From c69c3ccf19d934e98794aee9e2eeb8289fe880e8 Mon Sep 17 00:00:00 2001 
From: content-bot <55035720+content-bot@users.noreply.github.com> Date: Thu, 19 Jan 2023 22:43:36 +0200 Subject: [PATCH] Trend micro vision one (#23778) (#23958) * removed microsocks Potentially harmful * imported urllib3 and removed reference to requests.packages. Updated release notes and TrendMicroVisionOne.yml * added action to add file entry from incident to sandbox and action to get result of file entry analysis status * removed redundant action to check sandbox submission status * added polling command for sandbox submissions * added unit tests for file entry to sandbox and polling for sandbox submissions * added unit tests for submit file entry and sandbox polling command * updated yml to include submit-file-entry-to-sandbox and run-sandbox-submission-polling * Update README.md Added hints for command execution order * Update README.md Updated Notes for better readability. * Update README.md Updated README.md for better readability. * updated release notes to indicate addition of submit file entry to sandbox and sandbox submission polling command * formatted files per XSOAR standards * Added command examples for V2 actions * added test_data folder containing example responses * Update README.md Added link to supported file types in submit file to sandbox and submit file entry to sandbox. 
* removed unused mock test case for submit file entry to sandbox and test_data folder with mock responses * Added submit file entry to sandbox and run sandbox submission polling and their respective unit tests and command_examples * added demosti.patch.object to get custom data for demisto.getFilePath in submit file entry to sandbox * updated polling comamnd per XSOAR standards and updated YAML to include polling in sandbox submissing polling command root * TrendMicroVisionOne_description * updated sandbox submission command example to include polling arg * updated yml to include polling in root of sandbox submission polling * removed unused variable declarations * updated doc string for sandbox submission polling * updated min server version to 6.2.0 in sandbox polling unit test * updated if check to differentiate between cmd instead of args * added dbotscore for sandbox submissions status and sandbox polling commands * added doc string for dbot severity helper function * Updated Vendor Name to match integration pack * updated risk to look for obj instead of str and updated release notes and updated docker image version * added dbotscore to VisionOne context data and updated YML and README.md accordingly * small context output fix * Update 1_3_0.md Co-authored-by: yaakovpraisler Co-authored-by: Yaakov Praisler <59408745+yaakovpraisler@users.noreply.github.com> Co-authored-by: shaqnawe Co-authored-by: yaakovpraisler Co-authored-by: Yaakov Praisler <59408745+yaakovpraisler@users.noreply.github.com> --- .../TrendMicroVisionOne/README.md | 8 ++- .../TrendMicroVisionOne.py | 69 +++++++++++++++++++ .../TrendMicroVisionOne.yml | 34 ++++++++- .../TrendMicroVisionOne/ReleaseNotes/1_3_0.md | 3 + Packs/TrendMicroVisionOne/pack_metadata.json | 4 +- 5 files changed, 114 insertions(+), 4 deletions(-) create mode 100644 Packs/TrendMicroVisionOne/ReleaseNotes/1_3_0.md 
diff --git a/Packs/TrendMicroVisionOne/Integrations/TrendMicroVisionOne/README.md b/Packs/TrendMicroVisionOne/Integrations/TrendMicroVisionOne/README.md
index ac250de70fe4..4a999dce64e7 100755
--- a/Packs/TrendMicroVisionOne/Integrations/TrendMicroVisionOne/README.md
+++ b/Packs/TrendMicroVisionOne/Integrations/TrendMicroVisionOne/README.md
@@ -383,11 +383,14 @@ Retrieves the status of a sandbox analysis submission
 | VisionOne.File_Analysis_Status.digest | string | The hash values of file analyzed |
 | VisionOne.File_Analysis_Status.analysis_completion_time | string | Sample analysis completed time. |
 | VisionOne.File_Analysis_Status.risk_level | string | Risk Level of the analyzed file. |
-| VisionOne.File_Analysis_Status.descritption | string | Scan result description for NotAnalyzed. |
+| VisionOne.File_Analysis_Status.descritption | string | Scan result description for NotAnalyzed. |
 | VisionOne.File_Analysis_Status.detection_name_list | unknown | Detection name of this sample, if applicable. |
 | VisionOne.File_Analysis_Status.threat_type_list | unknown | Threat type of this sample. |
 | VisionOne.File_Analysis_Status.file_type | string | File type of this sample. |
 | VisionOne.File_Analysis_Status.report_id | string | ID used to get the report and suspicious object. Empty means no report. |
+| VisionOne.File_Analysis_Status.DBotScore.score | number | The DBot score. |
+| VisionOne.File_Analysis_Status.DBotScore.Vendor | string | The Vendor name. |
+| VisionOne.File_Analysis_Status.DBotScore.Reliability | string | The reliability level. |
 ### trendmicro-visionone-get-file-analysis-report
@@ -561,6 +564,9 @@ Runs a polling command to retrieve the status of a sandbox analysis submission
 | VisionOne.Sandbox_Submission_Polling.threat_type_list | unknown | Threat type of this sample. |
 | VisionOne.Sandbox_Submission_Polling.file_type | string | File type of this sample. |
 | VisionOne.Sandbox_Submission_Polling.report_id | string | ID used to get the report and suspicious object. Empty means no report. |
+| VisionOne.Sandbox_Submission_Polling.DBotScore.score | number | The DBot score. |
+| VisionOne.Sandbox_Submission_Polling.DBotScore.Vendor | string | The Vendor name. |
+| VisionOne.Sandbox_Submission_Polling.DBotScore.Reliability | string | The reliability level. |
 ### trendmicro-visionone-check-task-status
diff --git a/Packs/TrendMicroVisionOne/Integrations/TrendMicroVisionOne/TrendMicroVisionOne.py b/Packs/TrendMicroVisionOne/Integrations/TrendMicroVisionOne/TrendMicroVisionOne.py
index 36fc31744d6c..69e54e3fdd01 100644
--- a/Packs/TrendMicroVisionOne/Integrations/TrendMicroVisionOne/TrendMicroVisionOne.py
+++ b/Packs/TrendMicroVisionOne/Integrations/TrendMicroVisionOne/TrendMicroVisionOne.py
@@ -14,6 +14,7 @@
 """CONSTANTS"""
 USER_AGENT = "TMV1CortexXSOARApp/1.1"
+VENDOR_NAME = "TrendMicroVisionOne"
 URL = "url"
 POST = "post"
 GET = "get"
@@ -294,6 +295,22 @@ def sandbox_submission_polling(self, data: Dict[str, Any]) -> Any:
 """
 task_id = data.get(TASKID)
 result = self.http_request(GET, GET_FILE_STATUS.format(taskId=task_id))
+ risk = result.get("data", {}).get("analysisSummary", {}).get("riskLevel", "")
+ risk_score = self.incident_severity_to_dbot_score(risk)
+ sha256 = result.get("data", {}).get("digest", {}).get("sha256")
+ md5 = result.get("data", {}).get("digest", {}).get("md5")
+ sha1 = result.get("data", {}).get("digest", {}).get("sha1")
+ reliability = demisto.params().get("integrationReliability")
+ dbot_score = Common.DBotScore(
+ indicator=sha256,
+ indicator_type=DBotScoreType.FILE,
+ integration_name=VENDOR_NAME,
+ score=risk_score,
+ reliability=reliability,
+ )
+ file_entry = Common.File(
+ sha256=sha256, md5=md5, sha1=sha1, dbot_score=dbot_score
+ )
 message = {
 "message": result.get("message", ""),
 "code": result.get("code", ""),
@@ -319,6 +336,11 @@ def sandbox_submission_polling(self, data: Dict[str, Any]) -> Any:
 .get("analysisSummary", "")
 .get("trueFileType", ""),
 "report_id": result.get("data", {}).get("reportId", ""),
+ "DBotScore": {
+ "Score": dbot_score.score,
+ "Vendor": dbot_score.integration_name,
+ "Reliability": dbot_score.reliability,
+ },
 }
 return CommandResults(
 readable_output=tableToMarkdown(
@@ -327,6 +349,7 @@ def sandbox_submission_polling(self, data: Dict[str, Any]) -> Any:
 outputs_prefix="VisionOne.Sandbox_Submission_Polling",
 outputs_key_field="report_id",
 outputs=message,
+ indicator=file_entry,
 )
 def lookup_type(self, param: Any) -> str:
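Review bot: The file indicator is attached unconditionally, so when the response carries no `digest` — a case the `.get("digest", {})` defaults already anticipate, e.g. a submission whose analysis has not produced a sample yet — `Common.DBotScore` is created with `indicator=None` and CommandResults will emit a DBotScore/File context entry with an empty indicator (and, with `riskLevel` also absent, score 0). I would build and attach the indicator only when a SHA-256 is present, and take the summary dict's `DBotScore` values from the plain variables so the message block in the next hunk no longer depends on `dbot_score` existing; `or {}` additionally tolerates a JSON `null` digest, which the current `.get` defaults do not (whether the API ever returns null is not visible here). sandbox_submission_polling starts before this hunk, and the `indicator=file_entry` line it feeds is in the third hunk on this line.
```python
        risk = result.get("data", {}).get("analysisSummary", {}).get("riskLevel", "")
        risk_score = self.incident_severity_to_dbot_score(risk)
        digest = result.get("data", {}).get("digest") or {}
        sha256 = digest.get("sha256")
        reliability = demisto.params().get("integrationReliability")
        # Only score a file we can actually identify; a status response without
        # a digest must not produce a DBotScore with an empty indicator.
        file_entry = None
        if sha256:
            dbot_score = Common.DBotScore(
                indicator=sha256,
                indicator_type=DBotScoreType.FILE,
                integration_name=VENDOR_NAME,
                score=risk_score,
                reliability=reliability,
            )
            file_entry = Common.File(
                sha256=sha256, md5=digest.get("md5"), sha1=digest.get("sha1"), dbot_score=dbot_score
            )
        # … unchanged: message dict up to "report_id" …
            "DBotScore": {
                "Score": risk_score,
                "Vendor": VENDOR_NAME,
                "Reliability": reliability,
            },
        # … unchanged: CommandResults(..., indicator=file_entry) …
```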
@@ -428,6 +451,30 @@ def get_workbench_histories(self, start, end, offset=None, size=None) -> str:
 ]
 return response
+ def incident_severity_to_dbot_score(self, severity: str):
+ """
+ Converts an priority string to DBot score representation
+ alert severity. Can be one of:
+ Unknown -> 0
+ No Risk -> 1
+ Low or Medium -> 2
+ Critical or High -> 3
+ Args:
+ severity: String representation of severity.
+ Returns:
+ Dbot representation of severity
+ """
+ if not isinstance(severity, str):
+ return 0
+
+ if severity == "noRisk":
+ return 1
+ if severity in ["low", "medium"]:
+ return 2
+ if severity in ["high", "critical"]:
+ return 3
+ return 0
+
 def run_polling_command(
 args: Dict[str, Any], cmd: str, client: Client
@@ -664,6 +711,7 @@ def fetch_incidents(client: Client):
 incident = {
 "name": record["workbenchName"],
 "occurred": record["createdTime"],
+ "severity": client.incident_severity_to_dbot_score(record["severity"]),
 "rawJSON": json.dumps(record),
 }
 incidents.append(incident)
@@ -1047,6 +1095,21 @@ def get_file_analysis_status(
 """
 task_id = args.get(TASKID)
 response = client.http_request(GET, GET_FILE_STATUS.format(taskId=task_id))
+ risk = response.get("data", {}).get("analysisSummary", {}).get("riskLevel", "")
+ risk_score = client.incident_severity_to_dbot_score(risk)
+ sha256 = response.get("data", {}).get("digest", {}).get("sha256")
+ md5 = response.get("data", {}).get("digest", {}).get("md5")
+ sha1 = response.get("data", {}).get("digest", {}).get("sha1")
+ reliability = demisto.params().get("integrationReliability")
+ dbot_score = Common.DBotScore(
+ indicator=sha256,
+ indicator_type=DBotScoreType.FILE,
+ integration_name=VENDOR_NAME,
+ score=risk_score,
+ reliability=reliability,
+ )
+
+ file_entry = Common.File(sha256=sha256, md5=md5, sha1=sha1, dbot_score=dbot_score)
 message = {
 "message": response.get("message", ""),
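Review bot: The docstring does not describe what the new method actually compares: it is labelled a priority/alert-severity converter and lists `No Risk`, `Low or Medium`, `Critical or High`, while the code matches the exact, case-sensitive literals `noRisk`, `low`, `medium`, `high`, `critical` (the sandbox `riskLevel` values, judging by both call sites), and anything else — including a non-string — yields 0. I would replace the docstring with: Map a Vision One sandbox `riskLevel` to a DBot score: `noRisk` → 1 (Good), `low`/`medium` → 2 (Suspicious), `high`/`critical` → 3 (Bad); the match is exact and case-sensitive, and any other value or a non-string → 0 (Unknown). Adding `-> int` to the signature would document the return as well. The method sits inside the Client class, whose body continues outside this hunk.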
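Review bot: `severity` on the fetched incident is set from a DBot-score mapper, but XSOAR incident severity is a different scale (0 Unknown, 1 Low, 2 Medium, 3 High, 4 Critical), so with this mapping a `critical` workbench alert is filed as High (3), `low` and `medium` both land on Medium (2) and `noRisk` becomes Low (1) — which flattens exactly the ordering analysts triage the queue by. A dedicated lookup keeps the two scales apart, e.g. `"severity": {"low": 1, "medium": 2, "high": 3, "critical": 4}.get(record.get("severity"), 0),`, and `record.get` also avoids a KeyError on a record without `severity` (the neighbouring fields are indexed directly, so confirm whether the workbench API guarantees the key). The strings Vision One uses for workbench severity are not visible here; if they differ from the sandbox `riskLevel` literals the reused mapper would silently return 0 for every alert. fetch_incidents starts before this hunk and ends after it.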
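Review bot: The nine lines that derive the risk score, pull the three hashes and build `Common.DBotScore`/`Common.File` are a verbatim copy of the block added to `sandbox_submission_polling` earlier in this patch, differing only in `response` vs `result` and `client.` vs `self.`; two copies of the logic that decides whether a hash is published as Bad will drift the first time one of them is hardened (reliability default, missing digest, vendor name). A small Client helper keeps that decision in one place; the caller then becomes `file_entry = client.build_file_indicator(response)` and `dbot_score = file_entry.dbot_score` (Common.File keeps the score under that attribute in CommonServerPython — verify against the version in the pinned docker image). get_file_analysis_status starts before this hunk and continues past it.
```python
    def build_file_indicator(self, response: Dict[str, Any]) -> Common.File:
        """Build the File indicator (with its DBotScore) for a sandbox status response."""
        data = response.get("data", {})
        risk = data.get("analysisSummary", {}).get("riskLevel", "")
        digest = data.get("digest", {})
        dbot_score = Common.DBotScore(
            indicator=digest.get("sha256"),
            indicator_type=DBotScoreType.FILE,
            integration_name=VENDOR_NAME,
            score=self.incident_severity_to_dbot_score(risk),
            reliability=demisto.params().get("integrationReliability"),
        )
        return Common.File(
            sha256=digest.get("sha256"),
            md5=digest.get("md5"),
            sha1=digest.get("sha1"),
            dbot_score=dbot_score,
        )
```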
@@ -1073,6 +1136,11 @@ def get_file_analysis_status(
 .get("analysisSummary", "")
 .get("trueFileType", ""),
 "report_id": response.get("data", {}).get("reportId", ""),
+ "DBotScore": {
+ "Score": dbot_score.score,
+ "Vendor": dbot_score.integration_name,
+ "Reliability": dbot_score.reliability,
+ },
 }
 results = CommandResults(
 readable_output=tableToMarkdown(
@@ -1081,6 +1149,7 @@ def get_file_analysis_status(
 outputs_prefix="VisionOne.File_Analysis_Status",
 outputs_key_field="message",
 outputs=message,
+ indicator=file_entry,
 )
 return results
diff --git a/Packs/TrendMicroVisionOne/Integrations/TrendMicroVisionOne/TrendMicroVisionOne.yml b/Packs/TrendMicroVisionOne/Integrations/TrendMicroVisionOne/TrendMicroVisionOne.yml
index b1d045bc22e2..38d6936fd0c6 100644
--- a/Packs/TrendMicroVisionOne/Integrations/TrendMicroVisionOne/TrendMicroVisionOne.yml
+++ b/Packs/TrendMicroVisionOne/Integrations/TrendMicroVisionOne/TrendMicroVisionOne.yml
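Review bot: The `DBotScore` dict added to `message` duplicates what the `indicator=file_entry` argument in the next hunk already produces: a `Common.File` carrying a `Common.DBotScore` is written by CommandResults to the standard `DBotScore` and `File` context paths (as CommonServerPython does for any indicator passed that way), so the same verdict now also lives under `VisionOne.File_Analysis_Status.DBotScore`, without the hash it refers to. Playbooks and the TIM should consume the standard path; if the copy is kept for the command's own output table, it should at least be self-describing, `"Indicator": dbot_score.indicator,`, so a reader can tell which file the score belongs to. The function continues past this hunk.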
@@ -49,6 +49,20 @@ configuration:
 defaultvalue: 'false'
 type: 8
 required: false
+- additionalinfo: Reliability of the source providing the intelligence data.
+ defaultvalue: B - Usually reliable
+ display: Source Reliability
+ name: integrationReliability
+ options:
+ - A+ - 3rd party enrichment
+ - A - Completely reliable
+ - B - Usually reliable
+ - C - Fairly reliable
+ - D - Not usually reliable
+ - E - Unreliable
+ - F - Reliability cannot be judged
+ type: 15
+ required: false
 description: Trend Micro Vision One is a purpose-built threat defense platform that provides added value and new benefits beyond XDR solutions, allowing you to see more and respond faster. Providing deep and broad extended detection and response (XDR) capabilities that collect and automatically correlate data across multiple security layers—email, endpoints, servers, cloud workloads, and networks—Trend Micro Vision One prevents the majority of attacks with automated protection.
 display: Trend Micro Vision One
 defaultmapperin: Trend Micro Vision One XDR - Incoming Mapper
@@ -437,6 +451,15 @@ script:
 - contextPath: VisionOne.File_Analysis_Status.report_id
 description: ID used to get the report and suspicious object. Empty means no report.
 type: string
+ - contextPath: VisionOne.File_Analysis_Status.DBotScore.Score
+ description: The DBot score.
+ type: number
+ - contextPath: VisionOne.File_Analysis_Status.DBotScore.Vendor
+ description: The Vendor name.
+ type: string
+ - contextPath: VisionOne.File_Analysis_Status.DBotScore.Reliability
+ description: The Reliability level.
+ type: string
 - arguments:
 - description: report_id of the sandbox submission retrieved from the trendmicro-visionone-get-file-analysis-status command
 name: report_id
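Review bot: The context paths declared here, `VisionOne.File_Analysis_Status.DBotScore.Score`, agree with the dict key the Python writes, but the README table added in the same commit documents the key as `DBotScore.score` in lower case (and likewise for `Sandbox_Submission_Polling`), so one of the two will mislead anyone addressing the value in a playbook. The README rows should be aligned with the YAML, e.g. `| VisionOne.File_Analysis_Status.DBotScore.Score | number | The DBot score. |`.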
@@ -626,6 +649,15 @@ script:
 - contextPath: VisionOne.Sandbox_Submission_Polling.report_id
 description: ID used to get the report and suspicious object. Empty means no report.
 type: string
+ - contextPath: VisionOne.Sandbox_Submission_Polling.DBotScore.Score
+ description: The DBot score.
+ type: number
+ - contextPath: VisionOne.Sandbox_Submission_Polling.DBotScore.Vendor
+ description: The Vendor name.
+ type: string
+ - contextPath: VisionOne.Sandbox_Submission_Polling.DBotScore.Reliability
+ description: The Reliability level.
+ type: string
 description: Runs a polling command to retrieve the status of a sandbox analysis submission
 name: trendmicro-visionone-run-sandbox-submission-polling
 polling: true
@@ -692,7 +724,7 @@ script:
 type: string
 description: Updates the status of a workbench alert
 name: trendmicro-visionone-update-status
- dockerimage: demisto/python3:3.10.9.40422
+ dockerimage: demisto/python3:3.10.9.44472
 isFetchSamples: true
 isfetch: true
 runonce: false
diff --git a/Packs/TrendMicroVisionOne/ReleaseNotes/1_3_0.md b/Packs/TrendMicroVisionOne/ReleaseNotes/1_3_0.md
new file mode 100644
index 000000000000..e57a23aa3386
--- /dev/null
+++ b/Packs/TrendMicroVisionOne/ReleaseNotes/1_3_0.md
@@ -0,0 +1,3 @@
+#### Integrations
+##### Trend Micro Vision One
+- Added DbotScore calculation for the ***trendmicro-visionone-run-sandbox-submission-polling*** and ***trendmicro-visionone-get-file-analysis-status*** commands.
diff --git a/Packs/TrendMicroVisionOne/pack_metadata.json b/Packs/TrendMicroVisionOne/pack_metadata.json
index 36b0baad44ff..fd3ee18362b2 100755
--- a/Packs/TrendMicroVisionOne/pack_metadata.json
+++ b/Packs/TrendMicroVisionOne/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Trend Micro Vision One",
 "description": "Trend Micro Vision One is a purpose-built threat defense platform that provides added value and new benefits beyond XDR solutions, allowing you to see more and respond faster. Providing deep and broad extended detection and response(XDR) capabilities that collect and automatically correlate data across multiple security layers\u2014email, endpoints, servers, cloud workloads, and networks\u2014Trend Micro Vision One prevents the majority of attacks with automated protection.",
 "support": "partner",
- "currentVersion": "1.2.3",
+ "currentVersion": "1.3.0",
 "serverMinVersion": "6.2.0",
 "author": "Trend Micro",
 "url": "https://success.trendmicro.com",
@@ -26,4 +26,4 @@
 "xsoar",
 "marketplacev2"
 ]
-}
+}
\ No newline at end of file