Cyberint/add premium ioc feed, rename existing integrations#44052
Conversation
* add premium ioc feed
* add premium ioc feed
* add premium ioc feed rn
* add premium ioc enrichment
* add premium ioc enrichment
* add premium ioc enrichment
* update integration names
* add breaking changes information
* minor fixes
* minor updates
* Update Packs/Cyberint/ReleaseNotes/1_4_0.md
  Co-authored-by: Marketplace AI reviewer <svc-mp-ai-reviewer@paloaltonetworks.com>
* Update Packs/Cyberint/ReleaseNotes/1_4_0.md
  Co-authored-by: Marketplace AI reviewer <svc-mp-ai-reviewer@paloaltonetworks.com>
* Update Packs/Cyberint/ReleaseNotes/1_4_0.md
  Co-authored-by: Marketplace AI reviewer <svc-mp-ai-reviewer@paloaltonetworks.com>
* Update Packs/Cyberint/ReleaseNotes/1_4_0.md
  Co-authored-by: Marketplace AI reviewer <svc-mp-ai-reviewer@paloaltonetworks.com>
* review updates
* review updates 2
---------
Co-authored-by: Marketplace AI reviewer <svc-mp-ai-reviewer@paloaltonetworks.com>
@MosheEichler Hi, there's an issue in your internal pipeline - could you take a look when you get a chance?

@MosheEichler Hi, could you share the error msg?

This is the list of the errors; I'll take care of it.

@MosheEichler Hi, thanks! Please let me know if I can help you.

@MosheEichler Hi! Is there anything I can help you with?

@MosheEichler @Benimanela Hi, please help us to merge this PR 🙏

Validate summary Verdict: PR can be force merged from validate perspective? ✅
Original External PR
external pull request
Contributor
@klevitskiy
Contributing to Cortex XSOAR Content
Make sure to register your contribution by filling the contribution registration form
The Pull Request will be reviewed only after the contribution registration form is filled.
Status
Related Issues
Description
Adds a new Cyberint Premium Feed integration that connects to the Premium IOC Feed and Enrichment APIs. The feed integration fetches indicators incrementally, page by page. It includes three commands:
the cyberint-premium-get-indicators command for manual indicator retrieval with rich server-side filtering/sorting, and the cyberint-premium-enrich command for single-IOC enrichment across all 6 supported types (ipv4, domain, url, sha256, sha1, md5) with type-specific enrichment data (geo/ASN, WHOIS, file info).
The 'Cyberint Alerts' integration display name has been renamed to 'Check Point EM Alerts'.
The 'Cyberint Feed' integration display name has been renamed to 'Check Point EM Feed'.
The 'Cyberint Takedowns' integration display name has been renamed to 'Check Point EM Takedowns'.
If you have any playbooks, scripts, or automations that reference the old integration names, please update them accordingly.
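The description above says the feed pulls indicators incrementally, page by page, and that enrichment covers six IOC types. The following is an added illustration of that pattern and is not code from the Cyberint pack or from this PR: the page/cursor API shape (fetch_page, has_more, next_page), the sample records and the last-run dictionary are all constructed assumptions. It goes slightly beyond the description by deriving each indicator's type from its value and dropping records whose declared type contradicts it, which is the check a feed consumer wants before ingesting third-party IOCs into the indicator store.

```python
"""
Added example, not part of the Cyberint pack or this PR: an incremental,
page-by-page indicator fetch that persists a cursor across runs, plus
classification of the six IOC types named in the description
(ipv4, domain, url, sha256, sha1, md5). The feed API, its response shape
and every indicator value below are constructed for the example.
"""
import ipaddress
import re
from typing import Optional

# Constructed sample feed: three pages of IOC records. The third record on
# page 0 is deliberately mislabeled so the consistency check has something
# to reject. A real feed would be fetched over HTTPS.
SAMPLE_FEED = [
    [{"value": "198.51.100.7", "type": "ipv4"},
     {"value": "example.com", "type": "domain"},
     {"value": "not a domain!", "type": "domain"}],
    [{"value": "http://example.com/path?x=1", "type": "url"},
     {"value": "d41d8cd98f00b204e9800998ecf8427e", "type": "md5"}],
    [{"value": "da39a3ee5e6b4b0d3255bfef95601890afd80709", "type": "sha1"},
     {"value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
      "type": "sha256"}],
]


def fetch_page(page: int) -> dict:
    """Stand-in for the feed API call (assumed shape): one page of items and
    a flag saying whether another page follows."""
    if page < 0 or page >= len(SAMPLE_FEED):
        return {"items": [], "has_more": False}
    return {"items": SAMPLE_FEED[page], "has_more": page + 1 < len(SAMPLE_FEED)}


HEX_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
URL_RE = re.compile(r"^https?://\S+$", re.I)


def classify(value: str) -> Optional[str]:
    """Derive the IOC type from the value itself. Returns None for anything
    outside the six supported types (including IPv6 and free text)."""
    v = value.strip()
    try:
        return "ipv4" if ipaddress.ip_address(v).version == 4 else None
    except ValueError:
        pass
    if URL_RE.match(v):
        return "url"
    if DOMAIN_RE.match(v):
        return "domain"
    if re.fullmatch(r"[0-9a-f]+", v, re.I):
        for name, length in HEX_LENGTHS.items():
            if len(v) == length:
                return name
    return None


def fetch_indicators(last_run: dict, max_pages: int) -> tuple:
    """Resume from the page recorded in last_run, fetch at most max_pages,
    and return (indicators, new_last_run). A record whose value does not
    match its declared type is dropped instead of being ingested."""
    page = int(last_run.get("next_page", 0))
    indicators = []
    for _ in range(max_pages):
        resp = fetch_page(page)
        for rec in resp["items"]:
            derived = classify(rec["value"])
            if derived != rec["type"]:
                continue  # declared type disagrees with the value: skip it
            indicators.append({"value": rec["value"], "type": derived, "rawJSON": rec})
        page += 1
        if not resp["has_more"]:
            return indicators, {"next_page": page, "complete": True}
    # Page budget exhausted with more pages pending: persist the cursor so
    # the next run continues where this one stopped.
    return indicators, {"next_page": page, "complete": False}


if __name__ == "__main__":
    state: dict = {}
    while True:
        batch, state = fetch_indicators(state, max_pages=2)
        print(f"fetched {len(batch)} indicators, cursor={state}")
        if state["complete"]:
            break
```

Run it with no arguments to see two runs: the first stops after two pages and stores next_page=2, the second resumes there and finishes. The mislabeled "not a domain!" record never reaches the indicator list.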
Must have
C6xpAXk.mp4
fixes: https://jira-dc.paloaltonetworks.com/browse/CIAC-16616