From 693e3905dc6e9185d7b846df721404e01cb69275 Mon Sep 17 00:00:00 2001 
From: xsoar-bot <67315154+xsoar-bot@users.noreply.github.com> Date: Sun, 5 Nov 2023 13:11:12 +0200 Subject: [PATCH 1/9] [Marketplace Contribution] Github Maltrail Feed (#30052) * "pack contribution initial commit" * Update Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/GithubMaltrailFeed.py Co-authored-by: Moshe Eichler <78307768+MosheEichler@users.noreply.github.com> * Update Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/GithubMaltrailFeed.py Co-authored-by: Moshe Eichler <78307768+MosheEichler@users.noreply.github.com> * Update Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/GithubMaltrailFeed.py Co-authored-by: Moshe Eichler <78307768+MosheEichler@users.noreply.github.com> * Update Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/GithubMaltrailFeed.py Co-authored-by: Moshe Eichler <78307768+MosheEichler@users.noreply.github.com> * Update Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/GithubMaltrailFeed.py Co-authored-by: Moshe Eichler <78307768+MosheEichler@users.noreply.github.com> * Update Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/GithubMaltrailFeed.py Co-authored-by: Moshe Eichler <78307768+MosheEichler@users.noreply.github.com> * Update Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/GithubMaltrailFeed.py Co-authored-by: Moshe Eichler <78307768+MosheEichler@users.noreply.github.com> * Update Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/GithubMaltrailFeed.py Co-authored-by: Moshe Eichler <78307768+MosheEichler@users.noreply.github.com> * Update Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/GithubMaltrailFeed.py Co-authored-by: Moshe Eichler <78307768+MosheEichler@users.noreply.github.com> * Update Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/GithubMaltrailFeed.py Co-authored-by: Moshe Eichler <78307768+MosheEichler@users.noreply.github.com> * Update Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/GithubMaltrailFeed.py Co-authored-by: Moshe 
Eichler <78307768+MosheEichler@users.noreply.github.com> * Update Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/GithubMaltrailFeed.py Co-authored-by: Moshe Eichler <78307768+MosheEichler@users.noreply.github.com> * Update Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/GithubMaltrailFeed.yml Co-authored-by: Moshe Eichler <78307768+MosheEichler@users.noreply.github.com> * Update GithubMaltrailFeed.yml * Update Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/GithubMaltrailFeed.yml Co-authored-by: Moshe Eichler <78307768+MosheEichler@users.noreply.github.com> * Update GithubMaltrailFeed.py * Update GithubMaltrailFeed.py * Update Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/GithubMaltrailFeed.py Co-authored-by: Moshe Eichler <78307768+MosheEichler@users.noreply.github.com> * Update Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/GithubMaltrailFeed.yml * Update Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/GithubMaltrailFeed.py Co-authored-by: Moshe Eichler <78307768+MosheEichler@users.noreply.github.com> * Update Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/GithubMaltrailFeed.py Co-authored-by: Moshe Eichler <78307768+MosheEichler@users.noreply.github.com> * Delete Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/integration-Github_Maltrail_Feed.yml * Update pack_metadata.json * Update GithubMaltrailFeed.yml * Update GithubMaltrailFeed.py * Update GithubMaltrailFeed.py * Update GithubMaltrailFeed.yml * Update GithubMaltrailFeed.py * Update GithubMaltrailFeed.yml * Update GithubMaltrailFeed.py --------- Co-authored-by: Abel S. 
Santamarina <89417559+asantamarina@users.noreply.github.com> Co-authored-by: Moshe Eichler <78307768+MosheEichler@users.noreply.github.com> --- Packs/GithubMaltrailFeed/.pack-ignore | 0 Packs/GithubMaltrailFeed/.secrets-ignore | 0 .../GithubMaltrailFeed/GithubMaltrailFeed.py | 209 ++++++++++++++++++ .../GithubMaltrailFeed/GithubMaltrailFeed.yml | 123 +++++++++++ .../GithubMaltrailFeed_description.md | 1 + .../GithubMaltrailFeed_image.png | Bin 0 -> 7147 bytes .../Integrations/GithubMaltrailFeed/README.md | 0 Packs/GithubMaltrailFeed/README.md | 0 Packs/GithubMaltrailFeed/pack_metadata.json | 21 ++ 9 files changed, 354 insertions(+) create mode 100644 Packs/GithubMaltrailFeed/.pack-ignore create mode 100644 Packs/GithubMaltrailFeed/.secrets-ignore create mode 100644 Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/GithubMaltrailFeed.py create mode 100644 Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/GithubMaltrailFeed.yml create mode 100644 Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/GithubMaltrailFeed_description.md create mode 100644 Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/GithubMaltrailFeed_image.png create mode 100644 Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/README.md create mode 100644 Packs/GithubMaltrailFeed/README.md create mode 100644 Packs/GithubMaltrailFeed/pack_metadata.json diff --git a/Packs/GithubMaltrailFeed/.pack-ignore b/Packs/GithubMaltrailFeed/.pack-ignore new file mode 100644 index 000000000000..e69de29bb2d1 diff --git a/Packs/GithubMaltrailFeed/.secrets-ignore b/Packs/GithubMaltrailFeed/.secrets-ignore new file mode 100644 index 000000000000..e69de29bb2d1 diff --git a/Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/GithubMaltrailFeed.py b/Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/GithubMaltrailFeed.py new file mode 100644 index 000000000000..cda085f39963 --- /dev/null +++ b/Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/GithubMaltrailFeed.py 
@@ -0,0 +1,209 @@
+import demistomock as demisto # noqa: F401
+from CommonServerPython import * # noqa: F401
+import requests
+import base64
+from datetime import datetime
+import regex
+
+# CONSTANTS
+SOURCE_NAME = "Github Maltrail Feed"
+DATE_FORMAT = '%Y-%m-%dT%H:%M:%SZ'
+COMMIT_LIMIT = 100
+
+# ############################## OVERWRITE REGEX FORMATTING ###############################
+regexFlags = re.M # Multi line matching
+REGEX_IP = r"\b(?:(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])(?:\[\.\]|\.)){3}(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\b"
+
+class Client(BaseClient):
+
+ def __init__(self, params: dict):
+ self._verify: bool = not params.get('insecure', False)
+ self.user = params.get('user')
+ self.token = (params.get('api_token') or {}).get('password', '')
+ self.repo = params.get('repository')
+ self.url = params.get('base_url')
+ # self.base_url = f'{self.url}/{self.user}/{self.repo}'
+ self.base_url = urljoin(self.url, self.user)
+ self.base_url = urljoin(self.base_url, self.repo)
+ handle_proxy()
+
+ def http_request_indicators(self):
+ res = requests.get(
+ url=self.base_url,
+ verify=self._verify
+ )
+ try:
+ res.raise_for_status()
+ except Exception:
+ demisto.info(f'Github Maltrail Feed - exception in request: {res.status_code!r} {res.content!r}')
+ raise
+ return res.text
+
+ def getclienturl(self):
+ return self.base_url
+
+ def http_request(self, url_endpoint, params: dict = None):
+ """The HTTP request for daily feeds.
+ Returns:
+ list. A list of indicators fetched from the feed.
+ """
+ self.headers = {
+ 'Authorization': "Bearer " + self.token
+ }
+ res = requests.request(
+ method="GET",
+ url=urljoin(self.base_url, url_endpoint),
+ verify=self._verify,
+ headers=self.headers,
+ params=params
+ )
+ return res
+
+
+def fetch_indicators(client: Client, url: str, limit: int=None, params: dict=None):
+ if params:
+ feed_tags = argToList(params.get('feedTags', []))
+ tlp_color = params.get('tlp_color')
+ response = client.http_request(url)
+ indicators_list = []
+ demisto.debug('Fetch of indicators started ###')
+
+ if response.ok:
+ content = response.json()["content"]
+ file_content = base64.b64decode(content).decode("utf-8")
+ lines = file_content.split("\n")
+ for line in lines:
+ if '#' not in line and line != '':
+ type_ = auto_detect_indicator_type(line)
+ if regex.search(REGEX_IP, line):
+ if line.startswith('http://'):
+ line = line.removeprefix('http://')
+ elif line.startswith('https://'):
+ line = line.removeprefix('https://')
+ else:
+ line = line.split(':')[0]
+ type_ = "IP"
+ elif type_ == "URL":
+ if not line.startswith('http://') and not line.startswith('https://'):
+ line = 'http://' + line
+ raw_data = {
+ 'value': line,
+ 'type': type_,
+ }
+ indicator_obj = {
+ 'value': line,
+ 'type': type_,
+ 'service': "GitHub Maltrail Feed",
+ 'fields': {},
+ 'rawJSON': raw_data
+ }
+ if feed_tags:
+ indicator_obj['fields']['tags'] = feed_tags
+ if tlp_color:
+ indicator_obj['fields']['trafficlightprotocol'] = tlp_color
+ indicators_list.append(indicator_obj)
+ # If limit is reached, break loop
+ if limit and isinstance(limit, int):
+ if len(indicators_list)>=limit:
+ break
+ else:
+ demisto.error(f"Error: {response.status_code} - {response.json()['message']}")
+ return indicators_list
+
+
+def get_last_commit_date(client):
+ api_url = "/commits"
+ response = client.http_request(api_url)
+ last_commit_date = None
+ if response.ok:
+ commits = []
+ page = 1
+ while response.ok and page < COMMIT_LIMIT:
+ commits.extend(response.json())
+ link_header = response.headers.get('Link')
+ if not link_header or 'rel="next"' not in link_header:
+ break
+ page += 1
+ response = client.http_request(api_url, params={'page': page})
+ for commit in commits:
+ if 'qakbot' in commit['commit']['message']:
+ commit_date = date_to_timestamp(parse_date_string(commit['commit']['author']['date'], DATE_FORMAT))
+ if not last_commit_date:
+ last_commit_date = commit_date
+ elif commit_date > last_commit_date:
+ last_commit_date = commit_date
+
+ return last_commit_date
+
+
+def fetch_indicators_command(client: Client, params: dict=None):
+ integration_context = get_integration_context()
+ api_url = "/contents/trails/static/malware/qakbot.txt"
+ indicators_list = []
+ #First Fetch
+ if not integration_context:
+ time_of_first_fetch = date_to_timestamp(datetime.now(), DATE_FORMAT)
+ set_integration_context({'time_of_last_fetch': time_of_first_fetch})
+ indicators_list = fetch_indicators(client, api_url, None, params)
+ else:
+ time_from_last_update = integration_context.get('time_of_last_fetch')
+ now = date_to_timestamp(datetime.now(), DATE_FORMAT)
+ last_commit_date = get_last_commit_date(client)
+ if last_commit_date > time_from_last_update:
+ indicators_list = fetch_indicators(client, api_url, None, params)
+ set_integration_context({'time_of_last_fetch': now})
+ else:
+ demisto.debug(f'### Nothing to fetch')
+
+ return indicators_list
+
+
+def get_indicators_command(client: Client, params: dict, args: dict):
+ try:
+ limit = int(args.get('limit', 50))
+ except ValueError:
+ raise ValueError('The limit argument must be a number.')
+ api_url = "/contents/trails/static/malware/qakbot.txt"
+ indicators_list = fetch_indicators(client, api_url, limit, params)
+ entry_result = indicators_list[:limit]
+ human_readable = tableToMarkdown("Indicators from Github Maltrail:", entry_result,
+ headers=['value', 'type', 'firstseenbysource', 'lastseenbysource', 'name'],
+ removeNull=True)
+ return human_readable, {}, entry_result
+
+
+def test_module_command(client: Client, params: dict, args: dict):
+ client.http_request_indicators()
+ return 'ok', {}, {}
+
+
+def main():
+ params = demisto.params()
+ args = demisto.args()
+
+ command = demisto.command()
+ demisto.info(f'Command being called is {command}')
+
+ # Switch case
+ commands = {
+ 'test-module': test_module_command,
+ 'gh-maltrail-get-indicators': get_indicators_command
+ }
+
+ try:
+ client = Client(params)
+ if command == 'fetch-indicators':
+ indicators = fetch_indicators_command(client, params)
+ for b in batch(indicators, batch_size=2000):
+ demisto.createIndicators(b)
+ else:
+ readable_output, outputs, raw_response = commands[command](client, params, args)
+ return_outputs(readable_output, outputs, raw_response)
+
+ except Exception as e:
+ raise Exception(f'Error in {SOURCE_NAME} Integration [{e}]')
+
+
+
+if __name__ in ('__main__', '__builtin__', 'builtins'):
+ main()
diff --git a/Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/GithubMaltrailFeed.yml b/Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/GithubMaltrailFeed.yml
new file mode 100644
index 000000000000..1f25c6eac1b6
--- /dev/null
+++ b/Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/GithubMaltrailFeed.yml
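Review bot: In `fetch_indicators`, `regex.search(REGEX_IP, line)` matches a dotted quad anywhere in the trail and the `http://` / `https://` branches remove only the scheme, so the stored `value` can still carry a port or path, or be a hostname that merely contains an address, and its `type` no longer describes it. For a feed whose default reputation is `Bad`, such entries land in the indicator store in a form that an IP or URL lookup is unlikely to match. I would isolate the host first and require the whole host to be an address: `host = line.split('://', 1)[-1].split('/', 1)[0].split(':', 1)[0]` followed by `if regex.fullmatch(REGEX_IP, host): line, type_ = host, "IP"`. The page has lost the indentation, so whether `type_ = "IP"` belongs only to the `else` cannot be confirmed here; under either reading value and type are out of step for URL trails with an IP host.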
@@ -0,0 +1,123 @@
+category: Utilities
+commonfields:
+ id: Github Maltrail Feed
+ version: -1
+configuration:
+- additionalinfo: API Token
+ display: ""
+ displaypassword: API Token
+ hiddenusername: true
+ name: api_token
+ required: true
+ type: 9
+- display: 'Username of the repository owner, for example: github.com/repos/{user}/{repo}/issues'
+ name: user
+ required: true
+ type: 0
+- defaultvalue: https://api.github.com/repos
+ display: Base URL
+ name: base_url
+ required: true
+ type: 0
+- display: 'The name of the requested repository, for example: github.com/repos/{user}/{repo}/issues'
+ name: repository
+ required: true
+ type: 0
+- advanced: true
+ display: Trust any certificate (not secure)
+ name: insecure
+ required: false
+ section: Connect
+ type: 8
+- advanced: true
+ display: Use system proxy settings
+ name: proxy
+ required: false
+ section: Connect
+ type: 8
+- defaultvalue: "15"
+ display: Feed Fetch Interval
+ name: feedFetchInterval
+ required: false
+ type: 19
+- defaultvalue: "true"
+ display: Fetch indicators
+ name: feed
+ required: false
+ type: 8
+- additionalinfo: Indicators from this integration instance will be marked with this reputation
+ defaultvalue: Bad
+ display: Indicator Reputation
+ name: feedReputation
+ options:
+ - None
+ - Good
+ - Suspicious
+ - Bad
+ required: false
+ type: 18
+- additionalinfo: Reliability of the source providing the intelligence data
+ defaultvalue: F - Reliability cannot be judged
+ display: Source Reliability
+ name: feedReliability
+ options:
+ - A - Completely reliable
+ - B - Usually reliable
+ - C - Fairly reliable
+ - D - Not usually reliable
+ - E - Unreliable
+ - F - Reliability cannot be judged
+ required: true
+ type: 15
+- defaultvalue: indicatorType
+ display: ""
+ name: feedExpirationPolicy
+ options:
+ - never
+ - interval
+ - indicatorType
+ - suddenDeath
+ required: false
+ type: 17
+- defaultvalue: "20160"
+ display: ""
+ name: feedExpirationInterval
+ required: false
+ type: 1
+- additionalinfo: When selected, the exclusion list is ignored for indicators from this feed. This means that if an indicator from this feed is on the exclusion list, the indicator might still be added to the system.
+ display: Bypass exclusion list
+ name: feedBypassExclusionList
+ required: false
+ type: 8
+- additionalinfo: Supports CSV values.
+ display: Tags
+ name: feedTags
+ required: false
+ type: 0
+- additionalinfo: The Traffic Light Protocol (TLP) designation to apply to indicators fetched from the feed
+ display: Traffic Light Protocol Color
+ name: tlp_color
+ options:
+ - RED
+ - AMBER
+ - GREEN
+ - WHITE
+ required: false
+ type: 15
+description: Fetches Indicators from Github Repo https://github.com/stamparm/maltrail
+display: Github Maltrail Feed
+name: Github Maltrail Feed
+script:
+ commands:
+ - arguments:
+ - name: limit
+ description: The maximum number of results to return to the output.
+ defaultValue: "50"
+ name: gh-maltrail-get-indicators
+ description: Get indicators from the feed.
+ dockerimage: demisto/python3:3.10.13.78623
+ feed: true
+ runonce: false
+ script: ''
+ subtype: python3
+ type: python
diff --git a/Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/GithubMaltrailFeed_description.md b/Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/GithubMaltrailFeed_description.md
new file mode 100644
index 000000000000..b0e115a8fa52
--- /dev/null
+++ b/Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/GithubMaltrailFeed_description.md
@@ -0,0 +1 @@
+Fetches Indicators from Github Repo https://github.com/stamparm/maltrail
\ No newline at end of file
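Review bot: The top-level `description` presents this as a feed of the whole maltrail repository, but the Python added in the same patch requests only `/contents/trails/static/malware/qakbot.txt` and keys its update check on commit messages containing `qakbot`. An operator who enables the instance with the default `feedReputation` of `Bad` would reasonably assume wider coverage than a single malware family. I would state the scope in the text, for example `description: Fetches QakBot indicators (trails/static/malware/qakbot.txt) from the Maltrail GitHub repository https://github.com/stamparm/maltrail`, and say in the `user` and `repository` display strings that the target repository must contain that path.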
diff --git a/Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/GithubMaltrailFeed_image.png b/Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/GithubMaltrailFeed_image.png new file mode 100644 index 0000000000000000000000000000000000000000..f48bdfc08a57b1efdc6d8464e39be22dc0138c91 GIT binary patch literal 7147 zcmVbc7cLM(h=oqlS434P=jsZ>vjsl7SC)np6;NO9+4{%+dbW8@y0T*Zo zW&jrfUhsPp@EFho*!BlF(e=TW)$hA(;QPRFz90I5>lX>I*7Y&uQqM~ zwqgW25(r}iiV$E)2stFPBBUG#)zV2cnIr=20KNchKFn+Tq+<$Z{$s#*ffMMnfC@+e z4+3G zo_YjL6Dw)2uAr-8ILY5HqWsQBIM(wR3C!g)0S^TQq=Az#iqIbthyxdEA$B6=>jx`f z3kU(Fz|>&im2;-+e!{AUDf7=eEFqSd%ea7A8q15@ns*Hdg zAP?jB+A#Lp!30lLm|*BQU=lD2BW%a>;MNB@=9SfyTzfw2PdJjcGfrU7=n=gB<{I)8 zP>_RLRZe$hDal9#AHeqz-AOF1K`DfrMvTbEEgw#MAmG?XIYS>aNcQ%tj+AnyQfedc zU%;ur3QW*79ViL*odV3VF~a&Ta7HlLYrqy@TChz3qVzo}8FTC9MCqw0roA+eL|P$| zDWsX&7-d_izst0Jyde6vS|8*HU<6REl-ee3dyVq_vyk2@p>-Xw1UL_)?VgRvp~A5U zDWxFg64qc_5-f>VkW1I7656L!(R9=#nx|IMQ8ki8PRy8F0N+QX1VRc#M;G?uH^{4N zBr1Z-Qwm|*sJSy}ns5Z&i(a8<%MP+C%jljumd?@=l5GjB*3RCC%;GZ)ga(9CY7OuN zFb^nDo;L#!5{4_Sr%5SaR7#Blb_1JipbX%&}rHYOz zm2}2p_+g0_5+rD)5z;~@(+D?>3|Z*hINr}6rs`JeTDB$glj0kR~^Y1%%|6fA~TN0cqDgDV>%jdOL?}6&DZ9C;l zxfQMRP%6s`g?6iC@?}g+<=GgF+bP3~X8!2e* zBEGi9JY>q)^%Su5?=^cL18Bfy{CJ=B>#tUd%RoIY5YHoot&|#r?{{mgs1Ra__Pjz& zmNN!;(ZW!L^BUWTFJD9MnBlZf7(*fwLMb27mBdQ9#$e7{r zd4DSeDy;55`y-W)qJmx~v6^Y(B4;eP#}tBLPu4wWa0PqgXYnmB|* zElgA#rK!CH)Rh>)9RX|uW@)XzBBk7{wSO|;Dy5>pg&116UII@8HA*4hTFa=f{fHCK zypH2qHnyO^`&b*h`%$?-faUy;@tr4+Kg3unSax@L{1 zA-KQ};HSVJ0bCC|k-)-1k1VB2m{@roa80mX4E!60ayu+c3^O@q^ElFel+ob{neV4h z$A*d!^XGr05&9)_2t#}rb1v!4I!2Xpp%YO{$j`YAt)qu9oDEhPFy69Mo-OPLG4qwg zuvw=9bxP~47>?q64AHR`SOzSYKn?H%jJDCzLG}wP82i8eFUMSd8=t>#0iz<>c%DMM zx0&KZl87>XwH^2ya0jp&K!CtTopwAsqUQEWfg+$4z!GT7LZeLj6olG!7_I#s@RwlR z!-g#>vIH}c&UBLLB7i-25YOMmcVs;BGj@!b^g+hoACw{z_4q+7rWO&-z6q@@0O?R= z3q1zgnTFPp1C28PCfoG=;hy%|q?EtM%u^$1duz#_a||uBr%)H{-vfLPI34&2##{ghT;%lebYw+IVSKNH z$)gb#%CbxmLHCssf*kL|DJ}?&GUi?@Y^4C2J17iGE(3WD;rPrC<2-|&TaXnAb0U^K 
zn^5!=jG07e(#qVSix7u+pTY+#4SWT-M=3QOSSO`y0h*OkMM|k-fsMd}Kt6CLa5hkp z5wOA#9G75nsGkM@tKF>(d*vMp>|DGv=1?ak3L~^;Oj*yRe?=(x6xhLx;35FFL<?nhacpDId-R&cJbAS4xcmK96A^E9HQ}IxvayEx^@4jpt!)t|v|kaq=vh zMwQTt(ad?lF_~1T7phNynH!1#glznXefVUC)-cCB3=VVV9P~qx9mTT*X%OJ#q!0J} zkDr4CY?y8{Uk~QXyLWdmAEi#Bqv2+RIP7!v!Lx+cJs|&tsnE3m1;8APg1v%qbH|ZR z&jEG;2OsEeth7>VYZS7+0X=^y|>esmajJ83~>V=d(2l=BHIJ(Ux8{dW1 zPfY@5gNQNp+!j_Zc=v17qT;`{=T~-AUAjT9jn!W}`_{_GS5dw@G%3lYH@tV-s*A&m z>X>%Z-xwEyVppz%|2(pe&t3lpFW<2?V|ImruU0}-N5jd)heD@IAX^9#*TPzbQoE#- zSxPA%Qx;sP2!0aqXDQ_`l~NwivA=4POF%fJ(^x35L#WAPXj%9QU;?N@O#Rjb z6Z?uSqrnb}hqKD+9nPWABI6Hjt`(+{|zuzsI&$IDWB z7?W47aSH=sHzq|R%kF9)p6W6r5Ov0w6 z(sI7#ILxeR;=2tA!U`lR2~8V(HaMF(^XIps^`i)Z)`+X7@qJ%-myn(HTj07wz1IN{ zfTNTe4(e=-qAYV9XL&lE&Iab8nFQq<5oqLiA*5|nf>zmijmy5gU{lkjo7$}$4#spnO7`OUm;QrwAX&6B#37D**5F-#^PL>H40E&l^3fYiM1-{V02FOIn{jiq? zhaCL<+47;#oS@c^j(CD$MQgD1TeNOyIDTwTSseB4m$q&{y}9n)FLAa0HGR=MfFQ9u zBpO*Ub`&?xN^t9nOr_e^cB<^Sms7eMa$X|2dtITZ^G~eir1iC_8{ckzzfx`g>**K)`%2(xli3^= zQL`T;FqX1jDSV8OpOI2FDWy&UW=km-D5W036pVHN*8T(>1+s*IoGjA#2u~xNC`w9v z_AcpJVDj7{#ALp{S|Fo%eFro>8o5 z7)gHt3qU3;@ieO8W}e?t%lB|&Ma=%j8?1clX>?Ms{$V{^(Y-%vz{-I!b6?_~yMD=$G6ArBc})sxs0H`EyI;;aZ~Twvt*B?p zo+O3KUnO@^31icqhHf1}Ya1axY^}|}$GDXeKqzQL>zPWYX8_Bklna$oSs03PBrqDd z8%P~cgDnZUFMk{}>Y%b$pGf}b+p!=faOir4406diWPV0jYw)9fM*Z+{K7Odgw z+73o{dk8>pY&4N8*}_MOAtUon4@+e%j_(d01qd6gNK;0*{qfA@OuOM%+_Zc<^V(e* zPbx!Otlow6!+`qGv~?hSjHw-oNn3M)EkeupH0lIQ_ss=LsRuC)jx7XDj!LO5z@7tX za7;?b$)*Q^Cj@w|sqYd{Xc*yz5fCy0RHjJ-f_*FkCd;w#ESoeMUmYZKr8PWwJ{P^X znIErj4`usKPB*sRgqz$jv9u?a>`|v}_6{d>+viN6JPWNQLiAdiuKOvu_FnFIqejeY zAsZEm?8J4~*)p+XMu~gOnpVd5d~^-I8slrz81pQFSA|eJwPvA|@>QkO9l%&AWrI>` z0mfG^qoQIRwYB^8!C@dAa-cY$QEr+X%O>gj-c3yb&&U-h#!1x|DDCzNG zA&k+~g+PmCSr1v3wbOOo^^W7DQmNE^z?n*^%YYYwhk+&3)>?qGKLO_fk!T1CbC~S= zXr=HhD=>?uoRe-YE|T8fl+<;3Hy9UUDK)9EoJihxLN93o*; zG_Y-=X^*I9w8h61=R-g!WJ6AjJOQPSL!o6RJY%B6mV|f=#}YV7Ve5m;h?^S7?dc*$ zZlTAtbJy=h)^}rzgKf|g2&9Hk_@E`MHFjq+xoOXV5o79mg`0uG{z!GV-=$!bNn@hq 
z3`b#O9)Ol$8j4VAf>KHb`|fv=hXV}Dfk+rUAGCtDPDq;Pwg;0;8x6Jsd*B-`Itavc zaE_3a=6Bz;%4WJZGW!gv#aVGuPKY#J9X9J;EYEPjcb-S&7mx9UZ7sx*`;T6$BDljs zxVCViqbt)^%KZ7g4Q)d~g<~Xz@S$mE5id8EfZ?Q{znW=ptz&wR3&@Ww$b!CNOgPvw z!p>|`O1T{LYd|MbzTef=m5Cwr{!DZ+Kw&OqMIeZxY3=MSCUjuP?ouFR+Ykx`(%SoW zB^a}wSqU{@pJ5n6WzZu3s446y{43k-hV_%YH}AQe*KhA0l|{#*Rh(9{hp%k!LNZeL zXn#mSi7(ML;yD^44UH4i%l~pZCtUFA?9GomkG%5rtf@Toyznv)$lm%W1nRdJu^}FE zVe8Uqe7osJ8FLo>a%Fl9n#|LO0ch;?ev< zisUYK`8t$wH(DVDI3NUG;DV;mRz93%#i8!ccWr#`7`@eh^j++jmkMq9QHy?Su7@%+ zFZY>`<45z{!hF6_vt?6tYTeFnD$oD=svShVaABypFioOM;0j@9CRA!{VSIh>Se99e z1>g)8$PGaMhat0CA&jw@7Dn)jK0Yu3;CbF#z{=qF-nk#jL`N}`PH}}dW}7)mCE*OTQEigssB zT6@A5X5KxqNY&tZjihx4fG6nk6+6*>1CH*>ocoKjcxZYVi*saG3b&^)p+ZsDRo$(5 zBs@iFj{6VR%&q3uNkytwx}6F|ZbBCNy7Gia&p0Ojr>IDG;kkPVddNJ@ zZl!e>+S`>G!-qXSx(ns+#F*8CLB`*n3S1?noE}`;U{jot<3NUSNDa;>Xs4|x4n`1= zOhIEy?>>#e-(0{7I}oym7O>WVnGYV6QKc}pyw@Te4LmT^o#x*{-BaJ6ue~z1`L@d!{t=l9vFqK{0JZI`NeeE*cQvgoYcpe1|A4J`oy|4%U7Wh2 zjtVzc)H$olDWpOVBk>qi2lo4T`Q0_WftTn_i9H@B}*j3i{ng(4$Mym_Dz0 zz#F!Oe&~nj#7pR1&zdp6d4BI$?_xB0ztHm$XIt>M0I;$m zMuXM90hR|OJs(;E^R59YVdnVW{U!pJVv=-)3E=k0F~zMx1i9>%AujvCxZvr)e;vjc zzgdL`>lvu!A0li_6)zph&mZQtwVkLG&tQbxjZwTtpf(f=WxGPSq*6^7tgn}!+Vpt20M)MEiR zW61IZrt$rLOoIPuLL9T2GvT(ijaN$jJLW;Z0n=SG6VpWCx~@AClgd5>+!Y+3X<+P) zBL)Up65|g~0GK!$;?X|exuxC+1|!^U!7+sZxp9a@_R(Mqqrr^;^-aeA%0R%QOX18p zy&+~cFbnglhwCwg>rWd50k^NTZUYtt{~wKc*#CfusEaY}Ia7dtwQYMQ3{KYe*Wf%% zm%x=kc{BvaPc^0#Oys*_UGKhIFf~eolTnZxm}s?E7?<%4bpTuI4N;O4H)M%Y@GoD2 zjxPAyJCOFFD*?^z#4sz^|H#2dou3q#{8#Ilz=Tw5q&y*^dHNglX9D*HA8mE>`B4!eE7+gP!|~EhZn&;3jm|hpT>2TUkrIUM!?Z9ytc*&C%AwYF{a}RpxUuv>j*=-EIn zjurZQ97GO*nTy_?mbpn(RHyRd=7_<813x2xYMHba8!6GdlUP{t*v!S^o%x7&~!A=~iKk1m0i-tIl-IgGiu zNC+Y!8)l7%BSsi)AEW@8F&!@ebCQ8a8@_ksp5!yOTwCgKaxD4)m#F$bH zU;G!0gD=XC!Ht)|&%bG+?UXyH)658XF|em20rxy*a_XEc!$)VwprsRj|E#eZz;?{S zwofZGP=OKjD9n3Oj>M!<2~0X!g5x~F0hZa?^sQnzZP6RBu@0tH1^pCX${H+yp73kFZh3N!A~E8>%I#4IpDf*?^Cek&E9>N zVuFZIBf>~oi&ATWcKQC!J1nfIu{3P!|FhdOl?vYK@RBxmVrR$2j~u 
zgZ;aKWNR0>cQ1hIa-+drNn@fryNrovZ|ckk{u4M^DGGl5XLx5595)qq?t!OY?k!2S zV;HSZD?%vMDW!ZyDK!Pti6eTJONj$0YVvlx!iyQ=qp=DYGogYFA3_8e+VC)Vmn-ZmiON zgYLle{S16D${Co2+c~xc=Y0XL`wDE`3D@0aB4W%c^E26dQFjRV28MDg>vs)3m{&La zj1Ra7{9}wPOp7cSiZ_DcCT3w?MAsvweAKcc3xx2}TI;Z7S#8N=@{lRre(z=)5)!x( zBN#0Ox_mgga9F?fxn`00P{&Td2>Lsi7qOj8-%^-QGX~DP9goL{VH9s7eeW|nkbFKA z*cburz~rnM!S-OH=Hde!pXoRH?7dh+BN}X(M!SCqyLSvGG50Wn{tZD9;xl|82n=mG h3=?eSa)?&$zX7%t`rW8)@cIA%002ovPDHLkV1fe)c-Q~{ literal 0 HcmV?d00001 diff --git a/Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/README.md b/Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/README.md new file mode 100644 index 000000000000..e69de29bb2d1 diff --git a/Packs/GithubMaltrailFeed/README.md b/Packs/GithubMaltrailFeed/README.md new file mode 100644 index 000000000000..e69de29bb2d1 diff --git a/Packs/GithubMaltrailFeed/pack_metadata.json b/Packs/GithubMaltrailFeed/pack_metadata.json new file mode 100644 index 000000000000..43d2c794b59b --- /dev/null +++ b/Packs/GithubMaltrailFeed/pack_metadata.json 
@@ -0,0 +1,21 @@
+{
+ "name": "Github Maltrail Feed",
+ "description": "Maltrail is a malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails, along with static trails compiled from various AV reports and custom user defined lists, where trail can be anything from domain name (e.g. zvpprsensinaix.com for Banjori malware), URL (e.g. hXXp://109.162.38.120/harsh02.exe for known malicious executable), IP address (e.g. 185.130.5.231 for known attacker) or HTTP User-Agent header value (e.g. sqlmap for automatic SQL injection and database takeover tool). Also, it uses (optional) advanced heuristic mechanisms that can help in discovery of unknown threats (e.g. new malware).\n\nhttps://github.com/stamparm/maltrail",
+ "support": "community",
+ "currentVersion": "1.0.0",
+ "author": "Abel S. Santamarina",
+ "url": "",
+ "email": "",
+ "created": "2023-10-04T21:52:43Z",
+ "categories": ['Utilities', 'Forensics & Malware Analysis', 'Data Enrichment & Threat Intelligence'],
+ "tags": [],
+ "useCases": [],
+ "keywords": [],
+ "marketplaces": [
+ "xsoar",
+ "marketplacev2"
+ ],
+ "githubUser": [
+ "asantamarina"
+ ]
+}
From 3c47597e4a86dbcdbeb5d6a50f41aba53a57ad07 Mon Sep 17 00:00:00 2001
From: MosheEichler
Date: Sun, 5 Nov 2023 13:56:54 +0200
Subject: [PATCH 2/9] pre-commit fixes
---
 .../GithubMaltrailFeed/GithubMaltrailFeed.py | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/GithubMaltrailFeed.py b/Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/GithubMaltrailFeed.py
index cda085f39963..be7a51ff22aa 100644
--- a/Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/GithubMaltrailFeed.py
+++ b/Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/GithubMaltrailFeed.py
@@ -12,7 +12,8 @@ # ############################## OVERWRITE REGEX FORMATTING ############################### regexFlags = re.M # Multi line matching -REGEX_IP = r"\b(?:(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])(?:\[\.\]|\.)){3}(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\b" +RGX_IP = r"\b(?:(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])(?:\[\.\]|\.)){3}(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\b" + class Client(BaseClient): @@ -60,7 +61,7 @@ def http_request(self, url_endpoint, params: dict = None): return res -def fetch_indicators(client: Client, url: str, limit: int=None, params: dict=None): +def fetch_indicators(client: Client, url: str, limit: int = None, params: dict = None): if params: feed_tags = argToList(params.get('feedTags', [])) tlp_color = params.get('tlp_color') @@ -75,7 +76,7 @@ def fetch_indicators(client: Client, url: str, limit: int=None, params: dict=Non for line in lines: if '#' not in line and line != '': type_ = auto_detect_indicator_type(line) - if regex.search(REGEX_IP, line): + if regex.search(RGX_IP, line): if line.startswith('http://'): line = line.removeprefix('http://') elif line.startswith('https://'): @@ -104,7 +105,7 @@ def fetch_indicators(client: Client, url: str, limit: int=None, params: dict=Non indicators_list.append(indicator_obj) # If limit is reached, break loop if limit and isinstance(limit, int): - if len(indicators_list)>=limit: + if len(indicators_list) >= limit: break else: demisto.error(f"Error: {response.status_code} - {response.json()['message']}") 
@@ -136,11 +137,11 @@ def get_last_commit_date(client): return last_commit_date -def fetch_indicators_command(client: Client, params: dict=None): +def fetch_indicators_command(client: Client, params: dict = None): integration_context = get_integration_context() api_url = "/contents/trails/static/malware/qakbot.txt" indicators_list = [] - #First Fetch + # First Fetch if not integration_context: time_of_first_fetch = date_to_timestamp(datetime.now(), DATE_FORMAT) set_integration_context({'time_of_last_fetch': time_of_first_fetch}) @@ -204,6 +205,5 @@ def main(): raise Exception(f'Error in {SOURCE_NAME} Integration [{e}]') - if __name__ in ('__main__', '__builtin__', 'builtins'): main() From 187a44b0173645874d404370385c092c18512b7c Mon Sep 17 00:00:00 2001 From: MosheEichler Date: Sun, 5 Nov 2023 14:09:53 +0200 Subject: [PATCH 3/9] add README.md --- .../GithubMaltrailFeed/GithubMaltrailFeed.yml | 4 +- .../Integrations/GithubMaltrailFeed/README.md | 51 +++++++++++++++++++ 2 files changed, 53 insertions(+), 2 deletions(-) diff --git a/Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/GithubMaltrailFeed.yml b/Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/GithubMaltrailFeed.yml index 1f25c6eac1b6..3f5e207aec3b 100644 --- a/Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/GithubMaltrailFeed.yml +++ b/Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/GithubMaltrailFeed.yml @@ -70,7 +70,7 @@ configuration: required: true type: 15 - defaultvalue: indicatorType - display: "" + display: Feed Expiration Policy name: feedExpirationPolicy options: - never @@ -80,7 +80,7 @@ configuration: required: false type: 17 - defaultvalue: "20160" - display: "" + display: Feed Expiration Interval name: feedExpirationInterval required: false type: 1 diff --git a/Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/README.md b/Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/README.md index e69de29bb2d1..ba478ff4a9da 100644 
--- a/Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/README.md +++ b/Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/README.md 
@@ -0,0 +1,51 @@ +Fetches Indicators from Github Repo https://github.com/stamparm/maltrail + +## Configure Github Maltrail Feed on Cortex XSOAR + +1. Navigate to **Settings** > **Integrations** > **Servers & Services**. +2. Search for Github Maltrail Feed. +3. Click **Add instance** to create and configure a new integration instance. + + | **Parameter** | **Description** | **Required** | + | --- | --- | --- | + | API Token | API Token | True | + | Username of the repository owner, for example: github.com/repos/{user}/{repo}/issues | | True | + | Base URL | | True | + | The name of the requested repository, for example: github.com/repos/{user}/{repo}/issues | | True | + | Trust any certificate (not secure) | | False | + | Use system proxy settings | | False | + | Feed Fetch Interval | | False | + | Fetch indicators | | False | + | Indicator Reputation | Indicators from this integration instance will be marked with this reputation | False | + | Source Reliability | Reliability of the source providing the intelligence data | True | + | Feed Expiration Policy | | False | + | Feed Expiration Interval | | False | + | Bypass exclusion list | When selected, the exclusion list is ignored for indicators from this feed. This means that if an indicator from this feed is on the exclusion list, the indicator might still be added to the system. | False | + | Tags | Supports CSV values. | False | + | Traffic Light Protocol Color | The Traffic Light Protocol \(TLP\) designation to apply to indicators fetched from the feed | False | + +4. Click **Test** to validate the URLs, token, and connection. + +## Commands + +You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. +After you successfully execute a command, a DBot message appears in the War Room with the command details. + +### gh-maltrail-get-indicators + +*** +Get indicators from the feed. 
+ +#### Base Command + +`gh-maltrail-get-indicators` + +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| limit | The maximum number of results to return to the output. Default is 50. | Optional | + +#### Context Output + +There is no context output for this command. From ec9630b010da626978420dffeaafbd9664b5a595 Mon Sep 17 00:00:00 2001 From: MosheEichler Date: Sun, 5 Nov 2023 14:58:50 +0200 Subject: [PATCH 4/9] fix json --- Packs/GithubMaltrailFeed/pack_metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Packs/GithubMaltrailFeed/pack_metadata.json b/Packs/GithubMaltrailFeed/pack_metadata.json index 43d2c794b59b..c7106f3c0d3e 100644 --- a/Packs/GithubMaltrailFeed/pack_metadata.json +++ b/Packs/GithubMaltrailFeed/pack_metadata.json @@ -7,7 +7,7 @@ "url": "", "email": "", "created": "2023-10-04T21:52:43Z", - "categories": ['Utilities', 'Forensics & Malware Analysis', 'Data Enrichment & Threat Intelligence'], + "categories": ["Utilities", "Forensics & Malware Analysis", "Data Enrichment & Threat Intelligence"], "tags": [], "useCases": [], "keywords": [], From 0595d1ce813656acb2774a4cc0f555a77af59dfa Mon Sep 17 00:00:00 2001 From: MosheEichler Date: Sun, 5 Nov 2023 16:07:04 +0200 Subject: [PATCH 5/9] format --- .../Integrations/GithubMaltrailFeed/GithubMaltrailFeed.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/GithubMaltrailFeed.yml b/Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/GithubMaltrailFeed.yml index 3f5e207aec3b..2c16f42780d7 100644 --- a/Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/GithubMaltrailFeed.yml +++ b/Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/GithubMaltrailFeed.yml 
@@ -114,10 +114,12 @@ script:
 description: The maximum number of results to return to the output.
 defaultValue: "50"
 name: gh-maltrail-get-indicators
- description: Get indicators from the feed.
+ description: Get indicators from the feed.
 dockerimage: demisto/python3:3.10.13.78623
 feed: true
 runonce: false
 script: ''
 subtype: python3
 type: python
+tests:
+- No tests (auto formatted)
From 4177ebade3eecf8375d2126d1830198c1a67f229 Mon Sep 17 00:00:00 2001
From: MosheEichler
Date: Sun, 5 Nov 2023 16:07:58 +0200
Subject: [PATCH 6/9] from version
---
 .../Integrations/GithubMaltrailFeed/GithubMaltrailFeed.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/GithubMaltrailFeed.yml b/Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/GithubMaltrailFeed.yml
index 2c16f42780d7..7895fa078720 100644
--- a/Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/GithubMaltrailFeed.yml
+++ b/Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/GithubMaltrailFeed.yml
@@ -123,3 +123,4 @@ script:
 type: python
 tests:
 - No tests (auto formatted)
+fromversion: 6.10.0
From 75e94debb86965c23213fe0bb32ecf99836f612e Mon Sep 17 00:00:00 2001
From: MosheEichler
Date: Sun, 5 Nov 2023 16:09:02 +0200
Subject: [PATCH 7/9] categories
---
 Packs/GithubMaltrailFeed/pack_metadata.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Packs/GithubMaltrailFeed/pack_metadata.json b/Packs/GithubMaltrailFeed/pack_metadata.json
index c7106f3c0d3e..e63af1a63268 100644
--- a/Packs/GithubMaltrailFeed/pack_metadata.json
+++ b/Packs/GithubMaltrailFeed/pack_metadata.json
@@ -7,7 +7,7 @@
 "url": "",
 "email": "",
 "created": "2023-10-04T21:52:43Z",
- "categories": ["Utilities", "Forensics & Malware Analysis", "Data Enrichment & Threat Intelligence"],
+ "categories": ["Data Enrichment & Threat Intelligence"],
 "tags": [],
 "useCases": [],
 "keywords": [],
From bd392437194582ae75c4391594181ab4456c0dcd Mon Sep 17 00:00:00 2001
From: MosheEichler
Date: Sun, 5 Nov 2023 16:12:10 +0200
Subject: [PATCH 8/9] validate fixes
---
 .../Integrations/GithubMaltrailFeed/GithubMaltrailFeed.yml | 6 +++---
 .../Integrations/GithubMaltrailFeed/README.md | 2 --
 2 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/GithubMaltrailFeed.yml b/Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/GithubMaltrailFeed.yml
index 7895fa078720..558a6b549c15 100644
--- a/Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/GithubMaltrailFeed.yml
+++ b/Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/GithubMaltrailFeed.yml
@@ -70,7 +70,7 @@ configuration:
 required: true
 type: 15
 - defaultvalue: indicatorType
- display: Feed Expiration Policy
+ display: ''
 name: feedExpirationPolicy
 options:
 - never
@@ -80,7 +80,7 @@ configuration:
 required: false
 type: 17
 - defaultvalue: "20160"
- display: Feed Expiration Interval
+ display: ''
 name: feedExpirationInterval
 required: false
 type: 1
@@ -115,7 +115,7 @@ script:
 defaultValue: "50"
 name: gh-maltrail-get-indicators
 description: Get indicators from the feed.
- dockerimage: demisto/python3:3.10.13.78623
+ dockerimage: demisto/python3:3.10.13.78960
 feed: true
 runonce: false
 script: ''
diff --git a/Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/README.md b/Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/README.md
index ba478ff4a9da..a0b78e40cc52 100644
--- a/Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/README.md
+++ b/Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/README.md
@@ -18,8 +18,6 @@ Fetches Indicators from Github Repo https://github.com/stamparm/maltrail
 | Fetch indicators | | False |
 | Indicator Reputation | Indicators from this integration instance will be marked with this reputation | False |
 | Source Reliability | Reliability of the source providing the intelligence data | True |
- | Feed Expiration Policy | | False |
- | Feed Expiration Interval | | False |
 | Bypass exclusion list | When selected, the exclusion list is ignored for indicators from this feed. This means that if an indicator from this feed is on the exclusion list, the indicator might still be added to the system. | False |
 | Tags | Supports CSV values. | False |
 | Traffic Light Protocol Color | The Traffic Light Protocol \(TLP\) designation to apply to indicators fetched from the feed | False |
From 0f9fa9277757f1dfbf250f22e41eaca5d528fa84 Mon Sep 17 00:00:00 2001
From: MosheEichler
Date: Sun, 5 Nov 2023 16:19:14 +0200
Subject: [PATCH 9/9] remove f string
---
 .../Integrations/GithubMaltrailFeed/GithubMaltrailFeed.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/GithubMaltrailFeed.py b/Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/GithubMaltrailFeed.py
index be7a51ff22aa..68df9552c8b9 100644
--- a/Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/GithubMaltrailFeed.py
+++ b/Packs/GithubMaltrailFeed/Integrations/GithubMaltrailFeed/GithubMaltrailFeed.py
@@ -154,7 +154,7 @@ def fetch_indicators_command(client: Client, params: dict = None):
 indicators_list = fetch_indicators(client, api_url, None, params)
 set_integration_context({'time_of_last_fetch': now})
 else:
- demisto.debug(f'### Nothing to fetch')
+ demisto.debug('### Nothing to fetch')
 return indicators_list
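Review bot: In the `GithubMaltrailFeed.py` hunk the `else` branch falls through to `return indicators_list`, but the only assignment visible here is inside the fetch branch. Unless the name is initialised before the `if` (the start of `fetch_indicators_command` is outside the hunk), a run with nothing to fetch raises `UnboundLocalError` instead of returning an empty list. Initialising `indicators_list = []` at the top of the function would make the no-op path explicit. Separately, `set_integration_context({'time_of_last_fetch': now})` replaces the stored context wholesale, so a short comment stating that `time_of_last_fetch` is the only key this integration persists would help.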