Add zdl ti fusion pack (#26981) (#27286)

* Add ZeroDayLiveTIFusion Pack

* Formatting updates

* Remove .lock, set default repotation value

* Remove th pipefile

* Rename Pack to contain feed - adhere to PA conventions

* Reuse existing CSV API module

* Metadata updates - post review

* Update descriptions

Co-authored-by: grzegorzpapkala <[email protected]>

Packs/FeedZeroDayLiveTIFusion/.secrets-ignore

@@ -0,0 +1,2 @@
+https://us-cert.cisa.gov
+ZeroDayLiveTIFUSION

Packs/FeedZeroDayLiveTIFusion/Integrations/FeedZeroDayLiveTIFUSION/FeedZeroDayLiveTIFUSION.py

@@ -0,0 +1,20 @@
+import demistomock as demisto
+from CommonServerPython import *
+
+
+def main():
+    params = demisto.params()
+    # when auto_detect is not selected
+    if params.get('auto_detect_type') is False and not params.get('indicator_type'):
+        return_error('Indicator Type cannot be empty when Auto Detect Indicator Type is unchecked')
+    # when auto_detect does not exist - for previous integration instances
+    if params.get('auto_detect_type') is None and not params.get('indicator_type'):
+        return_error('Indicator Type cannot be empty')
+    feed_main('ZDL', prefix='zdl', params=params)
+
+
+from CSVFeedApiModule import *  # noqa: E402
+
+
+if __name__ in ('__builtin__', 'builtins', '__main__'):
+    main()

Packs/FeedZeroDayLiveTIFusion/Integrations/FeedZeroDayLiveTIFUSION/FeedZeroDayLiveTIFUSION.yml

@@ -0,0 +1,122 @@
+category: Data Enrichment & Threat Intelligence
+commonfields:
+  id: ZeroDayLiveTIFUSION Feed
+  version: -1
+configuration:
+- defaultvalue: "true"
+  display: Fetch indicators
+  name: feed
+  required: false
+  type: 8
+- additionalinfo: Indicators from this integration instance will be marked with this reputation
+  defaultvalue: Bad
+  display: Indicator Reputation
+  name: feedReputation
+  options:
+  - None
+  - Good
+  - Suspicious
+  - Bad
+  required: false
+  type: 18
+- additionalinfo: Reliability of the source providing the intelligence data
+  defaultvalue: F - Reliability cannot be judged
+  display: Source Reliability
+  name: feedReliability
+  options:
+  - A - Completely reliable
+  - B - Usually reliable
+  - C - Fairly reliable
+  - D - Not usually reliable
+  - E - Unreliable
+  - F - Reliability cannot be judged
+  required: true
+  type: 15
+- additionalinfo: The Traffic Light Protocol (TLP) designation to apply to indicators fetched from the feed
+  display: Traffic Light Protocol Color
+  name: tlp_color
+  options:
+  - RED
+  - AMBER
+  - GREEN
+  - WHITE
+  required: false
+  type: 15
+- defaultvalue: indicatorType
+  display: ""
+  name: feedExpirationPolicy
+  options:
+  - never
+  - interval
+  - indicatorType
+  - suddenDeath
+  required: false
+  type: 17
+- defaultvalue: "20160"
+  display: ""
+  name: feedExpirationInterval
+  required: false
+  type: 1
+- defaultvalue: "240"
+  display: Feed Fetch Interval
+  name: feedFetchInterval
+  required: false
+  type: 19
+- additionalinfo: When selected, the exclusion list is ignored for indicators from this feed. This means that if an indicator from this feed is on the exclusion list, the indicator might still be added to the system.
+  display: Bypass exclusion list
+  name: feedBypassExclusionList
+  required: false
+  type: 8
+- additionalinfo: If selected, the indicator type will be auto detected for each indicator.
+  defaultvalue: "true"
+  display: Auto detect indicator type
+  name: auto_detect_type
+  required: false
+  type: 8
+- additionalinfo: Type of the indicator in the feed, If auto-detect is checked then the value set as Indicator Type will be ignored.
+  display: Indicator Type
+  name: indicator_type
+  required: false
+  type: 0
+- display: URL
+  name: url
+  required: true
+  type: 0
+- display: Username
+  name: credentials
+  required: false
+  type: 9
+- additionalinfo: The names to apply to the fields in the CSV feed. The name for the field containing the indicator should be "value".
+  display: Field Names
+  name: fieldnames
+  required: false
+  type: 0
+  defaultvalue: "value"
+- additionalinfo: Time (in seconds) before HTTP requests timeout.
+  defaultvalue: "20"
+  display: Request Timeout
+  name: polling_timeout
+  required: true
+  type: 0
+- additionalinfo: Supports CSV values.
+  display: Tags
+  name: feedTags
+  required: false
+  type: 0
+- display: Use system proxy settings
+  name: proxy
+  required: false
+  type: 8
+description: 'Zero Day Live is Blackwired’s flagship product that delivers proprietary cyber threat intelligence, enabling our clients to operate at the same speed as the adversary. Zero Day Live specializes in unknown, zero day and early warning threats. Our intelligence is delivered finished, actionable and seamlessly orchestrated, directly into the existing security infrastructure – measurably reducing the risk of breach.'
+display: Zero Day Live TI FUSION Feed
+name: ZeroDayLiveTIFUSION Feed
+script:
+  dockerimage: demisto/py3-tools:1.0.0.61931
+  feed: true
+  runonce: true
+  script: '-'
+  type: python
+  subtype: python3
+fromversion: 6.6.0
+tests:
+- No tests (auto formatted)

Packs/FeedZeroDayLiveTIFusion/Integrations/FeedZeroDayLiveTIFUSION/FeedZeroDayLiveTIFUSION_description.md

@@ -0,0 +1,20 @@
+Fetch indicators from a ZeroDayLive feed.
+
+* **Indicator Type** - The type of indicators in the feed.
+* **Server URL** - URL of the feed.
+* **Username + Password** - Credentials to access feeds that require basic authentication. 
+These fields also support the use of API key headers. To use API key headers, specify the header name and value in the following format:
+`_header:<header_name>` in the **Username** field and the header value in the **Password** field.
+
+
+## Step by step configuration
+
+As an example, we'll be looking at the Palo-Alto-sha256 feed. This feed will ingest indicators of type File. These are the feed instance configuration parameters for our example
+
+**Indicator Type** - File.
+**Server URL**: <https://digitalwitness.zeroday.live/exports/download/Palo-Alto-sha256.csv>.
+**Credentials** - user: *XXX*, password: *XXX* - need to be obtained from Zero Day Live portal.
+
+The other paramer values can stay with defualt
+
+**Field Names** - There is only single field and that field is the indicator to fetch. So to confgiure that we can leave default `value` as is.

Packs/FeedZeroDayLiveTIFusion/Integrations/FeedZeroDayLiveTIFUSION/README.md

@@ -0,0 +1,42 @@
+## Overview
+
+---
+
+Fetch indicators from a ZeroDayLive feed.
+Zero Day Live is our threat intelligence platform. It services multiple security vendors within the industry with the latest intelligence in order to prevent cyber attacks.  
+
+## Configure ZeroDayLive Feed on Cortex XSOAR
+
+---
+
+
+1. Navigate to __Settings__ > __Integrations__ > __Servers & Services__.
+2. Search for Zero Day Live TI FUSION Feed.
+3. Click __Add instance__ to create and configure a new integration instance.
+    * __Name__: a textual name for the integration instance.
+    * __URL__: Server URL where the feed is.
+    * __Fetch indicators__: boolean flag. If set to true will fetch indicators.
+    * __Fetch Interval__: Interval of the fetches.
+    * __Reliability__: Reliability of the feed. 
+    * __Traffic Light Protocol Color__: The Traffic Light Protocol (TLP) designation to apply to indicators fetched from the feed. More information about the protocol can be found at <https://us-cert.cisa.gov/tlp>
+    * __Username + Password__ - Credentials to access feeds that require basic authentication. 
+These fields also support the use of API key headers. To use API key headers, specify the header name and value in the following format:
+`_header:<header_name>` in the __Username__ field and the header value in the __Password__ field.
+    * __Use system proxy settings__
+    * __Request Timeout__: Time (in seconds) before HTTP requests timeout.
+    * __Field Names__: Name of the field names in the CSV. If several are given, will use
+    "value" as the indicator value field.
+4. Click __Test__ to validate the URLs, token, and connection.
+
+
+## Step by step configuration
+
+As an example, we'll be looking at the Palo-Alto-sha256 feed. This feed will ingest indicators of type File. These are the feed instance configuration parameters for our example
+
+**Indicator Type** - File.
+**Server URL**: <https://digitalwitness.zeroday.live/exports/download/Palo-Alto-sha256.csv>.
+**Credentials** - user: *XXX*, password: *XXX* - need to be obtained from Zero Day Live portal.
+
+The other paramer values can stay with defualt
+
+**Field Names** - There is only single field and that field is the indicator to fetch. So to confgiure that we can leave default `value` as is.

Packs/FeedZeroDayLiveTIFusion/pack_metadata.json

@@ -0,0 +1,22 @@
+{
+    "name": "Zero Day Live TI FUSION Feed",
+    "description": "'Zero Day Live is Blackwired’s flagship product that delivers proprietary, holistic, high confidence and precision intelligence data points on Adversaries’ malicious intent.",
+    "support": "community",
+    "currentVersion": "1.0.0",
+    "author": "Grzegorz Papkala",
+    "url": "https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/bd-p/Cortex_XSOAR_Discussions",
+    "email": "",
+    "categories": [
+        "Data Enrichment & Threat Intelligence"
+    ],
+    "tags": [],
+    "useCases": [],
+    "keywords": [],
+    "marketplaces": [
+        "xsoar"
+    ],
+    "devEmail": [
+        "[email protected]"
+    ],
+    "githubUser": []
+}