import-indicator-commands (#27558)

* import-indicator-commands

* fix doc review CR

Packs/Anomali_ThreatStream/Integrations/AnomaliThreatStreamv3/AnomaliThreatStreamv3.py

@@ -2069,9 +2069,10 @@ def get_passive_dns(client: Client, value, all_results=None, type=DBotScoreType.
 
 
 def import_ioc_with_approval(client: Client, import_type, import_value, confidence="50", classification="Private",
-                             threat_type="exploit", severity="low", ip_mapping=None, domain_mapping=None,
+                             threat_type="exploit", severity="low", default_state='inactive',
+                             ip_mapping=None, domain_mapping=None,
                              url_mapping=None, email_mapping=None, md5_mapping=None, tags=None,
-                             source_confidence_weight=None):
+                             source_confidence_weight=None, tags_tlp: str = None, expiration_ts=None):
     """
         Imports indicators data to ThreatStream.
         The data can be imported using one of three import_types: data-text (plain-text),
@@ -2082,13 +2083,16 @@ def import_ioc_with_approval(client: Client, import_type, import_value, confiden
         confidence=int(confidence),
         source_confidence_weight=arg_to_number(source_confidence_weight) if source_confidence_weight else None,
         ip_mapping=ip_mapping,
+        default_state=default_state,
+        expiration_ts=expiration_ts,
         domain_mapping=domain_mapping,
         url_mapping=url_mapping,
         email_mapping=email_mapping,
         md5_mapping=md5_mapping,
         threat_type=threat_type,
         severity=severity,
-        tags=json.dumps([{'name': tag} for tag in argToList(tags)]) if tags else None
+        tags=(json.dumps([({'name': tag, 'tlp': tags_tlp.lower()} if tags_tlp else {'name': tag}) for tag in argToList(tags)])
+              if tags else None)
     )
     files = None
     uploaded_file = None
@@ -2128,9 +2132,10 @@ def import_ioc_with_approval(client: Client, import_type, import_value, confiden
         raise DemistoException('The data was not imported. Check if valid arguments were passed')
 
 
-def import_ioc_without_approval(client: Client, classification, file_id=None, confidence=None, allow_unresolved='no',
+def import_ioc_without_approval(client: Client, classification, file_id=None, confidence=None,
+                                allow_unresolved='no',
                                 source_confidence_weight=None, expiration_ts=None, severity=None,
-                                tags=None, trustedcircles=None, indicators_json=None):
+                                tags=None, trustedcircles=None, indicators_json=None, tags_tlp: str = None):
     """
         Imports indicators data to ThreatStream.
         file_id of uploaded file to war room.
@@ -2166,7 +2171,8 @@ def import_ioc_without_approval(client: Client, classification, file_id=None, co
         source_confidence_weight=source_confidence_weight,
         expiration_ts=expiration_ts,
         severity=severity,
-        tags=tags,
+        tags=([({'name': tag, 'tlp': tags_tlp.lower()} if tags_tlp else {'name': tag}) for tag in argToList(tags)]
+              if tags else None),
         trustedcircles=trustedcircles
     )
     ioc_to_import.update({"meta": meta})

Packs/Anomali_ThreatStream/Integrations/AnomaliThreatStreamv3/AnomaliThreatStreamv3.yml

@@ -2448,8 +2448,7 @@ script:
       required: false
       secret: false
     - default: false
-      description: Ratio (0-100) between the source confidence and the ThreatStream confidence. To use your specified confidence
-        entirely and not re-assess the value using machine learning algorithms, set this argument to 100.
+      description: Ratio (0-100) between the source confidence and the ThreatStream confidence. To use your specified confidence entirely and not re-assess the value using machine learning algorithms, set this argument to 100.
       isArray: false
       name: source_confidence_weight
       required: false
@@ -2563,13 +2562,42 @@ script:
       required: false
       secret: false
     - default: false
-      description: A comma-separated list of tags. For example, tag1,tag2.
+      description: A comma-separated list of tags applied to the imported observables. For example, tag1,tag2.
       isArray: false
       name: tags
       required: false
       secret: false
+    - auto: PREDEFINED
+      default: false
+      description: You can add tags that are private to your organization by setting the tlp attribute for the tag to red. If you do not specify a tlp setting, the tag is visible to any ThreatStream user with access to the observable.
+      isArray: false
+      name: tags_tlp
+      predefined:
+      - Red
+      - Amber
+      - Green
+      - White
+      required: false
+      secret: false
+    - default: false
+      description: The timestamp when intelligence will expire on ThreatStream, in ISO format. For example, 2020-12-24T00:00:00. By default, the expiration_ts is set to 90 days from the current date.
+      isArray: false
+      name: expiration_ts
+      required: false
+      secret: false
+    - auto: PREDEFINED
+      default: false
+      defaultValue: 'inactive'
+      description: Whether the import job must be approved from the ThreatStream user interface before observables become active. When default_state is set to active, observables become active upon submission, without requiring approval. In these cases, an import job is created on ThreatStream which is automatically approved.
+      isArray: false
+      name: default_state
+      predefined:
+      - active
+      - inactive
+      required: false
+      secret: false
     deprecated: false
-    description: 'Imports indicators (observables) into ThreatStream. The imported data must be approved using the ThreatStream UI. The data can be imported using one of three methods: plain-text, file, or URL.'
+    description: 'Imports indicators (observables) into ThreatStream. The imported data must be approved using the ThreatStream UI. The data can be imported using one of three methods: plain-text, file, or URL. You must have the Approve Import privilege in order to import observables through the API with default_state set to active.'
     execution: false
     name: threatstream-import-indicator-with-approval
     outputs:
@@ -2588,14 +2616,13 @@ script:
       required: false
       secret: false
     - default: false
-      description: Ratio (0-100) between the source confidence and the ThreatStream confidence. To use your specified confidence
-        entirely and not re-assess the value using machine learning algorithms, set this argument to 100.
+      description: Ratio (0-100) between the source confidence and the ThreatStream confidence. To use your specified confidence entirely and not re-assess the value using machine learning algorithms, set this argument to 100.
       isArray: false
       name: source_confidence_weight
       required: false
       secret: false
     - default: false
-      description: The time stamp when intelligence will expire on ThreatStream, in ISO format. For example, 2020-12-24T00:00:00.
+      description: The timestamp when intelligence will expire on ThreatStream, in ISO format. For example, 2020-12-24T00:00:00. By default, the expiration_ts is set to 90 days from the current date.
       isArray: false
       name: expiration_ts
       required: false
@@ -2612,7 +2639,7 @@ script:
       required: false
       secret: false
     - default: false
-      description: A comma-separated list of tags. For example, tag1,tag2.
+      description: 'A comma-separated list of tags applied to the imported observables. For example, tag1,tag2. Note: In cases where tags are specified at both the global and per observable level, tags specified per observable overwrite global tags.'
       isArray: false
       name: tags
       required: false
@@ -2655,6 +2682,18 @@ script:
       name: indicators_json
       required: false
       secret: false
+    - auto: PREDEFINED
+      default: false
+      description: You can add tags that are private to your organization by setting the tlp attribute for the tag to red. If you do not specify a tlp setting, the tag is visible to any ThreatStream user with access to the observable.
+      isArray: false
+      name: tags_tlp
+      predefined:
+      - Red
+      - Amber
+      - Green
+      - White
+      required: false
+      secret: false
     deprecated: false
     description: Imports indicators (observables) into ThreatStream. Approval is not required for the imported data. You must have the Approve Intel user permission to import without approval using the API.
     execution: false
@@ -7299,7 +7338,7 @@ script:
     execution: false
     description: Creates associations between threat model entities on the ThreatStream platform.
     name: threatstream-add-threat-model-association
-  dockerimage: demisto/py3-tools:1.0.0.63020
+  dockerimage: demisto/py3-tools:1.0.0.63856
   feed: false
   isfetch: false
   longRunning: false

Packs/Anomali_ThreatStream/Integrations/AnomaliThreatStreamv3/AnomaliThreatStreamv3_test.py

@@ -411,7 +411,8 @@ def test_import_indicator_with_approval__happy_path(self, mocker, import_type):
                             return_value={'success': True, 'import_session_id': 'test_session_id', 'job_id': 'id'})
 
         # run
-        result = import_ioc_with_approval(mock_client(), import_type, 'test_value')
+        result = import_ioc_with_approval(mock_client(), import_type, 'test_value', tags="tag1,tag2",
+                                          expiration_ts="2023-12-25T00:00:00")
 
         # validate
 
@@ -422,8 +423,10 @@ def test_import_indicator_with_approval__happy_path(self, mocker, import_type):
             assert files['file'][0] == 'test_file.txt'
         else:
             assert data[import_type] == 'test_value'
+            assert data['expiration_ts'] == '2023-12-25T00:00:00'
+            assert data['tags'] == '[{"name": "tag1"}, {"name": "tag2"}]'
 
-        assert all(key in data for key in ['classification', 'confidence', 'threat_type', 'severity'])
+        assert all(key in data for key in ['classification', 'confidence', 'threat_type', 'severity', 'default_state'])
 
         assert result.outputs == {'ImportID': 'test_session_id', 'JobID': 'id'}
 
@@ -460,6 +463,35 @@ def test_import_indicator_with_approval__happy_path(self, mocker, import_type):
                 },
                 ('classification', 'confidence', 'severity', 'allow_unresolved', 'tags'),
                 {'severity': 'high', 'confidence': 70}
+            ),
+            (
+                MOCK_OBJECTS_2,
+                'test_file',
+                {
+                    'file_id': 'test_file_id',
+                    'classification': 'Private',
+                    'confidence': "70",
+                    'severity': 'high',
+                    'allow_unresolved': True,
+                    'tags': "tag1,tag2",
+                    "tags_tlp": "Red"
+                },
+                ('classification', 'confidence', 'severity', 'allow_unresolved', 'tags'),
+                {'severity': 'high', 'confidence': 70, 'tags': [{'name': 'tag1', 'tlp': 'red'}, {'name': 'tag2', 'tlp': 'red'}]}
+            ),
+            (
+                MOCK_OBJECTS_2,
+                'test_file',
+                {
+                    'file_id': 'test_file_id',
+                    'classification': 'Private',
+                    'confidence': "70",
+                    'severity': 'high',
+                    'allow_unresolved': True,
+                    'tags': "tag1,tag2",
+                },
+                ('classification', 'confidence', 'severity', 'allow_unresolved', 'tags'),
+                {'severity': 'high', 'confidence': 70, 'tags': [{'name': 'tag1'}, {'name': 'tag2'}]}
             )
         ]
     )
@@ -494,6 +526,8 @@ def test_import_indicator_without_approval__happy_path(self,
             confidence=args.get('confidence'),
             severity=args.get('severity'),
             allow_unresolved=args.get('allow_unresolved'),
+            tags=args.get('tags'),
+            tags_tlp=args.get('tags_tlp'),
         )
 
         # validate
@@ -745,7 +779,7 @@ def test_get_model_description__various_models(self, mocker, model, description)
         get_model_description(mock_client(), model, '1')
 
         # validate
-        mocked_result.call_args[0][1] == 'test_description'.encode(encoding='UTF-8')
+        mocked_result.call_args[0][1] == b'test_description'
 
 
 class TestUpdateCommands:

Packs/Anomali_ThreatStream/Integrations/AnomaliThreatStreamv3/README.md

@@ -1455,13 +1455,14 @@ for time in UTC time. |
 
 
 ### threatstream-import-indicator-with-approval
-***
-Imports indicators (observables) into ThreatStream. The imported data must be approved using the ThreatStream UI. The data can be imported using one of three methods: plain-text, file, or URL.
 
+***
+Imports indicators (observables) into ThreatStream. The imported data must be approved using the ThreatStream UI. The data can be imported using one of three methods: plain-text, file, or URL. You must have the Approve Import privilege in order to import observables through the API with default_state set to active.
 
 #### Base Command
 
 `threatstream-import-indicator-with-approval`
+
 #### Input
 
 | **Argument Name** | **Description** | **Required** |
@@ -1478,7 +1479,10 @@ Imports indicators (observables) into ThreatStream. The imported data must be ap
 | url_mapping | Indicator type to assign if a specific type is not associated with an observable. This is a global setting that applies to any imported URL-type observable when an explicit itype is not specified for it. | Optional | 
 | email_mapping | Indicator type to assign if a specific type is not associated with an observable. This is a global setting that applies to any imported email-type observable when an explicit itype is not specified for it. | Optional | 
 | md5_mapping | Indicator type to assign if a specific type is not associated with an observable. This is a global setting that applies to any imported MD5-type observable when an explicit itype is not specified for it. | Optional | 
-| tags | A comma-separated list of tags. For example, tag1,tag2. | Optional | 
+| tags | A comma-separated list of tags applied to the imported observables. For example, tag1,tag2. | Optional | 
+| tags_tlp | You can add tags that are private to your organization by setting the tlp attribute for the tag to red. If you do not specify a tlp setting, the tag is visible to any ThreatStream user with access to the observable. Possible values are: Red, Amber, Green, White. | Optional | 
+| expiration_ts | The timestamp when intelligence will expire on ThreatStream, in ISO format. For example, 2020-12-24T00:00:00. By default, the expiration_ts is set to 90 days from the current date. | Optional | 
+| default_state | Whether the import job must be approved from the ThreatStream user interface before observables become active. When default_state is set to active, observables become active upon submission, without requiring approval. In these cases, an import job is created on ThreatStream which is automatically approved. Possible values are: active, inactive. Default is inactive. | Optional | 
 
 
 #### Context Output
@@ -1524,14 +1528,15 @@ Imports indicators (observables) into ThreatStream. Approval is not required for
 | --- | --- | --- |
 | confidence | The observable certainty level of a reported indicator type. Default is 50. | Optional | 
 | source_confidence_weight | Ratio (0-100) between the source confidence and the ThreatStream confidence. To use your specified confidence entirely and not re-assess the value using machine learning algorithms, set this argument to 100. | Optional | 
-| expiration_ts | The time stamp when intelligence will expire on ThreatStream, in ISO format. For example, 2020-12-24T00:00:00. | Optional | 
-| severity | The severity to assign to the observable when it is imported. Can be "low", "medium", "high" , or "very-high". Possible values are: low, medium, high, very-high. | Optional | 
-| tags | A comma-separated list of tags. For example, tag1,tag2. | Optional | 
+| expiration_ts | The timestamp when intelligence will expire on ThreatStream, in ISO format. For example, 2020-12-24T00:00:00. By default, the expiration_ts is set to 90 days from the current date. | Optional | 
+| severity | The severity to assign to the observable when it is imported. Possible values are: low, medium, high, very-high. | Optional | 
+| tags | A comma-separated list of tags applied to the imported observables. For example, tag1,tag2. Note: In cases where tags are specified at both the global and per observable level, tags specified per observable overwrite global tags. | Optional | 
 | trustedcircles | A comma-separated list of trusted circle IDs with which threat data should be shared. | Optional | 
 | classification | Denotes whether the indicator data is public or private to the organization. Possible values are: private, public. | Required | 
-| allow_unresolved | Whether unresolved domain observables are included in the file will be accepted as valid in ThreatStream and imported. Possible values are: yes, no. | Optional | 
+| allow_unresolved | Whether unresolved domain observables included in the file will be accepted as valid in ThreatStream and imported. Possible values are: yes, no. | Optional | 
 | file_id | The entry ID of a file (containing a JSON with an "objects" array and "meta" maps) that is uploaded to the War Room. | Optional | 
 | indicators_json | The “meta” section will be added to this json, and we will send this json to the api endpoint. | Optional | 
+| tags_tlp | You can add tags that are private to your organization by setting the tlp attribute for the tag to red. If you do not specify a tlp setting, the tag is visible to any ThreatStream user with access to the observable. Possible values are: Red, Amber, Green, White. | Optional | 
 
 
 #### Context Output

Packs/Anomali_ThreatStream/ReleaseNotes/2_1_6.md

@@ -0,0 +1,11 @@
+
+#### Integrations
+
+##### Anomali ThreatStream v3
+
+- Added the following arguments to the ***threatstream-import-indicator-with-approval*** command:
+    - *tags_tlp*
+    - *default_state*
+    - *expiration_ts*
+- Added the *tags_tlp* argument to the ***threatstream-import-indicator-without-approval*** command.
+- Updated the Docker image to: *demisto/py3-tools:1.0.0.63856*.

Packs/Anomali_ThreatStream/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Anomali ThreatStream",
     "description": "Use Anomali ThreatStream to query and submit threats.",
     "support": "xsoar",
-    "currentVersion": "2.1.5",
+    "currentVersion": "2.1.6",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",