[bug] - threatconnect feed missing indicator type parser

Packs/FeedThreatConnect/Integrations/FeedThreatConnect/FeedThreatConnect.py

@@ -7,7 +7,6 @@
 from contextlib import contextmanager
 from enum import Enum
 from math import ceil
-from typing import Tuple
 
 # Local packages
 from CommonServerPython import *  # noqa: E402 lgtm [py/polluting-import]
@@ -29,7 +28,7 @@
 INTEGRATION_NAME = 'ThreatConnect Feed'
 INTEGRATION_COMMAND_NAME = 'tc'
 INTEGRATION_CONTEXT_NAME = 'ThreatConnect'
-COMMAND_OUTPUT = Tuple[str, Union[Dict[str, Any], List[Any]], Union[Dict[str, Any], List[Any]]]
+COMMAND_OUTPUT = tuple[str, Union[Dict[str, Any], List[Any]], Union[Dict[str, Any], List[Any]]]
 INDICATOR_MAPPING_NAMES = {
     'Address': FeedIndicatorType.IP,
     'CIDR': FeedIndicatorType.CIDR,
@@ -149,7 +148,6 @@
                    'URL',
                    'ASN',
                    'CIDR',
-                   'Email Subject',
                    'Hashtag',
                    'Mutex',
                    'Registry Key',
@@ -203,7 +201,7 @@ def create_types_query(params: dict, endpoint: str) -> str:
         raise DemistoException('No indicator type or group type were chosen, please choose at least one.')
     if endpoint == 'indicators':
         if 'All' in indicator_types:
-            return ''
+            types.extend(INDICATOR_TYPES)
         else:
             types.extend(indicator_types)
     else:
@@ -236,7 +234,7 @@ def calculate_dbot_score(threat_assess_score: Optional[Union[int, str]] = None)
 
 
 def parse_indicator(indicator: Dict[str, str]) -> Dict[str, Any]:
-    """ Parsing indicator by indicators demisto convension.
+    """ Parsing indicator by indicators demisto convention.
     Args:
         indicator: Indicator as raw response.
     Returns:
@@ -261,7 +259,8 @@ def parse_indicator(indicator: Dict[str, str]) -> Dict[str, Any]:
 def create_indicator_fields(indicator, indicator_type):
     """Creating an indicator fields from a raw indicator"""
     params = demisto.params()
-    indicator_fields_mapping = TC_INDICATOR_TO_XSOAR_INDICATOR[indicator_type]
+    indicator_fields_mapping = TC_INDICATOR_TO_XSOAR_INDICATOR.get(indicator_type, {})
+
     fields: dict = {}
 
     for indicator_key, xsoar_indicator_key in indicator_fields_mapping.items():
@@ -415,7 +414,7 @@ def module_test_command(client: Client, args):  # pragma: no cover # noqa
             return_error(str(e))
 
 
-def fetch_indicators_command(client: Client, params: dict, last_run: dict) -> Tuple[
+def fetch_indicators_command(client: Client, params: dict, last_run: dict) -> tuple[
     List[Dict[str, Any]], List[Dict[str, Any]]]:  # noqa  # pragma: no cover
     """ Fetch indicators from ThreatConnect
 
@@ -581,8 +580,12 @@ def get_indicators_command(client: Client, args: dict) -> dict:  # type: ignore
 
         types = argToList(args.get("indicator_type"))
         query = ''
-        if types and 'All' not in types:
-            query = 'AND typeName IN ("' + '","'.join(types) + '")'
+
+        if types:
+            if 'All' in types:
+                query = 'AND typeName IN ("' + '","'.join(INDICATOR_TYPES) + '")'
+            else:
+                query = 'AND typeName IN ("' + '","'.join(types) + '")'
 
         tql = active_only + confidence + threat_score + confidence + owners + query
         tql = tql.replace('AND ', '', 1)
@@ -604,6 +607,7 @@ def get_indicators_command(client: Client, args: dict) -> dict:  # type: ignore
                                                t=t, removeNull=True)  # type: ignore # noqa
 
         return readable_output, {}, list(response)  # type: ignore
+    return {}
 
 
 def get_owners_command(client: Client, args: dict) -> COMMAND_OUTPUT:  # pragma: no cover

Packs/FeedThreatConnect/Integrations/FeedThreatConnect/FeedThreatConnect.yml

@@ -99,7 +99,6 @@ configuration:
   - URL
   - ASN
   - CIDR
-  - EmailSubject
   - Hashtag
   - Mutex
   - Registry Key
@@ -237,7 +236,7 @@ script:
     name: tc-get-indicators
   - description: Gets available indicators owners.
     name: tc-get-owners
-  dockerimage: demisto/python3:3.10.13.84405
+  dockerimage: demisto/python3:3.10.13.87159
   feed: true
   runonce: false
   script: '-'

Packs/FeedThreatConnect/Integrations/FeedThreatConnect/FeedThreatConnect_test.py

@@ -6,7 +6,7 @@
 
 
 def load_json_file(path):
-    with open(path, 'r') as _json_file:
+    with open(path) as _json_file:
         return json.load(_json_file)
 
 
@@ -38,7 +38,8 @@ def test_create_or_query():
 
 @pytest.mark.parametrize("params, expected_result, endpoint",
                          [({'indicator_active': False, "indicator_type": ['All'],
-                           'createRelationships': False, "confidence": 0, "threat_assess_score": 0}, '', 'indicators'),
+                           'createRelationships': False, "confidence": 0, "threat_assess_score": 0},
+                           'typeName IN ("EmailAddress","File","Host","URL","ASN","CIDR","Hashtag","Mutex","Registry Key","User Agent","Address")', 'indicators'),  # noqa: E501
                           ({'indicator_active': True, "group_type": ['File'],
                            'createRelationships': False, "confidence": 0, "threat_assess_score": 0},
                            'typeName IN ("File")', 'groups'),

Packs/FeedThreatConnect/ReleaseNotes/2_1_20.json

@@ -0,0 +1,4 @@
+{
+    "breakingChanges": true,
+    "breakingChangesNotes": "The *EmailSubject* option was removed from the *Indicator Types* feed parameter."
+}

Packs/FeedThreatConnect/ReleaseNotes/2_1_20.md

@@ -0,0 +1,6 @@
+
+#### Integrations
+
+##### ThreatConnect Feed
+- Updated the Docker image to: *demisto/python3:3.10.13.87159*.
+- Fixed an issue where selecting indicators of type *EmailSubject* to pull caused an error. This type is no longer supported.

Packs/FeedThreatConnect/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "ThreatConnect Feed",
     "description": "ThreatConnect indicators feed for Cortex XSOAR TIM.",
     "support": "xsoar",
-    "currentVersion": "2.1.19",
+    "currentVersion": "2.1.20",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",