Add Defender for Endpoint File Indicator to file statistics command (d…

…emisto#37022)
siscale · Nov 18, 2024 · e3cb014 · e3cb014
1 parent 6411782
commit e3cb014
Show file tree

Hide file tree

Showing 21 changed files with 933 additions and 60 deletions.
diff --git a/Packs/Base/ReleaseNotes/1_35_0.md b/Packs/Base/ReleaseNotes/1_35_0.md
@@ -0,0 +1,18 @@
+
+#### Scripts
+
+##### CommonServerPython
+
+Added new fields to `Common.File`, `Common.URL`, `Common.Domain`, `Common.IP` indicator classes: 
+
+- `organization_prevalence`
+
+- `globally_prevalence`
+
+- `organization_first_seen`
+
+- `organization_last_seen`
+
+- `first_seen_by_source`
+
+- `last_seen_by_source`
diff --git a/Packs/Base/Scripts/CommonServerPython/CommonServerPython.py b/Packs/Base/Scripts/CommonServerPython/CommonServerPython.py
diff --git a/Packs/Base/Scripts/CommonServerPython/CommonServerPython_test.py b/Packs/Base/Scripts/CommonServerPython/CommonServerPython_test.py
@@ -5819,6 +5819,7 @@ def test_create_domain(self):
             dns='dns.somedomain',
             detection_engines=10,
             positive_detections=5,
+            first_seen_by_source='2024-10-06T09:50:50.555Z',
             organization='Some Organization',
             admin_phone='18000000',
             admin_email='[email protected]',
@@ -5896,6 +5897,7 @@ def test_create_domain(self):
                         'Registrar': {'Name': 'Mr Registrar', 'AbuseEmail': '[email protected]', 'AbusePhone': None},
                         'Registrant': {'Name': 'Mr Registrant', 'Email': None, 'Phone': None, 'Country': None},
                         'Admin': {'Name': None, 'Email': '[email protected]', 'Phone': '18000000', 'Country': None},
+                        'FirstSeenBySource': '2024-10-06T09:50:50.555Z',
                         'Organization': 'Some Organization',
                         'Subdomains': ['sub-domain1.somedomain.com', 'sub-domain2.somedomain.com',
                                        'sub-domain3.somedomain.com'], 'DomainStatus': 'ACTIVE',
@@ -5994,6 +5996,7 @@ def test_create_url(self):
             certificates=None,
             description='description test',
             stix_id='stix_id',
+            organization_first_seen='2024-11-04T14:48:23.456Z',
         )
 
         results = CommandResults(
@@ -6033,6 +6036,7 @@ def test_create_url(self):
                         'ASOwner': 'test_as_owner',
                         'Geo': {'Country': 'test_geo_country'},
                         'Organization': 'test_organization',
+                        'OrganizationFirstSeen': '2024-11-04T14:48:23.456Z',
                         'CommunityNotes': [{'note': 'note', 'timestamp': '2019-01-01T00:00:00'}],
                         'Publications': [
                             {'source': 'source',
@@ -6118,7 +6122,8 @@ def test_create_file(self):
             creation_date='test_creation_date',
             description='test_description',
             hashes=None,
-            stix_id='test_stix_id'
+            stix_id='test_stix_id',
+            organization_prevalence=0,
         )
 
         results = CommandResults(
@@ -6164,6 +6169,7 @@ def test_create_file(self):
                                       'threatcategoryconfidence': 'threat_category_confidence'}],
                      'Imphash': 'test_imphash',
                      'Organization': 'test_organization',
+                     'OrganizationPrevalence': 0,
                      'Malicious': {'Vendor': 'Test', 'Description': 'malicious!'}
                      }
                 ],

diff --git a/Packs/Base/pack_metadata.json b/Packs/Base/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Base",
     "description": "The base pack for Cortex XSOAR.",
     "support": "xsoar",
-    "currentVersion": "1.34.47",
+    "currentVersion": "1.35.0",
     "author": "Cortex XSOAR",
     "serverMinVersion": "6.0.0",
     "url": "https://www.paloaltonetworks.com/cortex",

diff --git a/Packs/CommonTypes/IndicatorFields/indicatorfield-globalprevalence.json b/Packs/CommonTypes/IndicatorFields/indicatorfield-globalprevalence.json
@@ -0,0 +1,36 @@
+{
+    "id": "indicator_globalprevalence",
+    "version": -1,
+    "modified": "2024-10-30T12:05:32.803043623Z",
+    "name": "Global Prevalence",
+    "ownerOnly": false,
+    "cliName": "globalprevalence",
+    "type": "number",
+    "closeForm": false,
+    "editForm": true,
+    "required": false,
+    "neverSetAsRequired": false,
+    "isReadOnly": false,
+    "useAsKpi": false,
+    "locked": false,
+    "system": false,
+    "content": true,
+    "group": 2,
+    "hidden": false,
+    "openEnded": false,
+    "description": "The number of times the indicator is detected across all organizations.",
+    "associatedTypes": [
+        "Domain",
+        "IP",
+        "IPv6",
+        "URL",
+        "File"
+    ],
+    "associatedToAll": false,
+    "unmapped": false,
+    "unsearchable": false,
+    "caseInsensitive": true,
+    "sla": 0,
+    "threshold": 72,
+    "fromVersion": "5.0.0"
+}
diff --git a/Packs/CommonTypes/IndicatorFields/indicatorfield-organizationfirstseen.json b/Packs/CommonTypes/IndicatorFields/indicatorfield-organizationfirstseen.json
@@ -0,0 +1,36 @@
+{
+    "id": "indicator_organizationfirstseen",
+    "version": -1,
+    "modified": "2024-10-30T12:05:32.803043623Z",
+    "name": "Organization First Seen",
+    "ownerOnly": false,
+    "cliName": "organizationfirstseen",
+    "type": "date",
+    "closeForm": false,
+    "editForm": true,
+    "required": false,
+    "neverSetAsRequired": false,
+    "isReadOnly": false,
+    "useAsKpi": false,
+    "locked": false,
+    "system": false,
+    "content": true,
+    "group": 2,
+    "hidden": false,
+    "openEnded": false,
+    "description": "Date and time when the indicator was first seen in the organization.",
+    "associatedTypes": [
+        "Domain",
+        "IP",
+        "IPv6",
+        "URL",
+        "File"
+    ],
+    "associatedToAll": false,
+    "unmapped": false,
+    "unsearchable": false,
+    "caseInsensitive": true,
+    "sla": 0,
+    "threshold": 72,
+    "fromVersion": "5.0.0"
+}
diff --git a/Packs/CommonTypes/IndicatorFields/indicatorfield-organizationlastseen.json b/Packs/CommonTypes/IndicatorFields/indicatorfield-organizationlastseen.json
@@ -0,0 +1,36 @@
+{
+    "id": "indicator_organizationlastseen",
+    "version": -1,
+    "modified": "2024-10-30T12:05:32.803043623Z",
+    "name": "Organization Last Seen",
+    "ownerOnly": false,
+    "cliName": "organizationlastseen",
+    "type": "date",
+    "closeForm": false,
+    "editForm": true,
+    "required": false,
+    "neverSetAsRequired": false,
+    "isReadOnly": false,
+    "useAsKpi": false,
+    "locked": false,
+    "system": false,
+    "content": true,
+    "group": 2,
+    "hidden": false,
+    "openEnded": false,
+    "description": "Date and time when the indicator was last seen in the organization.",
+    "associatedTypes": [
+        "Domain",
+        "IP",
+        "IPv6",
+        "URL",
+        "File"
+    ],
+    "associatedToAll": false,
+    "unmapped": false,
+    "unsearchable": false,
+    "caseInsensitive": true,
+    "sla": 0,
+    "threshold": 72,
+    "fromVersion": "5.0.0"
+}
diff --git a/Packs/CommonTypes/IndicatorFields/indicatorfield-organizationprevalence.json b/Packs/CommonTypes/IndicatorFields/indicatorfield-organizationprevalence.json
@@ -0,0 +1,36 @@
+{
+    "id": "indicator_organizationprevalence",
+    "version": -1,
+    "modified": "2024-10-30T12:05:32.803043623Z",
+    "name": "Organization Prevalence",
+    "ownerOnly": false,
+    "cliName": "organizationprevalence",
+    "type": "number",
+    "closeForm": false,
+    "editForm": true,
+    "required": false,
+    "neverSetAsRequired": false,
+    "isReadOnly": false,
+    "useAsKpi": false,
+    "locked": false,
+    "system": false,
+    "content": true,
+    "group": 2,
+    "hidden": false,
+    "openEnded": false,
+    "description": "The number of times the indicator is detected in the organization.",
+    "associatedTypes": [
+        "Domain",
+        "IP",
+        "IPv6",
+        "URL",
+        "File"
+    ],
+    "associatedToAll": false,
+    "unmapped": false,
+    "unsearchable": false,
+    "caseInsensitive": true,
+    "sla": 0,
+    "threshold": 72,
+    "fromVersion": "5.0.0"
+}
diff --git a/Packs/CommonTypes/IndicatorTypes/reputation-domain.json b/Packs/CommonTypes/IndicatorTypes/reputation-domain.json
@@ -535,6 +535,30 @@
                     }
                 ]
             }
+        },
+        "organizationprevalence": {
+            "simple": "Domain.OrganizationPrevalence",
+            "complex": null
+        },
+        "globalprevalence": {
+            "simple": "Domain.GlobalPrevalence",
+            "complex": null
+        },
+        "organizationfirstseen": {
+            "simple": "Domain.OrganizationFirstSeen",
+            "complex": null
+        },
+        "organizationlastseen": {
+            "simple": "Domain.OrganizationLastSeen",
+            "complex": null
+        },
+        "firstseenbysource": {
+            "simple": "Domain.FirstSeenBySource",
+            "complex": null
+        },
+        "lastseenbysource": {
+            "simple": "Domain.LastSeenBySource",
+            "complex": null
         }
     },
   "manualMapping": null,

diff --git a/Packs/CommonTypes/IndicatorTypes/reputation-file.json b/Packs/CommonTypes/IndicatorTypes/reputation-file.json
@@ -476,6 +476,30 @@
             }
           ]
         }
+      },
+      "organizationprevalence": {
+        "simple": "File.OrganizationPrevalence",
+        "complex": null
+      },
+      "globalprevalence": {
+        "simple": "File.GlobalPrevalence",
+        "complex": null
+      },
+      "organizationfirstseen": {
+        "simple": "File.OrganizationFirstSeen",
+        "complex": null
+      },
+      "organizationlastseen": {
+        "simple": "File.OrganizationLastSeen",
+        "complex": null
+      },
+      "firstseenbysource": {
+        "simple": "File.FirstSeenBySource",
+        "complex": null
+      },
+      "lastseenbysource": {
+        "simple": "File.LastSeenBySource",
+        "complex": null
       }
     },
     "manualMapping": null,

diff --git a/Packs/CommonTypes/IndicatorTypes/reputation-ip.json b/Packs/CommonTypes/IndicatorTypes/reputation-ip.json
@@ -446,6 +446,30 @@
                     }
                 ]
             }
+        },
+        "organizationprevalence": {
+            "simple": "IP.OrganizationPrevalence",
+            "complex": null
+        },
+        "globalprevalence": {
+            "simple": "IP.GlobalPrevalence",
+            "complex": null
+        },
+        "organizationfirstseen": {
+            "simple": "IP.OrganizationFirstSeen",
+            "complex": null
+        },
+        "organizationlastseen": {
+            "simple": "IP.OrganizationLastSeen",
+            "complex": null
+        },
+        "firstseenbysource": {
+            "simple": "IP.FirstSeenBySource",
+            "complex": null
+        },
+        "lastseenbysource": {
+            "simple": "IP.LastSeenBySource",
+            "complex": null
         }
     },
     "manualMapping": null,

diff --git a/Packs/CommonTypes/IndicatorTypes/reputation-ipv6.json b/Packs/CommonTypes/IndicatorTypes/reputation-ipv6.json
@@ -229,6 +229,30 @@
                     }
                 ]
             }
+        },
+        "organizationprevalence": {
+            "simple": "IPv6.OrganizationPrevalence",
+            "complex": null
+        },
+        "globalprevalence": {
+            "simple": "IPv6.GlobalPrevalence",
+            "complex": null
+        },
+        "organizationfirstseen": {
+            "simple": "IPv6.OrganizationFirstSeen",
+            "complex": null
+        },
+        "organizationlastseen": {
+            "simple": "IPv6.OrganizationLastSeen",
+            "complex": null
+        },
+        "firstseenbysource": {
+            "simple": "IPv6.FirstSeenBySource",
+            "complex": null
+        },
+        "lastseenbysource": {
+            "simple": "IPv6.LastSeenBySource",
+            "complex": null
         }
     },
     "manualMapping": null,

diff --git a/Packs/CommonTypes/IndicatorTypes/reputation-url.json b/Packs/CommonTypes/IndicatorTypes/reputation-url.json
@@ -264,7 +264,31 @@
           "operator": "uniq",
           "args": {}
         }]
-      }
+        }
+    },
+    "organizationprevalence": {
+        "simple": "URL.OrganizationPrevalence",
+        "complex": null
+    },
+    "globalprevalence": {
+        "simple": "URL.GlobalPrevalence",
+        "complex": null
+    },
+    "organizationfirstseen": {
+        "simple": "URL.OrganizationFirstSeen",
+        "complex": null
+    },
+    "organizationlastseen": {
+        "simple": "URL.OrganizationLastSeen",
+        "complex": null
+    },
+    "firstseenbysource": {
+        "simple": "URL.FirstSeenBySource",
+        "complex": null
+    },
+    "lastseenbysource": {
+        "simple": "URL.LastSeenBySource",
+        "complex": null
     }
   },
   "manualMapping": null,