Darkmon Pack — 1.0.0 (new pack) #44273
Initial Marketplace submission of the Darkmon pack — a developer-supported content pack that connects Cortex XSOAR to Darkmon TIP for real-time threat intelligence from the Clear, Deep, and Dark Web. The pack ships:

- 1 integration with 18 commands (indicator enrichment via DBotScore/Common.<Type>, IOC feed for TIM, compromised data, board protection, ransomware, NRD, CVE, and a dynamic global search)
- 20 playbooks (5 indicator enrichers, 5 continuous-monitoring sweeps, 5 incident responders, 3 provider-agnostic switchboard sub-playbooks, plus utilities)
- 6 incident types with custom layouts, 27 incident fields, 5 indicator fields
- 14 lists for multi-tenant tunables and dedup state
- 6 cron jobs wired to the monitoring playbooks

Validated locally with demisto-sdk validate (clean) and 81 unit tests pass.
Thank you for your contribution. Your generosity and caring are unrivaled! Make sure to register your contribution by filling the Contribution Registration form, so our content wizard @kamalq97 will know the proposed changes are ready to be reviewed.
Hi @dakmon-cybersecurity, thanks for contributing to the XSOAR marketplace. To receive credit for your generous contribution please follow this link.
🤖 AI-Powered Code Review Available
Hi @kamalq97, @Benimanela, you can leverage AI-powered code review to assist with this PR! Available Commands:
- Remove internal dev build script (sync_yaml.py)
- Remove doc_files (internal screenshots from a non-public tenant and the demo-video planning note); pack ships without screenshots for now
- README + release notes: remove mentions of features that are not in the pack yet (Darkmon Setup Wizard, Threat Overview dashboard, Weekly Threat Intel Digest report) — those will arrive in a future minor version
Align Darkmon pack with the repo's pre-commit pipeline:

- Replace top-of-file `register_module_line(...)` + `CONSTANT_PACK_VERSION` / `demisto.debug(pack id)` build markers with the standard `import demistomock as demisto` + `from CommonServerPython import *` preamble (silences F821 for runtime-injected names).
- Drop the trailing `register_module_line(... 'end' ...)` from every integration/script source file.
- Empty the YAML's inline `script.script` body; demisto-sdk inlines Darkmon.py at packaging time, matching the upstream convention.
- Run `ruff format` over Integrations/ and Scripts/.
- Update tests that asserted on the removed source markers (pack version check now reads pack_metadata.json; YAML drift check now requires the inline script body to be empty).
For the Reviewer: Trigger build request has been accepted for this contribution PR.
For the Reviewer: Successfully created a pipeline in GitLab with url: https://gitlab.xdr.pan.local/xdr/cortex-content/content/-/pipelines/8988081
marketplace-ai-reviewer left a comment on the following test lines:
```python
assert "DOMAIN Indicators" in md
assert "FILE Indicators" in md
assert "IP Indicators" in md
assert "phish.example.com" in md
```

```python
md = result.readable_output
assert "Domains Information" in md  # uses TipFeature enum value
assert "malicious" in md
assert "evil.com" in md
```

```python
# Rendering should only show a Urls table
md = result.readable_output
assert "Urls Information" in md
assert "https://x.example" in md
```
- Darkmon.py: split two `Common.File`/pagination-help strings across multiple lines to satisfy E501 (130-char limit).
- Apply ruff's `--unsafe-fixes` for UP038 (`isinstance` tuple -> PEP 604 union) and C414 (drop the redundant `list()` inside `sorted()`).
- Darkmon_test.py: split each PT018 multi-condition assertion into separate asserts; collapse the PIE810 `endswith` chain into a single tuple call; rename the unused loop variable to `_` for B007.
- DarkmonCreateIncidents.py: drop the unused `labels` assignment (F841).

Verified locally with the repo's pyproject ruff config (line-length 130, py311, full demisto select-list): no findings outside the already-excluded sync_yaml.py / conftest.py. 225 unit tests pass.
- Drop the duplicate `camel_case_to_underscore` definition in Darkmon.py (CommonServerPython already exports it, so the local copy was triggering pylint E0102 and mypy [no-redef]). The unused `import re` follows automatically. Remove the matching unit test.
- Annotate previously-inferred empty containers: 9 x `headers_set = set()` -> `set[str]`, plus `type_groups` and `all_headers`.
- Coerce `arg_to_number(...)` callers in the two affected commands to fall back to a sane default (DEFAULT_SIZE / 1) so the result is a concrete `int`, not `int | None`. Likewise default `indicator_type` to `""` before passing it through; the Client still raises `Invalid indicator type` for empty/unknown values.
- Narrow `cr.outputs` to a dict before subscript/spread so mypy stops flagging the `object`-typed return.
- Replace test-only `builtins.DemistoException` / `builtins.demisto` references with `src.DemistoException` / `src.demisto`. These rely on the now-correct `from CommonServerPython import *` preamble and let the docker-hosted pytest hook run without our local conftest.
- README.md: add the blank line markdownlint MD032 requires between each `###` heading and the bullet list that follows.

Local pytest: 220 passing. Local ruff (format + repo's full select list, line-length 130, py311): clean across all PR files.
The Domains/IP/etc. tables emitted by `dmontip-global-search` previously
fed every header through CommonServerPython's `string_to_table_header`,
which capitalises one word at a time and silently lower-cases acronyms
("WHOIS Registrar" -> "Whois Registrar"). The backend already returns a
pre-formatted `displayName` per cell, so the second transform was both
redundant and wrong.
- When `displayName` is present, use it verbatim as the column header.
- When only `accessorKey` is available, convert it once via
`pascalToSpace` (CSP) so acronyms survive (e.g. `firstSeenIP` ->
`First Seen IP`).
- Drop the `headerTransform=string_to_table_header` argument from
`tableToMarkdown` so headers are no longer mangled a second time.
Fixes the pytest-in-docker failure on
`test_global_search_handles_brand_new_columns_without_code_changes`.
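To make the header rule in this commit concrete, here is an added example. It is not the pack's code and not CommonServerPython's: `naive_title_case` and `pascal_to_space` only approximate the `string_to_table_header` / `pascalToSpace` behaviour described above, and the `accessorKey` / `displayName` column shape plus the sample rows are constructed for the example. It also shows the general consequence: a column the backend adds later gets a usable header from its metadata alone.

```python
from __future__ import annotations

import re

# Tokenizer for camel/PascalCase accessor keys. A run of capitals that is not
# followed by a lowercase letter is an acronym (IP, URL, WHOIS) and stays whole.
_WORD = re.compile(r"[A-Z]+(?![a-z])|[A-Z]?[a-z]+|\d+")


def naive_title_case(header: str) -> str:
    """The lossy transform the commit removes: str.title() lower-cases every
    letter after the first in each word, so acronyms are mangled."""
    return header.replace("_", " ").title()


def pascal_to_space(key: str) -> str:
    """Split an accessorKey into words exactly once, keeping acronyms intact."""
    words = _WORD.findall(key)
    return " ".join(w if w.isupper() else w[:1].upper() + w[1:] for w in words)


def column_header(column: dict) -> str:
    """displayName wins verbatim; otherwise convert accessorKey a single time."""
    if column.get("displayName"):
        return column["displayName"]
    return pascal_to_space(column["accessorKey"])


def render_table(title: str, columns: list[dict], rows: list[dict]) -> str:
    """Render rows as a markdown table whose headers come only from column metadata,
    with no second header transform applied."""
    headers = [column_header(c) for c in columns]
    keys = [c["accessorKey"] for c in columns]
    lines = [
        f"### {title}",
        "| " + " | ".join(headers) + " |",
        "|" + " --- |" * len(headers),
    ]
    for row in rows:
        lines.append("| " + " | ".join(str(row.get(k, "")) for k in keys) + " |")
    return "\n".join(lines)


# Constructed sample (assumed shape): the backend sends column metadata next to
# the rows; the third column is "brand new" and has no displayName yet.
SAMPLE_COLUMNS = [
    {"accessorKey": "domain", "displayName": "Domain"},
    {"accessorKey": "whoisRegistrar", "displayName": "WHOIS Registrar"},
    {"accessorKey": "firstSeenIP"},
]
SAMPLE_ROWS = [
    {"domain": "phish.example.com", "whoisRegistrar": "Example Registrar Ltd", "firstSeenIP": "203.0.113.7"},
]

if __name__ == "__main__":
    print(naive_title_case("WHOIS Registrar"))  # Whois Registrar (the old, wrong header)
    print(render_table("Domains", SAMPLE_COLUMNS, SAMPLE_ROWS))
```

Because `render_table` never reaches into the column list with hard-coded names, a column the backend introduces later renders with a sensible header and no code change, which is the property the referenced test checks.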
Summary

Initial Marketplace submission of the Darkmon Threat Intelligence pack — a developer-supported content pack that brings real-time clear-, deep- and dark-web threat intelligence from Darkmon into Cortex XSOAR.

- Support: developer (maintained by Darkmon via code@darkmon.com / support@darkmon.com)
- Marketplaces: xsoar, marketplacev2
- fromVersion: 6.5.0 (jobs require 6.8.0)

What's in the pack

- ip/url/domain/email/file) wired to DBotScore + Common.<Type>; IOC feed for TIM; `dmontip-*` discovery commands; dynamic global search

Compliance posture

Default config redacts secrets (passwords, card numbers) from War Room markdown via the integration's `redact_secrets` toggle. Raw values remain in `rawJSON` for automation. Provider-agnostic switchboards keep responder playbooks vendor-neutral.

Test plan

- `demisto-sdk validate -i Packs/Darkmon` — all validations passed locally
- Unit tests (`Darkmon_test.py`)
- `Test` returned Success; `!dmontip-get-cve` and `!dmontip-get-compromised` returned live data with expected schema

About the contributor

This is a first-time submission from Darkmon (`dakmon-cybersecurity` GitHub org). Contact: code@darkmon.com (developer) / support@darkmon.com (devEmail). We'll fill the Contributor Registration Form and sign the CLA from this account once the bot comment appears.
relates: https://jira-dc.paloaltonetworks.com/browse/CIAC-16765
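An added example of the redaction split described under "Compliance posture" above. This is example code, not the Darkmon integration's own `redact_secrets` implementation: the secret field names, the Luhn-checked card-number heuristic, the masking format and the sample records are all assumptions constructed for the example. It shows the pattern of scrubbing only the War Room markdown while returning the raw records, which an integration would hand to `rawJSON` / context, untouched.

```python
from __future__ import annotations

import re

# Assumed field names that carry a password-like secret (constructed for this example).
SECRET_KEYS = {"password", "passwd", "secret", "token"}

# 13-19 digit runs, optionally separated by single spaces or dashes.
_CARD_RUN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so ordinary long numbers (ticket IDs, timestamps) are not masked."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_card_numbers(text: str) -> str:
    """Keep only the last four digits of any Luhn-valid card number found in free text."""
    def _mask(match: re.Match) -> str:
        digits = re.sub(r"\D", "", match.group(0))
        if not luhn_ok(digits):
            return match.group(0)
        return "*" * (len(digits) - 4) + digits[-4:]
    return _CARD_RUN.sub(_mask, text)


def redact_record(record: dict) -> dict:
    """Return a display copy: secret fields replaced, card numbers masked, nesting preserved."""
    out: dict = {}
    for key, value in record.items():
        if key.lower() in SECRET_KEYS and value:
            out[key] = "[REDACTED]"
        elif isinstance(value, str):
            out[key] = mask_card_numbers(value)
        elif isinstance(value, dict):
            out[key] = redact_record(value)
        else:
            out[key] = value
    return out


def to_war_room(records: list[dict], redact_secrets: bool = True) -> tuple[str, list[dict]]:
    """Build (readable markdown, raw records). Only the markdown is redacted; the raw
    list is returned as-is, which is what feeds rawJSON / context outputs for playbooks."""
    shown = [redact_record(r) for r in records] if redact_secrets else records
    headers = list(records[0].keys()) if records else []
    lines = ["| " + " | ".join(headers) + " |", "|" + " --- |" * len(headers)]
    for row in shown:
        lines.append("| " + " | ".join(str(row.get(h, "")) for h in headers) + " |")
    return "\n".join(lines), records


# Constructed compromised-credential records (not real data; the card number is a
# well-known test PAN and the "ticket" value deliberately fails the Luhn check).
SAMPLE_RECORDS = [
    {
        "email": "alice@example.com",
        "password": "hunter2",
        "source": "paste site",
        "note": "card 4111 1111 1111 1111 seen; ticket 1234567890123456",
    },
]

if __name__ == "__main__":
    markdown, raw = to_war_room(SAMPLE_RECORDS)
    print(markdown)
    print(raw[0]["password"])
```

The caveat a reviewer will want on the record: the toggle protects only the rendered markdown. Anyone who can read the incident's context or raw response still sees the cleartext credential and full card number, so the default should be read as reducing accidental exposure in the War Room, not as a control over who can access the data.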