Merge pull request #2 from splunk-soar-connectors/next

Merging next to main for release 1.0.1

Author: sodle-splunk

.github/workflows/linting.yml

@@ -1,7 +1,7 @@
 name: Linting
 on: [push, pull_request]
 jobs:
-  lint: 
+  lint:
     # Run per push for internal contributers. This isn't possible for forked pull requests,
     # so we'll need to run on PR events for external contributers.
     # String comparison below is case insensitive.

.gitignore

@@ -0,0 +1 @@
+.vscode/

.pre-commit-config.yaml

@@ -1,11 +1,11 @@
 repos:
 -   repo: https://github.com/phantomcyber/dev-cicd-tools
-    rev: v1.13
+    rev: v1.23
     hooks:
     -   id: org-hook
     -   id: package-app-dependencies
 -   repo: https://github.com/Yelp/detect-secrets
-    rev: v1.2.0
+    rev: v1.5.0
     hooks:
     -   id: detect-secrets
-        args: ['--no-verify']
+        args: ['--no-verify', '--exclude-files', '^gsgmail.json$']

LICENSE

@@ -186,7 +186,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright 2024 Splunk Inc.
+   Copyright (c) 2024 Splunk Inc.
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.

README.md

@@ -1,9 +1,138 @@
-# Splunk> Phantom
+[comment]: # "Auto-generated SOAR connector documentation"
+# Cisco Talos Intelligence
 
-Welcome to the open-source repository for Splunk> Phantom's talosintelligencev2 App.
+Publisher: Splunk  
+Connector Version: 1.0.1  
+Product Vendor: Cisco  
+Product Name: Talos Intelligence  
+Product Version Supported (regex): ".\*"  
+Minimum Product Version: 6.3.0  
 
-Please have a look at our [Contributing Guide](https://github.com/Splunk-SOAR-Apps/.github/blob/main/.github/CONTRIBUTING.md) if you are interested in contributing, raising issues, or learning more about open-source Phantom apps.
+This app provides investigative actions for Cisco Talos Intelligence
 
-## Legal and License
+[comment]: # " File: README.md"
+[comment]: # "Copyright (c) 2024 Splunk Inc."
+[comment]: # ""
+[comment]: # "Licensed under the Apache License, Version 2.0 (the 'License');"
+[comment]: # "you may not use this file except in compliance with the License."
+[comment]: # "You may obtain a copy of the License at"
+[comment]: # ""
+[comment]: # "    http://www.apache.org/licenses/LICENSE-2.0"
+[comment]: # ""
+[comment]: # "Unless required by applicable law or agreed to in writing, software distributed under"
+[comment]: # "the License is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,"
+[comment]: # "either express or implied. See the License for the specific language governing permissions"
+[comment]: # "and limitations under the License."
+[comment]: # ""
+## Cisco Talos Intelligence license for Splunk SOAR (Cloud)
 
-This Phantom App is licensed under the Apache 2.0 license. Please see our [Contributing Guide](https://github.com/Splunk-SOAR-Apps/.github/blob/main/.github/CONTRIBUTING.md#legal-notice) for further details.
+The Cisco Talos Intelligence license is included with your Splunk SOAR (Cloud) license.
+
+## Overview
+
+This app uses the Cisco Talos API that specializes in identifying, analyzing, and mitigating cybersecurity threats.
+
+For additional details, see the [Cisco Talos Intelligence article](https://docs.splunk.com/Documentation/SOAR/current/Playbook/Talos) in the Splunk SOAR documentation.
+
+**Note:** The Cisco Talos Intelligence asset is already configured in your Splunk SOAR (Cloud) deployment. 
+
+### Supported Actions  
+[test connectivity](#action-test-connectivity) - Validate the asset configuration for connectivity using supplied configuration  
+[ip reputation](#action-ip-reputation) - Look up Cisco Talos threat intelligence for a given IP address  
+[domain reputation](#action-domain-reputation) - Look up Cisco Talos threat intelligence for a given domain  
+[url reputation](#action-url-reputation) - Look up Cisco Talos threat intelligence for a given URL  
+
+## action: 'test connectivity'
+Validate the asset configuration for connectivity using supplied configuration
+
+Type: **test**  
+Read only: **True**
+
+Action uses the URS API to get a list of the AUP categories used to classify website content.
+
+#### Action Parameters
+No parameters are required for this action
+
+#### Action Output
+No Output  
+
+## action: 'ip reputation'
+Look up Cisco Talos threat intelligence for a given IP address
+
+Type: **investigate**  
+Read only: **True**
+
+Provides information on an IP address's reputation, so you can take appropriate action against untrusted or unwanted resources.
+
+#### Action Parameters
+PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS
+--------- | -------- | ----------- | ---- | --------
+**ip** |  required  | IP to query | string |  `ip`  `ipv6` 
+
+#### Action Output
+DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES
+--------- | ---- | -------- | --------------
+action_result.parameter.ip | string |  `ip`  `ipv6`  |  
+action_result.status | string |  |  
+action_result.message | string |  |  
+summary.total_objects | numeric |  |  
+summary.total_objects_successful | numeric |  |  
+action_result.data.\*.Observable | string |  |  
+action_result.data.\*.Threat_Level | string |  |  
+action_result.data.\*.Threat_Categories | string |  |  
+action_result.data.\*.AUP | string |  |  
+action_result.summary.message | string |  |   72.163.4.185 has a Favorable threat level   
+
+## action: 'domain reputation'
+Look up Cisco Talos threat intelligence for a given domain
+
+Type: **investigate**  
+Read only: **True**
+
+Provides information on a domain's reputation, so you can take appropriate action against untrusted or unwanted resources.
+
+#### Action Parameters
+PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS
+--------- | -------- | ----------- | ---- | --------
+**domain** |  required  | Domain to query | string |  `domain` 
+
+#### Action Output
+DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES
+--------- | ---- | -------- | --------------
+action_result.parameter.domain | string |  `domain`  |  
+action_result.status | string |  |  
+action_result.message | string |  |  
+summary.total_objects | numeric |  |  
+summary.total_objects_successful | numeric |  |  
+action_result.data.\*.Observable | string |  |  
+action_result.data.\*.Threat_Level | string |  |  
+action_result.data.\*.Threat_Categories | string |  |  
+action_result.data.\*.AUP | string |  |  
+action_result.summary.message | string |  |   splunk.com has a Favorable threat level   
+
+## action: 'url reputation'
+Look up Cisco Talos threat intelligence for a given URL
+
+Type: **investigate**  
+Read only: **True**
+
+Provides information on a URL's reputation, so you can take appropriate action against untrusted or unwanted resources.
+
+#### Action Parameters
+PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS
+--------- | -------- | ----------- | ---- | --------
+**url** |  required  | URL to query | string |  `url` 
+
+#### Action Output
+DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES
+--------- | ---- | -------- | --------------
+action_result.parameter.url | string |  `url`  |  
+action_result.status | string |  |  
+action_result.message | string |  |  
+summary.total_objects | numeric |  |  
+summary.total_objects_successful | numeric |  |  
+action_result.data.\*.Observable | string |  |  
+action_result.data.\*.Threat_Level | string |  |  
+action_result.data.\*.Threat_Categories | string |  |  
+action_result.data.\*.AUP | string |  |  
+action_result.summary.message | string |  |   https://splunk.com has a Favorable threat level 

__init__.py

@@ -0,0 +1,14 @@
+# File: __init__.py
+#
+# Copyright (c) 2024 Splunk Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under
+# the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+# either express or implied. See the License for the specific language governing permissions
+# and limitations under the License.