Prisma Cloud Compute custom feeds ip remove (CIAC-11607) (demisto#37032)

Added prisma-cloud-compute-custom-feeds-ip-remove command

Packs/PrismaCloudCompute/Integrations/PaloAltoNetworks_PrismaCloudCompute/PaloAltoNetworks_PrismaCloudCompute.py

@@ -1269,6 +1269,40 @@ def add_custom_ip_feeds(client: PrismaCloudComputeClient, args: dict) -> Command
     return CommandResults(readable_output="Successfully updated the custom IP feeds")
 
 
+def remove_custom_ip_feeds(client: PrismaCloudComputeClient, args: dict) -> CommandResults:
+    """
+    Remove a list of IPs from the system's block list.
+    Implements the command 'prisma-cloud-compute-custom-feeds-ip-remove'
+
+    Args:
+        client (PrismaCloudComputeClient): prisma-cloud-compute client.
+        args (dict): prisma-cloud-compute-custom-feeds-ip-remove command arguments.
+
+    Returns:
+        CommandResults: command-results object.
+    """
+    # Cast to sets for faster operations and to remove duplicates
+    current_ip_feeds = set((client.get_custom_ip_feeds() or {}).get('feed') or [])
+    ips = set(argToList(arg=args.pop('ip')))
+    ips_to_remove = ips & current_ip_feeds
+    ignored_ips = ips - ips_to_remove
+
+    if not ips_to_remove:
+        return CommandResults(readable_output=f'Could not find {ignored_ips} in the custom IP feeds.')
+
+    filtered_feeds = list(current_ip_feeds - ips_to_remove)
+
+    client.add_custom_ip_feeds(feeds=filtered_feeds)
+
+    if ignored_ips:
+        hr = f'''Successfully removed {ips_to_remove} from the custom IP feeds.
+        Could not find {ignored_ips} in the custom IP feeds.'''
+    else:
+        hr = f'Successfully removed {ips_to_remove} from the custom IP feeds'
+
+    return CommandResults(readable_output=hr)
+
+
 def get_custom_malware_feeds(client: PrismaCloudComputeClient, args: dict) -> CommandResults:
     """
     List all custom uploaded md5 malware records.
@@ -2714,6 +2748,8 @@ def main():
             return_results(results=get_profile_host_forensic_list(client=client, args=demisto.args()))
         elif requested_command == 'prisma-cloud-compute-custom-feeds-ip-add':
             return_results(results=add_custom_ip_feeds(client=client, args=demisto.args()))
+        elif requested_command == 'prisma-cloud-compute-custom-feeds-ip-remove':
+            return_results(results=remove_custom_ip_feeds(client=client, args=demisto.args()))
         elif requested_command == 'prisma-cloud-compute-console-version-info':
             return_results(results=get_console_version(client=client))
         elif requested_command == 'prisma-cloud-compute-custom-feeds-ip-list':

Packs/PrismaCloudCompute/Integrations/PaloAltoNetworks_PrismaCloudCompute/PaloAltoNetworks_PrismaCloudCompute.yml

@@ -74,7 +74,7 @@ description: Use the Prisma Cloud Compute integration to fetch incidents from yo
 display: Palo Alto Networks - Prisma Cloud Compute
 name: PaloAltoNetworks_PrismaCloudCompute
 script:
-  dockerimage: demisto/python3:3.10.14.95137
+  dockerimage: demisto/python3:3.11.10.113941
   isfetch: true
   runonce: false
   script: "-"
@@ -754,6 +754,15 @@ script:
       isArray: true
       defaultValue: ""
     outputs: []
+  - name: prisma-cloud-compute-custom-feeds-ip-remove
+    description: Remove a list of IPs from the system's block list.
+    arguments:
+    - name: ip
+      description: A comma-separated list of custom IP addresses to remove from the banned IPs list. For example ip=1.1.1.1,2.2.2.2.
+      required: true
+      isArray: true
+      defaultValue: ""
+    outputs: []
   - name: prisma-cloud-compute-custom-feeds-malware-list
     description: List all custom uploaded md5 malwares.
     arguments:

Packs/PrismaCloudCompute/Integrations/PaloAltoNetworks_PrismaCloudCompute/PaloAltoNetworks_PrismaCloudCompute_test.py

@@ -1854,3 +1854,34 @@ def test_runtime_host_audit_events_command(requests_mock):
     args = {}
 
     assert get_host_audit_list_command(client, args).raw_response == response
+
+
+@pytest.mark.parametrize('initial_ips, ips_arg, expected', [
+    (['1.1.1.1', '2.2.2.2', '3.3.3.3'], '2.2.2.2', ['1.1.1.1', '3.3.3.3']),
+    (['1.1.1.1', '2.2.2.2', '3.3.3.3'], '4.4.4.4, 2.2.2.2', ['1.1.1.1', '3.3.3.3']),
+    (['1.1.1.1', '2.2.2.2', '3.3.3.3'], '1.1.1.1, 2.2.2.2, 3.3.3.3', []),
+    (['1.1.1.1', '2.2.2.2', '3.3.3.3'], '4.4.4.4', None),
+    ([], '1.1.1.1, 2.2.2.2', None),
+])
+def test_remove_custom_ip_feeds(client, requests_mock, initial_ips, ips_arg, expected):
+    """
+    Given:
+        - An app client object.
+        - List of ips to remove.
+    When:
+        - Calling 'prisma-cloud-compute-custom-ip-feeds-remove' command.
+    Then:
+        - Ensure the call to update the feed has the expected ips removed.
+    """
+
+    from PaloAltoNetworks_PrismaCloudCompute import remove_custom_ip_feeds
+
+    requests_mock.get(url=f'{BASE_URL}/feeds/custom/ips', json={'feed': initial_ips})
+    custom_ip_put_mock = requests_mock.put(url=f'{BASE_URL}/feeds/custom/ips')
+
+    remove_custom_ip_feeds(client, args={'ip': ips_arg})
+
+    if expected is None:  # Nothing to remove, api should not be called
+        assert custom_ip_put_mock.called is False
+    else:
+        assert set(custom_ip_put_mock.last_request.json()['feed']) == set(expected)

Packs/PrismaCloudCompute/Integrations/PaloAltoNetworks_PrismaCloudCompute/README.md

@@ -934,6 +934,31 @@ There is no context output for this command.
 #### Human Readable Output
 >Successfully updated the custom IP feeds
 
+### prisma-cloud-compute-custom-feeds-ip-remove
+
+***
+Remove a list of IPs from the system's block list.
+
+#### Base Command
+
+`prisma-cloud-compute-custom-feeds-ip-remove`
+
+#### Input
+
+| **Argument Name** | **Description** | **Required** |
+| --- | --- | --- |
+| ip | A comma-separated list of custom IP addresses to remove from the banned IPs list. For example ip=1.1.1.1,2.2.2.2. | Required | 
+
+#### Context Output
+
+There is no context output for this command.
+#### Command example
+```!prisma-cloud-compute-custom-feeds-ip-remove ip=2.2.2.2,5.6.7.8```
+#### Human Readable Output
+
+>Successfully removed {'2.2.2.2'} from the custom IP feeds.
+>        Could not find {'5.6.7.8'} in the custom IP feeds.
+
 ### prisma-cloud-compute-custom-feeds-malware-list
 ***
 List all custom uploaded md5 malwares.

Packs/PrismaCloudCompute/Integrations/PaloAltoNetworks_PrismaCloudCompute/commands.txt

@@ -6,6 +6,7 @@
 !prisma-cloud-compute-console-version-info
 !prisma-cloud-compute-custom-feeds-ip-list
 !prisma-cloud-compute-custom-feeds-ip-add ip=1.1.1.1,2.2.2.2
+!prisma-cloud-compute-custom-feeds-ip-remove ip=2.2.2.2,5.6.7.8
 !prisma-cloud-compute-custom-feeds-malware-list limit=2
 !prisma-cloud-compute-custom-feeds-malware-add name=test md5=md5_hash1,md5_hash2,md5_hash3
 !cve cve_id=cve-2016-223,cve-2020-3546

Packs/PrismaCloudCompute/ReleaseNotes/1_7_5.md

@@ -0,0 +1,7 @@
+
+#### Integrations
+
+##### Palo Alto Networks - Prisma Cloud Compute
+
+- Added new command `prisma-cloud-compute-custom-feeds-ip-remove`
+- Updated the Docker image to: *demisto/python3:3.11.10.113941*.

Packs/PrismaCloudCompute/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Prisma Cloud Compute by Palo Alto Networks",
     "description": "Use the Prisma Cloud Compute integration to fetch incidents from your Prisma Cloud Compute environment.",
     "support": "xsoar",
-    "currentVersion": "1.7.4",
+    "currentVersion": "1.7.5",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",