Cofense Intelligence v2 - release-1.1.13 (#29364)

* Cofense Intelligence v2 - release-1.1.13 (#29214) Co-authored-by: crestdatasystems <crestdatasystems@users.noreply.github.com> * update docker --------- Co-authored-by: Crest Data Systems <60967033+crestdatasystems@users.noreply.github.com> Co-authored-by: crestdatasystems <crestdatasystems@users.noreply.github.com> Co-authored-by: ostolero <ostolero@paloaltonetworks.com> Co-authored-by: ostolero <86190583+ostolero@users.noreply.github.com>
demisto · Sep 14, 2023 · 7bdf794 · 7bdf794
1 parent da2f8de
commit 7bdf794
Show file tree

Hide file tree

Showing 9 changed files with 233 additions and 46 deletions.
diff --git a/Packs/CofenseIntelligenceV2/.pack-ignore b/Packs/CofenseIntelligenceV2/.pack-ignore
@@ -1,2 +1,51 @@
 [known_words]
-Cofense
+Cofense
+Malcovery
+Descriptio
+SS
+Threathq
+recomended
+br
+D
+B
+s
+md
+pv
+Infotech
+str
+pc
+exe
+p
+w
+xn
+hc
+chmk
+Fchmmc
+z
+yy
+v
+vb
+rfq
+naics
+myclassapp
+tamymakeup
+rt
+Emotet
+UKR
+fs
+fd
+q
+Frlsd
+r
+x
+Uyb
+sw
+CRLF
+https
+ds
+pytest
+plugin
+lf
+ff
+vs
+vr
diff --git a/Packs/CofenseIntelligenceV2/.secrets-ignore b/Packs/CofenseIntelligenceV2/.secrets-ignore
@@ -17,4 +17,9 @@ Chicago
 doc.1000158989PO_pdf
 65mCQoz34ZaOo6c.exe
 12288:r+iFyKuYN9m7vg8BRptBhfPvLtgs88TUs9/vIKkoZYN11:yAZ7YvTX5vLigT9XIdoZYT
-6144:x2zl9WZ2TWKqcDRW4IM5Fkgfh+cHk6GIgr79+lbYUUUnOysAQnEqA6oWUmUx2jq3:gpWwlW4IkmYh+IHG/+RYrUBsxpA6HUhX
+6144:x2zl9WZ2TWKqcDRW4IM5Fkgfh+cHk6GIgr79+lbYUUUnOysAQnEqA6oWUmUx2jq3:gpWwlW4IkmYh+IHG/+RYrUBsxpA6HUhX
+78c4f0f7f8c90d137fcb633b6c2c24e2a9f6b9c6054e5de1157d1bed
+9bd5ab8d458cf2bd64e6942dd586b5456f4a37d73ae788e4acbef666332c7ed00672fa4bc714d1f5b1b826f8e32ca6fe
+4be7710c5d25b94861ace0a7ad83459163c6e294a511c41876e0d29a69d715a805bc859ad3f06a100141e245975893719a089c98cdffb60b3432119b66586f03
+aad5ffa7e291bb1f1528f2ed805307a8dfe9bdfae13b766e4fdbd7b9605008a2bc7eb9b177b3306de9fc113eda7c5c632f27446956394f601713cdeeaa075a43
+1536:TVsXVrOaM0uEcFrlsd21G33VRxQFsUKRFdLeo0sw/x7W:4OapOlOXLisUybLeoO/4
diff --git a/Packs/CofenseIntelligenceV2/Integrations/CofenseIntelligenceV2/CofenseIntelligenceV2.py b/Packs/CofenseIntelligenceV2/Integrations/CofenseIntelligenceV2/CofenseIntelligenceV2.py
@@ -87,7 +87,7 @@ def threat_search_call(self, days_back=90, ip=None, file=None, email=None, url=N
             params['watchListEmail'] = email
 
         elif file:
-            params['allMD5'] = file
+            params['allHash'] = file
 
         elif url:
             params['urlSearch'] = url
@@ -355,33 +355,36 @@ def file_threats_analysis(severity_score, threats: List, file: str, threshold: s
         raise Exception(
             f'Cofense error: Invalid threshold value: {threshold}. Valid values are: None, Minor, Moderate or Major')
 
-    md_data = []
+    file_data = []
     dbot_score = 0
-    indicator_found = False
 
-    file_indicator = Common.File(md5=file, dbot_score=dbot_score_obj)
+    file_indicator = Common.File(dbot_score=dbot_score_obj)
     for threat in threats:
         severity_level = 0
         indicator_found = False
         for es in threat.get('executableSet', {}):
-            if es.get('md5Hex') == file:
-                indicator_found = True
-                threat_score = severity_score.get(es.get('severityLevel'), 0)
-                adjusted_score = 3 if threshold_score <= threat_score else threat_score
-                severity_level = max(severity_level, adjusted_score)
-
-                file_indicator.sha512 = es.get('sha512Hex')
-                file_indicator.sha1 = es.get('sha1Hex')
-                file_indicator.sha256 = es.get('sha256Hex')
-                file_indicator.name = es.get('fileName')
-                file_indicator.malware_family = es.get('malwareFamily', {}).get('familyName')
-                file_indicator.extension = es.get('fileNameExtension')
+            for es_key, es_value in es.items():
+                if 'Hex' in es_key and isinstance(es_value, str) and es_value.lower() == file.lower():
+                    indicator_found = True
+                    threat_score = severity_score.get(es.get('severityLevel'), 0)
+                    adjusted_score = 3 if threshold_score <= threat_score else threat_score
+                    severity_level = max(severity_level, adjusted_score)
+
+                    file_indicator.file_type = es.get('type')
+                    file_indicator.ssdeep = es.get('ssdeep')
+                    file_indicator.md5 = es.get('md5Hex')
+                    file_indicator.sha512 = es.get('sha512Hex')
+                    file_indicator.sha1 = es.get('sha1Hex')
+                    file_indicator.sha256 = es.get('sha256Hex')
+                    file_indicator.name = es.get('fileName')
+                    file_indicator.malware_family = es.get('malwareFamily', {}).get('familyName')
+                    file_indicator.extension = es.get('fileNameExtension')
         if indicator_found:
             dbot_score = max(dbot_score, severity_level)
             threat_md_row = create_threat_md_row(threat, severity_level)
-            md_data.append(threat_md_row)
+            file_data.append(threat_md_row)
 
-    return md_data, dbot_score, file_indicator
+    return file_data, dbot_score, file_indicator
 
 
 def check_indicator_type(indicator_value) -> str:
@@ -627,7 +630,7 @@ def check_email_command(client: Client, args: Dict[str, Any], params) -> List[Co
     return results_list
 
 
-def check_md5_command(client: Client, args: Dict[str, Any], params) -> List[CommandResults]:
+def check_file_command(client: Client, args: Dict[str, Any], params) -> List[CommandResults]:
     """
     Perform the api call to cofense threts-search endpoint to get all threats associated with the given file hash.
 
@@ -857,7 +860,7 @@ def main() -> None:
             return_results(check_email_command(client, args, params))
 
         elif command == "file":
-            return_results(check_md5_command(client, args, params))
+            return_results(check_file_command(client, args, params))
 
         elif command == "ip":
             return_results(check_ip_command(client, args, params))

diff --git a/Packs/CofenseIntelligenceV2/Integrations/CofenseIntelligenceV2/CofenseIntelligenceV2.yml b/Packs/CofenseIntelligenceV2/Integrations/CofenseIntelligenceV2/CofenseIntelligenceV2.yml
@@ -535,7 +535,7 @@ script:
       type: String
   - arguments:
     - default: true
-      description: The MD5 hash of the file to check.
+      description: The hash of the file to check.
       isArray: true
       name: file
       required: true
@@ -550,6 +550,27 @@ script:
     - contextPath: File.MD5
       description: The MD5 hash of the file.
       type: Unknown
+    - contextPath: File.sha1
+      description: The SHA-1 hash of the file.
+      type: String
+    - contextPath: File.sha256
+      description: The SHA-256 hash of the file.
+      type: String
+    - contextPath: File.sha512
+      description: The SHA-512 hash of the file.
+      type: String
+    - contextPath: File.SSDeep
+      description: The SSDeep hash of the file.
+      type: String
+    - contextPath: File.Type
+      description: The file type.
+      type: String
+    - contextPath: File.Hashes.type
+      description: The hash type.
+      type: String
+    - contextPath: File.Hashes.value
+      description: The hash value.
+      type: String
     - contextPath: File.Malicious.Description
       description: A description explaining why the file was determined to be malicious.
       type: Unknown
@@ -682,6 +703,9 @@ script:
     - contextPath: CofenseIntelligence.File.Threats.executableSet.type
       description: Description of the purpose this file serves within the malware infection.
       type: String
+    - contextPath: CofenseIntelligence.File.Threats.executableSet.ssdeep
+      description: The ssdeep hash of the file.
+      type: String
     - contextPath: CofenseIntelligence.File.Threats.executableSet.dateEntered
       description: Date when this file was analyzed by Malcovery.
       type: Date
@@ -1467,7 +1491,7 @@ script:
     - contextPath: File.Extension
       description: The file extension.
       type: String
-  dockerimage: demisto/python3:3.10.12.66339
+  dockerimage: demisto/python3:3.10.13.72123
   runonce: false
   script: '-'
   subtype: python3

diff --git a/Packs/CofenseIntelligenceV2/Integrations/CofenseIntelligenceV2/CofenseIntelligenceV2_test.py b/Packs/CofenseIntelligenceV2/Integrations/CofenseIntelligenceV2/CofenseIntelligenceV2_test.py
@@ -31,7 +31,7 @@
      'name': 'related-to', 'reverseName': 'related-to', 'type': 'IndicatorToIndicator'}
 ]
 
-FILE_RELATIONSHIP = [
+FILE_RELATIONSHIP_MD5 = [
     {'brand': 'Cofense Intelligence', 'entityA': 'md5', 'entityAFamily': 'Indicator', 'entityAType': 'File',
      'entityB': 'com', 'entityBFamily': 'Indicator', 'entityBType': 'Domain', 'fields': {}, 'name': 'related-to',
      'reverseName': 'related-to', 'type': 'IndicatorToIndicator'},
@@ -46,6 +46,21 @@
      'reverseName': 'related-to', 'type': 'IndicatorToIndicator'}
 ]
 
+FILE_RELATIONSHIP_SHA256 = [
+    {'brand': 'Cofense Intelligence', 'entityA': 'sha256', 'entityAFamily': 'Indicator', 'entityAType': 'File',
+     'entityB': 'com', 'entityBFamily': 'Indicator', 'entityBType': 'Domain', 'fields': {}, 'name': 'related-to',
+     'reverseName': 'related-to', 'type': 'IndicatorToIndicator'},
+    {'brand': 'Cofense Intelligence', 'entityA': 'sha256', 'entityAFamily': 'Indicator', 'entityAType': 'File',
+     'entityB': '127.0.0.1', 'entityBFamily': 'Indicator', 'entityBType': 'IP', 'fields': {}, 'name': 'related-to',
+     'reverseName': 'related-to', 'type': 'IndicatorToIndicator'},
+    {'brand': 'Cofense Intelligence', 'entityA': 'sha256', 'entityAFamily': 'Indicator', 'entityAType': 'File',
+     'entityB': 'md5', 'entityBFamily': 'Indicator', 'entityBType': 'File', 'fields': {}, 'name': 'related-to',
+     'reverseName': 'related-to', 'type': 'IndicatorToIndicator'},
+    {'brand': 'Cofense Intelligence', 'entityA': 'sha256', 'entityAFamily': 'Indicator', 'entityAType': 'File',
+     'entityB': 'md5', 'entityBFamily': 'Indicator', 'entityBType': 'File', 'fields': {}, 'name': 'related-to',
+     'reverseName': 'related-to', 'type': 'IndicatorToIndicator'}
+]
+
 EMAIL_RELATIONSHIP = [
     {'brand': 'Cofense Intelligence', 'entityA': 'email@email.com', 'entityAFamily': 'Indicator',
      'entityAType': 'Email', 'entityB': 'email@email.com', 'entityBFamily': 'Indicator',
@@ -247,14 +262,14 @@ def test_check_ip_command(mocker):
     assert IP_RELATIONSHIP == (response[0].to_context())['Relationships']
 
 
-def test_check_md5_command(mocker):
+def test_check_file_command_with_md5_hash(mocker):
     """
-    Test case scenario for file command.
+    Test case scenario for file command when md5 hash is provided as argument.
 
     Given:
         - file command args
     When:
-        - run check_md5_command
+        - run check_file_command
     Then:
         - Verify response outputs
         - verify response readable output
@@ -263,12 +278,40 @@ def test_check_md5_command(mocker):
     test_data = util_load_json('test_data/test_search_file.json')
     return_value = test_data.get('file_search_response')
     mocker.patch.object(client, 'threat_search_call', return_value=return_value)
-    response = check_md5_command(client, mock_args, mock_params)
-    mock_outputs = test_data.get('mock_output')
-    mock_readable_outputs = test_data.get('mock_readable')
+    response = check_file_command(client, mock_args, mock_params)
+    mock_outputs = test_data.get('mock_output_md5')
+    mock_readable_outputs = test_data.get('mock_readable_md5')
+    assert mock_outputs == str(response[0].outputs)
+    assert mock_readable_outputs == response[0].readable_output
+    assert FILE_RELATIONSHIP_MD5 == (response[0].to_context())['Relationships']
+    assert response[0].indicator.md5 == mock_args['file']
+    assert response[0].indicator.sha256 != mock_args['file']
+
+
+def test_check_file_command_with_sha256_hash(mocker):
+    """
+    Test case scenario for file command when sha256 hash is provided as argument.
+
+    Given:
+        - file command args
+    When:
+        - run check_file_command
+    Then:
+        - Verify response outputs
+        - verify response readable output
+    """
+    mock_args = {'file': 'sha256'}
+    test_data = util_load_json('test_data/test_search_file.json')
+    return_value = test_data.get('file_search_response')
+    mocker.patch.object(client, 'threat_search_call', return_value=return_value)
+    response = check_file_command(client, mock_args, mock_params)
+    mock_outputs = test_data.get('mock_output_sha256')
+    mock_readable_outputs = test_data.get('mock_readable_sha256')
     assert mock_outputs == str(response[0].outputs)
     assert mock_readable_outputs == response[0].readable_output
-    assert FILE_RELATIONSHIP == (response[0].to_context())['Relationships']
+    assert FILE_RELATIONSHIP_SHA256 == (response[0].to_context())['Relationships']
+    assert response[0].indicator.sha256 == mock_args['file']
+    assert response[0].indicator.md5 != mock_args['file']
 
 
 def test_check_domain_command(mocker):