From c9485300801ca76fd8b70467739229a85738408a Mon Sep 17 00:00:00 2001 From: Dror Avrahami Date: Tue, 3 Dec 2024 17:28:59 +0200 Subject: [PATCH] ThreatVault new endpoints - API (#37411) * tests * docsrtring * RN * Apply suggestions from code review Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * readme * RN * RN * CR Fixes * RN * rn * RN --------- Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> --- Packs/Base/ReleaseNotes/1_38_0.md | 5 + .../CommonServerPython/CommonServerPython.py | 11 +- Packs/Base/pack_metadata.json | 2 +- .../ThreatVaultv2/ThreatVaultv2.py | 93 +++++++++++++- .../ThreatVaultv2/ThreatVaultv2.yml | 119 +++++++++++++----- .../ThreatVaultv2/ThreatVaultv2_test.py | 88 +++++++++++++ .../test_data/ip_batch_results.json | 1 + .../test_data/single_ip_result.json | 1 + Packs/PaloAltoNetworks_Threat_Vault/README.md | 16 +++ .../ReleaseNotes/2_0_16.md | 5 + .../pack_metadata.json | 2 +- 11 files changed, 303 insertions(+), 40 deletions(-) create mode 100644 Packs/Base/ReleaseNotes/1_38_0.md create mode 100644 Packs/PaloAltoNetworks_Threat_Vault/Integrations/ThreatVaultv2/test_data/ip_batch_results.json create mode 100644 Packs/PaloAltoNetworks_Threat_Vault/Integrations/ThreatVaultv2/test_data/single_ip_result.json create mode 100644 Packs/PaloAltoNetworks_Threat_Vault/ReleaseNotes/2_0_16.md diff --git a/Packs/Base/ReleaseNotes/1_38_0.md b/Packs/Base/ReleaseNotes/1_38_0.md new file mode 100644 index 000000000000..afa10288d734 --- /dev/null +++ b/Packs/Base/ReleaseNotes/1_38_0.md @@ -0,0 +1,5 @@ + +#### Scripts + +##### CommonServerPython +Updated the IP class to return an IPv6 indicator based on the provided ip_type. diff --git a/Packs/Base/Scripts/CommonServerPython/CommonServerPython.py b/Packs/Base/Scripts/CommonServerPython/CommonServerPython.py index 1ad3c78b7f4a..731c53487fc9 100644 --- a/Packs/Base/Scripts/CommonServerPython/CommonServerPython.py 
+++ b/Packs/Base/Scripts/CommonServerPython/CommonServerPython.py
@@ -3257,10 +3257,11 @@ def __init__(self, ip, dbot_score, asn=None, as_owner=None, region=None, port=No
 malware_family=None, relationships=None, blocked=None, description=None, stix_id=None, whois_records=None, organization_prevalence=None, global_prevalence=None, organization_first_seen=None, organization_last_seen=None,
- first_seen_by_source=None, last_seen_by_source=None):
+ first_seen_by_source=None, last_seen_by_source=None, ip_type="IP"):
 # Main value of the indicator
 self.ip = ip
+ self.ip_type = ip_type
 # Core custom fields - IP
 self.blocked = blocked
@@ -3445,8 +3446,14 @@ def to_context(self):
 relationship.to_context()]
 ip_context['Relationships'] = relationships_context
+ if self.ip_type == "IP":
+ context_path = Common.IP.CONTEXT_PATH
+
+ elif self.ip_type == "IPv6":
+ context_path = Common.IP.CONTEXT_PATH.replace("IP", "IPv6")
+
 ret_value = {
- Common.IP.CONTEXT_PATH: ip_context
+ context_path: ip_context
 }
 if self.dbot_score:
diff --git a/Packs/Base/pack_metadata.json b/Packs/Base/pack_metadata.json
index 999dfea9394d..62431f25ffdb 100644
--- a/Packs/Base/pack_metadata.json
+++ b/Packs/Base/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Base",
 "description": "The base pack for Cortex XSOAR.",
 "support": "xsoar",
- "currentVersion": "1.37.0",
+ "currentVersion": "1.38.0",
 "author": "Cortex XSOAR",
 "serverMinVersion": "6.0.0",
 "url": "https://www.paloaltonetworks.com/cortex",
diff --git a/Packs/PaloAltoNetworks_Threat_Vault/Integrations/ThreatVaultv2/ThreatVaultv2.py b/Packs/PaloAltoNetworks_Threat_Vault/Integrations/ThreatVaultv2/ThreatVaultv2.py
index a7946a19672b..c537e239da0b 100644
--- a/Packs/PaloAltoNetworks_Threat_Vault/Integrations/ThreatVaultv2/ThreatVaultv2.py
+++ b/Packs/PaloAltoNetworks_Threat_Vault/Integrations/ThreatVaultv2/ThreatVaultv2.py
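Review bot: In to_context, `context_path` is only bound inside the `if self.ip_type == "IP"` / `elif self.ip_type == "IPv6"` branches, so any other value raises UnboundLocalError at the `ret_value = {context_path: ip_context}` line that follows (the rest of to_context lies outside the hunk); ip_command in this PR passes whatever `FeedIndicatorType.ip_to_indicator_type` returns straight through, which is presumably not guaranteed to be one of those two strings. An `else: raise ValueError(f"Unsupported ip_type: {self.ip_type!r}")` after the elif, or validating `ip_type` once in `__init__` (first hunk) so the error surfaces at construction, closes the gap. The new keyword parameter is also not described in the `__init__` docstring, which sits outside the hunk; one line such as `ip_type: indicator type to emit in context, "IP" (default) or "IPv6"` would do. Deriving the IPv6 path with `Common.IP.CONTEXT_PATH.replace("IP", "IPv6")` depends on that string containing "IP" exactly where intended (CONTEXT_PATH is not visible here); a dedicated class constant for the IPv6 path would be easier to keep correct.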
@@ -114,6 +114,15 @@ def __init__(
 self.name = "ThreatVault"
 self.reliability = reliability
+ def ip_feed_get_request(self, arg: str, value: str) -> dict: # pragma: no cover
+ suffix = "ip-feed"
+ return self._http_request(method="GET", url_suffix=suffix, params={arg: value})
+
+ def ip_feed_batch_post_request(self, arg: str, value: str) -> dict: # pragma: no cover
+ suffix = "ip-feed"
+ payload = json.dumps({"ipaddr": value})
+ return self._http_request(method="POST", url_suffix=suffix, data=payload)
+
+
 def antivirus_signature_get_request(self, arg: str, value: str) -> dict: # pragma: no cover
 suffix = "threats"
@@ -187,7 +196,7 @@ def validate_arguments_search_command(
 if sum(1 for x in (cve, vendor, name) if x) > 1:
 raise ValueError(
- "Only one of the following can be used at a time: " "cve, vendor, name"
+ "Only one of the following can be used at a time: cve, vendor, name"
 )
 if sum(1 for x in (from_release_date, to_release_date) if x) == 1:
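Review bot: `ip_feed_batch_post_request` declares `arg: str, value: str` but never reads `arg` and is called from ip_command with a list for `value`, so the signature misdescribes the contract; `def ip_feed_batch_post_request(self, arg: str, value: list) -> dict:` with the payload built as `{arg: value}` would make both parameters honest and mirror `ip_feed_get_request`. The body also serialises the payload by hand into `data=`, which sends a JSON body without a `Content-Type: application/json` header unless the client's default headers set one (not visible here); `return self._http_request(method="POST", url_suffix=suffix, json_data={"ipaddr": value})` lets BaseClient set the header and drops the `json.dumps`. Both methods are `# pragma: no cover` and the new test mocks them, so nothing exercises the request shape; a one-line docstring on each naming the endpoint and the expected form of `value` would help the next reader. The enclosing Client class continues outside the hunk.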
@@ -469,6 +478,84 @@ def parse_resp_by_type(response: dict, expanded: bool = False) -> List[CommandRe
 """
+def ip_command(client: Client, args: dict) -> List[CommandResults]:
+ """Retrieve information about the inputted IP from ThreatVault
+
+ Args:
+ client (Client): An instance of the client to call the GET commands.
+ args (dict): The arguments inputted by the user.
+
+ Returns:
+ List[CommandResults]: A list of CommandResults objects to be returned to XSOAR.
+ """
+
+ def headers_transform(header):
+ headers = {"ipaddr": "IP",
+ "geo": "Country",
+ "asn": "ASN",
+ "name": "Feed Name"}
+ return headers[header]
+
+ ips = argToList(args["ip"])
+ command_results_list: List[CommandResults] = []
+ dbot_reliability = DBotScoreReliability.get_dbot_score_reliability_from_str(
+ client.reliability
+ )
+
+ try:
+ if len(ips) == 1:
+ # Call single IP info
+ response = client.ip_feed_get_request(arg="ipaddr", value=ips[0])
+
+ else:
+ # Call batch command
+ response = client.ip_feed_batch_post_request(arg="ipaddr", value=ips)
+
+ except DemistoException:
+ raise
+
+ if response:
+ for data in response["data"]:
+ ip_type = FeedIndicatorType.ip_to_indicator_type(data["ipaddr"])
+
+ dbot_score = Common.DBotScore(
+ indicator=data["ipaddr"],
+ indicator_type=DBotScoreType.IP,
+ integration_name=client.name,
+ score=3 if data["status"] == "released" else 0,
+ reliability=dbot_reliability,
+ )
+
+ ip = Common.IP(
+ ip_type=ip_type,
+ ip=data["ipaddr"],
+ asn=data["asn"].split(" ")[0],
+ as_owner=re.sub("[()]", "", data["asn"].split(" ")[1]),
+ geo_country=data["geo"].split(" ")[0],
+ geo_description=re.sub("[()]", "", data["geo"].split(" ")[1]),
+ dbot_score=dbot_score,
+ )
+
+ readable_output = tableToMarkdown(
+ name="IP Feed Information",
+ t=data,
+ headers=["ipaddr", "geo", "asn", "name"],
+ headerTransform=headers_transform,
+ removeNull=True,
+ )
+
+ command_results = CommandResults(
+ readable_output=readable_output,
+ outputs=data,
+ outputs_prefix="ThreatVault.IP",
+ indicator=ip,
+ )
+
+ command_results_list.append(command_results)
+
+ return command_results_list
+
+
 def file_command(client: Client, args: Dict) -> List[CommandResults]:
 """
 Get the reputation of a sha256 or a md5 representing an antivirus
@@ -1041,6 +1128,7 @@ def main():
 commands = {
 "file": file_command,
 "cve": cve_command,
+ "ip": ip_command,
 "threatvault-threat-signature-get": threat_signature_get_command,
 "threatvault-release-note-get": release_note_get_command,
 "threatvault-threat-batch-search": threat_batch_search_command,
@@ -1048,6 +1136,7 @@ def main():
 "threatvault-atp-batch-report-get": atp_batch_report_command,
 "threatvault-atp-report-pcap-get": atp_report_pcap_command,
 }
+
 if demisto.command() == "test-module":
 # This is the call made when pressing the integration Test button.
 return_results(test_module(client))
@@ -1063,7 +1152,7 @@ def main():
 except Exception as err:
 demisto.error(traceback.format_exc()) # print the traceback
- return_error(f"Failed to execute {command} command." f"\nError:\n{str(err)}")
+ return_error(f"Failed to execute {command} command.\nError:\n{str(err)}")
 if __name__ in ("__main__", "__builtin__", "builtins"):
diff --git a/Packs/PaloAltoNetworks_Threat_Vault/Integrations/ThreatVaultv2/ThreatVaultv2.yml b/Packs/PaloAltoNetworks_Threat_Vault/Integrations/ThreatVaultv2/ThreatVaultv2.yml
index 75e339f095c9..212faba0d6b5 100644
--- a/Packs/PaloAltoNetworks_Threat_Vault/Integrations/ThreatVaultv2/ThreatVaultv2.yml
+++ b/Packs/PaloAltoNetworks_Threat_Vault/Integrations/ThreatVaultv2/ThreatVaultv2.yml
@@ -17,7 +17,7 @@ configuration:
 name: integrationReliability
 type: 15
 additionalinfo: Reliability of the source providing the intelligence data.
- defaultvalue: D - Not usually reliable
+ defaultvalue: C - Fairly reliable
 options:
 - A+ - 3rd party enrichment
 - A - Completely reliable
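Review bot: The ASN and geo parsing in ip_command, `data["asn"].split(" ")[1]` and `data["geo"].split(" ")[1]`, keeps only the second whitespace-separated token, so multi-word values are truncated — the fixtures added in this PR record `"ASOwner": "GOOGLE,"` and `"Description": "United"` for `"15169 (GOOGLE, US)"` and `"US (United States of America)"` — and a value with no space at all (an empty string, or a literal `"null"` like the `name` field in the same fixture) raises IndexError for the whole batch. Splitting once on the first space with `str.partition` and stripping the parentheses from the remainder fixes both; the rewrite below replaces the four keyword arguments of `Common.IP`. The `try: ... except DemistoException: raise` around the client calls is a no-op and can be dropped, and `response["data"]` should be `response.get("data", [])` since only the truthiness of `response` is checked. The literal scores `3` and `0` are `Common.DBotScore.BAD` and `Common.DBotScore.NONE`; using the names, with a comment that only `status == "released"` is treated as a confirmed feed entry, documents the verdict.
```python
            # Fixture values look like "15169 (GOOGLE, US)" / "US (United States of America)":
            # split once so a multi-word remainder survives and a missing remainder gives "".
            asn_number, _, asn_owner = str(data.get("asn", "")).partition(" ")
            country_code, _, country_name = str(data.get("geo", "")).partition(" ")

            ip = Common.IP(
                ip_type=ip_type,
                ip=data["ipaddr"],
                asn=asn_number,
                as_owner=re.sub("[()]", "", asn_owner),
                geo_country=country_code,
                geo_description=re.sub("[()]", "", country_name),
                dbot_score=dbot_score,
            )
            # … unchanged: readable_output / CommandResults construction …
```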
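Review bot: The default for `integrationReliability` moves from `D - Not usually reliable` to `C - Fairly reliable`, but neither release note in this PR records it (2_0_16.md only mentions the ip-feed endpoint), and it changes how much weight ThreatVault verdicts carry when DBot scores from several sources are merged. Add a line to `Packs/PaloAltoNetworks_Threat_Vault/ReleaseNotes/2_0_16.md` such as `Changed the default source reliability to "C - Fairly reliable".`, and if the intent is that existing instances keep D, say so, since a `defaultvalue` change presumably applies only to newly created instances.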
@@ -56,11 +56,62 @@ configuration:
 required: false
 description: |-
 Use the Palo Alto Networks Threat Vault to research the latest threats (vulnerabilities/exploits, viruses, and spyware) that Palo Alto Networks next-generation firewalls can detect and prevent.
- Query the Advanced Threat Protection (ATP) API endpoint for Analysis reports and PCAPs
+ Query the Advanced Threat Protection (ATP) API endpoint for Analysis reports and PCAPs.
 display: Palo Alto Networks Threat Vault v2
 name: Palo Alto Networks Threat Vault v2
 script:
 commands:
+ - arguments:
+ - default: true
+ description: A comma-separated list of IPs.
+ isArray: true
+ name: ip
+ required: true
+ description: Returns information about IPs.
+ name: ip
+ outputs:
+ - contextPath: DBotScore.Vendor
+ description: The vendor used to calculate the score.
+ type: String
+ - contextPath: DBotScore.Score
+ description: The actual score.
+ type: Number
+ - contextPath: DBotScore.Type
+ description: The indicator type.
+ type: String
+ - contextPath: DBotScore.Indicator
+ description: The indicator that was tested.
+ type: String
+ - contextPath: IP.Address
+ description: The IP address.
+ type: String
+ - contextPath: IP.ASN
+ description: The IP ASN.
+ type: String
+ - contextPath: IP.GeoCountry
+ description: The IP country.
+ type: String
+ - contextPath: ThreatVault.IP.ipaddr
+ description: The IP address.
+ type: String
+ - contextPath: ThreatVault.IP.asn
+ description: The IP ASN.
+ type: String
+ - contextPath: ThreatVault.IP.geo
+ description: The country where the IP is located.
+ type: String
+ - contextPath: ThreatVault.IP.release.first_release_version
+ description: The release version when the IP feed was released.
+ type: String
+ - contextPath: ThreatVault.IP.release.first_release_time
+ description: The release time when the IP feed was released.
+ type: String
+ - contextPath: ThreatVault.IP.name
+ description: The name of the IP feed entry.
+ type: String
+ - contextPath: ThreatVault.IP.status
+ description: The status of the IP feed entry.
+ type: String
 - arguments:
 - default: true
 description: A comma-separated list of SHA256 or MD5 hashes of the antivirus signature.
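Review bot: The `ip` command's `outputs` do not match the context the command actually writes: the expected fixtures in this PR show the standard indicator under `IP.Geo.Country` (nested, next to `IP.Geo.Description`) plus `IP.ASOwner` and `DBotScore.Reliability`, while the listed `IP.GeoCountry` is never produced. Change `- contextPath: IP.GeoCountry` to `- contextPath: IP.Geo.Country` and add entries for `IP.Geo.Description`, `IP.ASOwner` and `DBotScore.Reliability` with one-line descriptions. Since Common.IP now emits an `IPv6.*` path when `ip_type` resolves to IPv6 (CommonServerPython hunk in this PR), the IPv6 variants of these paths presumably also need listing if the command is meant to enrich IPv6 addresses.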
@@ -1140,96 +1191,96 @@ script: description: The status of the threat (e.g., inactive, active, or released). type: String - arguments: - - description: 'Provides the ATP report by matching the report id ' + - description: Provides the ATP report by matching the report ID. isArray: true name: report_id required: true - description: Retrieve the Advanced Threat Prevention (ATP) report by report id in batch mode. Batch limit is 100 entries. Get one or more ATP reports. Must provide one or more report IDs + description: Retrieve the Advanced Threat Prevention (ATP) report by report ID in batch mode. Batch limit is 100 entries. Get one or more ATP reports. Must provide one or more report IDs. name: threatvault-atp-batch-report-get outputs: - contextPath: ThreatVault.ATP.Report - description: ThreatVault ATP Report ID + description: ThreatVault ATP Report ID. type: string - contextPath: ThreatVault.ATP.Report.err_msg - description: ThreatVault error message + description: ThreatVault error message. type: string - contextPath: ThreatVault.ATP.Report.panos_info.csp_id - description: ATP Report CSP + description: ATP Report CSP. type: string - contextPath: ThreatVault.ATP.Report.panos_info.fw_addr_v4 - description: ATP Report firewall IP + description: ATP Report firewall IP. type: string - contextPath: ThreatVault.ATP.Report.panos_info.fw_app_version - description: ATP Report content version + description: ATP Report content version. type: string - contextPath: ThreatVault.ATP.Report.panos_info.fw_hostname - description: ATP Report firewall name + description: ATP Report firewall name. type: string - contextPath: ThreatVault.ATP.Report.panos_info.fw_model - description: ATP Report firewall model + description: ATP Report firewall model. type: string - contextPath: ThreatVault.ATP.Report.panos_info.fw_sw_version - description: ATP Report firewall PAN-OS + description: ATP Report firewall PAN-OS. 
type: string - contextPath: ThreatVault.ATP.Report.report_id - description: ATP Report ID + description: ATP Report ID. type: string - contextPath: ThreatVault.ATP.Report.session_info.flow_info.daddr - description: ATP Report Session Flow destination IP + description: ATP Report Session Flow destination IP. type: string - contextPath: ThreatVault.ATP.Report.session_info.flow_info.dport - description: ATP Report Session Flow destination Port + description: ATP Report Session Flow destination Port. type: string - contextPath: ThreatVault.ATP.Report.session_info.flow_info.saddr - description: ATP Report Session Flow source IP + description: ATP Report Session Flow source IP. type: string - contextPath: ThreatVault.ATP.Report.session_info.flow_info.sport - description: ATP Report Session Flow source Port + description: ATP Report Session Flow source Port. type: string - contextPath: ThreatVault.ATP.Report.session_info.session_id - description: ATP Report session ID + description: ATP Report session ID. type: string - contextPath: ThreatVault.ATP.Report.session_info.session_timestamp - description: ATP Report session timestamp + description: ATP Report session timestamp. type: string - contextPath: ThreatVault.ATP.Report.transaction_data.payload_sha256 - description: ATP Report transaction payload sha256 + description: ATP Report transaction payload sha256. type: string - contextPath: ThreatVault.ATP.Report.transaction_data.transaction_id - description: ATP Report transaction payload ID + description: ATP Report transaction payload ID. type: string - contextPath: ThreatVault.ATP.Report.transaction_data.detection_results.verdict - description: ATP Report transaction verdict + description: ATP Report transaction verdict. type: string - contextPath: ThreatVault.ATP.Report.transaction_data.detection_results.detection_service - description: ATP Report transaction detection service + description: ATP Report transaction detection service. 
type: string - contextPath: ThreatVault.ATP.Report.transaction_data.detection_results.details.payload_info.Method - description: ATP Report transaction payload method + description: ATP Report transaction payload method. type: string - contextPath: ThreatVault.ATP.Report.transaction_data.detection_results.details.payload_info.User-Agent - description: ATP Report transaction payload user-agent + description: ATP Report transaction payload user-agent. type: string - contextPath: ThreatVault.ATP.Report.transaction_data.detection_results.details.payload_info.Cookie - description: ATP Report transaction payload cookie + description: ATP Report transaction payload cookie. type: string - contextPath: ThreatVault.ATP.Report.transaction_data.detection_results.details.payload_info.Accept - description: ATP Report transaction payload accept + description: ATP Report transaction payload accept. type: string - contextPath: ThreatVault.ATP.Report.transaction_data.detection_results.details.payload_info.Host - description: ATP Report transaction payload host + description: ATP Report transaction payload host. type: string - contextPath: ThreatVault.ATP.Report.transaction_data.detection_results.details.payload_info.URI - description: ATP Report transaction payload URI + description: ATP Report transaction payload URI. type: string - contextPath: ThreatVault.ATP.Report.transaction_data.detection_results.details.payload_info.Cache-Control - description: ATP Report transaction payload cache-control + description: ATP Report transaction payload cache-control. type: string - contextPath: ThreatVault.ATP.Report.transaction_data.detection_results.details.payload_info.Version - description: ATP Report transaction payload version + description: ATP Report transaction payload version. 
type: string
 - contextPath: ThreatVault.ATP.Report.transaction_data.detection_results.details.payload_info.Connection
- description: ATP Report transaction payload connection
+ description: ATP Report transaction payload connection.
 type: string
 - arguments:
 - description: Retrieve the ATP report sample (packet capture) by report id.
@@ -1239,10 +1290,10 @@ script:
 name: threatvault-atp-report-pcap-get
 outputs:
 - contextPath: ThreatVault.ATP.PCAP.ID
- description: Threatvault ATP PCAP ID
+ description: Threatvault ATP PCAP ID.
 type: string
 - contextPath: ThreatVault.ATP.PCAP.Name
- description: Threatvault ATP PCAP Name
+ description: Threatvault ATP PCAP name.
 type: string
 dockerimage: demisto/crypto:1.0.0.114611
 isfetch: true
diff --git a/Packs/PaloAltoNetworks_Threat_Vault/Integrations/ThreatVaultv2/ThreatVaultv2_test.py b/Packs/PaloAltoNetworks_Threat_Vault/Integrations/ThreatVaultv2/ThreatVaultv2_test.py
index 122ab87b60d4..d33b253bee42 100644
--- a/Packs/PaloAltoNetworks_Threat_Vault/Integrations/ThreatVaultv2/ThreatVaultv2_test.py
+++ b/Packs/PaloAltoNetworks_Threat_Vault/Integrations/ThreatVaultv2/ThreatVaultv2_test.py
@@ -14,9 +14,15 @@
 resp_to_hr,
 parse_date,
 reputation_type_to_hr,
+ ip_command
 )
+def _open_json_file(path):
+ with open(path) as f:
+ return json.loads(f.read())
+
+
 @pytest.mark.parametrize(
 "command, demisto_args, expected_results",
 [
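Review bot: `_open_json_file` resolves `path` against the process working directory, and it is called from the `@pytest.mark.parametrize` arguments of the next hunk, which are evaluated at import time, so `_open_json_file("test_data/single_ip_result.json")` only works when pytest is started from the integration directory; anchoring on the module with `os.path.join(os.path.dirname(__file__), path)` makes the test location-independent (this needs `os` imported, which is not visible in the hunk). `json.loads(f.read())` can simply be `json.load(f)`, and `open(path)` should pass `encoding="utf-8"` so the fixture does not depend on the locale. The `json` import the helper relies on is also outside the hunk; worth confirming it is present.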
@@ -447,6 +453,88 @@ def test_resp_to_hr(resp, type_, expanded, expected, expected_content):
 assert result[key] == value
+@pytest.mark.parametrize(
+ "args, response, expected_results",
+ [
+ pytest.param(
+ {"ip": "8.8.8.8"},
+ {
+ "success": "true",
+ "link": {
+ "next": "null",
+ "previous": "null",
+ },
+ "count": 1,
+ "data": [
+ {
+ "ipaddr": "8.8.8.8",
+ "name": "null",
+ "status": "N/A",
+ "release": {},
+ "geo": "US (United States of America)",
+ "asn": "15169 (GOOGLE, US)",
+ }
+ ],
+ "message": "Successful",
+ },
+ _open_json_file("test_data/single_ip_result.json"),
+ id="Single IP test",
+ ),
+ pytest.param(
+ {"ip": "8.8.8.8, 9.9.9.9"},
+ {
+ "success": "true",
+ "link": {"next": "null", "previous": "null"},
+ "count": 2,
+ "data": [
+ {
+ "ipaddr": "8.8.8.8",
+ "name": "null",
+ "status": "N/A",
+ "release": {},
+ "geo": "US (United States of America)",
+ "asn": "15169 (GOOGLE, US)",
+ },
+ {
+ "ipaddr": "9.9.9.9",
+ "name": "null",
+ "status": "N/A",
+ "release": {},
+ "geo": "CH (Switzerland)",
+ "asn": "19281 (QUAD9-AS-1, CH)",
+ },
+ ],
+ "message": "Successful",
+ },
+ _open_json_file("test_data/ip_batch_results.json"),
+ id="IP Batch",
+ ),
+ ]
+)
+def test_ip_command(mocker, args, response, expected_results):
+
+ client = Client(
+ base_url="test",
+ api_key="test",
+ verify=False,
+ proxy=False,
+ reliability="E - Unreliable",
+ )
+
+ mocker.patch.object(
+ client, "ip_feed_get_request", return_value=response
+ )
+
+ mocker.patch.object(
+ client, "ip_feed_batch_post_request", return_value=response
+ )
+
+ results = ip_command(client, args)
+ results = [result.to_context() for result in results]
+
+ assert results == expected_results
+
+
 FILE_COMMAND_ARGS = [
 (
 {"file": "xxxxzzzzaaaaxxxxzzzzaaaaxxxxzzzzaaaaxxxxzzzzaaaaxxxxzzzzaaaaxxxx"},
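Review bot: test_ip_command patches both `ip_feed_get_request` and `ip_feed_batch_post_request` with the same `response`, so it never checks that a single IP goes to the GET path and a comma-separated list to the batch POST; keeping the two mock objects and asserting on them, e.g. `get_mock.assert_called_once_with(arg="ipaddr", value="8.8.8.8")` for the first case and `batch_mock.assert_called_once_with(arg="ipaddr", value=["8.8.8.8", "9.9.9.9"])` for the second (assuming argToList strips the space after the comma), would cover the dispatch. The expected fixtures also freeze the truncated parsing in ip_command (`"ASOwner": "GOOGLE,"` and `"Description": "United"` in single_ip_result.json), so the test passes because of a defect rather than guarding against it; regenerate them once the owner/description parsing is fixed. A case with `"status": "released"` would additionally pin the only branch that yields a non-zero DBot score.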
diff --git a/Packs/PaloAltoNetworks_Threat_Vault/Integrations/ThreatVaultv2/test_data/ip_batch_results.json b/Packs/PaloAltoNetworks_Threat_Vault/Integrations/ThreatVaultv2/test_data/ip_batch_results.json new file mode 100644 index 000000000000..f60c9fdc5772 --- /dev/null +++ b/Packs/PaloAltoNetworks_Threat_Vault/Integrations/ThreatVaultv2/test_data/ip_batch_results.json 
@@ -0,0 +1 @@ +[{"Type": 1, "ContentsFormat": "json", "Contents": {"ipaddr": "8.8.8.8", "name": "null", "status": "N/A", "release": {}, "geo": "US (United States of America)", "asn": "15169 (GOOGLE, US)"}, "HumanReadable": "### IP Feed Information\n|IP|Country|ASN|Feed Name|\n|---|---|---|---|\n| 8.8.8.8 | US (United States of America) | 15169 (GOOGLE, US) | null |\n", "EntryContext": {"IP(val.Address && val.Address == obj.Address)": [{"Address": "8.8.8.8", "ASN": "15169", "ASOwner": "GOOGLE,", "Geo": {"Country": "US", "Description": "United"}}], "DBotScore(val.Indicator && val.Indicator == obj.Indicator && val.Vendor == obj.Vendor && val.Type == obj.Type)": [{"Indicator": "8.8.8.8", "Type": "ip", "Vendor": "ThreatVault", "Score": 0, "Reliability": "E - Unreliable"}], "ThreatVault.IP": {"ipaddr": "8.8.8.8", "name": "null", "status": "N/A", "release": {}, "geo": "US (United States of America)", "asn": "15169 (GOOGLE, US)"}}, "IndicatorTimeline": [], "IgnoreAutoExtract": false, "Note": false, "Relationships": []}, {"Type": 1, "ContentsFormat": "json", "Contents": {"ipaddr": "9.9.9.9", "name": "null", "status": "N/A", "release": {}, "geo": "CH (Switzerland)", "asn": "19281 (QUAD9-AS-1, CH)"}, "HumanReadable": "### IP Feed Information\n|IP|Country|ASN|Feed Name|\n|---|---|---|---|\n| 9.9.9.9 | CH (Switzerland) | 19281 (QUAD9-AS-1, CH) | null |\n", "EntryContext": {"IP(val.Address && val.Address == obj.Address)": [{"Address": "9.9.9.9", "ASN": "19281", "ASOwner": "QUAD9-AS-1,", "Geo": {"Country": "CH", "Description": "Switzerland"}}], "DBotScore(val.Indicator && val.Indicator == obj.Indicator && val.Vendor == obj.Vendor && val.Type == obj.Type)": [{"Indicator": "9.9.9.9", "Type": "ip", "Vendor": "ThreatVault", "Score": 0, "Reliability": "E - Unreliable"}], "ThreatVault.IP": {"ipaddr": "9.9.9.9", "name": "null", "status": "N/A", "release": {}, "geo": "CH (Switzerland)", "asn": "19281 (QUAD9-AS-1, CH)"}}, "IndicatorTimeline": [], "IgnoreAutoExtract": false, "Note": false, 
"Relationships": []}] \ No newline at end of file diff --git a/Packs/PaloAltoNetworks_Threat_Vault/Integrations/ThreatVaultv2/test_data/single_ip_result.json b/Packs/PaloAltoNetworks_Threat_Vault/Integrations/ThreatVaultv2/test_data/single_ip_result.json new file mode 100644 index 000000000000..df9a34d02575 --- /dev/null +++ b/Packs/PaloAltoNetworks_Threat_Vault/Integrations/ThreatVaultv2/test_data/single_ip_result.json @@ -0,0 +1 @@ +[{"Type": 1, "ContentsFormat": "json", "Contents": {"ipaddr": "8.8.8.8", "name": "null", "status": "N/A", "release": {}, "geo": "US (United States of America)", "asn": "15169 (GOOGLE, US)"}, "HumanReadable": "### IP Feed Information\n|IP|Country|ASN|Feed Name|\n|---|---|---|---|\n| 8.8.8.8 | US (United States of America) | 15169 (GOOGLE, US) | null |\n", "EntryContext": {"IP(val.Address && val.Address == obj.Address)": [{"Address": "8.8.8.8", "ASN": "15169", "ASOwner": "GOOGLE,", "Geo": {"Country": "US", "Description": "United"}}], "DBotScore(val.Indicator && val.Indicator == obj.Indicator && val.Vendor == obj.Vendor && val.Type == obj.Type)": [{"Indicator": "8.8.8.8", "Type": "ip", "Vendor": "ThreatVault", "Score": 0, "Reliability": "E - Unreliable"}], "ThreatVault.IP": {"ipaddr": "8.8.8.8", "name": "null", "status": "N/A", "release": {}, "geo": "US (United States of America)", "asn": "15169 (GOOGLE, US)"}}, "IndicatorTimeline": [], "IgnoreAutoExtract": false, "Note": false, "Relationships": []}] \ No newline at end of file diff --git a/Packs/PaloAltoNetworks_Threat_Vault/README.md b/Packs/PaloAltoNetworks_Threat_Vault/README.md index e69de29bb2d1..f3ab93237495 100644 --- a/Packs/PaloAltoNetworks_Threat_Vault/README.md +++ b/Packs/PaloAltoNetworks_Threat_Vault/README.md 
@@ -0,0 +1,16 @@ + +# Palo Alto Networks Threat Vault Pack + +## Overview + +The Threat Vault API provides Palo Alto Networks customers with an active Advanced Threat Prevention or Threat Prevention subscription with the ability to access threat signature metadata and other pertinent information that's only available in Threat Vault. + +## Use Cases + +- Retrieve detailed information about specific threat signatures. +- Access the latest threat intelligence data from Palo Alto Networks. +- Enhance threat hunting and incident response capabilities with up-to-date threat metadata. + +## Support + +For any questions or issues, please contact Palo Alto Networks support or visit the Cortex XSOAR community forums. diff --git a/Packs/PaloAltoNetworks_Threat_Vault/ReleaseNotes/2_0_16.md b/Packs/PaloAltoNetworks_Threat_Vault/ReleaseNotes/2_0_16.md new file mode 100644 index 000000000000..24532541519d --- /dev/null +++ b/Packs/PaloAltoNetworks_Threat_Vault/ReleaseNotes/2_0_16.md @@ -0,0 +1,5 @@ + +#### Integrations + +##### Palo Alto Networks Threat Vault v2 +Updated the enricher to support the new ip-feed API end-point. diff --git a/Packs/PaloAltoNetworks_Threat_Vault/pack_metadata.json b/Packs/PaloAltoNetworks_Threat_Vault/pack_metadata.json index aa1dca91f084..1da800b5675c 100644 --- a/Packs/PaloAltoNetworks_Threat_Vault/pack_metadata.json +++ b/Packs/PaloAltoNetworks_Threat_Vault/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Threat Vault by Palo Alto Networks", "description": "Use the Palo Alto Networks Threat Vault to research the latest threats (vulnerabilities/exploits, viruses, and spyware) that Palo Alto Networks next-generation firewalls can detect and prevent.", "support": "xsoar", - "currentVersion": "2.0.15", + "currentVersion": "2.0.16", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "",