From 6f3dc2233fa9130d6118ba51b534ad85343a2106 Mon Sep 17 00:00:00 2001
From: Tapish Jain
Date: Mon, 2 Dec 2024 11:32:48 -0800
Subject: [PATCH 01/13] PAPP-35152: documentation changes
---
ciscotalosintelligence.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ciscotalosintelligence.json b/ciscotalosintelligence.json
index 3703382..491e678 100644
--- a/ciscotalosintelligence.json
+++ b/ciscotalosintelligence.json
@@ -1,7 +1,7 @@
{
"appid": "7c653487-22c8-4ec1-bca0-16a8b1513c86",
"name": "Cisco Talos Intelligence",
- "description": "This app provides investigative actions for Cisco Talos Cloud Intelligence",
+ "description": "This app provides investigative actions for Cisco Talos Intelligence",
"type": "information",
"product_vendor": "Cisco",
"logo": "ciscotalosintelligence.svg",
From 3fe79691b22260c898578cc73004829dbd863087 Mon Sep 17 00:00:00 2001
From: splunk-soar-connectors-admin
Date: Mon, 2 Dec 2024 19:33:34 +0000
Subject: [PATCH 02/13] Update README.md
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index d7a2f9f..6516795 100644
--- a/README.md
+++ b/README.md
@@ -8,7 +8,7 @@ Product Name: Talos Cloud Intelligence
Product Version Supported (regex): ".\*"
Minimum Product Version: 6.2.2
-This app provides investigative actions for Cisco Talos Cloud Intelligence
+This app provides investigative actions for Cisco Talos Intelligence
[comment]: # " File: README.md"
[comment]: # "Copyright (c) 2024 Splunk Inc."
From 9e325ad77f2baa9741683b995eca7bf1c196bb4d Mon Sep 17 00:00:00 2001
From: Tapish Jain
Date: Tue, 3 Dec 2024 11:07:34 -0800
Subject: [PATCH 03/13] PAPP-35152: doc changes and changing visibility og congif params
---
ciscotalosintelligence.json | 24 ++++++++++++++----------
manual_readme_content.md | 11 ++++++-----
2 files changed, 20 insertions(+), 15 deletions(-)
diff --git a/ciscotalosintelligence.json b/ciscotalosintelligence.json
index 491e678..fbb5fdf 100644
--- a/ciscotalosintelligence.json +++ b/ciscotalosintelligence.json @@ -93,7 +93,8 @@ "default": "https://soar-api.talos.cisco.com", "required": true, "name": "base_url", - "id": 0 + "id": 0, + "visibility": [] }, "certificate": { "data_type": "password", @@ -101,7 +102,8 @@ "description": "Certificate contents to authenticate with Talos", "required": true, "name": "certificate", - "id": 1 + "id": 1, + "visibility": [] }, "key": { "data_type": "password", @@ -109,13 +111,15 @@ "description": "Private key to authenticate with Talos", "required": true, "name": "key", - "id": 2 + "id": 2, + "visibility": [] }, "verify_server_cert": { "description": "Verify server certificate", "data_type": "boolean", "default": false, - "order": 3 + "order": 3, + "visibility": [] } }, "actions": [ @@ -133,8 +137,8 @@ { "action": "ip reputation", "identifier": "ip_reputation", - "description": "Query IP info", - "verbose": "Provide information on an IP address's reputation, enabling you to take proper action against untrusted, and unwanted resources.", + "description": "Look up Cisco Talos threat intelligence for a given IP address.", + "verbose": "Provides information on an IP address's reputation, so you can take appropriate action against untrusted or unwanted resources.", "type": "investigate", "read_only": true, "parameters": { @@ -221,8 +225,8 @@ { "action": "domain reputation", "identifier": "domain_reputation", - "description": "Query domain info", - "verbose": "Provide information on a domain's reputation, enabling you to take proper action against untrusted, and unwanted resources.", + "description": "Look up Cisco Talos threat intelligence for a given domain.", + "verbose": "Provides information on a domain's reputation, so you can take appropriate action against untrusted or unwanted resources.", "type": "investigate", "read_only": true, "parameters": { 
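Review bot: `"visibility": []` on verify_server_cert (hunk @@ -109,13 +111,15) hides a TLS-verification toggle whose `"default"` is `false`, so in any deployment where the empty list is honored, server-certificate checking for the Talos endpoint is off and an operator has no way to enable it from the asset page; the same empty list is added to base_url, certificate and key in the two preceding hunks, where `"required": true` fields become unsettable by the user. If the intent is that the asset is pre-provisioned on Splunk SOAR Cloud only, state that in the commit body and consider `"default": true` for verify_server_cert so the hidden value is the safe one, or list the deployment types that should still see the field instead of leaving the list empty. Also note verify_server_cert carries `"order": 3` but no `"id"` while its three siblings have `"id"` values matching their `"order"` — presumably an oversight, worth confirming against the app schema.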
@@ -309,8 +313,8 @@ { "action": "url reputation", "identifier": "url_reputation", - "description": "Query URL info", - "verbose": "Provide information on an URL's reputation, enabling you to take proper action against untrusted, and unwanted resources.", + "description": "Look up Cisco Talos threat intelligence for a given URL.", + "verbose": "Provides information on a URL's reputation, so you can take appropriate action against untrusted or unwanted resources.", "type": "investigate", "read_only": true, "parameters": { diff --git a/manual_readme_content.md b/manual_readme_content.md index 822e254..8c003be 100644 --- a/manual_readme_content.md +++ b/manual_readme_content.md @@ -12,11 +12,12 @@ [comment]: # "either express or implied. See the License for the specific language governing permissions" [comment]: # "and limitations under the License." [comment]: # "" -## Getting a Talos license +## Cisco Talos Intelligence license for Splunk SOAR (Cloud) -A request needs to be made to the Talos team. In the configuration window please insert the certificate contents and -private key separatley. +The Cisco Talos Intelligence license is included with your Splunk SOAR (Cloud) license. -## Talos +## Overview -This app makes use of Ciscos Talos API that specializes in identifying, analyzing, and mitigating cybersecurity threats +This app uses the Cisco Talos API that specializes in identifying, analyzing, and mitigating cybersecurity threats + +For additional details, see the [Cisco Talos Intelligence article](https://docs.splunk.com/Documentation/SOAR/drafts/Playbook/Talos) in the Splunk SOAR documentation. From b756a9cd75fc1406f734d9e6e27b381d2580926a Mon Sep 17 00:00:00 2001 From: Tapish Jain Date: Tue, 3 Dec 2024 11:59:40 -0800 Subject: [PATCH 04/13] PAPP-35152: change to product name --- ciscotalosintelligence.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ciscotalosintelligence.json b/ciscotalosintelligence.json index fbb5fdf..dce1fa5 100644 
--- a/ciscotalosintelligence.json
+++ b/ciscotalosintelligence.json
@@ -6,7 +6,7 @@
"product_vendor": "Cisco",
"logo": "ciscotalosintelligence.svg",
"logo_dark": "ciscotalosintelligence_dark.svg",
- "product_name": "Talos Cloud Intelligence",
+ "product_name": "Talos Intelligence",
"python_version": "3",
"latest_tested_versions": [
"Cloud, October 30, 2024"
From 3135d7a876a3a0c6277315b371fa002fd8b6f7b3 Mon Sep 17 00:00:00 2001
From: splunk-soar-connectors-admin
Date: Tue, 3 Dec 2024 20:00:27 +0000
Subject: [PATCH 05/13] Update README.md
---
README.md | 33 +++++++++++++++++----------------
1 file changed, 17 insertions(+), 16 deletions(-)
diff --git a/README.md b/README.md
index 6516795..b402b59 100644
--- a/README.md
+++ b/README.md
@@ -4,7 +4,7 @@ Publisher: Splunk
Connector Version: 1.0.1
Product Vendor: Cisco
-Product Name: Talos Cloud Intelligence
+Product Name: Talos Intelligence
Product Version Supported (regex): ".\*"
Minimum Product Version: 6.2.2
@@ -24,18 +24,19 @@ This app provides investigative actions for Cisco Talos Intelligence [comment]: # "either express or implied. See the License for the specific language governing permissions" [comment]: # "and limitations under the License." [comment]: # "" -## Getting a Talos license +## Cisco Talos Intelligence license for Splunk SOAR (Cloud) -A request needs to be made to the Talos team. In the configuration window please insert the certificate contents and -private key separatley. +The Cisco Talos Intelligence license is included with your Splunk SOAR (Cloud) license. -## Talos +## Overview -This app makes use of Ciscos Talos API that specializes in identifying, analyzing, and mitigating cybersecurity threats +This app uses the Cisco Talos API that specializes in identifying, analyzing, and mitigating cybersecurity threats + +For additional details, see the [Cisco Talos Intelligence article](https://docs.splunk.com/Documentation/SOAR/drafts/Playbook/Talos) in the Splunk SOAR documentation. ### Configuration Variables -The below configuration variables are required for this Connector to operate. These variables are specified when configuring a Talos Cloud Intelligence asset in SOAR. +The below configuration variables are required for this Connector to operate. These variables are specified when configuring a Talos Intelligence asset in SOAR. VARIABLE | REQUIRED | TYPE | DESCRIPTION -------- | -------- | ---- | ----------- 
@@ -46,9 +47,9 @@ VARIABLE | REQUIRED | TYPE | DESCRIPTION ### Supported Actions [test connectivity](#action-test-connectivity) - Validate the asset configuration for connectivity using supplied configuration -[ip reputation](#action-ip-reputation) - Query IP info -[domain reputation](#action-domain-reputation) - Query domain info -[url reputation](#action-url-reputation) - Query URL info +[ip reputation](#action-ip-reputation) - Look up Cisco Talos threat intelligence for a given IP address. +[domain reputation](#action-domain-reputation) - Look up Cisco Talos threat intelligence for a given domain. +[url reputation](#action-url-reputation) - Look up Cisco Talos threat intelligence for a given URL. ## action: 'test connectivity' Validate the asset configuration for connectivity using supplied configuration @@ -65,12 +66,12 @@ No parameters are required for this action No Output ## action: 'ip reputation' -Query IP info +Look up Cisco Talos threat intelligence for a given IP address. Type: **investigate** Read only: **True** -Provide information on an IP address's reputation, enabling you to take proper action against untrusted, and unwanted resources. +Provides information on an IP address's reputation, so you can take appropriate action against untrusted or unwanted resources. #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS @@ -92,12 +93,12 @@ action_result.data.\*.AUP | string | | action_result.summary.message | string | | 72.163.4.185 has a Favorable threat level ## action: 'domain reputation' -Query domain info +Look up Cisco Talos threat intelligence for a given domain. Type: **investigate** Read only: **True** -Provide information on a domain's reputation, enabling you to take proper action against untrusted, and unwanted resources. +Provides information on a domain's reputation, so you can take appropriate action against untrusted or unwanted resources. #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS 
@@ -119,12 +120,12 @@ action_result.data.\*.AUP | string | | action_result.summary.message | string | | splunk.com has a Favorable threat level ## action: 'url reputation' -Query URL info +Look up Cisco Talos threat intelligence for a given URL. Type: **investigate** Read only: **True** -Provide information on an URL's reputation, enabling you to take proper action against untrusted, and unwanted resources. +Provides information on a URL's reputation, so you can take appropriate action against untrusted or unwanted resources. #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS From 643ebe2a98bd026607ff0c22ec40619743fc59e6 Mon Sep 17 00:00:00 2001 From: Tapish Jain Date: Wed, 4 Dec 2024 17:28:15 -0800 Subject: [PATCH 06/13] New readme template From f7dec6b64b34475f986f8a3e687001e0fc6cd823 Mon Sep 17 00:00:00 2001 From: Tapish Jain Date: Wed, 4 Dec 2024 17:32:20 -0800 Subject: [PATCH 07/13] PAPP-35152: bumping min phantom version --- ciscotalosintelligence.json | 12 ++++++------ manual_readme_content.md | 4 +++- 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/ciscotalosintelligence.json b/ciscotalosintelligence.json index dce1fa5..f29f2a8 100644 --- a/ciscotalosintelligence.json +++ b/ciscotalosintelligence.json @@ -19,7 +19,7 @@ "package_name": "phantom_ciscotalosintelligence", "fips_compliant": false, "main_module": "ciscotalosintelligence_connector.py", - "min_phantom_version": "6.2.2", + "min_phantom_version": "6.3.0", "app_wizard_version": "1.0.0", "pip39_dependencies": { "wheel": [ @@ -89,7 +89,7 @@ "base_url": { "data_type": "string", "order": 0, - "description": "Base URL provided by Talos", + "description": "Base URL provided by Talos.", "default": "https://soar-api.talos.cisco.com", "required": true, "name": "base_url", 
@@ -99,7 +99,7 @@ "certificate": { "data_type": "password", "order": 1, - "description": "Certificate contents to authenticate with Talos", + "description": "Certificate contents to authenticate with Talos.", "required": true, "name": "certificate", "id": 1, @@ -108,14 +108,14 @@ "key": { "data_type": "password", "order": 2, - "description": "Private key to authenticate with Talos", + "description": "Private key to authenticate with Talos.", "required": true, "name": "key", "id": 2, "visibility": [] }, "verify_server_cert": { - "description": "Verify server certificate", + "description": "Verify server certificate.", "data_type": "boolean", "default": false, "order": 3, @@ -126,7 +126,7 @@ { "action": "test connectivity", "identifier": "test_connectivity", - "description": "Validate the asset configuration for connectivity using supplied configuration", + "description": "Validate the asset configuration for connectivity using supplied configuration.", "verbose": "Action uses the URS API to get a list of the AUP categories used to classify website content.", "type": "test", "read_only": true, diff --git a/manual_readme_content.md b/manual_readme_content.md index 8c003be..5635da6 100644 --- a/manual_readme_content.md +++ b/manual_readme_content.md @@ -18,6 +18,8 @@ The Cisco Talos Intelligence license is included with your Splunk SOAR (Cloud) l ## Overview -This app uses the Cisco Talos API that specializes in identifying, analyzing, and mitigating cybersecurity threats +This app uses the Cisco Talos API that specializes in identifying, analyzing, and mitigating cybersecurity threats. For additional details, see the [Cisco Talos Intelligence article](https://docs.splunk.com/Documentation/SOAR/drafts/Playbook/Talos) in the Splunk SOAR documentation. + +**Note:** The Cisco Talos Intelligence asset is already configured in your Splunk SOAR (Cloud) deployment. \ No newline at end of file From ab277fd8d889b29260b3928067fe2c7261188a4a Mon Sep 17 00:00:00 2001 
From: splunk-soar-connectors-admin Date: Thu, 5 Dec 2024 16:41:49 +0000 Subject: [PATCH 08/13] Update README.md --- README.md | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index b402b59..76198e3 100644 --- a/README.md +++ b/README.md @@ -6,7 +6,7 @@ Connector Version: 1.0.1 Product Vendor: Cisco Product Name: Talos Intelligence Product Version Supported (regex): ".\*" -Minimum Product Version: 6.2.2 +Minimum Product Version: 6.3.0 This app provides investigative actions for Cisco Talos Intelligence 
@@ -30,29 +30,26 @@ The Cisco Talos Intelligence license is included with your Splunk SOAR (Cloud) l ## Overview -This app uses the Cisco Talos API that specializes in identifying, analyzing, and mitigating cybersecurity threats +This app uses the Cisco Talos API that specializes in identifying, analyzing, and mitigating cybersecurity threats. For additional details, see the [Cisco Talos Intelligence article](https://docs.splunk.com/Documentation/SOAR/drafts/Playbook/Talos) in the Splunk SOAR documentation. +**Note:** The Cisco Talos Intelligence asset is already configured in your Splunk SOAR (Cloud) deployment. ### Configuration Variables -The below configuration variables are required for this Connector to operate. These variables are specified when configuring a Talos Intelligence asset in SOAR. +This table lists the configuration variables required to operate Cisco Talos Intelligence. These variables are specified when configuring a Talos Intelligence asset in Splunk SOAR. VARIABLE | REQUIRED | TYPE | DESCRIPTION -------- | -------- | ---- | ----------- -**base_url** | required | string | Base URL provided by Talos -**certificate** | required | password | Certificate contents to authenticate with Talos -**key** | required | password | Private key to authenticate with Talos -**verify_server_cert** | optional | boolean | Verify server certificate ### Supported Actions -[test connectivity](#action-test-connectivity) - Validate the asset configuration for connectivity using supplied configuration +[test connectivity](#action-test-connectivity) - Validate the asset configuration for connectivity using supplied configuration. [ip reputation](#action-ip-reputation) - Look up Cisco Talos threat intelligence for a given IP address. [domain reputation](#action-domain-reputation) - Look up Cisco Talos threat intelligence for a given domain. [url reputation](#action-url-reputation) - Look up Cisco Talos threat intelligence for a given URL. 
## action: 'test connectivity' -Validate the asset configuration for connectivity using supplied configuration +Validate the asset configuration for connectivity using supplied configuration. Type: **test** Read only: **True** From 477921ac7856baa27f9be71e8d84fa35dbeaac70 Mon Sep 17 00:00:00 2001 From: Tapish Jain Date: Fri, 6 Dec 2024 09:49:40 -0800 Subject: [PATCH 09/13] trigger pipeline From 996930833bf981ef219f55ebd1f3bee4298c8244 Mon Sep 17 00:00:00 2001 From: Tapish Jain Date: Fri, 6 Dec 2024 10:01:52 -0800 Subject: [PATCH 10/13] PAPP-35152: removing periods at the end of description --- ciscotalosintelligence.json | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/ciscotalosintelligence.json b/ciscotalosintelligence.json index f29f2a8..d4fda6a 100644 --- a/ciscotalosintelligence.json +++ b/ciscotalosintelligence.json @@ -126,7 +126,7 @@ { "action": "test connectivity", "identifier": "test_connectivity", - "description": "Validate the asset configuration for connectivity using supplied configuration.", + "description": "Validate the asset configuration for connectivity using supplied configuration", "verbose": "Action uses the URS API to get a list of the AUP categories used to classify website content.", "type": "test", "read_only": true, @@ -137,7 +137,7 @@ { "action": "ip reputation", "identifier": "ip_reputation", - "description": "Look up Cisco Talos threat intelligence for a given IP address.", + "description": "Look up Cisco Talos threat intelligence for a given IP address", "verbose": "Provides information on an IP address's reputation, so you can take appropriate action against untrusted or unwanted resources.", "type": "investigate", "read_only": true, 
@@ -225,7 +225,7 @@ { "action": "domain reputation", "identifier": "domain_reputation", - "description": "Look up Cisco Talos threat intelligence for a given domain.", + "description": "Look up Cisco Talos threat intelligence for a given domain", "verbose": "Provides information on a domain's reputation, so you can take appropriate action against untrusted or unwanted resources.", "type": "investigate", "read_only": true, @@ -313,7 +313,7 @@ { "action": "url reputation", "identifier": "url_reputation", - "description": "Look up Cisco Talos threat intelligence for a given URL.", + "description": "Look up Cisco Talos threat intelligence for a given URL", "verbose": "Provides information on a URL's reputation, so you can take appropriate action against untrusted or unwanted resources.", "type": "investigate", "read_only": true, From 6db81c086ca73ae6cf4bad717bf815bc21857d5b Mon Sep 17 00:00:00 2001 From: splunk-soar-connectors-admin Date: Fri, 6 Dec 2024 18:02:39 +0000 Subject: [PATCH 11/13] Update README.md --- README.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 76198e3..c8e0017 100644 --- a/README.md +++ b/README.md 
@@ -43,13 +43,13 @@ VARIABLE | REQUIRED | TYPE | DESCRIPTION -------- | -------- | ---- | ----------- ### Supported Actions -[test connectivity](#action-test-connectivity) - Validate the asset configuration for connectivity using supplied configuration. -[ip reputation](#action-ip-reputation) - Look up Cisco Talos threat intelligence for a given IP address. -[domain reputation](#action-domain-reputation) - Look up Cisco Talos threat intelligence for a given domain. -[url reputation](#action-url-reputation) - Look up Cisco Talos threat intelligence for a given URL. +[test connectivity](#action-test-connectivity) - Validate the asset configuration for connectivity using supplied configuration +[ip reputation](#action-ip-reputation) - Look up Cisco Talos threat intelligence for a given IP address +[domain reputation](#action-domain-reputation) - Look up Cisco Talos threat intelligence for a given domain +[url reputation](#action-url-reputation) - Look up Cisco Talos threat intelligence for a given URL ## action: 'test connectivity' -Validate the asset configuration for connectivity using supplied configuration. +Validate the asset configuration for connectivity using supplied configuration Type: **test** Read only: **True** @@ -63,7 +63,7 @@ No parameters are required for this action No Output ## action: 'ip reputation' -Look up Cisco Talos threat intelligence for a given IP address. +Look up Cisco Talos threat intelligence for a given IP address Type: **investigate** Read only: **True** @@ -90,7 +90,7 @@ action_result.data.\*.AUP | string | | action_result.summary.message | string | | 72.163.4.185 has a Favorable threat level ## action: 'domain reputation' -Look up Cisco Talos threat intelligence for a given domain. +Look up Cisco Talos threat intelligence for a given domain Type: **investigate** Read only: **True** 
@@ -117,7 +117,7 @@ action_result.data.\*.AUP | string | | action_result.summary.message | string | | splunk.com has a Favorable threat level ## action: 'url reputation' -Look up Cisco Talos threat intelligence for a given URL. +Look up Cisco Talos threat intelligence for a given URL Type: **investigate** Read only: **True** From 563d90f47e8a3c164e75e90b74bb0cb45dfb3d88 Mon Sep 17 00:00:00 2001 From: Tapish Jain Date: Fri, 6 Dec 2024 16:51:43 -0800 Subject: [PATCH 12/13] trigger pipeline From 251b15d73f42a8ac8eea7c24ef1cdd2a6163a403 Mon Sep 17 00:00:00 2001 From: splunk-soar-connectors-admin Date: Wed, 18 Dec 2024 21:09:55 +0000 Subject: [PATCH 13/13] Update README.md --- README.md | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index c8e0017..1cf1ebb 100644 --- a/README.md +++ b/README.md 
@@ -32,16 +32,10 @@ The Cisco Talos Intelligence license is included with your Splunk SOAR (Cloud) l This app uses the Cisco Talos API that specializes in identifying, analyzing, and mitigating cybersecurity threats. -For additional details, see the [Cisco Talos Intelligence article](https://docs.splunk.com/Documentation/SOAR/drafts/Playbook/Talos) in the Splunk SOAR documentation. +For additional details, see the [Cisco Talos Intelligence article](https://docs.splunk.com/Documentation/SOAR/current/Playbook/Talos) in the Splunk SOAR documentation. **Note:** The Cisco Talos Intelligence asset is already configured in your Splunk SOAR (Cloud) deployment. -### Configuration Variables -This table lists the configuration variables required to operate Cisco Talos Intelligence. These variables are specified when configuring a Talos Intelligence asset in Splunk SOAR. - -VARIABLE | REQUIRED | TYPE | DESCRIPTION --------- | -------- | ---- | ----------- - ### Supported Actions [test connectivity](#action-test-connectivity) - Validate the asset configuration for connectivity using supplied configuration [ip reputation](#action-ip-reputation) - Look up Cisco Talos threat intelligence for a given IP address @@ -100,12 +94,12 @@ Provides information on a domain's reputation, so you can take appropriate actio #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**domain** | required | Domain to query | string | `domain` `url` +**domain** | required | Domain to query | string | `domain` #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- -action_result.parameter.domain | string | `domain` `url` | +action_result.parameter.domain | string | `domain` | action_result.status | string | | action_result.message | string | | summary.total_objects | numeric | |