demisto · yaakovi · Jun 9, 2020 · Jun 7, 2020 · Jun 7, 2020 · Jun 8, 2020
diff --git a/Packs/XDR_iocs/Integrations/XDR_iocs/README.md b/Packs/XDR_iocs/Integrations/XDR_iocs/README.md
@@ -1,10 +1,14 @@
+Cortex XDR is the world's first detection and response app that natively integrates network, endpoint and cloud data to stop sophisticated attacks.
 
-XDR handle indicators  
-This integration was integrated and tested with Branch: stable-50 of XDR
-## Configure XDR iocs on Cortex XSOAR  
+Use the Cortex XDR - IOCs feed integration to sync indicators between Cortex XSOAR and Cortex XDR. The integration will sync indicators according to the defined fetch interval. At each interval, the integration will push new and modified indicators defined in the **Sync Query** from Cortex XSOAR to Cortex XDR. Additionally, the integration will check if there are manual modifications of indicators on Cortex XDR and sync back to Cortex XSOAR. Once per day, the integration will perform a *complete sync* which will also remove indicators that have been deleted/expired in Cortex XSOAR, from Cortex XDR. 
+
+
+This integration was integrated and tested with Branch: stable-50 of XDR.
+
+## Configure Cortex XDR - IOC on Cortex XSOAR  
 
 1. Navigate to **Settings** > **Integrations** > **Servers & Services**.  
-2. Search for XDR iocs.  
+2. Search for Cortex XDR - IOC.  
 3. Click **Add instance** to create and configure a new integration instance.  
 
 | **Parameter** | **Description** | **Required** |  
@@ -13,8 +17,8 @@ This integration was integrated and tested with Branch: stable-50 of XDR
 | apikey_id | API Key ID | True |  
 | apikey | API Key | True |  
 | feed | Fetch indicators | False |  
-| severity | the severity in XDR | True |  
-| query | query | True |  
+| severity | the severity in Cortex XDR | True |  
+| query | Sync Query | True |  
 | insecure | Trust any certificate \(not secure\) | False |  
 | proxy | Use system proxy settings | False |  
 | feedReputation | Indicator Reputation | False |  
@@ -46,65 +50,44 @@ There is no context output for this command.
 
 #### Command Example  
 ```!xdr-iocs-sync```  
-  #### Human Readable Output  
-
->sync with XDR completed.  
-
-### xdr-iocs-iocs-to-keep  
-***  
-Update all iocs to keep and delete the other.  
-run this ones a day in 01:00 - 3:00 utc time.  
-
-
-#### Base Command  
-
-`xdr-iocs-to-keep`  
-#### Input  
-
-There are no input arguments for this command.  
-
-#### Context Output  
-
-There is no context output for this command.  
-
-#### Command Example  
-```xdr-iocs-to-keep```  
-
 #### Human Readable Output  
-  >sync with XDR completed.
 
+>sync with XDR completed.  
 
-### xdr-push-iocs  
+### xdr-iocs-push
 ***  
-Push new iocs to XDR run this ones a min.  
+Push new IOCs to XDR. run This every minute (without indicator argument) or ioc trigerd (using indicator argument).
 
 
 #### Base Command  
 
-`xdr-push-iocs`  
+`xdr-iocs-push`  
 #### Input  
 
-There are no input arguments for this command.  
-
+| **Argument Name** | **Description** | **Required** |
+| --- | --- | --- |
+| indicator | the indicators | Optional | 
+
+
 #### Context Output  
 
 There is no context output for this command.  
 
 #### Command Example  
-```xdr-push-iocs```  
+```xdr-iocs-push```  
 
 #### Human Readable Output  
+>push success.
 
 
-
-### xdr-enable-iocs  
+### xdr-iocs-enable  
 ***  
 Enable iocs in XDR server  
 
 
 #### Base Command  
 
-`xdr-enable-iocs`  
+`xdr-iocs-enable`  
 #### Input  
 
 | **Argument Name** | **Description** | **Required** |  
@@ -116,20 +99,20 @@ Enable iocs in XDR server
 There is no context output for this command.  
 
 #### Command Example  
-```!xdr-enable-iocs indicator=11.11.11.11```  
+```!xdr-iocs-enable indicator=11.11.11.11```  
 
 #### Human Readable Output  
 
 >indicators 11.11.11.11 enabled.  
 
-### xdr-disable-iocs  
+### xdr-iocs-disable  
 ***  
 Disable iocs in XDR server  
 
 
 #### Base Command  
 
-`xdr-disable-iocs`  
+`xdr-iocs-disable`  
 #### Input  
 
 | **Argument Name** | **Description** | **Required** |  
@@ -141,9 +124,8 @@ Disable iocs in XDR server
 There is no context output for this command.  
 
 #### Command Example  
-```!xdr-disable-iocs indicator=22.22.22.22```  
+```!xdr-iocs-disable indicator=22.22.22.22```  
 
 #### Human Readable Output  
 
 >indicators 22.22.22.22 disabled.  
-
diff --git a/Packs/XDR_iocs/Integrations/XDR_iocs/XDR_iocs.py b/Packs/XDR_iocs/Integrations/XDR_iocs/XDR_iocs.py
@@ -33,7 +33,7 @@
 
 class Client:
     severity: str = ''
-    query: str = 'type:File or type:Domain or type:IP'
+    query: str = 'reputation:Bad and (type:File or type:Domain or type:IP)'
     error_codes: Dict[int, str] = {
         500: 'XDR internal server error.',
         401: 'Unauthorized access. An issue occurred during authentication. This can indicate an ' +    # noqa: W504
@@ -182,11 +182,10 @@ def demisto_ioc_to_xdr(ioc: Dict) -> Dict:
     xdr_ioc: Dict = {
         'indicator': ioc['value'],
         'severity': Client.severity,
-        'type': demisto_types_to_xdr(ioc['indicator_type']),
+        'type': demisto_types_to_xdr(str(ioc['indicator_type'])),
         'reputation': demisto_score_to_xdr.get(ioc.get('score', 0), 'UNKNOWN'),
         'expiration_date': demisto_expiration_to_xdr(ioc.get('expiration'))
     }
-
     # get last 'IndicatorCommentRegular'
     comment: Dict = next(filter(lambda x: x.get('type') == 'IndicatorCommentRegular', reversed(ioc.get('comments', []))), {})
     if comment:
@@ -214,7 +213,8 @@ def sync(client: Client):
     path: str = 'sync_tim_iocs'
     client.http_request(path, requests_kwargs)
     demisto.setIntegrationContext({'ts': int(datetime.now(timezone.utc).timestamp() * 1000),
-                                   'time': datetime.now(timezone.utc).strftime(DEMISTO_TIME_FORMAT)})
+                                   'time': datetime.now(timezone.utc).strftime(DEMISTO_TIME_FORMAT),
+                                   'iocs_to_keep_time': create_iocs_to_keep_time()})
     return_outputs('sync with XDR completed.')
 
 
@@ -247,14 +247,22 @@ def get_last_iocs(batch_size=200) -> List:
 
 
 def tim_insert_jsons(client: Client):
-    iocs = get_last_iocs()
+    indicators = demisto.args().get('indicator')
+    if not indicators:
+        iocs = get_last_iocs()
+    else:
+        iocs = []
+        for indicator in indicators.split(','):
+            iocs.append(demisto.searchIndicators(query=f'value:{indicator}').get('iocs')[0])
+
     path = 'tim_insert_jsons/'
     requests_kwargs: Dict = get_requests_kwargs(_json=list(map(lambda ioc: demisto_ioc_to_xdr(ioc), iocs)))
     client.http_request(url_suffix=path, requests_kwargs=requests_kwargs)
+    return_outputs('push success.')
 
 
 def iocs_command(client: Client):
-    command = demisto.command().split('-')[1]
+    command = demisto.command().split('-')[-1]
     indicators = demisto.args().get('indicator', '')
     if command == 'enable':
         path, iocs = prepare_enable_iocs(indicators)
@@ -322,6 +330,38 @@ def module_test(client: Client):
     demisto.results('ok')
 
 
+def fetch_indicators(client: Client, auto_sync: bool = False):
+    if not demisto.getIntegrationContext() and auto_sync:
+        xdr_iocs_sync_command(client, first_time=True)
+    else:
+        get_changes(client)
+        if auto_sync:
+            tim_insert_jsons(client)
+            if iocs_to_keep_time():
+                # first_time=False will call iocs_to_keep
+                xdr_iocs_sync_command(client)
+
+
+def xdr_iocs_sync_command(client: Client, first_time: bool = False):
+    if first_time or not demisto.getIntegrationContext():
+        sync(client)
+    else:
+        iocs_to_keep(client)
+
+
+def iocs_to_keep_time():
+    hour, minute = demisto.getIntegrationContext().get('iocs_to_keep_time', (0, 0))
+    time_now = datetime.now(timezone.utc)
+    return time_now.hour == hour and time_now.min == minute
+
+
+def create_iocs_to_keep_time():
+    offset = secrets.randbelow(115)
+    hour, minute, = divmod(offset, 60)
+    hour += 1
+    return hour, minute
+
+
 def main():
     # """
     # Executes an integration command
@@ -332,18 +372,18 @@ def main():
     client = Client(params)
     commands = {
         'test-module': module_test,
-        'xdr-iocs-sync': sync,
-        'xdr-iocs-to-keep': iocs_to_keep,
-        'xdr-enable-iocs': iocs_command,
-        'xdr-disable-iocs': iocs_command,
-        'xdr-push-iocs': tim_insert_jsons,
-        'fetch-indicators': get_changes,
+        'xdr-iocs-enable': iocs_command,
+        'xdr-iocs-disable': iocs_command,
+        'xdr-iocs-push': tim_insert_jsons,
     }
-
     command = demisto.command()
     try:
-        if command in commands:
+        if command == 'fetch-indicators':
+            fetch_indicators(client, params.get('autoSync', False))
+        elif command in commands:
             commands[command](client)
+        elif command == 'xdr-iocs-sync':
+            xdr_iocs_sync_command(client, bool(demisto.args().get('firstTime', False)))
         else:
             raise NotImplementedError(command)
     except Exception as error: