From 5a96a08f835a1fcc38048aa421dd4ef6643114ad Mon Sep 17 00:00:00 2001 From: RotemAmit Date: Thu, 20 Apr 2023 19:48:51 +0300 Subject: [PATCH 01/23] Added a flag for sco indicators, and updated the creation process of scos. Updated the sdos IDs. Updated the docker image. Added release notes --- Packs/CommonScripts/.secrets-ignore | 4 +- Packs/CommonScripts/ReleaseNotes/1_11_61.md | 7 + .../Scripts/StixCreator/StixCreator.py | 206 +++++++++++++----- .../Scripts/StixCreator/StixCreator.yml | 2 +- .../Scripts/StixCreator/StixCreator_test.py | 139 +++++++++++- Packs/CommonScripts/pack_metadata.json | 2 +- 6 files changed, 298 insertions(+), 62 deletions(-) create mode 100644 Packs/CommonScripts/ReleaseNotes/1_11_61.md diff --git a/Packs/CommonScripts/.secrets-ignore b/Packs/CommonScripts/.secrets-ignore index b835b2563a8d..8a7133d98804 100644 --- a/Packs/CommonScripts/.secrets-ignore +++ b/Packs/CommonScripts/.secrets-ignore @@ -109,4 +109,6 @@ PrivateIPRangeList http://www.testhxxp.com http://www.meow.com https://www.testhxxp.com -https://www.meow.com \ No newline at end of file +https://www.meow.com +701393b3b8e6ae6e70effcda7598a8cf92d0adb1aaeb5aa91c73004519644801 +uuid.uuid5(SCO_DET_ID_NAMESPACE \ No newline at end of file diff --git a/Packs/CommonScripts/ReleaseNotes/1_11_61.md b/Packs/CommonScripts/ReleaseNotes/1_11_61.md new file mode 100644 index 000000000000..7247d670801c --- /dev/null +++ b/Packs/CommonScripts/ReleaseNotes/1_11_61.md @@ -0,0 +1,7 @@ + +#### Scripts + +##### StixCreator + +- Added an option to enter a flag for creating SCO indicators. +- Updated the process of generating IDs for SDO indicators. diff --git a/Packs/CommonScripts/Scripts/StixCreator/StixCreator.py b/Packs/CommonScripts/Scripts/StixCreator/StixCreator.py index 15cb98e0921b..797fc80024d6 100644 --- a/Packs/CommonScripts/Scripts/StixCreator/StixCreator.py +++ b/Packs/CommonScripts/Scripts/StixCreator/StixCreator.py 
@@ -6,7 +6,7 @@ ''' IMPORTS ''' import json - +import uuid from stix2 import Bundle, ExternalReference, Indicator, Vulnerability from stix2 import AttackPattern, Campaign, Malware, Infrastructure, IntrusionSet, Report, ThreatActor from stix2 import Tool, CourseOfAction @@ -23,9 +23,9 @@ "ipv6cidr": "ipv6-addr:value", "url": "url:value", "email": "email-message:sender_ref.value", - "username": "user-account:account_login", + "account": "user-account:account_login", "domain": "domain-name:value", - "hostname": "domain-name:value", + "host": "domain-name:value", "registry key": "windows-registry-key:key" } 
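Review bot: Renaming the `SCOs` keys in the second hunk drops `username` and `hostname`, which existing callers may still pass as `indicator_type`; a type that is no longer a key is routed through `guess_indicator_type` and then into the SDO path, and when neither matches the indicator is skipped with only an info log instead of being exported. Unless every producer has been migrated, keep the old spellings as aliases next to the new ones: `"username": "user-account:account_login",` and `"hostname": "domain-name:value",` alongside `"account"` and `"host"`. The dict's opening line lies outside this hunk.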
@@ -42,6 +42,38 @@ "course of action": CourseOfAction } +SCO_DET_ID_NAMESPACE = uuid.UUID('00abedb4-aa42-466c-9c01-fed23315a9b7') +PAWN_UUID = uuid.uuid5(uuid.NAMESPACE_URL, 'https://www.paloaltonetworks.com') + +XSOAR_TYPES_TO_STIX_SCO = { + FeedIndicatorType.CIDR: 'ipv4-addr', + FeedIndicatorType.DomainGlob: 'domain-name', + FeedIndicatorType.IPv6: 'ipv6-addr', + FeedIndicatorType.IPv6CIDR: 'ipv6-addr', + FeedIndicatorType.Account: 'user-account', + FeedIndicatorType.Domain: 'domain-name', + FeedIndicatorType.Email: 'email-addr', + FeedIndicatorType.IP: 'ipv4-addr', + FeedIndicatorType.Registry: 'windows-registry-key', + FeedIndicatorType.File: 'file', + FeedIndicatorType.URL: 'url', + FeedIndicatorType.Software: 'software', + FeedIndicatorType.AS: 'asn', +} + +XSOAR_TYPES_TO_STIX_SDO = { + ThreatIntel.ObjectsNames.ATTACK_PATTERN: 'attack-pattern', + ThreatIntel.ObjectsNames.CAMPAIGN: 'campaign', + ThreatIntel.ObjectsNames.COURSE_OF_ACTION: 'course-of-action', + ThreatIntel.ObjectsNames.INFRASTRUCTURE: 'infrastructure', + ThreatIntel.ObjectsNames.INTRUSION_SET: 'instruction-set', + ThreatIntel.ObjectsNames.REPORT: 'report', + ThreatIntel.ObjectsNames.THREAT_ACTOR: 'threat-actor', + ThreatIntel.ObjectsNames.TOOL: 'tool', + ThreatIntel.ObjectsNames.MALWARE: 'malware', + FeedIndicatorType.CVE: 'vulnerability', +} + def hash_type(value: str) -> str: # pragma: no cover length = len(value) 
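Review bot: `XSOAR_TYPES_TO_STIX_SDO` maps `INTRUSION_SET` to `'instruction-set'`, which is not a STIX type; since `create_sdo_stix_uuid` builds the id as `f'{stix_type}--{unique_id}'`, both the object type and its id prefix come out wrong. In `XSOAR_TYPES_TO_STIX_SCO`, `'asn'` is likewise not a STIX 2.1 SCO type — the spec's object for an autonomous system is `'autonomous-system'` — so any consumer validating ids will reject both. Change the two lines to `ThreatIntel.ObjectsNames.INTRUSION_SET: 'intrusion-set',` and `FeedIndicatorType.AS: 'autonomous-system',`. A one-line comment above `SCO_DET_ID_NAMESPACE` such as `# fixed namespace the STIX 2.1 spec assigns for deterministic SCO ids` would tell the next reader why this particular UUID is hard-coded.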
@@ -68,10 +100,58 @@ def guess_indicator_type(type_: str, val: str) -> str: return (auto_detect_indicator_type(val) or type_).lower() +def create_sco_stix_uuid(xsoar_indicator: dict, stix_type: Optional[str], value: str) -> str: + """ + Create uuid for sco objects. + """ + if stixid := xsoar_indicator.get('CustomFields', {}).get('stixid'): + return stixid + if stix_type == 'user-account': + account_type = xsoar_indicator.get('CustomFields', {}).get('accounttype') + user_id = xsoar_indicator.get('CustomFields', {}).get('userid') + unique_id = uuid.uuid5(SCO_DET_ID_NAMESPACE, + f'{{"account_login":"{value}","account_type":"{account_type}","user_id":"{user_id}"}}') + elif stix_type == 'windows-registry-key': + unique_id = uuid.uuid5(SCO_DET_ID_NAMESPACE, f'{{"key":"{value}"}}') + elif stix_type == 'file': + if 'md5' == get_hash_type(value): + unique_id = uuid.uuid5(SCO_DET_ID_NAMESPACE, f'{{"hashes":{{"MD5":"{value}"}}}}') + elif 'sha1' == get_hash_type(value): + unique_id = uuid.uuid5(SCO_DET_ID_NAMESPACE, f'{{"hashes":{{"SHA-1":"{value}"}}}}') + elif 'sha256' == get_hash_type(value): + unique_id = uuid.uuid5(SCO_DET_ID_NAMESPACE, f'{{"hashes":{{"SHA-256":"{value}"}}}}') + elif 'sha512' == get_hash_type(value): + unique_id = uuid.uuid5(SCO_DET_ID_NAMESPACE, f'{{"hashes":{{"SHA-512":"{value}"}}}}') + else: + unique_id = uuid.uuid5(SCO_DET_ID_NAMESPACE, f'{{"value":"{value}"}}') + else: + unique_id = uuid.uuid5(SCO_DET_ID_NAMESPACE, f'{{"value":"{value}"}}') + + return f'{stix_type}--{unique_id}' + + +def create_sdo_stix_uuid(xsoar_indicator: dict, stix_type: Optional[str], value: str) -> str: + """ + Create uuid for sdo objects. 
+ """ + if stixid := xsoar_indicator.get('CustomFields', {}).get('stixid'): + return stixid + if stix_type == 'attack-pattern': + if mitre_id := xsoar_indicator.get('CustomFields', {}).get('mitreid'): + unique_id = uuid.uuid5(PAWN_UUID, f'{stix_type}:{mitre_id}') + else: + unique_id = uuid.uuid5(PAWN_UUID, f'{stix_type}:{value}') + else: + unique_id = uuid.uuid5(PAWN_UUID, f'{stix_type}:{value}') + + return f'{stix_type}--{unique_id}' + + def main(): user_args = demisto.args().get('indicators', 'Unknown') doubleBackslash = demisto.args().get('doubleBackslash', True) + is_sco = argToBoolean(demisto.args().get('sco_flag', False)) all_args = {} if isinstance(user_args, dict): @@ -83,6 +163,7 @@ def main(): except: # noqa: E722 return_error('indicators argument is invalid json object') + demisto.debug(f'StixCreator {demisto.args()=}\n{user_args=}\n{all_args=}') indicators = [] for indicator_fields in all_args: 
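Review bot: `create_sco_stix_uuid` builds the JSON it feeds to `uuid.uuid5` by f-string interpolation, so a value containing `"` or `\` (registry keys, especially after main's backslash doubling) produces non-canonical JSON, and for `user-account` a missing `accounttype`/`userid` is interpolated as the literal string `"None"` instead of being omitted, which diverges from the STIX 2.1 deterministic-id rule and from the ids any other producer would compute for the same object. Serialize the contributing properties with `json.dumps` (`json` is already imported) using sorted keys and compact separators, include the optional account fields only when present, and call `get_hash_type(value)` once rather than up to four times, as sketched below; the expected ids pinned in StixCreator_test.py would change accordingly. Separately, `main` reads `sco_flag` from `demisto.args()`, but the diffstat shows StixCreator.yml changing only its `dockerimage` line, so unless the argument is declared elsewhere the flag cannot be set through the script's declared arguments. `main` continues past the end of this hunk.
```python
def create_sco_stix_uuid(xsoar_indicator: dict, stix_type: Optional[str], value: str) -> str:
    """
    Create a deterministic STIX 2.1 id for an SCO from its id-contributing properties.
    """
    custom_fields = xsoar_indicator.get('CustomFields', {})
    if stixid := custom_fields.get('stixid'):
        return stixid
    if stix_type == 'user-account':
        contributing: dict = {'account_login': value}
        # optional properties contribute to the id only when they are present
        if account_type := custom_fields.get('accounttype'):
            contributing['account_type'] = account_type
        if user_id := custom_fields.get('userid'):
            contributing['user_id'] = user_id
    elif stix_type == 'windows-registry-key':
        contributing = {'key': value}
    elif stix_type == 'file':
        hash_name = {'md5': 'MD5', 'sha1': 'SHA-1', 'sha256': 'SHA-256',
                     'sha512': 'SHA-512'}.get(get_hash_type(value))
        contributing = {'hashes': {hash_name: value}} if hash_name else {'value': value}
    else:
        contributing = {'value': value}
    # canonical (sorted, whitespace-free, escaped) JSON so equal properties always yield equal ids
    canonical = json.dumps(contributing, sort_keys=True, separators=(',', ':'), ensure_ascii=False)
    return f'{stix_type}--{uuid.uuid5(SCO_DET_ID_NAMESPACE, canonical)}'
```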
@@ -95,75 +176,88 @@ def main(): else: value = all_args[indicator_fields].get('value', '') - demisto_score = all_args[indicator_fields].get('score', '').lower() + if demisto_indicator_type in XSOAR_TYPES_TO_STIX_SCO and is_sco: + stix_type = XSOAR_TYPES_TO_STIX_SCO.get(demisto_indicator_type) + stix_id = create_sco_stix_uuid(all_args[indicator_fields], stix_type, value) + indicator = { + "type": stix_type, + "spec_version": "2.1", + "value": value, + "id": stix_id + } + indicators.append(indicator) + else: + demisto_score = all_args[indicator_fields].get('score', '').lower() - if demisto_score in ["bad", "malicious"]: - kwargs["score"] = "High" + if demisto_score in ["bad", "malicious"]: + kwargs["score"] = "High" - elif demisto_score == "suspicious": - kwargs["score"] = "Medium" + elif demisto_score == "suspicious": + kwargs["score"] = "Medium" - elif demisto_score in ["good", "benign"]: - kwargs["score"] = "None" + elif demisto_score in ["good", "benign"]: + kwargs["score"] = "None" - else: - kwargs["score"] = "Not Specified" + else: + kwargs["score"] = "Not Specified" - kwargs["created"] = dateparser.parse(all_args[indicator_fields].get('timestamp', '')) - kwargs["modified"] = dateparser.parse(all_args[indicator_fields].get('lastSeen', f'{kwargs["created"]}')) - kwargs["id"] = all_args[indicator_fields].get('stixid', '') - kwargs["labels"] = [demisto_indicator_type.lower()] - kwargs["description"] = all_args[indicator_fields].get('description', '') + stix_type = XSOAR_TYPES_TO_STIX_SDO.get(demisto_indicator_type, 'indicator') + stix_id = create_sdo_stix_uuid(all_args[indicator_fields], stix_type, value) + kwargs["id"] = stix_id - kwargs = {k: v for k, v in kwargs.items() if v} # Removing keys with empty strings + kwargs["created"] = dateparser.parse(all_args[indicator_fields].get('timestamp', '')) + kwargs["modified"] = dateparser.parse(all_args[indicator_fields].get('lastSeen', f'{kwargs["created"]}')) + kwargs["labels"] = [demisto_indicator_type.lower()] + 
kwargs["description"] = all_args[indicator_fields].get('description', '') - try: - indicator_type = demisto_indicator_type.lower().replace("-", "") - if indicator_type == 'file': - indicator_type = hash_type(value) - if indicator_type not in SCOs and indicator_type not in SDOs: - indicator_type = guess_indicator_type(indicator_type, value) - indicator = Indicator(pattern=f"[{SCOs[indicator_type]} = '{value}']", - pattern_type='stix', - **kwargs) + kwargs = {k: v for k, v in kwargs.items() if v} # Removing keys with empty strings - indicators.append(indicator) + try: + indicator_type = demisto_indicator_type.lower().replace("-", "") + if indicator_type == 'file': + indicator_type = hash_type(value) + if indicator_type not in SCOs and indicator_type not in SDOs: + indicator_type = guess_indicator_type(indicator_type, value) + indicator = Indicator(pattern=f"[{SCOs[indicator_type]} = '{value}']", + pattern_type='stix', + **kwargs) + indicators.append(indicator) - except KeyError: + except KeyError: - demisto.debug(f"{demisto_indicator_type} isn't an SCO checking other IOC types") + demisto.debug(f"{demisto_indicator_type} isn't an SCO checking other IOC types") - try: - indicator_type = demisto_indicator_type.lower() + try: + indicator_type = demisto_indicator_type.lower() - if indicator_type == 'cve': - kwargs["external_references"] = [ExternalReference(source_name="cve", external_id=value)] + if indicator_type == 'cve': + kwargs["external_references"] = [ExternalReference(source_name="cve", external_id=value)] - elif indicator_type == "attack pattern": - try: - mitreid = all_args[indicator_fields].get('mitreid', '') - if mitreid: - kwargs["external_references"] = [ExternalReference(source_name="mitre", external_id=mitreid)] + elif indicator_type == "attack pattern": + try: + mitreid = all_args[indicator_fields].get('mitreid', '') + if mitreid: + kwargs["external_references"] = [ExternalReference(source_name="mitre", external_id=mitreid)] - except KeyError: - pass + 
except KeyError: + pass - elif indicator_type == 'malware': + elif indicator_type == 'malware': - kwargs['is_family'] = argToBoolean(all_args[indicator_fields].get('ismalwarefamily', '').lower()) + kwargs['is_family'] = argToBoolean(all_args[indicator_fields].get('ismalwarefamily', 'False').lower()) - indicator = SDOs[indicator_type]( - name=value, - **kwargs - ) + indicator = SDOs[indicator_type]( + name=value, + **kwargs + ) - indicators.append(indicator) + indicators.append(indicator) - except (KeyError, TypeError) as e: - demisto.info( - "Indicator type: {}, with the value: {} is not STIX compatible".format(demisto_indicator_type, value)) - demisto.info("Export failure excpetion: {}".format(e)) - continue + except (KeyError, TypeError) as e: + demisto.info( + "Indicator type: {}, with the value: {} is not STIX compatible".format(demisto_indicator_type, value)) + demisto.info("Export failure excpetion: {}".format(e)) + continue if len(indicators) > 1: bundle = Bundle(indicators, allow_custom=True) @@ -175,12 +269,14 @@ def main(): raw_response=str(bundle))) elif len(indicators) == 1: + bundle = Bundle(indicators, allow_custom=True) + bundle_obj = bundle.get('objects', [])[0] context = { - 'StixExportedIndicators(val.pattern && val.pattern == obj.pattern)': json.loads(str(indicators[0])) + 'StixExportedIndicators(val.pattern && val.pattern == obj.pattern)': json.loads(str(bundle_obj)) } res = (CommandResults(readable_output="", outputs=context, - raw_response=str(indicators[0]))) + raw_response=str(bundle_obj))) else: context = { 'StixExportedIndicators': {} diff --git a/Packs/CommonScripts/Scripts/StixCreator/StixCreator.yml b/Packs/CommonScripts/Scripts/StixCreator/StixCreator.yml index 7bd8fd6d1c0a..f3efe172303a 100644 --- a/Packs/CommonScripts/Scripts/StixCreator/StixCreator.yml +++ b/Packs/CommonScripts/Scripts/StixCreator/StixCreator.yml 
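Review bot: The SCO dict built in the `is_sco` branch stores every indicator under `"value"`, but STIX 2.1 keys `file`, `user-account` and `windows-registry-key` objects by `hashes`, `account_login` and `key` — the very properties `create_sco_stix_uuid` hashes into `stix_id` — so for those types the emitted object is schema-invalid and inconsistent with its own id. Set the property per type, as below. Separately, `XSOAR_TYPES_TO_STIX_SDO.get(demisto_indicator_type, 'indicator')` is case-sensitive whereas the legacy path lowercases the type, so an indicator typed `cve` now reaches `Vulnerability(...)` carrying an `indicator--` id, which stix2 presumably rejects with an exception outside the `(KeyError, TypeError)` handler; the fixture changes from `cve` to `CVE` in StixCreator_test.py and in playbook-TestStixCreator.yml task 17 (patch 03) mask this rather than fix it, so look the type up case-insensitively. The enclosing `main` starts before this hunk.
```python
            if demisto_indicator_type in XSOAR_TYPES_TO_STIX_SCO and is_sco:
                stix_type = XSOAR_TYPES_TO_STIX_SCO.get(demisto_indicator_type)
                stix_id = create_sco_stix_uuid(all_args[indicator_fields], stix_type, value)
                indicator = {"type": stix_type, "spec_version": "2.1", "id": stix_id}
                # the property carrying the value must be the one the id was derived from
                if stix_type == 'user-account':
                    indicator["account_login"] = value
                elif stix_type == 'windows-registry-key':
                    indicator["key"] = value
                elif stix_type == 'file' and (hash_name := {'md5': 'MD5', 'sha1': 'SHA-1', 'sha256': 'SHA-256',
                                                            'sha512': 'SHA-512'}.get(get_hash_type(value))):
                    indicator["hashes"] = {hash_name: value}
                else:
                    indicator["value"] = value
                indicators.append(indicator)
            else:
                # … unchanged: SDO / Indicator export …
```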
@@ -39,7 +39,7 @@ outputs: type: date scripttarget: 0 runonce: false -dockerimage: demisto/py3-tools:1.0.0.49703 +dockerimage: demisto/py3-tools:1.0.0.55284 subtype: python3 runas: DBotWeakRole tests: diff --git a/Packs/CommonScripts/Scripts/StixCreator/StixCreator_test.py b/Packs/CommonScripts/Scripts/StixCreator/StixCreator_test.py index 497ac78201dc..87b462dd23a0 100644 --- a/Packs/CommonScripts/Scripts/StixCreator/StixCreator_test.py +++ b/Packs/CommonScripts/Scripts/StixCreator/StixCreator_test.py @@ -1,7 +1,7 @@ import demistomock as demisto # noqa: F401 from CommonServerPython import * # noqa: F401 import pytest -from StixCreator import main, guess_indicator_type +from StixCreator import main, guess_indicator_type, create_sco_stix_uuid, create_sdo_stix_uuid FILE_INDICATOR = \ { @@ -49,13 +49,13 @@ 'indicators': { '0': {'expirationStatus': 'active', 'firstSeen': '2022-07-31T13:24:44Z', - 'indicator_type': 'cve', + 'indicator_type': 'CVE', 'lastSeen': '2022-07-31T13:24:44Z', 'score': 'Unknown', 'timestamp': '2022-07-31T13:24:44Z', 'value': 'test.com' }, '1': {'expirationStatus': 'active', 'firstSeen': '2022-07-31T13:24:40Z', - 'indicator_type': 'attack pattern', + 'indicator_type': 'Attack Pattern', 'lastSeen': '2022-07-31T13:24:40Z', 'score': 'suspicious', 'timestamp': '2022-07-31T13:24:40Z', 'value': 'bad.com' 
@@ -63,11 +63,43 @@ } } +IP_INDICATOR_SCO = { # checking the new logic + "indicators": { + "0": { + "expirationStatus": "active", + "firstSeen": "2023-04-18T12:17:38+03:00", + "indicator_type": "IP", + "lastSeen": "2023-04-18T12:17:38+03:00", + "score": "Unknown", + "timestamp": "2023-04-18T12:17:38+03:00", + "value": "8.8.8.8", + } + }, + "sco_flag": "true", +} + +IP_INDICATOR_SDO = { # checking bc + "indicators": { + "0": { + "expirationStatus": "active", + "firstSeen": "2023-04-18T12:17:38+03:00", + "indicator_type": "IP", + "lastSeen": "2023-04-18T12:17:38+03:00", + "score": "Unknown", + "timestamp": "2023-04-18T12:17:38+03:00", + "value": "8.8.8.8", + } + }, + "sco_flag": "false", +} + @pytest.mark.parametrize('indicators, stix_type', [(DOMAIN_INDICATORS, 'bundle'), (FILE_INDICATOR, 'indicator'), (MALWARE_INDICATOR, 'malware'), - (ATTACK_PATTERN_INDICATOR, 'attack-pattern')]) + (ATTACK_PATTERN_INDICATOR, 'attack-pattern'), + (IP_INDICATOR_SCO, 'ipv4-addr'), + (IP_INDICATOR_SDO, 'indicator')]) def test_stixCreator_with_indicators(mocker, indicators, stix_type): mocker.patch.object(demisto, 'args', return_value=indicators) mocker.patch.object(demisto, 'results') 
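Review bot: The fixture comment `# checking bc` is opaque; write it out as `# checking backward compatibility: sco_flag false keeps the legacy Indicator export`. The two fixtures differ only in `sco_flag`, so deriving one from the other with `{**IP_INDICATOR_SCO, "sco_flag": "false"}` would make that intent visible and keep the indicator data from drifting apart.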
@@ -85,3 +117,102 @@ def test_stixCreator_with_indicators(mocker, indicators, stix_type): def test_guess_indicator_type(k, v, exp): a = guess_indicator_type(k, v) assert a == exp + + +xsoar_indicator_1 = {'expirationStatus': 'active', + 'firstSeen': '2023-04-19T17:43:07+03:00', + 'indicator_type': 'Account', + 'lastSeen': '2023-04-19T17:43:07+03:00', + 'score': 'Unknown', + 'timestamp': '2023-04-19T17:43:07+03:00', + 'value': 'test@test.com'} +stix_type_1 = "user-account" +value_1 = 'test@test.com' +expected_stix_id_1 = "user-account--783b9e67-d7b0-58f3-b566-58ac7881a3bc" + +xsoar_indicator_2 = {'expirationStatus': 'active', + 'firstSeen': '2023-04-20T10:20:04+03:00', + 'indicator_type': 'File', + 'lastSeen': '2023-04-20T10:20:04+03:00', + 'score': 'Unknown', 'sourceBrands': 'VirusTotal', + 'sourceInstances': 'VirusTotal', + 'timestamp': '2023-04-20T10:20:04+03:00', + 'value': '701393b3b8e6ae6e70effcda7598a8cf92d0adb1aaeb5aa91c73004519644801'} +stix_type_2 = "file" +value_2 = '701393b3b8e6ae6e70effcda7598a8cf92d0adb1aaeb5aa91c73004519644801' +expected_stix_id_2 = "file--3e26aab3-dfc3-57c5-8fe2-45cfde8fe7c8" + +xsoar_indicator_3 = {'expirationStatus': 'active', + 'firstSeen': '2023-04-18T12:17:38+03:00', + 'indicator_type': 'IP', + 'lastSeen': '2023-04-18T12:17:38+03:00', + 'score': 'Unknown', + 'timestamp': '2023-04-18T12:17:38+03:00', + 'value': '8.8.8.8'} +stix_type_3 = "ipv4-addr" +value_3 = '8.8.8.8' +expected_stix_id_3 = "ipv4-addr--2f689bf9-0ff2-545f-aa61-e495eb8cecc7" + +test_test_create_sco_stix_uuid_params = [(xsoar_indicator_1, stix_type_1, value_1, expected_stix_id_1), + (xsoar_indicator_2, stix_type_2, value_2, expected_stix_id_2), + (xsoar_indicator_3, stix_type_3, value_3, expected_stix_id_3)] + + +@pytest.mark.parametrize('xsoar_indicator, stix_type, value, expected_stix_id', test_test_create_sco_stix_uuid_params) +def test_create_sco_stix_uuid(xsoar_indicator, stix_type, value, expected_stix_id): + """ + Given: + - An indicator from XSOAR, it's stix 
type and the value of the indicator. + When: + - Creating a SCO inducator and calling create_sco_stix_uuid + Then: + - Return the indicator id. + """ + stix_id = create_sco_stix_uuid(xsoar_indicator, stix_type, value) + assert expected_stix_id == stix_id + + +sdo_xsoar_indicator_1 = { + "expirationStatus": "active", + "firstSeen": "2023-04-19T13:05:01+03:00", + "indicator_type": "Attack Pattern", + "lastSeen": "2023-04-19T13:05:01+03:00", + "score": "Unknown", + "timestamp": "2023-04-19T13:05:01+03:00", + "value": "T111", +} +sdo_stix_type_1 = 'attack-pattern' +sdo_value_1 = 'T111' +sdo_expected_stix_id_1 = 'attack-pattern--116d410f-50f9-5f0d-b677-2a9b95812a3e' + +sdo_xsoar_indicator_2 = { + "expirationStatus": "active", + "firstSeen": "2023-04-20T17:20:10+03:00", + "indicator_type": "Malware", + "lastSeen": "2023-04-20T17:20:10+03:00", + "score": "Unknown", + "timestamp": "2023-04-20T17:20:10+03:00", + "value": "bad malware", + "ismalwarefamily": "True", +} +sdo_stix_type_2 = 'malware' +sdo_value_2 = 'bad malware' +sdo_expected_stix_id_2 = 'malware--bddcf01f-9fd0-5107-a013-4b174285babc' + +test_test_create_sdo_stix_uuid_params = [(sdo_xsoar_indicator_1, sdo_stix_type_1, sdo_value_1, sdo_expected_stix_id_1), + (sdo_xsoar_indicator_2, sdo_stix_type_2, sdo_value_2, sdo_expected_stix_id_2)] + + +@pytest.mark.parametrize('xsoar_indicator, stix_type, value, expected_stix_id', test_test_create_sdo_stix_uuid_params) +def test_create_sdo_stix_uuid(xsoar_indicator, stix_type, value, expected_stix_id): + """ + Given: + - An indicator from XSOAR, it's stix type and the value of the indicator. + When: + - Creating a SDO inducator and calling create_sdo_stix_uuid + Then: + - Return the indicator id. + """ + + stix_id = create_sdo_stix_uuid(xsoar_indicator, stix_type, value) + assert expected_stix_id == stix_id diff --git a/Packs/CommonScripts/pack_metadata.json b/Packs/CommonScripts/pack_metadata.json index eac289ece5c4..a0b3332054ab 100644 
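Review bot: The new `create_sco_stix_uuid` cases pass indicators without `CustomFields`, so `expected_stix_id_1` pins an id computed from `"account_type":"None","user_id":"None"`; if the id derivation is changed to omit absent optional properties these constants must be regenerated, and a case whose `CustomFields` carries `stixid`, `accounttype` and `userid` would cover the branches that are currently unexercised. The `file` case only exercises SHA-256, and a registry-key value containing backslashes would exercise the JSON-escaping path. In both docstrings, `it's stix type` should read `its STIX type` and `inducator` should read `indicator`.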
--- a/Packs/CommonScripts/pack_metadata.json +++ b/Packs/CommonScripts/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Common Scripts", "description": "Frequently used scripts pack.", "support": "xsoar", - "currentVersion": "1.11.60", + "currentVersion": "1.11.61", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", From 302f062bcf28d008effbf1bf24831f5f801943d5 Mon Sep 17 00:00:00 2001 From: RotemAmit Date: Sun, 23 Apr 2023 09:25:40 +0300 Subject: [PATCH 02/23] updated release notes --- Packs/CommonScripts/ReleaseNotes/1_11_62.md | 10 ++++++++++ Packs/CommonScripts/pack_metadata.json | 2 +- 2 files changed, 11 insertions(+), 1 deletion(-) create mode 100644 Packs/CommonScripts/ReleaseNotes/1_11_62.md diff --git a/Packs/CommonScripts/ReleaseNotes/1_11_62.md b/Packs/CommonScripts/ReleaseNotes/1_11_62.md new file mode 100644 index 000000000000..894b7d65667f --- /dev/null +++ b/Packs/CommonScripts/ReleaseNotes/1_11_62.md @@ -0,0 +1,10 @@ + +#### Scripts + +##### StixCreator + +##### StixCreator + +- Added an option to enter a flag for creating SCO indicators. +- Updated the process of generating IDs for SDO indicators. +- Updated the Docker image to: *demisto/py3-tools:1.0.0.55284*. diff --git a/Packs/CommonScripts/pack_metadata.json b/Packs/CommonScripts/pack_metadata.json index a0b3332054ab..db36d1b82cf7 100644 --- a/Packs/CommonScripts/pack_metadata.json +++ b/Packs/CommonScripts/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Common Scripts", "description": "Frequently used scripts pack.", "support": "xsoar", - "currentVersion": "1.11.61", + "currentVersion": "1.11.62", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", From 52ea71d1c0d83806912e02de40de6e25b4ec6129 Mon Sep 17 00:00:00 2001 
From: RotemAmit Date: Sun, 23 Apr 2023 11:15:15 +0300 Subject: [PATCH 03/23] updated task 17 in playbook-TestStixCreator --- .../playbook-TestStixCreator.yml | 85 +++++++++++-------- 1 file changed, 49 insertions(+), 36 deletions(-) diff --git a/Packs/CommonScripts/TestPlaybooks/playbook-TestStixCreator.yml b/Packs/CommonScripts/TestPlaybooks/playbook-TestStixCreator.yml index bfc6c7cf492f..a1696524eec7 100644 --- a/Packs/CommonScripts/TestPlaybooks/playbook-TestStixCreator.yml +++ b/Packs/CommonScripts/TestPlaybooks/playbook-TestStixCreator.yml @@ -5,10 +5,10 @@ starttaskid: '0' tasks: '0': id: '0' - taskid: 836efd42-b9a2-409d-8979-099a1dd7ad73 + taskid: 95878e97-f37b-43b3-8a83-ec5e41bad3e2 type: start task: - id: 836efd42-b9a2-409d-8979-099a1dd7ad73 + id: 95878e97-f37b-43b3-8a83-ec5e41bad3e2 version: -1 name: '' iscommand: false @@ -32,12 +32,13 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" '1': id: '1' - taskid: e50d117c-df8b-44c2-87ba-906ed0625623 + taskid: f37fb7e5-bb4d-4605-8f12-c29662e25683 type: regular task: - id: e50d117c-df8b-44c2-87ba-906ed0625623 + id: f37fb7e5-bb4d-4605-8f12-c29662e25683 version: -1 name: Stix2Creator with Email scriptName: StixCreator @@ -69,12 +70,13 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" '2': id: '2' - taskid: 45693cf4-7a89-42e8-8c28-259e09e9624b + taskid: 6a1ad729-763c-4dad-8a6f-3f0b54fb3a82 type: condition task: - id: 45693cf4-7a89-42e8-8c28-259e09e9624b + id: 6a1ad729-763c-4dad-8a6f-3f0b54fb3a82 version: -1 name: Check STIX Export Result type: condition @@ -109,12 +111,13 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" '3': id: '3' - taskid: f841d097-00eb-403e-8168-799cd6f3ac0c + taskid: 2dc91fa5-27de-4b98-86e7-32e93a26394d type: title task: - id: f841d097-00eb-403e-8168-799cd6f3ac0c + id: 2dc91fa5-27de-4b98-86e7-32e93a26394d version: -1 name: Success type: title 
@@ -136,12 +139,13 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" '4': id: '4' - taskid: 073ee3b1-687b-4e73-8c8c-d24e1fdb228b + taskid: fe2e2f8b-1690-4598-86ba-6dddebeefd18 type: regular task: - id: 073ee3b1-687b-4e73-8c8c-d24e1fdb228b + id: fe2e2f8b-1690-4598-86ba-6dddebeefd18 version: -1 name: DeleteContext description: Delete field from context @@ -170,12 +174,13 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" '5': id: '5' - taskid: 7c729ae3-0b1d-4f96-8693-925524d75044 + taskid: a6ee24d6-92fb-41f7-8fea-aad4447377cd type: regular task: - id: 7c729ae3-0b1d-4f96-8693-925524d75044 + id: a6ee24d6-92fb-41f7-8fea-aad4447377cd version: -1 name: Stix2Creator with IP scriptName: StixCreator @@ -207,12 +212,13 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" '6': id: '6' - taskid: 41dd7376-9b63-410b-881b-69daa8628a34 + taskid: 1595cf27-a346-43ae-8c52-d7d5cbadb241 type: condition task: - id: 41dd7376-9b63-410b-881b-69daa8628a34 + id: 1595cf27-a346-43ae-8c52-d7d5cbadb241 version: -1 name: Check STIX Export Result type: condition @@ -247,12 +253,13 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" '7': id: '7' - taskid: 08a26486-4db0-43cf-8cc9-b89523f902b1 + taskid: 185315e0-72df-478d-838d-0d69a2fa0684 type: regular task: - id: 08a26486-4db0-43cf-8cc9-b89523f902b1 + id: 185315e0-72df-478d-838d-0d69a2fa0684 version: -1 name: Stix2Creator with Domain description: Gets a list of indicators from the indicators argument, and generates a JSON file in STIX 2.0 format. 
@@ -285,12 +292,13 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" '9': id: '9' - taskid: 2dafd11f-d122-4ce5-8e67-942323fa9422 + taskid: baa9d897-64d3-4313-8dec-938318f028e8 type: regular task: - id: 2dafd11f-d122-4ce5-8e67-942323fa9422 + id: baa9d897-64d3-4313-8dec-938318f028e8 version: -1 name: DeleteContext description: Delete field from context @@ -319,12 +327,13 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" '10': id: '10' - taskid: 831757ba-0104-41bf-8930-e910aae5572c + taskid: 7c95d21b-09a4-4779-8e4a-fa11543199ff type: regular task: - id: 831757ba-0104-41bf-8930-e910aae5572c + id: 7c95d21b-09a4-4779-8e4a-fa11543199ff version: -1 name: DeleteContext description: Delete field from context @@ -353,12 +362,13 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" '12': id: '12' - taskid: 99b8be0c-8702-4eaf-890c-34d82717f888 + taskid: c9b7d148-6c92-4020-8960-effc5fb0f2ea type: condition task: - id: 99b8be0c-8702-4eaf-890c-34d82717f888 + id: c9b7d148-6c92-4020-8960-effc5fb0f2ea version: -1 name: Check STIX Export Result type: condition @@ -393,12 +403,13 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" '14': id: '14' - taskid: 7781454c-e3a6-4fc3-8b7a-736b097a666e + taskid: 848b9310-fefc-4339-8d20-d78f2a187b15 type: regular task: - id: 7781454c-e3a6-4fc3-8b7a-736b097a666e + id: 848b9310-fefc-4339-8d20-d78f2a187b15 version: -1 name: Stix2Creator with Registry description: Gets a list of indicators from the indicators argument, and generates a JSON file in STIX 2.0 format. 
@@ -431,12 +442,13 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" '15': id: '15' - taskid: 8f69a2e8-0b9e-4a7d-876c-88887658b82a + taskid: f9571829-5c2b-4215-817d-7ae0ff4aa7bc type: condition task: - id: 8f69a2e8-0b9e-4a7d-876c-88887658b82a + id: f9571829-5c2b-4215-817d-7ae0ff4aa7bc version: -1 name: Check STIX Export Result type: condition @@ -471,12 +483,13 @@ tasks: quietmode: 2 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" '16': id: '16' - taskid: 8229c593-10d1-4d5d-87d7-4698959bfde1 + taskid: 128c2243-c6ea-4f7d-8306-f6f3ba9e625a type: regular task: - id: 8229c593-10d1-4d5d-87d7-4698959bfde1 + id: 128c2243-c6ea-4f7d-8306-f6f3ba9e625a version: -1 name: DeleteContext description: Delete field from context @@ -505,12 +518,13 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" '17': id: '17' - taskid: d883cc78-501d-42c3-873a-73a8b4875a37 + taskid: 4c4e2d3e-f052-4248-8659-3ab003d05074 type: regular task: - id: d883cc78-501d-42c3-873a-73a8b4875a37 + id: 4c4e2d3e-f052-4248-8659-3ab003d05074 version: -1 name: Stix2Creator with CVE description: Gets a list of indicators from the indicators argument, and generates a JSON file in STIX 2.0 format. @@ -525,7 +539,7 @@ tasks: indicators: simple: |- {"0": {"firstSeen": "2019-03-13T12:06:20+02:00", "id": "994", "indicator_type": - "cve", "investigationIDs": "237, 283, 466", "lastSeen": "2019-03-24T10:33:42+02:00", + "CVE", "investigationIDs": "237, 283, 466", "lastSeen": "2019-03-24T10:33:42+02:00", "score": "Bad", "source": "DBot", "timestamp": "2019-03-13T12:06:27+02:00", "value": "CVE-1234-5678"}} separatecontext: false 
@@ -543,12 +557,13 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" '18': id: '18' - taskid: c323230c-3548-4f18-801f-22eb7863e2f3 + taskid: 5f372ebe-3cb0-4929-896a-7310becb9d45 type: condition task: - id: c323230c-3548-4f18-801f-22eb7863e2f3 + id: 5f372ebe-3cb0-4929-896a-7310becb9d45 version: -1 name: Check STIX Export Result type: condition @@ -585,6 +600,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" view: |- { "linkLabelsPosition": { @@ -602,7 +618,4 @@ view: |- inputs: [] outputs: [] fromversion: 5.0.0 -contentitemexportablefields: - contentitemfields: {} -system: true description: Testing output of the Stix Export button From 71da72a6bbe6566394725497f414b0a0c101796e Mon Sep 17 00:00:00 2001 From: Content Bot Date: Sun, 23 Apr 2023 10:28:49 +0000 Subject: [PATCH 04/23] Bump pack from version CommonScripts to 1.11.63. --- Packs/CommonScripts/ReleaseNotes/1_11_63.md | 10 ++++++++++ Packs/CommonScripts/pack_metadata.json | 2 +- 2 files changed, 11 insertions(+), 1 deletion(-) create mode 100644 Packs/CommonScripts/ReleaseNotes/1_11_63.md diff --git a/Packs/CommonScripts/ReleaseNotes/1_11_63.md b/Packs/CommonScripts/ReleaseNotes/1_11_63.md new file mode 100644 index 000000000000..894b7d65667f --- /dev/null +++ b/Packs/CommonScripts/ReleaseNotes/1_11_63.md @@ -0,0 +1,10 @@ + +#### Scripts + +##### StixCreator + +##### StixCreator + +- Added an option to enter a flag for creating SCO indicators. +- Updated the process of generating IDs for SDO indicators. +- Updated the Docker image to: *demisto/py3-tools:1.0.0.55284*. diff --git a/Packs/CommonScripts/pack_metadata.json b/Packs/CommonScripts/pack_metadata.json index db36d1b82cf7..7792b37c244f 100644 --- a/Packs/CommonScripts/pack_metadata.json +++ b/Packs/CommonScripts/pack_metadata.json 
@@ -2,7 +2,7 @@ "name": "Common Scripts", "description": "Frequently used scripts pack.", "support": "xsoar", - "currentVersion": "1.11.62", + "currentVersion": "1.11.63", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", From 63592f35c4f6dcabccf190848b150c5ebdad746a Mon Sep 17 00:00:00 2001 From: RotemAmit <71597826+RotemAmit@users.noreply.github.com> Date: Sun, 23 Apr 2023 14:45:31 +0300 Subject: [PATCH 05/23] Update Packs/CommonScripts/ReleaseNotes/1_11_63.md Co-authored-by: MLainer1 <93524335+MLainer1@users.noreply.github.com> --- Packs/CommonScripts/ReleaseNotes/1_11_63.md | 1 - 1 file changed, 1 deletion(-) diff --git a/Packs/CommonScripts/ReleaseNotes/1_11_63.md b/Packs/CommonScripts/ReleaseNotes/1_11_63.md index 894b7d65667f..cc0c600acd85 100644 --- a/Packs/CommonScripts/ReleaseNotes/1_11_63.md +++ b/Packs/CommonScripts/ReleaseNotes/1_11_63.md @@ -3,7 +3,6 @@ ##### StixCreator -##### StixCreator - Added an option to enter a flag for creating SCO indicators. - Updated the process of generating IDs for SDO indicators. From f058eff6ec3f62247e39cbaf285e6ac328f66cf6 Mon Sep 17 00:00:00 2001 From: RotemAmit <71597826+RotemAmit@users.noreply.github.com> Date: Sun, 23 Apr 2023 14:45:40 +0300 Subject: [PATCH 06/23] Update Packs/CommonScripts/Scripts/StixCreator/StixCreator.py Co-authored-by: MLainer1 <93524335+MLainer1@users.noreply.github.com> --- Packs/CommonScripts/Scripts/StixCreator/StixCreator.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Packs/CommonScripts/Scripts/StixCreator/StixCreator.py b/Packs/CommonScripts/Scripts/StixCreator/StixCreator.py index 797fc80024d6..4cdcdd28f547 100644 --- a/Packs/CommonScripts/Scripts/StixCreator/StixCreator.py +++ b/Packs/CommonScripts/Scripts/StixCreator/StixCreator.py 
@@ -225,7 +225,7 @@ def main(): except KeyError: - demisto.debug(f"{demisto_indicator_type} isn't an SCO checking other IOC types") + demisto.debug(f"{demisto_indicator_type} isn't a SCO, checking other IOC types") try: indicator_type = demisto_indicator_type.lower() From d3d2aecbf09c861d38857acc34afdae150f3a413 Mon Sep 17 00:00:00 2001 From: RotemAmit Date: Sun, 23 Apr 2023 18:01:49 +0300 Subject: [PATCH 07/23] fixed cr comments --- Packs/CommonScripts/ReleaseNotes/1_11_63.md | 2 +- .../Scripts/StixCreator/StixCreator.py | 40 ++++++++++++------- .../Scripts/StixCreator/StixCreator_test.py | 20 ++++++---- 3 files changed, 40 insertions(+), 22 deletions(-) diff --git a/Packs/CommonScripts/ReleaseNotes/1_11_63.md b/Packs/CommonScripts/ReleaseNotes/1_11_63.md index cc0c600acd85..eeb2a1ca5f0f 100644 --- a/Packs/CommonScripts/ReleaseNotes/1_11_63.md +++ b/Packs/CommonScripts/ReleaseNotes/1_11_63.md @@ -4,6 +4,6 @@ ##### StixCreator -- Added an option to enter a flag for creating SCO indicators. +- Added a flag for creating SCO indicators. - Updated the process of generating IDs for SDO indicators. - Updated the Docker image to: *demisto/py3-tools:1.0.0.55284*. diff --git a/Packs/CommonScripts/Scripts/StixCreator/StixCreator.py b/Packs/CommonScripts/Scripts/StixCreator/StixCreator.py index 4cdcdd28f547..d57cd449d549 100644 --- a/Packs/CommonScripts/Scripts/StixCreator/StixCreator.py +++ b/Packs/CommonScripts/Scripts/StixCreator/StixCreator.py 
@@ -102,7 +102,13 @@ def guess_indicator_type(type_: str, val: str) -> str: def create_sco_stix_uuid(xsoar_indicator: dict, stix_type: Optional[str], value: str) -> str: """ - Create uuid for sco objects. + Create uuid for SCO objects. + Args: + xsoar_indicator: dict - The XSOAR representation of the indicator. + stix_type: Optional[str] - The indicator type according to STIX. + value: str - The value of the indicator. + Returns: + The uuid that represents the indicator according to STIX. """ if stixid := xsoar_indicator.get('CustomFields', {}).get('stixid'): return stixid @@ -132,7 +138,13 @@ def create_sco_stix_uuid(xsoar_indicator: dict, stix_type: Optional[str], value: def create_sdo_stix_uuid(xsoar_indicator: dict, stix_type: Optional[str], value: str) -> str: """ - Create uuid for sdo objects. + Create uuid for SDO objects. + Args: + xsoar_indicator: dict - The XSOAR representation of the indicator. + stix_type: Optional[str] - The indicator type according to STIX. + value: str - The value of the indicator. + Returns: + The uuid that represents the indicator according to STIX. """ if stixid := xsoar_indicator.get('CustomFields', {}).get('stixid'): return stixid 
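Review bot: The new `Returns:` section in both docstrings says the function returns "The uuid", but the visible return paths hand back either the stored `CustomFields.stixid` verbatim or a full STIX identifier of the form `<stix_type>--<uuid>` (the `return f'{stix_type}--{unique_id}'` of create_sdo_stix_uuid appears as context later in this series). Suggested wording for both: `The STIX identifier of the indicator ('<stix_type>--<uuid>'), or the value of CustomFields.stixid unchanged when the indicator already carries one.` It is also worth stating that a stored stixid is returned without checking that its prefix matches stix_type, since a malformed or mismatched custom-field value becomes the object's id as-is and will be rejected by strict STIX consumers. Both function bodies continue outside the hunks.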
@@ -163,22 +175,22 @@ def main(): except: # noqa: E722 return_error('indicators argument is invalid json object') - demisto.debug(f'StixCreator {demisto.args()=}\n{user_args=}\n{all_args=}') indicators = [] for indicator_fields in all_args: kwargs: dict[str, Any] = {"allow_custom": True} - demisto_indicator_type = all_args[indicator_fields].get('indicator_type', 'Unknown') + indicator_dict = all_args[indicator_fields] + demisto_indicator_type = indicator_dict.get('indicator_type', 'Unknown') if doubleBackslash: - value = all_args[indicator_fields].get('value', '').replace('\\', r'\\') + value = indicator_dict.get('value', '').replace('\\', r'\\') else: - value = all_args[indicator_fields].get('value', '') + value = indicator_dict.get('value', '') if demisto_indicator_type in XSOAR_TYPES_TO_STIX_SCO and is_sco: stix_type = XSOAR_TYPES_TO_STIX_SCO.get(demisto_indicator_type) - stix_id = create_sco_stix_uuid(all_args[indicator_fields], stix_type, value) + stix_id = create_sco_stix_uuid(indicator_dict, stix_type, value) indicator = { "type": stix_type, "spec_version": "2.1", @@ -187,7 +199,7 @@ def main(): } indicators.append(indicator) else: - demisto_score = all_args[indicator_fields].get('score', '').lower() + demisto_score = indicator_dict.get('score', '').lower() if demisto_score in ["bad", "malicious"]: kwargs["score"] = "High" 
@@ -202,13 +214,13 @@ def main(): kwargs["score"] = "Not Specified" stix_type = XSOAR_TYPES_TO_STIX_SDO.get(demisto_indicator_type, 'indicator') - stix_id = create_sdo_stix_uuid(all_args[indicator_fields], stix_type, value) + stix_id = create_sdo_stix_uuid(indicator_dict, stix_type, value) kwargs["id"] = stix_id - kwargs["created"] = dateparser.parse(all_args[indicator_fields].get('timestamp', '')) - kwargs["modified"] = dateparser.parse(all_args[indicator_fields].get('lastSeen', f'{kwargs["created"]}')) + kwargs["created"] = dateparser.parse(indicator_dict.get('timestamp', '')) + kwargs["modified"] = dateparser.parse(indicator_dict.get('lastSeen', f'{kwargs["created"]}')) kwargs["labels"] = [demisto_indicator_type.lower()] - kwargs["description"] = all_args[indicator_fields].get('description', '') + kwargs["description"] = indicator_dict.get('description', '') kwargs = {k: v for k, v in kwargs.items() if v} # Removing keys with empty strings @@ -235,7 +247,7 @@ def main(): elif indicator_type == "attack pattern": try: - mitreid = all_args[indicator_fields].get('mitreid', '') + mitreid = indicator_dict.get('mitreid', '') if mitreid: kwargs["external_references"] = [ExternalReference(source_name="mitre", external_id=mitreid)] @@ -244,7 +256,7 @@ def main(): elif indicator_type == 'malware': - kwargs['is_family'] = argToBoolean(all_args[indicator_fields].get('ismalwarefamily', 'False').lower()) + kwargs['is_family'] = argToBoolean(indicator_dict.get('ismalwarefamily', 'False').lower()) indicator = SDOs[indicator_type]( name=value, diff --git a/Packs/CommonScripts/Scripts/StixCreator/StixCreator_test.py b/Packs/CommonScripts/Scripts/StixCreator/StixCreator_test.py index 87b462dd23a0..5abc3becd4f8 100644 --- a/Packs/CommonScripts/Scripts/StixCreator/StixCreator_test.py +++ b/Packs/CommonScripts/Scripts/StixCreator/StixCreator_test.py 
@@ -162,11 +162,16 @@ def test_guess_indicator_type(k, v, exp): def test_create_sco_stix_uuid(xsoar_indicator, stix_type, value, expected_stix_id): """ Given: - - An indicator from XSOAR, it's stix type and the value of the indicator. + - Case 1: A XSOAR indicator of type 'Account', with a stix type of 'user-account' and a value of 'test@test.com'. + - Case 2: A XSOAR indicator of type 'File', with a stix type of 'file' and a value of + '701393b3b8e6ae6e70effcda7598a8cf92d0adb1aaeb5aa91c73004519644801'. + - Case 3: A XSOAR indicator of type 'IP', with a stix type of 'ipv4-addr' and a value of '8.8.8.8'. When: - - Creating a SCO inducator and calling create_sco_stix_uuid + - Creating a SCO indicator and calling create_sco_stix_uuid. Then: - - Return the indicator id. + - Case 1: Assert the ID looks like 'user-account--783b9e67-d7b0-58f3-b566-58ac7881a3bc'. + - Case 2: Assert the ID looks like 'file--3e26aab3-dfc3-57c5-8fe2-45cfde8fe7c8'. + - Case 3: Assert the ID looks like 'ipv4-addr--2f689bf9-0ff2-545f-aa61-e495eb8cecc7'. """ stix_id = create_sco_stix_uuid(xsoar_indicator, stix_type, value) assert expected_stix_id == stix_id 
@@ -207,12 +212,13 @@ def test_create_sco_stix_uuid(xsoar_indicator, stix_type, value, expected_stix_i def test_create_sdo_stix_uuid(xsoar_indicator, stix_type, value, expected_stix_id): """ Given: - - An indicator from XSOAR, it's stix type and the value of the indicator. + - Case 1: A XSOAR indicator of type 'Attack Pattern', with a stix type of 'attack-pattern' and a value of 'T111'. + - Case 2: A XSOAR indicator of type 'Malware', with a stix type of 'malware' and a value of 'bad malware'. When: - - Creating a SDO inducator and calling create_sdo_stix_uuid + - Creating a SDO indicator and calling create_sco_stix_uuid. Then: - - Return the indicator id. + - Case 1: Assert the ID looks like 'attack-pattern--116d410f-50f9-5f0d-b677-2a9b95812a3e'. + - Case 2: Assert the ID looks like 'malware--bddcf01f-9fd0-5107-a013-4b174285babc'. """ - stix_id = create_sdo_stix_uuid(xsoar_indicator, stix_type, value) assert expected_stix_id == stix_id From 68dfaa54f03b5945c9f5d50e2aac5071aca08d69 Mon Sep 17 00:00:00 2001 From: RotemAmit Date: Sun, 23 Apr 2023 20:35:45 +0300 Subject: [PATCH 08/23] updated the release notes --- Packs/CommonScripts/ReleaseNotes/1_11_63.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/Packs/CommonScripts/ReleaseNotes/1_11_63.md b/Packs/CommonScripts/ReleaseNotes/1_11_63.md index eeb2a1ca5f0f..5a2e83dadb34 100644 --- a/Packs/CommonScripts/ReleaseNotes/1_11_63.md +++ b/Packs/CommonScripts/ReleaseNotes/1_11_63.md @@ -3,7 +3,6 @@ ##### StixCreator - - Added a flag for creating SCO indicators. -- Updated the process of generating IDs for SDO indicators. +- Updated the process of generating IDs for SDO indicators. Instead of generating a new ID each click on the button "Export (STIX)", now the indicators will have the same ID. - Updated the Docker image to: *demisto/py3-tools:1.0.0.55284*. From ebef81463426f476de965640a4b93bc6a40fd54e Mon Sep 17 00:00:00 2001 
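Review bot: The `When:` clause of test_create_sdo_stix_uuid's docstring says the test calls `create_sco_stix_uuid`, but the assertion below calls `create_sdo_stix_uuid`; change it to `- Creating a SDO indicator and calling create_sdo_stix_uuid.`. The `Then:` lines say the ID "looks like" a value while the assertion checks exact equality, so `- Case 1: Assert the ID equals 'attack-pattern--116d410f-50f9-5f0d-b677-2a9b95812a3e'.` describes the test more precisely (same for Case 2 and for the sibling test_create_sco_stix_uuid docstring in the previous hunk).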
From: Content Bot Date: Mon, 24 Apr 2023 07:47:30 +0000 Subject: [PATCH 09/23] Bump pack from version CommonScripts to 1.11.64. --- Packs/CommonScripts/ReleaseNotes/1_11_64.md | 8 ++++++++ Packs/CommonScripts/pack_metadata.json | 2 +- 2 files changed, 9 insertions(+), 1 deletion(-) create mode 100644 Packs/CommonScripts/ReleaseNotes/1_11_64.md diff --git a/Packs/CommonScripts/ReleaseNotes/1_11_64.md b/Packs/CommonScripts/ReleaseNotes/1_11_64.md new file mode 100644 index 000000000000..5a2e83dadb34 --- /dev/null +++ b/Packs/CommonScripts/ReleaseNotes/1_11_64.md @@ -0,0 +1,8 @@ + +#### Scripts + +##### StixCreator + +- Added a flag for creating SCO indicators. +- Updated the process of generating IDs for SDO indicators. Instead of generating a new ID each click on the button "Export (STIX)", now the indicators will have the same ID. +- Updated the Docker image to: *demisto/py3-tools:1.0.0.55284*. diff --git a/Packs/CommonScripts/pack_metadata.json b/Packs/CommonScripts/pack_metadata.json index 7792b37c244f..fb0c2cb9a3e2 100644 --- a/Packs/CommonScripts/pack_metadata.json +++ b/Packs/CommonScripts/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Common Scripts", "description": "Frequently used scripts pack.", "support": "xsoar", - "currentVersion": "1.11.63", + "currentVersion": "1.11.64", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", From fd6bedc76d515c52ad3aa1284d266479c4f6ada0 Mon Sep 17 00:00:00 2001 From: Content Bot Date: Thu, 27 Apr 2023 07:36:10 +0000 Subject: [PATCH 10/23] Bump pack from version CommonScripts to 1.11.65. --- Packs/CommonScripts/ReleaseNotes/1_11_65.md | 8 ++++++++ Packs/CommonScripts/pack_metadata.json | 2 +- 2 files changed, 9 insertions(+), 1 deletion(-) create mode 100644 Packs/CommonScripts/ReleaseNotes/1_11_65.md diff --git a/Packs/CommonScripts/ReleaseNotes/1_11_65.md b/Packs/CommonScripts/ReleaseNotes/1_11_65.md new file mode 100644 index 000000000000..5a2e83dadb34 --- /dev/null 
+++ b/Packs/CommonScripts/ReleaseNotes/1_11_65.md @@ -0,0 +1,8 @@ + +#### Scripts + +##### StixCreator + +- Added a flag for creating SCO indicators. +- Updated the process of generating IDs for SDO indicators. Instead of generating a new ID each click on the button "Export (STIX)", now the indicators will have the same ID. +- Updated the Docker image to: *demisto/py3-tools:1.0.0.55284*. diff --git a/Packs/CommonScripts/pack_metadata.json b/Packs/CommonScripts/pack_metadata.json index fb0c2cb9a3e2..27ad8dae3c7c 100644 --- a/Packs/CommonScripts/pack_metadata.json +++ b/Packs/CommonScripts/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Common Scripts", "description": "Frequently used scripts pack.", "support": "xsoar", - "currentVersion": "1.11.64", + "currentVersion": "1.11.65", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", From 0153418f40d5e2059e888ad8a573016cc95d2d08 Mon Sep 17 00:00:00 2001 From: Content Bot Date: Sun, 30 Apr 2023 13:46:49 +0000 Subject: [PATCH 11/23] Bump pack from version CommonScripts to 1.11.66. --- Packs/CommonScripts/ReleaseNotes/1_11_66.md | 8 ++++++++ Packs/CommonScripts/pack_metadata.json | 2 +- 2 files changed, 9 insertions(+), 1 deletion(-) create mode 100644 Packs/CommonScripts/ReleaseNotes/1_11_66.md diff --git a/Packs/CommonScripts/ReleaseNotes/1_11_66.md b/Packs/CommonScripts/ReleaseNotes/1_11_66.md new file mode 100644 index 000000000000..5a2e83dadb34 --- /dev/null +++ b/Packs/CommonScripts/ReleaseNotes/1_11_66.md @@ -0,0 +1,8 @@ + +#### Scripts + +##### StixCreator + +- Added a flag for creating SCO indicators. +- Updated the process of generating IDs for SDO indicators. Instead of generating a new ID each click on the button "Export (STIX)", now the indicators will have the same ID. +- Updated the Docker image to: *demisto/py3-tools:1.0.0.55284*. diff --git a/Packs/CommonScripts/pack_metadata.json b/Packs/CommonScripts/pack_metadata.json index 27ad8dae3c7c..319d2302f36b 100644 
--- a/Packs/CommonScripts/pack_metadata.json +++ b/Packs/CommonScripts/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Common Scripts", "description": "Frequently used scripts pack.", "support": "xsoar", - "currentVersion": "1.11.65", + "currentVersion": "1.11.66", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", From 98da96815880b46bcab6a59ce5bb0e331cde0381 Mon Sep 17 00:00:00 2001 From: Content Bot Date: Sat, 6 May 2023 18:09:26 +0000 Subject: [PATCH 12/23] Bump pack from version CommonScripts to 1.11.67. --- Packs/CommonScripts/ReleaseNotes/1_11_67.md | 8 ++++++++ Packs/CommonScripts/pack_metadata.json | 2 +- 2 files changed, 9 insertions(+), 1 deletion(-) create mode 100644 Packs/CommonScripts/ReleaseNotes/1_11_67.md diff --git a/Packs/CommonScripts/ReleaseNotes/1_11_67.md b/Packs/CommonScripts/ReleaseNotes/1_11_67.md new file mode 100644 index 000000000000..5a2e83dadb34 --- /dev/null +++ b/Packs/CommonScripts/ReleaseNotes/1_11_67.md @@ -0,0 +1,8 @@ + +#### Scripts + +##### StixCreator + +- Added a flag for creating SCO indicators. +- Updated the process of generating IDs for SDO indicators. Instead of generating a new ID each click on the button "Export (STIX)", now the indicators will have the same ID. +- Updated the Docker image to: *demisto/py3-tools:1.0.0.55284*. diff --git a/Packs/CommonScripts/pack_metadata.json b/Packs/CommonScripts/pack_metadata.json index 319d2302f36b..492ac713ab4f 100644 --- a/Packs/CommonScripts/pack_metadata.json +++ b/Packs/CommonScripts/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Common Scripts", "description": "Frequently used scripts pack.", "support": "xsoar", - "currentVersion": "1.11.66", + "currentVersion": "1.11.67", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", From be33828fe7d9e8ec883a069eb2d90d275b0ea55e Mon Sep 17 00:00:00 2001 
From: RotemAmit Date: Sun, 7 May 2023 09:16:33 +0300 Subject: [PATCH 13/23] updated release notes --- Packs/CommonScripts/ReleaseNotes/1_11_67.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Packs/CommonScripts/ReleaseNotes/1_11_67.md b/Packs/CommonScripts/ReleaseNotes/1_11_67.md index 5a2e83dadb34..f080ad42c15d 100644 --- a/Packs/CommonScripts/ReleaseNotes/1_11_67.md +++ b/Packs/CommonScripts/ReleaseNotes/1_11_67.md @@ -4,5 +4,5 @@ ##### StixCreator - Added a flag for creating SCO indicators. -- Updated the process of generating IDs for SDO indicators. Instead of generating a new ID each click on the button "Export (STIX)", now the indicators will have the same ID. +- Updated the process of generating IDs for SDO indicators such that a given indicator will have the same ID every run. This applies both when clicking on the button "Export (STIX)", and when running the script manually. - Updated the Docker image to: *demisto/py3-tools:1.0.0.55284*. From 587733590df4113d26d1d460d7ff462687247d4e Mon Sep 17 00:00:00 2001 From: RotemAmit Date: Sun, 7 May 2023 09:18:33 +0300 Subject: [PATCH 14/23] updated the docker image --- Packs/CommonScripts/ReleaseNotes/1_11_67.md | 2 +- Packs/CommonScripts/Scripts/StixCreator/StixCreator.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Packs/CommonScripts/ReleaseNotes/1_11_67.md b/Packs/CommonScripts/ReleaseNotes/1_11_67.md index f080ad42c15d..edadfbe3c441 100644 --- a/Packs/CommonScripts/ReleaseNotes/1_11_67.md +++ b/Packs/CommonScripts/ReleaseNotes/1_11_67.md @@ -5,4 +5,4 @@ - Added a flag for creating SCO indicators. - Updated the process of generating IDs for SDO indicators such that a given indicator will have the same ID every run. This applies both when clicking on the button "Export (STIX)", and when running the script manually. -- Updated the Docker image to: *demisto/py3-tools:1.0.0.55284*. +- Updated the Docker image to: *demisto/py3-tools:1.0.0.57669*. 
diff --git a/Packs/CommonScripts/Scripts/StixCreator/StixCreator.yml b/Packs/CommonScripts/Scripts/StixCreator/StixCreator.yml index f3efe172303a..f8f3f2587f49 100644 --- a/Packs/CommonScripts/Scripts/StixCreator/StixCreator.yml +++ b/Packs/CommonScripts/Scripts/StixCreator/StixCreator.yml @@ -39,7 +39,7 @@ outputs: type: date scripttarget: 0 runonce: false -dockerimage: demisto/py3-tools:1.0.0.55284 +dockerimage: demisto/py3-tools:1.0.0.57669 subtype: python3 runas: DBotWeakRole tests: From 380ff477ba8cda2a3a3cc279919a09ef72b813b1 Mon Sep 17 00:00:00 2001 From: Content Bot Date: Sun, 7 May 2023 15:06:06 +0000 Subject: [PATCH 15/23] Bump pack from version CommonScripts to 1.11.68. --- Packs/CommonScripts/ReleaseNotes/1_11_68.md | 8 ++++++++ Packs/CommonScripts/pack_metadata.json | 2 +- 2 files changed, 9 insertions(+), 1 deletion(-) create mode 100644 Packs/CommonScripts/ReleaseNotes/1_11_68.md diff --git a/Packs/CommonScripts/ReleaseNotes/1_11_68.md b/Packs/CommonScripts/ReleaseNotes/1_11_68.md new file mode 100644 index 000000000000..edadfbe3c441 --- /dev/null +++ b/Packs/CommonScripts/ReleaseNotes/1_11_68.md @@ -0,0 +1,8 @@ + +#### Scripts + +##### StixCreator + +- Added a flag for creating SCO indicators. +- Updated the process of generating IDs for SDO indicators such that a given indicator will have the same ID every run. This applies both when clicking on the button "Export (STIX)", and when running the script manually. +- Updated the Docker image to: *demisto/py3-tools:1.0.0.57669*. diff --git a/Packs/CommonScripts/pack_metadata.json b/Packs/CommonScripts/pack_metadata.json index 492ac713ab4f..d43ca4d9f37f 100644 --- a/Packs/CommonScripts/pack_metadata.json +++ b/Packs/CommonScripts/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Common Scripts", "description": "Frequently used scripts pack.", "support": "xsoar", - "currentVersion": "1.11.67", + "currentVersion": "1.11.68", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", 
From eb36eb97c275f1acbf3e7b250db537eb94235488 Mon Sep 17 00:00:00 2001 From: Content Bot Date: Mon, 8 May 2023 10:01:13 +0000 Subject: [PATCH 16/23] Bump pack from version CommonScripts to 1.11.69. --- Packs/CommonScripts/ReleaseNotes/1_11_69.md | 8 ++++++++ Packs/CommonScripts/pack_metadata.json | 2 +- 2 files changed, 9 insertions(+), 1 deletion(-) create mode 100644 Packs/CommonScripts/ReleaseNotes/1_11_69.md diff --git a/Packs/CommonScripts/ReleaseNotes/1_11_69.md b/Packs/CommonScripts/ReleaseNotes/1_11_69.md new file mode 100644 index 000000000000..edadfbe3c441 --- /dev/null +++ b/Packs/CommonScripts/ReleaseNotes/1_11_69.md @@ -0,0 +1,8 @@ + +#### Scripts + +##### StixCreator + +- Added a flag for creating SCO indicators. +- Updated the process of generating IDs for SDO indicators such that a given indicator will have the same ID every run. This applies both when clicking on the button "Export (STIX)", and when running the script manually. +- Updated the Docker image to: *demisto/py3-tools:1.0.0.57669*. diff --git a/Packs/CommonScripts/pack_metadata.json b/Packs/CommonScripts/pack_metadata.json index d43ca4d9f37f..bf7cfc8823a8 100644 --- a/Packs/CommonScripts/pack_metadata.json +++ b/Packs/CommonScripts/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Common Scripts", "description": "Frequently used scripts pack.", "support": "xsoar", - "currentVersion": "1.11.68", + "currentVersion": "1.11.69", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", From e2e5bbba6ebb0ea5c6a7159164ec2964b8f63f23 Mon Sep 17 00:00:00 2001 From: RotemAmit Date: Mon, 8 May 2023 14:47:19 +0300 Subject: [PATCH 17/23] updated the File and ASN indicator types and added unit tests --- .../Scripts/StixCreator/StixCreator.py | 98 +++++++++++---- .../Scripts/StixCreator/StixCreator_test.py | 118 +++++++++++++++++- 2 files changed, 187 insertions(+), 29 deletions(-) 
diff --git a/Packs/CommonScripts/Scripts/StixCreator/StixCreator.py b/Packs/CommonScripts/Scripts/StixCreator/StixCreator.py index d57cd449d549..9dd083109a61 100644 --- a/Packs/CommonScripts/Scripts/StixCreator/StixCreator.py +++ b/Packs/CommonScripts/Scripts/StixCreator/StixCreator.py @@ -8,7 +8,7 @@ import json import uuid from stix2 import Bundle, ExternalReference, Indicator, Vulnerability -from stix2 import AttackPattern, Campaign, Malware, Infrastructure, IntrusionSet, Report, ThreatActor +from stix2 import AttackPattern, Campaign, Malware, Infrastructure, IntrusionSet, Report, ThreatActor # TODO, ASN from stix2 import Tool, CourseOfAction from typing import Any, Callable @@ -26,7 +26,8 @@ "account": "user-account:account_login", "domain": "domain-name:value", "host": "domain-name:value", - "registry key": "windows-registry-key:key" + "registry key": "windows-registry-key:key", + "asn": "autonomous-system:name" } SDOs: dict[str, Callable] = { # pragma: no cover @@ -45,7 +46,7 @@ SCO_DET_ID_NAMESPACE = uuid.UUID('00abedb4-aa42-466c-9c01-fed23315a9b7') PAWN_UUID = uuid.uuid5(uuid.NAMESPACE_URL, 'https://www.paloaltonetworks.com') -XSOAR_TYPES_TO_STIX_SCO = { +XSOAR_TYPES_TO_STIX_SCO = { # pragma: no cover FeedIndicatorType.CIDR: 'ipv4-addr', FeedIndicatorType.DomainGlob: 'domain-name', FeedIndicatorType.IPv6: 'ipv6-addr', 
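Review bot: The import line gains `# TODO, ASN` with no owner, ticket or description of what is pending, so the next reader cannot tell whether a stix2 import (presumably `AutonomousSystem`) is missing or the marker is stale. Either import what this commit's ASN support needs, or write `# TODO(<owner>): <what is still pending for ASN>` and remove it before merge.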
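Review bot: `"asn": "autonomous-system:name"` maps the ASN value to the `name` property, while create_stix_sco_indicator added later in this series writes the same value into `number`; if this table feeds STIX patterns the way its other entries (`ipv4-addr:value`, `url:value`) suggest, an ASN indicator pattern would compare the AS number against the object's name and never match the SCO. `"asn": "autonomous-system:number"` keeps the two code paths consistent. The enclosing dict starts outside the hunk.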
@@ -58,15 +59,15 @@ FeedIndicatorType.File: 'file', FeedIndicatorType.URL: 'url', FeedIndicatorType.Software: 'software', - FeedIndicatorType.AS: 'asn', + FeedIndicatorType.AS: 'autonomous-system', } -XSOAR_TYPES_TO_STIX_SDO = { +XSOAR_TYPES_TO_STIX_SDO = { # pragma: no cover ThreatIntel.ObjectsNames.ATTACK_PATTERN: 'attack-pattern', ThreatIntel.ObjectsNames.CAMPAIGN: 'campaign', ThreatIntel.ObjectsNames.COURSE_OF_ACTION: 'course-of-action', ThreatIntel.ObjectsNames.INFRASTRUCTURE: 'infrastructure', - ThreatIntel.ObjectsNames.INTRUSION_SET: 'instruction-set', + ThreatIntel.ObjectsNames.INTRUSION_SET: 'intrusion-set', ThreatIntel.ObjectsNames.REPORT: 'report', ThreatIntel.ObjectsNames.THREAT_ACTOR: 'threat-actor', ThreatIntel.ObjectsNames.TOOL: 'tool', @@ -75,6 +76,14 @@ } +HASH_TYPE_TO_STIX_HASH_TYPE = { # pragma: no cover + 'md5': 'MD5', + 'sha1': 'SHA-1', + 'sha256': 'SHA-256', + 'sha512': 'SHA-512', +} + + def hash_type(value: str) -> str: # pragma: no cover length = len(value) if length == 32: 
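Review bot: Changing `ThreatIntel.ObjectsNames.INTRUSION_SET` from `'instruction-set'` to `'intrusion-set'` (and `FeedIndicatorType.AS` from `'asn'` to `'autonomous-system'`) alters the `type` and the id prefix of every previously exported object of those kinds, yet none of the release notes in this series mention it; consumers that deduplicate on id will see new objects. Add a line such as `- Fixed the STIX type of Intrusion Set indicators ('intrusion-set' instead of 'instruction-set') and of ASN indicators ('autonomous-system'); their IDs change accordingly.` to the release notes so the behaviour change is discoverable.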
@@ -159,6 +168,49 @@ def create_sdo_stix_uuid(xsoar_indicator: dict, stix_type: Optional[str], value: return f'{stix_type}--{unique_id}' +def add_file_fields_to_indicator(xsoar_indicator: Dict, value: str) -> Dict: + """ + Create the hashes dictionary for the indicator object. + Args: + xsoar_indicator: Dict - The XSOAR representation of the indicator. + value: str - The value of the indicator. + Returns: + The dictionary with the file hashes. + """ + hashes_dict = {} + for hash_kind in ['md5', 'sha1', 'sha256', 'sha512']: + if get_hash_type(value) == hash_kind: + hashes_dict[HASH_TYPE_TO_STIX_HASH_TYPE.get(hash_kind)] = value + elif hash_kind in xsoar_indicator: + hashes_dict[HASH_TYPE_TO_STIX_HASH_TYPE.get(hash_kind)] = xsoar_indicator.get(hash_kind, '') + return hashes_dict + + +def create_stix_sco_indicator(stix_id: Optional[str], stix_type: Optional[str], value: str, xsoar_indicator: Dict) -> Dict: + """ + Create stix sco indicator object. + Args: + stix_id: Optional[str] - The stix id of the indicator. + stix_type: str - the stix type of the indicator. + xsoar_indicator: Dict - The XSOAR representation of the indicator. + value: str - The value of the indicator. + Returns: + The Dictionary representing the stix indicator. + """ + stix_indicator: Dict[str, Any] = { + "type": stix_type, + "spec_version": "2.1", + "value": value, + "id": stix_id + } + if stix_type == 'file': + stix_indicator['hashes'] = add_file_fields_to_indicator(xsoar_indicator, value) + elif stix_type == 'autonomous-system': + stix_indicator['number'] = value + stix_indicator['name'] = xsoar_indicator.get('name', '') + return stix_indicator + + def main(): user_args = demisto.args().get('indicators', 'Unknown') 
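Review bot: `stix_indicator['number'] = value` in create_stix_sco_indicator stores the AS number as a string, while STIX 2.1 defines autonomous-system `number` as an integer, so strict consumers will reject the object; `stix_indicator['number'] = int(value) if value.isdigit() else value` keeps the current behaviour for non-numeric input. The following line also emits `name: ''` whenever the indicator has no name; guard it with `if name := xsoar_indicator.get('name'): stix_indicator['name'] = name` so an absent optional property is omitted rather than set to an empty string. In add_file_fields_to_indicator, `get_hash_type(value)` is recomputed on every iteration of a list that duplicates the keys of `HASH_TYPE_TO_STIX_HASH_TYPE`; compute it once before the loop and iterate `HASH_TYPE_TO_STIX_HASH_TYPE.items()`. The docstring of create_stix_sco_indicator lists xsoar_indicator before value and types stix_type as `str`, neither matching the signature.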
@@ -180,26 +232,22 @@ def main(): for indicator_fields in all_args: kwargs: dict[str, Any] = {"allow_custom": True} - indicator_dict = all_args[indicator_fields] - demisto_indicator_type = indicator_dict.get('indicator_type', 'Unknown') + xsoar_indicator = all_args[indicator_fields] + demisto_indicator_type = xsoar_indicator.get('indicator_type', 'Unknown') if doubleBackslash: - value = indicator_dict.get('value', '').replace('\\', r'\\') + value = xsoar_indicator.get('value', '').replace('\\', r'\\') else: - value = indicator_dict.get('value', '') + value = xsoar_indicator.get('value', '') if demisto_indicator_type in XSOAR_TYPES_TO_STIX_SCO and is_sco: stix_type = XSOAR_TYPES_TO_STIX_SCO.get(demisto_indicator_type) - stix_id = create_sco_stix_uuid(indicator_dict, stix_type, value) - indicator = { - "type": stix_type, - "spec_version": "2.1", - "value": value, - "id": stix_id - } - indicators.append(indicator) + stix_id = create_sco_stix_uuid(xsoar_indicator, stix_type, value) + stix_indicator = create_stix_sco_indicator(stix_id, stix_type, value, xsoar_indicator) + indicators.append(stix_indicator) + else: - demisto_score = indicator_dict.get('score', '').lower() + demisto_score = xsoar_indicator.get('score', '').lower() if demisto_score in ["bad", "malicious"]: kwargs["score"] = "High" 
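Review bot: The escaped `value` (`.replace('\\', r'\\')` when doubleBackslash is set) is passed both to create_sco_stix_uuid and to create_stix_sco_indicator, so an SCO's deterministic id and its emitted property change with the flag, and the property itself carries doubled backslashes (most visible for registry keys). Doubling backslashes is presumably intended for STIX pattern string literals; if so, build the SCO from the raw value and apply the escaping only where the pattern is constructed, e.g. keep `raw_value = xsoar_indicator.get('value', '')` and pass `raw_value` to the two SCO calls. main's body continues outside the hunk, so I cannot see where the pattern is built — please confirm.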
@@ -214,13 +262,13 @@ def main(): kwargs["score"] = "Not Specified" stix_type = XSOAR_TYPES_TO_STIX_SDO.get(demisto_indicator_type, 'indicator') - stix_id = create_sdo_stix_uuid(indicator_dict, stix_type, value) + stix_id = create_sdo_stix_uuid(xsoar_indicator, stix_type, value) kwargs["id"] = stix_id - kwargs["created"] = dateparser.parse(indicator_dict.get('timestamp', '')) - kwargs["modified"] = dateparser.parse(indicator_dict.get('lastSeen', f'{kwargs["created"]}')) + kwargs["created"] = dateparser.parse(xsoar_indicator.get('timestamp', '')) + kwargs["modified"] = dateparser.parse(xsoar_indicator.get('lastSeen', f'{kwargs["created"]}')) kwargs["labels"] = [demisto_indicator_type.lower()] - kwargs["description"] = indicator_dict.get('description', '') + kwargs["description"] = xsoar_indicator.get('description', '') kwargs = {k: v for k, v in kwargs.items() if v} # Removing keys with empty strings @@ -247,7 +295,7 @@ def main(): elif indicator_type == "attack pattern": try: - mitreid = indicator_dict.get('mitreid', '') + mitreid = xsoar_indicator.get('mitreid', '') if mitreid: kwargs["external_references"] = [ExternalReference(source_name="mitre", external_id=mitreid)] @@ -256,7 +304,7 @@ def main(): elif indicator_type == 'malware': - kwargs['is_family'] = argToBoolean(indicator_dict.get('ismalwarefamily', 'False').lower()) + kwargs['is_family'] = argToBoolean(xsoar_indicator.get('ismalwarefamily', 'False').lower()) indicator = SDOs[indicator_type]( name=value, diff --git a/Packs/CommonScripts/Scripts/StixCreator/StixCreator_test.py b/Packs/CommonScripts/Scripts/StixCreator/StixCreator_test.py index 5abc3becd4f8..408a20b2bff8 100644 --- a/Packs/CommonScripts/Scripts/StixCreator/StixCreator_test.py +++ b/Packs/CommonScripts/Scripts/StixCreator/StixCreator_test.py 
@@ -1,7 +1,8 @@ import demistomock as demisto # noqa: F401 from CommonServerPython import * # noqa: F401 import pytest -from StixCreator import main, guess_indicator_type, create_sco_stix_uuid, create_sdo_stix_uuid +from StixCreator import main, guess_indicator_type, create_sco_stix_uuid, create_sdo_stix_uuid, \ + add_file_fields_to_indicator, create_stix_sco_indicator FILE_INDICATOR = \ { @@ -204,11 +205,11 @@ def test_create_sco_stix_uuid(xsoar_indicator, stix_type, value, expected_stix_i sdo_value_2 = 'bad malware' sdo_expected_stix_id_2 = 'malware--bddcf01f-9fd0-5107-a013-4b174285babc' -test_test_create_sdo_stix_uuid_params = [(sdo_xsoar_indicator_1, sdo_stix_type_1, sdo_value_1, sdo_expected_stix_id_1), - (sdo_xsoar_indicator_2, sdo_stix_type_2, sdo_value_2, sdo_expected_stix_id_2)] +test_create_sdo_stix_uuid_params = [(sdo_xsoar_indicator_1, sdo_stix_type_1, sdo_value_1, sdo_expected_stix_id_1), + (sdo_xsoar_indicator_2, sdo_stix_type_2, sdo_value_2, sdo_expected_stix_id_2)] -@pytest.mark.parametrize('xsoar_indicator, stix_type, value, expected_stix_id', test_test_create_sdo_stix_uuid_params) +@pytest.mark.parametrize('xsoar_indicator, stix_type, value, expected_stix_id', test_create_sdo_stix_uuid_params) def test_create_sdo_stix_uuid(xsoar_indicator, stix_type, value, expected_stix_id): """ Given: 
@@ -222,3 +223,112 @@ def test_create_sdo_stix_uuid(xsoar_indicator, stix_type, value, expected_stix_i """ stix_id = create_sdo_stix_uuid(xsoar_indicator, stix_type, value) assert expected_stix_id == stix_id + + +xsoar_indicator_file = {'expirationStatus': 'active', + 'firstSeen': '2023-05-07T14:42:59Z', + 'indicator_type': 'File', + 'lastSeen': '2023-05-07T14:42:59Z', + 'score': 'Unknown', + 'sha1': '57218c316b6921e2cd61027a2387edc31a2d9471', + 'sha256': 'f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5', + 'sha512': '37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0229' + 'b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5', + 'ssdeep': '3:g:g', + 'timestamp': '2023-05-07T14:42:59Z', + 'value': 'f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5'} + + +def test_add_file_fields_to_indicator(): + """ + Given: + - A dictionary representing a xsoar indicator. + When: + - Creating a dictionary containing the file hashes. + Then: + - check the hashes dictionary + """ + expected_hashes_dict = {'SHA-1': '57218c316b6921e2cd61027a2387edc31a2d9471', + 'SHA-256': 'f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5', + 'SHA-512': '37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0' + '229b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5'} + value = xsoar_indicator_file.get('value', '') + result = add_file_fields_to_indicator(xsoar_indicator_file, value) + assert expected_hashes_dict == result + + +xsoar_indicator_domain = {'expirationStatus': 'active', + 'firstSeen': '2023-05-07T13:18:27Z', + 'indicator_type': 'Domain', + 'lastSeen': '2023-05-07T13:18:27Z', + 'score': 'Unknown', + 'timestamp': '2023-05-07T13:18:27Z', + 'value': 'hello@test.com'} +xsoar_indicator_asn = {'expirationStatus': 'active', + 'firstSeen': '2023-05-07T07:37:30Z', + 'indicator_type': 'ASN', + 'lastSeen': '2023-05-07T07:37:30Z', + 'name': 'name', + 'score': 'Unknown', + 'timestamp': '2023-05-07T07:37:30Z', + 
'value': '54538'} + +file_stix_id = 'file--a1b6bbfd-73cd-5fef-9e12-9453e3b74cc5' +domain_stix_id = 'domain-name--fdf407b4-c3d0-5011-a66c-5ef889593b08' +asn_stix_id = 'autonomous-system--937a0541-d893-5707-ad67-bcfe8398164e' + +file_stix_type = 'file' +domain_stix_type = 'domain-name' +asn_stix_type = 'autonomous-system' + +file_value = 'f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5' +domain_value = 'hello@test.com' +asn_value = '54538' + +expectes_stix_file_indicator = {'type': 'file', + 'spec_version': '2.1', + 'value': 'f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5', + 'id': 'file--a1b6bbfd-73cd-5fef-9e12-9453e3b74cc5', + 'hashes': { + 'SHA-1': '57218c316b6921e2cd61027a2387edc31a2d9471', + 'SHA-256': 'f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5', + 'SHA-512': '37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14' + '815cf4f0229b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5'}} +expectes_stix_domain_indicator = {'type': 'domain-name', + 'spec_version': '2.1', + 'value': 'hello@test.com', + 'id': 'domain-name--fdf407b4-c3d0-5011-a66c-5ef889593b08'} +expectes_stix_asn_indicator = {'type': 'autonomous-system', + 'spec_version': '2.1', + 'value': '54538', + 'id': 'autonomous-system--937a0541-d893-5707-ad67-bcfe8398164e', + 'number': '54538', + 'name': 'name'} +params_test_create_stix_sco_indicator = [(file_stix_id, file_stix_type, file_value, xsoar_indicator_file, + expectes_stix_file_indicator), + (domain_stix_id, domain_stix_type, domain_value, xsoar_indicator_domain, + expectes_stix_domain_indicator), + (asn_stix_id, asn_stix_type, asn_value, xsoar_indicator_asn, + expectes_stix_asn_indicator)] + + +@pytest.mark.parametrize('stix_id, stix_type, value, xsoar_indicator, expectes_stix_indicator', + params_test_create_stix_sco_indicator) +def test_create_stix_sco_indicator(stix_id, stix_type, value, xsoar_indicator, expectes_stix_indicator): + """ + Given: + - Case 1: A XSOAR indicator of type 
'File', with a stix id of 'file--a1b6bbfd-73cd-5fef-9e12-9453e3b74cc5', + stix type of 'file' and a value of 'f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5'. + - Case 2: A XSOAR indicator of type 'Domain', with a stix id of + 'domain-name--fdf407b4-c3d0-5011-a66c-5ef889593b08', stix type of 'domain-name' and a value of + 'hello@test.com'. + - Case 2: A XSOAR indicator of type 'ASN', with a stix id of + 'autonomous-system--937a0541-d893-5707-ad67-bcfe8398164e', stix type of 'autonomous-system' and a value of + '54538'. + When: + - Creating a SCO indicator and calling create_stix_sco_indicator. + Then: + - Assert the indicator dictionary is as expected. + """ + result = create_stix_sco_indicator(stix_id, stix_type, value, xsoar_indicator) + assert result == expectes_stix_indicator From a74dd1afd0510d0845cdecd0dabbfc77b196d2f8 Mon Sep 17 00:00:00 2001 From: RotemAmit Date: Mon, 8 May 2023 17:00:42 +0300 Subject: [PATCH 18/23] removed the key 'value' from file and asn stix indicators --- Packs/CommonScripts/Scripts/StixCreator/StixCreator.py | 3 ++- .../CommonScripts/Scripts/StixCreator/StixCreator_test.py | 8 ++------ 2 files changed, 4 insertions(+), 7 deletions(-) diff --git a/Packs/CommonScripts/Scripts/StixCreator/StixCreator.py b/Packs/CommonScripts/Scripts/StixCreator/StixCreator.py index 9dd083109a61..c467cd35f1b5 100644 --- a/Packs/CommonScripts/Scripts/StixCreator/StixCreator.py +++ b/Packs/CommonScripts/Scripts/StixCreator/StixCreator.py @@ -200,7 +200,6 @@ def create_stix_sco_indicator(stix_id: Optional[str], stix_type: Optional[str], stix_indicator: Dict[str, Any] = { "type": stix_type, "spec_version": "2.1", - "value": value, "id": stix_id } if stix_type == 'file': 
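Review bot: The docstring of test_create_stix_sco_indicator labels both the Domain and the ASN scenario `Case 2`; the last one should read `- Case 3: A XSOAR indicator of type 'ASN', ...`. The fixture `xsoar_indicator_domain` uses `'hello@test.com'`, an email address, as the value of a `Domain` indicator, so the domain-name case is not exercised with a realistic input; a value such as `'test.example.com'` (constructed) would be. The `expectes_*` names (`expectes_stix_file_indicator` and friends, and the `expectes_stix_indicator` parameter) are misspelled; `expected_*` keeps them consistent with `expected_stix_id` used above.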
@@ -208,6 +207,8 @@ def create_stix_sco_indicator(stix_id: Optional[str], stix_type: Optional[str],
 elif stix_type == 'autonomous-system':
 stix_indicator['number'] = value
 stix_indicator['name'] = xsoar_indicator.get('name', '')
+ else:
+ stix_indicator['value'] = value
 return stix_indicator
diff --git a/Packs/CommonScripts/Scripts/StixCreator/StixCreator_test.py b/Packs/CommonScripts/Scripts/StixCreator/StixCreator_test.py
index 408a20b2bff8..de306bb005fa 100644
--- a/Packs/CommonScripts/Scripts/StixCreator/StixCreator_test.py
+++ b/Packs/CommonScripts/Scripts/StixCreator/StixCreator_test.py
@@ -235,8 +235,7 @@ def test_create_sdo_stix_uuid(xsoar_indicator, stix_type, value, expected_stix_i
 'sha512': '37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0229'
 'b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5',
 'ssdeep': '3:g:g',
- 'timestamp': '2023-05-07T14:42:59Z',
- 'value': 'f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5'}
+ 'timestamp': '2023-05-07T14:42:59Z'}
 def test_add_file_fields_to_indicator():
@@ -270,8 +269,7 @@ def test_add_file_fields_to_indicator():
 'lastSeen': '2023-05-07T07:37:30Z',
 'name': 'name',
 'score': 'Unknown',
- 'timestamp': '2023-05-07T07:37:30Z',
- 'value': '54538'}
+ 'timestamp': '2023-05-07T07:37:30Z'}
 file_stix_id = 'file--a1b6bbfd-73cd-5fef-9e12-9453e3b74cc5'
 domain_stix_id = 'domain-name--fdf407b4-c3d0-5011-a66c-5ef889593b08'
@@ -287,7 +285,6 @@ def test_add_file_fields_to_indicator():
 expectes_stix_file_indicator = {'type': 'file',
 'spec_version': '2.1',
- 'value': 'f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5',
 'id': 'file--a1b6bbfd-73cd-5fef-9e12-9453e3b74cc5',
 'hashes': {
 'SHA-1': '57218c316b6921e2cd61027a2387edc31a2d9471',
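Review bot: The new `else` branch assigns `stix_indicator['value'] = value` for every SCO type other than `file` and `autonomous-system`, but in STIX 2.1 several SCO types do not expose their observable under a `value` property (for instance `user-account` uses `account_login` and `windows-registry-key` uses `key`), so if the script routes such indicators through this function the emitted object carries a property the type does not define and may be rejected by a validating consumer. The preceding `@@ -200,7 +200,6 @@` hunk, which removes `value` from the base dict, is the other half of this change and has the same exposure. Either dispatch those types to their own property name or record the assumption on the branch, e.g. `# remaining SCO types reaching here (such as domain-name) expose the observable as 'value'`. The function's signature and its `file` branch lie outside this hunk.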
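Review bot: The `@@ -235,8 +235,7 @@` and `@@ -270,8 +269,7 @@` hunks drop `'value'` from what look like the input fixtures (`xsoar_indicator_file` and `xsoar_indicator_asn`, judging by fields such as `ssdeep`, `score` and `lastSeen`) rather than from expected output, while an indicator coming from the platform would in practice carry a `value` field; the removal only makes the inputs less representative, and the `@@ -287,7 +285,6 @@` and `@@ -300,7 +297,6 @@` hunks on the expected dicts already express the intent of the commit. Unless `create_stix_sco_indicator` is meant to be exercised with `value` absent from the indicator, I would keep the key in the inputs so a later change that reads `xsoar_indicator['value']` stays covered. The fixtures' enclosing definitions begin outside these hunks.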
@@ -300,7 +297,6 @@ def test_add_file_fields_to_indicator():
 'id': 'domain-name--fdf407b4-c3d0-5011-a66c-5ef889593b08'}
 expectes_stix_asn_indicator = {'type': 'autonomous-system',
 'spec_version': '2.1',
- 'value': '54538',
 'id': 'autonomous-system--937a0541-d893-5707-ad67-bcfe8398164e',
 'number': '54538',
 'name': 'name'}
From 332327f601b7fa5beb8c587e42dbe30f9784af62 Mon Sep 17 00:00:00 2001
From: Content Bot
Date: Mon, 8 May 2023 14:31:18 +0000
Subject: [PATCH 19/23] Bump pack from version CommonScripts to 1.11.70.
---
Packs/CommonScripts/ReleaseNotes/1_11_70.md | 8 ++++++++
Packs/CommonScripts/pack_metadata.json | 2 +-
2 files changed, 9 insertions(+), 1 deletion(-)
create mode 100644 Packs/CommonScripts/ReleaseNotes/1_11_70.md
diff --git a/Packs/CommonScripts/ReleaseNotes/1_11_70.md b/Packs/CommonScripts/ReleaseNotes/1_11_70.md
new file mode 100644
index 000000000000..edadfbe3c441
--- /dev/null
+++ b/Packs/CommonScripts/ReleaseNotes/1_11_70.md
@@ -0,0 +1,8 @@
+
+#### Scripts
+
+##### StixCreator
+
+- Added a flag for creating SCO indicators.
+- Updated the process of generating IDs for SDO indicators such that a given indicator will have the same ID every run. This applies both when clicking on the button "Export (STIX)", and when running the script manually.
+- Updated the Docker image to: *demisto/py3-tools:1.0.0.57669*.
diff --git a/Packs/CommonScripts/pack_metadata.json b/Packs/CommonScripts/pack_metadata.json
index bf7cfc8823a8..424e88f951ec 100644
--- a/Packs/CommonScripts/pack_metadata.json
+++ b/Packs/CommonScripts/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Common Scripts",
 "description": "Frequently used scripts pack.",
 "support": "xsoar",
- "currentVersion": "1.11.69",
+ "currentVersion": "1.11.70",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
From d0f5d987a02e7813248131d4f4ae4e7f5720f937 Mon Sep 17 00:00:00 2001
From: Content Bot
Date: Mon, 8 May 2023 15:20:49 +0000
Subject: [PATCH 20/23] Bump pack from version CommonScripts to 1.11.71.
---
Packs/CommonScripts/ReleaseNotes/1_11_71.md | 8 ++++++++
Packs/CommonScripts/pack_metadata.json | 2 +-
2 files changed, 9 insertions(+), 1 deletion(-)
create mode 100644 Packs/CommonScripts/ReleaseNotes/1_11_71.md
diff --git a/Packs/CommonScripts/ReleaseNotes/1_11_71.md b/Packs/CommonScripts/ReleaseNotes/1_11_71.md
new file mode 100644
index 000000000000..edadfbe3c441
--- /dev/null
+++ b/Packs/CommonScripts/ReleaseNotes/1_11_71.md
@@ -0,0 +1,8 @@
+
+#### Scripts
+
+##### StixCreator
+
+- Added a flag for creating SCO indicators.
+- Updated the process of generating IDs for SDO indicators such that a given indicator will have the same ID every run. This applies both when clicking on the button "Export (STIX)", and when running the script manually.
+- Updated the Docker image to: *demisto/py3-tools:1.0.0.57669*.
diff --git a/Packs/CommonScripts/pack_metadata.json b/Packs/CommonScripts/pack_metadata.json
index 424e88f951ec..ead73914f06d 100644
--- a/Packs/CommonScripts/pack_metadata.json
+++ b/Packs/CommonScripts/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Common Scripts",
 "description": "Frequently used scripts pack.",
 "support": "xsoar",
- "currentVersion": "1.11.70",
+ "currentVersion": "1.11.71",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
From 5d5e86cf961e385cce27bc06bd8d954f059ae6d1 Mon Sep 17 00:00:00 2001
From: Content Bot
Date: Tue, 9 May 2023 14:36:41 +0000
Subject: [PATCH 21/23] Bump pack from version CommonScripts to 1.11.72.
---
Packs/CommonScripts/ReleaseNotes/1_11_72.md | 8 ++++++++
Packs/CommonScripts/pack_metadata.json | 2 +-
2 files changed, 9 insertions(+), 1 deletion(-)
create mode 100644 Packs/CommonScripts/ReleaseNotes/1_11_72.md
diff --git a/Packs/CommonScripts/ReleaseNotes/1_11_72.md b/Packs/CommonScripts/ReleaseNotes/1_11_72.md
new file mode 100644
index 000000000000..edadfbe3c441
--- /dev/null
+++ b/Packs/CommonScripts/ReleaseNotes/1_11_72.md
@@ -0,0 +1,8 @@
+
+#### Scripts
+
+##### StixCreator
+
+- Added a flag for creating SCO indicators.
+- Updated the process of generating IDs for SDO indicators such that a given indicator will have the same ID every run. This applies both when clicking on the button "Export (STIX)", and when running the script manually.
+- Updated the Docker image to: *demisto/py3-tools:1.0.0.57669*.
diff --git a/Packs/CommonScripts/pack_metadata.json b/Packs/CommonScripts/pack_metadata.json
index ead73914f06d..d9a91f9cf751 100644
--- a/Packs/CommonScripts/pack_metadata.json
+++ b/Packs/CommonScripts/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Common Scripts",
 "description": "Frequently used scripts pack.",
 "support": "xsoar",
- "currentVersion": "1.11.71",
+ "currentVersion": "1.11.72",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
From 093dcd7f309f9054250c5b40537788821f0ef74d Mon Sep 17 00:00:00 2001
From: RotemAmit
Date: Tue, 9 May 2023 19:38:00 +0300
Subject: [PATCH 22/23] cr fixes
---
Packs/CommonScripts/Scripts/StixCreator/StixCreator.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Packs/CommonScripts/Scripts/StixCreator/StixCreator.py b/Packs/CommonScripts/Scripts/StixCreator/StixCreator.py
index c467cd35f1b5..6722d5623881 100644
--- a/Packs/CommonScripts/Scripts/StixCreator/StixCreator.py
+++ b/Packs/CommonScripts/Scripts/StixCreator/StixCreator.py
@@ -8,7 +8,7 @@ import json
 import uuid
 from stix2 import Bundle, ExternalReference, Indicator, Vulnerability
-from stix2 import AttackPattern, Campaign, Malware, Infrastructure, IntrusionSet, Report, ThreatActor # TODO, ASN
+from stix2 import AttackPattern, Campaign, Malware, Infrastructure, IntrusionSet, Report, ThreatActor
 from stix2 import Tool, CourseOfAction
 from typing import Any, Callable
From c4cb795fb5213f28c9b319bda84d7473e60f9511 Mon Sep 17 00:00:00 2001
From: RotemAmit
Date: Wed, 10 May 2023 09:37:30 +0300
Subject: [PATCH 23/23] updated the docker image
---
Packs/CommonScripts/ReleaseNotes/1_11_72.md | 2 +-
Packs/CommonScripts/Scripts/StixCreator/StixCreator.yml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Packs/CommonScripts/ReleaseNotes/1_11_72.md b/Packs/CommonScripts/ReleaseNotes/1_11_72.md
index edadfbe3c441..65a8fde7ae93 100644
--- a/Packs/CommonScripts/ReleaseNotes/1_11_72.md
+++ b/Packs/CommonScripts/ReleaseNotes/1_11_72.md
@@ -5,4 +5,4 @@
 - Added a flag for creating SCO indicators.
 - Updated the process of generating IDs for SDO indicators such that a given indicator will have the same ID every run. This applies both when clicking on the button "Export (STIX)", and when running the script manually.
-- Updated the Docker image to: *demisto/py3-tools:1.0.0.57669*.
+- Updated the Docker image to: *demisto/py3-tools:1.0.0.58222*.
diff --git a/Packs/CommonScripts/Scripts/StixCreator/StixCreator.yml b/Packs/CommonScripts/Scripts/StixCreator/StixCreator.yml
index f8f3f2587f49..8035370d1169 100644
--- a/Packs/CommonScripts/Scripts/StixCreator/StixCreator.yml
+++ b/Packs/CommonScripts/Scripts/StixCreator/StixCreator.yml
@@ -39,7 +39,7 @@ outputs:
 type: date
 scripttarget: 0
 runonce: false
-dockerimage: demisto/py3-tools:1.0.0.57669
+dockerimage: demisto/py3-tools:1.0.0.58222
 subtype: python3
 runas: DBotWeakRole
 tests: