diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
index 83c053992f60..085ab978b6fe 100644
--- a/.devcontainer/Dockerfile
+++ b/.devcontainer/Dockerfile
@@ -1,34 +1,33 @@
 FROM python:3.10-slim-bullseye
-ADD createCerts.sh .
-RUN apt-get update && apt-get install dos2unix -y \
- && dos2unix /createCerts.sh \
- && chmod +x /createCerts.sh \
- && /createCerts.sh /usr/local/share/ca-certificates/certs.crt \
- && update-ca-certificates \
- && apt-get install python2 -y
-
 ENV USERNAME demisto
 ENV HOME /home/$USERNAME
 ENV NODE_EXTRA_CA_CERTS /usr/local/share/ca-certificates/certs.crt
 ENV PATH $PATH:$HOME/.local/bin:/root/.local/bin:/usr/local/share/nvm/current/bin
-# This is a workaround for VSCode devcontainer features in self signed certificate
-
-ADD https://raw.githubusercontent.com/devcontainers/features/main/src/common-utils/install.sh /install-common.sh
-ADD https://raw.githubusercontent.com/devcontainers/features/main/src/git/install.sh /install-git.sh
-ADD https://raw.githubusercontent.com/devcontainers/features/main/src/docker-in-docker/install.sh /install-dind.sh
-ADD https://raw.githubusercontent.com/devcontainers/features/main/src/node/install.sh /install-node.sh
+ADD createCerts.sh .
+RUN apt-get update && apt-get install dos2unix git python2 curl -y \
+ && dos2unix /createCerts.sh \
+ && chmod +x /createCerts.sh \
+ && /createCerts.sh $NODE_EXTRA_CA_CERTS \
+ && update-ca-certificates \
+ && rm -rf /features \
+ && git clone https://github.com/devcontainers/features.git /features \
+ && cd /features \
+ # locking to the latest master commit in this repo to prevent breaking changes
+ # We should update this commit hash from time to time to
+ && git checkout 42e5a013cc914f87d0ff7bf613a1f80d9ff57579
-RUN UID="1000" GID="1000" bash install-common.sh
-RUN VERSION="os-provided" bash install-git.sh
-RUN VERSION="latest" bash install-dind.sh
-RUN VERSION="lts" bash install-node.sh
+# This is a workaround for VSCode devcontainer features in self signed certificate
+RUN UID="1000" GID="1000" bash /features/src/common-utils/install.sh
+RUN VERSION="os-provided" bash /features/src/git/install.sh
+RUN VERSION="latest" bash /features/src/docker-in-docker/install.sh
+RUN VERSION="lts" bash /features/src/node/install.sh
 # install poetry, configure certificate for git and tools for oh my zsh
-RUN curl -sSL https://install.python-poetry.org | python3 - \
- && python -m pip install --user pipx \
+RUN python -m pip install --user pipx \
 && python -m pipx ensurepath \
+ && pipx install poetry \
 && git clone https://github.com/zsh-users/zsh-syntax-highlighting.git $HOME/.zsh/zsh-syntax-highlighting \
 && echo "source ~/.zsh/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh" >> $HOME/.zshrc \
 && git clone https://github.com/zsh-users/zsh-autosuggestions $HOME/.zsh/zsh-autosuggestions \
diff --git a/.devcontainer/createCerts.sh b/.devcontainer/createCerts.sh
index c32b37b8026a..abba6854039d 100644
--- a/.devcontainer/createCerts.sh
+++ b/.devcontainer/createCerts.sh
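Review bot: Pinning the features checkout to the full SHA `42e5a013cc914f87d0ff7bf613a1f80d9ff57579` is the right move, but the comment above it is cut off (`# We should update this commit hash from time to time to`) and the lines that follow still install unpinned software, so the image is not yet reproducible. `pipx install poetry` resolves whatever Poetry is current on PyPI at build time; pin it to the version the repo is tested with (`pipx install "poetry==<version>"`) so every devcontainer interprets the lockfile the same way, and the feature scripts invoked with `VERSION="latest"` / `"lts"` fetch Docker and Node releases at build time, which is inherent to those scripts but worth stating in the workaround comment. Replacing the `curl ... | python3 -` Poetry installer is itself a good supply-chain change and deserves a line of credit in the commit message. I'd also add `--no-install-recommends` and a trailing `&& rm -rf /var/lib/apt/lists/*` to the `apt-get` chain, and finish the truncated comment as `# We should update this commit hash from time to time to pick up upstream fixes; verify the new SHA against the upstream repo before bumping it`.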
@@ -5,6 +5,13 @@ # It tries to connect to a server (for instance, github), show the local certificates and save it to a file. # We connect to a random server and not paloaltonetworks.com to get external certificates. +# if command fails + +if curl -I https://github.com > /dev/null; then + echo "No need to update certificate" + exit +fi + CONNECT_SERVER="github.com:443" FILE=$1 @@ -21,3 +28,6 @@ if [ ! -f "$FILE" ]; then exit fi +git config --system http.sslCAInfo $FILE + + diff --git a/.devcontainer/createCommand.sh b/.devcontainer/createCommand.sh index 1b2b7fb85a48..8ffa5865cf35 100755 --- a/.devcontainer/createCommand.sh +++ b/.devcontainer/createCommand.sh @@ -6,22 +6,19 @@ echo "Fixing permissions" sudo chown demisto .venv sudo chown demisto node_modules +sudo chown demisto /workspaces sudo chown -R demisto $HOME -sudo chown -R demisto /workspaces - -echo "Setting up git certificate" - -sudo git config --system http.sslCAInfo /usr/local/share/ca-certificates/certs.crt echo "Setting up VSCode paths" cp .devcontainer/settings.json .vscode/settings.json touch CommonServerUserPython.py +touch DemistoClassApiModule.py path=$(printf '%s:' Packs/ApiModules/Scripts/*) rm -f .env echo "PYTHONPATH=""$path"":$PYTHONPATH" >> .env echo "MYPYPATH=""$path"":$MYPYPATH" >> .env echo "Setting up content dependencies" - -NO_HOOKS=1 .hooks/bootstrap \ No newline at end of file +poetry install +npm install \ No newline at end of file diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index 8706277e04bc..5bceb53ed4cc 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json 
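Review bot: The new early exit falls through to certificate extraction on any curl failure, not only a TLS trust failure, so a transient network error or a proxy demanding auth at build time makes the script capture and trust whatever chain `CONNECT_SERVER` presents at that moment (the extraction itself is outside this hunk; I'm going by the header comment), and the Dockerfile then runs `update-ca-certificates`, turning that chain into a system-wide trust anchor for the image. Gate on curl's exit status so only the peer-verification failure proceeds: `curl -sSI https://github.com > /dev/null; rc=$?`, then `[ "$rc" -eq 0 ] && { echo "No need to update certificate"; exit 0; }`, then `[ "$rc" -eq 60 ] || { echo "curl failed with $rc (not a TLS trust error), leaving the trust store alone" >&2; exit 1; }`. The `-s` also keeps curl's progress meter and response headers out of the build log, and an explicit `exit 0` states the intent. The `# if command fails` comment should say what is being decided, e.g. `# Skip extraction when TLS to the outside already verifies (no intercepting proxy in the path)`.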
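Review bot: `git config --system http.sslCAInfo $FILE` expands `$FILE` unquoted and, more importantly, makes git verify against only that file instead of its default bundle, which is narrower than the `update-ca-certificates` the Dockerfile runs right after this script. If the extracted file holds only the intercepting proxy's chain, git would fail for any host that is not intercepted, whereas the merged system bundle (typically `/etc/ssl/certs/ca-certificates.crt` on Debian) already contains the added certificate once `update-ca-certificates` has run. Either drop the line or point it at the merged bundle: `git config --system http.sslCAInfo /etc/ssl/certs/ca-certificates.crt`; if git really must ignore the system store, at least quote it as `git config --system http.sslCAInfo "$FILE"`. A comment such as `# git does not always pick up the system store; give it an explicit CA bundle` would tell the next reader why this setting exists at all.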
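Review bot: `npm install` at the end of the hunk may rewrite `package-lock.json` and resolve versions that differ from the committed lockfile, which is the opposite of what a reproducible devcontainer wants; `npm ci` installs exactly the lockfile and fails loudly on drift, so the one-line change is `npm ci`. `poetry install` is fine provided `poetry.lock` is committed, which I can't confirm from this diff. The removed `NO_HOOKS=1 .hooks/bootstrap` presumably did more than these two commands; if it also installed git hooks, fresh containers now silently lack them, so either restore that call or add a comment stating why it was dropped. While here, the new `sudo chown demisto /workspaces` is no longer recursive — intentional for speed, I assume, but worth a comment so nobody "fixes" it back to `-R`.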
@@ -14,49 +14,8 @@ "source=node-modules,target=${containerWorkspaceFolder}/node_modules,type=volume", "source=dind-var-lib-docker,target=/var/lib/docker,type=volume" ], + "containerUser": "demisto", "remoteUser": "demisto", - "settings": { - "terminal.integrated.defaultProfile.linux": "zsh", - "terminal.integrated.profiles.linux": { - "zsh": { - "path": "/bin/zsh" - } - }, - "cSpell.words": [ - "demisto", - "xsoar", - "xsiam", - "fromversion", - "toversion", - "marketplacev", - "ciac", - "whois", - ] - }, - "extensions": [ - "cortexxsoarext.xsoar", - "ms-python.python", - "ms-vscode.PowerShell", - "ms-toolsai.jupyter", - "timonwong.shellcheck", - "GitHub.vscode-pull-request-github", - "eamodio.gitlens", - "ms-azuretools.vscode-docker", - "ms-vscode-remote.remote-containers", - "streetsidesoftware.code-spell-checker", - "njpwerner.autodocstring", - "VisualStudioExptTeam.vscodeintellicode", - "yzhang.markdown-all-in-one", - "shd101wyy.markdown-preview-enhanced", - "Gruntfuggly.todo-tree", - "redhat.vscode-yaml", - "PKief.material-icon-theme", - "mikestead.dotenv", - "KevinRose.vsc-python-indent", - "rangav.vscode-thunder-client", - "ms-python.black-formatter", - "LittleFoxTeam.vscode-python-test-adapter" - ], "remoteEnv": { "LOCAL_WORKSPACE_PATH": "${localWorkspaceFolder}", "PATH": "${containerWorkspaceFolder}/.venv/bin:${containerEnv:PATH}", 
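Review bot: Adding `"containerUser": "demisto"` next to `remoteUser` is a good least-privilege step, but `createCommand.sh` in this same diff still fixes ownership of `.venv`, `node_modules`, `/workspaces` and `$HOME` with `sudo chown`, so the user must keep passwordless sudo inside the container — presumably granted by the common-utils install script the Dockerfile runs, which I can't verify from here. That dependency is invisible in this file; since it already uses `//` comments, record it: `// containerUser must retain passwordless sudo: createCommand.sh repairs volume ownership with sudo chown`. If root-equivalence via sudo is not the intended model, the volume mount points could instead be created with the right owner at image build time.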
@@ -70,26 +29,72 @@ "DEMISTO_VERIFY_SSL": "${localEnv:DEMISTO_VERIFY_SSL}", "DEMISTO_API_KEY": "${localEnv:DEMISTO_API_KEY}" }, - // this is commented out until VSCode will fix self signed certificate issues - // "features": { - // "ghcr.io/devcontainers/features/docker-in-docker:1": { - // "version": "latest" - // }, - // "ghcr.io/devcontainers/features/git:1": { - // "version": "os-provided" - // }, - // "ghcr.io/devcontainers/features/powershell:1": { - // "version": "latest" - // }, - // "ghcr.io/devcontainers/features/common-utils:1": { - // "version": "latest" - // }, - // "ghcr.io/devcontainers/features/node:1": { - // "version": "latest" - // } - // }, - // "overrideFeatureInstallOrder": [ - // "ghcr.io/devcontainers/features/common-utils:1" - // ], - "onCreateCommand": "dos2unix .devcontainer/createCommand.sh && chmod +x .devcontainer/createCommand.sh && bash .devcontainer/createCommand.sh", + "customizations": { + "vscode": { + "settings": { + "terminal.integrated.defaultProfile.linux": "zsh", + "terminal.integrated.profiles.linux": { + "zsh": { + "path": "/bin/zsh" + } + }, + "cSpell.words": [ + "demisto", + "xsoar", + "xsiam", + "fromversion", + "toversion", + "marketplacev", + "ciac", + "whois", + ] + }, + "extensions": [ + "cortexxsoarext.xsoar", + "ms-python.python", + "ms-vscode.PowerShell", + "ms-toolsai.jupyter", + "timonwong.shellcheck", + "GitHub.vscode-pull-request-github", + "eamodio.gitlens", + "ms-azuretools.vscode-docker", + "ms-vscode-remote.remote-containers", + "streetsidesoftware.code-spell-checker", + "njpwerner.autodocstring", + "VisualStudioExptTeam.vscodeintellicode", + "yzhang.markdown-all-in-one", + "shd101wyy.markdown-preview-enhanced", + "Gruntfuggly.todo-tree", + "redhat.vscode-yaml", + "PKief.material-icon-theme", + "mikestead.dotenv", + "KevinRose.vsc-python-indent", + "rangav.vscode-thunder-client", + "ms-python.black-formatter", + "LittleFoxTeam.vscode-python-test-adapter" + ] + } +}, +// this is commented out until VSCode 
will fix self signed certificate issues +// "features": { +// "ghcr.io/devcontainers/features/docker-in-docker:1": { +// "version": "latest" +// }, +// "ghcr.io/devcontainers/features/git:1": { +// "version": "os-provided" +// }, +// "ghcr.io/devcontainers/features/powershell:1": { +// "version": "latest" +// }, +// "ghcr.io/devcontainers/features/common-utils:1": { +// "version": "latest" +// }, +// "ghcr.io/devcontainers/features/node:1": { +// "version": "latest" +// } +// }, +// "overrideFeatureInstallOrder": [ +// "ghcr.io/devcontainers/features/common-utils:1" +// ], +"onCreateCommand": "dos2unix -n .devcontainer/createCommand.sh .devcontainer/createCommand_unix.sh && chmod +x .devcontainer/createCommand_unix.sh && bash .devcontainer/createCommand_unix.sh" } \ No newline at end of file diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 50a4b3e9b2a9..6d99dc191cd6 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -7,7 +7,7 @@ /Tests/Marketplace/core_packs_mpv2_list.json @yaakovpraisler @bakatzir @GuyLibermanPA @demisto/content-leaders # Docker native image -/Tests/native_image_config.json @GuyAfik @JudahSchwartz +/Tests/docker_native_image_config.json @GuyAfik @JudahSchwartz # Marketplace & Upload-Flow /Tests/scripts/create_artifacts_graph/create_artifacts.py @ilaner @@ -39,7 +39,7 @@ # Important Integrations /Packs/Jira/Integrations/JiraV2/* @demisto/content-leaders -/Packs/ServiceNow/Integrations/ServiceNowv2/* @demisto/content-leaders +/Packs/ServiceNow/Integrations/ServiceNowv2/* @demisto/content-leaders @Shellyber /Packs/EWS/Integrations/EWSv2/* @demisto/content-leaders /Packs/ArcSightESM/Integrations/ArcSightESMv2/* @demisto/content-leaders /Packs/QRadar/Integrations/QRadar_v3/* @tkatzir diff --git a/.github/workflows/check-devcontainer.yml b/.github/workflows/check-devcontainer.yml new file mode 100644 index 000000000000..61a977e81d95 --- /dev/null +++ b/.github/workflows/check-devcontainer.yml 
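Review bot: The commented-out `features` block is kept with its "until VSCode will fix self signed certificate issues" note, but this diff's Dockerfile now installs the same features from a pinned checkout of devcontainers/features, so the comment reads as pending work when it is actually superseded. Replace the note with a pointer to the replacement, e.g. `// features are installed from a pinned clone in .devcontainer/Dockerfile (self-signed cert workaround); keep the list there in sync with this one`. The two lists already differ (powershell appears here but not in the Dockerfile), which is exactly the drift an explicit cross-reference would catch.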
@@ -0,0 +1,21 @@ +name: Check Devcontainer +on: + pull_request: + paths: + - .devcontainer/** + push: + branches: + - master + paths: + - .devcontainer/** +jobs: + Build-Devcontainer: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + - name: Run demisto-sdk in devcontainer + uses: devcontainers/ci@v0.2 + with: + push: never + runCmd: demisto-sdk --version diff --git a/.github/workflows/close_jira_issue_by_pr_merge.yml b/.github/workflows/close_jira_issue_by_pr_merge.yml index 8dba218eb383..19ed663ac879 100644 --- a/.github/workflows/close_jira_issue_by_pr_merge.yml +++ b/.github/workflows/close_jira_issue_by_pr_merge.yml @@ -32,11 +32,10 @@ jobs: PR_TITLE: ${{ github.event.pull_request.title }} PR_LINK: ${{ github.event.pull_request.html_url }} PR_BODY: ${{ github.event.pull_request.body }} - IS_MERGED: True USERNAME: ${{ secrets.LINK_PR_TO_JIRA_ISSUE_USER }} PASSWORD: ${{ secrets.LINK_PR_TO_JIRA_ISSUE_PASSWORD }} INSTANCE_URL: ${{ secrets.ENGINE_URL }} run: | echo "Checking for related Jira issues to PR: $PR_NUMBER" cd Utils/github_workflow_scripts/jira_integration_scripts - poetry run python ./link_pr_to_jira_issue.py --url "$INSTANCE_URL" --pr_num "$PR_NUMBER" --pr_link "$PR_LINK" --pr_title "$PR_TITLE" --pr_body "$PR_BODY" --is_merged $IS_MERGED --username $USERNAME --password $PASSWORD + poetry run python ./link_pr_to_jira_issue.py --url "$INSTANCE_URL" --pr_num "$PR_NUMBER" --pr_link "$PR_LINK" --pr_title "$PR_TITLE" --pr_body "$PR_BODY" --is_merged --username $USERNAME --password $PASSWORD diff --git a/.github/workflows/link_edited_pr_to_jira_issue.yml b/.github/workflows/link_edited_pr_to_jira_issue.yml index 29c8678fc8fd..83453b251840 100644 --- a/.github/workflows/link_edited_pr_to_jira_issue.yml +++ b/.github/workflows/link_edited_pr_to_jira_issue.yml 
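Review bot: Both actions are pulled by mutable tags (`actions/checkout@v3`, `devcontainers/ci@v0.2`) and the workflow declares no `permissions:`, so it runs with the repository's default `GITHUB_TOKEN` scope while building and executing an arbitrary Dockerfile from the pull request. Pin the third-party action to a full commit SHA with the tag as a trailing comment, and add `permissions: {contents: read}` at the top so nothing beyond checkout is granted even if the repo default is write. `push: never` keeps registry credentials out of the picture and using `pull_request` rather than `pull_request_target` means fork PRs receive no secrets, which is the right choice for this job; a one-line comment saying so would stop someone "upgrading" the trigger later.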
@@ -16,7 +16,7 @@ jobs: - name: Setup Python uses: actions/setup-python@v3 with: - python-version: '3.9' + python-version: '3.10' - name: Setup Poetry uses: Gr1N/setup-poetry@v7 - uses: actions/cache@v2 @@ -32,12 +32,11 @@ jobs: PR_TITLE: ${{ github.event.pull_request.title }} PR_LINK: ${{ github.event.pull_request.html_url }} PR_BODY: ${{ github.event.pull_request.body }} - IS_MERGED: false USERNAME: ${{ secrets.LINK_PR_TO_JIRA_ISSUE_USER }} PASSWORD: ${{ secrets.LINK_PR_TO_JIRA_ISSUE_PASSWORD }} INSTANCE_URL: ${{ secrets.ENGINE_URL }} run: | echo "Checking for related Jira issues to PR: $PR_NUMBER" cd Utils/github_workflow_scripts/jira_integration_scripts - echo --pr_num $PR_NUMBER --pr_link $PR_LINK --pr_title $PR_TITLE --pr_body $PR_BODY --is_merged $IS_MERGED - poetry run python ./link_pr_to_jira_issue.py --url "$INSTANCE_URL" --pr_num "$PR_NUMBER" --pr_link "$PR_LINK" --pr_title "$PR_TITLE" --pr_body "$PR_BODY" --is_merged $IS_MERGED --username $USERNAME --password $PASSWORD + echo --pr_num $PR_NUMBER --pr_link $PR_LINK --pr_title $PR_TITLE --pr_body $PR_BODY --no-is_merged + poetry run python ./link_pr_to_jira_issue.py --url "$INSTANCE_URL" --pr_num "$PR_NUMBER" --pr_link "$PR_LINK" --pr_title "$PR_TITLE" --pr_body "$PR_BODY" --no-is_merged --username $USERNAME --password $PASSWORD diff --git a/.gitignore b/.gitignore index ab930b635da4..5563291dff4d 100644 --- a/.gitignore +++ b/.gitignore @@ -39,8 +39,7 @@ Scripts/**/__init__.py Integrations/**/__init__.py Packs/**/__init__.py requirements.txt -Tests/scripts/infrastructure_tests/collect_tests.log -Tests/scripts/collect_tests.log +**/collect_tests.log # Environment and reports .demisto-sdk-conf @@ -56,6 +55,7 @@ Packs/**/report_pytest.json # devcontainer folders .devcontainer/certs.crt +.devcontainer/createCommand_unix.sh **/.devcontainer !/.devcontainer diff --git a/.gitlab/ci/.gitlab-ci.yml b/.gitlab/ci/.gitlab-ci.yml index 0c8ebecf67cc..3cfef230d61f 100644 --- a/.gitlab/ci/.gitlab-ci.yml 
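Review bot: The debug `echo` line expands `$PR_TITLE` and `$PR_BODY` unquoted, so a `*` or `?` in a PR body is glob-expanded against the runner's working directory and the printed line is noise, while the real invocation right below already quotes them. Quote it the same way or drop it: `echo --pr_num "$PR_NUMBER" --pr_link "$PR_LINK" --pr_title "$PR_TITLE" --pr_body "$PR_BODY" --no-is_merged`. Passing the values through `env:` rather than inlining `${{ }}` in the script is the right pattern and avoids script injection, so this is only an output-hygiene point. Separately, `--username $USERNAME --password $PASSWORD` puts a secret on the command line where it is visible to `ps` on the runner; if `link_pr_to_jira_issue.py` can read them from the environment that is the safer interface (the script is outside this diff), and they should at least be quoted like the other arguments.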
+++ b/.gitlab/ci/.gitlab-ci.yml @@ -1,6 +1,6 @@ default: - image: docker-io.art.code.pan.run/devdemisto/gitlab-content-ci:1.0.0.41253 + image: docker-io.art.code.pan.run/devdemisto/gitlab-content-ci:1.0.0.41284 artifacts: expire_in: 30 days paths: @@ -9,9 +9,8 @@ default: stages: - unittests-and-validations - - create-instances + - prepare-testing-bucket - run-instances - - stage-compare - upload-to-marketplace - fan-in # concentrate pipeline artifacts to single job before triggering child slack pipeline @@ -19,6 +18,7 @@ stages: variables: DONT_CACHE_LAST_RESPONSE: "true" GCS_MARKET_BUCKET: "marketplace-dist" + GCS_MARKET_BUCKET_DEV: "marketplace-dist-dev" GCS_MARKET_V2_BUCKET: "marketplace-v2-dist" GCS_MARKET_XPANSE_BUCKET: "xpanse-dist" STORAGE_BASE_PATH: "" @@ -42,6 +42,7 @@ variables: DEMISTO_CONNECTION_POOL_MAXSIZE: "180" # see this issue for more info https://github.com/demisto/etc/issues/36886 SDK_REF: "master" # The default sdk branch to use OVERRIDE_ALL_PACKS: "false" + TEST_UPLOAD: "true" include: @@ -51,4 +52,3 @@ include: - local: .gitlab/ci/instance-test.yml - local: .gitlab/ci/sdk-nightly.yml - local: .gitlab/ci/miscellaneous.yml - - local: .gitlab/ci/staging.yml diff --git a/.gitlab/ci/bucket-upload.yml b/.gitlab/ci/bucket-upload.yml index 8ad79018ce3c..0b85b60b31ed 100644 --- a/.gitlab/ci/bucket-upload.yml +++ b/.gitlab/ci/bucket-upload.yml @@ -44,9 +44,9 @@ run-unittests-and-lint-upload-flow: - .bucket-upload-rule -create-instances-upload-flow: +xsoar-prepare-testing-bucket-upload-flow: extends: - - create-instances + - xsoar-prepare-testing-bucket variables: IFRA_ENV_TYPE: "Bucket-Upload" ARTIFACTS_FOLDER: "${ARTIFACTS_FOLDER_XSOAR}" 
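Review bot: `TEST_UPLOAD: "true"` is introduced without a comment, and in the hunks visible in this diff its only readers are `if [[ $TEST_UPLOAD == "false" ]]` guards in bucket-upload.yml around commands that are themselves commented out, so the variable currently changes nothing. State its meaning where it is defined so nobody has to grep, e.g. `TEST_UPLOAD: "true"  # set to "false" only for the real marketplace upload; "true" keeps bucket-side writes on the test path` — assuming that is the intent, which I'm inferring from the name. If it is meant as a guard on production writes, comparing against the literal `"false"` lets `False`/`FALSE` slip through; `[[ ${TEST_UPLOAD,,} == "false" ]]` normalizes case in the consumers.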
@@ -55,10 +55,11 @@ create-instances-upload-flow: when: never - if: '$BUCKET_UPLOAD == "true"' - if: '$FORCE_BUCKET_UPLOAD == "true"' + -prepare-testing-bucket-mpv2-upload-flow: +mpv2-prepare-testing-bucket-upload-flow: extends: - - prepare-testing-bucket-mpv2 + - mpv2-prepare-testing-bucket variables: IFRA_ENV_TYPE: "Bucket-Upload" ARTIFACTS_FOLDER: "${ARTIFACTS_FOLDER_MPV2}" @@ -69,9 +70,9 @@ prepare-testing-bucket-mpv2-upload-flow: - if: '$FORCE_BUCKET_UPLOAD == "true"' -prepare-testing-bucket-xpanse-upload-flow: +xpanse-prepare-testing-bucket-upload-flow: extends: - - prepare-testing-bucket-xpanse + - xpanse-prepare-testing-bucket variables: IFRA_ENV_TYPE: "Bucket-Upload" ARTIFACTS_FOLDER: "${ARTIFACTS_FOLDER_XPANSE}" @@ -85,7 +86,7 @@ prepare-testing-bucket-xpanse-upload-flow: .install_packs_in_xsoar_server: tags: - gke - needs: ["create-instances-upload-flow"] + needs: ["xsoar-prepare-testing-bucket-upload-flow"] stage: run-instances artifacts: expire_in: 48 hrs @@ -106,6 +107,8 @@ prepare-testing-bucket-xpanse-upload-flow: - EXIT_CODE=0 - section_start "Download configuration" - ./Tests/scripts/download_demisto_conf.sh >> $ARTIFACTS_FOLDER/logs/installations.log + - SECRET_CONF_PATH=$(cat secret_conf_path) + - python3 ./Tests/scripts/add_secrets_file_to_build.py -sa "$GSM_SERVICE_ACCOUNT" -sf "$SECRET_CONF_PATH" -u "$DEMISTO_USERNAME" -p "$DEMISTO_PASSWORD" -gpid "$GSM_PROJECT_ID" - section_end "Download configuration" - !reference [.open-ssh-tunnel] - section_start "Get Instance Variables" @@ -149,7 +152,7 @@ install-packs-in-server-master: .install-mpv2-packs-on-xsiam-instances: tags: - gke - needs: ["prepare-testing-bucket-mpv2-upload-flow"] + needs: ["mpv2-prepare-testing-bucket-upload-flow"] stage: run-instances artifacts: expire_in: 48 hrs 
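Review bot: The two lines added to `.install_packs_in_xsoar_server` put `$DEMISTO_PASSWORD` and the service-account value on the command line of `add_secrets_file_to_build.py`, where they are visible to `ps` and to any shell trace on the runner; GitLab masks only variables explicitly marked as masked, so confirm these are. The same pair is added verbatim to `.download-demisto-conf` in global.yml in this diff, which already runs `download_demisto_conf.sh`, so replacing the inline copy here with `- !reference [.download-demisto-conf]` avoids three copies drifting (the only visible difference is the log file name, `installations.log` vs `download_demisto_conf.log`). `SECRET_CONF_PATH=$(cat secret_conf_path)` reads a file whose producer is outside this diff; a guard such as `[ -s secret_conf_path ] || { echo "secret_conf_path missing" >&2; exit 1; }` turns a silent empty path into a clear failure before the secrets script runs.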
@@ -169,8 +172,9 @@ install-packs-in-server-master: - EXIT_CODE=0 - section_start "Download configuration" - ./Tests/scripts/download_demisto_conf.sh >> $ARTIFACTS_FOLDER/logs/installations.log + - SECRET_CONF_PATH=$(cat secret_conf_path) + - python3 ./Tests/scripts/add_secrets_file_to_build.py -sa "$GSM_SERVICE_ACCOUNT" -sf "$SECRET_CONF_PATH" -u "$DEMISTO_USERNAME" -p "$DEMISTO_PASSWORD" -gpid "$GSM_PROJECT_ID" - section_end "Download configuration" - - section_start "Lock XSIAM Machine" - echo "Authenticating GCP" - gcloud auth activate-service-account --key-file="$GCS_ARTIFACTS_KEY" > auth.out 2>&1 @@ -290,11 +294,21 @@ upload-packs-to-marketplace: fi - section_end "Validate Premium Packs" + - | + if [[ $TEST_UPLOAD == "false" ]]; then + section_start "Upload content graph CSVs to GCP" --collapsed + # gcloud auth activate-service-account --key-file="$GCS_MARKET_KEY" >> $ARTIFACTS_FOLDER/logs/auth.out + # gsutil -m cp -r $ARTIFACTS_FOLDER/content_graph/import/* "gs://$GCS_MARKET_BUCKET_DEV/content_graph/$MARKETPLACE_VERSION" + # gcloud auth revoke $GCS_ARTIFACTS_ACCOUNT_NAME + section_end "Upload content graph CSVs to GCP" + fi + + upload-packs-to-marketplace-v2: tags: - gke - needs: ["run-validations-upload-flow", "run-unittests-and-lint-upload-flow", "prepare-testing-bucket-mpv2-upload-flow", "install-packs-in-xsiam-ga"] # "install-packs-in-xsiam-dev" + needs: ["run-validations-upload-flow", "run-unittests-and-lint-upload-flow", "mpv2-prepare-testing-bucket-upload-flow", "install-packs-in-xsiam-ga"] # "install-packs-in-xsiam-dev" stage: upload-to-marketplace artifacts: expire_in: 48 hrs 
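Review bot: The block added under `if [[ $TEST_UPLOAD == "false" ]]` in `upload-packs-to-marketplace` contains only commented-out commands between `section_start` and `section_end`, so as merged it emits an empty collapsed section and does nothing, and the identical block is repeated in `upload-packs-to-marketplace-v2` and `upload-packs-to-xpanse-marketplace` later in this diff. Commented-out CI steps tend to get uncommented without review, and this one carries a latent mismatch: it activates `$GCS_MARKET_KEY` but revokes `$GCS_ARTIFACTS_ACCOUNT_NAME`, which by its name is a different account, so the marketplace credential would stay active for the rest of the job. Either remove the block until the content-graph upload is ready, or keep it live behind the variable with the revoke corrected to the account that was activated. If it must stay as a placeholder, a `# TODO(owner): enable once content_graph CSVs are validated; revoke the MARKET account here, not ARTIFACTS` comment is more honest than an empty section.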
@@ -347,11 +361,20 @@ upload-packs-to-marketplace-v2: - python3 ./Tests/Marketplace/zip_packs.py -z $ZIP_FOLDER -a $ARTIFACTS_FOLDER -s $GCS_MARKET_KEY - section_end "Zip Content Packs From GCS" + - | + if [[ $TEST_UPLOAD == "false" ]]; then + section_start "Upload content graph CSVs to GCP" --collapsed + # gcloud auth activate-service-account --key-file="$GCS_MARKET_KEY" >> $ARTIFACTS_FOLDER/logs/auth.out + # gsutil -m cp -r $ARTIFACTS_FOLDER/content_graph/import/* "gs://$GCS_MARKET_BUCKET_DEV/content_graph/$MARKETPLACE_VERSION" + # gcloud auth revoke $GCS_ARTIFACTS_ACCOUNT_NAME + section_end "Upload content graph CSVs to GCP" + fi + upload-packs-to-xpanse-marketplace: tags: - gke - needs: ["run-validations-upload-flow", "run-unittests-and-lint-upload-flow", "prepare-testing-bucket-xpanse-upload-flow"] # "install-packs-in-xpanse-dev" + needs: ["run-validations-upload-flow", "run-unittests-and-lint-upload-flow", "xpanse-prepare-testing-bucket-upload-flow"] # "install-packs-in-xpanse-dev" stage: upload-to-marketplace artifacts: expire_in: 48 hrs @@ -404,13 +427,22 @@ upload-packs-to-xpanse-marketplace: - python3 ./Tests/Marketplace/zip_packs.py -z $ZIP_FOLDER -a $ARTIFACTS_FOLDER -s $GCS_MARKET_KEY - section_end "Zip Content Packs From GCS" + - | + if [[ $TEST_UPLOAD == "false" ]]; then + section_start "Upload content graph CSVs to GCP" --collapsed + # gcloud auth activate-service-account --key-file="$GCS_MARKET_KEY" >> $ARTIFACTS_FOLDER/logs/auth.out + # gsutil -m cp -r $ARTIFACTS_FOLDER/content_graph/import/* "gs://$GCS_MARKET_BUCKET_DEV/content_graph/$MARKETPLACE_VERSION" + # gcloud auth revoke $GCS_ARTIFACTS_ACCOUNT_NAME + section_end "Upload content graph CSVs to GCP" + fi + force-pack-upload: tags: - gke stage: upload-to-marketplace - needs: ["create-instances-upload-flow"] + needs: ["xsoar-prepare-testing-bucket-upload-flow"] rules: - if: '$FORCE_BUCKET_UPLOAD == "true"' extends: 
@@ -456,3 +488,17 @@ slack-notify-bucket-upload: extends: - .trigger-slack-notification - .bucket-upload-rule-always + + +upload-id-set-bucket: + tags: + - gke + stage: prepare-testing-bucket + extends: + - .bucket-upload-rule + - .default-job-settings + script: + # This is needed because we still use id_set.json in other repos + - !reference [.create-id-set-xsoar] + - gcloud auth activate-service-account --key-file="$GCS_MARKET_KEY" + - gsutil cp $ARTIFACTS_FOLDER/id_set.json "gs://$GCS_MARKET_BUCKET/content/id_set.json" diff --git a/.gitlab/ci/global.yml b/.gitlab/ci/global.yml index bf69eda2dd9e..85985326abbf 100644 --- a/.gitlab/ci/global.yml +++ b/.gitlab/ci/global.yml @@ -55,6 +55,8 @@ .download-demisto-conf: - section_start "Download content-test-conf" --collapsed - ./Tests/scripts/download_demisto_conf.sh >> $ARTIFACTS_FOLDER/logs/download_demisto_conf.log + - SECRET_CONF_PATH=$(cat secret_conf_path) + - python3 ./Tests/scripts/add_secrets_file_to_build.py -sa "$GSM_SERVICE_ACCOUNT" -sf "$SECRET_CONF_PATH" -u "$DEMISTO_USERNAME" -p "$DEMISTO_PASSWORD" -gpid "$GSM_PROJECT_ID" - section_end "Download content-test-conf" .open-ssh-tunnel: @@ -143,6 +145,13 @@ - npm link jsdoc-to-markdown@5.0.3 | tee --append $ARTIFACTS_FOLDER/logs/installations.log # disable-secrets-detection - section_end "Installing node modules" +.get_last_upload_commit: &get_last_upload_commit + - section_start "Getting last bucket upload commit" + - gcloud auth activate-service-account --key-file="$GCS_MARKET_KEY" > auth.out 2>&1 + - gsutil cp "gs://$GCS_MARKET_BUCKET/content/packs/index.json" "$ARTIFACTS_FOLDER/previous_index.json" + - export LAST_UPLOAD_COMMIT=$(cat $ARTIFACTS_FOLDER/previous_index.json | jq -r ".\"commit\"") + - section_end "Getting last bucket upload commit" + .default-before-script: before_script: - *setup-network-certs 
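Review bot: `upload-id-set-bucket` writes `id_set.json` straight into the production marketplace bucket (`gs://$GCS_MARKET_BUCKET/content/id_set.json`) from the `prepare-testing-bucket` stage, which per the stage list in this diff runs before `run-instances` and `upload-to-marketplace`, so a bucket-upload pipeline that later fails still leaves a replaced production `id_set.json`; if other repos consume it, that is an integrity gap worth confirming. The job also never revokes the credential it activates with `$GCS_MARKET_KEY`, and `$ARTIFACTS_FOLDER/id_set.json` is unquoted. Consider moving the job to `upload-to-marketplace` (or adding `needs:` on the validation jobs), quoting the path, and ending the script with `- gcloud auth revoke --all`. The `# This is needed because we still use id_set.json in other repos` comment would be more useful naming those repos, so the job can be removed once they migrate.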
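Review bot: `LAST_UPLOAD_COMMIT` is exported without any check in `.get_last_upload_commit`, so if the `gsutil cp` fails or `index.json` lacks a `commit` key the value becomes empty or the literal `null`, and the consumers later in this diff degrade silently: `demisto-sdk lint --prev-ver $LAST_UPLOAD_COMMIT` and `git diff $LAST_UPLOAD_COMMIT --name-only` both still run against the wrong baseline. Validate it where it is produced: `export LAST_UPLOAD_COMMIT=$(jq -r '.commit' "$ARTIFACTS_FOLDER/previous_index.json")` followed by `[[ $LAST_UPLOAD_COMMIT =~ ^[0-9a-f]{40}$ ]] || { echo "bad LAST_UPLOAD_COMMIT: '$LAST_UPLOAD_COMMIT'" >&2; exit 1; }`, which also removes the `cat | jq` and the `.\"commit\"` quoting. Whether a failed `gsutil cp` aborts the job depends on the runner's shell options, which the YAML does not show, so the explicit check is the safer bet.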
@@ -155,9 +164,10 @@ - *install_node_modules - *install_venv - *get_contribution_pack + - *get_last_upload_commit - *install_ssh_keys - section_start "Build Parameters" - - set | grep -E "^NIGHTLY=|^INSTANCE_TESTS=|^SERVER_BRANCH_NAME=|^ARTIFACT_BUILD_NUM=|^DEMISTO_SDK_NIGHTLY=|^TIME_TO_LIVE=|^CONTRIB_BRANCH=|^FORCE_PACK_UPLOAD=|^PACKS_TO_UPLOAD=|^BUCKET_UPLOAD=|^STORAGE_BASE_PATH=|^OVERRIDE_ALL_PACKS=|^GCS_MARKET_BUCKET=|^GCS_MARKET_V2_BUCKET=|^GCS_MARKET_XPANSE_BUCKET=|^SLACK_CHANNEL=|^NVM_DIR=|^NODE_VERSION=|^PATH=|^ARTIFACTS_FOLDER=|^ENV_RESULTS_PATH=" + - set | grep -E "^NIGHTLY=|^INSTANCE_TESTS=|^SERVER_BRANCH_NAME=|^ARTIFACT_BUILD_NUM=|^DEMISTO_SDK_NIGHTLY=|^TIME_TO_LIVE=|^CONTRIB_BRANCH=|^FORCE_PACK_UPLOAD=|^PACKS_TO_UPLOAD=|^BUCKET_UPLOAD=|^STORAGE_BASE_PATH=|^OVERRIDE_ALL_PACKS=|^GCS_MARKET_BUCKET=|^GCS_MARKET_V2_BUCKET=|^GCS_MARKET_XPANSE_BUCKET=|^SLACK_CHANNEL=|^NVM_DIR=|^NODE_VERSION=|^PATH=|^ARTIFACTS_FOLDER=|^ENV_RESULTS_PATH=|^LAST_UPLOAD_COMMIT=" - python --version - python2 --version - python3 --version 
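Review bot: Adding `*get_last_upload_commit` to `.default-before-script` runs `gcloud auth activate-service-account --key-file="$GCS_MARKET_KEY"` in every job that uses the default before_script, not just the bucket-upload path where the same three lines used to live (the removed copy is in the lint hunk below). That widens where the production-bucket credential is activated — each such job now carries an active gcloud identity for its whole runtime — and will fail outright in pipelines where `GCS_MARKET_KEY` is not provided, for example if it is a protected variable and the pipeline is not. If only lint and the prepare-testing-bucket jobs need `LAST_UPLOAD_COMMIT`, reference the anchor from those jobs instead; otherwise guard it with `- if [[ -n "$GCS_MARKET_KEY" ]]; then ... fi` and end it with `gcloud auth revoke --all` once the value is read. A comment on the anchor naming the jobs that depend on `LAST_UPLOAD_COMMIT` would make the next refactor safer.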
@@ -242,10 +252,7 @@ demisto-sdk lint -vvv -p 10 -a --test-xml ./unit-tests --log-path $ARTIFACTS_FOLDER --failure-report $ARTIFACTS_FOLDER --coverage-report $ARTIFACTS_FOLDER/coverage_report -dt 120 --time-measurements-dir $ARTIFACTS_FOLDER else if [[ -n $BUCKET_UPLOAD ]]; then - gcloud auth activate-service-account --key-file="$GCS_MARKET_KEY" > auth.out 2>&1 - gsutil cp "gs://$GCS_MARKET_BUCKET/content/packs/index.json" "$ARTIFACTS_FOLDER/previous_index.json" - export COMMIT_HASH_COMPARE_TO=$(cat $ARTIFACTS_FOLDER/previous_index.json | jq -r ".\"commit\"") - demisto-sdk lint -vvv -p 8 -g --no-mypy --prev-ver $COMMIT_HASH_COMPARE_TO -v --test-xml ./unit-tests --log-path $ARTIFACTS_FOLDER --failure-report $ARTIFACTS_FOLDER --coverage-report $ARTIFACTS_FOLDER/coverage_report -idp $ARTIFACTS_FOLDER/id_set.json -cdam + demisto-sdk lint -vvv -p 8 -g --no-mypy --prev-ver $LAST_UPLOAD_COMMIT -v --test-xml ./unit-tests --log-path $ARTIFACTS_FOLDER --failure-report $ARTIFACTS_FOLDER --coverage-report $ARTIFACTS_FOLDER/coverage_report -idp $ARTIFACTS_FOLDER/id_set.json -cdam else echo "Skipping, Should run on circleCi." fi diff --git a/.gitlab/ci/instance-test.yml b/.gitlab/ci/instance-test.yml index 4242940277a4..82dbc7d1b7c5 100644 --- a/.gitlab/ci/instance-test.yml +++ b/.gitlab/ci/instance-test.yml @@ -8,10 +8,10 @@ test_instances: extends: - .default-job-settings - .instance-test-rule - needs: [ "create-instances" ] + needs: [ "xsoar-prepare-testing-bucket" ] stage: run-instances dependencies: - - create-instances + - xsoar-prepare-testing-bucket script: - EXIT_CODE=0 - !reference [.download-demisto-conf] diff --git a/.gitlab/ci/on-push.yml b/.gitlab/ci/on-push.yml index 1a6c33f55167..dd607a1abd10 100644 --- a/.gitlab/ci/on-push.yml +++ b/.gitlab/ci/on-push.yml 
@@ -22,7 +22,6 @@ trigger-private-build: - python3 Utils/get_private_build_status.py --github-token $GITHUB_TOKEN timeout: 2 hours - .create-release-notes-and-common-docs: - section_start "Create Release Notes and Common Server Documentation" --collapsed - echo "Creating Release Notes and Content Descriptor" 
@@ -76,183 +75,136 @@ validate-content-conf: fi - section_end "Validate content-tesgt-conf Branch Merged" -create-instances: +.generic-prepare-testing-bucket: tags: - gke extends: - .default-job-settings rules: - - if: '$CI_PIPELINE_SOURCE =~ /^(push|contrib)$/' - - if: '$NIGHTLY' - - if: '$INSTANCE_TESTS' + - if: "$CI_PIPELINE_SOURCE =~ /^(push|contrib)$/" + - if: "$NIGHTLY" cache: policy: pull-push variables: - ARTIFACTS_FOLDER: "${ARTIFACTS_FOLDER_XSOAR}" KUBERNETES_CPU_REQUEST: 2000m needs: [] - stage: create-instances + stage: prepare-testing-bucket script: - !reference [.download-demisto-conf] - - !reference [.create-id-set-xsoar] - !reference [.create-release-notes-and-common-docs] + - section_start "Create or update content graph" --collapsed + + - | + echo "Trying to pull all CSV import files from bucket" + # gcloud auth activate-service-account --key-file="$GCS_MARKET_KEY" > auth.out 2>&1 + # gsutil -m cp -r "gs://$GCS_MARKET_BUCKET_DEV/content_graph/$MARKETPLACE_VERSION/*" /var/lib/neo4j/import || echo "failed to download graph imports." 
+ echo "Successfully pulled all CSV import files from bucket" + - | + if [ -z "$(ls -A /var/lib/neo4j/import)" ]; then + echo "No CSV files to import, creating the content graph" + demisto-sdk create-content-graph + echo "Successfully created content graph" + else + echo "Getting the list of packs to update in content graph" + PACKS_TO_UPDATE=( $(git diff $LAST_UPLOAD_COMMIT --name-only -- Packs/* | awk -F/ '{print $2}' | sort | uniq) ) + echo "Updating graph for packs: $PACKS_TO_UPDATE" + + echo "Updating the content graph" + demisto-sdk update-content-graph -p $PACKS_TO_UPDATE + echo "Successfully updated content graph" + fi + + - | + echo "Moving exported CSV files to artifacts" + mkdir $ARTIFACTS_FOLDER/content_graph + cp -R /var/lib/neo4j/import $ARTIFACTS_FOLDER/content_graph + + - section_end "Update content graph" + - section_start "Create Content Artifacts and Update Conf" --collapsed - - demisto-sdk create-content-artifacts -a $ARTIFACTS_FOLDER --cpus 8 --content_version $CONTENT_VERSION --marketplace "xsoar" -fbi -idp ./Tests/id_set.json >> $ARTIFACTS_FOLDER/logs/create_content_artifacts.log + - | + if [[ $MARKETPLACE_VERSION == "xsoar" ]]; + then + echo "Starting to create artifacts with zip for XSOAR." + python Tests/scripts/create_artifacts_graph/create_artifacts.py --marketplace "xsoar" --artifacts-output $ARTIFACTS_FOLDER/content_packs --dependencies-output $ARTIFACTS_FOLDER/packs_dependencies.json + else + echo "Starting to create artifacts without zip." 
+ python Tests/scripts/create_artifacts_graph/create_artifacts.py --marketplace "$MARKETPLACE_VERSION" --artifacts-output $ARTIFACTS_FOLDER/content_packs --dependencies-output $ARTIFACTS_FOLDER/packs_dependencies.json --no-zip + fi + - gcloud auth activate-service-account --key-file="$GCS_ARTIFACTS_KEY" - - successful_feature_branch_build=$(gsutil ls "gs://xsoar-ci-artifacts/content/$FEATURE_BRANCH_NAME/*" | tail -n 1 | grep -o -E "content/$FEATURE_BRANCH_NAME/[0-9]*") - - echo $successful_feature_branch_build - - python3 Utils/merge_content_new_zip.py -f $FEATURE_BRANCH_NAME -b $successful_feature_branch_build - - zip -j $ARTIFACTS_FOLDER/uploadable_packs.zip $ARTIFACTS_FOLDER/uploadable_packs/* >> $ARTIFACTS_FOLDER/logs/zipping_uploadable_packs.log || echo "failed to zip the uploadable packs, ignoring the failure" - - rm -rf $ARTIFACTS_FOLDER/uploadable_packs + - cp "./Tests/conf.json" "$ARTIFACTS_FOLDER/conf.json" - section_end "Create Content Artifacts and Update Conf" - - section_start "Collect Tests" + - section_start "Replace Cortex XSOAR" --collapsed + - | + if [[ $MARKETPLACE_VERSION != "xsoar" ]]; + then + echo "Replace Cortex XSOAR for non-xsoar build." 
+ pushd "$ARTIFACTS_FOLDER" + find content_packs -type f -not \( -path "*/ReleaseNotes/*" \) -exec sed -i -e 's/Cortex XSOAR/'"$PRODUCTNAME"'/gI' {} \; + pushd content_packs; zip -r ../content_packs.zip * 1> /dev/null; popd + rm -rf content_packs + popd + fi + - section_end "Replace Cortex XSOAR" + - section_start "Collect Tests" --collapsed - | if [ -n "${INSTANCE_TESTS}" ]; then echo "Skipping - not running in INSTANCE_TESTS build" else [ -n "${NIGHTLY}" ] && IS_NIGHTLY=true || IS_NIGHTLY=false - python3 ./Tests/scripts/collect_tests/collect_tests.py -n $IS_NIGHTLY --marketplace "xsoar" --service_account $GCS_MARKET_KEY + python3 ./Tests/scripts/collect_tests/collect_tests.py -n $IS_NIGHTLY --marketplace "$MARKETPLACE_VERSION" --service_account $GCS_MARKET_KEY --graph true fi - section_end "Collect Tests" - - - section_start "Calculate Packs Dependencies" --collapsed - - demisto-sdk find-dependencies -idp ./Tests/id_set.json --output-path $ARTIFACTS_FOLDER/packs_dependencies.json --all-packs-dependencies - - section_end "Calculate Packs Dependencies" - section_start "Prepare Content Packs for Testing" - - ./Tests/scripts/prepare_content_packs_for_testing.sh "$GCS_MARKET_BUCKET" "$STORAGE_BASE_PATH" + - ./Tests/scripts/prepare_content_packs_for_testing.sh "$MARKETPLACE_BUCKET" "$STORAGE_BASE_PATH" "$MARKETPLACE_VERSION" - section_end "Prepare Content Packs for Testing" - - section_start "Create Instances" + - section_start "Create Instances for XSOAR" - | - [ -n "${TIME_TO_LIVE}" ] && TTL=${TIME_TO_LIVE} || TTL=300 - python3 ./Tests/scripts/awsinstancetool/aws_instance_tool.py -envType "$IFRA_ENV_TYPE" -timetolive $TTL -outfile "$ARTIFACTS_FOLDER/env_results.json" - - section_end "Create Instances" + if [[ ${MARKETPLACE_VERSION} = "xsoar" ]]; then + echo "Creating Instances, only for XSOAR." 
+ [ -n "${TIME_TO_LIVE}" ] && TTL=${TIME_TO_LIVE} || TTL=300 + python3 ./Tests/scripts/awsinstancetool/aws_instance_tool.py -envType "$IFRA_ENV_TYPE" -timetolive $TTL -outfile "$ARTIFACTS_FOLDER/env_results.json" + fi + - section_end "Create Instances for XSOAR" - section_start "Upload Artifacts to GCP" --collapsed - ./Tests/scripts/upload_artifacts.sh - section_end "Upload Artifacts to GCP" - echo "create instances done" > "$ARTIFACTS_FOLDER/create_instances_done.txt" -prepare-testing-bucket-mpv2: - tags: - - gke - extends: - - .default-job-settings - rules: - - if: '$CI_PIPELINE_SOURCE =~ /^(push|contrib)$/' - - if: '$NIGHTLY' - cache: - policy: pull-push - variables: - ARTIFACTS_FOLDER: "${ARTIFACTS_FOLDER_MPV2}" - KUBERNETES_CPU_REQUEST: 2000m - needs: [] - stage: create-instances - script: - - !reference [.download-demisto-conf] - - !reference [.create-id-set-mp-v2] - - !reference [.create-release-notes-and-common-docs] - - - section_start "Create Content Artifacts and Update Conf" --collapsed - - demisto-sdk create-content-artifacts -a $ARTIFACTS_FOLDER --cpus 8 --content_version $CONTENT_VERSION --marketplace "marketplacev2" --no-zip -fbi -idp ./Tests/id_set.json >> $ARTIFACTS_FOLDER/logs/create_content_artifacts.log - - zip -j $ARTIFACTS_FOLDER/uploadable_packs_mpv2.zip $ARTIFACTS_FOLDER/uploadable_packs/* >> $ARTIFACTS_FOLDER/logs/zipping_uploadable_packs.log || echo "failed to zip the uploadable packs, ignoring the failure" - - rm -rf $ARTIFACTS_FOLDER/uploadable_packs - - cp "./Tests/conf.json" "$ARTIFACTS_FOLDER/conf.json" - - section_end "Create Content Artifacts and Update Conf" - - - section_start "Calculate Packs Dependencies" --collapsed - - demisto-sdk find-dependencies -idp Tests/id_set.json --all-packs-dependencies -o $ARTIFACTS_FOLDER/packs_dependencies.json - - section_end "Calculate Packs Dependencies" - - section_start "Replace Cortex XSOAR" --collapsed - - pushd "$ARTIFACTS_FOLDER" - - find content_packs -type f -not \( -path 
"*/ReleaseNotes/*" \) -exec sed -i -e 's/Cortex XSOAR/'"$PRODUCT_NAME"'/gI' {} \; - - pushd content_packs; zip -r ../content_packs.zip *; popd - - pushd all_content; zip -r ../all_content.zip *; popd - - pushd content_new; zip -r ../content_new.zip *; popd - - pushd content_test; zip -r ../content_test.zip *; popd - - rm -rf content_packs all_content content_new content_test - - popd - - section_end "Replace Cortex XSOAR" - - section_start "Collect Tests and Content Packs" - - | - [ -n "${NIGHTLY}" ] && IS_NIGHTLY=true || IS_NIGHTLY=false - python3 ./Tests/scripts/collect_tests/collect_tests.py -n $IS_NIGHTLY --marketplace "marketplacev2" --service_account $GCS_MARKET_KEY - - section_end "Collect Tests and Content Packs" - - - section_start "Prepare Content Packs for Testing" - - ./Tests/scripts/prepare_content_packs_for_testing.sh "$GCS_MARKET_V2_BUCKET" "$STORAGE_BASE_PATH" "marketplacev2" - - section_end "Prepare Content Packs for Testing" - - - section_start "Upload Artifacts to GCP" --collapsed - - ./Tests/scripts/upload_artifacts.sh - - section_end "Upload Artifacts to GCP" - - echo "create instances done" > "$ARTIFACTS_FOLDER/create_instances_done.txt" - - -prepare-testing-bucket-xpanse: - tags: - - gke +xsoar-prepare-testing-bucket: + variables: + ARTIFACTS_FOLDER: "${ARTIFACTS_FOLDER_XSOAR}" + MARKETPLACE_VERSION: "xsoar" + MARKETPLACE_BUCKET: "$GCS_MARKET_BUCKET" extends: - - .default-job-settings - rules: - - if: '$CI_PIPELINE_SOURCE =~ /^(push|contrib)$/' - - if: '$NIGHTLY' - cache: - policy: pull-push + - .generic-prepare-testing-bucket + +xpanse-prepare-testing-bucket: variables: ARTIFACTS_FOLDER: "${ARTIFACTS_FOLDER_XPANSE}" - KUBERNETES_CPU_REQUEST: 2000m - needs: [] - stage: create-instances - script: - - !reference [.download-demisto-conf] - - !reference [.create-id-set-xpanse] - - !reference [.create-release-notes-and-common-docs] - - - section_start "Create Content Artifacts and Update Conf" --collapsed - - demisto-sdk create-content-artifacts 
-a $ARTIFACTS_FOLDER --cpus 8 --content_version $CONTENT_VERSION --marketplace "xpanse" --no-zip -fbi -idp ./Tests/id_set.json >> $ARTIFACTS_FOLDER/logs/create_content_artifacts.log - - zip -j $ARTIFACTS_FOLDER/uploadable_packs_xpanse.zip $ARTIFACTS_FOLDER/uploadable_packs/* >> $ARTIFACTS_FOLDER/logs/zipping_uploadable_packs.log || echo "failed to zip the uploadable packs, ignoring the failure" - - rm -rf $ARTIFACTS_FOLDER/uploadable_packs - - cp "./Tests/conf.json" "$ARTIFACTS_FOLDER/conf.json" - - section_end "Create Content Artifacts and Update Conf" - - - section_start "Calculate Packs Dependencies" --collapsed - - demisto-sdk find-dependencies -idp Tests/id_set.json --all-packs-dependencies -o $ARTIFACTS_FOLDER/packs_dependencies.json - - section_end "Calculate Packs Dependencies" - - - section_start "Replace Cortex XSOAR" --collapsed - - pushd "$ARTIFACTS_FOLDER" - - export PRODUCT_NAME_XPANSE="Cortex XPANSE" - - find content_packs -type f -not \( -path "*/ReleaseNotes/*" \) -exec sed -i -e 's/Cortex XSOAR/'"$PRODUCT_NAME_XPANSE"'/gI' {} \; - - pushd content_packs; zip -r ../content_packs.zip *; popd - - pushd all_content; zip -r ../all_content.zip *; popd - - pushd content_new; zip -r ../content_new.zip *; popd - - pushd content_test; zip -r ../content_test.zip *; popd - - rm -rf content_packs all_content content_new content_test - - popd - - section_end "Replace Cortex XSOAR" - - - section_start "Collect Tests and Content Packs" - - | - [ -n "${NIGHTLY}" ] && IS_NIGHTLY=true || IS_NIGHTLY=false - python3 ./Tests/scripts/collect_tests/collect_tests.py -n $IS_NIGHTLY --marketplace "xpanse" --service_account $GCS_MARKET_KEY - - section_end "Collect Tests and Content Packs" - - - section_start "Prepare Content Packs for Testing" - - ./Tests/scripts/prepare_content_packs_for_testing.sh "$GCS_MARKET_XPANSE_BUCKET" "$STORAGE_BASE_PATH" "xpanse" - - section_end "Prepare Content Packs for Testing" - - - section_start "Upload Artifacts to GCP" --collapsed - - 
./Tests/scripts/upload_artifacts.sh - - section_end "Upload Artifacts to GCP" - - echo "create instances done" > "$ARTIFACTS_FOLDER/create_instances_done.txt" + MARKETPLACE_VERSION: "xpanse" + PRODUCTNAME: "Cortex XPANSE" + MARKETPLACE_BUCKET: "$GCS_MARKET_XPANSE_BUCKET" + extends: + - .generic-prepare-testing-bucket +mpv2-prepare-testing-bucket: + variables: + ARTIFACTS_FOLDER: "${ARTIFACTS_FOLDER_MPV2}" + MARKETPLACE_VERSION: "marketplacev2" + MARKETPLACE_BUCKET: "$GCS_MARKET_V2_BUCKET" + PRODUCTNAME: "Cortex XSIAM" + extends: + - .generic-prepare-testing-bucket .test_content_on_xsoar_server_instances_base: tags: @@ -264,14 +216,14 @@ prepare-testing-bucket-xpanse: ARTIFACTS_FOLDER: "${ARTIFACTS_FOLDER_XSOAR}" ENV_RESULTS_PATH: "${ARTIFACTS_FOLDER_XSOAR}/env_results.json" SERVER_TYPE: "XSOAR" - needs: ["create-instances"] stage: run-instances + needs: ["xsoar-prepare-testing-bucket"] script: - '[[ "create instances done" = $(cat "$ARTIFACTS_FOLDER/create_instances_done.txt" 2> /dev/null) ]] || (echo "this is a known issue with GitLab pipline please mention @esharf in your PR" && exit 1)' - EXIT_CODE=0 - !reference [.download-demisto-conf] - export TEMP=$(cat $ARTIFACTS_FOLDER/filter_envs.json | jq ".\"$INSTANCE_ROLE\"") -# If instance was not created + # If instance was not created - | if [[ "$TEMP" != "true" && -z "${NIGHTLY}" ]]; then echo "Instance with role $INSTANCE_ROLE was not created" @@ -310,7 +262,6 @@ prepare-testing-bucket-xpanse: python3 ./Tests/scripts/destroy_instances.py $ARTIFACTS_FOLDER $ARTIFACTS_FOLDER/env_results.json "$INSTANCE_ROLE" "$TIME_TO_LIVE" || EXIT_CODE=$? - exit $EXIT_CODE - xsoar_server_6_5: extends: .test_content_on_xsoar_server_instances_base # No need to trigger in case of release branch @@ -319,7 +270,6 @@ xsoar_server_6_5: variables: INSTANCE_ROLE: "Server 6.5" - xsoar_server_6_6: extends: .test_content_on_xsoar_server_instances_base # No need to trigger in case of release branch 
@@ -387,7 +337,7 @@ slack-notify-nightly-build: GCS_MARKET_BUCKET: "${GCS_MARKET_V2_BUCKET}" ENV_RESULTS_PATH: "${ARTIFACTS_FOLDER_MPV2}/env_results.json" SERVER_TYPE: "XSIAM" - needs: ["prepare-testing-bucket-mpv2"] + needs: ["mpv2-prepare-testing-bucket"] stage: run-instances script: - '[[ "create instances done" = $(cat "$ARTIFACTS_FOLDER/create_instances_done.txt" 2> /dev/null) ]] || (echo "this is a known issue with GitLab pipline please mention @esharf in your PR" && exit 1)' diff --git a/.gitlab/ci/sdk-nightly.yml b/.gitlab/ci/sdk-nightly.yml index f19d9c962d54..c9f639ffd69d 100644 --- a/.gitlab/ci/sdk-nightly.yml +++ b/.gitlab/ci/sdk-nightly.yml @@ -83,7 +83,7 @@ demisto_sdk_nightly:check_idset_dependent_commands: - section_end "Calculate Packs Dependencies" -demisto-sdk-nightly:create-instance: +demisto-sdk-nightly:xsoar-prepare-testing-bucket: tags: - gke extends: @@ -95,7 +95,7 @@ demisto-sdk-nightly:create-instance: cache: policy: pull-push needs: [] - stage: create-instances + stage: prepare-testing-bucket script: - !reference [.download-demisto-conf] - | @@ -170,7 +170,7 @@ demisto-sdk-nightly:run-end-to-end-tests: DOCKER_DRIVER: overlay2 DOCKER_TLS_CERTDIR: "" INSTANCE_ROLE: "Server Master" - needs: ["demisto-sdk-nightly:create-instance"] + needs: ["demisto-sdk-nightly:xsoar-prepare-testing-bucket"] stage: run-instances script: - !reference [.open-ssh-tunnel] diff --git a/.gitlab/ci/staging.yml b/.gitlab/ci/staging.yml index 68b8b60831a1..dc74a0e46b09 100644 --- a/.gitlab/ci/staging.yml +++ b/.gitlab/ci/staging.yml 
@@ -1,129 +1 @@ -.generic-graph-prepare-testing-bucket: - tags: - - gke - extends: - - .default-job-settings - rules: - - if: '$CI_PIPELINE_SOURCE =~ /^(push|contrib)$/' - - if: '$NIGHTLY' - cache: - policy: pull - variables: - KUBERNETES_CPU_REQUEST: 2000m - needs: [] - stage: create-instances - allow_failure: true - script: - - pip3 uninstall -y demisto-sdk - - pip3 install git+https://github.com/demisto/demisto-sdk@master - - - !reference [.download-demisto-conf] - - !reference [.create-release-notes-and-common-docs] - - - section_start "Create content graph" --collapsed - - demisto-sdk create-content-graph -o $ARTIFACTS_FOLDER/content-graph.dump - - section_end "Create content graph" - - - section_start "Create Content Artifacts and Update Conf" --collapsed - - | - if [[ $MARKETPLACE_VERSION == "xsoar" ]]; - then - echo "Starting to create artifacts with zip for XSOAR." - python Tests/scripts/create_artifacts_graph/create_artifacts.py --marketplace "xsoar" --artifacts-output $ARTIFACTS_FOLDER/content_packs --dependencies-output $ARTIFACTS_FOLDER/packs_dependencies.json - else - echo "Starting to create artifacts without zip." - python Tests/scripts/create_artifacts_graph/create_artifacts.py --marketplace "$MARKETPLACE_VERSION" --artifacts-output $ARTIFACTS_FOLDER/content_packs --dependencies-output $ARTIFACTS_FOLDER/packs_dependencies.json --no-zip - fi - - - gcloud auth activate-service-account --key-file="$GCS_ARTIFACTS_KEY" - - - cp "./Tests/conf.json" "$ARTIFACTS_FOLDER/conf.json" - - section_end "Create Content Artifacts and Update Conf" - - - section_start "Replace Cortex XSOAR" --collapsed - - | - if [[ $MARKETPLACE_VERSION != "xsoar" ]]; - then - echo "Replace Cortex XSOAR for non-xsoar build." 
- pushd "$ARTIFACTS_FOLDER" - find content_packs -type f -not \( -path "*/ReleaseNotes/*" \) -exec sed -i -e 's/Cortex XSOAR/'"$PRODUCT_NAME"'/gI' {} \; - pushd content_packs; zip -r ../content_packs.zip * 1> /dev/null; popd - rm -rf content_packs - popd - fi - - section_end "Replace Cortex XSOAR" - - - section_start "Collect Tests" --collapsed - - | - if [ -n "${INSTANCE_TESTS}" ]; then - echo "Skipping - not running in INSTANCE_TESTS build" - else - [ -n "${NIGHTLY}" ] && IS_NIGHTLY=true || IS_NIGHTLY=false - python3 ./Tests/scripts/collect_tests/collect_tests.py -n $IS_NIGHTLY --marketplace "$MARKETPLACE_VERSION" --service_account $GCS_MARKET_KEY --graph true - fi - - cp $ARTIFACTS_FOLDER/content_packs_to_install.txt $ARTIFACTS_FOLDER/content_packs_to_install-graph.txt - - section_end "Collect Tests" - - - section_start "Prepare Content Packs for Testing" --collapsed - - ./Tests/scripts/prepare_content_packs_for_testing.sh "$MARKETPLACE_BUCKET" "$STORAGE_BASE_PATH" "$MARKETPLACE_VERSION" - - section_end "Prepare Content Packs for Testing" - - - section_start "Create Instances for XSOAR" - - | - if [ -n "${INSTANCE_TESTS}" ]; then - echo "Creating Instances, only for XSOAR." 
- [ -n "${TIME_TO_LIVE}" ] && TTL=${TIME_TO_LIVE} || TTL=300 - python3 ./Tests/scripts/awsinstancetool/aws_instance_tool.py -envType "$IFRA_ENV_TYPE" -timetolive $TTL -outfile "$ARTIFACTS_FOLDER/env_results.json" - fi - - section_end "Create Instances for XSOAR" - - - section_start "Upload Artifacts to GCP" --collapsed - - ./Tests/scripts/upload_artifacts.sh - - section_end "Upload Artifacts to GCP" - - -graph-prepare-testing-bucket-xsoar: - variables: - ARTIFACTS_FOLDER: "${ARTIFACTS_FOLDER_XSOAR}" - MARKETPLACE_VERSION: "xsoar" - MARKETPLACE_BUCKET: "$GCS_MARKET_BUCKET" - extends: - - .generic-graph-prepare-testing-bucket - - -graph-prepare-testing-bucket-xpanse: - variables: - ARTIFACTS_FOLDER: "${ARTIFACTS_FOLDER_XPANSE}" - MARKETPLACE_VERSION: "xpanse" - PRODUCT_NAME: "Cortex XPANSE" - MARKETPLACE_BUCKET: "$GCS_MARKET_XPANSE_BUCKET" - extends: - - .generic-graph-prepare-testing-bucket - - -graph-prepare-testing-bucket-mpv2: - variables: - ARTIFACTS_FOLDER: "${ARTIFACTS_FOLDER_MPV2}" - MARKETPLACE_VERSION: "marketplacev2" - MARKETPLACE_BUCKET: "$GCS_MARKET_V2_BUCKET" - extends: - - .generic-graph-prepare-testing-bucket - -compare_zips: - needs: ["prepare-testing-bucket-mpv2", "graph-prepare-testing-bucket-mpv2", "create-instances", "graph-prepare-testing-bucket-xsoar", "graph-prepare-testing-bucket-xpanse", "prepare-testing-bucket-xpanse"] - stage: stage-compare - rules: - - if: '$CI_PIPELINE_SOURCE =~ /^(push|contrib)$/' - - if: '$NIGHTLY' - extends: - - .default-job-settings - cache: - policy: pull - allow_failure: true - script: - - echo "compare between graph and id_set" - - python3 ./Tests/scripts/utils/compare_staging_graph.py --artifacts $ARTIFACTS_FOLDER_XSOAR --marketplace xsoar --output-path $ARTIFACTS_FOLDER_XSOAR/report -s "$SLACK_TOKEN" - - python3 ./Tests/scripts/utils/compare_staging_graph.py --artifacts $ARTIFACTS_FOLDER_MPV2 --marketplace marketplacev2 --output-path $ARTIFACTS_FOLDER_MPV2/report -s "$SLACK_TOKEN" - - python3 
./Tests/scripts/utils/compare_staging_graph.py --artifacts $ARTIFACTS_FOLDER_XPANSE --marketplace xpanse --output-path $ARTIFACTS_FOLDER_XPANSE/report -s "$SLACK_TOKEN" - - +# this file is reserved for staging jobs \ No newline at end of file diff --git a/Packs/AHA/Integrations/AHA/AHA.py b/Packs/AHA/Integrations/AHA/AHA.py index 0595f667e793..1f1fdaf05b9d 100644 --- a/Packs/AHA/Integrations/AHA/AHA.py +++ b/Packs/AHA/Integrations/AHA/AHA.py @@ -3,6 +3,7 @@ import requests from typing import Dict +from enum import Enum # Disable insecure warnings @@ -11,9 +12,42 @@ ''' CONSTANTS ''' REPLACE = 'replace' DATE_FORMAT = '%Y-%m-%dT%H:%M:%SZ' # ISO8601 format with UTC, default in XSOAR -URL_SUFFIX_PATTERN = f'/products/{REPLACE}/features/' +URL_SUFFIX_PATTERN = f'/products/{REPLACE}/' EDIT_FIELDS = ['id', 'reference_num', 'name', 'description', 'workflow_status', 'created_at'] DEFAULT_FIELDS = ['reference_num', 'name', 'id', 'created_at'] +FEATURE_FIELDS = ['ideas'] + +''' AHA ENUM''' + + +class AHA_TYPE(Enum): + IDEAS = 1 + FEATURES = 2 + + def get_url_suffix(self) -> str: + if (self == AHA_TYPE.IDEAS): + return 'ideas/' + else: + return 'features/' + + def get_type_plural(self) -> str: + if (self == AHA_TYPE.IDEAS): + return 'ideas' + else: + return 'features' + + def get_type_singular(self) -> str: + if (self == AHA_TYPE.IDEAS): + return 'idea' + else: + return 'feature' + + def get_type_for_outputs(self) -> str: + if (self == AHA_TYPE.IDEAS): + return 'Idea' + else: + return 'Feature' + ''' CLIENT CLASS ''' 
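Review bot: The four accessor methods on AHA_TYPE each repeat the same `if (self == AHA_TYPE.IDEAS): ... else:` branch to choose between two literals, so a third object type would mean editing four places; every string can be derived from one member value. Keeping the `AHA_TYPE` name and the method names so call sites and tests are unaffected, the class can hold the singular noun as the member value and compute plural, URL segment and output prefix from it, provided nothing relies on the numeric values 1 and 2 (nothing in this diff does). Note also that URL_SUFFIX_PATTERN now ends at `/products/{REPLACE}/` with the `features/` segment moved into `get_url_suffix`, so any other code that still appends to URL_SUFFIX_PATTERN expecting the features path (not visible here) would need the same treatment.
```python
class AHA_TYPE(Enum):
    """Aha! object kinds the integration reads or edits; the value is the singular noun used in API paths and response keys."""
    IDEAS = 'idea'
    FEATURES = 'feature'

    def get_type_singular(self) -> str:
        return self.value

    def get_type_plural(self) -> str:
        return f'{self.value}s'

    def get_url_suffix(self) -> str:
        return f'{self.get_type_plural()}/'

    def get_type_for_outputs(self) -> str:
        return self.value.capitalize()
```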
@@ -31,20 +65,22 @@ def __init__(self, self.url = url self._headers['Content-Type'] = 'application/json' - def get_features(self, - feature_name: str, - fields: str, - from_date: str, - page: str, - per_page: str) -> Dict: + def get(self, + aha_type: AHA_TYPE, + name: str, + fields: str, + from_date: str, + page: str, + per_page: str) -> Dict: """ - Retrieves a list of features from AHA + Retrieves a list of features/ideas from AHA Args: - feature_name: str if given it will fetch the feature specified. if not, it will fetch all features. - fields: str optional feature fields to retrive from the service. - from_date: str format: YYYY-MM-DD get features created after from_date. + aha_type: determine what to get ideas or features using AHA_TYPE Enum. + name: str if given it will fetch the feature/idea specified. if not, it will fetch all features/ideas. + fields: str optional feature/idea fields to retrieve from the service. + from_date: str format: YYYY-MM-DD get features/ideas created after from_date. page: str pagination specify the number of the page. - per_page: str pagination specify the maximum number of features per page. + per_page: str pagination specify the maximum number of features/ideas per page. """ headers = self._headers params = { 
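Review bot: The new docstring of Client.get does not say what `name` must be or what the method returns, even though the tests in this commit call it with reference numbers such as 'DEMO-10' and the value ends up interpolated into the request path. I would add under Args: `name: str reference number of a single feature/idea (e.g. DEMO-10); empty string lists all of them.` and a `Returns: Dict the decoded JSON response from Aha!.` line, and state that `page` and `per_page` are forwarded unchanged as query parameters. The method body continues past the end of the hunk.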
@@ -54,27 +90,28 @@ def get_features(self, 'per_page': per_page, } return self._http_request(method='GET', - url_suffix=f'{self.url}{feature_name}', + url_suffix=f'{self.url}{aha_type.get_url_suffix()}{name}', headers=headers, params=params, resp_type='json') - def edit_feature(self, feature_name: str, fields: Dict) -> Dict: + def edit(self, aha_object_name: str, aha_type: AHA_TYPE, fields: Dict) -> Dict: """ - Updates fields in a feature from AHA + Updates fields in a feature/idea from AHA Args: - feature_name: str feature to update + aha_object_name: str idea to update + aha_type: determine what to edit ideas or features using AHA_TYPE Enum. fields: Dict fields to update """ - payload = extract_payload(fields=fields) - demisto.debug(f'Edit feature payload: {payload}') + payload = build_edit_idea_req_payload() if aha_type == AHA_TYPE.IDEAS else build_edit_feature_req_payload(fields=fields) + demisto.debug(f'Edit {aha_type.get_type_singular()} payload: {payload}') fields = ','.join(EDIT_FIELDS) - return self._http_request(method='PUT', url_suffix=f'{self.url}{feature_name}?fields={fields}', - resp_type='json', json_data=payload) + url_suffix = f'{self.url}{aha_type.get_url_suffix()}{aha_object_name}?fields={fields}' + return self._http_request(method='PUT', url_suffix=url_suffix, resp_type='json', json_data=payload) ''' HELPER FUNCTIONS''' -def extract_payload(fields: Dict): +def build_edit_feature_req_payload(fields: Dict): payload: Dict = {'feature': {}} for field in fields: feature = payload.get('feature', {}) 
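Review bot: In Client.get and Client.edit the caller-supplied object name is concatenated straight into the URL path (`url_suffix=f'{self.url}{aha_type.get_url_suffix()}{name}'` and the `{aha_object_name}?fields={fields}` suffix), so a value containing `/`, `?` or `#` changes which endpoint is requested instead of being looked up as a name. Percent-encode it first, e.g. `from urllib.parse import quote` and `quote(name, safe='')` / `quote(aha_object_name, safe='')`, and pass the field list via `params={'fields': fields}` rather than hand-building the query string. Separately, `edit` reassigns its `fields: Dict` parameter to the joined EDIT_FIELDS string after the payload is built; a distinct local such as `response_fields` avoids the type-changing shadowing, and a comment should note that for AHA_TYPE.IDEAS the `fields` argument is ignored entirely because build_edit_idea_req_payload takes none. build_edit_feature_req_payload continues past the end of the hunk.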
@@ -86,24 +123,40 @@ def extract_payload(fields: Dict): return payload -def parse_features(features: dict, fields: List) -> List: +def build_edit_idea_req_payload(): + payload: Dict = {'idea': {}} + idea = payload.get('idea', {}) + idea['workflow_status'] = "Shipped" + return payload + + +def extract_ideas_from_feature(ideas: List) -> List: + ret_list: list[str] = [] + for idea in ideas: + ret_list.append(idea.get('reference_num')) + return ret_list + + +def parse_multiple_objects(aha_objects: dict, fields: List) -> List: res_list = [] - for res in features: - curr = parse_feature(res, fields=fields) + for res in aha_objects: + curr = parse_single_object(res, fields=fields) res_list.extend(curr) demisto.debug(f'Parsed response fields: {res_list}') return res_list -def parse_feature(feature: dict, fields: List = DEFAULT_FIELDS) -> List: +def parse_single_object(aha_object: dict, fields: List = DEFAULT_FIELDS) -> List: ret_dict = {} for curr in fields: if curr == 'description': - ret_dict[curr] = feature.get(curr, {}).get('body') + ret_dict[curr] = aha_object.get(curr, {}).get('body') elif curr == 'workflow_status': - ret_dict[curr] = feature.get(curr, {}).get('name') + ret_dict[curr] = aha_object.get(curr, {}).get('name') + elif curr == 'ideas': + ret_dict[curr] = extract_ideas_from_feature(aha_object.get(curr, {})) else: - ret_dict[curr] = feature.get(curr, '') + ret_dict[curr] = aha_object.get(curr, '') return [ret_dict] @@ -115,7 +168,7 @@ def test_module(client: Client) -> str: message: str = '' try: - result = client.get_features('', '', '2020-01-01', page='1', per_page='1') + result = client.get(AHA_TYPE.FEATURES, '', '', '2020-01-01', page='1', per_page='1') if result: message = 'ok' except DemistoException as e: 
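Review bot: In parse_single_object the new `'ideas'` branch calls `extract_ideas_from_feature(aha_object.get(curr, {}))`, which only covers a missing key; if the API returns an explicit `ideas: null` (or `description: null` in the branch above, which is pre-existing) the `.get` default is not used and the code raises on None. Use `aha_object.get(curr) or []` for the ideas branch and `or {}` for the two dict branches so a null yields an empty result instead of a traceback. On style, build_edit_idea_req_payload reduces to `return {'idea': {'workflow_status': IDEA_SHIPPED_STATUS}}` with the literal lifted to a module constant, and extract_ideas_from_feature is the one-liner `return [idea.get('reference_num') for idea in ideas]`.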
@@ -126,26 +179,30 @@ def test_module(client: Client) -> str: return message -def get_features(client: Client, - from_date: str, - feature_name: str = '', - fields: List = [], - page: str = '1', - per_page: str = '30') -> CommandResults: +def get_command(client: Client, + aha_type: AHA_TYPE, + from_date: str, + aha_object_name: str = '', + fields: str = '', + page: str = '1', + per_page: str = '30') -> CommandResults: message: List = [] - req_fields = ','.join(DEFAULT_FIELDS + fields) - response = client.get_features(feature_name=feature_name, fields=req_fields, - from_date=from_date, page=page, per_page=per_page) + fields_list: List = DEFAULT_FIELDS + argToList(fields) + if aha_type == AHA_TYPE.FEATURES: + fields_list.extend(FEATURE_FIELDS) + req_fields = ','.join(fields_list) + response = client.get(aha_type=aha_type, name=aha_object_name, fields=req_fields, + from_date=from_date, page=page, per_page=per_page) if response: - if 'features' in response: - message = parse_features(response['features'], DEFAULT_FIELDS + fields) + if aha_type.get_type_plural() in response: + message = parse_multiple_objects(response[aha_type.get_type_plural()], fields_list) else: - message = parse_feature(response['feature'], DEFAULT_FIELDS + fields) - human_readable = tableToMarkdown('Aha! get features', + message = parse_single_object(response[aha_type.get_type_singular()], fields_list) + human_readable = tableToMarkdown(f'Aha! get {aha_type.get_type_plural()}', message, removeNull=True) return CommandResults( - outputs_prefix='AHA.Feature', + outputs_prefix=f'AHA.{aha_type.get_type_for_outputs()}', outputs_key_field='id', outputs=message, raw_response=response, 
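Review bot: `fields_list: List = DEFAULT_FIELDS + argToList(fields)` does not deduplicate, and the yml default for the `fields` argument (`name,reference_num,id,created_at`) repeats DEFAULT_FIELDS, so the default invocation sends every default field twice in the request and walks them twice in parse_single_object. Build the list once with an order-preserving dedup: `fields_list = list(dict.fromkeys(DEFAULT_FIELDS + argToList(fields) + (FEATURE_FIELDS if aha_type == AHA_TYPE.FEATURES else [])))`. The `else` branch also indexes `response[aha_type.get_type_singular()]` unguarded, so a response that carries neither the plural nor the singular key surfaces as a bare KeyError; `response.get(...)` followed by a DemistoException naming the missing key would be clearer. get_command continues past the end of the hunk.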
@@ -153,18 +210,20 @@ def get_features(client: Client, ) -def edit_feature(client: Client, - feature_name: str, - fields: Dict) -> CommandResults: +def edit_command(client: Client, + aha_type: AHA_TYPE, + aha_object_name: str, + fields: str = '{}') -> CommandResults: message: List = [] - response = client.edit_feature(feature_name=feature_name, fields=fields) + fieldsDict = json.loads(fields) + response = client.edit(aha_object_name=aha_object_name, aha_type=aha_type, fields=fieldsDict) if response: - message = parse_feature(response['feature'], fields=EDIT_FIELDS) - human_readable = tableToMarkdown('Aha! edit feature', + message = parse_single_object(response[aha_type.get_type_singular()], fields=EDIT_FIELDS) + human_readable = tableToMarkdown(f'Aha! edit {aha_type.get_type_singular()}', message, removeNull=True) return CommandResults( - outputs_prefix='AHA.Feature', + outputs_prefix=f'AHA.{aha_type.get_type_for_outputs()}', outputs_key_field='id', outputs=message, readable_output=human_readable, 
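Review bot: `fieldsDict = json.loads(fields)` accepts any JSON document, so a JSON array or string reaches build_edit_feature_req_payload as a non-dict and fails inside the payload loop, while a malformed string surfaces as a raw JSONDecodeError. Validate up front with `fields_dict = json.loads(fields)` inside a `try` that re-raises as `DemistoException(f'fields must be a JSON object: {e}')`, followed by `if not isinstance(fields_dict, dict): raise DemistoException('fields must be a JSON object')`. The function also deserves a docstring stating that for AHA_TYPE.IDEAS the `fields` argument is ignored and the status is forced to Shipped. edit_command continues past the end of the hunk.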
@@ -200,18 +259,20 @@ def main() -> None: result = test_module(client) return_results(result) elif command == 'aha-get-features': - from_date = args.get('from_date', '2020-01-01') - feature_name = args.get('feature_name', '') - fields = argToList(args.get('fields', '')) - page = args.get('page', '1') - per_page = args.get('per_page', '30') - command_result = get_features(client, from_date=from_date, feature_name=feature_name, fields=fields, page=page, - per_page=per_page) + command_result = get_command(client, aha_type=AHA_TYPE.FEATURES, + aha_object_name=args.pop('feature_name', ''), **args) return_results(command_result) elif command == 'aha-edit-feature': - feature_name = args.get('feature_name', '') - edit_fields = json.loads(args.get('fields', {})) - command_result = edit_feature(client, feature_name=feature_name, fields=edit_fields) + command_result = edit_command(client, aha_type=AHA_TYPE.FEATURES, + aha_object_name=args.pop('feature_name', ''), **args) + return_results(command_result) + elif command == 'aha-get-ideas': + command_result = get_command(client=client, aha_type=AHA_TYPE.IDEAS, + aha_object_name=args.pop('idea_name', ''), **args) + return_results(command_result) + elif command == 'aha-edit-idea': + command_result = edit_command(client, aha_type=AHA_TYPE.IDEAS, + aha_object_name=args.pop('idea_name', ''), **args) return_results(command_result) else: raise NotImplementedError(f'{command} command is not implemented.') diff --git a/Packs/AHA/Integrations/AHA/AHA.yml b/Packs/AHA/Integrations/AHA/AHA.yml index bd86159546ec..db666275af1c 100644 --- a/Packs/AHA/Integrations/AHA/AHA.yml +++ b/Packs/AHA/Integrations/AHA/AHA.yml 
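Review bot: The four command branches now forward `**args` from demisto.args() straight into get_command/edit_command, so any key that is not in those signatures — a future yml argument, or anything the platform adds to the argument dict — becomes a TypeError at call time, whereas the previous explicit `args.get` style ignored unknown keys. Prefer selecting the known keys, e.g. `call_args = {k: args[k] for k in ('from_date', 'fields', 'page', 'per_page') if k in args}` for the get commands and `{k: args[k] for k in ('fields',) if k in args}` for the edit commands, and read the name with `args.get('feature_name', '')` rather than mutating `args` via `pop`. The dispatch chain and the error handling around it start before the hunk.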
@@ -86,16 +86,16 @@ script: description: The feature creation date. type: Date - name: aha-edit-feature - description: "You can edit any of the following fields in a feature: Name, Status and Description." + description: "You can edit the following fields in a feature: Name and Status." deprecated: false arguments: - name: feature_name - description: The name of the features to edit. + description: The name of the feature to edit. required: true isArray: false defaultValue: "" - name: fields - description: 'Fields in JSON format to edit in a feature. Possible fields are name, description and status. Status should match Aha values under workflow_status. Example:" {"name": "name", "description": "desc", "status" : "Closed"}' + description: 'Fields in JSON format to edit in a feature. Possible fields are name and status. Status should match Aha values under workflow_status. Example:" {"name": "name", "status" : "Closed"}' required: true isArray: false defaultValue: "" 
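Review bot: The aha-edit-feature description and the `fields` help now say the editable fields are name and status, but the README change in this same commit says "Name and Description", and test_editFeatureField still sends a `description` key, so at least one of these is stale. build_edit_feature_req_payload is only partly visible here; settle on the set of fields it actually maps and use the same wording in both files, e.g. `description: "You can edit the following fields in a feature: Name and Status."` in the yml and the matching sentence in the README, or keep description if it is still supported.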
@@ -109,20 +109,96 @@ script: - contextPath: AHA.Feature.reference_num description: The feature reference number. type: String - - contextPath: AHA.Feature.workflow_status - description: The feature status description. - type: String - contextPath: AHA.Feature.description description: The feature description. type: String + - contextPath: AHA.Feature.workflow_status + description: The feature status description. + type: String - contextPath: AHA.Feature.created_at description: The feature creation date. type: Date + - name: aha-get-ideas + description: Lists all ideas from service, unless a specific idea is specified. + deprecated: false + arguments: + - name: from_date + description: Show ideas created after this date. + required: false + isArray: false + defaultValue: "2020-01-01" + - name: idea_name + description: The name of a specific idea to retrieve. + required: false + isArray: false + defaultValue: "" + - name: fields + description: A comma-separated list of fields to include in the Aha! service response. + required: false + isArray: false + defaultValue: "name,reference_num,id,created_at" + - name: page + description: The specific results page to retrieve. + required: false + isArray: false + defaultValue: "1" + - name: per_page + description: The maximum number of results per page. + required: false + isArray: false + defaultValue: "30" + outputs: + - contextPath: AHA.Idea.id + description: The idea ID. + type: UUID + - contextPath: AHA.Idea.name + description: The idea name. + type: String + - contextPath: AHA.Idea.reference_num + description: The idea reference number. + type: String + - contextPath: AHA.Idea.workflow_status + description: The idea status description. + type: String + - contextPath: AHA.Idea.description + description: The idea description. + type: String + - contextPath: AHA.Idea.created_at + description: The idea creation date. + type: Date + - name: aha-edit-idea + description: "Edit an idea status to Shipped." 
+ deprecated: false + arguments: + - name: idea_name + description: The name of the idea to edit. + required: true + isArray: false + defaultValue: "" + outputs: + - contextPath: AHA.Idea.id + description: The idea ID. + type: UUID + - contextPath: AHA.Idea.name + description: The idea name. + type: String + - contextPath: AHA.Idea.reference_num + description: The idea reference number. + type: String + - contextPath: AHA.Idea.workflow_status + description: The idea status description. + type: String + - contextPath: AHA.Idea.description + description: The idea description. + type: String + - contextPath: AHA.Idea.created_at + description: The idea creation date. + type: Date isfetch: false runonce: false script: "-" type: python subtype: python3 - dockerimage: demisto/python3:3.10.8.37753 + dockerimage: demisto/python3:3.10.9.40422 feed: false fromversion: 6.5.0 diff --git a/Packs/AHA/Integrations/AHA/AHA_test.py b/Packs/AHA/Integrations/AHA/AHA_test.py index f1337a5d478d..009c3b6e5e01 100644 --- a/Packs/AHA/Integrations/AHA/AHA_test.py +++ b/Packs/AHA/Integrations/AHA/AHA_test.py @@ -1,6 +1,8 @@ import demistomock as demisto # noqa: F401 +import pytest from CommonServerPython import * # noqa: F401 -from AHA import Client, get_features, edit_feature +from AHA import Client, get_command, edit_command +from AHA import AHA_TYPE import io @@ -47,7 +49,7 @@ def test_main(mocker): 'api_key': {'password': 'test_api'}, } ) - mocker.patch('AHA.Client.get_features', return_value={'name': 'test'}) + mocker.patch('AHA.Client.get', return_value={'name': 'test'}) mocker.patch.object( demisto, 'command', return_value='test-module' 
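Review bot: aha-edit-idea is described only as "Edit an idea status to Shipped." without saying that the value is hard-coded and must exist as a workflow status name in the target Aha! workspace, or that unlike aha-edit-feature the command takes no `fields` argument. I would expand it to `description: "Sets the idea's workflow status to Shipped (the status name must exist in your Aha! workflow); no other fields can be changed."`. In aha-get-ideas the `fields` default repeats the fields the code already requests via DEFAULT_FIELDS, so a default of `""` would avoid sending each of them twice, and the `workflow_status`/`description` outputs are only populated when the caller lists them in `fields`, which their descriptions could state.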
@@ -58,6 +60,36 @@ def test_main(mocker): assert demisto.results.call_args[0][0] == 'ok' +def test_notImplementedCommand(mocker): + """ + Given: + - All return values from helper functions are valid + When: + - Calling main function with invalid command + Then: + - Return sys.exit(0) + """ + from AHA import main + + mocker.patch.object( + demisto, 'params', return_value={ + 'url': 'example.com', + 'project_name': 'DEMO', + 'api_key': {'password': 'test_api'}, + } + ) + mocker.patch('AHA.Client.get', return_value={'name': 'test'}) + mocker.patch.object( + demisto, 'command', + return_value='tests-module' + ) + mocker.patch.object(demisto, 'results') + with pytest.raises(SystemExit) as pytest_wrapped_e: + main() + assert pytest_wrapped_e.type == SystemExit + assert pytest_wrapped_e.value.code == 0 + + def test_Module(mocker): """ Given: 
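Review bot: test_notImplementedCommand only asserts that main() exits with code 0 for an unknown command; it never checks that the NotImplementedError was reported, so a silent `return` in the dispatcher would pass equally well. After the `with` block, assert the error reached the platform, e.g. `assert 'not implemented' in str(demisto.results.call_args)` (presumably via return_error, whose exit-code-0 behaviour is outside this diff). The `mocker.patch('AHA.Client.get', ...)` line is unused on this path and can be dropped.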
@@ -81,23 +113,40 @@ def test_getFeatures(mocker): - Asserts get a list of expected length with all features. """ client = mock_client(mocker, util_load_json('test_data/get_all_features.json')) - results = get_features(client=client, from_date='2022-01-01') + results = get_command(client=client, aha_type=AHA_TYPE.FEATURES, from_date='2022-01-01') assert len(results.outputs) == 3 + assert len(results.outputs[0].get('ideas')) == 1 + assert results.outputs[0].get('ideas')[0] == 'DEMO-I-299' -def test_getFeaturesFromDate(mocker): +def test_getIdeas(mocker): + """ + When: + - Requesting all ideas + Then: + - Asserts get a list of expected length with all ideas. + """ + client = mock_client(mocker, util_load_json('test_data/get_all_ideas.json')) + results = get_command(client=client, aha_type=AHA_TYPE.IDEAS, from_date='2022-01-01') + assert len(results.outputs) == 4 + + +@pytest.mark.parametrize('file_path, aha_type, from_date', + [('test_data/empty_feature_result.json', AHA_TYPE.FEATURES, '3000-01-01'), + ('test_data/empty_idea_result.json', AHA_TYPE.IDEAS, '3000-01-01')]) +def test_getFeaturesFromDate(mocker, file_path, aha_type, from_date): """ When: - Requesting all features with created date of the future Then: - Return en empty list """ - client = mock_client(mocker, util_load_json('test_data/empty_feature_result.json')) - results = get_features(client=client, from_date='3000-01-01') + client = mock_client(mocker, util_load_json(file_path)) + results = get_command(client=client, aha_type=aha_type, from_date=from_date) assert len(results.outputs) == 0 -def test_getSpecificFeature(mocker): +def test_getAFeature(mocker): """ When: - Requesting a specific feature 
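Review bot: test_getFeaturesFromDate is now parametrized over both features and ideas, but its name and docstring still speak only of "Requesting all features"; rename it to `test_getObjectsFromDate` and change the docstring to `- Requesting all features or ideas with a created date in the future`. test_getIdeas asserts only the count of 4; checking one `reference_num` as test_getFeatures does would catch a wrong parsing path. The hunk ends in the middle of test_getAFeature's docstring.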
@@ -105,21 +154,34 @@ def test_getSpecificFeature(mocker): - Returns the requested feature """ client = mock_client(mocker, util_load_json('test_data/get_specific_feature.json')) - result = get_features(client=client, from_date='2020-01-01', feature_name='DEMO-10') + result = get_command(client=client, aha_type=AHA_TYPE.FEATURES, from_date='2020-01-01', aha_object_name='DEMO-10') assert len(result.outputs) == 1 assert result.outputs[0]['reference_num'] == 'DEMO-10' +def test_getAnIdea(mocker): + """ + When: + - Requesting a specific idea + Then: + - Returns the requested idea + """ + client = mock_client(mocker, util_load_json('test_data/get_specific_idea.json')) + result = get_command(client=client, aha_type=AHA_TYPE.IDEAS, from_date='2020-01-01', aha_object_name='DEMO-I-2895') + assert len(result.outputs) == 1 + assert result.outputs[0]['reference_num'] == 'DEMO-I-2895' + + def test_editFeatureField(mocker): """ When: - - Requesting to update fields in a feautre. + - Requesting to update fields in a feature. Then: - Return the feature with updated fields. """ client = mock_client(mocker, util_load_json('test_data/update_feature_fields.json')) - result = edit_feature(client=client, feature_name='DEMO-10', fields={'name': 'DEMO-10', 'description': 'new description', - 'status': 'Closed'}) + result = edit_command(client=client, aha_type=AHA_TYPE.FEATURES, aha_object_name='DEMO-10', + fields='{"name": "DEMO-10", "description": "new description", "status": "Closed"}') assert len(result.outputs) == 1 output = result.outputs[0] assert output.get('name') == 'Demo-10' 
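Review bot: test_editFeatureField and the new test_getAnIdea exercise only the parsing of a canned fixture; nothing asserts which request the client built, so a wrong `url_suffix` or payload for ideas would not fail any test. If mock_client patches `Client._http_request` (its body is not visible here), keep the mock and assert on it, e.g. `client._http_request.assert_called_once()` followed by checks that the call's `url_suffix` ends with `'features/DEMO-10?fields=' + ','.join(EDIT_FIELDS)` and that `json_data == {'feature': {...}}` matches the fields sent. test_editFeatureField continues past the end of the hunk.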
@@ -127,18 +189,35 @@ def test_editFeatureField(mocker): assert output.get('workflow_status') == 'Closed' +def test_editIdeaStatus(mocker): + """ + When: + - Requesting to update status in an idea. + Then: + - Return the idea with an updated field. + """ + client = mock_client(mocker, util_load_json('test_data/update_idea_status.json')) + result = edit_command(client=client, aha_type=AHA_TYPE.IDEAS, aha_object_name='DEMO-I-2895', fields='{}') + assert len(result.outputs) == 1 + output = result.outputs[0] + assert output.get('name') == '[Test] Mirroring' + assert output.get('description') == 'Aha Jira Mirroring' + assert output.get('workflow_status') == 'Shipped' + + def test_editSpecificFeatureField(mocker): """ When: - - Requesting to update a specific field in a feautre. + - Requesting to update a specific field in a feature. Then: - Return the feature with only the specific field updated. """ - new_description = 'change just description' + new_name = 'change just name' client = mock_client(mocker, util_load_json('test_data/update_feature_field.json')) - result = edit_feature(client=client, feature_name='DEMO-10', fields={'description': new_description}) + result = edit_command(client=client, aha_type=AHA_TYPE.FEATURES, aha_object_name='DEMO-10', + fields=f'{{"description": "{new_name}"}}') assert len(result.outputs) == 1 output = result.outputs[0] - assert output.get('name') == 'Demo-10' - assert output.get('description') == new_description + assert output.get('name') == new_name + assert output.get('description') == 'description' assert output.get('workflow_status') == 'Closed' diff --git a/Packs/AHA/Integrations/AHA/README.md b/Packs/AHA/Integrations/AHA/README.md index 5ad0c7cd8b82..33e6566376d6 100644 --- a/Packs/AHA/Integrations/AHA/README.md +++ b/Packs/AHA/Integrations/AHA/README.md 
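Review bot: In test_editSpecificFeatureField the input and the assertions disagree: the local was renamed to `new_name` and the test asserts `output.get('name') == new_name`, but the JSON sent is still `{"description": "<new_name>"}`, so it passes only because the fixture is static. Send the matching field, `fields=f'{{"name": "{new_name}"}}'`, and keep the description assertion; if the intent was to cover description editing instead, the name assertion should be the unchanged one.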
@@ -1,5 +1,6 @@ Use the Aha! integration to list and manage Cortex XSOAR features from Aha. -This integration was integrated and tested with API version September 30, 2022 release of Aha. +This integration was integrated and tested with API version December 02, 2022 release of Aha. + ## Configure Aha on Cortex XSOAR 1. Navigate to **Settings** > **Integrations** > **Servers & Services**. @@ -9,8 +10,8 @@ This integration was integrated and tested with API version September 30, 2022 r | **Parameter** | **Description** | **Required** | | --- | --- | --- | | Server URL | | True | - | Project Name | Check the Aha\! project name in the URL. Replace the <PROJECT_NAME> placeholder in the following : example.com.aha.io/products/<PROJECT_NAME>/features | True | - | Api Key | API Key to access the service REST API, | True | + | Project Name | Check the Aha\! project name in the URL. Replace the <PROJECT_NAME> placeholder in the following : example.com.aha.io/products/<PROJECT_NAME>/features. | True | + | Api Key | API Key to access the service REST API. | True | | Trust any certificate (not secure) | | False | | Use system proxy settings | | False | @@ -30,7 +31,7 @@ Lists all features from service, unless a specific feature is specified. | **Argument Name** | **Description** | **Required** | | --- | --- | --- | -| from_date | Show features created after that date. Default is 2020-01-01. | Optional | +| from_date | Show features created after this date. Default is 2020-01-01. | Optional | | feature_name | The name of a specific feature to retrieve. | Optional | | fields | A comma-separated list of fields to include in the Aha! service response. Default is name,reference_num,id,created_at. | Optional | | page | The specific results page to retrieve. Default is 1. | Optional | 
@@ -44,7 +45,7 @@ Lists all features from service, unless a specific feature is specified. | AHA.Feature.id | UUID | The feature ID. | | AHA.Feature.name | String | The feature name. | | AHA.Feature.reference_num | String | The feature reference number. | -| AHA.Feature.workflow_status | String | The feature workflow status. | +| AHA.Feature.workflow_status | String | The feature status description. | | AHA.Feature.description | String | The feature description. | | AHA.Feature.created_at | Date | The feature creation date. | @@ -55,7 +56,7 @@ Lists all features from service, unless a specific feature is specified. ### aha-edit-feature *** -Edit any of the following fields in a feature: Name, Status and Description. +You can edit the following fields in a feature: Name and Description. #### Base Command @@ -65,8 +66,8 @@ Edit any of the following fields in a feature: Name, Status and Description. | **Argument Name** | **Description** | **Required** | | --- | --- | --- | -| feature_name | The name of the features to edit. | Required | -| fields | Fields in JSON format to edit in a feature. Possible fields are name, description and status. Status should match Aha values under workflow_status. Example:" {"name": "name", "description": "desc", "status" : "Closed"}. | Required | +| feature_name | The name of the feature to edit. | Required | +| fields | Fields in JSON format to edit in a feature. Possible fields are name and status. Status should match Aha values under workflow_status. Example:" {"name": "name", "status" : "Closed"}. | Required | #### Context Output 
@@ -76,9 +77,73 @@ Edit any of the following fields in a feature: Name, Status and Description. | AHA.Feature.id | UUID | The feature ID. | | AHA.Feature.name | String | The feature name. | | AHA.Feature.reference_num | String | The feature reference number. | -| AHA.Feature.workflow_status | String | The feature workflow status. | +| AHA.Feature.workflow_status | String | The feature status description. | | AHA.Feature.description | String | The feature description. | | AHA.Feature.created_at | Date | The feature creation date. | #### Command example -```!aha-edit-feature feature_name=DEMO-10 fields=`{"name":"the_new_name", "description":"the_new_desc", "status":"Closed"}``` +```!aha-edit-feature feature_name=DEMO-10 fields=`{"name":"the_new_name", "status":"Closed"}``` + +### aha-get-ideas +*** +Lists all ideas from service, unless a specific idea is specified. + + +#### Base Command + +`aha-get-ideas` +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| from_date | Show ideas created after this date. Default is 2020-01-01. | Optional | +| idea_name | The name of a specific idea to retrieve. | Optional | +| fields | A comma-separated list of fields to include in the Aha! service response. Default is name,reference_num,id,created_at. | Optional | +| page | The specific results page to retrieve. Default is 1. | Optional | +| per_page | The maximum number of results per page. Default is 30. | Optional | + + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| AHA.Idea.id | UUID | The idea ID. | +| AHA.Idea.name | String | The idea name. | +| AHA.Idea.reference_num | String | The idea reference number. | +| AHA.Idea.workflow_status | String | The idea status description. | +| AHA.Idea.description | String | The idea description. | +| AHA.Idea.created_at | Date | The idea creation date. 
| + +#### Command example +```!aha-get-ideas``` +```!aha-get-ideas idea_name=DEMO-I-2895``` +```!aha-get-ideas idea_name=DEMO-I-2895 fields=workflow_status``` + +### aha-edit-idea +*** +Edit an idea status to Shipped. + + +#### Base Command + +`aha-edit-idea` +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| idea_name | The name of the idea to edit. | Required | + + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| AHA.Idea.id | UUID | The idea ID. | +| AHA.Idea.name | String | The idea name. | +| AHA.Idea.reference_num | String | The idea reference number. | +| AHA.Idea.workflow_status | String | The idea status description. | +| AHA.Idea.description | String | The idea description. | +| AHA.Idea.created_at | Date | The idea creation date. | + +#### Command example +```!aha-edit-idea idea_name=DEMO-I-2895``` diff --git a/Packs/AHA/Integrations/AHA/test_data/empty_idea_result.json b/Packs/AHA/Integrations/AHA/test_data/empty_idea_result.json new file mode 100644 index 000000000000..6bcb18d31949 --- /dev/null +++ b/Packs/AHA/Integrations/AHA/test_data/empty_idea_result.json @@ -0,0 +1,8 @@ +{ + "ideas": [], + "pagination": { + "total_records": 0, + "total_pages": 0, + "current_page": 1 + } +} \ No newline at end of file diff --git a/Packs/AHA/Integrations/AHA/test_data/get_all_features.json b/Packs/AHA/Integrations/AHA/test_data/get_all_features.json index f7c920dc09e8..af7bc7dcf19b 100644 --- a/Packs/AHA/Integrations/AHA/test_data/get_all_features.json +++ b/Packs/AHA/Integrations/AHA/test_data/get_all_features.json @@ -23,7 +23,20 @@ "description": { "id": "7142047390469716564", "body": "

Italy is a major cycling destination from folks from around the world. As part of the Giro coverage also highlight routes and places of interest for casual travelers.

" - } + }, + "ideas": [ + { + "id": "6877998175658332354", + "reference_num": "DEMO-I-299", + "name": "Highlight places of interest for casual travelers.", + "workflow_status": { + "id": "7142047390668922035", + "name": "Open", + "position": 7, + "complete": false, + "color": "#7f7f7f" + } + }] }, { "id": "7142047390531708532", @@ -48,7 +61,8 @@ "description": { "id": "7142047390570897954", "body": "

Enhance the mobile getting started guide with a picture diagram that explains how best to get started.

" - } + }, + "ideas" : [] }, { "id": "7142047390632056703", @@ -73,7 +87,33 @@ "description": { "id": "7142047390668922035", "body": "

Many cities want to make their roads safer and more convenient for cyclists, but they have a problem. They have very little data on where people ride and what influences their choices. We have tons of data that we can make anonymous and sell to these cities.

" - } + }, + "ideas": [ + { + "id": "6877998175658332354", + "reference_num": "DEMO-I-301", + "name": "make roads more convenient", + "workflow_status": { + "id": "7142047390668922035", + "name": "Shipped", + "position": 7, + "complete": false, + "color": "#7f7f7f" + } + }, + { + "id": "6852713789499497935", + "reference_num": "DEMO-I-41", + "name": "[Feature Request] make roads safer", + "workflow_status": { + "id": "7142047390668922035", + "name": "Shipped", + "position": 7, + "complete": false, + "color": "#7f7f7f" + } + } + ] } ], "pagination": { diff --git a/Packs/AHA/Integrations/AHA/test_data/get_all_ideas.json b/Packs/AHA/Integrations/AHA/test_data/get_all_ideas.json new file mode 100644 index 000000000000..2a4561ec154e --- /dev/null +++ b/Packs/AHA/Integrations/AHA/test_data/get_all_ideas.json @@ -0,0 +1,89 @@ +{ + "ideas": [ + { + "id": "7172566722654275503", + "reference_num": "DEMO-I-3078", + "name": "Create an alert exception command", + "created_at": "2022-12-02T15:02:06.684Z", + "updated_at": "2022-12-02T15:32:15.214Z", + "workflow_status": { + "id": "6836873525456343266", + "name": "Request Received", + "position": 1, + "complete": false, + "color": "#c1e39d" + }, + "description": { + "id": "7172566723341028779", + "body": "Some analysts needs to add regularly alerts exception.", + "created_at": "2022-12-02T15:02:06.844Z", + "attachments": [] + } + }, + { + "id": "7172551313548762563", + "reference_num": "DEMO-I-3077", + "name": "Adding MFA feature on local admin account. only", + "created_at": "2022-12-02T14:02:18.971Z", + "updated_at": "2022-12-02T19:27:20.486Z", + "workflow_status": { + "id": "6836873525456343266", + "name": "Request Received", + "position": 1, + "complete": false, + "color": "#c1e39d" + }, + "description": { + "id": "7172551313663237690", + "body": "

Hello,

We would like to see a new feature in order to enforce security.", + "created_at": "2022-12-02T14:02:18.998Z", + "attachments": [] + } + }, + { + "id": "7172480677120868256", + "reference_num": "DEMO-I-3076", + "name": "Ability to amend the color of the favicons", + "created_at": "2022-12-02T09:28:12.646Z", + "updated_at": "2022-12-03T01:24:37.165Z", + "workflow_status": { + "id": "6836873525456343266", + "name": "Request Received", + "position": 1, + "complete": false, + "color": "#c1e39d" + }, + "description": { + "id": "7172480677226219366", + "body": "

Ability to amend the color of the favicons.

", + "created_at": "2022-12-02T09:28:12.671Z", + "attachments": [] + } + }, + { + "id": "7172305193792846103", + "reference_num": "DEMO-I-3075", + "name": "Include a creation timestamp for API Keys", + "created_at": "2022-12-01T22:07:14.749Z", + "updated_at": "2022-12-03T01:24:30.489Z", + "workflow_status": { + "id": "6836873525456343266", + "name": "Request Received", + "position": 1, + "complete": false, + "color": "#c1e39d" + }, + "description": { + "id": "7172305193907051640", + "body": "

It would be helpful to see a timestamp of when an API key was created.

", + "created_at": "2022-12-01T22:07:14.776Z", + "attachments": [] + } + } + ], + "pagination": { + "total_records": 3021, + "total_pages": 101, + "current_page": 1 + } +} \ No newline at end of file diff --git a/Packs/AHA/Integrations/AHA/test_data/get_specific_idea.json b/Packs/AHA/Integrations/AHA/test_data/get_specific_idea.json new file mode 100644 index 000000000000..011723553abf --- /dev/null +++ b/Packs/AHA/Integrations/AHA/test_data/get_specific_idea.json @@ -0,0 +1,15 @@ +{ + "idea": { + "id": "7144646026151911047", + "name": "[Test] Mirroring", + "reference_num": "DEMO-I-2895", + "product_id": "6836114877834670881", + "workflow_status": { + "id": "6836873525456343266", + "name": "Request Received", + "position": 1, + "complete": false, + "color": "#c1e39d" + } + } +} \ No newline at end of file diff --git a/Packs/AHA/Integrations/AHA/test_data/update_feature_field.json b/Packs/AHA/Integrations/AHA/test_data/update_feature_field.json index a97a355426e4..e7d0afbb43c1 100644 --- a/Packs/AHA/Integrations/AHA/test_data/update_feature_field.json +++ b/Packs/AHA/Integrations/AHA/test_data/update_feature_field.json @@ -1,7 +1,7 @@ { "feature": { "id": "7142047393121670680", - "name": "Demo-10", + "name": "change just name", "reference_num": "DEMO-10", "created_by_user": { "id": "7142047370286614216", @@ -21,7 +21,7 @@ }, "description": { "id": "7142047393165357275", - "body": "change just description" + "body": "description" } } } \ No newline at end of file diff --git a/Packs/AHA/Integrations/AHA/test_data/update_idea_status.json b/Packs/AHA/Integrations/AHA/test_data/update_idea_status.json new file mode 100644 index 000000000000..4d21faab9c4b --- /dev/null +++ b/Packs/AHA/Integrations/AHA/test_data/update_idea_status.json 
@@ -0,0 +1,79 @@ +{ + "idea": { + "id": "7144646026151911047", + "name": "[Test] Mirroring", + "reference_num": "DEMO-I-2895", + "score": 3, + "created_at": "2022-09-18T09:15:32.943Z", + "updated_at": "2022-12-05T10:17:47.065Z", + "product_id": "6836114877834670881", + "votes": 2, + "status_changed_at": "2022-12-05T10:17:47.065Z", + "workflow_status": { + "id": "6904419099755086274", + "name": "Shipped", + "position": 7, + "complete": false, + "color": "#7f7f7f" + }, + "description": { + "id": "7144646026273598263", + "body": "Aha Jira Mirroring", + "created_at": "2022-09-18T09:15:32.971Z", + "attachments": [] + }, + "visibility": "Visible to all ideas portal users", + "url": "test/ideas/ideas/DEMO-I-2895", + "resource": "test/api/v1/ideas/DEMO-I-2895", + "product": { + "id": "6836114877834670881", + "reference_prefix": "DEMO", + "name": "Customer Feature Requests", + "product_line": false, + "created_at": "2020-06-08T22:57:07.099Z", + "workspace_type": "product_workspace" + }, + "created_by_portal_user": { + "id": "6866738214309336808", + "name": "Test Tester", + "email": "user@email.com", + "created_at": "2020-08-30T11:31:18.238Z" + }, + "created_by_idea_user": { + "id": "6951900696067621885", + "name": "Test Tester", + "email": "user@email.com", + "created_at": "2021-04-16T23:25:13.678Z" + }, + "assigned_to_user": { + "id": "6878244936949625239", + "name": "Test Tester", + "email": "user@email.com", + "created_at": "2020-09-30T11:43:15.879Z", + "updated_at": "2022-12-02T09:46:27.293Z", + "default_assignee": false + }, + "feature": { + "id": "7144646339649854720", + "reference_num": "DEMO-1019", + "name": "[Test] Mirroring", + "created_at": "2022-09-18T09:16:45.939Z", + "url": "test/features/DEMO-1019", + "resource": "test/api/v1/features/DEMO-1019", + "product_id": "6836114877834670881" + }, + "endorsements_count": 2, + "comments_count": 0, + "score_facts": [], + "tags": [], + "full_tags": [], + "categories": [ + { + "id": "6871298164875917780", + "name": "New 
Integration Request", + "parent_id": null, + "created_at": "2020-09-11T18:26:14.464Z" + } + ] + } +} \ No newline at end of file diff --git a/Packs/AHA/ReleaseNotes/1_0_3.md b/Packs/AHA/ReleaseNotes/1_0_3.md new file mode 100644 index 000000000000..de3d5f5b74d0 --- /dev/null +++ b/Packs/AHA/ReleaseNotes/1_0_3.md @@ -0,0 +1,3 @@ +#### Integrations +##### Aha +- Updated the Docker image to: *demisto/python3:3.10.9.40422*. diff --git a/Packs/AHA/ReleaseNotes/1_0_4.md b/Packs/AHA/ReleaseNotes/1_0_4.md new file mode 100644 index 000000000000..137720104d82 --- /dev/null +++ b/Packs/AHA/ReleaseNotes/1_0_4.md @@ -0,0 +1,3 @@ +#### Integrations +##### Aha +- Added support for get ideas and edit ideas. \ No newline at end of file diff --git a/Packs/AHA/pack_metadata.json b/Packs/AHA/pack_metadata.json index bd0b244f803e..ad709cf22669 100644 --- a/Packs/AHA/pack_metadata.json +++ b/Packs/AHA/pack_metadata.json @@ -2,7 +2,7 @@ "name": "AHA", "description": "Use the Aha! integration to edit name/title description and status of features in Aha! according to their status in Jira", "support": "xsoar", - "currentVersion": "1.0.2", + "currentVersion": "1.0.4", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/ANYRUN/Integrations/ANYRUN/ANYRUN.py b/Packs/ANYRUN/Integrations/ANYRUN/ANYRUN.py index 4a0c01a487ad..180f152f53c0 100644 --- a/Packs/ANYRUN/Integrations/ANYRUN/ANYRUN.py +++ b/Packs/ANYRUN/Integrations/ANYRUN/ANYRUN.py @@ -9,6 +9,7 @@ import os import json import requests +import urllib3 from base64 import b64encode ''' GLOBAL VARS / INSTANCE CONFIGURATION ''' @@ -47,7 +48,7 @@ ''' SETUP ''' # Disable insecure warnings -requests.packages.urllib3.disable_warnings() +urllib3.disable_warnings() # Remove proxy if not set to true in params if not PROXY: diff --git a/Packs/ANYRUN/Integrations/ANYRUN/ANYRUN.yml b/Packs/ANYRUN/Integrations/ANYRUN/ANYRUN.yml index 2686afef4bf3..70489ee1e97f 100644 
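Review bot: `urllib3.disable_warnings()` with no category argument silences every urllib3 warning, not only the insecure-request warning that the `# Disable insecure warnings` comment describes, and it runs unconditionally at import time rather than only when certificate verification is turned off. Prefer `urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)` so dependency and platform warnings still surface in the container logs. The same blanket call is introduced in the ARIAPacketIntelligence.py main() hunk further down this page; the fix applies there as well. The module-level setup block around this call continues outside the hunk.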
--- a/Packs/ANYRUN/Integrations/ANYRUN/ANYRUN.yml +++ b/Packs/ANYRUN/Integrations/ANYRUN/ANYRUN.yml @@ -425,7 +425,7 @@ script: - contextPath: ANYRUN.Task.ID description: ID of the task created to analyze the submission. type: String - dockerimage: demisto/python3:3.10.5.31928 + dockerimage: demisto/python3:3.10.9.40422 subtype: python3 isfetch: false runonce: false diff --git a/Packs/ANYRUN/ReleaseNotes/1_0_11.md b/Packs/ANYRUN/ReleaseNotes/1_0_11.md new file mode 100644 index 000000000000..1f49c33eb284 --- /dev/null +++ b/Packs/ANYRUN/ReleaseNotes/1_0_11.md @@ -0,0 +1,3 @@ +#### Integrations +##### ANY.RUN +- Updated the Docker image to: *demisto/python3:3.10.9.40422*. diff --git a/Packs/ANYRUN/pack_metadata.json b/Packs/ANYRUN/pack_metadata.json index eb230a80cf19..cbd0b2f52b2a 100644 --- a/Packs/ANYRUN/pack_metadata.json +++ b/Packs/ANYRUN/pack_metadata.json @@ -2,7 +2,7 @@ "name": "ANY.RUN", "description": "ANY.RUN is a cloud-based sandbox with interactive access.", "support": "xsoar", - "currentVersion": "1.0.10", + "currentVersion": "1.0.11", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/APIVoid/Integrations/APIVoid/APIVoid.yml b/Packs/APIVoid/Integrations/APIVoid/APIVoid.yml index d3c003fad274..aa104fa3e824 100644 --- a/Packs/APIVoid/Integrations/APIVoid/APIVoid.yml +++ b/Packs/APIVoid/Integrations/APIVoid/APIVoid.yml @@ -1614,7 +1614,7 @@ script: description: '' type: boolean description: A smart API that accurately checks a website's trustworthiness. - dockerimage: demisto/python3:3.10.8.39276 + dockerimage: demisto/python3:3.10.9.42476 runonce: false subtype: python3 fromversion: 5.0.0 diff --git a/Packs/APIVoid/ReleaseNotes/1_0_25.md b/Packs/APIVoid/ReleaseNotes/1_0_25.md new file mode 100644 index 000000000000..25d2d833f14b --- /dev/null +++ b/Packs/APIVoid/ReleaseNotes/1_0_25.md @@ -0,0 +1,3 @@ +#### Integrations +##### APIVoid +- Updated the Docker image to: *demisto/python3:3.10.9.40422*. 
diff --git a/Packs/APIVoid/ReleaseNotes/1_0_26.md b/Packs/APIVoid/ReleaseNotes/1_0_26.md new file mode 100644 index 000000000000..8cc78d2e0d2d --- /dev/null +++ b/Packs/APIVoid/ReleaseNotes/1_0_26.md @@ -0,0 +1,3 @@ +#### Integrations +##### APIVoid +- Updated the Docker image to: *demisto/python3:3.10.9.42476*. diff --git a/Packs/APIVoid/pack_metadata.json b/Packs/APIVoid/pack_metadata.json index bd32db307817..e5531f6c5b11 100644 --- a/Packs/APIVoid/pack_metadata.json +++ b/Packs/APIVoid/pack_metadata.json @@ -2,7 +2,7 @@ "name": "APIVoid", "description": "APIVoid wraps up a number of services such as ipvoid & urlvoid", "support": "xsoar", - "currentVersion": "1.0.24", + "currentVersion": "1.0.26", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/ARIAPacketIntelligence/Integrations/ARIAPacketIntelligence/ARIAPacketIntelligence.py b/Packs/ARIAPacketIntelligence/Integrations/ARIAPacketIntelligence/ARIAPacketIntelligence.py index 8d7346273a1c..0d18e5c96022 100644 --- a/Packs/ARIAPacketIntelligence/Integrations/ARIAPacketIntelligence/ARIAPacketIntelligence.py +++ b/Packs/ARIAPacketIntelligence/Integrations/ARIAPacketIntelligence/ARIAPacketIntelligence.py @@ -4,6 +4,7 @@ import requests import time import re +import urllib3 class ParameterError(Exception): @@ -2224,7 +2225,7 @@ def mute_alert_src_subnet_command(instance, args): def main(): # disable insecure warnings - requests.packages.urllib3.disable_warnings() + urllib3.disable_warnings() # IP address or FQDN of your SDSo node SDSO = demisto.params().get('sdso') diff --git a/Packs/ARIAPacketIntelligence/Integrations/ARIAPacketIntelligence/ARIAPacketIntelligence.yml b/Packs/ARIAPacketIntelligence/Integrations/ARIAPacketIntelligence/ARIAPacketIntelligence.yml index 70f1017e2fc5..1ad3de3be8ec 100755 --- a/Packs/ARIAPacketIntelligence/Integrations/ARIAPacketIntelligence/ARIAPacketIntelligence.yml 
+++ b/Packs/ARIAPacketIntelligence/Integrations/ARIAPacketIntelligence/ARIAPacketIntelligence.yml @@ -906,7 +906,7 @@ script: description: 'Endpoint information, such as the IP address, about the SIAs that were modified based on the rule change.' type: string description: Removes a named rule from the source subnet logic block, disabling the alerts. - dockerimage: demisto/python3:3.10.5.31928 + dockerimage: demisto/python3:3.10.9.40422 runonce: false tests: - No test diff --git a/Packs/ARIAPacketIntelligence/ReleaseNotes/2_0_10.md b/Packs/ARIAPacketIntelligence/ReleaseNotes/2_0_10.md new file mode 100644 index 000000000000..06619d9062eb --- /dev/null +++ b/Packs/ARIAPacketIntelligence/ReleaseNotes/2_0_10.md @@ -0,0 +1,3 @@ +#### Integrations +##### ARIA Packet Intelligence +- Updated the Docker image to: *demisto/python3:3.10.9.40422*. diff --git a/Packs/ARIAPacketIntelligence/pack_metadata.json b/Packs/ARIAPacketIntelligence/pack_metadata.json index b431bbe0717c..9fc7939203d7 100755 --- a/Packs/ARIAPacketIntelligence/pack_metadata.json +++ b/Packs/ARIAPacketIntelligence/pack_metadata.json @@ -2,7 +2,7 @@ "name": "ARIAPacketIntelligence", "description": "Manage Packet Intelligence rules in response to incidents. Instantly block conversations, redirect packets, generate alerts, or perform other actions.", "support": "partner", - "currentVersion": "2.0.9", + "currentVersion": "2.0.10", "author": "ARIA Cybersecurity Solutions", "url": "https://www.ariacybersecurity.com/cybersecurity-products/aria-packet-intelligence", "email": "ARIA_support@ariacybersecurity.com", diff --git a/Packs/AWS-ACM/ReleaseNotes/1_1_28.md b/Packs/AWS-ACM/ReleaseNotes/1_1_28.md new file mode 100644 index 000000000000..149b2a205aef --- /dev/null +++ b/Packs/AWS-ACM/ReleaseNotes/1_1_28.md @@ -0,0 +1,4 @@ + +#### Integrations +##### AWS - ACM +- Fixed an issue where the **region** argument was not being taken into account in some commands. 
diff --git a/Packs/AWS-ACM/ReleaseNotes/1_1_29.md b/Packs/AWS-ACM/ReleaseNotes/1_1_29.md
new file mode 100644
index 000000000000..167d43916dea
--- /dev/null
+++ b/Packs/AWS-ACM/ReleaseNotes/1_1_29.md
@@ -0,0 +1,4 @@
+
+#### Integrations
+##### AWS - ACM
+- Fixed a typo in **AWSApiModule**.
diff --git a/Packs/AWS-ACM/pack_metadata.json b/Packs/AWS-ACM/pack_metadata.json
index 29d5c4d28fe8..9bb5c43e58f9 100644
--- a/Packs/AWS-ACM/pack_metadata.json
+++ b/Packs/AWS-ACM/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "AWS - ACM",
 "description": "Amazon Web Services Certificate Manager Service (acm)",
 "support": "xsoar",
- "currentVersion": "1.1.27",
+ "currentVersion": "1.1.29",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
diff --git a/Packs/AWS-CloudWatchLogs/ReleaseNotes/1_2_12.md b/Packs/AWS-CloudWatchLogs/ReleaseNotes/1_2_12.md
new file mode 100644
index 000000000000..244637374a74
--- /dev/null
+++ b/Packs/AWS-CloudWatchLogs/ReleaseNotes/1_2_12.md
@@ -0,0 +1,4 @@
+
+#### Integrations
+##### AWS - CloudWatchLogs
+- Fixed an issue where the **region** argument was not being taken into account in some commands.
diff --git a/Packs/AWS-CloudWatchLogs/ReleaseNotes/1_2_13.md b/Packs/AWS-CloudWatchLogs/ReleaseNotes/1_2_13.md
new file mode 100644
index 000000000000..2936d9af9405
--- /dev/null
+++ b/Packs/AWS-CloudWatchLogs/ReleaseNotes/1_2_13.md
@@ -0,0 +1,4 @@
+
+#### Integrations
+##### AWS - CloudWatchLogs
+- Fixed a typo in **AWSApiModule**.
diff --git a/Packs/AWS-CloudWatchLogs/pack_metadata.json b/Packs/AWS-CloudWatchLogs/pack_metadata.json
index 5093b319650a..02e1888cd21b 100644
--- a/Packs/AWS-CloudWatchLogs/pack_metadata.json
+++ b/Packs/AWS-CloudWatchLogs/pack_metadata.json
@@ -2,7 +2,7 @@ "name": "AWS - CloudWatchLogs", "description": "Amazon Web Services CloudWatch Logs (logs).", "support": "xsoar", - "currentVersion": "1.2.11", + "currentVersion": "1.2.13", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/AWS-EC2/Integrations/AWS-EC2/AWS-EC2.py b/Packs/AWS-EC2/Integrations/AWS-EC2/AWS-EC2.py index 6c276cf6ac69..224fdd1c30c7 100644 --- a/Packs/AWS-EC2/Integrations/AWS-EC2/AWS-EC2.py +++ b/Packs/AWS-EC2/Integrations/AWS-EC2/AWS-EC2.py @@ -1553,8 +1553,8 @@ def create_policy_kwargs_dict(args): policy_kwargs_keys = (('fromPort', 'FromPort'), ('toPort', 'ToPort')) policy_kwargs = {} for args_key, dict_key in policy_kwargs_keys: - if int(args.get(args_key)) is not None: - policy_kwargs.update({dict_key: int(args.get(args_key))}) + if key := args.get(args_key): + policy_kwargs.update({dict_key: arg_to_number(key)}) policy_kwargs_keys = (('cidrIp', 'CidrIp'), ('ipProtocol', 'IpProtocol'), ('sourceSecurityGroupName', 'SourceSecurityGroupName'), ('SourceSecurityGroupOwnerId', 'SourceSecurityGroupOwnerId'), diff --git a/Packs/AWS-EC2/Integrations/AWS-EC2/AWS-EC2.yml b/Packs/AWS-EC2/Integrations/AWS-EC2/AWS-EC2.yml index 773e7ac47ab0..88237a34cf31 100644 --- a/Packs/AWS-EC2/Integrations/AWS-EC2/AWS-EC2.yml +++ b/Packs/AWS-EC2/Integrations/AWS-EC2/AWS-EC2.yml @@ -6362,7 +6362,7 @@ script: description: Release on demand dedicated host. execution: false name: aws-ec2-release-hosts - dockerimage: demisto/boto3py3:1.0.0.41082 + dockerimage: demisto/boto3py3:1.0.0.41554 feed: false isfetch: false longRunning: false diff --git a/Packs/AWS-EC2/Integrations/AWS-EC2/AWS-EC2_test.py b/Packs/AWS-EC2/Integrations/AWS-EC2/AWS-EC2_test.py index 41189e200769..ffef7572a1da 100644 --- a/Packs/AWS-EC2/Integrations/AWS-EC2/AWS-EC2_test.py +++ b/Packs/AWS-EC2/Integrations/AWS-EC2/AWS-EC2_test.py 
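Review bot: `if key := args.get(args_key):` tests truthiness, so a port argument that is valid but falsy is silently dropped from the boto3 kwargs: `0` is a legitimate FromPort/ToPort for ICMP type/code rules, and if a playbook passes it as an integer rather than the string `'0'` the key is omitted and the security-group rule is built without it. Use `if (key := args.get(args_key)) is not None:` so only missing arguments are skipped, while still avoiding the TypeError the removed `int(None)` raised. The name `key` is also misleading next to `args_key`/`dict_key`, since it holds the port value; `port` or `raw_value` would read better. create_policy_kwargs_dict continues past the end of the hunk.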
@@ -79,3 +79,18 @@ def test_aws_ec2_authorize_security_group_egress_rule(mocker, args, expected_res else: results = demisto.results.call_args[0][0] assert results == expected_results + + +def test_create_policy_kwargs_dict(): + """ + Given + - empty policy kwargs + + When + - running create_policy_kwargs_dict function + + Then + - make sure that create_policy_kwargs_dict does not fail on any exception + + """ + assert AWS_EC2.create_policy_kwargs_dict({}) == {} diff --git a/Packs/AWS-EC2/ReleaseNotes/1_2_24.md b/Packs/AWS-EC2/ReleaseNotes/1_2_24.md new file mode 100644 index 000000000000..1b26250697ad --- /dev/null +++ b/Packs/AWS-EC2/ReleaseNotes/1_2_24.md @@ -0,0 +1,4 @@ + +#### Integrations +##### AWS - EC2 +- Fixed an issue where the **region** argument was not being taken into account in some commands. diff --git a/Packs/AWS-EC2/ReleaseNotes/1_2_25.md b/Packs/AWS-EC2/ReleaseNotes/1_2_25.md new file mode 100644 index 000000000000..0d125dffba43 --- /dev/null +++ b/Packs/AWS-EC2/ReleaseNotes/1_2_25.md @@ -0,0 +1,4 @@ +#### Integrations +##### AWS - EC2 +- Fixed an issue where the **aws-ec2-authorize-security-group-ingress-rule** failed. +- Updated the Docker image to: *demisto/boto3py3:1.0.0.41554*. \ No newline at end of file diff --git a/Packs/AWS-EC2/ReleaseNotes/1_2_26.md b/Packs/AWS-EC2/ReleaseNotes/1_2_26.md new file mode 100644 index 000000000000..5b7b48eba170 --- /dev/null +++ b/Packs/AWS-EC2/ReleaseNotes/1_2_26.md @@ -0,0 +1,4 @@ + +#### Integrations +##### AWS - EC2 +- Fixed a typo in **AWSApiModule**. diff --git a/Packs/AWS-EC2/pack_metadata.json b/Packs/AWS-EC2/pack_metadata.json index a17b489e24e8..b37aaa6e3128 100644 --- a/Packs/AWS-EC2/pack_metadata.json +++ b/Packs/AWS-EC2/pack_metadata.json 
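Review bot: test_create_policy_kwargs_dict only pins the empty-input case, so the new walrus/arg_to_number branch in create_policy_kwargs_dict is never exercised by the added test. Add at least one assertion with string ports, e.g. `assert AWS_EC2.create_policy_kwargs_dict({'fromPort': '22', 'toPort': '443'})['FromPort'] == 22`, to confirm the conversion to int still happens, and one with a non-numeric port to pin the failure mode callers should expect. The docstring's "does not fail on any exception" would then be complemented by a positive check of the produced kwargs.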
@@ -2,7 +2,7 @@ "name": "AWS - EC2", "description": "Amazon Web Services Elastic Compute Cloud (EC2)", "support": "xsoar", - "currentVersion": "1.2.23", + "currentVersion": "1.2.26", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/AWS-GuardDuty/Integrations/AWSGuardDuty/AWSGuardDuty.yml b/Packs/AWS-GuardDuty/Integrations/AWSGuardDuty/AWSGuardDuty.yml index 2e47270706f8..b5a05cddec49 100644 --- a/Packs/AWS-GuardDuty/Integrations/AWSGuardDuty/AWSGuardDuty.yml +++ b/Packs/AWS-GuardDuty/Integrations/AWSGuardDuty/AWSGuardDuty.yml @@ -1497,7 +1497,7 @@ script: - contextPath: AWS.GuardDuty.Members.UpdatedAt description: The time a member was last updated. type: string - dockerimage: demisto/boto3py3:1.0.0.38849 + dockerimage: demisto/boto3py3:1.0.0.41464 feed: false isfetch: true longRunning: false diff --git a/Packs/AWS-GuardDuty/Integrations/AWSGuardDutyEventCollector/AWSGuardDutyEventCollector.yml b/Packs/AWS-GuardDuty/Integrations/AWSGuardDutyEventCollector/AWSGuardDutyEventCollector.yml index d3a6d9dc7c95..d01ee117dae4 100644 --- a/Packs/AWS-GuardDuty/Integrations/AWSGuardDutyEventCollector/AWSGuardDutyEventCollector.yml +++ b/Packs/AWS-GuardDuty/Integrations/AWSGuardDutyEventCollector/AWSGuardDutyEventCollector.yml @@ -112,7 +112,7 @@ script: description: Manual command used to fetch events and display them. execution: false name: aws-gd-get-events - dockerimage: demisto/boto3py3:1.0.0.37755 + dockerimage: demisto/boto3py3:1.0.0.41464 isfetchevents: true runonce: false subtype: python3 diff --git a/Packs/AWS-GuardDuty/ReleaseNotes/1_3_7.md b/Packs/AWS-GuardDuty/ReleaseNotes/1_3_7.md new file mode 100644 index 000000000000..b9e787430d69 --- /dev/null +++ b/Packs/AWS-GuardDuty/ReleaseNotes/1_3_7.md 
@@ -0,0 +1,5 @@
+#### Integrations
+##### AWS - GuardDuty
+- Updated the Docker image to: *demisto/boto3py3:1.0.0.41464*.
+##### AWS - GuardDuty Event Collector
+- Updated the Docker image to: *demisto/boto3py3:1.0.0.41464*.
diff --git a/Packs/AWS-GuardDuty/ReleaseNotes/1_3_8.md b/Packs/AWS-GuardDuty/ReleaseNotes/1_3_8.md
new file mode 100644
index 000000000000..3164d22a2e60
--- /dev/null
+++ b/Packs/AWS-GuardDuty/ReleaseNotes/1_3_8.md
@@ -0,0 +1,6 @@
+#### Integrations
+##### AWS - GuardDuty Event Collector
+- Fixed an issue where the **region** argument was not being taken into account in some commands.
+
+##### AWS - GuardDuty
+- Fixed an issue where the **region** argument was not being taken into account in some commands.
diff --git a/Packs/AWS-GuardDuty/ReleaseNotes/1_3_9.md b/Packs/AWS-GuardDuty/ReleaseNotes/1_3_9.md
new file mode 100644
index 000000000000..532f3aa1bc2b
--- /dev/null
+++ b/Packs/AWS-GuardDuty/ReleaseNotes/1_3_9.md
@@ -0,0 +1,7 @@
+
+#### Integrations
+##### AWS - GuardDuty Event Collector
+- Fixed a typo in **AWSApiModule**.
+
+##### AWS - GuardDuty
+- Fixed a typo in **AWSApiModule**.
diff --git a/Packs/AWS-GuardDuty/pack_metadata.json b/Packs/AWS-GuardDuty/pack_metadata.json
index f7e0defb1a65..13af2ad222a3 100644
--- a/Packs/AWS-GuardDuty/pack_metadata.json
+++ b/Packs/AWS-GuardDuty/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "AWS - GuardDuty",
 "description": "Amazon Web Services Guard Duty Service (gd)",
 "support": "xsoar",
- "currentVersion": "1.3.6",
+ "currentVersion": "1.3.9",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
@@ -10,9 +10,7 @@
 "categories": [
 "Cloud Services"
 ],
- "tags": [
- "marketplacev2:Data Source"
- ],
+ "tags": [],
 "itemPrefix": [
 "AWS",
 "AWS GuardDuty"
diff --git a/Packs/AWS-IAM/ReleaseNotes/1_1_18.md b/Packs/AWS-IAM/ReleaseNotes/1_1_18.md
new file mode 100644
index 000000000000..350a8e718e0b
--- /dev/null
+++ b/Packs/AWS-IAM/ReleaseNotes/1_1_18.md
@@ -0,0 +1,4 @@
+
+#### Integrations
+##### AWS - Identity and Access Management
+- Fixed an issue where the **region** argument was not being taken into account in some commands.
diff --git a/Packs/AWS-IAM/ReleaseNotes/1_1_19.md b/Packs/AWS-IAM/ReleaseNotes/1_1_19.md
new file mode 100644
index 000000000000..c7beef88e8c8
--- /dev/null
+++ b/Packs/AWS-IAM/ReleaseNotes/1_1_19.md
@@ -0,0 +1,4 @@
+
+#### Integrations
+##### AWS - Identity and Access Management
+- Fixed a typo in **AWSApiModule**.
diff --git a/Packs/AWS-IAM/pack_metadata.json b/Packs/AWS-IAM/pack_metadata.json
index d9be426b1f67..9f26e991ab65 100644
--- a/Packs/AWS-IAM/pack_metadata.json
+++ b/Packs/AWS-IAM/pack_metadata.json
@@ -3,7 +3,7 @@
 "description": "Amazon Web Services Identity and Access Management (IAM)",
 "support": "xsoar",
 "author": "Cortex XSOAR",
- "currentVersion": "1.1.17",
+ "currentVersion": "1.1.19",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
 "created": "2020-04-14T00:00:00Z",
diff --git a/Packs/AWS-Lambda/ReleaseNotes/1_2_30.md b/Packs/AWS-Lambda/ReleaseNotes/1_2_30.md
new file mode 100644
index 000000000000..1741035308c2
--- /dev/null
+++ b/Packs/AWS-Lambda/ReleaseNotes/1_2_30.md
@@ -0,0 +1,4 @@
+
+#### Integrations
+##### AWS - Lambda
+- Fixed an issue where the **region** argument was not being taken into account in some commands.
diff --git a/Packs/AWS-Lambda/ReleaseNotes/1_2_31.md b/Packs/AWS-Lambda/ReleaseNotes/1_2_31.md
new file mode 100644
index 000000000000..5cec64f0cafe
--- /dev/null
+++ b/Packs/AWS-Lambda/ReleaseNotes/1_2_31.md
@@ -0,0 +1,4 @@
+
+#### Integrations
+##### AWS - Lambda
+- Fixed a typo in **AWSApiModule**.
diff --git a/Packs/AWS-Lambda/pack_metadata.json b/Packs/AWS-Lambda/pack_metadata.json
index 0b575f833f7e..ff669e22f08b 100644
--- a/Packs/AWS-Lambda/pack_metadata.json
+++ b/Packs/AWS-Lambda/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "AWS - Lambda",
 "description": "Amazon Web Services Serverless Compute service (lambda)",
 "support": "xsoar",
- "currentVersion": "1.2.29",
+ "currentVersion": "1.2.31",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
diff --git a/Packs/AWS-S3/ReleaseNotes/1_2_11.md b/Packs/AWS-S3/ReleaseNotes/1_2_11.md
new file mode 100644
index 000000000000..069ec9fff4cb
--- /dev/null
+++ b/Packs/AWS-S3/ReleaseNotes/1_2_11.md
@@ -0,0 +1,4 @@
+
+#### Integrations
+##### AWS - S3
+- Fixed an issue where the **region** argument was not being taken into account in some commands.
diff --git a/Packs/AWS-S3/ReleaseNotes/1_2_12.md b/Packs/AWS-S3/ReleaseNotes/1_2_12.md
new file mode 100644
index 000000000000..912fbf49e695
--- /dev/null
+++ b/Packs/AWS-S3/ReleaseNotes/1_2_12.md
@@ -0,0 +1,4 @@
+
+#### Integrations
+##### AWS - S3
+- Fixed a typo in **AWSApiModule**.
diff --git a/Packs/AWS-S3/pack_metadata.json b/Packs/AWS-S3/pack_metadata.json
index be800c14f096..ae4898079420 100644
--- a/Packs/AWS-S3/pack_metadata.json
+++ b/Packs/AWS-S3/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "AWS - S3",
 "description": "Amazon Web Services Simple Storage Service (S3)",
 "support": "xsoar",
- "currentVersion": "1.2.10",
+ "currentVersion": "1.2.12",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
diff --git a/Packs/AWS-SNS/ReleaseNotes/1_0_3.md b/Packs/AWS-SNS/ReleaseNotes/1_0_3.md
new file mode 100644
index 000000000000..d255423ddc58
--- /dev/null
+++ b/Packs/AWS-SNS/ReleaseNotes/1_0_3.md
@@ -0,0 +1,4 @@
+
+#### Integrations
+##### AWS - SNS
+- Fixed an issue where the **region** argument was not being taken into account in some commands.
diff --git a/Packs/AWS-SNS/ReleaseNotes/1_0_4.md b/Packs/AWS-SNS/ReleaseNotes/1_0_4.md
new file mode 100644
index 000000000000..f9bdf06d7ed3
--- /dev/null
+++ b/Packs/AWS-SNS/ReleaseNotes/1_0_4.md
@@ -0,0 +1,4 @@
+
+#### Integrations
+##### AWS - SNS
+- Fixed a typo in **AWSApiModule**.
diff --git a/Packs/AWS-SNS/pack_metadata.json b/Packs/AWS-SNS/pack_metadata.json
index b40c92aa36c9..1842bb3d407a 100644
--- a/Packs/AWS-SNS/pack_metadata.json
+++ b/Packs/AWS-SNS/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "AWS - SNS",
 "description": "This is the integration content pack which can create or delete topic/subscription on AWS Simple Notification System and send the message via SNS as well.",
 "support": "community",
- "currentVersion": "1.0.2",
+ "currentVersion": "1.0.4",
 "author": "Jie Liau",
 "url": "",
 "email": "",
diff --git a/Packs/AWS-SQS/ReleaseNotes/1_2_18.md b/Packs/AWS-SQS/ReleaseNotes/1_2_18.md
new file mode 100644
index 000000000000..9d8495ef73bf
--- /dev/null
+++ b/Packs/AWS-SQS/ReleaseNotes/1_2_18.md
@@ -0,0 +1,4 @@
+
+#### Integrations
+##### AWS - SQS
+- Fixed an issue where the **region** argument was not being taken into account in some commands.
diff --git a/Packs/AWS-SQS/ReleaseNotes/1_2_19.md b/Packs/AWS-SQS/ReleaseNotes/1_2_19.md
new file mode 100644
index 000000000000..165d55722488
--- /dev/null
+++ b/Packs/AWS-SQS/ReleaseNotes/1_2_19.md
@@ -0,0 +1,4 @@
+
+#### Integrations
+##### AWS - SQS
+- Fixed a typo in **AWSApiModule**.
diff --git a/Packs/AWS-SQS/pack_metadata.json b/Packs/AWS-SQS/pack_metadata.json
index 92845f6992ae..18d1565817b4 100644
--- a/Packs/AWS-SQS/pack_metadata.json
+++ b/Packs/AWS-SQS/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "AWS - SQS",
 "description": "Amazon Web Services Simple Queuing Service (SQS)",
 "support": "xsoar",
- "currentVersion": "1.2.17",
+ "currentVersion": "1.2.19",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
@@ -10,9 +10,7 @@
 "categories": [
 "Cloud Services"
 ],
- "tags": [
- "marketplacev2:Data Source"
- ],
+ "tags": [],
 "useCases": [],
 "keywords": [],
 "marketplaces": [
diff --git a/Packs/AWS-SecurityHub/ReleaseNotes/1_1_28.md b/Packs/AWS-SecurityHub/ReleaseNotes/1_1_28.md
new file mode 100644
index 000000000000..e0cc64b6f9ab
--- /dev/null
+++ b/Packs/AWS-SecurityHub/ReleaseNotes/1_1_28.md
@@ -0,0 +1,4 @@
+
+#### Integrations
+##### AWS - Security Hub
+- Fixed an issue where the **region** argument was not being taken into account in some commands.
diff --git a/Packs/AWS-SecurityHub/ReleaseNotes/1_1_29.md b/Packs/AWS-SecurityHub/ReleaseNotes/1_1_29.md
new file mode 100644
index 000000000000..cbe25ac0bd9d
--- /dev/null
+++ b/Packs/AWS-SecurityHub/ReleaseNotes/1_1_29.md
@@ -0,0 +1,4 @@
+
+#### Integrations
+##### AWS - Security Hub
+- Fixed a typo in **AWSApiModule**.
diff --git a/Packs/AWS-SecurityHub/pack_metadata.json b/Packs/AWS-SecurityHub/pack_metadata.json
index 01368e9688c8..d3a2d29564e4 100644
--- a/Packs/AWS-SecurityHub/pack_metadata.json
+++ b/Packs/AWS-SecurityHub/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "AWS - Security Hub",
 "description": "Amazon Web Services Security Hub Service .",
 "support": "xsoar",
- "currentVersion": "1.1.27",
+ "currentVersion": "1.1.29",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
@@ -10,9 +10,7 @@
 "categories": [
 "Cloud Services"
 ],
- "tags": [
- "marketplacev2:Data Source"
- ],
+ "tags": [],
 "useCases": [],
 "keywords": [],
 "marketplaces": [
diff --git a/Packs/AWS_DynamoDB/Integrations/AWS_DynamoDB/AWS_DynamoDB.yml b/Packs/AWS_DynamoDB/Integrations/AWS_DynamoDB/AWS_DynamoDB.yml
index 98b352fb8f0f..32aa79a8b953 100644
--- a/Packs/AWS_DynamoDB/Integrations/AWS_DynamoDB/AWS_DynamoDB.yml
+++ b/Packs/AWS_DynamoDB/Integrations/AWS_DynamoDB/AWS_DynamoDB.yml
@@ -6236,7 +6236,7 @@ script:
 for items in the table.
 - contextPath: AWS-DynamoDB.TimeToLiveSpecification
 description: Represents the output of an UpdateTimeToLive operation.
- dockerimage: demisto/boto3py3:1.0.0.41082
+ dockerimage: demisto/boto3py3:1.0.0.41926
 runonce: false
 script: ''
 subtype: python3
diff --git a/Packs/AWS_DynamoDB/ReleaseNotes/1_0_31.md b/Packs/AWS_DynamoDB/ReleaseNotes/1_0_31.md
new file mode 100644
index 000000000000..d40204950569
--- /dev/null
+++ b/Packs/AWS_DynamoDB/ReleaseNotes/1_0_31.md
@@ -0,0 +1,3 @@
+#### Integrations
+##### Amazon DynamoDB
+- Updated the Docker image to: *demisto/boto3py3:1.0.0.41926*.
diff --git a/Packs/AWS_DynamoDB/pack_metadata.json b/Packs/AWS_DynamoDB/pack_metadata.json
index c45c987d1d47..3eeacd1d9d23 100644
--- a/Packs/AWS_DynamoDB/pack_metadata.json
+++ b/Packs/AWS_DynamoDB/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Amazon DynamoDB",
 "description": "Amazon DynamoDB Amazon DynamoDB is a fully managed NoSQL database service that provides fast and predictable performance with seamless scalability. DynamoDB lets you offload the administrative burdens of operating and scaling a distributed database, so that you don't have to worry about hardware provisioning, setup and configuration, replication, software patching, or cluster scaling. With DynamoDB, you can create database tables that can store and retrieve any amount of data, and serve any level of request traffic. You can scale up or scale down your tables' throughput capacity without downtime or performance degradation, and use the AWS Management Console to monitor resource utilization and performance metrics. DynamoDB automatically spreads the data and traffic for your tables over a sufficient number of servers to handle your throughput and storage requirements, while maintaining consistent and fast performance. All of your data is stored on solid state disks (SSDs) and automatically replicated across multiple Availability Zones in an AWS region, providing built-in high availability and data durability. ",
 "support": "xsoar",
- "currentVersion": "1.0.30",
+ "currentVersion": "1.0.31",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
diff --git a/Packs/AbnormalSecurity/Integrations/AbnormalSecurity/AbnormalSecurity.py b/Packs/AbnormalSecurity/Integrations/AbnormalSecurity/AbnormalSecurity.py
index 1671e058f924..124713bf4da8 100644
--- a/Packs/AbnormalSecurity/Integrations/AbnormalSecurity/AbnormalSecurity.py
+++ b/Packs/AbnormalSecurity/Integrations/AbnormalSecurity/AbnormalSecurity.py
@@ -1,9 +1,9 @@
 import demistomock as demisto
 from CommonServerPython import *
-import requests
+import urllib3
-requests.packages.urllib3.disable_warnings()
+urllib3.disable_warnings()
 class Client(BaseClient):
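Review bot: The new `urllib3.disable_warnings()` line is called with no category, so it silences every urllib3 `HTTPWarning` subclass for the whole process rather than only the `InsecureRequestWarning` this call is presumably meant for; `urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)` keeps the other categories (for example `DependencyWarning`) visible while still quieting the certificate-verification noise. The hunk also drops `import requests`; if code further down still references `requests` (exception classes, `requests.Response`), it now depends on that name leaking through `from CommonServerPython import *`, which is not visible here and is worth confirming before merging. `Client` and the rest of the module lie outside the hunk.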
diff --git a/Packs/AbnormalSecurity/Integrations/AbnormalSecurity/AbnormalSecurity.yml b/Packs/AbnormalSecurity/Integrations/AbnormalSecurity/AbnormalSecurity.yml
index 50ee7c9f8957..22ffd1bcf28c 100644
--- a/Packs/AbnormalSecurity/Integrations/AbnormalSecurity/AbnormalSecurity.yml
+++ b/Packs/AbnormalSecurity/Integrations/AbnormalSecurity/AbnormalSecurity.yml
@@ -576,7 +576,7 @@ script:
 required: false
 description: Get the latest threat intel feed.
 name: abnormal-security-get-latest-threat-intel-feed
- dockerimage: demisto/python3:3.10.5.31928
+ dockerimage: demisto/python3:3.10.9.40422
 isfetch: false
 script: ''
 subtype: python3
diff --git a/Packs/AbnormalSecurity/Integrations/AbnormalSecurityEventCollector/AbnormalSecurityEventCollector.yml b/Packs/AbnormalSecurity/Integrations/AbnormalSecurityEventCollector/AbnormalSecurityEventCollector.yml
index 0b3588b142a9..14a791e2ecf0 100644
--- a/Packs/AbnormalSecurity/Integrations/AbnormalSecurityEventCollector/AbnormalSecurityEventCollector.yml
+++ b/Packs/AbnormalSecurity/Integrations/AbnormalSecurityEventCollector/AbnormalSecurityEventCollector.yml
@@ -41,7 +41,7 @@ script:
 - 'True'
 - 'False'
 required: true
- dockerimage: demisto/python3:3.10.7.33922
+ dockerimage: demisto/python3:3.10.9.40422
 feed: false
 isfetch: false
 longRunning: false
diff --git a/Packs/AbnormalSecurity/ReleaseNotes/2_0_3.md b/Packs/AbnormalSecurity/ReleaseNotes/2_0_3.md
new file mode 100644
index 000000000000..3dd931793022
--- /dev/null
+++ b/Packs/AbnormalSecurity/ReleaseNotes/2_0_3.md
@@ -0,0 +1,3 @@
+#### Integrations
+##### Abnormal Security
+- Updated the Docker image to: *demisto/python3:3.10.9.40422*.
diff --git a/Packs/AbnormalSecurity/ReleaseNotes/2_0_4.md b/Packs/AbnormalSecurity/ReleaseNotes/2_0_4.md
new file mode 100644
index 000000000000..8c44b1bcb5ff
--- /dev/null
+++ b/Packs/AbnormalSecurity/ReleaseNotes/2_0_4.md
@@ -0,0 +1,3 @@
+#### Integrations
+##### Abnormal Security Event Collector
+- Updated the Docker image to: *demisto/python3:3.10.9.40422*.
diff --git a/Packs/AbnormalSecurity/pack_metadata.json b/Packs/AbnormalSecurity/pack_metadata.json
index 1f1f7fb3d740..2cd2ed7fb9f2 100644
--- a/Packs/AbnormalSecurity/pack_metadata.json
+++ b/Packs/AbnormalSecurity/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Abnormal Security",
 "description": "Abnormal Security detects and protects against the whole spectrum of email attacks",
 "support": "partner",
- "currentVersion": "2.0.2",
+ "currentVersion": "2.0.4",
 "author": "Abnormal Security",
 "url": "",
 "email": "support@abnormalsecurity.com",
diff --git a/Packs/Absolute/Integrations/Absolute/Absolute.yml b/Packs/Absolute/Integrations/Absolute/Absolute.yml
index 041375e6c654..cec1ddcc11a7 100644
--- a/Packs/Absolute/Integrations/Absolute/Absolute.yml
+++ b/Packs/Absolute/Integrations/Absolute/Absolute.yml
@@ -922,7 +922,7 @@ script:
 script: '-'
 type: python
 subtype: python3
- dockerimage: demisto/python3:3.10.8.39276
+ dockerimage: demisto/python3:3.10.9.42476
 fromversion: 6.0.0
 tests:
 - Absolute_TestPlaybook
diff --git a/Packs/Absolute/ReleaseNotes/1_0_12.md b/Packs/Absolute/ReleaseNotes/1_0_12.md
new file mode 100644
index 000000000000..c7a4c7ae71ec
--- /dev/null
+++ b/Packs/Absolute/ReleaseNotes/1_0_12.md
@@ -0,0 +1,3 @@
+#### Integrations
+##### Absolute
+- Updated the Docker image to: *demisto/python3:3.10.9.40422*.
diff --git a/Packs/Absolute/ReleaseNotes/1_0_13.md b/Packs/Absolute/ReleaseNotes/1_0_13.md
new file mode 100644
index 000000000000..08c0aa1fc7aa
--- /dev/null
+++ b/Packs/Absolute/ReleaseNotes/1_0_13.md
@@ -0,0 +1,3 @@
+#### Integrations
+##### Absolute
+- Updated the Docker image to: *demisto/python3:3.10.9.42476*.
diff --git a/Packs/Absolute/pack_metadata.json b/Packs/Absolute/pack_metadata.json
index fbe788057caa..009f3e2ce029 100644
--- a/Packs/Absolute/pack_metadata.json
+++ b/Packs/Absolute/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Absolute",
 "description": "Absolute is an adaptive endpoint security solution that delivers device security, data security and asset management of endpoints",
 "support": "xsoar",
- "currentVersion": "1.0.11",
+ "currentVersion": "1.0.13",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
diff --git a/Packs/AbuseDB/Integrations/AbuseDB/AbuseDB.py b/Packs/AbuseDB/Integrations/AbuseDB/AbuseDB.py
index 148e6cd8f345..028bb197a3a5 100644
--- a/Packs/AbuseDB/Integrations/AbuseDB/AbuseDB.py
+++ b/Packs/AbuseDB/Integrations/AbuseDB/AbuseDB.py
@@ -4,11 +4,11 @@ ''' IMPORTS '''
 import csv
 import os
-
+import urllib3
 import requests
 # disable insecure warnings
-requests.packages.urllib3.disable_warnings()
+urllib3.disable_warnings()
 ''' GLOBALS '''
 VERBOSE = True
diff --git a/Packs/AbuseDB/Integrations/AbuseDB/AbuseDB.yml b/Packs/AbuseDB/Integrations/AbuseDB/AbuseDB.yml
index 2401bb80f4d4..4b973c82d803 100644
--- a/Packs/AbuseDB/Integrations/AbuseDB/AbuseDB.yml
+++ b/Packs/AbuseDB/Integrations/AbuseDB/AbuseDB.yml
@@ -257,7 +257,7 @@ script:
 script: ''
 subtype: python3
 type: python
- dockerimage: demisto/python3:3.10.7.33922
+ dockerimage: demisto/python3:3.10.9.40422
 fromversion: 5.0.0
 tests:
 - AbuseIPDB Test
diff --git a/Packs/AbuseDB/ReleaseNotes/1_0_16.md b/Packs/AbuseDB/ReleaseNotes/1_0_16.md
new file mode 100644
index 000000000000..3e3e99726ead
--- /dev/null
+++ b/Packs/AbuseDB/ReleaseNotes/1_0_16.md
@@ -0,0 +1,3 @@
+#### Integrations
+##### AbuseIPDB
+- Updated the Docker image to: *demisto/python3:3.10.9.40422*.
diff --git a/Packs/AbuseDB/pack_metadata.json b/Packs/AbuseDB/pack_metadata.json
index 65bbf5c9691b..afcd5d5c25a8 100644
--- a/Packs/AbuseDB/pack_metadata.json
+++ b/Packs/AbuseDB/pack_metadata.json
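Review bot: The `# disable insecure warnings` comment kept above the new `urllib3.disable_warnings()` call promises a narrower effect than the code has: with no argument the call suppresses the whole `urllib3.exceptions.HTTPWarning` hierarchy, so any other urllib3 warning raised by this integration disappears as well. Matching the comment with `urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)` limits the suppression to the certificate-verification warning. `import requests` is kept as context here, so the explicit `import urllib3` is purely additive; everything after `VERBOSE = True` is outside the hunk.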
@@ -2,7 +2,7 @@
 "name": "AbuseIPDB",
 "description": "Central repository to report and identify IP addresses that have been associated with malicious activity online. Check the Detailed Information section for more information on how to configure the integration.",
 "support": "xsoar",
- "currentVersion": "1.0.15",
+ "currentVersion": "1.0.16",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
diff --git a/Packs/AcalvioShadowplex/Integrations/acalvioapp/acalvioapp.py b/Packs/AcalvioShadowplex/Integrations/acalvioapp/acalvioapp.py
index 0ad767f528fe..050e13272980 100644
--- a/Packs/AcalvioShadowplex/Integrations/acalvioapp/acalvioapp.py
+++ b/Packs/AcalvioShadowplex/Integrations/acalvioapp/acalvioapp.py
@@ -1,8 +1,9 @@
 import demistomock as demisto # noqa: F401
 from CommonServerPython import * # noqa: F401
+import urllib3
 # Disable insecure warnings
-requests.packages.urllib3.disable_warnings()
+urllib3.disable_warnings()
 ''' CONSTANTS '''
 OK_HTTP_CODES = (200, 201)
diff --git a/Packs/AcalvioShadowplex/Integrations/acalvioapp/acalvioapp.yml b/Packs/AcalvioShadowplex/Integrations/acalvioapp/acalvioapp.yml
index 94beba35a938..4a160260aa04 100644
--- a/Packs/AcalvioShadowplex/Integrations/acalvioapp/acalvioapp.yml
+++ b/Packs/AcalvioShadowplex/Integrations/acalvioapp/acalvioapp.yml
@@ -192,7 +192,7 @@ script:
 - contextPath: Acalvio.UnmuteDeceptionEndpoint.DateTime
 description: Date including Time
 type: String
- dockerimage: demisto/python3:3.10.5.31928
+ dockerimage: demisto/python3:3.10.9.40422
 feed: false
 isfetch: false
 longRunning: false
diff --git a/Packs/AcalvioShadowplex/ReleaseNotes/1_0_8.md b/Packs/AcalvioShadowplex/ReleaseNotes/1_0_8.md
new file mode 100644
index 000000000000..f9b9988983c8
--- /dev/null
+++ b/Packs/AcalvioShadowplex/ReleaseNotes/1_0_8.md
@@ -0,0 +1,3 @@
+#### Integrations
+##### Acalvio ShadowPlex
+- Updated the Docker image to: *demisto/python3:3.10.9.40422*.
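Review bot: The new `urllib3.disable_warnings()` runs unconditionally at import time and, lacking a category argument, mutes all `HTTPWarning` subclasses rather than the single `InsecureRequestWarning` that the `# Disable insecure warnings` comment above it describes; `urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)` is the form that matches the comment and leaves other urllib3 diagnostics intact. Before this change the module used `requests.packages...` without ever importing `requests`, so the added explicit `import urllib3` also removes a reliance on the wildcard import, which is an improvement. The rest of the module, starting after `OK_HTTP_CODES`, is outside the hunk.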
diff --git a/Packs/AcalvioShadowplex/pack_metadata.json b/Packs/AcalvioShadowplex/pack_metadata.json
index 5513adc19684..48b36189e168 100644
--- a/Packs/AcalvioShadowplex/pack_metadata.json
+++ b/Packs/AcalvioShadowplex/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Acalvio ShadowPlex",
 "description": "Acalvio ShadowPlex Autonomous Deception Solution",
 "support": "partner",
- "currentVersion": "1.0.7",
+ "currentVersion": "1.0.8",
 "author": "Acalvio Technologies",
 "url": "https://www.acalvio.com",
 "email": "support@acalvio.com",
diff --git a/Packs/AccentureCTI/Integrations/ACTIIndicatorQuery/ACTIIndicatorQuery.yml b/Packs/AccentureCTI/Integrations/ACTIIndicatorQuery/ACTIIndicatorQuery.yml
index 11ec81040be5..3f95b6ed2340 100644
--- a/Packs/AccentureCTI/Integrations/ACTIIndicatorQuery/ACTIIndicatorQuery.yml
+++ b/Packs/AccentureCTI/Integrations/ACTIIndicatorQuery/ACTIIndicatorQuery.yml
@@ -404,7 +404,7 @@ script:
 description: The actual score.
 type: String
- dockerimage: demisto/python3:3.10.8.39276
+ dockerimage: demisto/python3:3.10.9.40422
 feed: false
 isfetch: false
 longRunning: false
diff --git a/Packs/AccentureCTI/Integrations/ACTIVulnerabilityQuery/ACTIVulnerabilityQuery.py b/Packs/AccentureCTI/Integrations/ACTIVulnerabilityQuery/ACTIVulnerabilityQuery.py
index 1f88389cd5f7..74f59c384f23 100644
--- a/Packs/AccentureCTI/Integrations/ACTIVulnerabilityQuery/ACTIVulnerabilityQuery.py
+++ b/Packs/AccentureCTI/Integrations/ACTIVulnerabilityQuery/ACTIVulnerabilityQuery.py
@@ -1,11 +1,11 @@
 import demistomock as demisto
 from CommonServerPython import * # noqa # pylint: disable=unused-wildcard-import
-import requests
+import urllib3
 import traceback
 from typing import List
 # Disable insecure warnings
-requests.packages.urllib3.disable_warnings() # pylint: disable=no-member
+urllib3.disable_warnings() # pylint: disable=no-member
 ''' CONSTANTS '''
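Review bot: The `# pylint: disable=no-member` pragma carried over onto the new `urllib3.disable_warnings()` line looks dead now: it presumably existed because pylint could not resolve the `requests.packages.urllib3` attribute chain, whereas `disable_warnings` is a real attribute of the directly imported `urllib3` module. Drop the pragma and, while touching the line, consider `urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)` so only the certificate-verification warning named by the `# Disable insecure warnings` comment is suppressed instead of every `HTTPWarning` subclass. With `import requests` removed, any `requests` reference further down the module would rely on the wildcard import from `CommonServerPython`; that code is outside the hunk.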
diff --git a/Packs/AccentureCTI/Integrations/ACTIVulnerabilityQuery/ACTIVulnerabilityQuery.yml b/Packs/AccentureCTI/Integrations/ACTIVulnerabilityQuery/ACTIVulnerabilityQuery.yml
index 7aacd055ec0e..e6357134101f 100644
--- a/Packs/AccentureCTI/Integrations/ACTIVulnerabilityQuery/ACTIVulnerabilityQuery.yml
+++ b/Packs/AccentureCTI/Integrations/ACTIVulnerabilityQuery/ACTIVulnerabilityQuery.yml
@@ -88,7 +88,7 @@ script:
 script: '-'
 type: python
 subtype: python3
- dockerimage: demisto/python3:3.10.5.31928
+ dockerimage: demisto/python3:3.10.9.40422
 feed: false
 longRunning: false
 longRunningPort: false
diff --git a/Packs/AccentureCTI/Playbooks/playbook-ACTI_Create_Report-Indicator_Associations_README.md b/Packs/AccentureCTI/Playbooks/playbook-ACTI_Create_Report-Indicator_Associations_README.md
index dc692b97bcd7..d5a64492e32e 100644
--- a/Packs/AccentureCTI/Playbooks/playbook-ACTI_Create_Report-Indicator_Associations_README.md
+++ b/Packs/AccentureCTI/Playbooks/playbook-ACTI_Create_Report-Indicator_Associations_README.md
@@ -25,14 +25,14 @@ This playbook does not use any commands.
 | **Name** | **Description** | **Default Value** | **Required** |
 | --- | --- | --- | --- |
 | IP | The extracted IP address. | ${IP.Address} | Optional |
-| IA | The Intelligence Alert associated with the indicator. | ${intelligence_alerts}.None | Optional |
-| IR | The Intelligence Report associated with the indicator. | ${intelligence_reports}.None | Optional |
+| IA | The Intelligence Alert associated with the indicator. | ${intelligence_alerts} | Optional |
+| IR | The Intelligence Report associated with the indicator. | ${intelligence_reports} | Optional |
 | URL | The extracted URL. | ${URL.Data} | Optional |
 | Domain | The extracted Domain. | ${Domain.Name} | Optional |
-| MFam | The Malware Family associated with the indicator. | acti_malware_family_uuid.None | Optional |
-| TA | The Threat Actor associated with the indicator. | acti_threat_actors_uuid.None | Optional |
-| TG | The Threat Group associated with the indicator. | acti_threat_groups_uuid.None | Optional |
-| TC | The Threat Campaign associated with the indicator. | acti_threat_campaigns_uuid.None | Optional |
+| MFam | The Malware Family associated with the indicator. | acti_malware_family_uuid | Optional |
+| TA | The Threat Actor associated with the indicator. | acti_threat_actors_uuid | Optional |
+| TG | The Threat Group associated with the indicator. | acti_threat_groups_uuid | Optional |
+| TC | The Threat Campaign associated with the indicator. | acti_threat_campaigns_uuid | Optional |
 ## Playbook Outputs
 ---
diff --git a/Packs/AccentureCTI/Playbooks/playbook-ACTI_Incident_Enrichment_README.md b/Packs/AccentureCTI/Playbooks/playbook-ACTI_Incident_Enrichment_README.md
index 035145726d3f..1473a5b987bb 100644
--- a/Packs/AccentureCTI/Playbooks/playbook-ACTI_Incident_Enrichment_README.md
+++ b/Packs/AccentureCTI/Playbooks/playbook-ACTI_Incident_Enrichment_README.md
@@ -21,12 +21,12 @@ This playbook does not use any scripts.
 | **Name** | **Description** | **Default Value** | **Required** |
 | --- | --- | --- | --- |
-| ia_uuid | Intelligence Alert unique ID. | ${intelligence_alerts}.None | Optional |
-| ir_uuid | Intelligence Report unique ID. | ${intelligence_reports}.None | Optional |
-| MalwareFamily_uuid | Malware Family unique ID. | ${acti_malware_family_uuid}.None | Optional |
-| ThreatGroup_uuid | Threat Group unique ID. | ${acti_threat_groups_uuid}.None | Optional |
-| ThreatCampaign_uuid | Threat Campaign unique ID. | ${acti_threat_campaigns_uuid}.None | Optional |
-| ThreatActor_uuid | Threat Actor unique ID. | ${acti_threat_actors_uuid}.None | Optional |
+| ia_uuid | Intelligence Alert unique ID. | ${intelligence_alerts} | Optional |
+| ir_uuid | Intelligence Report unique ID. | ${intelligence_reports} | Optional |
+| MalwareFamily_uuid | Malware Family unique ID. | ${acti_malware_family_uuid} | Optional |
+| ThreatGroup_uuid | Threat Group unique ID. | ${acti_threat_groups_uuid} | Optional |
+| ThreatCampaign_uuid | Threat Campaign unique ID. | ${acti_threat_campaigns_uuid} | Optional |
+| ThreatActor_uuid | Threat Actor unique ID. | ${acti_threat_actors_uuid} | Optional |
 ## Playbook Image
 ---
diff --git a/Packs/AccentureCTI/Playbooks/playbook-ACTI_Report_Enrichment_README.md b/Packs/AccentureCTI/Playbooks/playbook-ACTI_Report_Enrichment_README.md
index 097e017cae30..d89e30934009 100644
--- a/Packs/AccentureCTI/Playbooks/playbook-ACTI_Report_Enrichment_README.md
+++ b/Packs/AccentureCTI/Playbooks/playbook-ACTI_Report_Enrichment_README.md
@@ -22,8 +22,8 @@ This playbook does not use any scripts.
 | **Name** | **Description** | **Default Value** | **Required** |
 | --- | --- | --- | --- |
-| ia_uuid | The Intelligence Alert uuid. | ${intelligence_alerts}.None | Optional |
-| ir_uuid | The Intelligence Report uuid. | ${intelligence_reports}.None | Optional |
+| ia_uuid | The Intelligence Alert uuid. | ${intelligence_alerts} | Optional |
+| ir_uuid | The Intelligence Report uuid. | ${intelligence_reports} | Optional |
 | Domain | The extarcted Domain. | ${Domain} | Optional |
 | IP | The extracted IP. | ${IP} | Optional |
 | URL | The extracted URL. | ${URL} | Optional |
diff --git a/Packs/AccentureCTI/ReleaseNotes/2_2_3.md b/Packs/AccentureCTI/ReleaseNotes/2_2_3.md
new file mode 100644
index 000000000000..2360a65cc2f6
--- /dev/null
+++ b/Packs/AccentureCTI/ReleaseNotes/2_2_3.md
@@ -0,0 +1,5 @@
+#### Integrations
+##### ACTI Indicator Query
+- Updated the Docker image to: *demisto/python3:3.10.9.40422*.
+##### ACTI Vulnerability Query
+- Updated the Docker image to: *demisto/python3:3.10.9.40422*.
diff --git a/Packs/AccentureCTI/pack_metadata.json b/Packs/AccentureCTI/pack_metadata.json
index 0e00ff6a5e95..056e9c80c6c5 100644
--- a/Packs/AccentureCTI/pack_metadata.json
+++ b/Packs/AccentureCTI/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Accenture CTI v2",
 "description": "Accenture CTI provides intelligence regarding security threats and vulnerabilities.",
 "support": "partner",
- "currentVersion": "2.2.2",
+ "currentVersion": "2.2.3",
 "author": "Accenture",
 "url": "https://www.accenture.com/us-en/services/security/cyber-defense",
 "email": "CTI.AcctManagement@accenture.com",
diff --git a/Packs/AccentureCTI_Feed/Integrations/ACTIIndicatorFeed/ACTIIndicatorFeed.yml b/Packs/AccentureCTI_Feed/Integrations/ACTIIndicatorFeed/ACTIIndicatorFeed.yml
index e4c9dd147e06..2d14bbd8acc0 100644
--- a/Packs/AccentureCTI_Feed/Integrations/ACTIIndicatorFeed/ACTIIndicatorFeed.yml
+++ b/Packs/AccentureCTI_Feed/Integrations/ACTIIndicatorFeed/ACTIIndicatorFeed.yml
@@ -176,7 +176,7 @@ script:
 description: Gets the feed indicators.
 execution: false
 name: acti-get-indicators
- dockerimage: demisto/jmespath:1.0.0.23980
+ dockerimage: demisto/py3-tools:1.0.0.41100
 feed: true
 isfetch: false
 longRunning: false
diff --git a/Packs/AccentureCTI_Feed/ReleaseNotes/1_1_2.md b/Packs/AccentureCTI_Feed/ReleaseNotes/1_1_2.md
new file mode 100644
index 000000000000..a6427a18c6f7
--- /dev/null
+++ b/Packs/AccentureCTI_Feed/ReleaseNotes/1_1_2.md
@@ -0,0 +1,3 @@
+#### Integrations
+##### ACTI Indicator Feed
+- Updated the Docker image to: *demisto/py3-tools:1.0.0.41100*.
diff --git a/Packs/AccentureCTI_Feed/ReleaseNotes/1_1_3.md b/Packs/AccentureCTI_Feed/ReleaseNotes/1_1_3.md
new file mode 100644
index 000000000000..e95c8078d065
--- /dev/null
+++ b/Packs/AccentureCTI_Feed/ReleaseNotes/1_1_3.md
@@ -0,0 +1,4 @@
+
+#### Integrations
+##### ACTI Indicator Feed
+Fixed an issue where an indicator did not have a tag.
diff --git a/Packs/AccentureCTI_Feed/pack_metadata.json b/Packs/AccentureCTI_Feed/pack_metadata.json
index e0ce678dd5a2..6d99571625fc 100644
--- a/Packs/AccentureCTI_Feed/pack_metadata.json
+++ b/Packs/AccentureCTI_Feed/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Accenture CTI Feed",
 "description": "Accenture Cyber Threat Intelligence Feed",
 "support": "partner",
- "currentVersion": "1.1.1",
+ "currentVersion": "1.1.3",
 "author": "Accenture",
 "url": "https://www.accenture.com/us-en/services/security/cyber-defense",
 "email": "CTI.AcctManagement@accenture.com",
diff --git a/Packs/ActiveMQ/Integrations/ActiveMQ/ActiveMQ.yml b/Packs/ActiveMQ/Integrations/ActiveMQ/ActiveMQ.yml
index 84e87c5fbabd..3a21bcbf57c3 100644
--- a/Packs/ActiveMQ/Integrations/ActiveMQ/ActiveMQ.yml
+++ b/Packs/ActiveMQ/Integrations/ActiveMQ/ActiveMQ.yml
@@ -106,7 +106,7 @@ script:
 description: Subscribes to and reads messages from a topic or queue. Must provide either queue-name or topic-name. You can't provide both.
 execution: false
 name: activemq-subscribe
- dockerimage: demisto/py3-tools:1.0.0.40800
+ dockerimage: demisto/py3-tools:1.0.0.41748
 feed: false
 isfetch: true
 longRunning: false
diff --git a/Packs/ActiveMQ/ReleaseNotes/1_1_11.md b/Packs/ActiveMQ/ReleaseNotes/1_1_11.md
new file mode 100644
index 000000000000..7b5753c5a20b
--- /dev/null
+++ b/Packs/ActiveMQ/ReleaseNotes/1_1_11.md
@@ -0,0 +1,3 @@
+#### Integrations
+##### ActiveMQ
+- Updated the Docker image to: *demisto/py3-tools:1.0.0.41748*.
diff --git a/Packs/ActiveMQ/pack_metadata.json b/Packs/ActiveMQ/pack_metadata.json
index 067c91201d56..2427e038eb7c 100644
--- a/Packs/ActiveMQ/pack_metadata.json
+++ b/Packs/ActiveMQ/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "ActiveMQ",
 "description": "Uses Durable Topic Subscribers to fetch messages and ingest them as incidents in Demisto.",
 "support": "xsoar",
- "currentVersion": "1.1.10",
+ "currentVersion": "1.1.11",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
diff --git a/Packs/Active_Directory_Query/.pack-ignore b/Packs/Active_Directory_Query/.pack-ignore
index d00b84728824..bb91159cfd65 100644
--- a/Packs/Active_Directory_Query/.pack-ignore
+++ b/Packs/Active_Directory_Query/.pack-ignore
@@ -10,6 +10,10 @@ ignore=BA101
 [file:classifier-User_Profile_-_Active_Directory_(Outgoing).json]
 ignore=BA101
+[file:IAMInitADUser.yml]
+ignore=CJ105
+
 [known_words]
 LDAP
-TLS
\ No newline at end of file
+TLS
+
diff --git a/Packs/Active_Directory_Query/Integrations/Active_Directory_Query/Pipfile.lock b/Packs/Active_Directory_Query/Integrations/Active_Directory_Query/Pipfile.lock
index 9b9989a65503..15e7e5bc6d80 100644
--- a/Packs/Active_Directory_Query/Integrations/Active_Directory_Query/Pipfile.lock
+++ b/Packs/Active_Directory_Query/Integrations/Active_Directory_Query/Pipfile.lock @@ -29,21 +29,11 @@ }, "pyasn1": { "hashes": [ - "sha256:014c0e9976956a08139dc0712ae195324a75e142284d5f87f1a87ee1b068a359", - "sha256:03840c999ba71680a131cfaee6fab142e1ed9bbd9c693e285cc6aca0d555e576", - "sha256:0458773cfe65b153891ac249bcf1b5f8f320b7c2ce462151f8fa74de8934becf", - "sha256:08c3c53b75eaa48d71cf8c710312316392ed40899cb34710d092e96745a358b7", - "sha256:39c7e2ec30515947ff4e87fb6f456dfc6e84857d34be479c9d4a4ba4bf46aa5d", - "sha256:5c9414dcfede6e441f7e8f81b43b34e834731003427e5b09e4e00e3172a10f00", - "sha256:6e7545f1a61025a4e58bb336952c5061697da694db1cae97b116e9c46abcf7c8", - "sha256:78fa6da68ed2727915c4767bb386ab32cdba863caa7dbe473eaae45f9959da86", - "sha256:7ab8a544af125fb704feadb008c99a88805126fb525280b2270bb25cc1d78a12", - "sha256:99fcc3c8d804d1bc6d9a099921e39d827026409a58f2a720dcdb89374ea0c776", - "sha256:aef77c9fb94a3ac588e87841208bdec464471d9871bd5050a287cc9a475cd0ba", - "sha256:e89bf84b5437b532b0803ba5c9a5e054d21fec423a89952a74f87fa2c9b7bce2", - "sha256:fec3e9d8e36808a28efb59b489e4528c10ad0f480e57dcc32b4de5c9d8c9fdf3" - ], - "version": "==0.4.8" + "sha256:760db2dafe04091b000af018c45dff6e3d7a204cd9341b760d72689217a611cc", + "sha256:8fcd953d1e34ef6db82a5296bb5ca3762ce4d17f2241c48ac0de2739b2e8fbf2" + ], + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4, 3.5'", + "version": "==0.5.0rc2" } }, "develop": { 
@@ -57,11 +47,11 @@ }, "attrs": { "hashes": [ - "sha256:50f3c9b216dc9021042f71b392859a773b904ce1a029077f58f6598272432045", - "sha256:8f7335278dedd26b58c38e006338242cc0977f06d51579b2b8b87b9b33bff66c" + "sha256:29e95c7f6778868dbd49170f98f8818f78f3dc5e0e37c0b1f474e3561b240836", + "sha256:c9227bfc2f01993c03f68db37d1d15c9690188323c067c641f1a35ca58185f99" ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", - "version": "==21.3.0" + "markers": "python_version >= '3.6'", + "version": "==22.2.0" }, "flake8": { "hashes": [ 
@@ -80,54 +70,36 @@ }, "isort": { "hashes": [ - "sha256:6f62d78e2f89b4500b080fe3a81690850cd254227f27f75c3a0c491a1f351ba7", - "sha256:e8443a5e7a020e9d7f97f1d7d9cd17c88bcb3bc7e218bf9cf5095fe550be2951" + "sha256:6db30c5ded9815d813932c04c2f85a360bcdd35fed496f4d8f35495ef0a261b6", + "sha256:c033fd0edb91000a7f09527fe5c75321878f98322a77ddcc81adbd83724afb7b" ], - "markers": "python_version < '4.0' and python_full_version >= '3.6.1'", - "version": "==5.10.1" + "markers": "python_version >= '3.7'", + "version": "==5.11.4" }, "lazy-object-proxy": { "hashes": [ - "sha256:043651b6cb706eee4f91854da4a089816a6606c1428fd391573ef8cb642ae4f7", - "sha256:07fa44286cda977bd4803b656ffc1c9b7e3bc7dff7d34263446aec8f8c96f88a", - "sha256:12f3bb77efe1367b2515f8cb4790a11cffae889148ad33adad07b9b55e0ab22c", - "sha256:2052837718516a94940867e16b1bb10edb069ab475c3ad84fd1e1a6dd2c0fcfc", - "sha256:2130db8ed69a48a3440103d4a520b89d8a9405f1b06e2cc81640509e8bf6548f", - "sha256:39b0e26725c5023757fc1ab2a89ef9d7ab23b84f9251e28f9cc114d5b59c1b09", - "sha256:46ff647e76f106bb444b4533bb4153c7370cdf52efc62ccfc1a28bdb3cc95442", - "sha256:4dca6244e4121c74cc20542c2ca39e5c4a5027c81d112bfb893cf0790f96f57e", - "sha256:553b0f0d8dbf21890dd66edd771f9b1b5f51bd912fa5f26de4449bfc5af5e029", - "sha256:677ea950bef409b47e51e733283544ac3d660b709cfce7b187f5ace137960d61", - "sha256:6a24357267aa976abab660b1d47a34aaf07259a0c3859a34e536f1ee6e76b5bb", - "sha256:6a6e94c7b02641d1311228a102607ecd576f70734dc3d5e22610111aeacba8a0", - "sha256:6aff3fe5de0831867092e017cf67e2750c6a1c7d88d84d2481bd84a2e019ec35", - "sha256:6ecbb350991d6434e1388bee761ece3260e5228952b1f0c46ffc800eb313ff42", - "sha256:7096a5e0c1115ec82641afbdd70451a144558ea5cf564a896294e346eb611be1", - "sha256:70ed0c2b380eb6248abdef3cd425fc52f0abd92d2b07ce26359fcbc399f636ad", - "sha256:8561da8b3dd22d696244d6d0d5330618c993a215070f473b699e00cf1f3f6443", - "sha256:85b232e791f2229a4f55840ed54706110c80c0a210d076eee093f2b2e33e1bfd", - 
"sha256:898322f8d078f2654d275124a8dd19b079080ae977033b713f677afcfc88e2b9", - "sha256:8f3953eb575b45480db6568306893f0bd9d8dfeeebd46812aa09ca9579595148", - "sha256:91ba172fc5b03978764d1df5144b4ba4ab13290d7bab7a50f12d8117f8630c38", - "sha256:9d166602b525bf54ac994cf833c385bfcc341b364e3ee71e3bf5a1336e677b55", - "sha256:a57d51ed2997e97f3b8e3500c984db50a554bb5db56c50b5dab1b41339b37e36", - "sha256:b9e89b87c707dd769c4ea91f7a31538888aad05c116a59820f28d59b3ebfe25a", - "sha256:bb8c5fd1684d60a9902c60ebe276da1f2281a318ca16c1d0a96db28f62e9166b", - "sha256:c19814163728941bb871240d45c4c30d33b8a2e85972c44d4e63dd7107faba44", - "sha256:c4ce15276a1a14549d7e81c243b887293904ad2d94ad767f42df91e75fd7b5b6", - "sha256:c7a683c37a8a24f6428c28c561c80d5f4fd316ddcf0c7cab999b15ab3f5c5c69", - "sha256:d609c75b986def706743cdebe5e47553f4a5a1da9c5ff66d76013ef396b5a8a4", - "sha256:d66906d5785da8e0be7360912e99c9188b70f52c422f9fc18223347235691a84", - "sha256:dd7ed7429dbb6c494aa9bc4e09d94b778a3579be699f9d67da7e6804c422d3de", - "sha256:df2631f9d67259dc9620d831384ed7732a198eb434eadf69aea95ad18c587a28", - "sha256:e368b7f7eac182a59ff1f81d5f3802161932a41dc1b1cc45c1f757dc876b5d2c", - "sha256:e40f2013d96d30217a51eeb1db28c9ac41e9d0ee915ef9d00da639c5b63f01a1", - "sha256:f769457a639403073968d118bc70110e7dce294688009f5c24ab78800ae56dc8", - "sha256:fccdf7c2c5821a8cbd0a9440a456f5050492f2270bd54e94360cac663398739b", - "sha256:fd45683c3caddf83abbb1249b653a266e7069a09f486daa8863fb0e7496a9fdb" + "sha256:0c1c7c0433154bb7c54185714c6929acc0ba04ee1b167314a779b9025517eada", + "sha256:14010b49a2f56ec4943b6cf925f597b534ee2fe1f0738c84b3bce0c1a11ff10d", + "sha256:4e2d9f764f1befd8bdc97673261b8bb888764dfdbd7a4d8f55e4fbcabb8c3fb7", + "sha256:4fd031589121ad46e293629b39604031d354043bb5cdf83da4e93c2d7f3389fe", + "sha256:5b51d6f3bfeb289dfd4e95de2ecd464cd51982fe6f00e2be1d0bf94864d58acd", + "sha256:6850e4aeca6d0df35bb06e05c8b934ff7c533734eb51d0ceb2d63696f1e6030c", + "sha256:6f593f26c470a379cf7f5bc6db6b5f1722353e7bf937b8d0d0b3fba911998858", 
+ "sha256:71d9ae8a82203511a6f60ca5a1b9f8ad201cac0fc75038b2dc5fa519589c9288", + "sha256:7e1561626c49cb394268edd00501b289053a652ed762c58e1081224c8d881cec", + "sha256:8f6ce2118a90efa7f62dd38c7dbfffd42f468b180287b748626293bf12ed468f", + "sha256:ae032743794fba4d171b5b67310d69176287b5bf82a21f588282406a79498891", + "sha256:afcaa24e48bb23b3be31e329deb3f1858f1f1df86aea3d70cb5c8578bfe5261c", + "sha256:b70d6e7a332eb0217e7872a73926ad4fdc14f846e85ad6749ad111084e76df25", + "sha256:c219a00245af0f6fa4e95901ed28044544f50152840c5b6a3e7b2568db34d156", + "sha256:ce58b2b3734c73e68f0e30e4e725264d4d6be95818ec0a0be4bb6bf9a7e79aa8", + "sha256:d176f392dbbdaacccf15919c77f526edf11a34aece58b55ab58539807b85436f", + "sha256:e20bfa6db17a39c706d24f82df8352488d2943a3b7ce7d4c22579cb89ca8896e", + "sha256:eac3a9a5ef13b332c059772fd40b4b1c3d45a3a2b05e33a361dee48e54a4dad0", + "sha256:eb329f8d8145379bf5dbe722182410fe8863d186e51bf034d2075eb8d85ee25b" ], - "markers": "python_version >= '3.6'", - "version": "==1.7.1" + "markers": "python_version >= '3.7'", + "version": "==1.8.0" }, "mccabe": { "hashes": [ @@ -138,11 +110,11 @@ }, "packaging": { "hashes": [ - "sha256:dd47c42927d89ab911e606518907cc2d3a1f38bbd026385970643f9c5b8ecfeb", - "sha256:ef103e05f519cdc783ae24ea4e2e0f508a9c99b2d4969652eed6a2e1ea5bd522" + "sha256:2198ec20bd4c017b8f9717e00f0c8714076fc2fd93816750ab48e2c41de2cfd3", + "sha256:957e2148ba0e1a3b282772e791ef1d8083648bc131c8ab0c1feba110ce1146c3" ], - "markers": "python_version >= '3.6'", - "version": "==21.3" + "markers": "python_version >= '3.7'", + "version": "==22.0" }, "pluggy": { "hashes": [ 
@@ -184,14 +156,6 @@ "index": "pypi", "version": "==3.0.0a4" }, - "pyparsing": { - "hashes": [ - "sha256:04ff808a5b90911829c55c4e26f75fa5ca8a2f5f36aa3a51f68e27033341d3e4", - "sha256:d9bdec0013ef1eb5a84ab39a3b3868911598afa494f5faa038647101504e2b81" - ], - "markers": "python_version >= '3.6'", - "version": "==3.0.6" - }, "pytest": { "hashes": [ "sha256:8fc363e0b7407a9397e660ef81e1634e4504faaeb6ad1d2416da4c38d29a0f45", @@ -210,11 +174,11 @@ }, "setuptools": { "hashes": [ - "sha256:a4377723c53721515f72a3dfc1bfacdcd61edfa19a4cccf82e72e4f50d9cecbd", - "sha256:ad0ea3d172404abb14d8f7bd7f54f2ccd4ed9dd00c9da0b1398862e69eb22c03" + "sha256:d0b9a8433464d5800cbe05094acf5c6d52a91bfac9b52bcfc4d41382be5d5d31", + "sha256:e197a19aa8ec9722928f2206f8de752def0e4c9fc6953527360d1c36d94ddb2f" ], - "markers": "python_version >= '3.7'", - "version": "==60.1.0" + "index": "pypi", + "version": "==65.5.1" }, "toml": { "hashes": [ @@ -226,11 +190,11 @@ }, "tomli": { "hashes": [ - "sha256:b5bde28da1fed24b9bd1d4d2b8cba62300bfb4ec9a6187a957e8ddb9434c5224", - "sha256:c292c34f58502a1eb2bbb9f5bbc9a5ebc37bee10ffb8c2d6bbdfa8eb13cc14e1" + "sha256:939de3e7a6161af0c887ef91b7d41a53e7c5a1ca976325f429cb46ea9bc30ecc", + "sha256:de526c12914f0c550d15924c62d72abc48d6fe7364aa87328337a31007fe8a4f" ], "markers": "python_version >= '3.7'", - "version": "==2.0.0" + "version": "==2.0.1" }, "wrapt": { "hashes": [ diff --git a/Packs/Active_Directory_Query/ReleaseNotes/1_6_0.md b/Packs/Active_Directory_Query/ReleaseNotes/1_6_0.md new file mode 100644 index 000000000000..11089e2d198d --- /dev/null +++ b/Packs/Active_Directory_Query/ReleaseNotes/1_6_0.md @@ -0,0 +1,4 @@ + +#### Scripts +##### IAMInitADUser +- Added arguments for configuring the complexity of the generated password. These arguments are applicable when using "GeneratePassword" as the password generation script. 
diff --git a/Packs/Active_Directory_Query/Scripts/IAMInitADUser/IAMInitADUser.py b/Packs/Active_Directory_Query/Scripts/IAMInitADUser/IAMInitADUser.py index dc3f13e04b1b..1e8ee678f30b 100644 --- a/Packs/Active_Directory_Query/Scripts/IAMInitADUser/IAMInitADUser.py +++ b/Packs/Active_Directory_Query/Scripts/IAMInitADUser/IAMInitADUser.py @@ -1,6 +1,8 @@ import demistomock as demisto # noqa: F401 from CommonServerPython import * # noqa: F401 +DEFAULT_PWD_GENERATION_SCRIPT = "GeneratePassword" + def main(): outputs: Dict[str, Any] = {} @@ -15,11 +17,30 @@ def main(): to_email = args.get("to_email") inc_id = args.get("inc_id") email_subject = args.get("email_subject") + min_lcase = args.get("min_lcase", 0) + max_lcase = args.get("max_lcase", 10) + min_ucase = args.get("min_ucase", 0) + max_ucase = args.get("max_ucase", 10) + min_digits = args.get("min_digits", 0) + max_digits = args.get("max_digits", 10) + min_symbols = args.get("min_symbols", 0) + max_symbols = args.get("max_symbols", 10) password = None try: # Generate a random password - pwd_generation_script_output = demisto.executeCommand(pwd_generation_script, {}) + if pwd_generation_script == DEFAULT_PWD_GENERATION_SCRIPT: + pwd_generation_script_output = demisto.executeCommand(pwd_generation_script, + {"min_lcase": min_lcase, + "max_lcase": max_lcase, + "min_ucase": min_ucase, + "max_ucase": max_ucase, + "min_digits": min_digits, + "max_digits": max_digits, + "min_symbols": min_symbols, + "max_symbols": max_symbols}) + else: + pwd_generation_script_output = demisto.executeCommand(pwd_generation_script, {}) if is_error(pwd_generation_script_output): raise Exception(f'An error occurred while trying to generate a new password for the user. ' f'Error is:\n{get_error(pwd_generation_script_output)}') diff --git a/Packs/Active_Directory_Query/Scripts/IAMInitADUser/IAMInitADUser.yml b/Packs/Active_Directory_Query/Scripts/IAMInitADUser/IAMInitADUser.yml index b4ab55a2db2c..d9216ae31622 100644 
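Review bot: The eight new `min_*`/`max_*` values in main() are forwarded to GeneratePassword exactly as received, so a non-numeric argument or a minimum larger than its maximum is only detected, if at all, inside the child script, and the Python default `0` is an int while the yml default `"0"` arrives as a string. Converting each with `arg_to_number(args.get("min_lcase", 0))` and raising a clear error when any `min_*` exceeds its `max_*` before the `executeCommand` call would fail fast with a message that names the offending argument. Since every minimum defaults to 0, the default settings impose no character-class requirement of their own; a comment such as `# All min_* default to 0: complexity is whatever GeneratePassword produces unless the caller sets minimums` would keep operators from assuming a guaranteed mix. The repeated `args.get` lines and the literal dict could also be collapsed into one comprehension over a tuple of the eight names and their defaults. main() continues outside the hunk.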
--- a/Packs/Active_Directory_Query/Scripts/IAMInitADUser/IAMInitADUser.yml +++ b/Packs/Active_Directory_Query/Scripts/IAMInitADUser/IAMInitADUser.yml 
@@ -1,52 +1,51 @@ args: -- default: false - defaultValue: GeneratePassword +- defaultValue: GeneratePassword description: The password generator script. - isArray: false name: pwdGenerationScript - required: false - secret: false -- default: false - description: The sAMAccountName of the employee. - isArray: false +- description: The sAMAccountName of the employee. name: sAMAccountName required: true - secret: false -- default: false - description: The email of the employee. - isArray: false +- description: The email of the employee. name: email required: true - secret: false -- default: false - description: The display name of the employee. - isArray: false +- description: The display name of the employee. name: displayname - required: false - secret: false -- default: false - description: The email address that the password will send to. - isArray: false +- description: The email address that the password will send to. name: to_email required: true - secret: false -- default: false - description: The incident ID. - isArray: false +- description: The incident ID. name: inc_id - required: false - secret: false -- default: false - description: The subject of the email sent to IT. - isArray: false +- description: The subject of the email sent to IT. name: email_subject - required: false - secret: false +- name: min_lcase + description: Minimum number of lower case characters to include in password. Used with the GeneratePassword script. + defaultValue: "0" +- name: max_lcase + description: Maximum number of lower case characters to include in password. Used with the GeneratePassword script. + defaultValue: "10" +- name: min_ucase + description: Minimum number of upper case characters to include in password. Used with the GeneratePassword script. + defaultValue: "0" +- name: max_ucase + description: Maximum number of upper case characters to include in password. Used with the GeneratePassword script. 
+ defaultValue: "10" +- name: min_digits + description: Minimum number of digits to include in password. Used with the GeneratePassword script. + defaultValue: "0" +- name: max_digits + description: Maximum number of digits to include in password. Used with the GeneratePassword script. + defaultValue: "10" +- name: min_symbols + description: Minimum number of symbols to include in password. Used with the GeneratePassword script. + defaultValue: "0" +- name: max_symbols + description: Maximum number of symbols to include in password. Used with the GeneratePassword script. + defaultValue: "10" comment: |- Generates password, Set an AD user account with this password. Enable the account. - Send mail to the user with tha account information. + Send mail to the user with the account information. This script is running `send-mail` command, make sure there is a matching Integration configurated. commonfields: id: IAMInitADUser @@ -55,12 +54,10 @@ enabled: true name: IAMInitADUser outputs: - contextPath: IAM.InitADUser.success - description: True if the Active Directory user was successfully activated, false - otherwise. + description: True if the Active Directory user was successfully activated, false otherwise. type: Boolean - contextPath: IAM.InitADUser.sentMail - description: True if the mail containing the information about the user activation - and its auto-generated password was successfully sent to IT, false otherwise. + description: True if the mail containing the information about the user activation and its auto-generated password was successfully sent to IT, false otherwise. type: Boolean - contextPath: IAM.InitADUser.errorDetails description: The error details, if exists. 
@@ -68,18 +65,21 @@ outputs: - contextPath: IAM.InitADUser.sendMailError description: The error received from send-mail command, if exists. type: String -script: '-' +script: '' subtype: python3 -system: false +system: true tags: - IAM - active directory - Utility -timeout: '0' type: python -dockerimage: demisto/python3:3.9.8.24399 +dockerimage: demisto/python3:3.10.9.40422 runas: DBotWeakRole runonce: false tests: -- No tests (auto formatted) +- Active Directory Test fromversion: 5.0.0 +contentitemexportablefields: + contentitemfields: + fromServerVersion: "" +scripttarget: 0 diff --git a/Packs/Active_Directory_Query/Scripts/IAMInitADUser/README.md b/Packs/Active_Directory_Query/Scripts/IAMInitADUser/README.md new file mode 100644 index 000000000000..e69de29bb2d1 diff --git a/Packs/Active_Directory_Query/pack_metadata.json b/Packs/Active_Directory_Query/pack_metadata.json index 5e9a1d5bd83a..ae2390b06b6d 100644 --- a/Packs/Active_Directory_Query/pack_metadata.json +++ b/Packs/Active_Directory_Query/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Active Directory Query", "description": "Active Directory Query integration enables you to access and manage Active Directory objects (users, contacts, and computers).", "support": "xsoar", - "currentVersion": "1.5.9", + "currentVersion": "1.6.0", "author": "Cortex XSOAR", "url": "", "email": "", diff --git a/Packs/AgariPhishingDefense/Integrations/AgariPhishingDefense/AgariPhishingDefense.yml b/Packs/AgariPhishingDefense/Integrations/AgariPhishingDefense/AgariPhishingDefense.yml index bb49fd376a6d..d6ec9b6ef816 100644 --- a/Packs/AgariPhishingDefense/Integrations/AgariPhishingDefense/AgariPhishingDefense.yml +++ b/Packs/AgariPhishingDefense/Integrations/AgariPhishingDefense/AgariPhishingDefense.yml 
@@ -443,7 +443,7 @@ script: description: Remediate suspected message. execution: false name: apd-remediate-message - dockerimage: demisto/python3:3.10.8.37233 + dockerimage: demisto/python3:3.10.9.40422 feed: false isfetch: true longRunning: false diff --git a/Packs/AgariPhishingDefense/ReleaseNotes/1_1_3.md b/Packs/AgariPhishingDefense/ReleaseNotes/1_1_3.md new file mode 100644 index 000000000000..2ca3932a40dd --- /dev/null +++ b/Packs/AgariPhishingDefense/ReleaseNotes/1_1_3.md @@ -0,0 +1,3 @@ +#### Integrations +##### Agari Phishing Defense +- Updated the Docker image to: *demisto/python3:3.10.9.40422*. diff --git a/Packs/AgariPhishingDefense/pack_metadata.json b/Packs/AgariPhishingDefense/pack_metadata.json index bd249581c039..dd3b23a5fc8d 100644 --- a/Packs/AgariPhishingDefense/pack_metadata.json +++ b/Packs/AgariPhishingDefense/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Agari Phishing Defense", "description": "Use the Agari Phishing Defense integration to retrieve Policy Events as Incidents, retrieve messages and remediate suspected messages.", "support": "partner", - "currentVersion": "1.1.2", + "currentVersion": "1.1.3", "author": "Agari", "url": "https://www.agari.com/support/", "email": "support@agari.com", diff --git a/Packs/Akamai_SIEM/.pack-ignore b/Packs/Akamai_SIEM/.pack-ignore index bbcc8ca5e05d..7fbf2c4801fa 100644 --- a/Packs/Akamai_SIEM/.pack-ignore +++ b/Packs/Akamai_SIEM/.pack-ignore @@ -1,2 +1,6 @@ [file:Akamai_SIEM.yml] ignore=IN126,BA108,BA109,IN145 + +[known_words] +Akamai +WAF diff --git a/Packs/Akamai_SIEM/Integrations/Akamai_SIEM/Akamai_SIEM.py b/Packs/Akamai_SIEM/Integrations/Akamai_SIEM/Akamai_SIEM.py index 009b4efbec38..54f7f05b20c7 100644 --- a/Packs/Akamai_SIEM/Integrations/Akamai_SIEM/Akamai_SIEM.py +++ b/Packs/Akamai_SIEM/Integrations/Akamai_SIEM/Akamai_SIEM.py 
@@ -36,8 +36,8 @@ class Client(BaseClient): - def get_events(self, config_ids: str, offset: Optional[str] = None, limit: Optional[Union[str, int]] = None, - from_epoch: Optional[str] = None, to_epoch: Optional[str] = None) \ + def get_events(self, config_ids: str, offset: Optional[str] = '', limit: Optional[Union[str, int]] = None, + from_epoch: Optional[str] = '', to_epoch: Optional[str] = '') \ -> Tuple[List[Any], Any]: """ Get security events from Akamai WAF service by - https://developer.akamai.com/api/cloud_security/siem/v1.html, @@ -81,8 +81,10 @@ def get_events(self, config_ids: str, offset: Optional[str] = None, limit: Optio events: List = [] if '{ "total": 0' not in raw_response: events = [json.loads(event) for event in raw_response.split('\n')[:-2]] - offset_new = json.loads(raw_response.split('\n')[-2]).get('offset') - return events, offset_new + new_offset = str(max([int(event.get('httpMessage', {}).get('start')) for event in events])) + else: + new_offset = str(from_epoch) + return events, new_offset '''HELPER FUNCIONS''' @@ -269,15 +271,8 @@ def fetch_incidents_command( """ raw_response: Optional[List] = [] if not last_run: - datetime_new_last_run, _ = parse_date_range(date_range=fetch_time, - date_format='%s') - raw_response, offset = client.get_events(config_ids=config_ids, - from_epoch=datetime_new_last_run, - limit=fetch_limit) - else: - raw_response, offset = client.get_events(config_ids=config_ids, - offset=last_run, - limit=fetch_limit) + last_run, _ = parse_date_range(date_range=fetch_time, date_format='%s') + raw_response, offset = client.get_events(config_ids=config_ids, from_epoch=last_run, limit=fetch_limit) incidents = [] if raw_response: diff --git a/Packs/Akamai_SIEM/Integrations/Akamai_SIEM/Akamai_SIEM_test.py b/Packs/Akamai_SIEM/Integrations/Akamai_SIEM/Akamai_SIEM_test.py index da395300d5aa..6682104e38de 100644 --- a/Packs/Akamai_SIEM/Integrations/Akamai_SIEM/Akamai_SIEM_test.py 
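Review bot: The new offset computation in get_events, `new_offset = str(max([int(event.get('httpMessage', {}).get('start')) for event in events]))`, raises TypeError on any event whose `httpMessage` lacks `start` (`int(None)`) and ValueError if `events` turns out empty despite the total check, so one malformed record aborts the whole fetch; collecting `starts = [int(e['httpMessage']['start']) for e in events if e.get('httpMessage', {}).get('start') is not None]` and falling back to `str(from_epoch)` when `starts` is empty keeps the fetch alive. Because the returned offset is now the `start` timestamp of the newest event and fetch_incidents_command passes it straight back as `from_epoch`, which the tests show becoming the `from=` query parameter, events sharing that second appear to be fetched again on the next run and would create duplicate incidents, and if more than `limit` events share one second the fetch may never advance past it — confirm the API's `from` semantics and consider deduplicating by event id in fetch_incidents_command or adding one second when the previous run returned events. The new signature still annotates `offset`, `from_epoch` and `to_epoch` as `Optional[str]` although their defaults are now `''`, so `str` alone would describe them accurately. get_events ends outside the hunk.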
+++ b/Packs/Akamai_SIEM/Integrations/Akamai_SIEM/Akamai_SIEM_test.py @@ -51,7 +51,7 @@ def test_fetch_incidents_command_1(self, client, datadir, requests_mock): config_ids='50170', last_run={}) expected_incidents = load_params_from_json(datadir['expected_fetch.json'], type='incidents') - expected_last_run = {'lastRun': "318d8"} + expected_last_run = {'lastRun': "1576002507"} assert expected_incidents == tested_incidents, "Incidents - No last time exsits and event available" assert tested_last_run == expected_last_run, "Last run - No last time exsits and event available" @@ -59,14 +59,14 @@ def test_fetch_incidents_command_1(self, client, datadir, requests_mock): def test_fetch_incidents_command_2(self, client, datadir, requests_mock): """Test - Last time exsits and events available""" from Akamai_SIEM import fetch_incidents_command - requests_mock.get(f'{BASE_URL}/50170?offset=318d8&limit=5', text=SEC_EVENTS_TXT) + requests_mock.get(f'{BASE_URL}/50170?from=1575966002&limit=5', text=SEC_EVENTS_TXT) tested_incidents, tested_last_run = fetch_incidents_command(client=client, fetch_time='12 hours', fetch_limit='5', config_ids='50170', - last_run='318d8') + last_run='1575966002') expected_incidents = load_params_from_json(datadir['expected_fetch.json'], type='incidents') - expected_last_run = {'lastRun': "318d8"} + expected_last_run = {'lastRun': "1576002507"} assert expected_incidents == tested_incidents, "Incidents - Last time exsits and events available" assert tested_last_run == expected_last_run, "Last run - No last time exsits and event available" 
@@ -74,13 +74,13 @@ def test_fetch_incidents_command_2(self, client, datadir, requests_mock): def test_fetch_incidents_command_3(self, client, datadir, requests_mock): """Test - Last time exsits and no available data""" from Akamai_SIEM import fetch_incidents_command - requests_mock.get(f'{BASE_URL}/50170?offset=318d8&limit=5', text=SEC_EVENTS_EMPTY_TXT) + requests_mock.get(f'{BASE_URL}/50170?from=1575966002&limit=5', text=SEC_EVENTS_EMPTY_TXT) tested_incidents, tested_last_run = fetch_incidents_command(client=client, fetch_time='12 hours', fetch_limit=5, config_ids='50170', - last_run='318d8') - expected_last_run = {'lastRun': "318d8"} + last_run='1575966002') + expected_last_run = {'lastRun': "1575966002"} expected_incidents = [] assert expected_incidents == tested_incidents, "Incidents - Last time exsits and no available data" assert tested_last_run == expected_last_run, "Last run - No last time exsits and event available" @@ -95,7 +95,7 @@ def test_fetch_incidents_command_4(self, client, datadir, requests_mock): fetch_limit=5, config_ids='50170', last_run={}) - expected_last_run = {'lastRun': "318d8"} + expected_last_run = {'lastRun': "1575966002"} expected_incidents = [] assert expected_incidents == tested_incidents, "Incidents - No last time exsits and no available data" assert tested_last_run == expected_last_run, "Last run - No last time exsits and no available data" diff --git a/Packs/Akamai_SIEM/ReleaseNotes/1_0_8.md b/Packs/Akamai_SIEM/ReleaseNotes/1_0_8.md new file mode 100644 index 000000000000..4f30efa43595 --- /dev/null +++ b/Packs/Akamai_SIEM/ReleaseNotes/1_0_8.md @@ -0,0 +1,5 @@ + +#### Integrations +##### Akamai WAF SIEM +- Fixed an issue with the ***fetch incidents*** command when the *offset* parameter was expired. + diff --git a/Packs/Akamai_SIEM/pack_metadata.json b/Packs/Akamai_SIEM/pack_metadata.json index dbe9217247ec..238007985d2e 100644 --- a/Packs/Akamai_SIEM/pack_metadata.json +++ b/Packs/Akamai_SIEM/pack_metadata.json 
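Review bot: The updated tests in test_fetch_incidents_command_2 and _3 pin the new time-based `lastRun` to fixture values, but no case exercises an event whose `httpMessage` lacks `start`, which the new `get_events` offset computation would turn into a TypeError, nor a fixture in which several events share the `start` second that becomes the next `from`, so the re-fetch behaviour on that boundary stays untested. A small fixture with one event missing `start` plus an assertion on the resulting `lastRun` would cover the first gap. The assertion messages on the unchanged lines in tests 2 and 3 still read `"Last run - No last time exsits and event available"` although both cases start with a last run; `"Last run - Last time exists and events available"` would match the docstrings.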
@@ -2,7 +2,7 @@ "name": "Akamai WAF SIEM", "description": "Use the Akamai WAF SIEM integration to retrieve security events from Akamai Web Application Firewall (WAF) service.", "support": "xsoar", - "currentVersion": "1.0.7", + "currentVersion": "1.0.8", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/Alexa/Integrations/AlexaV2/AlexaV2.yml b/Packs/Alexa/Integrations/AlexaV2/AlexaV2.yml index 44613ea7ed28..3826b1959867 100644 --- a/Packs/Alexa/Integrations/AlexaV2/AlexaV2.yml +++ b/Packs/Alexa/Integrations/AlexaV2/AlexaV2.yml @@ -88,7 +88,7 @@ script: - contextPath: Alexa.Domain.Rank description: Alexa rank as determined by Amazon. type: String - dockerimage: demisto/python3:3.10.8.39276 + dockerimage: demisto/python3:3.10.9.40422 feed: false isfetch: false longRunning: false diff --git a/Packs/Alexa/ReleaseNotes/2_0_21.md b/Packs/Alexa/ReleaseNotes/2_0_21.md new file mode 100644 index 000000000000..d0ebfaf9b5c2 --- /dev/null +++ b/Packs/Alexa/ReleaseNotes/2_0_21.md @@ -0,0 +1,3 @@ +#### Integrations +##### Alexa Rank Indicator v2 +- Updated the Docker image to: *demisto/python3:3.10.9.40422*. diff --git a/Packs/Alexa/pack_metadata.json b/Packs/Alexa/pack_metadata.json index 80c27137795f..1240abfb811c 100644 --- a/Packs/Alexa/pack_metadata.json +++ b/Packs/Alexa/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Alexa Rank Indicator", "description": "Alexa provides website ranking information that can be useful in determining if the domain in question has a strong web presence.", "support": "xsoar", - "currentVersion": "2.0.20", + "currentVersion": "2.0.21", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/AlibabaActionTrail/ModelingRules/AlibabaModelingRules_1_3/AlibabaModelingRules_1_3_schema.json b/Packs/AlibabaActionTrail/ModelingRules/AlibabaModelingRules_1_3/AlibabaModelingRules_1_3_schema.json index 52fd0e833c83..500d11389aac 100644 
--- a/Packs/AlibabaActionTrail/ModelingRules/AlibabaModelingRules_1_3/AlibabaModelingRules_1_3_schema.json +++ b/Packs/AlibabaActionTrail/ModelingRules/AlibabaModelingRules_1_3/AlibabaModelingRules_1_3_schema.json @@ -39,10 +39,15 @@ "event_useridentity_principalid": { "type": "string", "is_array": false + }, + "event_errormessage": { + "type": "string", + "is_array": false }, "event_useridentity_username": { "type": "string", "is_array": false } + } } diff --git a/Packs/AlibabaActionTrail/ModelingRules/AlibabaModelingRules_1_3/AlibabaModelingRules_1_3_testdata.json b/Packs/AlibabaActionTrail/ModelingRules/AlibabaModelingRules_1_3/AlibabaModelingRules_1_3_testdata.json new file mode 100644 index 000000000000..393f36475489 --- /dev/null +++ b/Packs/AlibabaActionTrail/ModelingRules/AlibabaModelingRules_1_3/AlibabaModelingRules_1_3_testdata.json 
@@ -0,0 +1,26 @@ +{ + "data": [ + { + "test_data_event_id": "60ace5ee-448f-46dc-95e5-982a502bbe43", + "vendor": "alibaba", + "product": "action_trail", + "dataset": "alibaba_action_trail_raw", + "event_data": { "_time": "Nov 23rd 2022 23:26:15", "_insert_time": "Nov 23rd 2022 23:27:02", "_id": "x1-y1-a1-b1-abc123", "_tag": "[]", "event": "null", "_vendor": "alibaba", "__date__": "null", "__line__": "null", "__time__": "1669238775", "_product": "action-trail", "_raw_log": "", "__topic__": "actiontrail_audit_event", "_raw_json": "", "__source__": "actiontrail_internal", "__time___0": "1669238775", "__log_count__": "null", "event_eventid": "abc123", "event_eventrw": "Read", "__log_pattern__": "null", "_collector_name": "alibaba_action-trail", "_collector_type": "XSIAM", "event_acsregion": "TLV", "event_errorcode": "null", "event_eventname": "DescribeDBClusters", "event_eventtype": "ApiCall", "event_requestid": "abc123", "event_useragent": "audit.log.aliyuncs.com", "event_apiversion": "2017-08-01", "__log_signature__": "null", "event_eventsource": "polardb.aliyuncs.com", "event_servicename": "polardb", "event_errormessage": "null", "event_eventversion": "1", "event_resourcename": "null", "event_resourcetype": "null", "_reporting_device_ip": "8.8.8.8", "event_sourceipaddress": "audit.log.aliyuncs.com", "__sls_query_parameter__": "null", "event_useridentity_type": "testuser:Common_Data_Access", "_final_reporting_device_ip": "1.1.1.1", "event_requestparameterjson": "{\"stsTokenPrincipalName\":\"aliyunserviceroleforslsaudit/Common_Data_Access\",\"AcsProduct\":\"polardb\",\"PageSize\":30,\"PageNumber\":1,\"UserAgent\":\"AlibabaCloud (linux\",\"ClientPort\":2962,\"SignatureType\":\"\",\"RegionId\":\"TLV\",\"stsTokenPlayerUid\":abc123}", "event_useridentity_username": "aliyunserviceroleforslsaudit:Common_Data_Access", "event_requestparameters_name": "null", "event_useridentity_accountid": "abc123", "event_requestparameters_hostid": "null", "event_requestparameters_region": 
"null", "event_useridentity_accesskeyid": "abc123.abc123", "event_useridentity_principalid": "7067606:Common_Data_Access", "event_insightdetails_insighttype": "null", "event_additionaleventdata_mfachecked": "null", "event_insightdetails_sourceipaddress": "null", "event_insightdetails_insightcontext_statistics_insightcount": "null" }, + "expected_values": { + "xdm.event.type": "ApiCall", + "xdm.observer.product": "alibaba", + "xdm.observer.vendor": "action-trail", + "xdm.event.operation": "DescribeDBClusters", + "xdm.target.resource.name": null, + "xdm.target.resource.type": null, + "xdm.event.outcome": null, + "xdm.target.cloud.region": "TLV", + "xdm.source.user.username": "testuser:Common_Data_Access", + "xdm.source.user.user_type": "assumed-role", + "xdm.source.user.identifier": "7067606:Common_Data_Access", + "xdm.source.ipv4": "audit.log.aliyuncs.com", + "xdm.event.id": "abc123" + } + } + ] +} \ No newline at end of file diff --git a/Packs/AlibabaActionTrail/ReleaseNotes/1_0_11.md b/Packs/AlibabaActionTrail/ReleaseNotes/1_0_11.md new file mode 100644 index 000000000000..97ee14b2020d --- /dev/null +++ b/Packs/AlibabaActionTrail/ReleaseNotes/1_0_11.md @@ -0,0 +1,4 @@ + +#### Modeling Rules +##### Alibaba Modeling Rule +- Fixed XDM mapping diff --git a/Packs/AlibabaActionTrail/Triggers/Trigger_-Alibaba_ActionTrail_-_Multiple_Unauthorized_Action_Attempts_Detected_By_a_User.json b/Packs/AlibabaActionTrail/Triggers/Trigger_-Alibaba_ActionTrail_-_Multiple_Unauthorized_Action_Attempts_Detected_By_a_User.json index 7fc8988254a3..49e825f1cb82 100644 --- a/Packs/AlibabaActionTrail/Triggers/Trigger_-Alibaba_ActionTrail_-_Multiple_Unauthorized_Action_Attempts_Detected_By_a_User.json +++ b/Packs/AlibabaActionTrail/Triggers/Trigger_-Alibaba_ActionTrail_-_Multiple_Unauthorized_Action_Attempts_Detected_By_a_User.json 
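Review bot: The `expected_values` block asserts `"xdm.observer.product": "alibaba"` and `"xdm.observer.vendor": "action-trail"`, which is the reverse of the event's own `"_vendor": "alibaba"` / `"_product": "action-trail"` fields, so either the modeling rule maps the two the wrong way round or this expectation was written to match a swapped rule — worth confirming against the rule before the fixture locks the mapping in. Likewise `"xdm.source.ipv4": "audit.log.aliyuncs.com"` expects a hostname in an IPv4 field, which suggests `event_sourceipaddress` is copied into `xdm.source.ipv4` without checking that it is an address; if that is intentional, the release note should say so, otherwise the fixture is asserting a defect. The `"null"` strings in `event_data` (for example `event_errormessage` and `event_resourcename`) are matched against JSON `null` in the expectations, so the rule presumably normalises the literal string; a test value that is genuinely absent would confirm both paths behave the same.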
@@ -1,6 +1,6 @@ { - "trigger_id": "73545719a1bdeba6ba91f6a16044c021", - "playbook_id": "Alibaba ActionTrail - multiple unauthorized action_attempts detected by a user.yml", + "trigger_id": "abfa084a92abfb031de08b57b3f78ec8", + "playbook_id": "Alibaba ActionTrail - multiple unauthorized action_attempts detected by a user", "suggestion_reason": "Recommended for multiple unauthorized action_attempts detected by a user related alerts", "description": "This trigger is responsible for handling 'Alibaba ActionTrail - multiple unauthorized action_attempts detected by a user' alerts", "trigger_name": "Alibaba ActionTrail - Multiple Unauthorized Action Attempts Detected By a User Alerts", @@ -10,7 +10,7 @@ { "SEARCH_FIELD": "alert_name", "SEARCH_TYPE": "EQ", - "SEARCH_VALUE": "Alibaba ActionTrail - multiple unauthorized action attempts detected by a user.yml" + "SEARCH_VALUE": "Alibaba ActionTrail - multiple unauthorized action attempts detected by a user" } ] } diff --git a/Packs/AlibabaActionTrail/pack_metadata.json b/Packs/AlibabaActionTrail/pack_metadata.json index b0dfb9c72903..977f1d20c7f6 100644 --- a/Packs/AlibabaActionTrail/pack_metadata.json +++ b/Packs/AlibabaActionTrail/pack_metadata.json @@ -2,16 +2,14 @@ "name": "Alibaba Action Trail", "description": "An Integration Pack to fetch Alibaba action trail events.", "support": "xsoar", - "currentVersion": "1.0.10", + "currentVersion": "1.0.11", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", "categories": [ "Analytics & SIEM" ], - "tags": [ - "marketplacev2:Data Source" - ], + "tags": [], "useCases": [], "keywords": [], "marketplaces": [ diff --git a/Packs/AlienVault_OTX/Integrations/AlienVault_OTX_v2/AlienVault_OTX_v2.yml b/Packs/AlienVault_OTX/Integrations/AlienVault_OTX_v2/AlienVault_OTX_v2.yml index 85cdd4f80882..f155a79709d6 100644 --- a/Packs/AlienVault_OTX/Integrations/AlienVault_OTX_v2/AlienVault_OTX_v2.yml 
+++ b/Packs/AlienVault_OTX/Integrations/AlienVault_OTX_v2/AlienVault_OTX_v2.yml @@ -619,7 +619,7 @@ script: - contextPath: URL.Relationships.EntityBType description: The type of the destination of the relationship. type: string - dockerimage: demisto/python3:3.10.8.39276 + dockerimage: demisto/python3:3.10.9.40422 isfetch: false longRunning: false longRunningPort: false diff --git a/Packs/AlienVault_OTX/ReleaseNotes/1_1_26.md b/Packs/AlienVault_OTX/ReleaseNotes/1_1_26.md new file mode 100644 index 000000000000..5178b1462556 --- /dev/null +++ b/Packs/AlienVault_OTX/ReleaseNotes/1_1_26.md @@ -0,0 +1,3 @@ +#### Integrations +##### AlienVault OTX v2 +- Updated the Docker image to: *demisto/python3:3.10.9.40422*. diff --git a/Packs/AlienVault_OTX/pack_metadata.json b/Packs/AlienVault_OTX/pack_metadata.json index d0babe0502e4..664b0b53ac63 100644 --- a/Packs/AlienVault_OTX/pack_metadata.json +++ b/Packs/AlienVault_OTX/pack_metadata.json @@ -2,7 +2,7 @@ "name": "AlienVault OTX", "description": "Query Indicators of Compromise in AlienVault OTX.", "support": "xsoar", - "currentVersion": "1.1.25", + "currentVersion": "1.1.26", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/AlienVault_USM_Anywhere/Integrations/AlienVault_USM_Anywhere/AlienVault_USM_Anywhere.py b/Packs/AlienVault_USM_Anywhere/Integrations/AlienVault_USM_Anywhere/AlienVault_USM_Anywhere.py index bed91d5af5a6..9e6aa6b41dea 100644 --- a/Packs/AlienVault_USM_Anywhere/Integrations/AlienVault_USM_Anywhere/AlienVault_USM_Anywhere.py +++ b/Packs/AlienVault_USM_Anywhere/Integrations/AlienVault_USM_Anywhere/AlienVault_USM_Anywhere.py @@ -6,11 +6,12 @@ import json import requests import dateparser +import urllib3 from datetime import datetime from typing import Dict # Disable insecure warnings -requests.packages.urllib3.disable_warnings() +urllib3.disable_warnings() ''' GLOBALS/PARAMS ''' 
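Review bot: `urllib3.disable_warnings()` with no argument silences every urllib3 warning category globally, not only the insecure-request warning the comment above it describes, so deprecation and dependency warnings from the library are hidden as well; `urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)` keeps the intent while leaving other warnings visible. The comment `# Disable insecure warnings` would also benefit from stating what it does not do, e.g. `# Silence InsecureRequestWarning only; this does not disable certificate verification`, since readers often conflate the two.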
diff --git a/Packs/AlienVault_USM_Anywhere/Integrations/AlienVault_USM_Anywhere/AlienVault_USM_Anywhere.yml b/Packs/AlienVault_USM_Anywhere/Integrations/AlienVault_USM_Anywhere/AlienVault_USM_Anywhere.yml index 7eab5f8d29da..c97681d4a7de 100644 --- a/Packs/AlienVault_USM_Anywhere/Integrations/AlienVault_USM_Anywhere/AlienVault_USM_Anywhere.yml +++ b/Packs/AlienVault_USM_Anywhere/Integrations/AlienVault_USM_Anywhere/AlienVault_USM_Anywhere.yml @@ -412,7 +412,7 @@ script: - contextPath: AlienVault.Event.Subcategory description: The event subcategory. type: String - dockerimage: demisto/python3:3.10.5.31928 + dockerimage: demisto/python3:3.10.9.40422 isfetch: true longRunning: false longRunningPort: false diff --git a/Packs/AlienVault_USM_Anywhere/ReleaseNotes/1_0_13.md b/Packs/AlienVault_USM_Anywhere/ReleaseNotes/1_0_13.md new file mode 100644 index 000000000000..16b09cf7a8b8 --- /dev/null +++ b/Packs/AlienVault_USM_Anywhere/ReleaseNotes/1_0_13.md @@ -0,0 +1,3 @@ +#### Integrations +##### AlienVault USM Anywhere +- Updated the Docker image to: *demisto/python3:3.10.9.40422*. diff --git a/Packs/AlienVault_USM_Anywhere/pack_metadata.json b/Packs/AlienVault_USM_Anywhere/pack_metadata.json index 3c4c6dd8d2d5..ef8dfad19d42 100644 --- a/Packs/AlienVault_USM_Anywhere/pack_metadata.json +++ b/Packs/AlienVault_USM_Anywhere/pack_metadata.json @@ -2,7 +2,7 @@ "name": "AlienVault USM Anywhere", "description": "Searches for and monitors alarms and events from AlienVault USM Anywhere.", "support": "xsoar", - "currentVersion": "1.0.12", + "currentVersion": "1.0.13", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/AlphaVantage/Integrations/AlphaVantage/AlphaVantage.yml b/Packs/AlphaVantage/Integrations/AlphaVantage/AlphaVantage.yml index db40ab10649f..2759e581e96e 100755 --- a/Packs/AlphaVantage/Integrations/AlphaVantage/AlphaVantage.yml +++ b/Packs/AlphaVantage/Integrations/AlphaVantage/AlphaVantage.yml 
@@ -117,7 +117,7 @@ script: - contextPath: AlphaVantage.StockHistory.Time Series description: 'List of all stock data samples' type: Unknown - dockerimage: demisto/python3:3.10.5.31928 + dockerimage: demisto/python3:3.10.9.40422 feed: false isfetch: false longRunning: false diff --git a/Packs/AlphaVantage/ReleaseNotes/1_0_8.md b/Packs/AlphaVantage/ReleaseNotes/1_0_8.md new file mode 100644 index 000000000000..150bb121a4f2 --- /dev/null +++ b/Packs/AlphaVantage/ReleaseNotes/1_0_8.md @@ -0,0 +1,3 @@ +#### Integrations +##### AlphaVantage +- Updated the Docker image to: *demisto/python3:3.10.9.40422*. diff --git a/Packs/AlphaVantage/pack_metadata.json b/Packs/AlphaVantage/pack_metadata.json index 2bb38fb9b32b..c4342eb5ae13 100755 --- a/Packs/AlphaVantage/pack_metadata.json +++ b/Packs/AlphaVantage/pack_metadata.json @@ -2,7 +2,7 @@ "name": "AlphaVantage", "description": "The Alpha Vantage content pack provides accessible APIs for financial market data such as stock prices. Utilize this pack to get open stock prices, high/low price, trade volume, and so on.", "support": "community", - "currentVersion": "1.0.7", + "currentVersion": "1.0.8", "author": "Ohad Valtzer", "url": "https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/bd-p/Cortex_XSOAR_Discussions", "email": "", diff --git a/Packs/Anomali_Enterprise/Integrations/Anomali_Enterprise/Anomali_Enterprise.yml b/Packs/Anomali_Enterprise/Integrations/Anomali_Enterprise/Anomali_Enterprise.yml index c05d1b3eb7b7..9ab916ae602a 100644 --- a/Packs/Anomali_Enterprise/Integrations/Anomali_Enterprise/Anomali_Enterprise.yml +++ b/Packs/Anomali_Enterprise/Integrations/Anomali_Enterprise/Anomali_Enterprise.yml @@ -205,7 +205,7 @@ script: - contextPath: Domain.Malicious.Description description: A description of the malicious domain. type: String - dockerimage: demisto/python3:3.10.8.39276 + dockerimage: demisto/python3:3.10.9.40422 feed: false isfetch: false longRunning: false 
diff --git a/Packs/Anomali_Enterprise/ReleaseNotes/1_0_25.md b/Packs/Anomali_Enterprise/ReleaseNotes/1_0_25.md new file mode 100644 index 000000000000..23110f630470 --- /dev/null +++ b/Packs/Anomali_Enterprise/ReleaseNotes/1_0_25.md @@ -0,0 +1,3 @@ +#### Integrations +##### Anomali Match +- Updated the Docker image to: *demisto/python3:3.10.9.40422*. diff --git a/Packs/Anomali_Enterprise/pack_metadata.json b/Packs/Anomali_Enterprise/pack_metadata.json index ea99af0b2ddb..2fbcea9ae78f 100644 --- a/Packs/Anomali_Enterprise/pack_metadata.json +++ b/Packs/Anomali_Enterprise/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Anomali Enterprise", "description": "Use Anomali Match to query IOCs and conduct forensic searches.", "support": "xsoar", - "currentVersion": "1.0.24", + "currentVersion": "1.0.25", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/Anomali_ThreatStream/Integrations/AnomaliThreatStreamv3/AnomaliThreatStreamv3.yml b/Packs/Anomali_ThreatStream/Integrations/AnomaliThreatStreamv3/AnomaliThreatStreamv3.yml index b7b3ddc589a6..8c9fcd66fc2e 100644 --- a/Packs/Anomali_ThreatStream/Integrations/AnomaliThreatStreamv3/AnomaliThreatStreamv3.yml +++ b/Packs/Anomali_ThreatStream/Integrations/AnomaliThreatStreamv3/AnomaliThreatStreamv3.yml @@ -4335,7 +4335,7 @@ script: - contextPath: ThreatStream.Intelligence.severity description: The severity of the intelligence. type: String - dockerimage: demisto/py3-tools:1.0.0.40800 + dockerimage: demisto/py3-tools:1.0.0.41748 feed: false isfetch: false longRunning: false diff --git a/Packs/Anomali_ThreatStream/ReleaseNotes/2_0_22.md b/Packs/Anomali_ThreatStream/ReleaseNotes/2_0_22.md new file mode 100644 index 000000000000..3e8a77b6f46a --- /dev/null +++ b/Packs/Anomali_ThreatStream/ReleaseNotes/2_0_22.md @@ -0,0 +1,3 @@ +#### Integrations +##### Anomali ThreatStream v3 +- Updated the Docker image to: *demisto/py3-tools:1.0.0.41748*. 
diff --git a/Packs/Anomali_ThreatStream/pack_metadata.json b/Packs/Anomali_ThreatStream/pack_metadata.json index 3259ebab9150..987989c6dff1 100644 --- a/Packs/Anomali_ThreatStream/pack_metadata.json +++ b/Packs/Anomali_ThreatStream/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Anomali ThreatStream", "description": "Use Anomali ThreatStream to query and submit threats.", "support": "xsoar", - "currentVersion": "2.0.21", + "currentVersion": "2.0.22", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/AnsibleTower/Integrations/AnsibleTower/AnsibleTower.yml b/Packs/AnsibleTower/Integrations/AnsibleTower/AnsibleTower.yml index 5373c5425951..fd87289d970b 100644 --- a/Packs/AnsibleTower/Integrations/AnsibleTower/AnsibleTower.yml +++ b/Packs/AnsibleTower/Integrations/AnsibleTower/AnsibleTower.yml @@ -1655,7 +1655,7 @@ script: - contextPath: AnsibleAWX.JobEvents.event_data description: Job's raw event data type: String - dockerimage: demisto/python3:3.10.8.39276 + dockerimage: demisto/python3:3.10.9.40422 feed: false isfetch: false longRunning: false diff --git a/Packs/AnsibleTower/ReleaseNotes/1_0_27.md b/Packs/AnsibleTower/ReleaseNotes/1_0_27.md new file mode 100644 index 000000000000..d94be062d8cf --- /dev/null +++ b/Packs/AnsibleTower/ReleaseNotes/1_0_27.md @@ -0,0 +1,3 @@ +#### Integrations +##### Ansible Tower +- Updated the Docker image to: *demisto/python3:3.10.9.40422*. diff --git a/Packs/AnsibleTower/pack_metadata.json b/Packs/AnsibleTower/pack_metadata.json index ef5f1a5aecc9..b5879762c0de 100644 --- a/Packs/AnsibleTower/pack_metadata.json +++ b/Packs/AnsibleTower/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Ansible Tower", "description": "Scale IT automation, manage complex deployments and speed productivity.", "support": "xsoar", - "currentVersion": "1.0.26", + "currentVersion": "1.0.27", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", 
diff --git a/Packs/ApiModules/ReleaseNotes/2_2_12.md b/Packs/ApiModules/ReleaseNotes/2_2_12.md new file mode 100644 index 000000000000..6dc40892253b --- /dev/null +++ b/Packs/ApiModules/ReleaseNotes/2_2_12.md @@ -0,0 +1,5 @@ + +#### Scripts +##### TAXII2ApiModule +- Added support for limiting the number of fetched indicators. +- Improved implementation for polling collections. \ No newline at end of file diff --git a/Packs/ApiModules/Scripts/AWSApiModule/AWSApiModule.py b/Packs/ApiModules/Scripts/AWSApiModule/AWSApiModule.py index 1acd7d1e77af..3a9bfb3b0cf3 100644 --- a/Packs/ApiModules/Scripts/AWSApiModule/AWSApiModule.py +++ b/Packs/ApiModules/Scripts/AWSApiModule/AWSApiModule.py @@ -18,14 +18,14 @@ def validate_params(aws_default_region, aws_role_arn, aws_role_session_name, aws raise DemistoException('Role session name is required when using role ARN.') -def extract_session_from_access(access_key, session_token): +def extract_session_from_secret(secret_key, session_token): """ - Extract the session token from the access_key field. + Extract the session token from the secret_key field. """ - if access_key and '@@@' in access_key and not session_token: - return access_key.split('@@@')[0], access_key.split('@@@')[1] + if secret_key and '@@@' in secret_key and not session_token: + return secret_key.split('@@@')[0], secret_key.split('@@@')[1] else: - return access_key, session_token + return secret_key, session_token class AWSClient: 
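Review bot: `secret_key.split('@@@')[0], secret_key.split('@@@')[1]` silently drops everything after a second `@@@`, so a value with more than one separator loses part of the session token without any error; `secret, _, token = secret_key.partition('@@@')` followed by `return secret, token` keeps the whole remainder and splits the string once. The docstring should also state the contract callers rely on: the secret-key field may carry `<secret>@@@<session_token>`, and an explicitly supplied `session_token` takes precedence over the embedded one. That is an edge case for AWS-issued keys (base64-style, no `@`), but since the rename now makes clear this is the secret credential, the format convention deserves to be written down next to it. The hunk covers the whole function.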
@@ -40,7 +40,7 @@ def __init__(self, aws_default_region, aws_role_arn, aws_role_session_name, aws_ self.aws_role_session_duration = aws_role_session_duration self.aws_role_policy = aws_role_policy self.aws_access_key_id = aws_access_key_id - self.aws_secret_access_key, self.aws_session_token = extract_session_from_access(aws_secret_access_key, aws_session_token) + self.aws_secret_access_key, self.aws_session_token = extract_session_from_secret(aws_secret_access_key, aws_session_token) self.verify_certificate = verify_certificate proxies = handle_proxy(proxy_param_name='proxy', checkbox_default_value=False) @@ -101,7 +101,7 @@ def aws_session(self, service, region=None, role_arn=None, role_session_name=Non if not self.aws_access_key_id: sts_client = boto3.client('sts', config=self.config, verify=self.verify_certificate, - region_name=self.aws_default_region) + region_name=region if region else self.aws_default_region) sts_response = sts_client.assume_role(**kwargs) client = boto3.client( service_name=service, @@ -127,7 +127,7 @@ def aws_session(self, service, region=None, role_arn=None, role_session_name=Non sts_response = sts_client.assume_role(**kwargs) client = boto3.client( service_name=service, - region_name=self.aws_default_region, + region_name=region if region else self.aws_default_region, aws_access_key_id=sts_response['Credentials']['AccessKeyId'], aws_secret_access_key=sts_response['Credentials']['SecretAccessKey'], aws_session_token=sts_response['Credentials']['SessionToken'], diff --git a/Packs/ApiModules/Scripts/AWSApiModule/AWSApiModule_test.py b/Packs/ApiModules/Scripts/AWSApiModule/AWSApiModule_test.py index b89f0f5c5dd4..be76ae92ec55 100644 --- a/Packs/ApiModules/Scripts/AWSApiModule/AWSApiModule_test.py +++ b/Packs/ApiModules/Scripts/AWSApiModule/AWSApiModule_test.py 
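Review bot: In the role-ARN path the STS client now targets the per-call `region` instead of `self.aws_default_region`, which changes where `assume_role` is sent rather than only where the service client is built. For opt-in regions the STS regional endpoint is disabled unless the account enables it (inferred from AWS behaviour, not visible in this hunk), so a caller passing such a region could now see `assume_role` fail where the default-region call previously worked. Consider keeping the STS call on `self.aws_default_region` and applying `region` only to the service client, or state in the `aws_session` docstring that the STS endpoint follows `region`. `aws_session` starts and ends outside the hunk.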
@@ -178,9 +178,9 @@ def test_AWSClient_without_session_token(): print('failed to create session:' + Exception) -@pytest.mark.parametrize('access_key, session_token, expected', +@pytest.mark.parametrize('secret_key, session_token, expected', [ - ('access_key@@@session_token', None, ('access_key', 'session_token')), + ('secret_key@@@session_token', None, ('secret_key', 'session_token')), ('test1', None, ('test1', None)), ('test1', 'test2', ('test1', 'test2')), ('test1@@@test2', 'test3', ('test1@@@test2', 'test3')), @@ -188,17 +188,17 @@ def test_AWSClient_without_session_token(): (None, '', (None, '')), (None, None, (None, None)) ]) -def test_extract_session_from_access(access_key, session_token, expected): +def test_extract_session_from_secret(secret_key, session_token, expected): """ Given - - Access key and session token + - Secret key and session token When - - Calling the extract_session_from_access function + - Calling the extract_session_from_secret function Then - - Check that the function returns the expected access key and session token + - Check that the function returns the expected secret key and session token """ - result = extract_session_from_access(access_key, session_token) + result = extract_session_from_secret(secret_key, session_token) assert result == expected diff --git a/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule.py b/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule.py index 0a30742b0c84..51fdfdd67f14 100644 --- a/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule.py +++ b/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule.py 
@@ -2040,7 +2040,7 @@ def blocklist_files_command(client, args): headers=['added_hashes'], headerTransform=pascalToSpace), outputs={f'{args.get("integration_context_brand", "CoreApiModule")}.' - f'blocklist.added_hashes.fileHash(val.fileHash == obj.fileHash)': hash_list}, + f'{args.get("prefix", "blocklist")}.added_hashes.fileHash(val.fileHash == obj.fileHash)': hash_list}, raw_response=res ) @@ -2077,7 +2077,7 @@ def allowlist_files_command(client, args): if detailed_response: return CommandResults( readable_output=tableToMarkdown('Allowlist Files', res), - outputs_prefix=f'{args.get("integration_context_brand", "CoreApiModule")}.blocklist', + outputs_prefix=f'{args.get("integration_context_brand", "CoreApiModule")}.allowlist', outputs=res, raw_response=res ) @@ -2090,7 +2090,7 @@ def allowlist_files_command(client, args): headers=['added_hashes'], headerTransform=pascalToSpace), outputs={f'{args.get("integration_context_brand", "CoreApiModule")}.' - f'allowlist.added_hashes.fileHash(val.fileHash == obj.fileHash)': hash_list}, + f'{args.get("prefix", "allowlist")}.added_hashes.fileHash(val.fileHash == obj.fileHash)': hash_list}, raw_response=res ) diff --git a/Packs/ApiModules/Scripts/JSONFeedApiModule/JSONFeedApiModule.py b/Packs/ApiModules/Scripts/JSONFeedApiModule/JSONFeedApiModule.py index 3d8c3153c755..42df452379a4 100644 --- a/Packs/ApiModules/Scripts/JSONFeedApiModule/JSONFeedApiModule.py +++ b/Packs/ApiModules/Scripts/JSONFeedApiModule/JSONFeedApiModule.py 
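Review bot: `args.get("prefix", "allowlist")` is interpolated straight into the context key alongside the DT filter `(val.fileHash == obj.fileHash)`, so whatever string arrives as `prefix` becomes part of the path expression. If `prefix` is only ever set by the wrapping integration that is fine, but I cannot confirm that from the hunk; if it is exposed as a command argument, a value containing `.`, `(` or `)` yields a malformed or unexpected context path, so either restrict it to the known values or document in the `allowlist_files_command` docstring that `prefix` must be a bare identifier. The correction of the detailed-branch `outputs_prefix` from `.blocklist` to `.allowlist` is a genuine fix and worth a line in the release notes. `allowlist_files_command` starts outside the hunk.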
@@ -250,7 +250,10 @@ def fetch_indicators_command(client: Client, indicator_type: str, feedTags: list indicators_values_indexes[indicator_value] = len(indicators_values) indicators_values.add(indicator_value) else: - indicators[indicators_values_indexes[indicator_value]]['rawJSON']['service'] += f", {service_name}" + service = indicators[indicators_values_indexes[indicator_value]].get('rawJSON', {}).get('service', '') + if service and service_name not in service.split(','): + service_name += f', {service}' + indicators[indicators_values_indexes[indicator_value]]['rawJSON']['service'] = service_name continue indicators.extend( diff --git a/Packs/ApiModules/Scripts/JSONFeedApiModule/JSONFeedApiModule_test.py b/Packs/ApiModules/Scripts/JSONFeedApiModule/JSONFeedApiModule_test.py index f4d93eddd941..9df1aecdb911 100644 --- a/Packs/ApiModules/Scripts/JSONFeedApiModule/JSONFeedApiModule_test.py +++ b/Packs/ApiModules/Scripts/JSONFeedApiModule/JSONFeedApiModule_test.py @@ -1,5 +1,6 @@ from JSONFeedApiModule import Client, fetch_indicators_command, jmespath, get_no_update_value from CommonServerPython import * +import pytest import requests_mock import demistomock as demisto 
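Review bot: The duplicate check `service_name not in service.split(',')` splits on a bare comma while the string is assembled with `', '`, so every name after the first comes back with a leading space (`'CLOUDFRONT, AMAZON'.split(',')` yields `' AMAZON'`) and never matches, and the same feed name gets appended again the next time that indicator is seen. In the already-present case the final assignment `['service'] = service_name` overwrites the accumulated string with the single new name, discarding the others. Both go away if the existing names are normalised once and rejoined, as below. `fetch_indicators_command` starts and ends outside the hunk.
```python
                else:
                    existing = indicators[indicators_values_indexes[indicator_value]].get('rawJSON', {}).get('service', '')
                    services = [s.strip() for s in existing.split(',') if s.strip()]
                    if service_name not in services:
                        # newest feed first, keeping the "NEW, OLD" ordering of the current code
                        services.insert(0, service_name)
                    indicators[indicators_values_indexes[indicator_value]]['rawJSON']['service'] = ', '.join(services)
                    continue
```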
@@ -25,33 +26,62 @@ def test_json_feed_no_config(): assert len(jmespath.search(expression="[].rawJSON.service", data=indicators)) == 1117 -def test_json_feed_with_config(): +CONFIG_PARAMETERS = [ + ( + { + 'AMAZON': { + 'url': 'https://ip-ranges.amazonaws.com/ip-ranges.json', + 'extractor': "prefixes[?service=='AMAZON']", + 'indicator': 'ip_prefix', + 'indicator_type': FeedIndicatorType.CIDR, + 'fields': ['region', 'service'] + } + }, + 1117, + 0 + ), + ( + { + 'AMAZON': { + 'url': 'https://ip-ranges.amazonaws.com/ip-ranges.json', + 'extractor': "prefixes[?service=='AMAZON']", + 'indicator': 'ip_prefix', + 'indicator_type': FeedIndicatorType.CIDR, + 'fields': ['region', 'service'] + }, + 'CLOUDFRONT': { + 'url': 'https://ip-ranges.amazonaws.com/ip-ranges.json', + 'extractor': "prefixes[?service=='CLOUDFRONT']", + 'indicator': 'ip_prefix', + 'indicator_type': FeedIndicatorType.CIDR, + 'fields': ['region', 'service'] + } + }, + 1148, + 36 + ) +] + + +@pytest.mark.parametrize('config, total_indicators, indicator_with_several_tags', CONFIG_PARAMETERS) +def test_json_feed_with_config(config, total_indicators, indicator_with_several_tags): with open('test_data/amazon_ip_ranges.json') as ip_ranges_json: ip_ranges = json.load(ip_ranges_json) - feed_name_to_config = { - 'AMAZON': { - 'url': 'https://ip-ranges.amazonaws.com/ip-ranges.json', - 'extractor': "prefixes[?service=='AMAZON']", - 'indicator': 'ip_prefix', - 'indicator_type': FeedIndicatorType.CIDR, - 'fields': ['region', 'service'] - } - } - with requests_mock.Mocker() as m: m.get('https://ip-ranges.amazonaws.com/ip-ranges.json', json=ip_ranges) client = Client( url='https://ip-ranges.amazonaws.com/ip-ranges.json', credentials={'username': 'test', 'password': 'test'}, - feed_name_to_config=feed_name_to_config, + feed_name_to_config=config, insecure=True ) indicators, _ = fetch_indicators_command(client=client, indicator_type='CIDR', feedTags=['test'], auto_detect=False) - assert 
len(jmespath.search(expression="[].rawJSON.service", data=indicators)) == 1117 + assert len(jmespath.search(expression="[].rawJSON.service", data=indicators)) == total_indicators + assert len([i for i in indicators if ',' in i.get('rawJSON').get('service', '')]) == indicator_with_several_tags def test_json_feed_with_config_mapping(): diff --git a/Packs/ApiModules/Scripts/MicrosoftApiModule/MicrosoftApiModule.py b/Packs/ApiModules/Scripts/MicrosoftApiModule/MicrosoftApiModule.py index 0b52fba9241a..68509c17402e 100644 --- a/Packs/ApiModules/Scripts/MicrosoftApiModule/MicrosoftApiModule.py +++ b/Packs/ApiModules/Scripts/MicrosoftApiModule/MicrosoftApiModule.py @@ -148,8 +148,12 @@ def __init__(self, tenant_id: str = '', def is_command_executed_from_integration(self): ctx = demisto.callingContext.get('context', {}) - executed_command = ctx.get('ExecutedCommands', [{'moduleBrand': 'Scripts'}])[0] - return executed_command.get('moduleBrand') != 'Scripts' + executed_commands = ctx.get('ExecutedCommands', [{'moduleBrand': 'Scripts'}]) + + if executed_commands: + return executed_commands[0].get('moduleBrand', "") != 'Scripts' + + return True def http_request( self, *args, resp_type='json', headers=None, diff --git a/Packs/ApiModules/Scripts/TAXII2ApiModule/TAXII2ApiModule.py b/Packs/ApiModules/Scripts/TAXII2ApiModule/TAXII2ApiModule.py index 5a44e13d9acb..3a1b54673369 100644 --- a/Packs/ApiModules/Scripts/TAXII2ApiModule/TAXII2ApiModule.py +++ b/Packs/ApiModules/Scripts/TAXII2ApiModule/TAXII2ApiModule.py @@ -2,7 +2,7 @@ from CommonServerPython import * from CommonServerUserPython import * -from typing import Union, Optional, List, Dict, Tuple +from typing import Optional, List, Dict, Tuple from requests.sessions import merge_setting, CaseInsensitiveDict import re import copy 
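Review bot: The new assertions only count indicators whose `service` contains a comma, so a regression that appends the same feed name twice would still produce the expected 36 and pass. Add `assert all(len(s.split(', ')) == len(set(s.split(', '))) for s in jmespath.search('[].rawJSON.service', indicators))` to pin that the joined names are distinct. A third config entry whose extractor overlaps an existing one would also exercise the already-present branch, which the two-feed case may never reach.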
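Review bot: The two fallbacks in `is_command_executed_from_integration` disagree: when `ExecutedCommands` is absent the default `[{'moduleBrand': 'Scripts'}]` makes the method return False, but when the key is present and empty the new trailing `return True` reports an integration. Unless an empty list is known to mean integration context (nothing in the hunk says so), the consistent choice is `return False`, and deriving both the default and the fallback from one module-level constant would keep them from drifting again. The method is fully inside the hunk.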
@@ -25,8 +25,6 @@ ERR_NO_COLL = "No collection is available for this user, please make sure you entered the configuration correctly" -DATE_FORMAT = '%Y-%m-%dT%H:%M:%S.%fZ' - # Pattern Regexes - used to extract indicator type and value INDICATOR_OPERATOR_VAL_FORMAT_PATTERN = r"(\w.*?{value}{operator})'(.*?)'" INDICATOR_EQUALS_VAL_PATTERN = INDICATOR_OPERATOR_VAL_FORMAT_PATTERN.format( @@ -175,6 +173,10 @@ 'ZA': 'South Africa', 'ZM': 'Zambia', 'ZW': 'Zimbabwe'} +def reached_limit(limit: int, element_count: int): + return element_count >= limit > -1 + + class Taxii2FeedClient: def __init__( self, @@ -314,12 +316,18 @@ def init_roots(self): logging.disable(logging.NOTSET) def set_api_root(self): - roots_to_api = {str(api_root.url).split('/')[-2]: api_root - for api_root in self.server.api_roots} # type: ignore[attr-defined] + roots_to_api = {} + for api_root in self.server.api_roots: # type: ignore[attr-defined] + # ApiRoots are initialized with wrong _conn because we are not providing auth or cert to Server + # closing wrong unused connections + api_root_name = str(api_root.url).split('/')[-2] + demisto.debug(f'closing api_root._conn for {api_root_name}') + api_root._conn.close() + roots_to_api[api_root_name] = api_root if self.default_api_root: if not roots_to_api.get(self.default_api_root): - raise DemistoException(f'The given default API root {self.default_api_root} doesn\'t exists.' + raise DemistoException(f'The given default API root {self.default_api_root} doesn\'t exist. ' f'Available API roots are {list(roots_to_api.keys())}.') self.api_root = roots_to_api.get(self.default_api_root) @@ -1001,7 +1009,6 @@ def build_iterator(self, limit: int = -1, **kwargs) -> List[Dict[str, str]]: :param limit: max amount of indicators to fetch :return: Cortex indicators list """ - if not isinstance(self.collection_to_fetch, (v20.Collection, v21.Collection)): raise DemistoException( "Could not find a collection to fetch from. " 
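Review bot: `reached_limit` has no docstring and its sentinel is easy to misread: `element_count >= limit > -1` means `0` stops immediately while any negative value disables the cap. Add `"""Return True once element_count has reached limit; a negative limit (the -1 default used by callers) means no limit."""` so the next reader does not have to derive that from the chained comparison. The function is fully inside the hunk.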
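Review bot: `api_root._conn.close()` reaches into a private attribute of the taxii2client `ApiRoot`, so a library upgrade that renames or lazily creates `_conn` turns `set_api_root` into an AttributeError at configuration time. Guard it with `conn = getattr(api_root, '_conn', None)` and `if conn is not None: conn.close()`, keeping the debug line. The comment says these roots were built without auth or cert; it would help to state in the same comment how the selected `self.api_root` later gets a properly authenticated connection, since that part of the method is outside the hunk.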
@@ -1018,7 +1025,7 @@ def build_iterator(self, limit: int = -1, **kwargs) -> List[Dict[str, str]]: return indicators - def load_stix_objects_from_envelope(self, envelopes: Dict[str, Any], limit: int = -1): + def load_stix_objects_from_envelope(self, envelopes: types.GeneratorType, limit: int = -1): parse_stix_2_objects = { "indicator": self.parse_indicator, 
@@ -1045,118 +1052,65 @@ def load_stix_objects_from_envelope(self, envelopes: Dict[str, Any], limit: int "location": self.parse_location, "vulnerability": self.parse_vulnerability } - indicators = [] - # TAXII 2.0 - if isinstance(list(envelopes.values())[0], types.GeneratorType): - indicators.extend(self.parse_generator_type_envelope(envelopes, parse_stix_2_objects)) - # TAXII 2.1 - else: - indicators.extend(self.parse_dict_envelope(envelopes, parse_stix_2_objects, limit)) + indicators, relationships_lst = self.parse_generator_type_envelope(envelopes, parse_stix_2_objects, limit) + if relationships_lst: + indicators.extend(self.parse_relationships(relationships_lst)) demisto.debug( f"TAXII 2 Feed has extracted {len(indicators)} indicators" ) - if limit > -1: - return indicators[:limit] + return indicators - def parse_generator_type_envelope(self, envelopes: Dict[str, Any], - parse_objects_func): + def parse_generator_type_envelope(self, envelopes: types.GeneratorType, parse_objects_func, limit: int = -1): indicators = [] relationships_lst = [] - for obj_type, envelope in envelopes.items(): - for sub_envelope in envelope: - stix_objects = sub_envelope.get("objects") - if not stix_objects: - # no fetched objects - break - # now we have a list of objects, go over each obj, save id with obj, parse the obj - if obj_type != "relationship": - for obj in stix_objects: - # we currently don't support extension object - if obj.get('type') == 'extension-definition': - continue - self.id_to_object[obj.get('id')] = obj - result = parse_objects_func[obj_type](obj) - if not result: - continue - indicators.extend(result) - self.update_last_modified_indicator_date(obj.get("modified")) - else: - relationships_lst.extend(stix_objects) - if relationships_lst: - indicators.extend(self.parse_relationships(relationships_lst)) + for envelope in envelopes: + stix_objects = envelope.get("objects") + if not stix_objects: + # no fetched objects + break - return indicators + # now we have a 
list of objects, go over each obj, save id with obj, parse the obj + for obj in stix_objects: + obj_type = obj.get('type') + + # we currently don't support extension object + if obj_type == 'extension-definition': + continue + elif obj_type == 'relationship': + relationships_lst.append(obj) + continue - def parse_dict_envelope(self, envelopes: Dict[str, Any], - parse_objects_func, limit: int = -1): - indicators: list = [] - relationships_list: List[Dict[str, Any]] = [] - for obj_type, envelope in envelopes.items(): - cur_limit = limit - stix_objects = envelope.get("objects", []) - if obj_type != "relationship": - for obj in stix_objects: - # we currently don't support extension object - if obj.get('type') == 'extension-definition': - continue - self.id_to_object[obj.get('id')] = obj - result = parse_objects_func[obj_type](obj) - if not result: - continue + self.id_to_object[obj.get('id')] = obj + if not parse_objects_func.get(obj_type): + demisto.debug(f'There is no parsing function for object type {obj_type}, ' + f'available parsing functions are for types: {",".join(parse_objects_func.keys())}.') + continue + if result := parse_objects_func[obj_type](obj): indicators.extend(result) self.update_last_modified_indicator_date(obj.get("modified")) - else: - relationships_list.extend(stix_objects) - while envelope.get("more", False): - page_size = self.get_page_size(limit, cur_limit) - envelope = self.collection_to_fetch.get_objects( - limit=page_size, next=envelope.get("next", ""), type=obj_type - ) - if isinstance(envelope, Dict): - stix_objects = envelope.get("objects") - if obj_type != "relationship": - for obj in stix_objects: - self.id_to_object[obj.get('id')] = obj - result = parse_objects_func[obj_type](obj) - if not result: - continue - indicators.extend(result) - self.update_last_modified_indicator_date(obj.get("modified")) - else: - relationships_list.extend(stix_objects) - else: - raise DemistoException( - "Error: TAXII 2 client received the following 
response while requesting " - f"indicators: {str(envelope)}\n\nExpected output is json" - ) + if reached_limit(limit, len(indicators)): + return indicators, relationships_lst - if relationships_list: - indicators.extend(self.parse_relationships(relationships_list)) - return indicators + return indicators, relationships_lst def poll_collection( self, page_size: int, **kwargs - ) -> Dict[str, Union[types.GeneratorType, Dict[str, str]]]: + ) -> types.GeneratorType: """ Polls a taxii collection :param page_size: size of the request page """ - types_envelopes = {} get_objects = self.collection_to_fetch.get_objects - if len(self.objects_to_fetch) > 1: # when fetching one type no need to fetch relationship + if 'relationship' not in self.objects_to_fetch and \ + len(self.objects_to_fetch) > 1: # when fetching one type no need to fetch relationship self.objects_to_fetch.append('relationship') - for obj_type in self.objects_to_fetch: - kwargs['type'] = obj_type - if isinstance(self.collection_to_fetch, v20.Collection): - envelope = v20.as_pages(get_objects, per_request=page_size, **kwargs) - else: - envelope = get_objects(limit=page_size, **kwargs) - if envelope: - types_envelopes[obj_type] = envelope - return types_envelopes + kwargs['type'] = self.objects_to_fetch + if isinstance(self.collection_to_fetch, v20.Collection): + return v20.as_pages(get_objects, per_request=page_size, **kwargs) + return v21.as_pages(get_objects, per_request=page_size, **kwargs) def get_page_size(self, max_limit: int, cur_limit: int) -> int: """ diff --git a/Packs/ApiModules/Scripts/TAXII2ApiModule/TAXII2ApiModule_test.py b/Packs/ApiModules/Scripts/TAXII2ApiModule/TAXII2ApiModule_test.py index 8b2def140cc4..934252ca3ecb 100644 --- a/Packs/ApiModules/Scripts/TAXII2ApiModule/TAXII2ApiModule_test.py +++ b/Packs/ApiModules/Scripts/TAXII2ApiModule/TAXII2ApiModule_test.py 
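Review bot: `limit` is no longer a hard cap: `reached_limit` runs only after `indicators.extend(result)`, so a parser that yields several indicators for one object overshoots, and `load_stix_objects_from_envelope` then appends the whole `parse_relationships` output on top, whereas the removed `indicators[:limit]` trimmed the final list. The `build_iterator` docstring still calls it the "max amount of indicators to fetch", so restore the trim at the end of `load_stix_objects_from_envelope`: `return indicators[:limit] if limit > -1 else indicators`. Separately, `if not stix_objects: break` ends the fetch at the first page whose `objects` list is empty; that is probably fine for well-behaved servers, but a debug line saying the poll stopped early would make it diagnosable. `load_stix_objects_from_envelope` starts outside the hunk.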
@@ -458,7 +458,7 @@ def test_21_empty(self): expected = [] mock_client = Taxii2FeedClient(url='', collection_to_fetch='', proxies=[], verify=False, objects_to_fetch=[]) - actual = mock_client.load_stix_objects_from_envelope({"indicator": STIX_ENVELOPE_NO_IOCS}, -1) + actual = mock_client.load_stix_objects_from_envelope(STIX_ENVELOPE_NO_IOCS, -1) assert len(actual) == 0 assert expected == actual @@ -481,7 +481,7 @@ def test_21_simple(self): mock_client = Taxii2FeedClient(url='', collection_to_fetch='', proxies=[], verify=False, tlp_color='GREEN', objects_to_fetch=[]) - actual = mock_client.load_stix_objects_from_envelope({"indicator": STIX_ENVELOPE_17_IOCS_19_OBJS}, -1) + actual = mock_client.load_stix_objects_from_envelope(STIX_ENVELOPE_17_IOCS_19_OBJS, -1) assert len(actual) == 17 assert expected == actual @@ -495,7 +495,7 @@ def test_21_complex_not_skipped(self): - skip is False When: - - extract_indicators_from_envelope_and_parse is called + - load_stix_objects_from_envelope is called Then: - Extract and parse the indicators from the envelope with the complex iocs @@ -505,7 +505,7 @@ def test_21_complex_not_skipped(self): mock_client = Taxii2FeedClient(url='', collection_to_fetch='', proxies=[], verify=False, tlp_color='GREEN', objects_to_fetch=[]) - actual = mock_client.load_stix_objects_from_envelope({"indicator": STIX_ENVELOPE_20_IOCS_19_OBJS}, -1) + actual = mock_client.load_stix_objects_from_envelope(STIX_ENVELOPE_20_IOCS_19_OBJS, -1) assert len(actual) == 20 assert actual == expected @@ -519,7 +519,7 @@ def test_21_complex_skipped(self): - skip is True When: - - extract_indicators_from_envelope_and_parse is called + - load_stix_objects_from_envelope is called Then: - Extract and parse the indicators from the envelope with the complex iocs 
@@ -529,7 +529,7 @@ def test_21_complex_skipped(self): mock_client = Taxii2FeedClient(url='', collection_to_fetch='', proxies=[], verify=False, skip_complex_mode=True, objects_to_fetch=[]) - actual = mock_client.load_stix_objects_from_envelope({"indicator": STIX_ENVELOPE_20_IOCS_19_OBJS}, -1) + actual = mock_client.load_stix_objects_from_envelope(STIX_ENVELOPE_20_IOCS_19_OBJS, -1) assert len(actual) == 14 assert actual == expected @@ -550,7 +550,6 @@ def test_load_stix_objects_from_envelope_v21(self): """ mock_client = Taxii2FeedClient(url='', collection_to_fetch='', proxies=[], verify=False, objects_to_fetch=[]) objects_envelopes = envelopes_v21 - mock_client.id_to_object = id_to_object result = mock_client.load_stix_objects_from_envelope(objects_envelopes, -1) assert mock_client.id_to_object == id_to_object 
@@ -564,29 +563,15 @@ def test_load_stix_objects_from_envelope_v20(self): - Envelope with indicators, arranged by object type. When: - - parse_generator_type_envelope is called (skipping condition from load_stix_objects_from_envelope). + - load_stix_objects_from_envelope is called. Then: - Load and parse objects from the envelope according to their object type and ignore extension-definition objects. """ mock_client = Taxii2FeedClient(url='', collection_to_fetch='', proxies=[], verify=False, objects_to_fetch=[]) - objects_envelopes = envelopes_v20 - mock_client.id_to_object = id_to_object - - parse_stix_2_objects = { - "indicator": mock_client.parse_indicator, - "attack-pattern": mock_client.parse_attack_pattern, - "malware": mock_client.parse_malware, - "report": mock_client.parse_report, - "course-of-action": mock_client.parse_course_of_action, - "campaign": mock_client.parse_campaign, - "intrusion-set": mock_client.parse_intrusion_set, - "tool": mock_client.parse_tool, - "threat-actor": mock_client.parse_threat_actor, - "infrastructure": mock_client.parse_infrastructure - } - result = mock_client.parse_generator_type_envelope(objects_envelopes, parse_stix_2_objects) + + result = mock_client.load_stix_objects_from_envelope(envelopes_v20) assert mock_client.id_to_object == id_to_object assert result == parsed_objects 
@@ -1083,3 +1068,21 @@ def test_parse_location(self, taxii_2_client, location_object, xsoar_expected_re - Make sure all the fields are being parsed correctly. """ assert taxii_2_client.parse_location(location_object) == xsoar_expected_response + + +@pytest.mark.parametrize('limit, element_count, return_value', + [(8, 8, True), + (8, 9, True), + (8, 0, False), + (-1, 10, False)]) +def test_reached_limit(limit, element_count, return_value): + """ + Given: + - A limit and element count. + When: + - Enforcing limit on the elements count. + Then: + - Assert that the element count is not exceeded. + """ + from TAXII2ApiModule import reached_limit + assert reached_limit(limit, element_count) == return_value diff --git a/Packs/ApiModules/Scripts/TAXII2ApiModule/test_data/id_to_object_test.json b/Packs/ApiModules/Scripts/TAXII2ApiModule/test_data/id_to_object_test.json index a94aaebc50e8..faedde0f0b98 100644 --- a/Packs/ApiModules/Scripts/TAXII2ApiModule/test_data/id_to_object_test.json +++ b/Packs/ApiModules/Scripts/TAXII2ApiModule/test_data/id_to_object_test.json 
@@ -201,23 +201,5 @@ "modified":"2016-05-07T11:22:30.000Z", "name":"Poison Ivy C2", "infrastructure_types": ["command-and-control"] - }, - "relationship--01a5a209-b94c-450b-b7f9-946497d91055": { - "created": "2018-08-03T21:03:51.484Z", - "id": "relationship--01a5a209-b94c-450b-b7f9-946497d91055", - "modified": "2018-08-03T21:03:51.484Z", - "relationship_type": "uses", - "source_ref": "campaign--6320584e-3ef0-4a72-aaf8-0a49fa1d477c", - "target_ref": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", - "type": "relationship" - }, - "relationship--abc475d9-199c-4623-9e9a-02adf340a415": { - "created": "2018-08-03T20:31:03.780Z", - "id": "relationship--abc475d9-199c-4623-9e9a-02adf340a415", - "modified": "2018-08-22T12:36:32.248Z", - "relationship_type": "indicates", - "source_ref": "indicator--545928d9-bfe8-4320-bb98-751f38139892", - "target_ref": "campaign--6320584e-3ef0-4a72-aaf8-0a49fa1d477c", - "type": "relationship" } } \ No newline at end of file diff --git a/Packs/ApiModules/Scripts/TAXII2ApiModule/test_data/objects_envelopes_v20.json b/Packs/ApiModules/Scripts/TAXII2ApiModule/test_data/objects_envelopes_v20.json index 8d386f0baf97..35599e8a225a 100644 --- a/Packs/ApiModules/Scripts/TAXII2ApiModule/test_data/objects_envelopes_v20.json +++ b/Packs/ApiModules/Scripts/TAXII2ApiModule/test_data/objects_envelopes_v20.json 
@@ -1,281 +1,315 @@ -{ - "indicator": [{ +[ + { "objects": [ - { - "created": "2018-04-23T17:01:01.248Z", - "id": "indicator--545928d9-bfe8-4320-bb98-751f38139892", - "labels": ["malicious-activity"], - "modified": "2018-04-23T17:01:01.248Z", - "name": "windows-updates.com", - "pattern": "[domain-name:value = 'windows-updates.com']", - "type": "indicator", - "valid_from": "2018-04-23T17:01:01.248Z" + { + "created": "2018-04-23T17:01:01.248Z", + "id": "indicator--545928d9-bfe8-4320-bb98-751f38139892", + "labels": [ + "malicious-activity" + ], + "modified": "2018-04-23T17:01:01.248Z", + "name": "windows-updates.com", + "pattern": "[domain-name:value = 'windows-updates.com']", + "type": "indicator", + "valid_from": "2018-04-23T17:01:01.248Z" } ] - }], - "attack-pattern": [{ + }, + { "objects": [ + { + "created": "2017-10-25T14:48:11.535Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "description": "An adversary could call standard operating system APIs from a malicious application to gather contact list (i.e., address book) data, or with escalated privileges could directly access files containing contact list data.", + "external_references": [ + { + "external_id": "T1432", + "source_name": "mitre-mobile-attack", + "url": "https://attack.mitre.org/techniques/T1432" + }, + { + "external_id": "APP-13", + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html" + } + ], + "id": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", + "kill_chain_phases": [ + { + "kill_chain_name": "lockheed", + "phase_name": "act-on-objectives" + }, { - "created": "2017-10-25T14:48:11.535Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "An adversary could call standard operating system APIs from a malicious application to gather contact list (i.e., address book) data, or with escalated privileges could directly access files containing 
contact list data.", - "external_references": [ - { - "external_id": "T1432", - "source_name": "mitre-mobile-attack", - "url": "https://attack.mitre.org/techniques/T1432" - }, - { - "external_id": "APP-13", - "source_name": "NIST Mobile Threat Catalogue", - "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html" - } - ], - "id": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", - "kill_chain_phases": [ - { - "kill_chain_name": "lockheed", - "phase_name": "act-on-objectives" - }, - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "collection" - } - ], - "modified": "2018-10-17T00:14:20.652Z", - "name": "T1432: Access Contact List (Mobile)", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "attack-pattern", - "x_mitre_detection": "On both Android (6.0 and up) and iOS, the user can view which applications have permission to access contact list information through the device settings screen, and the user can choose to revoke the permissions.", - "x_mitre_platforms": ["Android", "iOS"], - "x_mitre_version": "1.0" - }, + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "name": "T1432: Access Contact List (Mobile)", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "x_mitre_detection": "On both Android (6.0 and up) and iOS, the user can view which applications have permission to access contact list information through the device settings screen, and the user can choose to revoke the permissions.", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.0" + }, { - "created": "2020-02-05T14:17:46.686Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "Adversaries may perform software packing or virtual machine software protection to conceal their code. 
Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.(Citation: ESET FinFisher Jan 2018) \n\nUtilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, (Citation: Wikipedia Exe Compression) but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses. ", - "external_references": [ - { - "external_id": "T1027.002", - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/techniques/T1027/002" - }, - { - "external_id": "CAPEC-570", - "source_name": "capec", - "url": "https://example.example.com/data/definitions/570.html" - }, - { - "description": "Kafka, F. (2018, January). ESET's Guide to Deobfuscating and Devirtualizing FinFisher. Retrieved August 12, 2019.", - "source_name": "ESET FinFisher Jan 2018", - "url": "https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf" - }, - { - "description": "Executable compression. (n.d.). 
Retrieved December 4, 2014.", - "source_name": "Wikipedia Exe Compression", - "url": "http://en.wikipedia.org/wiki/Executable_compression" - } - ], - "id": "attack-pattern--deb98323-e13f-4b0c-8d94-175379069062", - "kill_chain_phases": [ - { - "kill_chain_name": "lockheed", - "phase_name": "installation" - }, - { - "kill_chain_name": "mitre-attack", - "phase_name": "defense-evasion" - } - ], - "modified": "2020-02-05T20:05:41.548Z", - "name": "T1027.002: Software Packing", - "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], - "type": "attack-pattern", - "x_mitre_contributors": ["Filip Kafka, ESET"], - "x_mitre_data_sources": ["File: File Content", "File: File Metadata"], - "x_mitre_defense_bypassed": [ - "Anti-virus", - "Heuristic detection", - "Signature-based detection"], - "x_mitre_detection": "Use file scanning to look for known software packers or artifacts of packing techniques. Packing is not a definitive indicator of malicious activity, because legitimate software may use packing techniques to reduce binary size or to protect proprietary code.", - "x_mitre_is_subtechnique": true, - "x_mitre_platforms": ["macOS", "Windows"], - "x_mitre_version": "1.0", - "x_panw_parent_technique": "Obfuscated Files or Information", - "x_panw_parent_technique_subtechnique": "Obfuscated Files or Information: Software Packing" - }, + "created": "2020-02-05T14:17:46.686Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "description": "Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. 
A virtual machine is then called to run this code.(Citation: ESET FinFisher Jan 2018) \n\nUtilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, (Citation: Wikipedia Exe Compression) but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses. ", + "external_references": [ + { + "external_id": "T1027.002", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1027/002" + }, + { + "external_id": "CAPEC-570", + "source_name": "capec", + "url": "https://example.example.com/data/definitions/570.html" + }, + { + "description": "Kafka, F. (2018, January). ESET's Guide to Deobfuscating and Devirtualizing FinFisher. Retrieved August 12, 2019.", + "source_name": "ESET FinFisher Jan 2018", + "url": "https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf" + }, + { + "description": "Executable compression. (n.d.). Retrieved December 4, 2014.", + "source_name": "Wikipedia Exe Compression", + "url": "http://en.wikipedia.org/wiki/Executable_compression" + } + ], + "id": "attack-pattern--deb98323-e13f-4b0c-8d94-175379069062", + "kill_chain_phases": [ + { + "kill_chain_name": "lockheed", + "phase_name": "installation" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "modified": "2020-02-05T20:05:41.548Z", + "name": "T1027.002: Software Packing", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "x_mitre_contributors": [ + "Filip Kafka, ESET" + ], + "x_mitre_data_sources": [ + "File: File Content", + "File: File Metadata" + ], + "x_mitre_defense_bypassed": [ + "Anti-virus", + "Heuristic detection", + "Signature-based detection" + ], + "x_mitre_detection": "Use file scanning to look for known software packers or artifacts of packing techniques. 
Packing is not a definitive indicator of malicious activity, because legitimate software may use packing techniques to reduce binary size or to protect proprietary code.", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "macOS", + "Windows" + ], + "x_mitre_version": "1.0", + "x_panw_parent_technique": "Obfuscated Files or Information", + "x_panw_parent_technique_subtechnique": "Obfuscated Files or Information: Software Packing" + }, { - "created": "2021-10-21T16:56:05.840605Z", - "created_by_ref": "identity--749249c0-f7c7-5428-a4ad-ea5e1627a221", - "description": "This schema adds TIM data to the object", - "extension_types": [ - "property-extension" - ], - "id": "extension-definition--fc572b8c-bbe3-444b-b40b-06d3b890cd79", - "modified": "2021-10-21T16:56:17.747194Z", - "name": "Cortex XSOAR TIM Attack Pattern", - "schema": "https://github.com/demisto/content/tree/master/Packs/TAXIIServer/doc_files/XSOAR_indicator_schema.json", - "spec_version": "2.0", - "type": "extension-definition", - "version": "1.0" - } + "created": "2021-10-21T16:56:05.840605Z", + "created_by_ref": "identity--749249c0-f7c7-5428-a4ad-ea5e1627a221", + "description": "This schema adds TIM data to the object", + "extension_types": [ + "property-extension" + ], + "id": "extension-definition--fc572b8c-bbe3-444b-b40b-06d3b890cd79", + "modified": "2021-10-21T16:56:17.747194Z", + "name": "Cortex XSOAR TIM Attack Pattern", + "schema": "https://github.com/demisto/content/tree/master/Packs/TAXIIServer/doc_files/XSOAR_indicator_schema.json", + "spec_version": "2.0", + "type": "extension-definition", + "version": "1.0" + } ] - }], - "malware": [{ + }, + { "objects": [ - { - "created": "2019-10-10T14:43:27.256Z", - "id": "malware--481d22d7-6dd8-4e37-a543-dd21cc1707c4", - "labels": ["backdoor"], - "modified": "2019-10-10T20:25:46.596Z", - "name": "Freenki", - "type": "malware" - } + { + "created": "2019-10-10T14:43:27.256Z", + "id": "malware--481d22d7-6dd8-4e37-a543-dd21cc1707c4", + "labels": [ 
+ "backdoor" + ], + "modified": "2019-10-10T20:25:46.596Z", + "name": "Freenki", + "type": "malware" + } ] - }], - "report":[{ + }, + { "objects": [ - { - "created": "2018-08-03T20:31:05.060Z", - "description": "Sofacy (also known as Fancy Bear, APT 28, STRONTIUM, Pawn Storm) is a highly active actor with a Russian nexus. They have been active since the mid 2000s, and have been responsible for targeted intrusion campaigns against various industry vertical such as but not limited to Aerospace, Defense, Energy, Government and Media. Extensive observation and research of Sofacy's activities over time indicated a profile closely mirroring the strategic interests of the Russian government. More recently, this group has been attributed to the GRU, Russia's premier military intelligence service as reported by the US intelligence community within several declassified public documents.\n\nSeveral high profile intrusions have been publicly linked to the Sofacy group, such as the German Bundestag, France's TV5Monde TV station, the Democratic National Committee, the World Anti-Doping Agency, and the Ukrainian military.", - "id": "report--708d589b-8d99-48fd-bbb6-2d47648f807f", - "labels": ["intrusion-set"], - "modified": "2020-07-30T16:55:21.569Z", - "name": "Sofacy", - "object_refs": [ - "intrusion-set--75ac5bcc-3915-4815-b9a1-bf87277fc343", - "report--2791a5e0-d65a-43c0-936e-c15a6b7ba9d1", - "report--40aaefc2-3fe9-423b-a6eb-55abf11639b7", - "report--2f5734bf-4127-4997-9288-e9c5530aa737", - "report--ffe94621-b007-4115-ad49-fb7c8a26b66a" - ], - "published": "2020-07-30T16:55:21.569Z", - "type": "report" - } + { + "created": "2018-08-03T20:31:05.060Z", + "description": "Sofacy (also known as Fancy Bear, APT 28, STRONTIUM, Pawn Storm) is a highly active actor with a Russian nexus. 
They have been active since the mid 2000s, and have been responsible for targeted intrusion campaigns against various industry vertical such as but not limited to Aerospace, Defense, Energy, Government and Media. Extensive observation and research of Sofacy's activities over time indicated a profile closely mirroring the strategic interests of the Russian government. More recently, this group has been attributed to the GRU, Russia's premier military intelligence service as reported by the US intelligence community within several declassified public documents.\n\nSeveral high profile intrusions have been publicly linked to the Sofacy group, such as the German Bundestag, France's TV5Monde TV station, the Democratic National Committee, the World Anti-Doping Agency, and the Ukrainian military.", + "id": "report--708d589b-8d99-48fd-bbb6-2d47648f807f", + "labels": [ + "intrusion-set" + ], + "modified": "2020-07-30T16:55:21.569Z", + "name": "Sofacy", + "object_refs": [ + "intrusion-set--75ac5bcc-3915-4815-b9a1-bf87277fc343", + "report--2791a5e0-d65a-43c0-936e-c15a6b7ba9d1", + "report--40aaefc2-3fe9-423b-a6eb-55abf11639b7", + "report--2f5734bf-4127-4997-9288-e9c5530aa737", + "report--ffe94621-b007-4115-ad49-fb7c8a26b66a" + ], + "published": "2020-07-30T16:55:21.569Z", + "type": "report" + } ] - }], - "course-of-action": [{ + }, + { "objects": [ - { - "created": "2020-06-23T19:50:31.722Z", - "description": "Configure antivirus profiles to a value of 'block' for all decoders except imap and pop3 under both Action and WildFire Action. 
If required by the organization's email implementation, configure imap and pop3 decoders to 'alert' under both Action and WildFire Action.", - "id": "course-of-action--645c6c45-116e-4265-98d2-e30f56325bc6", - "modified": "2020-06-26T13:02:55.803Z", - "name": "Ensure that antivirus profiles are set to block on all decoders except 'imap' and 'pop3'", - "type": "course-of-action", - "x_panw_coa_bp_audit_procedure": "Navigate to `Objects > Security Profiles > Antivirus`\n\nVerify that antivirus profiles have all decoders set to `block` for both `Action` and `Wildfire Action`. If `imap` and `pop3` are required in the organization, verify that the `imap` and `pop3` decoders are set to `alert` for both `Action` and `Wildfire Action`.", - "x_panw_coa_bp_cis_controls": [ - "TITLE:Deploy Network-based Anti-malware Tools CONTROL:v6 8.5 DESCRIPTION:Use network-based anti-malware tools to identify executables in all network traffic and use techniques other than signature-based detection to identify and filter out malicious content before it arrives at the endpoint.;TITLE:Malware Defenses CONTROL:v7 8 DESCRIPTION:Malware Defenses;" - ], - "x_panw_coa_bp_description": "Configure antivirus profiles to a value of 'block' for all decoders except imap and pop3 under both Action and WildFire Action. If required by the organization's email implementation, configure imap and pop3 decoders to 'alert' under both Action and WildFire Action.", - "x_panw_coa_bp_rationale_statement": "Antivirus signatures produce low false positives. By blocking any detected malware through the specified decoders, the threat of malware propagation through the firewall is greatly reduced. It is recommended to mitigate malware found in pop3 and imap through a dedicated antivirus gateway. Due to the nature of the pop3 and imap protocols, the firewall is not able to block only a single email message containing malware. 
Instead, the entire session would be terminated, potentially affecting benign email messages.", - "x_panw_coa_bp_recommendation_number": "6.1", - "x_panw_coa_bp_references": [ - "\u201cThreat Prevention Deployment Tech Note\u201d - https://live.paloaltonetworks.com/docs/DOC-3094:\u201cPAN-OS Administrator's Guide 9.0 (English) - Security Profiles\u201d - https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/security-profiles.html" - ], - "x_panw_coa_bp_remediation_procedure": "Navigate to `Objects > Security Profiles > Antivirus.`\n\nSet antivirus profiles to have all decoders set to `block` for both `Action` and `Wildfire Action`. If `imap` and `pop3` are required in the organization, set the `imap` and `pop3` decoders to `alert` for both `Action` and `Wildfire Action`.", - "x_panw_coa_bp_scoring_status": "full", - "x_panw_coa_bp_section_number": "6", - "x_panw_coa_bp_status": "published", - "x_panw_coa_bp_title": "Ensure that antivirus profiles are set to block on all decoders except 'imap' and 'pop3'" - } + { + "created": "2020-06-23T19:50:31.722Z", + "description": "Configure antivirus profiles to a value of 'block' for all decoders except imap and pop3 under both Action and WildFire Action. If required by the organization's email implementation, configure imap and pop3 decoders to 'alert' under both Action and WildFire Action.", + "id": "course-of-action--645c6c45-116e-4265-98d2-e30f56325bc6", + "modified": "2020-06-26T13:02:55.803Z", + "name": "Ensure that antivirus profiles are set to block on all decoders except 'imap' and 'pop3'", + "type": "course-of-action", + "x_panw_coa_bp_audit_procedure": "Navigate to `Objects > Security Profiles > Antivirus`\n\nVerify that antivirus profiles have all decoders set to `block` for both `Action` and `Wildfire Action`. 
If `imap` and `pop3` are required in the organization, verify that the `imap` and `pop3` decoders are set to `alert` for both `Action` and `Wildfire Action`.", + "x_panw_coa_bp_cis_controls": [ + "TITLE:Deploy Network-based Anti-malware Tools CONTROL:v6 8.5 DESCRIPTION:Use network-based anti-malware tools to identify executables in all network traffic and use techniques other than signature-based detection to identify and filter out malicious content before it arrives at the endpoint.;TITLE:Malware Defenses CONTROL:v7 8 DESCRIPTION:Malware Defenses;" + ], + "x_panw_coa_bp_description": "Configure antivirus profiles to a value of 'block' for all decoders except imap and pop3 under both Action and WildFire Action. If required by the organization's email implementation, configure imap and pop3 decoders to 'alert' under both Action and WildFire Action.", + "x_panw_coa_bp_rationale_statement": "Antivirus signatures produce low false positives. By blocking any detected malware through the specified decoders, the threat of malware propagation through the firewall is greatly reduced. It is recommended to mitigate malware found in pop3 and imap through a dedicated antivirus gateway. Due to the nature of the pop3 and imap protocols, the firewall is not able to block only a single email message containing malware. Instead, the entire session would be terminated, potentially affecting benign email messages.", + "x_panw_coa_bp_recommendation_number": "6.1", + "x_panw_coa_bp_references": [ + "\u201cThreat Prevention Deployment Tech Note\u201d - https://live.paloaltonetworks.com/docs/DOC-3094:\u201cPAN-OS Administrator's Guide 9.0 (English) - Security Profiles\u201d - https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/security-profiles.html" + ], + "x_panw_coa_bp_remediation_procedure": "Navigate to `Objects > Security Profiles > Antivirus.`\n\nSet antivirus profiles to have all decoders set to `block` for both `Action` and `Wildfire Action`. 
If `imap` and `pop3` are required in the organization, set the `imap` and `pop3` decoders to `alert` for both `Action` and `Wildfire Action`.", + "x_panw_coa_bp_scoring_status": "full", + "x_panw_coa_bp_section_number": "6", + "x_panw_coa_bp_status": "published", + "x_panw_coa_bp_title": "Ensure that antivirus profiles are set to block on all decoders except 'imap' and 'pop3'" + } ] - }], - "campaign": [{ + }, + { "objects": [ - { - "created": "2018-08-03T21:03:51.484Z", - "description": "In July 2018, Unit 42 analyzed a targeted attack using a novel file type against at least one government agency in the Middle East. It was carried out by a previously unpublished threat group we track as DarkHydrus. Based on our telemetry, we were able to uncover additional artifacts leading us to believe this adversary group has been in operation with their current playbook since early 2016. This attack diverged from previous attacks we observed from this group as it involved spear-phishing emails sent to targeted organizations with password protected RAR archive attachments that contained malicious Excel Web Query files (.iqy).", - "first_seen": "2018-07-15T00:00:00.000Z", - "id": "campaign--6320584e-3ef0-4a72-aaf8-0a49fa1d477c", - "last_seen": "2018-07-16T00:00:00.000Z", - "modified": "2018-08-03T21:03:51.484Z", - "name": "IQY Attachment E-mails", - "type": "campaign" - } + { + "created": "2018-08-03T21:03:51.484Z", + "description": "In July 2018, Unit 42 analyzed a targeted attack using a novel file type against at least one government agency in the Middle East. It was carried out by a previously unpublished threat group we track as DarkHydrus. Based on our telemetry, we were able to uncover additional artifacts leading us to believe this adversary group has been in operation with their current playbook since early 2016. 
This attack diverged from previous attacks we observed from this group as it involved spear-phishing emails sent to targeted organizations with password protected RAR archive attachments that contained malicious Excel Web Query files (.iqy).", + "first_seen": "2018-07-15T00:00:00.000Z", + "id": "campaign--6320584e-3ef0-4a72-aaf8-0a49fa1d477c", + "last_seen": "2018-07-16T00:00:00.000Z", + "modified": "2018-08-03T21:03:51.484Z", + "name": "IQY Attachment E-mails", + "type": "campaign" + } ] - }], - "intrusion-set": [{ + }, + { "objects": [ - { - "created": "2018-08-03T20:30:50.665Z", - "id": "intrusion-set--8e11eaa4-1964-4b73-85c1-fcfa29159f9b", - "modified": "2018-08-03T20:30:50.665Z", - "name": "OilRig", - "type": "intrusion-set" - } + { + "created": "2018-08-03T20:30:50.665Z", + "id": "intrusion-set--8e11eaa4-1964-4b73-85c1-fcfa29159f9b", + "modified": "2018-08-03T20:30:50.665Z", + "name": "OilRig", + "type": "intrusion-set" + } ] - }], - "tool": [{ + }, + { "objects": [ - { - "type": "tool", - "spec_version": "2.1", - "id": "tool--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f", - "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff", - "created": "2016-04-06T20:03:48.000Z", - "modified": "2016-04-06T20:03:48.000Z", - "tool_types": [ "remote-access"], - "name": "VNC" - } + { + "type": "tool", + "spec_version": "2.1", + "id": "tool--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f", + "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff", + "created": "2016-04-06T20:03:48.000Z", + "modified": "2016-04-06T20:03:48.000Z", + "tool_types": [ + "remote-access" + ], + "name": "VNC" + } ] - }], - "threat-actor": [{ + }, + { "objects": [ { - "type": "threat-actor", - "spec_version": "2.1", - "id": "threat-actor--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f", - "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff", - "created": "2016-04-06T20:03:48.000Z", - "modified": "2016-04-06T20:03:48.000Z", - "threat_actor_types": [ "crime-syndicate"], - "name": "Evil Org", 
- "description": "The Evil Org threat actor group", - "aliases": ["Syndicate 1", "Evil Syndicate 99"], - "roles": ["director"], - "goals": ["Steal bank money", "Steal credit cards"], - "sophistication": "advanced", - "resource_level": "team", - "primary_motivation": "organizational-gain" - } + "type": "threat-actor", + "spec_version": "2.1", + "id": "threat-actor--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f", + "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff", + "created": "2016-04-06T20:03:48.000Z", + "modified": "2016-04-06T20:03:48.000Z", + "threat_actor_types": [ + "crime-syndicate" + ], + "name": "Evil Org", + "description": "The Evil Org threat actor group", + "aliases": [ + "Syndicate 1", + "Evil Syndicate 99" + ], + "roles": [ + "director" + ], + "goals": [ + "Steal bank money", + "Steal credit cards" + ], + "sophistication": "advanced", + "resource_level": "team", + "primary_motivation": "organizational-gain" + } ] - }], - "infrastructure": [{ - "objects": [ - { - "type":"infrastructure", - "spec_version": "2.1", - "id":"infrastructure--38c47d93-d984-4fd9-b87b-d69d0841628d", - "created":"2016-05-07T11:22:30.000Z", - "modified":"2016-05-07T11:22:30.000Z", - "name":"Poison Ivy C2", - "infrastructure_types": ["command-and-control"] - } - ] - }], - "relationship": [{ - "objects": [ - { - "created": "2018-08-03T21:03:51.484Z", - "id": "relationship--01a5a209-b94c-450b-b7f9-946497d91055", - "modified": "2018-08-03T21:03:51.484Z", - "relationship_type": "uses", - "source_ref": "campaign--6320584e-3ef0-4a72-aaf8-0a49fa1d477c", - "target_ref": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", - "type": "relationship" - }, - { - "created": "2018-08-03T20:31:03.780Z", - "id": "relationship--abc475d9-199c-4623-9e9a-02adf340a415", - "modified": "2018-08-22T12:36:32.248Z", - "relationship_type": "indicates", - "source_ref": "indicator--545928d9-bfe8-4320-bb98-751f38139892", - "target_ref": "campaign--6320584e-3ef0-4a72-aaf8-0a49fa1d477c", - "type": 
"relationship" - } - ] - }] -} \ No newline at end of file + }, + { + "objects": [ + { + "type": "infrastructure", + "spec_version": "2.1", + "id": "infrastructure--38c47d93-d984-4fd9-b87b-d69d0841628d", + "created": "2016-05-07T11:22:30.000Z", + "modified": "2016-05-07T11:22:30.000Z", + "name": "Poison Ivy C2", + "infrastructure_types": [ + "command-and-control" + ] + } + ] + }, + { + "objects": [ + { + "created": "2018-08-03T21:03:51.484Z", + "id": "relationship--01a5a209-b94c-450b-b7f9-946497d91055", + "modified": "2018-08-03T21:03:51.484Z", + "relationship_type": "uses", + "source_ref": "campaign--6320584e-3ef0-4a72-aaf8-0a49fa1d477c", + "target_ref": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", + "type": "relationship" + }, + { + "created": "2018-08-03T20:31:03.780Z", + "id": "relationship--abc475d9-199c-4623-9e9a-02adf340a415", + "modified": "2018-08-22T12:36:32.248Z", + "relationship_type": "indicates", + "source_ref": "indicator--545928d9-bfe8-4320-bb98-751f38139892", + "target_ref": "campaign--6320584e-3ef0-4a72-aaf8-0a49fa1d477c", + "type": "relationship" + } + ] + } +] \ No newline at end of file diff --git a/Packs/ApiModules/Scripts/TAXII2ApiModule/test_data/objects_envelopes_v21.json b/Packs/ApiModules/Scripts/TAXII2ApiModule/test_data/objects_envelopes_v21.json index c6364062233c..bd77afa8790c 100644 --- a/Packs/ApiModules/Scripts/TAXII2ApiModule/test_data/objects_envelopes_v21.json +++ b/Packs/ApiModules/Scripts/TAXII2ApiModule/test_data/objects_envelopes_v21.json 
@@ -1,281 +1,326 @@ -{ - "indicator": { +[ + { "objects": [ - { - "created": "2018-04-23T17:01:01.248Z", - "id": "indicator--545928d9-bfe8-4320-bb98-751f38139892", - "labels": ["malicious-activity"], - "modified": "2018-04-23T17:01:01.248Z", - "name": "windows-updates.com", - "pattern": "[domain-name:value = 'windows-updates.com']", - "type": "indicator", - "valid_from": "2018-04-23T17:01:01.248Z" + { + "created": "2018-04-23T17:01:01.248Z", + "id": "indicator--545928d9-bfe8-4320-bb98-751f38139892", + "labels": [ + "malicious-activity" + ], + "modified": "2018-04-23T17:01:01.248Z", + "name": "windows-updates.com", + "pattern": "[domain-name:value = 'windows-updates.com']", + "type": "indicator", + "valid_from": "2018-04-23T17:01:01.248Z" } - ] + ], + "more": true }, - "attack-pattern": { + { "objects": [ + { + "created": "2017-10-25T14:48:11.535Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "description": "An adversary could call standard operating system APIs from a malicious application to gather contact list (i.e., address book) data, or with escalated privileges could directly access files containing contact list data.", + "external_references": [ + { + "external_id": "T1432", + "source_name": "mitre-mobile-attack", + "url": "https://attack.mitre.org/techniques/T1432" + }, + { + "external_id": "APP-13", + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html" + } + ], + "id": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", + "kill_chain_phases": [ { - "created": "2017-10-25T14:48:11.535Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "An adversary could call standard operating system APIs from a malicious application to gather contact list (i.e., address book) data, or with escalated privileges could directly access files containing contact list data.", - "external_references": [ - { - "external_id": 
"T1432", - "source_name": "mitre-mobile-attack", - "url": "https://attack.mitre.org/techniques/T1432" - }, - { - "external_id": "APP-13", - "source_name": "NIST Mobile Threat Catalogue", - "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html" - } - ], - "id": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", - "kill_chain_phases": [ - { - "kill_chain_name": "lockheed", - "phase_name": "act-on-objectives" - }, - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "collection" - } - ], - "modified": "2018-10-17T00:14:20.652Z", - "name": "T1432: Access Contact List (Mobile)", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "attack-pattern", - "x_mitre_detection": "On both Android (6.0 and up) and iOS, the user can view which applications have permission to access contact list information through the device settings screen, and the user can choose to revoke the permissions.", - "x_mitre_platforms": ["Android", "iOS"], - "x_mitre_version": "1.0" - }, + "kill_chain_name": "lockheed", + "phase_name": "act-on-objectives" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "name": "T1432: Access Contact List (Mobile)", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "x_mitre_detection": "On both Android (6.0 and up) and iOS, the user can view which applications have permission to access contact list information through the device settings screen, and the user can choose to revoke the permissions.", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.0" + }, { - "created": "2020-02-05T14:17:46.686Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "Adversaries may perform software packing or virtual machine software protection to conceal their code. 
Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.(Citation: ESET FinFisher Jan 2018) \n\nUtilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, (Citation: Wikipedia Exe Compression) but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses. ", - "external_references": [ - { - "external_id": "T1027.002", - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/techniques/T1027/002" - }, - { - "external_id": "CAPEC-570", - "source_name": "capec", - "url": "https://example.example.com/data/definitions/570.html" - }, - { - "description": "Kafka, F. (2018, January). ESET's Guide to Deobfuscating and Devirtualizing FinFisher. Retrieved August 12, 2019.", - "source_name": "ESET FinFisher Jan 2018", - "url": "https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf" - }, - { - "description": "Executable compression. (n.d.). 
Retrieved December 4, 2014.", - "source_name": "Wikipedia Exe Compression", - "url": "http://en.wikipedia.org/wiki/Executable_compression" - } - ], - "id": "attack-pattern--deb98323-e13f-4b0c-8d94-175379069062", - "kill_chain_phases": [ - { - "kill_chain_name": "lockheed", - "phase_name": "installation" - }, - { - "kill_chain_name": "mitre-attack", - "phase_name": "defense-evasion" - } - ], - "modified": "2020-02-05T20:05:41.548Z", - "name": "T1027.002: Software Packing", - "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], - "type": "attack-pattern", - "x_mitre_contributors": ["Filip Kafka, ESET"], - "x_mitre_data_sources": ["File: File Content", "File: File Metadata"], - "x_mitre_defense_bypassed": [ - "Anti-virus", - "Heuristic detection", - "Signature-based detection"], - "x_mitre_detection": "Use file scanning to look for known software packers or artifacts of packing techniques. Packing is not a definitive indicator of malicious activity, because legitimate software may use packing techniques to reduce binary size or to protect proprietary code.", - "x_mitre_is_subtechnique": true, - "x_mitre_platforms": ["macOS", "Windows"], - "x_mitre_version": "1.0", - "x_panw_parent_technique": "Obfuscated Files or Information", - "x_panw_parent_technique_subtechnique": "Obfuscated Files or Information: Software Packing" - }, + "created": "2020-02-05T14:17:46.686Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "description": "Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. 
A virtual machine is then called to run this code.(Citation: ESET FinFisher Jan 2018) \n\nUtilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, (Citation: Wikipedia Exe Compression) but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses. ", + "external_references": [ + { + "external_id": "T1027.002", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1027/002" + }, + { + "external_id": "CAPEC-570", + "source_name": "capec", + "url": "https://example.example.com/data/definitions/570.html" + }, + { + "description": "Kafka, F. (2018, January). ESET's Guide to Deobfuscating and Devirtualizing FinFisher. Retrieved August 12, 2019.", + "source_name": "ESET FinFisher Jan 2018", + "url": "https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf" + }, + { + "description": "Executable compression. (n.d.). Retrieved December 4, 2014.", + "source_name": "Wikipedia Exe Compression", + "url": "http://en.wikipedia.org/wiki/Executable_compression" + } + ], + "id": "attack-pattern--deb98323-e13f-4b0c-8d94-175379069062", + "kill_chain_phases": [ + { + "kill_chain_name": "lockheed", + "phase_name": "installation" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "modified": "2020-02-05T20:05:41.548Z", + "name": "T1027.002: Software Packing", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "x_mitre_contributors": [ + "Filip Kafka, ESET" + ], + "x_mitre_data_sources": [ + "File: File Content", + "File: File Metadata" + ], + "x_mitre_defense_bypassed": [ + "Anti-virus", + "Heuristic detection", + "Signature-based detection" + ], + "x_mitre_detection": "Use file scanning to look for known software packers or artifacts of packing techniques. 
Packing is not a definitive indicator of malicious activity, because legitimate software may use packing techniques to reduce binary size or to protect proprietary code.", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "macOS", + "Windows" + ], + "x_mitre_version": "1.0", + "x_panw_parent_technique": "Obfuscated Files or Information", + "x_panw_parent_technique_subtechnique": "Obfuscated Files or Information: Software Packing" + }, { - "created": "2021-10-21T16:56:05.840605Z", - "created_by_ref": "identity--749249c0-f7c7-5428-a4ad-ea5e1627a221", - "description": "This schema adds TIM data to the object", - "extension_types": [ - "property-extension" - ], - "id": "extension-definition--fc572b8c-bbe3-444b-b40b-06d3b890cd79", - "modified": "2021-10-21T16:56:17.747194Z", - "name": "Cortex XSOAR TIM Attack Pattern", - "schema": "https://github.com/demisto/content/tree/master/Packs/TAXIIServer/doc_files/XSOAR_indicator_schema.json", - "spec_version": "2.0", - "type": "extension-definition", - "version": "1.0" - } - ] + "created": "2021-10-21T16:56:05.840605Z", + "created_by_ref": "identity--749249c0-f7c7-5428-a4ad-ea5e1627a221", + "description": "This schema adds TIM data to the object", + "extension_types": [ + "property-extension" + ], + "id": "extension-definition--fc572b8c-bbe3-444b-b40b-06d3b890cd79", + "modified": "2021-10-21T16:56:17.747194Z", + "name": "Cortex XSOAR TIM Attack Pattern", + "schema": "https://github.com/demisto/content/tree/master/Packs/TAXIIServer/doc_files/XSOAR_indicator_schema.json", + "spec_version": "2.0", + "type": "extension-definition", + "version": "1.0" + } + ], + "more": true }, - "malware": { + { "objects": [ - { - "created": "2019-10-10T14:43:27.256Z", - "id": "malware--481d22d7-6dd8-4e37-a543-dd21cc1707c4", - "labels": ["backdoor"], - "modified": "2019-10-10T20:25:46.596Z", - "name": "Freenki", - "type": "malware" - } - ] + { + "created": "2019-10-10T14:43:27.256Z", + "id": 
"malware--481d22d7-6dd8-4e37-a543-dd21cc1707c4", + "labels": [ + "backdoor" + ], + "modified": "2019-10-10T20:25:46.596Z", + "name": "Freenki", + "type": "malware" + } + ], + "more": true }, - "report":{ + { "objects": [ - { - "created": "2018-08-03T20:31:05.060Z", - "description": "Sofacy (also known as Fancy Bear, APT 28, STRONTIUM, Pawn Storm) is a highly active actor with a Russian nexus. They have been active since the mid 2000s, and have been responsible for targeted intrusion campaigns against various industry vertical such as but not limited to Aerospace, Defense, Energy, Government and Media. Extensive observation and research of Sofacy's activities over time indicated a profile closely mirroring the strategic interests of the Russian government. More recently, this group has been attributed to the GRU, Russia's premier military intelligence service as reported by the US intelligence community within several declassified public documents.\n\nSeveral high profile intrusions have been publicly linked to the Sofacy group, such as the German Bundestag, France's TV5Monde TV station, the Democratic National Committee, the World Anti-Doping Agency, and the Ukrainian military.", - "id": "report--708d589b-8d99-48fd-bbb6-2d47648f807f", - "labels": ["intrusion-set"], - "modified": "2020-07-30T16:55:21.569Z", - "name": "Sofacy", - "object_refs": [ - "intrusion-set--75ac5bcc-3915-4815-b9a1-bf87277fc343", - "report--2791a5e0-d65a-43c0-936e-c15a6b7ba9d1", - "report--40aaefc2-3fe9-423b-a6eb-55abf11639b7", - "report--2f5734bf-4127-4997-9288-e9c5530aa737", - "report--ffe94621-b007-4115-ad49-fb7c8a26b66a" - ], - "published": "2020-07-30T16:55:21.569Z", - "type": "report" - } - ] + { + "created": "2018-08-03T20:31:05.060Z", + "description": "Sofacy (also known as Fancy Bear, APT 28, STRONTIUM, Pawn Storm) is a highly active actor with a Russian nexus. 
They have been active since the mid 2000s, and have been responsible for targeted intrusion campaigns against various industry vertical such as but not limited to Aerospace, Defense, Energy, Government and Media. Extensive observation and research of Sofacy's activities over time indicated a profile closely mirroring the strategic interests of the Russian government. More recently, this group has been attributed to the GRU, Russia's premier military intelligence service as reported by the US intelligence community within several declassified public documents.\n\nSeveral high profile intrusions have been publicly linked to the Sofacy group, such as the German Bundestag, France's TV5Monde TV station, the Democratic National Committee, the World Anti-Doping Agency, and the Ukrainian military.", + "id": "report--708d589b-8d99-48fd-bbb6-2d47648f807f", + "labels": [ + "intrusion-set" + ], + "modified": "2020-07-30T16:55:21.569Z", + "name": "Sofacy", + "object_refs": [ + "intrusion-set--75ac5bcc-3915-4815-b9a1-bf87277fc343", + "report--2791a5e0-d65a-43c0-936e-c15a6b7ba9d1", + "report--40aaefc2-3fe9-423b-a6eb-55abf11639b7", + "report--2f5734bf-4127-4997-9288-e9c5530aa737", + "report--ffe94621-b007-4115-ad49-fb7c8a26b66a" + ], + "published": "2020-07-30T16:55:21.569Z", + "type": "report" + } + ], + "more": true }, - "course-of-action": { + { "objects": [ - { - "created": "2020-06-23T19:50:31.722Z", - "description": "Configure antivirus profiles to a value of 'block' for all decoders except imap and pop3 under both Action and WildFire Action. 
If required by the organization's email implementation, configure imap and pop3 decoders to 'alert' under both Action and WildFire Action.", - "id": "course-of-action--645c6c45-116e-4265-98d2-e30f56325bc6", - "modified": "2020-06-26T13:02:55.803Z", - "name": "Ensure that antivirus profiles are set to block on all decoders except 'imap' and 'pop3'", - "type": "course-of-action", - "x_panw_coa_bp_audit_procedure": "Navigate to `Objects > Security Profiles > Antivirus`\n\nVerify that antivirus profiles have all decoders set to `block` for both `Action` and `Wildfire Action`. If `imap` and `pop3` are required in the organization, verify that the `imap` and `pop3` decoders are set to `alert` for both `Action` and `Wildfire Action`.", - "x_panw_coa_bp_cis_controls": [ - "TITLE:Deploy Network-based Anti-malware Tools CONTROL:v6 8.5 DESCRIPTION:Use network-based anti-malware tools to identify executables in all network traffic and use techniques other than signature-based detection to identify and filter out malicious content before it arrives at the endpoint.;TITLE:Malware Defenses CONTROL:v7 8 DESCRIPTION:Malware Defenses;" - ], - "x_panw_coa_bp_description": "Configure antivirus profiles to a value of 'block' for all decoders except imap and pop3 under both Action and WildFire Action. If required by the organization's email implementation, configure imap and pop3 decoders to 'alert' under both Action and WildFire Action.", - "x_panw_coa_bp_rationale_statement": "Antivirus signatures produce low false positives. By blocking any detected malware through the specified decoders, the threat of malware propagation through the firewall is greatly reduced. It is recommended to mitigate malware found in pop3 and imap through a dedicated antivirus gateway. Due to the nature of the pop3 and imap protocols, the firewall is not able to block only a single email message containing malware. 
Instead, the entire session would be terminated, potentially affecting benign email messages.", - "x_panw_coa_bp_recommendation_number": "6.1", - "x_panw_coa_bp_references": [ - "\u201cThreat Prevention Deployment Tech Note\u201d - https://live.paloaltonetworks.com/docs/DOC-3094:\u201cPAN-OS Administrator's Guide 9.0 (English) - Security Profiles\u201d - https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/security-profiles.html" - ], - "x_panw_coa_bp_remediation_procedure": "Navigate to `Objects > Security Profiles > Antivirus.`\n\nSet antivirus profiles to have all decoders set to `block` for both `Action` and `Wildfire Action`. If `imap` and `pop3` are required in the organization, set the `imap` and `pop3` decoders to `alert` for both `Action` and `Wildfire Action`.", - "x_panw_coa_bp_scoring_status": "full", - "x_panw_coa_bp_section_number": "6", - "x_panw_coa_bp_status": "published", - "x_panw_coa_bp_title": "Ensure that antivirus profiles are set to block on all decoders except 'imap' and 'pop3'" - } - ] + { + "created": "2020-06-23T19:50:31.722Z", + "description": "Configure antivirus profiles to a value of 'block' for all decoders except imap and pop3 under both Action and WildFire Action. If required by the organization's email implementation, configure imap and pop3 decoders to 'alert' under both Action and WildFire Action.", + "id": "course-of-action--645c6c45-116e-4265-98d2-e30f56325bc6", + "modified": "2020-06-26T13:02:55.803Z", + "name": "Ensure that antivirus profiles are set to block on all decoders except 'imap' and 'pop3'", + "type": "course-of-action", + "x_panw_coa_bp_audit_procedure": "Navigate to `Objects > Security Profiles > Antivirus`\n\nVerify that antivirus profiles have all decoders set to `block` for both `Action` and `Wildfire Action`. 
If `imap` and `pop3` are required in the organization, verify that the `imap` and `pop3` decoders are set to `alert` for both `Action` and `Wildfire Action`.", + "x_panw_coa_bp_cis_controls": [ + "TITLE:Deploy Network-based Anti-malware Tools CONTROL:v6 8.5 DESCRIPTION:Use network-based anti-malware tools to identify executables in all network traffic and use techniques other than signature-based detection to identify and filter out malicious content before it arrives at the endpoint.;TITLE:Malware Defenses CONTROL:v7 8 DESCRIPTION:Malware Defenses;" + ], + "x_panw_coa_bp_description": "Configure antivirus profiles to a value of 'block' for all decoders except imap and pop3 under both Action and WildFire Action. If required by the organization's email implementation, configure imap and pop3 decoders to 'alert' under both Action and WildFire Action.", + "x_panw_coa_bp_rationale_statement": "Antivirus signatures produce low false positives. By blocking any detected malware through the specified decoders, the threat of malware propagation through the firewall is greatly reduced. It is recommended to mitigate malware found in pop3 and imap through a dedicated antivirus gateway. Due to the nature of the pop3 and imap protocols, the firewall is not able to block only a single email message containing malware. Instead, the entire session would be terminated, potentially affecting benign email messages.", + "x_panw_coa_bp_recommendation_number": "6.1", + "x_panw_coa_bp_references": [ + "\u201cThreat Prevention Deployment Tech Note\u201d - https://live.paloaltonetworks.com/docs/DOC-3094:\u201cPAN-OS Administrator's Guide 9.0 (English) - Security Profiles\u201d - https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/security-profiles.html" + ], + "x_panw_coa_bp_remediation_procedure": "Navigate to `Objects > Security Profiles > Antivirus.`\n\nSet antivirus profiles to have all decoders set to `block` for both `Action` and `Wildfire Action`. 
If `imap` and `pop3` are required in the organization, set the `imap` and `pop3` decoders to `alert` for both `Action` and `Wildfire Action`.", + "x_panw_coa_bp_scoring_status": "full", + "x_panw_coa_bp_section_number": "6", + "x_panw_coa_bp_status": "published", + "x_panw_coa_bp_title": "Ensure that antivirus profiles are set to block on all decoders except 'imap' and 'pop3'" + } + ], + "more": true }, - "campaign": { + { "objects": [ - { - "created": "2018-08-03T21:03:51.484Z", - "description": "In July 2018, Unit 42 analyzed a targeted attack using a novel file type against at least one government agency in the Middle East. It was carried out by a previously unpublished threat group we track as DarkHydrus. Based on our telemetry, we were able to uncover additional artifacts leading us to believe this adversary group has been in operation with their current playbook since early 2016. This attack diverged from previous attacks we observed from this group as it involved spear-phishing emails sent to targeted organizations with password protected RAR archive attachments that contained malicious Excel Web Query files (.iqy).", - "first_seen": "2018-07-15T00:00:00.000Z", - "id": "campaign--6320584e-3ef0-4a72-aaf8-0a49fa1d477c", - "last_seen": "2018-07-16T00:00:00.000Z", - "modified": "2018-08-03T21:03:51.484Z", - "name": "IQY Attachment E-mails", - "type": "campaign" - } - ] + { + "created": "2018-08-03T21:03:51.484Z", + "description": "In July 2018, Unit 42 analyzed a targeted attack using a novel file type against at least one government agency in the Middle East. It was carried out by a previously unpublished threat group we track as DarkHydrus. Based on our telemetry, we were able to uncover additional artifacts leading us to believe this adversary group has been in operation with their current playbook since early 2016. 
This attack diverged from previous attacks we observed from this group as it involved spear-phishing emails sent to targeted organizations with password protected RAR archive attachments that contained malicious Excel Web Query files (.iqy).", + "first_seen": "2018-07-15T00:00:00.000Z", + "id": "campaign--6320584e-3ef0-4a72-aaf8-0a49fa1d477c", + "last_seen": "2018-07-16T00:00:00.000Z", + "modified": "2018-08-03T21:03:51.484Z", + "name": "IQY Attachment E-mails", + "type": "campaign" + } + ], + "more": true }, - "intrusion-set": { + { "objects": [ - { - "created": "2018-08-03T20:30:50.665Z", - "id": "intrusion-set--8e11eaa4-1964-4b73-85c1-fcfa29159f9b", - "modified": "2018-08-03T20:30:50.665Z", - "name": "OilRig", - "type": "intrusion-set" - } - ] + { + "created": "2018-08-03T20:30:50.665Z", + "id": "intrusion-set--8e11eaa4-1964-4b73-85c1-fcfa29159f9b", + "modified": "2018-08-03T20:30:50.665Z", + "name": "OilRig", + "type": "intrusion-set" + } + ], + "more": true }, - "tool": { + { "objects": [ - { - "type": "tool", - "spec_version": "2.1", - "id": "tool--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f", - "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff", - "created": "2016-04-06T20:03:48.000Z", - "modified": "2016-04-06T20:03:48.000Z", - "tool_types": [ "remote-access"], - "name": "VNC" - } - ] + { + "type": "tool", + "spec_version": "2.1", + "id": "tool--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f", + "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff", + "created": "2016-04-06T20:03:48.000Z", + "modified": "2016-04-06T20:03:48.000Z", + "tool_types": [ + "remote-access" + ], + "name": "VNC" + } + ], + "more": true }, - "threat-actor": { + { "objects": [ { - "type": "threat-actor", - "spec_version": "2.1", - "id": "threat-actor--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f", - "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff", - "created": "2016-04-06T20:03:48.000Z", - "modified": "2016-04-06T20:03:48.000Z", - "threat_actor_types": [ 
"crime-syndicate"], - "name": "Evil Org", - "description": "The Evil Org threat actor group", - "aliases": ["Syndicate 1", "Evil Syndicate 99"], - "roles": ["director"], - "goals": ["Steal bank money", "Steal credit cards"], - "sophistication": "advanced", - "resource_level": "team", - "primary_motivation": "organizational-gain" - } - ] + "type": "threat-actor", + "spec_version": "2.1", + "id": "threat-actor--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f", + "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff", + "created": "2016-04-06T20:03:48.000Z", + "modified": "2016-04-06T20:03:48.000Z", + "threat_actor_types": [ + "crime-syndicate" + ], + "name": "Evil Org", + "description": "The Evil Org threat actor group", + "aliases": [ + "Syndicate 1", + "Evil Syndicate 99" + ], + "roles": [ + "director" + ], + "goals": [ + "Steal bank money", + "Steal credit cards" + ], + "sophistication": "advanced", + "resource_level": "team", + "primary_motivation": "organizational-gain" + } + ], + "more": true }, - "infrastructure": { - "objects": [ - { - "type":"infrastructure", - "spec_version": "2.1", - "id":"infrastructure--38c47d93-d984-4fd9-b87b-d69d0841628d", - "created":"2016-05-07T11:22:30.000Z", - "modified":"2016-05-07T11:22:30.000Z", - "name":"Poison Ivy C2", - "infrastructure_types": ["command-and-control"] - } - ] + { + "objects": [ + { + "type": "infrastructure", + "spec_version": "2.1", + "id": "infrastructure--38c47d93-d984-4fd9-b87b-d69d0841628d", + "created": "2016-05-07T11:22:30.000Z", + "modified": "2016-05-07T11:22:30.000Z", + "name": "Poison Ivy C2", + "infrastructure_types": [ + "command-and-control" + ] + } + ], + "more": true }, - "relationship": { - "objects": [ - { - "created": "2018-08-03T21:03:51.484Z", - "id": "relationship--01a5a209-b94c-450b-b7f9-946497d91055", - "modified": "2018-08-03T21:03:51.484Z", - "relationship_type": "uses", - "source_ref": "campaign--6320584e-3ef0-4a72-aaf8-0a49fa1d477c", - "target_ref": 
"attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", - "type": "relationship" - }, - { - "created": "2018-08-03T20:31:03.780Z", - "id": "relationship--abc475d9-199c-4623-9e9a-02adf340a415", - "modified": "2018-08-22T12:36:32.248Z", - "relationship_type": "indicates", - "source_ref": "indicator--545928d9-bfe8-4320-bb98-751f38139892", - "target_ref": "campaign--6320584e-3ef0-4a72-aaf8-0a49fa1d477c", - "type": "relationship" - } - ] + { + "objects": [ + { + "created": "2018-08-03T21:03:51.484Z", + "id": "relationship--01a5a209-b94c-450b-b7f9-946497d91055", + "modified": "2018-08-03T21:03:51.484Z", + "relationship_type": "uses", + "source_ref": "campaign--6320584e-3ef0-4a72-aaf8-0a49fa1d477c", + "target_ref": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", + "type": "relationship" + }, + { + "created": "2018-08-03T20:31:03.780Z", + "id": "relationship--abc475d9-199c-4623-9e9a-02adf340a415", + "modified": "2018-08-22T12:36:32.248Z", + "relationship_type": "indicates", + "source_ref": "indicator--545928d9-bfe8-4320-bb98-751f38139892", + "target_ref": "campaign--6320584e-3ef0-4a72-aaf8-0a49fa1d477c", + "type": "relationship" + } + ], + "more": false } -} \ No newline at end of file +] \ No newline at end of file diff --git a/Packs/ApiModules/Scripts/TAXII2ApiModule/test_data/stix_envelope_17-19.json b/Packs/ApiModules/Scripts/TAXII2ApiModule/test_data/stix_envelope_17-19.json index 7bf5797fe341..77a5a68ab1e5 100644 --- a/Packs/ApiModules/Scripts/TAXII2ApiModule/test_data/stix_envelope_17-19.json +++ b/Packs/ApiModules/Scripts/TAXII2ApiModule/test_data/stix_envelope_17-19.json 
@@ -1,433 +1,435 @@ -{ - "objects": [ - { - "id": "indicator--86fee2b1-807d-423d-9d0e-1117bab576ce", - "pattern": "[ipv4-addr:value = '195.123.227.186']", - "confidence": 50, - "lang": "en", - "type": "indicator", - "created": "2020-06-10T01:14:33.126Z", - "modified": "2020-06-10T01:14:33.126Z", - "name": "bot_ip: 195.123.227.186", - "description": "TS ID: 55694549840; iType: bot_ip; Date First: 2020-06-05T08:42:19.170Z; State: active; Org: Layer6 Networks; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", - "valid_from": "2020-06-10T01:00:33.779852Z", - "pattern_type": "stix", - "object_marking_refs": [ - "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" - ], - "labels": [ - "low" - ], - "indicator_types": [ - "anomalous-activity" - ], - "pattern_version": "2.1", - "spec_version": "2.1" - }, - { - "id": "indicator--891207b3-bff4-4bc2-8c12-7fd2321c9f38", - "pattern": "[ipv4-addr:value = '134.209.37.102']", - "confidence": 85, - "lang": "en", - "type": "indicator", - "created": "2020-06-10T01:14:52.501Z", - "modified": "2020-06-10T01:14:52.501Z", - "name": "bot_ip: 134.209.37.102", - "description": "TS ID: 55682983162; iType: bot_ip; Date First: 2020-06-02T07:26:06.274Z; State: active; Org: Covidien Lp; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", - "valid_from": "2020-06-10T01:00:33.722754Z", - "pattern_type": "stix", - "object_marking_refs": [ - "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" - ], - "labels": [ - "low" - ], - "indicator_types": [ - "anomalous-activity" - ], - "pattern_version": "2.1", - "spec_version": "2.1" - }, - { - "id": "indicator--8c726d5f-cb6b-45dc-8c2b-2be8596043cf", - "pattern": "[ipv4-addr:value = '117.141.112.155']", - "confidence": 50, - "lang": "en", - "type": "indicator", - "created": "2020-06-10T01:14:54.684Z", - "modified": "2020-06-10T01:14:54.684Z", - "name": "bot_ip: 117.141.112.155", - "description": "TS ID: 55694549819; iType: bot_ip; Date First: 
2020-06-05T08:42:17.907Z; State: active; Org: China Mobile Guangdong; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", - "valid_from": "2020-06-10T01:00:33.775627Z", - "pattern_type": "stix", - "object_marking_refs": [ - "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" - ], - "labels": [ - "low" - ], - "indicator_types": [ - "anomalous-activity" - ], - "pattern_version": "2.1", - "spec_version": "2.1" - }, - { - "id": "indicator--8e19a19c-cd66-4278-8bfb-c05c64977d12", - "pattern": "[ipv4-addr:value = '23.129.64.217']", - "confidence": 50, - "lang": "en", - "type": "indicator", - "created": "2020-06-10T01:14:19.858Z", - "modified": "2020-06-10T01:14:19.858Z", - "name": "bot_ip: 23.129.64.217", - "description": "TS ID: 55682983514; iType: bot_ip; Date First: 2020-06-02T07:26:46.206Z; State: active; Org: Emerald Onion; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", - "valid_from": "2020-06-10T01:00:33.731573Z", - "pattern_type": "stix", - "object_marking_refs": [ - "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" - ], - "labels": [ - "low" - ], - "indicator_types": [ - "anomalous-activity" - ], - "pattern_version": "2.1", - "spec_version": "2.1" - }, - { - "id": "indicator--90a4f95d-1e35-4f47-b303-5651c93457f4", - "pattern": "[ipv4-addr:value = '45.142.213.11']", - "confidence": 85, - "lang": "en", - "type": "indicator", - "created": "2020-06-10T01:14:10.753Z", - "modified": "2020-06-10T01:14:10.753Z", - "name": "bot_ip: 45.142.213.11", - "description": "TS ID: 55694549856; iType: bot_ip; Date First: 2020-06-05T08:45:37.178Z; State: active; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", - "valid_from": "2020-06-10T01:00:33.808281Z", - "pattern_type": "stix", - "object_marking_refs": [ - "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" - ], - "labels": [ - "low" - ], - "indicator_types": [ - "anomalous-activity" - ], - "pattern_version": "2.1", - 
"spec_version": "2.1" - }, - { - "id": "indicator--94f109aa-3ef2-4a8c-a847-dfb4c64f4f29", - "pattern": "[ipv4-addr:value = '157.245.250.190']", - "confidence": 50, - "lang": "en", - "type": "indicator", - "created": "2020-06-10T01:14:15.950Z", - "modified": "2020-06-10T01:14:15.950Z", - "name": "bot_ip: 157.245.250.190", - "description": "TS ID: 55697907923; iType: bot_ip; Date First: 2020-06-06T09:32:01.051Z; State: active; Org: Datalogic ADC; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", - "valid_from": "2020-06-10T01:00:33.818576Z", - "pattern_type": "stix", - "object_marking_refs": [ - "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" - ], - "labels": [ - "low" - ], - "indicator_types": [ - "anomalous-activity" - ], - "pattern_version": "2.1", - "spec_version": "2.1" - }, - { - "id": "indicator--96d1737a-5565-49ac-8a91-52c2c7b38903", - "pattern": "[ipv4-addr:value = '144.91.106.47']", - "confidence": 50, - "lang": "en", - "type": "indicator", - "created": "2020-06-10T01:15:00.764Z", - "modified": "2020-06-10T01:15:00.764Z", - "name": "bot_ip: 144.91.106.47", - "description": "TS ID: 55694549829; iType: bot_ip; Date First: 2020-06-05T08:44:22.790Z; State: active; Org: Mills College; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", - "valid_from": "2020-06-10T01:00:33.791474Z", - "pattern_type": "stix", - "object_marking_refs": [ - "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" - ], - "labels": [ - "low" - ], - "indicator_types": [ - "anomalous-activity" - ], - "pattern_version": "2.1", - "spec_version": "2.1" - }, - { - "id": "indicator--9c98d81b-b4a5-4b8d-8fd6-4b9beec0f1be", - "pattern": "[ipv4-addr:value = '141.98.81.208']", - "confidence": 50, - "lang": "en", - "type": "indicator", - "created": "2020-06-10T01:14:39.995Z", - "modified": "2020-06-10T01:14:39.995Z", - "name": "bot_ip: 141.98.81.208", - "description": "TS ID: 55691320102; iType: bot_ip; Date First: 
2020-06-04T10:33:13.398Z; State: active; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", - "valid_from": "2020-06-10T01:00:33.766866Z", - "pattern_type": "stix", - "object_marking_refs": [ - "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" - ], - "labels": [ - "low" - ], - "indicator_types": [ - "anomalous-activity" - ], - "pattern_version": "2.1", - "spec_version": "2.1" - }, - { - "id": "indicator--9cbf82af-8a54-478a-af76-b88a73a33d37", - "pattern": "[ipv4-addr:value = '51.81.53.159']", - "confidence": 85, - "lang": "en", - "type": "indicator", - "created": "2020-06-10T01:15:01.999Z", - "modified": "2020-06-10T01:15:01.999Z", - "name": "bot_ip: 51.81.53.159", - "description": "TS ID: 55694549861; iType: bot_ip; Date First: 2020-06-05T08:42:44.478Z; State: active; Org: OVH SAS; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", - "valid_from": "2020-06-10T01:00:33.781286Z", - "pattern_type": "stix", - "object_marking_refs": [ - "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" - ], - "labels": [ - "low" - ], - "indicator_types": [ - "anomalous-activity" - ], - "pattern_version": "2.1", - "spec_version": "2.1" - }, - { - "id": "indicator--9ee9aecd-89e6-4dd6-9a24-4c610b33ebbb", - "pattern": "[ipv4-addr:value = '104.168.173.252']", - "confidence": 50, - "lang": "en", - "type": "indicator", - "created": "2020-06-10T01:14:58.530Z", - "modified": "2020-06-10T01:14:58.530Z", - "name": "bot_ip: 104.168.173.252", - "description": "TS ID: 55691320097; iType: bot_ip; Date First: 2020-06-04T10:32:46.612Z; State: active; Org: Hostwinds LLC.; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", - "valid_from": "2020-06-10T01:00:33.753603Z", - "pattern_type": "stix", - "object_marking_refs": [ - "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" - ], - "labels": [ - "low" - ], - "indicator_types": [ - "anomalous-activity" - ], - "pattern_version": "2.1", - "spec_version": "2.1" - 
}, - { - "id": "indicator--9febf107-dd82-4727-bcb7-199291ec474c", - "pattern": "[ipv4-addr:value = '173.212.206.89']", - "confidence": 50, - "lang": "en", - "type": "indicator", - "created": "2020-06-10T01:14:34.822Z", - "modified": "2020-06-10T01:14:34.822Z", - "name": "bot_ip: 173.212.206.89", - "description": "TS ID: 55697907953; iType: bot_ip; Date First: 2020-06-06T09:31:54.190Z; State: active; Org: Contabo GmbH; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", - "valid_from": "2020-06-10T01:00:33.814015Z", - "pattern_type": "stix", - "object_marking_refs": [ - "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" - ], - "labels": [ - "low" - ], - "indicator_types": [ - "anomalous-activity" - ], - "pattern_version": "2.1", - "spec_version": "2.1" - }, - { - "id": "indicator--a25904c8-0270-4d57-add5-64f5ed1485b5", - "pattern": "[ipv4-addr:value = '67.207.94.201']", - "confidence": 15, - "lang": "en", - "type": "indicator", - "created": "2020-06-10T01:14:29.751Z", - "modified": "2020-06-10T01:14:29.751Z", - "name": "bot_ip: 67.207.94.201", - "description": "TS ID: 55697908164; iType: bot_ip; Date First: 2020-06-06T09:32:30.450Z; State: active; Org: Digital Ocean; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", - "valid_from": "2020-06-10T01:00:33.837493Z", - "pattern_type": "stix", - "object_marking_refs": [ - "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" - ], - "labels": [ - "low" - ], - "indicator_types": [ - "anomalous-activity" - ], - "pattern_version": "2.1", - "spec_version": "2.1" - }, - { - "id": "indicator--a5a1408d-ff8b-41b2-8c57-6678aa0c8688", - "pattern": "[ipv4-addr:value = '89.163.242.76']", - "confidence": 50, - "lang": "en", - "type": "indicator", - "created": "2020-06-10T01:14:35.839Z", - "modified": "2020-06-10T01:14:35.839Z", - "name": "bot_ip: 89.163.242.76", - "description": "TS ID: 55694549874; iType: bot_ip; Date First: 2020-06-05T08:45:20.346Z; State: active; Org: 
myLoc managed IT AG; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", - "valid_from": "2020-06-10T01:00:33.800264Z", - "pattern_type": "stix", - "object_marking_refs": [ - "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" - ], - "labels": [ - "low" - ], - "indicator_types": [ - "anomalous-activity" - ], - "pattern_version": "2.1", - "spec_version": "2.1" - }, - { - "id": "indicator--a8cc5b11-3bbb-4fb2-970c-31a6f58e1374", - "pattern": "[ipv4-addr:value = '51.75.71.205']", - "confidence": 85, - "lang": "en", - "type": "indicator", - "created": "2020-06-10T01:14:41.919Z", - "modified": "2020-06-10T01:14:41.919Z", - "name": "bot_ip: 51.75.71.205", - "description": "TS ID: 55686993979; iType: bot_ip; Date First: 2020-06-03T07:29:11.148Z; State: active; Org: OVH SAS; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", - "valid_from": "2020-06-10T01:00:33.73608Z", - "pattern_type": "stix", - "object_marking_refs": [ - "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" - ], - "labels": [ - "low" - ], - "indicator_types": [ - "anomalous-activity" - ], - "pattern_version": "2.1", - "spec_version": "2.1" - }, - { - "id": "indicator--a8ee1e5f-8c08-4135-878c-4973179cbac5", - "pattern": "[ipv4-addr:value = '140.224.183.58']", - "confidence": 85, - "lang": "en", - "type": "indicator", - "created": "2020-06-10T01:14:11.651Z", - "modified": "2020-06-10T01:14:11.651Z", - "name": "bot_ip: 140.224.183.58", - "description": "TS ID: 55694549823; iType: bot_ip; Date First: 2020-06-05T08:45:24.055Z; State: active; Org: China Telecom FUJIAN NETWORK; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", - "valid_from": "2020-06-10T01:00:33.801661Z", - "pattern_type": "stix", - "object_marking_refs": [ - "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" - ], - "labels": [ - "low" - ], - "indicator_types": [ - "anomalous-activity" - ], - "pattern_version": "2.1", - "spec_version": "2.1" - }, - { - 
"id": "indicator--aa4ec99f-3c54-4e60-ab47-83ff78d76570", - "pattern": "[ipv4-addr:value = '161.35.22.86']", - "confidence": 85, - "lang": "en", - "type": "indicator", - "created": "2020-06-10T01:14:49.620Z", - "modified": "2020-06-10T01:14:49.620Z", - "name": "bot_ip: 161.35.22.86", - "description": "TS ID: 55697907934; iType: bot_ip; Date First: 2020-06-06T09:32:22.615Z; State: active; Org: Racal-Redac; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", - "valid_from": "2020-06-10T01:00:33.831549Z", - "pattern_type": "stix", - "object_marking_refs": [ - "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" - ], - "labels": [ - "low" - ], - "indicator_types": [ - "anomalous-activity" - ], - "pattern_version": "2.1", - "spec_version": "2.1" - }, - { - "id": "indicator--ac4a9ca5-9f6e-4072-b568-46dbb03a3ace", - "pattern": "[ipv4-addr:value = '45.143.220.246']", - "confidence": 50, - "lang": "en", - "type": "indicator", - "created": "2020-06-10T01:15:10.905Z", - "modified": "2020-06-10T01:15:10.905Z", - "name": "bot_ip: 45.143.220.246", - "description": "TS ID: 55691320117; iType: bot_ip; Date First: 2020-06-04T10:32:46.584Z; State: active; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", - "valid_from": "2020-06-10T01:00:33.752185Z", - "pattern_type": "stix", - "object_marking_refs": [ - "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" - ], - "labels": [ - "low" - ], - "indicator_types": [ - "anomalous-activity" - ], - "pattern_version": "2.1", - "spec_version": "2.1" - }, - { - "id": "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82", - "created": "2017-01-20T00:00:00.000Z", - "definition_type": "tlp", - "definition": { - "tlp": "amber" +[ + { + "objects": [ + { + "id": "indicator--86fee2b1-807d-423d-9d0e-1117bab576ce", + "pattern": "[ipv4-addr:value = '195.123.227.186']", + "confidence": 50, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:14:33.126Z", + "modified": 
"2020-06-10T01:14:33.126Z", + "name": "bot_ip: 195.123.227.186", + "description": "TS ID: 55694549840; iType: bot_ip; Date First: 2020-06-05T08:42:19.170Z; State: active; Org: Layer6 Networks; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.779852Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" }, - "type": "marking-definition", - "spec_version": "2.1" - }, - { - "id": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da", - "created": "2017-01-20T00:00:00.000Z", - "definition_type": "tlp", - "definition": { - "tlp": "green" + { + "id": "indicator--891207b3-bff4-4bc2-8c12-7fd2321c9f38", + "pattern": "[ipv4-addr:value = '134.209.37.102']", + "confidence": 85, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:14:52.501Z", + "modified": "2020-06-10T01:14:52.501Z", + "name": "bot_ip: 134.209.37.102", + "description": "TS ID: 55682983162; iType: bot_ip; Date First: 2020-06-02T07:26:06.274Z; State: active; Org: Covidien Lp; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.722754Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" }, - "type": "marking-definition", - "spec_version": "2.1" - } - ], - "more": false -} + { + "id": "indicator--8c726d5f-cb6b-45dc-8c2b-2be8596043cf", + "pattern": "[ipv4-addr:value = '117.141.112.155']", + "confidence": 50, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:14:54.684Z", + "modified": "2020-06-10T01:14:54.684Z", + "name": "bot_ip: 117.141.112.155", + "description": "TS 
ID: 55694549819; iType: bot_ip; Date First: 2020-06-05T08:42:17.907Z; State: active; Org: China Mobile Guangdong; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.775627Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" + }, + { + "id": "indicator--8e19a19c-cd66-4278-8bfb-c05c64977d12", + "pattern": "[ipv4-addr:value = '23.129.64.217']", + "confidence": 50, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:14:19.858Z", + "modified": "2020-06-10T01:14:19.858Z", + "name": "bot_ip: 23.129.64.217", + "description": "TS ID: 55682983514; iType: bot_ip; Date First: 2020-06-02T07:26:46.206Z; State: active; Org: Emerald Onion; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.731573Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" + }, + { + "id": "indicator--90a4f95d-1e35-4f47-b303-5651c93457f4", + "pattern": "[ipv4-addr:value = '45.142.213.11']", + "confidence": 85, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:14:10.753Z", + "modified": "2020-06-10T01:14:10.753Z", + "name": "bot_ip: 45.142.213.11", + "description": "TS ID: 55694549856; iType: bot_ip; Date First: 2020-06-05T08:45:37.178Z; State: active; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.808281Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + 
], + "pattern_version": "2.1", + "spec_version": "2.1" + }, + { + "id": "indicator--94f109aa-3ef2-4a8c-a847-dfb4c64f4f29", + "pattern": "[ipv4-addr:value = '157.245.250.190']", + "confidence": 50, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:14:15.950Z", + "modified": "2020-06-10T01:14:15.950Z", + "name": "bot_ip: 157.245.250.190", + "description": "TS ID: 55697907923; iType: bot_ip; Date First: 2020-06-06T09:32:01.051Z; State: active; Org: Datalogic ADC; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.818576Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" + }, + { + "id": "indicator--96d1737a-5565-49ac-8a91-52c2c7b38903", + "pattern": "[ipv4-addr:value = '144.91.106.47']", + "confidence": 50, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:15:00.764Z", + "modified": "2020-06-10T01:15:00.764Z", + "name": "bot_ip: 144.91.106.47", + "description": "TS ID: 55694549829; iType: bot_ip; Date First: 2020-06-05T08:44:22.790Z; State: active; Org: Mills College; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.791474Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" + }, + { + "id": "indicator--9c98d81b-b4a5-4b8d-8fd6-4b9beec0f1be", + "pattern": "[ipv4-addr:value = '141.98.81.208']", + "confidence": 50, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:14:39.995Z", + "modified": "2020-06-10T01:14:39.995Z", + "name": "bot_ip: 141.98.81.208", + "description": "TS ID: 55691320102; iType: bot_ip; 
Date First: 2020-06-04T10:33:13.398Z; State: active; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.766866Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" + }, + { + "id": "indicator--9cbf82af-8a54-478a-af76-b88a73a33d37", + "pattern": "[ipv4-addr:value = '51.81.53.159']", + "confidence": 85, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:15:01.999Z", + "modified": "2020-06-10T01:15:01.999Z", + "name": "bot_ip: 51.81.53.159", + "description": "TS ID: 55694549861; iType: bot_ip; Date First: 2020-06-05T08:42:44.478Z; State: active; Org: OVH SAS; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.781286Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" + }, + { + "id": "indicator--9ee9aecd-89e6-4dd6-9a24-4c610b33ebbb", + "pattern": "[ipv4-addr:value = '104.168.173.252']", + "confidence": 50, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:14:58.530Z", + "modified": "2020-06-10T01:14:58.530Z", + "name": "bot_ip: 104.168.173.252", + "description": "TS ID: 55691320097; iType: bot_ip; Date First: 2020-06-04T10:32:46.612Z; State: active; Org: Hostwinds LLC.; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.753603Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + 
"spec_version": "2.1" + }, + { + "id": "indicator--9febf107-dd82-4727-bcb7-199291ec474c", + "pattern": "[ipv4-addr:value = '173.212.206.89']", + "confidence": 50, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:14:34.822Z", + "modified": "2020-06-10T01:14:34.822Z", + "name": "bot_ip: 173.212.206.89", + "description": "TS ID: 55697907953; iType: bot_ip; Date First: 2020-06-06T09:31:54.190Z; State: active; Org: Contabo GmbH; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.814015Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" + }, + { + "id": "indicator--a25904c8-0270-4d57-add5-64f5ed1485b5", + "pattern": "[ipv4-addr:value = '67.207.94.201']", + "confidence": 15, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:14:29.751Z", + "modified": "2020-06-10T01:14:29.751Z", + "name": "bot_ip: 67.207.94.201", + "description": "TS ID: 55697908164; iType: bot_ip; Date First: 2020-06-06T09:32:30.450Z; State: active; Org: Digital Ocean; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.837493Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" + }, + { + "id": "indicator--a5a1408d-ff8b-41b2-8c57-6678aa0c8688", + "pattern": "[ipv4-addr:value = '89.163.242.76']", + "confidence": 50, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:14:35.839Z", + "modified": "2020-06-10T01:14:35.839Z", + "name": "bot_ip: 89.163.242.76", + "description": "TS ID: 55694549874; iType: bot_ip; Date First: 2020-06-05T08:45:20.346Z; 
State: active; Org: myLoc managed IT AG; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.800264Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" + }, + { + "id": "indicator--a8cc5b11-3bbb-4fb2-970c-31a6f58e1374", + "pattern": "[ipv4-addr:value = '51.75.71.205']", + "confidence": 85, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:14:41.919Z", + "modified": "2020-06-10T01:14:41.919Z", + "name": "bot_ip: 51.75.71.205", + "description": "TS ID: 55686993979; iType: bot_ip; Date First: 2020-06-03T07:29:11.148Z; State: active; Org: OVH SAS; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.73608Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" + }, + { + "id": "indicator--a8ee1e5f-8c08-4135-878c-4973179cbac5", + "pattern": "[ipv4-addr:value = '140.224.183.58']", + "confidence": 85, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:14:11.651Z", + "modified": "2020-06-10T01:14:11.651Z", + "name": "bot_ip: 140.224.183.58", + "description": "TS ID: 55694549823; iType: bot_ip; Date First: 2020-06-05T08:45:24.055Z; State: active; Org: China Telecom FUJIAN NETWORK; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.801661Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + 
"spec_version": "2.1" + }, + { + "id": "indicator--aa4ec99f-3c54-4e60-ab47-83ff78d76570", + "pattern": "[ipv4-addr:value = '161.35.22.86']", + "confidence": 85, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:14:49.620Z", + "modified": "2020-06-10T01:14:49.620Z", + "name": "bot_ip: 161.35.22.86", + "description": "TS ID: 55697907934; iType: bot_ip; Date First: 2020-06-06T09:32:22.615Z; State: active; Org: Racal-Redac; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.831549Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" + }, + { + "id": "indicator--ac4a9ca5-9f6e-4072-b568-46dbb03a3ace", + "pattern": "[ipv4-addr:value = '45.143.220.246']", + "confidence": 50, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:15:10.905Z", + "modified": "2020-06-10T01:15:10.905Z", + "name": "bot_ip: 45.143.220.246", + "description": "TS ID: 55691320117; iType: bot_ip; Date First: 2020-06-04T10:32:46.584Z; State: active; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.752185Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" + }, + { + "id": "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82", + "created": "2017-01-20T00:00:00.000Z", + "definition_type": "tlp", + "definition": { + "tlp": "amber" + }, + "type": "marking-definition", + "spec_version": "2.1" + }, + { + "id": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da", + "created": "2017-01-20T00:00:00.000Z", + "definition_type": "tlp", + "definition": { + 
"tlp": "green"
+ },
+ "type": "marking-definition",
+ "spec_version": "2.1"
+ }
+ ],
+ "more": false
+ }
+]
diff --git a/Packs/ApiModules/Scripts/TAXII2ApiModule/test_data/stix_envelope_complex_20-19.json b/Packs/ApiModules/Scripts/TAXII2ApiModule/test_data/stix_envelope_complex_20-19.json
index 5acaa155427a..53d1edab2468 100644
--- a/Packs/ApiModules/Scripts/TAXII2ApiModule/test_data/stix_envelope_complex_20-19.json
+++ b/Packs/ApiModules/Scripts/TAXII2ApiModule/test_data/stix_envelope_complex_20-19.json
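Review bot: Every indicator in this fixture sets `object_marking_refs` to `marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da` (the TLP green definition), while the amber definition `marking-definition--f88d31f6-486f-44da-b317-01333bde0b82` kept at the end of the envelope is referenced by nothing, so a test driven by this data cannot show that a non-green TLP marking is carried through to the produced indicators. If TLP handling is meant to be covered by this fixture, point at least one indicator at the amber id, e.g. replace that indicator's entry with `"marking-definition--f88d31f6-486f-44da-b317-01333bde0b82"`, and update whatever expected output the test compares against; if it is not, the unreferenced definition is dead data that could be dropped. As written, the single page with `"more": false` also only exercises the non-paginated path, which is presumably covered by the other fixtures with `"more": true`. Separately, re-indenting the whole file in the same change that wraps the envelope in a list turns a three-line structural edit into a several-hundred-line diff; keeping the original indentation would have left only the added `[`, `]` and `"more"` lines to review.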
@@ -1,433 +1,435 @@ -{ - "objects": [ - { - "id": "indicator--86fee2b1-807d-423d-9d0e-1117bab576ce", - "pattern": "[ipv4-addr:value = '195.123.227.186' AND ipv4-addr:value = '1.1.1.1']", - "confidence": 50, - "lang": "en", - "type": "indicator", - "created": "2020-06-10T01:14:33.126Z", - "modified": "2020-06-10T01:14:33.126Z", - "name": "bot_ip: 195.123.227.186", - "description": "TS ID: 55694549840; iType: bot_ip; Date First: 2020-06-05T08:42:19.170Z; State: active; Org: Layer6 Networks; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", - "valid_from": "2020-06-10T01:00:33.779852Z", - "pattern_type": "stix", - "object_marking_refs": [ - "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" - ], - "labels": [ - "low" - ], - "indicator_types": [ - "anomalous-activity" - ], - "pattern_version": "2.1", - "spec_version": "2.1" - }, - { - "id": "indicator--891207b3-bff4-4bc2-8c12-7fd2321c9f38", - "pattern": "[ipv4-addr:value = '134.209.37.102' OR ipv4-addr:value = '2.2.2.2']", - "confidence": 85, - "lang": "en", - "type": "indicator", - "created": "2020-06-10T01:14:52.501Z", - "modified": "2020-06-10T01:14:52.501Z", - "name": "bot_ip: 134.209.37.102", - "description": "TS ID: 55682983162; iType: bot_ip; Date First: 2020-06-02T07:26:06.274Z; State: active; Org: Covidien Lp; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", - "valid_from": "2020-06-10T01:00:33.722754Z", - "pattern_type": "stix", - "object_marking_refs": [ - "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" - ], - "labels": [ - "low" - ], - "indicator_types": [ - "anomalous-activity" - ], - "pattern_version": "2.1", - "spec_version": "2.1" - }, - { - "id": "indicator--8c726d5f-cb6b-45dc-8c2b-2be8596043cf", - "pattern": "[ipv4-addr:value = '117.141.112.155' FOLLOWEDBY ipv4-addr:value = '3.3.3.3']", - "confidence": 50, - "lang": "en", - "type": "indicator", - "created": "2020-06-10T01:14:54.684Z", - "modified": "2020-06-10T01:14:54.684Z", - 
"name": "bot_ip: 117.141.112.155", - "description": "TS ID: 55694549819; iType: bot_ip; Date First: 2020-06-05T08:42:17.907Z; State: active; Org: China Mobile Guangdong; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", - "valid_from": "2020-06-10T01:00:33.775627Z", - "pattern_type": "stix", - "object_marking_refs": [ - "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" - ], - "labels": [ - "low" - ], - "indicator_types": [ - "anomalous-activity" - ], - "pattern_version": "2.1", - "spec_version": "2.1" - }, - { - "id": "indicator--8e19a19c-cd66-4278-8bfb-c05c64977d12", - "pattern": "[ipv4-addr:value = '23.129.64.217']", - "confidence": 50, - "lang": "en", - "type": "indicator", - "created": "2020-06-10T01:14:19.858Z", - "modified": "2020-06-10T01:14:19.858Z", - "name": "bot_ip: 23.129.64.217", - "description": "TS ID: 55682983514; iType: bot_ip; Date First: 2020-06-02T07:26:46.206Z; State: active; Org: Emerald Onion; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", - "valid_from": "2020-06-10T01:00:33.731573Z", - "pattern_type": "stix", - "object_marking_refs": [ - "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" - ], - "labels": [ - "low" - ], - "indicator_types": [ - "anomalous-activity" - ], - "pattern_version": "2.1", - "spec_version": "2.1" - }, - { - "id": "indicator--90a4f95d-1e35-4f47-b303-5651c93457f4", - "pattern": "[ipv4-addr:value = '45.142.213.11']", - "confidence": 85, - "lang": "en", - "type": "indicator", - "created": "2020-06-10T01:14:10.753Z", - "modified": "2020-06-10T01:14:10.753Z", - "name": "bot_ip: 45.142.213.11", - "description": "TS ID: 55694549856; iType: bot_ip; Date First: 2020-06-05T08:45:37.178Z; State: active; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", - "valid_from": "2020-06-10T01:00:33.808281Z", - "pattern_type": "stix", - "object_marking_refs": [ - "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" - ], - "labels": [ - 
"low" - ], - "indicator_types": [ - "anomalous-activity" - ], - "pattern_version": "2.1", - "spec_version": "2.1" - }, - { - "id": "indicator--94f109aa-3ef2-4a8c-a847-dfb4c64f4f29", - "pattern": "[ipv4-addr:value = '157.245.250.190']", - "confidence": 50, - "lang": "en", - "type": "indicator", - "created": "2020-06-10T01:14:15.950Z", - "modified": "2020-06-10T01:14:15.950Z", - "name": "bot_ip: 157.245.250.190", - "description": "TS ID: 55697907923; iType: bot_ip; Date First: 2020-06-06T09:32:01.051Z; State: active; Org: Datalogic ADC; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", - "valid_from": "2020-06-10T01:00:33.818576Z", - "pattern_type": "stix", - "object_marking_refs": [ - "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" - ], - "labels": [ - "low" - ], - "indicator_types": [ - "anomalous-activity" - ], - "pattern_version": "2.1", - "spec_version": "2.1" - }, - { - "id": "indicator--96d1737a-5565-49ac-8a91-52c2c7b38903", - "pattern": "[ipv4-addr:value = '144.91.106.47']", - "confidence": 50, - "lang": "en", - "type": "indicator", - "created": "2020-06-10T01:15:00.764Z", - "modified": "2020-06-10T01:15:00.764Z", - "name": "bot_ip: 144.91.106.47", - "description": "TS ID: 55694549829; iType: bot_ip; Date First: 2020-06-05T08:44:22.790Z; State: active; Org: Mills College; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", - "valid_from": "2020-06-10T01:00:33.791474Z", - "pattern_type": "stix", - "object_marking_refs": [ - "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" - ], - "labels": [ - "low" - ], - "indicator_types": [ - "anomalous-activity" - ], - "pattern_version": "2.1", - "spec_version": "2.1" - }, - { - "id": "indicator--9c98d81b-b4a5-4b8d-8fd6-4b9beec0f1be", - "pattern": "[ipv4-addr:value = '141.98.81.208']", - "confidence": 50, - "lang": "en", - "type": "indicator", - "created": "2020-06-10T01:14:39.995Z", - "modified": "2020-06-10T01:14:39.995Z", - "name": "bot_ip: 
141.98.81.208", - "description": "TS ID: 55691320102; iType: bot_ip; Date First: 2020-06-04T10:33:13.398Z; State: active; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", - "valid_from": "2020-06-10T01:00:33.766866Z", - "pattern_type": "stix", - "object_marking_refs": [ - "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" - ], - "labels": [ - "low" - ], - "indicator_types": [ - "anomalous-activity" - ], - "pattern_version": "2.1", - "spec_version": "2.1" - }, - { - "id": "indicator--9cbf82af-8a54-478a-af76-b88a73a33d37", - "pattern": "[ipv4-addr:value = '51.81.53.159']", - "confidence": 85, - "lang": "en", - "type": "indicator", - "created": "2020-06-10T01:15:01.999Z", - "modified": "2020-06-10T01:15:01.999Z", - "name": "bot_ip: 51.81.53.159", - "description": "TS ID: 55694549861; iType: bot_ip; Date First: 2020-06-05T08:42:44.478Z; State: active; Org: OVH SAS; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", - "valid_from": "2020-06-10T01:00:33.781286Z", - "pattern_type": "stix", - "object_marking_refs": [ - "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" - ], - "labels": [ - "low" - ], - "indicator_types": [ - "anomalous-activity" - ], - "pattern_version": "2.1", - "spec_version": "2.1" - }, - { - "id": "indicator--9ee9aecd-89e6-4dd6-9a24-4c610b33ebbb", - "pattern": "[ipv4-addr:value = '104.168.173.252']", - "confidence": 50, - "lang": "en", - "type": "indicator", - "created": "2020-06-10T01:14:58.530Z", - "modified": "2020-06-10T01:14:58.530Z", - "name": "bot_ip: 104.168.173.252", - "description": "TS ID: 55691320097; iType: bot_ip; Date First: 2020-06-04T10:32:46.612Z; State: active; Org: Hostwinds LLC.; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", - "valid_from": "2020-06-10T01:00:33.753603Z", - "pattern_type": "stix", - "object_marking_refs": [ - "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" - ], - "labels": [ - "low" - ], - "indicator_types": [ - 
"anomalous-activity" - ], - "pattern_version": "2.1", - "spec_version": "2.1" - }, - { - "id": "indicator--9febf107-dd82-4727-bcb7-199291ec474c", - "pattern": "[ipv4-addr:value = '173.212.206.89']", - "confidence": 50, - "lang": "en", - "type": "indicator", - "created": "2020-06-10T01:14:34.822Z", - "modified": "2020-06-10T01:14:34.822Z", - "name": "bot_ip: 173.212.206.89", - "description": "TS ID: 55697907953; iType: bot_ip; Date First: 2020-06-06T09:31:54.190Z; State: active; Org: Contabo GmbH; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", - "valid_from": "2020-06-10T01:00:33.814015Z", - "pattern_type": "stix", - "object_marking_refs": [ - "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" - ], - "labels": [ - "low" - ], - "indicator_types": [ - "anomalous-activity" - ], - "pattern_version": "2.1", - "spec_version": "2.1" - }, - { - "id": "indicator--a25904c8-0270-4d57-add5-64f5ed1485b5", - "pattern": "[ipv4-addr:value = '67.207.94.201']", - "confidence": 15, - "lang": "en", - "type": "indicator", - "created": "2020-06-10T01:14:29.751Z", - "modified": "2020-06-10T01:14:29.751Z", - "name": "bot_ip: 67.207.94.201", - "description": "TS ID: 55697908164; iType: bot_ip; Date First: 2020-06-06T09:32:30.450Z; State: active; Org: Digital Ocean; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", - "valid_from": "2020-06-10T01:00:33.837493Z", - "pattern_type": "stix", - "object_marking_refs": [ - "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" - ], - "labels": [ - "low" - ], - "indicator_types": [ - "anomalous-activity" - ], - "pattern_version": "2.1", - "spec_version": "2.1" - }, - { - "id": "indicator--a5a1408d-ff8b-41b2-8c57-6678aa0c8688", - "pattern": "[ipv4-addr:value = '89.163.242.76']", - "confidence": 50, - "lang": "en", - "type": "indicator", - "created": "2020-06-10T01:14:35.839Z", - "modified": "2020-06-10T01:14:35.839Z", - "name": "bot_ip: 89.163.242.76", - "description": "TS ID: 
55694549874; iType: bot_ip; Date First: 2020-06-05T08:45:20.346Z; State: active; Org: myLoc managed IT AG; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", - "valid_from": "2020-06-10T01:00:33.800264Z", - "pattern_type": "stix", - "object_marking_refs": [ - "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" - ], - "labels": [ - "low" - ], - "indicator_types": [ - "anomalous-activity" - ], - "pattern_version": "2.1", - "spec_version": "2.1" - }, - { - "id": "indicator--a8cc5b11-3bbb-4fb2-970c-31a6f58e1374", - "pattern": "[ipv4-addr:value = '51.75.71.205']", - "confidence": 85, - "lang": "en", - "type": "indicator", - "created": "2020-06-10T01:14:41.919Z", - "modified": "2020-06-10T01:14:41.919Z", - "name": "bot_ip: 51.75.71.205", - "description": "TS ID: 55686993979; iType: bot_ip; Date First: 2020-06-03T07:29:11.148Z; State: active; Org: OVH SAS; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", - "valid_from": "2020-06-10T01:00:33.73608Z", - "pattern_type": "stix", - "object_marking_refs": [ - "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" - ], - "labels": [ - "low" - ], - "indicator_types": [ - "anomalous-activity" - ], - "pattern_version": "2.1", - "spec_version": "2.1" - }, - { - "id": "indicator--a8ee1e5f-8c08-4135-878c-4973179cbac5", - "pattern": "[ipv4-addr:value = '140.224.183.58']", - "confidence": 85, - "lang": "en", - "type": "indicator", - "created": "2020-06-10T01:14:11.651Z", - "modified": "2020-06-10T01:14:11.651Z", - "name": "bot_ip: 140.224.183.58", - "description": "TS ID: 55694549823; iType: bot_ip; Date First: 2020-06-05T08:45:24.055Z; State: active; Org: China Telecom FUJIAN NETWORK; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", - "valid_from": "2020-06-10T01:00:33.801661Z", - "pattern_type": "stix", - "object_marking_refs": [ - "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" - ], - "labels": [ - "low" - ], - "indicator_types": [ - 
"anomalous-activity" - ], - "pattern_version": "2.1", - "spec_version": "2.1" - }, - { - "id": "indicator--aa4ec99f-3c54-4e60-ab47-83ff78d76570", - "pattern": "[ipv4-addr:value = '161.35.22.86']", - "confidence": 85, - "lang": "en", - "type": "indicator", - "created": "2020-06-10T01:14:49.620Z", - "modified": "2020-06-10T01:14:49.620Z", - "name": "bot_ip: 161.35.22.86", - "description": "TS ID: 55697907934; iType: bot_ip; Date First: 2020-06-06T09:32:22.615Z; State: active; Org: Racal-Redac; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", - "valid_from": "2020-06-10T01:00:33.831549Z", - "pattern_type": "stix", - "object_marking_refs": [ - "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" - ], - "labels": [ - "low" - ], - "indicator_types": [ - "anomalous-activity" - ], - "pattern_version": "2.1", - "spec_version": "2.1" - }, - { - "id": "indicator--ac4a9ca5-9f6e-4072-b568-46dbb03a3ace", - "pattern": "[ipv4-addr:value = '45.143.220.246']", - "confidence": 50, - "lang": "en", - "type": "indicator", - "created": "2020-06-10T01:15:10.905Z", - "modified": "2020-06-10T01:15:10.905Z", - "name": "bot_ip: 45.143.220.246", - "description": "TS ID: 55691320117; iType: bot_ip; Date First: 2020-06-04T10:32:46.584Z; State: active; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", - "valid_from": "2020-06-10T01:00:33.752185Z", - "pattern_type": "stix", - "object_marking_refs": [ - "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" - ], - "labels": [ - "low" - ], - "indicator_types": [ - "anomalous-activity" - ], - "pattern_version": "2.1", - "spec_version": "2.1" - }, - { - "id": "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82", - "created": "2017-01-20T00:00:00.000Z", - "definition_type": "tlp", - "definition": { - "tlp": "amber" +[ + { + "objects": [ + { + "id": "indicator--86fee2b1-807d-423d-9d0e-1117bab576ce", + "pattern": "[ipv4-addr:value = '195.123.227.186' AND ipv4-addr:value = '1.1.1.1']", + 
"confidence": 50, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:14:33.126Z", + "modified": "2020-06-10T01:14:33.126Z", + "name": "bot_ip: 195.123.227.186", + "description": "TS ID: 55694549840; iType: bot_ip; Date First: 2020-06-05T08:42:19.170Z; State: active; Org: Layer6 Networks; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.779852Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" }, - "type": "marking-definition", - "spec_version": "2.1" - }, - { - "id": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da", - "created": "2017-01-20T00:00:00.000Z", - "definition_type": "tlp", - "definition": { - "tlp": "green" + { + "id": "indicator--891207b3-bff4-4bc2-8c12-7fd2321c9f38", + "pattern": "[ipv4-addr:value = '134.209.37.102' OR ipv4-addr:value = '2.2.2.2']", + "confidence": 85, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:14:52.501Z", + "modified": "2020-06-10T01:14:52.501Z", + "name": "bot_ip: 134.209.37.102", + "description": "TS ID: 55682983162; iType: bot_ip; Date First: 2020-06-02T07:26:06.274Z; State: active; Org: Covidien Lp; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.722754Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" }, - "type": "marking-definition", - "spec_version": "2.1" - } - ], - "more": false -} + { + "id": "indicator--8c726d5f-cb6b-45dc-8c2b-2be8596043cf", + "pattern": "[ipv4-addr:value = '117.141.112.155' FOLLOWEDBY ipv4-addr:value = '3.3.3.3']", + "confidence": 50, 
+ "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:14:54.684Z", + "modified": "2020-06-10T01:14:54.684Z", + "name": "bot_ip: 117.141.112.155", + "description": "TS ID: 55694549819; iType: bot_ip; Date First: 2020-06-05T08:42:17.907Z; State: active; Org: China Mobile Guangdong; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.775627Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" + }, + { + "id": "indicator--8e19a19c-cd66-4278-8bfb-c05c64977d12", + "pattern": "[ipv4-addr:value = '23.129.64.217']", + "confidence": 50, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:14:19.858Z", + "modified": "2020-06-10T01:14:19.858Z", + "name": "bot_ip: 23.129.64.217", + "description": "TS ID: 55682983514; iType: bot_ip; Date First: 2020-06-02T07:26:46.206Z; State: active; Org: Emerald Onion; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.731573Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" + }, + { + "id": "indicator--90a4f95d-1e35-4f47-b303-5651c93457f4", + "pattern": "[ipv4-addr:value = '45.142.213.11']", + "confidence": 85, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:14:10.753Z", + "modified": "2020-06-10T01:14:10.753Z", + "name": "bot_ip: 45.142.213.11", + "description": "TS ID: 55694549856; iType: bot_ip; Date First: 2020-06-05T08:45:37.178Z; State: active; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.808281Z", + 
"pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" + }, + { + "id": "indicator--94f109aa-3ef2-4a8c-a847-dfb4c64f4f29", + "pattern": "[ipv4-addr:value = '157.245.250.190']", + "confidence": 50, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:14:15.950Z", + "modified": "2020-06-10T01:14:15.950Z", + "name": "bot_ip: 157.245.250.190", + "description": "TS ID: 55697907923; iType: bot_ip; Date First: 2020-06-06T09:32:01.051Z; State: active; Org: Datalogic ADC; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.818576Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" + }, + { + "id": "indicator--96d1737a-5565-49ac-8a91-52c2c7b38903", + "pattern": "[ipv4-addr:value = '144.91.106.47']", + "confidence": 50, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:15:00.764Z", + "modified": "2020-06-10T01:15:00.764Z", + "name": "bot_ip: 144.91.106.47", + "description": "TS ID: 55694549829; iType: bot_ip; Date First: 2020-06-05T08:44:22.790Z; State: active; Org: Mills College; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.791474Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" + }, + { + "id": "indicator--9c98d81b-b4a5-4b8d-8fd6-4b9beec0f1be", + "pattern": "[ipv4-addr:value = '141.98.81.208']", + "confidence": 50, + "lang": "en", + 
"type": "indicator", + "created": "2020-06-10T01:14:39.995Z", + "modified": "2020-06-10T01:14:39.995Z", + "name": "bot_ip: 141.98.81.208", + "description": "TS ID: 55691320102; iType: bot_ip; Date First: 2020-06-04T10:33:13.398Z; State: active; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.766866Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" + }, + { + "id": "indicator--9cbf82af-8a54-478a-af76-b88a73a33d37", + "pattern": "[ipv4-addr:value = '51.81.53.159']", + "confidence": 85, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:15:01.999Z", + "modified": "2020-06-10T01:15:01.999Z", + "name": "bot_ip: 51.81.53.159", + "description": "TS ID: 55694549861; iType: bot_ip; Date First: 2020-06-05T08:42:44.478Z; State: active; Org: OVH SAS; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.781286Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" + }, + { + "id": "indicator--9ee9aecd-89e6-4dd6-9a24-4c610b33ebbb", + "pattern": "[ipv4-addr:value = '104.168.173.252']", + "confidence": 50, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:14:58.530Z", + "modified": "2020-06-10T01:14:58.530Z", + "name": "bot_ip: 104.168.173.252", + "description": "TS ID: 55691320097; iType: bot_ip; Date First: 2020-06-04T10:32:46.612Z; State: active; Org: Hostwinds LLC.; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.753603Z", + "pattern_type": "stix", + 
"object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" + }, + { + "id": "indicator--9febf107-dd82-4727-bcb7-199291ec474c", + "pattern": "[ipv4-addr:value = '173.212.206.89']", + "confidence": 50, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:14:34.822Z", + "modified": "2020-06-10T01:14:34.822Z", + "name": "bot_ip: 173.212.206.89", + "description": "TS ID: 55697907953; iType: bot_ip; Date First: 2020-06-06T09:31:54.190Z; State: active; Org: Contabo GmbH; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.814015Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" + }, + { + "id": "indicator--a25904c8-0270-4d57-add5-64f5ed1485b5", + "pattern": "[ipv4-addr:value = '67.207.94.201']", + "confidence": 15, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:14:29.751Z", + "modified": "2020-06-10T01:14:29.751Z", + "name": "bot_ip: 67.207.94.201", + "description": "TS ID: 55697908164; iType: bot_ip; Date First: 2020-06-06T09:32:30.450Z; State: active; Org: Digital Ocean; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.837493Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" + }, + { + "id": "indicator--a5a1408d-ff8b-41b2-8c57-6678aa0c8688", + "pattern": "[ipv4-addr:value = '89.163.242.76']", + "confidence": 50, + "lang": "en", + "type": "indicator", + 
"created": "2020-06-10T01:14:35.839Z", + "modified": "2020-06-10T01:14:35.839Z", + "name": "bot_ip: 89.163.242.76", + "description": "TS ID: 55694549874; iType: bot_ip; Date First: 2020-06-05T08:45:20.346Z; State: active; Org: myLoc managed IT AG; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.800264Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" + }, + { + "id": "indicator--a8cc5b11-3bbb-4fb2-970c-31a6f58e1374", + "pattern": "[ipv4-addr:value = '51.75.71.205']", + "confidence": 85, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:14:41.919Z", + "modified": "2020-06-10T01:14:41.919Z", + "name": "bot_ip: 51.75.71.205", + "description": "TS ID: 55686993979; iType: bot_ip; Date First: 2020-06-03T07:29:11.148Z; State: active; Org: OVH SAS; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.73608Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" + }, + { + "id": "indicator--a8ee1e5f-8c08-4135-878c-4973179cbac5", + "pattern": "[ipv4-addr:value = '140.224.183.58']", + "confidence": 85, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:14:11.651Z", + "modified": "2020-06-10T01:14:11.651Z", + "name": "bot_ip: 140.224.183.58", + "description": "TS ID: 55694549823; iType: bot_ip; Date First: 2020-06-05T08:45:24.055Z; State: active; Org: China Telecom FUJIAN NETWORK; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.801661Z", + "pattern_type": "stix", + 
"object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" + }, + { + "id": "indicator--aa4ec99f-3c54-4e60-ab47-83ff78d76570", + "pattern": "[ipv4-addr:value = '161.35.22.86']", + "confidence": 85, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:14:49.620Z", + "modified": "2020-06-10T01:14:49.620Z", + "name": "bot_ip: 161.35.22.86", + "description": "TS ID: 55697907934; iType: bot_ip; Date First: 2020-06-06T09:32:22.615Z; State: active; Org: Racal-Redac; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.831549Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" + }, + { + "id": "indicator--ac4a9ca5-9f6e-4072-b568-46dbb03a3ace", + "pattern": "[ipv4-addr:value = '45.143.220.246']", + "confidence": 50, + "lang": "en", + "type": "indicator", + "created": "2020-06-10T01:15:10.905Z", + "modified": "2020-06-10T01:15:10.905Z", + "name": "bot_ip: 45.143.220.246", + "description": "TS ID: 55691320117; iType: bot_ip; Date First: 2020-06-04T10:32:46.584Z; State: active; Source: Emerging Threats - Compromised; MoreDetail: imported by user 668", + "valid_from": "2020-06-10T01:00:33.752185Z", + "pattern_type": "stix", + "object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "labels": [ + "low" + ], + "indicator_types": [ + "anomalous-activity" + ], + "pattern_version": "2.1", + "spec_version": "2.1" + }, + { + "id": "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82", + "created": "2017-01-20T00:00:00.000Z", + "definition_type": "tlp", + "definition": { + "tlp": "amber" + }, + "type": 
"marking-definition", + "spec_version": "2.1" + }, + { + "id": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da", + "created": "2017-01-20T00:00:00.000Z", + "definition_type": "tlp", + "definition": { + "tlp": "green" + }, + "type": "marking-definition", + "spec_version": "2.1" + } + ], + "more": false + } +] diff --git a/Packs/ApiModules/Scripts/TAXII2ApiModule/test_data/stix_envelope_no_indicators.json b/Packs/ApiModules/Scripts/TAXII2ApiModule/test_data/stix_envelope_no_indicators.json index 880413ab4b21..2106847d2956 100644 --- a/Packs/ApiModules/Scripts/TAXII2ApiModule/test_data/stix_envelope_no_indicators.json +++ b/Packs/ApiModules/Scripts/TAXII2ApiModule/test_data/stix_envelope_no_indicators.json @@ -1,25 +1,27 @@ -{ - "objects": [ - { - "id": "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82", - "created": "2017-01-20T00:00:00.000Z", - "definition_type": "tlp", - "definition": { - "tlp": "amber" +[ + { + "objects": [ + { + "id": "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82", + "created": "2017-01-20T00:00:00.000Z", + "definition_type": "tlp", + "definition": { + "tlp": "amber" + }, + "type": "marking-definition", + "spec_version": "2.1" }, - "type": "marking-definition", - "spec_version": "2.1" - }, - { - "id": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da", - "created": "2017-01-20T00:00:00.000Z", - "definition_type": "tlp", - "definition": { - "tlp": "green" - }, - "type": "marking-definition", - "spec_version": "2.1" - } - ], - "more": false -} + { + "id": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da", + "created": "2017-01-20T00:00:00.000Z", + "definition_type": "tlp", + "definition": { + "tlp": "green" + }, + "type": "marking-definition", + "spec_version": "2.1" + } + ], + "more": false + } +] diff --git a/Packs/ApiModules/pack_metadata.json b/Packs/ApiModules/pack_metadata.json index f4677b94d096..0a78c013cbdc 100644 --- a/Packs/ApiModules/pack_metadata.json 
+++ b/Packs/ApiModules/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "ApiModules",
 "description": "API Modules",
 "support": "xsoar",
- "currentVersion": "2.2.11",
+ "currentVersion": "2.2.12",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
diff --git a/Packs/AppNovi/Integrations/appNovi/appNovi.yml b/Packs/AppNovi/Integrations/appNovi/appNovi.yml
index c9fef59d0b6d..c09577acff8e 100644
--- a/Packs/AppNovi/Integrations/appNovi/appNovi.yml
+++ b/Packs/AppNovi/Integrations/appNovi/appNovi.yml
@@ -401,7 +401,7 @@ script:
 type: textArea
 description: Server IP to search
 description: Search for servers using IP address
- dockerimage: demisto/python3:3.10.8.37753
+ dockerimage: demisto/python3:3.10.9.40422
 tests:
 - No tests (auto formatted)
 fromversion: 6.5.0
diff --git a/Packs/AppNovi/ReleaseNotes/1_0_1.md b/Packs/AppNovi/ReleaseNotes/1_0_1.md
new file mode 100644
index 000000000000..52dfc8748a7e
--- /dev/null
+++ b/Packs/AppNovi/ReleaseNotes/1_0_1.md
@@ -0,0 +1,3 @@
+#### Integrations
+##### appNovi
+- Updated the Docker image to: *demisto/python3:3.10.9.40422*.
diff --git a/Packs/AppNovi/pack_metadata.json b/Packs/AppNovi/pack_metadata.json
index 1a40944c0035..f8d5c1c1f02d 100644
--- a/Packs/AppNovi/pack_metadata.json
+++ b/Packs/AppNovi/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "AppNovi",
 "description": "Search your combined security data in appNovi via simplified search or search via the appNovi security graph.",
 "support": "partner",
- "currentVersion": "1.0.0",
+ "currentVersion": "1.0.1",
 "author": "appNovi",
 "url": "https://appnovi.com/support",
 "email": "",
diff --git a/Packs/Arcanna/Integrations/ArcannaAI/ArcannaAI.yml b/Packs/Arcanna/Integrations/ArcannaAI/ArcannaAI.yml
index 4fb95369563b..a8eda98aafbb 100644
--- a/Packs/Arcanna/Integrations/ArcannaAI/ArcannaAI.yml
+++ b/Packs/Arcanna/Integrations/ArcannaAI/ArcannaAI.yml
@@ -249,7 +249,7 @@ script: - contextPath: Arcanna.FeedbackField description: XSOAR field used to signal feedback/label for Arcanna. type: String - dockerimage: demisto/python3:3.10.5.31928 + dockerimage: demisto/python3:3.10.9.40422 feed: false isfetch: false longRunning: false diff --git a/Packs/Arcanna/ReleaseNotes/1_1_5.md b/Packs/Arcanna/ReleaseNotes/1_1_5.md new file mode 100644 index 000000000000..64a7a98a893d --- /dev/null +++ b/Packs/Arcanna/ReleaseNotes/1_1_5.md @@ -0,0 +1,3 @@ +#### Integrations +##### Arcanna.AI +- Updated the Docker image to: *demisto/python3:3.10.9.40422*. diff --git a/Packs/Arcanna/pack_metadata.json b/Packs/Arcanna/pack_metadata.json index 05c10001cab9..8649d83ee404 100644 --- a/Packs/Arcanna/pack_metadata.json +++ b/Packs/Arcanna/pack_metadata.json @@ -2,7 +2,7 @@ "name": "ArcannaAI", "description": "Siscale Arcanna.Ai Cognitive automation platform that provides AI assistance to IT & Cybersecurity teams", "support": "partner", - "currentVersion": "1.1.4", + "currentVersion": "1.1.5", "author": "Siscale Engineering", "created": "2021-06-16T20:46:43Z", "url": "https://www.arcanna.ai/contact", diff --git a/Packs/ArcherRSA/Integrations/ArcherV2/ArcherV2.yml b/Packs/ArcherRSA/Integrations/ArcherV2/ArcherV2.yml index 1e1cf900b9cb..4cec518b5d66 100644 --- a/Packs/ArcherRSA/Integrations/ArcherV2/ArcherV2.yml +++ b/Packs/ArcherRSA/Integrations/ArcherV2/ArcherV2.yml @@ -423,7 +423,7 @@ script: - arguments: [] description: Prints the Archer's integration cache. name: archer-print-cache - dockerimage: demisto/python3:3.10.8.37753 + dockerimage: demisto/python3:3.10.9.40422 isfetch: true runonce: false script: '' diff --git a/Packs/ArcherRSA/ReleaseNotes/1_2_4.md b/Packs/ArcherRSA/ReleaseNotes/1_2_4.md new file mode 100644 index 000000000000..70e6e2baa737 --- /dev/null +++ b/Packs/ArcherRSA/ReleaseNotes/1_2_4.md @@ -0,0 +1,3 @@ +#### Integrations +##### RSA Archer v2 +- Updated the Docker image to: *demisto/python3:3.10.9.40422*. 
diff --git a/Packs/ArcherRSA/pack_metadata.json b/Packs/ArcherRSA/pack_metadata.json index b30a3a0c16c2..80cc9f30e677 100644 --- a/Packs/ArcherRSA/pack_metadata.json +++ b/Packs/ArcherRSA/pack_metadata.json @@ -2,7 +2,7 @@ "name": "RSA Archer", "description": "The RSA Archer GRC Platform provides a common foundation for managing policies, controls, risks, assessments and deficiencies across lines of business.", "support": "xsoar", - "currentVersion": "1.2.3", + "currentVersion": "1.2.4", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/ArcusTeam/Integrations/ArcusTeam/ArcusTeam.yml b/Packs/ArcusTeam/Integrations/ArcusTeam/ArcusTeam.yml index 7ea2dc167029..48a9c9a4a626 100644 --- a/Packs/ArcusTeam/Integrations/ArcusTeam/ArcusTeam.yml +++ b/Packs/ArcusTeam/Integrations/ArcusTeam/ArcusTeam.yml @@ -171,7 +171,7 @@ script: description: CVE url type: string description: ' Retrieve CVEs for an ArcusTeam device' - dockerimage: demisto/python3:3.10.5.31928 + dockerimage: demisto/python3:3.10.9.40422 runonce: false subtype: python3 fromversion: 6.0.0 diff --git a/Packs/ArcusTeam/ReleaseNotes/1_0_5.md b/Packs/ArcusTeam/ReleaseNotes/1_0_5.md new file mode 100644 index 000000000000..2cb8702d43d3 --- /dev/null +++ b/Packs/ArcusTeam/ReleaseNotes/1_0_5.md @@ -0,0 +1,3 @@ +#### Integrations +##### ArcusTeam +- Updated the Docker image to: *demisto/python3:3.10.9.40422*. diff --git a/Packs/ArcusTeam/pack_metadata.json b/Packs/ArcusTeam/pack_metadata.json index 1c01f2c402a0..91341ebe6e47 100644 --- a/Packs/ArcusTeam/pack_metadata.json +++ b/Packs/ArcusTeam/pack_metadata.json @@ -2,7 +2,7 @@ "name": "ArcusTeam", "description": "ArcusTeam's DeviceTotal Platform helps to identify and manage vulnerabilities found on IoT devices", "support": "partner", - "currentVersion": "1.0.4", + "currentVersion": "1.0.5", "author": "ArcusTeam", "url": "https://arcusteam.com/pa-partnership/", "email": "support@arcusteam.com", 
diff --git a/Packs/Arduino/Integrations/Arduino/Arduino.yml b/Packs/Arduino/Integrations/Arduino/Arduino.yml index efbf60574cd4..5b2dfd995a28 100644 --- a/Packs/Arduino/Integrations/Arduino/Arduino.yml +++ b/Packs/Arduino/Integrations/Arduino/Arduino.yml @@ -123,7 +123,7 @@ script: - contextPath: Arduino.DataSend.Received description: The data received type: string - dockerimage: demisto/python3:3.10.5.31928 + dockerimage: demisto/python3:3.10.9.40422 runonce: false script: '' subtype: python3 diff --git a/Packs/Arduino/ReleaseNotes/1_0_7.md b/Packs/Arduino/ReleaseNotes/1_0_7.md new file mode 100644 index 000000000000..4da7b58cfb41 --- /dev/null +++ b/Packs/Arduino/ReleaseNotes/1_0_7.md @@ -0,0 +1,3 @@ +#### Integrations +##### Arduino +- Updated the Docker image to: *demisto/python3:3.10.9.40422*. diff --git a/Packs/Arduino/pack_metadata.json b/Packs/Arduino/pack_metadata.json index 2c2afad9e658..3732e7a7697f 100644 --- a/Packs/Arduino/pack_metadata.json +++ b/Packs/Arduino/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Arduino", "description": "Communicate with an Arduino over a network. Sample code for the Arduino is provided to get up and running. There are functions in the Arduino code to handle setting and getting pin values as well as arbitrary data.", "support": "community", - "currentVersion": "1.0.6", + "currentVersion": "1.0.7", "author": "Adam Burt", "url": "", "email": "", diff --git a/Packs/Arkime/Integrations/Arkime/Arkime.yml b/Packs/Arkime/Integrations/Arkime/Arkime.yml index 07af9452d9cc..d9020d4e0676 100644 --- a/Packs/Arkime/Integrations/Arkime/Arkime.yml +++ b/Packs/Arkime/Integrations/Arkime/Arkime.yml @@ -29,7 +29,7 @@ script: script: '' type: python subtype: python3 - dockerimage: demisto/python3:3.10.8.39276 + dockerimage: demisto/python3:3.10.9.40422 isfetch: false commands: - name: arkime-connection-list diff --git a/Packs/Arkime/ReleaseNotes/1_0_8.md b/Packs/Arkime/ReleaseNotes/1_0_8.md new file mode 100644 index 000000000000..0f78d1d6cf21 
--- /dev/null +++ b/Packs/Arkime/ReleaseNotes/1_0_8.md @@ -0,0 +1,3 @@ +#### Integrations +##### Arkime +- Updated the Docker image to: *demisto/python3:3.10.9.40422*. diff --git a/Packs/Arkime/pack_metadata.json b/Packs/Arkime/pack_metadata.json index f6446c8aa85a..ab01594acf21 100644 --- a/Packs/Arkime/pack_metadata.json +++ b/Packs/Arkime/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Arkime", "description": "Arkime (formerly Moloch) is a large scale, open source, indexed packet capture and search tool.", "support": "xsoar", - "currentVersion": "1.0.7", + "currentVersion": "1.0.8", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/Armis/pack_metadata.json b/Packs/Armis/pack_metadata.json index a66e7c81e922..c5852414ad53 100755 --- a/Packs/Armis/pack_metadata.json +++ b/Packs/Armis/pack_metadata.json @@ -9,9 +9,7 @@ "categories": [ "Network Security" ], - "tags": [ - "marketplacev2:Data Source" - ], + "tags": [], "created": "2021-01-02T18:00:53Z", "useCases": [], "keywords": [], diff --git a/Packs/Armorblox/pack_metadata.json b/Packs/Armorblox/pack_metadata.json index 53116c2f50e4..1e20ecd8ce88 100644 --- a/Packs/Armorblox/pack_metadata.json +++ b/Packs/Armorblox/pack_metadata.json @@ -10,9 +10,7 @@ "categories": [ "Analytics & SIEM" ], - "tags": [ - "marketplacev2:Data Source" - ], + "tags": [], "useCases": [], "keywords": [ "Email Security", diff --git a/Packs/AtlassianConfluenceCloud/Integrations/AtlassianConfluenceCloud/AtlassianConfluenceCloud.py b/Packs/AtlassianConfluenceCloud/Integrations/AtlassianConfluenceCloud/AtlassianConfluenceCloud.py index 597e16a649d6..e38d47b3267f 100644 --- a/Packs/AtlassianConfluenceCloud/Integrations/AtlassianConfluenceCloud/AtlassianConfluenceCloud.py +++ b/Packs/AtlassianConfluenceCloud/Integrations/AtlassianConfluenceCloud/AtlassianConfluenceCloud.py 
@@ -7,9 +7,10 @@ from CommonServerUserPython import * # noqa import requests +import urllib3 # Disable insecure warnings -requests.packages.urllib3.disable_warnings() # pylint: disable=no-member +urllib3.disable_warnings() # pylint: disable=no-member ''' CONSTANTS ''' diff --git a/Packs/AtlassianConfluenceCloud/Integrations/AtlassianConfluenceCloud/AtlassianConfluenceCloud.yml b/Packs/AtlassianConfluenceCloud/Integrations/AtlassianConfluenceCloud/AtlassianConfluenceCloud.yml index b18678be58fe..5ac39e665bb4 100644 --- a/Packs/AtlassianConfluenceCloud/Integrations/AtlassianConfluenceCloud/AtlassianConfluenceCloud.yml +++ b/Packs/AtlassianConfluenceCloud/Integrations/AtlassianConfluenceCloud/AtlassianConfluenceCloud.yml @@ -2140,7 +2140,7 @@ script: - contextPath: ConfluenceCloud.Group._links.self description: Link to the group. type: String - dockerimage: demisto/python3:3.10.5.31928 + dockerimage: demisto/python3:3.10.9.40422 feed: false isfetch: false longRunning: false diff --git a/Packs/AtlassianConfluenceCloud/ReleaseNotes/1_0_5.md b/Packs/AtlassianConfluenceCloud/ReleaseNotes/1_0_5.md new file mode 100644 index 000000000000..a10b253c5bda --- /dev/null +++ b/Packs/AtlassianConfluenceCloud/ReleaseNotes/1_0_5.md @@ -0,0 +1,3 @@ +#### Integrations +##### Atlassian Confluence Cloud +- Updated the Docker image to: *demisto/python3:3.10.9.40422*. diff --git a/Packs/AtlassianConfluenceCloud/pack_metadata.json b/Packs/AtlassianConfluenceCloud/pack_metadata.json index 452b80dbc251..155067f79eea 100644 --- a/Packs/AtlassianConfluenceCloud/pack_metadata.json +++ b/Packs/AtlassianConfluenceCloud/pack_metadata.json 
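Review bot: The `# pylint: disable=no-member` pragma carried over onto the new `urllib3.disable_warnings()` line is stale — it existed because pylint could not resolve the `requests.packages.urllib3` re-export, but `disable_warnings` is a public member of `urllib3` itself, so the line should simply read `urllib3.disable_warnings()`. The same stale pragma is carried over in the Automox.py hunk further down this page. Since this call silences `InsecureRequestWarning` process-wide, a one-line why-comment would help the next reader, e.g. `# Silence urllib3 InsecureRequestWarning; whether TLS verification is actually skipped is decided per instance, not here` (assuming the integration exposes a trust-any-certificate option, which this hunk does not show).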
@@ -2,7 +2,7 @@ "name": "Atlassian Confluence Cloud", "description": "Atlassian Confluence Cloud allows users to interact with confluence entities like content, space, users and groups. Users can also manage the space permissions.", "support": "xsoar", - "currentVersion": "1.0.4", + "currentVersion": "1.0.5", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/Auditd/.pack-ignore b/Packs/Auditd/.pack-ignore new file mode 100644 index 000000000000..e69de29bb2d1 diff --git a/Packs/Auditd/.secrets-ignore b/Packs/Auditd/.secrets-ignore new file mode 100644 index 000000000000..e69de29bb2d1 diff --git a/Packs/Auditd/ModelingRules/Auditd_1_3/Auditd_1_3.xif b/Packs/Auditd/ModelingRules/Auditd_1_3/Auditd_1_3.xif new file mode 100644 index 000000000000..22019683f21f --- /dev/null +++ b/Packs/Auditd/ModelingRules/Auditd_1_3/Auditd_1_3.xif 
@@ -0,0 +1,28 @@ +[MODEL:dataset="unix_auditd_raw"] +alter eventid = arrayindex(regextract(_raw_log, "audit\([^\:]+\:([^\)]+)"),0), +hostname = arrayindex(regextract(_raw_log ,"\w+\s\d+\s\d+\:\d+\:\d+\s(\w+)\s"),0), +type = arrayindex(regextract(_raw_log , "type\=([^\s]+)"),0), +ses = arrayindex(regextract(_raw_log ,"\sses\=(\S+)\s"),0), +res = arrayindex(regextract(_raw_log ,"\sres\=([a-zA-Z0-9\-\_]+)"),0), +success = arrayindex(regextract(_raw_log ,"\ssuccess\=(\S+)\s"),0), +key = arrayindex(regextract(_raw_log ,"\skey\=\"([^\"]+)\""),0), +op = arrayindex(regextract(_raw_log ,"\sop\=PAM\:(\S+)\s"),0), +acct = arrayindex(regextract(_raw_log ,"\sacct\=\"*([^\"]+)\"*\s"),0), +uid = arrayindex(regextract(_raw_log ,"\suid\=(\S+)\s"),0), +addr = arrayindex(regextract(_raw_log ,"\saddr\=(\d+\.\d+\.\d+\.\d+)\s"),0), +pid = arrayindex(regextract(_raw_log ,"\spid\=(\S+)\s"),0), +comm = arrayindex(regextract(_raw_log ,"\scomm\=\"*([^\"]+)\"*\s"),0), +exe = arrayindex(regextract(_raw_log ,"\sexe\=\"*([^\"]+)\"*\s"),0) +| alter + xdm.event.id = eventid, + xdm.event.type = type, + xdm.session_context_id = ses, + xdm.event.outcome = coalesce(res,success), + xdm.event.operation = coalesce(op,key), + xdm.source.user.username = acct, + xdm.source.user.identifier = uid, + xdm.source.ipv4 = addr, + xdm.source.process.pid = to_number(pid), + xdm.source.host.hostname = hostname, + xdm.source.process.command_line = comm, + xdm.source.process.executable.path = exe; \ No newline at end of file diff --git a/Packs/Auditd/ModelingRules/Auditd_1_3/Auditd_1_3.yml b/Packs/Auditd/ModelingRules/Auditd_1_3/Auditd_1_3.yml new file mode 100644 index 000000000000..4652b51dcdd6 --- /dev/null +++ b/Packs/Auditd/ModelingRules/Auditd_1_3/Auditd_1_3.yml @@ -0,0 +1,6 @@ +fromversion: 6.10.0 +id: unix_auditd_modeling_rule +name: Unix Auditd Modeling Rule +rules: '' +schema: '' +tags: Unix Auditd \ No newline at end of file 
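Review bot: `xdm.event.outcome = coalesce(res,success)` maps two differently-valued source fields onto one outcome field: `res=` is captured as a free token and `success=` as another, and in auditd records these are presumably `success`/`failed` versus `yes`/`no`, so any detection logic keyed on `xdm.event.outcome` has to match both vocabularies depending on record type. Consider normalizing both to a single pair of values before the assignment rather than coalescing the raw strings, and add a comment naming the record types each field comes from. Also, `addr` is extracted with a dotted-quad-only pattern (`\d+\.\d+\.\d+\.\d+`), so IPv6 addresses or the literal `addr=?` leave `xdm.source.ipv4` null without any fallback; a comment stating that only IPv4 is modelled would make the gap visible to whoever builds rules on it.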
diff --git a/Packs/Auditd/ModelingRules/Auditd_1_3/Auditd_1_3_schema.json b/Packs/Auditd/ModelingRules/Auditd_1_3/Auditd_1_3_schema.json new file mode 100644 index 000000000000..0afd33228d0d --- /dev/null +++ b/Packs/Auditd/ModelingRules/Auditd_1_3/Auditd_1_3_schema.json @@ -0,0 +1,8 @@ +{ + "unix_auditd_raw": { + "_raw_log": { + "type": "string", + "is_array": false + } + } + } \ No newline at end of file diff --git a/Packs/Auditd/ModelingRules/Auditd_1_3/Auditd_1_3_testdata.json b/Packs/Auditd/ModelingRules/Auditd_1_3/Auditd_1_3_testdata.json new file mode 100644 index 000000000000..e69570033f7d --- /dev/null +++ b/Packs/Auditd/ModelingRules/Auditd_1_3/Auditd_1_3_testdata.json @@ -0,0 +1,25 @@ +{ + "data": [ + { + "test_data_event_id": "5fc5c4eb-037a-4bd6-a9c2-c51577c96cbc", + "vendor": "unix", + "product": "auditd", + "dataset": "unix_auditd_raw", + "event_data": {"_raw_log": "<13>Nov 24 12:20:01 somehost123 audispd: node=czstlls086.prg-dc.dhl.com type=LOGIN msg=audit(1669288801.814:57688940): pid=26435 uid=0 old auid=7632 new auid=0 old ses=337905 new ses=357883"}, + "expected_values": { + "xdm.source.user.identifier": "0", + "xdm.event.outcome": null, + "xdm.event.operation": null, + "xdm.session_context_id": "337905", + "xdm.source.host.hostname": "somehost123", + "xdm.source.process.executable.path": null, + "xdm.source.user.username": null, + "xdm.source.ipv4": null, + "xdm.event.id": "57688940", + "xdm.source.process.pid": "26435", + "xdm.event.type": "LOGIN", + "xdm.source.process.command_line": null + } + } + ] +} \ No newline at end of file diff --git a/Packs/Auditd/ParsingRules/Auditd/Auditd.xif b/Packs/Auditd/ParsingRules/Auditd/Auditd.xif new file mode 100644 index 000000000000..e137bce4ebbd --- /dev/null +++ b/Packs/Auditd/ParsingRules/Auditd/Auditd.xif 
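Review bot: The `_raw_log` sample in `Auditd_1_3_testdata.json` carries `node=czstlls086.prg-dc.dhl.com`, which reads as a real organisation's internal hostname rather than synthetic fixture data; committed test data is public, so replace it with an obviously fake value such as `node=auditd-host1.example.com` (the modeling rule does not extract `node=`, so none of the `expected_values` change). Separately, `expected_values` pins `"xdm.source.process.pid": "26435"` as a string while the modeling rule assigns `xdm.source.process.pid = to_number(pid)`, so either the expectation should be the number `26435` or the rule should not convert — as written the test may not check the type the rule actually emits.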
@@ -0,0 +1,6 @@ +[INGEST:vendor="unix", product="auditd", target_dataset="unix_auditd_raw" , no_hit = keep] +alter tmp_event_time = arrayindex(regextract(_raw_log ,"\<\d+\>([A-Za-z]+\s\d+\s\d+\:\d+\:\d+)\s"),0), + tmp_year = to_string(format_timestamp("%Y",_insert_time )) +| alter tmp_full_event_time = concat(tmp_event_time , " ", tmp_year ) +| alter _time = parse_timestamp("%b %d %H:%M:%S %Y" , tmp_full_event_time) +| fields - tmp_event_time , tmp_year , tmp_full_event_time; \ No newline at end of file diff --git a/Packs/Auditd/ParsingRules/Auditd/Auditd.yml b/Packs/Auditd/ParsingRules/Auditd/Auditd.yml new file mode 100644 index 000000000000..75e3ce3031a1 --- /dev/null +++ b/Packs/Auditd/ParsingRules/Auditd/Auditd.yml @@ -0,0 +1,6 @@ +name: UnixAuditd Parsing Rule +id: UnixAuditd Parsing Rule +fromversion: 6.10.0 +tags: [] +rules: '' +samples: '' \ No newline at end of file diff --git a/Packs/Auditd/README.md b/Packs/Auditd/README.md new file mode 100644 index 000000000000..ae55efe2ef29 --- /dev/null +++ b/Packs/Auditd/README.md 
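Review bot: `_time` is built by concatenating the year taken from `_insert_time` onto a syslog header that carries no year (`%b %d %H:%M:%S`), so events ingested in early January whose header still reads `Dec …` are stamped with the new year, and any delayed or replayed logs get the ingestion year rather than the year they occurred; a guard that subtracts one year when the parsed timestamp lands after `_insert_time` would cover the rollover case. The header also carries no timezone, so `parse_timestamp` applies whatever default the platform uses — worth a comment above the `alter _time` line stating the timezone the syslog source is assumed to emit in, since timeline correlation across collectors depends on it.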
@@ -0,0 +1,32 @@ +## Collect Events from Vendor + +In order to use the collector, you can use one of the following options to collect events from the vendor: + - [Broker VM](#broker-vm) + +In either option, you will need to configure the vendor and product for this specific collector. +### Broker VM +You will need to use the information described [here](https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/broker-vm/set-up-broker-vm/configure-your-broker-vm).\ +You can configure the specific vendor and product for this instance. +1. Navigate to **Settings** -> **Configuration** -> **Data Broker** -> **Broker VMs**. +2. Right-click, and select **Syslog Collector** -> **Configure**. +3. When configuring the Syslog Collector, set: + - vendor as vendor<- Unix + - product as product<- Auditd + +### Install Auditd on Ubuntu Linux +Install Bash if not present, on your Ubuntu system. +``` +sudo apt update +sudo apt install bash-completion +``` +After these initial steps, now Install Auditd. The following command will install Auditd's latest version on your ubuntu system. +sudo apt-get install auditd +You can start and enable your auditd service so it will run up after system restart or reboot. + +``` +service status auditd + +auditd start + +auditd restart +``` \ No newline at end of file diff --git a/Packs/Auditd/pack_metadata.json b/Packs/Auditd/pack_metadata.json new file mode 100644 index 000000000000..fa207c04f1d2 --- /dev/null +++ b/Packs/Auditd/pack_metadata.json @@ -0,0 +1,18 @@ +{ + "name": "Auditd", + "description": "Auditd Modeling Rules and Parsing Rules Pack.", + "support": "xsoar", + "currentVersion": "1.0.0", + "author": "Cortex XSOAR", + "url": "https://www.paloaltonetworks.com/cortex", + "email": "", + "categories": [ + "Analytics & SIEM" + ], + "tags": [], + "useCases": [], + "keywords": [], + "marketplaces": [ + "marketplacev2" + ] +} \ No newline at end of file 
diff --git a/Packs/AutoFocus/Integrations/AutofocusV2/AutofocusV2.yml b/Packs/AutoFocus/Integrations/AutofocusV2/AutofocusV2.yml index d05951d53733..cbab62be1d70 100644 --- a/Packs/AutoFocus/Integrations/AutofocusV2/AutofocusV2.yml +++ b/Packs/AutoFocus/Integrations/AutofocusV2/AutofocusV2.yml @@ -1385,7 +1385,7 @@ script: - contextPath: Domain.Name description: The domain name. type: String - dockerimage: demisto/python3:3.10.8.37233 + dockerimage: demisto/python3:3.10.9.40422 isfetch: false longRunning: false longRunningPort: false diff --git a/Packs/AutoFocus/Integrations/FeedAutofocus/FeedAutofocus.yml b/Packs/AutoFocus/Integrations/FeedAutofocus/FeedAutofocus.yml index 5a34fbee053d..5e70caa18a8f 100644 --- a/Packs/AutoFocus/Integrations/FeedAutofocus/FeedAutofocus.yml +++ b/Packs/AutoFocus/Integrations/FeedAutofocus/FeedAutofocus.yml @@ -139,7 +139,7 @@ script: description: Gets the indicators from AutoFocus. execution: false name: autofocus-get-indicators - dockerimage: demisto/python3:3.10.8.39276 + dockerimage: demisto/python3:3.10.9.40422 feed: true isfetch: false longRunning: false diff --git a/Packs/AutoFocus/Integrations/FeedAutofocus/FeedAutofocus_commands b/Packs/AutoFocus/Integrations/FeedAutofocus/command_examples.txt similarity index 100% rename from Packs/AutoFocus/Integrations/FeedAutofocus/FeedAutofocus_commands rename to Packs/AutoFocus/Integrations/FeedAutofocus/command_examples.txt diff --git a/Packs/AutoFocus/ReleaseNotes/2_0_33.md b/Packs/AutoFocus/ReleaseNotes/2_0_33.md new file mode 100644 index 000000000000..691fe0d9e628 --- /dev/null +++ b/Packs/AutoFocus/ReleaseNotes/2_0_33.md @@ -0,0 +1,5 @@ +#### Integrations +##### Palo Alto Networks AutoFocus v2 +- Updated the Docker image to: *demisto/python3:3.10.9.40422*. +##### AutoFocus Feed +- Updated the Docker image to: *demisto/python3:3.10.9.40422*. diff --git a/Packs/AutoFocus/pack_metadata.json b/Packs/AutoFocus/pack_metadata.json index f92fb4f94f48..bad040d85a93 100644 
--- a/Packs/AutoFocus/pack_metadata.json +++ b/Packs/AutoFocus/pack_metadata.json @@ -2,7 +2,7 @@ "name": "AutoFocus by Palo Alto Networks", "description": "Use the Palo Alto Networks AutoFocus integration to distinguish the most\n important threats from everyday commodity attacks.", "support": "xsoar", - "currentVersion": "2.0.32", + "currentVersion": "2.0.33", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/Automox/Integrations/Automox/Automox.py b/Packs/Automox/Integrations/Automox/Automox.py index 5bab7728bbb5..cf046696dd5e 100644 --- a/Packs/Automox/Integrations/Automox/Automox.py +++ b/Packs/Automox/Integrations/Automox/Automox.py @@ -13,12 +13,12 @@ from typing import Any, Dict, List import demistomock as demisto -import requests +import urllib3 from CommonServerPython import * # noqa # pylint: disable=unused-wildcard-import from CommonServerUserPython import * # noqa # Disable insecure warnings -requests.packages.urllib3.disable_warnings() # pylint: disable=no-member +urllib3.disable_warnings() # pylint: disable=no-member ''' CONSTANTS ''' VERSION = "1.0.0" diff --git a/Packs/Automox/Integrations/Automox/Automox.yml b/Packs/Automox/Integrations/Automox/Automox.yml index f0f1cc3d3e4d..6d0cf2711389 100644 --- a/Packs/Automox/Integrations/Automox/Automox.yml +++ b/Packs/Automox/Integrations/Automox/Automox.yml @@ -1104,7 +1104,7 @@ script: script: '-' type: python subtype: python3 - dockerimage: demisto/python3:3.10.5.31928 + dockerimage: demisto/python3:3.10.9.40422 fromversion: 6.0.0 tests: - No tests diff --git a/Packs/Automox/ReleaseNotes/1_0_3.md b/Packs/Automox/ReleaseNotes/1_0_3.md new file mode 100644 index 000000000000..d3285b6e6cbe --- /dev/null +++ b/Packs/Automox/ReleaseNotes/1_0_3.md @@ -0,0 +1,3 @@ +#### Integrations +##### Automox +- Updated the Docker image to: *demisto/python3:3.10.9.40422*. 
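Review bot: In the Automox.py hunk, `import requests` is removed outright rather than kept next to the new `import urllib3`; if `requests` is still referenced elsewhere in the file (the hunk shows only the import block), the name now arrives implicitly through `from CommonServerPython import *`, which hides the dependency from linters and readers. If the module is still used, restore an explicit `import requests` after `import urllib3`; if it is not, the removal is fine and a short note in the release notes would save the next reviewer the same check.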
diff --git a/Packs/Automox/pack_metadata.json b/Packs/Automox/pack_metadata.json index aa3123c4e6ac..75bc9f6dfbb3 100644 --- a/Packs/Automox/pack_metadata.json +++ b/Packs/Automox/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Automox", "description": "This pack empowers you with comprehensive solutions to manage your Automox device fleet with ease!", "support": "partner", - "currentVersion": "1.0.2", + "currentVersion": "1.0.3", "author": "Automox Inc.", "url": "https://www.automox.com/", "email": "support@automox.com", diff --git a/Packs/AwakeSecurity/Integrations/AwakeSecurity/AwakeSecurity.yml b/Packs/AwakeSecurity/Integrations/AwakeSecurity/AwakeSecurity.yml index 08a349a890ac..8806e7bd325b 100644 --- a/Packs/AwakeSecurity/Integrations/AwakeSecurity/AwakeSecurity.yml +++ b/Packs/AwakeSecurity/Integrations/AwakeSecurity/AwakeSecurity.yml @@ -109,7 +109,7 @@ script: script: '' type: python subtype: python3 - dockerimage: demisto/python3:3.10.8.39276 + dockerimage: demisto/python3:3.10.9.40422 commands: - name: awake-query-devices arguments: diff --git a/Packs/AwakeSecurity/ReleaseNotes/1_0_17.md b/Packs/AwakeSecurity/ReleaseNotes/1_0_17.md new file mode 100644 index 000000000000..f9f2b6ea46ec --- /dev/null +++ b/Packs/AwakeSecurity/ReleaseNotes/1_0_17.md @@ -0,0 +1,3 @@ +#### Integrations +##### Awake Security +- Updated the Docker image to: *demisto/python3:3.10.9.40422*. diff --git a/Packs/AwakeSecurity/pack_metadata.json b/Packs/AwakeSecurity/pack_metadata.json index 911040d6976e..ace1abad6ba1 100644 --- a/Packs/AwakeSecurity/pack_metadata.json +++ b/Packs/AwakeSecurity/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Awake Security", "description": "Network Traffic Analysis", "support": "xsoar", - "currentVersion": "1.0.16", + "currentVersion": "1.0.17", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", 
@@ -10,9 +10,7 @@ "categories": [ "Network Security" ], - "tags": [ - "marketplacev2:Data Source" - ], + "tags": [], "useCases": [], "keywords": [], "marketplaces": [ diff --git a/Packs/Aws-SecretsManager/ReleaseNotes/1_0_5.md b/Packs/Aws-SecretsManager/ReleaseNotes/1_0_5.md new file mode 100644 index 000000000000..3e98c11b9db3 --- /dev/null +++ b/Packs/Aws-SecretsManager/ReleaseNotes/1_0_5.md @@ -0,0 +1,4 @@ + +#### Integrations +##### Aws Secrets Manager +- Fixed an issue where the **region** argument was not being taken into account in some commands. diff --git a/Packs/Aws-SecretsManager/ReleaseNotes/1_0_6.md b/Packs/Aws-SecretsManager/ReleaseNotes/1_0_6.md new file mode 100644 index 000000000000..f2f717013c03 --- /dev/null +++ b/Packs/Aws-SecretsManager/ReleaseNotes/1_0_6.md @@ -0,0 +1,4 @@ + +#### Integrations +##### Aws Secrets Manager +- Fixed a typo in **AWSApiModule**. diff --git a/Packs/Aws-SecretsManager/pack_metadata.json b/Packs/Aws-SecretsManager/pack_metadata.json index 187d42bffe8f..14ec52235aee 100644 --- a/Packs/Aws-SecretsManager/pack_metadata.json +++ b/Packs/Aws-SecretsManager/pack_metadata.json @@ -2,7 +2,7 @@ "name": "AWS Secrets Manager", "description": "AWS Secrets Manager helps you to securely encrypt, store, and retrieve credentials for your databases and other services.", "support": "xsoar", - "currentVersion": "1.0.4", + "currentVersion": "1.0.6", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/Axonius/Integrations/Axonius/Axonius.py b/Packs/Axonius/Integrations/Axonius/Axonius.py index 9235c8cdd354..8952e90145ff 100644 --- a/Packs/Axonius/Integrations/Axonius/Axonius.py +++ b/Packs/Axonius/Integrations/Axonius/Axonius.py 
@@ -275,8 +275,8 @@ def main(): command: str = demisto.command() url: str = params["ax_url"] - key: str = params["ax_key"] - secret: str = params["ax_secret"] + key: str = params.get('credentials', {}).get('identifier') + secret: str = params.get('credentials', {}).get('password') certverify: bool = not params.get("insecure", False) handle_proxy() # noqa: F821, F405 diff --git a/Packs/Axonius/Integrations/Axonius/Axonius.yml b/Packs/Axonius/Integrations/Axonius/Axonius.yml index 36b4410620d2..92eee7df0362 100644 --- a/Packs/Axonius/Integrations/Axonius/Axonius.yml +++ b/Packs/Axonius/Integrations/Axonius/Axonius.yml @@ -7,14 +7,11 @@ configuration: name: ax_url required: true type: 0 -- display: Axonius API Key - name: ax_key +- display: API Key + displaypassword: API Secret + name: credentials + type: 9 required: true - type: 0 -- display: Axonius API Secret - name: ax_secret - required: true - type: 4 - display: Trust any certificate (not secure) name: insecure required: false @@ -737,7 +734,7 @@ script: - contextPath: Axonius.tags description: Axonius Tags type: Unknown - dockerimage: demisto/axonius:1.0.0.30481 + dockerimage: demisto/axonius:1.0.0.40908 feed: false isfetch: false longRunning: false diff --git a/Packs/Axonius/ReleaseNotes/1_1_0.json b/Packs/Axonius/ReleaseNotes/1_1_0.json new file mode 100644 index 000000000000..2cd8b03d8295 --- /dev/null +++ b/Packs/Axonius/ReleaseNotes/1_1_0.json @@ -0,0 +1 @@ +{"breakingChanges": true, "breakingChangesNotes": "To support the use of credentials we are modifying the integration configuration params to use API Key and API Secret instead of ax_key and ax_secret. This is a breaking change. All users will have to re-enter their API credentials."} \ No newline at end of file diff --git a/Packs/Axonius/ReleaseNotes/1_1_0.md b/Packs/Axonius/ReleaseNotes/1_1_0.md new file mode 100644 index 000000000000..572f8a014b5c --- /dev/null +++ b/Packs/Axonius/ReleaseNotes/1_1_0.md 
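Review bot: `key` and `secret` are annotated `str`, but `params.get('credentials', {}).get('identifier')` and `.get('password')` return `None` when the credentials block is absent or left empty, so an instance that was not re-configured after this breaking change (the release note says every user must re-enter credentials) reaches the client with `None` values instead of failing fast the way the old `params["ax_key"]` KeyError did. Add an explicit check before the client is constructed, e.g. `if not key or not secret: raise ValueError('API Key and API Secret are required.')`, making sure the message never echoes the secret itself. `main()` continues beyond the hunk, so the client construction this guards is not visible here.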
@@ -0,0 +1,8 @@ + +#### Integrations +##### Axonius +- Updated the Docker image to: *demisto/axonius:1.0.0.40908*. +- To support the use of credentials we are modifying the integration configuration params to use *API Key* and *API Secret* instead of *ax_key* and *ax_secret*. + - *NOTE:* This is a breaking change. All users will have to re-enter their API credentials. + + diff --git a/Packs/Axonius/pack_metadata.json b/Packs/Axonius/pack_metadata.json index 9af8b2eddec0..3ea93a2f00f3 100644 --- a/Packs/Axonius/pack_metadata.json +++ b/Packs/Axonius/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Axonius", "description": "Enrichment for devices and users in your environment.", "support": "partner", - "currentVersion": "1.0.6", + "currentVersion": "1.1.0", "author": "Axonius", "url": "https://docs.axonius.com", "email": "support@axonius.com", diff --git a/Packs/AzureActiveDirectory/Integrations/AzureADIdentityProtection/example_commands b/Packs/AzureActiveDirectory/Integrations/AzureADIdentityProtection/command_examples.txt similarity index 100% rename from Packs/AzureActiveDirectory/Integrations/AzureADIdentityProtection/example_commands rename to Packs/AzureActiveDirectory/Integrations/AzureADIdentityProtection/command_examples.txt diff --git a/Packs/AzureActiveDirectory/ReleaseNotes/1_3_4.md b/Packs/AzureActiveDirectory/ReleaseNotes/1_3_4.md new file mode 100644 index 000000000000..1b38865066af --- /dev/null +++ b/Packs/AzureActiveDirectory/ReleaseNotes/1_3_4.md @@ -0,0 +1,4 @@ + +#### Integrations +##### Azure Active Directory Identity Protection (Deprecated) +- Fixed an issue where in some rare cases, commands would fail with a `'NoneType' object is not subscriptable` message. diff --git a/Packs/AzureActiveDirectory/pack_metadata.json b/Packs/AzureActiveDirectory/pack_metadata.json index 56ac231ad424..1c0a82cc99af 100644 --- a/Packs/AzureActiveDirectory/pack_metadata.json +++ b/Packs/AzureActiveDirectory/pack_metadata.json 
@@ -3,7 +3,7 @@ "description": "Deprecated. Use Microsoft Graph Identity and Access instead.", "support": "xsoar", "hidden": true, - "currentVersion": "1.3.3", + "currentVersion": "1.3.4", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/AzureCompute/ReleaseNotes/1_1_4.md b/Packs/AzureCompute/ReleaseNotes/1_1_4.md new file mode 100644 index 000000000000..1dec250fbdc1 --- /dev/null +++ b/Packs/AzureCompute/ReleaseNotes/1_1_4.md @@ -0,0 +1,4 @@ + +#### Integrations +##### Azure Compute v2 +- Fixed an issue where in some rare cases, commands would fail with a `'NoneType' object is not subscriptable` message. diff --git a/Packs/AzureCompute/pack_metadata.json b/Packs/AzureCompute/pack_metadata.json index 3ee30220b575..6c5ed7323901 100644 --- a/Packs/AzureCompute/pack_metadata.json +++ b/Packs/AzureCompute/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Azure Compute", "description": "Create and Manage Azure Virtual Machines", "support": "xsoar", - "currentVersion": "1.1.3", + "currentVersion": "1.1.4", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/AzureDataExplorer/ReleaseNotes/1_2_5.md b/Packs/AzureDataExplorer/ReleaseNotes/1_2_5.md new file mode 100644 index 000000000000..818a810c5b8b --- /dev/null +++ b/Packs/AzureDataExplorer/ReleaseNotes/1_2_5.md @@ -0,0 +1,4 @@ + +#### Integrations +##### Azure Data Explorer +- Fixed an issue where in some rare cases, commands would fail with a `'NoneType' object is not subscriptable` message. diff --git a/Packs/AzureDataExplorer/pack_metadata.json b/Packs/AzureDataExplorer/pack_metadata.json index 33809e5ba25b..f37450fe27fe 100644 --- a/Packs/AzureDataExplorer/pack_metadata.json +++ b/Packs/AzureDataExplorer/pack_metadata.json 
@@ -2,7 +2,7 @@ "name": "Azure Data Explorer", "description": "Use Azure Data Explorer integration to collect and analyze data inside clusters of Azure Data Explorer and manage search queries.", "support": "xsoar", - "currentVersion": "1.2.4", + "currentVersion": "1.2.5", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/AzureDevOps/ReleaseNotes/1_2_4.md b/Packs/AzureDevOps/ReleaseNotes/1_2_4.md new file mode 100644 index 000000000000..1770df6312e5 --- /dev/null +++ b/Packs/AzureDevOps/ReleaseNotes/1_2_4.md @@ -0,0 +1,4 @@ + +#### Integrations +##### AzureDevOps +- Fixed an issue where in some rare cases, commands would fail with a `'NoneType' object is not subscriptable` message. diff --git a/Packs/AzureDevOps/pack_metadata.json b/Packs/AzureDevOps/pack_metadata.json index e0698235b83c..bcfa618ccef3 100644 --- a/Packs/AzureDevOps/pack_metadata.json +++ b/Packs/AzureDevOps/pack_metadata.json @@ -2,7 +2,7 @@ "name": "AzureDevOps", "description": "Create and manage Git repositories in Azure DevOps Services.", "support": "xsoar", - "currentVersion": "1.2.3", + "currentVersion": "1.2.4", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/AzureFirewall/ReleaseNotes/1_1_4.md b/Packs/AzureFirewall/ReleaseNotes/1_1_4.md new file mode 100644 index 000000000000..63c57d57335a --- /dev/null +++ b/Packs/AzureFirewall/ReleaseNotes/1_1_4.md @@ -0,0 +1,4 @@ + +#### Integrations +##### Azure Firewall +- Fixed an issue where in some rare cases, commands would fail with a `'NoneType' object is not subscriptable` message. diff --git a/Packs/AzureFirewall/pack_metadata.json b/Packs/AzureFirewall/pack_metadata.json index 0cc93ef68621..3896e959e260 100644 --- a/Packs/AzureFirewall/pack_metadata.json +++ b/Packs/AzureFirewall/pack_metadata.json 
@@ -2,7 +2,7 @@ "name": "Azure Firewall", "description": "Azure Firewall is a cloud-native and intelligent network firewall security service that provides breed threat protection for cloud workloads running in Azure.It's a fully stateful, firewall as a service with built-in high availability and unrestricted cloud scalability.", "support": "xsoar", - "currentVersion": "1.1.3", + "currentVersion": "1.1.4", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/AzureKeyVault/ReleaseNotes/1_1_4.md b/Packs/AzureKeyVault/ReleaseNotes/1_1_4.md new file mode 100644 index 000000000000..3f94332f01cb --- /dev/null +++ b/Packs/AzureKeyVault/ReleaseNotes/1_1_4.md @@ -0,0 +1,4 @@ + +#### Integrations +##### Azure Key Vault +- Fixed an issue where in some rare cases, commands would fail with a `'NoneType' object is not subscriptable` message. diff --git a/Packs/AzureKeyVault/pack_metadata.json b/Packs/AzureKeyVault/pack_metadata.json index 156941471766..ccc3fdc6cab2 100644 --- a/Packs/AzureKeyVault/pack_metadata.json +++ b/Packs/AzureKeyVault/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Azure Key Vault", "description": "Use Key Vault to safeguard and manage cryptographic keys and secrets used by cloud applications and services.", "support": "xsoar", - "currentVersion": "1.1.3", + "currentVersion": "1.1.4", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/AzureKubernetesServices/ReleaseNotes/1_1_4.md b/Packs/AzureKubernetesServices/ReleaseNotes/1_1_4.md new file mode 100644 index 000000000000..d2a0a0211184 --- /dev/null +++ b/Packs/AzureKubernetesServices/ReleaseNotes/1_1_4.md @@ -0,0 +1,4 @@ + +#### Integrations +##### Azure Kubernetes Services +- Fixed an issue where in some rare cases, commands would fail with a `'NoneType' object is not subscriptable` message. 
diff --git a/Packs/AzureKubernetesServices/pack_metadata.json b/Packs/AzureKubernetesServices/pack_metadata.json index daf0184253d3..8b55592854c0 100644 --- a/Packs/AzureKubernetesServices/pack_metadata.json +++ b/Packs/AzureKubernetesServices/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Azure Kubernetes Services", "description": "Deploy and manage containerized applications with a fully managed Kubernetes service.", "support": "xsoar", - "currentVersion": "1.1.3", + "currentVersion": "1.1.4", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/AzureLogAnalytics/ReleaseNotes/1_1_4.md b/Packs/AzureLogAnalytics/ReleaseNotes/1_1_4.md new file mode 100644 index 000000000000..1572912dec37 --- /dev/null +++ b/Packs/AzureLogAnalytics/ReleaseNotes/1_1_4.md @@ -0,0 +1,4 @@ + +#### Integrations +##### Azure Log Analytics +- Fixed an issue where in some rare cases, commands would fail with a `'NoneType' object is not subscriptable` message. diff --git a/Packs/AzureLogAnalytics/pack_metadata.json b/Packs/AzureLogAnalytics/pack_metadata.json index e9add298a73e..b18d9af529ad 100644 --- a/Packs/AzureLogAnalytics/pack_metadata.json +++ b/Packs/AzureLogAnalytics/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Azure Log Analytics", "description": "Log Analytics is a service that helps you collect and analyze data generated by resources in your cloud and on-premises environments.", "support": "xsoar", - "currentVersion": "1.1.3", + "currentVersion": "1.1.4", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/AzureNetworkSecurityGroups/ReleaseNotes/1_2_4.md b/Packs/AzureNetworkSecurityGroups/ReleaseNotes/1_2_4.md new file mode 100644 index 000000000000..66d4301baf47 --- /dev/null +++ b/Packs/AzureNetworkSecurityGroups/ReleaseNotes/1_2_4.md 
@@ -0,0 +1,4 @@ + +#### Integrations +##### Azure Network Security Groups +- Fixed an issue where in some rare cases, commands would fail with a `'NoneType' object is not subscriptable` message. diff --git a/Packs/AzureNetworkSecurityGroups/pack_metadata.json b/Packs/AzureNetworkSecurityGroups/pack_metadata.json index 8901a3f40a1b..7d487952032e 100644 --- a/Packs/AzureNetworkSecurityGroups/pack_metadata.json +++ b/Packs/AzureNetworkSecurityGroups/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Azure Network Security Groups", "description": "Azure Network Security Groups are used to filter network traffic to and from Azure resources in an Azure virtual network", "support": "xsoar", - "currentVersion": "1.2.3", + "currentVersion": "1.2.4", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/AzureRiskyUsers/ReleaseNotes/1_1_4.md b/Packs/AzureRiskyUsers/ReleaseNotes/1_1_4.md new file mode 100644 index 000000000000..8784d1b36948 --- /dev/null +++ b/Packs/AzureRiskyUsers/ReleaseNotes/1_1_4.md @@ -0,0 +1,4 @@ + +#### Integrations +##### Azure Risky Users +- Fixed an issue where in some rare cases, commands would fail with a `'NoneType' object is not subscriptable` message. diff --git a/Packs/AzureRiskyUsers/pack_metadata.json b/Packs/AzureRiskyUsers/pack_metadata.json index 90e15da6e36c..7cd2f5f02557 100644 --- a/Packs/AzureRiskyUsers/pack_metadata.json +++ b/Packs/AzureRiskyUsers/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Azure Risky Users", "description": "Azure Risky Users provides access to all at-risk users and risk detections in Azure AD environment.", "support": "xsoar", - "currentVersion": "1.1.3", + "currentVersion": "1.1.4", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/AzureSQLManagement/ReleaseNotes/1_1_4.md b/Packs/AzureSQLManagement/ReleaseNotes/1_1_4.md new file mode 100644 index 000000000000..18dc4dc158c9 --- /dev/null 
+++ b/Packs/AzureSQLManagement/ReleaseNotes/1_1_4.md @@ -0,0 +1,4 @@ + +#### Integrations +##### Azure SQL Management (Beta) +- Fixed an issue where in some rare cases, commands would fail with a `'NoneType' object is not subscriptable` message. diff --git a/Packs/AzureSQLManagement/pack_metadata.json b/Packs/AzureSQLManagement/pack_metadata.json index ce69ced1bed5..7bc9702b9c71 100644 --- a/Packs/AzureSQLManagement/pack_metadata.json +++ b/Packs/AzureSQLManagement/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Azure SQL Management (Beta)", "description": "Microsoft Azure SQL Database is a managed cloud database provided as part of Microsoft Azure", "support": "xsoar", - "currentVersion": "1.1.3", + "currentVersion": "1.1.4", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/AzureSecurityCenter/ReleaseNotes/1_3_5.md b/Packs/AzureSecurityCenter/ReleaseNotes/1_3_5.md new file mode 100644 index 000000000000..2ad0db248909 --- /dev/null +++ b/Packs/AzureSecurityCenter/ReleaseNotes/1_3_5.md @@ -0,0 +1,4 @@ + +#### Integrations +##### Microsoft Defender for Cloud +- Fixed an issue where in some rare cases, commands would fail with a `'NoneType' object is not subscriptable` message. diff --git a/Packs/AzureSecurityCenter/pack_metadata.json b/Packs/AzureSecurityCenter/pack_metadata.json index cc869042e30f..1c2d88c36d32 100644 --- a/Packs/AzureSecurityCenter/pack_metadata.json +++ b/Packs/AzureSecurityCenter/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Microsoft Defender for Cloud", "description": "Unified security management and advanced threat protection across hybrid cloud workloads.", "support": "xsoar", - "currentVersion": "1.3.4", + "currentVersion": "1.3.5", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/AzureSentinel/ReleaseNotes/1_4_5.md b/Packs/AzureSentinel/ReleaseNotes/1_4_5.md new file mode 100644 index 000000000000..27b28779c394 --- /dev/null 
+++ b/Packs/AzureSentinel/ReleaseNotes/1_4_5.md @@ -0,0 +1,4 @@ + +#### Integrations +##### Microsoft Sentinel +- Fixed an issue where in some rare cases, commands would fail with a `'NoneType' object is not subscriptable` message. diff --git a/Packs/AzureSentinel/pack_metadata.json b/Packs/AzureSentinel/pack_metadata.json index b967872bd8cb..5fca9abe1ecd 100644 --- a/Packs/AzureSentinel/pack_metadata.json +++ b/Packs/AzureSentinel/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Microsoft Sentinel", "description": "Azure Sentinel is a cloud-native security information and event manager (SIEM) platform that uses built-in AI to help analyze large volumes of data across an enterprise.", "support": "xsoar", - "currentVersion": "1.4.4", + "currentVersion": "1.4.5", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/AzureStorage/ReleaseNotes/1_2_4.md b/Packs/AzureStorage/ReleaseNotes/1_2_4.md new file mode 100644 index 000000000000..756a48b5b369 --- /dev/null +++ b/Packs/AzureStorage/ReleaseNotes/1_2_4.md @@ -0,0 +1,4 @@ + +#### Integrations +##### Azure Storage Management +- Fixed an issue where in some rare cases, commands would fail with a `'NoneType' object is not subscriptable` message. diff --git a/Packs/AzureStorage/pack_metadata.json b/Packs/AzureStorage/pack_metadata.json index 8a97d8e0ad7e..39925d00ccf8 100644 --- a/Packs/AzureStorage/pack_metadata.json +++ b/Packs/AzureStorage/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Azure Storage Management", "description": "Deploy and manage storage accounts and blob service properties.", "support": "xsoar", - "currentVersion": "1.2.3", + "currentVersion": "1.2.4", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", 
diff --git a/Packs/AzureStorageContainer/Integrations/AzureStorageContainer/AzureStorageContainer.py b/Packs/AzureStorageContainer/Integrations/AzureStorageContainer/AzureStorageContainer.py index 4bf1165a69ca..3d3269b5bf3f 100644 --- a/Packs/AzureStorageContainer/Integrations/AzureStorageContainer/AzureStorageContainer.py +++ b/Packs/AzureStorageContainer/Integrations/AzureStorageContainer/AzureStorageContainer.py @@ -1,4 +1,5 @@ import shutil +import urllib3 from typing import Callable from requests import Response @@ -893,7 +894,7 @@ def main() -> None: demisto.debug(f'Command being called is {command}') try: - requests.packages.urllib3.disable_warnings() + urllib3.disable_warnings() client: Client = Client(base_url, verify_certificate, proxy, account_sas_token, storage_account_name, api_version) diff --git a/Packs/AzureStorageContainer/Integrations/AzureStorageContainer/AzureStorageContainer.yml b/Packs/AzureStorageContainer/Integrations/AzureStorageContainer/AzureStorageContainer.yml index 66a09d296286..9772d611a586 100644 --- a/Packs/AzureStorageContainer/Integrations/AzureStorageContainer/AzureStorageContainer.yml +++ b/Packs/AzureStorageContainer/Integrations/AzureStorageContainer/AzureStorageContainer.yml @@ -439,7 +439,7 @@ script: description: Set Blob properties. execution: false name: azure-storage-container-blob-property-set - dockerimage: demisto/python3:3.10.5.31928 + dockerimage: demisto/python3:3.10.9.40422 feed: false isfetch: false longRunning: false diff --git a/Packs/AzureStorageContainer/ReleaseNotes/1_0_3.md b/Packs/AzureStorageContainer/ReleaseNotes/1_0_3.md new file mode 100644 index 000000000000..f0d3c3aa4ec3 --- /dev/null +++ b/Packs/AzureStorageContainer/ReleaseNotes/1_0_3.md @@ -0,0 +1,3 @@ +#### Integrations +##### Azure Storage Container +- Updated the Docker image to: *demisto/python3:3.10.9.40422*. 
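Review bot: The new `urllib3.disable_warnings()` line in main() suppresses every urllib3 warning category unconditionally, not just the InsecureRequestWarning that `verify_certificate=False` produces, so TLS-related warnings vanish even for instances that do verify certificates. Scoping it keeps that signal: `if not verify_certificate:` / `    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)`. `verify_certificate` is already in scope on the Client(...) line just below; main() continues outside the hunk.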
diff --git a/Packs/AzureStorageContainer/pack_metadata.json b/Packs/AzureStorageContainer/pack_metadata.json index 0a2cc9553451..216ef52fd80b 100644 --- a/Packs/AzureStorageContainer/pack_metadata.json +++ b/Packs/AzureStorageContainer/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Azure Storage Container", "description": "Create and Manage Azure Storage Container services.", "support": "xsoar", - "currentVersion": "1.0.2", + "currentVersion": "1.0.3", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/AzureStorageFileShare/Integrations/AzureStorageFileShare/AzureStorageFileShare.py b/Packs/AzureStorageFileShare/Integrations/AzureStorageFileShare/AzureStorageFileShare.py index 0ba9f6690ecb..c52b0d88d974 100644 --- a/Packs/AzureStorageFileShare/Integrations/AzureStorageFileShare/AzureStorageFileShare.py +++ b/Packs/AzureStorageFileShare/Integrations/AzureStorageFileShare/AzureStorageFileShare.py @@ -1,5 +1,6 @@ import copy import shutil +import urllib3 from typing import Callable from requests import Response @@ -763,7 +764,7 @@ def main() -> None: demisto.debug(f'Command being called is {command}') try: - requests.packages.urllib3.disable_warnings() + urllib3.disable_warnings() client: Client = Client(base_url, verify_certificate, proxy, account_sas_token, storage_account_name, api_version) diff --git a/Packs/AzureStorageFileShare/Integrations/AzureStorageFileShare/AzureStorageFileShare.yml b/Packs/AzureStorageFileShare/Integrations/AzureStorageFileShare/AzureStorageFileShare.yml index 20dcdb6e003a..c46f5960ea3a 100644 --- a/Packs/AzureStorageFileShare/Integrations/AzureStorageFileShare/AzureStorageFileShare.yml +++ b/Packs/AzureStorageFileShare/Integrations/AzureStorageFileShare/AzureStorageFileShare.yml 
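Review bot: `urllib3.disable_warnings()` in the AzureStorageFileShare main() hunk is a blanket call that also hides non-TLS urllib3 warnings for instances configured with `verify_certificate=True`. Gate it on the insecure configuration and name the category: `if not verify_certificate:` / `    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)`. The rest of main() lies outside the hunk.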
@@ -344,7 +344,7 @@ script: description: Delete file from Share. execution: true name: azure-storage-fileshare-file-delete - dockerimage: demisto/python3:3.10.5.31928 + dockerimage: demisto/python3:3.10.9.40422 feed: false isfetch: false longRunning: false diff --git a/Packs/AzureStorageFileShare/ReleaseNotes/1_0_3.md b/Packs/AzureStorageFileShare/ReleaseNotes/1_0_3.md new file mode 100644 index 000000000000..707373025378 --- /dev/null +++ b/Packs/AzureStorageFileShare/ReleaseNotes/1_0_3.md @@ -0,0 +1,3 @@ +#### Integrations +##### Azure Storage FileShare +- Updated the Docker image to: *demisto/python3:3.10.9.40422*. diff --git a/Packs/AzureStorageFileShare/pack_metadata.json b/Packs/AzureStorageFileShare/pack_metadata.json index 732b745148a4..4a62dcfe465e 100644 --- a/Packs/AzureStorageFileShare/pack_metadata.json +++ b/Packs/AzureStorageFileShare/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Azure Storage FileShare", "description": "Create and Manage Azure FileShare Files and Directories.", "support": "xsoar", - "currentVersion": "1.0.2", + "currentVersion": "1.0.3", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/AzureStorageTable/Integrations/AzureStorageTable/AzureStorageTable.py b/Packs/AzureStorageTable/Integrations/AzureStorageTable/AzureStorageTable.py index 890040b5d1c2..8d8317d1e077 100644 --- a/Packs/AzureStorageTable/Integrations/AzureStorageTable/AzureStorageTable.py +++ b/Packs/AzureStorageTable/Integrations/AzureStorageTable/AzureStorageTable.py @@ -2,6 +2,7 @@ from CommonServerPython import * # noqa: F401 import copy +import urllib3 from requests import Response DATE_FORMAT = '%Y-%m-%dT%H:%M:%S.%fZ' @@ -605,7 +606,7 @@ def main() -> None: demisto.debug(f'Command being called is {command}') try: - requests.packages.urllib3.disable_warnings() + urllib3.disable_warnings() client: Client = Client(base_url, verify_certificate, proxy, account_sas_token, storage_account_name, api_version) 
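Review bot: The replacement line `urllib3.disable_warnings()` in AzureStorageTable's main() disables all urllib3 warnings process-wide regardless of the `verify_certificate` value passed to Client on the next line. Restricting it to the case that actually triggers the warning, `if not verify_certificate:` / `    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)`, avoids silencing unrelated warnings on verified instances. main() continues past the end of the hunk.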
diff --git a/Packs/AzureStorageTable/Integrations/AzureStorageTable/AzureStorageTable.yml b/Packs/AzureStorageTable/Integrations/AzureStorageTable/AzureStorageTable.yml index 156cc75804da..cff5f9610433 100644 --- a/Packs/AzureStorageTable/Integrations/AzureStorageTable/AzureStorageTable.yml +++ b/Packs/AzureStorageTable/Integrations/AzureStorageTable/AzureStorageTable.yml @@ -265,7 +265,7 @@ script: description: Delete an existing entity in a table. execution: true name: azure-storage-table-entity-delete - dockerimage: demisto/python3:3.10.5.31928 + dockerimage: demisto/python3:3.10.9.40422 feed: false isfetch: false longRunning: false diff --git a/Packs/AzureStorageTable/ReleaseNotes/1_0_3.md b/Packs/AzureStorageTable/ReleaseNotes/1_0_3.md new file mode 100644 index 000000000000..f30ec3199a07 --- /dev/null +++ b/Packs/AzureStorageTable/ReleaseNotes/1_0_3.md @@ -0,0 +1,3 @@ +#### Integrations +##### Azure Storage Table +- Updated the Docker image to: *demisto/python3:3.10.9.40422*. diff --git a/Packs/AzureStorageTable/pack_metadata.json b/Packs/AzureStorageTable/pack_metadata.json index 4899537ad58b..712a7050e737 100644 --- a/Packs/AzureStorageTable/pack_metadata.json +++ b/Packs/AzureStorageTable/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Azure Storage Table", "description": "Create and Manage Azure Storage Tables and Entities.", "support": "xsoar", - "currentVersion": "1.0.2", + "currentVersion": "1.0.3", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/AzureWAF/ReleaseNotes/1_1_4.md b/Packs/AzureWAF/ReleaseNotes/1_1_4.md new file mode 100644 index 000000000000..066fafbc3fdd --- /dev/null +++ b/Packs/AzureWAF/ReleaseNotes/1_1_4.md @@ -0,0 +1,4 @@ + +#### Integrations +##### Azure Web Application Firewall +- Fixed an issue where in some rare cases, commands would fail with a `'NoneType' object is not subscriptable` message. 
diff --git a/Packs/AzureWAF/pack_metadata.json b/Packs/AzureWAF/pack_metadata.json index 6d944a7977ca..e8f89922a419 100644 --- a/Packs/AzureWAF/pack_metadata.json +++ b/Packs/AzureWAF/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Azure WAF", "description": "Azure Web Application Firewall is used to detect web related attacks targeting your web servers hosted in azure and allow quick respond to threats", "support": "xsoar", - "currentVersion": "1.1.3", + "currentVersion": "1.1.4", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/BPA/Integrations/BPA/BPA.py b/Packs/BPA/Integrations/BPA/BPA.py index 1460c86bc2fc..1419a40b6f8a 100644 --- a/Packs/BPA/Integrations/BPA/BPA.py +++ b/Packs/BPA/Integrations/BPA/BPA.py @@ -234,15 +234,16 @@ def get_results_command(client: Client, args: Dict): 'Checks': job_checks, 'Status': status }} - human_readable = tableToMarkdown('BPA Results', job_checks) + headers = ['check_id', 'check_category', 'check_feature', 'check_message', 'check_name', 'check_passed', + 'check_type', 'check_severity'] + human_readable = tableToMarkdown('BPA Results', job_checks, headers=headers, headerTransform=string_to_table_header) return human_readable, context, results def download_report_handler(client: Client, task_id): downloaded_report = client.get_download_results_request(task_id) - demisto.results( - fileResult(task_id + DOWNLOADED_REPORT_NAME_SUFFIX, downloaded_report, entryTypes['entryInfoFile'])) + demisto.results(fileResult(task_id + DOWNLOADED_REPORT_NAME_SUFFIX, downloaded_report, entryTypes['entryInfoFile'])) def test_module(client, panorama): diff --git a/Packs/BPA/Integrations/BPA/BPA.yml b/Packs/BPA/Integrations/BPA/BPA.yml index f3424e676fd6..9e1dd7120669 100644 --- a/Packs/BPA/Integrations/BPA/BPA.yml +++ b/Packs/BPA/Integrations/BPA/BPA.yml 
@@ -180,7 +180,7 @@ script: - contextPath: InfoFile.Extension description: File extension. type: string - dockerimage: demisto/python3:3.10.8.37233 + dockerimage: demisto/python3:3.10.9.40422 feed: false isfetch: false longRunning: false diff --git a/Packs/BPA/ReleaseNotes/1_2_15.md b/Packs/BPA/ReleaseNotes/1_2_15.md index 9d4b96500e40..ae62be06f184 100644 --- a/Packs/BPA/ReleaseNotes/1_2_15.md +++ b/Packs/BPA/ReleaseNotes/1_2_15.md @@ -1,4 +1,4 @@ #### Integrations ##### Palo Alto Networks BPA -Documentation and metadata improvements. \ No newline at end of file +Documentation and metadata improvements. diff --git a/Packs/BPA/ReleaseNotes/1_2_16.md b/Packs/BPA/ReleaseNotes/1_2_16.md new file mode 100644 index 000000000000..61f4d128472d --- /dev/null +++ b/Packs/BPA/ReleaseNotes/1_2_16.md @@ -0,0 +1,5 @@ + +#### Integrations +##### Palo Alto Networks BPA +- Updated the Docker image to: *demisto/python3:3.10.9.40422*. +- Updated the human-readable section in the ***pan-os-bpa-get-job-results*** command. diff --git a/Packs/BPA/pack_metadata.json b/Packs/BPA/pack_metadata.json index 40d367e7649c..e9aa57cb9dda 100644 --- a/Packs/BPA/pack_metadata.json +++ b/Packs/BPA/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Best Practice Assessment (BPA) by Palo Alto Networks", "description": "Palo Alto Networks Best Practice Assessment (BPA) analyzes NGFW and Panorama configurations and compares them to the best practices.", "support": "xsoar", - "currentVersion": "1.2.15", + "currentVersion": "1.2.16", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/Base/.secrets-ignore b/Packs/Base/.secrets-ignore index fbe1d2d52424..06c31ece87f8 100644 --- a/Packs/Base/.secrets-ignore +++ b/Packs/Base/.secrets-ignore @@ -147,3 +147,5 @@ mei_qiang_82@sohu.com b4:1a:bf:40:27:21:76:28 0e:97:88:1c:6c:a1:37:96 42:03:bc:45:42:24:75:6c +http://test.t +http://.www.test.test 
diff --git a/Packs/Base/ReleaseNotes/1_31_46.md b/Packs/Base/ReleaseNotes/1_31_46.md new file mode 100644 index 000000000000..3b64f2921f56 --- /dev/null +++ b/Packs/Base/ReleaseNotes/1_31_46.md @@ -0,0 +1,4 @@ + +#### Scripts +##### CommonServerPython +- Added to SSLAdapter class support for HTTPAdapter initialization arguments. diff --git a/Packs/Base/ReleaseNotes/1_31_47.md b/Packs/Base/ReleaseNotes/1_31_47.md new file mode 100644 index 000000000000..328c04fd1bba --- /dev/null +++ b/Packs/Base/ReleaseNotes/1_31_47.md @@ -0,0 +1,4 @@ + +#### Scripts +##### CommonServerPython +- Updated the URL regular expression. diff --git a/Packs/Base/ReleaseNotes/1_31_48.md b/Packs/Base/ReleaseNotes/1_31_48.md new file mode 100644 index 000000000000..9d561dce337f --- /dev/null +++ b/Packs/Base/ReleaseNotes/1_31_48.md @@ -0,0 +1,3 @@ +#### Scripts +##### CommonServerPython +- Fixed an issue in *look-back* functionality where incident ids were removed from the *last-run* before finished fetching all incidents in the same time. \ No newline at end of file diff --git a/Packs/Base/ReleaseNotes/1_31_50.md b/Packs/Base/ReleaseNotes/1_31_50.md new file mode 100644 index 000000000000..4485f6f51976 --- /dev/null +++ b/Packs/Base/ReleaseNotes/1_31_50.md @@ -0,0 +1,3 @@ +#### Scripts +##### CommonServerPython +Added the optional **Publications** field to the **CVE** indicator. \ No newline at end of file diff --git a/Packs/Base/ReleaseNotes/1_31_51.md b/Packs/Base/ReleaseNotes/1_31_51.md new file mode 100644 index 000000000000..50231ade0974 --- /dev/null +++ b/Packs/Base/ReleaseNotes/1_31_51.md @@ -0,0 +1,3 @@ +#### Scripts +##### CommonServerPython +Improved the error shown when failing to parse a request response. \ No newline at end of file diff --git a/Packs/Base/Scripts/CommonServerPython/CommonServerPython.py b/Packs/Base/Scripts/CommonServerPython/CommonServerPython.py index b16984cd733e..11e5b1ad6d32 100644 --- a/Packs/Base/Scripts/CommonServerPython/CommonServerPython.py 
+++ b/Packs/Base/Scripts/CommonServerPython/CommonServerPython.py @@ -138,9 +138,6 @@ def fix_traceback_line_numbers(trace_str): return trace_str -from DemistoClassApiModule import * # type:ignore [no-redef] # noqa:E402 - - OS_LINUX = False OS_MAC = False OS_WINDOWS = False @@ -3917,6 +3914,9 @@ class CVE(Indicator): :type traffic_light_protocol: ``str`` :param traffic_light_protocol: The CVE tlp color. + :type publications: ``str`` + :param publications: Unique system-assigned ID of the vulnerability evaluation logic + :type dbot_score: ``DBotScore`` :param dbot_score: If file has a score then create and set a DBotScore object @@ -3927,7 +3927,7 @@ class CVE(Indicator): def __init__(self, id, cvss, published, modified, description, relationships=None, stix_id=None, cvss_version=None, cvss_score=None, cvss_vector=None, cvss_table=None, community_notes=None, - tags=None, traffic_light_protocol=None, dbot_score=None): + tags=None, traffic_light_protocol=None, dbot_score=None, publications=None): # type (str, str, str, str, str) -> None # Main indicator value @@ -3946,6 +3946,7 @@ def __init__(self, id, cvss, published, modified, description, relationships=Non self.stix_id = stix_id self.tags = tags self.traffic_light_protocol = traffic_light_protocol + self.publications = publications # XSOAR Fields self.relationships = relationships @@ -4001,6 +4002,9 @@ def to_context(self): if self.traffic_light_protocol: cve_context['TrafficLightProtocol'] = self.traffic_light_protocol + if self.publications: + cve_context['Publications'] = self.create_context_table(self.publications) + ret_value = { Common.CVE.CONTEXT_PATH: cve_context } @@ -5213,6 +5217,7 @@ class SubjectAlternativeName(object): :return: None :rtype: ``None`` """ + def __init__( self, gn=None, # type: Optional[Common.GeneralName] @@ -5252,6 +5257,7 @@ class AuthorityKeyIdentifier(object): :return: None :rtype: ``None`` """ + def __init__( self, issuer=None, # type: Optional[List[Common.GeneralName]] 
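Review bot: The added docstring entry `:type publications: ``str``` in the CVE class contradicts the new to_context branch, which hands `self.publications` to `self.create_context_table(...)`, a helper that presumably expects a list of row dicts rather than a string, and the description "Unique system-assigned ID of the vulnerability evaluation logic" reads as copied from another field and does not describe publications at all. Suggest `:type publications: ``list``` and `:param publications: Publications (references/advisories) associated with the CVE; each entry becomes a row of the Publications context table.` The CVE class header and the remainder of to_context are outside these hunks, so the exact row schema should be confirmed against create_context_table.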
@@ -5295,6 +5301,7 @@ class DistributionPoint(object): :return: None :rtype: ``None`` """ + def __init__( self, full_name=None, # type: Optional[List[Common.GeneralName]] @@ -5334,6 +5341,7 @@ class CertificatePolicy(object): :return: None :rtype: ``None`` """ + def __init__( self, policy_identifier, # type: str @@ -5366,6 +5374,7 @@ class AuthorityInformationAccess(object): :return: None :rtype: ``None`` """ + def __init__( self, access_method, # type: str @@ -5394,6 +5403,7 @@ class BasicConstraints(object): :return: None :rtype: ``None`` """ + def __init__( self, ca, # type: bool @@ -6101,6 +6111,7 @@ class IndicatorsTimeline: :return: None :rtype: ``None`` """ + def __init__(self, indicators=None, category=None, message=None): # type: (list, str, str) -> None if indicators is None: @@ -6133,7 +6144,6 @@ def __init__(self, indicators=None, category=None, message=None): def arg_to_number(arg, arg_name=None, required=False): # type: (Any, Optional[str], bool) -> Optional[int] - """Converts an XSOAR argument to a Python int This function is used to quickly validate an argument provided to XSOAR @@ -6191,7 +6201,6 @@ def arg_to_number(arg, arg_name=None, required=False): def arg_to_datetime(arg, arg_name=None, is_utc=True, required=False, settings=None): # type: (Any, Optional[str], bool, bool, dict) -> Optional[datetime] - """Converts an XSOAR argument to a datetime This function is used to quickly validate an argument provided to XSOAR @@ -7053,6 +7062,7 @@ class ExecutionMetrics(object): :return: None :rtype: ``None`` """ + def __init__(self, success=0, quota_error=0, general_error=0, auth_error=0, service_error=0, connection_error=0, proxy_error=0, ssl_error=0, timeout_error=0): self._metrics = [] @@ -7237,6 +7247,7 @@ class Command: :return: None :rtype: ``None`` """ + def __init__(self, commands, args_lst, brand=None, instance=None): """ 
@@ -7286,6 +7297,7 @@ class Result: :return: None :rtype: ``None`` """ + def __init__(self, command, args, brand, instance, result): """ :param command: command that was run. 
@@ -7557,7 +7569,7 @@ def replace_str(src_str): ipv6cidrRegex = r'^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))$' # noqa: E501 emailRegex = r'''(?:[a-z0-9!#$%&'*+/=?^_\x60{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_\x60{|}~-]+)*|"(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\[(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?|[a-z0-9-]*[a-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\])''' # noqa: E501 hashRegex = r'\b[0-9a-fA-F]+\b' -urlRegex = 
r"(?i)^[\[({\"']*(?P(?P(?:https?|hxxps?|s?ftps?|meows?)[:-](?:\/\/|\\\\|3A__))?(?P(?P(?:[\w\-_]+\[?\.\]?)+[^\W\d]{2,})|(?P(?:(?:25[0-5]|2[0-4][\d]|[01]?[\d][\d]?)\.){3}(?:25[0-5]|2[0-4][\d]|[01]?[\d][\d]?)|[1])|(?P0\[?x]?[\da-f]{8})|(?P\[?(?:(?:[\da-fA-F]{1,4}:){7,7}[\da-fA-F]{1,4}|(?:[\da-fA-F]{1,4}:){1,7}:|([\da-fA-F]{1,4}:){1,6}:[\da-fA-F]{1,4}|([\da-fA-F]{1,4}:){1,5}(:[\da-fA-F]{1,4}){1,2}|([\da-fA-F]{1,4}:){1,4}(:[\da-fA-F]{1,4}){1,3}|([\da-fA-F]{1,4}:){1,3}(:[\da-fA-F]{1,4}){1,4}|([\da-fA-F]{1,4}:){1,2}(:[\da-fA-F]{1,4}){1,5}|[\da-fA-F]{1,4}:(?:(:[\da-fA-F]{1,4}){1,6})|:(?:(:[\da-fA-F]{1,4}){1,7}|:)|fe80:(?::[\da-fA-F]{0,4}){0,4}%[\da-zA-Z]{1,}|::(?:ffff(?::0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[\d]){0,1}[\d])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[\d]){0,1}[\d])|([\da-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[\d]){0,1}[\d])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[\d]){0,1}[\d]))\]?))(?P:(?:6[0-5][\d]{3}|[1-5][\d]{4}|[1-9][\d]{,3}))?(?P\/(?:[^?#\s]+\/)*[^?#\s]+)(?P\?[^\s#]*)?(?P#[\w\d]*)?)[\[({\"']*$" # noqa: E501 +urlRegex = 
r"(?i)^[\[({\"']*(?:(?P(?P(?:https?|hxxps?|s?ftps?|meows?)[:-](?:\/\/|\\\\|3A__))?(?P(?P(?:[\w\-_]+\[?\.\]?)+[^\W\d]{2,})|(?P(?:(?:25[0-5]|2[0-4][\d]|[01]?[\d][\d]?)\.){3}(?:25[0-5]|2[0-4][\d]|[01]?[\d][\d]?)|[1])|(?P0\[?x]?[\da-f]{8})|(?P\[?(?:(?:[\da-fA-F]{1,4}:){7,7}[\da-fA-F]{1,4}|(?:[\da-fA-F]{1,4}:){1,7}:|([\da-fA-F]{1,4}:){1,6}:[\da-fA-F]{1,4}|([\da-fA-F]{1,4}:){1,5}(:[\da-fA-F]{1,4}){1,2}|([\da-fA-F]{1,4}:){1,4}(:[\da-fA-F]{1,4}){1,3}|([\da-fA-F]{1,4}:){1,3}(:[\da-fA-F]{1,4}){1,4}|([\da-fA-F]{1,4}:){1,2}(:[\da-fA-F]{1,4}){1,5}|[\da-fA-F]{1,4}:(?:(:[\da-fA-F]{1,4}){1,6})|:(?:(:[\da-fA-F]{1,4}){1,7}|:)|fe80:(?::[\da-fA-F]{0,4}){0,4}%[\da-zA-Z]{1,}|::(?:ffff(?::0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[\d]){0,1}[\d])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[\d]){0,1}[\d])|([\da-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[\d]){0,1}[\d])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[\d]){0,1}[\d]))\]?))(?P:(?:6[0-5][\d]{3}|[1-5][\d]{4}|[1-9][\d]{,3}))?(?P\/(?:[^?#\s]+\/)*[^?#\s]+)(?P\?[^\s#]*)?(?P#[\w\d]*)?)|(?:https?|hxxps?|s?ftps?|meows?)[:-](?:\/\/|\\\\|3A__)(?:(?:[\w\-_]+\[?\.\]?)+[^\W\d]{2,})\/?)[\[({\"']*$" # noqa: E501 domainRegex = r"(?i)(?:(?:http|ftp|hxxp)s?(?:://|-3A__|%3A%2F%2F))?((?:[^\\\.@\s\"',(\[:?=]+(?:\.|\[\.\]))+[a-zA-Z]{2,})(?:[_/\s\"',)\]]|[.]\s|%2F|$)" cveRegex = r'(?i)^cve-\d{4}-([1-9]\d{4,}|\d{4})$' md5Regex = re.compile(r'\b[0-9a-fA-F]{32}\b', regexFlags) @@ -8283,11 +8295,11 @@ class SSLAdapter(HTTPAdapter): """ context = create_urllib3_context(ciphers=CIPHERS_STRING) - def __init__(self, verify=True): - # type: (bool) -> None + def __init__(self, verify=True, **kwargs): + # type: (bool, dict) -> None if not verify and ssl.OPENSSL_VERSION_INFO >= (3, 0, 0, 0): self.context.options |= 0x4 - super().__init__() + super().__init__(**kwargs) def init_poolmanager(self, *args, **kwargs): kwargs['ssl_context'] = self.context 
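Review bot: The alternative appended at the end of urlRegex repeats the nested quantifier `(?:[\w\-_]+\[?\.\]?)+[^\W\d]{2,}`, an `(x+)+` shape over overlapping character classes; since this regex runs over untrusted indicator text and the first alternative (which needs a path) now fails before the new one is tried, an input of `http://` followed by a few thousand word characters and a non-matching tail can make `re` backtrack super-linearly, so it is worth timing before merge and, if it reproduces, making the label run atomic (`(?>…)`, Python 3.11+) or otherwise removing the overlap between the label and the optional dot. Separately, the new branch sits outside the first alternative's `(?P<…>` named groups, so those groups are unset for exactly the inputs it was added for (`http://test.com`); any caller reading them by name will see None, which should either be documented or avoided by wrapping the new branch with the same names. The constant is module-level; nothing else in this hunk changes.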
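Review bot: `self.context.options |= 0x4` in the rewritten SSLAdapter.__init__ still mutates the class-level `context = create_urllib3_context(ciphers=CIPHERS_STRING)` shown above the method, so the first adapter built with `verify=False` flips that option for every SSLAdapter in the process, including later ones created with `verify=True`; creating the context per instance before the check, `self.context = create_urllib3_context(ciphers=CIPHERS_STRING)`, keeps the relaxation scoped (init_poolmanager reads `self.context`, so this has to precede `super().__init__(**kwargs)`). The new type comment `# type: (bool, dict) -> None` types each keyword value as dict; for a `**kwargs` pass-through it should read `# type: (bool, **Any) -> None`. A short comment naming what `0x4` is (presumably SSL_OP_LEGACY_SERVER_CONNECT, to be confirmed against the OpenSSL headers) would also help; the class and its other methods continue outside the hunk.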
@@ -8602,8 +8614,8 @@ def _http_request(self, method, url_suffix='', full_url=None, headers=None, auth return res return res except ValueError as exception: - raise DemistoException('Failed to parse json object from response: {}' - .format(res.content), exception, res) + raise DemistoException('Failed to parse {} object from response: {}' + .format(resp_type, res.content), exception, res) except requests.exceptions.ConnectTimeout as exception: err_msg = 'Connection Timeout Error - potential reasons might be that the Server URL parameter' \ ' is incorrect or that the Server is not accessible from your host.' @@ -8656,7 +8668,7 @@ def _is_status_code_valid(self, response, ok_codes=None): return response.status_code in status_codes return response.ok - def client_error_handler(self, res): + def client_error_handler(self, res): """Generic handler for API call error Constructs and throws a proper error for the API call response. @@ -9519,6 +9531,7 @@ class AutoFocusKeyRetriever: :return: No data returned :rtype: ``None`` """ + def __init__(self, api_key): # demisto.getAutoFocusApiKey() is available from version 6.2.0 if not api_key: @@ -10010,6 +10023,7 @@ class PollResult: :rtype: ``PollResult`` """ + def __init__(self, response, continue_to_poll=False, args_for_next_run=None, partial_result=None): """ Constructor for PollResult @@ -10437,7 +10451,7 @@ def remove_old_incidents_ids(found_incidents_ids, current_time, look_back): return new_found_incidents_ids -def get_found_incident_ids(last_run, incidents, look_back, id_field): +def get_found_incident_ids(last_run, incidents, look_back, id_field, remove_incident_ids): """ Gets the found incident ids from the last run object and adds the new fetched incident IDs. 
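Review bot: The new `remove_incident_ids` parameter on `get_found_incident_ids` is required and positional, which breaks any integration calling this public CommonServerPython helper directly with the previous four arguments; a default that preserves the old pruning behaviour, `def get_found_incident_ids(last_run, incidents, look_back, id_field, remove_incident_ids=True):`, keeps the API compatible while letting update_last_run_object pass False. The docstring that follows should also gain `:type remove_incident_ids: ``bool``` / `:param remove_incident_ids: Whether ids older than the look-back window are dropped before returning.` The function body continues outside this hunk.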
@@ -10462,8 +10476,8 @@ def get_found_incident_ids(last_run, incidents, look_back, id_field):
 for incident in incidents:
 found_incidents[incident[id_field]] = current_time
-
- found_incidents = remove_old_incidents_ids(found_incidents, current_time, look_back)
+ if remove_incident_ids:
+ found_incidents = remove_old_incidents_ids(found_incidents, current_time, look_back)
 return found_incidents
@@ -10505,6 +10519,8 @@ def create_updated_last_run_object(last_run, incidents, fetch_limit, look_back,
 :rtype: ``Dict``
 """
+ remove_incident_ids = True
+
 if len(incidents) == 0:
 new_last_run = {
 'time': end_fetch_time,
@@ -10518,12 +10534,13 @@ def create_updated_last_run_object(last_run, incidents, fetch_limit, look_back,
 'limit': fetch_limit,
 }
 else:
+ remove_incident_ids = False
 new_last_run = {
 'time': start_fetch_time,
 'limit': last_run.get('limit', fetch_limit) + fetch_limit,
 }
- return new_last_run
+ return new_last_run, remove_incident_ids
 def update_last_run_object(last_run, incidents, fetch_limit, start_fetch_time, end_fetch_time, look_back,
@@ -10565,10 +10582,18 @@ def update_last_run_object(last_run, incidents, fetch_limit, start_fetch_time, e
 :rtype: ``Dict``
 """
- found_incidents = get_found_incident_ids(last_run, incidents, look_back, id_field)
+ updated_last_run, remove_incident_ids = create_updated_last_run_object(last_run,
+ incidents,
+ fetch_limit,
+ look_back,
+ start_fetch_time,
+ end_fetch_time,
+ created_time_field,
+ date_format,
+ increase_last_run_time,
+ )
- updated_last_run = create_updated_last_run_object(last_run, incidents, fetch_limit, look_back, start_fetch_time,
- end_fetch_time, created_time_field, date_format, increase_last_run_time)
+ found_incidents = get_found_incident_ids(last_run, incidents, look_back, id_field, remove_incident_ids)
 if found_incidents:
 updated_last_run.update({'found_incident_ids': found_incidents})
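Review bot: `create_updated_last_run_object` now returns `new_last_run, remove_incident_ids`, but the docstring visible at the top of the `-10505` hunk still states `:rtype: ``Dict```, so the documented contract is wrong for every caller that reads it. It should become `:return: The updated last run object and a flag saying whether found-incident IDs outside the look-back window may be pruned` with `:rtype: ``Tuple[Dict, bool]```; from the visible branches the flag is `False` only in the `else` branch that keeps `start_fetch_time` and raises the limit, which looks like the "same window, fetch more" case, but the `elif` between the hunks is not visible, so confirm before wording it that way. In `update_last_run_object` the reorder is fine, but a comment above the call, `# the flag decides whether get_found_incident_ids prunes IDs outside the look-back window`, would make the new data dependency between the two calls explicit. Both function bodies extend beyond the hunks.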
@@ -10612,6 +10637,7 @@ class OutputArgument:
 :return: The OutputArgument object
 :rtype: ``OutputArgument``
 """
+
 def __init__(self,
 name,
 output_type=dict,
@@ -10630,6 +10656,7 @@ class InputArgument:
 :return: The InputArgument object
 :rtype: ``InputArgument``
 """
+
 def __init__(self,
 name=None,
 description=None,
@@ -10653,6 +10680,7 @@ class ConfKey:
 :return: The ConfKey object
 :rtype: ``ConfKey``
 """
+
 def __init__(self,
 name,
 display=None,
@@ -10676,6 +10704,7 @@ class YMLMetadataCollector:
 :return: The YMLMetadataCollector object
 :rtype: ``YMLMetadataCollector``
 """
+
 def __init__(self, integration_name, docker_image="demisto/python3:latest", description=None, category="Utilities", conf=None, is_feed=False, is_fetch=False, is_runonce=False,
diff --git a/Packs/Base/Scripts/CommonServerPython/CommonServerPython_test.py b/Packs/Base/Scripts/CommonServerPython/CommonServerPython_test.py
index 09b810b9b11e..6e8acf1e6340 100644
--- a/Packs/Base/Scripts/CommonServerPython/CommonServerPython_test.py
+++ b/Packs/Base/Scripts/CommonServerPython/CommonServerPython_test.py
@@ -3447,7 +3447,7 @@ def test_append_context(mocker, context_mock, data_mock, key, expected_answer):
 ('test@gmail.com', 'Email'),
 ('e775eb1250137c0b83d4e7c4549c71d6f10cae4e708ebf0b5c4613cbd1e91087', 'File'),
 ('test@yahoo.com', 'Email'),
- ('http://test.com', 'Domain'),
+ ('http://test.com', 'URL'),
 ('11.111.11.11/11', 'CIDR'),
 ('CVE-0000-0000', 'CVE'),
 ('dbot@demisto.works', 'Email'),
@@ -7807,6 +7807,224 @@ def test_fetch_with_look_back(self, mocker, params, result_phase1, result_phase2 else: self.INCIDENTS = incidents + @pytest.mark.parametrize( + 'args1, expected_results1, args2, expected_results2, args3, expected_results3', + [ + ( + { + 'incidents': [ + {'createAt': '2022-04-01T10:11:00', 'id': '1'}, + {'createAt': '2022-04-01T10:12:00', 'id': '2'}, + {'createAt': '2022-04-01T10:13:00', 'id': '3'} + ], + 'fetch_limit': 3, + 'start_fetch_time': '2022-04-01T10:11:00', + 'end_fetch_time': '2022-04-05T10:11:00', + 'look_back': 1, + 'created_time_field': 'createAt', + 'id_field': 'id', + 'date_format': '%Y-%m-%dT%H:%M:%S', + 'increase_last_run_time': True + }, + { + 'time': '2022-04-01T10:11:00', + 'limit': 6, + 'found_incident_ids': {'1': '', '2': '', '3': ''} + }, + { + 'incidents': [ + {'createAt': '2022-04-02T10:11:00', 'id': '4'}, + {'createAt': '2022-04-02T10:12:00', 'id': '5'}, + {'createAt': '2022-04-02T10:13:00', 'id': '6'} + ], + 'fetch_limit': 3, + 'start_fetch_time': '2022-04-01T10:11:00', + 'end_fetch_time': '2022-04-06T10:11:00', + 'look_back': 1, + 'created_time_field': 'createAt', + 'id_field': 'id', + 'date_format': '%Y-%m-%dT%H:%M:%S', + 'increase_last_run_time': True + }, + { + 'time': '2022-04-01T10:11:00', + 'limit': 9, + 'found_incident_ids': {'1': '', '2': '', '3': '', + '4': '', '5': '', '6': ''} + }, + { + 'incidents': [ + {'createAt': '2022-04-03T10:11:00', 'id': '7'}, + {'createAt': '2022-04-03T10:12:00', 'id': '8'}, + {'createAt': '2022-04-03T10:13:00', 'id': '9'} + ], + 'fetch_limit': 3, + 'start_fetch_time': '2022-04-01T10:11:00', + 'end_fetch_time': '2022-04-07T10:11:00', + 'look_back': 1, + 'created_time_field': 'createAt', + 'id_field': 'id', + 'date_format': '%Y-%m-%dT%H:%M:%S', + 'increase_last_run_time': True + }, + { + 'time': '2022-04-01T10:11:00', + 'limit': 12, + 'found_incident_ids': {'1': '', '2': '', '3': '', + '4': '', '5': '', '6': '', + '7': '', '8': '', '9': ''} + } + ), + ( + { + 'incidents': [ + 
{'createAt': '2022-04-01T10:11:00', 'id': '1'}, + {'createAt': '2022-04-01T10:12:00', 'id': '2'}, + {'createAt': '2022-04-01T10:13:00', 'id': '3'} + ], + 'fetch_limit': 3, + 'start_fetch_time': '2022-04-01T10:11:00', + 'end_fetch_time': '2022-04-05T10:11:00', + 'look_back': 1, + 'created_time_field': 'createAt', + 'id_field': 'id', + 'date_format': '%Y-%m-%dT%H:%M:%S', + 'increase_last_run_time': True + }, + { + 'time': '2022-04-01T10:11:00', + 'limit': 6, + 'found_incident_ids': {'1': '', '2': '', '3': ''} + }, + { + 'incidents': [ + {'createAt': '2022-04-02T10:11:00', 'id': '4'}, + {'createAt': '2022-04-02T10:12:00', 'id': '5'}, + ], + 'fetch_limit': 3, + 'start_fetch_time': '2022-04-01T10:11:00', + 'end_fetch_time': '2022-04-06T10:11:00', + 'look_back': 1, + 'created_time_field': 'createAt', + 'id_field': 'id', + 'date_format': '%Y-%m-%dT%H:%M:%S', + 'increase_last_run_time': True + }, + { + 'time': '2022-04-02T10:12:00', + 'limit': 3, + 'found_incident_ids': {'4': '', '5': ''} + }, + { + 'incidents': [ + {'createAt': '2022-04-03T10:11:00', 'id': '7'}, + {'createAt': '2022-04-03T10:12:00', 'id': '8'}, + {'createAt': '2022-04-03T10:13:00', 'id': '9'} + ], + 'fetch_limit': 3, + 'start_fetch_time': '2022-04-02T10:12:00', + 'end_fetch_time': '2022-04-07T10:11:00', + 'look_back': 1, + 'created_time_field': 'createAt', + 'id_field': 'id', + 'date_format': '%Y-%m-%dT%H:%M:%S', + 'increase_last_run_time': True + }, + { + 'time': '2022-04-02T10:12:00', + 'limit': 6, + 'found_incident_ids': {'4': '', '5': '', + '7': '', '8': '', '9': ''} + } + ), + ( + { + 'incidents': [ + {'createAt': '2022-04-01T10:11:00', 'id': '1'}, + {'createAt': '2022-04-01T10:12:00', 'id': '2'}, + {'createAt': '2022-04-01T10:13:00', 'id': '3'} + ], + 'fetch_limit': 3, + 'start_fetch_time': '2022-04-01T10:11:00', + 'end_fetch_time': '2022-04-05T10:11:00', + 'look_back': 1, + 'created_time_field': 'createAt', + 'id_field': 'id', + 'date_format': '%Y-%m-%dT%H:%M:%S', + 'increase_last_run_time': True + 
}, + { + 'time': '2022-04-01T10:11:00', + 'limit': 6, + 'found_incident_ids': {'1': '', '2': '', '3': ''} + }, + { + 'incidents': [], + 'fetch_limit': 3, + 'start_fetch_time': '2022-04-01T10:11:00', + 'end_fetch_time': '2022-04-06T10:11:00', + 'look_back': 1, + 'created_time_field': 'createAt', + 'id_field': 'id', + 'date_format': '%Y-%m-%dT%H:%M:%S', + 'increase_last_run_time': True + }, + { + 'time': '2022-04-06T10:11:00', + 'limit': 3, + 'found_incident_ids': {'1': '', '2': '', '3': ''} + }, + { + 'incidents': [], + 'fetch_limit': 3, + 'start_fetch_time': '2022-04-02T10:12:00', + 'end_fetch_time': '2022-04-07T10:11:00', + 'look_back': 1, + 'created_time_field': 'createAt', + 'id_field': 'id', + 'date_format': '%Y-%m-%dT%H:%M:%S', + 'increase_last_run_time': True + }, + { + 'time': '2022-04-07T10:11:00', + 'limit': 3, + 'found_incident_ids': {'1': '', '2': '', '3': ''} + } + ) + ] + ) + def test_update_last_run_object(self, args1, expected_results1, args2, expected_results2, args3, expected_results3): + + from CommonServerPython import update_last_run_object + + args1.update({'last_run': {}}) + results = update_last_run_object(**args1) + + assert results.get('time') == expected_results1.get('time') + assert results.get('limit') == expected_results1.get('limit') + for id_ in results.get('found_incident_ids').keys(): + assert id_ in expected_results1.get('found_incident_ids') + + for id_ in results.get('found_incident_ids'): + results['found_incident_ids'][id_] = results['found_incident_ids'][id_] - 200 + args2.update({'last_run': results}) + results = update_last_run_object(**args2) + + assert results.get('time') == expected_results2.get('time') + assert results.get('limit') == expected_results2.get('limit') + for id_ in results.get('found_incident_ids').keys(): + assert id_ in expected_results2.get('found_incident_ids') + + for id_ in results.get('found_incident_ids'): + results['found_incident_ids'][id_] = results['found_incident_ids'][id_] - 200 + 
args3.update({'last_run': results}) + results = update_last_run_object(**args3) + + assert results.get('time') == expected_results3.get('time') + assert results.get('limit') == expected_results3.get('limit') + for id_ in results.get('found_incident_ids').keys(): + assert id_ in expected_results3.get('found_incident_ids') + class TestTracebackLineNumberAdgustment: @staticmethod diff --git a/Packs/Base/TestPlaybooks/playbook-Indicators-reputation-.json-Test.yml b/Packs/Base/TestPlaybooks/playbook-Indicators-reputation-.json-Test.yml index 73a84b136bac..cfcad8ca831c 100644 --- a/Packs/Base/TestPlaybooks/playbook-Indicators-reputation-.json-Test.yml +++ b/Packs/Base/TestPlaybooks/playbook-Indicators-reputation-.json-Test.yml @@ -6,10 +6,10 @@ starttaskid: "0" tasks: "0": id: "0" - taskid: bcabcfdf-4792-4845-8f07-6f3da93d5b44 + taskid: 96dfc405-6764-4647-882b-ff224743acc8 type: start task: - id: bcabcfdf-4792-4845-8f07-6f3da93d5b44 + id: 96dfc405-6764-4647-882b-ff224743acc8 version: -1 name: "" iscommand: false @@ -36,10 +36,10 @@ tasks: isautoswitchedtoquietmode: false "8": id: "8" - taskid: 88f2eee0-0805-4e96-8938-b5618b762231 + taskid: 070cde1a-68e5-482f-8f1f-3f246e281721 type: title task: - id: 88f2eee0-0805-4e96-8938-b5618b762231 + id: 070cde1a-68e5-482f-8f1f-3f246e281721 version: -1 name: FIle type: title @@ -55,7 +55,7 @@ tasks: { "position": { "x": 50, - "y": 9960 + "y": 8590 } } note: false @@ -67,10 +67,10 @@ tasks: isautoswitchedtoquietmode: false "9": id: "9" - taskid: 539b85a7-0392-47e5-81e4-c3a83e43b2aa + taskid: a98837d5-6033-4310-8f08-4727b0ef2be5 type: regular task: - id: 539b85a7-0392-47e5-81e4-c3a83e43b2aa + id: a98837d5-6033-4310-8f08-4727b0ef2be5 version: -1 name: DeleteContext description: Delete field from context 
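Review bot: The membership loops in `test_update_last_run_object` only check that every ID present in the result appears in the expected dict, so a result carrying fewer IDs than expected passes; the comparison should be two-sided, e.g. `assert set(results['found_incident_ids']) == set(expected_results1['found_incident_ids'])`, and likewise for runs 2 and 3. This matters most for the third parameter set, where the expected dict still lists IDs 1–3 after two empty fetches that leave the prune flag set, an outcome the current asserts cannot tell apart from those IDs having been pruned. The `- 200` rewrite of each stored timestamp between runs also deserves a comment such as `# age the stored IDs past the look_back window so pruning is exercised`, hedged here because the unit `look_back` is measured in is not visible on this page. The test and its parametrization are fully inside the hunk; the enclosing class starts outside it.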
@@ -102,10 +102,10 @@ tasks: isautoswitchedtoquietmode: false "10": id: "10" - taskid: 87aa3ff9-2a56-421d-8b77-52e2a2910c93 + taskid: 18358820-4fb9-452b-8c89-02afb5ca1f9d type: regular task: - id: 87aa3ff9-2a56-421d-8b77-52e2a2910c93 + id: 18358820-4fb9-452b-8c89-02afb5ca1f9d version: -1 name: Set valid emails description: Sets a value into the context with the given context key @@ -127,7 +127,7 @@ tasks: { "position": { "x": 50, - "y": 7365 + "y": 5995 } } note: false @@ -139,10 +139,10 @@ tasks: isautoswitchedtoquietmode: false "11": id: "11" - taskid: fe1eb59b-0210-4e84-850c-4dc14c18510e + taskid: 3425a00e-0339-4479-8940-99b5acb4efb4 type: regular task: - id: fe1eb59b-0210-4e84-850c-4dc14c18510e + id: 3425a00e-0339-4479-8940-99b5acb4efb4 version: -1 name: Print valid emails description: Prints text to war room (Markdown supported) @@ -163,7 +163,7 @@ tasks: { "position": { "x": 50, - "y": 7540 + "y": 6170 } } note: false @@ -175,10 +175,10 @@ tasks: isautoswitchedtoquietmode: false "12": id: "12" - taskid: 172b65e1-3819-4cf7-81b3-8d0fdd5f89be + taskid: 4a7c9a41-d9da-4736-8ba9-d1b98fb0191d type: condition task: - id: 172b65e1-3819-4cf7-81b3-8d0fdd5f89be + id: 4a7c9a41-d9da-4736-8ba9-d1b98fb0191d version: -1 name: check auto extract emails type: condition @@ -252,7 +252,7 @@ tasks: { "position": { "x": 50, - "y": 7715 + "y": 6345 } } note: false @@ -264,10 +264,10 @@ tasks: isautoswitchedtoquietmode: false "13": id: "13" - taskid: 6616f8ca-eef3-4fca-8e2e-4179a165c43e + taskid: 2d16bc6f-918b-4ce0-8416-cfdd592a056b type: regular task: - id: 6616f8ca-eef3-4fca-8e2e-4179a165c43e + id: 2d16bc6f-918b-4ce0-8416-cfdd592a056b version: -1 name: set invalid emails description: Sets a value into the context with the given context key @@ -289,7 +289,7 @@ tasks: { "position": { "x": 50, - "y": 7890 + "y": 6520 } } note: false 
@@ -301,10 +301,10 @@ tasks: isautoswitchedtoquietmode: false "14": id: "14" - taskid: 6320da04-3896-4f03-8527-d2fbb6fe20fc + taskid: 67f4f93e-523b-4440-895d-98f19419d953 type: regular task: - id: 6320da04-3896-4f03-8527-d2fbb6fe20fc + id: 67f4f93e-523b-4440-895d-98f19419d953 version: -1 name: Print invalid emails description: Prints text to war room (Markdown supported) @@ -325,7 +325,7 @@ tasks: { "position": { "x": 50, - "y": 8065 + "y": 6695 } } note: false @@ -337,10 +337,10 @@ tasks: isautoswitchedtoquietmode: false "15": id: "15" - taskid: d397b573-f882-4d37-854c-38252ea1355d + taskid: 332a5b59-2c3d-4df1-8b9b-718fdbe33075 type: condition task: - id: d397b573-f882-4d37-854c-38252ea1355d + id: 332a5b59-2c3d-4df1-8b9b-718fdbe33075 version: -1 name: check non extraction of invalid emails type: condition @@ -446,7 +446,7 @@ tasks: { "position": { "x": 50, - "y": 8240 + "y": 6870 } } note: false @@ -458,10 +458,10 @@ tasks: isautoswitchedtoquietmode: false "17": id: "17" - taskid: e7f255ac-9e45-4b50-88d2-8e793be5267c + taskid: ecd05f7f-409a-4ff8-85f8-0b08c66db8de type: title task: - id: e7f255ac-9e45-4b50-88d2-8e793be5267c + id: ecd05f7f-409a-4ff8-85f8-0b08c66db8de version: -1 name: Email type: title @@ -477,7 +477,7 @@ tasks: { "position": { "x": 50, - "y": 7220 + "y": 5850 } } note: false @@ -489,10 +489,10 @@ tasks: isautoswitchedtoquietmode: false "19": id: "19" - taskid: 47b07975-5fbb-4d0d-8efb-fa0206f21673 + taskid: f0252bd0-94b9-4910-888f-d169a830c676 type: title task: - id: 47b07975-5fbb-4d0d-8efb-fa0206f21673 + id: f0252bd0-94b9-4910-888f-d169a830c676 version: -1 name: Domain type: title @@ -508,7 +508,7 @@ tasks: { "position": { "x": 50, - "y": 8590 + "y": 7220 } } note: false 
@@ -520,10 +520,10 @@ tasks: isautoswitchedtoquietmode: false "20": id: "20" - taskid: 93c55e17-d0ae-4ea2-8458-48d41833ee27 + taskid: 7292f7a0-2157-437d-8f7e-97ea4e6b8300 type: regular task: - id: 93c55e17-d0ae-4ea2-8458-48d41833ee27 + id: 7292f7a0-2157-437d-8f7e-97ea4e6b8300 version: -1 name: Set vaild domains description: Sets a value into the context with the given context key @@ -545,7 +545,7 @@ tasks: { "position": { "x": 50, - "y": 8735 + "y": 7365 } } note: false @@ -557,10 +557,10 @@ tasks: isautoswitchedtoquietmode: false "21": id: "21" - taskid: 432543c1-5408-46e0-858d-d6433cd4f8fe + taskid: c9fb4107-ce49-409a-879b-c3a594353c5a type: regular task: - id: 432543c1-5408-46e0-858d-d6433cd4f8fe + id: c9fb4107-ce49-409a-879b-c3a594353c5a version: -1 name: Print valid domains description: Prints text to war room (Markdown supported) @@ -583,7 +583,7 @@ tasks: { "position": { "x": 50, - "y": 8910 + "y": 7540 } } note: false @@ -595,10 +595,10 @@ tasks: isautoswitchedtoquietmode: false "22": id: "22" - taskid: 905cd1cb-29bd-4401-8e47-33f3e1343572 + taskid: 87dff01f-dd26-411f-8244-c35c8d66432a type: condition task: - id: 905cd1cb-29bd-4401-8e47-33f3e1343572 + id: 87dff01f-dd26-411f-8244-c35c8d66432a version: -1 name: check auto extract domains type: condition @@ -712,7 +712,7 @@ tasks: { "position": { "x": 50, - "y": 9085 + "y": 7715 } } note: false @@ -724,10 +724,10 @@ tasks: isautoswitchedtoquietmode: false "23": id: "23" - taskid: ff51bff6-54af-4046-8176-29a0f2a05ebc + taskid: 73d73645-f778-48df-820f-3510c185fd0c type: regular task: - id: ff51bff6-54af-4046-8176-29a0f2a05ebc + id: 73d73645-f778-48df-820f-3510c185fd0c version: -1 name: Set invalid domains description: Sets a value into the context with the given context key @@ -749,7 +749,7 @@ tasks: { "position": { "x": 50, - "y": 9260 + "y": 7890 } } note: false 
@@ -761,10 +761,10 @@ tasks: isautoswitchedtoquietmode: false "24": id: "24" - taskid: cc446440-fdf0-4b69-8f54-2605f89f7521 + taskid: 18416ec6-7bb5-4699-8c36-8c94b7e7c4bb type: regular task: - id: cc446440-fdf0-4b69-8f54-2605f89f7521 + id: 18416ec6-7bb5-4699-8c36-8c94b7e7c4bb version: -1 name: Print invalid domains description: Prints text to war room (Markdown supported) @@ -785,7 +785,7 @@ tasks: { "position": { "x": 50, - "y": 9435 + "y": 8065 } } note: false @@ -797,10 +797,10 @@ tasks: isautoswitchedtoquietmode: false "25": id: "25" - taskid: ee19311a-9ad4-4e95-836c-d914059e72c7 + taskid: f80cb10d-8067-4ed3-8e95-504ff350966d type: condition task: - id: ee19311a-9ad4-4e95-836c-d914059e72c7 + id: f80cb10d-8067-4ed3-8e95-504ff350966d version: -1 name: check non extraction of invalid domains type: condition 
@@ -858,442 +858,7 @@ tasks: { "position": { "x": 50, - "y": 9610 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "27": - id: "27" - taskid: b645b350-6d82-43b7-8d8d-433b331152e3 - type: title - task: - id: b645b350-6d82-43b7-8d8d-433b331152e3 - version: -1 - name: URL - type: title - iscommand: false - brand: "" - description: '' - nexttasks: - '#none#': - - "28" - separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 5850 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "28": - id: "28" - taskid: ead6f3b9-acde-4270-8d9b-0384b56fe5d4 - type: regular - task: - id: ead6f3b9-acde-4270-8d9b-0384b56fe5d4 - version: -1 - name: Set valid URLs - description: Sets a value into the context with the given context key - scriptName: Set - type: regular - iscommand: false - brand: "" - nexttasks: - '#none#': - - "29" - scriptarguments: - key: - simple: valid_urls - value: - simple: '"www.ru.wikipedia.org/wiki/Елизавета_I", "www.golang.org/pkg/regexp/syntax/", "http://www.mock.com?e=P6wGLG", "https://Test.com/this-that" "http://_23_11.redacted.com./#redactedredactedredacted", "http://www.mock.com?gbdfs","http://test.com#fragment3","http://test.com#fragment3/","(http://www.foo.bar/taz?())", "http://test.com#fragment3","http://test.com#fragment3/","http://test.com#fragment3#fragment3", "(http://www.foo.bar/taz?())","http://öevil.tld/","http://öevil.tld:5000","http://öevil.tld/anypath", "www.evilö.tld/evil.aspx","https://www.evöl.tld/","https://www.evöl.tld/anypath", "hxxps://www.xn--e1v2i3l4.tld","www.evil.tld:443/path/to/resource.html", "https://www.evil.tld:443/path/to/resource.html","1.2.3.4/path", "google.com/path","2001:db8:3333:4444:5555:6666:7777:8888/path/path", "ftp://foo.bar/resource","ftp://foo.bar/"' - 
separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 5995 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "29": - id: "29" - taskid: 9ca7a3d5-54dc-4598-8b04-bc837ec2e69b - type: regular - task: - id: 9ca7a3d5-54dc-4598-8b04-bc837ec2e69b - version: -1 - name: Print valid URLs - description: Prints text to war room (Markdown supported) - scriptName: Print - type: regular - iscommand: false - brand: "" - nexttasks: - '#none#': - - "30" - scriptarguments: - value: - simple: ${valid_urls} - reputationcalc: 2 - separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 6170 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "30": - id: "30" - taskid: dbd336db-5c5b-4981-8f39-81c9b5c5ba7c - type: condition - task: - id: dbd336db-5c5b-4981-8f39-81c9b5c5ba7c - version: -1 - name: Check auto-extract - type: condition - iscommand: false - brand: "" - nexttasks: - "yes": - - "31" - separatecontext: false - conditions: - - label: "yes" - condition: - - - operator: containsGeneral - left: - value: - simple: ${URL.Data} - iscontext: true - right: - value: - simple: http://öevil.tld/ - - - operator: containsGeneral - left: - value: - simple: ${URL.Data} - iscontext: true - right: - value: - simple: http://öevil.tld:5000 - - - operator: containsGeneral - left: - value: - simple: ${URL.Data} - iscontext: true - right: - value: - simple: http://öevil.tld/anypath - - - operator: containsGeneral - left: - value: - simple: ${URL.Data} - iscontext: true - right: - value: - simple: www.evilö.tld/evil.aspx - - - operator: containsGeneral - left: - value: - simple: ${URL.Data} - iscontext: true - right: - value: - simple: https://www.evöl.tld/ - - - operator: containsGeneral - left: - 
value: - simple: ${URL.Data} - iscontext: true - right: - value: - simple: https://www.evöl.tld/anypath - - - operator: containsGeneral - left: - value: - simple: ${URL.Data} - iscontext: true - right: - value: - simple: www.evil.tld:443/path/to/resource.html - - - operator: containsGeneral - left: - value: - simple: ${URL.Data} - iscontext: true - right: - value: - simple: https://www.evil.tld:443/path/to/resource.html - - - operator: containsGeneral - left: - value: - simple: ${URL.Data} - iscontext: true - right: - value: - simple: 1.2.3.4/path - - - operator: containsGeneral - left: - value: - simple: ${URL.Data} - iscontext: true - right: - value: - simple: google.com/path - - - operator: containsGeneral - left: - value: - simple: ${URL.Data} - iscontext: true - right: - value: - simple: ftp://foo.bar/resource - - - operator: containsGeneral - left: - value: - simple: ${URL.Data} - iscontext: true - right: - value: - simple: ftp://foo.bar/ - - - operator: containsGeneral - left: - value: - simple: ${URL.Data} - iscontext: true - right: - value: - simple: www.ru.wikipedia.org/wiki/Елизавета_I - - - operator: containsGeneral - left: - value: - simple: ${URL.Data} - iscontext: true - right: - value: - simple: www.golang.org/pkg/regexp/syntax/ - - - operator: containsGeneral - left: - value: - simple: ${URL.Data} - iscontext: true - right: - value: - simple: http://www.mock.com?gbdfs - - - operator: containsGeneral - left: - value: - simple: ${URL.Data} - iscontext: true - right: - value: - simple: http://www.mock.com?e=P6wGLG - - - operator: containsGeneral - left: - value: - simple: ${URL.Data} - iscontext: true - right: - value: - simple: http://test.com#fragment3 - - - operator: containsGeneral - left: - value: - simple: ${URL.Data} - iscontext: true - right: - value: - simple: http://test.com#fragment3/ - - - operator: containsGeneral - left: - value: - simple: ${URL.Data} - iscontext: true - right: - value: - simple: 
http://_23_11.redacted.com./#redactedredactedredacted - - - operator: containsGeneral - left: - value: - simple: ${URL.Data} - iscontext: true - right: - value: - simple: https://Test.com/this-that - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 6345 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "31": - id: "31" - taskid: 224d6f63-f4e1-4436-81fb-0ff6c94988c3 - type: regular - task: - id: 224d6f63-f4e1-4436-81fb-0ff6c94988c3 - version: -1 - name: Set invalid URLs - description: Sets a value into the context with the given context key - scriptName: Set - type: regular - iscommand: false - brand: "" - nexttasks: - '#none#': - - "32" - scriptarguments: - key: - simple: invalid_urls - value: - simple: '"http://3628126748", "http://.www.test.com/",, "http:// shouldfail.com", "http://test.t/foo(bar)baz","http://www.te[st.com/test?x=3())"' # disable-secrets-detection - separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 6520 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "32": - id: "32" - taskid: 7d62a8ee-0ca4-4897-8db5-0b35927fb94b - type: regular - task: - id: 7d62a8ee-0ca4-4897-8db5-0b35927fb94b - version: -1 - name: Print invalid URLs - description: Prints text to war room (Markdown supported) - scriptName: Print - type: regular - iscommand: false - brand: "" - nexttasks: - '#none#': - - "33" - scriptarguments: - value: - simple: ${invalid_urls} - reputationcalc: 2 - separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 6695 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "33": - id: "33" - taskid: 
43d398e9-5c5b-4ec1-8f10-82d7000c6f15 - type: condition - task: - id: 43d398e9-5c5b-4ec1-8f10-82d7000c6f15 - version: -1 - name: Check non extraction of invalid URLs - type: condition - iscommand: false - brand: "" - nexttasks: - "yes": - - "75" - separatecontext: false - conditions: - - label: "yes" - condition: - - - operator: notContainsGeneral - left: - value: - simple: ${URL.Data} - iscontext: true - right: - value: - simple: http://3628126748 - - - operator: notContainsGeneral - left: - value: - simple: ${URL.Data} - iscontext: true - right: - value: - simple: http://.www.test.test/ # disable-secrets-detection - - - operator: notContainsGeneral - left: - value: - simple: ${URL.Data} - iscontext: true - right: - value: - simple: http:// shouldfail.com - - - operator: notContainsGeneral - left: - value: - simple: ${URL.Data} - iscontext: true - right: - value: - simple: http://test.t/foo(bar)baz quux # disable-secrets-detection - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 6870 + "y": 8240 } } note: false @@ -1305,10 +870,10 @@ tasks: isautoswitchedtoquietmode: false "34": id: "34" - taskid: 52b42d11-b0ea-467b-8082-704c814ddbef + taskid: 733dcce0-91a3-46cf-889f-fae38bf7d55e type: title task: - id: 52b42d11-b0ea-467b-8082-704c814ddbef + id: 733dcce0-91a3-46cf-889f-fae38bf7d55e version: -1 name: IP description: IP @@ -1336,10 +901,10 @@ tasks: isautoswitchedtoquietmode: false "35": id: "35" - taskid: dce0e537-593f-418e-85cf-ccaad845895a + taskid: 39da1d19-b0d8-4805-8e57-c4772a375e2d type: regular task: - id: dce0e537-593f-418e-85cf-ccaad845895a + id: 39da1d19-b0d8-4805-8e57-c4772a375e2d version: -1 name: Set valid IPs description: Sets a value into the context with the given context key 
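Review bot: This hunk deletes the entire URL branch of the test playbook (tasks 27–33: set/print valid URLs, check auto-extract, set/print invalid URLs, check non-extraction) and only re-positions the remaining tasks, in the same change that reworks `urlRegex` in CommonServerPython, so end-to-end coverage of URL auto-extraction disappears exactly where it is most needed. The removed valid-URL list (IDN hosts, explicit ports, IPv6 with path, `hxxps`, `ftp://`) and the invalid-URL list are not reproduced anywhere else on this page. If the tasks were dropped because the new regex no longer accepts some of those samples, the samples should move to an updated task or to `CommonServerPython_test.py` rather than be deleted, and the commit description should state which cases changed.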
@@ -1373,10 +938,10 @@ tasks: isautoswitchedtoquietmode: false "36": id: "36" - taskid: 1237a1f9-3d9b-420e-8b24-bda18d280ddf + taskid: 9a195e6d-b208-47b3-85ae-7181b409ac10 type: regular task: - id: 1237a1f9-3d9b-420e-8b24-bda18d280ddf + id: 9a195e6d-b208-47b3-85ae-7181b409ac10 version: -1 name: Print valid IPs description: Prints text to war room (Markdown supported) @@ -1409,10 +974,10 @@ tasks: isautoswitchedtoquietmode: false "37": id: "37" - taskid: 2391df39-9ab0-415a-8564-1ed4821669f2 + taskid: ce8e0ba3-d0ec-4225-861c-9949ae35c070 type: condition task: - id: 2391df39-9ab0-415a-8564-1ed4821669f2 + id: ce8e0ba3-d0ec-4225-861c-9949ae35c070 version: -1 name: Check auto-extract type: condition @@ -1474,10 +1039,10 @@ tasks: isautoswitchedtoquietmode: false "38": id: "38" - taskid: fddade7d-c769-4595-8b32-4a1f14c54dd6 + taskid: 7f298ea3-fffd-4abd-8900-760ffd9ae289 type: regular task: - id: fddade7d-c769-4595-8b32-4a1f14c54dd6 + id: 7f298ea3-fffd-4abd-8900-760ffd9ae289 version: -1 name: Set invalid IPs description: Sets a value into the context with the given context key @@ -1511,10 +1076,10 @@ tasks: isautoswitchedtoquietmode: false "39": id: "39" - taskid: 3d3856e9-f827-47fb-8b2c-2be18bd2daf2 + taskid: 697dc944-3768-43da-8c68-8eea8a01781f type: regular task: - id: 3d3856e9-f827-47fb-8b2c-2be18bd2daf2 + id: 697dc944-3768-43da-8c68-8eea8a01781f version: -1 name: Print invalid IPs description: Prints text to war room (Markdown supported) @@ -1547,10 +1112,10 @@ tasks: isautoswitchedtoquietmode: false "40": id: "40" - taskid: 624d7a72-a35b-47fa-8d0f-2b6adf036338 + taskid: c5111433-8df8-471e-88d4-b74734648431 type: condition task: - id: 624d7a72-a35b-47fa-8d0f-2b6adf036338 + id: c5111433-8df8-471e-88d4-b74734648431 version: -1 name: Check non extraction of invalid IPs type: condition 
@@ -1644,10 +1209,10 @@ tasks: isautoswitchedtoquietmode: false "42": id: "42" - taskid: 3429a51c-c590-43b4-8d9e-b6629d78b9c0 + taskid: 98a30a73-139c-4fa0-8b1c-4e05e3d53331 type: title task: - id: 3429a51c-c590-43b4-8d9e-b6629d78b9c0 + id: 98a30a73-139c-4fa0-8b1c-4e05e3d53331 version: -1 name: IPv4 CIDR type: title @@ -1675,10 +1240,10 @@ tasks: isautoswitchedtoquietmode: false "43": id: "43" - taskid: 73a59453-bf5a-41e8-803d-ffcbd8dfd6fc + taskid: 5ace44db-309a-450f-86de-576b0d850c64 type: regular task: - id: 73a59453-bf5a-41e8-803d-ffcbd8dfd6fc + id: 5ace44db-309a-450f-86de-576b0d850c64 version: -1 name: Set valid IPv4s CIDR description: Sets a value into the context with the given context key @@ -1712,10 +1277,10 @@ tasks: isautoswitchedtoquietmode: false "44": id: "44" - taskid: b216e330-4f91-41a3-8ab8-28cb03def8ef + taskid: f9fe1895-27dd-40db-859a-1fcb5c41792f type: regular task: - id: b216e330-4f91-41a3-8ab8-28cb03def8ef + id: f9fe1895-27dd-40db-859a-1fcb5c41792f version: -1 name: Print valid IPv4s CIDR description: Prints text to war room (Markdown supported) @@ -1748,10 +1313,10 @@ tasks: isautoswitchedtoquietmode: false "45": id: "45" - taskid: bc75d85c-117f-4cb3-857d-bbb0d0ad95b8 + taskid: ca0d49e5-693d-4a8b-8655-98603a1e30fe type: condition task: - id: bc75d85c-117f-4cb3-857d-bbb0d0ad95b8 + id: ca0d49e5-693d-4a8b-8655-98603a1e30fe version: -1 name: Check auto-extract type: condition @@ -1813,10 +1378,10 @@ tasks: isautoswitchedtoquietmode: false "46": id: "46" - taskid: 3e6b6f20-2498-4c69-8f6c-22055eb5143d + taskid: 9ee61910-c20e-4c80-8b3a-8c21f12c2ca3 type: regular task: - id: 3e6b6f20-2498-4c69-8f6c-22055eb5143d + id: 9ee61910-c20e-4c80-8b3a-8c21f12c2ca3 version: -1 name: Set invalid IPv4s CIDR description: Sets a value into the context with the given context key 
@@ -1850,10 +1415,10 @@ tasks: isautoswitchedtoquietmode: false "47": id: "47" - taskid: c51a05d6-6be4-4d93-8d2d-179dfafc7df3 + taskid: 3e71b37b-30d6-43f2-8649-1d9e75e8b371 type: regular task: - id: c51a05d6-6be4-4d93-8d2d-179dfafc7df3 + id: 3e71b37b-30d6-43f2-8649-1d9e75e8b371 version: -1 name: Print invalid IPv4s CIDR description: Prints text to war room (Markdown supported) @@ -1886,10 +1451,10 @@ tasks: isautoswitchedtoquietmode: false "48": id: "48" - taskid: fc4190c4-a7f0-4dbc-8003-5ccaadfcb5e6 + taskid: aefea302-c4b0-4f6e-8df9-6e8761525174 type: condition task: - id: fc4190c4-a7f0-4dbc-8003-5ccaadfcb5e6 + id: aefea302-c4b0-4f6e-8df9-6e8761525174 version: -1 name: Check non extraction of invalid IPv4s CIDR type: condition @@ -1943,10 +1508,10 @@ tasks: isautoswitchedtoquietmode: false "49": id: "49" - taskid: ad202caf-fc8b-4197-8f49-6acb4aa093ae + taskid: 900c2a46-beff-46ae-8550-1efa20d0e163 type: title task: - id: ad202caf-fc8b-4197-8f49-6acb4aa093ae + id: 900c2a46-beff-46ae-8550-1efa20d0e163 version: -1 name: IPv6 type: title @@ -1974,10 +1539,10 @@ tasks: isautoswitchedtoquietmode: false "51": id: "51" - taskid: fcd8a3ab-a8bd-426d-859f-1b83c98f0a8b + taskid: 27deaed2-2f1c-47d3-833b-1dfd2d8492f7 type: regular task: - id: fcd8a3ab-a8bd-426d-859f-1b83c98f0a8b + id: 27deaed2-2f1c-47d3-833b-1dfd2d8492f7 version: -1 name: Print valid IPv6s description: Prints text to war room (Markdown supported) @@ -2010,10 +1575,10 @@ tasks: isautoswitchedtoquietmode: false "52": id: "52" - taskid: 1c560fcc-3ecb-4c64-8b76-c8afccfbc51e + taskid: a0dfd7c3-048b-43c6-84eb-849d7b8a9f2e type: condition task: - id: 1c560fcc-3ecb-4c64-8b76-c8afccfbc51e + id: a0dfd7c3-048b-43c6-84eb-849d7b8a9f2e version: -1 name: Check auto-extract type: condition 
@@ -2075,10 +1640,10 @@ tasks: isautoswitchedtoquietmode: false "53": id: "53" - taskid: 931014f7-0a18-4452-87c0-ec101dd95dfa + taskid: 7c5b9672-aca4-4a47-8030-1cf0e9606a05 type: regular task: - id: 931014f7-0a18-4452-87c0-ec101dd95dfa + id: 7c5b9672-aca4-4a47-8030-1cf0e9606a05 version: -1 name: Set invalid IPv6s description: Sets a value into the context with the given context key @@ -2112,10 +1677,10 @@ tasks: isautoswitchedtoquietmode: false "54": id: "54" - taskid: c7326cba-b628-4802-8b16-74a401439ca9 + taskid: 3708700f-c36c-4a45-8fa3-b6948155f410 type: regular task: - id: c7326cba-b628-4802-8b16-74a401439ca9 + id: 3708700f-c36c-4a45-8fa3-b6948155f410 version: -1 name: Print invalid IPv6s description: Prints text to war room (Markdown supported) @@ -2148,10 +1713,10 @@ tasks: isautoswitchedtoquietmode: false "55": id: "55" - taskid: f0ebf8bb-b4ab-44cc-8136-5d31e315658f + taskid: 5efb173d-a83a-481e-884b-9ef70beb23f2 type: condition task: - id: f0ebf8bb-b4ab-44cc-8136-5d31e315658f + id: 5efb173d-a83a-481e-884b-9ef70beb23f2 version: -1 name: Check non extraction of invalid IPv6s type: condition @@ -2205,10 +1770,10 @@ tasks: isautoswitchedtoquietmode: false "56": id: "56" - taskid: 614fe6b2-3b7a-423d-8ca8-a48f3d5e416a + taskid: 1ff54077-6b53-4865-84d2-0d4419703bd3 type: title task: - id: 614fe6b2-3b7a-423d-8ca8-a48f3d5e416a + id: 1ff54077-6b53-4865-84d2-0d4419703bd3 version: -1 name: IPV6 CIDR type: title @@ -2236,10 +1801,10 @@ tasks: isautoswitchedtoquietmode: false "57": id: "57" - taskid: c3bf460a-8463-43e2-86a9-714b5b5482df + taskid: c6f873c2-dc4e-4bfa-8dd9-2d59874d6d3e type: regular task: - id: c3bf460a-8463-43e2-86a9-714b5b5482df + id: c6f873c2-dc4e-4bfa-8dd9-2d59874d6d3e version: -1 name: Set valid IPv6s CIDR description: Sets a value into the context with the given context key 
@@ -2273,10 +1838,10 @@ tasks: isautoswitchedtoquietmode: false "58": id: "58" - taskid: 720bee84-07cb-42e4-8f6f-50eece5e98e8 + taskid: 82036e29-4e27-46e8-82b9-6adca631ba76 type: regular task: - id: 720bee84-07cb-42e4-8f6f-50eece5e98e8 + id: 82036e29-4e27-46e8-82b9-6adca631ba76 version: -1 name: Print valid IPv6s CIDR description: Prints text to war room (Markdown supported) @@ -2309,10 +1874,10 @@ tasks: isautoswitchedtoquietmode: false "59": id: "59" - taskid: d326a797-4eaa-49bd-8c13-d1bcccf18a7f + taskid: abcfd3e6-df3f-428e-88b4-f01a087dace5 type: condition task: - id: d326a797-4eaa-49bd-8c13-d1bcccf18a7f + id: abcfd3e6-df3f-428e-88b4-f01a087dace5 version: -1 name: Check auto-extract type: condition @@ -2350,10 +1915,10 @@ tasks: isautoswitchedtoquietmode: false "60": id: "60" - taskid: b4a924c3-0e9c-4262-89dd-9a037e941703 + taskid: 6bef679d-11ed-470a-8f49-4b7812456377 type: regular task: - id: b4a924c3-0e9c-4262-89dd-9a037e941703 + id: 6bef679d-11ed-470a-8f49-4b7812456377 version: -1 name: Set invalid IPv6s CIDR description: Sets a value into the context with the given context key @@ -2387,10 +1952,10 @@ tasks: isautoswitchedtoquietmode: false "61": id: "61" - taskid: ccab5e8a-2ad4-45a2-81c0-060dfdd3c396 + taskid: 5aeae99d-0b9d-4f37-8bd3-d98d7606e60a type: regular task: - id: ccab5e8a-2ad4-45a2-81c0-060dfdd3c396 + id: 5aeae99d-0b9d-4f37-8bd3-d98d7606e60a version: -1 name: Print invalid IPv6s CIDR description: Prints text to war room (Markdown supported) @@ -2423,10 +1988,10 @@ tasks: isautoswitchedtoquietmode: false "62": id: "62" - taskid: dc1ada51-0620-46b7-810b-78426cac0ef2 + taskid: 8ab198f2-f084-4a13-84b6-c862f606f503 type: condition task: - id: dc1ada51-0620-46b7-810b-78426cac0ef2 + id: 8ab198f2-f084-4a13-84b6-c862f606f503 version: -1 name: Check non extraction of invalid IPv6s CIDR type: condition 
@@ -2464,10 +2029,10 @@ tasks: isautoswitchedtoquietmode: false "65": id: "65" - taskid: cd905953-e94b-4320-85c7-329d5f2ac5bd + taskid: 6ff3ca89-844c-4efb-84cd-7e09df034a28 type: regular task: - id: cd905953-e94b-4320-85c7-329d5f2ac5bd + id: 6ff3ca89-844c-4efb-84cd-7e09df034a28 version: -1 name: DeleteContext description: Delete field from context @@ -2499,10 +2064,10 @@ tasks: isautoswitchedtoquietmode: false "67": id: "67" - taskid: 41acea7b-7fcb-4caf-8eb2-1ca089e32bcb + taskid: 6e5e1a02-d0ca-47fa-8e95-9be54319fbd6 type: regular task: - id: 41acea7b-7fcb-4caf-8eb2-1ca089e32bcb + id: 6e5e1a02-d0ca-47fa-8e95-9be54319fbd6 version: -1 name: Set valid File description: Sets a value into the context with the given context key @@ -2524,7 +2089,7 @@ tasks: { "position": { "x": 50, - "y": 10105 + "y": 8735 } } note: false @@ -2536,10 +2101,10 @@ tasks: isautoswitchedtoquietmode: false "68": id: "68" - taskid: 8ec1dff6-6e5c-403a-85af-1b49cde2de6d + taskid: 96b89b7d-f0b2-49bd-8554-04483adaef93 type: regular task: - id: 8ec1dff6-6e5c-403a-85af-1b49cde2de6d + id: 96b89b7d-f0b2-49bd-8554-04483adaef93 version: -1 name: Print valid File description: Prints text to war room (Markdown supported) @@ -2560,7 +2125,7 @@ tasks: { "position": { "x": 50, - "y": 10280 + "y": 8910 } } note: false @@ -2572,10 +2137,10 @@ tasks: isautoswitchedtoquietmode: false "69": id: "69" - taskid: 6fcecf4e-a151-4754-8d6d-fda3dddd6a77 + taskid: a53e87c6-6e09-4f7c-88d7-c422699a764d type: condition task: - id: 6fcecf4e-a151-4754-8d6d-fda3dddd6a77 + id: a53e87c6-6e09-4f7c-88d7-c422699a764d version: -1 name: Check auto-extract type: condition @@ -2601,7 +2166,7 @@ tasks: { "position": { "x": 50, - "y": 10455 + "y": 9085 } } note: false 
@@ -2613,10 +2178,10 @@ tasks: isautoswitchedtoquietmode: false "70": id: "70" - taskid: 15484458-ce25-40ed-8549-3184df9e3c63 + taskid: 8b897f52-c859-43ca-8838-cb34d536c256 type: regular task: - id: 15484458-ce25-40ed-8549-3184df9e3c63 + id: 8b897f52-c859-43ca-8838-cb34d536c256 version: -1 name: Untitled Task description: Delete field from context @@ -2636,7 +2201,7 @@ tasks: { "position": { "x": 50, - "y": 10630 + "y": 9260 } } note: false @@ -2648,10 +2213,10 @@ tasks: isautoswitchedtoquietmode: false "71": id: "71" - taskid: b1ad7899-a909-4ce6-81ba-4af561d7fcba + taskid: ca25f73a-32c4-427c-802f-abbbcade11d7 type: regular task: - id: b1ad7899-a909-4ce6-81ba-4af561d7fcba + id: ca25f73a-32c4-427c-802f-abbbcade11d7 version: -1 name: DeleteContext description: Delete field from context @@ -2671,7 +2236,7 @@ tasks: { "position": { "x": 50, - "y": 10805 + "y": 9435 } } note: false @@ -2683,10 +2248,10 @@ tasks: isautoswitchedtoquietmode: false "72": id: "72" - taskid: 9384f6b2-f209-4b4e-8fab-e6291dfc173f + taskid: 0a7fed81-d4b9-404b-88e7-6fe4cda3e0b2 type: title task: - id: 9384f6b2-f209-4b4e-8fab-e6291dfc173f + id: 0a7fed81-d4b9-404b-88e7-6fe4cda3e0b2 version: -1 name: Done type: title @@ -2699,7 +2264,7 @@ tasks: { "position": { "x": 50, - "y": 10980 + "y": 9610 } } note: false @@ -2711,10 +2276,10 @@ tasks: isautoswitchedtoquietmode: false "73": id: "73" - taskid: 35e50791-cb5d-412d-8d2e-b9fe0ad44739 + taskid: 1be70c24-f050-4a59-8c5b-e32480196d09 type: regular task: - id: 35e50791-cb5d-412d-8d2e-b9fe0ad44739 + id: 1be70c24-f050-4a59-8c5b-e32480196d09 version: -1 name: Set valid IPv6s description: Sets a value into the context with the given context key 
@@ -2746,47 +2311,12 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "75": - id: "75" - taskid: 47cf6141-851a-44f2-877c-ac1b7d246762 - type: regular - task: - id: 47cf6141-851a-44f2-877c-ac1b7d246762 - version: -1 - name: DeleteContext - description: Delete field from context - scriptName: DeleteContext - type: regular - iscommand: false - brand: "" - nexttasks: - '#none#': - - "17" - scriptarguments: - all: - simple: "yes" - separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 7045 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "76": id: "76" - taskid: b7602254-fd14-4426-82b4-1e8b8753bd68 + taskid: d3c01fea-098b-4daa-88d7-8a8fa26c1366 type: regular task: - id: b7602254-fd14-4426-82b4-1e8b8753bd68 + id: d3c01fea-098b-4daa-88d7-8a8fa26c1366 version: -1 name: DeleteContext description: Delete field from context @@ -2806,7 +2336,7 @@ tasks: { "position": { "x": 50, - "y": 8415 + "y": 7045 } } note: false @@ -2818,10 +2348,10 @@ tasks: isautoswitchedtoquietmode: false "77": id: "77" - taskid: 87d21368-84f3-47b4-8084-291d0afaa9cc + taskid: e2981510-057b-4bb2-84c1-6748976471ea type: regular task: - id: 87d21368-84f3-47b4-8084-291d0afaa9cc + id: e2981510-057b-4bb2-84c1-6748976471ea version: -1 name: DeleteContext description: Delete field from context @@ -2841,7 +2371,7 @@ tasks: { "position": { "x": 50, - "y": 9785 + "y": 8415 } } note: false @@ -2853,10 +2383,10 @@ tasks: isautoswitchedtoquietmode: false "79": id: "79" - taskid: f477ebd3-ac9d-40bd-8772-e2925476a320 + taskid: 7c5ead2c-97e7-4ae4-80e2-268d225da85b type: regular task: - id: f477ebd3-ac9d-40bd-8772-e2925476a320 + id: 7c5ead2c-97e7-4ae4-80e2-268d225da85b version: -1 name: DeleteContext description: Delete field from context 
@@ -2888,10 +2418,10 @@ tasks: isautoswitchedtoquietmode: false "80": id: "80" - taskid: ca6273ae-889a-4dbf-844b-61f3704faa07 + taskid: 38932b93-798d-4fcc-8854-0efe76cc0ae5 type: regular task: - id: ca6273ae-889a-4dbf-844b-61f3704faa07 + id: 38932b93-798d-4fcc-8854-0efe76cc0ae5 version: -1 name: DeleteContext description: Delete field from context @@ -2923,10 +2453,10 @@ tasks: isautoswitchedtoquietmode: false "81": id: "81" - taskid: 5658f61e-e892-476e-85f0-a8b9ed1b5e76 + taskid: 10dfc819-2fc1-48f3-88ac-19ae3da38170 type: regular task: - id: 5658f61e-e892-476e-85f0-a8b9ed1b5e76 + id: 10dfc819-2fc1-48f3-88ac-19ae3da38170 version: -1 name: DeleteContext description: Delete field from context @@ -2936,7 +2466,7 @@ tasks: brand: "" nexttasks: '#none#': - - "27" + - "17" scriptarguments: all: simple: "yes" @@ -2961,7 +2491,7 @@ view: |- "linkLabelsPosition": {}, "paper": { "dimensions": { - "height": 10995, + "height": 9625, "width": 380, "x": 50, "y": 50 @@ -2971,5 +2501,3 @@ view: |- inputs: [] outputs: [] fromversion: 5.0.0 -contentitemexportablefields: - contentitemfields: {} diff --git a/Packs/Base/TestPlaybooks/playbook-URLextraction-Test.yml b/Packs/Base/TestPlaybooks/playbook-URLextraction-Test.yml new file mode 100644 index 000000000000..e8fff09f5a24 --- /dev/null +++ b/Packs/Base/TestPlaybooks/playbook-URLextraction-Test.yml 
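Review bot: Repointing task "81" from "27" to "17" in the `@@ -2936` hunk, together with the deletion of task "75" (whose only successor was "17") in the `@@ -2746` hunk, changes the control flow of this test playbook, and the diff does not show whether "27" still has any incoming edge afterwards or whether some remaining task still lists "75" under `nexttasks`. An unreachable "27" would silently skip the condition chain behind it (the test would pass without exercising it), while a dangling `- "75"` reference would fail at playbook load. Please confirm both in the new file, e.g. grep for `- "75"` and for `- "27"`, before merging. The `y` coordinate shifts and regenerated `taskid` values in the neighbouring hunks are layout/identity only and need no review.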
@@ -0,0 +1,965 @@ +id: URL extraction test +version: -1 +name: URL extraction test +starttaskid: "0" +tasks: + "0": + id: "0" + taskid: 7d58553c-af3a-46a3-86fc-18550a743376 + type: start + task: + id: 7d58553c-af3a-46a3-86fc-18550a743376 + version: -1 + name: "" + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "20" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1770, + "y": 50 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "2": + id: "2" + taskid: 0b1d7e00-29da-4d23-804c-05b7592e4b6e + type: regular + task: + id: 0b1d7e00-29da-4d23-804c-05b7592e4b6e + version: -1 + name: Set valid URLs + description: Sets a value into the context with the given context key + scriptName: Set + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "3" + scriptarguments: + key: + simple: valid_urls + value: + simple: '"www.ru.wikipedia.org/wiki/Елизавета_I", "www.golang.org/pkg/regexp/syntax/", "http://www.mock.com?e=P6wGLG", "https://Test.com/this-that" "http://_23_11.redacted.com./#redactedredactedredacted", "http://www.mock.com?gbdfs","http://test.com#fragment3","http://test.com#fragment3/","(http://www.foo.bar/taz?())", "http://test.com#fragment3","http://test.com#fragment3/","http://test.com#fragment3#fragment3", "(http://www.foo.bar/taz?())","http://öevil.tld/","http://öevil.tld:5000/","http://öevil.tld/anypath", "www.evilö.tld/evil.aspx","https://www.evöl.tld/","https://www.evöl.tld/anypath", "hxxps://www.xn--e1v2i3l4.tld","www.evil.tld:443/path/to/resource.html", "https://www.evil.tld:443/path/to/resource.html","1.2.3.4/path", "google.com/path","2001:db8:3333:4444:5555:6666:7777:8888/path/path", "ftp://foo.bar/resource","ftp://foo.bar/"' + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1770, + "y": 370 + } + } + note: false + 
timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "3": + id: "3" + taskid: 7504e217-587f-4a23-8d0e-fb99de6a5723 + type: regular + task: + id: 7504e217-587f-4a23-8d0e-fb99de6a5723 + version: -1 + name: Print valid URLs + description: Prints text to war room (Markdown supported) + scriptName: Print + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "4" + - "13" + - "11" + - "9" + - "12" + - "10" + - "14" + - "15" + - "16" + scriptarguments: + value: + simple: ${valid_urls} + reputationcalc: 2 + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1770, + "y": 545 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "4": + id: "4" + taskid: 6b6ffd6c-5814-4825-80b3-66246e477793 + type: condition + task: + id: 6b6ffd6c-5814-4825-80b3-66246e477793 + version: -1 + name: Check URL case + type: condition + iscommand: false + brand: "" + nexttasks: + "yes": + - "5" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: containsGeneral + left: + value: + simple: ${URL.Data} + iscontext: true + right: + value: + simple: https://Test.com/this-that + continueonerrortype: "" + view: |- + { + "position": { + "x": 50, + "y": 720 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "5": + id: "5" + taskid: 82e06ed9-2854-4563-88a0-13361d4fe05f + type: regular + task: + id: 82e06ed9-2854-4563-88a0-13361d4fe05f + version: -1 + name: Set invalid URLs + description: Sets a value into the context with the given context key + scriptName: Set + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "6" + scriptarguments: + key: + simple: invalid_urls + value: + simple: 
'"http://3628126748", "http://.www.test.com/",, "http:// shouldfail.com", "http://test.t/foo(bar)baz","http://www.te[st.com/test?x=3())"' + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1770, + "y": 895 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "6": + id: "6" + taskid: e628858e-2d27-4db7-8f42-5bbe6ff06b52 + type: regular + task: + id: e628858e-2d27-4db7-8f42-5bbe6ff06b52 + version: -1 + name: Print invalid URLs + description: Prints text to war room (Markdown supported) + scriptName: Print + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "7" + - "19" + - "18" + - "17" + scriptarguments: + value: + simple: ${invalid_urls} + reputationcalc: 2 + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1770, + "y": 1070 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "7": + id: "7" + taskid: d01a567d-1cbb-4911-806a-3ec825ae42e5 + type: condition + task: + id: d01a567d-1cbb-4911-806a-3ec825ae42e5 + version: -1 + name: Check non extraction of invalid URLs - Numbers + type: condition + iscommand: false + brand: "" + nexttasks: + "yes": + - "8" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: notContainsGeneral + left: + value: + simple: ${URL.Data} + iscontext: true + right: + value: + simple: http://3628126748 + continueonerrortype: "" + view: |- + { + "position": { + "x": 1125, + "y": 1245 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "8": + id: "8" + taskid: 74d80b22-1758-4d59-8442-8975db8bef52 + type: regular + task: + id: 74d80b22-1758-4d59-8442-8975db8bef52 + version: -1 + name: DeleteContext + 
description: Delete field from context + scriptName: DeleteContext + type: regular + iscommand: false + brand: "" + scriptarguments: + all: + simple: "yes" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1770, + "y": 1420 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "9": + id: "9" + taskid: e66234b8-81a0-49ed-8de9-8da47bc09169 + type: condition + task: + id: e66234b8-81a0-49ed-8de9-8da47bc09169 + version: -1 + name: Check URL with port + type: condition + iscommand: false + brand: "" + nexttasks: + "yes": + - "5" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: containsGeneral + left: + value: + simple: ${URL.Data} + iscontext: true + right: + value: + simple: http://öevil.tld:5000/ + continueonerrortype: "" + view: |- + { + "position": { + "x": 480, + "y": 720 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "10": + id: "10" + taskid: 92676c11-fd4d-48bd-80e9-5e2ffbd038bd + type: condition + task: + id: 92676c11-fd4d-48bd-80e9-5e2ffbd038bd + version: -1 + name: URL with port and path + type: condition + iscommand: false + brand: "" + nexttasks: + "yes": + - "5" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: containsGeneral + left: + value: + simple: ${URL.Data} + iscontext: true + right: + value: + simple: www.evil.tld:443/path/to/resource.html + continueonerrortype: "" + view: |- + { + "position": { + "x": 910, + "y": 720 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "11": + id: "11" + taskid: 1054c3b2-9e4f-4e88-8dd8-ba9c96e37e07 + type: condition + task: + id: 1054c3b2-9e4f-4e88-8dd8-ba9c96e37e07 + version: -1 + 
name: Check URL with non ASCII + type: condition + iscommand: false + brand: "" + nexttasks: + "yes": + - "5" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: containsGeneral + left: + value: + simple: ${URL.Data} + iscontext: true + right: + value: + simple: http://öevil.tld/ + continueonerrortype: "" + view: |- + { + "position": { + "x": 1340, + "y": 720 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "12": + id: "12" + taskid: 514ec6e5-68fd-4a16-8392-20b2406ad9c2 + type: condition + task: + id: 514ec6e5-68fd-4a16-8392-20b2406ad9c2 + version: -1 + name: Check URL with path + type: condition + iscommand: false + brand: "" + nexttasks: + "yes": + - "5" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: containsGeneral + left: + value: + simple: ${URL.Data} + iscontext: true + right: + value: + simple: http://öevil.tld/anypath + continueonerrortype: "" + view: |- + { + "position": { + "x": 1770, + "y": 720 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "13": + id: "13" + taskid: 86735273-4fc7-416c-8f3d-9930f49af923 + type: condition + task: + id: 86735273-4fc7-416c-8f3d-9930f49af923 + version: -1 + name: IP as a URL + type: condition + iscommand: false + brand: "" + nexttasks: + "yes": + - "5" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: containsGeneral + left: + value: + simple: ${URL.Data} + iscontext: true + right: + value: + simple: 1.2.3.4/path + continueonerrortype: "" + view: |- + { + "position": { + "x": 2200, + "y": 720 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "14": + id: "14" + taskid: 
ed48c3c4-aef9-48fd-8e39-051b7884e106 + type: condition + task: + id: ed48c3c4-aef9-48fd-8e39-051b7884e106 + version: -1 + name: Check URL Query + type: condition + iscommand: false + brand: "" + nexttasks: + "yes": + - "5" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: containsGeneral + left: + value: + simple: ${URL.Data} + iscontext: true + right: + value: + simple: http://www.mock.com?e=P6wGLG + continueonerrortype: "" + view: |- + { + "position": { + "x": 2630, + "y": 720 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "15": + id: "15" + taskid: beeda4c1-084b-41e0-8496-c6b53bf0f6d2 + type: condition + task: + id: beeda4c1-084b-41e0-8496-c6b53bf0f6d2 + version: -1 + name: Check URL fragment + type: condition + iscommand: false + brand: "" + nexttasks: + "yes": + - "5" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: containsGeneral + left: + value: + simple: ${URL.Data} + iscontext: true + right: + value: + simple: http://test.com#fragment3 + continueonerrortype: "" + view: |- + { + "position": { + "x": 3060, + "y": 720 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "16": + id: "16" + taskid: aa265836-09c8-4adf-84fd-d7de4481df99 + type: condition + task: + id: aa265836-09c8-4adf-84fd-d7de4481df99 + version: -1 + name: Check auto-extract + type: condition + iscommand: false + brand: "" + nexttasks: + "yes": + - "5" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: containsGeneral + left: + value: + simple: ${URL.Data} + iscontext: true + right: + value: + simple: http://öevil.tld/ + - - operator: containsGeneral + left: + value: + simple: ${URL.Data} + iscontext: true + right: + value: + simple: http://öevil.tld:5000/ + - - operator: 
containsGeneral + left: + value: + simple: ${URL.Data} + iscontext: true + right: + value: + simple: http://öevil.tld/anypath + - - operator: containsGeneral + left: + value: + simple: ${URL.Data} + iscontext: true + right: + value: + simple: www.evilö.tld/evil.aspx + - - operator: containsGeneral + left: + value: + simple: ${URL.Data} + iscontext: true + right: + value: + simple: https://www.evöl.tld/ + - - operator: containsGeneral + left: + value: + simple: ${URL.Data} + iscontext: true + right: + value: + simple: https://www.evöl.tld/anypath + - - operator: containsGeneral + left: + value: + simple: ${URL.Data} + iscontext: true + right: + value: + simple: www.evil.tld:443/path/to/resource.html + - - operator: containsGeneral + left: + value: + simple: ${URL.Data} + iscontext: true + right: + value: + simple: https://www.evil.tld:443/path/to/resource.html + - - operator: containsGeneral + left: + value: + simple: ${URL.Data} + iscontext: true + right: + value: + simple: 1.2.3.4/path + - - operator: containsGeneral + left: + value: + simple: ${URL.Data} + iscontext: true + right: + value: + simple: google.com/path + - - operator: containsGeneral + left: + value: + simple: ${URL.Data} + iscontext: true + right: + value: + simple: ftp://foo.bar/resource + - - operator: containsGeneral + left: + value: + simple: ${URL.Data} + iscontext: true + right: + value: + simple: ftp://foo.bar/ + - - operator: containsGeneral + left: + value: + simple: ${URL.Data} + iscontext: true + right: + value: + simple: www.ru.wikipedia.org/wiki/Елизавета_I + - - operator: containsGeneral + left: + value: + simple: ${URL.Data} + iscontext: true + right: + value: + simple: www.golang.org/pkg/regexp/syntax/ + - - operator: containsGeneral + left: + value: + simple: ${URL.Data} + iscontext: true + right: + value: + simple: http://www.mock.com?gbdfs + - - operator: containsGeneral + left: + value: + simple: ${URL.Data} + iscontext: true + right: + value: + simple: 
http://www.mock.com?e=P6wGLG + - - operator: containsGeneral + left: + value: + simple: ${URL.Data} + iscontext: true + right: + value: + simple: http://test.com#fragment3 + - - operator: containsGeneral + left: + value: + simple: ${URL.Data} + iscontext: true + right: + value: + simple: http://test.com#fragment3/ + - - operator: containsGeneral + left: + value: + simple: ${URL.Data} + iscontext: true + right: + value: + simple: http://_23_11.redacted.com./#redactedredactedredacted + - - operator: containsGeneral + left: + value: + simple: ${URL.Data} + iscontext: true + right: + value: + simple: https://Test.com/this-that + continueonerrortype: "" + view: |- + { + "position": { + "x": 3490, + "y": 720 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "17": + id: "17" + taskid: 44ff2572-54ca-4515-8b7c-b31bb3498622 + type: condition + task: + id: 44ff2572-54ca-4515-8b7c-b31bb3498622 + version: -1 + name: Check non extraction of invalid URLs - invalid path + type: condition + iscommand: false + brand: "" + nexttasks: + "yes": + - "8" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: notContainsGeneral + left: + value: + simple: ${URL.Data} + iscontext: true + right: + value: + simple: http://test.t/foo(bar)baz quux + continueonerrortype: "" + view: |- + { + "position": { + "x": 1555, + "y": 1245 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "18": + id: "18" + taskid: 75196521-1dea-43f5-842c-4c88e63671e8 + type: condition + task: + id: 75196521-1dea-43f5-842c-4c88e63671e8 + version: -1 + name: Check non extraction of invalid URLs - space in sub domain + type: condition + iscommand: false + brand: "" + nexttasks: + "yes": + - "8" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: 
notContainsGeneral + left: + value: + simple: ${URL.Data} + iscontext: true + right: + value: + simple: http:// shouldfail.com + continueonerrortype: "" + view: |- + { + "position": { + "x": 1985, + "y": 1245 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "19": + id: "19" + taskid: f7950349-a9d1-4d3f-8b5c-c0802359a9ea + type: condition + task: + id: f7950349-a9d1-4d3f-8b5c-c0802359a9ea + version: -1 + name: Check non extraction of invalid URLs - invalid subdomain + type: condition + iscommand: false + brand: "" + nexttasks: + "yes": + - "8" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: notContainsGeneral + left: + value: + simple: ${URL.Data} + iscontext: true + right: + value: + simple: http://.www.test.test/ + continueonerrortype: "" + view: |- + { + "position": { + "x": 2415, + "y": 1245 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "20": + id: "20" + taskid: e3162182-3c3a-4a07-89cd-5577b9d7fe3a + type: regular + task: + id: e3162182-3c3a-4a07-89cd-5577b9d7fe3a + version: -1 + name: DeleteContext + description: |- + Delete field from context. + + This automation runs using the default Limited User role, unless you explicitly change the permissions. 
+ For more information, see the section about permissions here: + https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html + scriptName: DeleteContext + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "2" + scriptarguments: + all: + simple: "yes" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1770, + "y": 195 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false +view: |- + { + "linkLabelsPosition": {}, + "paper": { + "dimensions": { + "height": 1465, + "width": 3820, + "x": 50, + "y": 50 + } + } + } +inputs: [] +outputs: [] +fromversion: 6.5.0 +description: Test playbook for URL extraction flow diff --git a/Packs/Base/pack_metadata.json b/Packs/Base/pack_metadata.json index 62565cff4343..a7b2a348e4b7 100644 --- a/Packs/Base/pack_metadata.json +++ b/Packs/Base/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Base", "description": "The base pack for Cortex XSOAR.", "support": "xsoar", - "currentVersion": "1.31.45", + "currentVersion": "1.31.51", "author": "Cortex XSOAR", "serverMinVersion": "6.0.0", "url": "https://www.paloaltonetworks.com/cortex", diff --git a/Packs/BeyondTrust_Password_Safe/Integrations/BeyondTrust_Password_Safe/BeyondTrust_Password_Safe.yml b/Packs/BeyondTrust_Password_Safe/Integrations/BeyondTrust_Password_Safe/BeyondTrust_Password_Safe.yml index 2f05d43cc402..66d76b10fd1f 100644 --- a/Packs/BeyondTrust_Password_Safe/Integrations/BeyondTrust_Password_Safe/BeyondTrust_Password_Safe.yml +++ b/Packs/BeyondTrust_Password_Safe/Integrations/BeyondTrust_Password_Safe/BeyondTrust_Password_Safe.yml 
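Review bot: Two of the negative checks in this new test playbook can never fail because the value they look for is not the value that was seeded: task "19" asserts `${URL.Data}` does not contain `http://.www.test.test/` while task "5" seeds `http://.www.test.com/`, and task "17" asserts against `http://test.t/foo(bar)baz quux` while the seeded string is `http://test.t/foo(bar)baz`. A `notContainsGeneral` on a string that was never present is vacuously true, so a regression that starts extracting these malformed URLs would still pass. Align the right-hand sides with the seeded inputs, i.e. `simple: http://.www.test.com/` in task "19" and `simple: http://test.t/foo(bar)baz` in task "17". The invalid list in task "5" also carries a stray `,,` after `"http://.www.test.com/"`, and `http://www.te[st.com/test?x=3())` is seeded but never asserted on, so either add a condition for it or drop it from the input.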
@@ -297,7 +297,7 @@ script: description: Updates the credentials for a Managed Account, optionally applying the change to the Managed System. execution: false name: beyondtrust-change-credentials - dockerimage: demisto/python3:3.10.8.37753 + dockerimage: demisto/python3:3.10.9.40422 isfetch: false runonce: false script: '-' diff --git a/Packs/BeyondTrust_Password_Safe/ReleaseNotes/1_0_24.md b/Packs/BeyondTrust_Password_Safe/ReleaseNotes/1_0_24.md new file mode 100644 index 000000000000..398f2b804bc9 --- /dev/null +++ b/Packs/BeyondTrust_Password_Safe/ReleaseNotes/1_0_24.md @@ -0,0 +1,3 @@ +#### Integrations +##### BeyondTrust Password Safe +- Updated the Docker image to: *demisto/python3:3.10.9.40422*. diff --git a/Packs/BeyondTrust_Password_Safe/pack_metadata.json b/Packs/BeyondTrust_Password_Safe/pack_metadata.json index 5bf1cc7413bf..0671d8002e55 100644 --- a/Packs/BeyondTrust_Password_Safe/pack_metadata.json +++ b/Packs/BeyondTrust_Password_Safe/pack_metadata.json @@ -2,7 +2,7 @@ "name": "BeyondTrust Password Safe", "description": "Unified password and session management for seamless accountability and control over privileged accounts.", "support": "xsoar", - "currentVersion": "1.0.23", + "currentVersion": "1.0.24", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/Binalyze/Integrations/BinalyzeAIR/BinalyzeAIR.py b/Packs/Binalyze/Integrations/BinalyzeAIR/BinalyzeAIR.py index 629231173bfa..25d3bf44574e 100644 --- a/Packs/Binalyze/Integrations/BinalyzeAIR/BinalyzeAIR.py +++ b/Packs/Binalyze/Integrations/BinalyzeAIR/BinalyzeAIR.py @@ -2,9 +2,9 @@ from CommonServerPython import * # noqa: F401 from typing import Dict, Any -import requests +import urllib3 -requests.packages.urllib3.disable_warnings() +urllib3.disable_warnings() class Client(BaseClient): 
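Review bot: The new `urllib3.disable_warnings()` call in BinalyzeAIR.py takes no category, so it suppresses every urllib3 warning (DependencyWarning, SystemTimeWarning, NotOpenSSLWarning, ...) rather than only the certificate-verification warning this line exists to quiet; `urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)` keeps the intended effect and leaves the other diagnostics visible. The hunk also drops `import requests`; if `requests` is still referenced elsewhere in the module (for example `requests.exceptions` in an error handler) that reference now raises NameError at runtime, which cannot be confirmed from this hunk alone. Ideally the suppression would be gated on the instance's insecure/verify parameter so a verifying configuration still surfaces the warning, although the module-level placement matches the sibling integrations in this commit.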
diff --git a/Packs/Binalyze/Integrations/BinalyzeAIR/BinalyzeAIR.yml b/Packs/Binalyze/Integrations/BinalyzeAIR/BinalyzeAIR.yml
index 6584c667d1af..be089b38fc57 100644
--- a/Packs/Binalyze/Integrations/BinalyzeAIR/BinalyzeAIR.yml
+++ b/Packs/Binalyze/Integrations/BinalyzeAIR/BinalyzeAIR.yml
@@ -97,7 +97,7 @@ script:
 description: Organization Id of endpoint
 type: number
 description: Acquire evidence from an endpoint
- dockerimage: demisto/python3:3.10.5.31928
+ dockerimage: demisto/python3:3.10.9.40422
 runonce: false
 subtype: python3
 fromversion: 6.2.0
diff --git a/Packs/Binalyze/ReleaseNotes/1_0_1.md b/Packs/Binalyze/ReleaseNotes/1_0_1.md
new file mode 100644
index 000000000000..a6ed00c4dac3
--- /dev/null
+++ b/Packs/Binalyze/ReleaseNotes/1_0_1.md
@@ -0,0 +1,3 @@
+#### Integrations
+##### Binalyze AIR
+- Updated the Docker image to: *demisto/python3:3.10.9.40422*.
diff --git a/Packs/Binalyze/pack_metadata.json b/Packs/Binalyze/pack_metadata.json
index 4330d77b425d..0557bd12ec88 100644
--- a/Packs/Binalyze/pack_metadata.json
+++ b/Packs/Binalyze/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Binalyze AIR",
 "description": "Collect over 150 different types of evidence under 10 minutes.",
 "support": "partner",
- "currentVersion": "1.0.0",
+ "currentVersion": "1.0.1",
 "author": "Binalyze Integration Team",
 "url": "https://kb.binalyze.com/air/integrations/cortex-xsoar-integration",
 "email": "support@binalyze.com",
diff --git a/Packs/BitSight/Integrations/BitSightForSecurityPerformanceManagement/BitSightForSecurityPerformanceManagement.py b/Packs/BitSight/Integrations/BitSightForSecurityPerformanceManagement/BitSightForSecurityPerformanceManagement.py
index 4520c388b0fe..eb0031b21c17 100644
--- a/Packs/BitSight/Integrations/BitSightForSecurityPerformanceManagement/BitSightForSecurityPerformanceManagement.py
+++ b/Packs/BitSight/Integrations/BitSightForSecurityPerformanceManagement/BitSightForSecurityPerformanceManagement.py
@@ -1,5 +1,6 @@
 """Main file for BitSightForSecurityPerformanceManagement Integration."""
 import requests
+import urllib3
 import demistomock as demisto # noqa: F401
 from CommonServerPython import * # noqa: F401
@@ -64,7 +65,7 @@
 }
 # Disable insecure warnings
-requests.packages.urllib3.disable_warnings()
+urllib3.disable_warnings()
 class Client(BaseClient):
diff --git a/Packs/BitSight/Integrations/BitSightForSecurityPerformanceManagement/BitSightForSecurityPerformanceManagement.yml b/Packs/BitSight/Integrations/BitSightForSecurityPerformanceManagement/BitSightForSecurityPerformanceManagement.yml
index 495c9f52cc7b..19578841e380 100644
--- a/Packs/BitSight/Integrations/BitSightForSecurityPerformanceManagement/BitSightForSecurityPerformanceManagement.yml
+++ b/Packs/BitSight/Integrations/BitSightForSecurityPerformanceManagement/BitSightForSecurityPerformanceManagement.yml
@@ -617,7 +617,7 @@ script: - contextPath: BitSight.MyCompany.guid
 description: The unique identifier of my company.
 type: String
- dockerimage: demisto/python3:3.10.5.33323
+ dockerimage: demisto/python3:3.10.9.40422
 feed: false
 isfetch: true
 longRunning: false
diff --git a/Packs/BitSight/ReleaseNotes/1_1_4.md b/Packs/BitSight/ReleaseNotes/1_1_4.md
new file mode 100644
index 000000000000..13aaef07010b
--- /dev/null
+++ b/Packs/BitSight/ReleaseNotes/1_1_4.md
@@ -0,0 +1,3 @@
+#### Integrations
+##### BitSight for Security Performance Management
+- Updated the Docker image to: *demisto/python3:3.10.9.40422*.
diff --git a/Packs/BitSight/pack_metadata.json b/Packs/BitSight/pack_metadata.json
index 0af375d3e451..5b6b51637968 100644
--- a/Packs/BitSight/pack_metadata.json
+++ b/Packs/BitSight/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "BitSight",
 "description": "Bitsight Integration will allow you visibility into BitSight findings for remediation in your security program.",
 "support": "partner",
- "currentVersion": "1.1.3",
+ "currentVersion": "1.1.4",
 "author": "BitSight",
 "url": "https://service.bitsighttech.com/",
 "email": "support@bitsight.com",
diff --git a/Packs/Bitbucket/Integrations/Bitbucket/Bitbucket.yml b/Packs/Bitbucket/Integrations/Bitbucket/Bitbucket.yml
index 7785bcbea006..cb4fdd6aa26f 100644
--- a/Packs/Bitbucket/Integrations/Bitbucket/Bitbucket.yml
+++ b/Packs/Bitbucket/Integrations/Bitbucket/Bitbucket.yml
@@ -2552,6 +2552,6 @@ script:
 script: "-"
 type: python
 subtype: python3
- dockerimage: demisto/python3:3.10.9.40422
+ dockerimage: demisto/python3:3.10.9.42008
 tests: - Test_Bitbucket
diff --git a/Packs/Bitbucket/ReleaseNotes/1_0_4.md b/Packs/Bitbucket/ReleaseNotes/1_0_4.md
new file mode 100644
index 000000000000..6578d3e92337
--- /dev/null
+++ b/Packs/Bitbucket/ReleaseNotes/1_0_4.md
@@ -0,0 +1,3 @@
+#### Integrations
+##### Bitbucket
+- Updated the Docker image to: *demisto/python3:3.10.9.42008*.
diff --git a/Packs/Bitbucket/pack_metadata.json b/Packs/Bitbucket/pack_metadata.json
index d3d2b355f2cd..5b9f39ce4aeb 100644
--- a/Packs/Bitbucket/pack_metadata.json
+++ b/Packs/Bitbucket/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Bitbucket",
 "description": "Bitbucket Cloud is a Git-based code and CI/CD tool optimized for teams using Jira",
 "support": "xsoar",
- "currentVersion": "1.0.3",
+ "currentVersion": "1.0.4",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
diff --git a/Packs/BitcoinAbuse/Integrations/BitcoinAbuse/BitcoinAbuse.yml b/Packs/BitcoinAbuse/Integrations/BitcoinAbuse/BitcoinAbuse.yml
index 3aa997cb24ff..6f9881924e12 100644
--- a/Packs/BitcoinAbuse/Integrations/BitcoinAbuse/BitcoinAbuse.yml
+++ b/Packs/BitcoinAbuse/Integrations/BitcoinAbuse/BitcoinAbuse.yml
@@ -136,7 +136,7 @@ script:
 name: limit
 description: Gets indicators from the feed.
 name: bitcoinabuse-get-indicators
- dockerimage: demisto/python3:3.10.8.37753
+ dockerimage: demisto/python3:3.10.9.40422
 feed: true
 isFetchSamples: true
 runonce: false
diff --git a/Packs/BitcoinAbuse/ReleaseNotes/1_0_32.md b/Packs/BitcoinAbuse/ReleaseNotes/1_0_32.md
new file mode 100644
index 000000000000..4de7517baa32
--- /dev/null
+++ b/Packs/BitcoinAbuse/ReleaseNotes/1_0_32.md
@@ -0,0 +1,3 @@
+#### Integrations
+##### BitcoinAbuse Feed
+- Updated the Docker image to: *demisto/python3:3.10.9.40422*.
diff --git a/Packs/BitcoinAbuse/pack_metadata.json b/Packs/BitcoinAbuse/pack_metadata.json
index 421f3b352c3d..736e1c6a35b7 100644
--- a/Packs/BitcoinAbuse/pack_metadata.json
+++ b/Packs/BitcoinAbuse/pack_metadata.json
@@ -3,7 +3,7 @@
 "description": "Use the integration to fetch Bitcoin Cryptocurrency Address indicators from BitcoinAbuse.com feed, a public database of bitcoin addresses used by hackers and criminals.",
 "serverMinVersion": "5.5.0",
 "support": "xsoar",
- "currentVersion": "1.0.31",
+ "currentVersion": "1.0.32",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
diff --git a/Packs/BluecatAddressManager/Integrations/BluecatAddressManager/BluecatAddressManager.yml b/Packs/BluecatAddressManager/Integrations/BluecatAddressManager/BluecatAddressManager.yml
index 5bcf2876bba7..ce47626b1716 100644
--- a/Packs/BluecatAddressManager/Integrations/BluecatAddressManager/BluecatAddressManager.yml
+++ b/Packs/BluecatAddressManager/Integrations/BluecatAddressManager/BluecatAddressManager.yml
@@ -200,7 +200,7 @@ script: - contextPath: BlueCat.AddressManager.Range.Parents.CIDR
 description: Classless Inter-Domain Routing.
 type: String
- dockerimage: demisto/python3:3.10.8.37753
+ dockerimage: demisto/python3:3.10.9.40422
 isfetch: false
 longRunning: false
 longRunningPort: false
diff --git a/Packs/BluecatAddressManager/ReleaseNotes/1_1_4.md b/Packs/BluecatAddressManager/ReleaseNotes/1_1_4.md
new file mode 100644
index 000000000000..81ca6f98e5a4
--- /dev/null
+++ b/Packs/BluecatAddressManager/ReleaseNotes/1_1_4.md
@@ -0,0 +1,3 @@
+#### Integrations
+##### Bluecat Address Manager
+- Updated the Docker image to: *demisto/python3:3.10.9.40422*.
diff --git a/Packs/BluecatAddressManager/pack_metadata.json b/Packs/BluecatAddressManager/pack_metadata.json
index 3815f5827e8d..271263704a8a 100644
--- a/Packs/BluecatAddressManager/pack_metadata.json
+++ b/Packs/BluecatAddressManager/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Bluecat Address Manager",
 "description": "Use the BlueCat Address Manager integration to enrich IP addresses and manage response policies.",
 "support": "xsoar",
- "currentVersion": "1.1.3",
+ "currentVersion": "1.1.4",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
diff --git a/Packs/BmcHelixRemedyForce/Integrations/BmcHelixRemedyForce/BmcHelixRemedyForce.py b/Packs/BmcHelixRemedyForce/Integrations/BmcHelixRemedyForce/BmcHelixRemedyForce.py
index 317ce7d32425..ef61e10515a2 100644
--- a/Packs/BmcHelixRemedyForce/Integrations/BmcHelixRemedyForce/BmcHelixRemedyForce.py
+++ b/Packs/BmcHelixRemedyForce/Integrations/BmcHelixRemedyForce/BmcHelixRemedyForce.py
@@ -14,7 +14,6 @@
 # Disable insecure warnings
 urllib3.disable_warnings()
-requests.packages.urllib3.disable_warnings()
 # CONSTANTS
 DATE_FORMAT = '%Y-%m-%dT%H:%M:%SZ'
diff --git a/Packs/BmcHelixRemedyForce/Integrations/BmcHelixRemedyForce/BmcHelixRemedyForce.yml b/Packs/BmcHelixRemedyForce/Integrations/BmcHelixRemedyForce/BmcHelixRemedyForce.yml
index 3a7ba80daa97..e557fac8e8d6 100644
--- a/Packs/BmcHelixRemedyForce/Integrations/BmcHelixRemedyForce/BmcHelixRemedyForce.yml
+++ b/Packs/BmcHelixRemedyForce/Integrations/BmcHelixRemedyForce/BmcHelixRemedyForce.yml
@@ -1157,7 +1157,7 @@ script: - contextPath: BmcRemedyforce.ServiceRequest.Type
 description: The type of the service request.
 type: String
- dockerimage: demisto/python3:3.10.4.30607
+ dockerimage: demisto/python3:3.10.9.40422
 feed: false
 isfetch: true
 longRunning: false
diff --git a/Packs/BmcHelixRemedyForce/ReleaseNotes/1_0_19.md b/Packs/BmcHelixRemedyForce/ReleaseNotes/1_0_19.md
new file mode 100644
index 000000000000..1da43633d6dc
--- /dev/null
+++ b/Packs/BmcHelixRemedyForce/ReleaseNotes/1_0_19.md
@@ -0,0 +1,3 @@
+#### Integrations
+##### BMC Helix Remedyforce
+- Updated the Docker image to: *demisto/python3:3.10.9.40422*.
diff --git a/Packs/BmcHelixRemedyForce/pack_metadata.json b/Packs/BmcHelixRemedyForce/pack_metadata.json
index 1e3acb165172..e6ec41174141 100644
--- a/Packs/BmcHelixRemedyForce/pack_metadata.json
+++ b/Packs/BmcHelixRemedyForce/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Bmc Helix Remedyforce",
 "description": "Integration of BMC Helix Remedyforce with Cortex XSOAR. BMC Helix Remedyforce integration allows customers to create/update service requests and incidents. It also allows to update status, resolve service requests and incidents with customer notes. This integration exposes standard ticketing capabilities that can be utilized as part of automation & orchestration.",
 "support": "xsoar",
- "currentVersion": "1.0.18",
+ "currentVersion": "1.0.19",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
diff --git a/Packs/BmcITSM/Integrations/BmcITSM/BmcITSM.yml b/Packs/BmcITSM/Integrations/BmcITSM/BmcITSM.yml
index ac0f09115315..bc726ae700f1 100644
--- a/Packs/BmcITSM/Integrations/BmcITSM/BmcITSM.yml
+++ b/Packs/BmcITSM/Integrations/BmcITSM/BmcITSM.yml
@@ -163,7 +163,7 @@ script:
 script: ""
 type: python
 subtype: python3
- dockerimage: demisto/python3:3.10.5.31928
+ dockerimage: demisto/python3:3.10.9.40422
 commands: - name: bmc-itsm-user-list
 description:
diff --git a/Packs/BmcITSM/ReleaseNotes/1_0_1.md b/Packs/BmcITSM/ReleaseNotes/1_0_1.md
new file mode 100644
index 000000000000..f4e6f46cb078
--- /dev/null
+++ b/Packs/BmcITSM/ReleaseNotes/1_0_1.md
@@ -0,0 +1,3 @@
+#### Integrations
+##### BMC Helix ITSM
+- Updated the Docker image to: *demisto/python3:3.10.9.40422*.
diff --git a/Packs/BmcITSM/pack_metadata.json b/Packs/BmcITSM/pack_metadata.json
index e81e2e7e1006..691b124b38da 100644
--- a/Packs/BmcITSM/pack_metadata.json
+++ b/Packs/BmcITSM/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "BMC Helix ITSM",
 "description": "BMC Helix ITSM allows customers to manage service request, incident, change request, task, problem investigation and known error tickets.",
 "support": "xsoar",
- "currentVersion": "1.0.0",
+ "currentVersion": "1.0.1",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
diff --git a/Packs/Box/Integrations/BoxV2/BoxV2.yml b/Packs/Box/Integrations/BoxV2/BoxV2.yml
index 647d4702fe7d..3457b17a3407 100644
--- a/Packs/Box/Integrations/BoxV2/BoxV2.yml
+++ b/Packs/Box/Integrations/BoxV2/BoxV2.yml
@@ -3137,7 +3137,7 @@ script: - contextPath: Box.Folder.item_status
 description: The status of the parent of the item.
 type: String
- dockerimage: demisto/pyjwt3:1.0.0.38747
+ dockerimage: demisto/pyjwt3:1.0.0.40917
 feed: false
 isfetch: true
 longRunning: false
diff --git a/Packs/Box/ReleaseNotes/3_1_11.md b/Packs/Box/ReleaseNotes/3_1_11.md
new file mode 100644
index 000000000000..7ecb9b21703d
--- /dev/null
+++ b/Packs/Box/ReleaseNotes/3_1_11.md
@@ -0,0 +1,3 @@
+#### Integrations
+##### Box v2
+- Updated the Docker image to: *demisto/pyjwt3:1.0.0.40917*.
diff --git a/Packs/Box/pack_metadata.json b/Packs/Box/pack_metadata.json
index cf5a584ee5b5..7dd913d39601 100644
--- a/Packs/Box/pack_metadata.json
+++ b/Packs/Box/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Box",
 "description": "Manage Box users",
 "support": "xsoar",
- "currentVersion": "3.1.10",
+ "currentVersion": "3.1.11",
 "author": "Cort ex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
diff --git a/Packs/BreachRx/Integrations/BreachRx/BreachRx.py b/Packs/BreachRx/Integrations/BreachRx/BreachRx.py
index 498a19d9eeeb..6c3bad1e6e2c 100644
--- a/Packs/BreachRx/Integrations/BreachRx/BreachRx.py
+++ b/Packs/BreachRx/Integrations/BreachRx/BreachRx.py
@@ -2,7 +2,7 @@ from CommonServerUserPython import * # noqa
 from collections.abc import Callable
-import requests
+import urllib3
 import traceback
 from urllib.parse import urlparse
@@ -11,7 +11,7 @@ from requests.auth import HTTPBasicAuth
 # Disable insecure warnings
-requests.packages.urllib3.disable_warnings() # pylint: disable=no-member
+urllib3.disable_warnings() # pylint: disable=no-member
 create_incident_mutation = gql("""
 mutation CreateIncident(
diff --git a/Packs/BreachRx/Integrations/BreachRx/BreachRx.yml b/Packs/BreachRx/Integrations/BreachRx/BreachRx.yml
index 55e19de56554..d8f0bf741c09 100644
--- a/Packs/BreachRx/Integrations/BreachRx/BreachRx.yml
+++ b/Packs/BreachRx/Integrations/BreachRx/BreachRx.yml
@@ -122,7 +122,7 @@ script:
 script: '-'
 type: python
 subtype: python3
- dockerimage: demisto/graphql:1.0.0.32116
+ dockerimage: demisto/graphql:1.0.0.40739
 fromversion: 6.2.0
 tests: - No tests (auto formatted)
diff --git a/Packs/BreachRx/ReleaseNotes/1_0_1.md b/Packs/BreachRx/ReleaseNotes/1_0_1.md
new file mode 100644
index 000000000000..86c6824207ae
--- /dev/null
+++ b/Packs/BreachRx/ReleaseNotes/1_0_1.md
@@ -0,0 +1,3 @@
+#### Integrations
+##### BreachRx
+- Updated the Docker image to: *demisto/graphql:1.0.0.40739*.
diff --git a/Packs/BreachRx/pack_metadata.json b/Packs/BreachRx/pack_metadata.json
index 5c723eda7698..0b27ecb1ebfc 100644
--- a/Packs/BreachRx/pack_metadata.json
+++ b/Packs/BreachRx/pack_metadata.json
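Review bot: The `# pylint: disable=no-member` pragma carried onto `urllib3.disable_warnings()` is now stale: it existed because pylint could not resolve the vendored `requests.packages.urllib3` attribute chain, whereas `disable_warnings` on the directly imported `urllib3` module resolves normally, so the line can be just `urllib3.disable_warnings()`. The `gql("""` literal that starts in the trailing context continues outside the hunk.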
@@ -2,7 +2,7 @@
 "name": "BreachRx",
 "description": "Automate your privacy Incident Response workflow through the BreachRx platform.",
 "support": "partner",
- "currentVersion": "1.0.0",
+ "currentVersion": "1.0.1",
 "author": "BreachRx",
 "url": "https://breachrx.com",
 "email": "support@breachrx.com",
diff --git a/Packs/CIRCL/Integrations/CIRCL/CIRCL.py b/Packs/CIRCL/Integrations/CIRCL/CIRCL.py
index b9c896a2704a..382e6667a020 100644
--- a/Packs/CIRCL/Integrations/CIRCL/CIRCL.py
+++ b/Packs/CIRCL/Integrations/CIRCL/CIRCL.py
@@ -3,9 +3,9 @@ from CommonServerUserPython import *
 import requests
 import json
-
-# disable insecure warnings
-requests.packages.urllib3.disable_warnings()
+import urllib3
+# Disable insecure warnings
+urllib3.disable_warnings()
 ''' GLOBAL VARS '''
 BASE_URL = demisto.getParam('url')
@@ -26,14 +26,13 @@ def http_request(method, url):
 )
 if response.status_code != 200:
- return_error('Error in API call: [%d] - %s' % (response.status_code, response.reason))
-
+ return_error(f'Error in API call: [{response.status_code}] - {response.reason}')
 return response
 def validate_sha1(sha1):
 if len(sha1) != 40:
- return_error('Invalid SHA-1, expected 40 characters: %s' % (sha1))
+ return_error(f'Invalid SHA-1, expected 40 characters: {sha1}')
 def validate_ip_of_cidr(ip):
@@ -42,7 +41,7 @@ def validate_ip_of_cidr(ip):
 match = re.search(regex, ip)
 if match is None:
- return_error('Invalid IP or CIDR: %s' % (ip))
+ return_error(f'Invalid IP or CIDR: {ip}')
 def timestamp_to_string(timestamp):
@@ -55,7 +54,7 @@ def timestamp_to_string(timestamp):
 def dns_get_command(url):
 response = http_dns_get(url)
- results = list(map(lambda line: json.loads(line), response.text.splitlines()))
+ results = list([json.loads(line) for line in response.text.splitlines()])
 results = merge_by_rdata(results)
 records = []
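Review bot: `results = list([json.loads(line) for line in response.text.splitlines()])` wraps a list comprehension in a redundant `list()` call, a 2to3-style artefact of the python3 conversion; `results = [json.loads(line) for line in response.text.splitlines()]` is equivalent and clearer. The same artefact appears in the `@@ -117,14 +116,14 @@` hunk of this file on the next line, where `for ip, ip_data in list(data.items()):` copies the items view although the loop body only reads `data`, so the removed `for ip, ip_data in data.items():` was already correct on Python 3. Both are style-only; behaviour is unchanged. dns_get_command continues past the end of the hunk.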
@@ -67,7 +66,7 @@ def dns_get_command(url):
 'Type': entryTypes['note'],
 'ContentsFormat': formats['text'],
 'Contents': response.text,
- 'HumanReadable': tableToMarkdown("CIRCL Dns - " + url, records),
+ 'HumanReadable': tableToMarkdown(f'CIRCL Dns - {url}', records),
 'EntryContext': {
 'CIRCLdns.Query(val.Value===obj.Value)': {
 'Value': url,
@@ -78,7 +77,7 @@ def dns_get_command(url):
 def http_dns_get(url):
- query_url = BASE_URL + '/pdns/query/' + url
+ query_url = f'{BASE_URL}/pdns/query/{url}'
 return http_request('GET', query_url)
@@ -117,14 +116,14 @@ def list_certificates(queryValue):
 data = response.json()
 records = []
- for ip, ip_data in data.items():
+ for ip, ip_data in list(data.items()):
 records.append(create_ip_context(ip, ip_data))
 result = {
 'Type': entryTypes['note'],
 'ContentsFormat': formats['json'],
 'Contents': data,
- 'HumanReadable': tableToMarkdown('List certificates for ' + queryValue, records),
+ 'HumanReadable': tableToMarkdown(f'List certificates for {queryValue}', records),
 'EntryContext': {
 'CIRCLssl.IPAddress(val.Value===obj.Value)': records
 }
@@ -134,7 +133,7 @@ def list_certificates(queryValue):
 def http_list_certificates(queryValue):
- query_url = BASE_URL + '/v2pssl/query/' + queryValue
+ query_url = f'{BASE_URL}/v2pssl/query/{queryValue}'
 return http_request('GET', query_url)
@@ -170,7 +169,7 @@ def list_certificate_seen_ips(sha1, limit):
 'Type': entryTypes['note'],
 'ContentsFormat': formats['json'],
 'Contents': data,
- 'HumanReadable': 'Hits: ' + str(certificate['Hits']),
+ 'HumanReadable': f'Hits: {str(certificate["Hits"])}',
 'EntryContext': {
 'CIRCLssl.Certificate(val.SHA1===obj.SHA1)': certificate,
 }
@@ -180,7 +179,7 @@ def list_certificate_seen_ips(sha1, limit):
 def http_list_certificate_seen_ips(sha1):
- query_url = BASE_URL + '/v2pssl/cquery/' + sha1
+ query_url = f'{BASE_URL}/v2pssl/cquery/{sha1}'
 return http_request('GET', query_url)
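Review bot: `query_url = f'{BASE_URL}/pdns/query/{url}'` places the caller-supplied value into the request path without encoding, so a value containing `/`, `?` or `#` alters which endpoint is addressed; since the line is being rewritten anyway, percent-encoding the segment — `urllib.parse.quote(url, safe='')`, which needs `urllib.parse` imported — keeps the path well-formed for any input. The same applies to the `http_list_certificates`, `http_list_certificate_seen_ips` and `http_get_certificate_details` hunks in this file, and note that the `validate_sha1` helper in the earlier hunk only checks that the length is 40, not that the characters are hexadecimal. This is pre-existing behaviour rather than something this commit introduced.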
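Review bot: The `str()` inside `f'Hits: {str(certificate["Hits"])}'` is redundant, since f-string substitution already applies `format()` to the value; `'HumanReadable': f'Hits: {certificate["Hits"]}',` produces the same text. list_certificate_seen_ips begins and ends outside the hunk.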
@@ -204,7 +203,7 @@ def get_certificate_details(sha1):
 'Type': entryTypes['note'],
 'ContentsFormat': formats['json'],
 'Contents': data,
- 'HumanReadable': tableToMarkdown("CIRCL ssl certificate - " + sha1, certificate),
+ 'HumanReadable': tableToMarkdown(f'CIRCL ssl certificate - {sha1}', certificate),
 'EntryContext': {
 'CIRCLssl.Certificate(val.SHA1===obj.SHA1)': certificate,
 }
@@ -214,8 +213,7 @@ def get_certificate_details(sha1):
 def http_get_certificate_details(sha1):
- query_url = BASE_URL + '/v2pssl/cfetch/' + sha1
-
+ query_url = f'{BASE_URL}/v2pssl/cfetch/{sha1}'
 return http_request('GET', query_url)
diff --git a/Packs/CIRCL/Integrations/CIRCL/CIRCL.yml b/Packs/CIRCL/Integrations/CIRCL/CIRCL.yml
index c833fe305b9a..2f3bb7b736df 100644
--- a/Packs/CIRCL/Integrations/CIRCL/CIRCL.yml
+++ b/Packs/CIRCL/Integrations/CIRCL/CIRCL.yml
@@ -140,8 +140,8 @@ script:
 runonce: false
 script: '-'
 type: python
- subtype: python2
- dockerimage: demisto/python:2.7.18.27799
+ subtype: python3
+ dockerimage: demisto/python3:3.10.9.42476
 tests: - CirclIntegrationTest
 fromversion: 5.0.0
diff --git a/Packs/CIRCL/ReleaseNotes/1_0_7.md b/Packs/CIRCL/ReleaseNotes/1_0_7.md
new file mode 100644
index 000000000000..d31f96048abc
--- /dev/null
+++ b/Packs/CIRCL/ReleaseNotes/1_0_7.md
@@ -0,0 +1,3 @@
+#### Integrations
+##### CIRCL
+- Updated the Docker image to: *demisto/python:2.7.18.37800*.
diff --git a/Packs/CIRCL/ReleaseNotes/1_0_8.md b/Packs/CIRCL/ReleaseNotes/1_0_8.md
new file mode 100644
index 000000000000..3ed1a0e987d9
--- /dev/null
+++ b/Packs/CIRCL/ReleaseNotes/1_0_8.md
@@ -0,0 +1,5 @@
+
+#### Integrations
+##### CIRCL
+- Converted the Integration to python3.
+- Updated the Docker image to: *demisto/python3:3.10.9.42476*.
diff --git a/Packs/CIRCL/pack_metadata.json b/Packs/CIRCL/pack_metadata.json
index 91d91f6ac66e..724caafb8838 100644
--- a/Packs/CIRCL/pack_metadata.json
+++ b/Packs/CIRCL/pack_metadata.json
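Review bot: The switch to `subtype: python3` and `dockerimage: demisto/python3:3.10.9.42476` is the real migration, yet the 1_0_7 release note added in this same commit advertises *demisto/python:2.7.18.37800*, an image the yml references on neither side of the diff, while pack_metadata moves straight from 1.0.6 to 1.0.8. If 1.0.7 was never published the 1_0_7 note is misleading and could be dropped; if it was, a line in 1_0_8 noting that the python2 image was superseded would keep the changelog coherent.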
@@ -2,7 +2,7 @@
 "name": "CIRCL",
 "description": "CIRCL Passive DNS is a database storing historical DNS records from various resources.\nCIRCL Passive SSL is a database storing historical X.509 certificates seen per IP address. The Passive SSL historical data is indexed per IP address.",
 "support": "xsoar",
- "currentVersion": "1.0.6",
+ "currentVersion": "1.0.8",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
diff --git a/Packs/CVE_2022_41040_and_CVE_2022_41082_-_ProxyNotShell/Playbooks/playbook-CVE-2022-41040_&_CVE-2022-41082_-_ProxyNotShell.yml b/Packs/CVE_2022_41040_and_CVE_2022_41082_-_ProxyNotShell/Playbooks/playbook-CVE-2022-41040_&_CVE-2022-41082_-_ProxyNotShell.yml
index 69108e40ab01..730fa0a17587 100644
--- a/Packs/CVE_2022_41040_and_CVE_2022_41082_-_ProxyNotShell/Playbooks/playbook-CVE-2022-41040_&_CVE-2022-41082_-_ProxyNotShell.yml
+++ b/Packs/CVE_2022_41040_and_CVE_2022_41082_-_ProxyNotShell/Playbooks/playbook-CVE-2022-41040_&_CVE-2022-41082_-_ProxyNotShell.yml
@@ -1,7 +1,7 @@ id: CVE-2022-41040 & CVE-2022-41082 - ProxyNotShell version: -1 name: CVE-2022-41040 & CVE-2022-41082 - ProxyNotShell -description: "Microsoft is investigating two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. The first one, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, and the second one, identified as CVE-2022-41082, allows Remote Code Execution (RCE) when PowerShell is accessible to the attacker. \n\nCurrently, Microsoft is aware of limited targeted attacks using these two vulnerabilities. In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either vulnerability.\n\nThis playbook includes the following tasks:\n\n* Collect detection rules, indicators and mitigation tools.\n* Exploitation patterns hunting using Cortex XDR - XQL Engine.\n* Exploitation patterns hunting using 3rd party SIEM products:\n * Azure Sentinel\n * Splunk\n * QRadar\n * Elasticsearch\n* Indicators hunting using:\n * PAN-OS\n * Splunk\n * QRadar\n* Provides Microsoft mitigation and detection capabilities.\n\n**More information:**\n\n[Threat Brief: CVE-2022-41040 and CVE-2022-41082: Microsoft Exchange Server (ProxyNotShell)](https://unit42.paloaltonetworks.com/proxynotshell-cve-2022-41040-cve-2022-41082/)\n\n**References:**\n\n[Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082](https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/)\n\n[Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server](https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/)\n\n[WARNING: NEW ATTACK 
CAMPAIGN UTILIZED A NEW 0-DAY RCE VULNERABILITY ON MICROSOFT EXCHANGE SERVER](https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html)\n\n[ProxyNotShell— the story of the claimed zero days in Microsoft Exchange](https://doublepulsar.com/proxynotshell-the-story-of-the-claimed-zero-day-in-microsoft-exchange-5c63d963a9e9)\n\n**Note:** This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve." +description: "**UPDATE**\nA new method for bypassing ProxyNotShell mitigations was found after being seen exploited in the wild by the Play ransomware gang.\nWhile the original exploit took advantage of the Autodiscover endpoint, the new exploit is using the OWA endpoint leading to SSRF.\nThe OWASSRF exploit method involves two different vulnerabilities tracked by CVE-2022-41080 and CVE-2022-41082 that allow remote code execution (RCE) via Outlook Web Access (OWA).\n\nThis playbook introduces several updates in response to the new discovery:\n- Hunting:\n - Detecting possibly successful exploitation of the OWA SSRF vulnerability.\n- Mitigations:\n - IIS URL Rewrite rule for the modified exploitation URI path.\n- Remediation:\n - Block Indicators - Generic v3 playbook.\n\nMicrosoft is investigating two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. The first one, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, and the second one, identified as CVE-2022-41082, allows Remote Code Execution (RCE) when PowerShell is accessible to the attacker. 
\n\nCurrently, Microsoft is aware of limited targeted attacks using these two vulnerabilities. In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either vulnerability.\n\nThis playbook includes the following tasks:\n\n* Collect detection rules, indicators and mitigation tools.\n* Exploitation patterns hunting using Cortex XDR - XQL Engine.\n* Exploitation patterns hunting using 3rd party SIEM products:\n * Azure Sentinel\n * Splunk\n * QRadar\n * Elasticsearch\n* Indicators hunting using:\n * PAN-OS\n * Splunk\n * QRadar\n* Provides Microsoft mitigation and detection capabilities.\n\n**More information:**\n\n[Threat Brief: OWASSRF Vulnerability Exploitation](https://unit42.paloaltonetworks.com/threat-brief-OWASSRF/)\n\n[Threat Brief: CVE-2022-41040 and CVE-2022-41082: Microsoft Exchange Server (ProxyNotShell)](https://unit42.paloaltonetworks.com/proxynotshell-cve-2022-41040-cve-2022-41082/)\n\n**References:**\n\n[OWASSRF: CrowdStrike Identifies New Exploit Method for Exchange Bypassing ProxyNotShell Mitigations](https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/)\n\n[Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082](https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/)\n\n[Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server](https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/)\n\n[WARNING: NEW ATTACK CAMPAIGN UTILIZED A NEW 0-DAY RCE VULNERABILITY ON MICROSOFT EXCHANGE SERVER](https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html)\n\n[ProxyNotShell— the story of the 
claimed zero days in Microsoft Exchange](https://doublepulsar.com/proxynotshell-the-story-of-the-claimed-zero-day-in-microsoft-exchange-5c63d963a9e9)\n\n**Note:** This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve."
 starttaskid: "0"
 tasks:
 "0":
@@ -66,7 +66,7 @@ tasks:
 view: |-
 {
 "position": {
- "x": -100,
+ "x": -750,
 "y": -390
 }
 }
@@ -98,7 +98,7 @@ tasks:
 view: |-
 {
 "position": {
- "x": -310,
+ "x": -750,
 "y": -530
 }
 }
@@ -260,7 +260,7 @@ tasks:
 view: |-
 {
 "position": {
- "x": -1560,
+ "x": -2240,
 "y": 1400
 }
 }
@@ -333,7 +333,7 @@ tasks:
 description: ''
 nexttasks:
 '#none#':
- - "11"
+ - "12"
 separatecontext: false
 continueonerrortype: ""
 view: |-
@@ -365,11 +365,11 @@ tasks:
 nexttasks:
 '#default#': - "19"
- "yes":
- - "12"
+ "Yes":
+ - "82"
 separatecontext: false
 conditions:
- - label: "yes"
+ - label: "Yes"
 condition: - - operator: isEqualString
 left:
@@ -386,7 +386,7 @@ tasks:
 {
 "position": {
 "x": -310,
- "y": 2760
+ "y": 2930
 }
 }
 note: false
@@ -412,10 +412,7 @@ tasks:
 '#default#': - "19"
 "yes":
- - "22"
- - "32"
- - "56"
- - "57"
+ - "11"
 separatecontext: false
 conditions: - label: "yes"
@@ -449,8 +446,8 @@ tasks:
 view: |-
 {
 "position": {
- "x": -540,
- "y": 2950
+ "x": -310,
+ "y": 2750
 }
 }
 note: false
@@ -767,7 +764,7 @@ tasks:
 view: |-
 {
 "position": {
- "x": -1980,
+ "x": -2660,
 "y": 1570
 }
 }
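Review bot: The rewired `nexttasks` in this hunk (`"Yes":` → `- "82"`) and in the `@@ -412,10 +412,7 @@` hunk (`- "11"`) point at task ids that no visible hunk defines, and the `@@ -780,27 +777,26 @@` hunk on the next line replaces task 19's links to `"20"` and `"21"` with a single `"78"`; presumably tasks 72–82 are appended below this chunk, but tasks 20 and 21 (whose positions are still updated in the `@@ -825` and `@@ -862` hunks) are now reachable only if 78 leads to them, which is worth verifying in the playbook editor. Separately, this hunk changes the condition label and key to `"Yes"` while the `@@ -412` task keeps `"yes"`; each label matches its own `nexttasks` key so both work, but consistent casing would read better.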
@@ -780,27 +777,26 @@ tasks:
 isautoswitchedtoquietmode: false
 "19":
 id: "19"
- taskid: 79b080cc-a8a0-491b-8c96-ac4730de29ab
+ taskid: fbc1055e-ef71-4fe5-8648-0d5d91e6869c
 type: title
 task:
- id: 79b080cc-a8a0-491b-8c96-ac4730de29ab
+ id: fbc1055e-ef71-4fe5-8648-0d5d91e6869c
 version: -1
- name: Mitigation
+ name: Remediation
 type: title
 iscommand: false
 brand: ""
 description: ''
 nexttasks:
 '#none#':
- - "20"
- - "21"
+ - "78"
 separatecontext: false
 continueonerrortype: ""
 view: |-
 {
 "position": {
 "x": -310,
- "y": 3340
+ "y": 3810
 }
 }
 note: false
@@ -825,13 +821,14 @@ tasks:
 nexttasks:
 '#none#': - "59"
+ - "77"
 separatecontext: false
 continueonerrortype: ""
 view: |-
 {
 "position": {
 "x": -80,
- "y": 3490
+ "y": 4110
 }
 }
 note: false
@@ -862,7 +859,7 @@ tasks:
 {
 "position": {
 "x": -540,
- "y": 3490
+ "y": 4110
 }
 }
 note: false
@@ -901,8 +898,8 @@ tasks:
 view: |-
 {
 "position": {
- "x": -1100,
- "y": 3150
+ "x": -1810,
+ "y": 3630
 }
 }
 note: false
@@ -940,7 +937,7 @@ tasks:
 view: |-
 {
 "position": {
- "x": -970,
+ "x": -310,
 "y": -390
 }
 }
@@ -972,7 +969,7 @@ tasks:
 {
 "position": {
 "x": -540,
- "y": 3630
+ "y": 4260
 }
 }
 note: false
@@ -1005,7 +1002,7 @@ tasks:
 {
 "position": {
 "x": -310,
- "y": 3930
+ "y": 4560
 }
 }
 note: false
@@ -1051,7 +1048,7 @@ tasks:
 {
 "position": {
 "x": -310,
- "y": 4300
+ "y": 4930
 }
 }
 note: false
@@ -1082,7 +1079,7 @@ tasks:
 {
 "position": {
 "x": -760,
- "y": 4130
+ "y": 4760
 }
 }
 note: false
@@ -1117,7 +1114,7 @@ tasks:
 {
 "position": {
 "x": -310,
- "y": 4130
+ "y": 4760
 }
 }
 note: false
@@ -1148,7 +1145,7 @@ tasks:
 {
 "position": {
 "x": -310,
- "y": 3800
+ "y": 4430
 }
 }
 note: false
@@ -1238,8 +1235,8 @@ tasks:
 view: |-
 {
 "position": {
- "x": -680,
- "y": 3150
+ "x": -1390,
+ "y": 3630
 }
 }
 note: false
@@ -1263,13 +1260,14 @@ tasks:
 description: ''
 nexttasks:
 '#none#':
- - "34"
+ - "79"
+ - "80"
 separatecontext: false
 continueonerrortype: ""
 view: |-
 {
 "position": {
- "x": 370,
+ "x": 130,
 "y": -530
 }
 }
@@ -1280,46 +1278,6 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
- "34":
- id: "34"
- taskid: bd5250af-e816-4aa5-8cd8-e37795dfcfe4
- type: regular
- task:
- id: bd5250af-e816-4aa5-8cd8-e37795dfcfe4
- version: -1
- name: Collect indicators from GTSC
- description: This script will extract indicators from HTML and will handle bad TLDs to avoid file extensions false positives.
- scriptName: ParseHTMLIndicators
- type: regular
- iscommand: false
- brand: ""
- nexttasks:
- '#none#':
- - "35"
- scriptarguments:
- exclude_indicators:
- simple: https://github.com/ncsgroupvn/NCSE0Scanner, github.com, https://github.com/antonioCoco/SharPyShell
- unescape_domain:
- simple: "False"
- url:
- simple: https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html
- separatecontext: false
- continueonerror: true
- continueonerrortype: ""
- view: |-
- {
- "position": {
- "x": 370,
- "y": -390
- }
- }
- note: false
- timertriggers: []
- ignoreworker: false
- skipunavailable: false
- quietmode: 0
- isoversize: false
- isautoswitchedtoquietmode: false
 "35":
 id: "35"
 taskid: 41cf7702-120f-4d38-80a6-434d179b5055
@@ -1700,7 +1658,7 @@ tasks:
 view: |-
 {
 "position": {
- "x": -1980,
+ "x": -2660,
 "y": 1400
 }
 }
@@ -1741,7 +1699,7 @@ tasks:
 view: |-
 {
 "position": {
- "x": -520,
+ "x": -1170,
 "y": -390
 }
 }
@@ -1920,6 +1878,7 @@ tasks: - "50" - "52" - "51"
+ - "76"
 separatecontext: false
 conditions: - label: "yes"
@@ -1977,9 +1936,9 @@ tasks:
 **Reference:**
 * https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
- script: '|||azure-log-analytics-execute-query'
 tags:
- - SIEMResults
+ - SIEMResults
+ script: '|||azure-log-analytics-execute-query'
 type: regular
 iscommand: true
 brand: ""
@@ -2006,8 +1965,8 @@ tasks:
 view: |-
 {
 "position": {
- "x": -1340,
- "y": 2290
+ "x": -1640,
+ "y": 2280
 }
 }
 note: false
@@ -2053,8 +2012,8 @@ tasks:
 view: |-
 {
 "position": {
- "x": -930,
- "y": 2290
+ "x": -1220,
+ "y": 2280
 }
 }
 note: false
@@ -2107,8 +2066,8 @@ tasks:
 view: |-
 {
 "position": {
- "x": -520,
- "y": 2290
+ "x": -800,
+ "y": 2280
 }
 }
 note: false
@@ -2155,8 +2114,8 @@ tasks:
 view: |-
 {
 "position": {
- "x": 720,
- "y": 2290
+ "x": 510,
+ "y": 2280
 }
 }
 note: false
@@ -2203,8 +2162,8 @@ tasks:
 view: |-
 {
 "position": {
- "x": -100,
- "y": 2290
+ "x": -310,
+ "y": 2280
 }
 }
 note: false
@@ -2249,8 +2208,8 @@ tasks:
 view: |-
 {
 "position": {
- "x": 310,
- "y": 2290
+ "x": 100,
+ "y": 2280
 }
 }
 note: false
@@ -2281,7 +2240,7 @@ tasks:
 {
 "position": {
 "x": -310,
- "y": 2490
+ "y": 2480
 }
 }
 note: false
@@ -2351,8 +2310,8 @@ tasks:
 view: |-
 {
 "position": {
- "x": 60,
- "y": 3150
+ "x": -970,
+ "y": 3630
 }
 }
 note: false
@@ -2391,8 +2350,8 @@ tasks:
 view: |-
 {
 "position": {
- "x": 480,
- "y": 3150
+ "x": -550,
+ "y": 3630
 }
 }
 note: false
@@ -2422,7 +2381,7 @@ tasks:
 view: |-
 {
 "position": {
- "x": -970,
+ "x": -310,
 "y": -530
 }
 }
@@ -2435,12 +2394,12 @@ tasks: isautoswitchedtoquietmode: false "59": id: "59" - taskid: 3a86c7c1-ba25-421e-8f8c-60a5a89386a0 + taskid: 1307648e-0432-4905-8330-1f12bbff8825 type: regular task: - id: 3a86c7c1-ba25-421e-8f8c-60a5a89386a0 + id: 1307648e-0432-4905-8330-1f12bbff8825 version: -1 - name: Mitigate IIS URL Rewrite + name: Mitigate IIS URL Rewrite - ProxyNotShell description: "1. Microsoft mitigation tool, **EOMTv2**, is available for download directly via XSOAR.\n2. Mitigate Manually using the following instructions:\n 1. Open IIS Manager. \n 2. Select Default Web Site.\n 3. In the Feature View, click URL Rewrite.\n 4. In the Actions pane on the right-hand side, click Add Rule(s)… \n 5. Select Request Blocking and click OK. \n 6. Add the string “.*autodiscover\\.json.*\\@.*Powershell.*” (excluding quotes).\n 7. Select Regular Expression under Using.\n 8. Select Abort Request under How to block and then click OK.\n 9. Expand the rule and select the rule with the pattern .*autodiscover\\.json.*\\@.*Powershell.* and click Edit under Conditions. \n 10. Change the Condition input from {URL} to {REQUEST_URI}\n\n**NOTE:** If you need to change any rule, it is best to delete and recreate it.\n\n**Impact:** There is no known effect on Exchange functionality if URL Rewrite is installed as recommended. " type: regular iscommand: false @@ -2454,7 +2413,7 @@ tasks: { "position": { "x": -80, - "y": 3620 + "y": 4250 } } note: false @@ -2482,9 +2441,11 @@ tasks: QRadar v2: - "8" - "42" + - "74" QRadar v3: - "66" - "68" + - "75" separatecontext: false conditions: - label: QRadar v2 @@ -2546,8 +2507,8 @@ tasks: view: |- { "position": { - "x": -1120, - "y": 1190 + "x": -1390, + "y": 1170 } } note: false @@ -2575,6 +2536,7 @@ tasks: "Yes": - "31" - "7" + - "72" separatecontext: false conditions: - label: "Yes" @@ -2610,7 +2572,7 @@ tasks: { "position": { "x": -310, - "y": 1190 + "y": 1170 } } note: false 
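Review bot: Task 59 is renamed here, but its description still instructs operators to add the original pattern `.*autodiscover\.json.*\@.*Powershell.*`, which Microsoft withdrew because a percent-encoded `@` (`%40`) passes straight through it; the revised guidance uses `(?=.*autodiscover)(?=.*powershell)` against `{REQUEST_URI}`. Since the commit already touches this task, update steps 6 and 9 to the revised pattern, or at minimum append `**NOTE:** this pattern is bypassed by a URL-encoded @; use Microsoft's revised rule.` to the description. The same literal-`@` weakness applies to the new OWASSRF rule added as task 77 (`.*owa\/.*\@.*\/powershell.*`), and both descriptions should state that the rewrite rule is a stopgap and not a replacement for the November 2022 Exchange SU that fixes CVE-2022-41080.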
@@ -2638,6 +2600,7 @@ tasks: "Yes": - "46" - "9" + - "73" separatecontext: false conditions: - label: "Yes" @@ -2672,8 +2635,8 @@ tasks: view: |- { "position": { - "x": 320, - "y": 1190 + "x": 330, + "y": 1170 } } note: false @@ -2814,7 +2777,7 @@ tasks: view: |- { "position": { - "x": -1540, + "x": -2220, "y": 1570 } } @@ -2849,7 +2812,7 @@ tasks: view: |- { "position": { - "x": -1120, + "x": -1810, "y": 1570 } } @@ -2886,8 +2849,8 @@ tasks: view: |- { "position": { - "x": -1330, - "y": 1740 + "x": -1810, + "y": 1750 } } note: false @@ -2964,8 +2927,8 @@ tasks: view: |- { "position": { - "x": 1350, - "y": 1190 + "x": 1850, + "y": 1170 } } note: false 
@@ -2975,72 +2938,792 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false -view: |- - { - "linkLabelsPosition": { - "11_12_yes": 0.2, - "11_19_#default#": 0.3, - "12_19_#default#": 0.54, - "47_54_#default#": 0.26, - "60_55_#default#": 0.38, - "61_55_#default#": 0.17, - "62_55_#default#": 0.12 - }, - "paper": { - "dimensions": { - "height": 5045, - "width": 3710, - "x": -1980, - "y": -680 + "72": + id: "72" + taskid: d755d776-6098-4102-8ce2-37b13038c3d7 + type: regular + task: + id: d755d776-6098-4102-8ce2-37b13038c3d7 + version: -1 + name: Detect a possibly successful ProxyNotShell bypass attempt. + description: Detect a possibly successful ProxyNotShell bypass attempt. + tags: + - SIEMResults + script: '|||splunk-search' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "55" + scriptarguments: + earliest_time: + complex: + root: inputs.SplunkEarliestTime + latest_time: + complex: + root: inputs.SplunkLatestTime + query: + simple: source="WinEventLog:*" AND (sc-status="200" AND c-uri="/owa/*@*/powershell") + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -950, + "y": 1400 + } } - } - } -inputs: -- key: CVEs - value: - simple: CVE-2022-41040,CVE-2022-41082 - required: false - description: The vulnerabilities CVE indicators. - playbookInputQuery: -- key: SplunkIndex - value: - simple: '*' - required: false - description: Splunk's index name in which to search. The default is "*" - All. - playbookInputQuery: -- key: SplunkEarliestTime - value: - simple: -7d@d - required: false - description: Splunk's earliest time to search. - playbookInputQuery: -- key: SplunkLatestTime - value: - simple: now - required: false - description: Splunk's latest time to search. - playbookInputQuery: -- key: ElasticIndex - value: - simple: winlogbeat-* - required: false - description: Elastic's index name in which to search. The default is "winlogbeat-*" - All. 
- playbookInputQuery: -- key: QRadarTimeRange - value: - simple: Last 7 DAYS - required: false - description: QRadar's query time range. - playbookInputQuery: -- key: RunXQLHuntingQueries - value: - simple: "False" - required: false - description: Whether to execute the XQL queries. + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "73": + id: "73" + taskid: a976674c-6e26-402d-8f97-35cc31b5da5a + type: regular + task: + id: a976674c-6e26-402d-8f97-35cc31b5da5a + version: -1 + name: Detect a possibly successful ProxyNotShell bypass attempt. + description: Searches an index. + tags: + - SIEMResults + script: '|||search' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "55" + scriptarguments: + index: + complex: + root: inputs.ElasticIndex + query: + simple: (http.response.status_code:"200" AND url.original:\/owa\/\*@\*\/powershell) + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1290, + "y": 1400 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "74": + id: "74" + taskid: 107a51ed-3e93-4217-87de-3d25445354b7 + type: playbook + task: + id: 107a51ed-3e93-4217-87de-3d25445354b7 + version: -1 + name: Detect a possibly successful ProxyNotShell bypass attempt + description: This playbook runs a QRadar query and return its results to the context. 
+ playbookName: QRadarFullSearch + type: playbook + iscommand: false + brand: "" + nexttasks: + '#none#': + - "18" + scriptarguments: + interval: + simple: "1" + query_expression: + simple: SELECT UTF8(payload) FROM events WHERE "sc-status"='200' AND "URL" ILIKE '/owa/*@*/powershell' + timeout: + simple: "600" + separatecontext: true + continueonerrortype: "" + loop: + iscommand: false + exitCondition: "" + wait: 1 + max: 0 + view: |- + { + "position": { + "x": -3080, + "y": 1400 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "75": + id: "75" + taskid: 4c119ae8-264d-4323-81ff-819bbc209806 + type: regular + task: + id: 4c119ae8-264d-4323-81ff-819bbc209806 + version: -1 + name: Detect a possibly successful ProxyNotShell bypass attempt. + description: Creates a new asynchronous Ariel search. Returns the search ID. Search status and results can be polled by sending the search ID to the 'qradar-search-status-get' and 'qradar-search-results-get' commands. Accepts SELECT query expressions only. 
+ script: '|||qradar-search-create' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "69" + scriptarguments: + query_expression: + simple: SELECT UTF8(payload) FROM events WHERE "sc-status"='200' AND "URL" ILIKE '/owa/*@*/powershell' + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -1390, + "y": 1570 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "76": + id: "76" + taskid: 1b73385b-83b2-4c7a-8f8c-94a63e117b65 + type: regular + task: + id: 1b73385b-83b2-4c7a-8f8c-94a63e117b65 + version: -1 + name: Detect possibly successful ProxyNotShell bypass - OWASSRF + description: "This query was originally published in the threat analytics report, \"Exchange Server zero-days exploited in the wild\".\nIn early March 2021, Microsoft released patches for four different zero-day vulnerabilities affecting Microsoft Exchange Server. The vulnerabilities were being used in a coordinated attack. For more information on the vulnerabilities, visit the following links:\n 1. CVE-2021-26855\n 2. CVE-2021-26857\n 3. CVE-2021-26858\n 4. 
CVE-2021-27065\n\nThe following query checks for the IIS worker process in Exchange Server dropping files that appear to be the web shells and other threat artifacts observed in known attacks.\nMore queries related to this threat can be found under the See also section of this page.\n\n**Reference:** \n* https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/" + tags: + - SIEMResults + script: '|||azure-log-analytics-execute-query' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "54" + scriptarguments: + query: + simple: Webserver | where (sc_status == 200 and Url contains @'/owa/*@*/powershell') + separatecontext: false + continueonerror: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 920, + "y": 2280 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "77": + id: "77" + taskid: f151f26a-8091-47e9-8209-71905d761869 + type: regular + task: + id: f151f26a-8091-47e9-8209-71905d761869 + version: -1 + name: Mitigate IIS URL Rewrite - OWASSRF - ProxyNotShell bypass + description: "(**Note: This is a beta rule**)\n Mitigate Manually using the following instructions:\n 1. Open + IIS Manager. \n 2. Select Default Web Site.\n 3. In the Feature View, click URL Rewrite.\n 4. In the Actions pane on the right-hand side, click Add Rule(s)… \n 5. Select Request Blocking and click OK. \n 6. Add the string “.*owa\\/.*\\@.*\\/powershell.*” (excluding quotes).\n 7. Select Regular Expression under Using.\n 8. Select Abort Request under How to block and then click OK.\n 9. Expand the rule and select the rule with the pattern .*owa\\/.*\\@.*\\/powershell.* and click Edit under Conditions. \n 10. Change the Condition input from {URL} to {REQUEST_URI}\n\n**NOTE:** If you need to change any rule, it is best to delete and recreate it." 
+ type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "30" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 330, + "y": 4250 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "78": + id: "78" + taskid: d4f6875e-d4cb-46a8-86f9-20f0355a19a4 + type: playbook + task: + id: d4f6875e-d4cb-46a8-86f9-20f0355a19a4 + version: -1 + name: Block Indicators - Generic v3 + playbookName: Block Indicators - Generic v3 + type: playbook + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "21" + - "20" + scriptarguments: + AutoCommit: + simple: "No" + CustomBlockRule: + simple: "True" + CustomURLCategory: + simple: Demisto Remediation - Malicious URLs + IP: + complex: + root: DBotScore + filters: + - - operator: isEqualString + left: + value: + simple: DBotScore.Type + iscontext: true + right: + value: + simple: ip + ignorecase: true + - - operator: greaterThanOrEqual + left: + value: + simple: DBotScore.Score + iscontext: true + right: + value: + simple: "3" + accessor: Indicator + transformers: + - operator: uniq + InputEnrichment: + simple: "False" + MD5: + complex: + root: File + accessor: MD5 + RuleDirection: + simple: inbound + RuleName: + simple: XSOAR - Block Indicators playbook - ${incident.id} + SHA256: + complex: + root: File + accessor: SHA256 + URL: + complex: + root: DBotScore + filters: + - - operator: isEqualString + left: + value: + simple: DBotScore.Type + iscontext: true + right: + value: + simple: url + ignorecase: true + - - operator: greaterThanOrEqual + left: + value: + simple: DBotScore.Score + iscontext: true + right: + value: + simple: "3" + accessor: Indicator + transformers: + - operator: uniq + UserVerification: + simple: "True" + Username: + complex: + root: DBotScore + filters: + - - operator: isEqualString + left: + value: + simple: DBotScore.Type + 
iscontext: true + right: + value: + simple: username + ignorecase: true + - - operator: greaterThanOrEqual + left: + value: + simple: DBotScore.Score + iscontext: true + right: + value: + simple: "3" + accessor: Indicator + separatecontext: true + continueonerrortype: "" + loop: + iscommand: false + exitCondition: "" + wait: 1 + max: 100 + view: |- + { + "position": { + "x": -310, + "y": 3940 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "79": + id: "79" + taskid: 4e1861a2-fec9-4ee6-8329-5a3d9f2d3d8a + type: regular + task: + id: 4e1861a2-fec9-4ee6-8329-5a3d9f2d3d8a + version: -1 + name: Collect indicators from SOCRadar + description: This script will extract indicators from given HTML and will handle bad top-level domains to avoid false positives caused by file extensions. + scriptName: ParseHTMLIndicators + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "35" + scriptarguments: + url: + simple: https://socradar.io/threat-actors-exploit-unpatched-microsoft-exchange-zero-days/ + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 550, + "y": -390 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "80": + id: "80" + taskid: dc4bce3a-3a34-4b04-8861-de49a684ab8e + type: regular + task: + id: dc4bce3a-3a34-4b04-8861-de49a684ab8e + version: -1 + name: Collect indicators from PANW Unit42 + description: This script will extract indicators from given HTML and will handle bad top-level domains to avoid false positives caused by file extensions. 
+ scriptName: ParseHTMLIndicators + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "35" + scriptarguments: + exclude_indicators: + simple: outlook[.]com + url: + simple: https://unit42.paloaltonetworks.com/threat-brief-OWASSRF/ + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 130, + "y": -390 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "81": + id: "81" + taskid: c1c56114-47b0-4e0a-8b66-7fc235228fec + type: title + task: + id: c1c56114-47b0-4e0a-8b66-7fc235228fec + version: -1 + name: ProxyNotShell XQL Queries + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "22" + - "32" + - "56" + - "57" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -1180, + "y": 3460 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "82": + id: "82" + taskid: 09391d30-a6e9-4e35-80f2-743d299c0588 + type: condition + task: + id: 09391d30-a6e9-4e35-80f2-743d299c0588 + version: -1 + name: Choose which XQL queries to execute + type: condition + iscommand: false + brand: "" + description: Choose whether to execute ProxyNotShell, OWASSRF XQL queries or both. 
+ nexttasks: + '#default#': + - "19" + Both: + - "86" + OWASSRF: + - "83" + ProxyNotShell: + - "81" + separatecontext: false + conditions: + - label: ProxyNotShell + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.XQLHuntingQueriesType + iscontext: true + right: + value: + simple: ProxyNotShell + ignorecase: true + - label: OWASSRF + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.XQLHuntingQueriesType + iscontext: true + right: + value: + simple: OWASSRF + ignorecase: true + - label: Both + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.XQLHuntingQueriesType + iscontext: true + right: + value: + simple: Both + ignorecase: true + continueonerrortype: "" + view: |- + { + "position": { + "x": -310, + "y": 3120 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "83": + id: "83" + taskid: bd1f18ef-ee2e-4dbd-8e7c-1eaa35b94af7 + type: title + task: + id: bd1f18ef-ee2e-4dbd-8e7c-1eaa35b94af7 + version: -1 + name: OWASSRF XQL Queries + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "84" + - "85" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 340, + "y": 3460 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "84": + id: "84" + taskid: 59467b70-dc41-453b-87ce-1d843231303b + type: regular + task: + id: 59467b70-dc41-453b-87ce-1d843231303b + version: -1 + name: Detect w3wp.exe suspicious child processes + description: |- + Execute an XQL query and retrieve results of an executed XQL query API. The command will be executed every 10 seconds until results are retrieved or until a timeout error is raised. 
+ When more than 1000 results are retrieved, the command will return a compressed gzipped JSON format file, + unless the argument 'parse_result_file_to_context' is set to true and then the results will be extracted to the context. + script: '|||xdr-xql-generic-query' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "19" + scriptarguments: + query: + simple: "// Processes spawned by exploiting this vulnerability will have a parent process of w3wp.exe in the \"MSExchangePowerShellAppPool\" application pool. Review the results of this query for suspicious child processes.\n \nconfig case_sensitive = false\n \n| dataset = xdr_data\n \n| filter event_type = ENUM.PROCESS AND event_sub_type = ENUM.PROCESS_START\n \n| filter actor_process_image_name = \"w3wp.exe\" and actor_process_command_line contains \"MSExchangePowerShellAppPool\"\n \n| filter action_process_image_name not in (\"wermgr.exe\",\"wmiapsrv.exe\",\"dllhost.exe\")\n \n| fields _time, agent_id, agent_version, action_process_image_path,action_process_image_command_line,action_process_image_sha256, actor_process_command_line" + query_name: + simple: Detect w3wp.exe suspicious child processes + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 130, + "y": 3640 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "85": + id: "85" + taskid: 716566f5-08bb-45fb-8f14-6ef3267cc9f0 + type: regular + task: + id: 716566f5-08bb-45fb-8f14-6ef3267cc9f0 + version: -1 + name: Detect w3wp.exe spawning PowerShell with 'frombase64string' in the command-line + description: |- + Execute an XQL query and retrieve results of an executed XQL query API. The command will be executed every 10 seconds until results are retrieved or until a timeout error is raised. 
+ When more than 1000 results are retrieved, the command will return a compressed gzipped JSON format file, + unless the argument 'parse_result_file_to_context' is set to true and then the results will be extracted to the context. + script: '|||xdr-xql-generic-query' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "19" + scriptarguments: + query: + simple: |- + // Description: In activity we observed in the wild, a w3wp.exe process belonging to the "MSExchangePowerShellAppPool" application pool spawned PowerShell one-liners with "frombase64string" in the command line. + + config case_sensitive = false + + | dataset = xdr_data + + | filter event_type = ENUM.PROCESS AND event_sub_type = ENUM.PROCESS_START + + | filter action_process_image_name = "powershell.exe" and action_process_image_command_line contains "frombase64string" + + | filter (actor_process_image_name = "w3wp.exe" and actor_process_command_line contains "MSExchangePowerShellAppPool") or (causality_actor_process_image_name = "w3wp.exe" and causality_actor_process_command_line contains "MSExchangePowerShellAppPool") + + | fields action_process_image_path, action_process_image_command_line , actor_process_command_line , causality_actor_process_command_line, agent_hostname + query_name: + simple: Detect w3wp.exe spawning PowerShell with 'frombase64string' in the command-line + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 550, + "y": 3640 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "86": + id: "86" + taskid: 412aae29-70ef-4208-88f2-1068493bc979 + type: title + task: + id: 412aae29-70ef-4208-88f2-1068493bc979 + version: -1 + name: ProxyNotShell & OWASSRF XQL Queries + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "81" + - "83" + separatecontext: false + continueonerrortype: "" + view: 
|- + { + "position": { + "x": -310, + "y": 3320 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false +system: true +view: |- + { + "linkLabelsPosition": { + "11_19_#default#": 0.38, + "11_82_Yes": 0.37, + "12_11_yes": 0.45, + "12_19_#default#": 0.32, + "47_48_yes": 0.87, + "47_49_yes": 0.81, + "47_51_yes": 0.8, + "47_54_#default#": 0.26, + "47_76_yes": 0.86, + "60_55_#default#": 0.34, + "61_55_#default#": 0.17, + "62_55_#default#": 0.12, + "82_19_#default#": 0.35, + "82_81_ProxyNotShell": 0.77, + "82_83_OWASSRF": 0.67 + }, + "paper": { + "dimensions": { + "height": 5675, + "width": 5310, + "x": -3080, + "y": -680 + } + } + } +inputs: +- key: CVEs + value: + simple: CVE-2022-41040,CVE-2022-41082 + required: false + description: The vulnerabilities CVE indicators. + playbookInputQuery: +- key: SplunkIndex + value: + simple: '*' + required: false + description: Splunk's index name in which to search. The default is "*" - All. + playbookInputQuery: +- key: SplunkEarliestTime + value: + simple: -7d@d + required: false + description: Splunk's earliest time to search. + playbookInputQuery: +- key: SplunkLatestTime + value: + simple: now + required: false + description: Splunk's latest time to search. + playbookInputQuery: +- key: ElasticIndex + value: + simple: winlogbeat-* + required: false + description: Elastic's index name in which to search. The default is "winlogbeat-*" - All. + playbookInputQuery: +- key: QRadarTimeRange + value: + simple: Last 7 DAYS + required: false + description: QRadar's query time range. + playbookInputQuery: +- key: RunXQLHuntingQueries + value: + simple: "False" + required: false + description: Whether to execute the XQL queries. + playbookInputQuery: +- key: XQLHuntingQueriesType + value: + simple: OWASSRF + required: false + description: | + Whether to execute the ProxyNotShell or OWASSRF XQL queries or both. 
+ + * Use 'ProxyNotShell' as an input to execute ProxyNotShell queries + * Use 'OWASSRF' as an input to execute OWASSRF queries + * Use 'Both' as an input to execute both ProxyNotShell and OWASSRF queries playbookInputQuery: - key: PlaybookDescription value: - simple: "Microsoft is investigating two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. The first one, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, and the second one, identified as CVE-2022-41082, allows Remote Code Execution (RCE) when PowerShell is accessible to the attacker. \n\nCurrently, Microsoft is aware of limited targeted attacks using these two vulnerabilities. In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either vulnerability.\n\nThis playbook includes the following tasks:\n\n* Collect detection rules, indicators and mitigation tools.\n* Exploitation patterns hunting using Cortex XDR - XQL Engine.\n* Exploitation patterns hunting using 3rd party SIEM products:\n * Azure Sentinel\n * Splunk\n * QRadar\n * Elasticsearch\n* Indicators hunting using:\n * PAN-OS\n * Splunk\n * QRadar\n* Provides Microsoft mitigation and detection capabilities.\n\n**References:**\n\n[Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082](https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/)\n\n[Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server](https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/)\n\n[WARNING: NEW ATTACK CAMPAIGN UTILIZED A NEW 0-DAY RCE VULNERABILITY ON MICROSOFT EXCHANGE 
SERVER](https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html)\n\n[ProxyNotShell— the story of the claimed zero days in Microsoft Exchange](https://doublepulsar.com/proxynotshell-the-story-of-the-claimed-zero-day-in-microsoft-exchange-5c63d963a9e9)\n\n**Note:** This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve." + simple: "**UPDATE**\nA new method for bypassing ProxyNotShell mitigations was found after being seen exploited in the wild by the Play ransomware gang.\nWhile the original exploit took advantage of the Autodiscover endpoint, the new exploit is using the OWA endpoint leading to SSRF.\nThe OWASSRF exploit method involves two different vulnerabilities tracked by CVE-2022-41080 and CVE-2022-41082 that allow remote code execution (RCE) via Outlook Web Access (OWA).\n\nThis playbook introduces several updates in response to the new discovery:\n- Hunting:\n - Detecting possibly successful exploitation of the OWA SSRF vulnerability.\n- Mitigations:\n - IIS URL Rewrite rule for the modified exploitation URI path.\n- Remediation:\n - Block Indicators - Generic v3 playbook.\n\nMicrosoft is investigating two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. The first one, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, and the second one, identified as CVE-2022-41082, allows Remote Code Execution (RCE) when PowerShell is accessible to the attacker. \n\nCurrently, Microsoft is aware of limited targeted attacks using these two vulnerabilities. 
In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either vulnerability.\n\nThis playbook includes the following tasks:\n\n* Collect detection rules, indicators and mitigation tools.\n* Exploitation patterns hunting using Cortex XDR - XQL Engine.\n* Exploitation patterns hunting using 3rd party SIEM products:\n * Azure Sentinel\n * Splunk\n * QRadar\n * Elasticsearch\n* Indicators hunting using:\n * PAN-OS\n * Splunk\n * QRadar\n* Provides Microsoft mitigation and detection capabilities.\n\n**More information:**\n\n[Threat Brief: OWASSRF Vulnerability Exploitation](https://unit42.paloaltonetworks.com/threat-brief-OWASSRF/)\n\n[Threat Brief: CVE-2022-41040 and CVE-2022-41082: Microsoft Exchange Server (ProxyNotShell)](https://unit42.paloaltonetworks.com/proxynotshell-cve-2022-41040-cve-2022-41082/)\n\n**References:**\n\n[OWASSRF: CrowdStrike Identifies New Exploit Method for Exchange Bypassing ProxyNotShell Mitigations](https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/)\n\n[Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082](https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/)\n\n[Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server](https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/)\n\n[WARNING: NEW ATTACK CAMPAIGN UTILIZED A NEW 0-DAY RCE VULNERABILITY ON MICROSOFT EXCHANGE SERVER](https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html)\n\n[ProxyNotShell— the story of the claimed zero days in Microsoft 
Exchange](https://doublepulsar.com/proxynotshell-the-story-of-the-claimed-zero-day-in-microsoft-exchange-5c63d963a9e9)\n\n**Note:** This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve." required: false description: The playbook's description. playbookInputQuery: diff --git a/Packs/CVE_2022_41040_and_CVE_2022_41082_-_ProxyNotShell/Playbooks/playbook-CVE-2022-41040_&_CVE-2022-41082_-_ProxyNotShell_README.md b/Packs/CVE_2022_41040_and_CVE_2022_41082_-_ProxyNotShell/Playbooks/playbook-CVE-2022-41040_&_CVE-2022-41082_-_ProxyNotShell_README.md index 4c6ae379d68c..4d7ed23e3432 100644 --- a/Packs/CVE_2022_41040_and_CVE_2022_41082_-_ProxyNotShell/Playbooks/playbook-CVE-2022-41040_&_CVE-2022-41082_-_ProxyNotShell_README.md +++ b/Packs/CVE_2022_41040_and_CVE_2022_41082_-_ProxyNotShell/Playbooks/playbook-CVE-2022-41040_&_CVE-2022-41082_-_ProxyNotShell_README.md 
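Review bot: The `/owa/*@*/powershell` string is reused across four query languages, but `*` is a wildcard only in the Splunk query (task 72): task 76 uses KQL `contains`, a literal substring match, tasks 74/75 use AQL `ILIKE`, whose wildcard is `%`, and task 73 escapes the asterisks as `\*`, which Lucene reads as literal characters, so those three hunts will silently match nothing. Use `Url matches regex @'(?i)/owa/.*@.*/powershell'` in task 76, `"URL" ILIKE '%/owa/%@%/powershell%'` in tasks 74 and 75, and `url.original:\/owa\/*@*\/powershell` in task 73. Task 72 also never references the declared `inputs.SplunkIndex`, and the AQL in tasks 74/75 carries no `LAST …` clause, so `inputs.QRadarTimeRange` is ignored and the search presumably runs over the engine's default window rather than the documented 7 days. Task 76's description is the 2021 ProxyLogon web-shell text and should describe this OWA SSRF hunt instead; the descriptions should also warn that the `@` may be logged percent-encoded as `%40`, which none of the patterns match — confirm against your IIS log format. Task 78 hands every DBotScore≥3 IP/URL in context to Block Indicators, and in this playbook that context includes indicators scraped from the SOCRadar and Unit42 pages (task 79 sets no `exclude_indicators`, unlike task 80), so keep `UserVerification: "True"` and give task 79 an exclusion list before any auto-commit is considered.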
@@ -1,3 +1,16 @@ +**UPDATE** +A new method for bypassing ProxyNotShell mitigations was found after being seen exploited in the wild by the Play ransomware gang. +While the original exploit took advantage of the Autodiscover endpoint, the new exploit is using the OWA endpoint leading to SSRF. +The OWASSRF exploit method involves two different vulnerabilities tracked by CVE-2022-41080 and CVE-2022-41082 that allow remote code execution (RCE) via Outlook Web Access (OWA). + +This playbook introduces several updates in response to the new discovery: +- Hunting: + - Detecting possibly successful exploitation of the OWA SSRF vulnerability. +- Mitigations: + - IIS URL Rewrite rule for the modified exploitation URI path. +- Remediation: + - Block Indicators - Generic v3 playbook. + Microsoft is investigating two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. The first one, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, and the second one, identified as CVE-2022-41082, allows Remote Code Execution (RCE) when PowerShell is accessible to the attacker. Currently, Microsoft is aware of limited targeted attacks using these two vulnerabilities. In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either vulnerability. 
@@ -19,10 +32,14 @@ This playbook includes the following tasks: **More information:** +[Threat Brief: OWASSRF Vulnerability Exploitation](https://unit42.paloaltonetworks.com/threat-brief-OWASSRF/) + [Threat Brief: CVE-2022-41040 and CVE-2022-41082: Microsoft Exchange Server (ProxyNotShell)](https://unit42.paloaltonetworks.com/proxynotshell-cve-2022-41040-cve-2022-41082/) **References:** +[OWASSRF: CrowdStrike Identifies New Exploit Method for Exchange Bypassing ProxyNotShell Mitigations](https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/) + [Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082](https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/) [Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server](https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/) 
@@ -37,31 +54,34 @@ This playbook includes the following tasks:
 This playbook uses the following sub-playbooks, integrations, and scripts.
 ### Sub-playbooks
+* Block Indicators - Generic v3
+* PAN-OS Query Logs For Indicators
 * QRadar Indicator Hunting V2
-* QRadarFullSearch
+* Detect suspicious ASPX file dropped by Exchange
 * Rapid Breach Response - Set Incident Info
+* Detect Chopper Webshell process pattern
+* Detect a possibly successful ProxyNotShell bypass attempt
 * Splunk Indicator Hunting
-* PAN-OS Query Logs For Indicators
 ### Integrations
-* Elasticsearch v2
+This playbook does not use any integrations.
 ### Scripts
+* ParseHTMLIndicators
 * HttpV2
 * http
-* ParseHTMLIndicators
 ### Commands
-* xdr-xql-generic-query
-* search
-* azure-log-analytics-execute-query
+* splunk-search
 * extractIndicators
+* associateIndicatorsToIncident
+* closeInvestigation
+* xdr-xql-generic-query
 * createNewIndicator
+* azure-log-analytics-execute-query
 * qradar-search-results-get
-* closeInvestigation
-* associateIndicatorsToIncident
 * qradar-search-create
-* splunk-search
+* search
 ## Playbook Inputs
 ---
@@ -75,7 +95,8 @@ This playbook uses the following sub-playbooks, integrations, and scripts.
 | ElasticIndex | Elastic's index name in which to search. The default is "winlogbeat-\*" - All. | winlogbeat-* | Optional |
 | QRadarTimeRange | QRadar's query time range. | Last 7 DAYS | Optional |
 | RunXQLHuntingQueries | Whether to execute the XQL queries. | False | Optional |
-| PlaybookDescription | The playbook's description. | Microsoft is investigating two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. The first one, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, and the second one, identified as CVE-2022-41082, allows Remote Code Execution (RCE) when PowerShell is accessible to the attacker.

Currently, Microsoft is aware of limited targeted attacks using these two vulnerabilities. In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either vulnerability.

This playbook includes the following tasks:

* Collect detection rules, indicators and mitigation tools.
* Exploitation patterns hunting using Cortex XDR - XQL Engine.
* Exploitation patterns hunting using 3rd party SIEM products:
* Azure Sentinel
* Splunk
* QRadar
* Elasticsearch
* Indicators hunting using:
* PAN-OS
* Splunk
* QRadar
* Provides Microsoft mitigation and detection capabilities.

**References:**

[Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082](https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/)

[Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server](https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/)

[WARNING: NEW ATTACK CAMPAIGN UTILIZED A NEW 0-DAY RCE VULNERABILITY ON MICROSOFT EXCHANGE SERVER](https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html)

[ProxyNotShell— the story of the claimed zero days in Microsoft Exchange](https://doublepulsar.com/proxynotshell-the-story-of-the-claimed-zero-day-in-microsoft-exchange-5c63d963a9e9)

**Note:** This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. | Optional | +| XQLHuntingQueriesType | Whether to execute the ProxyNotShell or OWASSRF XQL queries or both.

\* Use 'ProxyNotShell' as an input to execute ProxyNotShell queries
\* Use 'OWASSRF' as an input to execute OWASSRF queries
\* Use 'Both' as an input to execute both ProxyNotShell and OWASSRF queries
| OWASSRF | Optional | +| PlaybookDescription | The playbook's description. | **UPDATE**
A new method for bypassing ProxyNotShell mitigations was found after being seen exploited in the wild by the Play ransomware gang.
While the original exploit took advantage of the Autodiscover endpoint, the new exploit is using the OWA endpoint leading to SSRF.
The OWASSRF exploit method involves two different vulnerabilities tracked by CVE-2022-41080 and CVE-2022-41082 that allow remote code execution (RCE) via Outlook Web Access (OWA).

This playbook introduces several updates in response to the new discovery:
- Hunting:
- Detecting possibly successful exploitation of the OWA SSRF vulnerability.
- Mitigations:
- IIS URL Rewrite rule for the modified exploitation URI path.
- Remediation:
- Block Indicators - Generic v3 playbook.

Microsoft is investigating two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. The first one, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, and the second one, identified as CVE-2022-41082, allows Remote Code Execution (RCE) when PowerShell is accessible to the attacker.

Currently, Microsoft is aware of limited targeted attacks using these two vulnerabilities. In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either vulnerability.

This playbook includes the following tasks:

* Collect detection rules, indicators and mitigation tools.
* Exploitation patterns hunting using Cortex XDR - XQL Engine.
* Exploitation patterns hunting using 3rd party SIEM products:
* Azure Sentinel
* Splunk
* QRadar
* Elasticsearch
* Indicators hunting using:
* PAN-OS
* Splunk
* QRadar
* Provides Microsoft mitigation and detection capabilities.

**More information:**

[Threat Brief: OWASSRF Vulnerability Exploitation](https://unit42.paloaltonetworks.com/threat-brief-OWASSRF/)

[Threat Brief: CVE-2022-41040 and CVE-2022-41082: Microsoft Exchange Server (ProxyNotShell)](https://unit42.paloaltonetworks.com/proxynotshell-cve-2022-41040-cve-2022-41082/)

**References:**

[OWASSRF: CrowdStrike Identifies New Exploit Method for Exchange Bypassing ProxyNotShell Mitigations](https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/)

[Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082](https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/)

[Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server](https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/)

[WARNING: NEW ATTACK CAMPAIGN UTILIZED A NEW 0-DAY RCE VULNERABILITY ON MICROSOFT EXCHANGE SERVER](https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html)

[ProxyNotShell— the story of the claimed zero days in Microsoft Exchange](https://doublepulsar.com/proxynotshell-the-story-of-the-claimed-zero-day-in-microsoft-exchange-5c63d963a9e9)

**Note:** This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. | Optional | ## Playbook Outputs --- diff --git a/Packs/CVE_2022_41040_and_CVE_2022_41082_-_ProxyNotShell/README.md b/Packs/CVE_2022_41040_and_CVE_2022_41082_-_ProxyNotShell/README.md index 3546ec5c33c9..ba0194133a0f 100644 --- a/Packs/CVE_2022_41040_and_CVE_2022_41082_-_ProxyNotShell/README.md +++ b/Packs/CVE_2022_41040_and_CVE_2022_41082_-_ProxyNotShell/README.md 
@@ -1,5 +1,19 @@
 This pack is part of the [Rapid Breach Response](https://cortex.marketplace.pan.dev/marketplace/details/MajorBreachesInvestigationandResponse/) pack.
+**UPDATE**
+A new method for bypassing ProxyNotShell mitigations was found after being seen exploited in the wild by the Play ransomware gang.
+While the original exploit took advantage of the Autodiscover endpoint, the new exploit is using the OWA endpoint leading to SSRF.
+The OWASSRF exploit method involves two different vulnerabilities tracked by CVE-2022-41080 and CVE-2022-41082 that allow remote code execution (RCE) via Outlook Web Access (OWA).
+
+This playbook introduces several updates in response to the new discovery:
+- Hunting:
+ - Detecting possibly successful exploitation of the OWA SSRF vulnerability.
+- Mitigations:
+ - IIS URL Rewrite rule for the modified exploitation URI path.
+- Remediation:
+ - Block Indicators - Generic v3 playbook.
+
+
 Microsoft is investigating two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. The first one, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, and the second one, identified as CVE-2022-41082, allows Remote Code Execution (RCE) when PowerShell is accessible to the attacker.
 Currently, Microsoft is aware of limited targeted attacks using these two vulnerabilities. In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either vulnerability.
diff --git a/Packs/CVE_2022_41040_and_CVE_2022_41082_-_ProxyNotShell/ReleaseNotes/1_0_3.md b/Packs/CVE_2022_41040_and_CVE_2022_41082_-_ProxyNotShell/ReleaseNotes/1_0_3.md
new file mode 100644
index 000000000000..044434045b82
--- /dev/null
+++ b/Packs/CVE_2022_41040_and_CVE_2022_41082_-_ProxyNotShell/ReleaseNotes/1_0_3.md
@@ -0,0 +1,13 @@
+
+#### Playbooks
+##### CVE-2022-41040 & CVE-2022-41082 - ProxyNotShell
+A new method for bypassing ProxyNotShell mitigations was found after being seen exploited in the wild by the Play ransomware gang.
+While the original exploit took advantage of the Autodiscover endpoint, the new exploit is using the OWA endpoint leading to SSRF.
+
+This playbook introduces several updates in response to the new discovery:
+- Hunting:
+ - Detecting possibly successful exploitation of the OWA SSRF vulnerability.
+- Mitigations:
+ - IIS URL Rewrite rule for the modified exploitation URI path. (**Note: This rule hasn't been tested.**)
+- Remediation:
+ - Block Indicators - Generic v3 playbook.
\ No newline at end of file
diff --git a/Packs/CVE_2022_41040_and_CVE_2022_41082_-_ProxyNotShell/ReleaseNotes/1_0_4.md b/Packs/CVE_2022_41040_and_CVE_2022_41082_-_ProxyNotShell/ReleaseNotes/1_0_4.md
new file mode 100644
index 000000000000..d565cb645d74
--- /dev/null
+++ b/Packs/CVE_2022_41040_and_CVE_2022_41082_-_ProxyNotShell/ReleaseNotes/1_0_4.md
@@ -0,0 +1,4 @@
+
+#### Playbooks
+##### CVE-2022-41040 & CVE-2022-41082 - ProxyNotShell
+- Updated playbook description with the 'OWASSRF' CVE (CVE-2022-41080).
\ No newline at end of file
diff --git a/Packs/CVE_2022_41040_and_CVE_2022_41082_-_ProxyNotShell/ReleaseNotes/1_0_5.md b/Packs/CVE_2022_41040_and_CVE_2022_41082_-_ProxyNotShell/ReleaseNotes/1_0_5.md
new file mode 100644
index 000000000000..389a700e92b2
--- /dev/null
+++ b/Packs/CVE_2022_41040_and_CVE_2022_41082_-_ProxyNotShell/ReleaseNotes/1_0_5.md
@@ -0,0 +1,6 @@
+
+#### Playbooks
+##### CVE-2022-41040 & CVE-2022-41082 - ProxyNotShell
+- Added Unit42 as an indicator source.
+- Added Cortex XQL hunting queries for the OWASSRF exploitation patterns.
+- Added a playbook input that allows the user to choose whether to execute the ProxyNotShell or OWASSRF XQL queries, or both.
diff --git a/Packs/CVE_2022_41040_and_CVE_2022_41082_-_ProxyNotShell/doc_files/CVE-2022-41040_&_CVE-2022-41082_-_ProxyNotShell.png b/Packs/CVE_2022_41040_and_CVE_2022_41082_-_ProxyNotShell/doc_files/CVE-2022-41040_&_CVE-2022-41082_-_ProxyNotShell.png
index b0372a839cfa..08dae07cf82e 100644
Binary files a/Packs/CVE_2022_41040_and_CVE_2022_41082_-_ProxyNotShell/doc_files/CVE-2022-41040_&_CVE-2022-41082_-_ProxyNotShell.png and b/Packs/CVE_2022_41040_and_CVE_2022_41082_-_ProxyNotShell/doc_files/CVE-2022-41040_&_CVE-2022-41082_-_ProxyNotShell.png differ
diff --git a/Packs/CVE_2022_41040_and_CVE_2022_41082_-_ProxyNotShell/pack_metadata.json b/Packs/CVE_2022_41040_and_CVE_2022_41082_-_ProxyNotShell/pack_metadata.json
index 91871a52c90d..51f8e3f61b08 100644
--- a/Packs/CVE_2022_41040_and_CVE_2022_41082_-_ProxyNotShell/pack_metadata.json
+++ b/Packs/CVE_2022_41040_and_CVE_2022_41082_-_ProxyNotShell/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "CVE-2022-41040 & CVE-2022-41082 - ProxyNotShell",
 "description": "This pack handles Microsoft Exchange SSRF CVE-2022-41040 & RCE CVE-2022-41082 vulnerabilities, aka ProxyNotShell, a 0-day exploits in Microsoft Exchange Servers",
 "support": "xsoar",
- "currentVersion": "1.0.2",
+ "currentVersion": "1.0.5",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
@@ -21,10 +21,14 @@
 "ProxyNotShell",
 "CVE-2022-41040",
 "CVE-2022-41082",
+ "CVE-2022-41080",
+ "41080",
 "41040",
 "41082",
 "RCE",
- "SSRF"
+ "SSRF",
+ "OWA",
+ "OWASSRF"
 ],
 "dependencies": {
 "MajorBreachesInvestigationandResponse": {
diff --git a/Packs/CarbonBlackDefense/Integrations/CarbonBlackLiveResponseCloud/CarbonBlackLiveResponseCloud.py b/Packs/CarbonBlackDefense/Integrations/CarbonBlackLiveResponseCloud/CarbonBlackLiveResponseCloud.py
index a6e61b50dffa..9f03f3a48531 100644
--- a/Packs/CarbonBlackDefense/Integrations/CarbonBlackLiveResponseCloud/CarbonBlackLiveResponseCloud.py
+++ b/Packs/CarbonBlackDefense/Integrations/CarbonBlackLiveResponseCloud/CarbonBlackLiveResponseCloud.py
@@ -4,7 +4,7 @@ from CommonServerPython import *
 from cbc_sdk import platform, CBCloudAPI, errors
 import ntpath
-import requests
+import urllib3
 # Disable insecure warnings
 CONNECTION_ERROR_MSG = 'Connection Error - check your server URL'
@@ -12,7 +12,7 @@ ORG_ID_ERROR_MSG = 'Authorization Error - check your Organization Key'
 PROXY_ERROR_MSG = 'Proxy Error - if the \'Use system proxy\' checkbox in the integration configuration is' \
 ' selected, try clearing the checkbox.'
-requests.packages.urllib3.disable_warnings() # pylint: disable=no-member
+urllib3.disable_warnings() # pylint: disable=no-member
 ''' CONSTANTS '''
diff --git a/Packs/CarbonBlackDefense/Integrations/CarbonBlackLiveResponseCloud/CarbonBlackLiveResponseCloud.yml b/Packs/CarbonBlackDefense/Integrations/CarbonBlackLiveResponseCloud/CarbonBlackLiveResponseCloud.yml
index 2f20538dd2e4..d9b021a366f2 100644
--- a/Packs/CarbonBlackDefense/Integrations/CarbonBlackLiveResponseCloud/CarbonBlackLiveResponseCloud.yml
+++ b/Packs/CarbonBlackDefense/Integrations/CarbonBlackLiveResponseCloud/CarbonBlackLiveResponseCloud.yml
@@ -295,6 +295,6 @@ script:
 description: Performs a memory dump operation on the remote machine.
 execution: true
 outputs: []
- dockerimage: demisto/carbon-black-cloud:1.0.0.30898
+ dockerimage: demisto/carbon-black-cloud:1.0.0.40690
 runonce: false
 subtype: python3
diff --git a/Packs/CarbonBlackDefense/ReleaseNotes/3_0_15.md b/Packs/CarbonBlackDefense/ReleaseNotes/3_0_15.md
new file mode 100644
index 000000000000..e23a09696d11
--- /dev/null
+++ b/Packs/CarbonBlackDefense/ReleaseNotes/3_0_15.md
@@ -0,0 +1,3 @@
+#### Integrations
+##### Carbon Black Live Response Cloud
+- Updated the Docker image to: *demisto/carbon-black-cloud:1.0.0.40690*.
diff --git a/Packs/CarbonBlackDefense/pack_metadata.json b/Packs/CarbonBlackDefense/pack_metadata.json
index 8b810233e817..e677710d7a3b 100644
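Review bot: In the second hunk the trailing `# pylint: disable=no-member` on `urllib3.disable_warnings()` is now stale — it was only needed because pylint cannot resolve `requests.packages.urllib3`, and `disable_warnings` is a real attribute of the directly imported module, so the line can become just `urllib3.disable_warnings()`. The call still silences urllib3's InsecureRequestWarning unconditionally at import time, regardless of whether the instance was configured to skip certificate verification; if the integration exposes an `insecure` parameter (not visible in these hunks), gating the call on it keeps the warning for instances that do verify TLS. Note also that the `# Disable insecure warnings` comment in the first hunk sits above `CONNECTION_ERROR_MSG`, several lines away from the call it explains; moving it directly above `urllib3.disable_warnings()` makes the intent visible where the suppression happens. If `requests` is referenced anywhere else in this module, dropping `import requests` leaves it relying on the star import from CommonServerPython, which is worth confirming before merge.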
--- a/Packs/CarbonBlackDefense/pack_metadata.json +++ b/Packs/CarbonBlackDefense/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Carbon Black Endpoint Standard", "description": "Next-generation antivirus + EDR in one cloud-delivered platform that stops commodity malware, advanced malware, non-malware attacks and ransomware.", "support": "xsoar", - "currentVersion": "3.0.14", + "currentVersion": "3.0.15", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/CarbonBlackEnterpriseEDR/Integrations/CarbonBlackEnterpriseEDR/CarbonBlackEnterpriseEDR.yml b/Packs/CarbonBlackEnterpriseEDR/Integrations/CarbonBlackEnterpriseEDR/CarbonBlackEnterpriseEDR.yml index 32ec8180173e..22f387874df4 100644 --- a/Packs/CarbonBlackEnterpriseEDR/Integrations/CarbonBlackEnterpriseEDR/CarbonBlackEnterpriseEDR.yml +++ b/Packs/CarbonBlackEnterpriseEDR/Integrations/CarbonBlackEnterpriseEDR/CarbonBlackEnterpriseEDR.yml @@ -1797,7 +1797,7 @@ script: - contextPath: CarbonBlackEEDR.SearchProcess.results.scriptload_count description: The cumulative count of loaded scripts since process tracking started. type: Number - dockerimage: demisto/python3:3.10.8.39276 + dockerimage: demisto/python3:3.10.9.40422 feed: false isfetch: true longRunning: false diff --git a/Packs/CarbonBlackEnterpriseEDR/ReleaseNotes/1_1_25.md b/Packs/CarbonBlackEnterpriseEDR/ReleaseNotes/1_1_25.md new file mode 100644 index 000000000000..0ce892c80761 --- /dev/null +++ b/Packs/CarbonBlackEnterpriseEDR/ReleaseNotes/1_1_25.md @@ -0,0 +1,3 @@ +#### Integrations +##### VMware Carbon Black Enterprise EDR +- Updated the Docker image to: *demisto/python3:3.10.9.40422*. diff --git a/Packs/CarbonBlackEnterpriseEDR/pack_metadata.json b/Packs/CarbonBlackEnterpriseEDR/pack_metadata.json index 900a314591d8..5bbcb9e3f3c9 100644 --- a/Packs/CarbonBlackEnterpriseEDR/pack_metadata.json +++ b/Packs/CarbonBlackEnterpriseEDR/pack_metadata.json 
@@ -2,16 +2,14 @@ "name": "Carbon Black Cloud Enterprise EDR", "description": "Advanced threat hunting and incident response solution.", "support": "xsoar", - "currentVersion": "1.1.24", + "currentVersion": "1.1.25", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", "categories": [ "Endpoint" ], - "tags": [ - "marketplacev2:Data Source" - ], + "tags": [], "created": "2020-05-10T08:16:14Z", "useCases": [], "keywords": [], diff --git a/Packs/CarbonBlackProtect/pack_metadata.json b/Packs/CarbonBlackProtect/pack_metadata.json index a2444f6181de..37747ee0ae78 100644 --- a/Packs/CarbonBlackProtect/pack_metadata.json +++ b/Packs/CarbonBlackProtect/pack_metadata.json @@ -10,9 +10,7 @@ "categories": [ "Endpoint" ], - "tags": [ - "marketplacev2:Data Source" - ], + "tags": [], "useCases": [], "keywords": [], "marketplaces": [ diff --git a/Packs/CaseManagement-Generic/Layouts/layoutscontainer-Case_Management_Layout_v2.json b/Packs/CaseManagement-Generic/Layouts/layoutscontainer-Case_Management_Layout_v2.json index 25d0e7a80241..04de62ea9383 100644 --- a/Packs/CaseManagement-Generic/Layouts/layoutscontainer-Case_Management_Layout_v2.json +++ b/Packs/CaseManagement-Generic/Layouts/layoutscontainer-Case_Management_Layout_v2.json 
@@ -57,25 +57,38 @@ "id": "incident-severity-field", "index": 1, "sectionItemType": "field", - "startCol": 0 + "startCol": 0, + "dropEffect": "move", + "listId": "caseinfoid-yh3gwnhgwz-caseinfoid-field-changed-caseinfoid-kkq7tnozrg-caseinfoid-fce71720-98b0-11e9-97d7-ed26ef9e46c8" }, { "dropEffect": "move", "endCol": 2, - "fieldId": "owner", + "fieldId": "phase", "height": 22, - "id": "incident-owner-field", + "id": "b5b2da60-7052-11ed-9645-a75d6a758df4", "index": 2, - "listId": "caseinfoid-fce71720-98b0-11e9-97d7-ed26ef9e46c8", + "listId": "caseinfoid-yh3gwnhgwz-caseinfoid-field-changed-caseinfoid-kkq7tnozrg-caseinfoid-fce71720-98b0-11e9-97d7-ed26ef9e46c8", "sectionItemType": "field", "startCol": 0 }, + { + "endCol": 2, + "fieldId": "owner", + "height": 22, + "id": "incident-owner-field", + "index": 3, + "sectionItemType": "field", + "startCol": 0, + "dropEffect": "move", + "listId": "caseinfoid-fce71720-98b0-11e9-97d7-ed26ef9e46c8" + }, { "endCol": 2, "fieldId": "roles", "height": 22, "id": "73a95920-a6ae-11ea-ae9d-8553407179ff", - "index": 3, + "index": 4, "sectionItemType": "field", "startCol": 0 }, @@ -84,7 +97,7 @@ "fieldId": "playbookid", "height": 22, "id": "8afc0470-9b25-11ec-a77a-f7e2032aa20a", - "index": 4, + "index": 5, "sectionItemType": "field", "startCol": 0 }, @@ -93,7 +106,7 @@ "fieldId": "sourcebrand", "height": 22, "id": "8f06b740-9b25-11ec-a77a-f7e2032aa20a", - "index": 5, + "index": 6, "sectionItemType": "field", "startCol": 0 }, @@ -102,12 +115,11 @@ "fieldId": "sourceinstance", "height": 22, "id": "905668c0-9b25-11ec-a77a-f7e2032aa20a", - "index": 6, + "index": 7, "sectionItemType": "field", "startCol": 0 } ], - "maxH": null, "maxW": 3, "minH": 1, "moved": false, @@ -120,7 +132,6 @@ { "h": 2, "i": "caseinfoid-yh3gwnhgwz-caseinfoid-field-changed-caseinfoid-kkq7tnozrg-caseinfoid-61263cc0-98b1-11e9-97d7-ed26ef9e46c8", - "maxH": null, "maxW": 3, "minH": 1, "moved": false, 
@@ -135,7 +146,6 @@ "displayType": "ROW", "h": 2, "i": "caseinfoid-yh3gwnhgwz-caseinfoid-field-changed-caseinfoid-kkq7tnozrg-caseinfoid-6aabad20-98b1-11e9-97d7-ed26ef9e46c8", - "maxH": null, "maxW": 3, "minH": 1, "moved": false, @@ -151,7 +161,6 @@ "h": 2, "hideName": false, "i": "caseinfoid-yh3gwnhgwz-caseinfoid-field-changed-caseinfoid-kkq7tnozrg-caseinfoid-7717e580-9bed-11e9-9a3f-8b4b2158e260", - "maxH": null, "maxW": 3, "minH": 1, "moved": false, @@ -159,7 +168,7 @@ "static": false, "type": "team", "w": 1, - "x": 1, + "x": 2, "y": 6 }, { @@ -190,7 +199,7 @@ }, { "dropEffect": "move", - "endCol": 2, + "endCol": 4, "fieldId": "closenotes", "height": 44, "id": "incident-closeNotes-field", @@ -200,13 +209,12 @@ "startCol": 0 } ], - "maxH": null, "maxW": 3, "minH": 1, "moved": false, "name": "Closing Information", "static": false, - "w": 1, + "w": 2, "x": 0, "y": 6 }, @@ -219,13 +227,11 @@ "isVisible": true, "items": [ { - "dropEffect": "move", - "endCol": 2, - "fieldId": "detectionurl", + "endCol": 4, + "fieldId": "externallink", "height": 22, - "id": "bc05b000-ddf8-11ec-a585-5fb0e6a4ec3a", + "id": "5b549620-7053-11ed-b527-97b08825afd7", "index": 0, - "listId": "caseinfoid-yh3gwnhgwz-caseinfoid-field-changed-caseinfoid-kkq7tnozrg-caseinfoid-e54b1770-a0b1-11e9-b27f-13ae1773d289", "sectionItemType": "field", "startCol": 0 }, @@ -250,7 +256,6 @@ "startCol": 0 } ], - "maxH": null, "maxW": 3, "minH": 1, "moved": false, @@ -336,7 +341,6 @@ "startCol": 0 } ], - "maxH": null, "maxW": 3, "minH": 1, "moved": false, @@ -428,7 +432,6 @@ "startCol": 2 } ], - "maxH": null, "maxW": 3, "minH": 1, "moved": false, @@ -437,21 +440,6 @@ "w": 2, "x": 1, "y": 4 - }, - { - "h": 2, - "i": "caseinfoid-84997990-eba3-11ec-adef-e5ef9f1f7b57", - "items": [], - "maxH": null, - "maxW": 3, - "minH": 1, - "moved": false, - "name": "Linked Incidents", - "static": false, - "type": "linkedIncidents", - "w": 1, - "x": 2, - "y": 6 } ], "type": "custom" 
@@ -465,10 +453,8 @@ "h": 3, "i": "caseinfoid-field-changed-kkq7tnozrg-caseinfoid-kkq7tnozrg-caseinfoid-kkq7tnozrg-c4515bf0-a4df-11ea-8c29-db553c036fb9", "items": [], - "maxH": null, "maxW": 3, "minH": 1, - "minW": 3, "moved": false, "name": "Indicators", "query": "", @@ -477,7 +463,8 @@ "type": "indicators", "w": 3, "x": 0, - "y": 2 + "y": 2, + "description": "All associated indicators with the current incident." }, { "h": 2, @@ -494,17 +481,16 @@ "startCol": 0 } ], - "maxH": null, - "maxW": 1, + "maxW": 3, "minH": 1, - "minW": 1, "moved": false, "name": "Labels", "static": false, "type": "labels", "w": 1, "x": 2, - "y": 0 + "y": 0, + "description": "Raw data from the alert that triggered the current incident." }, { "displayType": "ROW", @@ -597,10 +583,8 @@ "startCol": 2 } ], - "maxH": null, - "maxW": 2, + "maxW": 3, "minH": 1, - "minW": 2, "moved": false, "name": "Investigation Data", "static": false, @@ -612,10 +596,8 @@ "h": 2, "i": "caseinfoid-9f29f350-9b23-11ec-a77a-f7e2032aa20a", "items": [], - "maxH": null, - "maxW": 2, + "maxW": 3, "minH": 1, - "minW": 2, "moved": false, "name": "Linked Incidents", "static": false, @@ -628,23 +610,21 @@ "displayType": "CARD", "h": 2, "hideItemTitleOnlyOne": true, - "i": "caseinfoid-a2577540-eba3-11ec-adef-e5ef9f1f7b57", + "i": "caseinfoid-7950e870-7055-11ed-a7e3-25575d6677b2", "items": [ { "endCol": 2, "fieldId": "incident_attachment", "height": 53, - "id": "a251a8e1-eba3-11ec-adef-e5ef9f1f7b57", + "id": "794eeca1-7055-11ed-a7e3-25575d6677b2", "index": 0, "isVisible": true, "sectionItemType": "field", "startCol": 0 } ], - "maxH": null, - "maxW": 1, + "maxW": 3, "minH": 1, - "minW": 1, "moved": false, "name": "Attachments", "static": false, 
@@ -692,12 +672,10 @@ { "description": "", "h": 7, - "i": "yh3gwnhgwz-caseinfoid-yh3gwnhgwz-caseinfoid-yh3gwnhgwz-caseinfoid-field-changed-caseinfoid-ezf8qothdj-caseinfoid-c7c1d8b0-3803-11ec-83b9-bbbad1a9d462", + "i": "caseinfoid-yh3gwnhgwz-caseinfoid-yh3gwnhgwz-caseinfoid-yh3gwnhgwz-caseinfoid-field-changed-caseinfoid-ezf8qothdj-caseinfoid-c7c1d8b0-3803-11ec-83b9-bbbad1a9d462", "items": [], - "maxH": null, - "maxW": 2, + "maxW": 3, "minH": 1, - "minW": 2, "moved": false, "name": "Analyst Tools", "query": "CaseMgmtAnalystTools", @@ -713,7 +691,7 @@ "displayType": "ROW", "h": 7, "hideName": false, - "i": "yh3gwnhgwz-caseinfoid-yh3gwnhgwz-caseinfoid-yh3gwnhgwz-caseinfoid-8a252500-9bec-11ec-bf5b-3f81ae54e773", + "i": "caseinfoid-yh3gwnhgwz-caseinfoid-yh3gwnhgwz-caseinfoid-yh3gwnhgwz-caseinfoid-8a252500-9bec-11ec-bf5b-3f81ae54e773", "items": [ { "args": {}, @@ -793,10 +771,8 @@ "startCol": 0 } ], - "maxH": null, - "maxW": 1, + "maxW": 3, "minH": 1, - "minW": 1, "moved": false, "name": "Quick Actions", "static": false, @@ -821,7 +797,6 @@ "hideName": false, "i": "caseinfoid-yh3gwnhgwz-caseinfoid-yh3gwnhgwz-caseinfoid-field-changed-caseinfoid-xd2uikfpom-caseinfoid-ezf8qothdj-caseinfoid-phnf2odnms-6ff55d60-343e-11eb-bc94-47298fb74458", "items": [], - "maxH": null, "maxW": 3, "minH": 1, "moved": false, @@ -838,7 +813,6 @@ "hideName": false, "i": "caseinfoid-yh3gwnhgwz-caseinfoid-yh3gwnhgwz-caseinfoid-field-changed-caseinfoid-xd2uikfpom-caseinfoid-ezf8qothdj-caseinfoid-phnf2odnms-d78a7950-3d95-11eb-977e-4150345205e0", "items": [], - "maxH": null, "maxW": 3, "minH": 1, "moved": false, @@ -855,7 +829,6 @@ "hideName": false, "i": "caseinfoid-yh3gwnhgwz-caseinfoid-yh3gwnhgwz-caseinfoid-field-changed-caseinfoid-xd2uikfpom-caseinfoid-92e2c5d0-3805-11ec-81a5-351a935f8f6d", "items": [], - "maxH": null, "maxW": 3, "minH": 1, "moved": false, 
diff --git a/Packs/CaseManagement-Generic/Playbooks/Case_Management_-_Generic_-_Start_SLA_Timers.yml b/Packs/CaseManagement-Generic/Playbooks/Case_Management_-_Generic_-_Start_SLA_Timers.yml new file mode 100644 index 000000000000..fe5a552abd1c --- /dev/null +++ b/Packs/CaseManagement-Generic/Playbooks/Case_Management_-_Generic_-_Start_SLA_Timers.yml 
@@ -0,0 +1,199 @@ +id: Case Management - Generic - Start SLA Timers +version: -1 +name: Case Management - Generic - Start SLA Timers +description: |- + This playbook will start the Time to Assignment or Remediation SLA timers based on whether an Owner is assigned to the Incident. + + Can be used as a sub-playbook to perform the same logic across different playbooks/use cases. +starttaskid: "0" +tasks: + "0": + id: "0" + taskid: 22f5e450-7943-4097-86b6-c961a3c1ab3b + type: start + task: + id: 22f5e450-7943-4097-86b6-c961a3c1ab3b + version: -1 + name: "" + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "1" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 265, + "y": 50 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "1": + id: "1" + taskid: 5fb3376c-bdd9-476d-8025-079ee0a65957 + type: condition + task: + id: 5fb3376c-bdd9-476d-8025-079ee0a65957 + version: -1 + name: Is an Owner already assigned? + description: Checks to see if there is an Owner assigned to this case. 
+ type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "2" + "yes": + - "3" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: incident.owner + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 265, + "y": 195 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "2": + id: "2" + taskid: 332a5ae2-6913-487a-8a80-5749e5bb0132 + type: regular + task: + id: 332a5ae2-6913-487a-8a80-5749e5bb0132 + version: -1 + name: Start Time to Assignment Timer + description: Prints text to war room (Markdown supported) + scriptName: Print + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "4" + scriptarguments: + value: + simple: No Owner assigned, starting Time to Assignment timer. + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 50, + "y": 370 + } + } + note: false + timertriggers: + - fieldname: timetoassignment + action: start + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "3": + id: "3" + taskid: 93f9a2b5-2414-4961-836c-07a392c4e21e + type: regular + task: + id: 93f9a2b5-2414-4961-836c-07a392c4e21e + version: -1 + name: Start Remediation SLA Timer + description: Prints text to war room (Markdown supported) + scriptName: Print + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "4" + scriptarguments: + value: + simple: Starting Remediation SLA timer. 
+ separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 480, + "y": 370 + } + } + note: false + timertriggers: + - fieldname: remediationsla + action: start + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "4": + id: "4" + taskid: 67aa8ef1-02bf-4e67-836a-16321b196fa7 + type: title + task: + id: 67aa8ef1-02bf-4e67-836a-16321b196fa7 + version: -1 + name: Done + type: title + iscommand: false + brand: "" + description: '' + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 265, + "y": 545 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false +view: |- + { + "linkLabelsPosition": {}, + "paper": { + "dimensions": { + "height": 560, + "width": 810, + "x": 50, + "y": 50 + } + } + } +inputs: [] +outputs: [] +tests: +- No tests (auto formatted) +fromversion: 6.2.0 diff --git a/Packs/CaseManagement-Generic/Playbooks/Case_Management_-_Generic_-_Start_SLA_Timers_README.md b/Packs/CaseManagement-Generic/Playbooks/Case_Management_-_Generic_-_Start_SLA_Timers_README.md new file mode 100644 index 000000000000..a70611f57491 --- /dev/null +++ b/Packs/CaseManagement-Generic/Playbooks/Case_Management_-_Generic_-_Start_SLA_Timers_README.md 
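Review bot: The `description` on tasks "2" and "3" is the stock text of the Print script (`Prints text to war room (Markdown supported)`), while the real effect of each task is the `timertriggers` entry that starts `timetoassignment` or `remediationsla`; a reader of the task list sees only a print. Suggested wording for task "2": `description: Starts the Time to Assignment SLA timer (timetoassignment); the Print step only records this in the War Room.` with the matching text for the remediation timer on task "3". The playbook also ships with `tests: - No tests (auto formatted)`, so neither branch of the `incident.owner` condition is exercised; a test playbook with one unassigned and one assigned incident would pin the timer logic that the parent playbook appears to delegate here.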
@@ -0,0 +1,26 @@ +This playbook will start the Time to Assignment or Remediation SLA timers based on whether an Owner is assigned to the Incident. + +Can be used as a sub-playbook to perform the same logic across different playbooks/use cases. + +## Dependencies +This playbook uses the following sub-playbooks, integrations, and scripts. + +### Sub-playbooks +This playbook does not use any sub-playbooks. + +### Integrations +This playbook does not use any integrations. + +### Scripts +* Print + +### Commands +This playbook does not use any commands. + +## Playbook Inputs +--- +There are no inputs for this playbook. + +## Playbook Outputs +--- +There are no outputs for this playbook. \ No newline at end of file diff --git a/Packs/CaseManagement-Generic/Playbooks/Case_Management_-_Generic_v2.yml b/Packs/CaseManagement-Generic/Playbooks/Case_Management_-_Generic_v2.yml index 2b4d62a78205..77206d7db003 100644 --- a/Packs/CaseManagement-Generic/Playbooks/Case_Management_-_Generic_v2.yml +++ b/Packs/CaseManagement-Generic/Playbooks/Case_Management_-_Generic_v2.yml @@ -100,21 +100,22 @@ tasks: skipunavailable: false task: brand: '' - id: a48d5514-a168-41c5-8798-809683bb68d8 + id: 16ba667f-3dd6-4a11-89b6-7ea9d5e65dfc iscommand: false name: '' version: -1 description: '' - taskid: a48d5514-a168-41c5-8798-809683bb68d8 + taskid: 16ba667f-3dd6-4a11-89b6-7ea9d5e65dfc timertriggers: [] type: start view: |- { "position": { - "x": 265, + "x": 50, "y": 50 } } + continueonerrortype: "" '12': id: '12' ignoreworker: false @@ -126,22 +127,23 @@ tasks: skipunavailable: false task: brand: '' - id: d14fd353-5b17-4cd9-8630-973dde8c74e3 + id: 130af4f4-5944-482c-82fb-9aaafa56b704 iscommand: false name: 'Done ' type: title version: -1 description: '' - taskid: d14fd353-5b17-4cd9-8630-973dde8c74e3 + taskid: 130af4f4-5944-482c-82fb-9aaafa56b704 timertriggers: [] type: title view: |- { "position": { - "x": 265, + "x": 50, "y": 2145 } } + continueonerrortype: "" '16': id: '16' ignoreworker: false 
@@ -157,61 +159,22 @@ tasks: task: brand: Builtin description: "### Analyst Investigation\n\nPlease ensure to take the following actions:\n\n### Assign to yourself, or another Analyst\n- Click Assign to Me to assign this to yourself.\n- Select an Owner via the Owner field to assign or reassign to another Analyst.\n\n### Select Actions -> Close Incident to close this when completed. \n- Please ensure to capture the appropriate close reason, and closing notes/resolution as required.\n\n### Timers\n- Time to Assignment will stop when an Owner is assigned, and the Remediation SLA Timer will be started.\n- The Remediation SLA timers will not stop until the Incident is closed" - id: 57d24284-885f-4c22-8bee-83d2f3b27936 + id: dd7178e8-2538-45ab-8504-e3e9f42cf055 iscommand: false name: Manual - Analyst Investigation type: regular version: -1 - taskid: 57d24284-885f-4c22-8bee-83d2f3b27936 + taskid: dd7178e8-2538-45ab-8504-e3e9f42cf055 timertriggers: [] type: regular view: |- { "position": { - "x": 265, + "x": 50, "y": 1970 } } - '18': - conditions: - - condition: - - - left: - iscontext: true - value: - simple: incident.owner - operator: isNotEmpty - label: yes - id: '18' - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#default#': - - '22' - yes: - - '23' - note: false - quietmode: 0 - separatecontext: false - skipunavailable: false - task: - brand: '' - description: Checks to see if there is an Owner assigned to this case. - id: 5c6c0a82-2d81-498c-88a3-035199c898e1 - iscommand: false - name: Is an Owner already assigned? - type: condition - version: -1 - taskid: 5c6c0a82-2d81-498c-88a3-035199c898e1 - timertriggers: [] - type: condition - view: |- - { - "position": { - "x": 265, - "y": 1650 - } - } + continueonerrortype: "" '20': id: '20' ignoreworker: false 
@@ -226,87 +189,24 @@ tasks: skipunavailable: false task: brand: '' - id: f2b5f1f3-6ea5-4e73-847b-686b36646b22 + id: 47fa3a5f-e596-48f2-8bd3-20ebecfcea72 iscommand: false name: Calculate Severity - Standard - playbookId: Calculate Severity - Standard type: playbook version: -1 description: '' - taskid: f2b5f1f3-6ea5-4e73-847b-686b36646b22 + playbookName: Calculate Severity - Standard + taskid: 47fa3a5f-e596-48f2-8bd3-20ebecfcea72 timertriggers: [] type: playbook - view: |- - { - "position": { - "x": 265, - "y": 835 - } - } - '22': - id: '22' - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#none#': - - '16' - note: false - quietmode: 0 - separatecontext: false - skipunavailable: false - task: - brand: '' - id: 12992c48-d963-44a6-85ae-d23ce25a223a - iscommand: false - name: Start Time to Assignment Timer - type: title - version: -1 - description: '' - taskid: 12992c48-d963-44a6-85ae-d23ce25a223a - timertriggers: - - action: start - fieldname: timetoassignment - type: title view: |- { "position": { "x": 50, - "y": 1825 - } - } - '23': - id: '23' - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#none#': - - '16' - note: false - quietmode: 0 - separatecontext: false - skipunavailable: false - task: - brand: '' - id: 3627deaf-6946-432c-8c2e-0add06bf2e8e - iscommand: false - name: Start Remediation SLA Timer - type: title - version: -1 - description: '' - taskid: 3627deaf-6946-432c-8c2e-0add06bf2e8e - timertriggers: - - action: start - fieldname: remediationsla - type: title - view: |- - { - "position": { - "x": 480, - "y": 1825 + "y": 835 } } + continueonerrortype: "" '24': conditions: - condition: 
@@ -337,21 +237,22 @@ tasks: task: brand: '' description: Checks whether the Enrich playbook input is set to True. - id: d8ec74d0-aa42-4e63-8fc7-4a8ef0dd756d + id: ae6fd9f2-155d-4c1c-864d-6bfb8dc16520 iscommand: false name: Should indicators be extracted and enriched? type: condition version: -1 - taskid: d8ec74d0-aa42-4e63-8fc7-4a8ef0dd756d + taskid: ae6fd9f2-155d-4c1c-864d-6bfb8dc16520 timertriggers: [] type: condition view: |- { "position": { - "x": 265, + "x": 50, "y": 195 } } + continueonerrortype: "" '25': id: '25' ignoreworker: false @@ -366,22 +267,23 @@ tasks: skipunavailable: false task: brand: '' - id: 26700fc2-1de4-4b08-8125-a89a969cd1ee + id: 10c62e54-56a5-4da2-8a17-7aac10ceab1a iscommand: false name: Enrich indicators type: title version: -1 description: '' - taskid: 26700fc2-1de4-4b08-8125-a89a969cd1ee + taskid: 10c62e54-56a5-4da2-8a17-7aac10ceab1a timertriggers: [] type: title view: |- { "position": { - "x": 377.5, + "x": 162.5, "y": 370 } } + continueonerrortype: "" '26': id: '26' ignoreworker: false @@ -402,22 +304,23 @@ tasks: task: brand: Builtin description: Extracts all indicators that match the regex for the indicator type, and enriches the repuration using the reputation command defined for the indicator type. - id: 5ff4184b-c4ea-498a-8702-362b77826ae7 + id: d00b80ad-7d43-4224-8c7f-135228d15cca iscommand: true name: Extract Indicators from Incident script: Builtin|||extractIndicators type: regular version: -1 - taskid: 5ff4184b-c4ea-498a-8702-362b77826ae7 + taskid: d00b80ad-7d43-4224-8c7f-135228d15cca timertriggers: [] type: regular view: |- { "position": { - "x": 377.5, + "x": 162.5, "y": 515 } } + continueonerrortype: "" '27': id: '27' ignoreworker: false 
@@ -432,22 +335,23 @@ tasks: skipunavailable: false task: brand: '' - id: 0ab8768c-20da-437c-87ca-ca6be6a4c160 + id: 0fdcd68f-e137-4d32-8b7d-5132ecc94f83 iscommand: false name: Calculate Severity type: title version: -1 description: '' - taskid: 0ab8768c-20da-437c-87ca-ca6be6a4c160 + taskid: 0fdcd68f-e137-4d32-8b7d-5132ecc94f83 timertriggers: [] type: title view: |- { "position": { - "x": 265, + "x": 50, "y": 690 } } + continueonerrortype: "" '28': id: '28' ignoreworker: false @@ -455,29 +359,30 @@ tasks: isoversize: false nexttasks: '#none#': - - '18' + - "32" note: false quietmode: 0 separatecontext: false skipunavailable: false task: brand: '' - id: cdf4cb29-9cd1-4b7d-81c9-74838ac541a1 + id: 51a1b4a5-c1fc-4729-849d-dba7a37521d2 iscommand: false name: Start SLA Timers type: title version: -1 description: '' - taskid: cdf4cb29-9cd1-4b7d-81c9-74838ac541a1 + taskid: 51a1b4a5-c1fc-4729-849d-dba7a37521d2 timertriggers: [] type: title view: |- { "position": { - "x": 265, + "x": 50, "y": 1505 } } + continueonerrortype: "" '29': conditions: - condition: @@ -506,21 +411,22 @@ tasks: task: brand: '' description: Checks if the SetSLAs input is set to True, and if so moves to the sub-playbook to set the SLAs based on Severity. - id: d1cca75f-7e05-4503-872f-75c5e596187e + id: 64613864-7465-4c52-8739-a6a15d928c36 iscommand: false name: Should we set SLAs based on Severity? type: condition version: -1 - taskid: d1cca75f-7e05-4503-872f-75c5e596187e + taskid: 64613864-7465-4c52-8739-a6a15d928c36 timertriggers: [] type: condition view: |- { "position": { - "x": 265, + "x": 50, "y": 1155 } } + continueonerrortype: "" '30': id: '30' ignoreworker: false 
@@ -578,23 +484,24 @@ tasks: skipunavailable: false task: brand: '' - id: 70d0f89c-9f27-441d-8acc-2b8cf37c051a + id: ac3032bb-9a4a-47d2-8561-1b15bc3070af iscommand: false name: Case Management - Generic - Set SLAs based on Severity - playbookId: Case Management - Generic - Set SLAs based on Severity type: playbook version: -1 description: '' - taskid: 70d0f89c-9f27-441d-8acc-2b8cf37c051a + playbookName: Case Management - Generic - Set SLAs based on Severity + taskid: ac3032bb-9a4a-47d2-8561-1b15bc3070af timertriggers: [] type: playbook view: |- { "position": { - "x": 377.5, + "x": 162.5, "y": 1330 } } + continueonerrortype: "" '31': id: '31' ignoreworker: false 
@@ -609,22 +516,86 @@ tasks: skipunavailable: false task: brand: '' - id: f629382c-7027-478b-8455-acaf88e39887 + id: 5c11f903-f3de-444f-8efa-b64a3552fa31 iscommand: false name: Set SLAs type: title version: -1 description: '' - taskid: f629382c-7027-478b-8455-acaf88e39887 + taskid: 5c11f903-f3de-444f-8efa-b64a3552fa31 timertriggers: [] type: title view: |- { "position": { - "x": 265, + "x": 50, "y": 1010 } } + continueonerrortype: "" + "32": + id: "32" + taskid: d4684072-8462-4adb-8e0f-2849127bcd39 + type: playbook + task: + id: d4684072-8462-4adb-8e0f-2849127bcd39 + version: -1 + name: Case Management - Generic - Start SLA Timers + playbookName: Case Management - Generic - Start SLA Timers + type: playbook + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "33" + separatecontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 50, + "y": 1650 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "33": + id: "33" + taskid: db6acbda-7787-4a39-863f-110f857adeda + type: title + task: + id: db6acbda-7787-4a39-863f-110f857adeda + version: -1 + name: Investigation + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "16" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 50, + "y": 1825 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false version: -1 view: |- { @@ -632,7 +603,7 @@ view: |- "paper": { "dimensions": { "height": 2160, - "width": 810, + "width": 492.5, "x": 50, "y": 50 } diff --git a/Packs/CaseManagement-Generic/ReleaseNotes/1_4_0.md b/Packs/CaseManagement-Generic/ReleaseNotes/1_4_0.md new file mode 100644 index 000000000000..d2b1b7fcb7c4 --- /dev/null +++ b/Packs/CaseManagement-Generic/ReleaseNotes/1_4_0.md 
@@ -0,0 +1,50 @@ + +#### Layouts +##### Case Management Layout v2 +- Added Phase field to the info section on the layout. +- Replaced Detection URL field with External Link field to match Malware Investigation and Response Layout. + +#### Playbooks +##### Case Management - Generic v2 +- Added the Case Management - Generic - Start SLA Timers sub-playbook, which performs the logic of starting the appropriate timers based on Owner assignment. + +##### New: Case Management - Generic - Start SLA Timers +- This playbook will start the Time to Assignment or Remediation SLA timers based on whether an Owner is assigned to the Incident. +- Can be used as a sub-playbook to perform the same logic across different playbooks/use cases. (Available from Cortex XSOAR 6.5.0). + +#### Scripts +##### AssignToMeButton +- Updated the Docker image to: *demisto/python3:3.10.9.42476*. + + +##### GenerateSummaryReportButton +- Updated the Docker image to: *demisto/python3:3.10.9.42476*. + + +##### CaseMgmtIncidentTypesDisplay +- Updated the Docker image to: *demisto/python3:3.10.9.42476*. + + +##### New: CaseMgmtIncidentTypesByRole +- Restricts the Incident Types a user can create manually, based on their assigned XSOAR Role(s). +- Requirements - Create an XSOAR List called IncidentTypeRBAC with the following structure: + +``` +{ +"Default":["DefaultIncidentTypeforAllUsers"], +"Role":["IncidentType1","IncidentType2"] +} +``` + +##### CaseMgmtAnalystTools +- Updated the Docker image to: *demisto/python3:3.10.9.42476*. + + +##### LinkIncidentsButton +- Updated the Docker image to: *demisto/python3:3.10.9.42476*. + + +##### TimersOnOwnerChange +- Updated the Docker image to: *demisto/python3:3.10.9.42476*. + + diff --git a/Packs/CaseManagement-Generic/Scripts/AssignToMeButton/AssignToMeButton.yml b/Packs/CaseManagement-Generic/Scripts/AssignToMeButton/AssignToMeButton.yml index b7b151b9a0e1..0b949919b976 100644 --- a/Packs/CaseManagement-Generic/Scripts/AssignToMeButton/AssignToMeButton.yml 
+++ b/Packs/CaseManagement-Generic/Scripts/AssignToMeButton/AssignToMeButton.yml @@ -2,7 +2,7 @@ comment: 'Assigns the current Incident to the Cortex XSOAR user who clicked the commonfields: id: AssignToMeButton version: -1 -dockerimage: demisto/python3:3.10.5.31928 +dockerimage: demisto/python3:3.10.9.42476 enabled: true name: AssignToMeButton runas: DBotWeakRole diff --git a/Packs/CaseManagement-Generic/Scripts/CaseMgmtAnalystTools/CaseMgmtAnalystTools.yml b/Packs/CaseManagement-Generic/Scripts/CaseMgmtAnalystTools/CaseMgmtAnalystTools.yml index 4cd06dc7f329..7d236930e92a 100644 --- a/Packs/CaseManagement-Generic/Scripts/CaseMgmtAnalystTools/CaseMgmtAnalystTools.yml +++ b/Packs/CaseManagement-Generic/Scripts/CaseMgmtAnalystTools/CaseMgmtAnalystTools.yml @@ -5,7 +5,7 @@ comment: |- commonfields: id: CaseMgmtAnalystTools version: -1 -dockerimage: demisto/python3:3.10.5.31928 +dockerimage: demisto/python3:3.10.9.42476 enabled: true name: CaseMgmtAnalystTools runas: DBotWeakRole diff --git a/Packs/CaseManagement-Generic/Scripts/CaseMgmtIncidentTypesByRole/CaseMgmtIncidentTypesByRole.py b/Packs/CaseManagement-Generic/Scripts/CaseMgmtIncidentTypesByRole/CaseMgmtIncidentTypesByRole.py new file mode 100644 index 000000000000..b454dfc1a93f --- /dev/null +++ b/Packs/CaseManagement-Generic/Scripts/CaseMgmtIncidentTypesByRole/CaseMgmtIncidentTypesByRole.py 
@@ -0,0 +1,44 @@
+import demistomock as demisto # noqa: F401
+from CommonServerPython import * # noqa: F401
+
+# check if this is a new Incident or not
+incident = demisto.incident().get("id")
+
+# if new Incident, the ID will be empty:
+if not incident:
+
+ # get the XSOAR IncidentTypesRBAC XSOAR List
+ types_list = demisto.executeCommand("getList", {"listName": "IncidentTypesRBAC"})[0]["Contents"]
+
+ # check if the list exists, if not, display the default options.
+ if "Item not found" in types_list:
+ # do nothing, return the original values from the field
+ pass
+ else:
+ # make sure the list is valid json, if it's invalid or another error, return the original values from the field
+ try:
+ role_list = json.loads(types_list)
+
+ # get the users roles
+ roles = demisto.executeCommand("getUsers", {"current": "true"})[0].get("Contents")[0].get("allRoles")
+
+ # set default Incident types for all roles
+ allowedTypes = role_list["Default"]
+
+ # for each role the user has, add their types
+ for role in roles:
+ allowedTypes.extend(role_list[role])
+
+ # remove duplicates
+ allowedTypes = list(set(allowedTypes))
+
+ demisto.results({'hidden': False, 'options': allowedTypes})
+ except ValueError:
+ pass
+ except Exception:
+ pass
+else:
+ # if it's an existing Incident, prevent changing the type from the UI.
+ # get the current Incident Type, and only return that type.
+ incident_type = demisto.incident().get("type")
+ return_results({'hidden': False, 'options': [incident_type]})
diff --git a/Packs/CaseManagement-Generic/Scripts/CaseMgmtIncidentTypesByRole/CaseMgmtIncidentTypesByRole.yml b/Packs/CaseManagement-Generic/Scripts/CaseMgmtIncidentTypesByRole/CaseMgmtIncidentTypesByRole.yml
new file mode 100644
index 000000000000..035da24877f1
--- /dev/null
+++ b/Packs/CaseManagement-Generic/Scripts/CaseMgmtIncidentTypesByRole/CaseMgmtIncidentTypesByRole.yml
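Review bot: The role lookup `allowedTypes.extend(role_list[role])` raises KeyError for any user role that has no entry in the list (an administrator or custom role alongside a mapped one), and the trailing `except Exception: pass` swallows it, so the script returns nothing and the field falls back to showing every incident type — the restriction fails open for exactly the users whose roles are unmapped, and the same happens when the list is not valid JSON. Use `role_list.get(role, [])`, and on a parse or lookup error log and return a closed set (an empty list, or the Default types if that is the intended floor) instead of silently falling through; the rewritten branch is below. The list name the script reads, `IncidentTypesRBAC`, also differs from the `IncidentTypeRBAC` documented in the script comment and the release notes, which lands every deployment that follows the docs on the `Item not found` branch and again shows the unrestricted field. A `field-display` script only shapes the dropdown; incidents created through the API or by integrations are not subject to it, so the file should say so, e.g. `# NOTE: UI-only restriction - incidents created via API/integrations bypass this script`.

```python
# … unchanged: new-incident check and getList lookup …
    else:
        try:
            role_list = json.loads(types_list)
            roles = demisto.executeCommand("getUsers", {"current": "true"})[0].get("Contents")[0].get("allRoles") or []
            # copy so extend() does not mutate the parsed Default entry; unmapped roles grant nothing
            allowedTypes = list(role_list.get("Default", []))
            for role in roles:
                allowedTypes.extend(role_list.get(role, []))
            return_results({'hidden': False, 'options': sorted(set(allowedTypes))})
        except Exception as e:
            # fail closed: a malformed list or a lookup error must not expose every incident type
            demisto.error(f"CaseMgmtIncidentTypesByRole: {e}")
            return_results({'hidden': False, 'options': []})
```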
@@ -0,0 +1,18 @@
+comment: "Restricts the Incident Types a user can create manually, based on their assigned XSOAR Role(s). \n\nRequirements - Create an XSOAR List called IncidentTypeRBAC with the following structure, the names must match exactly to the names in the Incident Types under Settings!\n\nExample List:\n{\n\"Default\":[\"Case\",\"Job\",\"Unclassified\"],\n\"Analyst\":[\"Phishing\",\"Malware\"],\n\"ThreatHunters\":[\"Hunt\"]\n}"
+commonfields:
+ id: CaseMgmtIncidentTypesByRole
+ version: -1
+dockerimage: demisto/python3:3.10.9.42476
+enabled: true
+name: CaseMgmtIncidentTypesByRole
+runas: DBotWeakRole
+runonce: false
+script: ''
+scripttarget: 0
+subtype: python3
+tags:
+- field-display
+type: python
+fromversion: 6.5.0
+tests:
+- No tests (auto formatted)
diff --git a/Packs/CaseManagement-Generic/Scripts/CaseMgmtIncidentTypesByRole/README.md b/Packs/CaseManagement-Generic/Scripts/CaseMgmtIncidentTypesByRole/README.md
new file mode 100644
index 000000000000..e69de29bb2d1
diff --git a/Packs/CaseManagement-Generic/Scripts/CaseMgmtIncidentTypesDisplay/CaseMgmtIncidentTypesDisplay.yml b/Packs/CaseManagement-Generic/Scripts/CaseMgmtIncidentTypesDisplay/CaseMgmtIncidentTypesDisplay.yml
index d58d5d7b954c..3c646877745f 100644
--- a/Packs/CaseManagement-Generic/Scripts/CaseMgmtIncidentTypesDisplay/CaseMgmtIncidentTypesDisplay.yml
+++ b/Packs/CaseManagement-Generic/Scripts/CaseMgmtIncidentTypesDisplay/CaseMgmtIncidentTypesDisplay.yml
@@ -2,7 +2,7 @@ comment: "Restricts the Incident Types a user can create manually based on an XS
 commonfields:
 id: CaseMgmtIncidentTypesDisplay
 version: -1
-dockerimage: demisto/python3:3.10.5.31928
+dockerimage: demisto/python3:3.10.9.42476
 enabled: true
 name: CaseMgmtIncidentTypesDisplay
 runas: DBotWeakRole
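Review bot: The `comment:` field instructs operators to create a list named `IncidentTypeRBAC`, but the script this YAML wraps (previous hunk) calls `getList` with `IncidentTypesRBAC`, so a list created per these instructions is never found and the restriction silently does not apply; pick one name and use it in the comment, the release notes and the script. The README.md added for this script is empty (blob e69de29b), so the required list format exists only inside this `comment:` string; I would move the example list there and add the one-line caveat `This is a UI-only restriction on the type dropdown; it is not an authorization boundary and does not apply to incidents created via the API or by integrations.` The script also runs as `DBotWeakRole` yet calls `getUsers` and `getList`, which is worth stating in the README so operators know the role needs those permissions if the dropdown comes back unrestricted.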
diff --git a/Packs/CaseManagement-Generic/Scripts/GenerateSummaryReportButton/GenerateSummaryReportButton.yml b/Packs/CaseManagement-Generic/Scripts/GenerateSummaryReportButton/GenerateSummaryReportButton.yml index eae0c2cef326..5234e8693e14 100644 --- a/Packs/CaseManagement-Generic/Scripts/GenerateSummaryReportButton/GenerateSummaryReportButton.yml +++ b/Packs/CaseManagement-Generic/Scripts/GenerateSummaryReportButton/GenerateSummaryReportButton.yml @@ -2,7 +2,7 @@ comment: This button will generate summary 'Case Report' template for a given In commonfields: id: GenerateSummaryReportButton version: -1 -dockerimage: demisto/python3:3.10.5.31928 +dockerimage: demisto/python3:3.10.9.42476 enabled: true name: GenerateSummaryReportButton runas: DBotWeakRole diff --git a/Packs/CaseManagement-Generic/Scripts/LinkIncidentsButton/LinkIncidentsButton.yml b/Packs/CaseManagement-Generic/Scripts/LinkIncidentsButton/LinkIncidentsButton.yml index bd10ed5acf3f..fadc13869d3f 100644 --- a/Packs/CaseManagement-Generic/Scripts/LinkIncidentsButton/LinkIncidentsButton.yml +++ b/Packs/CaseManagement-Generic/Scripts/LinkIncidentsButton/LinkIncidentsButton.yml @@ -14,7 +14,7 @@ comment: | commonfields: id: LinkIncidentsButton version: -1 -dockerimage: demisto/python3:3.10.5.31928 +dockerimage: demisto/python3:3.10.9.42476 enabled: true name: LinkIncidentsButton runas: DBotWeakRole diff --git a/Packs/CaseManagement-Generic/Scripts/TimersOnOwnerChange/TimersOnOwnerChange.yml b/Packs/CaseManagement-Generic/Scripts/TimersOnOwnerChange/TimersOnOwnerChange.yml index fd8e1f0bf5c4..4a214729be5a 100644 --- a/Packs/CaseManagement-Generic/Scripts/TimersOnOwnerChange/TimersOnOwnerChange.yml +++ b/Packs/CaseManagement-Generic/Scripts/TimersOnOwnerChange/TimersOnOwnerChange.yml @@ -9,7 +9,7 @@ comment: |- commonfields: id: TimersOnOwnerChange version: -1 -dockerimage: demisto/python3:3.10.5.31928 +dockerimage: demisto/python3:3.10.9.42476 enabled: true name: TimersOnOwnerChange runas: DBotWeakRole 
diff --git a/Packs/CaseManagement-Generic/pack_metadata.json b/Packs/CaseManagement-Generic/pack_metadata.json index ea6ab5b5c6b0..b04ad56a7d77 100644 --- a/Packs/CaseManagement-Generic/pack_metadata.json +++ b/Packs/CaseManagement-Generic/pack_metadata.json @@ -2,12 +2,14 @@ "name": "CaseManagement-Generic", "description": "Case Management - Beta\n\nBuilt by the Cortex Customer Success Team to provide quick deployment of Case Management with XSOAR", "support": "community", - "currentVersion": "1.3.1", + "currentVersion": "1.4.0", "author": "Cortex XSOAR Customer Success", "url": "", "email": "", "created": "2020-08-20T14:37:35Z", - "categories": ["Case Management"], + "categories": [ + "Case Management" + ], "tags": [], "useCases": [ "Case Management" @@ -20,4 +22,4 @@ "marketplaces": [ "xsoar" ] -} +} \ No newline at end of file diff --git a/Packs/Censys/Integrations/CensysV2/CensysV2.yml b/Packs/Censys/Integrations/CensysV2/CensysV2.yml index c2147e1fa727..7e653c4a4b7f 100644 --- a/Packs/Censys/Integrations/CensysV2/CensysV2.yml +++ b/Packs/Censys/Integrations/CensysV2/CensysV2.yml @@ -413,7 +413,7 @@ script: - contextPath: Censys.Search.parsed.issuer_dn description: Distinguished name of the entity that has signed and issued the certificate. type: String - dockerimage: demisto/python3:3.10.8.37753 + dockerimage: demisto/python3:3.10.9.40422 feed: false isfetch: false longRunning: false diff --git a/Packs/Censys/ReleaseNotes/2_0_15.md b/Packs/Censys/ReleaseNotes/2_0_15.md new file mode 100644 index 000000000000..5450ec22525f --- /dev/null +++ b/Packs/Censys/ReleaseNotes/2_0_15.md @@ -0,0 +1,3 @@ +#### Integrations +##### Censys v2 +- Updated the Docker image to: *demisto/python3:3.10.9.40422*. diff --git a/Packs/Censys/pack_metadata.json b/Packs/Censys/pack_metadata.json index 2edcdfd8309a..91d75b3eedd8 100644 --- a/Packs/Censys/pack_metadata.json +++ b/Packs/Censys/pack_metadata.json 
@@ -2,7 +2,7 @@ "name": "Censys", "description": "Censys is a search engine that allows computer scientists to ask questions about the devices and networks that compose the Internet. Driven by Internet-wide scanning, Censys lets researchers find specific hosts and create aggregate reports on how devices, websites, and certificates are configured and deployed.", "support": "xsoar", - "currentVersion": "2.0.14", + "currentVersion": "2.0.15", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/Centreon/Integrations/Centreon/Centreon.yml b/Packs/Centreon/Integrations/Centreon/Centreon.yml index b2cab2184ef9..af7d6f7f0dcd 100644 --- a/Packs/Centreon/Integrations/Centreon/Centreon.yml +++ b/Packs/Centreon/Integrations/Centreon/Centreon.yml @@ -151,7 +151,7 @@ script: description: Service state description: All the monitoring information regarding services runonce: false - dockerimage: demisto/python3:3.10.8.37753 + dockerimage: demisto/python3:3.10.9.40422 tests: - Centreon-Test-Playbook fromversion: 5.0.0 diff --git a/Packs/Centreon/ReleaseNotes/1_0_11.md b/Packs/Centreon/ReleaseNotes/1_0_11.md new file mode 100644 index 000000000000..47af0be01dd2 --- /dev/null +++ b/Packs/Centreon/ReleaseNotes/1_0_11.md @@ -0,0 +1,3 @@ +#### Integrations +##### Centreon +- Updated the Docker image to: *demisto/python3:3.10.9.40422*. diff --git a/Packs/Centreon/pack_metadata.json b/Packs/Centreon/pack_metadata.json index db260207d384..9ae4a4abb331 100644 --- a/Packs/Centreon/pack_metadata.json +++ b/Packs/Centreon/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Centreon", "description": "IT & Network Monitoring", "support": "xsoar", - "currentVersion": "1.0.10", + "currentVersion": "1.0.11", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", 
diff --git a/Packs/CheckPhish/Integrations/CheckPhish/CheckPhish.yml b/Packs/CheckPhish/Integrations/CheckPhish/CheckPhish.yml index 2396fb66fe42..7e9aa4d624bd 100644 --- a/Packs/CheckPhish/Integrations/CheckPhish/CheckPhish.yml +++ b/Packs/CheckPhish/Integrations/CheckPhish/CheckPhish.yml @@ -206,5 +206,5 @@ script: script: '-' type: python subtype: python3 - dockerimage: demisto/python3:3.10.8.37753 + dockerimage: demisto/python3:3.10.9.40422 fromversion: 5.0.0 diff --git a/Packs/CheckPhish/ReleaseNotes/1_0_14.md b/Packs/CheckPhish/ReleaseNotes/1_0_14.md new file mode 100644 index 000000000000..19f63d974235 --- /dev/null +++ b/Packs/CheckPhish/ReleaseNotes/1_0_14.md @@ -0,0 +1,3 @@ +#### Integrations +##### CheckPhish +- Updated the Docker image to: *demisto/python3:3.10.9.40422*. diff --git a/Packs/CheckPhish/pack_metadata.json b/Packs/CheckPhish/pack_metadata.json index 937371288dc6..828b8f06786a 100644 --- a/Packs/CheckPhish/pack_metadata.json +++ b/Packs/CheckPhish/pack_metadata.json @@ -2,7 +2,7 @@ "name": "CheckPhish", "description": "Check any URL to detect supsicious behavior.", "support": "xsoar", - "currentVersion": "1.0.13", + "currentVersion": "1.0.14", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/CheckPointDome9/Integrations/CheckPointDome9/CheckPointDome9.yml b/Packs/CheckPointDome9/Integrations/CheckPointDome9/CheckPointDome9.yml index 916495b5fd51..be531353a8d0 100644 --- a/Packs/CheckPointDome9/Integrations/CheckPointDome9/CheckPointDome9.yml +++ b/Packs/CheckPointDome9/Integrations/CheckPointDome9/CheckPointDome9.yml @@ -1601,7 +1601,7 @@ script: - contextPath: CheckPointDome9.FindingsBundle.region description: The CloudTrail account ID. type: String - dockerimage: demisto/python3:3.10.5.33323 + dockerimage: demisto/python3:3.10.9.40422 feed: false isfetch: true longRunning: false 
diff --git a/Packs/CheckPointDome9/ReleaseNotes/1_0_1.md b/Packs/CheckPointDome9/ReleaseNotes/1_0_1.md new file mode 100644 index 000000000000..4825bc95cc6b --- /dev/null +++ b/Packs/CheckPointDome9/ReleaseNotes/1_0_1.md @@ -0,0 +1,3 @@ +#### Integrations +##### Check Point Dome9 (CloudGuard) +- Updated the Docker image to: *demisto/python3:3.10.9.40422*. diff --git a/Packs/CheckPointDome9/pack_metadata.json b/Packs/CheckPointDome9/pack_metadata.json index 9c02ae5e8057..32a9c5b2db70 100644 --- a/Packs/CheckPointDome9/pack_metadata.json +++ b/Packs/CheckPointDome9/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Check Point Dome9 (CloudGuard)", "description": "Dome9 integration allows to easily manage the security and compliance of the public cloud.", "support": "xsoar", - "currentVersion": "1.0.0", + "currentVersion": "1.0.1", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/CimTrak-SystemIntegrityAssurance/Integrations/CimTrak/CimTrak.yml b/Packs/CimTrak-SystemIntegrityAssurance/Integrations/CimTrak/CimTrak.yml index b500ea73d120..5f7c8f846f46 100644 --- a/Packs/CimTrak-SystemIntegrityAssurance/Integrations/CimTrak/CimTrak.yml +++ b/Packs/CimTrak-SystemIntegrityAssurance/Integrations/CimTrak/CimTrak.yml @@ -2331,7 +2331,7 @@ script: - contextPath: CimTrak.Object.agentObjectId description: Agent Object Id type: number - dockerimage: demisto/python3:3.10.8.37233 + dockerimage: demisto/python3:3.10.9.40422 isfetch: true longRunning: true runonce: false diff --git a/Packs/CimTrak-SystemIntegrityAssurance/ReleaseNotes/1_0_4.md b/Packs/CimTrak-SystemIntegrityAssurance/ReleaseNotes/1_0_4.md new file mode 100644 index 000000000000..056b8935450c --- /dev/null +++ b/Packs/CimTrak-SystemIntegrityAssurance/ReleaseNotes/1_0_4.md @@ -0,0 +1,3 @@ +#### Integrations +##### CimTrak - System Integrity Assurance +- Updated the Docker image to: *demisto/python3:3.10.9.40422*. 
diff --git a/Packs/CimTrak-SystemIntegrityAssurance/pack_metadata.json b/Packs/CimTrak-SystemIntegrityAssurance/pack_metadata.json index 1fe1c8d47495..918655b24bdc 100644 --- a/Packs/CimTrak-SystemIntegrityAssurance/pack_metadata.json +++ b/Packs/CimTrak-SystemIntegrityAssurance/pack_metadata.json @@ -2,7 +2,7 @@ "name": "CimTrak - System Integrity Assurance", "description": "The CimTrak integration helps you detect unexpected system/device/config modifications and automatically respond/react to threats", "support": "partner", - "currentVersion": "1.0.3", + "currentVersion": "1.0.4", "author": "Cimcor", "url": "www.cimcor.com", "email": "support@cimcor.com", diff --git a/Packs/CircleCI/Integrations/CircleCI/CircleCI.yml b/Packs/CircleCI/Integrations/CircleCI/CircleCI.yml index 7e754ce23e28..08ab821f3501 100644 --- a/Packs/CircleCI/Integrations/CircleCI/CircleCI.yml +++ b/Packs/CircleCI/Integrations/CircleCI/CircleCI.yml @@ -335,7 +335,7 @@ script: script: '-' type: python subtype: python3 - dockerimage: demisto/python3:3.10.8.37753 + dockerimage: demisto/python3:3.10.9.40422 fromversion: 5.5.0 tests: - No tests (auto formatted) diff --git a/Packs/CircleCI/ReleaseNotes/1_0_20.md b/Packs/CircleCI/ReleaseNotes/1_0_20.md new file mode 100644 index 000000000000..1fcafa7d3757 --- /dev/null +++ b/Packs/CircleCI/ReleaseNotes/1_0_20.md @@ -0,0 +1,3 @@ +#### Integrations +##### CircleCI +- Updated the Docker image to: *demisto/python3:3.10.9.40422*. diff --git a/Packs/CircleCI/pack_metadata.json b/Packs/CircleCI/pack_metadata.json index 4ab0bf176d47..0d39a4af7daf 100644 --- a/Packs/CircleCI/pack_metadata.json +++ b/Packs/CircleCI/pack_metadata.json 
@@ -2,7 +2,7 @@ "name": "CircleCI", "description": "CircleCI is a modern continuous integration and continuous delivery (CI/CD) platform. CircleCI automates the building, testing, and deployment of software.", "support": "xsoar", - "currentVersion": "1.0.19", + "currentVersion": "1.0.20", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/Cisco-umbrella-enforcement/Integrations/CiscoUmbrellaEnforcement/CiscoUmbrellaEnforcement.yml b/Packs/Cisco-umbrella-enforcement/Integrations/CiscoUmbrellaEnforcement/CiscoUmbrellaEnforcement.yml index e7ff9d0c0002..5256a902e09d 100644 --- a/Packs/Cisco-umbrella-enforcement/Integrations/CiscoUmbrellaEnforcement/CiscoUmbrellaEnforcement.yml +++ b/Packs/Cisco-umbrella-enforcement/Integrations/CiscoUmbrellaEnforcement/CiscoUmbrellaEnforcement.yml @@ -151,7 +151,7 @@ script: description: Delete domain. execution: false name: umbrella-domain-delete - dockerimage: demisto/python3:3.10.8.37753 + dockerimage: demisto/python3:3.10.9.40422 feed: false isfetch: false longRunning: false diff --git a/Packs/Cisco-umbrella-enforcement/ReleaseNotes/1_0_21.md b/Packs/Cisco-umbrella-enforcement/ReleaseNotes/1_0_21.md new file mode 100644 index 000000000000..b8172561f16a --- /dev/null +++ b/Packs/Cisco-umbrella-enforcement/ReleaseNotes/1_0_21.md @@ -0,0 +1,3 @@ +#### Integrations +##### Cisco Umbrella Enforcement +- Updated the Docker image to: *demisto/python3:3.10.9.40422*. diff --git a/Packs/Cisco-umbrella-enforcement/pack_metadata.json b/Packs/Cisco-umbrella-enforcement/pack_metadata.json index 566da954ee5c..7df65bc8e5bc 100644 --- a/Packs/Cisco-umbrella-enforcement/pack_metadata.json +++ b/Packs/Cisco-umbrella-enforcement/pack_metadata.json 
@@ -2,7 +2,7 @@ "name": "Cisco Umbrella Enforcement", "description": "Cisco Umbrella Enforcement", "support": "xsoar", - "currentVersion": "1.0.20", + "currentVersion": "1.0.21", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/CiscoASA/Integrations/CiscoASA/CiscoASA.yml b/Packs/CiscoASA/Integrations/CiscoASA/CiscoASA.yml index a2718f41e344..aba1341e6769 100644 --- a/Packs/CiscoASA/Integrations/CiscoASA/CiscoASA.yml +++ b/Packs/CiscoASA/Integrations/CiscoASA/CiscoASA.yml @@ -518,7 +518,7 @@ script: - contextPath: CiscoASA.Interface.Type description: The type of interface. type: String - dockerimage: demisto/python3:3.10.9.40422 + dockerimage: demisto/python3:3.10.9.42476 isfetch: false runonce: false script: '-' diff --git a/Packs/CiscoASA/ReleaseNotes/1_0_29.md b/Packs/CiscoASA/ReleaseNotes/1_0_29.md new file mode 100644 index 000000000000..903e385324b9 --- /dev/null +++ b/Packs/CiscoASA/ReleaseNotes/1_0_29.md @@ -0,0 +1,3 @@ +#### Integrations +##### Cisco ASA +- Updated the Docker image to: *demisto/python3:3.10.9.42476*. diff --git a/Packs/CiscoASA/pack_metadata.json b/Packs/CiscoASA/pack_metadata.json index a1230f930219..b999189cffe1 100644 --- a/Packs/CiscoASA/pack_metadata.json +++ b/Packs/CiscoASA/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Cisco ASA", "description": "Cisco Adaptive Security Appliance Software is the core operating system for the Cisco ASA Family. It delivers enterprise-class firewall capabilities for ASA devices.", "support": "xsoar", - "currentVersion": "1.0.28", + "currentVersion": "1.0.29", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/CiscoEmailSecurity/Integrations/CiscoEmailSecurity/CiscoEmailSecurity.yml b/Packs/CiscoEmailSecurity/Integrations/CiscoEmailSecurity/CiscoEmailSecurity.yml index e883ae8a00d9..074ac1aae247 100644 --- a/Packs/CiscoEmailSecurity/Integrations/CiscoEmailSecurity/CiscoEmailSecurity.yml 
+++ b/Packs/CiscoEmailSecurity/Integrations/CiscoEmailSecurity/CiscoEmailSecurity.yml @@ -1218,3 +1218,4 @@ tests: - No tests fromversion: 5.0.0 beta: true +deprecated: true \ No newline at end of file diff --git a/Packs/CiscoEmailSecurity/ReleaseNotes/1_1_1.md b/Packs/CiscoEmailSecurity/ReleaseNotes/1_1_1.md new file mode 100644 index 000000000000..5ee10ab053dc --- /dev/null +++ b/Packs/CiscoEmailSecurity/ReleaseNotes/1_1_1.md @@ -0,0 +1,5 @@ + +#### Integrations +##### CiscoEmailSecurity (Beta) (Deprecated) +- Deprecated. Use Cisco Security Management Appliance instead. +- Updated the Docker image to: *demisto/python3:3.10.8.37753*. diff --git a/Packs/CiscoEmailSecurity/pack_metadata.json b/Packs/CiscoEmailSecurity/pack_metadata.json index 77974a5d0a03..80ae6d771493 100644 --- a/Packs/CiscoEmailSecurity/pack_metadata.json +++ b/Packs/CiscoEmailSecurity/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Cisco Email Security (Beta) (Deprecated)", "description": "Deprecated. Use CiscoSMA instead.", "support": "xsoar", - "currentVersion": "1.1.0", + "currentVersion": "1.1.1", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", @@ -11,6 +11,7 @@ "Network Security" ], "tags": [], + "hidden": true, "useCases": [], "keywords": [], "marketplaces": [ diff --git a/Packs/CiscoSMA/Integrations/CiscoSMA/CiscoSMA.yml b/Packs/CiscoSMA/Integrations/CiscoSMA/CiscoSMA.yml index ecda1e93d746..9c7b7425e678 100644 --- a/Packs/CiscoSMA/Integrations/CiscoSMA/CiscoSMA.yml +++ b/Packs/CiscoSMA/Integrations/CiscoSMA/CiscoSMA.yml @@ -95,7 +95,7 @@ script: script: '' type: python subtype: python3 - dockerimage: demisto/python3:3.10.8.39276 + dockerimage: demisto/python3:3.10.9.40422 isfetch: true commands: - name: cisco-sma-spam-quarantine-message-search diff --git a/Packs/CiscoSMA/ReleaseNotes/1_1_3.md b/Packs/CiscoSMA/ReleaseNotes/1_1_3.md new file mode 100644 index 000000000000..c7d693ce335a --- /dev/null +++ b/Packs/CiscoSMA/ReleaseNotes/1_1_3.md 
@@ -0,0 +1,3 @@
+#### Integrations
+##### Cisco Security Management Appliance
+- Updated the Docker image to: *demisto/python3:3.10.9.40422*.
diff --git a/Packs/CiscoSMA/pack_metadata.json b/Packs/CiscoSMA/pack_metadata.json
index 62a0ce0b025d..5c3609942720 100644
--- a/Packs/CiscoSMA/pack_metadata.json
+++ b/Packs/CiscoSMA/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "CiscoSMA",
 "description": "The Security Management Appliance (SMA) is used to centralize services from Email Security Appliances (ESAs) and Web Security Appliances (WSAs).",
 "support": "xsoar",
- "currentVersion": "1.1.2",
+ "currentVersion": "1.1.3",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
diff --git a/Packs/CiscoStealthwatch/Integrations/CiscoStealthwatch/CiscoStealthwatch.yml b/Packs/CiscoStealthwatch/Integrations/CiscoStealthwatch/CiscoStealthwatch.yml
index 77f658b7c875..06f04881b9ad 100644
--- a/Packs/CiscoStealthwatch/Integrations/CiscoStealthwatch/CiscoStealthwatch.yml
+++ b/Packs/CiscoStealthwatch/Integrations/CiscoStealthwatch/CiscoStealthwatch.yml
@@ -397,7 +397,7 @@ script:
 - contextPath: CiscoStealthwatch.SecurityEventResults.hitCount
 description: The hit count of the security event.
 type: str
- dockerimage: demisto/python3:3.10.8.36650
+ dockerimage: demisto/python3:3.10.9.40422
 feed: false
 isfetch: false
 longRunning: false
diff --git a/Packs/CiscoStealthwatch/ReleaseNotes/1_0_8.md b/Packs/CiscoStealthwatch/ReleaseNotes/1_0_8.md
new file mode 100644
index 000000000000..edce552128ce
--- /dev/null
+++ b/Packs/CiscoStealthwatch/ReleaseNotes/1_0_8.md
@@ -0,0 +1,3 @@
+#### Integrations
+##### Cisco Secure Network Analytics (Stealthwatch)
+- Updated the Docker image to: *demisto/python3:3.10.9.40422*.
diff --git a/Packs/CiscoStealthwatch/pack_metadata.json b/Packs/CiscoStealthwatch/pack_metadata.json
index 184837a089c1..7af6534c070f 100644
--- a/Packs/CiscoStealthwatch/pack_metadata.json
+++ b/Packs/CiscoStealthwatch/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Cisco Secure Network Analytics (Stealthwatch)",
 "description": "Cisco Secure Network Analytics (Stealthwatch) provides scalable visibility and security analytics.",
 "support": "xsoar",
- "currentVersion": "1.0.7",
+ "currentVersion": "1.0.8",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
diff --git a/Packs/CiscoUmbrellaReporting/Integrations/CiscoUmbrellaReporting/CiscoUmbrellaReporting.yml b/Packs/CiscoUmbrellaReporting/Integrations/CiscoUmbrellaReporting/CiscoUmbrellaReporting.yml
index d229bd059911..afe9431cb27f 100644
--- a/Packs/CiscoUmbrellaReporting/Integrations/CiscoUmbrellaReporting/CiscoUmbrellaReporting.yml
+++ b/Packs/CiscoUmbrellaReporting/Integrations/CiscoUmbrellaReporting/CiscoUmbrellaReporting.yml
@@ -2073,7 +2073,7 @@ script:
 - contextPath: UmbrellaReporting.SignatureListSummary.signatures.id
 description: Signature ID.
 type: Number
- dockerimage: demisto/python3:3.10.8.37753
+ dockerimage: demisto/python3:3.10.9.40422
 feed: false
 isfetch: false
 longRunning: false
diff --git a/Packs/CiscoUmbrellaReporting/ReleaseNotes/1_0_1.md b/Packs/CiscoUmbrellaReporting/ReleaseNotes/1_0_1.md
new file mode 100644
index 000000000000..cfcb31bc1dfc
--- /dev/null
+++ b/Packs/CiscoUmbrellaReporting/ReleaseNotes/1_0_1.md
@@ -0,0 +1,3 @@
+#### Integrations
+##### Cisco Umbrella Reporting
+- Updated the Docker image to: *demisto/python3:3.10.9.40422*.
diff --git a/Packs/CiscoUmbrellaReporting/pack_metadata.json b/Packs/CiscoUmbrellaReporting/pack_metadata.json
index 46d0552f72cd..64183d611bc1 100644
--- a/Packs/CiscoUmbrellaReporting/pack_metadata.json
+++ b/Packs/CiscoUmbrellaReporting/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Cisco Umbrella Reporting",
 "description": "Use Cisco Umbrella's Reporting to monitor your Umbrella integration and gain a better understanding of your Umbrella usage. Gain insights into request activity and blocked activity, determining which of your identities are generating blocked requests. Reports help build actionable intelligence in addressing security threats including changes in usage trends over time. The Umbrella Reporting v2 API provides visibility into your core network and security activities and Umbrella logs. This integration was integrated and tested with version 2 of Cisco-umbrella-reporting.",
 "support": "xsoar",
- "currentVersion": "1.0.0",
+ "currentVersion": "1.0.1",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
diff --git a/Packs/CitrixADC/.pack-ignore b/Packs/CitrixADC/.pack-ignore
new file mode 100644
index 000000000000..e69de29bb2d1
diff --git a/Packs/CitrixADC/.secrets-ignore b/Packs/CitrixADC/.secrets-ignore
new file mode 100644
index 000000000000..e69de29bb2d1
diff --git a/Packs/CitrixADC/ModelingRules/CitrixADC_1_3/CitrixADC_1_3.xif b/Packs/CitrixADC/ModelingRules/CitrixADC_1_3/CitrixADC_1_3.xif
new file mode 100644
index 000000000000..984c7075d8e6
--- /dev/null
+++ b/Packs/CitrixADC/ModelingRules/CitrixADC_1_3/CitrixADC_1_3.xif
@@ -0,0 +1,25 @@
+[MODEL: dataset="citrix_adc_raw"]
+alter http_method=arrayindex(regextract(_raw_log,"\s\:\s(\w+)\s\/"),0)
+|alter
+xdm.event.type = arrayindex(regextract(_raw_log,"\:\s\w+\s(\w+)\s"),0),
+xdm.source.ipv4 = coalesce(arrayindex(regextract(_raw_log,"Source\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"),0),arrayindex(regextract(_raw_log,"Client_ip\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s"),0),arrayindex(regextract(_raw_log,"Context\s[\w\d]+\@(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s"),0),arrayindex(regextract(_raw_log,"client=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\:"),0)),
+xdm.source.port = to_integer(coalesce(arrayindex(regextract(_raw_log,"Source\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:(\d+)\s"),0),arrayindex(regextract(_raw_log,"client=\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:(\d+)"),0))),
+xdm.target.port = to_integer(arrayindex(regextract(_raw_log,"Destination\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:(\d+)\s"),0)),
+xdm.target.ipv4 = coalesce(arrayindex(regextract(_raw_log,"Destination\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\:"),0),arrayindex(regextract(_raw_log,"Remote_ip\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s"),0)),
+xdm.source.sent_bytes = to_integer(arrayindex(regextract(_raw_log,"Total_bytes_send\s(\d+)\s"),0)),
+xdm.target.sent_bytes=to_integer(arrayindex(regextract(_raw_log,"Total_bytes_recv\s(\d+)\s"),0)),
+xdm.event.operation=arrayindex(regextract(_raw_log,"\:\s\w+\s\w+\s(\w+)\s"),0),
+xdm.event.id=arrayindex(regextract(_raw_log,"\:\s\w+\s\w+\s\w+\s(\d+)\s"),0),
+xdm.source.application.name=arrayindex(regextract(_raw_log,"applicationName\s(\w+)\s"),0),
+xdm.session_context_id=arrayindex(regextract(_raw_log,"connectionId\s(\w+)\s"),0),
+xdm.source.user.username=coalesce(arrayindex(regextract(_raw_log,"username:domainname\s(\w+)\:"),0),arrayindex(regextract(_raw_log,"User\s([\w\@\.\d]+)\s\:"),0),arrayindex(regextract(_raw_log,"Context\s([\w\d]+)\@"),0),arrayindex(regextract(_raw_log,"user:\s\<([\w\d\.\_\-]+)\@"),0)),
+xdm.source.user.domain=arrayindex(regextract(_raw_log,"username:domainname\s\w+\:(\w+)\s"),0),
+ xdm.network.http.method = if(http_method="ACL", XDM_CONST.HTTP_METHOD_ACL,http_method="BASELINE_CONTROL", XDM_CONST.HTTP_METHOD_BASELINE_CONTROL,http_method="BIND", XDM_CONST.HTTP_METHOD_BIND,http_method="CHECKIN", XDM_CONST.HTTP_METHOD_CHECKIN,http_method="CHECKOUT", XDM_CONST.HTTP_METHOD_CHECKOUT,http_method="CONNECT", XDM_CONST.HTTP_METHOD_CONNECT,http_method="COPY", XDM_CONST.HTTP_METHOD_COPY,http_method="DELETE", XDM_CONST.HTTP_METHOD_DELETE,http_method="GET", XDM_CONST.HTTP_METHOD_GET,http_method="HEAD", XDM_CONST.HTTP_METHOD_HEAD,http_method="LABEL", XDM_CONST.HTTP_METHOD_LABEL,http_method="LINK", XDM_CONST.HTTP_METHOD_LINK,http_method="LOCK", XDM_CONST.HTTP_METHOD_LOCK,http_method="MERGE", XDM_CONST.HTTP_METHOD_MERGE,http_method="MKACTIVITY", XDM_CONST.HTTP_METHOD_MKACTIVITY,http_method="MKCALENDAR", XDM_CONST.HTTP_METHOD_MKCALENDAR,http_method="MKCOL", XDM_CONST.HTTP_METHOD_MKCOL,http_method="MKREDIRECTREF", XDM_CONST.HTTP_METHOD_MKREDIRECTREF,http_method="MKWORKSPACE", XDM_CONST.HTTP_METHOD_MKWORKSPACE,http_method="MOVE", XDM_CONST.HTTP_METHOD_MOVE,http_method="OPTIONS", XDM_CONST.HTTP_METHOD_OPTIONS,http_method="ORDERPATCH", XDM_CONST.HTTP_METHOD_ORDERPATCH,http_method="PATCH", XDM_CONST.HTTP_METHOD_PATCH,http_method="POST", XDM_CONST.HTTP_METHOD_POST,http_method="PRI", XDM_CONST.HTTP_METHOD_PRI,http_method="PROPFIND", XDM_CONST.HTTP_METHOD_PROPFIND,http_method="PROPPATCH", XDM_CONST.HTTP_METHOD_PROPPATCH,http_method="PUT", XDM_CONST.HTTP_METHOD_PUT,http_method="REBIND", XDM_CONST.HTTP_METHOD_REBIND,http_method="REPORT", XDM_CONST.HTTP_METHOD_REPORT,http_method="SEARCH", XDM_CONST.HTTP_METHOD_SEARCH,http_method="TRACE", XDM_CONST.HTTP_METHOD_TRACE,http_method="UNBIND", XDM_CONST.HTTP_METHOD_UNBIND,http_method="UNCHECKOUT", XDM_CONST.HTTP_METHOD_UNCHECKOUT,http_method="UNLINK", XDM_CONST.HTTP_METHOD_UNLINK,http_method="UNLOCK", XDM_CONST.HTTP_METHOD_UNLOCK,http_method="UPDATE", XDM_CONST.HTTP_METHOD_UPDATE,http_method="UPDATEREDIRECTREF", XDM_CONST.HTTP_METHOD_UPDATEREDIRECTREF,http_method="VERSION_CONTROL", XDM_CONST.HTTP_METHOD_VERSION_CONTROL, http_method),
+xdm.network.http.url=arrayindex(regextract(_raw_log,"GET\s([\w\/\.]+)\s"),0),
+xdm.event.description=arrayindex(regextract(_raw_log,"\d+\s\d+\s\:\s+\"([^\"]+)\""),0),
+xdm.intermediate.host.hostname=arrayindex(regextract(_raw_log,"\:\d{2}\s\w+\s([\w\-\_\.\d\:]+)\s"),0),
+xdm.network.session_id=arrayindex(regextract(_raw_log,"SessionId:\s(\d+)\s"),0),
+xdm.event.outcome = if(arrayindex(regextract(_raw_log,"Status\s\"(\w+)\""),0)="SUCCESS", XDM_CONST.OUTCOME_SUCCESS, arrayindex(regextract(_raw_log,"Status\s\"(\w+)\""),0)="FAILURE", XDM_CONST.OUTCOME_FAILED, arrayindex(regextract(_raw_log,"Status\s\"(\w+)\""),0)),
+xdm.source.user_agent=arrayindex(regextract(_raw_log,"Browser_type\s\"([^\"]+)\""),0),
+xdm.intermediate.ipv4=arrayindex(regextract(_raw_log,"Vserver\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\:"),0),
+xdm.intermediate.port=to_integer(arrayindex(regextract(_raw_log,"Vserver\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:(\d+)\s"),0));
\ No newline at end of file
diff --git a/Packs/CitrixADC/ModelingRules/CitrixADC_1_3/CitrixADC_1_3.yml b/Packs/CitrixADC/ModelingRules/CitrixADC_1_3/CitrixADC_1_3.yml
new file mode 100644
index 000000000000..0dfa2746c1de
--- /dev/null
+++ b/Packs/CitrixADC/ModelingRules/CitrixADC_1_3/CitrixADC_1_3.yml
@@ -0,0 +1,6 @@
+fromversion: 6.10.0
+id: Citrix ADC
+name: Citrix ADC
+rules: ''
+schema: ''
+tags: Citrix ADC
\ No newline at end of file
diff --git a/Packs/CitrixADC/ModelingRules/CitrixADC_1_3/CitrixADC_1_3_schema.json b/Packs/CitrixADC/ModelingRules/CitrixADC_1_3/CitrixADC_1_3_schema.json
new file mode 100644
index 000000000000..0fdb3eea5275
--- /dev/null
+++ b/Packs/CitrixADC/ModelingRules/CitrixADC_1_3/CitrixADC_1_3_schema.json
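Review bot: `xdm.network.http.url` is extracted with `"GET\s([\w\/\.]+)\s"`, so the URL is null for every non-GET request even though `http_method` is populated for all methods, and any path containing `-`, `?`, `=`, `%` or `&` is cut at the first such character. Reusing the anchor already used for `http_method` would cover every method, e.g. `xdm.network.http.url=arrayindex(regextract(_raw_log,"\s\:\s\w+\s(\/\S+)\s"),0),` — worth checking against real Citrix samples, since the exact request-line format is not visible here. `xdm.event.outcome` evaluates the same `regextract(_raw_log,"Status\s\"(\w+)\"")` three times; hoisting it into the first `alter` next to `http_method` (e.g. `alter http_method=..., status=arrayindex(regextract(_raw_log,"Status\s\"(\w+)\""),0)`) lets the `if` read as a single comparison chain. Note also that the final `if` branch falls back to the raw status string, so any value other than SUCCESS/FAILURE lands in the outcome field as a non-`XDM_CONST` value.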
@@ -0,0 +1,8 @@
+{
+ "citrix_adc_raw": {
+ "_raw_log": {
+ "type": "string",
+ "is_array": false
+ }
+ }
+}
\ No newline at end of file
diff --git a/Packs/CitrixADC/ParsingRules/CitrixADC_1_3/CitrixADC_1_3.xif b/Packs/CitrixADC/ParsingRules/CitrixADC_1_3/CitrixADC_1_3.xif
new file mode 100644
index 000000000000..5bb44fb35828
--- /dev/null
+++ b/Packs/CitrixADC/ParsingRules/CitrixADC_1_3/CitrixADC_1_3.xif
@@ -0,0 +1,2 @@
+[INGEST:vendor="citrix", product="adc", target_dataset="citrix_adc_raw", no_hit=keep]
+alter _time=parse_timestamp("%m/%d/%Y:%H:%M:%S", arrayindex(regextract(_raw_log,"\>\s(\d{2}\/\d{2}\/\d{4}\:\d{2}\:\d{2}\:\d{2})\s"),0));
\ No newline at end of file
diff --git a/Packs/CitrixADC/ParsingRules/CitrixADC_1_3/CitrixADC_1_3.yml b/Packs/CitrixADC/ParsingRules/CitrixADC_1_3/CitrixADC_1_3.yml
new file mode 100644
index 000000000000..d703ff4c5c84
--- /dev/null
+++ b/Packs/CitrixADC/ParsingRules/CitrixADC_1_3/CitrixADC_1_3.yml
@@ -0,0 +1,6 @@
+name: Citrix ADC
+id: Citrix ADC
+fromversion: 6.10.0
+tags: []
+rules: ''
+samples: ''
\ No newline at end of file
diff --git a/Packs/CitrixADC/README.md b/Packs/CitrixADC/README.md
new file mode 100644
index 000000000000..94077a45fb76
--- /dev/null
+++ b/Packs/CitrixADC/README.md
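Review bot: `parse_timestamp("%m/%d/%Y:%H:%M:%S", ...)` in the parsing rule is given no time zone and the captured Citrix timestamp carries none, so `_time` is only correct when the appliance clock runs in UTC; either pass the zone the appliances actually use as `parse_timestamp`'s optional third argument or state the UTC assumption in the pack README. When the regex `\>\s(\d{2}\/\d{2}\/\d{4}\:\d{2}\:\d{2}\:\d{2})\s` does not match (a different syslog header, or message formats not covered by the samples), `arrayindex` yields null and `_time` is assigned null; confirm how the ingest pipeline treats that (presumably ingestion time, but it is not visible here) so such events are not dropped or mis-ordered.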
@@ -0,0 +1,33 @@
+# Citrix ADC
+This pack includes Cortex XSIAM content.
+
+## Configuration on Server Side
+You need to configure an audit log policy in the Citrix ADC UI.
+
+1. Navigate to **Configuration** > **System** > **Auditing** > **Syslog**.
+![Server Screenshot](https://raw.githubusercontent.com/demisto/content/6bdec7b07cba1473f92fe12319f8b812ea45494c/Packs/CitrixADC/doc_imgs/citrixadc1.png)
+2. Select **Servers** tab.
+3. Click **Add**.
+4. In the **Create Auditing Server** page, populate the relevant fields, and click **Create**.
+5. To add the policy, select the **Policies** tab, and click **Add**.
+6. In the **Create Auditing Syslog Policy** page, populate the relevant fields, and click **Create**.
+![Server Screenshot](https://raw.githubusercontent.com/demisto/content/6bdec7b07cba1473f92fe12319f8b812ea45494c/Packs/CitrixADC/doc_imgs/citrixadc2.png)
+7. To bind the policy globally, select **Advanced Policy Global Bindings** from the dropdown list. Select the **best_syslog_policy_ever** policy. Click **Select**.
+8. From the dropdown list, select the bind point as **SYSTEM_GLOBAL** and click **Bind**, and then click **Done**.
+9. Navigate to **System** > **Auditing** > **Message Actions**, and create the audit message action.
+
+## Collect Events from Vendor
+
+In order to use the collector, use the [Broker VM](#broker-vm) option.
+
+### Broker VM
+To create or configure the Broker VM, use the information described [here](https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/broker-vm/set-up-broker-vm/configure-your-broker-vm).
+
+You can configure the specific vendor and product for this instance.
+
+
+1. Navigate to **Settings** > **Configuration** > **Data Broker** > **Broker VMs**.
+2. Right-click, and select **Syslog Collector** > **Configure**.
+3. When configuring the Syslog Collector, set the following values:
+ - vendor as vendor - citrix
+ - product as product - adc
diff --git a/Packs/CitrixADC/doc_imgs/citrixadc1.png b/Packs/CitrixADC/doc_imgs/citrixadc1.png
new file mode 100644
index 000000000000..4201ff9721b9
Binary files /dev/null and b/Packs/CitrixADC/doc_imgs/citrixadc1.png differ
diff --git a/Packs/CitrixADC/doc_imgs/citrixadc2.png b/Packs/CitrixADC/doc_imgs/citrixadc2.png
new file mode 100644
index 000000000000..4a9e318ac4f1
Binary files /dev/null and b/Packs/CitrixADC/doc_imgs/citrixadc2.png differ
diff --git a/Packs/CitrixADC/pack_metadata.json b/Packs/CitrixADC/pack_metadata.json
new file mode 100644
index 000000000000..175595d82dfd
--- /dev/null
+++ b/Packs/CitrixADC/pack_metadata.json
@@ -0,0 +1,18 @@
+{
+ "name": "Citrix ADC",
+ "description": "Citrix ADC is an application delivery controller (ADC) is a purpose-built networking appliance used to improve the performance, security, and resiliency of applications delivered over the web.",
+ "support": "xsoar",
+ "currentVersion": "1.0.0",
+ "author": "Cortex XSOAR",
+ "url": "https://www.paloaltonetworks.com/cortex",
+ "email": "",
+ "categories": [
+ "Network Security"
+ ],
+ "tags": [],
+ "useCases": [],
+ "keywords": [],
+ "marketplaces": [
+ "marketplacev2"
+ ]
+}
\ No newline at end of file
diff --git a/Packs/Claroty/Integrations/Claroty/Claroty.yml b/Packs/Claroty/Integrations/Claroty/Claroty.yml
index 17b93ec90f03..face6f9ff594 100644
--- a/Packs/Claroty/Integrations/Claroty/Claroty.yml
+++ b/Packs/Claroty/Integrations/Claroty/Claroty.yml
@@ -493,7 +493,7 @@ script:
 - contextPath: Claroty.Alert.Severity
 description: The alert severity.
 type: String
- dockerimage: demisto/python3:3.10.8.39276
+ dockerimage: demisto/python3:3.10.9.40422
 feed: false
 isfetch: true
 longRunning: false
diff --git a/Packs/Claroty/ReleaseNotes/1_0_21.md b/Packs/Claroty/ReleaseNotes/1_0_21.md
new file mode 100644
index 000000000000..d67b2caaa742
--- /dev/null
+++ b/Packs/Claroty/ReleaseNotes/1_0_21.md
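Review bot: The new pack_metadata.json `description` reads "Citrix ADC is an application delivery controller (ADC) is a purpose-built networking appliance…", a doubled "is" that will be shown verbatim on the Marketplace tile. Suggested wording: `"description": "Citrix ADC is an application delivery controller (ADC), a purpose-built networking appliance used to improve the performance, security, and resiliency of applications delivered over the web.",`.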
@@ -0,0 +1,3 @@
+#### Integrations
+##### Claroty
+- Updated the Docker image to: *demisto/python3:3.10.9.40422*.
diff --git a/Packs/Claroty/pack_metadata.json b/Packs/Claroty/pack_metadata.json
index 3178ffe5a943..71bb907e73a8 100644
--- a/Packs/Claroty/pack_metadata.json
+++ b/Packs/Claroty/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Claroty",
 "description": "Use the Claroty CTD to manage assets and alerts.",
 "support": "partner",
- "currentVersion": "1.0.20",
+ "currentVersion": "1.0.21",
 "author": "Claroty",
 "url": "",
 "email": "support@claroty.com",
diff --git a/Packs/Cloaken/Integrations/Cloaken/Cloaken.yml b/Packs/Cloaken/Integrations/Cloaken/Cloaken.yml
index 9d284b0509f6..97e20356cbf0 100644
--- a/Packs/Cloaken/Integrations/Cloaken/Cloaken.yml
+++ b/Packs/Cloaken/Integrations/Cloaken/Cloaken.yml
@@ -61,6 +61,6 @@ script:
 description: Status of the screenshot.
 type: string
 description: Creates a screenshot of the specified URL.
- dockerimage: demisto/cloaken:1.0.0.38363
+ dockerimage: demisto/cloaken:1.0.0.41020
 runonce: false
 fromversion: 5.0.0
diff --git a/Packs/Cloaken/ReleaseNotes/1_0_6.md b/Packs/Cloaken/ReleaseNotes/1_0_6.md
new file mode 100644
index 000000000000..d78c847a7e4c
--- /dev/null
+++ b/Packs/Cloaken/ReleaseNotes/1_0_6.md
@@ -0,0 +1,3 @@
+#### Integrations
+##### Cloaken
+- Updated the Docker image to: *demisto/cloaken:1.0.0.41020*.
diff --git a/Packs/Cloaken/pack_metadata.json b/Packs/Cloaken/pack_metadata.json
index 5d14c68e7aed..39ff6d967b94 100644
--- a/Packs/Cloaken/pack_metadata.json
+++ b/Packs/Cloaken/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Cloaken",
 "description": "Unshorten URLs onsite using the power of a Tor proxy server to prevent leaking IP addresses to adversaries.",
 "support": "xsoar",
- "currentVersion": "1.0.5",
+ "currentVersion": "1.0.6",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
diff --git a/Packs/CloudflareWAF/Integrations/CloudflareWAF/CloudflareWAF.yml b/Packs/CloudflareWAF/Integrations/CloudflareWAF/CloudflareWAF.yml
index 07cdc833f9e1..7afca247ec17 100644
--- a/Packs/CloudflareWAF/Integrations/CloudflareWAF/CloudflareWAF.yml
+++ b/Packs/CloudflareWAF/Integrations/CloudflareWAF/CloudflareWAF.yml
@@ -842,7 +842,7 @@ script:
 - contextPath: CloudflareWAF.IpListItem.list_id
 description: The list ID.
 type: String
- dockerimage: demisto/python3:3.10.9.40422
+ dockerimage: demisto/python3:3.10.9.42008
 feed: false
 isfetch: false
 longRunning: false
diff --git a/Packs/CloudflareWAF/ReleaseNotes/1_0_6.md b/Packs/CloudflareWAF/ReleaseNotes/1_0_6.md
new file mode 100644
index 000000000000..500717dc081c
--- /dev/null
+++ b/Packs/CloudflareWAF/ReleaseNotes/1_0_6.md
@@ -0,0 +1,3 @@
+#### Integrations
+##### Cloudflare WAF
+- Updated the Docker image to: *demisto/python3:3.10.9.42008*.
diff --git a/Packs/CloudflareWAF/pack_metadata.json b/Packs/CloudflareWAF/pack_metadata.json
index 78b83a978ea9..24c04b676fa5 100644
--- a/Packs/CloudflareWAF/pack_metadata.json
+++ b/Packs/CloudflareWAF/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Cloudflare WAF",
 "description": "Use Cloudflare WAF to manage firewall rules, filters, and IP-lists.",
 "support": "xsoar",
- "currentVersion": "1.0.5",
+ "currentVersion": "1.0.6",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
diff --git a/Packs/Code42/Integrations/Code42/Code42.py b/Packs/Code42/Integrations/Code42/Code42.py
index 0fca839190f2..606484b17675 100644
--- a/Packs/Code42/Integrations/Code42/Code42.py
+++ b/Packs/Code42/Integrations/Code42/Code42.py
@@ -5,6 +5,7 @@
 import json
 import os
 import requests
+import urllib3
 import py42.sdk
 import py42.settings
 from datetime import datetime
@@ -31,7 +32,7 @@ class EventId(FileEventFilterStringField): # Disable insecure warnings -requests.packages.urllib3.disable_warnings() +urllib3.disable_warnings() """ CONSTANTS """ CODE42_EVENT_CONTEXT_FIELD_MAPPER = { diff --git a/Packs/Code42/Integrations/Code42/Code42.yml b/Packs/Code42/Integrations/Code42/Code42.yml index b801c37efadd..23cb8b543ef0 100644 --- a/Packs/Code42/Integrations/Code42/Code42.yml +++ b/Packs/Code42/Integrations/Code42/Code42.yml @@ -918,7 +918,7 @@ script: - contextPath: Code42.UpdatedUserRiskProfiles.Success description: If the risk profile update was successful. type: boolean - dockerimage: demisto/py42:1.0.0.33857 + dockerimage: demisto/py42:1.0.0.40798 feed: false isfetch: true longRunning: false diff --git a/Packs/Code42/ReleaseNotes/3_0_1.md b/Packs/Code42/ReleaseNotes/3_0_1.md new file mode 100644 index 000000000000..387e63f1dbaa --- /dev/null +++ b/Packs/Code42/ReleaseNotes/3_0_1.md @@ -0,0 +1,3 @@ +#### Integrations +##### Code42 +- Updated the Docker image to: *demisto/py42:1.0.0.40798*. diff --git a/Packs/Code42/pack_metadata.json b/Packs/Code42/pack_metadata.json index 3573470725d6..933ebf75f201 100644 --- a/Packs/Code42/pack_metadata.json +++ b/Packs/Code42/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Code42", "description": "The Code42 INCYDR integration accelerates insider threat incident response and remediation procedures for potential data exfiltration across computers, email, cloud and SaaS apps.", "support": "partner", - "currentVersion": "3.0.0", + "currentVersion": "3.0.1", "author": "Code42", "url": "https://support.code42.com/Administrator/Cloud/Monitoring_and_managing/Install_and_manage_the_Code42_app_for_Cortex_XSOAR", "email": "gethelp@code42.com", diff --git a/Packs/CommonPlaybooks/Playbooks/playbook-Calculate_Severity_-_Generic_v2_README.md b/Packs/CommonPlaybooks/Playbooks/playbook-Calculate_Severity_-_Generic_v2_README.md index ceb4ea259bd2..da6e4c6d8d53 100644 
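Review bot: `urllib3.disable_warnings()` with no argument silences every urllib3 warning category (DependencyWarning and the other `urllib3.exceptions` warnings), not only the insecure-TLS warning the preceding comment describes; the `requests.packages` form it replaces had the same breadth, but since the line is being rewritten it is the moment to narrow it to `urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)`. The call also runs unconditionally at import time; whether the integration exposes an "insecure" parameter that ought to gate it cannot be seen from this hunk, as the rest of the module lies outside it.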
--- a/Packs/CommonPlaybooks/Playbooks/playbook-Calculate_Severity_-_Generic_v2_README.md +++ b/Packs/CommonPlaybooks/Playbooks/playbook-Calculate_Severity_-_Generic_v2_README.md @@ -29,12 +29,12 @@ This playbook does not use any integrations. | **Name** | **Description** | **Default Value** | **Required** | | --- | --- | --- | --- | -| DBotScore | Array of all indicators associated with the incident. | DBotScore.None | Optional | +| DBotScore | Array of all indicators associated with the incident. | DBotScore | Optional | | CriticalUsers | CSV of usernames of critical users. | admin,administrator | Optional | | CriticalEndpoints | CSV of hostnames of critical endpoints. | admin | Optional | | CriticalGroups | CSV of DN names of critical AD groups. | admins,administrators | Optional | -| Account | User accounts to check against the critical lists. | Account.None | Optional | -| Endpoint | Endpoints to check against the CriticalEndpoints list. | Endpoint.None | Optional | +| Account | User accounts to check against the critical lists. | Account | Optional | +| Endpoint | Endpoints to check against the CriticalEndpoints list. | Endpoint | Optional | | EmailAuthenticityCheck | Indicates the email authenticity resulting from the EmailAuthenticityCheck script. Possible values are: Pass, Fail, Suspicious, and Undetermined. | Email.AuthenticityCheck | Optional | | MicrosoftHeadersSeverityCheck | The value is set by the "Process Microsoft's Anti-Spam Headers" Playbook, which calculates the severity after processing the PCL, BCL and PCL values inside Microsoft's headers. | ${MicrosoftHeadersSeverityCheck} | Optional | diff --git a/Packs/CommonPlaybooks/Playbooks/playbook-Calculate_Severity_By_Highest_DBotScore_README.md b/Packs/CommonPlaybooks/Playbooks/playbook-Calculate_Severity_By_Highest_DBotScore_README.md index b1c060e03cb5..6c978abf8a13 100644 --- a/Packs/CommonPlaybooks/Playbooks/playbook-Calculate_Severity_By_Highest_DBotScore_README.md 
+++ b/Packs/CommonPlaybooks/Playbooks/playbook-Calculate_Severity_By_Highest_DBotScore_README.md @@ -21,7 +21,7 @@ This playbook does not use any commands. | **Name** | **Description** | **Default Value** | **Required** | | --- | --- | --- | --- | -| DBotScore | Array of all indicators associated with the incident. | DBotScore.None | Optional | +| DBotScore | Array of all indicators associated with the incident. | DBotScore | Optional | ## Playbook Outputs --- diff --git a/Packs/CommonPlaybooks/Playbooks/playbook-Command-Line_Analysis.yml b/Packs/CommonPlaybooks/Playbooks/playbook-Command-Line_Analysis.yml index df3050217d28..bb20d34bf284 100644 --- a/Packs/CommonPlaybooks/Playbooks/playbook-Command-Line_Analysis.yml +++ b/Packs/CommonPlaybooks/Playbooks/playbook-Command-Line_Analysis.yml @@ -33,7 +33,6 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - continueonerrortype: "" "4": id: "4" taskid: d0ba6b98-7de7-4621-8d6b-85a067f4f314 @@ -64,7 +63,6 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - continueonerrortype: "" "7": id: "7" taskid: 95c7a960-8b66-48f0-8510-ed22481ae4f2 @@ -109,7 +107,6 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - continueonerrortype: "" "8": id: "8" taskid: 7c5def9c-5b0b-4c84-867e-43de7bfe984c @@ -148,7 +145,6 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - continueonerrortype: "" "9": id: "9" taskid: 81a7238c-3db0-43d4-89e3-5f4e7da0f2f7 @@ -181,7 +177,6 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - continueonerrortype: "" "11": id: "11" taskid: 8a4fdd44-5f23-4285-8e9f-3219392329a5 @@ -221,7 +216,6 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - continueonerrortype: "" "12": id: "12" taskid: 5610ad88-bc53-45a1-865c-6a6b607e1a98 
@@ -256,7 +250,6 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
- continueonerrortype: ""
 "13":
 id: "13"
 taskid: b027e4bc-d481-4f58-842d-395bd7ef348f
@@ -293,7 +286,6 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
- continueonerrortype: ""
 "15":
 id: "15"
 taskid: 961ec942-dacf-4f4a-8b34-7e2847919a5e
@@ -586,7 +578,6 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
- continueonerrortype: ""
 "17":
 id: "17"
 taskid: 4191d8a3-0ed7-4abd-8b4d-a2fe3af03fa4
@@ -663,7 +654,6 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
- continueonerrortype: ""
 "19":
 id: "19"
 taskid: 6f484473-7f55-4d72-8ce3-07361395169c
@@ -753,7 +743,6 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
- continueonerrortype: ""
 "21":
 id: "21"
 taskid: e3b1b82d-4b1c-4cd4-8273-f4b2b3f9477f
@@ -942,7 +931,6 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
- continueonerrortype: ""
 "22":
 id: "22"
 taskid: b355c8cd-9438-4d16-88cf-367aad8dc5a2
@@ -1082,7 +1070,6 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
- continueonerrortype: ""
 "23":
 id: "23"
 taskid: c56fef87-e77c-452f-850d-8a76d44d6e30
@@ -1126,7 +1113,6 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
- continueonerrortype: ""
 "24":
 id: "24"
 taskid: 4eb71ce1-0bd1-47e9-8679-293960d28e78
@@ -1188,7 +1174,6 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
- continueonerrortype: ""
 "26":
 id: "26"
 taskid: c89fbf52-da5f-4bab-836e-07a697e0fb71
@@ -1225,7 +1210,6 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
- continueonerrortype: ""
 "27":
 id: "27"
 taskid: b9b89f0b-8885-4908-8d0f-c785c90feddd
@@ -1262,7 +1246,6 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
- continueonerrortype: ""
 "28":
 id: "28"
 taskid: 0fbff6eb-dc6e-4a75-876a-7dcb37dffa6b
@@ -1299,7 +1282,6 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
- continueonerrortype: ""
 "30":
 id: "30"
 taskid: cb6662a9-4a56-48b9-8b2d-e375410b246d
@@ -1336,7 +1318,6 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
- continueonerrortype: ""
 "31":
 id: "31"
 taskid: 7d374634-8e9f-42f4-821e-aae890e35f05
@@ -1387,7 +1368,6 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
- continueonerrortype: ""
 "32":
 id: "32"
 taskid: 118d06f7-1309-4b4b-8b2d-6f56454411d9
@@ -1424,7 +1404,6 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
- continueonerrortype: ""
 "33":
 id: "33"
 taskid: 1bde910b-a975-4fc5-8a0d-e05230b3ecf6
@@ -1464,7 +1443,6 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
- continueonerrortype: ""
 "34":
 id: "34"
 taskid: d02185ac-3059-4ac1-84df-388155f7bfee
@@ -1480,6 +1458,7 @@ tasks:
 nexttasks:
 "yes":
 - "33"
+ '#default#':
 - "9"
 separatecontext: false
 conditions:
@@ -1490,7 +1469,6 @@ tasks:
 value:
 simple: inputs.Commandline
 iscontext: true
- continueonerrortype: ""
 view: |-
 {
 "position": {
@@ -1532,7 +1510,6 @@ tasks:
 subplaybook:
 simple: "yes"
 separatecontext: false
- continueonerrortype: ""
 view: |-
 {
 "position": {
diff --git a/Packs/CommonPlaybooks/Playbooks/playbook-Detonate_File_-_Generic_README.md b/Packs/CommonPlaybooks/Playbooks/playbook-Detonate_File_-_Generic_README.md
index 230bca39e593..36cc8b1d0073 100644
--- a/Packs/CommonPlaybooks/Playbooks/playbook-Detonate_File_-_Generic_README.md
+++ b/Packs/CommonPlaybooks/Playbooks/playbook-Detonate_File_-_Generic_README.md
@@ -34,7 +34,7 @@ This playbook does not use any commands. | **Name** | **Description** | **Default Value** | **Required** | | --- | --- | --- | --- | | EntryID | Entry ID of file to be detonated | File.EntryID | Optional | -| File | File object of file to be detonated | File.None | Optional | +| File | File object of file to be detonated | File | Optional | ## Playbook Outputs --- diff --git a/Packs/CommonPlaybooks/Playbooks/playbook-Detonate_URL_-_Generic_README.md b/Packs/CommonPlaybooks/Playbooks/playbook-Detonate_URL_-_Generic_README.md index b523f7ea5163..e1c8f2991779 100644 --- a/Packs/CommonPlaybooks/Playbooks/playbook-Detonate_URL_-_Generic_README.md +++ b/Packs/CommonPlaybooks/Playbooks/playbook-Detonate_URL_-_Generic_README.md @@ -42,7 +42,7 @@ This playbook does not use any commands. | **Name** | **Description** | **Default Value** | **Required** | | -------- | ------------------------------------------ | ----------------- | ------------ | -| URL | The URL object of the URL to be detonated. | URL.None | Optional | +| URL | The URL object of the URL to be detonated. | URL | Optional | ## Playbook Outputs diff --git a/Packs/CommonPlaybooks/Playbooks/playbook-Enrichment_for_Verdict.yml b/Packs/CommonPlaybooks/Playbooks/playbook-Enrichment_for_Verdict.yml index 4acfa38a063b..8d0dcdf15d18 100644 --- a/Packs/CommonPlaybooks/Playbooks/playbook-Enrichment_for_Verdict.yml +++ b/Packs/CommonPlaybooks/Playbooks/playbook-Enrichment_for_Verdict.yml @@ -1357,7 +1357,7 @@ inputs: playbookInputQuery: - key: query value: - simple: (initiatorsha256:${inputs.FileSHA256} or hostip:${inputs.IP}) and alertsource:${alert.sourceBrand} and alertname:${alert.name} + simple: (initiatorsha256:${inputs.FileSHA256} or hostip:${inputs.IP}) and sourceBrand:"${alert.sourceBrand}" and name:"${alert.name}" required: false description: |- A query for the previous alerts search. 
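Review bot: The new default `query` value for Enrichment for Verdict interpolates `${alert.sourceBrand}` and `${alert.name}` into quoted Lucene terms with no escaping, so an alert name containing a double quote or a Lucene reserved character would terminate the quoted term and change, or break, the search for previous alerts. Quoting is an improvement over the old unquoted `alertname:${alert.name}`, but both values originate from alert fields populated by the ingesting integration, not by the playbook author, so they should be treated as untrusted for query-building purposes. If the platform provides an escaping transformer for context values, applying it to these two inputs would make the search robust; otherwise a line in `description` such as `Alert names containing double quotes or Lucene reserved characters are not escaped and may break this query.` would at least document the limitation.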
diff --git a/Packs/CommonPlaybooks/Playbooks/playbook-Enrichment_for_Verdict_README.md b/Packs/CommonPlaybooks/Playbooks/playbook-Enrichment_for_Verdict_README.md index d7f05a48b5f0..eebbea0617af 100644 --- a/Packs/CommonPlaybooks/Playbooks/playbook-Enrichment_for_Verdict_README.md +++ b/Packs/CommonPlaybooks/Playbooks/playbook-Enrichment_for_Verdict_README.md @@ -29,7 +29,7 @@ This playbook does not use any integrations. | **Name** | **Description** | **Default Value** | **Required** | | --- | --- | --- | --- | | threshold | The number of previous alerts that were closed as false positive alerts. This threshold establishes whether the Previous Verdict key will be marked as false positive. | alert.hostip | Optional | -| query | A query for the previous alerts search.
Use free form query \(Lucene syntax\) as a filter. All other filters are ignored when this filter is used. | (initiatorsha256:${inputs.FileSHA256} or hostip:${inputs.IP}) and alertsource:${alert.sourceBrand} and alertname:${alert.name} | Optional | +| query | A query for the previous alerts search.
Use free form query \(Lucene syntax\) as a filter. All other filters are ignored when this filter is used. | (initiatorsha256:${inputs.FileSHA256} or hostip:${inputs.IP}) and sourceBrand:"${alert.sourceBrand}" and name:"${alert.name}" | Optional | | CloseReason | The closing reason of the previous alerts to search for.
Possible values are:
- Resolved - Threat Handled
- Resolved - True Positive
- Resolved - False Positive
- Resolved - Security Testing
- Resolved - Known Issue
- Resolved - Duplicate Incident
- Resolved - Other
- Resolved - Auto | Resolved - False Positive,Resolved - Duplicate Incident,Resolved - Known Issue | Optional | | FileMD5 | File MD5 to enrich and give verdict. | | Optional | | FileSHA256 | File SHA256 to enrich and give verdict. | alert.initiatorsha256 | Optional | diff --git a/Packs/CommonPlaybooks/Playbooks/playbook-Extract_Indicators_From_File_-_Generic_v2_4_5_README.md b/Packs/CommonPlaybooks/Playbooks/playbook-Extract_Indicators_From_File_-_Generic_v2_4_5_README.md index ed32d56366a4..f62feafc7e55 100644 --- a/Packs/CommonPlaybooks/Playbooks/playbook-Extract_Indicators_From_File_-_Generic_v2_4_5_README.md +++ b/Packs/CommonPlaybooks/Playbooks/playbook-Extract_Indicators_From_File_-_Generic_v2_4_5_README.md @@ -45,7 +45,7 @@ This playbook does not use any integrations. | **Name** | **Description** | **Default Value** | **Required** | | --- | --- | --- | --- | -| File | The file to extract indicators from. | File.None | Optional | +| File | The file to extract indicators from. | File | Optional | | Indicator Query | Indicators matching the indicator query will be used as playbook input. | | Optional | | Decode | Possible values: "True" or "False". Default is "False".
When this is set to "True", in case a macro was found within the file \(using oletools\), it will output all the obfuscated strings with their decoded content \(Hex, Base64, StrReverse, Dridex, VBA\). | False | Optional | diff --git a/Packs/CommonPlaybooks/Playbooks/playbook-IP_Enrichment_-_External_-_Generic_v2.yml b/Packs/CommonPlaybooks/Playbooks/playbook-IP_Enrichment_-_External_-_Generic_v2.yml index d71e0deb8e03..a5aa866fdba3 100644 --- a/Packs/CommonPlaybooks/Playbooks/playbook-IP_Enrichment_-_External_-_Generic_v2.yml +++ b/Packs/CommonPlaybooks/Playbooks/playbook-IP_Enrichment_-_External_-_Generic_v2.yml @@ -28,7 +28,7 @@ tasks: view: |- { "position": { - "x": 162.5, + "x": 102.5, "y": 49 } } @@ -96,7 +96,7 @@ tasks: view: |- { "position": { - "x": 162.5, + "x": 102.5, "y": 590 } } @@ -157,7 +157,7 @@ tasks: view: |- { "position": { - "x": 162.5, + "x": 102.5, "y": 1150 } } @@ -198,7 +198,7 @@ tasks: view: |- { "position": { - "x": 162.5, + "x": 102.5, "y": 195 } } @@ -240,7 +240,7 @@ tasks: view: |- { "position": { - "x": 162.5, + "x": 102.5, "y": 385 } } @@ -285,7 +285,7 @@ tasks: view: |- { "position": { - "x": 162.5, + "x": 102.5, "y": 800 } } @@ -344,7 +344,7 @@ tasks: view: |- { "position": { - "x": 520, + "x": 460, "y": 970 } } @@ -375,7 +375,7 @@ tasks: view: |- { "position": { - "x": 162.5, + "x": 102.5, "y": 1290 } } @@ -438,7 +438,7 @@ tasks: view: |- { "position": { - "x": 162.5, + "x": 102.5, "y": 1453 } } @@ -488,7 +488,7 @@ tasks: view: |- { "position": { - "x": 162.5, + "x": 102.5, "y": 1670 } } @@ -550,7 +550,7 @@ tasks: view: |- { "position": { - "x": 640, + "x": 500, "y": 1290 } } @@ -613,7 +613,7 @@ tasks: view: |- { "position": { - "x": 640, + "x": 500, "y": 1453 } } @@ -663,7 +663,7 @@ tasks: view: |- { "position": { - "x": 640, + "x": 500, "y": 1670 } } @@ -689,7 +689,7 @@ tasks: description: '' nexttasks: '#none#': - - "45" + - "46" separatecontext: false continueonerrortype: "" view: |- 
@@ -708,10 +708,10 @@ tasks: isautoswitchedtoquietmode: false "45": id: "45" - taskid: d2baa447-e80c-4ea5-8a36-33fa609633a2 + taskid: e47282e7-f860-4707-883f-623837a431b9 type: regular task: - id: d2baa447-e80c-4ea5-8a36-33fa609633a2 + id: e47282e7-f860-4707-883f-623837a431b9 version: -1 name: Check Reputation description: Checks the reputation of an IP address using all available integrations. @@ -725,15 +725,25 @@ tasks: scriptarguments: ip: complex: - root: IP - accessor: Address + root: IP.Address + filters: + - - operator: IsNotInCidrRanges + left: + value: + simple: IP.Address + iscontext: true + right: + value: + simple: 192.168.0.0/16,172.16.0.0/12,10.0.0.0/8 + transformers: + - operator: uniq separatecontext: false continueonerrortype: "" view: |- { "position": { "x": -300, - "y": 1453 + "y": 1670 } } note: false @@ -743,6 +753,51 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + "46": + id: "46" + taskid: c55e9651-e6f5-48ec-8bbc-995c4e87808b + type: condition + task: + id: c55e9651-e6f5-48ec-8bbc-995c4e87808b + version: -1 + name: Should use !IP command? + description: Should use !IP command? + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "24" + "yes": + - "45" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isEqualString + left: + value: + simple: inputs.UseReputationCommand + iscontext: true + right: + value: + simple: "True" + ignorecase: true + continueonerrortype: "" + view: |- + { + "position": { + "x": -300, + "y": 1453 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false view: |- { "linkLabelsPosition": { 
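Review bot: The `IsNotInCidrRanges` filter added to task 45 hard-codes `192.168.0.0/16,172.16.0.0/12,10.0.0.0/8` instead of reading the playbook's `InternalRange` input, so an organisation that configures additional internal ranges (or uses non-RFC 1918 space internally) will still have those addresses sent to external reputation integrations by `!ip`, and the classification done elsewhere in the playbook via `InternalRange` will disagree with this filter. Replacing the literal with the input keeps the two in sync: under `right.value` use `simple: inputs.InternalRange` with `iscontext: true`. The `InternalRange` default set in the inputs hunk of this file already holds the same three ranges, so behaviour is unchanged for users who keep the default.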
@@ -752,15 +807,16 @@ view: |- "28_39_#default#": 0.35, "34_27_#default#": 0.49, "34_35_yes": 0.53, - "37_24_#default#": 0.2, + "37_24_#default#": 0.28, "37_38_yes": 0.52, - "42_24_#default#": 0.1, - "42_43_yes": 0.51 + "42_24_#default#": 0.2, + "42_43_yes": 0.51, + "46_24_#default#": 0.53 }, "paper": { "dimensions": { "height": 1876, - "width": 1620, + "width": 1480, "x": -600, "y": 49 } @@ -779,17 +835,25 @@ inputs: playbookInputQuery: - key: InternalRange value: - simple: inputs.InternalRange + simple: "172.16.0.0/12,10.0.0.0/8,192.168.0.0/16" required: false description: 'A CSV list of IP address ranges (in CIDR notation). Use this list to check if an IP address is found within a set of IP address ranges. For example: "172.16.0.0/12,10.0.0.0/8,192.168.0.0/16" (without quotes). If a list is not provided, will use default list provided in the IsIPInRanges script (the known IPv4 private address ranges).' playbookInputQuery: - key: ResolveIP value: - complex: - root: inputs.ResolveIP + simple: "True" required: true description: Whether to convert the IP address to a hostname using a DNS query (True/False). playbookInputQuery: +- key: UseReputationCommand + value: + simple: "False" + required: true + description: |- + Define if you would like to use the !IP command. + Note: This input should be used whenever there is no auto-extract enabled in the investigation flow. + Possible values: True / False. + playbookInputQuery: outputs: - contextPath: IP description: The IP address objects. @@ -814,4 +878,6 @@ outputs: description: Endpoint domain name. type: string tests: -- IP Enrichment - Generic v2 - Test +- No tests (auto formatted) +contentitemexportablefields: + contentitemfields: {} diff --git a/Packs/CommonPlaybooks/Playbooks/playbook-IP_Enrichment_-_External_-_Generic_v2_README.md b/Packs/CommonPlaybooks/Playbooks/playbook-IP_Enrichment_-_External_-_Generic_v2_README.md index ac0fa0375a6f..d0c269c539a8 100644 
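Review bot: The `tests:` entry changes from `- IP Enrichment - Generic v2 - Test` to `- No tests (auto formatted)` in the same commit that adds a new conditional branch (task 46) and a CIDR filter on the `!ip` call, so the new `UseReputationCommand` path is left without any test-playbook coverage. If the referenced test playbook still exists, restoring `- IP Enrichment - Generic v2 - Test` and extending it with a run where `UseReputationCommand` is `True` would exercise both branches of task 46.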
--- a/Packs/CommonPlaybooks/Playbooks/playbook-IP_Enrichment_-_External_-_Generic_v2_README.md +++ b/Packs/CommonPlaybooks/Playbooks/playbook-IP_Enrichment_-_External_-_Generic_v2_README.md @@ -14,13 +14,13 @@ This playbook does not use any sub-playbooks. * VirusTotal - Private API ### Scripts -* IPToHost * IsIPInRanges +* IPToHost ### Commands -* vt-private-get-ip-report -* threat-crowd-ip * ip +* threat-crowd-ip +* vt-private-get-ip-report ## Playbook Inputs --- @@ -28,8 +28,9 @@ This playbook does not use any sub-playbooks. | **Name** | **Description** | **Default Value** | **Required** | | --- | --- | --- | --- | | IP | The IP address to enrich. | IP.Address | Optional | -| InternalRange | A CSV list of IP address ranges \(in CIDR notation\). Use this list to check if an IP address is found within a set of IP address ranges. For example: "172.16.0.0/12,10.0.0.0/8,192.168.0.0/16" \(without quotes\). If a list is not provided, will use default list provided in the IsIPInRanges script \(the known IPv4 private address ranges\). | inputs.InternalRange | Optional | -| ResolveIP | Whether to convert the IP address to a hostname using a DNS query \(True/False\). | inputs.ResolveIP.None | Required | +| InternalRange | A CSV list of IP address ranges \(in CIDR notation\). Use this list to check if an IP address is found within a set of IP address ranges. For example: "172.16.0.0/12,10.0.0.0/8,192.168.0.0/16" \(without quotes\). If a list is not provided, will use default list provided in the IsIPInRanges script \(the known IPv4 private address ranges\). | 172.16.0.0/12,10.0.0.0/8,192.168.0.0/16 | Optional | +| ResolveIP | Whether to convert the IP address to a hostname using a DNS query \(True/False\). | True | Required | +| UseReputationCommand | Define if you would like to use the \!IP command.
Note: This input should be used whenever there is no auto-extract enabled in the investigation flow.
Possible values: True / False. | False | Required | ## Playbook Outputs --- diff --git a/Packs/CommonPlaybooks/Playbooks/playbook-IP_Enrichment_-_Generic_v2.yml b/Packs/CommonPlaybooks/Playbooks/playbook-IP_Enrichment_-_Generic_v2.yml index c5117fa3b352..235e795cd594 100644 --- a/Packs/CommonPlaybooks/Playbooks/playbook-IP_Enrichment_-_Generic_v2.yml +++ b/Packs/CommonPlaybooks/Playbooks/playbook-IP_Enrichment_-_Generic_v2.yml @@ -98,6 +98,9 @@ tasks: ResolveIP: complex: root: inputs.ResolveIP + UseReputationCommand: + complex: + root: inputs.UseReputationCommand separatecontext: true loop: iscommand: false @@ -200,8 +203,23 @@ inputs: value: complex: root: inputs.ResolveIP + transformers: + - operator: SetIfEmpty + args: + applyIfEmpty: { } + defaultValue: + value: + simple: "False" required: true description: Determines whether to convert the IP address to a hostname using a DNS query (True/ False). +- key: UseReputationCommand + value: + simple: "False" + required: true + description: |- + Define if you would like to use the !IP command. + Note: This input should be used whenever there is no auto-extract enabled in the investigation flow. + Possible values: True / False. outputs: - contextPath: IP description: The IP objects diff --git a/Packs/CommonPlaybooks/Playbooks/playbook-IP_Enrichment_-_Generic_v2_README.md b/Packs/CommonPlaybooks/Playbooks/playbook-IP_Enrichment_-_Generic_v2_README.md index cc4ffb6d93e1..312383064d7e 100644 --- a/Packs/CommonPlaybooks/Playbooks/playbook-IP_Enrichment_-_Generic_v2_README.md +++ b/Packs/CommonPlaybooks/Playbooks/playbook-IP_Enrichment_-_Generic_v2_README.md @@ -1,4 +1,4 @@ -Enriches IP addresses using one or more integrations. +Enrich IP addresses using one or more integrations. - Resolve IP addresses to hostnames (DNS) - Provide threat information 
@@ -24,26 +24,27 @@ This playbook does not use any commands. ## Playbook Inputs --- -| **Name** | **Description** | **Default Value** | **Source** | **Required** | -| --- | --- | --- | --- | --- | -| IP | The IP address to enrich. | Address | IP | Optional | -| InternalRange | A list of internal IP address ranges to check IP addresses against. The list should be provided in CIDR notation, separated by commas. An example of a list of ranges would be: "172.16.0.0/12,10.0.0.0/8,192.168.0.0/16" (without quotation marks). If a list is not provided, the default list provided in the `IsIPInRanges` script (the known IPv4 private address ranges). | None | inputs.InternalRange | Optional | -| ResolveIP | Determines whether to convert the IP address to a hostname using a DNS query (True/False). | None | inputs.ResolveIP | Required | +| **Name** | **Description** | **Default Value** | **Required** | +| --- | --- | --- | --- | +| IP | The IP address to enrich. | IP.Address | Optional | +| InternalRange | A list of internal IP ranges to check IP addresses against. The list should be provided in CIDR notation, separated by commas. An example of a list of ranges would be: "172.16.0.0/12,10.0.0.0/8,192.168.0.0/16" \(without quotes\). If a list is not provided, will use default list provided in the IsIPInRanges script \(the known IPv4 private address ranges\). | inputs.InternalRange | Optional | +| ResolveIP | Determines whether to convert the IP address to a hostname using a DNS query \(True/ False\). | inputs.ResolveIP | Required | +| UseReputationCommand | Define if you would like to use the \!IP command.
Note: This input should be used whenever there is no auto-extract enabled in the investigation flow.
Possible values: True / False. | False | Required | ## Playbook Outputs --- | **Path** | **Description** | **Type** | | --- | --- | --- | -| IP | The IP objects. | unknown | -| DBotScore | The Indicator, Score, Type, and Vendor. | unknown | -| Endpoint | The Endpoint's object. | unknown | -| Endpoint.Hostname | The hostname to enrich. | string | -| Endpoint.OS | The Endpoint OS. | string | -| Endpoint.IP | The list of Endpoint IP addresses. | unknown | -| Endpoint.MAC | The list of Endpoint MAC addresses. | unknown | -| Endpoint.Domain | The Endpoint domain name. | string | +| IP | The IP objects | unknown | +| DBotScore | Indicator, Score, Type, Vendor | unknown | +| Endpoint | The Endpoint's object | unknown | +| Endpoint.Hostname | The hostname to enrich | string | +| Endpoint.OS | Endpoint OS | string | +| Endpoint.IP | List of endpoint IP addresses | unknown | +| Endpoint.MAC | List of endpoint MAC addresses | unknown | +| Endpoint.Domain | Endpoint domain name | string | ## Playbook Image --- -![IP_Enrichment_Generic_v2](https://raw.githubusercontent.com/demisto/content/1bdd5229392bd86f0cc58265a24df23ee3f7e662/docs/images/playbooks/IP_Enrichment_Generic_v2.png) +![IP Enrichment - Generic v2](../doc_files/IP_Enrichment_-_Generic_v2.png) \ No newline at end of file diff --git a/Packs/CommonPlaybooks/Playbooks/playbook-Search_And_Delete_Emails_-_Generic_-_v2_README.md b/Packs/CommonPlaybooks/Playbooks/playbook-Search_And_Delete_Emails_-_Generic_-_v2_README.md index 9779dc364bc9..9e346bf87832 100644 --- a/Packs/CommonPlaybooks/Playbooks/playbook-Search_And_Delete_Emails_-_Generic_-_v2_README.md +++ b/Packs/CommonPlaybooks/Playbooks/playbook-Search_And_Delete_Emails_-_Generic_-_v2_README.md @@ -30,7 +30,7 @@ This playbook does not use any commands. | O365Description | Used only in O365. Description of the compliance search. | | Optional | | O365AllowNotFoundExchangeLocations
| Used only in O365. Whether to include mailboxes other than regular user mailboxes in the compliance search. | false | Optional | | O365DeleteType | Used only in O365. The delete type to perform on the search results. Possible values are Hard and Soft or leave empty to select manually. \(Hard = Unrecoverable, Soft=Recoverable\) | inputs.O365DeleteType | Optional | -| O365ExchangeLocationExclusion | Used only when searching and deleting emails in O365. The exchange location. Determines from where to search and delete emails searched using O365 playbooks. Use the value "All" to search all mailboxes, use "SingleMailbox" to search and delete the email only from the recipient's inbox, or specify "Manual" to decide manually for every incident. Note: Searching all mailboxes may take a significant amount of time. | inputs.O365ExchangeLocationExclusion.None | Optional | +| O365ExchangeLocationExclusion | Used only when searching and deleting emails in O365. The exchange location. Determines from where to search and delete emails searched using O365 playbooks. Use the value "All" to search all mailboxes, use "SingleMailbox" to search and delete the email only from the recipient's inbox, or specify "Manual" to decide manually for every incident. Note: Searching all mailboxes may take a significant amount of time. | inputs.O365ExchangeLocationExclusion | Optional | | To | The email address to which the email was sent. This is used if the user decides to search for and delete emails only from the inbox of the recipient using O365. | incident.emailto | Optional | ## Playbook Outputs diff --git a/Packs/CommonPlaybooks/ReleaseNotes/2_3_21.md b/Packs/CommonPlaybooks/ReleaseNotes/2_3_21.md new file mode 100644 index 000000000000..58baf8cbc402 --- /dev/null +++ b/Packs/CommonPlaybooks/ReleaseNotes/2_3_21.md @@ -0,0 +1,4 @@ + +#### Playbooks +##### Command-Line Analysis +- Fixed a bug where the playbook would fail if the **Commandline** input was empty. 
diff --git a/Packs/CommonPlaybooks/ReleaseNotes/2_3_22.md b/Packs/CommonPlaybooks/ReleaseNotes/2_3_22.md new file mode 100644 index 000000000000..c02ba507e330 --- /dev/null +++ b/Packs/CommonPlaybooks/ReleaseNotes/2_3_22.md @@ -0,0 +1,9 @@ + +#### Playbooks +##### IP Enrichment - Generic v2 +Added new playbook input - UseReputationCommand. + +##### IP Enrichment - External - Generic v2 + - Added a conditional task for !ip command. + - Added filtering for not running !ip on RFC 1918. + - Fixed issues with the playbook inputs' default values. \ No newline at end of file diff --git a/Packs/CommonPlaybooks/ReleaseNotes/2_3_23.md b/Packs/CommonPlaybooks/ReleaseNotes/2_3_23.md new file mode 100644 index 000000000000..44fbfeaf13f5 --- /dev/null +++ b/Packs/CommonPlaybooks/ReleaseNotes/2_3_23.md @@ -0,0 +1,4 @@ + +#### Playbooks +##### Enrichment for Verdict +- Fixes the syntax of the Lucene query under the 'query' playbook input. diff --git a/Packs/CommonPlaybooks/doc_files/Command-Line_Analysis.png b/Packs/CommonPlaybooks/doc_files/Command-Line_Analysis.png index 1af1bd6cf571..497ebcaeb92b 100644 Binary files a/Packs/CommonPlaybooks/doc_files/Command-Line_Analysis.png and b/Packs/CommonPlaybooks/doc_files/Command-Line_Analysis.png differ diff --git a/Packs/CommonPlaybooks/doc_files/IP_Enrichment_-_External_-_Generic_v2.png b/Packs/CommonPlaybooks/doc_files/IP_Enrichment_-_External_-_Generic_v2.png index cb0e033b3cdc..05f3c85836da 100644 Binary files a/Packs/CommonPlaybooks/doc_files/IP_Enrichment_-_External_-_Generic_v2.png and b/Packs/CommonPlaybooks/doc_files/IP_Enrichment_-_External_-_Generic_v2.png differ diff --git a/Packs/CommonPlaybooks/doc_files/IP_Enrichment_-_Generic_v2.png b/Packs/CommonPlaybooks/doc_files/IP_Enrichment_-_Generic_v2.png new file mode 100644 index 000000000000..3ec7adf844a2 Binary files /dev/null and b/Packs/CommonPlaybooks/doc_files/IP_Enrichment_-_Generic_v2.png differ 
diff --git a/Packs/CommonPlaybooks/pack_metadata.json b/Packs/CommonPlaybooks/pack_metadata.json index 2e71428513bf..b358efdf5b3e 100644 --- a/Packs/CommonPlaybooks/pack_metadata.json +++ b/Packs/CommonPlaybooks/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Common Playbooks", "description": "Frequently used playbooks pack.", "support": "xsoar", - "currentVersion": "2.3.20", + "currentVersion": "2.3.23", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/CommonScripts/ReleaseNotes/1_10_26.md b/Packs/CommonScripts/ReleaseNotes/1_10_26.md new file mode 100644 index 000000000000..c771b7d3b4a3 --- /dev/null +++ b/Packs/CommonScripts/ReleaseNotes/1_10_26.md @@ -0,0 +1,5 @@ + +#### Scripts +##### ExtractDomainAndFQDNFromUrlAndEmail +- Updated the Docker image to: *demisto/py3-tools:1.0.0.41100*. +- Updated the indicator domain type regex to avoid catching HTML tags in extracted domains. diff --git a/Packs/CommonScripts/ReleaseNotes/1_10_27.md b/Packs/CommonScripts/ReleaseNotes/1_10_27.md new file mode 100644 index 000000000000..4e4fcc0a03d4 --- /dev/null +++ b/Packs/CommonScripts/ReleaseNotes/1_10_27.md @@ -0,0 +1,5 @@ + +#### Scripts +##### ExtractEmailV2 +- Updated the Docker image to: *demisto/python3:3.10.9.40422*. +- Fixed an issue where the JSON returned to XSOAR was invalid. diff --git a/Packs/CommonScripts/ReleaseNotes/1_10_28.md b/Packs/CommonScripts/ReleaseNotes/1_10_28.md new file mode 100644 index 000000000000..e66d8841f703 --- /dev/null +++ b/Packs/CommonScripts/ReleaseNotes/1_10_28.md @@ -0,0 +1,5 @@ + +#### Scripts +##### FormatURL +- Updated the Docker image to: *demisto/python3:3.10.9.40422*. +- Updated the URL Formatter to ignore valid CIDRs. diff --git a/Packs/CommonScripts/ReleaseNotes/1_10_29.md b/Packs/CommonScripts/ReleaseNotes/1_10_29.md new file mode 100644 index 000000000000..7c7ea6eb72af --- /dev/null +++ b/Packs/CommonScripts/ReleaseNotes/1_10_29.md 
@@ -0,0 +1,4 @@ + +#### Scripts +##### SetWithTemplate +- Added the template_type parameter to build data from a JSON text. \ No newline at end of file diff --git a/Packs/CommonScripts/ReleaseNotes/1_10_30.md b/Packs/CommonScripts/ReleaseNotes/1_10_30.md new file mode 100644 index 000000000000..004f1f1b7f27 --- /dev/null +++ b/Packs/CommonScripts/ReleaseNotes/1_10_30.md @@ -0,0 +1,5 @@ + +#### Scripts +##### BetweenHours +- Updated the Docker image to: *demisto/python3:3.10.9.40422*. +- Fixed an issue in which the **BetweenHours** script was printing deprecated logs. diff --git a/Packs/CommonScripts/ReleaseNotes/1_10_31.md b/Packs/CommonScripts/ReleaseNotes/1_10_31.md new file mode 100644 index 000000000000..894598426fb2 --- /dev/null +++ b/Packs/CommonScripts/ReleaseNotes/1_10_31.md @@ -0,0 +1,5 @@ + +#### Scripts +##### ParseEmailFilesV2 +- Fixed an issue where parsing numbers failed. +- Updated the Docker image to: *demisto/parse-emails:1.0.0.41885*. diff --git a/Packs/CommonScripts/ReleaseNotes/1_10_32.md b/Packs/CommonScripts/ReleaseNotes/1_10_32.md new file mode 100644 index 000000000000..b8d83fde3f17 --- /dev/null +++ b/Packs/CommonScripts/ReleaseNotes/1_10_32.md @@ -0,0 +1,4 @@ + +#### Scripts +##### New: CreateNewIndicatorsOnly +- Added this script to allow users to only create indicators that are not already present in the database. (Available from Cortex XSOAR 6.5.0). \ No newline at end of file diff --git a/Packs/CommonScripts/ReleaseNotes/1_10_33.md b/Packs/CommonScripts/ReleaseNotes/1_10_33.md new file mode 100644 index 000000000000..904ec12e102e --- /dev/null +++ b/Packs/CommonScripts/ReleaseNotes/1_10_33.md @@ -0,0 +1,6 @@ + +#### Scripts +##### DemistoVersion +- Updated the Docker image to: *demisto/python3:3.10.9.40422*. +- Updated the script to support XSOAR only. + diff --git a/Packs/CommonScripts/ReleaseNotes/1_10_34.md b/Packs/CommonScripts/ReleaseNotes/1_10_34.md new file mode 100644 index 000000000000..53f2e1a7f2ea --- /dev/null 
+++ b/Packs/CommonScripts/ReleaseNotes/1_10_34.md @@ -0,0 +1,4 @@ + +#### Scripts +##### ParseEmailFilesV2 +- Fixed an issue where parsing files that uploaded from the DataCollection task, failed. diff --git a/Packs/CommonScripts/Scripts/BetweenHours/BetweenHours.py b/Packs/CommonScripts/Scripts/BetweenHours/BetweenHours.py index a4953b4cb837..12a43c7497d4 100644 --- a/Packs/CommonScripts/Scripts/BetweenHours/BetweenHours.py +++ b/Packs/CommonScripts/Scripts/BetweenHours/BetweenHours.py @@ -4,9 +4,10 @@ def is_between_hours(value, begin_time, end_time): - input_time = dateparser.parse(value).time() # type: ignore - start_time = dateparser.parse(begin_time).time() # type: ignore - end_time = dateparser.parse(end_time).time() # type: ignore + # https://stackoverflow.com/questions/71256416/pytzusagewarning-doesnt-seem-to-go-away + input_time = dateparser.parse(value, settings={'TIMEZONE': 'UTC'}).time() # type: ignore + start_time = dateparser.parse(begin_time, settings={'TIMEZONE': 'UTC'}).time() # type: ignore + end_time = dateparser.parse(end_time, settings={'TIMEZONE': 'UTC'}).time() # type: ignore return start_time <= input_time <= end_time diff --git a/Packs/CommonScripts/Scripts/BetweenHours/BetweenHours.yml b/Packs/CommonScripts/Scripts/BetweenHours/BetweenHours.yml index 4d39d2fe137d..39c7b59a7b5b 100644 --- a/Packs/CommonScripts/Scripts/BetweenHours/BetweenHours.yml +++ b/Packs/CommonScripts/Scripts/BetweenHours/BetweenHours.yml @@ -36,7 +36,7 @@ outputs: scripttarget: 0 subtype: python3 runonce: false -dockerimage: demisto/python3:3.10.5.31928 +dockerimage: demisto/python3:3.10.9.40422 runas: DBotWeakRole tests: - No test \ No newline at end of file diff --git a/Packs/CommonScripts/Scripts/CreateNewIndicatorsOnly/CreateNewIndicatorsOnly.py b/Packs/CommonScripts/Scripts/CreateNewIndicatorsOnly/CreateNewIndicatorsOnly.py new file mode 100644 index 000000000000..e80c9f9cac26 --- /dev/null 
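Review bot: The three `dateparser.parse(...)` calls in `is_between_hours` still chain `.time()` directly on the result, and `dateparser.parse` returns `None` for input it cannot parse, so an unparseable `value`, `begin_time` or `end_time` surfaces as an `AttributeError` on `None` that the `# type: ignore` markers only hide from the type checker. The added comment is just a Stack Overflow URL; a one-line statement of intent such as `# Pin the parser to UTC so naive time strings are not read in the local timezone (also silences the pytz warning).` reads better than a link. Factoring the parse into a helper that fails with a clear `ValueError` removes the three ignores and the silent `None`.
```python
def _parse_time_utc(text):
    # Pin the parser to UTC so naive time strings are not read in the local
    # timezone (also silences the pytz warning). dateparser.parse returns None
    # on unparseable input, so fail loudly instead of raising AttributeError below.
    parsed = dateparser.parse(text, settings={'TIMEZONE': 'UTC'})
    if parsed is None:
        raise ValueError(f'Could not parse time value: {text!r}')
    return parsed.time()


def is_between_hours(value, begin_time, end_time):
    input_time = _parse_time_utc(value)
    start_time = _parse_time_utc(begin_time)
    end_time = _parse_time_utc(end_time)
    return start_time <= input_time <= end_time
```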
+++ b/Packs/CommonScripts/Scripts/CreateNewIndicatorsOnly/CreateNewIndicatorsOnly.py 
@@ -0,0 +1,101 @@ +from typing import Any, Dict, List, Optional + +import demistomock as demisto # noqa: F401 +from CommonServerPython import * # noqa: F401 + +STATUS_NEW = 'new' +STATUS_EXISTING = 'existing' +STATUS_UNAVAILABLE = 'unavailable' + +KEY_CREATION_STATUS = 'CreationStatus' + + +def normalize_indicator_value(indicator_value: Any) -> str: + if isinstance(indicator_value, int): + return str(indicator_value) + elif isinstance(indicator_value, str) and indicator_value: + return indicator_value + else: + raise DemistoException(f'Invalid indicator value: {str(indicator_value)}') + + +def add_new_indicator(indicator_value: Any, + create_new_indicator_args: Dict[str, Any]) -> Dict[str, Any]: + indicator_value = normalize_indicator_value(indicator_value) + + if indicators := execute_command('findIndicators', {'value': indicator_value}): + indicator = indicators[0] + indicator[KEY_CREATION_STATUS] = STATUS_EXISTING + else: + args = dict(create_new_indicator_args, value=indicator_value) + indicator = execute_command('createNewIndicator', args) + if isinstance(indicator, dict): + indicator[KEY_CREATION_STATUS] = STATUS_NEW + elif isinstance(indicator, str): + # createNewIndicator has been successfully done, but the indicator + # wasn't created for some reasons. + if 'done - Indicator was not created' in indicator: + demisto.debug(f'Indicator was not created. 
Make sure "{indicator_value}" is not excluded.') + else: + demisto.debug(indicator) + + indicator = { + 'value': indicator_value, + 'indicator_type': args.get('type', 'Unknown'), + KEY_CREATION_STATUS: STATUS_UNAVAILABLE, + } + else: + raise DemistoException(f'Unknown response from createNewIndicator: str{indicator_value}') + + return indicator + + +def add_new_indicators(indicator_values: Optional[List[Any]], + create_new_indicator_args: Dict[str, Any]) -> List[Dict[str, Any]]: + return [add_new_indicator(indicator_value, create_new_indicator_args) + for indicator_value in indicator_values or []] + + +def main(): + try: + args = assign_params(**demisto.args()) + + # Don't use argToList to make a list in order to accept an indicator including commas. + # The `indicator_values` parameter doesn't support a comma separated list. + if indicator_values := args.get('indicator_values', []): + if not isinstance(indicator_values, list): + indicator_values = [indicator_values] + + create_new_indicator_args = dict(args) + create_new_indicator_args.pop('indicator_values', None) + create_new_indicator_args.pop('verbose', None) + ents = add_new_indicators(indicator_values, create_new_indicator_args) + + outputs = [assign_params( + ID=ent.get('id'), + Score=ent.get('score'), + CreationStatus=ent.get(KEY_CREATION_STATUS), + Type=ent.get('indicator_type'), + Value=ent.get('value'), + ) for ent in ents] + + count_new = sum(1 for ent in ents if ent.get(KEY_CREATION_STATUS) == STATUS_NEW) + readable_output = f'{count_new} new indicators have been added.' 
+ if argToBoolean(args.get('verbose', 'false')): + readable_output += '\n' + tblToMd('New Indicator Created', outputs, + ['ID', 'Score', 'CreationStatus', 'Type', 'Value']) + + return_results(CommandResults( + outputs_prefix='CreateNewIndicatorsOnly', + outputs_key_field=['Value', 'Type'], + outputs=outputs, + raw_response=ents, + readable_output=readable_output + )) + except Exception as e: + return_error( + f'Failed to execute CreateNewIndicatorsOnly.\nError:\n{str(e)}') + + +if __name__ in ('__main__', '__builtin__', 'builtins'): + main() diff --git a/Packs/CommonScripts/Scripts/CreateNewIndicatorsOnly/CreateNewIndicatorsOnly.yml b/Packs/CommonScripts/Scripts/CreateNewIndicatorsOnly/CreateNewIndicatorsOnly.yml new file mode 100644 index 000000000000..08023b165fa1 --- /dev/null +++ b/Packs/CommonScripts/Scripts/CreateNewIndicatorsOnly/CreateNewIndicatorsOnly.yml 
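Review bot: The fallback `raise DemistoException(f'Unknown response from createNewIndicator: str{indicator_value}')` in `add_new_indicator` has a typo (`str{...}` is emitted literally) and reports the input value rather than the unexpected response, which is what a maintainer would need to diagnose; `raise DemistoException(f'Unknown response from createNewIndicator for {indicator_value}: {indicator!r}')` fixes both. The existence check `execute_command('findIndicators', {'value': indicator_value})` passes no `type`, so, assuming that lookup is type-agnostic, a value already present as a different indicator type is reported as `existing` and nothing is created — if per-type creation is intended the `type` argument should be part of the lookup, and the module docstring should state which behaviour is meant. Because find-then-create is two separate calls, two concurrent runs can both observe "not found" and both create; a short comment above the `findIndicators` call noting that duplicates are possible under concurrency would set expectations for callers. `normalize_indicator_value` also accepts `bool` through the `int` check, turning `True` into the indicator value `'True'`; rejecting `isinstance(indicator_value, bool)` first would avoid that if it is not intended.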
@@ -0,0 +1,77 @@ +commonfields: + id: CreateNewIndicatorsOnly + version: -1 +name: CreateNewIndicatorsOnly +script: '' +type: python +tags: +- Utility +comment: Create indicators to the Threat Intel database only if they are not registered. When using the script with many indicators, or when the Threat Intel Management database is highly populated, this script may have low performance issue. +enabled: true +args: +- name: indicator_values + description: The indicator values + isArray: true +- name: type + auto: PREDEFINED + predefined: + - IP + - CIDR + - IPv6 + - IPv6CIDR + - Domain + - Email + - URL + - File + - File MD5 + - File SHA256 + - File SHA1 + - Account + - CVE + - Host + - ssdeep + - Registry Key + description: The indicator type of the indicators. +- name: source + description: The indicator source. +- name: verdict + auto: PREDEFINED + predefined: + - Unknown + - Benign + - Suspicious + - Malicious + description: The indicator reputation. +- name: tags + description: The tags to add to the new indicators. + isArray: true +- name: verbose + auto: PREDEFINED + predefined: + - "true" + - "false" + description: Whether to output additional messages as readable output. +outputs: +- contextPath: CreateNewIndicatorsOnly.ID + description: The indicator ID. + type: string +- contextPath: CreateNewIndicatorsOnly.Value + description: The indicator value. + type: string +- contextPath: CreateNewIndicatorsOnly.Type + description: The indicator type. + type: string +- contextPath: CreateNewIndicatorsOnly.Score + description: The indicator score. + type: number +- contextPath: CreateNewIndicatorsOnly.CreationStatus + description: The status of the indicator requested to add. Value is either new, existing, or unavailable. + type: string +scripttarget: 0 +subtype: python3 +runonce: false +dockerimage: demisto/python3:3.10.9.40422 +runas: DBotWeakRole +fromversion: 6.5.0 +tests: +- No tests (auto formatted) 
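Review bot: The `indicator_values` argument is declared `isArray: true` with only `The indicator values` as its description, while the script side deliberately does not split on commas (its comment says the parameter does not support a comma-separated list, and a test passes a URL containing `,`), so a user reading just this YAML will expect `a,b,c` to create three indicators. Spell the contract out: `description: The indicator values. Pass a list (or a single value); a comma inside a value is part of the value, not a separator.` The `verbose` argument could likewise declare `defaultValue: "false"`, which is what the code falls back to, so the UI shows the effective default.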
diff --git a/Packs/CommonScripts/Scripts/CreateNewIndicatorsOnly/CreateNewIndicatorsOnly_test.py b/Packs/CommonScripts/Scripts/CreateNewIndicatorsOnly/CreateNewIndicatorsOnly_test.py
new file mode 100644
index 000000000000..4e9b572703b4
--- /dev/null
+++ b/Packs/CommonScripts/Scripts/CreateNewIndicatorsOnly/CreateNewIndicatorsOnly_test.py
@@ -0,0 +1,377 @@ +import demistomock as demisto +from CommonServerPython import * # noqa: F401 +import CreateNewIndicatorsOnly +from typing import Any + + +def equals_object(obj1, obj2) -> bool: + if not isinstance(obj1, type(obj2)): + return False + elif isinstance(obj1, dict): + for k1, v1 in obj1.items(): + if k1 not in obj2: + return False + if not equals_object(v1, obj2[k1]): + return False + return not (set(obj1.keys()) ^ set(obj2.keys())) + elif isinstance(obj1, list): + # Compare lists (ignore order) + list2 = list(obj2) + for i1, v1 in enumerate(obj1): + for i2, v2 in enumerate(list2): + if equals_object(v1, v2): + list2.pop(i2) + break + else: + return False + return not list2 + else: + return obj1 == obj2 + + +def test_no_values(mocker): + """ + Given: + No values are given to the 'indicator_values'. + + When: + Running the script + + Then: + Validate the right response returns. + """ + mocker.patch.object(demisto, 'args', return_value={ + 'indicator_values': [], + }) + + expected_entry_context = {} + + mocker.patch.object(demisto, 'results') + CreateNewIndicatorsOnly.main() + assert demisto.results.call_count == 1 + results = demisto.results.call_args[0][0] + assert '0 new indicators have been added' in results.get('HumanReadable') + assert equals_object(expected_entry_context, results.get('EntryContext')) + + +def test_all_indicators_exist_with_single_value(mocker): + """ + Given: + A single indicator existing in the threat intel is given to the 'indicator_values'. + + When: + Running the script + + Then: + Validate the right response returns. 
+ """ + def __execute_command(cmd, args) -> Any: + if cmd == 'findIndicators': + return [{ + 'id': '0', + 'value': args.get('value'), + 'score': 0, + 'indicator_type': args.get('type', 'Unknown') + }] + raise ValueError('Unexpected calls') + + mocker.patch('CreateNewIndicatorsOnly.execute_command', side_effect=__execute_command) + + mocker.patch.object(demisto, 'args', return_value={ + 'indicator_values': '1.1.1.1', + }) + + expected_entry_context = { + 'CreateNewIndicatorsOnly(val.Value && val.Value == obj.Value && val.Type && val.Type == obj.Type)': [{ + 'CreationStatus': 'existing', + 'ID': '0', + 'Score': 0, + 'Type': 'Unknown', + 'Value': '1.1.1.1' + } + ] + } + + mocker.patch.object(demisto, 'results') + CreateNewIndicatorsOnly.main() + assert demisto.results.call_count == 1 + results = demisto.results.call_args[0][0] + assert '0 new indicators have been added' in results.get('HumanReadable') + assert equals_object(expected_entry_context, results.get('EntryContext')) + + +def test_all_indicators_exist_with_multiple_value(mocker): + """ + Given: + All indicators existing in the threat intel are given to the 'indicator_values'. + + When: + Running the script + + Then: + Validate the right response returns. 
+ """ + def __execute_command(cmd, args) -> Any: + if cmd == 'findIndicators': + return [{ + 'id': '0', + 'value': args.get('value'), + 'score': 0, + 'indicator_type': args.get('type', 'Unknown') + }] + raise ValueError('Unexpected calls') + + mocker.patch('CreateNewIndicatorsOnly.execute_command', side_effect=__execute_command) + + mocker.patch.object(demisto, 'args', return_value={ + 'indicator_values': [ + '1.1.1.1', + '2.2.2.2' + ], + }) + + expected_entry_context = { + 'CreateNewIndicatorsOnly(val.Value && val.Value == obj.Value && val.Type && val.Type == obj.Type)': [{ + 'CreationStatus': 'existing', + 'ID': '0', + 'Score': 0, + 'Type': 'Unknown', + 'Value': '1.1.1.1' + }, { + 'CreationStatus': 'existing', + 'ID': '0', + 'Score': 0, + 'Type': 'Unknown', + 'Value': '2.2.2.2' + } + ] + } + + mocker.patch.object(demisto, 'results') + CreateNewIndicatorsOnly.main() + assert demisto.results.call_count == 1 + results = demisto.results.call_args[0][0] + assert '0 new indicators have been added' in results.get('HumanReadable') + assert equals_object(expected_entry_context, results.get('EntryContext')) + + +def test_some_indicators_exist_with_multiple_value(mocker): + """ + Given: + Some of indicators existing in the threat intel are given to the 'indicator_values'. + + When: + Running the script + + Then: + Validate the right response returns. 
+ """ + def __execute_command(cmd, args) -> Any: + if cmd == 'findIndicators': + value = args.get('value') + if value != '1.1.1.1': + return [] + else: + return [{ + 'id': '0', + 'value': args.get('value'), + 'score': 0, + 'indicator_type': args.get('type', 'Unknown') + }] + elif cmd == 'createNewIndicator': + return { + 'id': '0', + 'value': args.get('value'), + 'score': 0, + 'indicator_type': args.get('type', 'Unknown') + } + raise ValueError('Unexpected calls') + + mocker.patch('CreateNewIndicatorsOnly.execute_command', side_effect=__execute_command) + + mocker.patch.object(demisto, 'args', return_value={ + 'indicator_values': [ + '1.1.1.1', + '2.2.2.2' + ], + }) + + expected_entry_context = { + 'CreateNewIndicatorsOnly(val.Value && val.Value == obj.Value && val.Type && val.Type == obj.Type)': [{ + 'CreationStatus': 'existing', + 'ID': '0', + 'Score': 0, + 'Type': 'Unknown', + 'Value': '1.1.1.1' + }, { + 'CreationStatus': 'new', + 'ID': '0', + 'Score': 0, + 'Type': 'Unknown', + 'Value': '2.2.2.2' + } + ] + } + + mocker.patch.object(demisto, 'results') + CreateNewIndicatorsOnly.main() + assert demisto.results.call_count == 1 + results = demisto.results.call_args[0][0] + assert '1 new indicators have been added' in results.get('HumanReadable') + assert equals_object(expected_entry_context, results.get('EntryContext')) + + +def test_some_indicators_are_excluded(mocker): + """ + Given: + Some of indicators given to the 'indicator_values' are in the exclusion list. + + When: + Running the script + + Then: + Validate the right response returns. 
+ """ + def __execute_command(cmd, args) -> Any: + if cmd == 'findIndicators': + return [] + elif cmd == 'createNewIndicator': + value = args.get('value') + if value == '1.1.1.1': + return 'done - Indicator was not created' + else: + return { + 'id': '0', + 'value': args.get('value'), + 'score': 0, + 'indicator_type': args.get('type', 'Unknown') + } + raise ValueError('Unexpected calls') + + mocker.patch('CreateNewIndicatorsOnly.execute_command', side_effect=__execute_command) + + mocker.patch.object(demisto, 'args', return_value={ + 'indicator_values': [ + '1.1.1.1', + '2.2.2.2' + ], + }) + + expected_entry_context = { + 'CreateNewIndicatorsOnly(val.Value && val.Value == obj.Value && val.Type && val.Type == obj.Type)': [{ + 'CreationStatus': 'unavailable', + 'Type': 'Unknown', + 'Value': '1.1.1.1' + }, { + 'CreationStatus': 'new', + 'ID': '0', + 'Score': 0, + 'Type': 'Unknown', + 'Value': '2.2.2.2' + } + ] + } + + mocker.patch.object(demisto, 'results') + CreateNewIndicatorsOnly.main() + assert demisto.results.call_count == 1 + results = demisto.results.call_args[0][0] + assert '1 new indicators have been added' in results.get('HumanReadable') + assert equals_object(expected_entry_context, results.get('EntryContext')) + + +def test_indicator_including_commas(mocker): + """ + Given: + An indicator given to the 'indicator_values' contains commas + + When: + Running the script + + Then: + Validate the right response returns. 
+ """ + def __execute_command(cmd, args) -> Any: + if cmd == 'findIndicators': + return [] + elif cmd == 'createNewIndicator': + return { + 'id': '0', + 'value': args.get('value'), + 'score': 0, + 'indicator_type': args.get('type', 'Unknown') + } + raise ValueError('Unexpected calls') + + mocker.patch('CreateNewIndicatorsOnly.execute_command', side_effect=__execute_command) + + mocker.patch.object(demisto, 'args', return_value={ + 'indicator_values': 'http://www.paloaltonetworks.com/?q=,123', + }) + + expected_entry_context = { + 'CreateNewIndicatorsOnly(val.Value && val.Value == obj.Value && val.Type && val.Type == obj.Type)': [{ + 'CreationStatus': 'new', + 'ID': '0', + 'Score': 0, + 'Type': 'Unknown', + 'Value': 'http://www.paloaltonetworks.com/?q=,123' + } + ] + } + + mocker.patch.object(demisto, 'results') + CreateNewIndicatorsOnly.main() + assert demisto.results.call_count == 1 + results = demisto.results.call_args[0][0] + assert '1 new indicators have been added' in results.get('HumanReadable') + assert equals_object(expected_entry_context, results.get('EntryContext')) + + +def test_print_verbose(mocker): + """ + Given: + `verbose=true` is given to the argument parameters + + When: + Running the script + + Then: + Validate the right response returns. 
+ """ + def __execute_command(cmd, args) -> Any: + if cmd == 'findIndicators': + return [] + elif cmd == 'createNewIndicator': + return { + 'id': '0', + 'value': args.get('value'), + 'score': 0, + 'indicator_type': args.get('type', 'Unknown') + } + raise ValueError('Unexpected calls') + + mocker.patch('CreateNewIndicatorsOnly.execute_command', side_effect=__execute_command) + + mocker.patch.object(demisto, 'args', return_value={ + 'indicator_values': '1.1.1.1', + 'verbose': 'true' + }) + + expected_entry_context = { + 'CreateNewIndicatorsOnly(val.Value && val.Value == obj.Value && val.Type && val.Type == obj.Type)': [{ + 'CreationStatus': 'new', + 'ID': '0', + 'Score': 0, + 'Type': 'Unknown', + 'Value': '1.1.1.1' + } + ] + } + + mocker.patch.object(demisto, 'results') + CreateNewIndicatorsOnly.main() + assert demisto.results.call_count == 1 + results = demisto.results.call_args[0][0] + assert '|ID|Score|CreationStatus|Type|Value' in results.get('HumanReadable') + assert equals_object(expected_entry_context, results.get('EntryContext')) diff --git a/Packs/CommonScripts/Scripts/CreateNewIndicatorsOnly/README.md b/Packs/CommonScripts/Scripts/CreateNewIndicatorsOnly/README.md new file mode 100644 index 000000000000..ecda392a4994 --- /dev/null +++ b/Packs/CommonScripts/Scripts/CreateNewIndicatorsOnly/README.md 
@@ -0,0 +1,38 @@ +Create indicators to the Threat Intel database only if they are not registered. When using the script with many indicators, or when the Threat Intel Management database is highly populated, this script may have low performance issue. + +## Script Data +--- + +| **Name** | **Description** | +| --- | --- | +| Script Type | python3 | +| Tags | Utility | +| Cortex XSOAR Version | 6.5.0 | + +## Inputs +--- + +| **Argument Name** | **Description** | +| --- | --- | +| indicator_values | The indicator values | +| type | The indicator type of the indicators. | +| source | The indicator source. | +| verdict | The indicator reputation. | +| tags | The tags to add to the new indicators. | +| verbose | Whether to output additional messages as readable output. | + +## Outputs +--- + +| **Path** | **Description** | **Type** | +| --- | --- | --- | +| CreateNewIndicatorsOnly.ID | The indicator ID. | string | +| CreateNewIndicatorsOnly.Value | The indicator value. | string | +| CreateNewIndicatorsOnly.Type | The indicator type. | string | +| CreateNewIndicatorsOnly.Score | The indicator score. | number | +| CreateNewIndicatorsOnly.CreationStatus | The status of the indicator requested to add. Value is either new, existing, or unavailable. | string | + +## Notice +--- + +When using the script with many indicators, or when the Threat Intel Management database is highly populated, this script may have low performance issue. \ No newline at end of file diff --git a/Packs/CommonScripts/Scripts/DemistoVersion/DemistoVersion.yml b/Packs/CommonScripts/Scripts/DemistoVersion/DemistoVersion.yml index 7aa7586d9542..03bd137c203a 100644 --- a/Packs/CommonScripts/Scripts/DemistoVersion/DemistoVersion.yml +++ b/Packs/CommonScripts/Scripts/DemistoVersion/DemistoVersion.yml @@ -1,9 +1,7 @@ commonfields: id: DemistoVersion - id_x2: GetVersion version: -1 name: DemistoVersion -name_x2: GetVersion script: '' type: python tags: [] 
@@ -19,6 +17,10 @@ outputs: scripttarget: 0 subtype: python3 runonce: false -dockerimage: demisto/python3:3.10.6.33415 +dockerimage: demisto/python3:3.10.9.40422 runas: DBotWeakRole fromversion: 5.0.0 +marketplaces: +- xsoar +tests: +- No tests (auto formatted) diff --git a/Packs/CommonScripts/Scripts/EditServerConfig/README.md b/Packs/CommonScripts/Scripts/EditServerConfig/README.md index 221e49751c8a..d9bb715c2058 100644 --- a/Packs/CommonScripts/Scripts/EditServerConfig/README.md +++ b/Packs/CommonScripts/Scripts/EditServerConfig/README.md @@ -30,3 +30,8 @@ There are no outputs for this script. ## Human Readable Output >Server configuration with content.unlock.integrations was updated successfully. + +### Troubleshooting +Multi-tenant environments should be configured with the Cortex Rest API instance when using this +automation. Make sure the *Use tenant* parameter (in the Cortex Rest API integration) is checked +to ensure that API calls are made to the current tenant instead of the master tenant. \ No newline at end of file diff --git a/Packs/CommonScripts/Scripts/ExtractDomainAndFQDNFromUrlAndEmail/ExtractDomainAndFQDNFromUrlAndEmail.py b/Packs/CommonScripts/Scripts/ExtractDomainAndFQDNFromUrlAndEmail/ExtractDomainAndFQDNFromUrlAndEmail.py index d187af235cc8..33eb853bacbb 100644 --- a/Packs/CommonScripts/Scripts/ExtractDomainAndFQDNFromUrlAndEmail/ExtractDomainAndFQDNFromUrlAndEmail.py +++ b/Packs/CommonScripts/Scripts/ExtractDomainAndFQDNFromUrlAndEmail/ExtractDomainAndFQDNFromUrlAndEmail.py 
@@ -7,7 +7,7 @@ PROOFPOINT_PREFIXES = ['https://urldefense.proofpoint.com/', "https://urldefense.com/"] ATP_LINK_REG = r'(https:\/\/\w*|\w*)\.safelinks\.protection\.outlook\.com/' -DOMAIN_REGEX = r"(?i)(?:(?:http|ftp|hxxp)s?(?:://|-3A__|%3A%2F%2F))?((?:[^\\.@\s\"',(\[:?=]+(?:\.|\[\.\]))+[^0-9_/\\\.@\s\"',()\[\]{}<>:?=]{2,})(?:[_/\s\"',)\]}>]|[.]\s|%2F|$)" # noqa: E501 +DOMAIN_REGEX = r"(?i)(?P(?:http|ftp|hxxp)s?(?:://|-3A__|%3A%2F%2F))?(?P(?:[\w\-–_]+(?:\.|\[\.\]))+[^\W\d_]{2,})(?:[_/\s\"',)\]}>]|[.]\s?|%2F|.?$)" # noqa: E501 def atp_get_original_url(safe_url): # pragma: no cover @@ -71,9 +71,9 @@ def pre_process_input(the_input): the_input = the_input.removesuffix('.') the_input = the_input.removeprefix('/') - match = re.match(DOMAIN_REGEX, the_input) + match = re.search(DOMAIN_REGEX, the_input) if match: - the_input = match.group(1) + the_input = match.group('domain') return the_input diff --git a/Packs/CommonScripts/Scripts/ExtractDomainAndFQDNFromUrlAndEmail/ExtractDomainAndFQDNFromUrlAndEmail.yml b/Packs/CommonScripts/Scripts/ExtractDomainAndFQDNFromUrlAndEmail/ExtractDomainAndFQDNFromUrlAndEmail.yml index 8e96633a4b67..e0e654553e84 100644 --- a/Packs/CommonScripts/Scripts/ExtractDomainAndFQDNFromUrlAndEmail/ExtractDomainAndFQDNFromUrlAndEmail.yml +++ b/Packs/CommonScripts/Scripts/ExtractDomainAndFQDNFromUrlAndEmail/ExtractDomainAndFQDNFromUrlAndEmail.yml @@ -18,7 +18,7 @@ tags: - indicator-format timeout: '0' type: python -dockerimage: demisto/py3-tools:1.0.0.38394 +dockerimage: demisto/py3-tools:1.0.0.41100 runas: DBotWeakRole runonce: false tests: diff --git a/Packs/CommonScripts/Scripts/ExtractDomainAndFQDNFromUrlAndEmail/ExtractDomainAndFQDNFromUrlAndEmail_test.py b/Packs/CommonScripts/Scripts/ExtractDomainAndFQDNFromUrlAndEmail/ExtractDomainAndFQDNFromUrlAndEmail_test.py index ee3e2401e080..08260724987b 100644 --- a/Packs/CommonScripts/Scripts/ExtractDomainAndFQDNFromUrlAndEmail/ExtractDomainAndFQDNFromUrlAndEmail_test.py 
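Review bot: The new `DOMAIN_REGEX` as rendered reads `(?P(?:http|ftp|hxxp)s?...)?` and `(?P(?:[\w\-–_]+...`, i.e. `(?P` with no group name, which Python's `re` rejects, while the second hunk selects `match.group('domain')`; the committed pattern must carry `(?P<scheme>...)` and `(?P<domain>...)`, so the angle-bracketed names appear to have been lost in this rendering — confirm against the file. Both the old negated classes and the new `\w`-based ones accept non-ASCII labels, and the new pattern adds the en dash `–` explicitly, so a one-line comment such as `# \w is Unicode-aware: IDN labels pass through unnormalised — confirm downstream consumers expect that` would save the next reader from re-deriving it. The end alternative changes from `$` to `.?$`, which lets one arbitrary trailing character through (`evil.com!` now matches), and `[^\W\d_]{2,}` is still greedy so `evil.comx` yields the TLD `comx` as before; both deserve a pinned test case.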
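Review bot: Changing `re.match` to `re.search` in `pre_process_input` means any prefix that fails to match is silently skipped, so free text such as `see evil.com for details` (or a value with a garbage scheme) now yields `evil.com` where the old anchored match left the input untouched. If the motivation is only the new test input that starts with something before `kasai.qlmsourcing.com` (a newline or a tag lost in rendering), `the_input = the_input.strip()` next to the existing `removesuffix('.')`/`removeprefix('/')` calls, keeping `re.match`, is the narrower fix; if embedded-text extraction is wanted, say so in a comment on the `re.search` line. `pre_process_input` begins before this hunk.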
+++ b/Packs/CommonScripts/Scripts/ExtractDomainAndFQDNFromUrlAndEmail/ExtractDomainAndFQDNFromUrlAndEmail_test.py @@ -47,6 +47,7 @@ ('test.co.il ', 'test.co.il'), ('test.co.il)', 'test.co.il'), ('/evil3.com', 'evil3.com'), # noqa: E501 disable-secrets-detection + ('
kasai.qlmsourcing.com', 'kasai.qlmsourcing.com'), # disable-secrets-detection ]) # noqa: E124 def test_extract_fqdn_or_domain(input, fqdn): extracted_fqdn = extract_fqdn(input) diff --git a/Packs/CommonScripts/Scripts/ExtractEmailFormatting/ExtractEmailFormatting.py b/Packs/CommonScripts/Scripts/ExtractEmailFormatting/ExtractEmailFormatting.py index 763e50a5ab63..b0fb174f4d50 100644 --- a/Packs/CommonScripts/Scripts/ExtractEmailFormatting/ExtractEmailFormatting.py +++ b/Packs/CommonScripts/Scripts/ExtractEmailFormatting/ExtractEmailFormatting.py @@ -26,7 +26,11 @@ def extract_email(email_address: str) -> str: "\[?@]?[\w.-]{1,255}\[?\.]?" "[A-Za-z]{2,})", re.IGNORECASE) - return re.findall(email_format, email_address)[0] + try: + return re.findall(email_format, email_address)[0] + + except IndexError: + return '' def check_tld(email_address: str) -> bool: @@ -71,8 +75,8 @@ def main(): { 'Type': entryTypes['note'], 'ContentsFormat': formats['json'], - 'Contents': email_address, - 'EntryContext': {'Email': email_address}, + 'Contents': [email_address] if email_address else [], + 'EntryContext': {'Email': email_address} if email_address else {}, } for email_address in list_results] if output: diff --git a/Packs/CommonScripts/Scripts/ExtractEmailFormatting/ExtractEmailFormatting.yml b/Packs/CommonScripts/Scripts/ExtractEmailFormatting/ExtractEmailFormatting.yml index 5a3b42cec2cd..0a4fa7634e83 100644 --- a/Packs/CommonScripts/Scripts/ExtractEmailFormatting/ExtractEmailFormatting.yml +++ b/Packs/CommonScripts/Scripts/ExtractEmailFormatting/ExtractEmailFormatting.yml @@ -16,7 +16,7 @@ args: scripttarget: 0 subtype: python3 runonce: false -dockerimage: demisto/python3:3.10.8.39276 +dockerimage: demisto/python3:3.10.9.40422 fromversion: 5.5.0 tests: - ExtractEmailV2-Test 
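Review bot: The added case pins that leading material before `kasai.qlmsourcing.com` is dropped, but since the implementation now uses `re.search`, nothing pins what happens when a domain is embedded after other text or when a non-domain string contains a dotted token (`see evil.com for details`, `v1.2.3-release`); add one such case with the intended expected value so the widened matching is a decision rather than an accident. As rendered, the new literal is split across a line break, so the exact leading characters are not recoverable here — worth double-checking the committed string is what the test intends.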
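Review bot: In `extract_email`, `re.findall(...)[0]` inside `try/except IndexError` scans the whole string and builds a list only to take the first hit, and the `except` would also mask an `IndexError` raised for any other reason inside the `try`; `re.search` expresses the intent directly and returns `''` without exceptions: `match = re.search(email_format, email_address)` / `return match.group(1) if match else ''`. The visible tail of `email_format` closes one capture group, so `findall` yields that group's text and `group(1)` is the equivalent — confirm the pattern has no further groups, in which case `findall` would have returned tuples. The start of `extract_email` (and of the regex) lies outside this hunk.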
diff --git a/Packs/CommonScripts/Scripts/ExtractEmailFormatting/ExtractEmailFormatting_test.py b/Packs/CommonScripts/Scripts/ExtractEmailFormatting/ExtractEmailFormatting_test.py index e0fbb9862d8a..6a24fcdd8e10 100644 --- a/Packs/CommonScripts/Scripts/ExtractEmailFormatting/ExtractEmailFormatting_test.py +++ b/Packs/CommonScripts/Scripts/ExtractEmailFormatting/ExtractEmailFormatting_test.py @@ -36,6 +36,7 @@ def test_check_tld(address, valid): ('\\u003ctest@test.com', 'test@test.com'), ('"test@test.com"', 'test@test.com'), ('', 'test@test.com'), + ('test', '') ]) # noqa: E124 def test_extract_email(input, output): assert extract_email(input) == output @@ -48,11 +49,11 @@ def test_extract_email(input, output): } EXPECTED_RESULTS = [ - 'xsoar@test.org.de', # disable-secrets-detection - '', - 'xsoar@test.uk', # disable-secrets-detection - '', - 'xsoar@xsoar.co.il', # disable-secrets-detection + ['xsoar@test.org.de'], # disable-secrets-detection + [], + ['xsoar@test.uk'], # disable-secrets-detection + [], + ['xsoar@xsoar.co.il'], # disable-secrets-detection ] @@ -75,7 +76,7 @@ def test_main(mocker): def test_main_invalid_emails(mocker): """Verifies that no input returns an empty string. Given - - Empty string as an input to the fprmatter. + - Empty string as an input to the formatter. When - An empty string is passed to formatter by the user. Then diff --git a/Packs/CommonScripts/Scripts/FormatURL/FormatURL.py b/Packs/CommonScripts/Scripts/FormatURL/FormatURL.py index a0d211798c6d..59f6be06628a 100644 --- a/Packs/CommonScripts/Scripts/FormatURL/FormatURL.py +++ b/Packs/CommonScripts/Scripts/FormatURL/FormatURL.py 
@@ -637,6 +637,23 @@ def fix_scheme(match: Match) -> str: return URLFormatter.scheme_fix.sub(fix_scheme, url) +def _is_valid_cidr(cidr: str) -> bool: + """ + Will check if "url" is a valid CIDR in order to ignore it + Args: + cidr: the suspected input + + Returns: + True if inout is a valid CIDR + + """ + try: + ipaddress.ip_network(cidr) + return True + except ValueError: + return False + + def main(): raw_urls = demisto.args().get('input') @@ -648,6 +665,11 @@ def main(): for url in raw_urls: formatted_url = '' + if _is_valid_cidr(url): + # If input is a valid CIDR formatter will ignore it to let it become a CIDR + formatted_urls.append('') + continue + try: formatted_url = URLFormatter(url).output diff --git a/Packs/CommonScripts/Scripts/FormatURL/FormatURL.yml b/Packs/CommonScripts/Scripts/FormatURL/FormatURL.yml index 4190c329cb06..9cee01523006 100644 --- a/Packs/CommonScripts/Scripts/FormatURL/FormatURL.yml +++ b/Packs/CommonScripts/Scripts/FormatURL/FormatURL.yml @@ -22,7 +22,7 @@ tags: timeout: '0' type: python subtype: python3 -dockerimage: demisto/python3:3.10.8.39276 +dockerimage: demisto/python3:3.10.9.40422 fromversion: 5.5.0 tests: - FormatURL-Test diff --git a/Packs/CommonScripts/Scripts/GetFieldsByIncidentType/README.md b/Packs/CommonScripts/Scripts/GetFieldsByIncidentType/README.md new file mode 100644 index 000000000000..6b45427b5a3d --- /dev/null +++ b/Packs/CommonScripts/Scripts/GetFieldsByIncidentType/README.md @@ -0,0 +1,4 @@ +### Troubleshooting +Multi-tenant environments should be configured with the Cortex Rest API instance when using this +automation. Make sure the *Use tenant* parameter (in the Cortex Rest API integration) is checked +to ensure that API calls are made to the current tenant instead of the master tenant. \ No newline at end of file diff --git a/Packs/CommonScripts/Scripts/IncidentFields/README.md b/Packs/CommonScripts/Scripts/IncidentFields/README.md index bb3af36fe9a3..45f0bb50c012 100644 
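Review bot: `_is_valid_cidr` returns True for a bare address, because `ipaddress.ip_network('192.0.2.1')` succeeds and yields a `/32` (and `'2001:db8::1'` a `/128`), so with the second hunk every plain IPv4/IPv6 input is now appended as `''` and dropped from the formatted URLs, not only CIDR ranges; if only `a.b.c.d/nn` is meant, test for a prefix first, e.g. `if '/' not in cidr: return False` at the top of the function. Conversely `ip_network` defaults to `strict=True`, so `10.0.0.1/24` raises and falls through to `URLFormatter` instead of being left for the CIDR extractor — state the choice in the docstring (or pass `strict=False` if host bits should be tolerated). The docstring also has a typo (`inout` → `input`), and `ipaddress` must be imported at the top of the file, which is not visible in this diff — confirm. The loop in `main` that calls this helper starts before the second hunk.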
--- a/Packs/CommonScripts/Scripts/IncidentFields/README.md +++ b/Packs/CommonScripts/Scripts/IncidentFields/README.md @@ -133,3 +133,8 @@ There are no outputs for this script. > "type": "multiSelect" > }, >``` + +### Troubleshooting +Multi-tenant environments should be configured with the Cortex Rest API instance when using this +automation. Make sure the *Use tenant* parameter (in the Cortex Rest API integration) is checked +to ensure that API calls are made to the current tenant instead of the master tenant. \ No newline at end of file diff --git a/Packs/CommonScripts/Scripts/ParseEmailFilesV2/ParseEmailFilesV2.py b/Packs/CommonScripts/Scripts/ParseEmailFilesV2/ParseEmailFilesV2.py index c1c6411ea71f..9842925d34c1 100644 --- a/Packs/CommonScripts/Scripts/ParseEmailFilesV2/ParseEmailFilesV2.py +++ b/Packs/CommonScripts/Scripts/ParseEmailFilesV2/ParseEmailFilesV2.py @@ -87,12 +87,12 @@ def extract_file_info(entry_id: str) -> tuple: file_path = result[0]['Contents']['path'] file_name = result[0]['Contents']['name'] - result = demisto.executeCommand('getEntry', {'id': entry_id}) - if is_error(result): - return_error(get_error(result)) - file_metadata = result[0]['FileMetadata'] - file_type = file_metadata.get('info', '') or file_metadata.get('type', '') + dt_file_type = demisto.dt(demisto.context(), f"File(val.EntryID=='{entry_id}').Type") + if isinstance(dt_file_type, list): + file_type = dt_file_type[0] + else: + file_type = dt_file_type except Exception as ex: return_error( diff --git a/Packs/CommonScripts/Scripts/ParseEmailFilesV2/ParseEmailFilesV2.yml b/Packs/CommonScripts/Scripts/ParseEmailFilesV2/ParseEmailFilesV2.yml index c8033d974e9d..16641130a69a 100644 --- a/Packs/CommonScripts/Scripts/ParseEmailFilesV2/ParseEmailFilesV2.yml +++ b/Packs/CommonScripts/Scripts/ParseEmailFilesV2/ParseEmailFilesV2.yml 
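Review bot: The new lookup builds the DT filter by interpolating `entry_id` into `f"File(val.EntryID=='{entry_id}').Type"`, so an id containing `'` or `)` changes the expression instead of being compared literally; entry ids are platform-generated, so the risk is low, but a guard such as `if "'" in entry_id: raise ValueError(f'unexpected entry id: {entry_id!r}')` keeps the filter from being string-built. It also replaces the entry's own `FileMetadata` (from `getEntry`, which was error-checked with `is_error`) with whatever the incident context currently holds under `File.Type`, a value other tasks can set or that may simply be absent: then `dt_file_type` is `None` or `[]`, `[][0]` raises `IndexError`, and the old explicit error becomes the generic message from the `except Exception` below. Consider `if not dt_file_type: return_error(f'File type for entry {entry_id} not found in context')` before the `isinstance` branch, plus a comment saying why context is preferred over `getEntry` here. `extract_file_info` starts before this hunk.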
@@ -133,5 +133,5 @@ type: python fromversion: 5.0.0 tests: - ParseEmailFilesV2-test -dockerimage: demisto/parse-emails:1.0.0.38879 +dockerimage: demisto/parse-emails:1.0.0.41885 diff --git a/Packs/CommonScripts/Scripts/ParseEmailFilesV2/ParseEmailFilesV2_test.py b/Packs/CommonScripts/Scripts/ParseEmailFilesV2/ParseEmailFilesV2_test.py index eda7e0f5f529..b3067e117604 100644 --- a/Packs/CommonScripts/Scripts/ParseEmailFilesV2/ParseEmailFilesV2_test.py +++ b/Packs/CommonScripts/Scripts/ParseEmailFilesV2/ParseEmailFilesV2_test.py @@ -88,6 +88,8 @@ def executeCommand(name, args=None): mocker.patch.object(demisto, 'args', return_value={'entryid': 'test'}) mocker.patch.object(demisto, 'executeCommand', side_effect=executeCommand) + mocker.patch.object(demisto, 'context') + mocker.patch.object(demisto, 'dt', return_value=['SMTP mail, UTF-8 Unicode text, with CRLF terminators']) mocker.patch.object(demisto, 'results') # validate our mocks are good assert demisto.args()['entryid'] == 'test' @@ -137,6 +139,8 @@ def executeCommand(name, args=None): mocker.patch.object(demisto, 'args', return_value={'entryid': 'test'}) mocker.patch.object(demisto, 'executeCommand', side_effect=executeCommand) + mocker.patch.object(demisto, 'context') + mocker.patch.object(demisto, 'dt', return_value=['news or mail text, ASCII text']) mocker.patch.object(demisto, 'results') # validate our mocks are good assert demisto.args()['entryid'] == 'test' @@ -199,6 +203,8 @@ def executeCommand(name, args=None): mocker.patch.object(demisto, 'args', return_value={'entryid': 'test'}) mocker.patch.object(demisto, 'executeCommand', side_effect=executeCommand) + mocker.patch.object(demisto, 'context') + mocker.patch.object(demisto, 'dt', return_value=['news or mail text, ASCII text']) mocker.patch.object(demisto, 'results') # validate our mocks are good assert demisto.args()['entryid'] == 'test' 
@@ -257,6 +263,8 @@ def executeCommand(name, args=None): mocker.patch.object(demisto, 'args', return_value={'entryid': 'test', 'max_depth': '1'}) mocker.patch.object(demisto, 'executeCommand', side_effect=executeCommand) + mocker.patch.object(demisto, 'context') + mocker.patch.object(demisto, 'dt', return_value=['news or mail text, ASCII text']) mocker.patch.object(demisto, 'results') # validate our mocks are good assert demisto.args()['entryid'] == 'test' @@ -291,6 +299,8 @@ def test_msg(mocker): info = 'CDFV2 Microsoft Outlook Message' mocker.patch.object(demisto, 'args', return_value={'entryid': 'test'}) mocker.patch.object(demisto, 'executeCommand', side_effect=exec_command_for_file('smime-p7s.msg', info=info)) + mocker.patch.object(demisto, 'context') + mocker.patch.object(demisto, 'dt', return_value=['CDFV2 Microsoft Outlook Message']) mocker.patch.object(demisto, 'results') # validate our mocks are good assert demisto.args()['entryid'] == 'test' @@ -315,6 +325,8 @@ def test_no_content_type_file(mocker): mocker.patch.object(demisto, 'args', return_value={'entryid': 'test'}) mocker.patch.object(demisto, 'executeCommand', side_effect=exec_command_for_file('no_content_type.eml', info="ascii text")) + mocker.patch.object(demisto, 'context') + mocker.patch.object(demisto, 'dt', return_value=['ascii text']) mocker.patch.object(demisto, 'results') main() results = demisto.results.call_args[0] @@ -335,6 +347,8 @@ def test_no_content_file(mocker): mocker.patch.object(demisto, 'args', return_value={'entryid': 'test'}) mocker.patch.object(demisto, 'executeCommand', side_effect=exec_command_for_file('no_content.eml', info="ascii text")) + mocker.patch.object(demisto, 'context') + mocker.patch.object(demisto, 'dt', return_value=['ascii text']) mocker.patch.object(demisto, 'results') try: main() 
@@ -489,6 +503,8 @@ def executeCommand(name, args=None): mocker.patch.object(demisto, 'args', return_value={'entryid': 'test', 'nesting_level_to_return': nesting_level_to_return}) + mocker.patch.object(demisto, 'context') + mocker.patch.object(demisto, 'dt', return_value=['news or mail text, ASCII text']) mocker.patch.object(demisto, 'executeCommand', side_effect=executeCommand) mocker.patch.object(demisto, 'results') main() diff --git a/Packs/CommonScripts/Scripts/ProvidesCommand/README.md b/Packs/CommonScripts/Scripts/ProvidesCommand/README.md index e3d5a4ac9baf..83f5ed7f9610 100644 --- a/Packs/CommonScripts/Scripts/ProvidesCommand/README.md +++ b/Packs/CommonScripts/Scripts/ProvidesCommand/README.md @@ -26,3 +26,8 @@ This script uses the following commands and scripts. ## Outputs --- There are no outputs for this script. + +### Troubleshooting +Multi-tenant environments should be configured with the Cortex Rest API instance when using this +automation. Make sure the *Use tenant* parameter (in the Cortex Rest API integration) is checked +to ensure that API calls are made to the current tenant instead of the master tenant. \ No newline at end of file diff --git a/Packs/CommonScripts/Scripts/SetWithTemplate/README.md b/Packs/CommonScripts/Scripts/SetWithTemplate/README.md index fa3b9c6ecf8b..c19282d7eacf 100644 --- a/Packs/CommonScripts/Scripts/SetWithTemplate/README.md +++ b/Packs/CommonScripts/Scripts/SetWithTemplate/README.md 
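Review bot: Every case in this file patches `demisto.dt` to return a one-element list, so the new failure mode of `extract_file_info` — the context having no `File` entry for the id, where `dt` returns `None` or `[]` — is untested, and `[][0]` would surface only as the generic `return_error` message. Add one case with `mocker.patch.object(demisto, 'dt', return_value=[])` asserting on the error path, and one with a plain string (`return_value='ascii text'`) to cover the non-list branch. The bare `mocker.patch.object(demisto, 'context')` returns a MagicMock, which is fine because `dt` is fully mocked, but a short comment saying so would help the next reader.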
@@ -16,6 +16,7 @@ Set a value built by a template in context under the key you entered. | --- | --- | | key | The key to set. Can be a full path such as "Key.ID". If using append=true can also use a DT selector such as "Data\(val.ID == obj.ID\)". | | template | The template text which can include DT expressions such as $\{value\}. | +| template_type | The template type. | | append | If false, the context key will be overwritten. If set to true, the script will be appended to the existing context key. | | stringify | Whether to save the argument as a string. The default value is "noop". | | force | Whether to force the creation of the context. The default value is "false". | diff --git a/Packs/CommonScripts/Scripts/SetWithTemplate/SetWithTemplate.py b/Packs/CommonScripts/Scripts/SetWithTemplate/SetWithTemplate.py index 0cc9e57503e8..42cfc10ce392 100644 --- a/Packs/CommonScripts/Scripts/SetWithTemplate/SetWithTemplate.py +++ b/Packs/CommonScripts/Scripts/SetWithTemplate/SetWithTemplate.py @@ -224,6 +224,7 @@ def main(): args = assign_params(**demisto.args()) key = args.get('key') template = args.get('template') + template_type = args.get('template_type', 'raw') append = argToBoolean(args.get('append', False)) stringify = args.get('stringify', 'noop') force = argToBoolean(args.get('force', False)) @@ -239,6 +240,11 @@ def main(): value = '' if template: + if template_type == 'json': + template = json.loads(template) + elif template_type != 'raw': + raise DemistoException(f'Invalid template type: {template_type}') + context = args.get('context') if context: context = json.loads(context) if isinstance(context, str) else context diff --git a/Packs/CommonScripts/Scripts/SetWithTemplate/SetWithTemplate.yml b/Packs/CommonScripts/Scripts/SetWithTemplate/SetWithTemplate.yml index a7ff3d7c73f1..17ae36f9a6ec 100644 --- a/Packs/CommonScripts/Scripts/SetWithTemplate/SetWithTemplate.yml +++ b/Packs/CommonScripts/Scripts/SetWithTemplate/SetWithTemplate.yml 
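Review bot: The `template_type` check sits inside `if template:`, so an invalid value such as `template_type=yaml` is accepted silently whenever `template` is empty, and a malformed JSON template reaches the caller as a bare `json.JSONDecodeError` rather than the script's own `DemistoException`. Hoist the validation next to the argument parsing and wrap the parse so both failures report through the same exception type with a message naming the argument. The body of `main` continues on both sides of these hunks.
```python
    template_type = args.get('template_type', 'raw')
    if template_type not in ('raw', 'json'):
        raise DemistoException(f'Invalid template type: {template_type}')
    # … unchanged: append / stringify / force parsing …
    if template:
        if template_type == 'json':
            try:
                template = json.loads(template)
            except ValueError as e:
                raise DemistoException(f'template is not valid JSON: {e}') from e
        # … unchanged: context handling …
```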
@@ -13,6 +13,13 @@ args: description: The key to set. Can be a full path such as "Key.ID". If using append=true can also use a DT selector such as "Data(val.ID == obj.ID)". - name: template description: The template text which can include DT expressions such as ${value}. +- name: template_type + auto: PREDEFINED + predefined: + - raw + - json + description: The template type + defaultValue: raw - name: append auto: PREDEFINED predefined: @@ -52,7 +59,7 @@ args: scripttarget: 0 subtype: python3 runonce: false -dockerimage: demisto/python3:3.10.8.39276 +dockerimage: demisto/python3:3.10.9.40422 runas: DBotWeakRole fromversion: 6.5.0 tests: diff --git a/Packs/CommonScripts/Scripts/SetWithTemplate/test_data/test.json b/Packs/CommonScripts/Scripts/SetWithTemplate/test_data/test.json index 91d9a666e6d1..a66d082e7d10 100644 --- a/Packs/CommonScripts/Scripts/SetWithTemplate/test_data/test.json +++ b/Packs/CommonScripts/Scripts/SetWithTemplate/test_data/test.json @@ -341,5 +341,49 @@ "entry_context": { "Output": "{value}" } + }, + { + "args": { + "key": "Output", + "template": { + "1": "aaa ${name1} bbb", + "2": "aaa ${name2} ccc" + }, + "append": false, + "stringify": null, + "context": { + "name1": "value1", + "name2": "value2" + }, + "variable_markers": null, + "keep_symbol_to_null": false + }, + "entry_context": { + "Output": { + "1": "aaa value1 bbb", + "2": "aaa value2 ccc" + } + } + }, + { + "args": { + "key": "Output", + "template": "{\"1\": \"aaa ${name1} bbb\", \"2\": \"aaa ${name2} ccc\"}", + "template_type": "json", + "append": false, + "stringify": null, + "context": { + "name1": "value1", + "name2": "value2" + }, + "variable_markers": null, + "keep_symbol_to_null": false + }, + "entry_context": { + "Output": { + "1": "aaa value1 bbb", + "2": "aaa value2 ccc" + } + } } ] \ No newline at end of file diff --git a/Packs/CommonScripts/pack_metadata.json b/Packs/CommonScripts/pack_metadata.json index deb8f20b93e0..0b409ec5e6d7 100644 
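Review bot: The new argument's `description: The template type` does not tell the user what either value does, and the behaviour is not obvious from the name: per the script change in this commit, `json` runs the template through `json.loads` before the DT expressions are expanded, while `raw` uses it as-is. Suggest `description: How to interpret the template argument. "raw" (default) uses the text as-is; "json" first parses it as a JSON string, so a JSON object or array whose values contain ${...} expressions can be used as the template.` The same wording should be mirrored in the README table row added in this change.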
--- a/Packs/CommonScripts/pack_metadata.json +++ b/Packs/CommonScripts/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Common Scripts", "description": "Frequently used scripts pack.", "support": "xsoar", - "currentVersion": "1.10.25", + "currentVersion": "1.10.34", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", @@ -58,4 +58,4 @@ "marketplacev2", "xpanse" ] -} +} \ No newline at end of file diff --git a/Packs/CommonTypes/.pack-ignore b/Packs/CommonTypes/.pack-ignore index f04a29c23eaa..23fd49ef64b4 100644 --- a/Packs/CommonTypes/.pack-ignore +++ b/Packs/CommonTypes/.pack-ignore @@ -327,6 +327,9 @@ emailRep accountRep cveRep VerifyCIDR +Exabeam +swid +cpe [file:classifier-Mail-listener.json] ignore=BA101 diff --git a/Packs/CommonTypes/IncidentFields/incidentfield-Close_Time.json b/Packs/CommonTypes/IncidentFields/incidentfield-Close_Time.json index f4c7d9d07a0e..52eff02307a8 100644 --- a/Packs/CommonTypes/IncidentFields/incidentfield-Close_Time.json +++ b/Packs/CommonTypes/IncidentFields/incidentfield-Close_Time.json @@ -7,7 +7,8 @@ "SysAid Request", "Qradar Generic", "Guardicore Incident", - "Saas Security Incident" + "Saas Security Incident", + "Exabeam Incident" ], "breachScript": "", "caseInsensitive": true, diff --git a/Packs/CommonTypes/IncidentFields/incidentfield-Item_Owner.json b/Packs/CommonTypes/IncidentFields/incidentfield-Item_Owner.json index 61784fdce80c..e22a91865c68 100644 --- a/Packs/CommonTypes/IncidentFields/incidentfield-Item_Owner.json +++ b/Packs/CommonTypes/IncidentFields/incidentfield-Item_Owner.json @@ -23,7 +23,8 @@ "Symantec DLP Discover Incident", "Symantec DLP Endpoint Incident", "Symantec DLP Network Incident", - "ThreatConnect" + "ThreatConnect", + "Exabeam Incident" ], "unmapped": false, "unsearchable": false, 
diff --git a/Packs/CommonTypes/IncidentFields/incidentfield-Source_Updated_By.json b/Packs/CommonTypes/IncidentFields/incidentfield-Source_Updated_By.json new file mode 100644 index 000000000000..736f09aa3833 --- /dev/null +++ b/Packs/CommonTypes/IncidentFields/incidentfield-Source_Updated_By.json @@ -0,0 +1,28 @@ +{ + "id": "incident_sourceupdatedby", + "version": -1, + "modified": "2022-12-05T14:55:55.838824+02:00", + "name": "Source Updated by", + "ownerOnly": false, + "cliName": "sourceupdatedby", + "type": "shortText", + "closeForm": false, + "editForm": true, + "required": false, + "neverSetAsRequired": false, + "isReadOnly": false, + "useAsKpi": false, + "locked": false, + "system": false, + "content": true, + "group": 0, + "hidden": false, + "openEnded": false, + "associatedToAll": true, + "unmapped": false, + "unsearchable": true, + "caseInsensitive": true, + "sla": 0, + "threshold": 72, + "fromVersion": "6.5.0" +} \ No newline at end of file diff --git a/Packs/CommonTypes/IncidentFields/incidentfield-Start_Time.json b/Packs/CommonTypes/IncidentFields/incidentfield-Start_Time.json index b74b40901eb8..22238b4b4bcd 100644 --- a/Packs/CommonTypes/IncidentFields/incidentfield-Start_Time.json +++ b/Packs/CommonTypes/IncidentFields/incidentfield-Start_Time.json @@ -8,7 +8,8 @@ "CrowdStrike Falcon Incident", "Microsoft Defender For Endpoint", "Skyhigh Security Alert", - "Skyhigh Security Threat" + "Skyhigh Security Threat", + "Exabeam Incident" ], "breachScript": "", "caseInsensitive": true, diff --git a/Packs/CommonTypes/IncidentFields/incidentfield-Title.json b/Packs/CommonTypes/IncidentFields/incidentfield-Title.json index 0cdad582b55b..cabdfc9a1193 100644 --- a/Packs/CommonTypes/IncidentFields/incidentfield-Title.json +++ b/Packs/CommonTypes/IncidentFields/incidentfield-Title.json 
@@ -37,7 +37,8 @@ "AWS Guard Duty IAM Finding", "AWS Guard Duty Kubernetes Finding", "AWS Guard Duty Malware Protection Finding", - "AWS Guard Duty S3 Finding" + "AWS Guard Duty S3 Finding", + "Exabeam Incident" ], "associatedToAll": false, "unmapped": false, diff --git a/Packs/CommonTypes/IndicatorFields/indicatorfield-Languages.json b/Packs/CommonTypes/IndicatorFields/indicatorfield-Languages.json new file mode 100644 index 000000000000..c87919f51c70 --- /dev/null +++ b/Packs/CommonTypes/IndicatorFields/indicatorfield-Languages.json @@ -0,0 +1,29 @@ +{ + "id": "indicator_languages", + "version": -1, + "modified": "2022-12-29T08:16:02.361764813Z", + "name": "Languages", + "ownerOnly": false, + "description": "Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to - RFC5646.", + "cliName": "languages", + "type": "tagsSelect", + "closeForm": false, + "editForm": true, + "required": false, + "neverSetAsRequired": false, + "isReadOnly": false, + "useAsKpi": false, + "locked": false, + "system": false, + "content": true, + "group": 2, + "hidden": false, + "openEnded": false, + "associatedToAll": true, + "unmapped": false, + "unsearchable": true, + "caseInsensitive": true, + "sla": 0, + "threshold": 72, + "fromVersion": "6.5.0" +} \ No newline at end of file diff --git a/Packs/CommonTypes/IndicatorFields/indicatorfield-Vendor.json b/Packs/CommonTypes/IndicatorFields/indicatorfield-Vendor.json new file mode 100644 index 000000000000..531173cfa2b0 --- /dev/null +++ b/Packs/CommonTypes/IndicatorFields/indicatorfield-Vendor.json 
@@ -0,0 +1,28 @@ +{ + "id": "indicator_vendor", + "version": -1, + "modified": "2022-12-29T08:17:00.110483821Z", + "name": "Vendor", + "ownerOnly": false, + "cliName": "vendor", + "type": "shortText", + "closeForm": false, + "editForm": true, + "required": false, + "neverSetAsRequired": false, + "isReadOnly": false, + "useAsKpi": false, + "locked": false, + "system": false, + "content": true, + "group": 2, + "hidden": false, + "openEnded": false, + "associatedToAll": true, + "unmapped": false, + "unsearchable": true, + "caseInsensitive": true, + "sla": 0, + "threshold": 72, + "fromVersion": "6.5.0" +} \ No newline at end of file diff --git a/Packs/CommonTypes/IndicatorFields/indicatorfield-Version.json b/Packs/CommonTypes/IndicatorFields/indicatorfield-Version.json new file mode 100644 index 000000000000..d4c7ac4cc3c4 --- /dev/null +++ b/Packs/CommonTypes/IndicatorFields/indicatorfield-Version.json @@ -0,0 +1,28 @@ +{ + "id": "indicator_version", + "version": -1, + "modified": "2022-12-29T08:17:22.095878244Z", + "name": "Version", + "ownerOnly": false, + "cliName": "version", + "type": "shortText", + "closeForm": false, + "editForm": true, + "required": false, + "neverSetAsRequired": false, + "isReadOnly": false, + "useAsKpi": false, + "locked": false, + "system": false, + "content": true, + "group": 2, + "hidden": false, + "openEnded": false, + "associatedToAll": true, + "unmapped": false, + "unsearchable": true, + "caseInsensitive": true, + "sla": 0, + "threshold": 72, + "fromVersion": "6.5.0" +} \ No newline at end of file diff --git a/Packs/CommonTypes/IndicatorFields/indicatorfield-cpe.json b/Packs/CommonTypes/IndicatorFields/indicatorfield-cpe.json new file mode 100644 index 000000000000..3cd121406e3b --- /dev/null +++ b/Packs/CommonTypes/IndicatorFields/indicatorfield-cpe.json 
@@ -0,0 +1,29 @@ +{ + "id": "indicator_cpe", + "version": -1, + "modified": "2022-12-29T08:06:20.294356126Z", + "name": "CPE", + "ownerOnly": false, + "description": "Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary", + "cliName": "cpe", + "type": "shortText", + "closeForm": false, + "editForm": true, + "required": false, + "neverSetAsRequired": false, + "isReadOnly": false, + "useAsKpi": false, + "locked": false, + "system": false, + "content": true, + "group": 2, + "hidden": false, + "openEnded": false, + "associatedToAll": true, + "unmapped": false, + "unsearchable": true, + "caseInsensitive": true, + "sla": 0, + "threshold": 72, + "fromVersion": "6.5.0" +} \ No newline at end of file diff --git a/Packs/CommonTypes/IndicatorFields/indicatorfield-swid.json b/Packs/CommonTypes/IndicatorFields/indicatorfield-swid.json new file mode 100644 index 000000000000..47fe47f62082 --- /dev/null +++ b/Packs/CommonTypes/IndicatorFields/indicatorfield-swid.json @@ -0,0 +1,29 @@ +{ + "id": "indicator_swid", + "version": -1, + "modified": "2022-12-29T08:12:28.451895767Z", + "name": "SWID", + "ownerOnly": false, + "description": "Specifies the Software Identification (SWID) tags entry for the software", + "cliName": "swid", + "type": "markdown", + "closeForm": false, + "editForm": true, + "required": false, + "neverSetAsRequired": false, + "isReadOnly": false, + "useAsKpi": false, + "locked": false, + "system": false, + "content": true, + "group": 2, + "hidden": false, + "openEnded": false, + "associatedToAll": true, + "unmapped": false, + "unsearchable": true, + "caseInsensitive": true, + "sla": 0, + "threshold": 72, + "fromVersion": "6.5.0" +} \ No newline at end of file diff --git a/Packs/CommonTypes/IndicatorTypes/reputation-Software.json b/Packs/CommonTypes/IndicatorTypes/reputation-Software.json new file mode 100644 index 000000000000..365e9fe41b39 
--- /dev/null +++ b/Packs/CommonTypes/IndicatorTypes/reputation-Software.json @@ -0,0 +1,60 @@ +{ + "id": "Software", + "version": -1, + "modified": "2022-12-29T08:33:10.878587682Z", + "shouldCommit": false, + "regex": "", + "details": "Software", + "prevDetails": "Software", + "system": false, + "locked": false, + "disabled": false, + "file": false, + "updateAfter": 0, + "mergeContext": false, + "manualMapping": { + "cpe": { + "simple": "Software.cpe" + }, + "description": { + "simple": "Software.Description" + }, + "languages": { + "complex": { + "root": "Software", + "filters": [], + "accessor": "Languages", + "transformers": [ + { + "operator": "split", + "args": { + "delimiter": { + "value": { + "simple": "," + } + } + } + } + ] + } + }, + "stixid": { + "simple": "Software.StixID" + }, + "swid": { + "simple": "Software.swid" + }, + "trafficlightprotocol": { + "simple": "Software.TLP" + }, + "vendor": { + "simple": "Software.Vendor" + }, + "version": { + "simple": "Software.Version" + } + }, + "expiration": 0, + "layout": "Software", + "fromVersion": "6.5.0" +} diff --git a/Packs/CommonTypes/IndicatorTypes/reputation-domain.json b/Packs/CommonTypes/IndicatorTypes/reputation-domain.json index fb8980ee2f7c..be9225e12a4c 100644 --- a/Packs/CommonTypes/IndicatorTypes/reputation-domain.json +++ b/Packs/CommonTypes/IndicatorTypes/reputation-domain.json @@ -6,7 +6,7 @@ "sortValues": null, "commitMessage": "", "shouldCommit": false, - "regex": "(?i)(?P(?:http|ftp|hxxp)s?(?:://|-3A__|%3A%2F%2F))?(?P(?:[\\p{L}\\d\\-–_]+(?:\\.|\\[\\.\\]))+[\\p{L}]{2,})(?:[_/\\s\\\"',)\\]}>]|[.]\\s|%2F|.?$)", + "regex": "(?i)(?P(?:http|ftp|hxxp)s?(?:://|-3A__|%3A%2F%2F))?(?P(?:[\\p{L}\\d\\-–_]+(?:\\.|\\[\\.\\]))+[\\p{L}]{2,})", "details": "Domain", "prevDetails": "Domain", "reputationScriptName": "", diff --git a/Packs/CommonTypes/IndicatorTypes/reputation-url.json b/Packs/CommonTypes/IndicatorTypes/reputation-url.json index aed09e7c1239..fab1fb9f937d 100644 
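Review bot: Dropping the trailing delimiter group `(?:[_/\\s\\\"',)\\]}>]|[.]\\s|%2F|.?$)` from the domain regex also drops the only boundary check, so the new pattern matches a prefix of a longer token — `host.name123` or `user.domain_x` now yields `host.name` / `user.domain` — and those fragments will be auto-extracted as Domain indicators and sent for enrichment. If the war-room markdown breakage named in release note 3.3.39 was caused by the consumed delimiter ending up inside the match (I cannot confirm the root cause from the diff), a zero-width check keeps the boundary without consuming anything: end the pattern with `[\\p{L}]{2,})(?![\\p{L}\\d\\-–_])` instead of the bare `[\\p{L}]{2,})`. The named groups in this hunk appear stripped by the page rendering (`(?P(?:http|ftp|hxxp)`), so verify the exact syntax against the file.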
--- a/Packs/CommonTypes/IndicatorTypes/reputation-url.json +++ b/Packs/CommonTypes/IndicatorTypes/reputation-url.json 
@@ -7,7 +7,7 @@ "commitMessage": "", "shouldPublish": false, "shouldCommit": false, - "regex": "(?i)[\\[({\"']*(?:(?:(?:https?|hxxps?|s?ftps?|meows?)[:-](?:\\/\\/|\\\\\\\\|3A__))(?:[-_\\d\\p{L}\\p{S}]+\\[?\\.\\]?)+[-_\\d\\p{L}\\[\\]]+(?::\\d+)?(?:[/*#?]*(?:[?\\d\\p{L}+&@'#%=~_\\\\\\/$!:.;*–—―\\-|\\[\\]]*|[(][\\-\\d\\p{L}+&@#\\/%=~_$?!:,;*–—―|\\[\\]]*[)])*)|(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|(?:(?:[\\[\\]\\p{L}\\dֿ]+\\[?\\.\\]?)+[\\p{L}]+))(?::[\\d]+)?\\/(?:[\\-\\p{L}+&@#\\/%=~_$?!\\\\:,;*–—―|.\\])]+(?:\\d*)?)+|(?:(?:https?|s?ftps?|hxxps?):(?:\\/\\/|\\\\\\\\))[\\d][\\S]+|((https?|s?ftps?|hxxps?):((\\/\\/)|(\\\\\\\\)))?(\\[)?(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))(\\])?(:[\\d]+)?(((\\/|\\\\)[\\d]+(\\/|\\\\)[-\\d\\p{L}+&@'#\\/%=~_$!\\-:.;\\\\*–—―|\\[\\]]+)|((\\/|\\\\)[^\\d \\n\\t]+)))[\\])}\"']*", + "regex": 
"(?i)(?P(?Phttps?|hxxps?|s?ftps?|meows?)[:-](?://|\\\\|3A__))?(?P(?P(?:[-_\\d\\p{L}\\p{S}]+\\[?\\.\\]?)+[-_\\d\\p{L}\\[\\]]{2,}.?)|(?P(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))|(?P\\[?(?:(?:[0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,7}:|(?:[0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,5}(?::[0-9a-fA-F]{1,4}){1,2}|(?:[0-9a-fA-F]{1,4}:){1,4}(?::[0-9a-fA-F]{1,4}){1,3}|(?:[0-9a-fA-F]{1,4}:){1,3}(?::[0-9a-fA-F]{1,4}){1,4}|(?:[0-9a-fA-F]{1,4}:){1,2}(?::[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:(?:(?::[0-9a-fA-F]{1,4}){1,6})|:(?:(?::[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(?::[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(?:ffff(?::0{1,4}){0,1}:){0,1}(?:(?:25[0-5]|(?:2[0-4]|1{0,1}[0-9]){0,1}[0-9])\\.){3,3}(?:25[0-5]|(?:2[0-4]|1{0,1}[0-9]){0,1}[0-9])|(?:[0-9a-fA-F]{1,4}:){1,4}:(?:(?:25[0-5]|(?:2[0-4]|1{0,1}[0-9]){0,1}[0-9])\\.){3,3}(?:25[0-5]|(?:2[0-4]|1{0,1}[0-9]){0,1}[0-9]))(?:\\])?))(?P:[\\d]+)?(?P[/*#?]+(?:[?\\d\\p{L}+&@'#%=~_\\\\\\/$!:.;*–—―\\-|\\[\\]]*|[(][\\-\\d\\p{L}+&@#\\/%=~_$?!:,;*–—―|\\[\\]]*[)])*)", "details": "URL", "prevDetails": "URL", "reputationScriptName": "", diff --git a/Packs/CommonTypes/Layouts/layoutscontainer-Software.json b/Packs/CommonTypes/Layouts/layoutscontainer-Software.json new file mode 100644 index 000000000000..b45b75c48741 --- /dev/null +++ b/Packs/CommonTypes/Layouts/layoutscontainer-Software.json 
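Review bot: The rewritten domain alternative ends in `[-_\\d\\p{L}\\[\\]]{2,}.?`, and that unescaped `.?` consumes one arbitrary character, so a URL followed by punctuation — `https://example.com)` or `https://example.com,` — is extracted with the `)` or `,` as part of the indicator value, which then feeds reputation lookups and relationship matching with a wrong key. If the intent is to tolerate a trailing dot on an FQDN, that is `\\.?` in the JSON string; if no trailing character should be admitted, drop the `.?` entirely. Note also that the class `[-_\\d\\p{L}\\p{S}]+` admits Unicode symbol characters in hostnames; this predates the change but is worth keeping in mind when triaging false positives from this regex. The named groups in this hunk appear stripped by the page rendering (`(?P(?Phttps?`), so check the exact named-group syntax against the file itself.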
@@ -0,0 +1,640 @@ +{ + "edit": { + "sections": [ + { + "description": "", + "fields": [ + { + "fieldId": "indicator_value", + "isVisible": true + }, + { + "fieldId": "indicator_indicatortype", + "isVisible": true + }, + { + "fieldId": "indicator_score", + "isVisible": true + }, + { + "fieldId": "indicator_expiration", + "isVisible": true + }, + { + "fieldId": "indicator_comment", + "isVisible": true + }, + { + "fieldId": "indicator_investigationids", + "isVisible": true + } + ], + "isVisible": true, + "name": "Basic Information", + "query": null, + "queryType": "", + "readOnly": false, + "type": "basicInformationSection" + }, + { + "description": "", + "fields": [ + { + "fieldId": "indicator_description", + "isVisible": true + }, + { + "fieldId": "indicator_stixid", + "isVisible": true + }, + { + "fieldId": "indicator_trafficlightprotocol", + "isVisible": true + }, + { + "fieldId": "indicator_tags", + "isVisible": true + } + ], + "isVisible": true, + "name": "Custom fields - core", + "query": null, + "queryType": "", + "readOnly": false, + "type": "" + }, + { + "description": "", + "fields": [ + { + "fieldId": "indicator_cpe", + "isVisible": true + }, + { + "fieldId": "indicator_swid", + "isVisible": true + }, + { + "fieldId": "indicator_languages", + "isVisible": true + }, + { + "fieldId": "indicator_vendor", + "isVisible": true + }, + { + "fieldId": "indicator_version", + "isVisible": true + } + ], + "isVisible": true, + "name": "Custom fields - unique", + "query": null, + "queryType": "", + "readOnly": false, + "type": "" + } + ] + }, + "group": "indicator", + "id": "Software", + "indicatorsDetails": { + "tabs": [ + { + "id": "main", + "name": "Summary", + "sections": [ + { + "columns": [ + { + "displayed": true, + "isDefault": false, + "key": "id", + "width": 110 + }, + { + "displayed": true, + "isDefault": true, + "key": "name", + "width": 300 + }, + { + "displayed": true, + "isDefault": false, + "key": "severity", + "width": 80 + }, + { + "displayed": true, + 
"isDefault": true, + "key": "type", + "width": 200 + }, + { + "displayed": true, + "isDefault": true, + "key": "status", + "width": 80 + } + ], + "displayType": "ROW", + "h": 3, + "hideName": false, + "i": "main-c1f3f0d0-a09d-11e9-8956-390f602b039a", + "isVisible": true, + "items": null, + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Related Incidents", + "readOnly": true, + "static": false, + "type": "relatedIncidents", + "w": 3, + "x": 0, + "y": 6 + }, + { + "displayType": "ROW", + "h": 3, + "hideName": false, + "i": "main-e2c8c970-a09d-11e9-8956-390f602b039a", + "isVisible": true, + "items": [ + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "comment", + "height": 22, + "id": "0b9dd200-a09e-11e9-8956-390f602b039a", + "index": 0, + "listId": "e2c8c970-a09d-11e9-8956-390f602b039a", + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "timestamp", + "height": 22, + "id": "0a4b4e10-81af-11ec-a247-cfbd25dcdbb6", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "modified", + "height": 22, + "id": "54038b80-ccca-11ea-a049-6b4b59f3b34f", + "index": 1, + "listId": "main-e2c8c970-a09d-11e9-8956-390f602b039a", + "sectionItemType": "field", + "startCol": 0 + }, + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "stixid", + "height": 22, + "id": "f1ebc8a0-d17d-11ea-b39d-69849bf59ed7", + "index": 2, + "listId": "main-e2c8c970-a09d-11e9-8956-390f602b039a", + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "cpe", + "height": 22, + "id": "c5bad550-8751-11ed-94d8-d7368a18fd7a", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "languages", + "height": 22, + "id": "cb3d0cf0-8751-11ed-94d8-d7368a18fd7a", + "index": 4, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "vendor", + "height": 22, + "id": "d0a81310-8751-11ed-94d8-d7368a18fd7a", + "index": 
5, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "version", + "height": 22, + "id": "d49070d0-8751-11ed-94d8-d7368a18fd7a", + "index": 6, + "sectionItemType": "field", + "startCol": 0 + }, + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "trafficlightprotocol", + "height": 22, + "id": "b36304a0-b6dd-11ea-842d-c3903a6d3bd1", + "index": 7, + "listId": "main-0e19dbd0-4e74-11ea-8bf6-67db400d7da5", + "sectionItemType": "field", + "startCol": 0 + }, + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "tags", + "height": 22, + "id": "1cf1e850-4e74-11ea-8bf6-67db400d7da5", + "index": 8, + "listId": "main-0e19dbd0-4e74-11ea-8bf6-67db400d7da5", + "sectionItemType": "field", + "startCol": 0 + }, + { + "args": { + "field": { + "simple": "tags" + } + }, + "endCol": 1, + "fieldId": "", + "height": 44, + "id": "f1f63340-aa49-11ea-9e46-5ff91c1cf9b7", + "index": 9, + "name": "Add tags", + "scriptId": "Builtin|||appendIndicatorField", + "sectionItemType": "button", + "startCol": 0 + }, + { + "args": { + "field": { + "simple": "tags" + } + }, + "dropEffect": "move", + "endCol": 2, + "fieldId": "", + "height": 44, + "id": "fb499720-aa49-11ea-9e46-5ff91c1cf9b7", + "index": 9, + "listId": "main-0e19dbd0-4e74-11ea-8bf6-67db400d7da5", + "name": "Remove tags", + "scriptId": "Builtin|||removeIndicatorField", + "sectionItemType": "button", + "startCol": 1 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Software Details", + "static": false, + "w": 1, + "x": 1, + "y": 0 + }, + { + "h": 2, + "i": "main-acbc9a10-3d54-11ea-8f80-71a50769e869", + "items": null, + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Timeline", + "static": false, + "type": "indicatorTimeline", + "w": 1, + "x": 2, + "y": 2 + }, + { + "h": 2, + "i": "main-e608e030-3d54-11ea-8f80-71a50769e869", + "items": null, + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Comments", + "static": false, + "type": "comments", + "w": 1, + "x": 2, + "y": 4 + }, + { + 
"displayType": "ROW", + "h": 3, + "hideItemTitleOnlyOne": true, + "hideName": false, + "i": "main-a37f4790-cf12-11ea-99ca-719a20305a18", + "items": [ + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "description", + "height": 106, + "id": "3a65d1d0-d17d-11ea-b39d-69849bf59ed7", + "index": 0, + "listId": "main-a37f4790-cf12-11ea-99ca-719a20305a18", + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Software Description", + "static": false, + "w": 1, + "x": 0, + "y": 0 + }, + { + "h": 3, + "i": "main-979b5ae0-979e-11eb-a8d1-098e2c945225", + "items": [], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Relationships", + "static": false, + "type": "relationshipsTable", + "w": 2, + "x": 0, + "y": 3 + }, + { + "displayType": "ROW", + "h": 2, + "hideItemTitleOnlyOne": true, + "hideName": false, + "i": "main-86809d70-8751-11ed-94d8-d7368a18fd7a", + "items": [ + { + "endCol": 2, + "fieldId": "swid", + "height": 22, + "id": "b39d88e0-8751-11ed-94d8-d7368a18fd7a", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "SWID", + "static": false, + "w": 1, + "x": 2, + "y": 0 + } + ], + "type": "custom" + }, + { + "hidden": false, + "id": "ifyfdlsd7t", + "name": "Publications and notes", + "sections": [ + { + "displayType": "ROW", + "h": 9, + "hideName": false, + "i": "ifyfdlsd7t-zuteowyvsu-e768a150-7ebf-11ec-b7e4-a70f28a44ba6", + "items": [ + { + "endCol": 6, + "fieldId": "publications", + "height": 106, + "id": "f6abcbb0-7ebf-11ec-b7e4-a70f28a44ba6", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 6, + "fieldId": "communitynotes", + "height": 106, + "id": "f8eb5b70-7ebf-11ec-b7e4-a70f28a44ba6", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Publications and notes", + "static": false, + "w": 3, + "x": 0, + "y": 0 + } + ], + "type": 
"custom" + } + ] + }, + "indicatorsQuickView": { + "tabs": [ + { + "id": "indicator-quick-view-info", + "name": "Info", + "sections": [ + { + "h": 2, + "i": "indicator-quick-view-info-relatedIncidents", + "maxW": 3, + "moved": false, + "name": "Related Incidents", + "static": false, + "type": "relatedIncidents", + "w": 1, + "x": 0, + "y": 4 + }, + { + "h": 2, + "i": "indicator-quick-view-info-comments", + "maxW": 3, + "moved": false, + "name": "Comments", + "static": false, + "type": "comments", + "w": 1, + "x": 0, + "y": 6 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "indicator-quick-view-info-3518e4c0-cccc-11ea-a049-6b4b59f3b34f", + "items": [ + { + "endCol": 2, + "fieldId": "timestamp", + "height": 22, + "id": "0cc59400-8a4e-11ec-a1ef-6369524b39c7", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "modified", + "height": 22, + "id": "3faf7700-cccc-11ea-a049-6b4b59f3b34f", + "index": 1, + "listId": "indicator-quick-view-info-3518e4c0-cccc-11ea-a049-6b4b59f3b34f", + "sectionItemType": "field", + "startCol": 0 + }, + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "stixid", + "height": 22, + "id": "20001a20-d183-11ea-b1ee-39abdac77dba", + "index": 2, + "listId": "indicator-quick-view-info-3518e4c0-cccc-11ea-a049-6b4b59f3b34f", + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "cpe", + "height": 22, + "id": "070576a0-8752-11ed-94d8-d7368a18fd7a", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "languages", + "height": 22, + "id": "0bda7e50-8752-11ed-94d8-d7368a18fd7a", + "index": 4, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "vendor", + "height": 22, + "id": "133d5cd0-8752-11ed-94d8-d7368a18fd7a", + "index": 5, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "version", + "height": 22, + "id": 
"16a16f60-8752-11ed-94d8-d7368a18fd7a", + "index": 6, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "trafficlightprotocol", + "height": 22, + "id": "acc3f580-d16f-11ea-b39d-69849bf59ed7", + "index": 7, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "tags", + "height": 22, + "id": "indicator-quick-view-info-tags-field", + "index": 8, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Software Details", + "static": false, + "w": 1, + "x": 0, + "y": 2 + }, + { + "displayType": "ROW", + "h": 2, + "hideItemTitleOnlyOne": true, + "hideName": false, + "i": "indicator-quick-view-info-c9d165e0-d16f-11ea-b39d-69849bf59ed7", + "items": [ + { + "endCol": 2, + "fieldId": "description", + "height": 22, + "id": "514ccc90-d183-11ea-b1ee-39abdac77dba", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Software Description", + "static": false, + "w": 1, + "x": 0, + "y": 0 + } + ], + "type": "custom" + }, + { + "hidden": false, + "id": "se889tdxik", + "name": "Relationships", + "sections": [ + { + "h": 8, + "i": "se889tdxik-09585430-979f-11eb-a8d1-098e2c945225", + "items": [], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Relationships", + "static": false, + "type": "relationshipsTable", + "w": 1, + "x": 0, + "y": 0 + } + ], + "type": "custom" + } + ] + }, + "name": "Software", + "system": false, + "version": -1, + "fromVersion": "6.5.0", + "description": "" +} \ No newline at end of file diff --git a/Packs/CommonTypes/ReleaseNotes/3_3_38.md b/Packs/CommonTypes/ReleaseNotes/3_3_38.md new file mode 100644 index 000000000000..48d498cc49d5 --- /dev/null +++ b/Packs/CommonTypes/ReleaseNotes/3_3_38.md @@ -0,0 +1,4 @@ + +#### Indicator Types +- **urlRep** +- Fixed an issue where the URL type regex did not catch the full domain indicator when it was separated by a hyphen. 
diff --git a/Packs/CommonTypes/ReleaseNotes/3_3_39.md b/Packs/CommonTypes/ReleaseNotes/3_3_39.md new file mode 100644 index 000000000000..0cde2544abd8 --- /dev/null +++ b/Packs/CommonTypes/ReleaseNotes/3_3_39.md @@ -0,0 +1,4 @@ + +#### Indicator Types +- **domainRepUnified** +Fixed an issue in the domain regex causing XSOAR markdown to break in the war-room. diff --git a/Packs/CommonTypes/ReleaseNotes/3_3_40.md b/Packs/CommonTypes/ReleaseNotes/3_3_40.md new file mode 100644 index 000000000000..bd01c26e465b --- /dev/null +++ b/Packs/CommonTypes/ReleaseNotes/3_3_40.md @@ -0,0 +1,10 @@ + +#### Incident Fields +Added the **Exabeam Incident** incident type to the following incident fields: +- **Close Time** +- **Item Owner** +- **Start Time** +- **Title** +- **Source Updated by** + +Added the **Source Updated By** incident field. \ No newline at end of file diff --git a/Packs/CommonTypes/ReleaseNotes/3_3_41.md b/Packs/CommonTypes/ReleaseNotes/3_3_41.md new file mode 100644 index 000000000000..ed9452f589be --- /dev/null +++ b/Packs/CommonTypes/ReleaseNotes/3_3_41.md @@ -0,0 +1,14 @@ + +#### Indicator Fields +- **SWID** +- **Version** +- **Vendor** +- **Languages** +- **CPE** + +#### Indicator Types +- **Software** + +#### Layouts +##### New: Software +- Created a new layout for the new indicator type (Available from Cortex XSOAR 6.5.0). diff --git a/Packs/CommonTypes/pack_metadata.json b/Packs/CommonTypes/pack_metadata.json index 20719742d39c..5ab96a1f8533 100644 --- a/Packs/CommonTypes/pack_metadata.json +++ b/Packs/CommonTypes/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Common Types", "description": "This Content Pack will get you up and running in no-time and provide you with the most commonly used incident & indicator fields and types.", "support": "xsoar", - "currentVersion": "3.3.37", + "currentVersion": "3.3.41", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", 
diff --git a/Packs/ContentInstallation/Scripts/ContentPackInstaller/README.md b/Packs/ContentInstallation/Scripts/ContentPackInstaller/README.md index e69de29bb2d1..6b45427b5a3d 100644 --- a/Packs/ContentInstallation/Scripts/ContentPackInstaller/README.md +++ b/Packs/ContentInstallation/Scripts/ContentPackInstaller/README.md @@ -0,0 +1,4 @@ +### Troubleshooting +Multi-tenant environments should be configured with the Cortex Rest API instance when using this +automation. Make sure the *Use tenant* parameter (in the Cortex Rest API integration) is checked +to ensure that API calls are made to the current tenant instead of the master tenant. \ No newline at end of file diff --git a/Packs/ContentManagement/.pack-ignore b/Packs/ContentManagement/.pack-ignore index 23c556b761e9..4a860ce8a9c5 100644 --- a/Packs/ContentManagement/.pack-ignore +++ b/Packs/ContentManagement/.pack-ignore @@ -37,4 +37,6 @@ ignore=PB106 [known_words] cliname -CICD \ No newline at end of file +CICD +BitBucket +GitLab \ No newline at end of file diff --git a/Packs/ContentManagement/.secrets-ignore b/Packs/ContentManagement/.secrets-ignore index e69de29bb2d1..863cc49aaeca 100644 --- a/Packs/ContentManagement/.secrets-ignore +++ b/Packs/ContentManagement/.secrets-ignore @@ -0,0 +1 @@ +https://gitlab.com \ No newline at end of file diff --git a/Packs/ContentManagement/Playbooks/playbook-Pull_Request_Creation_-_Generic.yml b/Packs/ContentManagement/Playbooks/playbook-Pull_Request_Creation_-_Generic.yml index 9bd1a0860eb9..ab981607f3fa 100644 --- a/Packs/ContentManagement/Playbooks/playbook-Pull_Request_Creation_-_Generic.yml +++ b/Packs/ContentManagement/Playbooks/playbook-Pull_Request_Creation_-_Generic.yml @@ -6,10 +6,10 @@ starttaskid: "0" tasks: "0": id: "0" - taskid: 235d4f1f-490b-4885-8d96-51ff9fef2dff + taskid: 5e500d11-7271-4af7-8367-f80168225669 type: start task: - id: 235d4f1f-490b-4885-8d96-51ff9fef2dff + id: 5e500d11-7271-4af7-8367-f80168225669 version: -1 name: "" iscommand: false 
@@ -22,7 +22,7 @@ tasks: view: |- { "position": { - "x": 490, + "x": 695, "y": 50 } } @@ -36,10 +36,10 @@ tasks: continueonerrortype: "" "1": id: "1" - taskid: 15ffc64d-0ab8-4836-82f6-076c16759769 + taskid: 08f47732-082f-460f-8ccb-0b15755bce27 type: regular task: - id: 15ffc64d-0ab8-4836-82f6-076c16759769 + id: 08f47732-082f-460f-8ccb-0b15755bce27 version: -1 name: Unzip pack description: Unzip a file using fileName or entryID to specify a file. Unzipped files will be loaded to the War Room and names will be put into the context. @@ -59,7 +59,7 @@ tasks: view: |- { "position": { - "x": 490, + "x": 695, "y": 370 } } @@ -73,10 +73,10 @@ tasks: continueonerrortype: "" "11": id: "11" - taskid: 32ceacf6-4a23-41a7-8ed7-5ea275fcfe34 + taskid: 7248d03e-2b13-43cd-89ec-98fdd550c070 type: regular task: - id: 32ceacf6-4a23-41a7-8ed7-5ea275fcfe34 + id: 7248d03e-2b13-43cd-89ec-98fdd550c070 version: -1 name: Read metadata.json file description: Load the contents of a file into context. @@ -105,7 +105,7 @@ tasks: view: |- { "position": { - "x": 490, + "x": 695, "y": 545 } } @@ -119,10 +119,10 @@ tasks: continueonerrortype: "" "12": id: "12" - taskid: eb82dbd0-6591-4b1f-83db-404497e50cd8 + taskid: c38fe235-5a09-4621-82b0-1b65e94ea351 type: regular task: - id: eb82dbd0-6591-4b1f-83db-404497e50cd8 + id: c38fe235-5a09-4621-82b0-1b65e94ea351 version: -1 name: Set pack name description: Set a pack name in context under the key PackName. @@ -157,7 +157,7 @@ tasks: view: |- { "position": { - "x": 490, + "x": 695, "y": 720 } } @@ -171,10 +171,10 @@ tasks: continueonerrortype: "" "22": id: "22" - taskid: 3644c7a9-269e-4f00-83ad-f64523176434 + taskid: 9107974c-e152-4a7b-8f69-ca988881b001 type: regular task: - id: 3644c7a9-269e-4f00-83ad-f64523176434 + id: 9107974c-e152-4a7b-8f69-ca988881b001 version: -1 name: Send notification description: Sends a message to a user, group, or channel. 
@@ -198,8 +198,8 @@ tasks: view: |- { "position": { - "x": 50, - "y": 2240 + "x": 685, + "y": 2235 } } note: false @@ -212,10 +212,10 @@ tasks: continueonerrortype: "" "23": id: "23" - taskid: 86b53518-6f73-4716-835c-97f57a417ca8 + taskid: 21e06594-223f-4e48-815d-7caef3b9f39e type: regular task: - id: 86b53518-6f73-4716-835c-97f57a417ca8 + id: 21e06594-223f-4e48-815d-7caef3b9f39e version: -1 name: Get username description: commands.local.cmd.get.users @@ -235,7 +235,7 @@ tasks: view: |- { "position": { - "x": 490, + "x": 695, "y": 195 } } @@ -249,10 +249,10 @@ tasks: continueonerrortype: "" "32": id: "32" - taskid: a979f769-d17b-4817-884a-c533a556c4c4 + taskid: 5cec1b8d-460f-444c-8606-b0ddf6233fa5 type: regular task: - id: a979f769-d17b-4817-884a-c533a556c4c4 + id: 5cec1b8d-460f-444c-8606-b0ddf6233fa5 version: -1 name: Set incident fields values description: |- @@ -285,8 +285,8 @@ tasks: view: |- { "position": { - "x": 275, - "y": 1390 + "x": 470, + "y": 1370 } } note: false @@ -299,10 +299,10 @@ tasks: continueonerrortype: "" "33": id: "33" - taskid: c17af818-1b69-4a1c-8e46-b10c58f11430 + taskid: 684639ae-9772-4cbe-8a1f-94bd39ff8b44 type: condition task: - id: c17af818-1b69-4a1c-8e46-b10c58f11430 + id: 684639ae-9772-4cbe-8a1f-94bd39ff8b44 version: -1 name: Is Slack v2 enabled? description: Returns 'yes' if integration brand is available. Otherwise returns 'no' @@ -324,7 +324,7 @@ tasks: view: |- { "position": { - "x": 162.5, + "x": 797.5, "y": 1885 } } @@ -338,10 +338,10 @@ tasks: continueonerrortype: "" "34": id: "34" - taskid: 99c15f43-eea5-48af-8576-c1434229f937 + taskid: ac2776bf-b590-45b4-8c0f-a71529e04bad type: condition task: - id: 99c15f43-eea5-48af-8576-c1434229f937 + id: ac2776bf-b590-45b4-8c0f-a71529e04bad version: -1 name: Is Microsoft Teams enabled? description: Returns 'yes' if integration brand is available. Otherwise returns 'no' @@ -363,7 +363,7 @@ tasks: view: |- { "position": { - "x": 275, + "x": 910, "y": 2060 } } 
@@ -377,10 +377,10 @@ tasks: continueonerrortype: "" "42": id: "42" - taskid: f201d067-53ac-48b4-8926-a7eef801bafe + taskid: 45cb8118-9845-49bd-838e-b22df3cec2c1 type: title task: - id: f201d067-53ac-48b4-8926-a7eef801bafe + id: 45cb8118-9845-49bd-838e-b22df3cec2c1 version: -1 name: Send notification type: title @@ -394,7 +394,7 @@ tasks: view: |- { "position": { - "x": 275, + "x": 910, "y": 1565 } } @@ -408,10 +408,10 @@ tasks: continueonerrortype: "" "43": id: "43" - taskid: e964d19f-6760-4ead-836b-9e9495a7c349 + taskid: bb251813-25d1-4567-8dc6-c59b67dd4ef1 type: title task: - id: e964d19f-6760-4ead-836b-9e9495a7c349 + id: bb251813-25d1-4567-8dc6-c59b67dd4ef1 version: -1 name: Done type: title @@ -422,7 +422,7 @@ tasks: view: |- { "position": { - "x": 275, + "x": 1012.5, "y": 2410 } } @@ -436,10 +436,10 @@ tasks: continueonerrortype: "" "44": id: "44" - taskid: 45959dca-48b2-41a6-87e7-db5e9e39d206 + taskid: 9a0fece8-462f-4528-85b5-5d7bcf3d60b4 type: condition task: - id: 45959dca-48b2-41a6-87e7-db5e9e39d206 + id: 9a0fece8-462f-4528-85b5-5d7bcf3d60b4 version: -1 name: Is channel given? type: condition @@ -466,7 +466,7 @@ tasks: view: |- { "position": { - "x": 275, + "x": 910, "y": 1710 } } @@ -480,10 +480,10 @@ tasks: continueonerrortype: "" "45": id: "45" - taskid: 40898dbb-39bf-42ef-8981-c8e37e9ba4a8 + taskid: 840fad60-19e4-4626-82c9-b297c28fd61c type: playbook task: - id: 40898dbb-39bf-42ef-8981-c8e37e9ba4a8 + id: 840fad60-19e4-4626-82c9-b297c28fd61c version: -1 name: Pull Request Creation - Github description: This playbook creates a pull request using Github integration. @@ -516,8 +516,8 @@ tasks: view: |- { "position": { - "x": 275, - "y": 1215 + "x": 470, + "y": 1210 } } note: false 
@@ -530,10 +530,10 @@ tasks: continueonerrortype: "" "46": id: "46" - taskid: 49cc5d40-6c4f-4cd9-8052-f5c390f3b801 + taskid: e46c9f2a-788b-4bef-81f1-a3bb83bdc5e3 type: title task: - id: 49cc5d40-6c4f-4cd9-8052-f5c390f3b801 + id: e46c9f2a-788b-4bef-81f1-a3bb83bdc5e3 version: -1 name: Create the pull request type: title @@ -547,7 +547,7 @@ tasks: view: |- { "position": { - "x": 490, + "x": 695, "y": 895 } } @@ -561,10 +561,10 @@ tasks: continueonerrortype: "" "47": id: "47" - taskid: 279c30f3-1970-4cd9-8275-1f6aea84b175 + taskid: b4894f8f-75e3-4406-86f3-06500e96ba77 type: condition task: - id: 279c30f3-1970-4cd9-8275-1f6aea84b175 + id: b4894f8f-75e3-4406-86f3-06500e96ba77 version: -1 name: What integration to use for create the pull request description: Check the GitIntegration input to know which git integration we want to use to create the pull request. @@ -578,6 +578,8 @@ tasks: - "45" bitbucket: - "49" + GitLab: + - "53" separatecontext: false conditions: - label: github @@ -603,10 +605,20 @@ tasks: right: value: simple: bitbucket + - label: GitLab + condition: + - - operator: isEqualString + left: + value: + simple: inputs.GitIntegration + iscontext: true + right: + value: + simple: gitlab view: |- { "position": { - "x": 490, + "x": 695, "y": 1040 } } @@ -620,10 +632,10 @@ tasks: continueonerrortype: "" "48": id: "48" - taskid: 24dfbac3-fe79-4a09-880b-6cc67b28473a + taskid: fbc7b286-9eb2-4818-8ce0-a911a2eb654c type: regular task: - id: 24dfbac3-fe79-4a09-880b-6cc67b28473a + id: fbc7b286-9eb2-4818-8ce0-a911a2eb654c version: -1 name: Print error description: Prints an error entry with a given message @@ -646,8 +658,8 @@ tasks: view: |- { "position": { - "x": 1165, - "y": 1215 + "x": -30, + "y": 1210 } } note: false 
@@ -660,13 +672,13 @@ tasks: continueonerrortype: "" "49": id: "49" - taskid: 17ca51a0-19aa-4280-881d-2b40667c3abf + taskid: 0f8941a5-780f-4aec-8b31-f19ab6d3af24 type: playbook task: - id: 17ca51a0-19aa-4280-881d-2b40667c3abf + id: 0f8941a5-780f-4aec-8b31-f19ab6d3af24 version: -1 name: Pull Request Creation - Bitbucket - description: This playbook creates a pull request using Github integration. + description: This playbook creates a pull request using Bitbucket integration. playbookName: Pull Request Creation - Bitbucket type: playbook iscommand: false @@ -694,7 +706,7 @@ tasks: view: |- { "position": { - "x": 720, + "x": 910, "y": 1210 } } @@ -707,10 +719,10 @@ tasks: isautoswitchedtoquietmode: false "51": id: "51" - taskid: 76da55ce-d100-4731-8756-fdf64c71674b + taskid: 8094455e-1dab-4f49-8d98-02841f7d6011 type: regular task: - id: 76da55ce-d100-4731-8756-fdf64c71674b + id: 8094455e-1dab-4f49-8d98-02841f7d6011 version: -1 name: Set incident fields values description: |- 
@@ -744,7 +756,101 @@ tasks: view: |- { "position": { - "x": 720, + "x": 910, + "y": 1390 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "53": + id: "53" + taskid: e2a56c19-f448-43bc-887d-d22c5e435f07 + type: playbook + task: + id: e2a56c19-f448-43bc-887d-d22c5e435f07 + version: -1 + name: Pull Request Creation - GitLab + description: This playbook creates a pull request using GitLab integration. + playbookName: Pull Request Creation - GitLab + type: playbook + iscommand: false + brand: "" + nexttasks: + '#none#': + - "54" + scriptarguments: + MainBranch: + simple: ${inputs.MainBranch} + PackName: + simple: ${PackName} + PullRequestTemplate: + simple: ${inputs.PullRequestTemplate} + separatecontext: false + continueonerrortype: "" + loop: + iscommand: false + exitCondition: "" + wait: 1 + max: 100 + view: |- + { + "position": { + "x": 1340, + "y": 1210 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "54": + id: "54" + taskid: 04f8f18d-6c22-4cad-88dd-0a0fbf91d785 + type: regular + task: + id: 04f8f18d-6c22-4cad-88dd-0a0fbf91d785 + version: -1 + name: Set incident fields values + description: |- + Update the following incident fields with the relevant data: + - cicdreviewer + - cicdpullrequestlink + - cicdpackname + - cicdbranch + script: Builtin|||setIncident + type: regular + iscommand: true + brand: Builtin + nexttasks: + '#none#': + - "42" + scriptarguments: + cicdbranch: + complex: + root: BranchName + cicdpackname: + complex: + root: PackName + cicdpullrequestlink: + simple: https://github.com/${GitHub.PR.Head.Repo.FullName}/pull/${GitHub.PR.Number} + cicdreviewer: + complex: + root: GitLab.MergeRequest.reviewers + accessor: account_id + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1340, "y": 1390 
 }
 }
@@ -761,8 +867,8 @@ view: |-
 "paper": {
 "dimensions": {
 "height": 2425,
- "width": 1495,
- "x": 50,
+ "width": 1750,
+ "x": -30,
 "y": 50
 }
 }
@@ -781,13 +887,13 @@ inputs:
 playbookInputQuery:
 - key: MainBranch
 value:
- simple: master
+ simple: main
 required: true
 description: The name of the branch you want the changes pulled into, which must be an existing branch on the current repository.
 playbookInputQuery:
 - key: GitIntegration
 value:
- simple: github
+ simple: gitlab
 required: true
 description: Which version control integration to use. We support github, gitlab and bitbucket.
 playbookInputQuery:
@@ -795,5 +901,3 @@ outputs: []
 tests:
 - No tests (auto formatted)
 fromversion: 6.0.0
-contentitemexportablefields:
- contentitemfields: {}
diff --git a/Packs/ContentManagement/Playbooks/playbook-Pull_Request_Creation_-_GitLab.yml b/Packs/ContentManagement/Playbooks/playbook-Pull_Request_Creation_-_GitLab.yml
new file mode 100644
index 000000000000..fd09275bc939
--- /dev/null
+++ b/Packs/ContentManagement/Playbooks/playbook-Pull_Request_Creation_-_GitLab.yml
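Review bot: Task "54" in the new GitLab branch sets `cicdpullrequestlink` to `https://github.com/${GitHub.PR.Head.Repo.FullName}/pull/${GitHub.PR.Number}`, which is the GitHub task's value copied over; nothing in the GitLab path populates the `GitHub.PR` context, so the incident field ends up holding a broken github.com URL. The link should come from the merge request the sub-playbook created — it already reads `GitLab.MergeRequest.iid` elsewhere, so presumably the sibling `web_url` field, `simple: ${GitLab.MergeRequest.web_url}` (confirm against the GitLabv2 context outputs). Likewise `cicdreviewer` reads `GitLab.MergeRequest.reviewers` with accessor `account_id`, which looks like the Bitbucket field name; GitLab user objects expose `id` and `username`. Sub-playbook task "53" declares `outputs: []`, so these paths only work because of `separatecontext: false`, which is worth a comment on the task.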
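Review bot: The `GitIntegration` default changes from `github` to `gitlab` and `MainBranch` from `master` to `main` in the Generic playbook's inputs; any existing deployment that relied on the defaults silently starts creating pull requests through a different integration against a different branch. If the intent is only to add GitLab support, keep the previous defaults (`simple: github`, `simple: master`) or state the behaviour change explicitly in the release notes. The `isEqualString` match on `inputs.GitIntegration` appears to be case-sensitive (no `ignorecase` is set on that condition), so the description `We support github, gitlab and bitbucket.` should say the value must be lower-case.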
@@ -0,0 +1,1137 @@ +id: Pull Request Creation - GitLab +version: -1 +name: Pull Request Creation - GitLab +description: This playbook creates a pull request using GitLab integration. +starttaskid: "0" +tasks: + "0": + id: "0" + taskid: 6e73a904-d543-431d-8baf-f64094c7f953 + type: start + task: + id: 6e73a904-d543-431d-8baf-f64094c7f953 + version: -1 + name: "" + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "29" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 480, + "y": 50 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "2": + id: "2" + taskid: 9d0ae47a-be51-4532-83cd-d9f99ddb46a6 + type: regular + task: + id: 9d0ae47a-be51-4532-83cd-d9f99ddb46a6 + version: -1 + name: Get main branch + description: Get a list of repository branches from a project, alphabetically sorted by name. + script: GitLabv2|||gitlab-branch-list + type: regular + iscommand: true + brand: GitLabv2 + nexttasks: + '#none#': + - "38" + scriptarguments: + branch_name: + complex: + root: inputs.MainBranch + search: + simple: main + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 480, + "y": 895 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "6": + id: "6" + taskid: 90d6c4f6-6720-4f8a-86e2-11ac710d1ab5 + type: regular + task: + id: 90d6c4f6-6720-4f8a-86e2-11ac710d1ab5 + version: -1 + name: Commit files + description: This script gets content files as input from the context, commits the files in the correct folder and creates the pull request text. 
+ scriptName: CommitFiles + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "20" + scriptarguments: + branch: + complex: + root: BranchName + comment: + complex: + root: incident + accessor: cicdpullrequestcomment + files: + simple: ${File} + git_integration: + simple: Gitlab + pack: + simple: ${inputs.PackName} + template: + complex: + root: inputs.PullRequestTemplate + user: + complex: + root: DemistoUsers + transformers: + - operator: FirstArrayElement + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 480, + "y": 2060 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "7": + id: "7" + taskid: 3fb3e8bb-cc7e-4943-8f76-6c98f5d58b37 + type: regular + task: + id: 3fb3e8bb-cc7e-4943-8f76-6c98f5d58b37 + version: -1 + name: Create pull request + description: Creates a new merge request. + script: GitLabv2|||gitlab-merge-request-create + type: regular + iscommand: true + brand: GitLabv2 + nexttasks: + '#none#': + - "9" + scriptarguments: + description: + simple: ${PR_text} + partial_response: + simple: "false" + source_branch: + simple: ${inputs.MainBranch} + target_branch: + simple: ${AvailableBranch} + title: + complex: + root: incident + accessor: cicdpullrequesttitle + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 50, + "y": 2730 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "8": + id: "8" + taskid: dd6e4ab9-b214-4b15-87ca-07d509b61e7d + type: regular + task: + id: dd6e4ab9-b214-4b15-87ca-07d509b61e7d + version: -1 + name: Request pr review + description: Updates an existing merge request. You can change the target branch, title, or even close the merge request. 
+ script: GitLabv2|||gitlab-merge-request-update + type: regular + iscommand: true + brand: GitLabv2 + nexttasks: + '#none#': + - "36" + scriptarguments: + assignee_ids: + simple: ${incident.cicdreviewer} + merge_request_id: + simple: ${GitLab.MergeRequest.iid} + partial_response: + simple: "false" + target_branch: + simple: ${GitLab.MergeRequest.target_branch} + title: + simple: ${inputs.PackName} + separatecontext: false + continueonerror: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 377.5, + "y": 3080 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "9": + id: "9" + taskid: 3a40890d-fd97-4731-81d0-2e974222459e + type: condition + task: + id: 3a40890d-fd97-4731-81d0-2e974222459e + version: -1 + name: Add reviewer? + type: condition + iscommand: false + description: Add reviewer? + brand: "" + nexttasks: + '#default#': + - "36" + "yes": + - "8" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: incident.cicdreviewer + iscontext: true + ignorecase: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 265, + "y": 2905 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "18": + id: "18" + taskid: 365fbc78-7833-464d-8b27-1b29d015412f + type: regular + task: + id: 365fbc78-7833-464d-8b27-1b29d015412f + version: -1 + name: Get branch + description: Get a list of repository branches from a project, alphabetically sorted by name. 
+ script: GitLabv2|||gitlab-branch-list + type: regular + iscommand: true + brand: GitLabv2 + nexttasks: + '#none#': + - "19" + scriptarguments: + branch_name: + complex: + root: ${BranchName} + separatecontext: false + continueonerror: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 480, + "y": 1215 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "19": + id: "19" + taskid: 693bcb25-ccab-43ba-8f58-8bbfbf28ef35 + type: condition + task: + id: 693bcb25-ccab-43ba-8f58-8bbfbf28ef35 + version: -1 + name: Does branch exist? + type: condition + iscommand: false + brand: "" + description: Does branch exist? + nexttasks: + '#default#': + - "48" + "yes": + - "50" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isEqualString + left: + value: + simple: GitLab.Branch.name + iscontext: true + right: + value: + simple: ${BranchName} + continueonerrortype: "" + view: |- + { + "position": { + "x": 480, + "y": 1390 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "20": + id: "20" + taskid: 748cd435-122d-4b64-8fbc-073ac459c23d + type: condition + task: + id: 748cd435-122d-4b64-8fbc-073ac459c23d + version: -1 + name: Does branch exist? + type: condition + iscommand: false + brand: "" + description: Does branch exist? 
+ nexttasks: + '#default#': + - "40" + branch exist: + - "41" + separatecontext: false + conditions: + - label: branch exist + condition: + - - operator: isEqualString + left: + value: + simple: ${IsBranchExist} + iscontext: true + right: + value: + simple: "true" + continueonerrortype: "" + view: |- + { + "position": { + "x": 480, + "y": 2235 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "25": + id: "25" + taskid: d0d3c442-10ea-47c3-896a-ac87465aa8f8 + type: regular + task: + id: d0d3c442-10ea-47c3-896a-ac87465aa8f8 + version: -1 + name: Set branch name from CI/CD Branch field + description: Set a value in context under the key you entered. + scriptName: Set + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "2" + scriptarguments: + key: + simple: BranchName + value: + complex: + root: incident + accessor: cicdbranch + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 480, + "y": 720 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "26": + id: "26" + taskid: bc7810b4-cfbf-4865-8846-4f471db127c6 + type: condition + task: + id: bc7810b4-cfbf-4865-8846-4f471db127c6 + version: -1 + name: Is CI/CD Branch field given + type: condition + iscommand: false + brand: "" + description: Is there a branch name in the update branch field in the incident. 
+ nexttasks: + '#default#': + - "27" + "yes": + - "25" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: incident.cicdbranch + iscontext: true + right: + value: {} + ignorecase: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 265, + "y": 370 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "27": + id: "27" + taskid: 27ca3ba5-6321-4cc2-8074-f58565fdbc56 + type: regular + task: + id: 27ca3ba5-6321-4cc2-8074-f58565fdbc56 + version: -1 + name: Suggest branch name + description: | + The script gets the pack name as input and suggests an available branch name, for example: + pack name is "MyPack" the branch name will be "MyPack". + If a branch with the name "MyPack" exists, the script return "MyPack_1". + scriptName: SuggestBranchName + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "28" + scriptarguments: + pack: + simple: ${inputs.PackName} + use_command: + simple: gitlab-branch-list + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 50, + "y": 545 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "28": + id: "28" + taskid: b5f30c74-e49f-4b1c-8833-b839b0d0c2c4 + type: regular + task: + id: b5f30c74-e49f-4b1c-8833-b839b0d0c2c4 + version: -1 + name: Set branch name from SuggestBranchName output + description: Set a value in context under the key you entered. 
+ scriptName: Set + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "2" + scriptarguments: + key: + simple: BranchName + value: + complex: + root: AvailableBranch + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 50, + "y": 720 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "29": + id: "29" + taskid: 5f725051-252d-40bf-8622-fa5998683911 + type: condition + task: + id: 5f725051-252d-40bf-8622-fa5998683911 + version: -1 + name: Is CI/CD Pull Request Branch field given + type: condition + iscommand: false + description: Is there a branch name in the update branch field in the incident. + brand: "" + nexttasks: + '#default#': + - "26" + "yes": + - "30" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: incident.cicdpullrequestbranch + iscontext: true + right: + value: {} + ignorecase: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 480, + "y": 195 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "30": + id: "30" + taskid: 16290b8c-3711-43ff-876f-2fd79b7eea05 + type: regular + task: + id: 16290b8c-3711-43ff-876f-2fd79b7eea05 + version: -1 + name: Set branch name from CI/CD Pull Request Branch field + description: Set a value in context under the key you entered. 
+ scriptName: Set + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "2" + scriptarguments: + key: + simple: BranchName + value: + complex: + root: incident + accessor: cicdpullrequestbranch + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 910, + "y": 720 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "31": + id: "31" + taskid: b578fa51-7316-4d8b-840e-79ca721cb0ce + type: regular + task: + id: b578fa51-7316-4d8b-840e-79ca721cb0ce + version: -1 + name: Get merge request + description: Get all merge requests for this project. + script: GitLabv2|||gitlab-merge-request-list + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "51" + scriptarguments: + partial_response: + simple: "false" + search: + simple: ${BranchName} + source_branch: + simple: ${BranchName} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 910, + "y": 2555 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "35": + id: "35" + taskid: a595408c-7033-414b-82ab-60cb615b3677 + type: regular + task: + id: a595408c-7033-414b-82ab-60cb615b3677 + version: -1 + name: Set MessageText value for update action + description: Set a value in context under the key you entered. 
+ scriptName: Set + type: regular + iscommand: false + brand: "" + scriptarguments: + key: + simple: MessageText + value: + simple: |- + This pull request for the pack ${PackName} was updated by ${DemistoUsers.[0].username}: + https://github.com/${GitHub.PR.Head.Repo.FullName}/pull/${GitHub.PR.Number} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 910, + "y": 2945 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "36": + id: "36" + taskid: c6bdf395-0ea9-4a81-8b9d-7bab0f62591f + type: regular + task: + id: c6bdf395-0ea9-4a81-8b9d-7bab0f62591f + version: -1 + name: Set MessageText for new pull request + description: Set a value in context under the key you entered. + scriptName: Set + type: regular + iscommand: false + brand: "" + scriptarguments: + key: + simple: MessageText + value: + simple: |- + New pull request was created by ${DemistoUsers.[0].username} for the pack ${PackName}: + https://gitlab.com/${GitLab.PR.Head.Repo.FullName}/pull/${GitLab.PR.Number} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 265, + "y": 3255 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "38": + id: "38" + taskid: 05b1d5e1-9e95-49f8-8687-b1a651b07c5a + type: title + task: + id: 05b1d5e1-9e95-49f8-8687-b1a651b07c5a + version: -1 + name: Check if branch exists and create it if not + type: title + iscommand: false + brand: "" + description: Check if branch exists and create it if not + nexttasks: + '#none#': + - "18" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 480, + "y": 1070 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "39": 
+ id: "39" + taskid: 167b1554-113b-46b7-8e5e-e5345ed5b38e + type: title + task: + id: 167b1554-113b-46b7-8e5e-e5345ed5b38e + version: -1 + name: Commit the files + type: title + iscommand: false + brand: "" + description: running the script CommitFiles + nexttasks: + '#none#': + - "6" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 480, + "y": 1915 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "40": + id: "40" + taskid: 1d56e97e-7315-436e-8759-a062164c40dc + type: title + task: + id: 1d56e97e-7315-436e-8759-a062164c40dc + version: -1 + name: Create new pull request + type: title + iscommand: false + brand: "" + description: creating pull request + nexttasks: + '#none#': + - "46" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 265, + "y": 2410 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "41": + id: "41" + taskid: 08dde432-36ed-4ec3-8380-6a48cbb7fa66 + type: title + task: + id: 08dde432-36ed-4ec3-8380-6a48cbb7fa66 + version: -1 + name: Update existing pull request + type: title + iscommand: false + brand: "" + description: Update existing pull request + nexttasks: + '#none#': + - "31" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 910, + "y": 2410 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "45": + id: "45" + taskid: ca941d2b-421b-4015-8b02-34e122f950ff + type: regular + task: + id: ca941d2b-421b-4015-8b02-34e122f950ff + version: -1 + name: Create pull request with pack name as title + description: Creates a new merge request. 
+ script: GitLabv2|||gitlab-merge-request-create + type: regular + iscommand: true + brand: GitLabv2 + nexttasks: + '#none#': + - "9" + scriptarguments: + description: + simple: ${PR_text} + partial_response: + simple: "false" + source_branch: + simple: ${BranchName} + target_branch: + simple: ${inputs.MainBranch} + title: + complex: + root: PackName + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 480, + "y": 2730 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "46": + id: "46" + taskid: 38a637c8-40e5-41de-8a74-0ae64584ee5e + type: condition + task: + id: 38a637c8-40e5-41de-8a74-0ae64584ee5e + version: -1 + name: Is Pull Request title empty? + type: condition + iscommand: false + brand: "" + description: Is the field of the pull request title in the incident empty? + nexttasks: + '#default#': + - "7" + "yes": + - "45" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isEmpty + left: + value: + complex: + root: incident + accessor: cicdpullrequesttitle + iscontext: true + ignorecase: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 265, + "y": 2555 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "48": + id: "48" + taskid: 8c5eb494-d36f-448a-8fef-d708de2c259f + type: regular + task: + id: 8c5eb494-d36f-448a-8fef-d708de2c259f + version: -1 + name: Create new branch Gitlab + description: Creates a new branch in the repository. 
+ script: GitLabv2|||gitlab-branch-create + type: regular + iscommand: true + brand: GitLabv2 + nexttasks: + '#none#': + - "49" + scriptarguments: + branch: + simple: ${BranchName} + ref: + simple: main + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 265, + "y": 1565 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "49": + id: "49" + taskid: 13833930-4ea6-45d5-8f7a-3c62d73d2d54 + type: regular + task: + id: 13833930-4ea6-45d5-8f7a-3c62d73d2d54 + version: -1 + name: 'Set creating new branch ' + description: Set a value in context under the key you entered. + scriptName: Set + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "39" + scriptarguments: + key: + simple: IsBranchExist + value: + simple: "false" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 265, + "y": 1740 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "50": + id: "50" + taskid: eeb1e74f-2fc0-487a-8cd3-fd8ec0585774 + type: regular + task: + id: eeb1e74f-2fc0-487a-8cd3-fd8ec0585774 + version: -1 + name: 'Set existing branch ' + description: Set a value in context under the key you entered. 
+ scriptName: Set + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "39" + scriptarguments: + key: + simple: IsBranchExist + value: + simple: "true" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 695, + "y": 1740 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "51": + id: "51" + taskid: 04fc84ad-5f4f-4eb1-8ffe-6bf2dc5ecba5 + type: regular + task: + id: 04fc84ad-5f4f-4eb1-8ffe-6bf2dc5ecba5 + version: -1 + name: merge request update + description: Updates an existing merge request. You can change the target branch, title, or even close the merge request. + script: GitLabv2|||gitlab-merge-request-update + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "35" + scriptarguments: + description: + simple: ${PR_text} + merge_request_id: + simple: ${GitLab.MergeRequest.iid} + partial_response: + simple: "false" + target_branch: + simple: ${inputs.MainBranch} + title: + simple: ${GitLab.MergeRequest.title} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 910, + "y": 2750 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false +view: |- + { + "linkLabelsPosition": {}, + "paper": { + "dimensions": { + "height": 3300, + "width": 1240, + "x": 50, + "y": 50 + } + } + } +inputs: +- key: PullRequestTemplate + value: {} + required: true + description: Pull request description template. + playbookInputQuery: +- key: MainBranch + value: {} + required: true + description: The name of the branch you want the changes pulled into, which must be an existing branch on the current repository. 
+ playbookInputQuery:
+- key: PackName
+ value: {}
+ required: false
+ description: The name of the branch you want the changes pulled into, which must be an existing branch on the current repository.
+ playbookInputQuery:
+outputs: []
+tests:
+- No tests (auto formatted)
+fromversion: 6.0.0
diff --git a/Packs/ContentManagement/Playbooks/playbook-Pull_Request_Creation_-_GitLab_README.md b/Packs/ContentManagement/Playbooks/playbook-Pull_Request_Creation_-_GitLab_README.md
new file mode 100644
index 000000000000..d4effeca7cf2
--- /dev/null
+++ b/Packs/ContentManagement/Playbooks/playbook-Pull_Request_Creation_-_GitLab_README.md
@@ -0,0 +1,37 @@
+This playbook creates a pull request using Bitbucket integration.
+
+## Dependencies
+This playbook uses the following sub-playbooks, integrations, and scripts.
+
+### Sub-playbooks
+This playbook does not use any sub-playbooks.
+
+### Integrations
+* GitLab
+
+### Scripts
+* SuggestBranchName
+* CommitFiles
+* Set
+* DeleteContext
+
+### Commands
+* gitlab-merge-request-list
+* gitlab-branch-list
+* gitlab-merge-request-update
+* gitlab-branch-create
+* gitlab-merge-request-create
+
+## Playbook Inputs
+---
+
+| **Name** | **Description** | **Default Value** | **Required** |
+| --- | --- | --- | --- |
+| PullRequestTemplate | Pull request description template. | | Required |
+| MainBranch | The name of the branch you want the changes pulled into, which must be an existing branch on the current repository. | | Required |
+| PackName | The name of the pack | | Required |
+| File | The File or Files to commit to the new or updated branch or pr | | Required |
+
+## Playbook Outputs
+---
+There are no outputs for this playbook.
diff --git a/Packs/ContentManagement/ReleaseNotes/1_2_0.md b/Packs/ContentManagement/ReleaseNotes/1_2_0.md
new file mode 100644
index 000000000000..a20665fe5aa3
--- /dev/null
+++ b/Packs/ContentManagement/ReleaseNotes/1_2_0.md
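Review bot: Task "7" (Create pull request) has the merge request direction inverted: it sets `source_branch: ${inputs.MainBranch}` and `target_branch: ${AvailableBranch}`, so the MR would propose merging the main branch into the work branch, and `AvailableBranch` is only populated on the SuggestBranchName path (task "27"), not when the branch name came from the incident fields (tasks "25"/"30"). It should mirror task "45": `source_branch: simple: ${BranchName}` and `target_branch: simple: ${inputs.MainBranch}`. Tasks "2" and "48" hard-code `main` (`search: simple: main`, `ref: simple: main`) instead of `${inputs.MainBranch}`, so branch creation branches from the wrong ref, or fails, whenever the input is anything else. The notification texts in tasks "35" and "36" build links from `GitHub.PR.*` / `GitLab.PR.*` context and a fixed `gitlab.com` host, none of which this playbook populates and which breaks self-hosted GitLab; they should use the created merge request's web URL from context instead. Task "8" additionally overwrites the MR title with `${inputs.PackName}` even when a custom `cicdpullrequesttitle` was used in task "7", and the `PackName` input description is copied verbatim from `MainBranch`.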
@@ -0,0 +1,4 @@ + +#### Scripts +##### New: DeleteContent +- Added the DeleteContent script. Use it to keep your XSOAR instance clean and tidy. diff --git a/Packs/ContentManagement/ReleaseNotes/1_2_1.md b/Packs/ContentManagement/ReleaseNotes/1_2_1.md new file mode 100644 index 000000000000..67d5e577e82f --- /dev/null +++ b/Packs/ContentManagement/ReleaseNotes/1_2_1.md @@ -0,0 +1,5 @@ + +#### Scripts +##### CustomPackInstaller +- The script is now using the ***demisto-api-install-packs*** command to install custom packs. +- Updated the Docker image to: *demisto/xsoar-tools:1.0.0.40869*. \ No newline at end of file diff --git a/Packs/ContentManagement/ReleaseNotes/1_2_2.md b/Packs/ContentManagement/ReleaseNotes/1_2_2.md new file mode 100644 index 000000000000..090d300809fe --- /dev/null +++ b/Packs/ContentManagement/ReleaseNotes/1_2_2.md @@ -0,0 +1,10 @@ +#### Playbooks +##### Pull Request Creation - Generic + - Added the option to create a pull request in GitLab. + +##### New: Pull Request Creation - GitLab + - Added the playbook **Pull Request Creation - GitLab** that creates a pull request using GitLab integration. + +#### Scripts +##### CommitFiles + - Added support for **GitLab** integration. \ No newline at end of file diff --git a/Packs/ContentManagement/Scripts/CommitFiles/CommitFiles.py b/Packs/ContentManagement/Scripts/CommitFiles/CommitFiles.py index 835dde52780d..e8e2e0938049 100644 --- a/Packs/ContentManagement/Scripts/CommitFiles/CommitFiles.py +++ b/Packs/ContentManagement/Scripts/CommitFiles/CommitFiles.py 
@@ -104,22 +104,16 @@ def commit_content_item_gitlab(branch_name: str, content_file: ContentFile, new_ commit_args = {'commit_message': f'Added {content_file.file_name}', 'file_path': f'{content_file.path_to_file}/{content_file.file_name}', 'branch': branch_name, 'file_content': content_file.file_text} - - file_sha = get_file_sha(branch_name, content_file, 'gitlab-file-get') - - # dont commit pack_metadata.json if already exists in the branch - if file_sha and content_file.file_name == 'pack_metadata.json': - return - elif file_sha: - # update existing file - commit_args['file_content'] = file_sha + status, commit_res = execute_command('gitlab-file-create', commit_args, fail_on_error=False) + if isinstance(commit_res, dict): + new_files.append(content_file.file_name) + elif isinstance(commit_res, str) and "already exists" in commit_res: + demisto.debug(f'The file {content_file.file_name} already exist, running update command') + if content_file.file_name == 'pack_metadata.json': + return commit_args['commit_message'] = f'Updated {content_file.file_name}' modified_files.append(content_file.file_name) - else: - # new file added - new_files.append(content_file.file_name) - # gitlab-file-create - status, commit_res = execute_command('gitlab-file-create', commit_args, fail_on_error=False) + status, commit_res = execute_command('gitlab-file-update', commit_args, fail_on_error=False) if not status: raise DemistoException(commit_res) @@ -237,7 +231,7 @@ def split_yml_file(content_file: ContentFile): # pragma: no cover def commit_git(git_integration: str, branch_name: str, content_file: ContentFile, - new_files: List, modified_files: List): # pragma: no cover + new_files: List, modified_files: List): if git_integration == 'Gitlab': commit_content_item_gitlab(branch_name, content_file, new_files, modified_files) elif git_integration == 'GitHub': 
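Review bot: The new create-or-update split keys on the literal error text `"already exists"` returned by `gitlab-file-create`, and a truthy `status` paired with any other non-dict result falls through both branches and is reported as success without the file ever landing in `new_files` or `modified_files`. Matching on an integration's free-text error is brittle: if GitLabv2 rewords that message, every re-run against an existing branch will raise instead of updating. I would at least fail loudly on the unexpected shape, `else: raise DemistoException(f'Unexpected response from gitlab-file-create: {commit_res}')`, and mark the dependency with `# relies on GitLabv2's "already exists" error text; revisit if the integration changes it`. The function's signature and the start of `commit_args` are outside the hunk.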
@@ -249,7 +243,7 @@ def commit_git(git_integration: str, branch_name: str, content_file: ContentFile ''' MAIN FUNCTION ''' -def main(): # pragma: no cover +def main(): try: files = demisto.getArg('files') branch_name = demisto.getArg('branch') diff --git a/Packs/ContentManagement/Scripts/CommitFiles/CommitFiles.yml b/Packs/ContentManagement/Scripts/CommitFiles/CommitFiles.yml index 2dd8161e00f9..c45e6c4081f3 100644 --- a/Packs/ContentManagement/Scripts/CommitFiles/CommitFiles.yml +++ b/Packs/ContentManagement/Scripts/CommitFiles/CommitFiles.yml @@ -31,7 +31,7 @@ commonfields: contentitemexportablefields: contentitemfields: fromServerVersion: '' -dockerimage: demisto/xsoar-tools:1.0.0.39936 +dockerimage: demisto/xsoar-tools:1.0.0.40869 enabled: true name: CommitFiles outputs: diff --git a/Packs/ContentManagement/Scripts/CommitFiles/CommitFiles_test.py b/Packs/ContentManagement/Scripts/CommitFiles/CommitFiles_test.py index ee0681f8afa5..acea263c03de 100644 --- a/Packs/ContentManagement/Scripts/CommitFiles/CommitFiles_test.py +++ b/Packs/ContentManagement/Scripts/CommitFiles/CommitFiles_test.py 
@@ -157,3 +157,37 @@ def delete_files(): os.remove(script_path) if yml_path: os.remove(yml_path) + + +def test_commit_new_content_item_gitlab(mocker): + """ + Given: + - A branch name and a content file. + When: + - Committing the files to gitlab + """ + from CommitFiles import commit_content_item_gitlab + branch_name = 'demisto' + expected_args = { + 'branch': f'{branch_name}', + 'commit_message': f'Added {content_file.file_name}', + 'file_content': f'{content_file.file_text}', + 'file_path': f'{content_file.path_to_file}/{content_file.file_name}'} + mocker.patch.object(demisto, 'executeCommand') + mocker.patch('CommitFiles.execute_command', return_value=(True, expected_args)) + commit_content_item_gitlab(branch_name, content_file, [], []) + + +def test_update_content_item_gitlab(mocker): + """ + Given: + - A branch name and a content file. + When: + - Committing the files to gitlab + """ + from CommitFiles import commit_content_item_gitlab + branch_name = 'demisto' + expected_str = 'already exists' + mocker.patch.object(demisto, 'executeCommand') + mocker.patch('CommitFiles.execute_command', return_value=(True, expected_str)) + commit_content_item_gitlab(branch_name, content_file, [], []) diff --git a/Packs/ContentManagement/Scripts/CustomPackInstaller/CustomPackInstaller.py b/Packs/ContentManagement/Scripts/CustomPackInstaller/CustomPackInstaller.py index 815117b4a146..d1a4853cb9f2 100644 --- a/Packs/ContentManagement/Scripts/CustomPackInstaller/CustomPackInstaller.py +++ b/Packs/ContentManagement/Scripts/CustomPackInstaller/CustomPackInstaller.py @@ -1,5 +1,4 @@ from typing import Tuple -from urllib import parse import demistomock as demisto from CommonServerPython import * 
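Review bot: Neither new test asserts anything, so they only prove `commit_content_item_gitlab` does not raise under a mock that always returns `(True, ...)`. Capture the patch as `execute_mock` and check the update path actually switched commands, e.g. `assert execute_mock.call_args[0][0] == 'gitlab-file-update'` and `assert modified_files == [content_file.file_name]` after passing `new_files, modified_files = [], []` explicitly, with the create test asserting `new_files` the same way. A third case returning `(False, 'some other error')` and expecting `DemistoException` would cover the error branch the change relies on. `content_file` appears to be a module-level fixture defined outside the hunk.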
@@ -7,22 +6,6 @@ SCRIPT_NAME = 'CustomPackInstaller' -def build_url_parameters(skip_verify: bool, skip_validation: bool) -> str: - is_server_ge_to_6_5 = is_demisto_version_ge('6.5.0') - is_server_ge_to_6_6 = is_demisto_version_ge('6.6.0') - - uri = '/contentpacks/installed/upload' - params = {} - if skip_verify == 'true' and is_server_ge_to_6_5: - params['skipVerify'] = 'true' - - if skip_validation == 'true' and is_server_ge_to_6_6: - params['skipValidation'] = 'true' - - params = parse.urlencode(params) - return f'{uri}?{params}' if params else uri - - def install_custom_pack(pack_id: str, skip_verify: bool, skip_validation: bool, instance_name: str = '') -> Tuple[bool, str]: """Installs a custom pack in the machine. @@ -53,15 +36,14 @@ def install_custom_pack(pack_id: str, skip_verify: bool, skip_validation: bool, pack_file_entry_id = file_in_context.get('EntryID') break - uri = build_url_parameters(skip_verify=skip_verify, skip_validation=skip_validation) - if pack_file_entry_id: - args = {'uri': uri, 'entryID': pack_file_entry_id} + args = {'entry_id': pack_file_entry_id, 'skip_verify': str(skip_verify), + 'skip_validation': str(skip_validation)} if instance_name: args['using'] = instance_name status, res = execute_command( - 'demisto-api-multipart', + 'demisto-api-install-packs', args, fail_on_error=False, ) diff --git a/Packs/ContentManagement/Scripts/CustomPackInstaller/CustomPackInstaller.yml b/Packs/ContentManagement/Scripts/CustomPackInstaller/CustomPackInstaller.yml index a4b137c0fafe..1dc11674ecf4 100644 --- a/Packs/ContentManagement/Scripts/CustomPackInstaller/CustomPackInstaller.yml +++ b/Packs/ContentManagement/Scripts/CustomPackInstaller/CustomPackInstaller.yml @@ -37,7 +37,7 @@ tags: - Content Management timeout: '0' type: python -dockerimage: demisto/xsoar-tools:1.0.0.34680 +dockerimage: demisto/xsoar-tools:1.0.0.40869 tests: - No tests (auto formatted) fromversion: 6.0.0 
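Review bot: `skip_verify` is now forwarded to `demisto-api-install-packs` as `str(skip_verify)` with the old version gate gone; the removed `build_url_parameters` compared against the literal `'true'`, so callers evidently pass strings despite the `bool` annotation, and a genuine `True` would go out as `'True'`, which the command may or may not accept — the hunk does not show its parsing. Normalise once so the wire value is unambiguous, `'skip_verify': str(argToBoolean(skip_verify)).lower()`, and the same for `skip_validation`. Because this flag disables what is presumably the pack signature check on whatever bytes sit in the war room, an audit line before the call is cheap: `if argToBoolean(skip_verify): demisto.info(f'{SCRIPT_NAME}: installing {pack_id} with verification skipped')`. `install_custom_pack` starts and ends outside the hunk.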
diff --git a/Packs/ContentManagement/Scripts/CustomPackInstaller/CustomPackInstaller_test.py b/Packs/ContentManagement/Scripts/CustomPackInstaller/CustomPackInstaller_test.py index c96899c96566..8adba3ca5930 100644 --- a/Packs/ContentManagement/Scripts/CustomPackInstaller/CustomPackInstaller_test.py +++ b/Packs/ContentManagement/Scripts/CustomPackInstaller/CustomPackInstaller_test.py @@ -2,26 +2,6 @@ from CommonServerPython import * -@pytest.mark.parametrize( - argnames='skip_verify, skip_validation, uri', - argvalues=[ - ('true', 'true', '/contentpacks/installed/upload?skipVerify=true&skipValidation=true'), - ('false', 'true', '/contentpacks/installed/upload?skipValidation=true'), - ('true', 'false', '/contentpacks/installed/upload?skipVerify=true'), - ('false', 'false', '/contentpacks/installed/upload') - ]) -def test_build_url_parameters(mocker, skip_verify, skip_validation, uri): - from CustomPackInstaller import build_url_parameters - mocker.patch('CustomPackInstaller.is_demisto_version_ge', return_value=True) - - url_res = build_url_parameters(skip_verify, skip_validation) - assert url_res == uri - - mocker.patch('CustomPackInstaller.is_demisto_version_ge', return_value=False) - url_res = build_url_parameters(skip_verify, skip_validation) - assert url_res == '/contentpacks/installed/upload' - - @pytest.mark.parametrize( argnames='pack_id, context, err_massage, res', argvalues=[ diff --git a/Packs/ContentManagement/Scripts/CustomPackInstaller/README.md b/Packs/ContentManagement/Scripts/CustomPackInstaller/README.md index e69de29bb2d1..6b45427b5a3d 100644 --- a/Packs/ContentManagement/Scripts/CustomPackInstaller/README.md +++ b/Packs/ContentManagement/Scripts/CustomPackInstaller/README.md 
@@ -0,0 +1,4 @@ +### Troubleshooting +Multi-tenant environments should be configured with the Cortex Rest API instance when using this +automation. Make sure the *Use tenant* parameter (in the Cortex Rest API integration) is checked +to ensure that API calls are made to the current tenant instead of the master tenant. \ No newline at end of file diff --git a/Packs/ContentManagement/Scripts/DeleteContent/DeleteContent.py b/Packs/ContentManagement/Scripts/DeleteContent/DeleteContent.py new file mode 100644 index 000000000000..bdf6206f23fb --- /dev/null +++ b/Packs/ContentManagement/Scripts/DeleteContent/DeleteContent.py 
@@ -0,0 +1,670 @@ +"""Delete Content script, used to keep instances tidy.""" +from CommonServerPython import * + +from abc import ABC, abstractmethod +from typing import Tuple +from urllib.parse import quote + +import requests +import json + +SCRIPT_NAME = 'DeleteContent' +CORE_PACKS_LIST_URL = "https://raw.githubusercontent.com/demisto/content/master/Tests/Marketplace/core_packs_list.json" + + +def verify_search_response_in_list(response: Any, name: str): + ids = [entity.get('id', '') for entity in response] if type(response) is list else [] + return False if name not in ids else name + + +def verify_search_response_in_dict(response: Union[dict, str, list]): + if type(response) is dict and response.get("id"): + return response.get("id") + return False + + +class EntityAPI(ABC): + """Abstract class for APIs of different content entities.""" + name = '' + + @abstractmethod + def search_specific_id(self, specific_id: str): + pass + + @abstractmethod + def search_all(self): + pass + + @abstractmethod + def delete_specific_id(self, specific_id: str): + pass + + @abstractmethod + def verify_specific_search_response(self, response: Union[dict, str], name: str): + pass + + def parse_all_entities_response(self, response: Union[dict, str, list]): + return [entity.get('id', '') for entity in response] if type(response) is list else [] + + +class PlaybookAPI(EntityAPI): # works + name = 'playbook' + + def search_specific_id(self, specific_id: str): + return execute_command('demisto-api-get', + {'uri': f'/playbook/{specific_id}'}, + fail_on_error=False) + + def search_all(self): + return execute_command('demisto-api-post', + {'uri': '/playbook/search', + 'body': {'page': 0, 'size': 100}}, + fail_on_error=False) + + def delete_specific_id(self, specific_id: str): + return execute_command('demisto-api-post', + {'uri': '/playbook/delete', + 'body': {'id': specific_id}}, + fail_on_error=False) + + def verify_specific_search_response(self, response: Union[dict, str], name: str): + 
return verify_search_response_in_dict(response) + + def parse_all_entities_response(self, response: Union[dict, str, list]): + return [entity.get('id', '') for entity in response.get('playbooks', [])] if type(response) is dict else [] + + +class IntegrationAPI(EntityAPI): # works + name = 'integration' + + def search_specific_id(self, specific_id: str): + return execute_command('demisto-api-post', + {'uri': '/settings/integration/search', + 'body': {'page': 0, 'size': 100, 'query': f'name:"{specific_id}"'}}, + fail_on_error=False) + + def search_all(self): + return execute_command('demisto-api-post', + {'uri': '/settings/integration/search', + 'body': {'page': 0, 'size': 100}}, + fail_on_error=False) + + def delete_specific_id(self, specific_id: str): + return execute_command('demisto-api-post', + {'uri': '/settings/integration-conf/delete', + 'body': {'id': quote(specific_id)}}, + fail_on_error=False) + + def verify_specific_search_response(self, response: Union[dict, str, list], name: str): + integrations = response.get('configurations', []) if type(response) is dict else response + return verify_search_response_in_list(integrations, name) + + def parse_all_entities_response(self, response: Union[dict, str, list]): + integrations = response.get('configurations', []) if type(response) is dict else response + return [entity.get('id') for entity in integrations] if type(integrations) is list else [] + + +class ScriptAPI(EntityAPI): # works :) + name = 'script' + always_excluded = ['CommonServerUserPowerShell', 'CommonServerUserPython', 'CommonUserServer', SCRIPT_NAME] + + def search_specific_id(self, specific_id: str): + return execute_command('demisto-api-post', + {'uri': '/automation/search', + 'body': {'page': 0, 'size': 1, 'query': f'name:"{specific_id}"'}}, + fail_on_error=False) + + def search_all(self): + return execute_command('demisto-api-post', + {'uri': '/automation/search', + 'body': {'page': 0, 'size': 100}}, + fail_on_error=False) + + def 
delete_specific_id(self, specific_id: str): + return execute_command('demisto-api-post', + {'uri': '/automation/delete', + 'body': {'script': {'id': specific_id}}}, + fail_on_error=False) + + def verify_specific_search_response(self, response: Union[dict, str, list], name: str): + scripts = response.get('scripts') if type(response) is dict else response + return verify_search_response_in_list(scripts, name) + + def parse_all_entities_response(self, response: Union[dict, str, list]): + return [entity.get('id', '') for entity in response.get('scripts', [])] if type(response) is dict else [] + + +class IncidentFieldAPI(EntityAPI): # checked and works + name = 'incidentfield' + + def search_specific_id(self, specific_id: str): + return execute_command('demisto-api-get', + {'uri': '/incidentfields'}, + fail_on_error=False) + + def search_all(self): + return execute_command('demisto-api-get', + {'uri': '/incidentfields'}, + fail_on_error=False) + + def delete_specific_id(self, specific_id: str): + return execute_command('demisto-api-delete', + {'uri': f'/incidentfield/{specific_id}'}, + fail_on_error=False) + + def verify_specific_search_response(self, response: Union[dict, str], name: str): + return verify_search_response_in_list(response, name) + + +class PreProcessingRuleAPI(EntityAPI): # checked and works + name = 'pre-process-rule' + + def search_specific_id(self, specific_id: str): + return execute_command('demisto-api-get', + {'uri': '/preprocess/rules'}, + fail_on_error=False) + + def search_all(self): + return execute_command('demisto-api-get', + {'uri': '/preprocess/rules'}, + fail_on_error=False) + + def delete_specific_id(self, specific_id: str): + return execute_command('demisto-api-delete', + {'uri': f'/preprocess/rule/{specific_id}'}, + fail_on_error=False) + + def verify_specific_search_response(self, response: Union[dict, str, list], name: str): + return verify_search_response_in_list(response, name) + + +class WidgetAPI(EntityAPI): # works + name = 
'widget' + + def search_specific_id(self, specific_id: str): + return execute_command('demisto-api-get', + {'uri': f'/widgets/{specific_id}'}, + fail_on_error=False) + + def search_all(self): + return execute_command('demisto-api-get', + {'uri': '/widgets'}, + fail_on_error=False) + + def delete_specific_id(self, specific_id: str): + return execute_command('demisto-api-delete', + {'uri': f'/widgets/{specific_id}'}, + fail_on_error=False) + + def verify_specific_search_response(self, response: Union[dict, str], name: str): + return verify_search_response_in_dict(response) + + def parse_all_entities_response(self, response: Union[dict, str, list]): + if type(response) is dict: + return list(response.keys()) + return [entity.get('id', '') for entity in response] if type(response) is list else [] + + +class DashboardAPI(EntityAPI): # works + name = 'dashboard' + + def search_specific_id(self, specific_id: str): + return execute_command('demisto-api-get', + {'uri': f'/dashboards/{specific_id}'}, + fail_on_error=False) + + def search_all(self): + return execute_command('demisto-api-get', + {'uri': '/dashboards'}, + fail_on_error=False) + + def delete_specific_id(self, specific_id: str): + return execute_command('demisto-api-delete', + {'uri': f'/dashboards/{specific_id}'}, + fail_on_error=False) + + def verify_specific_search_response(self, response: Union[dict, str], name: str): + return verify_search_response_in_dict(response) + + def parse_all_entities_response(self, response: Union[dict, str, list]): + if type(response) is dict: + return list(response.keys()) + return [entity.get('id', '') for entity in response] if type(response) is list else [] + + +class ReportAPI(EntityAPI): # works + name = 'report' + + def search_specific_id(self, specific_id: str): + return execute_command('demisto-api-get', + {'uri': f'/reports/{specific_id}'}, + fail_on_error=False) + + def search_all(self): + return execute_command('demisto-api-get', + {'uri': '/reports'}, + 
fail_on_error=False) + + def delete_specific_id(self, specific_id: str): + return execute_command('demisto-api-delete', + {'uri': f'/report/{specific_id}'}, + fail_on_error=False) + + def verify_specific_search_response(self, response: Union[dict, str], name: str): + return verify_search_response_in_dict(response) + + +class IncidentTypeAPI(EntityAPI): # checked and works + name = 'incidenttype' + + def search_specific_id(self, specific_id: str): + return execute_command('demisto-api-get', + {'uri': '/incidenttypes/export'}, + fail_on_error=False) + + def search_all(self): + return execute_command('demisto-api-get', + {'uri': '/incidenttypes/export'}, + fail_on_error=False) + + def delete_specific_id(self, specific_id: str): + return execute_command('demisto-api-post', + {'uri': '/incidenttype/delete', + 'body': {'id': specific_id}}, + fail_on_error=False) + + def verify_specific_search_response(self, response: Union[dict, str, list], name: str): + return verify_search_response_in_list(response, name) + + +class ClassifierAPI(EntityAPI): # works + name = 'classifier' + + def search_specific_id(self, specific_id: str): + return execute_command('demisto-api-get', + {'uri': f'/classifier/{specific_id}'}, + fail_on_error=False) + + def search_all(self): + return execute_command('demisto-api-post', + {'uri': '/classifier/search', + 'body': {'page': 0, 'size': 100}}, + fail_on_error=False) + + def delete_specific_id(self, specific_id: str): + return execute_command('demisto-api-delete', + {'uri': f'/classifier/{specific_id}'}, + fail_on_error=False) + + def verify_specific_search_response(self, response: Union[dict, str, list], name: str): + return verify_search_response_in_dict(response) + + def parse_all_entities_response(self, response: Union[dict, str, list]): + classifiers = response.get('classifiers', []) if type(response) is dict else [] + return [entity.get('id', '') for entity in classifiers] if type(classifiers) is list else [] + + +class 
ReputationAPI(EntityAPI): # works + name = 'reputation' + + def search_specific_id(self, specific_id: str): + return execute_command('demisto-api-get', + {'uri': '/reputation/export'}, + fail_on_error=False) + + def search_all(self): + return execute_command('demisto-api-get', + {'uri': '/reputation/export'}, + fail_on_error=False) + + def delete_specific_id(self, specific_id: str): + return execute_command('demisto-api-delete', + {'uri': f'/reputation/{specific_id}'}, + fail_on_error=False) + + def verify_specific_search_response(self, response: Union[dict, str, list], name: str): + return verify_search_response_in_list(response, name) + + +class LayoutAPI(EntityAPI): # works + name = 'layout' + + def search_specific_id(self, specific_id: str): + return execute_command('demisto-api-get', + {'uri': f'/layout/{specific_id}'}, + fail_on_error=False) + + def search_all(self): + return execute_command('demisto-api-get', + {'uri': '/layouts'}, + fail_on_error=False) + + def delete_specific_id(self, specific_id: str): + return execute_command('demisto-api-post', + {'uri': f'/layout/{specific_id}/remove', + 'body': {}}, + fail_on_error=False) + + def verify_specific_search_response(self, response: Union[dict, str, list], name: str): + return verify_search_response_in_dict(response) + + +class JobAPI(EntityAPI): + name = 'job' + + def search_specific_id(self, specific_id: str): + return execute_command('demisto-api-post', + {'uri': '/jobs/search', + 'body': {'page': 0, 'size': 1, 'query': f'name:"{specific_id}"'}}, + fail_on_error=False) + + def search_all(self): + return execute_command('demisto-api-post', + {'uri': '/jobs/search', + 'body': {'page': 0, 'size': 100}}, + fail_on_error=False) + + def delete_specific_id(self, specific_id: str): + return execute_command('demisto-api-delete', + {'uri': f'jobs/{specific_id}'}, + fail_on_error=False) + + def verify_specific_search_response(self, response: Union[dict, str], name: str): + job_params = {} + if type(response) is 
dict: + search_results = response.get('data') + if search_results: + job_params = search_results[0] + + if not job_params or not job_params.get("id"): + return False + return job_params.get("id") + + def parse_all_entities_response(self, response: Union[dict, str, list]): + return [entity.get('name', '') for entity in response.get('data', [])] if type(response) is dict else [] + + +class ListAPI(EntityAPI): + name = 'list' + + def search_specific_id(self, specific_id: str): + return execute_command('demisto-api-get', + {'uri': f'/lists/download/{specific_id}'}, + fail_on_error=False) + + def search_all(self): + return execute_command('demisto-api-get', + {'uri': '/lists/names'}, + fail_on_error=False) + + def delete_specific_id(self, specific_id: str): + return execute_command('demisto-api-post', + {'uri': '/lists/delete', + 'body': {'id': specific_id}}, + fail_on_error=False) + + def verify_specific_search_response(self, response: Union[dict, str], name: str): + if response: + return name + return False + + def parse_all_entities_response(self, response: Union[dict, str, list]): + return response + + +class InstalledPackAPI(EntityAPI): + name = 'pack' + always_excluded = ['ContentManagement', 'CleanUpContent'] + + def __init__(self, proxy_skip=True, verify=True): + if proxy_skip: + skip_proxy() + core_packs_response = requests.get(CORE_PACKS_LIST_URL, verify=verify) + self.always_excluded = json.loads(core_packs_response.text) + self.always_excluded + + def search_specific_id(self, specific_id: str): + return execute_command('demisto-api-get', + {'uri': f'/contentpacks/installed/{specific_id}'}, + fail_on_error=False) + + def search_all(self): + return execute_command('demisto-api-get', + {'uri': '/contentpacks/installed-expired'}, + fail_on_error=False) + + def delete_specific_id(self, specific_id: str): + return execute_command('demisto-api-delete', + {'uri': f'/contentpacks/installed/{specific_id}'}, + fail_on_error=False) + + def 
verify_specific_search_response(self, response: Union[dict, str], name: str): + return verify_search_response_in_dict(response) + + +def search_and_delete_existing_entity(name: str, entity_api: EntityAPI, dry_run: bool = True) -> bool: + """Searches the machine for previously configured entity_types with the given name. + + Args: + name (str): The name of the entity to update it's past configurations. + + Returns: + True if deleted, False otherwise. + """ + + status, res = entity_api.search_specific_id(specific_id=name) + + if not status: + demisto.debug(f'Could not find {entity_api.name} with id {name} - Response:\n{res}') + return False + + specific_id = entity_api.verify_specific_search_response(res.get('response'), name) + + if not specific_id: + return False + + if not dry_run: + status, res = entity_api.delete_specific_id(specific_id=specific_id) + else: + demisto.debug(f'DRY RUN - Not deleting {entity_api.name} with id {name}.') + status = True + res = True + + if not status: + demisto.debug(f'Could not delete {entity_api.name} with id {name} - Response:\n{res}') + return False + + return True + + +def search_for_all_entities(entity_api: EntityAPI) -> list: + """Search for all existing entities in xsoar. + + Args: + entity_api (EntityAPI): The entity api to preform api calls on. + + Returns: + list of entity ids. + """ + status, res = entity_api.search_all() + + if not status: + error_message = f'Search All {entity_api.name}s - {res}' + demisto.debug(error_message) + raise Exception(error_message) + + entity_ids = entity_api.parse_all_entities_response(res.get('response', {})) + + return entity_ids + + +def get_and_delete_entities(entity_api: EntityAPI, excluded_ids: list = [], included_ids: list = [], + dry_run: bool = True) -> Tuple[list, list, list]: + """Search and delete entities with provided EntityAPI. + + Args: + entity_api (EntityAPI): The api object to use for the get and delete api calls. 
+ excluded_ids (list): List of ids to exclude from deletion. + included_ids (list): List of ids to include in deletion. + dry_run (bool): If true, will not really delete anything. + + Returns: + (list) successfully deleted ids, (list) not deleted ids + """ + demisto.debug(f'Starting handling {entity_api.name} entities.') + succesfully_deleted = [] + not_deleted = [] + extended_excluded_ids = excluded_ids.copy() + + if not included_ids and not excluded_ids: + return [], [], extended_excluded_ids + + if hasattr(entity_api, 'always_excluded'): + extended_excluded_ids += entity_api.always_excluded # type: ignore + + new_included_ids = [item for item in included_ids if item not in extended_excluded_ids] + demisto.debug(f'Included ids for {entity_api.name} after excluding excluded are {new_included_ids}') + + if included_ids: + for included_id in included_ids: + if included_id in new_included_ids: + if search_and_delete_existing_entity(included_id, entity_api=entity_api, dry_run=dry_run): + succesfully_deleted.append(included_id) + else: + not_deleted.append(included_id) + else: + not_deleted.append(included_id) + + else: + all_entities = search_for_all_entities(entity_api=entity_api) + if not all_entities: + return [], [], extended_excluded_ids + + for entity_id in all_entities: + if entity_id not in extended_excluded_ids: + if search_and_delete_existing_entity(entity_id, entity_api=entity_api, dry_run=dry_run): + succesfully_deleted.append(entity_id) + else: + demisto.debug(f'Did not find or could not delete {entity_api.name} with ' + f'id {entity_id} in xsoar.') + not_deleted.append(entity_id) + else: + not_deleted.append(entity_id) + + return succesfully_deleted, not_deleted, extended_excluded_ids + + +def get_deletion_status(excluded: list, included: list, deleted: list, undeleted: list) -> bool: + if excluded: + if undeleted == excluded: + return True + else: + for excluded_id in excluded: + if excluded_id in deleted: + return False + return True + + elif included: 
+ if set(deleted) == set(included): + return True + # Nothing excluded + elif not undeleted: + return True + return False + + +def handle_content_enitity(entity_api: EntityAPI, + included_ids_dict: Optional[dict], + excluded_ids_dict: Optional[dict], + dry_run: bool) -> Tuple[bool, dict, dict]: + + excluded_ids = excluded_ids_dict.get(entity_api.name, []) if excluded_ids_dict else [] + included_ids = included_ids_dict.get(entity_api.name, []) if included_ids_dict else [] + + deleted_ids, undeleted_ids, new_excluded_ids = get_and_delete_entities(entity_api=entity_api, + excluded_ids=excluded_ids, + included_ids=included_ids, + dry_run=dry_run) + + deletion_status = get_deletion_status(excluded=new_excluded_ids, included=included_ids, + deleted=deleted_ids, undeleted=undeleted_ids) + + return deletion_status, {entity_api.name: deleted_ids}, {entity_api.name: undeleted_ids} + + +def handle_input_json(input_dict: Any) -> Any: + if type(input_dict) == str: + return json.loads(input_dict) + return input_dict + + +def get_and_delete_needed_ids(args: dict) -> CommandResults: + """Search and delete provided ids to delete. + + Args: + args[exclude_ids_dict] (dict): Dict content items ids to exclude. Will delete all the rest of the found ids. + args[include_ids_dict] (dict): Dict content items ids to include. Will delete all the ids specified. + args[dry_run] (str(bool)): If True, will only collect items for deletion and will not delete them. + + Remark: + exclude_ids_dict, include_ids_dict are assumed to be in the {'entity_type': [entity_ids]} format. + (e.g. {'job': ['job1', 'job2'], 'playbook': ['playbook1', 'playbook2']}) + + Raise: + ValueError if both exclude_ids and include_ids are specified. + + Returns: + CommandResults with the following outputs: + successfully_deleted: list of content ids gathered for deletion. + not_deleted: list of content ids gathered not to delete. + status: Deletion status (Failed/Completed/Dry run, nothing really deleted.) 
+ """ + dry_run = argToBoolean(args.get('dry_run', 'true')) + include_ids = handle_input_json(args.get('include_ids_dict')) + exclude_ids = handle_input_json(args.get('exclude_ids_dict')) + skip_proxy = argToBoolean(args.get('skip_proxy', 'false')) + verify_cert = argToBoolean(args.get('verify_cert', 'true')) + + entities_to_delete = [InstalledPackAPI(proxy_skip=skip_proxy, verify=verify_cert), IntegrationAPI(), ScriptAPI(), + PlaybookAPI(), IncidentFieldAPI(), + PreProcessingRuleAPI(), WidgetAPI(), DashboardAPI(), ReportAPI(), JobAPI(), ListAPI(), + IncidentTypeAPI(), ClassifierAPI(), ReputationAPI(), LayoutAPI()] + + all_deleted: dict = dict() + all_not_deleted: dict = dict() + all_deletion_statuses: list = [] + for entity in entities_to_delete: + entity_deletion_status, deleted, undeleted = handle_content_enitity(entity, include_ids, exclude_ids, dry_run) + all_deleted.update(deleted) + all_not_deleted.update(undeleted) + all_deletion_statuses.append(entity_deletion_status) + + deletion_status = 'Failed' + if dry_run: + deletion_status = 'Dry run, nothing really deleted.' + else: + if all(all_deletion_statuses): + deletion_status = 'Completed' + + return CommandResults( + outputs_prefix='ConfigurationSetup.Deletion', + outputs_key_field='name', + outputs={ + # Only show keys with values. + 'successfully_deleted': {key: value for key, value in all_deleted.items() if value}, + 'not_deleted': {key: value for key, value in all_not_deleted.items() if value}, + 'status': deletion_status, + }, + ) + + +def main(): # pragma: no cover + try: + return_results(get_and_delete_needed_ids(demisto.args())) + + except Exception as e: + return_error(f'Error occurred while deleting contents.\n{e}' + f'\n{traceback.format_exc()}') + + +if __name__ in ('__main__', '__builtin__', 'builtins'): # pragma: no cover + main() 
diff --git a/Packs/ContentManagement/Scripts/DeleteContent/DeleteContent.yml b/Packs/ContentManagement/Scripts/DeleteContent/DeleteContent.yml new file mode 100644 index 000000000000..b95a2fa637dc --- /dev/null +++ b/Packs/ContentManagement/Scripts/DeleteContent/DeleteContent.yml 
@@ -0,0 +1,75 @@
+args:
+- default: false
+ description: The content items ids to delete, in a JSON format.
+ isArray: false
+ name: include_ids_dict
+ required: false
+ secret: false
+- default: false
+ description: The content items IDs to preserve, in a JSON format.
+ isArray: false
+ name: exclude_ids_dict
+ required: false
+ secret: false
+- auto: PREDEFINED
+ default: false
+ description: If set to true, the flow will work as usuall except that no content items will be deleted from the system.
+ isArray: false
+ name: dry_run
+ required: true
+ secret: false
+ predefined:
+ - 'true'
+ - 'false'
+- auto: PREDEFINED
+ default: false
+ defaultValue: 'true'
+ description: If true, verify certificates when accessing github.
+ isArray: false
+ name: verify_cert
+ required: true
+ secret: false
+ predefined:
+ - 'true'
+ - 'false'
+- auto: PREDEFINED
+ default: false
+ defaultValue: 'false'
+ description: If true, skip system proxy settings.
+ isArray: false
+ name: skip_proxy
+ required: true
+ secret: false
+ predefined:
+ - 'true'
+ - 'false'
+commonfields:
+ id: DeleteContent
+ version: -1
+enabled: false
+name: DeleteContent
+comment: Delete content to keep XSOAR tidy.
+outputs:
+- contextPath: ConfigurationSetup.Deletion.successfully_deleted
+ description: Deleted ids
+ type: String
+- contextPath: ConfigurationSetup.Deletion.not_deleted
+ description: Not deleted ids
+ type: String
+- contextPath: ConfigurationSetup.Deletion.status
+ description: Deletion status
+ type: String
+script: '-'
+system: false
+tags:
+- configuration
+- Content Management
+timeout: 3600
+type: python
+subtype: python3
+dockerimage: demisto/python3:3.10.9.40422
+tests:
+- No tests (auto formatted)
+fromversion: 6.0.0
+marketplaces:
+- xsoar
diff --git a/Packs/ContentManagement/Scripts/DeleteContent/DeleteContent_test.py b/Packs/ContentManagement/Scripts/DeleteContent/DeleteContent_test.py
new file mode 100644
index 000000000000..98759c4c814c
--- /dev/null
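Review bot: The `include_ids_dict` and `exclude_ids_dict` descriptions say only "in a JSON format" and never state the shape the script expects, which the accompanying tests show is a mapping of content type to a list of item IDs; suggest `description: JSON object mapping a content type (job, pack, list, script, playbook, ...) to the list of item IDs to delete.` and the mirrored wording for the exclude argument. The `dry_run` description also carries a typo (`usuall` → `usual`), and the `ids`/`IDs` casing differs between the two descriptions. Since the script's own fallback for a missing `dry_run` is `'true'`, consider adding `defaultValue: 'true'` here so the argument definition and the code agree on the non-destructive default.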
+++ b/Packs/ContentManagement/Scripts/DeleteContent/DeleteContent_test.py 
@@ -0,0 +1,621 @@ +import pytest + +from DeleteContent import get_and_delete_needed_ids, CORE_PACKS_LIST_URL +from abc import ABC, abstractmethod +from typing import Tuple, Any + + +XSOAR_IDS_FULL_STATE = { + 'pack': ['installed_pack_id1', 'installed_pack_id2', 'Base'], + 'list': ['list1', 'list2'], + 'job': ['job1', 'job2'], + 'script': ['script1', 'script2', 'CommonUserServer'], + 'playbook': ['playbook1', 'playbook2'], + 'integration': ['integration1', 'integration2'], + 'incidentfield': ['incidentfield1', 'incidentfield2'], + 'pre-process-rule': ['pre-process-rule1', 'pre-process-rule2'], + 'widget': ['widget1', 'widget2'], + 'dashboard': ['dashboard1', 'dashboard2'], + 'report': ['report1', 'report2'], + 'incidenttype': ['incidenttype1', 'incidenttype2'], + 'classifier': ['classifier1', 'classifier2'], + 'reputation': ['reputation1', 'reputation2'], + 'layout': ['layout1', 'layout2'] +} + + +class MockEntityResponses(ABC): + entity_name = '' + + def __init__(self, xsoar_state): + self.xsoar_state_ids = xsoar_state.get(self.entity_name) + + @abstractmethod + def search_response(self, command_name, command_args) -> Tuple[bool, Any]: + pass + + @abstractmethod + def delete_response(self, command_name, command_args) -> Tuple[bool, Any]: + pass + + +class MockJobResponses(MockEntityResponses): + entity_name = 'job' + + def search_response(self, command_name, command_args): + command_uri = command_args.get('uri') + if command_uri == '/jobs/search': + if command_args.get('body', {}).get('size') == 1: + job_name = command_args.get('body', {}).get('query').split('name:"')[1].split('"')[0] + if job_name in self.xsoar_state_ids: + # if search and found + return True, {'data': [{'name': job_name, 'id': job_name}]} + + # if search and not found + return False, 'Id not found' + + # If search all return all + return True, {'data': [{'name': job_name, 'id': job_name} for job_name in self.xsoar_state_ids]} + return False, False + + def delete_response(self, command_name, 
command_args): + command_uri = command_args.get('uri') + if command_uri.startswith('jobs/') and command_name == 'demisto-api-delete': + job_name = command_uri.split('jobs/')[1] + if job_name in self.xsoar_state_ids: + return True, {'data': [{'name': job_name, 'id': job_name}]} + return False, 'Id not found' + return False, False + + +class MockListResponses(MockEntityResponses): + entity_name = 'list' + + def search_response(self, command_name, command_args): + command_uri = command_args.get('uri') + if command_uri.startswith('/lists/download/'): + list_name = command_uri.split('/lists/download/')[1] + if list_name in self.xsoar_state_ids: + return True, list_name + return False, 'Id not found' + + if command_uri == '/lists/names': + return True, self.xsoar_state_ids + + return False, False + + def delete_response(self, command_name, command_args): + command_uri = command_args.get('uri') + if command_uri == '/lists/delete': + list_name = command_args.get('body').get('id') + if list_name in self.xsoar_state_ids: + return True, list_name + return False, 'Id not found' + return False, False + + +class MockPackResponses(MockEntityResponses): + entity_name = 'pack' + + def search_response(self, command_name, command_args): + command_uri = command_args.get('uri') + if command_name == 'demisto-api-get' and command_uri.startswith('/contentpacks/installed/'): + pack_name = command_uri.split('/contentpacks/installed/')[1] + return (True, {'id': pack_name}) if pack_name in self.xsoar_state_ids else (False, 'Id not found') + + if command_name == 'demisto-api-get' and command_uri.startswith('/contentpacks/installed-expired'): + return True, [{'id': pack_name} for pack_name in self.xsoar_state_ids] + + return False, False + + def delete_response(self, command_name, command_args): + command_uri = command_args.get('uri') + if command_name == 'demisto-api-delete' and command_uri.startswith('/contentpacks/installed/'): + pack_name = command_uri.split('/contentpacks/installed/')[1] + 
return (True, {'id': pack_name}) if pack_name in self.xsoar_state_ids else (False, 'Id not found') + return False, False + + +class MockScriptResponses(MockEntityResponses): + entity_name = 'script' + + def search_response(self, command_name, command_args): + command_uri = command_args.get('uri') + if command_uri == '/automation/search': + if command_args.get('body', {}).get('size') == 1: + script_name = command_args.get('body', {}).get('query').split('name:"')[1].split('"')[0] + if script_name in self.xsoar_state_ids: + # if search and found + return True, {'scripts': [{'id': script_name}]} + + # if search and not found + return False, 'Id not found' + + # If search all return all + return True, {'scripts': [{'id': script_name} for script_name in self.xsoar_state_ids]} + return False, False + + def delete_response(self, command_name, command_args): + command_uri = command_args.get('uri') + if command_uri == '/automation/delete' and command_name == 'demisto-api-post': + script_name = command_args.get('body', {}).get('script', {}).get('id', '') + if script_name in self.xsoar_state_ids: + return True, {'scripts': [{'id': script_name}]} + return False, 'Id not found' + return False, False + + +class MockPlaybookResponses(MockEntityResponses): + entity_name = 'playbook' + + def search_response(self, command_name, command_args): + command_uri = command_args.get('uri') + if command_name == 'demisto-api-get' and command_uri.startswith('/playbook/'): + name = command_uri.split('/playbook/')[1] + if name in self.xsoar_state_ids: + return True, {'id': name} + return False, 'Id not found' + + if command_name == 'demisto-api-post' and command_uri == '/playbook/search': + return True, {'playbooks': [{'id': name} for name in self.xsoar_state_ids]} + + return False, False + + def delete_response(self, command_name, command_args): + command_uri = command_args.get('uri') + if command_uri == '/playbook/delete': + name = command_args.get('body', {}).get('id') + if name in 
self.xsoar_state_ids: + return True, {'id': name} + return False, 'Id not found' + return False, False + + +class MockIncidentFieldResponses(MockEntityResponses): + entity_name = 'incidentfield' + + def search_response(self, command_name, command_args): + command_uri = command_args.get('uri') + if command_uri == '/incidentfields' and command_name == 'demisto-api-get': + return True, [{'id': name} for name in self.xsoar_state_ids] + return False, False + + def delete_response(self, command_name, command_args): + command_uri = command_args.get('uri') + if command_uri.startswith('/incidentfield/') and command_name == 'demisto-api-delete': + name = command_uri.split('/incidentfield/')[1] + if name in self.xsoar_state_ids: + return True, None + return False, 'Id not found' + return False, False + + +class MockIntegrationResponses(MockEntityResponses): + entity_name = 'integration' + + def search_response(self, command_name, command_args): + command_uri = command_args.get('uri') + if command_uri == '/settings/integration/search': + if command_args.get('body', {}).get('query'): + name = command_args.get('body', {}).get('query').split('name:"')[1].split('"')[0] + if name in self.xsoar_state_ids: + # if search and found + return True, {'configurations': [{'id': name}]} + + # if search and not found + return False, 'Id not found' + + # If search all return all + return True, {'configurations': [{'id': name} for name in self.xsoar_state_ids]} + return False, False + + def delete_response(self, command_name, command_args): + command_uri = command_args.get('uri') + if command_uri == '/settings/integration-conf/delete' and command_name == 'demisto-api-post': + name = command_args.get('body', {}).get('id') + if name in self.xsoar_state_ids: + return True, {'configurations': [{'id': name}]} + return False, 'Id not found' + return False, False + + +class MockPreprocessRuleResponses(MockEntityResponses): + entity_name = 'pre-process-rule' + + def search_response(self, command_name, 
command_args): + command_uri = command_args.get('uri') + if command_uri == '/preprocess/rules' and command_name == 'demisto-api-get': + return True, [{'id': name} for name in self.xsoar_state_ids] + return False, False + + def delete_response(self, command_name, command_args): + command_uri = command_args.get('uri') + if command_uri.startswith('/preprocess/rule/') and command_name == 'demisto-api-delete': + name = command_uri.split('/preprocess/rule/')[1] + if name in self.xsoar_state_ids: + return True, None + return False, 'Id not found' + return False, False + + +class MockWidgetResponses(MockEntityResponses): + entity_name = 'widget' + + def search_response(self, command_name, command_args): + command_uri = command_args.get('uri') + if command_uri.startswith('/widgets') and command_name == 'demisto-api-get': + if command_uri.startswith('/widgets/'): + name = command_uri.split('/widgets/')[1] + if name in self.xsoar_state_ids: + return True, {'id': name} + return True, 'Id not found' + return True, [{'id': name} for name in self.xsoar_state_ids] + return False, False + + def delete_response(self, command_name, command_args): + command_uri = command_args.get('uri') + if command_uri.startswith('/widgets/') and command_name == 'demisto-api-delete': + name = command_uri.split('/widgets/')[1] + if name in self.xsoar_state_ids: + return True, None + return False, 'Id not found' + return False, False + + +class MockDashboardResponses(MockEntityResponses): + entity_name = 'dashboard' + + def search_response(self, command_name, command_args): + command_uri = command_args.get('uri') + if command_uri.startswith('/dashboards') and command_name == 'demisto-api-get': + if command_uri.startswith('/dashboards/'): + name = command_uri.split('/dashboards/')[1] + if name in self.xsoar_state_ids: + return True, {'id': name} + return True, 'Id not found' + return True, [{'id': name} for name in self.xsoar_state_ids] + return False, False + + def delete_response(self, command_name, 
command_args): + command_uri = command_args.get('uri') + if command_uri.startswith('/dashboards/') and command_name == 'demisto-api-delete': + name = command_uri.split('/dashboards/')[1] + if name in self.xsoar_state_ids: + return True, None + return False, 'Id not found' + return False, False + + +class MockReportResponses(MockEntityResponses): + entity_name = 'report' + + def search_response(self, command_name, command_args): + command_uri = command_args.get('uri') + if command_uri.startswith('/reports') and command_name == 'demisto-api-get': + if command_uri.startswith('/reports/'): + name = command_uri.split('/reports/')[1] + if name in self.xsoar_state_ids: + return True, {'id': name} + return True, 'Id not found' + return True, [{'id': name} for name in self.xsoar_state_ids] + return False, False + + def delete_response(self, command_name, command_args): + command_uri = command_args.get('uri') + if command_uri.startswith('/report/') and command_name == 'demisto-api-delete': + name = command_uri.split('/report/')[1] + if name in self.xsoar_state_ids: + return True, None + return False, 'Id not found' + return False, False + + +class MockIncidentTypeResponses(MockEntityResponses): + entity_name = 'incidenttype' + + def search_response(self, command_name, command_args): + command_uri = command_args.get('uri') + if command_uri.startswith('/incidenttypes/export') and command_name == 'demisto-api-get': + return True, [{'id': name} for name in self.xsoar_state_ids] + return False, False + + def delete_response(self, command_name, command_args): + command_uri = command_args.get('uri') + if command_uri.startswith('/incidenttype/delete') and command_name == 'demisto-api-post': + name = command_args.get('body', {}).get('id') + if name in self.xsoar_state_ids: + return True, None + return False, 'Id not found' + return False, False + + +class MockClassifierResponses(MockEntityResponses): + entity_name = 'classifier' + + def search_response(self, command_name, 
command_args): + command_uri = command_args.get('uri') + if command_uri == '/classifier/search' and command_name == 'demisto-api-post': + return True, {'classifiers': [{'id': name} for name in self.xsoar_state_ids]} + if command_uri.startswith('/classifier/') and command_name == 'demisto-api-get': + name = command_uri.split('/classifier/')[1] + if name in self.xsoar_state_ids: + return True, {'id': name} + return False, 'Id not found' + return False, False + + def delete_response(self, command_name, command_args): + command_uri = command_args.get('uri') + if command_uri.startswith('/classifier/') and command_name == 'demisto-api-delete': + name = command_uri.split('/classifier/')[1] + if name in self.xsoar_state_ids: + return True, None + return False, 'Id not found' + return False, False + + +class MockReputationResponses(MockEntityResponses): + entity_name = 'reputation' + + def search_response(self, command_name, command_args): + command_uri = command_args.get('uri') + if command_uri.startswith('/reputation/export') and command_name == 'demisto-api-get': + return True, [{'id': name} for name in self.xsoar_state_ids] + return False, False + + def delete_response(self, command_name, command_args): + command_uri = command_args.get('uri') + if command_uri.startswith('/reputation/') and command_name == 'demisto-api-delete': + name = command_uri.split('/reputation/')[1] + if name in self.xsoar_state_ids: + return True, None + return False, 'Id not found' + return False, False + + +class MockLayoutResponses(MockEntityResponses): + entity_name = 'layout' + + def search_response(self, command_name, command_args): + command_uri = command_args.get('uri') + if command_uri.startswith('/layout/') and command_name == 'demisto-api-get': + name = command_uri.split('/layout/')[1] + if name in self.xsoar_state_ids: + return True, {'id': name} + return False, 'Id not Found' + if command_uri == '/layouts' and command_name == 'demisto-api-get': + return True, [{'id': name} for name 
in self.xsoar_state_ids] + return False, False + + def delete_response(self, command_name, command_args): + command_uri = command_args.get('uri') + if command_uri.startswith('/layout/') and command_uri.endswith('/remove') and command_name == 'demisto-api-post': + name = command_uri.split('/layout/')[1] + name = name.split('/remove')[0] + if name in self.xsoar_state_ids: + return True, None + return False, 'Id not found' + return False, False + + +def mock_demisto_responses(command_name, command_args, xsoar_ids_state): + """Mock function for demisto responses to api calls according to xsoar ids state. + + Args: + command_name (str): The command name sent to the executeCommand demisto function. + command_args (dict): The command args sent to the executeCommand demisto function. + xsoar_ids_state (dict): A representation for the content ids in an xsoar instance. + + Returns: + status, demisto response + """ + mocked_entities = [MockJobResponses(xsoar_ids_state), MockPackResponses(xsoar_ids_state), + MockListResponses(xsoar_ids_state), MockScriptResponses(xsoar_ids_state), + MockPlaybookResponses(xsoar_ids_state), MockIntegrationResponses(xsoar_ids_state), + MockIncidentFieldResponses(xsoar_ids_state), MockPreprocessRuleResponses(xsoar_ids_state), + MockWidgetResponses(xsoar_ids_state), MockDashboardResponses(xsoar_ids_state), + MockReportResponses(xsoar_ids_state), MockIncidentTypeResponses(xsoar_ids_state), + MockClassifierResponses(xsoar_ids_state), MockReputationResponses(xsoar_ids_state), + MockLayoutResponses(xsoar_ids_state)] + for mocked_entity in mocked_entities: + status, response = mocked_entity.search_response(command_name, command_args) + if (status, response) != (False, False): + return status, response + + status, response = mocked_entity.delete_response(command_name, command_args) + if (status, response) != (False, False): + return status, response + + return False, 'Command Not Mocked.' 
+ + +@pytest.mark.parametrize('args, xsoar_ids_state, expected_outputs', [ + pytest.param( + {'dry_run': 'false'}, XSOAR_IDS_FULL_STATE, { + 'not_deleted': {}, + 'successfully_deleted': {}, + 'status': 'Completed'}, id='delete nothing'), + pytest.param( + {'dry_run': 'false', 'include_ids_dict': {'job': ['job1'], + 'pack': ['installed_pack_id1'], + 'list': ['list1'], + 'script': ['script1'], + 'playbook': ['playbook1'], + 'integration': ['integration1'], + 'incidentfield': ['incidentfield1'], + 'pre-process-rule': ['pre-process-rule1'], + 'widget': ['widget1'], + 'dashboard': ['dashboard1'], + 'report': ['report1'], + 'incidenttype': ['incidenttype1'], + 'classifier': ['classifier1'], + 'reputation': ['reputation1'], + 'layout': ['layout1']}, + 'delete_unspecified': 'false'}, XSOAR_IDS_FULL_STATE, { + 'not_deleted': {}, + 'successfully_deleted': {'job': ['job1'], 'list': ['list1'], 'pack': ['installed_pack_id1'], + 'script': ['script1'], 'playbook': ['playbook1'], 'integration': ['integration1'], + 'incidentfield': ['incidentfield1'], 'pre-process-rule': ['pre-process-rule1'], + 'widget': ['widget1'], 'dashboard': ['dashboard1'], 'report': ['report1'], + 'incidenttype': ['incidenttype1'], 'classifier': ['classifier1'], + 'reputation': ['reputation1'], 'layout': ['layout1']}, + 'status': 'Completed'}, id='delete only included ids'), + pytest.param( + {'dry_run': 'false', 'exclude_ids_dict': {'job': ['job1'], + 'pack': ['installed_pack_id1'], + 'list': ['list1'], + 'script': ['script1'], + 'playbook': ['playbook1'], + 'integration': ['integration1'], + 'incidentfield': ['incidentfield1'], + 'pre-process-rule': ['pre-process-rule1'], + 'widget': ['widget1'], + 'dashboard': ['dashboard1'], + 'report': ['report1'], + 'incidenttype': ['incidenttype1'], + 'classifier': ['classifier1'], + 'reputation': ['reputation1'], + 'layout': ['layout1']}}, XSOAR_IDS_FULL_STATE, { + 'not_deleted': {'pack': ['installed_pack_id1', 'Base'], 'job': ['job1'], 'list': ['list1'], + 'script': 
['script1', 'CommonUserServer'], + 'playbook': ['playbook1'], 'integration': ['integration1'], + 'incidentfield': ['incidentfield1'], 'pre-process-rule': ['pre-process-rule1'], + 'widget': ['widget1'], 'dashboard': ['dashboard1'], 'report': ['report1'], + 'incidenttype': ['incidenttype1'], 'classifier': ['classifier1'], + 'reputation': ['reputation1'], 'layout': ['layout1']}, + 'successfully_deleted': { # packs can only be deleted when included. + 'job': ['job2'], 'list': ['list2'], 'playbook': ['playbook2'], 'script': ['script2'], + 'integration': ['integration2'], 'incidentfield': ['incidentfield2'], + 'pre-process-rule': ['pre-process-rule2'], 'widget': ['widget2'], + 'dashboard': ['dashboard2'], 'report': ['report2'], 'incidenttype': ['incidenttype2'], + 'classifier': ['classifier2'], 'reputation': ['reputation2'], 'layout': ['layout2'], + 'pack': ['installed_pack_id2'], + }, + 'status': 'Completed'}, id='dont delete excluded ids'), + pytest.param( + {'dry_run': 'false', 'exclude_ids_dict': {'job': ['job3'], + 'pack': ['installed_pack3'], + 'list': ['list3'], + 'script': ['script3'], + 'playbook': ['playbook3'], + 'integration': ['integration3'], + 'incidentfield': ['incidentfield3'], + 'pre-process-rule': ['pre-process-rule3'], + 'widget': ['widget3'], + 'dashboard': ['dashboard3'], + 'report': ['report3'], + 'incidenttype': ['incidenttype3'], + 'classifier': ['classifier3'], + 'reputation': ['reputation3'], + 'layout': ['layout3']}}, XSOAR_IDS_FULL_STATE, { + 'not_deleted': {'pack': ['Base'], 'script': ['CommonUserServer']}, + 'successfully_deleted': {'job': ['job1', 'job2'], 'list': ['list1', 'list2'], + 'script': ['script1', 'script2'], 'playbook': ['playbook1', 'playbook2'], + 'integration': ['integration1', 'integration2'], + 'incidentfield': ['incidentfield1', 'incidentfield2'], + 'pre-process-rule': ['pre-process-rule1', 'pre-process-rule2'], + 'widget': ['widget1', 'widget2'], 'dashboard': ['dashboard1', 'dashboard2'], + 'report': ['report1', 
'report2'], + 'incidenttype': ['incidenttype1', 'incidenttype2'], + 'classifier': ['classifier1', 'classifier2'], + 'reputation': ['reputation1', 'reputation2'], + 'layout': ['layout1', 'layout2'], + 'pack': ['installed_pack_id1', 'installed_pack_id2']}, + 'status': 'Completed'}, id='exclude unfound id'), + pytest.param( + {'dry_run': 'false', 'include_ids_dict': {'job': ['job3'], + 'pack': ['installed_pack3'], + 'list': ['list3'], + 'script': ['script3'], + 'playbook': ['playbook3'], + 'integration': ['integration3'], + 'incidentfield': ['incidentfield3'], + 'pre-process-rule': ['pre-process-rule3'], + 'widget': ['widget3'], + 'dashboard': ['dashboard3'], + 'report': ['report3'], + 'incidenttype': ['incidenttype3'], + 'classifier': ['classifier3'], + 'reputation': ['reputation3'], + 'layout': ['layout3']}}, XSOAR_IDS_FULL_STATE, { + 'not_deleted': {'job': ['job3'], 'pack': ['installed_pack3'], 'list': ['list3'], + 'script': ['script3'], 'playbook': ['playbook3'], 'integration': ['integration3'], + 'incidentfield': ['incidentfield3'], 'pre-process-rule': ['pre-process-rule3'], + 'widget': ['widget3'], 'dashboard': ['dashboard3'], 'report': ['report3'], + 'incidenttype': ['incidenttype3'], 'classifier': ['classifier3'], + 'reputation': ['reputation3'], + 'layout': ['layout3']}, + 'successfully_deleted': {}, + 'status': 'Failed'}, id='include unfound id'), + pytest.param( + {'dry_run': 'false', 'include_ids_dict': {'script': ['CommonUserServer'], + 'pack': ['Base']}}, XSOAR_IDS_FULL_STATE, { + 'not_deleted': {'pack': ['Base'], 'script': ['CommonUserServer']}, + 'successfully_deleted': {}, + 'status': 'Completed'}, id='include always excluded id'), +]) +def test_get_and_delete_needed_ids(requests_mock, mocker, args, xsoar_ids_state, expected_outputs): + """ + Given: + Xsoar ids state. + Include_ids and exclude_ids lists. + + When: + Running get_and_delete_needed_ids with dry_run set to false. + + Then: + Assert deleted id lists are correct. 
+ """ + requests_mock.get(CORE_PACKS_LIST_URL, text='[\n "Base",\n "rasterize",\n "DemistoRESTAPI"\n]') + + def execute_command_mock(command_name, command_args, fail_on_error=False): + status, response = mock_demisto_responses(command_name, command_args, xsoar_ids_state) + return status, {'response': response} + + mocker.patch("DeleteContent.execute_command", side_effect=execute_command_mock) + + result = get_and_delete_needed_ids(args) + assert result.outputs.get('not_deleted') == expected_outputs.get('not_deleted') + assert result.outputs.get('successfully_deleted') == expected_outputs.get('successfully_deleted') + assert result.outputs.get('status') == expected_outputs.get('status') + + +@pytest.mark.parametrize('args, xsoar_ids_state, expected_outputs, call_count', [ + pytest.param( + {'dry_run': 'true', 'include_ids_dict': {'job': ['job1', 'job2']}}, + XSOAR_IDS_FULL_STATE, { + 'not_deleted': {}, + 'successfully_deleted': {'job': ['job1', 'job2']}, + 'status': 'Dry run, nothing really deleted.'}, 2, id='dry run, delete.'), + pytest.param( + {'dry_run': 'false', 'include_ids_dict': {'job': ['job1', 'job2']}}, + XSOAR_IDS_FULL_STATE, { + 'not_deleted': {}, + 'successfully_deleted': {'job': ['job1', 'job2']}, + 'status': 'Completed'}, 4, id='not dry run, delete.') +]) +def test_dry_run_delete(requests_mock, mocker, args, xsoar_ids_state, expected_outputs, call_count): + """ + Given: + Xsoar ids state. + dry_run flag. + + When: + Running get_and_delete_needed_ids with dry_run toggled. + + Then: + Assert deleted id lists are correct. + Assert call count to executeCommand API does not include calls for actual deletion. 
+ """ + requests_mock.get(CORE_PACKS_LIST_URL, text='[\n "Base",\n "rasterize",\n "DemistoRESTAPI"\n]') + + def execute_command_mock(command_name, command_args, fail_on_error=False): + status, response = mock_demisto_responses(command_name, command_args, xsoar_ids_state) + return status, {'response': response} + + execute_mock = mocker.patch("DeleteContent.execute_command", side_effect=execute_command_mock) + + result = get_and_delete_needed_ids(args) + assert result.outputs.get('not_deleted') == expected_outputs.get('not_deleted') + assert result.outputs.get('successfully_deleted') == expected_outputs.get('successfully_deleted') + assert result.outputs.get('status') == expected_outputs.get('status') + assert execute_mock.call_count == call_count diff --git a/Packs/ContentManagement/Scripts/DeleteContent/README.md b/Packs/ContentManagement/Scripts/DeleteContent/README.md new file mode 100644 index 000000000000..c8cd4af74ae7 --- /dev/null +++ b/Packs/ContentManagement/Scripts/DeleteContent/README.md 
@@ -0,0 +1,30 @@
+Delete content to keep XSOAR tidy.
+
+## Script Data
+---
+
+| **Name** | **Description** |
+| --- | --- |
+| Script Type | python3 |
+| Tags | configuration, Content Management |
+| Cortex XSOAR Version | 6.0.0 |
+
+## Inputs
+---
+
+| **Argument Name** | **Description** |
+| --- | --- |
+| include_ids_dict | The content items ids to delete, in a JSON format. |
+| exclude_ids_dict | The content items IDs to preserve, in a JSON format. |
+| dry_run | If set to true, the flow will work as usuall except that no content items will be deleted from the system. |
+| verify_cert | If true, verify certificates when accessing github. |
+| skip_proxy | If true, skip system proxy settings. |
+
+## Outputs
+---
+
+| **Path** | **Description** | **Type** |
+| --- | --- | --- |
+| ConfigurationSetup.Deletion.successfully_deleted | Deleted ids | String |
+| ConfigurationSetup.Deletion.not_deleted | Not deleted ids | String |
+| ConfigurationSetup.Deletion.status | Deletion status | String |
diff --git a/Packs/ContentManagement/Scripts/JobCreator/README.md b/Packs/ContentManagement/Scripts/JobCreator/README.md
index e69de29bb2d1..6b45427b5a3d 100644
--- a/Packs/ContentManagement/Scripts/JobCreator/README.md
+++ b/Packs/ContentManagement/Scripts/JobCreator/README.md
@@ -0,0 +1,4 @@
+### Troubleshooting
+Multi-tenant environments should be configured with the Cortex Rest API instance when using this
+automation. Make sure the *Use tenant* parameter (in the Cortex Rest API integration) is checked
+to ensure that API calls are made to the current tenant instead of the master tenant.
\ No newline at end of file
diff --git a/Packs/ContentManagement/Scripts/MarketplacePackInstaller/README.md b/Packs/ContentManagement/Scripts/MarketplacePackInstaller/README.md
index e69de29bb2d1..6b45427b5a3d 100644
--- a/Packs/ContentManagement/Scripts/MarketplacePackInstaller/README.md
+++ b/Packs/ContentManagement/Scripts/MarketplacePackInstaller/README.md
@@ -0,0 +1,4 @@ +### Troubleshooting +Multi-tenant environments should be configured with the Cortex Rest API instance when using this +automation. Make sure the *Use tenant* parameter (in the Cortex Rest API integration) is checked +to ensure that API calls are made to the current tenant instead of the master tenant. \ No newline at end of file diff --git a/Packs/ContentManagement/pack_metadata.json b/Packs/ContentManagement/pack_metadata.json index 64ef5a699dfc..e015bd03e057 100644 --- a/Packs/ContentManagement/pack_metadata.json +++ b/Packs/ContentManagement/pack_metadata.json @@ -2,7 +2,7 @@ "name": "XSOAR CI/CD", "description": "This pack enables you to orchestrate your XSOAR system configuration.", "support": "xsoar", - "currentVersion": "1.1.7", + "currentVersion": "1.2.2", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/Core/Playbooks/playbook-IOC_Alert.yml b/Packs/Core/Playbooks/playbook-IOC_Alert.yml index cec7ccfe1439..2be282072a16 100644 --- a/Packs/Core/Playbooks/playbook-IOC_Alert.yml +++ b/Packs/Core/Playbooks/playbook-IOC_Alert.yml @@ -433,7 +433,7 @@ tasks: root: ExtractedIndicators accessor: URL query: - simple: alertsource:${alert.sourceBrand} and alertname:${alert.name} + simple: sourceBrand:"${alert.sourceBrand}" and name:"${alert.name}" threshold: simple: "5" separatecontext: true diff --git a/Packs/Core/Playbooks/playbook-Local_Analysis_alert_Investigation.yml b/Packs/Core/Playbooks/playbook-Local_Analysis_alert_Investigation.yml index 028f11821ad8..1794678fde24 100644 --- a/Packs/Core/Playbooks/playbook-Local_Analysis_alert_Investigation.yml +++ b/Packs/Core/Playbooks/playbook-Local_Analysis_alert_Investigation.yml 
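Review bot: The new quoted form `name:"${alert.name}"` in the IOC Alert threshold query is still plain string interpolation, so a value that itself contains a double quote closes the quoted term early and the remainder of the name is parsed as query syntax; because `alert.name` and `alert.sourceBrand` originate from the alert source rather than from the analyst, the query can then match a different alert set than the one intended. If a transformer that strips or escapes `"` is available for these inputs it should be applied before interpolation; otherwise the assumption that these fields never contain quotes is worth stating in the task description. The same construct is introduced by the Local Analysis alert Investigation, T1036 - Masquerading and WildFire Malware hunks on the next line.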
@@ -953,7 +953,7 @@ tasks: root: alert accessor: username query: - simple: (initiatorsha256:${alert.initiatorsha256.[0]} or hostip:${alert.hostip.[0]}) and alertsource:${alert.sourceBrand} and alertname:${alert.name} + simple: (initiatorsha256:${alert.initiatorsha256.[0]} or hostip:${alert.hostip.[0]}) and sourceBrand:"${alert.sourceBrand}" and name:"${alert.name}" threshold: simple: "5" loop: diff --git a/Packs/Core/Playbooks/playbook-T1036_-_Masquerading.yml b/Packs/Core/Playbooks/playbook-T1036_-_Masquerading.yml index 92afaf0cf561..900d62ade54e 100644 --- a/Packs/Core/Playbooks/playbook-T1036_-_Masquerading.yml +++ b/Packs/Core/Playbooks/playbook-T1036_-_Masquerading.yml @@ -569,7 +569,7 @@ tasks: root: alert accessor: username query: - simple: (initiatorsha256:${alert.initiatorsha256} or hostip:${alert.hostip} or username:${alert.username} or url:${alert.url}) and alertsource:${alert.sourceBrand} and alertname:${alert.name} + simple: (initiatorsha256:${alert.initiatorsha256} or hostip:${alert.hostip} or username:${alert.username} or url:${alert.url}) and sourceBrand:"${alert.sourceBrand}" and name:"${alert.name}" threshold: simple: "5" separatecontext: false diff --git a/Packs/Core/Playbooks/playbook-WildFire_Malware.yml b/Packs/Core/Playbooks/playbook-WildFire_Malware.yml index e6d2cbb98954..443be3a9caaa 100644 --- a/Packs/Core/Playbooks/playbook-WildFire_Malware.yml +++ b/Packs/Core/Playbooks/playbook-WildFire_Malware.yml @@ -1066,8 +1066,7 @@ tasks: root: alert accessor: username query: - simple: initiatorsha256:${inputs.sha256} and alertsource:${alert.sourceBrand} - and alertname:${alert.name} + simple: initiatorsha256:${inputs.sha256} and sourceBrand:"${alert.sourceBrand}" and name:"${alert.name}" threshold: simple: "5" separatecontext: true diff --git a/Packs/Core/ReleaseNotes/1_3_21.md b/Packs/Core/ReleaseNotes/1_3_21.md new file mode 100644 index 000000000000..d2e4112ab044 --- /dev/null +++ b/Packs/Core/ReleaseNotes/1_3_21.md 
@@ -0,0 +1,4 @@
+
+#### Integrations
+##### Investigation & Response
+- Fixed an issue where the ***xdr-blacklist-files*** and ***xdr-whitelist-files*** deprecated commands were mistakenly removed.
diff --git a/Packs/Core/ReleaseNotes/1_3_22.md b/Packs/Core/ReleaseNotes/1_3_22.md
new file mode 100644
index 000000000000..b66407f9a826
--- /dev/null
+++ b/Packs/Core/ReleaseNotes/1_3_22.md
@@ -0,0 +1,10 @@
+
+#### Playbooks
+##### IOC Alert
+- Fixes the syntax of the 'Enrichment for Verdict' sub-playbook inputs.
+##### Local Analysis alert Investigation
+- Fixes the syntax of the 'Enrichment for Verdict' sub-playbook inputs.
+##### T1036 - Masquerading
+- Fixes the syntax of the 'Enrichment for Verdict' sub-playbook inputs.
+##### WildFire Malware
+- Fixes the syntax of the 'Enrichment for Verdict' sub-playbook inputs.
diff --git a/Packs/Core/pack_metadata.json b/Packs/Core/pack_metadata.json
index 5172ea2ebdd8..1ab1be0f8bc1 100644
--- a/Packs/Core/pack_metadata.json
+++ b/Packs/Core/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Core - Investigation and Response",
 "description": "Automates incident response",
 "support": "xsoar",
- "currentVersion": "1.3.20",
+ "currentVersion": "1.3.22",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
diff --git a/Packs/CoreAlertFields/IncidentFields/incidentfield-useragent.json b/Packs/CoreAlertFields/IncidentFields/incidentfield-useragent.json
index 5f1c3027eb7e..219e9968759e 100644
--- a/Packs/CoreAlertFields/IncidentFields/incidentfield-useragent.json
+++ b/Packs/CoreAlertFields/IncidentFields/incidentfield-useragent.json
@@ -38,6 +38,11 @@
 "cliName": "proofpointtapuseragent",
 "type": "shortText",
 "name": "Proofpoint TAP User Agent"
+ },
+ {
+ "cliName": "skyhighsecurityuseragent",
+ "type": "multiSelect",
+ "name": "Skyhigh User Agent"
 }
 ]
 }
\ No newline at end of file
diff --git a/Packs/CoreAlertFields/ReleaseNotes/1_0_22.md b/Packs/CoreAlertFields/ReleaseNotes/1_0_22.md
new file mode 100644
index 000000000000..a4f6c775e4b9
--- /dev/null
+++ b/Packs/CoreAlertFields/ReleaseNotes/1_0_22.md
@@ -0,0 +1,4 @@
+
+#### Incident Fields
+##### User Agent
+Updated the incident field to support the new **SkyHigh user agent** incident filed.
\ No newline at end of file
diff --git a/Packs/CoreAlertFields/pack_metadata.json b/Packs/CoreAlertFields/pack_metadata.json
index 880dbe2c25d7..9f972cd097a6 100644
--- a/Packs/CoreAlertFields/pack_metadata.json
+++ b/Packs/CoreAlertFields/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Core Alert Fields",
 "description": "This Content Pack will provide you with the core alert fields.",
 "support": "xsoar",
- "currentVersion": "1.0.21",
+ "currentVersion": "1.0.22",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
diff --git a/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.py b/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.py
index cfa6915ec023..54bc3146e232 100644
--- a/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.py
+++ b/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.py
@@ -1448,9 +1448,17 @@ def main(): # pragma: no cover
 elif command == 'xdr-blocklist-files':
 return_results(blocklist_files_command(client, args))
+ elif command == 'xdr-blacklist-files':
+ args['prefix'] = 'blacklist'
+ return_results(blocklist_files_command(client, args))
+
 elif command == 'xdr-allowlist-files':
 return_results(allowlist_files_command(client, args))
+ elif command == 'xdr-whitelist-files':
+ args['prefix'] = 'whitelist'
+ return_results(allowlist_files_command(client, args))
+
 elif command == 'xdr-remove-blocklist-files':
 return_results(remove_blocklist_files_command(client, args))
diff --git a/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.yml b/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.yml
index 8434646d8222..99a24c7a6acf 100644
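Review bot: The two restored `elif` branches assign `args['prefix']` before delegating to the same command handlers as the non-deprecated names, but nothing in the hunk says why, so a later cleanup could easily drop the assignment as redundant; a comment on each branch such as `# Deprecated alias of xdr-blocklist-files, kept for backward compatibility (RN 1.3.21); 'prefix' selects the legacy naming` would preserve the intent. The accompanying CortexXDRIR.yml diff in this chunk only bumps `dockerimage`, so these branches are presumably reachable only if `xdr-blacklist-files` and `xdr-whitelist-files` are still declared as commands in that yml — worth confirming, since a command absent from the integration definition cannot be dispatched here. `main()` starts outside the hunk and its body continues after it.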
--- a/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.yml
+++ b/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.yml
@@ -3108,7 +3108,7 @@ script:
 required: true
 description: Removes a tag from specified endpoint_ids.
 name: xdr-endpoint-tag-remove
- dockerimage: demisto/python3:3.10.8.37753
+ dockerimage: demisto/python3:3.10.9.40422
 isfetch: true
 runonce: false
 script: ''
diff --git a/Packs/CortexXDR/Playbooks/Cortex_XDR_-_Isolate_Endpoint.yml b/Packs/CortexXDR/Playbooks/Cortex_XDR_-_Isolate_Endpoint.yml
index cb666b998a9b..877bbea72b1e 100644
--- a/Packs/CortexXDR/Playbooks/Cortex_XDR_-_Isolate_Endpoint.yml
+++ b/Packs/CortexXDR/Playbooks/Cortex_XDR_-_Isolate_Endpoint.yml
@@ -21,6 +21,7 @@ tasks:
 '#none#':
 - "2"
 separatecontext: false
+ continueonerrortype: ""
 view: |-
 {
 "position": {
@@ -33,7 +34,6 @@ tasks:
 ignoreworker: false
 skipunavailable: false
 quietmode: 0
- continueonerrortype: ""
 isoversize: false
 isautoswitchedtoquietmode: false
 "1":
@@ -65,6 +65,7 @@ tasks:
 iscontext: true
 - operator: uniq
 separatecontext: false
+ continueonerrortype: ""
 view: |-
 {
 "position": {
@@ -77,7 +78,6 @@ tasks:
 ignoreworker: false
 skipunavailable: false
 quietmode: 0
- continueonerrortype: ""
 isoversize: false
 isautoswitchedtoquietmode: false
 "2":
@@ -88,10 +88,10 @@ tasks:
 id: cb9ba187-6e23-4c6c-847b-004dc0b6b241
 version: -1
 name: Is 'Palo Alto Networks Cortex XDR - Investigation and Response' integration enabled?
+ description: 'Checks if the ''Palo Alto Networks Cortex XDR - Investigation and Response'' integration is enabled. '
 type: condition
 iscommand: false
 brand: ""
- description: 'Checks if the ''Palo Alto Networks Cortex XDR - Investigation and Response'' integration is enabled. '
 nexttasks:
 '#default#':
 - "3"
@@ -127,6 +127,7 @@ tasks:
 iscontext: true
 right:
 value: {}
+ continueonerrortype: ""
 view: |-
 {
 "position": {
@@ -139,7 +140,6 @@ tasks:
 ignoreworker: false
 skipunavailable: false
 quietmode: 0
- continueonerrortype: ""
 isoversize: false
 isautoswitchedtoquietmode: false
 "3":
@@ -155,6 +155,7 @@ tasks:
 brand: ""
 description: ''
 separatecontext: false
+ continueonerrortype: ""
 view: |-
 {
 "position": {
@@ -167,7 +168,6 @@ tasks:
 ignoreworker: false
 skipunavailable: false
 quietmode: 0
- continueonerrortype: ""
 isoversize: false
 isautoswitchedtoquietmode: false
 "4":
@@ -178,10 +178,10 @@ tasks:
 id: 465da07f-5e0a-458f-8efe-f3b1ba853d88
 version: -1
 name: Is there an endpoint to isolate?
+ description: Checks if there is any endpoint to isolate.
 type: condition
 iscommand: false
 brand: ""
- description: 'Checks if there is any endpoint to isolate.'
 nexttasks:
 '#default#':
 - "3"
@@ -215,6 +215,7 @@ tasks:
 complex:
 root: inputs.hostname
 iscontext: true
+ continueonerrortype: ""
 view: |-
 {
 "position": {
@@ -227,7 +228,6 @@ tasks:
 ignoreworker: false
 skipunavailable: false
 quietmode: 0
- continueonerrortype: ""
 isoversize: false
 isautoswitchedtoquietmode: false
 "6":
@@ -269,6 +269,7 @@ tasks:
 dt:
 simple: PaloAltoNetworksXDR.Endpoint(val.is_isolated!=='AGENT_ISOLATED').endpoint_id
 separatecontext: true
+ continueonerrortype: ""
 loop:
 iscommand: false
 exitCondition: ""
@@ -286,7 +287,6 @@ tasks:
 ignoreworker: false
 skipunavailable: false
 quietmode: 0
- continueonerrortype: ""
 isoversize: false
 isautoswitchedtoquietmode: false
 "7":
@@ -311,6 +311,7 @@ tasks:
 root: PaloAltoNetworksXDR
 accessor: Isolation.endpoint_id
 separatecontext: false
+ continueonerrortype: ""
 view: |-
 {
 "position": {
@@ -323,7 +324,6 @@ tasks:
 ignoreworker: false
 skipunavailable: false
 quietmode: 0
- continueonerrortype: ""
 isoversize: false
 isautoswitchedtoquietmode: false
 "8":
@@ -341,7 +341,7 @@ tasks:
 brand: ""
 nexttasks:
 '#none#':
- - "10"
+ - "11"
 scriptarguments:
 hostname:
 complex:
@@ -350,11 +350,12 @@ tasks:
 complex:
 root: inputs.ip_list
 separatecontext: false
+ continueonerrortype: ""
 view: |-
 {
 "position": {
- "x": 710,
- "y": 540
+ "x": 780,
+ "y": 680
 }
 }
 note: false
@@ -362,7 +363,6 @@ tasks:
 ignoreworker: false
 skipunavailable: false
 quietmode: 0
- continueonerrortype: ""
 isoversize: false
 isautoswitchedtoquietmode: false
 "9":
@@ -387,6 +387,7 @@ tasks:
 root: PaloAltoNetworksXDR
 accessor: Isolation.endpoint_id
 separatecontext: false
+ continueonerrortype: ""
 view: |-
 {
 "position": {
@@ -399,7 +400,6 @@ tasks:
 ignoreworker: false
 skipunavailable: false
 quietmode: 0
- continueonerrortype: ""
 isoversize: false
 isautoswitchedtoquietmode: false
 "10":
@@ -422,11 +422,12 @@ tasks:
 endpoint_id_list:
 simple: ${inputs.endpoint_id}
 separatecontext: false
+ continueonerrortype: ""
 view: |-
 {
 "position": {
 "x": 380,
- "y": 710
+ "y": 680
 }
 }
 note: false
@@ -434,21 +435,20 @@ tasks:
 ignoreworker: false
 skipunavailable: false
 quietmode: 0
- continueonerrortype: ""
 isoversize: false
 isautoswitchedtoquietmode: false
 "11":
 id: "11"
- taskid: 84f4c199-6e4d-421c-8e64-2824dd30215d
+ taskid: d0720102-4246-49eb-8e38-bc04f44369c9
 type: condition
 task:
- id: 84f4c199-6e4d-421c-8e64-2824dd30215d
+ id: d0720102-4246-49eb-8e38-bc04f44369c9
 version: -1
 name: Is the endpoint ready for isolation?
+ description: Checks if there is any endpoint ready for isolation.
 type: condition
 iscommand: false
 brand: ""
- description: 'Checks if there is any endpoint ready for isolation.'
 nexttasks:
 '#default#':
 - "3"
@@ -468,17 +468,14 @@ tasks:
 right:
 value:
 simple: AGENT_UNISOLATED
- - - operator: isEqualString
+ - - operator: isNotEmpty
 left:
 value:
 complex:
 root: PaloAltoNetworksXDR.Endpoint
- accessor: is_isolated
- iscontext: true
- right:
- value:
- simple: inputs.endpoint_id
+ accessor: endpoint_id
 iscontext: true
+ continueonerrortype: ""
 view: |-
 {
 "position": {
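Review bot: The replacement condition group in the `@@ -468,17 +468,14 @@` hunk now only checks `isNotEmpty` on `PaloAltoNetworksXDR.Endpoint.endpoint_id`, which passes whenever any endpoint id is present in context, whereas the removed branch (however mistyped) still referenced `inputs.endpoint_id`; if earlier enrichment can leave other endpoints under `PaloAltoNetworksXDR.Endpoint`, the "ready for isolation" branch could be taken on the strength of an endpoint other than the one requested. If the filtering in the preceding task is what guarantees the context holds only the target endpoint, stating that on the task — e.g. extending the new `description:` to `Checks if there is any endpoint ready for isolation (context is expected to hold only the requested endpoint at this point).` — would make the dependency explicit. The `conditions` block this group belongs to, presumably task "11", starts outside the hunk.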
@@ -491,9 +488,9 @@ tasks:
 ignoreworker: false
 skipunavailable: false
 quietmode: 0
- continueonerrortype: ""
 isoversize: false
 isautoswitchedtoquietmode: false
+system: true
 view: |-
 {
 "linkLabelsPosition": {
@@ -506,7 +503,7 @@ view: |-
 "paper": {
 "dimensions": {
 "height": 1945,
- "width": 1040,
+ "width": 1110,
 "x": 50,
 "y": 50
 }
@@ -552,5 +549,6 @@ outputs:
 - contextPath: Endpoint.Hostname
 description: The hostname that is mapped to this endpoint.
 tests:
-- no tests
+- Test XDR Playbook
 fromversion: 5.0.0
+toversion: 6.1.9
diff --git a/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Get_entity_alerts_by_MITRE_tactics.yml b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Get_entity_alerts_by_MITRE_tactics.yml
new file mode 100644
index 000000000000..1f4e7e5d7883
--- /dev/null
+++ b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Get_entity_alerts_by_MITRE_tactics.yml
@@ -0,0 +1,2032 @@ +id: Cortex XDR - Get entity alerts by MITRE tactics +version: -1 +name: Cortex XDR - Get entity alerts by MITRE tactics +description: |- + This playbook is part of the Cortex XDR by Palo Alto Networks’ pack. This playbook searches alerts related to specific entities from Cortex XDR, on a given timeframe, based on MITRE tactics. + Note: The playbook's inputs enable manipulating the execution flow. Read the input descriptions for details. +starttaskid: "0" +tasks: + "0": + id: "0" + taskid: 2e7c6fcb-b000-4bd4-8ab8-5c6f537acfa5 + type: start + task: + id: 2e7c6fcb-b000-4bd4-8ab8-5c6f537acfa5 + version: -1 + name: "" + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "50" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": -1070 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "1": + id: "1" + taskid: 3da757cf-6459-42ac-87cf-ef4e020e43ad + type: condition + task: + id: 3da757cf-6459-42ac-87cf-ef4e020e43ad + version: -1 + name: Should hunt for Discovery techniques? + description: Whether to hunt for Discovery techniques. 
+ type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "7" + "yes": + - "20" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.HuntDiscoveryTechniques + iscontext: true + right: + value: + simple: "True" + ignorecase: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 2690 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "2": + id: "2" + taskid: bcf53717-1e45-4306-8344-d0f52b07a6e1 + type: condition + task: + id: bcf53717-1e45-4306-8344-d0f52b07a6e1 + version: -1 + name: Should hunt for Persistence techniques? + description: Whether to hunt for Persistence techniques. + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "4" + "yes": + - "14" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.HuntPersistenceTechniques + iscontext: true + right: + value: + simple: "True" + ignorecase: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 800 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "3": + id: "3" + taskid: 5856960b-1e9f-4b4b-8755-5e380d5557ad + type: condition + task: + id: 5856960b-1e9f-4b4b-8755-5e380d5557ad + version: -1 + name: Should hunt for Initial Access techniques? + description: Whether to hunt for Initial Access techniques. 
+ type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "6" + "yes": + - "16" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.HuntInitialAccessTechniques + iscontext: true + right: + value: + simple: "True" + ignorecase: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": -140 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "4": + id: "4" + taskid: ec48b402-f820-4f9e-8945-6c6dfc169f1e + type: condition + task: + id: ec48b402-f820-4f9e-8945-6c6dfc169f1e + version: -1 + name: Should hunt for Privilege Escalation techniques? + description: Whether to hunt for Privilege Escalation techniques. + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "5" + "yes": + - "18" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.HuntPrivilegeEscalationTechniques + iscontext: true + right: + value: + simple: "True" + ignorecase: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 1270 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "5": + id: "5" + taskid: 42d80a92-e1d2-4c30-8c39-d664ba3668e0 + type: condition + task: + id: 42d80a92-e1d2-4c30-8c39-d664ba3668e0 + version: -1 + name: Should hunt for Defense Evasion techniques? + description: Whether to hunt for Defense Evasion techniques. 
+ type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "61" + "yes": + - "19" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.HuntDefenseEvasionTechniques + iscontext: true + right: + value: + simple: "True" + ignorecase: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 1740 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "6": + id: "6" + taskid: 49c89def-cbd9-4ec9-8197-1642c687f51d + type: condition + task: + id: 49c89def-cbd9-4ec9-8197-1642c687f51d + version: -1 + name: Should hunt for Execution techniques? + description: Whether to hunt for Execution techniques. + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "2" + "yes": + - "17" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.HuntExecutionTechniques + iscontext: true + right: + value: + simple: "True" + ignorecase: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 330 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "7": + id: "7" + taskid: 283d3e90-3798-4a94-825d-8ebe5234572b + type: condition + task: + id: 283d3e90-3798-4a94-825d-8ebe5234572b + version: -1 + name: Should hunt for Lateral Movement techniques? + description: Whether to hunt for Lateral Movement techniques. 
+ type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "8" + "yes": + - "21" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.HuntLateralMovementTechniques + iscontext: true + right: + value: + simple: "True" + ignorecase: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 3190 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "8": + id: "8" + taskid: 6c4bd98c-f2df-4e66-81c3-f95bce31787e + type: condition + task: + id: 6c4bd98c-f2df-4e66-81c3-f95bce31787e + version: -1 + name: Should hunt for Collection techniques? + description: Whether to hunt for Collection techniques. + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "23" + "yes": + - "22" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.HuntCollectionTechniques + iscontext: true + right: + value: + simple: "True" + ignorecase: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 3685 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "14": + id: "14" + taskid: 60a731f8-4d6b-43b6-825d-a1c12c5cff20 + type: title + task: + id: 60a731f8-4d6b-43b6-825d-a1c12c5cff20 + version: -1 + name: Persistence + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "15" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 40, + "y": 970 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "15": + id: "15" + taskid: 
440037aa-c32f-4376-8857-1fee67c21e4d + type: regular + task: + id: 440037aa-c32f-4376-8857-1fee67c21e4d + version: -1 + name: Hunt Persistence techniques + description: "Returns a list of alerts and their metadata, which you can filter by built-in arguments or use the custom_filter to input a JSON filter object. \n Multiple filter arguments will be concatenated using the AND operator, while arguments that support a comma-separated list of values will use an OR operator between each value." + script: '|||xdr-get-alerts' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "4" + scriptarguments: + custom_filter: + simple: |- + { + "AND": [ + { + "SEARCH_FIELD": "mitre_tactic_id_and_name", + "SEARCH_TYPE": "CONTAINS", + "SEARCH_VALUE": "TA0003" + }, + { + "SEARCH_FIELD": "${inputs.EntityType}", + "SEARCH_TYPE": "CONTAINS", + "SEARCH_VALUE": "${inputs.entityID}" + } + ] + } + extend-context: + simple: Persistence + time_frame: + complex: + root: inputs.timeRange + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 40, + "y": 1100 + } + } + note: false + evidencedata: + description: + simple: Hunt Persistence techniques - Cortex XDR - Endpoint Investigation + tags: + simple: Persistence + customfields: {} + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "16": + id: "16" + taskid: ecae67cb-2dd0-4cc4-85b6-39d8d1872678 + type: title + task: + id: ecae67cb-2dd0-4cc4-85b6-39d8d1872678 + version: -1 + name: Initial Access + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "30" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 40, + "y": 30 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "17": + id: "17" + taskid: 
80c56186-6f82-46e3-81cc-e1f5ca970db2 + type: title + task: + id: 80c56186-6f82-46e3-81cc-e1f5ca970db2 + version: -1 + name: Execution + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "31" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 40, + "y": 500 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "18": + id: "18" + taskid: b802ec3d-1047-4584-8815-fa53902a49c0 + type: title + task: + id: b802ec3d-1047-4584-8815-fa53902a49c0 + version: -1 + name: Privilege Escalation + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "32" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 40, + "y": 1440 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "19": + id: "19" + taskid: 3d02cd98-8ac1-46d4-8d3b-1e865a6dc674 + type: title + task: + id: 3d02cd98-8ac1-46d4-8d3b-1e865a6dc674 + version: -1 + name: Defense Evasion + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "33" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 40, + "y": 1910 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "20": + id: "20" + taskid: 867cde89-05a0-42e8-8b82-ffe9b2c928b7 + type: title + task: + id: 867cde89-05a0-42e8-8b82-ffe9b2c928b7 + version: -1 + name: Discovery + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "34" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 40, + "y": 2880 + } + } + note: false + timertriggers: [] + ignoreworker: false + 
skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "21": + id: "21" + taskid: 3a90ced3-1ab4-49fd-8965-a94da7483689 + type: title + task: + id: 3a90ced3-1ab4-49fd-8965-a94da7483689 + version: -1 + name: Lateral Movement + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "35" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 40, + "y": 3360 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "22": + id: "22" + taskid: 3f6cf6de-b65a-4f9b-86e3-d5b1dbf66a51 + type: title + task: + id: 3f6cf6de-b65a-4f9b-86e3-d5b1dbf66a51 + version: -1 + name: Collection + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "36" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 50, + "y": 3860 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "23": + id: "23" + taskid: 9d88f8c7-fa4d-4b2f-86b9-a88dc466eb75 + type: condition + task: + id: 9d88f8c7-fa4d-4b2f-86b9-a88dc466eb75 + version: -1 + name: Should hunt for CnC techniques? + description: Whether to hunt for Command and Control techniques. 
+ type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "24" + "yes": + - "25" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.HuntCnCTechniques + iscontext: true + right: + value: + simple: "True" + ignorecase: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 4170 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "24": + id: "24" + taskid: d40c9049-5927-4e44-8f96-086d435b7ca9 + type: condition + task: + id: d40c9049-5927-4e44-8f96-086d435b7ca9 + version: -1 + name: Should hunt for Impact techniques? + description: Whether to hunt for Impact techniques. + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "64" + "yes": + - "26" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.HuntImpactTechniques + iscontext: true + right: + value: + simple: "True" + ignorecase: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 4630 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "25": + id: "25" + taskid: e34844ec-ffe6-4d48-81d9-3798d60bf6ee + type: title + task: + id: e34844ec-ffe6-4d48-81d9-3798d60bf6ee + version: -1 + name: Command and Control + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "37" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 40, + "y": 4340 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "26": + id: "26" + taskid: 
f3226c98-20fe-48b6-8292-5575a7337fb1 + type: title + task: + id: f3226c98-20fe-48b6-8292-5575a7337fb1 + version: -1 + name: Impact + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "38" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 40, + "y": 4800 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "27": + id: "27" + taskid: 7e1ea21c-493d-443d-8f87-88a59bf237d0 + type: condition + task: + id: 7e1ea21c-493d-443d-8f87-88a59bf237d0 + version: -1 + name: Should hunt for suspicious Reconnaissance techniques? + description: Whether to hunt for Reconnaissance techniques. + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "3" + "yes": + - "28" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.HuntReconnaissanceTechniques + iscontext: true + right: + value: + simple: "True" + ignorecase: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": -620 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "28": + id: "28" + taskid: b3c85728-d7d1-4f70-876b-dcd6394d3953 + type: title + task: + id: b3c85728-d7d1-4f70-876b-dcd6394d3953 + version: -1 + name: Reconnaissance + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "29" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 40, + "y": -450 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "29": + id: "29" + taskid: de4fd91a-a7f9-4293-8a6a-7d5de66f46e9 + type: regular + task: + id: 
de4fd91a-a7f9-4293-8a6a-7d5de66f46e9 + version: -1 + name: Hunt Reconnaissance techniques + description: "Returns a list of alerts and their metadata, which you can filter by built-in arguments or use the custom_filter to input a JSON filter object. \n Multiple filter arguments will be concatenated using the AND operator, while arguments that support a comma-separated list of values will use an OR operator between each value." + script: '|||xdr-get-alerts' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "3" + scriptarguments: + custom_filter: + simple: |- + { + "AND": [ + { + "SEARCH_FIELD": "mitre_tactic_id_and_name", + "SEARCH_TYPE": "CONTAINS", + "SEARCH_VALUE": "TA0043" + }, + { + "SEARCH_FIELD": "${inputs.EntityType}", + "SEARCH_TYPE": "CONTAINS", + "SEARCH_VALUE": "${inputs.entityID}" + } + ] + } + extend-context: + simple: Reconnaissance + time_frame: + complex: + root: inputs.timeRange + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 40, + "y": -320 + } + } + note: false + evidencedata: + description: + simple: Hunt Reconnaissance techniques - Cortex XDR - Endpoint Investigation + tags: + simple: Reconnaissance + customfields: {} + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "30": + id: "30" + taskid: 0c938021-0384-4df3-8d3d-53f82bcd58f6 + type: regular + task: + id: 0c938021-0384-4df3-8d3d-53f82bcd58f6 + version: -1 + name: Hunt Initial Access techniques + description: "Returns a list of alerts and their metadata, which you can filter by built-in arguments or use the custom_filter to input a JSON filter object. \n Multiple filter arguments will be concatenated using the AND operator, while arguments that support a comma-separated list of values will use an OR operator between each value." 
+ script: '|||xdr-get-alerts'
+ type: regular
+ iscommand: true
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "6"
+ scriptarguments:
+ custom_filter:
+ simple: |-
+ {
+ "AND": [
+ {
+ "SEARCH_FIELD": "mitre_tactic_id_and_name",
+ "SEARCH_TYPE": "CONTAINS",
+ "SEARCH_VALUE": "TA0001"
+ },
+ {
+ "SEARCH_FIELD": "${inputs.EntityType}",
+ "SEARCH_TYPE": "CONTAINS",
+ "SEARCH_VALUE": "${inputs.entityID}"
+ }
+ ]
+ }
+ extend-context:
+ simple: Initial_Access
+ time_frame:
+ complex:
+ root: inputs.timeRange
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 40,
+ "y": 160
+ }
+ }
+ note: false
+ evidencedata:
+ description:
+ simple: Hunt Initial Access techniques - Cortex XDR - Endpoint Investigation
+ tags:
+ simple: Initial Access
+ customfields: {}
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "31":
+ id: "31"
+ taskid: b3768c4c-2d01-4270-8f4e-15ca232402dc
+ type: regular
+ task:
+ id: b3768c4c-2d01-4270-8f4e-15ca232402dc
+ version: -1
+ name: Hunt Execution techniques
+ description: "Returns a list of alerts and their metadata, which you can filter by built-in arguments or use the custom_filter to input a JSON filter object. \n Multiple filter arguments will be concatenated using the AND operator, while arguments that support a comma-separated list of values will use an OR operator between each value."
+ script: '|||xdr-get-alerts'
+ type: regular
+ iscommand: true
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "2"
+ scriptarguments:
+ custom_filter:
+ simple: |-
+ {
+ "AND": [
+ {
+ "SEARCH_FIELD": "mitre_tactic_id_and_name",
+ "SEARCH_TYPE": "CONTAINS",
+ "SEARCH_VALUE": "TA0002"
+ },
+ {
+ "SEARCH_FIELD": "${inputs.EntityType}",
+ "SEARCH_TYPE": "CONTAINS",
+ "SEARCH_VALUE": "${inputs.entityID}"
+ }
+ ]
+ }
+ extend-context:
+ simple: Execution
+ time_frame:
+ complex:
+ root: inputs.timeRange
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 40,
+ "y": 630
+ }
+ }
+ note: false
+ evidencedata:
+ description:
+ simple: Hunt Initial Access techniques - Cortex XDR - Endpoint Investigation
+ tags:
+ simple: Execution
+ customfields: {}
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "32":
+ id: "32"
+ taskid: 988d760d-3672-41c3-89df-d831f7df2def
+ type: regular
+ task:
+ id: 988d760d-3672-41c3-89df-d831f7df2def
+ version: -1
+ name: Hunt Privilege Escalation techniques
+ description: "Returns a list of alerts and their metadata, which you can filter by built-in arguments or use the custom_filter to input a JSON filter object. \n Multiple filter arguments will be concatenated using the AND operator, while arguments that support a comma-separated list of values will use an OR operator between each value."
+ script: '|||xdr-get-alerts'
+ type: regular
+ iscommand: true
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "5"
+ scriptarguments:
+ custom_filter:
+ simple: |-
+ {
+ "AND": [
+ {
+ "SEARCH_FIELD": "mitre_tactic_id_and_name",
+ "SEARCH_TYPE": "CONTAINS",
+ "SEARCH_VALUE": "TA0004"
+ },
+ {
+ "SEARCH_FIELD": "${inputs.EntityType}",
+ "SEARCH_TYPE": "CONTAINS",
+ "SEARCH_VALUE": "${inputs.entityID}"
+ }
+ ]
+ }
+ extend-context:
+ simple: Privilege_Escalation
+ time_frame:
+ complex:
+ root: inputs.timeRange
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 40,
+ "y": 1570
+ }
+ }
+ note: false
+ evidencedata:
+ description:
+ simple: Hunt Privilege Escalation techniques - Cortex XDR - Endpoint Investigation
+ tags:
+ simple: Privilege Escalation
+ customfields: {}
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "33":
+ id: "33"
+ taskid: 52f3cdfe-4d58-4279-8367-875e748828a6
+ type: regular
+ task:
+ id: 52f3cdfe-4d58-4279-8367-875e748828a6
+ version: -1
+ name: Hunt Defense Evasion techniques
+ description: "Returns a list of alerts and their metadata, which you can filter by built-in arguments or use the custom_filter to input a JSON filter object. \n Multiple filter arguments will be concatenated using the AND operator, while arguments that support a comma-separated list of values will use an OR operator between each value."
+ script: '|||xdr-get-alerts'
+ type: regular
+ iscommand: true
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "61"
+ scriptarguments:
+ custom_filter:
+ simple: |-
+ {
+ "AND": [
+ {
+ "SEARCH_FIELD": "mitre_tactic_id_and_name",
+ "SEARCH_TYPE": "CONTAINS",
+ "SEARCH_VALUE": "TA0005"
+ },
+ {
+ "SEARCH_FIELD": "${inputs.EntityType}",
+ "SEARCH_TYPE": "CONTAINS",
+ "SEARCH_VALUE": "${inputs.entityID}"
+ }
+ ]
+ }
+ extend-context:
+ simple: Defense_Evasion
+ time_frame:
+ complex:
+ root: inputs.timeRange
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 40,
+ "y": 2050
+ }
+ }
+ note: false
+ evidencedata:
+ description:
+ simple: Hunt Privilege Escalation techniques - Cortex XDR - Endpoint Investigation
+ tags:
+ simple: Defense_Evasion
+ customfields: {}
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "34":
+ id: "34"
+ taskid: 25ea0a69-89a1-4c30-87db-ea9cff4ebc59
+ type: regular
+ task:
+ id: 25ea0a69-89a1-4c30-87db-ea9cff4ebc59
+ version: -1
+ name: Hunt Discovery techniques
+ description: "Returns a list of alerts and their metadata, which you can filter by built-in arguments or use the custom_filter to input a JSON filter object. \n Multiple filter arguments will be concatenated using the AND operator, while arguments that support a comma-separated list of values will use an OR operator between each value."
+ script: '|||xdr-get-alerts'
+ type: regular
+ iscommand: true
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "7"
+ scriptarguments:
+ custom_filter:
+ simple: |-
+ {
+ "AND": [
+ {
+ "SEARCH_FIELD": "mitre_tactic_id_and_name",
+ "SEARCH_TYPE": "CONTAINS",
+ "SEARCH_VALUE": "TA0007"
+ },
+ {
+ "SEARCH_FIELD": "${inputs.EntityType}",
+ "SEARCH_TYPE": "CONTAINS",
+ "SEARCH_VALUE": "${inputs.entityID}"
+ }
+ ]
+ }
+ extend-context:
+ simple: Discovery
+ time_frame:
+ complex:
+ root: inputs.timeRange
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 40,
+ "y": 3020
+ }
+ }
+ note: false
+ evidencedata:
+ description:
+ simple: Hunt Discovery techniques - Cortex XDR - Endpoint Investigation
+ tags:
+ simple: Discovery
+ customfields: {}
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "35":
+ id: "35"
+ taskid: 3fc4a7bb-cf46-448c-8a33-3d15d82a0a2d
+ type: regular
+ task:
+ id: 3fc4a7bb-cf46-448c-8a33-3d15d82a0a2d
+ version: -1
+ name: Hunt Lateral Movement techniques
+ description: "Returns a list of alerts and their metadata, which you can filter by built-in arguments or use the custom_filter to input a JSON filter object. \n Multiple filter arguments will be concatenated using the AND operator, while arguments that support a comma-separated list of values will use an OR operator between each value."
+ script: '|||xdr-get-alerts'
+ type: regular
+ iscommand: true
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "8"
+ scriptarguments:
+ custom_filter:
+ simple: |-
+ {
+ "AND": [
+ {
+ "SEARCH_FIELD": "mitre_tactic_id_and_name",
+ "SEARCH_TYPE": "CONTAINS",
+ "SEARCH_VALUE": "TA0008"
+ },
+ {
+ "SEARCH_FIELD": "${inputs.EntityType}",
+ "SEARCH_TYPE": "CONTAINS",
+ "SEARCH_VALUE": "${inputs.entityID}"
+ }
+ ]
+ }
+ extend-context:
+ simple: Lateral_Movement
+ time_frame:
+ complex:
+ root: inputs.timeRange
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 40,
+ "y": 3510
+ }
+ }
+ note: false
+ evidencedata:
+ description:
+ simple: Hunt Lateral Movement techniques - Cortex XDR - Endpoint Investigation
+ tags:
+ simple: Lateral_Movement
+ customfields: {}
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "36":
+ id: "36"
+ taskid: f9311151-0f3d-441b-89b6-289a8841a277
+ type: regular
+ task:
+ id: f9311151-0f3d-441b-89b6-289a8841a277
+ version: -1
+ name: Hunt Collection techniques
+ description: "Returns a list of alerts and their metadata, which you can filter by built-in arguments or use the custom_filter to input a JSON filter object. \n Multiple filter arguments will be concatenated using the AND operator, while arguments that support a comma-separated list of values will use an OR operator between each value."
+ script: '|||xdr-get-alerts'
+ type: regular
+ iscommand: true
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "23"
+ scriptarguments:
+ custom_filter:
+ simple: |-
+ {
+ "AND": [
+ {
+ "SEARCH_FIELD": "mitre_tactic_id_and_name",
+ "SEARCH_TYPE": "CONTAINS",
+ "SEARCH_VALUE": "TA0009"
+ },
+ {
+ "SEARCH_FIELD": "${inputs.EntityType}",
+ "SEARCH_TYPE": "CONTAINS",
+ "SEARCH_VALUE": "${inputs.entityID}"
+ }
+ ]
+ }
+ extend-context:
+ simple: Collection
+ time_frame:
+ complex:
+ root: inputs.timeRange
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 50,
+ "y": 4000
+ }
+ }
+ note: false
+ evidencedata:
+ description:
+ simple: Hunt Lateral Movement techniques - Cortex XDR - Endpoint Investigation
+ customfields: {}
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "37":
+ id: "37"
+ taskid: 3f439bc7-0627-48a5-80e2-ba44096083b8
+ type: regular
+ task:
+ id: 3f439bc7-0627-48a5-80e2-ba44096083b8
+ version: -1
+ name: Hunt Command and Control techniques
+ description: "Returns a list of alerts and their metadata, which you can filter by built-in arguments or use the custom_filter to input a JSON filter object. \n Multiple filter arguments will be concatenated using the AND operator, while arguments that support a comma-separated list of values will use an OR operator between each value."
+ script: '|||xdr-get-alerts'
+ type: regular
+ iscommand: true
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "24"
+ scriptarguments:
+ custom_filter:
+ simple: |-
+ {
+ "AND": [
+ {
+ "SEARCH_FIELD": "mitre_tactic_id_and_name",
+ "SEARCH_TYPE": "CONTAINS",
+ "SEARCH_VALUE": "TA0011"
+ },
+ {
+ "SEARCH_FIELD": "${inputs.EntityType}",
+ "SEARCH_TYPE": "CONTAINS",
+ "SEARCH_VALUE": "${inputs.entityID}"
+ }
+ ]
+ }
+ extend-context:
+ simple: Command_And_Control
+ time_frame:
+ complex:
+ root: inputs.timeRange
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 40,
+ "y": 4460
+ }
+ }
+ note: false
+ evidencedata:
+ description:
+ simple: Hunt Command and Control techniques - Cortex XDR - Endpoint Investigation
+ tags:
+ simple: Command and Control
+ customfields: {}
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "38":
+ id: "38"
+ taskid: efc4d25a-ce92-444f-8dc4-38d383d67b76
+ type: regular
+ task:
+ id: efc4d25a-ce92-444f-8dc4-38d383d67b76
+ version: -1
+ name: Hunt Impact techniques
+ description: "Returns a list of alerts and their metadata, which you can filter by built-in arguments or use the custom_filter to input a JSON filter object. \n Multiple filter arguments will be concatenated using the AND operator, while arguments that support a comma-separated list of values will use an OR operator between each value."
+ script: '|||xdr-get-alerts'
+ type: regular
+ iscommand: true
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "64"
+ scriptarguments:
+ custom_filter:
+ simple: |-
+ {
+ "AND": [
+ {
+ "SEARCH_FIELD": "mitre_tactic_id_and_name",
+ "SEARCH_TYPE": "CONTAINS",
+ "SEARCH_VALUE": "TA0040"
+ },
+ {
+ "SEARCH_FIELD": "${inputs.EntityType}",
+ "SEARCH_TYPE": "CONTAINS",
+ "SEARCH_VALUE": "${inputs.entityID}"
+ }
+ ]
+ }
+ extend-context:
+ simple: Impact_techniques
+ time_frame:
+ complex:
+ root: inputs.timeRange
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 40,
+ "y": 4940
+ }
+ }
+ note: false
+ evidencedata:
+ description:
+ simple: Hunt Impact techniques - Cortex XDR - Endpoint Investigation
+ customfields: {}
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "50":
+ id: "50"
+ taskid: d126a4c8-162c-4c28-8d70-449f593d1230
+ type: title
+ task:
+ id: d126a4c8-162c-4c28-8d70-449f593d1230
+ version: -1
+ name: Hunt by MITRE Tactics
+ type: title
+ iscommand: false
+ brand: ""
+ description: ''
+ nexttasks:
+ '#none#':
+ - "58"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 450,
+ "y": -940
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "52":
+ id: "52"
+ taskid: 591149d8-6eba-46cb-874b-bb83eea0c6fe
+ type: title
+ task:
+ id: 591149d8-6eba-46cb-874b-bb83eea0c6fe
+ version: -1
+ name: Done
+ type: title
+ iscommand: false
+ brand: ""
+ description: ''
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 450,
+ "y": 5430
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "58":
+ id: "58"
+ taskid: 4dc85afd-df87-481b-8232-acb1e067abad
+ type: condition
+ task:
+ id: 4dc85afd-df87-481b-8232-acb1e067abad
+ version: -1
+ name: Run all Hunting Queries on Mitre Tactics?
+ description: Run all hunting queries on Mitre tactics?
+ type: condition
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#default#':
+ - "27"
+ "yes":
+ - "28"
+ - "16"
+ - "14"
+ - "18"
+ - "19"
+ - "20"
+ - "21"
+ - "22"
+ - "25"
+ - "26"
+ - "17"
+ - "62"
+ separatecontext: false
+ conditions:
+ - label: "yes"
+ condition:
+ - - operator: isEqualString
+ left:
+ value:
+ simple: inputs.RunAll
+ iscontext: true
+ right:
+ value:
+ simple: "True"
+ ignorecase: true
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -190,
+ "y": -800
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "59":
+ id: "59"
+ taskid: 70d127c4-ca66-42ba-8a53-6cc8ee476f7d
+ type: regular
+ task:
+ id: 70d127c4-ca66-42ba-8a53-6cc8ee476f7d
+ version: -1
+ name: Count Relevant Alerts
+ description: Count the array size.
+ scriptName: CountArraySize
+ type: regular
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "52"
+ scriptarguments:
+ array:
+ complex:
+ root: PaloAltoNetworksXDR.Alert
+ filters:
+ - - operator: containsGeneral
+ left:
+ value:
+ simple: PaloAltoNetworksXDR.Alert.severity
+ iscontext: true
+ right:
+ value:
+ simple: low
+ ignorecase: true
+ - operator: containsGeneral
+ left:
+ value:
+ simple: PaloAltoNetworksXDR.Alert.severity
+ iscontext: true
+ right:
+ value:
+ simple: medium
+ ignorecase: true
+ - operator: containsGeneral
+ left:
+ value:
+ simple: PaloAltoNetworksXDR.Alert.severity
+ iscontext: true
+ right:
+ value:
+ simple: high
+ ignorecase: true
+ - operator: containsGeneral
+ left:
+ value:
+ simple: PaloAltoNetworksXDR.Alert.severity
+ iscontext: true
+ right:
+ value:
+ simple: critical
+ ignorecase: true
+ separatecontext: false
+ continueonerror: true
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 450,
+ "y": 5270
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "61":
+ id: "61"
+ taskid: 998a5710-4743-48bf-8e31-53ff61230593
+ type: condition
+ task:
+ id: 998a5710-4743-48bf-8e31-53ff61230593
+ version: -1
+ name: Should hunt for Credential Access techniques?
+ description: Whether to hunt for Credential Access techniques.
+ type: condition
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#default#':
+ - "1"
+ "yes":
+ - "62"
+ separatecontext: false
+ conditions:
+ - label: "yes"
+ condition:
+ - - operator: isEqualString
+ left:
+ value:
+ complex:
+ root: inputs.HuntCredentialAccessTechniques
+ iscontext: true
+ right:
+ value:
+ simple: "True"
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 450,
+ "y": 2220
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "62":
+ id: "62"
+ taskid: d84fcb11-cf36-4538-8013-a5448145d330
+ type: title
+ task:
+ id: d84fcb11-cf36-4538-8013-a5448145d330
+ version: -1
+ name: Credential Access
+ type: title
+ iscommand: false
+ brand: ""
+ description: ''
+ nexttasks:
+ '#none#':
+ - "63"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 60,
+ "y": 2390
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "63":
+ id: "63"
+ taskid: a67b85d8-ed7c-45c4-810e-476bca9c31a1
+ type: regular
+ task:
+ id: a67b85d8-ed7c-45c4-810e-476bca9c31a1
+ version: -1
+ name: Hunt Credential Access techniques
+ description: "Returns a list of alerts and their metadata, which you can filter by built-in arguments or use the custom_filter to input a JSON filter object. \n Multiple filter arguments will be concatenated using the AND operator, while arguments that support a comma-separated list of values will use an OR operator between each value."
+ script: '|||xdr-get-alerts'
+ type: regular
+ iscommand: true
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "1"
+ scriptarguments:
+ custom_filter:
+ simple: |-
+ {
+ "AND": [
+ {
+ "SEARCH_FIELD": "mitre_tactic_id_and_name",
+ "SEARCH_TYPE": "CONTAINS",
+ "SEARCH_VALUE": "TA0006"
+ },
+ {
+ "SEARCH_FIELD": "${inputs.EntityType}",
+ "SEARCH_TYPE": "CONTAINS",
+ "SEARCH_VALUE": "${inputs.entityID}"
+ }
+ ]
+ }
+ extend-context:
+ simple: Defense_Evasion
+ time_frame:
+ complex:
+ root: inputs.timeRange
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 60,
+ "y": 2520
+ }
+ }
+ note: false
+ evidencedata:
+ description:
+ simple: Hunt Privilege Escalation techniques - Cortex XDR - Endpoint Investigation
+ tags:
+ simple: Defense_Evasion
+ customfields: {}
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "64":
+ id: "64"
+ taskid: 4371a3ef-940f-4aaa-8b02-2287c631d511
+ type: condition
+ task:
+ id: 4371a3ef-940f-4aaa-8b02-2287c631d511
+ version: -1
+ name: Has Results?
+ description: Found any alerts?
+ type: condition
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#default#':
+ - "52"
+ "yes":
+ - "59"
+ separatecontext: false
+ conditions:
+ - label: "yes"
+ condition:
+ - - operator: isNotEmpty
+ left:
+ value:
+ complex:
+ root: PaloAltoNetworksXDR
+ accessor: Alert
+ iscontext: true
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 450,
+ "y": 5110
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+system: true
+view: |-
+ {
+ "linkLabelsPosition": {
+ "58_26_yes": 0.89
+ },
+ "paper": {
+ "dimensions": {
+ "height": 6565,
+ "width": 1020,
+ "x": -190,
+ "y": -1070
+ }
+ }
+ }
+inputs:
+- key: HuntReconnaissanceTechniques
+ value:
+ simple: "True"
+ required: false
+ description: Set to True to hunt for identified alerts with MITRE Reconnaissance techniques.
+ playbookInputQuery:
+- key: HuntInitialAccessTechniques
+ value:
+ simple: "True"
+ required: false
+ description: Set to True to hunt for identified alerts with MITRE Initial Access techniques.
+ playbookInputQuery:
+- key: HuntExecutionTechniques
+ value:
+ simple: "True"
+ required: false
+ description: Set to True to hunt for identified alerts with MITRE Execution techniques.
+ playbookInputQuery:
+- key: HuntPersistenceTechniques
+ value:
+ simple: "True"
+ required: false
+ description: Set to True to hunt for identified alerts with MITRE Persistence techniques.
+ playbookInputQuery:
+- key: HuntPrivilegeEscalationTechniques
+ value:
+ simple: "True"
+ required: false
+ description: Set to True to hunt for identified alerts with MITRE Privilege Escalation techniques.
+ playbookInputQuery:
+- key: HuntDefenseEvasionTechniques
+ value:
+ simple: "True"
+ required: false
+ description: Set to True to hunt for identified alerts with MITRE Defense Evasion techniques.
+ playbookInputQuery:
+- key: HuntDiscoveryTechniques
+ value:
+ simple: "True"
+ required: false
+ description: Set to True to hunt for identified alerts with MITRE Discovery techniques.
+ playbookInputQuery:
+- key: HuntLateralMovementTechniques
+ value:
+ simple: "True"
+ required: false
+ description: Set to True to hunt for identified alerts with MITRE Lateral Movement techniques.
+ playbookInputQuery:
+- key: HuntCollectionTechniques
+ value:
+ simple: "True"
+ required: false
+ description: Set to True to hunt for identified alerts with MITRE Collection techniques .
+ playbookInputQuery:
+- key: HuntCnCTechniques
+ value:
+ simple: "True"
+ required: false
+ description: Set to True to hunt for identified alerts with MITRE Command and Control techniques.
+ playbookInputQuery:
+- key: HuntImpactTechniques
+ value:
+ simple: "True"
+ required: false
+ description: Set to True to hunt for identified alerts with MITRE Impact techniques.
+ playbookInputQuery:
+- key: HuntCredentialAccessTechniques
+ value: {}
+ required: false
+ description: Set to True to hunt for identified alerts with MITRE Credential Access techniques.
+ playbookInputQuery:
+- key: timeRange
+ value:
+ simple: 2 hours
+ required: false
+ description: |-
+ A time range to execute the hunting in.
+ The input should be in the following format:
+ * 1 day
+ * 2 minutes
+ * 4 hours
+ * 8 days
+ playbookInputQuery:
+- key: RunAll
+ value: {}
+ required: false
+ description: Whether to run all the sub-tasks for Mitre Tactics.
+ playbookInputQuery:
+- key: EntityType
+ value: {}
+ required: false
+ description: Entity type to search on xdr-get-alerts custom filters.
+ playbookInputQuery:
+- key: entityID
+ value: {}
+ required: false
+ description: Entity value.
+ playbookInputQuery:
+outputs:
+- contextPath: PaloAltoNetworksXDR.Alert
+ description: Alerts found.
+ type: unknown
+- contextPath: ArraySize
+ description: Array size.
+tests:
+- No tests (auto formatted)
+fromversion: 6.5.0
diff --git a/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Get_entity_alerts_by_MITRE_tactics_README.md b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Get_entity_alerts_by_MITRE_tactics_README.md
new file mode 100644
index 000000000000..6a830fd82dfd
--- /dev/null
+++ b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Get_entity_alerts_by_MITRE_tactics_README.md
@@ -0,0 +1,51 @@ +This playbook is part of the Cortex XDR by Palo Alto Networks’ pack. This playbook searches alerts related to specific entities from Cortex XDR, on a given timeframe, based on MITRE Tactics. +Note: The playbook inputs enable manipulating the execution flow. Read the input descriptions for details. + +## Dependencies +This playbook uses the following sub-playbooks, integrations, and scripts. + +### Sub-playbooks +This playbook does not use any sub-playbooks. + +### Integrations +CortexXDRIR + +### Scripts +CountArraySize + +### Commands +xdr-get-alerts + +## Playbook Inputs +--- + +| **Name** | **Description** | **Default Value** | **Required** | +| --- | --- | --- | --- | +| HuntReconnaissanceTechniques | Set to True to hunt for identified alerts with MITRE Reconnaissance techniques. | True | Optional | +| HuntInitialAccessTechniques | Set to True to hunt for identified alerts with MITRE Initial Access techniques. | True | Optional | +| HuntExecutionTechniques | Set to True to hunt for identified alerts with MITRE Execution techniques. | True | Optional | +| HuntPersistenceTechniques | Set to True to hunt for identified alerts with MITRE Persistence techniques. | True | Optional | +| HuntPrivilegeEscalationTechniques | Set to True to hunt for identified alerts with MITRE Privilege Escalation techniques. | True | Optional | +| HuntDefenseEvasionTechniques | Set to True to hunt for identified alerts with MITRE Defense Evasion techniques. | True | Optional | +| HuntDiscoveryTechniques | Set to True to hunt for identified alerts with MITRE Discovery techniques. | True | Optional | +| HuntLateralMovementTechniques | Set to True to hunt for identified alerts with MITRE Lateral Movement techniques. | True | Optional | +| HuntCollectionTechniques | Set to True to hunt for MITRE Collection techniques identified alerts. | True | Optional | +| HuntCnCTechniques | Set to True to hunt for identified alerts with MITRE Command and Control techniques. 
| True | Optional | +| HuntImpactTechniques | Set to True to hunt for identified alerts with MITRE Impact techniques. | True | Optional | +| HuntCredentialAccessTechniques | Set to True to hunt for identified alerts with MITRE Credential Access techniques. | | Optional | +| timeRange | A time range to execute the hunting in.
The input should be in the following format:
\* 1 day
\* 2 minutes
\* 4 hours
\* 8 days | 2 hours | Optional | +| RunAll | Whether to run all the sub-tasks for Mitre Tactics. | | Optional | +| EntityType | Entity type to search on xdr-get-alerts custom filters. | | Optional | +| entityID | Entity value.| | Optional | + +## Playbook Outputs +--- + +| **Path** | **Description** | **Type** | +| --- | --- | --- | +| PaloAltoNetworksXDR.Alert | Alerts found. | unknown | +| ArraySize | Array size. | unknown | + +## Playbook Image +--- +![Cortex XDR - Get entity alerts by MITRE tactics](../doc_files/Cortex_XDR_-_Get_entity_alerts_by_MITRE_tactics.png) diff --git a/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Isolate_Endpoint_6_2.yml b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Isolate_Endpoint_6_2.yml new file mode 100644 index 000000000000..3995c731753b --- /dev/null +++ b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Isolate_Endpoint_6_2.yml 
@@ -0,0 +1,438 @@
+id: Cortex XDR - Isolate Endpoint
+version: -1
+contentitemexportablefields:
+ contentitemfields: {}
+name: Cortex XDR - Isolate Endpoint
+description: This playbook accepts an XDR endpoint ID and isolates it using the 'Palo Alto Networks Cortex XDR - Investigation and Response' integration.
+starttaskid: "0"
+tasks:
+ "0":
+ id: "0"
+ taskid: f1adb14a-4677-41e4-8e31-6efc7047c635
+ type: start
+ task:
+ id: f1adb14a-4677-41e4-8e31-6efc7047c635
+ version: -1
+ name: ""
+ iscommand: false
+ brand: ""
+ description: ''
+ nexttasks:
+ '#none#':
+ - "2"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 40,
+ "y": 50
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "1":
+ id: "1"
+ taskid: 5fc9dbc7-ce76-4017-8d3f-8f47d87ab84c
+ type: regular
+ task:
+ id: 5fc9dbc7-ce76-4017-8d3f-8f47d87ab84c
+ version: -1
+ name: Cortex XDR - isolate endpoint
+ description: Isolates the specified endpoint.
+ script: '|||xdr-endpoint-isolate'
+ type: regular
+ iscommand: true
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "3"
+ scriptarguments:
+ endpoint_id:
+ complex:
+ root: PaloAltoNetworksXDR.Endpoint.endpoint_id
+ filters:
+ - - operator: isNotEmpty
+ left:
+ value:
+ simple: PaloAltoNetworksXDR.Endpoint.endpoint_id
+ iscontext: true
+ transformers:
+ - operator: uniq
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 570,
+ "y": 930
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "2":
+ id: "2"
+ taskid: cb9ba187-6e23-4c6c-847b-004dc0b6b241
+ type: condition
+ task:
+ id: cb9ba187-6e23-4c6c-847b-004dc0b6b241
+ version: -1
+ name: Is 'Palo Alto Networks Cortex XDR - Investigation and Response' integration enabled?
+ description: 'Checks if the ''Palo Alto Networks Cortex XDR - Investigation and Response'' integration is enabled. '
+ type: condition
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#default#':
+ - "3"
+ "yes":
+ - "4"
+ separatecontext: false
+ conditions:
+ - label: "yes"
+ condition:
+ - - operator: isExists
+ left:
+ value:
+ complex:
+ root: modules
+ filters:
+ - - operator: isEqualString
+ left:
+ value:
+ simple: modules.brand
+ iscontext: true
+ right:
+ value:
+ simple: Cortex XDR - IR
+ - - operator: isEqualString
+ left:
+ value:
+ simple: modules.state
+ iscontext: true
+ right:
+ value:
+ simple: active
+ accessor: brand
+ iscontext: true
+ right:
+ value: {}
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 40,
+ "y": 190
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "3":
+ id: "3"
+ taskid: 559a6fdc-20c3-44c7-82ab-726499c93163
+ type: title
+ task:
+ id: 559a6fdc-20c3-44c7-82ab-726499c93163
+ version: -1
+ name: Done
+ type: title
+ iscommand: false
+ brand: ""
+ description: ''
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 40,
+ "y": 1100
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "4":
+ id: "4"
+ taskid: 465da07f-5e0a-458f-8efe-f3b1ba853d88
+ type: condition
+ task:
+ id: 465da07f-5e0a-458f-8efe-f3b1ba853d88
+ version: -1
+ name: Is there an endpoint to isolate?
+ description: Checks if there is any endpoint to isolate.
+ type: condition
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#default#':
+ - "3"
+ Endpoint ID:
+ - "10"
+ IP or Hostname:
+ - "8"
+ separatecontext: false
+ conditions:
+ - label: Endpoint ID
+ condition:
+ - - operator: isNotEmpty
+ left:
+ value:
+ complex:
+ root: inputs.endpoint_id
+ iscontext: true
+ right:
+ value: {}
+ - label: IP or Hostname
+ condition:
+ - - operator: isNotEmpty
+ left:
+ value:
+ complex:
+ root: inputs.ip_list
+ iscontext: true
+ - operator: isNotEmpty
+ left:
+ value:
+ complex:
+ root: inputs.hostname
+ iscontext: true
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 570,
+ "y": 370
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "8":
+ id: "8"
+ taskid: ae2ef3ed-1fe0-4026-8dfd-a5193e575f64
+ type: regular
+ task:
+ id: ae2ef3ed-1fe0-4026-8dfd-a5193e575f64
+ version: -1
+ name: Cortex XDR - get endpoint ID
+ description: Gets a list of endpoints, according to the passed filters. Filtering by multiple fields is concatenated using the AND condition (OR is not supported). Maximum result set size is 100. Offset is the zero-based number of the endpoint from the start of the result set (start by counting from 0).
+ script: '|||xdr-get-endpoints'
+ type: regular
+ iscommand: true
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "11"
+ scriptarguments:
+ hostname:
+ complex:
+ root: inputs.hostname
+ transformers:
+ - operator: split
+ args:
+ delimiter: {}
+ - operator: uniq
+ ip_list:
+ complex:
+ root: inputs.ip_list
+ transformers:
+ - operator: split
+ args:
+ delimiter: {}
+ - operator: uniq
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 780,
+ "y": 540
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "10":
+ id: "10"
+ taskid: 9116896d-29f0-426d-8c89-7b8d3e14ff25
+ type: regular
+ task:
+ id: 9116896d-29f0-426d-8c89-7b8d3e14ff25
+ version: -1
+ name: Get endpoint status
+ description: Gets a list of endpoints, according to the passed filters. If there are no filters, all endpoints are returned. Filtering by multiple fields will be concatenated using AND condition (OR is not supported). Maximum result set size is 100. Offset is the zero-based number of the endpoint from the start of the result set (start by counting from 0).
+ script: '|||xdr-get-endpoints'
+ type: regular
+ iscommand: true
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "11"
+ scriptarguments:
+ endpoint_id_list:
+ complex:
+ root: inputs.endpoint_id
+ transformers:
+ - operator: split
+ args:
+ delimiter: {}
+ - operator: uniq
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 370,
+ "y": 540
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "11":
+ id: "11"
+ taskid: 76b781b9-b93b-4480-84f9-d79c839e0cb5
+ type: condition
+ task:
+ id: 76b781b9-b93b-4480-84f9-d79c839e0cb5
+ version: -1
+ name: Is the endpoint ready for isolation?
+ description: Checks if there is any endpoint ready for isolation.
+ type: condition
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#default#':
+ - "3"
+ "yes":
+ - "1"
+ separatecontext: false
+ conditions:
+ - label: "yes"
+ condition:
+ - - operator: isEqualString
+ left:
+ value:
+ complex:
+ root: PaloAltoNetworksXDR.Endpoint
+ accessor: is_isolated
+ iscontext: true
+ right:
+ value:
+ simple: AGENT_UNISOLATED
+ ignorecase: true
+ - - operator: isNotEmpty
+ left:
+ value:
+ complex:
+ root: PaloAltoNetworksXDR.Endpoint
+ accessor: endpoint_id
+ iscontext: true
+ ignorecase: true
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 570,
+ "y": 710
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+system: true
+view: |-
+ {
+ "linkLabelsPosition": {
+ "11_1_yes": 0.61,
+ "2_3_#default#": 0.13,
+ "4_10_Endpoint ID": 0.56,
+ "4_3_#default#": 0.37,
+ "4_8_IP or Hostname": 0.57
+ },
+ "paper": {
+ "dimensions": {
+ "height": 1115,
+ "width": 1120,
+ "x": 40,
+ "y": 50
+ }
+ }
+ }
+inputs:
+- key: endpoint_id
+ value: {}
+ required: false
+ description: The endpoint ID (string) to isolate. You can retrieve the ID using the xdr-get-endpoints command.
+ playbookInputQuery:
+- key: hostname
+ value:
+ complex:
+ root: Endpoint
+ accessor: Hostname
+ transformers:
+ - operator: uniq
+ required: false
+ description: A comma-separated list of hostnames.
+ playbookInputQuery:
+- key: ip_list
+ value:
+ complex:
+ root: IP
+ accessor: Address
+ transformers:
+ - operator: uniq
+ required: false
+ description: A comma-separated list of IP addresses.
+ playbookInputQuery:
+outputs:
+- contextPath: PaloAltoNetworksXDR.Endpoint.endpoint_id
+ description: The endpoint ID.
+- contextPath: PaloAltoNetworksXDR.Endpoint.endpoint_name
+ description: The endpoint name.
+- contextPath: PaloAltoNetworksXDR.Endpoint.endpoint_status
+ description: The status of the endpoint.
+- contextPath: PaloAltoNetworksXDR.Endpoint.ip
+ description: A list of IP addresses.
+- contextPath: PaloAltoNetworksXDR.Endpoint.is_isolated
+ description: Whether the endpoint is isolated.
+- contextPath: Endpoint.Hostname
+ description: The hostname that is mapped to this endpoint.
+tests:
+- Test XDR Playbook
+fromversion: 6.2.0
diff --git a/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Isolate_Endpoint_6_2_README.md b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Isolate_Endpoint_6_2_README.md
new file mode 100644
index 000000000000..6e298b70b01c
--- /dev/null
+++ b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Isolate_Endpoint_6_2_README.md
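Review bot: The isolate call in task "1" passes every `PaloAltoNetworksXDR.Endpoint.endpoint_id` found in context, filtered only by `isNotEmpty`, while the gate in task "11" appears to pass as soon as one endpoint reports `is_isolated` equal to `AGENT_UNISOLATED`; when task "8" or "10" returns several endpoints (or when the caller does not separate context and that key already holds entries from earlier tasks), already-isolated endpoints are re-submitted and anything else under that key is isolated as well. Filtering the `endpoint_id` argument by isolation state, as in the block below, limits the containment action to the endpoints the condition actually vetted. The `hostname` and `ip_list` inputs also default to every `Endpoint.Hostname` and `IP.Address` value in the incident context, so a caller that passes nothing explicit isolates whichever endpoints match those indicators; stating that scope in the input descriptions would help operators, e.g. `description: A comma-separated list of IP addresses. Defaults to all IP.Address values in context; every endpoint matching them is isolated.`
```yaml
      scriptarguments:
        endpoint_id:
          complex:
            root: PaloAltoNetworksXDR.Endpoint
            filters:
            - - operator: isEqualString
                left:
                  value:
                    simple: PaloAltoNetworksXDR.Endpoint.is_isolated
                  iscontext: true
                right:
                  value:
                    simple: AGENT_UNISOLATED
                ignorecase: true
            - - operator: isNotEmpty
                left:
                  value:
                    simple: PaloAltoNetworksXDR.Endpoint.endpoint_id
                  iscontext: true
            accessor: endpoint_id
            transformers:
            - operator: uniq
      # … unchanged: separatecontext, view and the remaining task "1" fields …
```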
@@ -0,0 +1,42 @@ +This playbook accepts an XDR endpoint ID and isolates it using the 'Palo Alto Networks Cortex XDR - Investigation and Response' integration. + +## Dependencies +This playbook uses the following sub-playbooks, integrations, and scripts. + +### Sub-playbooks +This playbook does not use any sub-playbooks. + +### Integrations +* CortexXDRIR + +### Scripts +This playbook does not use any scripts. + +### Commands +* xdr-endpoint-isolate +* xdr-get-endpoints + +## Playbook Inputs +--- + +| **Name** | **Description** | **Default Value** | **Required** | +| --- | --- | --- | --- | +| endpoint_id | The endpoint ID \(string\) to isolate. You can retrieve the ID using the xdr-get-endpoints command. | | Optional | +| hostname | A comma-separated list of hostnames. | Endpoint.Hostname | Optional | +| ip_list | A comma-separated list of IP addresses. | IP.Address | Optional | + +## Playbook Outputs +--- + +| **Path** | **Description** | **Type** | +| --- | --- | --- | +| PaloAltoNetworksXDR.Endpoint.endpoint_id | The endpoint ID. | unknown | +| PaloAltoNetworksXDR.Endpoint.endpoint_name | The endpoint name. | unknown | +| PaloAltoNetworksXDR.Endpoint.endpoint_status | The status of the endpoint. | unknown | +| PaloAltoNetworksXDR.Endpoint.ip | A list of IP addresses. | unknown | +| PaloAltoNetworksXDR.Endpoint.is_isolated | Whether the endpoint is isolated. | unknown | +| Endpoint.Hostname | The hostname that is mapped to this endpoint. | unknown | + +## Playbook Image +--- +![Cortex XDR - Isolate Endpoint](../doc_files/Cortex_XDR_-_Isolate_Endpoint6_2.png) \ No newline at end of file diff --git a/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_True_Positive_Incident_Handling_README.md b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_True_Positive_Incident_Handling_README.md index 4d15d60f8866..ed8d4921f116 100644 --- a/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_True_Positive_Incident_Handling_README.md 
+++ b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_True_Positive_Incident_Handling_README.md @@ -39,9 +39,9 @@ CortexXDRIR | HostID | The ID of the host for running an isolation process. | ${incident.deviceid} | Optional | | FilePaths | Enter the file paths you would like to delete. | incident.processpaths | Optional | | ManuallyChooseIOCForHunting | This input will provide you the ability to select IOCs to be hunted using the Threat Hunting - generic playbook.
If false, it will hunt for all IOCs detected in the incident.
Note: You can also insert "No Threat Hunting" to skip the Threat Hunting stage. | True | Optional | -| IP | IP value to be hunt upon. | IP.None | Optional | -| MD5 | MD5 file value to be hunt upon. | File.MD5.None | Optional | -| URL_or_Domain | URL or Domain to be hunt upon. | Domain.None | Optional | +| IP | IP value to be hunt upon. | IP | Optional | +| MD5 | MD5 file value to be hunt upon. | File.MD5 | Optional | +| URL_or_Domain | URL or Domain to be hunt upon. | Domain | Optional | | FileSha1 | File SHA1 value to be hunt upon. | File.SHA1 | Optional | ## Playbook Outputs diff --git a/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Unisolate_Endpoint.yml b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Unisolate_Endpoint.yml index ce1163664fc3..b65a9794d4ba 100644 --- a/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Unisolate_Endpoint.yml +++ b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Unisolate_Endpoint.yml @@ -292,3 +292,4 @@ tests: - Test XDR Playbook - Cortex XDR - IOC - Test fromversion: 5.5.0 +toversion: 6.1.9 diff --git a/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Unisolate_Endpoint_6_2.yml b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Unisolate_Endpoint_6_2.yml new file mode 100644 index 000000000000..8d181ffe9161 --- /dev/null +++ b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Unisolate_Endpoint_6_2.yml 
@@ -0,0 +1,346 @@ +id: Cortex XDR - Unisolate Endpoint +version: -1 +name: Cortex XDR - Unisolate Endpoint +description: This playbook unisolates endpoints according to the endpoint ID that is provided in the playbook input. +starttaskid: "0" +tasks: + "0": + id: "0" + taskid: 41d05f94-51a2-44cf-828b-58ed003b2470 + type: start + task: + id: 41d05f94-51a2-44cf-828b-58ed003b2470 + version: -1 + name: "" + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "3" + separatecontext: false + view: |- + { + "position": { + "x": 1470, + "y": 100 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + continueonerrortype: "" + isoversize: false + isautoswitchedtoquietmode: false + "3": + id: "3" + taskid: 1dc90b7b-6380-4a1b-89df-0ada079bf854 + type: condition + task: + id: 1dc90b7b-6380-4a1b-89df-0ada079bf854 + version: -1 + name: 'Is cortex XDR available ' + description: Returns 'yes' if integration brand is available. Otherwise returns 'no'. + scriptName: IsIntegrationAvailable + type: condition + iscommand: false + brand: "" + nexttasks: + "no": + - "5" + "yes": + - "4" + scriptarguments: + brandname: + simple: Cortex XDR - IR + results: + - brandInstances + separatecontext: false + view: |- + { + "position": { + "x": 1470, + "y": 260 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + continueonerrortype: "" + isoversize: false + isautoswitchedtoquietmode: false + "4": + id: "4" + taskid: f2ee88e0-4fbb-4b5e-81e6-631b37e066ad + type: condition + task: + id: f2ee88e0-4fbb-4b5e-81e6-631b37e066ad + version: -1 + name: Is there an endpoint to unisolate? + description: Is there an endpoint to unisolate? 
+ type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "5" + "yes": + - "7" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: inputs.Endpoint_ID + iscontext: true + right: + value: {} + - operator: isNotEmpty + left: + value: + simple: inputs.Hostname + iscontext: true + - operator: isNotEmpty + left: + value: + simple: inputs.IP + iscontext: true + view: |- + { + "position": { + "x": 1690, + "y": 430 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + continueonerrortype: "" + isoversize: false + isautoswitchedtoquietmode: false + "5": + id: "5" + taskid: 1dd236f7-ea7b-447a-8374-f5b9149e6f04 + type: title + task: + id: 1dd236f7-ea7b-447a-8374-f5b9149e6f04 + version: -1 + name: Done + type: title + iscommand: false + brand: "" + description: '' + separatecontext: false + view: |- + { + "position": { + "x": 1470, + "y": 1160 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + continueonerrortype: "" + isoversize: false + isautoswitchedtoquietmode: false + "6": + id: "6" + taskid: 7f93febb-d3a1-429a-843a-08b7143d52bd + type: regular + task: + id: 7f93febb-d3a1-429a-843a-08b7143d52bd + version: -1 + name: Unisolate endpoint + description: Reverses the isolation of an endpoint. 
+ script: '|||xdr-endpoint-unisolate' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "5" + scriptarguments: + endpoint_id: + complex: + root: PaloAltoNetworksXDR.Endpoint.endpoint_id + filters: + - - operator: isNotEmpty + left: + value: + simple: PaloAltoNetworksXDR.Endpoint.endpoint_id + iscontext: true + transformers: + - operator: uniq + separatecontext: false + view: |- + { + "position": { + "x": 1860, + "y": 990 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + continueonerrortype: "" + isoversize: false + isautoswitchedtoquietmode: false + "7": + id: "7" + taskid: 9fc01dd3-680f-4ec6-807c-255e3aab6c41 + type: regular + task: + id: 9fc01dd3-680f-4ec6-807c-255e3aab6c41 + version: -1 + name: Get endpoint status + description: Gets a list of endpoints, according to the passed filters. If there are no filters, all endpoints are returned. Filtering by multiple fields will be concatenated using AND condition (OR is not supported). Maximum result set size is 100. Offset is the zero-based number of endpoint from the start of the result set (start by counting from 0). 
+ script: '|||xdr-get-endpoints' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "8" + scriptarguments: + endpoint_id_list: + complex: + root: inputs.Endpoint_ID + transformers: + - operator: split + args: + delimiter: {} + - operator: uniq + hostname: + complex: + root: inputs.Hostname + transformers: + - operator: split + args: + delimiter: {} + - operator: uniq + ip_list: + complex: + root: inputs.IP + transformers: + - operator: split + args: + delimiter: {} + - operator: uniq + separatecontext: false + view: |- + { + "position": { + "x": 1860, + "y": 610 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + continueonerrortype: "" + isoversize: false + isautoswitchedtoquietmode: false + "8": + id: "8" + taskid: 0210a256-b211-4a77-8e86-fd5897fa0a19 + type: condition + task: + id: 0210a256-b211-4a77-8e86-fd5897fa0a19 + version: -1 + name: Is the endpoint is isolated? + description: Is the endpoint is isolated? 
+ type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "5" + "yes": + - "6" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isEqualString + left: + value: + simple: PaloAltoNetworksXDR.Endpoint.is_isolated + iscontext: true + right: + value: + simple: AGENT_ISOLATED + - - operator: isNotEmpty + left: + value: + simple: PaloAltoNetworksXDR.Endpoint.endpoint_id + iscontext: true + view: |- + { + "position": { + "x": 1860, + "y": 760 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + continueonerrortype: "" + isoversize: false + isautoswitchedtoquietmode: false +view: |- + { + "linkLabelsPosition": { + "3_5_no": 0.81, + "4_5_#default#": 0.24, + "8_5_#default#": 0.44, + "8_6_yes": 0.55 + }, + "paper": { + "dimensions": { + "height": 1125, + "width": 770, + "x": 1470, + "y": 100 + } + } + } +inputs: +- key: Endpoint_ID + value: {} + required: false + description: The endpoint ID that you want to be unisolated. + playbookInputQuery: +- key: Hostname + value: {} + required: false + description: The endpoint's hostname that you want to be unisolated. + playbookInputQuery: +- key: IP + value: {} + required: false + description: The endpoint's IP that you want to be unisolated. + playbookInputQuery: +outputs: [] +tests: +- Test XDR Playbook +fromversion: 6.2.0 +contentitemexportablefields: + contentitemfields: {} +system: true diff --git a/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Unisolate_Endpoint_6_2_README.md b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Unisolate_Endpoint_6_2_README.md new file mode 100644 index 000000000000..0a1969e3022a --- /dev/null +++ b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Unisolate_Endpoint_6_2_README.md 
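Review bot: Task "6" (Unisolate endpoint) hands every `PaloAltoNetworksXDR.Endpoint.endpoint_id` returned by task "7" to `xdr-endpoint-unisolate`, filtered only on `isNotEmpty`, while the gate in task "8" is satisfied as soon as one returned endpoint has `is_isolated` equal to `AGENT_ISOLATED`; with several hostnames or IPs in the inputs, endpoints that are not isolated would be sent to the unisolate command as well. Filtering the argument on the isolation state, as below, limits the action to the endpoints the condition actually matched. The task name and description `Is the endpoint is isolated?` read as a typo for `Is the endpoint isolated?`, and the playbook description still says the endpoint is selected by ID only although `Hostname` and `IP` are now inputs. The 4_9_13 release note in this change lists `xdr-endpoint-isolate` under Unisolate Endpoint and `xdr-unisolate-endpoint` under Isolate Endpoint, which is the reverse of the commands the two playbooks use.
```yaml
      scriptarguments:
        endpoint_id:
          complex:
            root: PaloAltoNetworksXDR.Endpoint
            filters:
            - - operator: isEqualString
                left:
                  value:
                    simple: PaloAltoNetworksXDR.Endpoint.is_isolated
                  iscontext: true
                right:
                  value:
                    simple: AGENT_ISOLATED
            accessor: endpoint_id
            transformers:
            - operator: uniq
```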
@@ -0,0 +1,34 @@ +This playbook unisolates endpoints according to the endpoint ID that is provided in the playbook input. + +## Dependencies +This playbook uses the following sub-playbooks, integrations, and scripts. + +### Sub-playbooks +This playbook does not use any sub-playbooks. + +### Integrations +* CortexXDRIR + +### Scripts +* IsIntegrationAvailable + +### Commands +* xdr-endpoint-unisolate +* xdr-get-endpoints + +## Playbook Inputs +--- + +| **Name** | **Description** | **Default Value** | **Required** | +| --- | --- | --- | --- | +| Endpoint_ID | The endpoint ID that you want to be unisolated. | | Optional | +| Hostname | The endpoint's hostname that you want to be unisolated. | | Optional | +| IP | The endpoint's IP that you want to be unisolated. | | Optional | + +## Playbook Outputs +--- +There are no outputs for this playbook. + +## Playbook Image +--- +![Cortex XDR - Unisolate Endpoint](../doc_files/Cortex_XDR_-_Unisolate_Endpoint6_2.png) \ No newline at end of file diff --git a/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Unisolate_Endpoint_README.md b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Unisolate_Endpoint_README.md index 468af1d6a845..c46936930683 100644 --- a/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Unisolate_Endpoint_README.md +++ b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Unisolate_Endpoint_README.md @@ -7,14 +7,14 @@ This playbook uses the following sub-playbooks, integrations, and scripts. This playbook does not use any sub-playbooks. ### Integrations -CortexXDR - IR +* CortexXDRIR ### Scripts -IsIntegrationAvailable +* IsIntegrationAvailable ### Commands -* xdr-get-endpoints * xdr-unisolate-endpoint +* xdr-get-endpoints ## Playbook Inputs --- 
@@ -29,4 +29,4 @@ There are no outputs for this playbook. ## Playbook Image --- -![Cortex XDR - Unisolate Endpoint](https://raw.githubusercontent.com/demisto/content/4966d5a5c9b80af03106f8da8dcd8512b3cb259e/Packs/CortexXDR/doc_files/Cortex_XDR_-_Unisolate_Endpoint.png) +![Cortex XDR - Unisolate Endpoint](../doc_files/Cortex_XDR_-_Unisolate_Endpoint.png) \ No newline at end of file diff --git a/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_Malware_-_Incident_Enrichment.yml b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_Malware_-_Incident_Enrichment.yml index f5ac6f3e4937..6dd842cb5480 100644 --- a/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_Malware_-_Incident_Enrichment.yml +++ b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_Malware_-_Incident_Enrichment.yml @@ -443,7 +443,7 @@ tasks: description: Checks whether given entries returned an error. Use ${lastCompletedTaskEntries} to check the previous task entries. If an array is provided, returns 'yes' if one of the entries returned an error. id: ad8f236e-56eb-4e7a-8e03-3f98b22f7fe3 iscommand: false - name: Check if we have more than 1 item + name: Is there only one endpoint? scriptName: isError type: condition version: -1 @@ -525,9 +525,7 @@ tasks: grid_id: simple: alertsandrelatedinfo keys: - simple: alert_id,host_name,actor_process_image_name,actor_process_os_pid,actor_process_image_sha256,actor_process_command_line,causality_actor_process_image_name - sort_by: - simple: MicrosoftATP.Alert.Evidence.[0].processCommandLine + simple: name,host_name,actor_process_image_name,actor_process_os_pid,actor_process_image_sha256,actor_process_command_line,causality_actor_process_image_name separatecontext: false skipunavailable: false task: 
@@ -867,7 +865,33 @@ tasks: - "14" scriptarguments: accountmemberof: - simple: ${Account.Groups} + complex: + root: Account + accessor: Groups + transformers: + - operator: uniq + - operator: replace + args: + limit: {} + replaceWith: + value: + simple: / + toReplace: + value: + simple: ',' + - operator: concat + args: + prefix: + value: + simple: '"' + suffix: + value: + simple: '"' + - operator: join + args: + separator: + value: + simple: ',' accountname: complex: root: Account diff --git a/Packs/CortexXDR/ReleaseNotes/4_9_10.md b/Packs/CortexXDR/ReleaseNotes/4_9_10.md new file mode 100644 index 000000000000..32dc6907d874 --- /dev/null +++ b/Packs/CortexXDR/ReleaseNotes/4_9_10.md @@ -0,0 +1,5 @@ + +#### Integrations +##### Palo Alto Networks Cortex XDR - Investigation and Response +- Updated the Docker image to: *demisto/python3:3.10.9.40422*. +- Fixed an issue where the ***xdr-blacklist-files*** and ***xdr-whitelist-files*** deprecated commands were mistakenly removed. diff --git a/Packs/CortexXDR/ReleaseNotes/4_9_11.md b/Packs/CortexXDR/ReleaseNotes/4_9_11.md new file mode 100644 index 000000000000..b960513538d8 --- /dev/null +++ b/Packs/CortexXDR/ReleaseNotes/4_9_11.md @@ -0,0 +1,3 @@ +#### Playbooks +##### Cortex XDR Malware - Incident Enrichment +Fixed an issue with setting up account groups information in the layout. \ No newline at end of file diff --git a/Packs/CortexXDR/ReleaseNotes/4_9_12.md b/Packs/CortexXDR/ReleaseNotes/4_9_12.md new file mode 100644 index 000000000000..41658ed7b38f --- /dev/null +++ b/Packs/CortexXDR/ReleaseNotes/4_9_12.md @@ -0,0 +1,5 @@ + +#### Playbooks +##### New: Cortex XDR - Get entity alerts by MITRE tactics +This playbook is part of the Cortex XDR by Palo Alto Networks’ pack. This playbook searches alerts related to specific entities from Cortex XDR, on a given timeframe, based on MITRE Tactics. +Note: The playbook inputs enable manipulating the execution flow. Read the input descriptions for details. 
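Review bot: The `replace` transformer on `accountmemberof` rewrites every `,` in each `Account.Groups` value to `/` before the values are quoted and joined, so group names that legitimately contain commas (directory DNs of the form `CN=...,OU=...` would be one case) reach the layout altered. If the comma is only being removed so the later `join` separator stays unambiguous, a sentence in the task description saying so would stop the next reader from treating it as a data bug; otherwise escaping the original value would preserve the name. The `concat` step wraps each value in `"` without handling a `"` already inside a value, which would break the resulting list in the same way. The enclosing task starts outside the hunk.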
diff --git a/Packs/CortexXDR/ReleaseNotes/4_9_13.md b/Packs/CortexXDR/ReleaseNotes/4_9_13.md new file mode 100644 index 000000000000..6b3a861d42f3 --- /dev/null +++ b/Packs/CortexXDR/ReleaseNotes/4_9_13.md @@ -0,0 +1,8 @@ + +#### Playbooks +##### Cortex XDR - Unisolate Endpoint +- Fixed an issue with the conditional task "Is the endpoint ready for isolation?" where the condition was not filtering properly the right Endpoint ID's. +- Changed deprecated command to the new one "xdr-endpoint-isolate". +##### Cortex XDR - Isolate Endpoint +- Added new inputs support ("IP" and "Hostname") along the Endpoint_ID. +- Changed deprecated command to the new one "xdr-unisolate-endpoint". \ No newline at end of file diff --git a/Packs/CortexXDR/ReleaseNotes/4_9_14.md b/Packs/CortexXDR/ReleaseNotes/4_9_14.md new file mode 100644 index 000000000000..07ee71a23ed8 --- /dev/null +++ b/Packs/CortexXDR/ReleaseNotes/4_9_14.md @@ -0,0 +1,4 @@ + +#### Playbooks +##### Cortex XDR - Get entity alerts by MITRE tactics +- Conditional task for alerts results was added diff --git a/Packs/CortexXDR/doc_files/Cortex_XDR_-_Get_entity_alerts_by_MITRE_tactics.png b/Packs/CortexXDR/doc_files/Cortex_XDR_-_Get_entity_alerts_by_MITRE_tactics.png new file mode 100644 index 000000000000..9e47274433e5 Binary files /dev/null and b/Packs/CortexXDR/doc_files/Cortex_XDR_-_Get_entity_alerts_by_MITRE_tactics.png differ diff --git a/Packs/CortexXDR/doc_files/Cortex_XDR_-_Isolate_Endpoint.png b/Packs/CortexXDR/doc_files/Cortex_XDR_-_Isolate_Endpoint.png index 69720585adf8..7f30eff71ee8 100644 Binary files a/Packs/CortexXDR/doc_files/Cortex_XDR_-_Isolate_Endpoint.png and b/Packs/CortexXDR/doc_files/Cortex_XDR_-_Isolate_Endpoint.png differ 
diff --git a/Packs/CortexXDR/doc_files/Cortex_XDR_-_Isolate_Endpoint6_2.png b/Packs/CortexXDR/doc_files/Cortex_XDR_-_Isolate_Endpoint6_2.png new file mode 100644 index 000000000000..74c498e9d22a Binary files /dev/null and b/Packs/CortexXDR/doc_files/Cortex_XDR_-_Isolate_Endpoint6_2.png differ diff --git a/Packs/CortexXDR/doc_files/Cortex_XDR_-_Unisolate_Endpoint6_2.png b/Packs/CortexXDR/doc_files/Cortex_XDR_-_Unisolate_Endpoint6_2.png new file mode 100644 index 000000000000..d5ce53a7c0c4 Binary files /dev/null and b/Packs/CortexXDR/doc_files/Cortex_XDR_-_Unisolate_Endpoint6_2.png differ diff --git a/Packs/CortexXDR/pack_metadata.json b/Packs/CortexXDR/pack_metadata.json index 2fd682109152..0282c6b88f07 100644 --- a/Packs/CortexXDR/pack_metadata.json +++ b/Packs/CortexXDR/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Cortex XDR by Palo Alto Networks", "description": "Automates Cortex XDR incident response, and includes custom Cortex XDR incident views and layouts to aid analyst investigations.", "support": "xsoar", - "currentVersion": "4.9.9", + "currentVersion": "4.9.14", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/CreateEDLInstance/Scripts/CreateEDLInstance/README.md b/Packs/CreateEDLInstance/Scripts/CreateEDLInstance/README.md index 0a4b171ad002..26bf1c014320 100644 --- a/Packs/CreateEDLInstance/Scripts/CreateEDLInstance/README.md +++ b/Packs/CreateEDLInstance/Scripts/CreateEDLInstance/README.md 
@@ -24,3 +24,8 @@ Use this automation to create an EDL instance on XSOAR. | **Name** | **Port** | **PortListName** | **Query** | | --- | --- | --- | --- | | Testing | 8008 | EDL_PORT_LIST | tags:block and type:IP | + +### Troubleshooting +Multi-tenant environments should be configured with the Cortex Rest API instance when using this +automation. Make sure the *Use tenant* parameter (in the Cortex Rest API integration) is checked +to ensure that API calls are made to the current tenant instead of the master tenant. \ No newline at end of file diff --git a/Packs/CreatePlbkDoc/Scripts/CreatePlbkDoc/README.md b/Packs/CreatePlbkDoc/Scripts/CreatePlbkDoc/README.md index 2d55dc85f838..3d9073745be2 100644 --- a/Packs/CreatePlbkDoc/Scripts/CreatePlbkDoc/README.md +++ b/Packs/CreatePlbkDoc/Scripts/CreatePlbkDoc/README.md @@ -28,3 +28,8 @@ Requirements: This automation requires "Demisto REST API" integration enabled an ## Outputs --- There are no outputs for this script. + +### Troubleshooting +Multi-tenant environments should be configured with the Cortex Rest API instance when using this +automation. Make sure the *Use tenant* parameter (in the Cortex Rest API integration) is checked +to ensure that API calls are made to the current tenant instead of the master tenant. \ No newline at end of file diff --git a/Packs/CrowdStrikeFalcon/.pack-ignore b/Packs/CrowdStrikeFalcon/.pack-ignore index 35df28a6f0e6..a848bf20cf01 100644 --- a/Packs/CrowdStrikeFalcon/.pack-ignore +++ b/Packs/CrowdStrikeFalcon/.pack-ignore @@ -1,5 +1,5 @@ [file:CrowdStrikeFalcon.yml] -ignore=IN126,IN136,IN144,IN145 +ignore=IN126,IN136,IN144,IN145,IN124 [file:README.md] ignore=RM102,RM104,RM106 diff --git a/Packs/CrowdStrikeFalcon/.secrets-ignore b/Packs/CrowdStrikeFalcon/.secrets-ignore index 51c8c68589d1..b731d80846b5 100644 --- a/Packs/CrowdStrikeFalcon/.secrets-ignore +++ b/Packs/CrowdStrikeFalcon/.secrets-ignore 
@@ -16,4 +16,8 @@ 7.5.9.8 9.6.3.5 4.6.8.7 -098f6bcd4621d373cade4e832627b4f6 \ No newline at end of file +4.6.8.7 +098f6bcd4621d373cade4e832627b4f6 +2000:db1:3333:4444:5555:6666:7777:8888 +test.com +e444c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 diff --git a/Packs/CrowdStrikeFalcon/Integrations/CrowdStrikeFalcon/CrowdStrikeFalcon.py b/Packs/CrowdStrikeFalcon/Integrations/CrowdStrikeFalcon/CrowdStrikeFalcon.py index 4ec088ce6475..75e0297bab45 100644 --- a/Packs/CrowdStrikeFalcon/Integrations/CrowdStrikeFalcon/CrowdStrikeFalcon.py +++ b/Packs/CrowdStrikeFalcon/Integrations/CrowdStrikeFalcon/CrowdStrikeFalcon.py @@ -9,19 +9,16 @@ from enum import Enum from threading import Timer from typing import Any, Callable, Dict, List, Optional, Tuple, Union - import requests from dateutil.parser import parse - # Disable insecure warnings import urllib3 urllib3.disable_warnings() - ''' GLOBALS/PARAMS ''' INTEGRATION_NAME = 'CrowdStrike Falcon' -CLIENT_ID = demisto.params().get('client_id') -SECRET = demisto.params().get('secret') +CLIENT_ID = demisto.params().get('credentials', {}).get('identifier') or demisto.params().get('client_id') +SECRET = demisto.params().get('credentials', {}).get('password') or demisto.params().get('secret') # Remove trailing slash to prevent wrong URL path to service SERVER = demisto.params()['url'][:-1] if (demisto.params()['url'] and demisto.params()['url'].endswith('/')) else \ demisto.params()['url'] @@ -40,7 +37,6 @@ TOKEN_LIFE_TIME = 28 INCIDENTS_PER_FETCH = int(demisto.params().get('incidents_per_fetch', 15)) DATE_FORMAT = '%Y-%m-%dT%H:%M:%SZ' - # Remove proxy if not set to true in params handle_proxy() 
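Review bot: The added `4.6.8.7` line duplicates the unchanged entry directly above it, so one of the two can be dropped. Each entry in this file suppresses the secrets scanner for that literal across the whole pack; the 64-hex value looks like a SHA-256 from test data and `test.com` and the IPv6 literal look like fixtures, but the change does not say which test files they come from, and naming them would make later pruning of this allow-list straightforward.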
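Review bot: `demisto.params().get('credentials', {})` only falls back to `{}` when the key is absent; if the platform passes the key with a null value, the chained `.get('identifier')` raises AttributeError at module import, before any command runs. The usual form is `CLIENT_ID = (demisto.params().get('credentials') or {}).get('identifier') or demisto.params().get('client_id')`, and the same shape for `SECRET`. The legacy `client_id`/`secret` parameters keep working through the `or` fallback, which deserves a one-line comment such as `# fall back to the pre-credentials parameters for existing instances` so the fallback is not removed later as dead code.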
@@ -329,6 +325,56 @@ def http_request(method, url_suffix, params=None, data=None, files=None, headers f'Failed to parse json object from response: {exception} - {res.content}') # type: ignore[str-bytes-safe] +def create_relationships(cve: dict) -> List: + """ + creates relationships between the cve and each actor from 'actors' field + : args: cve contains the cve id and the actors field if it is exists. + : return: a list of relationships by type THREAT_ACTOR. + """ + list_with_actors_field = [] + if not cve.get('actors'): + return [] + for actor in cve.get('actors', {}): + list_with_actors_field.append(actor) + relationships_list: list[EntityRelationship] = [] + # need to create entity + for entity_b in list_with_actors_field: + relationships_list.append(EntityRelationship(entity_a=cve.get('id'), + entity_a_type=FeedIndicatorType.CVE, + name=EntityRelationship.Relationships.TARGETED_BY, + entity_b=entity_b, + entity_b_type=ThreatIntel.ObjectsNames.THREAT_ACTOR, + brand=INTEGRATION_NAME, + reverse_name=EntityRelationship.Relationships.TARGETS)) + + return relationships_list + + +def create_dbot_Score(cve: dict, reliability: str) -> Common.DBotScore: + """ + Creates DBotScore CVE indicator, for get_cve_command. + """ + return Common.DBotScore(indicator=cve.get('id'), + indicator_type=DBotScoreType.CVE, + integration_name=INTEGRATION_NAME, + score=Common.DBotScore.NONE, + reliability=reliability) + + +def create_publications(cve: dict) -> list: + """ + Creates publications list from CVE, while using get_cve_command. + """ + publications = [] + if cve.get('references'): + for reference in cve.get('references', {}): + publications.append(Common.Publications(title='references', link=reference)) + if cve.get('vendor_advisory'): + for vendor_advisory in cve.get('vendor_advisory', {}): + publications.append(Common.Publications(title='vendor_advisory', link=vendor_advisory)) + return publications + + ''' API FUNCTIONS ''' 
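Review bot: `create_relationships` copies `cve['actors']` into `list_with_actors_field` element by element only to iterate it again, the `.get('actors', {})` default is a dict for a field that is treated as a list, and the return annotation is a bare `List`. The rewrite below keeps the behaviour in one comprehension and uses `or []` so a null field is handled like a missing one. `create_dbot_Score` is the only camel-cased function name in this hunk; `create_dbot_score` would match the rest of the file. `create_publications` uses the same `.get(..., {})` default for `references` and `vendor_advisory`; if the API can return either as a single string, the loop would iterate its characters, so wrapping the value in `argToList` is worth considering if that shape is possible — I cannot tell from here.
```python
def create_relationships(cve: dict) -> List[EntityRelationship]:
    """
    Creates one CVE -> threat-actor relationship per entry of the CVE's 'actors' field.
    : args: cve contains the cve id and, optionally, the actors field.
    : return: a list of relationships of type THREAT_ACTOR (empty when there are no actors).
    """
    return [
        EntityRelationship(entity_a=cve.get('id'),
                           entity_a_type=FeedIndicatorType.CVE,
                           name=EntityRelationship.Relationships.TARGETED_BY,
                           entity_b=actor,
                           entity_b_type=ThreatIntel.ObjectsNames.THREAT_ACTOR,
                           brand=INTEGRATION_NAME,
                           reverse_name=EntityRelationship.Relationships.TARGETS)
        for actor in (cve.get('actors') or [])
    ]
```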
@@ -1272,6 +1318,7 @@ def search_custom_iocs( limit: str = '50', sort: Optional[str] = None, offset: Optional[str] = None, + after: Optional[str] = None, ) -> dict: """ :param types: A list of indicator types. Separate multiple types by comma. @@ -1281,6 +1328,10 @@ def search_custom_iocs( :param limit: The maximum number of records to return. The minimum is 1 and the maximum is 500. Default is 100. :param sort: The order of the results. Format :param offset: The offset to begin the list from + :param after: A pagination token used with the limit parameter to manage pagination of results. + On your first request, don't provide an 'after' token. On subsequent requests, provide + the 'after' token from the previous response to continue from that place in the results. + To access more than 10k indicators, use the 'after' parameter instead of 'offset'. """ filter_list = [] if types: @@ -1297,6 +1348,7 @@ def search_custom_iocs( 'sort': sort, 'offset': offset, 'limit': limit, + 'after': after, } return http_request('GET', '/iocs/combined/indicator/v1', params=params) @@ -2254,7 +2306,8 @@ def search_custom_iocs_command( limit: str = '50', sort: Optional[str] = None, offset: Optional[str] = None, -) -> dict: + next_page_token: Optional[str] = None, +) -> List[dict]: """ :param types: A list of indicator types. Separate multiple types by comma. :param values: Comma-separated list of indicator values 
@@ -2263,6 +2316,10 @@ def search_custom_iocs_command( :param limit: The maximum number of records to return. The minimum is 1 and the maximum is 500. Default is 100. :param sort: The order of the results. Format :param offset: The offset to begin the list from + :param next_page_token: A pagination token used with the limit parameter to manage pagination of results. + On your first request, don't provide an 'after' token. On subsequent requests, provide + the 'after' token from the previous response to continue from that place in the results. + To access more than 10k indicators, use the 'after' parameter instead of 'offset'. """ raw_res = search_custom_iocs( types=argToList(types), @@ -2272,17 +2329,30 @@ def search_custom_iocs_command( offset=offset, expiration=expiration, limit=limit, + after=next_page_token, ) iocs = raw_res.get('resources') + meta = raw_res.get('meta') + if meta: + pagination_token = meta['pagination'].get('after') + else: + pagination_token = None if not iocs: return create_entry_object(hr='Could not find any Indicators of Compromise.') handle_response_errors(raw_res) + entry_objects_list = [] ec = [get_trasnformed_dict(ioc, IOC_KEY_MAP) for ioc in iocs] - return create_entry_object( + entry_objects_list.append(create_entry_object( contents=raw_res, ec={'CrowdStrike.IOC(val.ID === obj.ID)': ec}, hr=tableToMarkdown('Indicators of Compromise', ec, headers=IOC_HEADERS), - ) + )) + entry_objects_list.append(create_entry_object( + contents=raw_res, + ec={'CrowdStrike.NextPageToken': pagination_token}, + hr=tableToMarkdown('Pagination Info', pagination_token, headers=['Next Page Token']), + )) + return entry_objects_list def get_custom_ioc_command( 
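Review bot: `pagination_token = meta['pagination'].get('after')` raises KeyError when the response carries a `meta` object without a `pagination` key, and the early `return create_entry_object(hr='Could not find any Indicators of Compromise.')` still returns a single dict although the signature now promises `List[dict]` (this covers the -2254 and -2272 hunks together). Safer forms are `pagination_token = ((raw_res.get('meta') or {}).get('pagination') or {}).get('after')` and `return [create_entry_object(hr='Could not find any Indicators of Compromise.')]`. `tableToMarkdown('Pagination Info', pagination_token, headers=['Next Page Token'])` is handed a bare string or None rather than a row; `tableToMarkdown('Pagination Info', {'Next Page Token': pagination_token})` gives a proper one-row table. Both new entries also carry `contents=raw_res`, so the full raw response is written to the war room twice per call.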
@@ -3874,8 +3944,174 @@ def get_detection_for_incident_command(incident_id: str) -> CommandResults: raw_response=detection_res) +def build_url_filter(values: list[str] | str | None): + return 'cve.id:[\'' + "','".join(argToList(values)) + '\']' + + +def cs_falcon_spotlight_search_vulnerability_request(aid: list[str] | None, cve_id: list[str] | None, + cve_severity: list[str] | None, tags: list[str] | None, + status: list[str] | None, platform_name: str | None, + host_group: list[str] | None, host_type: list[str] | None, + last_seen_within: str | None, is_suppressed: str | None, filter_: str, + remediation: bool | None, evaluation_logic: bool | None, + host_info: bool | None, limit: str | None) -> dict: + input_arg_dict = {'aid': aid, + 'cve.id': cve_id, + 'host_info.tags': tags, + 'status': status, + 'host_info.groups': host_group, + 'last_seen_within': last_seen_within, + 'suppression_info.is_suppressed': is_suppressed} + input_arg_dict['cve.severity'] = [severity.upper() for severity in cve_severity] if cve_severity else None + input_arg_dict['host_info.platform_name'] = platform_name.capitalize() if platform_name else None + input_arg_dict['host_info.product_type_desc'] = [host_type_.capitalize() for host_type_ in host_type] if host_type else None + remove_nulls_from_dictionary(input_arg_dict) + # In Falcon Query Language, '+' (after decode '%2B) stands for AND and ',' for OR + # (https://falcon.crowdstrike.com/documentation/45/falcon-query-language-fql) + url_filter = filter_.replace('+', '%2B') + if not any((input_arg_dict, url_filter)): + raise DemistoException('Please add a at least one filter argument') + for key, arg in input_arg_dict.items(): + if url_filter: + url_filter += '%2B' + if isinstance(arg, list): + url_filter += f'{key}:[\'' + "','".join(arg) + '\']' + else: + url_filter += f"{key}:'{arg}'" # All args should be a list. 
this is a fallback + url_facet = '&facet=cve' + for argument, url_value in ( + ('remediation', remediation), + ('evaluation_logic', evaluation_logic), + ('host_info', host_info), + ): + if argToBoolean(url_value): + url_facet += f"&facet={argument}" + # The url is hardcoded since facet is a parameter that can have serval values, therefore we can't use a dict + suffix_url = f'/spotlight/combined/vulnerabilities/v1?filter={url_filter}{url_facet}&limit={limit}' + return http_request('GET', suffix_url) + + +def cs_falcon_spotlight_list_host_by_vulnerability_request(cve_ids: list[str] | None, limit: str) -> dict: + url_filter = build_url_filter(cve_ids) + params = {'filter': url_filter, 'facet': 'host_info', 'limit': limit} + return http_request('GET', '/spotlight/combined/vulnerabilities/v1', params=params) + + +def cve_request(cve_id: list[str] | None) -> dict: + url_filter = build_url_filter(cve_id) + return http_request('GET', '/spotlight/combined/vulnerabilities/v1', + params={'filter': url_filter, 'facet': 'cve'}) + + +def cs_falcon_spotlight_search_vulnerability_command(args: dict) -> CommandResults: + """ + Get a list of vulnerability by spotlight + : args: filter which include params or filter param. + : return: a list of vulnerabilities according to the user. 
+ """ + + vulnerability_response = cs_falcon_spotlight_search_vulnerability_request(argToList(args.get('aid')), + argToList(args.get('cve_id')), + argToList(args.get('cve_severity')), + argToList(args.get('tags')), + argToList(args.get('status')), + args.get('platform_name'), + argToList(args.get('host_group')), + argToList(args.get('host_type')), + args.get('last_seen_within'), + args.get('is_suppressed'), + args.get('filter', ''), + args.get('display_remediation_info'), + args.get('display_evaluation_logic_info'), + args.get('display_host_info'), + args.get('limit')) + headers = ['ID', 'Severity', 'Status', 'Base Score', 'Published Date', 'Impact Score', + 'Exploitability Score', 'Vector'] + outputs = [] + for vulnerability in vulnerability_response.get('resources', {}): + outputs.append({'ID': vulnerability.get('cve', {}).get('id'), + 'Severity': vulnerability.get('cve', {}).get('severity'), + 'Status': vulnerability.get('status'), + 'Base Score': vulnerability.get('cve', {}).get('base_score'), + 'Published Date': vulnerability.get('cve', {}).get('published_date'), + 'Impact Score': vulnerability.get('cve', {}).get('impact_score'), + 'Exploitability Score': vulnerability.get('cve', {}).get('exploitability_score'), + 'Vector': vulnerability.get('cve', {}).get('vector') + }) + human_readable = tableToMarkdown('List Vulnerabilities', outputs, removeNull=True, headers=headers) + return CommandResults(raw_response=vulnerability_response, + readable_output=human_readable, outputs=vulnerability_response.get('resources'), + outputs_prefix="CrowdStrike.Vulnerability", outputs_key_field="id") + + +def cs_falcon_spotlight_list_host_by_vulnerability_command(args: dict) -> CommandResults: + """ + Get a list of vulnerability by spotlight + : args: filter which include params or filter param. + : return: a list of vulnerabilities according to the user. 
+ """ + cve_ids = args.get('cve_ids') + limit = args.get('limit', '50') + vulnerability_response = cs_falcon_spotlight_list_host_by_vulnerability_request(cve_ids, limit) + headers = ['CVE ID', 'hostname', 'os Version', 'Product Type Desc', + 'Local IP', 'ou', 'Machine Domain', 'Site Name', + 'CVE Exploitability Score', 'CVE Vector'] + outputs = [] + for vulnerability in vulnerability_response.get('resources', {}): + outputs.append({'CVE ID': vulnerability.get('cve', {}).get('id'), + 'hostname': vulnerability.get('host_info', {}).get('hostname'), + 'os Version': vulnerability.get('host_info', {}).get('os_version'), + 'Product Type Desc': vulnerability.get('host_info', {}).get('product_type_desc'), + 'Local IP': vulnerability.get('host_info', {}).get('local_ip'), + 'ou': vulnerability.get('host_info', {}).get('ou'), + 'Machine Domain': vulnerability.get('host_info', {}).get('machine_domain'), + 'Site Name': vulnerability.get('host_info', {}).get('site_name')}) + human_readable = tableToMarkdown('List Vulnerabilities For Host', outputs, removeNull=True, headers=headers) + return CommandResults(raw_response=vulnerability_response, + readable_output=human_readable, outputs=vulnerability_response.get('resources'), + outputs_prefix="CrowdStrike.VulnerabilityHost", outputs_key_field="id") + + +def get_cve_command(args: dict) -> list[CommandResults]: + """ + Get a list of vulnerability by spotlight + : args: filter which include params or filter param. + : return: a list of cve indicators according to the user. 
+ """ + if not args.get('cve_id'): + raise DemistoException('Please add a filter argument "cve_id".') + command_results_list = [] + http_response = cve_request(args.get('cve_id')) + raw_cve = [res_element.get('cve') for res_element in http_response.get('resources', [])] + for cve in raw_cve: + relationships_list = create_relationships(cve) + cve_dbot_score = create_dbot_Score(cve=cve, reliability=args.get('Reliability', 'A+ - 3rd party enrichment')) + cve_indicator = Common.CVE(id=cve.get('id'), + cvss='', + published=cve.get('published_date'), + modified='', + description=cve.get('description'), + cvss_score=cve.get('base_score'), + cvss_vector=cve.get('vector'), + dbot_score=cve_dbot_score, + publications=create_publications(cve), + relationships=relationships_list) + cve_human_readable = {'ID': cve.get('id'), + 'Description': cve.get('description'), + 'Published Date': cve.get('published_date'), + 'Base Score': cve.get('base_score')} + human_readable = tableToMarkdown('CrowdStrike Falcon CVE', cve_human_readable, + headers=['ID', 'Description', 'Published Date', 'Base Score']) + command_results_list.append(CommandResults(raw_response=cve, + readable_output=human_readable, + relationships=relationships_list, + indicator=cve_indicator)) + return command_results_list + + ''' COMMANDS MANAGER / SWITCH PANEL ''' + LOG('Command being called is {}'.format(demisto.command())) @@ -4021,13 +4257,10 @@ def main(): host_ids = argToList(args.get('host_ids')) return_results(rtr_general_command_on_hosts(host_ids, "runscript", full_command, execute_run_batch_admin_cmd_with_timer)) - elif command == 'cs-falcon-rtr-retrieve-file': return_results(rtr_polling_retrieve_file_command(args)) - elif command == 'cs-falcon-get-detections-for-incident': return_results(get_detection_for_incident_command(args.get('incident_id'))) - elif command == 'get-remote-data': return_results(get_remote_data_command(args)) elif demisto.command() == 'get-modified-remote-data': 
@@ -4036,6 +4269,12 @@ def main(): return_results(update_remote_system_command(args)) elif demisto.command() == 'get-mapping-fields': return_results(get_mapping_fields_command()) + elif command == 'cs-falcon-spotlight-search-vulnerability': + return_results(cs_falcon_spotlight_search_vulnerability_command(args)) + elif command == 'cs-falcon-spotlight-list-host-by-vulnerability': + return_results(cs_falcon_spotlight_list_host_by_vulnerability_command(args)) + elif command == 'cve': + return_results(get_cve_command(args)) else: raise NotImplementedError(f'CrowdStrike Falcon error: ' f'command {command} is not implemented') diff --git a/Packs/CrowdStrikeFalcon/Integrations/CrowdStrikeFalcon/CrowdStrikeFalcon.yml b/Packs/CrowdStrikeFalcon/Integrations/CrowdStrikeFalcon/CrowdStrikeFalcon.yml index bf459bb5a873..0c45828980a1 100644 --- a/Packs/CrowdStrikeFalcon/Integrations/CrowdStrikeFalcon/CrowdStrikeFalcon.yml +++ b/Packs/CrowdStrikeFalcon/Integrations/CrowdStrikeFalcon/CrowdStrikeFalcon.yml @@ -8,24 +8,45 @@ configuration: name: url required: true type: 0 +- display: Client ID + name: credentials + required: false + type: 9 + displaypassword: Secret - display: Client ID name: client_id - required: true + required: false type: 0 + hidden: true - display: Secret name: secret - required: true + required: false type: 4 -- defaultvalue: 3 days - display: First fetch timestamp (
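Review bot: The three new `elif` branches compare `command == ...` while the branches directly above them in this hunk compare `demisto.command() == ...`, so main() now mixes both spellings in adjacent lines; `command` is presumably bound from `demisto.command()` earlier in main(), which starts outside this hunk, so behaviour is likely the same, but the reader has to confirm that. I would match the neighbouring lines, e.g. `elif demisto.command() == 'cs-falcon-spotlight-search-vulnerability':`, or consistently use the local `command` for the whole chain in a follow-up. A second point visible from the dispatch: the `cve` branch hands `args` to `get_cve_command`, which passes `args.get('cve_id')` straight into `cve_request(cve_id: list[str] | None)`, and the list-host branch's handler does the same with `args.get('cve_ids')`, whereas the search branch normalises every list argument with `argToList`; if `build_url_filter` (not visible here) expects a list, a comma-separated war-room value would reach it unsplit, so those two handlers should wrap the argument with `argToList(...)` as the search command does.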