Added support for unknown relationship names

Packs/Base/ReleaseNotes/1_31_42.md

@@ -0,0 +1,11 @@
+#### Scripts
+##### SearchIndicatorRelationships
+- Updated the Docker image to: *demisto/python3:3.10.8.39276*.
+- Added the options "detects", "detected-by" and "located-at" for the *relationships* argument.
+
+##### CommonServerPython
+- Added the names "detects", "detected-by" and "located-at" for *relationship type*.
+
+##### CreateIndicatorRelationship
+- Updated the Docker image to: *demisto/python3:3.10.8.39276*.
+- Added the options "detects", "detected-by" and "located-at" for the *relationship* and *reverse_relationship* arguments.

Packs/Base/Scripts/CommonServerPython/CommonServerPython.py

@@ -3777,7 +3777,7 @@ def to_context(self):
                 file_context['Hashes'].append({'type': 'SSDeep',
                                                'value': self.ssdeep})
 
-            if self.extension:
+            if self.extension: 
                 file_context['Extension'] = self.extension
 
             if self.file_type:
@@ -6364,6 +6364,8 @@ class Relationships(object):
         CREATES = 'creates'
         DELIVERED_BY = 'delivered-by'
         DELIVERS = 'delivers'
+        DETECTS = 'detects'
+        DETECTED_BY = 'detected-by'
         DOWNLOADS = 'downloads'
         DOWNLOADS_FROM = 'downloads-from'
         DROPPED_BY = 'dropped-by'
@@ -6385,6 +6387,7 @@ class Relationships(object):
         INJECTS_INTO = 'injects-into'
         INVESTIGATES = 'investigates'
         IS_ALSO = 'is-also'
+        LOCATED_AT = 'located-at'
         MITIGATED_BY = 'mitigated-by'
         MITIGATES = 'mitigates'
         ORIGINATED_FROM = 'originated-from'
@@ -6435,6 +6438,8 @@ class Relationships(object):
                                'creates': 'created-by',
                                'delivered-by': 'delivers',
                                'delivers': 'delivered-by',
+                               'detects': 'detected-by',
+                               'detected-by': 'detects',
                                'downloads': 'downloaded-by',
                                'downloads-from': 'hosts',
                                'dropped-by': 'drops',
@@ -6506,21 +6511,24 @@ def get_reverse(name):
             :return: Returns the reversed relationship name
             :rtype: ``str``
             """
-
-            return EntityRelationship.Relationships.RELATIONSHIPS_NAMES[name]
+            try:
+                return EntityRelationship.Relationships.RELATIONSHIPS_NAMES[name]
+            except KeyError:
+                demisto.debug('Cannot find a reverse name for relationship name, using "related-to" instead.')
+                return EntityRelationship.Relationships.RELATED_TO
 
     def __init__(self, name, entity_a, entity_a_type, entity_b, entity_b_type,
                  reverse_name='', relationship_type='IndicatorToIndicator', entity_a_family='Indicator',
                  entity_b_family='Indicator', source_reliability="", fields=None, brand=""):
 
         # Relationship
         if not EntityRelationship.Relationships.is_valid(name):
-            raise ValueError("Invalid relationship: " + name)
+            demisto.debug("Uknown relationship name: " + name)
         self._name = name
 
         if reverse_name:
             if not EntityRelationship.Relationships.is_valid(reverse_name):
-                raise ValueError("Invalid reverse relationship: " + reverse_name)
+                demisto.debug("Uknown reverse relationship name: " + reverse_name)
             self._reverse_name = reverse_name
         else:
             self._reverse_name = EntityRelationship.Relationships.get_reverse(name)

Packs/Base/Scripts/CreateIndicatorRelationship/CreateIndicatorRelationship.yml

@@ -129,6 +129,7 @@ args:
   - injects-into
   - investigates
   - is-also
+  - located-at
   - mitigated-by
   - mitigates
   - originated-from
@@ -158,6 +159,8 @@ args:
   - used-on
   - uses
   - variant-of
+  - detects
+  - detected-by
   required: true
   secret: false
 - default: false
@@ -236,6 +239,8 @@ args:
   - used-on
   - uses
   - variant-of
+  - detects
+  - detected-by
   required: false
   secret: false
 - default: false
@@ -289,7 +294,7 @@ tags:
 timeout: '0'
 type: python
 subtype: python3
-dockerimage: demisto/python3:3.10.4.30607
+dockerimage: demisto/python3:3.10.8.39276
 fromversion: 6.2.0
 tests:
 - Relationships scripts - Test

Packs/Base/Scripts/CreateIndicatorRelationship/README.md

@@ -0,0 +1,36 @@
+This automation creates a relationship between indicator objects.
+
+## Script Data
+---
+
+| **Name** | **Description** |
+| --- | --- |
+| Script Type | python3 |
+| Tags | basescript |
+| Cortex XSOAR Version | 6.2.0 |
+
+## Used In
+---
+This script is used in the following playbooks and scripts.
+* ACTI Create Report-Indicator Associations
+
+## Inputs
+---
+
+| **Argument Name** | **Description** |
+| --- | --- |
+| entity_a | The source of the relationship, for example 1.1.1.1. Only a single value is acceptable. |
+| entity_a_type | The source type of the relationship, for example IP. The value must be an accepted indicator type. Only a single value is acceptable. |
+| entity_b | A comma-separated list of destinations or second entity values, for example 3.3.3.3,2.2.2.2. This argument must be used with the entity_b_type argument and cannot be used in conjunction with the entity_b_query argument. |
+| entity_b_type | The destination type of the relationship, for example IP. Only a single value is acceptable. This argument must be used with the entity_b argument and cannot be used in conjunction with the entity_b_query argument. |
+| entity_b_query | The indicator query for all the entity_b results. The indicators that are the results of the query will be used as the destination of the relationship. For example type:ip AND tags:mytag. For more query examples, see https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/manage-indicators/understand-indicators/indicators-page.html. This argument cannot be used in conjunction with the entity_b argument or the entity_b_type argument. |
+| relationship | The name of relationship to be created. |
+| reverse_relationship | The reverse name of relationship to be created. If the argument isn't provided by the user, the default reverse relation will be created. |
+| source_reliability | Reliability of the source providing the intelligence data. |
+| description | Free text description to add to the relationship. |
+| first_seen | The time the relationship was seen. If left empty, the default value will be the time the relationship was created. Format \(YYYY-MM-DDTHH:MM:SSZ\). For example: 2020-02-02T19:00:00Z |
+| create_indicator | True, if the non-existing indicators will be created according to the specified entities and their types. Default is false. |
+
+## Outputs
+---
+There are no outputs for this script.

Packs/Base/Scripts/SearchIndicatorRelationships/SearchIndicatorRelationships.yml

@@ -86,6 +86,7 @@ args:
   - injects-into
   - investigates
   - is-also
+  - located-at
   - mitigated-by
   - mitigates
   - originated-from
@@ -115,6 +116,8 @@ args:
   - used-on
   - uses
   - variant-of
+  - detects
+  - detected-by
 - default: false
   defaultValue: '20'
   description: The number of results to return. Default is 20.
@@ -200,7 +203,7 @@ tags:
 timeout: '0'
 type: python
 subtype: python3
-dockerimage: demisto/python3:3.10.4.30607
+dockerimage: demisto/python3:3.10.8.39276
 fromversion: 6.2.0
 tests:
 - Relationships scripts - Test

Packs/Base/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Base",
     "description": "The base pack for Cortex XSOAR.",
     "support": "xsoar",
-    "currentVersion": "1.31.41",
+    "currentVersion": "1.31.42",
     "author": "Cortex XSOAR",
     "serverMinVersion": "6.0.0",
     "url": "https://www.paloaltonetworks.com/cortex",

Packs/FeedMitreAttackv2/Integrations/FeedMitreAttackv2/FeedMitreAttackv2.py

@@ -1,14 +1,15 @@
+import logging
+
 import demistomock as demisto
 from CommonServerPython import *
 
 from typing import List, Dict, Set, Optional
 import json
-import requests
+import urllib3
 from stix2 import TAXIICollectionSource, Filter
 from taxii2client.v20 import Server, Collection, ApiRoot
 
 ''' CONSTANT VARIABLES '''
-
 MITRE_TYPE_TO_DEMISTO_TYPE = {
     "attack-pattern": ThreatIntel.ObjectsNames.ATTACK_PATTERN,
     "course-of-action": ThreatIntel.ObjectsNames.COURSE_OF_ACTION,
@@ -17,15 +18,13 @@
     "tool": ThreatIntel.ObjectsNames.TOOL,
     "relationship": "Relationship"
 }
-
 INDICATOR_TYPE_TO_SCORE = {
     "Intrusion Set": ThreatIntel.ObjectsScore.INTRUSION_SET,
     "Attack Pattern": ThreatIntel.ObjectsScore.ATTACK_PATTERN,
     "Course of Action": ThreatIntel.ObjectsScore.COURSE_OF_ACTION,
     "Malware": ThreatIntel.ObjectsScore.MALWARE,
     "Tool": ThreatIntel.ObjectsScore.TOOL
 }
-
 MITRE_CHAIN_PHASES_TO_DEMISTO_FIELDS = {
     'build-capabilities': ThreatIntel.KillChainPhases.BUILD_CAPABILITIES,
     'privilege-escalation': ThreatIntel.KillChainPhases.PRIVILEGE_ESCALATION,
@@ -46,7 +45,6 @@
     'act-on-objectives': ThreatIntel.KillChainPhases.ACT_ON_OBJECTIVES,
     'command-and-control': ThreatIntel.KillChainPhases.COMMAND_AND_CONTROL
 }
-
 FILTER_OBJS = {
     "Technique": {"name": "attack-pattern", "filter": Filter("type", "=", "attack-pattern")},
     "Mitigation": {"name": "course-of-action", "filter": Filter("type", "=", "course-of-action")},
@@ -55,12 +53,14 @@
     "Tool": {"name": "tool", "filter": Filter("type", "=", "tool")},
     "relationships": {"name": "relationships", "filter": Filter("type", "=", "relationship")},
 }
-
 RELATIONSHIP_TYPES = EntityRelationship.Relationships.RELATIONSHIPS_NAMES.keys()
 ENTERPRISE_COLLECTION_ID = '95ecc380-afe9-11e4-9b6c-751b66dd541e'
 
+# disable warnings coming from taxii2client - https://github.com/OTRF/ATTACK-Python-Client/issues/43#issuecomment-1016581436
+logging.getLogger("taxii2client.v20").setLevel(logging.ERROR)
+
 # Disable insecure warnings
-requests.packages.urllib3.disable_warnings()
+urllib3.disable_warnings()
 
 
 class Client:
@@ -332,8 +332,7 @@ def create_relationship(item_json, id_to_name):
         'firstseenbysource': item_json.get('created')
     }
     if item_json.get('relationship_type') not in RELATIONSHIP_TYPES:
-        demisto.debug(f"Invalid relation type: {item_json.get('relationship_type')}")
-        return
+        demisto.debug(f"Unknown relationship name: {item_json.get('relationship_type')}")
 
     entity_a = id_to_name.get(item_json.get('source_ref'))
     entity_b = id_to_name.get(item_json.get('target_ref'))
@@ -536,6 +535,15 @@ def attack_pattern_reputation_command(client, args):
     return command_results
 
 
+def filter_attack_pattern_object_by_attack_id(attack_id, attack_pattern_object):
+    external_references_list = attack_pattern_object.get('external_references', [])
+    for external_reference in external_references_list:
+        if external_reference.get('external_id', '') == attack_id:
+            return True
+
+    return False
+
+
 def get_mitre_value_from_id(client, args):
     attack_ids = argToList(args.get('attack_ids', []))
 
@@ -546,17 +554,24 @@ def get_mitre_value_from_id(client, args):
         collection_data = Collection(collection_url, verify=client.verify, proxies=client.proxies)
 
         tc_source = TAXIICollectionSource(collection_data)
-        attack_pattern_obj = tc_source.query([
-            Filter("external_references.external_id", "=", attack_id),
+        attack_pattern_objects = tc_source.query(query=[
             Filter("type", "=", "attack-pattern")
         ])
-        attack_pattern_name = attack_pattern_obj[0]['name'] if attack_pattern_obj else None
+        if attack_pattern_objects:
+            attack_pattern = list(filter(lambda attack_pattern_obj:
+                                  filter_attack_pattern_object_by_attack_id(attack_id,
+                                                                            attack_pattern_obj), attack_pattern_objects))
+            attack_pattern_name = attack_pattern[0]['name']
 
         if attack_pattern_name and len(attack_id) > 5:  # sub-technique
-            parent_name = tc_source.query([
-                Filter("external_references.external_id", "=", attack_id[:5]),
+            parent_objects = tc_source.query([
                 Filter("type", "=", "attack-pattern")
-            ])[0]['name']
+            ])
+            parent_object = list(filter(lambda attack_pattern_obj:
+                                 filter_attack_pattern_object_by_attack_id(attack_id[:5],
+                                                                           attack_pattern_obj), parent_objects))
+            parent_name = parent_object[0]['name']
+
             attack_pattern_name = f'{parent_name}: {attack_pattern_name}'
 
         if attack_pattern_name:

Packs/FeedMitreAttackv2/Integrations/FeedMitreAttackv2/FeedMitreAttackv2.yml

@@ -184,7 +184,7 @@ script:
     - contextPath: MITREATTACK.value
       description: MITRE ATTACK Attack Pattern value.
       type: String
-  dockerimage: demisto/taxii2:1.0.0.21842
+  dockerimage: demisto/taxii2:1.0.0.39779
   feed: true
   isfetch: false
   longRunning: false

Packs/FeedMitreAttackv2/Integrations/FeedMitreAttackv2/FeedMitreAttackv2_test.py

@@ -3,7 +3,7 @@
 from stix2 import TAXIICollectionSource
 from test_data.mitre_test_data import ATTACK_PATTERN, COURSE_OF_ACTION, INTRUSION_SET, MALWARE, TOOL, ID_TO_NAME, \
     RELATION, STIX_TOOL, STIX_MALWARE, STIX_ATTACK_PATTERN, MALWARE_LIST_WITHOUT_PREFIX, MALWARE_LIST_WITH_PREFIX, \
-    INDICATORS_LIST, NEW_INDICATORS_LIST, MITRE_ID_TO_MITRE_NAME, OLD_ID_TO_NAME, NEW_ID_TO_NAME
+    INDICATORS_LIST, NEW_INDICATORS_LIST, MITRE_ID_TO_MITRE_NAME, OLD_ID_TO_NAME, NEW_ID_TO_NAME, RELATIONSHIP_ENTITY
 
 ENTERPRISE_COLLECTION_ID = '95ecc380-afe9-11e4-9b6c-751b66dd541e'
 NON_ENTERPRISE_COLLECTION_ID = '101010101010101010101010101010101'
@@ -199,3 +199,11 @@ def test_create_relationships_invalid():
     item_json = {'source_ref': '',
                  'target_ref': ''}
     assert create_relationship(item_json, {}) is None
+
+
+def test_create_relationship_with_unknown_relationship_name():
+    from FeedMitreAttackv2 import create_relationship
+    item_json = {'source_ref--source_ref': 'source_ref',
+                 'target_ref--target_ref': 'target_ref'}
+    output = create_relationship(RELATIONSHIP_ENTITY, item_json)
+    assert output is not None

Packs/FeedMitreAttackv2/Integrations/FeedMitreAttackv2/test_data/mitre_test_data.py

@@ -652,3 +652,10 @@
     '8': 'Machete 1: Adups',
     '9': 'Machete 1: 4H RAT'
 }
+
+RELATIONSHIP_ENTITY = {'description': 'description',
+                       'modified': 'modified',
+                       'created': 'created',
+                       'relationship_type': 'not_supported_relationship_type',
+                       'source_ref': 'source_ref--source_ref',
+                       'target_ref': 'target_ref--target_ref'}

Packs/FeedMitreAttackv2/ReleaseNotes/1_1_5.md

@@ -0,0 +1,6 @@
+
+#### Integrations
+##### MITRE ATT&CK
+- Updated the Docker image to: *demisto/taxii2:1.0.0.39779*.
+- Fixed an issue where creating relationship with unknown name failed.
+- Removed unsupported query filter.

Packs/FeedMitreAttackv2/pack_metadata.json

@@ -2,14 +2,15 @@
     "name": "MITRE ATT&CK",
     "description": "Fetches indicators from MITRE ATT&CK.",
     "support": "xsoar",
-    "currentVersion": "1.1.4",
+    "currentVersion": "1.1.5",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",
     "categories": [
         "Data Enrichment & Threat Intelligence"
     ],
-    "tags": ["Threat Intelligence Management"
+    "tags": [
+        "Threat Intelligence Management"
     ],
     "useCases": [],
     "keywords": [