[Marketplace Contribution] Oracle Cloud Infrastructure Feed (demisto#…

…27670) (demisto#27753) * "pack contribution initial commit" * Adding category to pack metadata. --------- Co-authored-by: xsoar-bot <[email protected]> Co-authored-by: Danny_Fried <[email protected]>
xsoar-contrib · Jul 26, 2023 · 959f7a8 · 959f7a8
1 parent b455893
commit 959f7a8
Show file tree

Hide file tree

Showing 9 changed files with 368 additions and 0 deletions.
diff --git a/Packs/OracleCloudInfrastructureFeed/.pack-ignore b/Packs/OracleCloudInfrastructureFeed/.pack-ignore
diff --git a/Packs/OracleCloudInfrastructureFeed/.secrets-ignore b/Packs/OracleCloudInfrastructureFeed/.secrets-ignore
diff --git a/...structureFeed/Integrations/OracleCloudInfrastructureFeed/OracleCloudInfrastructureFeed.py b/...structureFeed/Integrations/OracleCloudInfrastructureFeed/OracleCloudInfrastructureFeed.py
@@ -0,0 +1,178 @@
+import demistomock as demisto  # noqa: F401
+from CommonServerPython import *  # noqa: F401
+
+from typing import Dict, List, Optional
+
+import urllib3
+from urllib.parse import urlparse
+
+urllib3.disable_warnings()
+
+
+class Client(BaseClient):
+
+    def build_iterator(self) -> List:
+        result = []
+        res = self._http_request('GET',
+                                 url_suffix='',
+                                 full_url=self._base_url,
+                                 resp_type='json',
+                                 )
+        try:
+            indicators = []
+            for region in res["regions"]:
+                for cidr in region['cidrs']:
+                    indicators.append(cidr['cidr'])
+
+            for indicator in indicators:
+                if indicator_type := auto_detect_indicator_type(indicator):
+                    related_indicator = {}
+                    if indicator_type == FeedIndicatorType.URL:
+                        domain = urlparse(indicator).netloc
+                        related_indicator = {
+                            'value': domain,
+                            'type': FeedIndicatorType.Domain,
+                            'relationType': 'hosted-on'
+                        }
+
+                    result.append({
+                        'value': indicator,
+                        'type': indicator_type,
+                        'FeedURL': self._base_url,
+                        'relations': [related_indicator]
+                    })
+
+        except ValueError as err:
+            demisto.debug(str(err))
+            raise ValueError(f'Could not parse returned data as indicator. \n\nError massage: {err}')
+        return result
+
+
+def test_module(client: Client) -> str:
+    fetch_indicators(client, limit=1)
+    return 'ok'
+
+
+def fetch_indicators(client: Client, tlp_color: Optional[str] = None, feed_tags: List = [], limit: int = -1,
+                     create_relationships: bool = False) -> List[Dict]:
+    iterator = client.build_iterator()
+    indicators = []
+    if limit > 0:
+        iterator = iterator[:limit]
+
+    for item in iterator:
+        value_ = item.get('value')
+        type_ = item.get('type')
+        raw_data = {
+            'value': value_,
+            'type': type_,
+        }
+        for key, value in item.items():
+            raw_data.update({key: value})
+        indicator_obj = {
+            'value': value_,
+            'type': type_,
+            'service': 'HelloWorld',
+            'fields': {},
+            'rawJSON': raw_data
+        }
+
+        if feed_tags:
+            indicator_obj['fields']['tags'] = feed_tags
+
+        if tlp_color:
+            indicator_obj['fields']['trafficlightprotocol'] = tlp_color
+
+        if (relations := item.get('relations')) and create_relationships:
+            relationships = []
+            for relation in relations:
+                if relation:
+                    entity_relation = EntityRelationship(
+                        name=relation.get('relationType'),
+                        entity_a=value_,
+                        entity_a_type=type_,
+                        entity_b=relation.get('value'),
+                        entity_b_type=relation.get('type')
+                    )
+                    relationships.append(entity_relation.to_indicator())
+
+            indicator_obj['relationships'] = relationships
+
+        indicators.append(indicator_obj)
+
+    return indicators
+
+
+def get_indicators_command(client: Client,
+                           params: Dict[str, str],
+                           args: Dict[str, str]
+                           ) -> CommandResults:
+    """Wrapper for retrieving indicators from the feed to the war-room.
+    Args:
+        client: Client object with request
+        params: demisto.params()
+        args: demisto.args()
+    Returns:
+        Outputs.
+    """
+    limit = int(args.get('limit', '10'))
+    tlp_color = params.get('tlp_color')
+    feed_tags = argToList(params.get('feedTags', ''))
+    indicators = fetch_indicators(client, tlp_color, feed_tags, limit)
+    human_readable = tableToMarkdown('Indicators from HelloWorld Feed:', indicators,
+                                     headers=['value', 'type'], headerTransform=string_to_table_header, removeNull=True)
+    return CommandResults(
+        readable_output=human_readable,
+        outputs_prefix='',
+        outputs_key_field='',
+        raw_response=indicators,
+        outputs={},
+    )
+
+
+def fetch_indicators_command(client: Client, params: Dict[str, str]) -> List[Dict]:
+    feed_tags = argToList(params.get('feedTags', ''))
+    tlp_color = params.get('tlp_color')
+    create_relationships = argToBoolean(params.get('create_relationships', True))
+
+    indicators = fetch_indicators(client, tlp_color, feed_tags, create_relationships=create_relationships)
+    return indicators
+
+
+def main():
+    params = demisto.params()
+
+    base_url = params.get('url')
+    insecure = not params.get('insecure', False)
+    proxy = params.get('proxy', False)
+    command = demisto.command()
+    args = demisto.args()
+    demisto.debug(f'Command being called is {command}')
+
+    try:
+        client = Client(
+            base_url=base_url,
+            verify=insecure,
+            proxy=proxy,
+        )
+
+        if command == 'test-module':
+            return_results(test_module(client))
+
+        elif command == 'oci-get-indicators':
+            return_results(get_indicators_command(client, params, args))
+
+        elif command == 'fetch-indicators':
+            indicators = fetch_indicators_command(client, params)
+            for iter_ in batch(indicators, batch_size=2000):
+                demisto.createIndicators(iter_)
+
+        else:
+            raise NotImplementedError(f'Command {command} is not implemented.')
+
+    except Exception as e:
+        return_error(f'Failed to execute {command} command.\nError:\n{str(e)}')
+
+
+if __name__ in ['__main__', 'builtin', 'builtins']:
+    main()
diff --git a/...tructureFeed/Integrations/OracleCloudInfrastructureFeed/OracleCloudInfrastructureFeed.yml b/...tructureFeed/Integrations/OracleCloudInfrastructureFeed/OracleCloudInfrastructureFeed.yml
@@ -0,0 +1,113 @@
+category: Data Enrichment & Threat Intelligence
+commonfields:
+  id: Oracle Cloud Infrastructure Feed
+  version: -1
+configuration:
+- defaultvalue: "true"
+  display: Fetch indicators
+  name: feed
+  required: false
+  type: 8
+- defaultvalue: https://docs.oracle.com/iaas/tools/public_ip_ranges.json
+  display: Server's URL
+  name: url
+  required: true
+  type: 0
+- additionalinfo: Indicators from this integration instance will be marked with this reputation
+  defaultvalue: Good
+  display: Indicator Reputation
+  name: feedReputation
+  options:
+  - None
+  - Good
+  - Suspicious
+  - Bad
+  required: false
+  type: 18
+- additionalinfo: Reliability of the source providing the intelligence data
+  defaultvalue: F - Reliability cannot be judged
+  display: Source Reliability
+  name: feedReliability
+  options:
+  - A - Completely reliable
+  - B - Usually reliable
+  - C - Fairly reliable
+  - D - Not usually reliable
+  - E - Unreliable
+  - F - Reliability cannot be judged
+  required: true
+  type: 15
+- additionalinfo: The Traffic Light Protocol (TLP) designation to apply to indicators fetched from the feed
+  display: Traffic Light Protocol Color
+  name: tlp_color
+  options:
+  - RED
+  - AMBER
+  - GREEN
+  - WHITE
+  required: false
+  type: 15
+- defaultvalue: "30"
+  display: Feed Fetch Interval
+  name: feedFetchInterval
+  required: false
+  type: 19
+- additionalinfo: When selected, the exclusion list is ignored for indicators from this feed. This means that if an indicator from this feed is on the exclusion list, the indicator might still be added to the system.
+  defaultvalue: "true"
+  display: Bypass exclusion list
+  name: feedBypassExclusionList
+  required: false
+  type: 8
+- display: Trust any certificate (not secure)
+  name: insecure
+  required: false
+  type: 8
+- display: Use system proxy settings
+  name: proxy
+  required: false
+  type: 8
+- display: ""
+  name: feedExpirationPolicy
+  options:
+  - never
+  - interval
+  - indicatorType
+  - suddenDeath
+  required: false
+  type: 17
+- display: ""
+  name: feedExpirationInterval
+  required: false
+  type: 1
+- additionalinfo: Supports CSV values.
+  display: Tags
+  name: feedTags
+  required: false
+  type: 0
+- defaultvalue: "false"
+  display: Create relationships
+  name: create_relationships
+  required: false
+  type: 8
+description: |-
+  Oracle Cloud Infrastructure Feed (OCI Feed)
+  This feed provides information about public IP address ranges for services that are deployed in Oracle Cloud Infrastructure.
+display: Oracle Cloud Infrastructure Feed
+name: Oracle Cloud Infrastructure Feed
+script:
+  commands:
+  - arguments:
+    - defaultValue: "10"
+      description: The maximum number of results to return.
+      name: limit
+    description: Gets indicators from the feed.
+    name: oci-get-indicators
+  dockerimage: demisto/python3:3.10.12.63474
+  feed: true
+  runonce: false
+  script: ''
+  subtype: python3
+  type: python
+fromversion: 6.0.0
+tests:
+- No tests (auto formatted)
diff --git a/...ions/OracleCloudInfrastructureFeed/OracleCloudInfrastructureFeed_description.md b/...ions/OracleCloudInfrastructureFeed/OracleCloudInfrastructureFeed_description.md
@@ -0,0 +1,5 @@
+### Oracle Cloud Infrastructure (OCI)
+ #### IP Address Ranges
+This feed provides information about public IP address ranges for services that are deployed in Oracle Cloud Infrastructure.
+See additional information in this link:
+https://docs.oracle.com/en-us/iaas/Content/General/Concepts/addressranges.htm
diff --git a/...egrations/OracleCloudInfrastructureFeed/OracleCloudInfrastructureFeed_image.png b/...egrations/OracleCloudInfrastructureFeed/OracleCloudInfrastructureFeed_image.png
diff --git a/...cleCloudInfrastructureFeed/Integrations/OracleCloudInfrastructureFeed/README.md b/...cleCloudInfrastructureFeed/Integrations/OracleCloudInfrastructureFeed/README.md
@@ -0,0 +1,49 @@
+Oracle Cloud Infrastructure Feed (OCI Feed)
+This feed provides information about public IP address ranges for services that are deployed in Oracle Cloud Infrastructure.
+## Configure Oracle Cloud Infrastructure Feed on Cortex XSOAR
+
+1. Navigate to **Settings** > **Integrations** > **Servers & Services**.
+2. Search for Oracle Cloud Infrastructure Feed.
+3. Click **Add instance** to create and configure a new integration instance.
+
+    | **Parameter** | **Description** | **Required** |
+    | --- | --- | --- |
+    | Fetch indicators |  | False |
+    | Server's URL |  | True |
+    | Indicator Reputation | Indicators from this integration instance will be marked with this reputation | False |
+    | Source Reliability | Reliability of the source providing the intelligence data | True |
+    | Traffic Light Protocol Color | The Traffic Light Protocol \(TLP\) designation to apply to indicators fetched from the feed | False |
+    | Feed Fetch Interval |  | False |
+    | Bypass exclusion list | When selected, the exclusion list is ignored for indicators from this feed. This means that if an indicator from this feed is on the exclusion list, the indicator might still be added to the system. | False |
+    | Trust any certificate (not secure) |  | False |
+    | Use system proxy settings |  | False |
+    |  |  | False |
+    |  |  | False |
+    | Tags | Supports CSV values. | False |
+    | Create relationships |  | False |
+
+4. Click **Test** to validate the URLs, token, and connection.
+
+## Commands
+
+You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook.
+After you successfully execute a command, a DBot message appears in the War Room with the command details.
+
+### oci-get-indicators
+
+***
+Gets indicators from the feed.
+
+#### Base Command
+
+`oci-get-indicators`
+
+#### Input
+
+| **Argument Name** | **Description** | **Required** |
+| --- | --- | --- |
+| limit | The maximum number of results to return. Default is 10. | Optional | 
+
+#### Context Output
+
+There is no context output for this command.
diff --git a/Packs/OracleCloudInfrastructureFeed/README.md b/Packs/OracleCloudInfrastructureFeed/README.md
diff --git a/Packs/OracleCloudInfrastructureFeed/pack_metadata.json b/Packs/OracleCloudInfrastructureFeed/pack_metadata.json
@@ -0,0 +1,23 @@
+{
+    "name": "Oracle Cloud Infrastructure Feed",
+    "description": "This feed provides information about public IP address ranges for services that are deployed in Oracle Cloud Infrastructure.\nSee additional information in this link:\nhttps://docs.oracle.com/en-us/iaas/Content/General/Concepts/addressranges.htm",
+    "support": "community",
+    "currentVersion": "1.0.0",
+    "author": "Rod Gonzalez",
+    "url": "",
+    "email": "",
+    "created": "2023-06-22T18:59:06Z",
+    "categories": [
+            "Cloud Services"
+    ],
+    "tags": [],
+    "useCases": [],
+    "keywords": [],
+    "marketplaces": [
+        "xsoar",
+        "marketplacev2"
+    ],
+    "githubUser": [
+        "rgleza"
+    ]
+}