Fix: domain/url enrichment KeyError on case-mismatched indicator values #44332

Merged: dantavori merged 31 commits into master from enrichment-bug-fix-XSUP-69120 on May 26, 2026

Conversation

@almog2296 (Contributor) commented May 18, 2026

Related Issues

fixes: XSUP-69120

Description

Aggregated enrichment commands, such as !domain-enrichment and !url-enrichment, raised a KeyError when the input casing did not match the casing of the indicator stored in TIM.

For example, an indicator created as Test1.com could later be queried as test1.com or tesT1.com. TIM returns the existing indicator using its original casing, but the aggregation logic tried to map it back using the exact input casing, causing the lookup to fail.

Root Cause

The input-to-indicator mapping in AggregatedCommandApiModule was case-sensitive and supported only a single value per normalized key.

Fix

Updated the mapping to be case-insensitive and multi-valued:

`dict[str, list[IndicatorInstance]]`

This ensures all case variants of the same indicator receive the correct TIM enrichment result.

Additional fixes in this PR:

  • Removed the IPEnrichment TPB dependency on CrowdStrike Falcon.
  • Replaced AlienVault v2 in the IPEnrichment TPB with Palo Alto Networks Threat Vault v2 due to frequent rate-limit issues.
  • Replaced AlienVault v2 in the DomainEnrichment TPB with CrowdStrike Falcon Intel v2 due to frequent rate-limit issues.

@almog2296 almog2296 requested a review from JudahSchwartz as a code owner May 18, 2026 08:57
@github-actions (bot) commented May 18, 2026

Coverage Report

| File | Stmts | Miss | Cover | Missing |
|---|---|---|---|---|
| Packs/AggregatedScripts/Scripts/CVEEnrichment/CVEEnrichment.py | 14 | 0 | 100% | |
| Packs/AggregatedScripts/Scripts/DomainEnrichment/DomainEnrichment.py | 28 | 0 | 100% | |
| Packs/AggregatedScripts/Scripts/FileEnrichment/FileEnrichment.py | 22 | 0 | 100% | |
| Packs/AggregatedScripts/Scripts/IPEnrichment/IPEnrichment.py | 44 | 12 | 72% | 136–143, 145–148 |
| Packs/AggregatedScripts/Scripts/IndicatorEnrichment/IndicatorEnrichment.py | 243 | 6 | 97% | 217, 221, 254, 394, 542–543 |
| Packs/AggregatedScripts/Scripts/URLEnrichment/URLEnrichment.py | 22 | 0 | 100% | |
| Packs/ApiModules/Scripts/AggregatedCommandApiModule/AggregatedCommandApiModule.py | 741 | 115 | 84% | 150–153, 311–314, 316–317, 355–359, 362–363, 366–367, 391–394, 398–401, 404–405, 437–445, 622, 722, 769–770, 884–887, 889–892, 895–898, 901–902, 904, 906–908, 910–914, 916–917, 946, 951, 1130–1131, 1196–1198, 1200–1207, 1209, 1211–1214, 1216, 1218, 1321–1323, 1326, 1328–1331, 1334–1340, 1342, 1349, 1386–1387, 1407, 1522, 1536, 1765, 1805, 1925, 1927 |
| TOTAL | 1114 | 133 | 88% | |

| Tests | Skipped | Failures | Errors | Time |
|---|---|---|---|---|
| 163 | 0 💤 | 0 ❌ | 0 🔥 | 4.913s ⏱️ |

@almog2296 almog2296 added ready-for-pipeline-running Whether the pr is ready for running the whole pipeline, including testing on SAAS machines ready-for-ai-review The PR is ready for reviewing the PR with the AI Reviewer. labels May 18, 2026
@marketplace-ai-reviewer marketplace-ai-reviewer removed the ready-for-ai-review The PR is ready for reviewing the PR with the AI Reviewer. label May 18, 2026

@marketplace-ai-reviewer (Contributor) left a comment

Hi! Thanks for your contribution. I've reviewed the changes and have a few minor adjustments regarding metadata and release notes.

Please ensure the keywords lists in the pack metadata files include a vendor name (e.g., 'Cortex' or 'XSOAR'), and add a mandatory category to the ApiModules pack. Also, since there are no functional changes in AggregatedScripts, the release notes should be simplified to the standard metadata template.

Thanks again for your work on this!

Additionally, please address the following file-level notes:

  • Packs/AggregatedScripts/pack_metadata.json: The keywords list is empty. Please add the vendor name (e.g., 'Cortex' or 'XSOAR') to the keywords list.
  • Packs/ApiModules/pack_metadata.json:
      • The categories list is empty. Please ensure this mandatory key is populated with at least one category.
      • The keywords list is empty. Please add the vendor name (e.g., 'Cortex' or 'XSOAR') to the keywords list.
  • Packs/AggregatedScripts/ReleaseNotes/1_3_40.md: Since there are no functional code changes in the AggregatedScripts pack (only a version bump), the release notes should be at the pack level and use the standard metadata template. Please replace the entire contents of this file with the following:

    ## Aggregated Scripts
    - Documentation and metadata improvements.

@JudahSchwartz, @almog2296 please review and approve the results generated by the AI Reviewer by responding 👍 on this comment.

@content-bot (Contributor)
This PR was automatically updated by a GitHub Action

  • AggregatedScripts pack version was bumped to 1.3.41.

To stop automatic version bumps, add the ignore-auto-bump-version label to the github PR.

@content-bot (Contributor)
This PR was automatically updated by a GitHub Action

  • ApiModules pack version was bumped to 2.4.18.

To stop automatic version bumps, add the ignore-auto-bump-version label to the github PR.

@almog2296 almog2296 requested a review from merit-maita as a code owner May 19, 2026 08:13
@content-bot (Contributor)
This PR was automatically updated by a GitHub Action

  • ApiModules pack version was bumped to 2.4.20.

To stop automatic version bumps, add the ignore-auto-bump-version label to the github PR.

@Shellyber (Contributor) left a comment

Great work.

@almog2296 almog2296 added the ForceMerge Forcing the merge of the PR despite the build status label May 20, 2026
@almog2296 (Contributor, Author)
Requesting Force Merge for this PR.

Only the IPEnrichment TPB is failing. The failure is caused by a known issue in our build tenants, where an IP address can sometimes be extracted by !extractIndicators as both Domain and IP. This causes the ip-enrichment script to treat the input as invalid.

The PR itself changes only a small part of the module. All other TPBs are passing successfully, and the updated command was tested manually on a working tenant (the TPB also passed successfully).

This PR also updates the IPEnrichment TPB to replace the usage of CrowdStrike Falcon, so future CrowdStrike-related PRs will not fail on this TPB unnecessarily.

@content-bot (Contributor)
This PR was automatically updated by a GitHub Action

  • ApiModules pack version was bumped to 2.4.21.

To stop automatic version bumps, add the ignore-auto-bump-version label to the github PR.

@content-bot (Contributor)
Validate summary
The following errors were reported as warnings: MC101.
The following errors were thrown as a part of this pr: .
If the AG100 validation in the pre-commit GitHub Action fails, the pull request cannot be force-merged.

Verdict: PR can be force merged from validate perspective? ✅

@content-bot (Contributor)
🔍 AI Triage Report Available

An automated triage report has been generated for this pipeline.

Status: failed
Report ID: b6207b25e337782c

📋 Triage Report
💡 Resolutions are available in the full report.

⚠️ AI-generated triage. Validate before acting.

@dantavori dantavori merged commit 9dd6a8d into master May 26, 2026
22 of 23 checks passed
@dantavori dantavori deleted the enrichment-bug-fix-XSUP-69120 branch May 26, 2026 14:05
eepstain pushed a commit that referenced this pull request May 26, 2026
…es (#44332)

* fixes

* fixes

* fixes

* Bump pack from version AggregatedScripts to 1.3.41.

* fixes

* fixes

* Bump pack from version ApiModules to 2.4.18.

* fixes

* fixes

* Bump pack from version AggregatedScripts to 1.3.42.

* fixes

* Bump pack from version ApiModules to 2.4.19.

* Bump pack from version ApiModules to 2.4.20.

* fixes

* Trigger GitHub pipeline (user-created PR)

* Trigger GitHub pipeline (user-created PR)

* Trigger GitHub pipeline (user-created PR)

* Bump pack from version ApiModules to 2.4.21.

* Trigger GitHub pipeline (user-created PR)

---------

Co-authored-by: Content Bot <bot@demisto.com>
Co-authored-by: CI Bot <ci@demisto.com>
nbensalm-palo pushed a commit that referenced this pull request Jun 1, 2026
Labels

docs-approved ForceMerge Forcing the merge of the PR despite the build status ready-for-pipeline-running Whether the pr is ready for running the whole pipeline, including testing on SAAS machines
