From 41c899f82d4f2d02a263b3023daa8a5c5abdf1b0 Mon Sep 17 00:00:00 2001 From: pabloperezj Date: Mon, 8 Jul 2024 17:47:39 +0200 Subject: [PATCH 01/28] Add custom fields --- ...nt_VT_Vendors_Which_Flagged_Malicious.json | 26 + .../indicatorfield-VT_Detection_Names.json | 26 + ...ld-VT_Vendors_Which_Flagged_Malicious.json | 26 + .../Integrations/VirusTotalV3/VirusTotalV3.py | 515 ++++++++++++++---- 4 files changed, 483 insertions(+), 110 deletions(-) create mode 100644 Packs/VirusTotal/IndicatorFields/indicatorfield-Count_VT_Vendors_Which_Flagged_Malicious.json create mode 100644 Packs/VirusTotal/IndicatorFields/indicatorfield-VT_Detection_Names.json create mode 100644 Packs/VirusTotal/IndicatorFields/indicatorfield-VT_Vendors_Which_Flagged_Malicious.json diff --git a/Packs/VirusTotal/IndicatorFields/indicatorfield-Count_VT_Vendors_Which_Flagged_Malicious.json b/Packs/VirusTotal/IndicatorFields/indicatorfield-Count_VT_Vendors_Which_Flagged_Malicious.json new file mode 100644 index 000000000000..aa4265b01265 --- /dev/null +++ b/Packs/VirusTotal/IndicatorFields/indicatorfield-Count_VT_Vendors_Which_Flagged_Malicious.json @@ -0,0 +1,26 @@ +{ + "associatedToAll": true, + "caseInsensitive": true, + "cliName": "countvtvendorswhichflaggedmalicious", + "closeForm": false, + "content": true, + "editForm": true, + "group": 2, + "hidden": false, + "id": "indicator_count_vt_vendors_which_flagged_malicious", + "isReadOnly": false, + "locked": false, + "name": "Count VT Vendors Which Flagged Malicious", + "neverSetAsRequired": false, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "threshold": 72, + "type": "number", + "unmapped": false, + "unsearchable": false, + "useAsKpi": true, + "version": -1, + "fromVersion": "5.5.0" +} \ No newline at end of file 
diff --git a/Packs/VirusTotal/IndicatorFields/indicatorfield-VT_Detection_Names.json b/Packs/VirusTotal/IndicatorFields/indicatorfield-VT_Detection_Names.json new file mode 100644 index 000000000000..aa1267e24180 --- /dev/null +++ b/Packs/VirusTotal/IndicatorFields/indicatorfield-VT_Detection_Names.json @@ -0,0 +1,26 @@ +{ + "associatedToAll": true, + "caseInsensitive": true, + "cliName": "vtdetectionnames", + "closeForm": false, + "content": true, + "editForm": true, + "group": 2, + "hidden": false, + "id": "indicator_vt_detection_names", + "isReadOnly": false, + "locked": false, + "name": "VT Detection Names", + "neverSetAsRequired": false, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "threshold": 72, + "type": "tagsSelect", + "unmapped": false, + "unsearchable": false, + "useAsKpi": true, + "version": -1, + "fromVersion": "5.5.0" +} \ No newline at end of file diff --git a/Packs/VirusTotal/IndicatorFields/indicatorfield-VT_Vendors_Which_Flagged_Malicious.json b/Packs/VirusTotal/IndicatorFields/indicatorfield-VT_Vendors_Which_Flagged_Malicious.json new file mode 100644 index 000000000000..1732f7bceda3 --- /dev/null +++ b/Packs/VirusTotal/IndicatorFields/indicatorfield-VT_Vendors_Which_Flagged_Malicious.json @@ -0,0 +1,26 @@ +{ + "associatedToAll": true, + "caseInsensitive": true, + "cliName": "vtvendorswhichflaggedmalicious", + "closeForm": false, + "content": true, + "editForm": true, + "group": 2, + "hidden": false, + "id": "indicator_vt_vendors_which_flagged_malicious", + "isReadOnly": false, + "locked": false, + "name": "VT Vendors Which Flagged Malicious", + "neverSetAsRequired": false, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "threshold": 72, + "type": "tagsSelect", + "unmapped": false, + "unsearchable": false, + "useAsKpi": true, + "version": -1, + "fromVersion": "5.5.0" +} \ No newline at end of file 
diff --git a/Packs/VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.py b/Packs/VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.py
index 14433ce1b96f..31f378f96aa9 100644
--- a/Packs/VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.py
+++ b/Packs/VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.py
@@ -96,6 +96,156 @@ } +class VTFile(Common.File): + """VT File Indicator.""" + + def __init__( + self, + dbot_score, + count_vt_vendors_which_flagged_malicious=None, + vt_vendors_which_flagged_malicious=None, + vt_detection_names=None, + **kwargs + ): + super().__init__( + dbot_score, + **kwargs + ) + + self.count_vt_vendors_which_flagged_malicious = count_vt_vendors_which_flagged_malicious + self.vt_vendors_which_flagged_malicious = vt_vendors_which_flagged_malicious + self.vt_detection_names = vt_detection_names + + def to_context(self): + context = super().to_context() + file_context = context[Common.File.CONTEXT_PATH] + + if self.count_vt_vendors_which_flagged_malicious is not None: + file_context['Count VT Vendors Which Flagged Malicious'] = self.count_vt_vendors_which_flagged_malicious + + if self.vt_vendors_which_flagged_malicious is not None: + file_context['VT Vendors Which Flagged Malicious'] = self.vt_vendors_which_flagged_malicious + + if self.vt_detection_names is not None: + file_context['VT Detection Names'] = self.vt_detection_names + + return context + + +class VTIP(Common.IP): + """VT IP Indicator.""" + + def __init__( + self, + ip, + dbot_score, + count_vt_vendors_which_flagged_malicious=None, + vt_vendors_which_flagged_malicious=None, + vt_detection_names=None, + **kwargs + ): + super().__init__( + ip, + dbot_score, + **kwargs + ) + + self.count_vt_vendors_which_flagged_malicious = count_vt_vendors_which_flagged_malicious + self.vt_vendors_which_flagged_malicious = vt_vendors_which_flagged_malicious + self.vt_detection_names = vt_detection_names + + def to_context(self): + context = super().to_context() + file_context = context[Common.IP.CONTEXT_PATH] + + if self.count_vt_vendors_which_flagged_malicious is not None: + file_context['Count VT Vendors Which Flagged Malicious'] = self.count_vt_vendors_which_flagged_malicious + + if self.vt_vendors_which_flagged_malicious is not None: + file_context['VT Vendors Which Flagged Malicious'] = 
self.vt_vendors_which_flagged_malicious + + if self.vt_detection_names is not None: + file_context['VT Detection Names'] = self.vt_detection_names + + return context + + +class VTURL(Common.URL): + """VT URL Indicator.""" + + def __init__( + self, + url, + dbot_score, + count_vt_vendors_which_flagged_malicious=None, + vt_vendors_which_flagged_malicious=None, + vt_detection_names=None, + **kwargs + ): + super().__init__( + url, + dbot_score, + **kwargs + ) + + self.count_vt_vendors_which_flagged_malicious = count_vt_vendors_which_flagged_malicious + self.vt_vendors_which_flagged_malicious = vt_vendors_which_flagged_malicious + self.vt_detection_names = vt_detection_names + + def to_context(self): + context = super().to_context() + file_context = context[Common.URL.CONTEXT_PATH] + + if self.count_vt_vendors_which_flagged_malicious is not None: + file_context['Count VT Vendors Which Flagged Malicious'] = self.count_vt_vendors_which_flagged_malicious + + if self.vt_vendors_which_flagged_malicious is not None: + file_context['VT Vendors Which Flagged Malicious'] = self.vt_vendors_which_flagged_malicious + + if self.vt_detection_names is not None: + file_context['VT Detection Names'] = self.vt_detection_names + + return context + + +class VTDomain(Common.Domain): + """VT Domain Indicator.""" + + def __init__( + self, + domain, + dbot_score, + count_vt_vendors_which_flagged_malicious=None, + vt_vendors_which_flagged_malicious=None, + vt_detection_names=None, + **kwargs + ): + super().__init__( + domain, + dbot_score, + **kwargs + ) + + self.count_vt_vendors_which_flagged_malicious = count_vt_vendors_which_flagged_malicious + self.vt_vendors_which_flagged_malicious = vt_vendors_which_flagged_malicious + self.vt_detection_names = vt_detection_names + + def to_context(self): + context = super().to_context() + file_context = context[Common.Domain.CONTEXT_PATH] + + if self.count_vt_vendors_which_flagged_malicious is not None: + file_context['Count VT Vendors Which Flagged 
Malicious'] = self.count_vt_vendors_which_flagged_malicious + + if self.vt_vendors_which_flagged_malicious is not None: + file_context['VT Vendors Which Flagged Malicious'] = self.vt_vendors_which_flagged_malicious + + if self.vt_detection_names is not None: + file_context['VT Detection Names'] = self.vt_detection_names + + return context + + class Client(BaseClient): """ Attributes: 
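Review bot: The four new indicator classes repeat the same constructor and `to_context` body verbatim, and in VTIP, VTURL and VTDomain the local is still named `file_context` although it holds the IP, URL or Domain context. A small mixin that pops the three VT keyword arguments, stores them and appends them in `to_context` through `self.CONTEXT_PATH` would leave each class as a one-line declaration such as `class VTFile(VTIndicatorMixin, Common.File): """VT File Indicator."""`, with the three context keys spelled out once. The values written under those keys are engine names and verdict strings taken from the VirusTotal response as given, which the mixin docstring is the natural place to say. The four class bodies are fully inside the hunk; `Client` begins here and continues outside it.
```python
class VTIndicatorMixin:
    """Adds the three VT custom fields to a Common.* indicator's context.

    The vendor and detection-name values are strings copied from the
    VirusTotal `last_analysis_results` entries; they are stored as given.
    """

    def __init__(self, *args, count_vt_vendors_which_flagged_malicious=None,
                 vt_vendors_which_flagged_malicious=None, vt_detection_names=None, **kwargs):
        super().__init__(*args, **kwargs)
        self.count_vt_vendors_which_flagged_malicious = count_vt_vendors_which_flagged_malicious
        self.vt_vendors_which_flagged_malicious = vt_vendors_which_flagged_malicious
        self.vt_detection_names = vt_detection_names

    def to_context(self):
        context = super().to_context()
        indicator_context = context[self.CONTEXT_PATH]
        if self.count_vt_vendors_which_flagged_malicious is not None:
            indicator_context['Count VT Vendors Which Flagged Malicious'] = self.count_vt_vendors_which_flagged_malicious
        if self.vt_vendors_which_flagged_malicious is not None:
            indicator_context['VT Vendors Which Flagged Malicious'] = self.vt_vendors_which_flagged_malicious
        if self.vt_detection_names is not None:
            indicator_context['VT Detection Names'] = self.vt_detection_names
        return context


class VTFile(VTIndicatorMixin, Common.File):
    """VT File Indicator."""


# … unchanged pattern: VTIP, VTURL, VTDomain declared the same way over Common.IP, Common.URL, Common.Domain …
```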
@@ -1320,29 +1470,45 @@ def build_skipped_enrichment_ip_output(client: Client, ip: str) -> CommandResult 'was not enriched. Reputation lookups have been disabled for private IP addresses.') -def build_domain_output( - client: Client, - score_calculator: ScoreCalculator, - domain: str, - raw_response: dict, - extended_data: bool): +def _get_domain_indicator(client: Client, score_calculator: ScoreCalculator, domain: str, raw_response: dict): data = raw_response.get('data', {}) attributes = data.get('attributes', {}) last_analysis_stats = attributes.get('last_analysis_stats', {}) - positive_engines = last_analysis_stats.get('malicious', 0) detection_engines = sum(last_analysis_stats.values()) - relationships_response = data.get('relationships', {}) - whois: defaultdict = get_whois(attributes.get('whois', '')) + positive_detections = last_analysis_stats.get('malicious', 0) + whois = get_whois(attributes.get('whois', '')) + score = score_calculator.domain_score(domain, raw_response) - if score != Common.DBotScore.BAD and client.is_premium: - score = score_calculator.analyze_premium_domain_score(client, domain, score) + logs = score_calculator.get_logs() demisto.debug(logs) - relationships_list = create_relationships(entity_a=domain, entity_a_type=FeedIndicatorType.Domain, - relationships_response=relationships_response, - reliability=client.reliability) - domain_indicator = Common.Domain( + + relationships_response = data.get('relationships', {}) + relationships_list = create_relationships( + entity_a=domain, + entity_a_type=FeedIndicatorType.Domain, + relationships_response=relationships_response, + reliability=client.reliability + ) + + vt_vendors_which_flagged_malicious = { + x['engine_name']: x['result'] for x in attributes.get('last_analysis_results', {}).values() + if x.get('category') == 'malicious' + } + + return VTDomain( domain=domain, + dbot_score=Common.DBotScore( + domain, + DBotScoreType.DOMAIN, + INTEGRATION_NAME, + score=score, + 
malicious_description=logs, + reliability=client.reliability, + ), + count_vt_vendors_which_flagged_malicious=len(vt_vendors_which_flagged_malicious), + vt_vendors_which_flagged_malicious=list(vt_vendors_which_flagged_malicious.keys()), + vt_detection_names=list(vt_vendors_which_flagged_malicious.values()), name_servers=whois['Name Server'], creation_date=whois['Creation Date'], updated_date=whois['Updated Date'], 
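Review bot: The premium re-scoring step is silently dropped: the removed lines `if score != Common.DBotScore.BAD and client.is_premium: score = score_calculator.analyze_premium_domain_score(client, domain, score)` have no counterpart in `_get_domain_indicator`, so premium API keys now get the same verdict as free ones unless that method is retired elsewhere in the series, which this commit does not show. The same two lines disappear from the URL and IP paths in the next hunk (`analyze_premium_url_score`, `analyze_premium_ip_score`). Either restore the check right after `score = score_calculator.domain_score(domain, raw_response)` or say in the commit message that premium analysis is intentionally removed. Separately, the new comprehension indexes `x['engine_name']` and `x['result']` while the rest of the function reads the response with `.get(...)`; a VT result entry missing either key would raise KeyError inside the reputation command, so `x.get('engine_name')` / `x.get('result')` is the safer read. `_get_domain_indicator` continues into the next hunk.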
@@ -1355,20 +1521,192 @@ def build_domain_output( registrar_name=whois['Registrar'], registrar_abuse_email=whois['Registrar Abuse Contact Email'], registrar_abuse_phone=whois['Registrar Abuse Contact Phone'], + detection_engines=detection_engines, + positive_detections=positive_detections, + relationships=relationships_list, + ) + + +def _get_url_indicator(client: Client, score_calculator: ScoreCalculator, url: str, raw_response: dict): + data = raw_response.get('data', {}) + attributes = data.get('attributes', {}) + last_analysis_stats = attributes.get('last_analysis_stats', {}) + detection_engines = sum(last_analysis_stats.values()) + positive_detections = last_analysis_stats.get('malicious', 0) + + score = score_calculator.url_score(url, raw_response) + + logs = score_calculator.get_logs() + demisto.debug(logs) + + relationships_response = data.get('relationships', {}) + relationships_list = create_relationships( + entity_a=url, + entity_a_type=FeedIndicatorType.URL, + relationships_response=relationships_response, + reliability=client.reliability + ) + + vt_vendors_which_flagged_malicious = { + x['engine_name']: x['result'] for x in attributes.get('last_analysis_results', {}).values() + if x.get('category') == 'malicious' + } + + return VTURL( + url, dbot_score=Common.DBotScore( - domain, - DBotScoreType.DOMAIN, + url, + DBotScoreType.URL, INTEGRATION_NAME, score=score, + reliability=client.reliability, malicious_description=logs, - reliability=client.reliability ), - relationships=relationships_list + count_vt_vendors_which_flagged_malicious=len(vt_vendors_which_flagged_malicious), + vt_vendors_which_flagged_malicious=list(vt_vendors_which_flagged_malicious.keys()), + vt_detection_names=list(vt_vendors_which_flagged_malicious.values()), + category=attributes.get('categories'), + detection_engines=detection_engines, + positive_detections=positive_detections, + relationships=relationships_list, + ) + + +def _get_ip_indicator(client: Client, score_calculator: 
ScoreCalculator, ip: str, raw_response: dict): + data = raw_response.get('data', {}) + attributes = data.get('attributes', {}) + last_analysis_stats = attributes.get('last_analysis_stats', {}) + detection_engines = sum(last_analysis_stats.values()) + positive_engines = last_analysis_stats.get('malicious', 0) + + score = score_calculator.ip_score(ip, raw_response) + + logs = score_calculator.get_logs() + demisto.debug(logs) + + relationships_response = data.get('relationships', {}) + relationships_list = create_relationships( + entity_a=ip, + entity_a_type=FeedIndicatorType.IP, + relationships_response=relationships_response, + reliability=client.reliability + ) + + vt_vendors_which_flagged_malicious = { + x['engine_name']: x['result'] for x in attributes.get('last_analysis_results', {}).values() + if x.get('category') == 'malicious' + } + + return VTIP( + ip, + dbot_score=Common.DBotScore( + ip, + DBotScoreType.IP, + INTEGRATION_NAME, + score=score, + malicious_description=logs, + reliability=client.reliability, + ), + count_vt_vendors_which_flagged_malicious=len(vt_vendors_which_flagged_malicious), + vt_vendors_which_flagged_malicious=list(vt_vendors_which_flagged_malicious.keys()), + vt_detection_names=list(vt_vendors_which_flagged_malicious.values()), + asn=attributes.get('asn'), + geo_country=attributes.get('country'), + detection_engines=detection_engines, + positive_engines=positive_engines, + as_owner=attributes.get('as_owner'), + relationships=relationships_list, ) + + +def _get_file_indicator(client: Client, score_calculator: ScoreCalculator, file_hash: str, raw_response: dict): + data = raw_response.get('data', {}) + attributes = data.get('attributes', {}) + exiftool = attributes.get('exiftool', {}) + signature_info = attributes.get('signature_info', {}) + + score = score_calculator.file_score(file_hash, raw_response) + + logs = score_calculator.get_logs() + demisto.debug(logs) + + relationships_response = data.get('relationships', {}) + 
relationships_list = create_relationships( + entity_a=file_hash, + entity_a_type=FeedIndicatorType.File, + relationships_response=relationships_response, + reliability=client.reliability + ) + + vt_vendors_which_flagged_malicious = { + x['engine_name']: x['result'] for x in attributes.get('last_analysis_results', {}).values() + if x.get('category') == 'malicious' + } + + return VTFile( + dbot_score=Common.DBotScore( + file_hash, + DBotScoreType.FILE, + integration_name=INTEGRATION_NAME, + score=score, + malicious_description=logs, + reliability=client.reliability, + ), + count_vt_vendors_which_flagged_malicious=len(vt_vendors_which_flagged_malicious), + vt_vendors_which_flagged_malicious=list(vt_vendors_which_flagged_malicious.keys()), + vt_detection_names=list(vt_vendors_which_flagged_malicious.values()), + name=exiftool.get('OriginalFileName'), + size=attributes.get('size'), + sha1=attributes.get('sha1'), + sha256=attributes.get('sha256'), + file_type=exiftool.get('MIMEType'), + md5=attributes.get('md5'), + ssdeep=attributes.get('ssdeep'), + extension=exiftool.get('FileTypeExtension'), + company=exiftool.get('CompanyName'), + product_name=exiftool.get('ProductName'), + tags=attributes.get('tags'), + signature=Common.FileSignature( + authentihash=attributes.get('authentihash'), + copyright=signature_info.get('copyright'), + file_version=signature_info.get('file version'), + description=signature_info.get('description'), + internal_name=signature_info.get('internal name'), + original_name=signature_info.get('original name'), + ), + relationships=relationships_list, + ) + + +def build_domain_output( + client: Client, + score_calculator: ScoreCalculator, + domain: str, + raw_response: dict, + extended_data: bool +) -> CommandResults: + data = raw_response.get('data', {}) + attributes = data.get('attributes', {}) + + last_analysis_stats = attributes.get('last_analysis_stats', {}) + positive_engines = last_analysis_stats.get('malicious', 0) + detection_engines = 
sum(last_analysis_stats.values()) + + whois = get_whois(attributes.get('whois', '')) + + relationships_response = data.get('relationships', {}) + relationships_list = create_relationships( + entity_a=domain, + entity_a_type=FeedIndicatorType.Domain, + relationships_response=relationships_response, + reliability=client.reliability + ) + + domain_indicator = _get_domain_indicator(client, score_calculator, domain, raw_response) + if not extended_data: data = decrease_data_size(data) - attributes = data.get('attributes', {}) return CommandResults( outputs_prefix=f'{INTEGRATION_ENTRY_CONTEXT}.Domain', outputs_key_field='id', 
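Review bot: The dict comprehension over `last_analysis_results` is copied verbatim into `_get_url_indicator`, `_get_ip_indicator` and `_get_file_indicator` (and into `_get_domain_indicator` in the previous hunk), and each copy is immediately unpacked into the same three keyword arguments. One helper returning those kwargs would reduce the four call sites to `**_vt_malicious_fields(attributes)`, give one place to document that the lists hold engine names and free-text verdict strings from the VirusTotal response, and be the one place to tolerate an entry without `engine_name`/`result` or a null `last_analysis_results`. `_get_file_indicator` is fully inside the hunk; `build_domain_output` begins here and continues in the next hunk.
```python
def _vt_malicious_fields(attributes: dict) -> dict:
    """Return the three VT custom-field kwargs derived from `last_analysis_results`.

    Only entries whose category is 'malicious' are kept; engine names and
    verdict strings are taken from the VirusTotal response as given.
    """
    flagged = {
        entry.get('engine_name'): entry.get('result')
        for entry in (attributes.get('last_analysis_results') or {}).values()
        if entry.get('category') == 'malicious'
    }
    return {
        'count_vt_vendors_which_flagged_malicious': len(flagged),
        'vt_vendors_which_flagged_malicious': list(flagged.keys()),
        'vt_detection_names': list(flagged.values()),
    }


def _get_file_indicator(client: Client, score_calculator: ScoreCalculator, file_hash: str, raw_response: dict):
    # … unchanged: data/attributes lookup, scoring, relationships …
    return VTFile(
        dbot_score=Common.DBotScore(
            # … unchanged …
        ),
        **_vt_malicious_fields(attributes),
        # … unchanged: name, size, hashes, exiftool fields, signature, relationships …
    )
```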
@@ -1407,37 +1745,25 @@ def build_url_output( extended_data: bool ) -> CommandResults: data = raw_response.get('data', {}) - score = score_calculator.url_score(url, raw_response) - if score != Common.DBotScore.BAD and client.is_premium: - score = score_calculator.analyze_premium_url_score(client, url, score) - logs = score_calculator.get_logs() - demisto.debug(logs) - # creating readable output attributes = data.get('attributes', {}) + last_analysis_stats = attributes.get('last_analysis_stats', {}) - relationships_response = data.get('relationships', {}) positive_detections = last_analysis_stats.get('malicious', 0) detection_engines = sum(last_analysis_stats.values()) - relationships_list = create_relationships(entity_a=url, entity_a_type=FeedIndicatorType.URL, - relationships_response=relationships_response, - reliability=client.reliability) - url_indicator = Common.URL( - url, - category=attributes.get('categories'), - detection_engines=detection_engines, - positive_detections=positive_detections, - relationships=relationships_list, - dbot_score=Common.DBotScore( - url, - DBotScoreType.URL, - INTEGRATION_NAME, - score=score, - reliability=client.reliability, - malicious_description=logs - ) + + relationships_response = data.get('relationships', {}) + relationships_list = create_relationships( + entity_a=url, + entity_a_type=FeedIndicatorType.URL, + relationships_response=relationships_response, + reliability=client.reliability ) + + url_indicator = _get_url_indicator(client, score_calculator, url, raw_response) + if not extended_data: data = decrease_data_size(data) + return CommandResults( outputs_prefix=f'{INTEGRATION_ENTRY_CONTEXT}.URL', outputs_key_field='id', 
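Review bot: `create_relationships` now runs twice per URL lookup: once here into `relationships_list` and once more inside `_get_url_indicator`, which builds its own list for the indicator. If the rest of `build_url_output` (outside this hunk) still needs the list, read it back from the indicator instead, e.g. `relationships_list = url_indicator.relationships` provided the `Common.URL` base keeps it under that attribute; otherwise the block from `relationships_response = data.get('relationships', {})` through its closing `)` can go. `build_ip_output` and `build_file_output` in the following hunks carry the same duplicated call. The remainder of the function body is outside the hunk.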
@@ -1469,41 +1795,33 @@ def build_url_output( ) -def build_ip_output(client: Client, score_calculator: ScoreCalculator, ip: str, raw_response: dict, - extended_data: bool) -> CommandResults: - score = score_calculator.ip_score(ip, raw_response) - if score != Common.DBotScore.BAD and client.is_premium: - score = score_calculator.analyze_premium_ip_score(client, ip, score) - logs = score_calculator.get_logs() - demisto.debug(logs) +def build_ip_output( + client: Client, + score_calculator: ScoreCalculator, + ip: str, + raw_response: dict, + extended_data: bool +) -> CommandResults: data = raw_response.get('data', {}) attributes = data.get('attributes', {}) - relationships_response = data.get('relationships', {}) - last_analysis_stats = attributes.get('last_analysis_stats') + + last_analysis_stats = attributes.get('last_analysis_stats', {}) positive_engines = last_analysis_stats.get('malicious', 0) detection_engines = sum(last_analysis_stats.values()) - relationships_list = create_relationships(entity_a=ip, entity_a_type=FeedIndicatorType.IP, - relationships_response=relationships_response, - reliability=client.reliability) - ip_indicator = Common.IP( - ip, - asn=attributes.get('asn'), - geo_country=attributes.get('country'), - detection_engines=detection_engines, - positive_engines=positive_engines, - as_owner=attributes.get('as_owner'), - relationships=relationships_list, - dbot_score=Common.DBotScore( - ip, - DBotScoreType.IP, - INTEGRATION_NAME, - score=score, - malicious_description=logs, - reliability=client.reliability - ) + + relationships_response = data.get('relationships', {}) + relationships_list = create_relationships( + entity_a=ip, + entity_a_type=FeedIndicatorType.IP, + relationships_response=relationships_response, + reliability=client.reliability ) + + ip_indicator = _get_ip_indicator(client, score_calculator, ip, raw_response) + if not extended_data: data = decrease_data_size(data) + return CommandResults( 
outputs_prefix=f'{INTEGRATION_ENTRY_CONTEXT}.IP', outputs_key_field='id', 
@@ -1533,48 +1851,25 @@ def build_file_output( extended_data: bool ) -> CommandResults: data = raw_response.get('data', {}) - attributes = data.get('attributes') + attributes = data.get('attributes', {}) + + last_analysis_stats = attributes.get('last_analysis_stats', {}) + malicious = last_analysis_stats.get('malicious', 0) + total = sum(last_analysis_stats.values()) + relationships_response = data.get('relationships', {}) - score = score_calculator.file_score(file_hash, raw_response) - logs = score_calculator.get_logs() - demisto.debug(logs) - signature_info = attributes.get('signature_info', {}) - exiftool = attributes.get('exiftool', {}) - relationships_list = create_relationships(entity_a=file_hash, entity_a_type=FeedIndicatorType.File, - relationships_response=relationships_response, - reliability=client.reliability) - file_indicator = Common.File( - dbot_score=Common.DBotScore( - file_hash, - DBotScoreType.FILE, - integration_name=INTEGRATION_NAME, - score=score, - malicious_description=logs, - reliability=client.reliability - ), - name=exiftool.get('OriginalFileName'), - size=attributes.get('size'), - sha1=attributes.get('sha1'), - sha256=attributes.get('sha256'), - file_type=exiftool.get('MIMEType'), - md5=attributes.get('md5'), - ssdeep=attributes.get('ssdeep'), - extension=exiftool.get('FileTypeExtension'), - company=exiftool.get('CompanyName'), - product_name=exiftool.get('ProductName'), - tags=attributes.get('tags'), - signature=Common.FileSignature( - authentihash=attributes.get('authentihash'), - copyright=signature_info.get('copyright'), - file_version=signature_info.get('file version'), - description=signature_info.get('description'), - internal_name=signature_info.get('internal name'), - original_name=signature_info.get('original name') - ), - relationships=relationships_list + relationships_list = create_relationships( + entity_a=file_hash, + entity_a_type=FeedIndicatorType.File, + relationships_response=relationships_response, + 
reliability=client.reliability ) + + file_indicator = _get_file_indicator(client, score_calculator, file_hash, raw_response) + if not extended_data: data = decrease_data_size(data) + last_analysis_stats = attributes.get("last_analysis_stats", {}) malicious = last_analysis_stats.get('malicious', 0) total = sum(last_analysis_stats.values()) From aa77f1364292e49885b4bba961ac243b4933f008 Mon Sep 17 00:00:00 2001 From: pabloperezj Date: Mon, 8 Jul 2024 17:56:10 +0200 Subject: [PATCH 02/28] nit --- ...torfield-Count_VT_Vendors_Which_Flagged_Malicious.json | 2 +- .../indicatorfield-VT_Detection_Names.json | 2 +- ...indicatorfield-VT_Vendors_Which_Flagged_Malicious.json | 2 +- .../VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.py | 8 ++++---- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/Packs/VirusTotal/IndicatorFields/indicatorfield-Count_VT_Vendors_Which_Flagged_Malicious.json b/Packs/VirusTotal/IndicatorFields/indicatorfield-Count_VT_Vendors_Which_Flagged_Malicious.json index aa4265b01265..b156e5c0e6f8 100644 --- a/Packs/VirusTotal/IndicatorFields/indicatorfield-Count_VT_Vendors_Which_Flagged_Malicious.json +++ b/Packs/VirusTotal/IndicatorFields/indicatorfield-Count_VT_Vendors_Which_Flagged_Malicious.json @@ -23,4 +23,4 @@ "useAsKpi": true, "version": -1, "fromVersion": "5.5.0" -} \ No newline at end of file +} diff --git a/Packs/VirusTotal/IndicatorFields/indicatorfield-VT_Detection_Names.json b/Packs/VirusTotal/IndicatorFields/indicatorfield-VT_Detection_Names.json index aa1267e24180..59af71c45f5f 100644 --- a/Packs/VirusTotal/IndicatorFields/indicatorfield-VT_Detection_Names.json +++ b/Packs/VirusTotal/IndicatorFields/indicatorfield-VT_Detection_Names.json @@ -23,4 +23,4 @@ "useAsKpi": true, "version": -1, "fromVersion": "5.5.0" -} \ No newline at end of file +} 
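Review bot: The added `last_analysis_stats`, `malicious` and `total` assignments at the top of `build_file_output` are recomputed verbatim by the existing lines that follow `decrease_data_size` (`last_analysis_stats = attributes.get("last_analysis_stats", {})`, `malicious = last_analysis_stats.get('malicious', 0)`, `total = sum(last_analysis_stats.values())`), so one of the two sets is dead. Keep the new early set, which follows the `attributes = data.get('attributes', {})` fix, and drop the three later lines. The function continues past the hunk.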
diff --git a/Packs/VirusTotal/IndicatorFields/indicatorfield-VT_Vendors_Which_Flagged_Malicious.json b/Packs/VirusTotal/IndicatorFields/indicatorfield-VT_Vendors_Which_Flagged_Malicious.json index 1732f7bceda3..ad653f6c7b3e 100644 --- a/Packs/VirusTotal/IndicatorFields/indicatorfield-VT_Vendors_Which_Flagged_Malicious.json +++ b/Packs/VirusTotal/IndicatorFields/indicatorfield-VT_Vendors_Which_Flagged_Malicious.json @@ -23,4 +23,4 @@ "useAsKpi": true, "version": -1, "fromVersion": "5.5.0" -} \ No newline at end of file +} diff --git a/Packs/VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.py b/Packs/VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.py index 31f378f96aa9..1187c60d3baf 100644 --- a/Packs/VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.py +++ b/Packs/VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.py @@ -118,7 +118,7 @@ def __init__( def to_context(self): context = super().to_context() - file_context = context[Common.File.CONTEXT_PATH] + file_context = context[super().CONTEXT_PATH] if self.count_vt_vendors_which_flagged_malicious is not None: file_context['Count VT Vendors Which Flagged Malicious'] = self.count_vt_vendors_which_flagged_malicious @@ -156,7 +156,7 @@ def __init__( def to_context(self): context = super().to_context() - file_context = context[Common.IP.CONTEXT_PATH] + file_context = context[super().CONTEXT_PATH] if self.count_vt_vendors_which_flagged_malicious is not None: file_context['Count VT Vendors Which Flagged Malicious'] = self.count_vt_vendors_which_flagged_malicious @@ -194,7 +194,7 @@ def __init__( def to_context(self): context = super().to_context() - file_context = context[Common.URL.CONTEXT_PATH] + file_context = context[super().CONTEXT_PATH] if self.count_vt_vendors_which_flagged_malicious is not None: file_context['Count VT Vendors Which Flagged Malicious'] = self.count_vt_vendors_which_flagged_malicious 
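Review bot: `super().CONTEXT_PATH` reads a class attribute through the super proxy, which works but skips any override on the subclass itself; `self.CONTEXT_PATH` is the usual form and honours a subclass override. The same substitution appears in the three sibling hunks at `-156`, `-194` and `-232`. While touching these lines, renaming `file_context` to `indicator_context` in VTIP, VTURL and VTDomain would remove the misleading name.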
@@ -232,7 +232,7 @@ def __init__( def to_context(self): context = super().to_context() - file_context = context[Common.Domain.CONTEXT_PATH] + file_context = context[super().CONTEXT_PATH] if self.count_vt_vendors_which_flagged_malicious is not None: file_context['Count VT Vendors Which Flagged Malicious'] = self.count_vt_vendors_which_flagged_malicious From f1179e8ae8b0aefa273431a92a4c1c047910477c Mon Sep 17 00:00:00 2001 From: pabloperezj Date: Mon, 8 Jul 2024 18:06:42 +0200 Subject: [PATCH 03/28] Lint --- Packs/VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Packs/VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.py b/Packs/VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.py index 1187c60d3baf..c1fb5fa70271 100644 --- a/Packs/VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.py +++ b/Packs/VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.py @@ -1701,7 +1701,7 @@ def build_domain_output( relationships_response=relationships_response, reliability=client.reliability ) - + domain_indicator = _get_domain_indicator(client, score_calculator, domain, raw_response) if not extended_data: From 7a3460d1b66d418130d1a75fd0b26ea4d636cd9f Mon Sep 17 00:00:00 2001 From: pabloperezj Date: Mon, 8 Jul 2024 18:07:19 +0200 Subject: [PATCH 04/28] Update docker image --- Packs/VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Packs/VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.yml b/Packs/VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.yml index c4656f24a653..b1693bb5c793 100644 --- a/Packs/VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.yml +++ b/Packs/VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.yml @@ -1666,7 +1666,7 @@ script: description: The analysis ID. type: String - dockerimage: demisto/python3:3.10.13.89009 + dockerimage: demisto/python3:3.11.9.101916 tests: - VirusTotalV3-test - VirusTotal (API v3) Detonate Test 
From f2a6b9d0503e2c4879b1a0d3c4a5fcffc4079c9a Mon Sep 17 00:00:00 2001 From: pabloperezj Date: Tue, 9 Jul 2024 10:53:05 +0200 Subject: [PATCH 05/28] Update readme and release notes --- .../Integrations/VirusTotalV3/README.md | 23 +++++++++++++++++++ Packs/VirusTotal/ReleaseNotes/2_6_21.md | 7 ++++++ Packs/VirusTotal/pack_metadata.json | 2 +- 3 files changed, 31 insertions(+), 1 deletion(-) create mode 100644 Packs/VirusTotal/ReleaseNotes/2_6_21.md diff --git a/Packs/VirusTotal/Integrations/VirusTotalV3/README.md b/Packs/VirusTotal/Integrations/VirusTotalV3/README.md index f8b6e8e918ec..37f693eceba8 100644 --- a/Packs/VirusTotal/Integrations/VirusTotalV3/README.md +++ b/Packs/VirusTotal/Integrations/VirusTotalV3/README.md @@ -186,6 +186,9 @@ Checks the file reputation of the specified hash. | File.Malicious.Vendor | String | For malicious files, the vendor that made the decision. | | File.Malicious.Detections | Number | For malicious files, the total number of detections. | | File.Malicious.TotalEngines | Number | For malicious files, the total number of engines that checked the file hash. | +| File.Count VT Vendors Which Flagged Malicious | Number | Number of VT vendors which flagged the file as malicious. | +| File.VT Vendors Which Flagged Malicious | Array | VT vendors which flagged the file as malicious. | +| File.VT Detection Names | Array | VT detection names which flagged the file as malicious. | | DBotScore.Indicator | String | The indicator that was tested. | | DBotScore.Type | String | The indicator type. | | DBotScore.Vendor | unknown | The vendor used to calculate the score. | 
@@ -426,6 +429,9 @@ Checks the reputation of an IP address. | IP.Malicious.Vendor | unknown | For malicious IPs, the vendor that made the decision. | | IP.Malicious.Description | unknown | For malicious IPs, the reason that the vendor made the decision. | | IP.ASOwner | String | The autonomous system owner of the IP. | +| IP.Count VT Vendors Which Flagged Malicious | Number | Number of VT vendors which flagged the IP as malicious. | +| IP.VT Vendors Which Flagged Malicious | Array | VT vendors which flagged the IP as malicious. | +| IP.VT Detection Names | Array | VT detection names which flagged the IP as malicious. | | DBotScore.Indicator | unknown | The indicator that was tested. | | DBotScore.Type | unknown | The indicator type. | | DBotScore.Vendor | unknown | The vendor used to calculate the score. | @@ -656,6 +662,9 @@ Checks the reputation of a URL. | URL.Relationships.EntityBType | String | The type of the destination of the relationship. | | URL.Malicious.Vendor | unknown | For malicious URLs, the vendor that made the decision. | | URL.Malicious.Description | unknown | For malicious URLs, the reason that the vendor made the decision. | +| URL.Count VT Vendors Which Flagged Malicious | Number | Number of VT vendors which flagged the URL as malicious. | +| URL.VT Vendors Which Flagged Malicious | Array | VT vendors which flagged the URL as malicious. | +| URL.VT Detection Names | Array | VT detection names which flagged the URL as malicious. | | DBotScore.Indicator | unknown | The indicator that was tested. | | DBotScore.Type | unknown | The indicator type. | | DBotScore.Vendor | unknown | The vendor used to calculate the score. | 
@@ -813,6 +822,9 @@ Checks the reputation of a domain.
 | Domain.Relationships.EntityBType | String | The type of the destination of the relationship. |
 | Domain.Malicious.Vendor | unknown | For malicious domains, the vendor that made the decision. |
 | Domain.Malicious.Description | unknown | For malicious domains, the reason that the vendor made the decision. |
+| Domain.Count VT Vendors Which Flagged Malicious | Number | Number of VT vendors which flagged the domain as malicious. |
+| Domain.VT Vendors Which Flagged Malicious | Array | VT vendors which flagged the domain as malicious. |
+| Domain.VT Detection Names | Array | VT detection names which flagged the domain as malicious. |
 | DBotScore.Indicator | unknown | The indicator that was tested. |
 | DBotScore.Type | unknown | The indicator type. |
 | DBotScore.Vendor | unknown | The vendor used to calculate the score. |
@@ -2546,3 +2558,14 @@ Get analysis of a private file submitted to VirusTotal.
 >|Id|Threat Severity Level|Popular Threat Category|Threat Verdict|Status|
 >|---|---|---|---|---|---|---|
 >| example-analysis-id | HIGH | trojan | MALICIOUS | completed |
+
+## VT indicator fields
+
+3 indicator fields have been added to all indicator types:
+- **Count VT Vendors Which Flagged Malicious**. Number. Number of VT vendors which flagged the indicator as malicious.
+- **VT Vendors Which Flagged Malicious**. Array. VT vendors which flagged the indicator as malicious.
+- **VT Detection Names. Array**. VT detection names which flagged the indicator as malicious.
+
+To display the new fields in indicators, navigate to `Settings -> Objects Setup -> Indicators -> Types`. Select the desired indicator type, for example, `File`. Click on `Edit` and, under `Custom Fields`, choose the desired field and add the corresponding path. For instance, if you select the `VT Detection Names` field for the `File` indicator type, add the path `File.VT Detection Names`. This will enable the field to be populated in the indicator data.
+
+Note that the field will not automatically appear in the indicator's layout. To make it visible, go to `Settings -> Objects Setup -> Indicators -> Layouts`, select the desired layout (e.g., `File Indicator`), click `Detach` if needed, and then edit the layout to include the new field.
diff --git a/Packs/VirusTotal/ReleaseNotes/2_6_21.md b/Packs/VirusTotal/ReleaseNotes/2_6_21.md
new file mode 100644
index 000000000000..00922ab10eab
--- /dev/null
+++ b/Packs/VirusTotal/ReleaseNotes/2_6_21.md
@@ -0,0 +1,7 @@
+#### Integrations
+
+##### VirusTotal (API v3)
+- Add **Count VT Vendors Which Flagged Malicious** field to all indicator types.
+- Add **VT Vendors Which Flagged Malicious** field to all indicator types.
+- Add **VT Detection Names** field to all indicator types.
+- Updated the Docker image to: *demisto/python3:3.11.9.101916*.
diff --git a/Packs/VirusTotal/pack_metadata.json b/Packs/VirusTotal/pack_metadata.json
index bc6950bdcb76..af49021caf5f 100644
--- a/Packs/VirusTotal/pack_metadata.json
+++ b/Packs/VirusTotal/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "VirusTotal",
 "description": "Analyze suspicious hashes, URLs, domains and IP addresses",
 "support": "partner",
- "currentVersion": "2.6.20",
+ "currentVersion": "2.6.21",
 "author": "VirusTotal",
 "url": "https://www.virustotal.com",
 "email": "contact@virustotal.com",
From 8f8457234b3ea9b89cf2199c99ff15228b273724 Mon Sep 17 00:00:00 2001
From: pabloperezj
Date: Wed, 10 Jul 2024 11:31:33 +0200
Subject: [PATCH 06/28] Update fields
---
 ...catorfield-VT_Engine_Detection_Names.json} | 6 +--
 ... indicatorfield-VT_Engine_Detections.json} | 6 +--
 ... => indicatorfield-VT_Engine_Vendors.json} | 6 +--
 .../Integrations/VirusTotalV3/README.md | 47 +++++++++---------
 .../Integrations/VirusTotalV3/VirusTotalV3.py | 11 +++--
 .../VirusTotalV3/VirusTotalV3.yml | 30 ++++++++++--
 6 files changed, 66 insertions(+), 40 deletions(-)
 rename Packs/VirusTotal/IndicatorFields/{indicatorfield-VT_Vendors_Which_Flagged_Malicious.json => indicatorfield-VT_Engine_Detection_Names.json} (75%)
 rename Packs/VirusTotal/IndicatorFields/{indicatorfield-Count_VT_Vendors_Which_Flagged_Malicious.json => indicatorfield-VT_Engine_Detections.json} (73%)
 rename Packs/VirusTotal/IndicatorFields/{indicatorfield-VT_Detection_Names.json => indicatorfield-VT_Engine_Vendors.json} (81%)
diff --git a/Packs/VirusTotal/IndicatorFields/indicatorfield-VT_Vendors_Which_Flagged_Malicious.json b/Packs/VirusTotal/IndicatorFields/indicatorfield-VT_Engine_Detection_Names.json
similarity index 75%
rename from Packs/VirusTotal/IndicatorFields/indicatorfield-VT_Vendors_Which_Flagged_Malicious.json
rename to Packs/VirusTotal/IndicatorFields/indicatorfield-VT_Engine_Detection_Names.json
index ad653f6c7b3e..e44f61f7a004 100644
--- a/Packs/VirusTotal/IndicatorFields/indicatorfield-VT_Vendors_Which_Flagged_Malicious.json
+++ b/Packs/VirusTotal/IndicatorFields/indicatorfield-VT_Engine_Detection_Names.json
@@ -1,16 +1,16 @@
 {
 "associatedToAll": true,
 "caseInsensitive": true,
- "cliName": "vtvendorswhichflaggedmalicious",
+ "cliName": "vtenginedetectionnames",
 "closeForm": false,
 "content": true,
 "editForm": true,
 "group": 2,
 "hidden": false,
- "id": "indicator_vt_vendors_which_flagged_malicious",
+ "id": "indicator_vt_engine_detection_names",
 "isReadOnly": false,
 "locked": false,
- "name": "VT Vendors Which Flagged Malicious",
+ "name": "VT Engine Detection Names",
 "neverSetAsRequired": false,
 "ownerOnly": false,
 "required": false,
diff --git a/Packs/VirusTotal/IndicatorFields/indicatorfield-Count_VT_Vendors_Which_Flagged_Malicious.json b/Packs/VirusTotal/IndicatorFields/indicatorfield-VT_Engine_Detections.json
similarity index 73%
rename from Packs/VirusTotal/IndicatorFields/indicatorfield-Count_VT_Vendors_Which_Flagged_Malicious.json
rename to Packs/VirusTotal/IndicatorFields/indicatorfield-VT_Engine_Detections.json
index b156e5c0e6f8..74d4017d56af 100644
--- a/Packs/VirusTotal/IndicatorFields/indicatorfield-Count_VT_Vendors_Which_Flagged_Malicious.json
+++ b/Packs/VirusTotal/IndicatorFields/indicatorfield-VT_Engine_Detections.json
@@ -1,16 +1,16 @@
 {
 "associatedToAll": true,
 "caseInsensitive": true,
- "cliName": "countvtvendorswhichflaggedmalicious",
+ "cliName": "vtenginedetections",
 "closeForm": false,
 "content": true,
 "editForm": true,
 "group": 2,
 "hidden": false,
- "id": "indicator_count_vt_vendors_which_flagged_malicious",
+ "id": "indicator_vt_engine_detections",
 "isReadOnly": false,
 "locked": false,
- "name": "Count VT Vendors Which Flagged Malicious",
+ "name": "VT Engine Detections",
 "neverSetAsRequired": false,
 "ownerOnly": false,
 "required": false,
diff --git a/Packs/VirusTotal/IndicatorFields/indicatorfield-VT_Detection_Names.json b/Packs/VirusTotal/IndicatorFields/indicatorfield-VT_Engine_Vendors.json
similarity index 81%
rename from Packs/VirusTotal/IndicatorFields/indicatorfield-VT_Detection_Names.json
rename to Packs/VirusTotal/IndicatorFields/indicatorfield-VT_Engine_Vendors.json
index 59af71c45f5f..5e145e607e43 100644
--- a/Packs/VirusTotal/IndicatorFields/indicatorfield-VT_Detection_Names.json
+++ b/Packs/VirusTotal/IndicatorFields/indicatorfield-VT_Engine_Vendors.json
@@ -1,16 +1,16 @@
 {
 "associatedToAll": true,
 "caseInsensitive": true,
- "cliName": "vtdetectionnames",
+ "cliName": "vtenginevendors",
 "closeForm": false,
 "content": true,
 "editForm": true,
 "group": 2,
 "hidden": false,
- "id": "indicator_vt_detection_names",
+ "id": "indicator_vt_engine_vendors",
 "isReadOnly": false,
 "locked": false,
- "name": "VT Detection Names",
+ "name": "VT Engine Vendors",
 "neverSetAsRequired": false,
 "ownerOnly": false,
 "required": false,
diff --git a/Packs/VirusTotal/Integrations/VirusTotalV3/README.md b/Packs/VirusTotal/Integrations/VirusTotalV3/README.md
index 37f693eceba8..c982fe643de6 100644
--- a/Packs/VirusTotal/Integrations/VirusTotalV3/README.md
+++ b/Packs/VirusTotal/Integrations/VirusTotalV3/README.md
@@ -184,11 +184,10 @@ Checks the file reputation of the specified hash.
 | File.Relationships.EntityAType | String | The type of the source of the relationship. |
 | File.Relationships.EntityBType | String | The type of the destination of the relationship. |
 | File.Malicious.Vendor | String | For malicious files, the vendor that made the decision. |
-| File.Malicious.Detections | Number | For malicious files, the total number of detections. |
-| File.Malicious.TotalEngines | Number | For malicious files, the total number of engines that checked the file hash. |
-| File.Count VT Vendors Which Flagged Malicious | Number | Number of VT vendors which flagged the file as malicious. |
-| File.VT Vendors Which Flagged Malicious | Array | VT vendors which flagged the file as malicious. |
-| File.VT Detection Names | Array | VT detection names which flagged the file as malicious. |
+| File.Malicious.Description | String | For malicious files, the reason that the vendor made the decision. |
+| File.VTVendors.EngineDetections | Number | Number of VT vendors which flagged the file as malicious. |
+| File.VTVendors.EngineVendors | Array | VT vendors which flagged the file as malicious. |
+| File.VTVendors.EngineDetectionNames | Array | VT detection names which flagged the file as malicious. |
 | DBotScore.Indicator | String | The indicator that was tested. |
 | DBotScore.Type | String | The indicator type. |
 | DBotScore.Vendor | unknown | The vendor used to calculate the score. |
@@ -426,12 +425,12 @@ Checks the reputation of an IP address.
 | IP.Relationships.Relationship | string | The name of the relationship. |
 | IP.Relationships.EntityAType | string | The type of the source of the relationship. |
 | IP.Relationships.EntityBType | string | The type of the destination of the relationship. |
-| IP.Malicious.Vendor | unknown | For malicious IPs, the vendor that made the decision. |
-| IP.Malicious.Description | unknown | For malicious IPs, the reason that the vendor made the decision. |
+| IP.Malicious.Vendor | String | For malicious IPs, the vendor that made the decision. |
+| IP.Malicious.Description | String | For malicious IPs, the reason that the vendor made the decision. |
+| IP.VTVendors.EngineDetections | Number | Number of VT vendors which flagged the IP as malicious. |
+| IP.VTVendors.EngineVendors | Array | VT vendors which flagged the IP as malicious. |
+| IP.VTVendors.EngineDetectionNames | Array | VT detection names which flagged the IP as malicious. |
 | IP.ASOwner | String | The autonomous system owner of the IP. |
-| IP.Count VT Vendors Which Flagged Malicious | Number | Number of VT vendors which flagged the IP as malicious. |
-| IP.VT Vendors Which Flagged Malicious | Array | VT vendors which flagged the IP as malicious. |
-| IP.VT Detection Names | Array | VT detection names which flagged the IP as malicious. |
 | DBotScore.Indicator | unknown | The indicator that was tested. |
 | DBotScore.Type | unknown | The indicator type. |
 | DBotScore.Vendor | unknown | The vendor used to calculate the score. |
@@ -660,11 +659,11 @@ Checks the reputation of a URL.
 | URL.Relationships.Relationship | String | The name of the relationship. |
 | URL.Relationships.EntityAType | String | The type of the source of the relationship. |
 | URL.Relationships.EntityBType | String | The type of the destination of the relationship. |
-| URL.Malicious.Vendor | unknown | For malicious URLs, the vendor that made the decision. |
-| URL.Malicious.Description | unknown | For malicious URLs, the reason that the vendor made the decision. |
-| URL.Count VT Vendors Which Flagged Malicious | Number | Number of VT vendors which flagged the URL as malicious. |
-| URL.VT Vendors Which Flagged Malicious | Array | VT vendors which flagged the URL as malicious. |
-| URL.VT Detection Names | Array | VT detection names which flagged the URL as malicious. |
+| URL.Malicious.Vendor | String | For malicious URLs, the vendor that made the decision. |
+| URL.Malicious.Description | String | For malicious URLs, the reason that the vendor made the decision. |
+| URL.VTVendors.EngineDetections | Number | Number of VT vendors which flagged the URL as malicious. |
+| URL.VTVendors.EngineVendors | Array | VT vendors which flagged the URL as malicious. |
+| URL.VTVendors.EngineDetectionNames | Array | VT detection names which flagged the URL as malicious. |
 | DBotScore.Indicator | unknown | The indicator that was tested. |
 | DBotScore.Type | unknown | The indicator type. |
 | DBotScore.Vendor | unknown | The vendor used to calculate the score. |
@@ -820,11 +819,11 @@ Checks the reputation of a domain.
 | Domain.Relationships.Relationship | String | The name of the relationship. |
 | Domain.Relationships.EntityAType | String | The type of the source of the relationship. |
 | Domain.Relationships.EntityBType | String | The type of the destination of the relationship. |
-| Domain.Malicious.Vendor | unknown | For malicious domains, the vendor that made the decision. |
-| Domain.Malicious.Description | unknown | For malicious domains, the reason that the vendor made the decision. |
-| Domain.Count VT Vendors Which Flagged Malicious | Number | Number of VT vendors which flagged the domain as malicious. |
-| Domain.VT Vendors Which Flagged Malicious | Array | VT vendors which flagged the domain as malicious. |
-| Domain.VT Detection Names | Array | VT detection names which flagged the domain as malicious. |
+| Domain.Malicious.Vendor | String | For malicious domains, the vendor that made the decision. |
+| Domain.Malicious.Description | String | For malicious domains, the reason that the vendor made the decision. |
+| Domain.VTVendors.EngineDetections | Number | Number of VT vendors which flagged the domain as malicious. |
+| Domain.VTVendors.EngineVendors | Array | VT vendors which flagged the domain as malicious. |
+| Domain.VTVendors.EngineDetectionNames | Array | VT detection names which flagged the domain as malicious. |
 | DBotScore.Indicator | unknown | The indicator that was tested. |
 | DBotScore.Type | unknown | The indicator type. |
 | DBotScore.Vendor | unknown | The vendor used to calculate the score. |
@@ -2562,10 +2561,10 @@ Get analysis of a private file submitted to VirusTotal.
 ## VT indicator fields
 3 indicator fields have been added to all indicator types:
-- **Count VT Vendors Which Flagged Malicious**. Number. Number of VT vendors which flagged the indicator as malicious.
-- **VT Vendors Which Flagged Malicious**. Array. VT vendors which flagged the indicator as malicious.
-- **VT Detection Names. Array**. VT detection names which flagged the indicator as malicious.
+- **VT Engine Detections**. Number. Number of VT vendors which flagged the indicator as malicious.
+- **VT Engine Vendors**. Array. VT vendors which flagged the indicator as malicious.
+- **VT Engine Detection Names**. Array. VT detection names which flagged the indicator as malicious.
-To display the new fields in indicators, navigate to `Settings -> Objects Setup -> Indicators -> Types`. Select the desired indicator type, for example, `File`. Click on `Edit` and, under `Custom Fields`, choose the desired field and add the corresponding path. For instance, if you select the `VT Detection Names` field for the `File` indicator type, add the path `File.VT Detection Names`. This will enable the field to be populated in the indicator data.
+To display the new fields in indicators, navigate to `Settings -> Objects Setup -> Indicators -> Types`. Select the desired indicator type, for example, `File`. Click on `Edit` and, under `Custom Fields`, choose the desired field and add the corresponding path. For instance, if you select the `VT Engine Detections` field for the `File` indicator type, add the path `File.VTVendors.EngineDetections`. This will enable the field to be populated in the indicator data.
 Note that the field will not automatically appear in the indicator's layout. To make it visible, go to `Settings -> Objects Setup -> Indicators -> Layouts`, select the desired layout (e.g., `File Indicator`), click `Detach` if needed, and then edit the layout to include the new field.
diff --git a/Packs/VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.py b/Packs/VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.py
index c1fb5fa70271..c176f3db31da 100644
--- a/Packs/VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.py
+++ b/Packs/VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.py
@@ -120,14 +120,19 @@ def to_context(self):
 context = super().to_context()
 file_context = context[super().CONTEXT_PATH]
+ file_context['VTVendors'] = {}
+
 if self.count_vt_vendors_which_flagged_malicious is not None:
- file_context['Count VT Vendors Which Flagged Malicious'] = self.count_vt_vendors_which_flagged_malicious
+ file_context['VTVendors']['EngineDetections'] = self.count_vt_vendors_which_flagged_malicious
 if self.vt_vendors_which_flagged_malicious is not None:
- file_context['VT Vendors Which Flagged Malicious'] = self.vt_vendors_which_flagged_malicious
+ file_context['VTVendors']['EngineVendors'] = self.vt_vendors_which_flagged_malicious
 if self.vt_detection_names is not None:
- file_context['VT Detection Names'] = self.vt_detection_names
+ file_context['VTVendors']['EngineDetectionNames'] = self.vt_detection_names
+
+ if not file_context['VTVendors']:
+ file_context.pop('VTVendors', None)
 return context
diff --git a/Packs/VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.yml b/Packs/VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.yml
index b1693bb5c793..b0e4677bcd5b 100644
--- a/Packs/VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.yml
+++ b/Packs/VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.yml
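Review bot: The new block writes `file_context['VTVendors'] = {}` into the context before it knows whether any of the three values is present and then undoes that write with `file_context.pop('VTVendors', None)` at the end; the `None` default on `pop` is dead since the key was created a few lines earlier, and the write-then-delete shape is what a reader has to puzzle out. Building the sub-object first and assigning it only when non-empty states the intent directly and gives one place that owns the `EngineDetections`/`EngineVendors`/`EngineDetectionNames` key names the yml and README declare. The `def to_context(self):` shown on the hunk header is outside the hunk, as is anything after `return context`. The same block is pasted into the other indicator classes in the later "Update all indicators" patch, where this rewrite applies equally.
```python
    def to_context(self):
        context = super().to_context()
        file_context = context[super().CONTEXT_PATH]

        vt_vendors = {
            'EngineDetections': self.count_vt_vendors_which_flagged_malicious,
            'EngineVendors': self.vt_vendors_which_flagged_malicious,
            'EngineDetectionNames': self.vt_detection_names,
        }
        # Publish the sub-object only when at least one value is set, so the
        # context shape is unchanged for indicators that carry no VT engine data.
        vt_vendors = {key: value for key, value in vt_vendors.items() if value is not None}
        if vt_vendors:
            file_context['VTVendors'] = vt_vendors

        return context
```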
@@ -245,10 +245,14 @@ script:
 type: string
 - contextPath: File.Malicious.Vendor
 description: For malicious files, the vendor that made the decision.
- - contextPath: File.Malicious.Detections
- description: For malicious files, the total number of detections.
- - contextPath: File.Malicious.TotalEngines
- description: For malicious files, the total number of engines that checked the file hash.
+ - contextPath: File.Malicious.Description
+ description: For malicious files, the reason that the vendor made the decision.
+ - contextPath: File.VTVendors.EngineDetections
+ description: Number of VT vendors which flagged the file as malicious.
+ - contextPath: File.VTVendors.EngineVendors
+ description: VT vendors which flagged the file as malicious.
+ - contextPath: File.VTVendors.EngineDetectionNames
+ description: VT detection names which flagged the file as malicious.
 - contextPath: DBotScore.Indicator
 description: The indicator that was tested.
 - contextPath: DBotScore.Type
@@ -491,6 +495,12 @@ script:
 description: For malicious IPs, the vendor that made the decision.
 - contextPath: IP.Malicious.Description
 description: For malicious IPs, the reason that the vendor made the decision.
+ - contextPath: IP.VTVendors.EngineDetections
+ description: Number of VT vendors which flagged the IP as malicious.
+ - contextPath: IP.VTVendors.EngineVendors
+ description: VT vendors which flagged the IP as malicious.
+ - contextPath: IP.VTVendors.EngineDetectionNames
+ description: VT detection names which flagged the IP as malicious.
 - contextPath: IP.ASOwner
 description: The autonomous system owner of the IP.
 type: String
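Review bot: The new `contextPath` entries here (`File.VTVendors.*` in the first hunk, `IP.VTVendors.*` in the second) and the URL and Domain ones in the next hunk carry a `description` but no `type`, while the README rows added for the same paths state `Number` and `Array`; the README table is normally generated from this yml, so the two descriptions of the output will drift unless the type is recorded here. For each `EngineDetections` entry the fix is one line, `type: Number`, in the form `IP.ASOwner` already uses with `type: String` just below. For the two list-valued outputs I am not certain `Array` is a type name the yml schema accepts, so match whatever the other list outputs in this file declare rather than copying the README wording. The `script:` on the hunk header is the enclosing mapping, which begins well outside the hunk.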
@@ -588,6 +598,12 @@ script:
 description: For malicious URLs, the vendor that made the decision.
 - contextPath: URL.Malicious.Description
 description: For malicious URLs, the reason that the vendor made the decision.
+ - contextPath: URL.VTVendors.EngineDetections
+ description: Number of VT vendors which flagged the URL as malicious.
+ - contextPath: URL.VTVendors.EngineVendors
+ description: VT vendors which flagged the URL as malicious.
+ - contextPath: URL.VTVendors.EngineDetectionNames
+ description: VT detection names which flagged the URL as malicious.
 - contextPath: URL.Relationships.EntityA
 description: The source of the relationship.
 type: string
@@ -730,6 +746,12 @@ script:
 description: For malicious domains, the vendor that made the decision.
 - contextPath: Domain.Malicious.Description
 description: For malicious domains, the reason that the vendor made the decision.
+ - contextPath: Domain.VTVendors.EngineDetections
+ description: Number of VT vendors which flagged the domain as malicious.
+ - contextPath: Domain.VTVendors.EngineVendors
+ description: VT vendors which flagged the domain as malicious.
+ - contextPath: Domain.VTVendors.EngineDetectionNames
+ description: VT detection names which flagged the domain as malicious.
 - contextPath: Domain.Relationships.EntityA
 description: The source of the relationship.
 type: string
From c8ded922994e75897b0d293667edca6a291fd5ce Mon Sep 17 00:00:00 2001
From: pabloperezj
Date: Wed, 10 Jul 2024 11:39:19 +0200
Subject: [PATCH 07/28] Update release note
---
 Packs/VirusTotal/ReleaseNotes/2_6_21.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/Packs/VirusTotal/ReleaseNotes/2_6_21.md b/Packs/VirusTotal/ReleaseNotes/2_6_21.md
index 00922ab10eab..f87666ef7ca9 100644
--- a/Packs/VirusTotal/ReleaseNotes/2_6_21.md
+++ b/Packs/VirusTotal/ReleaseNotes/2_6_21.md
@@ -1,7 +1,7 @@
 #### Integrations
 ##### VirusTotal (API v3)
-- Add **Count VT Vendors Which Flagged Malicious** field to all indicator types.
-- Add **VT Vendors Which Flagged Malicious** field to all indicator types.
-- Add **VT Detection Names** field to all indicator types.
+- Add **VT Engine Detections** field to all indicator types.
+- Add **VT Engine Vendors** field to all indicator types.
+- Add **VT Engine Detection Names** field to all indicator types.
 - Updated the Docker image to: *demisto/python3:3.11.9.101916*.
From ea9107d0c6f37e9cffacb2e5f0b201f9ed65bb1d Mon Sep 17 00:00:00 2001
From: pabloperezj
Date: Wed, 10 Jul 2024 12:12:00 +0200
Subject: [PATCH 08/28] Update all indicators
---
 .../Integrations/VirusTotalV3/VirusTotalV3.py | 33 ++++++++++++++-----
 1 file changed, 24 insertions(+), 9 deletions(-)
diff --git a/Packs/VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.py b/Packs/VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.py
index c176f3db31da..555903fe1d2a 100644
--- a/Packs/VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.py
+++ b/Packs/VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.py
@@ -163,14 +163,19 @@ def to_context(self):
 context = super().to_context()
 file_context = context[super().CONTEXT_PATH]
+ file_context['VTVendors'] = {}
+
 if self.count_vt_vendors_which_flagged_malicious is not None:
- file_context['Count VT Vendors Which Flagged Malicious'] = self.count_vt_vendors_which_flagged_malicious
+ file_context['VTVendors']['EngineDetections'] = self.count_vt_vendors_which_flagged_malicious
 if self.vt_vendors_which_flagged_malicious is not None:
- file_context['VT Vendors Which Flagged Malicious'] = self.vt_vendors_which_flagged_malicious
+ file_context['VTVendors']['EngineVendors'] = self.vt_vendors_which_flagged_malicious
 if self.vt_detection_names is not None:
- file_context['VT Detection Names'] = self.vt_detection_names
+ file_context['VTVendors']['EngineDetectionNames'] = self.vt_detection_names
+
+ if not file_context['VTVendors']:
+ file_context.pop('VTVendors', None)
 return context
@@ -201,14 +206,19 @@ def to_context(self):
 context = super().to_context()
 file_context = context[super().CONTEXT_PATH]
+ file_context['VTVendors'] = {}
+
 if self.count_vt_vendors_which_flagged_malicious is not None:
- file_context['Count VT Vendors Which Flagged Malicious'] = self.count_vt_vendors_which_flagged_malicious
+ file_context['VTVendors']['EngineDetections'] = self.count_vt_vendors_which_flagged_malicious
 if self.vt_vendors_which_flagged_malicious is not None:
- file_context['VT Vendors Which Flagged Malicious'] = self.vt_vendors_which_flagged_malicious
+ file_context['VTVendors']['EngineVendors'] = self.vt_vendors_which_flagged_malicious
 if self.vt_detection_names is not None:
- file_context['VT Detection Names'] = self.vt_detection_names
+ file_context['VTVendors']['EngineDetectionNames'] = self.vt_detection_names
+
+ if not file_context['VTVendors']:
+ file_context.pop('VTVendors', None)
 return context
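Review bot: Both hunks on this line, and the `@@ -239` hunk that follows, add the identical eleven-line VTVendors block that the "Update fields" patch already put in the file class's `to_context`, so four methods now assemble the same sub-object with the same three literal keys; a single module-level helper called from each `to_context` keeps `EngineDetections`/`EngineVendors`/`EngineDetectionNames` defined once and means a later change (another engine field, a renamed key) cannot be applied to three classes and missed in the fourth. The local the block writes into is still called `file_context` in these non-file classes (that assignment is a context line, so it and the `def` sit outside the hunk); renaming it to something like `indicator_context` when the helper lands would remove the copy-paste tell. The helper and one call site are sketched below; the other three `to_context` methods get the same five lines.
```python
def _vt_vendors_context(detections, vendors, detection_names):
    """Build the VTVendors sub-object, leaving out any key whose value is None."""
    candidates = {
        'EngineDetections': detections,
        'EngineVendors': vendors,
        'EngineDetectionNames': detection_names,
    }
    return {key: value for key, value in candidates.items() if value is not None}


# … unchanged: class header, to_context signature and its first two lines …
        vt_vendors = _vt_vendors_context(
            self.count_vt_vendors_which_flagged_malicious,
            self.vt_vendors_which_flagged_malicious,
            self.vt_detection_names,
        )
        if vt_vendors:
            file_context['VTVendors'] = vt_vendors
        return context
```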
@@ -239,14 +249,19 @@ def to_context(self):
 context = super().to_context()
 file_context = context[super().CONTEXT_PATH]
+ file_context['VTVendors'] = {}
+
 if self.count_vt_vendors_which_flagged_malicious is not None:
- file_context['Count VT Vendors Which Flagged Malicious'] = self.count_vt_vendors_which_flagged_malicious
+ file_context['VTVendors']['EngineDetections'] = self.count_vt_vendors_which_flagged_malicious
 if self.vt_vendors_which_flagged_malicious is not None:
- file_context['VT Vendors Which Flagged Malicious'] = self.vt_vendors_which_flagged_malicious
+ file_context['VTVendors']['EngineVendors'] = self.vt_vendors_which_flagged_malicious
 if self.vt_detection_names is not None:
- file_context['VT Detection Names'] = self.vt_detection_names
+ file_context['VTVendors']['EngineDetectionNames'] = self.vt_detection_names
+
+ if not file_context['VTVendors']:
+ file_context.pop('VTVendors', None)
 return context
From c74a1099c59235b7873b0d5c50d7954bc8e6550b Mon Sep 17 00:00:00 2001
From: pabloperezj
Date: Wed, 10 Jul 2024 12:18:38 +0200
Subject: [PATCH 09/28] Update version
---
 Packs/VirusTotal/ReleaseNotes/2_6_22.md | 7 +++++++
 Packs/VirusTotal/pack_metadata.json | 2 +-
 2 files changed, 8 insertions(+), 1 deletion(-)
 create mode 100644 Packs/VirusTotal/ReleaseNotes/2_6_22.md
diff --git a/Packs/VirusTotal/ReleaseNotes/2_6_22.md b/Packs/VirusTotal/ReleaseNotes/2_6_22.md
new file mode 100644
index 000000000000..f87666ef7ca9
--- /dev/null
+++ b/Packs/VirusTotal/ReleaseNotes/2_6_22.md
@@ -0,0 +1,7 @@
+#### Integrations
+
+##### VirusTotal (API v3)
+- Add **VT Engine Detections** field to all indicator types.
+- Add **VT Engine Vendors** field to all indicator types.
+- Add **VT Engine Detection Names** field to all indicator types.
+- Updated the Docker image to: *demisto/python3:3.11.9.101916*.
diff --git a/Packs/VirusTotal/pack_metadata.json b/Packs/VirusTotal/pack_metadata.json
index af49021caf5f..7989872de266 100644
--- a/Packs/VirusTotal/pack_metadata.json
+++ b/Packs/VirusTotal/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "VirusTotal",
 "description": "Analyze suspicious hashes, URLs, domains and IP addresses",
 "support": "partner",
- "currentVersion": "2.6.21",
+ "currentVersion": "2.6.22",
 "author": "VirusTotal",
 "url": "https://www.virustotal.com",
 "email": "contact@virustotal.com",
From 7ba47279f76954e12501bfb01af664d40b62c111 Mon Sep 17 00:00:00 2001
From: pabloperezj
Date: Wed, 10 Jul 2024 17:36:36 +0200
Subject: [PATCH 10/28] Restore unused fields
---
 Packs/VirusTotal/Integrations/VirusTotalV3/README.md | 2 ++
 Packs/VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.yml | 4 ++++
 2 files changed, 6 insertions(+)
diff --git a/Packs/VirusTotal/Integrations/VirusTotalV3/README.md b/Packs/VirusTotal/Integrations/VirusTotalV3/README.md
index c982fe643de6..21d9d976e398 100644
--- a/Packs/VirusTotal/Integrations/VirusTotalV3/README.md
+++ b/Packs/VirusTotal/Integrations/VirusTotalV3/README.md
@@ -185,6 +185,8 @@ Checks the file reputation of the specified hash.
 | File.Relationships.EntityBType | String | The type of the destination of the relationship. |
 | File.Malicious.Vendor | String | For malicious files, the vendor that made the decision. |
 | File.Malicious.Description | String | For malicious files, the reason that the vendor made the decision. |
+| File.Malicious.Detections | Number | For malicious files, the total number of detections. |
+| File.Malicious.TotalEngines | Number | For malicious files, the total number of engines that checked the file hash. |
 | File.VTVendors.EngineDetections | Number | Number of VT vendors which flagged the file as malicious. |
 | File.VTVendors.EngineVendors | Array | VT vendors which flagged the file as malicious. |
 | File.VTVendors.EngineDetectionNames | Array | VT detection names which flagged the file as malicious. |
diff --git a/Packs/VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.yml b/Packs/VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.yml
index b0e4677bcd5b..3bf4286e12ab 100644
--- a/Packs/VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.yml
+++ b/Packs/VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.yml
@@ -247,6 +247,10 @@ script:
 description: For malicious files, the vendor that made the decision.
 - contextPath: File.Malicious.Description
 description: For malicious files, the reason that the vendor made the decision.
+ - contextPath: File.Malicious.Detections
+ description: For malicious files, the total number of detections.
+ - contextPath: File.Malicious.TotalEngines
+ description: For malicious files, the total number of engines that checked the file hash.
 - contextPath: File.VTVendors.EngineDetections
 description: Number of VT vendors which flagged the file as malicious.
 - contextPath: File.VTVendors.EngineVendors
From ffab14d6a42cf208fa840798f08c92092612eca4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pablo=20P=C3=A9rez?= <122302023+pabloperezj@users.noreply.github.com>
Date: Thu, 11 Jul 2024 10:06:29 +0200
Subject: [PATCH 11/28] Update Packs/VirusTotal/IndicatorFields/indicatorfield-VT_Engine_Detection_Names.json
Co-authored-by: Sasha Sokolovich <88268646+ssokolovich@users.noreply.github.com>
---
 .../indicatorfield-VT_Engine_Detection_Names.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Packs/VirusTotal/IndicatorFields/indicatorfield-VT_Engine_Detection_Names.json b/Packs/VirusTotal/IndicatorFields/indicatorfield-VT_Engine_Detection_Names.json
index e44f61f7a004..a628bbadf36d 100644
--- a/Packs/VirusTotal/IndicatorFields/indicatorfield-VT_Engine_Detection_Names.json
+++ b/Packs/VirusTotal/IndicatorFields/indicatorfield-VT_Engine_Detection_Names.json
@@ -19,7 +19,7 @@
 "threshold": 72,
 "type": "tagsSelect",
 "unmapped": false,
- "unsearchable": false,
+ "unsearchable": true,
 "useAsKpi": true,
 "version": -1,
 "fromVersion": "5.5.0"
From 979d16127012ca625bee57a357f5a0f9c9779cbd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pablo=20P=C3=A9rez?= <122302023+pabloperezj@users.noreply.github.com>
Date: Thu, 11 Jul 2024 10:06:36 +0200
Subject: [PATCH 12/28] Update Packs/VirusTotal/IndicatorFields/indicatorfield-VT_Engine_Detections.json
Co-authored-by: Sasha Sokolovich <88268646+ssokolovich@users.noreply.github.com>
---
 .../IndicatorFields/indicatorfield-VT_Engine_Detections.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Packs/VirusTotal/IndicatorFields/indicatorfield-VT_Engine_Detections.json b/Packs/VirusTotal/IndicatorFields/indicatorfield-VT_Engine_Detections.json
index 74d4017d56af..aa7c0688ccaa 100644
--- a/Packs/VirusTotal/IndicatorFields/indicatorfield-VT_Engine_Detections.json
+++ b/Packs/VirusTotal/IndicatorFields/indicatorfield-VT_Engine_Detections.json
@@ -19,7 +19,7 @@
 "threshold": 72,
 "type": "number",
 "unmapped": false,
- "unsearchable": false,
+ "unsearchable": true,
 "useAsKpi": true,
 "version": -1,
 "fromVersion": "5.5.0"
From 9a7a698e5fba77f3bfed82eaf13740a1fb3b49aa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pablo=20P=C3=A9rez?= <122302023+pabloperezj@users.noreply.github.com>
Date: Thu, 11 Jul 2024 10:06:41 +0200
Subject: [PATCH 13/28] Update Packs/VirusTotal/IndicatorFields/indicatorfield-VT_Engine_Vendors.json
Co-authored-by: Sasha Sokolovich <88268646+ssokolovich@users.noreply.github.com>
---
 .../IndicatorFields/indicatorfield-VT_Engine_Vendors.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Packs/VirusTotal/IndicatorFields/indicatorfield-VT_Engine_Vendors.json b/Packs/VirusTotal/IndicatorFields/indicatorfield-VT_Engine_Vendors.json
index 5e145e607e43..087db3655987 100644
--- a/Packs/VirusTotal/IndicatorFields/indicatorfield-VT_Engine_Vendors.json
+++ b/Packs/VirusTotal/IndicatorFields/indicatorfield-VT_Engine_Vendors.json
@@ -19,7 +19,7 @@
 "threshold": 72,
 "type": "tagsSelect",
 "unmapped": false,
- "unsearchable": false,
+ "unsearchable": true,
 "useAsKpi": true,
 "version": -1,
 "fromVersion": "5.5.0"
From d037fb7634673ac4adc6119130d2f64a275848d6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pablo=20P=C3=A9rez?= <122302023+pabloperezj@users.noreply.github.com>
Date: Tue, 16 Jul 2024 10:50:00 +0200
Subject: [PATCH 14/28] Update Packs/VirusTotal/Integrations/VirusTotalV3/README.md
Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>
---
 Packs/VirusTotal/Integrations/VirusTotalV3/README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Packs/VirusTotal/Integrations/VirusTotalV3/README.md b/Packs/VirusTotal/Integrations/VirusTotalV3/README.md
index 21d9d976e398..e679c0500e0c 100644
--- a/Packs/VirusTotal/Integrations/VirusTotalV3/README.md
+++ b/Packs/VirusTotal/Integrations/VirusTotalV3/README.md
@@ -187,8 +187,8 @@ Checks the file reputation of the specified hash.
 | File.Malicious.Description | String | For malicious files, the reason that the vendor made the decision. |
 | File.Malicious.Detections | Number | For malicious files, the total number of detections. |
 | File.Malicious.TotalEngines | Number | For malicious files, the total number of engines that checked the file hash. |
-| File.VTVendors.EngineDetections | Number | Number of VT vendors which flagged the file as malicious. |
-| File.VTVendors.EngineVendors | Array | VT vendors which flagged the file as malicious. |
+| File.VTVendors.EngineDetections | Number | Number of VT vendors that flagged the file as malicious. |
+| File.VTVendors.EngineVendors | Array | VT vendors who flagged the file as malicious. |
 | File.VTVendors.EngineDetectionNames | Array | VT detection names which flagged the file as malicious. |
 | DBotScore.Indicator | String | The indicator that was tested. |
 | DBotScore.Type | String | The indicator type. |
From d0b0560fd06e072596583d3bb701f1fbd2f37bfd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pablo=20P=C3=A9rez?= <122302023+pabloperezj@users.noreply.github.com>
Date: Tue, 16 Jul 2024 10:50:06 +0200
Subject: [PATCH 15/28] Update Packs/VirusTotal/Integrations/VirusTotalV3/README.md
Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>
---
 Packs/VirusTotal/Integrations/VirusTotalV3/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Packs/VirusTotal/Integrations/VirusTotalV3/README.md b/Packs/VirusTotal/Integrations/VirusTotalV3/README.md
index e679c0500e0c..f9bd81d4c3ba 100644
--- a/Packs/VirusTotal/Integrations/VirusTotalV3/README.md
+++ b/Packs/VirusTotal/Integrations/VirusTotalV3/README.md
@@ -189,7 +189,7 @@ Checks the file reputation of the specified hash.
 | File.Malicious.TotalEngines | Number | For malicious files, the total number of engines that checked the file hash. |
 | File.VTVendors.EngineDetections | Number | Number of VT vendors that flagged the file as malicious. |
 | File.VTVendors.EngineVendors | Array | VT vendors who flagged the file as malicious. |
-| File.VTVendors.EngineDetectionNames | Array | VT detection names which flagged the file as malicious. |
+| File.VTVendors.EngineDetectionNames | Array | VT detection names that flagged the file as malicious. |
 | DBotScore.Indicator | String | The indicator that was tested. |
 | DBotScore.Type | String | The indicator type. |
 | DBotScore.Vendor | unknown | The vendor used to calculate the score. |
From d15e69d7082da62be5443e796bd49fba8da304f0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pablo=20P=C3=A9rez?= <122302023+pabloperezj@users.noreply.github.com>
Date: Tue, 16 Jul 2024 10:50:13 +0200
Subject: [PATCH 16/28] Update Packs/VirusTotal/Integrations/VirusTotalV3/README.md
Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>
---
 Packs/VirusTotal/Integrations/VirusTotalV3/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Packs/VirusTotal/Integrations/VirusTotalV3/README.md b/Packs/VirusTotal/Integrations/VirusTotalV3/README.md
index f9bd81d4c3ba..3b692bc7bf95 100644
--- a/Packs/VirusTotal/Integrations/VirusTotalV3/README.md
+++ b/Packs/VirusTotal/Integrations/VirusTotalV3/README.md
@@ -427,7 +427,7 @@ Checks the reputation of an IP address.
 | IP.Relationships.Relationship | string | The name of the relationship. |
 | IP.Relationships.EntityAType | string | The type of the source of the relationship. |
 | IP.Relationships.EntityBType | string | The type of the destination of the relationship. |
-| IP.Malicious.Vendor | String | For malicious IPs, the vendor that made the decision. |
+| IP.Malicious.Vendor | String | For malicious IPs, the vendor who made the decision. |
 | IP.Malicious.Description | String | For malicious IPs, the reason that the vendor made the decision. |
 | IP.VTVendors.EngineDetections | Number | Number of VT vendors which flagged the IP as malicious. |
 | IP.VTVendors.EngineVendors | Array | VT vendors which flagged the IP as malicious. |
From 1efede5e2fe0e13dc1f0465b7446790f18393dc6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pablo=20P=C3=A9rez?= <122302023+pabloperezj@users.noreply.github.com>
Date: Tue, 16 Jul 2024 10:50:20 +0200
Subject: [PATCH 17/28] Update Packs/VirusTotal/Integrations/VirusTotalV3/README.md
Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>
---
 Packs/VirusTotal/Integrations/VirusTotalV3/README.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/Packs/VirusTotal/Integrations/VirusTotalV3/README.md b/Packs/VirusTotal/Integrations/VirusTotalV3/README.md
index 3b692bc7bf95..3603e26380e6 100644
--- a/Packs/VirusTotal/Integrations/VirusTotalV3/README.md
+++ b/Packs/VirusTotal/Integrations/VirusTotalV3/README.md
@@ -429,9 +429,9 @@ Checks the reputation of an IP address.
 | IP.Relationships.EntityBType | String | The type of the destination of the relationship. |
 | IP.Malicious.Vendor | String | For malicious IPs, the vendor who made the decision. |
 | IP.Malicious.Description | String | For malicious IPs, the reason that the vendor made the decision. |
-| IP.VTVendors.EngineDetections | Number | Number of VT vendors which flagged the IP as malicious. |
-| IP.VTVendors.EngineVendors | Array | VT vendors which flagged the IP as malicious. |
-| IP.VTVendors.EngineDetectionNames | Array | VT detection names which flagged the IP as malicious. |
+| IP.VTVendors.EngineDetections | Number | Number of VT vendors that flagged the IP as malicious. |
+| IP.VTVendors.EngineVendors | Array | VT vendors who flagged the IP as malicious. |
+| IP.VTVendors.EngineDetectionNames | Array | VT detection names that flagged the IP as malicious. |
 | IP.ASOwner | String | The autonomous system owner of the IP. |
 | DBotScore.Indicator | unknown | The indicator that was tested. |
 | DBotScore.Type | unknown | The indicator type. |
From 3c09ce6b2038efb8d400fa117109da8c1f2e0b90 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pablo=20P=C3=A9rez?= <122302023+pabloperezj@users.noreply.github.com>
Date: Tue, 16 Jul 2024 10:50:28 +0200
Subject: [PATCH 18/28] Update Packs/VirusTotal/Integrations/VirusTotalV3/README.md
Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>
---
 Packs/VirusTotal/Integrations/VirusTotalV3/README.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/Packs/VirusTotal/Integrations/VirusTotalV3/README.md b/Packs/VirusTotal/Integrations/VirusTotalV3/README.md
index 3603e26380e6..fc3f73ba5f79 100644
--- a/Packs/VirusTotal/Integrations/VirusTotalV3/README.md
+++ b/Packs/VirusTotal/Integrations/VirusTotalV3/README.md
@@ -661,11 +661,11 @@ Checks the reputation of a URL.
 | URL.Relationships.Relationship | String | The name of the relationship. |
 | URL.Relationships.EntityAType | String | The type of the source of the relationship. |
 | URL.Relationships.EntityBType | String | The type of the destination of the relationship. |
-| URL.Malicious.Vendor | String | For malicious URLs, the vendor that made the decision. |
+| URL.Malicious.Vendor | String | For malicious URLs, the vendor who made the decision. |
 | URL.Malicious.Description | String | For malicious URLs, the reason that the vendor made the decision. |
-| URL.VTVendors.EngineDetections | Number | Number of VT vendors which flagged the URL as malicious. |
-| URL.VTVendors.EngineVendors | Array | VT vendors which flagged the URL as malicious. |
-| URL.VTVendors.EngineDetectionNames | Array | VT detection names which flagged the URL as malicious. |
+| URL.VTVendors.EngineDetections | Number | Number of VT vendors that flagged the URL as malicious. |
+| URL.VTVendors.EngineVendors | Array | VT vendors who flagged the URL as malicious. |
+| URL.VTVendors.EngineDetectionNames | Array | VT detection names that flagged the URL as malicious. |
 | DBotScore.Indicator | unknown | The indicator that was tested. |
 | DBotScore.Type | unknown | The indicator type. |
 | DBotScore.Vendor | unknown | The vendor used to calculate the score. |
From 3f7d57feacaae7a7c1cc53492e78b52ec2b617bb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pablo=20P=C3=A9rez?= <122302023+pabloperezj@users.noreply.github.com>
Date: Tue, 16 Jul 2024 10:50:37 +0200
Subject: [PATCH 19/28] Update Packs/VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.yml
Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>
---
 Packs/VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/Packs/VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.yml b/Packs/VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.yml
index 3bf4286e12ab..efa6c5fb49e9 100644
--- a/Packs/VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.yml
+++ b/Packs/VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.yml
@@ -500,11 +500,11 @@ script:
 - contextPath: IP.Malicious.Description
 description: For malicious IPs, the reason that the vendor made the decision.
 - contextPath: IP.VTVendors.EngineDetections
- description: Number of VT vendors which flagged the IP as malicious.
+ description: Number of VT vendors that flagged the IP as malicious.
 - contextPath: IP.VTVendors.EngineVendors
- description: VT vendors which flagged the IP as malicious.
+ description: VT vendors who flagged the IP as malicious.
 - contextPath: IP.VTVendors.EngineDetectionNames
- description: VT detection names which flagged the IP as malicious.
+ description: VT detection names that flagged the IP as malicious.
 - contextPath: IP.ASOwner
 description: The autonomous system owner of the IP.
 type: String
From f959d010566f92f4a9768d5a88df69ea4b26c4d9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pablo=20P=C3=A9rez?= <122302023+pabloperezj@users.noreply.github.com>
Date: Tue, 16 Jul 2024 10:50:43 +0200
Subject: [PATCH 20/28] Update Packs/VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.yml
Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>
---
 Packs/VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/Packs/VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.yml b/Packs/VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.yml
index efa6c5fb49e9..890dd2ff64e9 100644
--- a/Packs/VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.yml
+++ b/Packs/VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.yml
@@ -603,11 +603,11 @@ script:
 - contextPath: URL.Malicious.Description
 description: For malicious URLs, the reason that the vendor made the decision.
 - contextPath: URL.VTVendors.EngineDetections
- description: Number of VT vendors which flagged the URL as malicious.
+ description: Number of VT vendors that flagged the URL as malicious.
 - contextPath: URL.VTVendors.EngineVendors
- description: VT vendors which flagged the URL as malicious.
+ description: VT vendors who flagged the URL as malicious.
 - contextPath: URL.VTVendors.EngineDetectionNames
- description: VT detection names which flagged the URL as malicious.
+ description: VT detection names that flagged the URL as malicious.
 - contextPath: URL.Relationships.EntityA
 description: The source of the relationship.
 type: string
From bce53676af4937ab36d87714d8496e807447d42a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pablo=20P=C3=A9rez?= <122302023+pabloperezj@users.noreply.github.com>
Date: Tue, 16 Jul 2024 10:50:57 +0200
Subject: [PATCH 21/28] Update Packs/VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.yml
Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>
---
 Packs/VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/Packs/VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.yml b/Packs/VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.yml
index 890dd2ff64e9..f0a47ca6e329 100644
--- a/Packs/VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.yml
+++ b/Packs/VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.yml
@@ -751,11 +751,11 @@ script:
 - contextPath: Domain.Malicious.Description
 description: For malicious domains, the reason that the vendor made the decision.
 - contextPath: Domain.VTVendors.EngineDetections
- description: Number of VT vendors which flagged the domain as malicious.
+ description: Number of VT vendors that flagged the domain as malicious.
 - contextPath: Domain.VTVendors.EngineVendors
- description: VT vendors which flagged the domain as malicious.
+ description: VT vendors who flagged the domain as malicious.
 - contextPath: Domain.VTVendors.EngineDetectionNames
- description: VT detection names which flagged the domain as malicious.
+ description: VT detection names that flagged the domain as malicious.
 - contextPath: Domain.Relationships.EntityA
 description: The source of the relationship.
 type: string
From 478e8e7a0820ae8b81cfedf0ea432faa3c837bb2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pablo=20P=C3=A9rez?= <122302023+pabloperezj@users.noreply.github.com>
Date: Tue, 16 Jul 2024 10:51:05 +0200
Subject: [PATCH 22/28] Update Packs/VirusTotal/ReleaseNotes/2_6_21.md
Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>
---
 Packs/VirusTotal/ReleaseNotes/2_6_21.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Packs/VirusTotal/ReleaseNotes/2_6_21.md b/Packs/VirusTotal/ReleaseNotes/2_6_21.md
index 5d640cddfbef..0887cd46caca 100644
--- a/Packs/VirusTotal/ReleaseNotes/2_6_21.md
+++ b/Packs/VirusTotal/ReleaseNotes/2_6_21.md
@@ -1,3 +1,3 @@
 ## VirusTotal
-- Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.
+Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.
From 7b162d065d6687f9e592dee4093f723cb02a63f1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pablo=20P=C3=A9rez?= <122302023+pabloperezj@users.noreply.github.com>
Date: Tue, 16 Jul 2024 10:51:15 +0200
Subject: [PATCH 23/28] Update Packs/VirusTotal/ReleaseNotes/2_6_22.md
Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>
---
 Packs/VirusTotal/ReleaseNotes/2_6_22.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/Packs/VirusTotal/ReleaseNotes/2_6_22.md b/Packs/VirusTotal/ReleaseNotes/2_6_22.md
index f87666ef7ca9..6e7de2a78e1c 100644
--- a/Packs/VirusTotal/ReleaseNotes/2_6_22.md
+++ b/Packs/VirusTotal/ReleaseNotes/2_6_22.md
@@ -1,7 +1,7 @@
 #### Integrations
 ##### VirusTotal (API v3)
-- Add **VT Engine Detections** field to all indicator types.
-- Add **VT Engine Vendors** field to all indicator types.
-- Add **VT Engine Detection Names** field to all indicator types.
+- Add the **VT Engine Detections** field to all indicator types.
+- Add the **VT Engine Vendors** field to all indicator types.
+- Add the **VT Engine Detection Names** field to all indicator types.
 - Updated the Docker image to: *demisto/python3:3.11.9.101916*.
From 94a6004d72b5b2740f1279cd9802f68feaa47fcd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pablo=20P=C3=A9rez?= <122302023+pabloperezj@users.noreply.github.com>
Date: Tue, 16 Jul 2024 10:51:27 +0200
Subject: [PATCH 24/28] Update Packs/VirusTotal/Integrations/VirusTotalV3/README.md
Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>
---
 Packs/VirusTotal/Integrations/VirusTotalV3/README.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/Packs/VirusTotal/Integrations/VirusTotalV3/README.md b/Packs/VirusTotal/Integrations/VirusTotalV3/README.md
index fc3f73ba5f79..57e1d770bff5 100644
--- a/Packs/VirusTotal/Integrations/VirusTotalV3/README.md
+++ b/Packs/VirusTotal/Integrations/VirusTotalV3/README.md
@@ -821,11 +821,11 @@ Checks the reputation of a domain.
 | Domain.Relationships.Relationship | String | The name of the relationship. |
 | Domain.Relationships.EntityAType | String | The type of the source of the relationship. |
 | Domain.Relationships.EntityBType | String | The type of the destination of the relationship. |
-| Domain.Malicious.Vendor | String | For malicious domains, the vendor that made the decision. |
+| Domain.Malicious.Vendor | String | For malicious domains, the vendor who made the decision. |
 | Domain.Malicious.Description | String | For malicious domains, the reason that the vendor made the decision. |
-| Domain.VTVendors.EngineDetections | Number | Number of VT vendors which flagged the domain as malicious. |
-| Domain.VTVendors.EngineVendors | Array | VT vendors which flagged the domain as malicious. |
-| Domain.VTVendors.EngineDetectionNames | Array | VT detection names which flagged the domain as malicious. |
+| Domain.VTVendors.EngineDetections | Number | Number of VT vendors that flagged the domain as malicious. |
+| Domain.VTVendors.EngineVendors | Array | VT vendors who flagged the domain as malicious. |
+| Domain.VTVendors.EngineDetectionNames | Array | VT detection names that flagged the domain as malicious. |
 | DBotScore.Indicator | unknown | The indicator that was tested. |
 | DBotScore.Type | unknown | The indicator type. |
 | DBotScore.Vendor | unknown | The vendor used to calculate the score. |
From 820da2c114e2dcec0b68337d59b11d6eb59d3fc6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pablo=20P=C3=A9rez?= <122302023+pabloperezj@users.noreply.github.com>
Date: Tue, 16 Jul 2024 10:51:37 +0200
Subject: [PATCH 25/28] Update Packs/VirusTotal/Integrations/VirusTotalV3/README.md
Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>
---
 Packs/VirusTotal/Integrations/VirusTotalV3/README.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/Packs/VirusTotal/Integrations/VirusTotalV3/README.md b/Packs/VirusTotal/Integrations/VirusTotalV3/README.md
index 57e1d770bff5..c20bdb687f1b 100644
--- a/Packs/VirusTotal/Integrations/VirusTotalV3/README.md
+++ b/Packs/VirusTotal/Integrations/VirusTotalV3/README.md
@@ -2563,9 +2563,9 @@ Get analysis of a private file submitted to VirusTotal.
 ## VT indicator fields
 3 indicator fields have been added to all indicator types:
-- **VT Engine Detections**. Number. Number of VT vendors which flagged the indicator as malicious.
-- **VT Engine Vendors**. Array. VT vendors which flagged the indicator as malicious.
-- **VT Engine Detection Names**. Array. VT detection names which flagged the indicator as malicious.
+- **VT Engine Detections**. Number. Number of VT vendors that flagged the indicator as malicious.
+- **VT Engine Vendors**. Array. VT vendors who flagged the indicator as malicious.
+- **VT Engine Detection Names**. Array. VT detection names that flagged the indicator as malicious.
 To display the new fields in indicators, navigate to `Settings -> Objects Setup -> Indicators -> Types`. Select the desired indicator type, for example, `File`. Click on `Edit` and, under `Custom Fields`, choose the desired field and add the corresponding path. For instance, if you select the `VT Engine Detections` field for the `File` indicator type, add the path `File.VTVendors.EngineDetections`. This will enable the field to be populated in the indicator data.
From 960203ee32f4912cf9267cd61a1a92a334bd5970 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pablo=20P=C3=A9rez?= <122302023+pabloperezj@users.noreply.github.com>
Date: Tue, 16 Jul 2024 10:51:54 +0200
Subject: [PATCH 26/28] Update Packs/VirusTotal/Integrations/VirusTotalV3/README.md
Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>
---
 Packs/VirusTotal/Integrations/VirusTotalV3/README.md | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/Packs/VirusTotal/Integrations/VirusTotalV3/README.md b/Packs/VirusTotal/Integrations/VirusTotalV3/README.md
index c20bdb687f1b..857ba22c24a7 100644
--- a/Packs/VirusTotal/Integrations/VirusTotalV3/README.md
+++ b/Packs/VirusTotal/Integrations/VirusTotalV3/README.md
@@ -2567,6 +2567,10 @@ Get analysis of a private file submitted to VirusTotal.
 - **VT Engine Vendors**. Array. VT vendors who flagged the indicator as malicious.
 - **VT Engine Detection Names**. Array. VT detection names that flagged the indicator as malicious.
-To display the new fields in indicators, navigate to `Settings -> Objects Setup -> Indicators -> Types`. Select the desired indicator type, for example, `File`. Click on `Edit` and, under `Custom Fields`, choose the desired field and add the corresponding path. For instance, if you select the `VT Engine Detections` field for the `File` indicator type, add the path `File.VTVendors.EngineDetections`. This will enable the field to be populated in the indicator data.
+To display the new fields in indicators:
+
+1. Navigate to `Settings > Objects Setup > Indicators > Types`.
+2. Select the desired indicator type, for example, `File`.
+3. Click `Edit` and, under `Custom Fields`, choose the desired field and add the corresponding path. For instance, if you select the `VT Engine Detections` field for the `File` indicator type, add the path `File.VTVendors.EngineDetections`. This will enable the field to be populated in the indicator data.
 Note that the field will not automatically appear in the indicator's layout. To make it visible, go to `Settings -> Objects Setup -> Indicators -> Layouts`, select the desired layout (e.g., `File Indicator`), click `Detach` if needed, and then edit the layout to include the new field.
From 156559f7c1c580d64201cdb2cc77f2a2af60a1e3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pablo=20P=C3=A9rez?= <122302023+pabloperezj@users.noreply.github.com>
Date: Tue, 16 Jul 2024 10:52:09 +0200
Subject: [PATCH 27/28] Update Packs/VirusTotal/Integrations/VirusTotalV3/README.md
Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>
---
 Packs/VirusTotal/Integrations/VirusTotalV3/README.md | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/Packs/VirusTotal/Integrations/VirusTotalV3/README.md b/Packs/VirusTotal/Integrations/VirusTotalV3/README.md
index 857ba22c24a7..f59364524646 100644
--- a/Packs/VirusTotal/Integrations/VirusTotalV3/README.md
+++ b/Packs/VirusTotal/Integrations/VirusTotalV3/README.md
@@ -2573,4 +2573,8 @@ To display the new fields in indicators:
 2. Select the desired indicator type, for example, `File`.
 3. Click `Edit` and, under `Custom Fields`, choose the desired field and add the corresponding path. For instance, if you select the `VT Engine Detections` field for the `File` indicator type, add the path `File.VTVendors.EngineDetections`. This will enable the field to be populated in the indicator data.
-Note that the field will not automatically appear in the indicator's layout. To make it visible, go to `Settings -> Objects Setup -> Indicators -> Layouts`, select the desired layout (e.g., `File Indicator`), click `Detach` if needed, and then edit the layout to include the new field.
+Note that the field will not automatically appear in the indicator's layout. To make it visible:
+
+1. Navigate to `Settings > Objects Setup > Indicators > Layouts`.
+2. Select the desired layout (e.g., `File Indicator`).
+3. Click `Detach` if needed, and then edit the layout to include the new field.
From 03e7d79448f3708e5caf150f2857a52507ed2dce Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pablo=20P=C3=A9rez?= <122302023+pabloperezj@users.noreply.github.com>
Date: Tue, 16 Jul 2024 10:52:19 +0200
Subject: [PATCH 28/28] Update Packs/VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.yml
Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>
---
 Packs/VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/Packs/VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.yml b/Packs/VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.yml
index f0a47ca6e329..a181f78f49ea 100644
--- a/Packs/VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.yml
+++ b/Packs/VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.yml
@@ -252,11 +252,11 @@ script:
 - contextPath: File.Malicious.TotalEngines
 description: For malicious files, the total number of engines that checked the file hash.
 - contextPath: File.VTVendors.EngineDetections
- description: Number of VT vendors which flagged the file as malicious.
+ description: Number of VT vendors that flagged the file as malicious.
 - contextPath: File.VTVendors.EngineVendors
- description: VT vendors which flagged the file as malicious.
+ description: VT vendors who flagged the file as malicious.
 - contextPath: File.VTVendors.EngineDetectionNames
- description: VT detection names which flagged the file as malicious.
+ description: VT detection names that flagged the file as malicious.
 - contextPath: DBotScore.Indicator
 description: The indicator that was tested.
 - contextPath: DBotScore.Type