
Anomali threat stream v3 enhancement #25514

Merged
merged 33 commits into from Apr 9, 2023

Conversation

sapirshuker

Contributing to Cortex XSOAR Content

Make sure to register your contribution by filling the contribution registration form

The Pull Request will be reviewed only after the contribution registration form is filled.

Status

  • In Progress
  • Ready
  • In Hold - (Reason for hold)

Related Issues

fixes: https://jira-hq.paloaltonetworks.local/browse/CIAC-551

Description

  • Updated the Docker image to: demisto/py3-tools:1.0.0.51296.
  • Added support for the all_results argument in the threatstream-get-passive-dns command.
  • Added support for the page and page_size arguments in the threatstream-get-model-list command.
  • Added support for the malware and attack pattern options in the model argument of the threatstream-get-model-list command.
  • Added support for the page and page_size arguments in the threatstream-get-indicators-by-model command.
  • Added support for the malware and attack pattern options in the model argument of the threatstream-get-indicators-by-model command.
  • Added support for the page and page_size arguments in the threatstream-get-indicators command.
  • Added support for the all_results argument in the threatstream-supported-platforms command.
  • Added support for the tags argument in the threatstream-import-indicator-with-approval command.
  • Added 18 commands:
    • threatstream-list-rule
    • threatstream-create-rule
    • threatstream-update-rule
    • threatstream-delete-rule
    • threatstream-list-user
    • threatstream-list-investigation
    • threatstream-create-investigation
    • threatstream-update-investigation
    • threatstream-delete-investigation
    • threatstream-add-investigation-element
    • threatstream-list-whitelist-entry
    • threatstream-create-whitelist-entry
    • threatstream-update-whitelist-entry-note
    • threatstream-delete-whitelist-entry
    • threatstream-list-import-job
    • threatstream-approve-import-job
    • threatstream-search-threat-model
    • threatstream-add-threat-model-association

Minimum version of Cortex XSOAR

  • 6.0.0
  • 6.1.0
  • 6.2.0
  • 6.5.0

Does it break backward compatibility?

  • Yes
    • Further details:
  • No

Must have

  • Tests
  • Documentation

@Shellyber Shellyber removed the request for review from ShirleyDenkberg March 27, 2023 11:04

@Shellyber Shellyber left a comment


A few general notes:

  1. Remove all extra new lines - not necessary (for example, all of the tableToMarkdown headers and such)
  2. All commands should be split into 2: one request and one command - please split all the unified commands you did
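The request/command split asked for above, applied to the page/page_size/all_results pagination the description adds, as an added example (not the contributor's or the Content repo's code). The endpoint path, the `limit`/`offset`/`meta.next` paging shape and the data are constructed stand-ins, and no XSOAR server API is used so the block runs offline.

```python
from typing import Any, Callable, Dict, List

# Constructed stand-in for the API: seven fake indicator rows served in pages.
_FAKE_RECORDS = [{"id": i, "value": f"10.0.0.{i}"} for i in range(1, 8)]


def fake_http_get(endpoint: str, params: Dict[str, Any]) -> Dict[str, Any]:
    """Hypothetical transport: returns one page plus a 'next' link when more rows exist."""
    limit, offset = int(params.get("limit", 20)), int(params.get("offset", 0))
    rows = _FAKE_RECORDS[offset:offset + limit]
    has_more = offset + limit < len(_FAKE_RECORDS)
    nxt = f"{endpoint}?offset={offset + limit}" if has_more else None
    return {"objects": rows, "meta": {"next": nxt}}


class Client:
    """Request layer: one thin method per API call, no argument parsing, no output formatting."""

    def __init__(self, http_get: Callable[[str, Dict[str, Any]], Dict[str, Any]]):
        self._http_get = http_get

    def list_indicators_request(self, limit: int, offset: int) -> Dict[str, Any]:
        # "/example/indicators/" is a placeholder path, not a real ThreatStream endpoint.
        return self._http_get("/example/indicators/", {"limit": limit, "offset": offset})


def list_indicators_command(client: Client, args: Dict[str, str]) -> List[Dict[str, Any]]:
    """Command layer: validates page/page_size/all_results, drives the request layer, returns rows."""
    all_results = str(args.get("all_results", "false")).lower() == "true"
    page_size = int(args.get("page_size", 20))
    page = int(args.get("page", 1))
    if page < 1 or page_size < 1:
        raise ValueError("page and page_size must be positive integers")
    if not all_results:
        # Single page: translate the 1-based page number into an offset.
        offset = (page - 1) * page_size
        return client.list_indicators_request(limit=page_size, offset=offset)["objects"]
    # all_results=true: keep requesting pages until the API reports no 'next' link,
    # so a stale or mismatched total can never loop forever.
    rows: List[Dict[str, Any]] = []
    offset = 0
    while True:
        resp = client.list_indicators_request(limit=page_size, offset=offset)
        rows.extend(resp["objects"])
        if not resp["meta"].get("next") or not resp["objects"]:
            return rows
        offset += page_size


if __name__ == "__main__":
    c = Client(fake_http_get)
    print(list_indicators_command(c, {"page": "2", "page_size": "3"}))
    print(len(list_indicators_command(c, {"all_results": "true", "page_size": "3"})))
```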

@Shellyber

@ShirleyDenkberg Did you finish the review on this?

@ShirleyDenkberg

@sapirshuker I made a few changes to the integration readme, but in general, please regenerate this file with the changes I made in the yml.
@Shellyber Doc review completed.

@sapirshuker sapirshuker requested review from Shellyber and removed request for Shellyber April 9, 2023 11:56

@Shellyber Shellyber left a comment


Nice work!

@sapirshuker sapirshuker merged commit 2e1d130 into master Apr 9, 2023
13 checks passed
@sapirshuker sapirshuker deleted the Anomali-ThreatStream-v3-Enhancement branch April 9, 2023 13:42
MosheEichler pushed a commit that referenced this pull request Apr 13, 2023
* AnomaliThreatStreamv3-enhancement

* update readme

* add_tests

* Delete 2_0_31.md

* conflicts

* conflicts

* Update 2_0_32.md

* first_cr_fixes

* fix PR comments

* fix PR comments

* fix PR comments

* change yml and readme

* TPB

* TPB

* CR remarks

* CR remarks

* doc review fixes

* doc review fixes

* remove list-users from TPB

* readme

* add_coverage

* fixes from CR, update docker image

* update readme

* fix CR comments

* fix CR comments
MosheEichler added a commit that referenced this pull request Apr 13, 2023
* avoid the output_prefix to be a period

* add UT

* RN

* RN

* fix the error

* cr fixes

* revert the previous check

* conflicts

* version

* attr-defined

* בםמכךןבאד

* revert

* add server url configuration to BoxCollector and BoxV2 (#25463)

* committing failing unittests

* converting to str

* finalizing

* fixed according to review

* merged from master and updated release notes

* updated docker image

* updated another docker image

* AWS Security Hub Event Collector (#25336)

* Initial AWS Security Hub Collector commit

* Add datetime class import to avoid confusion with the datetime module

* Fix `aws_session` parameters

* Fix issues and add logs

* Improve fetch limit functionality

* Apply code review suggestions

* Apply suggestions from code review

Co-authored-by: Binat Ziser <89336697+bziser@users.noreply.github.com>

* Various fixes

* Add ignore list to last run data to avoid duplicates

* Fix default max results & datetime format issues

* Add modeling rules

* Apply suggestions from code review

Co-authored-by: Binat Ziser <89336697+bziser@users.noreply.github.com>

* Fix modeling rules' file & folder names

* Various fixes

* Move default first fetch value to const

* Fix missing limit for `fetch_events`

* Fix infinite fetch-events loop because `next_run` is set to `None` if no results were returned.

* Fix linting issues

* Change query time field to `CreatedAt`

* Add `_time` field

* Fix `XSOAR` to `XSIAM`

* Return so-far fetched events if API call failed

* Add `Compliance` to modeling schema

* Apply code-review suggestions

* Add modeling rules test

* Update README

* Apply suggestions from code review

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Fix and improve the`aws-securityhub-get-events` command

* Fix modeling rules test data

* Add unit tests

* Update unit-tests

* Update Docker image

* Add release notes & bump pack version

* Fix unit-test

* Minor unit-test changes

* Fix test module

* Bump Docker version

---------

Co-authored-by: Binat Ziser <89336697+bziser@users.noreply.github.com>
Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Anomali threat stream v3 enhancement (#25514)

* AnomaliThreatStreamv3-enhancement

* update readme

* add_tests

* Delete 2_0_31.md

* conflicts

* conflicts

* Update 2_0_32.md

* first_cr_fixes

* fix PR comments

* fix PR comments

* fix PR comments

* change yml and readme

* TPB

* TPB

* CR remarks

* CR remarks

* doc review fixes

* doc review fixes

* remove list-users from TPB

* readme

* add_coverage

* fixes from CR, update docker image

* update readme

* fix CR comments

* fix CR comments

* Add native:candidate testing workflow (#25155)

* testing

* fixed indent

* fixed include

* finding the full name first

* added support to native:candidate

* added checking native:candidate in circleci

* added native:candidate to lint

* trying with nre demisto-sdk

* locking poetry

* do not run regular uniittests and lint on test-native-candidate pipeline

* dont run regular lint

* another try

* updating native:candidate like was tested

* fixed typo

* updated ignored images

* fix issue with note .split() (#25755)

* fix issue with note .split() (#25752)

* Update Packs/ServiceNow/ReleaseNotes/2_5_17.md

---------

Co-authored-by: Ali Sawyer <91506078+ali-sawyer@users.noreply.github.com>
Co-authored-by: Dan Tavori <38749041+dantavori@users.noreply.github.com>

* [Zoom] Create Zoom Event Collector (#25555)

Create new Zoom Logs Event Collector.

* Update Docker Image To demisto/pymisp2  (#25782)

* Updated Metadata Of Pack MISP

* Added release notes to pack MISP

* Packs/MISP/Integrations/MISPV3/MISPV3.yml Docker image update

* Update Docker Image To demisto/python3  (#25745)

* Updated Metadata Of Pack Core

* Added release notes to pack Core

* Packs/Core/Integrations/CortexCoreIR/CortexCoreIR.yml Docker image update

* Updated Metadata Of Pack SafeNet_Trusted_Access

* Added release notes to pack SafeNet_Trusted_Access

* Packs/SafeNet_Trusted_Access/Integrations/SafeNetTrustedAccessEventCollector/SafeNetTrustedAccessEventCollector.yml Docker image update

* Updated Metadata Of Pack SalesforceFusion

* Added release notes to pack SalesforceFusion

* Packs/SalesforceFusion/Integrations/SalesforceFusionIAM/SalesforceFusionIAM.yml Docker image update

* Updated Metadata Of Pack SecneurXThreatFeeds

* Added release notes to pack SecneurXThreatFeeds

* Packs/SecneurXThreatFeeds/Integrations/SecneurXThreatFeeds/SecneurXThreatFeeds.yml Docker image update

* Updated Metadata Of Pack Securonix

* Added release notes to pack Securonix

* Packs/Securonix/Integrations/Securonix/Securonix.yml Docker image update

* Updated Metadata Of Pack ServiceDeskPlus

* Added release notes to pack ServiceDeskPlus

* Packs/ServiceDeskPlus/Integrations/ServiceDeskPlus/ServiceDeskPlus.yml Docker image update

* Updated Metadata Of Pack SingleConnect

* Added release notes to pack SingleConnect

* Packs/SingleConnect/Integrations/SingleConnect/SingleConnect.yml Docker image update

* Updated Metadata Of Pack SkyhighSecurity

* Added release notes to pack SkyhighSecurity

* Packs/SkyhighSecurity/Integrations/SkyhighSecurity/SkyhighSecurity.yml Docker image update

* Updated Metadata Of Pack SolarWinds

* Added release notes to pack SolarWinds

* Packs/SolarWinds/Integrations/SolarWinds/SolarWinds.yml Docker image update

* Updated Metadata Of Pack SophosCentral

* Added release notes to pack SophosCentral

* Packs/SophosCentral/Integrations/SophosCentral/SophosCentral.yml Docker image update

* Added sleep step to wait till gitlab start running (#25784)

* Update Docker Image To demisto/python3  (#25780)

* Updated Metadata Of Pack PhishTank

* Added release notes to pack PhishTank

* Packs/PhishTank/Integrations/PhishTankV2/PhishTankV2.yml Docker image update

* Updated Metadata Of Pack Shodan

* Added release notes to pack Shodan

* Packs/Shodan/Integrations/Shodan_v2/Shodan_v2.yml Docker image update

* Updated Metadata Of Pack FeedOffice365

* Added release notes to pack FeedOffice365

* Packs/FeedOffice365/Integrations/FeedOffice365/FeedOffice365.yml Docker image update

* Updated Metadata Of Pack PrismaSaasSecurity

* Added release notes to pack PrismaSaasSecurity

* Packs/PrismaSaasSecurity/Integrations/SaasSecurity/SaasSecurity.yml Docker image update

* Updated Metadata Of Pack PaloAltoNetworks_IoT

* Added release notes to pack PaloAltoNetworks_IoT

* Packs/PaloAltoNetworks_IoT/Integrations/PaloAltoNetworks_IoT/PaloAltoNetworks_IoT.yml Docker image update

* -

---------

Co-authored-by: sberman <sberman@paloaltonetworks.com>

* updating CDL integration to add ThreatName to two threat log queries (#25771)

* updating CDL integration to add ThreatName to two threat log queries (#25754)

* updating CDL integration to add ThreatName to two threat log queries

* Update 1_4_4.md

fixing wording according to checks for period line ending and ThreatName to Threat Name

* Update Packs/CortexDataLake/ReleaseNotes/1_4_4.md

* Update Packs/CortexDataLake/ReleaseNotes/1_4_4.md

---------

Co-authored-by: Dan Tavori <38749041+dantavori@users.noreply.github.com>

* docker update

---------

Co-authored-by: epartington <epartington@users.noreply.github.com>
Co-authored-by: Dan Tavori <38749041+dantavori@users.noreply.github.com>

* Servicenow add ticket type (#25765)

* add sc_req_item to predefined values

* update RN

* update RN and docker image

* update RN and docker image

* update rn

* update docker

* update RN

* update RN

* Add support for Mal-Eval (#25763)

* Add support for Mal-Eval (#25027)

* Add support for Mal-Eval

* Fix flake errors

* Fixes per GitHub comments

* Fixes per GitHub comments

* Fixes per GitHub comments

* Fixes

* Additional tests for new output

* updates

* update RN

* update UT

---------

Co-authored-by: mikewilusz-stairwell <90697468+mikewilusz-stairwell@users.noreply.github.com>
Co-authored-by: Dan Sterenson <38375556+dansterenson@users.noreply.github.com>

* [PAN-OS] fix panorama_list_edls command  (#25743)

* fix prettify_edls_arr to work with one output

* sample.json

* expected.json

* fixed unit test

* rn


Co-authored-by: Guy Afik <53861351+GuyAfik@users.noreply.github.com>

---------

Co-authored-by: Guy Afik <53861351+GuyAfik@users.noreply.github.com>

* Added mapper functionality to SlackV3 (#25666)

* Added support for mapping

* Added message to the context

* updated is_bot

* updated ut

* updated release notes

* Apply suggestions from code review

Co-authored-by: Dan Tavori <38749041+dantavori@users.noreply.github.com>

* updated docker image

* Fix UT

* updated release notes

---------

Co-authored-by: Dan Tavori <38749041+dantavori@users.noreply.github.com>

* Crowdstrike - fix fetch detections (#25785)

* TAXII Server 2 - Updated the way the server serves file hashes and other SCOs (#25392)

* Correct JSON build for SCOs

* Updating tests

* RN

* RN bump

* Update 1_31_79.md

* Added "FeedIndicatorType" to ignore words.

* Bump RN

* Docker version

* RN

* Update TAXII2Server.py

* Update Packs/TAXIIServer/ReleaseNotes/2_0_30.md

Co-authored-by: Shahaf Ben Yakir <44666568+ShahafBenYakir@users.noreply.github.com>

* relationships support new file object

* Revoked relationships are not returned

* Added ASN object

* Update Packs/Base/ReleaseNotes/1_31_80.md

Co-authored-by: Shahaf Ben Yakir <44666568+ShahafBenYakir@users.noreply.github.com>

* Update 1_31_80.md

* RN

* docker

* RN

* CSP docker bump

* RN

* Added Software as a valid FeedIndicatorType

* RN

* ignore str

* empty lines

* RN

* Update 1_31_83.md

* Update 1_31_83.md

* Update 1_31_80.md

* Update Packs/TAXIIServer/Integrations/TAXII2Server/TAXII2Server.py

Co-authored-by: Shahaf Ben Yakir <44666568+ShahafBenYakir@users.noreply.github.com>

* Update Packs/TAXIIServer/Integrations/TAXII2Server/TAXII2Server.py

Co-authored-by: Shahaf Ben Yakir <44666568+ShahafBenYakir@users.noreply.github.com>

* Update Packs/TAXIIServer/ReleaseNotes/2_0_31.md

Co-authored-by: Shahaf Ben Yakir <44666568+ShahafBenYakir@users.noreply.github.com>

* Update Packs/TAXIIServer/Integrations/TAXII2Server/TAXII2Server.py

Co-authored-by: Shahaf Ben Yakir <44666568+ShahafBenYakir@users.noreply.github.com>

* Moved sco_test to use parameterize

* RN

* RN

* docker bump

* Update 1_31_84.md

* RN

* dockerimage bump

* RN

---------

Co-authored-by: Shahaf Ben Yakir <44666568+ShahafBenYakir@users.noreply.github.com>

* Cisco ASA parsing rules - iso8601 (#25766)

* update parsing rules

* update parsing rules

* update parsing rules

* update parsing rules

* update parsing rules

* update parsing rules

* update parsing rules

* update parsing rules

* update parsing rules

* update parsing rules

* update parsing rules

* update parsing rules

* update parsing rules

* Crowdstrike endpoint command bug fix (#25795)

* [CrowdStrikeFalcon] - filter hostnames and ignore case sensetivity

* add unit-test

* bump rn

* add comment

* bump rn

* remove comma

* update rn

* [Marketplace Contribution] EDL Monitor (#25764)

* [Marketplace Contribution] EDL Monitor (#25641)

* "pack contribution initial commit"

* pack resubmitted

* fixes

* fix validations

---------

Co-authored-by: xsoar-bot <67315154+xsoar-bot@users.noreply.github.com>
Co-authored-by: Dan Sterenson <38375556+dansterenson@users.noreply.github.com>

* [WildFire] Improve error message when failing to upload an unsupported file (#25793)

* improved error message when failing to upload an invalid file

* Update Docker Image To demisto/py3-tools  (#25803)

* Updated Metadata Of Pack FeedAWS

* Added release notes to pack FeedAWS

* Packs/FeedAWS/Integrations/FeedAWS/FeedAWS.yml Docker image update

* Update Docker Image To demisto/tesseract  (#25806)

* Updated Metadata Of Pack ImageOCR

* Added release notes to pack ImageOCR

* Packs/ImageOCR/Integrations/ImageOCR/ImageOCR.yml Docker image update

* conflicts

---------

Co-authored-by: Binat Ziser <89336697+bziser@users.noreply.github.com>
Co-authored-by: DinaMeylakh <72339665+DinaMeylakh@users.noreply.github.com>
Co-authored-by: Michael Yochpaz <8832013+MichaelYochpaz@users.noreply.github.com>
Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>
Co-authored-by: sapir shuker <49246861+sapirshuker@users.noreply.github.com>
Co-authored-by: content-bot <55035720+content-bot@users.noreply.github.com>
Co-authored-by: Ali Sawyer <91506078+ali-sawyer@users.noreply.github.com>
Co-authored-by: Dan Tavori <38749041+dantavori@users.noreply.github.com>
Co-authored-by: michal-dagan <109464765+michal-dagan@users.noreply.github.com>
Co-authored-by: Shelly Tzohar <45915502+Shellyber@users.noreply.github.com>
Co-authored-by: sberman <sberman@paloaltonetworks.com>
Co-authored-by: epartington <epartington@users.noreply.github.com>
Co-authored-by: Dan Sterenson <38375556+dansterenson@users.noreply.github.com>
Co-authored-by: mikewilusz-stairwell <90697468+mikewilusz-stairwell@users.noreply.github.com>
Co-authored-by: Guy Afik <53861351+GuyAfik@users.noreply.github.com>
Co-authored-by: Arad Carmi <62752352+AradCarmi@users.noreply.github.com>
Co-authored-by: Adi Daud <46249224+adi88d@users.noreply.github.com>
Co-authored-by: Dror Avrahami <davrahami@paloaltonetworks.com>
Co-authored-by: Shahaf Ben Yakir <44666568+ShahafBenYakir@users.noreply.github.com>
Co-authored-by: guytamir10 <106061479+guytamir10@users.noreply.github.com>
Co-authored-by: xsoar-bot <67315154+xsoar-bot@users.noreply.github.com>
Co-authored-by: Dean Arbel <darbel@paloaltonetworks.com>