Recorded Future Intelligence v10 (#2) (chronicle#529)

* PSF-1146: fix links parsing

* PSF-1152 - sync tracking connector param name

* PSF-1154 - fix new entity logic

* PSF-1155 - fix invalid param

* PSF-1177 - fix domain abuse image fetch

* PSF-1198 - fix incorrect documentation link

* PSF-1145 - bump psengine v2.4.2+

* PSF-1138 - integration v10 meta

* PSF-1072 - SOAR enrichment action

* PSF-1072 - new action files

* PSF-1071 - Add hash sandbox enrich action

* PSF-1178 - update json result response examples

* PSF-1138 - refactor enrichment

Author: dmartinson-rf

content/response_integrations/third_party/partner/recorded_future_intelligence/actions/AddAnalystNote.py

@@ -103,13 +103,9 @@ def end_script() -> NoReturn:
         ).document_id
 
     except Exception as err:
-        output_message = (
-            f"Error executing action {ADD_ANALYST_NOTE_SCRIPT_NAME}. Reason: {err}"
-        )
+        output_message = f"Error executing action {ADD_ANALYST_NOTE_SCRIPT_NAME}. Reason: {err}"
         if isinstance(err, RecordedFutureUnauthorizedError):
-            output_message = (
-                "Unauthorized - please check your API token and try again. {}"
-            )
+            output_message = "Unauthorized - please check your API token and try again. {}"
         success = False
         status = EXECUTION_STATE_FAILED
         siemplify.LOGGER.error(output_message)

content/response_integrations/third_party/partner/recorded_future_intelligence/actions/DetonateFile.py

@@ -214,14 +214,11 @@ def main(is_first_run):
         else:
             pending_files = (
                 file_name
-                for file_name, submission in submit_action.action_context[
-                    "submissions"
-                ].items()
+                for file_name, submission in submit_action.action_context["submissions"].items()
                 if submission.get("pending_submissions", [])
             )
             output_message = (
-                f"Waiting for results for the following files: "
-                f"{','.join(pending_files)}"
+                f"Waiting for results for the following files: {','.join(pending_files)}"
             )
             action_result = ActionResult(
                 result_value=json.dumps(action_context),

content/response_integrations/third_party/partner/recorded_future_intelligence/actions/DetonateFile.yaml

@@ -1,7 +1,7 @@
 creator: severins
 description: Submits a File to the Recorded Future Sandbox for analysis.
 dynamic_results_metadata:
--   result_example_path: null
+-   result_example_path: resources/DetonateSandbox_JsonResult_example.json
     result_name: JsonResult
     show_result: true
 integration_identifier: RecordedFutureIntelligence
@@ -32,3 +32,5 @@ parameters:
     is_mandatory: false
     name: Password
     type: string
+script_result_name: is_success
+simulation_data_json: '{"Entities": ["FILEHASH"]}'

content/response_integrations/third_party/partner/recorded_future_intelligence/actions/DetonateURL.py

@@ -187,14 +187,10 @@ def main(is_first_run: bool):
         else:
             pending_urls = (
                 entity_name
-                for entity_name, submission in submit_action.action_context[
-                    "submissions"
-                ].items()
+                for entity_name, submission in submit_action.action_context["submissions"].items()
                 if submission.get("pending_submissions", [])
             )
-            output_message = (
-                f"Waiting for results for the following urls: {','.join(pending_urls)}"
-            )
+            output_message = f"Waiting for results for the following urls: {','.join(pending_urls)}"
             action_result = ActionResult(
                 result_value=json.dumps(action_context),
                 output_message=output_message,

content/response_integrations/third_party/partner/recorded_future_intelligence/actions/DetonateURL.yaml

@@ -1,7 +1,7 @@
 creator: severins
 description: Submits a URL to the Recorded Future Sandbox for analysis.
 dynamic_results_metadata:
--   result_example_path: null
+-   result_example_path: resources/DetonateSandbox_JsonResult_example.json
     result_name: JsonResult
     show_result: true
 integration_identifier: RecordedFutureIntelligence
@@ -13,3 +13,5 @@ parameters:
     is_mandatory: false
     name: Profile
     type: string
+script_result_name: is_success
+simulation_data_json: '{"Entities": ["DestinationURL"]}'

content/response_integrations/third_party/partner/recorded_future_intelligence/actions/EnrichCVE.py

@@ -101,9 +101,7 @@ def main():
         )
 
     except RecordedFutureUnauthorizedError as e:
-        output_message = (
-            f"Unauthorized - please check your API token and try again. {e}"
-        )
+        output_message = f"Unauthorized - please check your API token and try again. {e}"
         siemplify.LOGGER.error(output_message)
         siemplify.LOGGER.exception(e)
     except Exception as e:

content/response_integrations/third_party/partner/recorded_future_intelligence/actions/EnrichHash.py

@@ -101,9 +101,7 @@ def main():
         )
 
     except RecordedFutureUnauthorizedError as e:
-        output_message = (
-            f"Unauthorized - please check your API token and try again. {e}"
-        )
+        output_message = f"Unauthorized - please check your API token and try again. {e}"
         siemplify.LOGGER.error(output_message)
         siemplify.LOGGER.exception(e)
     except Exception as e:

content/response_integrations/third_party/partner/recorded_future_intelligence/actions/EnrichHost.py

@@ -101,9 +101,7 @@ def main():
         )
 
     except RecordedFutureUnauthorizedError as e:
-        output_message = (
-            f"Unauthorized - please check your API token and try again. {e}"
-        )
+        output_message = f"Unauthorized - please check your API token and try again. {e}"
         siemplify.LOGGER.error(output_message)
         siemplify.LOGGER.exception(e)
     except Exception as e:

content/response_integrations/third_party/partner/recorded_future_intelligence/actions/EnrichIOC.py

@@ -108,9 +108,7 @@ def main():
         )
 
     except RecordedFutureUnauthorizedError as e:
-        output_message = (
-            f"Unauthorized - please check your API token and try again. {e}"
-        )
+        output_message = f"Unauthorized - please check your API token and try again. {e}"
         siemplify.LOGGER.error(output_message)
         siemplify.LOGGER.exception(e)
     except Exception as e:

content/response_integrations/third_party/partner/recorded_future_intelligence/actions/EnrichIOCsBulk.py

@@ -0,0 +1,94 @@
+############################## TERMS OF USE ################################### # noqa: E266
+# The following code is provided for demonstration purposes only, and should  #
+# not be used without independent verification. Recorded Future makes no      #
+# representations or warranties, express, implied, statutory, or otherwise,   #
+# regarding this code, and provides it strictly "as-is".                      #
+# Recorded Future shall not be liable for, and you assume all risk of         #
+# using the foregoing.                                                        #
+###############################################################################
+
+from constants import (
+    DEFAULT_DEVICE_VENDOR,
+    ENRICH_IOC_SOAR_SCRIPT_NAME,
+    PROVIDER_NAME,
+)
+from RecordedFutureCommon import RecordedFutureCommon
+from SiemplifyAction import SiemplifyAction
+from SiemplifyDataModel import EntityTypes
+from SiemplifyUtils import output_handler
+from TIPCommon.extraction import extract_action_param, extract_configuration_param
+
+SUPPORTED_ENTITIES = [
+    EntityTypes.HOSTNAME,
+    EntityTypes.CVE,
+    EntityTypes.FILEHASH,
+    EntityTypes.ADDRESS,
+    EntityTypes.URL,
+    EntityTypes.DOMAIN,
+]
+
+
+@output_handler
+def main():
+    siemplify = SiemplifyAction()
+    siemplify.script_name = ENRICH_IOC_SOAR_SCRIPT_NAME
+    siemplify.LOGGER.info("----------------- Main - Started -----------------")
+
+    api_url = extract_configuration_param(
+        siemplify, provider_name=PROVIDER_NAME, param_name="ApiUrl"
+    )
+    api_key = extract_configuration_param(
+        siemplify, provider_name=PROVIDER_NAME, param_name="ApiKey"
+    )
+    verify_ssl = extract_configuration_param(
+        siemplify,
+        provider_name=PROVIDER_NAME,
+        param_name="Verify SSL",
+        default_value=False,
+        input_type=bool,
+    )
+    collective_insights_global = extract_configuration_param(
+        siemplify,
+        provider_name=PROVIDER_NAME,
+        param_name="CollectiveInsights",
+        default_value=True,
+        input_type=bool,
+    )
+    collective_insights_action = extract_action_param(
+        siemplify,
+        param_name="Enable Collective Insights",
+        default_value=True,
+        input_type=bool,
+    )
+
+    # Exclude Collective Insights submissions for Recorded Future Alerts
+    reporting_vendor = siemplify.current_alert.reporting_vendor
+    external_vendor = reporting_vendor != DEFAULT_DEVICE_VENDOR
+
+    collective_insights_enabled = (
+        collective_insights_action and collective_insights_global and external_vendor
+    )
+
+    recorded_future_common = RecordedFutureCommon(
+        siemplify=siemplify,
+        api_url=api_url,
+        api_key=api_key,
+        verify_ssl=verify_ssl,
+    )
+
+    try:
+        recorded_future_common.enrich_soar_logic(
+            entity_types=SUPPORTED_ENTITIES,
+            collective_insights_enabled=collective_insights_enabled,
+        )
+    except Exception as e:
+        siemplify.LOGGER.error(
+            "General error performing action {}".format(ENRICH_IOC_SOAR_SCRIPT_NAME)
+        )
+        siemplify.LOGGER.exception(e)
+
+    siemplify.LOGGER.info("\n----------------- Main - Finished -----------------")
+
+
+if __name__ == "__main__":
+    main()