Add scripts

Packs/SekoiaXDR/Scripts/SekoiaXDRAddComment/add_comment.py

@@ -0,0 +1,27 @@
+import demistomock as demisto  # noqa: F401
+from CommonServerPython import *  # noqa: F401
+
+
+def main():
+
+    alert_short_id = demisto.args().get("short_id")
+    comment = demisto.args().get("comment")
+
+    user = execute_command("getUsers", {"current": "true"})[0]["name"]
+    execute_command(
+        "sekoia-xdr-post-comment-alert",
+        {"id": alert_short_id, "comment": comment, "author": user},
+    )
+
+    readable_output = f"### Comment added by {user}:\n {comment}"
+    demisto.results(
+        {
+            "ContentsFormat": formats["markdown"],
+            "Type": entryTypes["note"],
+            "Contents": readable_output,
+        }
+    )
+
+
+if __name__ in ["__main__", "builtin", "builtins"]:
+    main()

Packs/SekoiaXDR/Scripts/SekoiaXDRAddComment/add_comment.yml

@@ -0,0 +1,26 @@
+commonfields:
+  id: c82c5535-89e8-48a6-829b-05929bd88f8e
+  version: 5
+vcShouldKeepItemLegacyProdMachine: false
+name: script-SekoiaXDRAddComment
+script: ''
+type: python
+tags:
+- incident-action-button
+comment: Script to add a comment to an alert in Sekoia, including the name of the person who made the comment.
+enabled: true
+args:
+- name: short_id
+  required: true
+  description: The short ID of the alert.
+- name: comment
+  required: true
+  description: The comment you want to send to an alert.
+scripttarget: 0
+subtype: python3
+pswd: ''
+runonce: false
+dockerimage: demisto/python3:3.10.14.97374
+runas: DBotWeakRole
+engineinfo: {}
+mainengineinfo: {}

Packs/SekoiaXDR/Scripts/SekoiaXDRChangeStatus/SekoiaXDRChangeStatus.py

@@ -0,0 +1,49 @@
+import demistomock as demisto  # noqa: F401
+from CommonServerPython import *  # noqa: F401
+
+
+def main():
+    incident = demisto.incidents()[0]  # type: ignore
+    isMirrorEnable = incident.get("dbotMirrorDirection")
+    alert_short_id = demisto.args().get("short_id")
+    new_status = demisto.args().get("status")
+    comment = demisto.args().get("comment")
+
+    if new_status in ["Ongoing", "Acknowledged"]:
+        if comment:
+            user = execute_command("getUsers", {"current": "true"})[0]["name"]  # type: ignore
+            execute_command(
+                "sekoia-xdr-post-comment-alert",
+                {"id": alert_short_id, "comment": comment, "author": user},
+            )
+        if isMirrorEnable in ["Out", "Both"]:
+            execute_command("setIncident", {"sekoiaalertstatus": new_status})
+        elif isMirrorEnable == "In":
+            execute_command(
+                "sekoia-xdr-update-status-alert",
+                {"id": alert_short_id, "status": new_status},
+            )
+        else:
+            execute_command(
+                "sekoia-xdr-update-status-alert",
+                {"id": alert_short_id, "status": new_status},
+            )
+            execute_command("setIncident", {"sekoiaalertstatus": new_status})
+        readable_output = f"### Status of the alert changed to:\n {new_status}"
+        demisto.results(
+            {
+                "ContentsFormat": formats["markdown"],
+                "Type": entryTypes["note"],
+                "Contents": readable_output,
+            }
+        )
+    else:
+        raise Exception(
+            "Sorry, the alert was not possible to be changed to that status.\n \
+            If you want to reject or close the Sekoia Alert please do it \
+            by closing the XSOAR incident with the XSOAR close incident button."
+        )
+
+
+if __name__ in ["__main__", "builtin", "builtins"]:
+    main()

Packs/SekoiaXDR/Scripts/SekoiaXDRChangeStatus/SekoiaXDRChangeStatus.yml

@@ -0,0 +1,32 @@
+commonfields:
+  id: b4e28711-18ee-4ae4-8ccb-1c5f647b55f1
+  version: 4
+vcShouldKeepItemLegacyProdMachine: false
+name: script-SekoiaXDRChangeStatus
+script: ''
+type: python
+tags:
+- incident-action-button
+comment: This script changes the status of the Sekoia alert.
+enabled: true
+args:
+- name: short_id
+  required: true
+  description: The short ID of the alert.
+- name: status
+  required: true
+  auto: PREDEFINED
+  predefined:
+  - Ongoing
+  - Acknowledged
+  description: Status to change on the Sekoia alert.
+- name: comment
+  description: The comment to add to the alert on the status change.
+scripttarget: 0
+subtype: python3
+pswd: ''
+runonce: false
+dockerimage: demisto/python3:3.10.9.46032
+runas: DBotWeakRole
+engineinfo: {}
+mainengineinfo: {}

Packs/SekoiaXDR/Scripts/SekoiaXDRCloseAlert/SekoiaXDRCloseAlert.py

@@ -0,0 +1,44 @@
+import demistomock as demisto  # noqa: F401
+from CommonServerPython import *  # noqa: F401
+
+incident = demisto.incidents()[0]  # type: ignore
+isMirrorEnable = incident.get("dbotMirrorDirection")
+alert_short_id = incident.get("CustomFields", {}).get("alertid")
+reject = demisto.getArg("sekoiaalertreject")
+close_reason = demisto.getArg("closeReason")
+close_notes = demisto.getArg("closeNotes")
+owner = demisto.getArg("owner")
+username = demisto.getArg("closingUserId")
+
+# Check if the owner is set when closing the incident otherwise raise an error.
+if not owner or owner == "Assign owner" or not incident.get("owner"):
+    raise Exception(
+        "**** Please select a owner, the incident can't be closed without an owner. ****"
+    )
+
+# Check if the Sekoia Alert is closed and if not then make a comment and close it
+get_alert = execute_command("sekoia-xdr-get-alert", {"id": alert_short_id})
+alert_status = get_alert["status"]["name"]  # type: ignore
+if alert_status not in ["Closed", "Rejected"]:
+    # Check if the mirror Out or Both is enabled in which case the sekoiaalertstatus
+    # field will be changed and in the period of 1 minute the mirror out will send the changes to Sekoia XDR.
+    if isMirrorEnable in ["Out", "Both"]:
+        # IF reject is False then close the sekoia alert and if reject is True then reject the sekoia alert.
+        if reject == "false":
+            execute_command("setIncident", {"sekoiaalertstatus": "Closed"})
+        if reject == "true":
+            execute_command("setIncident", {"sekoiaalertstatus": "Rejected"})
+
+    # Send the close reason and notes as a comment to the Sekoia XDR alert using the name of the person who closed the incident.
+    user = execute_command("getUserByUsername", {"username": username})
+    comment = execute_command(
+        "sekoia-xdr-post-comment-alert",
+        {
+            "id": alert_short_id,
+            "comment": f"{close_reason}-{close_notes}",
+            "author": user["name"],  # type: ignore
+        },
+    )
+else:
+    # If the alert is already closed or rejected then raise an error.
+    raise Exception("**** The alert is already closed or rejected. ****")

Packs/SekoiaXDR/Scripts/SekoiaXDRCloseAlert/SekoiaXDRCloseAlert.yml

@@ -0,0 +1,19 @@
+commonfields:
+  id: 0fa7a002-c00c-45c8-80ab-a7ebcfaa11f7
+  version: 10
+vcShouldKeepItemLegacyProdMachine: false
+name: postScript-CloseSekoiaAlert
+script: ''
+type: python
+tags:
+- post-processing
+comment: Post-processing script to close Sekoia Alert after the XSOAR incident is closed.
+enabled: true
+scripttarget: 0
+subtype: python3
+pswd: ''
+runonce: false
+dockerimage: demisto/python3:3.10.14.97374
+runas: DBotWeakRole
+engineinfo: {}
+mainengineinfo: {}

Packs/SekoiaXDR/Scripts/SekoiaXDRPrintAssets/SekoiaXDRPrintAssets.py

@@ -0,0 +1,41 @@
+import demistomock as demisto  # noqa: F401
+from CommonServerPython import *  # noqa: F401
+
+
+def main():
+    incident = demisto.incident()
+    alert_uuid = incident.get("CustomFields", {}).get("alertuuid")
+    readable_output = (
+        "### {{color:green}}(There is no case information related to this alert.)"
+    )
+
+    try:
+        alert_infos = execute_command("sekoia-xdr-get-alert", {"id": alert_uuid})
+    except Exception as e:
+        return_error(f"Failed to get alert information: {str(e)}")
+
+    assets_infos = []
+    assets_ids = alert_infos.get("assets")  # type: ignore
+    if assets_ids:
+        for asset in assets_ids:
+            asset_infos = execute_command("sekoia-xdr-get-asset", {"asset_uuid": asset})
+            asset_dict = {
+                "name": asset_infos["name"],  # type: ignore
+                "description": asset_infos["description"],  # type: ignore
+            }
+            assets_infos.append(asset_dict)
+
+        headers = ["name", "description"]
+        readable_output = tableToMarkdown(
+            "Impacted assets:", assets_infos, headers=headers
+        )
+
+    command_results = CommandResults(readable_output=readable_output)
+
+    return_results(command_results)
+
+
+""" ENTRY POINT """
+
+if __name__ in ("__main__", "__builtin__", "builtins"):
+    main()

Packs/SekoiaXDR/Scripts/SekoiaXDRPrintAssets/SekoiaXDRPrintAssets.yml

@@ -0,0 +1,19 @@
+commonfields:
+  id: 13fe424a-a6dd-4b0a-8c60-7701d82a0ebc
+  version: 22
+vcShouldKeepItemLegacyProdMachine: false
+name: SekoiaXDRPrintAssets
+script: ''
+type: python
+tags:
+- dynamic-section
+comment: Print all assets by incident
+enabled: true
+scripttarget: 0
+subtype: python3
+pswd: ''
+runonce: false
+dockerimage: demisto/python3:3.10.14.97374
+runas: DBotWeakRole
+engineinfo: {}
+mainengineinfo: {}

Packs/SekoiaXDR/Scripts/SekoiaXDRPrintCase/SekoiaXDRPrintCase.py

@@ -0,0 +1,37 @@
+import demistomock as demisto  # noqa: F401
+from CommonServerPython import *  # noqa: F401
+
+
+def main():
+    incident = demisto.incident()
+    alert_uuid = incident.get("CustomFields", {}).get("alertuuid")
+    readable_output = (
+        "### {{color:green}}(There is no case information related to this alert.)"
+    )
+
+    try:
+        cases = execute_command("sekoia-xdr-get-cases-alert", {"alert_id": alert_uuid})
+    except Exception as e:
+        return_error(f"Failed to get case information: {str(e)}")
+
+    if cases:
+        for case in cases:
+            case_title = case["title"]  # type: ignore
+            case_description = case["description"]  # type: ignore
+            case_id = case["short_id"]  # type: ignore
+            case_status = case["status"]  # type: ignore
+            case_priority = case["priority"]  # type: ignore
+            alerts = [alert["short_id"] for alert in case["alerts"]]  # type: ignore
+
+        readable_output = f"### Case {case_id}:\n|Case title:|Case description:|Case status:\
+            |Case priority:|Related Alerts:|\n|---|---|---|---|---|\n| \
+            {case_title} | {case_description} | {case_status.capitalize()} | {case_priority.capitalize()} | {', '.join(alerts)}"
+
+    command_results = CommandResults(readable_output=readable_output)
+    return_results(command_results)
+
+
+""" ENTRY POINT """
+
+if __name__ in ("__main__", "__builtin__", "builtins"):
+    main()

Packs/SekoiaXDR/Scripts/SekoiaXDRPrintCase/SekoiaXDRPrintCase.yml

@@ -0,0 +1,19 @@
+commonfields:
+  id: 37b383c0-16a2-4962-8f46-7245f8e187a0
+  version: 16
+vcShouldKeepItemLegacyProdMachine: false
+name: script-SekoiaXDRPrintCase
+script: ''
+type: python
+tags:
+- dynamic-section
+comment: Prints case details from the Sekoia alert.
+enabled: true
+scripttarget: 0
+subtype: python3
+pswd: ''
+runonce: false
+dockerimage: demisto/python3:3.10.14.97374
+runas: DBotWeakRole
+engineinfo: {}
+mainengineinfo: {}

Packs/SekoiaXDR/Scripts/SekoiaXDRPrintComments/SekoiaXDRPrintComments.py

@@ -0,0 +1,40 @@
+import demistomock as demisto  # noqa: F401
+from CommonServerPython import *  # noqa: F401
+
+
+def main():
+
+    incident = demisto.incident()
+    alert_short_id = incident.get("CustomFields", {}).get("alertid")
+    readable_output = (
+        "### Comments:\n ### {{color:green}}(There is no comments in this alert.)"
+    )
+
+    try:
+        comments = execute_command("sekoia-xdr-get-comments", {"id": alert_short_id})
+    except Exception as e:
+        return_error(f"Failed to get comments: {str(e)}")
+
+    if len(comments) > 0:  # type: ignore
+        readable_comment = []
+        for comment in comments:  # type: ignore
+            new_item = {
+                "date": comment["date"],  # type: ignore
+                "comment": comment["content"],  # type: ignore
+                "user": comment["user"],  # type: ignore
+            }
+            readable_comment.append(new_item)
+
+        headers = ["date", "comment", "user"]
+        readable_output = tableToMarkdown(
+            "Comments:", readable_comment, headers=headers
+        )
+
+    command_results = CommandResults(readable_output=readable_output)
+    return_results(command_results)
+
+
+""" ENTRY POINT """
+
+if __name__ in ("__main__", "__builtin__", "builtins"):
+    main()

Packs/SekoiaXDR/Scripts/SekoiaXDRPrintComments/SekoiaXDRPrintComments.yml

@@ -0,0 +1,19 @@
+commonfields:
+  id: 146130dc-9f3a-41e9-8a81-fbea9b933d0c
+  version: 12
+vcShouldKeepItemLegacyProdMachine: false
+name: script-SekoiaXDRPrintComments
+script: ''
+type: python
+tags:
+- dynamic-section
+comment: Prints the comments fetched from the Sekoia alert in a table format.
+enabled: true
+scripttarget: 0
+subtype: python3
+pswd: ''
+runonce: false
+dockerimage: demisto/python3:3.10.14.97374
+runas: DBotWeakRole
+engineinfo: {}
+mainengineinfo: {}