From 591479205709e66d1144dd6ded8bd1e34a880766 Mon Sep 17 00:00:00 2001
From: Sapir Malka <44067957+itssapir@users.noreply.github.com>
Date: Tue, 5 Nov 2024 16:51:09 +0200
Subject: [PATCH] Prisma Cloud Compute custom feeds ip remove (CIAC-11607) (#37032)

Added prisma-cloud-compute-custom-feeds-ip-remove command
---
 .../PaloAltoNetworks_PrismaCloudCompute.py | 36 +++++++++++++++++++
 .../PaloAltoNetworks_PrismaCloudCompute.yml | 11 +++++-
 ...aloAltoNetworks_PrismaCloudCompute_test.py | 31 ++++++++++++++++
 .../README.md | 25 +++++++++++++
 .../commands.txt | 1 +
 .../PrismaCloudCompute/ReleaseNotes/1_7_5.md | 7 ++++
 Packs/PrismaCloudCompute/pack_metadata.json | 2 +-
 7 files changed, 111 insertions(+), 2 deletions(-)
 create mode 100644 Packs/PrismaCloudCompute/ReleaseNotes/1_7_5.md

diff --git a/Packs/PrismaCloudCompute/Integrations/PaloAltoNetworks_PrismaCloudCompute/PaloAltoNetworks_PrismaCloudCompute.py b/Packs/PrismaCloudCompute/Integrations/PaloAltoNetworks_PrismaCloudCompute/PaloAltoNetworks_PrismaCloudCompute.py
index c08daf87fe53..0bb882c94144 100644
--- a/Packs/PrismaCloudCompute/Integrations/PaloAltoNetworks_PrismaCloudCompute/PaloAltoNetworks_PrismaCloudCompute.py
+++ b/Packs/PrismaCloudCompute/Integrations/PaloAltoNetworks_PrismaCloudCompute/PaloAltoNetworks_PrismaCloudCompute.py
@@ -1269,6 +1269,40 @@ def add_custom_ip_feeds(client: PrismaCloudComputeClient, args: dict) -> Command
 return CommandResults(readable_output="Successfully updated the custom IP feeds")


+def remove_custom_ip_feeds(client: PrismaCloudComputeClient, args: dict) -> CommandResults:
+ """
+ Remove a list of IPs from the system's block list.
+ Implements the command 'prisma-cloud-compute-custom-feeds-ip-remove'
+
+ Args:
+ client (PrismaCloudComputeClient): prisma-cloud-compute client.
+ args (dict): prisma-cloud-compute-custom-feeds-ip-remove command arguments.
+
+ Returns:
+ CommandResults: command-results object.
+ """
+ # Cast to sets for faster operations and to remove duplicates
+ current_ip_feeds = set((client.get_custom_ip_feeds() or {}).get('feed') or [])
+ ips = set(argToList(arg=args.pop('ip')))
+ ips_to_remove = ips & current_ip_feeds
+ ignored_ips = ips - ips_to_remove
+
+ if not ips_to_remove:
+ return CommandResults(readable_output=f'Could not find {ignored_ips} in the custom IP feeds.')
+
+ filtered_feeds = list(current_ip_feeds - ips_to_remove)
+
+ client.add_custom_ip_feeds(feeds=filtered_feeds)
+
+ if ignored_ips:
+ hr = f'''Successfully removed {ips_to_remove} from the custom IP feeds.
+ Could not find {ignored_ips} in the custom IP feeds.'''
+ else:
+ hr = f'Successfully removed {ips_to_remove} from the custom IP feeds'
+
+ return CommandResults(readable_output=hr)
+
+
 def get_custom_malware_feeds(client: PrismaCloudComputeClient, args: dict) -> CommandResults:
 """
 List all custom uploaded md5 malware records.
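Review bot: The readable output of the new `remove_custom_ip_feeds` interpolates Python sets directly (`{ips_to_remove}`, `{ignored_ips}`), so the War Room shows set braces (`{'2.2.2.2'}`, as the README example confirms) in an order that is not stable between runs, and the triple-quoted f-string carries its source indentation into the second line of the message; the early-return `Could not find {ignored_ips} …` message has the same problem and can become `return CommandResults(readable_output=f"Could not find {', '.join(sorted(ignored_ips))} in the custom IP feeds.")`. Formatting each set as a sorted, comma-joined string fixes both, and since this command shrinks a block list, an unambiguous record of exactly which IPs were removed matters. Judging by the PUT the accompanying test mocks, `client.add_custom_ip_feeds` appears to replace the whole feed, so the function is a read-modify-write whose window between the GET and the PUT silently drops any concurrent change; a comment such as `# NOTE: rewrites the entire feed; entries added between the GET and the PUT are overwritten` would make that visible to the next maintainer. `args.pop('ip')` also mutates the caller's `demisto.args()` dict where `args['ip']` would do.
```python
    removed = ', '.join(sorted(ips_to_remove))
    hr = f'Successfully removed {removed} from the custom IP feeds.'
    if ignored_ips:
        ignored = ', '.join(sorted(ignored_ips))
        hr += f'\nCould not find {ignored} in the custom IP feeds.'
    # … unchanged: return CommandResults(readable_output=hr) …
```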
@@ -2714,6 +2748,8 @@ def main():
 return_results(results=get_profile_host_forensic_list(client=client, args=demisto.args()))
 elif requested_command == 'prisma-cloud-compute-custom-feeds-ip-add':
 return_results(results=add_custom_ip_feeds(client=client, args=demisto.args()))
+ elif requested_command == 'prisma-cloud-compute-custom-feeds-ip-remove':
+ return_results(results=remove_custom_ip_feeds(client=client, args=demisto.args()))
 elif requested_command == 'prisma-cloud-compute-console-version-info':
 return_results(results=get_console_version(client=client))
 elif requested_command == 'prisma-cloud-compute-custom-feeds-ip-list':
diff --git a/Packs/PrismaCloudCompute/Integrations/PaloAltoNetworks_PrismaCloudCompute/PaloAltoNetworks_PrismaCloudCompute.yml b/Packs/PrismaCloudCompute/Integrations/PaloAltoNetworks_PrismaCloudCompute/PaloAltoNetworks_PrismaCloudCompute.yml
index 99bab4990bb5..e7018efb2cf5 100644
--- a/Packs/PrismaCloudCompute/Integrations/PaloAltoNetworks_PrismaCloudCompute/PaloAltoNetworks_PrismaCloudCompute.yml
+++ b/Packs/PrismaCloudCompute/Integrations/PaloAltoNetworks_PrismaCloudCompute/PaloAltoNetworks_PrismaCloudCompute.yml
@@ -74,7 +74,7 @@ description: Use the Prisma Cloud Compute integration to fetch incidents from yo
 display: Palo Alto Networks - Prisma Cloud Compute
 name: PaloAltoNetworks_PrismaCloudCompute
 script:
- dockerimage: demisto/python3:3.10.14.95137
+ dockerimage: demisto/python3:3.11.10.113941
 isfetch: true
 runonce: false
 script: "-"
@@ -754,6 +754,15 @@ script:
 isArray: true
 defaultValue: ""
 outputs: []
+ - name: prisma-cloud-compute-custom-feeds-ip-remove
+ description: Remove a list of IPs from the system's block list.
+ arguments:
+ - name: ip
+ description: A comma-separated list of custom IP addresses to remove from the banned IPs list. For example ip=1.1.1.1,2.2.2.2.
+ required: true
+ isArray: true
+ defaultValue: ""
+ outputs: []
 - name: prisma-cloud-compute-custom-feeds-malware-list
 description: List all custom uploaded md5 malwares.
 arguments:
diff --git a/Packs/PrismaCloudCompute/Integrations/PaloAltoNetworks_PrismaCloudCompute/PaloAltoNetworks_PrismaCloudCompute_test.py b/Packs/PrismaCloudCompute/Integrations/PaloAltoNetworks_PrismaCloudCompute/PaloAltoNetworks_PrismaCloudCompute_test.py
index 2cde316f190c..2b55d77d0dfc 100644
--- a/Packs/PrismaCloudCompute/Integrations/PaloAltoNetworks_PrismaCloudCompute/PaloAltoNetworks_PrismaCloudCompute_test.py
+++ b/Packs/PrismaCloudCompute/Integrations/PaloAltoNetworks_PrismaCloudCompute/PaloAltoNetworks_PrismaCloudCompute_test.py
@@ -1854,3 +1854,34 @@ def test_runtime_host_audit_events_command(requests_mock):
 args = {}
 assert get_host_audit_list_command(client, args).raw_response == response
+
+
+@pytest.mark.parametrize('initial_ips, ips_arg, expected', [
+ (['1.1.1.1', '2.2.2.2', '3.3.3.3'], '2.2.2.2', ['1.1.1.1', '3.3.3.3']),
+ (['1.1.1.1', '2.2.2.2', '3.3.3.3'], '4.4.4.4, 2.2.2.2', ['1.1.1.1', '3.3.3.3']),
+ (['1.1.1.1', '2.2.2.2', '3.3.3.3'], '1.1.1.1, 2.2.2.2, 3.3.3.3', []),
+ (['1.1.1.1', '2.2.2.2', '3.3.3.3'], '4.4.4.4', None),
+ ([], '1.1.1.1, 2.2.2.2', None),
+])
+def test_remove_custom_ip_feeds(client, requests_mock, initial_ips, ips_arg, expected):
+ """
+ Given:
+ - An app client object.
+ - List of ips to remove.
+ When:
+ - Calling 'prisma-cloud-compute-custom-ip-feeds-remove' command.
+ Then:
+ - Ensure the call to update the feed has the expected ips removed.
+ """
+
+ from PaloAltoNetworks_PrismaCloudCompute import remove_custom_ip_feeds
+
+ requests_mock.get(url=f'{BASE_URL}/feeds/custom/ips', json={'feed': initial_ips})
+ custom_ip_put_mock = requests_mock.put(url=f'{BASE_URL}/feeds/custom/ips')
+
+ remove_custom_ip_feeds(client, args={'ip': ips_arg})
+
+ if expected is None: # Nothing to remove, api should not be called
+ assert custom_ip_put_mock.called is False
+ else:
+ assert set(custom_ip_put_mock.last_request.json()['feed']) == set(expected)
diff --git a/Packs/PrismaCloudCompute/Integrations/PaloAltoNetworks_PrismaCloudCompute/README.md b/Packs/PrismaCloudCompute/Integrations/PaloAltoNetworks_PrismaCloudCompute/README.md
index fb4678f19d8a..c0931a873fdd 100644
--- a/Packs/PrismaCloudCompute/Integrations/PaloAltoNetworks_PrismaCloudCompute/README.md
+++ b/Packs/PrismaCloudCompute/Integrations/PaloAltoNetworks_PrismaCloudCompute/README.md
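Review bot: The docstring of `test_remove_custom_ip_feeds` names the command `'prisma-cloud-compute-custom-ip-feeds-remove'`, but the command wired in `main()` and declared in the YAML is `prisma-cloud-compute-custom-feeds-ip-remove`; the When: line should carry the real name. The parametrized cases only check whether the PUT fired and what body it carried, so the readable output — which IPs were reported as removed versus not found — is never asserted and a regression in those messages would pass unnoticed; keeping the return value, `result = remove_custom_ip_feeds(client, args={'ip': ips_arg})`, and asserting on `result.readable_output` for the mixed `'4.4.4.4, 2.2.2.2'` case and the not-found cases would close that gap. The mixed case also appears to rely on `argToList` stripping the space after the comma; a short comment on that expectation would help a reader who does not know the helper.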
@@ -934,6 +934,31 @@ There is no context output for this command.
 #### Human Readable Output
 >Successfully updated the custom IP feeds
+### prisma-cloud-compute-custom-feeds-ip-remove
+
+***
+Remove a list of IPs from the system's block list.
+
+#### Base Command
+
+`prisma-cloud-compute-custom-feeds-ip-remove`
+
+#### Input
+
+| **Argument Name** | **Description** | **Required** |
+| --- | --- | --- |
+| ip | A comma-separated list of custom IP addresses to remove from the banned IPs list. For example ip=1.1.1.1,2.2.2.2. | Required |
+
+#### Context Output
+
+There is no context output for this command.
+#### Command example
+```!prisma-cloud-compute-custom-feeds-ip-remove ip=2.2.2.2,5.6.7.8```
+#### Human Readable Output
+
+>Successfully removed {'2.2.2.2'} from the custom IP feeds.
+> Could not find {'5.6.7.8'} in the custom IP feeds.
+
 ### prisma-cloud-compute-custom-feeds-malware-list
 ***
 List all custom uploaded md5 malwares.
diff --git a/Packs/PrismaCloudCompute/Integrations/PaloAltoNetworks_PrismaCloudCompute/commands.txt b/Packs/PrismaCloudCompute/Integrations/PaloAltoNetworks_PrismaCloudCompute/commands.txt
index b87a18ff8291..13712ea4cc71 100644
--- a/Packs/PrismaCloudCompute/Integrations/PaloAltoNetworks_PrismaCloudCompute/commands.txt
+++ b/Packs/PrismaCloudCompute/Integrations/PaloAltoNetworks_PrismaCloudCompute/commands.txt
@@ -6,6 +6,7 @@
 !prisma-cloud-compute-console-version-info
 !prisma-cloud-compute-custom-feeds-ip-list
 !prisma-cloud-compute-custom-feeds-ip-add ip=1.1.1.1,2.2.2.2
+!prisma-cloud-compute-custom-feeds-ip-remove ip=2.2.2.2,5.6.7.8
 !prisma-cloud-compute-custom-feeds-malware-list limit=2
 !prisma-cloud-compute-custom-feeds-malware-add name=test md5=md5_hash1,md5_hash2,md5_hash3
 !cve cve_id=cve-2016-223,cve-2020-3546
diff --git a/Packs/PrismaCloudCompute/ReleaseNotes/1_7_5.md b/Packs/PrismaCloudCompute/ReleaseNotes/1_7_5.md
new file mode 100644
index 000000000000..754caa360b15
--- /dev/null
+++ b/Packs/PrismaCloudCompute/ReleaseNotes/1_7_5.md
@@ -0,0 +1,7 @@
+
+#### Integrations
+
+##### Palo Alto Networks - Prisma Cloud Compute
+
+- Added new command `prisma-cloud-compute-custom-feeds-ip-remove`
+- Updated the Docker image to: *demisto/python3:3.11.10.113941*.
diff --git a/Packs/PrismaCloudCompute/pack_metadata.json b/Packs/PrismaCloudCompute/pack_metadata.json
index 7a5c40439ed7..e40ec010c922 100644
--- a/Packs/PrismaCloudCompute/pack_metadata.json
+++ b/Packs/PrismaCloudCompute/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Prisma Cloud Compute by Palo Alto Networks",
 "description": "Use the Prisma Cloud Compute integration to fetch incidents from your Prisma Cloud Compute environment.",
 "support": "xsoar",
- "currentVersion": "1.7.4",
+ "currentVersion": "1.7.5",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",