Recordedfuture threathunting v2.5.0 (demisto#29641)

* Recordedfuture threathunting v2.5.0 (demisto#29025) * Add commands related to Automated Threat hunting recordedfuture-threat-map recordedfuture-threat-links recordedfuture-detection-rules * Add recordedfuture-collective-insight command. Change app version. * Update README.md. Add release notes * Add playbook. Add unittests * Add unittests * Fix test_collective_insight_command * Remove incorrect release note * Add documentation for threat actor search playbook * update Recorded Future Threat actor search playbook. add release note about new playbook. * Update release notes, fix formatting * Format yml files * Update Recorded future threat actor search playbook * Update docker image * Fix linter --------- Co-authored-by: Michael Yochpaz <8832013+MichaelYochpaz@users.noreply.github.com> * Minor README fixes --------- Co-authored-by: Yaroslav Nestor <yaroslav.nestor22@gmail.com> Co-authored-by: Michael Yochpaz <8832013+MichaelYochpaz@users.noreply.github.com>
wolyslager · Oct 2, 2023 · 9a1ccae · 9a1ccae
1 parent 11fa172
commit 9a1ccae
Show file tree

Hide file tree

Showing 8 changed files with 1,302 additions and 8 deletions.
diff --git a/Packs/RecordedFuture/Integrations/RecordedFuture/README.md b/Packs/RecordedFuture/Integrations/RecordedFuture/README.md
@@ -1154,6 +1154,119 @@ Search for a malware by specified filters.
 | RecordedFuture.Malware.type | string | Recorded Future entity type \(always = "Malware"\). | 
 | RecordedFuture.Malware.intelCard | date | Recorded Future intelligence card URL. | 
 
+
+#### Base Command
+
+`recordedfuture-threat-map`
+
+#### Input
+
+| **Argument Name** | **Description** | **Required** |
+| --- | --- | --- |
+| actors_ids | Actors IDs for which to get the threat map | Optional | 
+| actor_name | Actors name for which to get the threat map | Optional | 
+| include_links | Fetch links to threat actor or not | Optional | 
+
+#### Context Output
+
+| **Path**                             | **Type** | **Description**                           |
+|--------------------------------------|----------|-------------------------------------------|
+| RecordedFuture.ThreatMap.id          | string   | Recorded Future threat actor ID.          | 
+| RecordedFuture.ThreatMap.name        | string   | Recorded Future entity name.              | 
+| RecordedFuture.ThreatMap.alias       | array    | Recorded Future threat actor alias.       | 
+| RecordedFuture.ThreatMap.intent      | number   | Recorded Future threat actor intent.      | 
+| RecordedFuture.ThreatMap.id          | string   | Recorded Future threat actor ID.          | 
+| RecordedFuture.ThreatMap.opportunity | number   | Recorded Future threat actor opportunity. | 
+| RecordedFuture.ThreatMap.log_entries | array    | Recorded Future threat actor log entries. | 
+| RecordedFuture.ThreatMap.links       | array    | Recorded Future threat actor links.       |
+
+
+#### Base Command
+
+`recordedfuture-threat-links`
+
+#### Input
+
+| **Argument Name** | **Description**                                                                                                                                                                         | **Required** |
+|-------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|
+| entity_type       | Type of the entity to fetch links for. E.g. "domain", "ip", "file", "url", "cve", "malware", "organization, "person". Should be provided along with the entity in entity_name argument. | Optional     | 
+| entity_name       | Name of the entity to fetch links for                                                                                                                                                   | Optional     | 
+| entity_id         | ID of entity to fetch links for                                                                                                                                                         | Optional     | 
+| source_type       | Source of the links to be fetched. Can be "insikt" or "technical"                                                                                                                       | Optional     | 
+| timeframe         | Time range of the links to be fetched. Eg. "-1d" for last 1 day                                                                                                                         | Optional     | 
+| technical_type    | Type of technical source to fetch links from. Can be "type:MalwareAnalysis", "type:InfrastructureAnalysis", "type:NetworkTrafficAnalysis" or "type:TTPAnalysis"                         | Optional     | 
+
+#### Context Output
+
+| **Path**                              | **Type** | **Description**                  |
+|---------------------------------------|----------|----------------------------------|
+| RecordedFuture.Links.entity.id        | string   | Recorded Future Entity id.       | 
+| RecordedFuture.Links.entity.type      | string   | Recorded Future Entity type      | 
+| RecordedFuture.Links.links.type       | string   | Recorded Future link type.       | 
+| RecordedFuture.Links.links.id         | string   | Recorded Future link id.         | 
+| RecordedFuture.Links.links.name       | string   | Recorded Future link name.       | 
+| RecordedFuture.Links.links.source     | string   | Recorded Future link source.     | 
+| RecordedFuture.Links.links.section    | string   | Recorded Future link section.    | 
+| RecordedFuture.Links.links.attributes | string   | Recorded Future link attributes. |
+
+
+#### Base Command
+
+`recordedfuture-detection-rules`
+
+#### Input
+
+| **Argument Name** | **Description**                            | **Required** |
+|-------------------|--------------------------------------------|--------------|
+| entity_type       | Type of the entity to fetch links for      | Optional     | 
+| entity_name       | Name of the entity to fetch links for      | Optional     | 
+| entity_id         | ID of entity to fetch links for            | Optional     | 
+| rule_types        | Rule type. Can be "yara", "sigma", "snort" | Optional     | 
+| title             | Rule title                                 | Optional     | 
+
+#### Context Output
+
+| **Path**                                          | **Type** | **Description**                             |
+|---------------------------------------------------|----------|---------------------------------------------|
+| RecordedFuture.DetectionRules.id                  | string   | Recorded Future Detection rule id.          | 
+| RecordedFuture.DetectionRules.type                | string   | Recorded Future Detection rule type.        | 
+| RecordedFuture.DetectionRules.title               | string   | Recorded Future Detection rule title.       | 
+| RecordedFuture.DetectionRules.description         | string   | Recorded Future Detection rule description. | 
+| RecordedFuture.DetectionRules.created             | string   | Recorded Future link name.                  | 
+| RecordedFuture.DetectionRules.updated             | string   | Recorded Future link source.                | 
+| RecordedFuture.DetectionRules.rules               | array    | Recorded Future link section.               | 
+| RecordedFuture.DetectionRules.rules.entities      | array    | Recorded Future link attributes.            |
+| RecordedFuture.DetectionRules.rules.entities.id   | string   | Recorded Future link attributes.            |
+| RecordedFuture.DetectionRules.rules.entities.type | string   | Recorded Future link attributes.            |
+| RecordedFuture.DetectionRules.rules.entities.name | string   | Recorded Future link attributes.            |
+| RecordedFuture.DetectionRules.rules.content       | string   | Recorded Future link attributes.            |
+| RecordedFuture.DetectionRules.rules.file_name     | string   | Recorded Future link attributes.            |
+
+
+#### Base Command
+
+`recordedfuture-collective-insight`
+
+#### Input
+#### Input
+
+| **Argument Name**  | **Description**                                                                                     | **Required** |
+|--------------------|-----------------------------------------------------------------------------------------------------|--------------|
+| entity_type        | Value that can contain one of the enumerated list of values (ip, hash, domain, vulnerability, url). | Required     | 
+| entity_name        | Value of the IOC itself                                                                             | Required     | 
+| entity_source_type | Used to describe what log source the IOC came from                                                  | Optional     | 
+| incident_name      | Title of the incident related to the IOC                                                            | Optional     | 
+| incident_id        | ID of the incident related to the IOC                                                               | Optional     | 
+| incident_type      | Attack vector associated with the incident (C2, Phishing.. etc)                                     | Optional     | 
+| mitre_codes        | List contains one or more MITRE codes associated with the IOC                                       | Optional     | 
+| malware            | List contains all known malware associated with the IOCs                                            | Optional     | 
+
+#### Context Output
+
+| **Path**                                | **Type** | **Description** |
+|-----------------------------------------|----------|-----------------|
+| RecordedFuture.CollectiveInsight.status | string   | Request status  | 
+
 ## Breaking changes from the previous version of this integration - Recorded Future v2
 
 Renamed the integration setting "Incident Sharing" to "Collective Insights", resetting any previous configuration to this setting. 
diff --git a/Packs/RecordedFuture/Integrations/RecordedFuture/RecordedFuture.py b/Packs/RecordedFuture/Integrations/RecordedFuture/RecordedFuture.py
@@ -4,6 +4,7 @@
 
 import copy
 import platform
+from typing import *
 
 # flake8: noqa: F402,F405 lgtm
 
@@ -12,7 +13,7 @@
 # disable insecure warnings
 requests.packages.urllib3.disable_warnings()  # type: ignore
 
-__version__ = '2.4.3'
+__version__ = '2.5.0'
 
 
 # === === === === === === === === === === === === === === ===
@@ -282,9 +283,7 @@ def get_single_alert(self) -> dict:
         """Get a single alert"""
         return self._call(url_suffix='/v2/alert/lookup')
 
-    def get_alerts(
-        self,
-    ) -> Dict[str, Any]:
+    def get_alerts(self) -> Dict[str, Any]:
         """Get alerts."""
         return self._call(url_suffix='/v2/alert/search')
 
@@ -320,6 +319,18 @@ def get_triage(self) -> Dict[str, Any]:
         """SOAR triage lookup."""
         return self._call(url_suffix='/v2/lookup/triage')
 
+    def get_threat_map(self) -> Dict[str, Any]:
+        return self._call(url_suffix='/v2/threat/actors')
+
+    def get_threat_links(self) -> Dict[str, Any]:
+        return self._call(url_suffix='/v2/links/search')
+
+    def get_detection_rules(self) -> Dict[str, Any]:
+        return self._call(url_suffix='/v2/detection_rules/search')
+
+    def submit_detection_to_collective_insight(self) -> Dict[str, Any]:
+        return self._call(url_suffix='/v2/collective-insights/detections')
+
 
 # === === === === === === === === === === === === === === ===
 # === === === === === === ACTIONS === === === === === === ===
@@ -441,13 +452,28 @@ def triage_command(self) -> List[CommandResults]:
         response = self.client.get_triage()
         return self._process_result_actions(response=response)
 
+    def threat_actors_command(self) -> List[CommandResults]:
+        response = self.client.get_threat_map()
+        return self._process_result_actions(response=response)
+
+    def threat_links_command(self) -> List[CommandResults]:
+        response = self.client.get_threat_links()
+        return self._process_result_actions(response=response)
+
+    def detection_rules_command(self) -> List[CommandResults]:
+        response = self.client.get_detection_rules()
+        return self._process_result_actions(response=response)
+
+    def collective_insight_command(self) -> List[CommandResults]:
+        response = self.client.submit_detection_to_collective_insight()
+        return self._process_result_actions(response=response)
 
 # === === === === === === === === === === === === === === ===
 # === === === === === === === MAIN === === === === === === ==
 # === === === === === === === === === === === === === === ===
 
 
-def main() -> None:
+def main() -> None:  # pragma: no cover
     """Main method used to run actions."""
     try:
         demisto_params = demisto.params()
@@ -525,6 +551,15 @@ def main() -> None:
         elif command == 'recordedfuture-threat-assessment':
             return_results(actions.triage_command())
 
+        elif command == 'recordedfuture-threat-map':
+            return_results(actions.threat_actors_command())
+        elif command == 'recordedfuture-threat-links':
+            return_results(actions.threat_links_command())
+        elif command == 'recordedfuture-detection-rules':
+            return_results(actions.detection_rules_command())
+        elif command == 'recordedfuture-collective-insight':
+            return_results(actions.collective_insight_command())
+
     except Exception as e:
         return_error(message=f'Failed to execute {demisto.command()} command: {str(e)}')