@@ -0,0 +1,3 @@
[
"Maximilian Lehrbaum"
]
Expand Up @@ -267,7 +267,11 @@ def remove_mitre_technique_id_prefix(threat_name: str) -> str:


def create_relationships(
indicator: str, indicator_type: str, threat_objects: list[dict[str, Any]], create_relationships: bool
indicator: str,
indicator_type: str,
threat_objects: list[dict[str, Any]],
create_relationships: bool,
reliability: str = DBotScoreReliability.A_PLUS_PLUS,

Please update the docstring to include the new reliability parameter.

This also applies to the following functions where the parameter was added:

  • create_threat_object_relationships
  • create_campaigns_relationships
  • create_attack_patterns_relationships
  • create_malware_relationships
  • create_tools_relationships
  • create_vulnerabilities_relationships
  • create_actor_relationships
  • create_location_indicators_and_relationships

) -> list[EntityRelationship]:
"""
Create relationships between indicator and threat objects
Expand Down Expand Up @@ -305,7 +309,7 @@ def create_relationships(
entity_a_type=indicator_type,
entity_b=threat_name,
entity_b_type=INDICATOR_TYPE_MAPPING[threat_class],
source_reliability=DBotScoreReliability.A_PLUS_PLUS,
source_reliability=reliability,
brand=INTEGRATION_NAME,
)
relationships.append(relationship)
Expand Down Expand Up @@ -439,7 +443,10 @@ def create_publications(publications_data: list) -> list:


def create_threat_object_relationships(
threat_obj: dict[str, Any], threat_object_name: str, threat_class: str
threat_obj: dict[str, Any],
threat_object_name: str,
threat_class: str,
reliability: str = DBotScoreReliability.A_PLUS_PLUS,
) -> list[EntityRelationship]:
"""
Create threat object relationships from related_threat_objects
Expand Down Expand Up @@ -469,7 +476,7 @@ def create_threat_object_relationships(
entity_a_type=INDICATOR_TYPE_MAPPING[threat_class],
entity_b=related_name,
entity_b_type=INDICATOR_TYPE_MAPPING[related_class],
source_reliability=DBotScoreReliability.A_PLUS_PLUS,
source_reliability=reliability,
brand=INTEGRATION_NAME,
)
relationships.append(entity_relationship.to_entry())
Expand All @@ -478,7 +485,10 @@ def create_threat_object_relationships(


def create_campaigns_relationships(
threat_obj: dict[str, Any], threat_object_name: str, threat_class: str
threat_obj: dict[str, Any],
threat_object_name: str,
threat_class: str,
reliability: str = DBotScoreReliability.A_PLUS_PLUS,
) -> list[EntityRelationship]:
"""
Create campaigns relationships from campaigns list
Expand All @@ -502,7 +512,7 @@ def create_campaigns_relationships(
entity_a_type=INDICATOR_TYPE_MAPPING[threat_class],
entity_b=string_to_table_header(campaign),
entity_b_type=ThreatIntel.ObjectsNames.CAMPAIGN,
source_reliability=DBotScoreReliability.A_PLUS_PLUS,
source_reliability=reliability,
brand=INTEGRATION_NAME,
)
relationships.append(entity_relationship.to_entry())
Expand All @@ -511,7 +521,10 @@ def create_campaigns_relationships(


def create_attack_patterns_relationships(
threat_obj: dict[str, Any], threat_actor_name: str, threat_class: str
threat_obj: dict[str, Any],
threat_actor_name: str,
threat_class: str,
reliability: str = DBotScoreReliability.A_PLUS_PLUS,
) -> list[EntityRelationship]:
"""
Create attack patterns relationships from attack patterns associations
Expand Down Expand Up @@ -546,7 +559,7 @@ def create_attack_patterns_relationships(
entity_a_type=INDICATOR_TYPE_MAPPING[threat_class],
entity_b=string_to_table_header(pattern_name),
entity_b_type=ThreatIntel.ObjectsNames.ATTACK_PATTERN,
source_reliability=DBotScoreReliability.A_PLUS_PLUS,
source_reliability=reliability,
brand=INTEGRATION_NAME,
)
relationships.append(entity_relationship.to_entry())
Expand All @@ -555,7 +568,10 @@ def create_attack_patterns_relationships(


def create_malware_relationships(
threat_obj: dict[str, Any], threat_actor_name: str, threat_class: str
threat_obj: dict[str, Any],
threat_actor_name: str,
threat_class: str,
reliability: str = DBotScoreReliability.A_PLUS_PLUS,
) -> list[EntityRelationship]:
"""
Create malware relationships from malware_associations
Expand Down Expand Up @@ -583,7 +599,7 @@ def create_malware_relationships(
entity_a_type=INDICATOR_TYPE_MAPPING[threat_class],
entity_b=string_to_table_header(name),
entity_b_type=ThreatIntel.ObjectsNames.MALWARE,
source_reliability=DBotScoreReliability.A_PLUS_PLUS,
source_reliability=reliability,
brand=INTEGRATION_NAME,
)
relationships.append(entity_relationship.to_entry())
Expand All @@ -596,15 +612,20 @@ def create_malware_relationships(
entity_a_type=INDICATOR_TYPE_MAPPING[threat_class],
entity_b=string_to_table_header(alias),
entity_b_type=ThreatIntel.ObjectsNames.MALWARE,
source_reliability=DBotScoreReliability.A_PLUS_PLUS,
source_reliability=reliability,
brand=INTEGRATION_NAME,
)
relationships.append(entity_relationship.to_entry())

return relationships


def create_tools_relationships(threat_obj: dict[str, Any], threat_actor_name: str, threat_class: str) -> list[EntityRelationship]:
def create_tools_relationships(
threat_obj: dict[str, Any],
threat_actor_name: str,
threat_class: str,
reliability: str = DBotScoreReliability.A_PLUS_PLUS,
) -> list[EntityRelationship]:
"""
Create tools relationships from tools associations

Expand All @@ -629,7 +650,7 @@ def create_tools_relationships(threat_obj: dict[str, Any], threat_actor_name: st
entity_a_type=INDICATOR_TYPE_MAPPING[threat_class],
entity_b=string_to_table_header(tool_name),
entity_b_type=ThreatIntel.ObjectsNames.TOOL,
source_reliability=DBotScoreReliability.A_PLUS_PLUS,
source_reliability=reliability,
brand=INTEGRATION_NAME,
fields={"tags": f"mitre-id: {tool.get('mitreid')}" if tool.get("mitreid") else ""},
)
Expand All @@ -639,7 +660,10 @@ def create_tools_relationships(threat_obj: dict[str, Any], threat_actor_name: st


def create_vulnerabilities_relationships(
threat_obj: dict[str, Any], threat_actor_name: str, threat_class: str
threat_obj: dict[str, Any],
threat_actor_name: str,
threat_class: str,
reliability: str = DBotScoreReliability.A_PLUS_PLUS,
) -> list[EntityRelationship]:
"""
Create vulnerabilities relationships from vulnerabilities associations
Expand All @@ -665,7 +689,7 @@ def create_vulnerabilities_relationships(
entity_a_type=INDICATOR_TYPE_MAPPING[threat_class],
entity_b=cve_id.upper(),
entity_b_type=FeedIndicatorType.CVE,
source_reliability=DBotScoreReliability.A_PLUS_PLUS,
source_reliability=reliability,
brand=INTEGRATION_NAME,
)
relationships.append(entity_relationship.to_entry())
Expand All @@ -674,7 +698,10 @@ def create_vulnerabilities_relationships(


def create_actor_relationships(
threat_obj: dict[str, Any], malware_family_name: str, threat_class: str
threat_obj: dict[str, Any],
malware_family_name: str,
threat_class: str,
reliability: str = DBotScoreReliability.A_PLUS_PLUS,
) -> list[EntityRelationship]:
"""
Create actor relationships from actor_associations
Expand Down Expand Up @@ -703,7 +730,7 @@ def create_actor_relationships(
entity_a_type=INDICATOR_TYPE_MAPPING[threat_class],
entity_b=string_to_table_header(alias),
entity_b_type=ThreatIntel.ObjectsNames.THREAT_ACTOR,
source_reliability=DBotScoreReliability.A_PLUS_PLUS,
source_reliability=reliability,
brand=INTEGRATION_NAME,
)
relationships.append(entity_relationship.to_entry())
Expand All @@ -715,15 +742,19 @@ def create_actor_relationships(
entity_a_type=INDICATOR_TYPE_MAPPING[threat_class],
entity_b=string_to_table_header(name),
entity_b_type=ThreatIntel.ObjectsNames.THREAT_ACTOR,
source_reliability=DBotScoreReliability.A_PLUS_PLUS,
source_reliability=reliability,
brand=INTEGRATION_NAME,
)
relationships.append(entity_relationship.to_entry())

return relationships


def create_location_indicators_and_relationships(threat_obj: dict[str, Any], threat_actor_name: str) -> list[dict[str, Any]]:
def create_location_indicators_and_relationships(
threat_obj: dict[str, Any],
threat_actor_name: str,
reliability: str = DBotScoreReliability.A_PLUS_PLUS,
) -> list[dict[str, Any]]:
"""
Create location indicators from affected regions and origin field and build relationships

Expand Down Expand Up @@ -760,7 +791,7 @@ def create_location_indicators_and_relationships(threat_obj: dict[str, Any], thr
entity_a_type=ThreatIntel.ObjectsNames.THREAT_ACTOR,
entity_b=standardized_region,
entity_b_type=FeedIndicatorType.Location,
source_reliability=DBotScoreReliability.A_PLUS_PLUS,
source_reliability=reliability,
brand=INTEGRATION_NAME,
)

Expand Down Expand Up @@ -830,13 +861,13 @@ def create_threat_object_indicators(

# Create relationships
relationships = []
relationships += create_threat_object_relationships(threat_obj, name, threat_class)
relationships += create_campaigns_relationships(threat_obj, name, threat_class)
relationships += create_attack_patterns_relationships(threat_obj, name, threat_class)
relationships += create_malware_relationships(threat_obj, name, threat_class)
relationships += create_tools_relationships(threat_obj, name, threat_class)
relationships += create_vulnerabilities_relationships(threat_obj, name, threat_class)
relationships += create_actor_relationships(threat_obj, name, threat_class)
relationships += create_threat_object_relationships(threat_obj, name, threat_class, reliability)
relationships += create_campaigns_relationships(threat_obj, name, threat_class, reliability)
relationships += create_attack_patterns_relationships(threat_obj, name, threat_class, reliability)
relationships += create_malware_relationships(threat_obj, name, threat_class, reliability)
relationships += create_tools_relationships(threat_obj, name, threat_class, reliability)
relationships += create_vulnerabilities_relationships(threat_obj, name, threat_class, reliability)
relationships += create_actor_relationships(threat_obj, name, threat_class, reliability)

# Create fields with threat object details
fields = {
Expand Down Expand Up @@ -867,7 +898,7 @@ def create_threat_object_indicators(
indicators.append(indicator_data)

# Create location indicators from affected regions
location_indicators = create_location_indicators_and_relationships(threat_obj, name)
location_indicators = create_location_indicators_and_relationships(threat_obj, name, reliability)
indicators.extend(location_indicators)

return indicators
Expand Down Expand Up @@ -981,7 +1012,7 @@ def ip_command(client: Client, args: dict[str, Any]) -> CommandResults:
ip_indicator = Common.IP(ip=ip, dbot_score=dbot_score, tags=tags, malware_family=malware_families)

# Create relationships
relationships = create_relationships(ip, FeedIndicatorType.IP, threat_objects, create_relationships_flag)
relationships = create_relationships(ip, FeedIndicatorType.IP, threat_objects, create_relationships_flag, client.reliability)

# Create indicators from relationships
if create_threat_object_indicators_flag:
Expand Down Expand Up @@ -1044,7 +1075,7 @@ def domain_command(client: Client, args: dict[str, Any]) -> CommandResults:
domain_indicator = Common.Domain(domain=domain, dbot_score=dbot_score, tags=tags, malware_family=malware_families)

# Create relationships
relationships = create_relationships(domain, FeedIndicatorType.Domain, threat_objects, create_relationships_flag)
relationships = create_relationships(domain, FeedIndicatorType.Domain, threat_objects, create_relationships_flag, client.reliability)

# Create indicators from relationships
if create_threat_object_indicators_flag:
Expand Down Expand Up @@ -1107,7 +1138,7 @@ def url_command(client: Client, args: dict[str, Any]) -> CommandResults:
url_indicator = Common.URL(url=url, dbot_score=dbot_score, tags=tags, malware_family=malware_families)

# Create relationships
relationships = create_relationships(url, FeedIndicatorType.URL, threat_objects, create_relationships_flag)
relationships = create_relationships(url, FeedIndicatorType.URL, threat_objects, create_relationships_flag, client.reliability)

# Create indicators from relationships
if create_threat_object_indicators_flag:
Expand Down Expand Up @@ -1188,7 +1219,7 @@ def file_command(client: Client, args: dict[str, Any]) -> CommandResults:
)

# Create relationships
relationships = create_relationships(file_hash, FeedIndicatorType.File, threat_objects, create_relationships_flag)
relationships = create_relationships(file_hash, FeedIndicatorType.File, threat_objects, create_relationships_flag, client.reliability)

# Create indicators from relationships
if create_threat_object_indicators_flag:
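Review bot: The new `reliability` parameter defaults to `DBotScoreReliability.A_PLUS_PLUS` on all nine helpers, so any caller not updated in this diff still emits relationships stamped with the highest reliability regardless of what the user configured for the integration, which silently undoes the purpose of the change. Every call site visible here passes the value explicitly (the seven calls in `create_threat_object_indicators`, the `create_location_indicators_and_relationships` call, and the four `*_command` functions), so consider dropping the default, `reliability: str,`, so that a missed caller fails loudly instead of over-stating source reliability; if callers outside this diff depend on the default, keep it but make that choice explicit. `create_threat_object_indicators` now reads `reliability` in its body (new lines 861–867 and 898) but its signature and the start of the function lie outside the hunk; confirm that the name is a parameter of that function and not a module-level or leaked binding. It is also worth confirming that `client.reliability` is validated against the `DBotScoreReliability` values at configuration time (e.g. with `DBotScoreReliability.is_valid_type`) before it is written into every relationship's `source_reliability`.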
@@ -0,0 +1,5 @@
#### Integrations

##### Unit 42 Intelligence

- Changed `create_relationships` to use the `reliability` parameter for `source_reliability`, allowing for configurable reliability levels.
Expand Up @@ -2,7 +2,7 @@
"name": "Unit 42 Threat Intelligence by Palo Alto Networks",
"description": "Use the Unit 42 Threat Intelligence by Palo Alto Networks integrations to enrich indicators with threat intelligence data and fetch threat intelligence feeds.",
"support": "xsoar",
"currentVersion": "1.0.11",
"currentVersion": "1.0.12",
"author": "Cortex XSOAR",
"url": "https://www.paloaltonetworks.com/cortex",
"email": "",
Expand Down Expand Up @@ -49,4 +49,4 @@
"cloud_runtime_security",
"cloud_posture"
]
}
}