diff --git a/Packs/CofenseIntelligenceV2/.pack-ignore b/Packs/CofenseIntelligenceV2/.pack-ignore
index da116393f9eb..c7a597cdf02f 100644
--- a/Packs/CofenseIntelligenceV2/.pack-ignore
+++ b/Packs/CofenseIntelligenceV2/.pack-ignore
@@ -1,2 +1,51 @@
 [known_words]
-Cofense
\ No newline at end of file
+Cofense
+Malcovery
+Descriptio
+SS
+Threathq
+recomended
+br
+D
+B
+s
+md
+pv
+Infotech
+str
+pc
+exe
+p
+w
+xn
+hc
+chmk
+Fchmmc
+z
+yy
+v
+vb
+rfq
+naics
+myclassapp
+tamymakeup
+rt
+Emotet
+UKR
+fs
+fd
+q
+Frlsd
+r
+x
+Uyb
+sw
+CRLF
+https
+ds
+pytest
+plugin
+lf
+ff
+vs
+vr
\ No newline at end of file
diff --git a/Packs/CofenseIntelligenceV2/.secrets-ignore b/Packs/CofenseIntelligenceV2/.secrets-ignore
index 0e48e3fcc1e6..60f5724d1e69 100644
--- a/Packs/CofenseIntelligenceV2/.secrets-ignore
+++ b/Packs/CofenseIntelligenceV2/.secrets-ignore
@@ -17,4 +17,9 @@ Chicago
 doc.1000158989PO_pdf
 65mCQoz34ZaOo6c.exe
 12288:r+iFyKuYN9m7vg8BRptBhfPvLtgs88TUs9/vIKkoZYN11:yAZ7YvTX5vLigT9XIdoZYT
-6144:x2zl9WZ2TWKqcDRW4IM5Fkgfh+cHk6GIgr79+lbYUUUnOysAQnEqA6oWUmUx2jq3:gpWwlW4IkmYh+IHG/+RYrUBsxpA6HUhX
\ No newline at end of file
+6144:x2zl9WZ2TWKqcDRW4IM5Fkgfh+cHk6GIgr79+lbYUUUnOysAQnEqA6oWUmUx2jq3:gpWwlW4IkmYh+IHG/+RYrUBsxpA6HUhX
+78c4f0f7f8c90d137fcb633b6c2c24e2a9f6b9c6054e5de1157d1bed
+9bd5ab8d458cf2bd64e6942dd586b5456f4a37d73ae788e4acbef666332c7ed00672fa4bc714d1f5b1b826f8e32ca6fe
+4be7710c5d25b94861ace0a7ad83459163c6e294a511c41876e0d29a69d715a805bc859ad3f06a100141e245975893719a089c98cdffb60b3432119b66586f03
+aad5ffa7e291bb1f1528f2ed805307a8dfe9bdfae13b766e4fdbd7b9605008a2bc7eb9b177b3306de9fc113eda7c5c632f27446956394f601713cdeeaa075a43
+1536:TVsXVrOaM0uEcFrlsd21G33VRxQFsUKRFdLeo0sw/x7W:4OapOlOXLisUybLeoO/4
\ No newline at end of file
diff --git a/Packs/CofenseIntelligenceV2/Integrations/CofenseIntelligenceV2/CofenseIntelligenceV2.py b/Packs/CofenseIntelligenceV2/Integrations/CofenseIntelligenceV2/CofenseIntelligenceV2.py
index ec7ab8d2e72b..828b559dad6d 100644
--- a/Packs/CofenseIntelligenceV2/Integrations/CofenseIntelligenceV2/CofenseIntelligenceV2.py
+++ b/Packs/CofenseIntelligenceV2/Integrations/CofenseIntelligenceV2/CofenseIntelligenceV2.py
@@ -87,7 +87,7 @@ def threat_search_call(self, days_back=90, ip=None, file=None, email=None, url=N
 params['watchListEmail'] = email
 elif file:
- params['allMD5'] = file
+ params['allHash'] = file
 elif url:
 params['urlSearch'] = url
@@ -355,33 +355,36 @@ def file_threats_analysis(severity_score, threats: List, file: str, threshold: s
 raise Exception(
 f'Cofense error: Invalid threshold value: {threshold}. Valid values are: None, Minor, Moderate or Major')
- md_data = []
+ file_data = []
 dbot_score = 0
- indicator_found = False
- file_indicator = Common.File(md5=file, dbot_score=dbot_score_obj)
+ file_indicator = Common.File(dbot_score=dbot_score_obj)
 for threat in threats:
 severity_level = 0
 indicator_found = False
 for es in threat.get('executableSet', {}):
- if es.get('md5Hex') == file:
- indicator_found = True
- threat_score = severity_score.get(es.get('severityLevel'), 0)
- adjusted_score = 3 if threshold_score <= threat_score else threat_score
- severity_level = max(severity_level, adjusted_score)
-
- file_indicator.sha512 = es.get('sha512Hex')
- file_indicator.sha1 = es.get('sha1Hex')
- file_indicator.sha256 = es.get('sha256Hex')
- file_indicator.name = es.get('fileName')
- file_indicator.malware_family = es.get('malwareFamily', {}).get('familyName')
- file_indicator.extension = es.get('fileNameExtension')
+ for es_key, es_value in es.items():
+ if 'Hex' in es_key and isinstance(es_value, str) and es_value.lower() == file.lower():
+ indicator_found = True
+ threat_score = severity_score.get(es.get('severityLevel'), 0)
+ adjusted_score = 3 if threshold_score <= threat_score else threat_score
+ severity_level = max(severity_level, adjusted_score)
+
+ file_indicator.file_type = es.get('type')
+ file_indicator.ssdeep = es.get('ssdeep')
+ file_indicator.md5 = es.get('md5Hex')
+ file_indicator.sha512 = es.get('sha512Hex')
+ file_indicator.sha1 = es.get('sha1Hex')
+ file_indicator.sha256 = es.get('sha256Hex')
+ file_indicator.name = es.get('fileName')
+ file_indicator.malware_family = es.get('malwareFamily', {}).get('familyName')
+ file_indicator.extension = es.get('fileNameExtension')
 if indicator_found:
 dbot_score = max(dbot_score, severity_level)
 threat_md_row = create_threat_md_row(threat,
severity_level)
- md_data.append(threat_md_row)
+ file_data.append(threat_md_row)
- return md_data, dbot_score, file_indicator
+ return file_data, dbot_score, file_indicator
 def check_indicator_type(indicator_value) -> str:
@@ -627,7 +630,7 @@ def check_email_command(client: Client, args: Dict[str, Any], params) -> List[Co
 return results_list
-def check_md5_command(client: Client, args: Dict[str, Any], params) -> List[CommandResults]:
+def check_file_command(client: Client, args: Dict[str, Any], params) -> List[CommandResults]:
 """
 Perform the api call to cofense threts-search endpoint to get all threats associated with the given file hash.
@@ -857,7 +860,7 @@ def main() -> None:
 return_results(check_email_command(client, args, params))
 elif command == "file":
- return_results(check_md5_command(client, args, params))
+ return_results(check_file_command(client, args, params))
 elif command == "ip":
 return_results(check_ip_command(client, args, params))
diff --git a/Packs/CofenseIntelligenceV2/Integrations/CofenseIntelligenceV2/CofenseIntelligenceV2.yml b/Packs/CofenseIntelligenceV2/Integrations/CofenseIntelligenceV2/CofenseIntelligenceV2.yml
index 0d6687ec0c5f..1f6f38399af4 100644
--- a/Packs/CofenseIntelligenceV2/Integrations/CofenseIntelligenceV2/CofenseIntelligenceV2.yml
+++ b/Packs/CofenseIntelligenceV2/Integrations/CofenseIntelligenceV2/CofenseIntelligenceV2.yml
@@ -535,7 +535,7 @@ script:
 type: String
 - arguments:
 - default: true
- description: The MD5 hash of the file to check.
+ description: The hash of the file to check.
 isArray: true
 name: file
 required: true
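Review bot: The matching loop added at `for es_key, es_value in es.items()` compares the query against every field whose name merely contains `Hex` and recomputes `file.lower()` for each field of each executable; restricting the comparison to the hash fields (`es_key.endswith('Hex')`) and lowering the query once before the loops gives the same result with less work and no accidental matches on unrelated keys. A query that matches through `sha224Hex` or `sha384Hex` (both present in the fixture this commit adds) sets no corresponding attribute on `file_indicator`, so the value the user searched for is absent from the returned File indicator — either document that only MD5/SHA-1/SHA-256/SHA-512 are surfaced or carry the queried value explicitly. Dropping `md5=file` from `Common.File(...)` also means that when nothing in `executableSet` matches, `file_indicator` carries no hash at all; presumably `check_indicator_type`, defined right after this hunk, can classify the query so the matching attribute is set in that case — confirm. `file_threats_analysis` starts above the hunk, so `dbot_score_obj` and `threshold_score` are bound outside the visible lines.
```python
    file_indicator = Common.File(dbot_score=dbot_score_obj)
    wanted = file.lower()  # lower-case the query once, not once per field per executable
    for threat in threats:
        severity_level = 0
        indicator_found = False
        for es in threat.get('executableSet', {}):
            # Compare only the *Hex hash fields; exact suffix test instead of a substring match on the key name.
            if not any(isinstance(value, str) and value.lower() == wanted
                       for key, value in es.items() if key.endswith('Hex')):
                continue
            indicator_found = True
            # … unchanged: severity scoring and the file_indicator.* assignments, one indent level shallower …
```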
@@ -550,6 +550,27 @@ script:
 - contextPath: File.MD5
 description: The MD5 hash of the file.
 type: Unknown
+ - contextPath: File.sha1
+ description: The SHA-1 hash of the file.
+ type: String
+ - contextPath: File.sha256
+ description: The SHA-256 hash of the file.
+ type: String
+ - contextPath: File.sha512
+ description: The SHA-512 hash of the file.
+ type: String
+ - contextPath: File.SSDeep
+ description: The SSDeep hash of the file.
+ type: String
+ - contextPath: File.Type
+ description: The file type.
+ type: String
+ - contextPath: File.Hashes.type
+ description: The hash type.
+ type: String
+ - contextPath: File.Hashes.value
+ description: The hash value.
+ type: String
 - contextPath: File.Malicious.Description
 description: A description explaining why the file was determined to be malicious.
 type: Unknown
@@ -682,6 +703,9 @@ script:
 - contextPath: CofenseIntelligence.File.Threats.executableSet.type
 description: Description of the purpose this file serves within the malware infection.
 type: String
+ - contextPath: CofenseIntelligence.File.Threats.executableSet.ssdeep
+ description: The ssdeep hash of the file.
+ type: String
 - contextPath: CofenseIntelligence.File.Threats.executableSet.dateEntered
 description: Date when this file was analyzed by Malcovery.
 type: Date
@@ -1467,7 +1491,7 @@ script:
 - contextPath: File.Extension
 description: The file extension.
 type: String
- dockerimage: demisto/python3:3.10.12.66339
+ dockerimage: demisto/python3:3.10.13.72123
 runonce: false
 script: '-'
 subtype: python3
diff --git a/Packs/CofenseIntelligenceV2/Integrations/CofenseIntelligenceV2/CofenseIntelligenceV2_test.py b/Packs/CofenseIntelligenceV2/Integrations/CofenseIntelligenceV2/CofenseIntelligenceV2_test.py
index 19b004186da1..aeef6034126a 100644
--- a/Packs/CofenseIntelligenceV2/Integrations/CofenseIntelligenceV2/CofenseIntelligenceV2_test.py
+++ b/Packs/CofenseIntelligenceV2/Integrations/CofenseIntelligenceV2/CofenseIntelligenceV2_test.py
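Review bot: The new context paths `File.sha1`, `File.sha256` and `File.sha512` are lower-case while `File.MD5` three lines above and the added `File.SSDeep`/`File.Type` are capitalised; as far as I know the standard XSOAR File context keys are `File.SHA1`, `File.SHA256` and `File.SHA512`, and the Python change in this commit only sets `file_indicator.sha1` etc. and leaves the key naming to `Common.File.to_context()`, so these entries should match what that helper actually emits rather than a hand-written guess. The README table and example output in this commit repeat the lower-case spelling (including `"type": "sha1"` under `Hashes`), so if the emitted keys are upper-case all three places are wrong together. Regenerating the yml outputs and README from a real command run would settle it.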
@@ -31,7 +31,7 @@
 'name': 'related-to', 'reverseName': 'related-to', 'type': 'IndicatorToIndicator'}
 ]
-FILE_RELATIONSHIP = [
+FILE_RELATIONSHIP_MD5 = [
 {'brand': 'Cofense Intelligence', 'entityA': 'md5', 'entityAFamily': 'Indicator', 'entityAType': 'File',
 'entityB': 'com', 'entityBFamily': 'Indicator', 'entityBType': 'Domain', 'fields': {}, 'name': 'related-to',
 'reverseName': 'related-to', 'type': 'IndicatorToIndicator'},
@@ -46,6 +46,21 @@
 'reverseName': 'related-to', 'type': 'IndicatorToIndicator'}
 ]
+FILE_RELATIONSHIP_SHA256 = [
+ {'brand': 'Cofense Intelligence', 'entityA': 'sha256', 'entityAFamily': 'Indicator', 'entityAType': 'File',
+ 'entityB': 'com', 'entityBFamily': 'Indicator', 'entityBType': 'Domain', 'fields': {}, 'name': 'related-to',
+ 'reverseName': 'related-to', 'type': 'IndicatorToIndicator'},
+ {'brand': 'Cofense Intelligence', 'entityA': 'sha256', 'entityAFamily': 'Indicator', 'entityAType': 'File',
+ 'entityB': '127.0.0.1', 'entityBFamily': 'Indicator', 'entityBType': 'IP', 'fields': {}, 'name': 'related-to',
+ 'reverseName': 'related-to', 'type': 'IndicatorToIndicator'},
+ {'brand': 'Cofense Intelligence', 'entityA': 'sha256', 'entityAFamily': 'Indicator', 'entityAType': 'File',
+ 'entityB': 'md5', 'entityBFamily': 'Indicator', 'entityBType': 'File', 'fields': {}, 'name': 'related-to',
+ 'reverseName': 'related-to', 'type': 'IndicatorToIndicator'},
+ {'brand': 'Cofense Intelligence', 'entityA': 'sha256', 'entityAFamily': 'Indicator', 'entityAType': 'File',
+ 'entityB': 'md5', 'entityBFamily': 'Indicator', 'entityBType': 'File', 'fields': {}, 'name': 'related-to',
+ 'reverseName': 'related-to', 'type': 'IndicatorToIndicator'}
+]
+
 EMAIL_RELATIONSHIP = [
 {'brand': 'Cofense Intelligence', 'entityA': 'email@email.com', 'entityAFamily': 'Indicator', 'entityAType': 'Email',
 'entityB': 'email@email.com', 'entityBFamily': 'Indicator',
@@ -247,14 +262,14 @@ def test_check_ip_command(mocker):
 assert IP_RELATIONSHIP == (response[0].to_context())['Relationships']
-def test_check_md5_command(mocker):
+def test_check_file_command_with_md5_hash(mocker):
 """
- Test case scenario for file command.
+ Test case scenario for file command when md5 hash is provided as argument.
 Given:
 - file command args
 When:
- - run check_md5_command
+ - run check_file_command
 Then:
 - Verify response outputs
 - verify response readable output
@@ -263,12 +278,40 @@ def test_check_md5_command(mocker):
 test_data = util_load_json('test_data/test_search_file.json')
 return_value = test_data.get('file_search_response')
 mocker.patch.object(client, 'threat_search_call', return_value=return_value)
- response = check_md5_command(client, mock_args, mock_params)
- mock_outputs = test_data.get('mock_output')
- mock_readable_outputs = test_data.get('mock_readable')
+ response = check_file_command(client, mock_args, mock_params)
+ mock_outputs = test_data.get('mock_output_md5')
+ mock_readable_outputs = test_data.get('mock_readable_md5')
+ assert mock_outputs == str(response[0].outputs)
+ assert mock_readable_outputs == response[0].readable_output
+ assert FILE_RELATIONSHIP_MD5 == (response[0].to_context())['Relationships']
+ assert response[0].indicator.md5 == mock_args['file']
+ assert response[0].indicator.sha256 != mock_args['file']
+
+
+def test_check_file_command_with_sha256_hash(mocker):
+ """
+ Test case scenario for file command when sha256 hash is provided as argument.
+
+ Given:
+ - file command args
+ When:
+ - run check_file_command
+ Then:
+ - Verify response outputs
+ - verify response readable output
+ """
+ mock_args = {'file': 'sha256'}
+ test_data = util_load_json('test_data/test_search_file.json')
+ return_value = test_data.get('file_search_response')
+ mocker.patch.object(client, 'threat_search_call', return_value=return_value)
+ response = check_file_command(client, mock_args, mock_params)
+ mock_outputs = test_data.get('mock_output_sha256')
+ mock_readable_outputs = test_data.get('mock_readable_sha256')
 assert mock_outputs == str(response[0].outputs)
 assert mock_readable_outputs == response[0].readable_output
- assert FILE_RELATIONSHIP == (response[0].to_context())['Relationships']
+ assert FILE_RELATIONSHIP_SHA256 == (response[0].to_context())['Relationships']
+ assert response[0].indicator.sha256 == mock_args['file']
+ assert response[0].indicator.md5 != mock_args['file']
 def test_check_domain_command(mocker):
diff --git a/Packs/CofenseIntelligenceV2/Integrations/CofenseIntelligenceV2/README.md b/Packs/CofenseIntelligenceV2/Integrations/CofenseIntelligenceV2/README.md
index 0c98454db0bc..dab7cd3b97b0 100644
--- a/Packs/CofenseIntelligenceV2/Integrations/CofenseIntelligenceV2/README.md
+++ b/Packs/CofenseIntelligenceV2/Integrations/CofenseIntelligenceV2/README.md
@@ -439,7 +439,7 @@ Checks the reputation of a file hash.
 | **Argument Name** | **Description** | **Required** |
 | --- | --- | --- |
-| file | The MD5 hash of the file to check. | Required |
+| file | The hash of the file to check. | Required |
 | days_back | The maximum number of days from which to start returning data. 90 days is recommended by Cofense. | Optional |
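Review bot: Both tests pass a query that is byte-identical to the fixture value (`'md5'`, `'sha256'`), so the case-insensitive comparison the integration now performs (`es_value.lower() == file.lower()`) is never exercised, and neither is the path where no executable matches the query. A variant with `mock_args = {'file': 'SHA256'}` expecting the same outputs, plus one with a hash absent from `test_search_file.json` asserting whatever the no-match result is meant to be (no threats, score 0, an indicator without hash attributes), would pin the behaviour the release note claims to fix. The `Then:` section of the new docstring also omits the relationship and `indicator.sha256`/`indicator.md5` assertions the test makes; adding `- Verify relationships and the indicator hash attributes` keeps it accurate.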
@@ -447,12 +447,19 @@ Checks the reputation of a file hash.
 | **Path** | **Type** | **Description** |
 | --- | --- | --- |
-| File.Extension | unknown | The file extension. |
-| File.MD5 | unknown | The MD5 hash of the file. |
-| File.Malicious.Description | unknown | A description explaining why the file was determined to be malicious. |
-| File.Malicious.Vendor | unknown | The vendor who reported the file as malicious. |
-| File.MalwareFamily | unknown | The malware family associated with the file. |
-| File.Name | unknown | The full file name. |
+| File.Extension | Unknown | The file extension. |
+| File.MD5 | Unknown | The MD5 hash of the file. |
+| File.sha1 | String | The SHA-1 hash of the file. |
+| File.sha256 | String | The SHA-256 hash of the file. |
+| File.sha512 | String | The SHA-512 hash of the file. |
+| File.SSDeep | String | The SSDeep hash of the file. |
+| File.Type | String | The file type. |
+| File.Hashes.type | String | The hash type. |
+| File.Hashes.value | String | The hash value. |
+| File.Malicious.Description | Unknown | A description explaining why the file was determined to be malicious. |
+| File.Malicious.Vendor | Unknown | The vendor who reported the file as malicious. |
+| File.MalwareFamily | Unknown | The malware family associated with the file. |
+| File.Name | Unknown | The full file name. |
 | File.Relationships.EntityA | String | The source of the relationship. |
 | File.Relationships.EntityB | String | The destination of the relationship. |
 | File.Relationships.Relationship | String | The name of the relationship. |
@@ -493,6 +500,7 @@ Checks the reputation of a file hash.
 | CofenseIntelligence.File.Threats.executableSet.vendorDetections.threatVendorName | String | Name of the antivirus vendor. |
 | CofenseIntelligence.File.Threats.executableSet.fileName | String | The file name of any file discovered during a malware infection. |
 | CofenseIntelligence.File.Threats.executableSet.type | String | Description of the purpose this file serves within the malware infection. |
+| CofenseIntelligence.File.Threats.executableSet.ssdeep | String | The ssdeep hash of the file. |
 | CofenseIntelligence.File.Threats.executableSet.dateEntered | Date | Date when this file was analyzed by Malcovery. |
 | CofenseIntelligence.File.Threats.executableSet.severityLevel | String | The malware infection severity level. |
 | CofenseIntelligence.File.Threats.executableSet.fileNameExtension | String | The file extension. |
@@ -519,7 +527,7 @@ Checks the reputation of a file hash.
 | CofenseIntelligence.File.Threats.threatDetailURL | String | T3 report URL. |
 | CofenseIntelligence.File.Threats.malwareFamilySet.familyName | String | Family name of the malware. |
 | CofenseIntelligence.File.Threats.malwareFamilySet.description | String | Description of the malware family set. |
-| CofenseIntelligence.File.Threats.threatType | String | If malware, will have value ‘malware’, otherwise it is empty. |
+| CofenseIntelligence.File.Threats.threatType | String | If malware, will have value 'malware', otherwise it is empty. |
 #### Command Example
 ```!file file=9798ba6199168e6d2cf205760ea683d1 using=CofenseIntelligenceV2_instance```
@@ -546,8 +554,7 @@ Checks the reputation of a file hash.
 },
 "role": "C2",
 "roleDescription": "Command and control location used by malware"
- },
-
+ }
 ],
 "campaignBrandSet": [
 {
@@ -575,7 +582,26 @@ Checks the reputation of a file hash. } ], "domainSet": [], - "executableSet":[ + "executableSet":[ + { + "dateEntered": 1598576136841, + "deliveryMechanism": { + "description": "Microsoft Office documents with macro scripting for malware delivery", + "mechanismName": "OfficeMacro" + }, + "fileName": "bobbyx.exe", + "fileNameExtension": "exe", + "md5Hex": "9798ba6199168e6d2cf205760ea683d1", + "severityLevel": "Major", + "sha1Hex": "dcfad03686e029646d6118a5edd18a3b56a2c358", + "sha224Hex": "78c4f0f7f8c90d137fcb633b6c2c24e2a9f6b9c6054e5de1157d1bed", + "sha256Hex": "5eb93964840290b1a5e35577b2e7ed1c0f212ef275113d5ecdb4a85c127ae57a", + "sha384Hex": "9bd5ab8d458cf2bd64e6942dd586b5456f4a37d73ae788e4acbef666332c7ed00672fa4bc714d1f5b1b826f8e32ca6fe", + "sha512Hex": "4be7710c5d25b94861ace0a7ad83459163c6e294a511c41876e0d29a69d715a805bc859ad3f06a100141e245975893719a089c98cdffb60b3432119b66586f03", + "ssdeep": "3072:2vYy0u8YGgjv+ZvchmkHcI/o1/Vb6//////////////////////////////////p:S0uXnWFchmmcI/o1/3Jwnp", + "type": "Attachment", + "vendorDetections": [] + } ], "executiveSummary": "summary", "extractedStringSet": [], 
@@ -630,10 +656,37 @@ Checks the reputation of a file hash. "File": { "Extension": "exe", "MD5": "9798ba6199168e6d2cf205760ea683d1", + "sha1": "dcfad03686e029646d6118a5edd18a3b56a2c358", + "sha256": "5eb93964840290b1a5e35577b2e7ed1c0f212ef275113d5ecdb4a85c127ae57a", + "sha512": "4be7710c5d25b94861ace0a7ad83459163c6e294a511c41876e0d29a69d715a805bc859ad3f06a100141e245975893719a089c98cdffb60b3432119b66586f03", + "SSDeep": "3072:2vYy0u8YGgjv+ZvchmkHcI/o1/Vb6//////////////////////////////////p:S0uXnWFchmmcI/o1/3Jwnp", + "Type": "Attachment", "Malicious": { "Description": null, "Vendor": "CofenseIntelligenceV2" }, + "Hashes": [ + { + "type": "MD5", + "value": "9798ba6199168e6d2cf205760ea683d1" + }, + { + "type": "sha1", + "value": "dcfad03686e029646d6118a5edd18a3b56a2c358" + }, + { + "type": "sha256", + "value": "5eb93964840290b1a5e35577b2e7ed1c0f212ef275113d5ecdb4a85c127ae57a" + }, + { + "type": "sha512", + "value": "4be7710c5d25b94861ace0a7ad83459163c6e294a511c41876e0d29a69d715a805bc859ad3f06a100141e245975893719a089c98cdffb60b3432119b66586f03" + }, + { + "type": "SSDeep", + "value": "3072:2vYy0u8YGgjv+ZvchmkHcI/o1/Vb6//////////////////////////////////p:S0uXnWFchmmcI/o1/3Jwnp" + } + ], "MalwareFamily": "Agent Tesla", "Name": "bobbyx.exe" } diff --git a/Packs/CofenseIntelligenceV2/Integrations/CofenseIntelligenceV2/test_data/test_search_file.json b/Packs/CofenseIntelligenceV2/Integrations/CofenseIntelligenceV2/test_data/test_search_file.json index 2d4363cc0a41..03b9f2fafb1d 100644 --- a/Packs/CofenseIntelligenceV2/Integrations/CofenseIntelligenceV2/test_data/test_search_file.json +++ b/Packs/CofenseIntelligenceV2/Integrations/CofenseIntelligenceV2/test_data/test_search_file.json 
@@ -580,7 +580,9 @@ ] } }, - "mock_output": "{'Data': 'md5', 'Threats': [{'id': 6294, 'relatedSearchTags': [], 'feeds': [{'id': 23, 'permissions': {'WRITE': False, 'OWNER': False, 'READ': True}, 'displayName': 'Cofense'}], 'blockSet': [{'deliveryMechanism': {'mechanismName': 'JSDropper', 'description': 'JavaScriptnaries'}, 'impact': 'Major', 'confidence': 0, 'blockType': 'Domain Name', 'roleDescription': 'Location from which a payload is obtained', 'role': 'Payload', 'data': 'com', 'data_1': '.com'}, {'malwareFamily': {'familyName': 'Locky', 'description': 'info'}, 'impact': 'Major', 'confidence': 0, 'blockType': 'IPv4 Address', 'roleDescription': 'Command and control location used by malware', 'role': 'C2', 'infrastructureTypeSubclass': {'description': 'Update or Standard C2'}, 'data': '127.0.0.1', 'data_1': '127.0.0.1'}], 'campaignBrandSet': [{'totalCount': 14, 'brand': {'id': 2051, 'text': 'None'}}], 'extractedStringSet': [], 'domainSet': [{'totalCount': 1, 'domain': '.com'}], 'senderEmailSet': [{'totalCount': 1, 'senderEmail': 'email.com'}], 'executableSet': [{'malwareFamily': {'familyName': 'Locky Ransomware', 'description': 'Locky encryption ransomware'}, 'vendorDetections': [{'detected': True, 'threatVendorName': 'Bkav'}, {'detected': True, 'threatVendorName': 'McAfee-GW-Edition'}, {'detected': True, 'threatVendorName': 'McAfee'}, {'detected': True, 'threatVendorName': 'Baidu'}, {'detected': True, 'threatVendorName': 'Qihoo-360'}], 'fileName': '5sGMg8sei5h.exe', 'type': 'Drop', 'dateEntered': 1466806654833, 'severityLevel': 'Major', 'fileNameExtension': 'exe', 'md5Hex': 'md5', 'sha384Hex': 'sha384', 'sha512Hex': 'sha512', 'sha1Hex': 'sha1', 'sha224Hex': 'sha224', 'sha256Hex': 'sha256'}, {'malwareFamily': {'familyName': 'Locky Ransomware', 'description': 'Locky encryption ransomware'}, 'vendorDetections': [{'detected': True, 'threatVendorName': 'Ad-Aware'}, {'detected': True, 'threatVendorName': 'Baidu'}, {'detected': True, 'threatVendorName': 'Tencent'}, 
{'detected': True, 'threatVendorName': 'McAfee-GW-Edition'}, {'detected': True, 'threatVendorName': 'MicroWorld-eScan'}, {'detected': True, 'threatVendorName': 'Kaspersky'}, {'detected': True, 'threatVendorName': 'McAfee'}, {'detected': True, 'threatVendorName': 'Bkav'}], 'fileName': '65mCQoz34ZaOo6c.exe', 'type': 'Drop', 'dateEntered': 1466806654883, 'severityLevel': 'Major', 'fileNameExtension': 'exe', 'md5Hex': 'md5', 'sha384Hex': 'sha384', 'sha512Hex': 'sha512', 'sha1Hex': 'sha1', 'sha224Hex': 'sha224', 'sha256Hex': 'sha256'}], 'senderIpSet': [], 'senderNameSet': [], 'spamUrlSet': [], 'campaignLanguageSet': [], 'lastPublished': 1539357256130, 'firstPublished': 1466806722599, 'label': 'Undelivered', 'executiveSummary': 'summary.', 'hasReport': True, 'reportURL': 'https://', 'apiReportURL': 'https://', 'threatDetailURL': '', 'malwareFamilySet': [{'familyName': 'Locky', 'description': 'Lock'}], 'threatType': 'MALWARE', 'naicsCodes': []}]}", - "mock_readable": "### Cofense file Reputation for file md5\n|Threat ID|Threat Type|Verdict|Executive Summary|Campaign|Malware Family Description|Last Published|Threat Report|\n|---|---|---|---|---|---|---|---|\n| 6294 | MALWARE | Malicious | summary. 
| Undelivered | Lock | 2018-10-12 15:14:16 | [https://](https://) |\n" + "mock_output_md5": "{'Data': 'md5', 'Threats': [{'id': 6294, 'relatedSearchTags': [], 'feeds': [{'id': 23, 'permissions': {'WRITE': False, 'OWNER': False, 'READ': True}, 'displayName': 'Cofense'}], 'blockSet': [{'deliveryMechanism': {'mechanismName': 'JSDropper', 'description': 'JavaScriptnaries'}, 'impact': 'Major', 'confidence': 0, 'blockType': 'Domain Name', 'roleDescription': 'Location from which a payload is obtained', 'role': 'Payload', 'data': 'com', 'data_1': '.com'}, {'malwareFamily': {'familyName': 'Locky', 'description': 'info'}, 'impact': 'Major', 'confidence': 0, 'blockType': 'IPv4 Address', 'roleDescription': 'Command and control location used by malware', 'role': 'C2', 'infrastructureTypeSubclass': {'description': 'Update or Standard C2'}, 'data': '127.0.0.1', 'data_1': '127.0.0.1'}], 'campaignBrandSet': [{'totalCount': 14, 'brand': {'id': 2051, 'text': 'None'}}], 'extractedStringSet': [], 'domainSet': [{'totalCount': 1, 'domain': '.com'}], 'senderEmailSet': [{'totalCount': 1, 'senderEmail': 'email.com'}], 'executableSet': [{'malwareFamily': {'familyName': 'Locky Ransomware', 'description': 'Locky encryption ransomware'}, 'vendorDetections': [{'detected': True, 'threatVendorName': 'Bkav'}, {'detected': True, 'threatVendorName': 'McAfee-GW-Edition'}, {'detected': True, 'threatVendorName': 'McAfee'}, {'detected': True, 'threatVendorName': 'Baidu'}, {'detected': True, 'threatVendorName': 'Qihoo-360'}], 'fileName': '5sGMg8sei5h.exe', 'type': 'Drop', 'dateEntered': 1466806654833, 'severityLevel': 'Major', 'fileNameExtension': 'exe', 'md5Hex': 'md5', 'sha384Hex': 'sha384', 'sha512Hex': 'sha512', 'sha1Hex': 'sha1', 'sha224Hex': 'sha224', 'sha256Hex': 'sha256'}, {'malwareFamily': {'familyName': 'Locky Ransomware', 'description': 'Locky encryption ransomware'}, 'vendorDetections': [{'detected': True, 'threatVendorName': 'Ad-Aware'}, {'detected': True, 'threatVendorName': 'Baidu'}, 
{'detected': True, 'threatVendorName': 'Tencent'}, {'detected': True, 'threatVendorName': 'McAfee-GW-Edition'}, {'detected': True, 'threatVendorName': 'MicroWorld-eScan'}, {'detected': True, 'threatVendorName': 'Kaspersky'}, {'detected': True, 'threatVendorName': 'McAfee'}, {'detected': True, 'threatVendorName': 'Bkav'}], 'fileName': '65mCQoz34ZaOo6c.exe', 'type': 'Drop', 'dateEntered': 1466806654883, 'severityLevel': 'Major', 'fileNameExtension': 'exe', 'md5Hex': 'md5', 'sha384Hex': 'sha384', 'sha512Hex': 'sha512', 'sha1Hex': 'sha1', 'sha224Hex': 'sha224', 'sha256Hex': 'sha256'}], 'senderIpSet': [], 'senderNameSet': [], 'spamUrlSet': [], 'campaignLanguageSet': [], 'lastPublished': 1539357256130, 'firstPublished': 1466806722599, 'label': 'Undelivered', 'executiveSummary': 'summary.', 'hasReport': True, 'reportURL': 'https://', 'apiReportURL': 'https://', 'threatDetailURL': '', 'malwareFamilySet': [{'familyName': 'Locky', 'description': 'Lock'}], 'threatType': 'MALWARE', 'naicsCodes': []}]}", + "mock_output_sha256": "{'Data': 'sha256', 'Threats': [{'id': 6294, 'relatedSearchTags': [], 'feeds': [{'id': 23, 'permissions': {'WRITE': False, 'OWNER': False, 'READ': True}, 'displayName': 'Cofense'}], 'blockSet': [{'deliveryMechanism': {'mechanismName': 'JSDropper', 'description': 'JavaScriptnaries'}, 'impact': 'Major', 'confidence': 0, 'blockType': 'Domain Name', 'roleDescription': 'Location from which a payload is obtained', 'role': 'Payload', 'data': 'com', 'data_1': '.com'}, {'malwareFamily': {'familyName': 'Locky', 'description': 'info'}, 'impact': 'Major', 'confidence': 0, 'blockType': 'IPv4 Address', 'roleDescription': 'Command and control location used by malware', 'role': 'C2', 'infrastructureTypeSubclass': {'description': 'Update or Standard C2'}, 'data': '127.0.0.1', 'data_1': '127.0.0.1'}], 'campaignBrandSet': [{'totalCount': 14, 'brand': {'id': 2051, 'text': 'None'}}], 'extractedStringSet': [], 'domainSet': [{'totalCount': 1, 'domain': '.com'}], 
'senderEmailSet': [{'totalCount': 1, 'senderEmail': 'email.com'}], 'executableSet': [{'malwareFamily': {'familyName': 'Locky Ransomware', 'description': 'Locky encryption ransomware'}, 'vendorDetections': [{'detected': True, 'threatVendorName': 'Bkav'}, {'detected': True, 'threatVendorName': 'McAfee-GW-Edition'}, {'detected': True, 'threatVendorName': 'McAfee'}, {'detected': True, 'threatVendorName': 'Baidu'}, {'detected': True, 'threatVendorName': 'Qihoo-360'}], 'fileName': '5sGMg8sei5h.exe', 'type': 'Drop', 'dateEntered': 1466806654833, 'severityLevel': 'Major', 'fileNameExtension': 'exe', 'md5Hex': 'md5', 'sha384Hex': 'sha384', 'sha512Hex': 'sha512', 'sha1Hex': 'sha1', 'sha224Hex': 'sha224', 'sha256Hex': 'sha256'}, {'malwareFamily': {'familyName': 'Locky Ransomware', 'description': 'Locky encryption ransomware'}, 'vendorDetections': [{'detected': True, 'threatVendorName': 'Ad-Aware'}, {'detected': True, 'threatVendorName': 'Baidu'}, {'detected': True, 'threatVendorName': 'Tencent'}, {'detected': True, 'threatVendorName': 'McAfee-GW-Edition'}, {'detected': True, 'threatVendorName': 'MicroWorld-eScan'}, {'detected': True, 'threatVendorName': 'Kaspersky'}, {'detected': True, 'threatVendorName': 'McAfee'}, {'detected': True, 'threatVendorName': 'Bkav'}], 'fileName': '65mCQoz34ZaOo6c.exe', 'type': 'Drop', 'dateEntered': 1466806654883, 'severityLevel': 'Major', 'fileNameExtension': 'exe', 'md5Hex': 'md5', 'sha384Hex': 'sha384', 'sha512Hex': 'sha512', 'sha1Hex': 'sha1', 'sha224Hex': 'sha224', 'sha256Hex': 'sha256'}], 'senderIpSet': [], 'senderNameSet': [], 'spamUrlSet': [], 'campaignLanguageSet': [], 'lastPublished': 1539357256130, 'firstPublished': 1466806722599, 'label': 'Undelivered', 'executiveSummary': 'summary.', 'hasReport': True, 'reportURL': 'https://', 'apiReportURL': 'https://', 'threatDetailURL': '', 'malwareFamilySet': [{'familyName': 'Locky', 'description': 'Lock'}], 'threatType': 'MALWARE', 'naicsCodes': []}]}", + "mock_readable_md5": "### Cofense file 
Reputation for file md5\n|Threat ID|Threat Type|Verdict|Executive Summary|Campaign|Malware Family Description|Last Published|Threat Report|\n|---|---|---|---|---|---|---|---|\n| 6294 | MALWARE | Malicious | summary. | Undelivered | Lock | 2018-10-12 15:14:16 | [https://](https://) |\n", + "mock_readable_sha256": "### Cofense file Reputation for file sha256\n|Threat ID|Threat Type|Verdict|Executive Summary|Campaign|Malware Family Description|Last Published|Threat Report|\n|---|---|---|---|---|---|---|---|\n| 6294 | MALWARE | Malicious | summary. | Undelivered | Lock | 2018-10-12 15:14:16 | [https://](https://) |\n" } diff --git a/Packs/CofenseIntelligenceV2/ReleaseNotes/1_1_13.md b/Packs/CofenseIntelligenceV2/ReleaseNotes/1_1_13.md new file mode 100644 index 000000000000..3aab6857eedd --- /dev/null +++ b/Packs/CofenseIntelligenceV2/ReleaseNotes/1_1_13.md @@ -0,0 +1,8 @@ + +#### Integrations + +##### Cofense Intelligence v2 + +- Fixed an issue in which the ***file*** command returned an incorrect MD5 value for non-MD5 hash types. +- Added support for the non-MD5 hashes in the ***file*** command. +- Updated the Docker image to: *demisto/python3:3.10.13.72123*. diff --git a/Packs/CofenseIntelligenceV2/pack_metadata.json b/Packs/CofenseIntelligenceV2/pack_metadata.json index 062f2b2b6504..333fce972dad 100644 --- a/Packs/CofenseIntelligenceV2/pack_metadata.json +++ b/Packs/CofenseIntelligenceV2/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Cofense Intelligence v2", "description": "Cofense Intelligence allows users to search for threat intelligence reports based on domains, IPs, email address, file hashes, URLs and extracted strings.", "support": "partner", - "currentVersion": "1.1.12", + "currentVersion": "1.1.13", "author": "Cofense", "url": "https://cofense.com/contact-support/", "email": "support@cofense.com",