Anomali ThreatStream change DBot verdict from Benign to Unknown for L…

…ow Confidence Indicators (demisto#30993) (demisto#31151) * change DBot verdict from Benign to Unknown for Low Confidence Indicators Indicators found in Anomali that are below Confidence thresholds should be created as Unknown and not Benign. Anomali ThreatStream documentation regarding Confidence https://ui.threatstream.com/optic-doc/Content/Features/threat_model/Observables/details_indicator.htm Confidence - Confidence indicates the certainty that an observable exhibits or is connected to malicious behavior. If Anomali has indicators with low Confidence, that doesn't mean the indicator is Benign/Safe. It means Anomali is unsure that the indicator is Malicious and as such the more appropriate verdict in XSOAR should be Unknown. * add indicator_default_score param * changed values to Benign and Unknown * update README and RN * update RN * update docker set required to false * update docker * fix docs comments --------- Co-authored-by: zdrouse <zdrouse@gmail.com> Co-authored-by: adi88d <adaud@paloaltonetworks.com> Co-authored-by: Adi Daud <46249224+adi88d@users.noreply.github.com>
AccessDataOps · Nov 28, 2023 · 8c88411 · 8c88411
1 parent ca47b0d
commit 8c88411
Show file tree

Hide file tree

Showing 5 changed files with 26 additions and 4 deletions.
diff --git a/Packs/Anomali_ThreatStream/Integrations/AnomaliThreatStreamv3/AnomaliThreatStreamv3.py b/Packs/Anomali_ThreatStream/Integrations/AnomaliThreatStreamv3/AnomaliThreatStreamv3.py
@@ -496,6 +496,12 @@ def __init__(self, params: Dict):
 
         }
 
+        indicator_default_score = params.get('indicator_default_score')
+        if indicator_default_score and indicator_default_score == 'Unknown':
+            self.default_score = Common.DBotScore.NONE
+        else:
+            self.default_score = Common.DBotScore.GOOD
+
     def calculate_score(self, ioc_type: str, indicator, threshold=None):
         """
             Calculate the DBot score according the indicator's confidence and thresholds if exist
@@ -506,14 +512,14 @@ def calculate_score(self, ioc_type: str, indicator, threshold=None):
         confidence = indicator.get('confidence', Common.DBotScore.NONE)
         defined_threshold = threshold or self.instance_defined_thresholds.get(ioc_type)
         if defined_threshold:
-            return Common.DBotScore.BAD if confidence >= defined_threshold else Common.DBotScore.GOOD
+            return Common.DBotScore.BAD if confidence >= defined_threshold else self.default_score
         else:
             if confidence > DEFAULT_MALICIOUS_THRESHOLD:
                 return Common.DBotScore.BAD
             if confidence > DEFAULT_SUSPICIOUS_THRESHOLD:
                 return Common.DBotScore.SUSPICIOUS
             else:
-                return Common.DBotScore.GOOD
+                return self.default_score
 
 
 def find_worst_indicator(indicators):

diff --git a/Packs/Anomali_ThreatStream/Integrations/AnomaliThreatStreamv3/AnomaliThreatStreamv3.yml b/Packs/Anomali_ThreatStream/Integrations/AnomaliThreatStreamv3/AnomaliThreatStreamv3.yml
@@ -72,6 +72,15 @@ configuration:
   required: true
   type: 15
   section: Collect
+- defaultvalue: Benign
+  display: Default DBOT score for indicators with low confidence
+  name: indicator_default_score
+  options:
+  - Benign
+  - Unknown
+  required: false
+  type: 15
+  section: Collect
 - defaultvalue: 'false'
   display: Trust any certificate (not secure)
   name: insecure
@@ -6422,7 +6431,7 @@ script:
       isArray: true
     description: Remove tags from the indicators.
     name: threatstream-remove-indicator-tag
-  dockerimage: demisto/py3-tools:1.0.0.80754
+  dockerimage: demisto/py3-tools:1.0.0.81280
   runonce: false
   script: '-'
   subtype: python3

diff --git a/Packs/Anomali_ThreatStream/Integrations/AnomaliThreatStreamv3/README.md b/Packs/Anomali_ThreatStream/Integrations/AnomaliThreatStreamv3/README.md
@@ -25,6 +25,7 @@ If you are upgrading from a previous version of this integration, see [Breaking
     | Use system proxy settings |  | False |
     | Create relationships | Create relationships between indicators as part of enrichment. | False |
     | Remote API | Gather additional information about the threat model from remote APIs. | False |
+    | Default DBOT score for indicators with low confidence |  | False |
 
 4. Click **Test** to validate the URLs, token, and connection.
 

diff --git a/Packs/Anomali_ThreatStream/ReleaseNotes/2_2_6.md b/Packs/Anomali_ThreatStream/ReleaseNotes/2_2_6.md
@@ -0,0 +1,6 @@
+
+#### Integrations
+
+##### Anomali ThreatStream v3
+- Added a new parameter **Default DBOT score for indicators with low Confidence** - Toggle between `Unknown` and `Benign`.
+- Updated the Docker image to: *demisto/py3-tools:1.0.0.81280*.
diff --git a/Packs/Anomali_ThreatStream/pack_metadata.json b/Packs/Anomali_ThreatStream/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Anomali ThreatStream",
     "description": "Use Anomali ThreatStream to query and submit threats.",
     "support": "xsoar",
-    "currentVersion": "2.2.5",
+    "currentVersion": "2.2.6",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",