diff --git a/Packs/ReversingLabs_A1000/.secrets-ignore b/Packs/ReversingLabs_A1000/.secrets-ignore
index c32771029b61..c7c27fb843ff 100644
--- a/Packs/ReversingLabs_A1000/.secrets-ignore
+++ b/Packs/ReversingLabs_A1000/.secrets-ignore
@@ -76,3 +76,4 @@ http://nsis.sf.net
 32::C
 123.140.161.243
 https://worldofcreatures.at
+5.0.0.24
\ No newline at end of file
diff --git a/Packs/ReversingLabs_A1000/Integrations/ReversingLabsA1000v2/ReversingLabsA1000v2.py b/Packs/ReversingLabs_A1000/Integrations/ReversingLabsA1000v2/ReversingLabsA1000v2.py
index 740e156841bf..55c889b2647d 100644
--- a/Packs/ReversingLabs_A1000/Integrations/ReversingLabsA1000v2/ReversingLabsA1000v2.py
+++ b/Packs/ReversingLabs_A1000/Integrations/ReversingLabsA1000v2/ReversingLabsA1000v2.py
@@ -880,11 +880,11 @@ def user_tags_command(a1000: A1000):
 resp = a1000.delete_user_tags(sample_hash=sample_hash, tags=tags_list)
 else:
- return_error("This action is not supported.")
+ raise Exception("This action is not supported.")
 except Exception as e:
 if hasattr(e, "response_object"):
- return_error(e.response_object.content)
+ raise Exception(e.response_object.content)
 else:
 raise
@@ -915,7 +915,7 @@ def file_analysis_status_command(a1000: A1000):
 except Exception as e:
 if hasattr(e, "response_object"):
- return_error(e.response_object.content)
+ raise Exception(e.response_object.content)
 else:
 raise
@@ -957,11 +957,11 @@ def pdf_report_command(a1000: A1000):
 resp = a1000.download_pdf_report(sample_hash=sample_hash)
 else:
- return_error("This action is not supported.")
+ raise Exception("This action is not supported.")
 except Exception as e:
 if hasattr(e, "response_object"):
- return_error(e.response_object.content)
+ raise Exception(e.response_object.content)
 else:
 raise
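Review bot: `raise Exception(e.response_object.content)` in the `except Exception as e:` branch of user_tags_command (repeated at @@ -915 and @@ -957 here, and in the matching hunks of static_analysis_report_command, dynamic_analysis_report_command, sample_classification_command and list_containers_command) discards the causing exception and, if `response_object` is a `requests` response, puts a `bytes` body into the message. Chain it and decode, `raise Exception(e.response_object.content.decode(errors="replace")) from e`, so the traceback keeps the SDK error and the war-room text is not a `b'...'` repr; `DemistoException` would also fit better than bare `Exception` if it is in scope, which the hunk does not show. The new `raise Exception("This action is not supported.")` in the `else:` branch sits inside the same `try`, so it is first caught and then re-raised through the `else: raise` path — correct, but a short comment there, `# not an SDK error: falls through to the bare raise below`, saves the next reader the trace. The enclosing functions begin before these hunks.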
@@ -978,7 +978,8 @@ def pdf_report_output(resp, action, sample_hash):
 file_result = None
 if action == "CREATE REPORT":
- markdown = markdown + f"""**Status endpoint**: {resp.get("status_endpoint")}\n **Download endpoint**: {resp.get("download_endpoint")}"""
+ markdown = (markdown + f"""**Status endpoint**: {resp.get("status_endpoint")}\n"""
+ + f"""**Download endpoint**: {resp.get("download_endpoint")}""")
 context = resp
 elif action == "CHECK STATUS":
@@ -1007,7 +1008,7 @@ def static_analysis_report_command(a1000: A1000):
 except Exception as e:
 if hasattr(e, "response_object"):
- return_error(e.response_object.content)
+ raise Exception(e.response_object.content)
 else:
 raise
@@ -1020,7 +1021,9 @@ def static_analysis_report_output(resp_json, sample_hash):
 indicators_table = tableToMarkdown("Indicators", resp_json.get("indicators"))
 tags_table = tableToMarkdown("Tags", resp_json.get("tags"))
- markdown = f"""## ReversingLabs A1000 static analysis report for {sample_hash}\n **Classification**: {classification_obj.get("classification")}
+ markdown = f"## ReversingLabs A1000 static analysis report for {sample_hash}\n"
+
+ fields = f"""**Classification**: {classification_obj.get("classification")}
 **Factor**: {classification_obj.get("factor")}
 **Result**: {classification_obj.get("result")}
 **SHA-1**: {resp_json.get("sha1")}
@@ -1030,6 +1033,8 @@ def static_analysis_report_output(resp_json, sample_hash):
 **Story**: {resp_json.get("story")}\n {indicators_table}
 {tags_table}
 """
+ markdown = markdown + fields
+
 dbot_score = Common.DBotScore(
 indicator=sample_hash,
 indicator_type=DBotScoreType.FILE,
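Review bot: The line wrap at @@ -978 is not behaviour-neutral: the old f-string emitted `\n **Download endpoint**` with a leading space, the new pair emits `\n**Download endpoint**`, and the same happens to `**Classification**` at @@ -1020 and in the dynamic_analysis_report_output hunk at @@ -1098. Harmless in Markdown, but either keep the space or state in the commit that the spacing was normalised, so the diff reads as the pure reformat it looks like. At @@ -1020/-1030 the `fields` temporary and the later `markdown = markdown + fields` can be folded into the first assignment with adjacent-literal concatenation, `markdown = (f"## ReversingLabs A1000 static analysis report for {sample_hash}\n"` followed directly by the existing `f"""**Classification**: ...` literal and a closing parenthesis, which removes two statements and the blank-line gap. pdf_report_output and static_analysis_report_output both start before and continue past their hunks.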
@@ -1072,11 +1077,11 @@ def dynamic_analysis_report_command(a1000: A1000):
 resp = a1000.download_dynamic_analysis_report(sample_hash=sample_hash, report_format=report_format)
 else:
- return_error("This action is not supported.")
+ raise Exception("This action is not supported.")
 except Exception as e:
 if hasattr(e, "response_object"):
- return_error(e.response_object.content)
+ raise Exception(e.response_object.content)
 else:
 raise
@@ -1098,7 +1103,8 @@ def dynamic_analysis_report_output(resp, action, sample_hash, report_format):
 file_result = None
 if action == "CREATE REPORT":
- markdown = markdown + f"""**Status endpoint**: {resp.get("status_endpoint")}\n **Download endpoint**: {resp.get("download_endpoint")}"""
+ markdown = (markdown + f"""**Status endpoint**: {resp.get("status_endpoint")}\n"""
+ + f"""**Download endpoint**: {resp.get("download_endpoint")}""")
 context = resp
 elif action == "CHECK STATUS":
@@ -1160,11 +1166,11 @@ def sample_classification_command(a1000: A1000):
 resp = a1000.delete_classification(sample_hash=sample_hash, system=system)
 else:
- return_error("This action is not supported.")
+ raise Exception("This action is not supported.")
 except Exception as e:
 if hasattr(e, "response_object"):
- return_error(e.response_object.content)
+ raise Exception(e.response_object.content)
 else:
 raise
@@ -1242,9 +1248,7 @@ def yara_command(a1000: A1000):
 action = demisto.getArg("action")
 ruleset_name = demisto.getArg("ruleset_name")
 ruleset_content = demisto.getArg("ruleset_content")
- publish = demisto.getArg("publish")
- if publish:
- publish = argToBoolean(publish)
+ publish = argToBoolean(demisto.args().get("publish", False))
 sync_time = demisto.getArg("sync_time")
 if action == "GET RULESETS":
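Review bot: `publish = argToBoolean(demisto.args().get("publish", False))` at @@ -1242 (and `retry` at @@ -1375 in upload_from_url_command) is stricter than the code it replaces: the old `if publish:` guard passed an empty or absent value through unchanged, while argToBoolean, as implemented in CommonServerPython, raises ValueError on a string that is neither true- nor false-like, so `publish=` with an empty value now fails with a generic message. It also switches accessor mid-function — every other argument in this hunk is read with `demisto.getArg`. `publish = argToBoolean(demisto.getArg("publish") or False)` keeps one accessor and maps absent or empty to False; if the stricter validation is intended, raise with a message that names the argument instead. yara_command starts before this hunk and continues past it.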
@@ -1275,7 +1279,7 @@ def yara_command(a1000: A1000):
 resp = a1000.update_yara_ruleset_synchronization_time(sync_time=sync_time)
 else:
- return_error("This action is not supported.")
+ raise Exception("This action is not supported.")
 results = yara_output(resp_json=resp.json(), action=action)
 return results
@@ -1313,7 +1317,7 @@ def yara_retro_command(a1000: A1000):
 resp = a1000.get_yara_cloud_retro_scan_status(ruleset_name=ruleset_name)
 else:
- return_error("This action is not supported.")
+ raise Exception("This action is not supported.")
 results = yara_retro_output(resp_json=resp.json(), action=action)
 return results
@@ -1338,15 +1342,15 @@ def list_containers_command(a1000: A1000):
 hash_list = sample_hashes.split(",")
 if not len(hash_list) > 0:
- return_error("Please enter at least one sample hash or check the formatting. "
- "The hashes should be comma-separated with no whitespaces")
+ raise Exception("Please enter at least one sample hash or check the formatting. "
+ "The hashes should be comma-separated with no whitespaces")
 try:
 resp = a1000.list_containers_for_hashes(sample_hashes=hash_list)
 except Exception as e:
 if hasattr(e, "response_object"):
- return_error(e.response_object.content)
+ raise Exception(e.response_object.content)
 else:
 raise
@@ -1375,9 +1379,7 @@ def upload_from_url_command(a1000: A1000):
 archive_password = demisto.getArg("archive_password")
 sandbox_platform = demisto.getArg("sandbox_platform")
 task_id = demisto.getArg("task_id")
- retry = demisto.getArg("retry")
- if retry:
- retry = argToBoolean(retry)
+ retry = argToBoolean(demisto.args().get("retry", False))
 if action == "UPLOAD":
 resp = a1000.upload_sample_from_url(
@@ -1403,7 +1405,7 @@ def upload_from_url_command(a1000: A1000):
 resp = a1000.check_submitted_url_status(task_id=task_id)
 else:
- return_error("This action is not supported.")
+ raise Exception("This action is not supported.")
 results = upload_from_url_output(resp_json=resp.json(), action=action)
 return results
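Review bot: `if not len(hash_list) > 0:` at @@ -1338 can never be true, because `str.split(",")` always returns at least one element, so an empty `sample_hashes` sends `[""]` to `list_containers_for_hashes` and the "Please enter at least one sample hash" error this commit rewrites is dead code. Strip and drop empty entries before the check, `hash_list = [h.strip() for h in sample_hashes.split(",") if h.strip()]` and `if not hash_list:`, which also makes the "no whitespaces" rule in the message unnecessary. Whether `sample_hashes` can be None when the argument is omitted is not visible in the hunk; if it can, `.split` raises AttributeError before the check, so read it as `sample_hashes or ""`. list_containers_command begins before the hunk and continues after it.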
diff --git a/Packs/ReversingLabs_A1000/Integrations/ReversingLabsA1000v2/ReversingLabsA1000v2.yml b/Packs/ReversingLabs_A1000/Integrations/ReversingLabsA1000v2/ReversingLabsA1000v2.yml
index af38f0e65824..6735918c9c47 100644
--- a/Packs/ReversingLabs_A1000/Integrations/ReversingLabsA1000v2/ReversingLabsA1000v2.yml
+++ b/Packs/ReversingLabs_A1000/Integrations/ReversingLabsA1000v2/ReversingLabsA1000v2.yml
@@ -458,6 +458,30 @@ script:
 default: true
 required: true
 outputs:
+ - contextPath: File.SHA256
+ description: The SHA256 hash of the file.
+ type: String
+ - contextPath: File.SHA1
+ description: The SHA1 hash of the file.
+ type: String
+ - contextPath: File.MD5
+ description: MD5 hash of the file.
+ type: String
+ - contextPath: DBotScore.Score
+ description: The actual score.
+ type: Number
+ - contextPath: DBotScore.Type
+ description: The indicator type.
+ type: String
+ - contextPath: DBotScore.Indicator
+ description: The indicator that was tested.
+ type: String
+ - contextPath: DBotScore.Vendor
+ description: The vendor used to calculate the score.
+ type: String
+ - contextPath: DBotScore.Reliability
+ description: Reliability of the source providing the intelligence data.
+ type: String
 - contextPath: ReversingLabs.a1000_static_analysis_report
 description: The static analysis report.
 type: Unknown
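Review bot: The new `File.MD5` entry reads `description: MD5 hash of the file.` while its siblings read `The SHA256 hash of the file.` and `The SHA1 hash of the file.`; the same eight-entry block is pasted again at @@ -537 and @@ -638, so align all three copies to `description: The MD5 hash of the file.`. Since the three commands now declare an identical `File.*` / `DBotScore.*` output set, a one-line YAML comment above each block noting that the copies must be kept in sync would help whoever edits one of them next.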
@@ -537,6 +561,30 @@ script:
 - name: threat_name
 description: If specified, must be an alphanumeric string not longer than 32 characters. If not specified, the default value is 'Generic'.
 outputs:
+ - contextPath: File.SHA256
+ description: The SHA256 hash of the file.
+ type: String
+ - contextPath: File.SHA1
+ description: The SHA1 hash of the file.
+ type: String
+ - contextPath: File.MD5
+ description: MD5 hash of the file.
+ type: String
+ - contextPath: DBotScore.Score
+ description: The actual score.
+ type: Number
+ - contextPath: DBotScore.Type
+ description: The indicator type.
+ type: String
+ - contextPath: DBotScore.Indicator
+ description: The indicator that was tested.
+ type: String
+ - contextPath: DBotScore.Vendor
+ description: The vendor used to calculate the score.
+ type: String
+ - contextPath: DBotScore.Reliability
+ description: Reliability of the source providing the intelligence data.
+ type: String
 - contextPath: ReversingLabs.a1000_sample_classification
 description: Sample classification actions.
 type: Unknown
@@ -638,6 +686,30 @@ script:
 - name: retry
 description: Utilize the retry mechanism for fetching the report. Used in GET REPORT and UPLOAD AND GET REPORT.
 outputs:
+ - contextPath: File.SHA256
+ description: The SHA256 hash of the file.
+ type: String
+ - contextPath: File.SHA1
+ description: The SHA1 hash of the file.
+ type: String
+ - contextPath: File.MD5
+ description: MD5 hash of the file.
+ type: String
+ - contextPath: DBotScore.Score
+ description: The actual score.
+ type: Number
+ - contextPath: DBotScore.Type
+ description: The indicator type.
+ type: String
+ - contextPath: DBotScore.Indicator
+ description: The indicator that was tested.
+ type: String
+ - contextPath: DBotScore.Vendor
+ description: The vendor used to calculate the score.
+ type: String
+ - contextPath: DBotScore.Reliability
+ description: Reliability of the source providing the intelligence data.
+ type: String
 - contextPath: ReversingLabs.a1000_upload_from_url_actions
 description: Actions for uploading a sample from a URL and fetching the analysis results.
 type: Unknown
diff --git a/Packs/ReversingLabs_A1000/ReleaseNotes/2_4_0.md b/Packs/ReversingLabs_A1000/ReleaseNotes/2_4_0.md
index ae13e87cfc5d..3ada1f04cf97 100644
--- a/Packs/ReversingLabs_A1000/ReleaseNotes/2_4_0.md
+++ b/Packs/ReversingLabs_A1000/ReleaseNotes/2_4_0.md
@@ -2,14 +2,14 @@
 ##### ReversingLabs A1000 v2
 - Updated the Docker image to: *demisto/reversinglabs-sdk-py3:2.0.0.96712*.
-Added new commands:
-- ***reversinglabs-a1000-user-tags***
-- ***reversinglabs-a1000-file-analysis-status***
-- ***reversinglabs-a1000-pdf-report***
-- ***reversinglabs-a1000-static-analysis-report***
-- ***reversinglabs-a1000-dynamic-analysis-report***
-- ***reversinglabs-a1000-sample-classification***
-- ***reversinglabs-a1000-yara***
-- ***reversinglabs-a1000-yara-retro***
-- ***reversinglabs-a1000-list-containers***
-- ***reversinglabs-a1000-upload-from-url-actions***
+- Added new commands:
+ - ***reversinglabs-a1000-user-tags***
+ - ***reversinglabs-a1000-file-analysis-status***
+ - ***reversinglabs-a1000-pdf-report***
+ - ***reversinglabs-a1000-static-analysis-report***
+ - ***reversinglabs-a1000-dynamic-analysis-report***
+ - ***reversinglabs-a1000-sample-classification***
+ - ***reversinglabs-a1000-yara***
+ - ***reversinglabs-a1000-yara-retro***
+ - ***reversinglabs-a1000-list-containers***
+ - ***reversinglabs-a1000-upload-from-url-actions***
diff --git a/Packs/ReversingLabs_TitaniumScale/.secrets-ignore b/Packs/ReversingLabs_TitaniumScale/.secrets-ignore
index 3d7c3aa2f5e2..8af95536d061 100644
--- a/Packs/ReversingLabs_TitaniumScale/.secrets-ignore
+++ b/Packs/ReversingLabs_TitaniumScale/.secrets-ignore
@@ -14,3 +14,4 @@ t@0.0.0.99
 38.229.82.25
 116.202.120.166
 Win32.Ransomware.Tox
+5.0.1.26
\ No newline at end of file
diff --git a/Packs/ReversingLabs_TitaniumScale/Integrations/ReversingLabsTitaniumScale/README.md b/Packs/ReversingLabs_TitaniumScale/Integrations/ReversingLabsTitaniumScale/README.md
index 5516443a3ae6..4f58409afe63 100644
--- a/Packs/ReversingLabs_TitaniumScale/Integrations/ReversingLabsTitaniumScale/README.md
+++ b/Packs/ReversingLabs_TitaniumScale/Integrations/ReversingLabsTitaniumScale/README.md
@@ -1,4 +1,23 @@
-ReversingLabs advanced file decomposition appliance.
+## Overview
+This integration supports using ReversingLabs Advanced File Analysis to 'detonate file' on the TitaniumScale Advanced Malware
+Analysis Appliance.
+
+The ReversingLabs TitaniumScale Appliance is powered by TitaniumCore, the malware analysis engine that performs
+automated static analysis using the Active File Decomposition technology.
+
+TitaniumCore unpacks and recursively analyzes files without executing them, and extracts internal threat indicators to
+classify files and determine their threat level. TitaniumCore is capable of identifying thousands of file format
+families. It recursively unpacks hundreds of file format families, and fully repairs extracted files to enable further
+analysis.
+
+* * *
+## Prerequisites
+
+You need to obtain the following:
+
+* TitaniumScale instance
+* TitaniumScale API Token
+
 ## Configure ReversingLabs TitaniumScale on Cortex XSOAR
diff --git a/Packs/ReversingLabs_TitaniumScale/ReleaseNotes/1_2_0.md b/Packs/ReversingLabs_TitaniumScale/ReleaseNotes/1_2_0.md
index 0287f96e6eb0..51755854a298 100644
--- a/Packs/ReversingLabs_TitaniumScale/ReleaseNotes/1_2_0.md
+++ b/Packs/ReversingLabs_TitaniumScale/ReleaseNotes/1_2_0.md
@@ -2,9 +2,9 @@
 ##### ReversingLabs TitaniumScale
 - Updated the Docker image to *demisto/reversinglabs-sdk-py3:2.0.0.96712*.
-Added new commands:
-- ***reversinglabs-titaniumscale-list-processing-tasks***
-- ***reversinglabs-titaniumscale-get-processing-task-info***
-- ***reversinglabs-titaniumscale-delete-processing-task***
-- ***reversinglabs-titaniumscale-delete-multiple-tasks***
-- ***reversinglabs-titaniumscale-get-yara-id***
+- Added new commands:
+ - ***reversinglabs-titaniumscale-list-processing-tasks***
+ - ***reversinglabs-titaniumscale-get-processing-task-info***
+ - ***reversinglabs-titaniumscale-delete-processing-task***
+ - ***reversinglabs-titaniumscale-delete-multiple-tasks***
+ - ***reversinglabs-titaniumscale-get-yara-id***
diff --git a/Packs/ReversingLabs_Titanium_Cloud/Integrations/ReversingLabsTitaniumCloudv2/README.md b/Packs/ReversingLabs_Titanium_Cloud/Integrations/ReversingLabsTitaniumCloudv2/README.md
index 6c6eb77892a1..e4cac685fa65 100644
--- a/Packs/ReversingLabs_Titanium_Cloud/Integrations/ReversingLabsTitaniumCloudv2/README.md
+++ b/Packs/ReversingLabs_Titanium_Cloud/Integrations/ReversingLabsTitaniumCloudv2/README.md
@@ -92943,3 +92943,70 @@ Retrieve dynamic analysis results for a URL.
 >
+### reversinglabs-titaniumcloud-customer-usage-data
+
+***
+Check API usage data for a single user or the whole company.
+
+#### Base Command
+
+`reversinglabs-titaniumcloud-customer-usage-data`
+
+#### Input
+
+| **Argument Name** | **Description** | **Required** |
+| --- | --- | --- |
+| data_type | Select the type of API usage data that will be returned. Options are DAILY USAGE, MONTHLY USAGE, DATE RANGE USAGE and QUOTA LIMITS. Possible values are: DAILY USAGE, MONTHLY USAGE, DATE RANGE USAGE, QUOTA LIMITS. | Required |
+| whole_company | Return usage data for the whole company. Possible values are: true, false. | Optional |
+| from | Starting day/month. Used only with DAILY USAGE and MONTHLY USAGE. In case of DAILY USAGE, the format is yyyy-MM-dd. In case of MONTHLY USAGE, the format is yyyy-MM. Mutually exclusive with single_time_unit. | Optional |
+| to | Ending day/month. Used only with DAILY USAGE and MONTHLY USAGE. In case of DAILY USAGE, the format is yyyy-MM-dd. In case of MONTHLY USAGE, the format is yyyy-MM. Mutually exclusive with single_time_unit. | Optional |
+| single_time_unit | Return usage data only for this day/month. Used only with DAILY USAGE and MONTHLY USAGE. In case of DAILY USAGE, the format is yyyy-MM-dd. In case of MONTHLY USAGE, the format is yyyy-MM. Mutually exclusive with from and to. | Optional |
+
+#### Context Output
+
+| **Path** | **Type** | **Description** |
+| --- | --- | --- |
+| ReversingLabs.customer_usage_data | Unknown | API usage data. |
+
+### reversinglabs-titaniumcloud-customer-usage-yara
+
+***
+Return the number of active YARA rulesets for the TitaniumCloud account.
+
+#### Base Command
+
+`reversinglabs-titaniumcloud-customer-usage-yara`
+
+#### Input
+
+There are no input arguments for this command.
+
+#### Context Output
+
+| **Path** | **Type** | **Description** |
+| --- | --- | --- |
+| ReversingLabs.customer_usage_yara | Unknown | Number of active YARA rulesets. |
+
+#### Command example
+```!reversinglabs-titaniumcloud-customer-usage-yara```
+#### Context Example
+```json
+{
+ "ReversingLabs": {
+ "customer_usage_yara": {
+ "rl": {
+ "number_of_active_rulesets": 6,
+ "product": "TCA-0303 Yara Hunting"
+ }
+ }
+ }
+}
+```
+
+#### Human Readable Output
+
+>## ReversingLabs active YARA rulesets for rl/msever
+> ### Results
+>|number_of_active_rulesets|product|
+>|---|---|
+>| 6 | TCA-0303 Yara Hunting |
\ No newline at end of file
diff --git a/Packs/ReversingLabs_Titanium_Cloud/Integrations/ReversingLabsTitaniumCloudv2/ReversingLabsTitaniumCloudv2.yml b/Packs/ReversingLabs_Titanium_Cloud/Integrations/ReversingLabsTitaniumCloudv2/ReversingLabsTitaniumCloudv2.yml
index b1a7c3271325..5d8c6e18e6ad 100644
--- a/Packs/ReversingLabs_Titanium_Cloud/Integrations/ReversingLabsTitaniumCloudv2/ReversingLabsTitaniumCloudv2.yml
+++ b/Packs/ReversingLabs_Titanium_Cloud/Integrations/ReversingLabsTitaniumCloudv2/ReversingLabsTitaniumCloudv2.yml
@@ -833,7 +833,7 @@ script:
 - contextPath: ReversingLabs.customer_usage_yara
 description: Number of active YARA rulesets.
 type: Unknown
- dockerimage: demisto/reversinglabs-sdk-py3:2.0.0.86428
+ dockerimage: demisto/reversinglabs-sdk-py3:2.0.0.96712
 runonce: false
 script: "-"
 subtype: python3
diff --git a/Packs/ReversingLabs_Titanium_Cloud/Integrations/ReversingLabsTitaniumCloudv2/command_examples.txt b/Packs/ReversingLabs_Titanium_Cloud/Integrations/ReversingLabsTitaniumCloudv2/command_examples.txt
index d62224694b2e..4ac07a117744 100644
--- a/Packs/ReversingLabs_Titanium_Cloud/Integrations/ReversingLabsTitaniumCloudv2/command_examples.txt
+++ b/Packs/ReversingLabs_Titanium_Cloud/Integrations/ReversingLabsTitaniumCloudv2/command_examples.txt
@@ -37,4 +37,5 @@
 !reversinglabs-titaniumcloud-submit-sample-for-dynamic-analysis sha1=21841b32c6165b27dddbd4d6eb3a672defe54271 platform=windows10
 !reversinglabs-titaniumcloud-get-url-dynamic-analysis-results url=http://classicairjordanshoes.com/classic-air-jordan-9-c-7.html?zenid=egbmmbi039iqms5ho5dt2qnunm0mettt analysis_id=0f57134a-ecb8-4f8f-ad60-903b63bf8bc4 latest_analysis=false
 !reversinglabs-titaniumcloud-submit-url-for-dynamic-analysis url=http://classicairjordanshoes.com/classic-air-jordan-9-c-7.html?zenid=egbmmbi039iqms5ho5dt2qnunm0mettt platform=windows10
-
+!reversinglabs-titaniumcloud-customer-usage-data data_type=MONTHLY USAGE whole_company=true
+!reversinglabs-titaniumcloud-customer-usage-yara
diff --git a/Packs/ReversingLabs_Titanium_Cloud/ReleaseNotes/2_6_0.md b/Packs/ReversingLabs_Titanium_Cloud/ReleaseNotes/2_6_0.md
index 79e4f65ea5e1..0c3417233ef4 100644
--- a/Packs/ReversingLabs_Titanium_Cloud/ReleaseNotes/2_6_0.md
+++ b/Packs/ReversingLabs_Titanium_Cloud/ReleaseNotes/2_6_0.md
@@ -1,6 +1,8 @@
 #### Integrations
 ##### ReversingLabs TitaniumCloud v2
-Added new commands:
-- ***reversinglabs-titaniumcloud-customer-usage-data***
-- ***reversinglabs-titaniumcloud-customer-usage-yara***
+- Updated the Docker image to: *demisto/reversinglabs-sdk-py3:2.0.0.96712*.
+
+- Added new commands:
+ - ***reversinglabs-titaniumcloud-customer-usage-data***
+ - ***reversinglabs-titaniumcloud-customer-usage-yara***
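Review bot: `data_type=MONTHLY USAGE` in the added command example carries an unquoted space; the XSOAR command line splits arguments on whitespace, so the value is likely parsed as `MONTHLY` with a stray `USAGE` token, and the README generated from this file would record an invocation that does not run. Quote it, `data_type="MONTHLY USAGE"`, which also matches how the manifest hunks spell the option names.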