Modify: Script part

Packs/SekoiaXDR/Scripts/SekoiaXDRAddComment/README.md

@@ -0,0 +1,25 @@
+Script to add a comment to an alert in Sekoia, including the name of the person who made the comment.
+
+## Script Data
+
+---
+
+| **Name** | **Description** |
+| --- | --- |
+| Script Type | python3 |
+| Tags | incident-action-button |
+| Cortex XSOAR Version | 6.10.0 |
+
+## Inputs
+
+---
+
+| **Argument Name** | **Description** |
+| --- | --- |
+| short_id | The short ID of the alert. |
+| comment | The comment you want to send to an alert. |
+
+## Outputs
+
+---
+There are no outputs for this script.

Packs/SekoiaXDR/Scripts/SekoiaXDRAddComment/SekoiaXDRAddComment.py

@@ -2,25 +2,34 @@
 from CommonServerPython import *  # noqa: F401
 
 
-def main():
+def get_username():
+    get_users = execute_command("getUsers", {"current": "true"})
+    username = get_users[0]["name"]  # type: ignore
+    return username
 
-    alert_short_id = demisto.args().get("short_id")
-    comment = demisto.args().get("comment")
 
-    user = execute_command("getUsers", {"current": "true"})[0]["name"]  # type: ignore
-    execute_command(
-        "sekoia-xdr-post-comment-alert",
-        {"id": alert_short_id, "comment": comment, "author": user},
-    )
+def post_comment(alert_short_id: str, comment: Optional[str], author: str):
+    try:
+        execute_command(
+            "sekoia-xdr-post-comment-alert",
+            {"id": alert_short_id, "comment": comment, "author": author},
+        )
+    except Exception as e:
+        return_error(
+            f"Failed to post comment for alert with id {alert_short_id} : {str(e)}"
+        )
 
+
+def main():
+    alert_short_id = demisto.args()["short_id"]
+    comment = demisto.args().get("comment")
+
+    user = get_username()
+    post_comment(alert_short_id, comment, user)
     readable_output = f"### Comment added by {user}:\n {comment}"
-    demisto.results(
-        {
-            "ContentsFormat": formats["markdown"],
-            "Type": entryTypes["note"],
-            "Contents": readable_output,
-        }
-    )
+
+    command_results = CommandResults(readable_output=readable_output)
+    return_results(command_results)
 
 
 if __name__ in ["__main__", "builtin", "builtins"]:

Packs/SekoiaXDR/Scripts/SekoiaXDRAddComment/SekoiaXDRAddComment_test.py

@@ -0,0 +1,18 @@
+import demistomock as demisto
+from SekoiaXDRAddComment import get_username, post_comment  # type: ignore
+
+
+def test_get_username(mocker):
+    output_data = [
+        {"Type": 3, "Contents": [{"name": "admin", "PrettyRoles": "Administrator"}]}
+    ]
+    mocker.patch.object(demisto, "executeCommand", return_value=output_data)
+    assert get_username() == "admin"
+
+
+def test_post_comment(mocker):
+    output_data = [
+        {"Type": 3, "Contents": [{"id": "1", "comment": "test", "author": "admin"}]}
+    ]
+    mocker.patch.object(demisto, "executeCommand", return_value=output_data)
+    assert not post_comment("1", "test", "admin")

Packs/SekoiaXDR/Scripts/SekoiaXDRChangeStatus/README.md

@@ -0,0 +1,26 @@
+This script changes the status of the Sekoia alert.
+
+## Script Data
+
+---
+
+| **Name** | **Description** |
+| --- | --- |
+| Script Type | python3 |
+| Tags | incident-action-button |
+| Cortex XSOAR Version | 6.10.0 |
+
+## Inputs
+
+---
+
+| **Argument Name** | **Description** |
+| --- | --- |
+| short_id | The short ID of the alert. |
+| status | Status to change on the Sekoia alert. |
+| comment | The comment to add to the alert on the status change. |
+
+## Outputs
+
+---
+There are no outputs for this script.

Packs/SekoiaXDR/Scripts/SekoiaXDRChangeStatus/SekoiaXDRChangeStatus.py

@@ -2,35 +2,53 @@
 from CommonServerPython import *  # noqa: F401
 
 
+def get_username():
+    get_users = execute_command("getUsers", {"current": "true"})
+    username = get_users[0]["name"]  # type: ignore
+    return username
+
+
+def post_comment(alert_short_id: str, comment: Optional[str], author: str):
+    try:
+        execute_command(
+            "sekoia-xdr-post-comment-alert",
+            {"id": alert_short_id, "comment": comment, "author": author},
+        )
+    except Exception as e:
+        return_error(
+            f"Failed to post comment for alert with id {alert_short_id} : {str(e)}"
+        )
+
+
+def update_status(MirrorEnable: str, alert_short_id: str, new_status: str):
+    if MirrorEnable in ["Out", "Both"]:
+        execute_command("setIncident", {"sekoiaalertstatus": new_status})
+    elif MirrorEnable == "In":
+        execute_command(
+            "sekoia-xdr-update-status-alert",
+            {"id": alert_short_id, "status": new_status},
+        )
+    else:
+        execute_command(
+            "sekoia-xdr-update-status-alert",
+            {"id": alert_short_id, "status": new_status},
+        )
+        execute_command("setIncident", {"sekoiaalertstatus": new_status})
+
+
 def main():
     incident = demisto.incidents()[0]  # type: ignore
     isMirrorEnable = incident.get("dbotMirrorDirection")
-    alert_short_id = demisto.args().get("short_id")
-    new_status = demisto.args().get("status")
+    alert_short_id = demisto.args()["short_id"]
+    new_status = demisto.args()["status"]
     comment = demisto.args().get("comment")
 
     if new_status in ["Ongoing", "Acknowledged"]:
         if comment:
-            user = execute_command("getUsers", {"current": "true"})[0]["name"]  # type: ignore
-            execute_command(
-                "sekoia-xdr-post-comment-alert",
-                {"id": alert_short_id, "comment": comment, "author": user},
-            )
-        if isMirrorEnable in ["Out", "Both"]:
-            execute_command("setIncident", {"sekoiaalertstatus": new_status})
-        elif isMirrorEnable == "In":
-            execute_command(
-                "sekoia-xdr-update-status-alert",
-                {"id": alert_short_id, "status": new_status},
-            )
-        else:
-            execute_command(
-                "sekoia-xdr-update-status-alert",
-                {"id": alert_short_id, "status": new_status},
-            )
-            execute_command("setIncident", {"sekoiaalertstatus": new_status})
+            post_comment(alert_short_id, comment, get_username())
+        update_status(isMirrorEnable, alert_short_id, new_status)
         readable_output = f"### Status of the alert changed to:\n {new_status}"
-        demisto.results(
+        return_results(
             {
                 "ContentsFormat": formats["markdown"],
                 "Type": entryTypes["note"],
@@ -39,9 +57,8 @@ def main():
         )
     else:
         raise Exception(
-            "Sorry, the alert was not possible to be changed to that status.\n \
-            If you want to reject or close the Sekoia Alert please do it \
-            by closing the XSOAR incident with the XSOAR close incident button."
+            f"Alert {alert_short_id} could not be changed to that status. \
+                Please reject or close the Sekoia Alert by closing the XSOAR incident using the XSOAR close incident button."
         )
 
 

Packs/SekoiaXDR/Scripts/SekoiaXDRChangeStatus/SekoiaXDRChangeStatus_test.py

@@ -0,0 +1,28 @@
+import demistomock as demisto
+from SekoiaXDRChangeStatus import get_username, main  # type: ignore
+
+
+def test_get_username(mocker):
+    output_data = [
+        {"Type": 3, "Contents": [{"name": "admin", "PrettyRoles": "Administrator"}]}
+    ]
+    mocker.patch.object(demisto, "executeCommand", return_value=output_data)
+    assert get_username() == "admin"
+
+
+def test_main(mocker):
+    mocker.patch.object(
+        demisto, "incidents", return_value=[{"dbotMirrorDirection": "In"}]
+    )
+    mocker.patch.object(
+        demisto,
+        "args",
+        return_value={"short_id": "1", "status": "Ongoing", "comment": "test"},
+    )
+    mocker.patch.object(demisto, "results")
+    mocker.patch("SekoiaXDRChangeStatus.get_username", return_value="admin")
+    main()
+    assert (
+        demisto.results.call_args[0][0]["Contents"]
+        == "### Status of the alert changed to:\n Ongoing"
+    )

Packs/SekoiaXDR/Scripts/SekoiaXDRCloseAlert/README.md

@@ -0,0 +1,21 @@
+Post-processing script to close Sekoia Alert after the XSOAR incident is closed.
+
+## Script Data
+
+---
+
+| **Name** | **Description** |
+| --- | --- |
+| Script Type | python3 |
+| Tags | post-processing |
+| Cortex XSOAR Version | 6.10.0 |
+
+## Inputs
+
+---
+There are no inputs for this script.
+
+## Outputs
+
+---
+There are no outputs for this script.

Packs/SekoiaXDR/Scripts/SekoiaXDRCloseAlert/SekoiaXDRCloseAlert.py

@@ -1,44 +1,92 @@
 import demistomock as demisto  # noqa: F401
 from CommonServerPython import *  # noqa: F401
 
-incident = demisto.incidents()[0]  # type: ignore
-isMirrorEnable = incident.get("dbotMirrorDirection")
-alert_short_id = incident.get("CustomFields", {}).get("alertid")
-reject = demisto.getArg("sekoiaalertreject")
-close_reason = demisto.getArg("closeReason")
-close_notes = demisto.getArg("closeNotes")
-owner = demisto.getArg("owner")
-username = demisto.getArg("closingUserId")
-
-# Check if the owner is set when closing the incident otherwise raise an error.
-if not owner or owner == "Assign owner" or not incident.get("owner"):
-    raise Exception(
-        "**** Please select a owner, the incident can't be closed without an owner. ****"
-    )
 
-# Check if the Sekoia Alert is closed and if not then make a comment and close it
-get_alert = execute_command("sekoia-xdr-get-alert", {"id": alert_short_id})
-alert_status = get_alert["status"]["name"]  # type: ignore
-if alert_status not in ["Closed", "Rejected"]:
-    # Check if the mirror Out or Both is enabled in which case the sekoiaalertstatus
-    # field will be changed and in the period of 1 minute the mirror out will send the changes to Sekoia XDR.
-    if isMirrorEnable in ["Out", "Both"]:
-        # IF reject is False then close the sekoia alert and if reject is True then reject the sekoia alert.
-        if reject == "false":
-            execute_command("setIncident", {"sekoiaalertstatus": "Closed"})
-        if reject == "true":
-            execute_command("setIncident", {"sekoiaalertstatus": "Rejected"})
-
-    # Send the close reason and notes as a comment to the Sekoia XDR alert using the name of the person who closed the incident.
+def get_status_name(alert_id: str):
+    get_alert = execute_command("sekoia-xdr-get-alert", {"id": alert_id})
+    return get_alert["status"]["name"]  # type: ignore
+
+
+def get_username(username: str):
     user = execute_command("getUserByUsername", {"username": username})
-    comment = execute_command(
-        "sekoia-xdr-post-comment-alert",
-        {
-            "id": alert_short_id,
-            "comment": f"{close_reason}-{close_notes}",
-            "author": user["name"],  # type: ignore
-        },
+    return user["name"]  # type: ignore
+
+
+def post_closure_comment(
+    alert_id: str,
+    close_reason: Optional[str],
+    close_notes: Optional[str],
+    username: str,
+):
+    try:
+        execute_command(
+            "sekoia-xdr-post-comment-alert",
+            {
+                "id": alert_id,
+                "comment": (
+                    f"{close_reason}-{close_notes}"
+                    if close_reason and close_notes
+                    else None
+                ),
+                "author": get_username(username),  # type: ignore
+            },
+        )
+    except Exception as e:
+        return_error(f"Failed to post comment: {str(e)}")
+
+
+def close_alert(
+    alert_id: str,
+    reject: str,
+    isMirrorEnable: str,
+    close_reason: Optional[str],
+    close_notes: Optional[str],
+    username: str,
+):
+    alert_status = get_status_name(alert_id)
+    if alert_status not in ["Closed", "Rejected"]:
+        if isMirrorEnable in ["Out", "Both"]:
+            if reject == "false":
+                execute_command("setIncident", {"sekoiaalertstatus": "Closed"})
+                readable_output = f"**** The alert {alert_id} has been closed. ****"
+            if reject == "true":
+                execute_command("setIncident", {"sekoiaalertstatus": "Rejected"})
+                readable_output = f"**** The alert {alert_id} has been rejected. ****"
+
+        post_closure_comment(alert_id, close_reason, close_notes, username)
+
+        return_results(
+            {
+                "ContentsFormat": formats["markdown"],
+                "Type": entryTypes["note"],
+                "Contents": readable_output,
+            }
+        )
+
+    else:
+        raise Exception("**** The alert is already closed or rejected. ****")
+
+
+def main():
+    incident = demisto.incidents()[0]  # type: ignore
+    isMirrorEnable = incident.get("dbotMirrorDirection")
+    alert_short_id = incident.get("CustomFields", {}).get("alertid")
+    reject = demisto.getArg["sekoiaalertreject"]  # type: ignore
+    close_reason = demisto.getArg("closeReason")
+    close_notes = demisto.getArg("closeNotes")
+    owner = demisto.getArg("owner")
+    username = demisto.getArg["closingUserId"]  # type: ignore
+
+    # Check if the owner is set when closing the incident otherwise raise an error.
+    if not owner or owner == "Assign owner" or not incident.get("owner"):
+        raise Exception(
+            "**** Please select a owner, the incident can't be closed without an owner. ****"
+        )
+
+    close_alert(
+        alert_short_id, reject, isMirrorEnable, close_reason, close_notes, username
     )
-else:
-    # If the alert is already closed or rejected then raise an error.
-    raise Exception("**** The alert is already closed or rejected. ****")
+
+
+if __name__ in ("__main__", "__builtin__", "builtins"):
+    main()