[bug] - threatconnect feed missing indicator type parser #32993

merged 8 commits into from Feb 21, 2024
Expand Up @@ -7,7 +7,6 @@
from contextlib import contextmanager
from enum import Enum
from math import ceil
from typing import Tuple

# Local packages
from CommonServerPython import * # noqa: E402 lgtm [py/polluting-import]
Expand All @@ -29,7 +28,7 @@
INTEGRATION_NAME = 'ThreatConnect Feed'
INTEGRATION_COMMAND_NAME = 'tc'
INTEGRATION_CONTEXT_NAME = 'ThreatConnect'
COMMAND_OUTPUT = Tuple[str, Union[Dict[str, Any], List[Any]], Union[Dict[str, Any], List[Any]]]
COMMAND_OUTPUT = tuple[str, Union[Dict[str, Any], List[Any]], Union[Dict[str, Any], List[Any]]]
INDICATOR_MAPPING_NAMES = {
'Address': FeedIndicatorType.IP,
'CIDR': FeedIndicatorType.CIDR,
Expand Down Expand Up @@ -149,7 +148,6 @@
'URL',
'ASN',
'CIDR',
'Email Subject',
'Hashtag',
'Mutex',
'Registry Key',
Expand Down Expand Up @@ -203,7 +201,7 @@ def create_types_query(params: dict, endpoint: str) -> str:
raise DemistoException('No indicator type or group type were chosen, please choose at least one.')
if endpoint == 'indicators':
if 'All' in indicator_types:
return ''
types.extend(INDICATOR_TYPES)
else:
types.extend(indicator_types)
else:
Expand Down Expand Up @@ -236,7 +234,7 @@ def calculate_dbot_score(threat_assess_score: Optional[Union[int, str]] = None)


def parse_indicator(indicator: Dict[str, str]) -> Dict[str, Any]:
""" Parsing indicator by indicators demisto convension.
""" Parsing indicator by indicators demisto convention.
Args:
indicator: Indicator as raw response.
Returns:
Expand All @@ -261,7 +259,8 @@ def parse_indicator(indicator: Dict[str, str]) -> Dict[str, Any]:
def create_indicator_fields(indicator, indicator_type):
"""Creating an indicator fields from a raw indicator"""
params = demisto.params()
indicator_fields_mapping = TC_INDICATOR_TO_XSOAR_INDICATOR[indicator_type]
indicator_fields_mapping = TC_INDICATOR_TO_XSOAR_INDICATOR.get(indicator_type, {})

fields: dict = {}

for indicator_key, xsoar_indicator_key in indicator_fields_mapping.items():
Expand Down Expand Up @@ -415,7 +414,7 @@ def module_test_command(client: Client, args): # pragma: no cover # noqa
return_error(str(e))


def fetch_indicators_command(client: Client, params: dict, last_run: dict) -> Tuple[
def fetch_indicators_command(client: Client, params: dict, last_run: dict) -> tuple[
List[Dict[str, Any]], List[Dict[str, Any]]]: # noqa # pragma: no cover
""" Fetch indicators from ThreatConnect

Expand Down Expand Up @@ -557,7 +556,7 @@ def get_updated_last_run(indicators: list, groups: list, previous_run: dict) ->
return next_run


def get_indicators_command(client: Client, args: dict) -> dict: # type: ignore # pragma: no cover
def get_indicators_command(client: Client, args: dict) -> tuple(str, dict, list): # type: ignore # pragma: no cover
""" Get indicator from ThreatConnect, Able to change limit and offset by command arguments.
Args:
client: ThreatConnect client.
Expand All @@ -581,8 +580,12 @@ def get_indicators_command(client: Client, args: dict) -> dict: # type: ignore

types = argToList(args.get("indicator_type"))
query = ''
if types and 'All' not in types:
query = 'AND typeName IN ("' + '","'.join(types) + '")'

if types:
if 'All' in types:
query = 'AND typeName IN ("' + '","'.join(INDICATOR_TYPES) + '")'
else:
query = 'AND typeName IN ("' + '","'.join(types) + '")'

tql = active_only + confidence + threat_score + confidence + owners + query
tql = tql.replace('AND ', '', 1)
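Review bot: The return annotation on the new `get_indicators_command` signature, `-> tuple(str, dict, list)`, is a call expression rather than a subscript, and annotations are evaluated when the `def` executes unless the module opts into `from __future__ import annotations` (its first lines are outside this view), so `tuple()` with three arguments would raise `TypeError` at import time; the `# type: ignore` silences the checker but not the interpreter. The file already defines `COMMAND_OUTPUT = tuple[str, ...]` for exactly this shape, so `def get_indicators_command(client: Client, args: dict) -> COMMAND_OUTPUT:  # pragma: no cover` is the simplest fix, or `tuple[str, dict, list]` if the narrower types are intended. Separately, `TC_INDICATOR_TO_XSOAR_INDICATOR.get(indicator_type, {})` in `create_indicator_fields` now turns an unmapped type into an indicator with no custom fields instead of a `KeyError`; a `demisto.debug(...)` on the miss would make that fallback visible when it happens. The body of `get_indicators_command` continues outside the hunk.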
Expand Up @@ -99,7 +99,6 @@ configuration:
- URL
- ASN
- CIDR
- EmailSubject
- Hashtag
- Mutex
- Registry Key
Expand Down Expand Up @@ -237,7 +236,7 @@ script:
name: tc-get-indicators
- description: Gets available indicators owners.
name: tc-get-owners
dockerimage: demisto/python3:3.10.13.84405
dockerimage: demisto/python3:3.10.13.87159
feed: true
runonce: false
script: '-'
Expand Up @@ -6,7 +6,7 @@


def load_json_file(path):
with open(path, 'r') as _json_file:
with open(path) as _json_file:
return json.load(_json_file)


Expand Down Expand Up @@ -38,7 +38,8 @@ def test_create_or_query():

@pytest.mark.parametrize("params, expected_result, endpoint",
[({'indicator_active': False, "indicator_type": ['All'],
'createRelationships': False, "confidence": 0, "threat_assess_score": 0}, '', 'indicators'),
'createRelationships': False, "confidence": 0, "threat_assess_score": 0},
'typeName IN ("EmailAddress","File","Host","URL","ASN","CIDR","Hashtag","Mutex","Registry Key","User Agent","Address")', 'indicators'), # noqa: E501
({'indicator_active': True, "group_type": ['File'],
'createRelationships': False, "confidence": 0, "threat_assess_score": 0},
'typeName IN ("File")', 'groups'),
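Review bot: The new expected string for the `'All'` case in this parametrization spells out every entry of `INDICATOR_TYPES` in order, so any later edit to that constant (as this PR itself makes by dropping `Email Subject`) breaks the test for a reason unrelated to the query-building logic. If pinning the exact list is the intent, a one-line comment saying so would make that deliberate; otherwise, provided the constant is importable in the test module, `'typeName IN ("' + '","'.join(INDICATOR_TYPES) + '")'` keeps the expectation in step with the source. The parametrize decorator and the test it decorates extend beyond the hunk.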
4 changes: 4 additions & 0 deletions Packs/FeedThreatConnect/ReleaseNotes/2_1_20.json
@@ -0,0 +1,4 @@
{
"breakingChanges": true,
"breakingChangesNotes": "The option for 'EmailSubject' for indicator type configuration was removed."
}
6 changes: 6 additions & 0 deletions Packs/FeedThreatConnect/ReleaseNotes/2_1_20.md
@@ -0,0 +1,6 @@

#### Integrations

##### ThreatConnect Feed
- Updated the Docker image to: *demisto/python3:3.10.13.87159*.
- Fixed an issue where fetching indicator from certain type caused an error.
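--- a/Packs/FeedThreatConnect/pack_metadata.json
+++ b/Packs/FeedThreatConnect/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "ThreatConnect Feed",
 "description": "ThreatConnect indicators feed for Cortex XSOAR TIM.",
 "support": "xsoar",
-"currentVersion": "2.1.19",
+"currentVersion": "2.1.20",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",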