Cybersixgill alerts typosquatting (#31386)

* Cybersixgill alerts typosquatting (#30787) * Added mapper for 2 custom incident fields * Updated release notes. * Added typosquatting to known words * new Incident fields and incomming mapper formated * Release notes reviewed. * setting unseachable to true. * Suspicious and Triggered domain as tables. * Moved 3 mappings from code to mapper. * Updated test case * Updated test case * Added default mapper and updated docker image version * Added breaking change note * Removed breaking change note * Renamed files as per suggestion * renamed mapper as per suggestion * Added new release note. * Changed id and name for incident fields and updated docker image name * update RN * update RN, update fields names, update mapper * update id, update RN * Update 1_2_10.md * Update incidentfield-Cybersixgill_Triggered_Domain.json * update docker * ID value contained invalid caps character. * changing type in fields to tagselect --------- Co-authored-by: Sapir Shuker <49246861+sapirshuker@users.noreply.github.com> Co-authored-by: sapirshuker <sshuker@paloaltonetworks.com> * docker image update --------- Co-authored-by: syed-loginsoft <97145640+syed-loginsoft@users.noreply.github.com> Co-authored-by: Sapir Shuker <49246861+sapirshuker@users.noreply.github.com> Co-authored-by: sapirshuker <sshuker@paloaltonetworks.com>
demisto · Dec 10, 2023 · c6f93b9 · c6f93b9
1 parent 07b8c1b
commit c6f93b9
Show file tree

Hide file tree

Showing 10 changed files with 124 additions and 18 deletions.
diff --git a/Packs/Cybersixgill-ActionableAlerts/.pack-ignore b/Packs/Cybersixgill-ActionableAlerts/.pack-ignore
@@ -20,4 +20,5 @@ ignore=IF115
 ignore=BA124
 
 [known_words]
-Cybersixgill
+Cybersixgill
+typosquatting
diff --git a/...tionableAlerts/Classifiers/classifier-mapper-incoming-Cybersixgill-Actionable-Alerts.json b/...tionableAlerts/Classifiers/classifier-mapper-incoming-Cybersixgill-Actionable-Alerts.json
@@ -0,0 +1,31 @@
+{
+	"description": "",
+	"feed": false,
+	"id": "Cybersixgill Actionable Alerts - Incoming Mapper",
+	"mapping": {
+		"Cybersixgill Actionable Alerts": {
+			"dontMapEventToLabels": true,
+			"internalMapping": {
+				"Cybersixgill CVSS 2.0": {
+					"simple": "additional_info.nvd.v3.current"
+				},
+				"Cybersixgill CVSS 3.1": {
+					"simple": "additional_info.nvd.v2.current"
+				},
+				"Cybersixgill DVE Score": {
+					"simple": "additional_info.score.current"
+				},
+				"Cybersixgill Suspicious domain": {
+					"simple": "additional_info.tables.suspicious_domain"
+				},
+				"Cybersixgill Triggered domain": {
+					"simple": "additional_info.tables.triggered_domain"
+				}
+			}
+		}
+	},
+	"name": "Cybersixgill Actionable Alerts - Incoming Mapper",
+	"type": "mapping-incoming",
+	"version": -1,
+    "fromVersion": "6.10.0"
+}
diff --git a/...sixgill-ActionableAlerts/IncidentFields/incidentfield-Cybersixgill_Suspicious_Domain.json b/...sixgill-ActionableAlerts/IncidentFields/incidentfield-Cybersixgill_Suspicious_Domain.json
@@ -0,0 +1,31 @@
+{
+    "id": "incident_cybersixgillsuspiciousdomain",
+    "version": -1,
+    "modified": "2023-11-09T22:08:56.499540505+05:30",
+    "name": "Cybersixgill Suspicious domain",
+    "ownerOnly": false,
+    "description": "Suspicious Domain",
+    "cliName": "cybersixgillsuspiciousdomain",
+    "type": "tagsSelect",
+    "closeForm": false,
+    "editForm": true,
+    "required": false,
+    "neverSetAsRequired": false,
+    "isReadOnly": true,
+    "useAsKpi": false,
+    "locked": false,
+    "system": false,
+    "content": true,
+    "group": 0,
+    "hidden": false,
+    "associatedTypes": [
+        "Cybersixgill Actionable Alerts"
+    ],
+    "associatedToAll": false,
+    "unmapped": false,
+    "unsearchable": true,
+    "caseInsensitive": true,
+    "sla": 0,
+    "threshold": 72,
+    "fromVersion": "6.10.0"
+}
diff --git a/...rsixgill-ActionableAlerts/IncidentFields/incidentfield-Cybersixgill_Triggered_Domain.json b/...rsixgill-ActionableAlerts/IncidentFields/incidentfield-Cybersixgill_Triggered_Domain.json
@@ -0,0 +1,32 @@
+{
+    "id": "incident_cybersixgilltriggereddomain",
+    "version": -1,
+    "modified": "2023-11-09T22:08:00.46683194+05:30",
+    "name": "Cybersixgill Triggered domain",
+    "ownerOnly": false,
+    "description": "Triggered domain",
+    "cliName": "cybersixgilltriggereddomain",
+    "type": "tagsSelect",
+    "closeForm": false,
+    "editForm": true,
+    "required": false,
+    "neverSetAsRequired": false,
+    "isReadOnly": true,
+    "useAsKpi": false,
+    "locked": false,
+    "system": false,
+    "content": true,
+    "group": 0,
+    "hidden": false,
+    "openEnded": false,
+    "associatedTypes": [
+        "Cybersixgill Actionable Alerts"
+    ],
+    "associatedToAll": false,
+    "unmapped": false,
+    "unsearchable": true,
+    "caseInsensitive": true,
+    "sla": 0,
+    "threshold": 72,
+    "fromVersion": "6.10.0"
+}
diff --git a/...ctionableAlerts/Integrations/CybersixgillActionableAlerts/CybersixgillActionableAlerts.py b/...ctionableAlerts/Integrations/CybersixgillActionableAlerts/CybersixgillActionableAlerts.py
@@ -83,9 +83,6 @@ def add_sub_alerts_shared_fields(incident, item_info):
         'cybersixgillassessment': item_info.get('assessment', None),
         'cybersixgillrecommendations': '\n\n-----------\n\n'.join(item_info.get('recommendations', [])),
         'incidentlink': f"https://portal.cybersixgill.com/#/?actionable_alert={item_info.get('id', '')}",
-        'cybersixgillcvss31': -1,
-        'cybersixgillcvss20': -1,
-        'cybersixgilldvescore': -1,
         'cve': None,
         'cybersixgillattributes': None
     }
@@ -130,11 +127,6 @@ def get_alert_content(content_item, item_info, incident, sixgill_alerts_client):
         content_item['content'] = f'https://portal.cybersixgill.com/#/cve/{cve_id}'
         additional_info = item_info.get("additional_info", {})
         incident['CustomFields']['cve'] = cve_id
-        cybersixgillcvss31 = additional_info.get("nvd", {}).get("v3", {}).get("current")
-        cybersixgillcvss20 = additional_info.get("nvd", {}).get("v2", {}).get("current")
-        incident['CustomFields']['cybersixgillcvss31'] = cybersixgillcvss31 or -1
-        incident['CustomFields']['cybersixgillcvss20'] = cybersixgillcvss20 or -1
-        incident['CustomFields']['cybersixgilldvescore'] = additional_info.get("score", {}).get("current")
         attributes = []
         for attribute in additional_info.get("attributes", []):
             if attribute.get("value", False):

diff --git a/...tionableAlerts/Integrations/CybersixgillActionableAlerts/CybersixgillActionableAlerts.yml b/...tionableAlerts/Integrations/CybersixgillActionableAlerts/CybersixgillActionableAlerts.yml
@@ -98,7 +98,7 @@ display: Cybersixgill Actionable Alerts
 name: Cybersixgill_Actionable_Alerts
 script:
   commands:
-  - description: updates the existing actionable alert status
+  - description: updates the existing actionable alert status.
     name: cybersixgill-update-alert-status
     arguments:
     - required: true
@@ -109,7 +109,7 @@ script:
       name: alert_status
     - description: The aggregate alert id.
       name: aggregate_alert_id
-  dockerimage: demisto/sixgill:1.0.0.82351
+  dockerimage: demisto/sixgill:1.0.0.83225
   isfetch: true
   runonce: false
   script: '-'
@@ -118,3 +118,4 @@ script:
 tests:
 - No tests
 fromversion: 5.0.0
+defaultmapperin: Cybersixgill Actionable Alerts - Incoming Mapper
diff --git a/...ableAlerts/Integrations/CybersixgillActionableAlerts/CybersixgillActionableAlerts_test.py b/...ableAlerts/Integrations/CybersixgillActionableAlerts/CybersixgillActionableAlerts_test.py
@@ -182,9 +182,6 @@
             "cybersixgillsite": "rw_everest",
             "cybersixgillactor": None,
             "cybersixgilltriggeredassets": ["Walmart"],
-            "cybersixgillcvss31": -1,
-            "cybersixgillcvss20": -1,
-            "cybersixgilldvescore": -1,
             "cve": None,
             "cybersixgillattributes": None,
         },
@@ -215,9 +212,6 @@
     "CustomFields": {
         "cve": "Sample ID",
         "cybersixgillattributes": "",
-        "cybersixgillcvss20": -1,
-        "cybersixgillcvss31": -1,
-        "cybersixgilldvescore": None,
     },
     "alert_name": "Your organization was potentially targeted by a ransomware group",
     "content": "text",

diff --git a/Packs/Cybersixgill-ActionableAlerts/ReleaseNotes/1_2_10.json b/Packs/Cybersixgill-ActionableAlerts/ReleaseNotes/1_2_10.json
@@ -0,0 +1,4 @@
+{
+    "breakingChanges": true,
+    "breakingChangesNotes": "Field mapping moved from code to incoming mapper (classifier-mapper-incoming-Cybersixgill-Actionable-Alerts). Please select the mentioned mapper on integration instance configuration to ensure smooth transition."
+}
diff --git a/Packs/Cybersixgill-ActionableAlerts/ReleaseNotes/1_2_10.md b/Packs/Cybersixgill-ActionableAlerts/ReleaseNotes/1_2_10.md
@@ -0,0 +1,20 @@
+
+#### Integrations
+
+##### Cybersixgill Actionable Alerts
+
+- The *cybersixgillcvss31*, *cybersixgillcvss20*, *cybersixgilldvescore* incident fields are now mapped by the mapper.
+- Updated the Docker image to: *demisto/sixgill:1.0.0.83225*.
+
+#### Mappers
+
+##### New: Cybersixgill Actionable Alerts - Incoming Mapper
+
+- New: Added the mapper for incident type Cybersixgill Actionable Alert (Available from Cortex XSOAR 6.10.0).
+
+#### Incident Fields
+
+- New: **Cybersixgill Suspicious domain**
+
+- New: **Cybersixgill Triggered domain**
+
diff --git a/Packs/Cybersixgill-ActionableAlerts/pack_metadata.json b/Packs/Cybersixgill-ActionableAlerts/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Cybersixgill Actionable Alerts",
     "description": "The integration allow retrieving Cybersixgill's actionable alerts based on organization assets",
     "support": "partner",
-    "currentVersion": "1.2.9",
+    "currentVersion": "1.2.10",
     "author": "Cybersixgill",
     "url": "https://www.cybersixgill.com/",
     "email": "getstarted@cybersixgill.com",