Merge branch 'release/3.7.4'

Author: nusantara-self

CHANGELOG.md

@@ -8,6 +8,10 @@
 
 - \[FR\] Clusterhawk template enhancement [\#1410](https://github.com/TheHive-Project/Cortex-Analyzers/issues/1410)
 
+**Merged pull requests:**
+
+- AbuseIPDB - Report Responder & improvements [\#1411](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1411) ([nusantara-self](https://github.com/nusantara-self))
+
 ## [3.7.2](https://github.com/TheHive-Project/Cortex-Analyzers/tree/3.7.2) (2026-01-13)
 
 [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/3.7.1...3.7.2)

responders/Slack/README.md

@@ -16,7 +16,7 @@ This directory contains two Slack responders for TheHive integration:
 - Invites default participants by email
 - Sets channel visibility (private or public)
 - Posts case summary and/or case description (optional)
-- **Automatically tags the case** with `slack:<channel_name>` for easy tracking
+- **Automatically tags the case** with `slack:<channel_name>` and `slack-id:<channel_id>` for fast lookups
 
 ### Slack_SyncChannel
 - **Syncs all Slack channels tagged with `slack:` prefix** on the case
@@ -89,19 +89,28 @@ Log into your Cortex instance, go to Organization > Responders and enable the de
 ## Privacy & Security Considerations
 
 ### Channel Tagging
-When `Slack_CreateChannel` runs, it automatically adds a `slack:<channel_name>` tag to the case. This tag:
-- Makes it easy to identify which Slack channel(s) are associated with a case
-- Enables `Slack_SyncChannel` to reliably find channels without reconstructing names
-- Can be manually added to sync additional channels (see warning below)
+When `Slack_CreateChannel` runs, it automatically adds two tags to the case:
+- `slack:<channel_name>` - Human-readable channel name
+- `slack-id:<channel_id>` - Channel ID for fast direct lookups
+
+This enables `Slack_SyncChannel` to find channels instantly without searching through all workspace channels.
+
+### Syncing Existing Channels
+To sync a channel that wasn't created via `Slack_CreateChannel`:
+1. Invite the Slack bot to the channel
+2. Add `slack:<channel-name>` tag to the case
+3. (Optional) Add `slack-id:<channel-id>` for faster lookups
+   - Get the ID: right-click channel in Slack → "View channel details" → ID at bottom
+4. Run `Slack_SyncChannel`
 
 ### Multi-Channel Syncing
 `Slack_SyncChannel` will sync **all** channels that have `slack:` tags on the case:
 - Each channel creates its own separate task in TheHive
 - Partial failures are handled gracefully (some channels may sync, others may fail)
 - Failed channels are reported in the responder output
 
-### Access Control Warning ⚠️
-- The bot can only read channels it has been **invited to**
+### Access Control
+- The bot only searches channels it's a **member of** (security + performance)
+- Channels created via `Slack_CreateChannel` automatically include the bot
 - Syncing brings Slack conversations into TheHive: ensure case permissions align with channel access
-- Private Slack channels synced to non-private TheHive cases may expose sensitive information
-- Consider your organization's data governance policies before syncing channels
+- Private Slack channels synced to non-private TheHive cases may expose sensitive information

responders/Slack/slack.py

@@ -31,8 +31,31 @@ def __init__(self):
         self.thehive_base_url = self.get_param("config.thehive_base_url", None)
         self.thehive_apikey = self.get_param("config.thehive_apikey", None)
 
-    def find_existing_channel(self, name, headers):
-        url = "https://slack.com/api/conversations.list"
+    def get_channel_info(self, channel_id, headers):
+        """Direct lookup by channel ID"""
+        try:
+            url = "https://slack.com/api/conversations.info"
+            resp = requests.get(url, headers=headers, params={"channel": channel_id}).json()
+            if resp.get("ok"):
+                return resp.get("channel")
+        except Exception:
+            pass
+        return None
+
+    def find_existing_channel(self, name, headers, channel_ids=None):
+        """
+        Find channel by name. If channel_ids provided, tries direct lookup first.
+        Falls back to searching only channels the bot is a member of.
+        """
+        # Try direct lookup if we have IDs
+        if channel_ids:
+            for cid in channel_ids:
+                ch = self.get_channel_info(cid, headers)
+                if ch and ch.get("name") == name:
+                    return cid
+
+        # Fallback: search through bot's channels only (security + performance)
+        url = "https://slack.com/api/users.conversations"
         cursor = None
         while True:
             params = {
@@ -43,6 +66,8 @@ def find_existing_channel(self, name, headers):
             if cursor:
                 params["cursor"] = cursor
             resp = requests.get(url, headers=headers, params=params).json()
+            if not resp.get("ok"):
+                break
             for ch in resp.get("channels", []):
                 if ch["name"] == name:
                     return ch["id"]
@@ -96,10 +121,7 @@ def run(self):
 
             # 2. create channel only after we have valid users
             channel_id = self.find_existing_channel(channel_name, headers)
-            if channel_id:
-                # Channel already exists, reuse it
-                pass
-            else:
+            if not channel_id:
                 create_url = "https://slack.com/api/conversations.create"
                 payload = {
                     "name": channel_name,
@@ -113,6 +135,8 @@ def run(self):
                     )
                 channel_id = create_data["channel"]["id"]
 
+            self.channel_id = channel_id
+
             # 3. invite users
             if user_ids:
                 invite_url = "https://slack.com/api/conversations.invite"
@@ -192,13 +216,16 @@ def format_tlp(level):
         elif self.service == "syncchannel":
             case_id = self.get_param("data.caseId")
             case_unique_id = self.get_param("data.id")
+            case_tags = self.get_param("data.tags", [])
 
-            # Collect all channel names from tags
+            # Extract channel IDs and names from tags
+            channel_ids = []
             channel_names = []
-            case_tags = self.get_param("data.tags", [])
             for tag in case_tags:
-                if tag.startswith("slack:"):
-                    channel_names.append(tag[6:])  # Remove "slack:" prefix
+                if tag.startswith("slack-id:"):
+                    channel_ids.append(tag[9:])
+                elif tag.startswith("slack:"):
+                    channel_names.append(tag[6:])
 
             # Fallback to reconstructing channel name if no tags found
             if not channel_names:
@@ -207,8 +234,7 @@ def format_tlp(level):
                     .replace(".", "")
                     .replace(",", "")
                     .lower()
-                )
-                channel_name = channel_name[:80]
+                )[:80]
                 channel_names.append(channel_name)
 
             headers = {
@@ -222,8 +248,8 @@ def format_tlp(level):
 
             for channel_name in channel_names:
                 try:
-                    # Find the channel
-                    channel_id = self.find_existing_channel(channel_name, headers)
+                    # Find the channel (uses IDs for direct lookup if available)
+                    channel_id = self.find_existing_channel(channel_name, headers, channel_ids)
                     if not channel_id:
                         errors.append(f"Channel '{channel_name}' not found")
                         continue
@@ -731,15 +757,13 @@ def create_or_update_thehive_task(self, case_id, channel_name, conversations):
                 self.error(f"Failed to create task: {str(e)}")
 
     def operations(self, raw):
-        artifacts = []
-        # AddTagToArtifact ({ "type": "AddTagToArtifact", "tag": "tag to add" }): add a tag to the artifact related to the object
-        # AddTagToCase ({ "type": "AddTagToCase", "tag": "tag to add" }): add a tag to the case related to the object
-        # MarkAlertAsRead: mark the alert related to the object as read
-        # AddCustomFields ({"name": "key", "value": "value", "tpe": "type"): add a custom field to the case related to the object
+        ops = []
         if self.service == "createchannel":
             if hasattr(self, 'channel_name'):
-                artifacts.append(self.build_operation("AddTagToCase", tag=f"slack:{self.channel_name}"))
-        return artifacts
+                ops.append(self.build_operation("AddTagToCase", tag=f"slack:{self.channel_name}"))
+            if hasattr(self, 'channel_id'):
+                ops.append(self.build_operation("AddTagToCase", tag=f"slack-id:{self.channel_id}"))
+        return ops
 
 
 if __name__ == "__main__":