From 5618dcdbcf419493409c58631df413808283be44 Mon Sep 17 00:00:00 2001
From: chloerongier <150173582+chloerongier@users.noreply.github.com>
Date: Mon, 8 Jan 2024 13:52:27 +0100
Subject: [PATCH] Updated outputs to cmds ip and abuseipdb-check-cidr-block (#31946)
* Updated outputs to cmds ip and abuseipdb-check-cidr-block
* Updated outputs to cmds ip and abuseipdb-check-cidr-block
* remove comma
* fix: return to previous arg name
* Update Packs/AbuseDB/ReleaseNotes/1_0_30.md
---------
Co-authored-by: Yuval Cohen <86777474+yucohen@users.noreply.github.com>
---
Packs/AbuseDB/Integrations/AbuseDB/AbuseDB.py | 21 ++++-
.../AbuseDB/Integrations/AbuseDB/AbuseDB.yml | 60 ++++++++++++-
Packs/AbuseDB/Integrations/AbuseDB/README.md | 86 ++++++++++++++++++-
Packs/AbuseDB/ReleaseNotes/1_0_30.md | 13 +++
Packs/AbuseDB/pack_metadata.json | 2 +-
5 files changed, 171 insertions(+), 11 deletions(-)
create mode 100644 Packs/AbuseDB/ReleaseNotes/1_0_30.md
diff --git a/Packs/AbuseDB/Integrations/AbuseDB/AbuseDB.py b/Packs/AbuseDB/Integrations/AbuseDB/AbuseDB.py
index 8a93c48d5f78..1e05558308c7 100644
--- a/Packs/AbuseDB/Integrations/AbuseDB/AbuseDB.py
+++ b/Packs/AbuseDB/Integrations/AbuseDB/AbuseDB.py
@@ -143,17 +143,30 @@ def analysis_to_entry(info, reliability, threshold=THRESHOLD, verbose=VERBOSE):
for analysis in info:
ip_ec = {
"Address": analysis.get("ipAddress"),
- "Geo": {"Country": analysis.get("countryName") or analysis.get("countryCode")}
+ "Geo": {
+ "Country": analysis.get("countryName"),
+ "CountryCode": analysis.get("countryCode")
+ }
}
abuse_ec = {
"IP": {
"Address": analysis.get("ipAddress"),
- "Geo": {"Country": analysis.get("countryName") or analysis.get("countryCode")},
+ "Geo": {
+ "Country": analysis.get("countryName"),
+ "CountryCode": analysis.get("countryCode")
+ },
"AbuseConfidenceScore": analysis.get('abuseConfidenceScore'),
- "TotalReports": analysis.get("totalReports") or analysis.get("numReports") or "0",
+ "TotalReports": analysis.get("totalReports") or analysis.get("numReports") or 0,
"ISP": analysis.get("isp"),
"UsageType": analysis.get("usageType"),
- "Domain": analysis.get("domain")
+ "Domain": analysis.get("domain"),
+ "Hostnames": analysis.get("hostnames"),
+ "IpVersion": analysis.get("ipVersion"),
+ "IsPublic": analysis.get("isPublic"),
+ "IsTor": analysis.get("isTor"),
+ "IsWhitelisted": analysis.get("isWhitelisted"),
+ "LastReportedAt": analysis.get("lastReportedAt"),
+ "NumDistinctUsers": analysis.get("numDistinctUsers")
}
}
diff --git a/Packs/AbuseDB/Integrations/AbuseDB/AbuseDB.yml b/Packs/AbuseDB/Integrations/AbuseDB/AbuseDB.yml
index 2d7651f54880..75701e419647 100644
--- a/Packs/AbuseDB/Integrations/AbuseDB/AbuseDB.yml
+++ b/Packs/AbuseDB/Integrations/AbuseDB/AbuseDB.yml
@@ -116,6 +116,9 @@ script:
- contextPath: IP.Geo.Country
description: The country in which the IP address is located.
type: String
+ - contextPath: IP.Geo.CountryCode
+ description: The country code in which the IP address is located.
+ type: String
- contextPath: IP.Malicious.Vendor
description: The vendor reporting the IP address as malicious.
type: String
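Review bot: Dropping the `or analysis.get("countryCode")` fallback from both `Geo` dicts means `IP.Geo.Country` and `AbuseIPDB.IP.Geo.Country` are now written as null whenever a response carries only `countryCode`, a case the removed lines show was deliberately handled before; if that fallback still matters for real responses, keep it next to the new key: `"Country": analysis.get("countryName") or analysis.get("countryCode"),`. The same dict also serves two response shapes (the `totalReports` / `numReports` alternation on the `TotalReports` line), so entries that lack the eight new keys will land in context as null values; consider dropping those before the entry is built, e.g. `abuse_ec["IP"] = {k: v for k, v in abuse_ec["IP"].items() if v is not None}`. `IsWhitelisted` presumably mirrors the vendor's own whitelist flag rather than anything configured in this integration, which is worth a one-line comment above that key so analysts do not read it as a local allowlist decision. `analysis_to_entry` starts before this hunk and continues after it.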
@@ -134,6 +137,30 @@ script:
- contextPath: AbuseIPDB.IP.Geo.Country
description: The country associated with the IP Address.
type: String
+ - contextPath: AbuseIPDB.IP.Geo.CountryCode
+ description: The country code associated with the IP Address.
+ type: String
+ - contextPath: AbuseIPDB.IP.Hostnames
+ description: The hostame(s) of the IP address.
+ type: String
+ - contextPath: AbuseIPDB.IP.IpVersion
+ description: The version of the IP address.
+ type: String
+ - contextPath: AbuseIPDB.IP.IsPublic
+ description: Is the IP address public.
+ type: String
+ - contextPath: AbuseIPDB.IP.IsTor
+ description: Is the IP address a Tor IP.
+ type: String¨
+ - contextPath: AbuseIPDB.IP.IsWhitelisted
+ description: Is the IP address whitelisted.
+ type: String
+ - contextPath: AbuseIPDB.IP.LastReportedAt
+ description: When the IP address was last reported.
+ type: String
+ - contextPath: AbuseIPDB.IP.NumDistinctUsers
+ description: The distinct number of users.
+ type: String
- contextPath: AbuseIPDB.IP.Reports
description: The reports summary (for "verbose" reports).
type: String
@@ -192,6 +219,9 @@ script:
- contextPath: IP.Geo.Country
description: The country in which the IP address is located.
type: String
+ - contextPath: IP.Geo.CountryCode
+ description: The country code in which the IP address is located.
+ type: String
- contextPath: IP.Malicious.Vendor
description: The vendor reporting the IP address as malicious.
type: String
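Review bot: `IsPublic`, `IsTor` and `IsWhitelisted` are declared `type: String` although their descriptions are yes/no questions, and `NumDistinctUsers` is declared a string as well; the Python side copies these values from the response untouched, so if they arrive as booleans and integers the declarations should be `type: Boolean` and `type: Number` so playbook conditions can compare them without string coercion. The `IsTor` entry ends in `type: String¨` — if that trailing character is really in the file and not a rendering artifact, it makes the type value invalid and must be removed. `description: The hostame(s) of the IP address.` has a typo; `description: The hostname(s) of the IP address.`. `description: The distinct number of users.` is also ambiguous; something like `The number of distinct users that reported this IP address.` if that is what the value counts — confirm against the vendor docs.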
@@ -211,8 +241,32 @@ script:
description: The number of times this address has been reported.
type: Unknown
- contextPath: AbuseIPDB.IP.Geo.Country
- description: The country associated with this IP Address.
- type: Unknown
+ description: The country associated with the IP Address.
+ type: String
+ - contextPath: AbuseIPDB.IP.Geo.CountryCode
+ description: The country code associated with the IP Address.
+ type: String
+ - contextPath: AbuseIPDB.IP.Hostnames
+ description: The hostame(s) of the IP address.
+ type: String
+ - contextPath: AbuseIPDB.IP.IpVersion
+ description: The version of the IP address.
+ type: String
+ - contextPath: AbuseIPDB.IP.IsPublic
+ description: Is the IP address public.
+ type: String
+ - contextPath: AbuseIPDB.IP.IsTor
+ description: Is the IP address a Tor IP.
+ type: String¨
+ - contextPath: AbuseIPDB.IP.IsWhitelisted
+ description: Is the IP address whitelisted.
+ type: String
+ - contextPath: AbuseIPDB.IP.LastReportedAt
+ description: When the IP address was last reported.
+ type: String
+ - contextPath: AbuseIPDB.IP.NumDistinctUsers
+ description: The distinct number of users.
+ type: String
- contextPath: AbuseIPDB.IP.Reports
description: Reports summary (for "verbose" reports).
type: Unknown
@@ -285,7 +339,7 @@ script:
script: ''
subtype: python3
type: python
- dockerimage: demisto/python3:3.10.13.80014
+ dockerimage: demisto/python3:3.10.13.83255
fromversion: 5.0.0
tests:
- AbuseIPDB Test
diff --git a/Packs/AbuseDB/Integrations/AbuseDB/README.md b/Packs/AbuseDB/Integrations/AbuseDB/README.md
index c2a918082f15..ed781314b524 100644
--- a/Packs/AbuseDB/Integrations/AbuseDB/README.md
+++ b/Packs/AbuseDB/Integrations/AbuseDB/README.md
@@ -99,10 +99,50 @@
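Review bot: The nine new output entries for the CIDR-block command are copied verbatim from the `ip` command, but the Python code fills them with plain `.get()` calls on whatever objects the block-check response returns (it already has to fall back from `totalReports` to `numReports` for that shape), so any key that response does not carry will be declared here yet always be null; confirm each one against a real `abuseipdb-check-cidr-block` response and drop or annotate the ones that never appear. The `IsTor` entry here also ends in `type: String¨`, which should be `type: String` if that character is really in the file. `description: The version of the IP address.` reads as a software version; `description: The IP protocol version of the address (presumably 4 or 6).` would say what a reader needs, once the value range is confirmed.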