demisto · adi88d · Dec 5, 2023 · Dec 3, 2023 · Dec 3, 2023 · Dec 3, 2023
diff --git a/Packs/Anomali_ThreatStream/Integrations/AnomaliThreatStreamv3/AnomaliThreatStreamv3.py b/Packs/Anomali_ThreatStream/Integrations/AnomaliThreatStreamv3/AnomaliThreatStreamv3.py
@@ -2501,7 +2501,6 @@ def get_indicators(client: Client, **kwargs):
     """
     page = kwargs.get('page')
     page_size = kwargs.get('page_size')
-    offset = kwargs['offset'] = 0
     limit = kwargs['limit'] = int(kwargs.get('limit', 20))
     params = return_params_of_pagination_or_limit(arg_to_number(page), arg_to_number(page_size), arg_to_number(limit))
     kwargs.update(params)
@@ -2512,18 +2511,20 @@ def get_indicators(client: Client, **kwargs):
     url = "v2/intelligence/"
     if 'query' in kwargs:
         url += f"?q={kwargs.pop('query')}"
-    iocs_list = client.http_request("GET", url, params=kwargs).get('objects', None)
+    res = client.http_request("GET", url, params=kwargs)
+    iocs_list = res.get('objects', None)
     if not iocs_list:
         return 'No indicators found from ThreatStream'
 
     iocs_context = parse_indicators_list(iocs_list)
     # handle the issue that the API does not return more than 1000 indicators.
     if limit > 1000:
-        while len(iocs_context) < limit:
-            offset += len(iocs_list)
-            kwargs['limit'] = limit
-            kwargs['offset'] = offset
-            iocs_list = client.http_request("GET", url, params=kwargs).get('objects', None)
+        next_page = res.get('meta', {}).get('next', None)
+        while len(iocs_context) < limit and next_page:
+            next_page = next_page.replace('api/', '')
+            res = client.http_request("GET", next_page)
+            iocs_list = res.get('objects', None)
+            next_page = res.get('meta', {}).get('next', None)
             if iocs_list:
                 iocs_context.extend(parse_indicators_list(iocs_list))
             else:

diff --git a/Packs/Anomali_ThreatStream/Integrations/AnomaliThreatStreamv3/AnomaliThreatStreamv3.yml b/Packs/Anomali_ThreatStream/Integrations/AnomaliThreatStreamv3/AnomaliThreatStreamv3.yml
@@ -6431,7 +6431,7 @@ script:
       isArray: true
     description: Remove tags from the indicators.
     name: threatstream-remove-indicator-tag
-  dockerimage: demisto/py3-tools:1.0.0.82341
+  dockerimage: demisto/py3-tools:1.0.0.82746
   runonce: false
   script: '-'
   subtype: python3

diff --git a/Packs/Anomali_ThreatStream/Integrations/AnomaliThreatStreamv3/AnomaliThreatStreamv3_test.py b/Packs/Anomali_ThreatStream/Integrations/AnomaliThreatStreamv3/AnomaliThreatStreamv3_test.py
@@ -705,7 +705,7 @@ def test_get_commands__no_result(self, mocker, command, command_args, expected_o
             ('threatstream-get-indicators-by-model', {'model': 'Actor', 'id': 1}, {'limit': 20}),
             ('threatstream-get-indicators-by-model', {'model': 'Actor', 'id': 1, 'page': 2, 'page_size': 2},
              {'limit': 2, 'offset': 2}),
-            ('threatstream-get-indicators', {}, {'limit': 20, 'offset': 0}),
+            ('threatstream-get-indicators', {}, {'limit': 20}),
             ('threatstream-get-indicators', {'page': 2, 'page_size': 2}, {'limit': 2, 'offset': 2}),
             ('threatstream-list-user', {'page': 2, 'page_size': 3}, {'limit': 3, 'offset': 3}),
             ('threatstream-list-user', {}, {'limit': 50}),
@@ -1060,13 +1060,13 @@ def test_pagination(mocker):
             verify that the requested amount is returned.
         """
         mocker.patch.object(Client, 'http_request', side_effect=[
-            {'objects': INDICATOR * 1000},
-            {'objects': INDICATOR * 1000},
-            {'objects': INDICATOR * 1000},
-            {'objects': INDICATOR * 1000},
-            {'objects': INDICATOR * 1000},
-            {'objects': INDICATOR * 1000},
-            {'objects': INDICATOR * 1000},
+            {'objects': INDICATOR * 1000, 'meta': {'next': '/api/v2/intelligence/?&search_after=1693750222045%2C455231625'}},
+            {'objects': INDICATOR * 1000, 'meta': {'next': '/api/v2/intelligence/?&search_after=1693750222045%2C455231625'}},
+            {'objects': INDICATOR * 1000, 'meta': {'next': '/api/v2/intelligence/?&search_after=1693750222045%2C455231625'}},
+            {'objects': INDICATOR * 1000, 'meta': {'next': '/api/v2/intelligence/?&search_after=1693750222045%2C455231625'}},
+            {'objects': INDICATOR * 1000, 'meta': {'next': '/api/v2/intelligence/?&search_after=1693750222045%2C455231625'}},
+            {'objects': INDICATOR * 1000, 'meta': {'next': '/api/v2/intelligence/?&search_after=1693750222045%2C455231625'}},
+            {'objects': INDICATOR * 1000, 'meta': {'next': None}},
         ])
         client = Client(
             base_url='',

diff --git a/Packs/Anomali_ThreatStream/ReleaseNotes/2_2_9.md b/Packs/Anomali_ThreatStream/ReleaseNotes/2_2_9.md
@@ -0,0 +1,4 @@
+#### Integrations
+##### Anomali ThreatStream v3
+- Fixed an issue where the ***threatstream-get-indicators*** command would not fetch all the indicators.
+- Updated the Docker image to: *demisto/py3-tools:1.0.0.82746*.
diff --git a/Packs/Anomali_ThreatStream/pack_metadata.json b/Packs/Anomali_ThreatStream/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Anomali ThreatStream",
     "description": "Use Anomali ThreatStream to query and submit threats.",
     "support": "xsoar",
-    "currentVersion": "2.2.8",
+    "currentVersion": "2.2.9",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",