From ca14c4620f022a0854c3fa1ee134a0bed454bc93 Mon Sep 17 00:00:00 2001 From: content-bot <55035720+content-bot@users.noreply.github.com> Date: Wed, 15 Jan 2025 13:16:03 +0200 Subject: [PATCH] ReversingLabs A1000 v2.4.4 (#38112) (#38170) * Update version to 2.4.4 * Update readme * Fix minor bugs in classification commands. * Add the contributors file * Add release notes Co-authored-by: Mislav Sever <46045160+MislavReversingLabs@users.noreply.github.com> --- Packs/ReversingLabs_A1000/CONTRIBUTORS.json | 3 + .../ReversingLabsA1000v2/README.md | 1 + .../ReversingLabsA1000v2.py | 66 ++++++++++--------- .../ReversingLabsA1000v2.yml | 3 + .../ReversingLabs_A1000/ReleaseNotes/2_4_4.md | 6 ++ Packs/ReversingLabs_A1000/pack_metadata.json | 2 +- 6 files changed, 50 insertions(+), 31 deletions(-) create mode 100644 Packs/ReversingLabs_A1000/CONTRIBUTORS.json create mode 100644 Packs/ReversingLabs_A1000/ReleaseNotes/2_4_4.md diff --git a/Packs/ReversingLabs_A1000/CONTRIBUTORS.json b/Packs/ReversingLabs_A1000/CONTRIBUTORS.json new file mode 100644 index 000000000000..a79327c204f1 --- /dev/null +++ b/Packs/ReversingLabs_A1000/CONTRIBUTORS.json @@ -0,0 +1,3 @@ +[ + "Mislav Sever" +] \ No newline at end of file diff --git a/Packs/ReversingLabs_A1000/Integrations/ReversingLabsA1000v2/README.md b/Packs/ReversingLabs_A1000/Integrations/ReversingLabsA1000v2/README.md index 2fce10662523..a8e7f6672816 100644 --- a/Packs/ReversingLabs_A1000/Integrations/ReversingLabsA1000v2/README.md +++ b/Packs/ReversingLabs_A1000/Integrations/ReversingLabsA1000v2/README.md @@ -5740,6 +5740,7 @@ Retrieve classification report for a sample | --- | --- | --- | | hash | The hash of a desired sample. | Required | | localOnly | Return only local classification data for the sample, without falling back to querying TitaniumCloud. Default is False. | Optional | +| avScanners | Return AV scanner data from TitaniumCloud. | Optional | #### Context Output 
diff --git a/Packs/ReversingLabs_A1000/Integrations/ReversingLabsA1000v2/ReversingLabsA1000v2.py b/Packs/ReversingLabs_A1000/Integrations/ReversingLabsA1000v2/ReversingLabsA1000v2.py index 17421e1308d7..800ff8d9a5ff 100644 --- a/Packs/ReversingLabs_A1000/Integrations/ReversingLabsA1000v2/ReversingLabsA1000v2.py +++ b/Packs/ReversingLabs_A1000/Integrations/ReversingLabsA1000v2/ReversingLabsA1000v2.py @@ -2,7 +2,7 @@ from ReversingLabs.SDK.a1000 import A1000 -VERSION = "v2.4.0" +VERSION = "v2.4.4" USER_AGENT = f"ReversingLabs XSOAR A1000 {VERSION}" HOST = demisto.getParam('host') TOKEN = demisto.getParam('token') @@ -427,11 +427,12 @@ def get_classification(a1000): """ hash_value = demisto.getArg('hash') local_only = argToBoolean(demisto.getArg('localOnly')) + av_scanners = argToBoolean(demisto.getArg('avScanners')) try: response_json = a1000.get_classification_v3(hash_value, local_only=local_only, - av_scanners=True).json() + av_scanners=av_scanners).json() except Exception as e: return_error(str(e)) 
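Review bot: `argToBoolean(demisto.getArg('avScanners'))` raises a ValueError when the argument is absent, because CommonServerPython's argToBoolean rejects anything that is not a str or bool, and `demisto.getArg` returns None for a missing argument; the yml default of 'True' covers interactive use, but a playbook or automation built against 2.4.3 that calls the command with an explicit args dict will not supply it. Reading with a fallback preserves the old behaviour (AV scanners always included) for those callers: `av_scanners = argToBoolean(demisto.args().get('avScanners', 'True'))`. Do not use `demisto.getArg('avScanners') or 'True'` for this, since a boolean False passed by a caller would be silently turned into True. The same pattern exists on the pre-existing localOnly line above, which this commit does not change. get_classification begins before the hunk (only the closing `"""` of its docstring is visible) and continues after it.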
@@ -1211,36 +1212,41 @@ def sample_classification_output(resp_json, action, av_scanners, sample_hash): markdown = f"""## ReversingLabs A1000 sample classification - {action}\n""" if action == "GET CLASSIFICATION": - markdown = markdown + f"""**Classification**: {resp_json.get("classification")} - **Risk score**: {resp_json.get("riskscore")} - **First seen**: {resp_json.get("first_seen")} - **Last seen**: {resp_json.get("last_seen")} - **Classification result**: {resp_json.get("classification_result")} - **Classification reason**: {resp_json.get("classification_reason")} - **SHA-1**: {resp_json.get("sha1")} - **SHA-256**: {resp_json.get("sha256")} - **MD5**: {resp_json.get("md5")} - """ - if av_scanners: - scanners_table = tableToMarkdown("Scanner results", resp_json.get("av_scanners")) - markdown = markdown + f"\n{scanners_table}" + if resp_json.get("classification"): + markdown = markdown + f"""**Classification**: {resp_json.get("classification")} + **Risk score**: {resp_json.get("riskscore")} + **First seen**: {resp_json.get("first_seen")} + **Last seen**: {resp_json.get("last_seen")} + **Classification result**: {resp_json.get("classification_result")} + **Classification reason**: {resp_json.get("classification_reason")} + **SHA-1**: {resp_json.get("sha1")} + **SHA-256**: {resp_json.get("sha256")} + **MD5**: {resp_json.get("md5")} + """ + if av_scanners: + scanners_table = tableToMarkdown("Scanner results", resp_json.get("av_scanners")) + markdown = markdown + f"\n{scanners_table}" + + d_bot_score = classification_to_score(resp_json.get("classification").upper()) + dbot_score = Common.DBotScore( + indicator=sample_hash, + indicator_type=DBotScoreType.FILE, + integration_name='ReversingLabs A1000 v2', + score=d_bot_score, + malicious_description=resp_json.get("classification_result"), + reliability=RELIABILITY + ) - d_bot_score = classification_to_score(resp_json.get("classification").upper()) - dbot_score = Common.DBotScore( - indicator=sample_hash, - 
indicator_type=DBotScoreType.FILE, - integration_name='ReversingLabs A1000 v2', - score=d_bot_score, - malicious_description=resp_json.get("classification_result"), - reliability=RELIABILITY - ) + indicator = Common.File( + md5=resp_json.get("md5"), + sha1=resp_json.get("sha1"), + sha256=resp_json.get("sha256"), + dbot_score=dbot_score + ) - indicator = Common.File( - md5=resp_json.get("md5"), - sha1=resp_json.get("sha1"), - sha256=resp_json.get("sha256"), - dbot_score=dbot_score - ) + else: + markdown = markdown + "There were no results for the given hash." + indicator = None command_results = CommandResults( outputs_prefix="ReversingLabs", diff --git a/Packs/ReversingLabs_A1000/Integrations/ReversingLabsA1000v2/ReversingLabsA1000v2.yml b/Packs/ReversingLabs_A1000/Integrations/ReversingLabsA1000v2/ReversingLabsA1000v2.yml index aa5b6e397334..7c66a31e29dc 100644 --- a/Packs/ReversingLabs_A1000/Integrations/ReversingLabsA1000v2/ReversingLabsA1000v2.yml +++ b/Packs/ReversingLabs_A1000/Integrations/ReversingLabsA1000v2/ReversingLabsA1000v2.yml @@ -236,6 +236,9 @@ script: - defaultValue: 'False' description: Return only local classification data for the sample, without falling back to querying TitaniumCloud. name: localOnly + - defaultValue: 'True' + description: Return AV scanner data from TitaniumCloud. + name: avScanners description: Retrieve classification report for a sample. name: reversinglabs-a1000-get-classification outputs: diff --git a/Packs/ReversingLabs_A1000/ReleaseNotes/2_4_4.md b/Packs/ReversingLabs_A1000/ReleaseNotes/2_4_4.md new file mode 100644 index 000000000000..3e2acba101e6 --- /dev/null +++ b/Packs/ReversingLabs_A1000/ReleaseNotes/2_4_4.md @@ -0,0 +1,6 @@ + +#### Integrations + +##### ReversingLabs A1000 v2 + +- Fixed minor bugs in the ***reversinglabs-a1000-get-classification*** and ***reversinglabs-a1000-sample-classification*** commands. 
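Review bot: The new else branch (`indicator = None`) drops the DBotScore entirely when the platform returns no classification, so a hash the A1000 has never seen leaves no verdict from this source and downstream playbooks cannot distinguish "not queried" from "queried, unknown". The XSOAR convention is to still return a File indicator carrying an Unknown score (`Common.DBotScore.NONE`) with this integration's name and RELIABILITY, which also records the negative result for later enrichment. The guard itself is the right fix — `resp_json.get("classification").upper()` on the old side was the crash when the key was missing. sample_classification_output starts before the hunk and the `CommandResults(...)` call it feeds continues past it, so I am assuming `indicator=indicator` is passed there. The else branch would become the sketch below; `get_hash_type` is the CommonServerPython helper and returns 'Unknown' for a malformed hash, hence the guard.
```python
        else:
            markdown = markdown + "There were no results for the given hash."
            # Still emit an Unknown verdict so the hash gets a DBotScore from this source.
            dbot_score = Common.DBotScore(
                indicator=sample_hash,
                indicator_type=DBotScoreType.FILE,
                integration_name='ReversingLabs A1000 v2',
                score=Common.DBotScore.NONE,
                reliability=RELIABILITY
            )
            hash_type = get_hash_type(sample_hash)  # md5 / sha1 / sha256, or 'Unknown'
            indicator = Common.File(
                dbot_score=dbot_score,
                **({hash_type: sample_hash} if hash_type != 'Unknown' else {})
            )
        # … unchanged: CommandResults construction …
```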
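Review bot: The new `avScanners` argument's description does not say how it interacts with `localOnly`: an operator who sets localOnly to keep a hash from being sent to TitaniumCloud may not expect the default avScanners=True to still trigger a cloud lookup, and from this diff I cannot tell whether the SDK's `get_classification_v3` honours local_only when av_scanners is set. Once confirmed, the description should state both the default and the precedence, e.g. `description: Return AV scanner data from TitaniumCloud. Default is True. Ignored when localOnly is True.` (adjust the last clause to the SDK's actual behaviour). The README row added in this commit should carry the same "Default is True." wording that its localOnly sibling row already has.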
diff --git a/Packs/ReversingLabs_A1000/pack_metadata.json b/Packs/ReversingLabs_A1000/pack_metadata.json index c922b312fc1a..8b7bb8b85afd 100644 --- a/Packs/ReversingLabs_A1000/pack_metadata.json +++ b/Packs/ReversingLabs_A1000/pack_metadata.json @@ -2,7 +2,7 @@ "name": "ReversingLabs A1000", "description": "Powerful threat detection and file analysis platform. Get detailed information on each file's status and threat capabilities.", "support": "partner", - "currentVersion": "2.4.3", + "currentVersion": "2.4.4", "author": "ReversingLabs", "url": "https://www.reversinglabs.com/products/malware-threat-hunting-and-investigations", "email": "support@reversinglabs.com",