more

Packs/FeedThreatFox/Integrations/FeedThreatFox/FeedThreatFox.py

@@ -38,16 +38,11 @@
         :return: 'ok' if test passed, anything else will fail the test.
         :rtype: ``str``
         """
-        message: str = ''
-        try:
-            self.get_indicators_request({'days': 1, 'limit': 5})
-            message = 'ok'
-        except DemistoException as e:
-                raise e
-        return message
+        self.get_indicators_request({'days': 1, 'limit': 5})
+        return 'ok'
 
 
-def check_params_for_query(args: dict)->tuple[bool, str|None]:
+def check_args_for_query(args: dict)->tuple[bool, str|None]:
     """Checks that there are no extra params and no missing ones for the query.
     Args:
         args: dict
@@ -56,13 +51,13 @@
         Str: The query type (one of these: 'search_term', 'id', 'hash', 'tag', 'malware', 'days').
             If args are not good than it will be None.
     """
-    args_lst = list({ele for ele in args if args[ele]})
+    args_lst = list(args.keys())
     if 'limit' in args_lst:
         args_lst.remove('limit')
     if len(args_lst) != 1:
-        return False, None
+        raise DemistoException("Arguments given are invalid. Please specify exactly one argument to search by.")
     else:
-        return True, args_lst[0]
+        return args_lst[0]
 
 
 def create_query(query_arg, id: str | None = None, search_term: str | None = None,
@@ -79,9 +74,8 @@
     """
 
     query_dict = {'search_term': 'search_ioc', 'id': 'ioc', 'hash': 'search_hash',
-            'tag': 'taginfo', 'malware': 'malwareinfo', 'days': 'get_iocs'}
+            'tag': 'taginfo', 'malware': 'malwareinfo'}
 
-    q_days = str((arg_to_number(days) or 1)/1440)
     q_id = arg_to_number(id)
 
     query = assign_params(
@@ -91,7 +85,6 @@
         hash = hash,
         tag = tag,
         malware = malware,
-        days = q_days
     )
 
     # Only queries searching by tag or malware can specify a limit.
@@ -127,7 +120,7 @@
             LastSeenBySource = indicator.get('last_seen'),
             ReportedBy = indicator.get('reporter'),
             Tags = tags(indicator, with_ports=True),
-            Confidence = indicator.get('confidence_level'),
+            Confidence = str(indicator.get('confidence_level')),
             Publications = publications(indicator)
         ))
     return res
@@ -203,12 +196,13 @@
     if not indicator.get('reference'):
         return None
     malware_printable = indicator.get('malware_printable')
+
     return [{'link': indicator.get('reference'),
              'title': malware_printable if malware_printable and malware_printable != 'Unknown malware' else 'Malware' ,
              'source': 'ThreatFox'}]
+
 
-
-def date(date: Optional[str])->Optional[str]:
+def to_date(date: Optional[str])->Optional[str]:
     """parses the date returned from raw response to a date in the right format for indicator fields in XSOAR.
     """
     if date:
@@ -226,18 +220,19 @@
 
     Returns:
         List[str]: List of tags to add to the indicator.
     """
-    res = [indicator.get('malware_printable') if indicator.get('malware_printable') != 'Unknown malware' else None, indicator.get('malware_alias'), indicator.get('threat_type')]
+    res = [indicator.get('malware_printable') if indicator.get('malware_printable') != 'Unknown malware' else None, indicator.get('threat_type')]
     if indicator.get('tags'):
         res.extend(indicator['tags'])
+    if indicator.get('malware_alias'):
+        res.extend(indicator['malware_alias'].split(','))
     if with_ports and indicator.get('ioc_type') == "ip:port":
             res.append('port: ' + indicator['ioc'].split(':')[1])
 
     res = [tag.lower() for tag in res if tag]
 
     # remove duplicate tags
-    seen = set()
-    res =  [tag for tag in res if tag not in seen and not seen.add(tag)]
+    res = list(set(res))
 
     return res
 
@@ -274,6 +269,7 @@
                                                     brand='ThreatFox Feed', reverse_name=reverse_name).to_indicator()]
     return []
 
+
 def validate_interval(interval: int)->int:
     """Validates that the given interval is in days between 1 to 7.
 
@@ -299,29 +295,31 @@
     malware = args.get('malware')
     limit = args.get('limit')
 
-    is_valid, query_type = check_params_for_query(args)
-
-    if not is_valid:
-        raise DemistoException("Arguments given are invalid.")
+    query_type = check_args_for_query(args)
 
     query = create_query(query_type, id, search_term, hash, tag, malware, limit=limit)
 
     demisto.debug(f'{LOG} calling api with {query=}')
-    result = client.get_indicators_request(query)
-    demisto.debug(f'{LOG} got {result=}')
-
+    try:
+        result = client.get_indicators_request(query)
+    except Exception:
+        if 'malware' in query:  # if illegal malware is provided an 502 error response returns
+            demisto.error('make sure..')
+        raise
+
     query_status = result.get('query_status')
     query_data = result.get('data')
 
     if query_status != 'ok' and query_status:
-        raise DemistoException(f'failed to run command {query_status} {query_data}')
+        raise DemistoException(f'failed to run command, {query_status=}, {query_data=}')
 
-    parsed_indicators = parse_indicators_for_get_command(result.get('data') or result)
+    demisto.debug(f'{LOG} got indicators')
 
+    parsed_indicators = parse_indicators_for_get_command(result.get('data') or result)
     human_readable = tableToMarkdown(name='Indicators', t=parsed_indicators,
                                      headers=['ID', 'Value', 'Description', 'MalwareFamilyTags',
                                               'AliasesTags', 'FirstSeenBySource', 'LastSeenBySource', 'ReportedBy',
-                                              'Tags', 'Confidence', 'Publications'], removeNull=True)
+                                              'Tags', 'Confidence', 'Publications'], removeNull=True, is_auto_json_transform=True)
 
     return CommandResults(readable_output=human_readable)
 
@@ -372,7 +370,7 @@
 
     params = demisto.params()
     base_url = urljoin(params['url'], '/api/v1')
-    with_ports = argToBoolean(params.get('with_ports', False))
+    with_ports = argToBoolean(params.get('with_ports'))
     confidence_threshold = arg_to_number(params.get('confidence_threshold')) or 75
     create_relationship = argToBoolean(params.get('create_relationship'))
     tlp_color = params.get('tlp_color') or 'CLEAR'
@@ -390,8 +388,8 @@
         elif command == 'threatfox-get-indicators':
             return_results(threatfox_get_indicators_command(client, demisto.args()))
 
         elif command == 'fetch-indicators':
             next_run, res = fetch_indicators_command(client=client, with_ports=with_ports, confidence_threshold=confidence_threshold,
                                           create_relationship=create_relationship, interval=interval, tlp_color=tlp_color, last_run=demisto.getLastRun())
             for iter_ in batch(res, batch_size=2000):
                 demisto.debug(f"{LOG} {iter_=}")
@@ -399,10 +397,11 @@
             demisto.setLastRun({"last_successful_run": next_run})
 
 
+    #except Exception as e:
+    #    raise Exception(e)
     except Exception as e:
-        raise Exception(e)
-   # except Exception as e:
-    #    return_error(f'Failed to execute {demisto.command()} command.\nError:\n{str(e)}')
+        #print(f'Failed to execute {demisto.command()} command.\nError:\n{str(e)}')
+        return_error(f'Failed to execute {demisto.command()} command.\nError:\n{str(e)}')
 
 
 if __name__ in ('__main__', '__builtin__', 'builtins'):

Packs/FeedThreatFox/Integrations/FeedThreatFox/FeedThreatFox.yml

@@ -23,7 +23,7 @@ configuration:
   - Suspicious
   additionalinfo: Indicators from this integration instance will be marked with this
     reputation.
-- additionalinfo: Reliability of the source providing the intelligence data
+- additionalinfo: Reliability of the source providing the intelligence data.
   defaultvalue: C - Fairly reliable
   display: Source Reliability
   name: feedReliability
@@ -44,7 +44,8 @@ configuration:
   section: Collect
   type: 0
   advanced: true
-- additionalinfo: The Traffic Light Protocol (TLP) designation to apply to indicators fetched from the feed
+  additionalinfo: If the indicator's confidence is below this number, it will be dropped.
+- additionalinfo: The Traffic Light Protocol (TLP) designation to apply to indicators fetched from the feed.
   display: Traffic Light Protocol Color
   name: tlp_color
   options:
@@ -123,7 +124,7 @@ configuration:
   type: 8
   required: false
   section: Connect
-description: Use the ThreatFox Feed integration to fetch indicators from the feed.
+description: ThreatFox is a free platform from abuse.ch with the goal of sharing indicators of compromise (IOCs) associated with malware. Use the ThreatFox Feed integration to fetch indicators from the feed.
 display: ThreatFox Feed Dev
 name: ThreatFox Feed Dev
 script:
@@ -132,13 +133,13 @@ script:
     - description: Indicator value to search for.
       name: search_term
       required: false
-    - description: Indicator id to search for.
+    - description: Indicator ID to search for.
       name: id
       required: false
     - description: Hash to search for.
       name: hash
       required: false
-    - description: tag to search for.
+    - description: Tag to search for.
       name: tag
       required: false
     - description: Malware to search for.

Packs/FeedThreatFox/Integrations/FeedThreatFox/FeedThreatFox_description.md

@@ -1,6 +1,8 @@
-## ThreatFox Feed Help
+## ThreatFox Feed Integration Help
 
-The ThreatFox Feed allows users to fetch indicators from ThreatFox, providing essential threat intelligence.
+ThreatFox is a free platform from abuse.ch with the goal of sharing indicators of compromise (IOCs) associated with malware with the infosec community, AV vendors and threat intelligence providers.
+
+The ThreatFox Feed allows users to fetch indicators from ThreatFox.
 
 A manual command is also available to retrieve indicators from ThreatFox as needed.
 For more details, refer to the ThreatFox documentation: <https://threatfox.abuse.ch/api/>

Packs/FeedThreatFox/Integrations/FeedThreatFox/FeedThreatFox_test.py

@@ -54,13 +54,13 @@
     Then:
         - The function returns (True, {the argument's name}).
     """
-    from FeedThreatFox import check_params_for_query
-    is_valid, query_arg = check_params_for_query(query_args)
+    from FeedThreatFox import check_args_for_query
+    is_valid, query_arg = check_args_for_query(query_args)
     assert (is_valid, query_arg) == expected_result
 
 
 test_check_params_bad_arguments_data = [
     ( {'days': 1, 'tag': 'bla'},  # case two argument are given
      (False, None)),  # expected
     ({},  # case no arguments are given
      (False, None))  # expected
@@ -77,8 +77,8 @@
     Then:
         - The function returns (False, None).
     """
-    from FeedThreatFox import check_params_for_query
-    is_valid, query_arg = check_params_for_query(query_args)
+    from FeedThreatFox import check_args_for_query
+    is_valid, query_arg = check_args_for_query(query_args)
     assert (is_valid, query_arg) == expected_result
 
 
@@ -102,7 +102,7 @@
             - Wrong arguments for a query.
 
         When:
-            - Running check_params function.
+            - Running create_query function.
 
         Then:
             - The function returns (False, None).
@@ -410,8 +410,8 @@
     (True, 80, True, 2880, 'CLEAR', None,  # case interval ==2
      { "query": "get_iocs", "days": 2})  # expected
 ]
 @pytest.mark.parametrize('with_ports, confidence_threshold, create_relationship, interval, tlp_color, last_run, expected', first_run_data)   
 def test_fetch_indicators_command__first_run(mocker, with_ports, confidence_threshold, create_relationship, interval, tlp_color, last_run, expected):
     """
         Given:
             - An arguments with no last_run
@@ -435,8 +435,8 @@
      { "query": "get_iocs", "days": 7})
 ]
 @freeze_time("2024-07-10T15:21:13Z")
 @pytest.mark.parametrize('with_ports, confidence_threshold, create_relationship, interval, tlp_color, last_run, expected', second_run_data)
 def test_fetch_indicators_command__second_run(mocker, with_ports, confidence_threshold, create_relationship, interval, tlp_color, last_run, expected):
     """
         Given:
             - An indicator, with_ports, create_relationship, tlp_color arguments
@@ -450,4 +450,23 @@
     from FeedThreatFox import fetch_indicators_command
     http = mocker.patch.object(CLIENT, '_http_request', return_value={'query_status': 'ok', 'data': {}})
     fetch_indicators_command(CLIENT, with_ports, confidence_threshold, create_relationship, interval, tlp_color, last_run)
-    assert http.call_args.kwargs['json_data'] == expected
+    assert http.call_args.kwargs['json_data'] == expected
+
+
+intervals = [1441, 11520, 10081]
+@pytest.mark.parametrize('interval', intervals)
+def test_validate_interval(interval):
+    """
+        Given:
+            - An invalid interval.
+
+        When:
+            - Running validate_interval func.
+
+        Then:
+            - A DemistoException is raised.
+    """
+    from CommonServerPython import DemistoException
+    from FeedThreatFox import validate_interval
+    with pytest.raises(DemistoException):
+            validate_interval(interval)

Packs/FeedThreatFox/Integrations/FeedThreatFox/README.md

@@ -13,10 +13,10 @@ This integration was integrated and tested with version xx of ThreatFox Feed.
     | Use system proxy settings |  | False |
     | Trust any certificate (not secure) |  | False |
     | Fetch indicators |  | False |
-    | Source Reliability | Reliability of the source providing the intelligence data | False |
+    | Source Reliability | Reliability of the source providing the intelligence data. | False |
     | Indicator Reputation | Indicators from this integration instance will be marked with this reputation. | False |
-    | Traffic Light Protocol Color | The Traffic Light Protocol \(TLP\) designation to apply to indicators fetched from the feed | False |
-    | Indicator Expiration Method |  | False |
+    | Traffic Light Protocol Color | The Traffic Light Protocol \(TLP\) designation to apply to indicators fetched from the feed. | False |
+    | Indicator Expiration Method | The method to be used to expire indicators from this feed. Default: indicatorType | False |
     | Bypass exclusion list | When selected, the exclusion list is ignored for indicators from this feed. This means that if an indicator from this feed is on the exclusion list, the indicator might still be added to the system. | False |
     | Feed Fetch Interval (in days) |  | False |
     | Return IOCs with Ports | If selected, IP indicators will include a tag with the port value | False |
@@ -44,10 +44,10 @@ Retrieves indicators from the ThreatFox API.
 | **Argument Name** | **Description** | **Required** |
 | --- | --- | --- |
 | search_term | Indicator value to search for | Optional | 
-| id | Indicator id to search for | Optional | 
-| hash | Hash to search for | Optional | 
-| tag | Tag to search for | Optional | 
-| malware | Malware to search for | Optional | 
+| id | Indicator ID to search for. | Optional | 
+| hash | Hash to search for. | Optional | 
+| tag | Tag to search for. | Optional | 
+| malware | Malware to search for. | Optional | 
 | limit | Maximum indicators to search for. Available only when searching by 'malware' or 'tag'. Default is 50. | Optional | 
 
 #### Context Output

Packs/FeedThreatFox/pack_metadata.json

@@ -1,6 +1,6 @@
 {
     "name": "ThreatFox Feed",
-    "description": "## FILL MANDATORY FIELD ##",
+    "description": "ThreatFox is a free platform from abuse.ch with the goal of sharing indicators of compromise (IOCs) associated with malware with the infosec community, AV vendors and threat intelligence providers. The ThreatFox Feed allows users to fetch indicators from ThreatFox.",
     "support": "xsoar",
     "currentVersion": "1.0.0",
     "author": "Cortex XSOAR",