
Commit dbc158a

dorschw, DeanArbel, ShirleyDenkberg authored
IPinfo v2 (demisto#12382)
* added entry_type to CSP ctor, defaults to EntryType.NOTE
* output format documentation, code refactoring, test files (demisto#35409)
* added indicator relationships (demisto#35467)
* added relations to CommandResults (alongside IP indicator)

Co-authored-by: Dean Arbel <[email protected]>
Co-authored-by: ShirleyDenkberg <[email protected]>
1 parent 8179b13 commit dbc158a

21 files changed

Lines changed: 1066 additions & 7 deletions


Packs/Base/ReleaseNotes/1_10_27.md

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,5 @@
1+
2+
#### Scripts
3+
##### CommonServerPython
4+
- Added the `entry_type` field to the `CommandResults` constructor.
5+
`None` defaults to `EntryType.NOTE`, as it did before adding this argument.

Packs/Base/Scripts/CommonServerPython/CommonServerPython.py

Lines changed: 10 additions & 3 deletions
@@ -5367,23 +5367,30 @@ class CommandResults:
53675367
:type mark_as_note: ``bool``
53685368
:param mark_as_note: must be a boolean, default value is False. Used to mark entry as note.
53695369
5370+
:type entry_type: ``int`` code of EntryType
5371+
:param entry_type: type of return value, see EntryType
5372+
53705373
:return: None
53715374
:rtype: ``None``
53725375
"""
53735376

53745377
def __init__(self, outputs_prefix=None, outputs_key_field=None, outputs=None, indicators=None, readable_output=None,
53755378
raw_response=None, indicators_timeline=None, indicator=None, ignore_auto_extract=False,
53765379
mark_as_note=False, polling_command=None, polling_args=None, polling_timeout=None,
5377-
polling_next_run=None, relationships=None):
5378-
# type: (str, object, object, list, str, object, IndicatorsTimeline, Common.Indicator, bool, bool,str, dict, str, str, list) -> None # noqa: E501
5380+
polling_next_run=None, relationships=None, entry_type=None):
5381+
# type: (str, object, object, list, str, object, IndicatorsTimeline, Common.Indicator, bool, bool,str, dict, str, str, list, int) -> None # noqa: E501
53795382
if raw_response is None:
53805383
raw_response = outputs
53815384
if outputs is not None and not isinstance(outputs, dict) and not outputs_prefix:
53825385
raise ValueError('outputs_prefix is missing')
53835386
if indicators and indicator:
53845387
raise ValueError('indicators is DEPRECATED, use only indicator')
5388+
if entry_type is None:
5389+
entry_type = EntryType.NOTE
5390+
53855391
self.indicators = indicators # type: Optional[List[Common.Indicator]]
53865392
self.indicator = indicator # type: Optional[Common.Indicator]
5393+
self.entry_type = entry_type # type: int
53875394

53885395
self.outputs_prefix = outputs_prefix
53895396

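Review bot: `entry_type` is accepted without validation in this hunk (the `if entry_type is None` branch only fills in the default), so whatever a caller passes becomes the entry's `Type` in `to_context`. The docstring says it must be an ``int`` code of `EntryType`, so add a guard next to the existing `ValueError` checks, e.g. `if not isinstance(entry_type, int): raise ValueError('entry_type must be an EntryType value')` after the default is applied. Two smaller points: the type comment should read `Optional[int]` rather than `int` given the `None` default, and the `:param entry_type:` docstring should state the `EntryType.NOTE` default the way the `mark_as_note` entry states its default.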
@@ -5474,7 +5481,7 @@ def to_context(self):
54745481
content_format = EntryFormat.TEXT
54755482

54765483
return_entry = {
5477-
'Type': EntryType.NOTE,
5484+
'Type': self.entry_type,
54785485
'ContentsFormat': content_format,
54795486
'Contents': raw_response,
54805487
'HumanReadable': human_readable,

Packs/Base/pack_metadata.json

Lines changed: 1 addition & 1 deletion
@@ -2,7 +2,7 @@
22
"name": "Base",
33
"description": "The base pack for Cortex XSOAR.",
44
"support": "xsoar",
5-
"currentVersion": "1.10.26",
5+
"currentVersion": "1.10.27",
66
"author": "Cortex XSOAR",
77
"serverMinVersion": "6.0.0",
88
"url": "https://www.paloaltonetworks.com/cortex",
File renamed without changes.
File renamed without changes.

Packs/ipinfo/Integrations/ipinfo_v2/Pipfile

Whitespace-only changes.

Packs/ipinfo/Integrations/ipinfo_v2/Pipfile.lock

Whitespace-only changes.
Lines changed: 141 additions & 0 deletions
@@ -0,0 +1,141 @@
1+
Use the IPinfo.io API to get data about an IP address.
2+
3+
## Configure ipinfo_v2 on Cortex XSOAR
4+
5+
1. Navigate to **Settings** > **Integrations** > **Servers & Services**.
6+
2. Search for ipinfo_v2.
7+
3. Click **Add instance** to create and configure a new integration instance.
8+
9+
| **Parameter** | **Description** | **Required** |
10+
| --- | --- | --- |
11+
| API Token | The API Key to use for connection | True |
12+
| Source Reliability | Reliability of the source providing the intelligence data. | True |
13+
| Base URL | | False |
14+
| Trust any certificate (not secure) | | False |
15+
| Use system proxy settings | | False |
16+
17+
4. Click **Test** to validate the URLs, token, and connection.
18+
19+
## Commands
20+
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook.
21+
After you successfully execute a command, a DBot message appears in the War Room with the command details.
22+
### ip
23+
***
24+
Check IP reputation (when information is available, returns a JSON with details). Uses all configured Threat Intelligence feeds
25+
26+
27+
#### Base Command
28+
29+
`ip`
30+
#### Input
31+
32+
| **Argument Name** | **Description** | **Required** |
33+
| --- | --- | --- |
34+
| ip | IP address to query (e.g. 1.1.1.1) | Required |
35+
36+
37+
#### Context Output
38+
39+
| **Path** | **Type** | **Description** |
40+
| --- | --- | --- |
41+
| IPinfo.IP.Address | String | The IP address |
42+
| IPinfo.IP.Hostname | String | The IP Hostname |
43+
| IPinfo.IP.ASN | String | The IP ASN |
44+
| IPinfo.IP.ASOwner | String | The IP AS Owner |
45+
| IPinfo.IP.Organization.Name | String | The IP organization name \(Only available in some IPinfo.io plans\) |
46+
| IPinfo.IP.Organization.Type | String | The IP organization type \(Only available in some IPinfo.io plans\) |
47+
| IPinfo.IP.Geo.Location | String | The IP geographic location \(coordinates as lat:lon\) |
48+
| IPinfo.IP.Geo.Country | String | The IP Country |
49+
| IPinfo.IP.Geo.Description | String | The IP location as &lt;City, Region, Postal Code, Country&gt; |
50+
| IPinfo.IP.Registrar.Abuse.Address | String | The physical address registered for receiving abuse reports for the IP. \(Only available in some IPinfo.io plans\) |
51+
| IPinfo.IP.Registrar.Abuse.Country | String | The country where abuse reports are received for the IP. \(Only available in some IPinfo.io plans\) |
52+
| IPinfo.IP.Registrar.Abuse.Email | String | The email address for abuse reports provided by the IP. \(Only available in some IPinfo.io plans\) |
53+
| IPinfo.IP.Registrar.Abuse.Name | String | The name of the abuse report handler received for the IP. \(Only available in some IPinfo.io plans\) |
54+
| IPinfo.IP.Registrar.Abuse.Network | String | The IP range relevant for abuse inquries provided for the IP \(Only available in some IPinfo.io plans\) |
55+
| IP.Address | String | The IP address |
56+
| IP.Hostname | String | The IP Hostname |
57+
| IP.ASN | String | The IP ASN |
58+
| IP.Tags | String | Tags related the IP use \(hosting, proxy, tor, vpn\) |
59+
| IP.FeedRelatedIndicators.value | String | Names of indicators associated with the IP |
60+
| IP.FeedRelatedIndicators.type | String | Types of indicators associated with the IP |
61+
| IP.Relationships.EntityA | String | The source of the relationship. |
62+
| IP.Relationships.EntityB | String | The destination of the relationship. |
63+
| IP.Relationships.Relationship | String | The name of the relationship. |
64+
| IP.Relationships.EntityAType | String | The type of the source of the relationship. |
65+
| IP.Relationships.EntityBType | String | The type of the destination of the relationship. |
66+
| IP.Relationships.Relationship | String | The name of the relationship. |
67+
| IP.Geo.Location | String | The IP geographic location \(coordinates as lat:lon\) |
68+
| IP.Geo.Country | String | The IP Country |
69+
| IP.Geo.Description | String | The IP location as &lt;City, Region, Postal Code, Country&gt; |
70+
| DBotScore.Indicator | String | The indicator that was tested. |
71+
| DBotScore.Score | Number | The actual score. |
72+
| DBotScore.Reliability | String | How reliable the score is \(for example, "C - fairly reliable"\) |
73+
| DBotScore.Type | String | The indicator type. |
74+
| DBotScore.Vendor | String | The vendor used to calculate the score. |
75+
76+
77+
#### Command Example
78+
```!ip ip=1.1.1.1```
79+
80+
#### Context Example
81+
```json
82+
{
83+
"DBotScore": [
84+
{
85+
"Indicator": "1.1.1.1",
86+
"Reliability": "C - Fairly reliable",
87+
"Score": 0,
88+
"Type": "ip",
89+
"Vendor": "IPinfo_v2"
90+
}
91+
],
92+
"IP": {
93+
"ASN": 13335,
94+
"Address": "1.1.1.1",
95+
"FeedRelatedIndicators": [
96+
{
97+
"description": "Hostname",
98+
"type": "URL",
99+
"value": "one.one.one.one"
100+
}
101+
],
102+
"Geo": {
103+
"Country": "AU"
104+
},
105+
"Hostname": "one.one.one.one",
106+
"Relationships": [
107+
{
108+
"EntityA": "1.1.1.1",
109+
"EntityAType": "IP",
110+
"EntityB": "one.one.one.one",
111+
"EntityBType": "Domain",
112+
"Relationship": "resolves-to"
113+
}
114+
],
115+
},
116+
"IPinfo": {
117+
"IP": {
118+
"ASN": "AS13335",
119+
"ASOwner": "Cloudflare, Inc.",
120+
"Address": "1.1.1.1",
121+
"Geo": {
122+
"Country": "US",
123+
"Description": "Miami, Florida, 33132, US",
124+
"Location": "25.7867,-80.1800"
125+
},
126+
"Hostname": "one.one.one.one",
127+
"Organization": null,
128+
"Registrar": null,
129+
"Tags": []
130+
}
131+
}
132+
}
133+
```
134+
135+
#### Human Readable Output
136+
137+
### IPinfo results for 1.1.1.1
138+
139+
|anycast|city|country|hostname|ip|loc|org|postal|readme|region|timezone|
140+
|---|---|---|---|---|---|---|---|---|---|---|
141+
| true | Miami | US | one.one.one.one | 1.1.1.1 | 25.7867,-80.1800 | AS13335 Cloudflare, Inc. | 33132 | https
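Review bot: the Context Output table lists `IP.Relationships.Relationship` twice, once after `IP.Relationships.EntityB` and again after `IP.Relationships.EntityBType`; drop the second row. Typos in the same table: "inquries" should be "inquiries" in the `IPinfo.IP.Registrar.Abuse.Network` row, and "Tags related the IP use" should be "Tags related to the IP use". The Context Example is not valid JSON: the `],` that closes `Relationships` is followed directly by the `},` closing the `IP` object, leaving a trailing comma. The example also shows `IP.Geo.Country` as `"AU"` while `IPinfo.IP.Geo.Country` is `"US"` for the same lookup; if the standard-context field is populated from a different source, say so in the table description, otherwise one of the two values is stale and the example should be regenerated. Finally, the `ip` command description ("Uses all configured Threat Intelligence feeds") is the generic reputation-command text; this integration only queries IPinfo.io, so the description should say that.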
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
!ip ip=1.1.1.1
