Open cti unknown score (#30099)

* remove default score
to get all scores include UNKNOWN score

* RN

* added score argument
 to opencti-get-indicators command

* Update Packs/OpenCTI/ReleaseNotes/1_0_9.md

Co-authored-by: Anar Azadaliyev <aazadaliyev@paloaltonetworks.com>

* UT

---------

Co-authored-by: Anar Azadaliyev <aazadaliyev@paloaltonetworks.com>

Packs/OpenCTI/Integrations/OpenCTI/OpenCTI.py

@@ -1,7 +1,6 @@
 import demistomock as demisto  # noqa: F401
 from CommonServerPython import *  # noqa: F401
 import copy
-from typing import List, Optional
 from io import StringIO
 import sys
 import urllib3
@@ -49,7 +48,7 @@
 }
 
 
-def label_create(client: OpenCTIApiClient, label_name: Optional[str]):
+def label_create(client: OpenCTIApiClient, label_name: str | None):
     """ Create label at opencti
 
         Args:
@@ -67,7 +66,7 @@ def label_create(client: OpenCTIApiClient, label_name: Optional[str]):
     return label
 
 
-def build_indicator_list(indicator_list: List[str]) -> List[str]:
+def build_indicator_list(indicator_list: list[str]) -> list[str]:
     """Builds an indicator list for the query
     Args:
         indicator_list: List of XSOAR indicators types to return..
@@ -92,8 +91,8 @@ def reset_last_run():
     return CommandResults(readable_output='Fetch history deleted successfully')
 
 
-def get_indicators(client: OpenCTIApiClient, indicator_types: List[str], score: List[str] = None,
-                   limit: Optional[int] = 500, last_run_id: Optional[str] = None, search: str = "") -> dict:
+def get_indicators(client: OpenCTIApiClient, indicator_types: list[str], score=None,
+                   limit: int | None = 500, last_run_id: str | None = None, search: str = "") -> dict:
     """ Retrieving indicators from the API
 
     Args:
@@ -137,19 +136,28 @@ def get_indicators_command(client: OpenCTIApiClient, args: dict) -> CommandResul
     indicator_types = argToList(args.get("indicator_types"))
     last_run_id = args.get("last_run_id")
     limit = arg_to_number(args.get('limit', 50))
-    start = arg_to_number(args.get('score_start', 1))
-    end = arg_to_number(args.get('score_end', 100)) + 1  # type:ignore
+    start = arg_to_number(args.get('score_start'))
+    end = arg_to_number(args.get('score_end'))  # type:ignore
+    score = args.get('score')
     search = args.get("search", "")
-    score = None
-    if start or end:
-        score = [str(i) for i in range(start, end)]  # type:ignore
+    scores = None
+    if score:
+        if score.lower() == "unknown":
+            scores = [None]
+        elif score.isdigit():
+            scores = [score]
+        else:
+            raise DemistoException("Invalid score was provided.")
+
+    elif start or end:
+        scores = [str(i) for i in range(start, end + 1)]  # type:ignore
 
     raw_response = get_indicators(
         client=client,
         indicator_types=indicator_types,
         limit=limit,
         last_run_id=last_run_id,
-        score=score,
+        score=scores,
         search=search
     )
 
@@ -302,7 +310,7 @@ def indicator_create_command(client: OpenCTIApiClient, args: Dict[str, str]) ->
     )
 
 
-def indicator_add_marking(client: OpenCTIApiClient, id: Optional[str], value: Optional[str]):
+def indicator_add_marking(client: OpenCTIApiClient, id: str | None, value: str | None):
     """ Add indicator marking to opencti
         Args:
             client: OpenCTI Client object
@@ -320,7 +328,7 @@ def indicator_add_marking(client: OpenCTIApiClient, id: Optional[str], value: Op
     return result
 
 
-def indicator_add_label(client: OpenCTIApiClient, id: Optional[str], value: Optional[str]):
+def indicator_add_label(client: OpenCTIApiClient, id: str | None, value: str | None):
     """ Add indicator label to opencti
         Args:
             client: OpenCTI Client object
@@ -365,7 +373,7 @@ def indicator_field_add_command(client: OpenCTIApiClient, args: Dict[str, str])
         return CommandResults(readable_output=f'Cant add {key} to indicator.')
 
 
-def indicator_remove_label(client: OpenCTIApiClient, id: Optional[str], value: Optional[str]):
+def indicator_remove_label(client: OpenCTIApiClient, id: str | None, value: str | None):
     """ Remove indicator label from opencti
         Args:
             client: OpenCTI Client object
@@ -383,7 +391,7 @@ def indicator_remove_label(client: OpenCTIApiClient, id: Optional[str], value: O
     return result
 
 
-def indicator_remove_marking(client: OpenCTIApiClient, id: Optional[str], value: Optional[str]):
+def indicator_remove_marking(client: OpenCTIApiClient, id: str | None, value: str | None):
     """ Remove indicator marking from opencti
         Args:
             client: OpenCTI Client object

Packs/OpenCTI/Integrations/OpenCTI/OpenCTI.yml

@@ -34,10 +34,12 @@ script:
   - arguments:
     - description: The maximum number of indicators to return. Default value is 50. Maximum value is 500.
       name: limit
-    - description: 'Score minimum value to filter by. Values range is 1-100. '
+    - description: 'Score minimum value to filter by. Values range is 0-100. '
       name: score_start
-    - description: 'Score maximum value to filter by. Values range is 1-100. '
+    - description: 'Score maximum value to filter by. Values range is 0-100. '
       name: score_end
+    - description: 'A specific score. Values range is 0-100 or Unknown.'
+      name: score
     - auto: PREDEFINED
       defaultValue: ALL
       description: 'The indicator types to fetch. Out-of-the-box indicator types supported in XSOAR are: Account, Domain, Email, File, Host, IP, IPv6, Registry Key, and URL.'
@@ -291,7 +293,7 @@ script:
     - contextPath: OpenCTI.MarkingDefinitions.markingsLastRun
       description: The last ID of the previous fetch to use for pagination.
       type: String
-  dockerimage: demisto/vendors-sdk:1.0.0.74116
+  dockerimage: demisto/vendors-sdk:1.0.0.76365
   runonce: false
   script: '-'
   subtype: python3

Packs/OpenCTI/Integrations/OpenCTI/OpenCTI_test.py

@@ -51,7 +51,7 @@ def test_get_indicators_value_argument(mocker, response_mock, value, expected_le
     mocker.patch.object(client.stix_cyber_observable, 'list', return_value=response_mock)
     indicators = get_indicators(client, ["ALL"], search=value)
     assert len(indicators) == expected_length
-    indicators[0].get('value') == expected_value
+    assert indicators[0].get('value') == expected_value
 
 
 def test_get_indicators_command(mocker):
@@ -75,6 +75,27 @@ def test_get_indicators_command(mocker):
     assert "Indicators" in results.readable_output
 
 
+def test_get_indicators_command_with_score(mocker):
+    """Tests get_indicators_command function with a specified score
+    Given
+        The following indicator types: 'registry key', 'account' that were chosen by the user and a specified 'score': 50
+    When
+        - Calling `get_indicators_command`
+    Then
+        - Verify that the result includes indicators with a score of 50.
+    """
+    client = Client
+    args = {
+        'indicator_types': 'registry key,account',
+        'score': '50'
+    }
+    mocker.patch.object(client.stix_cyber_observable, 'list', return_value=RESPONSE_DATA)
+    results: CommandResults = get_indicators_command(client, args)
+    assert len(results.raw_response) == 2
+    for indicator in results.raw_response:
+        assert indicator.get('x_opencti_score') == 50
+
+
 def test_get_indicators_command_with_no_data_to_return(mocker):
     """Tests get_indicators_command function with no data to return
     Given

Packs/OpenCTI/ReleaseNotes/1_0_9.md

@@ -0,0 +1,8 @@
+
+#### Integrations
+
+##### OpenCTI
+
+- Fixed an issue by removing **score_start** and **score_end** default values from  **opencti-get-indicators** command to get all indicators,including those with an 'UNKNOWN' score.
+- Added the **score** argument to **opencti-get-indicators** command.
+- Updated the Docker image to: *demisto/vendors-sdk:1.0.0.76365*.

Packs/OpenCTI/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "OpenCTI",
     "description": "Manages indicators from OpenCTI.",
     "support": "xsoar",
-    "currentVersion": "1.0.8",
+    "currentVersion": "1.0.9",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",