

Merge branch 'contrib/SEKOIA-IO_Add/SekoiaXDR' into Add/SekoiaXDR
TOUFIKIzakarya authored Aug 12, 2024
2 parents ebfffc8 + 97ff7c5 commit de69be7
Showing 232 changed files with 10,716 additions and 1,534 deletions.
5 changes: 4 additions & 1 deletion Config/approved_categories.json
Expand Up @@ -17,6 +17,9 @@
"Utilities",
"Vulnerability Management",
"Authentication & Identity Management",
"Email"
"Email",
"Cloud Service Provider",
"Code Repositories",
"CI/CD"
]
}
2 changes: 1 addition & 1 deletion Packs/AWS-ACM/pack_metadata.json
Expand Up @@ -8,7 +8,7 @@
"email": "",
"created": "2020-04-14T00:00:00Z",
"categories": [
"Cloud Services"
"Cloud Service Provider"
],
"tags": [],
"useCases": [],
2 changes: 1 addition & 1 deletion Packs/AWS-Athena/pack_metadata.json
Expand Up @@ -8,7 +8,7 @@
"email": "",
"created": "2020-04-14T00:00:00Z",
"categories": [
"Cloud Services"
"Cloud Service Provider"
],
"tags": [],
"useCases": [],
2 changes: 1 addition & 1 deletion Packs/AWS-CloudTrail/pack_metadata.json
Expand Up @@ -8,7 +8,7 @@
"email": "",
"created": "2020-04-14T00:00:00Z",
"categories": [
"Cloud Services"
"Cloud Service Provider"
],
"tags": [],
"useCases": [],
2 changes: 1 addition & 1 deletion Packs/AWS-EC2/pack_metadata.json
Expand Up @@ -8,7 +8,7 @@
"email": "",
"created": "2020-04-14T00:00:00Z",
"categories": [
"Cloud Services"
"Cloud Service Provider"
],
"tags": [],
"useCases": [],
2 changes: 1 addition & 1 deletion Packs/AWS-EKS/pack_metadata.json
Expand Up @@ -7,7 +7,7 @@
"url": "https://www.paloaltonetworks.com/cortex",
"email": "",
"categories": [
"Cloud Services"
"Cloud Service Provider"
],
"tags": [],
"useCases": [],
6 changes: 6 additions & 0 deletions Packs/AWS-Enrichment-Remediation/ReleaseNotes/1_1_20.md
@@ -0,0 +1,6 @@

#### Scripts

##### AWSRecreateSG

Fixed an issue where `All UDP` and `All TCP` Security Group rules were being treated as if they were `All Traffic` rules.
Expand Up @@ -22,7 +22,7 @@ def split_rule(rule: dict, port: int, protocol: str) -> list[dict]:
"""
res_list = []
# Check if 'FromPort' is in rule, else it is an "all traffic rule".
if rule.get('FromPort'):
if 'FromPort' in rule:
# Port of interest is in front of back of range, therefore, edit the original rule.
if rule['FromPort'] == port:
rule['FromPort'] = rule['FromPort'] + 1
Expand Down Expand Up @@ -77,7 +77,7 @@ def sg_fix(sg_info: list, port: int, protocol: str, assume_role: str, instance_t
for rule in info['IpPermissions']:
if rule.get('IpRanges') and len(rule.get('IpRanges')) > 0:
# Check if 'FromPort' is in rule, else it is an "all traffic rule".
if rule.get('FromPort'):
if 'FromPort' in rule:
# Don't recreate if it targets just the port of interest.
if (
rule['FromPort'] == port
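Review bot: The comment above the new check in the first hunk, `# Check if 'FromPort' is in rule, else it is an "all traffic rule".`, still does not say why key presence replaced the truthiness test, and the motivation lives only in the release note: All TCP / All UDP rules carry a FromPort of 0, which is falsy and was therefore misclassified as an all-traffic rule. Suggest rewording it to `# 'FromPort' is absent only on "all traffic" rules; test key presence, since FromPort can legitimately be 0 (All TCP/UDP).` so the next reader does not "simplify" it back to rule.get(). The same comment and check appear in the second hunk inside sg_fix and should get the same wording. Both enclosing functions, split_rule and sg_fix, start and end outside these hunks, and the file name is not shown in this section (it appears to be the AWSRecreateSG script named in the release note).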
Expand Up @@ -51,7 +51,7 @@ dependson:
- AWS - EC2|||aws-ec2-authorize-security-group-egress-rule
- AWS - EC2|||aws-ec2-revoke-security-group-ingress-rule
- AWS - EC2|||aws-ec2-revoke-security-group-egress-rule
dockerimage: demisto/python3:3.10.13.87159
dockerimage: demisto/python3:3.11.9.107421
enabled: true
name: AWSRecreateSG
runas: DBotWeakRole
2 changes: 1 addition & 1 deletion Packs/AWS-Enrichment-Remediation/pack_metadata.json
Expand Up @@ -2,7 +2,7 @@
"name": "AWS Enrichment and Remediation",
"description": "Playbooks using multiple AWS content packs for enrichment and remediation purposes",
"support": "xsoar",
"currentVersion": "1.1.19",
"currentVersion": "1.1.20",
"author": "Cortex XSOAR",
"url": "https://www.paloaltonetworks.com/cortex",
"email": "",
2 changes: 1 addition & 1 deletion Packs/AWS-GuardDuty/pack_metadata.json
Expand Up @@ -8,7 +8,7 @@
"email": "",
"created": "2020-04-14T00:00:00Z",
"categories": [
"Cloud Services"
"Cloud Service Provider"
],
"tags": [],
"itemPrefix": [
58 changes: 58 additions & 0 deletions Packs/AWS-IAM/Integrations/AWS-IAM/AWS-IAM.py
@@ -1,5 +1,7 @@
import demistomock as demisto # noqa: F401
from CommonServerPython import * # noqa: F401


import botocore.exceptions
from datetime import datetime, date

Expand Down Expand Up @@ -385,6 +387,56 @@ def delete_access_key(args, client): # pragma: no cover
demisto.results("The Access Key was deleted")


def list_mfa_devices(args, client):
user_name = args.get('userName', "")
marker = args.get('marker', None)
limit, is_manual, page_size = get_limit(args)

kwargs = {
'UserName': user_name,
'MaxItems': limit
}
if marker:
kwargs.update({'Marker': marker})
response = client.list_mfa_devices(**kwargs)

mfa_devices = response['MFADevices']
data = []

for mfa_device in mfa_devices:
data.append({
'UserName': mfa_device['UserName'],
'SerialNumber': mfa_device['SerialNumber'],
'EnableDate': datetime.strftime(mfa_device['EnableDate'], '%Y-%m-%d %H:%M:%S'),
})
if is_manual and page_size and len(data) > page_size:
data = data[-1 * page_size:]
human_readable = tableToMarkdown('AWS IAM Users MFA Devices', data)
return CommandResults(
readable_output=human_readable,
outputs_key_field="UserName",
outputs_prefix="AWS.IAM.MFADevices",
outputs={"Devices": data, "Marker": response["Marker"]},
)


def deactivate_mfa_device(args, client):
response = client.deactivate_mfa_device(
UserName=args['userName'],
SerialNumber=args['serialNumber']
)
if response['ResponseMetadata']['HTTPStatusCode'] == 200:
demisto.results('The User {} mfa device has been deactivated'.format(args.get('userName')))


def delete_virtual_mfa_device(args, client):
response = client.delete_virtual_mfa_device(
SerialNumber=args['serialNumber']
)
if response['ResponseMetadata']['HTTPStatusCode'] == 200:
demisto.results('The User {} mfa device has been deleted'.format(args.get('serialNumber')))


def create_instance_profile(args, client): # pragma: no cover
kwargs = {'InstanceProfileName': args.get('instanceProfileName')}
if args.get('path') is not None:
Expand Down Expand Up @@ -1321,6 +1373,12 @@ def main(): # pragma: no cover
remove_user_from_group(args, client)
elif command == 'aws-iam-delete-access-key':
delete_access_key(args, client)
elif command == 'aws-iam-list-mfa-devices':
list_mfa_devices(args, client)
elif command == 'aws-iam-deactivate-mfa-devices':
deactivate_mfa_device(args, client)
elif command == 'aws-iam-delete-mfa-devices':
delete_virtual_mfa_device(args, client)
elif command == 'aws-iam-create-instance-profile':
create_instance_profile(args, client)
elif command == 'aws-iam-delete-instance-profile':
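Review bot: In the main() dispatch hunk, `list_mfa_devices(args, client)` discards the CommandResults that function returns (it is the only new function that returns a result instead of calling demisto.results itself), so aws-iam-list-mfa-devices writes neither context nor war-room output unless main() collects return values somewhere outside the hunk; change that line to `return_results(list_mfa_devices(args, client))`. In list_mfa_devices, `outputs={"Devices": data, "Marker": response["Marker"]}` raises KeyError on a non-truncated response, because IAM ListMFADevices returns Marker only when IsTruncated is true; use `"Marker": response.get("Marker")` instead, and note that the unit test mock always supplies Marker so this path is not exercised. Since these commands remove a second factor from an IAM user, the human-readable result of deactivate_mfa_device would also be more useful for audit if it included the serial number alongside the user name. main() starts and ends outside this hunk.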
66 changes: 65 additions & 1 deletion Packs/AWS-IAM/Integrations/AWS-IAM/AWS-IAM.yml
Expand Up @@ -1545,7 +1545,71 @@ script:
- contextPath: AWS.IAM.Roles.AttachedPolicies.Query.Marker
description: When IsTruncated is true, this element is present and contains the value to use for the Marker parameter in a subsequent pagination request.
type: string
dockerimage: demisto/boto3py3:1.0.0.100468
- arguments:
- description: The name of the user whose MFA devices you want to list.
name: userName
required: true
- description: The Amazon Resource Name (ARN) of the role to assume.
name: roleArn
required: false
- description: An identifier for the assumed role session.
name: roleSessionName
required: false
- description: The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.
name: roleSessionDuration
required: false
- description: Use this parameter only when paginating results and only after you receive a response indicating that the results are truncated. Set it to the value of the Marker element in the response that you received to indicate where the next call should start.
name: marker
required: false
name: aws-iam-list-mfa-devices
description: Lists the MFA devices for an IAM user.
outputs:
- contextPath: AWS.IAM.MFADevices.Devices.UserName
description: The user with whom the MFA device is associated.
type: string
- contextPath: AWS.IAM.MFADevices.Devices.SerialNumber
description: The serial number that uniquely identifies the MFA device. For virtual MFA devices, the serial number is the device ARN.
type: string
- contextPath: AWS.IAM.MFADevices.Devices.EnableDate
description: The date when the MFA device was enabled for the user.
type: date
- contextPath: MFADevices.Devices.Marker
description: First element of next page of items.
type: string
- arguments:
- description: The name of the user whose MFA devices you want to list.
name: userName
required: true
- description: The serial number that uniquely identifies the MFA device. For virtual MFA devices, the serial number is the same as the ARN.
name: serialNumber
required: true
- description: The Amazon Resource Name (ARN) of the role to assume.
name: roleArn
required: false
- description: An identifier for the assumed role session.
name: roleSessionName
required: false
- description: The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.
name: roleSessionDuration
required: false
description: Deactivates the specified MFA device and removes it from association with the user name for which it was originally enabled.
name: aws-iam-deactivate-mfa-devices
- arguments:
- description: The serial number that uniquely identifies the MFA device. For virtual MFA devices, the serial number is the same as the ARN.
name: serialNumber
required: true
- description: The Amazon Resource Name (ARN) of the role to assume.
name: roleArn
required: false
- description: An identifier for the assumed role session.
name: roleSessionName
required: false
- description: The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.
name: roleSessionDuration
required: false
description: Deletes a virtual MFA device.
name: aws-iam-delete-mfa-devices
dockerimage: demisto/boto3py3:1.0.0.101103
runonce: false
script: '-'
subtype: python3
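Review bot: The output `contextPath: MFADevices.Devices.Marker` for aws-iam-list-mfa-devices is missing the `AWS.IAM.` prefix and nests Marker under Devices, whereas the Python implementation emits Marker as a sibling of Devices under the prefix AWS.IAM.MFADevices; it should read `contextPath: AWS.IAM.MFADevices.Marker`. The same command declares only userName, roleArn, roleSessionName, roleSessionDuration and marker, yet the implementation calls get_limit(args) and the unit test passes page_size and page, so the pagination arguments (presumably limit, page and page_size; the exact names get_limit reads are outside this diff) need entries here or users cannot set them. The userName description for aws-iam-deactivate-mfa-devices was copied from the list command ("whose MFA devices you want to list") and should say `description: The name of the user whose MFA device you want to deactivate.`.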
Empty file.
107 changes: 106 additions & 1 deletion Packs/AWS-IAM/Integrations/AWS-IAM/AWS-IAM_test.py
Expand Up @@ -3,7 +3,7 @@
import pytest
import importlib
import demistomock as demisto

from pytest_mock import MockerFixture
AWS_IAM = importlib.import_module("AWS-IAM")

ATTACHED_POLICIES = [
Expand Down Expand Up @@ -81,6 +81,15 @@ def get_user(self):
def list_attached_role_policies(self):
pass

def deactivate_mfa_device(self):
pass

def delete_virtual_mfa_device(self):
pass

def list_mfa_devices(self):
pass

@property
def exceptions(self):
raise NoSuchEntityException
Expand Down Expand Up @@ -516,3 +525,99 @@ def test_list_attached_role_policies(mocker, is_truncated: bool, expeted_second_
assert result[1].outputs.get('Marker') == expected_marker
assert result[1].raw_response == response
assert result[1].readable_output == expeted_second_output


def test_deactivate_mfa_device(mocker: MockerFixture):
"""
Given:
args - userName, serialNumber.
When:
calling deactivate_mfa_device function.
Then:
Ensure that the response returns as expected and contains the userName.
"""
mock_res = {
"ResponseMetadata": {
"HTTPStatusCode": 200
}
}

args = {
"userName": "test",
"serialNumber": "test1"
}
mocker.patch.object(Boto3Client, "deactivate_mfa_device", return_value=mock_res)
results = mocker.patch.object(demisto, 'results')

client = Boto3Client()
AWS_IAM.deactivate_mfa_device(args, client)

assert results.call_args[0][0] == "The User test mfa device has been deactivated"


def test_delete_virtual_mfa_device(mocker: MockerFixture):
"""
Given:
args - serialNumber.
When:
calling delete_virtual_mfa_device function.
Then:
Ensure that the response returns as expected and contains the userName.
"""
mock_res = {
"ResponseMetadata": {
"HTTPStatusCode": 200
}
}

args = {
"serialNumber": "test1"
}
mocker.patch.object(Boto3Client, "delete_virtual_mfa_device", return_value=mock_res)
results = mocker.patch.object(demisto, 'results')

client = Boto3Client()
AWS_IAM.delete_virtual_mfa_device(args, client)

assert results.call_args[0][0] == "The User test1 mfa device has been deleted"


@pytest.mark.parametrize(
"page_size",
[
1,
2
]
)
def test_list_mfa_devices(mocker: MockerFixture, page_size: int):
"""
Given:
- page_size argument
Then:
- run `list_mfa_devices` function
When:
- Ensure that `outputs_prefix` is as expected
- Ensure that the number of returned devices is as expected
"""
mock_res = {
"MFADevices": [
{
"UserName": "test",
"SerialNumber": "test",
"EnableDate": datetime.datetime(2021, 11, 7, 15, 55, 3)
},
{
"UserName": "test2",
"SerialNumber": "test2",
"EnableDate": datetime.datetime(2022, 11, 7, 15, 55, 3)
}
],
"Marker": "test"
}
mocker.patch.object(Boto3Client, "list_mfa_devices", return_value=mock_res)

client = Boto3Client()
res = AWS_IAM.list_mfa_devices({"page_size": page_size, "page": 1}, client)

assert len(res.outputs["Devices"]) == page_size
assert res.outputs_prefix == "AWS.IAM.MFADevices"
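Review bot: test_list_mfa_devices always puts `"Marker": "test"` into the mocked response, so the non-truncated case, in which a real ListMFADevices response carries no Marker key, is never exercised even though list_mfa_devices indexes `response["Marker"]` directly; add a parametrized case whose mock omits Marker and asserts the call still succeeds. The docstring of test_delete_virtual_mfa_device says the result "contains the userName", but that command only takes serialNumber, and in test_list_mfa_devices the Given/When/Then labels are swapped (Then lists the action, When lists the assertions). `datetime.datetime(...)` is used in the mock while no datetime import is visible in this section; it is presumably imported above the first hunk.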