Merge branch 'contrib/SEKOIA-IO_Add/SekoiaXDR' into Add/SekoiaXDR

SEKOIA-IO · Jul 15, 2024 · 945cef0 · 945cef0
2 parents a691f01 + 143180b
commit 945cef0
Show file tree

Hide file tree

Showing 184 changed files with 13,307 additions and 1,705 deletions.
diff --git a/.pre-commit-config_template.yaml b/.pre-commit-config_template.yaml
@@ -41,7 +41,6 @@ repos:
     - --config=nightly_ruff.toml
     args:ci:
     - --config=nightly_ruff.toml
-    skip:docker_autoupdate: true
 - repo: https://github.com/hhatto/autopep8
   rev: v2.3.1
   hooks:
@@ -175,7 +174,6 @@ repos:
     - Tests/scripts/dev_envs/pytest/conftest.py
     skip:commit: true
     run_isolated: true
-    skip:docker_autoupdate: true
     pass_docker_extra_args:ci: --rm=false
     pass_docker_extra_args:nightly: --rm=false
 

diff --git a/Packs/Armis/Integrations/ArmisEventCollector/ArmisEventCollector.yml b/Packs/Armis/Integrations/ArmisEventCollector/ArmisEventCollector.yml
@@ -20,14 +20,14 @@ configuration:
   name: max_fetch
   additionalinfo: Alerts and activity events.
   type: 0
-  defaultvalue: 5000
+  defaultvalue: 100000
   section: Collect
 - display: Maximum number of device events per fetch
   name: devices_max_fetch
   type: 0
   section: Collect
   additionalinfo: Devices events.
-  defaultvalue: 10000
+  defaultvalue: 50000
 - display: Trust any certificate (not secure)
   name: insecure
   type: 8
@@ -67,7 +67,7 @@ configuration:
   display: Device Fetch Interval
   additionalinfo: Time between fetch of devices (for example 12 hours, 60 minutes, etc.).
   name: deviceFetchInterval
-  defaultvalue: "24 hours"
+  defaultvalue: "4 hours"
   type: 0
   required: false
 description: Collects alerts, devices and activities from Armis resources.
@@ -107,7 +107,7 @@ script:
   script: '-'
   type: python
   subtype: python3
-  dockerimage: demisto/python3:3.10.14.92207
+  dockerimage: demisto/python3:3.11.9.103066
 marketplaces:
 - marketplacev2
 fromversion: 6.10.0

diff --git a/Packs/Armis/Integrations/ArmisEventCollector/ArmisEventCollector_description.md b/Packs/Armis/Integrations/ArmisEventCollector/ArmisEventCollector_description.md
@@ -10,4 +10,11 @@ This integration supports the Armis API 1.8.0 version.
 1. Log into the Armis platform and browse to **Settings** by clicking your account icon on the top right-hand side of the screen.
 2. Choose **Settings API Management**.
 3. Click **Create** and copy the generated key. (Do not share this key and do not create a non-encrypted copy of it.)
-4. Refer to [Obtaining an API key from Armis](https://docs.ic.armis.com/docs/introduction_api-keys) for more details.
+4. Refer to [Obtaining an API key from Armis](https://docs.ic.armis.com/docs/introduction_api-keys) for more details.
+
+## General note:
+
+- The **Activities** and **Alerts** event types are expected to have a many logs within a short interval. Therefore, the default limit is 100k and the interval is 1 minute.
+- The **Devices** event type is expected to have heavier responses but with fewer events within a long interval. Therefore the default limit is 50k and the interval is 4 hours.
+- Internal server errors may occur when there is a significant disparity between the number of events being fetched and the available events within a given time frame. This can happen when the limit set for fetching events is too low, resulting in the retrieval of older events while a substantial number of new events are available.
+- If you encounter timeout or internal server errors while fetching events, separate instances for each event type and tweak the limits according to the issues - lowering the limit for timeout or raising the limit for internal server errors.
diff --git a/Packs/Armis/ReleaseNotes/1_1_16.json b/Packs/Armis/ReleaseNotes/1_1_16.json
@@ -0,0 +1,4 @@
+{
+    "breakingChanges": true,
+    "breakingChangesNotes": "Raised the default value of device events max fetch and events max fetch to 50k and 100k respectively and lowered the device fetch interval default value to 4 hours."
+}
diff --git a/Packs/Armis/ReleaseNotes/1_1_16.md b/Packs/Armis/ReleaseNotes/1_1_16.md
@@ -0,0 +1,7 @@
+
+#### Integrations
+
+##### Armis Event Collector
+
+- Raised the default value of device events max fetch and events max fetch to 50k and 100k respectively and lowered the device fetch interval default value to 4 hours.
+- Updated the Docker image to: *demisto/python3:3.11.9.103066*.
diff --git a/Packs/Armis/pack_metadata.json b/Packs/Armis/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Armis",
     "description": "Agentless and passive security platform that sees, identifies, and classifies every device, tracks behavior, identifies threats, and takes action automatically to protect critical information and systems",
     "support": "partner",
-    "currentVersion": "1.1.15",
+    "currentVersion": "1.1.16",
     "author": "Armis Corporation",
     "url": "https://support.armis.com/",
     "email": "[email protected]",

diff --git a/Packs/Base/ReleaseNotes/1_34_29.md b/Packs/Base/ReleaseNotes/1_34_29.md
@@ -0,0 +1,21 @@
+
+#### Scripts
+
+##### DBotTrainTextClassifierV2
+
+- Updated the Docker image to: *demisto/ml:1.0.0.103517*.
+##### DBotFindSimilarIncidentsByIndicators
+
+- Updated the Docker image to: *demisto/ml:1.0.0.103517*.
+##### GetMLModelEvaluation
+
+- Updated the Docker image to: *demisto/ml:1.0.0.103517*.
+##### DBotPredictPhishingWords
+
+- Updated the Docker image to: *demisto/ml:1.0.0.103517*.
+##### DBotFindSimilarIncidents
+
+- Updated the Docker image to: *demisto/ml:1.0.0.103517*.
+##### DBotPreProcessTextData
+
+- Updated the Docker image to: *demisto/ml:1.0.0.103517*.
diff --git a/Packs/Base/Scripts/DBotFindSimilarIncidents/DBotFindSimilarIncidents.yml b/Packs/Base/Scripts/DBotFindSimilarIncidents/DBotFindSimilarIncidents.yml
@@ -86,7 +86,7 @@ script: '-'
 subtype: python3
 timeout: '0'
 type: python
-dockerimage: demisto/ml:1.0.0.101889
+dockerimage: demisto/ml:1.0.0.103517
 runas: DBotWeakRole
 tests:
 - DBotFindSimilarIncidents-test

diff --git a/...ase/Scripts/DBotFindSimilarIncidentsByIndicators/DBotFindSimilarIncidentsByIndicators.yml b/...ase/Scripts/DBotFindSimilarIncidentsByIndicators/DBotFindSimilarIncidentsByIndicators.yml
@@ -42,7 +42,7 @@ script: '-'
 subtype: python3
 timeout: '0'
 type: python
-dockerimage: demisto/ml:1.0.0.101889
+dockerimage: demisto/ml:1.0.0.103517
 runas: DBotWeakRole
 tests:
 - DBotFindSimilarIncidentsByIndicators - Test

diff --git a/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.yml b/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.yml
@@ -98,7 +98,7 @@ tags:
 - phishing
 timeout: 60µs
 type: python
-dockerimage: demisto/ml:1.0.0.101889
+dockerimage: demisto/ml:1.0.0.103517
 tests:
 - Create Phishing Classifier V2 ML Test
 fromversion: 5.0.0

diff --git a/Packs/Base/Scripts/DBotPreprocessTextData/DBotPreprocessTextData.yml b/Packs/Base/Scripts/DBotPreprocessTextData/DBotPreprocessTextData.yml
@@ -104,7 +104,7 @@ tags:
 - ml
 timeout: 120µs
 type: python
-dockerimage: demisto/ml:1.0.0.101889
+dockerimage: demisto/ml:1.0.0.103517
 tests:
 - Create Phishing Classifier V2 ML Test
 fromversion: 5.0.0
diff --git a/Packs/Base/Scripts/DBotTrainTextClassifierV2/DBotTrainTextClassifierV2.yml b/Packs/Base/Scripts/DBotTrainTextClassifierV2/DBotTrainTextClassifierV2.yml
@@ -121,7 +121,7 @@ tags:
 - ml
 timeout: 12µs
 type: python
-dockerimage: demisto/ml:1.0.0.101889
+dockerimage: demisto/ml:1.0.0.103517
 tests:
 - Create Phishing Classifier V2 ML Test
 fromversion: 5.0.0

diff --git a/Packs/Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation.yml b/Packs/Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation.yml
@@ -43,7 +43,7 @@ tags:
 - ml
 timeout: 60µs
 type: python
-dockerimage: demisto/ml:1.0.0.101889
+dockerimage: demisto/ml:1.0.0.103517
 tests:
 - Create Phishing Classifier V2 ML Test
 fromversion: 5.0.0

diff --git a/Packs/Base/pack_metadata.json b/Packs/Base/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Base",
     "description": "The base pack for Cortex XSOAR.",
     "support": "xsoar",
-    "currentVersion": "1.34.28",
+    "currentVersion": "1.34.29",
     "author": "Cortex XSOAR",
     "serverMinVersion": "6.0.0",
     "url": "https://www.paloaltonetworks.com/cortex",

diff --git a/Packs/CiscoASA/ModelingRules/CiscoASA_1_4/CiscoASA_1_4.xif b/Packs/CiscoASA/ModelingRules/CiscoASA_1_4/CiscoASA_1_4.xif
diff --git a/Packs/CiscoASA/README.md b/Packs/CiscoASA/README.md
@@ -1,27 +1,28 @@
 ## Collect Events from Vendor
 
-In order to use the collector, you can use one of the following options to collect events from the vendor:
- - [Broker VM](#broker-vm)
+In order to use the collector, use the [Broker VM](#broker-vm) option.
 
-In either option, you will need to configure the vendor and product for this specific collector.
 ### Broker VM
-You will need to use the information described [here](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Configure-the-Broker-VM).\
-You can configure the specific vendor and product for this instance.
-1. Navigate to **Settings** -> **Configuration** -> **Data Broker** -> **Broker VMs**. 
-2. Right-click, and select **Syslog Collector** -> **Configure**.
-3. When configuring the Syslog Collector, set:
-   - vendor as vendor<- Cisco
-   - product as product<- ASA
+You will need to use the information described [here](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Configure-the-Broker-VM).
+
+1. Navigate to **Settings** &rarr; **Configuration** &rarr; **Data Broker** &rarr; **Broker VMs**. 
+2. Go to the **APPS** column under the **Brokers** tab and add the **Syslog** app for the relevant broker instance. If the Syslog app already exists, hover over it and click **Configure**.
+3. Click **Add New**.
+4. When configuring the Syslog Collector, set the following parameters:
+   | Parameter     | Value    
+   | :---          | :---                    
+   | `Vendor`      | Enter **Cisco**. 
+   | `Product`     | Enter **ASA**. 
 
 ### Configure Timestamp on Cisco ASA
-Supported date format is RFC 5424, an example: "2023-04-09T16:30:00Z" "2023-04-09T16:30:00+07:00"
+Supported date format is RFC 5424, for example: "2023-04-09T16:30:00Z", "2023-04-09T16:30:00+07:00".
 
 1. Access the Cisco ADSM.
-2. Go to Configuration -> logging -> Syslog setup.
+2. Go to Configuration &rarr; logging &rarr; Syslog setup.
 3. On Timestamp Format drildown click on the option "RFC 5424(yyyy-MM-ddTHH:mm:ssZ)".
 4. Click on the Apply button.
 
-Another supported date format is "Jul 08 09:14:35 UTC"
+Another supported date format is "Jul 08 09:14:35 UTC".
 
 **Note** : If a different timestamp format is used, time extraction and mapping will not be supported.
 

diff --git a/Packs/CiscoASA/ReleaseNotes/1_1_7.md b/Packs/CiscoASA/ReleaseNotes/1_1_7.md
@@ -0,0 +1,6 @@
+
+#### Modeling Rules
+
+##### Cisco ASA Modeling Rule
+
+Fixed an issue for TCP and UDP connection teardown events (Event IDs 302014 & 302016, respectively), which caused the source and target fields to be inverted.
diff --git a/Packs/CiscoASA/pack_metadata.json b/Packs/CiscoASA/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Cisco ASA",
     "description": "Cisco Adaptive Security Appliance Software is the core operating system for the Cisco ASA Family. It delivers enterprise-class firewall capabilities for ASA devices.",
     "support": "xsoar",
-    "currentVersion": "1.1.6",
+    "currentVersion": "1.1.7",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

diff --git a/Packs/CloudIDS/.pack-ignore b/Packs/CloudIDS/.pack-ignore
@@ -1,2 +0,0 @@
-[file:README.md]
-ignore=RM108

diff --git a/Packs/CloudIDS/README.md b/Packs/CloudIDS/README.md
@@ -1,16 +1,16 @@
-# CloudIDS
-Google Cloud IDS is a next-generation advanced intrusion detection service that provides threat detection for intrusions, malware, spyware, and command-and-control attacks.
-
-## What does this pack do?
-
-### Playbook
-* `Cloud_IDS-IP_Blacklist-GCP_Firewall_Extract`: Gets the attacker's IP address from Cloud IDS through Google Pub/Sub. 
-  `Cloud_IDS-IP_Blacklist-GCP_Firewall_Append` will update the ip list so GCP automatically blocks the IP address.
-
-#### Flow Chart of Playbook 
-* [Cloud_IDS-IP_Blacklist-GCP_Firewall](https://github.com/demisto/content/blob/423e13b69b375288d3ec2183bfbd4d2ee6fe018c/Packs/CloudIDS/Playbooks/Cloud_IDS-IP_Blacklist-GCP_Firewall_README.md)
-![Playbook Image](doc_files/Cloud_IDS-IP_Blacklist-GCP_Firewall_Combine.png)
-![Playbook Image](doc_files/Cloud_IDS-IP_Blacklist-GCP_Firewall_Extract.png)
-![Playbook Image](doc_files/Cloud_IDS-IP_Blacklist-GCP_Firewall_Append.png)
-
-
+# CloudIDS
+Google Cloud IDS is a next-generation advanced intrusion detection service that provides threat detection for intrusions, malware, spyware, and command-and-control attacks.
+
+## What does this pack do?
+
+### Playbook
+* `Cloud_IDS-IP_Blacklist-GCP_Firewall_Extract`: Gets the attacker's IP address from Cloud IDS through Google Pub/Sub. 
+  `Cloud_IDS-IP_Blacklist-GCP_Firewall_Append` will update the ip list so GCP automatically blocks the IP address.
+
+#### Flow Chart of Playbook 
+* [Cloud_IDS-IP_Blacklist-GCP_Firewall](https://github.com/demisto/content/blob/423e13b69b375288d3ec2183bfbd4d2ee6fe018c/Packs/CloudIDS/Playbooks/Cloud_IDS-IP_Blacklist-GCP_Firewall_README.md)
+![Playbook Image](https://github.com/demisto/content/raw/423e13b69b375288d3ec2183bfbd4d2ee6fe018c/Packs/CloudIDS/doc_files/Cloud_IDS-IP_Blacklist-GCP_Firewall_Combine.png)
+![Playbook Image](https://github.com/demisto/content/raw/423e13b69b375288d3ec2183bfbd4d2ee6fe018c/Packs/CloudIDS/doc_files/Cloud_IDS-IP_Blacklist-GCP_Firewall_Extract.png)
+![Playbook Image](https://github.com/demisto/content/raw/423e13b69b375288d3ec2183bfbd4d2ee6fe018c/Packs/CloudIDS/doc_files/Cloud_IDS-IP_Blacklist-GCP_Firewall_Append.png)
+
+