diff --git a/README.md b/README.md index d7a2f9f..1cf1ebb 100644 --- a/README.md +++ b/README.md @@ -4,11 +4,11 @@ Publisher: Splunk Connector Version: 1.0.1 Product Vendor: Cisco -Product Name: Talos Cloud Intelligence +Product Name: Talos Intelligence Product Version Supported (regex): ".\*" -Minimum Product Version: 6.2.2 +Minimum Product Version: 6.3.0 -This app provides investigative actions for Cisco Talos Cloud Intelligence +This app provides investigative actions for Cisco Talos Intelligence [comment]: # " File: README.md" [comment]: # "Copyright (c) 2024 Splunk Inc." 
@@ -24,31 +24,23 @@ This app provides investigative actions for Cisco Talos Cloud Intelligence [comment]: # "either express or implied. See the License for the specific language governing permissions" [comment]: # "and limitations under the License." [comment]: # "" -## Getting a Talos license +## Cisco Talos Intelligence license for Splunk SOAR (Cloud) -A request needs to be made to the Talos team. In the configuration window please insert the certificate contents and -private key separatley. +The Cisco Talos Intelligence license is included with your Splunk SOAR (Cloud) license. -## Talos +## Overview -This app makes use of Ciscos Talos API that specializes in identifying, analyzing, and mitigating cybersecurity threats +This app uses the Cisco Talos API that specializes in identifying, analyzing, and mitigating cybersecurity threats. +For additional details, see the [Cisco Talos Intelligence article](https://docs.splunk.com/Documentation/SOAR/current/Playbook/Talos) in the Splunk SOAR documentation. -### Configuration Variables -The below configuration variables are required for this Connector to operate. These variables are specified when configuring a Talos Cloud Intelligence asset in SOAR. - -VARIABLE | REQUIRED | TYPE | DESCRIPTION --------- | -------- | ---- | ----------- -**base_url** | required | string | Base URL provided by Talos -**certificate** | required | password | Certificate contents to authenticate with Talos -**key** | required | password | Private key to authenticate with Talos -**verify_server_cert** | optional | boolean | Verify server certificate +**Note:** The Cisco Talos Intelligence asset is already configured in your Splunk SOAR (Cloud) deployment. 
### Supported Actions [test connectivity](#action-test-connectivity) - Validate the asset configuration for connectivity using supplied configuration -[ip reputation](#action-ip-reputation) - Query IP info -[domain reputation](#action-domain-reputation) - Query domain info -[url reputation](#action-url-reputation) - Query URL info +[ip reputation](#action-ip-reputation) - Look up Cisco Talos threat intelligence for a given IP address +[domain reputation](#action-domain-reputation) - Look up Cisco Talos threat intelligence for a given domain +[url reputation](#action-url-reputation) - Look up Cisco Talos threat intelligence for a given URL ## action: 'test connectivity' Validate the asset configuration for connectivity using supplied configuration @@ -65,12 +57,12 @@ No parameters are required for this action No Output ## action: 'ip reputation' -Query IP info +Look up Cisco Talos threat intelligence for a given IP address Type: **investigate** Read only: **True** -Provide information on an IP address's reputation, enabling you to take proper action against untrusted, and unwanted resources. +Provides information on an IP address's reputation, so you can take appropriate action against untrusted or unwanted resources. #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS 
@@ -92,22 +84,22 @@ action_result.data.\*.AUP | string | | action_result.summary.message | string | | 72.163.4.185 has a Favorable threat level ## action: 'domain reputation' -Query domain info +Look up Cisco Talos threat intelligence for a given domain Type: **investigate** Read only: **True** -Provide information on a domain's reputation, enabling you to take proper action against untrusted, and unwanted resources. +Provides information on a domain's reputation, so you can take appropriate action against untrusted or unwanted resources. #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**domain** | required | Domain to query | string | `domain` `url` +**domain** | required | Domain to query | string | `domain` #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- -action_result.parameter.domain | string | `domain` `url` | +action_result.parameter.domain | string | `domain` | action_result.status | string | | action_result.message | string | | summary.total_objects | numeric | | @@ -119,12 +111,12 @@ action_result.data.\*.AUP | string | | action_result.summary.message | string | | splunk.com has a Favorable threat level ## action: 'url reputation' -Query URL info +Look up Cisco Talos threat intelligence for a given URL Type: **investigate** Read only: **True** -Provide information on an URL's reputation, enabling you to take proper action against untrusted, and unwanted resources. +Provides information on a URL's reputation, so you can take appropriate action against untrusted or unwanted resources. #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS diff --git a/ciscotalosintelligence.json b/ciscotalosintelligence.json index 3703382..0de42ac 100644 --- a/ciscotalosintelligence.json +++ b/ciscotalosintelligence.json 
@@ -1,12 +1,12 @@ { "appid": "7c653487-22c8-4ec1-bca0-16a8b1513c86", "name": "Cisco Talos Intelligence", - "description": "This app provides investigative actions for Cisco Talos Cloud Intelligence", + "description": "This app provides investigative actions for Cisco Talos Intelligence", "type": "information", "product_vendor": "Cisco", "logo": "ciscotalosintelligence.svg", "logo_dark": "ciscotalosintelligence_dark.svg", - "product_name": "Talos Cloud Intelligence", + "product_name": "Talos Intelligence", "python_version": "3", "latest_tested_versions": [ "Cloud, October 30, 2024" @@ -19,7 +19,7 @@ "package_name": "phantom_ciscotalosintelligence", "fips_compliant": false, "main_module": "ciscotalosintelligence_connector.py", - "min_phantom_version": "6.2.2", + "min_phantom_version": "6.3.0", "app_wizard_version": "1.0.0", "pip39_dependencies": { "wheel": [ @@ -89,33 +89,37 @@ "base_url": { "data_type": "string", "order": 0, - "description": "Base URL provided by Talos", + "description": "Base URL provided by Talos.", "default": "https://soar-api.talos.cisco.com", "required": true, "name": "base_url", - "id": 0 + "id": 0, + "visibility": [] }, "certificate": { "data_type": "password", "order": 1, - "description": "Certificate contents to authenticate with Talos", + "description": "Certificate contents to authenticate with Talos.", "required": true, "name": "certificate", - "id": 1 + "id": 1, + "visibility": [] }, "key": { "data_type": "password", "order": 2, - "description": "Private key to authenticate with Talos", + "description": "Private key to authenticate with Talos.", "required": true, "name": "key", - "id": 2 + "id": 2, + "visibility": [] }, "verify_server_cert": { - "description": "Verify server certificate", + "description": "Verify server certificate.", "data_type": "boolean", "default": false, - "order": 3 + "order": 3, + "visibility": [] } }, "actions": [ 
@@ -133,8 +137,8 @@ { "action": "ip reputation", "identifier": "ip_reputation", - "description": "Query IP info", - "verbose": "Provide information on an IP address's reputation, enabling you to take proper action against untrusted, and unwanted resources.", + "description": "Look up Cisco Talos threat intelligence for a given IP address", + "verbose": "Provides information on an IP address's reputation, so you can take appropriate action against untrusted or unwanted resources.", "type": "investigate", "read_only": true, "parameters": { @@ -221,8 +225,8 @@ { "action": "domain reputation", "identifier": "domain_reputation", - "description": "Query domain info", - "verbose": "Provide information on a domain's reputation, enabling you to take proper action against untrusted, and unwanted resources.", + "description": "Look up Cisco Talos threat intelligence for a given domain", + "verbose": "Provides information on a domain's reputation, so you can take appropriate action against untrusted or unwanted resources.", "type": "investigate", "read_only": true, "parameters": { @@ -232,8 +236,7 @@ "required": true, "primary": true, "contains": [ - "domain", - "url" + "domain" ], "value_list": [], "default": "", @@ -246,8 +249,7 @@ "data_path": "action_result.parameter.domain", "data_type": "string", "contains": [ - "domain", - "url" + "domain" ] }, { @@ -309,8 +311,8 @@ { "action": "url reputation", "identifier": "url_reputation", - "description": "Query URL info", - "verbose": "Provide information on an URL's reputation, enabling you to take proper action against untrusted, and unwanted resources.", + "description": "Look up Cisco Talos threat intelligence for a given URL", + "verbose": "Provides information on a URL's reputation, so you can take appropriate action against untrusted or unwanted resources.", "type": "investigate", "read_only": true, "parameters": { 
diff --git a/ciscotalosintelligence_connector.py b/ciscotalosintelligence_connector.py index bae1980..669b4c1 100644 --- a/ciscotalosintelligence_connector.py +++ b/ciscotalosintelligence_connector.py @@ -165,7 +165,6 @@ def _make_rest_call(self, retry, endpoint, action_result, method="get", **kwargs break except Exception as e: self.debug_print(f"Retrying to establish connection to the server for the {i + 1} time") - self.debug_print(e) jittered_delay = random.uniform(delay * 0.9, delay * 1.1) time.sleep(jittered_delay) delay = min(delay * 2, 256) diff --git a/manual_readme_content.md b/manual_readme_content.md index 822e254..da744f0 100644 --- a/manual_readme_content.md +++ b/manual_readme_content.md @@ -12,11 +12,14 @@ [comment]: # "either express or implied. See the License for the specific language governing permissions" [comment]: # "and limitations under the License." [comment]: # "" -## Getting a Talos license +## Cisco Talos Intelligence license for Splunk SOAR (Cloud) -A request needs to be made to the Talos team. In the configuration window please insert the certificate contents and -private key separatley. +The Cisco Talos Intelligence license is included with your Splunk SOAR (Cloud) license. -## Talos +## Overview -This app makes use of Ciscos Talos API that specializes in identifying, analyzing, and mitigating cybersecurity threats +This app uses the Cisco Talos API that specializes in identifying, analyzing, and mitigating cybersecurity threats. + +For additional details, see the [Cisco Talos Intelligence article](https://docs.splunk.com/Documentation/SOAR/current/Playbook/Talos) in the Splunk SOAR documentation. + +**Note:** The Cisco Talos Intelligence asset is already configured in your Splunk SOAR (Cloud) deployment. \ No newline at end of file
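Review bot: In the first README.md hunk the unchanged context still reads `Connector Version: 1.0.1` while the same hunk raises `Minimum Product Version` from 6.2.2 to 6.3.0; a change to the minimum platform version (mirrored by `min_phantom_version` in ciscotalosintelligence.json) is a compatibility change and should come with an app version bump and a release-note entry so that 6.2.2 deployments are not offered an update they cannot install.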
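Review bot: Deleting the "Configuration Variables" table from README.md (base_url, certificate, key, verify_server_cert) leaves four asset parameters undocumented even though the JSON hunk keeps `"required": true` on base_url, certificate and key; the replacement "Note:" only describes Splunk SOAR (Cloud). Either state explicitly that the app is Cloud-only, or keep a short paragraph saying that on Cloud the asset is pre-provisioned and that anywhere else the certificate contents and private key must still be entered separately.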
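Review bot: The `"visibility": []` added to all four configuration parameters in ciscotalosintelligence.json is not explained anywhere in the diff; on parameters that remain `"required": true` an empty visibility list presumably hides fields the connector cannot work without, which only holds where the platform injects them. Confirm the intended semantics and record the reason in the PR or README. The same hunk keeps `"default": false` on `verify_server_cert`; once that field is hidden the operator can no longer enable TLS server-certificate verification, so the default should become `true` (or the hunk should explain why a hidden, false default is acceptable). Minor: the new trailing periods on these descriptions ("Base URL provided by Talos.") are inconsistent with the action descriptions, which have none.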
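Review bot: Dropping `url` from the `contains` list of the `domain` parameter and of the `action_result.parameter.domain` data path is a playbook-compatibility change: blocks that previously fed `url`-typed artifact fields into `domain reputation` will stop matching. The README table and the JSON are changed consistently, which is good, but the change belongs in the release notes, and it is worth confirming that the connector rejects or normalizes a full URL passed as `domain`, since the contains list is now the only hint to playbook authors.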
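Review bot: Removing `self.debug_print(e)` from the retry loop in `_make_rest_call` discards the only record of why each attempt failed, so a TLS handshake failure (wrong client certificate, untrusted server certificate) and a plain timeout become indistinguishable in the debug log. Keep the cause in the retry line, e.g. `self.debug_print(f"Retrying connection, attempt {i + 1}: {type(e).__name__}: {e}")`; if the concern is that exception text could echo sensitive material, log `type(e).__name__` alone. The existing wording `for the {i + 1} time` also reads awkwardly.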
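Review bot: manual_readme_content.md now ends without a trailing newline (`\ No newline at end of file`); add one. The Overview and Note text is duplicated verbatim between README.md and manual_readme_content.md, so if README.md is generated from this file, regenerate it in the same change rather than editing both by hand, to keep them from drifting.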