Recorded Future: Added two new fields to intelligence lookups for CVE…

…s. (#12610) * Recorded Future: Added two new fields to intelligence lookups for CVEs. (#12445) * Added two new fields to intelligence lookups for CVEs. * Added release notes. * Update Packs/RecordedFuture/ReleaseNotes/1_1_1.md Co-authored-by: Dan Tavori <[email protected]> Co-authored-by: Dan Tavori <[email protected]> * docker image - bumped version Co-authored-by: christian-recordedfuture <[email protected]> Co-authored-by: Dan Tavori <[email protected]> Co-authored-by: Dan Tavori <[email protected]>
demisto · May 9, 2021 · 4462847 · 4462847
1 parent a100a83
commit 4462847
Show file tree

Hide file tree

Showing 5 changed files with 77 additions and 8 deletions.
diff --git a/Packs/RecordedFuture/Integrations/RecordedFuture/README.md b/Packs/RecordedFuture/Integrations/RecordedFuture/README.md
@@ -1005,6 +1005,8 @@ Get threat intelligence for an IP, Domain, CVE, URL or File.
 | RecordedFuture.CVE.relatedEntities.RelatedCompany.id | String | Recorded Future Related ID |
 | RecordedFuture.CVE.relatedEntities.RelatedCompany.name | String | Recorded Future Related Name |
 | RecordedFuture.CVE.relatedEntities.RelatedCompany.type | String | Recorded Future Related Type |
+| RecordedFuture.CVE.cpe | String | Recorded Future  CPE information |
+| RecordedFuture.CVE.relatedLinks | String | Recorded Future CVE Related Links |
 | RecordedFuture.File.criticality | number | Risk Criticality |
 | RecordedFuture.File.criticalityLabel | string | Risk Criticality Label |
 | RecordedFuture.File.riskString | string | Risk String |

diff --git a/Packs/RecordedFuture/Integrations/RecordedFuture/RecordedFuture.py b/Packs/RecordedFuture/Integrations/RecordedFuture/RecordedFuture.py
@@ -14,7 +14,7 @@
 # disable insecure warnings
 requests.packages.urllib3.disable_warnings()  # pylint:disable=no-member
 
-__version__ = '2.1'
+__version__ = '2.1.1'
 
 
 def rename_keys(old_to_new: Dict[str, str], original: Dict[str, Any]):
@@ -50,7 +50,9 @@ def entity_lookup(
         )
 
     def entity_enrich(
-        self, entity: str, entity_type: str, related: bool, risky: bool, profile: str = 'All'
+        self, entity: str, entity_type: str,
+            related: bool, risky: bool,
+            profile: str = 'All'
     ) -> Dict[str, Any]:
         """Entity enrich."""
 
@@ -119,6 +121,8 @@ def entity_enrich(
                 "cvss",
                 "nvdDescription",
                 "relatedEntities",
+                "cpe",
+                "relatedLinks"
             ],
             "url": [
                 "entity",
@@ -219,6 +223,37 @@ def translate_score(score: int, threshold: int) -> int:
         return Common.DBotScore.NONE
 
 
+def parse_cpe(cpes: list) -> list:
+    dicts = []
+    parts = {
+        'o': 'Operating System',
+        'a': 'Application',
+        'h': 'Hardware',
+        '*': 'Any',
+        '-': 'NA'
+    }
+    cpe_regex = re.compile(
+        r'cpe:2\.3:(?P<Part>[aoh*-]):(?P<Vendor>[a-zA-Z_-]+):'
+        r'(?P<Product>[A-Za-z0-9_-]+):(?P<Version>[0-9.]+):(?P<Update>[a-zA-Z0-9*]+):'
+        r'(?P<Edition>[a-zA-Z0-9*]+):(?P<Language>[a-zA-Z0-9*]+):'
+        r'(?P<swedition>[a-zA-Z0-9*]+):(?P<targetsw>[a-zA-Z0-9*]+):'
+        r'(?P<targethw>[a-zA-Z0-9*]+):(?P<Other>[a-zA-Z0-9*]+)'
+    )
+    for cpe in cpes:
+        try:
+            match = cpe_regex.match(cpe)
+            if match:
+                tmp_dict = match.groupdict()
+                tmp_dict['Part'] = parts[tmp_dict.get('Part', '-')]
+                tmp_dict['Software Edition'] = tmp_dict.pop('swedition')
+                tmp_dict['Target Software'] = tmp_dict.pop('targetsw')
+                tmp_dict['Target Hardware'] = tmp_dict.pop('targethw')
+                dicts.append(tmp_dict)
+        except:
+            continue
+    return dicts
+
+
 def determine_hash(hash_value: str) -> str:
     """Determine hash type by length."""
     hash_length = len(hash_value)
@@ -778,6 +813,21 @@ def build_intel_markdown(entity_data: Dict[str, Any], entity_type: str) -> str:
                     f'{prettify_time(cdata.get("lastModified"))}',
                 ]
             markdown.extend(cvss)
+            if data.get("cpe", None):
+                markdown.append(
+                    tableToMarkdown(
+                        "CPE Information",
+                        parse_cpe(data.get("cpe")),
+                        ['Part', 'Vendor', 'Product', 'Version', 'Update', 'Edition',
+                         'Language', 'Software Edition', 'Target Software',
+                         'Target Hardware', 'Other']
+                    )
+                )
+            if data.get('relatedLinks', None):
+                markdown.append(tableToMarkdown(
+                    "Related Links",
+                    [{'Related Links': x} for x in data.get('relatedLinks')]
+                ))
         evidence_table = [
             {
                 "Rule Criticality": detail.get("criticalityLabel"),
@@ -857,7 +907,10 @@ def build_intel_context(
         )
         command_results.append(
             CommandResults(
-                readable_output=tableToMarkdown('New indicator was created', indicator.to_context()),
+                readable_output=tableToMarkdown(
+                    'New indicator was created',
+                    indicator.to_context()
+                ),
                 indicator=indicator
             )
         )
@@ -871,7 +924,10 @@ def build_intel_context(
             )
             command_results.append(
                 CommandResults(
-                    readable_output=tableToMarkdown("New indicator was created", indicator.to_context()),
+                    readable_output=tableToMarkdown(
+                        "New indicator was created",
+                        indicator.to_context()
+                    ),
                     indicator=indicator
                 )
             )

diff --git a/Packs/RecordedFuture/Integrations/RecordedFuture/RecordedFuture.yml b/Packs/RecordedFuture/Integrations/RecordedFuture/RecordedFuture.yml
@@ -67,7 +67,7 @@ script:
   script: '-'
   type: python
   subtype: python3
-  dockerimage: demisto/python3:3.9.2.17246
+  dockerimage: demisto/python3:3.9.4.19537
   commands:
   - name: domain
     arguments:
@@ -1501,6 +1501,12 @@ script:
     - contextPath: RecordedFuture.CVE.relatedEntities.RelatedCompany.type
       description: Recorded Future Related Type
       type: string
+    - contextPath: RecordedFuture.CVE.cpe
+      description: Recorded Future CPE information
+      type: string
+    - contextPath: RecordedFuture.CVE.relatedLinks
+      description: Recorded Future CVE Related Links
+      type: string
     - contextPath: RecordedFuture.File.criticality
       description: Risk Criticality
       type: number

diff --git a/Packs/RecordedFuture/ReleaseNotes/1_1_1.md b/Packs/RecordedFuture/ReleaseNotes/1_1_1.md
@@ -0,0 +1,5 @@
+
+#### Integrations
+##### Recorded Future v2
+- Updated the Docker image to: *demisto/python3:3.9.4.19537*.
+- Added CPE information and related links to the outputs of the ***recordedfuture-intelligence*** command.
diff --git a/Packs/RecordedFuture/pack_metadata.json b/Packs/RecordedFuture/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "RecordedFuture v2",
     "description": "Recorded Future App v2",
     "support": "partner",
-    "currentVersion": "1.1.0",
+    "currentVersion": "1.1.1",
     "author": "Recorded Future",
     "url": "https://www.recordedfuture.com/support/demisto-integration/",
     "email": "[email protected]",
@@ -11,7 +11,7 @@
     ],
     "tags": [],
     "created": "2020-05-12T13:09:02Z",
-    "updated": "2020-06-03T13:09:02Z",
+    "updated": "2021-04-26T15:48:02Z",
     "certification": "certified",
     "useCases": [],
     "keywords": [
@@ -30,4 +30,4 @@
     "githubUser": [
         "christian-recordedfuture"
     ]
-}
+}