Crowdstrike falcon intel v2 support (#1768)

* added crowdstrike intel test playbook + v2 indicator integration

* fixed format (whitespace missing)

* extended playbook cs-indicators

* added test-module by version, more documentation

* added releaseNotes to crowdstrike falcon intel

Author: Yarden Sade

Integrations/integration-CrowdStrikeIntel.yml

@@ -5,10 +5,11 @@ name: FalconIntel
 display: CrowdStrike Falcon Intel
 category: Data Enrichment & Threat Intelligence
 image: data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAHgAAAATCAYAAABbV8lLAAALzElEQVRo3u1YeVgV5RdWMQpFKDJMVBRNJQGRfQlZFRRUFHEXs0gjQwRKAbPABZcEk9wwQzMFLVcUREEEAbdExSVMRQgURYF7Z+69c+fO3aZ3BrhyA63H3z+/fJjnmQdm7jfn+77znvOe93yd5EVnbDt1XK/uRW9cG0unrFvT8qy8efWdDq+8Qpf6Ua0J4Wkhkq6JT+CexZ/OzJGfPB7c4ZlXKYtT1q4UWL/FUl9FpjDZRycKHfrKZBk/TevwzCtySROXJYnmTjovdOxHi2aPL6C+/iJV6NyflMQu3CwvLjDq8NB//FJV3htK+No/FM0Nyhf6jKghRg6tF4dOySNGmjcQ7ubV1PLYOHlBXu8OT/2HL/nZ/ABksIQM8roqmuZ3SejUnyJ87R4DbFYw3JAl3AYLxPNn/ExvXj+BOZnVs8Nj/0WQzxfZEwGuZRy4ZKB7FeFlxRKuZiyymBXa92a5Oi0Y0ZMlRg4RiGaMzaWWx4QzWYfNXmYu2bbv/KjYiJXUkvDVsq0bpir/uPWa5rcTmb2Y/XtCmYyfFtJbksLpb5cHqOoedf67De4beuOaYGrx52uo+MXfMAfTnbWY6c/7JvLD+0NUT+p0NXssyPNVXL1srxlTV2fIHN4/R1V134B7Zg7t88e8YczPPy7E/uYx+3Y7teurglxzKmbhMklk6Hp628YQVcUfemop1VX2w6Z59PqV0fSGxCh6w+rmOzGaXhsfrSy7YiHPOdaZTk6cjzuK/m5NNJW47DPmQLqDlu3c7A9QNqNUlRWDeH9sT+kBm5FY15SWMczJ4wHShCVLVLfKzPlvftkzhV63PKp53mjYj5ZtTfZqs3Dl72W60nUJkYSHxWMAzSKLWcJjGCt0HcQK7XqzQoc++PsugH6bB1zoPEAKaj8G5e36r1S7iDQUzZ6QS3zwXoNo1rgsUciETMLT8hEC6iZTkGvCjSG8Lb2EtsYsMcbhIjHG8QICql68ICRLLRHrtgJvCBHgcgtBWCOaM/EIOc0vD2shJVHzd7EKeVdujKL0ghkEIyvPP+XI7+1xrS7hZdkg/jg4V+OofbuDEcAS1d3b3blngU3PMsJ1YC1snyP8na5inQIw2ln140d9Wr5RXDrngblEAovXwW5vso1DOrGS6E8z1KTwdfhKIni/Kyuw1OeZj08KK0N+DJOxK4z6OloHz5TAqgfGdGcFFm/wYwBeeIt9ydJFyQ2DO7GKM7l8NyP0tRnAjSODR13m915VMVRga6wkvIfXqxobjLl3opkBpY3v68BmN41dYLbruUAoykp7SBO/XiIcbVvJgUn42tZjU0qhvUkTyC03QOc2AHpnFL+dd/wngCURH2eSk0fdUFwv7aWZ62KxgWzntk9YpbIHv6HRI3zg4BpN0JWV9oIeoJj0XeP5IJFK9cE0f0qiw/Yqb1zVa+X4IQjIWunahJSWd+REj1vo8xfzv5cU2vB78bJsVFbceZNfz+IFOyURHx1pGU+4mF0ngzwXPFtbiYnow0kFEJ+/qWlah3fm3KBsgfWbLL05aaps944hEKXfMicyp/OZdPqkNZNzzEG2fdOHQpt3WMLf+RBzMMMBCeCgulPeUxw+x1Bo05PAusrleTkO9I5NY7kgQqA+wV74IKMSliQ2DnuNVZzND+TXNN7FFN+okQynm3z4UTb3u7yoYEzLOhHkJYTzAAYM4YkSOgLrscH/pu2Lrid1vRTnikybDj6u6VBxEetARxnSFXHbBFb62gA331wkS+IiFr6wBJQUWgpdzBTKG9csXjSOCHDyIca7VWu98x7eyOxNm8pnXfquUHK0zRO1+FlGa+YoPO0DvUApy2/2bnZWsmhOYCHfDm5aH0NOGFmOYH2E0uLL2/V3rkIWf6yZx21wGeFnF6nlj5o/jQGClDl+0IM/KwibfbgR2StdG78UAWDQ3h5AocO54Cc8zDdr7WPiyLfxXgz2uvBsvy530bXQ8lNZfMeC0vA3gF1NwWhKBFkhAiqUm5uKi9zT2q4oJPAc4TpIhjJgprx+xaAlWNoH+O5tc3KSZzm16qtYett34ciIxahJs1RP6wyQfdeFyAJtgE1YAaIVk095Yb+9JSmE8Bpe/U9ZTgS6eRLuw0hsPJGY4BYPZ2SDnn7n6J3fzKxxP4hmjjvabhAVFxjgWwG9Ndmdd/SJzNGkt1WDqrpKj5zhf16WmrIIdJouXR6TrLx+tR83j/LubVMtgMc6RrZZk79zueTLzz5vqv2/WxIBzrcazbuABgcSACReJRToaQGcfcSBL2k+w1Nbvyen+Bih9NUjYAgwyTH4uURgbcQigfaq5QyvM6An2mawk6mIK1sc/YJJadXDmv6t7Yo/mnyWL5kcw2Kc0Me6kk7bovdcJyuvXX5PNMO/gKOiRnMdRKJFgyTqk1/EocH5qIkSTnRpgQzDqF2kaPqYk3RqSqiKEHZtI6x2bJ6IU7N6xeULr78Y4JHuXMYgYg+Qk30KuQUr75QP1dB81PxkAFzQbmm5UGxMuA0RMccO2DfVq/v6HG3Lft4Ryv1VXLk0EEwwWzTVr5TeuuELMsj7htbczwN4rFMFBNE8TRLcv6uDY95w0tu6iqt9VEz4XlB4578DDObRBnjqKCMAVIekUELLiDnACD+HarVI1KNlTLsU7dCHwfrL4ZPDXJ2V7UxdrJXBH04qhj0ltTRyN4J3uzRpZaK85IzuP6vdPT+OFn8+50dy1Ij7TcJAvylC2qFpvh6PMGIbh+ly2RzRzrHoOwgOijl2MOSFAPvZoQa7ajIdINylv1+/vFVddEMwKVT37wxuG0RbYgBGtar+qSZ60d4dJ7ytH5BBPmXNZacvnPoQvX8Vsi+5DcC+dlqlRlF60ZHTH4rSS3xpUT190ktelD+Qt3XjWmeUi1pkmFi2e7v+vwLY3oRE5l6BH3qIPwvJBMgqrk19IcA2PVlk6Ql0E29wZxZgAbH6QXX/ZxQ94RzWTr98C3U6pytUoB1o6lvx3KAzGkXdKoOblLURywUC4TJQClFh3qY27UlbBGUrR2sxDTYN5YV53ZnMA+7Y8GXUj1H8hrwsRxF+9rUQV92a2oacQGxICfWoacnQYqWTPtY18kMZHmgrujHZh9+WJq0Ih20lnidrl4bkCE6VQktonA0GON8ItYuxnq3HCl0GQGR5xdPfr+kt25VqJkvbNh1nAY3QH9u53zmFjvP6fOxfSsUtWg06XQUxpeJKl6q6UsNaTNYhR74T8LL8QQvgYG8jjKdQcq7wAVJ+0wJ+U5KBHrfVEgkflBBtqzn6h56Y2KxJTIVIHDBqEW/7+KEQXrlHzjvaugZz3Q2+3ShNiFkt/ebL1Sitn7wU2MqbZdZCp35yTiW2gAsApOJ504/QG1ZNQd32x4TF6AnD2hUgaakL4LQ6KMc6UNwj0HGjZGlkMsSdQdOGnL3QNt1TNAPMZ+HcyWepZdE7NWwgkXTBZpLxbT1vw2PYE2RLJbIiqG1/X2yJ9UmQVeM0oCetSuDbjKoKLZGEoDkNxY76aFWPNTagpNSgJ/2KZWQ8/aopSRdZ2tYQjKvmGQ2ikxxtW6G4dlmrX4aStoMil4LuN2lR6ayAt/D+qWjW+BLNUfGK2O2gXQWTsZtX79SKuASURqmiuIBfLznZsx/hZEqJmts7VqnoLA6blQe2lCuKCnixKJk/MxdBR3Mg8wzLKXj3YcUvndHMqayxqCNyXlXbwpjrIIlopv8pKEHr5n5XH3XY4Llt2Pmi7nC4jWxvmj1saZ2MQRC9AeXaRy19VtPUJKGPute/zTpOHDXCQYG9/Mh+K/mFoq7tzcUqFJ1hr69a1tTmNNvTg1B5t43ArK40xgHDABxcmIGx+oKK27WpuHKxG/NruiWz7yer1q2axj4UPoLHFPa0zvJVD6q74H1fVe0Dzdxo+3RV9/4wxW+9m0rAU0NVxR1TNUXpNan4Kh3eVu1D41b2u0EM9295p35ci3XfM+XHtdzVVcb/08kX8+ue8RA833NtCbI3i4pduBHUG9ZxJviqHXHm5XigjVgLdWrd4Y3/r+svksqca07dD2oAAAAASUVORK5CYII=
-description: Actors, indicators and reports intelligence
+description: Actors, indicators and reports intelligence with indicator V2 api support
 detaileddescription: |-
   Please provide the API id and key for the CrowsStrike Falcon Intelligence.
   API Key Pairs can be generated by accessing the CrowdStrike API tab located in the user settings on the Intelligence Portal.
+  Indicator API v2 is supported.
 configuration:
 - display: Server URL (e.g. https://192.168.0.1)
   name: url
@@ -35,8 +36,16 @@ configuration:
   defaultvalue: "false"
   type: 8
   required: false
+- display: Support indicator API V2
+  name: version
+  defaultvalue: "true"
+  type: 8
+  required: false
 script:
   script: |
+    // determine api version for api calls
+    var version = (params.version ? "v2" : "v1");
+
     var serverUrl = params.url;
     if (serverUrl[serverUrl.length - 1] !== '/') {
         serverUrl += '/';
@@ -50,7 +59,8 @@ script:
                     'X-CSIX-CUSTID': [params.id],
                     'X-CSIX-CUSTKEY': [params.key],
                     'Content-Type': ['application/json'],
-                    'Accept': ['application/json']
+                    'Accept': ['application/json'],
+                    'X-INTEGRATION' : ['Demisto_demisto_3.6']
                 },
                 Method: method,
                 Body: body ? JSON.stringify(body) : ''
@@ -237,7 +247,7 @@ script:
                 a.order = parts[1];
             }
         }
-        var res = doReq('GET', 'indicator/v1/search/' + args.parameter, a);
+        var res = doReq('GET', 'indicator/'+ version +'/search/' + args.parameter, a);
         var md = '## Falcon Intel Indicator Search for: ' + args.value + '\n';
         var found = false;
         var ec = {};
@@ -289,7 +299,7 @@ script:
 
     var doIndicator = function(ind, type, title, appendContextFunc) {
         var a = {equal: ind};
-        var res = doReq('GET', 'indicator/v1/search/indicator', a);
+        var res = doReq('GET', 'indicator/'+ version +'/search/indicator', a);
         var md = '## ' + title + ': ' + ind + '\n';
         var ec = {};
         var found = false;
@@ -431,8 +441,13 @@ script:
 
     switch (command) {
         case 'test-module':
-            doReq('GET', 'actors/queries/actors/v1', {q: 'panda'});
-            return true;
+            if(version === 'v2') {
+                doReq('GET', 'indicator/'+ version +'/search/indicator', {equal: '4.4.4.4'});
+                return true;
+            } else {
+                doReq('GET', 'actors/queries/actors/v1', {q: 'panda'});
+                return true;
+            }
         case 'file':
             return doFile(args.file);
         case 'ip':
@@ -455,11 +470,9 @@ script:
   type: javascript
   commands:
   - name: file
-    deprecated: false
     arguments:
     - name: file
       required: true
-      deprecated: false
       default: true
       description: The file hash md5/sha1/sha256 to check
     outputs:
@@ -483,11 +496,9 @@ script:
       description: The actual score
     description: Check file reputation
   - name: url
-    deprecated: false
     arguments:
     - name: url
       required: true
-      deprecated: false
       default: true
       description: URL to be checked
     outputs:
@@ -507,11 +518,9 @@ script:
       description: The actual score
     description: Check the given URL reputation
   - name: domain
-    deprecated: false
     arguments:
     - name: domain
       required: true
-      deprecated: false
       default: true
       description: Domain to be checked
     outputs:
@@ -531,11 +540,9 @@ script:
       description: The actual score
     description: Check the given URL reputation
   - name: ip
-    deprecated: false
     arguments:
     - name: ip
       required: true
-      deprecated: false
       default: true
       description: IP to check
     outputs:
@@ -555,74 +562,55 @@ script:
       description: The actual score
     description: Check IP reputation
   - name: cs-actors
-    deprecated: false
     arguments:
     - name: q
-      deprecated: false
       default: true
       description: Search all fields for the given data
     - name: name
-      deprecated: false
       description: Search based on actor name
     - name: desc
-      deprecated: false
       description: Search based on description
     - name: minLastModifiedDate
-      deprecated: false
       description: Search range from modified date. Dates are formatted as YYYY-MM-DD.
     - name: maxLastModifiedDate
-      deprecated: false
       description: Search range to modified date. Dates are formatted as YYYY-MM-DD.
     - name: minLastActivityDate
-      deprecated: false
       description: Search range from activity date. Dates are formatted as YYYY-MM-DD.
     - name: maxLastActivityDate
-      deprecated: false
       description: Search range to activity date. Dates are formatted as YYYY-MM-DD.
     - name: origins
-      deprecated: false
       description: Search by origins separated by ","
     - name: targetCountries
-      deprecated: false
       description: Search by target countries separated by ","
     - name: targetIndustries
-      deprecated: false
       description: Search by target industries separated by ","
     - name: motivations
-      deprecated: false
       description: Search by motivations separated by ","
     - name: offset
-      deprecated: false
       description: Which page of the results to retrieve. It is 0 based.
     - name: limit
-      deprecated: false
       description: Number of results for the page
     - name: sort
-      deprecated: false
       description: Sort is field_name.order, field_name.order where order is either
         asc or desc
     - name: slug
-      deprecated: false
       description: 'Search by ''slug'' or short descriptive name. Ex: "anchor-panda"'
     description: Search known actors based on the given parameters. Dates are formatted
       as YYYY-MM-DD. Max date is taken automatically looking at end-of-day time. Origins,
       targetCountries, targetIndustries and motivations can all receive multiple values
       separated by ",". Offset is 0 based. Sort is field_name.order, field_name.order
       where order is either asc or desc.
   - name: cs-indicators
-    deprecated: false
     arguments:
     - name: parameter
       required: true
-      deprecated: false
       description: Based on what parameter to search. See CrowdStrike documentation
         for details. Can be one of indicator, type, report, actor, malicious_confidence,
         published_date, last_updated, malware_family, kill_chain, labels, DomainType,
         EmailAddressType, IntelNews, IPAddressType, Malware, Status, Target, ThreatType,
         Vulnerability
     - name: filter
       required: true
-      deprecated: false
       auto: PREDEFINED
       predefined:
       - match
@@ -634,18 +622,14 @@ script:
       description: Can be either match, equal, gt(e), lt(e)
     - name: value
       required: true
-      deprecated: false
       description: The value for the given parameter
     - name: sort
-      deprecated: false
       description: Sort by a field. Should be field_name.order where order is either
         asc or desc. Fields are indicator, type, report, actor, malicious_confidence,
         published_date, last_updated.
     - name: page
-      deprecated: false
       description: The page to retrieve - 1 based
     - name: pageSize
-      deprecated: false
       description: The size of the page to retrieve
     outputs:
     - contextPath: File.MD5
@@ -718,35 +702,25 @@ script:
       description: The actual score
     description: Search known indicators based on the given parameters
   - name: cs-reports
-    deprecated: false
     arguments:
     - name: q
-      deprecated: false
       description: Perform a generic substring search across all fields in a report
     - name: name
-      deprecated: false
       description: Search for keywords across report names (i.e. the report’s title)
     - name: actor
-      deprecated: false
       description: Search for a report related to a particular actor. For a list of
         actors, refer to the Intel Actors API
     - name: targetCountries
-      deprecated: false
       description: Search reports by targeted country/countries
     - name: targetIndustries
-      deprecated: false
       description: Search reports by targeted industry/industries
     - name: motivations
-      deprecated: false
       description: Search by motivation
     - name: slug
-      deprecated: false
       description: Search by report 'slug' or short descriptive name
     - name: description
-      deprecated: false
       description: Search the body of the report
     - name: type
-      deprecated: false
       auto: PREDEFINED
       predefined:
       - intelligence report
@@ -755,7 +729,6 @@ script:
       - tipper
       description: The type of object to search for.
     - name: subType
-      deprecated: false
       auto: PREDEFINED
       predefined:
       - weekly
@@ -764,38 +737,30 @@ script:
       - annual
       description: The sub-type to search for.
     - name: tags
-      deprecated: false
       description: Tags associated with a report (managed internally by CS)
     - name: minLastModifiedDate
-      deprecated: false
       description: Constrain results to those modified on or after a certain date
         - format YYYY-MM-DD
     - name: maxLastModifiedDate
-      deprecated: false
       description: Constrain results to those modified on or before a certain date
         - format YYYY-MM-DD
     - name: offset
-      deprecated: false
       description: Used to paginate the response. You can then use limit to set the
         number of results for the next page.
     - name: limit
-      deprecated: false
       description: Limits the number of results to return
     - name: sort
-      deprecated: false
       description: 'The field and direction to sort results on in the format of: <field>.<asc>
         or <field>.<desc>. Valid values include: name, target_countries, target_industries,
         type, created_date, last_modified_date'
     description: The Falcon Intel Reports API allows to query CrowdStrike intelligence
       publications.
   - name: cs-report-pdf
-    deprecated: false
     arguments:
     - name: id
       required: true
-      deprecated: false
       default: true
       description: The ID of the report to retrieve
     description: Retrieve the Falcon Intel Report PDF
-hidden: false
-fromversion: 3.5.0
+  runonce: false
+releaseNotes: "Added support for v2 indicator API"