Add script to delete indicators (#37855) (#37892)

* add script to delete indicators * update contributors file * Update RNs * Fix arg validation * add README file * Update DeleteIndicators.py * Update Packs/CommunityCommonScripts/Scripts/DeleteIndicators/DeleteIndicators.py * Update Packs/CommunityCommonScripts/Scripts/DeleteIndicators/DeleteIndicators.py --------- Co-authored-by: Ali Sawyer <[email protected]> Co-authored-by: Yair Glick <[email protected]>
demisto · Jan 1, 2025 · 77946a9 · 77946a9
1 parent b54c323
commit 77946a9
Show file tree

Hide file tree

Showing 6 changed files with 114 additions and 2 deletions.
diff --git a/Packs/CommunityCommonScripts/CONTRIBUTORS.json b/Packs/CommunityCommonScripts/CONTRIBUTORS.json
@@ -1 +1 @@
-["Mandar Naik", "nikstuckenbrock", "Lizz Boice"]
+["Mandar Naik", "nikstuckenbrock", "Lizz Boice", "Ali Sawyer"]
diff --git a/Packs/CommunityCommonScripts/ReleaseNotes/1_3_9.md b/Packs/CommunityCommonScripts/ReleaseNotes/1_3_9.md
@@ -0,0 +1,6 @@
+
+#### Scripts
+
+##### New: DeleteIndicators
+
+New: Delete indicators based on query, values, or IDs.
diff --git a/Packs/CommunityCommonScripts/Scripts/DeleteIndicators/DeleteIndicators.py b/Packs/CommunityCommonScripts/Scripts/DeleteIndicators/DeleteIndicators.py
@@ -0,0 +1,45 @@
+import demistomock as demisto  # noqa: F401
+from CommonServerPython import *  # noqa: F401
+
+
+def main():
+    try:
+        args = demisto.args()
+        query = args.get('indicator_query', None)
+        indicator_vals = argToList(args.get('indicator_values', None))
+        indicator_ids = argToList(args.get('indicator_ids', None))
+        do_not_whitelist = not argToBoolean(args.get('exclude', False))
+        reason = args.get('exclusion_reason', '')
+
+        # Ensure only one argument is supplied for the list of indicators to delete
+        args = [query, indicator_vals, indicator_ids]
+        if sum(bool(arg) for arg in args) != 1:
+            return_error(
+                "Invalid input: Exactly ONE of the following arguments must be provided: "
+                "'indicator_query', 'indicator_values', or 'indicator_ids'."
+            )
+
+        if query:
+            search_query = query
+        elif indicator_vals:
+            search_query = f"value:({' '.join(indicator_vals)})"
+        elif indicator_ids:
+            search_query = f"id:({' '.join(indicator_ids)})"
+
+        res = execute_command("deleteIndicators", {
+            "query": search_query,
+            "doNotWhitelist": do_not_whitelist,
+            "reason": reason
+        })
+        if is_error(res):
+            raise Exception(res)
+        else:
+            return_results(res)
+
+    except Exception as ex:
+        demisto.error(traceback.format_exc())  # print the traceback
+        return_error(f'Failed to execute DeleteIndicators. Error: {str(ex)}')
+
+
+if __name__ in ('__main__', '__builtin__', 'builtins'):
+    main()
diff --git a/Packs/CommunityCommonScripts/Scripts/DeleteIndicators/DeleteIndicators.yml b/Packs/CommunityCommonScripts/Scripts/DeleteIndicators/DeleteIndicators.yml
@@ -0,0 +1,34 @@
+args:
+- description: Query for indicators to delete.
+  name: indicator_query
+- description: Comma-separated list of indicator values to delete.
+  name: indicator_values
+- description: Comma-separated list of indicator IDs to delete.
+  name: indicator_ids
+- auto: PREDEFINED
+  defaultValue: "false"
+  description: Whether to add the deleted indicator to the Exclusion List.
+  name: exclude
+  predefined:
+  - "true"
+  - "false"
+- description: Reason for indicator exclusion.
+  name: exclusion_reason
+comment: Delete indicators based on query, values, or IDs.
+commonfields:
+  id: 'DeleteIndicators'
+  version: -1
+dockerimage: demisto/python3:3.11.10.115186
+enabled: true
+engineinfo: {}
+name: DeleteIndicators
+runas: DBotWeakRole
+runonce: false
+script: ''
+scripttarget: 0
+subtype: python3
+tags: []
+type: python
+fromversion: 6.10.0
+tests:
+- No tests (auto formatted)
diff --git a/Packs/CommunityCommonScripts/Scripts/DeleteIndicators/README.md b/Packs/CommunityCommonScripts/Scripts/DeleteIndicators/README.md
@@ -0,0 +1,27 @@
+Delete indicators based on query, values, or IDs.
+
+## Script Data
+
+---
+
+| **Name** | **Description** |
+| --- | --- |
+| Script Type | python3 |
+| Cortex XSOAR Version | 6.10.0 |
+
+## Inputs
+
+---
+
+| **Argument Name** | **Description** |
+| --- | --- |
+| indicator_query | Query for indicators to delete. |
+| indicator_values | Comma-separated list of indicator values to delete. |
+| indicator_ids | Comma-separated list of indicator IDs to delete. |
+| exclude | Whether to add the deleted indicator to the Exclusion List. |
+| exclusion_reason | Reason for indicator exclusion. |
+
+## Outputs
+
+---
+There are no outputs for this script.
diff --git a/Packs/CommunityCommonScripts/pack_metadata.json b/Packs/CommunityCommonScripts/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Community Common Scripts",
     "description": "A pack that contains community scripts",
     "support": "community",
-    "currentVersion": "1.3.8",
+    "currentVersion": "1.3.9",
     "author": "",
     "url": "https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/bd-p/Cortex_XSOAR_Discussions",
     "email": "",
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		["Mandar Naik", "nikstuckenbrock", "Lizz Boice"]
		["Mandar Naik", "nikstuckenbrock", "Lizz Boice", "Ali Sawyer"]