Created GoogleThreatList Trigger

GoogleThreatIntelligence/CHANGELOG.md

@@ -0,0 +1,55 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## Unreleased
+
+## 2025-01-30 - 0.1.14
+
+### Fixed
+
+- Action schemas: Move result fields to root level (remove `data` wrapper) for consistency across all actions:
+  - Get Comments
+  - Get IoC Report
+  - Get Passive DNS
+  - Get Vulnerability Associations
+  - Get Vulnerability Report
+  - Scan File
+  - Scan URL
+
+### Added
+
+- Scan File: Additional unit tests for 100% code coverage (missing file_path argument, absolute paths handling, directory detection, error handling cases)
+
+## 2025-12-21 - 0.1.13
+
+### Fixed
+
+- Scan File: copy file to a local temporary directory before uploading to handle remote storage (S3) file paths
+
+## 2025-12-21 - 0.1.4
+
+### Fixed
+
+- Get Vulnerability Report: infinite loop with edge cases.
+
+## 2025-12-19 - 0.1.3
+
+### Fixed
+
+- Add proxy support
+
+## 2025-12-19 - 0.1.2
+
+### Fixed
+
+- Get Vulnerability Report: Extract all available fields from VT API response including counters, risk_rating, exploitation_state, exploit_availability, and other critical fields that were previously missing
+
+## 2025-12-18 - 0.1.1
+
+### Fixed
+
+- Remove validation patterns as not working with jinja templates inputs

GoogleThreatIntelligence/Dockerfile

@@ -0,0 +1,16 @@
+FROM python:3.11
+
+WORKDIR /app
+
+RUN pip install poetry
+
+# Install dependencies
+COPY poetry.lock pyproject.toml /app/
+RUN poetry config virtualenvs.create false && poetry install --only main
+
+COPY . .
+
+RUN useradd -ms /bin/bash sekoiaio-runtime
+USER sekoiaio-runtime
+
+ENTRYPOINT [ "python", "./main.py" ]

GoogleThreatIntelligence/action_get_comments.json

@@ -0,0 +1,136 @@
+{
+  "uuid": "a8e3b5f1-3f4a-4b2d-8f7e-1b2f6c9d5e11",
+  "name": "Get Comments",
+  "description": "Retrieve recent comments associated with a domain or IP from Google Threat Intelligence",
+  "docker_parameters": "get_comments",
+  "arguments": {
+    "$schema": "http://json-schema.org/draft-07/schema#",
+    "type": "object",
+    "properties": {
+      "ip": {
+        "type": "string",
+        "description": "IP address to query (e.g., 8.8.8.8)"
+      },
+      "domain": {
+        "type": "string",
+        "description": "Domain name to query (e.g., google.com)"
+      },
+      "url": {
+        "type": "string",
+        "description": "URL to query (e.g., https://example.com/path)"
+      },
+      "file_hash": {
+        "type": "string",
+        "description": "File hash to query (MD5, SHA1, or SHA256)"
+      }
+    },
+    "oneOf": [
+      {
+        "required": [
+          "ip"
+        ]
+      },
+      {
+        "required": [
+          "domain"
+        ]
+      },
+      {
+        "required": [
+          "url"
+        ]
+      },
+      {
+        "required": [
+          "file_hash"
+        ]
+      }
+    ]
+  },
+  "results": {
+    "$schema": "http://json-schema.org/draft-07/schema#",
+    "type": "object",
+    "title": "Get Comments Results",
+    "properties": {
+      "success": {
+        "type": "boolean"
+      },
+      "comments_count": {
+        "type": "integer",
+        "description": "Total number of comments retrieved"
+      },
+      "entity": {
+        "type": "string",
+        "description": "The entity (domain, IP, URL, or file hash) that was queried"
+      },
+      "comments": {
+        "type": "array",
+        "description": "Array of comment objects",
+        "items": {
+          "type": "object",
+          "properties": {
+            "type": {
+              "type": "string",
+              "description": "Type of the object (always 'comment')",
+              "enum": [
+                "comment"
+              ]
+            },
+            "id": {
+              "type": "string",
+              "description": "Unique identifier for the comment"
+            },
+            "text": {
+              "type": "string",
+              "description": "The comment text content"
+            },
+            "date": {
+              "type": [
+                "integer",
+                "string"
+              ],
+              "description": "Comment timestamp (Unix timestamp or ISO 8601 string)"
+            },
+            "votes": {
+              "type": "object",
+              "description": "Vote statistics for the comment",
+              "properties": {
+                "positive": {
+                  "type": "integer",
+                  "description": "Number of positive votes"
+                },
+                "negative": {
+                  "type": "integer",
+                  "description": "Number of negative votes"
+                }
+              },
+              "required": [
+                "positive",
+                "negative"
+              ]
+            },
+            "author": {
+              "type": [
+                "string",
+                "null"
+              ],
+              "description": "Username of the comment author (may be null for anonymous)"
+            }
+          },
+          "required": [
+            "text",
+            "date",
+            "votes"
+          ]
+        }
+      }
+    },
+    "required": [
+      "success",
+      "comments_count",
+      "entity",
+      "comments"
+    ]
+  },
+  "slug": "get_comments_in_gti"
+}