Anomali ThreatStream change DBot verdict from Benign to Unknown for Low Confidence Indicators #30993

Status: Merged (9 commits, Nov 28, 2023). Changes shown from 6 commits.
@@ -496,6 +496,12 @@ def __init__(self, params: Dict):

}

indicator_default_score = params.get('indicator_default_score')
if indicator_default_score and indicator_default_score == 'Unknown':
self.default_score = Common.DBotScore.NONE
else:
self.default_score = Common.DBotScore.GOOD

def calculate_score(self, ioc_type: str, indicator, threshold=None):
"""
Calculate the DBot score according the indicator's confidence and thresholds if exist
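Review bot: the `indicator_default_score and` guard in the new `__init__` block is redundant, since `None == 'Unknown'` is already False; the four lines collapse to `self.default_score = Common.DBotScore.NONE if params.get('indicator_default_score') == 'Unknown' else Common.DBotScore.GOOD`. Falling back to GOOD when the parameter is absent keeps the previous Benign behaviour for instances configured before this parameter existed, which is the right backwards-compatible choice; a one-line comment saying so would stop it being "fixed" later.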
@@ -506,14 +512,14 @@ def calculate_score(self, ioc_type: str, indicator, threshold=None):
confidence = indicator.get('confidence', Common.DBotScore.NONE)
defined_threshold = threshold or self.instance_defined_thresholds.get(ioc_type)
if defined_threshold:
return Common.DBotScore.BAD if confidence >= defined_threshold else Common.DBotScore.GOOD
return Common.DBotScore.BAD if confidence >= defined_threshold else self.default_score
else:
if confidence > DEFAULT_MALICIOUS_THRESHOLD:
return Common.DBotScore.BAD
if confidence > DEFAULT_SUSPICIOUS_THRESHOLD:
return Common.DBotScore.SUSPICIOUS
else:
return Common.DBotScore.GOOD
return self.default_score


def find_worst_indicator(indicators):
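Review bot: both below-threshold return sites now yield `self.default_score`, so the docstring (`Calculate the DBot score according the indicator's confidence and thresholds if exist`) should say that low-confidence indicators receive the instance's configured default score (Benign or Unknown) rather than a hard-coded Benign, and "according" should read "according to". Note that `indicator.get('confidence', Common.DBotScore.NONE)` means an indicator with no confidence field at all also falls through to `self.default_score`; with the parameter set to Unknown that is the safer outcome, because unscored indicators stop being reported as Benign. A unit test per parameter value, plus one with an explicit `threshold`, would pin this behaviour.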
@@ -1,4 +1,4 @@
category: Data Enrichment & Threat Intelligence

Check failure on line 1 in Packs/Anomali_ThreatStream/Integrations/AnomaliThreatStreamv3/AnomaliThreatStreamv3.yml (GitHub Actions / pre-commit), Validation Error DO106:
The docker image tag is not the latest numeric tag, please update it. The docker image tag in the yml file is: 1.0.0.80754 The latest docker image tag in docker hub is: 1.0.0.81101 You can check for the most updated version of demisto/py3-tools here: https://hub.docker.com/r/demisto/py3-tools/tags To update the docker image run: demisto-sdk format -ud -i Packs/Anomali_ThreatStream/Integrations/AnomaliThreatStreamv3/AnomaliThreatStreamv3.yml

Check failure on line 1 in Packs/Anomali_ThreatStream/Integrations/AnomaliThreatStreamv3/AnomaliThreatStreamv3.yml (GitHub Actions / pre-commit), Validation Error IN116:
A required field ('indicator_default_score') has been added to an existing integration.
sectionOrder:
- Connect
- Collect
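Review bot: the changed line of this hunk is not visible in the diff view, but the pre-commit annotations on line 1 of the yml report two failures that block merge. DO106: the docker image tag in the yml is 1.0.0.80754 while the latest is 1.0.0.81101; the fix is the command the check prints, `demisto-sdk format -ud -i Packs/Anomali_ThreatStream/Integrations/AnomaliThreatStreamv3/AnomaliThreatStreamv3.yml`. IN116: `indicator_default_score` was added with `required: true` to an existing integration; since it carries `defaultvalue: Benign`, making it optional satisfies the validator without changing behaviour.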
@@ -72,6 +72,15 @@
required: true
type: 15
section: Collect
- defaultvalue: Benign
display: Default DBOT score for indicators with low Confidence
Contributor

Suggested change
display: Default DBOT score for indicators with low Confidence
display: Default DBOT score for indicators with low confidence

name: indicator_default_score
options:
- Benign
- Unknown
required: true
type: 15
section: Collect
- defaultvalue: 'false'
display: Trust any certificate (not secure)
name: insecure
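Review bot: `required: true` on the new `indicator_default_score` entry is exactly what the IN116 validation failure flags (a required field added to an existing integration); with `defaultvalue: Benign` already present and `params.get('indicator_default_score')` tolerating an unset value, `required: false` is sufficient and keeps prior instances valid. The contributor's suggested lowercase `confidence` in `display` is also the house style used by the neighbouring entries; if it is applied, the README parameter table and the release note must carry the identical string, because the display name is how users locate the parameter.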
@@ -25,6 +25,7 @@ If you are upgrading from a previous version of this integration, see [Breaking
| Use system proxy settings | | False |
| Create relationships | Create relationships between indicators as part of enrichment. | False |
| Remote API | Gather additional information about the threat model from remote APIs. | False |
| Default DBOT score for indicators with low Confidence | | True |

4. Click **Test** to validate the URLs, token, and connection.
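Review bot: the Description column of the new table row is empty, unlike the rows above it; suggest filling it in so users understand the security effect, e.g. `| Default DBOT score for indicators with low Confidence | The DBot score (Benign or Unknown) assigned to indicators whose confidence is below the malicious and suspicious thresholds. | True |`. The `True` in the Required column mirrors `required: true` in the yml and must be updated together with it.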

5 changes: 5 additions & 0 deletions Packs/Anomali_ThreatStream/ReleaseNotes/2_2_6.md
@@ -0,0 +1,5 @@

#### Integrations

##### Anomali ThreatStream v3
- Added a new parameter **Default DBOT score for indicators with low Confidence** - toggle between `Unknown` and `Benign`.
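Review bot: the release note names the two option values but not what the parameter governs; suggest stating the effect, e.g. "Added the **Default DBOT score for indicators with low Confidence** parameter, which sets the DBot score (`Benign` or `Unknown`) assigned to indicators whose confidence is below the configured thresholds." The 2_2_6 file name matches the `currentVersion` bump in pack_metadata.json.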
Contributor

Suggested change
- Added a new parameter **Default DBOT score for indicators with low Confidence** - toggle between `Unknown` and `Benign`.
- Added a new parameter **Default DBOT score for indicators with low Confidence**. Toggle between `Unknown` and `Benign`.

2 changes: 1 addition & 1 deletion Packs/Anomali_ThreatStream/pack_metadata.json
Expand Up @@ -2,7 +2,7 @@
"name": "Anomali ThreatStream",
"description": "Use Anomali ThreatStream to query and submit threats.",
"support": "xsoar",
"currentVersion": "2.2.5",
"currentVersion": "2.2.6",
"author": "Cortex XSOAR",
"url": "https://www.paloaltonetworks.com/cortex",
"email": "",