Trend micro vision one (#23778) (#23958)
* removed microsocks

Potentially harmful

* imported urllib3 and removed reference to requests.packages. Updated release notes and TrendMicroVisionOne.yml

* added action to add file entry from incident to sandbox and action to get result of file entry analysis status

* removed redundant action to check sandbox submission status

* added polling command for sandbox submissions

* added unit tests for file entry to sandbox and polling for sandbox submissions

* added unit tests for submit file entry and sandbox polling command

* updated yml to include submit-file-entry-to-sandbox and run-sandbox-submission-polling

* Update README.md

Added hints for command execution order

* Update README.md

Updated Notes for better readability.

* Update README.md

Updated README.md for better readability.

* updated release notes to indicate addition of submit file entry to sandbox and sandbox submission polling command

* formatted files per XSOAR standards

* Added command examples for V2 actions

* added test_data folder containing example responses

* Update README.md

Added link to supported file types in submit file to sandbox and submit file entry to sandbox.

* removed unused mock test case for submit file entry to sandbox and test_data folder with mock responses

* Added submit file entry to sandbox and run sandbox submission polling and their respective unit tests and command_examples

* added demisto.patch.object to get custom data for demisto.getFilePath in submit file entry to sandbox

* updated polling command per XSOAR standards and updated YAML to include polling in sandbox submission polling command root

* TrendMicroVisionOne_description

* updated sandbox submission command example to include polling arg

* updated yml to include polling in root of sandbox submission polling

* removed unused variable declarations

* updated doc string for sandbox submission polling

* updated min server version to 6.2.0 in sandbox polling unit test

* updated if check to differentiate between cmd instead of args

* added dbotscore for sandbox submissions status and sandbox polling commands

* added doc string for dbot severity helper function

* Updated Vendor Name to match integration pack

* updated risk to look for obj instead of str and updated release notes and updated docker image version

* added dbotscore to VisionOne context data and updated YML and README.md accordingly

* small context output fix

* Update 1_3_0.md

Co-authored-by: yaakovpraisler <ypreisler@paloaltonetworks.com>
Co-authored-by: Yaakov Praisler <59408745+yaakovpraisler@users.noreply.github.com>

Co-authored-by: shaqnawe <shaktishah40@gmail.com>
Co-authored-by: yaakovpraisler <ypreisler@paloaltonetworks.com>
Co-authored-by: Yaakov Praisler <59408745+yaakovpraisler@users.noreply.github.com>
4 people authored and YuvHayun committed Jan 23, 2023
1 parent 88a32ad commit c69c3cc
Showing 5 changed files with 114 additions and 4 deletions.
Expand Up @@ -383,11 +383,14 @@ Retrieves the status of a sandbox analysis submission
| VisionOne.File_Analysis_Status.digest | string | The hash values of file analyzed |
| VisionOne.File_Analysis_Status.analysis_completion_time | string | Sample analysis completed time. |
| VisionOne.File_Analysis_Status.risk_level | string | Risk Level of the analyzed file. |
| VisionOne.File_Analysis_Status.descritption | string | Scan result description for NotAnalyzed. |
| VisionOne.File_Analysis_Status.descritption | string | Scan result description for NotAnalyzed. |
| VisionOne.File_Analysis_Status.detection_name_list | unknown | Detection name of this sample, if applicable. |
| VisionOne.File_Analysis_Status.threat_type_list | unknown | Threat type of this sample. |
| VisionOne.File_Analysis_Status.file_type | string | File type of this sample. |
| VisionOne.File_Analysis_Status.report_id | string | ID used to get the report and suspicious object. Empty means no report. |
| VisionOne.File_Analysis_Status.DBotScore.score | number | The DBot score. |
| VisionOne.File_Analysis_Status.DBotScore.Vendor | string | The Vendor name. |
| VisionOne.File_Analysis_Status.DBotScore.Reliability | string | The reliability level. |

### trendmicro-visionone-get-file-analysis-report
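Review bot: the `VisionOne.File_Analysis_Status.descritption` row appears twice in this hunk's context, both copies with the same typo; since the table is being edited anyway, collapse it to a single row spelled `description`. Also the new `VisionOne.File_Analysis_Status.DBotScore.score` path is lowercase here while the YAML context path and the code's context dict use `Score`; align the README with the code so the documented path actually resolves in context.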

Expand Down Expand Up @@ -561,6 +564,9 @@ Runs a polling command to retrieve the status of a sandbox analysis submission
| VisionOne.Sandbox_Submission_Polling.threat_type_list | unknown | Threat type of this sample. |
| VisionOne.Sandbox_Submission_Polling.file_type | string | File type of this sample. |
| VisionOne.Sandbox_Submission_Polling.report_id | string | ID used to get the report and suspicious object. Empty means no report. |
| VisionOne.Sandbox_Submission_Polling.DBotScore.score | number | The DBot score. |
| VisionOne.Sandbox_Submission_Polling.DBotScore.Vendor | string | The Vendor name. |
| VisionOne.Sandbox_Submission_Polling.DBotScore.Reliability | string | The reliability level. |

### trendmicro-visionone-check-task-status
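Review bot: same casing mismatch as in the File_Analysis_Status table: `VisionOne.Sandbox_Submission_Polling.DBotScore.score` is documented lowercase while the YAML and the command's context dict write `DBotScore.Score`; use `Score` here as well.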

Expand Up @@ -14,6 +14,7 @@

"""CONSTANTS"""
USER_AGENT = "TMV1CortexXSOARApp/1.1"
VENDOR_NAME = "TrendMicroVisionOne"
URL = "url"
POST = "post"
GET = "get"
Expand Down Expand Up @@ -294,6 +295,22 @@ def sandbox_submission_polling(self, data: Dict[str, Any]) -> Any:
"""
task_id = data.get(TASKID)
result = self.http_request(GET, GET_FILE_STATUS.format(taskId=task_id))
risk = result.get("data", {}).get("analysisSummary", {}).get("riskLevel", "")
risk_score = self.incident_severity_to_dbot_score(risk)
sha256 = result.get("data", {}).get("digest", {}).get("sha256")
md5 = result.get("data", {}).get("digest", {}).get("md5")
sha1 = result.get("data", {}).get("digest", {}).get("sha1")
reliability = demisto.params().get("integrationReliability")
dbot_score = Common.DBotScore(
indicator=sha256,
indicator_type=DBotScoreType.FILE,
integration_name=VENDOR_NAME,
score=risk_score,
reliability=reliability,
)
file_entry = Common.File(
sha256=sha256, md5=md5, sha1=sha1, dbot_score=dbot_score
)
message = {
"message": result.get("message", ""),
"code": result.get("code", ""),
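Review bot: the indicator is built unconditionally, but while the task is still running the response carries no `digest`, so `sha256`, `md5` and `sha1` are all `None` and `Common.DBotScore(indicator=None, ...)` / `Common.File(...)` are still created; guard with `if sha256:` and pass `indicator=None` to `CommandResults` otherwise. Also `result.get("data", {}).get("digest", {})` raises `AttributeError` if the API returns `"digest": null`, because `.get` returns the `None` value rather than the default; `(result.get("data") or {}).get("digest") or {}` is the safer chain.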
Expand All @@ -319,6 +336,11 @@ def sandbox_submission_polling(self, data: Dict[str, Any]) -> Any:
.get("analysisSummary", "")
.get("trueFileType", ""),
"report_id": result.get("data", {}).get("reportId", ""),
"DBotScore": {
"Score": dbot_score.score,
"Vendor": dbot_score.integration_name,
"Reliability": dbot_score.reliability,
},
}
return CommandResults(
readable_output=tableToMarkdown(
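Review bot: the nested `DBotScore` dict in `message` duplicates what `indicator=file_entry` already writes to the standard `DBotScore` context, so the two copies can drift if one is edited later; if the nested copy is intentional for the readable table, document that, and note that its `Score` key is capitalised whereas the README rows added in this commit document `score`.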
Expand All @@ -327,6 +349,7 @@ def sandbox_submission_polling(self, data: Dict[str, Any]) -> Any:
outputs_prefix="VisionOne.Sandbox_Submission_Polling",
outputs_key_field="report_id",
outputs=message,
indicator=file_entry,
)

def lookup_type(self, param: Any) -> str:
Expand Down Expand Up @@ -428,6 +451,30 @@ def get_workbench_histories(self, start, end, offset=None, size=None) -> str:
]
return response

def incident_severity_to_dbot_score(self, severity: str):
"""
Converts an priority string to DBot score representation
alert severity. Can be one of:
Unknown -> 0
No Risk -> 1
Low or Medium -> 2
Critical or High -> 3
Args:
severity: String representation of severity.
Returns:
Dbot representation of severity
"""
if not isinstance(severity, str):
return 0

if severity == "noRisk":
return 1
if severity in ["low", "medium"]:
return 2
if severity in ["high", "critical"]:
return 3
return 0


def run_polling_command(
args: Dict[str, Any], cmd: str, client: Client
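Review bot: the docstring of `incident_severity_to_dbot_score` reads "Converts an priority string" and lists "No Risk", while the code compares the API value `"noRisk"`; fix the grammar and quote the literal values the function accepts. The comparison is case-sensitive, so a value such as `High` silently falls through to 0 (Unknown); normalise with `severity.lower()` and compare against lowercase keys, and replace the if-chain with a dict lookup plus a `-> int` return annotation, e.g. `return {"norisk": 1, "low": 2, "medium": 2, "high": 3, "critical": 3}.get(severity.lower(), 0)`.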
Expand Down Expand Up @@ -664,6 +711,7 @@ def fetch_incidents(client: Client):
incident = {
"name": record["workbenchName"],
"occurred": record["createdTime"],
"severity": client.incident_severity_to_dbot_score(record["severity"]),
"rawJSON": json.dumps(record),
}
incidents.append(incident)
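Review bot: `incident_severity_to_dbot_score` returns a DBot score (0 to 3), but the `severity` field of an XSOAR incident uses the 0 to 4 scale where 3 is High and 4 is Critical, so a `critical` workbench alert is fetched as High and `noRisk` becomes Low instead of Informational or Unknown. Use a separate mapping for incident severity (e.g. `{"low": 1, "medium": 2, "high": 3, "critical": 4}`) rather than reusing the DBot mapping here.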
Expand Down Expand Up @@ -1047,6 +1095,21 @@ def get_file_analysis_status(
"""
task_id = args.get(TASKID)
response = client.http_request(GET, GET_FILE_STATUS.format(taskId=task_id))
risk = response.get("data", {}).get("analysisSummary", {}).get("riskLevel", "")
risk_score = client.incident_severity_to_dbot_score(risk)
sha256 = response.get("data", {}).get("digest", {}).get("sha256")
md5 = response.get("data", {}).get("digest", {}).get("md5")
sha1 = response.get("data", {}).get("digest", {}).get("sha1")
reliability = demisto.params().get("integrationReliability")
dbot_score = Common.DBotScore(
indicator=sha256,
indicator_type=DBotScoreType.FILE,
integration_name=VENDOR_NAME,
score=risk_score,
reliability=reliability,
)

file_entry = Common.File(sha256=sha256, md5=md5, sha1=sha1, dbot_score=dbot_score)

message = {
"message": response.get("message", ""),
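Review bot: this block is a verbatim copy of the one added to `sandbox_submission_polling` (risk lookup, three hash lookups, reliability, `Common.DBotScore`, `Common.File`); extract it into one helper such as `build_file_indicator(client, response)` that returns the `Common.File` (or `None` when no digest is present) so both commands stay in sync and the `digest`/`None` guard only needs to be written once.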
Expand All @@ -1073,6 +1136,11 @@ def get_file_analysis_status(
.get("analysisSummary", "")
.get("trueFileType", ""),
"report_id": response.get("data", {}).get("reportId", ""),
"DBotScore": {
"Score": dbot_score.score,
"Vendor": dbot_score.integration_name,
"Reliability": dbot_score.reliability,
},
}
results = CommandResults(
readable_output=tableToMarkdown(
Expand All @@ -1081,6 +1149,7 @@ def get_file_analysis_status(
outputs_prefix="VisionOne.File_Analysis_Status",
outputs_key_field="message",
outputs=message,
indicator=file_entry,
)
return results

Expand Up @@ -49,6 +49,20 @@ configuration:
defaultvalue: 'false'
type: 8
required: false
- additionalinfo: Reliability of the source providing the intelligence data.
defaultvalue: B - Usually reliable
display: Source Reliability
name: integrationReliability
options:
- A+ - 3rd party enrichment
- A - Completely reliable
- B - Usually reliable
- C - Fairly reliable
- D - Not usually reliable
- E - Unreliable
- F - Reliability cannot be judged
type: 15
required: false
description: Trend Micro Vision One is a purpose-built threat defense platform that provides added value and new benefits beyond XDR solutions, allowing you to see more and respond faster. Providing deep and broad extended detection and response (XDR) capabilities that collect and automatically correlate data across multiple security layers—email, endpoints, servers, cloud workloads, and networks—Trend Micro Vision One prevents the majority of attacks with automated protection.
display: Trend Micro Vision One
defaultmapperin: Trend Micro Vision One XDR - Incoming Mapper
Expand Down Expand Up @@ -437,6 +451,15 @@ script:
- contextPath: VisionOne.File_Analysis_Status.report_id
description: ID used to get the report and suspicious object. Empty means no report.
type: string
- contextPath: VisionOne.File_Analysis_Status.DBotScore.Score
description: The DBot score.
type: number
- contextPath: VisionOne.File_Analysis_Status.DBotScore.Vendor
description: The Vendor name.
type: string
- contextPath: VisionOne.File_Analysis_Status.DBotScore.Reliability
description: The Reliability level.
type: string
- arguments:
- description: report_id of the sandbox submission retrieved from the trendmicro-visionone-get-file-analysis-status command
name: report_id
Expand Down Expand Up @@ -626,6 +649,15 @@ script:
- contextPath: VisionOne.Sandbox_Submission_Polling.report_id
description: ID used to get the report and suspicious object. Empty means no report.
type: string
- contextPath: VisionOne.Sandbox_Submission_Polling.DBotScore.Score
description: The DBot score.
type: number
- contextPath: VisionOne.Sandbox_Submission_Polling.DBotScore.Vendor
description: The Vendor name.
type: string
- contextPath: VisionOne.Sandbox_Submission_Polling.DBotScore.Reliability
description: The Reliability level.
type: string
description: Runs a polling command to retrieve the status of a sandbox analysis submission
name: trendmicro-visionone-run-sandbox-submission-polling
polling: true
Expand Down Expand Up @@ -692,7 +724,7 @@ script:
type: string
description: Updates the status of a workbench alert
name: trendmicro-visionone-update-status
dockerimage: demisto/python3:3.10.9.40422
dockerimage: demisto/python3:3.10.9.44472
isFetchSamples: true
isfetch: true
runonce: false
3 changes: 3 additions & 0 deletions Packs/TrendMicroVisionOne/ReleaseNotes/1_3_0.md
@@ -0,0 +1,3 @@
#### Integrations
##### Trend Micro Vision One
- Added DbotScore calculation for the ***trendmicro-visionone-run-sandbox-submission-polling*** and ***trendmicro-visionone-get-file-analysis-status*** commands.
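Review bot: the release note spells the context object `DbotScore` while the code, YAML and README use `DBotScore`; use the standard spelling. It also omits the user-visible changes in the same commit: the new **Source Reliability** (`integrationReliability`) configuration parameter, the Docker image bump to `demisto/python3:3.10.9.44472`, and the incident severity now being populated in `fetch_incidents`; each deserves its own bullet.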
4 changes: 2 additions & 2 deletions Packs/TrendMicroVisionOne/pack_metadata.json
Expand Up @@ -2,7 +2,7 @@
"name": "Trend Micro Vision One",
"description": "Trend Micro Vision One is a purpose-built threat defense platform that provides added value and new benefits beyond XDR solutions, allowing you to see more and respond faster. Providing deep and broad extended detection and response(XDR) capabilities that collect and automatically correlate data across multiple security layers\u2014email, endpoints, servers, cloud workloads, and networks\u2014Trend Micro Vision One prevents the majority of attacks with automated protection.",
"support": "partner",
"currentVersion": "1.2.3",
"currentVersion": "1.3.0",
"serverMinVersion": "6.2.0",
"author": "Trend Micro",
"url": "https://success.trendmicro.com",
Expand All @@ -26,4 +26,4 @@
"xsoar",
"marketplacev2"
]
}
}