From 0f8cec9697b4ebb0b0ab128135bd2ad364138b71 Mon Sep 17 00:00:00 2001 From: Daniil Lanskoy <107933862+LanskoyGIB@users.noreply.github.com> Date: Mon, 13 Nov 2023 13:00:17 +0300 Subject: [PATCH] Group-IB hot fix integration (#30470) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * test commit * remove bt link * Remove A in TI for yaml and md for indicator * back yaml to default * refactor yaml with cortex utils * refactor md and yaml for feed * remove bp/domain * replace git_leak with git_repository * Add new collection Fix issue with date for TI * remove changes outside the Packs * Update Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/test_data/example.json Co-authored-by: Mai Morag <81917647+maimorag@users.noreply.github.com> * Update Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/test_data/example.json Co-authored-by: Mai Morag <81917647+maimorag@users.noreply.github.com> * Update Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/test_data/example.json Co-authored-by: Mai Morag <81917647+maimorag@users.noreply.github.com> * Update Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/test_data/example.json Co-authored-by: Mai Morag <81917647+maimorag@users.noreply.github.com> * Update Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/test_data/example.json Co-authored-by: Mai Morag <81917647+maimorag@users.noreply.github.com> * update release notes * update logo * update logo * Revert "update release notes" This reverts commit 7c9ac76fd46c499fd185de154fe8d272657971db. * revert microsocks * fix compromised account issue * adding RL * Update Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA.py Co-authored-by: Mai Morag <81917647+maimorag@users.noreply.github.com> * create release notes v1_3_12 * add test for compromised/account_group * refactor changes in playbook * fixed validation errors * adding pragma no cover * refactor RN * add urllib exception * fixing validation errors * adding pragma no cover * format * fix lint test errors * revert sentinel * revert changes to azure sentinel * fixing cloud machine ids processing (#29777) * fixing cloud machine ids processing * not exiting the installation script if we fail to install a pack. report an error but continue with the test playbook upload (#29759) Co-authored-by: kobymeir * Microsoft DNS Parsing Rule Drop (#29765) * Updated ParsingRules * Updated ReleaseNotes * Updated ReleaseNotes * Updated ReleaseNotes * Updated pack_metadata * Updated pack_metadata * Updated pack_metadata * Updated README * Updated README * Updated README * [JoeSecurity] Pre-Commit (#29717) * [pre-commit ruff] Align the entire repo with ruff #2 (#29754) * [pre-commit ruff] Align the entire repo with ruff #2 * Add RN * Update the docker image * Don't checkout build files in pre-commit (#27900) * is file up to date pre-commit * Revert changes made by mistake --------- Co-authored-by: dorschw <81086590+dorschw@users.noreply.github.com> Co-authored-by: Menachem Weinfeld <90556466+mmhw@users.noreply.github.com> Co-authored-by: Menachem Weinfeld * Fixes for 'NGFW Scan' and 'WildFire Malware' XSIAM playbooks (#29774) * Fixes for 'NGFW Scan' and 'WildFire Malware' XSIAM playbooks * RN * fixed RN and 'NGFW Scan playbook' * CiscoSMA- Added timeout parameter (#29372) * fix * add_tests * fix_test_description * fix_yml_add_readme * fixes - add timeout to the client * add timeout to yml * revert changes * Update CiscoSMA.py * Update CiscoSMA.py * CR review * add RN * fix CR review * update docker image * XSUP-27956/ Added EWS PS V3 Description (#29784) * updated the description * update rn * Apply suggestions from code review Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> --------- Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Xsup 27738 DBotFindSimilarIncidents NoneType Error (#29701) * failed ut * fix * rn * pre-commit * pre commit * just the fix * fix description in yml * fix * docker * Update Packs/Base/ReleaseNotes/1_32_34.md Co-authored-by: Dan Tavori <38749041+dantavori@users.noreply.github.com> * test * test * removed import --------- Co-authored-by: Dan Tavori <38749041+dantavori@users.noreply.github.com> * Wiz v1 2 11 (#29719) * Wiz v1 2 11 (#29688) * remove redundant parenthesis * ../Packs/Wiz/Integrations/Wiz/Wiz.py * add Wiz user agent * rephrase release notes * update pack metadata json * rephrase release notes v2 * fix minor typos and update docker image * Bump Docker version --------- Co-authored-by: Ariel Tobiana <107474518+ariel-wiz@users.noreply.github.com> Co-authored-by: Michael Yochpaz <8832013+MichaelYochpaz@users.noreply.github.com> * [ASM] - Expander - Update ASM fields (4821) (#29702) * [ASM] - Expander - Update ASM fields (4821) (#29506) * Add missing comments to grid fields - Update descriptions of fields as needed. * Add release notes * Add descriptions to two fields - asmdevcheckdetails - asmenrichmentstatus * Update release notes. * Grammar updates. * Update release notes * Add mandatory or optional in comments * Update comments with mandatory * Update pack version and release notes * Add correct 1_6_33 release notes * fix rn * fix rn --------- Co-authored-by: John <40349459+BigEasyJ@users.noreply.github.com> Co-authored-by: ostolero <86190583+ostolero@users.noreply.github.com> Co-authored-by: ostolero * Wildfire-upload-url add poling timeout argument (#29790) * save adding timeout param * new docker image * added rn * fix ruff * ruff made me to do this fixes :( not related to my changes * Update Packs/Palo_Alto_Networks_WildFire/ReleaseNotes/2_1_35.md * poetry files (#29793) Co-authored-by: Content Bot * Dra-cvss-color-fix (#29757) * Fixed a small issue when indicator had no custom fields * RN * docker bump * RN * Update CVECVSSColor.py * docker bump * RN * fixing typos in build scripts. (#29788) unremovable -> non-removable productname -> product_name testplaybook -> test_playbook changed some arg passing to use their full name: -gpidd -gpidp Co-authored-by: kobymeir * mapping to standard stix values (#29785) * mapping to standard stix values * updated release notes * update docker * breaking json * add dot * Add the nightly_ruff file for run pre-commit with --all flag (#29684) * Add the nightly_ruff file for run pre-commit with --all flag * Add more rules; Add the error name * Add E501 * Add F601, F842, TID252 * XSUP-27528 (#29705) * add_tests * add_tests * add RN, fix tests, format yml * Update Packs/CommonScripts/ReleaseNotes/1_12_24.md Co-authored-by: Arad Carmi <62752352+AradCarmi@users.noreply.github.com> * fix readme * Bump pack from version CommonScripts to 1.12.25. --------- Co-authored-by: Arad Carmi <62752352+AradCarmi@users.noreply.github.com> Co-authored-by: Content Bot * [Axonius Content Pack 1.2.0] Bumping Dockerfile (#29802) * [Axonius Content Pack 1.2.0] Bumping Dockerfile (#29625) * bumped docker version for axonius api client * docker image * remove the - --------- Co-authored-by: Yehuda * format --------- Co-authored-by: Bryce Pedroza <97995056+bryce-ax@users.noreply.github.com> Co-authored-by: Yehuda * Updated native:8.4 image; Add auth-utils support (#29792) Co-authored-by: GuyAfik * Fixed sc_task closing state (#29636) * Fixed sc_task closing state * Added release notes * Updated docker image * small fix * bumped dokcer * fixed rn --------- Co-authored-by: Shahaf Ben Yakir <44666568+ShahafBenYakir@users.noreply.github.com> Co-authored-by: sbenyakir * Private Compliance Packs (#29664) * XSUP-27936 problem with regex (#29613) * failed test * fix * rn * rn * unit test * ut * validations * fixed test and docker * fix * validation * Prisma Cloud V2 Add "usernames" Argument (#29710) * add username arg * support list * update UT * update README * docker update * update TPB * Fortinet fortigate enhancement (#29655) * Updated the readme for proofpoint fortigate. * Modified the modeling rule. * Modified the modeling rule and the schema file. * Updated the release note. * Update Packs/FortiGate/README.md Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Updated the modeling rule. * Added tags to the readme. * removed ftntfgtmastersrcmac and ftntfgtmasterdstmac from the mapping. * updated the modeling rule and the schema file. * updated the modeling rule * updated the modeling rule --------- Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Add syslog example for War Room Actions (#29800) * Graph Security Update (#29797) * Updated MicrosoftGraphSecurity_schema * Updated ReleaseNotes * Updated ReleaseNotes * [Dataminr Pulse] Release 106 (#29805) * [Dataminr Pulse] Release 106 (#29693) * Changes related to release v1.0.6 * Changes related to release v1.0.6 * Fixing Release Note related issue --------- Co-authored-by: crestdatasystems Co-authored-by: Michael Yochpaz <8832013+MichaelYochpaz@users.noreply.github.com> * Bump Docker version --------- Co-authored-by: Crest Data Systems <60967033+crestdatasystems@users.noreply.github.com> Co-authored-by: crestdatasystems Co-authored-by: Michael Yochpaz <8832013+MichaelYochpaz@users.noreply.github.com> * [RecordedFuture] threat actor playbook update V2.5.1 (#29690) (#29807) * Update Threat actor search playbook. * Add release notes * Fix formatting * Change ExtractedIndicators to ExtractedIndicators\.File * Fix release notes --------- Co-authored-by: Yaroslav Nestor Co-authored-by: Michael Yochpaz <8832013+MichaelYochpaz@users.noreply.github.com> * [JoeSecurity] show partial result in polling commands (#29715) * updating build docker image to latest devdemisto/gitlab-content-ci:1.0.0.64455 (#29761) * updating build docker image to latest devdemisto/gitlab-content-ci:1.0.0.64455 * Private Upload Mode - ThreatExchange v2 (#28249) * ThreatExchange integration * ThreatExchange updates * Added param to instance configuration * pre-commit * updated RN * RN test * CR updates * Removed Threat_Crowd * Update Packs/ThreatExchange/ReleaseNotes/2_0_12.md Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * docker * format * skip tests since theres no instance * no testing instance --------- Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> Co-authored-by: Yehuda Rosenberg <90599084+RosenbergYehuda@users.noreply.github.com> Co-authored-by: Yehuda * added plus 1 for each iteration in find destination (#29811) * added plus 1 for each iteration in find destination (#29760) * added plus 1 for each iteration in find destination * added release notes * Update Packs/Cisco-umbrella-cloud-security/ReleaseNotes/2_0_2.md Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * updated docker image tag to latest * updated unit test for pagination functions * removed comments --------- Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Update 2_0_2.md --------- Co-authored-by: LiorQM <106475467+LiorQM@users.noreply.github.com> Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> Co-authored-by: RotemAmit * Mde list indicator filter (#29640) * Mde list indicator filter (#29338) * init indicator filter * release notes * latest docker image * updated docker image * minor fixes * reslove conflicts * resolve version conflicts * silence linter * format * docker * Apply suggestions from Shirley Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * add period * change phrase * adding "is_mockable": false * docker * try change test playbook * empty line * docker * return the mock * Revert "return the mock" This reverts commit ef23428eac12ef075f0dbdfba672399fb4ca7090. --------- Co-authored-by: ckaadic <48683125+ckaadic@users.noreply.github.com> Co-authored-by: Yehuda Co-authored-by: Yehuda Rosenberg <90599084+RosenbergYehuda@users.noreply.github.com> Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Audit Logs Endpoints Scripts Aligments for Xsoar-8 (#29781) * test * fix core api * ExportAuditLogsToFile - add support for xsoar-8 * add ExportAuditLogsToFile UTs * add forward audit logs uts * update ut * validation fixes * mypy * bump rns * update docker * update docker image * fix ut * format * Bump pack from version CommonScripts to 1.12.25. * Bump pack from version CommonScripts to 1.12.26. * cr * cr fixes * update * fix uts --------- Co-authored-by: Content Bot * Add command prisma-cloud-compute-get-file-integrity-events (#29608) * Add command prisma-cloud-compute-get-file-integrity-events (#29187) * Add command prisma-cloud-compute-get-file-integrity-events * Incorporate changes from review comments. Add documentation and unit test. * Add missing lines to YML file (add description of new command) * Update docker image * Incorporate changes from demo * Update docker image * fix validation * fix validation --------- Co-authored-by: ostolero <86190583+ostolero@users.noreply.github.com> Co-authored-by: ostolero * Bump pack from version PrismaCloudCompute to 1.4.10. * [pre-commit ruff] Align the entire repo with ruff (#29603) * Fix falls of the ruff hook * pre-commit * Fix B003 ruff error * Fix ruff errors on Utils/update_playbook.py * remove code to trigger upload on dev branches (#29621) * [pre-commit pycln] Align the entire repo with pycln (#29611) * Fix falls of the pycln hook * pre-commit * Fix unit test * Add RN * Fix validate in GetDomainDNSDetails * fuff on GetDomainDNSDetails * ignore mypy error in test_content.py:350 * Fix falls of the autopep8 hook (#29638) * add marketplaces to metadata (#29629) * Fixing AWS Project Number in ASM Cloud (#29593) (#29642) Co-authored-by: Chait A <112722030+capanw@users.noreply.github.com> Co-authored-by: johnnywilkes <32227961+johnnywilkes@users.noreply.github.com> Co-authored-by: Michael Yochpaz <8832013+MichaelYochpaz@users.noreply.github.com> * [MS Teams] support reset_graph_auth (#29644) * fixed * pre-commit * update * Recordedfuture threathunting v2.5.0 (#29641) * Recordedfuture threathunting v2.5.0 (#29025) * Add commands related to Automated Threat hunting recordedfuture-threat-map recordedfuture-threat-links recordedfuture-detection-rules * Add recordedfuture-collective-insight command. Change app version. * Update README.md. Add release notes * Add playbook. Add unittests * Add unittests * Fix test_collective_insight_command * Remove incorrect release note * Add documentation for threat actor search playbook * update Recorded Future Threat actor search playbook. add release note about new playbook. * Update release notes, fix formatting * Format yml files * Update Recorded future threat actor search playbook * Update docker image * Fix linter --------- Co-authored-by: Michael Yochpaz <8832013+MichaelYochpaz@users.noreply.github.com> * Minor README fixes --------- Co-authored-by: Yaroslav Nestor Co-authored-by: Michael Yochpaz <8832013+MichaelYochpaz@users.noreply.github.com> * [ASM] Expander 5777 (#29647) * [ASM] Expander 5777 (#29619) * first * RN * Bump pack from version CortexAttackSurfaceManagement to 1.6.36. --------- Co-authored-by: johnnywilkes <32227961+johnnywilkes@users.noreply.github.com> Co-authored-by: Content Bot * XDR Malware Enrichment - hotfix for usernames (split) (#29585) * Updated playbook with hotfix where we split usernames from domains and append them to the username list of usernames for account enrichment * Added RN * remove irrelevant test * Updated RN * Bump pack from version CortexXDR to 5.1.6. * Update Packs/CortexXDR/ReleaseNotes/5_1_6.md Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> --------- Co-authored-by: Content Bot Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Update Docker Image To demisto/pyjwt3 (#29656) * Updated Metadata Of Pack Silverfort * Added release notes to pack Silverfort * Packs/Silverfort/Integrations/Silverfort/Silverfort.yml Docker image update * Update Docker Image To demisto/trustar (#29660) * Updated Metadata Of Pack TruSTAR * Added release notes to pack TruSTAR * Update Docker Image To demisto/keeper-ksm (#29661) * Updated Metadata Of Pack KeeperSecretsManager * Added release notes to pack KeeperSecretsManager * Packs/KeeperSecretsManager/Integrations/KeeperSecretsManager/KeeperSecretsManager.yml Docker image update * Update Docker Image To demisto/py3-tools (#29654) * Updated Metadata Of Pack Intezer * Added release notes to pack Intezer * Packs/Intezer/Integrations/IntezerV2/IntezerV2.yml Docker image update * Updated Metadata Of Pack FeedMalwareBazaar * Added release notes to pack FeedMalwareBazaar * Packs/FeedMalwareBazaar/Integrations/MalwareBazaarFeed/MalwareBazaarFeed.yml Docker image update * Updated Metadata Of Pack FeedGCPWhitelist * Added release notes to pack FeedGCPWhitelist * Packs/FeedGCPWhitelist/Integrations/FeedGoogleIPRanges/FeedGoogleIPRanges.yml Docker image update * Updated Metadata Of Pack AccentureCTI_Feed * Added release notes to pack AccentureCTI_Feed * Packs/AccentureCTI_Feed/Integrations/ACTIIndicatorFeed/ACTIIndicatorFeed.yml Docker image update * Fix DS108 --------- Co-authored-by: sberman * Update Docker Image To demisto/taxii-server (#29659) * Updated Metadata Of Pack CybleThreatIntel * Added release notes to pack CybleThreatIntel * Packs/CybleThreatIntel/Integrations/CybleThreatIntel/CybleThreatIntel.yml Docker image update * Fix DS108 --------- Co-authored-by: sberman * Update Docker Image To demisto/datadog-api-client (#29662) * Updated Metadata Of Pack DatadogCloudSIEM * Added release notes to pack DatadogCloudSIEM * Packs/DatadogCloudSIEM/Integrations/DatadogCloudSIEM/DatadogCloudSIEM.yml Docker image update * Fix DS108 --------- Co-authored-by: sberman * Add reliability parameter to cves and pipl integration (#28703) * commiting PrismaCloudCompute * release notes added * changed couldcompute, CVESearchV2, pipl * added pack metadata * fixed pipl readme * reverting changes in CVESearch since it was deprecated * removed redundant * committing pre commit changes * added known words * added known words * fixed lint error * changed according to review * updated docker version in PrismaCloudCompute * changed according to doc review * Added condition for not receiving new incidents in the test playbook * updating release notes * reverting fetch changes * fixed playbook * formatted playbook * new validation, new run * new validation, new run * Bump pack from version PrismaCloudCompute to 1.4.10. * update the docker image --------- Co-authored-by: Content Bot * Proofpoint email security pack: update description (#29651) * update description * Updated the schema file. * Updated the schema file. --------- Co-authored-by: Yehonatan Asta * Jira v2 deprecated (#29649) * Deprecate to jira v2 * update RN * update conf.json file * add task to the Create Jira Issue playbook that check if jira v3 is enable * add image.png of the playbook * update the playbook (yml, readme, image) and RN * Update Docker Image To demisto/python3 (#29652) * Updated Metadata Of Pack PANOSPolicyOptimizer * Added release notes to pack PANOSPolicyOptimizer * Packs/PANOSPolicyOptimizer/Integrations/PANOSPolicyOptimizer/PANOSPolicyOptimizer.yml Docker image update * Updated Metadata Of Pack VMwareWorkspaceONEUEM * Added release notes to pack VMwareWorkspaceONEUEM * Packs/VMwareWorkspaceONEUEM/Integrations/VMwareWorkspaceONEUEM/VMwareWorkspaceONEUEM.yml Docker image update * Updated Metadata Of Pack CiscoSMA * Added release notes to pack CiscoSMA * Packs/CiscoSMA/Integrations/CiscoSMA/CiscoSMA.yml Docker image update * Updated Metadata Of Pack FeedThreatConnect * Added release notes to pack FeedThreatConnect * Packs/FeedThreatConnect/Integrations/FeedThreatConnect/FeedThreatConnect.yml Docker image update * Updated Metadata Of Pack BitSight * Added release notes to pack BitSight * Packs/BitSight/Integrations/BitSightForSecurityPerformanceManagement/BitSightForSecurityPerformanceManagement.yml Docker image update * Updated Metadata Of Pack AWS-ILM * Added release notes to pack AWS-ILM * Packs/AWS-ILM/Integrations/AWSILM/AWSILM.yml Docker image update * Updated Metadata Of Pack CiscoWSA * Added release notes to pack CiscoWSA * Packs/CiscoWSA/Integrations/CiscoWSAV2/CiscoWSAV2.yml Docker image update * Updated Metadata Of Pack SysAid * Added release notes to pack SysAid * Packs/SysAid/Integrations/SysAid/SysAid.yml Docker image update * Updated Metadata Of Pack ManageEngine_PAM360 * Added release notes to pack ManageEngine_PAM360 * Packs/ManageEngine_PAM360/Integrations/ManageEnginePAM360/ManageEnginePAM360.yml Docker image update * Updated Metadata Of Pack CiscoUmbrellaReporting * Added release notes to pack CiscoUmbrellaReporting * Packs/CiscoUmbrellaReporting/Integrations/CiscoUmbrellaReporting/CiscoUmbrellaReporting.yml Docker image update * Fix DS108 --------- Co-authored-by: sberman * XSUP-27717/FortiSIEM (#29458) * add tests * add RN,fix,logs * Update 2_0_21.md * add period * add a name to incident * fixes CR * update docker image * delete logs * CR fixes * Update 2_0_21.md * Update FortiSIEMV2.py * reverting the Docker image (#29607) * reverting the Docker image * Update Packs/cyberark_AIM/ReleaseNotes/1_0_14.md --------- Co-authored-by: Dan Tavori <38749041+dantavori@users.noreply.github.com> * [Marketplace Contribution] Roksit DNS Security Integration - Sarp (#29663) * [Marketplace Contribution] Roksit DNS Security Integration - Sarp (#29314) * "pack contribution initial commit" * Update RoksitDNSSecurityIntegrationSarp.py * Update RoksitDNSSecurityIntegrationSarp.py * Yehuda's version * test module * readme * new logo * Update RoksitDNSSecurityIntegrationSarp.yml * Apply suggestions from code review * Update RoksitDNSSecurityIntegrationSarp_description.md * Update pack_metadata.json * Update README.md * Update pack_metadata.json * Update pack_metadata.json * Update Packs/RoksitDNSSecurityIntegration-Sarp/pack_metadata.json * fixes * change name * folder name * file names * version * rename sub folder * remove (DNSSense) from the integration name * rename folder * docker * replace image * fix image name --------- Co-authored-by: asimsarpkurt <79475614+asimsarpkurt@users.noreply.github.com> Co-authored-by: Yehuda Co-authored-by: Yehuda Rosenberg <90599084+RosenbergYehuda@users.noreply.github.com> * rename image --------- Co-authored-by: xsoar-bot <67315154+xsoar-bot@users.noreply.github.com> Co-authored-by: asimsarpkurt <79475614+asimsarpkurt@users.noreply.github.com> Co-authored-by: Yehuda Co-authored-by: Yehuda Rosenberg <90599084+RosenbergYehuda@users.noreply.github.com> * add unstuck fetch stream command (#29646) * add unstuck fetch stream command * added RN * fixes * add note * cr fixes * fix conflicts * reverts * [pre-commit pycln] Align the entire repo with pycln #4 (#29665) * Fix pycln errors * Update the docker images * Run demisto-sdk pre-commit * Remove unnecessary recommendations from extensions.json (#29605) * update extensions.json * Update devcontainer.json * Update recommendations list * Zscaler-FW-Logs (#29094) * Zscaler FW Logs Modeling Rules * Zscaler FW logs Modeling Rules * Updated README * Updated ZscalerModelingRule_1_3 * Changed cs5 field name to cat * Apply suggestions from code review Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Updated README * Updated ModelingRules and Schema * Updated ModelingRules and schema * Updated ModelingRules * Updated ModelingRules --------- Co-authored-by: Eido Epstain Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * PANOS - EXPANDR-5744 (#29223) (#29686) * playbook updates * RN, Readme, screenshot * Apply suggestions from code review * update RN * bump ver * more descriptive task * bump ver --------- Co-authored-by: johnnywilkes <32227961+johnnywilkes@users.noreply.github.com> Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Audit alert fields fix (#29685) * Add associated types to systemAssociatedTypes * Add associated types to systemAssociatedTypes * fix incident field structure * RN * Workday documentation fix (#29681) * readme * readme * rn * rn * [Marketplace Contribution] Active Directory Query - Content Pack Update (#28633) * [Marketplace Contribution] Active Directory Query - Content Pack Update (#27822) * "contribution update to pack "Active Directory Query"" * revert changes * rl * remove files * removed from rl * Update pack_metadata.json * Create 1_6_19.md * Update 1_6_18.md * Update 1_6_19.md * Delete 1_6_19.md * Update 1_6_18.md * Update pack_metadata.json * Update Active_Directory_Query.yml removed duplicate section and type * pass SERVER_IP as argument to test_credentials function * Create 1_7_0.md * Update pack_metadata.json * Update README.md with ad-test-credentials info * Update Active_Directory_Query.yml * removed duplicate `type: 8` from ntlm * removed duplicate types from integration settings * removed duplicate description from ad-enable-account * Update Active_Directory_Query.yml * Update Active_Directory_Query.yml * Update Active_Directory_Query.yml * removing not relevant release note * adding function * update fucntion * cr note * adding NTLM_AUTH option * Update Active_Directory_Query.py * Update Packs/Active_Directory_Query/Integrations/Active_Directory_Query/Active_Directory_Query.py Co-authored-by: dorschw <81086590+dorschw@users.noreply.github.com> * cr notes * update after merging from master * reverting a change in olr rl * added test_test_credentials unit test function * fix unit test * fixing unit tests * fix unit test * fixed lint errors * Update Active_Directory_Query_test.py * empty commit * fix yml and docker file * revert changes in send email manager * fix yml * fix * fix validation error * fixing in129 --------- Co-authored-by: maimorag Co-authored-by: Randy Baldwin <32545292+randomizerxd@users.noreply.github.com> Co-authored-by: Mai Morag <81917647+maimorag@users.noreply.github.com> Co-authored-by: dorschw <81086590+dorschw@users.noreply.github.com> * cr notes * Bump pack from version Active_Directory_Query to 1.6.21. * fix yml changes * cr notes * lint fixes * fix test * docker update * Update Packs/Active_Directory_Query/Integrations/Active_Directory_Query/README.md Co-authored-by: dorschw <81086590+dorschw@users.noreply.github.com> * fix delete required * Apply suggestions from code review * fix test * docker update * rl * empty commit * docker update * empty commit * empty commit * merge from master * empty commit check * revert changes * Delete Packs/cyberark_AIM/Integrations/CyberArkAIM_v2/integration-CyberArkAIM_v2.yml * docker downgrade * rl * trying new docker image * validate errors fix * revert docker version * [DS108] - Description must end with a period (".") - fix * empty commit check * empty commit check --------- Co-authored-by: xsoar-bot <67315154+xsoar-bot@users.noreply.github.com> Co-authored-by: maimorag Co-authored-by: Randy Baldwin <32545292+randomizerxd@users.noreply.github.com> Co-authored-by: Mai Morag <81917647+maimorag@users.noreply.github.com> Co-authored-by: dorschw <81086590+dorschw@users.noreply.github.com> Co-authored-by: Content Bot * Big query bug xsup 28132 (#29680) * bug fix * rn * rn * Apply suggestions from code review Co-authored-by: Dan Tavori <38749041+dantavori@users.noreply.github.com> * format * pre commit --------- Co-authored-by: Dan Tavori <38749041+dantavori@users.noreply.github.com> * New Prisma Cloud v2 commands (#29323) * resource list command * limit results * user roles list command * pre commit * users list command * edit remediation commands * UTs * update README * update RN * pre commit fixes * edit test playbook * CR changes * Demo changes - remediate 406 raises error new args for resource_list & user_roles * fix test * Apply suggestions from doc review Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * fix test playbook * Tomer's changes --------- Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Prisma Cloud Update (#29666) * Updated ModelingRules * Updated ReleaseNotes * Updated ReleaseNotes * Updated ModelingRules * Updated ModelingRules * Updated ModelingRules * Bump pack from version PrismaCloud to 4.2.4. --------- Co-authored-by: Content Bot * Rapid7 appsec (#29134) (#29687) * Revert "Add space to conf" This reverts commit 08e6490c8907bdb3fbf2dc394d0bc352dc0c5935. * Updated the packs category to *Authentication & Identity Management* (part 2) (#24876) * Update Docker Image To demisto/fastapi (#24923) * Updated Metadata Of Pack CyberArkIdentity * Added release notes to pack CyberArkIdentity * Packs/CyberArkIdentity/Integrations/CyberArkIdentityEventCollector/CyberArkIdentityEventCollector.yml Docker image update * Update Docker Image To demisto/lxml (#24924) * Updated Metadata Of Pack TaniumThreatResponse * Added release notes to pack TaniumThreatResponse * Packs/TaniumThreatResponse/Integrations/TaniumThreatResponseV2/TaniumThreatResponseV2.yml Docker image update * Update Docker Image To demisto/crypto (#24922) * Updated Metadata Of Pack X509Certificate * Added release notes to pack X509Certificate * Packs/X509Certificate/Scripts/CertificateExtract/CertificateExtract.yml Docker image update * Update Docker Image To demisto/python3 (#24921) * Updated Metadata Of Pack Cybereason * Added release notes to pack Cybereason * Packs/Cybereason/Integrations/Cybereason/Cybereason.yml Docker image update * Updated Metadata Of Pack DNSDB * Added release notes to pack DNSDB * Packs/DNSDB/Integrations/DNSDB_v2/DNSDB_v2.yml Docker image update * Updated Metadata Of Pack DeepInstinct * Added release notes to pack DeepInstinct * Packs/DeepInstinct/Integrations/DeepInstinct3x/DeepInstinct3x.yml Docker image update * Updated Metadata Of Pack FeedCyrenThreatInDepth * Added release notes to pack FeedCyrenThreatInDepth * Packs/FeedCyrenThreatInDepth/Integrations/CyrenThreatInDepth/CyrenThreatInDepth.yml Docker image update * Updated Metadata Of Pack IronDefense * Added release notes to pack IronDefense * Packs/IronDefense/Integrations/IronDefense/IronDefense.yml Docker image update * Updated Metadata Of Pack Qintel * Added release notes to pack Qintel * Packs/Qintel/Integrations/QintelPMI/QintelPMI.yml Docker image update * Packs/Qintel/Integrations/QintelQSentry/QintelQSentry.yml Docker image update * Packs/Qintel/Integrations/QintelQWatch/QintelQWatch.yml Docker image update * Updated Metadata Of Pack QualysFIM * Added release notes to pack QualysFIM * Packs/QualysFIM/Integrations/QualysFIM/QualysFIM.yml Docker image update * Updated Metadata Of Pack QutteraWebsiteMalwareScanner * Added release notes to pack QutteraWebsiteMalwareScanner * Packs/QutteraWebsiteMalwareScanner/Integrations/QutteraWebsiteMalwareScanner/QutteraWebsiteMalwareScanner.yml Docker image update * Fixed mypy + validation --------- * NGINXApiModule: fix logging typo (#24878) * fix logging typo * bump dependent packs --------- * Downgrade docker to fix banner issue (#24905) * Downgrade docker to fix banner issue * Fix docs * Add UT to prevent Docker bump * Fix yml validation * Adding vulnerability commands * Fixing pagination page index * Updating PR comments and Scan commands * Updating ID in test data. * Updating integration * Updating integration * Updating fromversion * Updating linters * Updating linters * Updating git pre-commit * Updating docstring * Updating the handling of request when limit * Removing get_pagination_params * Updating integration * Updating git-pre commit * Updating integration * Updating integration * Updating unit test * Updating docker image * Updating integration * Updating README version. * Updating secrets * Updating integration * Updating integration * Updating integration * Updating docstrings * Updating doc-review comments. * Updating doc-review comments. * Updating description --------- Co-authored-by: ‪Ron Hadad‬‏ <112933572+ronh1@users.noreply.github.com> Co-authored-by: TalGumi Co-authored-by: Mai Morag <81917647+maimorag@users.noreply.github.com> Co-authored-by: sberman Co-authored-by: Guy Lichtman <1395797+glicht@users.noreply.github.com> Co-authored-by: glicht Co-authored-by: Andrew Shamah <42912128+amshamah419@users.noreply.github.com> * Panos add param (#29672) * added param job_polling_max_num_attempts * Added rn * Added missing param type Fixed unit tests * added to readme * fixed readme * Update Packs/PAN-OS/Integrations/Panorama/Panorama.yml Co-authored-by: Guy Afik <53861351+GuyAfik@users.noreply.github.com> * fixed text and namings * Bump pack from version PAN-OS to 2.1.8. --------- Co-authored-by: Guy Afik <53861351+GuyAfik@users.noreply.github.com> Co-authored-by: Content Bot * Fix proxy usage (#85) (#29630) * Fix proxy usage (#85) (#29181) * Fix proxy usage (#85) * Fix proxy usage in ZF client * Fix variable USE_SSL to verify requests * Remove proxy object from client Given that the proxy works by default with env vars, the proxy object is not necessary * Update version and add release notes * Fix call to modified alerts (#86) * Fix call to modified alerts * Update docker image * Fix tests associated with get modified data * change rn * fix validation --------- Co-authored-by: Felipe Garrido Co-authored-by: ostolero Co-authored-by: ostolero <86190583+ostolero@users.noreply.github.com> * Missing dependencies when installing packs (#28989) * search and install packs --------- Co-authored-by: kobymeir * Deprecate Picus Community (#29573) * Merge branch 'master' into github_workflow_partner # Conflicts: # Utils/github_workflow_scripts/utils.py * Merge branch 'master' into github_workflow_partner # Conflicts: # Utils/github_workflow_scripts/utils.py * Picus NG display name * Picus update * Picus update * Picus update * Picus update * Picus update * Picus update * Picus update * Picus update --------- Co-authored-by: RotemAmit * [ASM] - Expander - GCP Hierarchy field - 4376 (#29696) (#29704) * Add assethierarchy field to GCP ASM playbook * Add release notes * Update field json Co-authored-by: John <40349459+BigEasyJ@users.noreply.github.com> * fix merge * update rn * remove access code * fix conflicts * update docker * fix validation --------- Co-authored-by: Ali Sawyer <91506078+ali-sawyer@users.noreply.github.com> Co-authored-by: ostolero <86190583+ostolero@users.noreply.github.com> Co-authored-by: ostolero Co-authored-by: Content Bot Co-authored-by: Menachem Weinfeld <90556466+mmhw@users.noreply.github.com> Co-authored-by: omerKarkKatz <95565843+omerKarkKatz@users.noreply.github.com> Co-authored-by: Yaakov Praisler <59408745+yaakovpraisler@users.noreply.github.com> Co-authored-by: Chait A <112722030+capanw@users.noreply.github.com> Co-authored-by: johnnywilkes <32227961+johnnywilkes@users.noreply.github.com> Co-authored-by: Michael Yochpaz <8832013+MichaelYochpaz@users.noreply.github.com> Co-authored-by: michal-dagan <109464765+michal-dagan@users.noreply.github.com> Co-authored-by: Yaroslav Nestor Co-authored-by: Ido van Dijk <43602124+idovandijk@users.noreply.github.com> Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> Co-authored-by: sberman Co-authored-by: DinaMeylakh <72339665+DinaMeylakh@users.noreply.github.com> Co-authored-by: ilaner <88267954+ilaner@users.noreply.github.com> Co-authored-by: Yehonatan Asta Co-authored-by: israelpoli <72099621+israelpoli@users.noreply.github.com> Co-authored-by: sapir shuker <49246861+sapirshuker@users.noreply.github.com> Co-authored-by: Mai Morag <81917647+maimorag@users.noreply.github.com> Co-authored-by: Dan Tavori <38749041+dantavori@users.noreply.github.com> Co-authored-by: xsoar-bot <67315154+xsoar-bot@users.noreply.github.com> Co-authored-by: asimsarpkurt <79475614+asimsarpkurt@users.noreply.github.com> Co-authored-by: Yehuda Co-authored-by: Yehuda Rosenberg <90599084+RosenbergYehuda@users.noreply.github.com> Co-authored-by: Yuval Hayun <70104171+YuvHayun@users.noreply.github.com> Co-authored-by: samuelFain <65926551+samuelFain@users.noreply.github.com> Co-authored-by: nkanon <109467661+nkanon@users.noreply.github.com> Co-authored-by: Eido Epstain Co-authored-by: Tomer Haimof <81556849+tomer-pan@users.noreply.github.com> Co-authored-by: EyalPintzov <91007713+eyalpalo@users.noreply.github.com> Co-authored-by: maimorag Co-authored-by: Randy Baldwin <32545292+randomizerxd@users.noreply.github.com> Co-authored-by: dorschw <81086590+dorschw@users.noreply.github.com> Co-authored-by: Adi Bamberger Edri <72088126+BEAdi@users.noreply.github.com> Co-authored-by: eepstain <116078117+eepstain@users.noreply.github.com> Co-authored-by: ‪Ron Hadad‬‏ <112933572+ronh1@users.noreply.github.com> Co-authored-by: TalGumi Co-authored-by: Guy Lichtman <1395797+glicht@users.noreply.github.com> Co-authored-by: glicht Co-authored-by: Andrew Shamah <42912128+amshamah419@users.noreply.github.com> Co-authored-by: Shahaf Ben Yakir <44666568+ShahafBenYakir@users.noreply.github.com> Co-authored-by: Guy Afik <53861351+GuyAfik@users.noreply.github.com> Co-authored-by: Felipe Garrido Co-authored-by: Koby Meir Co-authored-by: kobymeir Co-authored-by: Edi Katsenelson <85438368+edik24@users.noreply.github.com> Co-authored-by: RotemAmit Co-authored-by: John <40349459+BigEasyJ@users.noreply.github.com> * [Marketplace Contribution] Okta - Content Pack Update (#29650) * [Marketplace Contribution] Okta - Content Pack Update (#29303) * "contribution update to pack "Okta"" * minor fixes * add outputs and readme * add outputs description * update docker * change outputs --------- Co-authored-by: ostolero Co-authored-by: ostolero <86190583+ostolero@users.noreply.github.com> * Fixing AWS Project Number in ASM Cloud (#29593) (#29642) Co-authored-by: Chait A <112722030+capanw@users.noreply.github.com> Co-authored-by: johnnywilkes <32227961+johnnywilkes@users.noreply.github.com> Co-authored-by: Michael Yochpaz <8832013+MichaelYochpaz@users.noreply.github.com> * [MS Teams] support reset_graph_auth (#29644) * fixed * pre-commit * update * Recordedfuture threathunting v2.5.0 (#29641) * Recordedfuture threathunting v2.5.0 (#29025) * Add commands related to Automated Threat hunting recordedfuture-threat-map recordedfuture-threat-links recordedfuture-detection-rules * Add recordedfuture-collective-insight command. Change app version. * Update README.md. Add release notes * Add playbook. Add unittests * Add unittests * Fix test_collective_insight_command * Remove incorrect release note * Add documentation for threat actor search playbook * update Recorded Future Threat actor search playbook. add release note about new playbook. * Update release notes, fix formatting * Format yml files * Update Recorded future threat actor search playbook * Update docker image * Fix linter --------- Co-authored-by: Michael Yochpaz <8832013+MichaelYochpaz@users.noreply.github.com> * Minor README fixes --------- Co-authored-by: Yaroslav Nestor Co-authored-by: Michael Yochpaz <8832013+MichaelYochpaz@users.noreply.github.com> * [ASM] Expander 5777 (#29647) * [ASM] Expander 5777 (#29619) * first * RN * Bump pack from version CortexAttackSurfaceManagement to 1.6.36. --------- Co-authored-by: johnnywilkes <32227961+johnnywilkes@users.noreply.github.com> Co-authored-by: Content Bot * XDR Malware Enrichment - hotfix for usernames (split) (#29585) * Updated playbook with hotfix where we split usernames from domains and append them to the username list of usernames for account enrichment * Added RN * remove irrelevant test * Updated RN * Bump pack from version CortexXDR to 5.1.6. * Update Packs/CortexXDR/ReleaseNotes/5_1_6.md Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> --------- Co-authored-by: Content Bot Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Update Docker Image To demisto/pyjwt3 (#29656) * Updated Metadata Of Pack Silverfort * Added release notes to pack Silverfort * Packs/Silverfort/Integrations/Silverfort/Silverfort.yml Docker image update * Update Docker Image To demisto/trustar (#29660) * Updated Metadata Of Pack TruSTAR * Added release notes to pack TruSTAR * Update Docker Image To demisto/keeper-ksm (#29661) * Updated Metadata Of Pack KeeperSecretsManager * Added release notes to pack KeeperSecretsManager * Packs/KeeperSecretsManager/Integrations/KeeperSecretsManager/KeeperSecretsManager.yml Docker image update * Update Docker Image To demisto/py3-tools (#29654) * Updated Metadata Of Pack Intezer * Added release notes to pack Intezer * Packs/Intezer/Integrations/IntezerV2/IntezerV2.yml Docker image update * Updated Metadata Of Pack FeedMalwareBazaar * Added release notes to pack FeedMalwareBazaar * Packs/FeedMalwareBazaar/Integrations/MalwareBazaarFeed/MalwareBazaarFeed.yml Docker image update * Updated Metadata Of Pack FeedGCPWhitelist * Added release notes to pack FeedGCPWhitelist * Packs/FeedGCPWhitelist/Integrations/FeedGoogleIPRanges/FeedGoogleIPRanges.yml Docker image update * Updated Metadata Of Pack AccentureCTI_Feed * Added release notes to pack AccentureCTI_Feed * Packs/AccentureCTI_Feed/Integrations/ACTIIndicatorFeed/ACTIIndicatorFeed.yml Docker image update * Fix DS108 --------- Co-authored-by: sberman * Update Docker Image To demisto/taxii-server (#29659) * Updated Metadata Of Pack CybleThreatIntel * Added release notes to pack CybleThreatIntel * Packs/CybleThreatIntel/Integrations/CybleThreatIntel/CybleThreatIntel.yml Docker image update * Fix DS108 --------- Co-authored-by: sberman * Update Docker Image To demisto/datadog-api-client (#29662) * Updated Metadata Of Pack DatadogCloudSIEM * Added release notes to pack DatadogCloudSIEM * Packs/DatadogCloudSIEM/Integrations/DatadogCloudSIEM/DatadogCloudSIEM.yml Docker image update * Fix DS108 --------- Co-authored-by: sberman * Add reliability parameter to cves and pipl integration (#28703) * commiting PrismaCloudCompute * release notes added * changed couldcompute, CVESearchV2, pipl * added pack metadata * fixed pipl readme * reverting changes in CVESearch since it was deprecated * removed redundant * committing pre commit changes * added known words * added known words * fixed lint error * changed according to review * updated docker version in PrismaCloudCompute * changed according to doc review * Added condition for not receiving new incidents in the test playbook * updating release notes * reverting fetch changes * fixed playbook * formatted playbook * new validation, new run * new validation, new run * Bump pack from version PrismaCloudCompute to 1.4.10. * update the docker image --------- Co-authored-by: Content Bot * Proofpoint email security pack: update description (#29651) * update description * Updated the schema file. * Updated the schema file. --------- Co-authored-by: Yehonatan Asta * Jira v2 deprecated (#29649) * Deprecate to jira v2 * update RN * update conf.json file * add task to the Create Jira Issue playbook that check if jira v3 is enable * add image.png of the playbook * update the playbook (yml, readme, image) and RN * Update Docker Image To demisto/python3 (#29652) * Updated Metadata Of Pack PANOSPolicyOptimizer * Added release notes to pack PANOSPolicyOptimizer * Packs/PANOSPolicyOptimizer/Integrations/PANOSPolicyOptimizer/PANOSPolicyOptimizer.yml Docker image update * Updated Metadata Of Pack VMwareWorkspaceONEUEM * Added release notes to pack VMwareWorkspaceONEUEM * Packs/VMwareWorkspaceONEUEM/Integrations/VMwareWorkspaceONEUEM/VMwareWorkspaceONEUEM.yml Docker image update * Updated Metadata Of Pack CiscoSMA * Added release notes to pack CiscoSMA * Packs/CiscoSMA/Integrations/CiscoSMA/CiscoSMA.yml Docker image update * Updated Metadata Of Pack FeedThreatConnect * Added release notes to pack FeedThreatConnect * Packs/FeedThreatConnect/Integrations/FeedThreatConnect/FeedThreatConnect.yml Docker image update * Updated Metadata Of Pack BitSight * Added release notes to pack BitSight * Packs/BitSight/Integrations/BitSightForSecurityPerformanceManagement/BitSightForSecurityPerformanceManagement.yml Docker image update * Updated Metadata Of Pack AWS-ILM * Added release notes to pack AWS-ILM * Packs/AWS-ILM/Integrations/AWSILM/AWSILM.yml Docker image update * Updated Metadata Of Pack CiscoWSA * Added release notes to pack CiscoWSA * Packs/CiscoWSA/Integrations/CiscoWSAV2/CiscoWSAV2.yml Docker image update * Updated Metadata Of Pack SysAid * Added release notes to pack SysAid * Packs/SysAid/Integrations/SysAid/SysAid.yml Docker image update * Updated Metadata Of Pack ManageEngine_PAM360 * Added release notes to pack ManageEngine_PAM360 * Packs/ManageEngine_PAM360/Integrations/ManageEnginePAM360/ManageEnginePAM360.yml Docker image update * Updated Metadata Of Pack CiscoUmbrellaReporting * Added release notes to pack CiscoUmbrellaReporting * Packs/CiscoUmbrellaReporting/Integrations/CiscoUmbrellaReporting/CiscoUmbrellaReporting.yml Docker image update * Fix DS108 --------- Co-authored-by: sberman * XSUP-27717/FortiSIEM (#29458) * add tests * add RN,fix,logs * Update 2_0_21.md * add period * add a name to incident * fixes CR * update docker image * delete logs * CR fixes * Update 2_0_21.md * Update FortiSIEMV2.py * reverting the Docker image (#29607) * reverting the Docker image * Update Packs/cyberark_AIM/ReleaseNotes/1_0_14.md --------- Co-authored-by: Dan Tavori <38749041+dantavori@users.noreply.github.com> * [Marketplace Contribution] Roksit DNS Security Integration - Sarp (#29663) * [Marketplace Contribution] Roksit DNS Security Integration - Sarp (#29314) * "pack contribution initial commit" * Update RoksitDNSSecurityIntegrationSarp.py * Update RoksitDNSSecurityIntegrationSarp.py * Yehuda's version * test module * readme * new logo * Update RoksitDNSSecurityIntegrationSarp.yml * Apply suggestions from code review * Update RoksitDNSSecurityIntegrationSarp_description.md * Update pack_metadata.json * Update README.md * Update pack_metadata.json * Update pack_metadata.json * Update Packs/RoksitDNSSecurityIntegration-Sarp/pack_metadata.json * fixes * change name * folder name * file names * version * rename sub folder * remove (DNSSense) from the integration name * rename folder * docker * replace image * fix image name --------- Co-authored-by: asimsarpkurt <79475614+asimsarpkurt@users.noreply.github.com> Co-authored-by: Yehuda Co-authored-by: Yehuda Rosenberg <90599084+RosenbergYehuda@users.noreply.github.com> * rename image --------- Co-authored-by: xsoar-bot <67315154+xsoar-bot@users.noreply.github.com> Co-authored-by: asimsarpkurt <79475614+asimsarpkurt@users.noreply.github.com> Co-authored-by: Yehuda Co-authored-by: Yehuda Rosenberg <90599084+RosenbergYehuda@users.noreply.github.com> * add unstuck fetch stream command (#29646) * add unstuck fetch stream command * added RN * fixes * add note * cr fixes * fix conflicts * reverts * [pre-commit pycln] Align the entire repo with pycln #4 (#29665) * Fix pycln errors * Update the docker images * Run demisto-sdk pre-commit * update docker --------- Co-authored-by: xsoar-bot <67315154+xsoar-bot@users.noreply.github.com> Co-authored-by: ostolero Co-authored-by: ostolero <86190583+ostolero@users.noreply.github.com> Co-authored-by: Chait A <112722030+capanw@users.noreply.github.com> Co-authored-by: johnnywilkes <32227961+johnnywilkes@users.noreply.github.com> Co-authored-by: Michael Yochpaz <8832013+MichaelYochpaz@users.noreply.github.com> Co-authored-by: michal-dagan <109464765+michal-dagan@users.noreply.github.com> Co-authored-by: Yaroslav Nestor Co-authored-by: Content Bot Co-authored-by: Ido van Dijk <43602124+idovandijk@users.noreply.github.com> Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> Co-authored-by: sberman Co-authored-by: DinaMeylakh <72339665+DinaMeylakh@users.noreply.github.com> Co-authored-by: ilaner <88267954+ilaner@users.noreply.github.com> Co-authored-by: Yehonatan Asta Co-authored-by: israelpoli <72099621+israelpoli@users.noreply.github.com> Co-authored-by: sapir shuker <49246861+sapirshuker@users.noreply.github.com> Co-authored-by: Mai Morag <81917647+maimorag@users.noreply.github.com> Co-authored-by: Dan Tavori <38749041+dantavori@users.noreply.github.com> Co-authored-by: asimsarpkurt <79475614+asimsarpkurt@users.noreply.github.com> Co-authored-by: Yehuda Co-authored-by: Yehuda Rosenberg <90599084+RosenbergYehuda@users.noreply.github.com> Co-authored-by: Yuval Hayun <70104171+YuvHayun@users.noreply.github.com> Co-authored-by: Menachem Weinfeld <90556466+mmhw@users.noreply.github.com> * If-Elif Transformer (#27763) * IfElif init * minor changes * parse single strings not json * fixed regex * fixed json bug * removed context * created eval blacklist * added json KW to eval * Update bucket-upload.yml * added ast for parsing * use hash for context grab * added value arg * quick * added unit-tests * added README.md * added RN * added flags arg; use dt for context grabbing * fixed context grabbing * added regex support * finished readme * finished readme 2 * added variables arg * changed vars to upper * changed to class * prefixed variable bug * some tests * finished unit-tests * completed tests * finished docs * finished docs in yml * new design for 'value' * unit-tests complete * docs part 1 * docs complete * added if-elif TPB * fixed TPB * fixed mypy error * fixed mypy error * fixed injection issue; added + op * name changes * added injection test in TPB * CR changes * error for unknown variables * reformat 'from_context' func * resolve conflicts * demo changes * demo changes part 2 * bug fix * updated docker * added list_compare flag * added error catcher for comp funcs * readme update; textArea for conditions * resolve conflicts * resolve conflicts * updated docker * name changes * fixed unit-tests * Apply suggestions from code review Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * added missing flag to readme * CR changes * Apply suggestions from code review Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * name changes * added suppres_error behaviuor to docs * Apply suggestions from code review Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * updated docker --------- Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * revert removal of release notes generator (#29828) * revert * validations * rn * search_and_install_packs.py - less strict when installing packs during nightly. should be reverted in (#29806) Co-authored-by: kobymeir * exit on error alignment.fixing echo message when exiting the uninstallation script. (#29821) * exit on error alignment. fixing echo message when exiting the uninstallation script. * installing specific poetry version (#29812) * installing specific poetry version - moving the logic to bootstrap * Cs falcon detections revert (#29833) * Revert "Cs falcon fetch limit issue (#29411)" This reverts commit f7b7d5c6 * Revert "Cs limit in idp detections (#29550)" This reverts commit 47738d56 * Added rn * Added rn * SQL Alchemy 2.x.x (#29436) * MySQL and Postgress works * MSSQL, My SQL and postgres works with bind_variables from the second form * resolve conflicts * fix CR's comments * pre commit * parsing the results * Add UT * same name and right docker * RN * sourcery * another docker image * revert docker image * Update Packs/GenericSQL/ReleaseNotes/1_0_25.md Co-authored-by: dorschw <81086590+dorschw@users.noreply.github.com> * Update Packs/GenericSQL/Integrations/GenericSQL/GenericSQL.py Co-authored-by: dorschw <81086590+dorschw@users.noreply.github.com> * Update Packs/GenericSQL/Integrations/GenericSQL/GenericSQL.py Co-authored-by: dorschw <81086590+dorschw@users.noreply.github.com> * Update Packs/GenericSQL/Integrations/GenericSQL/GenericSQL.py Co-authored-by: dorschw <81086590+dorschw@users.noreply.github.com> * fix variable name * constants * mapping instead of conditions * unskip Oracle TPB * resolve conflicts * resolve conflicts * Constants * Update Packs/GenericSQL/Integrations/GenericSQL/GenericSQL.py Co-authored-by: dorschw <81086590+dorschw@users.noreply.github.com> * CR fixes * Update Packs/GenericSQL/ReleaseNotes/1_1_0.md Co-authored-by: dorschw <81086590+dorschw@users.noreply.github.com> * add commit after executing a query * fix UT * remove autocommit true from MSSQL * fix UT * autocommit for MSSQL, commit for the others * commit for the others DBs, since in MSSQL is automatically * docker image --------- Co-authored-by: dorschw <81086590+dorschw@users.noreply.github.com> * Generic playbooks fixes (#29711) * fixes for generic playbooks * fixes for generic playbooks * fixes for generic playbooks * Use Case Builder Development stage Field update (#29771) (#29825) * pushing changes to the use case stage * adding release notes * Update pack_metadata.json * Rename 1_1_0.md to 1_0_4.md * Update 1_0_4.md * Update 1_0_4.md --------- Co-authored-by: Joe Cosgrove Co-authored-by: Michael Yochpaz <8832013+MichaelYochpaz@users.noreply.github.com> * Add mapper and disable auto extraction for ThinkstCanary (#29756) * Add Classification and Mapping to ThinkstCanary Integration * Duo Mapping Enrichment (#29139) * Updated DuoModelingRule_1_3 * Updated ModelingRules and ReleaseNotes * Updated ModelingRules and ReleaseNotes * Updated DuoModelingRule_1_3_schema and README * Rev DuoModelingRule_1_3 | add DuoModelingRule_2_0 * Updated .yml and ReleaseNotes * Updated DuoModelingRule_2_0 * Updated ReleaseNotes * Updated .yml with toversion: 8.3.0 * Updated DuoModelingRule_2_0_schema * Updated ModelingRules * Updated ReleaseNotes * Bump pack from version DuoAdminApi to 4.0.8. * Updated DuoModelingRule_1_3 * azure * Updated DuoModelingRule_2_0 * Updated DuoModelingRule_2_0 * Updated ParsingRules * Updated ReleaseNotes * Updated ReleaseNotes * Updated ReleaseNotes * Updated pack_metadata * Updated pack_metadata * Updated pack_metadata * Updated README * Updated README * Updated README * Updated ReleaseNotes * Updated ReleaseNotes * Updated DuoModelingRule_2_0 * Reverted MS packs * Reverted MS packs * Updated DuoModelingRule_1_3_schema * Updated ReleaseNotes * Update Packs/DuoAdminApi/ReleaseNotes/4_0_10.md Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> --------- Co-authored-by: Content Bot Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * [AWS System Manager] New Pack (#28992) * init - new pack * 2 commands * aws-ssm-inventory-entry-list * list_associations_command * remove boto stubs * remove boto stubs * improve * poetry * revert poetry * aws-ssm-association-list * aws-ssm-association-get * aws-ssm-association-get * aws-ssm-association-version-list * format * aws-ssm-document-list * ruff * ruff * ssmclient test * test * doc get * docs * Update pyproject.toml * Update poetry.lock * Update .pre-commit-config_template.yaml * regex * aws-ssm-tag-remove * improve * aws-ssm-automation-execution-list * pack * aws-ssm-command-list * aws-ssm-command-run aws-ssm-command-cancel * ruff * Apply suggestions from code review Co-authored-by: Jacob Levy <129657918+jlevypaloalto@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Jacob Levy <129657918+jlevypaloalto@users.noreply.github.com> * UT * UT * cr and docs * black * black and ruff * format * description * format description * pack metadata * fix ut * Apply suggestions from code review Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * cr * cr * fix yml * add outputs * Update Packs/AWS_SystemManager/Integrations/AWSSystemManager/AWSSystemManager.py Co-authored-by: dorschw <81086590+dorschw@users.noreply.github.com> * fix cr * run command and fix UT * automation run * fix output add playbook * docs * docs * docs * docs * ruff and black * fix demo * fix demo * update docker and fix line to long * Apply suggestions from code review (docs) Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> Co-authored-by: dorschw <81086590+dorschw@users.noreply.github.com> * cr fix * update docker * fix line * Fix an issue * Fix an issue * Update playbook description * Update docker --------- Co-authored-by: Jacob Levy <129657918+jlevypaloalto@users.noreply.github.com> Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> Co-authored-by: dorschw <81086590+dorschw@users.noreply.github.com> * Fix splunk search in incident context (#29763) * fixes * fixes * fixes * update docker * added rn * add bc rn * Empty-Commit * Test For 'WildFire Malware' Playbook (#29404) * Test For 'WildFire Malware' Playbook * PR * RN * added the "is_mockable" config to the conf file * removed the "is_mockable" config to the conf file * Bump pack from version Core to 2.0.14. * Bump pack from version Core to 2.0.15. * Increased timeout configs * Added VirusTotal to the conf file * added virustotal instance name * changed the 'AutoContainment' playbook input config to 'true' * changed 'timeout' * changed 'timeout' * changed 'timeout' to 1600 * changed the 'ShouldCloseAutomatically' playbook input to 'false' * added the test playbook name to the playbook YML file * RN * removed the close note alert field verification * added the 'marketplacev2' to the test playbook YML file * added the '000001e7a228b2a7abdf7f7e404bc8522df32b725e86907dde32176bccbbbb27' malicious file hash to secrets ignore file. the file hash is used within the test playbook for enrichment and test purposes. --------- Co-authored-by: Content Bot * update docker image (#29845) * added functionallity to download index by marketplace (#29834) * added functionallity to download index by marketplace * added some logs for validation * commit * removed logs * [pre-commit MyPy] Align the entire repo with MyPy #2 (#29799) * [pre-commit MyPy] Align the entire repo with MyPy #2 * Add RN * Revert changes in 1.12.26 RN * Update the docker images * [pre-commit MyPy] Align the entire repo with MyPy #1 (#29798) * [pre-commit MyPy] Align the entire repo with MyPy #1 * Xsup 27738 DBotFindSimilarIncidents NoneType Error (#29701) * failed ut * fix * rn * pre-commit * pre commit * just the fix * fix description in yml * fix * docker * Update Packs/Base/ReleaseNotes/1_32_34.md Co-authored-by: Dan Tavori <38749041+dantavori@users.noreply.github.com> * test * test * removed import --------- Co-authored-by: Dan Tavori <38749041+dantavori@users.noreply.github.com> * Wiz v1 2 11 (#29719) * Wiz v1 2 11 (#29688) * remove redundant parenthesis * ../Packs/Wiz/Integrations/Wiz/Wiz.py * add Wiz user agent * rephrase release notes * update pack metadata json * rephrase release notes v2 * fix minor typos and update docker image * Bump Docker version --------- Co-authored-by: Ariel Tobiana <107474518+ariel-wiz@users.noreply.github.com> Co-authored-by: Michael Yochpaz <8832013+MichaelYochpaz@users.noreply.github.com> * [ASM] - Expander - Update ASM fields (4821) (#29702) * [ASM] - Expander - Update ASM fields (4821) (#29506) * Add missing comments to grid fields - Update descriptions of fields as needed. * Add release notes * Add descriptions to two fields - asmdevcheckdetails - asmenrichmentstatus * Update release notes. * Grammar updates. * Update release notes * Add mandatory or optional in comments * Update comments with mandatory * Update pack version and release notes * Add correct 1_6_33 release notes * fix rn * fix rn --------- Co-authored-by: John <40349459+BigEasyJ@users.noreply.github.com> Co-authored-by: ostolero <86190583+ostolero@users.noreply.github.com> Co-authored-by: ostolero * Wildfire-upload-url add poling timeout argument (#29790) * save adding timeout param * new docker image * added rn * fix ruff * ruff made me to do this fixes :( not related to my changes * Update Packs/Palo_Alto_Networks_WildFire/ReleaseNotes/2_1_35.md * poetry files (#29793) Co-authored-by: Content Bot * Dra-cvss-color-fix (#29757) * Fixed a small issue when indicator had no custom fields * RN * docker bump * RN * Update CVECVSSColor.py * docker bump * RN * fixing typos in build scripts. (#29788) unremovable -> non-removable productname -> product_name testplaybook -> test_playbook changed some arg passing to use their full name: -gpidd -gpidp Co-authored-by: kobymeir * mapping to standard stix values (#29785) * mapping to standard stix values * updated release notes * update docker * breaking json * add dot * Add the nightly_ruff file for run pre-commit with --all flag (#29684) * Add the nightly_ruff file for run pre-commit with --all flag * Add more rules; Add the error name * Add E501 * Add F601, F842, TID252 * XSUP-27528 (#29705) * add_tests * add_tests * add RN, fix tests, format yml * Update Packs/CommonScripts/ReleaseNotes/1_12_24.md Co-authored-by: Arad Carmi <62752352+AradCarmi@users.noreply.github.com> * fix readme * Bump pack from version CommonScripts to 1.12.25. --------- Co-authored-by: Arad Carmi <62752352+AradCarmi@users.noreply.github.com> Co-authored-by: Content Bot * Add RN * Update Packs/Cybersixgill-DVE/pack_metadata.json Co-authored-by: dorschw <81086590+dorschw@users.noreply.github.com> * Add RN * Fix UT * Update the docker images --------- Co-authored-by: EyalPintzov <91007713+eyalpalo@users.noreply.github.com> Co-authored-by: Dan Tavori <38749041+dantavori@users.noreply.github.com> Co-authored-by: content-bot <55035720+content-bot@users.noreply.github.com> Co-authored-by: Ariel Tobiana <107474518+ariel-wiz@users.noreply.github.com> Co-authored-by: Michael Yochpaz <8832013+MichaelYochpaz@users.noreply.github.com> Co-authored-by: John <40349459+BigEasyJ@users.noreply.github.com> Co-authored-by: ostolero <86190583+ostolero@users.noreply.github.com> Co-authored-by: ostolero Co-authored-by: Darya Koval <72339940+daryakoval@users.noreply.github.com> Co-authored-by: Content Bot Co-authored-by: Dror Avrahami Co-authored-by: Koby Meir Co-authored-by: kobymeir Co-authored-by: Judah Schwartz Co-authored-by: sapir shuker <49246861+sapirshuker@users.noreply.github.com> Co-authored-by: Arad Carmi <62752352+AradCarmi@users.noreply.github.com> Co-authored-by: dorschw <81086590+dorschw@users.noreply.github.com> * New logs feed recorded future (#29848) * added logs * added release notes * new line * updated docker * period * Microsoft atp list no category (#29755) * Added category support * saave rn * validations + pre-commit fixes * Update Packs/MicrosoftDefenderAdvancedThreatProtection/ReleaseNotes/1_16_9.md Co-authored-by: Dan Tavori <38749041+dantavori@users.noreply.github.com> * fix test playbook * fix test playbook * new docker * fix test playbook * trying without docker change * docker update * save rn * Update Packs/Active_Directory_Query/ReleaseNotes/1_6_24.md * update docker * fix test playbook --------- Co-authored-by: Dan Tavori <38749041+dantavori@users.noreply.github.com> Co-authored-by: Yehuda Rosenberg <90599084+RosenbergYehuda@users.noreply.github.com> * revert (#29859) * Zscaler FW - Fix duplicated field in Schema (#29854) * poetry files (#29860) Co-authored-by: Content Bot * Update Docker Image To demisto/py3-tools (#29865) * Updated Metadata Of Pack FeedAWS * Added release notes to pack FeedAWS * Packs/FeedAWS/Integrations/FeedAWS/FeedAWS.yml Docker image update * Update Docker Image To demisto/oci (#29872) * Updated Metadata Of Pack OracleCloudInfrastructure * Added release notes to pack OracleCloudInfrastructure * Packs/OracleCloudInfrastructure/Integrations/OracleCloudInfrastructureEventCollector/OracleCloudInfrastructureEventCollector.yml Docker image update * moving machines destroy/unlock to after_script (#29789) * moving machines destroy/unlock to after_script * Update Docker Image To demisto/sixgill (#29874) * Updated Metadata Of Pack Sixgill-Darkfeed * Added release notes to pack Sixgill-Darkfeed * Packs/Sixgill-Darkfeed/Integrations/Sixgill_Darkfeed_Enrichment/Sixgill_Darkfeed_Enrichment.yml Docker image update * Packs/Sixgill-Darkfeed/Integrations/Sixgill_Darkfeed/Sixgill_Darkfeed.yml Docker image update * Update Docker Image To demisto/taxii2 (#29875) * Updated Metadata Of Pack FeedDHS * Added release notes to pack FeedDHS * Packs/FeedDHS/Integrations/DHSFeedV2/DHSFeedV2.yml Docker image update * Updated Metadata Of Pack FeedUnit42v2 * Added release notes to pack FeedUnit42v2 * Packs/FeedUnit42v2/Integrations/FeedUnit42v2/FeedUnit42v2.yml Docker image update * fix bad Unicode character (#29861) * Bugfix/Playbook-Prisma-Cloud-Compute-Audit-Alert-v2-wrong-input (#29437) * Fix issues with tasks inputs * Update release notes * Update line to end with period * Remove wrong test playbook * Bump pack from version PrismaCloudCompute to 1.4.10. * Fix playbook logic to properly handle errors * Fix wrong task arguments from simple to complex type * Bump pack from version PrismaCloudCompute to 1.4.11. * Bump pack from version PrismaCloudCompute to 1.4.12. * Bump pack from version PrismaCloudCompute to 1.4.13. * Fix wrong task arguments * Improve playbook logic * Update review comments * Add a check for missing field and using field from incident * Update release notes * Add a period to make release notes perfect * Update release notes * Fix review comments * Fix review comments * Update playbook image * Fix review comments, add checks for host defenders and host forensic * Remove wrong test --------- Co-authored-by: Content Bot * Update Docker Image To demisto/crypto (#29866) * Updated Metadata Of Pack AzureSecurityCenter * Added release notes to pack AzureSecurityCenter * Packs/AzureSecurityCenter/Integrations/AzureSecurityCenter_v2/AzureSecurityCenter_v2.yml Docker image update * Fix DS108 --------- Co-authored-by: israelpolishook Co-authored-by: israelpoli <72099621+israelpoli@users.noreply.github.com> * fix (#29857) * fix * fix * [CrowdStrike Falcon] Add file_name to upload ioc (#29703) * Update Docker Image To demisto/python3 (#29868) * Updated Metadata Of Pack AbnormalSecurity * Added release notes to pack AbnormalSecurity * Packs/AbnormalSecurity/Integrations/AbnormalSecurity/AbnormalSecurity.yml Docker image update * Updated Metadata Of Pack FeedLOLBAS * Added release notes to pack FeedLOLBAS * Packs/FeedLOLBAS/Integrations/FeedLOLBAS/FeedLOLBAS.yml Docker image update * Updated Metadata Of Pack Hackuity * Added release notes to pack Hackuity * Packs/Hackuity/Integrations/Hackuity/Hackuity.yml Docker image update * Updated Metadata Of Pack Grafana * Added release notes to pack Grafana * Packs/Grafana/Integrations/Grafana/Grafana.yml Docker image update * Updated Metadata Of Pack Binalyze * Added release notes to pack Binalyze * Packs/Binalyze/Integrations/BinalyzeAIR/BinalyzeAIR.yml Docker image update * Updated Metadata Of Pack ServiceDeskPlus * Added release notes to pack ServiceDeskPlus * Packs/ServiceDeskPlus/Integrations/ServiceDeskPlus/ServiceDeskPlus.yml Docker image update * Updated Metadata Of Pack Oracle_IAM * Added release notes to pack Oracle_IAM * Packs/Oracle_IAM/Integrations/OracleIAM/OracleIAM.yml Docker image update * Updated Metadata Of Pack SalesforceFusion * Added release notes to pack SalesforceFusion * Packs/SalesforceFusion/Integrations/SalesforceFusionIAM/SalesforceFusionIAM.yml Docker image update * Updated Metadata Of Pack AppNovi * Added release notes to pack AppNovi * Packs/AppNovi/Integrations/appNovi/appNovi.yml Docker image update * Updated Metadata Of Pack FireMonSecurityManager * Added release notes to pack FireMonSecurityManager * Packs/FireMonSecurityManager/Integrations/FireMonSecurityManager/FireMonSecurityManager.yml Docker image update * Fix DS108 * Fix DS108 --------- Co-authored-by: israelpolishook * Update Docker Image To demisto/pymisp2 (#29867) * Updated Metadata Of Pack MISP * Added release notes to pack MISP * Packs/MISP/Integrations/MISPV3/MISPV3.yml Docker image update --------- Co-authored-by: israelpoli <72099621+israelpoli@users.noreply.github.com> * XSIAM Compliance Dashboards Metadata (#29843) * use the updated netutils image (#29576) * use the updated netutils image * update RN * ruff changes * updated RN * update docker image * Bump pack from version DeveloperTools to 1.2.54. * Bump pack from version CommonScripts to 1.12.25. * Bump pack from version CommonScripts to 1.12.26. * update docker image * ignore Ping in native image * update RN --------- Co-authored-by: Content Bot * Fixed the IfElIf README (#29847) * Update Docker Image To demisto/py3-tools (#29871) * Updated Metadata Of Pack Zabbix * Added release notes to pack Zabbix * Updated Metadata Of Pack SEKOIAIntelligenceCenter * Added release notes to pack SEKOIAIntelligenceCenter * Packs/SEKOIAIntelligenceCenter/Integrations/SEKOIAIntelligenceCenter/SEKOIAIntelligenceCenter.yml Docker image update * Updated Metadata Of Pack Anomali_ThreatStream * Added release notes to pack Anomali_ThreatStream * Packs/Anomali_ThreatStream/Integrations/AnomaliThreatStreamv3/AnomaliThreatStreamv3.yml Docker image update * Updated Metadata Of Pack FeedCyjax * Added release notes to pack FeedCyjax * Packs/FeedCyjax/Integrations/FeedCyjax/FeedCyjax.yml Docker image update * Updated Metadata Of Pack CommonWidgets * Added release notes to pack CommonWidgets * Packs/CommonWidgets/Scripts/RSSWidget/RSSWidget.yml Docker image update * Fix DS108 --------- Co-authored-by: israelpolishook * Update Docker Image To demisto/carbon-black-cloud (#29876) * Updated Metadata Of Pack CarbonBlackDefense * Added release notes to pack CarbonBlackDefense * Packs/CarbonBlackDefense/Integrations/CarbonBlackLiveResponseCloud/CarbonBlackLiveResponseCloud.yml Docker image update * Update Docker Image To demisto/pyjwt3 (#29877) * Updated Metadata Of Pack Box * Added release notes to pack Box * Packs/Box/Integrations/BoxV2/BoxV2.yml Docker image update * Update Docker Image To demisto/crypto (#29873) * Updated Metadata Of Pack AzureRiskyUsers * Added release notes to pack AzureRiskyUsers * Packs/AzureRiskyUsers/Integrations/AzureRiskyUsers/AzureRiskyUsers.yml Docker image update * Updated Metadata Of Pack MicrosoftGraphIdentityandAccess * Added release notes to pack MicrosoftGraphIdentityandAccess * Packs/MicrosoftGraphIdentityandAccess/Integrations/MicrosoftGraphIdentityandAccess/MicrosoftGraphIdentityandAccess.yml Docker image update * Updated Metadata Of Pack X509Certificate * Added release notes to pack X509Certificate * Packs/X509Certificate/Scripts/CertificateExtract/CertificateExtract.yml Docker image update * Fix DS108 --------- Co-authored-by: israelpolishook * Update Docker Image To demisto/opnsense (#29878) * Updated Metadata Of Pack OPNSense * Added release notes to pack OPNSense * Packs/OPNSense/Integrations/OPNSense/OPNSense.yml Docker image update * Fix DS108 --------- Co-authored-by: israelpolishook * Update Docker Image To demisto/googleapi-python3 (#29880) * Updated Metadata Of Pack GoogleDrive * Added release notes to pack GoogleDrive * Packs/GoogleDrive/Integrations/GoogleDrive/GoogleDrive.yml Docker image update * Updated Metadata Of Pack GoogleCalendar * Added release notes to pack GoogleCalendar * Packs/GoogleCalendar/Integrations/GoogleCalendar/GoogleCalendar.yml Docker image update --------- Co-authored-by: israelpoli <72099621+israelpoli@users.noreply.github.com> * Update Docker Image To demisto/bottle (#29883) * Updated Metadata Of Pack WebFileRepository * Added release notes to pack WebFileRepository * Packs/WebFileRepository/Integrations/WebFileRepository/WebFileRepository.yml Docker image update --------- Co-authored-by: israelpoli <72099621+israelpoli@users.noreply.github.com> * Update Docker Image To demisto/google-api-py3 (#29884) * Updated Metadata Of Pack GoogleCloudSCC * Added release notes to pack GoogleCloudSCC * Packs/GoogleCloudSCC/Integrations/GoogleCloudSCC/GoogleCloudSCC.yml Docker image update * Updated Metadata Of Pack GoogleCloudLogging * Added release notes to pack GoogleCloudLogging * Packs/GoogleCloudLogging/Integrations/GoogleCloudLogging/GoogleCloudLogging.yml Docker image update --------- Co-authored-by: israelpoli <72099621+israelpoli@users.noreply.github.com> * Update Docker Image To demisto/lxml (#29881) * Updated Metadata Of Pack TaniumThreatResponse * Added release notes to pack TaniumThreatResponse * Packs/TaniumThreatResponse/Integrations/TaniumThreatResponseV2/TaniumThreatResponseV2.yml Docker image update * Fix DS108 --------- Co-authored-by: israelpoli <72099621+israelpoli@users.noreply.github.com> Co-authored-by: israelpolishook * Update Docker Image To demisto/cymruwhois (#29886) * Updated Metadata Of Pack TeamCymru * Added release notes to pack TeamCymru * Packs/TeamCymru/Integrations/TeamCymru/TeamCymru.yml Docker image update --------- Co-authored-by: israelpoli <72099621+israelpoli@users.noreply.github.com> * Update Docker Image To demisto/rubrik-polaris-sdk-py3 (#29888) * Updated Metadata Of Pack RubrikPolaris * Added release notes to pack RubrikPolaris * Packs/RubrikPolaris/Integrations/RubrikPolaris/RubrikPolaris.yml Docker image update --------- Co-authored-by: israelpoli <72099621+israelpoli@users.noreply.github.com> * Update Docker Image To demisto/netmiko (#29894) * Updated Metadata Of Pack Netmiko * Added release notes to pack Netmiko * Packs/Netmiko/Integrations/Netmiko/Netmiko.yml Docker image update --------- Co-authored-by: israelpoli <72099621+israelpoli@users.noreply.github.com> * Update Docker Image To demisto/glpi (#29890) * Updated Metadata Of Pack GLPI * Added release notes to pack GLPI * Packs/GLPI/Integrations/GLPI/GLPI.yml Docker image update --------- Co-authored-by: israelpoli <72099621+israelpoli@users.noreply.github.com> * Update Docker Image To demisto/pycountry (#29885) * Updated Metadata Of Pack CyCognito * Added release notes to pack CyCognito * Packs/CyCognito/Integrations/CyCognito/CyCognito.yml Docker image update * Updated Metadata Of Pack FeedCyCognito * Added release notes to pack FeedCyCognito * Packs/FeedCyCognito/Integrations/FeedCyCognito/FeedCyCognito.yml Docker image update * Fix DS108 --------- Co-authored-by: israelpolishook * Update Docker Image To demisto/m2crypto (#29891) * Updated Metadata Of Pack SMIME_Messaging * Added release notes to pack SMIME_Messaging * Packs/SMIME_Messaging/Integrations/SMIME_Messaging/SMIME_Messaging.yml Docker image update --------- Co-authored-by: israelpoli <72099621+israelpoli@users.noreply.github.com> * Update Docker Image To demisto/octoxlabs (#29893) * Updated Metadata Of Pack OctoxLabs * Added release notes to pack OctoxLabs * Packs/OctoxLabs/Integrations/OctoxLabs/OctoxLabs.yml Docker image update --------- Co-authored-by: israelpoli <72099621+israelpoli@users.noreply.github.com> * 'NGFW Scan' XSIAM Test Playbook (#29635) * 'NGFW Scan' XSIAM Test Playbook * RN * added the '80.66.75.36' ip address to secrets ignore file. the ip address is used within the test playbook for enrichment and test purposes * Removed XDR IR integration from the conf file * updated conf file * re-configured the UserVerification playbook input * changed 'timeout' * changed 'timeout' * changed 'timeout' to 1600 * changed the 'AutoCloseAlert' playbook input to 'false' * removed the status alert field verification from the test YML file, added the test playbook to the 'NGFW Scan' playbook YML file * re-added the IP address to the secrets ignore file, re-added the test to the conf file, created RN * changed the operator of task number 78 to 'isNotEmpty' * removed the validation for 'VirusTotal.IP.attributes.tags' context data * [pre-commit MyPy] Align the entire repo with MyPy #3 (#29819) * [pre-commit MyPy] Align the entire repo with MyPy #3 * Fix the typing * Add RNs * Fix mypy errors * Add hint type * Fix Flake8 errorsmypy errors * Fix mypy error * Fix mypy error * Fix review comments * Fix more types * Fix more types * Detonate url fixing (#29896) * fixes * RN * review fix * review fix * Mandiant Threat Intelligence - Use Local Filtering (#29851) * Mandiant Threat Intelligence - Use Local Filtering (#29724) * Using local filtering to ensure that data doesn't become orphaned * Bump docker version * add missing periods * release notes * Addressing feedback * Missing space --------- Co-authored-by: Michael Yochpaz <8832013+MichaelYochpaz@users.noreply.github.com> * Update Docker version --------- Co-authored-by: Christopher Hultin Co-authored-by: Michael Yochpaz <8832013+MichaelYochpaz@users.noreply.github.com> * Update README.md (#29904) * Update Docker Image To demisto/devo (#29887) * Updated Metadata Of Pack Devo * Added release notes to pack Devo * Packs/Devo/Integrations/Devo_v2/Devo_v2.yml Docker image update * Fix DS108 --------- Co-authored-by: israelpolishook * GitHub Added `cancel-workflow` command (#29794) * README * RN * UT * RN * ignore ruff error * CR fixes * docker * pre-commit * pre-commit * XSOAR Engineer Training Pack (#29853) * XSOAR Engineer Training Pack (#29522) * initial commit * formatting, validation, fixes etc * formatting and updating ignore list * updated pack metadata * adding secrets * removing extras * removed unused vars from integration * updated message for send-mail command * updated mock url to be xsoar.pan.dev, and only internal ips for source ip * updated pack metadata and removed release notes and author image * updated image * updated secrets to remove unused ips * updated commands with xet prefix and removed the jokes * updated docker image * docker * fix the unreachable code * Apply suggestions from Shirley Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * secret ignore * fix secret ignore * another one * replace secret ignore with "# guardrails-disable" --------- Co-authored-by: Mike Beauchamp Co-authored-by: Yehuda Co-authored-by: Yehuda Rosenberg <90599084+RosenbergYehuda@users.noreply.github.com> Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Update Docker Image To demisto/pydantic-jwt3 (#29889) * Updated Metadata Of Pack Box * Added release notes to pack Box * Packs/Box/Integrations/BoxEventsCollector/BoxEventsCollector.yml Docker image update * Fix DS108 --------- Co-authored-by: israelpolishook * Bugfix/Multiple-issues-with-Detonate-URL-FireEye-AX (#29412) * Fix wrong tasks inputs * Update release notes * Update lines to end with a period * Fix task inputs * Fix inputs according to customer tests * Fix autopep8 error (#29908) * Gitlab added cancel pipeline command (#29897) * add new command to cancel a gitlab pipeline * RN and docs * RN * docker * RN * format * doc review * mypy fixes * UT * [pre-commit ruff] Align the entire repo with ruff #3 (#29762) * [pre-commit ruff] Align the entire repo with ruff #3 * Add RN * Update the RN * Update the docker image * Ad-get-users return null response (#29555) * save remove null * rn * fix typo * rn * remove nested null * update docker * revert docker image update * save new rn * revert unnessasary yml changes * pre-commit fixes * update rn and docker --------- Co-authored-by: Moshe Galitzky <112559840+moishce@users.noreply.github.com> * Detonate file fix falcon x (#29918) * fixes * RN * RN * Unskip FindEmailCampaign (#29901) * revert changes from dirty commit * test commit * adding unit tests * adding unit tests to find_element_by_key function * fix validation errors * fixing Flake8 errors * add pytest * fix flake0 issues * fixing Validate Files and Yaml step * fixing errors * fixing names * fixing validation errors * dockers update * fix pre * dockers update * emptu commit * docker * remove imports * remove imports * update RN * upate RM v1.4.0 * remove incident type BP Domain --------- Co-authored-by: Mai Morag <81917647+maimorag@users.noreply.github.com> Co-authored-by: maimorag Co-authored-by: Koby Meir Co-authored-by: kobymeir Co-authored-by: eepstain <116078117+eepstain@users.noreply.github.com> Co-authored-by: ilaner <88267954+ilaner@users.noreply.github.com> Co-authored-by: Menachem Weinfeld <90556466+mmhw@users.noreply.github.com> Co-authored-by: dorschw <81086590+dorschw@users.noreply.github.com> Co-authored-by: Menachem Weinfeld Co-authored-by: TalNos <112805149+TalNos@users.noreply.github.com> Co-authored-by: sapir shuker <49246861+sapirshuker@users.noreply.github.com> Co-authored-by: Arad Carmi <62752352+AradCarmi@users.noreply.github.com> Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> Co-authored-by: EyalPintzov <91007713+eyalpalo@users.noreply.github.com> Co-authored-by: Dan Tavori <38749041+dantavori@users.noreply.github.com> Co-authored-by: content-bot <55035720+content-bot@users.noreply.github.com> Co-authored-by: Ariel Tobiana <107474518+ariel-wiz@users.noreply.github.com> Co-authored-by: Michael Yochpaz <8832013+MichaelYochpaz@users.noreply.github.com> Co-authored-by: John <40349459+BigEasyJ@users.noreply.github.com> Co-authored-by: ostolero <86190583+ostolero@users.noreply.github.com> Co-authored-by: ostolero Co-authored-by: Darya Koval <72339940+daryakoval@users.noreply.github.com> Co-authored-by: Content Bot Co-authored-by: Dror Avrahami Co-authored-by: Judah Schwartz Co-authored-by: Bryce Pedroza <97995056+bryce-ax@users.noreply.github.com> Co-authored-by: Yehuda Co-authored-by: samuelFain <65926551+samuelFain@users.noreply.github.com> Co-authored-by: GuyAfik Co-authored-by: Shelly Tzohar <45915502+Shellyber@users.noreply.github.com> Co-authored-by: Shahaf Ben Yakir <44666568+ShahafBenYakir@users.noreply.github.com> Co-authored-by: sbenyakir Co-authored-by: tkatzir Co-authored-by: Adi Bamberger Edri <72088126+BEAdi@users.noreply.github.com> Co-authored-by: yasta5 <112320333+yasta5@users.noreply.github.com> Co-authored-by: Crest Data Systems <60967033+crestdatasystems@users.noreply.github.com> Co-authored-by: crestdatasystems Co-authored-by: Yaroslav Nestor Co-authored-by: darkushin <61732335+darkushin@users.noreply.github.com> Co-authored-by: Yehuda Rosenberg <90599084+RosenbergYehuda@users.noreply.github.com> Co-authored-by: LiorQM <106475467+LiorQM@users.noreply.github.com> Co-authored-by: RotemAmit Co-authored-by: ckaadic <48683125+ckaadic@users.noreply.github.com> Co-authored-by: Guy Afik <53861351+GuyAfik@users.noreply.github.com> Co-authored-by: Ali Sawyer <91506078+ali-sawyer@users.noreply.github.com> Co-authored-by: omerKarkKatz <95565843+omerKarkKatz@users.noreply.github.com> Co-authored-by: Yaakov Praisler <59408745+yaakovpraisler@users.noreply.github.com> Co-authored-by: Chait A <112722030+capanw@users.noreply.github.com> Co-authored-by: johnnywilkes <32227961+johnnywilkes@users.noreply.github.com> Co-authored-by: michal-dagan <109464765+michal-dagan@users.noreply.github.com> Co-authored-by: Ido van Dijk <43602124+idovandijk@users.noreply.github.com> Co-authored-by: sberman Co-authored-by: DinaMeylakh <72339665+DinaMeylakh@users.noreply.github.com> Co-authored-by: Yehonatan Asta Co-authored-by: israelpoli <72099621+israelpoli@users.noreply.github.com> Co-authored-by: xsoar-bot <67315154+xsoar-bot@users.noreply.github.com> Co-authored-by: asimsarpkurt <79475614+asimsarpkurt@users.noreply.github.com> Co-authored-by: Yuval Hayun <70104171+YuvHayun@users.noreply.github.com> Co-authored-by: nkanon <109467661+nkanon@users.noreply.github.com> Co-authored-by: Eido Epstain Co-authored-by: Tomer Haimof <81556849+tomer-pan@users.noreply.github.com> Co-authored-by: Randy Baldwin <32545292+randomizerxd@users.noreply.github.com> Co-authored-by: ‪Ron Hadad‬‏ <112933572+ronh1@users.noreply.github.com> Co-authored-by: TalGumi Co-authored-by: Guy Lichtman <1395797+glicht@users.noreply.github.com> Co-authored-by: glicht Co-authored-by: Andrew Shamah <42912128+amshamah419@users.noreply.github.com> Co-authored-by: Felipe Garrido Co-authored-by: Edi Katsenelson <85438368+edik24@users.noreply.github.com> Co-authored-by: Jacob Levy <129657918+jlevypaloalto@users.noreply.github.com> Co-authored-by: Yuval Cohen <86777474+yucohen@users.noreply.github.com> Co-authored-by: rshunim <102469772+rshunim@users.noreply.github.com> Co-authored-by: OmriItzhak <115150792+OmriItzhak@users.noreply.github.com> Co-authored-by: Joe Cosgrove Co-authored-by: Shmuel Kroizer <69422117+shmuel44@users.noreply.github.com> Co-authored-by: Israel Lappe <79846863+ilappe@users.noreply.github.com> Co-authored-by: Erez FelmanDar <102903097+efelmandar@users.noreply.github.com> Co-authored-by: israelpolishook Co-authored-by: Moshe Eichler <78307768+MosheEichler@users.noreply.github.com> Co-authored-by: ArikDay <115150768+ArikDay@users.noreply.github.com> Co-authored-by: Christopher Hultin Co-authored-by: Mike Beauchamp Co-authored-by: Moshe Galitzky <112559840+moishce@users.noreply.github.com> --- ...identtype-GIB_Brand_Protection_Domain.json | 44 - .../Integrations/GroupIBTIA/GroupIBTIA.py | 19 +- .../Integrations/GroupIBTIA/GroupIBTIA.yml | 1672 +++++++++++++++-- .../GroupIBTIA/GroupIBTIA_description.md | 2 +- .../Integrations/GroupIBTIA/README.md | 213 ++- .../GroupIB_TIA_Feed/GroupIB_TIA_Feed.py | 30 +- .../Integrations/GroupIB_TIA_Feed/README.md | 8 + ...er-GIB_Brand_Protection_Domain_Layout.json | 540 ------ ...hreat_Intelligence_&_Attribution_README.md | 4 +- .../README.md | 4 +- .../ReleaseNotes/1_4_0.md | 32 + .../GIBIncidentUpdate/GIBIncidentUpdate.py | 3 - .../GIBIncidentUpdateIncludingClosed.py | 3 - .../pack_metadata.json | 2 +- package-lock.json | 188 +- 15 files changed, 1931 insertions(+), 833 deletions(-) delete mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Brand_Protection_Domain.json delete mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Brand_Protection_Domain_Layout.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/ReleaseNotes/1_4_0.md diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Brand_Protection_Domain.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Brand_Protection_Domain.json deleted file mode 100644 index 998e3bfea0bf..000000000000 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Brand_Protection_Domain.json +++ /dev/null @@ -1,44 +0,0 @@ -{ - "autorun": true, - "color": "#8052f3", - "days": 0, - "daysR": 0, - "default": false, - "detached": false, - "disabled": false, - "extractSettings": { - "fieldCliNameToExtractSettings": { - "alertcategory": { - "extractAsIsIndicatorTypeId": "", - "extractIndicatorTypesIDs": [], - "isExtractingAllIndicatorTypes": false - }, - "gibphishingdomain": { - "extractAsIsIndicatorTypeId": "domainRepUnified", - "extractIndicatorTypesIDs": [], - "isExtractingAllIndicatorTypes": false - }, - "gibrelatedindicatorsdata": { - "extractAsIsIndicatorTypeId": "", - "extractIndicatorTypesIDs": [], - "isExtractingAllIndicatorTypes": true - } - }, - "mode": "Specific" - }, - "hours": 0, - "hoursR": 0, - "id": "GIB Brand Protection Domain", - "layout": "GIB Brand Protection Domain Layout", - "locked": false, - "name": "GIB Brand Protection Domain", - "onChangeRepAlg": 2, - "playbookId": "Incident Postprocessing - Group-IB Threat Intelligence & Attribution", - "readonly": false, - "reputationCalc": 2, - "system": false, - "version": -1, - "weeks": 0, - "weeksR": 0, - "fromVersion": "6.0.0" -} diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA.py b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA.py index 67618c90838f..625afed0d98e 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA.py +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA.py @@ -1,8 +1,3 @@ - -import demistomock as demisto -from CommonServerPython import * -from CommonServerUserPython import * - """ IMPORTS """ import json @@ -40,6 +35,9 @@ "add_fields": ["events.cnc.ipv4.asn", "events.cnc.ipv4.countryName", "events.cnc.ipv4.region"], "add_fields_types": ["asn", "geocountry", "geolocation"] }, + { + "main_field": "events.client.ipv4.ip", + } ] }, "compromised/card": { @@ -437,7 +435,7 @@ class Client(BaseClient): """ def _create_update_generator(self, collection_name: str, max_requests: int, - date_from: Optional[str] = None, seq_update: Union[int, str] = None, + date_from: str | None = None, seq_update: int | str = None, limit: int = 200) -> Generator: """ Creates generator of lists with feeds class objects for an update session @@ -839,7 +837,7 @@ def calculate_dbot_score(type_): return Common.DBotScore( indicator=value, indicator_type=type_, - integration_name="GIB TI", + integration_name="GIB TI&A", score=score ) @@ -1032,16 +1030,13 @@ def fetch_incidents_command(client: Client, last_run: dict, first_fetch_time: st :return: next_run will be last_run in the next fetch-incidents; incidents and indicators will be created in Demisto. """ incidents = [] - next_run: dict[str, dict[str, Union[int, Any]]] = {"last_fetch": {}} + next_run: dict[str, dict[str, int | Any]] = {"last_fetch": {}} for collection_name in incident_collections: last_fetch = last_run.get("last_fetch", {}).get(collection_name) portions = client.create_poll_generator(collection_name=collection_name, max_requests=requests_count, last_fetch=last_fetch, first_fetch_time=first_fetch_time) for portion, last_fetch in portions: - last_test = last_fetch - for last in last_test: - set(last) for feed in portion: mapping = MAPPING.get(collection_name, {}) if collection_name == "compromised/breached": @@ -1086,7 +1081,7 @@ def fetch_incidents_command(client: Client, last_run: dict, first_fetch_time: st return next_run, incidents -def get_available_collections_command(client: Client): +def get_available_collections_command(client: Client, args): """ Returns list of available collections to context and War Room. diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA.yml b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA.yml index c9bf3f82c7b3..f028ea0ecd58 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA.yml +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA.yml @@ -14,25 +14,27 @@ configuration: name: credentials required: true type: 9 -- additionalinfo: Whether to allow connections without verifying SSL certificates validity. +- additionalinfo: Whether to allow connections without verifying SSL certificates + validity. display: Trust any certificate (not secure) name: insecure - type: 8 required: false + type: 8 - additionalinfo: Whether to use XSOAR system proxy settings to connect to the API. display: Use system proxy settings name: proxy - type: 8 required: false + type: 8 - display: Fetch incidents name: isFetch - type: 8 required: false + type: 8 - additionalinfo: Type(s) of incidents to fetch from the third party API. display: Colletions to fetch + hidden: false name: incident_collections options: - - compromised/account + - compromised/account_group - compromised/card - compromised/breached - bp/phishing @@ -40,19 +42,21 @@ configuration: - osi/git_repository - osi/public_leak - malware/targeted_malware - type: 16 required: false - hidden: false + type: 16 - additionalinfo: Date to start fetching incidents from. defaultvalue: 3 days display: Incidents first fetch + hidden: false name: first_fetch - type: 0 required: false - hidden: false -- additionalinfo: A number of requests per collection that integration sends in one fetch iteration (each request picks up to 200 incidents). If you face some runtime errors, lower the value. + type: 0 +- additionalinfo: A number of requests per collection that integration sends in one + fetch iteration (each request picks up to 200 incidents). If you face some runtime + errors, lower the value. defaultvalue: '3' display: Number of requests per collection + hidden: false name: max_fetch options: - '1' @@ -60,28 +64,49 @@ configuration: - '3' - '4' - '5' - type: 15 required: false - hidden: false + type: 15 - display: Incident type name: incidentType - type: 13 required: false -description: "Pack helps to integrate Group-IB Threat Intelligence and get incidents directly into Cortex XSOAR. \nThe list of included collections: \nCompromised Accounts, Compromised Cards, Brand Protection Phishing, Brand Protection Phishing Kit, OSI Git Leak, OSI Public Leak, Targeted Malware." + type: 13 +description: "Pack helps to integrate Group-IB Threat Intelligence and get incidents\ + \ directly into Cortex XSOAR. \nThe list of included collections: \nCompromised\ + \ Accounts, Compromised Cards, Brand Protection Phishing, Brand Protection Phishing\ + \ Kit, OSI Git Leak, OSI Public Leak, Targeted Malware." +detaileddescription: "### Group-IB Threat Intelligence\n \n \n- This section explains\ + \ how to configure the instance of Threat Intelligence in Cortex XSOAR. \n \n\ + 1. Open Group-IB TI web interface. (It may be either new interface: [https://tap.group-ib.com](https://tap.group-ib.com))\ + \ \n2. To generate API key(password): \n2.1. In the new interface: click on your\ + \ name in the right upper corner -> choose **Profile** option -> switch to **Security\ + \ and Access** tab -> click **Personal token** -> follow instructions to generate\ + \ API token. \n3. Your server URL is the same as your TI web interface URL. \n\ + 4. Your username is the email that you use to enter in the web interface.\n5. Set\ + \ classifier and mapper with Group-IB Threat Intelligence classifier and mapper\ + \ or with our own if you want so.\n6. Go to Settings->Integrations->Pre-Processing\ + \ Rules and set up the pre-processing rule:\n* Set up conditions: \"gibid Is not\ + \ empty (General)\" and \"Type Doesn't equal(String) GIB Data Breach\".\n* Action:\ + \ \"Run a script\".\n* Script: \"GIBIncidentUpdate\" (will recreate closed incidents\ + \ if they get an update, in other cases will update the existing one) or \"GIBIncidentUpdateIncludingClosed\"\ + (will only update incidents). \n7. Don't forget to contact Group-IB to add to allow\ + \ list your Cortex IP or public IP of a proxy that you are using with Cortex." display: Group-IB Threat Intelligence name: Group-IB Threat Intelligence & Attribution script: commands: - arguments: - - description: |- + - default: false + description: |- GIB event id. e.g.: 253b9a136f0d574149fc43691eaf7ae27aff141a. + isArray: false name: id required: true - default: false - isArray: false secret: false - description: Command performs Group IB event lookup in compromised/account collection with provided ID. + deprecated: false + description: Command performs Group IB event lookup in compromised/account collection + with provided ID. + execution: false name: gibtia-get-compromised-account-info outputs: - contextPath: GIBTIA.CompromisedAccount.client.ipv4.asn @@ -153,18 +178,19 @@ script: - contextPath: GIBTIA.CompromisedAccount.evaluation.severity description: Event severity. type: String - deprecated: false - execution: false - arguments: - - description: |- + - default: false + description: |- GIB event id. e.g.: ecda6f4dc85596f447314ce01e2152db9c9d3cbc. + isArray: false name: id required: true - default: false - isArray: false secret: false - description: Command performs Group IB event lookup in compromised/card collection with provided ID. + deprecated: false + description: Command performs Group IB event lookup in compromised/card collection + with provided ID. + execution: false name: gibtia-get-compromised-card-info outputs: - contextPath: GIBTIA.CompromisedCard.cardInfo.cvv @@ -230,22 +256,24 @@ script: - contextPath: GIBTIA.CompromisedCard.evaluation.severity description: Event severity. type: String - deprecated: false - execution: false - arguments: - - description: |- + - default: false + description: |- GIB event id. e.g.: 50a3b4abbfca5dcbec9c8b3a110598f61ba93r33. + isArray: false name: id required: true - default: false - isArray: false secret: false - description: Command performs Group IB event lookup in compromised/mule collection with provided ID. + deprecated: false + description: Command performs Group IB event lookup in compromised/mule collection + with provided ID. + execution: false name: gibtia-get-compromised-mule-info outputs: - contextPath: GIBTIA.CompromisedMule.account - description: Account number (card/phone), which was used by threat actor to cash out. + description: Account number (card/phone), which was used by threat actor to + cash out. type: String - contextPath: GIBTIA.CompromisedMule.cnc.ipv4.asn description: CNC ASN. @@ -292,18 +320,19 @@ script: - contextPath: GIBTIA.CompromisedMule.evaluation.severity description: Event severity. type: String - deprecated: false - execution: false - arguments: - - description: |- + - default: false + description: |- GIB event id. e.g.: 0c1426048474df19ada9d0089ef8b3efce906556. + isArray: false name: id required: true - default: false - isArray: false secret: false - description: Command performs Group IB event lookup in compromised/imei collection with provided ID. + deprecated: false + description: Command performs Group IB event lookup in compromised/imei collection + with provided ID. + execution: false name: gibtia-get-compromised-imei-info outputs: - contextPath: GIBTIA.CompromisedIMEI.client.ipv4.asn @@ -363,18 +392,19 @@ script: - contextPath: GIBTIA.CompromisedIMEI.evaluation.severity description: Event severity. type: String - deprecated: false - execution: false - arguments: - - description: |- + - default: false + description: |- GIB event id. e.g.: 6fd344f340f4bdc08548cb36ded62bdf. + isArray: false name: id required: true - default: false - isArray: false secret: false - description: Command performs Group IB event lookup in compromised/breached collection with provided ID. + deprecated: false + description: Command performs Group IB event lookup in compromised/breached collection + with provided ID. + execution: false name: gibtia-get-compromised-breached-info outputs: - contextPath: GIBTIA.DataBreach.email @@ -395,18 +425,19 @@ script: - contextPath: GIBTIA.DataBreach.evaluation.severity description: Event severity. type: String - deprecated: false - execution: false - arguments: - - description: |- + - default: false + description: |- GIB event id. e.g.: f201c253ac71f7d78db39fa111a2af9d7ee7a3f7. + isArray: false name: id required: true - default: false - isArray: false secret: false - description: Command performs Group IB event lookup in osi/git_leak collection with provided ID. + deprecated: false + description: Command performs Group IB event lookup in osi/git_leak collection + with provided ID. + execution: false name: gibtia-get-osi-git-leak-info outputs: - contextPath: GIBTIA.GitLeak.dateDetected @@ -442,18 +473,19 @@ script: - contextPath: GIBTIA.GitLeak.evaluation.severity description: Event severity. type: String - deprecated: false - execution: false - arguments: - - description: |- + - default: false + description: |- GIB event id. e.g.: a9a5b5cb9b971a2a037e3a0a30654185ea148095. + isArray: false name: id required: true - default: false - isArray: false secret: false - description: Command performs Group IB event lookup in osi/public_leak collection with provided ID. + deprecated: false + description: Command performs Group IB event lookup in osi/public_leak collection + with provided ID. + execution: false name: gibtia-get-osi-public-leak-info outputs: - contextPath: GIBTIA.PublicLeak.created @@ -492,19 +524,20 @@ script: - contextPath: GIBTIA.PublicLeak.evaluation.severity description: Event severity. type: String - deprecated: false - execution: false - arguments: - - description: |- + - default: false + description: |- GIB event id. e.g.: CVE-2021-27152. + isArray: false name: id required: true - default: false - isArray: false secret: false - description: Command performs Group IB event lookup in osi/vulnerability collection with provided ID. + deprecated: false + description: Command performs Group IB event lookup in osi/vulnerability collection + with provided ID. + execution: false name: gibtia-get-osi-vulnerability-info outputs: - contextPath: GIBTIA.OSIVulnerability.affectedSoftware.name @@ -546,18 +579,19 @@ script: - contextPath: GIBTIA.OSIVulnerability.evaluation.severity description: Event severity. type: String - deprecated: false - execution: false - arguments: - - description: |- + - default: false + description: |- GIB event id. e.g.: 044f3f2cb599228c1882884eb77eb073f68a25f2. - name: id - default: false isArray: false + name: id required: false secret: false - description: Command performs Group IB event lookup in bp/phishing_kit and attacks/phishing_kit collections with provided ID. + deprecated: false + description: Command performs Group IB event lookup in bp/phishing_kit and attacks/phishing_kit + collections with provided ID. + execution: false name: gibtia-get-phishing-kit-info outputs: - contextPath: GIBTIA.PhishingKit.dateDetected @@ -599,18 +633,19 @@ script: - contextPath: GIBTIA.PhishingKit.evaluation.severity description: Event severity. type: String - deprecated: false - execution: false - arguments: - - description: |- + - default: false + description: |- GIB event id. e.g.: fce7f92d0b64946cf890842d083953649b259952. + isArray: false name: id required: true - default: false - isArray: false secret: false - description: Command performs Group IB event lookup in bp/phishing and attacks/phishing collections with provided ID. + deprecated: false + description: Command performs Group IB event lookup in bp/phishing and attacks/phishing + collections with provided ID. + execution: false name: gibtia-get-phishing-info outputs: - contextPath: GIBTIA.Phishing.dateDetected @@ -664,18 +699,19 @@ script: - contextPath: GIBTIA.Phishing.evaluation.severity description: Event severity. type: String - deprecated: false - execution: false - arguments: - - description: |- + - default: false + description: |- GIB event id. e.g.: 26a05baa4025edff367b058b13c6b43e820538a5. + isArray: false name: id required: true - default: false - isArray: false secret: false - description: Command performs Group IB event lookup in attacks/ddos collection with provided ID. + deprecated: false + description: Command performs Group IB event lookup in attacks/ddos collection + with provided ID. + execution: false name: gibtia-get-attacks-ddos-info outputs: - contextPath: GIBTIA.AttacksDDoS.cnc.url @@ -729,18 +765,19 @@ script: - contextPath: GIBTIA.AttacksDDoS.evaluation.severity description: Event severity. type: String - deprecated: false - execution: false - arguments: - - description: |- + - default: false + description: |- GIB event id. e.g.: 6009637a1135cd001ef46e21. + isArray: false name: id required: true - default: false - isArray: false secret: false - description: Command performs Group IB event lookup in attacks/deface collection with provided ID. + deprecated: false + description: Command performs Group IB event lookup in attacks/deface collection + with provided ID. + execution: false name: gibtia-get-attacks-deface-info outputs: - contextPath: GIBTIA.AttacksDeface.date @@ -773,29 +810,30 @@ script: - contextPath: GIBTIA.AttacksDeface.evaluation.severity description: Event severity. type: String - deprecated: false - execution: false - arguments: - - description: |- + - default: false + description: |- GIB event id. e.g.: 1b09d389d016121afbffe481a14b30ea995876e4. + isArray: false name: id required: true - default: false - isArray: false secret: false - auto: PREDEFINED + default: false defaultValue: 'false' description: Is threat APT. + isArray: false name: isAPT predefined: - 'true' - 'false' - default: false - isArray: false required: false secret: false - description: Command performs Group IB event lookup in hi/threat (or in apt/threat if the APT flag is true) collection with provided ID. + deprecated: false + description: Command performs Group IB event lookup in hi/threat (or in apt/threat + if the APT flag is true) collection with provided ID. + execution: false name: gibtia-get-threat-info outputs: - contextPath: GIBTIA.Threat.contacts.account @@ -903,29 +941,30 @@ script: - contextPath: GIBTIA.Threat.evaluation.severity description: Event severity. type: String - deprecated: false - execution: false - arguments: - - description: |- + - default: false + description: |- GIB internal threatActor ID. e.g.: 0d4496592ac3a0f5511cd62ef29887f48d9cb545. + isArray: false name: id required: true - default: false - isArray: false secret: false - auto: PREDEFINED + default: false defaultValue: 'false' description: Is threat actor APT group. + isArray: false name: isAPT predefined: - 'true' - 'false' - default: false - isArray: false required: false secret: false - description: Command performs Group IB event lookup in hi/threat_actor (or in apt/threat_actor if the APT flag is true) collection with provided ID. + deprecated: false + description: Command performs Group IB event lookup in hi/threat_actor (or in + apt/threat_actor if the APT flag is true) collection with provided ID. + execution: false name: gibtia-get-threat-actor-info outputs: - contextPath: GIBTIA.ThreatActor.aliases @@ -985,18 +1024,19 @@ script: - contextPath: GIBTIA.ThreatActor.stat.sectors description: Sectors attacked by threat actor. type: String - deprecated: false - execution: false - arguments: - - description: |- + - default: false + description: |- GIB event id. e.g.: 109.70.100.46. + isArray: false name: id required: true - default: false - isArray: false secret: false - description: Command performs Group IB event lookup in suspicious_ip/tor_node collection with provided ID. + deprecated: false + description: Command performs Group IB event lookup in suspicious_ip/tor_node + collection with provided ID. + execution: false name: gibtia-get-suspicious-ip-tor-node-info outputs: - contextPath: GIBTIA.SuspiciousIPTorNode.ipv4.asn @@ -1017,18 +1057,19 @@ script: - contextPath: GIBTIA.SuspiciousIPTorNode.evaluation.severity description: Event severity. type: String - deprecated: false - execution: false - arguments: - - description: |- + - default: false + description: |- GIB event id. e.g.: cc6a2856da2806b03839f81aa214f22dbcfd7369. + isArray: false name: id required: true - default: false - isArray: false secret: false - description: Command performs Group IB event lookup in suspicious_ip/open_proxy collection with provided ID. + deprecated: false + description: Command performs Group IB event lookup in suspicious_ip/open_proxy + collection with provided ID. + execution: false name: gibtia-get-suspicious-ip-open-proxy-info outputs: - contextPath: GIBTIA.SuspiciousIPOpenProxy.ipv4.asn @@ -1058,18 +1099,19 @@ script: - contextPath: GIBTIA.SuspiciousIPOpenProxy.evaluation.severity description: Event severity. type: String - deprecated: false - execution: false - arguments: - - description: |- + - default: false + description: |- GIB event id. e.g.: 02e385600dfc5bf9b3b3656df8e0e20f5fc5c86e. + isArray: false name: id required: true - default: false - isArray: false secret: false - description: Command performs Group IB event lookup in suspicious_ip/socks_proxy collection with provided ID. + deprecated: false + description: Command performs Group IB event lookup in suspicious_ip/socks_proxy + collection with provided ID. + execution: false name: gibtia-get-suspicious-ip-socks-proxy-info outputs: - contextPath: GIBTIA.SuspiciousIPSocksProxy.ipv4.asn @@ -1090,18 +1132,19 @@ script: - contextPath: GIBTIA.SuspiciousIPSocksProxy.evaluation.severity description: Event severity. type: String - deprecated: false - execution: false - arguments: - - description: |- + - default: false + description: |- GIB event id. e.g.: 5bbd38acf0b9e4f04123af494d485f6c49221e98. + isArray: false name: id required: true - default: false - isArray: false secret: false - description: Command performs Group IB event lookup in malware/targeted_malware collection with provided ID. + deprecated: false + description: Command performs Group IB event lookup in malware/targeted_malware + collection with provided ID. + execution: false name: gibtia-get-malware-targeted-malware-info outputs: - contextPath: GIBTIA.TargetedMalware.date @@ -1155,26 +1198,27 @@ script: - contextPath: GIBTIA.TargetedMalware.evaluation.severity description: Event severity. type: String - deprecated: false + - deprecated: false + description: Returns list of available collections. execution: false - - description: Returns list of available collections. name: gibtia-get-available-collections outputs: - contextPath: GIBTIA.OtherInfo.collections description: List of availiable collections. type: String - deprecated: false - execution: false - arguments: - - description: |- + - default: false + description: |- GIB event id. e.g.: aeed277396e27e375d030a91533aa232444d0089. + isArray: false name: id required: true - default: false - isArray: false secret: false - description: Command performs Group IB event lookup in malware/cnc collection by provided ID. + deprecated: false + description: Command performs Group IB event lookup in malware/cnc collection + by provided ID. + execution: false name: gibtia-get-malware-cnc-info outputs: - contextPath: GIBTIA.MalwareCNC.dateDetected @@ -1216,18 +1260,18 @@ script: - contextPath: GIBTIA.MalwareCNC.id description: GIB event ID. type: String - deprecated: false - execution: false - arguments: - - description: |- + - default: false + description: |- Query you want to search. e.g.: 8.8.8.8. + isArray: false name: query required: true - default: false - isArray: false secret: false + deprecated: false description: Command performs global Group IB search. + execution: false name: gibtia-global-search outputs: - contextPath: apiPath @@ -1239,11 +1283,11 @@ script: - contextPath: GIBLink description: Link to GIB TI&A interface. type: String - deprecated: false - execution: false - arguments: - auto: PREDEFINED + default: false description: Collection you want to search. + isArray: false name: collection_name predefined: - compromised/account @@ -1269,30 +1313,30 @@ script: - malware/cnc - malware/targeted_malware required: true - default: false - isArray: false secret: false - - description: |- + - default: false + description: |- Query you want to search. e.g.: 8.8.8.8. + isArray: false name: query required: true - default: false - isArray: false secret: false - - description: Start date of search session. - name: date_from - default: false + - default: false + description: Start date of search session. isArray: false + name: date_from required: false secret: false - - description: End date of search session. - name: date_to - default: false + - default: false + description: End date of search session. isArray: false + name: date_to required: false secret: false + deprecated: false description: Command performs Group IB search in selected collection. + execution: false name: gibtia-local-search outputs: - contextPath: id @@ -1301,17 +1345,1331 @@ script: - contextPath: additional_info description: Additional info about feed. type: String - deprecated: false - execution: false dockerimage: demisto/python3:3.10.13.78960 + feed: false isfetch: true + longRunning: false + longRunningPort: false runonce: false - script: '-' + script: |- + """ IMPORTS """ + + import json + from datetime import datetime, timedelta + from typing import Dict, Generator, List, Optional, Tuple, Union + + import dateparser + import urllib3 + import random + from requests.auth import HTTPBasicAuth + + # Disable insecure warnings + urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) + """ CONSTANTS """ + + DATE_FORMAT = "%Y-%m-%dT%H:%M:%SZ" + MAPPING: dict = { + "compromised/account_group": { + "date": + "dateFirstSeen", + "name": + "login", + "prefix": + "Compromised Account", + "indicators": + [ + { + "main_field": "events.cnc.url", "main_field_type": "URL" + }, + { + "main_field": "events.cnc.domain", "main_field_type": "Domain" + }, + { + "main_field": "events.cnc.ipv4.ip", "main_field_type": "IP", + "add_fields": ["events.cnc.ipv4.asn", "events.cnc.ipv4.countryName", "events.cnc.ipv4.region"], + "add_fields_types": ["asn", "geocountry", "geolocation"] + }, + { + "main_field": "events.client.ipv4.ip", + } + ] + }, + "compromised/card": { + "date": + "dateDetected", + "name": + "cardInfo.number", + "prefix": + "Compromised Card", + "indicators": + [ + { + "main_field": "cnc.url", "main_field_type": "URL" + }, + { + "main_field": "cnc.domain", "main_field_type": "Domain" + }, + { + "main_field": "cnc.ipv4.ip", "main_field_type": "IP", + "add_fields": ["cnc.ipv4.asn", "cnc.ipv4.countryName", "cnc.ipv4.region"], + "add_fields_types": ["asn", "geocountry", "geolocation"] + } + ] + }, + "compromised/breached": { + "date": + "uploadTime", + "name": + "email", + "prefix": + "Data Breach", + "indicators": [] + }, + "bp/phishing": { + "date": + "dateDetected", + "name": + "phishingDomain.domain", + "prefix": + "Phishing", + "indicators": + [ + { + "main_field": "url", "main_field_type": "URL" + }, + { + "main_field": "phishingDomain.domain", "main_field_type": "Domain", + "add_fields": ["phishingDomain.registrar"], + "add_fields_types": ["registrarname"] + }, + { + "main_field": "ipv4.ip", "main_field_type": "IP" + } + ] + }, + "bp/phishing_kit": { + "date": + "dateDetected", + "name": + "hash", + "prefix": + "Phishing Kit", + "indicators": + [ + { + "main_field": "emails", "main_field_type": "Email" + } + ] + }, + # "bp/domain": { + # "date": + # "ts_create", + # "name": + # "attrs.domain", + # "prefix": + # "Phishing Domain", + # "indicators": + # [ + # { + # "main_field": "attrs.domain", "main_field_type": "Domain", + # "add_fields": ["phishingDomain.registrar"], + # "add_fields_types": ["registrarname"] + # }, + # { + # "main_field": "attrs.server_ip", "main_field_type": "IP", + # "add_fields": ["attrs.server_ip_asn", "attrs.server_ip_country_name", "attrs.server_ip_region"], + # "add_fields_types": ["asn", "geocountry", "geolocation"] + # } + # ] + # }, + "osi/git_repository": { + "date": + "dateDetected", + "name": + "name", + "prefix": + "Git Leak", + }, + "osi/public_leak": { + "date": + "created", + "name": + "hash", + "prefix": + "Public Leak", + }, + "malware/targeted_malware": { + "date": + "date", + "name": + "injectMd5", + "prefix": + "Targeted Malware", + "indicators": + [ + { + "main_field": "md5", "main_field_type": "File", + "add_fields": ["fileName", "md5", "sha1", "sha256", "size"], + "add_fields_types": ["gibfilename", "md5", "sha1", "sha256", "size"] + } + ] + }, + + + "compromised/mule": { + "name": + "account", + "prefix": + "Compromised Mule", + "indicators": + [ + { + "main_field": "cnc.url", "main_field_type": "URL", + }, + { + "main_field": "cnc.domain", "main_field_type": "Domain", + }, + { + "main_field": "cnc.ipv4.ip", "main_field_type": "IP", + "add_fields": ["cnc.ipv4.asn", "cnc.ipv4.countryName", "cnc.ipv4.region"], + "add_fields_types": ["asn", "geocountry", "geolocation"] + } + ] + }, + "compromised/imei": { + "name": + "device.imei", + "prefix": + "Compromised IMEI", + "indicators": + [ + { + "main_field": "cnc.url", "main_field_type": "URL", + }, + { + "main_field": "cnc.domain", "main_field_type": "Domain", + }, + { + "main_field": "cnc.ipv4.ip", "main_field_type": "IP", + "add_fields": ["cnc.ipv4.asn", "cnc.ipv4.countryName", "cnc.ipv4.region"], + "add_fields_types": ["asn", "geocountry", "geolocation"] + } + ] + }, + "attacks/ddos": { + "name": + "target.ipv4.ip", + "prefix": + "Attacks DDoS", + "indicators": + [ + { + "main_field": "cnc.url", "main_field_type": "URL", + }, + { + "main_field": "cnc.domain", "main_field_type": "Domain", + }, + { + "main_field": "cnc.ipv4.ip", "main_field_type": "IP", + "add_fields": ["cnc.ipv4.asn", "cnc.ipv4.countryName", "cnc.ipv4.region"], + "add_fields_types": ["asn", "geocountry", "geolocation"] + }, + ] + }, + "attacks/deface": { + "name": + "url", + "prefix": + "Attacks Deface", + "indicators": + [ + { + "main_field": "url", "main_field_type": "URL", + }, + { + "main_field": "targetDomain", "main_field_type": "Domain", + }, + { + "main_field": "targetIp.ip", "main_field_type": "IP", + "add_fields": ["targetIp.asn", "targetIp.countryName", "targetIp.region"], + "add_fields_types": ["asn", "geocountry", "geolocation"] + } + ] + }, + "attacks/phishing": { + "name": + "phishingDomain.domain", + "prefix": + "Phishing", + "indicators": + [ + { + "main_field": "url", "main_field_type": "URL", + }, + { + "main_field": "phishingDomain.domain", "main_field_type": "Domain", + "add_fields": ["phishingDomain.registrar"], + "add_fields_types": ["registrarname"] + }, + { + "main_field": "ipv4.ip", "main_field_type": "IP", + "add_fields": ["ipv4.asn", "ipv4.countryName", "ipv4.region"], + "add_fields_types": ["asn", "geocountry", "geolocation"] + } + ] + }, + "attacks/phishing_kit": { + "name": + "emails", + "prefix": + "Phishing Kit", + "indicators": + [ + { + "main_field": "emails", "main_field_type": "Email", + } + ] + }, + "apt/threat": { + "prefix": + "Threat", + "indicators": + [ + { + "main_field": "indicators.params.ipv4", "main_field_type": "IP", + }, + { + "main_field": "indicators.params.domain", "main_field_type": "Domain", + }, + { + "main_field": "indicators.params.url", "main_field_type": "URL", + }, + { + "main_field": "indicators.params.hashes.md5", "main_field_type": "File", + "add_fields": + [ + "indicators.params.name", "indicators.params.hashes.md5", + "indicators.params.hashes.sha1", + "indicators.params.hashes.sha256", "indicators.params.size" + ], + "add_fields_types": ["gibfilename", "md5", "sha1", "sha256", "size"] + } + ] + }, + "hi/threat": { + "prefix": + "Threat", + "indicators": + [ + { + "main_field": "indicators.params.ipv4", "main_field_type": "IP", + }, + { + "main_field": "indicators.params.domain", "main_field_type": "Domain", + }, + { + "main_field": "indicators.params.url", "main_field_type": "URL", + }, + { + "main_field": "indicators.params.hashes.md5", "main_field_type": "File", + "add_fields": + [ + "indicators.params.name", "indicators.params.hashes.md5", + "indicators.params.hashes.sha1", + "indicators.params.hashes.sha256", "indicators.params.size" + ], + "add_fields_types": ["gibfilename", "md5", "sha1", "sha256", "size"] + } + ] + }, + "suspicious_ip/tor_node": { + "name": + "ipv4.ip", + "prefix": + "Suspicious IP Tor Node", + "indicators": + [ + { + "main_field": "ipv4.ip", "main_field_type": "IP", + "add_fields": ["ipv4.asn", "ipv4.countryName", "ipv4.region"], + "add_fields_types": ["asn", "geocountry", "geolocation"] + } + ] + }, + "suspicious_ip/open_proxy": { + "name": + "ipv4.ip", + "prefix": + "Suspicious IP Open Proxy", + "indicators": + [ + { + "main_field": "ipv4.ip", "main_field_type": "IP", + "add_fields": ["ipv4.asn", "ipv4.countryName", "ipv4.region"], + "add_fields_types": ["asn", "geocountry", "geolocation"] + } + ] + }, + "suspicious_ip/socks_proxy": { + "name": + "ipv4.ip", + "prefix": + "Suspicious IP Socks Proxy", + "indicators": + [ + { + "main_field": "ipv4.ip", "main_field_type": "IP", + "add_fields": ["ipv4.asn", "ipv4.countryName", "ipv4.region"], + "add_fields_types": ["asn", "geocountry", "geolocation"] + } + ] + }, + "malware/cnc": { + "name": + "ipv4.ip", + "prefix": + "Malware CNC", + "indicators": + [ + { + "main_field": "url", "main_field_type": "URL" + }, + { + "main_field": "domain", "main_field_type": "Domain" + }, + { + "main_field": "ipv4.ip", "main_field_type": "IP", + "add_fields": ["ipv4.asn", "ipv4.countryName", "ipv4.region"], + "add_fields_types": ["asn", "geocountry", "geolocation"] + } + ] + }, + "osi/vulnerability": { + "name": + "id", + "prefix": + "OSI Vulnerability", + "indicators": + [ + { + "main_field": "id", "main_field_type": "CVE", + "add_fields": ["cvss.score", "description", "dateLastSeen", "datePublished"], + "add_fields_types": ["cvss", "cvedescription", "cvemodified", "published"] + } + ] + }, + "hi/threat_actor": {"prefix": "Threat Actor"}, + "apt/threat_actor": {"prefix": "Threat Actor"} + } + + STATUS_CODE_MSGS = { + 401: "Bad Credentials", + 403: "Something is wrong with your account, please, contact GIB.", + 404: "Not found. There is no such data on server.", + 500: "There are some troubles on server with your request.", + 301: "Verify that your public IP is whitelisted by Group IB.", + 302: "Verify that your public IP is whitelisted by Group IB." + } + + # LEGACY_HEADERS = { + # "Accept": "application/json", + # 'Connection': 'Keep-Alive', + # 'Keep-Alive': "30" + # } + + TIMEOUT = 60. + RETRIES = 4 + STATUS_LIST_TO_RETRY = [429, 500] + + + class Client(BaseClient): + """ + Client will implement the service API, and should not contain any Demisto logic. + Should only do requests and return data. + """ + + def _create_update_generator(self, collection_name: str, max_requests: int, + date_from: Optional[str] = None, seq_update: Union[int, str] = None, + limit: int = 200) -> Generator: + """ + Creates generator of lists with feeds class objects for an update session + (feeds are sorted in ascending order) `collection_name` with set parameters. + + `seq_update` allows you to receive all relevant feeds. Such a request uses the seq_update parameter, + you will receive a portion of feeds that starts with the next `seq_update` parameter for the current collection. + For all feeds in the Group IB Intelligence continuous numbering is carried out. + For example, the `seq_update` equal to 1999998 can be in the `compromised/accounts` collection, + and a feed with seq_update equal to 1999999 can be in the `attacks/ddos` collection. + If item updates (for example, if new attacks were associated with existing APT by our specialists + or tor node has been detected as active again), the item gets a new parameter and it automatically rises + in the database and "becomes relevant" again. + + :param collection_name: collection to update. + :param max_requests: a maximum number of requests to API. + :param date_from: start date of update session. + :param seq_update: identification number from which to start the session. + """ + requests_count = 0 + while True: + if requests_count >= max_requests: + break + session = requests.Session() + session.auth = HTTPBasicAuth(self._auth[0], self._auth[1]) + + session.headers["Accept"] = "*/*" + session.headers["User-Agent"] = f'SOAR/CortexSOAR/{self._auth[0]}/unknown' + + params = {'df': date_from, 'limit': limit, 'seqUpdate': seq_update} + params = {key: value for key, value in params.items() if value} + portion = session.get(url=f'{self._base_url}{collection_name}/updated', params=params, timeout=60).json() + + # params = {"df": date_from, "seqUpdate": seq_update} + # params = assign_params(**params) + # portion = self._http_request(method="GET", url_suffix=collection_name + "/updated", + # params=params, timeout=TIMEOUT, retries=RETRIES, + # status_list_to_retry=STATUS_LIST_TO_RETRY) + if portion.get("count") == 0: + break + seq_update = portion.get("seqUpdate") + date_from = None + requests_count += 1 + + yield portion.get("items"), seq_update + + def _create_search_generator(self, collection_name: str, max_requests: int, date_to: str = None, + page: int = 0, starting_date_from: str = None, + starting_date_to: str = None, limit: int = 200) -> Generator: + """ + Creates generator of lists with feeds for the search session for ingestion purpose + (feeds are sorted in descending order) for `collection_name` with set parameters. This version solves problem + with a large number of feeds with the same date. + + :param collection_name: collection to search. + :param max_requests: a maximum number of requests to API. + :param date_to: current search location. + :param page: number of pages from start. + :param starting_date_from: global down border for a session. + :param starting_date_to: global upper border for a session. + """ + + requests_count = 0 + result_id = None + no_data_flag = 0 + while True: + if requests_count >= max_requests or no_data_flag: + break + + if page and not result_id: + k = 0 + while k != page: + if result_id: + params = {'resultId': result_id} + else: + params = {'df': starting_date_from, 'dt': date_to} + params = assign_params(**params) + portion = self._http_request(method="GET", url_suffix=collection_name, + params=params, timeout=TIMEOUT, retries=RETRIES, + status_list_to_retry=STATUS_LIST_TO_RETRY) + result_id = portion.get("resultId") + k += 1 + + if result_id: + params = {'resultId': result_id} + else: + params = {'df': starting_date_from, 'dt': date_to} + params = assign_params(**params) + portion = self._http_request(method="GET", url_suffix=collection_name, + params=params, timeout=TIMEOUT, retries=RETRIES, + status_list_to_retry=STATUS_LIST_TO_RETRY) + + requests_count += 1 + data = portion.get('items') + if len(data) < 100: + no_data_flag = 1 + page = 0 + starting_date_from = (dateparser.parse(starting_date_to) # type: ignore + + timedelta(seconds=1)).strftime(DATE_FORMAT) + starting_date_to = datetime.now().strftime(DATE_FORMAT) + date_to = starting_date_to + else: + if data[0].get("uploadTime") == data[-1].get("uploadTime"): + page += 1 + else: + result_id = None + page = 0 + for i in range(len(data) - 1, -1, -1): + if data[i].get("uploadTime") != data[-1].get("uploadTime"): + upload_time_parsed = dateparser.parse(data[i].get("uploadTime")) + assert upload_time_parsed is not None, f'could not parse {data[i].get("uploadTime")}' + date_to = (upload_time_parsed - timedelta(seconds=1)).strftime(DATE_FORMAT) + data = data[:i + 1:] + break + + last_fetch = {"starting_date_from": starting_date_from, "page": page, + "starting_date_to": starting_date_to, "current_date_to": date_to} + yield data, last_fetch + + # def _create_legacy_generator(self, action: str, max_requests: int, last: Optional[str] = None) -> Generator: + # """ + # Legacy generator is similar to update generator. + # + # :param action: collection to search. + # :param max_requests: a maximum number of requests to API. + # :param last: identification number from which to start the session. + # """ + # requests_count = 0 + # while True: + # if requests_count >= max_requests: + # break + # + # params = {"action": action, "last": last, "module": "get", "lang": 3} + # params = assign_params(**params) + # portion = self._http_request(method="GET", full_url="https://bt.group-ib.com", + # headers=LEGACY_HEADERS, params=params, timeout=TIMEOUT, retries=RETRIES, + # status_list_to_retry=STATUS_LIST_TO_RETRY) + # if portion.get("status") != 200: + # if portion.get("status") in STATUS_CODE_MSGS: + # raise DemistoException(STATUS_CODE_MSGS[portion.get("status")]) + # else: + # raise DemistoException( + # "Something is wrong, status code {0} for request to APIv1".format(portion.get("status")) + # ) + # portion = portion.get("data") + # + # if portion.get("count") == 0: + # break + # last = portion.get("last") + # requests_count += 1 + # + # yield portion.get("new"), last + # + # def _legacy_get_last(self, date_from, action): + # """ + # Get last for a certain date. + # + # :param action: collection to search. + # :param date_from: date to get the "last" identifier. + # """ + # params = {"action": "get_last", "date": date_from, "module": "get", "type": action} + # params = assign_params(**params) + # resp = self._http_request(method="GET", full_url="https://bt.group-ib.com", + # headers=LEGACY_HEADERS, params=params, timeout=TIMEOUT, retries=RETRIES, + # status_list_to_retry=STATUS_LIST_TO_RETRY) + # if resp.get("status") != 200: + # if resp.get("status") in STATUS_CODE_MSGS: + # raise DemistoException(STATUS_CODE_MSGS[resp.get("status")]) + # else: + # raise DemistoException( + # "Something is wrong, status code {0} for request to APIv1".format(resp.get("status")) + # ) + # last = resp.get("data") + # return last + + def create_poll_generator(self, collection_name: str, max_requests: int, **kwargs): + """ + Interface to work with different types of indicators. + """ + + # Handle first time fetch + date_from = None + last_fetch = kwargs.get("last_fetch") + if not last_fetch: + date_from = dateparser.parse(kwargs.get("first_fetch_time")) # type: ignore + if date_from is None: + raise DemistoException('Inappropriate first_fetch format, ' + 'please use something like this: 2020-01-01 or January 1 2020 or 3 days') + date_from = date_from.strftime('%Y-%m-%d') # type: ignore + + if collection_name == "compromised/breached": + # we need the isinstance check for BC because it used to be a string + if last_fetch and isinstance(last_fetch, dict): + starting_date_from = last_fetch.get("starting_date_from") + starting_date_to = last_fetch.get("starting_date_to") + date_to = last_fetch.get("current_date_to") + page = last_fetch.get("page", 0) + else: + starting_date_from = date_from + starting_date_to = datetime.now().strftime(DATE_FORMAT) + date_to = starting_date_to + page = 0 + return self._create_search_generator(collection_name=collection_name, max_requests=max_requests, + date_to=date_to, page=page, starting_date_from=starting_date_from, + starting_date_to=starting_date_to) + # elif collection_name == "bp/domain": + # if not last_fetch: + # last_fetch = self._legacy_get_last(date_from=date_from, action="domain") + # return self._create_legacy_generator(action="domain", max_requests=max_requests, last=last_fetch) + else: + return self._create_update_generator(collection_name=collection_name, max_requests=max_requests, + date_from=date_from, seq_update=last_fetch) # type: ignore + + def create_manual_generator(self, collection_name: str, date_from: str = None, + date_to: str = None, query: str = None) -> Generator: + """ + Creates generator of lists with feeds for the search session + (feeds are sorted in descending order) for `collection_name` with set parameters. + + :param collection_name: collection to search. + :param date_from: start date of search session. + :param date_to: end date of search session. + :param query: query to search. + """ + + result_id = None + while True: + params = {'df': date_from, 'dt': date_to, 'resultId': result_id, 'q': query} + params = assign_params(**params) + portion = self._http_request(method="GET", url_suffix=collection_name, + params=params, timeout=TIMEOUT, retries=RETRIES, + status_list_to_retry=STATUS_LIST_TO_RETRY) + if portion.get('count') > 2000: + raise DemistoException('Portion is too large (count > 2000), this can cause timeout in Demisto.' + 'Please, change or set date_from/date_to arguments or change query.') + if len(portion.get('items')) == 0: + break + result_id = portion.get("resultId") + date_from, date_to, query = None, None, None + yield portion.get('items') + + def search_feed_by_id(self, collection_name: str, feed_id: str) -> Dict: + """ + Searches for feed with `feed_id` in collection with `collection_name`. + + :param collection_name: in what collection to search. + :param feed_id: id of feed to search. + """ + portion = self._http_request(method="GET", url_suffix=collection_name + "/" + feed_id, timeout=TIMEOUT, + retries=RETRIES, status_list_to_retry=STATUS_LIST_TO_RETRY, + backoff_factor=random.random() * 10 + 1) + + return portion + + def get_available_collections(self): + """ + Gets list of available collections from GIB TI&A API. + """ + + response = self._http_request(method="GET", url_suffix="user/granted_collections", + timeout=TIMEOUT, retries=RETRIES, + status_list_to_retry=STATUS_LIST_TO_RETRY) + buffer_list = find_element_by_key(response, 'collection') + + # buffer_list = list(response.get("list").keys()) + # + # try: + # self._http_request(method="GET", url_suffix="compromised/breached", params={"limit": 1}, + # timeout=TIMEOUT, retries=RETRIES, status_list_to_retry=STATUS_LIST_TO_RETRY) + # buffer_list.append("compromised/breached") + # except Exception: + # pass + # + # # legacy collection + # try: + # params = {"action": "get_last", "date": datetime.now().strftime("%Y-%m-%d"), + # "module": "get", "type": "domain"} + # response = self._http_request(method="GET", full_url="https://bt.group-ib.com", + # headers=LEGACY_HEADERS, params=params, timeout=TIMEOUT, retries=RETRIES, + # status_list_to_retry=STATUS_LIST_TO_RETRY) + # last = response.get("data") + # params = {"action": "domain", "last": last, "module": "get"} + # portion = self._http_request(method="GET", full_url="https://bt.group-ib.com", + # headers=LEGACY_HEADERS, params=params, timeout=TIMEOUT, retries=RETRIES, + # status_list_to_retry=STATUS_LIST_TO_RETRY) + # if portion.get("status") == 200: + # buffer_list.append("bp/domain") + # except Exception: + # pass + + collections_list = [] + for key in MAPPING.keys(): + if key in buffer_list: + collections_list.append(key) + return {"collections": collections_list}, buffer_list + + def search_by_query(self, q): + results = self._http_request(method="GET", url_suffix="search", params={'q': q}, + timeout=TIMEOUT, retries=RETRIES, + status_list_to_retry=STATUS_LIST_TO_RETRY) + return results + + + def test_module(client: Client) -> str: + """ + Returning 'ok' indicates that the integration works like it is supposed to. Connection to the service is successful. + + :param client: GIB_TI&A client + :return: 'ok' if test passed, anything else will fail the test. + """ + + collections_list, _ = client.get_available_collections() + for collection in collections_list.get("collections"): + if collection not in MAPPING.keys(): + return "Test failed, some problems with getting available collections." + return "ok" + + + """ Support functions """ + + + def find_element_by_key(obj, key): + """ + Recursively finds element or elements in dict. + """ + + path = key.split(".", 1) + if len(path) == 1: + if isinstance(obj, list): + return [i.get(path[0]) for i in obj if i not in ["255.255.255.255", "0.0.0.0", ""]] + elif isinstance(obj, dict): + if obj.get(path[0]) in ["255.255.255.255", "0.0.0.0", ""]: + return None + else: + return obj.get(path[0]) + else: + if obj in ["255.255.255.255", "0.0.0.0", ""]: + return None + else: + return obj + else: + if isinstance(obj, list): + return [find_element_by_key(i.get(path[0]), path[1]) for i in obj] + elif isinstance(obj, dict): + return find_element_by_key(obj.get(path[0]), path[1]) + else: + if obj in ["255.255.255.255", "0.0.0.0", ""]: + return None + else: + return obj + + + def transform_to_command_results(iocs, ioc_type, fields, fields_names, collection_name): + """ + Recursively ties together and transforms indicator data. + """ + + parsed_info = [] + if isinstance(iocs, list): + for i, ioc in enumerate(iocs): + buf_fields = [] + for field in fields: + if isinstance(field, list): + buf_fields.append(field[i]) + else: + buf_fields.append(field) + parsed_info.extend(transform_to_command_results(ioc, ioc_type, buf_fields, fields_names, collection_name)) + return parsed_info + else: + if iocs is None: + return [] + + fields = {fields_names[i]: fields[i] for i in range(len(fields_names)) if fields[i] is not None} + + output = parse_to_outputs(iocs, ioc_type, fields) + if output: + results = [CommandResults( + readable_output=tableToMarkdown("{0} indicator".format(ioc_type), {"value": iocs, **fields}), + indicator=output, + ignore_auto_extract=True + )] + return results + else: + return [] + + + def parse_to_outputs(value, indicator_type, fields): + def calculate_dbot_score(type_): + severity = fields.get("severity") + if severity == "green": + score = Common.DBotScore.GOOD + elif severity == "orange": + score = Common.DBotScore.SUSPICIOUS + elif severity == "red": + score = Common.DBotScore.BAD + else: + score = Common.DBotScore.NONE + + return Common.DBotScore( + indicator=value, + indicator_type=type_, + integration_name="GIB TI&A", + score=score + ) + + if indicator_type == "IP": + return Common.IP(ip=value, asn=fields.get("asn"), geo_country=fields.get("geocountry"), + geo_description=fields.get("geolocation"), + dbot_score=calculate_dbot_score(DBotScoreType.IP)) + elif indicator_type == "Domain": + return Common.Domain(domain=value, registrar_name=fields.get("registrarname"), + dbot_score=calculate_dbot_score(DBotScoreType.DOMAIN)) + elif indicator_type == "File": + return Common.File(md5=value, sha1=fields.get("sha1"), sha256=fields.get("sha256"), + name=fields.get("gibfilename"), size=fields.get("size"), + dbot_score=calculate_dbot_score(DBotScoreType.FILE)) + elif indicator_type == "URL": + return Common.URL(url=value, dbot_score=calculate_dbot_score(DBotScoreType.URL)) + elif indicator_type == "CVE": + return Common.CVE(id=value, cvss=fields.get("cvss"), published=fields.get("published"), + modified=fields.get("cvemodified"), description=fields.get("cvedescription")) + return None + + + def find_iocs_in_feed(feed: Dict, collection_name: str) -> List: + """ + Finds IOCs in the feed and transform them to the appropriate format to ingest them into Demisto. + + :param feed: feed from GIB TI&A. + :param collection_name: which collection this feed belongs to. + """ + + indicators = [] + indicators_info = MAPPING.get(collection_name, {}).get("indicators", []) + for i in indicators_info: + main_field = find_element_by_key(feed, i["main_field"]) + main_field_type = i["main_field_type"] + add_fields = [] + add_fields_list = i.get("add_fields", []) + ["evaluation.severity"] + add_fields_types = i.get("add_fields_types", []) + ["severity"] + for j in add_fields_list: + add_fields.append(find_element_by_key(feed, j)) + parsed_info = transform_to_command_results(main_field, main_field_type, + add_fields, add_fields_types, collection_name) + indicators.extend(parsed_info) + + return indicators + + + def transform_some_fields_into_markdown(collection_name, feed: Dict) -> Dict: + """ + Some fields can have complex nesting, so this function transforms them into an appropriate state. + + :param collection_name: which collection this feed belongs to. + :param feed: feed from GIB TI&A that needs transformation. + :return: given feed with transformed fields. + """ + + if collection_name == "osi/git_repository": + buffer = "" + files = feed.get("files", []) + for i in files: + url = i.get("url") + date = i.get("dateCreated") + # file_diff = "[https://bt.group-ib.com/api/v2/osi/git_leak]({0})".format(i.get("fileDiff")) + # info = find_element_by_key(i,'revisions.info') + author_email = ''.join(find_element_by_key(i, 'revisions.info.authorEmail')) + author_name = ''.join(find_element_by_key(i, 'revisions.info.authorName')) + timestamp = ''.join(str(find_element_by_key(i, 'revisions.info.timestamp'))) + # author_email, author_name, date = info.get("authorEmail"), info.get("authorName"), info.get("dateCreated") + buffer += "| {0} | {1} | {2} | {3} | {4} |\n".format(url, author_email, author_name, date, timestamp) + if buffer: + buffer = "| URL | Author Email | Author Name | Date Created| TimeStamp |\n" \ + "| ---- | --------------- | ------------ | ----------- | ------------ |\n" + buffer + feed["files"] = buffer + else: + del feed["files"] + + elif collection_name == "osi/public_leak": + buffer = "" + link_list = feed.get("linkList", []) + for i in link_list: + author = i.get("author") + detected = i.get("dateDetected") + published = i.get("datePublished") + hash_ = i.get("hash") + link = "[{0}]({0})".format(i.get("link")) + source = i.get("source") + buffer += "| {0} | {1} | {2} | {3} | {4} | {5} |\n".format(author, detected, published, hash_, link, source) + if buffer: + buffer = "| Author | Date Detected | Date Published | Hash | Link | Source |\n" \ + "| ------ | ------------- | -------------- | ---- |----- | ------ |\n" + buffer + feed["linkList"] = buffer + else: + del feed["linkList"] + + buffer = "" + matches = feed.get("matches", {}) + if isinstance(matches, list): + matches = {} + for type_, sub_dict in matches.items(): + for sub_type, sub_list in sub_dict.items(): + for value in sub_list: + buffer += "| {0} | {1} | {2} |\n".format(type_, sub_type, value) + if buffer: + buffer = "| Type | Sub Type | Value |\n" \ + "| ---- | -------- | ----- |\n" + buffer + feed["matches"] = buffer + else: + del feed["matches"] + + elif collection_name == "bp/phishing_kit": + buffer = "" + downloaded_from = feed.get("downloadedFrom", []) + for i in downloaded_from: + date, url, domain, filename = i.get("date"), i.get("url"), i.get("domain"), i.get("fileName") + buffer += "| {0} | {1} | {2} | {3} |\n".format(url, filename, domain, date) + if buffer: + buffer = "| URL | File Name | Domain | Date |\n| --- | --------- | ------ | ---- |\n" + buffer + feed["downloadedFrom"] = buffer + else: + del feed["downloadedFrom"] + + return feed + + + def get_human_readable_feed(collection_name, feed): + return tableToMarkdown(name="Feed from {0} with ID {1}".format(collection_name, feed.get("id")), + t=feed, removeNull=True) + + + def transform_function(result, previous_keys="", is_inside_list=False): + result_dict = {} + additional_tables: List[Any] = [] + + if isinstance(result, dict): + if is_inside_list: + additional_tables.append(result) + else: + for key, value in result.items(): + sub_key = previous_keys + " " + key if previous_keys else key + transformed_part, additional_info = transform_function(value, previous_keys=sub_key, + is_inside_list=is_inside_list) + result_dict.update(transformed_part) + additional_tables.extend(additional_info) + + return result_dict, additional_tables + + elif isinstance(result, list): + is_inside_list = True + for value in result: + transformed_part, additional_info = transform_function(value, previous_keys=previous_keys, + is_inside_list=is_inside_list) + additional_tables.extend(additional_info) + if result_dict.get(previous_keys) is None: + result_dict.update(transformed_part) + else: + result_dict[previous_keys].extend(transformed_part[previous_keys]) + + if additional_tables: + additional_tables = [CommandResults( + readable_output=tableToMarkdown("{0} table".format(previous_keys), additional_tables, removeNull=True), + ignore_auto_extract=True + )] + + return result_dict, additional_tables + + elif isinstance(result, (str, int, float)) or result is None: + if not is_inside_list: + result_dict.update({previous_keys: result}) + else: + result_dict.update({previous_keys: [result]}) + + return result_dict, additional_tables + + + """ Commands """ + + + def fetch_incidents_command(client: Client, last_run: Dict, first_fetch_time: str, + incident_collections: List, requests_count: int) -> Tuple[Dict, List]: + """ + This function will execute each interval (default is 1 minute). + + :param client: GIB_TI&A_Feed client. + :param last_run: the greatest sequpdate we fetched from last fetch. + :param first_fetch_time: if last_run is None then fetch all incidents since first_fetch_time. + :param incident_collections: list of collections enabled by client. + :param requests_count: count of requests to API per collection. + + :return: next_run will be last_run in the next fetch-incidents; incidents and indicators will be created in Demisto. + """ + incidents = [] + next_run: Dict[str, Dict[str, Union[int, Any]]] = {"last_fetch": {}} + for collection_name in incident_collections: + last_fetch = last_run.get("last_fetch", {}).get(collection_name) + + portions = client.create_poll_generator(collection_name=collection_name, max_requests=requests_count, + last_fetch=last_fetch, first_fetch_time=first_fetch_time) + for portion, last_fetch in portions: + for feed in portion: + mapping = MAPPING.get(collection_name, {}) + if collection_name == "compromised/breached": + feed.update({"name": mapping.get("prefix", "") + ": " + ', '.join( + find_element_by_key(feed, mapping.get("name")))}) + else: + feed.update({"name": mapping.get("prefix", "") + ": " + str( + find_element_by_key(feed, mapping.get("name")))}) + + feed.update({"gibType": collection_name}) + + severity = feed.get("evaluation", {}).get("severity") + system_severity = 0 + if severity == "green": + system_severity = 1 + elif severity == "orange": + system_severity = 2 + elif severity == "red": + system_severity = 3 + + related_indicators_data = [] + indicators_info = MAPPING.get(collection_name, {}).get("indicators", []) + for i in indicators_info: + if find_element_by_key(feed, i["main_field"]) is not None: + related_indicators_data.append(find_element_by_key(feed, i["main_field"])) + + incident_created_time = dateparser.parse(feed.get(mapping.get("date"))) + assert incident_created_time is not None + feed.update({"relatedIndicatorsData": related_indicators_data}) + feed.update({"systemSeverity": system_severity}) + if collection_name in ["osi/git_repository", "osi/public_leak", "bp/phishing_kit"]: + feed = transform_some_fields_into_markdown(collection_name, feed) + incident = { + "name": feed["name"], + "occurred": incident_created_time.strftime(DATE_FORMAT), + "rawJSON": json.dumps(feed) + } + incidents.append(incident) + + next_run["last_fetch"][collection_name] = last_fetch + + return next_run, incidents + + + def get_available_collections_command(client: Client, args): + """ + Returns list of available collections to context and War Room. + + :param client: GIB_TI&A_Feed client. + """ + + result, buffer_list = client.get_available_collections() + readable_output = tableToMarkdown(name="Available collections", t=result, headers="collections") + return CommandResults( + outputs_prefix="GIBTIA.OtherInfo", + outputs_key_field="collections", + outputs=result, + readable_output=readable_output, + ignore_auto_extract=True, + raw_response=buffer_list + ) + + + def get_info_by_id_command(collection_name: str): + """ + Decorator around actual commands, that returns command depends on `collection_name`. + """ + + def get_info_by_id_for_collection(client: Client, args: Dict) -> List[CommandResults]: + """ + This function returns additional information to context and War Room. + + :param client: GIB_TI&A_Feed client. + :param args: arguments, provided by client. + """ + results = [] + coll_name = collection_name + id_ = str(args.get("id")) + + if coll_name in ["threat", "threat_actor"]: + flag = args.get("isAPT") + if flag: + coll_name = "apt/" + coll_name + else: + coll_name = "hi/" + coll_name + result = client.search_feed_by_id(coll_name, id_) + if "displayOptions" in result: + del result["displayOptions"] + + else: + result = client.search_feed_by_id(coll_name, id_) + if "isFavourite" in result: + del result["isFavourite"] + if "isHidden" in result: + del result["isHidden"] + + if "seqUpdate" in result: + del result["seqUpdate"] + + indicators: List[CommandResults] = [] + if coll_name not in ["apt/threat_actor", "hi/threat_actor"]: + indicators = find_iocs_in_feed(result, coll_name) + + if coll_name in ["apt/threat", "hi/threat"]: + del result["indicatorMalwareRelationships"], result["indicatorRelationships"], \ + result["indicatorToolRelationships"], result["indicatorsIds"], \ + result["indicators"] + + if coll_name == "compromised/breached": + if "updateTime" in result: + del result["updateTime"] + main_table_data, additional_tables = result, [] + else: + main_table_data, additional_tables = transform_function(result) + results.append(CommandResults( + outputs_prefix="GIBTIA.{0}".format(MAPPING.get(coll_name, {}).get("prefix", "").replace(" ", "")), + outputs_key_field="id", + outputs=result, + readable_output=get_human_readable_feed(collection_name, main_table_data), + raw_response=result, + ignore_auto_extract=True + )) + results.extend(additional_tables) + results.extend(indicators) + return results + + return get_info_by_id_for_collection + + + def global_search_command(client: Client, args: Dict): + query = str(args.get('query')) + raw_response = client.search_by_query(query) + handled_list = [] + for result in raw_response: + if result.get('apiPath') in MAPPING.keys(): + handled_list.append({'apiPath': result.get('apiPath'), 'count': result.get('count'), + 'GIBLink': result.get('link'), + 'query': result.get('apiPath') + '?q=' + query}) + if len(handled_list) != 0: + results = CommandResults( + outputs_prefix="GIBTIA.search.global", + outputs_key_field="query", + outputs=handled_list, + readable_output=tableToMarkdown('Search results', t=handled_list, + headers=['apiPath', 'count', 'GIBLink'], + url_keys=['GIBLink']), + raw_response=raw_response, + ignore_auto_extract=True + ) + else: + results = CommandResults( + raw_response=raw_response, + ignore_auto_extract=True, + outputs=[], + readable_output="Did not find anything for your query :(" + ) + return results + + + def local_search_command(client: Client, args: Dict): + query, date_from, date_to = args.get('query'), args.get('date_from', None), args.get('date_to', None) + collection_name = str(args.get('collection_name')) + + if date_from is not None: + date_from_parsed = dateparser.parse(date_from) + if date_from_parsed is None: + raise DemistoException('Inappropriate date_from format, ' + 'please use something like this: 2020-01-01 or January 1 2020') + date_from_parsed = date_from_parsed.strftime('%Y-%m-%dT%H:%M:%SZ') + else: + date_from_parsed = date_from # type: ignore + if date_to is not None: + date_to_parsed = dateparser.parse(date_to) + if date_to_parsed is None: + raise DemistoException('Inappropriate date_to format, ' + 'please use something like this: 2020-01-01 or January 1 2020') + date_to_parsed = date_to_parsed.strftime('%Y-%m-%dT%H:%M:%SZ') + else: + date_to_parsed = date_to # type: ignore + + portions = client.create_manual_generator(collection_name=collection_name, query=query, + date_from=date_from_parsed, date_to=date_to_parsed) + result_list = [] + name = MAPPING.get(collection_name, {}).get('name') + for portion in portions: + for feed in portion: + add_info = None + if name is not None: + add_info = name + ": " + str(find_element_by_key(feed, name)) + result_list.append({'id': feed.get('id'), 'additional_info': add_info}) + + results = CommandResults( + outputs_prefix="GIBTIA.search.local", + outputs_key_field="id", + outputs=result_list, + readable_output=tableToMarkdown('Search results', t=result_list, + headers=['id', 'additional_info']), + ignore_auto_extract=True + ) + return results + + + def main(): + """ + PARSE AND VALIDATE INTEGRATION PARAMS + """ + params = demisto.params() + username = params.get("credentials").get("identifier") + password = params.get("credentials").get("password") + base_url = str(params.get("url")) + proxy = params.get("proxy", False) + verify_certificate = not params.get("insecure", False) + + incident_collections = params.get("incident_collections", []) + incidents_first_fetch = params.get("first_fetch", "3 days").strip() + requests_count = int(params.get("max_fetch", 3)) + + args = demisto.args() + command = demisto.command() + LOG(f"Command being called is {command}") + try: + client = Client( + base_url=base_url, + verify=verify_certificate, + auth=(username, password), + proxy=proxy, + headers={"Accept": "*/*"} + ) + + commands = { + "gibtia-get-compromised-account-info": get_info_by_id_command("compromised/account_group"), + "gibtia-get-compromised-card-info": get_info_by_id_command("compromised/card"), + "gibtia-get-compromised-mule-info": get_info_by_id_command("compromised/mule"), + "gibtia-get-compromised-imei-info": get_info_by_id_command("compromised/imei"), + "gibtia-get-compromised-breached-info": get_info_by_id_command("compromised/breached"), + "gibtia-get-phishing-kit-info": get_info_by_id_command("attacks/phishing_kit"), + "gibtia-get-phishing-info": get_info_by_id_command("attacks/phishing"), + "gibtia-get-osi-git-leak-info": get_info_by_id_command("osi/git_repository"), + "gibtia-get-osi-public-leak-info": get_info_by_id_command("osi/public_leak"), + "gibtia-get-osi-vulnerability-info": get_info_by_id_command("osi/vulnerability"), + "gibtia-get-attacks-ddos-info": get_info_by_id_command("attacks/ddos"), + "gibtia-get-attacks-deface-info": get_info_by_id_command("attacks/deface"), + "gibtia-get-threat-info": get_info_by_id_command("threat"), + "gibtia-get-threat-actor-info": get_info_by_id_command("threat_actor"), + "gibtia-get-suspicious-ip-tor-node-info": get_info_by_id_command("suspicious_ip/tor_node"), + "gibtia-get-suspicious-ip-open-proxy-info": get_info_by_id_command("suspicious_ip/open_proxy"), + "gibtia-get-suspicious-ip-socks-proxy-info": get_info_by_id_command("suspicious_ip/socks_proxy"), + "gibtia-get-malware-targeted-malware-info": get_info_by_id_command("malware/targeted_malware"), + "gibtia-get-malware-cnc-info": get_info_by_id_command("malware/cnc"), + "gibtia-get-available-collections": get_available_collections_command, + "gibtia-global-search": global_search_command, + "gibtia-local-search": local_search_command + } + + if command == "test-module": + # This is the call made when pressing the integration Test button. + result = test_module(client) + demisto.results(result) + + elif command == "fetch-incidents": + # Set and define the fetch incidents command to run after activated via integration settings. + next_run, incidents = fetch_incidents_command(client=client, last_run=demisto.getLastRun(), + first_fetch_time=incidents_first_fetch, + incident_collections=incident_collections, + requests_count=requests_count) + demisto.setLastRun(next_run) + demisto.incidents(incidents) + else: + return_results(commands[command](client, args)) + + # Log exceptions + except Exception as e: + return_error(f"Failed to execute {demisto.command()} command. Error: {str(e)}") + + + if __name__ in ("__main__", "__builtin__", "builtins"): + main() subtype: python3 type: python - feed: false - longRunning: false - longRunningPort: false +image: data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAvwAAAB6CAYAAADDLodjAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAB31SURBVHgB7d3tmRy3lQXgQz76LzmBFeQALHoDMGHvf4tyAGZLAZiSAjBLCkCiNgBNUQGQVACrLm0AFpmABwxgTToBzfYxGp5mc3qmP3BRQNV5nwemSI6s+kLVxcUt1C20ya3anVV7f9U+WLV313/m1n//3rptCxu/vl61l6t2vv6Vf/YcIrLN4fT+Ri8Q+91zqL+JiIgUcwv1c6vmEQOOu+vfvwcbKRhhYDKs22uIzIdDuf5Gz9dtQOx3GgSIiIhkVmvA71ft3qp9hMss4liGVXu2aj/gMlPZEh7HO5iHgDhAS03B43486ulvAbHPsb89Q9ss+h6v60eYpg75Det2LLdqC8xLwOW9VPfQNi2Q/17OaojHOJ1ftzkJUGzyBo/4IHu1aheVtp9X7T7GD4oO0aPe41nqnD1FDCY8bLPVLfGov79x287Q7sOhR/5jco7psriGOpzGG21XSy3dQ+9jPsmj1i2R/zr4EXl0yL9trfarJWYUm3AHHyDueCsnKbUztBH492jruJZoS7Q3cMuh5f52Dg2203GYKovrpsNpvNF2tdzOEZ9/Cv7rtUT+866A374tMcHYhIHHQ9SdXTzkBHnUq0dbx3OsDjZlU+pvbGeY72D7HNNlca10OI032q6ptDTrLXVZIv+5VsBftnFWzSOj2ygrBR7niCd9ClMYHrFznWF+GeMp8IiBGa/J+5iWKfY3WuAyy+ggImNhlr/HNO+fImPiO2CMLf+OTH2rZMDPUoKpBR6bFoj79w0UhLTIYVoPrqn3N1og3hAfQkTG5HB5//QQkVy4FHa/ak9wYmxZIuBnBoAPZb4gOIcXJj/DPMpEpsohdq5Ws8dz628OcVBzDg20RcbmEO8/THxpgQSRfD5GzPYfneCyDvjTC4Ie8+IQg0bd9Nq1QHxwtfRi2lz7GznEoF/ZfpHxMfHFe5GDiOTCpfS7VfsOR8SWVgG/w2WWcc5002ubQzx/n6FuDupvSQdl+0Vq4BDvn/cgIjl9smp/w4HPOYuA36P+lWtKctBNr3Wcqak1c+yh/rbNQX1OpAbMQqY1/EUkH9b2c+Ukt++/kDvgZ0nBEsqubUs3PZUbtKtDfedP/W039TmRevRQ0C+SWwr69yrvyRnw88GqkoLrdVAA0rIO9ZT3qL/tp0OcoRGRcfXQTKRIbgz6n+zzg7kCfgYfHWQfHRT0t4zBo8e4uA0dZF8cpJ1BRMbGWTcHEcnp96v29U0/lCPgV7B/uA4K+ls25kOLgWvtLxHXaAEF/SJjY+nBElq9TiQ3xgX+uh84NeBXsH+8DgrcWsWH1RjBI/vbAnKsBRT0i4zNQQkvkdy4ZOe1Wf5TAn4F+6eroTxEjuNRdsCm/pbHAqrpFxnbjdlIETkYvxu0My45NuDncncdJAfVNLaLQXiJqWmuxtNBcvkMml0TGZsG3iJ5Mcv/V+yIS44J+B00LZ5TWj5Q2sNzZx04csSu1Xjy0+yayLh4b9NSnSJ5MS5ZXPUX7+Dw/6NaX7gJq/Z81V6v2ssdP/M+4oCF238H9eC2MAD5HNIaZt8ZkL9Gfg51DwZfr1vY+D29t/GrQ70v6PHY/haX2y8iZfHe+Rgikguz/H/EFYnCQwN+/h84jI+BxTPEAP+n9a/H8Kv2IWKJkse4mCn+YdUGSEtSlr9Dfh3qKfcKiNdm6m/8/b6DnDTAdrjsczUMuNPL17+HiIyBfZBZfgX9Ivn4dRtwpMWqXYzYXiEOODxsuPU+LgFcjNTOkV8PFNn2ObdXyO8BUGz7d7Xlejsc8nMYv7+lZlWW1SP/tp5juizObYfTeKPtUrtsS0huPKa5z9OPyKND/m1Te7t12LJvht9hvGW0mEX8FnZlE0lAfECzecRg5D7KcognqUPdmOGtpfyIGaL3Eb82x8yxR3nv4cTR9BaH8a4B9jFm2ziDNsBOwGV/c4j7W7q/JSynG3D8TKHIofhMs3ye7Yv3rncR++AdjFN+55H3/inzw3v3t6hDQOxHqaQ1zWg7lPVnHBlH9Cg/Onm13tgx6389Ykat9H7n3Oce+bdxibqxRKtH2fN2hnyeAkW2ebtxUD1mf3MYb0Zqifx65N/Oc0yXxXntcBpvtF0OdXIYZ+ZNCxPkZXH+as7w59o2Swz6e5SLKX/BEc/zO4U2brM9RV0v+nUou/85lyvrkX/7lmiDQ7kAMldZzwIw39arzqdDPRzGKfXJXdrTI/82nmO6LM5ph9N4o+1yqJ9DueSDRVnknC2R/xwp4M/DoUxcwoB/sfkf3mdZzpKrhHCK85NV+xh1THcmHWLJSEAZDDwc5FQB8YLnNWV9PaWynlM9RDk8JizN4kurAfUIiNvEbSt5H+Cxr3VFIZHSAuKzuEQ/zHX/FKldQIxLvoAtrtbz4eYf3BTwL1Au8AyIS+T1qFNADEJK1flavUg4Rz3KLL946sozDDgdygiI13PNU+nctpLLZpb4roJIa9gPea+wDvpPvX+KtISVHNZBv9v8zU0Bf6lsI4PoFtbDDigX9N+Hso05BdjPHHkcz2HHxzIM8PotOXg9RUDZbeWqROp3Im9K9wxLHiLzwsH0ADt7Z/gXKJNtTDeSmkp4rsPtLBGAKNuYH8/Zl7BzF8fjAM/BXupvAe0IKBf0q9+JXM16dbZT7p8iLWKt/aew4zZ/c13AXyK731qwn3B7mS0OsPUAkhtH1AE20lJch3Iok91vtb9RqYE2KcsvcjXr+6eDyLwE2Gb5XfqHXQH/Pdh3vID6Xs49RID99utFJhuW6/U6HM6jTH9rNdhPUtAfYEtZfpHdLGdJP4TIvDDL/z0K2BXwl8gst1ZWcBXrEhG6D8mth13geweHs55NC2g/2E9S0G+9L8ryi1ztGez63wcQmZ8Bdv79HLsq4HewzyqzDjBgGqxfuuBsiwKPvPiwGmDD4TAlZtM6TKe/UUCcXbPEPqeaYpG38f75A2w4iMxPgN0g+tqA33oqu8f0vqpnmeXnyTomayzX+wk2Dh2cWc/g9Kv2GNMzwP5T6irrEbma1bs070Jknsxn4K8K+D+CLesSmDEMsA2q7kFyC7BxyAPLwfbcBkyzvyUdbGcuPDS7JnKVATYcRMTEdsDvYdvhGHwETFMHO6rjz6/Eai838bDVYbr9jdKXgi0pyy/ytim8DyRSE6s+FdI/bAf8C9gJmF4pz6YAu6yHlivLz6pz/eqAn7UcyAVMs5RnG18gHGBHdfwibwuwoRk1mSura//fsc52wG/5cOsw/ayAZfmEh+RkdS3uW9LjYHtOO8yHdb9TECJShvqazFXRgJ8vhjrYCLB7q78mA+wCSWUa87LqXGHPn/OwEzCP7H4ywDbLv4CIiIiNYz/aeZM3Spc3A34POwPmU/NnFWhppZ68xs4kedjpMD+aXRNpX4DI/FjFdy83f/POxj9bZpCnvFLINtYUW3wtUC9J5eVg4597/pxVfwuYV3Y/GRD7iMVATrNrIm9yEJEcbsFudcwXm7/ZDPg9bAyY16h9gG15geRhNaLeZ2BmWT43YL64Lr/FV4vTtzBqWNlJpAYONvZNmIhMiUXAf4GteCCV9PBhZlXi0EOkPlYB/897/IxledYcs/vJADseIpJY3cNeQWReFrAbQF9Zw28ZgFh90VTkFFZlGvtkqDxsBMw7wz/AbjbRokxPpFVWJQgvITIfLOf5K2wM2Ko4sA74OboIEKnLAoVG1DtYBY8DxGo1MA8RIQe7/rDPDKnIFDDY/xo2sQjLed6a7U8Bv1UAouy+1MiizpsY7O9bw2/hGcTqGDhojXAR8rCjGn6ZC8Yhn8HOW/G3dYZfAYjUZgG77P4+09Eqn7Nl+WKtg8i8OdglTEgvxsvUMXH0DWz7EWe6w/Yf3obdgv+kzis1cYgdzcrTPX7Gwca+swtTx2Ngdd/RtzBk7jroHiZyDMbZD1btHLaZfZbzfHvVX3BZTsv6fXVeqYVbtSVsyzL2ybBb9jeJeB4sjrMCfpkzBiv3YUf3MJmSlEz3iIuE3EOZstCAHe/zvWO4AXrbXmrhEbPvlp1t3xfUHWy8gCRWgcO7EJknBvuPYOuQEuAOtiURtfg9tBjDPniczlEPy8qZ6zC7v/NDt9YZfpExscPxIWWZlUr2fRi+Dxvqb5dU0iOSB++h1i8XJkpayCkchIPmnd/isczwa3ktGUP6KiozUh7lRtn7vjBrtT0BkgTYGCNjIzKGVG/8Gcpc9wN0DxM5BbP7X1z3Awz4rTKONS6vlYLB1o39fkSqS6tBmjrjef0Qtl+N3qXH/g8rBxsBkrxet9zXgYPIdDmUrzdOeojIKb7CDXGAZYY/oC7cT846OLRv7Lo+BtVLSPL4gJ+16G8Bss0i4Mf6/3PMwbZMwxnq4TBezXGiJYVFjsd4rLvph+YU8LMO0UEkrwH7D74cbATItgCb462AX3LwkKSH7mEix+LLyp/u84NpHf6pK/XSkczPJ5AaWa0Spjp+kby+hIgcg8H+H7DngNkq4A+oB1886iCSX4/DrnW9sNs+Bfwi+fTQ/UvkGK9W7U84oP9MPcPvoGBfbAQcnplSsFhOgIjUTtl9kcOlzP5BS1DfxnQ52H9ZVearQz1BZY0rYomIXKeHBuYix3iGI743YxXwB4yPX1Z1EMnvWxy2Mo81vUQqIi0JUHZf5Fifr9rfcWCMaxXwj51V/wb6KqbY4KhaL4CLiByvg7L7Iqf4YNV+xAErfk0x4NeKPGKFdXMfoz5WH88TEcmtthlSkValoH+vmHdqNfwMxjqI5HfQ8lciIvKWACXkRHK6tWpfY49+xYB/KvW/HOl8B5H8cgX7qrUvx0FEahIQvxIvInmloP/+dT9kFfCXLulJ0xpakUdy+xn5MvtWAf+vICJSLyZNGOwHiIgFBv3Xvr86hRp+7uQTzCujp0yxvYtVe4Q2ynhUw/82q2MSICKHUDmkSBlM/j3BjiQgA/4AGw5lcBpjbivyKOC3xS/YfYG49FXOYx1gQzNbb7M6Jup7IvvLOUMqIjdjxcuTq/7Csoa/RBDSYZ4vACnosMGsPj/W9p+I2X0LFufOQbY52FDfE7lZSzOkIlNzF1fU8zPgt/pKp3XWnSvyPMQ8KejIiw+nNO1s/YCyOncOkrwHm4RDgIjchDOknyL/DKmI7CfV87/xHHwHbZb0zHlFngDJhYH+gLgmdKl1ofnhLof8PoSujcTBRoCI7ML7aY9YDqlAX0ri9fYKhwuw5/DmM+kWymAdPytguvQHlgG/1Utzc1+RJ0BOxRsDA++vEAP+kqxm1D6AJA42rM6dSMtS4mSM+6kIpXdFanZn3T5aN7IO/v+CWFr3rwG45Uu7HjbmtiLPNgUdp2ONPm8OA8oLsPEhJPGw8RxiRS+et4VBPhMnqU5/rPupSCv4/OgRy9F/jVj2dg5bvK8u0m+sS3r4H8s5tcfpiXdhf5BysMq4Bozv2OmzffCasV5XfoHxvsgcYGNuK1Vdx2rwEyBWFPDX7WL9K+/9DFy+X7VnUOmOyDECYvA/IMYi92GDMwicTfjXIiQp4GentbjhMggZkM8j2K2ekhunmCyCsIDx8YZv9cVEB/sB3QPEmv0xBo4DbPBayz3AbpXV4CdAJI8LtCEg3u9/WrUX63+u5R7TyjEU2SUgJiD5q9UiNFyxx6/a8M7Gf9TiIXkP853mswo6pl5WEFbtS9iuwMTAmC99j/GZ9wA7uQfYLfKwyxbX0PccpskhvwvUGxRyBZtayzMDLhOBtSYQmPjrMX1K4MwDYx4+tx4gP2b5PTYCfo7cLQLUudYVW5ZXTD3gJ97M+bKJZWmPRwz4lyiP51ADbBuWA+1aHr6aydlfrcfpB2jG6BQ1D0bGVmoVGMmHiQkmARgze+T3O/7P7fVvrIJIj3nWZloFHXO5yXEfv4I9ZvnHuD5fwMZHEKtj8BL1cJie38KGFjkQkRYw6P8SNvyqvZcC/gF2FpgfDxtzyO4nzPIPsOUwzpeaB9hwsLv2WuBgt/8D6mG15PFYmJF0EBGZN74rM8DGnc0Mv1XmeI5Zx7uwYZUZrpXVaHcTa+ZKr2E/wI7HfHnYGXC4ABtT/ObCb2DDajUxEZHcmOX/CTb+HfCTynryYDmPg40x6s3HNKzaU9jitfk1ygqwG2BbvPTTCqsXvdNShMf8exam+G6Ugw2V9IhISywCfs6i/mYz4P8BdsYomxiLhx2rkV/NSnymnS+7ll6xx6q/cQDjMT8edkHjsf3O6rr1mBYHu3MXICLSDqvku9sM+AfYYdZxLll+qw8o1LRKSElh1b6FvdJZ/gF2LJc0rdUCdo6dZQqw4TCtmncPOwEiIu2wivPcdkmP1X+Iwf4csvx3YLdCzxyz+wlf4A2wxfNW8hp9Bjse88ryO9gNtOnYvhdg5x6mIa0RbUHLNopIiwIM3N76/WPYmUOW3zJgtAwQa8cHd4kXeJkZt1z7fxP3aYCdOWX5O9gZcPzNN0CLIezjd7Axp1XNRESu47YDfsugcupZfge7LKN1cNiCHvbHoPQLvJbvzfhV+xjTxxVrLLP7PU4TYMNjGgkUzlQ42JjbqmYiIjttB/wDbKdBx1gCsZQF7Mw5u7+pRJZ/gXLlMD1s+xsHL1OfVfsRtk4tpbMMOltPoLCcx2qwxuXtAkRE2uNg4PYVf2b5giSDj+8wPQ62JRQK+KMBp2dc91GqHObY5R735TDt0p4Oti+vDjg9aLQ8v60vwepgW5qkkh4RaY1Zku6qgH+ALY/plfZ0sBNgW/rRms9h/zKeR7lr1HrWgvtResnREjhTaD2Y6XE6y6CTDwbLciZLzO53sDXnhQ5EpE1WC7+EXQH/AFt8UP8W08BgyvKhO0A2MdgvsUwnr9ES5TAD7EsPnmBapXTcF+tSnnPkWcRggO0AtUObZVs8h3+GnQEiIu2xCvhf397xF9ZZRz6gphCEcPutS5RK1K235hFiQGaJ12ipchjL1bEo9bdSKxBZYmaY7yY42MrZ71S29Saew/+BHcvP04uIWOG98Y+wsTPgH2CfdXRoPwixDjwG6MWzqzBj+inssRzGwx4HMNZlSswaMCt+C21jn7sHWwF5A0brkryWyrZ4/XGA4mBrgIhIWxzsYo5w+5q/tM46UgpCWgz6O9gHHj1kl2HVlrBXIntaqkyJ/Y0zUi32t1TzXeLdCt77AvLpYY/ntYUZUw/7PhWgDL+ItMXyvSbOel67YhzLAP6x/kHr9jPaKu/pYH9M/o48euTftiXqwAC2xPW5gD32t1cASuxPa/2NA5QzlDk257DJPi8B823nea15MPdrlLnGc5ZZethso4OIDQaOS+S/ZnO9N9Wh3m0bE2dpre6Jv6yavy7Dz6zjVygjZfprD0LSCOwh7Kl2/2asjX4Ee9/A/sXIUll+aqW/UXpBd4Eycmf3kxIrbdV8XrlIA+v2rfsRH27/DRGRdpR4H3Svd8mYab4o1Jj9WaDOOuOSWcZc2X3qkX/7lqhHqZmoDva4L6X7G5c5rbG/cZuY8Sg165G7320rOYNzjnqCfp5HfvG51L7nPoceNtvpIGJDGf52pOfcOezuiWx/w5688YZc1c5QV5aK2alzlNv/+8inR/7tW6IurOsucV5KXJMewEXh9hRx32oJ/Dm47lH+ONyHrUcASu1LDckTnseS+8xp69xLfXrYbKuDiA0F/PXjOeL9sYPd/XCzfYMD/Fhoozbb+fpgjP3A6lB2v3NfuD3yb+MS9eEI1vrclNrvMfob2xnGDfxTfyuZ1U/tCex5ABeF2xnKn9NSWavtZjFD42GzrQ4iNhTw1+fWRuO9keW7pZ5zTITc5Ua8g/1wCUQGVCVfCHOItfL3EevZuepCQNwBSzwhnH5/sG6lP2pTYrnJKfoC9gG5RyxPeApbY/Q3Wqxbj/j+TsD0+xvxxvsF7A3r5lHOApfnlLXtrOO0Oqc8l37V/oqy+0jcp8cQkTnis7LGpYndqr2LmHT5DeJ7VqWfcQFHrFpWqmziunaGeFLTSCmXzZEXp6DHyDCydcivR/7tXKJOJTLj5yjTYWvob0vEYDFliHP0ufT/86v1Pi6Bovt0VSux1GfiMe6+ciUfDqxynNPN+2aH8e6bbMzuO+TnYbO9DiI25pjhV9vdjn4ZeKxSg+3GBwuzrOmDM7e22i7bP8eH3icYN8hPzeqFwR75t3WJOjmUOY8dyngC4KKSxkDxDHEAwD7HgP3Wno0/y/dgUl/7uaL9KlHKs+0Mdez7OeJ9lAMAzlzxHF13Xvl3H6x/lvfeZxj/vslmUbufeMBkmx1EbCjgV0uN90aXDvy+JT3JnxBLDcZ+oZYZ1nt488NXnKrm0oZh1V7u+PfeX//KaRWHccoHdvkD5FQBsTbuIWwxQHqMGDBZYmkPr9Wx+xvdWbfFxp+l/rbrK8EOsY/V1M828fyVKOXZxpWRPsL4a+a7ddv1AcGw8XM143n8HiIisqnHictM86HPUUOtI5oWWwc7PZB9e5eoV6llOksdgzso9wG8ObVf1sd2LDWUbE3lPDrY8YDJdjuI2FCGX43trXvjdR/e2oWZ9DGyYlPFKfUOkkupD8Z5lHlJSP3NBo/pXh8iMcLSpiXkFHyofQmbD6WJiLSK98YeW/fGYwJ+4sPqS8ipzqFVeSzw+hxgjy/DlChX6aH+lhOPZYkvNN+Eff8V5Fi8f6pfiIi8KeCKxOexAT91iIGIHIcPK9btv4ZYKBEIOJRb4aWDgpsceAw71CEgvhclh+NA6b8gIiKbmN3vcMXM5ykBP3HVjR5yKD6s+KAPECsD7NfLp7TEYQkdFPSfokd95XMDdE4PxQcanz0BIiKSpFKeKxcxODXgJwX9h2Gwz8z+mPXDc8E6besZFJb0fI1yOihAPAZLeD5BnTrUUWLUglS3/wNERGQTK0d2vvOXI+AnPkgVhNxMwX5ZAXGZTmtc1rDEC7xJh9jfLiA3SQHi56gbb9KPIddJ51LPGhGRNzHYZ5ljsTLxDlqyc1fjh7XGWAawR/59WaIdzMDz2Fuf33OUx/cH1N92t19Q9iu6p+Jyej3aOsYlz+VDlOdhsz8OIja0LOf82l5fGs+V4U86xNp0rTzxpnMosz8WjnZLLGvpUD64ZBnIf2KcwUbt0mxaS6UyvHEvoAz2Nh4XztDouIiIvCnFl+GmH8wd8NMzKAhJ+KDii6M8HgEyFl6TA+w9RPmvp3IQyc6+hBD7HI8F+9yANnVQyVbCgdvHKFOaJyLSCj4ffsaewT5ZBPxY/8d/jXk/tLjfzCxzxkNLb46vRHaw9Au8SUDs9HMPElOf2/sGWLEO806cpGlqHgO9oCsicon3RyZBqnvWOZSpoa6p/Q3j1OtfpUf+/VuiTd+gzPn3GI9D7G9zqu3nvrK+tJY+l5ND7MNzO5/sqyU+ancTD5t9dBCxoRr+ad8b/2/VPkLlOkw/8P8H6lvnu0f+/VyiTQwgWCJgfR3UcHwWmMdAm32upRdzj7XA9M/nL+t9vIt6eNjsq4OIDQX8070/1pII2YtbtTNML1vF/fkOdd7Ee+Tf3yXa1aHMNVFDEOoQ95dB8cXEWhpcN3Pzy8BhmiuhcX94Ph+iPh42++wgYkMB/7TujTXHl3txuAz8W354pVICj3r1yL/fS7StRKaUMwm1BKMOMTMwhVKfOQb62xymUeazGejXej49bPbdQcSGAv72Wwv3xoM5XE5Vt/LwSieCAZRH/XrkPwZLtM2jzLXyDerCG8cC7QX+3Fa+F9Nh3oH+NofYv1s8n608zDxsjoGDiA0F/O21lPxOseVdTJxHzPpzh2t8eKVs/gO0FXT0yH8slmgfz2WJ68ajTh6xv9UaLLY2sB7bAvGarnXWNJ1PbuNdtMPD5ng4iNiwCPhT/JNDh7zb1kL75YrG+yETWSzX+QsK3BNuoU73EN9CvovLg1B6Wy/Wvw6r9r+IgXNAe3gsc69ecr5qj9E2hxgkWeM6+c9QN79q91FHfwuIyzCy8dhpSdvDOMTz+cf1ryk5Mdb55Pnj9f8T4jlt7Xw62Nwn+EE4XdtiZYG8AST7M5/73+N0HvNL4vD4vV63l4jPuYDCag34NznEi4PById4O3g9dR8uNv6ZJ4NBxgvEB9QA3ZRlXhzK9Td6vm4cVA/QB+py84jnMQ3mNs9njvv/9vkMiOcxnVN9XVxEpAItBPxX4UPLrdr7G7++h8sRrdvx74X1r6/X/8xfGdxzxPUcCjZErpK7v/0TCu7HwvN2Z+PX/8Db59Ht+HfD+tfN85myVS82/kxERCrz/yWA75WCYL0wAAAAAElFTkSuQmCC tests: - Group-IB Threat Intelligence -Test fromversion: 6.0.0 diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA_description.md b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA_description.md index 817bda1a083f..050d2745288d 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA_description.md +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA_description.md @@ -13,4 +13,4 @@ * Set up conditions: "gibid Is not empty (General)" and "Type Doesn't equal(String) GIB Data Breach". * Action: "Run a script". * Script: "GIBIncidentUpdate" (will recreate closed incidents if they get an update, in other cases will update the existing one) or "GIBIncidentUpdateIncludingClosed"(will only update incidents). -7. Don't forget to contact Group-IB to add to allow list your Cortex IP or public IP of a proxy that you are using with Cortex. +7. Don't forget to contact Group-IB to add to allow list your Cortex IP or public IP of a proxy that you are using with Cortex. \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/README.md b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/README.md index ee4e3e4c4091..3ac87a0302ff 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/README.md +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/README.md @@ -3,11 +3,12 @@ -Pack helps to integrate Group-IB Threat Intelligence & Attribution and get incidents directly into Cortex XSOAR. +Pack helps to integrate Group-IB Threat Intelligence and get incidents directly into Cortex XSOAR. The list of included collections: Compromised Accounts, Compromised Cards, Brand Protection Phishing, Brand Protection Phishing Kit, OSI Git Leak, OSI Public Leak, Targeted Malware. -This integration was integrated and tested with version 1.0 of Group-IB Threat Intelligence & Attribution -## Configure Group-IB Threat Intelligence & Attribution on Cortex XSOAR +This integration was integrated and tested with version 1.0 of Group-IB Threat Intelligence + +## Configure Group-IB Threat Intelligence on Cortex XSOAR 1. Navigate to **Settings** > **Integrations** > **Servers & Services**. 2. Search for Group-IB Threat Intelligence. @@ -24,10 +25,14 @@ This integration was integrated and tested with version 1.0 of Group-IB Threat I | Number of requests per collection | A number of requests per collection that integration sends in one faetch iteration \(each request picks up to 200 incidents\). If you face some runtime errors, lower the value. | False | 4. Click **Test** to validate the URLs, token, and connection. + ## Commands + You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details. + ### gibtia-get-compromised-account-info + *** Command performs Group IB event lookup in compromised/account collection with provided ID. @@ -35,6 +40,7 @@ Command performs Group IB event lookup in compromised/account collection with pr #### Base Command `gibtia-get-compromised-account-info` + #### Input | **Argument Name** | **Description** | **Required** | @@ -72,9 +78,11 @@ Command performs Group IB event lookup in compromised/account collection with pr #### Command Example + ```!gibtia-get-compromised-account-info id=253b9a136f0d574149fc43691eaf7ae27aff141a``` #### Context Example + ```json { "DBotScore": [ @@ -218,21 +226,25 @@ Command performs Group IB event lookup in compromised/account collection with pr #### Human Readable Output >### Feed from compromised/account with ID 253b9a136f0d574149fc43691eaf7ae27aff141a + >|client ipv4 ip|cnc cnc|cnc domain|cnc ipv4 asn|cnc ipv4 city|cnc ipv4 countryCode|cnc ipv4 countryName|cnc ipv4 ip|cnc ipv4 provider|cnc ipv4 region|cnc url|companyId|dateDetected|domain|evaluation admiraltyCode|evaluation credibility|evaluation reliability|evaluation severity|evaluation tlp|evaluation ttl|id|login|malware id|malware name|malware stixGuid|oldId|password|portalLink|silentInsert|sourceType|stixGuid| >|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| ->| 0.0.0.0 | http://some.ru | some.ru | AS1111 | Moscow | RU | Russian Federation | 11.11.11.11 | some.ru | Moscow | http://some.ru | -1 | 2020-02-22T01:21:03+00:00 | some.ru | A2 | 80 | 100 | red | red | 90 | 253b9a136f0d574149fc43691eaf7ae27aff141a | some.ru | 411ac9df6c5515922a56e30013e8b8b366eeec80 | PredatorStealer | 2f7650f4-bc72-2068-d1a5-467b688975d8 | 396792583 | @some@ | https://bt.group-ib.com/cd/accounts?searchValue=id:253b9a136f0d574149fc43691eaf7ae27aff141a | 0 | Botnet | 8abb3aa9-e351-f837-d61a-856901c3dc9d | +>| 0.0.0.0 | | some.ru | AS1111 | Moscow | RU | Russian Federation | 11.11.11.11 | some.ru | Moscow | http://some.ru | -1 | 2020-02-22T01:21:03+00:00 | some.ru | A2 | 80 | 100 | red | red | 90 | 253b9a136f0d574149fc43691eaf7ae27aff141a | some.ru | 411ac9df6c5515922a56e30013e8b8b366eeec80 | PredatorStealer | 2f7650f4-bc72-2068-d1a5-467b688975d8 | 396792583 | @some@ | | 0 | Botnet | 8abb3aa9-e351-f837-d61a-856901c3dc9d | >### URL indicator + >|gibid|severity|value| >|---|---|---| ->| 253b9a136f0d574149fc43691eaf7ae27aff141a | red | http://some.ru | +>| 253b9a136f0d574149fc43691eaf7ae27aff141a | red | | >### Domain indicator + >|gibid|severity|value| >|---|---|---| >| 253b9a136f0d574149fc43691eaf7ae27aff141a | red | some.ru | >### IP indicator + >|asn|geocountry|geolocation|gibid|severity|value| >|---|---|---|---|---|---| >| AS1111 | Russian Federation | Moscow | 253b9a136f0d574149fc43691eaf7ae27aff141a | red | 11.11.11.11 | @@ -240,6 +252,7 @@ Command performs Group IB event lookup in compromised/account collection with pr ### gibtia-get-compromised-card-info + *** Command performs Group IB event lookup in compromised/card collection with provided ID. @@ -247,6 +260,7 @@ Command performs Group IB event lookup in compromised/card collection with provi #### Base Command `gibtia-get-compromised-card-info` + #### Input | **Argument Name** | **Description** | **Required** | @@ -282,9 +296,11 @@ Command performs Group IB event lookup in compromised/card collection with provi #### Command Example + ```!gibtia-get-compromised-card-info id=ecda6f4dc85596f447314ce01e2152db9c9d3cbc``` #### Context Example + ```json { "DBotScore": [ @@ -421,16 +437,19 @@ Command performs Group IB event lookup in compromised/card collection with provi #### Human Readable Output >### Feed from compromised/card with ID ecda6f4dc85596f447314ce01e2152db9c9d3cbc + >|baseName|cardInfo issuer countryCode|cardInfo issuer countryName|cardInfo issuer issuer|cardInfo number|cardInfo system|cardInfo type|cardInfo validThru|cnc cnc|cnc domain|cnc ipv4 city|cnc ipv4 countryCode|cnc ipv4 countryName|cnc ipv4 ip|cnc ipv4 provider|cnc ipv4 region|companyId|dateCompromised|dateDetected|evaluation admiraltyCode|evaluation credibility|evaluation reliability|evaluation severity|evaluation tlp|evaluation ttl|externalId|id|isDump|isExpired|isIgnore|isMasked|malware id|malware name|malware stixGuid|oldId|owner city|owner countryCode|owner name|owner phone|owner state|portalLink|price currency|price value|silentInsert|sourceType|stixGuid| >|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| ->| United States | US | UNITED STATES | SOME BANK | XXXXXXXXXXXXXXXX | VISA | CLASSIC | 01/2021 | some.ru | some.ru | Some | US | United States | 11.11.11.11 | Some | Some | -1 | 2020-02-22T12:21:00+00:00 | 2020-01-11T10:12:49+00:00 | A2 | 80 | 90 | red | red | 90 | 26579 | ecda6f4dc85596f447314ce01e2152db9c9d3cbc | false | false | false | true | 53013c863116aae720581ff2aa2b4f92d3cb2bd7 | mandarincc | 8c843ab8-f019-e455-c78b-47ee80f3bb0c | 396798216 | Some | US | Some Person | 111111 | Some | https://bt.group-ib.com/cd/cards?searchValue=id:ecda6f4dc85596f447314ce01e2152db9c9d3cbc | USD | 1 | 1 | Card shop | 00eccda0-aae6-c111-6080-c51f857450bf | +>| United States | US | UNITED STATES | SOME BANK | XXXXXXXXXXXXXXXX | VISA | CLASSIC | 01/2021 | some.ru | some.ru | Some | US | United States | 11.11.11.11 | Some | Some | -1 | 2020-02-22T12:21:00+00:00 | 2020-01-11T10:12:49+00:00 | A2 | 80 | 90 | red | red | 90 | 26579 | ecda6f4dc85596f447314ce01e2152db9c9d3cbc | false | false | false | true | 53013c863116aae720581ff2aa2b4f92d3cb2bd7 | mandarincc | 8c843ab8-f019-e455-c78b-47ee80f3bb0c | 396798216 | Some | US | Some Person | 111111 | Some | | USD | 1 | 1 | Card shop | 00eccda0-aae6-c111-6080-c51f857450bf | >### Domain indicator + >|gibid|severity|value| >|---|---|---| >| ecda6f4dc85596f447314ce01e2152db9c9d3cbc | red | some.ru | >### IP indicator + >|geocountry|geolocation|gibid|severity|value| >|---|---|---|---|---| >| United States | Some | ecda6f4dc85596f447314ce01e2152db9c9d3cbc | red | 11.11.11.11 | @@ -438,6 +457,7 @@ Command performs Group IB event lookup in compromised/card collection with provi ### gibtia-get-compromised-breached-info + *** Command performs Group IB event lookup in compromised/breached collection with provided ID. @@ -445,6 +465,7 @@ Command performs Group IB event lookup in compromised/breached collection with p #### Base Command `gibtia-get-compromised-breached-info` + #### Input | **Argument Name** | **Description** | **Required** | @@ -465,9 +486,11 @@ Command performs Group IB event lookup in compromised/breached collection with p #### Command Example + ```!gibtia-get-compromised-breached-info id=277c4112d348c91f6dabe9467f0d18ba``` #### Context Example + ```json { "GIBTIA": { @@ -508,6 +531,7 @@ Command performs Group IB event lookup in compromised/breached collection with p #### Human Readable Output >### Feed from compromised/breached with ID 277c4112d348c91f6dabe9467f0d18ba + >|addInfo|email|evaluation|id|leakName|password|uploadTime| >|---|---|---|---|---|---|---| >| address:
| some@gmail.com | admiraltyCode: C3
credibility: 50
reliability: 50
severity: green
tlp: amber
ttl: null | 277c4112d348c91f6dabe9467f0d18ba | some.com | AC91C480FDE9D7ACB8AC4B78310EB2TD,
1390DDDFA28AE085D23518A035703112 | 2021-06-12T03:02:00 | @@ -515,6 +539,7 @@ Command performs Group IB event lookup in compromised/breached collection with p ### gibtia-get-compromised-mule-info + *** Command performs Group IB event lookup in compromised/mule collection with provided ID. @@ -522,6 +547,7 @@ Command performs Group IB event lookup in compromised/mule collection with provi #### Base Command `gibtia-get-compromised-mule-info` + #### Input | **Argument Name** | **Description** | **Required** | @@ -552,9 +578,11 @@ Command performs Group IB event lookup in compromised/mule collection with provi #### Command Example + ```!gibtia-get-compromised-mule-info id=50a3b4abbfca5dcbec9c8b3a110598f61ba90a99``` #### Context Example + ```json { "DBotScore": [ @@ -673,27 +701,32 @@ Command performs Group IB event lookup in compromised/mule collection with provi >### Feed from compromised/mule with ID 50a3b4abbfca5dcbec9c8b3a110598f61ba90a99 + >|account|cnc cnc|cnc domain|cnc ipv4 ip|cnc url|dateAdd|evaluation admiraltyCode|evaluation credibility|evaluation reliability|evaluation severity|evaluation tlp|evaluation ttl|hash|id|malware id|malware name|malware stixGuid|oldId|organization name|portalLink|sourceType|stixGuid|type| >|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| ->| 1111111111111111 | http://some.ru | some | 11.11.11.11 | http://some.ru | 2020-02-21T13:02:00+00:00 | A2 | 80 | 100 | red | amber | 30 | some | 50a3b4abbfca5dcbec9c8b3a110598f61ba90a99 | 5a2b741f8593f88178623848573abc899f9157d4 | Anubis | 7d837524-7b01-ddc9-a357-46e7136a9852 | 392993084 | Some | https://bt.group-ib.com/cd/mules?searchValue=id:50a3b4abbfca5dcbec9c8b3a110598f61ba90a99 | Botnet | 2da6b164-9a12-6db5-4346-2a80a4e03255 | Person | +>| 1111111111111111 | | some | 11.11.11.11 | http://some.ru | 2020-02-21T13:02:00+00:00 | A2 | 80 | 100 | red | amber | 30 | some | 50a3b4abbfca5dcbec9c8b3a110598f61ba90a99 | 5a2b741f8593f88178623848573abc899f9157d4 | Anubis | 7d837524-7b01-ddc9-a357-46e7136a9852 | 392993084 | Some | | Botnet | 2da6b164-9a12-6db5-4346-2a80a4e03255 | Person | >### URL indicator + >|gibid|severity|value| >|---|---|---| ->| 50a3b4abbfca5dcbec9c8b3a110598f61ba90a99 | red | http://some.ru | +>| 50a3b4abbfca5dcbec9c8b3a110598f61ba90a99 | red | | >### Domain indicator + >|gibid|severity|value| >|---|---|---| >| 50a3b4abbfca5dcbec9c8b3a110598f61ba90a99 | red | some | >### IP indicator + >|gibid|severity|value| >|---|---|---| >| 50a3b4abbfca5dcbec9c8b3a110598f61ba90a99 | red | 11.11.11.11 | ### gibtia-get-compromised-imei-info + *** Command performs Group IB event lookup in compromised/imei collection with provided ID. @@ -701,6 +734,7 @@ Command performs Group IB event lookup in compromised/imei collection with provi #### Base Command `gibtia-get-compromised-imei-info` + #### Input | **Argument Name** | **Description** | **Required** | @@ -734,9 +768,11 @@ Command performs Group IB event lookup in compromised/imei collection with provi #### Command Example + ```!gibtia-get-compromised-imei-info id=0c1426048474df19ada9d0089ef8b3efce906556``` #### Context Example + ```json { "DBotScore": [ @@ -856,27 +892,32 @@ Command performs Group IB event lookup in compromised/imei collection with provi >### Feed from compromised/imei with ID 0c1426048474df19ada9d0089ef8b3efce906556 + >|client ipv4 asn|client ipv4 countryCode|client ipv4 countryName|client ipv4 ip|client ipv4 provider|cnc cnc|cnc domain|cnc ipv4 asn|cnc ipv4 countryCode|cnc ipv4 countryName|cnc ipv4 ip|cnc ipv4 provider|cnc url|dateDetected|device iccid|device imei|device imsi|device model|evaluation admiraltyCode|evaluation credibility|evaluation reliability|evaluation severity|evaluation tlp|evaluation ttl|id|malware id|malware name|malware stixGuid|oldId|operator number|portalLink|sourceType|stixGuid| >|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| ->| AS11111 | NL | Netherlands | 11.11.11.11 | Some Company | http://some.ru | some.ru | AS11111 | FR | France | 11.11.11.11 | Some | http://some.ru | 2020-02-11T03:12:43+00:00 | ~ | Some | ~ | Nexus S/2.3.7 ($$$Flexnet v.5.5) | A2 | 80 | 100 | red | red | 30 | 0c1426048474df19ada9d0089ef8b3efce906556 | 8790a290230b3b4c059c2516a6adace1eac16066 | FlexNet | b51140c2-a88b-a95c-f5b0-1c5d1855ffde | 396766002 | ~ | https://bt.group-ib.com/cd/imei?searchValue=id:0c1426048474df19ada9d0089ef8b3efce906556 | Botnet | 9cff66e9-c2b3-26ca-771a-c9e4d501c453 | +>| AS11111 | NL | Netherlands | 11.11.11.11 | Some Company | | some.ru | AS11111 | FR | France | 11.11.11.11 | Some | http://some.ru | 2020-02-11T03:12:43+00:00 | ~ | Some | ~ | Nexus S/2.3.7 ($$$Flexnet v.5.5) | A2 | 80 | 100 | red | red | 30 | 0c1426048474df19ada9d0089ef8b3efce906556 | 8790a290230b3b4c059c2516a6adace1eac16066 | FlexNet | b51140c2-a88b-a95c-f5b0-1c5d1855ffde | 396766002 | ~ | | Botnet | 9cff66e9-c2b3-26ca-771a-c9e4d501c453 | >### URL indicator + >|gibid|severity|value| >|---|---|---| ->| 0c1426048474df19ada9d0089ef8b3efce906556 | red | http://some.ru | +>| 0c1426048474df19ada9d0089ef8b3efce906556 | red | | >### Domain indicator + >|gibid|severity|value| >|---|---|---| >| 0c1426048474df19ada9d0089ef8b3efce906556 | red | some.ru | >### IP indicator + >|asn|geocountry|gibid|severity|value| >|---|---|---|---|---| >| AS11111 | France | 0c1426048474df19ada9d0089ef8b3efce906556 | red | 11.11.11.11 | ### gibtia-get-osi-git-leak-info + *** Command performs Group IB event lookup in osi/git_leak collection with provided ID. @@ -884,6 +925,7 @@ Command performs Group IB event lookup in osi/git_leak collection with provided #### Base Command `gibtia-get-osi-git-leak-info` + #### Input | **Argument Name** | **Description** | **Required** | @@ -909,9 +951,11 @@ Command performs Group IB event lookup in osi/git_leak collection with provided #### Command Example + ```!gibtia-get-osi-git-leak-info id=ead0d8ae9f2347789941ebacde88ad2e3b1ef691``` #### Context Example + ```json { "GIBTIA": { @@ -1007,18 +1051,21 @@ Command performs Group IB event lookup in osi/git_leak collection with provided >### Feed from osi/git_leak with ID ead0d8ae9f2347789941ebacde88ad2e3b1ef691 + >|companyId|dateDetected|dateUpdated|evaluation admiraltyCode|evaluation credibility|evaluation reliability|evaluation severity|evaluation tlp|evaluation ttl|file|fileId|id|matchesType|matchesTypeCount card|matchesTypeCount cisco|matchesTypeCount commonKeywords|matchesTypeCount domain|matchesTypeCount dsn|matchesTypeCount email|matchesTypeCount google|matchesTypeCount ip|matchesTypeCount keyword|matchesTypeCount login|matchesTypeCount metasploit|matchesTypeCount nmap|matchesTypeCount pgp|matchesTypeCount sha|matchesTypeCount slackAPI|matchesTypeCount ssh|name|repository|source| >|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| ->| 40,
1872,
2060,
2248,
2522,
2692 | 2020-03-12T01:12:00+00:00 | 2020-02-11T01:12:00+00:00 | A6 | 100 | 100 | green | amber | 30 | https://bt.group-ib.com/api/v2/osi/git_leak/ead0d8ae9f2347789941ebacde88ad2e3b1ef691/file/bWFpbi0zOTFkYjVkNWYxN2FiNmNiYmJmN2MzNWQxZjRkMDc2Y2I0YzgzMGYwOTdiMmE5ZWRkZDJkZjdiMDY1MDcwOWE3 | 391db5d5f17ab6cbbbf7c35d1f4d076cb4c830f097b2a9eddd2df7b0650709a7 | ead0d8ae9f2347789941ebacde88ad2e3b1ef691 | commonKeywords,
keyword | 0 | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | some | some.ru | github | +>| 40,
1872,
2060,
2248,
2522,
2692 | 2020-03-12T01:12:00+00:00 | 2020-02-11T01:12:00+00:00 | A6 | 100 | 100 | green | amber | 30 | | 391db5d5f17ab6cbbbf7c35d1f4d076cb4c830f097b2a9eddd2df7b0650709a7 | ead0d8ae9f2347789941ebacde88ad2e3b1ef691 | commonKeywords,
keyword | 0 | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | some | some.ru | github | >### revisions table + >|bind|companyId|data|file|fileDiff|fileDiffId|fileId|hash|info|parentFileId| >|---|---|---|---|---|---|---|---|---|---| ->| {'bindBy': 'cert', 'companyId': [2692], 'data': 'cert', 'type': 'keyword'} | 2692 | commonKeywords: {"password": ["password"]} | https://bt.group-ib.com/api/v2/osi/git_leak/ead0d8ae9f2347789941ebacde88ad2e3b1ef691/file/cmV2aXNpb24tZmlsZS0zOTFkYjVkNWYxN2FiNmNiYmJmN2MzNWQxZjRkMDc2Y2I0YzgzMGYwOTdiMmE5ZWRkZDJkZjdiMDY1MDcwOWE3 | https://bt.group-ib.com/api/v2/osi/git_leak/ead0d8ae9f2347789941ebacde88ad2e3b1ef691/file/cmV2aXNpb24tZmlsZURpZmYtMzkxZGI1ZDVmMTdhYjZjYmJiZjdjMzVkMWY0ZDA3NmNiNGM4MzBmMDk3YjJhOWVkZGQyZGY3YjA2NTA3MDlhNw== | a2187ee179076a22e550e8f7fbc51840e87aba260431ab9cb2d4e0192ad4134c | 391db5d5f17ab6cbbbf7c35d1f4d076cb4c830f097b2a9eddd2df7b0650709a7 | Some | authorEmail: some@gmail.ru
authorName: some
dateCreated: 2020-01-03T11:17:52+00:00
timestamp: 1617794272 | ead0d8ae9f2347789941ebacde88ad2e3b1ef691 | +>| {'bindBy': 'cert', 'companyId': [2692], 'data': 'cert', 'type': 'keyword'} | 2692 | commonKeywords: {"password": ["password"]} | | == | a2187ee179076a22e550e8f7fbc51840e87aba260431ab9cb2d4e0192ad4134c | 391db5d5f17ab6cbbbf7c35d1f4d076cb4c830f097b2a9eddd2df7b0650709a7 | Some | authorEmail: some@gmail.ru
authorName: some
dateCreated: 2020-01-03T11:17:52+00:00
timestamp: 1617794272 | ead0d8ae9f2347789941ebacde88ad2e3b1ef691 | ### gibtia-get-osi-public-leak-info + *** Command performs Group IB event lookup in osi/public_leak collection with provided ID. @@ -1026,6 +1073,7 @@ Command performs Group IB event lookup in osi/public_leak collection with provid #### Base Command `gibtia-get-osi-public-leak-info` + #### Input | **Argument Name** | **Description** | **Required** | @@ -1052,9 +1100,11 @@ Command performs Group IB event lookup in osi/public_leak collection with provid #### Command Example + ```!gibtia-get-osi-public-leak-info id=a09f2354e52d5fa0a8697c8df0b4ed99cc956273``` #### Context Example + ```json { "GIBTIA": { @@ -1104,17 +1154,20 @@ Command performs Group IB event lookup in osi/public_leak collection with provid >### Feed from osi/public_leak with ID a11f2354e52d5fa0a8697c8df0b4ed99cc956211 + >|created|data|evaluation admiraltyCode|evaluation credibility|evaluation reliability|evaluation severity|evaluation tlp|evaluation ttl|hash|id|language|portalLink|size|updated|useful| >|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| ->| 2020-02-02T13:52:01+03:00 | Big chunk of data | C3 | 50 | 50 | green | amber | 30 | a11f2354e52d5fa0a8697c8df0b4ed99cc956211 | a11f2354e52d5fa0a8697c8df0b4ed99cc956211 | java | https://bt.group-ib.com/osi/public_leak?searchValue=id:a09f2354e52d5fa0a8697c8df0b4ed99cc956273 | 709 B | 2021-04-01T14:57:01+03:00 | 1 | +>| 2020-02-02T13:52:01+03:00 | Big chunk of data | C3 | 50 | 50 | green | amber | 30 | a11f2354e52d5fa0a8697c8df0b4ed99cc956211 | a11f2354e52d5fa0a8697c8df0b4ed99cc956211 | java | | 709 B | 2021-04-01T14:57:01+03:00 | 1 | >### linkList table + >|dateDetected|datePublished|hash|itemSource|link|size|source|status| >|---|---|---|---|---|---|---|---| ->| 2021-04-01T14:57:01+03:00 | 2021-04-01T14:50:45+03:00 | 5d9657dbdf59487a6031820add2cacbe54e86814 | api | https://some.ru | 709 | some.ru | 1 | +>| 2021-04-01T14:57:01+03:00 | 2021-04-01T14:50:45+03:00 | 5d9657dbdf59487a6031820add2cacbe54e86814 | api | | 709 | some.ru | 1 | ### gibtia-get-osi-vulnerability-info + *** Command performs Group IB event lookup in osi/vulnerability collection with provided ID. @@ -1122,6 +1175,7 @@ Command performs Group IB event lookup in osi/vulnerability collection with prov #### Base Command `gibtia-get-osi-vulnerability-info` + #### Input | **Argument Name** | **Description** | **Required** | @@ -1149,9 +1203,11 @@ Command performs Group IB event lookup in osi/vulnerability collection with prov #### Command Example + ```!gibtia-get-osi-vulnerability-info id=CVE-2021-27152``` #### Context Example + ```json { "CVE": { @@ -1251,17 +1307,20 @@ Command performs Group IB event lookup in osi/vulnerability collection with prov #### Human Readable Output >### Feed from osi/vulnerability with ID CVE-2021-27152 + >|bulletinFamily|cvss score|cvss vector|dateLastSeen|dateModified|datePublished|description|displayOptions isFavourite|displayOptions isHidden|evaluation admiraltyCode|evaluation credibility|evaluation reliability|evaluation severity|evaluation tlp|evaluation ttl|exploitCount|extCvss base|extCvss environmental|extCvss exploitability|extCvss impact|extCvss mImpact|extCvss overall|extCvss temporal|extCvss vector|extDescription|href|id|lastseen|modified|portalLink|provider|published|references|reporter|title|type| >|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| ->| NVD | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P | 2021-02-11T14:35:24+03:00 | 2021-02-11T00:45:00+03:00 | 2021-02-10T19:15:00+03:00 | Description | false | false | A1 | 100 | 100 | red | green | 30 | 0 | 9.8 | 0.0 | 3.9 | 5.9 | 0.0 | 9.8 | 0.0 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | Big description | https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27152 | CVE-2021-27152 | 2021-02-11T14:35:24+03:00 | 2021-02-11T00:45:00+03:00 | https://bt.group-ib.com/osi/vulnerabilities?searchValue=id:CVE-2021-27152 | some.ru | 2021-02-10T19:15:00+03:00 | https://pierrekim.github.io/blog/2021-01-12-fiberhome-ont-0day-vulnerabilities.html#httpd-hardcoded-credentials,
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27152 | some.ru | CVE-2021-27152 | cve | +>| NVD | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P | 2021-02-11T14:35:24+03:00 | 2021-02-11T00:45:00+03:00 | 2021-02-10T19:15:00+03:00 | Description | false | false | A1 | 100 | 100 | red | green | 30 | 0 | 9.8 | 0.0 | 3.9 | 5.9 | 0.0 | 9.8 | 0.0 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | Big description | | CVE-2021-27152 | 2021-02-11T14:35:24+03:00 | 2021-02-11T00:45:00+03:00 | | some.ru | 2021-02-10T19:15:00+03:00 | ,
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27152 | some.ru | CVE-2021-27152 | cve | >### softwareMixed table + >|os|osVendor|osVersion|vendor| >|---|---|---|---| >| some_firmware | some | some | some | ### gibtia-get-phishing-kit-info + *** Command performs Group IB event lookup in bp/phishing_kit and attacks/phishing_kit collections with provided ID. @@ -1269,6 +1328,7 @@ Command performs Group IB event lookup in bp/phishing_kit and attacks/phishing_k #### Base Command `gibtia-get-phishing-kit-info` + #### Input | **Argument Name** | **Description** | **Required** | @@ -1296,9 +1356,11 @@ Command performs Group IB event lookup in bp/phishing_kit and attacks/phishing_k #### Command Example + ```!gibtia-get-phishing-kit-info id=044f3f2cb599228c1882884eb77eb073f68a25f2``` #### Context Example + ```json { "GIBTIA": { @@ -1356,16 +1418,19 @@ Command performs Group IB event lookup in bp/phishing_kit and attacks/phishing_k #### Human Readable Output >### Feed from attack/phishing_kit with ID 044f3f2cb599228c1882884eb77eb073f68a25f2 + >|companyId|dateDetected|dateFirstSeen|dateLastSeen|evaluation admiraltyCode|evaluation credibility|evaluation reliability|evaluation severity|evaluation tlp|evaluation ttl|hash|id|login|oldId|path|portalLink|source| >|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| ->| -1 | 2021-01-21T10:10:41+00:00 | 2021-01-21T10:10:41+00:00 | 2021-01-21T10:12:17+00:00 | B2 | 70 | 80 | orange | amber | 30 | 8d7ea805fe20d6d77f57e2f0cadd17b1 | 044f3f2cb599228c1882884eb77eb073f68a25f2 | some | 396793696 | https://tap.group-ib.com/api/api/v2/web/attacks/phishing_kit/044f3f2cb599228c1882884eb77eb073f68a25f2/file/95b61a1df152012abb79c3951ed98680e0bd917bbcf1d440e76b66a120292c76 | https://bt.group-ib.com/attacks/phishing_kit?searchValue=id:044f3f2cb599228c1882884eb77eb073f68a25f2 | some | +>| -1 | 2021-01-21T10:10:41+00:00 | 2021-01-21T10:10:41+00:00 | 2021-01-21T10:12:17+00:00 | B2 | 70 | 80 | orange | amber | 30 | 8d7ea805fe20d6d77f57e2f0cadd17b1 | 044f3f2cb599228c1882884eb77eb073f68a25f2 | some | 396793696 | | | some | >### downloadedFrom table + >|date|domain|fileName|url| >|---|---|---|---| ->| 2021-01-21 10:10:41 | some.ru | some.ru| https://some.ru | +>| 2021-01-21 10:10:41 | some.ru | some.ru| | >### variables table + >|filePath|type|value| >|---|---|---| >| some.ru | DB | host: localhost | @@ -1373,6 +1438,7 @@ Command performs Group IB event lookup in bp/phishing_kit and attacks/phishing_k ### gibtia-get-phishing-info + *** Command performs Group IB event lookup in bp/phishing and attacks/phishing collections with provided ID. @@ -1380,6 +1446,7 @@ Command performs Group IB event lookup in bp/phishing and attacks/phishing colle #### Base Command `gibtia-get-phishing-info` + #### Input | **Argument Name** | **Description** | **Required** | @@ -1411,9 +1478,11 @@ Command performs Group IB event lookup in bp/phishing and attacks/phishing colle #### Command Example + ```!gibtia-get-phishing-info id=fce7f92d0b64946cf890842d083953649b259952``` #### Context Example + ```json { "DBotScore": [ @@ -1536,32 +1605,38 @@ Command performs Group IB event lookup in bp/phishing and attacks/phishing colle #### Human Readable Output >### Feed from attacks/phishing with ID fce7f92d0b64946cf890842d083953649b259952 + >|companyId|dateBlocked|dateDetected|evaluation admiraltyCode|evaluation credibility|evaluation reliability|evaluation severity|evaluation tlp|evaluation ttl|id|ipv4 city|ipv4 countryCode|ipv4 countryName|ipv4 ip|ipv4 provider|ipv4 region|objective|oldId|phishingDomain dateRegistered|phishingDomain domain|phishingDomain local|phishingDomain registrar|portalLink|status|stixGuid|targetBrand|targetCategory|targetDomain|type|url| >|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| ->| 2008 | 2021-01-25T22:58:10+00:00 | 2021-01-21T11:21:34+00:00 | A2 | 80 | 90 | red | amber | 30 | fce7f92d0b64946cf890842d083953649b259952 | Some | CA | Canada | 11.11.11.11 | Some | NA | Login harvest | 396798526 | 2021-01-20 13:41:30 | some.ru | some.ru | Some | https://bt.group-ib.com/attacks/phishing?searchValue=id:fce7f92d0b64946cf890842d083953649b259952 | Responding completed | 4812358a-1de0-ab32-05e4-d91842d369e2 | Some | Finance > Banking | some.ru | Phishing | https://some.ru | +>| 2008 | 2021-01-25T22:58:10+00:00 | 2021-01-21T11:21:34+00:00 | A2 | 80 | 90 | red | amber | 30 | fce7f92d0b64946cf890842d083953649b259952 | Some | CA | Canada | 11.11.11.11 | Some | NA | Login harvest | 396798526 | 2021-01-20 13:41:30 | some.ru | some.ru | Some | | Responding completed | 4812358a-1de0-ab32-05e4-d91842d369e2 | Some | Finance > Banking | some.ru | Phishing | | >### history table + >|date|field|reason|reporter|value| >|---|---|---|---|---| >| 2021-01-21T11:20:50+00:00 | Detected | In response | Group-IB Intelligence | In response | >### URL indicator + >|gibid|severity|value| >|---|---|---| ->| fce7f92d0b64946cf890842d083953649b259952 | red | https://some.ru | +>| fce7f92d0b64946cf890842d083953649b259952 | red | | >### Domain indicator + >|creationdate|gibid|gibphishingtitle|gibtargetbrand|gibtargetcategory|gibtargetdomain|registrarname|severity|value| >|---|---|---|---|---|---|---|---|---| >| 2021-01-20T13:41:30Z | fce7f92d0b64946cf890842d083953649b259952 | | Some | Finance > Banking | some.ru | Some | red | some.ru | >### IP indicator + >|geocountry|geolocation|gibid|severity|value| >|---|---|---|---|---| >| Canada | NA | fce7f92d0b64946cf890842d083953649b259952 | red | 11.11.11.11 | ### gibtia-get-attacks-ddos-info + *** Command performs Group IB event lookup in attacks/ddos collection with provided ID. @@ -1569,6 +1644,7 @@ Command performs Group IB event lookup in attacks/ddos collection with provided #### Base Command `gibtia-get-attacks-ddos-info` + #### Input | **Argument Name** | **Description** | **Required** | @@ -1600,9 +1676,11 @@ Command performs Group IB event lookup in attacks/ddos collection with provided #### Command Example + ```!gibtia-get-attacks-ddos-info id=26a05baa4025edff367b058b13c6b43e820538a5``` #### Context Example + ```json { "DBotScore": [ @@ -1704,22 +1782,26 @@ Command performs Group IB event lookup in attacks/ddos collection with provided #### Human Readable Output >### Feed from attacks/ddos with ID 26a05baa4025edff367b058b13c6b43e820538a5 + >|cnc cnc|cnc domain|cnc ipv4 asn|cnc ipv4 city|cnc ipv4 countryCode|cnc ipv4 countryName|cnc ipv4 ip|cnc ipv4 provider|cnc ipv4 region|companyId|dateBegin|dateEnd|dateReg|evaluation admiraltyCode|evaluation credibility|evaluation reliability|evaluation severity|evaluation tlp|evaluation ttl|id|oldId|portalLink|protocol|source|stixGuid|target domainsCount|target ipv4 asn|target ipv4 city|target ipv4 countryCode|target ipv4 countryName|target ipv4 ip|target ipv4 provider|target ipv4 region|target port|type| >|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| ->| some.ru | some.ru | AS11111 | Some | US | United States | 11.11.11.11 | Some | Some | -1 | 2021-01-16T02:58:53+00:00 | 2021-01-16T02:58:55+00:00 | 2021-01-16 | A2 | 90 | 90 | red | green | 30 | 26a05baa4025edff367b058b13c6b43e820538a5 | 394657345 | https://bt.group-ib.com/attacks/ddos?searchValue=id:26a05baa4025edff367b058b13c6b43e820538a5 | udp | honeypot_logs:1 | ea05c117-2cca-b3cd-f033-a8e16e5db3c2 | 0 | AS11111 | Some | US | United States | 11.11.11.11 | Some | Some | 55843 | DNS Reflection | +>| some.ru | some.ru | AS11111 | Some | US | United States | 11.11.11.11 | Some | Some | -1 | 2021-01-16T02:58:53+00:00 | 2021-01-16T02:58:55+00:00 | 2021-01-16 | A2 | 90 | 90 | red | green | 30 | 26a05baa4025edff367b058b13c6b43e820538a5 | 394657345 | | udp | honeypot_logs:1 | ea05c117-2cca-b3cd-f033-a8e16e5db3c2 | 0 | AS11111 | Some | US | United States | 11.11.11.11 | Some | Some | 55843 | DNS Reflection | >### Domain indicator + >|gibid|severity|value| >|---|---|---| >| 26a05baa4025edff367b058b13c6b43e820538a5 | red | some.ru | >### IP indicator + >|asn|geocountry|geolocation|gibid|severity|value| >|---|---|---|---|---|---| >| AS11111 | United States | Some | 26a05baa4025edff367b058b13c6b43e820538a5 | red | 11.11.11.11 | ### gibtia-get-attacks-deface-info + *** Command performs Group IB event lookup in attacks/deface collection with provided ID. @@ -1727,6 +1809,7 @@ Command performs Group IB event lookup in attacks/deface collection with provide #### Base Command `gibtia-get-attacks-deface-info` + #### Input | **Argument Name** | **Description** | **Required** | @@ -1751,9 +1834,11 @@ Command performs Group IB event lookup in attacks/deface collection with provide #### Command Example + ```!gibtia-get-attacks-deface-info id=6009637a1135cd001ef46e21``` #### Context Example + ```json { "DBotScore": [ @@ -1834,27 +1919,32 @@ Command performs Group IB event lookup in attacks/deface collection with provide #### Human Readable Output >### Feed from attacks/deface with ID 6009637a1135cd001ef46e21 + >|date|evaluation admiraltyCode|evaluation credibility|evaluation reliability|evaluation severity|evaluation tlp|evaluation ttl|id|mirrorLink|portalLink|providerDomain|siteUrl|source|targetDomain|targetIp countryName|targetIp ip|threatActor id|threatActor isAPT|threatActor name|tsCreate|url| >|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| ->| 2021-01-21T02:22:18+00:00 | B2 | 80 | 80 | orange | amber | 30 | 6009637a1135cd001ef46e21 | https://some.ru/id:-6009637a1135cd001ef46e21: | https://bt.group-ib.com/attacks/deface?searchValue=id:6009637a1135cd001ef46e21 | some.ru | http://some.ru | some.ru | some.ru | Indonesia | 11.11.11.11 | d7ff75c35f93dce6f5410bba9a6c206bdff66555 | false | FRK48 | 2021-01-21T11:19:52+00:00 | http://some.ru | +>| 2021-01-21T02:22:18+00:00 | B2 | 80 | 80 | orange | amber | 30 | 6009637a1135cd001ef46e21 | : | | some.ru | | some.ru | some.ru | Indonesia | 11.11.11.11 | d7ff75c35f93dce6f5410bba9a6c206bdff66555 | false | FRK48 | 2021-01-21T11:19:52+00:00 | http://some.ru | >### URL indicator + >|gibid|severity|value| >|---|---|---| ->| 6009637a1135cd001ef46e21 | orange | http://some.ru | +>| 6009637a1135cd001ef46e21 | orange | | >### Domain indicator + >|gibid|severity|value| >|---|---|---| >| 6009637a1135cd001ef46e21 | orange | some.ru | >### IP indicator + >|geocountry|gibid|severity|value| >|---|---|---|---| >| Indonesia | 6009637a1135cd001ef46e21 | orange | 11.11.11.11 | ### gibtia-get-threat-info + *** Command performs Group IB event lookup in hi/threat (or in apt/threat if the APT flag is true) collection with provided ID. @@ -1862,6 +1952,7 @@ Command performs Group IB event lookup in hi/threat (or in apt/threat if the APT #### Base Command `gibtia-get-threat-info` + #### Input | **Argument Name** | **Description** | **Required** | @@ -1912,9 +2003,11 @@ Command performs Group IB event lookup in hi/threat (or in apt/threat if the APT #### Command Example + ```!gibtia-get-threat-info id=1b09d389d016121afbffe481a14b30ea995876e4 isAPT=true``` #### Context Example + ```json { "DBotScore": [ @@ -2089,11 +2182,13 @@ Command performs Group IB event lookup in hi/threat (or in apt/threat if the APT >### Feed from threat with ID 1b09d389d016121afbffe481a14b30ea995876e4 + >|createdAt|dateFirstSeen|dateLastSeen|datePublished|deleted|description|evaluation admiraltyCode|evaluation credibility|evaluation reliability|evaluation severity|evaluation tlp|id|isPublished|isTailored|langs|oldId|reportNumber|sectors|threatActor country|threatActor id|threatActor isAPT|threatActor name|title|type|updatedAt| >|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| >| 2021-01-15T16:53:20+03:00 | 2021-01-15 | 2021-01-15 | 2021-01-15 | false | Big description | B1 | 100 | 80 | orange | amber | 1b09d389d016121afbffe481a14b30ea995876e4 | true | false | en,
ru | 4c01c2d4-5ebb-44d8-9e91-be89231b0eb3 | CP-2501-1653 | financial-services,
finance | KP | 5e9f20fdcf5876b5772b3d09b432f4080711ac5f | true | Lazarus | Lazarus launches new attack with cryptocurrency trading platforms | threat | 2021-04-02T14:08:03+03:00 | >### files table + >|hash|mime|name|size| >|---|---|---|---| >| fa5b6b2f074ba6eb58f8b093f0e92cb8ff44b655dc8e9ce93f850e71474e4e11 | image/png | fa5b6b2f074ba6eb58f8b093f0e92cb8ff44b655dc8e9ce93f850e71474e4e11 | 284731 | @@ -2102,25 +2197,29 @@ Command performs Group IB event lookup in hi/threat (or in apt/threat if the APT >| 623102f6cf9d2e6c978898117b7b5b85035b3d5e67c4ee266879868c9eb24dd2 | image/png | 623102f6cf9d2e6c978898117b7b5b85035b3d5e67c4ee266879868c9eb24dd2 | 209254 | >### mitreMatrix table + >|attackPatternId|attackTactic|attackType|id|params| >|---|---|---|---|---| >| attack-pattern--45242287-2964-4a3e-9373-159fad4d8195 | establish-&-maintain-infrastructure | pre_attack_tactics | PRE-T1105 | data: | >### indicatorRelationships table + >|sourceId|targetId| >|---|---| >| 9f3a2a244570a38e772a35d7c9171eed92bec6f7 | 12cad1ca535a92a2ed306c0edf3025e7d9776693 | >### indicators table + >|deleted|id|langs|params|seqUpdate|type| >|---|---|---|---|---|---| >| false | 9f3a2a244570a38e772a35d7c9171eed12bec6f7 | en | hashes: {"md4": "", "md5": "8397ea747d2ab50da4f876a36d631272", "md6": "", "ripemd160": "", "sha1": "48a6d5141e25b6c63ad8da20b954b56afe512031", "sha224": "", "sha256": "89b5e248c222ebf2cb3b525d3650259e01cf7d8fff5e1aa15ccd7512b1e63957", "sha384": "", "sha512": "", "whirlpool": ""}
name: some.ru
size: null | 16107188499162 | file | ->| false | 8b96c56cbc980c1e3362060ffa953e65281fb1df | en | domain: some.ru
ipv4:
ipv6:
ssl:
url: https://some.ru | 16107188498393 | network | +>| false | 8b96c56cbc980c1e3362060ffa953e65281fb1df | en | domain: some.ru
ipv4:
ipv6:
ssl:
url: | 16107188498393 | network | >| false | 42a9929807fd954918f9bb603135754be7a6e11c | en | hashes: {"md4": "", "md5": "5d43baf1c9e9e3a939e5defd8f3fbd1d", "md6": "", "ripemd120": "", "sha1": "d5ff73c043f3bb75dd749636307500b60a336150", "sha224": "", "sha256": "867c8b49d29ae1f6e4a7cd31b6fe7e278753a1ba03d4be338ed11fd1efc3dd12", "sha384": "", "sha512": "", "whirlpool": ""}
name: 5d43baf1c9e9e3a939e5defd8f8fbd1d
size: null | 16107188498634 | file | ->| false | 12cad1ca535a92a2ed306c0edf3025e7d9776612 | en | domain: some.ru
ipv4:
ipv6:
ssl:
url: https://some.ru | 16107188498908 | network | +>| false | 12cad1ca535a92a2ed306c0edf3025e7d9776612 | en | domain: some.ru
ipv4:
ipv6:
ssl:
url: | 16107188498908 | network | ### gibtia-get-threat-actor-info + *** Command performs Group IB event lookup in hi/threat_actor (or in apt/threat_actor if the APT flag is true) collection with provided ID. @@ -2128,6 +2227,7 @@ Command performs Group IB event lookup in hi/threat_actor (or in apt/threat_acto #### Base Command `gibtia-get-threat-actor-info` + #### Input | **Argument Name** | **Description** | **Required** | @@ -2162,9 +2262,11 @@ Command performs Group IB event lookup in hi/threat_actor (or in apt/threat_acto #### Command Example + ```!gibtia-get-threat-actor-info id=0d4496592ac3a0f5511cd62ef29887f48d9cb545 isAPT=true``` #### Context Example + ```json { "GIBTIA": { @@ -2232,16 +2334,19 @@ Command performs Group IB event lookup in hi/threat_actor (or in apt/threat_acto >### Feed from threat_actor with ID 0d4496592ac3a0f5511cd62ef29887f48d9cb545 + >|aliases|country|createdAt|deleted|description|goals|id|isAPT|isPublished|labels|langs|name|roles|spokenOnLangs|stat countries|stat dateFirstSeen|stat dateLastSeen|stat regions|stat sectors|stixGuid|updatedAt| >|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| >| SectorC08 | RU | 2018-09-26T16:59:50+03:00 | false | Big description | Information | 0d4496592ac3a0f5511cd62ef29887f48d9cb545 | true | true | spy | en | Gamaredon | agent | ru | US | 2013-06-01 | 2021-03-19 | asia | non-profit | 63d0e4d4-9f55-4fa2-87af-b6c91ded80e0 | 2021-04-08T22:09:07+03:00 | >### stat reports table + >|datePublished|id|name| >|---|---|---| >| 2021-02-04 | 59dec5947c5adac898445e3958b1d05e1c260459 | en: Template injection attacks from the Gamaredon group continued: protocol topics | ### gibtia-get-suspicious-ip-tor-node-info + *** Command performs Group IB event lookup in suspicious_ip/tor_node collection with provided ID. @@ -2249,6 +2354,7 @@ Command performs Group IB event lookup in suspicious_ip/tor_node collection with #### Base Command `gibtia-get-suspicious-ip-tor-node-info` + #### Input | **Argument Name** | **Description** | **Required** | @@ -2269,9 +2375,11 @@ Command performs Group IB event lookup in suspicious_ip/tor_node collection with #### Command Example + ```!gibtia-get-suspicious-ip-tor-node-info id=109.70.100.46``` #### Context Example + ```json { "DBotScore": { @@ -2316,17 +2424,20 @@ Command performs Group IB event lookup in suspicious_ip/tor_node collection with #### Human Readable Output >### Feed from suspicious_ip/tor_node with ID 11.11.11.11 + >|dateFirstSeen|dateLastSeen|evaluation admiraltyCode|evaluation credibility|evaluation reliability|evaluation severity|evaluation tlp|evaluation ttl|id|ipv4 ip|portalLink|source| >|---|---|---|---|---|---|---|---|---|---|---|---| ->| 2020-09-03T14:15:25+00:00 | 2021-04-25T03:15:29+00:00 | A1 | 90 | 90 | green | green | 30 | 11.11.11.11 | 11.11.11.11 | https://bt.group-ib.com/suspicious/tor?searchValue=id:11.11.11.11 | some.ru | +>| 2020-09-03T14:15:25+00:00 | 2021-04-25T03:15:29+00:00 | A1 | 90 | 90 | green | green | 30 | 11.11.11.11 | 11.11.11.11 | | some.ru | >### IP indicator + >|gibid|severity|value| >|---|---|---| >| 11.11.11.11 | green | 11.11.11.11 | ### gibtia-get-suspicious-ip-open-proxy-info + *** Command performs Group IB event lookup in suspicious_ip/open_proxy collection with provided ID. @@ -2334,6 +2445,7 @@ Command performs Group IB event lookup in suspicious_ip/open_proxy collection wi #### Base Command `gibtia-get-suspicious-ip-open-proxy-info` + #### Input | **Argument Name** | **Description** | **Required** | @@ -2357,9 +2469,11 @@ Command performs Group IB event lookup in suspicious_ip/open_proxy collection wi #### Command Example + ```!gibtia-get-suspicious-ip-open-proxy-info id=cc6a2856da2806b03839f81aa214f22dbcfd7369``` #### Context Example + ```json { "DBotScore": { @@ -2413,11 +2527,13 @@ Command performs Group IB event lookup in suspicious_ip/open_proxy collection wi #### Human Readable Output >### Feed from suspicious_ip/open_proxy with ID cc6a2856da2806b03839f81aa214f22dbcfd7369 + >|anonymous|dateDetected|dateFirstSeen|evaluation admiraltyCode|evaluation credibility|evaluation reliability|evaluation severity|evaluation tlp|evaluation ttl|id|ipv4 countryCode|ipv4 countryName|ipv4 ip|ipv4 provider|oldId|port|portalLink|source|stixGuid|type| >|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| ->| 11.11.11.11 | 2021-01-21T11:01:02+00:00 | 2020-03-19T23:01:01+00:00 | C3 | 50 | 50 | green | white | 15 | cc6a2856da2806b03839f81aa214f22dbcfd7369 | CZ | Czech Republic | 11.11.11.11 | Some | 241549215 | 80 | https://bt.group-ib.com/suspicious/proxies?searchValue=id:cc6a2856da2806b03839f81aa214f22dbcfd7369 | some.ru | c30604ac-94d5-b514-f1d1-7230ec13c739 | http | +>| 11.11.11.11 | 2021-01-21T11:01:02+00:00 | 2020-03-19T23:01:01+00:00 | C3 | 50 | 50 | green | white | 15 | cc6a2856da2806b03839f81aa214f22dbcfd7369 | CZ | Czech Republic | 11.11.11.11 | Some | 241549215 | 80 | | some.ru | c30604ac-94d5-b514-f1d1-7230ec13c739 | http | >### IP indicator + >|geocountry|gibid|gibproxyanonymous|gibproxyport|severity|source|value| >|---|---|---|---|---|---|---| >| Czech Republic | cc6a2856da2806b03839f81aa214f22dbcfd7369 | 11.11.11.11 | 80 | green | some.ru | 11.11.11.11 | @@ -2425,6 +2541,7 @@ Command performs Group IB event lookup in suspicious_ip/open_proxy collection wi ### gibtia-get-suspicious-ip-socks-proxy-info + *** Command performs Group IB event lookup in suspicious_ip/socks_proxy collection with provided ID. @@ -2432,6 +2549,7 @@ Command performs Group IB event lookup in suspicious_ip/socks_proxy collection w #### Base Command `gibtia-get-suspicious-ip-socks-proxy-info` + #### Input | **Argument Name** | **Description** | **Required** | @@ -2452,9 +2570,11 @@ Command performs Group IB event lookup in suspicious_ip/socks_proxy collection w #### Command Example + ```!gibtia-get-suspicious-ip-socks-proxy-info id=02e385600dfc5bf9b3b3656df8e0e20f5fc5c86e``` #### Context Example + ```json { "DBotScore": { @@ -2507,17 +2627,20 @@ Command performs Group IB event lookup in suspicious_ip/socks_proxy collection w #### Human Readable Output >### Feed from suspicious_ip/socks_proxy with ID 02e385600dfc5bf9b3b3656df8e0e20f5fc5c86e + >|dateDetected|dateFirstSeen|dateLastSeen|evaluation admiraltyCode|evaluation credibility|evaluation reliability|evaluation severity|evaluation tlp|evaluation ttl|id|ipv4 asn|ipv4 countryCode|ipv4 countryName|ipv4 ip|ipv4 provider|oldId|portalLink|source|stixGuid| >|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| ->| 2021-01-19T07:41:11+00:00 | 2021-01-19T07:41:11+00:00 | 2021-02-23T20:58:51+00:00 | A1 | 100 | 90 | green | amber | 2 | 02e385600dfc5bf9b3b3656df8e0e20f5fc5c86e | AS11111 | LB | Lebanon | 11.11.11.11 | Some | 395880626 | https://bt.group-ib.com/suspicious/socks?searchValue=id:02e385600dfc5bf9b3b3656df8e0e20f5fc5c86e | awmproxy.com | 78cd5f78-e542-bf2c-fc40-e2a41b36dd97 | +>| 2021-01-19T07:41:11+00:00 | 2021-01-19T07:41:11+00:00 | 2021-02-23T20:58:51+00:00 | A1 | 100 | 90 | green | amber | 2 | 02e385600dfc5bf9b3b3656df8e0e20f5fc5c86e | AS11111 | LB | Lebanon | 11.11.11.11 | Some | 395880626 | | awmproxy.com | 78cd5f78-e542-bf2c-fc40-e2a41b36dd97 | >### IP indicator + >|asn|geocountry|gibid|severity|value| >|---|---|---|---|---| >| AS11111 | Lebanon | 02e385600dfc5bf9b3b3656df8e0e20f5fc5c86e | green | 11.11.11.11 | ### gibtia-get-malware-targeted-malware-info + *** Command performs Group IB event lookup in malware/targeted_malware collection with provided ID. @@ -2525,6 +2648,7 @@ Command performs Group IB event lookup in malware/targeted_malware collection wi #### Base Command `gibtia-get-malware-targeted-malware-info` + #### Input | **Argument Name** | **Description** | **Required** | @@ -2556,9 +2680,11 @@ Command performs Group IB event lookup in malware/targeted_malware collection wi #### Command Example + ```!gibtia-get-malware-targeted-malware-info id=5bbd38acf0b9e4f04123af494d485f6c49221e98``` #### Context Example + ```json { "DBotScore": { @@ -2629,17 +2755,20 @@ Command performs Group IB event lookup in malware/targeted_malware collection wi #### Human Readable Output >### Feed from malware/targeted_malware with ID 5bbd38acf0b9e4f04123af494d485f6c49221e98 + >|company|companyId|date|dateAnalyzeEnded|dateAnalyzeStarted|evaluation admiraltyCode|evaluation credibility|evaluation reliability|evaluation severity|evaluation tlp|fileName|fileType|hasReport|id|injectDump|injectMd5|malware id|malware name|md5|oldId|portalLink|sha1|sha256|size|source|stixGuid| >|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| ->| some | -1,
38 | 2021-01-21T06:49:12+00:00 | 2021-01-21T09:53:23+00:00 | 2021-01-21T09:49:12+00:00 | A1 | 100 | 100 | red | red | some.txt | data | true | 5bbd38acf0b9e4f04123af494d485f6c49221e98 | Big dump | 973cca2a0f04ced4cdb8128624d18de1 | b69fc9d439d2fd41e98a7e3c60b9a55340012eb6 | Cobalt Strike | 11702f92313f5f3413d129809ca4f11d | 396793259 | https://bt.group-ib.com/targeted_malware/Cobalt Strike/sample/5bbd38acf0b9e4f04123af494d485f6c49221e98/show | 93fce6228be5557c69d8eeeab5a5a2a643e7d110 | 630c88ca1d583f05283707740da5b1f4423807cd80cab108821157ad341b1001 | 208978 | Sandbox service | 937a940c-8b51-0fd8-c16f-973529bc4dd7 | +>| some | -1,
38 | 2021-01-21T06:49:12+00:00 | 2021-01-21T09:53:23+00:00 | 2021-01-21T09:49:12+00:00 | A1 | 100 | 100 | red | red | some.txt | data | true | 5bbd38acf0b9e4f04123af494d485f6c49221e98 | Big dump | 973cca2a0f04ced4cdb8128624d18de1 | b69fc9d439d2fd41e98a7e3c60b9a55340012eb6 | Cobalt Strike | 11702f92313f5f3413d129809ca4f11d | 396793259 | Strike/sample/5bbd38acf0b9e4f04123af494d485f6c49221e98/show | 93fce6228be5557c69d8eeeab5a5a2a643e7d110 | 630c88ca1d583f05283707740da5b1f4423807cd80cab108821157ad341b1001 | 208978 | Sandbox service | 937a940c-8b51-0fd8-c16f-973529bc4dd7 | >### File indicator + >|filetype|gibfilename|gibid|md5|severity|sha1|sha256|size|value| >|---|---|---|---|---|---|---|---|---| >| data | some.txt | 5bbd38acf0b9e4f04123af494d485f6c49221e98 | 11702f92313f5f3413d129809ca4f11d | red | 93fce6228be5557c69d8eeeab5a5a2a643e7d110 | 630c88ca1d583f05283707740da5b1f4423807cd80cab108821157ad341b1001 | 208978 | 11702f92313f5f3413d129809ca4f11d | ### gibtia-get-malware-cnc-info + *** Command performs Group IB event lookup in malware/cnc collection by provided ID. @@ -2647,6 +2776,7 @@ Command performs Group IB event lookup in malware/cnc collection by provided ID. #### Base Command `gibtia-get-malware-cnc-info` + #### Input | **Argument Name** | **Description** | **Required** | @@ -2674,9 +2804,11 @@ Command performs Group IB event lookup in malware/cnc collection by provided ID. #### Command Example + ```!gibtia-get-malware-cnc-info id=aeed277396e27e375d030a91533aa232444d0089``` #### Context Example + ```json { "DBotScore": [ @@ -2757,37 +2889,44 @@ Command performs Group IB event lookup in malware/cnc collection by provided ID. #### Human Readable Output >### Feed from malware/cnc with ID aeed277396e27e375d030a91533aa232444d0089 + >|cnc|dateDetected|dateLastSeen|domain|id|oldId|stixGuid|url| >|---|---|---|---|---|---|---|---| ->| https://some.ru | 2021-04-25T13:37:23+00:00 | 2021-04-25T13:37:23+00:00 | some.ru | aeed277396e27e375d030a91533aa232444d0089 | 211146923 | 417b2644-1105-d65b-4b67-a78e82f59b65 | https://some.ru | +>| | 2021-04-25T13:37:23+00:00 | 2021-04-25T13:37:23+00:00 | some.ru | aeed277396e27e375d030a91533aa232444d0089 | 211146923 | 417b2644-1105-d65b-4b67-a78e82f59b65 | https://some.ru | >### ipv4 table + >|asn|countryCode|countryName|ip|provider| >|---|---|---|---|---| >| AS1111 | US | United States | 11.11.11.11 | Some | >### malwareList table + >|id|name|stixGuid| >|---|---|---| >| e99c294ffe7b79655d6ef1f32add638d8a2d4b24 | JS Sniffer - Poter | 1ac5a303-ef6f-2d6a-ad20-a39196815a1a | >### URL indicator + >|gibid|value| >|---|---| ->| aeed277396e27e375d030a91533aa232444d0089 | https://some.ru | +>| aeed277396e27e375d030a91533aa232444d0089 | | >### Domain indicator + >|gibid|value| >|---|---| >| aeed277396e27e375d030a91533aa232444d0089 | some.ru | >### IP indicator + >|asn|geocountry|gibid|value| >|---|---|---|---| >| AS1111 | United States | aeed277396e27e375d030a91533aa232444d0089 | 11.11.11.11 | ### gibtia-get-available-collections + *** Returns list of available collections. @@ -2795,6 +2934,7 @@ Returns list of available collections. #### Base Command `gibtia-get-available-collections` + #### Input There are no input arguments for this command. @@ -2807,9 +2947,11 @@ There are no input arguments for this command. #### Command Example + ```!gibtia-get-available-collections``` #### Context Example + ```json { "GIBTIA": { @@ -2846,12 +2988,14 @@ There are no input arguments for this command. #### Human Readable Output >### Available collections + >|collections| >|---| >| compromised/account,
compromised/card,
bp/phishing,
bp/phishing_kit,
osi/git_leak,
osi/public_leak,
malware/targeted_malware,
compromised/mule,
compromised/imei,
attacks/ddos,
attacks/deface,
attacks/phishing,
attacks/phishing_kit,
apt/threat,
hi/threat,
suspicious_ip/tor_node,
suspicious_ip/open_proxy,
suspicious_ip/socks_proxy,
malware/cnc,
osi/vulnerability,
hi/threat_actor,
apt/threat_actor | ### gibtia-global-search + *** Command performs global Group IB search @@ -2859,6 +3003,7 @@ Command performs global Group IB search #### Base Command `gibtia-global-search` + #### Input | **Argument Name** | **Description** | **Required** | @@ -2876,9 +3021,11 @@ Command performs global Group IB search #### Command Example + ```!gibtia-global-search query=100.100.100.100``` #### Context Example + ```json { "GIBTIA": { @@ -2923,6 +3070,7 @@ Command performs global Group IB search #### Human Readable Output >### Search results + >|apiPath|count|GIBLink| >|---|---|---| >| compromised/account | 14 | | @@ -2933,6 +3081,7 @@ Command performs global Group IB search ### gibtia-local-search + *** Command performs Group IB search in selected collection. @@ -2940,6 +3089,7 @@ Command performs Group IB search in selected collection. #### Base Command `gibtia-local-search` + #### Input | **Argument Name** | **Description** | **Required** | @@ -2959,9 +3109,11 @@ Command performs Group IB search in selected collection. #### Command Example + ```!gibtia-local-search collection_name=attacks/phishing query=100.100.100.100``` #### Context Example + ```json { "GIBTIA": { @@ -2978,6 +3130,7 @@ Command performs Group IB search in selected collection. #### Human Readable Output >### Search results + >|id|additional_info| >|---|---| >| 8bd7e5cef2290b0c3f04bf283586406dceffe25d | phishingDomain_domain: some.ru | diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/GroupIB_TIA_Feed.py b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/GroupIB_TIA_Feed.py index 597c004af785..5bffb53e1a2a 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/GroupIB_TIA_Feed.py +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/GroupIB_TIA_Feed.py @@ -1,9 +1,3 @@ -import requests - -import demistomock as demisto -import demistomock -from CommonServerPython import * -from CommonServerUserPython import * """ IMPORTS """ from collections.abc import Generator @@ -161,18 +155,18 @@ 'firstseenbysource', 'lastseenbysource' ] }, - # { - # "main_field": 'target.ipv4.ip', "main_field_type": 'GIB Victim IP', - # "add_fields": [ - # 'target.ipv4.asn', 'target.ipv4.countryName', 'target.ipv4.region', - # *MALWARE_FIELDS, *THREAT_ACTOR_FIELDS, - # 'dateBegin', 'dateEnd', *EVALUATION_FIELDS - # ], - # "add_fields_types": [ - # *IP_COMMON_FIELD_TYPES, *MALWARE_FIELD_TYPES, *THREAT_ACTOR_FIELD_TYPES, - # 'firstseenbysource', 'lastseenbysource', *EVALUATION_FIELD_TYPES - # ] - # } + { + "main_field": 'target.ipv4.ip', "main_field_type": 'GIB Victim IP', + "add_fields": [ + 'target.ipv4.asn', 'target.ipv4.countryName', 'target.ipv4.region', + *MALWARE_FIELDS, *THREAT_ACTOR_FIELDS, + 'dateBegin', 'dateEnd', *EVALUATION_FIELDS + ], + "add_fields_types": [ + *IP_COMMON_FIELD_TYPES, *MALWARE_FIELD_TYPES, *THREAT_ACTOR_FIELD_TYPES, + 'firstseenbysource', 'lastseenbysource', *EVALUATION_FIELD_TYPES + ] + } ] }, "attacks/deface": { diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/README.md b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/README.md index 8a9107131592..5e3ff7703784 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/README.md +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/README.md @@ -2,6 +2,7 @@ Use Group-IB Threat Intelligence & Attribution Feed integration to fetch IOCs from various Group-IB collections. This integration was integrated and tested with version 1.0 of Group-IB Threat Intelligence & Attribution Feed + ## Configure Group-IB Threat Intelligence & Attribution Feed on Cortex XSOAR 1. Navigate to **Settings** > **Integrations** > **Servers & Services**. @@ -29,10 +30,14 @@ This integration was integrated and tested with version 1.0 of Group-IB Threat I | | | False | 4. Click **Test** to validate the URLs, token, and connection. + ## Commands + You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details. + ### gibtia-get-indicators + *** Get limited count of indicators for specified collection and get all indicators from particular events by id. @@ -40,6 +45,7 @@ Get limited count of indicators for specified collection and get all indicators #### Base Command `gibtia-get-indicators` + #### Input | **Argument Name** | **Description** | **Required** | @@ -54,11 +60,13 @@ Get limited count of indicators for specified collection and get all indicators There is no context output for this command. #### Command Example + ```!gibtia-get-indicators collection=compromised/mule``` #### Human Readable Output >### IP indicators + >|value|type|asn|geocountry|gibmalwarename| >|---|---|---|---|---| >| 11.11.11.11 | IP | | | Anubis | diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Brand_Protection_Domain_Layout.json b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Brand_Protection_Domain_Layout.json deleted file mode 100644 index 9f60bab17b9b..000000000000 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Brand_Protection_Domain_Layout.json +++ /dev/null @@ -1,540 +0,0 @@ -{ - "description": "Layout for GIB Brand Protection Domain", - "detailsV2": { - "tabs": [ - { - "id": "summary", - "name": "Legacy Summary", - "type": "summary" - }, - { - "id": "caseinfoid", - "name": "Incident Info", - "sections": [ - { - "displayType": "ROW", - "h": 2, - "i": "caseinfoid-fce71720-98b0-11e9-97d7-ed26ef9e46c8", - "isVisible": true, - "items": [ - { - "endCol": 2, - "fieldId": "type", - "height": 22, - "id": "incident-type-field", - "index": 0, - "sectionItemType": "field", - "startCol": 0 - }, - { - "endCol": 2, - "fieldId": "severity", - "height": 22, - "id": "incident-severity-field", - "index": 1, - "sectionItemType": "field", - "startCol": 0 - }, - { - "endCol": 2, - "fieldId": "owner", - "height": 22, - "id": "incident-owner-field", - "index": 2, - "sectionItemType": "field", - "startCol": 0 - }, - { - "endCol": 2, - "fieldId": "dbotsource", - "height": 22, - "id": "incident-source-field", - "index": 3, - "sectionItemType": "field", - "startCol": 0 - }, - { - "endCol": 2, - "fieldId": "sourcebrand", - "height": 22, - "id": "incident-sourceBrand-field", - "index": 4, - "sectionItemType": "field", - "startCol": 0 - }, - { - "endCol": 2, - "fieldId": "sourceinstance", - "height": 22, - "id": "incident-sourceInstance-field", - "index": 5, - "sectionItemType": "field", - "startCol": 0 - }, - { - "endCol": 2, - "fieldId": "playbookid", - "height": 22, - "id": "incident-playbookId-field", - "index": 6, - "sectionItemType": "field", - "startCol": 0 - } - ], - "maxW": 3, - "moved": false, - "name": "Case Details", - "static": false, - "w": 1, - "x": 0, - "y": 0 - }, - { - "h": 2, - "i": "caseinfoid-61263cc0-98b1-11e9-97d7-ed26ef9e46c8", - "maxW": 3, - "moved": false, - "name": "Notes", - "static": false, - "type": "notes", - "w": 1, - "x": 2, - "y": 0 - }, - { - "displayType": "ROW", - "h": 2, - "i": "caseinfoid-6aabad20-98b1-11e9-97d7-ed26ef9e46c8", - "maxW": 3, - "moved": false, - "name": "Work Plan", - "static": false, - "type": "workplan", - "w": 1, - "x": 1, - "y": 0 - }, - { - "displayType": "ROW", - "h": 2, - "i": "caseinfoid-770ec200-98b1-11e9-97d7-ed26ef9e46c8", - "isVisible": true, - "maxW": 3, - "moved": false, - "name": "Linked Incidents", - "static": false, - "type": "linkedIncidents", - "w": 1, - "x": 1, - "y": 10 - }, - { - "displayType": "ROW", - "h": 2, - "i": "caseinfoid-842632c0-98b1-11e9-97d7-ed26ef9e46c8", - "maxW": 3, - "moved": false, - "name": "Child Incidents", - "static": false, - "type": "childInv", - "w": 1, - "x": 2, - "y": 4 - }, - { - "displayType": "ROW", - "h": 2, - "i": "caseinfoid-4a31afa0-98ba-11e9-a519-93a53c759fe0", - "maxW": 3, - "moved": false, - "name": "Evidence", - "static": false, - "type": "evidence", - "w": 1, - "x": 2, - "y": 2 - }, - { - "displayType": "ROW", - "h": 2, - "hideName": false, - "i": "caseinfoid-7717e580-9bed-11e9-9a3f-8b4b2158e260", - "maxW": 3, - "moved": false, - "name": "Team Members", - "static": false, - "type": "team", - "w": 1, - "x": 2, - "y": 6 - }, - { - "displayType": "ROW", - "h": 2, - "i": "caseinfoid-7ce69dd0-a07f-11e9-936c-5395a1acf11e", - "maxW": 3, - "moved": false, - "name": "Indicators", - "query": "", - "queryType": "input", - "static": false, - "type": "indicators", - "w": 2, - "x": 0, - "y": 8 - }, - { - "displayType": "CARD", - "h": 2, - "i": "caseinfoid-ac32f620-a0b0-11e9-b27f-13ae1773d289", - "items": [ - { - "endCol": 1, - "fieldId": "occurred", - "height": 22, - "id": "incident-occurred-field", - "index": 0, - "sectionItemType": "field", - "startCol": 0 - }, - { - "endCol": 1, - "fieldId": "dbotmodified", - "height": 22, - "id": "incident-modified-field", - "index": 1, - "sectionItemType": "field", - "startCol": 0 - }, - { - "endCol": 2, - "fieldId": "dbotduedate", - "height": 22, - "id": "incident-dueDate-field", - "index": 2, - "sectionItemType": "field", - "startCol": 0 - }, - { - "endCol": 2, - "fieldId": "dbotcreated", - "height": 22, - "id": "incident-created-field", - "index": 0, - "sectionItemType": "field", - "startCol": 1 - }, - { - "endCol": 2, - "fieldId": "dbotclosed", - "height": 22, - "id": "incident-closed-field", - "index": 1, - "sectionItemType": "field", - "startCol": 1 - } - ], - "maxW": 3, - "moved": false, - "name": "Timeline Information", - "static": false, - "w": 1, - "x": 0, - "y": 6 - }, - { - "displayType": "ROW", - "h": 2, - "i": "caseinfoid-88e6bf70-a0b1-11e9-b27f-13ae1773d289", - "isVisible": true, - "items": [ - { - "endCol": 2, - "fieldId": "dbotclosed", - "height": 22, - "id": "incident-dbotClosed-field", - "index": 0, - "sectionItemType": "field", - "startCol": 0 - }, - { - "endCol": 2, - "fieldId": "closereason", - "height": 22, - "id": "incident-closeReason-field", - "index": 1, - "sectionItemType": "field", - "startCol": 0 - }, - { - "endCol": 2, - "fieldId": "closenotes", - "height": 44, - "id": "incident-closeNotes-field", - "index": 3, - "sectionItemType": "field", - "startCol": 0 - } - ], - "maxW": 3, - "moved": false, - "name": "Closing Information", - "static": false, - "w": 1, - "x": 0, - "y": 10 - }, - { - "displayType": "CARD", - "h": 2, - "i": "caseinfoid-e54b1770-a0b1-11e9-b27f-13ae1773d289", - "isVisible": true, - "items": [ - { - "endCol": 2, - "fieldId": "details", - "height": 22, - "id": "incident-details-field", - "index": 0, - "sectionItemType": "field", - "startCol": 0 - } - ], - "maxW": 3, - "moved": false, - "name": "Investigation Data", - "static": false, - "w": 1, - "x": 1, - "y": 6 - }, - { - "description": "", - "displayType": "ROW", - "h": 2, - "hideName": false, - "i": "caseinfoid-34740850-72c7-11eb-9bde-efbce7414b24", - "items": [ - { - "endCol": 4, - "fieldId": "gibnameservers", - "height": 22, - "id": "ec5ba620-0f12-11ec-b4dd-539628da0f41", - "index": 2, - "sectionItemType": "field", - "startCol": 0 - }, - { - "dropEffect": "move", - "endCol": 4, - "fieldId": "gibtitle", - "height": 22, - "id": "8c7ce9e0-0f11-11ec-b4dd-539628da0f41", - "index": 3, - "listId": "caseinfoid-34740850-72c7-11eb-9bde-efbce7414b24", - "sectionItemType": "field", - "startCol": 0 - }, - { - "dropEffect": "move", - "endCol": 4, - "fieldId": "gibphishingtype", - "height": 22, - "id": "01126220-0f13-11ec-b4dd-539628da0f41", - "index": 4, - "listId": "caseinfoid-34740850-72c7-11eb-9bde-efbce7414b24", - "sectionItemType": "field", - "startCol": 0 - }, - { - "dropEffect": "move", - "endCol": 4, - "fieldId": "gibphishingstatus", - "height": 22, - "id": "29a76e80-7362-11eb-8aef-c39e29f029fe", - "index": 5, - "listId": "caseinfoid-34740850-72c7-11eb-9bde-efbce7414b24", - "sectionItemType": "field", - "startCol": 0 - } - ], - "maxW": 3, - "minH": 1, - "minW": 1, - "moved": false, - "name": "Phishing Information from GIB TIA", - "static": false, - "w": 1, - "x": 1, - "y": 4 - }, - { - "displayType": "ROW", - "h": 2, - "hideName": false, - "i": "caseinfoid-69c7f3b0-0f1e-11ec-b4dd-539628da0f41", - "items": [ - { - "endCol": 4, - "fieldId": "gibdatecreated", - "height": 22, - "id": "d3f80ec0-0f12-11ec-b4dd-539628da0f41", - "index": 0, - "sectionItemType": "field", - "startCol": 0 - }, - { - "endCol": 4, - "fieldId": "gibdateexpired", - "height": 22, - "id": "dd41d5b0-0f12-11ec-b4dd-539628da0f41", - "index": 1, - "sectionItemType": "field", - "startCol": 0 - }, - { - "dropEffect": "move", - "endCol": 4, - "fieldId": "gibid", - "height": 22, - "id": "5ff80ed0-72c8-11eb-9bde-efbce7414b24", - "index": 2, - "listId": "caseinfoid-34740850-72c7-11eb-9bde-efbce7414b24", - "sectionItemType": "field", - "startCol": 0 - }, - { - "dropEffect": "move", - "endCol": 4, - "fieldId": "gibscreenshot", - "height": 22, - "id": "c59fe0a0-0f12-11ec-b4dd-539628da0f41", - "index": 3, - "listId": "caseinfoid-69c7f3b0-0f1e-11ec-b4dd-539628da0f41", - "sectionItemType": "field", - "startCol": 0 - }, - { - "endCol": 4, - "fieldId": "gibhtml", - "height": 22, - "id": "b57b7e00-0f12-11ec-b4dd-539628da0f41", - "index": 4, - "sectionItemType": "field", - "startCol": 0 - }, - { - "endCol": 4, - "fieldId": "gibfavicon", - "height": 22, - "id": "b8585f30-0f12-11ec-b4dd-539628da0f41", - "index": 5, - "sectionItemType": "field", - "startCol": 0 - } - ], - "maxW": 3, - "minH": 1, - "minW": 1, - "moved": false, - "name": "General Information from GIB TIA", - "static": false, - "w": 2, - "x": 0, - "y": 2 - }, - { - "displayType": "ROW", - "h": 2, - "hideName": false, - "i": "caseinfoid-81b45f40-0f1e-11ec-b4dd-539628da0f41", - "items": [ - { - "dropEffect": "move", - "endCol": 2, - "fieldId": "gibperson", - "height": 22, - "id": "355968d0-0f13-11ec-b4dd-539628da0f41", - "index": 0, - "listId": "caseinfoid-34740850-72c7-11eb-9bde-efbce7414b24", - "sectionItemType": "field", - "startCol": 0 - }, - { - "dropEffect": "move", - "endCol": 2, - "fieldId": "gibaddress", - "height": 22, - "id": "31a64be0-0f13-11ec-b4dd-539628da0f41", - "index": 1, - "listId": "caseinfoid-34740850-72c7-11eb-9bde-efbce7414b24", - "sectionItemType": "field", - "startCol": 0 - }, - { - "endCol": 2, - "fieldId": "phonenumber", - "height": 22, - "id": "3f55b6e0-0f13-11ec-b4dd-539628da0f41", - "index": 2, - "sectionItemType": "field", - "startCol": 0 - }, - { - "endCol": 2, - "fieldId": "gibemail", - "height": 22, - "id": "3ac161b0-0f13-11ec-b4dd-539628da0f41", - "index": 3, - "sectionItemType": "field", - "startCol": 0 - } - ], - "maxW": 3, - "minH": 1, - "minW": 1, - "moved": false, - "name": "Person Information from GIB TIA", - "static": false, - "w": 1, - "x": 0, - "y": 4 - } - ], - "type": "custom" - }, - { - "id": "warRoom", - "name": "War Room", - "type": "warRoom" - }, - { - "id": "workPlan", - "name": "Work Plan", - "type": "workPlan" - }, - { - "id": "evidenceBoard", - "name": "Evidence Board", - "type": "evidenceBoard" - }, - { - "id": "relatedIncidents", - "name": "Related Incidents", - "type": "relatedIncidents" - }, - { - "id": "canvas", - "name": "Canvas", - "type": "canvas" - } - ] - }, - "group": "incident", - "id": "GIB Brand Protection Domain Layout", - "name": "GIB Brand Protection Domain Layout", - "system": false, - "version": -1, - "fromVersion": "6.0.0", - "marketplaces": ["xsoar"] -} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Playbooks/Incident_Postprocessing_-_Group-IB_Threat_Intelligence_&_Attribution_README.md b/Packs/GroupIB_ThreatIntelligenceAttribution/Playbooks/Incident_Postprocessing_-_Group-IB_Threat_Intelligence_&_Attribution_README.md index af4bfdcbe8f5..bc56e8123c4c 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/Playbooks/Incident_Postprocessing_-_Group-IB_Threat_Intelligence_&_Attribution_README.md +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Playbooks/Incident_Postprocessing_-_Group-IB_Threat_Intelligence_&_Attribution_README.md @@ -7,7 +7,7 @@ This playbook uses the following sub-playbooks, integrations, and scripts. This playbook does not use any sub-playbooks. ### Integrations -* Group-IB Threat Intelligence & Attribution +* Group-IB Threat Intelligence ### Scripts This playbook does not use any scripts. @@ -27,4 +27,4 @@ There are no outputs for this playbook. ## Playbook Image --- -![Incident Postprocessing - Group-IB Threat Intelligence & Attribution](https://raw.githubusercontent.com/demisto/content/951efb2cd026c6382d207447ee78eb3c5a1f97aa/Packs/GroupIB_ThreatIntelligenceAttribution/doc_files/Incident_Postprocessing_-_Group-IB_Threat_Intelligence_%26_Attribution_Wed_Oct_20_2021.png) +![Incident Postprocessing - Group-IB Threat Intelligence](https://raw.githubusercontent.com/demisto/content/951efb2cd026c6382d207447ee78eb3c5a1f97aa/Packs/GroupIB_ThreatIntelligenceAttribution/doc_files/Incident_Postprocessing_-_Group-IB_Threat_Intelligence_%26_Attribution_Wed_Oct_20_2021.png) diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/README.md b/Packs/GroupIB_ThreatIntelligenceAttribution/README.md index 2f35b7bf202f..6e8902d73422 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/README.md +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/README.md @@ -1,6 +1,6 @@ Nowadays businesses in any sphere may have problems with their cybersecurity: from simple phishing to professional cybercriminals, so it is very important to respond to incidents quickly. -Group-IB Threat Intelligence & Attribution Pack can help you with managing your incident and indicators from Group-IB within the SOAR system. +Group-IB Threat Intelligence Pack can help you with managing your incident and indicators from Group-IB within the SOAR system. ### What does this pack do? * Receive incidents and attribute them to adversaries. @@ -9,5 +9,5 @@ Group-IB Threat Intelligence & Attribution Pack can help you with managing your As part of this pack, you will also get incident types, fields, and layouts; indicator types, fields, and layouts; the classifier and mapper for properly delivering data to these types and fields. Also, you will get a playbook, that enriches incidents, upcoming from Group-IB with threat reports and threat actor information. -![Incident Postprocessing - Group-IB Threat Intelligence & Attribution](https://raw.githubusercontent.com/demisto/content/951efb2cd026c6382d207447ee78eb3c5a1f97aa/Packs/GroupIB_ThreatIntelligenceAttribution/doc_files/Incident_Postprocessing_-_Group-IB_Threat_Intelligence_%26_Attribution_Wed_Oct_20_2021.png) +![Incident Postprocessing - Group-IB Threat Intelligence](https://raw.githubusercontent.com/demisto/content/951efb2cd026c6382d207447ee78eb3c5a1f97aa/Packs/GroupIB_ThreatIntelligenceAttribution/doc_files/Incident_Postprocessing_-_Group-IB_Threat_Intelligence_%26_Attribution_Wed_Oct_20_2021.png) diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/ReleaseNotes/1_4_0.md b/Packs/GroupIB_ThreatIntelligenceAttribution/ReleaseNotes/1_4_0.md new file mode 100644 index 000000000000..b730007e7398 --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/ReleaseNotes/1_4_0.md @@ -0,0 +1,32 @@ + +#### Integrations +- Deprecated layout bp/domain +- Deprecated incident type Brand Protection Domain + +##### Group-IB Threat Intelligence + +- Updated all Group-IB Threat Intelligence feed collections +- Updated app logic - app was completely redesigned, including parsing and matching parameters +- New branding + +##### Group-IB Threat Intelligence Feed + +- Added new (and major) feeds - compromised/account_group, ioc/common +- Deprecated feeds - bp/domain, osi/git_leak, compromised/account +- New branding + +##### Group-IB Threat Intelligence + +- New branding +##### Group-IB Threat Intelligence Feed + +- New branding + +#### Scripts + +##### GIBIncidentUpdate + +- New branding +##### GIBIncidentUpdateIncludingClosed + +- New branding diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Scripts/GIBIncidentUpdate/GIBIncidentUpdate.py b/Packs/GroupIB_ThreatIntelligenceAttribution/Scripts/GIBIncidentUpdate/GIBIncidentUpdate.py index b510c1b62f44..1f1fc7947188 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/Scripts/GIBIncidentUpdate/GIBIncidentUpdate.py +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Scripts/GIBIncidentUpdate/GIBIncidentUpdate.py @@ -1,6 +1,3 @@ -import demistomock as demisto # noqa: F401 -from CommonServerPython import * # noqa: F401 - def prevent_duplication(current_incident): """ diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Scripts/GIBIncidentUpdateIncludingClosed/GIBIncidentUpdateIncludingClosed.py b/Packs/GroupIB_ThreatIntelligenceAttribution/Scripts/GIBIncidentUpdateIncludingClosed/GIBIncidentUpdateIncludingClosed.py index 4654fe11a97e..6cbc50f5a8d8 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/Scripts/GIBIncidentUpdateIncludingClosed/GIBIncidentUpdateIncludingClosed.py +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Scripts/GIBIncidentUpdateIncludingClosed/GIBIncidentUpdateIncludingClosed.py @@ -1,6 +1,3 @@ -import demistomock as demisto # noqa: F401 -from CommonServerPython import * # noqa: F401 - def prevent_duplication(current_incident): """ diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/pack_metadata.json b/Packs/GroupIB_ThreatIntelligenceAttribution/pack_metadata.json index 612f6da2417f..2ec29ba9fec1 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/pack_metadata.json +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Group-IB Threat Intelligence", "description": "Group-IB Threat Intelligence is a system for analyzing and attributing cyberattacks, threat hunting, and protecting network infrastructure based on data relating to adversary tactics, tools, and activity. Use this pack to fast receive incidents related to you, attribute them to adversaries to do instant response, enrich your security with an enormous IOCs collection, and provide possibilities for manual investigation through Group-IB data via Cortex XSOAR interface.", "support": "partner", - "currentVersion": "1.3.12", + "currentVersion": "1.4.0", "author": "Group-IB", "url": "https://www.group-ib.com/", "email": "integration@group-ib.com", diff --git a/package-lock.json b/package-lock.json index 10d2f04573bd..ca7961916d7d 100644 --- a/package-lock.json +++ b/package-lock.json @@ -51,20 +51,98 @@ "integrity": "sha512-3r/aACDJ3fhQ/EVgFy0hpj8oHyHpQc+LPtJoY9SzTThAsStm4Ptegq92vqKoE3vD706ZVFWITnMnxucw+S9Ipg==" }, "@babel/helper-function-name": { - "version": "7.19.0", - "resolved": "https://registry.npmjs.org/@babel/helper-function-name/-/helper-function-name-7.19.0.tgz", - "integrity": "sha512-WAwHBINyrpqywkUH0nTnNgI5ina5TFn85HKS0pbPDfxFfhyR/aNQEn4hGi1P1JyT//I0t4OgXUlofzWILRvS5w==", + "version": "7.23.0", + "resolved": "https://registry.npmjs.org/@babel/helper-function-name/-/helper-function-name-7.23.0.tgz", + "integrity": "sha512-OErEqsrxjZTJciZ4Oo+eoZqeW9UIiOcuYKRJA4ZAgV9myA+pOXhhmpfNCKjEH/auVfEYVFJ6y1Tc4r0eIApqiw==", "requires": { - "@babel/template": "^7.18.10", - "@babel/types": "^7.19.0" + "@babel/template": "^7.22.15", + "@babel/types": "^7.23.0" + }, + "dependencies": { + "@babel/code-frame": { + "version": "7.22.13", + "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.22.13.tgz", + "integrity": "sha512-XktuhWlJ5g+3TJXc5upd9Ks1HutSArik6jf2eAjYFyIOf4ej3RN+184cZbzDvbPnuTJIUhPKKJE3cIsYTiAT3w==", + "requires": { + "@babel/highlight": "^7.22.13", + "chalk": "^2.4.2" + } + }, + "@babel/helper-string-parser": { + "version": "7.22.5", + "resolved": "https://registry.npmjs.org/@babel/helper-string-parser/-/helper-string-parser-7.22.5.tgz", + "integrity": "sha512-mM4COjgZox8U+JcXQwPijIZLElkgEpO5rsERVDJTc2qfCDfERyob6k5WegS14SX18IIjv+XD+GrqNumY5JRCDw==" + }, + "@babel/helper-validator-identifier": { + "version": "7.22.20", + "resolved": "https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.22.20.tgz", + "integrity": "sha512-Y4OZ+ytlatR8AI+8KZfKuL5urKp7qey08ha31L8b3BwewJAoJamTzyvxPR/5D+KkdJCGPq/+8TukHBlY10FX9A==" + }, + "@babel/highlight": { + "version": "7.22.20", + "resolved": "https://registry.npmjs.org/@babel/highlight/-/highlight-7.22.20.tgz", + "integrity": "sha512-dkdMCN3py0+ksCgYmGG8jKeGA/8Tk+gJwSYYlFGxG5lmhfKNoAy004YpLxpS1W2J8m/EK2Ew+yOs9pVRwO89mg==", + "requires": { + "@babel/helper-validator-identifier": "^7.22.20", + "chalk": "^2.4.2", + "js-tokens": "^4.0.0" + } + }, + "@babel/parser": { + "version": "7.23.0", + "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.23.0.tgz", + "integrity": "sha512-vvPKKdMemU85V9WE/l5wZEmImpCtLqbnTvqDS2U1fJ96KrxoW7KrXhNsNCblQlg8Ck4b85yxdTyelsMUgFUXiw==" + }, + "@babel/template": { + "version": "7.22.15", + "resolved": "https://registry.npmjs.org/@babel/template/-/template-7.22.15.tgz", + "integrity": "sha512-QPErUVm4uyJa60rkI73qneDacvdvzxshT3kksGqlGWYdOTIUOwJ7RDUL8sGqslY1uXWSL6xMFKEXDS3ox2uF0w==", + "requires": { + "@babel/code-frame": "^7.22.13", + "@babel/parser": "^7.22.15", + "@babel/types": "^7.22.15" + } + }, + "@babel/types": { + "version": "7.23.0", + "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.23.0.tgz", + "integrity": "sha512-0oIyUfKoI3mSqMvsxBdclDwxXKXAUA8v/apZbc+iSyARYou1o8ZGDxbUYyLFoW2arqS2jDGqJuZvv1d/io1axg==", + "requires": { + "@babel/helper-string-parser": "^7.22.5", + "@babel/helper-validator-identifier": "^7.22.20", + "to-fast-properties": "^2.0.0" + } + } } }, "@babel/helper-hoist-variables": { - "version": "7.18.6", - "resolved": "https://registry.npmjs.org/@babel/helper-hoist-variables/-/helper-hoist-variables-7.18.6.tgz", - "integrity": "sha512-UlJQPkFqFULIcyW5sbzgbkxn2FKRgwWiRexcuaR8RNJRy8+LLveqPjwZV/bwrLZCN0eUHD/x8D0heK1ozuoo6Q==", + "version": "7.22.5", + "resolved": "https://registry.npmjs.org/@babel/helper-hoist-variables/-/helper-hoist-variables-7.22.5.tgz", + "integrity": "sha512-wGjk9QZVzvknA6yKIUURb8zY3grXCcOZt+/7Wcy8O2uctxhplmUPkOdlgoNhmdVee2c92JXbf1xpMtVNbfoxRw==", "requires": { - "@babel/types": "^7.18.6" + "@babel/types": "^7.22.5" + }, + "dependencies": { + "@babel/helper-string-parser": { + "version": "7.22.5", + "resolved": "https://registry.npmjs.org/@babel/helper-string-parser/-/helper-string-parser-7.22.5.tgz", + "integrity": "sha512-mM4COjgZox8U+JcXQwPijIZLElkgEpO5rsERVDJTc2qfCDfERyob6k5WegS14SX18IIjv+XD+GrqNumY5JRCDw==" + }, + "@babel/helper-validator-identifier": { + "version": "7.22.20", + "resolved": "https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.22.20.tgz", + "integrity": "sha512-Y4OZ+ytlatR8AI+8KZfKuL5urKp7qey08ha31L8b3BwewJAoJamTzyvxPR/5D+KkdJCGPq/+8TukHBlY10FX9A==" + }, + "@babel/types": { + "version": "7.23.0", + "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.23.0.tgz", + "integrity": "sha512-0oIyUfKoI3mSqMvsxBdclDwxXKXAUA8v/apZbc+iSyARYou1o8ZGDxbUYyLFoW2arqS2jDGqJuZvv1d/io1axg==", + "requires": { + "@babel/helper-string-parser": "^7.22.5", + "@babel/helper-validator-identifier": "^7.22.20", + "to-fast-properties": "^2.0.0" + } + } } }, "@babel/helper-module-imports": { @@ -191,20 +269,90 @@ } }, "@babel/traverse": { - "version": "7.20.13", - "resolved": "https://registry.npmjs.org/@babel/traverse/-/traverse-7.20.13.tgz", - "integrity": "sha512-kMJXfF0T6DIS9E8cgdLCSAL+cuCK+YEZHWiLK0SXpTo8YRj5lpJu3CDNKiIBCne4m9hhTIqUg6SYTAI39tAiVQ==", + "version": "7.23.2", + "resolved": "https://registry.npmjs.org/@babel/traverse/-/traverse-7.23.2.tgz", + "integrity": "sha512-azpe59SQ48qG6nu2CzcMLbxUudtN+dOM9kDbUqGq3HXUJRlo7i8fvPoxQUzYgLZ4cMVmuZgm8vvBpNeRhd6XSw==", "requires": { - "@babel/code-frame": "^7.18.6", - "@babel/generator": "^7.20.7", - "@babel/helper-environment-visitor": "^7.18.9", - "@babel/helper-function-name": "^7.19.0", - "@babel/helper-hoist-variables": "^7.18.6", - "@babel/helper-split-export-declaration": "^7.18.6", - "@babel/parser": "^7.20.13", - "@babel/types": "^7.20.7", + "@babel/code-frame": "^7.22.13", + "@babel/generator": "^7.23.0", + "@babel/helper-environment-visitor": "^7.22.20", + "@babel/helper-function-name": "^7.23.0", + "@babel/helper-hoist-variables": "^7.22.5", + "@babel/helper-split-export-declaration": "^7.22.6", + "@babel/parser": "^7.23.0", + "@babel/types": "^7.23.0", "debug": "^4.1.0", "globals": "^11.1.0" + }, + "dependencies": { + "@babel/code-frame": { + "version": "7.22.13", + "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.22.13.tgz", + "integrity": "sha512-XktuhWlJ5g+3TJXc5upd9Ks1HutSArik6jf2eAjYFyIOf4ej3RN+184cZbzDvbPnuTJIUhPKKJE3cIsYTiAT3w==", + "requires": { + "@babel/highlight": "^7.22.13", + "chalk": "^2.4.2" + } + }, + "@babel/generator": { + "version": "7.23.0", + "resolved": "https://registry.npmjs.org/@babel/generator/-/generator-7.23.0.tgz", + "integrity": "sha512-lN85QRR+5IbYrMWM6Y4pE/noaQtg4pNiqeNGX60eqOfo6gtEj6uw/JagelB8vVztSd7R6M5n1+PQkDbHbBRU4g==", + "requires": { + "@babel/types": "^7.23.0", + "@jridgewell/gen-mapping": "^0.3.2", + "@jridgewell/trace-mapping": "^0.3.17", + "jsesc": "^2.5.1" + } + }, + "@babel/helper-environment-visitor": { + "version": "7.22.20", + "resolved": "https://registry.npmjs.org/@babel/helper-environment-visitor/-/helper-environment-visitor-7.22.20.tgz", + "integrity": "sha512-zfedSIzFhat/gFhWfHtgWvlec0nqB9YEIVrpuwjruLlXfUSnA8cJB0miHKwqDnQ7d32aKo2xt88/xZptwxbfhA==" + }, + "@babel/helper-split-export-declaration": { + "version": "7.22.6", + "resolved": "https://registry.npmjs.org/@babel/helper-split-export-declaration/-/helper-split-export-declaration-7.22.6.tgz", + "integrity": "sha512-AsUnxuLhRYsisFiaJwvp1QF+I3KjD5FOxut14q/GzovUe6orHLesW2C7d754kRm53h5gqrz6sFl6sxc4BVtE/g==", + "requires": { + "@babel/types": "^7.22.5" + } + }, + "@babel/helper-string-parser": { + "version": "7.22.5", + "resolved": "https://registry.npmjs.org/@babel/helper-string-parser/-/helper-string-parser-7.22.5.tgz", + "integrity": "sha512-mM4COjgZox8U+JcXQwPijIZLElkgEpO5rsERVDJTc2qfCDfERyob6k5WegS14SX18IIjv+XD+GrqNumY5JRCDw==" + }, + "@babel/helper-validator-identifier": { + "version": "7.22.20", + "resolved": "https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.22.20.tgz", + "integrity": "sha512-Y4OZ+ytlatR8AI+8KZfKuL5urKp7qey08ha31L8b3BwewJAoJamTzyvxPR/5D+KkdJCGPq/+8TukHBlY10FX9A==" + }, + "@babel/highlight": { + "version": "7.22.20", + "resolved": "https://registry.npmjs.org/@babel/highlight/-/highlight-7.22.20.tgz", + "integrity": "sha512-dkdMCN3py0+ksCgYmGG8jKeGA/8Tk+gJwSYYlFGxG5lmhfKNoAy004YpLxpS1W2J8m/EK2Ew+yOs9pVRwO89mg==", + "requires": { + "@babel/helper-validator-identifier": "^7.22.20", + "chalk": "^2.4.2", + "js-tokens": "^4.0.0" + } + }, + "@babel/parser": { + "version": "7.23.0", + "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.23.0.tgz", + "integrity": "sha512-vvPKKdMemU85V9WE/l5wZEmImpCtLqbnTvqDS2U1fJ96KrxoW7KrXhNsNCblQlg8Ck4b85yxdTyelsMUgFUXiw==" + }, + "@babel/types": { + "version": "7.23.0", + "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.23.0.tgz", + "integrity": "sha512-0oIyUfKoI3mSqMvsxBdclDwxXKXAUA8v/apZbc+iSyARYou1o8ZGDxbUYyLFoW2arqS2jDGqJuZvv1d/io1axg==", + "requires": { + "@babel/helper-string-parser": "^7.22.5", + "@babel/helper-validator-identifier": "^7.22.20", + "to-fast-properties": "^2.0.0" + } + } } }, "@babel/types": {