Cofense Triage Release 2.1.13

Packs/CofenseTriage/.pack-ignore

@@ -9,4 +9,7 @@ ignore=RM102
 ignore=IM111
 
 [file:CofenseTriage_image.png]
-ignore=IM111
+ignore=IM111
+
+[known_words]
+Cofense

Packs/CofenseTriage/Integrations/CofenseTriagev3/CofenseTriagev3.py

@@ -34,7 +34,8 @@
     "ATTACHMENT_PAYLOAD": "api/public/v2/attachment_payloads",
     "COMMENTS": "api/public/v2/comments/",
     "REPORT_ID": "api/public/v2/reports/{}",
-    "CLUSTER": "api/public/v2/clusters"
+    "CLUSTER": "api/public/v2/clusters",
+    "REPORT_ATTACHMENT_PAYLOAD": "/api/public/v2/reports/{}/attachment_payloads"
 }
 
 OUTPUT_PREFIX = {
@@ -1350,6 +1351,54 @@ def cofense_report_image_download_command(client: Client, args: Dict[str, str])
     return fileResult(filename, data=raw_response, file_type=entryTypes["image"])
 
 
+def cofense_report_attachment_payload_list_command(client: Client, args: Dict[str, str]) -> CommandResults:
+    """
+    Retrieves report attachment payloads based on the filter values provided in the command arguments.
+    Attachment payloads identify the MIME type and MD5 and SHA256 hash signatures of a reported email attachment.
+
+    :type client: ``Client``
+    :param client: Client object to be used.
+
+    :type args: ``Dict[str, str]``
+    :param args: The command arguments provided by the user.
+
+    :return: Standard command result.
+    :rtype: ``CommandResults``
+    """
+    params = validate_list_attachment_payload_args(args)
+    report_id = args.get("id")
+    # Validation for empty report_id
+    if not report_id:
+        raise ValueError(MESSAGES["REQUIRED_ARGUMENT"].format("id"))
+    # Appending the report id to the url_suffix
+    url_suffix = URL_SUFFIX["REPORT_ATTACHMENT_PAYLOAD"].format(report_id)
+
+    # Sending http request
+    response = client.http_request(url_suffix, params=params)
+
+    result = response.get("data")
+
+    # Returning if data is empty or not present
+    if not result:
+        return CommandResults(readable_output=MESSAGES["NO_RECORDS_FOUND"].format("attachment payloads"))
+
+    if isinstance(result, dict):
+        result = [result]
+
+    # Creating the Human Readable
+    hr_response = prepare_hr_for_attachment_payloads(result)
+
+    # Creating the Context data
+    context_data = remove_empty_elements(result)
+
+    return CommandResults(outputs_prefix=OUTPUT_PREFIX["ATTACHMENT_PAYLOAD"],
+                          outputs_key_field="id",
+                          outputs=context_data,
+                          readable_output=hr_response,
+                          raw_response=response
+                          )
+
+
 def fetch_incidents(client: Client, last_run: dict, params: Dict) -> Tuple[dict, list]:
     """Fetches incidents from Cofense API.
 
@@ -1983,7 +2032,8 @@ def main() -> None:
         'cofense-comment-list': cofense_comment_list_command,
         'cofense-cluster-list': cofense_cluster_list_command,
         'cofense-threat-indicator-update': cofense_threat_indicator_update_command,
-        'cofense-report-image-download': cofense_report_image_download_command
+        'cofense-report-image-download': cofense_report_image_download_command,
+        'cofense-report-attachment-payload-list': cofense_report_attachment_payload_list_command
     }
     command = demisto.command()
     demisto.debug(f'[CofenseTriagev3] Command being called is {command}')

Packs/CofenseTriage/Integrations/CofenseTriagev3/CofenseTriagev3.yml

@@ -17,12 +17,14 @@ configuration:
 - additionalinfo: The maximum limit is 200.
   defaultvalue: '15'
   display: Maximum number of incidents per fetch
+  hidden: false
   name: max_fetch
   required: false
   type: 0
 - additionalinfo: 'Date or relative timestamp to start fetching incidents from. (Formats accepted: 2 minutes, 2 hours, 2 days, 2 weeks, 2 months, 2 years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ, etc)'
   defaultvalue: 3 days
   display: First fetch time interval
+  hidden: false
   name: first_fetch
   required: false
   type: 0
@@ -64,6 +66,7 @@ configuration:
     Supports comma separated values.
     Note: Categorization tags are associated with the reports which are processed.
   display: Categorization Tags
+  hidden: false
   name: categorization_tags
   required: false
   type: 0
@@ -83,14 +86,17 @@ configuration:
     Format accepted: {"attribute1_operator": "value1, value2", "attribute2_operator" : "value3, value4"}
     For example: {"updated_at_gt":"2020-10-26T10:48:16.834Z","categorization_tags_any":"test, snow"}
   display: Advanced Filters
+  hidden: false
   name: filter_by
   required: false
   type: 12
 - display: Use system proxy settings
+  hidden: false
   name: proxy
   required: false
   type: 8
 - display: Trust any certificate (not secure)
+  hidden: false
   name: insecure
   required: false
   type: 8
@@ -2139,6 +2145,97 @@ script:
     - contextPath: InfoFile.Extension
       description: File extension.
       type: String
+  - arguments:
+    - default: false
+      description: 'Specify ID of the report to retrieve the attachment payloads.'
+      isArray: false
+      name: id
+      required: true
+      secret: false
+    - default: false
+      defaultValue: '20'
+      description: 'Specify the number of attachment payloads to retrieve per page. Note: Possible values are between 1 and 200. '
+      isArray: false
+      name: page_size
+      required: false
+      secret: false
+    - default: false
+      defaultValue: '1'
+      description: 'Specify a page number to retrieve the attachment payloads.'
+      isArray: false
+      name: page_number
+      required: false
+      secret: false
+    - default: false
+      description: 'Specify the date and time of creation, from when to retrieve the attachment payloads. Formats accepted: 2 minutes, 2 hours, 2 days, 2 weeks, 2 months, 2 years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ, etc.'
+      isArray: false
+      name: created_at
+      required: false
+      secret: false
+    - default: false
+      description: 'Specify the date and time of updation, from when to retrieve the attachment payloads. Formats accepted: 2 minutes, 2 hours, 2 days, 2 weeks, 2 months, 2 years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ, etc.'
+      isArray: false
+      name: updated_at
+      required: false
+      secret: false
+    deprecated: false
+    description: |-
+      Retrieves attachment payloads based on provided report id in the command arguments.
+      Attachment payloads identify the MIME type and MD5 and SHA256 hash signatures of a reported email attachment.
+    execution: false
+    name: cofense-report-attachment-payload-list
+    outputs:
+    - contextPath: Cofense.AttachmentPayload.id
+      description: Unique identifier of the attachment payload.
+      type: String
+    - contextPath: Cofense.AttachmentPayload.type
+      description: Type of the resource of Cofense Triage.
+      type: String
+    - contextPath: Cofense.AttachmentPayload.links.self
+      description: Link of the resource.
+      type: String
+    - contextPath: Cofense.AttachmentPayload.attributes.mime_type
+      description: MIME type of the payload.
+      type: String
+    - contextPath: Cofense.AttachmentPayload.attributes.md5
+      description: MD5 hash of the payload.
+      type: String
+    - contextPath: Cofense.AttachmentPayload.attributes.sha256
+      description: SHA256 hash of the payload.
+      type: String
+    - contextPath: Cofense.AttachmentPayload.attributes.risk_score
+      description: Risk score of the payload.
+      type: Number
+    - contextPath: Cofense.AttachmentPayload.attributes.created_at
+      description: Date and time, in ISO 8601 format, when the resource was created.
+      type: Date
+    - contextPath: Cofense.AttachmentPayload.attributes.updated_at
+      description: Date and time, in ISO 8601 format, when the resource was last updated.
+      type: Date
+    - contextPath: Cofense.AttachmentPayload.relationships.attachments.links.self
+      description: Link to retrieve the attachment containing the payload.
+      type: String
+    - contextPath: Cofense.AttachmentPayload.relationships.attachments.links.related
+      description: Link to retrieve the detailed information of the attachment containing the payload.
+      type: String
+    - contextPath: Cofense.AttachmentPayload.relationships.clusters.links.self
+      description: Link to retrieve the cluster of reports containing the payload.
+      type: String
+    - contextPath: Cofense.AttachmentPayload.relationships.clusters.links.related
+      description: Link to retrieve the detailed information of the cluster of reports containing the payload.
+      type: String
+    - contextPath: Cofense.AttachmentPayload.relationships.integration_submissions.links.self
+      description: Link to retrieve the integration submissions related to attachment.
+      type: String
+    - contextPath: Cofense.AttachmentPayload.relationships.integration_submissions.links.related
+      description: Link to retrieve the detailed information of the integration submissions related to attachment.
+      type: String
+    - contextPath: Cofense.AttachmentPayload.relationships.reports.links.self
+      description: Link to retrieve the report with attachments containing the payload.
+      type: String
+    - contextPath: Cofense.AttachmentPayload.relationships.reports.links.related
+      description: Link to retrieve the detailed information of the report with attachments containing the payload.
+      type: String
   dockerimage: demisto/python3:3.10.11.61265
   feed: false
   isfetch: true

Packs/CofenseTriage/Integrations/CofenseTriagev3/CofenseTriagev3_test.py

@@ -1047,3 +1047,59 @@ def test_cofense_report_image_download_command_when_invalid_args_are_provided(mo
     with pytest.raises(ValueError) as err:
         cofense_report_image_download_command(mocked_client, args)
     assert str(err.value) == err_msg
+
+
+def test_cofense_report_attachment_payload_list_command_when_valid_response_is_returned(mocked_client):
+    """Test case scenario for successful execution of cofense-report-attachment-payload-list command."""
+
+    from CofenseTriagev3 import cofense_report_attachment_payload_list_command
+
+    response = util_load_json(
+        os.path.join("test_data", "report_attachment_payload/report_attachment_payload_list_response.json"))
+
+    mocked_client.http_request.return_value = response
+
+    context_output = util_load_json(
+        os.path.join("test_data", "report_attachment_payload/report_attachment_payload_list_context.json"))
+
+    with open(os.path.join("test_data", "report_attachment_payload/report_attachment_payload_list.md"), 'r') as f:
+        readable_output = f.read()
+
+    # Execute
+    args = {"id": "4720", "updated_at": "2020-10-21T20:30:24.185Z"}
+
+    command_response = cofense_report_attachment_payload_list_command(mocked_client, args)
+    # Assert
+    assert command_response.outputs_prefix == 'Cofense.AttachmentPayload'
+    assert command_response.outputs_key_field == "id"
+    assert command_response.outputs == context_output
+    assert command_response.readable_output == readable_output
+    assert command_response.raw_response == response
+
+
+def test_cofense_report_attachment_payload_list_command_when_empty_response_is_returned(mocked_client):
+    """Test case scenario for successful execution of cofense-report-attachment-payload-list command with an empty
+    response. """
+
+    from CofenseTriagev3 import cofense_report_attachment_payload_list_command
+    mocked_client.http_request.return_value = {"data": {}}
+    readable_output = "No attachment payloads were found for the given argument(s)."
+
+    # Execute
+    command_response = cofense_report_attachment_payload_list_command(mocked_client, {'id': 'test'})
+    # Assert
+    assert command_response.readable_output == readable_output
+
+
+def test_validate_report_attachment_payload_list_args_when_invalid_args_are_provided(mocked_client):
+    """Test case scenario when the arguments provided are not valid."""
+
+    from CofenseTriagev3 import MESSAGES, cofense_report_attachment_payload_list_command
+
+    args = {
+        "id": None,
+    }
+
+    with pytest.raises(ValueError) as err:
+        cofense_report_attachment_payload_list_command(mocked_client, args)
+    assert str(err.value) == MESSAGES['REQUIRED_ARGUMENT'].format('id')