Fix for list of techniques in InvestigationDetailedSummaryToTable (demisto#39291)

* fix for customer issue

Author: amshamah419

Packs/MalwareInvestigationAndResponse/ReleaseNotes/2_0_17.md

@@ -0,0 +1,7 @@
+
+#### Scripts
+
+##### InvestigationDetailedSummaryToTable
+
+- Updated the InvestigationDetailedSummaryToTable script to support a list of techniques.
+- Updated the Docker image to: *demisto/python3:3.12.8.1983910*.

Packs/MalwareInvestigationAndResponse/Scripts/InvestigationDetailedSummaryToTable/InvestigationDetailedSummaryToTable.py

@@ -15,9 +15,13 @@ def table_command(context: dict) -> CommandResults:
     for tactic, techniques in context.items():
         table_values.append({TACTIC: f'**{tactic.upper()}**', STATUS: ''})
 
-        for technique, found in techniques.items():
-            table_values.append({TACTIC: technique, STATUS: BOOL_TO_DESCRIPTION[found]})
-    return CommandResults(readable_output=tableToMarkdown('', table_values, headers=[TACTIC, STATUS]))
+        techniques_list = techniques if isinstance(techniques, list) else [techniques]
+        for technique_dict in techniques_list:
+            for technique, found in technique_dict.items():
+                table_values.append({TACTIC: technique, STATUS: BOOL_TO_DESCRIPTION[found]})
+
+    readable_output = tableToMarkdown('', table_values, headers=[TACTIC, STATUS])
+    return CommandResults(readable_output=readable_output)
 
 
 def main():

Packs/MalwareInvestigationAndResponse/Scripts/InvestigationDetailedSummaryToTable/InvestigationDetailedSummaryToTable.yml

@@ -12,7 +12,7 @@ tags:
 timeout: '0'
 type: python
 subtype: python3
-dockerimage: demisto/python3:3.11.10.115186
+dockerimage: demisto/python3:3.12.8.1983910
 fromversion: 6.2.0
 tests:
 - No tests (auto formatted)

Packs/MalwareInvestigationAndResponse/Scripts/InvestigationDetailedSummaryToTable/InvestigationDetailedSummaryToTable_test.py

@@ -20,13 +20,123 @@ def test_empty_context():
 
 def test_table_command():
     context = {
-        "Defense Evasion": {
-            "Deobfuscate/Decode Files or Information": True,
-            "Indicator Removal on Host": False
-        },
-        "Execution": {
-            "Command and Scripting Interpreter": True,
-            "Command and Scripting Interpreter: PowerShell": True
-        },
+        "Collection": [
+            {
+                "Automated Collection": True,
+                "Data Staged: Local Data Staging": True,
+                "Data from Local System": True,
+                "Email Collection": True,
+                "Input Capture: Keylogging": True,
+                "Screen Capture": True,
+            }
+        ],
+        "Command & Control": [
+            {
+                "Application Layer Protocol": True,
+                "Encrypted Channel": True,
+                "Encrypted Channel: Asymmetric Cryptography": True,
+                "Encrypted Channel: Symmetric Cryptography": True,
+                "Ingress Tool Transfer": True,
+                "Non-Application Layer Protocol": True,
+                "Proxy": True,
+            }
+        ],
+        "Credential Access": [
+            {"Credentials from Password Stores": True, "Input Capture: Keylogging": True}
+        ],
+        "Defense Evasion": [
+            {
+                "Abuse Elevation Control Mechanism: Bypass User Account Control": True,
+                "Access Token Manipulation": True,
+                "Access Token Manipulation: Token Impersonation/Theft": True,
+                "Debugger Evasion": True,
+                "Deobfuscate/Decode Files or Information": True,
+                "Execution Guardrails": True,
+                "File and Directory Permissions Modification": True,
+                "Hide Artifacts": True,
+                "Hijack Execution Flow: Hijack Execution Flow": True,
+                "Impair Defenses: Disable or Modify Tools": True,
+                "Indicator Removal: Clear Command History": True,
+                "Indicator Removal: Indicator Removal": True,
+                "Masquerading": True,
+                "Modify Registry": True,
+                "Obfuscated Files or Information": True,
+                "Obfuscated Files or Information: Embedded Payloads": True,
+                "Obfuscated Files or Information: Obfuscated Files or Information": True,
+                "Process Injection": True,
+                "Process Injection: Asynchronous Procedure Call": True,
+                "Process Injection: Dynamic-link Library Injection": True,
+                "Process Injection: Extra Window Memory Injection": True,
+                "Process Injection: Thread Execution Hijacking": True,
+                "Reflective Code Loading": True,
+                "Virtualization/Sandbox Evasion: System Checks": True,
+                "Virtualization/Sandbox Evasion: Time Based Evasion": True,
+            }
+        ],
+        "Discovery": [
+            {
+                "Account Discovery": True,
+                "Application Window Discovery": True,
+                "Debugger Evasion": True,
+                "File and Directory Discovery": True,
+                "Process Discovery": True,
+                "Query Registry": True,
+                "Remote System Discovery": True,
+                "System Information Discovery": True,
+                "System Location Discovery": True,
+                "System Location Discovery: System Language Discovery": True,
+                "System Owner/User Discovery": True,
+                "System Service Discovery": True,
+                "System Time Discovery": True,
+                "Virtualization/Sandbox Evasion: System Checks": True,
+                "Virtualization/Sandbox Evasion: Time Based Evasion": True,
+            }
+        ],
+        "Execution": [
+            {
+                "Command and Scripting Interpreter": False,
+                "Command and Scripting Interpreter: PowerShell": True,
+                "Inter-Process Communication": True,
+                "Native API": True,
+                "Shared Modules": True,
+                "System Services: System Services": True,
+            }
+        ],
+        "Exfiltration": [{"Scheduled Transfer": True}],
+        "Impact": [
+            {
+                "Data Encrypted for Impact": True,
+                "Data Manipulation": True,
+                "Service Stop": True,
+                "System Shutdown/Reboot": True,
+            }
+        ],
+        "Lateral Movement": [{"Lateral Tool Transfer": True, "Remote Services": False}],
+        "Persistence": [
+            {
+                "Boot or Logon Autostart Execution": True,
+                "Create or Modify System Process": True,
+                "Create or Modify System Process: Windows Service": True,
+                "Event Triggered Execution: Event Triggered Execution": True,
+                "Hijack Execution Flow: Hijack Execution Flow": True,
+            }
+        ],
+        "Privilege Escalation": [
+            {
+                "Abuse Elevation Control Mechanism: Bypass User Account Control": True,
+                "Access Token Manipulation": True,
+                "Access Token Manipulation: Token Impersonation/Theft": True,
+                "Boot or Logon Autostart Execution": True,
+                "Create or Modify System Process": True,
+                "Create or Modify System Process: Windows Service": True,
+                "Event Triggered Execution: Event Triggered Execution": True,
+                "Hijack Execution Flow: Hijack Execution Flow": True,
+                "Process Injection": True,
+                "Process Injection: Asynchronous Procedure Call": True,
+                "Process Injection: Dynamic-link Library Injection": True,
+                "Process Injection: Extra Window Memory Injection": True,
+                "Process Injection: Thread Execution Hijacking": True,
+            }
+        ],
     }
     assert table_command(context).to_context() == _load_test_file('table_command.json')

Packs/MalwareInvestigationAndResponse/Scripts/InvestigationDetailedSummaryToTable/test_data/table_command.json

@@ -1,11 +1,11 @@
 {
-  "Type": 1,
-  "ContentsFormat": "json",
-  "Contents": null,
-  "HumanReadable": "|Tactic|Status|\n|---|---|\n| **DEFENSE EVASION** |  |\n| Deobfuscate/Decode Files or Information | \ud83d\udd34  Detected |\n| Indicator Removal on Host | \ud83d\udfe2  Not Detected |\n| **EXECUTION** |  |\n| Command and Scripting Interpreter | \ud83d\udd34  Detected |\n| Command and Scripting Interpreter: PowerShell | \ud83d\udd34  Detected |\n",
-  "EntryContext": {},
-  "IndicatorTimeline": [],
-  "IgnoreAutoExtract": false,
-  "Note": false,
-  "Relationships": []
-}
+    "Type": 1,
+    "ContentsFormat": "json",
+    "Contents": null,
+    "HumanReadable": "|Tactic|Status|\n|---|---|\n| **COLLECTION** |  |\n| Automated Collection | 🔴  Detected |\n| Data Staged: Local Data Staging | 🔴  Detected |\n| Data from Local System | 🔴  Detected |\n| Email Collection | 🔴  Detected |\n| Input Capture: Keylogging | 🔴  Detected |\n| Screen Capture | 🔴  Detected |\n| **COMMAND & CONTROL** |  |\n| Application Layer Protocol | 🔴  Detected |\n| Encrypted Channel | 🔴  Detected |\n| Encrypted Channel: Asymmetric Cryptography | 🔴  Detected |\n| Encrypted Channel: Symmetric Cryptography | 🔴  Detected |\n| Ingress Tool Transfer | 🔴  Detected |\n| Non-Application Layer Protocol | 🔴  Detected |\n| Proxy | 🔴  Detected |\n| **CREDENTIAL ACCESS** |  |\n| Credentials from Password Stores | 🔴  Detected |\n| Input Capture: Keylogging | 🔴  Detected |\n| **DEFENSE EVASION** |  |\n| Abuse Elevation Control Mechanism: Bypass User Account Control | 🔴  Detected |\n| Access Token Manipulation | 🔴  Detected |\n| Access Token Manipulation: Token Impersonation/Theft | 🔴  Detected |\n| Debugger Evasion | 🔴  Detected |\n| Deobfuscate/Decode Files or Information | 🔴  Detected |\n| Execution Guardrails | 🔴  Detected |\n| File and Directory Permissions Modification | 🔴  Detected |\n| Hide Artifacts | 🔴  Detected |\n| Hijack Execution Flow: Hijack Execution Flow | 🔴  Detected |\n| Impair Defenses: Disable or Modify Tools | 🔴  Detected |\n| Indicator Removal: Clear Command History | 🔴  Detected |\n| Indicator Removal: Indicator Removal | 🔴  Detected |\n| Masquerading | 🔴  Detected |\n| Modify Registry | 🔴  Detected |\n| Obfuscated Files or Information | 🔴  Detected |\n| Obfuscated Files or Information: Embedded Payloads | 🔴  Detected |\n| Obfuscated Files or Information: Obfuscated Files or Information | 🔴  Detected |\n| Process Injection | 🔴  Detected |\n| Process Injection: Asynchronous Procedure Call | 🔴  Detected |\n| Process Injection: Dynamic-link Library Injection | 🔴  Detected |\n| Process Injection: Extra Window Memory Injection | 🔴  Detected |\n| Process Injection: Thread Execution Hijacking | 🔴  Detected |\n| Reflective Code Loading | 🔴  Detected |\n| Virtualization/Sandbox Evasion: System Checks | 🔴  Detected |\n| Virtualization/Sandbox Evasion: Time Based Evasion | 🔴  Detected |\n| **DISCOVERY** |  |\n| Account Discovery | 🔴  Detected |\n| Application Window Discovery | 🔴  Detected |\n| Debugger Evasion | 🔴  Detected |\n| File and Directory Discovery | 🔴  Detected |\n| Process Discovery | 🔴  Detected |\n| Query Registry | 🔴  Detected |\n| Remote System Discovery | 🔴  Detected |\n| System Information Discovery | 🔴  Detected |\n| System Location Discovery | 🔴  Detected |\n| System Location Discovery: System Language Discovery | 🔴  Detected |\n| System Owner/User Discovery | 🔴  Detected |\n| System Service Discovery | 🔴  Detected |\n| System Time Discovery | 🔴  Detected |\n| Virtualization/Sandbox Evasion: System Checks | 🔴  Detected |\n| Virtualization/Sandbox Evasion: Time Based Evasion | 🔴  Detected |\n| **EXECUTION** |  |\n| Command and Scripting Interpreter | 🟢  Not Detected |\n| Command and Scripting Interpreter: PowerShell | 🔴  Detected |\n| Inter-Process Communication | 🔴  Detected |\n| Native API | 🔴  Detected |\n| Shared Modules | 🔴  Detected |\n| System Services: System Services | 🔴  Detected |\n| **EXFILTRATION** |  |\n| Scheduled Transfer | 🔴  Detected |\n| **IMPACT** |  |\n| Data Encrypted for Impact | 🔴  Detected |\n| Data Manipulation | 🔴  Detected |\n| Service Stop | 🔴  Detected |\n| System Shutdown/Reboot | 🔴  Detected |\n| **LATERAL MOVEMENT** |  |\n| Lateral Tool Transfer | 🔴  Detected |\n| Remote Services | 🟢  Not Detected |\n| **PERSISTENCE** |  |\n| Boot or Logon Autostart Execution | 🔴  Detected |\n| Create or Modify System Process | 🔴  Detected |\n| Create or Modify System Process: Windows Service | 🔴  Detected |\n| Event Triggered Execution: Event Triggered Execution | 🔴  Detected |\n| Hijack Execution Flow: Hijack Execution Flow | 🔴  Detected |\n| **PRIVILEGE ESCALATION** |  |\n| Abuse Elevation Control Mechanism: Bypass User Account Control | 🔴  Detected |\n| Access Token Manipulation | 🔴  Detected |\n| Access Token Manipulation: Token Impersonation/Theft | 🔴  Detected |\n| Boot or Logon Autostart Execution | 🔴  Detected |\n| Create or Modify System Process | 🔴  Detected |\n| Create or Modify System Process: Windows Service | 🔴  Detected |\n| Event Triggered Execution: Event Triggered Execution | 🔴  Detected |\n| Hijack Execution Flow: Hijack Execution Flow | 🔴  Detected |\n| Process Injection | 🔴  Detected |\n| Process Injection: Asynchronous Procedure Call | 🔴  Detected |\n| Process Injection: Dynamic-link Library Injection | 🔴  Detected |\n| Process Injection: Extra Window Memory Injection | 🔴  Detected |\n| Process Injection: Thread Execution Hijacking | 🔴  Detected |\n",
+    "EntryContext": {},
+    "IndicatorTimeline": [],
+    "IgnoreAutoExtract": false,
+    "Note": false,
+    "Relationships": []
+}

Packs/MalwareInvestigationAndResponse/pack_metadata.json

@@ -5,7 +5,7 @@
     "videos": [
         "https://www.youtube.com/watch?v=DtGIefyoTao"
     ],
-    "currentVersion": "2.0.16",
+    "currentVersion": "2.0.17",
     "serverMinVersion": "6.5.0",
     "author": "Cortex XSOAR",
     "hidden": false,