Domain extracted from a file with an extension as part of a URL (#27569)

* Fix for domain regex and formatter to avoid catching files as domains * RN * docker bump * RN
demisto · Jul 2, 2023 · a60a26a · a60a26a
1 parent c64ff28
commit a60a26a
Show file tree

Hide file tree

Showing 7 changed files with 16 additions and 4 deletions.
diff --git a/Packs/CommonScripts/ReleaseNotes/1_11_88.md b/Packs/CommonScripts/ReleaseNotes/1_11_88.md
@@ -0,0 +1,6 @@
+
+#### Scripts
+
+##### ExtractDomainAndFQDNFromUrlAndEmail
+- Updated the Docker image to: *demisto/py3-tools:1.0.0.63856*.
+- Updated the formatter to remove all characters except for "-" from the parts of the domain.
diff --git a/...cripts/Scripts/ExtractDomainAndFQDNFromUrlAndEmail/ExtractDomainAndFQDNFromUrlAndEmail.py b/...cripts/Scripts/ExtractDomainAndFQDNFromUrlAndEmail/ExtractDomainAndFQDNFromUrlAndEmail.py
@@ -104,6 +104,7 @@ def extract_fqdn(the_input):
     the_input = unescape_url(the_input)
 
     indicator = get_fqdn(the_input)
+    indicator = ".".join([re.sub("[^\w-]", "", part) for part in indicator.split(".")])
     return indicator
 
 

diff --git a/...ripts/Scripts/ExtractDomainAndFQDNFromUrlAndEmail/ExtractDomainAndFQDNFromUrlAndEmail.yml b/...ripts/Scripts/ExtractDomainAndFQDNFromUrlAndEmail/ExtractDomainAndFQDNFromUrlAndEmail.yml
@@ -18,7 +18,7 @@ tags:
 - indicator-format
 timeout: '0'
 type: python
-dockerimage: demisto/py3-tools:1.0.0.61229
+dockerimage: demisto/py3-tools:1.0.0.63856
 runas: DBotWeakRole
 runonce: false
 tests:

diff --git a/Packs/CommonScripts/pack_metadata.json b/Packs/CommonScripts/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Common Scripts",
     "description": "Frequently used scripts pack.",
     "support": "xsoar",
-    "currentVersion": "1.11.87",
+    "currentVersion": "1.11.88",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

diff --git a/Packs/CommonTypes/IndicatorTypes/reputation-domain.json b/Packs/CommonTypes/IndicatorTypes/reputation-domain.json
@@ -6,7 +6,7 @@
     "sortValues": null,
     "commitMessage": "",
     "shouldCommit": false,
-    "regex": "(?i)(?P<scheme>(?:http|ftp|hxxp)s?(?:://|-3A__|%3A%2F%2F))?(?:%[\\da-f][\\da-f])?(?P<domain>(?:[\\p{L}\\d\\-–]+(?:\\.|\\[\\.\\]))+[\\p{L}]{2,})(@|%40)?",
+    "regex": "(?i)(?P<scheme>(?:http|ftp|hxxp)s?(?:://|-3A__|%3A%2F%2F))?(?:%[\\da-f][\\da-f])?(?P<domain>(?:[\\p{L}\\d\\-–]+(?:\\.|\\[\\.\\]))+[\\p{L}]{2,})(@|%40)?(?:\\b| |[[:punct:]]|$)",
     "details": "Domain",
     "prevDetails": "Domain",
     "reputationScriptName": "",

diff --git a/Packs/CommonTypes/ReleaseNotes/3_3_75.md b/Packs/CommonTypes/ReleaseNotes/3_3_75.md
@@ -0,0 +1,5 @@
+
+#### Indicator Types
+
+- **domainRepUnified**
+Updated the regex to catch punctuation marks after the domain which are removed in the formatter.
diff --git a/Packs/CommonTypes/pack_metadata.json b/Packs/CommonTypes/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Common Types",
     "description": "This Content Pack will get you up and running in no-time and provide you with the most commonly used incident & indicator fields and types.",
     "support": "xsoar",
-    "currentVersion": "3.3.74",
+    "currentVersion": "3.3.75",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",