diff --git a/Packs/OpenPhish/Integrations/OpenPhish_v2/OpenPhish_v2_description.md b/Packs/OpenPhish/Integrations/OpenPhish_v2/OpenPhish_v2_description.md
index 8240706b61ec..afb19e6c85eb 100644
--- a/Packs/OpenPhish/Integrations/OpenPhish_v2/OpenPhish_v2_description.md
+++ b/Packs/OpenPhish/Integrations/OpenPhish_v2/OpenPhish_v2_description.md
@@ -1 +1,3 @@
-To configure an integration instance, you only need to set the refresh interval. All of the URLs are stored in the integration context and are refreshed according to the refresh interval.
\ No newline at end of file
+To configure an integration instance, you only need to set the refresh interval. All of the URLs are stored in the integration context and are refreshed according to the refresh interval.
+
+Notice: Submitting indicators using the ***url*** command of this integration might make the indicator data publicly available. See the vendor’s documentation for more details.
\ No newline at end of file
diff --git a/Packs/OpenPhish/Integrations/OpenPhish_v2/README.md b/Packs/OpenPhish/Integrations/OpenPhish_v2/README.md
index 94ad357ab10b..2800c434ae2c 100644
--- a/Packs/OpenPhish/Integrations/OpenPhish_v2/README.md
+++ b/Packs/OpenPhish/Integrations/OpenPhish_v2/README.md
@@ -20,6 +20,8 @@ After you successfully execute a command, a DBot message appears in the War Room
***
Checks the reputation of a URL.
+Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.
+
#### Base Command
diff --git a/Packs/OpenPhish/ReleaseNotes/2_0_15.md b/Packs/OpenPhish/ReleaseNotes/2_0_15.md
new file mode 100644
index 000000000000..8710ff7c92df
--- /dev/null
+++ b/Packs/OpenPhish/ReleaseNotes/2_0_15.md
@@ -0,0 +1,6 @@
+
+#### Integrations
+
+##### OpenPhish v2
+
+Documentation and metadata improvements.
diff --git a/Packs/OpenPhish/pack_metadata.json b/Packs/OpenPhish/pack_metadata.json
index d0fd25566214..fef41088e5f5 100644
--- a/Packs/OpenPhish/pack_metadata.json
+++ b/Packs/OpenPhish/pack_metadata.json
@@ -2,7 +2,7 @@
"name": "OpenPhish",
"description": "OpenPhish uses proprietary Artificial Intelligence algorithms to automatically identify zero-day phishing sites and provide comprehensive, actionable, real-time threat intelligence.",
"support": "xsoar",
- "currentVersion": "2.0.14",
+ "currentVersion": "2.0.15",
"author": "Cortex XSOAR",
"url": "https://www.paloaltonetworks.com/cortex",
"email": "",
@@ -14,8 +14,7 @@
"Plug & Enrich",
"Free Enricher"
],
- "useCases": [
- ],
+ "useCases": [],
"keywords": [],
"marketplaces": [
"xsoar",
diff --git a/Packs/Polygon/.pack-ignore b/Packs/Polygon/.pack-ignore
index d808126cd5bb..c3ee4d81865e 100644
--- a/Packs/Polygon/.pack-ignore
+++ b/Packs/Polygon/.pack-ignore
@@ -4,3 +4,5 @@ ignore=RM106
[file:Polygon_image.png]
ignore=IM111
+[known_words]
+THF
\ No newline at end of file
diff --git a/Packs/Polygon/Integrations/Polygon/Polygon_description.md b/Packs/Polygon/Integrations/Polygon/Polygon_description.md
index 040f167de2ee..f9e593a6383a 100644
--- a/Packs/Polygon/Integrations/Polygon/Polygon_description.md
+++ b/Packs/Polygon/Integrations/Polygon/Polygon_description.md
@@ -4,4 +4,6 @@
1. Open THF Huntbox web interface. (It may be like https://huntbox.group-ib.com)
2. Navigate to Profile and click Generate auth token.
3. Your server URL is the same as your Huntbox web interface URL.
-3. API Key was generated in 2.
\ No newline at end of file
+3. API Key was generated in 2.
+
+Notice: Submitting indicators using the ***polygon-upload-url*** command of this integration might make the indicator data publicly available. See the vendor’s documentation for more details.
diff --git a/Packs/Polygon/Integrations/Polygon/README.md b/Packs/Polygon/Integrations/Polygon/README.md
index c51fd1a95b4f..cc62d2c78fa7 100644
--- a/Packs/Polygon/Integrations/Polygon/README.md
+++ b/Packs/Polygon/Integrations/Polygon/README.md
@@ -68,7 +68,9 @@ Upload file for analysis
### polygon-upload-url
***
-Upload URL for analysis
+Upload URL for analysis.
+
+Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.
#### Base Command
diff --git a/Packs/Polygon/ReleaseNotes/1_0_10.md b/Packs/Polygon/ReleaseNotes/1_0_10.md
new file mode 100644
index 000000000000..2ec8af309347
--- /dev/null
+++ b/Packs/Polygon/ReleaseNotes/1_0_10.md
@@ -0,0 +1,6 @@
+
+#### Integrations
+
+##### Group-IB THF Polygon
+
+Documentation and metadata improvements.
diff --git a/Packs/Polygon/pack_metadata.json b/Packs/Polygon/pack_metadata.json
index a22be75f3a14..a1a390d3a2ba 100644
--- a/Packs/Polygon/pack_metadata.json
+++ b/Packs/Polygon/pack_metadata.json
@@ -2,7 +2,7 @@
"name": "Polygon",
"description": "Analyze your files and URLs with Polygon playbooks and extract deep IOCs that appear when malicious code is triggered and executed.",
"support": "partner",
- "currentVersion": "1.0.9",
+ "currentVersion": "1.0.10",
"author": "Group-IB",
"url": "https://thfwiki.group-ib.tech/about/summary/",
"email": "thf@group-ib.com",
diff --git a/Packs/ThreatQ/.pack-ignore b/Packs/ThreatQ/.pack-ignore
index babc48de137e..bb237d136744 100644
--- a/Packs/ThreatQ/.pack-ignore
+++ b/Packs/ThreatQ/.pack-ignore
@@ -1,8 +1,9 @@
-[file:integration-ThreatQ.yml]
-ignore=IN110,IN109
+[file:ThreatQ.yml]
+ignore=IN110,IN109,BA124
[file:ThreatQ_v2.yml]
ignore=BA108,BA109
[known_words]
-ThreatQ
\ No newline at end of file
+ThreatQ
+Q
\ No newline at end of file
diff --git a/Packs/ThreatQ/Integrations/ThreatQ/README.md b/Packs/ThreatQ/Integrations/ThreatQ/README.md
new file mode 100644
index 000000000000..e69de29bb2d1
diff --git a/Packs/ThreatQ/Integrations/ThreatQ/ThreatQ.py b/Packs/ThreatQ/Integrations/ThreatQ/ThreatQ.py
new file mode 100644
index 000000000000..5cb82b68325c
--- /dev/null
+++ b/Packs/ThreatQ/Integrations/ThreatQ/ThreatQ.py
@@ -0,0 +1,330 @@
+import demistomock as demisto # noqa: F401
+from CommonServerPython import * # noqa: F401
+''' IMPORTS '''
+import os
+import datetime
+import requests
+import json
+
+# disable insecure warnings
+requests.packages.urllib3.disable_warnings()
+
+''' GLOBAL VARS '''
+
+API_URL = demisto.params()['apiUrl']
+API_TOKEN_URL = API_URL + "/token"
+CLIENT_ID = demisto.params()['client_id']
+EMAIL = demisto.getParam('credentials').get('identifier')
+PASSWORD = demisto.getParam('credentials').get('password')
+USE_SSL = not demisto.params().get('insecure', False)
+
+
+''' HELPER FUNCTIONS '''
+
+def load_proxy():
+ # Load the system configured proxy if enabled in configuration
+ proxy = {}
+ if 'proxy' in demisto.params():
+ proxy["http"] = os.environ["http_proxy"]
+ proxy["https"] = os.environ["https_proxy"]
+ return proxy
+
+PROXY = load_proxy()
+
+def get_errors_string_from_bad_request(bad_request_results):
+ errors_list = bad_request_results.json().get("errors", [])
+ errors_string = ""
+ error_num = 1
+ if errors_list:
+ errors_string = "Errors from server: \n"
+ for error in errors_list:
+ errors_string += "Error #{0}: {1}\n".format(error_num, error)
+ error_num += 1
+ return errors_string
+
+# ThreatQ auth based on OAuth 2.0 credential grand method
+def tq_access():
+ data = {'grant_type': 'password','email': EMAIL, 'password': PASSWORD, 'client_id': CLIENT_ID}
+ access_token_response = requests.post(API_TOKEN_URL, data=data, verify=False, allow_redirects=False)
+
+ tokens = json.loads(access_token_response.text)
+ if int(access_token_response.status_code) >= 400:
+ errors_string = get_errors_string_from_bad_request(access_token_response)
+ error_message = "Authentication failed, unable to retrieve an access token.\n {}".format(errors_string)
+ return_error(error_message)
+
+ new_integration_context = {
+ "access_token": tokens['access_token'],
+ "access_token_creation_time": int(time.time()) -1, # decrementing one second to be on the safe side
+ "access_token_expires_in": tokens['expires_in']
+ }
+ demisto.setIntegrationContext(new_integration_context)
+ token = tokens['access_token']
+ return token
+
+
+def access_token_not_expired():
+ epoch_time_now = time.time()
+ epoch_time_when_token_granted = demisto.getIntegrationContext().get("access_token_creation_time")
+ token_time_until_expiration = demisto.getIntegrationContext().get("access_token_expires_in")
+ return int(epoch_time_now) - int(epoch_time_when_token_granted) < int(token_time_until_expiration)
+
+
+def get_access_token():
+ existing_access_token = demisto.getIntegrationContext().get("access_token")
+ if existing_access_token and access_token_not_expired():
+ return existing_access_token
+ else:
+ new_access_token = tq_access()
+ return new_access_token
+
+
+# remove html tags from ThreatQ description field
+def cleanhtml(raw_html):
+ cleanr = re.compile('<.*?>')
+ cleantext = re.sub(cleanr, '', raw_html)
+ return cleantext
+
+
+''' Catch-all function for all command '''
+def query_tq(keyword):
+ '''
+ This function handles all the querying of threatq
+ '''
+ tq_url = API_URL + "/search?query=" + keyword
+ access_token = get_access_token()
+ api_call_headers = {'Authorization': 'Bearer ' + access_token}
+ api_call_response = requests.get(tq_url, headers=api_call_headers, verify=False)
+
+ response = json.loads(api_call_response.text)
+
+ # Find ThreatQ object type and object id based on keyword search results
+
+ try:
+ object_type = str(response['data'][0]['object'])
+ object_id = str(response['data'][0]['id']) # get the object id from the query results
+ except Exception, e:
+ results = {'ContentsFormat': formats['markdown'], 'Type': entryTypes['note'], 'Contents': "No results from ThreatQ"}
+ return results
+ results = describe_by_id(object_type,object_id)
+ return results
+
+
+''' FUNCTIONS '''
+
+''' Get ThreatQ object details '''
+def describe_by_id(tq_obj_type,tq_obj_id):
+ md = ''
+
+ # build the ThreatQ query url
+ if tq_obj_type == "indicator":
+ tq_url = API_URL + "/indicators" + "/" + tq_obj_id
+ elif tq_obj_type == "adversary":
+ tq_url = API_URL + "/adversaries" + "/" + tq_obj_id
+ elif tq_obj_type == "event":
+ tq_url = API_URL + "/events" + "/" + tq_obj_id
+ else:
+ tq_url = API_URL + "/" + tq_obj_type + "/" + tq_obj_id
+
+ # get ThreatQ response
+ access_token = get_access_token()
+ api_call_headers = {'Authorization': 'Bearer ' + access_token}
+ api_call_response = requests.get(tq_url, headers=api_call_headers, verify=False)
+ response = json.loads(api_call_response.text)
+
+ if not response or len(response['data']) == 0:
+ return "Found in ThreatQ, but no context"
+
+ description = response['data']['description']
+ name = response['data']['value']
+
+ tq_attributes = None
+ dbot_score = None
+
+ if tq_obj_type == "indicator":
+ result = tq_indicator(name)
+ tq_attributes = result['attributes']
+ dbot_score = result['dbotscore']
+
+
+ # Description in clear text will be sent to War Room
+ if description:
+ clean_desc = cleanhtml(description)
+ else:
+ clean_desc = "No description found in ThreatQ"
+
+ last_update = str(response['data']['updated_at'])
+
+ tq_desc = {
+ 'name': name,
+ 'last_update' : last_update,
+ 'description' : clean_desc,
+ 'is_indicator': str(tq_obj_type == "indicator")
+ }
+
+
+ md += "## TQ Object: " + tq_obj_type + " ID: " + tq_obj_id + "\n"
+ # Build a ThreatQ Response table
+ md += tableToMarkdown('ThreatQ Response',tq_desc)
+
+ if tq_obj_type == "indicator":
+ if not tq_attributes or len(tq_attributes) == 0:
+ md += "Found no attributs"
+ else:
+ md += tableToMarkdown("Attributes", tq_attributes)
+ tq_desc.update(tq_attributes)
+
+ entry2 = {
+ 'Type': entryTypes['note'],
+ 'Contents': tq_desc,
+ 'ContentsFormat': formats['json'],
+ 'ReadableContentsFormat': formats['markdown'],
+ 'HumanReadable': md,
+ 'EntryContext': {'ThreatQ(val.name && val.name == obj.name)': createContext(tq_desc, removeNull=True)},
+ }
+
+ if dbot_score:
+ entry2['EntryContext']['DBotScore(val.Vendor && val.Indicator && val.Vendor == obj.Vendor && val.Indicator == obj.Indicator)'] = createContext(dbot_score, removeNull=True)
+
+ return entry2
+
+def create_dbot_score(ind_name, ind_score):
+
+ return dbot_score
+''' Get ThreatQ indicator's score and attributes '''
+
+def tq_indicator(indicator):
+ '''
+ This function parse all the attributes of an indicator
+ '''
+ tq_url = API_URL + "/indicators/?value=" + indicator + "&with=score,attributes,sources"
+
+ # get ThreatQ response on indicators attributes
+ access_token = get_access_token()
+ api_call_headers = {'Authorization': 'Bearer ' + access_token}
+ api_call_response = requests.get(tq_url, headers=api_call_headers, verify=False)
+ try:
+ response = json.loads(api_call_response.text)
+ except requests.exceptions.RequestException as e:
+ md += '## TQ cound not FIND this indicator\n'
+ exit(1)
+ # check if any attributes
+ attributes = response["data"][0]["attributes"]
+ score = response["data"][0]["score"]
+ sources = response["data"][0]["sources"][0]
+ gen_score = score["generated_score"]
+ manual_score = score["manual_score"]
+ source = sources["name"]
+
+ if not manual_score:
+ manual_score = 0
+
+ ind_score = max(float(gen_score),float(manual_score))
+
+ ''' TBD - ThreatQ score to dbot_score conversion '''
+ if ind_score >= 8 :
+ dbot_score = 3
+ malicious = {
+ 'Vendor' : 'ThreatQ',
+ 'Detections' : 'high risk',
+ }
+ elif 4 < ind_score < 8:
+ dbot_score = 2
+ malicious = {
+ 'Vendor' : 'ThreatQ',
+ 'Detections' : 'mid risk',
+ }
+ elif ind_score <= 2:
+ dbot_score = 1
+ malicious = {
+ 'Vendor' : 'ThreatQ',
+ 'Detections' : 'low risk',
+ }
+
+ dbot_score = {
+ 'Vendor' : 'ThreatQ',
+ 'Indicator' : indicator,
+ 'Type' : 'ip',
+ 'Score' : dbot_score,
+ 'Malicious' : malicious,
+ }
+
+
+ md = ''
+
+ try:
+ length = len(attributes)
+ if length > 0:
+ md += "## TQ found " + str(length) + " attributes\n"
+ else:
+ md += "## TQ found no attributes\n"
+ tq_attr = {
+ 'name' : indicator,
+ 'score' : ind_score
+ }
+
+ for x in range(length):
+ name = str(attributes[x]["name"])
+ value = str(attributes[x]["value"])
+ tq_attr[name] = value
+ md += "Attribute " + name + " is " + value + "\n"
+ tq_attr_context = dict(tq_attr)
+ except:
+ md += '## TQ could not EXTRACT attributes\n'
+ pass
+
+ entry3 = {
+ 'Type': entryTypes['note'],
+ 'Contents': tq_attr_context,
+ 'ContentsFormat': formats['json'],
+ 'ReadableContentsFormat': formats['markdown'],
+ 'HumanReadable': md,
+ 'EntryContext': {'ThreatQ(val.name && val.name == obj.name)': createContext(tq_attr_context, removeNull=True),
+ 'DBotScore(val.Vendor && val.Indicator && val.Vendor == obj.Vendor && val.Indicator == obj.Indicator)' :
+ createContext(dbot_score, removeNull=True),
+ }
+ }
+ # demisto.results(entry3)
+ return {'attributes': tq_attr_context,
+ 'dbotscore': dbot_score }
+
+
+''' EXECUTION CODE '''
+LOG('command is %s' % (demisto.command(), ))
+try:
+ if demisto.command() == 'test-module':
+ token = tq_access()
+ if token:
+ demisto.results('ok')
+ else:
+ demisto.results('test failed')
+ elif demisto.command() == 'tq-search-by-name':
+ args = demisto.args()
+ keyword = demisto.get(args, 'keyword')
+ results = query_tq(keyword)
+ demisto.results(results)
+ elif demisto.command() == 'ip':
+ args = demisto.args()
+ ip = demisto.get(args, 'ip')
+ results = query_tq(ip)
+ demisto.results(results)
+ elif demisto.command() == 'url':
+ args = demisto.args()
+ url = demisto.get(args, 'url')
+ results = query_tq(url)
+ demisto.results(results)
+ elif demisto.command() == 'file':
+ args = demisto.args()
+ file = demisto.get(args, 'file')
+ results = query_tq(file)
+ demisto.results(results)
+
+ elif demisto.command() == 'fetch-incidents':
+ fetch_incidents()
+
+except Exception, e:
+ raise
+ return_error(e)
+
+
+# Params are of the type given in the integration page creation.
diff --git a/Packs/ThreatQ/Integrations/ThreatQ/ThreatQ.yml b/Packs/ThreatQ/Integrations/ThreatQ/ThreatQ.yml
new file mode 100644
index 000000000000..24d9a20529d4
--- /dev/null
+++ b/Packs/ThreatQ/Integrations/ThreatQ/ThreatQ.yml
@@ -0,0 +1,109 @@
+commonfields:
+ id: ThreatQ_Beta
+ version: -1
+name: ThreatQ_Beta
+display: ThreatQ (Deprecated)
+category: Data Enrichment & Threat Intelligence
+description: Deprecated. Use ThreatQ v2 instead. ThreatQ Integration
+configuration:
+- display: TQ API URL E.g. https://192.168.1.136/api
+ name: apiUrl
+ defaultvalue: ''
+ type: 0
+ required: true
+- display: TQ Client ID
+ name: client_id
+ defaultvalue: ''
+ type: 0
+ required: true
+- display: Email
+ name: credentials
+ defaultvalue: ''
+ type: 9
+ required: true
+- display: Trust any certificate (not secure)
+ name: insecure
+ defaultvalue: 'false'
+ type: 8
+ required: false
+- display: Use system proxy settings
+ name: proxy
+ defaultvalue: 'false'
+ type: 8
+ required: false
+script:
+ script: ''
+ type: python
+ subtype: python2
+ commands:
+ - name: tq-search-by-name
+ arguments:
+ - name: keyword
+ required: true
+ default: true
+ description: keyword
+ defaultValue: Naid
+ outputs:
+ - contextPath: ThreatQ.description
+ description: Description
+ description: Search ThreatQ repository by keywords
+ - name: ip
+ arguments:
+ - name: ip
+ required: true
+ description: IP address
+ defaultValue: 8.8.8.8
+ default: true
+ isArray: true
+ outputs:
+ - contextPath: ThreatQ.score
+ description: ThreatQ score
+ - contextPath: ThreatQ.name
+ description: ThreatQ name
+ - contextPath: DBotScore.Vendor
+ description: DBotScore Vendor
+ - contextPath: DBotScore.Malicious
+ description: DBotScore Malicious status
+ description: 'Run ip check against ThreatQ '
+ - name: url
+ arguments:
+ - name: url
+ required: true
+ description: URL or FQDN
+ defaultValue: www.google.com
+ default: true
+ isArray: true
+ outputs:
+ - contextPath: ThreatQ.score
+ description: ThreatQ score
+ - contextPath: ThreatQ.name
+ description: ThreatQ name
+ - contextPath: DBotScore.Vendor
+ description: DBotScore Vendor
+ - contextPath: DBotScore.Malicious
+ description: DBotScore Malicious status
+ description: Run url check against ThreatQ
+ - name: file
+ arguments:
+ - name: file
+ description: File name, MD5 or SHA
+ defaultValue: google.exe
+ default: true
+ isArray: true
+ required: true
+ outputs:
+ - contextPath: ThreatQ.score
+ description: ThreatQ score
+ - contextPath: ThreatQ.name
+ description: ThreatQ name
+ - contextPath: DBotScore.Vendor
+ description: DBotScore Vendor
+ - contextPath: DBotScore.Malicious
+ description: DBotScore Malicious status
+ description: Run file check against ThreatQ
+ dockerimage: demisto/python:2.7.18.24398
+beta: true
+deprecated: true
+tests:
+- No test
+fromversion: 5.0.0
diff --git a/Packs/ThreatQ/Integrations/ThreatQ/ThreatQ_description.md b/Packs/ThreatQ/Integrations/ThreatQ/ThreatQ_description.md
new file mode 100644
index 000000000000..1f06a06c2bbb
--- /dev/null
+++ b/Packs/ThreatQ/Integrations/ThreatQ/ThreatQ_description.md
@@ -0,0 +1,5 @@
+You must have a ThreatQ user account to retrieve an api token. The api token is required for all api requests.
+ThreatQ provides indicator scoring weighting for indicators and their contextual information, such as sources, attributes, and indicator types, as they are added to ThreatQ.
+For detailed information on ThreatQ scoring please refer to https://helpcenter.threatq.com/
+
+Note: This is a beta Integration, which lets you implement and test pre-release software. Since the integration is beta, it might contain bugs. Updates to the integration during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the integration to help us identify issues, fix them, and continually improve.
\ No newline at end of file
diff --git a/Packs/ThreatQ/Integrations/ThreatQ/ThreatQ_image.png b/Packs/ThreatQ/Integrations/ThreatQ/ThreatQ_image.png
new file mode 100644
index 000000000000..d5976cb0586e
Binary files /dev/null and b/Packs/ThreatQ/Integrations/ThreatQ/ThreatQ_image.png differ
diff --git a/Packs/ThreatQ/Integrations/ThreatQ_v2/README.md b/Packs/ThreatQ/Integrations/ThreatQ_v2/README.md
index efe5dd32c413..39bb8f7432f2 100644
--- a/Packs/ThreatQ/Integrations/ThreatQ_v2/README.md
+++ b/Packs/ThreatQ/Integrations/ThreatQ_v2/README.md
@@ -274,6 +274,7 @@
3. Check a URL
Checks the reputation of a URL in ThreatQ.
+Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.
Base Command
url
Input
@@ -721,6 +722,7 @@
6. Check a domain
Checks the reputation of a domain in ThreatQ.
+Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.
Base Command
domain
Input
diff --git a/Packs/ThreatQ/Integrations/ThreatQ_v2/ThreatQ_v2_description.md b/Packs/ThreatQ/Integrations/ThreatQ_v2/ThreatQ_v2_description.md
index d46d83153fcc..75c2da08b66e 100644
--- a/Packs/ThreatQ/Integrations/ThreatQ_v2/ThreatQ_v2_description.md
+++ b/Packs/ThreatQ/Integrations/ThreatQ_v2/ThreatQ_v2_description.md
@@ -2,5 +2,11 @@ You must have a ThreatQ user account to retrieve an api token. The api token is
ThreatQ provides indicator scoring weighting for indicators and their contextual information, such as sources, attributes, and indicator types, as they are added to ThreatQ.
For detailed information on ThreatQ scoring please refer to https://helpcenter.threatq.com/
+Notice: Submitting indicators using the following commands of this integration might make the indicator data publicly available.
+- ***url***
+- ***domain***
+See the vendor’s documentation for more details.
+
+
---
[View Integration Documentation](https://xsoar.pan.dev/docs/reference/integrations/threat-q-v2)
\ No newline at end of file
diff --git a/Packs/ThreatQ/Integrations/integration-ThreatQ.yml b/Packs/ThreatQ/Integrations/integration-ThreatQ.yml
deleted file mode 100644
index a493dcbf015e..000000000000
--- a/Packs/ThreatQ/Integrations/integration-ThreatQ.yml
+++ /dev/null
@@ -1,463 +0,0 @@
-commonfields:
- id: ThreatQ_Beta
- version: -1
-name: ThreatQ_Beta
-display: ThreatQ (Deprecated)
-category: Data Enrichment & Threat Intelligence
-image: data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAHgAAAAyCAYAAACXpx/YAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAA+DSURBVHgB7VoLdFXVmf73PveRhMhDGQQEDRB5BEaQIMkNTL0okkToiFMCFqViV5euMnVNTFBHlzPGLtdqARPAtjrSmWn6boMiKBUC0obSJJdHECkkPGISQpSXPJJAkpt7z9799jn3JueGe7NASbvadb61zj378e+9/7P//e//3/++RDZs2LBhw4YNGzZs2Lg+MLLRJ8jPe66+K8NkA36KCwtX/rS3Ns/nPp/UycTS1atXFdANAicbfYUkkmwTMf0JKeUmklScn5/v7a1BUKMkztjLdAPhIBt9BsnEgaLCwjJoZkOQy9VMOAaocqWpQSZ+Qox5kW3gQj4sND6QpHxX1Rvaz+Qah843WeiwRqigqGjlK3QdsDW4D8EYPZ6f9+xPdA2Ck7LstdUrNqlyXRPvovKSLjoHoXyT0Gi1rvsPIL3WbKg/oUO4fvJfQm4n6EapOtjTgtzc3IHXw4OtwX0JyRsIWiwF9JHYQ3l5z+UK0VksJZsCKR5gzJkrQMYl865Zs+ZSXt6zDcopKoTWh7vIzX2+TAMdkpPNEmcSfg7QNcLW4D6EJLGzsHDV2sLVK5die4Udll4i98BQZTM0vAHPAUnyiWjtIfClnEP7OdVLRoaDpmniujTYFnBfQsiB0MAkPF7O6F7G+MU1a1Y0QNgQrJRFRauKhQhsdApeZm2mbLR6Q9O9ahGoRYL3APoCsAXch2Ccr9a4rDe0UMoGXfifUeVCsFnYmufDmZIad9UHGeWa5YGNSvhwyOrzn3l+DZf6Rmj6FEVHgt1NNv6+AIcpKZrTpMot6YHX61jZsGHjHwV2qDIGkpOz3SNGtOtlZWVB+pJIfXKfs2rdtEDP8ruWl/ZzBy6mcAfPYJJNx2FqKhyxZES+TsL2vk/O4Grfiq830JeALWALxkzNTHa56DnG2b3I3oSJxumENUkp3g9I7fXa3VtarqWfu18o+ae4APsW/GAPDsDj4DhpCGvVQIAnDALJhmDmxyE1FM+QWP1AOH4wsB8OVpVgYuf5zs5tA/xX2qvWPRWga0RUAU/KyB4DF39krEZBTv6hro695zqcaYw057k2sffMwW1XrDQp6Q+mcRLxgsmD1ZWlF8ZkzBkSL3iKlUaQaD/fRod6th3rmTfeJYNDo40thNSr95TuCueTvN64xI649C4CjV8+VP7BPpWcmP7ADMUfxQB4awJvtQa/nszvYDq+j2Q/Q7CMXYYk4lBmtJeSqmqy0qdTQYGI1Z/XW+AIpE56UZBcjuxNdKMh6VcQeF2g1f29qnX/2matmp73m3l7ih7Z3LNJ1EiWkGItQmlzKQY4Md+ZK+5vMQf7E1Znxy39Wm87Q9QlJK/X6zjTKXYKSS6hB8ej6IJbZ3MFp//v2dMt/Uje4skqrK7c+mwXUzJQLBhLizq4xqrxOzGcTfDHL4ag/i+cl3pQ3eKMTknJvBlSUvzFhGR8GV61EO5iCPIHBkdM/pKzhLyDFe+eHeHJie/PWpaB8DWcQ1MnbKt8tIbo59H6yskp0U7eztaxGEGLGwJGi6GRTa5Ev4bcixFVjGXjdW0CBhDspmKjoZTzEWZDIJzegzwuGLVB6WMOnmaEvxl9VF1RecHa+FSbc4qmkRvJuqEJet0RVchpaqj6Izz7jZSU48DZTKSWQ9s2HvZtL0+558GhCO9NIrPzjWCg2do3NLiiK5OTo1FT61PmF8qPIYjJsGGGTHk8HwTBF5vDUBImxounDRpQ0jUpGu3EbnEbycAbxl4madOhytIl5tiYycr17XgVTvBkLsVWPYkJ9jWKIeCmkfJF0PSdcLsxArw+PeO5jT8sXzn/s4KCAl7anDIa5fdEI44qYGxbT6t3Soo3UQ6IW6DSXLqePFTx3pkwTUp61utqUrCZ7e7ZnmvaLCPB2CdhJwW73jSsMrVg3jjsK/3fECmbkJ5ZjfLxghxfRb6cO4LTBPF+SJ+YOCIxZ/369TrFwPjGlvlQOTgndBjCzUfRh3gM+kNVWz7By5jwcenZj2pMerF17qupKI0QwgRP1s/AJ6JEMsBlQC2WaEqvtvFJWOi3ReMjI7fEgx2n4K/o0CTqevAdT17Jqa2tbBd8hkUIdx6LRtjrZYMYEJ/KSSbik08f2t0tXAOMZpoJ/aOrGkqabVp3U9uU/SWpTTaWA+nlVkrO2TFo2HgS+mCjN9AhjKdqdvUmXAWuIQIklS1na0kPOLjmUNp6lYDQ37+YLDPr2JScltYfhTmqBdoVH9r9+zNRB5KqqepHRLW/CEd9H1vzXzUqiPHSYYKCmKoZ0Joh0MD/iUbXK1P4oOxQco+1fNyMB4bjNUWlA0yLmDS1bUJRPWYHcod6xRO7BwzFYxIbB8cFj1vJUTba5IQfNseUhu3FTvtn6gUp0zKnQ2tnooP64NnjP+NOhzs0priKH5L3GmMxOmitcvGB8zBBcUYz6rbjdNU8sMRQ6kLPuoz/+O1X0PNX6G8AphSUwQuX9GmgOa4kGk2vGoyz2eRQYru1XNNRbqxpCrpIFqRkZHW3+fRyvDQ8SBloES2GNysEn2xcmBHtsp4rUzIyHwJzk4yMdGxOTU11wujNMLJCZKV4skZ3dSz4lurdH2zqyjvlS4ZYGHuztrbWP2HwmDjDBMCAW3kdf7J1JIrHKH6wHCt7fOHDoXfrkLjOqmqKNRHq3xmKKVnfswoX9Q/+rc+aWLgbenrVYTh6ayYpa7KaMhmkP0RUMT6lq72kxyJade2Q7FhTZWW7UcblDGYW3zwhfc63lRuOxTMBG/a3Td9Grq3Zvfk4vNnpisZszpQdnxXuF5fmH4bTKZ5sBN7lV9HlpwHB3jJZYi5zaBmxRUOh70SlE5/xcU3F7xu7+ATZxIzsUQYNTEmsgMZETyYCD2qBqBlhVT3r8SH39Hk4QcojGOgOUpthFID/frGaxtyix6U99M8Q7jC18icl9T8SLs/JyVGzNjuUxbmRTY18qNTkSf5RvdWRCUZyRoiTbHi5P2KS/wiZ7zAVACD25q1u/3Kzno01P4h8OGLNsj7apRPvhfoDnTCcQCyaHydoca13ZTyMpDStPrEIu824ZvgK8ID3kMWBuu+++7C45fDQBO4Ll3sLIteyzth93ZMld1rrcDRS3/SFrvGuB1hYP8aOthR8qkBJTx8DcRhzrqMhpgZz6phpfBLOvFZnp7qp5WbMZKoaRdf1d47u2d7lZMFlp5JS33hjVOJb1Ptzv2u6usuEwHHBLV81OeJzUebF7Hy3unLLy9VdnNJsUxfkjiO+0rJofH0uXCPxxUtC2QeCss3YTRjxYea3y2D3lystffB+I831fdZ+Ll6E8xhvaoTkojZcrl+6MCynpOTU+oULjcV0rpO+FprR2sOhoEgYR8cEBvXrdA23KjDG3IZvu9K9/V832sH2BswV2jPFH7qjQuHQ5vpWLUjKyP/FHUK6n8F5/UnsgK24RyzyrV4U89+asZ0szlLVC+r/obVYSu1OCH2AOnDrF+ojHKHijWXqWut2ldb9l30GPeNjzX5YeXXlttfUg9I3jTqSs2VoR3U43LgTJ9MZokhnKAy1e4gAf4nMhamMegZ6fsh8Qs5Z6Jik4DW0VKSF+qyw9tWmqT6YFvomLVwe4Hpm3e6g4dGf7ozzgL05Jg29EcFLQQlBuM9gwGGh/uvwvKY5XAsCVy49AuaaIueNcNcrD5P5waZFV7e8RJ8h91kXHdawr3DBEsYco6RO/wnxthoVQjyiXhWFj53wFeXk6lqnmtckX9GiFdQLomqw291frcnpZi7yaCERhAgt2D3KubHWJfSL9yAMpsztp8c/2nVOfQEcsFnKjgspu87LPKD7pMvRBlN896xZ9ysegslT70+GZ3U7SDuD0l95lzc7wrDdjIV9sO7cYM0V9xhmoRN2/d8wCS3dE6g/goGXYVV3CfhMhzYBY6ituLGmYttha39xAVc7PEQVfbsJAyV7vUuprKxY6UvAJRwvpT75Vm7Hnzc8IE31rO1sE7+0tj/RLqZoTPt3c2y5KeCkx6tWLDSCMp78t7+H0hGWWdvcRGxx/0bS+ydpOFGIMfD1L5NDq/Ffcp5wxPuTuQOBGjLU9bwy7M0Fv700oIXNkOYRTjgY32Edf/fKxyIWUCxEFfDo1Jm3M6kjykT+Dh55rMHY2crcIWhw1R+/cEzMNCaEyT+p/KRJC12sPzOOEDizfhymO1z14UkIHkF8OfZ0h0vZyDLOg2PUXyBUvZPHlQX9kabmlHR+Q3M6sG3JBOwub9dUbP2dtR7OUKpxXOXUtUVz5vQaPpc0wpsRHR5E/Bs81KF0KHapb57pPLs1OTt7JxPyPBo+yvslvo5I2AY4g0sFtOeTg9vOWtvzIN+AlzJXx6+c8z968OdLukK16C+nezD567j91d9o+kNBmK/y0BPBDhbFr0C7GBPryn76A7p4uTkDwR8c46RamMXlhTm9/mk+FqJu0dAGOEVMecjH6nZtPxlZaThMylmuvLolm0aG1246WsGBraNApy4t2nUm9kYMIeR+k1Zmmt0aC0HNiwruj4p85Cge6KjDwnmcDJPJ/5uiQ20fQcsos8l0q/dGpRbiVeVEYuwh8LbLnGfFVCkdypEZrGnOb94654VDUjgyj+zeFuE9p75lmHPjFgg703KrcBX8FJiHxbvOmBEsoJaxw91S9hYVVwtGvGAEaRhLuuDyp2J3wtlbIj7P0nxFC4voCyKqgIe6/SVt7o6EIe6OqcSYlTPW5vaPUnU1vq07era74u6YreoWzvEYq+1oefrxtriORGpuHHi0fPtnVtpb4/xLFC1rOfmy0XFL/5dVPvrjT6ipGnoW6ZGd51j8Id/vanqOfdjt/6Gilc2NmeEy5BepskVZ6QXRvrPat20LtHMeVkUFVlq7dNH40wNbjLMuNDe3+fPTw9XxzdpGOZLa0cZx2CtwTSL3wx6+37PfqsLFR2Sw07g8gQc8y5U4aNN/vfJqr0El6XTcaRzj0cItO85WrsrZrARbWZTTTl8C9n1wCBNSs4ZJLdB5ZM+O8578ktOYmlvxrKssXPCUle6OvJIEuM371X0utHIZhPBmtP7M2yX6AdTDi+ygIOnT9xZ9/WSs8T3L18MBoxQ8JyoKFySpoM2NgP3H9xBqqraeCqehSMewVyp7/A5R6J4phOGMfoGXuqxH8CWamTKxfv1C5ewto2sEtudfY6DvYjT36Fd+qsKnHXQDYAs4CpjmnFuxcn5r9Nr4F6XedpQ0niBE8Jo82WuBrzDn1bRn397PdLF4eKPurL9BArZhw4YNGzZs2LBhw4YNGzZs2LBhw4YNGzZs2PhS+AuFFJapmkImHgAAAABJRU5ErkJggg==
-description: Deprecated. Use ThreatQ v2 instead. ThreatQ Integration
-detaileddescription: "You must have a ThreatQ user account to retrieve an api token. The api token is required for all api requests. \nThreatQ provides indicator scoring weighting for indicators and their contextual information, such as sources, attributes, and indicator types, as they are added to ThreatQ.\nFor detailed information on ThreatQ scoring please refer to https://helpcenter.threatq.com/\n\nNote: This is a beta Integration, which lets you implement and test pre-release software. Since the integration is beta, it might contain bugs. Updates to the integration during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the integration to help us identify issues, fix them, and continually improve."
-configuration:
-- display: TQ API URL E.g. https://192.168.1.136/api
- name: apiUrl
- defaultvalue: ''
- type: 0
- required: true
-- display: TQ Client ID
- name: client_id
- defaultvalue: ''
- type: 0
- required: true
-- display: Email
- name: credentials
- defaultvalue: ''
- type: 9
- required: true
-- display: Trust any certificate (not secure)
- name: insecure
- defaultvalue: 'false'
- type: 8
- required: false
-- display: Use system proxy settings
- name: proxy
- defaultvalue: 'false'
- type: 8
- required: false
-script:
- script: >-
- ''' IMPORTS '''
-
- import os
-
- import datetime
-
- import requests
-
- import json
-
-
- # disable insecure warnings
-
- requests.packages.urllib3.disable_warnings()
-
-
- ''' GLOBAL VARS '''
-
-
- API_URL = demisto.params()['apiUrl']
-
- API_TOKEN_URL = API_URL + "/token"
-
- CLIENT_ID = demisto.params()['client_id']
-
- EMAIL = demisto.getParam('credentials').get('identifier')
-
- PASSWORD = demisto.getParam('credentials').get('password')
-
- USE_SSL = not demisto.params().get('insecure', False)
-
-
-
- ''' HELPER FUNCTIONS '''
-
-
- def load_proxy():
- # Load the system configured proxy if enabled in configuration
- proxy = {}
- if 'proxy' in demisto.params():
- proxy["http"] = os.environ["http_proxy"]
- proxy["https"] = os.environ["https_proxy"]
- return proxy
-
- PROXY = load_proxy()
-
-
- def get_errors_string_from_bad_request(bad_request_results):
- errors_list = bad_request_results.json().get("errors", [])
- errors_string = ""
- error_num = 1
- if errors_list:
- errors_string = "Errors from server: \n"
- for error in errors_list:
- errors_string += "Error #{0}: {1}\n".format(error_num, error)
- error_num += 1
- return errors_string
-
- # ThreatQ auth based on OAuth 2.0 credential grand method
-
- def tq_access():
- data = {'grant_type': 'password','email': EMAIL, 'password': PASSWORD, 'client_id': CLIENT_ID}
- access_token_response = requests.post(API_TOKEN_URL, data=data, verify=False, allow_redirects=False)
-
- tokens = json.loads(access_token_response.text)
- if int(access_token_response.status_code) >= 400:
- errors_string = get_errors_string_from_bad_request(access_token_response)
- error_message = "Authentication failed, unable to retrieve an access token.\n {}".format(errors_string)
- return_error(error_message)
-
- new_integration_context = {
- "access_token": tokens['access_token'],
- "access_token_creation_time": int(time.time()) -1, # decrementing one second to be on the safe side
- "access_token_expires_in": tokens['expires_in']
- }
- demisto.setIntegrationContext(new_integration_context)
- token = tokens['access_token']
- return token
-
-
- def access_token_not_expired():
- epoch_time_now = time.time()
- epoch_time_when_token_granted = demisto.getIntegrationContext().get("access_token_creation_time")
- token_time_until_expiration = demisto.getIntegrationContext().get("access_token_expires_in")
- return int(epoch_time_now) - int(epoch_time_when_token_granted) < int(token_time_until_expiration)
-
-
- def get_access_token():
- existing_access_token = demisto.getIntegrationContext().get("access_token")
- if existing_access_token and access_token_not_expired():
- return existing_access_token
- else:
- new_access_token = tq_access()
- return new_access_token
-
-
- # remove html tags from ThreatQ description field
-
- def cleanhtml(raw_html):
- cleanr = re.compile('<.*?>')
- cleantext = re.sub(cleanr, '', raw_html)
- return cleantext
-
-
- ''' Catch-all function for all command '''
-
- def query_tq(keyword):
- '''
- This function handles all the querying of threatq
- '''
- tq_url = API_URL + "/search?query=" + keyword
- access_token = get_access_token()
- api_call_headers = {'Authorization': 'Bearer ' + access_token}
- api_call_response = requests.get(tq_url, headers=api_call_headers, verify=False)
-
- response = json.loads(api_call_response.text)
-
- # Find ThreatQ object type and object id based on keyword search results
-
- try:
- object_type = str(response['data'][0]['object'])
- object_id = str(response['data'][0]['id']) # get the object id from the query results
- except Exception, e:
- results = {'ContentsFormat': formats['markdown'], 'Type': entryTypes['note'], 'Contents': "No results from ThreatQ"}
- return results
- results = describe_by_id(object_type,object_id)
- return results
-
-
- ''' FUNCTIONS '''
-
-
- ''' Get ThreatQ object details '''
-
- def describe_by_id(tq_obj_type,tq_obj_id):
- md = ''
-
- # build the ThreatQ query url
- if tq_obj_type == "indicator":
- tq_url = API_URL + "/indicators" + "/" + tq_obj_id
- elif tq_obj_type == "adversary":
- tq_url = API_URL + "/adversaries" + "/" + tq_obj_id
- elif tq_obj_type == "event":
- tq_url = API_URL + "/events" + "/" + tq_obj_id
- else:
- tq_url = API_URL + "/" + tq_obj_type + "/" + tq_obj_id
-
- # get ThreatQ response
- access_token = get_access_token()
- api_call_headers = {'Authorization': 'Bearer ' + access_token}
- api_call_response = requests.get(tq_url, headers=api_call_headers, verify=False)
- response = json.loads(api_call_response.text)
-
- if not response or len(response['data']) == 0:
- return "Found in ThreatQ, but no context"
-
- description = response['data']['description']
- name = response['data']['value']
-
- tq_attributes = None
- dbot_score = None
-
- if tq_obj_type == "indicator":
- result = tq_indicator(name)
- tq_attributes = result['attributes']
- dbot_score = result['dbotscore']
-
-
- # Description in clear text will be sent to War Room
- if description:
- clean_desc = cleanhtml(description)
- else:
- clean_desc = "No description found in ThreatQ"
-
- last_update = str(response['data']['updated_at'])
-
- tq_desc = {
- 'name': name,
- 'last_update' : last_update,
- 'description' : clean_desc,
- 'is_indicator': str(tq_obj_type == "indicator")
- }
-
-
- md += "## TQ Object: " + tq_obj_type + " ID: " + tq_obj_id + "\n"
- # Build a ThreatQ Response table
- md += tableToMarkdown('ThreatQ Response',tq_desc)
-
- if tq_obj_type == "indicator":
- if not tq_attributes or len(tq_attributes) == 0:
- md += "Found no attributs"
- else:
- md += tableToMarkdown("Attributes", tq_attributes)
- tq_desc.update(tq_attributes)
-
- entry2 = {
- 'Type': entryTypes['note'],
- 'Contents': tq_desc,
- 'ContentsFormat': formats['json'],
- 'ReadableContentsFormat': formats['markdown'],
- 'HumanReadable': md,
- 'EntryContext': {'ThreatQ(val.name && val.name == obj.name)': createContext(tq_desc, removeNull=True)},
- }
-
- if dbot_score:
- entry2['EntryContext']['DBotScore(val.Vendor && val.Indicator && val.Vendor == obj.Vendor && val.Indicator == obj.Indicator)'] = createContext(dbot_score, removeNull=True)
-
- return entry2
-
- def create_dbot_score(ind_name, ind_score):
-
- return dbot_score
- ''' Get ThreatQ indicator's score and attributes '''
-
-
- def tq_indicator(indicator):
- '''
- This function parse all the attributes of an indicator
- '''
- tq_url = API_URL + "/indicators/?value=" + indicator + "&with=score,attributes,sources"
-
- # get ThreatQ response on indicators attributes
- access_token = get_access_token()
- api_call_headers = {'Authorization': 'Bearer ' + access_token}
- api_call_response = requests.get(tq_url, headers=api_call_headers, verify=False)
- try:
- response = json.loads(api_call_response.text)
- except requests.exceptions.RequestException as e:
- md += '## TQ cound not FIND this indicator\n'
- exit(1)
- # check if any attributes
- attributes = response["data"][0]["attributes"]
- score = response["data"][0]["score"]
- sources = response["data"][0]["sources"][0]
- gen_score = score["generated_score"]
- manual_score = score["manual_score"]
- source = sources["name"]
-
- if not manual_score:
- manual_score = 0
-
- ind_score = max(float(gen_score),float(manual_score))
-
- ''' TBD - ThreatQ score to dbot_score conversion '''
- if ind_score >= 8 :
- dbot_score = 3
- malicious = {
- 'Vendor' : 'ThreatQ',
- 'Detections' : 'high risk',
- }
- elif 4 < ind_score < 8:
- dbot_score = 2
- malicious = {
- 'Vendor' : 'ThreatQ',
- 'Detections' : 'mid risk',
- }
- elif ind_score <= 2:
- dbot_score = 1
- malicious = {
- 'Vendor' : 'ThreatQ',
- 'Detections' : 'low risk',
- }
-
- dbot_score = {
- 'Vendor' : 'ThreatQ',
- 'Indicator' : indicator,
- 'Type' : 'ip',
- 'Score' : dbot_score,
- 'Malicious' : malicious,
- }
-
-
- md = ''
-
- try:
- length = len(attributes)
- if length > 0:
- md += "## TQ found " + str(length) + " attributes\n"
- else:
- md += "## TQ found no attributes\n"
- tq_attr = {
- 'name' : indicator,
- 'score' : ind_score
- }
-
- for x in range(length):
- name = str(attributes[x]["name"])
- value = str(attributes[x]["value"])
- tq_attr[name] = value
- md += "Attribute " + name + " is " + value + "\n"
- tq_attr_context = dict(tq_attr)
- except:
- md += '## TQ could not EXTRACT attributes\n'
- pass
-
- entry3 = {
- 'Type': entryTypes['note'],
- 'Contents': tq_attr_context,
- 'ContentsFormat': formats['json'],
- 'ReadableContentsFormat': formats['markdown'],
- 'HumanReadable': md,
- 'EntryContext': {'ThreatQ(val.name && val.name == obj.name)': createContext(tq_attr_context, removeNull=True),
- 'DBotScore(val.Vendor && val.Indicator && val.Vendor == obj.Vendor && val.Indicator == obj.Indicator)' :
- createContext(dbot_score, removeNull=True),
- }
- }
- # demisto.results(entry3)
- return {'attributes': tq_attr_context,
- 'dbotscore': dbot_score }
-
-
- ''' EXECUTION CODE '''
-
- LOG('command is %s' % (demisto.command(), ))
-
- try:
- if demisto.command() == 'test-module':
- token = tq_access()
- if token:
- demisto.results('ok')
- else:
- demisto.results('test failed')
- elif demisto.command() == 'tq-search-by-name':
- args = demisto.args()
- keyword = demisto.get(args, 'keyword')
- results = query_tq(keyword)
- demisto.results(results)
- elif demisto.command() == 'ip':
- args = demisto.args()
- ip = demisto.get(args, 'ip')
- results = query_tq(ip)
- demisto.results(results)
- elif demisto.command() == 'url':
- args = demisto.args()
- url = demisto.get(args, 'url')
- results = query_tq(url)
- demisto.results(results)
- elif demisto.command() == 'file':
- args = demisto.args()
- file = demisto.get(args, 'file')
- results = query_tq(file)
- demisto.results(results)
-
- elif demisto.command() == 'fetch-incidents':
- fetch_incidents()
-
- except Exception, e:
- raise
- return_error(e)
-
-
- # Params are of the type given in the integration page creation.
- type: python
- subtype: python2
- commands:
- - name: tq-search-by-name
- arguments:
- - name: keyword
- required: true
- default: true
- description: keyword
- defaultValue: Naid
- outputs:
- - contextPath: ThreatQ.description
- description: Description
- description: Search ThreatQ repository by keywords
- - name: ip
- arguments:
- - name: ip
- required: true
- description: IP address
- defaultValue: 8.8.8.8
- default: true
- isArray: true
- outputs:
- - contextPath: ThreatQ.score
- description: ThreatQ score
- - contextPath: ThreatQ.name
- description: ThreatQ name
- - contextPath: DBotScore.Vendor
- description: DBotScore Vendor
- - contextPath: DBotScore.Malicious
- description: DBotScore Malicious status
- description: 'Run ip check against ThreatQ '
- - name: url
- arguments:
- - name: url
- required: true
- description: URL or FQDN
- defaultValue: www.google.com
- default: true
- isArray: true
- outputs:
- - contextPath: ThreatQ.score
- description: ThreatQ score
- - contextPath: ThreatQ.name
- description: ThreatQ name
- - contextPath: DBotScore.Vendor
- description: DBotScore Vendor
- - contextPath: DBotScore.Malicious
- description: DBotScore Malicious status
- description: Run url check against ThreatQ
- - name: file
- arguments:
- - name: file
- description: File name, MD5 or SHA
- defaultValue: google.exe
- default: true
- isArray: true
- required: true
- outputs:
- - contextPath: ThreatQ.score
- description: ThreatQ score
- - contextPath: ThreatQ.name
- description: ThreatQ name
- - contextPath: DBotScore.Vendor
- description: DBotScore Vendor
- - contextPath: DBotScore.Malicious
- description: DBotScore Malicious status
- description: Run file check against ThreatQ
- dockerimage: demisto/python:2.7.18.24398
-beta: true
-deprecated: true
-tests:
-- No test
-fromversion: 5.0.0
diff --git a/Packs/ThreatQ/ReleaseNotes/1_0_25.md b/Packs/ThreatQ/ReleaseNotes/1_0_25.md
new file mode 100644
index 000000000000..9b75e371e086
--- /dev/null
+++ b/Packs/ThreatQ/ReleaseNotes/1_0_25.md
@@ -0,0 +1,10 @@
+
+#### Integrations
+
+##### ThreatQ v2
+
+Documentation and metadata improvements.
+
+##### ThreatQ (Deprecated)
+
+Documentation and metadata improvements.
diff --git a/Packs/ThreatQ/pack_metadata.json b/Packs/ThreatQ/pack_metadata.json
index f55c9b7a8653..dd7e74f61368 100644
--- a/Packs/ThreatQ/pack_metadata.json
+++ b/Packs/ThreatQ/pack_metadata.json
@@ -2,7 +2,7 @@
"name": "ThreatQ",
"description": "Platform for collecting and interpreting intelligence data from open sources and managing indicator scores, types, and attributes.",
"support": "xsoar",
- "currentVersion": "1.0.24",
+ "currentVersion": "1.0.25",
"author": "Cortex XSOAR",
"url": "https://www.paloaltonetworks.com/cortex",
"email": "",
diff --git a/Packs/Twinwave/Integrations/Twinwave/README.md b/Packs/Twinwave/Integrations/Twinwave/README.md
index 0b0ddeb031ba..d07e8a17c5fe 100644
--- a/Packs/Twinwave/Integrations/Twinwave/README.md
+++ b/Packs/Twinwave/Integrations/Twinwave/README.md
@@ -26,7 +26,9 @@ You can execute these commands from the Cortex XSOAR CLI, as part of an automati
After you successfully execute a command, a DBot message appears in the War Room with the command details.
### twinwave-submit-url
***
-Submit New URL for Scanning
+Submit New URL for Scanning.
+
+Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.
#### Base Command
@@ -52,7 +54,9 @@ Submit New URL for Scanning
### twinwave-submit-file
***
-Submit File for Scanning
+Submit File for Scanning.
+
+Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.
#### Base Command
diff --git a/Packs/Twinwave/Integrations/Twinwave/Twinwave_description.md b/Packs/Twinwave/Integrations/Twinwave/Twinwave_description.md
new file mode 100644
index 000000000000..772bc20bc819
--- /dev/null
+++ b/Packs/Twinwave/Integrations/Twinwave/Twinwave_description.md
@@ -0,0 +1,4 @@
+Notice: Submitting indicators using the following commands of this integration might make the indicator data publicly available.
+- ***twinwave-submit-url***
+- ***twinwave-submit-file***
+See the vendor’s documentation for more details.
\ No newline at end of file
diff --git a/Packs/Twinwave/ReleaseNotes/1_0_8.md b/Packs/Twinwave/ReleaseNotes/1_0_8.md
new file mode 100644
index 000000000000..25eb89851eff
--- /dev/null
+++ b/Packs/Twinwave/ReleaseNotes/1_0_8.md
@@ -0,0 +1,6 @@
+
+#### Integrations
+
+##### Twinwave
+
+Documentation and metadata improvements.
diff --git a/Packs/Twinwave/pack_metadata.json b/Packs/Twinwave/pack_metadata.json
index 3f9168347847..fccd19237bfd 100644
--- a/Packs/Twinwave/pack_metadata.json
+++ b/Packs/Twinwave/pack_metadata.json
@@ -3,7 +3,7 @@
"description": "TwinWave's threat analysis platform analyzes both URLs and files to detect credential phishing and malware threats. Our platform automatically navigates complex attack chains that attackers put in front of threats in order to evade analysis. In addition to detecting threats, the TwinWave platform generates actionable intelligence for threat hunting and other activities.",
"support": "partner",
"certification": "certified",
- "currentVersion": "1.0.7",
+ "currentVersion": "1.0.8",
"author": "Twinwave",
"url": "",
"email": "support@twinwave.io",
diff --git a/Packs/isight/Integrations/FireEyeISIGHT/FireEyeISIGHT_description.md b/Packs/isight/Integrations/FireEyeISIGHT/FireEyeISIGHT_description.md
index 41a5c9776f03..7360bf43ca9b 100644
--- a/Packs/isight/Integrations/FireEyeISIGHT/FireEyeISIGHT_description.md
+++ b/Packs/isight/Integrations/FireEyeISIGHT/FireEyeISIGHT_description.md
@@ -1,3 +1,5 @@
## FireEye iSIGHT
FireEye iSIGHT is a cybersecurity intelligence platform that provides organizations with comprehensive threat intelligence and analysis.
It offers real-time monitoring and detection of emerging cyber threats, allowing businesses to proactively defend against attacks.
+
+Notice: Submitting indicators using the ***domain*** command of this integration might make the indicator data publicly available. See the vendor’s documentation for more details.
diff --git a/Packs/isight/Integrations/FireEyeISIGHT/README.md b/Packs/isight/Integrations/FireEyeISIGHT/README.md
index fe6548839d98..86a0831ed6dd 100644
--- a/Packs/isight/Integrations/FireEyeISIGHT/README.md
+++ b/Packs/isight/Integrations/FireEyeISIGHT/README.md
@@ -30,7 +30,9 @@ basic search reports by ip
### domain
***
-basic search reports by domain
+basic search reports by domain.
+
+Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.
#### Base Command
diff --git a/Packs/isight/ReleaseNotes/1_0_4.md b/Packs/isight/ReleaseNotes/1_0_4.md
new file mode 100644
index 000000000000..38cbd2672fb2
--- /dev/null
+++ b/Packs/isight/ReleaseNotes/1_0_4.md
@@ -0,0 +1,6 @@
+
+#### Integrations
+
+##### FireEye iSIGHT
+
+Documentation and metadata improvements.
diff --git a/Packs/isight/pack_metadata.json b/Packs/isight/pack_metadata.json
index 05835486babb..1ae8cdbf07c3 100644
--- a/Packs/isight/pack_metadata.json
+++ b/Packs/isight/pack_metadata.json
@@ -2,7 +2,7 @@
"name": "FireEye iSIGHT",
"description": "FireEye cyber threat intelligence",
"support": "xsoar",
- "currentVersion": "1.0.3",
+ "currentVersion": "1.0.4",
"author": "Cortex XSOAR",
"url": "https://www.paloaltonetworks.com/cortex",
"email": "",