diff --git a/Packs/Unit42ThreatIntelligencebyPaloAltoNetworks/CONTRIBUTORS.json b/Packs/Unit42ThreatIntelligencebyPaloAltoNetworks/CONTRIBUTORS.json
new file mode 100644
index 000000000000..fcabcec481f7
--- /dev/null
+++ b/Packs/Unit42ThreatIntelligencebyPaloAltoNetworks/CONTRIBUTORS.json
@@ -0,0 +1,3 @@
+[
+ "Maximilian Lehrbaum"
+]
diff --git a/Packs/Unit42ThreatIntelligencebyPaloAltoNetworks/Integrations/Unit42Intelligence/Unit42Intelligence.py b/Packs/Unit42ThreatIntelligencebyPaloAltoNetworks/Integrations/Unit42Intelligence/Unit42Intelligence.py
index dfcfd3c04af0..4e826953c261 100644
--- a/Packs/Unit42ThreatIntelligencebyPaloAltoNetworks/Integrations/Unit42Intelligence/Unit42Intelligence.py
+++ b/Packs/Unit42ThreatIntelligencebyPaloAltoNetworks/Integrations/Unit42Intelligence/Unit42Intelligence.py
@@ -267,7 +267,11 @@ def remove_mitre_technique_id_prefix(threat_name: str) -> str:
 
 
 def create_relationships(
- indicator: str, indicator_type: str, threat_objects: list[dict[str, Any]], create_relationships: bool
+ indicator: str,
+ indicator_type: str,
+ threat_objects: list[dict[str, Any]],
+ create_relationships: bool,
+ reliability: str = DBotScoreReliability.A_PLUS_PLUS,
 ) -> list[EntityRelationship]:
 """
 Create relationships between indicator and threat objects
@@ -305,7 +309,7 @@ def create_relationships(
 entity_a_type=indicator_type,
 entity_b=threat_name,
 entity_b_type=INDICATOR_TYPE_MAPPING[threat_class],
- source_reliability=DBotScoreReliability.A_PLUS_PLUS,
+ source_reliability=reliability,
 brand=INTEGRATION_NAME,
 )
 relationships.append(relationship)
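Review bot: The new `reliability` parameter defaults to `DBotScoreReliability.A_PLUS_PLUS`, so any caller that omits it — including the seven `create_*_relationships` helpers and `create_location_indicators_and_relationships`, which get the same default further down — silently stamps relationships with the highest source reliability instead of the level the operator configured; because reliability is what analysts and downstream automation use to weigh these relationships, a `None` default resolved to the configured value, or a required parameter, would make an omission visible rather than quietly overstate confidence. The docstring that opens at the end of the hunk should also describe the new argument, e.g. `reliability (str): Source reliability stamped on each relationship; defaults to A++.` — its Args section continues outside the hunk, so I cannot see whether it was updated. The function body continues past the hunk as well.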
@@ -439,7 +443,10 @@ def create_publications(publications_data: list) -> list:
 
 
 def create_threat_object_relationships(
- threat_obj: dict[str, Any], threat_object_name: str, threat_class: str
+ threat_obj: dict[str, Any],
+ threat_object_name: str,
+ threat_class: str,
+ reliability: str = DBotScoreReliability.A_PLUS_PLUS,
 ) -> list[EntityRelationship]:
 """
 Create threat object relationships from related_threat_objects
@@ -469,7 +476,7 @@ def create_threat_object_relationships(
 entity_a_type=INDICATOR_TYPE_MAPPING[threat_class],
 entity_b=related_name,
 entity_b_type=INDICATOR_TYPE_MAPPING[related_class],
- source_reliability=DBotScoreReliability.A_PLUS_PLUS,
+ source_reliability=reliability,
 brand=INTEGRATION_NAME,
 )
 relationships.append(entity_relationship.to_entry())
@@ -478,7 +485,10 @@ def create_threat_object_relationships(
 
 
 def create_campaigns_relationships(
- threat_obj: dict[str, Any], threat_object_name: str, threat_class: str
+ threat_obj: dict[str, Any],
+ threat_object_name: str,
+ threat_class: str,
+ reliability: str = DBotScoreReliability.A_PLUS_PLUS,
 ) -> list[EntityRelationship]:
 """
 Create campaigns relationships from campaigns list
@@ -502,7 +512,7 @@ def create_campaigns_relationships(
 entity_a_type=INDICATOR_TYPE_MAPPING[threat_class],
 entity_b=string_to_table_header(campaign),
 entity_b_type=ThreatIntel.ObjectsNames.CAMPAIGN,
- source_reliability=DBotScoreReliability.A_PLUS_PLUS,
+ source_reliability=reliability,
 brand=INTEGRATION_NAME,
 )
 relationships.append(entity_relationship.to_entry())
@@ -511,7 +521,10 @@ def create_campaigns_relationships(
 
 
 def create_attack_patterns_relationships(
- threat_obj: dict[str, Any], threat_actor_name: str, threat_class: str
+ threat_obj: dict[str, Any],
+ threat_actor_name: str,
+ threat_class: str,
+ reliability: str = DBotScoreReliability.A_PLUS_PLUS,
 ) -> list[EntityRelationship]:
 """
 Create attack patterns relationships from attack patterns associations
@@ -546,7 +559,7 @@ def create_attack_patterns_relationships(
 entity_a_type=INDICATOR_TYPE_MAPPING[threat_class],
 entity_b=string_to_table_header(pattern_name),
 entity_b_type=ThreatIntel.ObjectsNames.ATTACK_PATTERN,
- source_reliability=DBotScoreReliability.A_PLUS_PLUS,
+ source_reliability=reliability,
 brand=INTEGRATION_NAME,
 )
 relationships.append(entity_relationship.to_entry())
@@ -555,7 +568,10 @@ def create_attack_patterns_relationships(
 
 
 def create_malware_relationships(
- threat_obj: dict[str, Any], threat_actor_name: str, threat_class: str
+ threat_obj: dict[str, Any],
+ threat_actor_name: str,
+ threat_class: str,
+ reliability: str = DBotScoreReliability.A_PLUS_PLUS,
 ) -> list[EntityRelationship]:
 """
 Create malware relationships from malware_associations
@@ -583,7 +599,7 @@ def create_malware_relationships(
 entity_a_type=INDICATOR_TYPE_MAPPING[threat_class],
 entity_b=string_to_table_header(name),
 entity_b_type=ThreatIntel.ObjectsNames.MALWARE,
- source_reliability=DBotScoreReliability.A_PLUS_PLUS,
+ source_reliability=reliability,
 brand=INTEGRATION_NAME,
 )
 relationships.append(entity_relationship.to_entry())
@@ -596,7 +612,7 @@ def create_malware_relationships(
 entity_a_type=INDICATOR_TYPE_MAPPING[threat_class],
 entity_b=string_to_table_header(alias),
 entity_b_type=ThreatIntel.ObjectsNames.MALWARE,
- source_reliability=DBotScoreReliability.A_PLUS_PLUS,
+ source_reliability=reliability,
 brand=INTEGRATION_NAME,
 )
 relationships.append(entity_relationship.to_entry())
@@ -604,7 +620,12 @@ def create_malware_relationships(
 return relationships
 
 
-def create_tools_relationships(threat_obj: dict[str, Any], threat_actor_name: str, threat_class: str) -> list[EntityRelationship]:
+def create_tools_relationships(
+ threat_obj: dict[str, Any],
+ threat_actor_name: str,
+ threat_class: str,
+ reliability: str = DBotScoreReliability.A_PLUS_PLUS,
+) -> list[EntityRelationship]:
 """
 Create tools relationships from tools associations
 
@@ -629,7 +650,7 @@ def create_tools_relationships(threat_obj: dict[str, Any], threat_actor_name: st
 entity_a_type=INDICATOR_TYPE_MAPPING[threat_class],
 entity_b=string_to_table_header(tool_name),
 entity_b_type=ThreatIntel.ObjectsNames.TOOL,
- source_reliability=DBotScoreReliability.A_PLUS_PLUS,
+ source_reliability=reliability,
 brand=INTEGRATION_NAME,
 fields={"tags": f"mitre-id: {tool.get('mitreid')}" if tool.get("mitreid") else ""},
 )
@@ -639,7 +660,10 @@ def create_tools_relationships(threat_obj: dict[str, Any], threat_actor_name: st
 
 
 def create_vulnerabilities_relationships(
- threat_obj: dict[str, Any], threat_actor_name: str, threat_class: str
+ threat_obj: dict[str, Any],
+ threat_actor_name: str,
+ threat_class: str,
+ reliability: str = DBotScoreReliability.A_PLUS_PLUS,
 ) -> list[EntityRelationship]:
 """
 Create vulnerabilities relationships from vulnerabilities associations
@@ -665,7 +689,7 @@ def create_vulnerabilities_relationships(
 entity_a_type=INDICATOR_TYPE_MAPPING[threat_class],
 entity_b=cve_id.upper(),
 entity_b_type=FeedIndicatorType.CVE,
- source_reliability=DBotScoreReliability.A_PLUS_PLUS,
+ source_reliability=reliability,
 brand=INTEGRATION_NAME,
 )
 relationships.append(entity_relationship.to_entry())
@@ -674,7 +698,10 @@ def create_vulnerabilities_relationships(
 
 
 def create_actor_relationships(
- threat_obj: dict[str, Any], malware_family_name: str, threat_class: str
+ threat_obj: dict[str, Any],
+ malware_family_name: str,
+ threat_class: str,
+ reliability: str = DBotScoreReliability.A_PLUS_PLUS,
 ) -> list[EntityRelationship]:
 """
 Create actor relationships from actor_associations
@@ -703,7 +730,7 @@ def create_actor_relationships(
 entity_a_type=INDICATOR_TYPE_MAPPING[threat_class],
 entity_b=string_to_table_header(alias),
 entity_b_type=ThreatIntel.ObjectsNames.THREAT_ACTOR,
- source_reliability=DBotScoreReliability.A_PLUS_PLUS,
+ source_reliability=reliability,
 brand=INTEGRATION_NAME,
 )
 relationships.append(entity_relationship.to_entry())
@@ -715,7 +742,7 @@ def create_actor_relationships(
 entity_a_type=INDICATOR_TYPE_MAPPING[threat_class],
 entity_b=string_to_table_header(name),
 entity_b_type=ThreatIntel.ObjectsNames.THREAT_ACTOR,
- source_reliability=DBotScoreReliability.A_PLUS_PLUS,
+ source_reliability=reliability,
 brand=INTEGRATION_NAME,
 )
 relationships.append(entity_relationship.to_entry())
@@ -723,7 +750,11 @@ def create_actor_relationships(
 return relationships
 
 
-def create_location_indicators_and_relationships(threat_obj: dict[str, Any], threat_actor_name: str) -> list[dict[str, Any]]:
+def create_location_indicators_and_relationships(
+ threat_obj: dict[str, Any],
+ threat_actor_name: str,
+ reliability: str = DBotScoreReliability.A_PLUS_PLUS,
+) -> list[dict[str, Any]]:
 """
 Create location indicators from affected regions and origin field and build relationships
 
@@ -760,7 +791,7 @@ def create_location_indicators_and_relationships(threat_obj: dict[str, Any], thr
 entity_a_type=ThreatIntel.ObjectsNames.THREAT_ACTOR,
 entity_b=standardized_region,
 entity_b_type=FeedIndicatorType.Location,
- source_reliability=DBotScoreReliability.A_PLUS_PLUS,
+ source_reliability=reliability,
 brand=INTEGRATION_NAME,
 )
 
@@ -830,13 +861,13 @@ def create_threat_object_indicators(
 
 # Create relationships
 relationships = []
- relationships += create_threat_object_relationships(threat_obj, name, threat_class)
- relationships += create_campaigns_relationships(threat_obj, name, threat_class)
- relationships += create_attack_patterns_relationships(threat_obj, name, threat_class)
- relationships += create_malware_relationships(threat_obj, name, threat_class)
- relationships += create_tools_relationships(threat_obj, name, threat_class)
- relationships += create_vulnerabilities_relationships(threat_obj, name, threat_class)
- relationships += create_actor_relationships(threat_obj, name, threat_class)
+ relationships += create_threat_object_relationships(threat_obj, name, threat_class, reliability)
+ relationships += create_campaigns_relationships(threat_obj, name, threat_class, reliability)
+ relationships += create_attack_patterns_relationships(threat_obj, name, threat_class, reliability)
+ relationships += create_malware_relationships(threat_obj, name, threat_class, reliability)
+ relationships += create_tools_relationships(threat_obj, name, threat_class, reliability)
+ relationships += create_vulnerabilities_relationships(threat_obj, name, threat_class, reliability)
+ relationships += create_actor_relationships(threat_obj, name, threat_class, reliability)
 
 # Create fields with threat object details
 fields = {
@@ -867,7 +898,7 @@ def create_threat_object_indicators(
 indicators.append(indicator_data)
 
 # Create location indicators from affected regions
- location_indicators = create_location_indicators_and_relationships(threat_obj, name)
+ location_indicators = create_location_indicators_and_relationships(threat_obj, name, reliability)
 indicators.extend(location_indicators)
 
 return indicators
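Review bot: `reliability` is used here as a bare name that this diff does not introduce anywhere, so it must already be a parameter or local of `create_threat_object_indicators`, whose signature starts above the hunk; it is worth confirming it is bound from the configured `client.reliability` at the call sites rather than from a module-level constant, otherwise the relationships built here will carry a different reliability than the parent indicator's DBot score. If the name were not in scope the failure would surface only at runtime when `create_threat_object_indicators_flag` is set, which a unit test exercising that flag with a non-default reliability would catch. The enclosing function starts and ends outside the hunk.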
@@ -981,7 +1012,7 @@ def ip_command(client: Client, args: dict[str, Any]) -> CommandResults:
 ip_indicator = Common.IP(ip=ip, dbot_score=dbot_score, tags=tags, malware_family=malware_families)
 
 # Create relationships
- relationships = create_relationships(ip, FeedIndicatorType.IP, threat_objects, create_relationships_flag)
+ relationships = create_relationships(ip, FeedIndicatorType.IP, threat_objects, create_relationships_flag, client.reliability)
 
 # Create indicators from relationships
 if create_threat_object_indicators_flag:
@@ -1044,7 +1075,7 @@ def domain_command(client: Client, args: dict[str, Any]) -> CommandResults:
 domain_indicator = Common.Domain(domain=domain, dbot_score=dbot_score, tags=tags, malware_family=malware_families)
 
 # Create relationships
- relationships = create_relationships(domain, FeedIndicatorType.Domain, threat_objects, create_relationships_flag)
+ relationships = create_relationships(domain, FeedIndicatorType.Domain, threat_objects, create_relationships_flag, client.reliability)
 
 # Create indicators from relationships
 if create_threat_object_indicators_flag:
@@ -1107,7 +1138,7 @@ def url_command(client: Client, args: dict[str, Any]) -> CommandResults:
 url_indicator = Common.URL(url=url, dbot_score=dbot_score, tags=tags, malware_family=malware_families)
 
 # Create relationships
- relationships = create_relationships(url, FeedIndicatorType.URL, threat_objects, create_relationships_flag)
+ relationships = create_relationships(url, FeedIndicatorType.URL, threat_objects, create_relationships_flag, client.reliability)
 
 # Create indicators from relationships
 if create_threat_object_indicators_flag:
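Review bot: `client.reliability` is passed positionally as the fifth argument of a function whose fourth parameter is a bool named after the function itself, which is easy to misread; `reliability=client.reliability` would be self-documenting, and the four call lines (here and in `domain_command`, `url_command` and `file_command` in the following hunks) now appear to exceed the repository's line-length limit, so they will likely need to be wrapped for the linter. I cannot see where `Client.reliability` is set; if it is taken straight from the integration's reliability parameter, it should be validated with `DBotScoreReliability.is_valid_type` at client construction so a mistyped setting fails the command instead of being written into every relationship as an unrecognised reliability string. None of the four hunks comes with a test asserting that a non-default configured reliability reaches `source_reliability`, which is the behaviour the release note advertises. Each enclosing command function continues outside its hunk.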
@@ -1188,7 +1219,7 @@ def file_command(client: Client, args: dict[str, Any]) -> CommandResults:
 )
 
 # Create relationships
- relationships = create_relationships(file_hash, FeedIndicatorType.File, threat_objects, create_relationships_flag)
+ relationships = create_relationships(file_hash, FeedIndicatorType.File, threat_objects, create_relationships_flag, client.reliability)
 
 # Create indicators from relationships
 if create_threat_object_indicators_flag:
diff --git a/Packs/Unit42ThreatIntelligencebyPaloAltoNetworks/ReleaseNotes/1_0_12.md b/Packs/Unit42ThreatIntelligencebyPaloAltoNetworks/ReleaseNotes/1_0_12.md
new file mode 100644
index 000000000000..89dff56b3b76
--- /dev/null
+++ b/Packs/Unit42ThreatIntelligencebyPaloAltoNetworks/ReleaseNotes/1_0_12.md
@@ -0,0 +1,5 @@
+#### Integrations
+
+##### Unit 42 Intelligence
+
+- Changed `create_relationships` to use the `reliability` parameter for `source_reliability`, allowing for configurable reliability levels.
diff --git a/Packs/Unit42ThreatIntelligencebyPaloAltoNetworks/pack_metadata.json b/Packs/Unit42ThreatIntelligencebyPaloAltoNetworks/pack_metadata.json
index 15ba65ebd2ec..b9e2f40dec87 100644
--- a/Packs/Unit42ThreatIntelligencebyPaloAltoNetworks/pack_metadata.json
+++ b/Packs/Unit42ThreatIntelligencebyPaloAltoNetworks/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Unit 42 Threat Intelligence by Palo Alto Networks",
 "description": "Use the Unit 42 Threat Intelligence by Palo Alto Networks integrations to enrich indicators with threat intelligence data and fetch threat intelligence feeds.",
 "support": "xsoar",
- "currentVersion": "1.0.11",
+ "currentVersion": "1.0.12",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
@@ -49,4 +49,4 @@
 "cloud_runtime_security",
 "cloud_posture"
 ]
-}
\ No newline at end of file
+}