Merge branch 'contrib/SEKOIA-IO_Add/SekoiaXDR' into Add/SekoiaXDR

.pre-commit-config_template.yaml

@@ -41,6 +41,8 @@ repos:
     - --config=nightly_ruff.toml
     args:ci:
     - --config=nightly_ruff.toml
+    args:docker_autoupdate:
+    - --config=nightly_ruff.toml
 - repo: https://github.com/hhatto/autopep8
   rev: v2.3.1
   hooks:

Packs/AzureSentinel/Integrations/AzureSentinel/README.md

@@ -86,8 +86,12 @@ To setup the mirroring follow these instructions:
 5. Optional: Check the **Close Mirrored XSOAR Incident** integration parameter to close the Cortex XSOAR incident when the corresponding incident is closed in *Microsoft Sentinel*.
 6. Optional: Check the **Close Mirrored Microsoft Sentinel Ticket** integration parameter to close the *Microsoft Sentinel* incident when the corresponding Cortex XSOAR incident is closed.
 
-Newly fetched incidents will be mirrored in the chosen direction. However, this selection does not affect existing incidents.
-**Important Note:** To ensure the mirroring works as expected, mappers are required, both for incoming and outgoing, to map the expected fields in Cortex XSOAR and *Microsoft Sentinel*.
+Newly fetched incidents will be mirrored in the chosen direction. However, this selection does not affect existing incidents.  
+
+**Important Notes:**  
+
+- To ensure the mirroring works as expected, mappers are required, both for incoming and outgoing, to map the expected fields in Cortex XSOAR and *Microsoft Sentinel*.
+- If the **The minimum severity of incidents to fetch** integration parameter is set to a value other than `None`, incidents with a severity lower than the specified value will not be mirrored, even if their severity is changed in *Microsoft Sentinel* to a higher severity.
 
 
 ## Commands

Packs/CommonScripts/ReleaseNotes/1_15_50.md

@@ -0,0 +1,15 @@
+
+#### Scripts
+
+##### ExtractIndicatorsFromWordFile
+
+- Updated the Docker image to: *demisto/office-utils:2.0.0.107687*.
+##### ExtractHyperlinksFromOfficeFiles
+
+- Updated the Docker image to: *demisto/office-utils:2.0.0.107687*.
+##### ConvertFile
+
+- Updated the Docker image to: *demisto/office-utils:2.0.0.107687*.
+##### ParseWordDoc
+
+- Updated the Docker image to: *demisto/office-utils:2.0.0.107687*.

Packs/CommonScripts/Scripts/ConvertFile/ConvertFile.yml

@@ -21,10 +21,10 @@ args:
 - name: all_files
   auto: PREDEFINED
   predefined:
-  - "yes"
-  - "no"
+  - 'yes'
+  - 'no'
   description: If "yes", will return all generated files. If "no", will return only the main file. Relevant for formats that might generate multiple files, such as html (which will generate image files additionally to the main html file). Default is "no".
-  defaultValue: "no"
+  defaultValue: 'no'
 outputs:
 - contextPath: File.Name
   description: The name of the output file.
@@ -42,7 +42,7 @@ outputs:
   description: The file type.
   type: String
 scripttarget: 0
-dockerimage: demisto/office-utils:2.0.0.88735
+dockerimage: demisto/office-utils:2.0.0.107687
 runas: DBotWeakRole
 tests:
 - No tests (auto formatted)

Packs/CommonScripts/Scripts/ExtractHyperlinksFromOfficeFiles/ExtractHyperlinksFromOfficeFiles.yml

@@ -1,5 +1,5 @@
 args:
-- description: 'The entry id of the file to extract hyperlinks from.'
+- description: The entry id of the file to extract hyperlinks from.
   name: entry_id
   required: true
 comment: 'Extracts hyperlinks from office files. Supported file types are: xlsx, docx, pptx.'
@@ -18,5 +18,5 @@ script: '-'
 timeout: '0'
 type: python
 subtype: python3
-dockerimage: demisto/office-utils:2.0.0.96781
+dockerimage: demisto/office-utils:2.0.0.107687
 fromversion: 5.5.0

Packs/CommonScripts/Scripts/ExtractIndicatorsFromWordFile/ExtractIndicatorsFromWordFile.py

@@ -35,15 +35,15 @@ def convert_doc_to_docx(self):
         output = subprocess.check_output(
             ['soffice', '--headless', '-env:UserInstallation=file:///tmp/.config/extractindicators', '--convert-to',
              'docx', self.file_path], stderr=subprocess.STDOUT)
-        demisto.debug("soffice output: [{}]".format(str(output)))
+        demisto.debug(f"soffice output: [{str(output)}]")
         # Requires office-utils docker image
         output_file_name = self.file_name[0:self.file_name.rfind('.')] + '.docx'
         self.file_path = self.file_path + ".docx"
         try:
             with open(self.file_path, 'rb') as f:
                 f_data = f.read()
                 self.res = fileResult(output_file_name, f_data)
-        except IOError:
+        except OSError:
             return_error("Error: was not able to convert the input file to docx format.")
 
     def extract_indicators(self):
@@ -113,7 +113,7 @@ def main():
     try:
         parser.parse_word()
     except subprocess.CalledProcessError as perr:
-        return_error("ProcessError: exit code: {}. Output: {}".format(perr.returncode, perr.output))
+        return_error(f"ProcessError: exit code: {perr.returncode}. Output: {perr.output}")
     except Exception as e:
         return_error(str(e))
 

Packs/CommonScripts/Scripts/ExtractIndicatorsFromWordFile/ExtractIndicatorsFromWordFile.yml

@@ -2,13 +2,16 @@ args:
 - description: The entry ID of the word document to be parsed for indicators. The document can be either in DOC or DOCX format.
   name: entryID
   required: true
-comment: |-
-  Used to extract indicators from Word files (DOC, DOCX).
+comment: 'Used to extract indicators from Word files (DOC, DOCX).
+
   The script does not extract data from macros (e.g., embedded code).
 
+
   This automation runs using the default Limited User role, unless you explicitly change the permissions.
+
   For more information, see the section about permissions here:
-  https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
+
+  https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations'
 commonfields:
   id: ExtractIndicatorsFromWordFile
   version: -1
@@ -25,7 +28,7 @@ timeout: '0'
 type: python
 subtype: python3
 runas: DBotRole
-dockerimage: demisto/office-utils:2.0.0.93886
+dockerimage: demisto/office-utils:2.0.0.107687
 fromversion: 5.0.0
 tests:
 - Extract Indicators From File - Generic v2 - Test

Packs/CommonScripts/Scripts/ParseWordDoc/ParseWordDoc.yml

@@ -6,15 +6,19 @@ comment: Takes an input docx file (entryID) as an input and saves an output text
 script: ''
 type: python
 subtype: python3
-tags: [word, docx, doc, parser]
+tags:
+- word
+- docx
+- doc
+- parser
 enabled: true
 args:
 - name: entryID
   required: true
   default: true
   description: Docx file to parse.
 scripttarget: 0
-dockerimage: demisto/office-utils:2.0.0.93886
+dockerimage: demisto/office-utils:2.0.0.107687
 fromversion: 5.0.0
 tests:
 - ParseWordDoc-Test

Packs/CommonScripts/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Common Scripts",
     "description": "Frequently used scripts pack.",
     "support": "xsoar",
-    "currentVersion": "1.15.49",
+    "currentVersion": "1.15.50",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

Packs/FeedCrowdstrikeFalconIntel/Integrations/CrowdStrikeIndicatorFeed/README.md

@@ -16,7 +16,7 @@ CrowdStrike Falcon Intel Indicator Feed
     | Max. indicators per fetch | Maximum number of indicators per fetch. Value should be between 1 - 10000. A large value may result in a timeout. | False |
     | Malicious confidence | Malicious confidence level to filter by. | False |
     | Include deleted indicators |  | False |
-    | Filter | Advanced: FQL query. For more information visit the CrowdStrike documentation. | False |
+    | Filter | Advanced: FQL query. For more information visit the CrowdStrike documentation. For example: published_date:>"now-3d" can be used to only pull indicators published in the last 3 days. | False |
     | Generic phrase match | Generic phrase match search across all indicator fields. | False |
     | Indicator Reputation | Indicators from this integration instance will be marked with this reputation. | False |
     | Source Reliability | Reliability of the source providing the intelligence data. | True |

Packs/HealthCheck/ReleaseNotes/2_1_2.md

@@ -0,0 +1,7 @@
+
+#### Scripts
+
+##### HealthCheckFields
+
+- Updated the script's war-room description.
+- Updated the Docker image to: *demisto/python3:3.11.9.107902*.

Packs/HealthCheck/Scripts/HealthCheckFields/HealthCheckFields.py

@@ -11,9 +11,9 @@ def find_indexed_longText_fields(fields):
     return found
 
 
-DESCRIPTION = ['Custom fields which useually contains big data are being indexed, consider not to index it']
+DESCRIPTION = ['Custom fields which usually contains big data are being indexed, consider not to index it']
 
-RESOLUTION = ['Navigate to incident field page (Settings > Advanced > Fields), select Field > Edit, '
+RESOLUTION = ['Navigate to incident field page (Settings > Object Setup > Incidents > Incident Fields), select Field > Edit, '
               'and turn off Make data available for search under the Attributes tab its determines if '
               'the values in these fields are available when searching.']
 

Packs/HealthCheck/Scripts/HealthCheckFields/HealthCheckFields.yml

@@ -2,7 +2,7 @@ comment: Parsing custom fields to detect indexed fields for risky field types.
 commonfields:
   id: HealthCheckFields
   version: -1
-dockerimage: demisto/python3:3.10.13.83255
+dockerimage: demisto/python3:3.11.9.107902
 enabled: true
 name: HealthCheckFields
 runas: DBotWeakRole

Packs/HealthCheck/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "System Diagnostics and Health Check",
     "description": "CS Health Check",
     "support": "community",
-    "currentVersion": "2.1.1",
+    "currentVersion": "2.1.2",
     "author": "Cortex XSOAR Customer Success",
     "url": "https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/bd-p/Cortex_XSOAR_Discussions",
     "email": "",

Packs/Office365/ParsingRules/Office365/Office365.xif

@@ -1,19 +1,39 @@
 [INGEST:vendor="msft", product="o365_general", target_dataset="msft_o365_general_raw", no_hit=keep]
-filter to_string(CreationTime) ~= ".*\d{2}:\d{2}:\d{2}.*"
+filter to_string(CreationTime) ~= "UTC|:\d{2}(?:[\.\d]+)?Z"
 | alter
-    _time = CreationTime;
+    tmp_string_CreationTime = to_string(CreationTime)
+| alter
+    tmp_check_format = if(tmp_string_CreationTime ~= "UTC", parse_timestamp("%Y-%m-%d %H:%M:%E*S %Z", tmp_string_CreationTime), tmp_string_CreationTime ~= ":\d{2}(?:[\.\d]+)?Z", parse_timestamp("%Y-%m-%dT%H:%M:%E*SZ", tmp_string_CreationTime))
+| alter
+    _time = tmp_check_format
+| fields -tmp*;
 
 [INGEST:vendor="msft", product="o365_exchange_online", target_dataset="msft_o365_exchange_online_raw", no_hit=keep]
-filter to_string(CreationTime) ~= ".*\d{2}:\d{2}:\d{2}.*"
+filter to_string(CreationTime) ~= "UTC|:\d{2}(?:[\.\d]+)?Z"
+| alter
+    tmp_string_CreationTime = to_string(CreationTime)
+| alter
+    tmp_check_format = if(tmp_string_CreationTime ~= "UTC", parse_timestamp("%Y-%m-%d %H:%M:%E*S %Z", tmp_string_CreationTime), tmp_string_CreationTime ~= ":\d{2}(?:[\.\d]+)?Z", parse_timestamp("%Y-%m-%dT%H:%M:%E*SZ", tmp_string_CreationTime))
 | alter
-    _time = CreationTime;
+    _time = tmp_check_format
+| fields -tmp*;
 
 [INGEST:vendor="msft", product="o365_sharepoint_online", target_dataset="msft_o365_sharepoint_online_raw", no_hit=keep]
-filter to_string(CreationTime) ~= ".*\d{2}:\d{2}:\d{2}.*"
+filter to_string(CreationTime) ~= "UTC|:\d{2}(?:[\.\d]+)?Z"
 | alter
-    _time = CreationTime;
+    tmp_string_CreationTime = to_string(CreationTime)
+| alter
+    tmp_check_format = if(tmp_string_CreationTime ~= "UTC", parse_timestamp("%Y-%m-%d %H:%M:%E*S %Z", tmp_string_CreationTime), tmp_string_CreationTime ~= ":\d{2}(?:[\.\d]+)?Z", parse_timestamp("%Y-%m-%dT%H:%M:%E*SZ", tmp_string_CreationTime))
+| alter
+    _time = tmp_check_format
+| fields -tmp*;
 
 [INGEST:vendor="msft", product="o365_dlp", target_dataset="msft_o365_dlp_raw", no_hit=keep]
-filter to_string(CreationTime) ~= ".*\d{2}:\d{2}:\d{2}.*"
+filter to_string(CreationTime) ~= "UTC|:\d{2}(?:[\.\d]+)?Z"
+| alter
+    tmp_string_CreationTime = to_string(CreationTime)
+| alter
+    tmp_check_format = if(tmp_string_CreationTime ~= "UTC", parse_timestamp("%Y-%m-%d %H:%M:%E*S %Z", tmp_string_CreationTime), tmp_string_CreationTime ~= ":\d{2}(?:[\.\d]+)?Z", parse_timestamp("%Y-%m-%dT%H:%M:%E*SZ", tmp_string_CreationTime))
 | alter
-    _time = CreationTime;
+    _time = tmp_check_format
+| fields -tmp*;

Packs/Office365/README.md

@@ -19,4 +19,10 @@ Timestamp ingestion for Office 365 logs is currently available for the following
 * Exchange Online → `msft_o365_exchange_online_raw`
 * SharePoint Online → `msft_o365_sharepoint_online_raw`
 * DLP → `msft_o365_dlp_raw`
+
+The ingestion is made using the CreationTime field in the following formats:
+* yyyy-mm-ddThh:mm:ssZ
+* yyyy-mm-ddThh:mm:ss.msZ
+* yyyy-mm-dd hh:mm:ss UTC
+* yyyy-mm-dd hh:mm:ss.ms UTC
 </~XSIAM>

Packs/Office365/ReleaseNotes/1_0_4.md

@@ -0,0 +1,6 @@
+
+#### Parsing Rules
+
+##### Office 365 Parsing Rule
+
+Updated the Parsing Rule logic, ingesting specific UTC time formats from the CreationTime field.

Packs/Office365/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Office 365",
     "description": "The product family of productivity and collaboration cloud based softwares owned by Microsoft.",
     "support": "xsoar",
-    "currentVersion": "1.0.3",
+    "currentVersion": "1.0.4",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",