[CrowdStrike Falcon] Additional command to get IOA Rules for custom …

…IOA rule triggered detections. (demisto#32124) * [CrowdStrike Falcon] Additional command to get IOA Rules for custom IOA rule triggered detections. (demisto#31992) * [Crowdstrike Falcon] Added command to get IOARules * Create 1_12_11.md * Create 1_12_12.md * Update pack_metadata.json * Update CrowdStrikeFalcon.py - fixed flake8 issues --------- Co-authored-by: Yuval Cohen <[email protected]> * fixes * known words --------- Co-authored-by: zeekforit <[email protected]> Co-authored-by: Yuval Cohen <[email protected]> Co-authored-by: yucohen <[email protected]>
SEKOIA-IO · Jan 11, 2024 · 1f42c28 · 1f42c28
1 parent dd2a2c5
commit 1f42c28
Show file tree

Hide file tree

Showing 7 changed files with 168 additions and 4 deletions.
diff --git a/Packs/CrowdStrikeFalcon/.pack-ignore b/Packs/CrowdStrikeFalcon/.pack-ignore
@@ -21,6 +21,7 @@ IOM
 IOA
 enrichments
 cspm
+ioarules
 
 [file:classifier-CrowdStrike_Falcon_Incident_Classifier.json]
 ignore=BA101

diff --git a/Packs/CrowdStrikeFalcon/Integrations/CrowdStrikeFalcon/CrowdStrikeFalcon.py b/Packs/CrowdStrikeFalcon/Integrations/CrowdStrikeFalcon/CrowdStrikeFalcon.py
@@ -1287,6 +1287,19 @@ def get_behaviors(behavior_ids: list[str]) -> dict:
     )
 
 
+def get_ioarules(rule_ids: list[str]) -> dict:
+    """
+        Sends ioa rules entities request
+        :param rule_ids: IDs of the requested ioa rule.
+        :return: Response json of the get ioa rule entities endpoint (ioa rule objects)
+    """
+    return http_request(
+        'POST',
+        '/ioarules/entities/rules/GET/v1',
+        data=json.dumps({'ids': rule_ids}),
+    )
+
+
 def get_detections(last_behavior_time=None, behavior_id=None, filter_arg=None):
     """
         Sends detections request. The function will ignore the arguments passed according to priority:
@@ -6536,6 +6549,28 @@ def table_headers_transformer(header: str) -> str:
     )
 
 
+def get_ioarules_command(args: dict) -> CommandResults:
+    rule_ids = argToList(args['rule_ids'])
+    ioarules_response_data = get_ioarules(rule_ids)
+
+    ioarules = ioarules_response_data.get('resources', [])
+
+    return CommandResults(
+        outputs_prefix='CrowdStrike.IOARules',
+        outputs_key_field='instance_id',
+        outputs=ioarules,
+        readable_output=tableToMarkdown(
+            name='CrowdStrike IOA Rules',
+            t=ioarules,
+            headers=['instance_id', 'description', 'enabled', 'name', 'pattern_id'],
+            headerTransform=string_to_table_header,
+            removeNull=True,
+            sort_headers=False,
+        ),
+        raw_response=ioarules_response_data,
+    )
+
+
 def main():
     command = demisto.command()
     args = demisto.args()
@@ -6765,6 +6800,8 @@ def main():
             return_results(cs_falcon_list_users_command(args=args))
         elif command == 'cs-falcon-get-incident-behavior':
             return_results(get_incident_behavior_command(args=args))
+        elif command == 'cs-falcon-get-ioarules':
+            return_results(get_ioarules_command(args=args))
         else:
             raise NotImplementedError(f'CrowdStrike Falcon error: '
                                       f'command {command} is not implemented')

diff --git a/Packs/CrowdStrikeFalcon/Integrations/CrowdStrikeFalcon/CrowdStrikeFalcon.yml b/Packs/CrowdStrikeFalcon/Integrations/CrowdStrikeFalcon/CrowdStrikeFalcon.yml
@@ -4884,7 +4884,84 @@ script:
     - contextPath: CrowdStrike.IncidentBehavior.compound_tto
       description: The compound TTO.
       type: String
-  dockerimage: demisto/py3-tools:1.0.0.84136
+  - arguments:
+    - description: The rule ID to get IOA rules for.
+      name: rule_ids
+      isArray: true
+      required: true
+    description: Get IOA Rules.
+    name: cs-falcon-get-ioarules
+    outputs:
+    - contextPath: CrowdStrike.IOARules.instance_id
+      description: The IOA Rule's instance ID.
+      type: String
+    - contextPath: CrowdStrike.IOARules.customer_id
+      description: The customer ID.
+      type: String
+    - contextPath: CrowdStrike.IOARules.action_label
+      description: The IOA Rule's action label.
+      type: String
+    - contextPath: CrowdStrike.IOARules.comment
+      description: The IOA Rule's comment.
+      type: String
+    - contextPath: CrowdStrike.IOARules.committed_on
+      description: The timestamp of the IOA Rule's commitment.
+      type: String
+    - contextPath: CrowdStrike.IOARules.created_by
+      description: The IOA Rule's creator.
+      type: String
+    - contextPath: CrowdStrike.IOARules.created_on
+      description: The timestamp of the IOA Rule's creation.
+      type: String
+    - contextPath: CrowdStrike.IOARules.deleted
+      description: Whether the IOA Rule is in deleted status.
+      type: Boolean
+    - contextPath: CrowdStrike.IOARules.description
+      description: The IOA Rule's description.
+      type: String
+    - contextPath: CrowdStrike.IOARules.disposition_id
+      description: The disposition ID used by the IOA Rule.
+      type: String
+    - contextPath: CrowdStrike.IOARules.enabled
+      description: Whether the IOA Rule is enabled.
+      type: Boolean
+    - contextPath: CrowdStrike.IOARules.field_values
+      description: The IOA Rule's field values.
+      type: String
+    - contextPath: CrowdStrike.IOARules.instance_version
+      description: The IOA Rule's instance version.
+      type: String
+    - contextPath: CrowdStrike.IOARules.magic_cookie
+      description: The IOA Rule's magic cookie.
+      type: String
+    - contextPath: CrowdStrike.IOARules.modified_by
+      description: The last user who modified the IOA Rule.
+      type: String
+    - contextPath: CrowdStrike.IOARules.modified_on
+      description: The timestamp of the IOA Rule's last modification.
+      type: String
+    - contextPath: CrowdStrike.IOARules.name
+      description: The IOA Rule name.
+      type: String
+    - contextPath: CrowdStrike.IOARules.pattern_id
+      description: The IOA Rule's pattern ID.
+      type: String
+    - contextPath: CrowdStrike.IOARules.pattern_severity
+      description: The IOA Rule's pattern severity.
+      type: String
+    - contextPath: CrowdStrike.IOARules.rulegroup_id
+      description: The IOA Rule's Rule group ID.
+      type: String
+    - contextPath: CrowdStrike.IOARules.ruletype_id
+      description: The IOA Rule's Rule type ID.
+      type: String
+    - contextPath: CrowdStrike.IOARules.ruletype_name
+      description: The IOA Rule's Rule type name.
+      type: String
+    - contextPath: CrowdStrike.IOARules.version_ids
+      description: The IOA Rule's version ID.
+      type: String
+  dockerimage: demisto/py3-tools:1.0.0.84811
   isfetch: true
   ismappable: true
   isremotesyncin: true

diff --git a/Packs/CrowdStrikeFalcon/Integrations/CrowdStrikeFalcon/README.md b/Packs/CrowdStrikeFalcon/Integrations/CrowdStrikeFalcon/README.md
@@ -6715,3 +6715,47 @@ Get incident behavior information
 | CrowdStrike.IncidentBehavior.display_name | String | The display name. | 
 | CrowdStrike.IncidentBehavior.objective | String | The objective. | 
 | CrowdStrike.IncidentBehavior.compound_tto | String | The compound TTO. | 
+
+
+### cs-falcon-get-ioarules
+
+***
+Get IOA Rules for Custom IOA rule triggered detections
+
+#### Base Command
+
+`cs-falcon-get-ioarules`
+
+#### Input
+
+| **Argument Name** | **Description** | **Required** |
+| --- | --- | --- |
+| rule_ids | ID(s) of rules to list. Rule IDs can be retrieved by combining cid and rule_instance_id from 'cs-falcon-list-detection-summaries' output using this format cid:rule_instance_id. Example: 1123casdcccxxaafq13fdasf:2003 | Required | 
+
+#### Context Output
+
+| **Path** | **Type** | **Description** |
+| --- | --- | --- |
+| CrowdStrike.IOARules.instance_id | String | The IOA Rule's Instance ID. | 
+| CrowdStrike.IOARules.customer_id | String | The customer ID. | 
+| CrowdStrike.IOARules.action_label | String | The IOA Rule's Action Label. | 
+| CrowdStrike.IOARules.comment | String | The IOA Rule's Comment.. | 
+| CrowdStrike.IOARules.committed_on | String | The timestamp of the IOA Rule's commitment. | 
+| CrowdStrike.IOARules.created_by | String | The IOA Rule's creator. | 
+| CrowdStrike.IOARules.created_on | String | The timestamp of the IOA Rule's creation. | 
+| CrowdStrike.IOARules.deleted | Boolean | Whether the IOA Rule is in deleted status. | 
+| CrowdStrike.IOARules.description | String | The IOA Rule's Description. | 
+| CrowdStrike.IOARules.disposition_id | String | The Disposition ID used by the IOA Rule. | 
+| CrowdStrike.IOARules.enabled | Boolean | Whether the IOA Rule is enabled. | 
+| CrowdStrike.IOARules.field_values | String | The IOA Rule's field values. | 
+| CrowdStrike.IOARules.instance_version | String | The IOA Rule's Instance Version. | 
+| CrowdStrike.IOARules.magic_cookie | String | The IOA Rule's Magic Cookie. | 
+| CrowdStrike.IOARules.modified_by | String | The IOA Rule's last modified user.
+| CrowdStrike.IOARules.modified_on| String | The timestamp of the IOA Rule's last modification. | 
+| CrowdStrike.IOARules.name | String | The IOA Rule Name. | 
+| CrowdStrike.IOARules.pattern_id | String | The IOA Rule's Pattern ID. | 
+| CrowdStrike.IOARules.pattern_severity | String | The IOA Rule's Pattern Severity. | 
+| CrowdStrike.IOARules.rulegroup_id | String | The IOA Rule's Rule Group ID. | 
+| CrowdStrike.IOARules.ruletype_id | String | The IOA Rule's Rule Type ID. | 
+| CrowdStrike.IOARules.ruletype_name | String | The IOA Rule's Rule Type Name. | 
+| CrowdStrike.IOARules.version_ids | String | The IOA Rule's Version ID. | 
diff --git a/Packs/CrowdStrikeFalcon/Integrations/CrowdStrikeFalcon/examples.txt b/Packs/CrowdStrikeFalcon/Integrations/CrowdStrikeFalcon/examples.txt
@@ -28,4 +28,5 @@ cs-falcon-cspm-list-service-policy-settings limit=2
 cs-falcon-cspm-update-policy_settings policy_id=1 enabled=true regions="eu-central-1,eu-central-2" severity=high tag_excluded=false
 cs-falcon-resolve-identity-detection ids="id_1,id_2" add_tag="Demo tag" append_comment="Demo comment" assign_to_name="morganf" show_in_ui=true update_status=in_progress
 cs-falcon-list-users limit=1
-cs-falcon-get-incident-behavior behavior_ids=ind:046761c46ec84f40b27b6f79ce7cd32c:1718483878780-364-892944
+cs-falcon-get-incident-behavior behavior_ids=ind:046761c46ec84f40b27b6f79ce7cd32c:1718483878780-364-892944
+cs-falcon-get-ioarules rule_ids=7471ba0636b34cbb8c65fae7979a6a9b:2003
diff --git a/Packs/CrowdStrikeFalcon/ReleaseNotes/1_12_12.md b/Packs/CrowdStrikeFalcon/ReleaseNotes/1_12_12.md
@@ -0,0 +1,4 @@
+
+#### Integrations
+##### CrowdStrike Falcon
+- Added the ***cs-falcon-ioarules*** command that allows to retrieve rules for Custom IOA rules detections.
diff --git a/Packs/CrowdStrikeFalcon/pack_metadata.json b/Packs/CrowdStrikeFalcon/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "CrowdStrike Falcon",
     "description": "The CrowdStrike Falcon OAuth 2 API (formerly the Falcon Firehose API), enables fetching and resolving detections, searching devices, getting behaviors by ID, containing hosts, and lifting host containment.",
     "support": "xsoar",
-    "currentVersion": "1.12.11",
+    "currentVersion": "1.12.12",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",
@@ -70,4 +70,4 @@
         "Malware",
         "FeedMitreAttackv2"
     ]
-}
+}