Fix DomainGlob expansion and legacy query mode persistence in EDL (#43809)

* DomainGlob expansion and legacy query mode persistence in EDL

* Create 3_3_28.md

* Update EDL.py

* Update EDL.py

* Update 3_3_28.md

* Update unit tests

* Update EDL.py

* Update release notes again

* Update EDL.py

Author: kamalq97

Packs/EDL/Integrations/EDL/EDL.py

@@ -226,7 +226,9 @@ def from_context_json(cls, ctx_dict):
     def get_fields_to_present(self, fields_to_present: str) -> str:
         # based on func ToIoC https://github.com/demisto/server/blob/master/domain/insight.go
 
-        if fields_to_present == "use_legacy_query":
+        # Fixes legacy query mode silently lost after the first refresh because
+        # `get_fields_to_present("")` returned "name,type" instead of ""
+        if fields_to_present == "use_legacy_query" or (not fields_to_present and self.out_format == FORMAT_TEXT):
             return ""
 
         fields_for_format = {
@@ -867,7 +869,8 @@ def create_text_out_format(iocs: IO, request_args: RequestArguments) -> tuple[Un
             # for PAN-OS *.domain.com does not match domain.com
             # we should provide both
             # this could generate more than num entries according to PAGE_SIZE
-            if indicator.startswith("*."):
+            # Handle DomainGlob type indicators even when value doesn't start with "*."
+            if indicator.startswith("*.") or ioc_type == FeedIndicatorType.DomainGlob:
                 domain = str(indicator.lstrip("*."))
                 # if we should ignore TLDs and the domain is a TLD
                 if request_args.no_wildcard_tld and tldextract.extract(domain).suffix == domain:

Packs/EDL/Integrations/EDL/EDL_test.py

@@ -142,7 +142,11 @@ def test_get_edl_on_demand__with_refresh_signal(self, mocker):
 
         expected_edl = "8.8.8.8"
         edl_log_line = "\nAdded | 8.8.8.8 | 8.8.8.8 | Found new Domain."
-        ctx = {edl.EDL_ON_DEMAND_KEY: True, edl.RequestArguments.CTX_QUERY_KEY: "*"}
+        ctx = {
+            edl.EDL_ON_DEMAND_KEY: True,
+            edl.RequestArguments.CTX_QUERY_KEY: "*",
+            edl.RequestArguments.CTX_FIELDS_TO_PRESENT: "name,type",
+        }
         tmp_dir = mkdtemp()
         edl.EDL_ON_DEMAND_CACHE_PATH = os.path.join(tmp_dir, "cache")
         mocker.patch.object(edl, "get_integration_context", return_value=ctx)
@@ -525,7 +529,9 @@ def test_create_csv_out_format(self):
 
         with open("test_data/demisto_url_iocs.json") as iocs_json_f:
             iocs_json = json.loads(iocs_json_f.read())
-            request_args = RequestArguments(query="", drop_invalids=True, url_port_stripping=True, url_protocol_stripping=True)
+            request_args = RequestArguments(
+                query="", drop_invalids=True, url_port_stripping=True, url_protocol_stripping=True, fields_to_present="name,type"
+            )
             returned_output = ""
             not_first_call = False
             for ioc in iocs_json:
@@ -1488,19 +1494,73 @@ def test_store_log_data(mocker, wip_exist):
     "out_format, fields_to_present, expected",
     [
         # Case 1: use_legacy_query returns ""
-        (FORMAT_TEXT, "use_legacy_query", ""),
+        pytest.param(FORMAT_TEXT, "use_legacy_query", "", id="legacy_query_mode"),
         # Case 2: FORMAT_CSV with 'all' returns ""
-        (FORMAT_CSV, "all", ""),
+        pytest.param(FORMAT_CSV, "all", "", id="csv_all_fields"),
         # Case 3: FORMAT_JSON with 'value' replaced to 'name'
-        (FORMAT_JSON, "value,type", "name,type"),
+        pytest.param(FORMAT_JSON, "value,type", "name,type", id="json_value_to_name"),
         # Case 4: FORMAT_MWG with no fields_to_present
-        (FORMAT_MWG, "", RequestArguments.FILTER_FIELDS_ON_FORMAT_MWG),
+        pytest.param(FORMAT_MWG, "", RequestArguments.FILTER_FIELDS_ON_FORMAT_MWG, id="mwg_default_fields"),
         # Case 5: FORMAT_PROXYSG with no fields_to_present
-        (FORMAT_PROXYSG, "", RequestArguments.FILTER_FIELDS_ON_FORMAT_PROXYSG),
+        pytest.param(FORMAT_PROXYSG, "", RequestArguments.FILTER_FIELDS_ON_FORMAT_PROXYSG, id="proxysg_default_fields"),
         # Case 6: Unknown format fallback to FILTER_FIELDS_ON_FORMAT_TEXT
-        ("unknown_format", "", RequestArguments.FILTER_FIELDS_ON_FORMAT_TEXT),
+        pytest.param("unknown_format", "", RequestArguments.FILTER_FIELDS_ON_FORMAT_TEXT, id="unknown_format_fallback"),
+        # Case 7: Empty string returns "" (fix for XSUP-67083 - legacy mode preservation)
+        pytest.param(FORMAT_TEXT, "", "", id="empty_string_returns_empty"),
     ],
 )
 def test_get_fields_to_present(out_format, fields_to_present, expected):
+    """
+    Given:
+        - Various output formats and fields_to_present values
+    When:
+        - Creating RequestArguments with different field configurations
+    Then:
+        - Ensure get_fields_to_present returns the correct field list
+        - Ensure empty string is treated as legacy query mode (returns "")
+    """
     args = RequestArguments(out_format=out_format, fields_to_present=fields_to_present)
     assert args.fields_to_present == expected
+
+
+@pytest.mark.parametrize(
+    "indicator_value, indicator_type, expected_output",
+    [
+        pytest.param("*.example.org", "DomainGlob", ["example.org", "*.example.org"], id="domainglob_with_wildcard_prefix"),
+        pytest.param("*.example.org", "URL", ["example.org", "*.example.org"], id="url_with_wildcard_prefix"),
+        pytest.param("example.com", "Domain", ["example.com"], id="domain_without_wildcard"),
+    ],
+)
+def test_domain_glob_wildcard_expansion(indicator_value: str, indicator_type: str, expected_output: list):
+    """
+    Given:
+        - Indicators with different types (DomainGlob, URL, Domain) and values
+    When:
+        - Processing indicators through create_text_out_format for PAN-OS text output
+    Then:
+        - Ensure DomainGlob indicators produce both wildcard and bare domain forms
+        - Ensure URL wildcards are handled correctly
+        - Ensure regular domains produce only the domain itself
+        - Ensure DomainGlob type triggers expansion even without "*." prefix
+    """
+    import json
+    from io import StringIO
+    from EDL import create_text_out_format
+
+    # Create indicator data in memory (no file writing)
+    indicator_json = json.dumps({"value": indicator_value, "indicator_type": indicator_type})
+    indicators_data = StringIO(indicator_json + "\n")
+
+    # Create request arguments for PAN-OS text format
+    request_args = RequestArguments(out_format=FORMAT_TEXT)
+
+    # Process the indicator
+    output, _ = create_text_out_format(indicators_data, request_args)
+
+    # Parse the output - seek to beginning and read
+    output.seek(0)
+    output_content = output.read().strip()
+    output_lines = output_content.split("\n") if output_content else []
+
+    # Verify the output matches expected
+    assert sorted(output_lines) == sorted(expected_output)

Packs/EDL/ReleaseNotes/3_3_31.md

@@ -0,0 +1,8 @@
+
+#### Integrations
+
+##### Generic Export Indicators Service
+
+- Fixed an issue where DomainGlob wildcard indicators (e.g., `*.example.com`) were not appearing in the EDL output when the platform returned the bare domain instead of the wildcard form.
+
+- Fixed an issue where legacy query mode was silently lost after the first EDL refresh, causing the integration to present the `name` and `type` fields only instead of no field filtering.

Packs/EDL/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Generic Export Indicators Service",
     "description": "Use this pack to generate a list based on your Threat Intel Library, and export it to any product in your network, such as firewalls, agents or SIEMs. This pack supports ongoing distribution of indicators from XSOAR to other products in the network, by creating an endpoint with a list of indicators that can be pulled by external vendors.",
     "support": "xsoar",
-    "currentVersion": "3.3.30",
+    "currentVersion": "3.3.31",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",