From da673bae9e648b0ac3073c6300580d6bed40ba3e Mon Sep 17 00:00:00 2001 From: xsoar-bot Date: Mon, 9 Jun 2025 19:19:39 +0000 Subject: [PATCH 01/29] "pack contribution initial commit" --- Packs/SOCRadarTakedown/.pack-ignore | 0 Packs/SOCRadarTakedown/.secrets-ignore | 0 .../Integrations/SOCRadarTakedown/README.md | 160 ++++ .../SOCRadarTakedown/SOCRadarTakedown.py | 681 ++++++++++++++++++ .../SOCRadarTakedown/SOCRadarTakedown.yml | 233 ++++++ .../SOCRadarTakedown_image.png | 6 + Packs/SOCRadarTakedown/README.md | 0 Packs/SOCRadarTakedown/pack_metadata.json | 21 + 8 files changed, 1101 insertions(+) create mode 100644 Packs/SOCRadarTakedown/.pack-ignore create mode 100644 Packs/SOCRadarTakedown/.secrets-ignore create mode 100644 Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/README.md create mode 100644 Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.py create mode 100644 Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.yml create mode 100644 Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown_image.png create mode 100644 Packs/SOCRadarTakedown/README.md create mode 100644 Packs/SOCRadarTakedown/pack_metadata.json diff --git a/Packs/SOCRadarTakedown/.pack-ignore b/Packs/SOCRadarTakedown/.pack-ignore new file mode 100644 index 000000000000..e69de29bb2d1 diff --git a/Packs/SOCRadarTakedown/.secrets-ignore b/Packs/SOCRadarTakedown/.secrets-ignore new file mode 100644 index 000000000000..e69de29bb2d1 diff --git a/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/README.md b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/README.md new file mode 100644 index 000000000000..d2d9dd3f80e4 --- /dev/null +++ b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/README.md 
@@ -0,0 +1,160 @@ +Submit and monitor takedown requests for phishing domains, impersonating accounts, and other digital risks +## Configure SOCRadar Takedown in Cortex + + +| **Parameter** | **Required** | +| --- | --- | +| API Key | True | +| Company ID | True | +| Trust any certificate (not secure) | False | +| Use system proxy settings | False | +| Reliability | False | + +## Commands + +You can execute these commands from the CLI, as part of an automation, or in a playbook. +After you successfully execute a command, a DBot message appears in the War Room with the command details. + +### socradar-submit-phishing-domain + +*** +Submits a takedown request for a phishing or malicious domain + +#### Base Command + +`socradar-submit-phishing-domain` + +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| domain | The phishing domain to submit for takedown. | Required | +| abuse_type | Type of abuse (default is potential_phishing). Possible values are: potential_phishing, malware, fake_site. | Optional | +| type | Type of domain (default is phishing_domain). Possible values are: phishing_domain, malicious_domain. | Optional | +| notes | Additional information about the takedown request. | Optional | +| send_alarm | Whether to send an alarm (default is true). Possible values are: true, false. | Optional | +| email | Email to receive notifications about the takedown request. 
| Required | + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| SOCRadarTakedown.PhishingDomain.Domain | string | The domain submitted for takedown | +| SOCRadarTakedown.PhishingDomain.AbuseType | string | Type of abuse | +| SOCRadarTakedown.PhishingDomain.Status | string | Status of the takedown request | +| SOCRadarTakedown.PhishingDomain.Message | string | Message returned from the API | +| SOCRadarTakedown.PhishingDomain.SendAlarm | boolean | Whether an alarm was sent | +| SOCRadarTakedown.PhishingDomain.Notes | string | Notes provided with the takedown request | + +### socradar-submit-social-media-impersonation + +*** +Submits a takedown request for an impersonating social media account + +#### Base Command + +`socradar-submit-social-media-impersonation` + +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| username | Username of the impersonating account. | Required | +| full_name | Full name shown on the impersonating account. | Required | +| account_type | Type of social media platform. Possible values are: facebook, twitter, instagram, linkedin, tiktok, youtube, other. | Required | +| description | Description or ID of the impersonation case. | Optional | +| followers | Number of followers (default is 0). | Optional | +| profile_picture | URL to the profile picture. | Optional | +| notes | Additional information about the takedown request. | Optional | +| send_alarm | Whether to send an alarm (default is false). Possible values are: true, false. | Optional | +| email | Email to receive notifications about the takedown request. 
| Optional | + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| SOCRadarTakedown.SocialMediaImpersonation.Username | string | Username of the impersonating account | +| SOCRadarTakedown.SocialMediaImpersonation.FullName | string | Full name shown on the impersonating account | +| SOCRadarTakedown.SocialMediaImpersonation.AccountType | string | Type of social media platform | +| SOCRadarTakedown.SocialMediaImpersonation.Status | string | Status of the takedown request | +| SOCRadarTakedown.SocialMediaImpersonation.Message | string | Message returned from the API | +| SOCRadarTakedown.SocialMediaImpersonation.SendAlarm | boolean | Whether an alarm was sent | +| SOCRadarTakedown.SocialMediaImpersonation.Notes | string | Notes provided with the takedown request | + +### socradar-get-takedown-progress + +*** +Gets the progress of a takedown request + +#### Base Command + +`socradar-get-takedown-progress` + +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| asset_id | The ID of the asset for which to check progress. | Required | +| type | Type of takedown request. Possible values are: phishing_domain, impersonating_accounts, source_code_leaks, rogue_mobile_apps. 
| Required | + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| SOCRadarTakedown.Progress.AssetID | string | The ID of the asset | +| SOCRadarTakedown.Progress.Type | string | Type of takedown request | +| SOCRadarTakedown.Progress.Status | string | Status of the API request | +| SOCRadarTakedown.Progress.Data | unknown | Progress data returned from the API | +| SOCRadarTakedown.Progress.Message | string | Message returned from the API | + +### socradar-submit-source-code-leak + +*** +Submits a takedown request for leaked source code + +#### Base Command + +`socradar-submit-source-code-leak` + +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| id | ID of the source code leak to takedown. | Required | +| notes | Additional information about the takedown request. | Optional | +| email | Email to receive notifications about the takedown request. | Optional | + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| SOCRadarTakedown.SourceCodeLeak.LeakID | number | ID of the source code leak | +| SOCRadarTakedown.SourceCodeLeak.Status | string | Status of the takedown request | +| SOCRadarTakedown.SourceCodeLeak.Message | string | Message returned from the API | +| SOCRadarTakedown.SourceCodeLeak.Notes | string | Notes provided with the takedown request | +| SOCRadarTakedown.SourceCodeLeak.Email | string | Email provided for notifications | + +### socradar-submit-rogue-app + +*** +Submits a takedown request for a rogue mobile app + +#### Base Command + +`socradar-submit-rogue-app` + +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| id | ID of the rogue mobile app to takedown. | Required | +| email | Email to receive notifications about the takedown request. 
| Optional | + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| SOCRadarTakedown.RogueApp.AppID | string | ID of the rogue mobile app | +| SOCRadarTakedown.RogueApp.Status | string | Status of the takedown request | +| SOCRadarTakedown.RogueApp.Message | string | Message returned from the API | +| SOCRadarTakedown.RogueApp.Email | string | Email provided for notifications | diff --git a/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.py b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.py new file mode 100644 index 000000000000..bd63d1406987 --- /dev/null +++ b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.py 
@@ -0,0 +1,681 @@ +import demistomock as demisto # noqa: F401 +from CommonServerPython import * # noqa: F401 +import urllib3 +import traceback +import re +from typing import Any, Dict, List, Optional, Union +from json.decoder import JSONDecodeError + +# Disable insecure warnings +urllib3.disable_warnings() + +""" CONSTANTS """ + +SOCRADAR_API_ENDPOINT = "https://platform.socradar.com/api" +MESSAGES = { + "BAD_REQUEST_ERROR": "An error occurred while fetching the data.", + "AUTHORIZATION_ERROR": "Authorization Error: make sure API Key is correctly set.", + "RATE_LIMIT_EXCEED_ERROR": "Rate limit has been exceeded. Please make sure your API key's rate limit is adequate.", +} + +""" CLIENT CLASS """ + + +class Client: + """ + Client class to interact with the SOCRadar Takedown API + """ + + def __init__(self, base_url, api_key, company_id, verify, proxy): + self.base_url = base_url + self.api_key = api_key + self.company_id = company_id + self.headers = {"API-KEY": self.api_key} + self.verify = verify + self.proxy = proxy + + def check_auth(self): + """Checks if the API key is valid""" + import requests + + url = f"{self.base_url}/get/company/{self.company_id}/takedown/progress" + params = {"asset_id": "test", "type": "impersonating_accounts"} + + try: + response = requests.get( + url, + params=params, + headers=self.headers, + verify=self.verify + ) + + if response.status_code == 401: + raise Exception("Authorization Error: Invalid API Key") + elif response.status_code == 429: + raise Exception("Rate limit exceeded") + elif response.status_code >= 400: + raise Exception(f"API Error: {response.status_code}") + + return {"is_success": True} + + except requests.exceptions.RequestException as e: + raise Exception(f"Connection error: {str(e)}") + + def submit_phishing_domain_takedown(self, domain, abuse_type="potential_phishing", notes="", + domain_type="phishing_domain", send_alarm=True, email=""): + """Submits a takedown request for a phishing domain""" + import requests 
+ + url = f"{self.base_url}/add/company/{self.company_id}/takedown/request" + data = { + "abuse_type": abuse_type, + "entity": domain, + "type": domain_type, + "notes": notes, + "send_alarm": send_alarm, + "email": email + } + + response = requests.post( + url, + json=data, + headers=self.headers, + verify=self.verify + ) + + if response.status_code >= 400: + raise Exception(f"API Error: {response.status_code} - {response.text}") + + return response.json() + + def submit_social_media_impersonation_takedown(self, url_link, abuse_type="impersonating_accounts", + notes="", send_alarm=True, email=""): + """Submits a takedown request for social media impersonation""" + import requests + + api_url = f"{self.base_url}/add/company/{self.company_id}/takedown/request" + data = { + "abuse_type": abuse_type, + "entity": url_link, + "type": "impersonating_accounts", + "notes": notes, + "send_alarm": send_alarm, + "email": email + } + + response = requests.post( + api_url, + json=data, + headers=self.headers, + verify=self.verify + ) + + if response.status_code >= 400: + raise Exception(f"API Error: {response.status_code} - {response.text}") + + return response.json() + + def get_takedown_progress(self, asset_id, takedown_type): + """Gets the progress of a takedown request""" + import requests + + url = f"{self.base_url}/get/company/{self.company_id}/takedown/progress" + params = { + "asset_id": asset_id, + "type": takedown_type + } + + try: + response = requests.get( + url, + params=params, + headers=self.headers, + verify=self.verify + ) + + if response.status_code == 401: + raise Exception("Authorization Error: Invalid API Key") + elif response.status_code == 429: + raise Exception("Rate limit exceeded") + elif response.status_code >= 400: + raise Exception(f"API Error: {response.status_code} - {response.text}") + + return response.json() + + except requests.exceptions.RequestException as e: + raise Exception(f"Connection error: {str(e)}") + + def 
submit_source_code_leak_takedown(self, url_link, abuse_type="source_code_leak", + notes="", send_alarm=True, email=""): + """Submits a takedown request for leaked source code""" + import requests + + api_url = f"{self.base_url}/add/company/{self.company_id}/takedown/request" + data = { + "abuse_type": abuse_type, + "entity": url_link, + "type": "source_code_leak", + "notes": notes, + "send_alarm": send_alarm, + "email": email + } + + response = requests.post( + api_url, + json=data, + headers=self.headers, + verify=self.verify + ) + + if response.status_code >= 400: + raise Exception(f"API Error: {response.status_code} - {response.text}") + + return response.json() + + def submit_rogue_app_takedown(self, app_info, abuse_type="rogue_mobile_app", + notes="", send_alarm=True, email=""): + """Submits a takedown request for a rogue mobile app""" + import requests + + api_url = f"{self.base_url}/add/company/{self.company_id}/takedown/request" + data = { + "abuse_type": abuse_type, + "entity": app_info, + "type": "rogue_mobile_app", + "notes": notes, + "send_alarm": send_alarm, + "email": email + } + + response = requests.post( + api_url, + json=data, + headers=self.headers, + verify=self.verify + ) + + if response.status_code >= 400: + raise Exception(f"API Error: {response.status_code} - {response.text}") + + return response.json() + + +""" HELPER FUNCTIONS """ + + +class Validator: + @staticmethod + def validate_domain(domain_to_validate): + if not isinstance(domain_to_validate, str) or len(domain_to_validate) > 255: + return False + if domain_to_validate.endswith("."): + domain_to_validate = domain_to_validate[:-1] + domain_regex = re.compile(r"(?!-)[A-Z\d-]{1,63}(? + + + + + diff --git a/Packs/SOCRadarTakedown/README.md b/Packs/SOCRadarTakedown/README.md new file mode 100644 index 000000000000..e69de29bb2d1 diff --git a/Packs/SOCRadarTakedown/pack_metadata.json b/Packs/SOCRadarTakedown/pack_metadata.json new file mode 100644 index 000000000000..acaa6dc36876 
--- /dev/null +++ b/Packs/SOCRadarTakedown/pack_metadata.json @@ -0,0 +1,21 @@ +{ + "name": "SOCRadarTakedown", + "description": "", + "support": "community", + "currentVersion": "1.0.0", + "author": "Radargoger", + "url": "", + "email": "", + "created": "2025-06-09T19:19:21Z", + "categories": [], + "tags": [], + "useCases": [], + "keywords": [], + "marketplaces": [ + "xsoar", + "marketplacev2" + ], + "githubUser": [ + "Radargoger" + ] +} \ No newline at end of file From 026625587eebd12eb4a45d1d1fa028d537b22515 Mon Sep 17 00:00:00 2001 From: Radargoger Date: Wed, 25 Jun 2025 12:29:22 +0300 Subject: [PATCH 02/29] Update pack_metadata.json update pack_metadajson --- Packs/SOCRadarTakedown/pack_metadata.json | 35 ++++++++++++++--------- 1 file changed, 22 insertions(+), 13 deletions(-) diff --git a/Packs/SOCRadarTakedown/pack_metadata.json b/Packs/SOCRadarTakedown/pack_metadata.json index acaa6dc36876..91356622e0dd 100644 --- a/Packs/SOCRadarTakedown/pack_metadata.json +++ b/Packs/SOCRadarTakedown/pack_metadata.json 
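Review bot: In PATCH 01 the argument contract for socradar-submit-social-media-impersonation does not match between the README and the client code: the README input table takes `username`, `full_name` and `account_type`, but `Client.submit_social_media_impersonation_takedown` takes a single `url_link` and always posts `"type": "impersonating_accounts"`, so either the documented arguments are unused or the command layer has to synthesize an entity string; align the two before merge. In the same file, `check_auth` probes the progress endpoint with `asset_id="test"`, so any 4xx the API returns for a non-existent asset is reported as `API Error` even when the key is valid; treat a 404 on the dummy asset as a successful auth check, or probe an endpoint that does not require a real asset. `self.proxy` is stored but never passed to any `requests` call, so the "Use system proxy settings" parameter has no effect; building the client on `BaseClient` from CommonServerPython would handle `verify` and `proxy` consistently and remove the per-method `import requests`.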
@@ -1,21 +1,30 @@ { "name": "SOCRadarTakedown", - "description": "", + "description": "Submit and manage takedown requests for phishing domains, social media impersonation, source code leaks, and rogue mobile apps through the SOCRadar platform. This pack helps security teams automate the process of reporting and tracking malicious content for removal.", "support": "community", "currentVersion": "1.0.0", - "author": "Radargoger", + "author": "Community Contributor", "url": "", "email": "", - "created": "2025-06-09T19:19:21Z", - "categories": [], - "tags": [], - "useCases": [], - "keywords": [], - "marketplaces": [ - "xsoar", - "marketplacev2" + "created": "2024-06-24T00:00:00Z", + "categories": [ + "Threat Intelligence" ], - "githubUser": [ - "Radargoger" + "tags": [ + "takedown", + "phishing", + "threat-intelligence", + "brand-protection" + ], + "useCases": [ + "Brand Protection", + "Threat Intelligence Management" + ], + "keywords": [ + "socradar", + "takedown", + "phishing", + "impersonation", + "brand protection" ] -} \ No newline at end of file +} From affd7e15e8090760853a0cdc965a7090c3d9f7aa Mon Sep 17 00:00:00 2001 From: Radargoger Date: Wed, 25 Jun 2025 12:29:55 +0300 Subject: [PATCH 03/29] Update SOCRadarTakedown.yml --- .../SOCRadarTakedown/SOCRadarTakedown.yml | 354 +++++++++--------- 1 file changed, 178 insertions(+), 176 deletions(-) diff --git a/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.yml b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.yml index bd4048a0f012..1c0503a1388a 100644 --- a/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.yml +++ b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.yml 
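Review bot: In PATCH 02 the `"created"` value is moved from `"2025-06-09T19:19:21Z"` to `"2024-06-24T00:00:00Z"`, which predates both the initial commit (9 Jun 2025) and this patch (25 Jun 2025); this looks like a typo for 2025 and should keep the original timestamp. The hunk also drops `"githubUser"` together with the author change; for a pack with `"support": "community"` that field is what ties the contribution to a GitHub account, so consider restoring it. The new `"categories": ["Threat Intelligence"]` is also likely to fail demisto-sdk validation, since the canonical category name (used by the original yml) is `"Data Enrichment & Threat Intelligence"`.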
@@ -1,233 +1,235 @@ -category: Data Enrichment & Threat Intelligence commonfields: - id: SOCRadarTakedown + id: SOCRadar Takedown version: -1 +name: SOCRadar Takedown +display: SOCRadar Takedown +category: Threat Intelligence +description: Submit and track takedown requests for phishing domains, social media impersonation, source code leaks, and rogue mobile apps through SOCRadar platform. +detaileddescription: | + This integration allows you to: + - Submit takedown requests for phishing domains + - Submit takedown requests for social media impersonation + - Submit takedown requests for source code leaks + - Submit takedown requests for rogue mobile apps + - Track the progress of submitted takedown requests + + ## Authentication + You need a valid SOCRadar API key and Company ID to use this integration. + + ## Rate Limits + Please ensure your API key has adequate rate limits for your usage. + configuration: -- display: API Key +- display: SOCRadar API Key name: apikey required: true type: 4 + additionalinfo: Your SOCRadar platform API key - display: Company ID name: company_id required: true type: 0 + additionalinfo: Your SOCRadar Company ID - display: Trust any certificate (not secure) name: insecure required: false type: 8 + defaultvalue: false - display: Use system proxy settings name: proxy required: false type: 8 -- defaultvalue: B - Usually reliable - display: Reliability - name: integrationReliability - options: - - A+ - 3rd party enrichment - - A - Completely reliable - - B - Usually reliable - - C - Fairly reliable - - D - Not usually reliable - - E - Unreliable - - F - Reliability cannot be judged - required: false - type: 15 -description: Submit and monitor takedown requests for phishing domains, impersonating accounts, and other digital risks. 
-display: SOCRadar Takedown -name: SOCRadarTakedown + defaultvalue: false + script: + script: '' + type: python + subtype: python3 + dockerimage: demisto/python3:3.10.13.72123 commands: - - arguments: - - description: The phishing domain to submit for takedown. - name: domain + - name: socradar-submit-phishing-domain + description: Submit a takedown request for a phishing domain + arguments: + - name: domain + description: The phishing domain to be taken down required: true - - auto: PREDEFINED - description: Type of abuse (default is potential_phishing). - name: abuse_type + - name: abuse_type + description: Type of abuse + defaultValue: potential_phishing predefined: - potential_phishing - - malware - - fake_site - - auto: PREDEFINED - description: Type of domain (default is phishing_domain). - name: type + - confirmed_phishing + - name: type + description: Domain type + defaultValue: phishing_domain predefined: - phishing_domain - - malicious_domain - - description: Additional information about the takedown request. - name: notes - - auto: PREDEFINED - description: Whether to send an alarm (default is true). - name: send_alarm + - lookalike_domain + - name: notes + description: Additional notes for the takedown request + required: false + - name: send_alarm + description: Whether to send alarm notification + defaultValue: "true" predefined: - - 'true' - - 'false' - - description: Email to receive notifications about the takedown request. - name: email + - "true" + - "false" + - name: email + description: Email address for notifications required: true - description: Submits a takedown request for a phishing or malicious domain. - name: socradar-submit-phishing-domain outputs: - contextPath: SOCRadarTakedown.PhishingDomain.Domain - description: The domain submitted for takedown. - type: string + description: The domain that was reported + type: String - contextPath: SOCRadarTakedown.PhishingDomain.AbuseType - description: Type of abuse. 
- type: string + description: Type of abuse reported + type: String - contextPath: SOCRadarTakedown.PhishingDomain.Status - description: Status of the takedown request. - type: string + description: Status of the takedown request + type: String - contextPath: SOCRadarTakedown.PhishingDomain.Message - description: Message returned from the API. - type: string + description: Response message from the API + type: String - contextPath: SOCRadarTakedown.PhishingDomain.SendAlarm - description: Whether an alarm was sent. - type: boolean + description: Whether alarm notification is enabled + type: Boolean - contextPath: SOCRadarTakedown.PhishingDomain.Notes - description: Notes provided with the takedown request. - type: string - - arguments: - - description: Username of the impersonating account. - name: username + description: Additional notes for the request + type: String + - name: socradar-submit-social-media-impersonation + description: Submit a takedown request for social media impersonation + arguments: + - name: url + description: URL of the impersonating social media account required: true - - description: Full name shown on the impersonating account. - name: full_name - required: true - - auto: PREDEFINED - description: Type of social media platform. - name: account_type + - name: abuse_type + description: Type of abuse + defaultValue: impersonating_accounts predefined: - - facebook - - twitter - - instagram - - linkedin - - tiktok - - youtube - - other - required: true - - description: Description or ID of the impersonation case. - name: description - - description: Number of followers (default is 0). - name: followers - - description: URL to the profile picture. - name: profile_picture - - description: Additional information about the takedown request. - name: notes - - auto: PREDEFINED - description: Whether to send an alarm (default is false). 
- name: send_alarm + - impersonating_accounts + - fake_profiles + - name: notes + description: Additional notes for the takedown request + required: false + - name: send_alarm + description: Whether to send alarm notification + defaultValue: "true" predefined: - - 'true' - - 'false' - - description: Email to receive notifications about the takedown request. - name: email - description: Submits a takedown request for an impersonating social media account. - name: socradar-submit-social-media-impersonation + - "true" + - "false" + - name: email + description: Email address for notifications + required: true outputs: - - contextPath: SOCRadarTakedown.SocialMediaImpersonation.Username - description: Username of the impersonating account. - type: string - - contextPath: SOCRadarTakedown.SocialMediaImpersonation.FullName - description: Full name shown on the impersonating account. - type: string - - contextPath: SOCRadarTakedown.SocialMediaImpersonation.AccountType - description: Type of social media platform. - type: string + - contextPath: SOCRadarTakedown.SocialMediaImpersonation.URL + description: The URL that was reported + type: String + - contextPath: SOCRadarTakedown.SocialMediaImpersonation.AbuseType + description: Type of abuse reported + type: String - contextPath: SOCRadarTakedown.SocialMediaImpersonation.Status - description: Status of the takedown request. - type: string + description: Status of the takedown request + type: String - contextPath: SOCRadarTakedown.SocialMediaImpersonation.Message - description: Message returned from the API. - type: string + description: Response message from the API + type: String - contextPath: SOCRadarTakedown.SocialMediaImpersonation.SendAlarm - description: Whether an alarm was sent. - type: boolean + description: Whether alarm notification is enabled + type: Boolean - contextPath: SOCRadarTakedown.SocialMediaImpersonation.Notes - description: Notes provided with the takedown request. 
- type: string - - arguments: - - description: The ID of the asset for which to check progress. - name: asset_id + description: Additional notes for the request + type: String + - name: socradar-submit-source-code-leak + description: Submit a takedown request for leaked source code + arguments: + - name: url + description: URL where the source code leak is found required: true - - auto: PREDEFINED - description: Type of takedown request. - name: type + - name: abuse_type + description: Type of abuse + defaultValue: source_code_leak predefined: - - phishing_domain - - impersonating_accounts - - source_code_leaks - - rogue_mobile_apps - required: true - description: Gets the progress of a takedown request. - name: socradar-get-takedown-progress - outputs: - - contextPath: SOCRadarTakedown.Progress.AssetID - description: The ID of the asset. - type: string - - contextPath: SOCRadarTakedown.Progress.Type - description: Type of takedown request. - type: string - - contextPath: SOCRadarTakedown.Progress.Status - description: Status of the API request. - type: string - - contextPath: SOCRadarTakedown.Progress.Data - description: Progress data returned from the API. - type: unknown - - contextPath: SOCRadarTakedown.Progress.Message - description: Message returned from the API. - type: string - - arguments: - - description: ID of the source code leak to takedown. - name: id + - source_code_leak + - data_leak + - name: notes + description: Additional notes for the takedown request + required: false + - name: send_alarm + description: Whether to send alarm notification + defaultValue: "true" + predefined: + - "true" + - "false" + - name: email + description: Email address for notifications required: true - - description: Additional information about the takedown request. - name: notes - - description: Email to receive notifications about the takedown request. - name: email - description: Submits a takedown request for leaked source code. 
- name: socradar-submit-source-code-leak outputs: - - contextPath: SOCRadarTakedown.SourceCodeLeak.LeakID - description: ID of the source code leak. - type: number + - contextPath: SOCRadarTakedown.SourceCodeLeak.URL + description: The URL that was reported + type: String + - contextPath: SOCRadarTakedown.SourceCodeLeak.AbuseType + description: Type of abuse reported + type: String - contextPath: SOCRadarTakedown.SourceCodeLeak.Status - description: Status of the takedown request. - type: string + description: Status of the takedown request + type: String - contextPath: SOCRadarTakedown.SourceCodeLeak.Message - description: Message returned from the API. - type: string + description: Response message from the API + type: String + - contextPath: SOCRadarTakedown.SourceCodeLeak.SendAlarm + description: Whether alarm notification is enabled + type: Boolean - contextPath: SOCRadarTakedown.SourceCodeLeak.Notes - description: Notes provided with the takedown request. - type: string - - contextPath: SOCRadarTakedown.SourceCodeLeak.Email - description: Email provided for notifications. - type: string - - arguments: - - description: ID of the rogue mobile app to takedown. - name: id + description: Additional notes for the request + type: String + - name: socradar-submit-rogue-app + description: Submit a takedown request for a rogue mobile app + arguments: + - name: app_info + description: Information about the rogue mobile app (name, store URL, etc.) + required: true + - name: abuse_type + description: Type of abuse + defaultValue: rogue_mobile_app + predefined: + - rogue_mobile_app + - malicious_app + - name: notes + description: Additional notes for the takedown request + required: false + - name: send_alarm + description: Whether to send alarm notification + defaultValue: "true" + predefined: + - "true" + - "false" + - name: email + description: Email address for notifications required: true - - description: Email to receive notifications about the takedown request. 
- name: email - description: Submits a takedown request for a rogue mobile app. - name: socradar-submit-rogue-app outputs: - - contextPath: SOCRadarTakedown.RogueApp.AppID - description: ID of the rogue mobile app. - type: string + - contextPath: SOCRadarTakedown.RogueApp.AppInfo + description: Information about the app that was reported + type: String + - contextPath: SOCRadarTakedown.RogueApp.AbuseType + description: Type of abuse reported + type: String - contextPath: SOCRadarTakedown.RogueApp.Status - description: Status of the takedown request. - type: string + description: Status of the takedown request + type: String - contextPath: SOCRadarTakedown.RogueApp.Message - description: Message returned from the API. - type: string - - contextPath: SOCRadarTakedown.RogueApp.Email - description: Email provided for notifications. - type: string - dockerimage: demisto/python3:3.12.8.3296088 + description: Response message from the API + type: String + - contextPath: SOCRadarTakedown.RogueApp.SendAlarm + description: Whether alarm notification is enabled + type: Boolean + - contextPath: SOCRadarTakedown.RogueApp.Notes + description: Additional notes for the request + type: String runonce: false - script: '' - subtype: python3 - type: python + ismappable: false + isremotesyncin: false + isremotesyncout: false + fromversion: 6.0.0 tests: - No tests (auto formatted) From bfd3a62bd84687fc28e25ce3f8d3b322ba68cc9c Mon Sep 17 00:00:00 2001 From: Radargoger Date: Wed, 25 Jun 2025 12:30:16 +0300 Subject: [PATCH 04/29] Update SOCRadarTakedown.py --- .../SOCRadarTakedown/SOCRadarTakedown.py | 781 ++++++------------ 1 file changed, 234 insertions(+), 547 deletions(-) diff --git a/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.py b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.py index bd63d1406987..e5c02a8a1556 100644 --- a/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.py 
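Review bot: In PATCH 03 the yml now diverges from both the README and the Python code in this same PR: `socradar-get-takedown-progress` is removed from the yml while the README still documents it and the client still implements `get_takedown_progress`; `socradar-submit-social-media-impersonation` now takes `url` instead of `username`/`full_name`/`account_type`; the `Reliability` parameter is gone while the README still lists it; and the new predefined values (`confirmed_phishing`, `lookalike_domain`, `fake_profiles`, `data_leak`, `malicious_app`) appear nowhere in the README or the code. Pick one contract and update all three files together. Two smaller points in the same hunk: `auto: PREDEFINED` was dropped from every argument that still carries a `predefined` list, so the CLI will no longer offer those values as a picker; and `dockerimage` is downgraded from `demisto/python3:3.12.8.3296088` to `demisto/python3:3.10.13.72123`, which the content repo's image checks will flag, so keep the newer image. `category` also changes from `Data Enrichment & Threat Intelligence` to `Threat Intelligence`, the same naming issue raised for pack_metadata.json.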
+++ b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.py @@ -1,11 +1,12 @@ -import demistomock as demisto # noqa: F401 -from CommonServerPython import * # noqa: F401 import urllib3 import traceback import re from typing import Any, Dict, List, Optional, Union from json.decoder import JSONDecodeError +# Import XSOAR common functions +from CommonServerPython import * + # Disable insecure warnings urllib3.disable_warnings() @@ -20,13 +21,12 @@ """ CLIENT CLASS """ - class Client: """ Client class to interact with the SOCRadar Takedown API """ - def __init__(self, base_url, api_key, company_id, verify, proxy): + def __init__(self, base_url: str, api_key: str, company_id: str, verify: bool, proxy: bool): self.base_url = base_url self.api_key = api_key self.company_id = company_id @@ -34,17 +34,13 @@ def __init__(self, base_url, api_key, company_id, verify, proxy): self.verify = verify self.proxy = proxy - def check_auth(self): + def check_auth(self) -> Dict[str, Any]: """Checks if the API key is valid""" - import requests - - url = f"{self.base_url}/get/company/{self.company_id}/takedown/progress" - params = {"asset_id": "test", "type": "impersonating_accounts"} - + url = f"{self.base_url}/get/company/{self.company_id}/takedown/requests" + try: response = requests.get( url, - params=params, headers=self.headers, verify=self.verify ) @@ -53,6 +49,8 @@ def check_auth(self): raise Exception("Authorization Error: Invalid API Key") elif response.status_code == 429: raise Exception("Rate limit exceeded") + elif response.status_code >= 500: + raise Exception(f"Server Error: {response.status_code}") elif response.status_code >= 400: raise Exception(f"API Error: {response.status_code}") 
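Review bot: In the first hunk of PATCH 04, removing `import demistomock as demisto  # noqa: F401` leaves `demisto` (and, with the in-method `import requests` lines deleted later in this patch, `requests`) depending on the `from CommonServerPython import *` star import re-exporting them; that works in the XSOAR container, but the explicit `import demistomock as demisto` line is the pattern the content linter and every other integration use, so keep it. In the `check_auth` hunk the probe now targets `/get/company/{company_id}/takedown/requests`, an endpoint that appears nowhere else in this PR; confirm it exists in the SOCRadar API, because a 404 there will surface as `API Error: 404` when the user presses Test even with a valid key.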
@@ -61,16 +59,14 @@ def check_auth(self): except requests.exceptions.RequestException as e: raise Exception(f"Connection error: {str(e)}") - def submit_phishing_domain_takedown(self, domain, abuse_type="potential_phishing", notes="", - domain_type="phishing_domain", send_alarm=True, email=""): - """Submits a takedown request for a phishing domain""" - import requests - + def submit_takedown_request(self, entity: str, request_type: str, abuse_type: str, + notes: str = "", send_alarm: bool = True, email: str = "") -> Dict[str, Any]: + """Generic method to submit takedown requests""" url = f"{self.base_url}/add/company/{self.company_id}/takedown/request" data = { "abuse_type": abuse_type, - "entity": domain, - "type": domain_type, + "entity": entity, + "type": request_type, "notes": notes, "send_alarm": send_alarm, "email": email 
@@ -88,124 +84,11 @@ def submit_phishing_domain_takedown(self, domain, abuse_type="potential_phishing return response.json() - def submit_social_media_impersonation_takedown(self, url_link, abuse_type="impersonating_accounts", - notes="", send_alarm=True, email=""): - """Submits a takedown request for social media impersonation""" - import requests - - api_url = f"{self.base_url}/add/company/{self.company_id}/takedown/request" - data = { - "abuse_type": abuse_type, - "entity": url_link, - "type": "impersonating_accounts", - "notes": notes, - "send_alarm": send_alarm, - "email": email - } - - response = requests.post( - api_url, - json=data, - headers=self.headers, - verify=self.verify - ) - - if response.status_code >= 400: - raise Exception(f"API Error: {response.status_code} - {response.text}") - - return response.json() - - def get_takedown_progress(self, asset_id, takedown_type): - """Gets the progress of a takedown request""" - import requests - - url = f"{self.base_url}/get/company/{self.company_id}/takedown/progress" - params = { - "asset_id": asset_id, - "type": takedown_type - } - - try: - response = requests.get( - url, - params=params, - headers=self.headers, - verify=self.verify - ) - - if response.status_code == 401: - raise Exception("Authorization Error: Invalid API Key") - elif response.status_code == 429: - raise Exception("Rate limit exceeded") - elif response.status_code >= 400: - raise Exception(f"API Error: {response.status_code} - {response.text}") - - return response.json() - - except requests.exceptions.RequestException as e: - raise Exception(f"Connection error: {str(e)}") - - def submit_source_code_leak_takedown(self, url_link, abuse_type="source_code_leak", - notes="", send_alarm=True, email=""): - """Submits a takedown request for leaked source code""" - import requests - - api_url = f"{self.base_url}/add/company/{self.company_id}/takedown/request" - data = { - "abuse_type": abuse_type, - "entity": url_link, - "type": "source_code_leak", 
- "notes": notes, - "send_alarm": send_alarm, - "email": email - } - - response = requests.post( - api_url, - json=data, - headers=self.headers, - verify=self.verify - ) - - if response.status_code >= 400: - raise Exception(f"API Error: {response.status_code} - {response.text}") - - return response.json() - - def submit_rogue_app_takedown(self, app_info, abuse_type="rogue_mobile_app", - notes="", send_alarm=True, email=""): - """Submits a takedown request for a rogue mobile app""" - import requests - - api_url = f"{self.base_url}/add/company/{self.company_id}/takedown/request" - data = { - "abuse_type": abuse_type, - "entity": app_info, - "type": "rogue_mobile_app", - "notes": notes, - "send_alarm": send_alarm, - "email": email - } - - response = requests.post( - api_url, - json=data, - headers=self.headers, - verify=self.verify - ) - - if response.status_code >= 400: - raise Exception(f"API Error: {response.status_code} - {response.text}") - - return response.json() - - """ HELPER FUNCTIONS """ - class Validator: @staticmethod - def validate_domain(domain_to_validate): + def validate_domain(domain_to_validate: str) -> bool: if not isinstance(domain_to_validate, str) or len(domain_to_validate) > 255: return False if domain_to_validate.endswith("."): @@ -219,7 +102,7 @@ def raise_if_domain_not_valid(domain: str): raise ValueError(f'Domain "{domain}" is not a valid domain address') @staticmethod - def validate_url(url: str): + def validate_url(url: str) -> bool: """Basic URL validation""" url_pattern = re.compile( r'^https?://' # http:// or https:// 
@@ -235,445 +118,249 @@ def raise_if_url_not_valid(url: str): if not Validator.validate_url(url): raise ValueError(f'URL "{url}" is not a valid URL') +def get_client_from_params() -> Client: + """Initialize client from demisto params""" + api_key = demisto.params().get("apikey", "").strip() + company_id = demisto.params().get("company_id", "").strip() + verify_certificate = not demisto.params().get("insecure", False) + proxy = demisto.params().get("proxy", False) + + if not api_key: + raise ValueError("API Key is required") + if not company_id: + raise ValueError("Company ID is required") + + return Client( + base_url=SOCRADAR_API_ENDPOINT, + api_key=api_key, + company_id=company_id, + verify=verify_certificate, + proxy=proxy + ) """ COMMAND FUNCTIONS """ - -def test_module(): +def test_module(client: Client) -> str: """Tests API connectivity and authentication""" try: - # Get parameters - api_key = demisto.params().get("apikey", "") - company_id = demisto.params().get("company_id", "") - verify_certificate = not demisto.params().get("insecure", False) - proxy = demisto.params().get("proxy", False) - - if not api_key: - return "API Key is required" - if not company_id: - return "Company ID is required" - - # Create client and test - client = Client( - base_url=SOCRADAR_API_ENDPOINT, - api_key=api_key, - company_id=company_id, - verify=verify_certificate, - proxy=proxy - ) - client.check_auth() return "ok" - except Exception as e: return f"Test failed: {str(e)}" - -def submit_phishing_domain_takedown_command(): +def submit_phishing_domain_takedown_command(client: Client) -> CommandResults: """Submits a takedown request for a phishing domain""" - try: - # Get parameters - api_key = demisto.params().get("apikey", "") - company_id = demisto.params().get("company_id", "") - verify_certificate = not demisto.params().get("insecure", False) - proxy = demisto.params().get("proxy", False) - - # Get arguments - domain = demisto.args().get("domain", "") - abuse_type = 
demisto.args().get("abuse_type", "potential_phishing") - domain_type = demisto.args().get("type", "phishing_domain") - notes = demisto.args().get("notes", "") - send_alarm = demisto.args().get("send_alarm", "true").lower() == "true" - email = demisto.args().get("email", "") - - # Validate required fields - if not domain: - raise ValueError("Domain is required") - if not email: - raise ValueError("Email is required") - - # Validate domain - Validator.raise_if_domain_not_valid(domain) - - # Create client - client = Client( - base_url=SOCRADAR_API_ENDPOINT, - api_key=api_key, - company_id=company_id, - verify=verify_certificate, - proxy=proxy - ) - - # Submit request - raw_response = client.submit_phishing_domain_takedown( - domain, abuse_type, notes, domain_type, send_alarm, email - ) - - # Prepare output - readable_output = f"### Phishing Domain Takedown Request\n" - readable_output += f"**Domain**: {domain}\n" - readable_output += f"**Status**: {'Success' if raw_response.get('is_success', False) else 'Failed'}\n" - - if raw_response.get("message"): - readable_output += f"**Message**: {raw_response.get('message')}\n" - - outputs = { - "SOCRadarTakedown.PhishingDomain(val.Domain == obj.Domain)": { - "Domain": domain, - "AbuseType": abuse_type, - "Status": "Success" if raw_response.get('is_success', False) else "Failed", - "Message": raw_response.get("message", ""), - "SendAlarm": send_alarm, - "Notes": notes - } - } - - demisto.results({ - "Type": entryTypes["note"], - "Contents": raw_response, - "ContentsFormat": formats["json"], - "HumanReadable": readable_output, - "EntryContext": outputs - }) - - except Exception as e: - demisto.results({ - "Type": entryTypes["error"], - "Contents": str(e), - "ContentsFormat": formats["text"] - }) - - -def submit_social_media_impersonation_takedown_command(): + args = demisto.args() + domain = args.get("domain", "") + abuse_type = args.get("abuse_type", "potential_phishing") + domain_type = args.get("type", "phishing_domain") + 
notes = args.get("notes", "") + send_alarm = args.get("send_alarm", "true").lower() == "true" + email = args.get("email", "") + + # Validate domain + Validator.raise_if_domain_not_valid(domain) + + # Submit request + raw_response = client.submit_takedown_request( + entity=domain, + request_type=domain_type, + abuse_type=abuse_type, + notes=notes, + send_alarm=send_alarm, + email=email + ) + + # Prepare output + readable_output = f"### Phishing Domain Takedown Request\n" + readable_output += f"**Domain**: {domain}\n" + readable_output += f"**Status**: {'Success' if raw_response.get('is_success', False) else 'Failed'}\n" + + if raw_response.get("message"): + readable_output += f"**Message**: {raw_response.get('message')}\n" + + outputs = { + "Domain": domain, + "AbuseType": abuse_type, + "Status": "Success" if raw_response.get('is_success', False) else "Failed", + "Message": raw_response.get("message", ""), + "SendAlarm": send_alarm, + "Notes": notes + } + + return CommandResults( + outputs_prefix="SOCRadarTakedown.PhishingDomain", + outputs_key_field="Domain", + outputs=outputs, + readable_output=readable_output, + raw_response=raw_response + ) + +def submit_social_media_impersonation_takedown_command(client: Client) -> CommandResults: """Submits a takedown request for social media impersonation""" - try: - # Get parameters - api_key = demisto.params().get("apikey", "") - company_id = demisto.params().get("company_id", "") - verify_certificate = not demisto.params().get("insecure", False) - proxy = demisto.params().get("proxy", False) - - # Get arguments - url_link = demisto.args().get("url", "") - abuse_type = demisto.args().get("abuse_type", "impersonating_accounts") - notes = demisto.args().get("notes", "") - send_alarm = demisto.args().get("send_alarm", "true").lower() == "true" - email = demisto.args().get("email", "") - - # Validate required fields - if not url_link: - raise ValueError("URL is required") - if not email: - raise ValueError("Email is required") 
- - # Validate URL - Validator.raise_if_url_not_valid(url_link) - - # Create client - client = Client( - base_url=SOCRADAR_API_ENDPOINT, - api_key=api_key, - company_id=company_id, - verify=verify_certificate, - proxy=proxy - ) - - # Submit request - raw_response = client.submit_social_media_impersonation_takedown( - url_link, abuse_type, notes, send_alarm, email - ) - - # Prepare output - readable_output = f"### Social Media Impersonation Takedown Request\n" - readable_output += f"**URL**: {url_link}\n" - readable_output += f"**Status**: {'Success' if raw_response.get('is_success', False) else 'Failed'}\n" - - if raw_response.get("message"): - readable_output += f"**Message**: {raw_response.get('message')}\n" - - outputs = { - "SOCRadarTakedown.SocialMediaImpersonation(val.URL == obj.URL)": { - "URL": url_link, - "AbuseType": abuse_type, - "Status": "Success" if raw_response.get('is_success', False) else "Failed", - "Message": raw_response.get("message", ""), - "SendAlarm": send_alarm, - "Notes": notes - } - } - - demisto.results({ - "Type": entryTypes["note"], - "Contents": raw_response, - "ContentsFormat": formats["json"], - "HumanReadable": readable_output, - "EntryContext": outputs - }) - - except Exception as e: - demisto.results({ - "Type": entryTypes["error"], - "Contents": str(e), - "ContentsFormat": formats["text"] - }) - - -def get_takedown_progress_command(): - """Gets the progress of a takedown request""" - try: - # Get parameters - api_key = demisto.params().get("apikey", "") - company_id = demisto.params().get("company_id", "") - verify_certificate = not demisto.params().get("insecure", False) - proxy = demisto.params().get("proxy", False) - - # Get arguments - asset_id = demisto.args().get("asset_id", "") - takedown_type = demisto.args().get("type", "") - - # Validate required fields - if not asset_id: - raise ValueError("Asset ID is required") - if not takedown_type: - raise ValueError("Type is required") - - # Create client - client = Client( - 
base_url=SOCRADAR_API_ENDPOINT, - api_key=api_key, - company_id=company_id, - verify=verify_certificate, - proxy=proxy - ) - - # Get progress - raw_response = client.get_takedown_progress(asset_id, takedown_type) - - # Prepare output - readable_output = f"### Takedown Progress\n" - readable_output += f"**Asset ID**: {asset_id}\n" - readable_output += f"**Type**: {takedown_type}\n" - - if raw_response.get("status"): - readable_output += f"**Status**: {raw_response.get('status')}\n" - if raw_response.get("progress"): - readable_output += f"**Progress**: {raw_response.get('progress')}\n" - if raw_response.get("message"): - readable_output += f"**Message**: {raw_response.get('message')}\n" - - outputs = { - "SOCRadarTakedown.Progress(val.AssetId == obj.AssetId)": { - "AssetId": asset_id, - "Type": takedown_type, - "Status": raw_response.get("status", ""), - "Progress": raw_response.get("progress", ""), - "Message": raw_response.get("message", ""), - "RawResponse": raw_response - } - } - - demisto.results({ - "Type": entryTypes["note"], - "Contents": raw_response, - "ContentsFormat": formats["json"], - "HumanReadable": readable_output, - "EntryContext": outputs - }) - - except Exception as e: - demisto.results({ - "Type": entryTypes["error"], - "Contents": str(e), - "ContentsFormat": formats["text"] - }) - - -def submit_source_code_leak_takedown_command(): + args = demisto.args() + url_link = args.get("url", "") + abuse_type = args.get("abuse_type", "impersonating_accounts") + notes = args.get("notes", "") + send_alarm = args.get("send_alarm", "true").lower() == "true" + email = args.get("email", "") + + # Validate URL + Validator.raise_if_url_not_valid(url_link) + + # Submit request + raw_response = client.submit_takedown_request( + entity=url_link, + request_type="impersonating_accounts", + abuse_type=abuse_type, + notes=notes, + send_alarm=send_alarm, + email=email + ) + + # Prepare output + readable_output = f"### Social Media Impersonation Takedown Request\n" + 
readable_output += f"**URL**: {url_link}\n" + readable_output += f"**Status**: {'Success' if raw_response.get('is_success', False) else 'Failed'}\n" + + if raw_response.get("message"): + readable_output += f"**Message**: {raw_response.get('message')}\n" + + outputs = { + "URL": url_link, + "AbuseType": abuse_type, + "Status": "Success" if raw_response.get('is_success', False) else "Failed", + "Message": raw_response.get("message", ""), + "SendAlarm": send_alarm, + "Notes": notes + } + + return CommandResults( + outputs_prefix="SOCRadarTakedown.SocialMediaImpersonation", + outputs_key_field="URL", + outputs=outputs, + readable_output=readable_output, + raw_response=raw_response + ) + +def submit_source_code_leak_takedown_command(client: Client) -> CommandResults: """Submits a takedown request for leaked source code""" - try: - # Get parameters - api_key = demisto.params().get("apikey", "") - company_id = demisto.params().get("company_id", "") - verify_certificate = not demisto.params().get("insecure", False) - proxy = demisto.params().get("proxy", False) - - # Get arguments - url_link = demisto.args().get("url", "") - abuse_type = demisto.args().get("abuse_type", "source_code_leak") - notes = demisto.args().get("notes", "") - send_alarm = demisto.args().get("send_alarm", "true").lower() == "true" - email = demisto.args().get("email", "") - - # Validate required fields - if not url_link: - raise ValueError("URL is required") - if not email: - raise ValueError("Email is required") - - # Validate URL - Validator.raise_if_url_not_valid(url_link) - - # Create client - client = Client( - base_url=SOCRADAR_API_ENDPOINT, - api_key=api_key, - company_id=company_id, - verify=verify_certificate, - proxy=proxy - ) - - # Submit request - raw_response = client.submit_source_code_leak_takedown( - url_link, abuse_type, notes, send_alarm, email - ) - - # Prepare output - readable_output = f"### Source Code Leak Takedown Request\n" - readable_output += f"**URL**: {url_link}\n" - 
readable_output += f"**Status**: {'Success' if raw_response.get('is_success', False) else 'Failed'}\n" - - if raw_response.get("message"): - readable_output += f"**Message**: {raw_response.get('message')}\n" - - outputs = { - "SOCRadarTakedown.SourceCodeLeak(val.URL == obj.URL)": { - "URL": url_link, - "AbuseType": abuse_type, - "Status": "Success" if raw_response.get('is_success', False) else "Failed", - "Message": raw_response.get("message", ""), - "SendAlarm": send_alarm, - "Notes": notes - } - } - - demisto.results({ - "Type": entryTypes["note"], - "Contents": raw_response, - "ContentsFormat": formats["json"], - "HumanReadable": readable_output, - "EntryContext": outputs - }) - - except Exception as e: - demisto.results({ - "Type": entryTypes["error"], - "Contents": str(e), - "ContentsFormat": formats["text"] - }) - - -def submit_rogue_app_takedown_command(): + args = demisto.args() + url_link = args.get("url", "") + abuse_type = args.get("abuse_type", "source_code_leak") + notes = args.get("notes", "") + send_alarm = args.get("send_alarm", "true").lower() == "true" + email = args.get("email", "") + + # Validate URL + Validator.raise_if_url_not_valid(url_link) + + # Submit request + raw_response = client.submit_takedown_request( + entity=url_link, + request_type="source_code_leak", + abuse_type=abuse_type, + notes=notes, + send_alarm=send_alarm, + email=email + ) + + # Prepare output + readable_output = f"### Source Code Leak Takedown Request\n" + readable_output += f"**URL**: {url_link}\n" + readable_output += f"**Status**: {'Success' if raw_response.get('is_success', False) else 'Failed'}\n" + + if raw_response.get("message"): + readable_output += f"**Message**: {raw_response.get('message')}\n" + + outputs = { + "URL": url_link, + "AbuseType": abuse_type, + "Status": "Success" if raw_response.get('is_success', False) else "Failed", + "Message": raw_response.get("message", ""), + "SendAlarm": send_alarm, + "Notes": notes + } + + return CommandResults( + 
outputs_prefix="SOCRadarTakedown.SourceCodeLeak", + outputs_key_field="URL", + outputs=outputs, + readable_output=readable_output, + raw_response=raw_response + ) + +def submit_rogue_app_takedown_command(client: Client) -> CommandResults: """Submits a takedown request for a rogue mobile app""" - try: - # Get parameters - api_key = demisto.params().get("apikey", "") - company_id = demisto.params().get("company_id", "") - verify_certificate = not demisto.params().get("insecure", False) - proxy = demisto.params().get("proxy", False) - - # Get arguments - app_info = demisto.args().get("app_info", "") - abuse_type = demisto.args().get("abuse_type", "rogue_mobile_app") - notes = demisto.args().get("notes", "") - send_alarm = demisto.args().get("send_alarm", "true").lower() == "true" - email = demisto.args().get("email", "") - - # Validate required fields - if not app_info: - raise ValueError("App info is required") - if not email: - raise ValueError("Email is required") - - # Create client - client = Client( - base_url=SOCRADAR_API_ENDPOINT, - api_key=api_key, - company_id=company_id, - verify=verify_certificate, - proxy=proxy - ) - - # Submit request - raw_response = client.submit_rogue_app_takedown( - app_info, abuse_type, notes, send_alarm, email - ) - - # Prepare output - readable_output = f"### Rogue App Takedown Request\n" - readable_output += f"**App Info**: {app_info}\n" - readable_output += f"**Status**: {'Success' if raw_response.get('is_success', False) else 'Failed'}\n" - - if raw_response.get("message"): - readable_output += f"**Message**: {raw_response.get('message')}\n" - - outputs = { - "SOCRadarTakedown.RogueApp(val.AppInfo == obj.AppInfo)": { - "AppInfo": app_info, - "AbuseType": abuse_type, - "Status": "Success" if raw_response.get('is_success', False) else "Failed", - "Message": raw_response.get("message", ""), - "SendAlarm": send_alarm, - "Notes": notes - } - } - - demisto.results({ - "Type": entryTypes["note"], - "Contents": raw_response, - 
"ContentsFormat": formats["json"], - "HumanReadable": readable_output, - "EntryContext": outputs - }) - - except Exception as e: - demisto.results({ - "Type": entryTypes["error"], - "Contents": str(e), - "ContentsFormat": formats["text"] - }) - + args = demisto.args() + app_info = args.get("app_info", "") + abuse_type = args.get("abuse_type", "rogue_mobile_app") + notes = args.get("notes", "") + send_alarm = args.get("send_alarm", "true").lower() == "true" + email = args.get("email", "") + + # Submit request + raw_response = client.submit_takedown_request( + entity=app_info, + request_type="rogue_mobile_app", + abuse_type=abuse_type, + notes=notes, + send_alarm=send_alarm, + email=email + ) + + # Prepare output + readable_output = f"### Rogue App Takedown Request\n" + readable_output += f"**App Info**: {app_info}\n" + readable_output += f"**Status**: {'Success' if raw_response.get('is_success', False) else 'Failed'}\n" + + if raw_response.get("message"): + readable_output += f"**Message**: {raw_response.get('message')}\n" + + outputs = { + "AppInfo": app_info, + "AbuseType": abuse_type, + "Status": "Success" if raw_response.get('is_success', False) else "Failed", + "Message": raw_response.get("message", ""), + "SendAlarm": send_alarm, + "Notes": notes + } + + return CommandResults( + outputs_prefix="SOCRadarTakedown.RogueApp", + outputs_key_field="AppInfo", + outputs=outputs, + readable_output=readable_output, + raw_response=raw_response + ) """ MAIN FUNCTION """ - def main(): """Main function, parses params and runs command functions""" try: command = demisto.command() - + if command == "test-module": - result = test_module() - demisto.results(result) - - elif command == "socradar-submit-phishing-domain": - submit_phishing_domain_takedown_command() - - elif command == "socradar-submit-social-media-impersonation": - submit_social_media_impersonation_takedown_command() - - elif command == "socradar-get-takedown-progress": - get_takedown_progress_command() - - elif 
command == "socradar-submit-source-code-leak": - submit_source_code_leak_takedown_command() - - elif command == "socradar-submit-rogue-app": - submit_rogue_app_takedown_command() - + client = get_client_from_params() + result = test_module(client) + return_results(result) else: - demisto.results({ - "Type": entryTypes["error"], - "Contents": f"Unknown command: {command}", - "ContentsFormat": formats["text"] - }) + client = get_client_from_params() + + if command == "socradar-submit-phishing-domain": + return_results(submit_phishing_domain_takedown_command(client)) + elif command == "socradar-submit-social-media-impersonation": + return_results(submit_social_media_impersonation_takedown_command(client)) + elif command == "socradar-submit-source-code-leak": + return_results(submit_source_code_leak_takedown_command(client)) + elif command == "socradar-submit-rogue-app": + return_results(submit_rogue_app_takedown_command(client)) + else: + raise NotImplementedError(f"Unknown command {command}") except Exception as e: - demisto.results({ - "Type": entryTypes["error"], - "Contents": f"Failed to execute {demisto.command()} command. Error: {str(e)}", - "ContentsFormat": formats["text"] - }) - + return_error(f"Failed to execute {demisto.command()} command.\nError:\n{str(e)}") """ ENTRY POINT """ From 16a6361dcf23a60b5c86d253acf585cca77510cb Mon Sep 17 00:00:00 2001 From: Radargoger Date: Sun, 29 Jun 2025 17:51:37 +0300 Subject: [PATCH 05/29] Update Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.yml Co-authored-by: Sapir Malka <44067957+itssapir@users.noreply.github.com> --- .../Integrations/SOCRadarTakedown/SOCRadarTakedown.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.yml b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.yml index 1c0503a1388a..6da3e9e3368c 100644 
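Review bot: In the PATCH 04 imports hunk (`@@ -1,11 +1,12 @@`) of SOCRadarTakedown.py, dropping `import demistomock as demisto` (together with the per-method `import requests` lines removed lower in the file) leaves `demisto` and `requests` resolved only through `from CommonServerPython import *`. Keep the explicit `import demistomock as demisto  # noqa: F401` line the file originally had, so the dependency stays visible instead of relying on star-import side effects.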
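Review bot: In the `check_auth` hunk (`@@ -34,17 +34,13 @@`), `self.proxy` is stored by `__init__` but never used: `requests.get(url, headers=self.headers, verify=self.verify)` here, and the `requests.post(...)` in `submit_takedown_request`, pass no `proxies`, so the "Use system proxy settings" parameter has no effect. Either call `handle_proxy()` when building the client and pass the result through, or subclass `BaseClient` from CommonServerPython, which applies `verify` and `proxy` to every request.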
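Review bot: The `@@ -88,124 +84,11 @@` hunk deletes `Client.get_takedown_progress`, and the large hunk that follows removes `get_takedown_progress_command` and the `socradar-get-takedown-progress` branch from `main()`, so after this patch the integration can submit requests but has no command to check their state, while the yml `description` ("Submit and track takedown requests ...") still advertises tracking. Either keep a progress/status command or update the description and README so they promise only submission.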
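Review bot: In the `@@ -235,445 +118,249 @@` hunk, the rewritten command functions drop the `if not email: raise ValueError("Email is required")` checks, and `submit_rogue_app_takedown_command` also loses `if not app_info: raise ValueError("App info is required")`, so an empty `app_info` or `email` is now posted to the API as `""` and any failure comes back only as an opaque `API Error: <status>`. Restore those checks before `client.submit_takedown_request` (or mark the arguments `required: true` in the yml so the platform rejects them first). Minor: `args.get("send_alarm", "true").lower() == "true"` can be replaced by the standard `argToBoolean(...)` helper so boolean parsing matches other integrations.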
--- a/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.yml +++ b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.yml @@ -3,7 +3,7 @@ commonfields: version: -1 name: SOCRadar Takedown display: SOCRadar Takedown -category: Threat Intelligence +category: Data Enrichment & Threat Intelligence description: Submit and track takedown requests for phishing domains, social media impersonation, source code leaks, and rogue mobile apps through SOCRadar platform. detaileddescription: | This integration allows you to: From 98abaa123a7500e029a361fa64c5bd779327f1d8 Mon Sep 17 00:00:00 2001 From: Radargoger Date: Sun, 29 Jun 2025 17:55:38 +0300 Subject: [PATCH 06/29] Create SOCRadarTakedown_description.md --- .../SOCRadarTakedown/SOCRadarTakedown_description.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown_description.md diff --git a/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown_description.md b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown_description.md new file mode 100644 index 000000000000..7dde8b235bef --- /dev/null +++ b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown_description.md @@ -0,0 +1,12 @@ +This integration allows you to: +- Submit takedown requests for phishing domains +- Submit takedown requests for social media impersonation +- Submit takedown requests for source code leaks +- Submit takedown requests for rogue mobile apps +- Track the progress of submitted takedown requests + +## Authentication +You need a valid SOCRadar API key and Company ID to use this integration. + +## Rate Limits +Please ensure your API key has adequate rate limits for your usage. From f363abf1d432e4d5265d6cf9c5c1e0b6dfcb4e83 Mon Sep 17 00:00:00 2001 
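Review bot: The new SOCRadarTakedown_description.md in PATCH 06 duplicates the `detaileddescription` block that SOCRadarTakedown.yml already carries (visible as context in the PATCH 05 hunk, `detaileddescription: | This integration allows you to:`); in the content repo the text belongs in the `_description.md` file only, so the yml block should go rather than both being maintained. The bullet "Track the progress of submitted takedown requests" should also be dropped, since PATCH 04 removed `socradar-get-takedown-progress` and nothing in the integration tracks progress any more.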
From: Radargoger Date: Sun, 29 Jun 2025 17:56:15 +0300 Subject: [PATCH 07/29] Update Packs/SOCRadarTakedown/pack_metadata.json Co-authored-by: Sapir Malka <44067957+itssapir@users.noreply.github.com> --- Packs/SOCRadarTakedown/pack_metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Packs/SOCRadarTakedown/pack_metadata.json b/Packs/SOCRadarTakedown/pack_metadata.json index 91356622e0dd..2f0968683592 100644 --- a/Packs/SOCRadarTakedown/pack_metadata.json +++ b/Packs/SOCRadarTakedown/pack_metadata.json @@ -6,7 +6,7 @@ "author": "Community Contributor", "url": "", "email": "", - "created": "2024-06-24T00:00:00Z", + "created": "2025-06-24T00:00:00Z", "categories": [ "Threat Intelligence" ], From e119f2bfe3154579fe545377b459d1477ebe4452 Mon Sep 17 00:00:00 2001 From: Radargoger Date: Tue, 1 Jul 2025 17:56:21 +0300 Subject: [PATCH 08/29] Delete Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown_description.md --- .../SOCRadarTakedown/SOCRadarTakedown_description.md | 12 ------------ 1 file changed, 12 deletions(-) delete mode 100644 Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown_description.md diff --git a/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown_description.md b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown_description.md deleted file mode 100644 index 7dde8b235bef..000000000000 --- a/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown_description.md +++ /dev/null 
@@ -1,12 +0,0 @@ -This integration allows you to: -- Submit takedown requests for phishing domains -- Submit takedown requests for social media impersonation -- Submit takedown requests for source code leaks -- Submit takedown requests for rogue mobile apps -- Track the progress of submitted takedown requests - -## Authentication -You need a valid SOCRadar API key and Company ID to use this integration. - -## Rate Limits -Please ensure your API key has adequate rate limits for your usage. From 49958773e5df2fd8ca0e913a50d45a3da7d48a6c Mon Sep 17 00:00:00 2001 From: Sapir Malka Date: Mon, 7 Jul 2025 12:09:21 +0300 Subject: [PATCH 09/29] pre-commit fixes --- Packs/SOCRadarTakedown/.secrets-ignore | 1 + .../SOCRadarTakedown/SOCRadarTakedown.py | 122 ++++++++---------- .../SOCRadarTakedown/SOCRadarTakedown.yml | 111 ++++++++-------- Packs/SOCRadarTakedown/pack_metadata.json | 16 ++- 4 files changed, 122 insertions(+), 128 deletions(-) diff --git a/Packs/SOCRadarTakedown/.secrets-ignore b/Packs/SOCRadarTakedown/.secrets-ignore index e69de29bb2d1..b31fc640c72f 100644 --- a/Packs/SOCRadarTakedown/.secrets-ignore +++ b/Packs/SOCRadarTakedown/.secrets-ignore @@ -0,0 +1 @@ +https://platform.socradar.com \ No newline at end of file diff --git a/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.py b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.py index e5c02a8a1556..72d55c3b7509 100644 --- a/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.py +++ b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.py @@ -1,8 +1,6 @@ import urllib3 -import traceback import re -from typing import Any, Dict, List, Optional, Union -from json.decoder import JSONDecodeError +from typing import Any # Import XSOAR common functions from CommonServerPython import * @@ -21,6 +19,7 @@ """ CLIENT CLASS """ + class Client: """ Client class to interact with the SOCRadar Takedown API 
@@ -34,16 +33,12 @@ def __init__(self, base_url: str, api_key: str, company_id: str, verify: bool, p self.verify = verify self.proxy = proxy - def check_auth(self) -> Dict[str, Any]: + def check_auth(self) -> dict[str, Any]: """Checks if the API key is valid""" url = f"{self.base_url}/get/company/{self.company_id}/takedown/requests" - + try: - response = requests.get( - url, - headers=self.headers, - verify=self.verify - ) + response = requests.get(url, headers=self.headers, verify=self.verify) if response.status_code == 401: raise Exception("Authorization Error: Invalid API Key") @@ -59,8 +54,9 @@ def check_auth(self) -> Dict[str, Any]: except requests.exceptions.RequestException as e: raise Exception(f"Connection error: {str(e)}") - def submit_takedown_request(self, entity: str, request_type: str, abuse_type: str, - notes: str = "", send_alarm: bool = True, email: str = "") -> Dict[str, Any]: + def submit_takedown_request( + self, entity: str, request_type: str, abuse_type: str, notes: str = "", send_alarm: bool = True, email: str = "" + ) -> dict[str, Any]: """Generic method to submit takedown requests""" url = f"{self.base_url}/add/company/{self.company_id}/takedown/request" data = { @@ -69,23 +65,20 @@ def submit_takedown_request(self, entity: str, request_type: str, abuse_type: st "type": request_type, "notes": notes, "send_alarm": send_alarm, - "email": email + "email": email, } - response = requests.post( - url, - json=data, - headers=self.headers, - verify=self.verify - ) + response = requests.post(url, json=data, headers=self.headers, verify=self.verify) if response.status_code >= 400: raise Exception(f"API Error: {response.status_code} - {response.text}") return response.json() + """ HELPER FUNCTIONS """ + class Validator: @staticmethod def validate_domain(domain_to_validate: str) -> bool: 
@@ -105,12 +98,14 @@ def raise_if_domain_not_valid(domain: str): def validate_url(url: str) -> bool: """Basic URL validation""" url_pattern = re.compile( - r'^https?://' # http:// or https:// - r'(?:(?:[A-Z0-9](?:[A-Z0-9-]{0,61}[A-Z0-9])?\.)+[A-Z]{2,6}\.?|' # domain... - r'localhost|' # localhost... - r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})' # ...or ip - r'(?::\d+)?' # optional port - r'(?:/?|[/?]\S+)$', re.IGNORECASE) + r"^https?://" # http:// or https:// + r"(?:(?:[A-Z0-9](?:[A-Z0-9-]{0,61}[A-Z0-9])?\.)+[A-Z]{2,6}\.?|" # domain... + r"localhost|" # localhost... + r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" # ...or ip + r"(?::\d+)?" # optional port + r"(?:/?|[/?]\S+)$", + re.IGNORECASE, + ) return url_pattern.match(url) is not None @staticmethod @@ -118,6 +113,7 @@ def raise_if_url_not_valid(url: str): if not Validator.validate_url(url): raise ValueError(f'URL "{url}" is not a valid URL') + def get_client_from_params() -> Client: """Initialize client from demisto params""" api_key = demisto.params().get("apikey", "").strip() @@ -130,16 +126,12 @@ def get_client_from_params() -> Client: if not company_id: raise ValueError("Company ID is required") - return Client( - base_url=SOCRADAR_API_ENDPOINT, - api_key=api_key, - company_id=company_id, - verify=verify_certificate, - proxy=proxy - ) + return Client(base_url=SOCRADAR_API_ENDPOINT, api_key=api_key, company_id=company_id, verify=verify_certificate, proxy=proxy) + """ COMMAND FUNCTIONS """ + def test_module(client: Client) -> str: """Tests API connectivity and authentication""" try: @@ -148,6 +140,7 @@ def test_module(client: Client) -> str: except Exception as e: return f"Test failed: {str(e)}" + def submit_phishing_domain_takedown_command(client: Client) -> CommandResults: """Submits a takedown request for a phishing domain""" args = demisto.args() 
@@ -163,16 +156,11 @@ def submit_phishing_domain_takedown_command(client: Client) -> CommandResults: # Submit request raw_response = client.submit_takedown_request( - entity=domain, - request_type=domain_type, - abuse_type=abuse_type, - notes=notes, - send_alarm=send_alarm, - email=email + entity=domain, request_type=domain_type, abuse_type=abuse_type, notes=notes, send_alarm=send_alarm, email=email ) # Prepare output - readable_output = f"### Phishing Domain Takedown Request\n" + readable_output = "### Phishing Domain Takedown Request\n" readable_output += f"**Domain**: {domain}\n" readable_output += f"**Status**: {'Success' if raw_response.get('is_success', False) else 'Failed'}\n" @@ -182,10 +170,10 @@ def submit_phishing_domain_takedown_command(client: Client) -> CommandResults: outputs = { "Domain": domain, "AbuseType": abuse_type, - "Status": "Success" if raw_response.get('is_success', False) else "Failed", + "Status": "Success" if raw_response.get("is_success", False) else "Failed", "Message": raw_response.get("message", ""), "SendAlarm": send_alarm, - "Notes": notes + "Notes": notes, } return CommandResults( @@ -193,9 +181,10 @@ def submit_phishing_domain_takedown_command(client: Client) -> CommandResults: outputs_key_field="Domain", outputs=outputs, readable_output=readable_output, - raw_response=raw_response + raw_response=raw_response, ) + def submit_social_media_impersonation_takedown_command(client: Client) -> CommandResults: """Submits a takedown request for social media impersonation""" args = demisto.args() 
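Review bot: `"Status": "Success" if raw_response.get("is_success", False) else "Failed"` records a failed submission in context, but the command still returns `CommandResults(...)` normally, so a playbook task that submits a takedown succeeds even when the API declined the request. Either raise (the `main()` handler will turn it into `return_error`) when `is_success` is false, or document clearly that callers must branch on `SOCRadarTakedown.PhishingDomain.Status`; the same pattern is repeated in the social media, source code leak and rogue app commands below. The `f"..."` to `"..."` change for the static header line is correct.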
@@ -215,11 +204,11 @@ def submit_social_media_impersonation_takedown_command(client: Client) -> Comman abuse_type=abuse_type, notes=notes, send_alarm=send_alarm, - email=email + email=email, ) # Prepare output - readable_output = f"### Social Media Impersonation Takedown Request\n" + readable_output = "### Social Media Impersonation Takedown Request\n" readable_output += f"**URL**: {url_link}\n" readable_output += f"**Status**: {'Success' if raw_response.get('is_success', False) else 'Failed'}\n" @@ -229,10 +218,10 @@ def submit_social_media_impersonation_takedown_command(client: Client) -> Comman outputs = { "URL": url_link, "AbuseType": abuse_type, - "Status": "Success" if raw_response.get('is_success', False) else "Failed", + "Status": "Success" if raw_response.get("is_success", False) else "Failed", "Message": raw_response.get("message", ""), "SendAlarm": send_alarm, - "Notes": notes + "Notes": notes, } return CommandResults( @@ -240,9 +229,10 @@ def submit_social_media_impersonation_takedown_command(client: Client) -> Comman outputs_key_field="URL", outputs=outputs, readable_output=readable_output, - raw_response=raw_response + raw_response=raw_response, ) + def submit_source_code_leak_takedown_command(client: Client) -> CommandResults: """Submits a takedown request for leaked source code""" args = demisto.args() 
@@ -257,16 +247,11 @@ def submit_source_code_leak_takedown_command(client: Client) -> CommandResults: # Submit request raw_response = client.submit_takedown_request( - entity=url_link, - request_type="source_code_leak", - abuse_type=abuse_type, - notes=notes, - send_alarm=send_alarm, - email=email + entity=url_link, request_type="source_code_leak", abuse_type=abuse_type, notes=notes, send_alarm=send_alarm, email=email ) # Prepare output - readable_output = f"### Source Code Leak Takedown Request\n" + readable_output = "### Source Code Leak Takedown Request\n" readable_output += f"**URL**: {url_link}\n" readable_output += f"**Status**: {'Success' if raw_response.get('is_success', False) else 'Failed'}\n" @@ -276,10 +261,10 @@ def submit_source_code_leak_takedown_command(client: Client) -> CommandResults: outputs = { "URL": url_link, "AbuseType": abuse_type, - "Status": "Success" if raw_response.get('is_success', False) else "Failed", + "Status": "Success" if raw_response.get("is_success", False) else "Failed", "Message": raw_response.get("message", ""), "SendAlarm": send_alarm, - "Notes": notes + "Notes": notes, } return CommandResults( @@ -287,9 +272,10 @@ def submit_source_code_leak_takedown_command(client: Client) -> CommandResults: outputs_key_field="URL", outputs=outputs, readable_output=readable_output, - raw_response=raw_response + raw_response=raw_response, ) + def submit_rogue_app_takedown_command(client: Client) -> CommandResults: """Submits a takedown request for a rogue mobile app""" args = demisto.args() 
@@ -301,16 +287,11 @@ def submit_rogue_app_takedown_command(client: Client) -> CommandResults: # Submit request raw_response = client.submit_takedown_request( - entity=app_info, - request_type="rogue_mobile_app", - abuse_type=abuse_type, - notes=notes, - send_alarm=send_alarm, - email=email + entity=app_info, request_type="rogue_mobile_app", abuse_type=abuse_type, notes=notes, send_alarm=send_alarm, email=email ) # Prepare output - readable_output = f"### Rogue App Takedown Request\n" + readable_output = "### Rogue App Takedown Request\n" readable_output += f"**App Info**: {app_info}\n" readable_output += f"**Status**: {'Success' if raw_response.get('is_success', False) else 'Failed'}\n" @@ -320,10 +301,10 @@ def submit_rogue_app_takedown_command(client: Client) -> CommandResults: outputs = { "AppInfo": app_info, "AbuseType": abuse_type, - "Status": "Success" if raw_response.get('is_success', False) else "Failed", + "Status": "Success" if raw_response.get("is_success", False) else "Failed", "Message": raw_response.get("message", ""), "SendAlarm": send_alarm, - "Notes": notes + "Notes": notes, } return CommandResults( @@ -331,23 +312,25 @@ def submit_rogue_app_takedown_command(client: Client) -> CommandResults: outputs_key_field="AppInfo", outputs=outputs, readable_output=readable_output, - raw_response=raw_response + raw_response=raw_response, ) + """ MAIN FUNCTION """ + def main(): """Main function, parses params and runs command functions""" try: command = demisto.command() - + if command == "test-module": client = get_client_from_params() result = test_module(client) return_results(result) else: client = get_client_from_params() - + if command == "socradar-submit-phishing-domain": return_results(submit_phishing_domain_takedown_command(client)) elif command == "socradar-submit-social-media-impersonation": 
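Review bot: in the `main()` hunk, `client = get_client_from_params()` is executed in both the `test-module` branch and the `else` branch; hoist the single call above the `if command == "test-module":` so the two branches only differ in which command function runs. The added blank lines around the `""" MAIN FUNCTION """` marker and the trailing-comma/quote changes are style-only and fine.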
@@ -362,6 +345,7 @@ def main(): except Exception as e: return_error(f"Failed to execute {demisto.command()} command.\nError:\n{str(e)}") + """ ENTRY POINT """ if __name__ in ("__main__", "__builtin__", "builtins"): diff --git a/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.yml b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.yml index 6da3e9e3368c..a133386ad656 100644 --- a/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.yml +++ b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.yml @@ -1,6 +1,9 @@ commonfields: id: SOCRadar Takedown version: -1 +sectionorder: +- Connect +- Collect name: SOCRadar Takedown display: SOCRadar Takedown category: Data Enrichment & Threat Intelligence 
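Review bot: the new `sectionorder:` lists `Connect` and `Collect`, but every configuration parameter in this yml is assigned `section: Connect`; drop `Collect` from the list (or assign a parameter to it) so the UI does not show an empty section.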
@@ -25,205 +28,209 @@ configuration: required: true type: 4 additionalinfo: Your SOCRadar platform API key + section: Connect - display: Company ID name: company_id required: true type: 0 additionalinfo: Your SOCRadar Company ID + section: Connect - display: Trust any certificate (not secure) name: insecure required: false type: 8 - defaultvalue: false + section: Connect + advanced: true - display: Use system proxy settings name: proxy required: false type: 8 - defaultvalue: false + section: Connect + advanced: true script: script: '' type: python subtype: python3 - dockerimage: demisto/python3:3.10.13.72123 + dockerimage: demisto/python3:3.12.11.3982393 commands: - name: socradar-submit-phishing-domain - description: Submit a takedown request for a phishing domain + description: Submit a takedown request for a phishing domain. arguments: - name: domain - description: The phishing domain to be taken down + description: The phishing domain to be taken down. required: true - name: abuse_type - description: Type of abuse + description: Type of abuse. defaultValue: potential_phishing predefined: - potential_phishing - confirmed_phishing - name: type - description: Domain type + description: Domain type. defaultValue: phishing_domain predefined: - phishing_domain - lookalike_domain - name: notes - description: Additional notes for the takedown request + description: Additional notes for the takedown request. required: false - name: send_alarm - description: Whether to send alarm notification + description: Whether to send alarm notification. defaultValue: "true" predefined: - "true" - "false" - name: email - description: Email address for notifications + description: Email address for notifications. required: true outputs: - contextPath: SOCRadarTakedown.PhishingDomain.Domain - description: The domain that was reported + description: The domain that was reported. 
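Review bot: the API key is still a `type: 4` parameter (and is read as a plain `apikey` param in `get_client_from_params`), whereas the later commit in this series is titled "change to credentials object"; if that is the intent, switch it to a `type: 9` credentials parameter with `hiddenusername: true` and read it via `demisto.params().get("credentials", {}).get("password")`, keeping the yml and the Python change in the same commit. The `dockerimage` bump to `demisto/python3:3.12.11.3982393` is consistent with the `dict[str, Any]` annotations introduced in the Python diff, which need 3.9 or later.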
type: String - contextPath: SOCRadarTakedown.PhishingDomain.AbuseType - description: Type of abuse reported + description: Type of abuse reported. type: String - contextPath: SOCRadarTakedown.PhishingDomain.Status - description: Status of the takedown request + description: Status of the takedown request. type: String - contextPath: SOCRadarTakedown.PhishingDomain.Message - description: Response message from the API + description: Response message from the API. type: String - contextPath: SOCRadarTakedown.PhishingDomain.SendAlarm - description: Whether alarm notification is enabled + description: Whether alarm notification is enabled. type: Boolean - contextPath: SOCRadarTakedown.PhishingDomain.Notes - description: Additional notes for the request + description: Additional notes for the request. type: String - name: socradar-submit-social-media-impersonation - description: Submit a takedown request for social media impersonation + description: Submit a takedown request for social media impersonation. arguments: - name: url - description: URL of the impersonating social media account + description: URL of the impersonating social media account. required: true - name: abuse_type - description: Type of abuse + description: Type of abuse. defaultValue: impersonating_accounts predefined: - impersonating_accounts - fake_profiles - name: notes - description: Additional notes for the takedown request + description: Additional notes for the takedown request. required: false - name: send_alarm - description: Whether to send alarm notification + description: Whether to send alarm notification. defaultValue: "true" predefined: - "true" - "false" - name: email - description: Email address for notifications + description: Email address for notifications. required: true outputs: - contextPath: SOCRadarTakedown.SocialMediaImpersonation.URL - description: The URL that was reported + description: The URL that was reported. 
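Review bot: `send_alarm` is declared with `defaultValue: "true"` and the predefined strings `"true"`/`"false"`, while the `SendAlarm` output is typed `Boolean` and the Python commands pass `send_alarm` straight into both the API payload and `outputs`. Nothing in this diff shows an `argToBoolean` conversion; without it, the string `"false"` is truthy and the context path holds a string rather than a boolean. Convert once in each command with `argToBoolean(args.get("send_alarm", "true"))`.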
type: String - contextPath: SOCRadarTakedown.SocialMediaImpersonation.AbuseType - description: Type of abuse reported + description: Type of abuse reported. type: String - contextPath: SOCRadarTakedown.SocialMediaImpersonation.Status - description: Status of the takedown request + description: Status of the takedown request. type: String - contextPath: SOCRadarTakedown.SocialMediaImpersonation.Message - description: Response message from the API + description: Response message from the API. type: String - contextPath: SOCRadarTakedown.SocialMediaImpersonation.SendAlarm - description: Whether alarm notification is enabled + description: Whether alarm notification is enabled. type: Boolean - contextPath: SOCRadarTakedown.SocialMediaImpersonation.Notes - description: Additional notes for the request + description: Additional notes for the request. type: String - name: socradar-submit-source-code-leak - description: Submit a takedown request for leaked source code + description: Submit a takedown request for leaked source code. arguments: - name: url - description: URL where the source code leak is found + description: URL where the source code leak is found. required: true - name: abuse_type - description: Type of abuse + description: Type of abuse. defaultValue: source_code_leak predefined: - source_code_leak - data_leak - name: notes - description: Additional notes for the takedown request + description: Additional notes for the takedown request. required: false - name: send_alarm - description: Whether to send alarm notification + description: Whether to send alarm notification. defaultValue: "true" predefined: - "true" - "false" - name: email - description: Email address for notifications + description: Email address for notifications. required: true outputs: - contextPath: SOCRadarTakedown.SourceCodeLeak.URL - description: The URL that was reported + description: The URL that was reported. 
type: String - contextPath: SOCRadarTakedown.SourceCodeLeak.AbuseType - description: Type of abuse reported + description: Type of abuse reported. type: String - contextPath: SOCRadarTakedown.SourceCodeLeak.Status - description: Status of the takedown request + description: Status of the takedown request. type: String - contextPath: SOCRadarTakedown.SourceCodeLeak.Message - description: Response message from the API + description: Response message from the API. type: String - contextPath: SOCRadarTakedown.SourceCodeLeak.SendAlarm - description: Whether alarm notification is enabled + description: Whether alarm notification is enabled. type: Boolean - contextPath: SOCRadarTakedown.SourceCodeLeak.Notes - description: Additional notes for the request + description: Additional notes for the request. type: String - name: socradar-submit-rogue-app - description: Submit a takedown request for a rogue mobile app + description: Submit a takedown request for a rogue mobile app. arguments: - name: app_info - description: Information about the rogue mobile app (name, store URL, etc.) + description: Information about the rogue mobile app (name, store URL, etc.). required: true - name: abuse_type - description: Type of abuse + description: Type of abuse. defaultValue: rogue_mobile_app predefined: - rogue_mobile_app - malicious_app - name: notes - description: Additional notes for the takedown request + description: Additional notes for the takedown request. required: false - name: send_alarm - description: Whether to send alarm notification + description: Whether to send alarm notification. defaultValue: "true" predefined: - "true" - "false" - name: email - description: Email address for notifications + description: Email address for notifications. required: true outputs: - contextPath: SOCRadarTakedown.RogueApp.AppInfo - description: Information about the app that was reported + description: Information about the app that was reported. 
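Review bot: `app_info` is described as free-form text ("name, store URL, etc.") yet the rogue app command uses it as `outputs_key_field="AppInfo"`; two submissions for the same app with slightly different wording will create separate context entries, and the API receives an unstructured entity. Consider splitting it into structured arguments (app name, store URL) or at least documenting which form the `entity` is expected to take.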
type: String - contextPath: SOCRadarTakedown.RogueApp.AbuseType - description: Type of abuse reported + description: Type of abuse reported. type: String - contextPath: SOCRadarTakedown.RogueApp.Status - description: Status of the takedown request + description: Status of the takedown request. type: String - contextPath: SOCRadarTakedown.RogueApp.Message - description: Response message from the API + description: Response message from the API. type: String - contextPath: SOCRadarTakedown.RogueApp.SendAlarm - description: Whether alarm notification is enabled + description: Whether alarm notification is enabled. type: Boolean - contextPath: SOCRadarTakedown.RogueApp.Notes - description: Additional notes for the request + description: Additional notes for the request. type: String runonce: false ismappable: false diff --git a/Packs/SOCRadarTakedown/pack_metadata.json b/Packs/SOCRadarTakedown/pack_metadata.json index 2f0968683592..f96dd4049997 100644 --- a/Packs/SOCRadarTakedown/pack_metadata.json +++ b/Packs/SOCRadarTakedown/pack_metadata.json @@ -8,17 +8,14 @@ "email": "", "created": "2025-06-24T00:00:00Z", "categories": [ - "Threat Intelligence" + "Data Enrichment & Threat Intelligence" ], "tags": [ - "takedown", - "phishing", - "threat-intelligence", - "brand-protection" + "Threat Intelligence" ], "useCases": [ - "Brand Protection", - "Threat Intelligence Management" + "Threat Intelligence Management", + "Phishing" ], "keywords": [ "socradar", @@ -26,5 +23,10 @@ "phishing", "impersonation", "brand protection" + ], + "marketplaces": [ + "xsoar", + "marketplacev2", + "platform" ] } From efa060ee8b106b847a52ab3fb26119a3178440cd Mon Sep 17 00:00:00 2001 From: Sapir Malka Date: Mon, 7 Jul 2025 12:12:07 +0300 Subject: [PATCH 10/29] fix image --- .../SOCRadarTakedown_image.png | Bin 8523 -> 6407 bytes 1 file changed, 0 insertions(+), 0 deletions(-) 
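Review bot: in the `pack_metadata.json` hunk, `"email": ""` is left empty while the pack is being prepared for the `xsoar`, `marketplacev2` and `platform` marketplaces; a partner-supported pack should carry a support contact (email or URL). The category change to `Data Enrichment & Threat Intelligence` matches the `category` already set in the yml.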
diff --git a/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown_image.png b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown_image.png index 83fa8264183de2c49be001061e85f0d4a2bb78a0..1f89829473ca2d021a894642725a3665f1067fc6 100644 GIT binary patch
From 13340ca93f6b123b13743756afcd5384fdadf3e6 Mon Sep 17 00:00:00 2001 From: Sapir Malka Date: Mon, 7 Jul 2025 12:18:52 +0300 Subject: [PATCH 11/29] change to credentials object and add description file --- .../SOCRadarTakedown/SOCRadarTakedown_description.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown_description.md
diff --git a/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown_description.md b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown_description.md new file mode 100644 index 000000000000..3ec47ae26287 --- /dev/null +++ b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown_description.md @@ -0,0 +1,12 @@ +This integration allows you to: +- Submit takedown requests for phishing domains +- Submit takedown requests for social media impersonation +- Submit takedown requests for source code leaks +- Submit takedown requests for rogue mobile apps +- Track the progress of submitted takedown requests + +## Authentication +You need a valid SOCRadar API key and Company ID to use this integration. + +## Rate Limits +Please ensure your API key has adequate rate limits for your usage. \ No newline at end of file From b3068e1396f694f045d400d53dcf171abca2e35c Mon Sep 17 00:00:00 2001 From: Sapir Malka Date: Mon, 7 Jul 2025 16:16:53 +0300 Subject: [PATCH 12/29] fix change to credentials, and markdownlint pass --- .../Integrations/SOCRadarTakedown/README.md | 100 +++++++++--------- .../SOCRadarTakedown/SOCRadarTakedown.py | 9 +- .../SOCRadarTakedown/SOCRadarTakedown.yml | 28 +---- 3 files changed, 59 insertions(+), 78 deletions(-) diff --git a/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/README.md b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/README.md index d2d9dd3f80e4..e657eae14c32 100644 --- a/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/README.md +++ b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/README.md @@ -1,6 +1,6 @@ Submit and monitor takedown requests for phishing domains, impersonating accounts, and other digital risks -## Configure SOCRadar Takedown in Cortex +## Configure SOCRadar Takedown in Cortex | **Parameter** | **Required** | | --- | --- | 
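Review bot: the new description file lists "Track the progress of submitted takedown requests", but the yml `commands:` block in this series defines only the four `socradar-submit-*` commands and ends at `runonce: false` with no progress command; either add the command or drop that bullet. The file also ends with "No newline at end of file", which markdownlint (MD047) reports, and the next commit in the series is described as a markdownlint pass, so add the trailing newline here.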
@@ -28,23 +28,23 @@ Submits a takedown request for a phishing or malicious domain | **Argument Name** | **Description** | **Required** | | --- | --- | --- | -| domain | The phishing domain to submit for takedown. | Required | -| abuse_type | Type of abuse (default is potential_phishing). Possible values are: potential_phishing, malware, fake_site. | Optional | -| type | Type of domain (default is phishing_domain). Possible values are: phishing_domain, malicious_domain. | Optional | -| notes | Additional information about the takedown request. | Optional | -| send_alarm | Whether to send an alarm (default is true). Possible values are: true, false. | Optional | -| email | Email to receive notifications about the takedown request. | Required | +| domain | The phishing domain to submit for takedown. | Required | +| abuse_type | Type of abuse (default is potential_phishing). Possible values are: potential_phishing, malware, fake_site. | Optional | +| type | Type of domain (default is phishing_domain). Possible values are: phishing_domain, malicious_domain. | Optional | +| notes | Additional information about the takedown request. | Optional | +| send_alarm | Whether to send an alarm (default is true). Possible values are: true, false. | Optional | +| email | Email to receive notifications about the takedown request. 
| Required | #### Context Output | **Path** | **Type** | **Description** | | --- | --- | --- | -| SOCRadarTakedown.PhishingDomain.Domain | string | The domain submitted for takedown | -| SOCRadarTakedown.PhishingDomain.AbuseType | string | Type of abuse | -| SOCRadarTakedown.PhishingDomain.Status | string | Status of the takedown request | -| SOCRadarTakedown.PhishingDomain.Message | string | Message returned from the API | -| SOCRadarTakedown.PhishingDomain.SendAlarm | boolean | Whether an alarm was sent | -| SOCRadarTakedown.PhishingDomain.Notes | string | Notes provided with the takedown request | +| SOCRadarTakedown.PhishingDomain.Domain | string | The domain submitted for takedown | +| SOCRadarTakedown.PhishingDomain.AbuseType | string | Type of abuse | +| SOCRadarTakedown.PhishingDomain.Status | string | Status of the takedown request | +| SOCRadarTakedown.PhishingDomain.Message | string | Message returned from the API | +| SOCRadarTakedown.PhishingDomain.SendAlarm | boolean | Whether an alarm was sent | +| SOCRadarTakedown.PhishingDomain.Notes | string | Notes provided with the takedown request | ### socradar-submit-social-media-impersonation 
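Review bot: the phishing-domain argument table still lists `abuse_type` values `potential_phishing, malware, fake_site` and `type` values `phishing_domain, malicious_domain`, while the yml in this same series defines `predefined: potential_phishing, confirmed_phishing` and `phishing_domain, lookalike_domain`. The hunk only strips trailing whitespace; regenerate the README from the yml so the documented values match what the command actually accepts.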
@@ -59,27 +59,27 @@ Submits a takedown request for an impersonating social media account | **Argument Name** | **Description** | **Required** | | --- | --- | --- | -| username | Username of the impersonating account. | Required | -| full_name | Full name shown on the impersonating account. | Required | -| account_type | Type of social media platform. Possible values are: facebook, twitter, instagram, linkedin, tiktok, youtube, other. | Required | -| description | Description or ID of the impersonation case. | Optional | -| followers | Number of followers (default is 0). | Optional | -| profile_picture | URL to the profile picture. | Optional | -| notes | Additional information about the takedown request. | Optional | -| send_alarm | Whether to send an alarm (default is false). Possible values are: true, false. | Optional | -| email | Email to receive notifications about the takedown request. | Optional | +| username | Username of the impersonating account. | Required | +| full_name | Full name shown on the impersonating account. | Required | +| account_type | Type of social media platform. Possible values are: facebook, twitter, instagram, linkedin, tiktok, youtube, other. | Required | +| description | Description or ID of the impersonation case. | Optional | +| followers | Number of followers (default is 0). | Optional | +| profile_picture | URL to the profile picture. | Optional | +| notes | Additional information about the takedown request. | Optional | +| send_alarm | Whether to send an alarm (default is false). Possible values are: true, false. | Optional | +| email | Email to receive notifications about the takedown request. 
| Optional | #### Context Output | **Path** | **Type** | **Description** | | --- | --- | --- | -| SOCRadarTakedown.SocialMediaImpersonation.Username | string | Username of the impersonating account | -| SOCRadarTakedown.SocialMediaImpersonation.FullName | string | Full name shown on the impersonating account | -| SOCRadarTakedown.SocialMediaImpersonation.AccountType | string | Type of social media platform | -| SOCRadarTakedown.SocialMediaImpersonation.Status | string | Status of the takedown request | -| SOCRadarTakedown.SocialMediaImpersonation.Message | string | Message returned from the API | -| SOCRadarTakedown.SocialMediaImpersonation.SendAlarm | boolean | Whether an alarm was sent | -| SOCRadarTakedown.SocialMediaImpersonation.Notes | string | Notes provided with the takedown request | +| SOCRadarTakedown.SocialMediaImpersonation.Username | string | Username of the impersonating account | +| SOCRadarTakedown.SocialMediaImpersonation.FullName | string | Full name shown on the impersonating account | +| SOCRadarTakedown.SocialMediaImpersonation.AccountType | string | Type of social media platform | +| SOCRadarTakedown.SocialMediaImpersonation.Status | string | Status of the takedown request | +| SOCRadarTakedown.SocialMediaImpersonation.Message | string | Message returned from the API | +| SOCRadarTakedown.SocialMediaImpersonation.SendAlarm | boolean | Whether an alarm was sent | +| SOCRadarTakedown.SocialMediaImpersonation.Notes | string | Notes provided with the takedown request | ### socradar-get-takedown-progress 
@@ -94,18 +94,18 @@ Gets the progress of a takedown request | **Argument Name** | **Description** | **Required** | | --- | --- | --- | -| asset_id | The ID of the asset for which to check progress. | Required | -| type | Type of takedown request. Possible values are: phishing_domain, impersonating_accounts, source_code_leaks, rogue_mobile_apps. | Required | +| asset_id | The ID of the asset for which to check progress. | Required | +| type | Type of takedown request. Possible values are: phishing_domain, impersonating_accounts, source_code_leaks, rogue_mobile_apps. | Required | #### Context Output | **Path** | **Type** | **Description** | | --- | --- | --- | -| SOCRadarTakedown.Progress.AssetID | string | The ID of the asset | -| SOCRadarTakedown.Progress.Type | string | Type of takedown request | -| SOCRadarTakedown.Progress.Status | string | Status of the API request | -| SOCRadarTakedown.Progress.Data | unknown | Progress data returned from the API | -| SOCRadarTakedown.Progress.Message | string | Message returned from the API | +| SOCRadarTakedown.Progress.AssetID | string | The ID of the asset | +| SOCRadarTakedown.Progress.Type | string | Type of takedown request | +| SOCRadarTakedown.Progress.Status | string | Status of the API request | +| SOCRadarTakedown.Progress.Data | unknown | Progress data returned from the API | +| SOCRadarTakedown.Progress.Message | string | Message returned from the API | ### socradar-submit-source-code-leak 
@@ -120,19 +120,19 @@ Submits a takedown request for leaked source code | **Argument Name** | **Description** | **Required** | | --- | --- | --- | -| id | ID of the source code leak to takedown. | Required | -| notes | Additional information about the takedown request. | Optional | -| email | Email to receive notifications about the takedown request. | Optional | +| id | ID of the source code leak to takedown. | Required | +| notes | Additional information about the takedown request. | Optional | +| email | Email to receive notifications about the takedown request. | Optional | #### Context Output | **Path** | **Type** | **Description** | | --- | --- | --- | -| SOCRadarTakedown.SourceCodeLeak.LeakID | number | ID of the source code leak | -| SOCRadarTakedown.SourceCodeLeak.Status | string | Status of the takedown request | -| SOCRadarTakedown.SourceCodeLeak.Message | string | Message returned from the API | -| SOCRadarTakedown.SourceCodeLeak.Notes | string | Notes provided with the takedown request | -| SOCRadarTakedown.SourceCodeLeak.Email | string | Email provided for notifications | +| SOCRadarTakedown.SourceCodeLeak.LeakID | number | ID of the source code leak | +| SOCRadarTakedown.SourceCodeLeak.Status | string | Status of the takedown request | +| SOCRadarTakedown.SourceCodeLeak.Message | string | Message returned from the API | +| SOCRadarTakedown.SourceCodeLeak.Notes | string | Notes provided with the takedown request | +| SOCRadarTakedown.SourceCodeLeak.Email | string | Email provided for notifications | ### socradar-submit-rogue-app 
@@ -147,14 +147,14 @@ Submits a takedown request for a rogue mobile app | **Argument Name** | **Description** | **Required** | | --- | --- | --- | -| id | ID of the rogue mobile app to takedown. | Required | -| email | Email to receive notifications about the takedown request. | Optional | +| id | ID of the rogue mobile app to takedown. | Required | +| email | Email to receive notifications about the takedown request. | Optional | #### Context Output | **Path** | **Type** | **Description** | | --- | --- | --- | -| SOCRadarTakedown.RogueApp.AppID | string | ID of the rogue mobile app | -| SOCRadarTakedown.RogueApp.Status | string | Status of the takedown request | -| SOCRadarTakedown.RogueApp.Message | string | Message returned from the API | -| SOCRadarTakedown.RogueApp.Email | string | Email provided for notifications | +| SOCRadarTakedown.RogueApp.AppID | string | ID of the rogue mobile app | +| SOCRadarTakedown.RogueApp.Status | string | Status of the takedown request | +| SOCRadarTakedown.RogueApp.Message | string | Message returned from the API | +| SOCRadarTakedown.RogueApp.Email | string | Email provided for notifications | diff --git a/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.py b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.py index 72d55c3b7509..2fa3183626fc 100644 --- a/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.py +++ b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.py 
@@ -116,10 +116,11 @@ def raise_if_url_not_valid(url: str): def get_client_from_params() -> Client: """Initialize client from demisto params""" - api_key = demisto.params().get("apikey", "").strip() - company_id = demisto.params().get("company_id", "").strip() - verify_certificate = not demisto.params().get("insecure", False) - proxy = demisto.params().get("proxy", False) + params = demisto.params() + api_key = params.get("credentials", {}).get("password", "").strip() + company_id = params.get("credentials", {}).get("identifier", "").strip() + verify_certificate = not params.get("insecure", False) + proxy = params.get("proxy", False) if not api_key: raise ValueError("API Key is required") diff --git a/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.yml b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.yml index a133386ad656..f32b52464423 100644 --- a/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.yml +++ b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.yml 
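Review bot: in the get_client_from_params hunk only the API key is validated after the move to the credentials parameter; `company_id = params.get("credentials", {}).get("identifier", "").strip()` can be empty or arbitrary text, and the client later interpolates it into the request path (`/add/company/{self.company_id}/takedown/request`), so add `if not company_id: raise ValueError("Company ID is required")` next to the existing key check and reject values that are not in the expected identifier format, so a misconfigured instance fails in test-module instead of sending requests to an unintended path. Moving the key itself into a type 9 credential field is the right call, since it is stored as a secret and masked in the UI.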
@@ -8,32 +8,12 @@ name: SOCRadar Takedown display: SOCRadar Takedown category: Data Enrichment & Threat Intelligence description: Submit and track takedown requests for phishing domains, social media impersonation, source code leaks, and rogue mobile apps through SOCRadar platform. -detaileddescription: | - This integration allows you to: - - Submit takedown requests for phishing domains - - Submit takedown requests for social media impersonation - - Submit takedown requests for source code leaks - - Submit takedown requests for rogue mobile apps - - Track the progress of submitted takedown requests - - ## Authentication - You need a valid SOCRadar API key and Company ID to use this integration. - - ## Rate Limits - Please ensure your API key has adequate rate limits for your usage. - configuration: -- display: SOCRadar API Key - name: apikey - required: true - type: 4 - additionalinfo: Your SOCRadar platform API key - section: Connect -- display: Company ID - name: company_id +- name: credentials + display: Company ID required: true - type: 0 - additionalinfo: Your SOCRadar Company ID + type: 9 + displaypassword: API Key section: Connect - display: Trust any certificate (not secure) name: insecure From 5d53d9bdde9c8e732efcca3dfaf9e105401cab26 Mon Sep 17 00:00:00 2001 From: Radargoger Date: Thu, 17 Jul 2025 09:54:32 +0300 Subject: [PATCH 13/29] Update SOCRadarTakedown.py --- .../Integrations/SOCRadarTakedown/SOCRadarTakedown.py | 3 --- 1 file changed, 3 deletions(-) diff --git a/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.py b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.py index 2fa3183626fc..11916784866c 100644 --- a/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.py +++ b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.py 
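Review bot: dropping `detaileddescription` removes the Authentication and Rate Limits guidance from the integration's settings pane unless a `SOCRadarTakedown_description.md` carries it; patch 15 in this series edits that file, so the two changes should land together rather than leaving an intermediate commit with no description. On the credentials block, `type: 9` with `display: Company ID` and `displaypassword: API Key` matches the `identifier` and `password` lookups in get_client_from_params; if either label is renamed, the Python lookup keys stay the same, so note in the README which field holds which value.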
@@ -2,9 +2,6 @@ import re from typing import Any -# Import XSOAR common functions -from CommonServerPython import * - # Disable insecure warnings urllib3.disable_warnings() From 31b540c40ae60654facef6a285b2da14cc4d75a0 Mon Sep 17 00:00:00 2001 From: Radargoger Date: Sun, 20 Jul 2025 01:01:57 +0300 Subject: [PATCH 14/29] Update README.md --- .../Integrations/SOCRadarTakedown/README.md | 51 +++++-------------- 1 file changed, 14 insertions(+), 37 deletions(-) diff --git a/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/README.md b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/README.md index e657eae14c32..a91ef9f7fc49 100644 --- a/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/README.md +++ b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/README.md @@ -8,7 +8,6 @@ Submit and monitor takedown requests for phishing domains, impersonating account | Company ID | True | | Trust any certificate (not secure) | False | | Use system proxy settings | False | -| Reliability | False | ## Commands @@ -18,7 +17,7 @@ After you successfully execute a command, a DBot message appears in the War Room ### socradar-submit-phishing-domain *** -Submits a takedown request for a phishing or malicious domain +Submits a takedown request for a phishing domain or URL #### Base Command 
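Review bot: patch 13's hunk removes `from CommonServerPython import *`, which leaves `demisto`, `CommandResults` and the other helpers this module relies on unresolved for anything that runs the file outside the server (unit tests, lint). The platform prepends CommonServerPython at runtime, but content integrations keep `import demistomock as demisto  # noqa: F401` and `from CommonServerPython import *  # noqa: F401` at the top precisely so the file also runs locally; keep the import.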
@@ -28,9 +27,9 @@ Submits a takedown request for a phishing or malicious domain | **Argument Name** | **Description** | **Required** | | --- | --- | --- | -| domain | The phishing domain to submit for takedown. | Required | -| abuse_type | Type of abuse (default is potential_phishing). Possible values are: potential_phishing, malware, fake_site. | Optional | -| type | Type of domain (default is phishing_domain). Possible values are: phishing_domain, malicious_domain. | Optional | +| domain | The phishing domain or URL to submit for takedown. | Required | +| abuse_type | Type of abuse (default is potential_phishing). Possible values are: potential_phishing, confirmed_phishing. | Optional | +| type | Type of domain/URL (default is phishing_domain). Possible values are: phishing_domain, phishing_url. | Optional | | notes | Additional information about the takedown request. | Optional | | send_alarm | Whether to send an alarm (default is true). Possible values are: true, false. | Optional | | email | Email to receive notifications about the takedown request. | Required | 
@@ -61,13 +60,10 @@ Submits a takedown request for an impersonating social media account | --- | --- | --- | | username | Username of the impersonating account. | Required | | full_name | Full name shown on the impersonating account. | Required | -| account_type | Type of social media platform. Possible values are: facebook, twitter, instagram, linkedin, tiktok, youtube, other. | Required | -| description | Description or ID of the impersonation case. | Optional | -| followers | Number of followers (default is 0). | Optional | -| profile_picture | URL to the profile picture. | Optional | +| account_type | Type of social media platform. Possible values are: facebook, instagram, twitter, tiktok, linkedin, youtube, meta, other. | Required | | notes | Additional information about the takedown request. | Optional | -| send_alarm | Whether to send an alarm (default is false). Possible values are: true, false. | Optional | -| email | Email to receive notifications about the takedown request. | Optional | +| send_alarm | Whether to send an alarm (default is true). Possible values are: true, false. | Optional | +| email | Email to receive notifications about the takedown request. | Required | #### Context Output 
@@ -76,37 +72,12 @@ Submits a takedown request for an impersonating social media account | SOCRadarTakedown.SocialMediaImpersonation.Username | string | Username of the impersonating account | | SOCRadarTakedown.SocialMediaImpersonation.FullName | string | Full name shown on the impersonating account | | SOCRadarTakedown.SocialMediaImpersonation.AccountType | string | Type of social media platform | +| SOCRadarTakedown.SocialMediaImpersonation.AbuseType | string | Type of abuse reported | | SOCRadarTakedown.SocialMediaImpersonation.Status | string | Status of the takedown request | | SOCRadarTakedown.SocialMediaImpersonation.Message | string | Message returned from the API | | SOCRadarTakedown.SocialMediaImpersonation.SendAlarm | boolean | Whether an alarm was sent | | SOCRadarTakedown.SocialMediaImpersonation.Notes | string | Notes provided with the takedown request | -### socradar-get-takedown-progress - -*** -Gets the progress of a takedown request - -#### Base Command - -`socradar-get-takedown-progress` - -#### Input - -| **Argument Name** | **Description** | **Required** | -| --- | --- | --- | -| asset_id | The ID of the asset for which to check progress. | Required | -| type | Type of takedown request. Possible values are: phishing_domain, impersonating_accounts, source_code_leaks, rogue_mobile_apps. | Required | - -#### Context Output - -| **Path** | **Type** | **Description** | -| --- | --- | --- | -| SOCRadarTakedown.Progress.AssetID | string | The ID of the asset | -| SOCRadarTakedown.Progress.Type | string | Type of takedown request | -| SOCRadarTakedown.Progress.Status | string | Status of the API request | -| SOCRadarTakedown.Progress.Data | unknown | Progress data returned from the API | -| SOCRadarTakedown.Progress.Message | string | Message returned from the API | - ### socradar-submit-source-code-leak *** 
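Review bot: removing the `socradar-get-takedown-progress` section from the README should be matched by removing the command's declaration from SOCRadarTakedown.yml and its handler from the command dispatch in SOCRadarTakedown.py; neither removal appears anywhere in this series, so confirm there is no command left that the documentation no longer describes, or keep the section if the command still exists.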
@@ -129,6 +100,7 @@ Submits a takedown request for leaked source code | **Path** | **Type** | **Description** | | --- | --- | --- | | SOCRadarTakedown.SourceCodeLeak.LeakID | number | ID of the source code leak | +| SOCRadarTakedown.SourceCodeLeak.AbuseType | string | Type of abuse reported | | SOCRadarTakedown.SourceCodeLeak.Status | string | Status of the takedown request | | SOCRadarTakedown.SourceCodeLeak.Message | string | Message returned from the API | | SOCRadarTakedown.SourceCodeLeak.Notes | string | Notes provided with the takedown request | @@ -148,6 +120,8 @@ Submits a takedown request for a rogue mobile app | **Argument Name** | **Description** | **Required** | | --- | --- | --- | | id | ID of the rogue mobile app to takedown. | Required | +| notes | Additional information about the takedown request. | Optional | +| send_alarm | Whether to send an alarm (default is true). Possible values are: true, false. | Optional | | email | Email to receive notifications about the takedown request. | Optional | #### Context Output @@ -155,6 +129,9 @@ Submits a takedown request for a rogue mobile app | **Path** | **Type** | **Description** | | --- | --- | --- | | SOCRadarTakedown.RogueApp.AppID | string | ID of the rogue mobile app | +| SOCRadarTakedown.RogueApp.AbuseType | string | Type of abuse reported | | SOCRadarTakedown.RogueApp.Status | string | Status of the takedown request | | SOCRadarTakedown.RogueApp.Message | string | Message returned from the API | +| SOCRadarTakedown.RogueApp.SendAlarm | boolean | Whether alarm notification is enabled | +| SOCRadarTakedown.RogueApp.Notes | string | Additional notes for the request | | SOCRadarTakedown.RogueApp.Email | string | Email provided for notifications | From 001ebba625ae32f125e0e06855762744f48787a2 Mon Sep 17 00:00:00 2001 
From: Radargoger Date: Sun, 20 Jul 2025 01:02:40 +0300 Subject: [PATCH 15/29] Update SOCRadarTakedown_description.md --- .../SOCRadarTakedown/SOCRadarTakedown_description.md | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown_description.md b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown_description.md index 3ec47ae26287..760441edc417 100644 --- a/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown_description.md +++ b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown_description.md @@ -1,12 +1,17 @@ This integration allows you to: -- Submit takedown requests for phishing domains +- Submit takedown requests for phishing domains and URLs - Submit takedown requests for social media impersonation - Submit takedown requests for source code leaks - Submit takedown requests for rogue mobile apps -- Track the progress of submitted takedown requests ## Authentication You need a valid SOCRadar API key and Company ID to use this integration. ## Rate Limits -Please ensure your API key has adequate rate limits for your usage. \ No newline at end of file +Please ensure your API key has adequate rate limits for your usage. + +## Commands Available +- **socradar-submit-phishing-domain**: Submit takedown requests for phishing domains and URLs +- **socradar-submit-social-media-impersonation**: Submit takedown requests for impersonating social media accounts +- **socradar-submit-source-code-leak**: Submit takedown requests for leaked source code +- **socradar-submit-rogue-app**: Submit takedown requests for rogue mobile applications From b77da928cd9c913bb9e57d3c69426a6866736618 Mon Sep 17 00:00:00 2001 From: Radargoger Date: Sun, 20 Jul 2025 01:03:13 +0300 Subject: [PATCH 16/29] Update SOCRadarTakedown.yml --- .../SOCRadarTakedown/SOCRadarTakedown.yml | 92 ++++++++++--------- 1 file changed, 48 insertions(+), 44 deletions(-) 
diff --git a/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.yml b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.yml index f32b52464423..867acae4f02d 100644 --- a/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.yml +++ b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.yml @@ -38,7 +38,7 @@ script: description: Submit a takedown request for a phishing domain. arguments: - name: domain - description: The phishing domain to be taken down. + description: The phishing domain or URL to be taken down. required: true - name: abuse_type description: Type of abuse. @@ -47,11 +47,11 @@ script: - potential_phishing - confirmed_phishing - name: type - description: Domain type. + description: Domain/URL type. defaultValue: phishing_domain predefined: - phishing_domain - - lookalike_domain + - phishing_url - name: notes description: Additional notes for the takedown request. required: false @@ -83,18 +83,28 @@ script: - contextPath: SOCRadarTakedown.PhishingDomain.Notes description: Additional notes for the request. type: String + - name: socradar-submit-social-media-impersonation description: Submit a takedown request for social media impersonation. arguments: - - name: url - description: URL of the impersonating social media account. + - name: username + description: Username of the impersonating account. + required: true + - name: full_name + description: Full name shown on the impersonating account. + required: true + - name: account_type + description: Type of social media platform. required: true - - name: abuse_type - description: Type of abuse. - defaultValue: impersonating_accounts predefined: - - impersonating_accounts - - fake_profiles + - facebook + - instagram + - twitter + - tiktok + - linkedin + - youtube + - meta + - other - name: notes description: Additional notes for the takedown request. required: false 
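Review bot: in the phishing-domain hunk the argument text is updated to `description: The phishing domain or URL to be taken down.` and `type` gains `phishing_url`, but the command's own line `description: Submit a takedown request for a phishing domain.` (visible as context above the arguments) still says domain only; update it to match the README wording "phishing domain or URL". The added empty `+` line before `- name: socradar-submit-social-media-impersonation` is a style choice; if blank separators between commands are wanted, apply them consistently to every command in the file.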
@@ -108,8 +118,14 @@ script: description: Email address for notifications. required: true outputs: - - contextPath: SOCRadarTakedown.SocialMediaImpersonation.URL - description: The URL that was reported. + - contextPath: SOCRadarTakedown.SocialMediaImpersonation.Username + description: Username of the impersonating account. + type: String + - contextPath: SOCRadarTakedown.SocialMediaImpersonation.FullName + description: Full name shown on the impersonating account. + type: String + - contextPath: SOCRadarTakedown.SocialMediaImpersonation.AccountType + description: Type of social media platform. type: String - contextPath: SOCRadarTakedown.SocialMediaImpersonation.AbuseType description: Type of abuse reported. @@ -126,34 +142,23 @@ script: - contextPath: SOCRadarTakedown.SocialMediaImpersonation.Notes description: Additional notes for the request. type: String + - name: socradar-submit-source-code-leak description: Submit a takedown request for leaked source code. arguments: - - name: url - description: URL where the source code leak is found. + - name: id + description: ID of the source code leak to takedown. required: true - - name: abuse_type - description: Type of abuse. - defaultValue: source_code_leak - predefined: - - source_code_leak - - data_leak - name: notes description: Additional notes for the takedown request. required: false - - name: send_alarm - description: Whether to send alarm notification. - defaultValue: "true" - predefined: - - "true" - - "false" - name: email description: Email address for notifications. - required: true + required: false outputs: - - contextPath: SOCRadarTakedown.SourceCodeLeak.URL - description: The URL that was reported. - type: String + - contextPath: SOCRadarTakedown.SourceCodeLeak.LeakID + description: ID of the source code leak. + type: Number - contextPath: SOCRadarTakedown.SourceCodeLeak.AbuseType description: Type of abuse reported. type: String 
@@ -163,24 +168,19 @@ script: - contextPath: SOCRadarTakedown.SourceCodeLeak.Message description: Response message from the API. type: String - - contextPath: SOCRadarTakedown.SourceCodeLeak.SendAlarm - description: Whether alarm notification is enabled. - type: Boolean - contextPath: SOCRadarTakedown.SourceCodeLeak.Notes description: Additional notes for the request. type: String + - contextPath: SOCRadarTakedown.SourceCodeLeak.Email + description: Email provided for notifications. + type: String + - name: socradar-submit-rogue-app description: Submit a takedown request for a rogue mobile app. arguments: - - name: app_info - description: Information about the rogue mobile app (name, store URL, etc.). + - name: id + description: ID of the rogue mobile app to takedown. required: true - - name: abuse_type - description: Type of abuse. - defaultValue: rogue_mobile_app - predefined: - - rogue_mobile_app - - malicious_app - name: notes description: Additional notes for the takedown request. required: false @@ -192,10 +192,10 @@ script: - "false" - name: email description: Email address for notifications. - required: true + required: false outputs: - - contextPath: SOCRadarTakedown.RogueApp.AppInfo - description: Information about the app that was reported. + - contextPath: SOCRadarTakedown.RogueApp.AppID + description: ID of the rogue mobile app. type: String - contextPath: SOCRadarTakedown.RogueApp.AbuseType description: Type of abuse reported. @@ -212,6 +212,10 @@ script: - contextPath: SOCRadarTakedown.RogueApp.Notes description: Additional notes for the request. type: String + - contextPath: SOCRadarTakedown.RogueApp.Email + description: Email provided for notifications. + type: String + runonce: false ismappable: false isremotesyncin: false From 74d9b7ce0dc5f9edf891438c2491f6e4684e818f Mon Sep 17 00:00:00 2001 
From: Radargoger Date: Sun, 20 Jul 2025 01:07:19 +0300 Subject: [PATCH 17/29] Update SOCRadarTakedown.py --- .../SOCRadarTakedown/SOCRadarTakedown.py | 147 ++++++++++++------ 1 file changed, 103 insertions(+), 44 deletions(-) diff --git a/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.py b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.py index 11916784866c..bf159ac4d974 100644 --- a/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.py +++ b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.py @@ -51,15 +51,15 @@ def check_auth(self) -> dict[str, Any]: except requests.exceptions.RequestException as e: raise Exception(f"Connection error: {str(e)}") - def submit_takedown_request( - self, entity: str, request_type: str, abuse_type: str, notes: str = "", send_alarm: bool = True, email: str = "" + def submit_phishing_domain_takedown( + self, domain: str, abuse_type: str, domain_type: str, notes: str = "", send_alarm: bool = True, email: str = "" ) -> dict[str, Any]: - """Generic method to submit takedown requests""" + """Submit phishing domain takedown request""" url = f"{self.base_url}/add/company/{self.company_id}/takedown/request" data = { "abuse_type": abuse_type, - "entity": entity, - "type": request_type, + "entity": domain, + "type": domain_type, "notes": notes, "send_alarm": send_alarm, "email": email, 
@@ -72,6 +72,65 @@ def submit_takedown_request( return response.json() + def submit_social_media_impersonation_takedown( + self, username: str, full_name: str, account_type: str, notes: str = "", send_alarm: bool = True, email: str = "" + ) -> dict[str, Any]: + """Submit social media impersonation takedown request""" + url = f"{self.base_url}/add/company/{self.company_id}/takedown/request/social_media_risks" + data = { + "impersonating_account": { + "username": username, + "full_name": full_name, + "account_type": account_type + }, + "notes": notes, + "send_alarm": send_alarm, + "email": email, + } + + response = requests.post(url, json=data, headers=self.headers, verify=self.verify) + + if response.status_code >= 400: + raise Exception(f"API Error: {response.status_code} - {response.text}") + + return response.json() + + def submit_source_code_leak_takedown( + self, leak_id: int, notes: str = "", email: str = "" + ) -> dict[str, Any]: + """Submit source code leak takedown request""" + url = f"{self.base_url}/add/company/{self.company_id}/takedown/request/source_code_leaks" + data = { + "id": leak_id, + "notes": notes, + "email": email, + } + + response = requests.post(url, json=data, headers=self.headers, verify=self.verify) + + if response.status_code >= 400: + raise Exception(f"API Error: {response.status_code} - {response.text}") + + return response.json() + + def submit_rogue_app_takedown( + self, app_id: int, notes: str = "", email: str = "" + ) -> dict[str, Any]: + """Submit rogue mobile app takedown request""" + url = f"{self.base_url}/add/company/{self.company_id}/takedown/request/rogue_mobile_apps" + data = { + "id": app_id, + "notes": notes, + "email": email, + } + + response = requests.post(url, json=data, headers=self.headers, verify=self.verify) + + if response.status_code >= 400: + raise Exception(f"API Error: {response.status_code} - {response.text}") + + return response.json() + """ HELPER FUNCTIONS """ 
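Review bot: each of the three new client methods repeats the same `requests.post(url, json=data, headers=self.headers, verify=self.verify)` call with no `timeout`, so a stalled SOCRadar endpoint blocks the command indefinitely; factor the POST, status check and `response.json()` into one private helper that passes a timeout, and have it handle a non-JSON 2xx body instead of surfacing a raw decode error. The `proxy` value parsed in get_client_from_params is not referenced here either; if the Client stores it, pass `proxies=` explicitly, or switch the class to `BaseClient._http_request`, which applies proxy, timeout and error formatting for you. Also consider truncating `response.text` in the `API Error` message, since the full body is written to the War Room.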
@@ -140,7 +199,7 @@ def test_module(client: Client) -> str: def submit_phishing_domain_takedown_command(client: Client) -> CommandResults: - """Submits a takedown request for a phishing domain""" + """Submits a takedown request for a phishing domain or URL""" args = demisto.args() domain = args.get("domain", "") abuse_type = args.get("abuse_type", "potential_phishing") @@ -149,12 +208,15 @@ def submit_phishing_domain_takedown_command(client: Client) -> CommandResults: send_alarm = args.get("send_alarm", "true").lower() == "true" email = args.get("email", "") - # Validate domain - Validator.raise_if_domain_not_valid(domain) + # Validate based on type + if domain_type == "phishing_url": + Validator.raise_if_url_not_valid(domain) + else: # phishing_domain + Validator.raise_if_domain_not_valid(domain) # Submit request - raw_response = client.submit_takedown_request( - entity=domain, request_type=domain_type, abuse_type=abuse_type, notes=notes, send_alarm=send_alarm, email=email + raw_response = client.submit_phishing_domain_takedown( + domain=domain, abuse_type=abuse_type, domain_type=domain_type, notes=notes, send_alarm=send_alarm, email=email ) # Prepare output 
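Review bot: the new `if domain_type == "phishing_url": ... else:  # phishing_domain` branch treats any unrecognised `type` value as a domain and forwards that value to the API unchanged; `predefined` in the yml gives autocomplete but does not prevent a playbook from passing another string. Validate explicitly, for example `if domain_type not in ("phishing_domain", "phishing_url"): raise ValueError(...)`, before the validator call.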
@@ -186,20 +248,18 @@ def submit_phishing_domain_takedown_command(client: Client) -> CommandResults: def submit_social_media_impersonation_takedown_command(client: Client) -> CommandResults: """Submits a takedown request for social media impersonation""" args = demisto.args() - url_link = args.get("url", "") - abuse_type = args.get("abuse_type", "impersonating_accounts") + username = args.get("username", "") + full_name = args.get("full_name", "") + account_type = args.get("account_type", "") notes = args.get("notes", "") send_alarm = args.get("send_alarm", "true").lower() == "true" email = args.get("email", "") - # Validate URL - Validator.raise_if_url_not_valid(url_link) - # Submit request - raw_response = client.submit_takedown_request( - entity=url_link, - request_type="impersonating_accounts", - abuse_type=abuse_type, + raw_response = client.submit_social_media_impersonation_takedown( + username=username, + full_name=full_name, + account_type=account_type, notes=notes, send_alarm=send_alarm, email=email, @@ -207,15 +267,19 @@ def submit_social_media_impersonation_takedown_command(client: Client) -> Comman # Prepare output readable_output = "### Social Media Impersonation Takedown Request\n" - readable_output += f"**URL**: {url_link}\n" + readable_output += f"**Username**: {username}\n" + readable_output += f"**Full Name**: {full_name}\n" + readable_output += f"**Account Type**: {account_type}\n" readable_output += f"**Status**: {'Success' if raw_response.get('is_success', False) else 'Failed'}\n" if raw_response.get("message"): readable_output += f"**Message**: {raw_response.get('message')}\n" outputs = { - "URL": url_link, - "AbuseType": abuse_type, + "Username": username, + "FullName": full_name, + "AccountType": account_type, + "AbuseType": "impersonating_accounts", "Status": "Success" if raw_response.get("is_success", False) else "Failed", "Message": raw_response.get("message", ""), "SendAlarm": send_alarm, 
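Review bot: the URL validation removed in this hunk is not replaced by any check on the new inputs; `username`, `full_name` and `account_type` all default to `""` and are posted as-is. Raise if `username` or `full_name` is empty and reject an `account_type` outside the yml's predefined list, so a malformed request fails locally with a clear message rather than as an opaque API error.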
@@ -224,7 +288,7 @@ def submit_social_media_impersonation_takedown_command(client: Client) -> Comman return CommandResults( outputs_prefix="SOCRadarTakedown.SocialMediaImpersonation", - outputs_key_field="URL", + outputs_key_field="Username", outputs=outputs, readable_output=readable_output, raw_response=raw_response, 
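Review bot: `outputs_key_field="Username"` is not a unique key, since the same username can be reported on different platforms and each submission would overwrite the previous context entry. `CommandResults` accepts a list for this field, so use `outputs_key_field=["Username", "AccountType"]`.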
@@ -234,40 +298,35 @@ def submit_social_media_impersonation_takedown_command(client: Client) -> Comman def submit_source_code_leak_takedown_command(client: Client) -> CommandResults: """Submits a takedown request for leaked source code""" args = demisto.args() - url_link = args.get("url", "") - abuse_type = args.get("abuse_type", "source_code_leak") + leak_id = int(args.get("id", "0")) notes = args.get("notes", "") - send_alarm = args.get("send_alarm", "true").lower() == "true" email = args.get("email", "") - # Validate URL - Validator.raise_if_url_not_valid(url_link) - # Submit request - raw_response = client.submit_takedown_request( - entity=url_link, request_type="source_code_leak", abuse_type=abuse_type, notes=notes, send_alarm=send_alarm, email=email + raw_response = client.submit_source_code_leak_takedown( + leak_id=leak_id, notes=notes, email=email ) # Prepare output readable_output = "### Source Code Leak Takedown Request\n" - readable_output += f"**URL**: {url_link}\n" + readable_output += f"**Leak ID**: {leak_id}\n" readable_output += f"**Status**: {'Success' if raw_response.get('is_success', False) else 'Failed'}\n" if raw_response.get("message"): readable_output += f"**Message**: {raw_response.get('message')}\n" outputs = { - "URL": url_link, - "AbuseType": abuse_type, + "LeakID": leak_id, + "AbuseType": "source_code_leak", "Status": "Success" if raw_response.get("is_success", False) else "Failed", "Message": raw_response.get("message", ""), - "SendAlarm": send_alarm, "Notes": notes, + "Email": email, } return CommandResults( outputs_prefix="SOCRadarTakedown.SourceCodeLeak", - outputs_key_field="URL", + outputs_key_field="LeakID", outputs=outputs, readable_output=readable_output, raw_response=raw_response, 
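Review bot: `leak_id = int(args.get("id", "0"))` raises a bare `ValueError` with an unhelpful message on non-numeric input, and the default of `"0"` silently submits a takedown for ID 0 when the argument is missing even though the yml marks it required. Use `arg_to_number(args.get("id"), arg_name="id", required=True)` from CommonServerPython, which reports the argument name and rejects a missing value.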
@@ -277,37 +336,37 @@ def submit_source_code_leak_takedown_command(client: Client) -> CommandResults: def submit_rogue_app_takedown_command(client: Client) -> CommandResults: """Submits a takedown request for a rogue mobile app""" args = demisto.args() - app_info = args.get("app_info", "") - abuse_type = args.get("abuse_type", "rogue_mobile_app") + app_id = int(args.get("id", "0")) notes = args.get("notes", "") send_alarm = args.get("send_alarm", "true").lower() == "true" email = args.get("email", "") # Submit request - raw_response = client.submit_takedown_request( - entity=app_info, request_type="rogue_mobile_app", abuse_type=abuse_type, notes=notes, send_alarm=send_alarm, email=email + raw_response = client.submit_rogue_app_takedown( + app_id=app_id, notes=notes, email=email ) # Prepare output readable_output = "### Rogue App Takedown Request\n" - readable_output += f"**App Info**: {app_info}\n" + readable_output += f"**App ID**: {app_id}\n" readable_output += f"**Status**: {'Success' if raw_response.get('is_success', False) else 'Failed'}\n" if raw_response.get("message"): readable_output += f"**Message**: {raw_response.get('message')}\n" outputs = { - "AppInfo": app_info, - "AbuseType": abuse_type, + "AppID": str(app_id), + "AbuseType": "rogue_mobile_app", "Status": "Success" if raw_response.get("is_success", False) else "Failed", "Message": raw_response.get("message", ""), "SendAlarm": send_alarm, "Notes": notes, + "Email": email, } return CommandResults( outputs_prefix="SOCRadarTakedown.RogueApp", - outputs_key_field="AppInfo", + outputs_key_field="AppID", outputs=outputs, readable_output=readable_output, raw_response=raw_response, From 8c8e42d10bf6459581d21ee25d81a8c0d0970f3e Mon Sep 17 00:00:00 2001 From: Radargoger Date: Sun, 20 Jul 2025 01:07:51 +0300 Subject: [PATCH 18/29] Update SOCRadarTakedown.yml From 90ac1ab45e21e68ca1bf78d81ac0c90dff15d744 Mon Sep 17 00:00:00 2001 
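Review bot: `send_alarm` is parsed, echoed back in `outputs["SendAlarm"]` and documented for this command, but the call `client.submit_rogue_app_takedown(app_id=app_id, notes=notes, email=email)` never passes it, so the context value does not reflect what was actually sent. Either pass it through (the client method would need a `send_alarm` parameter and a matching field in its request body) or remove the argument and the output field, as the source-code-leak command does in the previous hunk. Separately, `app_id` is coerced with `int(args.get("id", "0"))` and then stored as `str(app_id)`; use `arg_to_number(..., required=True)` for the parse and settle on one type for the key, since `LeakID` is kept as a number.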
From: Radargoger Date: Sun, 20 Jul 2025 01:08:37 +0300 Subject: [PATCH 19/29] Update README.md From 0b05d5e91ff9def0e9f20720545560c32abf7724 Mon Sep 17 00:00:00 2001 From: Radargoger Date: Mon, 21 Jul 2025 11:09:04 +0300 Subject: [PATCH 20/29] Update SOCRadarTakedown.py --- .../Integrations/SOCRadarTakedown/SOCRadarTakedown.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.py b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.py index bf159ac4d974..e0fa1706a3e9 100644 --- a/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.py +++ b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.py @@ -2,6 +2,9 @@ import re from typing import Any +# Import SOAR common functions +from CommonServerPython import * + # Disable insecure warnings urllib3.disable_warnings() From 5b40b673fd4d002d70d852b80539a98e0e9ea53e Mon Sep 17 00:00:00 2001 From: Radargoger Date: Mon, 21 Jul 2025 11:09:48 +0300 Subject: [PATCH 21/29] Update SOCRadarTakedown.py --- .../Integrations/SOCRadarTakedown/SOCRadarTakedown.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.py b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.py index e0fa1706a3e9..2ee990a8ec91 100644 --- a/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.py +++ b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.py @@ -2,8 +2,7 @@ import re from typing import Any -# Import SOAR common functions -from CommonServerPython import * + # Disable insecure warnings urllib3.disable_warnings() From a7fc4f4c66e6588f85ca6684ee0ca8eab519eaf2 Mon Sep 17 00:00:00 2001 
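Review bot: patches 20 and 21 add and then remove the same two lines, and patch 22 that follows restores them; squash the three into one commit so the history records a single change. The final placement (after `from typing import Any`, before `urllib3.disable_warnings()`) is the right one if `urllib3` reaches this module through the star import, because `CommonServerPython` has to be imported before any name it provides is used. Worth a line in the commit message as well: `urllib3.disable_warnings()` silences all urllib3 warnings process-wide, so enabling the "Trust any certificate (not secure)" parameter documented in the README will run quietly rather than with an `InsecureRequestWarning` per request.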
From: Radargoger Date: Mon, 21 Jul 2025 11:09:57 +0300 Subject: [PATCH 22/29] Update SOCRadarTakedown.py --- .../Integrations/SOCRadarTakedown/SOCRadarTakedown.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.py b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.py index 2ee990a8ec91..10b81afb27fc 100644 --- a/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.py +++ b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.py @@ -2,7 +2,8 @@ import re from typing import Any - +# Import XSOAR common functions +from CommonServerPython import * # Disable insecure warnings urllib3.disable_warnings() From d1498c6a34fe2a0da6533ed39c90ae7d093ec627 Mon Sep 17 00:00:00 2001 From: Sapir Malka Date: Mon, 21 Jul 2025 11:28:51 +0300 Subject: [PATCH 23/29] ruff fixes --- .../SOCRadarTakedown/SOCRadarTakedown.py | 22 +++++-------------- 1 file changed, 5 insertions(+), 17 deletions(-) diff --git a/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.py b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.py index 10b81afb27fc..3cdc73b64ed4 100644 --- a/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.py +++ b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.py @@ -81,11 +81,7 @@ def submit_social_media_impersonation_takedown( """Submit social media impersonation takedown request""" url = f"{self.base_url}/add/company/{self.company_id}/takedown/request/social_media_risks" data = { - "impersonating_account": { - "username": username, - "full_name": full_name, - "account_type": account_type - }, + "impersonating_account": {"username": username, "full_name": full_name, "account_type": account_type}, "notes": notes, "send_alarm": send_alarm, "email": email, 
@@ -98,9 +94,7 @@ def submit_social_media_impersonation_takedown( return response.json() - def submit_source_code_leak_takedown( - self, leak_id: int, notes: str = "", email: str = "" - ) -> dict[str, Any]: + def submit_source_code_leak_takedown(self, leak_id: int, notes: str = "", email: str = "") -> dict[str, Any]: """Submit source code leak takedown request""" url = f"{self.base_url}/add/company/{self.company_id}/takedown/request/source_code_leaks" data = { @@ -116,9 +110,7 @@ def submit_source_code_leak_takedown( return response.json() - def submit_rogue_app_takedown( - self, app_id: int, notes: str = "", email: str = "" - ) -> dict[str, Any]: + def submit_rogue_app_takedown(self, app_id: int, notes: str = "", email: str = "") -> dict[str, Any]: """Submit rogue mobile app takedown request""" url = f"{self.base_url}/add/company/{self.company_id}/takedown/request/rogue_mobile_apps" data = { @@ -306,9 +298,7 @@ def submit_source_code_leak_takedown_command(client: Client) -> CommandResults: email = args.get("email", "") # Submit request - raw_response = client.submit_source_code_leak_takedown( - leak_id=leak_id, notes=notes, email=email - ) + raw_response = client.submit_source_code_leak_takedown(leak_id=leak_id, notes=notes, email=email) # Prepare output readable_output = "### Source Code Leak Takedown Request\n" @@ -345,9 +335,7 @@ def submit_rogue_app_takedown_command(client: Client) -> CommandResults: email = args.get("email", "") # Submit request - raw_response = client.submit_rogue_app_takedown( - app_id=app_id, notes=notes, email=email - ) + raw_response = client.submit_rogue_app_takedown(app_id=app_id, notes=notes, email=email) # Prepare output readable_output = "### Rogue App Takedown Request\n" From 6f126f24e8374b1b94568758ec804531963a52b1 Mon Sep 17 00:00:00 2001 
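Review bot: formatting only (line joins for ruff), no behavioural change, which matches the subject. One thing the reflowed `submit_social_media_impersonation` body makes visible: the request dict always sends `"email": email`, and the command layer defaults `email` to `""`, so an empty string reaches the API whenever the caller omits the argument. If the service treats an empty address as invalid, build the body with `assign_params(...)` from CommonServerPython or drop empty keys before the POST; the same applies to `notes` in the source-code-leak and rogue-app bodies.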
From: Radargoger Date: Mon, 21 Jul 2025 11:34:49 +0300 Subject: [PATCH 24/29] Update README.md --- Packs/SOCRadarTakedown/README.md | 137 +++++++++++++++++++++++++++++++ 1 file changed, 137 insertions(+) diff --git a/Packs/SOCRadarTakedown/README.md b/Packs/SOCRadarTakedown/README.md index e69de29bb2d1..54bf0561952d 100644 --- a/Packs/SOCRadarTakedown/README.md +++ b/Packs/SOCRadarTakedown/README.md 
@@ -0,0 +1,137 @@ +Submit and monitor takedown requests for phishing domains, impersonating accounts, and other digital risks + +## Configure SOCRadar Takedown in Cortex + +| **Parameter** | **Required** | +| --- | --- | +| API Key | True | +| Company ID | True | +| Trust any certificate (not secure) | False | +| Use system proxy settings | False | + +## Commands + +You can execute these commands from the CLI, as part of an automation, or in a playbook. +After you successfully execute a command, a DBot message appears in the War Room with the command details. + +### socradar-submit-phishing-domain + +*** +Submits a takedown request for a phishing domain or URL + +#### Base Command + +`socradar-submit-phishing-domain` + +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| domain | The phishing domain or URL to submit for takedown. | Required | +| abuse_type | Type of abuse (default is potential_phishing). Possible values are: potential_phishing, confirmed_phishing. | Optional | +| type | Type of domain/URL (default is phishing_domain). Possible values are: phishing_domain, phishing_url. | Optional | +| notes | Additional information about the takedown request. | Optional | +| send_alarm | Whether to send an alarm (default is true). Possible values are: true, false. | Optional | +| email | Email to receive notifications about the takedown request. 
| Required | + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| SOCRadarTakedown.PhishingDomain.Domain | string | The domain submitted for takedown | +| SOCRadarTakedown.PhishingDomain.AbuseType | string | Type of abuse | +| SOCRadarTakedown.PhishingDomain.Status | string | Status of the takedown request | +| SOCRadarTakedown.PhishingDomain.Message | string | Message returned from the API | +| SOCRadarTakedown.PhishingDomain.SendAlarm | boolean | Whether an alarm was sent | +| SOCRadarTakedown.PhishingDomain.Notes | string | Notes provided with the takedown request | + +### socradar-submit-social-media-impersonation + +*** +Submits a takedown request for an impersonating social media account + +#### Base Command + +`socradar-submit-social-media-impersonation` + +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| username | Username of the impersonating account. | Required | +| full_name | Full name shown on the impersonating account. | Required | +| account_type | Type of social media platform. Possible values are: facebook, instagram, twitter, tiktok, linkedin, youtube, meta, other. | Required | +| notes | Additional information about the takedown request. | Optional | +| send_alarm | Whether to send an alarm (default is true). Possible values are: true, false. | Optional | +| email | Email to receive notifications about the takedown request. 
| Required | + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| SOCRadarTakedown.SocialMediaImpersonation.Username | string | Username of the impersonating account | +| SOCRadarTakedown.SocialMediaImpersonation.FullName | string | Full name shown on the impersonating account | +| SOCRadarTakedown.SocialMediaImpersonation.AccountType | string | Type of social media platform | +| SOCRadarTakedown.SocialMediaImpersonation.AbuseType | string | Type of abuse reported | +| SOCRadarTakedown.SocialMediaImpersonation.Status | string | Status of the takedown request | +| SOCRadarTakedown.SocialMediaImpersonation.Message | string | Message returned from the API | +| SOCRadarTakedown.SocialMediaImpersonation.SendAlarm | boolean | Whether an alarm was sent | +| SOCRadarTakedown.SocialMediaImpersonation.Notes | string | Notes provided with the takedown request | + +### socradar-submit-source-code-leak + +*** +Submits a takedown request for leaked source code + +#### Base Command + +`socradar-submit-source-code-leak` + +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| id | ID of the source code leak to takedown. | Required | +| notes | Additional information about the takedown request. | Optional | +| email | Email to receive notifications about the takedown request. 
| Optional | + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| SOCRadarTakedown.SourceCodeLeak.LeakID | number | ID of the source code leak | +| SOCRadarTakedown.SourceCodeLeak.AbuseType | string | Type of abuse reported | +| SOCRadarTakedown.SourceCodeLeak.Status | string | Status of the takedown request | +| SOCRadarTakedown.SourceCodeLeak.Message | string | Message returned from the API | +| SOCRadarTakedown.SourceCodeLeak.Notes | string | Notes provided with the takedown request | +| SOCRadarTakedown.SourceCodeLeak.Email | string | Email provided for notifications | + +### socradar-submit-rogue-app + +*** +Submits a takedown request for a rogue mobile app + +#### Base Command + +`socradar-submit-rogue-app` + +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| id | ID of the rogue mobile app to takedown. | Required | +| notes | Additional information about the takedown request. | Optional | +| send_alarm | Whether to send an alarm (default is true). Possible values are: true, false. | Optional | +| email | Email to receive notifications about the takedown request. | Optional | + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| SOCRadarTakedown.RogueApp.AppID | string | ID of the rogue mobile app | +| SOCRadarTakedown.RogueApp.AbuseType | string | Type of abuse reported | +| SOCRadarTakedown.RogueApp.Status | string | Status of the takedown request | +| SOCRadarTakedown.RogueApp.Message | string | Message returned from the API | +| SOCRadarTakedown.RogueApp.SendAlarm | boolean | Whether alarm notification is enabled | +| SOCRadarTakedown.RogueApp.Notes | string | Additional notes for the request | +| SOCRadarTakedown.RogueApp.Email | string | Email provided for notifications | From 8715b32d17a405226f0e5814bd7adca88f5ef921 Mon Sep 17 00:00:00 2001 
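Review bot: this pack-level `Packs/SOCRadarTakedown/README.md` is removed again in patch 25, so the two commits cancel out and should be squashed away. While the tables are here, two inconsistencies should be carried back to wherever the command reference ends up: `email` is marked Required for `socradar-submit-phishing-domain` and `socradar-submit-social-media-impersonation` but Optional for the other two commands, with no explanation of the difference; and `socradar-submit-rogue-app` advertises a `send_alarm` argument and a `SendAlarm` output although the client method in patch 23 only accepts `app_id`, `notes` and `email`.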
From: Radargoger Date: Mon, 21 Jul 2025 11:52:43 +0300 Subject: [PATCH 25/29] Update README.md --- Packs/SOCRadarTakedown/README.md | 136 ------------------------------- 1 file changed, 136 deletions(-) diff --git a/Packs/SOCRadarTakedown/README.md b/Packs/SOCRadarTakedown/README.md index 54bf0561952d..d3f5a12faa99 100644 --- a/Packs/SOCRadarTakedown/README.md +++ b/Packs/SOCRadarTakedown/README.md 
@@ -1,137 +1 @@ -Submit and monitor takedown requests for phishing domains, impersonating accounts, and other digital risks -## Configure SOCRadar Takedown in Cortex - -| **Parameter** | **Required** | -| --- | --- | -| API Key | True | -| Company ID | True | -| Trust any certificate (not secure) | False | -| Use system proxy settings | False | - -## Commands - -You can execute these commands from the CLI, as part of an automation, or in a playbook. -After you successfully execute a command, a DBot message appears in the War Room with the command details. - -### socradar-submit-phishing-domain - -*** -Submits a takedown request for a phishing domain or URL - -#### Base Command - -`socradar-submit-phishing-domain` - -#### Input - -| **Argument Name** | **Description** | **Required** | -| --- | --- | --- | -| domain | The phishing domain or URL to submit for takedown. | Required | -| abuse_type | Type of abuse (default is potential_phishing). Possible values are: potential_phishing, confirmed_phishing. | Optional | -| type | Type of domain/URL (default is phishing_domain). Possible values are: phishing_domain, phishing_url. | Optional | -| notes | Additional information about the takedown request. | Optional | -| send_alarm | Whether to send an alarm (default is true). Possible values are: true, false. | Optional | -| email | Email to receive notifications about the takedown request. 
| Required | - -#### Context Output - -| **Path** | **Type** | **Description** | -| --- | --- | --- | -| SOCRadarTakedown.PhishingDomain.Domain | string | The domain submitted for takedown | -| SOCRadarTakedown.PhishingDomain.AbuseType | string | Type of abuse | -| SOCRadarTakedown.PhishingDomain.Status | string | Status of the takedown request | -| SOCRadarTakedown.PhishingDomain.Message | string | Message returned from the API | -| SOCRadarTakedown.PhishingDomain.SendAlarm | boolean | Whether an alarm was sent | -| SOCRadarTakedown.PhishingDomain.Notes | string | Notes provided with the takedown request | - -### socradar-submit-social-media-impersonation - -*** -Submits a takedown request for an impersonating social media account - -#### Base Command - -`socradar-submit-social-media-impersonation` - -#### Input - -| **Argument Name** | **Description** | **Required** | -| --- | --- | --- | -| username | Username of the impersonating account. | Required | -| full_name | Full name shown on the impersonating account. | Required | -| account_type | Type of social media platform. Possible values are: facebook, instagram, twitter, tiktok, linkedin, youtube, meta, other. | Required | -| notes | Additional information about the takedown request. | Optional | -| send_alarm | Whether to send an alarm (default is true). Possible values are: true, false. | Optional | -| email | Email to receive notifications about the takedown request. 
| Required | - -#### Context Output - -| **Path** | **Type** | **Description** | -| --- | --- | --- | -| SOCRadarTakedown.SocialMediaImpersonation.Username | string | Username of the impersonating account | -| SOCRadarTakedown.SocialMediaImpersonation.FullName | string | Full name shown on the impersonating account | -| SOCRadarTakedown.SocialMediaImpersonation.AccountType | string | Type of social media platform | -| SOCRadarTakedown.SocialMediaImpersonation.AbuseType | string | Type of abuse reported | -| SOCRadarTakedown.SocialMediaImpersonation.Status | string | Status of the takedown request | -| SOCRadarTakedown.SocialMediaImpersonation.Message | string | Message returned from the API | -| SOCRadarTakedown.SocialMediaImpersonation.SendAlarm | boolean | Whether an alarm was sent | -| SOCRadarTakedown.SocialMediaImpersonation.Notes | string | Notes provided with the takedown request | - -### socradar-submit-source-code-leak - -*** -Submits a takedown request for leaked source code - -#### Base Command - -`socradar-submit-source-code-leak` - -#### Input - -| **Argument Name** | **Description** | **Required** | -| --- | --- | --- | -| id | ID of the source code leak to takedown. | Required | -| notes | Additional information about the takedown request. | Optional | -| email | Email to receive notifications about the takedown request. 
| Optional | - -#### Context Output - -| **Path** | **Type** | **Description** | -| --- | --- | --- | -| SOCRadarTakedown.SourceCodeLeak.LeakID | number | ID of the source code leak | -| SOCRadarTakedown.SourceCodeLeak.AbuseType | string | Type of abuse reported | -| SOCRadarTakedown.SourceCodeLeak.Status | string | Status of the takedown request | -| SOCRadarTakedown.SourceCodeLeak.Message | string | Message returned from the API | -| SOCRadarTakedown.SourceCodeLeak.Notes | string | Notes provided with the takedown request | -| SOCRadarTakedown.SourceCodeLeak.Email | string | Email provided for notifications | - -### socradar-submit-rogue-app - -*** -Submits a takedown request for a rogue mobile app - -#### Base Command - -`socradar-submit-rogue-app` - -#### Input - -| **Argument Name** | **Description** | **Required** | -| --- | --- | --- | -| id | ID of the rogue mobile app to takedown. | Required | -| notes | Additional information about the takedown request. | Optional | -| send_alarm | Whether to send an alarm (default is true). Possible values are: true, false. | Optional | -| email | Email to receive notifications about the takedown request. | Optional | - -#### Context Output - -| **Path** | **Type** | **Description** | -| --- | --- | --- | -| SOCRadarTakedown.RogueApp.AppID | string | ID of the rogue mobile app | -| SOCRadarTakedown.RogueApp.AbuseType | string | Type of abuse reported | -| SOCRadarTakedown.RogueApp.Status | string | Status of the takedown request | -| SOCRadarTakedown.RogueApp.Message | string | Message returned from the API | -| SOCRadarTakedown.RogueApp.SendAlarm | boolean | Whether alarm notification is enabled | -| SOCRadarTakedown.RogueApp.Notes | string | Additional notes for the request | -| SOCRadarTakedown.RogueApp.Email | string | Email provided for notifications | From 370906854587e7b79135df679cbe8e794a562efe Mon Sep 17 00:00:00 2001 From: Radargoger Date: Mon, 21 Jul 2025 11:53:18 +0300 Subject: [PATCH 26/29] Update README.md 
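Review bot: the removal leaves a single empty line (`@@ -1,137 +1 @@`), which patch 28 then deletes and patch 29 re-creates as an empty file; that is four commits (24, 25, 28, 29) to arrive at an empty `Packs/SOCRadarTakedown/README.md`. Squash them into one, and if the pack README is meant to stay empty, say so in the commit message so the next reviewer does not read it as a missing file.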
From c4f3ebcf1b6f3fed8c10ba517165130dafebf461 Mon Sep 17 00:00:00 2001 From: Sapir Malka <44067957+itssapir@users.noreply.github.com> Date: Mon, 21 Jul 2025 12:32:52 +0300 Subject: [PATCH 27/29] remove README.md empty lines From 97e427fe02007ea50474e479642334839e098b48 Mon Sep 17 00:00:00 2001 From: Sapir Malka <44067957+itssapir@users.noreply.github.com> Date: Mon, 21 Jul 2025 12:43:23 +0300 Subject: [PATCH 28/29] Delete Packs/SOCRadarTakedown/README.md --- Packs/SOCRadarTakedown/README.md | 1 - 1 file changed, 1 deletion(-) delete mode 100644 Packs/SOCRadarTakedown/README.md diff --git a/Packs/SOCRadarTakedown/README.md b/Packs/SOCRadarTakedown/README.md deleted file mode 100644 index d3f5a12faa99..000000000000 --- a/Packs/SOCRadarTakedown/README.md +++ /dev/null @@ -1 +0,0 @@ - From af8abd2128bcd1bc98fdbf097188ed84ceee82cb Mon Sep 17 00:00:00 2001 From: Sapir Malka Date: Mon, 21 Jul 2025 13:22:46 +0300 Subject: [PATCH 29/29] Add empty readme --- Packs/SOCRadarTakedown/README.md | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 Packs/SOCRadarTakedown/README.md diff --git a/Packs/SOCRadarTakedown/README.md b/Packs/SOCRadarTakedown/README.md new file mode 100644 index 000000000000..e69de29bb2d1