
CI
pabloperezj committed Sep 21, 2024
1 parent c0703a0 commit c2fb359
Showing 6 changed files with 47 additions and 96 deletions.
Expand Up @@ -74,7 +74,7 @@ def test_fetch_indicators_command(mocker):
'detectionengines', 'positivedetections', 'displayname', 'name', 'size',
'gtithreatscore', 'gtiseverity', 'gtiverdict', 'actor', 'malwarefamily',
}
assert indicator['value'] == '9ceef6e3194cb4babe53863b686a012be4a1b368aca7c108df80b77adb5a1c25'
assert indicator['value'] == '<sha256>'
assert indicator['value'] == indicator['fields']['sha256']
assert indicator['origin'] == 'hunting'
assert indicator['sources'] == '[hunting_ruleset] Malware Families YARA ruleset'
Expand All @@ -86,25 +86,25 @@ def test_fetch_indicators_command(mocker):
'tags', 'creationdate', 'updateddate', 'detectionengines', 'positivedetections',
'gtithreatscore', 'gtiseverity', 'gtiverdict', 'actor', 'malwarefamily',
}
assert indicator['value'] == 'account-facebook.com'
assert indicator['fields']['adminemail'] == 'c215fc66323f439as@knowbe4.com'
assert indicator['value'] == '<domain>'
assert indicator['fields']['adminemail'] == '<admin_email>@google.com'
assert indicator['fields']['registrantcountry'] == 'US'
assert indicator['fields']['registrarabusephone'] == '+1.2024422253'
assert indicator['fields']['registrarabusephone'] == '+34 600 000 000'
elif indicator['type'] == FeedIndicatorType.URL:
assert set(indicator['fields'].keys()) == {
'tags', 'firstseenbysource', 'lastseenbysource', 'updateddate',
'detectionengines', 'positivedetections',
'gtithreatscore', 'gtiseverity', 'gtiverdict', 'actor', 'malwarefamily',
}
assert indicator['value'] == 'https://www.leparisien.wf/politique/Jupiter-et-une-bande-d'
assert indicator['value'] == '<url>'
assert indicator['fields']['firstseenbysource'] == 1722360511
elif indicator['type'] == FeedIndicatorType.IP:
assert set(indicator['fields'].keys()) == {
'tags', 'firstseenbysource', 'lastseenbysource', 'updateddate',
'detectionengines', 'positivedetections', 'countrycode',
'gtithreatscore', 'gtiseverity', 'gtiverdict', 'actor', 'malwarefamily',
}
assert indicator['value'] == '8.8.8.8'
assert indicator['value'] == 'X.X.X.X'
assert indicator['fields']['countrycode'] == 'US'
else:
raise ValueError(f'Unknown type: {indicator["type"]}')
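Review bot: The new expected values `'<sha256>'`, `'<domain>'`, `'<url>'` and `'X.X.X.X'` are not well-formed for their indicator types, so if the feed or XSOAR's indicator ingestion validates or normalises values by format, these assertions now pass only because fixture and test were changed together and that path is no longer exercised. Sanitising fixtures is the right move, but reserved synthetic values keep the shape: `'example.com'` (RFC 2606), `'192.0.2.1'` (RFC 5737 TEST-NET-1), `'https://example.com/path'`, and a 64-hex-character dummy digest for the sha256. The same applies to `'<admin_email>@google.com'`: a fixture should not point at a real organisation's mail domain, and `@example.com` is the conventional choice. test_fetch_indicators_command begins before this hunk.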
@@ -1,5 +1,5 @@
{
"id": "account-facebook.com",
"id": "<domain>",
"type": "domain",
"attributes": {
"last_modification_date": 1726690020,
Expand All @@ -9,7 +9,7 @@
"mandiant_ic_score": 84,
"registrar": "Amazon Registrar, Inc.",
"last_dns_records_date": 1726675835,
"whois": "Admin City: Clearwater\nAdmin Country: US\nAdmin Email: [email protected]\nAdmin Organization: Knowbe4\nAdmin Postal Code: 33755\nAdmin State/Province: FL\nCreation Date: 2020-12-07T20:18:23Z\nDNSSEC: unsigned\nDomain Name: ACCOUNT-FACEBOOK.COM\nDomain Name: account-facebook.com\nDomain Status: ok https://icann.org/epp#ok\nName Server: NS-1381.AWSDNS-44.ORG\nName Server: NS-1693.AWSDNS-19.CO.UK\nName Server: NS-330.AWSDNS-41.COM\nName Server: NS-537.AWSDNS-03.NET\nRegistrant City: 9f17c16e0cbd11e5\nRegistrant Country: US\nRegistrant Email: [email protected]\nRegistrant Fax Ext: 3432650ec337c945\nRegistrant Fax: 3432650ec337c945\nRegistrant Name: 24277ff58446df8f\nRegistrant Organization: c25274193b9137ef\nRegistrant Phone Ext: 3432650ec337c945\nRegistrant Phone: 6099a769d1923d4a\nRegistrant Postal Code: f28adb1ee249d449\nRegistrant State/Province: 6eb233f5a5adbed8\nRegistrant Street: 7d57c43d3cfd7338\nRegistrar Abuse Contact Email: [email protected]\nRegistrar Abuse Contact Phone: +1.2024422253\nRegistrar IANA ID: 468\nRegistrar Registration Expiration Date: 2024-12-07T20:18:23Z\nRegistrar URL: http://registrar.amazon.com\nRegistrar URL: https://registrar.amazon.com\nRegistrar WHOIS Server: whois.registrar.amazon\nRegistrar WHOIS Server: whois.registrar.amazon.com\nRegistrar: Amazon Registrar, Inc.\nRegistry Admin ID: Not Available From Registry\nRegistry Domain ID: 2577160164_DOMAIN_COM-VRSN\nRegistry Expiry Date: 2024-12-07T20:18:23Z\nRegistry Registrant ID: Not Available From Registry\nRegistry Tech ID: Not Available From Registry\nTech City: Clearwater\nTech Country: US\nTech Email: [email protected]\nTech Organization: Knowbe4\nTech Postal Code: 33755\nTech State/Province: FL\nUpdated Date: 2023-11-03T22:57:14Z",
"whois": "Admin City: Clearwater\nAdmin Country: US\nAdmin Email: <admin_email>@google.com\nAdmin Organization: <Admin Org>\nAdmin Postal Code: 33755\nAdmin State/Province: FL\nCreation Date: 2020-12-07T20:18:23Z\nDNSSEC: unsigned\nDomain Name: <Domain Name>\nDomain Status: OK\nName Server: <Name Server>\nRegistrant City: 9f17c16e0cbd11e5\nRegistrant Country: US\nRegistrant Email: <registrant_email>@google.com\nRegistrant Fax Ext: 3432650ec337c945\nRegistrant Fax: 3432650ec337c945\nRegistrant Name: 24277ff58446df8f\nRegistrant Organization: c25274193b9137ef\nRegistrant Phone Ext: 3432650ec337c945\nRegistrant Phone: 6099a769d1923d4a\nRegistrant Postal Code: f28adb1ee249d449\nRegistrant State/Province: 6eb233f5a5adbed8\nRegistrant Street: 7d57c43d3cfd7338\nRegistrar Abuse Contact Email: <abuse>@google.com\nRegistrar Abuse Contact Phone: +34 600 000 000\nRegistrar IANA ID: <IANA ID>\nRegistrar Registration Expiration Date: 2024-12-07T20:18:23Z\nRegistrar URL: <Registrar URL>\nRegistrar URL: <Registrar URL>\nRegistrar WHOIS Server: <Registrar WHOIS Server>\nRegistrar: <Registrar>\nRegistry Admin ID: Not Available From Registry\nRegistry Domain ID: <Registry Domain ID>\nRegistry Expiry Date: 2024-12-07T20:18:23Z\nRegistry Registrant ID: Not Available From Registry\nRegistry Tech ID: Not Available From Registry\nTech City: Clearwater\nTech Country: US\nTech Email: <tech_email>@google.com\nTech Organization: <Tech Org>\nTech Postal Code: 33755\nTech State/Province: FL\nUpdated Date: 2023-11-03T22:57:14Z",
"last_https_certificate_date": 1593568953,
"threat_verdict": "VERDICT_UNDETECTED",
"whois_date": 1724217310,
Expand All @@ -28,13 +28,13 @@
"attribution": {
"detailed_threat_actors": [
{
"name": "UNC2710",
"name": "<TA_name>",
"source": "Mandiant",
"id": "threat-actor--31613362-0ea7-596b-8941-8ede904e98ac"
"id": "<TA_id>"
}
],
"threat_actors": [
"UNC2710"
"<TA_name>"
]
},
"total_votes": {
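Review bot: The whois redaction on this line is partial: `Admin City: Clearwater`, `Admin State/Province: FL`, `Admin Postal Code: 33755` (and the same Tech fields) plus the original `Creation Date`, `Expiry Date` and `Updated Date` timestamps survive next to the placeholder emails, so the fixture still identifies the original registrant's location and record. If the intent is to strip real-world data, replace those too (e.g. `Admin City: <City>`, `Admin Postal Code: 00000`) so the whole string is synthetic. The emails were rewritten to `@google.com`, which is a live domain; the reserved `example.com` is the safe choice for test data.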
@@ -1,10 +1,10 @@
{
"id": "9ceef6e3194cb4babe53863b686a012be4a1b368aca7c108df80b77adb5a1c25",
"id": "<sha256>",
"type": "file",
"attributes": {
"type_description": "Win32 EXE",
"tlsh": "T155069E15A6D82B64E7F35FB2217B871007797E45885B929E1660A04F0C33F5CDEB2F29",
"vhash": "036046651d6510b8z201cpz31zd025z",
"tlsh": "<tlsh>",
"vhash": "<vhash>",
"exiftool": {
"MIMEType": "application/octet-stream",
"Subsystem": "Windows GUI",
Expand Down Expand Up @@ -47,7 +47,7 @@
],
"creation_date": 1290243788,
"names": [
"6a650da84adf6e3356227cc8890a9ee7.virus"
"<name>.virus"
],
"last_modification_date": 1635959808,
"type_tag": "peexe",
Expand All @@ -57,43 +57,11 @@
"malicious": 0
},
"size": 3723264,
"popular_threat_classification": {
"vhash_cluster_name": [
"forgiving",
"unhealthful",
"swordsmanship"
],
"suggested_threat_label": "trojan.wannacry/wannacryptor",
"popular_threat_category": [
{
"count": 23,
"value": "trojan"
},
{
"count": 21,
"value": "ransomware"
}
],
"popular_threat_name": [
{
"count": 10,
"value": "wannacry"
},
{
"count": 7,
"value": "wannacryptor"
},
{
"count": 6,
"value": "wannacrypt"
}
]
},
"authentihash": "7adeabbcb861b786990dab55a6030a8b56ea2a2df7b2e38e09b6b3de747ce0f7",
"authentihash": "<authentihash>",
"last_submission_date": 1635952526,
"meaningful_name": "6a650da84adf6e3356227cc8890a9ee7.virus",
"meaningful_name": "<name>.virus",
"downloadable": true,
"sha256": "9ceef6e3194cb4babe53863b686a012be4a1b368aca7c108df80b77adb5a1c25",
"sha256": "<sha256>",
"type_extension": "exe",
"tags": [
"peexe",
Expand All @@ -103,15 +71,15 @@
"last_analysis_date": 1635952526,
"unique_sources": 1,
"first_submission_date": 1635952526,
"sha1": "f13339bc7527261c3552cc37c619f33ca04c1321",
"ssdeep": "12288:GwbLgPluCtgQbaIMu7L5NVErCA4z2g6rTcbckPU82900Ve7zw+K+D85SQeuB8:Vb+8",
"bloom": "eNozqDA0oC2glvlGBqOAjsBiNAhGwSgYisBkkGb10SJlJAEAAXSRWA==\n",
"sha1": "<sha1>",
"ssdeep": "<ssdeep>",
"bloom": "<bloom>",
"packers": {
"PEiD": "Microsoft Visual C++"
},
"md5": "6a650da84adf6e3356227cc8890a9ee7",
"md5": "<md5>",
"pe_info": {
"imphash": "9ecee117164e0b870a53dd187cdd7174"
"imphash": "<imphash>"
},
"magic": "PE32 executable for MS Windows (GUI) Intel 80386 32-bit",
"last_analysis_stats": {
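Review bot: `"sha256": "<sha256>"`, `"sha1": "<sha1>"`, `"md5": "<md5>"` and `"imphash": "<imphash>"` no longer have hash length or hex shape, so any logic that selects a hash field or indicator type by length, and the test's `value == fields['sha256']` check, is now exercised only with non-hash strings. Fixed dummy digests of the correct length (64, 40 and 32 `0` characters respectively) sanitise the sample while preserving the format. The `popular_threat_classification` object was dropped rather than placeholdered; if the feed reads `suggested_threat_label` or `popular_threat_category` anywhere (not visible here), that path loses fixture coverage, and keeping the object with `<label>` placeholders would avoid that.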
@@ -1,5 +1,5 @@
{
"id": "8.8.8.8",
"id": "X.X.X.X",
"type": "ip_address",
"attributes": {
"last_modification_date": 1726781178,
Expand All @@ -18,9 +18,9 @@
"first_seen_itw_date": 1409607591,
"reputation": 535,
"tags": [],
"whois": "NetRange: 8.8.8.0 - 8.8.8.255\nCIDR: 8.8.8.0/24\nNetName: GOGL\nNetHandle: NET-8-8-8-0-2\nParent: NET8 (NET-8-0-0-0-0)\nNetType: Direct Allocation\nOriginAS: \nOrganization: Google LLC (GOGL)\nRegDate: 2023-12-28\nUpdated: 2023-12-28\nRef: https://rdap.arin.net/registry/ip/8.8.8.0\nOrgName: Google LLC\nOrgId: GOGL\nAddress: 1600 Amphitheatre Parkway\nCity: Mountain View\nStateProv: CA\nPostalCode: 94043\nCountry: US\nRegDate: 2000-03-30\nUpdated: 2019-10-31\nComment: Please note that the recommended way to file abuse complaints are located in the following links. \nComment: \nComment: To report abuse and illegal activity: https://www.google.com/contact/\nComment: \nComment: For legal requests: http://support.google.com/legal \nComment: \nComment: Regards, \nComment: The Google Team\nRef: https://rdap.arin.net/registry/entity/GOGL\nOrgAbuseHandle: ABUSE5250-ARIN\nOrgAbuseName: Abuse\nOrgAbusePhone: +1-650-253-0000 \nOrgAbuseEmail: [email protected]\nOrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE5250-ARIN\nOrgTechHandle: ZG39-ARIN\nOrgTechName: Google LLC\nOrgTechPhone: +1-650-253-0000 \nOrgTechEmail: [email protected]\nOrgTechRef: https://rdap.arin.net/registry/entity/ZG39-ARIN\n",
"whois": "NetRange: X.X.X.0 - X.X.X.255\nCIDR: X.X.X.0/24\n",
"continent": "NA",
"network": "8.8.8.0/24",
"network": "X.X.X.0/24",
"threat_verdict": "VERDICT_UNDETECTED",
"country": "US",
"regional_internet_registry": "ARIN",
Expand All @@ -32,51 +32,35 @@
"attribution": {
"detailed_threat_actors": [
{
"source": "MISPGalaxy",
"name": "ToddyCat",
"id": "threat-actor--091a0b69-74de-44b6-bb12-16b7a8fd078b"
"source": "<TA_source_1>",
"name": "<TA_name_1>",
"id": "<TA_id_1>"
},
{
"source": "MISPGalaxy",
"name": "SWEED",
"id": "threat-actor--64ac8827-89d9-4738-9df3-cd955c628bee"
"source": "<TA_source_2>",
"name": "<TA_name_2>",
"id": "<TA_id_2>"
}
],
"malware_families": [
{
"source": "mandiant_backscatter",
"family": "asyncrat"
"source": "<MF_source_1>",
"family": "<MF_family_1>"
},
{
"source": "mandiant_backscatter_memdump_cape",
"family": "metasploit"
},
{
"source": "mandiant_backscatter_memdump_zenbox",
"family": "metasploit"
},
{
"source": "mandiant_backscatter",
"family": "metasploit"
},
{
"source": "mandiant_backscatter",
"family": "meterpreter"
},
{
"source": "mandiant_backscatter",
"family": "quasarrat"
"source": "<MF_source_2>",
"family": "<MF_family_2>"
}
],
"threat_actors": [
"ToddyCat",
"SWEED"
"<TA_name_1>",
"<TA_name_2>"
],
"family": "asyncrat",
"family": "<MF_family_1>",
"family_pivot": "collection:None"
},
"last_seen_itw_date": 1726766855,
"jarm": "29d3fd00029d29d00042d43d00041d598ac0c1012db967bb1ad0ff2491b3ae",
"jarm": "<jarm>",
"gti_assessment": {
"contributing_factors": {
"normalised_categories": [
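Review bot: `"id": "X.X.X.X"`, `"network": "X.X.X.0/24"` and the whois `NetRange`/`CIDR` values are not parseable IPv4 literals, so if the integration or XSOAR validates IP indicators (or the test's `FeedIndicatorType.IP` branch depends on value detection), this fixture now feeds an impossible value through that path. RFC 5737 reserves documentation space for exactly this: `"id": "192.0.2.1"`, `"network": "192.0.2.0/24"`, and `"whois": "NetRange: 192.0.2.0 - 192.0.2.255\nCIDR: 192.0.2.0/24\n"`. Trimming the ARIN contact block from the whois string is fine, but the replacement should still be a value the code could see in production.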
@@ -1,11 +1,8 @@
{
"id": "c585abf839e48d49806972b62cf7f054dd1a1207368a87d067bda72a717f3137",
"id": "<sha256>",
"type": "url",
"links": {
"self": "https://www.virustotal.com/api/v3/urls/c585abf839e48d49806972b62cf7f054dd1a1207368a87d067bda72a717f3137"
},
"attributes": {
"last_final_url": "https://www.leparisien.wf/politique/Jupiter-et-une-bande-d",
"last_final_url": "<last_final_url>",
"tags": [],
"categories": {
"Forcepoint ThreatSeeker": "elevated exposure"
Expand All @@ -18,7 +15,7 @@
"harmless": 67,
"timeout": 0
},
"url": "https://www.leparisien.wf/politique/Jupiter-et-une-bande-d",
"url": "<url>",
"threat_verdict": "VERDICT_UNDETECTED",
"reputation": 0,
"has_content": false,
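Review bot: `"url": "<url>"` and `"last_final_url": "<last_final_url>"` have no scheme or host, so the feed's URL branch is now tested with a value that is not a URL; `https://example.com/path` (RFC 2606 domain) sanitises equally well while keeping URL handling in play. The `links` object was deleted rather than placeholdered, which is fine unless some code reads `links.self` (not visible here); worth confirming before relying on the shorter fixture. The `id` here appears to be a hash-style identifier distinct from the URL value (the original was a 64-hex string), so a `<url_id>` placeholder would make that clearer than reusing `<sha256>`.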
6 changes: 4 additions & 2 deletions Packs/GoogleThreatIntelligence/ReleaseNotes/1_1_0.md
@@ -1,12 +1,14 @@

#### Indicator Fields

- New: **GTI Verdict**
- New: **GTI Severity**

- New: **GTI Threat Score**

- New: **GTI Verdict**

#### Integrations

##### New: Google Threat Intelligence IoC Stream Feed

- New: Use this feed integration to fetch Google Threat Intelligence IoC Stream notifications as indicators. (Available from Cortex XSOAR 5.5.0).
- New: Use this feed integration to fetch Google Threat Intelligence IoC Stream notifications as indicators.
