From 278a8f090a5c962e95af8a047815e8b80a9c242b Mon Sep 17 00:00:00 2001 From: bluza Date: Sun, 7 Sep 2025 09:14:40 -0700 Subject: [PATCH 1/2] Implement domainrisk,domainhotlist feeds; Update test cases --- .../FeedDomainTools/FeedDomainTools.py | 116 +++++++++++------- .../FeedDomainTools/FeedDomainTools.yml | 2 + .../FeedDomainTools/FeedDomainTools_test.py | 59 +++++---- .../test_data/feed_mock_response.py | 114 ++++++++++++++++- 4 files changed, 225 insertions(+), 66 deletions(-) diff --git a/Packs/FeedDomainTools/Integrations/FeedDomainTools/FeedDomainTools.py b/Packs/FeedDomainTools/Integrations/FeedDomainTools/FeedDomainTools.py index b4999f984149..e999ebf8e4f1 100644 --- a/Packs/FeedDomainTools/Integrations/FeedDomainTools/FeedDomainTools.py +++ b/Packs/FeedDomainTools/Integrations/FeedDomainTools/FeedDomainTools.py @@ -9,6 +9,8 @@ # disable insecure warnings urllib3.disable_warnings() +RISK_THRESHOLD = 70 + class DomainToolsClient(BaseClient): """ @@ -24,6 +26,8 @@ class DomainToolsClient(BaseClient): NOH_FEED = "noh" DOMAINRDAP = "domainrdap" DOMAINDISCOVERY = "domaindiscovery" + DOMAINRISK = "domainrisk" + DOMAINHOTLIST = "domainhotlist" FEED_URL = "/v1/feed" DOMAINTOOLS_API_BASE_URL = "https://api.domaintools.com" 
@@ -35,22 +39,21 @@ def __init__( verify_ssl: bool = True, proxy: bool = False, tags: str = "", - tlp_color: str | None = None + tlp_color: str | None = None, ): self.feed_type = "nod" # default to NOD feeds self.tags = tags self.tlp_color = tlp_color if not (api_username and api_key): - raise DemistoException( - "The 'API Username' and 'API Key' parameters are required." - ) + raise DemistoException("The 'API Username' and 'API Key' parameters are required.") self.api_username = api_username self.api_key = api_key - super().__init__(base_url=self.DOMAINTOOLS_API_BASE_URL, headers={ - "Content-Type": "application/json"}, verify=verify_ssl, proxy=proxy) + super().__init__( + base_url=self.DOMAINTOOLS_API_BASE_URL, headers={"Content-Type": "application/json"}, verify=verify_ssl, proxy=proxy + ) def _get_dt_feeds( self, @@ -74,12 +77,11 @@ def _get_dt_feeds( "domain": domain, } - demisto.info( - f"Fetching DomainTools {feed_type_name} feed type with params: {query_params}" - ) + demisto.info(f"Fetching DomainTools {feed_type_name} feed type with params: {query_params}") - response = self._http_request("GET", url_suffix=f"{self.FEED_URL}/{self.feed_type}/", - params=query_params, resp_type="text", raise_on_status=True) + response = self._http_request( + "GET", url_suffix=f"{self.FEED_URL}/{self.feed_type}/", params=query_params, resp_type="text", raise_on_status=True + ) results = response.strip().split("\n") if response else [] return results @@ -99,9 +101,7 @@ def _format_parameter(self, key: str, value: Any) -> Any: return value - def build_iterator( - self, feed_type: str = "nod", dt_feed_kwargs: dict = {} - ) -> Iterator: + def build_iterator(self, feed_type: str = "nod", dt_feed_kwargs: dict = {}) -> Iterator: """ Retrieves all entries from the feed. 
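Review bot: The reformatted `build_iterator` signature in the `@@ -99,9 +101,7 @@` hunk keeps `dt_feed_kwargs: dict = {}`, a mutable default shared across calls; the same default is rewritten in the `fetch_indicators` signature later in this patch. The visible body only reads it with `.get`, so it is harmless today, but the idiom is `dt_feed_kwargs: dict | None = None` followed by `dt_feed_kwargs = dt_feed_kwargs or {}` at the top of the body. Since the commit already touches both lines, it is the cheapest moment to fix both in the same style.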
@@ -117,7 +117,7 @@ def build_iterator( # DomainTools feeds optional arguments session_id = dt_feed_kwargs.get("session_id", "dt-cortex-feeds") - top = int(dt_feed_kwargs.get("top", "5000")) + top = int(dt_feed_kwargs.get("top") or "5000") domain = dt_feed_kwargs.get("domain") after = dt_feed_kwargs.get("after") before = dt_feed_kwargs.get("before") @@ -156,10 +156,11 @@ def build_iterator( timestamp = json_feed.get("timestamp", "") indicator = json_feed.get("domain") - indicator_type = auto_detect_indicator_type(indicator) + indicator_type = FeedIndicatorType.Domain # for `domainrdap` feed, we have more data to display including the parsed data. parsed_record = json_feed.get("parsed_record", {}) + overall_risk_score = json_feed.get("overall_risk", None) if indicator and indicator_type: yield { @@ -168,7 +169,8 @@ def build_iterator( "timestamp": timestamp, "tags": ["DomainToolsFeeds", self.feed_type] + ud_tags, "tlp_color": self.tlp_color, - "parsed_record": parsed_record + "parsed_record": parsed_record, + "overall_risk_score": overall_risk_score, } limit_counter += 1 
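Review bot: Replacing `auto_detect_indicator_type(indicator)` with the constant `FeedIndicatorType.Domain` makes the `and indicator_type` half of the `if indicator and indicator_type:` guard always true, so every non-empty `domain` value the feed returns is now created as a Domain indicator with no validation of its shape. The feed is external input, so some check should remain; if auto-detection was dropped because it misclassified some feed values, a one-line comment above the assignment saying so (`# feed values are always domains; auto-detect misclassified some, so the type is fixed here`) would explain the change, and the now-redundant `and indicator_type` can go. `build_iterator` starts and ends outside this hunk.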
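Review bot: The yielded record in the `@@ -168,7 +169,8 @@` hunk carries only `overall_risk_score`, while the mock responses added in this patch show that `domainrisk` and `domainhotlist` entries also deliver `phishing_risk`, `malware_risk`, `spam_risk`, `proximity_risk`, and hotlist entries an `expires` timestamp. The `expires` value looks like a validity window for the listing and would be the natural source for the indicator's expiration, and the component scores are what an analyst needs to understand why a domain scored BAD; both are dropped here. Consider adding `"expires": json_feed.get("expires")` alongside `overall_risk_score` and carrying the component scores in the raw record, if the downstream `rawJSON` construction (outside this hunk) can take them.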
@@ -177,9 +179,37 @@ def build_iterator( demisto.info(f"Done processing {processed_feeds} out of {total_dt_feeds} {self.feed_type} feeds.") except Exception as err: demisto.debug(str(err)) - raise ValueError( - f"Could not parse returned data as indicator. \n\nError massage: {str(err)}" - ) + raise ValueError(f"Could not parse returned data as indicator. \n\nError massage: {str(err)}") + + +def get_dbot_score(overall_risk_score: int | None = None): + """ + Gets the DBot score + score info: + NONE = 0 + GOOD = 1 + SUSPICIOUS = 2 + BAD = 3 + Args: + overall_risk_score: The overall riskscore. Defaults to None. + + Returns: DBot Score + + """ + # Unknown scores + if overall_risk_score is None: + return Common.DBotScore.NONE + + # check for the 'BAD' condition then return. + if overall_risk_score >= RISK_THRESHOLD: + return Common.DBotScore.BAD + + # check for 'SUSPICIOUS' conditions as we know both scores will be lower. + if 50 <= overall_risk_score <= 69: + return Common.DBotScore.SUSPICIOUS + + # If the domain is not BAD and not SUSPICIOUS, then return GOOD. + return Common.DBotScore.GOOD def batch_create_indicators(indicators: list[dict[str, Any]], batch_size: int = 2000): @@ -193,9 +223,7 @@ def batch_create_indicators(indicators: list[dict[str, Any]], batch_size: int = demisto.createIndicators(iter_) -def fetch_indicators( - client: DomainToolsClient, feed_type: str = "nod", dt_feed_kwargs: dict[str, Any] = {} -) -> list[dict]: +def fetch_indicators(client: DomainToolsClient, feed_type: str = "nod", dt_feed_kwargs: dict[str, Any] = {}) -> list[dict]: """Retrieves indicators from the feed Args: @@ -215,6 +243,7 @@ def fetch_indicators( tags_ = item.get("tags", []) tlp_color_ = item.get("tlp_color") parsed_record_ = item.get("parsed_record") + overall_risk_score_ = item.get("overall_risk_score") indicator_tags = ",".join(tags_).rstrip(",") 
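Review bot: In `get_dbot_score`, the SUSPICIOUS branch hard-codes `if 50 <= overall_risk_score <= 69:` while the BAD branch uses `RISK_THRESHOLD`; raising `RISK_THRESHOLD` above 70 opens a gap in which scores between 69 and the threshold silently fall through to GOOD. Since the BAD check already returned, the bound is redundant: `if overall_risk_score >= 50:` (or a `SUSPICIOUS_THRESHOLD = 50` constant placed next to `RISK_THRESHOLD`) keeps the two thresholds consistent. The function would also benefit from a `-> int` return annotation, and the docstring's "riskscore" should read "risk score". The mock data shows the score as an integer; if the feed ever delivers it as a string the `>=` comparison would raise `TypeError` rather than score the domain, which is worth confirming against the API contract.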
@@ -235,7 +264,7 @@ def fetch_indicators( "tags": indicator_tags, "service": "DomainTools Feeds", "firstseenbysource": timestamp_, - "sourcebrands": "FeedDomainTools" + "sourcebrands": "FeedDomainTools", }, "rawJSON": raw_data, } @@ -243,6 +272,9 @@ def fetch_indicators( if tlp_color_: indicator_obj["fields"]["trafficlightprotocol"] = tlp_color_ + if overall_risk_score_: + indicator_obj["score"] = get_dbot_score(overall_risk_score=overall_risk_score_) + indicators.append(indicator_obj) if idx % 1000 == 0 or (idx < 1000 and idx % 100 == 0): @@ -277,9 +309,7 @@ def get_indicators_command(client: DomainToolsClient, args: dict[str, str], para } demisto.debug(f"Fetching feed indicators by feed_type: {feed_type}") - indicators = fetch_indicators( - client, feed_type=feed_type, dt_feed_kwargs=dt_feeds_kwargs - ) + indicators = fetch_indicators(client, feed_type=feed_type, dt_feed_kwargs=dt_feeds_kwargs) human_readable = tableToMarkdown( f"Indicators from DomainTools {feed_type.upper()} Feed:", @@ -290,11 +320,7 @@ def get_indicators_command(client: DomainToolsClient, args: dict[str, str], para batch_create_indicators(indicators, batch_size=100) - return CommandResults( - readable_output=human_readable, - raw_response=indicators, - ignore_auto_extract=True - ) + return CommandResults(readable_output=human_readable, raw_response=indicators, ignore_auto_extract=True) def fetch_indicators_command(client: DomainToolsClient, params: dict[str, Any] = {}) -> list[dict]: @@ -318,7 +344,9 @@ def fetch_indicators_command(client: DomainToolsClient, params: dict[str, Any] = client.NAD_FEED, client.NOH_FEED, client.DOMAINRDAP, - client.DOMAINDISCOVERY + client.DOMAINDISCOVERY, + client.DOMAINRISK, + client.DOMAINHOTLIST, ] dt_feed_kwargs = {"top": top, "after": after, "session_id": session_id} 
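Review bot: In the `@@ -243,6 +272,9 @@` hunk, `if overall_risk_score_:` is false for a risk score of 0, so such a domain gets no `score` at all, whereas `get_dbot_score(0)` returns GOOD and the new test table in this patch pins `(0, 1)` as the expected mapping. The two code paths disagree on the same input; the check should be `if overall_risk_score_ is not None:` so that a present-but-zero score reaches `get_dbot_score`. `fetch_indicators` starts and ends outside this hunk.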
@@ -333,6 +361,7 @@ def fetch_indicators_command(client: DomainToolsClient, params: dict[str, Any] = indicators = fetch_indicators(client, feed_type=feed_type, dt_feed_kwargs=dt_feed_kwargs) fetched_indicators.extend(indicators) + return fetched_indicators @@ -343,12 +372,11 @@ def test_module(client: DomainToolsClient, args: dict[str, str], params: dict[st Returns: str. """ - dt_feed_kwargs = { - "top": 1, - "after": None - } + dt_feed_kwargs = {"top": 1, "after": None} + + feed_type_ = params.get("feed_type", "NOD") try: - next(client.build_iterator(dt_feed_kwargs=dt_feed_kwargs)) + next(client.build_iterator(feed_type=feed_type_, dt_feed_kwargs=dt_feed_kwargs)) except Exception as e: raise Exception( "Could not fetch DomainTools Feed\n" @@ -371,13 +399,19 @@ def main(): api_username = params.get("credentials", {}).get("identifier", "") api_key = params.get("credentials", {}).get("password", "") insecure = not params.get("insecure", False) - proxy = params.get('proxy', False) + proxy = params.get("proxy", False) user_defined_tags = params.get("feedTags", "") tlp_color = params.get("tlp_color") try: - client = DomainToolsClient(api_username=api_username, api_key=api_key, verify_ssl=insecure, - proxy=proxy, tags=user_defined_tags, tlp_color=tlp_color) + client = DomainToolsClient( + api_username=api_username, + api_key=api_key, + verify_ssl=insecure, + proxy=proxy, + tags=user_defined_tags, + tlp_color=tlp_color, + ) demisto.debug(f"Command being called is {command}") if command in commands: diff --git a/Packs/FeedDomainTools/Integrations/FeedDomainTools/FeedDomainTools.yml b/Packs/FeedDomainTools/Integrations/FeedDomainTools/FeedDomainTools.yml index 66fe827eee37..2d077cad3402 100644 --- a/Packs/FeedDomainTools/Integrations/FeedDomainTools/FeedDomainTools.yml +++ b/Packs/FeedDomainTools/Integrations/FeedDomainTools/FeedDomainTools.yml 
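Review bot: In `test_module` (the `@@ -343,12 +372,11 @@` hunk), `params.get("feed_type", "NOD")` is passed straight into `build_iterator`; the yml in this patch says the parameter defaults to `'ALL'`, and `_get_dt_feeds` builds the URL from `self.feed_type`, so if `'ALL'` reaches this call the connectivity test would request a feed path that does not exist and report a failure for a correctly configured instance. Whether `build_iterator` expands or normalises `'ALL'` is not visible in this hunk, so please confirm; if it does not, map it to a concrete feed before the call, e.g. `feed_type_ = params.get("feed_type", client.NOD_FEED).lower()` followed by `if feed_type_ == "all": feed_type_ = client.NOD_FEED`. The default `"NOD"` also differs in case from the lowercase feed constants on the client.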
@@ -47,6 +47,8 @@ configuration: - noh - domainrdap - domaindiscovery + - domainrisk + - domainhotlist additionalinfo: The DomainTools feed type fo fetch. Defaults to 'ALL'. section: Collect - display: Fetch indicators diff --git a/Packs/FeedDomainTools/Integrations/FeedDomainTools/FeedDomainTools_test.py b/Packs/FeedDomainTools/Integrations/FeedDomainTools/FeedDomainTools_test.py index b923c0617d73..84ccb36cd749 100644 --- a/Packs/FeedDomainTools/Integrations/FeedDomainTools/FeedDomainTools_test.py +++ b/Packs/FeedDomainTools/Integrations/FeedDomainTools/FeedDomainTools_test.py @@ -6,6 +6,7 @@ fetch_indicators, fetch_indicators_command, get_indicators_command, + get_dbot_score, main, ) @@ -19,7 +20,6 @@ def dt_feeds_client(): class TestDTClient: - def test_nod_build_iterator(self, mocker, dt_feeds_client): """ Given: @@ -78,9 +78,7 @@ def test_build_iterator_with_limit(self, mocker, dt_feeds_client): return_value=feed_mock_response.NOD_FEED_RESPONSE, ) - indicators = list( - dt_feeds_client.build_iterator(feed_type="nod", dt_feed_kwargs={"top": 5}) - ) + indicators = list(dt_feeds_client.build_iterator(feed_type="nod", dt_feed_kwargs={"top": 5})) [indicator.get("value") for indicator in indicators] assert len(indicators) == 5 
@@ -106,24 +104,39 @@ def test_conversion_feed_to_indicato_obj(mocker, dt_feeds_client): "before": "-60", } - indicators = fetch_indicators( - dt_feeds_client, feed_type="nod", dt_feed_kwargs=mock_dt_feeds_kwargs - ) + indicators = fetch_indicators(dt_feeds_client, feed_type="nod", dt_feed_kwargs=mock_dt_feeds_kwargs) assert len(indicators) == 10 assert indicators == feed_mock_response.NOD_PARSED_INDICATOR_RESPONSE @pytest.mark.parametrize( - "feed_type", + "overall_riskscore,expected_dbot_score", [ - "nod", - "nad", - "noh", - "domaindiscovery", - "domainrdap" + (99, 3), + (63, 2), + (21, 1), + (0, 1), + (None, 0), ], ) +def test_get_dbot_score(overall_riskscore, expected_dbot_score): + """ + Given: + - Output of the feed API as list Overall risk score of a domain + When: + - Getting a feed of indicators from the `domainrisk, domainhotlist` API endpoint + Then: + - Returns the DbotScore + """ + actual_dbot_score = get_dbot_score(overall_riskscore) + assert actual_dbot_score == expected_dbot_score + + +@pytest.mark.parametrize( + "feed_type", + ["nod", "nad", "noh", "domaindiscovery", "domainrdap", "domainrisk", "domainhotlist"], +) def test_get_indicators_command(mocker, dt_feeds_client, feed_type): """ Given: @@ -141,6 +154,8 @@ def test_get_indicators_command(mocker, dt_feeds_client, feed_type): "noh": feed_mock_response.NOH_FEED_RESPONSE, "domaindiscovery": feed_mock_response.DOMAINDISCOVERY_RESPONSE, "domainrdap": feed_mock_response.DOMAINRDAP_RESPONSE, + "domainrisk": feed_mock_response.DOMAINRISK_RESPONSE, + "domainhotlist": feed_mock_response.DOMAINHOTLIST_RESPONSE, } mocker.patch.object( 
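Review bot: `test_get_dbot_score` never exercises the boundaries the implementation is built around: 70 is the `RISK_THRESHOLD` edge for BAD, 50 and 69 bound SUSPICIOUS, and 49 is the top of GOOD, yet the table only has 99, 63, 21, 0 and None. Adding `(70, 3), (69, 2), (50, 2), (49, 1)` to the parametrize list would catch an off-by-one in either threshold. The docstring's "Output of the feed API as list Overall risk score of a domain" does not read as a sentence; something like "An overall risk score as returned by the domainrisk/domainhotlist feeds" would be clearer.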
@@ -148,16 +163,16 @@ def test_get_indicators_command(mocker, dt_feeds_client, feed_type): "_get_dt_feeds", return_value=mock_feed_response[feed_type], ) - results = get_indicators_command( - dt_feeds_client, args={"feed_type": feed_type, "top": "10"}, params={} - ) + results = get_indicators_command(dt_feeds_client, args={"feed_type": feed_type, "top": "10"}, params={}) expected_indicator_results = { "nod": feed_mock_response.NOD_PARSED_INDICATOR_RESPONSE, "nad": feed_mock_response.NAD_PARSED_INDICATOR_RESPONSE, "noh": feed_mock_response.NOH_PARSED_INDICATOR_RESPONSE, "domaindiscovery": feed_mock_response.DOMAINDISCOVERY_PARSED_INDICATOR_RESPONSE, - "domainrdap": feed_mock_response.DOMAINRDAP_PARSED_INDICATOR_RESPONSE + "domainrdap": feed_mock_response.DOMAINRDAP_PARSED_INDICATOR_RESPONSE, + "domainrisk": feed_mock_response.DOMAINRISK_PARSED_INDICATOR_RESPONSE, + "domainhotlist": feed_mock_response.DOMAINHOTLIST_PARSED_INDICATOR_RESPONSE, } human_readable = tableToMarkdown( @@ -182,9 +197,7 @@ def test_fetch_indicators_command(mocker, dt_feeds_client): """ mock_return_value = ( - feed_mock_response.NAD_FEED_RESPONSE - + feed_mock_response.NOD_FEED_RESPONSE - + feed_mock_response.DOMAINDISCOVERY_RESPONSE + feed_mock_response.NAD_FEED_RESPONSE + feed_mock_response.NOD_FEED_RESPONSE + feed_mock_response.DOMAINDISCOVERY_RESPONSE ) mocker.patch.object( dt_feeds_client, @@ -193,7 +206,7 @@ def test_fetch_indicators_command(mocker, dt_feeds_client): ) results = fetch_indicators_command(dt_feeds_client, params={"top": "2"}) - assert len(results) == 10 + assert len(results) == 14 def test_calling_command_using_main(mocker, dt_feeds_client): 
@@ -210,9 +223,7 @@ def test_calling_command_using_main(mocker, dt_feeds_client): mocker.patch.object( demisto, "params", - return_value={ - "credentials": {"identifier": "test_username", "password": "test_key"} - }, + return_value={"credentials": {"identifier": "test_username", "password": "test_key"}}, ) mocker.patch( "FeedDomainTools.DomainToolsClient._get_dt_feeds", diff --git a/Packs/FeedDomainTools/Integrations/FeedDomainTools/test_data/feed_mock_response.py b/Packs/FeedDomainTools/Integrations/FeedDomainTools/test_data/feed_mock_response.py index 8ea9fd71ca8a..7565c491ac05 100644 --- a/Packs/FeedDomainTools/Integrations/FeedDomainTools/test_data/feed_mock_response.py +++ b/Packs/FeedDomainTools/Integrations/FeedDomainTools/test_data/feed_mock_response.py 
@@ -54,6 +54,17 @@ '{"timestamp":"2025-03-10T16:25:34Z","domain":"parkcitieslincolnoffers.com","raw_record":{"first_request_timestamp":"2025-03-10T16:25:29Z","requests":[{"data":"{\\"objectClassName\\":\\"domain\\",\\"handle\\":\\"2071186162_DOMAIN_COM-VRSN\\",\\"ldhName\\":\\"PARKCITIESLINCOLNOFFERS.COM\\",\\"links\\":[{\\"value\\":\\"https:\\\\/\\\\/rdap.verisign.com\\\\/com\\\\/v1\\\\/domain\\\\/PARKCITIESLINCOLNOFFERS.COM\\",\\"rel\\":\\"self\\",\\"href\\":\\"https:\\\\/\\\\/rdap.verisign.com\\\\/com\\\\/v1\\\\/domain\\\\/PARKCITIESLINCOLNOFFERS.COM\\",\\"type\\":\\"application\\\\/rdap+json\\"},{\\"value\\":\\"https:\\\\/\\\\/rdap.squarespace.domains\\\\/domain\\\\/PARKCITIESLINCOLNOFFERS.COM\\",\\"rel\\":\\"related\\",\\"href\\":\\"https:\\\\/\\\\/rdap.squarespace.domains\\\\/domain\\\\/PARKCITIESLINCOLNOFFERS.COM\\",\\"type\\":\\"application\\\\/rdap+json\\"}],\\"status\\":[\\"client delete prohibited\\",\\"client transfer prohibited\\"],\\"entities\\":[{\\"objectClassName\\":\\"entity\\",\\"handle\\":\\"895\\",\\"roles\\":[\\"registrar\\"],\\"publicIds\\":[{\\"type\\":\\"IANA Registrar ID\\",\\"identifier\\":\\"895\\"}],\\"vcardArray\\":[\\"vcard\\",[[\\"version\\",{},\\"text\\",\\"4.0\\"],[\\"fn\\",{},\\"text\\",\\"Squarespace Domains II LLC\\"]]],\\"entities\\":[{\\"objectClassName\\":\\"entity\\",\\"roles\\":[\\"abuse\\"],\\"vcardArray\\":[\\"vcard\\",[[\\"version\\",{},\\"text\\",\\"4.0\\"],[\\"fn\\",{},\\"text\\",\\"\\"],[\\"tel\\",{\\"type\\":\\"voice\\"},\\"uri\\",\\"tel:+1.6466935324\\"],[\\"email\\",{},\\"text\\",\\"abuse-complaints@squarespace.com\\"]]]}]}],\\"events\\":[{\\"eventAction\\":\\"registration\\",\\"eventDate\\":\\"2016-11-03T02:54:47Z\\"},{\\"eventAction\\":\\"expiration\\",\\"eventDate\\":\\"2025-11-03T02:54:47Z\\"},{\\"eventAction\\":\\"last changed\\",\\"eventDate\\":\\"2024-10-19T06:10:25Z\\"},{\\"eventAction\\":\\"last update of RDAP 
database\\",\\"eventDate\\":\\"2025-03-10T16:25:18Z\\"}],\\"secureDNS\\":{\\"delegationSigned\\":false},\\"nameservers\\":[{\\"objectClassName\\":\\"nameserver\\",\\"ldhName\\":\\"NS-CLOUD-D1.GOOGLEDOMAINS.COM\\"},{\\"objectClassName\\":\\"nameserver\\",\\"ldhName\\":\\"NS-CLOUD-D2.GOOGLEDOMAINS.COM\\"},{\\"objectClassName\\":\\"nameserver\\",\\"ldhName\\":\\"NS-CLOUD-D3.GOOGLEDOMAINS.COM\\"},{\\"objectClassName\\":\\"nameserver\\",\\"ldhName\\":\\"NS-CLOUD-D4.GOOGLEDOMAINS.COM\\"}],\\"rdapConformance\\":[\\"rdap_level_0\\",\\"icann_rdap_technical_implementation_guide_0\\",\\"icann_rdap_response_profile_0\\"],\\"notices\\":[{\\"title\\":\\"Terms of Use\\",\\"description\\":[\\"Service subject to Terms of Use.\\"],\\"links\\":[{\\"href\\":\\"https:\\\\/\\\\/www.verisign.com\\\\/domain-names\\\\/registration-data-access-protocol\\\\/terms-service\\\\/index.xhtml\\",\\"type\\":\\"text\\\\/html\\"}]},{\\"title\\":\\"Status Codes\\",\\"description\\":[\\"For more information on domain status codes, please visit https:\\\\/\\\\/icann.org\\\\/epp\\"],\\"links\\":[{\\"href\\":\\"https:\\\\/\\\\/icann.org\\\\/epp\\",\\"type\\":\\"text\\\\/html\\"}]},{\\"title\\":\\"RDDS Inaccuracy Complaint Form\\",\\"description\\":[\\"URL of the ICANN RDDS Inaccuracy Complaint Form: https:\\\\/\\\\/icann.org\\\\/wicf\\"],\\"links\\":[{\\"href\\":\\"https:\\\\/\\\\/icann.org\\\\/wicf\\",\\"type\\":\\"text\\\\/html\\"}]}]}","source_type":"registry","timestamp":"2025-03-10T16:25:29Z","url":"https://rdap.verisign.com/com/v1/domain/parkcitieslincolnoffers.com"},{"data":"{\\"rdapConformance\\":[\\"rdap_level_0\\"],\\"objectClassName\\":\\"domain\\",\\"lang\\":\\"en-US\\",\\"events\\":[{\\"eventAction\\":\\"registration\\",\\"eventActor\\":\\"Squarespace Domains II LLC\\",\\"eventDate\\":\\"2016-11-03T02:54:47Z\\"},{\\"eventAction\\":\\"last changed\\",\\"eventActor\\":\\"Squarespace Domains II 
LLC\\",\\"eventDate\\":\\"2024-10-19T06:10:25Z\\"},{\\"eventAction\\":\\"expiration\\",\\"eventActor\\":\\"Squarespace Domains II LLC\\",\\"eventDate\\":\\"2025-11-03T02:54:47Z\\"}],\\"status\\":[\\"client transfer prohibited\\",\\"client delete prohibited\\"],\\"port43\\":\\"whois.squarespace.domains\\",\\"handle\\":\\"2071186162_DOMAIN_COM-VRSN\\",\\"ldhName\\":\\"parkcitieslincolnoffers.com\\",\\"unicodeName\\":\\"parkcitieslincolnoffers.com\\",\\"secureDNS\\":{\\"delegationSigned\\":false},\\"entities\\":[{\\"objectClassName\\":\\"entity\\",\\"vcardArray\\":[\\"vcard\\",[[\\"version\\",{},\\"text\\",\\"4.0\\"],[\\"fn\\",{},\\"text\\",\\"REDACTED FOR PRIVACY\\"],[\\"adr\\",{},\\"text\\",[\\"\\",\\"\\",\\"REDACTED FOR PRIVACY\\",\\"REDACTED FOR PRIVACY\\",\\"VA\\",\\"REDACTED FOR PRIVACY\\",\\"US\\"]],[\\"org\\",{},\\"text\\",\\"TVM\\"]]],\\"roles\\":[\\"administrative\\"]},{\\"objectClassName\\":\\"entity\\",\\"vcardArray\\":[\\"vcard\\",[[\\"version\\",{},\\"text\\",\\"4.0\\"],[\\"fn\\",{},\\"text\\",\\"REDACTED FOR PRIVACY\\"],[\\"adr\\",{},\\"text\\",[\\"\\",\\"\\",\\"REDACTED FOR PRIVACY\\",\\"REDACTED FOR PRIVACY\\",\\"VA\\",\\"REDACTED FOR PRIVACY\\",\\"US\\"]],[\\"org\\",{},\\"text\\",\\"TVM\\"]]],\\"roles\\":[\\"registrant\\"]},{\\"objectClassName\\":\\"entity\\",\\"vcardArray\\":[\\"vcard\\",[[\\"version\\",{},\\"text\\",\\"4.0\\"],[\\"fn\\",{},\\"text\\",\\"REDACTED FOR PRIVACY\\"],[\\"adr\\",{},\\"text\\",[\\"\\",\\"\\",\\"REDACTED FOR PRIVACY\\",\\"REDACTED FOR PRIVACY\\",\\"VA\\",\\"REDACTED FOR PRIVACY\\",\\"US\\"]],[\\"org\\",{},\\"text\\",\\"TVM\\"]]],\\"roles\\":[\\"technical\\"]}],\\"publicIds\\":[{\\"type\\":\\"IANA Registrar 
ID\\",\\"identifier\\":\\"895\\"}],\\"nameservers\\":[{\\"objectClassName\\":\\"nameserver\\",\\"ldhName\\":\\"ns-cloud-d2.googledomains.com\\",\\"unicodeName\\":\\"ns-cloud-d2.googledomains.com\\",\\"ipAddresses\\":{\\"v4\\":[],\\"v6\\":[]}},{\\"objectClassName\\":\\"nameserver\\",\\"ldhName\\":\\"ns-cloud-d3.googledomains.com\\",\\"unicodeName\\":\\"ns-cloud-d3.googledomains.com\\",\\"ipAddresses\\":{\\"v4\\":[],\\"v6\\":[]}},{\\"objectClassName\\":\\"nameserver\\",\\"ldhName\\":\\"ns-cloud-d1.googledomains.com\\",\\"unicodeName\\":\\"ns-cloud-d1.googledomains.com\\",\\"ipAddresses\\":{\\"v4\\":[],\\"v6\\":[]}},{\\"objectClassName\\":\\"nameserver\\",\\"ldhName\\":\\"ns-cloud-d4.googledomains.com\\",\\"unicodeName\\":\\"ns-cloud-d4.googledomains.com\\",\\"ipAddresses\\":{\\"v4\\":[],\\"v6\\":[]}}]}","source_type":"registrar","timestamp":"2025-03-10T16:25:32Z","url":"https://rdap.squarespace.domains/domain/PARKCITIESLINCOLNOFFERS.COM"}]},"parsed_record":{"parsed_fields":{"conformance":["rdap_level_0"],"contacts":[{"city":"REDACTED FOR PRIVACY","country":"US","name":"REDACTED FOR PRIVACY","org":"TVM","postal":"REDACTED FOR PRIVACY","region":"VA","roles":["administrative"],"street":"REDACTED FOR PRIVACY"},{"city":"REDACTED FOR PRIVACY","country":"US","name":"REDACTED FOR PRIVACY","org":"TVM","postal":"REDACTED FOR PRIVACY","region":"VA","roles":["registrant"],"street":"REDACTED FOR PRIVACY"},{"city":"REDACTED FOR PRIVACY","country":"US","name":"REDACTED FOR PRIVACY","org":"TVM","postal":"REDACTED FOR PRIVACY","region":"VA","roles":["technical"],"street":"REDACTED FOR PRIVACY"}],"creation_date":"2016-11-03T02:54:47+00:00","dnssec":{"signed":false},"domain":"parkcitieslincolnoffers.com","domain_statuses":["client transfer prohibited","client delete 
prohibited"],"email_domains":["squarespace.com"],"emails":["abuse-complaints@squarespace.com"],"expiration_date":"2025-11-03T02:54:47+00:00","handle":"2071186162_DOMAIN_COM-VRSN","last_changed_date":"2024-10-19T06:10:25+00:00","links":[{"href":"https://rdap.verisign.com/com/v1/domain/PARKCITIESLINCOLNOFFERS.COM","rel":"self"},{"href":"https://rdap.squarespace.domains/domain/PARKCITIESLINCOLNOFFERS.COM","rel":"related"}],"nameservers":["ns-cloud-d2.googledomains.com","ns-cloud-d3.googledomains.com","ns-cloud-d1.googledomains.com","ns-cloud-d4.googledomains.com"],"registrar":{"contacts":[{"email":"abuse-complaints@squarespace.com","name":"","phone":"tel:+1.6466935324","roles":["abuse"]}],"iana_id":"895","name":"Squarespace Domains II LLC"},"unclassified_emails":[]},"registrar_request_url":"https://rdap.squarespace.domains/domain/PARKCITIESLINCOLNOFFERS.COM","registry_request_url":"https://rdap.verisign.com/com/v1/domain/parkcitieslincolnoffers.com"}}' ] +DOMAINRISK_RESPONSE = [ + '{"timestamp":"2025-09-06T21:18:06Z","domain":"resmiguncelsite.com","phishing_risk":99,"malware_risk":99,"spam_risk":99,"proximity_risk":100,"overall_risk":100}', + '{"timestamp":"2025-09-06T21:42:06Z","domain":"bpi-cye.co","phishing_risk":99,"malware_risk":99,"spam_risk":99,"proximity_risk":100,"overall_risk":45}', + '{"timestamp":"2025-09-06T21:12:06Z","domain":"antthrobchannel.com","phishing_risk":99,"malware_risk":99,"spam_risk":99,"proximity_risk":100,"overall_risk":63}' +] + +DOMAINHOTLIST_RESPONSE = [ + '{"timestamp":"2025-09-06T22:27:06Z","domain":"scmipgf.icu","phishing_risk":99,"malware_risk":99,"spam_risk":99,"proximity_risk":100,"overall_risk":100,"expires":"2025-09-07T11:34:51Z"}', + '{"timestamp":"2025-09-06T22:26:49Z","domain":"growth-hacker-ppc.com","phishing_risk":99,"malware_risk":99,"spam_risk":99,"proximity_risk":100,"overall_risk":100,"expires":"2025-09-07T19:19:29Z"}', + 
'{"timestamp":"2025-09-06T22:26:55Z","domain":"gq5zn0u.top","phishing_risk":99,"malware_risk":99,"spam_risk":99,"proximity_risk":100,"overall_risk":100,"expires":"2025-09-07T11:53:17Z"}' +] NOD_PARSED_INDICATOR_RESPONSE = [ { @@ -668,7 +679,6 @@ }, ] - DOMAINRDAP_PARSED_INDICATOR_RESPONSE = [ { "value": "parkcitieslincolnoffers.com", 
@@ -766,3 +776,105 @@ }, } ] + +DOMAINRISK_PARSED_INDICATOR_RESPONSE = [ + { + "value": "resmiguncelsite.com", + "type": "Domain", + "fields": { + "tags": "DomainToolsFeeds,domainrisk", + "service": "DomainTools Feeds", + "firstseenbysource": "2025-09-06T21:18:06Z", + "sourcebrands": "FeedDomainTools", + }, + "rawJSON": { + "value": "resmiguncelsite.com", + "type": "Domain", + "timestamp": "2025-09-06T21:18:06Z", + }, + "score": 3 + }, + { + "value": "bpi-cye.co", + "type": "Domain", + "fields": { + "tags": "DomainToolsFeeds,domainrisk", + "service": "DomainTools Feeds", + "firstseenbysource": "2025-09-06T21:42:06Z", + "sourcebrands": "FeedDomainTools", + }, + "rawJSON": { + "value": "bpi-cye.co", + "type": "Domain", + "timestamp": "2025-09-06T21:42:06Z", + }, + "score": 1 + }, + { + "value": "antthrobchannel.com", + "type": "Domain", + "fields": { + "tags": "DomainToolsFeeds,domainrisk", + "service": "DomainTools Feeds", + "firstseenbysource": "2025-09-06T21:12:06Z", + "sourcebrands": "FeedDomainTools", + }, + "rawJSON": { + "value": "antthrobchannel.com", + "type": "Domain", + "timestamp": "2025-09-06T21:12:06Z", + }, + "score": 2 + } +] + +DOMAINHOTLIST_PARSED_INDICATOR_RESPONSE = [ + { + "value": "scmipgf.icu", + "type": "Domain", + "fields": { + "tags": "DomainToolsFeeds,domainhotlist", + "service": "DomainTools Feeds", + "firstseenbysource": "2025-09-06T22:27:06Z", + "sourcebrands": "FeedDomainTools", + }, + "rawJSON": { + "value": "scmipgf.icu", + "type": "Domain", + "timestamp": "2025-09-06T22:27:06Z", + }, + "score": 3 + }, + { + "value": "growth-hacker-ppc.com", + "type": "Domain", + "fields": { + "tags": "DomainToolsFeeds,domainhotlist", + "service": "DomainTools Feeds", + "firstseenbysource": "2025-09-06T22:26:49Z", + "sourcebrands": "FeedDomainTools", + }, + "rawJSON": { + "value": "growth-hacker-ppc.com", + "type": "Domain", + "timestamp": "2025-09-06T22:26:49Z", + }, + "score": 1 + }, + { + "value": "gq5zn0u.top", + "type": "Domain", + "fields": { + 
"tags": "DomainToolsFeeds,domainhotlist", + "service": "DomainTools Feeds", + "firstseenbysource": "2025-09-06T22:26:55Z", + "sourcebrands": "FeedDomainTools", + }, + "rawJSON": { + "value": "gq5zn0u.top", + "type": "Domain", + "timestamp": "2025-09-06T22:26:55Z", + }, + "score": 2 + } +] From 76c125bbb21857bc581c836f1b347a70864810ee Mon Sep 17 00:00:00 2001 From: bluza Date: Sun, 7 Sep 2025 09:25:20 -0700 Subject: [PATCH 2/2] Update vendor-sdk docker image --- .../Integrations/FeedDomainTools/FeedDomainTools.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Packs/FeedDomainTools/Integrations/FeedDomainTools/FeedDomainTools.yml b/Packs/FeedDomainTools/Integrations/FeedDomainTools/FeedDomainTools.yml index 2d077cad3402..e1593caec9cb 100644 --- a/Packs/FeedDomainTools/Integrations/FeedDomainTools/FeedDomainTools.yml +++ b/Packs/FeedDomainTools/Integrations/FeedDomainTools/FeedDomainTools.yml @@ -197,7 +197,7 @@ script: default: false required: false secret: false - dockerimage: demisto/vendors-sdk:1.0.0.3242986 + dockerimage: demisto/vendors-sdk:1.0.0.4577311 feed: true isfetch: false longRunning: false