JSE, VBE, CHM, JPG, JPEG, GIF, PNG, XLSX - playbookName: Detonate File - FireEye AX - type: playbook - iscommand: false - brand: "" - nexttasks: - '#none#': - - "3" - separatecontext: true - loop: - iscommand: false - exitCondition: "" - wait: 1 - max: 0 - view: |- - { - "position": { - "x": 4350, - "y": 195 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: true - quietmode: 0 - "20": - id: "20" - taskid: 330dba59-a610-47a5-852d-5d9e4d39c7e9 - type: playbook - task: - id: 330dba59-a610-47a5-852d-5d9e4d39c7e9 - version: -1 - name: Detonate File - VMRay - description: Detonating file with VMRay - playbookName: Detonate File - VMRay - type: playbook - iscommand: false - brand: "" - nexttasks: - '#none#': - - "3" - scriptarguments: - File: - complex: - root: File - transformers: - - operator: uniq - archive_password: {} - document_password: {} - interval: - simple: "1" - max_jobs: {} - reanalyze: {} - sample_type: {} - shareable: {} - tags: {} - timeout: - simple: "10" - separatecontext: true - loop: - iscommand: false - exitCondition: "" - wait: 1 - max: 0 - view: |- - { - "position": { - "x": 4780, - "y": 195 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: true - quietmode: 0 -view: |- - { - "linkLabelsPosition": {}, - "paper": { - "dimensions": { - "height": 385, - "width": 5110, - "x": 50, - "y": 50 - } - } - } -inputs: -- key: EntryID - value: - complex: - root: File - accessor: EntryID - required: false - description: Entry ID of file to be detonated - playbookInputQuery: -- key: File - value: - complex: - root: File - required: false - description: File object of file to be detonated - playbookInputQuery: -outputs: -- contextPath: Joe.Analysis.Status - 
description: Analysis Status - type: string -- contextPath: Joe.Analysis.WebID - description: Web ID - type: string -- contextPath: File.Name - description: Filename (only in case of report type=json) - type: string -- contextPath: File.SHA1 - description: SHA1 of the file - type: string -- contextPath: File.SHA256 - description: SHA256 of the file - type: string -- contextPath: File.Size - description: File size (only in case of report type=json) - type: number -- contextPath: File.Type - description: File type e.g. "PE" (only in case of report type=json) - type: string -- contextPath: File.Malicious - description: The File malicious description - type: unknown -- contextPath: File.Malicious.Description - description: For malicious files, the reason for the vendor to make the decision - type: string -- contextPath: File.Malicious.Vendor - description: For malicious files, the vendor that made the decision - type: string -- contextPath: DBotScore - description: The Indicator's object - type: unknown -- contextPath: DBotScore.Indicator - description: The indicator that was tested - type: string -- contextPath: DBotScore.Score - description: The actual score - type: number -- contextPath: DBotScore.Type - description: The type of the indicator - type: string -- contextPath: DBotScore.Vendor - description: Vendor used to calculate the score - type: string -- contextPath: IP.Address - description: IP's relevant to the sample - type: string -- contextPath: DBotScore.Malicious.Vendor - description: Vendor used to calculate the score - type: string -- contextPath: DBotScore.Malicious.Detections - description: The sub analysis detection statuses - type: string -- contextPath: DBotScore.Malicious.SHA1 - description: The SHA1 of the file - type: string -- contextPath: Sample.State - description: The sample state -- contextPath: Sample.ID - description: The sample ID -- contextPath: File - description: The File's object - type: unknown -- contextPath: File.MD5 - description: 
MD5 of the file - type: string -- contextPath: Joe.Analysis.SampleName - description: Sample Data, could be a file name or URL - type: string -- contextPath: Joe.Analysis.Comments - description: Analysis Comments - type: string -- contextPath: Joe.Analysis.Time - description: Submitted Time - type: date -- contextPath: Joe.Analysis.Runs - description: Sub-Analysis Information - type: unknown -- contextPath: Joe.Analysis.Result - description: Analysis Results - type: string -- contextPath: Joe.Analysis.Errors - description: Raised errors during sampling - type: unknown -- contextPath: Joe.Analysis.Systems - description: Analysis OS - type: unknown -- contextPath: Joe.Analysis.MD5 - description: MD5 of analysis sample - type: string -- contextPath: Joe.Analysis.SHA1 - description: SHA1 of analysis sample - type: string -- contextPath: Joe.Analysis.SHA256 - description: SHA256 of analysis sample - type: string -- contextPath: InfoFile.Name - description: FileName of the report file - type: string -- contextPath: InfoFile.EntryID - description: The EntryID of the report file - type: string -- contextPath: InfoFile.Size - description: File Size - type: number -- contextPath: InfoFile.Type - description: File type e.g. 
"PE" - type: string -- contextPath: InfoFile.Info - description: Basic information of the file - type: string -- contextPath: File.Extension - description: File Extension - type: string -- contextPath: InfoFile - description: The report file's object - type: unknown -- contextPath: WildFire.Report - description: The submission object - type: unknown -- contextPath: WildFire.Report.Status - description: The status of the submission - type: string -- contextPath: WildFire.Report.SHA256 - description: SHA256 of the submission - type: string -- contextPath: WildFire.Report.MD5 - description: MD5 of the submission - type: string -- contextPath: WildFire.Report.FileType - description: The type of the submission - type: string -- contextPath: WildFire.Report.Size - description: The size of the submission - type: number -- contextPath: Joe.Analysis - description: Thee Analysis object - type: unknown -- contextPath: Cuckoo.Task.Category - description: Category of task -- contextPath: Cuckoo.Task.Machine - description: Machine of task -- contextPath: Cuckoo.Task.Errors - description: Errors of task -- contextPath: Cuckoo.Task.Target - description: Target of task -- contextPath: Cuckoo.Task.Package - description: Package of task -- contextPath: Cuckoo.Task.SampleID - description: Sample ID of task -- contextPath: Cuckoo.Task.Guest - description: Task guest -- contextPath: Cuckoo.Task.Custom - description: Custom values of task -- contextPath: Cuckoo.Task.Owner - description: Task owner -- contextPath: Cuckoo.Task.Priority - description: Priority of task -- contextPath: Cuckoo.Task.Platform - description: Platform of task -- contextPath: Cuckoo.Task.Options - description: Task options -- contextPath: Cuckoo.Task.Status - description: Task status -- contextPath: Cuckoo.Task.EnforceTimeout - description: Is timeout of task enforced -- contextPath: Cuckoo.Task.Timeout - description: Task timeout -- contextPath: Cuckoo.Task.Memory - description: Task memory -- contextPath: 
Cuckoo.Task.Tags - description: Task tags -- contextPath: Cuckoo.Task.ID - description: ID of task -- contextPath: Cuckoo.Task.AddedOn - description: Date on which the task was added -- contextPath: Cuckoo.Task.CompletedOn - description: Date on which the task was completed -- contextPath: Cuckoo.Task.Score - description: Reported score of the the task -- contextPath: Cuckoo.Task.Monitor - description: Monitor of the reported task -- contextPath: SNDBOX.Analysis.ID - description: Analysis ID - type: string -- contextPath: SNDBOX.Analysis.SampleName - description: Sample Data, could be a file name or URL - type: string -- contextPath: SNDBOX.Analysis.Status - description: Analysis Status - type: string -- contextPath: SNDBOX.Analysis.Time - description: Submitted Time - type: date -- contextPath: SNDBOX.Analysis.Result - description: Analysis Results - type: string -- contextPath: SNDBOX.Analysis.Errors - description: Raised errors during sampling -- contextPath: SNDBOX.Analysis.Link - description: Analysis Link - type: string -- contextPath: SNDBOX.Analysis.MD5 - description: MD5 of analysis sample - type: string -- contextPath: SNDBOX.Analysis.SHA1 - description: SHA1 of analysis sample - type: string -- contextPath: SNDBOX.Analysis.SHA256 - description: SHA256 of analysis sample - type: string -- contextPath: SNDBOX.Analysis - description: SNDBOX analysis - type: unknown -- contextPath: HybridAnalysis.Submit.State - description: The state of the process - type: string -- contextPath: HybridAnalysis.Submit.SHA256 - description: The submission SHA256 - type: string -- contextPath: HybridAnalysis.Submit.JobID - description: The JobID of the submission - type: string -- contextPath: HybridAnalysis.Submit.EnvironmentID - description: The environmentID of the submission - type: string -- contextPath: HybridAnalysis.Submit - description: The HybridAnalysis object - type: unknown -- contextPath: ANYRUN.Task.AnalysisDate - description: Date and time the analysis was 
executed. - type: String -- contextPath: ANYRUN.Task.Behavior.Category - description: Category of a process behavior. - type: String -- contextPath: ANYRUN.Task.Behavior.Action - description: Actions performed by a process. - type: String -- contextPath: ANYRUN.Task.Behavior.ThreatLevel - description: Threat score associated with a process behavior. - type: Number -- contextPath: ANYRUN.Task.Behavior.ProcessUUID - description: Unique ID of the process whose behaviors are being profiled. - type: String -- contextPath: ANYRUN.Task.Connection.Reputation - description: Connection reputation. - type: String -- contextPath: ANYRUN.Task.Connection.ProcessUUID - description: ID of the process that created the connection. - type: String -- contextPath: ANYRUN.Task.Connection.ASN - description: Connection autonomous system network. - type: String -- contextPath: ANYRUN.Task.Connection.Country - description: Connection country. - type: String -- contextPath: ANYRUN.Task.Connection.Protocol - description: Connection protocol. - type: String -- contextPath: ANYRUN.Task.Connection.Port - description: Connection port number. - type: Number -- contextPath: ANYRUN.Task.Connection.IP - description: Connection IP number. - type: String -- contextPath: ANYRUN.Task.DnsRequest.Reputation - description: Reputation of the DNS request. - type: String -- contextPath: ANYRUN.Task.DnsRequest.IP - description: IP addresses associated with a DNS request. - type: Unknown -- contextPath: ANYRUN.Task.DnsRequest.Domain - description: Domain resolution of a DNS request. - type: String -- contextPath: ANYRUN.Task.Threat.ProcessUUID - description: Unique process ID from where the threat originated. - type: String -- contextPath: ANYRUN.Task.Threat.Msg - description: Threat message. - type: String -- contextPath: ANYRUN.Task.Threat.Class - description: Class of the threat. - type: String -- contextPath: ANYRUN.Task.Threat.SrcPort - description: Port on which the threat originated. 
- type: Number -- contextPath: ANYRUN.Task.Threat.DstPort - description: Destination port of the threat. - type: Number -- contextPath: ANYRUN.Task.Threat.SrcIP - description: Source IP address where the threat originated. - type: String -- contextPath: ANYRUN.Task.Threat.DstIP - description: Destination IP address of the threat. - type: String -- contextPath: ANYRUN.Task.HttpRequest.Reputation - description: Reputation of the HTTP request. - type: String -- contextPath: ANYRUN.Task.HttpRequest.Country - description: HTTP request country. - type: String -- contextPath: ANYRUN.Task.HttpRequest.ProcessUUID - description: ID of the process making the HTTP request. - type: String -- contextPath: ANYRUN.Task.HttpRequest.Body - description: HTTP request body parameters and details. - type: Unknown -- contextPath: ANYRUN.Task.HttpRequest.HttpCode - description: HTTP request response code. - type: Number -- contextPath: ANYRUN.Task.HttpRequest.Status - description: Status of the HTTP request. - type: String -- contextPath: ANYRUN.Task.HttpRequest.ProxyDetected - description: Whether the HTTP request was made through a proxy. - type: Boolean -- contextPath: ANYRUN.Task.HttpRequest.Port - description: HTTP request port. - type: Number -- contextPath: ANYRUN.Task.HttpRequest.IP - description: HTTP request IP address. - type: String -- contextPath: ANYRUN.Task.HttpRequest.URL - description: HTTP request URL. - type: String -- contextPath: ANYRUN.Task.HttpRequest.Host - description: HTTP request host. - type: String -- contextPath: ANYRUN.Task.HttpRequest.Method - description: HTTP request method type. - type: String -- contextPath: ANYRUN.Task.FileInfo - description: Details of the submitted file. - type: String -- contextPath: ANYRUN.Task.OS - description: OS of the sandbox in which the file was analyzed. - type: String -- contextPath: ANYRUN.Task.ID - description: The unique ID of the task. 
- type: String -- contextPath: ANYRUN.Task.MIME - description: The MIME of the file submitted for analysis. - type: String -- contextPath: ANYRUN.Task.MD5 - description: The MD5 hash of the file submitted for analysis. - type: String -- contextPath: ANYRUN.Task.SHA1 - description: The SHA1 hash of the file submitted for analysis. - type: String -- contextPath: ANYRUN.Task.SHA256 - description: The SHA256 hash of the file submitted for analysis. - type: String -- contextPath: ANYRUN.Task.SSDeep - description: SSDeep hash of the file submitted for analysis. - type: String -- contextPath: ANYRUN.Task.Verdict - description: ANY.RUN verdict for the maliciousness of the submitted file or URL. - type: String -- contextPath: ANYRUN.Task.Process.FileName - description: File name of the process. - type: String -- contextPath: ANYRUN.Task.Process.PID - description: Process identification number. - type: Number -- contextPath: ANYRUN.Task.Process.PPID - description: Parent process identification number. - type: Number -- contextPath: ANYRUN.Task.Process.ProcessUUID - description: Unique process ID (used by ANY.RUN). - type: String -- contextPath: ANYRUN.Task.Process.CMD - description: Process command. - type: String -- contextPath: ANYRUN.Task.Process.Path - description: Path of the executed command. - type: String -- contextPath: ANYRUN.Task.Process.User - description: User who executed the command. - type: String -- contextPath: ANYRUN.Task.Process.IntegrityLevel - description: The process integrity level. - type: String -- contextPath: ANYRUN.Task.Process.ExitCode - description: Process exit code. - type: Number -- contextPath: ANYRUN.Task.Process.MainProcess - description: Whether the process is the main process. - type: Boolean -- contextPath: ANYRUN.Task.Process.Version.Company - description: Company responsible for the program executed. - type: String -- contextPath: ANYRUN.Task.Process.Version.Description - description: Description of the type of program. 
- type: String -- contextPath: ANYRUN.Task.Process.Version.Version - description: Version of the program executed. - type: String -- contextPath: File.Extension - description: Extension of the file submitted for analysis. - type: String -- contextPath: File.Name - description: The name of the file submitted for analysis. - type: String -- contextPath: File.MD5 - description: MD5 hash of the file submitted for analysis. - type: String -- contextPath: File.SHA1 - description: SHA1 hash of the file submitted for analysis. - type: String -- contextPath: File.SHA256 - description: SHA256 hash of the file submitted for analysis. - type: String -- contextPath: File.SSDeep - description: SSDeep hash of the file submitted for analysis. - type: String -- contextPath: File.Malicious.Vendor - description: For malicious files, the vendor that made the decision. - type: String -- contextPath: File.Malicious.Description - description: For malicious files, the reason that the vendor made the decision. - type: String -- contextPath: ANYRUN.Task.Status - description: Task analysis status. 
- type: String -fromversion: 4.0.0 -tests: -- Detonate File - Generic Test +id: Detonate File - Generic +version: -1 +name: Detonate File - Generic +description: Detonate file through active integrations that support file detonation +starttaskid: "0" +tasks: + "0": + id: "0" + taskid: 2ac07fca-26e2-4263-8b08-c3944731d448 + type: start + task: + id: 2ac07fca-26e2-4263-8b08-c3944731d448 + version: -1 + name: "" + description: Playbook start point + iscommand: false + brand: "" + nexttasks: + '#none#': + - "8" + - "10" + - "9" + - "11" + - "13" + - "14" + - "15" + - "16" + - "17" + - "18" + - "19" + - "20" + - "21" + separatecontext: false + view: |- + { + "position": { + "x": 2200, + "y": 50 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + "3": + id: "3" + taskid: 0fb13cc0-f182-49f6-8ced-38ddfe5c5d6e + type: title + task: + id: 0fb13cc0-f182-49f6-8ced-38ddfe5c5d6e + version: -1 + name: Done + description: Done + type: title + iscommand: false + brand: "" + separatecontext: false + view: |- + { + "position": { + "x": 2200, + "y": 370 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + "8": + id: "8" + taskid: eb680898-4271-4270-8249-7de1acc7cea9 + type: playbook + task: + id: eb680898-4271-4270-8249-7de1acc7cea9 + version: -1 + name: Detonate File - JoeSecurity + description: |- + Detonates one or more files using the Joe Security - Joe Sandbox integration. + Returns relevant reports to the War Room and file reputations to the context data. + All file types are supported. 
+ playbookName: Detonate File - JoeSecurity
+ type: playbook
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "3"
+ separatecontext: true
+ loop:
+ iscommand: false
+ exitCondition: ""
+ wait: 1
+ max: 0
+ view: |-
+ {
+ "position": {
+ "x": 50,
+ "y": 195
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: true
+ quietmode: 0
+ "9":
+ id: "9"
+ taskid: de2bc919-5bdb-4bdf-8346-dea2f40822d1
+ type: playbook
+ task:
+ id: de2bc919-5bdb-4bdf-8346-dea2f40822d1
+ version: -1
+ name: ATD - Detonate File
+ description: |-
+ Detonates a File using the McAfee Advanced Threat Defense sandbox.
+ Advanced Threat Defense supports the following File Types:
+ 32-bit Portable Executables (PE)files; 64-bit PE+files
+ exe, sys, dll, com, scr, cpl, ocx, cgi
+ Microsoft Office Suite documents
+ doc,dotm, docx, dotx, xls, ppam, xlsx, pps, xlsb, ppsx, xlsm, ppsm, ppt, ppt, pptx, pptm, rtf, shs, xltm, sldm, xltx, sldx, xlam, thmx, docm, xar
+ Just Systems Ichitaro documents
+ jtd, jtdc
+ Adobe
+ pdf, swf
+ Compressed files
+ gz, 7z, tgz, msi, zip, lzh, cab, lzma, rar
+ Android application package
+ apk, Java, JAR, CLASS, Java Script, Java bin files
+ Image files
+ jpeg, png, gif
+ Other file types
+ cmd, ace, bat, arj, vbs, chm, xml, lnk, url, mof, htm, ocx, html, potm, eml, potx, msg, ps1, vb, reg, vba, wsc, vbe, wsf, vbs, wsh
+ playbookName: ATD - Detonate File
+ type: playbook
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "3"
+ scriptarguments:
+ File:
+ complex:
+ root: inputs.File
+ Interval:
+ simple: "1"
+ Timeout:
+ simple: "15"
+ separatecontext: true
+ loop:
+ iscommand: false
+ exitCondition: ""
+ wait: 1
+ max: 0
+ view: |-
+ {
+ "position": {
+ "x": 480,
+ "y": 195
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: true
+ quietmode: 0
+ "10":
+ id: "10"
+ taskid: 579d4c4e-ea47-490e-85ba-eb2b8d985873
+ type: playbook
+ task:
+ id: 579d4c4e-ea47-490e-85ba-eb2b8d985873
+ version: -1
+ name: Detonate File - ThreatGrid
+ description: Detonate one or more files using the ThreatGrid integration. This
+ playbook returns relevant reports to the War Room and file reputations to
+ the context data. The detonation supports the following file types - EXE,
+ DLL, JAR, JS, PDF, DOC, DOCX, RTF, XLS, PPT, PPTX, XML, ZIP, VBN, SEP, XZ,
+ GZ, BZ2, TAR, MHTML, SWF, LNK, URL, MSI, JTD, JTT, JTDC, JTTC, HWP, HWT, HWPX,
+ BAT, HTA, PS1, VBS, WSF, JSE, VBE, CHM
+ playbookName: Detonate File - ThreatGrid
+ type: playbook
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "3"
+ scriptarguments:
+ File:
+ complex:
+ root: inputs.File
+ FileName:
+ simple: file-detonated-via-demisto
+ Interval:
+ simple: "1"
+ Private: {}
+ Source: {}
+ Tags: {}
+ Timeout:
+ simple: "15"
+ VM: {}
+ playbook:
+ simple: default
+ separatecontext: true
+ loop:
+ iscommand: false
+ exitCondition: ""
+ wait: 1
+ max: 0
+ view: |-
+ {
+ "position": {
+ "x": 910,
+ "y": 195
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: true
+ quietmode: 0
+ "11":
+ id: "11"
+ taskid: 8fcc8803-c38d-4aae-8900-ccbc9d9a19ae
+ type: playbook
+ task:
+ id: 8fcc8803-c38d-4aae-8900-ccbc9d9a19ae
+ version: -1
+ name: CrowdStrike Falcon Sandbox - Detonate file
+ description: Detonate one or more files using the CrowdStrike Falcon Sandbox
+ integration. This playbook returns relevant reports to the War Room and file
+ reputations to the context data. The detonation supports the following file
+ types - PE32, EXE, DLL, JAR, JS, PDF, DOC, DOCX, RTF, XLS, PPT, PPTX, XML,
+ ZIP, VBN, SEP, XZ, GZ, BZ2, TAR, MHTML, SWF, LNK, URL, MSI, JTD, JTT, JTDC,
+ JTTC, HWP, HWT, HWPX, BAT, HTA, PS1, VBS, WSF, JSE, VBE, CHM
+ playbookName: CrowdStrike Falcon Sandbox - Detonate file
+ type: playbook
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "3"
+ scriptarguments:
+ EnvironmentID:
+ simple: "100"
+ File:
+ complex:
+ root: inputs.File
+ Interval:
+ simple: "5"
+ Timeout:
+ simple: "30"
+ separatecontext: true
+ loop:
+ iscommand: false
+ exitCondition: ""
+ wait: 1
+ max: 0
+ view: |-
+ {
+ "position": {
+ "x": 1340,
+ "y": 195
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: true
+ quietmode: 0
+ "13":
+ id: "13"
+ taskid: 5d6a8999-d509-45d4-81c8-3d86758f09ff
+ type: playbook
+ task:
+ id: 5d6a8999-d509-45d4-81c8-3d86758f09ff
+ version: -1
+ name: WildFire - Detonate file
+ description: |-
+ Detonate one or more files using the Wildfire integration. This playbook
+ returns relevant reports to the War Room and file reputations to the context data.
+ The detonation supports the following file types -
+ APK, JAR, DOC, DOCX, RTF, XLS, XLSX, PPT, PPTX, OOXML, PE32, PDF, DMG, PKG, RAR, 7Z
+ playbookName: WildFire - Detonate file
+ type: playbook
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "3"
+ scriptarguments:
+ File:
+ complex:
+ root: inputs.File
+ Interval:
+ simple: "1"
+ ReportFileType: {}
+ Timeout:
+ simple: "15"
+ separatecontext: true
+ loop:
+ iscommand: false
+ exitCondition: ""
+ wait: 1
+ max: 0
+ view: |-
+ {
+ "position": {
+ "x": 1780,
+ "y": 195
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: true
+ quietmode: 0
+ "14":
+ id: "14"
+ taskid: 2ea061e9-20ec-4db2-8561-833ebfb9924e
+ type: playbook
+ task:
+ id: 2ea061e9-20ec-4db2-8561-833ebfb9924e
+ version: -1
+ name: Detonate File - Lastline v2
+ description: |-
+ Detonates a File using the Lastline sandbox.
+ Lastline supports the following File Types:
+ EXE, SYS, DLL, COM, SCR, CPL, OCX, CGI, DOC, DOTM, DOCX, DOTX, XLS, PPAM, XSLX, PPS, XLSB, PPSX, XLSM, PPSM, PPT, PPTX, PPTM, RTF, SHS, XLTM, SLDM, XLTX, SLDX, XLAM, THMX, DOCM, XAR, JTD, JTDC, PDF, SWF, GZ, 7Z, TGZ, MSI, ZIP, LZH, CAB, LZMA, APK, JAR, CLASS, JPEG, PNG, GIF, CMD, ACE, BAT, ARJ, VBS, CHM, XML, LNK, URL, MOF, HTM, OCX, HTML, POTM, EML, POTX, MSG, PS, |VB, REG, VBA, WSC, VBE, WSF, VBS, WSH
+ playbookName: Detonate File - Lastline v2
+ type: playbook
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "3"
+ scriptarguments:
+ File:
+ complex:
+ root: inputs.File
+ Interval:
+ simple: "1"
+ Timeout:
+ simple: "15"
+ separatecontext: true
+ loop:
+ iscommand: false
+ exitCondition: ""
+ wait: 1
+ max: 0
+ view: |-
+ {
+ "position": {
+ "x": 2200,
+ "y": 195
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: true
+ quietmode: 0
+ "15":
+ id: "15"
+ taskid: f46bc6da-5b3b-4acd-8d8a-7d21e02c12f3
+ type: playbook
+ task:
+ id: f46bc6da-5b3b-4acd-8d8a-7d21e02c12f3
+ version: -1
+ name: Detonate File - Cuckoo
+ description: Detonating file with Cuckoo
+ playbookName: Detonate File - Cuckoo
+ type: playbook
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "3"
+ scriptarguments:
+ File:
+ simple: ${inputs.File}
+ interval:
+ simple: "1"
+ timeout:
+ simple: "10"
+ separatecontext: true
+ loop:
+ iscommand: false
+ exitCondition: ""
+ wait: 1
+ max: 0
+ view: |-
+ {
+ "position": {
+ "x": 2630,
+ "y": 195
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: true
+ quietmode: 0
+ "16":
+ id: "16"
+ taskid: b8804e5e-310a-43fe-86a9-ad68ed0641f4
+ type: playbook
+ task:
+ id: b8804e5e-310a-43fe-86a9-ad68ed0641f4
+ version: -1
+ name: Detonate File - SNDBOX
+ description: |-
+ Detonates a File using the SNDBOX.
+ Advanced Threat Defense supports the following File Types:
+ Microsoft (2003 and earlier)
+ doc, dot, xls, csv, xlt, xlm, ppt, pot, pps
+
+ Microsoft (2007 and later):
+ docx, docm, dotx, dotm, dotm, xlsx, xlsm, xltx, xltm, xlsb, xla, xlam, iqy, pptx, pptm, potx, ppsx, xml
+
+ Other:
+ pe32, rtf, pdf, vbs, vbe, ps1, js, lnk, html, bat
+ playbookName: Detonate File - SNDBOX
+ type: playbook
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "3"
+ scriptarguments:
+ File:
+ complex:
+ root: File
+ Interval:
+ simple: "1"
+ Timeout:
+ simple: "15"
+ separatecontext: true
+ loop:
+ iscommand: false
+ exitCondition: ""
+ wait: 1
+ max: 0
+ view: |-
+ {
+ "position": {
+ "x": 3060,
+ "y": 195
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: true
+ quietmode: 0
+ "17":
+ id: "17"
+ taskid: b10694a4-f49b-48f7-8e43-e6448541ff65
+ type: playbook
+ task:
+ id: b10694a4-f49b-48f7-8e43-e6448541ff65
+ version: -1
+ name: Detonate File - HybridAnalysis
+ description: |-
+ Detonates one or more files using the Hybrid Analysis integration.
+ Returns relevant reports to the War Room and file reputations to the context data.
+ All file types are supported.
+ playbookName: Detonate File - HybridAnalysis
+ type: playbook
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "3"
+ scriptarguments:
+ Comments: {}
+ EnvironmentID:
+ simple: "100"
+ File:
+ complex:
+ root: File
+ InternetAccess:
+ simple: "True"
+ Interval:
+ simple: "1"
+ ReportFileType: {}
+ Systems: {}
+ Timeout:
+ simple: "15"
+ separatecontext: true
+ loop:
+ iscommand: false
+ exitCondition: ""
+ wait: 1
+ max: 100
+ view: |-
+ {
+ "position": {
+ "x": 3490,
+ "y": 195
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: true
+ quietmode: 0
+ "18":
+ id: "18"
+ taskid: 08685dd3-4865-4dda-8b8a-4018c98e1518
+ type: playbook
+ task:
+ id: 08685dd3-4865-4dda-8b8a-4018c98e1518
+ version: -1
+ name: Detonate File - ANYRUN
+ description: |-
+ Detonates one or more files using the ANYRUN sandbox integration.
+ Returns relevant reports to the War Room and file reputations to the context data.
+ All file types are supported.
+ playbookName: Detonate File - ANYRUN
+ type: playbook
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "3"
+ scriptarguments:
+ File:
+ complex:
+ root: File
+ Interval:
+ simple: "1"
+ Timeout:
+ simple: "15"
+ separatecontext: true
+ loop:
+ iscommand: false
+ exitCondition: ""
+ wait: 1
+ max: 100
+ view: |-
+ {
+ "position": {
+ "x": 3920,
+ "y": 195
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: true
+ quietmode: 0
+ "19":
+ id: "19"
+ taskid: 0d0261e2-a689-46c1-8321-79cc173dac64
+ type: playbook
+ task:
+ id: 0d0261e2-a689-46c1-8321-79cc173dac64
+ version: -1
+ name: Detonate File - FireEye AX
+ description: Detonate one or more files using the FireEye AX integration. This
+ playbook returns relevant reports to the War Room and file reputations to
+ the context data. The detonation supports the following file types - PE32,
+ EXE, DLL, JAR, JS, PDF, DOC, DOCX, RTF, XLS, PPT, PPTX, XML, ZIP, VBN, SEP,
+ XZ, GZ, BZ2, TAR, MHTML, SWF, LNK, URL, MSI, JTD, JTT, JTDC, JTTC, HWP, HWT,
+ HWPX, BAT, HTA, PS1, VBS, WSF, JSE, VBE, CHM, JPG, JPEG, GIF, PNG, XLSX
+ playbookName: Detonate File - FireEye AX
+ type: playbook
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "3"
+ separatecontext: true
+ loop:
+ iscommand: false
+ exitCondition: ""
+ wait: 1
+ max: 0
+ view: |-
+ {
+ "position": {
+ "x": 4350,
+ "y": 195
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: true
+ quietmode: 0
+ "20":
+ id: "20"
+ taskid: 330dba59-a610-47a5-852d-5d9e4d39c7e9
+ type: playbook
+ task:
+ id: 330dba59-a610-47a5-852d-5d9e4d39c7e9
+ version: -1
+ name: Detonate File - VMRay
+ description: Detonating file with VMRay
+ playbookName: Detonate File - VMRay
+ type: playbook
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "3"
+ scriptarguments:
+ File:
+ complex:
+ root: File
+ transformers:
+ - operator: uniq
+ archive_password: {}
+ document_password: {}
+ interval:
+ simple: "1"
+ max_jobs: {}
+ reanalyze: {}
+ sample_type: {}
+ shareable: {}
+ tags: {}
+ timeout:
+ simple: "10"
+ separatecontext: true
+ loop:
+ iscommand: false
+ exitCondition: ""
+ wait: 1
+ max: 0
+ view: |-
+ {
+ "position": {
+ "x": 4780,
+ "y": 195
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: true
+ quietmode: 0
+ "21":
+ id: "21"
+ taskid: 83643c76-d978-48d1-803e-33d86c24e2a2
+ type: playbook
+ task:
+ id: 83643c76-d978-48d1-803e-33d86c24e2a2
+ version: -1
+ name: Detonate File - Group-IB TDS Polygon
+ playbookName: Detonate File - Group-IB TDS Polygon
+ type: playbook
+ iscommand: false
+ brand: ""
+ description: ''
+ nexttasks:
+ '#none#':
+ - "3"
+ scriptarguments:
+ Interval:
+ simple: "1"
+ Timeout:
+ simple: "60"
+ file_id:
+ complex:
+ root: File
+ accessor: EntryID
+ separatecontext: true
+ loop:
+ iscommand: false
+ exitCondition: ""
+ wait: 1
+ max: 100
+ view: |-
+ {
+ "position": {
+ "x": -380,
+ "y": 195
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: true
+ quietmode: 0
+view: |-
+ {
+ "linkLabelsPosition": {},
+ "paper": {
+ "dimensions": {
+ "height": 385,
+ "width": 5540,
+ "x": -380,
+ "y": 50
+ }
+ }
+ }
+inputs:
+- key: EntryID
+ value:
+ complex:
+ root: File
+ accessor: EntryID
+ required: false
+ description: Entry ID of file to be detonated
+ playbookInputQuery:
+- key: File
+ value:
+ complex:
+ root: File
+ required: false
+ description: File object of file to be detonated
+ playbookInputQuery:
+outputs:
+- contextPath: Joe.Analysis.Status
+ description: Analysis Status
+ type: string
+- contextPath: Joe.Analysis.WebID
+ description: Web ID
+ type: string
+- contextPath: File.Name
+ description: Filename (only in case of report type=json)
+ type: string
+- contextPath: File.SHA1
+ description: SHA1 of the file
+ type: string
+- contextPath: File.SHA256
+ description: SHA256 of the file
+ type: string
+- contextPath: File.Size
+ description: File size (only in case of report type=json)
+ type: number
+- contextPath: File.Type
+ description: File type e.g. "PE" (only in case of report type=json)
+ type: string
+- contextPath: File.Malicious
+ description: The File malicious description
+ type: unknown
+- contextPath: File.Malicious.Description
+ description: For malicious files, the reason for the vendor to make the decision
+ type: string
+- contextPath: File.Malicious.Vendor
+ description: For malicious files, the vendor that made the decision
+ type: string
+- contextPath: DBotScore
+ description: The Indicator's object
+ type: unknown
+- contextPath: DBotScore.Indicator
+ description: The indicator that was tested
+ type: string
+- contextPath: DBotScore.Score
+ description: The actual score
+ type: number
+- contextPath: DBotScore.Type
+ description: The type of the indicator
+ type: string
+- contextPath: DBotScore.Vendor
+ description: Vendor used to calculate the score
+ type: string
+- contextPath: IP.Address
+ description: IP's relevant to the sample
+ type: string
+- contextPath: DBotScore.Malicious.Vendor
+ description: Vendor used to calculate the score
+ type: string
+- contextPath: DBotScore.Malicious.Detections
+ description: The sub analysis detection statuses
+ type: string
+- contextPath: DBotScore.Malicious.SHA1
+ description: The SHA1 of the file
+ type: string
+- contextPath: Sample.State
+ description: The sample state
+- contextPath: Sample.ID
+ description: The sample ID
+- contextPath: File
+ description: The File's object
+ type: unknown
+- contextPath: File.MD5
+ description: MD5 of the file
+ type: string
+- contextPath: Joe.Analysis.SampleName
+ description: Sample Data, could be a file name or URL
+ type: string
+- contextPath: Joe.Analysis.Comments
+ description: Analysis Comments
+ type: string
+- contextPath: Joe.Analysis.Time
+ description: Submitted Time
+ type: date
+- contextPath: Joe.Analysis.Runs
+ description: Sub-Analysis Information
+ type: unknown
+- contextPath: Joe.Analysis.Result
+ description: Analysis Results
+ type: string
+- contextPath: Joe.Analysis.Errors
+ description: Raised errors during sampling
+ type: unknown
+- contextPath: Joe.Analysis.Systems
+ description: Analysis OS
+ type: unknown
+- contextPath: Joe.Analysis.MD5
+ description: MD5 of analysis sample
+ type: string
+- contextPath: Joe.Analysis.SHA1
+ description: SHA1 of analysis sample
+ type: string
+- contextPath: Joe.Analysis.SHA256
+ description: SHA256 of analysis sample
+ type: string
+- contextPath: InfoFile.Name
+ description: FileName of the report file
+ type: string
+- contextPath: InfoFile.EntryID
+ description: The EntryID of the report file
+ type: string
+- contextPath: InfoFile.Size
+ description: File Size
+ type: number
+- contextPath: InfoFile.Type
+ description: File type e.g. "PE"
+ type: string
+- contextPath: InfoFile.Info
+ description: Basic information of the file
+ type: string
+- contextPath: File.Extension
+ description: File Extension
+ type: string
+- contextPath: InfoFile
+ description: The report file's object
+ type: unknown
+- contextPath: WildFire.Report
+ description: The submission object
+ type: unknown
+- contextPath: WildFire.Report.Status
+ description: The status of the submission
+ type: string
+- contextPath: WildFire.Report.SHA256
+ description: SHA256 of the submission
+ type: string
+- contextPath: WildFire.Report.MD5
+ description: MD5 of the submission
+ type: string
+- contextPath: WildFire.Report.FileType
+ description: The type of the submission
+ type: string
+- contextPath: WildFire.Report.Size
+ description: The size of the submission
+ type: number
+- contextPath: Joe.Analysis
+ description: Thee Analysis object
+ type: unknown
+- contextPath: Cuckoo.Task.Category
+ description: Category of task
+- contextPath: Cuckoo.Task.Machine
+ description: Machine of task
+- contextPath: Cuckoo.Task.Errors
+ description: Errors of task
+- contextPath: Cuckoo.Task.Target
+ description: Target of task
+- contextPath: Cuckoo.Task.Package
+ description: Package of task
+- contextPath: Cuckoo.Task.SampleID
+ description: Sample ID of task
+- contextPath: Cuckoo.Task.Guest
+ description: Task guest
+- contextPath: Cuckoo.Task.Custom
+ description: Custom values of task
+- contextPath: Cuckoo.Task.Owner
+ description: Task owner
+- contextPath: Cuckoo.Task.Priority
+ description: Priority of task
+- contextPath: Cuckoo.Task.Platform
+ description: Platform of task
+- contextPath: Cuckoo.Task.Options
+ description: Task options
+- contextPath: Cuckoo.Task.Status
+ description: Task status
+- contextPath: Cuckoo.Task.EnforceTimeout
+ description: Is timeout of task enforced
+- contextPath: Cuckoo.Task.Timeout
+ description: Task timeout
+- contextPath: Cuckoo.Task.Memory
+ description: Task memory
+- contextPath: Cuckoo.Task.Tags
+ description: Task tags
+- contextPath: Cuckoo.Task.ID
+ description: ID of task
+- contextPath: Cuckoo.Task.AddedOn
+ description: Date on which the task was added
+- contextPath: Cuckoo.Task.CompletedOn
+ description: Date on which the task was completed
+- contextPath: Cuckoo.Task.Score
+ description: Reported score of the the task
+- contextPath: Cuckoo.Task.Monitor
+ description: Monitor of the reported task
+- contextPath: SNDBOX.Analysis.ID
+ description: Analysis ID
+ type: string
+- contextPath: SNDBOX.Analysis.SampleName
+ description: Sample Data, could be a file name or URL
+ type: string
+- contextPath: SNDBOX.Analysis.Status
+ description: Analysis Status
+ type: string
+- contextPath: SNDBOX.Analysis.Time
+ description: Submitted Time
+ type: date
+- contextPath: SNDBOX.Analysis.Result
+ description: Analysis Results
+ type: string
+- contextPath: SNDBOX.Analysis.Errors
+ description: Raised errors during sampling
+- contextPath: SNDBOX.Analysis.Link
+ description: Analysis Link
+ type: string
+- contextPath: SNDBOX.Analysis.MD5
+ description: MD5 of analysis sample
+ type: string
+- contextPath: SNDBOX.Analysis.SHA1
+ description: SHA1 of analysis sample
+ type: string
+- contextPath: SNDBOX.Analysis.SHA256
+ description: SHA256 of analysis sample
+ type: string
+- contextPath: SNDBOX.Analysis
+ description: SNDBOX analysis
+ type: unknown
+- contextPath: HybridAnalysis.Submit.State
+ description: The state of the process
+ type: string
+- contextPath: HybridAnalysis.Submit.SHA256
+ description: The submission SHA256
+ type: string
+- contextPath: HybridAnalysis.Submit.JobID
+ description: The JobID of the submission
+ type: string
+- contextPath: HybridAnalysis.Submit.EnvironmentID
+ description: The environmentID of the submission
+ type: string
+- contextPath: HybridAnalysis.Submit
+ description: The HybridAnalysis object
+ type: unknown
+- contextPath: ANYRUN.Task.AnalysisDate
+ description: Date and time the analysis was executed.
+ type: String
+- contextPath: ANYRUN.Task.Behavior.Category
+ description: Category of a process behavior.
+ type: String
+- contextPath: ANYRUN.Task.Behavior.Action
+ description: Actions performed by a process.
+ type: String
+- contextPath: ANYRUN.Task.Behavior.ThreatLevel
+ description: Threat score associated with a process behavior.
+ type: Number
+- contextPath: ANYRUN.Task.Behavior.ProcessUUID
+ description: Unique ID of the process whose behaviors are being profiled.
+ type: String
+- contextPath: ANYRUN.Task.Connection.Reputation
+ description: Connection reputation.
+ type: String
+- contextPath: ANYRUN.Task.Connection.ProcessUUID
+ description: ID of the process that created the connection.
+ type: String
+- contextPath: ANYRUN.Task.Connection.ASN
+ description: Connection autonomous system network.
+ type: String
+- contextPath: ANYRUN.Task.Connection.Country
+ description: Connection country.
+ type: String
+- contextPath: ANYRUN.Task.Connection.Protocol
+ description: Connection protocol.
+ type: String
+- contextPath: ANYRUN.Task.Connection.Port
+ description: Connection port number.
+ type: Number
+- contextPath: ANYRUN.Task.Connection.IP
+ description: Connection IP number.
+ type: String
+- contextPath: ANYRUN.Task.DnsRequest.Reputation
+ description: Reputation of the DNS request.
+ type: String
+- contextPath: ANYRUN.Task.DnsRequest.IP
+ description: IP addresses associated with a DNS request.
+ type: Unknown
+- contextPath: ANYRUN.Task.DnsRequest.Domain
+ description: Domain resolution of a DNS request.
+ type: String
+- contextPath: ANYRUN.Task.Threat.ProcessUUID
+ description: Unique process ID from where the threat originated.
+ type: String
+- contextPath: ANYRUN.Task.Threat.Msg
+ description: Threat message.
+ type: String
+- contextPath: ANYRUN.Task.Threat.Class
+ description: Class of the threat.
+ type: String
+- contextPath: ANYRUN.Task.Threat.SrcPort
+ description: Port on which the threat originated.
+ type: Number
+- contextPath: ANYRUN.Task.Threat.DstPort
+ description: Destination port of the threat.
+ type: Number
+- contextPath: ANYRUN.Task.Threat.SrcIP
+ description: Source IP address where the threat originated.
+ type: String
+- contextPath: ANYRUN.Task.Threat.DstIP
+ description: Destination IP address of the threat.
+ type: String
+- contextPath: ANYRUN.Task.HttpRequest.Reputation
+ description: Reputation of the HTTP request.
+ type: String
+- contextPath: ANYRUN.Task.HttpRequest.Country
+ description: HTTP request country.
+ type: String
+- contextPath: ANYRUN.Task.HttpRequest.ProcessUUID
+ description: ID of the process making the HTTP request.
+ type: String
+- contextPath: ANYRUN.Task.HttpRequest.Body
+ description: HTTP request body parameters and details.
+ type: Unknown
+- contextPath: ANYRUN.Task.HttpRequest.HttpCode
+ description: HTTP request response code.
+ type: Number
+- contextPath: ANYRUN.Task.HttpRequest.Status
+ description: Status of the HTTP request.
+ type: String
+- contextPath: ANYRUN.Task.HttpRequest.ProxyDetected
+ description: Whether the HTTP request was made through a proxy.
+ type: Boolean
+- contextPath: ANYRUN.Task.HttpRequest.Port
+ description: HTTP request port.
+ type: Number
+- contextPath: ANYRUN.Task.HttpRequest.IP
+ description: HTTP request IP address.
+ type: String
+- contextPath: ANYRUN.Task.HttpRequest.URL
+ description: HTTP request URL.
+ type: String
+- contextPath: ANYRUN.Task.HttpRequest.Host
+ description: HTTP request host.
+ type: String
+- contextPath: ANYRUN.Task.HttpRequest.Method
+ description: HTTP request method type.
+ type: String
+- contextPath: ANYRUN.Task.FileInfo
+ description: Details of the submitted file.
+ type: String
+- contextPath: ANYRUN.Task.OS
+ description: OS of the sandbox in which the file was analyzed.
+ type: String
+- contextPath: ANYRUN.Task.ID
+ description: The unique ID of the task.
+ type: String
+- contextPath: ANYRUN.Task.MIME
+ description: The MIME of the file submitted for analysis.
+ type: String
+- contextPath: ANYRUN.Task.MD5
+ description: The MD5 hash of the file submitted for analysis.
+ type: String
+- contextPath: ANYRUN.Task.SHA1
+ description: The SHA1 hash of the file submitted for analysis.
+ type: String
+- contextPath: ANYRUN.Task.SHA256
+ description: The SHA256 hash of the file submitted for analysis.
+ type: String
+- contextPath: ANYRUN.Task.SSDeep
+ description: SSDeep hash of the file submitted for analysis.
+ type: String
+- contextPath: ANYRUN.Task.Verdict
+ description: ANY.RUN verdict for the maliciousness of the submitted file or URL.
+ type: String
+- contextPath: ANYRUN.Task.Process.FileName
+ description: File name of the process.
+ type: String
+- contextPath: ANYRUN.Task.Process.PID
+ description: Process identification number.
+ type: Number
+- contextPath: ANYRUN.Task.Process.PPID
+ description: Parent process identification number.
+ type: Number
+- contextPath: ANYRUN.Task.Process.ProcessUUID
+ description: Unique process ID (used by ANY.RUN).
+ type: String
+- contextPath: ANYRUN.Task.Process.CMD
+ description: Process command.
+ type: String
+- contextPath: ANYRUN.Task.Process.Path
+ description: Path of the executed command.
+ type: String
+- contextPath: ANYRUN.Task.Process.User
+ description: User who executed the command.
+ type: String
+- contextPath: ANYRUN.Task.Process.IntegrityLevel
+ description: The process integrity level.
+ type: String
+- contextPath: ANYRUN.Task.Process.ExitCode
+ description: Process exit code.
+ type: Number
+- contextPath: ANYRUN.Task.Process.MainProcess
+ description: Whether the process is the main process.
+ type: Boolean
+- contextPath: ANYRUN.Task.Process.Version.Company
+ description: Company responsible for the program executed.
+ type: String
+- contextPath: ANYRUN.Task.Process.Version.Description
+ description: Description of the type of program.
+ type: String
+- contextPath: ANYRUN.Task.Process.Version.Version
+ description: Version of the program executed.
+ type: String
+- contextPath: File.Extension
+ description: Extension of the file submitted for analysis.
+ type: String
+- contextPath: File.Name
+ description: The name of the file submitted for analysis.
+ type: String
+- contextPath: File.MD5
+ description: MD5 hash of the file submitted for analysis.
+ type: String
+- contextPath: File.SHA1
+ description: SHA1 hash of the file submitted for analysis.
+ type: String
+- contextPath: File.SHA256
+ description: SHA256 hash of the file submitted for analysis.
+ type: String
+- contextPath: File.SSDeep
+ description: SSDeep hash of the file submitted for analysis.
+ type: String
+- contextPath: File.Malicious.Vendor
+ description: For malicious files, the vendor that made the decision.
+ type: String
+- contextPath: File.Malicious.Description
+ description: For malicious files, the reason that the vendor made the decision.
+ type: String
+- contextPath: ANYRUN.Task.Status
+ description: Task analysis status.
+ type: String
+fromversion: 5.0.0
+tests:
+- Detonate File - Generic Test
diff --git a/Packs/CommonPlaybooks/Playbooks/playbook-Detonate_File_-_Generic_README.md b/Packs/CommonPlaybooks/Playbooks/playbook-Detonate_File_-_Generic_README.md index fb17d56e39ac..7ab2d51305ef 100644 --- a/Packs/CommonPlaybooks/Playbooks/playbook-Detonate_File_-_Generic_README.md +++ b/Packs/CommonPlaybooks/Playbooks/playbook-Detonate_File_-_Generic_README.md @@ -1,21 +1,22 @@ -Detonates a file through active integrations that support file detonation. +Detonate file through active integrations that support file detonation ## Dependencies This playbook uses the following sub-playbooks, integrations, and scripts. ### Sub-playbooks -* Detonate File - Cuckoo -* Detonate File - Lastline v2 -* Detonate File - ThreatGrid +* Detonate File - Group-IB TDS Polygon +* Detonate File - HybridAnalysis +* WildFire - Detonate file * CrowdStrike Falcon Sandbox - Detonate file +* Detonate File - FireEye AX +* Detonate File - JoeSecurity +* Detonate File - ANYRUN +* Detonate File - ThreatGrid * ATD - Detonate File -* WildFire - Detonate file -* Detonate File - HybridAnalysis * Detonate File - SNDBOX -* Detonate File - FireEye AX +* Detonate File - Cuckoo +* Detonate File - Lastline v2 * Detonate File - VMRay -* Detonate File - ANYRUN -* Detonate File - JoeSecurity ### Integrations This playbook does not use any integrations. 
@@ -29,171 +30,167 @@ This playbook does not use any commands. ## Playbook Inputs --- -| **Name** | **Description** | **Default Value** | **Source** | **Required** | -| --- | --- | --- | --- | --- | -| EntryID | The entry ID of the file to be detonated. | EntryID | File | Optional | -| File | The file object of the file to be detonated. | None | File | Optional | +| **Name** | **Description** | **Default Value** | **Required** | +| --- | --- | --- | --- | +| EntryID | Entry ID of file to be detonated | File.EntryID | Optional | +| File | File object of file to be detonated | File.None | Optional | ## Playbook Outputs --- | **Path** | **Description** | **Type** | | --- | --- | --- | -| Joe.Analysis.Status | The analysis status. | string | -| Joe.Analysis.WebID | The web ID. | string | -| File.Name | The filename (only in case of report type=json). | string | -| File.SHA1 | The SHA1 hash of the file. | string | -| File.SHA256 | The SHA256 hash of the file. | string | -| File.Size | The file size (only in case of report type=json). | number | -| File.Type | The file type. For example, "PE" (only in case of report type=json). | string | -| File.Malicious | The malicious file's description. | unknown | -| File.Malicious.Description | The reason for the vendor to make the decision that the file is malicious. | string | -| File.Malicious.Vendor | The vendor that made the decision that the file is malicious. | string | -| DBotScore | The indicator's object. | unknown | -| DBotScore.Indicator | The indicator we tested. | string | -| DBotScore.Score | The actual score. | number | -| DBotScore.Type | The type of the indicator. | string | -| DBotScore.Vendor | The vendor used to calculate the score. | string | -| IP.Address | The IP addresses's relevant to the sample. | string | -| DBotScore.Malicious.Vendor | The vendor used to calculate the score. | string | -| DBotScore.Malicious.Detections | The sub analysis detection statuses. 
| string | -| DBotScore.Malicious.SHA1 | The SHA1 hash of the file. | string | -| Sample.State | The sample state. | unknown | -| Sample.ID | The sample ID. | unknown | -| File | The file's object. | unknown | -| File.MD5 | The MD5 hash of the file. | string | -| Joe.Analysis.SampleName | The sample data. Can be, a file name or a URL. | string | -| Joe.Analysis.Comments | The analysis comments. | string | -| Joe.Analysis.Time | The submitted time. | date | -| Joe.Analysis.Runs | The sub-analysis information. | unknown | -| Joe.Analysis.Result | The analysis results. | string | -| Joe.Analysis.Errors | The errors raised during sampling. | unknown | -| Joe.Analysis.Systems | The analysis OS. | unknown | -| Joe.Analysis.MD5 | The MD5 hash of the analysis sample. | string | -| Joe.Analysis.SHA1 | The SHA1 hash of the analysis sample. | string | -| Joe.Analysis.SHA256 | The SHA256 hash of the analysis sample. | string | -| InfoFile.Name | The filename of the report file. | string | -| InfoFile.EntryID | The EntryID of the report file. | string | -| InfoFile.Size | The file size. | number | -| InfoFile.Type | The file type. For example, "PE". | string | -| InfoFile.Info | The basic information of the file. | string | -| File.Extension | The file extension. | string | -| InfoFile | The report file's object. | unknown | -| WildFire.Report | The submission object. | unknown | -| WildFire.Report.Status | The status of the submission. | string | -| WildFire.Report.SHA256 | The SHA256 hash of the submission. | string | -| WildFire.Report.MD5 | The MD5 hash of the submission. | string | -| WildFire.Report.FileType | The type of the submission. | string | -| WildFire.Report.Size | The size of the submission. | number | -| Joe.Analysis | The analysis object. | unknown | -| Cuckoo.Task.Category | The category of the task. | unknown | -| Cuckoo.Task.Machine | The machine of the task. | unknown | -| Cuckoo.Task.Errors | The errors of the task. 
| unknown | -| Cuckoo.Task.Target | The target of the task. | unknown | -| Cuckoo.Task.Package | The package of the task. | unknown | -| Cuckoo.Task.SampleID | The sample ID of the task. | unknown | -| Cuckoo.Task.Guest | The task guest. | unknown | -| Cuckoo.Task.Custom | The custom values of the task. | unknown | -| Cuckoo.Task.Owner | The task owner. | unknown | -| Cuckoo.Task.Priority | The priority of the task. | unknown | -| Cuckoo.Task.Platform | The platform of the task. | unknown | -| Cuckoo.Task.Options | The task options. | unknown | -| Cuckoo.Task.Status | The task status. | unknown | -| Cuckoo.Task.EnforceTimeout | Whether the timeout of the task is enforced. | unknown | -| Cuckoo.Task.Timeout | The task timeout. | unknown | -| Cuckoo.Task.Memory | The task memory. | unknown | -| Cuckoo.Task.Tags | The task tags. | unknown | -| Cuckoo.Task.ID | The ID of the task. | unknown | -| Cuckoo.Task.AddedOn | The date the task was added. | unknown | -| Cuckoo.Task.CompletedOn | The date the task was completed. | unknown | -| Cuckoo.Task.Score | The reported score of the the task. | unknown | -| Cuckoo.Task.Monitor |The monitor of the reported task. | unknown | -| SNDBOX.Analysis.ID | The analysis ID. | string | -| SNDBOX.Analysis.SampleName | The sample data. Can be, "file name" or "URL". | string | -| SNDBOX.Analysis.Status | The analysis status. | string | -| SNDBOX.Analysis.Time | The time it was submitted. | date | -| SNDBOX.Analysis.Result | The analysis results. | string | -| SNDBOX.Analysis.Errors | The errors raised during sampling. | unknown | -| SNDBOX.Analysis.Link | The analysis link. | string | -| SNDBOX.Analysis.MD5 | The MD5 hash of the analysis sample. | string | -| SNDBOX.Analysis.SHA1 | The SHA1 hash of the analysis sample. | string | -| SNDBOX.Analysis.SHA256 | The SHA256 hash of the analysis sample. | string | -| SNDBOX.Analysis | The `SNDBOX` analysis. | unknown | -| HybridAnalysis.Submit.State | The state of the process. 
| string | -| HybridAnalysis.Submit.SHA256 | The submission SHA256 hash. | string | -| HybridAnalysis.Submit.JobID | The JobID of the submission. | string | -| HybridAnalysis.Submit.EnvironmentID | The environmentID of the submission. | string | -| HybridAnalysis.Submit | The HybridAnalysis object. | unknown | -| ANYRUN.Task.AnalysisDate | The date and time the analysis was executed. | String | -| ANYRUN.Task.Behavior.Category | The category of a process behavior. | String | -| ANYRUN.Task.Behavior.Action | The actions performed by a process. | String | -| ANYRUN.Task.Behavior.ThreatLevel | The threat score associated with a process behavior. | Number | -| ANYRUN.Task.Behavior.ProcessUUID | The unique ID of the process whose behaviors are being profiled. | String | -| ANYRUN.Task.Connection.Reputation | The connection reputation. | String | -| ANYRUN.Task.Connection.ProcessUUID | The ID of the process that created the connection. | String | -| ANYRUN.Task.Connection.ASN | The connection autonomous system network. | String | -| ANYRUN.Task.Connection.Country | The connection country. | String | -| ANYRUN.Task.Connection.Protocol | The connection protocol. | String | -| ANYRUN.Task.Connection.Port | The connection port number. | Number | -| ANYRUN.Task.Connection.IP | The connection IP address number. | String | -| ANYRUN.Task.DnsRequest.Reputation | The reputation of the DNS request. | String | -| ANYRUN.Task.DnsRequest.IP | The IP addresses associated with a DNS request. | Unknown | -| ANYRUN.Task.DnsRequest.Domain | The domain resolution of a DNS request. | String | -| ANYRUN.Task.Threat.ProcessUUID | The unique process ID from where the threat originated. | String | -| ANYRUN.Task.Threat.Msg | The threat message. | String | -| ANYRUN.Task.Threat.Class | The class of the threat. | String | -| ANYRUN.Task.Threat.SrcPort | The port on which the threat originated. | Number | -| ANYRUN.Task.Threat.DstPort | The destination port of the threat. 
| Number | -| ANYRUN.Task.Threat.SrcIP | The source IP address where the threat originated. | String | -| ANYRUN.Task.Threat.DstIP | The destination IP address of the threat. | String | -| ANYRUN.Task.HttpRequest.Reputation | The reputation of the HTTP request. | String | -| ANYRUN.Task.HttpRequest.Country | The HTTP request country. | String | -| ANYRUN.Task.HttpRequest.ProcessUUID | The ID of the process making the HTTP request. | String | -| ANYRUN.Task.HttpRequest.Body | The HTTP request body parameters and details. | Unknown | -| ANYRUN.Task.HttpRequest.HttpCode | The HTTP request response code. | Number | -| ANYRUN.Task.HttpRequest.Status | The status of the HTTP request. | String | +| Joe.Analysis.Status | Analysis Status | string | +| Joe.Analysis.WebID | Web ID | string | +| File.Name | Filename \(only in case of report type=json\) | string | +| File.SHA1 | SHA1 of the file | string | +| File.SHA256 | SHA256 of the file | string | +| File.Size | File size \(only in case of report type=json\) | number | +| File.Type | File type e.g. 
"PE" \(only in case of report type=json\) | string | +| File.Malicious | The File malicious description | unknown | +| File.Malicious.Description | For malicious files, the reason for the vendor to make the decision | string | +| File.Malicious.Vendor | For malicious files, the vendor that made the decision | string | +| DBotScore | The Indicator's object | unknown | +| DBotScore.Indicator | The indicator that was tested | string | +| DBotScore.Score | The actual score | number | +| DBotScore.Type | The type of the indicator | string | +| DBotScore.Vendor | Vendor used to calculate the score | string | +| IP.Address | IP's relevant to the sample | string | +| DBotScore.Malicious.Vendor | Vendor used to calculate the score | string | +| DBotScore.Malicious.Detections | The sub analysis detection statuses | string | +| DBotScore.Malicious.SHA1 | The SHA1 of the file | string | +| Sample.State | The sample state | unknown | +| Sample.ID | The sample ID | unknown | +| File | The File's object | unknown | +| File.MD5 | MD5 of the file | string | +| Joe.Analysis.SampleName | Sample Data, could be a file name or URL | string | +| Joe.Analysis.Comments | Analysis Comments | string | +| Joe.Analysis.Time | Submitted Time | date | +| Joe.Analysis.Runs | Sub\-Analysis Information | unknown | +| Joe.Analysis.Result | Analysis Results | string | +| Joe.Analysis.Errors | Raised errors during sampling | unknown | +| Joe.Analysis.Systems | Analysis OS | unknown | +| Joe.Analysis.MD5 | MD5 of analysis sample | string | +| Joe.Analysis.SHA1 | SHA1 of analysis sample | string | +| Joe.Analysis.SHA256 | SHA256 of analysis sample | string | +| InfoFile.Name | FileName of the report file | string | +| InfoFile.EntryID | The EntryID of the report file | string | +| InfoFile.Size | File Size | number | +| InfoFile.Type | File type e.g. 
"PE" | string | +| InfoFile.Info | Basic information of the file | string | +| File.Extension | File Extension | string | +| InfoFile | The report file's object | unknown | +| WildFire.Report | The submission object | unknown | +| WildFire.Report.Status | The status of the submission | string | +| WildFire.Report.SHA256 | SHA256 of the submission | string | +| WildFire.Report.MD5 | MD5 of the submission | string | +| WildFire.Report.FileType | The type of the submission | string | +| WildFire.Report.Size | The size of the submission | number | +| Joe.Analysis | Thee Analysis object | unknown | +| Cuckoo.Task.Category | Category of task | unknown | +| Cuckoo.Task.Machine | Machine of task | unknown | +| Cuckoo.Task.Errors | Errors of task | unknown | +| Cuckoo.Task.Target | Target of task | unknown | +| Cuckoo.Task.Package | Package of task | unknown | +| Cuckoo.Task.SampleID | Sample ID of task | unknown | +| Cuckoo.Task.Guest | Task guest | unknown | +| Cuckoo.Task.Custom | Custom values of task | unknown | +| Cuckoo.Task.Owner | Task owner | unknown | +| Cuckoo.Task.Priority | Priority of task | unknown | +| Cuckoo.Task.Platform | Platform of task | unknown | +| Cuckoo.Task.Options | Task options | unknown | +| Cuckoo.Task.Status | Task status | unknown | +| Cuckoo.Task.EnforceTimeout | Is timeout of task enforced | unknown | +| Cuckoo.Task.Timeout | Task timeout | unknown | +| Cuckoo.Task.Memory | Task memory | unknown | +| Cuckoo.Task.Tags | Task tags | unknown | +| Cuckoo.Task.ID | ID of task | unknown | +| Cuckoo.Task.AddedOn | Date on which the task was added | unknown | +| Cuckoo.Task.CompletedOn | Date on which the task was completed | unknown | +| Cuckoo.Task.Score | Reported score of the the task | unknown | +| Cuckoo.Task.Monitor | Monitor of the reported task | unknown | +| SNDBOX.Analysis.ID | Analysis ID | string | +| SNDBOX.Analysis.SampleName | Sample Data, could be a file name or URL | string | +| SNDBOX.Analysis.Status | Analysis Status | string 
| +| SNDBOX.Analysis.Time | Submitted Time | date | +| SNDBOX.Analysis.Result | Analysis Results | string | +| SNDBOX.Analysis.Errors | Raised errors during sampling | unknown | +| SNDBOX.Analysis.Link | Analysis Link | string | +| SNDBOX.Analysis.MD5 | MD5 of analysis sample | string | +| SNDBOX.Analysis.SHA1 | SHA1 of analysis sample | string | +| SNDBOX.Analysis.SHA256 | SHA256 of analysis sample | string | +| SNDBOX.Analysis | SNDBOX analysis | unknown | +| HybridAnalysis.Submit.State | The state of the process | string | +| HybridAnalysis.Submit.SHA256 | The submission SHA256 | string | +| HybridAnalysis.Submit.JobID | The JobID of the submission | string | +| HybridAnalysis.Submit.EnvironmentID | The environmentID of the submission | string | +| HybridAnalysis.Submit | The HybridAnalysis object | unknown | +| ANYRUN.Task.AnalysisDate | Date and time the analysis was executed. | String | +| ANYRUN.Task.Behavior.Category | Category of a process behavior. | String | +| ANYRUN.Task.Behavior.Action | Actions performed by a process. | String | +| ANYRUN.Task.Behavior.ThreatLevel | Threat score associated with a process behavior. | Number | +| ANYRUN.Task.Behavior.ProcessUUID | Unique ID of the process whose behaviors are being profiled. | String | +| ANYRUN.Task.Connection.Reputation | Connection reputation. | String | +| ANYRUN.Task.Connection.ProcessUUID | ID of the process that created the connection. | String | +| ANYRUN.Task.Connection.ASN | Connection autonomous system network. | String | +| ANYRUN.Task.Connection.Country | Connection country. | String | +| ANYRUN.Task.Connection.Protocol | Connection protocol. | String | +| ANYRUN.Task.Connection.Port | Connection port number. | Number | +| ANYRUN.Task.Connection.IP | Connection IP number. | String | +| ANYRUN.Task.DnsRequest.Reputation | Reputation of the DNS request. | String | +| ANYRUN.Task.DnsRequest.IP | IP addresses associated with a DNS request. 
| Unknown | +| ANYRUN.Task.DnsRequest.Domain | Domain resolution of a DNS request. | String | +| ANYRUN.Task.Threat.ProcessUUID | Unique process ID from where the threat originated. | String | +| ANYRUN.Task.Threat.Msg | Threat message. | String | +| ANYRUN.Task.Threat.Class | Class of the threat. | String | +| ANYRUN.Task.Threat.SrcPort | Port on which the threat originated. | Number | +| ANYRUN.Task.Threat.DstPort | Destination port of the threat. | Number | +| ANYRUN.Task.Threat.SrcIP | Source IP address where the threat originated. | String | +| ANYRUN.Task.Threat.DstIP | Destination IP address of the threat. | String | +| ANYRUN.Task.HttpRequest.Reputation | Reputation of the HTTP request. | String | +| ANYRUN.Task.HttpRequest.Country | HTTP request country. | String | +| ANYRUN.Task.HttpRequest.ProcessUUID | ID of the process making the HTTP request. | String | +| ANYRUN.Task.HttpRequest.Body | HTTP request body parameters and details. | Unknown | +| ANYRUN.Task.HttpRequest.HttpCode | HTTP request response code. | Number | +| ANYRUN.Task.HttpRequest.Status | Status of the HTTP request. | String | | ANYRUN.Task.HttpRequest.ProxyDetected | Whether the HTTP request was made through a proxy. | Boolean | -| ANYRUN.Task.HttpRequest.Port | The HTTP request port. | Number | -| ANYRUN.Task.HttpRequest.IP | The HTTP request IP address. | String | -| ANYRUN.Task.HttpRequest.URL | The HTTP request URL. | String | -| ANYRUN.Task.HttpRequest.Host | The HTTP request host. | String | -| ANYRUN.Task.HttpRequest.Method | The HTTP request method type. | String | -| ANYRUN.Task.FileInfo | The details of the submitted file. | String | -| ANYRUN.Task.OS | The OS of the sandbox in which the file was analyzed. | String | +| ANYRUN.Task.HttpRequest.Port | HTTP request port. | Number | +| ANYRUN.Task.HttpRequest.IP | HTTP request IP address. | String | +| ANYRUN.Task.HttpRequest.URL | HTTP request URL. | String | +| ANYRUN.Task.HttpRequest.Host | HTTP request host. 
| String | +| ANYRUN.Task.HttpRequest.Method | HTTP request method type. | String | +| ANYRUN.Task.FileInfo | Details of the submitted file. | String | +| ANYRUN.Task.OS | OS of the sandbox in which the file was analyzed. | String | | ANYRUN.Task.ID | The unique ID of the task. | String | | ANYRUN.Task.MIME | The MIME of the file submitted for analysis. | String | | ANYRUN.Task.MD5 | The MD5 hash of the file submitted for analysis. | String | | ANYRUN.Task.SHA1 | The SHA1 hash of the file submitted for analysis. | String | | ANYRUN.Task.SHA256 | The SHA256 hash of the file submitted for analysis. | String | -| ANYRUN.Task.SSDeep | The SSDeep hash of the file submitted for analysis. | String | -| ANYRUN.Task.Verdict | The `ANY.RUN` verdict for the maliciousness of the submitted file or URL. | String | -| ANYRUN.Task.Process.FileName | The file name of the process. | String | -| ANYRUN.Task.Process.PID | The process identification number. | Number | -| ANYRUN.Task.Process.PPID | The parent process identification number. | Number | -| ANYRUN.Task.Process.ProcessUUID | The unique process ID (used by `ANY.RUN`). | String | -| ANYRUN.Task.Process.CMD | The process command. | String | -| ANYRUN.Task.Process.Path | The path of the executed command. | String | -| ANYRUN.Task.Process.User | The user who executed the command. | String | +| ANYRUN.Task.SSDeep | SSDeep hash of the file submitted for analysis. | String | +| ANYRUN.Task.Verdict | ANY.RUN verdict for the maliciousness of the submitted file or URL. | String | +| ANYRUN.Task.Process.FileName | File name of the process. | String | +| ANYRUN.Task.Process.PID | Process identification number. | Number | +| ANYRUN.Task.Process.PPID | Parent process identification number. | Number | +| ANYRUN.Task.Process.ProcessUUID | Unique process ID \(used by ANY.RUN\). | String | +| ANYRUN.Task.Process.CMD | Process command. | String | +| ANYRUN.Task.Process.Path | Path of the executed command. 
| String | +| ANYRUN.Task.Process.User | User who executed the command. | String | | ANYRUN.Task.Process.IntegrityLevel | The process integrity level. | String | -| ANYRUN.Task.Process.ExitCode | The process exit code. | Number | +| ANYRUN.Task.Process.ExitCode | Process exit code. | Number | | ANYRUN.Task.Process.MainProcess | Whether the process is the main process. | Boolean | -| ANYRUN.Task.Process.Version.Company | The company responsible for the program executed. | String | -| ANYRUN.Task.Process.Version.Description | The description of the type of program. | String | -| ANYRUN.Task.Process.Version.Version | The version of the program executed. | String | -| DBotScore.Indicator | The indicator that was tested. | String | -| DBotScore.Score | The actual score. | Number | -| DBotScore.Type | Type of indicator. | String | -| DBotScore.Vendor | The vendor used to calculate the score. | String | -| File.Extension | The extension of the file submitted for analysis. | String | +| ANYRUN.Task.Process.Version.Company | Company responsible for the program executed. | String | +| ANYRUN.Task.Process.Version.Description | Description of the type of program. | String | +| ANYRUN.Task.Process.Version.Version | Version of the program executed. | String | +| File.Extension | Extension of the file submitted for analysis. | String | | File.Name | The name of the file submitted for analysis. | String | -| File.MD5 | The MD5 hash of the file submitted for analysis. | String | -| File.SHA1 | The SHA1 hash of the file submitted for analysis. | String | -| File.SHA256 | The SHA256 hash of the file submitted for analysis. | String | -| File.SSDeep | The SSDeep hash of the file submitted for analysis. | String | -| File.Malicious.Vendor | The vendor that made the decision that the file is malicious. | String | -| File.Malicious.Description | The reason that the vendor made the decision tha the file is malicious. | String | -| ANYRUN.Task.Status | The task analysis status. 
| String | +| File.MD5 | MD5 hash of the file submitted for analysis. | String | +| File.SHA1 | SHA1 hash of the file submitted for analysis. | String | +| File.SHA256 | SHA256 hash of the file submitted for analysis. | String | +| File.SSDeep | SSDeep hash of the file submitted for analysis. | String | +| File.Malicious.Vendor | For malicious files, the vendor that made the decision. | String | +| File.Malicious.Description | For malicious files, the reason that the vendor made the decision. | String | +| ANYRUN.Task.Status | Task analysis status. | String | ## Playbook Image --- -![Detonate_File_Generic](https://raw.githubusercontent.com/demisto/content/1bdd5229392bd86f0cc58265a24df23ee3f7e662/docs/images/playbooks/Detonate_File_Generic.png) +![Detonate File - Generic](Insert the link to your image here) \ No newline at end of file diff --git a/Packs/CommonPlaybooks/Playbooks/playbook-Detonate_URL_-_Generic.yml b/Packs/CommonPlaybooks/Playbooks/playbook-Detonate_URL_-_Generic.yml index 995a8937d240..1e6dff17fa9e 100644 --- a/Packs/CommonPlaybooks/Playbooks/playbook-Detonate_URL_-_Generic.yml +++ b/Packs/CommonPlaybooks/Playbooks/playbook-Detonate_URL_-_Generic.yml 
@@ -1,663 +1,704 @@ -id: detonate_url_-_generic -version: -1 -name: Detonate URL - Generic -description: Detonate URL through active integrations that support URL detonation -starttaskid: "0" -tasks: - "0": - id: "0" - taskid: 6b297ce6-c5e2-4f24-8dcb-41070c90a3fb - type: start - task: - id: 6b297ce6-c5e2-4f24-8dcb-41070c90a3fb - version: -1 - name: "" - description: Playbook start point - iscommand: false - brand: "" - nexttasks: - '#none#': - - "11" - - "13" - - "12" - - "14" - - "15" - - "16" - - "17" - separatecontext: false - view: |- - { - "position": { - "x": 1340, - "y": 50 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - "3": - id: "3" - taskid: 1fc0bb86-45c3-41ae-878e-df4ef11c1962 - type: title - task: - id: 1fc0bb86-45c3-41ae-878e-df4ef11c1962 - version: -1 - name: Done - description: Done - type: title - iscommand: false - brand: "" - separatecontext: false - view: |- - { - "position": { - "x": 1340, - "y": 370 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - "11": - id: "11" - taskid: dafc8370-20e5-4a82-8bb7-d06bc0105799 - type: playbook - task: - id: dafc8370-20e5-4a82-8bb7-d06bc0105799 - version: -1 - name: Detonate URL - ThreatGrid - description: Detonate one or more URLs using the Threat Grid integration. This - playbook returns relevant reports to the War Room and URL reputations to the - context data. 
- playbookName: Detonate URL - ThreatGrid - type: playbook - iscommand: false - brand: "" - nexttasks: - '#none#': - - "3" - separatecontext: true - loop: - iscommand: false - exitCondition: "" - wait: 1 - max: 0 - view: |- - { - "position": { - "x": 50, - "y": 195 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: true - quietmode: 0 - "12": - id: "12" - taskid: 0fa1d1eb-6f40-4f31-8a6b-ba7e9fd57fc6 - type: playbook - task: - id: 0fa1d1eb-6f40-4f31-8a6b-ba7e9fd57fc6 - version: -1 - name: Detonate URL - McAfee ATD - description: Detonates a URL using the McAfee Advanced Threat Defense sandbox - integration. - playbookName: Detonate URL - McAfee ATD - type: playbook - iscommand: false - brand: "" - nexttasks: - '#none#': - - "3" - separatecontext: true - loop: - iscommand: false - exitCondition: "" - wait: 1 - max: 0 - view: |- - { - "position": { - "x": 480, - "y": 195 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: true - quietmode: 0 - "13": - id: "13" - taskid: 89907712-1aa5-43fb-8728-d9773dd75f5f - type: playbook - task: - id: 89907712-1aa5-43fb-8728-d9773dd75f5f - version: -1 - name: Detonate URL - JoeSecurity - description: |- - Detonates one or more URLs using the Joe Security sandbox integration. - Returns relevant reports to the War Room and url reputations to the context data. 
- playbookName: Detonate URL - JoeSecurity - type: playbook - iscommand: false - brand: "" - nexttasks: - '#none#': - - "3" - separatecontext: true - loop: - iscommand: false - exitCondition: "" - wait: 1 - max: 0 - view: |- - { - "position": { - "x": 910, - "y": 195 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: true - quietmode: 0 - "14": - id: "14" - taskid: bf259681-c0d3-4b7f-8bd6-0ece1323359a - type: playbook - task: - id: bf259681-c0d3-4b7f-8bd6-0ece1323359a - version: -1 - name: Detonate URL - CrowdStrike - description: Detonate one or more files using the Wildfire integration. This - playbook returns relevant reports to the War Room and file reputations to - the context data. - playbookName: Detonate URL - CrowdStrike - type: playbook - iscommand: false - brand: "" - nexttasks: - '#none#': - - "3" - separatecontext: true - loop: - iscommand: false - exitCondition: "" - wait: 1 - max: 0 - view: |- - { - "position": { - "x": 1340, - "y": 195 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: true - quietmode: 0 - "15": - id: "15" - taskid: 2ae02fff-51ea-4dad-894f-22d5612dece0 - type: playbook - task: - id: 2ae02fff-51ea-4dad-894f-22d5612dece0 - version: -1 - name: Detonate URL - Lastline v2 - description: Detonates a URL using the Lastline sandbox integration. 
- playbookName: Detonate URL - Lastline v2 - type: playbook - iscommand: false - brand: "" - nexttasks: - '#none#': - - "3" - separatecontext: true - loop: - iscommand: false - exitCondition: "" - wait: 1 - max: 0 - view: |- - { - "position": { - "x": 1770, - "y": 195 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: true - quietmode: 0 - "16": - id: "16" - taskid: 5d7f87a9-26e8-4bc9-824c-4ebbf69f6956 - type: playbook - task: - id: 5d7f87a9-26e8-4bc9-824c-4ebbf69f6956 - version: -1 - name: Detonate URL - Cuckoo - description: Detonates a file using Cuckoo sandbox - playbookName: Detonate URL - Cuckoo - type: playbook - iscommand: false - brand: "" - nexttasks: - '#none#': - - "3" - separatecontext: true - loop: - iscommand: false - exitCondition: "" - wait: 1 - max: 0 - view: |- - { - "position": { - "x": 2200, - "y": 195 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: true - quietmode: 0 - "17": - id: "17" - taskid: 0890fbf7-9411-4a55-83de-96ce4d71210f - type: playbook - task: - id: 0890fbf7-9411-4a55-83de-96ce4d71210f - version: -1 - name: Detonate URL - ANYRUN - description: Detonates a URL using ANYRUN sandbox - playbookName: Detonate URL - ANYRUN - type: playbook - iscommand: false - brand: "" - nexttasks: - '#none#': - - "3" - separatecontext: true - loop: - iscommand: false - exitCondition: "" - wait: 1 - max: 100 - view: |- - { - "position": { - "x": 2630, - "y": 195 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: true - quietmode: 0 -system: true -view: |- - { - "linkLabelsPosition": {}, - "paper": { - "dimensions": { - "height": 385, - "width": 2960, - "x": 50, - "y": 50 - } - } - } -inputs: -- key: URL - value: - complex: - root: URL - required: false - description: URL object of url to be detonated. 
- playbookInputQuery: -outputs: -- contextPath: File - description: The File's object - type: unknown -- contextPath: File.Name - description: Filename - type: string -- contextPath: File.Size - description: File size - type: number -- contextPath: File.Type - description: File type e.g. "PE" (only in case of report type=json) - type: string -- contextPath: File.SHA256 - description: SHA256 of the file - type: string -- contextPath: File.SHA1 - description: SHA1 of the file - type: string -- contextPath: File.MD5 - description: MD5 of the file - type: string -- contextPath: File.Malicious.Vendor - description: For malicious files, the vendor that made the decision - type: string -- contextPath: File.Malicious.Description - description: For malicious files, the reason for the vendor to make the decision - type: string -- contextPath: DBotScore - description: The Indicator's object - type: unknown -- contextPath: DBotScore.Type - description: The type of the indicator - type: string -- contextPath: DBotScore.Indicator - description: The indicator we tested - type: string -- contextPath: DBotScore.Vendor - description: Vendor used to calculate the score - type: string -- contextPath: DBotScore.Score - description: The actual score - type: number -- contextPath: Joe.Analysis.WebID - description: Web ID - type: string -- contextPath: Joe.Analysis.Status - description: Analysis Status - type: string -- contextPath: Joe.Analysis.Comments - description: Analysis Comments - type: string -- contextPath: Joe.Analysis.Time - description: Submitted Time - type: date -- contextPath: Joe.Analysis.Runs - description: Sub-Analysis Information - type: unknown -- contextPath: Joe.Analysis.Result - description: Analysis Results - type: string -- contextPath: Joe.Analysis.Errors - description: Raised errors during sampling - type: unknown -- contextPath: Joe.Analysis.Systems - description: Analysis OS - type: unknown -- contextPath: Joe.Analysis.MD5 - description: MD5 of analysis 
sample - type: string -- contextPath: Joe.Analysis.SHA1 - description: SHA1 of analysis sample - type: string -- contextPath: Joe.Analysis.SHA256 - description: SHA256 of analysis sample - type: string -- contextPath: Joe.Analysis.SampleName - description: Sample Data, could be a file name or URL - type: string -- contextPath: InfoFile.Name - description: FileName - type: string -- contextPath: InfoFile.EntryID - description: The EntryID of the sample - type: string -- contextPath: InfoFile.Size - description: File Size - type: number -- contextPath: InfoFile.Type - description: File type e.g. "PE" - type: string -- contextPath: InfoFile.Info - description: Basic information of the file - type: string -- contextPath: Sample.State - description: The sample state - type: string -- contextPath: Sample.ID - description: The sample ID - type: string -- contextPath: IP.Address - description: IP's relevant to the sample - type: string -- contextPath: InfoFile - description: The report file's object - type: unknown -- contextPath: Cuckoo.Task.Category - description: Category of task -- contextPath: Cuckoo.Task.Machine - description: Machine of task -- contextPath: Cuckoo.Task.Errors - description: Errors of task -- contextPath: Cuckoo.Task.Target - description: Target of task -- contextPath: Cuckoo.Task.Package - description: Package of task -- contextPath: Cuckoo.Task.SampleID - description: Sample ID of task -- contextPath: Cuckoo.Task.Guest - description: Task guest -- contextPath: Cuckoo.Task.Custom - description: Custom values of task -- contextPath: Cuckoo.Task.Owner - description: Task owner -- contextPath: Cuckoo.Task.Priority - description: Priority of task -- contextPath: Cuckoo.Task.Platform - description: Platform of task -- contextPath: Cuckoo.Task.Options - description: Task options -- contextPath: Cuckoo.Task.Status - description: Task status -- contextPath: Cuckoo.Task.EnforceTimeout - description: Is timeout of task enforced -- contextPath: 
Cuckoo.Task.Timeout - description: Task timeout -- contextPath: Cuckoo.Task.Memory - description: Task memory -- contextPath: Cuckoo.Task.Tags - description: Task tags -- contextPath: Cuckoo.Task.ID - description: ID of task -- contextPath: Cuckoo.Task.AddedOn - description: Date on which the task was added -- contextPath: Cuckoo.Task.CompletedOn - description: Date on which the task was completed -- contextPath: Cuckoo.Task.Score - description: Reported score of the the task -- contextPath: Cuckoo.Task.Monitor - description: Monitor of the reported task -- contextPath: ANYRUN.Task.AnalysisDate - description: Date and time the analysis was executed. - type: String -- contextPath: ANYRUN.Task.Behavior.Category - description: Category of a process behavior. - type: String -- contextPath: ANYRUN.Task.Behavior.Action - description: Actions performed by a process. - type: String -- contextPath: ANYRUN.Task.Behavior.ThreatLevel - description: Threat score associated with a process behavior. - type: Number -- contextPath: ANYRUN.Task.Behavior.ProcessUUID - description: Unique ID of the process whose behaviors are being profiled. - type: String -- contextPath: ANYRUN.Task.Connection.Reputation - description: Connection reputation. - type: String -- contextPath: ANYRUN.Task.Connection.ProcessUUID - description: ID of the process that created the connection. - type: String -- contextPath: ANYRUN.Task.Connection.ASN - description: Connection autonomous system network. - type: String -- contextPath: ANYRUN.Task.Connection.Country - description: Connection country. - type: String -- contextPath: ANYRUN.Task.Connection.Protocol - description: Connection protocol. - type: String -- contextPath: ANYRUN.Task.Connection.Port - description: Connection port number. - type: Number -- contextPath: ANYRUN.Task.Connection.IP - description: Connection IP number. - type: String -- contextPath: ANYRUN.Task.DnsRequest.Reputation - description: Reputation of the DNS request. 
- type: String -- contextPath: ANYRUN.Task.DnsRequest.IP - description: IP addresses associated with a DNS request. - type: Unknown -- contextPath: ANYRUN.Task.DnsRequest.Domain - description: Domain resolution of a DNS request. - type: String -- contextPath: ANYRUN.Task.Threat.ProcessUUID - description: Unique process ID from where the threat originated. - type: String -- contextPath: ANYRUN.Task.Threat.Msg - description: Threat message. - type: String -- contextPath: ANYRUN.Task.Threat.Class - description: Class of the threat. - type: String -- contextPath: ANYRUN.Task.Threat.SrcPort - description: Port on which the threat originated. - type: Number -- contextPath: ANYRUN.Task.Threat.DstPort - description: Destination port of the threat. - type: Number -- contextPath: ANYRUN.Task.Threat.SrcIP - description: Source IP address where the threat originated. - type: String -- contextPath: ANYRUN.Task.Threat.DstIP - description: Destination IP address of the threat. - type: String -- contextPath: ANYRUN.Task.HttpRequest.Reputation - description: Reputation of the HTTP request. - type: String -- contextPath: ANYRUN.Task.HttpRequest.Country - description: HTTP request country. - type: String -- contextPath: ANYRUN.Task.HttpRequest.ProcessUUID - description: ID of the process making the HTTP request. - type: String -- contextPath: ANYRUN.Task.HttpRequest.Body - description: HTTP request body parameters and details. - type: Unknown -- contextPath: ANYRUN.Task.HttpRequest.HttpCode - description: HTTP request response code. - type: Number -- contextPath: ANYRUN.Task.HttpRequest.Status - description: Status of the HTTP request. - type: String -- contextPath: ANYRUN.Task.HttpRequest.ProxyDetected - description: Whether the HTTP request was made through a proxy. - type: Boolean -- contextPath: ANYRUN.Task.HttpRequest.Port - description: HTTP request port. - type: Number -- contextPath: ANYRUN.Task.HttpRequest.IP - description: HTTP request IP address. 
- type: String -- contextPath: ANYRUN.Task.HttpRequest.URL - description: HTTP request URL. - type: String -- contextPath: ANYRUN.Task.HttpRequest.Host - description: HTTP request host. - type: String -- contextPath: ANYRUN.Task.HttpRequest.Method - description: HTTP request method type. - type: String -- contextPath: ANYRUN.Task.FileInfo - description: Details of the submitted file. - type: String -- contextPath: ANYRUN.Task.OS - description: OS of the sandbox in which the file was analyzed. - type: String -- contextPath: ANYRUN.Task.ID - description: The unique ID of the task. - type: String -- contextPath: ANYRUN.Task.MIME - description: The MIME of the file submitted for analysis. - type: String -- contextPath: ANYRUN.Task.Verdict - description: ANY.RUN verdict for the maliciousness of the submitted file or URL. - type: String -- contextPath: ANYRUN.Task.Process.FileName - description: File name of the process. - type: String -- contextPath: ANYRUN.Task.Process.PID - description: Process identification number. - type: Number -- contextPath: ANYRUN.Task.Process.PPID - description: Parent process identification number. - type: Number -- contextPath: ANYRUN.Task.Process.ProcessUUID - description: Unique process ID (used by ANY.RUN). - type: String -- contextPath: ANYRUN.Task.Process.CMD - description: Process command. - type: String -- contextPath: ANYRUN.Task.Process.Path - description: Path of the executed command. - type: String -- contextPath: ANYRUN.Task.Process.User - description: User who executed the command. - type: String -- contextPath: ANYRUN.Task.Process.IntegrityLevel - description: The process integrity level. - type: String -- contextPath: ANYRUN.Task.Process.ExitCode - description: Process exit code. - type: Number -- contextPath: ANYRUN.Task.Process.MainProcess - description: Whether the process is the main process. - type: Boolean -- contextPath: ANYRUN.Task.Process.Version.Company - description: Company responsible for the program executed. 
- type: String -- contextPath: ANYRUN.Task.Process.Version.Description - description: Description of the type of program. - type: String -- contextPath: ANYRUN.Task.Process.Version.Version - description: Version of the program executed. - type: String -- contextPath: DBotScore.Indicator - description: The indicator that was tested. - type: String -- contextPath: DBotScore.Score - description: The actual score. - type: Number -- contextPath: DBotScore.Type - description: Type of indicator. - type: String -- contextPath: DBotScore.Vendor - description: Vendor used to calculate the score. - type: String -- contextPath: URL.Data - description: URL data. - type: String -- contextPath: URL.Malicious.Vendor - description: For malicious URLs, the vendor that made the decision. - type: String -- contextPath: URL.Malicious.Description - description: For malicious URLs, the reason for the vendor to make the decision. - type: String -- contextPath: ANYRUN.Task.Status - description: Task analysis status. 
- type: String -fromversion: 4.0.0 -tests: -- Detonate URL - Generic Test +id: detonate_url_-_generic +version: -1 +name: Detonate URL - Generic +description: Detonate URL through active integrations that support URL detonation +starttaskid: "0" +tasks: + "0": + id: "0" + taskid: 6b297ce6-c5e2-4f24-8dcb-41070c90a3fb + type: start + task: + id: 6b297ce6-c5e2-4f24-8dcb-41070c90a3fb + version: -1 + name: "" + description: Playbook start point + iscommand: false + brand: "" + nexttasks: + '#none#': + - "11" + - "13" + - "12" + - "14" + - "15" + - "16" + - "17" + - "18" + separatecontext: false + view: |- + { + "position": { + "x": 1340, + "y": 50 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + "3": + id: "3" + taskid: 1fc0bb86-45c3-41ae-878e-df4ef11c1962 + type: title + task: + id: 1fc0bb86-45c3-41ae-878e-df4ef11c1962 + version: -1 + name: Done + description: Done + type: title + iscommand: false + brand: "" + separatecontext: false + view: |- + { + "position": { + "x": 1340, + "y": 370 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + "11": + id: "11" + taskid: dafc8370-20e5-4a82-8bb7-d06bc0105799 + type: playbook + task: + id: dafc8370-20e5-4a82-8bb7-d06bc0105799 + version: -1 + name: Detonate URL - ThreatGrid + description: Detonate one or more URLs using the Threat Grid integration. This + playbook returns relevant reports to the War Room and URL reputations to the + context data. 
+ playbookName: Detonate URL - ThreatGrid + type: playbook + iscommand: false + brand: "" + nexttasks: + '#none#': + - "3" + separatecontext: true + loop: + iscommand: false + exitCondition: "" + wait: 1 + max: 0 + view: |- + { + "position": { + "x": 50, + "y": 195 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + "12": + id: "12" + taskid: 0fa1d1eb-6f40-4f31-8a6b-ba7e9fd57fc6 + type: playbook + task: + id: 0fa1d1eb-6f40-4f31-8a6b-ba7e9fd57fc6 + version: -1 + name: Detonate URL - McAfee ATD + description: Detonates a URL using the McAfee Advanced Threat Defense sandbox + integration. + playbookName: Detonate URL - McAfee ATD + type: playbook + iscommand: false + brand: "" + nexttasks: + '#none#': + - "3" + separatecontext: true + loop: + iscommand: false + exitCondition: "" + wait: 1 + max: 0 + view: |- + { + "position": { + "x": 480, + "y": 195 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + "13": + id: "13" + taskid: 89907712-1aa5-43fb-8728-d9773dd75f5f + type: playbook + task: + id: 89907712-1aa5-43fb-8728-d9773dd75f5f + version: -1 + name: Detonate URL - JoeSecurity + description: |- + Detonates one or more URLs using the Joe Security sandbox integration. + Returns relevant reports to the War Room and url reputations to the context data. 
+ playbookName: Detonate URL - JoeSecurity + type: playbook + iscommand: false + brand: "" + nexttasks: + '#none#': + - "3" + separatecontext: true + loop: + iscommand: false + exitCondition: "" + wait: 1 + max: 0 + view: |- + { + "position": { + "x": 910, + "y": 195 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + "14": + id: "14" + taskid: bf259681-c0d3-4b7f-8bd6-0ece1323359a + type: playbook + task: + id: bf259681-c0d3-4b7f-8bd6-0ece1323359a + version: -1 + name: Detonate URL - CrowdStrike + description: Detonate one or more files using the Wildfire integration. This + playbook returns relevant reports to the War Room and file reputations to + the context data. + playbookName: Detonate URL - CrowdStrike + type: playbook + iscommand: false + brand: "" + nexttasks: + '#none#': + - "3" + separatecontext: true + loop: + iscommand: false + exitCondition: "" + wait: 1 + max: 0 + view: |- + { + "position": { + "x": 1340, + "y": 195 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + "15": + id: "15" + taskid: 2ae02fff-51ea-4dad-894f-22d5612dece0 + type: playbook + task: + id: 2ae02fff-51ea-4dad-894f-22d5612dece0 + version: -1 + name: Detonate URL - Lastline v2 + description: Detonates a URL using the Lastline sandbox integration. 
+ playbookName: Detonate URL - Lastline v2 + type: playbook + iscommand: false + brand: "" + nexttasks: + '#none#': + - "3" + separatecontext: true + loop: + iscommand: false + exitCondition: "" + wait: 1 + max: 0 + view: |- + { + "position": { + "x": 1770, + "y": 195 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + "16": + id: "16" + taskid: 5d7f87a9-26e8-4bc9-824c-4ebbf69f6956 + type: playbook + task: + id: 5d7f87a9-26e8-4bc9-824c-4ebbf69f6956 + version: -1 + name: Detonate URL - Cuckoo + description: Detonates a file using Cuckoo sandbox + playbookName: Detonate URL - Cuckoo + type: playbook + iscommand: false + brand: "" + nexttasks: + '#none#': + - "3" + separatecontext: true + loop: + iscommand: false + exitCondition: "" + wait: 1 + max: 0 + view: |- + { + "position": { + "x": 2200, + "y": 195 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + "17": + id: "17" + taskid: 0890fbf7-9411-4a55-83de-96ce4d71210f + type: playbook + task: + id: 0890fbf7-9411-4a55-83de-96ce4d71210f + version: -1 + name: Detonate URL - ANYRUN + description: Detonates a URL using ANYRUN sandbox + playbookName: Detonate URL - ANYRUN + type: playbook + iscommand: false + brand: "" + nexttasks: + '#none#': + - "3" + separatecontext: true + loop: + iscommand: false + exitCondition: "" + wait: 1 + max: 100 + view: |- + { + "position": { + "x": 2630, + "y": 195 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + "18": + id: "18" + taskid: ddbaa888-9228-487f-8a48-a34b8f96bde6 + type: playbook + task: + id: ddbaa888-9228-487f-8a48-a34b8f96bde6 + version: -1 + name: Detonate URL - Group-IB TDS Polygon + playbookName: Detonate URL - Group-IB TDS Polygon + type: playbook + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "3" + scriptarguments: + Interval: + simple: "1" + Timeout: + simple: "60" + url: + simple: 
${URL.Data} + separatecontext: true + loop: + iscommand: false + exitCondition: "" + wait: 1 + max: 100 + view: |- + { + "position": { + "x": -390, + "y": 195 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 +view: |- + { + "linkLabelsPosition": {}, + "paper": { + "dimensions": { + "height": 385, + "width": 3400, + "x": -390, + "y": 50 + } + } + } +inputs: +- key: URL + value: + complex: + root: URL + required: false + description: URL object of url to be detonated. + playbookInputQuery: +outputs: +- contextPath: File + description: The File's object + type: unknown +- contextPath: File.Name + description: Filename + type: string +- contextPath: File.Size + description: File size + type: number +- contextPath: File.Type + description: File type e.g. "PE" (only in case of report type=json) + type: string +- contextPath: File.SHA256 + description: SHA256 of the file + type: string +- contextPath: File.SHA1 + description: SHA1 of the file + type: string +- contextPath: File.MD5 + description: MD5 of the file + type: string +- contextPath: File.Malicious.Vendor + description: For malicious files, the vendor that made the decision + type: string +- contextPath: File.Malicious.Description + description: For malicious files, the reason for the vendor to make the decision + type: string +- contextPath: DBotScore + description: The Indicator's object + type: unknown +- contextPath: DBotScore.Type + description: The type of the indicator + type: string +- contextPath: DBotScore.Indicator + description: The indicator we tested + type: string +- contextPath: DBotScore.Vendor + description: Vendor used to calculate the score + type: string +- contextPath: DBotScore.Score + description: The actual score + type: number +- contextPath: Joe.Analysis.WebID + description: Web ID + type: string +- contextPath: Joe.Analysis.Status + description: Analysis Status + type: string +- contextPath: Joe.Analysis.Comments + description: 
Analysis Comments + type: string +- contextPath: Joe.Analysis.Time + description: Submitted Time + type: date +- contextPath: Joe.Analysis.Runs + description: Sub-Analysis Information + type: unknown +- contextPath: Joe.Analysis.Result + description: Analysis Results + type: string +- contextPath: Joe.Analysis.Errors + description: Raised errors during sampling + type: unknown +- contextPath: Joe.Analysis.Systems + description: Analysis OS + type: unknown +- contextPath: Joe.Analysis.MD5 + description: MD5 of analysis sample + type: string +- contextPath: Joe.Analysis.SHA1 + description: SHA1 of analysis sample + type: string +- contextPath: Joe.Analysis.SHA256 + description: SHA256 of analysis sample + type: string +- contextPath: Joe.Analysis.SampleName + description: Sample Data, could be a file name or URL + type: string +- contextPath: InfoFile.Name + description: FileName + type: string +- contextPath: InfoFile.EntryID + description: The EntryID of the sample + type: string +- contextPath: InfoFile.Size + description: File Size + type: number +- contextPath: InfoFile.Type + description: File type e.g. 
"PE" + type: string +- contextPath: InfoFile.Info + description: Basic information of the file + type: string +- contextPath: Sample.State + description: The sample state + type: string +- contextPath: Sample.ID + description: The sample ID + type: string +- contextPath: IP.Address + description: IP's relevant to the sample + type: string +- contextPath: InfoFile + description: The report file's object + type: unknown +- contextPath: Cuckoo.Task.Category + description: Category of task +- contextPath: Cuckoo.Task.Machine + description: Machine of task +- contextPath: Cuckoo.Task.Errors + description: Errors of task +- contextPath: Cuckoo.Task.Target + description: Target of task +- contextPath: Cuckoo.Task.Package + description: Package of task +- contextPath: Cuckoo.Task.SampleID + description: Sample ID of task +- contextPath: Cuckoo.Task.Guest + description: Task guest +- contextPath: Cuckoo.Task.Custom + description: Custom values of task +- contextPath: Cuckoo.Task.Owner + description: Task owner +- contextPath: Cuckoo.Task.Priority + description: Priority of task +- contextPath: Cuckoo.Task.Platform + description: Platform of task +- contextPath: Cuckoo.Task.Options + description: Task options +- contextPath: Cuckoo.Task.Status + description: Task status +- contextPath: Cuckoo.Task.EnforceTimeout + description: Is timeout of task enforced +- contextPath: Cuckoo.Task.Timeout + description: Task timeout +- contextPath: Cuckoo.Task.Memory + description: Task memory +- contextPath: Cuckoo.Task.Tags + description: Task tags +- contextPath: Cuckoo.Task.ID + description: ID of task +- contextPath: Cuckoo.Task.AddedOn + description: Date on which the task was added +- contextPath: Cuckoo.Task.CompletedOn + description: Date on which the task was completed +- contextPath: Cuckoo.Task.Score + description: Reported score of the the task +- contextPath: Cuckoo.Task.Monitor + description: Monitor of the reported task +- contextPath: ANYRUN.Task.AnalysisDate + description: 
Date and time the analysis was executed. + type: String +- contextPath: ANYRUN.Task.Behavior.Category + description: Category of a process behavior. + type: String +- contextPath: ANYRUN.Task.Behavior.Action + description: Actions performed by a process. + type: String +- contextPath: ANYRUN.Task.Behavior.ThreatLevel + description: Threat score associated with a process behavior. + type: Number +- contextPath: ANYRUN.Task.Behavior.ProcessUUID + description: Unique ID of the process whose behaviors are being profiled. + type: String +- contextPath: ANYRUN.Task.Connection.Reputation + description: Connection reputation. + type: String +- contextPath: ANYRUN.Task.Connection.ProcessUUID + description: ID of the process that created the connection. + type: String +- contextPath: ANYRUN.Task.Connection.ASN + description: Connection autonomous system network. + type: String +- contextPath: ANYRUN.Task.Connection.Country + description: Connection country. + type: String +- contextPath: ANYRUN.Task.Connection.Protocol + description: Connection protocol. + type: String +- contextPath: ANYRUN.Task.Connection.Port + description: Connection port number. + type: Number +- contextPath: ANYRUN.Task.Connection.IP + description: Connection IP number. + type: String +- contextPath: ANYRUN.Task.DnsRequest.Reputation + description: Reputation of the DNS request. + type: String +- contextPath: ANYRUN.Task.DnsRequest.IP + description: IP addresses associated with a DNS request. + type: Unknown +- contextPath: ANYRUN.Task.DnsRequest.Domain + description: Domain resolution of a DNS request. + type: String +- contextPath: ANYRUN.Task.Threat.ProcessUUID + description: Unique process ID from where the threat originated. + type: String +- contextPath: ANYRUN.Task.Threat.Msg + description: Threat message. + type: String +- contextPath: ANYRUN.Task.Threat.Class + description: Class of the threat. 
+ type: String +- contextPath: ANYRUN.Task.Threat.SrcPort + description: Port on which the threat originated. + type: Number +- contextPath: ANYRUN.Task.Threat.DstPort + description: Destination port of the threat. + type: Number +- contextPath: ANYRUN.Task.Threat.SrcIP + description: Source IP address where the threat originated. + type: String +- contextPath: ANYRUN.Task.Threat.DstIP + description: Destination IP address of the threat. + type: String +- contextPath: ANYRUN.Task.HttpRequest.Reputation + description: Reputation of the HTTP request. + type: String +- contextPath: ANYRUN.Task.HttpRequest.Country + description: HTTP request country. + type: String +- contextPath: ANYRUN.Task.HttpRequest.ProcessUUID + description: ID of the process making the HTTP request. + type: String +- contextPath: ANYRUN.Task.HttpRequest.Body + description: HTTP request body parameters and details. + type: Unknown +- contextPath: ANYRUN.Task.HttpRequest.HttpCode + description: HTTP request response code. + type: Number +- contextPath: ANYRUN.Task.HttpRequest.Status + description: Status of the HTTP request. + type: String +- contextPath: ANYRUN.Task.HttpRequest.ProxyDetected + description: Whether the HTTP request was made through a proxy. + type: Boolean +- contextPath: ANYRUN.Task.HttpRequest.Port + description: HTTP request port. + type: Number +- contextPath: ANYRUN.Task.HttpRequest.IP + description: HTTP request IP address. + type: String +- contextPath: ANYRUN.Task.HttpRequest.URL + description: HTTP request URL. + type: String +- contextPath: ANYRUN.Task.HttpRequest.Host + description: HTTP request host. + type: String +- contextPath: ANYRUN.Task.HttpRequest.Method + description: HTTP request method type. + type: String +- contextPath: ANYRUN.Task.FileInfo + description: Details of the submitted file. + type: String +- contextPath: ANYRUN.Task.OS + description: OS of the sandbox in which the file was analyzed. 
+ type: String +- contextPath: ANYRUN.Task.ID + description: The unique ID of the task. + type: String +- contextPath: ANYRUN.Task.MIME + description: The MIME of the file submitted for analysis. + type: String +- contextPath: ANYRUN.Task.Verdict + description: ANY.RUN verdict for the maliciousness of the submitted file or URL. + type: String +- contextPath: ANYRUN.Task.Process.FileName + description: File name of the process. + type: String +- contextPath: ANYRUN.Task.Process.PID + description: Process identification number. + type: Number +- contextPath: ANYRUN.Task.Process.PPID + description: Parent process identification number. + type: Number +- contextPath: ANYRUN.Task.Process.ProcessUUID + description: Unique process ID (used by ANY.RUN). + type: String +- contextPath: ANYRUN.Task.Process.CMD + description: Process command. + type: String +- contextPath: ANYRUN.Task.Process.Path + description: Path of the executed command. + type: String +- contextPath: ANYRUN.Task.Process.User + description: User who executed the command. + type: String +- contextPath: ANYRUN.Task.Process.IntegrityLevel + description: The process integrity level. + type: String +- contextPath: ANYRUN.Task.Process.ExitCode + description: Process exit code. + type: Number +- contextPath: ANYRUN.Task.Process.MainProcess + description: Whether the process is the main process. + type: Boolean +- contextPath: ANYRUN.Task.Process.Version.Company + description: Company responsible for the program executed. + type: String +- contextPath: ANYRUN.Task.Process.Version.Description + description: Description of the type of program. + type: String +- contextPath: ANYRUN.Task.Process.Version.Version + description: Version of the program executed. + type: String +- contextPath: DBotScore.Indicator + description: The indicator that was tested. + type: String +- contextPath: DBotScore.Score + description: The actual score. + type: Number +- contextPath: DBotScore.Type + description: Type of indicator. 
+ type: String +- contextPath: DBotScore.Vendor + description: Vendor used to calculate the score. + type: String +- contextPath: URL.Data + description: URL data. + type: String +- contextPath: URL.Malicious.Vendor + description: For malicious URLs, the vendor that made the decision. + type: String +- contextPath: URL.Malicious.Description + description: For malicious URLs, the reason for the vendor to make the decision. + type: String +- contextPath: ANYRUN.Task.Status + description: Task analysis status. + type: String +fromversion: 5.0.0 +tests: +- Detonate URL - Generic Test diff --git a/Packs/CommonPlaybooks/Playbooks/playbook-Detonate_URL_-_Generic_README.md b/Packs/CommonPlaybooks/Playbooks/playbook-Detonate_URL_-_Generic_README.md index a403b3e73ad1..83d1cc0d0e06 100644 --- a/Packs/CommonPlaybooks/Playbooks/playbook-Detonate_URL_-_Generic_README.md +++ b/Packs/CommonPlaybooks/Playbooks/playbook-Detonate_URL_-_Generic_README.md @@ -1,16 +1,17 @@ -Detonates a URL through active integrations that supports URL detonation. +Detonate URL through active integrations that support URL detonation ## Dependencies This playbook uses the following sub-playbooks, integrations, and scripts. ### Sub-playbooks -* Detonate URL - Lastline v2 -* Detonate URL - Cuckoo +* Detonate URL - ThreatGrid +* Detonate URL - CrowdStrike * Detonate URL - JoeSecurity +* Detonate URL - Lastline v2 +* Detonate URL - Group-IB TDS Polygon * Detonate URL - ANYRUN * Detonate URL - McAfee ATD -* Detonate URL - CrowdStrike -* Detonate URL - ThreatGrid +* Detonate URL - Cuckoo ### Integrations This playbook does not use any integrations. 
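Review bot: Task "18" (Detonate URL - Group-IB TDS Polygon) is added with `description: ''` while every sibling task in the hunk carries a description; give it one such as `description: Detonates a URL using the Group-IB TDS Polygon sandbox integration.` so the generated README and the task tooltip are not blank. Because the hunk rewrites the whole file, the new side also re-lands two mislabeled descriptions the commit does not fix: task "14" (Detonate URL - CrowdStrike) still reads "Detonate one or more files using the Wildfire integration" and task "16" (Detonate URL - Cuckoo) still reads "Detonates a file using Cuckoo sandbox", both of which should describe URL detonation through the named sandbox. Task "18" is also the only branch that pins `Timeout: "60"`, `Interval: "1"` and `url: ${URL.Data}` as `scriptarguments` while the other seven branches rely on their sub-playbook defaults; either wire these from playbook inputs or add a comment explaining why this sandbox alone needs explicit values and what unit the timeout is in. The `fromversion` change from 4.0.0 to 5.0.0 drops the playbook from older servers and presumably deserves a release-note line if the pack does not already have one.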
@@ -24,133 +25,133 @@ This playbook does not use any commands. ## Playbook Inputs --- -| **Name** | **Description** | **Default Value** | **Source** | **Required** | -| --- | --- | --- | --- | --- | -| URL | The URL object of the URL to be detonated. | None | URL | Optional | +| **Name** | **Description** | **Default Value** | **Required** | +| --- | --- | --- | --- | +| URL | URL object of url to be detonated. | URL.None | Optional | ## Playbook Outputs --- | **Path** | **Description** | **Type** | | --- | --- | --- | -| File | The file's object. | unknown | -| File.Name | The filename. | string | -| File.Size | The file size. | number | -| File.Type | The file type. For example, "PE" (only in case of report type=json). | string | -| File.SHA256 | The SHA256 hash of the file. | string | -| File.SHA1 | The SHA1 hash of the file. | string | -| File.MD5 | The MD5 hash of the file. | string | -| File.Malicious.Vendor | The vendor that made the decision that the file is malicious. | string | -| File.Malicious.Description | The reason for the vendor to make the decision that the file is malicious.| string | -| DBotScore | The Indicator's object. | unknown | -| DBotScore.Type | The type of the indicator. | string | -| DBotScore.Indicator | The indicator was tested.| string | -| DBotScore.Vendor | The vendor used to calculate the score. | string | -| DBotScore.Score | The actual score. | number | -| Joe.Analysis.WebID | The web ID. | string | -| Joe.Analysis.Status | The analysis status. | string | -| Joe.Analysis.Comments | The analysis comments. | string | -| Joe.Analysis.Time | The submitted time. | date | -| Joe.Analysis.Runs | The sub-analysis information. | unknown | -| Joe.Analysis.Result | The analysis results. | string | -| Joe.Analysis.Errors | The errors raised during sampling. | unknown | -| Joe.Analysis.Systems | The analysis OS. | unknown | -| Joe.Analysis.MD5 | The MD5 hash of the analysis sample. 
| string | -| Joe.Analysis.SHA1 | The SHA1 hash of the analysis sample. | string | -| Joe.Analysis.SHA256 | The SHA256 hash of the analysis sample. | string | -| Joe.Analysis.SampleName | The sample data. Can be a "filename" or "URL". | string | -| InfoFile.Name | The filename. | string | -| InfoFile.EntryID | The EntryID of the sample. | string | -| InfoFile.Size | The file size. | number | -| InfoFile.Type | The file type. For example, "PE". | string | -| InfoFile.Info | The basic information of the file. | string | -| Sample.State | The sample state. | string | -| Sample.ID | The sample ID. | string | -| IP.Address | The IP addresses's relevant to the sample. | string | -| InfoFile | The report file's object. | unknown | -| Cuckoo.Task.Category | The category of the task. | unknown | -| Cuckoo.Task.Machine | The machine of the task. | unknown | -| Cuckoo.Task.Errors | The errors of the task. | unknown | -| Cuckoo.Task.Target | The target of the task. | unknown | -| Cuckoo.Task.Package | The package of the task. | unknown | -| Cuckoo.Task.SampleID | The sample ID of the task. | unknown | -| Cuckoo.Task.Guest | The task guest. | unknown | -| Cuckoo.Task.Custom | The custom values of the task. | unknown | -| Cuckoo.Task.Owner | THe task owner. | unknown | -| Cuckoo.Task.Priority | The priority of task. | unknown | -| Cuckoo.Task.Platform | The platform of task. | unknown | -| Cuckoo.Task.Options | The task options. | unknown | -| Cuckoo.Task.Status | The task status. | unknown | -| Cuckoo.Task.EnforceTimeout | Whether the timeout of task enforced. | unknown | -| Cuckoo.Task.Timeout | The task timeout. | unknown | -| Cuckoo.Task.Memory | The task memory. | unknown | -| Cuckoo.Task.Tags | The task tags. | unknown | -| Cuckoo.Task.ID | The ID of the task. | unknown | -| Cuckoo.Task.AddedOn | The date the task was added. | unknown | -| Cuckoo.Task.CompletedOn | The date the task was completed. | unknown | -| Cuckoo.Task.Score | The reported score of the the task. 
| unknown | -| Cuckoo.Task.Monitor | The monitor of the reported task. | unknown | -| ANYRUN.Task.AnalysisDate | The date and time the analysis was executed. | String | -| ANYRUN.Task.Behavior.Category | The category of a process behavior. | String | -| ANYRUN.Task.Behavior.Action | The actions performed by a process. | String | -| ANYRUN.Task.Behavior.ThreatLevel | The threat score associated with a process behavior. | Number | -| ANYRUN.Task.Behavior.ProcessUUID | The unique ID of the process whose behaviors are being profiled. | String | -| ANYRUN.Task.Connection.Reputation | The connection reputation. | String | -| ANYRUN.Task.Connection.ProcessUUID | The ID of the process that created the connection. | String | -| ANYRUN.Task.Connection.ASN | The connection autonomous system network. | String | -| ANYRUN.Task.Connection.Country | The connection country. | String | -| ANYRUN.Task.Connection.Protocol | The connection protocol. | String | -| ANYRUN.Task.Connection.Port | The connection port number. | Number | -| ANYRUN.Task.Connection.IP | The connection IP address number. | String | -| ANYRUN.Task.DnsRequest.Reputation | The reputation of the DNS request. | String | -| ANYRUN.Task.DnsRequest.IP | The IP addresses associated with a DNS request. | Unknown | -| ANYRUN.Task.DnsRequest.Domain | The Domain resolution of a DNS request. | String | -| ANYRUN.Task.Threat.ProcessUUID | The unique process ID from where the threat originated. | String | -| ANYRUN.Task.Threat.Msg | The threat message. | String | -| ANYRUN.Task.Threat.Class | The class of the threat. | String | -| ANYRUN.Task.Threat.SrcPort | The port on which the threat originated. | Number | -| ANYRUN.Task.Threat.DstPort | The destination port of the threat. | Number | -| ANYRUN.Task.Threat.SrcIP | The source IP address where the threat originated. | String | -| ANYRUN.Task.Threat.DstIP | The destination IP address of the threat. 
| String | -| ANYRUN.Task.HttpRequest.Reputation | The reputation of the HTTP request. | String | -| ANYRUN.Task.HttpRequest.Country | The HTTP request country. | String | -| ANYRUN.Task.HttpRequest.ProcessUUID | The ID of the process making the HTTP request. | String | -| ANYRUN.Task.HttpRequest.Body | The HTTP request body parameters and details. | Unknown | -| ANYRUN.Task.HttpRequest.HttpCode | The HTTP request response code. | Number | -| ANYRUN.Task.HttpRequest.Status | The status of the HTTP request. | String | +| File | The File's object | unknown | +| File.Name | Filename | string | +| File.Size | File size | number | +| File.Type | File type e.g. "PE" \(only in case of report type=json\) | string | +| File.SHA256 | SHA256 of the file | string | +| File.SHA1 | SHA1 of the file | string | +| File.MD5 | MD5 of the file | string | +| File.Malicious.Vendor | For malicious files, the vendor that made the decision | string | +| File.Malicious.Description | For malicious files, the reason for the vendor to make the decision | string | +| DBotScore | The Indicator's object | unknown | +| DBotScore.Type | The type of the indicator | string | +| DBotScore.Indicator | The indicator we tested | string | +| DBotScore.Vendor | Vendor used to calculate the score | string | +| DBotScore.Score | The actual score | number | +| Joe.Analysis.WebID | Web ID | string | +| Joe.Analysis.Status | Analysis Status | string | +| Joe.Analysis.Comments | Analysis Comments | string | +| Joe.Analysis.Time | Submitted Time | date | +| Joe.Analysis.Runs | Sub\-Analysis Information | unknown | +| Joe.Analysis.Result | Analysis Results | string | +| Joe.Analysis.Errors | Raised errors during sampling | unknown | +| Joe.Analysis.Systems | Analysis OS | unknown | +| Joe.Analysis.MD5 | MD5 of analysis sample | string | +| Joe.Analysis.SHA1 | SHA1 of analysis sample | string | +| Joe.Analysis.SHA256 | SHA256 of analysis sample | string | +| Joe.Analysis.SampleName | Sample Data, could be a file 
name or URL | string | +| InfoFile.Name | FileName | string | +| InfoFile.EntryID | The EntryID of the sample | string | +| InfoFile.Size | File Size | number | +| InfoFile.Type | File type e.g. "PE" | string | +| InfoFile.Info | Basic information of the file | string | +| Sample.State | The sample state | string | +| Sample.ID | The sample ID | string | +| IP.Address | IP's relevant to the sample | string | +| InfoFile | The report file's object | unknown | +| Cuckoo.Task.Category | Category of task | unknown | +| Cuckoo.Task.Machine | Machine of task | unknown | +| Cuckoo.Task.Errors | Errors of task | unknown | +| Cuckoo.Task.Target | Target of task | unknown | +| Cuckoo.Task.Package | Package of task | unknown | +| Cuckoo.Task.SampleID | Sample ID of task | unknown | +| Cuckoo.Task.Guest | Task guest | unknown | +| Cuckoo.Task.Custom | Custom values of task | unknown | +| Cuckoo.Task.Owner | Task owner | unknown | +| Cuckoo.Task.Priority | Priority of task | unknown | +| Cuckoo.Task.Platform | Platform of task | unknown | +| Cuckoo.Task.Options | Task options | unknown | +| Cuckoo.Task.Status | Task status | unknown | +| Cuckoo.Task.EnforceTimeout | Is timeout of task enforced | unknown | +| Cuckoo.Task.Timeout | Task timeout | unknown | +| Cuckoo.Task.Memory | Task memory | unknown | +| Cuckoo.Task.Tags | Task tags | unknown | +| Cuckoo.Task.ID | ID of task | unknown | +| Cuckoo.Task.AddedOn | Date on which the task was added | unknown | +| Cuckoo.Task.CompletedOn | Date on which the task was completed | unknown | +| Cuckoo.Task.Score | Reported score of the the task | unknown | +| Cuckoo.Task.Monitor | Monitor of the reported task | unknown | +| ANYRUN.Task.AnalysisDate | Date and time the analysis was executed. | String | +| ANYRUN.Task.Behavior.Category | Category of a process behavior. | String | +| ANYRUN.Task.Behavior.Action | Actions performed by a process. | String | +| ANYRUN.Task.Behavior.ThreatLevel | Threat score associated with a process behavior. 
| Number | +| ANYRUN.Task.Behavior.ProcessUUID | Unique ID of the process whose behaviors are being profiled. | String | +| ANYRUN.Task.Connection.Reputation | Connection reputation. | String | +| ANYRUN.Task.Connection.ProcessUUID | ID of the process that created the connection. | String | +| ANYRUN.Task.Connection.ASN | Connection autonomous system network. | String | +| ANYRUN.Task.Connection.Country | Connection country. | String | +| ANYRUN.Task.Connection.Protocol | Connection protocol. | String | +| ANYRUN.Task.Connection.Port | Connection port number. | Number | +| ANYRUN.Task.Connection.IP | Connection IP number. | String | +| ANYRUN.Task.DnsRequest.Reputation | Reputation of the DNS request. | String | +| ANYRUN.Task.DnsRequest.IP | IP addresses associated with a DNS request. | Unknown | +| ANYRUN.Task.DnsRequest.Domain | Domain resolution of a DNS request. | String | +| ANYRUN.Task.Threat.ProcessUUID | Unique process ID from where the threat originated. | String | +| ANYRUN.Task.Threat.Msg | Threat message. | String | +| ANYRUN.Task.Threat.Class | Class of the threat. | String | +| ANYRUN.Task.Threat.SrcPort | Port on which the threat originated. | Number | +| ANYRUN.Task.Threat.DstPort | Destination port of the threat. | Number | +| ANYRUN.Task.Threat.SrcIP | Source IP address where the threat originated. | String | +| ANYRUN.Task.Threat.DstIP | Destination IP address of the threat. | String | +| ANYRUN.Task.HttpRequest.Reputation | Reputation of the HTTP request. | String | +| ANYRUN.Task.HttpRequest.Country | HTTP request country. | String | +| ANYRUN.Task.HttpRequest.ProcessUUID | ID of the process making the HTTP request. | String | +| ANYRUN.Task.HttpRequest.Body | HTTP request body parameters and details. | Unknown | +| ANYRUN.Task.HttpRequest.HttpCode | HTTP request response code. | Number | +| ANYRUN.Task.HttpRequest.Status | Status of the HTTP request. 
| String | | ANYRUN.Task.HttpRequest.ProxyDetected | Whether the HTTP request was made through a proxy. | Boolean | -| ANYRUN.Task.HttpRequest.Port | The HTTP request port. | Number | -| ANYRUN.Task.HttpRequest.IP | The HTTP request IP address. | String | -| ANYRUN.Task.HttpRequest.URL | The HTTP request URL. | String | -| ANYRUN.Task.HttpRequest.Host | The HTTP request host. | String | -| ANYRUN.Task.HttpRequest.Method | The HTTP request method type. | String | -| ANYRUN.Task.FileInfo | The details of the submitted file. | String | -| ANYRUN.Task.OS | The OS of the sandbox in which the file was analyzed. | String | +| ANYRUN.Task.HttpRequest.Port | HTTP request port. | Number | +| ANYRUN.Task.HttpRequest.IP | HTTP request IP address. | String | +| ANYRUN.Task.HttpRequest.URL | HTTP request URL. | String | +| ANYRUN.Task.HttpRequest.Host | HTTP request host. | String | +| ANYRUN.Task.HttpRequest.Method | HTTP request method type. | String | +| ANYRUN.Task.FileInfo | Details of the submitted file. | String | +| ANYRUN.Task.OS | OS of the sandbox in which the file was analyzed. | String | | ANYRUN.Task.ID | The unique ID of the task. | String | | ANYRUN.Task.MIME | The MIME of the file submitted for analysis. | String | -| ANYRUN.Task.Verdict | The `ANY.RUN` verdict for the maliciousness of the submitted file or URL. | String | -| ANYRUN.Task.Process.FileName | The file name of the process. | String | -| ANYRUN.Task.Process.PID | The process identification number. | Number | -| ANYRUN.Task.Process.PPID | The parent process identification number. | Number | -| ANYRUN.Task.Process.ProcessUUID | The unique process ID (used by `ANY.RUN`). | String | -| ANYRUN.Task.Process.CMD | The process command. | String | -| ANYRUN.Task.Process.Path | The path of the executed command. | String | -| ANYRUN.Task.Process.User | The user who executed the command. | String | +| ANYRUN.Task.Verdict | ANY.RUN verdict for the maliciousness of the submitted file or URL. 
| String | +| ANYRUN.Task.Process.FileName | File name of the process. | String | +| ANYRUN.Task.Process.PID | Process identification number. | Number | +| ANYRUN.Task.Process.PPID | Parent process identification number. | Number | +| ANYRUN.Task.Process.ProcessUUID | Unique process ID \(used by ANY.RUN\). | String | +| ANYRUN.Task.Process.CMD | Process command. | String | +| ANYRUN.Task.Process.Path | Path of the executed command. | String | +| ANYRUN.Task.Process.User | User who executed the command. | String | | ANYRUN.Task.Process.IntegrityLevel | The process integrity level. | String | -| ANYRUN.Task.Process.ExitCode | The process exit code. | Number | +| ANYRUN.Task.Process.ExitCode | Process exit code. | Number | | ANYRUN.Task.Process.MainProcess | Whether the process is the main process. | Boolean | -| ANYRUN.Task.Process.Version.Company | The company responsible for the program executed. | String | -| ANYRUN.Task.Process.Version.Description | The description of the type of program. | String | -| ANYRUN.Task.Process.Version.Version | The version of the program executed. | String | +| ANYRUN.Task.Process.Version.Company | Company responsible for the program executed. | String | +| ANYRUN.Task.Process.Version.Description | Description of the type of program. | String | +| ANYRUN.Task.Process.Version.Version | Version of the program executed. | String | | DBotScore.Indicator | The indicator that was tested. | String | | DBotScore.Score | The actual score. | Number | -| DBotScore.Type | The type of the indicator. | String | -| DBotScore.Vendor | The vendor used to calculate the score. | String | -| URL.Data | The URL data. | String | -| URL.Malicious.Vendor | The vendor that made the decision that the URL is malicious. | String | -| URL.Malicious.Description | The reason for the vendor to make the decision that the URL is malicious. | String | -| ANYRUN.Task.Status | The task analysis status. | String | +| DBotScore.Type | Type of indicator. 
| String | +| DBotScore.Vendor | Vendor used to calculate the score. | String | +| URL.Data | URL data. | String | +| URL.Malicious.Vendor | For malicious URLs, the vendor that made the decision. | String | +| URL.Malicious.Description | For malicious URLs, the reason for the vendor to make the decision. | String | +| ANYRUN.Task.Status | Task analysis status. | String | ## Playbook Image --- -![Detonate_URL_Generic](https://raw.githubusercontent.com/demisto/content/1bdd5229392bd86f0cc58265a24df23ee3f7e662/docs/images/playbooks/Detonate_URL_Generic.png) +![Detonate URL - Generic](Insert the link to your image here) \ No newline at end of file diff --git a/Packs/CommonPlaybooks/ReleaseNotes/1_5_1.md b/Packs/CommonPlaybooks/ReleaseNotes/1_5_1.md new file mode 100644 index 000000000000..32e7d2d48e8a --- /dev/null +++ b/Packs/CommonPlaybooks/ReleaseNotes/1_5_1.md @@ -0,0 +1,4 @@ + +#### Playbooks +##### Block IP - Generic v2 +- Added FortiGate Ban IP command to Block IP - Generic v2 playbook. diff --git a/Packs/CommonPlaybooks/ReleaseNotes/1_5_2.md b/Packs/CommonPlaybooks/ReleaseNotes/1_5_2.md new file mode 100644 index 000000000000..74243d020f2e --- /dev/null +++ b/Packs/CommonPlaybooks/ReleaseNotes/1_5_2.md @@ -0,0 +1,6 @@ + +#### Playbooks +##### Detonate File - Generic + - Added Detonate File - Group-IB TDS Polygon as a sub-playbook +##### Detonate URL - Generic + - Added Detonate URL - Group-IB TDS Polygon as a sub-playbook diff --git a/Packs/CommonPlaybooks/pack_metadata.json b/Packs/CommonPlaybooks/pack_metadata.json index 52f2995fe70b..a2575fffcc72 100644 --- a/Packs/CommonPlaybooks/pack_metadata.json +++ b/Packs/CommonPlaybooks/pack_metadata.json 
@@ -1,292 +1,296 @@ -{ - "name": "Common Playbooks", - "description": "Frequently used playbooks pack.", - "support": "xsoar", - "currentVersion": "1.5.0", - "author": "Cortex XSOAR", - "url": "https://www.paloaltonetworks.com/cortex", - "email": "", - "created": "2020-05-14T08:33:25Z", - "categories": [], - "tags": [], - "useCases": [], - "keywords": [], - "dependencies": { - "VirusTotal": { - "mandatory": false, - "display_name": "VirusTotal" - }, - "ExtraHop": { - "mandatory": false, - "display_name": "ExtraHop Reveal(x)" - }, - "CommonScripts": { - "mandatory": true, - "display_name": "Common Scripts" - }, - "JoeSecurity": { - "mandatory": false, - "display_name": "Joe Security" - }, - "SNDBOX": { - "mandatory": false, - "display_name": "SNDBOX" - }, - "McAfee-TIE": { - "mandatory": false, - "display_name": "McAfee Threat Intelligence Exchange" - }, - "GmailSingleUser": { - "mandatory": false, - "display_name": "Gmail Single User (Beta)" - }, - "Flashpoint": { - "mandatory": false, - "display_name": "Flashpoint" - }, - "CarbonBlackProtect": { - "mandatory": false, - "display_name": "Carbon Black Enterprise Protection" - }, - "CrowdStrikeIntel": { - "mandatory": false, - "display_name": "CrowdStrike Falcon Intel" - }, - "CalculateTimeDifference": { - "mandatory": true, - "display_name": "CalculateTimeDifference" - }, - "Cylance_Protect": { - "mandatory": false, - "display_name": "Cylance Protect" - }, - "Active_Directory_Query": { - "mandatory": false, - "display_name": "Active Directory Query" - }, - "ReversingLabs_Titanium_Cloud": { - "mandatory": false, - "display_name": "ReversingLabs Titanium Cloud" - }, - "Anomali_ThreatStream": { - "mandatory": false, - "display_name": "Anomali ThreatStream" - }, - "VulnDB": { - "mandatory": false, - "display_name": "VulnDB" - }, - "ThreatMiner": { - "mandatory": false, - "display_name": "ThreatMiner" - }, - "AutoFocus": { - "mandatory": false, - "display_name": "AutoFocus" - }, - "Cofense-Intelligence": { - "mandatory": 
false, - "display_name": "Cofense Intelligence" - }, - "VirusTotal-Private_API": { - "mandatory": false, - "display_name": "VirusTotal - Private API" - }, - "Carbon_Black_Enterprise_Response": { - "mandatory": false, - "display_name": "Carbon Black Enterprise Response" - }, - "Palo_Alto_Networks_WildFire": { - "mandatory": false, - "display_name": "Palo Alto Networks WildFire" - }, - "ThreatQ": { - "mandatory": false, - "display_name": "ThreatQ" - }, - "CheckpointFirewall": { - "mandatory": false, - "display_name": "Check Point Firewall" - }, - "CortexXDR": { - "mandatory": false, - "display_name": "Palo Alto Networks Cortex XDR - Investigation and Response" - }, - "Gmail": { - "mandatory": false, - "display_name": "Gmail" - }, - "D2": { - "mandatory": false, - "display_name": "D2" - }, - "CrowdStrikeHost": { - "mandatory": false, - "display_name": "FalconHost" - }, - "McAfee_Advanced_Threat_Defense": { - "mandatory": false, - "display_name": "McAfee Advanced Threat Defense" - }, - "Phishing": { - "mandatory": false, - "display_name": "Phishing" - }, - "ReversingLabs_A1000": { - "mandatory": false, - "display_name": "ReversingLabs A1000" - }, - "MicrosoftGraphListener": { - "mandatory": false, - "display_name": "Microsoft Graph Mail Single User" - }, - "Lastline": { - "mandatory": false, - "display_name": "Lastline" - }, - "illuminate": { - "mandatory": false, - "display_name": "illuminate" - }, - "MicrosoftGraphMail": { - "mandatory": false, - "display_name": "Microsoft Graph Mail" - }, - "isight": { - "mandatory": false, - "display_name": "FireEye iSIGHT" - }, - "CrowdStrikeFalconSandbox": { - "mandatory": false, - "display_name": "CrowdStrike Falcon Sandbox" - }, - "fireeye": { - "mandatory": false, - "display_name": "FireEye (AX Series)" - }, - "Threat_Crowd": { - "mandatory": false, - "display_name": "Threat Crowd" - }, - "XFE": { - "mandatory": false, - "display_name": "IBM X-Force Exchange" - }, - "ML": { - "mandatory": false, - "display_name": "Machine 
Learning" - }, - "Symantec_Deepsight": { - "mandatory": false, - "display_name": "Symantec Deepsight Intelligence (Beta)" - }, - "rasterize": { - "mandatory": false, - "display_name": "Rasterize" - }, - "CuckooSandbox": { - "mandatory": false, - "display_name": "Cuckoo Sandbox" - }, - "ANYRUN": { - "mandatory": false, - "display_name": "ANY.RUN" - }, - "MailSenderNew": { - "mandatory": false, - "display_name": "Mail Sender (New)" - }, - "ThreatExchange": { - "mandatory": false, - "display_name": "ThreatExchange" - }, - "AlienVault_OTX": { - "mandatory": false, - "display_name": "AlienVault OTX" - }, - "ThreatGrid": { - "mandatory": false, - "display_name": "Cisco Threat Grid" - }, - "ThreatConnect": { - "mandatory": false, - "display_name": "ThreatConnect" - }, - "Zscaler": { - "mandatory": false, - "display_name": "Zscaler" - }, - "Maltiverse": { - "mandatory": false, - "display_name": "Maltiverse" - }, - "EclecticIQ": { - "mandatory": false, - "display_name": "EclecticIQ Platform" - }, - "Traps": { - "mandatory": false, - "display_name": "Palo Alto Networks Traps" - }, - "PAN-OS": { - "mandatory": false, - "display_name": "PAN-OS" - }, - "TruSTAR": { - "mandatory": false, - "display_name": "TruSTAR" - }, - "epo": { - "mandatory": false, - "display_name": "McAfee ePO" - }, - "Recorded_Future": { - "mandatory": false, - "display_name": "Recorded Future" - }, - "EWSMailSender": { - "mandatory": false, - "display_name": "EWS Mail Sender" - }, - "PolySwarm": { - "mandatory": false, - "display_name": "PolySwarm" - }, - "Cisco-umbrella": { - "mandatory": false, - "display_name": "Cisco Umbrella Investigate" - }, - "ImageOCR": { - "mandatory": false, - "display_name": "Image OCR" - }, - "EWS": { - "mandatory": false, - "display_name": "EWS" - }, - "XForceExchange": { - "mandatory": false, - "display_name": "IBM X-Force Exchange" - }, - "URLHaus": { - "mandatory": false, - "display_name": "URLhaus" - }, - "MISP": { - "mandatory": false, - "display_name": "MISP" - }, - 
"Cybereason": { - "mandatory": false, - "display_name": "Cybereason" - }, - "VMRay": { - "mandatory": false, - "display_name": "VMRay" - }, - "HybridAnalysis": { - "mandatory": false, - "display_name": "Hybrid Analysis" - } - } -} \ No newline at end of file +{ + "name": "Common Playbooks", + "description": "Frequently used playbooks pack.", + "support": "xsoar", + "currentVersion": "1.5.2", + "author": "Cortex XSOAR", + "url": "https://www.paloaltonetworks.com/cortex", + "email": "", + "created": "2020-05-14T08:33:25Z", + "categories": [], + "tags": [], + "useCases": [], + "keywords": [], + "dependencies": { + "VirusTotal": { + "mandatory": false, + "display_name": "VirusTotal" + }, + "ExtraHop": { + "mandatory": false, + "display_name": "ExtraHop Reveal(x)" + }, + "CommonScripts": { + "mandatory": true, + "display_name": "Common Scripts" + }, + "JoeSecurity": { + "mandatory": false, + "display_name": "Joe Security" + }, + "SNDBOX": { + "mandatory": false, + "display_name": "SNDBOX" + }, + "McAfee-TIE": { + "mandatory": false, + "display_name": "McAfee Threat Intelligence Exchange" + }, + "GmailSingleUser": { + "mandatory": false, + "display_name": "Gmail Single User (Beta)" + }, + "Flashpoint": { + "mandatory": false, + "display_name": "Flashpoint" + }, + "CarbonBlackProtect": { + "mandatory": false, + "display_name": "Carbon Black Enterprise Protection" + }, + "CrowdStrikeIntel": { + "mandatory": false, + "display_name": "CrowdStrike Falcon Intel" + }, + "CalculateTimeDifference": { + "mandatory": true, + "display_name": "Calculate Time Difference" + }, + "Cylance_Protect": { + "mandatory": false, + "display_name": "Cylance Protect" + }, + "Active_Directory_Query": { + "mandatory": false, + "display_name": "Active Directory Query" + }, + "ReversingLabs_Titanium_Cloud": { + "mandatory": false, + "display_name": "ReversingLabs Titanium Cloud" + }, + "Anomali_ThreatStream": { + "mandatory": false, + "display_name": "Anomali ThreatStream" + }, + "VulnDB": { + 
"mandatory": false, + "display_name": "VulnDB" + }, + "ThreatMiner": { + "mandatory": false, + "display_name": "ThreatMiner" + }, + "AutoFocus": { + "mandatory": false, + "display_name": "AutoFocus" + }, + "Cofense-Intelligence": { + "mandatory": false, + "display_name": "Cofense Intelligence" + }, + "VirusTotal-Private_API": { + "mandatory": false, + "display_name": "VirusTotal - Private API" + }, + "Carbon_Black_Enterprise_Response": { + "mandatory": false, + "display_name": "Carbon Black Enterprise Response" + }, + "Palo_Alto_Networks_WildFire": { + "mandatory": false, + "display_name": "Palo Alto Networks WildFire" + }, + "ThreatQ": { + "mandatory": false, + "display_name": "ThreatQ" + }, + "CheckpointFirewall": { + "mandatory": false, + "display_name": "Check Point Firewall" + }, + "CortexXDR": { + "mandatory": false, + "display_name": "Palo Alto Networks Cortex XDR - Investigation and Response" + }, + "Gmail": { + "mandatory": false, + "display_name": "Gmail" + }, + "D2": { + "mandatory": false, + "display_name": "D2" + }, + "CrowdStrikeHost": { + "mandatory": false, + "display_name": "FalconHost" + }, + "McAfee_Advanced_Threat_Defense": { + "mandatory": false, + "display_name": "McAfee Advanced Threat Defense" + }, + "Phishing": { + "mandatory": false, + "display_name": "Phishing" + }, + "ReversingLabs_A1000": { + "mandatory": false, + "display_name": "ReversingLabs A1000" + }, + "MicrosoftGraphListener": { + "mandatory": false, + "display_name": "Microsoft Graph Mail Single User" + }, + "Lastline": { + "mandatory": false, + "display_name": "Lastline" + }, + "illuminate": { + "mandatory": false, + "display_name": "illuminate" + }, + "MicrosoftGraphMail": { + "mandatory": false, + "display_name": "Microsoft Graph Mail" + }, + "isight": { + "mandatory": false, + "display_name": "FireEye iSIGHT" + }, + "CrowdStrikeFalconSandbox": { + "mandatory": false, + "display_name": "CrowdStrike Falcon Sandbox" + }, + "fireeye": { + "mandatory": false, + "display_name": 
"FireEye (AX Series)" + }, + "Threat_Crowd": { + "mandatory": false, + "display_name": "Threat Crowd" + }, + "XFE": { + "mandatory": false, + "display_name": "IBM X-Force Exchange" + }, + "Symantec_Deepsight": { + "mandatory": false, + "display_name": "Symantec Deepsight Intelligence (Beta)" + }, + "rasterize": { + "mandatory": false, + "display_name": "Rasterize" + }, + "CuckooSandbox": { + "mandatory": false, + "display_name": "Cuckoo Sandbox" + }, + "ANYRUN": { + "mandatory": false, + "display_name": "ANY.RUN" + }, + "MailSenderNew": { + "mandatory": false, + "display_name": "Mail Sender (New)" + }, + "ThreatExchange": { + "mandatory": false, + "display_name": "ThreatExchange" + }, + "AlienVault_OTX": { + "mandatory": false, + "display_name": "AlienVault OTX" + }, + "ThreatGrid": { + "mandatory": false, + "display_name": "Cisco Threat Grid" + }, + "ThreatConnect": { + "mandatory": false, + "display_name": "ThreatConnect" + }, + "Zscaler": { + "mandatory": false, + "display_name": "Zscaler" + }, + "Maltiverse": { + "mandatory": false, + "display_name": "Maltiverse" + }, + "EclecticIQ": { + "mandatory": false, + "display_name": "EclecticIQ Platform" + }, + "Traps": { + "mandatory": false, + "display_name": "Palo Alto Networks Traps" + }, + "PAN-OS": { + "mandatory": false, + "display_name": "PAN-OS" + }, + "TruSTAR": { + "mandatory": false, + "display_name": "TruSTAR" + }, + "epo": { + "mandatory": false, + "display_name": "McAfee ePO" + }, + "Recorded_Future": { + "mandatory": false, + "display_name": "Recorded Future" + }, + "EWSMailSender": { + "mandatory": false, + "display_name": "EWS Mail Sender" + }, + "PolySwarm": { + "mandatory": false, + "display_name": "PolySwarm" + }, + "Cisco-umbrella": { + "mandatory": false, + "display_name": "Cisco Umbrella Investigate" + }, + "ImageOCR": { + "mandatory": false, + "display_name": "Image OCR" + }, + "EWS": { + "mandatory": false, + "display_name": "EWS" + }, + "XForceExchange": { + "mandatory": false, + 
"display_name": "IBM X-Force Exchange" + }, + "URLHaus": { + "mandatory": false, + "display_name": "URLhaus" + }, + "MISP": { + "mandatory": false, + "display_name": "MISP" + }, + "Cybereason": { + "mandatory": false, + "display_name": "Cybereason" + }, + "VMRay": { + "mandatory": false, + "display_name": "VMRay" + }, + "HybridAnalysis": { + "mandatory": false, + "display_name": "Hybrid Analysis" + }, + "Polygon": { + "mandatory": false, + "display_name": "Polygon" + }, + "FortiGate": { + "mandatory": false, + "display_name": "FortiGate" + } + } +} diff --git a/Packs/CommonScripts/ReleaseNotes/1_1_11.md b/Packs/CommonScripts/ReleaseNotes/1_1_11.md index 7be940089ed4..132e285219c5 100644 --- a/Packs/CommonScripts/ReleaseNotes/1_1_11.md +++ b/Packs/CommonScripts/ReleaseNotes/1_1_11.md @@ -1,5 +1,7 @@ + + diff --git a/Packs/CommonScripts/ReleaseNotes/1_1_13.md b/Packs/CommonScripts/ReleaseNotes/1_1_13.md index 2591bb4fe280..170a54b71ad0 100644 --- a/Packs/CommonScripts/ReleaseNotes/1_1_13.md +++ b/Packs/CommonScripts/ReleaseNotes/1_1_13.md @@ -1,12 +1,5 @@ -<<<<<<< HEAD #### Scripts ##### SetGridField - Fixed an issue where "None" values were causing the script to fail. -======= - ->>>>>>> 6da33a3eedba95c0aef172ccbb90b631c4b5b8d6 + diff --git a/Packs/CommonScripts/ReleaseNotes/1_2_2.md b/Packs/CommonScripts/ReleaseNotes/1_2_2.md new file mode 100644 index 000000000000..4041c396cfdb --- /dev/null +++ b/Packs/CommonScripts/ReleaseNotes/1_2_2.md @@ -0,0 +1,4 @@ + +#### Scripts +##### JSONtoCSV +- Improved error message when invalid JSON entry is given. diff --git a/Packs/CommonScripts/ReleaseNotes/1_2_3.md b/Packs/CommonScripts/ReleaseNotes/1_2_3.md new file mode 100644 index 000000000000..cd5772db0489 --- /dev/null +++ b/Packs/CommonScripts/ReleaseNotes/1_2_3.md 
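Review bot: The hunk rewrites all 292 lines of pack_metadata.json although the only content changes are `currentVersion` 1.5.0 → 1.5.2, the `CalculateTimeDifference` display name, and the new `Polygon` and `FortiGate` dependency entries; together with the dropped `\ No newline at end of file` marker this looks like a line-ending or trailing-newline normalization folded into the change. A whole-file rewrite hides the real edits from review and from `git blame`, so the normalization should be split into its own commit or reverted (`git diff --ignore-cr-at-eol` or `-w` will show whether anything else moved). The new `Polygon` entry uses the bare display name `"Polygon"` while the release note in this same commit calls the integration "Group-IB TDS Polygon" and neighbouring entries carry the full product name (e.g. `"ThreatGrid"` → `"Cisco Threat Grid"`); `"display_name": "Group-IB TDS Polygon"` would keep the metadata consistent with how the pack is referenced elsewhere.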
@@ -0,0 +1,5 @@ + +### Scripts +##### FindSimilarIncidents + - You can now search for for similar incidents using numeric and boolean fields. + - Added support for sorting by ID of similar incidents with identical timestamp. \ No newline at end of file diff --git a/Packs/CommonScripts/Scripts/FindSimilarIncidentsV2/CHANGELOG.md b/Packs/CommonScripts/Scripts/FindSimilarIncidentsV2/CHANGELOG.md index 234e64a59ae1..a816f6e47049 100644 --- a/Packs/CommonScripts/Scripts/FindSimilarIncidentsV2/CHANGELOG.md +++ b/Packs/CommonScripts/Scripts/FindSimilarIncidentsV2/CHANGELOG.md @@ -1,4 +1,6 @@ ## [Unreleased] +- You can now search for for similar incidents using numeric and boolean fields. +- Added support for sorting by ID of similar incidents with identical timestamp. ## [20.5.2] - 2020-05-26 diff --git a/Packs/CommonScripts/Scripts/FindSimilarIncidentsV2/FindSimilarIncidentsV2.py b/Packs/CommonScripts/Scripts/FindSimilarIncidentsV2/FindSimilarIncidentsV2.py index e82ff8509643..9dea2fcee639 100644 --- a/Packs/CommonScripts/Scripts/FindSimilarIncidentsV2/FindSimilarIncidentsV2.py +++ b/Packs/CommonScripts/Scripts/FindSimilarIncidentsV2/FindSimilarIncidentsV2.py @@ -117,6 +117,7 @@ def get_incidents_by_keys(similar_incident_keys, time_field, incident_time, inci .replace('"', r'\"') .replace("\n", "\\n") .replace("\r", "\\r") + if isinstance(t[1], STRING_TYPES) else t[1] ), similar_incident_keys.items())) incident_time = parse_datetime(incident_time) @@ -362,7 +363,7 @@ def main(): if len(duplicate_incidents or []) > 0: duplicate_incidents_rows = map(lambda x: incident_to_record(x, TIME_FIELD), duplicate_incidents) - duplicate_incidents_rows = list(sorted(duplicate_incidents_rows, key=lambda x: x['time'])) + duplicate_incidents_rows = list(sorted(duplicate_incidents_rows, key=lambda x: (x['time'], x['id']))) context = { 'similarIncidentList': duplicate_incidents_rows[:MAX_CANDIDATES_IN_LIST], 
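Review bot: The new `if isinstance(t[1], STRING_TYPES) else t[1]` branch lets every non-string value skip the quote and newline escaping that the string branch applies before the value is spliced into the incident query, and nothing in the hunk limits that branch to the numeric and boolean values the release note describes. A list, dict or `None` field value would therefore reach the query builder unescaped, and depending on how the code after the hunk stringifies it, that can re-open the quoting problem the escaping exists to prevent. Consider narrowing the pass-through to `t[1] if isinstance(t[1], (bool, int, float)) else <escape>(str(t[1]))`, i.e. only genuine scalars bypass escaping and everything else is stringified and escaped like a string. The lambda and `get_incidents_by_keys` begin before the hunk, so the final query construction is not visible here.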
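Review bot: The tie-break in `key=lambda x: (x['time'], x['id'])` only yields the order the release note promises if `id` is numeric; the new unit test uses integer ids, but if `incident_to_record` (outside the hunk) passes the platform's incident id through as a string, `'10'` sorts before `'9'`. If the id is a string in practice, compare it numerically when it is all digits, e.g. `key=lambda x: (x['time'], int(x['id']) if str(x['id']).isdigit() else x['id'])`, or add a test case with string ids so the assumption is pinned. `main()` continues past the end of the hunk.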
diff --git a/Packs/CommonScripts/Scripts/FindSimilarIncidentsV2/FindSimilarIncidentsV2.yml b/Packs/CommonScripts/Scripts/FindSimilarIncidentsV2/FindSimilarIncidentsV2.yml index 1262ebc42fe7..b295e6f85962 100644 --- a/Packs/CommonScripts/Scripts/FindSimilarIncidentsV2/FindSimilarIncidentsV2.yml +++ b/Packs/CommonScripts/Scripts/FindSimilarIncidentsV2/FindSimilarIncidentsV2.yml @@ -146,7 +146,7 @@ tags: - incidents timeout: 300ns type: python -dockerimage: demisto/python:2.7.17.6981 +dockerimage: demisto/python:2.7.18.9326 runonce: false tests: - Dedup - Generic v2 - Test diff --git a/Packs/CommonScripts/Scripts/FindSimilarIncidentsV2/find_similar_incidents_test.py b/Packs/CommonScripts/Scripts/FindSimilarIncidentsV2/find_similar_incidents_test.py index 266215c1b146..2f92965d5e8e 100644 --- a/Packs/CommonScripts/Scripts/FindSimilarIncidentsV2/find_similar_incidents_test.py +++ b/Packs/CommonScripts/Scripts/FindSimilarIncidentsV2/find_similar_incidents_test.py @@ -67,7 +67,7 @@ 'type': 'Phishing', 'severity': 0, 'status': 1, - 'created': '2019-01-01', + 'created': '2019-01-02', 'closed': '0001-01-01T00:00:00Z', 'labels': [{'type': 'subject', 'value': 'This subject2'}], 'attachment': [{'name': 'Test word1'}] @@ -85,13 +85,25 @@ 'attachment': [{'name': 'Test word1 word2'}] } +incident1_dup2 = { + 'id': 4, + 'name': 'This is incident1', + 'type': 'Phishing', + 'severity': 0, + 'status': 1, + 'created': '2019-01-01', + 'closed': '0001-01-01T00:00:00Z', + 'labels': [{'type': 'subject', 'value': 'This subject1'}], + 'attachment': [{'name': 'Test word1 word2'}] +} + def execute_command(command, args=None): if command == 'getIncidents': entry = {} entry['Type'] = entryTypes['note'] entry['Contents'] = {} - entry['Contents']['data'] = [incident1_dup, incident2] + entry['Contents']['data'] = [incident1_dup, incident2, incident1_dup2] return [entry] elif command == 'getContext': if args['id'] == 1: 
@@ -116,7 +128,7 @@ def test_similar_incidents_fields(mocker): mocker.patch.object(demisto, 'executeCommand', side_effect=execute_command) result = main() - assert len(result['EntryContext']['similarIncidentList']) == 1 + assert len(result['EntryContext']['similarIncidentList']) == 2 assert result['EntryContext']['similarIncidentList'][0]['rawId'] == 3 @@ -130,9 +142,10 @@ def test_similar_incidents_fields_with_diff(mocker): mocker.patch.object(demisto, 'executeCommand', side_effect=execute_command) result = main() - assert len(result['EntryContext']['similarIncidentList']) == 2 + assert len(result['EntryContext']['similarIncidentList']) == 3 assert result['EntryContext']['similarIncidentList'][0]['rawId'] == 3 - assert result['EntryContext']['similarIncidentList'][1]['rawId'] == 2 + assert result['EntryContext']['similarIncidentList'][1]['rawId'] == 4 + assert result['EntryContext']['similarIncidentList'][2]['rawId'] == 2 def test_similar_incidents_missing_fields(mocker): @@ -158,9 +171,10 @@ def test_similar_incidents_list_field(mocker): mocker.patch.object(demisto, 'executeCommand', side_effect=execute_command) result = main() - assert len(result['EntryContext']['similarIncidentList']) == 2 + assert len(result['EntryContext']['similarIncidentList']) == 3 assert result['EntryContext']['similarIncidentList'][0]['rawId'] == 3 - assert result['EntryContext']['similarIncidentList'][1]['rawId'] == 2 + assert result['EntryContext']['similarIncidentList'][1]['rawId'] == 4 + assert result['EntryContext']['similarIncidentList'][2]['rawId'] == 2 def test_similar_incidents_no_results(mocker): 
@@ -176,6 +190,21 @@ def test_similar_incidents_no_results(mocker): assert err.type == SystemExit +def test_similar_incidents_order(mocker): + args = dict(default_args) + args.update({'similarIncidentFields': 'name', 'similarLabelsKeys': 'subject'}) + + mocker.patch.object(demisto, 'args', return_value=args) + mocker.patch.object(demisto, 'incidents', return_value=[incident1]) + + mocker.patch.object(demisto, 'executeCommand', side_effect=execute_command) + + result = main() + assert len(result['EntryContext']['similarIncidentList']) == 2 + assert result['EntryContext']['similarIncidentList'][0]['rawId'] == 3 + assert result['EntryContext']['similarIncidentList'][1]['rawId'] == 4 + + def test_similar_context_simple_value(mocker): args = dict(default_args) args.update({'similarIncidentFields': 'name', 'similarContextKeys': 'simpleValue'}) diff --git a/Packs/CommonScripts/Scripts/JSONtoCSV/JSONtoCSV.py b/Packs/CommonScripts/Scripts/JSONtoCSV/JSONtoCSV.py new file mode 100644 index 000000000000..b728c1962da0 --- /dev/null +++ b/Packs/CommonScripts/Scripts/JSONtoCSV/JSONtoCSV.py 
@@ -0,0 +1,68 @@
+import demistomock as demisto
+from CommonServerPython import *
+
+import io
+import csv
+import sys
+
+
+def main():
+ entry_id = demisto.args()['entryid']
+ if isinstance(entry_id, list):
+ entry_id = entry_id[0]
+
+ json_ent = demisto.executeCommand('getEntry', {'id': entry_id})
+
+ dictlist = json_ent[0]['Contents']
+
+ csv_final = json_to_csv(dictlist)
+
+ if 'filename' in demisto.args():
+ # output cvs to file in warroom
+ demisto.results(fileResult(demisto.args()['filename'], csv_final.encode("utf-8")))
+ else:
+ # output cvs to warrrom
+ demisto.results(csv_final.encode("utf-8"))
+
+
+def json_to_csv(data):
+ """
+ takes a list of dictionaries and parsing them into csv.
+ json should be only list which contains dictionaries.
+
+ json:
+ [
+ {
+ "dn": "DC=demisto,DC=int",
+ "provider": "activedir"
+ },
+ {
+ "dn": "CN=Users,DC=demisto,DC=int",
+ "provider": "activedir"
+ }
+ ]
+
+ csv:
+ "dn", "provider"
+ "DC=demisto,DC=int" , "activedir"
+ "CN=Users,DC=demisto, DC=int" ,"activedir"
+ """
+ si = io.BytesIO()
+ cw = csv.writer(si)
+ try:
+ keys = list(data[0].iterkeys())
+ except KeyError:
+ print("The given JSON is not an iterable list.")
+ sys.exit(0)
+
+ cw.writerow(keys)
+ for d in data:
+ val_lst = []
+ for k in keys:
+ val_lst.append(d[k])
+ cw.writerow(val_lst)
+ return si.getvalue().strip('\r\n')
+
+
+if __name__ == "__builtin__" or __name__ == "builtins":
+ main()
diff --git a/Packs/CommonScripts/Scripts/JSONtoCSV/JSONtoCSV.yml b/Packs/CommonScripts/Scripts/JSONtoCSV/JSONtoCSV.yml
new file mode 100644
index 000000000000..72a00309a3fd
--- /dev/null
+++ b/Packs/CommonScripts/Scripts/JSONtoCSV/JSONtoCSV.yml
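Review bot: The `except KeyError` in `json_to_csv` does not cover the failures it is meant to report: an empty list raises `IndexError` at `data[0]`, a non-dict element raises `AttributeError` at `.iterkeys()`, and a row lacking one of the header keys raises `KeyError` later at `d[k]`, outside the `try`. The handler itself uses `print` plus `sys.exit(0)`, so the script finishes with a success status and the message goes to stdout rather than the war room; `except (IndexError, KeyError, AttributeError, TypeError): return_error("The given JSON is not a non-empty list of dictionaries.")` (the CommonServerPython helper) together with `val_lst.append(d.get(k))` would address both. Note also that `csv.writer(si)` never receives the `delimiter` argument the script's YAML declares with default `'|'`, so output is always comma-separated regardless of what the user passes. Because the cell values come straight from a war-room entry, a docstring line such as `# NOTE: values are written verbatim; a cell starting with =, +, - or @ is treated as a formula by spreadsheet apps` would warn maintainers about CSV formula injection when the file is downloaded and opened.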
@@ -0,0 +1,38 @@
+commonfields:
+ id: JSONtoCSV
+ version: -1
+name: JSONtoCSV
+script: ''
+type: python
+subtype: python2
+tags: []
+comment: Convert a JSON warroom output via EntryID to a CSV file.
+enabled: true
+args:
+- name: entryid
+ required: true
+ description: entry id of json
+ isArray: true
+- name: delimiter
+ default: true
+ description: CSV Delimiter.
+ defaultValue: '|'
+- name: filename
+ description: if provided will output CSV to file. Default output is to WarRoom.
+outputs:
+- contextPath: File.Name
+ description: Filename (only in case of report type=json)
+- contextPath: File.Type
+ description: File type e.g. "PE" (only in case of report type=json)
+- contextPath: File.Size
+ description: File size (only in case of report type=json)
+- contextPath: File.MD5
+ description: MD5 hash of the file (only in case of report type=json)
+- contextPath: File.SHA1
+ description: SHA1 hash of the file (only in case of report type=json)
+- contextPath: File.SHA256
+ description: SHA256 hash of the file (only in case of report type=json)
+scripttarget: 0
+runonce: false
+tests:
+- JSONtoCSV-Test
\ No newline at end of file
diff --git a/Packs/CommonScripts/Scripts/JSONtoCSV/JSONtoCSV_test.py b/Packs/CommonScripts/Scripts/JSONtoCSV/JSONtoCSV_test.py
new file mode 100644
index 000000000000..a2a05523c815
--- /dev/null
+++ b/Packs/CommonScripts/Scripts/JSONtoCSV/JSONtoCSV_test.py
@@ -0,0 +1,19 @@
+from CommonServerPython import *
+
+
+def test_main(mocker):
+ from JSONtoCSV import main
+
+ mocker.patch.object(demisto, 'args', return_value={
+ 'entryid': 'something@something'
+ })
+ mocker.patch.object(demisto, 'executeCommand', return_value=[
+ {"Contents": [
+ {"Test": "value"},
+ {"Test": "value2"}
+ ]}
+ ])
+ mocker.patch.object(demisto, 'results')
+ main()
+ results = demisto.results.call_args
+ assert results[0][0] == 'Test\r\nvalue\r\nvalue2'
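Review bot: The six `outputs` descriptions read `... (only in case of report type=json)`, which is copied from a different script; JSONtoCSV has no report-type argument, and the `File.*` context is produced only when the optional `filename` argument is supplied. Suggest `description: Name of the generated CSV file (only when the filename argument is given).` for `File.Name` and the same qualifier on `File.Type`, `File.Size`, `File.MD5`, `File.SHA1` and `File.SHA256`. The `delimiter` argument is also documented with `defaultValue: '|'` even though the accompanying script body never reads it, so the description should either say the argument is currently ignored or the argument should be removed until it is wired into the writer.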
diff --git a/Packs/CommonScripts/Scripts/script-JSONtoCSV_README.md b/Packs/CommonScripts/Scripts/JSONtoCSV/README.md similarity index 100% rename from Packs/CommonScripts/Scripts/script-JSONtoCSV_README.md rename to Packs/CommonScripts/Scripts/JSONtoCSV/README.md diff --git a/Packs/CommonScripts/Scripts/script-JSONtoCSV.yml b/Packs/CommonScripts/Scripts/script-JSONtoCSV.yml deleted file mode 100644 index 699618665749..000000000000 --- a/Packs/CommonScripts/Scripts/script-JSONtoCSV.yml +++ /dev/null 
@@ -1,96 +0,0 @@ -commonfields: - id: JSONtoCSV - version: -1 -name: JSONtoCSV -script: |- - import json - import io - import csv - - entry_id = demisto.args()['entryid'] - if isinstance(entry_id, list): - entry_id = entry_id[0] - - json_ent = demisto.executeCommand('getEntry', {'id': entry_id}) - - dictlist = json_ent[0]['Contents'] - delim = demisto.args()['delimiter'] - - def json_to_csv(data): - """ - takes a list of dictionatiers and parsing them into csv. - json should be only list which contains dictionaries. - - json: - [ - { - "dn": "DC=demisto,DC=int", - "provider": "activedir" - }, - { - "dn": "CN=Users,DC=demisto,DC=int", - "provider": "activedir" - } - ] - - csv: - "dn", "provider" - "DC=demisto,DC=int" , "activedir" - "CN=Users,DC=demisto, DC=int" ,"activedir" - """ - si = io.BytesIO() - cw = csv.writer(si) - keys = list(dictlist[0].iterkeys()) - - cw.writerow(keys) - for d in data: - val_lst = [] - for k in keys: - val_lst.append(d[k]) - cw.writerow(val_lst) - return si.getvalue().strip('\r\n') - - csv_final = json_to_csv(dictlist) - - if 'filename' in demisto.args(): - #outout cvs to file in warroom - demisto.results(fileResult(demisto.args()['filename'],csv_final.encode("utf-8"))) - else: - #outout cvs to warrrom - demisto.results(csv_final.encode("utf-8")) - - - -type: python -subtype: python2 -tags: [] -comment: Convert a JSON warroom output via EntryID to a CSV file. -enabled: true -args: -- name: entryid - required: true - description: entry id of json - isArray: true -- name: delimiter - default: true - description: CSV Delimiter. - defaultValue: '|' -- name: filename - description: if provided will output CSV to file. Default output is to WarRoom. -outputs: -- contextPath: File.Name - description: Filename (only in case of report type=json) -- contextPath: File.Type - description: File type e.g. 
"PE" (only in case of report type=json) -- contextPath: File.Size - description: File size (only in case of report type=json) -- contextPath: File.MD5 - description: MD5 hash of the file (only in case of report type=json) -- contextPath: File.SHA1 - description: SHA1 hash of the file (only in case of report type=json) -- contextPath: File.SHA256 - description: SHA256 hash of the file (only in case of report type=json) -scripttarget: 0 -runonce: false -tests: -- JSONtoCSV-Test diff --git a/Packs/CommonScripts/Scripts/script-JSONtoCSV_CHANGELOG.md b/Packs/CommonScripts/Scripts/script-JSONtoCSV_CHANGELOG.md deleted file mode 100644 index 9930e43aa7fd..000000000000 --- a/Packs/CommonScripts/Scripts/script-JSONtoCSV_CHANGELOG.md +++ /dev/null @@ -1,5 +0,0 @@ -## [Unreleased] - - -## [20.5.2] - 2020-05-26 -- diff --git a/Packs/CommonScripts/pack_metadata.json b/Packs/CommonScripts/pack_metadata.json index ca0b6cca2ca5..4940d232ea29 100644 --- a/Packs/CommonScripts/pack_metadata.json +++ b/Packs/CommonScripts/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Common Scripts", "description": "Frequently used scripts pack.", "support": "xsoar", - "currentVersion": "1.2.1", + "currentVersion": "1.2.3", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/CommonTypes/IndicatorFields/incidentfield-feedrelatedindicators.json b/Packs/CommonTypes/IndicatorFields/incidentfield-feedrelatedindicators.json new file mode 100644 index 000000000000..7eb7c482c93f --- /dev/null +++ b/Packs/CommonTypes/IndicatorFields/incidentfield-feedrelatedindicators.json 
@@ -0,0 +1,97 @@ +{ + "id": "indicator_feedrelatedindicators", + "version": -1, + "modified": "2020-04-02T15:08:30.420979614Z", + "sortValues": null, + "vcShouldIgnore": false, + "commitMessage": "", + "shouldCommit": false, + "name": "Feed Related Indicators", + "prevName": "Feed Related Indicators", + "ownerOnly": false, + "placeholder": "", + "description": "", + "cliName": "feedrelatedindicators", + "type": "grid", + "closeForm": false, + "editForm": true, + "required": false, + "script": "", + "fieldCalcScript": "", + "neverSetAsRequired": false, + "isReadOnly": false, + "selectValues": [], + "validationRegex": "", + "useAsKpi": false, + "locked": false, + "system": false, + "content": true, + "group": 2, + "mergeStrategy": "", + "hidden": false, + "associatedTypes": [ + "Registry Key", + "CVE", + "Domain", + "Email", + "IP", + "IPv6", + "CIDR", + "IPv6CIDR", + "File", + "URL" + ], + "systemAssociatedTypes": null, + "associatedToAll": true, + "unmapped": false, + "unsearchable": false, + "caseInsensitive": true, + "columns": [ + { + "key": "value", + "displayName": "value", + "type": "shortText", + "required": false, + "script": "", + "width": 150, + "isDefault": true, + "fieldCalcScript": "", + "isReadOnly": false, + "selectValues": null + }, + { + "key": "type", + "displayName": "type", + "type": "shortText", + "required": false, + "script": "", + "width": 150, + "isDefault": true, + "fieldCalcScript": "", + "isReadOnly": false, + "selectValues": null + }, + { + "key": "description", + "displayName": "description", + "type": "shortText", + "required": false, + "script": "", + "width": 150, + "isDefault": true, + "fieldCalcScript": "", + "isReadOnly": false, + "selectValues": null + } + ], + "defaultRows": [ + {}, + {}, + {} + ], + "sla": 0, + "threshold": 72, + "breachScript": "", + "validatedError": "", + "fromVersion": "5.5.0" +} \ No newline at end of file 
diff --git a/Packs/CommonTypes/Layouts/layout-indicatorsDetails-domain.json b/Packs/CommonTypes/Layouts/layout-indicatorsDetails-domain.json index 66139757e3ca..78dc84f1c318 100644 --- a/Packs/CommonTypes/Layouts/layout-indicatorsDetails-domain.json +++ b/Packs/CommonTypes/Layouts/layout-indicatorsDetails-domain.json @@ -5,7 +5,7 @@ "TypeName": "", "id": "domainRepUnified", "kind": "indicatorsDetails", - "modified": "2020-03-26T12:40:50.625087+02:00", + "modified": "2020-07-02T10:03:32.758057+03:00", "name": "", "system": false, "tabs": [ @@ -330,14 +330,14 @@ "startCol": 0 }, { - "index": 18, - "endCol": 2, - "height": 24, - "startCol": 0, + "endCol": 2, + "fieldId": "aggregatedreliability", + "height": 24, + "id": "b49a3ba0-6f8d-11ea-aeac-6dbd1bcce63e", + "index": 18, "sectionItemType": "field", - "fieldId": "aggregatedreliability", - "id": "b49a3ba0-6f8d-11ea-aeac-6dbd1bcce63e" - } + "startCol": 0 + } ], "maxW": 3, "minH": 1, @@ -539,6 +539,32 @@ "w": 2, "x": 1, "y": 9 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "default-main-00755e60-bc32-11ea-9755-ebbaf4d3af4d", + "items": [ + { + "endCol": 6, + "fieldId": "feedrelatedindicators", + "height": 106, + "id": "0eb6d030-bc32-11ea-9755-ebbaf4d3af4d", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "minW": 1, + "moved": false, + "name": "Feed Related Indicators", + "static": false, + "w": 3, + "x": 0, + "y": 11 } ], "type": "custom" @@ -549,5 +575,5 @@ }, "typeId": "domainRepUnified", "version": -1, - "fromversion": "5.5.0" -} + "fromversion": "5.5.0" +} \ No newline at end of file diff --git a/Packs/CommonTypes/Layouts/layout-indicatorsDetails-ip.json b/Packs/CommonTypes/Layouts/layout-indicatorsDetails-ip.json index f49fb277cc16..cf8a1ed86c44 100644 --- a/Packs/CommonTypes/Layouts/layout-indicatorsDetails-ip.json +++ b/Packs/CommonTypes/Layouts/layout-indicatorsDetails-ip.json 
@@ -5,7 +5,7 @@ "TypeName": "", "id": "ipRep", "kind": "indicatorsDetails", - "modified": "2020-03-26T12:49:38.832835+02:00", + "modified": "2020-07-02T10:12:52.396985+03:00", "name": "", "system": false, "tabs": [ @@ -149,13 +149,13 @@ "startCol": 0 }, { - "index": 7, - "endCol": 2, - "height": 24, - "startCol": 0, - "fieldId": "aggregatedreliability", - "id": "b49a3ba0-6f8d-11ea-aeac-6dbd1bcce63e" - } + "endCol": 2, + "fieldId": "aggregatedreliability", + "height": 24, + "id": "b49a3ba0-6f8d-11ea-aeac-6dbd1bcce63e", + "index": 7, + "startCol": 0 + } ], "maxW": 3, "minH": 1, @@ -393,6 +393,32 @@ "w": 2, "x": 1, "y": 10 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "main-2ba6ff20-bc33-11ea-9755-ebbaf4d3af4d", + "items": [ + { + "endCol": 6, + "fieldId": "feedrelatedindicators", + "height": 106, + "id": "49099460-bc33-11ea-9755-ebbaf4d3af4d", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "minW": 1, + "moved": false, + "name": "Feed Related Indicators", + "static": false, + "w": 3, + "x": 0, + "y": 12 } ], "type": "custom" @@ -403,5 +429,5 @@ }, "typeId": "ipRep", "version": -1, - "fromversion": "5.5.0" -} + "fromversion": "5.5.0" +} \ No newline at end of file diff --git a/Packs/CommonTypes/Layouts/layout-indicatorsDetails-unifiedFile.json b/Packs/CommonTypes/Layouts/layout-indicatorsDetails-unifiedFile.json index c2a36bd25d8a..d9525978b217 100644 --- a/Packs/CommonTypes/Layouts/layout-indicatorsDetails-unifiedFile.json +++ b/Packs/CommonTypes/Layouts/layout-indicatorsDetails-unifiedFile.json @@ -77,13 +77,13 @@ "startCol": 0 }, { - "index": 7, - "endCol": 2, - "height": 24, - "startCol": 0, - "fieldId": "aggregatedreliability", - "id": "b49a3ba0-6f8d-11ea-aeac-6dbd1bcce63e" - } + "endCol": 2, + "fieldId": "aggregatedreliability", + "height": 24, + "id": "b49a3ba0-6f8d-11ea-aeac-6dbd1bcce63e", + "index": 7, + "startCol": 0 + } ], "maxW": 3, "minH": 1, 
@@ -560,6 +560,32 @@ "w": 2, "x": 1, "y": 9 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "main-10a34c00-bc34-11ea-9755-ebbaf4d3af4d", + "items": [ + { + "endCol": 6, + "fieldId": "feedrelatedindicators", + "height": 106, + "id": "200b3c70-bc34-11ea-9755-ebbaf4d3af4d", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "minW": 1, + "moved": false, + "name": "Feed Related Indicators", + "static": false, + "w": 3, + "x": 0, + "y": 13 } ], "type": "custom" @@ -571,4 +597,4 @@ "typeId": "unifiedFileRep", "version": -1, "fromversion": "5.5.0" -} +} \ No newline at end of file diff --git a/Packs/CommonTypes/Layouts/layout-indicatorsDetails-url.json b/Packs/CommonTypes/Layouts/layout-indicatorsDetails-url.json index 38bb1b6d2d9f..c593e3a08548 100644 --- a/Packs/CommonTypes/Layouts/layout-indicatorsDetails-url.json +++ b/Packs/CommonTypes/Layouts/layout-indicatorsDetails-url.json @@ -5,7 +5,7 @@ "TypeName": "", "id": "urlRep", "kind": "indicatorsDetails", - "modified": "2020-03-26T12:56:24.850115+02:00", + "modified": "2020-07-02T10:22:48.067031+03:00", "name": "", "system": false, "tabs": [ @@ -125,14 +125,14 @@ "startCol": 0 }, { - "index": 7, - "endCol": 2, - "height": 24, - "startCol": 0, + "endCol": 2, + "fieldId": "aggregatedreliability", + "height": 24, + "id": "b49a3ba0-6f8d-11ea-aeac-6dbd1bcce63e", + "index": 7, "sectionItemType": "field", - "fieldId": "aggregatedreliability", - "id": "b49a3ba0-6f8d-11ea-aeac-6dbd1bcce63e" - } + "startCol": 0 + } ], "moved": false, "name": "URL Info", @@ -308,12 +308,12 @@ "minH": 1, "minW": 1, "moved": false, - "name": "Custom Details", + "name": "Feed Related Indicators", "static": false, "type": "customDetails", - "w": 1, + "w": 3, "x": 0, - "y": 10 + "y": 12 }, { "displayType": "CARD", @@ -346,8 +346,8 @@ "name": "Extended Details", "static": false, "type": "extendedDetails", - "w": 2, - "x": 1, + "w": 3, + "x": 0, "y": 10 } ], 
@@ -359,5 +359,5 @@ }, "typeId": "urlRep", "version": -1, - "fromversion": "5.5.0" -} + "fromversion": "5.5.0" +} \ No newline at end of file diff --git a/Packs/CommonTypes/ReleaseNotes/1_4_0.md b/Packs/CommonTypes/ReleaseNotes/1_4_0.md new file mode 100644 index 000000000000..2154540c7e32 --- /dev/null +++ b/Packs/CommonTypes/ReleaseNotes/1_4_0.md @@ -0,0 +1,10 @@ + +#### Layouts +##### domainRepUnified + - Added the Feed Related Indicators section to the layout. +##### unifiedFileRep + - Added the Feed Related Indicators section to the layout. +##### ipRep + - Added the Feed Related Indicators section to the layout. +##### urlRep + - Added the Feed Related Indicators section to the layout. \ No newline at end of file diff --git a/Packs/CommonTypes/ReleaseNotes/1_4_1.md b/Packs/CommonTypes/ReleaseNotes/1_4_1.md new file mode 100644 index 000000000000..fd91f40e9378 --- /dev/null +++ b/Packs/CommonTypes/ReleaseNotes/1_4_1.md @@ -0,0 +1,5 @@ + diff --git a/Packs/CommonTypes/pack_metadata.json b/Packs/CommonTypes/pack_metadata.json index 9c822904730b..d5f78252b9f7 100644 --- a/Packs/CommonTypes/pack_metadata.json +++ b/Packs/CommonTypes/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Common Types", "description": "Common types pack.", "support": "xsoar", - "currentVersion": "1.3.0", + "currentVersion": "1.4.1", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", 
@@ -11,5 +11,373 @@ "tags": [], "useCases": [], "keywords": [], - "dependencies": {} + "dependencies": { + "TruSTAR": { + "mandatory": false, + "display_name": "TruSTAR" + }, + "MaxMind_GeoIP2": { + "mandatory": false, + "display_name": "MaxMind GeoIP2" + }, + "Traps": { + "mandatory": false, + "display_name": "Palo Alto Networks Traps" + }, + "Shodan": { + "mandatory": false, + "display_name": "Shodan" + }, + "Whois": { + "mandatory": false, + "display_name": "Whois" + }, + "Polygon": { + "mandatory": false, + "display_name": "Polygon" + }, + "Phishing": { + "mandatory": false, + "display_name": "Phishing" + }, + "ThreatConnect": { + "mandatory": false, + "display_name": "ThreatConnect" + }, + "Malware": { + "mandatory": false, + "display_name": "Malware" + }, + "Expanse": { + "mandatory": false, + "display_name": "Expanse" + }, + "BruteForce": { + "mandatory": false, + "display_name": "Brute Force" + }, + "CommonScripts": { + "mandatory": true, + "display_name": "Common Scripts" + }, + "Pipl": { + "mandatory": false, + "display_name": "Pipl" + }, + "SplunkPy": { + "mandatory": false, + "display_name": "SplunkPy" + }, + "AccessInvestigation": { + "mandatory": false, + "display_name": "Access Investigation" + }, + "AutoFocus": { + "mandatory": false, + "display_name": "AutoFocus" + }, + "VulnDB": { + "mandatory": false, + "display_name": "VulnDB" + }, + "Palo_Alto_Networks_WildFire": { + "mandatory": false, + "display_name": "Palo Alto Networks WildFire" + }, + "ThreatQ": { + "mandatory": false, + "display_name": "ThreatQ" + }, + "Alexa": { + "mandatory": false, + "display_name": "Alexa Rank Indicator" + }, + "AlienVault_OTX": { + "mandatory": false, + "display_name": "AlienVault OTX" + }, + "Recorded_Future": { + "mandatory": false, + "display_name": "Recorded Future" + }, + "UrlScan": { + "mandatory": false, + "display_name": "urlscan.io" + }, + "ReversingLabs_A1000": { + "mandatory": false, + "display_name": "ReversingLabs A1000" + }, + "Zscaler": { + 
"mandatory": false, + "display_name": "Zscaler" + }, + "Flashpoint": { + "mandatory": false, + "display_name": "Flashpoint" + }, + "ExtraHop": { + "mandatory": false, + "display_name": "ExtraHop Reveal(x)" + }, + "OpenPhish": { + "mandatory": false, + "display_name": "OpenPhish" + }, + "Ipstack": { + "mandatory": false, + "display_name": "Ipstack" + }, + "Lastline": { + "mandatory": false, + "display_name": "Lastline" + }, + "ImpossibleTraveler": { + "mandatory": false, + "display_name": "Impossible Traveler" + }, + "ReversingLabs_Titanium_Cloud": { + "mandatory": false, + "display_name": "ReversingLabs Titanium Cloud" + }, + "Maltiverse": { + "mandatory": false, + "display_name": "Maltiverse" + }, + "PassiveTotal": { + "mandatory": false, + "display_name": "PassiveTotal" + }, + "EclecticIQ": { + "mandatory": false, + "display_name": "EclecticIQ Platform" + }, + "GoogleChronicleBackstory": { + "mandatory": false, + "display_name": "Chronicle" + }, + "TCPIPUtils": { + "mandatory": false, + "display_name": "TCPIPUtils" + }, + "DomainTools_Iris": { + "mandatory": false, + "display_name": "DomainTools Iris" + }, + "GoogleSafeBrowsing": { + "mandatory": false, + "display_name": "Google Safe Browsing" + }, + "URLHaus": { + "mandatory": false, + "display_name": "URLhaus" + }, + "APIVoid": { + "mandatory": false, + "display_name": "APIVoid" + }, + "AwakeSecurity": { + "mandatory": false, + "display_name": "Awake Security" + }, + "PhishTank": { + "mandatory": false, + "display_name": "PhishTank" + }, + "illuminate": { + "mandatory": false, + "display_name": "illuminate" + }, + "isight": { + "mandatory": false, + "display_name": "FireEye iSIGHT" + }, + "SlashNextPhishingIncidentResponse": { + "mandatory": false, + "display_name": "SlashNext Phishing Incident Response" + }, + "Symantec_Deepsight": { + "mandatory": false, + "display_name": "Symantec Deepsight Intelligence (Beta)" + }, + "Compliance": { + "mandatory": false, + "display_name": "Compliance" + }, + "ipinfo": { + 
"mandatory": false, + "display_name": "ipinfo" + }, + "Anomali_ThreatStream": { + "mandatory": false, + "display_name": "Anomali ThreatStream" + }, + "GDPR": { + "mandatory": false, + "display_name": "GDPR" + }, + "PrismaCloud": { + "mandatory": false, + "display_name": "Prisma Cloud" + }, + "PcapAnalysis": { + "mandatory": false, + "display_name": "PCAP Analysis" + }, + "XForceExchange": { + "mandatory": false, + "display_name": "IBM X-Force Exchange" + }, + "VirusTotal": { + "mandatory": false, + "display_name": "VirusTotal" + }, + "XFE": { + "mandatory": false, + "display_name": "IBM X-Force Exchange" + }, + "CrowdStrikeIntel": { + "mandatory": false, + "display_name": "CrowdStrike Falcon Intel" + }, + "PolySwarm": { + "mandatory": false, + "display_name": "PolySwarm" + }, + "Cofense-Intelligence": { + "mandatory": false, + "display_name": "Cofense Intelligence" + }, + "HelloWorld": { + "mandatory": false, + "display_name": "HelloWorld" + }, + "PortScan": { + "mandatory": false, + "display_name": "Port Scan" + }, + "iDefense": { + "mandatory": false, + "display_name": "iDefense" + }, + "ThreatMiner": { + "mandatory": false, + "display_name": "ThreatMiner" + }, + "CVESearch": { + "mandatory": false, + "display_name": "CVE Search" + }, + "EmployeeOffboarding": { + "mandatory": false, + "display_name": "Employee Offboarding" + }, + "MISP": { + "mandatory": false, + "display_name": "MISP" + }, + "AbuseDB": { + "mandatory": false, + "display_name": "AbuseIPDB" + }, + "IsItPhishing": { + "mandatory": false, + "display_name": "IsItPhishing" + }, + "Cisco-umbrella": { + "mandatory": false, + "display_name": "Cisco Umbrella Investigate" + }, + "DomainTools": { + "mandatory": false, + "display_name": "DomainTools" + }, + "ThreatExchange": { + "mandatory": false, + "display_name": "ThreatExchange" + }, + "Pwned": { + "mandatory": false, + "display_name": "Pwned" + }, + "McAfee-TIE": { + "mandatory": false, + "display_name": "McAfee Threat Intelligence Exchange" + } + }, + 
"displayedImages": [ + "TruSTAR", + "MaxMind_GeoIP2", + "Traps", + "Shodan", + "Whois", + "Polygon", + "Phishing", + "ThreatConnect", + "Malware", + "Expanse", + "BruteForce", + "CommonScripts", + "Pipl", + "SplunkPy", + "AccessInvestigation", + "AutoFocus", + "VulnDB", + "Palo_Alto_Networks_WildFire", + "ThreatQ", + "Alexa", + "AlienVault_OTX", + "Recorded_Future", + "UrlScan", + "ReversingLabs_A1000", + "Zscaler", + "Flashpoint", + "ExtraHop", + "OpenPhish", + "Ipstack", + "Lastline", + "ImpossibleTraveler", + "ReversingLabs_Titanium_Cloud", + "Maltiverse", + "PassiveTotal", + "EclecticIQ", + "GoogleChronicleBackstory", + "TCPIPUtils", + "DomainTools_Iris", + "GoogleSafeBrowsing", + "URLHaus", + "APIVoid", + "AwakeSecurity", + "PhishTank", + "illuminate", + "isight", + "SlashNextPhishingIncidentResponse", + "Symantec_Deepsight", + "Compliance", + "ipinfo", + "Anomali_ThreatStream", + "GDPR", + "PrismaCloud", + "PcapAnalysis", + "XForceExchange", + "VirusTotal", + "XFE", + "CrowdStrikeIntel", + "PolySwarm", + "Cofense-Intelligence", + "HelloWorld", + "PortScan", + "iDefense", + "ThreatMiner", + "CVESearch", + "EmployeeOffboarding", + "MISP", + "AbuseDB", + "IsItPhishing", + "Cisco-umbrella", + "DomainTools", + "ThreatExchange", + "Pwned", + "McAfee-TIE" + ] } \ No newline at end of file diff --git a/Packs/Compliance/README.md b/Packs/Compliance/README.md index e69de29bb2d1..f62aaa741c68 100644 --- a/Packs/Compliance/README.md +++ b/Packs/Compliance/README.md @@ -0,0 +1,4 @@ +Compliance pack is the base pack for compliance-related packs, such as HIPAA breach notification, US breach notification, and GDPR breach notification. +This Compliance content pack contains essential incidents fields and scripts that are being used in the compliance-related packs. + +_For more information, visit our [Cortex XSOAR Developer Docs](https://xsoar.pan.dev/docs)_ 
diff --git a/Packs/Compliance/ReleaseNotes/1_0_3.md b/Packs/Compliance/ReleaseNotes/1_0_3.md new file mode 100644 index 000000000000..e43e9209459b --- /dev/null +++ b/Packs/Compliance/ReleaseNotes/1_0_3.md @@ -0,0 +1,3 @@ + \ No newline at end of file diff --git a/Packs/Compliance/pack_metadata.json b/Packs/Compliance/pack_metadata.json index 4990c3dbe325..a814de55be12 100644 --- a/Packs/Compliance/pack_metadata.json +++ b/Packs/Compliance/pack_metadata.json @@ -1,8 +1,8 @@ { "name": "Compliance", - "description": "This pack contains essential incidents fields for compliance packs.", + "description": " ", "support": "xsoar", - "currentVersion": "1.0.2", + "currentVersion": "1.0.3", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/CortexDataLake/Integrations/CortexDataLake/README.md b/Packs/CortexDataLake/Integrations/CortexDataLake/README.md index c4a24311f880..5f22ab301c03 100644 --- a/Packs/CortexDataLake/Integrations/CortexDataLake/README.md +++ b/Packs/CortexDataLake/Integrations/CortexDataLake/README.md @@ -65,7 +65,7 @@ Runs a query on the Cortex logging service. | **Argument Name** | **Description** | **Required** | | --- | --- | --- | -| query | A free-text SQL query. For example, query="SELECT * FROM `firewall.traffic` limit 10". There are multiple tables in Loggings, for example: threat, traffic, and so on. Refer to the Cortex Logging service schema reference for the full list. | Optional | +| query | A free-text SQL query. For example, query="SELECT * FROM \`firewall.traffic\` limit 10". There are multiple tables in Loggings, for example: threat, traffic, and so on. Refer to the Cortex Logging service schema reference for the full list. | Optional | | limit | The number of logs to return. Default is 10 | Optional | diff --git a/Packs/CortexXDR/Integrations/PaloAltoNetworks_XDR/README.md b/Packs/CortexXDR/Integrations/PaloAltoNetworks_XDR/README.md index 66886a36c535..1b3af54d1f50 100644 
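Review bot: The pack `description` in `Packs/Compliance/pack_metadata.json` is replaced by a single space (`"description": " "`), which removes the marketplace summary that 1.0.2 carried while the same commit adds a full README; this looks unintentional rather than a deliberate blanking. Suggest keeping a one-line summary drawn from the new README, e.g. `"description": "Base pack with the incident fields and scripts shared by the compliance-related packs (HIPAA, US and GDPR breach notification).",`. The `ReleaseNotes/1_0_3.md` added alongside is also empty, so the version bump ships with no user-visible changelog entry.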
--- a/Packs/CortexXDR/Integrations/PaloAltoNetworks_XDR/README.md +++ b/Packs/CortexXDR/Integrations/PaloAltoNetworks_XDR/README.md @@ -64,6 +64,7 @@ You need to collect several pieces of information in order to configure the inte 4. Click __Test__ to validate the URLs, token, and connection. ## Fetched Incidents Data --- +``` incident_id:31 creation_time:1564594008755 modification_time:1566339537617 @@ -84,7 +85,7 @@ resolve_comment:null manual_severity:low manual_description:null xdr_url:https://1111.paloaltonetworks.com/incident-view/31 - +``` ## Commands --- You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. 
@@ -242,9 +243,9 @@ Returns a list of incidents, which you can filter by a list of incident IDs (max ### Incidents |alert_count|assigned_user_mail|assigned_user_pretty_name|creation_time|description|detection_time|high_severity_alert_count|host_count|incident_id|low_severity_alert_count|manual_description|manual_severity|med_severity_alert_count|modification_time|notes|resolve_comment|severity|starred|status|user_count|xdr_url| |---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| 5 | | | 1577276587937 | 5 'This alert from content TestXDRPlaybook' alerts detected by Checkpoint - SandBlast | | 4 | 1 | 4 | 0 | | medium | 1 | 1579290004178 | | This issue was solved in Incident number 192304 | medium | false | new | 1 | https://some.xdr.url.com/incident-view/4 | -| 1 | woo@demisto.com | woo@demisto.com | 1576100096594 | 'test 1' generated by Virus Total - Firewall | | 1 | 1 | 3 | 0 | | medium | 0 | 1579237974014 | | | medium | false | new | 1 | https://some.xdr.url.com/incident-view/3 | -| 2 | | | 1576062816474 | 'Alert Name Example 333' along with 1 other alert generated by Virus Total - VPN & Firewall-3 and Checkpoint - SandBlast | | 2 | 1 | 2 | 0 | | high | 0 | 1579288790259 | | | high | false | under_investigation | 1 | https://some.xdr.url.com/incident-view/2 | +| 5 | | | 1577276587937 | 5 'This alert from content TestXDRPlaybook' alerts detected by Checkpoint - SandBlast | | 4 | 1 | 4 | 0 | | medium | 1 | 1579290004178 | | This issue was solved in Incident number 192304 | medium | false | new | 1 | `https://some.xdr.url.com/incident-view/4` | +| 1 | woo@demisto.com | woo@demisto.com | 1576100096594 | 'test 1' generated by Virus Total - Firewall | | 1 | 1 | 3 | 0 | | medium | 0 | 1579237974014 | | | medium | false | new | 1 | `https://some.xdr.url.com/incident-view/3` | +| 2 | | | 1576062816474 | 'Alert Name Example 333' along with 1 other alert generated by Virus Total - VPN & Firewall-3 and Checkpoint - SandBlast | | 2 | 1 | 2 
| 0 | | high | 0 | 1579288790259 | | | high | false | under_investigation | 1 | `https://some.xdr.url.com/incident-view/2` | ### 2. xdr-get-incident-extra-data 
@@ -639,7 +640,7 @@ Returns additional data for the specified incident, for example, related alerts, ### Incident 4 |alert_count|assigned_user_mail|assigned_user_pretty_name|creation_time|description|detection_time|high_severity_alert_count|host_count|incident_id|low_severity_alert_count|manual_description|manual_severity|med_severity_alert_count|modification_time|notes|resolve_comment|severity|starred|status|user_count|xdr_url| |---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| 5 | | | 1577276587937 | 5 'This alert from content TestXDRPlaybook' alerts detected by Checkpoint - SandBlast | | 4 | 1 | 4 | 0 | | medium | 1 | 1579290004178 | | This issue was solved in Incident number 192304 | medium | false | new | 1 | https://some.xdr.url.com/incident-view/4 | +| 5 | | | 1577276587937 | 5 'This alert from content TestXDRPlaybook' alerts detected by Checkpoint - SandBlast | | 4 | 1 | 4 | 0 | | medium | 1 | 1579290004178 | | This issue was solved in Incident number 192304 | medium | false | new | 1 | `https://some.xdr.url.com/incident-view/4` | ### Alerts |action|action_external_hostname|action_file_md5|action_file_path|action_file_sha256|action_local_ip|action_local_port|action_pretty|action_process_image_command_line|action_process_image_name|action_process_image_sha256|action_process_signature_status|action_process_signature_vendor|action_registry_data|action_registry_full_key|action_remote_ip|action_remote_port|actor_process_command_line|actor_process_image_name|actor_process_signature_status|actor_process_signature_vendor|alert_id|category|causality_actor_causality_id|causality_actor_process_command_line|causality_actor_process_image_name|causality_actor_process_signature_status|causality_actor_process_signature_vendor|description|detection_timestamp|event_type|fw_app_id|host_ip|host_name|is_whitelisted|name|severity|source|starred|user_name| 
@@ -1300,12 +1301,3 @@ Gets agent event reports. You can filter by multiple fields, which will be conca | Audit | XDR Agent policy updated on aaaaa.compute.internal | | ea303670c76e4ad09600c8b346f7c804 | aaaaa.compute.internal | | 1579286565904.3281 | Success | Policy Update | 1579284369143.7048 | 7.0.0.1915 | Policy | | Audit | XDR Agent policy updated on aaaaa.compute.internal | | ea303670c76e4ad09600c8b346f7c804 | aaaaa.compute.internal | | 1579282965742.36 | Success | Policy Update | 1579280769141.43 | 7.0.0.1915 | Policy | - -## Additional Information ---- - -## Known Limitations ---- - -## Troubleshooting ---- diff --git a/Packs/CrowdStrikeFalconX/.pack-ignore b/Packs/CrowdStrikeFalconX/.pack-ignore new file mode 100644 index 000000000000..e69de29bb2d1 diff --git a/Packs/CrowdStrikeFalconX/.secrets-ignore b/Packs/CrowdStrikeFalconX/.secrets-ignore new file mode 100644 index 000000000000..169b2ec7d810 --- /dev/null +++ b/Packs/CrowdStrikeFalconX/.secrets-ignore @@ -0,0 +1,9 @@ +"17.111.13.67", +"111.27.12.67", +"'normalized_path.exe',", +"172.217.9.206", +"172.217.7.163", +"172.217.14.163" +"172.217.13.67" +"17.111.13.67" +"111.111.1.1" diff --git a/Packs/CrowdStrikeFalconX/CHANGELOG.md b/Packs/CrowdStrikeFalconX/CHANGELOG.md new file mode 100644 index 000000000000..4117bdc5e161 --- /dev/null +++ b/Packs/CrowdStrikeFalconX/CHANGELOG.md @@ -0,0 +1,2 @@ +## [Unreleased] +- \ No newline at end of file diff --git a/Packs/CrowdStrikeFalconX/Integrations/CrowdStrikeFalconX/CHANGELOG.md b/Packs/CrowdStrikeFalconX/Integrations/CrowdStrikeFalconX/CHANGELOG.md new file mode 100644 index 000000000000..692024bdf7da --- /dev/null +++ b/Packs/CrowdStrikeFalconX/Integrations/CrowdStrikeFalconX/CHANGELOG.md @@ -0,0 +1,3 @@ +## [Unreleased] +- + diff --git a/Packs/CrowdStrikeFalconX/Integrations/CrowdStrikeFalconX/CrowdStrikeFalconX.py b/Packs/CrowdStrikeFalconX/Integrations/CrowdStrikeFalconX/CrowdStrikeFalconX.py new file mode 100644 index 000000000000..07b7e8ffdc16 
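Review bot: The entries in the new `Packs/CrowdStrikeFalconX/.secrets-ignore` are written inconsistently: the first five lines carry a trailing comma while the last four do not, `"17.111.13.67"` appears twice (once with and once without the comma), and `"'normalized_path.exe',"` keeps inner quotes and a comma that look copied from a Python literal. If the scanner matches each line literally (presumably; the matching rule is not visible here), the comma-suffixed variants will not match the bare values that appear in the test data, so the allowlist would only partly do its job. One value per line with no trailing punctuation, e.g. `"17.111.13.67"` and `"'normalized_path.exe'"`, with the duplicate removed, keeps the allowlist minimal and makes it obvious at review time exactly which fixture values are exempt from secret detection.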
--- /dev/null
+++ b/Packs/CrowdStrikeFalconX/Integrations/CrowdStrikeFalconX/CrowdStrikeFalconX.py
@@ -0,0 +1,874 @@ +from typing import Dict, Tuple, List + +import demistomock as demisto +from CommonServerPython import * +from CommonServerUserPython import * + +import urllib3 +import traceback +import shutil + +# Disable insecure warnings +urllib3.disable_warnings() + + +def convert_environment_id_string_to_int( + environment_id: str +) -> int: + """ + Converting the string that describes the environment id into an int which needed for the http request + :param environment_id: one of the environment_id options + :return: environment_id represented by an int + """ + try: + environment_id_options = { + "300: Linux Ubuntu 16.04": 300, + "200: Android (static analysis)": 200, + "160: Windows 10": 160, + "110: Windows 7": 110, + "100: Windows 7": 100, + "64-bit": 64, + "32-bit": 32, + } + return environment_id_options[environment_id] + except Exception: + raise Exception('Invalid environment id option') + + +class Client: + """ + Client to use in the CrowdStrikeFalconX integration. Uses BaseClient + """ + + def __init__(self, server_url: str, username: str, password: str, use_ssl: bool, proxy: bool): + self._base_url = server_url + self._verify = use_ssl + self._ok_codes = tuple() # type: ignore[var-annotated] + self._username = username + self._password = password + self._session = requests.Session() + self._token = self._generate_token() + self._headers = {'Authorization': 'bearer ' + self._token} + if not proxy: + self._session.trust_env = False + + @staticmethod + def _handle_errors(errors: list) -> str: + """ + Converting the errors of the API to a string, in case there are no error, return an empty string + :param errors: each error is a dict with the keys code and message + :return: errors converted to single str + """ + return '\n'.join(f"{error['code']}: {error['message']}" for error in errors) + + def _is_status_code_valid(self, response, ok_codes=None): + """If the status code is OK, return 'True'. 
+ + :type response: ``requests.Response`` + :param response: Response from API after the request for which to check the status. + + :type ok_codes: ``tuple`` or ``list`` + :param ok_codes: + The request codes to accept as OK, for example: (200, 201, 204). If you specify + "None", will use response.ok. + + :return: Whether the status of the response is valid. + :rtype: ``bool`` + """ + # Get wanted ok codes + status_codes = ok_codes if ok_codes else self._ok_codes + if status_codes: + return response.status_code in status_codes + return response.ok + + def _http_request(self, method, url_suffix, full_url=None, headers=None, + json_data=None, params=None, data=None, files=None, + timeout=10, ok_codes=None, return_empty_response=False): + """A wrapper for requests lib to send our requests and handle requests and responses better. + + :type method: ``str`` + :param method: The HTTP method, for example: GET, POST, and so on. + + :type url_suffix: ``str`` + :param url_suffix: The API endpoint. + + :type full_url: ``str`` + :param full_url: + Bypasses the use of self._base_url + url_suffix. This is useful if you need to + make a request to an address outside of the scope of the integration + API. + + :type headers: ``dict`` + :param headers: Headers to send in the request. If None, will use self._headers. + + :type params: ``dict`` + :param params: URL parameters to specify the query. + + :type data: ``dict`` + :param data: The data to send in a 'POST' request. + + :type json_data: ``dict`` + :param json_data: The dictionary to send in a 'POST' request. + + :type files: ``dict`` + :param files: The file data to send in a 'POST' request. + + :type timeout: ``float`` or ``tuple`` + :param timeout: + The amount of time (in seconds) that a request will wait for a client to + establish a connection to a remote machine before a timeout occurs. + can be only float (Connection Timeout) or a tuple (Connection Timeout, Read Timeout). 
+ + :type ok_codes: ``tuple`` + :param ok_codes: + The request codes to accept as OK, for example: (200, 201, 204). If you specify + "None", will use self._ok_codes. + + :return: Depends on the resp_type parameter + :rtype: ``dict`` or ``str`` or ``requests.Response`` + """ + try: + # Replace params if supplied + address = full_url if full_url else urljoin(self._base_url, url_suffix) + headers = headers if headers else self._headers + # Execute + res = self._session.request( + method, + address, + verify=self._verify, + params=params, + data=data, + json=json_data, + files=files, + headers=headers, + timeout=timeout, + ) + # Handle error responses gracefully + if not self._is_status_code_valid(res, ok_codes): + try: + # Try to parse json error response + error_entry = res.json() + err_msg = self._handle_errors(error_entry.get("errors")) + raise DemistoException(err_msg) + except ValueError: + err_msg += '\n{}'.format(res.text) + raise DemistoException(err_msg) + + is_response_empty_and_successful = (res.status_code == 204) + if is_response_empty_and_successful and return_empty_response: + return res + + try: + return res.json() + except ValueError as exception: + raise DemistoException("Failed to parse json object from response:" + str(res.content), exception) + except requests.exceptions.ConnectTimeout as exception: + err_msg = 'Connection Timeout Error - potential reasons might be that the Server URL parameter' \ + ' is incorrect or that the Server is not accessible from your host.' + raise DemistoException(err_msg, exception) + except requests.exceptions.SSLError as exception: + err_msg = 'SSL Certificate Verification Failed - try selecting \'Trust any certificate\' checkbox in' \ + ' the integration configuration.' + raise DemistoException(err_msg, exception) + except requests.exceptions.ProxyError as exception: + err_msg = 'Proxy Error - if the \'Use system proxy\' checkbox in the integration configuration is' \ + ' selected, try clearing the checkbox.' 
+ raise DemistoException(err_msg, exception) + except requests.exceptions.ConnectionError as exception: + # Get originating Exception in Exception chain + error_class = str(exception.__class__) + err_type = '<' + error_class[error_class.find('\'') + 1: error_class.rfind('\'')] + '>' + err_msg = '\nError Type: {}\nError Number: [{}]\nMessage: {}\n' \ + 'Verify that the server URL parameter' \ + ' is correct and that you have access to the server from your host.' \ + .format(err_type, exception.errno, exception.strerror) + raise DemistoException(err_msg, exception) + + def _generate_token(self) -> str: + """Generate an Access token using the user name and password + :return: valid token + """ + body = { + 'client_id': self._username, + 'client_secret': self._password + } + + byte_creds = f'{self._username}:{self._password}'.encode('utf-8') + + headers = { + 'Authorization': f'Basic {base64.b64encode(byte_creds).decode()}' + } + token_res = self._http_request('POST', '/oauth2/token', data=body, headers=headers) + return token_res.get('access_token') + + def upload_file( + self, + file: str, + file_name: str, + is_confidential: str = "true", + comment: str = "" + ) -> dict: + """Creating the needed arguments for the http request + :param file: content of the uploaded sample in binary format + :param file_name: name of the file + :param is_confidential: defines visibility of this file in Falcon MalQuery, either via the API or the Falcon console + :param comment: a descriptive comment to identify the file for other users + :return: http response + """ + name = demisto.getFilePath(file)['name'] + try: + shutil.copy(demisto.getFilePath(file)['path'], name) + with open(name, 'rb') as f: + url_suffix = f"/samples/entities/samples/v2?file_name={file_name}&is_confidential={is_confidential}" \ + f"&comment={comment}" + self._headers['Content-Type'] = 'application/octet-stream' + shutil.rmtree(file_name, ignore_errors=True) + return self._http_request("POST", url_suffix, 
files={'file': f}) + except OSError: + raise Exception('Failed to prepare file for upload.') + finally: + shutil.rmtree(file_name, ignore_errors=True) + + def send_uploaded_file_to_sandbox_analysis( + self, + sha256: str, + environment_id: str, + action_script: str, + command_line: str, + document_password: str, + enable_tor: str, + submit_name: str, + system_date: str, + system_time: str + ) -> dict: + """Creating the needed arguments for the http request + :param sha256: SHA256 ID of the sample, which is a SHA256 hash value + :param environment_id: specifies the sandbox environment used for analysis + :param action_script: runtime script for sandbox analysis + :param command_line: command line script passed to the submitted file at runtime + :param document_password: auto-filled for Adobe or Office files that prompt for a password + :param enable_tor: if true, sandbox analysis routes network traffic via TOR + :param submit_name: name of the malware sample that’s used for file type detection and analysis + :param system_date: set a custom date in the format yyyy-MM-dd for the sandbox environment + :param system_time: set a custom time in the format HH:mm for the sandbox environment. 
+ :return: http response + """ + url_suffix = "/falconx/entities/submissions/v1" + body = { + "sandbox": [ + { + "sha256": sha256, + "environment_id": convert_environment_id_string_to_int(environment_id), + "action_script": action_script, + "command_line": command_line, + "document_password": document_password, + "enable_tor": enable_tor == "true", + "submit_name": submit_name, + "system_date": system_date, + "system_time": system_time + } + ] + } + self._headers['Content-Type'] = 'application/json' + return self._http_request("POST", url_suffix, json_data=body) + + def send_url_to_sandbox_analysis( + self, + url: str, + environment_id: str, + action_script: str, + command_line: str, + document_password: str, + enable_tor: str, + submit_name: str, + system_date: str, + system_time: str + ) -> dict: + """Creating the needed arguments for the http request + :param url: a web page or file URL. It can be HTTP(S) or FTP. + :param environment_id: specifies the sandbox environment used for analysis + :param action_script: runtime script for sandbox analysis + :param command_line: command line script passed to the submitted file at runtime + :param document_password: auto-filled for Adobe or Office files that prompt for a password + :param enable_tor: if true, sandbox analysis routes network traffic via TOR + :param submit_name: name of the malware sample that’s used for file type detection and analysis + :param system_date: set a custom date in the format yyyy-MM-dd for the sandbox environment + :param system_time: set a custom time in the format HH:mm for the sandbox environment. 
+ :return: http response + """ + url_suffix = "/falconx/entities/submissions/v1" + body = { + "sandbox": [ + { + "url": url, + "environment_id": convert_environment_id_string_to_int(environment_id), + "action_script": action_script, + "command_line": command_line, + "document_password": document_password, + "enable_tor": enable_tor == "true", + "submit_name": submit_name, + "system_date": system_date, + "system_time": system_time + } + ] + } + self._headers['Content-Type'] = 'application/json' + return self._http_request("POST", url_suffix, json_data=body) + + def get_full_report( + self, + id: str + ) -> dict: + """Creating the needed arguments for the http request + :param id: id of a submitted malware samples. + :return: http response + """ + url_suffix = f"/falconx/entities/reports/v1?ids={id}" + params = { + "ids": id + } + return self._http_request("Get", url_suffix, params=params) + + def get_report_summary( + self, + id: str + ) -> dict: + """Creating the needed arguments for the http request + :param id: id of a submitted malware samples. + :return: http response + """ + url_suffix = f"/falconx/entities/report-summaries/v1?ids={id}" + params = { + "ids": id + } + return self._http_request("Get", url_suffix, params=params) + + def get_analysis_status( + self, + ids: list + ) -> dict: + """Creating the needed arguments for the http request + :param ids: ids of a submitted malware samples. 
+ :return: http response + """ + url_suffix = f"/falconx/entities/submissions/v1?ids={ids}" + params = { + "ids": ids + } + return self._http_request("Get", url_suffix, params=params) + + def download_ioc( + self, + id: str, + name: str, + accept_encoding: str + ) -> dict: + """Creating the needed arguments for the http request + :param id: id of an artifact, such as an IOC pack, PCAP file, or actor image + :param name: the name given to your downloaded file + :param accept_encoding: format used to compress your downloaded file + :return: http response + """ + url_suffix = f"/falconx/entities/artifacts/v1?id={id}&name={name}&Accept-Encoding={accept_encoding}" + params = { + "ids": id, + "name": name, + "Accept-Encoding": accept_encoding, + } + return self._http_request("Get", url_suffix, params=params) + + def check_quota_status( + self + ) -> dict: + """Creating the needed arguments for the http request + :return: http response + """ + url_suffix = "/falconx/entities/submissions/v1?ids=" + return self._http_request("Get", url_suffix) + + def find_sandbox_reports( + self, + limit: int, + filter: str, + offset: str, + sort: str, + ) -> dict: + """Creating the needed arguments for the http request + :param limit: maximum number of report IDs to return + :param filter: optional filter and sort criteria in the form of an FQL query + :param offset: the offset to start retrieving reports from. 
+ :param sort: sort order: asc or desc + :return: http response + """ + url_suffix = f"/falconx/queries/reports/v1?filter={filter}&offset={offset}&limit{limit}=&sort={sort}" + params = { + "filter": filter, + "offset": offset, + "limit": limit, + "sort": sort, + } + return self._http_request("Get", url_suffix, params=params) + + def find_submission_id( + self, + limit: int, + filter: str, + offset: str, + sort: str, + ) -> dict: + """Creating the needed arguments for the http request + :param limit: maximum number of report IDs to return + :param filter: optional filter and sort criteria in the form of an FQL query + :param offset: the offset to start retrieving reports from. + :param sort: sort order: asc or desc + :return: http response + """ + url_suffix = f"/falconx/queries/submissions/v1?filter={filter}&offset={offset}&limit{limit}=&sort={sort}" + + params = { + "filter": filter, + "offset": offset, + "limit": limit, + "sort": sort, + } + return self._http_request("Get", url_suffix, params=params) + + +def add_outputs_from_dict( + api_current_dict: dict, + fields_to_keep: list +) -> dict: + """ + Filters a dict and keeps only the keys that appears in the given list + :param api_current_dict: the origin dict + :param fields_to_keep: the list which contains the wanted keys + :return: a dict based on api_current_dict without the keys that doesn't appear in fields_to_keep + """ + if not api_current_dict or not fields_to_keep: + return {} + + group_outputs = {} + + for field_to_keep in fields_to_keep: + if field_to_keep in api_current_dict.keys(): + group_outputs[field_to_keep] = api_current_dict.get(field_to_keep) + + return group_outputs + + +def parse_outputs( + api_res: dict, + meta_fields: list = [], + quota_fields: list = [], + resources_fields: list = [], + sandbox_fields: list = [] +) -> Dict[str, dict]: + """Parse group data as received from CrowdStrike FalconX API into Demisto's conventions + the output from the API is a dict that contains the keys: meta, 
resources and errors + the meta contains a "quota" dict + the "resources" is an array that contains the sandbox dict + the function filters the wanted params from the api result + :param api_res: the api result from the http request + :param meta_fields: the wanted params that appear in the mate section + :param quota_fields: the wanted params that appear in the quota section + :param resources_fields: the wanted params that appear in the resources section + :param sandbox_fields: the wanted params that appear in the sandbox section + :return: a dict based on api_res with the wanted params only + """ + api_res_quota, api_res_resources, api_res_sandbox = {}, {}, {} + resources_group_outputs, sandbox_group_outputs = {}, {} + + api_res_meta = api_res.get("meta") + if api_res_meta: + api_res_quota = api_res_meta.get("quota") + + meta_group_outputs = add_outputs_from_dict(api_res_meta, meta_fields) + quota_group_outputs = add_outputs_from_dict(api_res_quota, quota_fields) + + resources = api_res.get("resources") + if resources: + # depended on the command, the resources section can be a str list or a list that contains + # only one argument which is a dict + if type(resources[0]) == dict: + api_res_resources = resources[0] + resources_group_outputs = add_outputs_from_dict(api_res_resources, resources_fields) + + sandbox = api_res_resources.get("sandbox") + if api_res_resources and sandbox: + api_res_sandbox = sandbox[0] + sandbox_group_outputs = add_outputs_from_dict(api_res_sandbox, sandbox_fields) + else: + # the resources section is a list of strings + resources_group_outputs = {"resources": api_res.get("resources")} + + merged_dicts = {**meta_group_outputs, **quota_group_outputs, **resources_group_outputs, **sandbox_group_outputs} + + return merged_dicts + + +def test_module( + client: Client, +) -> Tuple[str, dict, list]: + """ + If a client was made then an accesses token was successfully reached, + therefor the username and password are valid and a connection was 
made + additionally, checks if not using all the optional quota + :param client: the client object with an access token + :return: ok if got a valid accesses token and not all the quota is used at the moment + """ + output = client.check_quota_status() + + error = output.get("errors") + if error: + return error[0] + + meta = output.get("meta") + if meta is not None: + quota = meta.get("quota") + if quota is not None: + total = quota.get("total") + used = quota.get("used") + if total <= used: + raise Exception(f"Quota limitation has been reached: {used}") + else: + return 'ok', {}, [] + raise Exception("Quota limitation is unreachable") + + +def upload_file_command( + client: Client, + file: str, + file_name: str, + is_confidential: str = "true", + comment: str = "", + submit_file: str = "no", +) -> Tuple[str, Dict[str, List[Dict[str, dict]]], List[dict]]: + """Upload a file for sandbox analysis. + :param client: the client object with an access token + :param file: content of the uploaded sample in binary format + :param file_name: name of the file + :param is_confidential: defines visibility of this file in Falcon MalQuery, either via the API or the Falcon console + :param comment: a descriptive comment to identify the file for other users + :param submit_file: if "yes" run cs-fx-submit-uploaded-file for the uploaded file + :return: Demisto outputs when entry_context and responses are lists + """ + response = client.upload_file(file, file_name, is_confidential, comment) + + resources_fields = ["file_name", "sha256"] + filtered_outputs = parse_outputs(response, resources_fields=resources_fields) + entry_context = {'csfalconx.resource(val.sha256 === obj.sha256)': [filtered_outputs]} + if submit_file == 'no': + return tableToMarkdown("CrowdStrike Falcon X response:", filtered_outputs), entry_context, [response] + + else: + sha256 = str(filtered_outputs.get("sha256")) + return send_uploaded_file_to_sandbox_analysis_command(client, sha256, "160: Windows 10") + + +def 
send_uploaded_file_to_sandbox_analysis_command( + client: Client, + sha256: str, + environment_id: str, + action_script: str = "", + command_line: str = "", + document_password: str = "", + enable_tor: str = "false", + submit_name: str = "", + system_date: str = "", + system_time: str = "" +) -> Tuple[str, Dict[str, List[Dict[str, dict]]], List[dict]]: + """Submit a sample SHA256 for sandbox analysis. + :param client: the client object with an access token + :param sha256: SHA256 ID of the sample, which is a SHA256 hash value + :param environment_id: specifies the sandbox environment used for analysis + :param action_script: runtime script for sandbox analysis + :param command_line: command line script passed to the submitted file at runtime + :param document_password: auto-filled for Adobe or Office files that prompt for a password + :param enable_tor: if true, sandbox analysis routes network traffic via TOR + :param submit_name: name of the malware sample that’s used for file type detection and analysis + :param system_date: set a custom date in the format yyyy-MM-dd for the sandbox environment + :param system_time: set a custom time in the format HH:mm for the sandbox environment. 
+ :return: Demisto outputs when entry_context and responses are lists + """ + response = client.send_uploaded_file_to_sandbox_analysis(sha256, environment_id, action_script, command_line, + document_password, enable_tor, submit_name, system_date, + system_time) + + sandbox_fields = ["environment_id", "sha256"] + resource_fields = ['id', 'state', 'created_timestamp', 'created_timestamp'] + filtered_outputs = parse_outputs(response, sandbox_fields=sandbox_fields, resources_fields=resource_fields) + # in order identify the id source, upload or submit command, the id name changed + filtered_outputs["submitted_id"] = filtered_outputs.pop("id") + entry_context = {'csfalconx.resource(val.submitted_id === obj.submitted_id)': [filtered_outputs]} + + return tableToMarkdown("CrowdStrike Falcon X response:", filtered_outputs), entry_context, [response] + + +def send_url_to_sandbox_analysis_command( + client: Client, + url: str, + environment_id: str, + action_script: str = "", + command_line: str = "", + document_password: str = "", + enable_tor: str = "false", + submit_name: str = "", + system_date: str = "", + system_time: str = "" +) -> Tuple[str, Dict[str, List[Dict[str, dict]]], List[dict]]: + """Submit a URL or FTP for sandbox analysis. + :param client: the client object with an access token + :param url: a web page or file URL. It can be HTTP(S) or FTP. 
+ :param environment_id: specifies the sandbox environment used for analysis + :param action_script: runtime script for sandbox analysis + :param command_line: command line script passed to the submitted file at runtime + :param document_password: auto-filled for Adobe or Office files that prompt for a password + :param enable_tor: if true, sandbox analysis routes network traffic via TOR + :param submit_name: name of the malware sample that’s used for file type detection and analysis + :param system_date: set a custom date in the format yyyy-MM-dd for the sandbox environment + :param system_time: set a custom time in the format HH:mm for the sandbox environment. + :return: Demisto outputs when entry_context and responses are lists + """ + response = client.send_url_to_sandbox_analysis(url, environment_id, action_script, command_line, document_password, + enable_tor, submit_name, system_date, system_time) + + resources_fields = ['id', 'state', 'created_timestamp'] + sandbox_fields = ["environment_id", "sha256"] + filtered_outputs = parse_outputs(response, resources_fields=resources_fields, sandbox_fields=sandbox_fields) + # in order identify the id source, upload or submit command, the id name changed + filtered_outputs["submitted_id"] = filtered_outputs.pop("id") + entry_context = {'csfalconx.resource(val.submitted_id === obj.submitted_id)': [filtered_outputs]} + + return tableToMarkdown("CrowdStrike Falcon X response:", filtered_outputs), entry_context, [response] + + +def get_full_report_command( + client: Client, + ids: list +) -> Tuple[str, Dict[str, List[Dict[str, dict]]], List[dict]]: + """Get a full version of a sandbox report. + :param client: the client object with an access token + :param ids: ids of a submitted malware samples. + :return: Demisto outputs when entry_context and responses are lists + """ + ids_list = argToList(ids) + filtered_outputs_list = [] + response_list = [] + + for single_id in ids_list: + response = client. 
get_full_report(single_id) + response_list.append(response) + + resources_fields = ['id', 'verdict', 'created_timestamp', "ioc_report_strict_csv_artifact_id", + "ioc_report_broad_csv_artifact_id", "ioc_report_strict_json_artifact_id", + "ioc_report_broad_json_artifact_id", "ioc_report_strict_stix_artifact_id", + "ioc_report_broad_stix_artifact_id", "ioc_report_strict_maec_artifact_id", + "ioc_report_broad_maec_artifact_id"] + + sandbox_fields = ["environment_id", "environment_description", "threat_score", "submit_url", "submission_type", + "filetype", "filesize", "sha256"] + filtered_outputs_list.append(parse_outputs(response, resources_fields=resources_fields, + sandbox_fields=sandbox_fields)) + + entry_context = {'csfalconx.resource(val.id === obj.id)': filtered_outputs_list} + + if not filtered_outputs_list: + # if there are no results, the sample is still being analyzed + no_results_message = 'There are no results yet, the sample might still being analyzed.' \ + ' Please wait to download the report.\n' \ + 'You can use cs-fx-get-analysis-status to check the status of a sandbox analysis.' + return no_results_message, entry_context, response_list + + return tableToMarkdown("CrowdStrike Falcon X response:", filtered_outputs_list), entry_context, response_list + + +def get_report_summary_command( + client: Client, + ids: list +) -> Tuple[str, Dict[str, List[Dict[str, dict]]], List[dict]]: + """Get a short summary version of a sandbox report. + :param client: the client object with an access token + :param ids: ids of a submitted malware samples. 
+ :return: Demisto outputs when entry_context and responses are lists + """ + filtered_outputs_list = [] + response_list = [] + ids_list = argToList(ids) + + for single_id in ids_list: + response = client.get_report_summary(single_id) + response_list.append(response) + + resources_fields = [ + 'id', 'verdict', 'created_timestamp', "ioc_report_strict_csv_artifact_id", + "ioc_report_broad_csv_artifact_id", "ioc_report_strict_json_artifact_id", + "ioc_report_broad_json_artifact_id", "ioc_report_strict_stix_artifact_id", + "ioc_report_broad_stix_artifact_id", "ioc_report_strict_maec_artifact_id", + "ioc_report_broad_maec_artifact_id" + ] + + sandbox_fields = ["environment_id", "environment_description", "threat_score", "submit_url", "submission_type", + "filetype", "filesize", "sha256"] + outputs = parse_outputs(response, resources_fields=resources_fields, sandbox_fields=sandbox_fields) + if outputs: + # no need to add empty dict + filtered_outputs_list.append(outputs) + + entry_context = {'csfalconx.resource(val.id === obj.id)': filtered_outputs_list} + + if not filtered_outputs_list: + # if there are no results, the sample is still being analyzed + no_results_message = 'There are no results yet, the sample might still being analyzed.' \ + ' Please wait to download the report.\n' \ + 'You can use cs-fx-get-analysis-status to check the status of a sandbox analysis.' + return no_results_message, entry_context, response_list + + return tableToMarkdown("CrowdStrike Falcon X response:", filtered_outputs_list), entry_context, response_list + + +def get_analysis_status_command( + client: Client, + ids: list +) -> Tuple[str, Dict[str, List[Dict[str, dict]]], List[dict]]: + """Check the status of a sandbox analysis. + :param client: the client object with an access token + :param ids: ids of a submitted malware samples. 
+ :return: Demisto outputs when entry_context and responses are lists
+ """
+ filtered_outputs_list = []
+ response_list = []
+ ids_list = argToList(ids)
+
+ for single_id in ids_list:
+ response = client.get_analysis_status(single_id)
+ response_list.append(response)
+
+ resources_fields = ['id', 'state', 'created_timestamp']
+ sandbox_fields = ["environment_id", "sha256"]
+ filtered_outputs_list.append(parse_outputs(response, resources_fields=resources_fields,
+ sandbox_fields=sandbox_fields))
+
+ entry_context = {'csfalconx.resource(val.id === obj.id)': filtered_outputs_list}
+ return tableToMarkdown("CrowdStrike Falcon X response:", filtered_outputs_list), entry_context, response_list
+
+
+def download_ioc_command(
+ client: Client,
+ id: str,
+ name: str = "",
+ accept_encoding: str = ""
+) -> Tuple[str, Dict[str, List[Dict[str, dict]]], List[dict]]:
+ """Download IOC packs, PCAP files, and other analysis artifacts.
+ :param client: the client object with an access token
+ :param id: id of an artifact, such as an IOC pack, PCAP file, or actor image
+ :param name: the name given to your downloaded file
+ :param accept_encoding: format used to compress your downloaded file
+ :return: Demisto outputs when entry_context and responses are lists
+ """
+ try:
+ response = client.download_ioc(id, name, accept_encoding)
+ except Exception as a:
+ print(a)
+ entry_context = {'csfalconx.resource(val.id === obj.id)': [response]}
+
+ return tableToMarkdown("CrowdStrike Falcon X response:", response), entry_context, [response]
+
+
+def check_quota_status_command(
+ client: Client
+) -> Tuple[str, Dict[str, List[Dict[str, dict]]], List[dict]]:
+ """Search endpoint contains File Hash.
+ :param client: the client object with an access token
+ :return: Demisto outputs when entry_context and responses are lists
+ """
+ response = client.check_quota_status()
+ quota_fields = ['total', 'used', 'in_progress']
+
+ filtered_outputs = parse_outputs(response, quota_fields=quota_fields)
+ entry_context = {'csfalconx.resource(val.id === obj.id)': [filtered_outputs]}
+
+ return tableToMarkdown("CrowdStrike Falcon X response:", filtered_outputs), entry_context, [response]
+
+
+def find_sandbox_reports_command(
+ client: Client,
+ limit: int = 50,
+ filter: str = "",
+ offset: str = "",
+ sort: str = "",
+) -> Tuple[str, Dict[str, List[Dict[str, dict]]], List[dict]]:
+ """Find sandbox reports by providing an FQL filter and paging details.
+ :param client: the client object with an access token
+ :param limit: maximum number of report IDs to return
+ :param filter: optional filter and sort criteria in the form of an FQL query
+ :param offset: the offset to start retrieving reports from.
+ :param sort: sort order: asc or desc
+ :return: Demisto outputs when entry_context and responses are lists
+ """
+ response = client.find_sandbox_reports(limit, filter, offset, sort)
+ resources_fields = ['id']
+
+ filtered_outputs = parse_outputs(response, resources_fields=resources_fields)
+ entry_context = {'csfalconx.resource(val.id === obj.id)': [filtered_outputs]}
+
+ return tableToMarkdown("CrowdStrike Falcon X response:", filtered_outputs), entry_context, [response]
+
+
+def find_submission_id_command(
+ client: Client,
+ limit: int = 50,
+ filter: str = "",
+ offset: str = "",
+ sort: str = "",
+) -> Tuple[str, Dict[str, List[Dict[str, dict]]], List[dict]]:
+ """Find submission IDs for uploaded files by providing an FQL filter and paging details.
+ :param client: the client object with an access token
+ :param limit: maximum number of report IDs to return
+ :param filter: optional filter and sort criteria in the form of an FQL query
+ :param offset: the offset to start retrieving reports from.
+ :param sort: sort order: asc or desc
+ :return: Demisto outputs when entry_context and responses are lists
+ """
+ response = client.find_submission_id(limit, filter, offset, sort)
+
+ resources_fields = ['id']
+ filtered_outputs = parse_outputs(response, resources_fields=resources_fields)
+ entry_context = {'csfalconx.resource(val.id === obj.id)': [filtered_outputs]}
+
+ return tableToMarkdown("CrowdStrike Falcon X response:", filtered_outputs), entry_context, [response]
+
+
+def main():
+ params = demisto.params()
+ username = params.get('credentials').get('identifier')
+ password = params.get('credentials').get('password')
+ use_ssl = not params.get('insecure', False)
+ proxy = params.get('proxy', False)
+ url = "https://api.crowdstrike.com/"
+ try:
+ command = demisto.command()
+ LOG(f'Command being called in CrowdStrikeFalconX Sandbox is: {command}')
+ client = Client(server_url=url, username=username, password=password, use_ssl=use_ssl, proxy=proxy)
+ commands = {
+ 'test-module': test_module,
+ 'cs-fx-upload-file': upload_file_command,
+ 'cs-fx-submit-uploaded-file': send_uploaded_file_to_sandbox_analysis_command,
+ 'cs-fx-submit-url': send_url_to_sandbox_analysis_command,
+ 'cs-fx-get-full-report': get_full_report_command,
+ 'cs-fx-get-report-summary': get_report_summary_command,
+ 'cs-fx-get-analysis-status': get_analysis_status_command,
+ 'cs-fx-download-ioc': download_ioc_command,
+ 'cs-fx-check-quota': check_quota_status_command,
+ 'cs-fx-find-reports': find_sandbox_reports_command,
+ 'cs-fx-find-submission-id': find_submission_id_command
+ }
+ if command in commands:
+ return_outputs(*commands[command](client, **demisto.args())) # type: ignore[operator]
+ else:
+ raise NotImplementedError(f'{command} is
not an existing CrowdStrike Falcon X command')
+ except Exception as err:
+ return_error(f'Unexpected error:\n{str(err)}', error=traceback.format_exc())
+
+
+if __name__ in ['__main__', 'builtin', 'builtins']:
+ main()
diff --git a/Packs/CrowdStrikeFalconX/Integrations/CrowdStrikeFalconX/CrowdStrikeFalconX.yml b/Packs/CrowdStrikeFalconX/Integrations/CrowdStrikeFalconX/CrowdStrikeFalconX.yml
new file mode 100644
index 000000000000..cc2159072ff4
--- /dev/null
+++ b/Packs/CrowdStrikeFalconX/Integrations/CrowdStrikeFalconX/CrowdStrikeFalconX.yml
@@ -0,0 +1,613 @@
+category: Forensics & Malware Analysis
+commonfields:
+ id: CrowdStrike Falcon X
+ version: -1
+configuration:
+- display: Client ID
+ name: credentials
+ required: true
+ type: 9
+- display: Trust any certificate (not secure)
+ name: insecure
+ required: false
+ type: 8
+- display: Use system proxy settings
+ name: proxy
+ required: false
+ type: 8
+description: Use the CrowdStrike Falcon X integration to submit files, file hashes, URLs, and FTPs for sandbox analysis, and to retrieve reports.
+display: CrowdStrike Falcon X
+name: CrowdStrike Falcon X
+script:
+ commands:
+ - arguments:
+ - default: false
+ description: Name of the file to upload for sandbox analysis.
+ isArray: false
+ name: file_name
+ required: true
+ secret: false
+ - default: false
+ description: A descriptive comment to identify the file for other users.
+ isArray: false
+ name: comment
+ required: false
+ secret: false
+ - auto: PREDEFINED
+ default: false
+ description: Determines the visibility of this file in Falcon MalQuery. Can be "true" or "false". If "true", the file is confidential.
+ isArray: false
+ name: is_confidential
+ predefined:
+ - 'true'
+ - 'false'
+ required: false
+ secret: false
+ - default: false
+ description: Content of the uploaded sample in binary format.
+ isArray: false
+ name: file
+ required: true
+ secret: false
+ - auto: PREDEFINED
+ default:
+ defaultValue: "no"
+ description: Whether to submit the given file to the sandbox. Can be "yes" or "no". Default is "no".
+ isArray: false
+ name: submit_file
+ predefined:
+ - 'no'
+ - 'yes'
+ required: false
+ secret: false
+ deprecated: false
+ description: Uploads a file for sandbox analysis.
+ execution: false
+ name: cs-fx-upload-file
+ outputs:
+ - contextPath: csfalconx.resource.sha256
+ description: SHA256 hash of the uploaded file.
+ type: String
+ - contextPath: csfalconx.resource.file_name
+ description: 'Name of the uploaded file.
'
+ type: String
+ - arguments:
+ - default: false
+ description: SHA256 ID of the sample, which is a SHA256 hash value. Find the sample
+ ID from the response when uploading a malware sample or search with the cs-fx-upload-file command.
+ isArray: false
+ name: sha256
+ required: true
+ secret: false
+ - auto: PREDEFINED
+ default: false
+ description: Sandbox environment used for analysis.
+ isArray: false
+ name: environment_id
+ predefined:
+ - '300: Linux Ubuntu 16.04'
+ - 64-bit
+ - '200: Android (static analysis)'
+ - '160: Windows 10'
+ - 64-bit
+ - '110: Windows 7'
+ - 64-bit
+ - '100: Windows 7'
+ - 32-bit
+ required: true
+ secret: false
+ - auto: PREDEFINED
+ default: false
+ description: Runtime script for sandbox analysis.
+ isArray: false
+ name: action_script
+ predefined:
+ - default
+ - default_maxantievasion
+ - default_randomfiles
+ - default_randomtheme
+ - default_openie
+ required: false
+ secret: false
+ - default: false
+ description: 'Command line script passed to the submitted file at runtime. Max
+ length: 2048 characters.'
+ isArray: false
+ name: command_line
+ required: false
+ secret: false
+ - default: false
+ description: 'Auto-filled for Adobe or Office files that prompt for a password.
+ Max length: 32 characters.'
+ isArray: false
+ name: document_password
+ required: false
+ secret: false
+ - auto: PREDEFINED
+ default: false
+ description: Whether the sandbox analysis routes network traffic via TOR. Can be "true" or "false". If true, sandbox analysis routes network traffic via TOR.
+ isArray: false
+ name: enable_tor
+ predefined:
+ - 'true'
+ - 'false'
+ required: false
+ secret: false
+ - default: false
+ description: Name of the malware sample that’s used for file type detection.
+ and analysis.
+ isArray: false
+ name: submit_name
+ required: false
+ secret: false
+ - default: false
+ description: Set a custom date for the sandbox environment in the format yyyy-MM-dd.
+ isArray: false
+ name: system_date
+ required: false
+ secret: false
+ - default: false
+ description: Sets a custom time for the sandbox environment in the format HH:mm.
+ isArray: false
+ name: system_time
+ required: false
+ secret: false
+ deprecated: false
+ description: Submits a sample SHA256 hash for sandbox analysis.
+ execution: false
+ name: cs-fx-submit-uploaded-file
+ outputs:
+ - contextPath: 'csfalconx.resource.uploaded_id '
+ description: Analysis ID received after uploading the file.
+ type: String
+ - contextPath: csfalconx.resource.state
+ description: Analysis state.
+ type: String
+ - contextPath: csfalconx.resource.created_timpestamp
+ description: Analysis start time.
+ type: String
+ - contextPath: csfalconx.resource.sha256
+ description: SHA256 hash of the scanned file.
+ type: Unknown
+ - contextPath: csfalconx.resource.environment_id
+ description: 'Environment ID of the analysis. '
+ type: Unknown
+ - arguments:
+ - default: false
+ description: ID of a submitted malware sample. Find a submission ID from the
+ response when submitting a malware sample or search with the cs-fx-submit-uploaded-file command.
+ isArray: true
+ name: ids
+ required: true
+ secret: false
+ deprecated: false
+ description: Gets a full version of a sandbox report.
+ execution: false
+ name: cs-fx-get-full-report
+ outputs:
+ - contextPath: csfalconx.resource.submitted_id
+ description: Analysis ID received after submitting the file.
+ type: String
+ - contextPath: csfalconx.resource.verdict
+ description: Analysis verdict.
+ type: String
+ - contextPath: csfalconx.resource.created_timpestamp
+ description: Analysis start time.
+ type: String
+ - contextPath: csfalconx.resource.environment_id
+ description: Environment ID.
+ type: String
+ - contextPath: csfalconx.resource.snadbox.environment_description
+ description: Environment description.
+ type: String
+ - contextPath: csfalconx.resource.threat_score
+ description: Score of the threat.
+ type: Int
+ - contextPath: csfalconx.resource.submit_url
+ description: URL submitted for analysis.
+ type: String
+ - contextPath: csfalconx.resource.submission_type
+ description: Type of submitted artifact, for example file, URL, etc.
+ type: String
+ - contextPath: csfalconx.resource.filetype
+ description: File type.
+ type: String
+ - contextPath: csfalconx.resource.filesize
+ description: File size.
+ type: Int
+ - contextPath: csfalconx.resource.sha256
+ description: SHA256 hash of the submitted file.
+ type: String
+ - contextPath: csfalconx.resource.ioc_report_strict_csv_artifact_id
+ description: ID of the IOC pack to download (CSV).
+ type: String
+ - contextPath: csfalconx.resource.ioc_report_broad_csv_artifact_id
+ description: ID of the IOC pack to download (CSV).
+ type: String
+ - contextPath: csfalconx.resource.ioc_report_strict_json_artifact_id
+ description: ID of the IOC pack to download (JSON).
+ type: Int
+ - contextPath: csfalconx.resource.ioc_report_broad_json_artifact_id
+ description: ID of the IOC pack to download (JSON).
+ type: String
+ - contextPath: csfalconx.resource.ioc_report_strict_stix_artifact_id
+ description: ID of the IOC pack to download (STIX).
+ type: String
+ - contextPath: csfalconx.resource.ioc_report_broad_stix_artifact_id
+ description: ID of the IOC pack to download (STIX).
+ type: Int
+ - contextPath: csfalconx.resource.ioc_report_strict_maec_artifact_id
+ description: ID of the IOC pack to download (MAEC).
+ type: String
+ - contextPath: csfalconx.resource.ioc_report_broad_maec_artifact_id
+ description: ID of the IOC pack to download (MAEC).
+ type: String
+ - arguments:
+ - default: false
+ description: ID of a submitted malware sample. Find a submission ID from the
+ response when submitting a malware sample or search with the cs-fx-submit-uploaded-file command.
+ isArray: true
+ name: ids
+ required: true
+ secret: false
+ deprecated: false
+ description: Gets a short summary version of a sandbox report.
+ execution: false
+ name: cs-fx-get-report-summary
+ outputs:
+ - contextPath: csfalconx.resource.id
+ description: Analysis ID.
+ type: String
+ - contextPath: csfalconx.resource.verdict
+ description: Analysis verdict.
+ type: String
+ - contextPath: csfalconx.resource.created_timpestamp
+ description: Analysis start time.
+ type: String
+ - contextPath: csfalconx.resource.environment_id
+ description: Environment ID.
+ type: String
+ - contextPath: csfalconx.resource.environment_description
+ description: Environment description.
+ type: String
+ - contextPath: csfalconx.resource.threat_score
+ description: Score of the threat.
+ type: Int
+ - contextPath: csfalconx.resource.submit_url
+ description: URL submitted for analysis.
+ type: String
+ - contextPath: csfalconx.resource.submission_type
+ description: Type of submitted artifact. For example, file, URL, etc.
+ type: String
+ - contextPath: csfalconx.resource.filetype
+ description: File type.
+ type: String
+ - contextPath: csfalconx.resource.filesize
+ description: File size.
+ type: Int
+ - contextPath: csfalconx.resource.sha256
+ description: SHA256 hash of the submitted file.
+ type: String
+ - contextPath: csfalconx.resource.ioc_report_strict_csv_artifact_id
+ description: ID of the IOC pack to download (CSV).
+ type: String
+ - contextPath: csfalconx.resource.ioc_report_broad_csv_artifact_id
+ description: ID of the IOC pack to download (CSV).
+ type: String
+ - contextPath: csfalconx.resource.ioc_report_strict_json_artifact_id
+ description: ID of the IOC pack to download (JSON).
+ type: Int
+ - contextPath: csfalconx.resource.ioc_report_broad_json_artifact_id
+ description: ID of the IOC pack to download (JSON).
+ type: String
+ - contextPath: csfalconx.resource.ioc_report_strict_stix_artifact_id
+ description: ID of the IOC pack to download (STIX).
+ type: String
+ - contextPath: csfalconx.resource.ioc_report_broad_stix_artifact_id
+ description: ID of the IOC pack to download (STIX).
+ type: Int
+ - contextPath: csfalconx.resource.ioc_report_strict_maec_artifact_id
+ description: ID of the IOC pack to download (MAEC).
+ type: String
+ - contextPath: csfalconx.resource.ioc_report_broad_maec_artifact_id
+ description: ID of the IOC pack to download (MAEC).
+ type: String
+ - arguments:
+ - default: false
+ description: ID of a submitted malware sample. Find a submission ID from the
+ response when submitting a malware sample or search with the cs-fx-submit-uploaded-file/url command.
+ isArray: true
+ name: ids
+ required: true
+ secret: false
+ deprecated: false
+ description: Checks the status of a sandbox analysis.
+ execution: false
+ name: cs-fx-get-analysis-status
+ outputs:
+ - contextPath: csfalconx.resource.id
+ description: Analysis ID.
+ type: String
+ - contextPath: csfalconx.resource.verdict
+ description: Analysis verdict.
+ type: String
+ - contextPath: csfalconx.resource.created_timpestamp
+ description: Analysis start time.
+ type: String
+ - contextPath: csfalconx.resource.environment_id
+ description: Environment ID.
+ type: String
+ - contextPath: csfalconx.resource.environment_description
+ description: Environment description.
+ type: String
+ - contextPath: csfalconx.resource.threat_score
+ description: Score of the threat.
+ type: Int
+ - contextPath: csfalconx.resource.submit_url
+ description: URL submitted for analysis.
+ type: String
+ - contextPath: csfalconx.resource.submission_type
+ description: Type of submitted artifact. For example, file, URL, etc.
+ type: String
+ - contextPath: csfalconx.resource.filetype
+ description: File type.
+ type: String
+ - contextPath: csfalconx.resource.filesize
+ description: File size.
+ type: Int
+ - contextPath: csfalconx.resource.sha256
+ description: SHA256 hash of the submitted file.
+ type: String
+ - contextPath: csfalconx.resource.ioc_report_strict_csv_artifact_id
+ description: ID of the IOC pack to download (CSV).
+ type: String
+ - contextPath: csfalconx.resource.ioc_report_broad_csv_artifact_id
+ description: ID of the IOC pack to download (CSV).
+ type: String
+ - contextPath: csfalconx.resource.ioc_report_strict_json_artifact_id
+ description: ID of the IOC pack to download (JSON).
+ type: Int
+ - contextPath: csfalconx.resource.ioc_report_broad_json_artifact_id
+ description: ID of the IOC pack to download (JSON).
+ type: String
+ - contextPath: csfalconx.resource.ioc_report_strict_stix_artifact_id
+ description: ID of the IOC pack to download (STIX).
+ type: String
+ - contextPath: csfalconx.resource.ioc_report_broad_stix_artifact_id
+ description: ID of the IOC pack to download (STIX).
+ type: Int
+ - contextPath: csfalconx.resource.ioc_report_strict_maec_artifact_id
+ description: ID of the IOC pack to download (MAEC).
+ type: String
+ - contextPath: csfalconx.resource.ioc_report_broad_maec_artifact_id
+ description: ID of the IOC pack to download (MAEC).
+ type: String
+ - deprecated: false
+ description: Returns the total quota number and the in use quota number.
+ execution: false
+ name: cs-fx-check-quota
+ outputs:
+ - contextPath: csfalconx.resource.quota.total
+ description: 'Total quota number. '
+ type: Number
+ - contextPath: csfalconx.resource.quota.used
+ description: Used quota number.
+ type: Number
+ - contextPath: csfalconx.resource.quota.in_progress
+ description: Analysis in progress.
+ type: Number
+ - arguments:
+ - default: false
+ description: Optional filter and sort criteria in the form of an FQL query.
+ isArray: false
+ name: filter
+ required: false
+ secret: false
+ - default: false
+ description: The offset from which to start retrieving reports.
+ isArray: false
+ name: offset
+ required: false
+ secret: false
+ - default: false
+ description: 'Maximum number of report IDs to return. Maximum is 5000.'
+ isArray: false
+ name: limit
+ required: false
+ secret: false
+ - auto: PREDEFINED
+ default: false
+ description: Sort order.
Can be "asc" or "desc".
+ isArray: false
+ name: sort
+ predefined:
+ - asc
+ - desc
+ required: false
+ secret: false
+ deprecated: false
+ description: Finds sandbox reports by providing an FQL filter and paging details.
+ execution: false
+ name: cs-fx-find-reports
+ outputs:
+ - contextPath: csfalconx.resource.id
+ description: 'Set of report IDs that match the search criteria. '
+ type: Number
+ - arguments:
+ - default: false
+ description: Optional filter and sort criteria in the form of an FQL query.
+ isArray: false
+ name: filter
+ required: false
+ secret: false
+ - default: false
+ description: The offset from which to start retrieving reports.
+ isArray: false
+ name: offset
+ required: false
+ secret: false
+ - default: false
+ description: 'Maximum number of report IDs to return. Maximum is 5000.'
+ isArray: false
+ name: limit
+ required: false
+ secret: false
+ - auto: PREDEFINED
+ default: false
+ description: Sort order. Can be "asc" or "desc".
+ isArray: false
+ name: sort
+ predefined:
+ - asc
+ - desc
+ required: false
+ secret: false
+ deprecated: false
+ description: Finds submission IDs for uploaded files by providing an FQL filter
+ and paging details. Returns a set of submission IDs that match the search criteria.
+ execution: false
+ name: cs-fx-find-submission-id
+ outputs:
+ - contextPath: csfalconx.resource.id
+ description: 'Set of report IDs that match the search criteria. '
+ type: Number
+ - arguments:
+ - default: false
+ description: |-
+ A web page or file URL. It can be HTTP(S) or FTP.
+ For example: “https://url.com”,“ftp://ftp.com”
+ isArray: false
+ name: url
+ required: true
+ secret: false
+ - auto: PREDEFINED
+ default: false
+ description: Sandbox environment used for analysis.
+ isArray: false
+ name: environment_id
+ predefined:
+ - '300: Linux Ubuntu 16.04'
+ - 64-bit
+ - '200: Android (static analysis)'
+ - '160: Windows 10'
+ - 64-bit
+ - '110: Windows 7'
+ - 64-bit
+ - '100: Windows 7'
+ - 32-bit
+ required: true
+ secret: false
+ - default: false
+ description: |-
+ Runtime script for sandbox analysis. Values:
+ default
+ default_maxantievasion
+ default_randomfiles
+ default_randomtheme
+ default_openie
+ isArray: false
+ name: action_script
+ required: false
+ secret: false
+ - default: false
+ description: 'Command line script passed to the submitted file at runtime. Max
+ length: 2048 characters'
+ isArray: false
+ name: command_line
+ required: false
+ secret: false
+ - default: false
+ description: 'Auto-filled for Adobe or Office files that prompt for a password.
+ Max length: 32 characters.'
+ isArray: false
+ name: document_password
+ required: false
+ secret: false
+ - auto: PREDEFINED
+ default: false
+ defaultValue: 'false'
+ description: 'Whether the sandbox analysis routes network traffic via TOR. Can be "true" or "false". If true, sandbox analysis routes network traffic via TOR. Default is false.'
+ isArray: false
+ name: enable_tor
+ predefined:
+ - 'false'
+ - ' true'
+ required: false
+ secret: false
+ - default: false
+ description: Name of the malware sample that’s used for file type detection
+ and analysis.
+ isArray: false
+ name: submit_name
+ required: false
+ secret: false
+ - default: false
+ description: Sets a custom date for the sandbox environment in the format yyyy-MM-dd.
+ isArray: false
+ name: system_date
+ required: false
+ secret: false
+ - default: false
+ description: Sets a custom time for the sandbox environment in the format HH:mm.
+ isArray: false
+ name: system_time
+ required: false
+ secret: false
+ deprecated: false
+ description: Submits a URL or FTP for sandbox analysis.
+ execution: false
+ name: cs-fx-submit-url
+ outputs:
+ - contextPath: csfalconx.resource.submitted_id
+ description: Analysis ID received after submitting the file.
+ type: String
+ - contextPath: csfalconx.resource.state
+ description: Analysis state.
+ type: String
+ - contextPath: csfalconx.resource.created_timpestamp
+ description: Analysis start time.
+ type: String
+ - contextPath: csfalconx.resource.sha256
+ description: SHA256 hash of the scanned file.
+ type: Unknown
+ - contextPath: csfalconx.resource.environment_id
+ description: Environment ID of the analysis.
+ type: Unknown
+ - arguments:
+ - default: false
+ description: ID of an artifact, such as an IOC pack, PCAP file, or actor image.
+ Find an artifact ID in a report or summary.
+ isArray: false
+ name: id
+ required: true
+ secret: false
+ - default: false
+ description: The name given to then downloaded file.
+ isArray: false
+ name: name
+ required: false
+ secret: false
+ - default: false
+ defaultValue: gzip
+ description: Format used to compress the downloaded file. Currently, you must
+ provide the value of the GZIP file.
+ isArray: false
+ name: accept_encoding
+ required: false
+ secret: false
+ deprecated: false
+ description: Downloads IOC packs, PCAP files, and other analysis artifacts.
+ execution: false
+ name: cs-fx-download-ioc
+ dockerimage: demisto/python3:3.8.3.9324
+ feed: false
+ isfetch: false
+ longRunning: false
+ longRunningPort: false
+ runonce: false
+ script: '-'
+ subtype: python3
+ type: python
+fromversion: 5.0.0
+tests:
+- No tests - no instance
diff --git a/Packs/CrowdStrikeFalconX/Integrations/CrowdStrikeFalconX/CrowdStrikeFalconX_description.md b/Packs/CrowdStrikeFalconX/Integrations/CrowdStrikeFalconX/CrowdStrikeFalconX_description.md
new file mode 100644
index 000000000000..13d7c67e29a9
--- /dev/null
+++ b/Packs/CrowdStrikeFalconX/Integrations/CrowdStrikeFalconX/CrowdStrikeFalconX_description.md
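Review bot: The `environment_id` predefined list under cs-fx-submit-uploaded-file carries `64-bit` and `32-bit` as standalone choices, presumably split off from the preceding entries, so a user who picks one of them submits a value that is not an environment ID; the same list is repeated under cs-fx-submit-url, and both would need each suffix folded back into its entry, e.g. `- '300: Linux Ubuntu 16.04, 64-bit'`. In the cs-fx-submit-url `enable_tor` list the second value is `' true'` with a leading space, which is not the literal `true` the description promises; change it to `- 'true'`. Several `contextPath` entries are spelled `created_timpestamp` (plus `snadbox.environment_description` and a trailing space in `'csfalconx.resource.uploaded_id '`), while the Python commands in this commit extract `created_timestamp`, so the documented paths will not match what is written to context. The cs-fx-get-analysis-status outputs also list verdict, threat_score and the IOC artifact IDs although that command only extracts id, state, created_timestamp, environment_id and sha256; listing `csfalconx.resource.state` and dropping the fields it never produces would keep the declared schema honest.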
@@ -0,0 +1,10 @@
+## CrowdStrike Falcon X
+To create a client ID and client secret (the password in the integration) refer to [CrowdStrike Falcon X API Client and keys](https://falcon.crowdstrike.com/support/api-clients-and-keys).
+
+The process for submitting files contains 2 commands:
+* cs-fx-upload-file
+* cs-fx-submit-uploaded-file
+First we upload the file and retrieve its SHA256 hash. Then, we use that ID to upload the file to the sandbox.
+If you want to upload a file to the sandbox in a single command, use the cs-fx-upload-file and supply the following argument and value: submit_file=yes.
+
+For more information on CrowdStrike Falcon X, see the [CrowdStrike Falcon X FAQ](https://www.crowdstrike.com/endpoint-security-products/falcon-x-threat-intelligence/crowdstrike-falcon-x-faq/).
diff --git a/Packs/CrowdStrikeFalconX/Integrations/CrowdStrikeFalconX/CrowdStrikeFalconX_image.png b/Packs/CrowdStrikeFalconX/Integrations/CrowdStrikeFalconX/CrowdStrikeFalconX_image.png new file mode 100644 index 0000000000000000000000000000000000000000..42dde6b74ce9a4b2c6ccdd1cbd8db455934651d6 GIT binary patch literal 4182 zcmaKwXEYlO!-i2ailkzXK1#KzOt00{{R-3v{K;lJ(wZ^Wr7Nk~Wu`A>EK z9i-ldP&Ja8F-{^02@v=KqH63C*IDstzE{NpX&XvR2)#6s}=d#eKK`F_?2J~PvzRG`}H zL)RvW28p%?@2)efd`PWicB(!|Kx8248oQ@+w!fj=sZ^TKbszV1cJ#}r;EgmH(0unH z$y-l{BKfTm_F<;roZhNYk*!fk%K)`WI&Incz2@JteFj@nSOWNE~ST@qi4IF zTm>0OK_(CKDL8)|#|o7?oDQ(qT;p!#$(dbc+i2L$@Cy|Nhwh}C7o|zpyX5vqrYVQ;$WA+e# z0c9?rZKjYzg4y@ia^oU%KQ8o=#o^7oCR5Uhy7EC_IL;l67 z?(Z~ejoVrii`@ZArz~_=8Jc*D07ZyO+rgnbE7Md1KWzB~Rd}x#z z>5{ZnE@LM6u}A2{)lKERBbTfh{Q^UNEV?t3FP|fDm$A1!lsd~pPxVQ@On_{bDhbXZ ze`bjA1mYM;>YwwYFvNw9RpQTHYAon)9Q6OO1%+)K5l+Yk*6U9u+F1iWQZnD%GcXsN zz2B}eOB~2FS}3pB{%l#|v%28N<6T4SkfBP9`Reu_V&jthx=xso7Q$KAv+6@`rJ?Gd z5(Q>y(u1y4b+&*}GyE=$h+y+YOanu7G;(CGJ|0kiikl4V^yyjIMGR5Nm*offW5n76 z$B{~0?`>b-gC#H9`s#&C$j`7AH{sLjLTS+C(6k&bl%|Oae1Mv-L2UP^;)8A+yMbV0 zxzq>ACQFwQ{d05hv7Y^Y&aHG4o zWS;BK^suhw7O^EM!^Q*OFttOUJQScRiDmSL3xL{ma9F`@z-hZo6@=2T? 
z^Xn0!Yz=#n5oi$Tu!%MvG3!7UUzZyD@;j}pesTJGASbLE6-=ye325c6zX1-5*KV&o zdx>%|#2b$Usi5xxuZ=j^l_F5H+rgp*^Zh0`x~bpXo6lIdOEq@=7H0`vwpe@iB&w&; zRN3!(uFMVxsym(xTFrDX8z||N$dDr$T?<~tP zE1u#rCmtRc(5E7!1pj)!r$!>r!o!U+zQ)VyW~Gu!pmsItFUO6weFX*!{?nb?qaa)+ zLB*B?R#IfRrv1SG!m|9_b(k`1p4AKd$}PIUJP0N9OpeN54UFgF>Ma-8-wrw1Zt~jT`G(=XnOa zQKUQw1=u&F3kRFmAjeEfSkfXZJh#DXjTjX;x*xaPYSt^<0=v8qH+1HGObZw`QWO9$ z^Q>g(YDV%ZR0dh|<#5C)$jj$j3#3Om7kN3O15`m(u*s~dpvC-tW$&H_RI)4nZC)|T zQaFV$oO=A=0;$mGUC2>29X+@lhh&r-JTK>|GZHfs4(zVlNtS;wpqI=0)ih$fXS*9D zleD8^qouj6s6^c{;MrVkt$SG>Z}9*RPz~dtC;n}gZQ)!q1hpF#HO2WXS;{uhV;z-< z^tG;cwQkSZT~cq(fj*ic0=6c0`Z9C?Tz>XCA;%kWI$1YY9zWq-AzPdGYCkxXyW{ju`56XCSyi-#2}_DAc+ z{Ota}5lfjF(F-RA}wFKfv-Gww&WrD9x zyg6dl@TTW&^$=alokDq+bx^4n1){49D0I;p8zvgG~LARj6RNK|=>IqOZ5eyP`_-z&#OmLV_poawt zJWS2y+f=Y#oOEShX4+QZF}?&!{AT~GQoEBgB&JXx(3GE-_VO8|Ri)rsDmm)?FU_;! zX)NpRI18Y}W0)GYE3i1x$w`;zk`s$}EJQ9GQVoymOie9Q$|$ervQUiq%_&F|1B4=p zaBA1!N763A#d16Rm5^nj;jd0H348Z+Ug^(w*|F`E`*kyc8pE< zDyfsH=@>F;Xn%zft)#*_%;w>?sX-M&xHN?W3V;i0Uxg!S#H+v8F#!3O(p94FAXN4K zK-X5pDCWx!J`haAyB>X+-(9@O?xA+-xTdMOzCB7{Fq0l(D43T@TW%xY)pg3J1I;k{t@YV4i*QhBuFdEYwCBxJ+<;k!r&8KU)_a=F@Ycg*Ln>vjTzj_^f?76vhtL`ucJIeb2(*8x(2` zdS5HKcOHri%B%?cKNmgy0|wg+*mbmMPB2_g0c9L0o~CN7tk*rOQ%AT}7d@fb>j9A> zS3ccIpoWQTll`RcM&mPqwwU6*z;#=S_VK1JlOT%B_Hn{%SIjiO?spB7#~c_n0OyZU zBi(}vi+7(Jb`SY~s0lMRHyfym?BHV5c2mNkR=RnYlQ-+60U$Lg$gG%$qa{ASvY3Q> zE)>|Hf%kJgo|O(9DEJUL<)@#@UF8&0yU`ctDh0yM*?kwwHtrG}1$}z6k7cKFPaYcn z70mz5lVPu!^D7JWE_=xc(DDz1baIHvN=hnLmkt$q_xaL$Y0sC`JZZytj+)RzO6yZ7 z=*K$5>V41WP(mqzFTx1!*xfniRdT;lxLdjRWwW}Arh)2f0B!u!(^pLkr-R*lGH7Oe z7{R8ny2r7^)ZcW)Iakw+geJ_4VentR~^j&V(6gX|F zTJbcm|6CsY^7V7LRThnCD^Ob|=tetLunWI7^Xn|1YjAAa@#MuwgRNtD$oC<7FvK)B z1*%`tx_#84s&{4G8+L(|a}UulS&Drc-#sGPH*`Yg2k^{&Wdl>UxJV?p`3|lm#-!io z(7GiUZoE8+5|f?Ayk#6a0_XiRp3&(SG$__>aBqZ3zL(05{=&h{vz@%JQ(hV#?6&3K zg!N3wmR!O#Sv2dR1m)XS!^(wza>!6yQQb(l25nUzz4SRdbrzx4f-qqyd<6v^ zT7hZXpwiaN`&rRc9{qAN!w)^)ovkg{eSJ#T9!(=xE4Fh~_fq$J082|_ebROD6%O!` 
zU!u=0RFMHm=>QAc`l}~Bqxv8QB4`!e`^$Ym_&Ra65mYfP0w`vPeJVe@lc@s=JT0U|ws--tCK}$c2|>W@(mrg-XMK2MHQ{1@jY^2qAf?CXwHI6{LCnwIWOu69&jbfs-%!K*vVon)cA-W?4=$rt}H*!ix5Z3?U^6 zj;4@2s))H#dwckP=hUE&aI4|4`Xf7=6LA;1GGzP~@mAowW^MyinDTqRyG_>>>O?A?69$CI;s)X&S@#5{pnf5^X#uu&3oFaS0B?*jXsn~;AK*}xC zT&|6@=B}2hQ3RS{RQXAKIq)gP#S>C5dq6~g3^)=JW)mheHD!2%beHmBpub`mub~SP z^TJ4?c>&BIx4SdKGHhcRW<}L^_RhSp(o>B)Bk@k<3ikzsbOJvjh zBPxV??XG}#Jf&xI9u9@4Wo9XB@~U@47!UK*G?S``4{A~KZ<`}gtflBQAvlZn z2fZ=_y_b7hY$XMzitcAX7q3A}m{#f6pkH0VSUNJY_!nYUmFeYIy^kX|Gp+8>(O&%Q z$TdBC_-7iC`U-smPn!T|=q;Fj+e#!F*2rv`Vjv@*C%DtDyxwF`|EFpLizXulUWC8SZygC4~MDaGAjKr)}SE?D$O_ Sv;I8_NM1bGh196ohW{VSv=IFO literal 0 HcmV?d00001 diff --git a/Packs/CrowdStrikeFalconX/Integrations/CrowdStrikeFalconX/CrowdStrikeFalconX_test.py b/Packs/CrowdStrikeFalconX/Integrations/CrowdStrikeFalconX/CrowdStrikeFalconX_test.py new file mode 100644 index 000000000000..572a172cf531 --- /dev/null +++ b/Packs/CrowdStrikeFalconX/Integrations/CrowdStrikeFalconX/CrowdStrikeFalconX_test.py 
@@ -0,0 +1,132 @@
+from CrowdStrikeFalconX import Client,\
+ send_uploaded_file_to_sandbox_analysis_command, send_url_to_sandbox_analysis_command,\
+ get_full_report_command, get_report_summary_command, get_analysis_status_command,\
+ check_quota_status_command, find_sandbox_reports_command, find_submission_id_command
+from TestsInput.context import SEND_UPLOADED_FILE_TO_SENDBOX_ANALYSIS_CONTEXT, SEND_URL_TO_SANDBOX_ANALYSIS_CONTEXT,\
+ GET_FULL_REPORT_CONTEXT, GET_REPORT_SUMMARY_CONTEXT, GET_ANALYSIS_STATUS_CONTEXT, CHECK_QUOTA_STATUS_CONTEXT,\
+ FIND_SANDBOX_REPORTS_CONTEXT, FIND_SUBMISSION_ID_CONTEXT, MULTIPLE_ERRORS_RESULT
+from TestsInput.http_responses import SEND_UPLOADED_FILE_TO_SENDBOX_ANALYSIS_HTTP_RESPONSE,\
+ SEND_URL_TO_SANDBOX_ANALYSIS_HTTP_RESPONSE, GET_FULL_REPORT_HTTP_RESPONSE, GET_REPORT_SUMMARY_HTTP_RESPONSE,\
+ CHECK_QUOTA_STATUS_HTTP_RESPONSE, FIND_SANDBOX_REPORTS_HTTP_RESPONSE, FIND_SUBMISSION_ID_HTTP_RESPONSE,\
+ GET_ANALYSIS_STATUS_HTTP_RESPONSE, MULTI_ERRORS_HTTP_RESPONSE, NO_ERRORS_HTTP_RESPONSE
+import pytest
+
+
+class ResMocker:
+ def __init__(self, http_response):
+ self.http_response = http_response
+ self.ok = False
+
+ def json(self):
+ return self.http_response
+
+
+SEND_UPLOADED_FILE_TO_SENDBOX_ANALYSIS_ARGS = {
+ "sha256": "sha256",
+ "environment_id": "160: Windows 10",
+ "action_script": "",
+ "command_line": "",
+ "document_password": "",
+ "enable_tor": "false",
+ "submit_name": "",
+ "system_date": "",
+ "system_time": ""
+}
+
+
+SEND_URL_TO_SANDBOX_ANALYSIS_ARGS = {
+ "url": "https://www.google.com",
+ "environment_id": "160: Windows 10",
+ "enable_tor": "False",
+ "action_script": "",
+ "command_line": "",
+ "document_password": "",
+ "submit_name": "",
+ "system_date": "",
+ "system_time": ""
+}
+
+GET_FULL_REPORT_ARGS = {
+ "ids": "ids",
+}
+
+GET_REPORT_SUMMARY_ARGS = {
+ "ids": "ids",
+}
+
+GET_ANALYSIS_STATUS_ARGS = {
+ "ids": "ids",
+}
+
+FIND_SANDBOX_REPORTS_ARGS = {
+ "offset": "",
+ "limit": "",
+ "sort": "",
+ "filter": "",
+}
+
+FIND_SUBMISSION_ID_ARGS = {
+ "offset": "",
+ "limit": "",
+ "sort": "",
+ "filter": "",
+}
+
+
+@pytest.mark.parametrize('command, args, http_response, context', [
+ (send_uploaded_file_to_sandbox_analysis_command, SEND_UPLOADED_FILE_TO_SENDBOX_ANALYSIS_ARGS,
+ SEND_UPLOADED_FILE_TO_SENDBOX_ANALYSIS_HTTP_RESPONSE, SEND_UPLOADED_FILE_TO_SENDBOX_ANALYSIS_CONTEXT),
+ (send_url_to_sandbox_analysis_command, SEND_URL_TO_SANDBOX_ANALYSIS_ARGS,
+ SEND_URL_TO_SANDBOX_ANALYSIS_HTTP_RESPONSE, SEND_URL_TO_SANDBOX_ANALYSIS_CONTEXT),
+ (get_full_report_command, GET_FULL_REPORT_ARGS, GET_FULL_REPORT_HTTP_RESPONSE, GET_FULL_REPORT_CONTEXT),
+ (get_report_summary_command, GET_REPORT_SUMMARY_ARGS, GET_REPORT_SUMMARY_HTTP_RESPONSE, GET_REPORT_SUMMARY_CONTEXT),
+ (get_analysis_status_command, GET_ANALYSIS_STATUS_ARGS, GET_ANALYSIS_STATUS_HTTP_RESPONSE,
+ GET_ANALYSIS_STATUS_CONTEXT),
+ (check_quota_status_command, {}, CHECK_QUOTA_STATUS_HTTP_RESPONSE, CHECK_QUOTA_STATUS_CONTEXT),
+ (find_sandbox_reports_command, FIND_SANDBOX_REPORTS_ARGS, FIND_SANDBOX_REPORTS_HTTP_RESPONSE,
+ FIND_SANDBOX_REPORTS_CONTEXT),
+ (find_submission_id_command, FIND_SUBMISSION_ID_ARGS, FIND_SUBMISSION_ID_HTTP_RESPONSE, FIND_SUBMISSION_ID_CONTEXT),
+])
+def test_cs_falconx_commands(command, args, http_response, context, mocker):
+ """Unit test
+ Given
+ - demisto args
+ - raw response of the http request
+ When
+ - mock the http request result
+ Then
+ - convert the result to human readable table
+ - create the context
+ - validate the expected_result and the created context
+ """
+ mocker.patch.object(Client, '_generate_token')
+ client = Client(server_url="https://api.crowdstrike.com/", username="user1", password="12345", use_ssl=False,
+ proxy=False)
+
+ mocker.patch.object(Client, '_http_request', return_value=http_response)
+
+ _, outputs, _ = command(client, **args)
+ assert outputs == context
+
+
+@pytest.mark.parametrize('http_response, output', [
+ (MULTI_ERRORS_HTTP_RESPONSE, MULTIPLE_ERRORS_RESULT),
+ (NO_ERRORS_HTTP_RESPONSE, "")
+])
+def test_handle_errors(http_response, output, mocker):
+ """Unit test
+ Given
+ - raw response of the http request
+ When
+ - there are or there are no errors
+ Then
+ - show the exception content
+ """
+ mocker.patch.object(Client, '_generate_token')
+ client = Client(server_url="https://api.crowdstrike.com/", username="user1", password="12345", use_ssl=False,
+ proxy=False)
+ try:
+ mocker.patch.object(client._session, 'request', return_value=ResMocker(http_response))
+ _, output, _ = check_quota_status_command(client)
+ except Exception as e:
+ assert (str(e) == str(output))
diff --git a/Packs/CrowdStrikeFalconX/Integrations/CrowdStrikeFalconX/Pipfile b/Packs/CrowdStrikeFalconX/Integrations/CrowdStrikeFalconX/Pipfile
new file mode 100644
index 000000000000..3523d3b6b93b
--- /dev/null
+++ b/Packs/CrowdStrikeFalconX/Integrations/CrowdStrikeFalconX/Pipfile
@@ -0,0 +1,18 @@
+[[source]]
+name = "pypi"
+url = "https://pypi.org/simple"
+verify_ssl = true
+
+[dev-packages]
+pylint = "*"
+pytest = "==5.0.1"
+pytest-mock = "*"
+requests-mock = "*"
+pytest-asyncio = "*"
+
+[packages]
+pytest = "*"
+requests = "*"
+
+[requires]
+python_version = "3.7"
diff --git a/Packs/CrowdStrikeFalconX/Integrations/CrowdStrikeFalconX/Pipfile.lock b/Packs/CrowdStrikeFalconX/Integrations/CrowdStrikeFalconX/Pipfile.lock
new file mode 100644
index 000000000000..6bdb9313414e
--- /dev/null
+++ b/Packs/CrowdStrikeFalconX/Integrations/CrowdStrikeFalconX/Pipfile.lock
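Review bot: `test_handle_errors` passes vacuously whenever `check_quota_status_command` does not raise, because its only assertion sits in the `except` branch — the `NO_ERRORS_HTTP_RESPONSE` case (expected `output` of `""`) asserts nothing if the call succeeds, and a regression that stops raising for `MULTI_ERRORS_HTTP_RESPONSE` would go unnoticed. Rebinding `output` inside the `try` also shadows the parametrized expected value, so even a later assertion would compare against the wrong thing. Use `pytest.raises` for the case expected to raise and a plain call with an assertion on the returned outputs for the other; it is not visible from this hunk whether `ResMocker.ok = False` is meant to make both responses raise, so confirm against `Client`'s error handling before deciding which branch each response belongs to. The parentheses in `assert (str(e) == str(output))` are also unnecessary.

```python
    mocker.patch.object(client._session, 'request', return_value=ResMocker(http_response))
    if output:
        with pytest.raises(Exception) as excinfo:
            check_quota_status_command(client)
        assert str(excinfo.value) == str(output)
    else:
        _, outputs, _ = check_quota_status_command(client)
        # assert on `outputs` for the no-error response — expected value to be confirmed against Client
```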
@@ -0,0 +1,369 @@ +{ + "_meta": { + "hash": { + "sha256": "278db815bec49c11262633d34305f9b33f09432a223bedd5329a04f758f78b55" + }, + "pipfile-spec": 6, + "requires": { + "python_version": "3.7" + }, + "sources": [ + { + "name": "pypi", + "url": "https://pypi.org/simple", + "verify_ssl": true + } + ] + }, + "default": { + "atomicwrites": { + "hashes": [ + "sha256:03472c30eb2c5d1ba9227e4c2ca66ab8287fbfbbda3888aa93dc2e28fc6811b4", + "sha256:75a9445bac02d8d058d5e1fe689654ba5a6556a1dfd8ce6ec55a0ed79866cfa6" + ], + "version": "==1.3.0" + }, + "attrs": { + "hashes": [ + "sha256:69c0dbf2ed392de1cb5ec704444b08a5ef81680a61cb899dc08127123af36a79", + "sha256:f0b870f674851ecbfbbbd364d6b5cbdff9dcedbc7f3f5e18a6891057f21fe399" + ], + "version": "==19.1.0" + }, + "certifi": { + "hashes": [ + "sha256:e4f3620cfea4f83eedc95b24abd9cd56f3c4b146dd0177e83a21b4eb49e21e50", + "sha256:fd7c7c74727ddcf00e9acd26bba8da604ffec95bf1c2144e67aff7a8b50e6cef" + ], + "version": "==2019.9.11" + }, + "chardet": { + "hashes": [ + "sha256:84ab92ed1c4d4f16916e05906b6b75a6c0fb5db821cc65e70cbd64a3e2a5eaae", + "sha256:fc323ffcaeaed0e0a02bf4d117757b98aed530d9ed4531e3e15460124c106691" + ], + "version": "==3.0.4" + }, + "idna": { + "hashes": [ + "sha256:c357b3f628cf53ae2c4c05627ecc484553142ca23264e593d327bcde5e9c3407", + "sha256:ea8b7f6188e6fa117537c3df7da9fc686d485087abf6ac197f9c46432f7e4a3c" + ], + "version": "==2.8" + }, + "importlib-metadata": { + "hashes": [ + "sha256:652234b6ab8f2506ae58e528b6fbcc668831d3cc758e1bc01ef438d328b68cdb", + "sha256:6f264986fb88042bc1f0535fa9a557e6a376cfe5679dc77caac7fe8b5d43d05f" + ], + "markers": "python_version < '3.8'", + "version": "==0.22" + }, + "more-itertools": { + "hashes": [ + "sha256:409cd48d4db7052af495b09dec721011634af3753ae1ef92d2b32f73a745f832", + "sha256:92b8c4b06dac4f0611c0729b2f2ede52b2e1bac1ab48f089c7ddc12e26bb60c4" + ], + "version": "==7.2.0" + }, + "packaging": { + "hashes": [ + "sha256:a7ac867b97fdc07ee80a8058fe4435ccd274ecc3b0ed61d852d7d53055528cf9", + 
"sha256:c491ca87294da7cc01902edbe30a5bc6c4c28172b5138ab4e4aa1b9d7bfaeafe" + ], + "version": "==19.1" + }, + "pluggy": { + "hashes": [ + "sha256:0db4b7601aae1d35b4a033282da476845aa19185c1e6964b25cf324b5e4ec3e6", + "sha256:fa5fa1622fa6dd5c030e9cad086fa19ef6a0cf6d7a2d12318e10cb49d6d68f34" + ], + "version": "==0.13.0" + }, + "py": { + "hashes": [ + "sha256:64f65755aee5b381cea27766a3a147c3f15b9b6b9ac88676de66ba2ae36793fa", + "sha256:dc639b046a6e2cff5bbe40194ad65936d6ba360b52b3c3fe1d08a82dd50b5e53" + ], + "version": "==1.8.0" + }, + "pyparsing": { + "hashes": [ + "sha256:6f98a7b9397e206d78cc01df10131398f1c8b8510a2f4d97d9abd82e1aacdd80", + "sha256:d9338df12903bbf5d65a0e4e87c2161968b10d2e489652bb47001d82a9b028b4" + ], + "version": "==2.4.2" + }, + "pytest": { + "hashes": [ + "sha256:95d13143cc14174ca1a01ec68e84d76ba5d9d493ac02716fd9706c949a505210", + "sha256:b78fe2881323bd44fd9bd76e5317173d4316577e7b1cddebae9136a4495ec865" + ], + "index": "pypi", + "version": "==5.1.2" + }, + "requests": { + "hashes": [ + "sha256:11e007a8a2aa0323f5a921e9e6a2d7e4e67d9877e85773fba9ba6419025cbeb4", + "sha256:9cf5292fcd0f598c671cfc1e0d7d1a7f13bb8085e9a590f48c010551dc6c4b31" + ], + "index": "pypi", + "version": "==2.22.0" + }, + "six": { + "hashes": [ + "sha256:3350809f0555b11f552448330d0b52d5f24c91a322ea4a15ef22629740f3761c", + "sha256:d16a0141ec1a18405cd4ce8b4613101da75da0e9a7aec5bdd4fa804d0e0eba73" + ], + "version": "==1.12.0" + }, + "urllib3": { + "hashes": [ + "sha256:b246607a25ac80bedac05c6f282e3cdaf3afb65420fd024ac94435cabe6e18d1", + "sha256:dbe59173209418ae49d485b87d1681aefa36252ee85884c31346debd19463232" + ], + "version": "==1.25.3" + }, + "wcwidth": { + "hashes": [ + "sha256:3df37372226d6e63e1b1e1eda15c594bca98a22d33a23832a90998faa96bc65e", + "sha256:f4ebe71925af7b40a864553f761ed559b43544f8f71746c2d756c7fe788ade7c" + ], + "version": "==0.1.7" + }, + "zipp": { + "hashes": [ + "sha256:3718b1cbcd963c7d4c5511a8240812904164b7f381b647143a89d3b98f9bcd8e", + 
"sha256:f06903e9f1f43b12d371004b4ac7b06ab39a44adc747266928ae6debfa7b3335" + ], + "version": "==0.6.0" + } + }, + "develop": { + "astroid": { + "hashes": [ + "sha256:6560e1e1749f68c64a4b5dee4e091fce798d2f0d84ebe638cf0e0585a343acf4", + "sha256:b65db1bbaac9f9f4d190199bb8680af6f6f84fd3769a5ea883df8a91fe68b4c4" + ], + "version": "==2.2.5" + }, + "atomicwrites": { + "hashes": [ + "sha256:03472c30eb2c5d1ba9227e4c2ca66ab8287fbfbbda3888aa93dc2e28fc6811b4", + "sha256:75a9445bac02d8d058d5e1fe689654ba5a6556a1dfd8ce6ec55a0ed79866cfa6" + ], + "version": "==1.3.0" + }, + "attrs": { + "hashes": [ + "sha256:69c0dbf2ed392de1cb5ec704444b08a5ef81680a61cb899dc08127123af36a79", + "sha256:f0b870f674851ecbfbbbd364d6b5cbdff9dcedbc7f3f5e18a6891057f21fe399" + ], + "version": "==19.1.0" + }, + "certifi": { + "hashes": [ + "sha256:e4f3620cfea4f83eedc95b24abd9cd56f3c4b146dd0177e83a21b4eb49e21e50", + "sha256:fd7c7c74727ddcf00e9acd26bba8da604ffec95bf1c2144e67aff7a8b50e6cef" + ], + "version": "==2019.9.11" + }, + "chardet": { + "hashes": [ + "sha256:84ab92ed1c4d4f16916e05906b6b75a6c0fb5db821cc65e70cbd64a3e2a5eaae", + "sha256:fc323ffcaeaed0e0a02bf4d117757b98aed530d9ed4531e3e15460124c106691" + ], + "version": "==3.0.4" + }, + "idna": { + "hashes": [ + "sha256:c357b3f628cf53ae2c4c05627ecc484553142ca23264e593d327bcde5e9c3407", + "sha256:ea8b7f6188e6fa117537c3df7da9fc686d485087abf6ac197f9c46432f7e4a3c" + ], + "version": "==2.8" + }, + "importlib-metadata": { + "hashes": [ + "sha256:652234b6ab8f2506ae58e528b6fbcc668831d3cc758e1bc01ef438d328b68cdb", + "sha256:6f264986fb88042bc1f0535fa9a557e6a376cfe5679dc77caac7fe8b5d43d05f" + ], + "markers": "python_version < '3.8'", + "version": "==0.22" + }, + "isort": { + "hashes": [ + "sha256:54da7e92468955c4fceacd0c86bd0ec997b0e1ee80d97f67c35a78b719dccab1", + "sha256:6e811fcb295968434526407adb8796944f1988c5b65e8139058f2014cbe100fd" + ], + "version": "==4.3.21" + }, + "lazy-object-proxy": { + "hashes": [ + 
"sha256:02b260c8deb80db09325b99edf62ae344ce9bc64d68b7a634410b8e9a568edbf", + "sha256:18f9c401083a4ba6e162355873f906315332ea7035803d0fd8166051e3d402e3", + "sha256:1f2c6209a8917c525c1e2b55a716135ca4658a3042b5122d4e3413a4030c26ce", + "sha256:2f06d97f0ca0f414f6b707c974aaf8829c2292c1c497642f63824119d770226f", + "sha256:616c94f8176808f4018b39f9638080ed86f96b55370b5a9463b2ee5c926f6c5f", + "sha256:63b91e30ef47ef68a30f0c3c278fbfe9822319c15f34b7538a829515b84ca2a0", + "sha256:77b454f03860b844f758c5d5c6e5f18d27de899a3db367f4af06bec2e6013a8e", + "sha256:83fe27ba321e4cfac466178606147d3c0aa18e8087507caec78ed5a966a64905", + "sha256:84742532d39f72df959d237912344d8a1764c2d03fe58beba96a87bfa11a76d8", + "sha256:874ebf3caaf55a020aeb08acead813baf5a305927a71ce88c9377970fe7ad3c2", + "sha256:9f5caf2c7436d44f3cec97c2fa7791f8a675170badbfa86e1992ca1b84c37009", + "sha256:a0c8758d01fcdfe7ae8e4b4017b13552efa7f1197dd7358dc9da0576f9d0328a", + "sha256:a4def978d9d28cda2d960c279318d46b327632686d82b4917516c36d4c274512", + "sha256:ad4f4be843dace866af5fc142509e9b9817ca0c59342fdb176ab6ad552c927f5", + "sha256:ae33dd198f772f714420c5ab698ff05ff900150486c648d29951e9c70694338e", + "sha256:b4a2b782b8a8c5522ad35c93e04d60e2ba7f7dcb9271ec8e8c3e08239be6c7b4", + "sha256:c462eb33f6abca3b34cdedbe84d761f31a60b814e173b98ede3c81bb48967c4f", + "sha256:fd135b8d35dfdcdb984828c84d695937e58cc5f49e1c854eb311c4d6aa03f4f1" + ], + "version": "==1.4.2" + }, + "mccabe": { + "hashes": [ + "sha256:ab8a6258860da4b6677da4bd2fe5dc2c659cff31b3ee4f7f5d64e79735b80d42", + "sha256:dd8d182285a0fe56bace7f45b5e7d1a6ebcbf524e8f3bd87eb0f125271b8831f" + ], + "version": "==0.6.1" + }, + "more-itertools": { + "hashes": [ + "sha256:409cd48d4db7052af495b09dec721011634af3753ae1ef92d2b32f73a745f832", + "sha256:92b8c4b06dac4f0611c0729b2f2ede52b2e1bac1ab48f089c7ddc12e26bb60c4" + ], + "version": "==7.2.0" + }, + "packaging": { + "hashes": [ + "sha256:a7ac867b97fdc07ee80a8058fe4435ccd274ecc3b0ed61d852d7d53055528cf9", + 
"sha256:c491ca87294da7cc01902edbe30a5bc6c4c28172b5138ab4e4aa1b9d7bfaeafe" + ], + "version": "==19.1" + }, + "pluggy": { + "hashes": [ + "sha256:0db4b7601aae1d35b4a033282da476845aa19185c1e6964b25cf324b5e4ec3e6", + "sha256:fa5fa1622fa6dd5c030e9cad086fa19ef6a0cf6d7a2d12318e10cb49d6d68f34" + ], + "version": "==0.13.0" + }, + "py": { + "hashes": [ + "sha256:64f65755aee5b381cea27766a3a147c3f15b9b6b9ac88676de66ba2ae36793fa", + "sha256:dc639b046a6e2cff5bbe40194ad65936d6ba360b52b3c3fe1d08a82dd50b5e53" + ], + "version": "==1.8.0" + }, + "pylint": { + "hashes": [ + "sha256:5d77031694a5fb97ea95e828c8d10fc770a1df6eb3906067aaed42201a8a6a09", + "sha256:723e3db49555abaf9bf79dc474c6b9e2935ad82230b10c1138a71ea41ac0fff1" + ], + "index": "pypi", + "version": "==2.3.1" + }, + "pyparsing": { + "hashes": [ + "sha256:6f98a7b9397e206d78cc01df10131398f1c8b8510a2f4d97d9abd82e1aacdd80", + "sha256:d9338df12903bbf5d65a0e4e87c2161968b10d2e489652bb47001d82a9b028b4" + ], + "version": "==2.4.2" + }, + "pytest": { + "hashes": [ + "sha256:95d13143cc14174ca1a01ec68e84d76ba5d9d493ac02716fd9706c949a505210", + "sha256:b78fe2881323bd44fd9bd76e5317173d4316577e7b1cddebae9136a4495ec865" + ], + "index": "pypi", + "version": "==5.1.2" + }, + "pytest-asyncio": { + "hashes": [ + "sha256:9fac5100fd716cbecf6ef89233e8590a4ad61d729d1732e0a96b84182df1daaf", + "sha256:d734718e25cfc32d2bf78d346e99d33724deeba774cc4afdf491530c6184b63b" + ], + "index": "pypi", + "version": "==0.10.0" + }, + "pytest-mock": { + "hashes": [ + "sha256:43ce4e9dd5074993e7c021bb1c22cbb5363e612a2b5a76bc6d956775b10758b7", + "sha256:5bf5771b1db93beac965a7347dc81c675ec4090cb841e49d9d34637a25c30568" + ], + "index": "pypi", + "version": "==1.10.4" + }, + "requests": { + "hashes": [ + "sha256:11e007a8a2aa0323f5a921e9e6a2d7e4e67d9877e85773fba9ba6419025cbeb4", + "sha256:9cf5292fcd0f598c671cfc1e0d7d1a7f13bb8085e9a590f48c010551dc6c4b31" + ], + "index": "pypi", + "version": "==2.22.0" + }, + "requests-mock": { + "hashes": [ + 
"sha256:510df890afe08d36eca5bb16b4aa6308a6f85e3159ad3013bac8b9de7bd5a010", + "sha256:88d3402dd8b3c69a9e4f9d3a73ad11b15920c6efd36bc27bf1f701cf4a8e4646" + ], + "index": "pypi", + "version": "==1.7.0" + }, + "six": { + "hashes": [ + "sha256:3350809f0555b11f552448330d0b52d5f24c91a322ea4a15ef22629740f3761c", + "sha256:d16a0141ec1a18405cd4ce8b4613101da75da0e9a7aec5bdd4fa804d0e0eba73" + ], + "version": "==1.12.0" + }, + "typed-ast": { + "hashes": [ + "sha256:18511a0b3e7922276346bcb47e2ef9f38fb90fd31cb9223eed42c85d1312344e", + "sha256:262c247a82d005e43b5b7f69aff746370538e176131c32dda9cb0f324d27141e", + "sha256:2b907eb046d049bcd9892e3076c7a6456c93a25bebfe554e931620c90e6a25b0", + "sha256:354c16e5babd09f5cb0ee000d54cfa38401d8b8891eefa878ac772f827181a3c", + "sha256:4e0b70c6fc4d010f8107726af5fd37921b666f5b31d9331f0bd24ad9a088e631", + "sha256:630968c5cdee51a11c05a30453f8cd65e0cc1d2ad0d9192819df9978984529f4", + "sha256:66480f95b8167c9c5c5c87f32cf437d585937970f3fc24386f313a4c97b44e34", + "sha256:71211d26ffd12d63a83e079ff258ac9d56a1376a25bc80b1cdcdf601b855b90b", + "sha256:95bd11af7eafc16e829af2d3df510cecfd4387f6453355188342c3e79a2ec87a", + "sha256:bc6c7d3fa1325a0c6613512a093bc2a2a15aeec350451cbdf9e1d4bffe3e3233", + "sha256:cc34a6f5b426748a507dd5d1de4c1978f2eb5626d51326e43280941206c209e1", + "sha256:d755f03c1e4a51e9b24d899561fec4ccaf51f210d52abdf8c07ee2849b212a36", + "sha256:d7c45933b1bdfaf9f36c579671fec15d25b06c8398f113dab64c18ed1adda01d", + "sha256:d896919306dd0aa22d0132f62a1b78d11aaf4c9fc5b3410d3c666b818191630a", + "sha256:ffde2fbfad571af120fcbfbbc61c72469e72f550d676c3342492a9dfdefb8f12" + ], + "markers": "implementation_name == 'cpython'", + "version": "==1.4.0" + }, + "urllib3": { + "hashes": [ + "sha256:b246607a25ac80bedac05c6f282e3cdaf3afb65420fd024ac94435cabe6e18d1", + "sha256:dbe59173209418ae49d485b87d1681aefa36252ee85884c31346debd19463232" + ], + "version": "==1.25.3" + }, + "wcwidth": { + "hashes": [ + 
"sha256:3df37372226d6e63e1b1e1eda15c594bca98a22d33a23832a90998faa96bc65e", + "sha256:f4ebe71925af7b40a864553f761ed559b43544f8f71746c2d756c7fe788ade7c" + ], + "version": "==0.1.7" + }, + "wrapt": { + "hashes": [ + "sha256:565a021fd19419476b9362b05eeaa094178de64f8361e44468f9e9d7843901e1" + ], + "version": "==1.11.2" + }, + "zipp": { + "hashes": [ + "sha256:3718b1cbcd963c7d4c5511a8240812904164b7f381b647143a89d3b98f9bcd8e", + "sha256:f06903e9f1f43b12d371004b4ac7b06ab39a44adc747266928ae6debfa7b3335" + ], + "version": "==0.6.0" + } + } +} diff --git a/Packs/CrowdStrikeFalconX/Integrations/CrowdStrikeFalconX/README.md b/Packs/CrowdStrikeFalconX/Integrations/CrowdStrikeFalconX/README.md new file mode 100644 index 000000000000..a0a7ab4f5850 --- /dev/null +++ b/Packs/CrowdStrikeFalconX/Integrations/CrowdStrikeFalconX/README.md 
@@ -0,0 +1,2809 @@
+Use the CrowdStrike Falcon X integration to submit files, file hashes, URLs, and FTPs for sandbox analysis, and to retrieve reports.
+This integration was integrated and tested with version xx of CrowdStrike Falcon X
+## Configure CrowdStrike Falcon X on Cortex XSOAR
+
+1. Navigate to **Settings** > **Integrations** > **Servers & Services**.
+2. Search for CrowdStrike Falcon X.
+3. Click **Add instance** to create and configure a new integration instance.
+
+| **Parameter** | **Description** | **Required** |
+| --- | --- | --- |
+| credentials | Client ID | True |
+| insecure | Trust any certificate \(not secure\) | False |
+| proxy | Use system proxy settings | False |
+
+4. Click **Test** to validate the URLs, token, and connection.
+## Commands
+You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook.
+After you successfully execute a command, a DBot message appears in the War Room with the command details.
+### cs-fx-upload-file
+***
+Uploads a file for sandbox analysis.
+
+
+#### Base Command
+
+`cs-fx-upload-file`
+#### Input
+
+| **Argument Name** | **Description** | **Required** |
+| --- | --- | --- |
+| file_name | Name of the file to upload for sandbox analysis. | Required |
+| comment | A descriptive comment to identify the file for other users. | Optional |
+| is_confidential | Determines the visibility of this file in Falcon MalQuery. Can be "true" or "false". If "true", the file is confidential. | Optional |
+| file | Content of the uploaded sample in binary format. | Required |
+| submit_file | Whether to submit the given file to the sandbox. Can be "yes" or "no". Default is "no". | Optional |
+
+
+#### Context Output
+
+| **Path** | **Type** | **Description** |
+| --- | --- | --- |
+| csfalconx.resource.sha256 | String | SHA256 hash of the uploaded file. |
+| csfalconx.resource.file_name | String | Name of the uploaded file. |
+
+#### Command Example
+```!cs-fx-upload-file file=895@07031695-ae27-49f6-8bb2-41943c7cb80c file_name=test.pdf comment="example" is_confidential="true" submit_file=no```
+
+#### Context Example
+
+```
+{
+ "csfalconx": {
+ "resource": {
+ "file_name": "test.pdf",
+ "sha256": "c5fdd1fb2c53cd00aba5b01270f91fd5598f315bef99938ddeb92c23667ec2c9"
+ }
+ }
+}
+```
+
+#### Human Readable Output
+
+>### CrowdStrike Falcon X response:
+>|file_name|sha256|
+>|---|---|
+>| test.pdf | c5fdd1fb2c53cd00aba5b01270f91fd5598f315bef99938ddeb92c23667ec2c9 |
+
+
+### cs-fx-submit-uploaded-file
+***
+Submits a sample SHA256 hash for sandbox analysis.
+
+
+#### Base Command
+
+`cs-fx-submit-uploaded-file`
+#### Input
+
+| **Argument Name** | **Description** | **Required** |
+| --- | --- | --- |
+| sha256 | SHA256 ID of the sample, which is a SHA256 hash value. Find the sample ID from the response when uploading a malware sample or search with the cs-fx-upload-file command. | Required |
+| environment_id | Sandbox environment used for analysis. | Required |
+| action_script | Runtime script for sandbox analysis. | Optional |
+| command_line | Command line script passed to the submitted file at runtime. Max length: 2048 characters. | Optional |
+| document_password | Auto-filled for Adobe or Office files that prompt for a password. Max length: 32 characters. | Optional |
+| enable_tor | Whether the sandbox analysis routes network traffic via TOR. Can be "true" or "false". If true, sandbox analysis routes network traffic via TOR. | Optional |
+| submit_name | Name of the malware sample that’s used for file type detection. and analysis. | Optional |
+| system_date | Set a custom date for the sandbox environment in the format yyyy-MM-dd. | Optional |
+| system_time | Sets a custom time for the sandbox environment in the format HH:mm. | Optional |
+
+
+#### Context Output
+
+| **Path** | **Type** | **Description** |
+| --- | --- | --- |
+| csfalconx.resource.uploaded_id | String | Analysis ID received after uploading the file. |
+| csfalconx.resource.state | String | Analysis state. |
+| csfalconx.resource.created_timpestamp | String | Analysis start time. |
+| csfalconx.resource.sha256 | Unknown | SHA256 hash of the scanned file. |
+| csfalconx.resource.environment_id | Unknown | Environment ID of the analysis. |
+
+
+#### Command Example
+```!cs-fx-submit-uploaded-file sha256="a381a7b679119dee5b95c9c09993885e44ad2fd9cd52fa28bc116f8bdea71679" environment_id="160: Windows 10" action_script="default" command_line="command" document_password="password" enable_tor="false" submit_name="malware_test" system_date="2020-08-10" system_time="12:48"```
+
+#### Context Example
+
+```
+{
+ "csfalconx": {
+ "resource": {
+ "created_timestamp": "2020-07-03T06:36:17Z",
+ "environment_id": 160,
+ "sha256": "a381a7b679119dee5b95c9c09993885e44ad2fd9cd52fa28bc116f8bdea71679",
+ "state": "created",
+ "submitted_id": "1c9fe398b2294301aa3080ede8d77356_943236d30cc349538cab108d61c6986a"
+ }
+ }
+}
+```
+
+#### Human Readable Output
+
+>### CrowdStrike Falcon X response:
+>|created_timestamp|environment_id|sha256|state|submitted_id|
+>|---|---|---|---|---|
+>| 2020-07-03T06:36:17Z | 160 | a381a7b679119dee5b95c9c09993885e44ad2fd9cd52fa28bc116f8bdea71679 | created | 1c9fe398b2294301aa3080ede8d77356_943236d30cc349538cab108d61c6986a |
+
+
+### cs-fx-get-full-report
+***
+Gets a full version of a sandbox report.
+
+
+#### Base Command
+
+`cs-fx-get-full-report`
+#### Input
+
+| **Argument Name** | **Description** | **Required** |
+| --- | --- | --- |
+| ids | ID of a submitted malware sample. Find a submission ID from the response when submitting a malware sample or search with the cs-fx-submit-uploaded-file command. | Required |
+
+
+#### Context Output
+
+| **Path** | **Type** | **Description** |
+| --- | --- | --- |
+| csfalconx.resource.submitted_id | String | Analysis ID received after submitting the file. |
+| csfalconx.resource.verdict | String | Analysis verdict. |
+| csfalconx.resource.created_timpestamp | String | Analysis start time. |
+| csfalconx.resource.environment_id | String | Environment ID. |
+| csfalconx.resource.snadbox.environment_description | String | Environment description. |
+| csfalconx.resource.threat_score | Int | Score of the threat. |
+| csfalconx.resource.submit_url | String | URL submitted for analysis. |
+| csfalconx.resource.submission_type | String | Type of submitted artifact, for example file, URL, etc. |
+| csfalconx.resource.filetype | String | File type. |
+| csfalconx.resource.filesize | Int | File size. |
+| csfalconx.resource.sha256 | String | SHA256 hash of the submitted file. |
+| csfalconx.resource.ioc_report_strict_csv_artifact_id | String | ID of the IOC pack to download \(CSV\). |
+| csfalconx.resource.ioc_report_broad_csv_artifact_id | String | ID of the IOC pack to download \(CSV\). |
+| csfalconx.resource.ioc_report_strict_json_artifact_id | Int | ID of the IOC pack to download \(JSON\). |
+| csfalconx.resource.ioc_report_broad_json_artifact_id | String | ID of the IOC pack to download \(JSON\). |
+| csfalconx.resource.ioc_report_strict_stix_artifact_id | String | ID of the IOC pack to download \(STIX\). |
+| csfalconx.resource.ioc_report_broad_stix_artifact_id | Int | ID of the IOC pack to download \(STIX\). |
+| csfalconx.resource.ioc_report_strict_maec_artifact_id | String | ID of the IOC pack to download \(MAEC\). |
+| csfalconx.resource.ioc_report_broad_maec_artifact_id | String | ID of the IOC pack to download \(MAEC\). |
+
+
+#### Command Example
+```!cs-fx-get-full-report ids="1c9fe398b2294301aa3080ede8d77356_8511c69fa47f4188bf59e3ab80f0f39f"```
+
+#### Context Example
+
+```
+{
+ "csfalconx": {
+ "resource": {
+ "created_timestamp": "2020-03-16T17:04:48Z",
+ "environment_description": "Windows 10 64 bit",
+ "environment_id": 160,
+ "id": "1c9fe398b2294301aa3080ede8d77356_8511c69fa47f4188bf59e3ab80f0f39f",
+ "ioc_report_broad_csv_artifact_id": "910b844555678892b85afaa6761eb0619b43355a851797f2cd54aa814ad84e04",
+ "ioc_report_broad_json_artifact_id": "b02b32f52a8fa67ad42d8b0e002d37622142b6b5f9c8174fa62df859422a8de8",
+ "ioc_report_broad_maec_artifact_id": "16f7cb67df103b63badeed41a6d05d717c8aee898b811b1620e7d009dab18945",
+ "ioc_report_broad_stix_artifact_id": "90c36e086e9459b8c08503409f58b1d8710b46867736fac292afff45b4ffb1f1",
+ "ioc_report_strict_csv_artifact_id": "910b844555678892b85afaa6761eb0619b43355a851797f2cd54aa814ad84e04",
+ "ioc_report_strict_json_artifact_id": "b02b32f52a8fa67ad42d8b0e002d37622142b6b5f9c8174fa62df859422a8de8",
+ "ioc_report_strict_maec_artifact_id": "16f7cb67df103b63badeed41a6d05d717c8aee898b811b1620e7d009dab18945",
+ "ioc_report_strict_stix_artifact_id": "90c36e086e9459b8c08503409f58b1d8710b46867736fac292afff45b4ffb1f1",
+ "sha256": "15fea7cc23194aea10dce58cff8fff050c81e1be0d16e4da542f4fedd5a421c3",
+ "submission_type": "page_url",
+ "submit_url": "hxxps://www.google.com",
+ "threat_score": 13,
+ "verdict": "no specific threat"
+ }
+ }
+}
+```
+
+#### Human Readable Output
+
+>### CrowdStrike Falcon X response:
+>|created_timestamp|environment_description|environment_id|id|ioc_report_broad_csv_artifact_id|ioc_report_broad_json_artifact_id|ioc_report_broad_maec_artifact_id|ioc_report_broad_stix_artifact_id|ioc_report_strict_csv_artifact_id|ioc_report_strict_json_artifact_id|ioc_report_strict_maec_artifact_id|ioc_report_strict_stix_artifact_id|sha256|submission_type|submit_url|threat_score|verdict|
+>|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
+>| 2020-03-16T17:04:48Z | Windows 10 64 bit | 160 | 1c9fe398b2294301aa3080ede8d77356_8511c69fa47f4188bf59e3ab80f0f39f | 910b844555678892b85afaa6761eb0619b43355a851797f2cd54aa814ad84e04 | b02b32f52a8fa67ad42d8b0e002d37622142b6b5f9c8174fa62df859422a8de8 | 16f7cb67df103b63badeed41a6d05d717c8aee898b811b1620e7d009dab18945 | 90c36e086e9459b8c08503409f58b1d8710b46867736fac292afff45b4ffb1f1 | 910b844555678892b85afaa6761eb0619b43355a851797f2cd54aa814ad84e04 | b02b32f52a8fa67ad42d8b0e002d37622142b6b5f9c8174fa62df859422a8de8 | 16f7cb67df103b63badeed41a6d05d717c8aee898b811b1620e7d009dab18945 | 90c36e086e9459b8c08503409f58b1d8710b46867736fac292afff45b4ffb1f1 | 15fea7cc23194aea10dce58cff8fff050c81e1be0d16e4da542f4fedd5a421c3 | page_url | hxxps://www.google.com | 13 | no specific threat |
+
+
+### cs-fx-get-report-summary
+***
+Gets a short summary version of a sandbox report.
+
+
+#### Base Command
+
+`cs-fx-get-report-summary`
+#### Input
+
+| **Argument Name** | **Description** | **Required** |
+| --- | --- | --- |
+| ids | ID of a submitted malware sample. Find a submission ID from the response when submitting a malware sample or search with the cs-fx-submit-uploaded-file command. | Required |
+
+
+#### Context Output
+
+| **Path** | **Type** | **Description** |
+| --- | --- | --- |
+| csfalconx.resource.id | String | Analysis ID. |
+| csfalconx.resource.verdict | String | Analysis verdict. |
+| csfalconx.resource.created_timpestamp | String | Analysis start time. |
+| csfalconx.resource.environment_id | String | Environment ID. |
+| csfalconx.resource.environment_description | String | Environment description. |
+| csfalconx.resource.threat_score | Int | Score of the threat. |
+| csfalconx.resource.submit_url | String | URL submitted for analysis. |
+| csfalconx.resource.submission_type | String | Type of submitted artifact. For example, file, URL, etc. |
+| csfalconx.resource.filetype | String | File type. |
+| csfalconx.resource.filesize | Int | File size. |
+| csfalconx.resource.sha256 | String | SHA256 hash of the submitted file. |
+| csfalconx.resource.ioc_report_strict_csv_artifact_id | String | ID of the IOC pack to download \(CSV\). |
+| csfalconx.resource.ioc_report_broad_csv_artifact_id | String | ID of the IOC pack to download \(CSV\). |
+| csfalconx.resource.ioc_report_strict_json_artifact_id | Int | ID of the IOC pack to download \(JSON\). |
+| csfalconx.resource.ioc_report_broad_json_artifact_id | String | ID of the IOC pack to download \(JSON\). |
+| csfalconx.resource.ioc_report_strict_stix_artifact_id | String | ID of the IOC pack to download \(STIX\). |
+| csfalconx.resource.ioc_report_broad_stix_artifact_id | Int | ID of the IOC pack to download \(STIX\). |
+| csfalconx.resource.ioc_report_strict_maec_artifact_id | String | ID of the IOC pack to download \(MAEC\). |
+| csfalconx.resource.ioc_report_broad_maec_artifact_id | String | ID of the IOC pack to download \(MAEC\). |
+
+
+#### Command Example
+```!cs-fx-get-report-summary ids="1c9fe398b2294301aa3080ede8d77356_8511c69fa47f4188bf59e3ab80f0f39f"```
+
+#### Context Example
+
+```
+{
+ "csfalconx": {
+ "resource": {
+ "created_timestamp": "2020-03-16T17:04:48Z",
+ "environment_description": "Windows 10 64 bit",
+ "environment_id": 160,
+ "id": "1c9fe398b2294301aa3080ede8d77356_8511c69fa47f4188bf59e3ab80f0f39f",
+ "ioc_report_broad_csv_artifact_id": "910b844555678892b85afaa6761eb0619b43355a851797f2cd54aa814ad84e04",
+ "ioc_report_broad_json_artifact_id": "b02b32f52a8fa67ad42d8b0e002d37622142b6b5f9c8174fa62df859422a8de8",
+ "ioc_report_broad_maec_artifact_id": "16f7cb67df103b63badeed41a6d05d717c8aee898b811b1620e7d009dab18945",
+ "ioc_report_broad_stix_artifact_id": "90c36e086e9459b8c08503409f58b1d8710b46867736fac292afff45b4ffb1f1",
+ "ioc_report_strict_csv_artifact_id": "910b844555678892b85afaa6761eb0619b43355a851797f2cd54aa814ad84e04",
+ "ioc_report_strict_json_artifact_id": "b02b32f52a8fa67ad42d8b0e002d37622142b6b5f9c8174fa62df859422a8de8",
+ "ioc_report_strict_maec_artifact_id": "16f7cb67df103b63badeed41a6d05d717c8aee898b811b1620e7d009dab18945",
+ "ioc_report_strict_stix_artifact_id": "90c36e086e9459b8c08503409f58b1d8710b46867736fac292afff45b4ffb1f1",
+ "sha256": "15fea7cc23194aea10dce58cff8fff050c81e1be0d16e4da542f4fedd5a421c3",
+ "submission_type": "page_url",
+ "submit_url": "hxxps://www.google.com",
+ "threat_score": 13,
+ "verdict": "no specific threat"
+ }
+ }
+}
+```
+
+#### Human Readable Output
+
+>### CrowdStrike Falcon X response:
+>|created_timestamp|environment_description|environment_id|id|ioc_report_broad_csv_artifact_id|ioc_report_broad_json_artifact_id|ioc_report_broad_maec_artifact_id|ioc_report_broad_stix_artifact_id|ioc_report_strict_csv_artifact_id|ioc_report_strict_json_artifact_id|ioc_report_strict_maec_artifact_id|ioc_report_strict_stix_artifact_id|sha256|submission_type|submit_url|threat_score|verdict|
+>|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
+>| 2020-03-16T17:04:48Z | Windows 10 64 bit | 160 | 1c9fe398b2294301aa3080ede8d77356_8511c69fa47f4188bf59e3ab80f0f39f | 910b844555678892b85afaa6761eb0619b43355a851797f2cd54aa814ad84e04 | b02b32f52a8fa67ad42d8b0e002d37622142b6b5f9c8174fa62df859422a8de8 | 16f7cb67df103b63badeed41a6d05d717c8aee898b811b1620e7d009dab18945 | 90c36e086e9459b8c08503409f58b1d8710b46867736fac292afff45b4ffb1f1 | 910b844555678892b85afaa6761eb0619b43355a851797f2cd54aa814ad84e04 | b02b32f52a8fa67ad42d8b0e002d37622142b6b5f9c8174fa62df859422a8de8 | 16f7cb67df103b63badeed41a6d05d717c8aee898b811b1620e7d009dab18945 | 90c36e086e9459b8c08503409f58b1d8710b46867736fac292afff45b4ffb1f1 | 15fea7cc23194aea10dce58cff8fff050c81e1be0d16e4da542f4fedd5a421c3 | page_url | hxxps://www.google.com | 13 | no specific threat |
+
+
+### cs-fx-get-analysis-status
+***
+Checks the status of a sandbox analysis.
+
+
+#### Base Command
+
+`cs-fx-get-analysis-status`
+#### Input
+
+| **Argument Name** | **Description** | **Required** |
+| --- | --- | --- |
+| ids | ID of a submitted malware sample. Find a submission ID from the response when submitting a malware sample or search with the cs-fx-submit-uploaded-file/url command. | Required |
+
+
+#### Context Output
+
+| **Path** | **Type** | **Description** |
+| --- | --- | --- |
+| csfalconx.resource.id | String | Analysis ID. |
+| csfalconx.resource.verdict | String | Analysis verdict. |
+| csfalconx.resource.created_timpestamp | String | Analysis start time. |
+| csfalconx.resource.environment_id | String | Environment ID. |
+| csfalconx.resource.environment_description | String | Environment description. |
+| csfalconx.resource.threat_score | Int | Score of the threat. |
+| csfalconx.resource.submit_url | String | URL submitted for analysis. |
+| csfalconx.resource.submission_type | String | Type of submitted artifact. For example, file, URL, etc. |
+| csfalconx.resource.filetype | String | File type. |
+| csfalconx.resource.filesize | Int | File size. |
+| csfalconx.resource.sha256 | String | SHA256 hash of the submitted file. |
+| csfalconx.resource.ioc_report_strict_csv_artifact_id | String | ID of the IOC pack to download \(CSV\). |
+| csfalconx.resource.ioc_report_broad_csv_artifact_id | String | ID of the IOC pack to download \(CSV\). |
+| csfalconx.resource.ioc_report_strict_json_artifact_id | Int | ID of the IOC pack to download \(JSON\). |
+| csfalconx.resource.ioc_report_broad_json_artifact_id | String | ID of the IOC pack to download \(JSON\). |
+| csfalconx.resource.ioc_report_strict_stix_artifact_id | String | ID of the IOC pack to download \(STIX\). |
+| csfalconx.resource.ioc_report_broad_stix_artifact_id | Int | ID of the IOC pack to download \(STIX\). |
+| csfalconx.resource.ioc_report_strict_maec_artifact_id | String | ID of the IOC pack to download \(MAEC\). |
+| csfalconx.resource.ioc_report_broad_maec_artifact_id | String | ID of the IOC pack to download \(MAEC\). |
+
+
+#### Command Example
+```!cs-fx-get-analysis-status ids="1c9fe398b2294301aa3080ede8d77356_8cfaaf951fff412090df3d27d4b4193d"```
+
+#### Context Example
+
+```
+{
+ "csfalconx": {
+ "resource": {
+ "created_timestamp": "2020-05-26T21:24:41Z",
+ "environment_id": 160,
+ "id": "1c9fe398b2294301aa3080ede8d77356_8cfaaf951fff412090df3d27d4b4193d",
+ "sha256": "05cca3437abcb4057c157ed8b933b07fb198aa0fa0eb7f7c27e97029e9e0ad61",
+ "state": "success"
+ }
+ }
+}
+```
+
+#### Human Readable Output
+
+>### CrowdStrike Falcon X response:
+>|created_timestamp|environment_id|id|sha256|state|
+>|---|---|---|---|---|
+>| 2020-05-26T21:24:41Z | 160 | 1c9fe398b2294301aa3080ede8d77356_8cfaaf951fff412090df3d27d4b4193d | 05cca3437abcb4057c157ed8b933b07fb198aa0fa0eb7f7c27e97029e9e0ad61 | success |
+
+
+### cs-fx-check-quota
+***
+Returns the total quota number and the in use quota number.
+
+
+#### Base Command
+
+`cs-fx-check-quota`
+#### Input
+
+There are no input arguments for this command.
+
+#### Context Output
+
+| **Path** | **Type** | **Description** |
+| --- | --- | --- |
+| csfalconx.resource.quota.total | Number | Total quota number. |
+| csfalconx.resource.quota.used | Number | Used quota number. |
+| csfalconx.resource.quota.in_progress | Number | Analysis in progress. |
+
+
+#### Command Example
+```!cs-fx-check-quota```
+
+#### Context Example
+
+```
+{
+ "csfalconx": {
+ "resource": {
+ "in_progress": 3,
+ "total": 500,
+ "used": 11
+ }
+ }
+}
+```
+
+#### Human Readable Output
+
+>### CrowdStrike Falcon X response:
+>|in_progress|total|used|
+>|---|---|---|
+>| 3 | 500 | 11 |
+
+
+### cs-fx-find-reports
+***
+Finds sandbox reports by providing an FQL filter and paging details.
+
+
+#### Base Command
+
+`cs-fx-find-reports`
+#### Input
+
+| **Argument Name** | **Description** | **Required** |
+| --- | --- | --- |
+| filter | Optional filter and sort criteria in the form of an FQL query. | Optional |
+| offset | The offset from which to start retrieving reports. | Optional |
+| limit | Maximum number of report IDs to return. Maximum is 5000. | Optional |
+| sort | Sort order. Can be "asc" or "desc". | Optional |
+
+
+#### Context Output
+
+| **Path** | **Type** | **Description** |
+| --- | --- | --- |
+| csfalconx.resource.id | Number | Set of report IDs that match the search criteria. |
+
+
+#### Command Example
+```!cs-fx-find-reports offset=1 limit=5```
+
+#### Context Example
+
+```
+{
+ "csfalconx": {
+ "resource": {
+ "resources": [
+ "1c9fe398b2294301aa3080ede8d77356_b85ecb950a7946f781055165fb772d1d",
+ "1c9fe398b2294301aa3080ede8d77356_d0b4bc43b10849bdb3a6b47ad21300e4",
+ "1c9fe398b2294301aa3080ede8d77356_91863c129067479198bd150b512bb408",
+ "1c9fe398b2294301aa3080ede8d77356_c94eaa632d5c4166a9b1266bce73d2f4",
+ "1c9fe398b2294301aa3080ede8d77356_d0cd12feda95443d94c8bdc78d513d52"
+ ]
+ }
+ }
+}
+```
+
+#### Human Readable Output
+
+>### CrowdStrike Falcon X response:
+>|resources|
+>|---|
+>| 1c9fe398b2294301aa3080ede8d77356_b85ecb950a7946f781055165fb772d1d,
    1c9fe398b2294301aa3080ede8d77356_d0b4bc43b10849bdb3a6b47ad21300e4,
    1c9fe398b2294301aa3080ede8d77356_91863c129067479198bd150b512bb408,
    1c9fe398b2294301aa3080ede8d77356_c94eaa632d5c4166a9b1266bce73d2f4,
    1c9fe398b2294301aa3080ede8d77356_d0cd12feda95443d94c8bdc78d513d52 |
+
+
+### cs-fx-find-submission-id
+***
+Finds submission IDs for uploaded files by providing an FQL filter and paging details. Returns a set of submission IDs that match the search criteria.
+
+
+#### Base Command
+
+`cs-fx-find-submission-id`
+#### Input
+
+| **Argument Name** | **Description** | **Required** |
+| --- | --- | --- |
+| filter | Optional filter and sort criteria in the form of an FQL query. | Optional |
+| offset | The offset from which to start retrieving reports. | Optional |
+| limit | Maximum number of report IDs to return. Maximum is 5000. | Optional |
+| sort | Sort order. Can be "asc" or "desc". | Optional |
+
+
+#### Context Output
+
+| **Path** | **Type** | **Description** |
+| --- | --- | --- |
+| csfalconx.resource.id | Number | Set of report IDs that match the search criteria. |
+
+
+#### Command Example
+```!cs-fx-find-submission-id offset=1 limit=5```
+
+#### Context Example
+
+```
+{
+ "csfalconx": {
+ "resource": {
+ "resources": [
+ "1c9fe398b2294301aa3080ede8d77356_943236d30cc349538cab108d61c6986a",
+ "1c9fe398b2294301aa3080ede8d77356_853956d90743418b96dea59d190cdaf9",
+ "1c9fe398b2294301aa3080ede8d77356_c97b23377e594218b5df76b512466582",
+ "1c9fe398b2294301aa3080ede8d77356_b85ecb950a7946f781055165fb772d1d",
+ "1c9fe398b2294301aa3080ede8d77356_d0b4bc43b10849bdb3a6b47ad21300e4"
+ ]
+ }
+ }
+}
+```
+
+#### Human Readable Output
+
+>### CrowdStrike Falcon X response:
+>|resources|
+>|---|
+>| 1c9fe398b2294301aa3080ede8d77356_943236d30cc349538cab108d61c6986a,
    1c9fe398b2294301aa3080ede8d77356_853956d90743418b96dea59d190cdaf9,
    1c9fe398b2294301aa3080ede8d77356_c97b23377e594218b5df76b512466582,
    1c9fe398b2294301aa3080ede8d77356_b85ecb950a7946f781055165fb772d1d,
    1c9fe398b2294301aa3080ede8d77356_d0b4bc43b10849bdb3a6b47ad21300e4 |
+
+
+### cs-fx-submit-url
+***
+Submits a URL or FTP for sandbox analysis.
+
+
+#### Base Command
+
+`cs-fx-submit-url`
+#### Input
+
+| **Argument Name** | **Description** | **Required** |
+| --- | --- | --- |
+| url | A web page or file URL. It can be HTTP(S) or FTP.
    For example: “https://url.com”,“ftp://ftp.com” | Required |
+| environment_id | Sandbox environment used for analysis. | Required |
+| action_script | Runtime script for sandbox analysis. Values:
    default
    default_maxantievasion
    default_randomfiles
    default_randomtheme
    default_openie | Optional |
+| command_line | Command line script passed to the submitted file at runtime. Max length: 2048 characters | Optional |
+| document_password | Auto-filled for Adobe or Office files that prompt for a password. Max length: 32 characters. | Optional |
+| enable_tor | Whether the sandbox analysis routes network traffic via TOR. Can be "true" or "false". If true, sandbox analysis routes network traffic via TOR. Default is false. | Optional |
+| submit_name | Name of the malware sample that’s used for file type detection and analysis. | Optional |
+| system_date | Sets a custom date for the sandbox environment in the format yyyy-MM-dd. | Optional |
+| system_time | Sets a custom time for the sandbox environment in the format HH:mm. | Optional |
+
+
+#### Context Output
+
+| **Path** | **Type** | **Description** |
+| --- | --- | --- |
+| csfalconx.resource.submitted_id | String | Analysis ID received after submitting the file. |
+| csfalconx.resource.state | String | Analysis state. |
+| csfalconx.resource.created_timpestamp | String | Analysis start time. |
+| csfalconx.resource.sha256 | Unknown | SHA256 hash of the scanned file. |
+| csfalconx.resource.environment_id | Unknown | Environment ID of the analysis. |
+
+
+#### Command Example
+```!cs-fx-submit-url url="https://www.google.com" environment_id="160: Windows 10" action_script="default" document_password="password" enable_tor="false" submit_name="malware_test" system_date="2020-08-10" system_time="12:48"```
+
+#### Context Example
+
+```
+{
+ "csfalconx": {
+ "resource": {
+ "created_timestamp": "2020-07-03T06:36:19Z",
+ "environment_id": 160,
+ "state": "created",
+ "submitted_id": "1c9fe398b2294301aa3080ede8d77356_472d590fdd4e49639e41f81928df2542"
+ }
+ }
+}
+```
+
+#### Human Readable Output
+
+>### CrowdStrike Falcon X response:
+>|created_timestamp|environment_id|state|submitted_id|
+>|---|---|---|---|
+>| 2020-07-03T06:36:19Z | 160 | created | 1c9fe398b2294301aa3080ede8d77356_472d590fdd4e49639e41f81928df2542 |
+
+
+### cs-fx-download-ioc
+***
+Downloads IOC packs, PCAP files, and other analysis artifacts.
+
+
+#### Base Command
+
+`cs-fx-download-ioc`
+#### Input
+
+| **Argument Name** | **Description** | **Required** |
+| --- | --- | --- |
+| id | ID of an artifact, such as an IOC pack, PCAP file, or actor image. Find an artifact ID in a report or summary. | Required |
+| name | The name given to then downloaded file. | Optional |
+| accept_encoding | Format used to compress the downloaded file. Currently, you must provide the value of the GZIP file. | Optional |
+
+
+#### Context Output
+
+There is no context output for this command.
+ +#### Command Example +```!cs-fx-download-ioc id="cd1db2f53e8760792a48a2ec544a29e6f876643204598621783f71017f6b4266" name="test" accept_encoding="gzip"``` + +#### Context Example +``` +{ + "csfalconx": { + "resource": [ + [ + { + "ioc": "7.77.7.7", + "source": "runtime", + "type": "ip" + }, + { + "ioc": "054e58bdec6972ff4b3167b34e77612f", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "05d6eeb048c90c766aece42e337dde4d", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "0f109e8d4aedbf943299263b152d4f00", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "15dd37df165655f35e8ce536d024167f", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "16e8057213bd80adc4baaf3a1ecc3f82", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "17fc5228ad1d52335c5fe981253ee545", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "195ef9caeb0f6216d9e8cfd4be942d36", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "1b4b2c7752a15752d30c0c0e6970988c", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "1c3582f2c953e92f1be73969f49b209e", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "1d5dc5cb90058cf92f1466d2fcfa4c97", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "21d10abfd2a3d671e5db3539c0cf431e", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "222d020bd33c90170a8296adc1b7036a", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "2291c23b5ff917a1e40a64c5e5d71986", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "262810da4b496d7ce1486a413e4b12b1", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "264d51f1b2f3df04bb8bf07f7b1fb71c", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "28082a61a32170d0479e2b1523962135", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "2d630301c6a51385326aab073ff4ec2e", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "32b14e28f95191808d638688c9152843", + "source": "extracted", + "type": "md5" + 
}, + { + "ioc": "3623a0e7cdcf3310ffb4c87c5b43ae02", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "36353ce86b46b877af6d90325ff03b95", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "3663019e0506c85d753c08c02660b34a", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "394f5551ee04fb916f132a6ba807de11", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "3b48ed2a0c41e2329e9c7ab86edd64b1", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "3bbbb863f37d818aba19a8451927c616", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "3e52939e94c51551361a10ad81197b60", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "46266ab248b89b3a40542e63bfc02603", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "46eebcbe18910b967267d592f76a2836", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "4fe51249cdc1c1ab03173fd0bed7db4f", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "5695647c9de015395b00344eb9d48a9d", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "576af4ad78a176e07b1af29bcf92aa1e", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "59b1f27a96d13e54cd4867f0dddecd83", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "60767e9bd01835bd95792df61433ce4b", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "656da8a3661b746eb9374659d15c4a2b", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "67abaf7458772435ad67564b3fbf14a0", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "68b14871e4b235ac3788866621297a27", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "6d53703fddac024e2cf27fc4a7ac5df6", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "6f0cfccd7f00f7fd009b00ce6871272e", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "6fddc5aede1751f10ce62923c042a793", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "704730bc2fbc8c69a929e21ef8aa7379", + "source": "extracted", + "type": "md5" + }, + 
{ + "ioc": "72c6a76c1eec3490f06e41bfa0d3f26b", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "751b9ce3dc2dd9e3de156da983b2b3b4", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "77541eb350a5b881f81f3fcf6b9d3936", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "786551c4c8bcde890d0d4e0d70545529", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "7d3ed29c7c33ea81a14ab3563d3ce87c", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "7f15e8271ee067b6074493d93813dad3", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "80b82d4d5e9d867ff1113e1879d92f68", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "8295247d3dae9745677ec2c1d6339011", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "83018fe200707cc3205b49b59ad1f760", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "83129da20ca16fae0bf1e24820eb1906", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "878a59d39c6172aab0997124ece4e8fe", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "8c39aaffa9b99019fc96e298296543d3", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "8db811264a0a6282eb134f60c7844c57", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "8e5034c077d52dafd449df9206cf5471", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "9234edf95ad1d3409a38b90d16713467", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "93ba37530689e5f858dfa8b31ae6c236", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "951c29a740e714857433557e9de737c8", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "95351915b3f4e2d7f5c2a8744c0ce4eb", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "99ba01e7652e90cc1740d6eaef4effdf", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "9b305ac55cbefb495190ba4c3c6f8e97", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "9e284a4ffaad5f5c3a3b5d9f3ab0b03d", + "source": "extracted", + "type": "md5" + }, + { + 
"ioc": "9ec17d371530d8a4ee2c90fd393a1eb4", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "9ef29221c01ff06c6808b4c61108a824", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "a040a3ada27bd0421afbe20ce933af4b", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "a5603a0780d44b6edfb18b7a68880b93", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "a66cc76dfcb0f4ed5c51bd9c1b389a78", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "a6763ae35acd41ec0f50bdfcc559d83b", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "a6836a433946a889741af4943e2ba623", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "a82bba1dcff205558edc62b4509775f6", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "a856d4a6170bbdc323372974ffca437e", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "a881defcf778f764141d5770e55132e4", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "a949ea32164cbfbeffaace03d289e34f", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "af84af2c2eaa9500b4a85e4237434b24", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "b080dc93850347a50475fcd3df3a263a", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "b3dfec2163622335b59b717d85a8b0d4", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "b447d3f9668152426c12a2c497346553", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "b4b02868b76e096f64bfc214f9611e8f", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "b4e3cf26877344bbf70852ac3f7a5b94", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "b5ff695b08c839155c5eb003d6e90cba", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "b8a434d31c6a7557e3a5723c39cc2ab3", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "c10d754c27174b47349306b4c3a3054f", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "ce72a3a3fe723345694654f97dad8bb6", + "source": "extracted", + "type": "md5" + }, + { + 
"ioc": "d059dda2747521880e351cb19d66f25b", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "d1db526687b9439169ee91614fdd8e0c", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "d280e4b97c3981b9c85cda924a81ebac", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "d9129968f1e1cd135426368bbfaadb6b", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "d9472401f9b7002921cb909fa421393c", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "e03b08d438b560988883511e8d854a4b", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "e85a6a9cf37b580a47073a9f41f7e36e", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "eb815e917831e2d9475e148457799855", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "f2f95afad83bd1a8b4facf8debd6cf4c", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "f526b0de0664ec18965f46bcf39e6ab0", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "f8d1c5f572f3d8056d92e6a19f6a3186", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "fa0c8e71e7049ee4311b7c194ab9330b", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "fc47823102b667b6b7dc883155fbb574", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "fcab2d9f7bb7b3bee0fa8e47bcefdb95", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "fd3e826a891b2dba2acd7aea4e00599c", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "fdc1565e0b31d64d714aaf5234716bc2", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "fde52cb94e207ea2a2782dfa18d37ce3", + "source": "extracted", + "type": "md5" + }, + { + "ioc": "0409018a0d4c8a5fca7a6872fc5f36c6c117eabf", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "09bfa1e0ed619838c09a8a2f9d0f305f51f35293", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "0a332783a3be35d35b4f8e6ed24c29b9b73fb2b2", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "0b2e71f7031c3ae1e426916a84592629e5285974", + "source": 
"extracted", + "type": "sha1" + }, + { + "ioc": "0bccfbe2680222ed00fc5b78472d68395f67c5d1", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "0cbd138a2ffada08365752c96dfb01e9c4706e72", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "0f142aec235f5b7055a51671fc8dd11c41761e89", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "0f9f02b33e97a37a0a83198d9277c7de30a2a133", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "12adc4a068cae4dd09372d30ba5b472b9a6f9187", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "135ad157d42af083da9c48f1b3a97e44043c46b0", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "194a177ff869dcc601a1c20e87e8a0743591964a", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "1acc8207029efcfc2abeeaf2d87732041ce43af0", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "1cbb4004815ad74e82bd38a25a842a5d8a11e2b6", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "1dac6ad3f332fbadde42f043aea0bfe38f8f7462", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "1df02e555b0eb8720a0e8f3a6236e96edbd46a44", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "20f8bbae09d11d0815e29b8c34d05fbf94025665", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "21bb1242cad0f4ed15f5428dd2888b0927bbbcbe", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "21ee83eb497f555d141c0a5da6cf0f4ed15b1bad", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "23d45a52d72f7d6ce5dd6870f6db2c6cbbf24a95", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "2494479325f5d95b0282c5804f29a1a2d3f279bc", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "258de626af33f204eb4f88a10035bffc185269cd", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "25e45a471f0ffb063302539f1c8199890b38b5bd", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "291fad57d3dde5490dbadddd8ea0a21b5b22b0e3", + "source": "extracted", + "type": 
"sha1" + }, + { + "ioc": "2b2003a078355d1b5c40a7173d902975adb82161", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "2e2a6d9ed39c0cd66e78016f32bcc4791f17a68e", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "2f947dd46ff651e9a0d7f459eb6d8e762f828f35", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "31ab45ed24d82fa29928e621a50916d40ebf90b9", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "344955ef0750adab73dcb1f990e034a1768dff33", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "355c210e196f7eee39bdca034313e20f7c8ffd6f", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "360dec6792e5cfe2bc7839a3663ede38d04c4f29", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "40696cc382192e83346030175c22d3ee8262ca40", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "440d2777660ebf84a0f51b0e9d4d70b38e7baa0c", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "47571575dfeaa7a547dd37bca16d09189e79b4ca", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "47de58c724df0b49b2b0d3d1e9641cca121d9f5f", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "51b28ec7ce79ea6d744d762d17df66e55d54c580", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "526a85d9e22f5e46631e96a22361424936ce1226", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "5906da6d0e07c4110e990ff9ff93004340ab8124", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "5b0f2ae72eed1584bc91176a04206f69ade904aa", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "5b8df645cff49aa1390d76af30571412987b004b", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "5e890811ecb79be566670c281bbab2886f49c496", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "5ef850a2715d725561f6e184d03e885ece113b01", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "5f1735bdbe22512ae84bdd52ed4f491ea48596a0", + "source": "extracted", + "type": "sha1" + }, + { + 
"ioc": "60f8972d53c3ba46246ddf344903cd50513d07b2", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "612e6f443d927330b9b8ac13cc4a2a6b959cee48", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "654f2250a2d0fd6cce1d7a0b132787c0a6067e41", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "65a3847912fc6f1196d1057d520997772cdd4990", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "6a7038d482c73815fc532391e8fa39566a421f5a", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "7207b8aae726d16516ee568eca1348c3c45d86cf", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "7477e03983e8ce3b617ad8010ecbdb0c6d110482", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "76ac49e1c29553124d8b42de15092381919acfed", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "7ad583aa228ab1cc01af4d69b8a1256d3ffbef23", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "808cbf203744a91fd5dd754fd8ace8b53c59d743", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "8a82a108cb5533eb6fbb71464eddb6bb1568d6b9", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "8b1fa15062d370e53a774e1890bd62bbb1c64195", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "8b89e958739aba89e3e0651fca7e9c2a20e043c3", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "8cb4b9c3fa0426fba933b589c41547c9c74b1a43", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "8d02d2e21d0883aef74c58c4165b81eb2b91d687", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "8d2dfab4359f85d26d2273a665f4756ea309583f", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "8e9df2292f5280f7aed98b310e11668485a18e86", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "91bf4d341678981c67a865040de73340fcd01a41", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "97839f6c09dc984c06707e0562e858bb479c6443", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": 
"995c07769b3bf806c5bcd7d9211d56627dee888b", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "9b20e394a39ca22294fefc650f3d295c1380b3d5", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "9dff73112f7fc8397c3127e3b6a6efd0f5e23848", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "a5c10fc317416971fc5beb8ce2be03345f5128e2", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "a6419cdc5724dc9452de9ab1180f8d49bcc1aa3d", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "a78b33dc7086b59f9232dcf50d4e8590ccfd72ec", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "a8ee535fde7cb1bec7082c8df9566f0f97d6dd94", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "aaf20a6ec982df2a397bb975bf72cf5771128184", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "acee3127c9c3f2622a8bccc653cd740206cf66ff", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "af5b31dc8e381b2e2e07ead1efb37c6d39aa6569", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "b093757dbbc9e5e753a86addc10e8e5139ba7dcb", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "b36a63ad1c5758170ab356666916ac43db0b1e86", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "b3d4cf49fcf551f19bdd6af5df50cf43e0e85658", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "b3e15a4cc38d11187b9503989d9b1d17585f3bb7", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "b71226d430cfaca9adebaf2a584bec5ca3a72319", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "b718cc5a5ffcd038efd3f22a838712a410fb632b", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "ba9449290387275b0a80e03d534208a28614fa26", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "bd5d64d9ed4b3a4e9ce11c068f2c368be2c9a0f4", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "be3c08b7e5b5c2f7b8f6c28529725f5d73e0c764", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": 
"bfe8dca1c5b9e9cffe0c683bf2e87bd6522bd9e9", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "c0431f82350b647faf7f38bb6dd5447faafaeced", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "c28b4a54808e597a70f119d08bc61cec1157984f", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "c59bee3260b514d321d6bdabcb6d6ed7b88edc6a", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "c986d550e8c663fb9bb4990c597ae6f553eacb86", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "d210cb1c1a3b8eb3d926f76170c1f7afea241bc8", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "d50acc1b397e06076d96984ed55f58f720190422", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "d7e37398dedae7d0b252131dd63351e24434017c", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "d9d08cbc21098199b9525df1c7a931aa7d4ed6b3", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "da90758c936d2b4b07be6d9ad189f54ceb7c14ba", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "db4f4f54bfa4cc299db4b7c585b5c92e2c8800f3", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "e1bd983e865184f74fcd72cc5c8fda0e5471f84b", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "eefb7c27460f2ff6a770f8f20d4be44809d894c2", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "f37aafac973dd7b5dee1f37642f26b3882d63751", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "f491be785a74d3d99feb3158d453c7a2f5020be5", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "f715c61244912f292946f63cb3cf0b376110aa5c", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "f89dd73d45cce148548e35ba18872a08397fb3bb", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "fd97f7d413d542c1f80c9532b9accd97bf930b6b", + "source": "extracted", + "type": "sha1" + }, + { + "ioc": "005021b5f9b2672e7c6b846447c0cebeb8f9bd077428e2722948b51975f9660d", + "source": "extracted", + "type": "sha256" + }, + { + 
"ioc": "016a28eb17ff195a7a18a69649bb99f58a2f03496b141a95f88f92e28988b0a6", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "099fef1c71250ca5bf9dff4bffdeb04bca1e1f3eb853d1a974bf3a8cd39383ef", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "0f407d7194e7955e312b177b16cc409ac89b4d0494c60ce75469fd4c474d4043", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "1074ce0c035e280ff10ce80780840465024b3a019305145c61a26c8315c39164", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "11fa26754c6ed1985e2b4049b06f112450f275b040574518acf51a37fcca3360", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "141156d92537f78e092999fd7f66b99d69813e414b89ca21f0f25e7a71c4a311", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "1566ab7d93d6b46d25d4d06e25bce78a44ac1e40826b90b0b92dce533c919fe4", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "17095cf302d370f7e2f66e4335ef56058ae36e588be67d5530e191f2e95c8dd5", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "178267f61af3e6e76052ea6b7ade224977c524f4a7e72df8a1422c0dd6dd14b6", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "19b1060bedc50b9362640395e3ace60622228edd29caa54228c5b3b4e2a6082d", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "1a5612ca4453eeaef55e00a29b94cb55053db0febf5d767465fbf70348c473df", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "1e0ca5e091883e134828d8efda9866955212a455837bf6343e112afd2d5673d5", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "2016b27bbb381338db8a3205fe8391e0970bebe67470ab8fb09567563f625291", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "2572e5fe6786c52232c894641858abeef9c159200bf1f47acd5418e7e8b703e9", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "2a4cb70fd5a06adf1eee7e6d4cb89a4c8c92978cfa51bde8e3360b58fb62e49d", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": 
"2b52e902c2940fc007833114f30f1f54161f84da2f357b83d29b8c1134fb9a5d", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "2d35cc1bb51d974de29e8fcc3b9afb5dfcb7e7a3027b9a009dbc289dd99c2748", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "3083d74bc9f52470c62df3c711249fa60df4164762e2575139684f9ba3c71240", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "31acb2b8cf32b6081522359e4b6fd035a3c5de87e5cae667dc44406b31125cfd", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "366de179cdd67383a1483796335457797b853481ca0e5408659a11ae5d5e7b8e", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "384b850d0e1698e1592609245e0caa3e9e1e5c03641f055b9115a86fd781a7da", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "3b63770b6f507105dcd72414e7bdaef44852cd76ad48647b493e84702e7eef3d", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "40f873a43330c92904fa5763b509a2b651b4b29d0d2081bbb5ce10d2d12443be", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "4172d573062ad265f7d322d38883ccddff7b05e0820fb7ec3cf9801ebae64ed7", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "4432bbd1a390874f3f0a503d45cc48d346abc3a8c0213c289f4b615bf0ee84f3", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "46aade266c90ebc02d4c8018f537ed3043cd5486fea77d68955ea1613aa5458b", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "488c2c65b0b94be87b4c0036a098df25ee4f6cd2bf194b6f1a15441f2ee1db7d", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "4a6b711a3a224a9451e043be2ec2475c2849243601f45729611acf55617bb5e6", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "51e2236f5764848a02fb5673420699a12b78ff19c78ca0509a18b24f6b7d2b50", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "55759ff83e70935bc16506acc584db6f7b1d4e7f3a4fba044ca90a8e3e5241e0", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": 
"57a677b2cf2db05bd8a494ab4cbc9322cfde33b91220ed1080c1cf13f84fbf2e", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "600672e9164d0201ebb0349111994910105ad61386ca58c5d67556efa66f35c6", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "63a415feb02b52c34543ae9df5b069b1918d00e752bab94158a7380843d6cd06", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "6cb1b6e339a9117c2b25eba1515fe7ab9d616c262523dfdd12c76415d080f478", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "6e7b135be3e92d0709f0b7773202a7c3758233ecab4635700a464208cc9950c9", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "76ec85daea72b0c471fd559d3daa79ee9dc5e732015f6c698341ef9c94b84991", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "796daed8551007a9f7bf760a41de33dc92bfc32e6fb157f4e6af762ef2cce22b", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "7d73afa3dabaeec33cc7f5b2ff30f9489db7ed082234e42c78ae35aa52bb3a41", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "80c829f2db2ec88e55f34cf3473614d947ccc0ba39b2e267a8a93830470e5df0", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "844b02484b208c34b408fb61e4c8590970010997ed8ba2aee2009a33b01d7797", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "856bc7c058908168d12f859c3aa35a72a914be0c3b5dfdd9584fdbfaeb612bec", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "8909691ae3c674cc2bfcdd145c08eedca21c89b98403b38da958ab9ba1cefff6", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "8a0440855c7e08ecffde06a89f2182ea4cc3f493e75566170f040575a6a826e0", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "8d16cbada454edb42478219342651dd426815e703e446319a1ee690542eaef84", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "8e24a437490f1aa421b8ee7a95a0667041840b8cd10fd9a4d057ad73cd103864", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": 
"8faa9b6971eda5eb1ddab5d94adb4ae59c8455459b50dcbe3420f2c8d30914b7", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "8fbd98643ff35c35a7034ce402dc8e519af1497c80a509c26d8b48215862d14f", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "90cdec4faf737adb2623fd668b3f8b023acae1aef55d1596cc1371c6ca6c753c", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "916f43a76ee027ed5cfae1932e5211ac5d2023773f1af6f8f1e1e836c81aceef", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "9b32c07c158eec7eb6a0bb8df3961633db49faef0f06d54fe94fa8d50d056331", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "a43cfc443e8b9bfd88d81a8b45360f1327889b9ba4d5db2e89c0558c2fdb6333", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "a79100b37dc27bb1198c8f56199e5f1ff686ca039cf6d76dd40a0acdd53f8cc7", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "a8156f1a6b38353aa444924406ad47736c6aaf90e534db826bc68260a5583725", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "a98058ead416c9036e7b91817b09f1df2ce6f2e5b1a690f620d4661019f531f1", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "a9a62a6c3536f17922b116d5b258c7c10ba687f4734fa91df02f13c72510d1b5", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "aa853c997b93d102ba4201102c4f42fd52c55e69d1c54f08783df9c600bc5884", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "aec564e08b5b0e6efaafcb5e32acdf4f2595cefbee8f3bb8fc529adc74dd82e2", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "b177f1717f348b2dbe913c81ae906f31b12ce240886548c335fcd931b09be3e3", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "b5e72042bc0ebb598affa5dc5adde62afa4af7d11a61c9682c10807bd8e665f3", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "b7139337e7a72822ac22eff838e3e955f713203298b4a6c9c00e7a1e19245154", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": 
"b7b9555f4c2a4445f8d786bfad4c12bcf3c664a0f40d0576607cfa847d58eac2", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "b9865a550841bc99887b87502fcad20f1d0ceb3b84d88a1c70d6593101f6cd66", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "b9d5bcb6f63d7a3e20dd4ea343d9cefecd5770aa806c6471fa3da30d48888b26", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "c001f8e6a175f024e553986cea4453e3f95396d8b5a1b19c3242344bcfc5e4f0", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "c22d444aa5c44eeee70ec8e21f267faf8f5642507a331a304e026a798a7810ea", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "c23e0d3598c4477caa7a75632c5b158ea73db3a02dfeccee695528a8efa4aeac", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "c30ca342482170bcd279a029af1e6218a161b64c4bc2e725e63ded3bfd49983e", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "c444e5a71483c95ae89468ff5ab420d15e71b33b05372bd3a1db6c435e996796", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "c4eada327d83caebe0929b3aa638db533a2d30c4ef15a3dc4f445245dfd53797", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "c70c2b47003a69646fc8347ed31504fdc4d6f0941ebae8761ef0cadce6c56e88", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "c7ec4c42203f4931261ebf4e456a9bed0c389f9043ed8b6bfb97d7b9eb383319", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "c896ab2ab4f249ddd2e8be2bdb9e9956bcb5248c256e43e6474ef857f7f9141e", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "caf97c83f8926849e2f6eae191e2b9213550f410f6601c62f0aa7d3485ce79e5", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "cf62241aab4cc80a668ba9b676e0a55e870b945e38b710cdb3cd61c8ce6d7bd3", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "d18c35ae32ab207f8479c372e82aa6934f84aa640cc7bbffd285e5d40e17ad58", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": 
"d5930d3ebabc0aa8e731fd6c249dc0cf54922505e0cf8b1629f895c47cb46f84", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "d62251a0f4874e2b56f27c1b44c399d29d57db85cded1b1bd758911eeb3f7e2e", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "d683ab7b817616669795b19aa794270e3b957caa3b271bdf665401203c20d6bc", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "d7b088b36bd43bd4325f7ab98cc6ef1f021559faf97d8d45d23424b0a8fe0e63", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "e2f2b23b31261c95e53c178183cebccfe55c9057d756fdef07af6124491e6413", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "e432f683769629d5c5712f4b34f26ddac599b4ba9c360f58eb0f8ca8a3eba6f9", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "e4c1015408bbb08ddd32da612e63ccdfe4e6ed8f6b3048ade7b9b21d520e7abc", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "e71ca8e2723e179767ace6aa690ba08a63e83c4b700bef411f56519310788136", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "e889837f9b3205d9b8f6c4341f3655258cf266fa3e9c33056b4fa52e02550237", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "eb5544fbad7bff6c43ff8b03ba7b122450c6577379fc6f6e5bc05a0b482ace74", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "f40bbbe902680c45c2192ec261e1e32a2a561b626bb588c60ef712aaf49bf5f9", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "f42b6e6d7dbf55534906d6d4102957d2ff38d7660ac1f75ff7572c410992b545", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "f53612ca03a286c2c94e07ab0c49ea7c7cb51cff2f6674b36fc0667f70b93c4d", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "f629edf2af597ab193ba750e68712024fb3560edb2445cf3162a48df0b2725c4", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "f8142377e4387420430e233be0ab491395c5d90b2b3dff9bdc608a836e09ed1b", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": 
"f87046fbdd9a360b53561a02df2d6ebe87235c5c36c99eb03c1a81c0fa2f5cce", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "fa76c2a832dd0b351f1efd4a80ba8df2aaca9afa489a4de15182d81d12368a81", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "fb2556d2f1dc4deb27de7c59214134ea2839fd78580ce158943e94cf04819a61", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "fb3bd8af4332bd00f548a30e43e5e0180369afc581f0bdc04dba70e9296d5d3f", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "fc71e29adcf3f47d12ddcdbe3313f887c61f177d3c56346222f4b3d56324eec2", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "fd08e05c9ccc86940f430aed203fbd9366bc015c3d977baf18c306ce70cc2390", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "ff264234364940f1843d23207b67ba71554670d6372a0ce9b7dcd98915d16758", + "source": "extracted", + "type": "sha256" + }, + { + "ioc": "55759ff83e70935bc16506acc584db6f7b1d4e7f3a4fba044ca90a8e3e5241e0", + "source": "input", + "type": "sha256" + }, + { + "ioc": "178267f61af3e6e76052ea6b7ade224977c524f4a7e72df8a1422c0dd6dd14b6", + "source": "runtime", + "type": "sha256" + }, + { + "ioc": "2a4cb70fd5a06adf1eee7e6d4cb89a4c8c92978cfa51bde8e3360b58fb62e49d", + "source": "runtime", + "type": "sha256" + }, + { + "ioc": "4172d573062ad265f7d322d38883ccddff7b05e0820fb7ec3cf9801ebae64ed7", + "source": "runtime", + "type": "sha256" + }, + { + "ioc": "55759ff83e70935bc16506acc584db6f7b1d4e7f3a4fba044ca90a8e3e5241e0", + "source": "runtime", + "type": "sha256" + }, + { + "ioc": "b798e287d0d73c389f4ad8e0e55f88aa16d42757cd5ff9168bb855807ab66b6a", + "source": "runtime", + "type": "sha256" + }, + { + "ioc": "c4eada327d83caebe0929b3aa638db533a2d30c4ef15a3dc4f445245dfd53797", + "source": "runtime", + "type": "sha256" + }, + { + "ioc": "d7b088b36bd43bd4325f7ab98cc6ef1f021559faf97d8d45d23424b0a8fe0e63", + "source": "runtime", + "type": "sha256" + }, + { + "ioc": "hxxp://32.cc", + "source": "runtime", + "type": "url" + }, + { + 
"ioc": "hxxp://allocator.cc", + "source": "runtime", + "type": "url" + }, + { + "ioc": "hxxp://apply.cc", + "source": "runtime", + "type": "url" + }, + { + "ioc": "hxxp://arena.cc", + "source": "runtime", + "type": "url" + }, + { + "ioc": "hxxp://backup.cc", + "source": "runtime", + "type": "url" + }, + { + "ioc": "hxxp://behaviors.cc", + "source": "runtime", + "type": "url" + }, + { + "ioc": "hxxp://blink.net", + "source": "runtime", + "type": "url" + }, + { + "ioc": "hxxp://call.cc", + "source": "runtime", + "type": "url" + }, + { + "ioc": "hxxp://chrome.cc", + "source": "runtime", + "type": "url" + }, + { + "ioc": "hxxp://command.cc", + "source": "runtime", + "type": "url" + }, + { + "ioc": "hxxp://commands.cc", + "source": "runtime", + "type": "url" + }, + { + "ioc": "hxxp://common.cc", + "source": "runtime", + "type": "url" + }, + { + "ioc": "hxxp://crash.pb.cc", + "source": "runtime", + "type": "url" + }, + { + "ioc": "hxxp://dir.cc", + "source": "runtime", + "type": "url" + }, + { + "ioc": "hxxp://elf.cc", + "source": "runtime", + "type": "url" + }, + { + "ioc": "hxxp://event.cc", + "source": "runtime", + "type": "url" + }, + { + "ioc": "hxxp://experiment.cc", + "source": "runtime", + "type": "url" + }, + { + "ioc": "hxxp://gzip.cc", + "source": "runtime", + "type": "url" + }, + { + "ioc": "hxxp://handler.cc", + "source": "runtime", + "type": "url" + }, + { + "ioc": "hxxp://helper.cc", + "source": "runtime", + "type": "url" + }, + { + "ioc": "hxxp://impl.cc", + "source": "runtime", + "type": "url" + }, + { + "ioc": "hxxp://in.cc", + "source": "runtime", + "type": "url" + }, + { + "ioc": "hxxp://info.cc", + "source": "runtime", + "type": "url" + }, + { + "ioc": "hxxp://install.cc", + "source": "runtime", + "type": "url" + }, + { + "ioc": "hxxp://integration.cc", + "source": "runtime", + "type": "url" + }, + { + "ioc": "hxxp://io.cc", + "source": "runtime", + "type": "url" + }, + { + "ioc": "hxxp://item.cc", + "source": "runtime", + "type": "url" + }, + { + 
"ioc": "hxxp://list.cc", + "source": "runtime", + "type": "url" + }, + { + "ioc": "hxxp://lite.cc", + "source": "runtime", + "type": "url" + }, + { + "ioc": "hxxp://log.cc", + "source": "runtime", + "type": "url" + }, + { + "ioc": "hxxp://loop.cc", + "source": "runtime", + "type": "url" + }, + { + "ioc": "hxxp://main.cc", + "source": "runtime", + "type": "url" + }, + { + "ioc": "hxxp://memory.cc", + "source": "runtime", + "type": "url" + }, + { + "ioc": "hxxp://minidump.cc", + "source": "runtime", + "type": "url" + }, + { + "ioc": "hxxp://parameters.cc", + "source": "runtime", + "type": "url" + }, + { + "ioc": "hxxp://preferences.cc", + "source": "runtime", + "type": "url" + }, + { + "ioc": "hxxp://program.cc", + "source": "runtime", + "type": "url" + }, + { + "ioc": "hxxp://range.cc", + "source": "runtime", + "type": "url" + }, + { + "ioc": "hxxp://reader.cc", + "source": "runtime", + "type": "url" + }, + { + "ioc": "hxxp://recorder.cc", + "source": "runtime", + "type": "url" + }, + { + "ioc": "hxxp://report.pb.cc", + "source": "runtime", + "type": "url" + }, + { + "ioc": "hxxp://reports.cc", + "source": "runtime", + "type": "url" + }, + { + "ioc": "hxxp://seeker.cc", + "source": "runtime", + "type": "url" + }, + { + "ioc": "hxxp://server.cc", + "source": "runtime", + "type": "url" + }, + { + "ioc": "hxxp://settings.cc", + "source": "runtime", + "type": "url" + }, + { + "ioc": "hxxp://shortcut.cc", + "source": "runtime", + "type": "url" + }, + { + "ioc": "hxxp://snapshot.cc", + "source": "runtime", + "type": "url" + }, + { + "ioc": "hxxp://source.cc", + "source": "runtime", + "type": "url" + }, + { + "ioc": "hxxp://state.cc", + "source": "runtime", + "type": "url" + }, + { + "ioc": "hxxp://storage.cc", + "source": "runtime", + "type": "url" + }, + { + "ioc": "hxxp://stream.cc", + "source": "runtime", + "type": "url" + }, + { + "ioc": "hxxp://thread.cc", + "source": "runtime", + "type": "url" + }, + { + "ioc": "hxxp://tracker.cc", + "source": "runtime", + "type": 
"url" + }, + { + "ioc": "hxxp://trial.cc", + "source": "runtime", + "type": "url" + }, + { + "ioc": "hxxp://uninstall.cc", + "source": "runtime", + "type": "url" + }, + { + "ioc": "hxxp://util.cc", + "source": "runtime", + "type": "url" + }, + { + "ioc": "hxxp://version.cc", + "source": "runtime", + "type": "url" + }, + { + "ioc": "hxxp://versions.cc", + "source": "runtime", + "type": "url" + }, + { + "ioc": "hxxp://visitor.cc", + "source": "runtime", + "type": "url" + }, + { + "ioc": "hxxp://watcher.cc", + "source": "runtime", + "type": "url" + }, + { + "ioc": "hxxp://win.cc", + "source": "runtime", + "type": "url" + }, + { + "ioc": "hxxp://win32.cc", + "source": "runtime", + "type": "url" + }, + { + "ioc": "hxxp://worker.cc", + "source": "runtime", + "type": "url" + }, + { + "ioc": "hxxp://writable.cc", + "source": "runtime", + "type": "url" + }, + { + "ioc": "hxxp://writer.cc", + "source": "runtime", + "type": "url" + } + ] + ] + } +} +``` + +#### Human Readable Output + +>### CrowdStrike Falcon X response: +>|ioc|source|type| +>|---|---|---| +>| 7.77.7.7 | runtime | ip | +>| 054e58bdec6972ff4b3167b34e77612f | extracted | md5 | +>| 05d6eeb048c90c766aece42e337dde4d | extracted | md5 | +>| 0f109e8d4aedbf943299263b152d4f00 | extracted | md5 | +>| 15dd37df165655f35e8ce536d024167f | extracted | md5 | +>| 16e8057213bd80adc4baaf3a1ecc3f82 | extracted | md5 | +>| 17fc5228ad1d52335c5fe981253ee545 | extracted | md5 | +>| 195ef9caeb0f6216d9e8cfd4be942d36 | extracted | md5 | +>| 1b4b2c7752a15752d30c0c0e6970988c | extracted | md5 | +>| 1c3582f2c953e92f1be73969f49b209e | extracted | md5 | +>| 1d5dc5cb90058cf92f1466d2fcfa4c97 | extracted | md5 | +>| 21d10abfd2a3d671e5db3539c0cf431e | extracted | md5 | +>| 222d020bd33c90170a8296adc1b7036a | extracted | md5 | +>| 2291c23b5ff917a1e40a64c5e5d71986 | extracted | md5 | +>| 262810da4b496d7ce1486a413e4b12b1 | extracted | md5 | +>| 264d51f1b2f3df04bb8bf07f7b1fb71c | extracted | md5 | +>| 28082a61a32170d0479e2b1523962135 | extracted | 
md5 | +>| 2d630301c6a51385326aab073ff4ec2e | extracted | md5 | +>| 32b14e28f95191808d638688c9152843 | extracted | md5 | +>| 3623a0e7cdcf3310ffb4c87c5b43ae02 | extracted | md5 | +>| 36353ce86b46b877af6d90325ff03b95 | extracted | md5 | +>| 3663019e0506c85d753c08c02660b34a | extracted | md5 | +>| 394f5551ee04fb916f132a6ba807de11 | extracted | md5 | +>| 3b48ed2a0c41e2329e9c7ab86edd64b1 | extracted | md5 | +>| 3bbbb863f37d818aba19a8451927c616 | extracted | md5 | +>| 3e52939e94c51551361a10ad81197b60 | extracted | md5 | +>| 46266ab248b89b3a40542e63bfc02603 | extracted | md5 | +>| 46eebcbe18910b967267d592f76a2836 | extracted | md5 | +>| 4fe51249cdc1c1ab03173fd0bed7db4f | extracted | md5 | +>| 5695647c9de015395b00344eb9d48a9d | extracted | md5 | +>| 576af4ad78a176e07b1af29bcf92aa1e | extracted | md5 | +>| 59b1f27a96d13e54cd4867f0dddecd83 | extracted | md5 | +>| 60767e9bd01835bd95792df61433ce4b | extracted | md5 | +>| 656da8a3661b746eb9374659d15c4a2b | extracted | md5 | +>| 67abaf7458772435ad67564b3fbf14a0 | extracted | md5 | +>| 68b14871e4b235ac3788866621297a27 | extracted | md5 | +>| 6d53703fddac024e2cf27fc4a7ac5df6 | extracted | md5 | +>| 6f0cfccd7f00f7fd009b00ce6871272e | extracted | md5 | +>| 6fddc5aede1751f10ce62923c042a793 | extracted | md5 | +>| 704730bc2fbc8c69a929e21ef8aa7379 | extracted | md5 | +>| 72c6a76c1eec3490f06e41bfa0d3f26b | extracted | md5 | +>| 751b9ce3dc2dd9e3de156da983b2b3b4 | extracted | md5 | +>| 77541eb350a5b881f81f3fcf6b9d3936 | extracted | md5 | +>| 786551c4c8bcde890d0d4e0d70545529 | extracted | md5 | +>| 7d3ed29c7c33ea81a14ab3563d3ce87c | extracted | md5 | +>| 7f15e8271ee067b6074493d93813dad3 | extracted | md5 | +>| 80b82d4d5e9d867ff1113e1879d92f68 | extracted | md5 | +>| 8295247d3dae9745677ec2c1d6339011 | extracted | md5 | +>| 83018fe200707cc3205b49b59ad1f760 | extracted | md5 | +>| 83129da20ca16fae0bf1e24820eb1906 | extracted | md5 | +>| 878a59d39c6172aab0997124ece4e8fe | extracted | md5 | +>| 8c39aaffa9b99019fc96e298296543d3 | extracted | md5 
| +>| 8db811264a0a6282eb134f60c7844c57 | extracted | md5 | +>| 8e5034c077d52dafd449df9206cf5471 | extracted | md5 | +>| 9234edf95ad1d3409a38b90d16713467 | extracted | md5 | +>| 93ba37530689e5f858dfa8b31ae6c236 | extracted | md5 | +>| 951c29a740e714857433557e9de737c8 | extracted | md5 | +>| 95351915b3f4e2d7f5c2a8744c0ce4eb | extracted | md5 | +>| 99ba01e7652e90cc1740d6eaef4effdf | extracted | md5 | +>| 9b305ac55cbefb495190ba4c3c6f8e97 | extracted | md5 | +>| 9e284a4ffaad5f5c3a3b5d9f3ab0b03d | extracted | md5 | +>| 9ec17d371530d8a4ee2c90fd393a1eb4 | extracted | md5 | +>| 9ef29221c01ff06c6808b4c61108a824 | extracted | md5 | +>| a040a3ada27bd0421afbe20ce933af4b | extracted | md5 | +>| a5603a0780d44b6edfb18b7a68880b93 | extracted | md5 | +>| a66cc76dfcb0f4ed5c51bd9c1b389a78 | extracted | md5 | +>| a6763ae35acd41ec0f50bdfcc559d83b | extracted | md5 | +>| a6836a433946a889741af4943e2ba623 | extracted | md5 | +>| a82bba1dcff205558edc62b4509775f6 | extracted | md5 | +>| a856d4a6170bbdc323372974ffca437e | extracted | md5 | +>| a881defcf778f764141d5770e55132e4 | extracted | md5 | +>| a949ea32164cbfbeffaace03d289e34f | extracted | md5 | +>| af84af2c2eaa9500b4a85e4237434b24 | extracted | md5 | +>| b080dc93850347a50475fcd3df3a263a | extracted | md5 | +>| b3dfec2163622335b59b717d85a8b0d4 | extracted | md5 | +>| b447d3f9668152426c12a2c497346553 | extracted | md5 | +>| b4b02868b76e096f64bfc214f9611e8f | extracted | md5 | +>| b4e3cf26877344bbf70852ac3f7a5b94 | extracted | md5 | +>| b5ff695b08c839155c5eb003d6e90cba | extracted | md5 | +>| b8a434d31c6a7557e3a5723c39cc2ab3 | extracted | md5 | +>| c10d754c27174b47349306b4c3a3054f | extracted | md5 | +>| ce72a3a3fe723345694654f97dad8bb6 | extracted | md5 | +>| d059dda2747521880e351cb19d66f25b | extracted | md5 | +>| d1db526687b9439169ee91614fdd8e0c | extracted | md5 | +>| d280e4b97c3981b9c85cda924a81ebac | extracted | md5 | +>| d9129968f1e1cd135426368bbfaadb6b | extracted | md5 | +>| d9472401f9b7002921cb909fa421393c | extracted | md5 | 
+>| e03b08d438b560988883511e8d854a4b | extracted | md5 | +>| e85a6a9cf37b580a47073a9f41f7e36e | extracted | md5 | +>| eb815e917831e2d9475e148457799855 | extracted | md5 | +>| f2f95afad83bd1a8b4facf8debd6cf4c | extracted | md5 | +>| f526b0de0664ec18965f46bcf39e6ab0 | extracted | md5 | +>| f8d1c5f572f3d8056d92e6a19f6a3186 | extracted | md5 | +>| fa0c8e71e7049ee4311b7c194ab9330b | extracted | md5 | +>| fc47823102b667b6b7dc883155fbb574 | extracted | md5 | +>| fcab2d9f7bb7b3bee0fa8e47bcefdb95 | extracted | md5 | +>| fd3e826a891b2dba2acd7aea4e00599c | extracted | md5 | +>| fdc1565e0b31d64d714aaf5234716bc2 | extracted | md5 | +>| fde52cb94e207ea2a2782dfa18d37ce3 | extracted | md5 | +>| 0409018a0d4c8a5fca7a6872fc5f36c6c117eabf | extracted | sha1 | +>| 09bfa1e0ed619838c09a8a2f9d0f305f51f35293 | extracted | sha1 | +>| 0a332783a3be35d35b4f8e6ed24c29b9b73fb2b2 | extracted | sha1 | +>| 0b2e71f7031c3ae1e426916a84592629e5285974 | extracted | sha1 | +>| 0bccfbe2680222ed00fc5b78472d68395f67c5d1 | extracted | sha1 | +>| 0cbd138a2ffada08365752c96dfb01e9c4706e72 | extracted | sha1 | +>| 0f142aec235f5b7055a51671fc8dd11c41761e89 | extracted | sha1 | +>| 0f9f02b33e97a37a0a83198d9277c7de30a2a133 | extracted | sha1 | +>| 12adc4a068cae4dd09372d30ba5b472b9a6f9187 | extracted | sha1 | +>| 135ad157d42af083da9c48f1b3a97e44043c46b0 | extracted | sha1 | +>| 194a177ff869dcc601a1c20e87e8a0743591964a | extracted | sha1 | +>| 1acc8207029efcfc2abeeaf2d87732041ce43af0 | extracted | sha1 | +>| 1cbb4004815ad74e82bd38a25a842a5d8a11e2b6 | extracted | sha1 | +>| 1dac6ad3f332fbadde42f043aea0bfe38f8f7462 | extracted | sha1 | +>| 1df02e555b0eb8720a0e8f3a6236e96edbd46a44 | extracted | sha1 | +>| 20f8bbae09d11d0815e29b8c34d05fbf94025665 | extracted | sha1 | +>| 21bb1242cad0f4ed15f5428dd2888b0927bbbcbe | extracted | sha1 | +>| 21ee83eb497f555d141c0a5da6cf0f4ed15b1bad | extracted | sha1 | +>| 23d45a52d72f7d6ce5dd6870f6db2c6cbbf24a95 | extracted | sha1 | +>| 2494479325f5d95b0282c5804f29a1a2d3f279bc | extracted | 
sha1 | +>| 258de626af33f204eb4f88a10035bffc185269cd | extracted | sha1 | +>| 25e45a471f0ffb063302539f1c8199890b38b5bd | extracted | sha1 | +>| 291fad57d3dde5490dbadddd8ea0a21b5b22b0e3 | extracted | sha1 | +>| 2b2003a078355d1b5c40a7173d902975adb82161 | extracted | sha1 | +>| 2e2a6d9ed39c0cd66e78016f32bcc4791f17a68e | extracted | sha1 | +>| 2f947dd46ff651e9a0d7f459eb6d8e762f828f35 | extracted | sha1 | +>| 31ab45ed24d82fa29928e621a50916d40ebf90b9 | extracted | sha1 | +>| 344955ef0750adab73dcb1f990e034a1768dff33 | extracted | sha1 | +>| 355c210e196f7eee39bdca034313e20f7c8ffd6f | extracted | sha1 | +>| 360dec6792e5cfe2bc7839a3663ede38d04c4f29 | extracted | sha1 | +>| 40696cc382192e83346030175c22d3ee8262ca40 | extracted | sha1 | +>| 440d2777660ebf84a0f51b0e9d4d70b38e7baa0c | extracted | sha1 | +>| 47571575dfeaa7a547dd37bca16d09189e79b4ca | extracted | sha1 | +>| 47de58c724df0b49b2b0d3d1e9641cca121d9f5f | extracted | sha1 | +>| 51b28ec7ce79ea6d744d762d17df66e55d54c580 | extracted | sha1 | +>| 526a85d9e22f5e46631e96a22361424936ce1226 | extracted | sha1 | +>| 5906da6d0e07c4110e990ff9ff93004340ab8124 | extracted | sha1 | +>| 5b0f2ae72eed1584bc91176a04206f69ade904aa | extracted | sha1 | +>| 5b8df645cff49aa1390d76af30571412987b004b | extracted | sha1 | +>| 5e890811ecb79be566670c281bbab2886f49c496 | extracted | sha1 | +>| 5ef850a2715d725561f6e184d03e885ece113b01 | extracted | sha1 | +>| 5f1735bdbe22512ae84bdd52ed4f491ea48596a0 | extracted | sha1 | +>| 60f8972d53c3ba46246ddf344903cd50513d07b2 | extracted | sha1 | +>| 612e6f443d927330b9b8ac13cc4a2a6b959cee48 | extracted | sha1 | +>| 654f2250a2d0fd6cce1d7a0b132787c0a6067e41 | extracted | sha1 | +>| 65a3847912fc6f1196d1057d520997772cdd4990 | extracted | sha1 | +>| 6a7038d482c73815fc532391e8fa39566a421f5a | extracted | sha1 | +>| 7207b8aae726d16516ee568eca1348c3c45d86cf | extracted | sha1 | +>| 7477e03983e8ce3b617ad8010ecbdb0c6d110482 | extracted | sha1 | +>| 76ac49e1c29553124d8b42de15092381919acfed | extracted | sha1 | +>| 
7ad583aa228ab1cc01af4d69b8a1256d3ffbef23 | extracted | sha1 | +>| 808cbf203744a91fd5dd754fd8ace8b53c59d743 | extracted | sha1 | +>| 8a82a108cb5533eb6fbb71464eddb6bb1568d6b9 | extracted | sha1 | +>| 8b1fa15062d370e53a774e1890bd62bbb1c64195 | extracted | sha1 | +>| 8b89e958739aba89e3e0651fca7e9c2a20e043c3 | extracted | sha1 | +>| 8cb4b9c3fa0426fba933b589c41547c9c74b1a43 | extracted | sha1 | +>| 8d02d2e21d0883aef74c58c4165b81eb2b91d687 | extracted | sha1 | +>| 8d2dfab4359f85d26d2273a665f4756ea309583f | extracted | sha1 | +>| 8e9df2292f5280f7aed98b310e11668485a18e86 | extracted | sha1 | +>| 91bf4d341678981c67a865040de73340fcd01a41 | extracted | sha1 | +>| 97839f6c09dc984c06707e0562e858bb479c6443 | extracted | sha1 | +>| 995c07769b3bf806c5bcd7d9211d56627dee888b | extracted | sha1 | +>| 9b20e394a39ca22294fefc650f3d295c1380b3d5 | extracted | sha1 | +>| 9dff73112f7fc8397c3127e3b6a6efd0f5e23848 | extracted | sha1 | +>| a5c10fc317416971fc5beb8ce2be03345f5128e2 | extracted | sha1 | +>| a6419cdc5724dc9452de9ab1180f8d49bcc1aa3d | extracted | sha1 | +>| a78b33dc7086b59f9232dcf50d4e8590ccfd72ec | extracted | sha1 | +>| a8ee535fde7cb1bec7082c8df9566f0f97d6dd94 | extracted | sha1 | +>| aaf20a6ec982df2a397bb975bf72cf5771128184 | extracted | sha1 | +>| acee3127c9c3f2622a8bccc653cd740206cf66ff | extracted | sha1 | +>| af5b31dc8e381b2e2e07ead1efb37c6d39aa6569 | extracted | sha1 | +>| b093757dbbc9e5e753a86addc10e8e5139ba7dcb | extracted | sha1 | +>| b36a63ad1c5758170ab356666916ac43db0b1e86 | extracted | sha1 | +>| b3d4cf49fcf551f19bdd6af5df50cf43e0e85658 | extracted | sha1 | +>| b3e15a4cc38d11187b9503989d9b1d17585f3bb7 | extracted | sha1 | +>| b71226d430cfaca9adebaf2a584bec5ca3a72319 | extracted | sha1 | +>| b718cc5a5ffcd038efd3f22a838712a410fb632b | extracted | sha1 | +>| ba9449290387275b0a80e03d534208a28614fa26 | extracted | sha1 | +>| bd5d64d9ed4b3a4e9ce11c068f2c368be2c9a0f4 | extracted | sha1 | +>| be3c08b7e5b5c2f7b8f6c28529725f5d73e0c764 | extracted | sha1 | +>| 
bfe8dca1c5b9e9cffe0c683bf2e87bd6522bd9e9 | extracted | sha1 | +>| c0431f82350b647faf7f38bb6dd5447faafaeced | extracted | sha1 | +>| c28b4a54808e597a70f119d08bc61cec1157984f | extracted | sha1 | +>| c59bee3260b514d321d6bdabcb6d6ed7b88edc6a | extracted | sha1 | +>| c986d550e8c663fb9bb4990c597ae6f553eacb86 | extracted | sha1 | +>| d210cb1c1a3b8eb3d926f76170c1f7afea241bc8 | extracted | sha1 | +>| d50acc1b397e06076d96984ed55f58f720190422 | extracted | sha1 | +>| d7e37398dedae7d0b252131dd63351e24434017c | extracted | sha1 | +>| d9d08cbc21098199b9525df1c7a931aa7d4ed6b3 | extracted | sha1 | +>| da90758c936d2b4b07be6d9ad189f54ceb7c14ba | extracted | sha1 | +>| db4f4f54bfa4cc299db4b7c585b5c92e2c8800f3 | extracted | sha1 | +>| e1bd983e865184f74fcd72cc5c8fda0e5471f84b | extracted | sha1 | +>| eefb7c27460f2ff6a770f8f20d4be44809d894c2 | extracted | sha1 | +>| f37aafac973dd7b5dee1f37642f26b3882d63751 | extracted | sha1 | +>| f491be785a74d3d99feb3158d453c7a2f5020be5 | extracted | sha1 | +>| f715c61244912f292946f63cb3cf0b376110aa5c | extracted | sha1 | +>| f89dd73d45cce148548e35ba18872a08397fb3bb | extracted | sha1 | +>| fd97f7d413d542c1f80c9532b9accd97bf930b6b | extracted | sha1 | +>| 005021b5f9b2672e7c6b846447c0cebeb8f9bd077428e2722948b51975f9660d | extracted | sha256 | +>| 016a28eb17ff195a7a18a69649bb99f58a2f03496b141a95f88f92e28988b0a6 | extracted | sha256 | +>| 099fef1c71250ca5bf9dff4bffdeb04bca1e1f3eb853d1a974bf3a8cd39383ef | extracted | sha256 | +>| 0f407d7194e7955e312b177b16cc409ac89b4d0494c60ce75469fd4c474d4043 | extracted | sha256 | +>| 1074ce0c035e280ff10ce80780840465024b3a019305145c61a26c8315c39164 | extracted | sha256 | +>| 11fa26754c6ed1985e2b4049b06f112450f275b040574518acf51a37fcca3360 | extracted | sha256 | +>| 141156d92537f78e092999fd7f66b99d69813e414b89ca21f0f25e7a71c4a311 | extracted | sha256 | +>| 1566ab7d93d6b46d25d4d06e25bce78a44ac1e40826b90b0b92dce533c919fe4 | extracted | sha256 | +>| 17095cf302d370f7e2f66e4335ef56058ae36e588be67d5530e191f2e95c8dd5 | 
extracted | sha256 | +>| 178267f61af3e6e76052ea6b7ade224977c524f4a7e72df8a1422c0dd6dd14b6 | extracted | sha256 | +>| 19b1060bedc50b9362640395e3ace60622228edd29caa54228c5b3b4e2a6082d | extracted | sha256 | +>| 1a5612ca4453eeaef55e00a29b94cb55053db0febf5d767465fbf70348c473df | extracted | sha256 | +>| 1e0ca5e091883e134828d8efda9866955212a455837bf6343e112afd2d5673d5 | extracted | sha256 | +>| 2016b27bbb381338db8a3205fe8391e0970bebe67470ab8fb09567563f625291 | extracted | sha256 | +>| 2572e5fe6786c52232c894641858abeef9c159200bf1f47acd5418e7e8b703e9 | extracted | sha256 | +>| 2a4cb70fd5a06adf1eee7e6d4cb89a4c8c92978cfa51bde8e3360b58fb62e49d | extracted | sha256 | +>| 2b52e902c2940fc007833114f30f1f54161f84da2f357b83d29b8c1134fb9a5d | extracted | sha256 | +>| 2d35cc1bb51d974de29e8fcc3b9afb5dfcb7e7a3027b9a009dbc289dd99c2748 | extracted | sha256 | +>| 3083d74bc9f52470c62df3c711249fa60df4164762e2575139684f9ba3c71240 | extracted | sha256 | +>| 31acb2b8cf32b6081522359e4b6fd035a3c5de87e5cae667dc44406b31125cfd | extracted | sha256 | +>| 366de179cdd67383a1483796335457797b853481ca0e5408659a11ae5d5e7b8e | extracted | sha256 | +>| 384b850d0e1698e1592609245e0caa3e9e1e5c03641f055b9115a86fd781a7da | extracted | sha256 | +>| 3b63770b6f507105dcd72414e7bdaef44852cd76ad48647b493e84702e7eef3d | extracted | sha256 | +>| 40f873a43330c92904fa5763b509a2b651b4b29d0d2081bbb5ce10d2d12443be | extracted | sha256 | +>| 4172d573062ad265f7d322d38883ccddff7b05e0820fb7ec3cf9801ebae64ed7 | extracted | sha256 | +>| 4432bbd1a390874f3f0a503d45cc48d346abc3a8c0213c289f4b615bf0ee84f3 | extracted | sha256 | +>| 46aade266c90ebc02d4c8018f537ed3043cd5486fea77d68955ea1613aa5458b | extracted | sha256 | +>| 488c2c65b0b94be87b4c0036a098df25ee4f6cd2bf194b6f1a15441f2ee1db7d | extracted | sha256 | +>| 4a6b711a3a224a9451e043be2ec2475c2849243601f45729611acf55617bb5e6 | extracted | sha256 | +>| 51e2236f5764848a02fb5673420699a12b78ff19c78ca0509a18b24f6b7d2b50 | extracted | sha256 | +>| 
55759ff83e70935bc16506acc584db6f7b1d4e7f3a4fba044ca90a8e3e5241e0 | extracted | sha256 | +>| 57a677b2cf2db05bd8a494ab4cbc9322cfde33b91220ed1080c1cf13f84fbf2e | extracted | sha256 | +>| 600672e9164d0201ebb0349111994910105ad61386ca58c5d67556efa66f35c6 | extracted | sha256 | +>| 63a415feb02b52c34543ae9df5b069b1918d00e752bab94158a7380843d6cd06 | extracted | sha256 | +>| 6cb1b6e339a9117c2b25eba1515fe7ab9d616c262523dfdd12c76415d080f478 | extracted | sha256 | +>| 6e7b135be3e92d0709f0b7773202a7c3758233ecab4635700a464208cc9950c9 | extracted | sha256 | +>| 76ec85daea72b0c471fd559d3daa79ee9dc5e732015f6c698341ef9c94b84991 | extracted | sha256 | +>| 796daed8551007a9f7bf760a41de33dc92bfc32e6fb157f4e6af762ef2cce22b | extracted | sha256 | +>| 7d73afa3dabaeec33cc7f5b2ff30f9489db7ed082234e42c78ae35aa52bb3a41 | extracted | sha256 | +>| 80c829f2db2ec88e55f34cf3473614d947ccc0ba39b2e267a8a93830470e5df0 | extracted | sha256 | +>| 844b02484b208c34b408fb61e4c8590970010997ed8ba2aee2009a33b01d7797 | extracted | sha256 | +>| 856bc7c058908168d12f859c3aa35a72a914be0c3b5dfdd9584fdbfaeb612bec | extracted | sha256 | +>| 8909691ae3c674cc2bfcdd145c08eedca21c89b98403b38da958ab9ba1cefff6 | extracted | sha256 | +>| 8a0440855c7e08ecffde06a89f2182ea4cc3f493e75566170f040575a6a826e0 | extracted | sha256 | +>| 8d16cbada454edb42478219342651dd426815e703e446319a1ee690542eaef84 | extracted | sha256 | +>| 8e24a437490f1aa421b8ee7a95a0667041840b8cd10fd9a4d057ad73cd103864 | extracted | sha256 | +>| 8faa9b6971eda5eb1ddab5d94adb4ae59c8455459b50dcbe3420f2c8d30914b7 | extracted | sha256 | +>| 8fbd98643ff35c35a7034ce402dc8e519af1497c80a509c26d8b48215862d14f | extracted | sha256 | +>| 90cdec4faf737adb2623fd668b3f8b023acae1aef55d1596cc1371c6ca6c753c | extracted | sha256 | +>| 916f43a76ee027ed5cfae1932e5211ac5d2023773f1af6f8f1e1e836c81aceef | extracted | sha256 | +>| 9b32c07c158eec7eb6a0bb8df3961633db49faef0f06d54fe94fa8d50d056331 | extracted | sha256 | +>| a43cfc443e8b9bfd88d81a8b45360f1327889b9ba4d5db2e89c0558c2fdb6333 | 
extracted | sha256 | +>| a79100b37dc27bb1198c8f56199e5f1ff686ca039cf6d76dd40a0acdd53f8cc7 | extracted | sha256 | +>| a8156f1a6b38353aa444924406ad47736c6aaf90e534db826bc68260a5583725 | extracted | sha256 | +>| a98058ead416c9036e7b91817b09f1df2ce6f2e5b1a690f620d4661019f531f1 | extracted | sha256 | +>| a9a62a6c3536f17922b116d5b258c7c10ba687f4734fa91df02f13c72510d1b5 | extracted | sha256 | +>| aa853c997b93d102ba4201102c4f42fd52c55e69d1c54f08783df9c600bc5884 | extracted | sha256 | +>| aec564e08b5b0e6efaafcb5e32acdf4f2595cefbee8f3bb8fc529adc74dd82e2 | extracted | sha256 | +>| b177f1717f348b2dbe913c81ae906f31b12ce240886548c335fcd931b09be3e3 | extracted | sha256 | +>| b5e72042bc0ebb598affa5dc5adde62afa4af7d11a61c9682c10807bd8e665f3 | extracted | sha256 | +>| b7139337e7a72822ac22eff838e3e955f713203298b4a6c9c00e7a1e19245154 | extracted | sha256 | +>| b7b9555f4c2a4445f8d786bfad4c12bcf3c664a0f40d0576607cfa847d58eac2 | extracted | sha256 | +>| b9865a550841bc99887b87502fcad20f1d0ceb3b84d88a1c70d6593101f6cd66 | extracted | sha256 | +>| b9d5bcb6f63d7a3e20dd4ea343d9cefecd5770aa806c6471fa3da30d48888b26 | extracted | sha256 | +>| c001f8e6a175f024e553986cea4453e3f95396d8b5a1b19c3242344bcfc5e4f0 | extracted | sha256 | +>| c22d444aa5c44eeee70ec8e21f267faf8f5642507a331a304e026a798a7810ea | extracted | sha256 | +>| c23e0d3598c4477caa7a75632c5b158ea73db3a02dfeccee695528a8efa4aeac | extracted | sha256 | +>| c30ca342482170bcd279a029af1e6218a161b64c4bc2e725e63ded3bfd49983e | extracted | sha256 | +>| c444e5a71483c95ae89468ff5ab420d15e71b33b05372bd3a1db6c435e996796 | extracted | sha256 | +>| c4eada327d83caebe0929b3aa638db533a2d30c4ef15a3dc4f445245dfd53797 | extracted | sha256 | +>| c70c2b47003a69646fc8347ed31504fdc4d6f0941ebae8761ef0cadce6c56e88 | extracted | sha256 | +>| c7ec4c42203f4931261ebf4e456a9bed0c389f9043ed8b6bfb97d7b9eb383319 | extracted | sha256 | +>| c896ab2ab4f249ddd2e8be2bdb9e9956bcb5248c256e43e6474ef857f7f9141e | extracted | sha256 | +>| 
caf97c83f8926849e2f6eae191e2b9213550f410f6601c62f0aa7d3485ce79e5 | extracted | sha256 | +>| cf62241aab4cc80a668ba9b676e0a55e870b945e38b710cdb3cd61c8ce6d7bd3 | extracted | sha256 | +>| d18c35ae32ab207f8479c372e82aa6934f84aa640cc7bbffd285e5d40e17ad58 | extracted | sha256 | +>| d5930d3ebabc0aa8e731fd6c249dc0cf54922505e0cf8b1629f895c47cb46f84 | extracted | sha256 | +>| d62251a0f4874e2b56f27c1b44c399d29d57db85cded1b1bd758911eeb3f7e2e | extracted | sha256 | +>| d683ab7b817616669795b19aa794270e3b957caa3b271bdf665401203c20d6bc | extracted | sha256 | +>| d7b088b36bd43bd4325f7ab98cc6ef1f021559faf97d8d45d23424b0a8fe0e63 | extracted | sha256 | +>| e2f2b23b31261c95e53c178183cebccfe55c9057d756fdef07af6124491e6413 | extracted | sha256 | +>| e432f683769629d5c5712f4b34f26ddac599b4ba9c360f58eb0f8ca8a3eba6f9 | extracted | sha256 | +>| e4c1015408bbb08ddd32da612e63ccdfe4e6ed8f6b3048ade7b9b21d520e7abc | extracted | sha256 | +>| e71ca8e2723e179767ace6aa690ba08a63e83c4b700bef411f56519310788136 | extracted | sha256 | +>| e889837f9b3205d9b8f6c4341f3655258cf266fa3e9c33056b4fa52e02550237 | extracted | sha256 | +>| eb5544fbad7bff6c43ff8b03ba7b122450c6577379fc6f6e5bc05a0b482ace74 | extracted | sha256 | +>| f40bbbe902680c45c2192ec261e1e32a2a561b626bb588c60ef712aaf49bf5f9 | extracted | sha256 | +>| f42b6e6d7dbf55534906d6d4102957d2ff38d7660ac1f75ff7572c410992b545 | extracted | sha256 | +>| f53612ca03a286c2c94e07ab0c49ea7c7cb51cff2f6674b36fc0667f70b93c4d | extracted | sha256 | +>| f629edf2af597ab193ba750e68712024fb3560edb2445cf3162a48df0b2725c4 | extracted | sha256 | +>| f8142377e4387420430e233be0ab491395c5d90b2b3dff9bdc608a836e09ed1b | extracted | sha256 | +>| f87046fbdd9a360b53561a02df2d6ebe87235c5c36c99eb03c1a81c0fa2f5cce | extracted | sha256 | +>| fa76c2a832dd0b351f1efd4a80ba8df2aaca9afa489a4de15182d81d12368a81 | extracted | sha256 | +>| fb2556d2f1dc4deb27de7c59214134ea2839fd78580ce158943e94cf04819a61 | extracted | sha256 | +>| fb3bd8af4332bd00f548a30e43e5e0180369afc581f0bdc04dba70e9296d5d3f | 
extracted | sha256 | +>| fc71e29adcf3f47d12ddcdbe3313f887c61f177d3c56346222f4b3d56324eec2 | extracted | sha256 | +>| fd08e05c9ccc86940f430aed203fbd9366bc015c3d977baf18c306ce70cc2390 | extracted | sha256 | +>| ff264234364940f1843d23207b67ba71554670d6372a0ce9b7dcd98915d16758 | extracted | sha256 | +>| 55759ff83e70935bc16506acc584db6f7b1d4e7f3a4fba044ca90a8e3e5241e0 | input | sha256 | +>| 178267f61af3e6e76052ea6b7ade224977c524f4a7e72df8a1422c0dd6dd14b6 | runtime | sha256 | +>| 2a4cb70fd5a06adf1eee7e6d4cb89a4c8c92978cfa51bde8e3360b58fb62e49d | runtime | sha256 | +>| 4172d573062ad265f7d322d38883ccddff7b05e0820fb7ec3cf9801ebae64ed7 | runtime | sha256 | +>| 55759ff83e70935bc16506acc584db6f7b1d4e7f3a4fba044ca90a8e3e5241e0 | runtime | sha256 | +>| b798e287d0d73c389f4ad8e0e55f88aa16d42757cd5ff9168bb855807ab66b6a | runtime | sha256 | +>| c4eada327d83caebe0929b3aa638db533a2d30c4ef15a3dc4f445245dfd53797 | runtime | sha256 | +>| d7b088b36bd43bd4325f7ab98cc6ef1f021559faf97d8d45d23424b0a8fe0e63 | runtime | sha256 | +>| hxxp://32.cc | runtime | url | +>| hxxp://allocator.cc | runtime | url | +>| hxxp://apply.cc | runtime | url | +>| hxxp://arena.cc | runtime | url | +>| hxxp://backup.cc | runtime | url | +>| hxxp://behaviors.cc | runtime | url | +>| hxxp://blink.net | runtime | url | +>| hxxp://call.cc | runtime | url | +>| hxxp://chrome.cc | runtime | url | +>| hxxp://command.cc | runtime | url | +>| hxxp://commands.cc | runtime | url | +>| hxxp://common.cc | runtime | url | +>| hxxp://crash.pb.cc | runtime | url | +>| hxxp://dir.cc | runtime | url | +>| hxxp://elf.cc | runtime | url | +>| hxxp://event.cc | runtime | url | +>| hxxp://experiment.cc | runtime | url | +>| hxxp://gzip.cc | runtime | url | +>| hxxp://handler.cc | runtime | url | +>| hxxp://helper.cc | runtime | url | +>| hxxp://impl.cc | runtime | url | +>| hxxp://in.cc | runtime | url | +>| hxxp://info.cc | runtime | url | +>| hxxp://install.cc | runtime | url | +>| hxxp://integration.cc | runtime | url | +>| 
hxxp://io.cc | runtime | url | +>| hxxp://item.cc | runtime | url | +>| hxxp://list.cc | runtime | url | +>| hxxp://lite.cc | runtime | url | +>| hxxp://log.cc | runtime | url | +>| hxxp://loop.cc | runtime | url | +>| hxxp://main.cc | runtime | url | +>| hxxp://memory.cc | runtime | url | +>| hxxp://minidump.cc | runtime | url | +>| hxxp://parameters.cc | runtime | url | +>| hxxp://preferences.cc | runtime | url | +>| hxxp://program.cc | runtime | url | +>| hxxp://range.cc | runtime | url | +>| hxxp://reader.cc | runtime | url | +>| hxxp://recorder.cc | runtime | url | +>| hxxp://report.pb.cc | runtime | url | +>| hxxp://reports.cc | runtime | url | +>| hxxp://seeker.cc | runtime | url | +>| hxxp://server.cc | runtime | url | +>| hxxp://settings.cc | runtime | url | +>| hxxp://shortcut.cc | runtime | url | +>| hxxp://snapshot.cc | runtime | url | +>| hxxp://source.cc | runtime | url | +>| hxxp://state.cc | runtime | url | +>| hxxp://storage.cc | runtime | url | +>| hxxp://stream.cc | runtime | url | +>| hxxp://thread.cc | runtime | url | +>| hxxp://tracker.cc | runtime | url | +>| hxxp://trial.cc | runtime | url | +>| hxxp://uninstall.cc | runtime | url | +>| hxxp://util.cc | runtime | url | +>| hxxp://version.cc | runtime | url | +>| hxxp://versions.cc | runtime | url | +>| hxxp://visitor.cc | runtime | url | +>| hxxp://watcher.cc | runtime | url | +>| hxxp://win.cc | runtime | url | +>| hxxp://win32.cc | runtime | url | +>| hxxp://worker.cc | runtime | url | +>| hxxp://writable.cc | runtime | url | +>| hxxp://writer.cc | runtime | url | diff --git a/Packs/CrowdStrikeFalconX/Integrations/CrowdStrikeFalconX/TestsInput/context.py b/Packs/CrowdStrikeFalconX/Integrations/CrowdStrikeFalconX/TestsInput/context.py new file mode 100644 index 000000000000..3dbad91870ae --- /dev/null +++ b/Packs/CrowdStrikeFalconX/Integrations/CrowdStrikeFalconX/TestsInput/context.py 
@@ -0,0 +1,102 @@
+from CommonServerPython import DemistoException
+
+SEND_UPLOADED_FILE_TO_SENDBOX_ANALYSIS_CONTEXT = {
+ 'csfalconx.resource(val.submitted_id === obj.submitted_id)':
+ [{'submitted_id': 'id',
+ 'state': 'created',
+ 'created_timestamp': '2020-05-12T15:34:11Z',
+ 'environment_id': 160,
+ 'sha256': 'sha256'
+ }]
+}
+
+SEND_URL_TO_SANDBOX_ANALYSIS_CONTEXT = {
+ 'csfalconx.resource(val.submitted_id === obj.submitted_id)':
+ [{
+ 'submitted_id': 'id',
+ 'state': 'created',
+ 'created_timestamp': '2020-05-12T16:40:52Z',
+ 'environment_id': 160
+ }]
+}
+
+GET_REPORT_SUMMARY_CONTEXT = {
+ 'csfalconx.resource(val.id === obj.id)':
+ [{
+ 'id': 'id',
+ 'verdict': 'no specific threat',
+ 'created_timestamp': '2020-03-16T17:04:48Z',
+ 'ioc_report_strict_csv_artifact_id': 'ioc_report_strict_csv_artifact_id',
+ 'ioc_report_broad_csv_artifact_id': 'ioc_report_broad_csv_artifact_id',
+ 'ioc_report_strict_json_artifact_id': 'ioc_report_strict_json_artifact_id',
+ 'ioc_report_broad_json_artifact_id': 'ioc_report_broad_json_artifact_id',
+ 'ioc_report_strict_stix_artifact_id': 'ioc_report_strict_stix_artifact_id',
+ 'ioc_report_broad_stix_artifact_id': 'ioc_report_broad_stix_artifact_id',
+ 'ioc_report_strict_maec_artifact_id': 'ioc_report_strict_maec_artifact_id',
+ 'ioc_report_broad_maec_artifact_id': 'ioc_report_broad_maec_artifact_id',
+ 'environment_id': 160,
+ 'environment_description': 'Windows 10 64 bit',
+ 'threat_score': 13,
+ 'submit_url': 'hxxps://www.google.com',
+ 'submission_type': 'page_url',
+ 'sha256': 'sha256'
+ }]
+}
+
+GET_ANALYSIS_STATUS_CONTEXT = {
+ 'csfalconx.resource(val.id === obj.id)':
+ [{
+ 'id': 'id',
+ 'state': 'success',
+ 'created_timestamp': '2020-03-16T17:04:48Z',
+ 'environment_id': 160
+ }]
+}
+
+CHECK_QUOTA_STATUS_CONTEXT = {
+ 'csfalconx.resource(val.id === obj.id)':
+ [{
+ 'total': 100,
+ 'used': 47,
+ 'in_progress': 2
+ }]
+}
+
+FIND_SANDBOX_REPORTS_CONTEXT = {
+ 'csfalconx.resource(val.id === obj.id)':
+ [{
+ 'resources': 
['resources1', 'resources2', 'resources3', 'resources4']
+ }]
+}
+
+FIND_SUBMISSION_ID_CONTEXT = {
+ 'csfalconx.resource(val.id === obj.id)':
+ [{
+ 'resources': ['resources1', 'resources2', 'resources3', 'resources4']
+ }]
+}
+
+GET_FULL_REPORT_CONTEXT = {
+ 'csfalconx.resource(val.id === obj.id)':
+ [{
+ 'id': 'id',
+ 'verdict': 'no specific threat',
+ 'created_timestamp': '2020-03-16T17:04:48Z',
+ 'ioc_report_strict_csv_artifact_id': 'ioc_report_strict_csv_artifact_id',
+ 'ioc_report_broad_csv_artifact_id': 'ioc_report_broad_csv_artifact_id',
+ 'ioc_report_strict_json_artifact_id': 'ioc_report_strict_json_artifact_id',
+ 'ioc_report_broad_json_artifact_id': 'ioc_report_broad_json_artifact_id',
+ 'ioc_report_strict_stix_artifact_id': 'ioc_report_strict_stix_artifact_id',
+ 'ioc_report_broad_stix_artifact_id': 'ioc_report_broad_stix_artifact_id',
+ 'ioc_report_strict_maec_artifact_id': 'ioc_report_strict_maec_artifact_id',
+ 'ioc_report_broad_maec_artifact_id': 'ioc_report_broad_maec_artifact_id',
+ 'environment_id': 160,
+ 'environment_description': 'Windows 10 64 bit',
+ 'threat_score': 13,
+ 'submit_url': 'hxxps://www.google.com',
+ 'submission_type': 'page_url',
+ 'sha256': 'sha256'
+ }]
+}
+
+MULTIPLE_ERRORS_RESULT = DemistoException('403: access denied, authorization failed\n401: test error #1\n402: test error #2')
diff --git a/Packs/CrowdStrikeFalconX/Integrations/CrowdStrikeFalconX/TestsInput/http_responses.py b/Packs/CrowdStrikeFalconX/Integrations/CrowdStrikeFalconX/TestsInput/http_responses.py
new file mode 100644
index 000000000000..bbe9cb376b19
--- /dev/null
+++ b/Packs/CrowdStrikeFalconX/Integrations/CrowdStrikeFalconX/TestsInput/http_responses.py
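Review bot: The fixture name `SEND_UPLOADED_FILE_TO_SENDBOX_ANALYSIS_CONTEXT` misspells "sandbox" while its sibling `SEND_URL_TO_SANDBOX_ANALYSIS_CONTEXT` spells it correctly; renaming it to `SEND_UPLOADED_FILE_TO_SANDBOX_ANALYSIS_CONTEXT` (together with whatever test module imports it) keeps the two consistent, and the same misspelling recurs in the new http_responses.py fixture as `SEND_UPLOADED_FILE_TO_SENDBOX_ANALYSIS_HTTP_RESPONSE`. Separately, `CHECK_QUOTA_STATUS_CONTEXT`, `FIND_SANDBOX_REPORTS_CONTEXT` and `FIND_SUBMISSION_ID_CONTEXT` are filed under the `csfalconx.resource(val.id === obj.id)` linking key although the entries they hold carry no `id` field; if the integration really emits these results under that key, entries without an id would all compare equal on the link expression and could overwrite one another in context, so this is worth confirming against the command implementations rather than adjusting in the fixture alone. `GET_REPORT_SUMMARY_CONTEXT` and `GET_FULL_REPORT_CONTEXT` are identical dictionaries; a short comment such as `# summary and full report currently produce the same expected context` above the second would tell a reader the duplication is deliberate.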
@@ -0,0 +1,675 @@ +SEND_UPLOADED_FILE_TO_SENDBOX_ANALYSIS_HTTP_RESPONSE = { + "errors": [], + "meta": { + "powered_by": "falconx-api", + "query_time": 0.163158146, + "quota": { + "in_progress": 3, + "total": 100, + "used": 36 + }, + "trace_id": "trace_id" + }, + "resources": [ + { + "cid": "cid", + "created_timestamp": "2020-05-12T15:34:11Z", + "id": "id", + "origin": "apigateway", + "sandbox": [ + { + "environment_id": 160, + "sha256": "sha256" + } + ], + "state": "created" + } + ] +} + +SEND_URL_TO_SANDBOX_ANALYSIS_HTTP_RESPONSE = { + "errors": [], + "meta": { + "powered_by": "falconx-api", + "query_time": 0.12387683, + "quota": { + "in_progress": 5, + "total": 100, + "used": 44 + }, + "trace_id": "trace_id" + }, + "resources": [ + { + "cid": "cid", + "created_timestamp": "2020-05-12T16:40:52Z", + "id": "id", + "origin": "apigateway", + "sandbox": [ + { + "environment_id": 160, + "url": "https://www.google.com" + } + ], + "state": "created" + } + ] +} + +GET_FULL_REPORT_HTTP_RESPONSE = { + "errors": [], + "meta": { + "powered_by": "falconx-api", + "query_time": 0.006237549, + "quota": { + "in_progress": 2, + "total": 100, + "used": 47 + }, + "trace_id": "trace_id" + }, + "resources": [ + { + "cid": "cid", + "created_timestamp": "2020-03-16T17:04:48Z", + "id": "id", + "ioc_report_broad_csv_artifact_id": "ioc_report_broad_csv_artifact_id", + "ioc_report_broad_json_artifact_id": "ioc_report_broad_json_artifact_id", + "ioc_report_broad_maec_artifact_id": "ioc_report_broad_maec_artifact_id", + "ioc_report_broad_stix_artifact_id": "ioc_report_broad_stix_artifact_id", + "ioc_report_strict_csv_artifact_id": "ioc_report_strict_csv_artifact_id", + "ioc_report_strict_json_artifact_id": "ioc_report_strict_json_artifact_id", + "ioc_report_strict_maec_artifact_id": "ioc_report_strict_maec_artifact_id", + "ioc_report_strict_stix_artifact_id": "ioc_report_strict_stix_artifact_id", + "malquery": [ + { + "input": "input", + "type": "url", + "verdict": "whitelisted" + }, + { + 
"input": "input", + "type": "url", + "verdict": "whitelisted" + }, + { + "input": "input", + "type": "url", + "verdict": "whitelisted" + }, + { + "input": "input", + "type": "url", + "verdict": "whitelisted" + } + ], + "origin": "apigateway", + "sandbox": [ + { + "architecture": "WINDOWS", + "classification": [ + "91.6% (.URL) Windows URL shortcut", + "8.3% (.INI) Generic INI configuration" + ], + "contacted_hosts": [ + { + "address": "111.27.12.67", + "associated_runtime": [ + { + "name": "name.exe", + "pid": 6428 + }, + { + "name": "name.exe", + "pid": 9372 + } + ], + "country": "United States", + "port": 443, + "protocol": "TCP" + }, + { + "address": "111.27.12.67", + "associated_runtime": [ + { + "name": "name.exe", + "pid": 6428 + }, + { + "name": "name.exe", + "pid": 9372 + } + ], + "country": "United States", + "port": 80, + "protocol": "TCP" + }, + { + "address": "111.27.12.67", + "associated_runtime": [ + { + "name": "name.exe", + "pid": 6428 + } + ], + "country": "United States", + "port": 443, + "protocol": "TCP" + }, + { + "address": "111.27.12.67", + "associated_runtime": [ + { + "name": "name.exe", + "pid": 6428 + } + ], + "country": "United States", + "port": 443, + "protocol": "TCP" + }, + { + "address": "111.27.12.67", + "associated_runtime": [ + { + "name": "name.exe", + "pid": 6428 + } + ], + "country": "United States", + "port": 443, + "protocol": "TCP" + }, + { + "address": "111.27.12.67", + "associated_runtime": [ + { + "name": "name.exe", + "pid": 6428 + } + ], + "country": "United States", + "port": 443, + "protocol": "TCP" + }, + { + "address": "111.27.12.67", + "associated_runtime": [ + { + "name": "name.exe", + "pid": 6428 + } + ], + "country": "United States", + "port": 443, + "protocol": "TCP" + } + ], + "dns_requests": [ + { + "address": "111.111.1.1", + "country": "United States", + "domain": "googleads.g.doubleclick.net", + "registrar_creation_timestamp": "1996-01-16T00:00:00+00:00", + "registrar_name": "registrar_name", + 
"registrar_organization": "registrar_organization" + }, + { + "address": "172.217.7.163", + "country": "United States", + "domain": "domain" + }, + { + "address": "111.27.12.67", + "country": "United States", + "domain": "ssl.gstatic.com", + "registrar_creation_timestamp": "2008-02-11T00:00:00+00:00", + "registrar_name": "registrar_name", + "registrar_organization": "Google Inc." + }, + { + "address": "172.217.14.163", + "country": "United States", + "domain": "www.gstatic.com", + "registrar_creation_timestamp": "2008-02-11T00:00:00+00:00", + "registrar_name": "registrar_name", + "registrar_organization": "registrar_organization" + } + ], + "environment_description": "Windows 10 64 bit", + "environment_id": 160, + "extracted_interesting_strings": [ + { + "filename": "rundll32.exe", + "source": "Process Commandline", + "type": "Ansi", + "value": "value" + }, + { + "filename": "filename", + "source": "PCAP Processing", + "type": "Ansi", + "value": "value" + }, + { + "filename": "filename", + "source": "Image Processing", + "type": "Ansi", + "value": "value" + }, + { + "filename": "screen_3.png", + "source": "Image Processing", + "type": "Ansi", + "value": "value" + }, + { + "filename": "filename", + "source": "Image Processing", + "type": "Ansi", + "value": "value" + }, + { + "filename": "filename", + "source": "PCAP Processing", + "type": "Ansi", + "value": "value" + }, + { + "filename": "filename", + "source": "PCAP Processing", + "type": "Ansi", + "value": "value" + } + ], + "http_requests": [ + { + "header": "header", + "host": "host", + "host_ip": "111.27.12.67", + "host_port": 80, + "method": "GET", + "url": "url" + }, + { + "header": "header", + "host": "host", + "host_ip": "111.27.12.67", + "host_port": 80, + "method": "GET", + "url": "url" + }, + { + "header": "header", + "host": "ocsp.pki.goog", + "host_ip": "172.217.7.163", + "host_port": 80, + "method": "GET", + "url": "url" + }, + { + "header": "header", + "host": "ocsp.pki.goog", + "host_ip": 
"172.217.7.163", + "host_port": 80, + "method": "GET", + "url": "url" + }, + { + "header": "header", + "host": "ocsp.pki.goog", + "host_ip": "172.217.7.163", + "host_port": 80, + "method": "GET", + "url": "url" + }, + { + "header": "header", + "host": "ocsp.pki.goog", + "host_ip": "172.217.7.163", + "host_port": 80, + "method": "GET", + "url": "url" + }, + { + "header": "header", + "host": "ocsp.pki.goog", + "host_ip": "172.217.7.163", + "host_port": 80, + "method": "GET", + "url": "url" + }, + { + "header": "header", + "host": "ocsp.pki.goog", + "host_ip": "172.217.7.163", + "host_port": 80, + "method": "GET", + "url": "url" + } + ], + "incidents": [ + { + "details": [ + "Contacts 4 domains and 4 hosts" + ], + "name": "Network Behavior" + } + ], + "pcap_report_artifact_id": "pcap_report_artifact_id", + "processes": [ + { + "command_line": "command_line", + "icon_artifact_id": "icon_artifact_id", + "name": "rundll32.exe", + "normalized_path": "normalized_path.exe", + "pid": 6648, + "process_flags": [ + { + "name": "Reduced Monitoring" + } + ], + "sha256": "sha256", + "uid": "00074182-00006648" + } + ], + "sample_flags": [ + "Network Traffic" + ], + "screenshots_artifact_ids": [ + "screenshots_artifact_ids1", + "screenshots_artifact_ids2", + "screenshots_artifact_ids3", + "screenshots_artifact_ids4" + ], + "sha256": "sha256", + "signatures": [ + { + "category": "General", + "description": "description", + "identifier": "network-0", + "name": "Contacts domains", + "origin": "Network Traffic", + "relevance": 1, + "threat_level_human": "informative", + "type": 7 + }, + { + "category": "General", + "description": "description", + "identifier": "network-1", + "name": "Contacts server", + "origin": "Network Traffic", + "relevance": 1, + "threat_level_human": "informative", + "type": 7 + }, + { + "category": "Network Related", + "description": "description", + "identifier": "string-3", + "name": "Found potential URL in binary/memory", + "origin": "String", + "relevance": 
10, + "threat_level_human": "informative", + "type": 2 + }, + { + "category": "External Systems", + "description": "description", + "identifier": "suricata-0", + "name": "Detected Suricata Alert", + "origin": "Suricata Alerts", + "relevance": 10, + "threat_level_human": "informative", + "type": 18 + }, + { + "category": "Ransomware/Banking", + "description": "description", + "identifier": "string-12", + "name": "Detected text artifact in screenshot that indicate file could be ransomware", + "origin": "String", + "relevance": 10, + "threat_level": 1, + "threat_level_human": "suspicious", + "type": 2 + }, + { + "category": "Network Related", + "description": "description", + "identifier": "network-23", + "name": "Sends traffic on typical HTTP outbound port, but without HTTP header", + "origin": "Network Traffic", + "relevance": 5, + "threat_level": 1, + "threat_level_human": "suspicious", + "type": 7 + } + ], + "submission_type": "page_url", + "submit_url": "hxxps://www.google.com", + "suricata_alerts": [ + { + "category": "Unknown Traffic", + "description": "ET JA3 Hash - Possible Malware - Banking Phish", + "destination_ip": "destination_ip", + "destination_port": 443, + "protocol": "TCP", + "sid": "sid" + }, + { + "category": "Unknown Traffic", + "description": "ET JA3 Hash - Possible Malware - Banking Phish", + "destination_ip": "destination_ip", + "destination_port": 443, + "protocol": "TCP", + "sid": "sid" + }, + { + "category": "Unknown Traffic", + "description": "ET JA3 Hash - Possible Malware - Banking Phish", + "destination_ip": "destination_ip", + "destination_port": 443, + "protocol": "TCP", + "sid": "sid" + }, + { + "category": "Unknown Traffic", + "description": "ET JA3 Hash - Possible Malware - Banking Phish", + "destination_ip": "172.217.9.206", + "destination_port": 443, + "protocol": "TCP", + "sid": "sid" + } + ], + "threat_score": 13, + "verdict": "no specific threat", + "windows_version_bitness": 64, + "windows_version_edition": "Professional", + 
"windows_version_name": "Windows 10", + "windows_version_version": "10.0 (build 16299)" + } + ], + "verdict": "no specific threat" + } + ] +} + +GET_REPORT_SUMMARY_HTTP_RESPONSE = { + "errors": [], + "meta": { + "powered_by": "falconx-api", + "query_time": 0.008725752, + "quota": { + "in_progress": 2, + "total": 100, + "used": 47 + }, + "trace_id": "trace_id" + }, + "resources": [ + { + "cid": "cid", + "created_timestamp": "2020-03-16T17:04:48Z", + "id": "id", + "ioc_report_broad_csv_artifact_id": "ioc_report_broad_csv_artifact_id", + "ioc_report_broad_json_artifact_id": "ioc_report_broad_json_artifact_id", + "ioc_report_broad_maec_artifact_id": "ioc_report_broad_maec_artifact_id", + "ioc_report_broad_stix_artifact_id": "ioc_report_broad_stix_artifact_id", + "ioc_report_strict_csv_artifact_id": "ioc_report_strict_csv_artifact_id", + "ioc_report_strict_json_artifact_id": "ioc_report_strict_json_artifact_id", + "ioc_report_strict_maec_artifact_id": "ioc_report_strict_maec_artifact_id", + "ioc_report_strict_stix_artifact_id": "ioc_report_strict_stix_artifact_id", + "origin": "apigateway", + "sandbox": [ + { + "environment_description": "Windows 10 64 bit", + "environment_id": 160, + "incidents": [ + { + "details": [ + "Contacts 4 domains and 4 hosts" + ], + "name": "Network Behavior" + } + ], + "sample_flags": [ + "Network Traffic" + ], + "sha256": "sha256", + "submission_type": "page_url", + "submit_url": "hxxps://www.google.com", + "threat_score": 13, + "verdict": "no specific threat" + } + ], + "verdict": "no specific threat" + } + ] +} + +CHECK_QUOTA_STATUS_HTTP_RESPONSE = { + "errors": [], + "meta": { + "powered_by": "falconx-api", + "query_time": 0.008237956, + "quota": { + "in_progress": 2, + "total": 100, + "used": 47 + }, + "trace_id": "trace_id" + }, + "resources": None +} + +FIND_SANDBOX_REPORTS_HTTP_RESPONSE = { + "errors": [], + "meta": { + "pagination": { + "limit": 10, + "offset": 0, + "total": 69 + }, + "powered_by": "falconx-api", + "query_time": 
0.008271345, + "quota": { + "in_progress": 2, + "total": 100, + "used": 47 + }, + "trace_id": "trace_id" + }, + "resources": [ + "resources1", + "resources2", + "resources3", + "resources4" + ] +} + +FIND_SUBMISSION_ID_HTTP_RESPONSE = { + "errors": [], + "meta": { + "pagination": { + "limit": 10, + "offset": 0, + "total": 72 + }, + "powered_by": "falconx-api", + "query_time": 0.008812114, + "quota": { + "in_progress": 2, + "total": 100, + "used": 47 + }, + "trace_id": "trace_id" + }, + "resources": [ + "resources1", + "resources2", + "resources3", + "resources4" + ] +} + +GET_ANALYSIS_STATUS_HTTP_RESPONSE = { + "errors": [], + "meta": { + "powered_by": "falconx-api", + "query_time": 0.004325809, + "quota": { + "in_progress": 2, + "total": 100, + "used": 47 + }, + "trace_id": "trace_id" + }, + "resources": [ + { + "cid": "cid", + "created_timestamp": "2020-03-16T17:04:48Z", + "id": "id", + "origin": "apigateway", + "sandbox": [ + { + "environment_id": 160, + "url": "hxxps://www.google.com" + } + ], + "state": "success" + } + ] +} + +MULTI_ERRORS_HTTP_RESPONSE = { + "errors": [ + { + "code": 403, + "message": "access denied, authorization failed" + }, + { + "code": 401, + "message": "test error #1" + }, + { + "code": 402, + "message": "test error #2" + } + ], + "meta": { + "powered_by": "crowdstrike-api-gateway", + "query_time": 0.000654734, + "trace_id": "39f1573c-7a51-4b1a-abaa-92d29f704afd" + } +} + +NO_ERRORS_HTTP_RESPONSE = { + "errors": [], + "meta": { + "powered_by": "crowdstrike-api-gateway", + "query_time": 0.000654734, + "trace_id": "39f1573c-7a51-4b1a-abaa-92d29f704afd" + } +} diff --git a/Packs/CrowdStrikeFalconX/Integrations/CrowdStrikeFalconX/example.txt b/Packs/CrowdStrikeFalconX/Integrations/CrowdStrikeFalconX/example.txt new file mode 100644 index 000000000000..63fdf9a71d77 --- /dev/null +++ b/Packs/CrowdStrikeFalconX/Integrations/CrowdStrikeFalconX/example.txt 
@@ -0,0 +1,10 @@
+cs-fx-upload-file file=172@07031695-ae27-49f6-8bb2-41943c7cb80c file_name=test.pdf comment="example" is_confidential="true" submit_file=no
+cs-fx-submit-uploaded-file sha256="a381a7b679119dee5b95c9c09993885e44ad2fd9cd52fa28bc116f8bdea71679" environment_id="160: Windows 10" action_script="default" command_line="command" document_password="password" enable_tor="false" submit_name="malware_test" system_date="2020-08-10" system_time="12:48"
+cs-fx-submit-url url="https://www.google.com" environment_id="160: Windows 10" action_script="default" document_password="password" enable_tor="false" submit_name="malware_test" system_date="2020-08-10" system_time="12:48"
+cs-fx-get-full-report ids="1c9fe398b2294301aa3080ede8d77356_8511c69fa47f4188bf59e3ab80f0f39f"
+cs-fx-get-report-summary ids="1c9fe398b2294301aa3080ede8d77356_8511c69fa47f4188bf59e3ab80f0f39f"
+cs-fx-get-analysis-status ids="1c9fe398b2294301aa3080ede8d77356_8cfaaf951fff412090df3d27d4b4193d"
+cs-fx-download-ioc id="cd1db2f53e8760792a48a2ec544a29e6f876643204598621783f71017f6b4266" name="test" accept_encoding="gzip"
+cs-fx-check-quota
+cs-fx-find-reports offset=1 limit=5
+cs-fx-find-submission-id offset=1 limit=5
\ No newline at end of file
diff --git a/Packs/CrowdStrikeFalconX/Playbooks/Detonate_File_-_CrowdStrike_Falcon_X.yml b/Packs/CrowdStrikeFalconX/Playbooks/Detonate_File_-_CrowdStrike_Falcon_X.yml
new file mode 100644
index 000000000000..b39c457a3d06
--- /dev/null
+++ b/Packs/CrowdStrikeFalconX/Playbooks/Detonate_File_-_CrowdStrike_Falcon_X.yml
@@ -0,0 +1,555 @@ +id: Detonate File - CrowdStrike Falcon X +version: -1 +name: Detonate File - CrowdStrike Falcon X +description: |- + Detonates a File using CrowdStrike Falcon X sandbox. + Accepted file formats: + Portable executables: .exe, .scr, .pif, .dll, .com, .cpl, etc. + Office documents: .doc, .docx, .ppt, .pps, .pptx, .ppsx, .xls, .xlsx, .rtf, .pub + PDF + APK + Executable JAR + Windows script component: .sct + Windows shortcut: .lnk + Windows help: .chm + HTML application: .hta + Windows script file: .wsf + Javascript: .js + Visual Basic: .vbs, .vbe + Shockwave Flash: .swf + Perl: .pl + Powershell: .ps1, .psd1, .psm1 + Scalable vector graphics: .svg + Python: .py + Linux ELF executables + Email files: MIME RFC 822 .eml, Outlook .msg. +starttaskid: "0" +tasks: + "0": + id: "0" + taskid: 2e14779f-7f47-4445-845c-bfea5627cbe3 + type: start + task: + id: 2e14779f-7f47-4445-845c-bfea5627cbe3 + version: -1 + name: "" + description: '-' + iscommand: false + brand: "" + nexttasks: + '#none#': + - "7" + separatecontext: false + view: |- + { + "position": { + "x": 50, + "y": 20 + } + } + note: false + timertriggers: [] + ignoreworker: false + "2": + id: "2" + taskid: 334792b6-7e5d-4494-85a1-aa4bc2274105 + type: playbook + task: + id: 334792b6-7e5d-4494-85a1-aa4bc2274105 + version: -1 + name: GenericPolling + description: |- + Use this playbook as a sub-playbook to block execution of the master playbook until a remote action is complete. + This playbook implements polling by continuously running the command in Step \#2 until the operation completes. + The remote action should have the following structure: + + 1. Initiate the operation. + 2. Poll to check if the operation completed. + 3. (optional) Get the results of the operation. 
+ playbookName: GenericPolling + type: playbook + iscommand: false + brand: "" + nexttasks: + '#none#': + - "3" + scriptarguments: + AdditionalPollingCommandArgNames: {} + AdditionalPollingCommandArgValues: {} + Ids: + complex: + root: csfalconx + accessor: resource.submitted_id + Interval: + complex: + root: inputs.Interval + PollingCommandArgName: + simple: ids + PollingCommandName: + simple: cs-fx-get-analysis-status + Timeout: + complex: + root: inputs.Timeout + dt: + simple: csfalconx(val.resource.state !== 'success').resource.id + separatecontext: true + loop: + iscommand: false + exitCondition: "" + wait: 1 + view: |- + { + "position": { + "x": 460, + "y": 1530 + } + } + note: false + timertriggers: [] + ignoreworker: false + "3": + id: "3" + taskid: c7c659db-15a7-4c9b-8f3d-72713eefe5f1 + type: regular + task: + id: c7c659db-15a7-4c9b-8f3d-72713eefe5f1 + version: -1 + name: CrowdStrike Falcon X Get Report + description: Get a full version of a sandbox report. + script: CrowdStrike Falcon X|||cs-fx-get-full-report + type: regular + iscommand: true + brand: CrowdStrike Falcon X + nexttasks: + '#none#': + - "5" + scriptarguments: + ids: + simple: ${csfalconx.resource.submitted_id} + separatecontext: false + view: |- + { + "position": { + "x": 460, + "y": 1760 + } + } + note: false + timertriggers: [] + ignoreworker: false + "5": + id: "5" + taskid: 73843b9d-b556-4e1c-895c-93ae4f6671dc + type: title + task: + id: 73843b9d-b556-4e1c-895c-93ae4f6671dc + version: -1 + name: Done + description: finished + type: title + iscommand: false + brand: "" + separatecontext: false + view: |- + { + "position": { + "x": 70, + "y": 2090 + } + } + note: false + timertriggers: [] + ignoreworker: false + "7": + id: "7" + taskid: ee402758-5d33-4edd-89fb-816dee6233c5 + type: condition + task: + id: ee402758-5d33-4edd-89fb-816dee6233c5 + version: -1 + name: Is CrowdStrike Falcon X enabled? + description: | + Verify that there is a valid instance of CrowdStrike Falcon X enabled. 
+ type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "5" + "yes": + - "12" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isExists + left: + value: + complex: + root: modules + filters: + - - operator: isEqualString + left: + value: + simple: modules.brand + iscontext: true + right: + value: + simple: CrowdStrike Falcon X + - - operator: isEqualString + left: + value: + simple: modules.state + iscontext: true + right: + value: + simple: active + accessor: brand + iscontext: true + view: |- + { + "position": { + "x": 50, + "y": 195 + } + } + note: false + timertriggers: [] + ignoreworker: false + "8": + id: "8" + taskid: 44e9c26f-c38e-4c1c-8b60-80a92220810e + type: condition + task: + id: 44e9c26f-c38e-4c1c-8b60-80a92220810e + version: -1 + name: Filter taskId + description: Checks that only valid files have been sent to detonation. + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "5" + "yes": + - "2" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isExists + left: + value: + simple: csfalconx.resource.submitted_id(val != -1) + iscontext: true + view: |- + { + "position": { + "x": 387.5, + "y": 1230 + } + } + note: false + timertriggers: [] + ignoreworker: false + "10": + id: "10" + taskid: dd7a0c59-4cf4-4a46-8316-19dadac61a1b + type: condition + task: + id: dd7a0c59-4cf4-4a46-8316-19dadac61a1b + version: -1 + name: Is file type supported? + description: Checks if the file type is supported. 
+ type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "5" + "yes": + - "14" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isExists + left: + value: + complex: + root: File + filters: + - - operator: match + left: + value: + simple: File.Type + iscontext: true + right: + value: + simple: .*(?:EXE|DLL|COM|SCR|CPL|DOC|DOCX|XLS|XSLX|PPS|PPSX|PPT|PPTX|RTF|PDF|ETC|PUB|SCT|INK|CHM|HTA|WSF|JS|VBS|VBE|SWF|PL|PS1|PSD1|PSM1|SVG|PY|ELF|EML|MSG)\b + ignorecase: true + - operator: match + left: + value: + simple: File.Extension + iscontext: true + right: + value: + simple: .*(?:EXE|DLL|COM|SCR|CPL|DOC|DOCX|XLS|XSLX|PPS|PPSX|PPT|PPTX|RTF|PDF|ETC|PUB|SCT|INK|CHM|HTA|WSF|JS|VBS|VBE|SWF|PL|PS1|PSD1|PSM1|SVG|PY|ELF|EML|MSG)\b + ignorecase: true + - operator: match + left: + value: + simple: File.Info + iscontext: true + right: + value: + simple: .*(?:EXE|DLL|COM|SCR|CPL|DOC|DOCX|XLS|XSLX|PPS|PPSX|PPT|PPTX|RTF|PDF|ETC|PUB|SCT|INK|CHM|HTA|WSF|JS|VBS|VBE|SWF|PL|PS1|PSD1|PSM1|SVG|PY|ELF|EML|MSG)\b + ignorecase: true + accessor: EntryID + iscontext: true + ignorecase: true + view: |- + { + "position": { + "x": 275, + "y": 720 + } + } + note: false + timertriggers: [] + ignoreworker: false + "11": + id: "11" + taskid: e0e4b29f-fe26-47b2-8930-00d6087bdbeb + type: regular + task: + id: e0e4b29f-fe26-47b2-8930-00d6087bdbeb + version: -1 + name: Set File to context + description: Set the file object into context. + scriptName: Set + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "10" + scriptarguments: + append: {} + key: + simple: File + value: + complex: + root: inputs.File + separatecontext: false + view: |- + { + "position": { + "x": 275, + "y": 545 + } + } + note: false + timertriggers: [] + ignoreworker: false + "12": + id: "12" + taskid: 813639b9-9c78-44dc-8600-afad5cc1c5db + type: condition + task: + id: 813639b9-9c78-44dc-8600-afad5cc1c5db + version: -1 + name: Is there a File to Detonate? 
+ description: Checks that there is a file in the playbook’s input. + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "5" + "yes": + - "11" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isExists + left: + value: + simple: inputs.File + iscontext: true + view: |- + { + "position": { + "x": 162.5, + "y": 370 + } + } + note: false + timertriggers: [] + ignoreworker: false + "14": + id: "14" + taskid: 33e04243-7824-4475-8ea1-5c2366c22fd6 + type: regular + task: + id: 33e04243-7824-4475-8ea1-5c2366c22fd6 + version: -1 + name: CrowdStrike Falcon X Upload File to Sandbox + description: Upload a file for sandbox analysis. + script: CrowdStrike Falcon X|||cs-fx-upload-file + type: regular + iscommand: true + brand: CrowdStrike Falcon X + nexttasks: + '#none#': + - "15" + scriptarguments: + comment: {} + file: + simple: ${inputs.File.EntryID} + file_name: + simple: inputs.File.EntryID + is_confidential: {} + separatecontext: false + view: |- + { + "position": { + "x": 387.5, + "y": 915 + } + } + note: false + timertriggers: [] + ignoreworker: false + "15": + id: "15" + taskid: 5a968f27-55f8-4761-88d0-a89b4d023bda + type: regular + task: + id: 5a968f27-55f8-4761-88d0-a89b4d023bda + version: -1 + name: CrowdStrike FalconX Detonate Uploaded File + description: Submit a sample SHA256 for sandbox analysis. 
+ script: '|||cs-fx-submit-uploaded-file' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "8" + scriptarguments: + action_script: {} + command_line: {} + document_password: {} + enable_tor: + simple: "false" + environment_id: + simple: '160: Windows 10' + sha256: + simple: ${csfalconx.resource.sha256} + submit_name: {} + system_date: {} + system_time: {} + separatecontext: false + view: |- + { + "position": { + "x": 387.5, + "y": 1075 + } + } + note: false + timertriggers: [] + ignoreworker: false +view: |- + { + "linkLabelsPosition": {}, + "paper": { + "dimensions": { + "height": 2135, + "width": 790, + "x": 50, + "y": 20 + } + } + } +inputs: +- key: File + value: + complex: + root: File + required: false + description: The file to detonate. The file is taken from the context. +- key: Interval + value: + simple: "1" + required: false + description: Polling frequency - how often the polling command should run (minutes) +- key: Timeout + value: + simple: "15" + required: false + description: How much time to wait before a timeout occurs (minutes) +outputs: + - contextPath: csfalconx.resource.id + description: Analysis ID. + type: String + - contextPath: csfalconx.resource.verdict + description: Analysis verdict. + type: String + - contextPath: csfalconx.resource.created_timpestamp + description: Analysis start time. + type: String + - contextPath: csfalconx.resource.environment_id + description: Environment ID. + type: String + - contextPath: csfalconx.resource.snadbox.environment_description + description: Environment description. + type: String + - contextPath: csfalconx.resource.threat_score + description: Score of the threat. + type: Int + - contextPath: csfalconx.resource.submit_url + description: URL submitted for analysis. + type: String + - contextPath: csfalconx.resource.submission_type + description: Type of submitted artifact, for example file, URL, etc. 
+ type: String + - contextPath: csfalconx.resource.filetype + description: File type. + type: String + - contextPath: csfalconx.resource.filesize + description: File size. + type: Int + - contextPath: csfalconx.resource.sha256 + description: SHA256 hash of the submitted file. + type: String + - contextPath: csfalconx.resource.ioc_report_strict_csv_artifact_id + description: ID of the IOC pack to download (CSV). + type: String + - contextPath: csfalconx.resource.ioc_report_broad_csv_artifact_id + description: ID of the IOC pack to download (CSV). + type: String + - contextPath: csfalconx.resource.ioc_report_strict_json_artifact_id + description: ID of the IOC pack to download (JSON). + type: Int + - contextPath: csfalconx.resource.ioc_report_broad_json_artifact_id + description: ID of the IOC pack to download (JSON). + type: String + - contextPath: csfalconx.resource.ioc_report_strict_stix_artifact_id + description: ID of the IOC pack to download (STIX). + type: String + - contextPath: csfalconx.resource.ioc_report_broad_stix_artifact_id + description: ID of the IOC pack to download (STIX). + type: Int + - contextPath: csfalconx.resource.ioc_report_strict_maec_artifact_id + description: ID of the IOC pack to download (MAEC). + type: String + - contextPath: csfalconx.resource.ioc_report_broad_maec_artifact_id + description: ID of the IOC pack to download (MAEC). + type: String +fromversion: 5.0.0 +tests: + - No tests diff --git a/Packs/CrowdStrikeFalconX/Playbooks/Detonate_URL_-_CrowdStrike_Falcon_X.yml b/Packs/CrowdStrikeFalconX/Playbooks/Detonate_URL_-_CrowdStrike_Falcon_X.yml new file mode 100644 index 000000000000..0bc0c21738e1 --- /dev/null +++ b/Packs/CrowdStrikeFalconX/Playbooks/Detonate_URL_-_CrowdStrike_Falcon_X.yml 
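Review bot: In task 14 (`CrowdStrike Falcon X Upload File to Sandbox`) `file_name` is set to the bare text `inputs.File.EntryID`, so the literal string rather than the context value is sent as the file name; the sibling `file: simple: ${inputs.File.EntryID}` shows the intended form, and the name should come from the file object, e.g. `file_name: simple: ${inputs.File.Name}` (assuming the file object carries a Name field, as the standard File context does). The same task leaves `is_confidential: {}` empty and the playbook exposes no input for it, so every file pulled from context is handed to the external sandbox with the command's default visibility; what the flag controls is not visible here beyond the `is_confidential="true"` example in example.txt, but a `Confidential` playbook input mapped to that argument would let operators keep internal documents out of shared sample pools — confirm against the command's argument description. In task 10 the supported-type regex lists `INK`, `XSLX` and `ETC`, which never match the `.lnk` and `.xlsx` formats the description promises (an `xlsx` extension fails every alternative, and `ETC` looks copied from the "etc." in the description), so those files take the `#default#` branch straight to Done; use `LNK|XLSX` and drop `ETC`. The outputs section also misspells two context paths, `csfalconx.resource.created_timpestamp` and `csfalconx.resource.snadbox.environment_description`, which cannot match the `created_timestamp` / `environment_description` fields shown in the test data above.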
@@ -0,0 +1,387 @@ +id: Detonate URL - CrowdStrike Falcon X +version: -1 +name: Detonate URL - CrowdStrike Falcon X +description: Detonate one or more files using the CrowdStrike Falcon Sandbox integration. + This playbook returns relevant reports to the War Room and file reputations to the + context data. +starttaskid: "0" +tasks: + "0": + id: "0" + taskid: 5efceda5-4236-42ed-882f-e26acb6f4756 + type: start + task: + id: 5efceda5-4236-42ed-882f-e26acb6f4756 + version: -1 + name: "" + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "5" + separatecontext: false + view: |- + { + "position": { + "x": 162.5, + "y": 0 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + "5": + id: "5" + taskid: fc1f205f-4605-402d-805d-57b7d4b4cef7 + type: condition + task: + id: fc1f205f-4605-402d-805d-57b7d4b4cef7 + version: -1 + name: Is CrowdStrike Falcon X enabled? + description: | + Verify that there is a valid instance of CrowdStrike enabled. 
+ type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "6" + "yes": + - "14" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isExists + left: + value: + complex: + root: modules + filters: + - - operator: isEqualString + left: + value: + simple: modules.brand + iscontext: true + right: + value: + simple: CrowdStrike Falcon X + ignorecase: true + - - operator: isEqualString + left: + value: + simple: modules.state + iscontext: true + right: + value: + simple: active + ignorecase: true + accessor: brand + iscontext: true + view: |- + { + "position": { + "x": 162.5, + "y": 165 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + "6": + id: "6" + taskid: 66063116-5734-4166-82b3-aa4c0f629285 + type: title + task: + id: 66063116-5734-4166-82b3-aa4c0f629285 + version: -1 + name: Done + description: Done + type: title + iscommand: false + brand: "" + separatecontext: false + view: |- + { + "position": { + "x": 460, + "y": 1140 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + "8": + id: "8" + taskid: 9ab16bf8-de8e-4201-8561-992345b51280 + type: regular + task: + id: 9ab16bf8-de8e-4201-8561-992345b51280 + version: -1 + name: CrowdStrike Falcon X Get Report + description: Get a full version of a sandbox report. 
+ script: CrowdStrike Falcon X|||cs-fx-get-full-report + type: regular + iscommand: true + brand: CrowdStrike Falcon X + nexttasks: + '#none#': + - "6" + scriptarguments: + ids: + simple: ${csfalconx.resource.submitted_id} + separatecontext: false + view: |- + { + "position": { + "x": 162.5, + "y": 935 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + "13": + id: "13" + taskid: 251b7acf-b9ad-4122-8968-788528be9bc1 + type: regular + task: + id: 251b7acf-b9ad-4122-8968-788528be9bc1 + version: -1 + name: CrowdStrike Falcon X Submit URL + description: Submit a URL or FTP for sandbox analysis. + script: '|||cs-fx-submit-url' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "16" + scriptarguments: + action_script: {} + command_line: {} + document_password: {} + enable_tor: {} + environment_id: + simple: '160: Windows 10' + submit_name: {} + system_date: {} + system_time: {} + url: + complex: + root: inputs.URL + separatecontext: false + view: |- + { + "position": { + "x": 162.5, + "y": 590 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + "14": + id: "14" + taskid: 7bda06fb-0f5a-487b-8242-69d776363760 + type: condition + task: + id: 7bda06fb-0f5a-487b-8242-69d776363760 + version: -1 + name: Is there a URL to detonate? + description: Checks whether there's a file to detonate. 
+ type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "6" + "yes": + - "13" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isExists + left: + value: + simple: inputs.URL + iscontext: true + view: |- + { + "position": { + "x": 162.5, + "y": 380 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + "16": + id: "16" + taskid: 92f6cd66-9c00-4782-85e6-4b9ebe0fd014 + type: playbook + task: + id: 92f6cd66-9c00-4782-85e6-4b9ebe0fd014 + version: -1 + name: GenericPolling + description: |- + Use this playbook as a sub-playbook to block execution of the master playbook until a remote action is complete. + This playbook implements polling by continuously running the command in Step \#2 until the operation completes. + The remote action should have the following structure: + + 1. Initiate the operation. + 2. Poll to check if the operation completed. + 3. (optional) Get the results of the operation. 
+ playbookName: GenericPolling + type: playbook + iscommand: false + brand: "" + nexttasks: + '#none#': + - "8" + scriptarguments: + AdditionalPollingCommandArgNames: {} + AdditionalPollingCommandArgValues: {} + Ids: + complex: + root: csfalconx + accessor: resource.submitted_id + Interval: + complex: + root: inputs.Interval + PollingCommandArgName: + simple: ids + PollingCommandName: + simple: cs-fx-get-analysis-status + Timeout: + complex: + root: inputs.Timeout + dt: + simple: csfalconx(val.resource.state !== 'success').resource.id + separatecontext: true + loop: + iscommand: false + exitCondition: "" + wait: 1 + max: 0 + view: |- + { + "position": { + "x": 162.5, + "y": 760 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 +view: |- + { + "linkLabelsPosition": {}, + "paper": { + "dimensions": { + "height": 1205, + "width": 677.5, + "x": 162.5, + "y": 0 + } + } + } +inputs: +- key: URL + value: + complex: + root: URL + accessor: Data + required: false + description: URL to detonate. + playbookInputQuery: +- key: EnvironmentID + value: + simple: "100" + required: false + description: Environment ID to submit the file to. To get all IDs run the crowdstrike-get-environments + command. + playbookInputQuery: +- key: Interval + value: + simple: "5" + required: false + description: Polling frequency - how often the polling command should run (minutes) + playbookInputQuery: +- key: Timeout + value: + simple: "30" + required: false + description: How much time to wait before a timeout occurs (minutes) + playbookInputQuery: +outputs: + - contextPath: csfalconx.resource.id + description: Analysis ID. + type: String + - contextPath: csfalconx.resource.verdict + description: Analysis verdict. + type: String + - contextPath: csfalconx.resource.created_timpestamp + description: Analysis start time. + type: String + - contextPath: csfalconx.resource.environment_id + description: Environment ID. 
+ type: String + - contextPath: csfalconx.resource.environment_description + description: Environment description. + type: String + - contextPath: csfalconx.resource.threat_score + description: Score of the threat. + type: Int + - contextPath: csfalconx.resource.submit_url + description: URL submitted for analysis. + type: String + - contextPath: csfalconx.resource.submission_type + description: Type of submitted artifact, for example file, URL, etc. + type: String + - contextPath: csfalconx.resource.sha256 + description: SHA256 hash of the submitted file. + type: String + - contextPath: csfalconx.resource.ioc_report_strict_csv_artifact_id + description: ID of the IOC pack to download (CSV). + type: String + - contextPath: csfalconx.resource.ioc_report_broad_csv_artifact_id + description: ID of the IOC pack to download (CSV). + type: String + - contextPath: csfalconx.resource.ioc_report_strict_json_artifact_id + description: ID of the IOC pack to download (JSON). + type: Int + - contextPath: csfalconx.resource.ioc_report_broad_json_artifact_id + description: ID of the IOC pack to download (JSON). + type: String + - contextPath: csfalconx.resource.ioc_report_strict_stix_artifact_id + description: ID of the IOC pack to download (STIX). + type: String + - contextPath: csfalconx.resource.ioc_report_broad_stix_artifact_id + description: ID of the IOC pack to download (STIX). + type: Int + - contextPath: csfalconx.resource.ioc_report_strict_maec_artifact_id + description: ID of the IOC pack to download (MAEC). + type: String + - contextPath: csfalconx.resource.ioc_report_broad_maec_artifact_id + description: ID of the IOC pack to download (MAEC). + type: String +fromversion: 5.0.0 +tests: + - No tests diff --git a/Packs/CrowdStrikeFalconX/README.md b/Packs/CrowdStrikeFalconX/README.md new file mode 100644 index 000000000000..e69de29bb2d1 
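Review bot: The `EnvironmentID` input (default `"100"`) is declared but never read: task 13 hard-codes `environment_id: simple: '160: Windows 10'`, so callers cannot choose the sandbox environment and the documented default disagrees with what actually runs; wire it as `environment_id: complex: root: inputs.EnvironmentID` (or remove the input) and align the default with a valid value. The input's description also points operators at a `crowdstrike-get-environments` command, which does not follow the `cs-fx-` prefix every command in this pack uses (see example.txt), so that name looks carried over from another integration — verify it exists. The playbook description (`Detonate one or more files using the CrowdStrike Falcon Sandbox integration ... file reputations`) and task 14's description (`Checks whether there's a file to detonate`) describe the file playbook, not this URL one, and should say URL. The outputs list `csfalconx.resource.created_timpestamp`, a misspelling that cannot match the `created_timestamp` field shown in the test data above.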
diff --git a/Packs/CrowdStrikeFalconX/TestPlaybooks/CrowdStrike_Falcon_X_-Test-Detonate_File.yml b/Packs/CrowdStrikeFalconX/TestPlaybooks/CrowdStrike_Falcon_X_-Test-Detonate_File.yml
new file mode 100644
index 000000000000..f373e8824bca
--- /dev/null
+++ b/Packs/CrowdStrikeFalconX/TestPlaybooks/CrowdStrike_Falcon_X_-Test-Detonate_File.yml
@@ -0,0 +1,154 @@ +id: CrowdStrike_Falcon_X_-Test-Detonate_File +version: -1 +name: CrowdStrike_Falcon_X_-Test-Detonate_File +description: "" +starttaskid: "0" +tasks: + "0": + id: "0" + taskid: 0febfd58-06a1-4831-8160-30b15e923847 + type: start + task: + id: 0febfd58-06a1-4831-8160-30b15e923847 + version: -1 + name: "" + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "1" + separatecontext: false + view: |- + { + "position": { + "x": 50, + "y": 50 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + "1": + id: "1" + taskid: 3bc7bc7b-cf09-40c9-8191-658cf6ce571b + type: regular + task: + id: 3bc7bc7b-cf09-40c9-8191-658cf6ce571b + version: -1 + name: DeleteContext + scriptName: DeleteContext + type: regular + iscommand: false + description: "" + brand: "" + nexttasks: + '#none#': + - "3" + scriptarguments: + all: + simple: "yes" + key: {} + keysToKeep: {} + separatecontext: false + view: |- + { + "position": { + "x": 50, + "y": 195 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + "3": + id: "3" + taskid: 7fc6a518-4ddb-425c-8f12-1ca517d6bf45 + type: regular + task: + id: 7fc6a518-4ddb-425c-8f12-1ca517d6bf45 + version: -1 + name: Set File + description: Sends an http request and returns the response as JSON. 
+ scriptName: http + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "4" + scriptarguments: + body: {} + filename: + simple: test.pdf + headers: {} + insecure: {} + method: + simple: GET + password: {} + proxy: {} + saveAsFile: + simple: "yes" + unsecure: {} + url: + simple: http://www.pdf995.com/samples/pdf.pdf + username: {} + separatecontext: false + view: |- + { + "position": { + "x": 50, + "y": 380 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + "4": + id: "4" + taskid: 7043a945-5200-40c5-8f48-b62e4b1c7573 + type: playbook + task: + id: Detonate File - CrowdStrike Falcon X + version: -1 + name: Detonate File - CrowsStrike Falcon X + playbookName: Detonate File - CrowsStrike Falcon X + playbookId: Detonate File - CrowdStrike Falcon X + type: playbook + iscommand: false + brand: "" + description: '' + separatecontext: true + view: |- + { + "position": { + "x": 50, + "y": 580 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 +view: |- + { + "linkLabelsPosition": {}, + "paper": { + "dimensions": { + "height": 625, + "width": 380, + "x": 50, + "y": 50 + } + } + } +inputs: [] +outputs: [] +fromversion: 5.0.0 diff --git a/Packs/CrowdStrikeFalconX/TestPlaybooks/CrowdStrike_Falcon_X_-Test-Detonate_URL.yml b/Packs/CrowdStrikeFalconX/TestPlaybooks/CrowdStrike_Falcon_X_-Test-Detonate_URL.yml new file mode 100644 index 000000000000..85d3b25e566d --- /dev/null +++ b/Packs/CrowdStrikeFalconX/TestPlaybooks/CrowdStrike_Falcon_X_-Test-Detonate_URL.yml 
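Review bot: Task 3 fetches the detonation sample over plain HTTP from a third-party host (`url: simple: http://www.pdf995.com/samples/pdf.pdf`), so the bytes that reach the sandbox are whatever that site, or anyone on the path, serves at run time, and the test's outcome depends on it; pin the sample (commit a small fixture and load it from the test's context, or at least fetch over https and check a known hash) so a changed or tampered download does not silently alter what is detonated. Task 4 sets `playbookName: Detonate File - CrowsStrike Falcon X` while `playbookId` spells `CrowdStrike` correctly; whichever field the server resolves by, make the two agree so the sub-playbook reference cannot break.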
@@ -0,0 +1,144 @@
+id: CrowdStrike_Falcon_X_-Test-Detonate_URL
+version: -1
+name: CrowdStrike_Falcon_X_-Test-Detonate_URL
+description: ""
+starttaskid: "0"
+tasks:
+ "0":
+ id: "0"
+ taskid: 80a1754e-b8e6-406a-8108-337eed83ff43
+ type: start
+ task:
+ id: 80a1754e-b8e6-406a-8108-337eed83ff43
+ version: -1
+ name: ""
+ iscommand: false
+ brand: ""
+ description: ''
+ nexttasks:
+ '#none#':
+ - "1"
+ separatecontext: false
+ view: |-
+ {
+ "position": {
+ "x": 50,
+ "y": 50
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ "1":
+ id: "1"
+ taskid: 8da20376-add7-41e7-817e-8ee2a32dee59
+ type: regular
+ task:
+ id: 8da20376-add7-41e7-817e-8ee2a32dee59
+ version: -1
+ name: DeleteContext
+ scriptName: DeleteContext
+ type: regular
+ iscommand: false
+ description: ''
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "3"
+ scriptarguments:
+ all:
+ simple: "yes"
+ key: {}
+ keysToKeep: {}
+ separatecontext: false
+ view: |-
+ {
+ "position": {
+ "x": 50,
+ "y": 195
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ "3":
+ id: "3"
+ taskid: d5fd2168-0e80-4f43-8294-b3e7cee570d8
+ type: regular
+ task:
+ id: d5fd2168-0e80-4f43-8294-b3e7cee570d8
+ version: -1
+ name: Set URL
+ scriptName: Set
+ type: regular
+ iscommand: false
+ description: ''
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "4"
+ scriptarguments:
+ append: {}
+ key:
+ simple: URL.Data
+ value:
+ simple: https://www.google.com
+ separatecontext: false
+ view: |-
+ {
+ "position": {
+ "x": 50,
+ "y": 370
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ "4":
+ id: "4"
+ taskid: 402c0b9a-94f9-4a17-82a5-0478df6c5da9
+ type: playbook
+ task:
+ id: Detonate URL - CrowdStrike Falcon X
+ version: -1
+ name: Detonate URL - CrowsStrike Falcon X
+ playbookName: Detonate URL - CrowsStrike Falcon X
+ playbookId: Detonate URL - CrowdStrike Falcon X
+ type: playbook
+ 
iscommand: false
+ brand: ""
+ description: ''
+ separatecontext: true
+ view: |-
+ {
+ "position": {
+ "x": 50,
+ "y": 570
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+view: |-
+ {
+ "linkLabelsPosition": {},
+ "paper": {
+ "dimensions": {
+ "height": 615,
+ "width": 380,
+ "x": 50,
+ "y": 50
+ }
+ }
+ }
+inputs: []
+outputs: []
+fromversion: 5.0.0
diff --git a/Packs/CrowdStrikeFalconX/pack_metadata.json b/Packs/CrowdStrikeFalconX/pack_metadata.json
new file mode 100644
index 000000000000..403d95f2c461
--- /dev/null
+++ b/Packs/CrowdStrikeFalconX/pack_metadata.json
@@ -0,0 +1,21 @@
+{
+ "name": "CrowdStrike FalconX",
+ "description": "Fully automated malware analysis",
+ "support": "xsoar",
+ "serverMinVersion": "5.0.0",
+ "currentVersion": "1.0.0",
+ "author": "Cortex XSOAR",
+ "url": "https://www.paloaltonetworks.com/cortex",
+ "email": "",
+ "categories": ["Forensics & Malware Analysis"],
+ "tags": [],
+ "created": "2020-04-04T17:46:55Z",
+ "updated": "2020-04-04T17:46:55Z",
+ "beta": false,
+ "deprecated": false,
+ "certification": "certified",
+ "useCases": [],
+ "keywords": [],
+ "price": 0,
+ "dependencies": {}
+}
\ No newline at end of file
diff --git a/Packs/CrowdStrikeHost/.secrets-ignore b/Packs/CrowdStrikeHost/.secrets-ignore
index e69de29bb2d1..03b1822d6139 100644
--- a/Packs/CrowdStrikeHost/.secrets-ignore
+++ b/Packs/CrowdStrikeHost/.secrets-ignore
@@ -0,0 +1 @@
+10.2.101.237
\ No newline at end of file
diff --git a/Packs/CrowdStrikeHost/Integrations/integration-CrowdStrikeHost.yml b/Packs/CrowdStrikeHost/Integrations/integration-CrowdStrikeHost.yml
index d70b35829a19..66df93c239c9 100644
--- a/Packs/CrowdStrikeHost/Integrations/integration-CrowdStrikeHost.yml
+++ b/Packs/CrowdStrikeHost/Integrations/integration-CrowdStrikeHost.yml
@@ -18,12 +18,10 @@ configuration: required: true - display: API ID name: id - defaultvalue: "" type: 0 required: true - display: API Key name: key - defaultvalue: "" type: 4 required: true - display: Use system proxy settings @@ -828,6 +826,8 @@ script: - sha1 - md5 - domain + - ipv4 + - ipv6 description: The type of indicator from the list of supported indicator types. - name: value required: true @@ -869,6 +869,7 @@ script: description: Retrieves the details of a process, according to process ID, that is running or that previously ran. - name: cs-resolve-detection + deprecated: true arguments: - name: ids required: true @@ -992,10 +993,10 @@ script: - contextPath: CrowdStrikeHost.Detections.behaviors.technique description: Technique of the behavior type: string - description: Sets the state of a detection in Falcon Host. You can obtain detection - IDs from the Falcon Host UI or from the Falcon Streaming API. + description: Deprecated. Use the cs-falcon-resolve-detection command from the CrowdStrike Falcon integration instead. execution: true - name: cs-detection-search + deprecated: true arguments: - name: query description: Free text search filter @@ -1005,10 +1006,9 @@ script: - contextPath: CrowdStrikeHost.Detections.detection_id description: IDs of the related detections type: string - description: String search through all Crowdstrike Detection fields. For example, - provide a sensor ID to search for all detections that contain that sensor ID - (and any other fields that would happen to contain it) + description: Deprecated. Use the cs-falcon-search-detection command from the CrowdStrike Falcon integration instead. - name: cs-detection-details + deprecated: true arguments: - name: detection_id required: true 
@@ -1120,7 +1120,7 @@ script: - contextPath: CrowdStrikeHost.Detections.behaviors.technique description: Technique of the behavior type: string - description: Fetches details of a Crowdstrike Detection using the detection ID + description: Deprecated. Use the cs-falcon-search-detection command from the CrowdStrike Falcon integration instead. - name: cs-threatgraph-summary arguments: - name: ctg_id diff --git a/Packs/CrowdStrikeHost/Integrations/integration-CrowdStrikeHost_README.md b/Packs/CrowdStrikeHost/Integrations/integration-CrowdStrikeHost_README.md index bb46c7a6ca5b..ad9c9a7e4b44 100644 --- a/Packs/CrowdStrikeHost/Integrations/integration-CrowdStrikeHost_README.md +++ b/Packs/CrowdStrikeHost/Integrations/integration-CrowdStrikeHost_README.md @@ -34,9 +34,9 @@
  • Get a list of device IDs that an indicator ran on: cs-device-ran-on
  • Get the process ID of an indicator for a device: cs-processes-ran-on
  • Get process details: cs-process-details
  • -
  • Set resolution status: cs-resolve-detection
  • -
  • Search all detection fields: cs-detection-search
  • -
  • Get detection details: cs-detection-details
  • +
  • Set resolution status: cs-resolve-detection (Deprecated)
  • +
  • Search all detection fields: cs-detection-search (Deprecated)
  • +
  • Get detection details: cs-detection-details (Deprecated)
  • 1. Upload indicators for CS to monitor


    @@ -594,8 +594,9 @@
     
    Context Output

    There is no context output for this command.

    -

    12. Set resolution status

    +

    12. Set resolution status (Deprecated)


    +

    Use the cs-falcon-resolve-detection command from the CrowdStrike Falcon integration instead.

    Sets the state of a detection in Falcon Host. You can obtain detection IDs from the Falcon Host UI or from the Falcon Streaming API.

    Base Command

    cs-resolve-detection

    @@ -811,8 +812,9 @@
    Command Example

    !cs-resolve-detection ids=cf54bb61f92e4d3e75bf4f7c11fc8f74:4295536142 status=in_progress

    -

    13. Search all detection fields

    +

    13. Search all detection fields (Deprecated)


    +

    Deprecated. Use the cs-falcon-search-detection command from the CrowdStrike Falcon integration instead.

    Performs a string search through all CrowdStrike Detection fields. For example, provide a sensor ID to search for all detections that contain that sensor ID.

    Base Command
    cs-detection-search
    @@ -862,8 +864,9 @@
    Human Readable Output

    screen shot 2018-10-08 at 12 12 56

     

    -

    14. Get detection details

    +

    14. Get detection details (Deprecated)


    +

    Deprecated. Use the cs-falcon-search-detection command from the CrowdStrike Falcon integration instead.

    Fetches details of a CrowdStrike Detection using the detection ID.

    Base Command
    cs-detection-details
    diff --git a/Packs/CrowdStrikeHost/ReleaseNotes/1_1_2.md b/Packs/CrowdStrikeHost/ReleaseNotes/1_1_2.md new file mode 100644 index 000000000000..8abde8342433 --- /dev/null +++ b/Packs/CrowdStrikeHost/ReleaseNotes/1_1_2.md @@ -0,0 +1,8 @@ + +#### Integrations +##### FalconHost + - Added support for IPv4 and IPv6 indicator types to the ***cs-device-ran-on*** command. + - Deprecated the following commands: + - ***cs-resolve-detection***: Use the ***cs-falcon-resolve-detection*** command from the **CrowdStrike Falcon** integration instead. + - ***cs-detection-details***: Use the ***cs-falcon-search-detection*** command from the **CrowdStrike Falcon** integration instead. + - ***cs-detection-search***: Use the ***cs-falcon-search-detection*** command from the **CrowdStrike Falcon** integration instead. diff --git a/Packs/CrowdStrikeHost/TestPlaybooks/playbook-CrowdStrike_FalconHost_test.yml b/Packs/CrowdStrikeHost/TestPlaybooks/playbook-CrowdStrike_FalconHost_test.yml index 73dab99b4bb2..0cc7448076dc 100644 --- a/Packs/CrowdStrikeHost/TestPlaybooks/playbook-CrowdStrike_FalconHost_test.yml +++ b/Packs/CrowdStrikeHost/TestPlaybooks/playbook-CrowdStrike_FalconHost_test.yml @@ -1,20 +1,15 @@ -elasticcommonfields: {} id: FalconHost Test version: -1 -contentitemexportablefields: - contentitemfields: - propagationLabels: - - all +vcShouldKeepItemLegacyProdMachine: false name: FalconHost Test starttaskid: "0" tasks: "0": id: "0" - taskid: "c3d0808c-fef8-42bf-bc88-c4d681200d78" + taskid: 814a2191-34e0-40f0-8666-40c67174a0e3 type: start task: - elasticcommonfields: {} - id: "c3d0808c-fef8-42bf-bc88-c4d681200d78" + id: 814a2191-34e0-40f0-8666-40c67174a0e3 version: -1 name: "" iscommand: false @@ -26,7 +21,7 @@ tasks: view: |- { "position": { - "x": 275, + "x": 265, "y": 50 } } 
@@ -34,14 +29,13 @@ tasks: timertriggers: [] ignoreworker: false skipunavailable: false - quiet: false + quietmode: 0 "7": id: "7" - taskid: "0b2b1d55-17ea-48d5-99c4-546e4d25de57" + taskid: f16f4c13-934e-422f-8415-6d84bd306c88 type: regular task: - elasticcommonfields: {} - id: "0b2b1d55-17ea-48d5-99c4-546e4d25de57" + id: f16f4c13-934e-422f-8415-6d84bd306c88 version: -1 name: Search devices description: Search for devices in your environment by platform, host name, @@ -63,7 +57,7 @@ tasks: view: |- { "position": { - "x": 275, + "x": 265, "y": 370 } } @@ -71,14 +65,13 @@ tasks: timertriggers: [] ignoreworker: false skipunavailable: false - quiet: false + quietmode: 0 "8": id: "8" - taskid: "b76a1dae-2ba1-40da-81d6-2ed628084bf2" + taskid: d84e95eb-b9a3-457e-83c9-4cab302a94b5 type: regular task: - elasticcommonfields: {} - id: "b76a1dae-2ba1-40da-81d6-2ed628084bf2" + id: d84e95eb-b9a3-457e-83c9-4cab302a94b5 version: -1 name: DeleteContext description: Delete field from context @@ -97,7 +90,7 @@ tasks: view: |- { "position": { - "x": 275, + "x": 265, "y": 195 } } @@ -105,14 +98,13 @@ tasks: timertriggers: [] ignoreworker: false skipunavailable: false - quiet: false + quietmode: 0 "13": id: "13" - taskid: "24428a6a-46ee-4d67-8f56-9645df13d580" + taskid: 1a6ef7d7-f6a0-4028-8111-56913ffcc87d type: condition task: - elasticcommonfields: {} - id: "24428a6a-46ee-4d67-8f56-9645df13d580" + id: 1a6ef7d7-f6a0-4028-8111-56913ffcc87d version: -1 name: Found any devices? type: condition @@ -136,7 +128,7 @@ tasks: view: |- { "position": { - "x": 275, + "x": 265, "y": 545 } } 
@@ -144,14 +136,13 @@ tasks: timertriggers: [] ignoreworker: false skipunavailable: false - quiet: false + quietmode: 0 "15": id: "15" - taskid: "2561f88c-efdb-466c-a231-1dc73572ac46" + taskid: d3f6e785-edad-4a2b-89ed-1247ea92d857 type: regular task: - elasticcommonfields: {} - id: "2561f88c-efdb-466c-a231-1dc73572ac46" + id: d3f6e785-edad-4a2b-89ed-1247ea92d857 version: -1 name: Get device details description: Get details for one or more devices, according to device ID @@ -169,7 +160,7 @@ tasks: view: |- { "position": { - "x": 162.5, + "x": 377.5, "y": 720 } } @@ -177,14 +168,13 @@ tasks: timertriggers: [] ignoreworker: false skipunavailable: false - quiet: false + quietmode: 0 "16": id: "16" - taskid: "dc1e8c3c-8608-4ca5-a290-558845a302eb" + taskid: c5092555-1c08-41ae-8d39-b4cee81f02fd type: regular task: - elasticcommonfields: {} - id: "dc1e8c3c-8608-4ca5-a290-558845a302eb" + id: c5092555-1c08-41ae-8d39-b4cee81f02fd version: -1 name: Verify Endpoint description: |- @@ -209,7 +199,7 @@ tasks: view: |- { "position": { - "x": 162.5, + "x": 377.5, "y": 895 } } @@ -217,14 +207,13 @@ tasks: timertriggers: [] ignoreworker: false skipunavailable: false - quiet: false + quietmode: 0 "17": id: "17" - taskid: "be1933ad-2852-48bb-8421-d702c4959231" + taskid: e32e6cd8-3a3f-4af6-8f74-aa25e3f5166f type: regular task: - elasticcommonfields: {} - id: "be1933ad-2852-48bb-8421-d702c4959231" + id: e32e6cd8-3a3f-4af6-8f74-aa25e3f5166f version: -1 name: Search by MD5 description: Returns a list of device IDs on which an indicator ran @@ -244,7 +233,7 @@ tasks: view: |- { "position": { - "x": 162.5, + "x": 377.5, "y": 1245 } } 
@@ -252,14 +241,13 @@ tasks: timertriggers: [] ignoreworker: false skipunavailable: false - quiet: false + quietmode: 0 "18": id: "18" - taskid: "5d3db641-f79f-496f-9bed-b15eca350fc0" + taskid: 30a8b402-3b19-4fcd-85c2-89c784800ce4 type: regular task: - elasticcommonfields: {} - id: "5d3db641-f79f-496f-9bed-b15eca350fc0" + id: 30a8b402-3b19-4fcd-85c2-89c784800ce4 version: -1 name: Get details description: Get details for one or more devices, according to device ID @@ -269,7 +257,7 @@ tasks: brand: FalconHost nexttasks: '#none#': - - "23" + - "33" scriptarguments: ids: simple: ${FalconHostDevices} @@ -277,7 +265,7 @@ tasks: view: |- { "position": { - "x": 50, + "x": 490, "y": 1595 } } @@ -285,14 +273,13 @@ tasks: timertriggers: [] ignoreworker: false skipunavailable: false - quiet: false + quietmode: 0 "19": id: "19" - taskid: "e523fb12-c3d0-42bf-ad11-426fe2eefeb2" + taskid: 89baa8b3-c51d-4fd3-82ca-4ab5b0aa68f8 type: regular task: - elasticcommonfields: {} - id: "e523fb12-c3d0-42bf-ad11-426fe2eefeb2" + id: 89baa8b3-c51d-4fd3-82ca-4ab5b0aa68f8 version: -1 name: Delete Context description: Delete field from context @@ -314,7 +301,7 @@ tasks: view: |- { "position": { - "x": 162.5, + "x": 377.5, "y": 1070 } } @@ -322,14 +309,13 @@ tasks: timertriggers: [] ignoreworker: false skipunavailable: false - quiet: false + quietmode: 0 "21": id: "21" - taskid: "96ecfd8d-8345-4d78-a4c1-bd8439133bc0" + taskid: 68dfc3fe-83f7-4055-8ae4-2c8ea4e0277b type: regular task: - elasticcommonfields: {} - id: "96ecfd8d-8345-4d78-a4c1-bd8439133bc0" + id: 68dfc3fe-83f7-4055-8ae4-2c8ea4e0277b version: -1 name: Search with number offset description: Search for devices in your environment by platform, host name, 
@@ -351,22 +337,21 @@ tasks: view: |- { "position": { - "x": 162.5, - "y": 1945 + "x": 377.5, + "y": 2470 } } note: false timertriggers: [] ignoreworker: false skipunavailable: false - quiet: false + quietmode: 0 "22": id: "22" - taskid: "d76dc448-ddd3-4164-b16c-ef5bb63218d0" + taskid: 96b3082f-634e-4464-8243-eb28911f29fa type: regular task: - elasticcommonfields: {} - id: "d76dc448-ddd3-4164-b16c-ef5bb63218d0" + id: 96b3082f-634e-4464-8243-eb28911f29fa version: -1 name: Get device details description: Get details for one or more devices, according to device ID @@ -384,22 +369,21 @@ tasks: view: |- { "position": { - "x": 162.5, - "y": 2120 + "x": 377.5, + "y": 2645 } } note: false timertriggers: [] ignoreworker: false skipunavailable: false - quiet: false + quietmode: 0 "23": id: "23" - taskid: "90399b9b-4b87-48aa-9d0b-7d5a61ec3d48" + taskid: bebd7ce9-ca44-4728-8bc2-d182accddbf5 type: regular task: - elasticcommonfields: {} - id: "90399b9b-4b87-48aa-9d0b-7d5a61ec3d48" + id: bebd7ce9-ca44-4728-8bc2-d182accddbf5 version: -1 name: Set number offset description: Sets a value into the context with the given context key @@ -420,22 +404,21 @@ tasks: view: |- { "position": { - "x": 162.5, - "y": 1770 + "x": 377.5, + "y": 2295 } } note: false timertriggers: [] ignoreworker: false skipunavailable: false - quiet: false + quietmode: 0 "24": id: "24" - taskid: "0538af06-8fdd-4113-98e7-99e174e1aff2" + taskid: d9e46570-c5f0-4c44-8aaa-a9f001c8d688 type: condition task: - elasticcommonfields: {} - id: "0538af06-8fdd-4113-98e7-99e174e1aff2" + id: d9e46570-c5f0-4c44-8aaa-a9f001c8d688 version: -1 name: Found any devices? type: condition @@ -443,7 +426,7 @@ tasks: brand: "" nexttasks: '#default#': - - "23" + - "33" "yes": - "18" separatecontext: false @@ -459,7 +442,7 @@ tasks: view: |- { "position": { - "x": 162.5, + "x": 377.5, "y": 1420 } } 
@@ -467,14 +450,13 @@ tasks: timertriggers: [] ignoreworker: false skipunavailable: false - quiet: false + quietmode: 0 "25": id: "25" - taskid: "4db38125-e1c3-4911-9dec-8559ad767753" + taskid: 9c68c21d-78a8-4487-89c1-0a7876c8b74a type: condition task: - elasticcommonfields: {} - id: "4db38125-e1c3-4911-9dec-8559ad767753" + id: 9c68c21d-78a8-4487-89c1-0a7876c8b74a version: -1 name: Check detections were fetched description: Check detections were fetched @@ -512,22 +494,21 @@ tasks: view: |- { "position": { - "x": 275, - "y": 2500 + "x": 265, + "y": 2995 } } note: false timertriggers: [] ignoreworker: false skipunavailable: false - quiet: false + quietmode: 0 "26": id: "26" - taskid: "c17e52a0-5e56-451a-a31f-9ce6f7a6b7fe" + taskid: 4b1c707d-956b-48c6-8db8-ea6eadb7a0bd type: regular task: - elasticcommonfields: {} - id: "c17e52a0-5e56-451a-a31f-9ce6f7a6b7fe" + id: 4b1c707d-956b-48c6-8db8-ea6eadb7a0bd version: -1 name: Get Detection Details description: Fetch details of a Crowdstrike Detection using the detection ID @@ -547,22 +528,21 @@ tasks: view: |- { "position": { - "x": 60, - "y": 2755 + "x": 50, + "y": 3170 } } note: false timertriggers: [] ignoreworker: false skipunavailable: false - quiet: false + quietmode: 0 "27": id: "27" - taskid: "efd3a3b5-7cd4-452a-a63b-bed069f26fd2" + taskid: 79dd6e1e-4b80-42e8-8628-3078e72aef69 type: title task: - elasticcommonfields: {} - id: "efd3a3b5-7cd4-452a-a63b-bed069f26fd2" + id: 79dd6e1e-4b80-42e8-8628-3078e72aef69 version: -1 name: No Detections to check type: title 
@@ -572,22 +552,21 @@ tasks: view: |- { "position": { - "x": 542.5, - "y": 2755 + "x": 480, + "y": 3185 } } note: false timertriggers: [] ignoreworker: false skipunavailable: false - quiet: false + quietmode: 0 "28": id: "28" - taskid: "d782f73e-82c3-4aab-b57b-47672b8187c0" + taskid: e915c6ff-a88b-47d5-8572-14fdec4d6ee8 type: condition task: - elasticcommonfields: {} - id: "d782f73e-82c3-4aab-b57b-47672b8187c0" + id: e915c6ff-a88b-47d5-8572-14fdec4d6ee8 version: -1 name: Assert detections details were fetched description: Assert detections details were fetched @@ -611,22 +590,21 @@ tasks: view: |- { "position": { - "x": 60, - "y": 2940 + "x": 50, + "y": 3345 } } note: false timertriggers: [] ignoreworker: false skipunavailable: false - quiet: false + quietmode: 0 "29": id: "29" - taskid: "dd288834-40d0-4f0f-85c6-ff021b62ac52" + taskid: b9c891b1-3d19-4a68-8519-2f48f94b7105 type: regular task: - elasticcommonfields: {} - id: "dd288834-40d0-4f0f-85c6-ff021b62ac52" + id: b9c891b1-3d19-4a68-8519-2f48f94b7105 version: -1 name: Change Detection to in_progress description: Sets the state of a detection in Falcon Host. You can obtain detection @@ -649,22 +627,21 @@ tasks: view: |- { "position": { - "x": 60, - "y": 3120 + "x": 50, + "y": 3520 } } note: false timertriggers: [] ignoreworker: false skipunavailable: false - quiet: false + quietmode: 0 "30": id: "30" - taskid: "5be55b33-7679-46fd-9381-63291044ffec" + taskid: db5f714e-a4e7-4da1-8d07-2083c0b33e5a type: title task: - elasticcommonfields: {} - id: "5be55b33-7679-46fd-9381-63291044ffec" + id: db5f714e-a4e7-4da1-8d07-2083c0b33e5a version: -1 name: Done description: Done 
@@ -675,22 +652,21 @@ tasks: view: |- { "position": { - "x": 60, - "y": 3320 + "x": 50, + "y": 3695 } } note: false timertriggers: [] ignoreworker: false skipunavailable: false - quiet: false + quietmode: 0 "31": id: "31" - taskid: "98ba8ad4-29cb-41d0-90b8-d327336e913b" + taskid: f40e6b74-da7f-4dd9-8196-18957526f7d3 type: regular task: - elasticcommonfields: {} - id: "98ba8ad4-29cb-41d0-90b8-d327336e913b" + id: f40e6b74-da7f-4dd9-8196-18957526f7d3 version: -1 name: Search Detections Since 2017 description: String search through all Crowdstrike Detection fields. For example, 
@@ -711,22 +687,126 @@ tasks: view: |- { "position": { - "x": 275, - "y": 2300 + "x": 265, + "y": 2820 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + "33": + id: "33" + taskid: d6c3da2e-28a9-43a6-87ab-7b8e0385079d + type: regular + task: + id: d6c3da2e-28a9-43a6-87ab-7b8e0385079d + version: -1 + name: Search by IPv4 + description: Returns a list of device IDs on which an indicator ran + script: FalconHost|||cs-device-ran-on + type: regular + iscommand: true + brand: FalconHost + nexttasks: + '#none#': + - "37" + scriptarguments: + type: + simple: ipv4 + value: + simple: 10.2.101.237 + separatecontext: false + view: |- + { + "position": { + "x": 377.5, + "y": 1770 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + "37": + id: "37" + taskid: 4529e31f-2a27-48d8-83c0-e26bccad20e7 + type: regular + task: + id: 4529e31f-2a27-48d8-83c0-e26bccad20e7 + version: -1 + name: Search by IPv6 + description: Returns a list of device IDs on which an indicator ran + script: FalconHost|||cs-device-ran-on + type: regular + iscommand: true + brand: FalconHost + nexttasks: + '#none#': + - "38" + scriptarguments: + type: + simple: ipv6 + value: + simple: 2001:4860:4860::8888 + separatecontext: false + view: |- + { + "position": { + "x": 377.5, + "y": 1945 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + "38": + id: "38" + taskid: 657811da-8607-42da-87e2-fa4b393a1de2 + type: regular + task: + id: 657811da-8607-42da-87e2-fa4b393a1de2 + version: -1 + name: Delete Context + description: Delete field from context + scriptName: DeleteContext + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "23" + scriptarguments: + all: + simple: "yes" + index: {} + key: {} + keysToKeep: {} + subplaybook: {} + separatecontext: false + view: |- + { + "position": { + "x": 377.5, + "y": 2120 } } note: false 
timertriggers: [] ignoreworker: false skipunavailable: false - quiet: false + quietmode: 0 view: |- { "linkLabelsPosition": {}, "paper": { "dimensions": { - "height": 3335, - "width": 872.5, + "height": 3710, + "width": 820, "x": 50, "y": 50 } diff --git a/Packs/CrowdStrikeHost/pack_metadata.json b/Packs/CrowdStrikeHost/pack_metadata.json index 360a7365ffce..5a3eaf72c1fd 100644 --- a/Packs/CrowdStrikeHost/pack_metadata.json +++ b/Packs/CrowdStrikeHost/pack_metadata.json @@ -1,16 +1,16 @@ { - "name": "FalconHost", - "description": "Crowdstrike IOCs and detections API", - "support": "xsoar", - "currentVersion": "1.1.1", - "author": "Cortex XSOAR", - "url": "https://www.paloaltonetworks.com/cortex", - "email": "", - "created": "2020-04-14T00:00:00Z", - "categories": [ - "Endpoint" - ], - "tags": [], - "useCases": [], - "keywords": [] + "name": "FalconHost", + "description": "Crowdstrike IOCs and detections API", + "support": "xsoar", + "currentVersion": "1.1.2", + "author": "Cortex XSOAR", + "url": "https://www.paloaltonetworks.com/cortex", + "email": "", + "created": "2020-04-14T00:00:00Z", + "categories": [ + "Endpoint" + ], + "tags": [], + "useCases": [], + "keywords": [] } diff --git a/Packs/Cylance_Protect/Integrations/Cylance_Protect_v2/README.md b/Packs/Cylance_Protect/Integrations/Cylance_Protect_v2/README.md index 54a0ef08f306..e9102dc1e5e4 100644 --- a/Packs/Cylance_Protect/Integrations/Cylance_Protect_v2/README.md +++ b/Packs/Cylance_Protect/Integrations/Cylance_Protect_v2/README.md @@ -1465,7 +1465,7 @@
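Review bot: The new IPv4 and IPv6 searches (tasks 33 and 37) are never asserted: 33 chains to 37, 37 to the DeleteContext task 38, and 38 on to 23, so unlike the MD5 search, which feeds the "Found any devices?" condition (task 24), a `cs-device-ran-on` call that returns no devices or writes the wrong context key still passes. A condition task between 37 and 38 checking whatever context `cs-device-ran-on` populates would make the added coverage meaningful; the command's output paths are not visible in this diff, so the exact key has to come from the integration. The IPv4 value `10.2.101.237` is a private address that also needed the `.secrets-ignore` entry added earlier in this diff and ties the test to one tenant's telemetry; an address from the RFC 5737 documentation range, e.g. `simple: 192.0.2.1`, or a playbook input would avoid both.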
    Command Example
    !cylance-protect-download-threat sha256="0f427b33b824110427b2ba7be20740b45ea4da41bc1416dd55771edfb0c18f09" unzip="yes"
    Context Example
    -
    DBotScore
    {
      "Indicator": "AutoitLocker.exe",
      "Score": 3,
      "Type": "file",
      "Vendor": "Cylance Protect"
    }
    File
    {
      "DownloadURL":       "https://cylanceephemeralfilestore.s3.amazonaws.com/0F/42/7B/33/0F427B33B824110427B2BA7BE20740B45EA4DA41BC1416DD55771EDFB0C18F09.zip? Signature=98kI7a19I2q%2BeE7Ef1un4BjSolQ%3D&Expires=1541875473&AWSAccessKeyId=AKIAIAD6JC2YTYVBFRFA",
      "MD5": "2FC103D0D52466B63D44444CE12A5901",
      "Malicious": {
      "Description": "Score determined by get threat command",
      "Vendor": "Cylance Protect"
    },
      "Name": "AutoitLocker.exe",
      "SHA256": "0F427B33B824110427B2BA7BE20740B45EA4DA41BC1416DD55771EDFB0C18F09",
      "Safelisted": false,
      "Size": 405345,
      "Timestamp": "0001-01-01T00:00:00"
    }
    +
    DBotScore
    {
      "Indicator": "AutoitLocker.exe",
      "Score": 3,
      "Type": "file",
      "Vendor": "Cylance Protect"
    }
    File
    {
      "DownloadURL":       "https://cylanceephemeralfilestore.s3.amazonaws.com/0F/42/7B/33/0F427B33B824110427B2BA7BE20740B45EA4DA41BC1416DD55771EDFB0C18F09.zip? Signature=98kI7a19I2q%2BeE7Ef1un4BjSolQ%3D&Expires=1541875473&AWSAccessKeyId=AKIAIAD6JC2YTYVBFRFA",
      "MD5": "2FC103D0D52466B63D44444CE12A5901",
      "Malicious": {
      "Description": "Score determined by get threat command",
      "Vendor": "Cylance Protect"
    },
      "Name": "AutoitLocker.exe",
      "SHA256": "0F427B33B824110427B2BA7BE20740B45EA4DA41BC1416DD55771EDFB0C18F09",
      "Safelisted": false,
      "Size": 405345,
      "Timestamp": "0001-01-01T00:00:00"
    }
    Human Readable Output

    screen shot 2018-11-10 at 20 56 40

    17. Add a hash to a list

    diff --git a/Packs/DeprecatedContent/Integrations/Cymon/Cymon.yml b/Packs/DeprecatedContent/Integrations/Cymon/Cymon.yml index 71472728efc6..c96fb4f5a459 100644 --- a/Packs/DeprecatedContent/Integrations/Cymon/Cymon.yml +++ b/Packs/DeprecatedContent/Integrations/Cymon/Cymon.yml @@ -111,3 +111,5 @@ script: script: '' type: python subtype: python2 +tests: + - No tests diff --git a/Packs/DeprecatedContent/Integrations/ExtraHop/ExtraHop.yml b/Packs/DeprecatedContent/Integrations/ExtraHop/ExtraHop.yml index 26db2061c43f..65936fd2310d 100644 --- a/Packs/DeprecatedContent/Integrations/ExtraHop/ExtraHop.yml +++ b/Packs/DeprecatedContent/Integrations/ExtraHop/ExtraHop.yml @@ -890,4 +890,4 @@ script: type: python subtype: python3 tests: -- ExtraHop-Test +- No tests diff --git a/Packs/DeprecatedContent/Integrations/PaloAltoNetworksCortex/PaloAltoNetworksCortex.yml b/Packs/DeprecatedContent/Integrations/PaloAltoNetworksCortex/PaloAltoNetworksCortex.yml index a55ebf4725ea..f497d978e3ea 100644 --- a/Packs/DeprecatedContent/Integrations/PaloAltoNetworksCortex/PaloAltoNetworksCortex.yml +++ b/Packs/DeprecatedContent/Integrations/PaloAltoNetworksCortex/PaloAltoNetworksCortex.yml @@ -1772,5 +1772,5 @@ script: type: python subtype: python3 tests: -- Palo Alto Networks Cortex Test +- No tests fromversion: 4.1.0 diff --git a/Packs/DeprecatedContent/Integrations/PaloAlto_MineMeld/PaloAlto_MineMeld.yml b/Packs/DeprecatedContent/Integrations/PaloAlto_MineMeld/PaloAlto_MineMeld.yml index 5acb4fe52ebf..c5f34db41daa 100644 --- a/Packs/DeprecatedContent/Integrations/PaloAlto_MineMeld/PaloAlto_MineMeld.yml +++ b/Packs/DeprecatedContent/Integrations/PaloAlto_MineMeld/PaloAlto_MineMeld.yml @@ -488,4 +488,4 @@ script: type: python subtype: python2 tests: -- minemeld_test +- No tests diff --git a/Packs/DeprecatedContent/Integrations/integration-AlienVaultOTX.yml b/Packs/DeprecatedContent/Integrations/integration-AlienVaultOTX.yml index 63a1b8170dea..de841fe0e07d 100644 
--- a/Packs/DeprecatedContent/Integrations/integration-AlienVaultOTX.yml +++ b/Packs/DeprecatedContent/Integrations/integration-AlienVaultOTX.yml @@ -461,4 +461,4 @@ script: runonce: false fromversion: 3.0.1 tests: - - AlienVaultOTX Test + - No tests diff --git a/Packs/DeprecatedContent/Integrations/integration-Shodan.yml b/Packs/DeprecatedContent/Integrations/integration-Shodan.yml index 15038b0b0377..49221175a08c 100644 --- a/Packs/DeprecatedContent/Integrations/integration-Shodan.yml +++ b/Packs/DeprecatedContent/Integrations/integration-Shodan.yml @@ -142,4 +142,4 @@ script: description: Returns all services that have been found on the given host IP. runonce: false tests: - - ShodanTest + - No tests diff --git a/Packs/DeprecatedContent/Playbooks/playbook-Account_Enrichment_-_Generic_v2.yml b/Packs/DeprecatedContent/Playbooks/playbook-Account_Enrichment_-_Generic_v2.yml index a1a7672c023f..0f2a88616805 100644 --- a/Packs/DeprecatedContent/Playbooks/playbook-Account_Enrichment_-_Generic_v2.yml +++ b/Packs/DeprecatedContent/Playbooks/playbook-Account_Enrichment_-_Generic_v2.yml @@ -238,4 +238,4 @@ outputs: description: The account's manager. type: string tests: - - Account Enrichment - Generic v2 - Test + - No tests diff --git a/Packs/DeprecatedContent/Playbooks/playbook-DBotCreatePhishingClassifier.yml b/Packs/DeprecatedContent/Playbooks/playbook-DBotCreatePhishingClassifier.yml index 4ad4042a7447..d28806cfef44 100644 --- a/Packs/DeprecatedContent/Playbooks/playbook-DBotCreatePhishingClassifier.yml +++ b/Packs/DeprecatedContent/Playbooks/playbook-DBotCreatePhishingClassifier.yml @@ -361,4 +361,4 @@ outputs: description: Model list name in Demisto fromversion: 4.1.0 tests: - - CreatePhishingClassifierMLTest \ No newline at end of file + - No tests diff --git a/Packs/DeprecatedContent/Playbooks/playbook-DBotCreatePhishingClassifierJob.yml b/Packs/DeprecatedContent/Playbooks/playbook-DBotCreatePhishingClassifierJob.yml index 52a9131c2d98..eb229c324f18 100644 
--- a/Packs/DeprecatedContent/Playbooks/playbook-DBotCreatePhishingClassifierJob.yml +++ b/Packs/DeprecatedContent/Playbooks/playbook-DBotCreatePhishingClassifierJob.yml @@ -185,4 +185,4 @@ inputs: [] outputs: [] fromversion: 4.1.0 tests: - - CreatePhishingClassifierMLTest \ No newline at end of file + - No tests diff --git a/Packs/DeprecatedContent/Playbooks/playbook-DeDup_incidents.yml b/Packs/DeprecatedContent/Playbooks/playbook-DeDup_incidents.yml index 91a9a5527ec9..a70d9e7cd3bf 100644 --- a/Packs/DeprecatedContent/Playbooks/playbook-DeDup_incidents.yml +++ b/Packs/DeprecatedContent/Playbooks/playbook-DeDup_incidents.yml @@ -196,4 +196,4 @@ outputs: - contextPath: isSimilarIncidentFound description: Is similar incident found? (true\false) tests: - - test_similar_incidents + - No tests diff --git a/Packs/DeprecatedContent/Playbooks/playbook-Dedup_-_Generic.yml b/Packs/DeprecatedContent/Playbooks/playbook-Dedup_-_Generic.yml index 088f4d379cb5..bb22e40a710d 100644 --- a/Packs/DeprecatedContent/Playbooks/playbook-Dedup_-_Generic.yml +++ b/Packs/DeprecatedContent/Playbooks/playbook-Dedup_-_Generic.yml @@ -381,4 +381,4 @@ outputs: description: The similar incident. type: unknown tests: - - dedup_-_generic_-_test + - No tests diff --git a/Packs/DeprecatedContent/Playbooks/playbook-Email_Address_Enrichment_-_Generic_v2.yml b/Packs/DeprecatedContent/Playbooks/playbook-Email_Address_Enrichment_-_Generic_v2.yml index f5f0fa568a29..d1263dba2e85 100644 --- a/Packs/DeprecatedContent/Playbooks/playbook-Email_Address_Enrichment_-_Generic_v2.yml +++ b/Packs/DeprecatedContent/Playbooks/playbook-Email_Address_Enrichment_-_Generic_v2.yml @@ -622,4 +622,4 @@ outputs: description: The DBot score. type: number tests: - - Email Address Enrichment - Generic v2 - Test + - No tests 
diff --git a/Packs/DeprecatedContent/Playbooks/playbook-PANW_-_Hunting_and_threat_detection_by_indicator_type.yml b/Packs/DeprecatedContent/Playbooks/playbook-PANW_-_Hunting_and_threat_detection_by_indicator_type.yml index 801122d458ef..31df28bfe808 100644 --- a/Packs/DeprecatedContent/Playbooks/playbook-PANW_-_Hunting_and_threat_detection_by_indicator_type.yml +++ b/Packs/DeprecatedContent/Playbooks/playbook-PANW_-_Hunting_and_threat_detection_by_indicator_type.yml @@ -1536,7 +1536,7 @@ tasks: type: condition task: id: 7c07c4aa-f0d0-4b3f-8066-06638dc7dd4d - description: Is Cortex Data Lake enabled? + description: Is Cortex Data Lake enabled? version: -1 name: Is Cortex Data Lake enabled? type: condition @@ -3479,4 +3479,4 @@ outputs: type: string tests: -- PANW - Hunting and threat detection by indicator type Test +- No tests diff --git a/Packs/DeprecatedContent/ReleaseNotes/1_3_0.md b/Packs/DeprecatedContent/ReleaseNotes/1_3_0.md new file mode 100644 index 000000000000..33cd9e03bef1 --- /dev/null +++ b/Packs/DeprecatedContent/ReleaseNotes/1_3_0.md @@ -0,0 +1,32 @@ + diff --git a/Packs/DeprecatedContent/Scripts/DBotPredictPhishingLabel/DBotPredictPhishingLabel.yml b/Packs/DeprecatedContent/Scripts/DBotPredictPhishingLabel/DBotPredictPhishingLabel.yml index 493b92bcd1f8..1eadbe2702af 100644 --- a/Packs/DeprecatedContent/Scripts/DBotPredictPhishingLabel/DBotPredictPhishingLabel.yml +++ b/Packs/DeprecatedContent/Scripts/DBotPredictPhishingLabel/DBotPredictPhishingLabel.yml @@ -60,5 +60,5 @@ deprecated: true dockerimage: demisto/dl:1.1 runonce: false tests: -- CreatePhishingClassifierMLTest +- No tests fromversion: 4.1.0 diff --git a/Packs/DeprecatedContent/Scripts/ProofpointDecodeURL/ProofpointDecodeURL.yml b/Packs/DeprecatedContent/Scripts/ProofpointDecodeURL/ProofpointDecodeURL.yml index 31cb7f28e1d6..25d79290404f 100644 --- a/Packs/DeprecatedContent/Scripts/ProofpointDecodeURL/ProofpointDecodeURL.yml 
+++ b/Packs/DeprecatedContent/Scripts/ProofpointDecodeURL/ProofpointDecodeURL.yml @@ -18,5 +18,5 @@ outputs: description: Decoded URLs scripttarget: 0 tests: - - ProofpointDecodeURL-Test + - No tests deprecated: true diff --git a/Packs/DeprecatedContent/Scripts/script-BlockIP.yml b/Packs/DeprecatedContent/Scripts/script-BlockIP.yml index 76e8657251e8..7e6704d1deec 100644 --- a/Packs/DeprecatedContent/Scripts/script-BlockIP.yml +++ b/Packs/DeprecatedContent/Scripts/script-BlockIP.yml @@ -66,4 +66,4 @@ dependson: - panorama - checkpoint tests: -- blockip_test_playbook +- No tests diff --git a/Packs/DeprecatedContent/Scripts/script-CPBlockIP.yml b/Packs/DeprecatedContent/Scripts/script-CPBlockIP.yml index 632891d2baf9..bdb51059cc74 100644 --- a/Packs/DeprecatedContent/Scripts/script-CPBlockIP.yml +++ b/Packs/DeprecatedContent/Scripts/script-CPBlockIP.yml @@ -104,4 +104,4 @@ dependson: must: - checkpoint tests: -- blockip_test_playbook \ No newline at end of file +- No tests diff --git a/Packs/DeprecatedContent/Scripts/script-DBotPredictPhishingEvaluation.yml b/Packs/DeprecatedContent/Scripts/script-DBotPredictPhishingEvaluation.yml index d285ee817e69..b68d7e4eb1fb 100644 --- a/Packs/DeprecatedContent/Scripts/script-DBotPredictPhishingEvaluation.yml +++ b/Packs/DeprecatedContent/Scripts/script-DBotPredictPhishingEvaluation.yml @@ -163,4 +163,4 @@ dockerimage: demisto/dl:1.1 deprecated: true fromversion: 4.1.0 tests: - - CreatePhishingClassifierMLTest + - No tests diff --git a/Packs/DeprecatedContent/Scripts/script-DBotPredictTextLabel.yml b/Packs/DeprecatedContent/Scripts/script-DBotPredictTextLabel.yml index 80a3b48c830c..49887e089ebe 100644 --- a/Packs/DeprecatedContent/Scripts/script-DBotPredictTextLabel.yml +++ b/Packs/DeprecatedContent/Scripts/script-DBotPredictTextLabel.yml @@ -107,4 +107,4 @@ dockerimage: demisto/dl:1.1 deprecated: true fromversion: 4.1.0 tests: - - CreatePhishingClassifierMLTest + - No tests 
diff --git a/Packs/DeprecatedContent/Scripts/script-DBotPreparePhishingData.yml b/Packs/DeprecatedContent/Scripts/script-DBotPreparePhishingData.yml index 030ebf5126dd..009becc7ddbe 100644 --- a/Packs/DeprecatedContent/Scripts/script-DBotPreparePhishingData.yml +++ b/Packs/DeprecatedContent/Scripts/script-DBotPreparePhishingData.yml @@ -222,4 +222,4 @@ dockerimage: demisto/dl:1.1 deprecated: true fromversion: 4.1.0 tests: - - CreatePhishingClassifierMLTest + - No tests diff --git a/Packs/DeprecatedContent/Scripts/script-DBotTrainTextClassifier.yml b/Packs/DeprecatedContent/Scripts/script-DBotTrainTextClassifier.yml index 9eb29956af35..5057dce8d3b4 100644 --- a/Packs/DeprecatedContent/Scripts/script-DBotTrainTextClassifier.yml +++ b/Packs/DeprecatedContent/Scripts/script-DBotTrainTextClassifier.yml @@ -118,4 +118,4 @@ dockerimage: demisto/dl:1.1 deprecated: true fromversion: 4.1.0 tests: - - CreatePhishingClassifierMLTest \ No newline at end of file + - No tests diff --git a/Packs/DeprecatedContent/Scripts/script-PanoramaBlockIP.yml b/Packs/DeprecatedContent/Scripts/script-PanoramaBlockIP.yml index e95f99e5f328..5b33afc4a140 100644 --- a/Packs/DeprecatedContent/Scripts/script-PanoramaBlockIP.yml +++ b/Packs/DeprecatedContent/Scripts/script-PanoramaBlockIP.yml @@ -91,5 +91,4 @@ dependson: must: - panorama tests: -- palo_alto_firewall_test_pb -- blockip_test_playbook \ No newline at end of file +- No tests diff --git a/Packs/DeprecatedContent/pack_metadata.json b/Packs/DeprecatedContent/pack_metadata.json index afd3604e0c22..d80edbb28466 100644 --- a/Packs/DeprecatedContent/pack_metadata.json +++ b/Packs/DeprecatedContent/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Deprecated Content", "description": "Deprecated Cortex XSOAR content pack.", "support": "xsoar", - "currentVersion": "1.2.0", + "currentVersion": "1.3.0", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", 
diff --git a/Packs/DuoAdminApi/Integrations/DuoAdminApi/DuoAdminApi.py b/Packs/DuoAdminApi/Integrations/DuoAdminApi/DuoAdminApi.py index 91de03df5f13..102bc39d4e8f 100644 --- a/Packs/DuoAdminApi/Integrations/DuoAdminApi/DuoAdminApi.py +++ b/Packs/DuoAdminApi/Integrations/DuoAdminApi/DuoAdminApi.py @@ -84,8 +84,12 @@ def create_api_call(): host=HOST, ca_certs='DISABLE' ) + try: + client._make_request = lambda method, uri, body, headers: override_make_request(client, method, uri, body, headers) - client._make_request = lambda method, uri, body, headers: override_make_request(client, method, uri, body, headers) + except Exception as e: + demisto.error("Error making request - failed to create client: {}".format(e)) + raise Exception return client @@ -103,6 +107,10 @@ def set_proxy(): except ValueError: admin_api.set_proxy(host=None, port=None, proxy_type=None) + except Exception as e: + demisto.error('Error setting proxy: {}'.format(e)) + raise Exception + def get_host_port_from_proxy_settings(proxy_settings): proxy_settings_str = str(proxy_settings) @@ -355,5 +363,6 @@ def delete_u2f_token(token_id): delete_u2f_token(demisto.getArg('token_id')) except Exception as e: + demisto.error("Duo Admin failed on: {} on this command {}".format(e, demisto.command)) return_error(e.message) sys.exit(0) diff --git a/Packs/DuoAdminApi/Integrations/DuoAdminApi/DuoAdminApi.yml b/Packs/DuoAdminApi/Integrations/DuoAdminApi/DuoAdminApi.yml index f82310d08485..93ac063c9469 100644 --- a/Packs/DuoAdminApi/Integrations/DuoAdminApi/DuoAdminApi.yml +++ b/Packs/DuoAdminApi/Integrations/DuoAdminApi/DuoAdminApi.yml @@ -25,7 +25,7 @@ configuration: type: 8 description: |- DUO for admins. - Must have access to the admin api in order to use this + Must have access to the admin api in order to use this. display: DUO Admin name: DUO Admin script: 
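Review bot: `raise Exception` in the new except branch of create_api_call discards the caught error, so the module-level handler further down that calls `return_error(e.message)` will report an empty message; a bare `raise` (or `raise Exception(str(e))`) keeps the cause. The try body only assigns a lambda to `client._make_request`, which cannot fail on its own — if the intent is to catch errors from the `duo_client.Admin(...)` construction a few lines above (outside this hunk), that call should be inside the try instead. The same `raise Exception` pattern is introduced in the set_proxy hunk and has the same effect. create_api_call begins above the hunk.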
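Review bot: `demisto.command` in the new `demisto.error(...)` call is never invoked, so the log line will contain the bound method's repr rather than the command name; it should read `demisto.error("Duo Admin failed on: {} on this command {}".format(e, demisto.command()))`. The enclosing try/except is the module-level dispatcher and starts outside the hunk. Note that `e.message` on the following line exists only on Python 2 exceptions, which presumably matches the demisto/duoadmin image this integration runs on, but it would break if the image is ever moved to Python 3.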
@@ -232,7 +232,7 @@ script: description: Associates a device to a user execution: false name: duoadmin-associate-device-to-user - dockerimage: demisto/duoadmin:1.0.0.147 + dockerimage: demisto/duoadmin:1.0.0.8854 isfetch: false longRunning: false longRunningPort: false diff --git a/Packs/DuoAdminApi/ReleaseNotes/2_0_0.md b/Packs/DuoAdminApi/ReleaseNotes/2_0_0.md new file mode 100644 index 000000000000..71a55c2d8003 --- /dev/null +++ b/Packs/DuoAdminApi/ReleaseNotes/2_0_0.md @@ -0,0 +1,4 @@ + +#### Integrations +##### DUO Admin +- Test diff --git a/Packs/DuoAdminApi/pack_metadata.json b/Packs/DuoAdminApi/pack_metadata.json index f0fba2cd3360..523abd40b0dc 100644 --- a/Packs/DuoAdminApi/pack_metadata.json +++ b/Packs/DuoAdminApi/pack_metadata.json @@ -1,16 +1,16 @@ { - "name": "DUO Admin", - "description": "DUO for admins.\nMust have access to the admin api in order to use this", - "support": "xsoar", - "currentVersion": "1.0.0", - "author": "Cortex XSOAR", - "url": "https://www.paloaltonetworks.com/cortex", - "email": "", - "created": "2020-04-14T00:00:00Z", - "categories": [ - "Authentication" - ], - "tags": [], - "useCases": [], - "keywords": [] -} + "name": "DUO Admin", + "description": "DUO for admins.\nMust have access to the admin api in order to use this", + "support": "xsoar", + "currentVersion": "2.0.0", + "author": "Cortex XSOAR", + "url": "https://www.paloaltonetworks.com/cortex", + "email": "", + "created": "2020-04-14T00:00:00Z", + "categories": [ + "Authentication" + ], + "tags": [], + "useCases": [], + "keywords": [] +} \ No newline at end of file diff --git a/Packs/EDL/Integrations/EDL/README.md b/Packs/EDL/Integrations/EDL/README.md index 37d8f35a51a2..486c2159559d 100644 --- a/Packs/EDL/Integrations/EDL/README.md +++ b/Packs/EDL/Integrations/EDL/README.md 
@@ -35,7 +35,7 @@ To access the EDL service by instance name, make sure ***Instance execute extern 1. In Cortex XSOAR, go to **Settings > About > Troubleshooting**. 2. In the **Server Configuration** section, verify that the ***instance.execute.external*** key is set to *true*. If this key does not exist, click **+ Add Server Configuration** and add the *instance.execute.external* and set the value to *true*. See [this documentation](https://xsoar.pan.dev/docs/integrations/long-running#invoking-http-integrations-via-cortex-xsoar-servers-route-handling) for further information. -3. In a web browser, go to **https://**/instance/execute/**** . +3. In a web browser, go to `https:///instance/execute/` . ## Commands You can execute these commands from the Cortex XSOAR CLI as part of an automation, or in a playbook. diff --git a/Packs/EWS/Integrations/EWSO365/EWSO365.yml b/Packs/EWS/Integrations/EWSO365/EWSO365.yml index dc99373365a7..f525b3a40b31 100644 --- a/Packs/EWS/Integrations/EWSO365/EWSO365.yml +++ b/Packs/EWS/Integrations/EWSO365/EWSO365.yml @@ -71,7 +71,7 @@ configuration: name: self_deployed required: false type: 8 -description: Exchange Web Services and Office 365 (mail) +description: The new EWS O365 integration uses OAuth 2.0 protocol and can be used with Exchange Online and Office 365 (mail). display: EWS O365 name: EWSO365 script: diff --git a/Packs/EWS/Integrations/EWSO365/README.md b/Packs/EWS/Integrations/EWSO365/README.md index d9a5c5f446d1..eeb0e9d13326 100644 --- a/Packs/EWS/Integrations/EWSO365/README.md +++ b/Packs/EWS/Integrations/EWSO365/README.md 
@@ -19,12 +19,9 @@ The EWS integration can be used for the following use cases. * Search for an email message across mailboxes and folders. This can be achieved in the following ways: - 1. Use the `ews-search-mailboxes` command to search for all emails in a specific scope of mailboxes. - Use the filter argument to narrow the search for emails sent from a specific account and more. - 2. Use the `ews-search-mailbox` command to search for all emails in a specific folder within the target mailbox. + 1. Use the `ews-search-mailbox` command to search for all emails in a specific folder within the target mailbox. Use the query argument to narrow the search for emails sent from a specific account and more. - * Both of these commands retrieve the _ItemID_ field for each email item listed in the results. The `ItemID` can be used in the `ews-get-items` command in order to get more information about the email item itself. - * For instance, use the `ews-search-mailboxes` command to hunt for emails that were marked as malicious in prior investigations, across organization mailboxes. Focus your hunt on emails sent from a specific mail account, emails with a specific subject and more. + * This command retrieve the _ItemID_ field for each email item listed in the results. The `ItemID` can be used in the `ews-get-items` command in order to get more information about the email item itself. * Get email attachment information. Use the `ews-get-attachment` command to retrieve information on one attachment or all attachments of a message at once. It supports both file attachments and item attachments (e.g., email messages). 
@@ -78,24 +75,24 @@ Pay special attention to the following fields in the instance settings: You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details. -1. [Get the attachments of an item: ews-get-attachment](#h_22ec0bbb-12b3-4f1c-9159-b1a4daa114c7) -2. [Delete the attachments of an item: ews-delete-attachment](#h_cae18768-1dd5-4cd1-b2c9-abfd0e7787f3) -3. [Get a list of searchable mailboxes: ews-get-searchable-mailboxes](#h_7bdec9fe-e3d9-4645-8da4-337ee3798a84) -5. [Move an item to a different folder: ews-move-item](#h_0661f657-850a-430a-8fe1-aacf7e3ce40b) -6. [Delete an item from a mailbox: ews-delete-items](#h_712791a3-5937-4641-8e02-1fd773ab3211) -7. [Search a single mailbox: ews-search-mailbox](#h_2b4fd205-165c-489f-b58c-3bb77a86acfc) -8. [Get the contacts for a mailbox: ews-get-contacts](#h_3b6dc53b-4c1a-4479-a529-0ff3300dc4f5) -9. [Get the out-of-office status for a mailbox: ews-get-out-of-office](#h_b592e5fe-af2a-4d3c-90aa-b933e69a7526) -10. [Recover soft-deleted messages: ews-recover-messages](#h_212102bb-4ad8-4bb8-9c05-1b1197e2a9c9) -11. [Create a folder: ews-create-folder](#h_4ab168b9-21e9-4ce1-b18c-56bc22c0e0bd) -12. [Mark an item as junk: ews-mark-item-as-junk](#h_01b093ea-bc1c-46a3-b694-8cd45effeaa0) -13. [Search for folders: ews-find-folders](#h_3f9e1f1e-e634-4f92-b2a2-cdca5ca662eb) -14. [Get items of a folder: ews-get-items-from-folder](#h_0035899d-fdd0-43b7-bf7b-11a38a2e575a) -15. [Get items: ews-get-items](#h_e8f449a2-aecf-4d65-8d04-a38c6d4bfe62) -16. [Move an item to a different mailbox: ews-move-item-between-mailboxes](#h_88c0edd5-09b0-42a1-a671-b36b73772898) -17. [Get a folder: ews-get-folder](#h_87ca72d4-d98a-462e-9829-c940321663c2) -18. [Expand a distribution list: ews-expand-group](#h_d91ca450-7004-4a19-a88d-840389b21556) -19. 
[Mark items as read: ews-mark-items-as-read](#h_e278dc88-b4b0-4330-b849-3069b770e5ba) +1. Get the attachments of an item: ews-get-attachment +2. Delete the attachments of an item: ews-delete-attachment +3. Get a list of searchable mailboxes: ews-get-searchable-mailboxes +5. Move an item to a different folder: ews-move-item +6. Delete an item from a mailbox: ews-delete-items +7. Search a single mailbox: ews-search-mailbox +8. Get the contacts for a mailbox: ews-get-contacts +9. Get the out-of-office status for a mailbox: ews-get-out-of-office +10. Recover soft-deleted messages: ews-recover-messages +11. Create a folder: ews-create-folder +12. Mark an item as junk: ews-mark-item-as-junk +13. Search for folders: ews-find-folders +14. Get items of a folder: ews-get-items-from-folder +15. Get items: ews-get-items +16. Move an item to a different mailbox: ews-move-item-between-mailboxes +17. Get a folder: ews-get-folder +18. Expand a distribution list: ews-expand-group +19. Mark items as read: ews-mark-items-as-read ### 1\. Get the attachments of an item diff --git a/Packs/EWS/ReleaseNotes/1_1_3.md b/Packs/EWS/ReleaseNotes/1_1_3.md new file mode 100644 index 000000000000..23e8ef8db72f --- /dev/null +++ b/Packs/EWS/ReleaseNotes/1_1_3.md @@ -0,0 +1,4 @@ + +#### Integrations +##### EWS O365 +Updated integration description. diff --git a/Packs/EWS/pack_metadata.json b/Packs/EWS/pack_metadata.json index 9335a270f266..94cc507d6688 100644 --- a/Packs/EWS/pack_metadata.json +++ b/Packs/EWS/pack_metadata.json @@ -2,7 +2,7 @@ "name": "EWS", "description": "Exchange Web Services and Office 365 (mail)", "support": "Cortex XSOAR", - "currentVersion": "1.1.2", + "currentVersion": "1.1.3", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/EclecticIQ/Integrations/EclecticIQ/README.md b/Packs/EclecticIQ/Integrations/EclecticIQ/README.md index b5041a1c8e87..55bde064c120 100644 
--- a/Packs/EclecticIQ/Integrations/EclecticIQ/README.md +++ b/Packs/EclecticIQ/Integrations/EclecticIQ/README.md @@ -1121,7 +1121,7 @@ Maliciousness confidence level -Domain.Name +Domain.Name String Domain name that was tested @@ -1198,7 +1198,7 @@
    Human Readable Output
    -

    EclecticIQ Domain reputation - gooc.om +

    EclecticIQ Domain reputation - gooc.om

    @@ -1217,7 +1217,7 @@ 74 unknown -gooc.om +gooc.om 2018-11-21T13:34:38.964435+00:00 2018-11-21T13:34:38.964435+00:00 diff --git a/Packs/FeedAWS/Integrations/FeedAWS/FeedAWS.yml b/Packs/FeedAWS/Integrations/FeedAWS/FeedAWS.yml index 27ee1f9b34f9..afebb9ddc1d3 100644 --- a/Packs/FeedAWS/Integrations/FeedAWS/FeedAWS.yml +++ b/Packs/FeedAWS/Integrations/FeedAWS/FeedAWS.yml @@ -94,6 +94,12 @@ configuration: name: feedFetchInterval required: false type: 19 +- additionalinfo: Supports CSV values. + display: Tags + hidden: false + name: feedTags + required: false + type: 0 - additionalinfo: When selected, the exclusion list is ignored for indicators from this feed. This means that if an indicator from this feed is on the exclusion list, the indicator might still be added to the system. @@ -127,7 +133,7 @@ script: description: Fetches indicators from the feed. execution: false name: aws-get-indicators - dockerimage: demisto/jmespath:1.0.0.6980 + dockerimage: demisto/jmespath:1.0.0.8854 feed: true isfetch: false longRunning: false @@ -138,4 +144,4 @@ script: type: python fromversion: 5.5.0 defaultClassifier: AWS Feed -defaultMapperIn: AWS Feed-mapper \ No newline at end of file +defaultMapperIn: AWS Feed-mapper diff --git a/Packs/FeedAWS/ReleaseNotes/1_0_2.md b/Packs/FeedAWS/ReleaseNotes/1_0_2.md new file mode 100644 index 000000000000..ea6e349ea4b8 --- /dev/null +++ b/Packs/FeedAWS/ReleaseNotes/1_0_2.md @@ -0,0 +1,4 @@ + +#### Integrations +##### AWS Feed +- Added the *Tags* parameter. diff --git a/Packs/FeedAWS/pack_metadata.json b/Packs/FeedAWS/pack_metadata.json index a79ec81d80b2..61ddb396bc84 100644 --- a/Packs/FeedAWS/pack_metadata.json +++ b/Packs/FeedAWS/pack_metadata.json @@ -2,7 +2,7 @@ "name": "AWS Feed", "description": "Indicators feed from AWS", "support": "xsoar", - "currentVersion": "1.0.1", + "currentVersion": "1.0.2", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", 
diff --git a/Packs/FeedAlienVault/Integrations/FeedAlienVaultOTXTaxii/FeedAlienVaultOTXTaxii.py b/Packs/FeedAlienVault/Integrations/FeedAlienVaultOTXTaxii/FeedAlienVaultOTXTaxii.py index 82e112fe3324..3b1a5ad5795a 100644 --- a/Packs/FeedAlienVault/Integrations/FeedAlienVaultOTXTaxii/FeedAlienVaultOTXTaxii.py +++ b/Packs/FeedAlienVault/Integrations/FeedAlienVaultOTXTaxii/FeedAlienVaultOTXTaxii.py @@ -463,7 +463,7 @@ class Client(): all_collections(bool): Whether to run on all active collections. """ def __init__(self, api_key: str, collection: str, insecure: bool = False, proxy: bool = False, - all_collections: bool = False): + all_collections: bool = False, tags: list = []): taxii_client = cabby.create_client(discovery_path="https://otx.alienvault.com/taxii/discovery") taxii_client.set_auth(username=str(api_key), password="foo", verify_ssl=not insecure) @@ -471,6 +471,7 @@ def __init__(self, api_key: str, collection: str, insecure: bool = False, proxy: taxii_client.set_proxies(handle_proxy()) self.taxii_client = taxii_client + self.tags = tags self.all_collections = all_collections if all_collections: 
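Review bot: `tags: list = []` on the new Client.__init__ parameter is a mutable default argument; the same list object is shared by every Client constructed without tags and is then stored as `self.tags`, so any later mutation leaks across instances. Use `tags: Optional[list] = None` in the signature (importing Optional alongside the typing names the file already uses) and `self.tags = tags or []` where it is stored. Client.__init__ continues past the end of the hunk.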
@@ -570,17 +571,17 @@ def get_indicators_command(client: Client, args: Dict): limit = int(args.get('limit', 50)) indicator_list = fetch_indicators_command(client, limit) - human_readable = tableToMarkdown("Indicators from AlienVault OTX TAXII:", indicator_list, - headers=['value', 'type'], removeNull=True) + human_readable = tableToMarkdown("Indicators from AlienVault OTX TAXII:", indicator_list, removeNull=True) return human_readable, {}, indicator_list -def parse_indicators(sub_indicator_list, full_indicator_list): +def parse_indicators(sub_indicator_list, full_indicator_list, tags): """Gets a decoded indicator list and returns a parsed version of the indicator with accordance with Demisto's Feed indicator standards. Args: + tags(list): The tags to add to the indicator. sub_indicator_list(list): A list of STIXDecoded indicators full_indicator_list(list): A list of all the indicators fetched to this point - used to prevent duplications. @@ -595,7 +596,8 @@ def parse_indicators(sub_indicator_list, full_indicator_list): indicator['value'] = indicator['indicator'] indicator['fields'] = { - "description": indicator["stix_package_short_description"] + "description": indicator["stix_package_short_description"], + "tags": tags } temp_copy = indicator.copy() @@ -637,7 +639,7 @@ def fetch_indicators_command(client: Client, limit=None): # the only_indicator_list is a list containing only the indicators themselves. # it is used to prevent duplicated indicators from being created in the system. # this is because AlienVault OTX can return the same indicator several times from the same collection. - parsed_list, only_indicator_list = parse_indicators(res, only_indicator_list) + parsed_list, only_indicator_list = parse_indicators(res, only_indicator_list, client.tags) indicator_list.extend(parsed_list) if limit is not None and limit <= len(indicator_list): indicator_list = indicator_list[:limit] 
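Review bot: `parse_indicators` gained a third parameter `tags` with no default, so it is now positional-required; the only visible caller passes `client.tags`, but `tags=None` plus `tags = tags or []` at the top keeps the previous two-argument call working. Every indicator's `fields['tags']` — and the shallow `indicator.copy()` that becomes `rawJSON` — references the same list object, so if anything downstream appends to one indicator's tags the change shows up on all of them; `"tags": list(tags)` is the safer form. The docstring lists `tags` before the two existing arguments; reorder it to match the signature. Dropping `headers=['value', 'type']` in get_indicators_command means the markdown table now includes every key, including `fields` and `rawJSON`, which may make the war-room output noisy.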
@@ -648,9 +650,9 @@ def fetch_indicators_command(client: Client, limit=None): def main(): params = demisto.params() - + tags = argToList(params.get('feedTags')) client = Client(params.get('api_key'), params.get('collections'), params.get('insecure'), params.get('proxy'), - params.get('all_collections')) + params.get('all_collections'), tags=tags) command = demisto.command() demisto.info(f'Command being called is {command}') diff --git a/Packs/FeedAlienVault/Integrations/FeedAlienVaultOTXTaxii/FeedAlienVaultOTXTaxii.yml b/Packs/FeedAlienVault/Integrations/FeedAlienVaultOTXTaxii/FeedAlienVaultOTXTaxii.yml index 7def2680ceab..daff32b41b1c 100644 --- a/Packs/FeedAlienVault/Integrations/FeedAlienVaultOTXTaxii/FeedAlienVaultOTXTaxii.yml +++ b/Packs/FeedAlienVault/Integrations/FeedAlienVaultOTXTaxii/FeedAlienVaultOTXTaxii.yml @@ -3,7 +3,7 @@ commonfields: id: AlienVault OTX TAXII Feed version: -1 configuration: -- defaultvalue: true +- defaultvalue: 'true' display: Fetch indicators name: feed required: false @@ -35,6 +35,7 @@ configuration: type: 15 - defaultvalue: indicatorType name: feedExpirationPolicy + display: '' options: - never - interval @@ -42,17 +43,22 @@ configuration: - suddenDeath required: false type: 17 - display: "" - defaultvalue: '20160' + display: '' name: feedExpirationInterval required: false type: 1 - display: "" - defaultvalue: '240' display: Feed Fetch Interval name: feedFetchInterval required: false type: 19 +- additionalinfo: Supports CSV values. + display: Tags + hidden: false + name: feedTags + required: false + type: 0 - additionalinfo: When selected, the exclusion list is ignored for indicators from this feed. This means that if an indicator from this feed is on the exclusion list, the indicator might still be added to the system. 
@@ -60,19 +66,21 @@ configuration: name: feedBypassExclusionList required: false type: 8 - defaultvalue: "" - display: API Key hidden: false name: api_key required: true type: 4 -- additionalinfo: 'When selected, will run on all active collections regardless of the supplied collections. Inactive or empty collections will be ignored.' +- additionalinfo: When selected, will run on all active collections regardless of + the supplied collections. Inactive or empty collections will be ignored. display: Get All Active Collections hidden: false name: all_collections required: false type: 8 -- additionalinfo: 'Supports a CSV of collections to fetch from. If an inactive or empty collection is supplied, n error will be raised. If not set, will raise an error listing all the available collections.' +- additionalinfo: Supports a CSV of collections to fetch from. If an inactive or empty + collection is supplied, an error will be raised. If not set, it will raise an error + listing all the available collections. display: Collections to Fetch From hidden: false name: collections @@ -86,7 +94,8 @@ configuration: name: proxy required: false type: 8 -description: This integration fetches indicators from AlienVault OTX using a TAXII client. +description: This integration fetches indicators from AlienVault OTX using a TAXII + client. display: AlienVault OTX TAXII Feed name: AlienVault OTX TAXII Feed script: @@ -94,7 +103,8 @@ script: - arguments: - default: false defaultValue: '10' - description: The maximum number of indicators to return. The default value is 10. + description: The maximum number of indicators to return. The default value is + 10. isArray: false name: limit required: true @@ -103,7 +113,7 @@ script: description: Gets the indicators from AlienVault OTX. execution: false name: alienvaultotx-get-indicators - dockerimage: demisto/taxii:1.0.0.6243 + dockerimage: demisto/taxii:1.0.0.9263 feed: true isfetch: false longRunning: false 
diff --git a/Packs/FeedAlienVault/Integrations/FeedAlienVaultOTXTaxii/FeedAlienVaultOTXTaxii_test.py b/Packs/FeedAlienVault/Integrations/FeedAlienVaultOTXTaxii/FeedAlienVaultOTXTaxii_test.py index 37f12db6c228..be1ae296f2a9 100644 --- a/Packs/FeedAlienVault/Integrations/FeedAlienVaultOTXTaxii/FeedAlienVaultOTXTaxii_test.py +++ b/Packs/FeedAlienVault/Integrations/FeedAlienVaultOTXTaxii/FeedAlienVaultOTXTaxii_test.py 
@@ -54,58 +54,59 @@ 'stix_package_short_description': 'https://otx.alienvault.com/pulse/111', 'stix_package_information_source': 'Alienvault OTX', 'value': 'http://demsito.demisto.com/', - 'fields': {'description': 'https://otx.alienvault.com/pulse/111'}, + 'fields': {'description': 'https://otx.alienvault.com/pulse/111', 'tags': ['tag1', 'tag2']}, 'rawJSON': {'indicator': 'http://demsito.demisto.com/', 'type': 'URL', 'stix_title': 'URL - http://demsito.demisto.com/', 'stix_package_title': 'demisto', 'stix_package_description': '', 'stix_package_short_description': 'https://otx.alienvault.com/pulse/111', 'stix_package_information_source': 'Alienvault OTX', 'value': 'http://demsito.demisto.com/', - 'fields': {'description': 'https://otx.alienvault.com/pulse/111'}}}, + 'fields': {'description': 'https://otx.alienvault.com/pulse/111', 'tags': ['tag1', 'tag2']}}}, {'htype': 'md5', 'type': 'File', 'stix_title': 'FileHash-MD5 - 39eb39ad9fad2710be03c18de6985c20', 'stix_package_title': 'demisto', 'stix_package_description': '', 'stix_package_short_description': 'https://otx.alienvault.com/pulse/1111', 'stix_package_information_source': 'Alienvault OTX', 'value': '39eb39ad9fad2710be03c18de6985c20', - 'fields': {'description': 'https://otx.alienvault.com/pulse/1111'}, + 'fields': {'description': 'https://otx.alienvault.com/pulse/1111', 'tags': ['tag1', 'tag2']}, 'rawJSON': {'indicator': '39eb39ad9fad2710be03c18de6985c20', 'htype': 'md5', 'type': 'File', 'stix_title': 'FileHash-MD5 - 39eb39ad9fad2710be03c18de6985c20', 'stix_package_title': 'demisto', 'stix_package_description': '', 'stix_package_short_description': 'https://otx.alienvault.com/pulse/1111', 'stix_package_information_source': 'Alienvault OTX', 'value': '39eb39ad9fad2710be03c18de6985c20', - 'fields': {'description': 'https://otx.alienvault.com/pulse/1111'}}}, + 'fields': {'description': 'https://otx.alienvault.com/pulse/1111', 'tags': ['tag1', 'tag2']}}}, {'type': 'Domain', 'stix_title': 'hostname - demisto.com', 
'stix_package_title': 'demisto', 'stix_package_description': '', 'stix_package_short_description': 'https://otx.alienvault.com/pulse/1111', 'stix_package_information_source': 'Alienvault OTX', 'value': 'demisto.com', - 'fields': {'description': 'https://otx.alienvault.com/pulse/1111'}, + 'fields': {'description': 'https://otx.alienvault.com/pulse/1111', 'tags': ['tag1', 'tag2']}, 'rawJSON': {'indicator': 'demisto.com', 'type': 'Domain', 'stix_title': 'hostname - demisto.com', 'stix_package_title': 'demisto', 'stix_package_description': '', 'stix_package_short_description': 'https://otx.alienvault.com/pulse/1111', 'stix_package_information_source': 'Alienvault OTX', - 'value': 'demisto.com', 'fields': {'description': 'https://otx.alienvault.com/pulse/1111'}}}, + 'value': 'demisto.com', 'fields': {'description': 'https://otx.alienvault.com/pulse/1111', + 'tags': ['tag1', 'tag2']}}}, {'type': 'IP', 'stix_title': 'IP - 1.2.3.4', 'stix_package_title': 'demisto', 'stix_package_description': '', 'stix_package_short_description': 'https://otx.alienvault.com/pulse/1111', 'stix_package_information_source': 'Alienvault OTX', 'value': '1.2.3.4', - 'fields': {'description': 'https://otx.alienvault.com/pulse/1111'}, + 'fields': {'description': 'https://otx.alienvault.com/pulse/1111', 'tags': ['tag1', 'tag2']}, 'rawJSON': {'indicator': '1.2.3.4', 'type': 'IP', 'stix_title': 'IP - 1.2.3.4', 'stix_package_title': 'demisto', 'stix_package_description': '', 'stix_package_short_description': 'https://otx.alienvault.com/pulse/1111', 'stix_package_information_source': 'Alienvault OTX', 'value': '1.2.3.4', - 'fields': {'description': 'https://otx.alienvault.com/pulse/1111'}}}, + 'fields': {'description': 'https://otx.alienvault.com/pulse/1111', 'tags': ['tag1', 'tag2']}}}, {'type': 'CIDR', 'stix_title': 'CIDR - 1.2.3.4/24', 'stix_package_title': 'demisto', 'stix_package_description': '', 'stix_package_short_description': 'https://otx.alienvault.com/pulse/1111', 
'stix_package_information_source': 'Alienvault OTX', 'value': '1.2.3.4/24', - 'fields': {'description': 'https://otx.alienvault.com/pulse/1111'}, + 'fields': {'description': 'https://otx.alienvault.com/pulse/1111', 'tags': ['tag1', 'tag2']}, 'rawJSON': {'indicator': '1.2.3.4/24', 'type': 'CIDR', 'stix_title': 'CIDR - 1.2.3.4/24', 'stix_package_title': 'demisto', 'stix_package_description': '', 'stix_package_short_description': 'https://otx.alienvault.com/pulse/1111', 'stix_package_information_source': 'Alienvault OTX', 'value': '1.2.3.4/24', - 'fields': {'description': 'https://otx.alienvault.com/pulse/1111'}}}] + 'fields': {'description': 'https://otx.alienvault.com/pulse/1111', 'tags': ['tag1', 'tag2']}}}] RESULT_ONLY_INDICATORS_LIST = ['http://demsito.demisto.com/', '39eb39ad9fad2710be03c18de6985c20', 'demisto.com', '1.2.3.4', '1.2.3.4/24'] def test_parse_inndicators(): - parsed_list, only_indicator_list = parse_indicators(TEST_DATA, []) + parsed_list, only_indicator_list = parse_indicators(TEST_DATA, [], tags=['tag1', 'tag2']) assert parsed_list == RESULT_PARSED_INDICATORS assert only_indicator_list == RESULT_ONLY_INDICATORS_LIST diff --git a/Packs/FeedAlienVault/ReleaseNotes/1_0_1.md b/Packs/FeedAlienVault/ReleaseNotes/1_0_1.md new file mode 100644 index 000000000000..8d99c28ff5a6 --- /dev/null +++ b/Packs/FeedAlienVault/ReleaseNotes/1_0_1.md @@ -0,0 +1,4 @@ + +#### Integrations +##### AlienVault OTX TAXII Feed +- Added the *Tags* parameter. diff --git a/Packs/FeedAlienVault/TestPlaybooks/playbook-AlienVaultReputationFeed_Test.yml b/Packs/FeedAlienVault/TestPlaybooks/playbook-AlienVaultReputationFeed_Test.yml index 962645995bb9..cc1840718d3c 100644 --- a/Packs/FeedAlienVault/TestPlaybooks/playbook-AlienVaultReputationFeed_Test.yml +++ b/Packs/FeedAlienVault/TestPlaybooks/playbook-AlienVaultReputationFeed_Test.yml 
@@ -1,16 +1,15 @@ -elasticcommonfields: {} id: AlienVaultReputationFeed_Test version: -1 +vcShouldKeepItemLegacyProdMachine: false name: AlienVaultReputationFeed_Test starttaskid: "0" tasks: "0": id: "0" - taskid: 10dd718c-c314-423e-89ca-c0fca06a2e93 + taskid: def8b814-3f4f-4dd3-88bd-7f212513388b type: start task: - elasticcommonfields: {} - id: 10dd718c-c314-423e-89ca-c0fca06a2e93 + id: def8b814-3f4f-4dd3-88bd-7f212513388b version: -1 name: "" iscommand: false @@ -33,11 +32,10 @@ tasks: quietmode: 0 "1": id: "1" - taskid: 4a51a852-0721-46ae-84f8-716a34f88a45 + taskid: 4eddbd7e-e8d6-4c13-8e22-014eb2c05698 type: regular task: - elasticcommonfields: {} - id: 4a51a852-0721-46ae-84f8-716a34f88a45 + id: 4eddbd7e-e8d6-4c13-8e22-014eb2c05698 version: -1 name: Get Indicators description: Gets the feed indicators. @@ -49,12 +47,11 @@ tasks: '#none#': - "5" scriptarguments: - extend-context: - simple: AlienVaultFeed.value=value::AlienVaultFeed.type=type indicator_type: simple: IP limit: - simple: "10" + simple: "1" + reputationcalc: 2 separatecontext: false view: |- { @@ -70,11 +67,10 @@ tasks: quietmode: 0 "3": id: "3" - taskid: ef01415d-6ac6-4e16-8ab8-4e413645d416 + taskid: 9a8c841c-b3b4-4fd7-844d-4feb2a9cbbd6 type: title task: - elasticcommonfields: {} - id: ef01415d-6ac6-4e16-8ab8-4e413645d416 + id: 9a8c841c-b3b4-4fd7-844d-4feb2a9cbbd6 version: -1 name: Done description: Done @@ -96,11 +92,10 @@ tasks: quietmode: 0 "4": id: "4" - taskid: 6e57e6a8-83a8-48f1-8136-19044c339538 + taskid: f350f97f-d796-4813-85d7-ef642242d124 type: regular task: - elasticcommonfields: {} - id: 6e57e6a8-83a8-48f1-8136-19044c339538 + id: f350f97f-d796-4813-85d7-ef642242d124 version: -1 name: Delete Context description: Delete field from context. 
@@ -133,13 +128,12 @@ tasks: quietmode: 0 "5": id: "5" - taskid: e3ef64ee-d2da-42b7-820a-15805a5519a0 + taskid: 4e6003ba-28b9-4ea8-8208-9fb2c9694133 type: condition task: - elasticcommonfields: {} - id: e3ef64ee-d2da-42b7-820a-15805a5519a0 + id: 4e6003ba-28b9-4ea8-8208-9fb2c9694133 version: -1 - name: Assert Output + name: Assert Outputs type: condition iscommand: false brand: "" @@ -150,15 +144,11 @@ tasks: conditions: - label: "yes" condition: - - - operator: isExists + - - operator: isNotEmpty left: value: - simple: AlienVaultFeed.type - iscontext: true - - - operator: isExists - left: - value: - simple: AlienVaultFeed.value + complex: + root: ${IP} iscontext: true view: |- { @@ -187,4 +177,3 @@ view: |- inputs: [] outputs: [] sourceplaybookid: AlienVaultReputationFeed_Test -fromversion: 5.5.0 \ No newline at end of file diff --git a/Packs/FeedAlienVault/pack_metadata.json b/Packs/FeedAlienVault/pack_metadata.json index 8d1cd429f93a..8e359ed89fc3 100644 --- a/Packs/FeedAlienVault/pack_metadata.json +++ b/Packs/FeedAlienVault/pack_metadata.json @@ -1,19 +1,19 @@ { - "name": "AlienVault Feed", - "description": "Indicators feed from AlienVault", - "support": "xsoar", - "currentVersion": "1.0.0", - "author": "Cortex XSOAR", - "url": "https://www.paloaltonetworks.com/cortex", - "email": "", - "created": "2020-03-09T16:04:45Z", - "categories": [ - "Data Enrichment & Threat Intelligence" - ], - "tags": [], - "useCases": [], - "keywords": [ - "AlienVault", - "Feed" - ] + "name": "AlienVault Feed", + "description": "Indicators feed from AlienVault", + "support": "xsoar", + "currentVersion": "1.0.1", + "author": "Cortex XSOAR", + "url": "https://www.paloaltonetworks.com/cortex", + "email": "", + "created": "2020-03-09T16:04:45Z", + "categories": [ + "Data Enrichment & Threat Intelligence" + ], + "tags": [], + "useCases": [], + "keywords": [ + "AlienVault", + "Feed" + ] } \ No newline at end of file 
diff --git a/Packs/FeedBambenekConsulting/Integrations/FeedBambenekConsulting/FeedBambenekConsulting.yml b/Packs/FeedBambenekConsulting/Integrations/FeedBambenekConsulting/FeedBambenekConsulting.yml index 45cb112cdc9f..595cf3c563a0 100644 --- a/Packs/FeedBambenekConsulting/Integrations/FeedBambenekConsulting/FeedBambenekConsulting.yml +++ b/Packs/FeedBambenekConsulting/Integrations/FeedBambenekConsulting/FeedBambenekConsulting.yml @@ -43,6 +43,11 @@ configuration: - interval - indicatorType - suddenDeath +- additionalinfo: Supports CSV values. + display: Tags + name: feedTags + required: false + type: 0 - display: "" name: feedExpirationInterval required: false @@ -117,7 +122,7 @@ script: description: Gets the feed indicators. execution: false name: bambenek-get-indicators - dockerimage: demisto/python3:3.8.2.6981 + dockerimage: demisto/python3:3.8.3.9324 feed: true isfetch: false longRunning: false diff --git a/Packs/FeedBambenekConsulting/ReleaseNotes/1_0_1.md b/Packs/FeedBambenekConsulting/ReleaseNotes/1_0_1.md new file mode 100644 index 000000000000..095516b6da6e --- /dev/null +++ b/Packs/FeedBambenekConsulting/ReleaseNotes/1_0_1.md @@ -0,0 +1,4 @@ + +#### Integrations +##### Bambenek Consulting Feed +Added the *Tags* parameter. \ No newline at end of file diff --git a/Packs/FeedBambenekConsulting/pack_metadata.json b/Packs/FeedBambenekConsulting/pack_metadata.json index 6f2fe7d89c25..5e82e37de5fd 100644 --- a/Packs/FeedBambenekConsulting/pack_metadata.json +++ b/Packs/FeedBambenekConsulting/pack_metadata.json 
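Review bot: The new `feedTags` parameter's `additionalinfo: Supports CSV values.` is ambiguous — it reads as if the field accepts CSV file content rather than a comma-separated list, and the same text is repeated in the FeedCSV, FeedCofense and FeedElasticsearch YAML hunks further down (in a CSV feed integration it is doubly confusing). Suggest `additionalinfo: Comma-separated list of tags applied to every indicator fetched from this feed.` in all four places, since the Python side reads it with `argToList`.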
@@ -1,19 +1,19 @@ { - "name": "Bambenek Consulting Feed", - "description": "Indicators feed from Bambenek Consulting", - "support": "xsoar", - "currentVersion": "1.0.0", - "author": "Cortex XSOAR", - "url": "https://www.paloaltonetworks.com/cortex", - "email": "", - "created": "2020-03-09T16:04:45Z", - "categories": [ - "Data Enrichment & Threat Intelligence" - ], - "tags": [], - "useCases": [], - "keywords": [ - "Bambenek Consulting", - "Feed" - ] + "name": "Bambenek Consulting Feed", + "description": "Indicators feed from Bambenek Consulting", + "support": "xsoar", + "currentVersion": "1.0.1", + "author": "Cortex XSOAR", + "url": "https://www.paloaltonetworks.com/cortex", + "email": "", + "created": "2020-03-09T16:04:45Z", + "categories": [ + "Data Enrichment & Threat Intelligence" + ], + "tags": [], + "useCases": [], + "keywords": [ + "Bambenek Consulting", + "Feed" + ] } \ No newline at end of file diff --git a/Packs/FeedCSV/Integrations/FeedCSV/FeedCSV.yml b/Packs/FeedCSV/Integrations/FeedCSV/FeedCSV.yml index 6d4cec107c15..d6cf0f9071b9 100644 --- a/Packs/FeedCSV/Integrations/FeedCSV/FeedCSV.yml +++ b/Packs/FeedCSV/Integrations/FeedCSV/FeedCSV.yml @@ -67,7 +67,8 @@ configuration: name: auto_detect_type required: false type: 8 -- additionalinfo: Type of the indicator in the feed, If auto-detect is checked then the value set as Indicator Type will be ignored. +- additionalinfo: Type of the indicator in the feed, If auto-detect is checked then + the value set as Indicator Type will be ignored. display: Indicator Type name: indicator_type required: false 
@@ -91,8 +92,8 @@ configuration: name: ignore_regex required: false type: 0 -- additionalinfo: The names to apply to the fields in the CSV feed. The name for the field containing the indicator should be "value". - defaultvalue: value +- additionalinfo: The names to apply to the fields in the CSV feed. The name for the + field containing the indicator should be "value". display: Field Names name: fieldnames required: false @@ -126,6 +127,11 @@ configuration: name: skipinitialspace required: false type: 8 +- additionalinfo: Supports CSV values. + display: Tags + name: feedTags + required: false + type: 0 - defaultvalue: '' display: Trust any certificate (not secure) name: insecure @@ -149,7 +155,9 @@ script: required: false secret: false - default: false - description: The indicator type. If the configuration parameter 'Auto detect indicator type' is marked true for the integration instance, then this value will be ignored. + description: The indicator type. If the configuration parameter 'Auto detect + indicator type' is marked true for the integration instance, then this value + will be ignored. isArray: false name: indicator_type required: false @@ -168,7 +176,7 @@ script: - contextPath: CSV.Indicator.rawJSON description: The indicator rawJSON value. type: Unknown - dockerimage: demisto/jmespath:1.0.0.6980 + dockerimage: demisto/jmespath:1.0.0.8854 feed: true isfetch: false longRunning: false diff --git a/Packs/FeedCSV/ReleaseNotes/1_0_2.md b/Packs/FeedCSV/ReleaseNotes/1_0_2.md new file mode 100644 index 000000000000..5015cc15fdb1 --- /dev/null +++ b/Packs/FeedCSV/ReleaseNotes/1_0_2.md @@ -0,0 +1,4 @@ + +#### Integrations +##### CSVFeed +Added the *Tags* parameter. diff --git a/Packs/FeedCSV/pack_metadata.json b/Packs/FeedCSV/pack_metadata.json index 41be4249c9ea..17c514e07710 100644 --- a/Packs/FeedCSV/pack_metadata.json +++ b/Packs/FeedCSV/pack_metadata.json 
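Review bot: The `fieldnames` parameter loses its `defaultvalue: value` line in the second hunk while its description still says the indicator column must be named "value"; unless this is intentional, instances that relied on the default will now start with no field names configured. If the default is meant to go, the description should say the value must now be supplied explicitly, and the release note should mention it. If it is accidental, re-add `defaultvalue: value` under the reflowed `additionalinfo`.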
@@ -2,7 +2,7 @@ "name": "CSV Feed", "description": "Indicators feed from a CSV file", "support": "xsoar", - "currentVersion": "1.0.1", + "currentVersion": "1.0.2", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/FeedCofense/Integrations/FeedCofense/FeedCofense.py b/Packs/FeedCofense/Integrations/FeedCofense/FeedCofense.py index 0390475a2750..7a1a515fd0fa 100644 --- a/Packs/FeedCofense/Integrations/FeedCofense/FeedCofense.py +++ b/Packs/FeedCofense/Integrations/FeedCofense/FeedCofense.py @@ -34,6 +34,7 @@ def __init__( verify: bool = False, proxy: bool = False, read_time_out: Optional[float] = 120.0, + tags: list = [] ): """Constructor of Client and BaseClient @@ -46,6 +47,7 @@ def __init__( verify {bool} -- Should verify certificate. (default: {False}) proxy {bool} -- Should use proxy. (default: {False}) read_time_out {int} -- Read time out in seconds. (default: {30}) + tags {list} -- A list of tags to add to the feed. """ self.read_time_out = read_time_out self.threat_type = ( @@ -54,6 +56,7 @@ def __init__( # Request related attributes self.suffix = "/apiv1/threat/search/" + self.tags = tags super().__init__(url, verify=verify, proxy=proxy, auth=auth) @@ -137,8 +140,7 @@ def _convert_block(cls, block: dict) -> Tuple[str, str]: indicator_type = FeedIndicatorType.DomainGlob return indicator_type, value - @classmethod - def process_item(cls, threat: dict) -> List[dict]: + def process_item(self, threat: dict) -> List[dict]: """Gets a threat and processes them. Arguments: @@ -156,7 +158,7 @@ def process_item(cls, threat: dict) -> List[dict]: block_set: List[dict] = threat.get("blockSet", []) threat_id = threat.get("id") for block in block_set: - indicator, value = cls._convert_block(block) + indicator, value = self._convert_block(block) block["value"] = value block["type"] = indicator block["threat_id"] = threat_id 
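Review bot: `tags: list = []` in the first hunk is a mutable default argument, and because `self.tags` is stored as-is and then placed in every indicator's `"fields"` dict (next hunk), the very same list object is shared by all indicators of all `Client` instances created without explicit tags — any in-place mutation downstream leaks across them. Since `Optional` is already used in this signature, `tags: Optional[list] = None` with `self.tags = list(tags) if tags else []` avoids both problems. Separately, `process_item` changes from a `@classmethod` to an instance method, which breaks any caller invoking it on the class; worth a line in the release note if that is accepted.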
@@ -168,6 +170,7 @@ def process_item(cls, threat: dict) -> List[dict]: "type": indicator, "rawJSON": block, "fields": { + "tags": self.tags, "name": threat_id, "malwarefamily": malware_family.get("familyName"), "description": malware_family.get("description"), @@ -312,7 +315,8 @@ def main(): verify = not params.get("insecure") proxy = params.get("proxy") threat_type = params.get("threat_type") - client = Client(url, auth=auth, verify=verify, proxy=proxy, threat_type=threat_type) + tags = argToList(params.get('feedTags')) + client = Client(url, auth=auth, verify=verify, proxy=proxy, threat_type=threat_type, tags=tags) demisto.info(f"Command being called is {demisto.command()}") try: diff --git a/Packs/FeedCofense/Integrations/FeedCofense/FeedCofense.yml b/Packs/FeedCofense/Integrations/FeedCofense/FeedCofense.yml index 1dfaebf3f697..8d49048ff4f9 100644 --- a/Packs/FeedCofense/Integrations/FeedCofense/FeedCofense.yml +++ b/Packs/FeedCofense/Integrations/FeedCofense/FeedCofense.yml @@ -57,6 +57,12 @@ configuration: name: feedFetchInterval required: false type: 19 +- additionalinfo: Supports CSV values. + display: Tags + hidden: false + name: feedTags + required: false + type: 0 - additionalinfo: When selected, the exclusion list is ignored for indicators from this feed. This means that if an indicator from this feed is on the exclusion list, the indicator might still be added to the system. @@ -116,7 +122,7 @@ script: description: Gets indicators from the feed. execution: false name: cofense-get-indicators - dockerimage: demisto/python3:3.8.3.8715 + dockerimage: demisto/python3:3.8.3.9324 feed: true isfetch: false longRunning: false diff --git a/Packs/FeedCofense/Integrations/FeedCofense/FeedCofense_test.py b/Packs/FeedCofense/Integrations/FeedCofense/FeedCofense_test.py index 7a6c5686659d..552125c2d649 100644 --- a/Packs/FeedCofense/Integrations/FeedCofense/FeedCofense_test.py +++ b/Packs/FeedCofense/Integrations/FeedCofense/FeedCofense_test.py 
@@ -8,7 +8,7 @@ data = raw["data"] threats = data["threats"] -client = Client("https://www.threathq.com", ("username", "password")) +client = Client("https://www.threathq.com", ("username", "password"), tags=['tag1', 'tag2']) class TestFetchIndicators: @@ -27,6 +27,7 @@ def test_process_item(self, threat, value, _type, indicator_index, length): assert len(ans) == length assert first_obj["value"] == value assert first_obj["type"] == _type + assert first_obj['fields']['tags'] == client.tags else: assert not ans @@ -68,5 +69,6 @@ def test_fetch_indicators_command( for i, res in enumerate(results): assert expected_value[i] in res["value"] assert expected_type[i] in res["type"] + assert res['fields']['tags'] == client.tags else: assert not results diff --git a/Packs/FeedCofense/ReleaseNotes/1_0_4.md b/Packs/FeedCofense/ReleaseNotes/1_0_4.md new file mode 100644 index 000000000000..34ddb1703261 --- /dev/null +++ b/Packs/FeedCofense/ReleaseNotes/1_0_4.md @@ -0,0 +1,4 @@ + +#### Integrations +##### Cofense Feed +- Added the *Tags* parameter. diff --git a/Packs/FeedCofense/pack_metadata.json b/Packs/FeedCofense/pack_metadata.json index 555b39070672..291723f917f8 100644 --- a/Packs/FeedCofense/pack_metadata.json +++ b/Packs/FeedCofense/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Cofense Feed", "description": "Indicators feed from Cofense", "support": "xsoar", - "currentVersion": "1.0.3", + "currentVersion": "1.0.4", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/FeedElasticsearch/Integrations/FeedElasticsearch/FeedElasticsearch.py b/Packs/FeedElasticsearch/Integrations/FeedElasticsearch/FeedElasticsearch.py index 6bcfc5a9388b..5a2894b43f52 100644 --- a/Packs/FeedElasticsearch/Integrations/FeedElasticsearch/FeedElasticsearch.py +++ b/Packs/FeedElasticsearch/Integrations/FeedElasticsearch/FeedElasticsearch.py 
@@ -35,7 +35,7 @@ class ElasticsearchClient: def __init__(self, insecure=None, server=None, username=None, password=None, api_key=None, api_id=None, - time_field=None, time_method=None, fetch_index=None, fetch_time=None, query=None): + time_field=None, time_method=None, fetch_index=None, fetch_time=None, query=None, tags=None): self._insecure = insecure self._proxy = handle_proxy() # _elasticsearch_builder expects _proxy to be None if empty @@ -51,6 +51,7 @@ def __init__(self, insecure=None, server=None, username=None, password=None, api self.fetch_time = fetch_time self.query = query self.es = self._elasticsearch_builder() + self.tags = tags def _elasticsearch_builder(self): """Builds an Elasticsearch obj with the necessary credentials, proxy settings and secure connection.""" @@ -136,12 +137,12 @@ def get_indicators_command(client, feed_type, src_val, src_type, default_type): now = datetime.now() if FEED_TYPE_GENERIC in feed_type: search = get_scan_generic_format(client, now) - ioc_lst = get_generic_indicators(search, src_val, src_type, default_type) + ioc_lst = get_generic_indicators(search, src_val, src_type, default_type, client.tags) hr = tableToMarkdown('Indicators', ioc_lst, [src_val]) else: # Insight is the name of the indicator object as it's saved into the database search = get_scan_insight_format(client, now, feed_type=feed_type) - ioc_lst, ioc_enrch_lst = get_demisto_indicators(search) + ioc_lst, ioc_enrch_lst = get_demisto_indicators(search, client.tags) hr = tableToMarkdown('Indicators', list(set(map(lambda ioc: ioc.get('name'), ioc_lst))), 'Name') if ioc_enrch_lst: for ioc_enrch in ioc_enrch_lst: 
@@ -149,22 +150,22 @@ def get_indicators_command(client, feed_type, src_val, src_type, default_type): return_outputs(hr, {}, ioc_lst) -def get_generic_indicators(search, src_val, src_type, default_type): +def get_generic_indicators(search, src_val, src_type, default_type, tags): """Implements get indicators in generic format""" ioc_lst: list = [] for hit in search.scan(): - hit_lst = extract_indicators_from_generic_hit(hit, src_val, src_type, default_type) + hit_lst = extract_indicators_from_generic_hit(hit, src_val, src_type, default_type, tags) ioc_lst.extend(hit_lst) return ioc_lst -def get_demisto_indicators(search): +def get_demisto_indicators(search, tags): """Implements get indicators in insight format""" limit = int(demisto.args().get('limit', FETCH_SIZE)) ioc_lst: list = [] ioc_enrch_lst: list = [] for hit in search.scan(): - hit_lst, hit_enrch_lst = extract_indicators_from_insight_hit(hit) + hit_lst, hit_enrch_lst = extract_indicators_from_insight_hit(hit, tags=tags) ioc_lst.extend(hit_lst) ioc_enrch_lst.extend(hit_enrch_lst) if len(ioc_lst) >= limit: @@ -182,13 +183,13 @@ def fetch_indicators_command(client, feed_type, src_val, src_type, default_type, # Insight is the name of the indicator object as it's saved into the database search = get_scan_insight_format(client, now, last_fetch_timestamp, feed_type) for hit in search.scan(): - hit_lst, hit_enrch_lst = extract_indicators_from_insight_hit(hit) + hit_lst, hit_enrch_lst = extract_indicators_from_insight_hit(hit, tags=client.tags) ioc_lst.extend(hit_lst) ioc_enrch_lst.extend(hit_enrch_lst) else: search = get_scan_generic_format(client, now, last_fetch_timestamp) for hit in search.scan(): - ioc_lst.extend(extract_indicators_from_generic_hit(hit, src_val, src_type, default_type)) + ioc_lst.extend(extract_indicators_from_generic_hit(hit, src_val, src_type, default_type, client.tags)) if ioc_lst: for b in batch(ioc_lst, batch_size=2000): 
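Review bot: `get_generic_indicators`, `get_demisto_indicators` and (in the next line) `extract_indicators_from_generic_hit`/`extract_indicators_from_insight_hit` gain `tags` as a required positional parameter, whereas `hit_to_indicator` gets `tags=None`; the inconsistency means any other caller of these helpers now fails with a TypeError while the lowest-level one keeps working. Giving all of them `tags=None` keeps the old call signatures valid and matches `hit_to_indicator`. The generic path passes `tags` positionally while the insight path uses `tags=tags`; pick one form.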
@@ -234,10 +235,10 @@ def get_scan_generic_format(client, now, last_fetch_timestamp=None): return search -def extract_indicators_from_generic_hit(hit, src_val, src_type, default_type): +def extract_indicators_from_generic_hit(hit, src_val, src_type, default_type, tags): """Extracts indicators in generic format""" ioc_lst = [] - ioc = hit_to_indicator(hit, src_val, src_type, default_type) + ioc = hit_to_indicator(hit, src_val, src_type, default_type, tags) if ioc.get('value'): ioc_lst.append(ioc) return ioc_lst @@ -264,11 +265,11 @@ def get_scan_insight_format(client, now, last_fetch_timestamp=None, feed_type=No return search -def extract_indicators_from_insight_hit(hit): +def extract_indicators_from_insight_hit(hit, tags): """Extracts indicators from an insight hit including enrichments""" ioc_lst = [] ioc_enirhcment_list = [] - ioc = hit_to_indicator(hit) + ioc = hit_to_indicator(hit, tags=tags) if ioc.get('value'): ioc_lst.append(ioc) module_to_feedmap = ioc.get(MODULE_TO_FEEDMAP_KEY) @@ -286,7 +287,7 @@ def extract_indicators_from_insight_hit(hit): return ioc_lst, ioc_enirhcment_list -def hit_to_indicator(hit, ioc_val_key='name', ioc_type_key=None, default_ioc_type=None): +def hit_to_indicator(hit, ioc_val_key='name', ioc_type_key=None, default_ioc_type=None, tags=None): """Convert a single hit to an indicator""" ioc_dict = hit.to_dict() ioc_dict['value'] = ioc_dict.get(ioc_val_key) @@ -295,6 +296,8 @@ def hit_to_indicator(hit, ioc_val_key='name', ioc_type_key=None, default_ioc_typ ioc_dict['type'] = default_ioc_type elif ioc_type_key: ioc_dict['type'] = ioc_dict.get(ioc_type_key) + if tags: + ioc_dict['fields'] = {'tags': tags} return ioc_dict 
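Review bot: `ioc_dict['fields'] = {'tags': tags}` in the last hunk replaces any `fields` dict the hit already carries — `ioc_dict` is `hit.to_dict()`, and for the insight format that is a stored indicator document, so whether it can contain `fields` is not visible here but the assignment silently discards it if it does. The same `tags` list object is also attached to every indicator produced from one fetch, so a later in-place change would affect all of them. `ioc_dict.setdefault('fields', {})['tags'] = list(tags)` keeps existing fields and gives each indicator its own copy.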
@@ -323,6 +326,7 @@ def main(): creds = params.get('credentials') username, password = (creds.get('identifier'), creds.get('password')) if creds else (None, None) insecure = not params.get('insecure') + tags = argToList(params.get('feedTags')) feed_type = params.get('feed_type') time_field = params.get('time_field') if FEED_TYPE_GENERIC in feed_type else 'calculatedTime' time_method = params.get('time_method') @@ -331,7 +335,7 @@ def main(): query = params.get('es_query') api_id, api_key = extract_api_from_username_password(username, password) client = ElasticsearchClient(insecure, server, username, password, api_key, api_id, time_field, time_method, - fetch_index, fetch_time, query) + fetch_index, fetch_time, query, tags) src_val = params.get('src_val') src_type = params.get('src_type') default_type = params.get('default_type') diff --git a/Packs/FeedElasticsearch/Integrations/FeedElasticsearch/FeedElasticsearch.yml b/Packs/FeedElasticsearch/Integrations/FeedElasticsearch/FeedElasticsearch.yml index 3f1c53b1e099..ef1e16810be5 100644 --- a/Packs/FeedElasticsearch/Integrations/FeedElasticsearch/FeedElasticsearch.yml +++ b/Packs/FeedElasticsearch/Integrations/FeedElasticsearch/FeedElasticsearch.yml @@ -91,6 +91,12 @@ configuration: name: feedFetchInterval required: false type: 19 +- additionalinfo: Supports CSV values. + display: Tags + hidden: false + name: feedTags + required: false + type: 0 - additionalinfo: When selected, the exclusion list is ignored for indicators from this feed. This means that if an indicator from this feed is on the exclusion list, the indicator might still be added to the system. display: Bypass exclusion list name: feedBypassExclusionList @@ -161,7 +167,7 @@ script: description: Gets indicators available in the configured Elasticsearch database. execution: false name: es-get-indicators - dockerimage: demisto/elasticsearch:1.0.0.8935 + dockerimage: demisto/elasticsearch:1.0.0.9516 feed: true isfetch: false longRunning: false 
diff --git a/Packs/FeedElasticsearch/Integrations/FeedElasticsearch/FeedElasticsearch_test.py b/Packs/FeedElasticsearch/Integrations/FeedElasticsearch/FeedElasticsearch_test.py index 2e4a520e7bbc..660fd89b5e80 100644 --- a/Packs/FeedElasticsearch/Integrations/FeedElasticsearch/FeedElasticsearch_test.py +++ b/Packs/FeedElasticsearch/Integrations/FeedElasticsearch/FeedElasticsearch_test.py @@ -26,7 +26,8 @@ def to_dict(self): 'indicatorType': 'IP', 'value': '5.5.5.5' }, - 'type': 'IP' + 'type': 'IP', + 'fields': {'tags': ['tag1', 'tag2']} } PARSED_INSIGHT_HIT = { @@ -131,7 +132,8 @@ def to_dict(self): }, "expiration": "0001-01-01T00:00:00Z", "expirationStatus": "active", - "expirationSource": None + "expirationSource": None, + 'fields': {'tags': ['tag1', 'tag2']} } FEED_IOC_KEYS = ( @@ -152,18 +154,19 @@ def to_dict(self): 'firstSeen', 'CustomFields', 'modifiedTime', - 'isEnrichment' + 'isEnrichment', + 'fields' ) def test_hit_to_indicator(): import FeedElasticsearch as esf - ioc = esf.hit_to_indicator(MockHit(CUSTOM_HIT), CUSTOM_VAL_KEY, CUSTOM_TYPE_KEY, None) + ioc = esf.hit_to_indicator(MockHit(CUSTOM_HIT), CUSTOM_VAL_KEY, CUSTOM_TYPE_KEY, None, ['tag1', 'tag2']) assert ioc == PARSED_CUSTOM_HIT no_type_hit = dict(CUSTOM_HIT) no_type_hit[CUSTOM_TYPE_KEY] = '' - ioc = esf.hit_to_indicator(MockHit(no_type_hit), CUSTOM_VAL_KEY, CUSTOM_TYPE_KEY, 'IP') + ioc = esf.hit_to_indicator(MockHit(no_type_hit), CUSTOM_VAL_KEY, CUSTOM_TYPE_KEY, 'IP', ['tag1', 'tag2']) assert ioc['type'] == 'IP' assert ioc[CUSTOM_TYPE_KEY] == '' 
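Review bot: `test_hit_to_indicator` only covers the path where tags are supplied; the new `if tags:` branch that leaves the hit untouched when no tags are configured has no assertion, so a regression that always emits `fields` would pass. Assuming `CUSTOM_HIT` carries no `fields` key, one line covers it: `assert 'fields' not in esf.hit_to_indicator(MockHit(CUSTOM_HIT), CUSTOM_VAL_KEY, CUSTOM_TYPE_KEY, None)`.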
@@ -171,7 +174,7 @@ def test_hit_to_indicator(): def test_extract_indicators_from_insight_hit(mocker): import FeedElasticsearch as esf mocker.patch.object(esf, 'hit_to_indicator', return_value=dict(PARSED_INSIGHT_HIT)) - ioc_lst, ioc_enrch_lst = esf.extract_indicators_from_insight_hit(PARSED_INSIGHT_HIT) + ioc_lst, ioc_enrch_lst = esf.extract_indicators_from_insight_hit(PARSED_INSIGHT_HIT, ['tag1', 'tag2']) # moduleToFeedMap with isEnrichment: False should not be added to ioc_lst assert len(ioc_lst) == 1 assert len(ioc_enrch_lst[0]) == 2 @@ -186,14 +189,15 @@ def test_extract_indicators_from_insight_hit(mocker): def test_extract_indicators_from_generic_hit(mocker): import FeedElasticsearch as esf mocker.patch.object(esf, 'hit_to_indicator', return_value=PARSED_CUSTOM_HIT) - ioc_lst = esf.extract_indicators_from_generic_hit(CUSTOM_HIT, CUSTOM_VAL_KEY, CUSTOM_TYPE_KEY, None) + ioc_lst = esf.extract_indicators_from_generic_hit(CUSTOM_HIT, CUSTOM_VAL_KEY, CUSTOM_TYPE_KEY, None, + ['tag1', 'tag2']) assert ioc_lst == [PARSED_CUSTOM_HIT] def test_create_enrichment_batches_one_indicator(mocker): import FeedElasticsearch as esf mocker.patch.object(esf, 'hit_to_indicator', return_value=PARSED_INSIGHT_HIT) - _, ioc_enrch_lst = esf.extract_indicators_from_insight_hit(PARSED_INSIGHT_HIT) + _, ioc_enrch_lst = esf.extract_indicators_from_insight_hit(PARSED_INSIGHT_HIT, ['tag1', 'tag2']) ioc_enrch_lst_of_lsts = esf.create_enrichment_batches(ioc_enrch_lst) assert len(ioc_enrch_lst_of_lsts) == 2 assert ioc_enrch_lst_of_lsts[0][0] == ioc_enrch_lst[0][0] diff --git a/Packs/FeedElasticsearch/ReleaseNotes/1_0_3.md b/Packs/FeedElasticsearch/ReleaseNotes/1_0_3.md new file mode 100644 index 000000000000..fea0ded868d6 --- /dev/null +++ b/Packs/FeedElasticsearch/ReleaseNotes/1_0_3.md @@ -0,0 +1,4 @@ + +#### Integrations +##### Elasticsearch Feed +- Added the *Tags* parameter. 
diff --git a/Packs/FeedElasticsearch/pack_metadata.json b/Packs/FeedElasticsearch/pack_metadata.json index d994172dc092..a21f226a4d6d 100644 --- a/Packs/FeedElasticsearch/pack_metadata.json +++ b/Packs/FeedElasticsearch/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Elasticsearch Feed", "description": "Indicators feed from Elasticsearch database", "support": "xsoar", - "currentVersion": "1.0.2", + "currentVersion": "1.0.3", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", 
diff --git a/Packs/FeedFeodoTracker/Integrations/FeedFeodoTrackerHashes/FeedFeodoTrackerHashes_image.png b/Packs/FeedFeodoTracker/Integrations/FeedFeodoTrackerHashes/FeedFeodoTrackerHashes_image.png index 22ad570c572a5b5652390adfe1009c3617a91ebe..9c15d2fe2a631f40fb517fd6fa4cc6d3514aff80 100644 GIT binary patch literal 4341 zcmV!P)Tor{{5f*Klk3}5;<_-z<~n?4jede;J|@{IEaA-GpY(-Nz_3J+S##C!q;v~a?P~o zlJ?ft)>`y6gKJ;`lPE~k0Ta@yuMyLg_ij?QwhO%z9*D$=*A*e%ja3;&JQ}m*ei70o)Kt5h2TZW5(nKkA7I5{8ZbWwW0VH zKA%t4O=`G~g;KSBOjjPB7rujP>1Fzw!IhxybqMpoz(Pf0&me7g zqHWv2LYAi{EPq43n~dWRK_bf;z;%yMyq(?hZE2}#O#D3(A_o;WSzargvuWYoEz7q0 z2axQ>=T(e#2!ct0l(Nw;8}iCylGWqWLvv{J;?-?SP6>I(;fHnQGz?f#Ue~g+u0By4DbBrI zu_)HoBS`+QG`vgp{jm1KSp7GDTe!K~Ez01wze_?cmfhxd6hAwFOeX|d0k?0LU-Uq6 zYI3GE8^qUvYz|z;jpKu%dT843VjZB6Kf&cZ2>7^SzAF$`TMn(N(~3gVebcv$nw&is z{eB0gQlyK2oU^H5P0O-+KYdLgX#_BR^J0&ZE**FEM1ROi{A%B_Q^M7FZDrjtrOXGw z(lJI*5eDu>iXPA=1;-pYP&HMwnw!qX;{}nIX z7!EF}?-Y{YvMB&BFx8ZF@xV5kkNgdV=OCb;_4$%f4fqX2%x^Q>3P(PTqml zMLz*!3KzxF(!RDrdfUb%ZNaUH33myD&P9e!N~sg50H zEsy6TB$2Iy@pIV|*PiPRsqV&GU+mDo=hR#`B^-5+QyAahYDaWo;@LHRiFR z9}v6015QUt%L-ri+wUwTI`xRt9-imT80EQ=yRF-Vm(~@mEokaEKXp-r=m*l^(S|UC zGpZM?ZdktKU6vP2BN1MaKQW~ZMlnCCqPsw1{lI5SltpiB8h#diXQC|HC6N;oeSk^I zgb=0_yi(w*zj_FZG7tmV9zVh|e1e7tf$%W}DYM=PiNq9BusVsDpvj#x?a6s*hrYk7 zW3bLFMF!+M+U}$1NPOKWm)g@Eg#`;^B`mW7tL|fFhk3%4AtyqE?o>=QSYzK82%2wZ zrWog1l74)SC*y+?QU3yXpkI$o3O$dkes5+pbpe$7J}~w3qzLcoNa0Cl_sK4|^rptf zO7$4uQo{NLwC%};rO)o2QB!<{F!`54^8FTByGgo!4rcE{POygBqsgFmBc88;*!*|Z z#eW#=*%DdsSwmOUig-QZO<3`C*jiSgHDwx#-x}CXYdO-S%X@x_qs_PM8kT^e`5s0; zxaVa2JZv$4q{|`bKZ#z;Ob^SsxYVB38BECj(4wfE*lkO+r*Ot~Dn^`sg4JEkK zB|ZE0-qy1LlUG@&*U|5!wgpP#-0=Ice&4KG{9=Sd#fFD;R=yWPx{-z4lJtw>B()cB9Rj3GYGTb&ek2){HzOx4N(fO7&3E$_XoDo!p)4N-i+I+tVP30$8SCp?a7-L zC#9#jZxK2V5EO;Ho(qQAj@wuk?Lpb`o|fX?OE%1%FtGou%J~;UIaZ^;2ZJ_8Biuy8 z1#?HAaD60aZM=RiwpI6H*>f;LpW>oY zc4-(s8MRtzm^dpg+Hi|kptXZly&pZyoXufS{Bi())y|HMwJw5pnGO0Hg(o?~NiQwnSFiQ6= z+u9P}K}ze_N@2H|#VSnFt+-p7S6y^eD1p38A=}2J3%v!(|J~RYSVx0c7?TTLpOd;G 
zYRLJ*@@fn=KPOrd;oHA*dvpHdg%?oNPAo|;EAy+S9|RNg5kH?gxTLnTm#`r1jFBv0 zd7(YldxpjTnzOOU-*W4-`;b#K!vu?E61~%SQ(eDsl~=ithJz7_!7((g*nS{yV^Ikn zs04z#27=Bcz5CPyWV|>TB5{AyvF-Ie8yIJVPC@m7MlE98GY#+MwvxTyaSHpE?fmeH z>f#5&#E8$l1hbijSbL#;megY?+Qn@!SUgHYE~PA-c1eU&b=SN8RGqOMn_`IK}SPbCM!kIvjU|7AhdbDzfzKQ85^)%i~a28R~x4U_tPNRb(+_; zr(KzUk9DriFP1f7m&XWaC%ao~m&70O?HH7gSC?iRAGV6uV zohRWXo<_{HEl+!-{F=fdw#0HJhLw86E6k5x!*Xi6Z?P|FQaAR` z`QrU6cD_1u)AdD4SvSL)mmm?tTHmU1U)T`}w|S3K$X#{P9sP_PIB?*=fddB)95`^` zz<~n?4jlYHM`>xP{rM{3%i?uJ_o97kd?JAJtM%)B_D-(P=cBH!E|Hv^%=-TGA`l3c zNJaW^p`OkXe)?0Nkh1@aBo99L;BfZE6QZ-d6Wf=De!>578bOTAabYhyMOQhFFdvKk z_WMIwmPzmW{lOgi0>BB}YD*;kcg5!gtFC7>Pw^i*3sAyXh@-@%G{P8B3$~atrBqV} z6lWQR%Fs93g@r=;y*XjOr5v;Dn5D+nFxADXHJJ%+>ltKxZEgRn#JN@kSx+bFGpKi7FIv_e3*oACRW=rcxJrIel$T?cWMqHejRWHycq z2aShPa83slL4Tl31zKk;!+uf0ujyf|Z86@24m-pJb~$*9@emAl7l65c>*0YH(U*h~ z7ceH+&n$N94<5YVYdJ!U-fxo3Fr>Q_^;x7pnn_mmn5ZczFNZH|Pft(pvjnAhTUkX} zJxRH>r^K5Pk*58+1J1;4!LmLaXU?gpsPJR_BVeK&Vc{wqrVskgHO_OhAmnfBkCGzG zRtzX6IP`0JAeI5%uCjR(TmYqPwa1Z$_B`n>mn+AzEX{+zto%U?yRHQX_50~dz=*qO zZJF!Wuk-2ql9GF2X}tPWT~|3mT!FB74GY2}M<-Ack!gj@7vcXozu)@6p`8_)pO33q-5R8;(?Ra?G} z_qwlA(QO`O)ayFMtUX7L9;0V0W4CS(0c#$z5UX?H0WuMTNAyo^F^sf;nfkp7Yv)=l zdS70af^-~R4|jJM0#5I1D`f$!?XXU!P;eEp+_f=!vA(@m)-=n?%Ct*gt7#$m`7|oI zQM*kYo1s9Zx(u%OCG@V)!br?x50sLB2Ty-J`dWtcd>ZZbJj_weOS9%r(>0~C|6NdC zUZy?F7L3zqKaaHEgZ{JE(_eX%l$2!QlQBqnhOVQ}iNWX%HO3dEmx#YVXDkN}95`^` jz<~n?4jedeaMtmE`Uu4jMJV%K00000NkvXXu0mjfEir=I literal 4248 zcmb7|g+CmQUYuf4@x8XR{M|HtdL0moU-J+IXK=*WaeON=BK)hdR-6FU}O51;z`oskf2y z|MH4L-TZv-+J~@RhW-#9%ZLvm2F@kiV%ljodoPiUTwX$k|Q1YK}->);1E_karg;SoR2ARq31$$L6i$&9NGy=J}iF$ zvitSbYDO%nJW7o+o*PPlDoQ`a5Ri_Uv-<2ZJ-A5E^&rZ9YHfv0^3(wBo@E#^ zaF}5DTD#nYtXDQ{&(O-`R@tt(Q0sF3`bjHaEeQ2A=LV->M!AaB@|p)riD0}k%n%Ui z=v`#}i^|K2_=Zb}5FEGTK&=x@a5cnLYytZTJs0Y`rz6}l#y~~xFQ-X!FJXCgb@j7- zgB?|m!UdJEdzJHBD(EBEpzcsRcU7SZ!@Vr+>T_1^r5Iv@MYmdUp2+Zdri(FYRF?Bl ziV^yYDQ*iLTF;i$kO<_&0l)nw5{i)2c(v#pv_{)zp2~&4}5#37Teu3*H(u5cn zHm<8M?5VKJ#H+%Em&LGdcn$DP#w^`y+1X 
zpS!7uaX*Fxsn9c+QiYcJu)fD2_V*__GP}==AZg!6*MCu?cDC<}P_Hc(XxKbOo`E^a zTX;sSo)ckU!yJyd6iP7_{AmgkYx|QfJmGJQH7L;_JJTh#`^nm(zqZL?AX+mGh1REw z!z^z4VaekJQ3vK1z_f9eyxP+8Bep+3-wo--i&Wxg2TxczHx`vf*{R>x%NzYUdlXet zz<3WRb z$NJ>=06Haz9K2r~)vS)=K2q!WVAJ{<625_L{ydZHx|Nt0Rv%OZ&x4Azp~R^|9q_RJ-FQ>M<* z(Mva-9@@;yZ9j(PY(?(FBV_$sNwrY=R+CjC4urNKb`cQqhcG(94#f5q5$cm3)a6@T-F*~n`D3XC6lwOZ=9S$@)bt~{HlZ7d-N zGvUYr36qQ#pQ~ugGfKl1rV|Hy4xEfvqfV(hECJCQ2)_&e%dZH?8g-6hKBgw-a16zw zO*j`k@`Ct|Rfw8q`c4Ppzx}B9XzFNUl2O0t)*3$o%gY8=q*jQ9uxf{=9o>}N445_K zcq9ejzmYR%!>U-6NmuaIjFeJ<6K+JuHmC~nN#amd_e!*9vw5#%Ea*_?bErRY2$)AV z@ue|d4^rnuNbow)BfQU534)q5M!)hTH3s|5rD9p#co7aEuXotZ(=WqV<<>G~2A&DU z+9&cw$grbeXqC}GKD*|Agsf&9TToc=G4^5~bs^-%7XVv24xY%^hTMxAZL->dq0H#H z!Fm?nD@=3V69y3>Cox|s0D&q)+48XPDa&NFbz5T(HzK>@%X@H-%?5i5cx#1fjHd@r zd}SV6Ok*I61mD@cZyc3M4^ReW?nm~Y^=5FCrG%2F_7oRT_~S4&K`lK2mSdOvoU09% z$A(5VU|N&l*i3qVdHi)edO>nw--teRon&9tG%*>HN^lY{n8{_2d%B97WFi9p>mJW* zz4-D<#(J6WybKpA>Cmbe4;PpM_*NzeS7dWBQbE}m(b<~aC)rH0A;%)v88v~74DuMq z^c9G}@4$oG+BPXBi5w?Oivept$iuj&rtunpX?< zk2up;W4-E|?o}L?=AtAt9us< z_JeMKVXWlE3EKQrz0Gt3v>!kwc<1w5GXrx#wuM; zTndO=6eVVK+tAV25f<*0>ZZS;Zfan%I4SCrf%DcuQiM>1|w2mNt@h~ z&h-USBqDK@As=D=y_+9I4UJRnJr4s1bq6hmzu;1B$Cee8lPUa%1a_;uw0c7mIU0Hi zqnP>z3>$gNJfuRKbyw{AA(CGuA}~jElki7DYKi7Q#~pIMtTbXmiPcF}sy*RQ;QGqHmNM{%V(YGz5Nx0CoJl z8);ZIi%4FLrJF>WatiZugFjs1EujxGhy{xChW}_$D(4wsyM6&+2Jzy7$Ht(K%vvI| z^RC^K8|CJ1qx?b+2f8LkEFbQIwmQqxVgO%NGax5!Ur%)#S(ZAgKW(&p2z?hc!iYTc zPCYrHamm~ts91t&6SMbSg@=0=_W}D@@2-bO6M)=KeCEf7eh(C71{6y;BqcQV%sMPw1<9|i8q7nm7moyM(aU>ZNIY>HJ!)zTZ+&WtOe52e{~iO?)<<>`*e~ZN{`f zC8alaV=_sr-QTX*NspgC#o<#Ra3x(Ndx%|{nb454l+V|sNvRgtu0m0~eQ7U7B8RB% z2TY~hi)6QGsw3)TtK}@%^}@GH1ZtYJH}C+EQ+=SQkkN4!zJ+rj{51qObYsO@hM;KN z`{{2zNH+Ko8BqVUAggwq5-$jr(u7m6Z zPJxd$7V2kyZoepgcP}-FC4y@!Mo`bDpI)hlDW+to2|yA!T!@n7bL_^}Dq{4tJ(^m2(XztGU; z9~9~Q@Wa{JT6;34DY+G3nX8*MJd>SGG<7K9)Xk3&)QAowtgEA(-RFDx`CPC?tF`vi z71yFk)53Etqy$cqJ4g51pqo2_5Pasg;sd*^(KGPOW zsK!adGFJ@#Q;TZK_tSY+b1kJZ{HhhgdpciaO&)8W3<|m?2dT+urm5vi=()^foN?NK 
z!!(>0iO<^Jw20@j(?3Q99^xm+H*Jes#rRjj-WFRO6^674%b3CSYFnz81UpNy?H>{h z4!V@r9kvARA`eoXJwQZp3tq7eDMnzk+NL3@W0OhjaGqBIb@ZQX=ga>@Z!2N%=to|= zi=sZZtj$=MCpAp|aq=!wep&B%Dw(vN{c32_wB1j}qp2WD7O(f4>AGa$yevFl8Plp8 z*eJeBzLsR7amuZS7+Sbbn@vbwuLbA@Hp$U!UF^-Dp}U@**+(!{FPh}XJEMplmsiBP zgU70cDl!omG3!lsaVaFa6y3ZeyZ@(cNSn2bCw}phOD1h@3C3Hl!B?HC?VZ@nZp*&M zYzH;VLg=;pZb+~P%5Ym?oE<&<)h$^CejjDwS|41`Vjo}LrFS^W9%HuEMbVyOte(c$ z9kl1XZPdkRc573w$l16*W6;PkM7xsSVx#V(;0zd&X8v6J@X1+z>jnX;C(v8&_-zfD z(w!)joNm*sx*Z-!?CzEy<;jsaHf{LysrZvbWnH_0bh0gP4qb{0nDV32Hj$J+W>P3; zcUV&(pa}Pb);Ew#_VCO#Tv?m6N661F*KK3TSBYO4f9UqEz=^85n!yVPvTy`)JO-gw zc0<89OOwp1=G%zmwf_Rj!bvO(v?+s+=MF}O?XNkkNm&yIc|B}j%3vAFj9UjDZb-*oW`TtZ5M(ft znSxjwsWjHBS(jJHa71iz?o>T^7z~4Kj3`en)aD&I2)m^@!_J9IX}0C^Up&yaHuR>z z-Th~Kp1QNfQJ49bR~?}i7oJOIFnPjrD)htXkn9{EDNOPrK0g3CF=kT@aeC3Cy0Z=l zM_iws?1^qfki)?Srx?UsHOcxO_BV0tVLU$j_&rPih|p|V$2aYmCdyUG6Sh{xxb{pH zfs@eaaH2k$G$TwH*PU%qU=l&M*C*$2gLL+owp$<1;Z{#aCk_3dGAVZ784M{8(sjC! zPlZ?)$qX28d>Q1U28KFYBv&H)GwG1~gKzicQqaiHB_Hqkg`U>ukR4tqe^pdxRw4*O z@W0ad(M&X6P|BlTmC;D-D%)=Ue!15#Xz943f;KK2lZ?uZM5N%8h5$qiE)jvv3Q)CZ zPLS6fzv~U_hW(b4R+;@CH7aF5a+;H(W5khbN%gyiX+j*?W@>J+E8R(I@yz9`9Q1#f z{VZ#Du|1Z&4!XWgDkq542O3p?Ex_ORVSpV@rQ;`=MNjfF1*Li#G~CCz9lFXssb?M* z`OOdTy^Gj4pPEBUf*Jt0)3RF&JO&VRW-2)`YnXOTNq-2Fb)P`mx`ELm+^c#kf(cAJ zNsp!M1V@N}`(?OzD{TwxK!q#v(|mB--J_+${y!4_XhwJkq!m0gHq?wF{C72A NX+76dZ%~Cr{10pe`R4!t 
diff --git a/Packs/FeedFeodoTracker/Integrations/FeedFeodoTrackerIPBlocklist/FeedFeodoTrackerIPBlocklist_image.png b/Packs/FeedFeodoTracker/Integrations/FeedFeodoTrackerIPBlocklist/FeedFeodoTrackerIPBlocklist_image.png index 22ad570c572a5b5652390adfe1009c3617a91ebe..46e8a92122112bd7f508a959797084e120656419 100644 GIT binary patch literal 4614 zcmV+h68Y_kP)AS9hI;ctA#uOD@&IkK?A-}ZgO*TZ|*&3|MTs0^SHSrmsA7GvG-f+ z`T-^3EES)uI zDN^vy@t7IIx*z>c5sNq3Az!aOwev0VlIo3@@nr=!OA@p3cndLkgdo90$MI*sCAnhk z3#kVyD=RJfn!yoYz$Ee$b-;o&=zG|7q&j5cwk-HhvH$07xXVfM^dltY_b^a)mwt&X z{Fy2gO?ElmQzkuGy!7C`J3i~|Xz>tsh#T;9SsXV+QiRE}-kdOU=2IW7PkXL$d1WxR zh1ctqRU>L{Wg*sK%&YBALeJC2)ljOjlIf-s(?j=CCA~^tGdL2|y#Zk!jW1Lr4)oA= z585`y7qaYHu)Gach#XYhVY#hP&eO#!4lmf@ zizC^F>otsZ9D+%Ql*XXn7|1J^NtO@I3QnOdbCxvD?Gp0tku@_xb0gYb0ggUL(N<>T z6=)5H6Ssnsf581(DA%6x|5@~%`g?ZO(ANmP3s`Vv&5x_rQy*YO_|e0QtEv;Vk>c_j z6pJElJ%Z%_O2a+((2pxW>Zt$rZwt1xImKGI?eCM2b7Y&j3&qdJk!gWIOW^kH@~a;y z%19e%O$PBtK{f|2F8 z8v6YXOr=W)|1{_6{AGt1RQu>_0!fzuxB6U%zPgE5b7FLBKzOqJdA^?_7H~2i z4P14mCF^@?clgXCgaq|&lrzrNig7{WLWk4FI^1`X_Pa#iVntWlRcUexwRF?eoXd7&q^ zfDQg*bMxE3KYriwZVTmbil3qF?AS8J>JM3sf!|kqtIde1+=9gzq203-Cy(BN>24g9x*d-u7Th5Wx*QogDW%S$l6xB#DQ+W2i8-JYI%~e5fHf?^ zO-R~;NSLxs$=|T~QtZ}Bh4DVpiq>0SW-}y|45OXi+FcP_cXfGDhGnV2P|V@NY8whm z78xJ5_}&?o?i!Bzj|ZmmFkfhl44EJN@xHx&)L+fg%2p2Jv+PqXC%cWyEOIKQk21n? 
zsO55fj3lz5Cw{Jf=9bHyLDg1!*UQcN|0xx>jtWJbLzLw>b#(D|dkbkNtu!XB_QOvD z<42~Aa2qc1Mi2B7S@1iUY_~Xx`M*6tW%jgJtVi4CZf)Uev)rF_?n@zDo!O>!(OxG^UwI;+CL%OoWZ~;QrmF zk!fp(DdQS4%Sqw^?@!H$9raI=`;@%8c1zq8~|v2N=Q( zOemkZq-Npn_gH>oEQ!#fyy5AMFp3!w71;|C>*D8@D2v`$*Y_-Xd7>=ZA(0akeTYRG z2qBEh-Gilv%$B33n)_V08{LL6f^|?6cD|kNCWgF zE5l`cM+xhf(6(o5=0AUMLPgPy!sLGzk{`Cn+E3E)3ov^>a)M>l6iEZU+cCcyV)Nfs zEB~RVxh1mTenV@-3cFq6Em-k5*qX=RkUkd0Z^yUOT8=d7hUkCdRQ;WM`y^m!zKhWh z?l}$rp0Jod*5wfNpG3Q5W`*Q5+$zuO45nlSU8O7<0!t6VNp}+`ElPb{19rV`xZ zkgh`q?~cBJ$t^9=`{;Kw8vUzc-0%k-{k~l`=jAX5iwqa(to$H^bUO>VJ@W(qmiG4N zbi2F_(`*4lfvyt{^%J})+)=ae`HePfCcFoUH#l-;XFc+a@#O^-P^!mM&$V31(ye>> zp}#+`S-9sN>IIi1i+=Ny-A(X@b-Vi z(D&fat!xZGlv`GKSh9Qu3hPr&m%F__Xi?Cgh{a1HVEvBRY76hj;vXk_A?3mer3EuQ z-uWrIdd`+P#vqmcJ>j6Gq~kP+x0S{Fdm}gYiLvg)-LUqBnByuv4_)W*H|qRS8U!ADglJJhY=&C@O?t+-?^4G*T!bm`R)tr-i}j_1 zxLdEaMH^1B4_ez()d!JtZPy-M@lxRM;ujinON)Mh4b(QQwUxGf6Lie=sSGZ^M{aA)WZaeWGcN|dq-8baFttHOnt#6iNPJHTeRzF?#9BU zn9x!P>ShRfAnCVHQ6S^R$qrU^gj=sRSAan|<4>T$f(e^}3a^aM~piPSyPrOJ^Pp2y;(7cLM@# zr~T=!_Y9|6IiYOk|EP$V1nLt}^|G#4rum$77|*5oLr+cIIOA1I%FC@%wF9&}U98)m zwl$m?9EU@kUtzm-he>L$LB;~vD$8@r3#y<8&;+5V z9B5MJ-(#O^^NVdw$l)?VW73=rm2+c{_;&Zm$7>6B={US-+|x7uDJ9~#nG9hIh8DJ4Kn6IoM5nz*Op((~zC-1FDx*`zCIgv4s7`YGl^M z(4A-DCAK1F+Lot1QeH(tAzNahlJXx>cRbQ!olVbjM?y+H=@#b4uVXtk&O67OI-(8l z&-t1oi}t)W@#$HGN?G$@&2y26VXtphIIn6Bh8o>xDCjIZ=Zt(#NhFa(5=kVHL=s6P zkwg+nB#}fCe+dxu6@=I8?eV!k`mb8G%D%5&z1ptRpW5l?uM%Q;{IckmchL_#;1%h3 zVd#C#%X-mTTU)!nkH7+^rKNE^vw9N2V6d~DQfZW)PIiBv&zCKwYbg#1Dp1uxe0=BfY6nD0pSgA(e65FQ(85wC6O-)TZ zOG-*?-dC(xVbjq_Nl9VREJPCpiUo_Tl`B{7)U;z2)tsp$F^Wy1hFJefS{RM|!;0`*tK7*1hZ4s^O zr4aLQa#`FHZ5u+I%*-56p)aj4J@FfeDz`m`0L_junwwj_dJek0rKNQ#%0AcQz{|{{ ze!@i)Fyfqe@WBTK7}u_brR0Vl8**TizS>>Vzr?$8{l8^co8VisEEU$jL)r{A*rwg8 zzLXTOdeLClDRpN_$!{8BxrllNS-tMDHJi^H8eW7b`W>_uHk#*KN`4bpF5>?VQ}Je4 zX#5mqC(4ytqntN#`tS$GY`pvZgw@|CNQgdth78uU*=E#}AD>l$Kd8&a)@aB?hen|c9u$+E0! 
zDUFkc77mFDqO@n$t@AcKaQ_M)gw@a+|Cpi&LjJD(EJZ^HznX@fD1rgW_J?;+1~Ci5 zYmi6)?YT3Zb2uD17&{+zzV++Zcy;-*Wh?eeI{yRwFM^9EU?IhArrCC+ec^kBc5V8O zh1raSIVYvF7>QZ6O~d{qG9_F8giHx#fB9j%v-TL<9>)R0*HIT6XQ4cLVNYshfMt~= z+Hz%QYljf}J40AYSddpxARomG=)yDIv3A{>&UQK z^0#|4LCa0kp#^R)LDYo{f;XW4!bNk@%x2StgsXw9d$hhF1ic?&rHty%O3TR7ZV_&B zpCB=*QxfSEcIB-^G~h(5hTVMFo>eWCR%T+5?zuFVHxCt0$+qNZissjX2b zCs^=R9qsJwmw7q#f0nL;C2U1PlhZynYs+3&vTg?!yxugd^5}?SKa!?-$m(-qc&7+O za+p=QPJXZ~zZ6W-n5`_teDSxMJ_L~8`@Fjl%P+jriHKl(%VX+&Ia9TX`RZ{@sq9}O zXdW?-5*^l{=qI2YSw!@u_tRf#Xjg~J6IbTxbb;r$_fX$ydlJ>fkI@q^eI2JKetVUYuf4@x8XR{M|HtdL0moU-J+IXK=*WaeON=BK)hdR-6FU}O51;z`oskf2y z|MH4L-TZv-+J~@RhW-#9%ZLvm2F@kiV%ljodoPiUTwX$k|Q1YK}->);1E_karg;SoR2ARq31$$L6i$&9NGy=J}iF$ zvitSbYDO%nJW7o+o*PPlDoQ`a5Ri_Uv-<2ZJ-A5E^&rZ9YHfv0^3(wBo@E#^ zaF}5DTD#nYtXDQ{&(O-`R@tt(Q0sF3`bjHaEeQ2A=LV->M!AaB@|p)riD0}k%n%Ui z=v`#}i^|K2_=Zb}5FEGTK&=x@a5cnLYytZTJs0Y`rz6}l#y~~xFQ-X!FJXCgb@j7- zgB?|m!UdJEdzJHBD(EBEpzcsRcU7SZ!@Vr+>T_1^r5Iv@MYmdUp2+Zdri(FYRF?Bl ziV^yYDQ*iLTF;i$kO<_&0l)nw5{i)2c(v#pv_{)zp2~&4}5#37Teu3*H(u5cn zHm<8M?5VKJ#H+%Em&LGdcn$DP#w^`y+1X zpS!7uaX*Fxsn9c+QiYcJu)fD2_V*__GP}==AZg!6*MCu?cDC<}P_Hc(XxKbOo`E^a zTX;sSo)ckU!yJyd6iP7_{AmgkYx|QfJmGJQH7L;_JJTh#`^nm(zqZL?AX+mGh1REw z!z^z4VaekJQ3vK1z_f9eyxP+8Bep+3-wo--i&Wxg2TxczHx`vf*{R>x%NzYUdlXet zz<3WRb z$NJ>=06Haz9K2r~)vS)=K2q!WVAJ{<625_L{ydZHx|Nt0Rv%OZ&x4Azp~R^|9q_RJ-FQ>M<* z(Mva-9@@;yZ9j(PY(?(FBV_$sNwrY=R+CjC4urNKb`cQqhcG(94#f5q5$cm3)a6@T-F*~n`D3XC6lwOZ=9S$@)bt~{HlZ7d-N zGvUYr36qQ#pQ~ugGfKl1rV|Hy4xEfvqfV(hECJCQ2)_&e%dZH?8g-6hKBgw-a16zw zO*j`k@`Ct|Rfw8q`c4Ppzx}B9XzFNUl2O0t)*3$o%gY8=q*jQ9uxf{=9o>}N445_K zcq9ejzmYR%!>U-6NmuaIjFeJ<6K+JuHmC~nN#amd_e!*9vw5#%Ea*_?bErRY2$)AV z@ue|d4^rnuNbow)BfQU534)q5M!)hTH3s|5rD9p#co7aEuXotZ(=WqV<<>G~2A&DU z+9&cw$grbeXqC}GKD*|Agsf&9TToc=G4^5~bs^-%7XVv24xY%^hTMxAZL->dq0H#H z!Fm?nD@=3V69y3>Cox|s0D&q)+48XPDa&NFbz5T(HzK>@%X@H-%?5i5cx#1fjHd@r zd}SV6Ok*I61mD@cZyc3M4^ReW?nm~Y^=5FCrG%2F_7oRT_~S4&K`lK2mSdOvoU09% z$A(5VU|N&l*i3qVdHi)edO>nw--teRon&9tG%*>HN^lY{n8{_2d%B97WFi9p>mJW* 
zz4-D<#(J6WybKpA>Cmbe4;PpM_*NzeS7dWBQbE}m(b<~aC)rH0A;%)v88v~74DuMq z^c9G}@4$oG+BPXBi5w?Oivept$iuj&rtunpX?< zk2up;W4-E|?o}L?=AtAt9us< z_JeMKVXWlE3EKQrz0Gt3v>!kwc<1w5GXrx#wuM; zTndO=6eVVK+tAV25f<*0>ZZS;Zfan%I4SCrf%DcuQiM>1|w2mNt@h~ z&h-USBqDK@As=D=y_+9I4UJRnJr4s1bq6hmzu;1B$Cee8lPUa%1a_;uw0c7mIU0Hi zqnP>z3>$gNJfuRKbyw{AA(CGuA}~jElki7DYKi7Q#~pIMtTbXmiPcF}sy*RQ;QGqHmNM{%V(YGz5Nx0CoJl z8);ZIi%4FLrJF>WatiZugFjs1EujxGhy{xChW}_$D(4wsyM6&+2Jzy7$Ht(K%vvI| z^RC^K8|CJ1qx?b+2f8LkEFbQIwmQqxVgO%NGax5!Ur%)#S(ZAgKW(&p2z?hc!iYTc zPCYrHamm~ts91t&6SMbSg@=0=_W}D@@2-bO6M)=KeCEf7eh(C71{6y;BqcQV%sMPw1<9|i8q7nm7moyM(aU>ZNIY>HJ!)zTZ+&WtOe52e{~iO?)<<>`*e~ZN{`f zC8alaV=_sr-QTX*NspgC#o<#Ra3x(Ndx%|{nb454l+V|sNvRgtu0m0~eQ7U7B8RB% z2TY~hi)6QGsw3)TtK}@%^}@GH1ZtYJH}C+EQ+=SQkkN4!zJ+rj{51qObYsO@hM;KN z`{{2zNH+Ko8BqVUAggwq5-$jr(u7m6Z zPJxd$7V2kyZoepgcP}-FC4y@!Mo`bDpI)hlDW+to2|yA!T!@n7bL_^}Dq{4tJ(^m2(XztGU; z9~9~Q@Wa{JT6;34DY+G3nX8*MJd>SGG<7K9)Xk3&)QAowtgEA(-RFDx`CPC?tF`vi z71yFk)53Etqy$cqJ4g51pqo2_5Pasg;sd*^(KGPOW zsK!adGFJ@#Q;TZK_tSY+b1kJZ{HhhgdpciaO&)8W3<|m?2dT+urm5vi=()^foN?NK z!!(>0iO<^Jw20@j(?3Q99^xm+H*Jes#rRjj-WFRO6^674%b3CSYFnz81UpNy?H>{h z4!V@r9kvARA`eoXJwQZp3tq7eDMnzk+NL3@W0OhjaGqBIb@ZQX=ga>@Z!2N%=to|= zi=sZZtj$=MCpAp|aq=!wep&B%Dw(vN{c32_wB1j}qp2WD7O(f4>AGa$yevFl8Plp8 z*eJeBzLsR7amuZS7+Sbbn@vbwuLbA@Hp$U!UF^-Dp}U@**+(!{FPh}XJEMplmsiBP zgU70cDl!omG3!lsaVaFa6y3ZeyZ@(cNSn2bCw}phOD1h@3C3Hl!B?HC?VZ@nZp*&M zYzH;VLg=;pZb+~P%5Ym?oE<&<)h$^CejjDwS|41`Vjo}LrFS^W9%HuEMbVyOte(c$ z9kl1XZPdkRc573w$l16*W6;PkM7xsSVx#V(;0zd&X8v6J@X1+z>jnX;C(v8&_-zfD z(w!)joNm*sx*Z-!?CzEy<;jsaHf{LysrZvbWnH_0bh0gP4qb{0nDV32Hj$J+W>P3; zcUV&(pa}Pb);Ew#_VCO#Tv?m6N661F*KK3TSBYO4f9UqEz=^85n!yVPvTy`)JO-gw zc0<89OOwp1=G%zmwf_Rj!bvO(v?+s+=MF}O?XNkkNm&yIc|B}j%3vAFj9UjDZb-*oW`TtZ5M(ft znSxjwsWjHBS(jJHa71iz?o>T^7z~4Kj3`en)aD&I2)m^@!_J9IX}0C^Up&yaHuR>z z-Th~Kp1QNfQJ49bR~?}i7oJOIFnPjrD)htXkn9{EDNOPrK0g3CF=kT@aeC3Cy0Z=l zM_iws?1^qfki)?Srx?UsHOcxO_BV0tVLU$j_&rPih|p|V$2aYmCdyUG6Sh{xxb{pH 
zfs@eaaH2k$G$TwH*PU%qU=l&M*C*$2gLL+owp$<1;Z{#aCk_3dGAVZ784M{8(sjC! zPlZ?)$qX28d>Q1U28KFYBv&H)GwG1~gKzicQqaiHB_Hqkg`U>ukR4tqe^pdxRw4*O z@W0ad(M&X6P|BlTmC;D-D%)=Ue!15#Xz943f;KK2lZ?uZM5N%8h5$qiE)jvv3Q)CZ zPLS6fzv~U_hW(b4R+;@CH7aF5a+;H(W5khbN%gyiX+j*?W@>J+E8R(I@yz9`9Q1#f z{VZ#Du|1Z&4!XWgDkq542O3p?Ex_ORVSpV@rQ;`=MNjfF1*Li#G~CCz9lFXssb?M* z`OOdTy^Gj4pPEBUf*Jt0)3RF&JO&VRW-2)`YnXOTNq-2Fb)P`mx`ELm+^c#kf(cAJ zNsp!M1V@N}`(?OzD{TwxK!q#v(|mB--J_+${y!4_XhwJkq!m0gHq?wF{C72A NX+76dZ%~Cr{10pe`R4!t diff --git a/Packs/CommonTypes/IndicatorFields/incidentfield-mitreexternalreferences.json b/Packs/FeedMitreAttack/IndicatorFields/incidentfield-mitreexternalreferences.json similarity index 96% rename from Packs/CommonTypes/IndicatorFields/incidentfield-mitreexternalreferences.json rename to Packs/FeedMitreAttack/IndicatorFields/incidentfield-mitreexternalreferences.json index ea08d4088d11..f170ec13220b 100644 --- a/Packs/CommonTypes/IndicatorFields/incidentfield-mitreexternalreferences.json +++ b/Packs/FeedMitreAttack/IndicatorFields/incidentfield-mitreexternalreferences.json @@ -30,13 +30,6 @@ "mergeStrategy": "", "hidden": false, "associatedTypes": [ - "Domain", - "IP", - "IPv6", - "CIDR", - "IPv6CIDR", - "File", - "URL", "MITRE ATT&CK" ], "systemAssociatedTypes": null, diff --git a/Packs/FeedMitreAttack/Integrations/FeedMitreAttack/FeedMitreAttack.py b/Packs/FeedMitreAttack/Integrations/FeedMitreAttack/FeedMitreAttack.py index 2770f11e9c43..4a5301db5c76 100644 --- a/Packs/FeedMitreAttack/Integrations/FeedMitreAttack/FeedMitreAttack.py +++ b/Packs/FeedMitreAttack/Integrations/FeedMitreAttack/FeedMitreAttack.py @@ -1,6 +1,6 @@ import demistomock as demisto -from CommonServerPython import * # noqa: E402 lgtm [py/polluting-import] -from CommonServerUserPython import * # noqa: E402 lgtm [py/polluting-import] +from CommonServerPython import * +from CommonServerUserPython import * from typing import List, Dict, Set import json 
@@ -359,36 +359,41 @@ def reputation_command(client, args): all_indicators: List[Dict] = list() page = 0 size = 1000 - raw_data = demisto.searchIndicators(query=f'type:"{client.indicatorType}" value:{input_indicator}', page=page, - size=size) - while len(raw_data.get('iocs', [])) > 0: - all_indicators.extend(raw_data.get('iocs', [])) - page += 1 - raw_data = demisto.searchIndicators(query=f'type:"{client.indicatorType}" value:{input_indicator}', page=page, - size=size) - for indicator in all_indicators: - custom_fields = indicator.get('CustomFields', {}) - - score = indicator.get('score') - value = indicator.get('value') - indicator_id = indicator.get('id') - url = indicator_url + indicator_id - md = f"## {[value]}({url}):\n {custom_fields.get('mitredescription', '')}" - ec = { - "DBotScore(val.Indicator && val.Indicator == obj.Indicator && val.Vendor && val.Vendor == obj.Vendor)": { - "Indicator": value, - "Type": client.indicatorType, - "Vendor": "MITRE ATT&CK", - "Score": score - }, - "MITRE.ATT&CK(val.value && val.value = obj.value)": { - 'value': value, - 'indicatorid': indicator_id, - 'customFields': custom_fields + raw_data: dict = demisto.searchIndicators(query=f'type:"{client.indicatorType}" value:{input_indicator}', + page=page, size=size) + if raw_data.get('total') == 0: + md = 'No indicators found.' 
+ ec = {} + else: + while len(raw_data.get('iocs', [])) > 0: + all_indicators.extend(raw_data.get('iocs', [])) + page += 1 + raw_data = demisto.searchIndicators(query=f'type:"{client.indicatorType}" value:{input_indicator}', + page=page, size=size) + for indicator in all_indicators: + custom_fields = indicator.get('CustomFields', {}) + + score = indicator.get('score') + value = indicator.get('value') + indicator_id = indicator.get('id') + url = indicator_url + indicator_id + md = f"## {[value]}({url}):\n {custom_fields.get('mitredescription', '')}" + ec = { + "DBotScore(val.Indicator && val.Indicator == obj.Indicator && val.Vendor && val.Vendor == obj.Vendor)": { + "Indicator": value, + "Type": client.indicatorType, + "Vendor": "MITRE ATT&CK", + "Score": score + }, + "MITRE.ATT&CK(val.value && val.value = obj.value)": { + 'value': value, + 'indicatorid': indicator_id, + 'customFields': custom_fields + } } - } + raw_data = {'indicators': all_indicators} - return_outputs(md, ec, score) + return_outputs(md, ec, raw_data) def main(): diff --git a/Packs/FeedMitreAttack/ReleaseNotes/1_0_5.md b/Packs/FeedMitreAttack/ReleaseNotes/1_0_5.md new file mode 100644 index 000000000000..b1d3b7ad90aa --- /dev/null +++ b/Packs/FeedMitreAttack/ReleaseNotes/1_0_5.md @@ -0,0 +1,4 @@ + +#### Integrations +##### MITRE ATT&CK Feed +- Fixed an issue where a non existing indicator query using the ***mitre-reputation*** command did not return result. diff --git a/Packs/FeedMitreAttack/TestPlaybooks/playbook-Mitre_Attack_List_2_Indicators_Feed_Test.yml b/Packs/FeedMitreAttack/TestPlaybooks/playbook-Mitre_Attack_List_2_Indicators_Feed_Test.yml index 2fd6d3437f67..cdaf0ab61506 100644 --- a/Packs/FeedMitreAttack/TestPlaybooks/playbook-Mitre_Attack_List_2_Indicators_Feed_Test.yml +++ b/Packs/FeedMitreAttack/TestPlaybooks/playbook-Mitre_Attack_List_2_Indicators_Feed_Test.yml 
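Review bot: `md` and `ec` are only bound inside the `for indicator in all_indicators:` loop, so when `raw_data.get('total')` is anything other than `0` (for example the key is absent and `.get` returns `None`) but the paging loop collects no `iocs`, the new `return_outputs(md, ec, raw_data)` raises `UnboundLocalError`. Setting the defaults before the branch — `md = 'No indicators found.'` and `ec = {}` — and dropping the `else` keeps the fall-through case safe. The loop also overwrites `md`/`ec` on every iteration, so only the last matching indicator is reported; if several matches are expected they need to be accumulated. `input_indicator` is interpolated unquoted into the `searchIndicators` query, so a value containing query syntax alters the search rather than being matched literally; quoting it (and escaping embedded quotes) would be a sensible hardening. `reputation_command` begins before this hunk.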
@@ -5,15 +5,14 @@ starttaskid: "0" tasks: "0": id: "0" - taskid: 84bd5c2a-7ed5-4ac8-8e40-0a35f00ee98a + taskid: 59581c2f-91b8-4647-806a-f72810eb1003 type: start task: - id: 84bd5c2a-7ed5-4ac8-8e40-0a35f00ee98a + id: 59581c2f-91b8-4647-806a-f72810eb1003 version: -1 name: "" iscommand: false brand: "" - description: "" nexttasks: '#none#': - "2" @@ -21,7 +20,7 @@ tasks: view: |- { "position": { - "x": 50, + "x": 265, "y": 50 } } @@ -32,10 +31,10 @@ tasks: quietmode: 0 "1": id: "1" - taskid: f1ae0fa4-4cfa-4194-8dac-3964fa213d3b + taskid: cdbecdbb-bab3-418a-8b12-8d1338e2b265 type: regular task: - id: f1ae0fa4-4cfa-4194-8dac-3964fa213d3b + id: cdbecdbb-bab3-418a-8b12-8d1338e2b265 version: -1 name: mitre-get-indicators description: Retreives a limited number of the indicators . @@ -54,7 +53,7 @@ tasks: view: |- { "position": { - "x": 50, + "x": 265, "y": 370 } } @@ -65,10 +64,10 @@ tasks: quietmode: 0 "2": id: "2" - taskid: e3634256-778d-465d-848a-2980aaf7ff41 + taskid: 90b52ed3-6655-4611-8066-790e4c7aff5a type: regular task: - id: e3634256-778d-465d-848a-2980aaf7ff41 + id: 90b52ed3-6655-4611-8066-790e4c7aff5a version: -1 name: DeleteContext description: Delete field from context @@ -90,7 +89,7 @@ tasks: view: |- { "position": { - "x": 50, + "x": 265, "y": 195 } } @@ -101,19 +100,20 @@ tasks: quietmode: 0 "3": id: "3" - taskid: 6a74b4aa-f80c-4921-860b-9434d8e6e6de + taskid: b9fc5ae5-9c1f-48e0-82b5-cafaf147a619 type: condition task: - id: 6a74b4aa-f80c-4921-860b-9434d8e6e6de + id: b9fc5ae5-9c1f-48e0-82b5-cafaf147a619 version: -1 name: Indiactors found type: condition iscommand: false brand: "" - description: "" nexttasks: + '#default#': + - "6" "yes": - - "4" + - "5" separatecontext: false conditions: - label: "yes" @@ -134,7 +134,7 @@ tasks: view: |- { "position": { - "x": 50, + "x": 265, "y": 545 } } 
@@ -145,21 +145,81 @@ tasks: quietmode: 0 "4": id: "4" - taskid: 080b69a4-a2bf-44b2-8837-b72fd78de834 + taskid: 731b40ee-d7e6-4810-8f0e-8ee8433f5999 type: title task: - id: 080b69a4-a2bf-44b2-8837-b72fd78de834 + id: 731b40ee-d7e6-4810-8f0e-8ee8433f5999 version: -1 name: Complete type: title iscommand: false brand: "" - description: "" separatecontext: false view: |- { "position": { "x": 50, + "y": 895 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + "5": + id: "5" + taskid: ba18d85d-fa0f-473b-894c-1014b7b858d9 + type: regular + task: + id: ba18d85d-fa0f-473b-894c-1014b7b858d9 + version: -1 + name: mitre-reputation with non existing ID + description: Lookup reputation in the indicators. + script: MITRE ATT&CK|||mitre-reputation + type: regular + iscommand: true + brand: MITRE ATT&CK + nexttasks: + '#none#': + - "4" + scriptarguments: + indicator: + simple: T153111 + separatecontext: false + view: |- + { + "position": { + "x": 50, + "y": 720 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + "6": + id: "6" + taskid: e5f7d1d2-e80b-4516-8027-326c08046dd4 + type: regular + task: + id: e5f7d1d2-e80b-4516-8027-326c08046dd4 + version: -1 + name: Print error from get-indicators + description: Prints an error entry with a given message + scriptName: PrintErrorEntry + type: regular + iscommand: false + brand: "" + scriptarguments: + message: + simple: mitre IOCs not found + separatecontext: false + view: |- + { + "position": { + "x": 480, "y": 720 } } @@ -173,8 +233,8 @@ view: |- "linkLabelsPosition": {}, "paper": { "dimensions": { - "height": 735, - "width": 380, + "height": 910, + "width": 810, "x": 50, "y": 50 } @@ -182,5 +242,3 @@ view: |- } inputs: [] outputs: [] -fromversion: 5.5.0 -description: "" diff --git a/Packs/FeedMitreAttack/pack_metadata.json b/Packs/FeedMitreAttack/pack_metadata.json index 5aa184d292f3..1d841e5613e3 100644 
--- a/Packs/FeedMitreAttack/pack_metadata.json +++ b/Packs/FeedMitreAttack/pack_metadata.json @@ -2,7 +2,7 @@ "name": "MITRE ATT&CK", "description": "Fetches indicators from MITRE ATT&CK.", "support": "xsoar", - "currentVersion": "1.0.4", + "currentVersion": "1.0.5", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/FeedOffice365/Integrations/FeedOffice365/FeedOffice365.py b/Packs/FeedOffice365/Integrations/FeedOffice365/FeedOffice365.py index b85b184b8ca2..537ccc5acd53 100644 --- a/Packs/FeedOffice365/Integrations/FeedOffice365/FeedOffice365.py +++ b/Packs/FeedOffice365/Integrations/FeedOffice365/FeedOffice365.py @@ -1,4 +1,4 @@ -from typing import Dict, List, Tuple, Any, Callable +from typing import Dict, List, Tuple, Any, Callable, Optional import uuid import urllib3 @@ -37,7 +37,7 @@ def build_urls_dict(regions_list: list, services_list: list, unique_id) -> List[ return urls_list -class Client(BaseClient): +class Client: """ Client to use in the Office 365 Feed integration. Overrides BaseClient. Office 365 IP address and URL web service announcement: @@ -45,13 +45,15 @@ class Client(BaseClient): https://techcommunity.microsoft.com/t5/Office-365-Blog/Announcing-Office-365-endpoint-categories-and-Office-365-IP/ba-p/177638 """ - def __init__(self, urls_list: list, insecure: bool = False): + def __init__(self, urls_list: list, insecure: bool = False, tags: Optional[list] = None): """ Implements class for Office 365 feeds. :param urls_list: List of url, regions and service of each service. :param insecure: boolean, if *false* feed HTTPS server certificate is verified. Default: *false* """ - super().__init__(base_url=urls_list, verify=not insecure) + self._urls_list: List[dict] = urls_list + self._verify: bool = insecure + self.tags = [] if tags is None else tags self._proxies = handle_proxy(proxy_param_name='proxy', checkbox_default_value=False) def build_iterator(self) -> List: 
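Review bot: `self._verify: bool = insecure` stores the *insecure* flag under a name that reads as the verification flag, whereas the replaced `super().__init__(base_url=urls_list, verify=not insecure)` passed the negation; unless the request site (outside this hunk) uses `verify=not self._verify`, certificate verification is now off by default and only on when the user ticks "insecure". Storing `self._verify: bool = not insecure` keeps the documented contract ("if *false* feed HTTPS server certificate is verified"). The class docstring still says "Overrides BaseClient." although the base class is removed in the preceding hunk, and the `__init__` docstring lacks the new parameter; add `:param tags: list of tags attached to each indicator's fields.` and drop the stale sentence.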
@@ -61,8 +63,8 @@ def build_iterator(self) -> List: A list of objects, containing the indicators. """ result = [] - for feed_obj in self._base_url: - feed_url = feed_obj.get('FeedURL') + for feed_obj in self._urls_list: + feed_url = feed_obj.get('FeedURL', '') region = feed_obj.get('Region') service = feed_obj.get('Service') try: @@ -76,9 +78,9 @@ def build_iterator(self) -> List: indicators = [i for i in data if 'ips' in i or 'urls' in i] # filter empty entries and add metadata] for i in indicators: # add relevant fields of services i.update({ - "Region": region, - "Service": service, - "FeedURL": feed_url + 'Region': region, + 'Service': service, + 'FeedURL': feed_url }) result.extend(indicators) except requests.exceptions.SSLError as err: @@ -178,12 +180,13 @@ def fetch_indicators(client: Client, indicator_type_lower: str, limit: int = -1) indicator_mapping_fields["office365required"] = item.get('required') if item.get('notes'): indicator_mapping_fields["description"] = item.get('notes') + indicator_mapping_fields['tags'] = client.tags indicators.append({ - "value": value, - "type": type_, - "rawJSON": raw_data, - "fields": indicator_mapping_fields + 'value': value, + 'type': type_, + 'rawJSON': raw_data, + 'fields': indicator_mapping_fields }) return indicators 
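Review bot: `indicator_mapping_fields['tags'] = client.tags` attaches the same list object to every indicator, so a later in-place edit of one indicator's tags (or of `client.tags`) changes all of them; `indicator_mapping_fields['tags'] = list(client.tags)` gives each indicator its own copy. The quote-style changes in the two earlier hunks on this line are cosmetic. `fetch_indicators` begins and ends outside the hunk.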
@@ -226,17 +229,19 @@ def main(): """ PARSE AND VALIDATE INTEGRATION PARAMS """ + params = demisto.params() unique_id = str(uuid.uuid4()) - regions_list = argToList(demisto.params().get('regions')) - services_list = argToList(demisto.params().get('services')) + regions_list = argToList(params.get('regions')) + services_list = argToList(params.get('services')) urls_list = build_urls_dict(regions_list, services_list, unique_id) - insecure = demisto.params().get('insecure', False) + insecure = params.get('insecure', False) + tags = argToList(params.get('feedTags')) command = demisto.command() demisto.info(f'Command being called is {command}') try: - client = Client(urls_list, insecure) + client = Client(urls_list, insecure, tags) commands: Dict[str, Callable[[Client, Dict[str, str]], Tuple[str, Dict[Any, Any], Dict[Any, Any]]]] = { 'test-module': test_module, 'office365-get-indicators': get_indicators_command diff --git a/Packs/FeedOffice365/Integrations/FeedOffice365/FeedOffice365.yml b/Packs/FeedOffice365/Integrations/FeedOffice365/FeedOffice365.yml index 9de482c3712f..a572d8d2bf0e 100644 --- a/Packs/FeedOffice365/Integrations/FeedOffice365/FeedOffice365.yml +++ b/Packs/FeedOffice365/Integrations/FeedOffice365/FeedOffice365.yml @@ -75,6 +75,11 @@ configuration: name: feedFetchInterval required: false type: 19 +- additionalinfo: Supports CSV values. + display: Tags + name: feedTags + required: false + type: 0 - additionalinfo: When selected, the exclusion list is ignored for indicators from this feed. This means that if an indicator from this feed is on the exclusion list, the indicator might still be added to the system. 
@@ -92,7 +97,11 @@ configuration: name: proxy required: false type: 8 -description: The Office 365 IP Address and URL web service is a read-only API provided by Microsoft to expose the URLs and IPs used by Office 365. The Office 365 Feed integration fetches indicators from the service, with which you can create a list (whitelist, blacklist, EDL, etc.) for your SIEM or firewall service to ingest and apply to its policy rules. +description: The Office 365 IP Address and URL web service is a read-only API provided + by Microsoft to expose the URLs and IPs used by Office 365. The Office 365 Feed + integration fetches indicators from the service, with which you can create a list + (whitelist, blacklist, EDL, etc.) for your SIEM or firewall service to ingest and + apply to its policy rules. display: Office 365 Feed name: Office 365 Feed script: @@ -122,7 +131,7 @@ script: description: Gets indicators from the feed. execution: false name: office365-get-indicators - dockerimage: demisto/python3:3.8.3.8715 + dockerimage: demisto/python3:3.8.3.9324 feed: true isfetch: false longRunning: false diff --git a/Packs/FeedOffice365/Integrations/FeedOffice365/FeedOffice365_test.py b/Packs/FeedOffice365/Integrations/FeedOffice365/FeedOffice365_test.py index 1764de16c35e..478528792727 100644 --- a/Packs/FeedOffice365/Integrations/FeedOffice365/FeedOffice365_test.py +++ b/Packs/FeedOffice365/Integrations/FeedOffice365/FeedOffice365_test.py 
@@ -44,3 +44,26 @@ def test_commands(command, args, response, length, mocker): assert args.get('indicator_type') != 'IPs' else: # ip assert args.get('indicator_type') != 'URLs' + + +class TestFeedTags: + urls = [{ + "FeedURL": 'https://endpoints.office.com/endpoints/worldwide', + "Region": 'Worldwide', + "Service": 'Any' + }] + + @pytest.mark.parametrize('tags', [['tag1', 'tag2'], []]) + def test_feed_tags(self, mocker, tags): + """ + Given: + - tags parameters + When: + - Executing any command on feed + Then: + - Validate the tags supplied exists in the indicators + """ + client = Client(self.urls, False, tags) + mocker.patch.object(client, 'build_iterator', return_value=RESPONSE_DATA) + _, _, raw_json = get_indicators_command(client, {'limit': 2, 'indicator_type': 'IPs'}) + assert tags == raw_json.get('raw_response')[0]['fields']['tags'] diff --git a/Packs/FeedOffice365/ReleaseNotes/1_1_2.md b/Packs/FeedOffice365/ReleaseNotes/1_1_2.md new file mode 100644 index 000000000000..96911f76e78f --- /dev/null +++ b/Packs/FeedOffice365/ReleaseNotes/1_1_2.md @@ -0,0 +1,4 @@ + +#### Integrations +##### Office 365 Feed +Added the *Tags* parameter. diff --git a/Packs/FeedOffice365/pack_metadata.json b/Packs/FeedOffice365/pack_metadata.json index eb3ab5290bb3..ce418556145f 100644 --- a/Packs/FeedOffice365/pack_metadata.json +++ b/Packs/FeedOffice365/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Office 365 Feed", "description": "The Office 365 IP Address and URL web service is a read-only API provided by Microsoft to expose the URLs and IPs used by Office 365. The Office 365 Feed integration fetches indicators from the service, with which you can create a list (whitelist, blacklist, EDL, etc.) for your SIEM or firewall service to ingest and apply to its policy rules.", "support": "xsoar", - "currentVersion": "1.1.1", + "currentVersion": "1.1.2", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", 
diff --git a/Packs/FeedProofpoint/Integrations/FeedProofpoint/FeedProofpoint.py b/Packs/FeedProofpoint/Integrations/FeedProofpoint/FeedProofpoint.py index a45246362322..c172771e8c16 100644 --- a/Packs/FeedProofpoint/Integrations/FeedProofpoint/FeedProofpoint.py +++ b/Packs/FeedProofpoint/Integrations/FeedProofpoint/FeedProofpoint.py @@ -14,7 +14,10 @@ class Client(BaseClient): - def __init__(self, base_url, auth_code, **kwargs): + def __init__(self, base_url, auth_code, tags: list = None, **kwargs): + if tags is None: + tags = [] + self._tags: list = tags base_url = url_concat(base_url, auth_code, "reputation") super().__init__(base_url, **kwargs) @@ -104,12 +107,13 @@ def _build_iterator( yield item @staticmethod - def _process_item(item: dict) -> dict: + def _process_item(item: dict, tags: list) -> dict: return { "value": item["value"], "type": item["type"], "rawJSON": item, "fields": { + "tags": tags, "port": item.get("ports", "").split() if isinstance(item.get("ports"), str) else item.get("ports"), "firstseenbysource": item.get("first_seen", ""), "lastseenbysource": item.get("last_seen", ""), @@ -145,7 +149,7 @@ def get_indicators_domain(self) -> List[dict]: list of indicators """ return [ - self._process_item(item) + self._process_item(item, self._tags) for item in self._build_iterator_domain() ] @@ -156,7 +160,7 @@ def get_indicators_ip(self) -> List[dict]: list of indicators """ return [ - self._process_item(item) + self._process_item(item, self._tags) for item in self._build_iterator_ip() ] @@ -253,10 +257,11 @@ def main(): args = demisto.args() base_url = "https://rules.emergingthreats.net/" client = Client( - base_url=base_url, + base_url, auth_code=params.get("auth_code"), verify=not params.get("insecure", False), proxy=params.get("proxy"), + tags=argToList(params.get("feedTags")) ) command = demisto.command() demisto.info("Command being called is {}".format(command)) 
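Review bot: `tags: list = None` in `Client.__init__` declares a non-optional type with a `None` default, which type checkers flag as an implicit Optional; `tags: Optional[list] = None` states the contract (adding `Optional` to the `typing` import if the file does not already have it — the imports are outside this hunk). `_process_item` now stores the caller's `tags` list by reference in every indicator's `fields`, so all indicators share one object; `"tags": list(tags)` decouples them. The new parameter is undocumented; a one-line docstring such as `"""Map a feed row to an XSOAR indicator dict, attaching *tags* to its fields."""` would match the rest of the class.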
diff --git a/Packs/FeedProofpoint/Integrations/FeedProofpoint/FeedProofpoint.yml b/Packs/FeedProofpoint/Integrations/FeedProofpoint/FeedProofpoint.yml index daa47bb951de..b6d1d757f714 100644 --- a/Packs/FeedProofpoint/Integrations/FeedProofpoint/FeedProofpoint.yml +++ b/Packs/FeedProofpoint/Integrations/FeedProofpoint/FeedProofpoint.yml @@ -78,6 +78,11 @@ configuration: - domain required: true type: 15 +- additionalinfo: Supports CSV values. + display: Tags + name: feedTags + required: false + type: 0 - display: Trust any certificate (not secure) name: insecure required: false @@ -117,7 +122,7 @@ script: description: Gets indicators from the feed. execution: false name: proofpoint-get-indicators - dockerimage: demisto/python3:3.8.2.6981 + dockerimage: demisto/python3:3.8.3.9324 feed: true isfetch: false longRunning: false diff --git a/Packs/FeedProofpoint/Integrations/FeedProofpoint/FeedProofpoint_test.py b/Packs/FeedProofpoint/Integrations/FeedProofpoint/FeedProofpoint_test.py index f78867dc7666..2918fbde761a 100644 --- a/Packs/FeedProofpoint/Integrations/FeedProofpoint/FeedProofpoint_test.py +++ b/Packs/FeedProofpoint/Integrations/FeedProofpoint/FeedProofpoint_test.py @@ -1,3 +1,4 @@ +import pytest from FeedProofpoint import Client, fetch_indicators_command from CommonServerPython import FeedIndicatorType 
@@ -33,3 +34,24 @@ def test_fetch_domains(requests_mock): assert len(domain_globs) == 3 assert all(['*' not in ind.get('value') for ind in domains]) assert all(['*' in ind.get('value') for ind in domain_globs]) + + +@pytest.mark.parametrize('tags', (['tag1, tag2'], [])) +def test_feed_param(tags, requests_mock): + """ + Given: + - tags parameters + When: + - Executing any command on feed + Then: + - Validate the tags supplied exists in the indicators + """ + client._tags = tags + ip_path = "./TestData/detailed-iprep.txt" + with open(ip_path) as f: + data = f.read() + requests_mock.get( + "https://example.com/cool/reputation/detailed-iprepdata.txt", text=data + ) + indicators = fetch_indicators_command(client, client.IP_TYPE) + assert tags == indicators[0]['fields']['tags'] diff --git a/Packs/FeedProofpoint/ReleaseNotes/1_0_1.md b/Packs/FeedProofpoint/ReleaseNotes/1_0_1.md new file mode 100644 index 000000000000..9faded7ff93f --- /dev/null +++ b/Packs/FeedProofpoint/ReleaseNotes/1_0_1.md @@ -0,0 +1,4 @@ + +#### Integrations +##### Proofpoint Feed +Added the *Tags* parameter. \ No newline at end of file diff --git a/Packs/FeedProofpoint/pack_metadata.json b/Packs/FeedProofpoint/pack_metadata.json index 4c216e209953..9a0bcee01593 100644 --- a/Packs/FeedProofpoint/pack_metadata.json +++ b/Packs/FeedProofpoint/pack_metadata.json 
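Review bot: the parametrize value `['tag1, tag2']` is a single string containing a comma, not two tags; `['tag1', 'tag2']` is presumably what was intended, and as written the test only proves that the list is stored and returned unchanged. Assigning `client._tags = tags` on a module-level `client` (defined outside this hunk) mutates state shared by every later test in the module; building a fresh `Client(..., tags=tags)` per case avoids order-dependent results. The relative path `./TestData/detailed-iprep.txt` depends on the working directory; anchoring it on `os.path.dirname(__file__)` makes the test runnable from any cwd.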
@@ -1,16 +1,16 @@ { - "name": "Proofpoint Feed", - "description": "Detailed feed of domains and ips classified in different categories. You need a valid authorization code from Proofpoint ET to access this feed", - "support": "xsoar", - "currentVersion": "1.0.0", - "author": "Cortex XSOAR", - "url": "https://www.paloaltonetworks.com/cortex", - "email": "", - "created": "2020-03-09T16:35:16Z", - "categories": [ - "Data Enrichment & Threat Intelligence" - ], - "tags": [], - "useCases": [], - "keywords": [] + "name": "Proofpoint Feed", + "description": "Detailed feed of domains and ips classified in different categories. You need a valid authorization code from Proofpoint ET to access this feed", + "support": "xsoar", + "currentVersion": "1.0.1", + "author": "Cortex XSOAR", + "url": "https://www.paloaltonetworks.com/cortex", + "email": "", + "created": "2020-03-09T16:35:16Z", + "categories": [ + "Data Enrichment & Threat Intelligence" + ], + "tags": [], + "useCases": [], + "keywords": [] } \ No newline at end of file diff --git a/Packs/FeedRecordedFuture/Integrations/FeedRecordedFuture/FeedRecordedFuture.py b/Packs/FeedRecordedFuture/Integrations/FeedRecordedFuture/FeedRecordedFuture.py index c9b1c2c246d4..6a371b4943aa 100644 --- a/Packs/FeedRecordedFuture/Integrations/FeedRecordedFuture/FeedRecordedFuture.py +++ b/Packs/FeedRecordedFuture/Integrations/FeedRecordedFuture/FeedRecordedFuture.py @@ -1,16 +1,15 @@ -import demistomock as demisto from CommonServerPython import * -from CommonServerUserPython import * # IMPORTS +import urllib3 import csv import requests import itertools import traceback import urllib.parse -from typing import Tuple, Optional +from typing import Tuple, Optional, List # Disable insecure warnings -requests.packages.urllib3.disable_warnings() +urllib3.disable_warnings() INTEGRATION_NAME = 'Recorded Future' # taken from recorded future docs 
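Review bot: `import demistomock as demisto` is removed while the module still calls `demisto.params()` and `demisto.command()` (see the `main()` hunk later in this file), so `demisto` now has to arrive through `from CommonServerPython import *`; if that star import does not re-export the name the module fails at import time, and even when it does, linters can no longer resolve it. Keeping the explicit `import demistomock as demisto` line, as the other integrations in this diff do, is the safer choice. `urllib3.disable_warnings()` keeps the existing behaviour of silencing the insecure-request warning process-wide; a short comment that the `insecure` parameter, not this line, controls certificate verification would prevent the two being confused.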
@@ -36,7 +35,8 @@ class Client(BaseClient): def __init__(self, indicator_type: str, api_token: str, services: list, risk_rule: str = None, fusion_file_path: str = None, insecure: bool = False, - polling_timeout: int = 20, proxy: bool = False, threshold: int = 65): + polling_timeout: int = 20, proxy: bool = False, threshold: int = 65, + tags: Optional[list] = None): """ Attributes: indicator_type: string, the indicator type of the feed. @@ -48,9 +48,10 @@ def __init__(self, indicator_type: str, api_token: str, services: list, risk_rul polling_timeout: timeout of the polling request in seconds. Default: 20 proxy: Sets whether use proxy when sending requests threshold: The minimum score from the feed in order to to determine whether the indicator is malicious. + tags: A list of tags to add to indicators """ - - super().__init__(self.BASE_URL, proxy=proxy, verify=not insecure) + if tags is None: + tags = [] try: self.polling_timeout = int(polling_timeout) except (ValueError, TypeError): @@ -62,6 +63,8 @@ def __init__(self, indicator_type: str, api_token: str, services: list, risk_rul self.services = services self.indicator_type = indicator_type self.threshold = int(threshold) + self.tags = tags + super().__init__(self.BASE_URL, proxy=proxy, verify=not insecure) def _build_request(self, service, indicator_type): """Builds the request for the Recorded Future feed. @@ -97,6 +100,8 @@ def _build_request(self, service, indicator_type): url + fusion_path, headers=self.headers, params=self.PARAMS) + else: + raise DemistoException(f'Service unknown: {service}') return response.prepare() def build_iterator(self, service, indicator_type): 
@@ -176,18 +181,23 @@ def run_parameters_validations(self): return_error("You entered a fusion file path but the 'fusion' service is not chosen. " "Add the 'fusion' service to the list or remove the fusion file path.") + def get_risk_rules(self, indicator_type: Optional[str] = None) -> dict: + if indicator_type is None: + indicator_type = self.indicator_type + return self._http_request( + method='GET', + url_suffix=indicator_type + '/riskrules', + params=self.PARAMS, + headers=self.headers + ) + def is_valid_risk_rule(client: Client, risk_rule): """Checks if the risk rule is valid by requesting from RF a list of all available rules. Returns: bool. Whether the risk rule is valid or not """ - risk_rule_response = client._http_request( - method='GET', - url_suffix=client.indicator_type + '/riskrules', - params=client.PARAMS, - headers=client.headers - ) + risk_rule_response: dict = client.get_risk_rules() risk_rules_list = [single_risk_rule['name'] for single_risk_rule in risk_rule_response['data']['results']] if risk_rule in risk_rules_list: return True @@ -195,7 +205,7 @@ def is_valid_risk_rule(client: Client, risk_rule): return False -def test_module(client: Client, args: dict) -> Tuple[str, dict, dict]: +def test_module(client: Client, *args) -> Tuple[str, dict, dict]: """Builds the iterator to check that the feed is accessible. Args: client(Client): Recorded Future Feed client. @@ -281,7 +291,7 @@ def format_risk_string(risk_string): return f'{splitted_risk_string[0]} of {splitted_risk_string[1]} Risk Rules Triggered' -def fetch_indicators_command(client, indicator_type, limit: Optional[int] = None): +def fetch_indicators_command(client, indicator_type, limit: Optional[int] = None) -> List[dict]: """Fetches indicators from the Recorded Future feeds. Args: client(Client): Recorded Future Feed client. 
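Review bot: the new `get_risk_rules` method has no docstring, unlike the surrounding functions in this file; something like `"""Fetch the risk rules for *indicator_type* (defaults to the client's type) from the riskrules endpoint."""` followed by `Returns: dict. The raw API response.` would match the existing style. `is_valid_risk_rule` still indexes `risk_rule_response['data']['results']` directly, so an unexpected response shape surfaces as a `KeyError` rather than a clear message; this predates the change but is worth a guard now that the call is centralised. The `test_module(client, *args)` signature change suits the dispatch table but removes the `args` parameter its docstring appears to describe, so the `Args:` section should be updated to match.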
@@ -307,17 +317,20 @@ def fetch_indicators_command(client, indicator_type, limit: Optional[int] = None
 if evidence_details:
 raw_json['EvidenceDetails'] = evidence_details
 for rule in evidence_details:
- rule = dict((k.lower(), v) for k, v in rule.items())
+ rule = dict((key.lower(), value) for key, value in rule.items())
 lower_case_evidence_details_keys.append(rule)
 risk_string = item.get('RiskString')
 if isinstance(risk_string, str):
 raw_json['RiskString'] = format_risk_string(risk_string)
 indicators.append({
- "value": value,
- "type": raw_json['type'],
- "rawJSON": raw_json,
- "fields": {'recordedfutureevidencedetails': lower_case_evidence_details_keys},
- "score": score
+ 'value': value,
+ 'type': raw_json['type'],
+ 'rawJSON': raw_json,
+ 'fields': {
+ 'recordedfutureevidencedetails': lower_case_evidence_details_keys,
+ 'tags': client.tags
+ },
+ 'score': score
 })
 return indicators
@@ -349,12 +362,7 @@ def get_risk_rules_command(client: Client, args) -> Tuple[str, dict, dict]:
 str, dict, list. the markdown table, context JSON and list of risk rules
 """
 indicator_type = args.get('indicator_type', demisto.params().get('indicator_type'))
- result = client._http_request(
- method='GET',
- url_suffix=indicator_type + '/riskrules',
- params=client.PARAMS,
- headers=client.headers
- )
+ result = client.get_risk_rules(indicator_type)
 entry_result = []
 for entry in result['data']['results']:
 entry_result.append({
@@ -371,7 +379,9 @@ def main():
 params = demisto.params()
 client = Client(params.get('indicator_type'), params.get('api_token'), params.get('services'),
 params.get('risk_rule'), params.get('fusion_file_path'), params.get('insecure'),
- params.get('polling_timeout'), params.get('proxy'), params.get('threshold'))
+ params.get('polling_timeout'), params.get('proxy'), params.get('threshold'),
+ argToList(params.get('feedTags'))
+ )
 command = demisto.command()
 demisto.info('Command being called is {}'.format(command))
 # Switch case
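Review bot: In the `main()` hunk `argToList(params.get('feedTags'))` is passed as the tenth positional argument to `Client(...)`, so its binding to `tags` depends entirely on argument order; pass it as `tags=argToList(params.get('feedTags'))`, as `test_feed_tags` already does. In the first hunk every indicator's `fields['tags']` is the same list object as `client.tags`, so a consumer that mutates one indicator's tags changes all of them and the client; `'tags': list(client.tags)` keeps them independent at negligible cost. `main()` continues past the end of this hunk.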
diff --git a/Packs/FeedRecordedFuture/Integrations/FeedRecordedFuture/FeedRecordedFuture.yml b/Packs/FeedRecordedFuture/Integrations/FeedRecordedFuture/FeedRecordedFuture.yml index 233fe36bb705..8fbffa410355 100644 --- a/Packs/FeedRecordedFuture/Integrations/FeedRecordedFuture/FeedRecordedFuture.yml +++ b/Packs/FeedRecordedFuture/Integrations/FeedRecordedFuture/FeedRecordedFuture.yml @@ -110,6 +110,11 @@ configuration: name: fusion_file_path required: false type: 0 +- additionalinfo: Supports CSV values. + display: Tags + name: feedTags + required: false + type: 0 - additionalinfo: Time in seconds before HTTP requests timeout. defaultvalue: '20' display: Request Timeout @@ -183,7 +188,7 @@ script: - contextPath: RecordedFutureFeed.RiskRule.Criticality description: The risk rule criticality. type: String - dockerimage: demisto/python3:3.8.2.6981 + dockerimage: demisto/python3:3.8.3.9324 feed: true isfetch: false longRunning: false diff --git a/Packs/FeedRecordedFuture/Integrations/FeedRecordedFuture/FeedRecordedFuture_test.py b/Packs/FeedRecordedFuture/Integrations/FeedRecordedFuture/FeedRecordedFuture_test.py index 34d573935eee..7079b38eafd8 100644 --- a/Packs/FeedRecordedFuture/Integrations/FeedRecordedFuture/FeedRecordedFuture_test.py +++ b/Packs/FeedRecordedFuture/Integrations/FeedRecordedFuture/FeedRecordedFuture_test.py 
@@ -134,3 +134,22 @@ def test_fetch_indicators_command(mocker):
 return_value=[{'Name': '192.168.1.1'}]
 )
 fetch_indicators_command(client, indicator_type)
+
+
+@pytest.mark.parametrize('tags', (['tag1', 'tag2'], []))
+def test_feed_tags(mocker, tags):
+ """
+ Given:
+ - tags parameters
+ When:
+ - Executing any command on feed
+ Then:
+ - Validate the tags supplied exists in the indicators
+ """
+ client = Client(indicator_type='ip', api_token='dummytoken', services='fusion', tags=tags)
+ mocker.patch(
+ 'FeedRecordedFuture.Client.build_iterator',
+ return_value=[{'Name': '192.168.1.1'}]
+ )
+ indicators = fetch_indicators_command(client, 'ip')
+ assert tags == indicators[0]['fields']['tags']
diff --git a/Packs/FeedRecordedFuture/ReleaseNotes/1_0_2.md b/Packs/FeedRecordedFuture/ReleaseNotes/1_0_2.md
new file mode 100644
index 000000000000..1e7b76607828
--- /dev/null
+++ b/Packs/FeedRecordedFuture/ReleaseNotes/1_0_2.md
@@ -0,0 +1,4 @@
+
+#### Integrations
+##### Recorded Future RiskList Feed
+Added the *Tags* parameter.
diff --git a/Packs/FeedRecordedFuture/pack_metadata.json b/Packs/FeedRecordedFuture/pack_metadata.json
index 605ea3962099..5efc81dbd231 100644
--- a/Packs/FeedRecordedFuture/pack_metadata.json
+++ b/Packs/FeedRecordedFuture/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Recorded Future Feed",
 "description": "Ingests indicators from Recorded Future feeds into Demisto.",
 "support": "xsoar",
- "currentVersion": "1.0.1",
+ "currentVersion": "1.0.2",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
diff --git a/Packs/FeedTAXII/.secrets-ignore b/Packs/FeedTAXII/.secrets-ignore
index e69de29bb2d1..ffbd1f058340 100644
--- a/Packs/FeedTAXII/.secrets-ignore
+++ b/Packs/FeedTAXII/.secrets-ignore
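Review bot: `test_feed_tags` constructs `Client(..., services='fusion', ...)` with a string where the constructor signature annotates `services: list`; the test only passes because `build_iterator` is mocked out, so nothing iterates `self.services`. Use `services=['fusion']` so the fixture matches the real contract and keeps working if the mock is narrowed later. The test also passes `tags=` directly to `Client`, so it never exercises the `argToList(params.get('feedTags'))` wiring in `main()`; a second case that patches `demisto.params` to return `{'feedTags': 'tag1,tag2'}` and asserts the same result would cover the path users actually hit.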
@@ -0,0 +1,20 @@
+TAXII2.Collections.Name
+45.95.169.253
+23.254.230.216
+116.153.32.211
+45.142.213.171
+95.111.253.253
+141.98.81.83
+109.234.34.135
+205.185.122.111
+51.89.96.140
+203.165.90.173
+68.183.195.82
+195.3.246.202
+78.88.188.42
+194.35.12.117
+141.98.9.161
+142.93.7.46
+190.19.169.69
+82.118.242.107
+e6ecb146f469d243945ad8a5451ba1129c5b190f7d50c64580dbad4b8246f88e
diff --git a/Packs/FeedTAXII/Integrations/FeedTAXII/FeedTAXII.py b/Packs/FeedTAXII/Integrations/FeedTAXII/FeedTAXII.py
index 95a3f40a98b3..ef319177451c 100644
--- a/Packs/FeedTAXII/Integrations/FeedTAXII/FeedTAXII.py
+++ b/Packs/FeedTAXII/Integrations/FeedTAXII/FeedTAXII.py
@@ -114,9 +114,9 @@ def _decode_basic_props(props):
 if size is not None:
 result['stix_file_size'] = size.text
- format = next((c for c in props if c.name == 'File_Format'), None)
- if format is not None:
- result['stix_file_format'] = format.text
+ file_format = next((c for c in props if c.name == 'File_Format'), None)
+ if file_format is not None:
+ result['stix_file_format'] = file_format.text
 return result
@@ -372,8 +372,7 @@ def discovery_request(message_id=None):
 if message_id is None:
 message_id = Taxii11.new_message_id()
- return ''''''.format(
- message_id)
+ return f''''''
 @staticmethod
 def collection_information_request(message_id=None):
@@ -424,11 +423,9 @@ def poll_fulfillment_request(result_id, result_part_number, collection_name, mes
 if message_id is None:
 message_id = Taxii11.new_message_id()
- return ''''''.format(message_id,
- collection_name,
- result_id,
- result_part_number)
+ return f''''''
 @staticmethod
 def headers(content_type=None, accept=None, services=None, protocol=None):
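Review bot: The bodies of the new f-strings in `discovery_request` and `poll_fulfillment_request` are not visible on this page (the XML between the triple quotes was stripped), so the interpolation itself cannot be checked here; as with the `.format` calls they replace, `message_id`, `collection_name`, `result_id` and `result_part_number` are written into an XML request body, and `collection_name` presumably comes from the configured collection. If those values are not already escaped, wrapping them with `xml.sax.saxutils.escape` (or `quoteattr` for attribute positions) before interpolation keeps a name containing `<`, `&` or quotes from producing a malformed or differently structured request. This is not a regression introduced by the commit, but the f-string rewrite is the natural place to add it. Both methods extend beyond the visible hunk lines.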
@@ -471,7 +468,7 @@ def parse_timestamp_label(timestamp_label):
 class TAXIIClient(object):
 def __init__(self, insecure: bool = True, polling_timeout: int = 20, initial_interval: str = '1 day',
 discovery_service: str = '', poll_service: str = None, collection: str = None,
- credentials: dict = None, cert_text: str = None, key_text: str = None, **kwargs):
+ credentials: dict = None, cert_text: str = None, key_text: str = None, tags: str = None, **kwargs):
 """
 TAXII Client
 :param insecure: Set to true to ignore https certificate
@@ -511,7 +508,7 @@ def __init__(self, insecure: bool = True, polling_timeout: int = 20, initial_int
 self.username = None
 self.password = None
 self.crt = None
-
+ self.tags = argToList(tags)
 # authentication
 if credentials:
 if '_header:' in credentials.get('identifier', None):
@@ -565,13 +562,12 @@ def get_all_collections(self, is_raise_error=False):
 try:
 all_collections = taxii_client.get_collections()
+ return [collection.name for collection in all_collections]
 except Exception as e:
 if is_raise_error:
 raise ConnectionError()
 return_error(f'{INTEGRATION_NAME} - An error occurred when trying to fetch available collections.\n{e}')
- return [collection.name for collection in all_collections]
- return []
 def _send_request(self, url, headers, data, stream=False):
@@ -605,7 +601,8 @@ def _send_request(self, url, headers, data, stream=False):
 return r
- def _raise_for_taxii_error(self, response):
+ @staticmethod
+ def _raise_for_taxii_error(response):
 if response.contents[0].name != 'Status_Message':
 return
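Review bot: The new `tags` keyword in `TAXIIClient.__init__` is never populated from the integration's configuration as far as this diff shows: `main()` builds the client with `TAXIIClient(**params)` straight from `demisto.params()`, and the parameter added to FeedTAXII.yml is named `feedTags`, so in production the value lands in `**kwargs` and `self.tags = argToList(tags)` stays `[]`, unless the part of `__init__` outside the hunk reads it back from `kwargs`. The RecordedFuture side of the same commit maps it explicitly with `argToList(params.get('feedTags'))`; the parallel here, given that the other constructor parameters already mirror the yml names, is `feedTags: str = None` with `self.tags = argToList(feedTags)`, or popping the key from `kwargs`. `test_tags_parameter` passes `tags=` directly, so it would not catch this. In the `get_all_collections` hunk, `raise ConnectionError()` also discards the caught exception; `raise ConnectionError(str(e)) from e` preserves the cause for the caller.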
@@ -682,13 +679,13 @@ def _discover_poll_service(self):
 self._raise_for_taxii_error(result)
 # from here we look for the collection
- collections = result.find_all('Collection', collection_name=self.collection)
- if len(collections) == 0:
- raise RuntimeError('{} - collection {} not found'.format(INTEGRATION_NAME, self.collection))
+ collections_found = result.find_all('Collection', collection_name=self.collection)
+ if len(collections_found) == 0:
+ raise RuntimeError(f'{INTEGRATION_NAME} - collection {self.collection} not found')
 # and the right poll service
 poll_service = None
- for coll in collections:
+ for coll in collections_found:
 pservice = coll.find('Polling_Service')
 if pservice is None:
 LOG('{} - Collection with no Polling_Service: {!r}'.format(INTEGRATION_NAME, coll))
@@ -703,7 +700,6 @@ def _discover_poll_service(self):
 if poll_service is None:
 poll_service = address
 continue
-
 msgbindings = coll_service.find_all('Message_Binding')
 if len(msgbindings) != 0:
 for msgbinding in msgbindings:
@@ -939,13 +935,14 @@ def interval_in_sec(val):
 return None
 if isinstance(val, int):
 return val
- range_split = val.split()
- if len(range_split) != 2:
- raise ValueError('Interval must be "number date_range_unit", examples: (2 hours, 4 minutes,6 months, 1 day.')
- number = int(range_split[0])
- range_unit = range_split[1].lower()
- if range_unit not in ['minute', 'minutes', 'hour', 'hours', 'day', 'days']:
- raise ValueError('The unit of Interval is invalid. Must be minutes, hours or days')
+ else:
+ range_split = val.split()
+ if len(range_split) != 2:
+ raise ValueError('Interval must be "number date_range_unit", examples: (2 hours, 4 minutes,6 months, 1 day.')
+ number = int(range_split[0])
+ range_unit = range_split[1].lower()
+ if range_unit not in ['minute', 'minutes', 'hour', 'hours', 'day', 'days']:
+ raise ValueError('The unit of Interval is invalid. Must be minutes, hours or days')
 multipliers = {
 'minute': 60,
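Review bot: In the `interval_in_sec` hunk the new `else:` only adds a nesting level: the preceding `if isinstance(val, int): return val` already exits, so the flat form the commit replaces was the idiomatic guard-clause shape, and re-indenting seven lines makes blame noisier for no behavioural change. I would drop the `else:` and leave the body at its original indentation. Touched by the same hunk but not changed, `number = int(range_split[0])` lets `int()` raise its own bare `ValueError` for an input like `'two hours'`, which reads less clearly than the neighbouring messages; wrapping it in `try/except ValueError` and re-raising with the same 'Interval must be ...' text keeps the error consistent. The function begins before the hunk.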
@@ -981,9 +978,10 @@ def fetch_indicators_command(client):
 if indicator:
 item['value'] = indicator
 indicators.append({
- "value": indicator,
- "type": item.get('type'),
- "rawJSON": item,
+ 'value': indicator,
+ 'type': item.get('type'),
+ 'fields': {'tags': client.tags},
+ 'rawJSON': item,
 })
 return indicators
@@ -1000,7 +998,7 @@ def get_indicators_command(client, args):
 def main():
 # Write configure here
- params = {k: v for k, v in demisto.params().items() if v is not None}
+ params = {key: value for key, value in demisto.params().items() if value is not None}
 handle_proxy()
 client = TAXIIClient(**params)
 command = demisto.command()
diff --git a/Packs/FeedTAXII/Integrations/FeedTAXII/FeedTAXII.yml b/Packs/FeedTAXII/Integrations/FeedTAXII/FeedTAXII.yml
index 98278de551f9..0407cdfbdb5f 100644
--- a/Packs/FeedTAXII/Integrations/FeedTAXII/FeedTAXII.yml
+++ b/Packs/FeedTAXII/Integrations/FeedTAXII/FeedTAXII.yml
@@ -8,7 +8,8 @@ configuration:
 name: feed
 required: false
 type: 8
-- additionalinfo: Indicators from this integration instance will be marked with this reputation
+- additionalinfo: Indicators from this integration instance will be marked with this
+ reputation
 display: Indicator Reputation
 name: feedReputation
 options:
@@ -48,7 +49,9 @@ configuration:
 name: feedFetchInterval
 required: false
 type: 19
-- additionalinfo: When selected, the exclusion list is ignored for indicators from this feed. This means that if an indicator from this feed is on the exclusion list, the indicator might still be added to the system.
+- additionalinfo: When selected, the exclusion list is ignored for indicators from
+ this feed. This means that if an indicator from this feed is on the exclusion
+ list, the indicator might still be added to the system.
 display: Bypass exclusion list
 name: feedBypassExclusionList
 required: false
@@ -101,6 +104,11 @@ configuration: name: initial_interval required: false type: 0 +- additionalinfo: Supports CSV values. + display: Tags + name: feedTags + required: false + type: 0 - display: Trust any certificate (not secure) name: insecure required: false @@ -144,7 +152,7 @@ script: - contextPath: TAXII.Indicator.Rawjson description: The indicator rawJSON value. type: Unknown - dockerimage: demisto/taxii:1.0.0.7289 + dockerimage: demisto/taxii:1.0.0.9263 feed: true isfetch: false longRunning: false diff --git a/Packs/FeedTAXII/Integrations/FeedTAXII/FeedTAXII_test.py b/Packs/FeedTAXII/Integrations/FeedTAXII/FeedTAXII_test.py index 1f0a95bf9c1d..2372b2c53292 100644 --- a/Packs/FeedTAXII/Integrations/FeedTAXII/FeedTAXII_test.py +++ b/Packs/FeedTAXII/Integrations/FeedTAXII/FeedTAXII_test.py @@ -1,6 +1,8 @@ import json import pytest +from FeedTAXII import TAXIIClient, fetch_indicators_command + """ helper functions """ 
@@ -86,12 +88,29 @@ def test_interval_in_sec_6(self):
 class TestCommands:
 def test_fetch_indicators(self, mocker):
- from FeedTAXII import TAXIIClient, fetch_indicators_command
 client = TAXIIClient(collection='a collection')
 with open('FeedTAXII_test/TestCommands/raw_indicators.json', 'r') as f:
 raw_indicators = json.load(f)
 mocker.patch.object(client, 'build_iterator', return_value=raw_indicators)
 res = fetch_indicators_command(client)
- with open('FeedTAXII_test/TestCommands/indicators_results.json', 'r') as exp_f:
+ with open('FeedTAXII_test/TestCommands/indicators_results.json') as exp_f:
 expected = json.load(exp_f)
 assert res == expected
+
+
+@pytest.mark.parametrize('tags', (['tags1, tags2'], []))
+def test_tags_parameter(mocker, tags):
+ """
+ Given:
+ - tags parameters
+ When:
+ - Executing any command on feed
+ Then:
+ - Validate the tags supplied exists in the indicators
+ """
+ client = TAXIIClient(collection='a collection', tags=json.dumps(tags))
+ with open('FeedTAXII_test/TestCommands/raw_indicators.json', 'r') as f:
+ raw_indicators = json.load(f)
+ mocker.patch.object(client, 'build_iterator', return_value=raw_indicators)
+ res = fetch_indicators_command(client)
+ assert tags == res[0]['fields']['tags']
diff --git a/Packs/FeedTAXII/Integrations/FeedTAXII/FeedTAXII_test/TestCommands/indicators_results.json b/Packs/FeedTAXII/Integrations/FeedTAXII/FeedTAXII_test/TestCommands/indicators_results.json
index c97e6092be19..58e502beaee7 100644
--- a/Packs/FeedTAXII/Integrations/FeedTAXII/FeedTAXII_test/TestCommands/indicators_results.json
+++ b/Packs/FeedTAXII/Integrations/FeedTAXII/FeedTAXII_test/TestCommands/indicators_results.json
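Review bot: The parametrised value `['tags1, tags2']` in `test_tags_parameter` is a single list element containing a comma, so the test hands `json.dumps(['tags1, tags2'])` to the client and asserts the same one-element list back; it never exercises the comma splitting that the yml's `Supports CSV values.` promises (as far as I recall, `argToList` parses a bracketed string as JSON rather than splitting it). Add a plain-string case such as `'tags1,tags2'` expecting `['tags1', 'tags2']`, and keep the JSON-list case only if that form is also meant to be accepted. As with the RecordedFuture test, constructing the client with `tags=` bypasses `main()`'s `TAXIIClient(**params)` wiring, so the configuration key the integration actually receives is not covered.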
@@ -1,602 +1,752 @@ [ - { - "value": "http://www.lifetmeda.ru/rewq/3e7479b6d30a8b744b96db72795b6aba/", - "type": "URL", - "rawJSON": { - "indicator": "http://www.lifetmeda.ru/rewq/3e7479b6d30a8b744b96db72795b6aba/", - "type": "URL", - "stix_title": "URL: http://www.lifetmeda.ru/rewq/3e7479b6d30a8b744b96db72795b6aba/...", - "stix_description": "URL: http://www.lifetmeda.ru/rewq/3e7479b6d30a8b744b96db72795b6aba/| isOnline:yes| dateVerified:2020-01-06T07:55:08+00:00", - "share_level": "white", - "value": "http://www.lifetmeda.ru/rewq/3e7479b6d30a8b744b96db72795b6aba/" - } - }, - { - "value": "https://software8n-chase.com/home/", - "type": "URL", - "rawJSON": { - "indicator": "https://software8n-chase.com/home/", - "type": "URL", - "stix_title": "URL: https://software8n-chase.com/home/...", - "stix_description": "URL: https://software8n-chase.com/home/| isOnline:yes| dateVerified:2020-01-06T07:54:30+00:00", - "share_level": "white", - "value": "https://software8n-chase.com/home/" - } - }, - { - "value": "https://hmrc.5-notifications.com/338c933a18e9b57f72e608e67c5e4afd/index.php", - "type": "URL", - "rawJSON": { - "indicator": "https://hmrc.5-notifications.com/338c933a18e9b57f72e608e67c5e4afd/index.php", - "type": "URL", - "stix_title": "URL: https://hmrc.5-notifications.com/338c933a18e9b57f72e608e67c5e4afd/inde...", - "stix_description": "URL: https://hmrc.5-notifications.com/338c933a18e9b57f72e608e67c5e4afd/index.php| isOnline:yes| dateVerified:2020-01-06T13:25:07+00:00", - "share_level": "white", - "value": "https://hmrc.5-notifications.com/338c933a18e9b57f72e608e67c5e4afd/index.php" - } - }, - { - "value": "http://medimobility.es/wordpress/wp-admin/includes/onlinebanking/account/validation/chase.com/home/myaccount/billing.php?dispatched=66", - "type": "URL", - "rawJSON": { - "indicator": "http://medimobility.es/wordpress/wp-admin/includes/onlinebanking/account/validation/chase.com/home/myaccount/billing.php?dispatched=66", - "type": "URL", - "stix_title": "URL: 
http://medimobility.es/wordpress/wp-admin/includes/onlinebanking/accou...", - "stix_description": "URL: http://medimobility.es/wordpress/wp-admin/includes/onlinebanking/account/validation/chase.com/home/myaccount/billing.php?dispatched=66| isOnline:yes| dateVerified:2020-01-06T07:37:02+00:00", - "share_level": "white", - "value": "http://medimobility.es/wordpress/wp-admin/includes/onlinebanking/account/validation/chase.com/home/myaccount/billing.php?dispatched=66" - } - }, - { - "value": "https://icloud.com.uk-maps.info/?ld=iXS64Gold", - "type": "URL", - "rawJSON": { - "indicator": "https://icloud.com.uk-maps.info/?ld=iXS64Gold", - "type": "URL", - "stix_title": "URL: https://icloud.com.uk-maps.info/?ld=iXS64Gold...", - "stix_description": "URL: https://icloud.com.uk-maps.info/?ld=iXS64Gold| isOnline:yes| dateVerified:2020-01-06T09:38:56+00:00", - "share_level": "white", - "value": "https://icloud.com.uk-maps.info/?ld=iXS64Gold" - } - }, - { - "value": "https://www.americanas.semanasaldao.com/destaques/produto/133756522/smart-tv-led-55-samsung-ultra-hd-4k-55nu7100-com-conversor-digital-3-hdmi-2-usb-wi-fi-solucao-inteligente-de-cabos-hdr-premium-smart-tizen/29120912594122", - "type": "URL", - "rawJSON": { - "indicator": "https://www.americanas.semanasaldao.com/destaques/produto/133756522/smart-tv-led-55-samsung-ultra-hd-4k-55nu7100-com-conversor-digital-3-hdmi-2-usb-wi-fi-solucao-inteligente-de-cabos-hdr-premium-smart-tizen/29120912594122", - "type": "URL", - "stix_title": "URL: https://www.americanas.semanasaldao.com/destaques/produto/133756522/sm...", - "stix_description": "URL: https://www.americanas.semanasaldao.com/destaques/produto/133756522/smart-tv-led-55-samsung-ultra-hd-4k-55nu7100-com-conversor-digital-3-hdmi-2-usb-wi-fi-solucao-inteligente-de-cabos-hdr-premium-smart-tizen/29120912594122| isOnline:yes| dateVerified:2020-01-06T07:38:50+00:00", - "share_level": "white", - "value": 
"https://www.americanas.semanasaldao.com/destaques/produto/133756522/smart-tv-led-55-samsung-ultra-hd-4k-55nu7100-com-conversor-digital-3-hdmi-2-usb-wi-fi-solucao-inteligente-de-cabos-hdr-premium-smart-tizen/29120912594122" - } - }, - { - "value": "https://www31.janeirodepromocao.com/prodcb684ff46e483a3566954545d85715e7lnk/samsung-galaxy-j8-prata-64gb-and-8-1-6-octa-core-1-8ghz-4g/p/ceg87g4b76/te/sgj8/", - "type": "URL", - "rawJSON": { - "indicator": "https://www31.janeirodepromocao.com/prodcb684ff46e483a3566954545d85715e7lnk/samsung-galaxy-j8-prata-64gb-and-8-1-6-octa-core-1-8ghz-4g/p/ceg87g4b76/te/sgj8/", - "type": "URL", - "stix_title": "URL: https://www31.janeirodepromocao.com/prodcb684ff46e483a3566954545d85715...", - "stix_description": "URL: https://www31.janeirodepromocao.com/prodcb684ff46e483a3566954545d85715e7lnk/samsung-galaxy-j8-prata-64gb-and-8-1-6-octa-core-1-8ghz-4g/p/ceg87g4b76/te/sgj8/| isOnline:yes| dateVerified:2020-01-06T10:46:48+00:00", - "share_level": "white", - "value": "https://www31.janeirodepromocao.com/prodcb684ff46e483a3566954545d85715e7lnk/samsung-galaxy-j8-prata-64gb-and-8-1-6-octa-core-1-8ghz-4g/p/ceg87g4b76/te/sgj8/" - } - }, - { - "value": "https://services.runescape.com-ey.top/weblogin/loginForm/", - "type": "URL", - "rawJSON": { - "indicator": "https://services.runescape.com-ey.top/weblogin/loginForm/", - "type": "URL", - "stix_title": "URL: https://services.runescape.com-ey.top/weblogin/loginForm/...", - "stix_description": "URL: https://services.runescape.com-ey.top/weblogin/loginForm/| isOnline:yes| dateVerified:2020-01-06T12:37:36+00:00", - "share_level": "white", - "value": "https://services.runescape.com-ey.top/weblogin/loginForm/" - } - }, - { - "value": "http://inspireddds.com/jc", - "type": "URL", - "rawJSON": { - "indicator": "http://inspireddds.com/jc", - "type": "URL", - "stix_title": "URL: http://inspireddds.com/jc...", - "stix_description": "URL: http://inspireddds.com/jc| isOnline:yes| 
dateVerified:2020-01-06T07:37:09+00:00", - "share_level": "white", - "value": "http://inspireddds.com/jc" - } - }, - { - "value": "http://paypal.co.uk.useriq3sr4wszak.settingsppup.com/Settingsppup.cfm?fp=qA%20%20vfQCaxyRJ63KlZNT%20STTnPxyxrYfTfokWwjt6X8B2KMHd6vrhSDSVfCo87DIqJw7qRkWEOMbkv0rR4RQZYukqG1gSiNtwcKqaVUL1Ij0SBjrze%20hbkOC8CcMto%20ggUgBfzdNZ3Nh0nPG3SVk1Z8b5UrUDAxFsPajUDfY%20dBMPYAFLetKCfGDMDOS/jyeF2uK0Mh6gRUZKk99LBnJtA==&amp;maxads=0&amp;kld=1003&amp;yprpnd=7kxC8yexsnklnVq9qQrS1HTq1TxFDwZbYVKGXhVoFBU=&amp;prvtof=i4Cwtdag9Riq8qyOYYXfleX%20C9RGjbg5qA0Mcy3u6sE=&amp;eml&amp;cmd=form_submit&amp;dispatch=34xsd45423d1zmw241234zxadvzvh24af23d60&amp;&amp;kt=217&amp;kbc=settingsppup&amp;ktd=0&amp;kp=2", - "type": "URL", - "rawJSON": { - "indicator": "http://paypal.co.uk.useriq3sr4wszak.settingsppup.com/Settingsppup.cfm?fp=qA%20%20vfQCaxyRJ63KlZNT%20STTnPxyxrYfTfokWwjt6X8B2KMHd6vrhSDSVfCo87DIqJw7qRkWEOMbkv0rR4RQZYukqG1gSiNtwcKqaVUL1Ij0SBjrze%20hbkOC8CcMto%20ggUgBfzdNZ3Nh0nPG3SVk1Z8b5UrUDAxFsPajUDfY%20dBMPYAFLetKCfGDMDOS/jyeF2uK0Mh6gRUZKk99LBnJtA==&amp;maxads=0&amp;kld=1003&amp;yprpnd=7kxC8yexsnklnVq9qQrS1HTq1TxFDwZbYVKGXhVoFBU=&amp;prvtof=i4Cwtdag9Riq8qyOYYXfleX%20C9RGjbg5qA0Mcy3u6sE=&amp;eml&amp;cmd=form_submit&amp;dispatch=34xsd45423d1zmw241234zxadvzvh24af23d60&amp;&amp;kt=217&amp;kbc=settingsppup&amp;ktd=0&amp;kp=2", - "type": "URL", - "stix_title": "URL: http://paypal.co.uk.useriq3sr4wszak.settingsppup.com/Settingsppup.cfm?...", - "stix_description": "URL: 
http://paypal.co.uk.useriq3sr4wszak.settingsppup.com/Settingsppup.cfm?fp=qA%20%20vfQCaxyRJ63KlZNT%20STTnPxyxrYfTfokWwjt6X8B2KMHd6vrhSDSVfCo87DIqJw7qRkWEOMbkv0rR4RQZYukqG1gSiNtwcKqaVUL1Ij0SBjrze%20hbkOC8CcMto%20ggUgBfzdNZ3Nh0nPG3SVk1Z8b5UrUDAxFsPajUDfY%20dBMPYAFLetKCfGDMDOS/jyeF2uK0Mh6gRUZKk99LBnJtA==&maxads=0&kld=1003&yprpnd=7kxC8yexsnklnVq9qQrS1HTq1TxFDwZbYVKGXhVoFBU=&prvtof=i4Cwtdag9Riq8qyOYYXfleX%20C9RGjbg5qA0Mcy3u6sE=&eml&cmd=form_submit&dispatch=34xsd45423d1zmw241234zxadvzvh24af23d60&&kt=217&kbc=settingsppup&ktd=0&kp=2| isOnline:yes| dateVerified:2020-01-06T07:32:28+00:00", - "share_level": "white", - "value": "http://paypal.co.uk.useriq3sr4wszak.settingsppup.com/Settingsppup.cfm?fp=qA%20%20vfQCaxyRJ63KlZNT%20STTnPxyxrYfTfokWwjt6X8B2KMHd6vrhSDSVfCo87DIqJw7qRkWEOMbkv0rR4RQZYukqG1gSiNtwcKqaVUL1Ij0SBjrze%20hbkOC8CcMto%20ggUgBfzdNZ3Nh0nPG3SVk1Z8b5UrUDAxFsPajUDfY%20dBMPYAFLetKCfGDMDOS/jyeF2uK0Mh6gRUZKk99LBnJtA==&amp;maxads=0&amp;kld=1003&amp;yprpnd=7kxC8yexsnklnVq9qQrS1HTq1TxFDwZbYVKGXhVoFBU=&amp;prvtof=i4Cwtdag9Riq8qyOYYXfleX%20C9RGjbg5qA0Mcy3u6sE=&amp;eml&amp;cmd=form_submit&amp;dispatch=34xsd45423d1zmw241234zxadvzvh24af23d60&amp;&amp;kt=217&amp;kbc=settingsppup&amp;ktd=0&amp;kp=2" - } - }, - { - "value": "https://docs.google.com/forms/d/e/1FAIpQLSfLZzjIPwUm4Vu6wdSTu1N_h_cA0ZDfGXxatIKjXc4cdv43Vw/viewform", - "type": "URL", - "rawJSON": { - "indicator": "https://docs.google.com/forms/d/e/1FAIpQLSfLZzjIPwUm4Vu6wdSTu1N_h_cA0ZDfGXxatIKjXc4cdv43Vw/viewform", - "type": "URL", - "stix_title": "URL: https://docs.google.com/forms/d/e/1FAIpQLSfLZzjIPwUm4Vu6wdSTu1N_h_cA0Z...", - "stix_description": "URL: https://docs.google.com/forms/d/e/1FAIpQLSfLZzjIPwUm4Vu6wdSTu1N_h_cA0ZDfGXxatIKjXc4cdv43Vw/viewform| isOnline:yes| dateVerified:2020-01-06T07:52:14+00:00", - "share_level": "white", - "value": "https://docs.google.com/forms/d/e/1FAIpQLSfLZzjIPwUm4Vu6wdSTu1N_h_cA0ZDfGXxatIKjXc4cdv43Vw/viewform" - } - }, - { - "value": "http://20.36.37.97/~/", - "type": "URL", - "rawJSON": { 
- "indicator": "http://20.36.37.97/~/", - "type": "URL", - "stix_title": "URL: http://20.36.37.97/~/...", - "stix_description": "URL: http://20.36.37.97/~/| isOnline:yes| dateVerified:2020-01-06T14:17:16+00:00", - "share_level": "white", - "value": "http://20.36.37.97/~/" - } - }, - { - "value": "https://docs.google.com/forms/d/e/1FAIpQLScq5VuZ98zL9mh341AaAzgMNHvEh8Luuka_eoZOV_DtRcjCoA/viewform", - "type": "URL", - "rawJSON": { - "indicator": "https://docs.google.com/forms/d/e/1FAIpQLScq5VuZ98zL9mh341AaAzgMNHvEh8Luuka_eoZOV_DtRcjCoA/viewform", - "type": "URL", - "stix_title": "URL: https://docs.google.com/forms/d/e/1FAIpQLScq5VuZ98zL9mh341AaAzgMNHvEh8...", - "stix_description": "URL: https://docs.google.com/forms/d/e/1FAIpQLScq5VuZ98zL9mh341AaAzgMNHvEh8Luuka_eoZOV_DtRcjCoA/viewform| isOnline:yes| dateVerified:2020-01-06T08:42:27+00:00", - "share_level": "white", - "value": "https://docs.google.com/forms/d/e/1FAIpQLScq5VuZ98zL9mh341AaAzgMNHvEh8Luuka_eoZOV_DtRcjCoA/viewform" - } - }, - { - "value": "http://clienteofertaoonline.com/promocao.php", - "type": "URL", - "rawJSON": { - "indicator": "http://clienteofertaoonline.com/promocao.php", - "type": "URL", - "stix_title": "URL: http://clienteofertaoonline.com/promocao.php...", - "stix_description": "URL: http://clienteofertaoonline.com/promocao.php| isOnline:yes| dateVerified:2020-01-06T10:57:35+00:00", - "share_level": "white", - "value": "http://clienteofertaoonline.com/promocao.php" - } - }, - { - "value": "https://www35.janeirodepromocao.com/proddd16cd2bd128c923651287c2ba7a1a74lnk/samsung-galaxy-j8-prata-64gb-and-8-1-6-octa-core-1-8ghz-4g/p/ceg87g4b76/te/sgj8/", - "type": "URL", - "rawJSON": { - "indicator": "https://www35.janeirodepromocao.com/proddd16cd2bd128c923651287c2ba7a1a74lnk/samsung-galaxy-j8-prata-64gb-and-8-1-6-octa-core-1-8ghz-4g/p/ceg87g4b76/te/sgj8/", - "type": "URL", - "stix_title": "URL: https://www35.janeirodepromocao.com/proddd16cd2bd128c923651287c2ba7a1a...", - "stix_description": "URL: 
https://www35.janeirodepromocao.com/proddd16cd2bd128c923651287c2ba7a1a74lnk/samsung-galaxy-j8-prata-64gb-and-8-1-6-octa-core-1-8ghz-4g/p/ceg87g4b76/te/sgj8/| isOnline:yes| dateVerified:2020-01-06T10:44:31+00:00", - "share_level": "white", - "value": "https://www35.janeirodepromocao.com/proddd16cd2bd128c923651287c2ba7a1a74lnk/samsung-galaxy-j8-prata-64gb-and-8-1-6-octa-core-1-8ghz-4g/p/ceg87g4b76/te/sgj8/" - } - }, - { - "value": "http://telesomonline.com/", - "type": "URL", - "rawJSON": { - "indicator": "http://telesomonline.com/", - "type": "URL", - "stix_title": "URL: http://telesomonline.com/...", - "stix_description": "URL: http://telesomonline.com/| isOnline:yes| dateVerified:2020-01-06T08:00:06+00:00", - "share_level": "white", - "value": "http://telesomonline.com/" - } - }, - { - "value": "http://novasmelhoresluiza.com/site/25181aihj521800084/index.php?o-de-panelas-tramontina-turim-20298707-7-pecas-vermelho-/p/ehf4hekh4a/ud/panl/&amp;id=1", - "type": "URL", - "rawJSON": { - "indicator": "http://novasmelhoresluiza.com/site/25181aihj521800084/index.php?o-de-panelas-tramontina-turim-20298707-7-pecas-vermelho-/p/ehf4hekh4a/ud/panl/&amp;id=1", - "type": "URL", - "stix_title": "URL: http://novasmelhoresluiza.com/site/25181aihj521800084/index.php?o-de-p...", - "stix_description": "URL: http://novasmelhoresluiza.com/site/25181aihj521800084/index.php?o-de-panelas-tramontina-turim-20298707-7-pecas-vermelho-/p/ehf4hekh4a/ud/panl/&id=1| isOnline:yes| dateVerified:2020-01-06T10:34:46+00:00", - "share_level": "white", - "value": "http://novasmelhoresluiza.com/site/25181aihj521800084/index.php?o-de-panelas-tramontina-turim-20298707-7-pecas-vermelho-/p/ehf4hekh4a/ud/panl/&amp;id=1" - } - }, - { - "value": "http://www.lifetmeda.ru/rewq/3e7479b6d30a8b744b96db72795b6aba", - "type": "URL", - "rawJSON": { - "indicator": "http://www.lifetmeda.ru/rewq/3e7479b6d30a8b744b96db72795b6aba", - "type": "URL", - "stix_title": "URL: 
http://www.lifetmeda.ru/rewq/3e7479b6d30a8b744b96db72795b6aba...", - "stix_description": "URL: http://www.lifetmeda.ru/rewq/3e7479b6d30a8b744b96db72795b6aba| isOnline:yes| dateVerified:2020-01-06T08:15:25+00:00", - "share_level": "white", - "value": "http://www.lifetmeda.ru/rewq/3e7479b6d30a8b744b96db72795b6aba" - } - }, - { - "value": "http://0fertas-do-dia-24hr-com.umbler.net/promocao.php", - "type": "URL", - "rawJSON": { - "indicator": "http://0fertas-do-dia-24hr-com.umbler.net/promocao.php", - "type": "URL", - "stix_title": "URL: http://0fertas-do-dia-24hr-com.umbler.net/promocao.php...", - "stix_description": "URL: http://0fertas-do-dia-24hr-com.umbler.net/promocao.php| isOnline:yes| dateVerified:2020-01-06T13:03:38+00:00", - "share_level": "white", - "value": "http://0fertas-do-dia-24hr-com.umbler.net/promocao.php" - } - }, - { - "value": "http://mindspring.com/~hangle/homepage/index.html", - "type": "URL", - "rawJSON": { - "indicator": "http://mindspring.com/~hangle/homepage/index.html", - "type": "URL", - "stix_title": "URL: http://mindspring.com/~hangle/homepage/index.html...", - "stix_description": "URL: http://mindspring.com/~hangle/homepage/index.html| isOnline:yes| dateVerified:2020-01-06T10:06:41+00:00", - "share_level": "white", - "value": "http://mindspring.com/~hangle/homepage/index.html" - } - }, - { - "value": "https://ltau-portal.com/device/m/para-voce/webApps_AplicationInfoFisica1.php", - "type": "URL", - "rawJSON": { - "indicator": "https://ltau-portal.com/device/m/para-voce/webApps_AplicationInfoFisica1.php", - "type": "URL", - "stix_title": "URL: https://ltau-portal.com/device/m/para-voce/webApps_AplicationInfoFisic...", - "stix_description": "URL: https://ltau-portal.com/device/m/para-voce/webApps_AplicationInfoFisica1.php| isOnline:yes| dateVerified:2020-01-06T14:16:27+00:00", - "share_level": "white", - "value": "https://ltau-portal.com/device/m/para-voce/webApps_AplicationInfoFisica1.php" - } - }, - { - "value": 
"https://ecertificatewala.com/www.PayPal.com-Re-Secure-Your-Account-verification-support/signin?amp&amp;&amp;&amp;country.x=US", - "type": "URL", - "rawJSON": { - "indicator": "https://ecertificatewala.com/www.PayPal.com-Re-Secure-Your-Account-verification-support/signin?amp&amp;&amp;&amp;country.x=US", - "type": "URL", - "stix_title": "URL: https://ecertificatewala.com/www.PayPal.com-Re-Secure-Your-Account-ver...", - "stix_description": "URL: https://ecertificatewala.com/www.PayPal.com-Re-Secure-Your-Account-verification-support/signin?amp&&&country.x=US| isOnline:yes| dateVerified:2020-01-06T06:27:50+00:00", - "share_level": "white", - "value": "https://ecertificatewala.com/www.PayPal.com-Re-Secure-Your-Account-verification-support/signin?amp&amp;&amp;&amp;country.x=US" - } - }, - { - "value": "http://receptfritt-cialis.com/drwxe/customer_center/customer-IDPP00C129/myaccount/signin/", - "type": "URL", - "rawJSON": { - "indicator": "http://receptfritt-cialis.com/drwxe/customer_center/customer-IDPP00C129/myaccount/signin/", - "type": "URL", - "stix_title": "URL: http://receptfritt-cialis.com/drwxe/customer_center/customer-IDPP00C12...", - "stix_description": "URL: http://receptfritt-cialis.com/drwxe/customer_center/customer-IDPP00C129/myaccount/signin/| isOnline:yes| dateVerified:2020-01-06T10:11:25+00:00", - "share_level": "white", - "value": "http://receptfritt-cialis.com/drwxe/customer_center/customer-IDPP00C129/myaccount/signin/" - } - }, - { - "value": "http://ahahahahah.buzz/l/rBraLX/welcome.html", - "type": "URL", - "rawJSON": { - "indicator": "http://ahahahahah.buzz/l/rBraLX/welcome.html", - "type": "URL", - "stix_title": "URL: http://ahahahahah.buzz/l/rBraLX/welcome.html...", - "stix_description": "URL: http://ahahahahah.buzz/l/rBraLX/welcome.html| isOnline:yes| dateVerified:2020-01-06T07:42:52+00:00", - "share_level": "white", - "value": "http://ahahahahah.buzz/l/rBraLX/welcome.html" - } - }, - { - "value": 
"https://optusupdatemail.com/optusnetAU/fbs/?cmd=_account-details&session=84afcc2281c3532820e288acca3079f5&dispatch=b0cd4918361149a5283d11547c1a65e55b1a1079", - "type": "URL", - "rawJSON": { - "indicator": "https://optusupdatemail.com/optusnetAU/fbs/?cmd=_account-details&session=84afcc2281c3532820e288acca3079f5&dispatch=b0cd4918361149a5283d11547c1a65e55b1a1079", - "type": "URL", - "stix_title": "URL: https://optusupdatemail.com/optusnetAU/fbs/?cmd=_account-details&s...", - "stix_description": "URL: https://optusupdatemail.com/optusnetAU/fbs/?cmd=_account-details&session=84afcc2281c3532820e288acca3079f5&dispatch=b0cd4918361149a5283d11547c1a65e55b1a1079| isOnline:yes| dateVerified:2020-01-06T04:13:03+00:00", - "share_level": "white", - "value": "https://optusupdatemail.com/optusnetAU/fbs/?cmd=_account-details&session=84afcc2281c3532820e288acca3079f5&dispatch=b0cd4918361149a5283d11547c1a65e55b1a1079" - } - }, - { - "value": "http://clinicaskin.cl/whre/beth/", - "type": "URL", - "rawJSON": { - "indicator": "http://clinicaskin.cl/whre/beth/", - "type": "URL", - "stix_title": "URL: http://clinicaskin.cl/whre/beth/...", - "stix_description": "URL: http://clinicaskin.cl/whre/beth/| isOnline:yes| dateVerified:2020-01-06T10:01:19+00:00", - "share_level": "white", - "value": "http://clinicaskin.cl/whre/beth/" - } - }, - { - "value": "https://belovedcommunityusa.com/.NEDBRANCH/NedMoney~PROFILE~PIN~PASSWORD.htm", - "type": "URL", - "rawJSON": { - "indicator": "https://belovedcommunityusa.com/.NEDBRANCH/NedMoney~PROFILE~PIN~PASSWORD.htm", - "type": "URL", - "stix_title": "URL: https://belovedcommunityusa.com/.NEDBRANCH/NedMoney~PROFILE~PIN~PASSWO...", - "stix_description": "URL: https://belovedcommunityusa.com/.NEDBRANCH/NedMoney~PROFILE~PIN~PASSWORD.htm| isOnline:yes| dateVerified:2020-01-06T06:21:07+00:00", - "share_level": "white", - "value": "https://belovedcommunityusa.com/.NEDBRANCH/NedMoney~PROFILE~PIN~PASSWORD.htm" - } - }, - { - "value": "http://bit.ly/2RTEXSf", - 
"type": "URL", - "rawJSON": { - "indicator": "http://bit.ly/2RTEXSf", - "type": "URL", - "stix_title": "URL: http://bit.ly/2RTEXSf...", - "stix_description": "URL: http://bit.ly/2RTEXSf| isOnline:yes| dateVerified:2020-01-06T08:23:29+00:00", - "share_level": "white", - "value": "http://bit.ly/2RTEXSf" - } - }, - { - "value": "http://dreamhouse.in.th/sigin/customer_center/customer-IDPP00C134", - "type": "URL", - "rawJSON": { - "indicator": "http://dreamhouse.in.th/sigin/customer_center/customer-IDPP00C134", - "type": "URL", - "stix_title": "URL: http://dreamhouse.in.th/sigin/customer_center/customer-IDPP00C134...", - "stix_description": "URL: http://dreamhouse.in.th/sigin/customer_center/customer-IDPP00C134| isOnline:yes| dateVerified:2020-01-06T07:55:18+00:00", - "share_level": "white", - "value": "http://dreamhouse.in.th/sigin/customer_center/customer-IDPP00C134" - } - }, - { - "value": "http://sdfgress.info/Tssb/", - "type": "URL", - "rawJSON": { - "indicator": "http://sdfgress.info/Tssb/", - "type": "URL", - "stix_title": "URL: http://sdfgress.info/Tssb/...", - "stix_description": "URL: http://sdfgress.info/Tssb/| isOnline:yes| dateVerified:2020-01-06T15:06:50+00:00", - "share_level": "white", - "value": "http://sdfgress.info/Tssb/" - } - }, - { - "value": "https://rebrand.ly/ir3td8", - "type": "URL", - "rawJSON": { - "indicator": "https://rebrand.ly/ir3td8", - "type": "URL", - "stix_title": "URL: https://rebrand.ly/ir3td8...", - "stix_description": "URL: https://rebrand.ly/ir3td8| isOnline:yes| dateVerified:2020-01-06T07:38:49+00:00", - "share_level": "white", - "value": "https://rebrand.ly/ir3td8" - } - }, - { - "value": "https://ltau-portal.com/device/m", - "type": "URL", - "rawJSON": { - "indicator": "https://ltau-portal.com/device/m", - "type": "URL", - "stix_title": "URL: https://ltau-portal.com/device/m...", - "stix_description": "URL: https://ltau-portal.com/device/m| isOnline:yes| dateVerified:2020-01-06T14:17:16+00:00", - "share_level": "white", - 
"value": "https://ltau-portal.com/device/m" - } - }, - { - "value": "http://www.sdmiramar.edu/library/sites/default/files/styles/RedirSeguro.html", - "type": "URL", - "rawJSON": { - "indicator": "http://www.sdmiramar.edu/library/sites/default/files/styles/RedirSeguro.html", - "type": "URL", - "stix_title": "URL: http://www.sdmiramar.edu/library/sites/default/files/styles/RedirSegur...", - "stix_description": "URL: http://www.sdmiramar.edu/library/sites/default/files/styles/RedirSeguro.html| isOnline:yes| dateVerified:2020-01-06T07:40:30+00:00", - "share_level": "white", - "value": "http://www.sdmiramar.edu/library/sites/default/files/styles/RedirSeguro.html" - } - }, - { - "value": "http://exam.karthikeyaiasacademy.com/.chase/chases/jpmchase.html", - "type": "URL", - "rawJSON": { - "indicator": "http://exam.karthikeyaiasacademy.com/.chase/chases/jpmchase.html", - "type": "URL", - "stix_title": "URL: http://exam.karthikeyaiasacademy.com/.chase/chases/jpmchase.html...", - "stix_description": "URL: http://exam.karthikeyaiasacademy.com/.chase/chases/jpmchase.html| isOnline:yes| dateVerified:2020-01-06T14:23:01+00:00", - "share_level": "white", - "value": "http://exam.karthikeyaiasacademy.com/.chase/chases/jpmchase.html" - } - }, - { - "value": "https://t.co/urOY0sKqpl", - "type": "URL", - "rawJSON": { - "indicator": "https://t.co/urOY0sKqpl", - "type": "URL", - "stix_title": "URL: https://t.co/urOY0sKqpl...", - "stix_description": "URL: https://t.co/urOY0sKqpl| isOnline:yes| dateVerified:2020-01-06T09:43:39+00:00", - "share_level": "white", - "value": "https://t.co/urOY0sKqpl" - } - }, - { - "value": "https://paypal.co.uk.6mon.icu/p/login.php", - "type": "URL", - "rawJSON": { - "indicator": "https://paypal.co.uk.6mon.icu/p/login.php", - "type": "URL", - "stix_title": "URL: https://paypal.co.uk.6mon.icu/p/login.php...", - "stix_description": "URL: https://paypal.co.uk.6mon.icu/p/login.php| isOnline:yes| dateVerified:2020-01-06T14:29:56+00:00", - "share_level": "white", 
- "value": "https://paypal.co.uk.6mon.icu/p/login.php" - } - }, - { - "value": "http://chase-2sconfirm.com/home/myaccount/billing.php?websrc=e17ea285ad581008aac6b89b49ab879e&amp;dispatched=80&amp;id=6383734797", - "type": "URL", - "rawJSON": { - "indicator": "http://chase-2sconfirm.com/home/myaccount/billing.php?websrc=e17ea285ad581008aac6b89b49ab879e&amp;dispatched=80&amp;id=6383734797", - "type": "URL", - "stix_title": "URL: http://chase-2sconfirm.com/home/myaccount/billing.php?websrc=e17ea285a...", - "stix_description": "URL: http://chase-2sconfirm.com/home/myaccount/billing.php?websrc=e17ea285ad581008aac6b89b49ab879e&dispatched=80&id=6383734797| isOnline:yes| dateVerified:2020-01-06T07:58:20+00:00", - "share_level": "white", - "value": "http://chase-2sconfirm.com/home/myaccount/billing.php?websrc=e17ea285ad581008aac6b89b49ab879e&amp;dispatched=80&amp;id=6383734797" - } - }, - { - "value": "http://magalufimdesemana.com/promocao.php", - "type": "URL", - "rawJSON": { - "indicator": "http://magalufimdesemana.com/promocao.php", - "type": "URL", - "stix_title": "URL: http://magalufimdesemana.com/promocao.php...", - "stix_description": "URL: http://magalufimdesemana.com/promocao.php| isOnline:yes| dateVerified:2020-01-06T10:47:34+00:00", - "share_level": "white", - "value": "http://magalufimdesemana.com/promocao.php" - } - }, - { - "value": "http://20.36.37.97/~", - "type": "URL", - "rawJSON": { - "indicator": "http://20.36.37.97/~", - "type": "URL", - "stix_title": "URL: http://20.36.37.97/~...", - "stix_description": "URL: http://20.36.37.97/~| isOnline:yes| dateVerified:2020-01-06T14:17:16+00:00", - "share_level": "white", - "value": "http://20.36.37.97/~" - } - }, - { - "value": "http://jppost-ki.co/zog.html", - "type": "URL", - "rawJSON": { - "indicator": "http://jppost-ki.co/zog.html", - "type": "URL", - "stix_title": "URL: http://jppost-ki.co/zog.html...", - "stix_description": "URL: http://jppost-ki.co/zog.html| isOnline:yes| 
dateVerified:2020-01-06T08:58:15+00:00", - "share_level": "white", - "value": "http://jppost-ki.co/zog.html" - } - }, - { - "value": "https://addventures.reclaimbetasite.com/sec/Asb/", - "type": "URL", - "rawJSON": { - "indicator": "https://addventures.reclaimbetasite.com/sec/Asb/", - "type": "URL", - "stix_title": "URL: https://addventures.reclaimbetasite.com/sec/Asb/...", - "stix_description": "URL: https://addventures.reclaimbetasite.com/sec/Asb/| isOnline:yes| dateVerified:2020-01-06T14:29:05+00:00", - "share_level": "white", - "value": "https://addventures.reclaimbetasite.com/sec/Asb/" - } - }, - { - "value": "https://paypal.co.uk.6mon.icu/air/Login.php?sslchannel=true&amp;sessionid=EavGnT9qBbJHUghI9lfdBfQBcNIJriWz93UpeD9bm22QzPKIZj9WJxUGHc7IW6T001IYCJHrI7wmAouc6yKYxTbBVsl3XABKGqZtju5hjlwiEcTvWCpaRamuHSRX2TVDBl", - "type": "URL", - "rawJSON": { - "indicator": "https://paypal.co.uk.6mon.icu/air/Login.php?sslchannel=true&amp;sessionid=EavGnT9qBbJHUghI9lfdBfQBcNIJriWz93UpeD9bm22QzPKIZj9WJxUGHc7IW6T001IYCJHrI7wmAouc6yKYxTbBVsl3XABKGqZtju5hjlwiEcTvWCpaRamuHSRX2TVDBl", - "type": "URL", - "stix_title": "URL: https://paypal.co.uk.6mon.icu/air/Login.php?sslchannel=true&amp;se...", - "stix_description": "URL: https://paypal.co.uk.6mon.icu/air/Login.php?sslchannel=true&sessionid=EavGnT9qBbJHUghI9lfdBfQBcNIJriWz93UpeD9bm22QzPKIZj9WJxUGHc7IW6T001IYCJHrI7wmAouc6yKYxTbBVsl3XABKGqZtju5hjlwiEcTvWCpaRamuHSRX2TVDBl| isOnline:yes| dateVerified:2020-01-06T14:23:46+00:00", - "share_level": "white", - "value": "https://paypal.co.uk.6mon.icu/air/Login.php?sslchannel=true&amp;sessionid=EavGnT9qBbJHUghI9lfdBfQBcNIJriWz93UpeD9bm22QzPKIZj9WJxUGHc7IW6T001IYCJHrI7wmAouc6yKYxTbBVsl3XABKGqZtju5hjlwiEcTvWCpaRamuHSRX2TVDBl" - } - }, - { - "value": "https://a1.gymtracker.net/v2/?sess=t51h1q0sljin0t3e4ahejnk4h2", - "type": "URL", - "rawJSON": { - "indicator": "https://a1.gymtracker.net/v2/?sess=t51h1q0sljin0t3e4ahejnk4h2", - "type": "URL", - "stix_title": "URL: 
https://a1.gymtracker.net/v2/?sess=t51h1q0sljin0t3e4ahejnk4h2...", - "stix_description": "URL: https://a1.gymtracker.net/v2/?sess=t51h1q0sljin0t3e4ahejnk4h2| isOnline:yes| dateVerified:2020-01-06T07:41:04+00:00", - "share_level": "white", - "value": "https://a1.gymtracker.net/v2/?sess=t51h1q0sljin0t3e4ahejnk4h2" - } - }, - { - "value": "https://kb-healthcare.com/att/sbc/sbc/sbcglobal.net.htm", - "type": "URL", - "rawJSON": { - "indicator": "https://kb-healthcare.com/att/sbc/sbc/sbcglobal.net.htm", - "type": "URL", - "stix_title": "URL: https://kb-healthcare.com/att/sbc/sbc/sbcglobal.net.htm...", - "stix_description": "URL: https://kb-healthcare.com/att/sbc/sbc/sbcglobal.net.htm| isOnline:yes| dateVerified:2020-01-06T07:33:19+00:00", - "share_level": "white", - "value": "https://kb-healthcare.com/att/sbc/sbc/sbcglobal.net.htm" - } - }, - { - "value": "https://x0m0s.weblium.site/", - "type": "URL", - "rawJSON": { - "indicator": "https://x0m0s.weblium.site/", - "type": "URL", - "stix_title": "URL: https://x0m0s.weblium.site/...", - "stix_description": "URL: https://x0m0s.weblium.site/| isOnline:yes| dateVerified:2020-01-06T14:35:24+00:00", - "share_level": "white", - "value": "https://x0m0s.weblium.site/" - } - }, - { - "value": "http://www.ablenew.biz/nD/", - "type": "URL", - "rawJSON": { - "indicator": "http://www.ablenew.biz/nD/", - "type": "URL", - "stix_title": "URL: http://www.ablenew.biz/nD/...", - "stix_description": "URL: http://www.ablenew.biz/nD/| isOnline:yes| dateVerified:2020-01-06T09:13:21+00:00", - "share_level": "white", - "value": "http://www.ablenew.biz/nD/" - } - }, - { - "value": "http://www.mahmoudghoneim.com/help/login/customer_center/customer-IDPP00C468/", - "type": "URL", - "rawJSON": { - "indicator": "http://www.mahmoudghoneim.com/help/login/customer_center/customer-IDPP00C468/", - "type": "URL", - "stix_title": "URL: http://www.mahmoudghoneim.com/help/login/customer_center/customer-IDPP...", - "stix_description": "URL: 
http://www.mahmoudghoneim.com/help/login/customer_center/customer-IDPP00C468/| isOnline:yes| dateVerified:2020-01-06T10:06:44+00:00", - "share_level": "white", - "value": "http://www.mahmoudghoneim.com/help/login/customer_center/customer-IDPP00C468/" - } - }, - { - "value": "http://genuineautoparts.co.uk/nofij3ksa/nptoris/shipping_info/datenschutz/videotest/privacy_policy.php/cps/ypx/?sense=1v05z5csp5aeuaw", - "type": "URL", - "rawJSON": { - "indicator": "http://genuineautoparts.co.uk/nofij3ksa/nptoris/shipping_info/datenschutz/videotest/privacy_policy.php/cps/ypx/?sense=1v05z5csp5aeuaw", - "type": "URL", - "stix_title": "URL: http://genuineautoparts.co.uk/nofij3ksa/nptoris/shipping_info/datensch...", - "stix_description": "URL: http://genuineautoparts.co.uk/nofij3ksa/nptoris/shipping_info/datenschutz/videotest/privacy_policy.php/cps/ypx/?sense=1v05z5csp5aeuaw| isOnline:yes| dateVerified:2020-01-06T10:23:06+00:00", - "share_level": "white", - "value": "http://genuineautoparts.co.uk/nofij3ksa/nptoris/shipping_info/datenschutz/videotest/privacy_policy.php/cps/ypx/?sense=1v05z5csp5aeuaw" - } - }, - { - "value": "https://zasobygwp.pl/redirect?sig=78a326687125ec4399e48d9862d738f4eed69984f79ae4231dac7b02040c966b&amp;url=aHR0cHM6Ly9yZWJyYW5kLmx5L2xuMW4xZA==&amp;platform=app_android&amp;brand=o2", - "type": "URL", - "rawJSON": { - "indicator": "https://zasobygwp.pl/redirect?sig=78a326687125ec4399e48d9862d738f4eed69984f79ae4231dac7b02040c966b&amp;url=aHR0cHM6Ly9yZWJyYW5kLmx5L2xuMW4xZA==&amp;platform=app_android&amp;brand=o2", - "type": "URL", - "stix_title": "URL: https://zasobygwp.pl/redirect?sig=78a326687125ec4399e48d9862d738f4eed6...", - "stix_description": "URL: https://zasobygwp.pl/redirect?sig=78a326687125ec4399e48d9862d738f4eed69984f79ae4231dac7b02040c966b&url=aHR0cHM6Ly9yZWJyYW5kLmx5L2xuMW4xZA==&platform=app_android&brand=o2| isOnline:yes| dateVerified:2020-01-06T07:53:37+00:00", - "share_level": "white", - "value": 
"https://zasobygwp.pl/redirect?sig=78a326687125ec4399e48d9862d738f4eed69984f79ae4231dac7b02040c966b&amp;url=aHR0cHM6Ly9yZWJyYW5kLmx5L2xuMW4xZA==&amp;platform=app_android&amp;brand=o2" - } - }, - { - "value": "http://111.90.149.220/banks/Desjardins/a40b89886fe5eb23fc134a53e1bd0af2", - "type": "URL", - "rawJSON": { - "indicator": "http://111.90.149.220/banks/Desjardins/a40b89886fe5eb23fc134a53e1bd0af2", - "type": "URL", - "stix_title": "URL: http://111.90.149.220/banks/Desjardins/a40b89886fe5eb23fc134a53e1bd0af...", - "stix_description": "URL: http://111.90.149.220/banks/Desjardins/a40b89886fe5eb23fc134a53e1bd0af2| isOnline:yes| dateVerified:2020-01-06T10:30:01+00:00", - "share_level": "white", - "value": "http://111.90.149.220/banks/Desjardins/a40b89886fe5eb23fc134a53e1bd0af2" - } - } -] + { + "value": "http://www.lifetmeda.ru/rewq/3e7479b6d30a8b744b96db72795b6aba/", + "type": "URL", + "fields": { + "tags": [] + }, + "rawJSON": { + "indicator": "http://www.lifetmeda.ru/rewq/3e7479b6d30a8b744b96db72795b6aba/", + "type": "URL", + "stix_title": "URL: http://www.lifetmeda.ru/rewq/3e7479b6d30a8b744b96db72795b6aba/...", + "stix_description": "URL: http://www.lifetmeda.ru/rewq/3e7479b6d30a8b744b96db72795b6aba/| isOnline:yes| dateVerified:2020-01-06T07:55:08+00:00", + "share_level": "white", + "value": "http://www.lifetmeda.ru/rewq/3e7479b6d30a8b744b96db72795b6aba/" + } + }, + { + "value": "https://software8n-chase.com/home/", + "type": "URL", + "fields": { + "tags": [] + }, + "rawJSON": { + "indicator": "https://software8n-chase.com/home/", + "type": "URL", + "stix_title": "URL: https://software8n-chase.com/home/...", + "stix_description": "URL: https://software8n-chase.com/home/| isOnline:yes| dateVerified:2020-01-06T07:54:30+00:00", + "share_level": "white", + "value": "https://software8n-chase.com/home/" + } + }, + { + "value": "https://hmrc.5-notifications.com/338c933a18e9b57f72e608e67c5e4afd/index.php", + "type": "URL", + "fields": { + "tags": [] + }, + "rawJSON": { + 
"indicator": "https://hmrc.5-notifications.com/338c933a18e9b57f72e608e67c5e4afd/index.php", + "type": "URL", + "stix_title": "URL: https://hmrc.5-notifications.com/338c933a18e9b57f72e608e67c5e4afd/inde...", + "stix_description": "URL: https://hmrc.5-notifications.com/338c933a18e9b57f72e608e67c5e4afd/index.php| isOnline:yes| dateVerified:2020-01-06T13:25:07+00:00", + "share_level": "white", + "value": "https://hmrc.5-notifications.com/338c933a18e9b57f72e608e67c5e4afd/index.php" + } + }, + { + "value": "http://medimobility.es/wordpress/wp-admin/includes/onlinebanking/account/validation/chase.com/home/myaccount/billing.php?dispatched=66", + "type": "URL", + "fields": { + "tags": [] + }, + "rawJSON": { + "indicator": "http://medimobility.es/wordpress/wp-admin/includes/onlinebanking/account/validation/chase.com/home/myaccount/billing.php?dispatched=66", + "type": "URL", + "stix_title": "URL: http://medimobility.es/wordpress/wp-admin/includes/onlinebanking/accou...", + "stix_description": "URL: http://medimobility.es/wordpress/wp-admin/includes/onlinebanking/account/validation/chase.com/home/myaccount/billing.php?dispatched=66| isOnline:yes| dateVerified:2020-01-06T07:37:02+00:00", + "share_level": "white", + "value": "http://medimobility.es/wordpress/wp-admin/includes/onlinebanking/account/validation/chase.com/home/myaccount/billing.php?dispatched=66" + } + }, + { + "value": "https://icloud.com.uk-maps.info/?ld=iXS64Gold", + "type": "URL", + "fields": { + "tags": [] + }, + "rawJSON": { + "indicator": "https://icloud.com.uk-maps.info/?ld=iXS64Gold", + "type": "URL", + "stix_title": "URL: https://icloud.com.uk-maps.info/?ld=iXS64Gold...", + "stix_description": "URL: https://icloud.com.uk-maps.info/?ld=iXS64Gold| isOnline:yes| dateVerified:2020-01-06T09:38:56+00:00", + "share_level": "white", + "value": "https://icloud.com.uk-maps.info/?ld=iXS64Gold" + } + }, + { + "value": 
"https://www.americanas.semanasaldao.com/destaques/produto/133756522/smart-tv-led-55-samsung-ultra-hd-4k-55nu7100-com-conversor-digital-3-hdmi-2-usb-wi-fi-solucao-inteligente-de-cabos-hdr-premium-smart-tizen/29120912594122", + "type": "URL", + "fields": { + "tags": [] + }, + "rawJSON": { + "indicator": "https://www.americanas.semanasaldao.com/destaques/produto/133756522/smart-tv-led-55-samsung-ultra-hd-4k-55nu7100-com-conversor-digital-3-hdmi-2-usb-wi-fi-solucao-inteligente-de-cabos-hdr-premium-smart-tizen/29120912594122", + "type": "URL", + "stix_title": "URL: https://www.americanas.semanasaldao.com/destaques/produto/133756522/sm...", + "stix_description": "URL: https://www.americanas.semanasaldao.com/destaques/produto/133756522/smart-tv-led-55-samsung-ultra-hd-4k-55nu7100-com-conversor-digital-3-hdmi-2-usb-wi-fi-solucao-inteligente-de-cabos-hdr-premium-smart-tizen/29120912594122| isOnline:yes| dateVerified:2020-01-06T07:38:50+00:00", + "share_level": "white", + "value": "https://www.americanas.semanasaldao.com/destaques/produto/133756522/smart-tv-led-55-samsung-ultra-hd-4k-55nu7100-com-conversor-digital-3-hdmi-2-usb-wi-fi-solucao-inteligente-de-cabos-hdr-premium-smart-tizen/29120912594122" + } + }, + { + "value": "https://www31.janeirodepromocao.com/prodcb684ff46e483a3566954545d85715e7lnk/samsung-galaxy-j8-prata-64gb-and-8-1-6-octa-core-1-8ghz-4g/p/ceg87g4b76/te/sgj8/", + "type": "URL", + "fields": { + "tags": [] + }, + "rawJSON": { + "indicator": "https://www31.janeirodepromocao.com/prodcb684ff46e483a3566954545d85715e7lnk/samsung-galaxy-j8-prata-64gb-and-8-1-6-octa-core-1-8ghz-4g/p/ceg87g4b76/te/sgj8/", + "type": "URL", + "stix_title": "URL: https://www31.janeirodepromocao.com/prodcb684ff46e483a3566954545d85715...", + "stix_description": "URL: https://www31.janeirodepromocao.com/prodcb684ff46e483a3566954545d85715e7lnk/samsung-galaxy-j8-prata-64gb-and-8-1-6-octa-core-1-8ghz-4g/p/ceg87g4b76/te/sgj8/| isOnline:yes| dateVerified:2020-01-06T10:46:48+00:00", + 
"share_level": "white", + "value": "https://www31.janeirodepromocao.com/prodcb684ff46e483a3566954545d85715e7lnk/samsung-galaxy-j8-prata-64gb-and-8-1-6-octa-core-1-8ghz-4g/p/ceg87g4b76/te/sgj8/" + } + }, + { + "value": "https://services.runescape.com-ey.top/weblogin/loginForm/", + "type": "URL", + "fields": { + "tags": [] + }, + "rawJSON": { + "indicator": "https://services.runescape.com-ey.top/weblogin/loginForm/", + "type": "URL", + "stix_title": "URL: https://services.runescape.com-ey.top/weblogin/loginForm/...", + "stix_description": "URL: https://services.runescape.com-ey.top/weblogin/loginForm/| isOnline:yes| dateVerified:2020-01-06T12:37:36+00:00", + "share_level": "white", + "value": "https://services.runescape.com-ey.top/weblogin/loginForm/" + } + }, + { + "value": "http://inspireddds.com/jc", + "type": "URL", + "fields": { + "tags": [] + }, + "rawJSON": { + "indicator": "http://inspireddds.com/jc", + "type": "URL", + "stix_title": "URL: http://inspireddds.com/jc...", + "stix_description": "URL: http://inspireddds.com/jc| isOnline:yes| dateVerified:2020-01-06T07:37:09+00:00", + "share_level": "white", + "value": "http://inspireddds.com/jc" + } + }, + { + "value": "http://paypal.co.uk.useriq3sr4wszak.settingsppup.com/Settingsppup.cfm?fp=qA%20%20vfQCaxyRJ63KlZNT%20STTnPxyxrYfTfokWwjt6X8B2KMHd6vrhSDSVfCo87DIqJw7qRkWEOMbkv0rR4RQZYukqG1gSiNtwcKqaVUL1Ij0SBjrze%20hbkOC8CcMto%20ggUgBfzdNZ3Nh0nPG3SVk1Z8b5UrUDAxFsPajUDfY%20dBMPYAFLetKCfGDMDOS/jyeF2uK0Mh6gRUZKk99LBnJtA==&amp;maxads=0&amp;kld=1003&amp;yprpnd=7kxC8yexsnklnVq9qQrS1HTq1TxFDwZbYVKGXhVoFBU=&amp;prvtof=i4Cwtdag9Riq8qyOYYXfleX%20C9RGjbg5qA0Mcy3u6sE=&amp;eml&amp;cmd=form_submit&amp;dispatch=34xsd45423d1zmw241234zxadvzvh24af23d60&amp;&amp;kt=217&amp;kbc=settingsppup&amp;ktd=0&amp;kp=2", + "type": "URL", + "fields": { + "tags": [] + }, + "rawJSON": { + "indicator": 
"http://paypal.co.uk.useriq3sr4wszak.settingsppup.com/Settingsppup.cfm?fp=qA%20%20vfQCaxyRJ63KlZNT%20STTnPxyxrYfTfokWwjt6X8B2KMHd6vrhSDSVfCo87DIqJw7qRkWEOMbkv0rR4RQZYukqG1gSiNtwcKqaVUL1Ij0SBjrze%20hbkOC8CcMto%20ggUgBfzdNZ3Nh0nPG3SVk1Z8b5UrUDAxFsPajUDfY%20dBMPYAFLetKCfGDMDOS/jyeF2uK0Mh6gRUZKk99LBnJtA==&amp;maxads=0&amp;kld=1003&amp;yprpnd=7kxC8yexsnklnVq9qQrS1HTq1TxFDwZbYVKGXhVoFBU=&amp;prvtof=i4Cwtdag9Riq8qyOYYXfleX%20C9RGjbg5qA0Mcy3u6sE=&amp;eml&amp;cmd=form_submit&amp;dispatch=34xsd45423d1zmw241234zxadvzvh24af23d60&amp;&amp;kt=217&amp;kbc=settingsppup&amp;ktd=0&amp;kp=2", + "type": "URL", + "stix_title": "URL: http://paypal.co.uk.useriq3sr4wszak.settingsppup.com/Settingsppup.cfm?...", + "stix_description": "URL: http://paypal.co.uk.useriq3sr4wszak.settingsppup.com/Settingsppup.cfm?fp=qA%20%20vfQCaxyRJ63KlZNT%20STTnPxyxrYfTfokWwjt6X8B2KMHd6vrhSDSVfCo87DIqJw7qRkWEOMbkv0rR4RQZYukqG1gSiNtwcKqaVUL1Ij0SBjrze%20hbkOC8CcMto%20ggUgBfzdNZ3Nh0nPG3SVk1Z8b5UrUDAxFsPajUDfY%20dBMPYAFLetKCfGDMDOS/jyeF2uK0Mh6gRUZKk99LBnJtA==&maxads=0&kld=1003&yprpnd=7kxC8yexsnklnVq9qQrS1HTq1TxFDwZbYVKGXhVoFBU=&prvtof=i4Cwtdag9Riq8qyOYYXfleX%20C9RGjbg5qA0Mcy3u6sE=&eml&cmd=form_submit&dispatch=34xsd45423d1zmw241234zxadvzvh24af23d60&&kt=217&kbc=settingsppup&ktd=0&kp=2| isOnline:yes| dateVerified:2020-01-06T07:32:28+00:00", + "share_level": "white", + "value": "http://paypal.co.uk.useriq3sr4wszak.settingsppup.com/Settingsppup.cfm?fp=qA%20%20vfQCaxyRJ63KlZNT%20STTnPxyxrYfTfokWwjt6X8B2KMHd6vrhSDSVfCo87DIqJw7qRkWEOMbkv0rR4RQZYukqG1gSiNtwcKqaVUL1Ij0SBjrze%20hbkOC8CcMto%20ggUgBfzdNZ3Nh0nPG3SVk1Z8b5UrUDAxFsPajUDfY%20dBMPYAFLetKCfGDMDOS/jyeF2uK0Mh6gRUZKk99LBnJtA==&amp;maxads=0&amp;kld=1003&amp;yprpnd=7kxC8yexsnklnVq9qQrS1HTq1TxFDwZbYVKGXhVoFBU=&amp;prvtof=i4Cwtdag9Riq8qyOYYXfleX%20C9RGjbg5qA0Mcy3u6sE=&amp;eml&amp;cmd=form_submit&amp;dispatch=34xsd45423d1zmw241234zxadvzvh24af23d60&amp;&amp;kt=217&amp;kbc=settingsppup&amp;ktd=0&amp;kp=2" + } + }, + { + "value": 
"https://docs.google.com/forms/d/e/1FAIpQLSfLZzjIPwUm4Vu6wdSTu1N_h_cA0ZDfGXxatIKjXc4cdv43Vw/viewform", + "type": "URL", + "fields": { + "tags": [] + }, + "rawJSON": { + "indicator": "https://docs.google.com/forms/d/e/1FAIpQLSfLZzjIPwUm4Vu6wdSTu1N_h_cA0ZDfGXxatIKjXc4cdv43Vw/viewform", + "type": "URL", + "stix_title": "URL: https://docs.google.com/forms/d/e/1FAIpQLSfLZzjIPwUm4Vu6wdSTu1N_h_cA0Z...", + "stix_description": "URL: https://docs.google.com/forms/d/e/1FAIpQLSfLZzjIPwUm4Vu6wdSTu1N_h_cA0ZDfGXxatIKjXc4cdv43Vw/viewform| isOnline:yes| dateVerified:2020-01-06T07:52:14+00:00", + "share_level": "white", + "value": "https://docs.google.com/forms/d/e/1FAIpQLSfLZzjIPwUm4Vu6wdSTu1N_h_cA0ZDfGXxatIKjXc4cdv43Vw/viewform" + } + }, + { + "value": "http://20.36.37.97/~/", + "type": "URL", + "fields": { + "tags": [] + }, + "rawJSON": { + "indicator": "http://20.36.37.97/~/", + "type": "URL", + "stix_title": "URL: http://20.36.37.97/~/...", + "stix_description": "URL: http://20.36.37.97/~/| isOnline:yes| dateVerified:2020-01-06T14:17:16+00:00", + "share_level": "white", + "value": "http://20.36.37.97/~/" + } + }, + { + "value": "https://docs.google.com/forms/d/e/1FAIpQLScq5VuZ98zL9mh341AaAzgMNHvEh8Luuka_eoZOV_DtRcjCoA/viewform", + "type": "URL", + "fields": { + "tags": [] + }, + "rawJSON": { + "indicator": "https://docs.google.com/forms/d/e/1FAIpQLScq5VuZ98zL9mh341AaAzgMNHvEh8Luuka_eoZOV_DtRcjCoA/viewform", + "type": "URL", + "stix_title": "URL: https://docs.google.com/forms/d/e/1FAIpQLScq5VuZ98zL9mh341AaAzgMNHvEh8...", + "stix_description": "URL: https://docs.google.com/forms/d/e/1FAIpQLScq5VuZ98zL9mh341AaAzgMNHvEh8Luuka_eoZOV_DtRcjCoA/viewform| isOnline:yes| dateVerified:2020-01-06T08:42:27+00:00", + "share_level": "white", + "value": "https://docs.google.com/forms/d/e/1FAIpQLScq5VuZ98zL9mh341AaAzgMNHvEh8Luuka_eoZOV_DtRcjCoA/viewform" + } + }, + { + "value": "http://clienteofertaoonline.com/promocao.php", + "type": "URL", + "fields": { + "tags": [] + }, + "rawJSON": { + 
"indicator": "http://clienteofertaoonline.com/promocao.php", + "type": "URL", + "stix_title": "URL: http://clienteofertaoonline.com/promocao.php...", + "stix_description": "URL: http://clienteofertaoonline.com/promocao.php| isOnline:yes| dateVerified:2020-01-06T10:57:35+00:00", + "share_level": "white", + "value": "http://clienteofertaoonline.com/promocao.php" + } + }, + { + "value": "https://www35.janeirodepromocao.com/proddd16cd2bd128c923651287c2ba7a1a74lnk/samsung-galaxy-j8-prata-64gb-and-8-1-6-octa-core-1-8ghz-4g/p/ceg87g4b76/te/sgj8/", + "type": "URL", + "fields": { + "tags": [] + }, + "rawJSON": { + "indicator": "https://www35.janeirodepromocao.com/proddd16cd2bd128c923651287c2ba7a1a74lnk/samsung-galaxy-j8-prata-64gb-and-8-1-6-octa-core-1-8ghz-4g/p/ceg87g4b76/te/sgj8/", + "type": "URL", + "stix_title": "URL: https://www35.janeirodepromocao.com/proddd16cd2bd128c923651287c2ba7a1a...", + "stix_description": "URL: https://www35.janeirodepromocao.com/proddd16cd2bd128c923651287c2ba7a1a74lnk/samsung-galaxy-j8-prata-64gb-and-8-1-6-octa-core-1-8ghz-4g/p/ceg87g4b76/te/sgj8/| isOnline:yes| dateVerified:2020-01-06T10:44:31+00:00", + "share_level": "white", + "value": "https://www35.janeirodepromocao.com/proddd16cd2bd128c923651287c2ba7a1a74lnk/samsung-galaxy-j8-prata-64gb-and-8-1-6-octa-core-1-8ghz-4g/p/ceg87g4b76/te/sgj8/" + } + }, + { + "value": "http://telesomonline.com/", + "type": "URL", + "fields": { + "tags": [] + }, + "rawJSON": { + "indicator": "http://telesomonline.com/", + "type": "URL", + "stix_title": "URL: http://telesomonline.com/...", + "stix_description": "URL: http://telesomonline.com/| isOnline:yes| dateVerified:2020-01-06T08:00:06+00:00", + "share_level": "white", + "value": "http://telesomonline.com/" + } + }, + { + "value": "http://novasmelhoresluiza.com/site/25181aihj521800084/index.php?o-de-panelas-tramontina-turim-20298707-7-pecas-vermelho-/p/ehf4hekh4a/ud/panl/&amp;id=1", + "type": "URL", + "fields": { + "tags": [] + }, + "rawJSON": { + 
"indicator": "http://novasmelhoresluiza.com/site/25181aihj521800084/index.php?o-de-panelas-tramontina-turim-20298707-7-pecas-vermelho-/p/ehf4hekh4a/ud/panl/&amp;id=1", + "type": "URL", + "stix_title": "URL: http://novasmelhoresluiza.com/site/25181aihj521800084/index.php?o-de-p...", + "stix_description": "URL: http://novasmelhoresluiza.com/site/25181aihj521800084/index.php?o-de-panelas-tramontina-turim-20298707-7-pecas-vermelho-/p/ehf4hekh4a/ud/panl/&id=1| isOnline:yes| dateVerified:2020-01-06T10:34:46+00:00", + "share_level": "white", + "value": "http://novasmelhoresluiza.com/site/25181aihj521800084/index.php?o-de-panelas-tramontina-turim-20298707-7-pecas-vermelho-/p/ehf4hekh4a/ud/panl/&amp;id=1" + } + }, + { + "value": "http://www.lifetmeda.ru/rewq/3e7479b6d30a8b744b96db72795b6aba", + "type": "URL", + "fields": { + "tags": [] + }, + "rawJSON": { + "indicator": "http://www.lifetmeda.ru/rewq/3e7479b6d30a8b744b96db72795b6aba", + "type": "URL", + "stix_title": "URL: http://www.lifetmeda.ru/rewq/3e7479b6d30a8b744b96db72795b6aba...", + "stix_description": "URL: http://www.lifetmeda.ru/rewq/3e7479b6d30a8b744b96db72795b6aba| isOnline:yes| dateVerified:2020-01-06T08:15:25+00:00", + "share_level": "white", + "value": "http://www.lifetmeda.ru/rewq/3e7479b6d30a8b744b96db72795b6aba" + } + }, + { + "value": "http://0fertas-do-dia-24hr-com.umbler.net/promocao.php", + "type": "URL", + "fields": { + "tags": [] + }, + "rawJSON": { + "indicator": "http://0fertas-do-dia-24hr-com.umbler.net/promocao.php", + "type": "URL", + "stix_title": "URL: http://0fertas-do-dia-24hr-com.umbler.net/promocao.php...", + "stix_description": "URL: http://0fertas-do-dia-24hr-com.umbler.net/promocao.php| isOnline:yes| dateVerified:2020-01-06T13:03:38+00:00", + "share_level": "white", + "value": "http://0fertas-do-dia-24hr-com.umbler.net/promocao.php" + } + }, + { + "value": "http://mindspring.com/~hangle/homepage/index.html", + "type": "URL", + "fields": { + "tags": [] + }, + "rawJSON": { + "indicator": 
"http://mindspring.com/~hangle/homepage/index.html", + "type": "URL", + "stix_title": "URL: http://mindspring.com/~hangle/homepage/index.html...", + "stix_description": "URL: http://mindspring.com/~hangle/homepage/index.html| isOnline:yes| dateVerified:2020-01-06T10:06:41+00:00", + "share_level": "white", + "value": "http://mindspring.com/~hangle/homepage/index.html" + } + }, + { + "value": "https://ltau-portal.com/device/m/para-voce/webApps_AplicationInfoFisica1.php", + "type": "URL", + "fields": { + "tags": [] + }, + "rawJSON": { + "indicator": "https://ltau-portal.com/device/m/para-voce/webApps_AplicationInfoFisica1.php", + "type": "URL", + "stix_title": "URL: https://ltau-portal.com/device/m/para-voce/webApps_AplicationInfoFisic...", + "stix_description": "URL: https://ltau-portal.com/device/m/para-voce/webApps_AplicationInfoFisica1.php| isOnline:yes| dateVerified:2020-01-06T14:16:27+00:00", + "share_level": "white", + "value": "https://ltau-portal.com/device/m/para-voce/webApps_AplicationInfoFisica1.php" + } + }, + { + "value": "https://ecertificatewala.com/www.PayPal.com-Re-Secure-Your-Account-verification-support/signin?amp&amp;&amp;&amp;country.x=US", + "type": "URL", + "fields": { + "tags": [] + }, + "rawJSON": { + "indicator": "https://ecertificatewala.com/www.PayPal.com-Re-Secure-Your-Account-verification-support/signin?amp&amp;&amp;&amp;country.x=US", + "type": "URL", + "stix_title": "URL: https://ecertificatewala.com/www.PayPal.com-Re-Secure-Your-Account-ver...", + "stix_description": "URL: https://ecertificatewala.com/www.PayPal.com-Re-Secure-Your-Account-verification-support/signin?amp&&&country.x=US| isOnline:yes| dateVerified:2020-01-06T06:27:50+00:00", + "share_level": "white", + "value": "https://ecertificatewala.com/www.PayPal.com-Re-Secure-Your-Account-verification-support/signin?amp&amp;&amp;&amp;country.x=US" + } + }, + { + "value": "http://receptfritt-cialis.com/drwxe/customer_center/customer-IDPP00C129/myaccount/signin/", + "type": "URL", + 
"fields": { + "tags": [] + }, + "rawJSON": { + "indicator": "http://receptfritt-cialis.com/drwxe/customer_center/customer-IDPP00C129/myaccount/signin/", + "type": "URL", + "stix_title": "URL: http://receptfritt-cialis.com/drwxe/customer_center/customer-IDPP00C12...", + "stix_description": "URL: http://receptfritt-cialis.com/drwxe/customer_center/customer-IDPP00C129/myaccount/signin/| isOnline:yes| dateVerified:2020-01-06T10:11:25+00:00", + "share_level": "white", + "value": "http://receptfritt-cialis.com/drwxe/customer_center/customer-IDPP00C129/myaccount/signin/" + } + }, + { + "value": "http://ahahahahah.buzz/l/rBraLX/welcome.html", + "type": "URL", + "fields": { + "tags": [] + }, + "rawJSON": { + "indicator": "http://ahahahahah.buzz/l/rBraLX/welcome.html", + "type": "URL", + "stix_title": "URL: http://ahahahahah.buzz/l/rBraLX/welcome.html...", + "stix_description": "URL: http://ahahahahah.buzz/l/rBraLX/welcome.html| isOnline:yes| dateVerified:2020-01-06T07:42:52+00:00", + "share_level": "white", + "value": "http://ahahahahah.buzz/l/rBraLX/welcome.html" + } + }, + { + "value": "https://optusupdatemail.com/optusnetAU/fbs/?cmd=_account-details&session=84afcc2281c3532820e288acca3079f5&dispatch=b0cd4918361149a5283d11547c1a65e55b1a1079", + "type": "URL", + "fields": { + "tags": [] + }, + "rawJSON": { + "indicator": "https://optusupdatemail.com/optusnetAU/fbs/?cmd=_account-details&session=84afcc2281c3532820e288acca3079f5&dispatch=b0cd4918361149a5283d11547c1a65e55b1a1079", + "type": "URL", + "stix_title": "URL: https://optusupdatemail.com/optusnetAU/fbs/?cmd=_account-details&s...", + "stix_description": "URL: https://optusupdatemail.com/optusnetAU/fbs/?cmd=_account-details&session=84afcc2281c3532820e288acca3079f5&dispatch=b0cd4918361149a5283d11547c1a65e55b1a1079| isOnline:yes| dateVerified:2020-01-06T04:13:03+00:00", + "share_level": "white", + "value": 
"https://optusupdatemail.com/optusnetAU/fbs/?cmd=_account-details&session=84afcc2281c3532820e288acca3079f5&dispatch=b0cd4918361149a5283d11547c1a65e55b1a1079" + } + }, + { + "value": "http://clinicaskin.cl/whre/beth/", + "type": "URL", + "fields": { + "tags": [] + }, + "rawJSON": { + "indicator": "http://clinicaskin.cl/whre/beth/", + "type": "URL", + "stix_title": "URL: http://clinicaskin.cl/whre/beth/...", + "stix_description": "URL: http://clinicaskin.cl/whre/beth/| isOnline:yes| dateVerified:2020-01-06T10:01:19+00:00", + "share_level": "white", + "value": "http://clinicaskin.cl/whre/beth/" + } + }, + { + "value": "https://belovedcommunityusa.com/.NEDBRANCH/NedMoney~PROFILE~PIN~PASSWORD.htm", + "type": "URL", + "fields": { + "tags": [] + }, + "rawJSON": { + "indicator": "https://belovedcommunityusa.com/.NEDBRANCH/NedMoney~PROFILE~PIN~PASSWORD.htm", + "type": "URL", + "stix_title": "URL: https://belovedcommunityusa.com/.NEDBRANCH/NedMoney~PROFILE~PIN~PASSWO...", + "stix_description": "URL: https://belovedcommunityusa.com/.NEDBRANCH/NedMoney~PROFILE~PIN~PASSWORD.htm| isOnline:yes| dateVerified:2020-01-06T06:21:07+00:00", + "share_level": "white", + "value": "https://belovedcommunityusa.com/.NEDBRANCH/NedMoney~PROFILE~PIN~PASSWORD.htm" + } + }, + { + "value": "http://bit.ly/2RTEXSf", + "type": "URL", + "fields": { + "tags": [] + }, + "rawJSON": { + "indicator": "http://bit.ly/2RTEXSf", + "type": "URL", + "stix_title": "URL: http://bit.ly/2RTEXSf...", + "stix_description": "URL: http://bit.ly/2RTEXSf| isOnline:yes| dateVerified:2020-01-06T08:23:29+00:00", + "share_level": "white", + "value": "http://bit.ly/2RTEXSf" + } + }, + { + "value": "http://dreamhouse.in.th/sigin/customer_center/customer-IDPP00C134", + "type": "URL", + "fields": { + "tags": [] + }, + "rawJSON": { + "indicator": "http://dreamhouse.in.th/sigin/customer_center/customer-IDPP00C134", + "type": "URL", + "stix_title": "URL: http://dreamhouse.in.th/sigin/customer_center/customer-IDPP00C134...", + 
"stix_description": "URL: http://dreamhouse.in.th/sigin/customer_center/customer-IDPP00C134| isOnline:yes| dateVerified:2020-01-06T07:55:18+00:00", + "share_level": "white", + "value": "http://dreamhouse.in.th/sigin/customer_center/customer-IDPP00C134" + } + }, + { + "value": "http://sdfgress.info/Tssb/", + "type": "URL", + "fields": { + "tags": [] + }, + "rawJSON": { + "indicator": "http://sdfgress.info/Tssb/", + "type": "URL", + "stix_title": "URL: http://sdfgress.info/Tssb/...", + "stix_description": "URL: http://sdfgress.info/Tssb/| isOnline:yes| dateVerified:2020-01-06T15:06:50+00:00", + "share_level": "white", + "value": "http://sdfgress.info/Tssb/" + } + }, + { + "value": "https://rebrand.ly/ir3td8", + "type": "URL", + "fields": { + "tags": [] + }, + "rawJSON": { + "indicator": "https://rebrand.ly/ir3td8", + "type": "URL", + "stix_title": "URL: https://rebrand.ly/ir3td8...", + "stix_description": "URL: https://rebrand.ly/ir3td8| isOnline:yes| dateVerified:2020-01-06T07:38:49+00:00", + "share_level": "white", + "value": "https://rebrand.ly/ir3td8" + } + }, + { + "value": "https://ltau-portal.com/device/m", + "type": "URL", + "fields": { + "tags": [] + }, + "rawJSON": { + "indicator": "https://ltau-portal.com/device/m", + "type": "URL", + "stix_title": "URL: https://ltau-portal.com/device/m...", + "stix_description": "URL: https://ltau-portal.com/device/m| isOnline:yes| dateVerified:2020-01-06T14:17:16+00:00", + "share_level": "white", + "value": "https://ltau-portal.com/device/m" + } + }, + { + "value": "http://www.sdmiramar.edu/library/sites/default/files/styles/RedirSeguro.html", + "type": "URL", + "fields": { + "tags": [] + }, + "rawJSON": { + "indicator": "http://www.sdmiramar.edu/library/sites/default/files/styles/RedirSeguro.html", + "type": "URL", + "stix_title": "URL: http://www.sdmiramar.edu/library/sites/default/files/styles/RedirSegur...", + "stix_description": "URL: http://www.sdmiramar.edu/library/sites/default/files/styles/RedirSeguro.html| 
isOnline:yes| dateVerified:2020-01-06T07:40:30+00:00", + "share_level": "white", + "value": "http://www.sdmiramar.edu/library/sites/default/files/styles/RedirSeguro.html" + } + }, + { + "value": "http://exam.karthikeyaiasacademy.com/.chase/chases/jpmchase.html", + "type": "URL", + "fields": { + "tags": [] + }, + "rawJSON": { + "indicator": "http://exam.karthikeyaiasacademy.com/.chase/chases/jpmchase.html", + "type": "URL", + "stix_title": "URL: http://exam.karthikeyaiasacademy.com/.chase/chases/jpmchase.html...", + "stix_description": "URL: http://exam.karthikeyaiasacademy.com/.chase/chases/jpmchase.html| isOnline:yes| dateVerified:2020-01-06T14:23:01+00:00", + "share_level": "white", + "value": "http://exam.karthikeyaiasacademy.com/.chase/chases/jpmchase.html" + } + }, + { + "value": "https://t.co/urOY0sKqpl", + "type": "URL", + "fields": { + "tags": [] + }, + "rawJSON": { + "indicator": "https://t.co/urOY0sKqpl", + "type": "URL", + "stix_title": "URL: https://t.co/urOY0sKqpl...", + "stix_description": "URL: https://t.co/urOY0sKqpl| isOnline:yes| dateVerified:2020-01-06T09:43:39+00:00", + "share_level": "white", + "value": "https://t.co/urOY0sKqpl" + } + }, + { + "value": "https://paypal.co.uk.6mon.icu/p/login.php", + "type": "URL", + "fields": { + "tags": [] + }, + "rawJSON": { + "indicator": "https://paypal.co.uk.6mon.icu/p/login.php", + "type": "URL", + "stix_title": "URL: https://paypal.co.uk.6mon.icu/p/login.php...", + "stix_description": "URL: https://paypal.co.uk.6mon.icu/p/login.php| isOnline:yes| dateVerified:2020-01-06T14:29:56+00:00", + "share_level": "white", + "value": "https://paypal.co.uk.6mon.icu/p/login.php" + } + }, + { + "value": "http://chase-2sconfirm.com/home/myaccount/billing.php?websrc=e17ea285ad581008aac6b89b49ab879e&amp;dispatched=80&amp;id=6383734797", + "type": "URL", + "fields": { + "tags": [] + }, + "rawJSON": { + "indicator": 
"http://chase-2sconfirm.com/home/myaccount/billing.php?websrc=e17ea285ad581008aac6b89b49ab879e&amp;dispatched=80&amp;id=6383734797", + "type": "URL", + "stix_title": "URL: http://chase-2sconfirm.com/home/myaccount/billing.php?websrc=e17ea285a...", + "stix_description": "URL: http://chase-2sconfirm.com/home/myaccount/billing.php?websrc=e17ea285ad581008aac6b89b49ab879e&dispatched=80&id=6383734797| isOnline:yes| dateVerified:2020-01-06T07:58:20+00:00", + "share_level": "white", + "value": "http://chase-2sconfirm.com/home/myaccount/billing.php?websrc=e17ea285ad581008aac6b89b49ab879e&amp;dispatched=80&amp;id=6383734797" + } + }, + { + "value": "http://magalufimdesemana.com/promocao.php", + "type": "URL", + "fields": { + "tags": [] + }, + "rawJSON": { + "indicator": "http://magalufimdesemana.com/promocao.php", + "type": "URL", + "stix_title": "URL: http://magalufimdesemana.com/promocao.php...", + "stix_description": "URL: http://magalufimdesemana.com/promocao.php| isOnline:yes| dateVerified:2020-01-06T10:47:34+00:00", + "share_level": "white", + "value": "http://magalufimdesemana.com/promocao.php" + } + }, + { + "value": "http://20.36.37.97/~", + "type": "URL", + "fields": { + "tags": [] + }, + "rawJSON": { + "indicator": "http://20.36.37.97/~", + "type": "URL", + "stix_title": "URL: http://20.36.37.97/~...", + "stix_description": "URL: http://20.36.37.97/~| isOnline:yes| dateVerified:2020-01-06T14:17:16+00:00", + "share_level": "white", + "value": "http://20.36.37.97/~" + } + }, + { + "value": "http://jppost-ki.co/zog.html", + "type": "URL", + "fields": { + "tags": [] + }, + "rawJSON": { + "indicator": "http://jppost-ki.co/zog.html", + "type": "URL", + "stix_title": "URL: http://jppost-ki.co/zog.html...", + "stix_description": "URL: http://jppost-ki.co/zog.html| isOnline:yes| dateVerified:2020-01-06T08:58:15+00:00", + "share_level": "white", + "value": "http://jppost-ki.co/zog.html" + } + }, + { + "value": "https://addventures.reclaimbetasite.com/sec/Asb/", + "type": 
"URL", + "fields": { + "tags": [] + }, + "rawJSON": { + "indicator": "https://addventures.reclaimbetasite.com/sec/Asb/", + "type": "URL", + "stix_title": "URL: https://addventures.reclaimbetasite.com/sec/Asb/...", + "stix_description": "URL: https://addventures.reclaimbetasite.com/sec/Asb/| isOnline:yes| dateVerified:2020-01-06T14:29:05+00:00", + "share_level": "white", + "value": "https://addventures.reclaimbetasite.com/sec/Asb/" + } + }, + { + "value": "https://paypal.co.uk.6mon.icu/air/Login.php?sslchannel=true&amp;sessionid=EavGnT9qBbJHUghI9lfdBfQBcNIJriWz93UpeD9bm22QzPKIZj9WJxUGHc7IW6T001IYCJHrI7wmAouc6yKYxTbBVsl3XABKGqZtju5hjlwiEcTvWCpaRamuHSRX2TVDBl", + "type": "URL", + "fields": { + "tags": [] + }, + "rawJSON": { + "indicator": "https://paypal.co.uk.6mon.icu/air/Login.php?sslchannel=true&amp;sessionid=EavGnT9qBbJHUghI9lfdBfQBcNIJriWz93UpeD9bm22QzPKIZj9WJxUGHc7IW6T001IYCJHrI7wmAouc6yKYxTbBVsl3XABKGqZtju5hjlwiEcTvWCpaRamuHSRX2TVDBl", + "type": "URL", + "stix_title": "URL: https://paypal.co.uk.6mon.icu/air/Login.php?sslchannel=true&amp;se...", + "stix_description": "URL: https://paypal.co.uk.6mon.icu/air/Login.php?sslchannel=true&sessionid=EavGnT9qBbJHUghI9lfdBfQBcNIJriWz93UpeD9bm22QzPKIZj9WJxUGHc7IW6T001IYCJHrI7wmAouc6yKYxTbBVsl3XABKGqZtju5hjlwiEcTvWCpaRamuHSRX2TVDBl| isOnline:yes| dateVerified:2020-01-06T14:23:46+00:00", + "share_level": "white", + "value": "https://paypal.co.uk.6mon.icu/air/Login.php?sslchannel=true&amp;sessionid=EavGnT9qBbJHUghI9lfdBfQBcNIJriWz93UpeD9bm22QzPKIZj9WJxUGHc7IW6T001IYCJHrI7wmAouc6yKYxTbBVsl3XABKGqZtju5hjlwiEcTvWCpaRamuHSRX2TVDBl" + } + }, + { + "value": "https://a1.gymtracker.net/v2/?sess=t51h1q0sljin0t3e4ahejnk4h2", + "type": "URL", + "fields": { + "tags": [] + }, + "rawJSON": { + "indicator": "https://a1.gymtracker.net/v2/?sess=t51h1q0sljin0t3e4ahejnk4h2", + "type": "URL", + "stix_title": "URL: https://a1.gymtracker.net/v2/?sess=t51h1q0sljin0t3e4ahejnk4h2...", + "stix_description": "URL: 
https://a1.gymtracker.net/v2/?sess=t51h1q0sljin0t3e4ahejnk4h2| isOnline:yes| dateVerified:2020-01-06T07:41:04+00:00", + "share_level": "white", + "value": "https://a1.gymtracker.net/v2/?sess=t51h1q0sljin0t3e4ahejnk4h2" + } + }, + { + "value": "https://kb-healthcare.com/att/sbc/sbc/sbcglobal.net.htm", + "type": "URL", + "fields": { + "tags": [] + }, + "rawJSON": { + "indicator": "https://kb-healthcare.com/att/sbc/sbc/sbcglobal.net.htm", + "type": "URL", + "stix_title": "URL: https://kb-healthcare.com/att/sbc/sbc/sbcglobal.net.htm...", + "stix_description": "URL: https://kb-healthcare.com/att/sbc/sbc/sbcglobal.net.htm| isOnline:yes| dateVerified:2020-01-06T07:33:19+00:00", + "share_level": "white", + "value": "https://kb-healthcare.com/att/sbc/sbc/sbcglobal.net.htm" + } + }, + { + "value": "https://x0m0s.weblium.site/", + "type": "URL", + "fields": { + "tags": [] + }, + "rawJSON": { + "indicator": "https://x0m0s.weblium.site/", + "type": "URL", + "stix_title": "URL: https://x0m0s.weblium.site/...", + "stix_description": "URL: https://x0m0s.weblium.site/| isOnline:yes| dateVerified:2020-01-06T14:35:24+00:00", + "share_level": "white", + "value": "https://x0m0s.weblium.site/" + } + }, + { + "value": "http://www.ablenew.biz/nD/", + "type": "URL", + "fields": { + "tags": [] + }, + "rawJSON": { + "indicator": "http://www.ablenew.biz/nD/", + "type": "URL", + "stix_title": "URL: http://www.ablenew.biz/nD/...", + "stix_description": "URL: http://www.ablenew.biz/nD/| isOnline:yes| dateVerified:2020-01-06T09:13:21+00:00", + "share_level": "white", + "value": "http://www.ablenew.biz/nD/" + } + }, + { + "value": "http://www.mahmoudghoneim.com/help/login/customer_center/customer-IDPP00C468/", + "type": "URL", + "fields": { + "tags": [] + }, + "rawJSON": { + "indicator": "http://www.mahmoudghoneim.com/help/login/customer_center/customer-IDPP00C468/", + "type": "URL", + "stix_title": "URL: http://www.mahmoudghoneim.com/help/login/customer_center/customer-IDPP...", + 
"stix_description": "URL: http://www.mahmoudghoneim.com/help/login/customer_center/customer-IDPP00C468/| isOnline:yes| dateVerified:2020-01-06T10:06:44+00:00", + "share_level": "white", + "value": "http://www.mahmoudghoneim.com/help/login/customer_center/customer-IDPP00C468/" + } + }, + { + "value": "http://genuineautoparts.co.uk/nofij3ksa/nptoris/shipping_info/datenschutz/videotest/privacy_policy.php/cps/ypx/?sense=1v05z5csp5aeuaw", + "type": "URL", + "fields": { + "tags": [] + }, + "rawJSON": { + "indicator": "http://genuineautoparts.co.uk/nofij3ksa/nptoris/shipping_info/datenschutz/videotest/privacy_policy.php/cps/ypx/?sense=1v05z5csp5aeuaw", + "type": "URL", + "stix_title": "URL: http://genuineautoparts.co.uk/nofij3ksa/nptoris/shipping_info/datensch...", + "stix_description": "URL: http://genuineautoparts.co.uk/nofij3ksa/nptoris/shipping_info/datenschutz/videotest/privacy_policy.php/cps/ypx/?sense=1v05z5csp5aeuaw| isOnline:yes| dateVerified:2020-01-06T10:23:06+00:00", + "share_level": "white", + "value": "http://genuineautoparts.co.uk/nofij3ksa/nptoris/shipping_info/datenschutz/videotest/privacy_policy.php/cps/ypx/?sense=1v05z5csp5aeuaw" + } + }, + { + "value": "https://zasobygwp.pl/redirect?sig=78a326687125ec4399e48d9862d738f4eed69984f79ae4231dac7b02040c966b&amp;url=aHR0cHM6Ly9yZWJyYW5kLmx5L2xuMW4xZA==&amp;platform=app_android&amp;brand=o2", + "type": "URL", + "fields": { + "tags": [] + }, + "rawJSON": { + "indicator": "https://zasobygwp.pl/redirect?sig=78a326687125ec4399e48d9862d738f4eed69984f79ae4231dac7b02040c966b&amp;url=aHR0cHM6Ly9yZWJyYW5kLmx5L2xuMW4xZA==&amp;platform=app_android&amp;brand=o2", + "type": "URL", + "stix_title": "URL: https://zasobygwp.pl/redirect?sig=78a326687125ec4399e48d9862d738f4eed6...", + "stix_description": "URL: https://zasobygwp.pl/redirect?sig=78a326687125ec4399e48d9862d738f4eed69984f79ae4231dac7b02040c966b&url=aHR0cHM6Ly9yZWJyYW5kLmx5L2xuMW4xZA==&platform=app_android&brand=o2| isOnline:yes| 
dateVerified:2020-01-06T07:53:37+00:00",
+ "share_level": "white",
+ "value": "https://zasobygwp.pl/redirect?sig=78a326687125ec4399e48d9862d738f4eed69984f79ae4231dac7b02040c966b&amp;url=aHR0cHM6Ly9yZWJyYW5kLmx5L2xuMW4xZA==&amp;platform=app_android&amp;brand=o2"
+ }
+ },
+ {
+ "value": "http://111.90.149.220/banks/Desjardins/a40b89886fe5eb23fc134a53e1bd0af2",
+ "type": "URL",
+ "fields": {
+ "tags": []
+ },
+ "rawJSON": {
+ "indicator": "http://111.90.149.220/banks/Desjardins/a40b89886fe5eb23fc134a53e1bd0af2",
+ "type": "URL",
+ "stix_title": "URL: http://111.90.149.220/banks/Desjardins/a40b89886fe5eb23fc134a53e1bd0af...",
+ "stix_description": "URL: http://111.90.149.220/banks/Desjardins/a40b89886fe5eb23fc134a53e1bd0af2| isOnline:yes| dateVerified:2020-01-06T10:30:01+00:00",
+ "share_level": "white",
+ "value": "http://111.90.149.220/banks/Desjardins/a40b89886fe5eb23fc134a53e1bd0af2"
+ }
+ }
+]
\ No newline at end of file
diff --git a/Packs/FeedTAXII/Integrations/FeedTAXII2/FeedTAXII2.py b/Packs/FeedTAXII/Integrations/FeedTAXII2/FeedTAXII2.py
new file mode 100644
index 000000000000..ed16418d1750
--- /dev/null
+++ b/Packs/FeedTAXII/Integrations/FeedTAXII2/FeedTAXII2.py
@@ -0,0 +1,312 @@ +import demistomock as demisto +from CommonServerPython import * +from CommonServerUserPython import * + +from typing import Any, Tuple, Optional + +""" CONSTANT VARIABLES """ + + +CONTEXT_PREFIX = "TAXII2" +COMPLEX_OBSERVATION_MODE_SKIP = "Skip indicators with more than a single observation" +COMPLEX_OBSERVATION_MODE_CREATE_ALL = "Create indicator for each observation" + +""" HELPER FUNCTIONS """ + + +def try_parse_integer( + int_to_parse: Any, err_msg: str = "Please provide a valid limit (positive integer)" +) -> int: + """ + Tries to parse an integer, and if fails will throw DemistoException with given err_msg + """ + if not int_to_parse: + return int_to_parse + try: + res = int(int_to_parse) + except (TypeError, ValueError): + raise DemistoException(err_msg) + return res + + +""" COMMAND FUNCTIONS """ + + +def module_test_command(client, limit, fetch_full_feed): + if client.collections: + if fetch_full_feed: + if limit and limit != -1: + return_error( + "Configuration Error - Max Indicators Per Fetch is disabled when Full Feed Fetch is enabled" + ) + demisto.results("ok") + else: + return_error("Could not connect to server") + + +def fetch_indicators_command( + client, + initial_interval, + limit, + last_run_ctx, + fetch_full_feed: bool = False, + filter_args: Optional[dict] = None, +) -> Tuple[list, dict]: + """ + Fetch indicators from TAXII 2 server + :param client: Taxii2FeedClient + :param initial_interval: initial interval in parse_date_range format + :param limit: upper limit of indicators to fetch + :param last_run_ctx: last run dict with {collection_id: last_run_time string} + :param fetch_full_feed: when set to true, will ignore last run, and try to fetch the entire feed + :param filter_args: filter args requested by the user + :return: indicators in cortex TIM format + """ + if initial_interval: + initial_interval, _ = parse_date_range( + initial_interval, date_format=TAXII_TIME_FORMAT + ) + if filter_args is None: + filter_args = {} 
+ last_fetch_time = ( + last_run_ctx.get(client.collection_to_fetch.id) + if client.collection_to_fetch + else None + ) + filter_args["added_after"] = get_added_after( + fetch_full_feed, initial_interval, last_fetch_time, filter_args + ) + + if client.collection_to_fetch is None: + # fetch all collections + if client.collections is None: + raise DemistoException(ERR_NO_COLL) + indicators: list = [] + for collection in client.collections: + client.collection_to_fetch = collection + filter_args["added_after"] = get_added_after( + fetch_full_feed, initial_interval, last_run_ctx.get(collection.id) + ) + fetched_iocs = client.build_iterator(limit, **filter_args) + indicators.extend(fetched_iocs) + if limit >= 0: + limit -= len(fetched_iocs) + if limit <= 0: + break + last_run_ctx[collection.id] = client.last_fetched_indicator__modified + else: + # fetch from a single collection + indicators = client.build_iterator(limit, **filter_args) + last_run_ctx[client.collection_to_fetch.id] = ( + client.last_fetched_indicator__modified + if client.last_fetched_indicator__modified + else filter_args.get("added_after") + ) + return indicators, last_run_ctx + + +def get_added_after( + fetch_full_feed, initial_interval, last_fetch_time=None, filter_args=None +): + """ + Creates the added_after param, or extracts it from the filter_args + :param fetch_full_feed: when set to true, will limit added_after + :param initial_interval: initial_interval if no + :param last_fetch_time: last_fetch time value (str) + :param filter_args: set of filter_args defined by the user to be merged with added_after + :return: added_after + """ + if fetch_full_feed: + return initial_interval + + if not filter_args or "added_after" not in filter_args: + return last_fetch_time or initial_interval + + return filter_args["added_after"] + + +def get_indicators_command( + client, raw="false", limit=10, added_after=None, filter_args=None +): + """ + Fetch indicators from TAXII 2 server + :param client: 
Taxii2FeedClient + :param raw: When set to "true" will return only rawJSON + :param limit: upper limit of indicators to fetch + :param (Optional) added_after: added after time string in parse_date_range format + :param (Optional) filter_args: filter to be used for taxii poll + :return: indicators in cortex TIM format + """ + limit = try_parse_integer(limit) + filter_args = handle_filter_arg(filter_args) + if added_after and "added_after" not in filter_args: + added_after, _ = parse_date_range(added_after, date_format=TAXII_TIME_FORMAT) + filter_args["added_after"] = added_after + raw = raw == "true" + + if client.collection_to_fetch is None: + # fetch all collections + if client.collections is None: + raise DemistoException(ERR_NO_COLL) + indicators: list = [] + for collection in client.collections: + client.collection_to_fetch = collection + fetched_iocs = client.build_iterator(limit, **filter_args) + indicators.extend(fetched_iocs) + if limit >= 0: + limit -= len(fetched_iocs) + if limit <= 0: + break + + else: + indicators = client.build_iterator(limit=limit, **filter_args) + + if raw: + demisto.results({"indicators": [x.get("rawJSON") for x in indicators]}) + return + + md = f"Found {len(indicators)} results:\n" + tableToMarkdown( + "", indicators, ["value", "type"] + ) + if indicators: + return CommandResults( + outputs_prefix=CONTEXT_PREFIX + ".Indicators", + outputs_key_field="value", + outputs=indicators, + readable_output=md, + ) + return md + + +def get_collections_command(client): + """ + Get the available collections in the TAXII server + :param client: FeedClient + :return: available collections + """ + collections = list() + for collection in client.collections: + collections.append({"Name": collection.title, "ID": collection.id}) + md = tableToMarkdown("TAXII2 Server Collections:", collections, ["Name", "ID"]) + return CommandResults( + outputs_prefix=CONTEXT_PREFIX + ".Collections", + outputs_key_field="ID", + outputs=collections, + 
readable_output=md, + ) + + +def reset_fetch_command(client): + """ + Reset the last fetch from the integration context + """ + demisto.setIntegrationContext({}) + return ( + "Fetch was reset successfully. Your next indicator fetch will collect indicators from " + 'the configured "First Fetch Time"' + ) + + +def handle_filter_arg(filter_args=None, delimiter="="): + """ + Transforms filter arguments (str) to a dict to be used by build_iterator + :param filter_args: filter_args as typed by the user in the filter_args param + :param delimiter: delimiter to use between filter_key and filter_val + :return: filter_args dict with type:indicator {filter_key: filter_value} + + """ + # add filter for indicator types by default + filter_dict = {"type": "indicator"} + if filter_args: + filter_args = argToList(filter_args) + try: + for arg in filter_args: + key, val = arg.split(delimiter) + filter_dict[key] = val + except ValueError: + raise DemistoException( + "Encountered an error while trying to parse filter_args, please make sure you entered them in the correct format" + ) + return filter_dict + + +def main(): + params = demisto.params() + args = demisto.args() + url = params.get("url") + collection_to_fetch = params.get("collection_to_fetch") + credentials = params.get("credentials") or {} + username = credentials.get("identifier") + password = credentials.get("password") + proxies = handle_proxy() + verify_certificate = not params.get("insecure", False) + skip_complex_mode = COMPLEX_OBSERVATION_MODE_SKIP == params.get( + "observation_operator_mode" + ) + feed_tags = argToList(params.get("feedTags")) + + initial_interval = params.get("initial_interval") + fetch_full_feed = params.get("fetch_full_feed") or False + limit = try_parse_integer(params.get("limit") or -1) + limit_per_request = try_parse_integer(params.get("limit_per_request")) + filter_args = handle_filter_arg(params.get("filter_args")) + + command = demisto.command() + demisto.info(f"Command being called in 
{CONTEXT_PREFIX} is {command}") + try: + client = Taxii2FeedClient( + url=url, + collection_to_fetch=collection_to_fetch, + proxies=proxies, + verify=verify_certificate, + skip_complex_mode=skip_complex_mode, + username=username, + password=password, + tags=feed_tags, + limit_per_request=limit_per_request, + ) + client.initialise() + commands = { + "taxii2-reset-fetch-indicators": reset_fetch_command, + "taxii2-get-indicators": get_indicators_command, + "taxii2-get-collections": get_collections_command, + } + + if demisto.command() == "test-module": + # This is the call made when pressing the integration Test button. + module_test_command(client, limit, fetch_full_feed) + + elif demisto.command() == "fetch-indicators": + if fetch_full_feed: + limit = -1 + integration_ctx = demisto.getIntegrationContext() or {} + (indicators, integration_ctx) = fetch_indicators_command( + client, + initial_interval, + limit, + integration_ctx, + fetch_full_feed, + filter_args, + ) + for iter_ in batch(indicators, batch_size=2000): + demisto.createIndicators(iter_) + + demisto.setIntegrationContext(integration_ctx) + else: + return_results(commands[command](client, **args)) # type: ignore[operator] + + except Exception as e: + err_msg = f"Failed to execute {command} command. Error: {str(e)}\n\ntraceback: {traceback.format_exc()}" + if isinstance(e, requests.exceptions.SSLError): + LOG(err_msg) + err_msg = ( + "Encountered an HTTPS certificate error. This error can be ignored by enabling " + '"Trust any certificate (not secure)" in the instance configuration.' + ) + return_error(err_msg) + + +from TAXII2ApiModule import * # noqa: E402 + +if __name__ in ("__main__", "__builtin__", "builtins"): + main() diff --git a/Packs/FeedTAXII/Integrations/FeedTAXII2/FeedTAXII2.yml b/Packs/FeedTAXII/Integrations/FeedTAXII2/FeedTAXII2.yml new file mode 100644 index 000000000000..ec846c862a90 --- /dev/null +++ b/Packs/FeedTAXII/Integrations/FeedTAXII2/FeedTAXII2.yml 
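Review bot: In the all-collections branch of `fetch_indicators_command`, the `get_added_after(...)` call inside the `for collection in client.collections` loop omits `filter_args`, so a user-supplied `added_after` filter is overwritten per collection with the last-run/initial-interval value, unlike the single-collection path and the assignment just above the branch; pass it through as `fetch_full_feed, initial_interval, last_run_ctx.get(collection.id), filter_args`. The `client.collections is None` case that raises `DemistoException(ERR_NO_COLL)` in both fetch paths is unguarded in `get_collections_command`, whose `for collection in client.collections` would fail with a bare TypeError instead; add the same `if client.collections is None: raise DemistoException(ERR_NO_COLL)` before the loop. In `main`, the generic handler hands `traceback.format_exc()` to the user through `return_error`; logging the traceback with `demisto.error(...)` and returning only `str(e)` keeps internal detail out of the war room. The loop's `break` on an exhausted limit also appears to occur before `last_run_ctx[collection.id]` is updated (the collapsed indentation makes this uncertain), which would leave the truncated collection's cursor unchanged, so a one-line comment stating whether that is intended would help the next maintainer.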
@@ -0,0 +1,220 @@ +category: Data Enrichment & Threat Intelligence +commonfields: + id: TAXII 2 Feed + version: -1 +configuration: +- defaultvalue: 'true' + display: Fetch indicators + name: feed + required: false + type: 8 +- additionalinfo: Indicators from this integration instance will be marked with this + reputation + display: Indicator Reputation + name: feedReputation + options: + - None + - Good + - Suspicious + - Bad + required: false + type: 18 +- additionalinfo: Reliability of the source providing the intelligence data + display: Source Reliability + name: feedReliability + options: + - A - Completely reliable + - B - Usually reliable + - C - Fairly reliable + - D - Not usually reliable + - E - Unreliable + - F - Reliability cannot be judged + required: true + type: 15 +- display: '' + name: feedExpirationPolicy + options: + - never + - interval + - indicatorType + - suddenDeath + required: false + type: 17 +- display: '' + name: feedExpirationInterval + required: false + type: 1 +- defaultvalue: '240' + display: Feed Fetch Interval + name: feedFetchInterval + required: false + type: 19 +- additionalinfo: When selected, the exclusion list is ignored for indicators from + this feed. This means that if an indicator from this feed is on the exclusion + list, the indicator might still be added to the system. + display: Bypass exclusion list + name: feedBypassExclusionList + required: false + type: 8 +- display: Discovery Service URL (e.g. https://example.net/taxii) + name: url + required: true + type: 0 +- display: Username / API Key (see '?') + name: credentials + required: false + type: 9 +- additionalinfo: Indicators will be fetched from this collection. Run "taxii2-get-collections" + command to get a valid value. If left empty, the instance will try to fetch from + all the collections in the given discovery service. 
+ display: Collection Name To Fetch Indicators From + name: collection_to_fetch + required: false + type: 0 +- additionalinfo: When enabled, fetch-indicators will try to fetch the entire feed + for every fetch. When disabled, fetch-indicators will try to fetch just the latest + entries (since the last fetch). + defaultvalue: 'true' + display: Full Feed Fetch + name: fetch_full_feed + required: false + type: 8 +- additionalinfo: The maximum number of indicators that can be fetched per fetch. + If this field is left empty, there will be no limit on the number of indicators + fetched. + display: Max Indicators Per Fetch (disabled for Full Feed Fetch) + hidden: false + name: limit + required: false + type: 0 +- additionalinfo: The time interval for the first fetch (retroactive).
    -
    -
    - -
    +
    +
    + +


    -
    - -
    - -
    - -
    -
    -

    Network Firewall or Proxy Server Settings for Zoom Follow

    - -
    - -
    -
    -

    Network Firewall or Web Security Gateway

    -

    If your app stays in a "connecting" mode or  timed out due to "Network error, please try again" or "Can't connect to our service, please check your network connection and try again"  - it could be related to your network connection, network firewall settings or web security gateway settings.

    -

    Note: Check your network connection by opening a browser and ensure that you can access https://www.demisto.com

    -

    To configure your network firewall, please see the following table: 

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    ProtocolPortsSourceDestination
    TCP80,443All Zoom Clients*.zoom.us
    TCP443, 8801, 8802All Zoom Clients -

    IPv4:

    -

    3.7.35.0/25
    8.8.8.8/25
    8.8.8.8/24
    8.8.8.8/24
    8.8.8.8/25
    8.8.8.8/25
    8.8.8.8/24
    8.8.8.8/25
    8.8.8.8/24
    8.8.8.8/25
    8.8.8.8/25
    8.8.8.8/25
    8.8.8.8/25
    8.8.8.8/25
    8.8.8.8/25
    8.8.8.8/25
    8.8.8.8/25
    8.8.8.8/23
    8.8.8.8/25
    8.8.8.8/25
    8.8.8.8/25
    8.8.8.8/23
    8.8.8.8/25
    8.8.8.8/25
    8.8.8.8/23
    8.8.8.8/25
    8.8.8.8/25
    8.8.8.8/32
    8.8.8.8/24
    8.8.8.8/25
    8.8.8.8/23
    8.8.8.8/24
    8.8.8.8/25
    8.8.8.8/25
    8.8.8.8/24
    8.8.8.8/32
    8.8.8.8/26
    8.8.8.8/25
    8.8.8.8/24
    8.8.8.8/24
    8.8.8.8/24
    8.8.8.8/24
    8.8.8.8/24
    8.8.8.8/22
    8.8.8.8/25
    8.8.8.8/23
    8.8.8.8/22
    8.8.8.8/25
    8.8.8.8/24
    8.8.8.8/25
    8.8.8.8/26  
    8.8.8.8/26
    8.8.8.8/26 
    8.8.8.8/26
    8.8.8.8/24
    8.8.8.8/24
    8.8.8.8/19
    8.8.8.8/17
    8.8.8.8/24
    8.8.8.8/24
    8.8.8.8/24
    8.8.8.8/24
    8.8.8.8/25
    8.8.8.8/25
    8.8.8.8/22
    8.8.8.8/22
    8.8.8.8/22
    8.8.8.8/23
    8.8.8.8/24
    8.8.8.8/24
    8.8.8.8/24
    8.8.8.8/24
    8.8.8.8/20
    8.8.8.8/22
    8.8.8.8/22
    8.8.8.8/19
    8.8.8.8/22
    8.8.8.8/19
    8.8.8.8/17
    8.8.8.8/27
    8.8.8.8/27
    8.8.8.8/21
    8.8.8.8/22
    8.8.8.8/24
    8.8.8.8/24
    8.8.8.8/24
    8.8.8.8/24
    8.8.8.8/24
    8.8.8.8/24
    8.8.8.8/24
    8.8.8.8/27
    8.8.8.8/25
    8.8.8.8/25
    8.8.8.8/27

    IPv6:
    2620:123:2000::/40

    -
    UDP -

    3478, 3479, 8801 - 8810

    -
    All Zoom Clients -

    IPv4:

    -

    8.8.8.8/25
    8.8.8.8/25
    8.8.8.8/24
    8.8.8.8/24
    8.8.8.8/25
    8.8.8.8/25
    8.8.8.8/24
    8.8.8.8/25
    8.8.8.8/24
    8.8.8.8/25
    8.8.8.8/25
    8.8.8.8/25
    8.8.8.8/25
    8.8.8.8/25
    8.8.8.8/25
    8.8.8.8/25
    8.8.8.8/25
    8.8.8.8/23
    8.8.8.8/25
    8.8.8.8/25
    8.8.8.8/25
    8.8.8.8/23
    8.8.8.8/25
    8.8.8.8/25
    8.8.8.8/23
    8.8.8.8/25
    8.8.8.8/25
    8.8.8.8/32
    8.8.8.8/24
    8.8.8.8/25
    8.8.8.8/23
    8.8.8.8/24
    8.8.8.8/25
    8.8.8.8/25
    8.8.8.8/24
    8.8.8.8/32
    8.8.8.8/26
    8.8.8.8/25
    8.8.8.8/24
    8.8.8.8/24
    8.8.8.8/24
    8.8.8.8/24
    8.8.8.8/24
    8.8.8.8/22
    8.8.8.8/25
    8.8.8.8/23
    8.8.8.8/22
    8.8.8.8/25
    8.8.8.8/24
    8.8.8.8/25
    8.8.8.8/26  
    8.8.8.8/26
    8.8.8.8/26 
    8.8.8.8/26
    8.8.8.8/24
    8.8.8.8/24
    8.8.8.8/19
    8.8.8.8/17
    8.8.8.8/24
    8.8.8.8/24
    8.8.8.8/24
    8.8.8.8/24
    8.8.8.8/25
    8.8.8.8/25
    8.8.8.8/22
    8.8.8.8/22
    8.8.8.8/22
    8.8.8.8/23
    8.8.8.8/24
    8.8.8.8/24
    8.8.8.8/24
    8.8.8.8/24
    8.8.8.8/20
    8.8.8.8/22
    8.8.8.8/22
    8.8.8.8/19
    8.8.8.8/22
    8.8.8.8/19
    8.8.8.8/17
    8.8.8.8/27
    8.8.8.8/27
    8.8.8.8/21
    8.8.8.8/22
    8.8.8.8/24
    8.8.8.8/24
    8.8.8.8/24
    8.8.8.8/24
    8.8.8.8/24
    8.8.8.8/24
    8.8.8.8/24
    8.8.8.8/27
    8.8.8.8/25
    8.8.8.8/25
    8.8.8.8/27

    IPv6:
    2620:123:2000::/40

    -
    -

     

    -

    Connection Type: Zoom Phone

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    ProtocolPortsSourceDestination
    TCP5090, 5091All Zoom Clients8.8.8.8/24
    8.8.8.8/24
    8.8.8.8/23
    8.8.8.8/22
    8.8.8.8/24
    8.8.8.8/19
    8.8.8.8/22
    8.8.8.8/24
    8.8.8.8/24
    UDP5090All Zoom Clients8.8.8.8/24
    8.8.8.8/24
    8.8.8.8/23
    8.8.8.8/22
    8.8.8.8/24
    8.8.8.8/19
    8.8.8.8/22
    8.8.8.8/24
    8.8.8.8/24
    UDP20000-64000All Zoom Clients8.8.8.8/24
    8.8.8.8/23
    8.8.8.8/19
    8.8.8.8/22
    8.8.8.8/24
    8.8.8.8/24
    8.8.8.8/24
    8.8.8.8/24
    -

     

    -

    Connection Type: Zoom Website

    - - - - - - - - - - - - - - - - - -
    ProtocolPortsSourceDestination
    TCP80, 443All Zoom Clients*.zoom.us
    *.cloudfront.net
    -


    Proxy Server 

    -

    We support https/SSL proxy server via port 443.

    -

    Zoom automatically detects your proxy settings. In some instances, you may be prompted to enter the proxy username/password.

    -

    Note: We recommend whitelisting zoom.us and *.zoom.us from proxy or SSL inspection. 

    -

    Note: IP ranges to be whitelisted can also be found at the following:

    - -

    For Meeting Connector and Others

    - -

    Please submit a ticket if you have further questions. 

    -

     

    -
    + Zoom Help Center + + + +
  • + + Account & Admin + +
  • + +
  • + + Network and Firewall + +
  • + + + + +
    + +
    + +
    +
    +

    Network firewall or proxy server settings for Zoom Follow +

    + +
    + +
    +
    +

    Network firewall or web security gateway

    +

    If your app stays in a "connecting" mode or  timed out due to "Network error, please try again" + or "Can't connect to our service, please check your network connection and try again"  - it could + be related to your network connection, network firewall settings or web security gateway settings.

    +

    Note: Check your network connection by opening a browser and ensure that you can + access https://zoom.us +

    +

    To configure your network firewall, please see the following table: 

    + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ProtocolPortsSourceDestination
    TCP80,443All Zoom clients*.zoom.us
    TCP443, 8801, 8802All Zoom clients +

    IPv4:

    +

    3.7.35.0/25
    3.21.137.128/25
    3.22.11.0/24
    3.23.93.0/24
    + 3.25.41.128/25
    3.25.42.0/25
    IPv6:
    + 2620:123:2000::/40

    +
    UDP +

    3478, 3479, 8801 - 8810

    +
    All Zoom clients +

    IPv4:

    +
    +

     

    +

    Connection Type: Zoom Phone

    + + + + + + + + + + + + + + + + + + + + + + + + +
    ProtocolPortsSourceDestination
    TCP5091All Zoom clients
    UDP5090All Zoom Clients
    UDP20000-64000All Zoom Clients
    +

     

    +

    Connection type: Zoom website

    + + + + + + + + + + + + + + + +
    ProtocolPortsSourceDestination
    TCP80, 443All Zoom Clients*.zoom.us
    *.cloudfront.net
    +

     

    +

    Proxy server

    +

    We support https/SSL proxy server via port 443.

    +

    Zoom automatically detects your proxy settings. In some instances, you may be prompted to enter tde + proxy username/password.

    +

    Note: We recommend + whitelisting zoom.us and *.zoom.us from proxy + or SSL inspection. 

    +

    Note: IP ranges to be whitelisted can also be found at the following:

    + +

    For Meeting Connector and others

    + +
    + +
    +
      + +
    +
    + +
    + +
    + Was this article helpful? +
    + + +
    + +
    + +
    +
    +
    -
    -
      - -
    +
    - -
    - -
    - Was this article helpful? -
    - - -
    - -
    - -
    -
    -
    - -
    -