Added context output and indicator tagging to CreateIndicatorsFromStix (

#31485)

* Added context output and indicator tagging to CreateIndicatorsFromStix (#31140)

* Added context output and tagging to CreateIndicatorsFromSTIX.py

* Removed Spaces in CommandResults

* Added Release Note
Bumped Up Version to 1.12.50

* Update Packs/CommonScripts/Scripts/CreateIndicatorsFromSTIX/CreateIndicatorsFromSTIX.py

Co-authored-by: Adi Daud <46249224+adi88d@users.noreply.github.com>

* Update Packs/CommonScripts/Scripts/CreateIndicatorsFromSTIX/CreateIndicatorsFromSTIX.py

Co-authored-by: Adi Daud <46249224+adi88d@users.noreply.github.com>

* Update Packs/CommonScripts/Scripts/CreateIndicatorsFromSTIX/CreateIndicatorsFromSTIX.yml

Co-authored-by: Adi Daud <46249224+adi88d@users.noreply.github.com>

* Update Packs/CommonScripts/ReleaseNotes/1_12_50.md

Co-authored-by: Adi Daud <46249224+adi88d@users.noreply.github.com>

* Update Packs/CommonScripts/Scripts/CreateIndicatorsFromSTIX/CreateIndicatorsFromSTIX.py

Co-authored-by: Adi Daud <46249224+adi88d@users.noreply.github.com>

* fixes in CreateIndicatorsFromSTIX.py

* Updated YML

* Updated CreateIndicatorsFromSTIX_test.py

* Updated CreateIndicatorsFromSTIX_test.py

* Updated Docker Image Version

* Updated Release notes to align with docker version

* Added Tags to context output.

* Added outputs to CreateIndicatorsFromSTIX.yml

* Bumped up Docker Image version in Release Note and YML
Added additional asserts in test

* Adjusted Version

* Updated README.md

* Updated CreateIndicatorsFromSTIX.yml with description periods.

* Added CONTRIBUTORS.json

* Deleted CONTRIBUTORS.json

* Update 1_13_5.md

* Update CreateIndicatorsFromSTIX.yml

* Update README.md

* Update README.md

* Update Packs/CommonScripts/Scripts/CreateIndicatorsFromSTIX/CreateIndicatorsFromSTIX.yml

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/CommonScripts/Scripts/CreateIndicatorsFromSTIX/CreateIndicatorsFromSTIX.yml

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/CommonScripts/Scripts/CreateIndicatorsFromSTIX/CreateIndicatorsFromSTIX.yml

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/CommonScripts/Scripts/CreateIndicatorsFromSTIX/README.md

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/CommonScripts/Scripts/CreateIndicatorsFromSTIX/README.md

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

---------

Co-authored-by: Adi Daud <46249224+adi88d@users.noreply.github.com>
Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* merge from master

---------

Co-authored-by: Martin Ohl <Martin.Ohl@ohl-net.eu>
Co-authored-by: Adi Daud <46249224+adi88d@users.noreply.github.com>
Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>
Co-authored-by: adi88d <adaud@paloaltonetworks.com>

Packs/CommonScripts/ReleaseNotes/1_13_6.md

@@ -0,0 +1,6 @@
+#### Scripts
+
+##### CreateIndicatorsFromSTIX
+
+- Added the *add_context* and * tags* arguments for context output.
+- Updated the Docker image to: *demisto/python3:3.10.13.83255*.

Packs/CommonScripts/Scripts/CreateIndicatorsFromSTIX/CreateIndicatorsFromSTIX.py

@@ -34,34 +34,61 @@ def create_relationships_from_entity(indicator_relationships):
     return entity_relationships
 
 
-def create_indicators_loop(indicators):
+def create_indicators_loop(args, indicators):
     """ Create indicators using createNewIndicator automation
 
     :param indicators: parsed indicators
     :return: errors if exist
     """
     relationships_objects = list()
     errors = list()
+    context_data = []
+    add_context = argToBoolean(args.get('add_context', False))
+    tags = argToList(args.get('tags'))
+
     for indicator in indicators:
         indicator['type'] = indicator.get('indicator_type')
         relationship_object = create_relationships_from_entity(indicator.get('relationships'))
         if relationship_object:
             relationships_objects.extend(relationship_object)
+
+        if len(tags) > 0:
+            if 'customFields' in indicator:
+                if 'tags' in indicator.get('customFields'):
+                    [indicator['customFields']['tags'].append(ntag) for ntag in tags]
+
+        context = {'value': indicator['value'], 'type': indicator['type']}
+        if 'tags' in indicator.get('customFields'):
+            context['tags'] = indicator['customFields']['tags']
+
         res = demisto.executeCommand("createNewIndicator", indicator)
+        context_data.append(context)
+
         if is_error(res[0]):
             errors.append(f'Error creating indicator - {(res[0]["Contents"])}')
-    result = CommandResults(
-        readable_output=f"Create Indicators From STIX: {len(indicators) - len(errors)} indicators were created.",
-        relationships=relationships_objects
-    )
+
+    if add_context:
+        result = CommandResults(
+            readable_output=f"Create Indicators From STIX: {len(indicators) - len(errors)} indicators were created.",
+            relationships=relationships_objects,
+            outputs_prefix='StixIndicators',
+            outputs_key_field='value',
+            outputs=context_data
+        )
+    else:
+        result = CommandResults(
+            readable_output=f"Create Indicators From STIX: {len(indicators) - len(errors)} indicators were created.",
+            relationships=relationships_objects
+        )
+
     return result, errors
 
 
 def main():  # pragma: no cover
     args = demisto.args()
     entry_id = args.get("entry_id", "")
     indicators = parse_indicators_using_stix_parser(entry_id)
-    results, errors = create_indicators_loop(indicators)
+    results, errors = create_indicators_loop(args, indicators)
     return_results(results)
     if errors:
         return_error(json.dumps(errors, indent=4))

Packs/CommonScripts/Scripts/CreateIndicatorsFromSTIX/CreateIndicatorsFromSTIX.yml

@@ -2,6 +2,22 @@ args:
 - description: The entry ID of the STIX file.
   name: entry_id
   required: true
+- auto: PREDEFINED
+  defaultValue: "false"
+  description: Adds indicators to context.
+  name: add_context
+  predefined:
+  - "true"
+  - "false"
+- description: A comma-separated list of tags to add to indicators. 
+  name: tags
+outputs:
+- contextPath: StixIndicators.type
+  description: Type of the indicator.
+- contextPath: StixIndicators.value
+  description: Value of the indicator.
+- contextPath: StixIndicators.tags
+  description: Tags of the indicator.
 comment: Creates indicators from the submitted STIX file. Supports STIX 1.0 and STIX 2.x. This automation creates indicators and adds an indicator's relationships if available.
 commonfields:
   id: CreateIndicatorsFromSTIX

Packs/CommonScripts/Scripts/CreateIndicatorsFromSTIX/CreateIndicatorsFromSTIX_test.py

@@ -1,10 +1,7 @@
-import demistomock as demisto
-from CommonServerPython import *
-from CommonServerUserPython import *
 from CreateIndicatorsFromSTIX import *
 
 
-def test_create_indicators_loop(mocker):
+def test_create_indicators_loop_wo_args(mocker):
     """
     Given:
         - A collection of indicators in XSOAR Format
@@ -15,12 +12,40 @@ def test_create_indicators_loop(mocker):
     Then:
         - Validate the indicators extract without errors.
     """
+    args = {}
     with open('test_data/expected_result_example3.json') as json_f:
         indicators = json.load(json_f)
     mocker.patch.object(demisto, 'executeCommand', return_value=[None])
-    results, errors = create_indicators_loop(indicators=indicators)
+    results, errors = create_indicators_loop(args, indicators)
+
+    assert errors == []
+    assert results.readable_output == 'Create Indicators From STIX: 2 indicators were created.'
+
+
+def test_create_indicators_loop_w_args(mocker):
+    """
+    Given:
+        - A collection of indicators in XSOAR Format
+
+    When:
+        - Parsing stix indicators.
+
+    Then:
+        - Validate the indicators extract without errors.
+    """
+    args = {
+        'add_context': 'true',
+        'tags': 'tag1,tag2'
+    }
+
+    with open('test_data/expected_result_example3.json') as json_f:
+        indicators = json.load(json_f)
+    mocker.patch.object(demisto, 'executeCommand', return_value=[None])
+    results, errors = create_indicators_loop(args, indicators)
+
     assert errors == []
     assert results.readable_output == 'Create Indicators From STIX: 2 indicators were created.'
+    assert results.outputs[0]['tags'] == ['tag1', 'tag2']
 
 
 def test_parse_indicators_using_stix_parser(mocker):

Packs/CommonScripts/Scripts/CreateIndicatorsFromSTIX/README.md

@@ -17,7 +17,15 @@ Wrapper for the **StixParser** automation. This automation creates indicators an
 | **Argument Name** | **Description** |
 | --- | --- |
 | entry_id | The entry ID of the STIX file. |
+| add_context | Adds indicators to context. |
+| tags | A comma-separated list of tags to add to indicators.  |
 
 ## Outputs
+
 ---
-There are no outputs for this script.
+
+| **Path** | **Description** | **Type** |
+| --- | --- | --- |
+| StixIndicators.type | Type of the indicator. | String |
+| StixIndicators.value | Value of the indicator. | String |
+| StixIndicators.tags | Tags of the indicator. | Unknown |

Packs/CommonScripts/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Common Scripts",
     "description": "Frequently used scripts pack.",
     "support": "xsoar",
-    "currentVersion": "1.13.5",
+    "currentVersion": "1.13.6",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",