Export to stix bundle bug #20323

Merged
merged 20 commits into from Aug 15, 2022
Merged
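--- a/Packs/CommonScripts/ReleaseNotes/1_7_19.md
+++ b/Packs/CommonScripts/ReleaseNotes/1_7_19.md
@@ -0,0 +1,5 @@
+
+#### Scripts
+##### StixCreator
+- Fixed an issue where export to STIX failed when more than one indicator was being exported.
+- Fixed an issue where export to STIX failed when trying to export file types.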
25 changes: 21 additions & 4 deletions Packs/CommonScripts/Scripts/StixCreator/StixCreator.py
Expand Up @@ -13,9 +13,9 @@
from typing import Any, Callable

SCOs: dict[str, str] = {
"file md5": "file:hashes.md5",
"file sha1": "file:hashes.sha1",
"file sha256": "file:hashes.sha256",
"md5": "file:hashes.md5",
"sha1": "file:hashes.sha1",
"sha256": "file:hashes.sha256",
"ssdeep": "file:hashes.ssdeep",
"ip": "ipv4-addr:value",
"cidr": "ipv4-addr:value",
Expand Down Expand Up @@ -43,6 +43,21 @@
}


def hash_type(value: str) -> str: # pragma: no coverage
length = len(value)
if length == 32:
return 'md5'
if length == 40:
return 'sha1'
if length == 64 and ":" in value:
return 'ssdeep'
elif length == 64:
return 'sha256'
if length == 128:
return 'sha512'
return ''


def main():

user_args = demisto.args().get('indicators', 'Unknown')
Expand Down Expand Up @@ -94,6 +109,8 @@ def main():

try:
indicator_type = demisto_indicator_type.lower().replace("-", "")
if indicator_type == 'file':
indicator_type = hash_type(value)
indicator = Indicator(pattern=f"[{SCOs[indicator_type]} = '{value}']",
pattern_type='stix',
**kwargs)
Expand Down Expand Up @@ -133,7 +150,7 @@ def main():
continue

if len(indicators) > 1:
bundle = Bundle(indicators)
bundle = Bundle(indicators, allow_custom=True)
context = {
'StixExportedIndicators(val.pattern && val.pattern == obj.pattern)': json.loads(str(bundle))
}
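Review bot: `hash_type` (second hunk) picks the algorithm from string length alone and can hand `SCOs[indicator_type]` a key that does not exist: it returns `''` for any unrecognised length and `'sha512'` for 128 characters, while the `SCOs` table visible in the first hunk has no `sha512` entry (the table continues past the hunk, so that key may be defined lower down). Because the lookup sits inside the `try` that starts at the third hunk and the handler below it ends in `continue`, such a File indicator is dropped silently instead of being reported to the user. The ssdeep branch is also fragile: ssdeep digests have the form `blocksize:hash1:hash2` with no fixed length, so `length == 64 and ":" in value` misroutes most of them to `''`, and nothing checks that a 32/40/64/128-character value is actually hexadecimal. I would recognise ssdeep by the separator regardless of length, validate hex digits, make the caller skip (and log) a value for which `hash_type` returns a key missing from `SCOs`, and drop the `# pragma: no coverage` on new logic that the accompanying test exercises with only one sha256 value.
```python
_HEX_HASH_LENGTHS = {32: 'md5', 40: 'sha1', 64: 'sha256', 128: 'sha512'}


def hash_type(value: str) -> str:
    """Return the hash algorithm a File indicator value looks like, or ''.

    ssdeep digests are 'blocksize:hash:hash' and have no fixed length, so they are
    recognised by the separator; the others by hex-digit count. An empty string
    means "not a supported hash" and the caller must skip the indicator rather
    than build a pattern with an unknown SCO key.
    """
    if ':' in value:
        return 'ssdeep'
    if not all(c in '0123456789abcdefABCDEF' for c in value):
        return ''
    return _HEX_HASH_LENGTHS.get(len(value), '')
```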
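--- a/Packs/CommonScripts/Scripts/StixCreator/StixCreator_test.py
+++ b/Packs/CommonScripts/Scripts/StixCreator/StixCreator_test.py
@@ -0,0 +1,45 @@
+import demistomock as demisto # noqa: F401
+from CommonServerPython import * # noqa: F401
+import pytest
+from StixCreator import main
+
+FILE_INDICATOR = \
+{
+'indicators':
+{
+'0': {'expirationStatus': 'active', 'firstSeen': '2022-07-31T13:26:05Z',
+'indicator_type': 'File',
+'lastSeen': '2022-07-31T13:26:05Z', 'score': 'good',
+'timestamp': '2022-07-31T13:26:05Z',
+'value': 'e14daa9c88a7ec91d770ae262758db73b6593b178527a2d7bba14159fad5f1c2'
+}
+}
+}
+
+DOMAIN_INDICATORS = \
+{
+'indicators':
+{
+'0': {'expirationStatus': 'active', 'firstSeen': '2022-07-31T13:24:44Z',
+'indicator_type': 'Domain',
+'lastSeen': '2022-07-31T13:24:44Z', 'score': 'Unknown',
+'timestamp': '2022-07-31T13:24:44Z',
+'value': 'test.com'
+},
+'1': {'expirationStatus': 'active', 'firstSeen': '2022-07-31T13:24:40Z',
+'indicator_type': 'Domain',
+'lastSeen': '2022-07-31T13:24:40Z', 'score': 'suspicious',
+'timestamp': '2022-07-31T13:24:40Z',
+'value': 'bad.com'
+}
+}
+}
+
+
+@pytest.mark.parametrize('indicators, stix_type', [(DOMAIN_INDICATORS, 'bundle'), (FILE_INDICATOR, 'indicator')])
+def test_stixCreator_with_indicators(mocker, indicators, stix_type):
+mocker.patch.object(demisto, 'args', return_value=indicators)
+mocker.patch.object(demisto, 'results')
+main()
+results = demisto.results.call_args[0]
+assert stix_type in results[0]['Contents']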
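Review bot: The final assertion `assert stix_type in results[0]['Contents']` only checks that the word `bundle` or `indicator` occurs somewhere in the output, which does not pin either fix: if `Contents` is the serialised STIX text, a bundle also contains indicator objects (each carrying `"type": "indicator"`), so the FILE case would pass even if a bundle were wrongly produced, and a wrong hash mapping (md5 vs sha1) passes either way. Of the new `hash_type` branches, only the 64-character sha256 path is exercised; md5, sha1, ssdeep and the `''` fallback have no test at all. I would parametrise File values of each length and assert on the emitted pattern, e.g. `assert "[file:hashes.sha256 = 'e14daa9c88a7ec91d770ae262758db73b6593b178527a2d7bba14159fad5f1c2']" in str(results[0]['Contents'])`, plus one unrecognised-length value asserting that `main()` neither raises nor emits a pattern with an unknown SCO key.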
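--- a/Packs/CommonScripts/pack_metadata.json
+++ b/Packs/CommonScripts/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Common Scripts",
 "description": "Frequently used scripts pack.",
 "support": "xsoar",
-"currentVersion": "1.7.18",
+"currentVersion": "1.7.19",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",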