ThreatVault new endpoints - API (#37411)

* tests * docsrtring * RN * Apply suggestions from code review Co-authored-by: ShirleyDenkberg <[email protected]> * readme * RN * RN * CR Fixes * RN * rn * RN --------- Co-authored-by: ShirleyDenkberg <[email protected]>
demisto · Dec 3, 2024 · c948530 · c948530
1 parent cf26f8c
commit c948530
Show file tree

Hide file tree

Showing 11 changed files with 303 additions and 40 deletions.
diff --git a/Packs/Base/ReleaseNotes/1_38_0.md b/Packs/Base/ReleaseNotes/1_38_0.md
@@ -0,0 +1,5 @@
+
+#### Scripts
+
+##### CommonServerPython
+Updated the IP class to return an IPv6 indicator based on the provided ip_type.
diff --git a/Packs/Base/Scripts/CommonServerPython/CommonServerPython.py b/Packs/Base/Scripts/CommonServerPython/CommonServerPython.py
@@ -3257,10 +3257,11 @@ def __init__(self, ip, dbot_score, asn=None, as_owner=None, region=None, port=No
                      malware_family=None, relationships=None, blocked=None, description=None, stix_id=None,
                      whois_records=None, organization_prevalence=None,
                      global_prevalence=None, organization_first_seen=None, organization_last_seen=None,
-                     first_seen_by_source=None, last_seen_by_source=None):
+                     first_seen_by_source=None, last_seen_by_source=None, ip_type="IP"):
 
             # Main value of the indicator
             self.ip = ip
+            self.ip_type = ip_type
 
             # Core custom fields - IP
             self.blocked = blocked
@@ -3445,8 +3446,14 @@ def to_context(self):
                                          relationship.to_context()]
                 ip_context['Relationships'] = relationships_context
 
+            if self.ip_type == "IP":
+                context_path = Common.IP.CONTEXT_PATH
+
+            elif self.ip_type == "IPv6":
+                context_path = Common.IP.CONTEXT_PATH.replace("IP", "IPv6")
+
             ret_value = {
-                Common.IP.CONTEXT_PATH: ip_context
+                context_path: ip_context
             }
 
             if self.dbot_score:

diff --git a/Packs/Base/pack_metadata.json b/Packs/Base/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Base",
     "description": "The base pack for Cortex XSOAR.",
     "support": "xsoar",
-    "currentVersion": "1.37.0",
+    "currentVersion": "1.38.0",
     "author": "Cortex XSOAR",
     "serverMinVersion": "6.0.0",
     "url": "https://www.paloaltonetworks.com/cortex",

diff --git a/Packs/PaloAltoNetworks_Threat_Vault/Integrations/ThreatVaultv2/ThreatVaultv2.py b/Packs/PaloAltoNetworks_Threat_Vault/Integrations/ThreatVaultv2/ThreatVaultv2.py
@@ -114,6 +114,15 @@ def __init__(
         self.name = "ThreatVault"
         self.reliability = reliability
 
+    def ip_feed_get_request(self, arg: str, value: str) -> dict:    # pragma: no cover
+        suffix = "ip-feed"
+        return self._http_request(method="GET", url_suffix=suffix, params={arg: value})
+
+    def ip_feed_batch_post_request(self, arg: str, value: str) -> dict:    # pragma: no cover
+        suffix = "ip-feed"
+        payload = json.dumps({"ipaddr": value})
+        return self._http_request(method="POST", url_suffix=suffix, data=payload)
+
     def antivirus_signature_get_request(self, arg: str, value: str) -> dict:    # pragma: no cover
 
         suffix = "threats"
@@ -187,7 +196,7 @@ def validate_arguments_search_command(
 
     if sum(1 for x in (cve, vendor, name) if x) > 1:
         raise ValueError(
-            "Only one of the following can be used at a time: " "cve, vendor, name"
+            "Only one of the following can be used at a time: cve, vendor, name"
         )
 
     if sum(1 for x in (from_release_date, to_release_date) if x) == 1:
@@ -469,6 +478,84 @@ def parse_resp_by_type(response: dict, expanded: bool = False) -> List[CommandRe
 """
 
 
+def ip_command(client: Client, args: dict) -> List[CommandResults]:
+    """Retrieve information about the inputted IP from ThreatVault
+
+    Args:
+        client (Client): An instance of the client to call the GET commands.
+        args (dict): The arguments inputted by the user.
+
+    Returns:
+        List[CommandResults]: A list of CommandResults objects to be returned to XSOAR.
+    """
+
+    def headers_transform(header):
+        headers = {"ipaddr": "IP",
+                   "geo": "Country",
+                   "asn": "ASN",
+                   "name": "Feed Name"}
+        return headers[header]
+
+    ips = argToList(args["ip"])
+    command_results_list: List[CommandResults] = []
+    dbot_reliability = DBotScoreReliability.get_dbot_score_reliability_from_str(
+        client.reliability
+    )
+
+    try:
+        if len(ips) == 1:
+            # Call single IP info
+            response = client.ip_feed_get_request(arg="ipaddr", value=ips[0])
+
+        else:
+            # Call batch command
+            response = client.ip_feed_batch_post_request(arg="ipaddr", value=ips)
+
+    except DemistoException:
+        raise
+
+    if response:
+        for data in response["data"]:
+            ip_type = FeedIndicatorType.ip_to_indicator_type(data["ipaddr"])
+
+            dbot_score = Common.DBotScore(
+                indicator=data["ipaddr"],
+                indicator_type=DBotScoreType.IP,
+                integration_name=client.name,
+                score=3 if data["status"] == "released" else 0,
+                reliability=dbot_reliability,
+            )
+
+            ip = Common.IP(
+                ip_type=ip_type,
+                ip=data["ipaddr"],
+                asn=data["asn"].split(" ")[0],
+                as_owner=re.sub("[()]", "", data["asn"].split(" ")[1]),
+                geo_country=data["geo"].split(" ")[0],
+                geo_description=re.sub("[()]", "", data["geo"].split(" ")[1]),
+                dbot_score=dbot_score,
+            )
+
+            readable_output = tableToMarkdown(
+                name="IP Feed Information",
+                t=data,
+                headers=["ipaddr", "geo", "asn", "name"],
+                headerTransform=headers_transform,
+                removeNull=True,
+            )
+
+            command_results = CommandResults(
+                readable_output=readable_output,
+                outputs=data,
+                outputs_prefix="ThreatVault.IP",
+                indicator=ip,
+            )
+
+            command_results_list.append(command_results)
+
+    return command_results_list
+
+
 def file_command(client: Client, args: Dict) -> List[CommandResults]:
     """
     Get the reputation of a sha256 or a md5 representing an antivirus
@@ -1041,13 +1128,15 @@ def main():
         commands = {
             "file": file_command,
             "cve": cve_command,
+            "ip": ip_command,
             "threatvault-threat-signature-get": threat_signature_get_command,
             "threatvault-release-note-get": release_note_get_command,
             "threatvault-threat-batch-search": threat_batch_search_command,
             "threatvault-threat-search": threat_search_command,
             "threatvault-atp-batch-report-get": atp_batch_report_command,
             "threatvault-atp-report-pcap-get": atp_report_pcap_command,
         }
+
         if demisto.command() == "test-module":
             # This is the call made when pressing the integration Test button.
             return_results(test_module(client))
@@ -1063,7 +1152,7 @@ def main():
 
     except Exception as err:
         demisto.error(traceback.format_exc())  # print the traceback
-        return_error(f"Failed to execute {command} command." f"\nError:\n{str(err)}")
+        return_error(f"Failed to execute {command} command.\nError:\n{str(err)}")
 
 
 if __name__ in ("__main__", "__builtin__", "builtins"):

diff --git a/Packs/PaloAltoNetworks_Threat_Vault/Integrations/ThreatVaultv2/ThreatVaultv2.yml b/Packs/PaloAltoNetworks_Threat_Vault/Integrations/ThreatVaultv2/ThreatVaultv2.yml
@@ -17,7 +17,7 @@ configuration:
   name: integrationReliability
   type: 15
   additionalinfo: Reliability of the source providing the intelligence data.
-  defaultvalue: D - Not usually reliable
+  defaultvalue: C - Fairly reliable
   options:
   - A+ - 3rd party enrichment
   - A - Completely reliable
@@ -56,11 +56,62 @@ configuration:
   required: false
 description: |-
   Use the Palo Alto Networks Threat Vault to research the latest threats (vulnerabilities/exploits, viruses, and spyware) that Palo Alto Networks next-generation firewalls can detect and prevent.
-  Query the Advanced Threat Protection (ATP) API endpoint for Analysis reports and PCAPs
+  Query the Advanced Threat Protection (ATP) API endpoint for Analysis reports and PCAPs.
 display: Palo Alto Networks Threat Vault v2
 name: Palo Alto Networks Threat Vault v2
 script:
   commands:
+  - arguments:
+    - default: true
+      description: A comma-separated list of IPs.
+      isArray: true
+      name: ip
+      required: true
+    description: Returns information about IPs.
+    name: ip
+    outputs:
+    - contextPath: DBotScore.Vendor
+      description: The vendor used to calculate the score.
+      type: String
+    - contextPath: DBotScore.Score
+      description: The actual score.
+      type: Number
+    - contextPath: DBotScore.Type
+      description: The indicator type.
+      type: String
+    - contextPath: DBotScore.Indicator
+      description: The indicator that was tested.
+      type: String
+    - contextPath: IP.Address
+      description: The IP address.
+      type: String
+    - contextPath: IP.ASN
+      description: The IP ASN.
+      type: String
+    - contextPath: IP.GeoCountry
+      description: The IP country.
+      type: String
+    - contextPath: ThreatVault.IP.ipaddr
+      description: The IP address.
+      type: String
+    - contextPath: ThreatVault.IP.asn
+      description: The IP ASN.
+      type: String
+    - contextPath: ThreatVault.IP.geo
+      description: The country where the IP is located.
+      type: String
+    - contextPath: ThreatVault.IP.release.first_release_version
+      description: The release version when the IP feed was released.
+      type: String
+    - contextPath: ThreatVault.IP.release.first_release_time
+      description: The release time when the IP feed was released.
+      type: String
+    - contextPath: ThreatVault.IP.name
+      description: The name of the IP feed entry.
+      type: String
+    - contextPath: ThreatVault.IP.status
+      description: The status of the IP feed entry.
+      type: String
   - arguments:
     - default: true
       description: A comma-separated list of SHA256 or MD5 hashes of the antivirus signature.
@@ -1140,96 +1191,96 @@ script:
       description: The status of the threat (e.g., inactive, active, or released).
       type: String
   - arguments:
-    - description: 'Provides the ATP report by matching the report id '
+    - description: Provides the ATP report by matching the report ID.
       isArray: true
       name: report_id
       required: true
-    description: Retrieve the Advanced Threat Prevention (ATP) report by report id in batch mode. Batch limit is 100 entries. Get one or more ATP reports. Must provide one or more report IDs
+    description: Retrieve the Advanced Threat Prevention (ATP) report by report ID in batch mode. Batch limit is 100 entries. Get one or more ATP reports. Must provide one or more report IDs.
     name: threatvault-atp-batch-report-get
     outputs:
     - contextPath: ThreatVault.ATP.Report
-      description: ThreatVault ATP Report ID
+      description: ThreatVault ATP Report ID.
       type: string
     - contextPath: ThreatVault.ATP.Report.err_msg
-      description: ThreatVault error message
+      description: ThreatVault error message.
       type: string
     - contextPath: ThreatVault.ATP.Report.panos_info.csp_id
-      description: ATP Report CSP
+      description: ATP Report CSP.
       type: string
     - contextPath: ThreatVault.ATP.Report.panos_info.fw_addr_v4
-      description: ATP Report firewall IP
+      description: ATP Report firewall IP.
       type: string
     - contextPath: ThreatVault.ATP.Report.panos_info.fw_app_version
-      description: ATP Report content version
+      description: ATP Report content version.
       type: string
     - contextPath: ThreatVault.ATP.Report.panos_info.fw_hostname
-      description: ATP Report firewall name
+      description: ATP Report firewall name.
       type: string
     - contextPath: ThreatVault.ATP.Report.panos_info.fw_model
-      description: ATP Report firewall model
+      description: ATP Report firewall model.
       type: string
     - contextPath: ThreatVault.ATP.Report.panos_info.fw_sw_version
-      description: ATP Report firewall PAN-OS
+      description: ATP Report firewall PAN-OS.
       type: string
     - contextPath: ThreatVault.ATP.Report.report_id
-      description: ATP Report ID
+      description: ATP Report ID.
       type: string
     - contextPath: ThreatVault.ATP.Report.session_info.flow_info.daddr
-      description: ATP Report Session Flow destination IP
+      description: ATP Report Session Flow destination IP.
       type: string
     - contextPath: ThreatVault.ATP.Report.session_info.flow_info.dport
-      description: ATP Report Session Flow destination Port
+      description: ATP Report Session Flow destination Port.
       type: string
     - contextPath: ThreatVault.ATP.Report.session_info.flow_info.saddr
-      description: ATP Report Session Flow source IP
+      description: ATP Report Session Flow source IP.
       type: string
     - contextPath: ThreatVault.ATP.Report.session_info.flow_info.sport
-      description: ATP Report Session Flow source Port
+      description: ATP Report Session Flow source Port.
       type: string
     - contextPath: ThreatVault.ATP.Report.session_info.session_id
-      description: ATP Report session ID
+      description: ATP Report session ID.
       type: string
     - contextPath: ThreatVault.ATP.Report.session_info.session_timestamp
-      description: ATP Report session timestamp
+      description: ATP Report session timestamp.
       type: string
     - contextPath: ThreatVault.ATP.Report.transaction_data.payload_sha256
-      description: ATP Report transaction payload sha256
+      description: ATP Report transaction payload sha256.
       type: string
     - contextPath: ThreatVault.ATP.Report.transaction_data.transaction_id
-      description: ATP Report transaction payload ID
+      description: ATP Report transaction payload ID.
       type: string
     - contextPath: ThreatVault.ATP.Report.transaction_data.detection_results.verdict
-      description: ATP Report transaction verdict
+      description: ATP Report transaction verdict.
       type: string
     - contextPath: ThreatVault.ATP.Report.transaction_data.detection_results.detection_service
-      description: ATP Report transaction detection service
+      description: ATP Report transaction detection service.
       type: string
     - contextPath: ThreatVault.ATP.Report.transaction_data.detection_results.details.payload_info.Method
-      description: ATP Report transaction payload method
+      description: ATP Report transaction payload method.
       type: string
     - contextPath: ThreatVault.ATP.Report.transaction_data.detection_results.details.payload_info.User-Agent
-      description: ATP Report transaction payload user-agent
+      description: ATP Report transaction payload user-agent.
       type: string
     - contextPath: ThreatVault.ATP.Report.transaction_data.detection_results.details.payload_info.Cookie
-      description: ATP Report transaction payload cookie
+      description: ATP Report transaction payload cookie.
       type: string
     - contextPath: ThreatVault.ATP.Report.transaction_data.detection_results.details.payload_info.Accept
-      description: ATP Report transaction payload accept
+      description: ATP Report transaction payload accept.
       type: string
     - contextPath: ThreatVault.ATP.Report.transaction_data.detection_results.details.payload_info.Host
-      description: ATP Report transaction payload host
+      description: ATP Report transaction payload host.
       type: string
     - contextPath: ThreatVault.ATP.Report.transaction_data.detection_results.details.payload_info.URI
-      description: ATP Report transaction payload URI
+      description: ATP Report transaction payload URI.
       type: string
     - contextPath: ThreatVault.ATP.Report.transaction_data.detection_results.details.payload_info.Cache-Control
-      description: ATP Report transaction payload cache-control
+      description: ATP Report transaction payload cache-control.
       type: string
     - contextPath: ThreatVault.ATP.Report.transaction_data.detection_results.details.payload_info.Version
-      description: ATP Report transaction payload version
+      description: ATP Report transaction payload version.
       type: string
     - contextPath: ThreatVault.ATP.Report.transaction_data.detection_results.details.payload_info.Connection
-      description: ATP Report transaction payload connection
+      description: ATP Report transaction payload connection.
       type: string
   - arguments:
     - description: Retrieve the ATP report sample (packet capture) by report id.
@@ -1239,10 +1290,10 @@ script:
     name: threatvault-atp-report-pcap-get
     outputs:
     - contextPath: ThreatVault.ATP.PCAP.ID
-      description: Threatvault ATP PCAP ID
+      description: Threatvault ATP PCAP ID.
       type: string
     - contextPath: ThreatVault.ATP.PCAP.Name
-      description: Threatvault ATP PCAP Name
+      description: Threatvault ATP PCAP name.
       type: string
   dockerimage: demisto/crypto:1.0.0.114611
   isfetch: true