From a60a26a3a744a9a4e815d0f86a2e89cea6ae93b2 Mon Sep 17 00:00:00 2001 From: Dror Avrahami Date: Tue, 20 Jun 2023 15:28:12 +0200 Subject: [PATCH] Domain extracted from a file with an extension as part of a URL (#27569) * Fix for domain regex and formatter to avoid catching files as domains * RN * docker bump * RN --- Packs/CommonScripts/ReleaseNotes/1_11_88.md | 6 ++++++ .../ExtractDomainAndFQDNFromUrlAndEmail.py | 1 + .../ExtractDomainAndFQDNFromUrlAndEmail.yml | 2 +- Packs/CommonScripts/pack_metadata.json | 2 +- Packs/CommonTypes/IndicatorTypes/reputation-domain.json | 2 +- Packs/CommonTypes/ReleaseNotes/3_3_75.md | 5 +++++ Packs/CommonTypes/pack_metadata.json | 2 +- 7 files changed, 16 insertions(+), 4 deletions(-) create mode 100644 Packs/CommonScripts/ReleaseNotes/1_11_88.md create mode 100644 Packs/CommonTypes/ReleaseNotes/3_3_75.md diff --git a/Packs/CommonScripts/ReleaseNotes/1_11_88.md b/Packs/CommonScripts/ReleaseNotes/1_11_88.md new file mode 100644 index 000000000000..85af4f6b5a4f --- /dev/null +++ b/Packs/CommonScripts/ReleaseNotes/1_11_88.md @@ -0,0 +1,6 @@ + +#### Scripts + +##### ExtractDomainAndFQDNFromUrlAndEmail +- Updated the Docker image to: *demisto/py3-tools:1.0.0.63856*. +- Updated the formatter to remove all characters except for "-" from the parts of the domain. diff --git a/Packs/CommonScripts/Scripts/ExtractDomainAndFQDNFromUrlAndEmail/ExtractDomainAndFQDNFromUrlAndEmail.py b/Packs/CommonScripts/Scripts/ExtractDomainAndFQDNFromUrlAndEmail/ExtractDomainAndFQDNFromUrlAndEmail.py index 3e303f8e9ae2..1aab01312b21 100644 --- a/Packs/CommonScripts/Scripts/ExtractDomainAndFQDNFromUrlAndEmail/ExtractDomainAndFQDNFromUrlAndEmail.py +++ b/Packs/CommonScripts/Scripts/ExtractDomainAndFQDNFromUrlAndEmail/ExtractDomainAndFQDNFromUrlAndEmail.py 
@@ -104,6 +104,7 @@ def extract_fqdn(the_input): the_input = unescape_url(the_input) indicator = get_fqdn(the_input) + indicator = ".".join([re.sub("[^\w-]", "", part) for part in indicator.split(".")]) return indicator diff --git a/Packs/CommonScripts/Scripts/ExtractDomainAndFQDNFromUrlAndEmail/ExtractDomainAndFQDNFromUrlAndEmail.yml b/Packs/CommonScripts/Scripts/ExtractDomainAndFQDNFromUrlAndEmail/ExtractDomainAndFQDNFromUrlAndEmail.yml index 45452cc3e55d..e6e4463ef781 100644 --- a/Packs/CommonScripts/Scripts/ExtractDomainAndFQDNFromUrlAndEmail/ExtractDomainAndFQDNFromUrlAndEmail.yml +++ b/Packs/CommonScripts/Scripts/ExtractDomainAndFQDNFromUrlAndEmail/ExtractDomainAndFQDNFromUrlAndEmail.yml @@ -18,7 +18,7 @@ tags: - indicator-format timeout: '0' type: python -dockerimage: demisto/py3-tools:1.0.0.61229 +dockerimage: demisto/py3-tools:1.0.0.63856 runas: DBotWeakRole runonce: false tests: diff --git a/Packs/CommonScripts/pack_metadata.json b/Packs/CommonScripts/pack_metadata.json index 11ffe6382046..6bbc8d4cc07e 100644 --- a/Packs/CommonScripts/pack_metadata.json +++ b/Packs/CommonScripts/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Common Scripts", "description": "Frequently used scripts pack.", "support": "xsoar", - "currentVersion": "1.11.87", + "currentVersion": "1.11.88", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/CommonTypes/IndicatorTypes/reputation-domain.json b/Packs/CommonTypes/IndicatorTypes/reputation-domain.json index 50c0865714b4..c9ce39df14fe 100644 --- a/Packs/CommonTypes/IndicatorTypes/reputation-domain.json +++ b/Packs/CommonTypes/IndicatorTypes/reputation-domain.json 
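Review bot: The pattern passed to the added `re.sub` call is a plain string, so `"[^\w-]"` carries an invalid escape (`\w`) that CPython reports as a DeprecationWarning today and a SyntaxWarning from 3.12; write it raw and drop the needless list brackets, `indicator = ".".join(re.sub(r"[^\w-]", "", part) for part in indicator.split("."))`. Deleting characters from inside every label also rewrites the indicator instead of rejecting it: the domain regex in this same change explicitly admits `–` (U+2013) in labels, which `\w` does not cover, so `foo–bar.com` would be stored as `foobar.com`, a different host than the one actually observed, and a label made only of stripped characters leaves an empty segment (`a..com`). If the intent is only to drop the trailing punctuation the new regex is meant to pick up, stripping it from the end of the whole indicator would be safer than per-label deletion; either way a one-line comment stating which input this line targets would help the next reader. `extract_fqdn` begins before this hunk.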
@@ -6,7 +6,7 @@
 "sortValues": null,
 "commitMessage": "",
 "shouldCommit": false,
- "regex": "(?i)(?P(?:http|ftp|hxxp)s?(?:://|-3A__|%3A%2F%2F))?(?:%[\\da-f][\\da-f])?(?P(?:[\\p{L}\\d\\-–]+(?:\\.|\\[\\.\\]))+[\\p{L}]{2,})(@|%40)?",
+ "regex": "(?i)(?P(?:http|ftp|hxxp)s?(?:://|-3A__|%3A%2F%2F))?(?:%[\\da-f][\\da-f])?(?P(?:[\\p{L}\\d\\-–]+(?:\\.|\\[\\.\\]))+[\\p{L}]{2,})(@|%40)?(?:\\b| |[[:punct:]]|$)",
 "details": "Domain",
 "prevDetails": "Domain",
 "reputationScriptName": "",
diff --git a/Packs/CommonTypes/ReleaseNotes/3_3_75.md b/Packs/CommonTypes/ReleaseNotes/3_3_75.md
new file mode 100644
index 000000000000..5d40d7f2260e
--- /dev/null
+++ b/Packs/CommonTypes/ReleaseNotes/3_3_75.md
@@ -0,0 +1,5 @@
+
+#### Indicator Types
+
+- **domainRepUnified**
+Updated the regex to catch punctuation marks after the domain which are removed in the formatter.
diff --git a/Packs/CommonTypes/pack_metadata.json b/Packs/CommonTypes/pack_metadata.json
index 2b50922146ba..53d034fb34ec 100644
--- a/Packs/CommonTypes/pack_metadata.json
+++ b/Packs/CommonTypes/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Common Types",
 "description": "This Content Pack will get you up and running in no-time and provide you with the most commonly used incident & indicator fields and types.",
 "support": "xsoar",
- "currentVersion": "3.3.74",
+ "currentVersion": "3.3.75",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
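Review bot: In the trailing group `(?:\\b| |[[:punct:]]|$)` added on the `regex` line, the zero-width `\\b` comes first, so in a leftmost-first engine (Go's default, Python's `re`) it succeeds before any following punctuation and the `[[:punct:]]` alternative is effectively reached only for `_`, which `\\b` does not treat as a boundary; if the punctuation is really meant to be consumed as the release note says, order it `(?:[[:punct:]]| |\\b|$)` and confirm the behaviour against the server's regex engine. The group also does not, on its own, stop a path component such as `readme.txt` from matching, because `$` or `\\b` holds wherever the greedy `[\\p{L}]{2,}` stops before a non-word character, so the exclusion of file-like names appears to rest entirely on the formatter. `[[:punct:]]` is POSIX class syntax that Python's `re` rejects, so this string should not be copied verbatim into the Python script or its tests.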