diff --git a/Packs/Base/ReleaseNotes/1_34_31.md b/Packs/Base/ReleaseNotes/1_34_31.md
new file mode 100644
index 000000000000..41ae70613f92
--- /dev/null
+++ b/Packs/Base/ReleaseNotes/1_34_31.md
@@ -0,0 +1,21 @@
+
+#### Scripts
+
+##### DBotTrainTextClassifierV2
+
+- Updated the Docker image to: *demisto/ml:1.0.0.105874*.
+##### DBotFindSimilarIncidentsByIndicators
+
+- Updated the Docker image to: *demisto/ml:1.0.0.105874*.
+##### GetMLModelEvaluation
+
+- Updated the Docker image to: *demisto/ml:1.0.0.105874*.
+##### DBotPredictPhishingWords
+
+- Updated the Docker image to: *demisto/ml:1.0.0.105874*.
+##### DBotFindSimilarIncidents
+
+- Updated the Docker image to: *demisto/ml:1.0.0.105874*.
+##### DBotPreProcessTextData
+
+- Updated the Docker image to: *demisto/ml:1.0.0.105874*.
\ No newline at end of file
diff --git a/Packs/Base/Scripts/DBotFindSimilarIncidents/DBotFindSimilarIncidents.yml b/Packs/Base/Scripts/DBotFindSimilarIncidents/DBotFindSimilarIncidents.yml
index 9c4c3ede517b..4774563c6e96 100644
--- a/Packs/Base/Scripts/DBotFindSimilarIncidents/DBotFindSimilarIncidents.yml
+++ b/Packs/Base/Scripts/DBotFindSimilarIncidents/DBotFindSimilarIncidents.yml
@@ -86,7 +86,7 @@ script: '-'
 subtype: python3
 timeout: '0'
 type: python
-dockerimage: demisto/ml:1.0.0.103517
+dockerimage: demisto/ml:1.0.0.105874
 runas: DBotWeakRole
 tests:
 - DBotFindSimilarIncidents-test
diff --git a/Packs/Base/Scripts/DBotFindSimilarIncidentsByIndicators/DBotFindSimilarIncidentsByIndicators.yml b/Packs/Base/Scripts/DBotFindSimilarIncidentsByIndicators/DBotFindSimilarIncidentsByIndicators.yml
index d8dd96aca214..2a50a1004a76 100644
--- a/Packs/Base/Scripts/DBotFindSimilarIncidentsByIndicators/DBotFindSimilarIncidentsByIndicators.yml
+++ b/Packs/Base/Scripts/DBotFindSimilarIncidentsByIndicators/DBotFindSimilarIncidentsByIndicators.yml
@@ -42,7 +42,7 @@ script: '-'
 subtype: python3
 timeout: '0'
 type: python
-dockerimage: demisto/ml:1.0.0.103517
+dockerimage: demisto/ml:1.0.0.105874
 runas: DBotWeakRole
 tests:
 - DBotFindSimilarIncidentsByIndicators - Test
diff --git a/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.yml b/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.yml
index 4b72a32eb885..f341384979f4 100644
--- a/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.yml
+++ b/Packs/Base/Scripts/DBotPredictPhishingWords/DBotPredictPhishingWords.yml
@@ -98,7 +98,7 @@ tags:
 - phishing
 timeout: 60µs
 type: python
-dockerimage: demisto/ml:1.0.0.103517
+dockerimage: demisto/ml:1.0.0.105874
 tests:
 - Create Phishing Classifier V2 ML Test
 fromversion: 5.0.0
diff --git a/Packs/Base/Scripts/DBotPreprocessTextData/DBotPreprocessTextData.yml b/Packs/Base/Scripts/DBotPreprocessTextData/DBotPreprocessTextData.yml
index 400463d45da0..7fd43c9e3190 100644
--- a/Packs/Base/Scripts/DBotPreprocessTextData/DBotPreprocessTextData.yml
+++ b/Packs/Base/Scripts/DBotPreprocessTextData/DBotPreprocessTextData.yml
@@ -104,7 +104,7 @@ tags:
 - ml
 timeout: 120µs
 type: python
-dockerimage: demisto/ml:1.0.0.103517
+dockerimage: demisto/ml:1.0.0.105874
 tests:
 - Create Phishing Classifier V2 ML Test
 fromversion: 5.0.0
diff --git a/Packs/Base/Scripts/DBotTrainTextClassifierV2/DBotTrainTextClassifierV2.yml b/Packs/Base/Scripts/DBotTrainTextClassifierV2/DBotTrainTextClassifierV2.yml
index 63759829d17e..150a85c46135 100644
--- a/Packs/Base/Scripts/DBotTrainTextClassifierV2/DBotTrainTextClassifierV2.yml
+++ b/Packs/Base/Scripts/DBotTrainTextClassifierV2/DBotTrainTextClassifierV2.yml
@@ -121,7 +121,7 @@ tags:
 - ml
 timeout: 12µs
 type: python
-dockerimage: demisto/ml:1.0.0.103517
+dockerimage: demisto/ml:1.0.0.105874
 tests:
 - Create Phishing Classifier V2 ML Test
 fromversion: 5.0.0
diff --git a/Packs/Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation.yml b/Packs/Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation.yml
index 5c307e6cf9c8..c779b36d7b09 100644
--- a/Packs/Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation.yml
+++ b/Packs/Base/Scripts/GetMLModelEvaluation/GetMLModelEvaluation.yml
@@ -43,7 +43,7 @@ tags:
 - ml
 timeout: 60µs
 type: python
-dockerimage: demisto/ml:1.0.0.103517
+dockerimage: demisto/ml:1.0.0.105874
 tests:
 - Create Phishing Classifier V2 ML Test
 fromversion: 5.0.0
diff --git a/Packs/Base/pack_metadata.json b/Packs/Base/pack_metadata.json
index 612d37e41f9a..48d649ed703b 100644
--- a/Packs/Base/pack_metadata.json
+++ b/Packs/Base/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Base",
 "description": "The base pack for Cortex XSOAR.",
 "support": "xsoar",
- "currentVersion": "1.34.30",
+ "currentVersion": "1.34.31",
 "author": "Cortex XSOAR",
 "serverMinVersion": "6.0.0",
 "url": "https://www.paloaltonetworks.com/cortex",
diff --git a/Packs/CofenseTriage/Integrations/CofenseTriagev2/CofenseTriagev2.yml b/Packs/CofenseTriage/Integrations/CofenseTriagev2/CofenseTriagev2.yml
index 932160bcad39..5b9bcbd1d354 100644
--- a/Packs/CofenseTriage/Integrations/CofenseTriagev2/CofenseTriagev2.yml
+++ b/Packs/CofenseTriage/Integrations/CofenseTriagev2/CofenseTriagev2.yml
@@ -402,7 +402,7 @@ script:
 description: Value of the threat indicator.
 type: string
 description: Threat Indicators that are designated by analysts as malicious, suspicious or benign.
- dockerimage: demisto/chromium:127.0.6533.105883
+ dockerimage: demisto/chromium:126.0.6478.103218
 isfetch: true
 tests:
 - No test - partner integration (test pb exists - Cofense Triage Test)
diff --git a/Packs/CofenseTriage/ReleaseNotes/2_1_28.md b/Packs/CofenseTriage/ReleaseNotes/2_1_28.md
new file mode 100644
index 000000000000..1eb92da8d2ff
--- /dev/null
+++ b/Packs/CofenseTriage/ReleaseNotes/2_1_28.md
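Review bot: The CofenseTriagev2 image tag moves backwards, from `demisto/chromium:127.0.6533.105883` to `demisto/chromium:126.0.6478.103218`, while the new release note 2_1_28.md presents it as an update. A lower Chromium major is a rollback to an older browser build, and since the image renders content fetched by the integration, the reason for the rollback (presumably a regression in the 127 build) and the plan to move back to a current build belong in the release note, for example `- Reverted the Docker image to *demisto/chromium:126.0.6478.103218* to work around an issue in the 127 build.` The same 126 tag is applied to ExpanseGenerateIssueMapWidgetScript in this commit; its yml hunk is not visible here, so whether that one is also a downgrade cannot be confirmed from this page.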
@@ -0,0 +1,5 @@
+
+#### Integrations
+
+##### Cofense Triage v2
+Updated the Docker image to: *demisto/chromium:126.0.6478.103218*.
diff --git a/Packs/CofenseTriage/pack_metadata.json b/Packs/CofenseTriage/pack_metadata.json
index 0da5d5fe7c71..6006a3817bcc 100644
--- a/Packs/CofenseTriage/pack_metadata.json
+++ b/Packs/CofenseTriage/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Cofense Triage",
 "description": "Cofense Triage allows users to fetch reports by using the fetch incidents capability. It also provides commands to get entities like reporters, rules, categories, and more.",
 "support": "partner",
- "currentVersion": "2.1.27",
+ "currentVersion": "2.1.28",
 "author": "Cofense",
 "url": "https://cofense.com/contact-support/",
 "email": "support@cofense.com",
diff --git a/Packs/CommonTypes/IndicatorFields/indicatorfield-primary_motivation.json b/Packs/CommonTypes/IndicatorFields/indicatorfield-primary_motivation.json
index 4b3128f10ed5..140dccdacaba 100644
--- a/Packs/CommonTypes/IndicatorFields/indicatorfield-primary_motivation.json
+++ b/Packs/CommonTypes/IndicatorFields/indicatorfield-primary_motivation.json
@@ -27,7 +27,8 @@
 "IP",
 "Domain",
 "URL",
- "Intrusion Set"
+ "Intrusion Set",
+ "Threat Actor"
 ],
 "associatedToAll": false,
 "unmapped": false,
@@ -36,4 +37,4 @@
 "sla": 0,
 "threshold": 72,
 "fromVersion": "5.0.0"
-}
\ No newline at end of file
+}
diff --git a/Packs/CommonTypes/ReleaseNotes/3_5_11.md b/Packs/CommonTypes/ReleaseNotes/3_5_11.md
new file mode 100644
index 000000000000..0e1fd220642f
--- /dev/null
+++ b/Packs/CommonTypes/ReleaseNotes/3_5_11.md
@@ -0,0 +1,6 @@
+
+#### Indicator Fields
+
+##### Primary Motivation
+
+- Added Threat Actor as an associated type.
diff --git a/Packs/CommonTypes/pack_metadata.json b/Packs/CommonTypes/pack_metadata.json
index 11903991acb0..6b93af51b284 100644
--- a/Packs/CommonTypes/pack_metadata.json
+++ b/Packs/CommonTypes/pack_metadata.json
@@ -2,7 +2,7 @@ "name": "Common Types", "description": "This Content Pack will get you up and running in no-time and provide you with the most commonly used incident & indicator fields and types.", "support": "xsoar", - "currentVersion": "3.5.10", + "currentVersion": "3.5.11", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/DuoAdminApi/Integrations/DuoAdminApi/DuoAdminApi.py b/Packs/DuoAdminApi/Integrations/DuoAdminApi/DuoAdminApi.py index dbb097f64fd9..3246b727bfbf 100644 --- a/Packs/DuoAdminApi/Integrations/DuoAdminApi/DuoAdminApi.py +++ b/Packs/DuoAdminApi/Integrations/DuoAdminApi/DuoAdminApi.py @@ -172,7 +172,7 @@ def get_user_id(admin_api, username): # Duo client return 2 different known structures of error messages def test_instance(admin_api): try: - admin_api.get_users() + admin_api.get_users(limit=1) demisto.results('ok') except Exception as e: diff --git a/Packs/DuoAdminApi/Integrations/DuoAdminApi/DuoAdminApi.yml b/Packs/DuoAdminApi/Integrations/DuoAdminApi/DuoAdminApi.yml index a72727ad7925..f579f14d4ce2 100644 --- a/Packs/DuoAdminApi/Integrations/DuoAdminApi/DuoAdminApi.yml +++ b/Packs/DuoAdminApi/Integrations/DuoAdminApi/DuoAdminApi.yml @@ -324,7 +324,7 @@ script: outputs: [] description: Modify the user account. name: duoadmin-modify-user - dockerimage: demisto/vendors-sdk:1.0.0.87491 + dockerimage: demisto/vendors-sdk:1.0.0.103334 script: '' type: python subtype: python3 diff --git a/Packs/DuoAdminApi/ReleaseNotes/4_0_20.md b/Packs/DuoAdminApi/ReleaseNotes/4_0_20.md new file mode 100644 index 000000000000..f43e922e2a71 --- /dev/null +++ b/Packs/DuoAdminApi/ReleaseNotes/4_0_20.md @@ -0,0 +1,5 @@ + +#### Integrations +##### DUO Admin +- Fixed an issue where ***test*** failed on timeout. +- Updated the Docker image to: *demisto/vendors-sdk:1.0.0.103334*. 
diff --git a/Packs/DuoAdminApi/TestPlaybooks/playbook-DuoAdminaAPITest.yml b/Packs/DuoAdminApi/TestPlaybooks/playbook-DuoAdminaAPITest.yml index 1b48be89c8f3..961c287a6181 100644 --- a/Packs/DuoAdminApi/TestPlaybooks/playbook-DuoAdminaAPITest.yml +++ b/Packs/DuoAdminApi/TestPlaybooks/playbook-DuoAdminaAPITest.yml @@ -6,10 +6,10 @@ starttaskid: "0" tasks: "0": id: "0" - taskid: 3cbe78f6-6f61-4b51-8e98-1fee0e85ac03 + taskid: 6ea06d80-4361-4e2f-89e6-8a9ddd515389 type: start task: - id: 3cbe78f6-6f61-4b51-8e98-1fee0e85ac03 + id: 6ea06d80-4361-4e2f-89e6-8a9ddd515389 version: -1 name: "" iscommand: false @@ -35,10 +35,10 @@ tasks: isautoswitchedtoquietmode: false "1": id: "1" - taskid: 6c1a1839-688b-4e0b-86f8-7894b1ef7350 + taskid: 07922a2b-00d5-40a2-83d0-988244fd1176 type: regular task: - id: 6c1a1839-688b-4e0b-86f8-7894b1ef7350 + id: 07922a2b-00d5-40a2-83d0-988244fd1176 version: -1 name: Get Users Detail script: '|||duoadmin-get-users' @@ -65,10 +65,10 @@ tasks: isautoswitchedtoquietmode: false "3": id: "3" - taskid: 33e09495-0cd1-4a70-81d5-2f0cccd22038 + taskid: fc55e5e8-b632-491f-87e1-79bbbc9c41f5 type: regular task: - id: 33e09495-0cd1-4a70-81d5-2f0cccd22038 + id: fc55e5e8-b632-491f-87e1-79bbbc9c41f5 version: -1 name: Get User2 Logs script: '|||duoadmin-get-authentication-logs-by-user' @@ -100,10 +100,10 @@ tasks: isautoswitchedtoquietmode: false "9": id: "9" - taskid: 03c3baa1-8200-496b-8b84-717b4ece9869 + taskid: 468c72b9-6942-45fd-8ba6-f9b018742cad type: title task: - id: 03c3baa1-8200-496b-8b84-717b4ece9869 + id: 468c72b9-6942-45fd-8ba6-f9b018742cad version: -1 name: Check if two different users have different auth logs type: title @@ -112,7 +112,7 @@ tasks: description: '' nexttasks: '#none#': - - "40" + - "48" separatecontext: false view: |- { 
@@ -130,10 +130,10 @@ tasks: isautoswitchedtoquietmode: false "13": id: "13" - taskid: 17d62ac7-c909-40e8-856b-82118f7a5a6f + taskid: 53b1078b-2655-4f29-89b6-d4a315a60aff type: regular task: - id: 17d62ac7-c909-40e8-856b-82118f7a5a6f + id: 53b1078b-2655-4f29-89b6-d4a315a60aff version: -1 name: Delete Context scriptName: DeleteContext @@ -163,23 +163,25 @@ tasks: isautoswitchedtoquietmode: false "15": id: "15" - taskid: c846bd84-7149-45c2-865e-1b4de9bbcd13 + taskid: a2e31677-42d3-43c0-89d8-5f6f5f3d8a91 type: condition task: - id: c846bd84-7149-45c2-865e-1b4de9bbcd13 + id: a2e31677-42d3-43c0-89d8-5f6f5f3d8a91 version: -1 - name: Are auth logs a part of user details? + name: Are auth logs a part of user nor empty? type: condition iscommand: false brand: "" nexttasks: - "yes": + '#default#': - "9" + "yes": + - "50" separatecontext: false conditions: - label: "yes" condition: - - - operator: isExists + - - operator: isNotEmpty left: value: complex: @@ -202,10 +204,10 @@ tasks: isautoswitchedtoquietmode: false "16": id: "16" - taskid: 4eefe78b-2115-484c-8cfb-6bee12b90259 + taskid: 6789fe24-b96b-409f-8238-9e3af6e643a8 type: title task: - id: 4eefe78b-2115-484c-8cfb-6bee12b90259 + id: 6789fe24-b96b-409f-8238-9e3af6e643a8 version: -1 name: User Devices Operations type: title @@ -232,10 +234,10 @@ tasks: isautoswitchedtoquietmode: false "17": id: "17" - taskid: 9d18f8b7-c729-4d60-84de-71ec5b22cd7a + taskid: 7e744ad1-f4d7-411a-8a8f-d8755520ec7a type: title task: - id: 9d18f8b7-c729-4d60-84de-71ec5b22cd7a + id: 7e744ad1-f4d7-411a-8a8f-d8755520ec7a version: -1 name: User Logs type: title @@ -262,10 +264,10 @@ tasks: isautoswitchedtoquietmode: false "19": id: "19" - taskid: 79685bf7-39b8-4c53-899b-b8dca67d786a + taskid: 2ebf49de-01e2-4419-8923-b8ace76a2b7b type: title task: - id: 79685bf7-39b8-4c53-899b-b8dca67d786a + id: 2ebf49de-01e2-4419-8923-b8ace76a2b7b version: -1 name: Devices type: title 
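Review bot: The renamed condition in task 15, `name: Are auth logs a part of user nor empty?`, reads as a typo; `name: Are auth logs part of user details and not empty?` says what the switch to `operator: isNotEmpty` actually checks. The value under `left:` continues past the end of the hunk, so whether task 15 and the new task 50 (which applies `isExists` to `DuoAdmin.UserDetails.[2].auth_logs`) look at the same context path cannot be confirmed here; if they do, the `isExists` check in 50 is already implied by the `isNotEmpty` in 15 and one of the two tasks is redundant.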
@@ -292,10 +294,10 @@ tasks: isautoswitchedtoquietmode: false "20": id: "20" - taskid: 4820fd50-df75-4649-8680-44d5c20f705c + taskid: f4e4830d-78bc-4ec9-8327-c308b8849a3e type: regular task: - id: 4820fd50-df75-4649-8680-44d5c20f705c + id: f4e4830d-78bc-4ec9-8327-c308b8849a3e version: -1 name: Get All Devices script: '|||duoadmin-get-devices' @@ -322,10 +324,10 @@ tasks: isautoswitchedtoquietmode: false "21": id: "21" - taskid: b0f26b20-004c-4016-8841-d0b96bd22818 + taskid: 03dbd6ae-a28c-428a-8b03-f79fe806694e type: condition task: - id: b0f26b20-004c-4016-8841-d0b96bd22818 + id: 03dbd6ae-a28c-428a-8b03-f79fe806694e version: -1 name: Are phones a part of the DuoAdmin object? type: condition @@ -378,10 +380,10 @@ tasks: isautoswitchedtoquietmode: false "23": id: "23" - taskid: a4982747-69cc-4e61-8a52-d3957e1f057b + taskid: 601c5bef-fa2e-46c8-8153-4d267a088c11 type: regular task: - id: a4982747-69cc-4e61-8a52-d3957e1f057b + id: 601c5bef-fa2e-46c8-8153-4d267a088c11 version: -1 name: Get User Phones script: '|||duoadmin-get-devices-by-user' @@ -411,10 +413,10 @@ tasks: isautoswitchedtoquietmode: false "24": id: "24" - taskid: 9320979c-925a-419b-8145-1fe99c9391cf + taskid: f15f2308-ba45-42d6-87e8-4ff52eb510fc type: condition task: - id: 9320979c-925a-419b-8145-1fe99c9391cf + id: f15f2308-ba45-42d6-87e8-4ff52eb510fc version: -1 name: Does the user have a phone? type: condition @@ -467,10 +469,10 @@ tasks: isautoswitchedtoquietmode: false "27": id: "27" - taskid: 14f7c06a-9c0d-4bf5-8b06-f028757fbbb8 + taskid: 90061888-908c-41a3-853a-9e493ed5da16 type: regular task: - id: 14f7c06a-9c0d-4bf5-8b06-f028757fbbb8 + id: 90061888-908c-41a3-853a-9e493ed5da16 version: -1 name: Get User Phones script: '|||duoadmin-get-devices-by-user' 
@@ -500,10 +502,10 @@ tasks: isautoswitchedtoquietmode: false "28": id: "28" - taskid: 8bac786b-6073-4622-82a3-ef93ad1bbfa4 + taskid: b8165043-43d4-4ca8-820c-65c0710f3cb2 type: regular task: - id: 8bac786b-6073-4622-82a3-ef93ad1bbfa4 + id: b8165043-43d4-4ca8-820c-65c0710f3cb2 version: -1 name: Dissociate the phone from the user script: '|||duoadmin-dissociate-device-from-user' @@ -535,45 +537,28 @@ tasks: isautoswitchedtoquietmode: false "29": id: "29" - taskid: aed9cd02-929b-47e6-8baf-115a4a56dbd7 + taskid: 3e9e33e8-e7d7-4160-8f25-96494c637a3b type: condition task: - id: aed9cd02-929b-47e6-8baf-115a4a56dbd7 + id: 3e9e33e8-e7d7-4160-8f25-96494c637a3b version: -1 name: Does the user still has a phone? type: condition iscommand: false brand: "" nexttasks: - "no": + "yes": - "19" separatecontext: false conditions: - - label: "no" + - label: "yes" condition: - - - operator: isNotEmpty + - - operator: isNotExists left: value: complex: - root: DuoAdmin - accessor: UserDetails - transformers: - - operator: WhereFieldEquals - args: - equalTo: - value: - simple: winitzky - field: - value: - simple: username - getField: - value: - simple: phones - - operator: atIndex - args: - index: - value: - simple: "0" + root: DuoAdmin.UserDetails.[3] + accessor: phones iscontext: true view: |- { @@ -591,10 +576,10 @@ tasks: isautoswitchedtoquietmode: false "36": id: "36" - taskid: 6f4122cb-db04-4f50-8c38-f328996774dd + taskid: 0d182e3e-21f8-4811-829b-d11e63001b5e type: regular task: - id: 6f4122cb-db04-4f50-8c38-f328996774dd + id: 0d182e3e-21f8-4811-829b-d11e63001b5e version: -1 name: Associate a dummy phone script: '|||duoadmin-associate-device-to-user' 
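Review bot: Task 29 now selects the user by position, `root: DuoAdmin.UserDetails.[3]` with `accessor: phones`, in place of the removed `WhereFieldEquals` filter on `username` equal to `winitzky`; the index depends on the order in which the API returned users, so if the ordering or the set of test users changes the check silently runs against a different user. Keeping the username filter (or a `getField` on the filtered entry) keeps the assertion tied to the user that task 28 dissociated the phone from. The branch was also flipped from `"no"`/`isNotEmpty` to `"yes"`/`isNotExists`, which tests key absence rather than emptiness: if the API returns `phones: []` after dissociation rather than omitting the key, `isNotExists` is false and the task has no `'#default#'` branch to fall through to.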
@@ -626,10 +611,10 @@ tasks: isautoswitchedtoquietmode: false "40": id: "40" - taskid: 4ce8f2ee-d8a8-4b0c-8510-3f4f1b68905b + taskid: 2aa2de4e-2911-4262-86e5-726b4a324d40 type: regular task: - id: 4ce8f2ee-d8a8-4b0c-8510-3f4f1b68905b + id: 2aa2de4e-2911-4262-86e5-726b4a324d40 version: -1 name: Get User0 Logs description: Returns authentication logs associated with a user. Limited to 30 at a time @@ -639,7 +624,7 @@ tasks: brand: DUO Admin nexttasks: '#none#': - - "45" + - "49" scriptarguments: from: simple: 5_years_ago @@ -651,7 +636,7 @@ tasks: { "position": { "x": 890, - "y": 2245 + "y": 2355 } } note: false @@ -663,10 +648,10 @@ tasks: isautoswitchedtoquietmode: false "43": id: "43" - taskid: b5c94cf5-1949-4cdb-8116-38c340dd0377 + taskid: 69b73909-224c-4b8c-80e7-d0971f74218e type: title task: - id: b5c94cf5-1949-4cdb-8116-38c340dd0377 + id: 69b73909-224c-4b8c-80e7-d0971f74218e version: -1 name: done type: title @@ -678,7 +663,7 @@ tasks: { "position": { "x": 890, - "y": 2810 + "y": 3100 } } note: false @@ -690,10 +675,10 @@ tasks: isautoswitchedtoquietmode: false "45": id: "45" - taskid: 10237983-5bf1-47ec-821d-9e86b8b87177 + taskid: 99c770ee-9baf-45ff-8dea-9c1114d6fdcb type: condition task: - id: 10237983-5bf1-47ec-821d-9e86b8b87177 + id: 99c770ee-9baf-45ff-8dea-9c1114d6fdcb version: -1 name: Check that user0 and user2 auth_logs are different type: condition @@ -724,8 +709,8 @@ tasks: view: |- { "position": { - "x": 890, - "y": 2435 + "x": 780, + "y": 2700 } } note: false @@ -737,10 +722,10 @@ tasks: isautoswitchedtoquietmode: false "46": id: "46" - taskid: 746bc186-e8fc-4aac-8d69-0fb7d6c404a0 + taskid: 83af78fa-b5b3-46ca-874f-5004fc9e1e8a type: regular task: - id: 746bc186-e8fc-4aac-8d69-0fb7d6c404a0 + id: 83af78fa-b5b3-46ca-874f-5004fc9e1e8a version: -1 name: Print Error in case of two users have the same auth logs description: Prints an error entry with a given message 
@@ -758,8 +743,8 @@ tasks: view: |- { "position": { - "x": 650, - "y": 2630 + "x": 580, + "y": 2910 } } note: false @@ -771,10 +756,10 @@ tasks: isautoswitchedtoquietmode: false "47": id: "47" - taskid: d89fbc49-8c64-4b86-892e-d46929d478a6 + taskid: ab3bee4b-6c12-4b91-8ed3-50f98942bceb type: regular task: - id: d89fbc49-8c64-4b86-892e-d46929d478a6 + id: ab3bee4b-6c12-4b91-8ed3-50f98942bceb version: -1 name: Wait for context to update description: Sleep for X seconds 
@@ -803,6 +788,125 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + "48": + id: "48" + taskid: a36117a0-3471-4051-8470-696838972ced + type: regular + task: + id: a36117a0-3471-4051-8470-696838972ced + version: -1 + name: Wait to avoid quota limit + description: Sleep for X seconds + scriptName: Sleep + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "40" + scriptarguments: + seconds: + simple: "60" + separatecontext: false + view: |- + { + "position": { + "x": 890, + "y": 2195 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "49": + id: "49" + taskid: 09f9dd80-94ca-4bf9-89d5-9afbfc32a857 + type: condition + task: + id: 09f9dd80-94ca-4bf9-89d5-9afbfc32a857 + version: -1 + name: Check that user0 and user2 auth_logs are not empty + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "43" + "yes": + - "45" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + complex: + root: DuoAdmin + accessor: UserDetails.[0].auth_logs.[0] + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: DuoAdmin.UserDetails.[2].auth_logs + iscontext: true + view: |- + { + "position": { + "x": 890, + "y": 2515 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "50": + id: "50" + taskid: d5fd47a3-d1de-4652-8399-8d8582c3fa62 + type: condition + task: + id: d5fd47a3-d1de-4652-8399-8d8582c3fa62 + version: -1 + name: Are auth logs a part of user details? 
+ type: condition + iscommand: false + brand: "" + nexttasks: + "yes": + - "9" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isExists + left: + value: + complex: + root: DuoAdmin + accessor: UserDetails.[2].auth_logs + iscontext: true + view: |- + { + "position": { + "x": 900, + "y": 1790 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false view: |- { "linkLabelsPosition": { @@ -810,7 +914,7 @@ view: |- }, "paper": { "dimensions": { - "height": 2825, + "height": 3115, "width": 1530, "x": 50, "y": 50 diff --git a/Packs/DuoAdminApi/pack_metadata.json b/Packs/DuoAdminApi/pack_metadata.json index 9916b1b8e293..cbbecc05209b 100644 --- a/Packs/DuoAdminApi/pack_metadata.json +++ b/Packs/DuoAdminApi/pack_metadata.json @@ -2,7 +2,7 @@ "name": "DUO Admin", "description": "DUO for admins.\nMust have access to the admin api in order to use this", "support": "xsoar", - "currentVersion": "4.0.19", + "currentVersion": "4.0.20", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/ExpanseV2/Integrations/ExpanseV2/ExpanseV2.yml b/Packs/ExpanseV2/Integrations/ExpanseV2/ExpanseV2.yml index 17e8140c9694..f66923226491 100644 --- a/Packs/ExpanseV2/Integrations/ExpanseV2/ExpanseV2.yml +++ b/Packs/ExpanseV2/Integrations/ExpanseV2/ExpanseV2.yml 
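Review bot: New task 49 sends `'#default#'` to `"43"` (the done title), so when either user's auth_logs is empty the comparison in task 45 never runs and the test playbook ends successfully — the empty-logs case passes vacuously instead of failing. Routing the default branch to an error task (task 46 exists but its message is about identical logs, so a separate `Print Error` task with a message about empty logs is clearer) turns that into a reported failure. The two conditions in task 49 also mix value forms, `complex: root: DuoAdmin` / `accessor: UserDetails.[0].auth_logs.[0]` against `simple: DuoAdmin.UserDetails.[2].auth_logs`; one form for both reads better. Task 50 has only a `"yes"` branch, so a missing auth_logs key leaves it with no matching branch rather than an explicit failure.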
@@ -186,8 +186,10 @@ configuration: section: Collect advanced: true required: false -description: The Xpanse integration for Cortex XSOAR leverages the Expander API to create incidents from Xpanse issues. It also leverages Xpanse's unparalleled view of the Internet to enrich IPs, domains and certificates using information from assets discovered by Xpanse Expander and risky flows detected by Xpanse Behavior. -display: Cortex Xpanse Legacy +description: Deprecated. Use Cortex Xpanse integration instead. > + The Xpanse integration for Cortex XSOAR leverages the Expander API to create incidents from Cortex Xpanse issues. It also leverages Cortex Xpanse's unparalleled view of the Internet to enrich IPs, domains and certificates using information from assets discovered by Cortex Xpanse Expander and risky flows detected by Cortex Xpanse Behavior. +deprecated: true +display: Cortex Xpanse Legacy (Deprecated) name: ExpanseV2 script: commands: diff --git a/Packs/ExpanseV2/Integrations/FeedExpanse/FeedExpanse.yml b/Packs/ExpanseV2/Integrations/FeedExpanse/FeedExpanse.yml index 65a64a76a527..48a1550e2f30 100644 --- a/Packs/ExpanseV2/Integrations/FeedExpanse/FeedExpanse.yml +++ b/Packs/ExpanseV2/Integrations/FeedExpanse/FeedExpanse.yml @@ -1,10 +1,12 @@ commonfields: id: FeedExpanse version: -1 -display: Expanse Expander Feed +display: Expanse Expander Feed (Deprecated) +deprecated: true name: FeedExpanse category: Data Enrichment & Threat Intelligence -description: Use this feed to retrieve the discovered IPs/Domains/Certificates from Expanse Expander asset database. +description: Deprecated. Use Xpanse Feed integration instead. > + Use this feed to retrieve the discovered IPs/Domains/Certificates from Expanse Expander asset database. configuration: - defaultvalue: https://expander.expanse.co display: Your server URL 
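Review bot: In the new `description:` of ExpanseV2.yml the `>` after `instead.` is not a folded-block indicator — YAML only recognizes `>` directly after the colon — so it is literal text, and the indented continuation folds onto it as a plain multi-line scalar, giving a rendered description of the form `Deprecated. Use Cortex Xpanse integration instead. > The Xpanse integration for Cortex XSOAR ...`. The same pattern is used in FeedExpanse.yml on this line, in playbook-Expanse_Find_Cloud_IP_Address_Region_and_Service.yml (where it sits inside a single-quoted scalar, so it is certainly literal there), and in the `comment:` of ExpanseAggregateAttributionCI.yml. Unless the content validator depends on this exact form, either drop the `>` or write a proper block scalar: `description: >-` on its own line, with `Deprecated. Use Cortex Xpanse integration instead.` and the original text on indented lines beneath it. Indentation is lost in this rendering of the diff, so the continuation's exact nesting is inferred.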
diff --git a/Packs/ExpanseV2/Playbooks/playbook-Expanse_Attribution.yml b/Packs/ExpanseV2/Playbooks/playbook-Expanse_Attribution.yml index 1064ec8e233b..d430892d4857 100644 --- a/Packs/ExpanseV2/Playbooks/playbook-Expanse_Attribution.yml +++ b/Packs/ExpanseV2/Playbooks/playbook-Expanse_Attribution.yml @@ -1,7 +1,9 @@ id: Expanse Attribution version: -1 name: Expanse Attribution +deprecated: true description: | + Deprecated. No available replacement. Subplaybook for Handle Expanse Incident playbooks. Given an Expanse Issue IP, Issue Provider, Issue Domain, Issue Port and Issue Protocol hunts for internal activity related to the detected service. The playbook looks for logs on Splunk, Cortex Data Lake, Panorama, and ServiceNow CMDB. diff --git a/Packs/ExpanseV2/Playbooks/playbook-Expanse_Enrich_Cloud_Assets.yml b/Packs/ExpanseV2/Playbooks/playbook-Expanse_Enrich_Cloud_Assets.yml index d40023d47f4b..f1f9e2d0d584 100644 --- a/Packs/ExpanseV2/Playbooks/playbook-Expanse_Enrich_Cloud_Assets.yml +++ b/Packs/ExpanseV2/Playbooks/playbook-Expanse_Enrich_Cloud_Assets.yml @@ -3,7 +3,9 @@ version: -1 contentitemexportablefields: contentitemfields: {} name: Expanse Enrich Cloud Assets +deprecated: true description: |- + Deprecated. No available replacement. Subplaybook for Handle Expanse Incident playbooks. This Playbook is meant to be used as a subplaybook to enrich Public Cloud Assets (i.e. IP addresses and FQDNs) by: - Searching the corresponding Region and Service by correlating the provided IPs with IP range feeds retrieved from Public Cloud Providers (require TIM and Public Cloud feeds such as AWS Feed integrations to be enabled). diff --git a/Packs/ExpanseV2/Playbooks/playbook-Expanse_Find_Cloud_IP_Address_Region_and_Service.yml b/Packs/ExpanseV2/Playbooks/playbook-Expanse_Find_Cloud_IP_Address_Region_and_Service.yml index 40d0592e40d6..009139f5329b 100644 --- a/Packs/ExpanseV2/Playbooks/playbook-Expanse_Find_Cloud_IP_Address_Region_and_Service.yml 
+++ b/Packs/ExpanseV2/Playbooks/playbook-Expanse_Find_Cloud_IP_Address_Region_and_Service.yml @@ -3,7 +3,9 @@ version: -1 contentitemexportablefields: contentitemfields: {} name: Expanse Find Cloud IP Address Region and Service -description: 'Subplaybook for Expanse Enrich Cloud Assets subplaybook. This playbook +deprecated: true +description: 'Deprecated. No available replacement. > + Sub-playbook for Expanse Enrich Cloud Assets sub-playbook. This playbook is used to find the corresponding Public Cloud Region (i.e. AWS us-east-1) and Service (i.e. AWS EC2) for a provided IP Address. It works by correlating the provided IP address with the IP Range Indicators (CIDRs) that can be collected from Public Cloud diff --git a/Packs/ExpanseV2/Playbooks/playbook-Expanse_Load_Create_List.yml b/Packs/ExpanseV2/Playbooks/playbook-Expanse_Load_Create_List.yml index dc8f2e989bd7..e8b7b30c0542 100644 --- a/Packs/ExpanseV2/Playbooks/playbook-Expanse_Load_Create_List.yml +++ b/Packs/ExpanseV2/Playbooks/playbook-Expanse_Load_Create_List.yml @@ -3,7 +3,9 @@ version: -1 contentitemexportablefields: contentitemfields: {} name: Expanse Load-Create List +deprecated: true description: | + Deprecated. No available replacement. Sub-playbook to support Expanse Handle Incident playbook. Loads a list to be used in the Expanse playbook. Creates the list if it does not exist. diff --git a/Packs/ExpanseV2/Playbooks/playbook-Expanse_Unmanaged_Cloud.yml b/Packs/ExpanseV2/Playbooks/playbook-Expanse_Unmanaged_Cloud.yml index 46a79c323653..6bea9e91dd70 100644 --- a/Packs/ExpanseV2/Playbooks/playbook-Expanse_Unmanaged_Cloud.yml +++ b/Packs/ExpanseV2/Playbooks/playbook-Expanse_Unmanaged_Cloud.yml @@ -1,7 +1,9 @@ id: Expanse Unmanaged Cloud version: -1 name: Expanse Unmanaged Cloud +deprecated: true description: | + Deprecated. No available replacement. Subplaybook for bringing rogue cloud accounts under management. starttaskid: "0" tasks: 
diff --git a/Packs/ExpanseV2/Playbooks/playbook-Expanse_VM_Enrich.yml b/Packs/ExpanseV2/Playbooks/playbook-Expanse_VM_Enrich.yml index b49c8ce8e9d8..013f4153804c 100644 --- a/Packs/ExpanseV2/Playbooks/playbook-Expanse_VM_Enrich.yml +++ b/Packs/ExpanseV2/Playbooks/playbook-Expanse_VM_Enrich.yml @@ -1,7 +1,9 @@ id: Expanse VM Enrich version: -1 name: Expanse VM Enrich +deprecated: true description: | + Deprecated. No available replacement. This Playbook is used to verify that all assets found by Expanse are being scanned by a vulnerability management tool by: - Searching the IP and / or domain of the identified Expanse asset in the vulnerability management tool This playbook expects an incident with an IP or a Domain to exist in the context. diff --git a/Packs/ExpanseV2/Playbooks/playbook-Extract_and_Enrich_Expanse_Indicators.yml b/Packs/ExpanseV2/Playbooks/playbook-Extract_and_Enrich_Expanse_Indicators.yml index 74468f258c45..3b64fe48b051 100644 --- a/Packs/ExpanseV2/Playbooks/playbook-Extract_and_Enrich_Expanse_Indicators.yml +++ b/Packs/ExpanseV2/Playbooks/playbook-Extract_and_Enrich_Expanse_Indicators.yml @@ -3,11 +3,13 @@ version: -1 contentitemexportablefields: contentitemfields: {} name: Extract and Enrich Expanse Indicators +deprecated: true description: |2- + Deprecated. No available replacement. Subplaybook for Handle Expanse Incident playbooks. Extract and Enrich Indicators (CIDRs, IPs, Certificates, Domains and DomainGlobs) from Expanse Incidents. Enrichment is performed via enrichIndicators command and generic playbooks. - Returns the enriched indicators. + Returns the enriched indicators. starttaskid: "0" tasks: "0": diff --git a/Packs/ExpanseV2/Playbooks/playbook-Handle_Expanse_Incident.yml b/Packs/ExpanseV2/Playbooks/playbook-Handle_Expanse_Incident.yml index 096c39dc2cf3..9f8dad8ca3d3 100644 --- a/Packs/ExpanseV2/Playbooks/playbook-Handle_Expanse_Incident.yml +++ b/Packs/ExpanseV2/Playbooks/playbook-Handle_Expanse_Incident.yml 
@@ -3,9 +3,10 @@ version: -1 contentitemexportablefields: contentitemfields: {} name: Handle Expanse Incident +deprecated: true description: |- + Deprecated. No available replacement. Main Playbook to Handle Expanse Incidents. - There are several phases: 1. Enrichment: all the related information from the incident is extracted, and related indicators (IP, CIDR, Domain, DomainGlob, Certificate) are created and enriched. 2. Validation: the found IP and FQDN are correlated with the information available in other products: diff --git a/Packs/ExpanseV2/Playbooks/playbook-Handle_Expanse_Incident_-_Attribution_Only.yml b/Packs/ExpanseV2/Playbooks/playbook-Handle_Expanse_Incident_-_Attribution_Only.yml index 71ff79cf7a2c..0c341b341b91 100644 --- a/Packs/ExpanseV2/Playbooks/playbook-Handle_Expanse_Incident_-_Attribution_Only.yml +++ b/Packs/ExpanseV2/Playbooks/playbook-Handle_Expanse_Incident_-_Attribution_Only.yml @@ -3,7 +3,9 @@ version: -1 contentitemexportablefields: contentitemfields: {} name: Handle Expanse Incident - Attribution Only +deprecated: true description: |2- + Deprecated. No available replacement. Shorter version of Handle Expanse Incident playbook with only the Attribution part. There are several phases: diff --git a/Packs/ExpanseV2/Playbooks/playbook-NSA_-_5_Security_Vulnerabilities_Under_Active_Nation-State_Attack.yml b/Packs/ExpanseV2/Playbooks/playbook-NSA_-_5_Security_Vulnerabilities_Under_Active_Nation-State_Attack.yml index 6eaca64dba76..751941287c90 100644 --- a/Packs/ExpanseV2/Playbooks/playbook-NSA_-_5_Security_Vulnerabilities_Under_Active_Nation-State_Attack.yml +++ b/Packs/ExpanseV2/Playbooks/playbook-NSA_-_5_Security_Vulnerabilities_Under_Active_Nation-State_Attack.yml 
@@ -1,7 +1,9 @@ id: NSA - 5 Security Vulnerabilities Under Active Nation-State Attack version: -1 name: NSA - 5 Security Vulnerabilities Under Active Nation-State Attack -description: "Russian Foreign Intelligence Service (SVR) actors (also known as APT29,\ +deprecated: true +description: "Deprecated. No available replacement. \ + \ Russian Foreign Intelligence Service (SVR) actors (also known as APT29,\ \ Cozy Bear, and The Dukes) frequently use publicly known vulnerabilities to conduct\ \ widespread scanning and exploitation.\nThis playbook should be trigger manually\ \ and includes the following tasks:\n- Enrich related known CVEs reported in the US agencies alert.\n\ diff --git a/Packs/ExpanseV2/Playbooks/playbook-Xpanse_Incident_Handling_-_Generic.yml b/Packs/ExpanseV2/Playbooks/playbook-Xpanse_Incident_Handling_-_Generic.yml index a25d9216c2ad..914342b5d05b 100644 --- a/Packs/ExpanseV2/Playbooks/playbook-Xpanse_Incident_Handling_-_Generic.yml +++ b/Packs/ExpanseV2/Playbooks/playbook-Xpanse_Incident_Handling_-_Generic.yml @@ -3,7 +3,9 @@ version: -1 contentitemexportablefields: contentitemfields: {} name: Xpanse Incident Handling - Generic +deprecated: true description: |- + Deprecated. Use Xpanse - Alert Handler playbook instead. A generic playbook for handling Xpanse issues. The logic behind this playbook is to work with an internal exclusions list which will help the analyst to get to a decision or, if configured, close incidents automatically. The phases of this playbook are: diff --git a/Packs/ExpanseV2/ReleaseNotes/1_10_57.md b/Packs/ExpanseV2/ReleaseNotes/1_10_57.md new file mode 100644 index 000000000000..5172d589befc --- /dev/null +++ b/Packs/ExpanseV2/ReleaseNotes/1_10_57.md 
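Review bot: The deprecation text added here for Xpanse Incident Handling - Generic, `Deprecated. Use Xpanse - Alert Handler playbook instead.`, disagrees with the new release note 1_10_57.md, which lists that playbook as "No available replacement" and instead gives the Alert Handler as the replacement for Handle Expanse Incident — whose yml in the earlier hunk says `Deprecated. No available replacement.`. The two user-facing texts should agree; if the yml descriptions are authoritative, the two release-note entries need to be swapped, otherwise the two yml descriptions do.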
@@ -0,0 +1,97 @@ +#### Integrations + +##### Cortex Xpanse Legacy (Deprecated) + +Deprecated. Use [Cortex Xpanse](https://xsoar.pan.dev/docs/reference/integrations/cortex-xpanse) integration instead. + +##### Expanse Expander Feed (Deprecated) + +Deprecated. Use [Xpanse Feed](https://xsoar.pan.dev/docs/reference/integrations/xpanse-feed) integration instead. + +#### Scripts + +##### ExpanseAggregateAttributionCI + +Deprecated. No available replacement. + +##### ExpanseAggregateAttributionDevice + +Deprecated. No available replacement. + +##### ExpanseAggregateAttributionIP + +Deprecated. No available replacement. + +##### ExpanseAggregateAttributionUser + +Deprecated. No available replacement. + +##### ExpanseEnrichAttribution + +Deprecated. No available replacement. + +##### ExpanseEvidenceDynamicSection + +Deprecated. No available replacement. + +##### ExpanseGenerateIssueMapWidgetScript + +Deprecated. No available replacement. + +##### ExpansePrintSuggestions + +Deprecated. No available replacement. + +##### ExpanseRefreshIssueAssets + +Deprecated. No available replacement. + +##### MatchIPinCIDRIndicators + +Deprecated. No available replacement. + +#### Playbooks + +##### Expanse Load-Create List + +Deprecated. No available replacement. + +##### Handle Expanse Incident - Attribution Only + +Deprecated. No available replacement. + +##### NSA - 5 Security Vulnerabilities Under Active Nation-State Attack + +Deprecated. No available replacement. + +##### Xpanse Incident Handling - Generic + +Deprecated. No available replacement. + +##### Expanse Attribution + +Deprecated. No available replacement. + +##### Expanse Enrich Cloud Assets + +Deprecated. No available replacement. + +##### Expanse Find Cloud IP Address Region and Service + +Deprecated. No available replacement. + +##### Expanse Unmanaged Cloud + +Deprecated. No available replacement. + +##### Expanse VM Enrich + +Deprecated. No available replacement. 
+ +##### Extract and Enrich Expanse Indicators + +Deprecated. No available replacement. + +##### Handle Expanse Incident + +Deprecated. Use [Xpanse - Alert Handler](https://xsoar.pan.dev/docs/reference/playbooks/xpanse---alert-handler) playbook. \ No newline at end of file diff --git a/Packs/ExpanseV2/ReleaseNotes/1_10_58.md b/Packs/ExpanseV2/ReleaseNotes/1_10_58.md new file mode 100644 index 000000000000..abc06b83d18f --- /dev/null +++ b/Packs/ExpanseV2/ReleaseNotes/1_10_58.md @@ -0,0 +1,5 @@ + +#### Scripts + +##### ExpanseGenerateIssueMapWidgetScript +Updated the Docker image to: *demisto/chromium:126.0.6478.103218*. diff --git a/Packs/ExpanseV2/Scripts/ExpanseAggregateAttributionCI/ExpanseAggregateAttributionCI.yml b/Packs/ExpanseV2/Scripts/ExpanseAggregateAttributionCI/ExpanseAggregateAttributionCI.yml index ce53d5f33746..6c88f642b533 100644 --- a/Packs/ExpanseV2/Scripts/ExpanseAggregateAttributionCI/ExpanseAggregateAttributionCI.yml +++ b/Packs/ExpanseV2/Scripts/ExpanseAggregateAttributionCI/ExpanseAggregateAttributionCI.yml @@ -1,5 +1,7 @@ name: ExpanseAggregateAttributionCI -comment: Aggregate entries from ServiceNow CMDB into AttributionCI. +comment: Deprecated. No available replacement. > + Aggregate entries from ServiceNow CMDB into AttributionCI. +deprecated: true commonfields: id: ExpanseAggregateAttributionCI version: -1 diff --git a/Packs/ExpanseV2/Scripts/ExpanseAggregateAttributionDevice/ExpanseAggregateAttributionDevice.yml b/Packs/ExpanseV2/Scripts/ExpanseAggregateAttributionDevice/ExpanseAggregateAttributionDevice.yml index 19d976298fe2..6e3419f3f63c 100644 --- a/Packs/ExpanseV2/Scripts/ExpanseAggregateAttributionDevice/ExpanseAggregateAttributionDevice.yml +++ b/Packs/ExpanseV2/Scripts/ExpanseAggregateAttributionDevice/ExpanseAggregateAttributionDevice.yml 
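Review bot: `comment: Deprecated. No available replacement. >` does not open a folded block scalar, because a block indicator has to be the first character of the value; the `>` is literal text and the indented next line is folded into a multi-line plain scalar, so the comment the product displays is `Deprecated. No available replacement. > Aggregate entries from ServiceNow CMDB into AttributionCI.`. Put the indicator first and the sentence inside the block: `comment: >-` / `  Deprecated. No available replacement.` / `  Aggregate entries from ServiceNow CMDB into AttributionCI.`. The same pattern is repeated in the ExpanseAggregateAttributionDevice, ExpanseAggregateAttributionIP, ExpanseAggregateAttributionUser, ExpanseEnrichAttribution, ExpanseEvidenceDynamicSection, ExpansePrintSuggestions, ExpanseRefreshIssueAssets and MatchIPinCIDRIndicators hunks. For ExpanseEnrichAttribution and ExpanseRefreshIssueAssets the edit also turns what was a proper `comment: >` folded scalar into a plain one, which would become a parse error the moment a later edit adds `: ` or ` #` to those lines.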
@@ -1,5 +1,7 @@ name: ExpanseAggregateAttributionDevice -comment: Aggregate entries from multiple sources into AttributionDevice. +comment: Deprecated. No available replacement. > + Aggregate entries from multiple sources into AttributionDevice. +deprecated: true commonfields: id: ExpanseAggregateAttributionDevice version: -1 diff --git a/Packs/ExpanseV2/Scripts/ExpanseAggregateAttributionIP/ExpanseAggregateAttributionIP.yml b/Packs/ExpanseV2/Scripts/ExpanseAggregateAttributionIP/ExpanseAggregateAttributionIP.yml index 277dbc6d7ab2..101273e58dd8 100644 --- a/Packs/ExpanseV2/Scripts/ExpanseAggregateAttributionIP/ExpanseAggregateAttributionIP.yml +++ b/Packs/ExpanseV2/Scripts/ExpanseAggregateAttributionIP/ExpanseAggregateAttributionIP.yml @@ -1,5 +1,7 @@ name: ExpanseAggregateAttributionIP -comment: Aggregate entries from multiple sources into AttributionIP. +comment: Deprecated. No available replacement. > + Aggregate entries from multiple sources into AttributionIP. +deprecated: true commonfields: id: ExpanseAggregateAttributionIP version: -1 diff --git a/Packs/ExpanseV2/Scripts/ExpanseAggregateAttributionUser/ExpanseAggregateAttributionUser.yml b/Packs/ExpanseV2/Scripts/ExpanseAggregateAttributionUser/ExpanseAggregateAttributionUser.yml index 0c6777ef8455..8d4206bada45 100644 --- a/Packs/ExpanseV2/Scripts/ExpanseAggregateAttributionUser/ExpanseAggregateAttributionUser.yml +++ b/Packs/ExpanseV2/Scripts/ExpanseAggregateAttributionUser/ExpanseAggregateAttributionUser.yml @@ -1,5 +1,7 @@ name: ExpanseAggregateAttributionUser -comment: Aggregate entries from multiple sources into AttributionUser. +comment: Deprecated. No available replacement. > + Aggregate entries from multiple sources into AttributionUser. +deprecated: true commonfields: id: ExpanseAggregateAttributionUser version: -1 
diff --git a/Packs/ExpanseV2/Scripts/ExpanseEnrichAttribution/ExpanseEnrichAttribution.yml b/Packs/ExpanseV2/Scripts/ExpanseEnrichAttribution/ExpanseEnrichAttribution.yml index 39c9725cbe79..3693cffd8859 100644 --- a/Packs/ExpanseV2/Scripts/ExpanseEnrichAttribution/ExpanseEnrichAttribution.yml +++ b/Packs/ExpanseV2/Scripts/ExpanseEnrichAttribution/ExpanseEnrichAttribution.yml @@ -20,9 +20,10 @@ args: - name: enrich_fields description: comma separated list of fields to take enrichment details from required: true -comment: > +comment: Deprecated. No available replacement. > This script can be used to enrich context generated by ExpanseAggregateAttribution* scripts with additional details +deprecated: true commonfields: id: ExpanseEnrichAttribution version: -1 diff --git a/Packs/ExpanseV2/Scripts/ExpanseEvidenceDynamicSection/ExpanseEvidenceDynamicSection.yml b/Packs/ExpanseV2/Scripts/ExpanseEvidenceDynamicSection/ExpanseEvidenceDynamicSection.yml index 7fcb6a497e79..293603f725b4 100644 --- a/Packs/ExpanseV2/Scripts/ExpanseEvidenceDynamicSection/ExpanseEvidenceDynamicSection.yml +++ b/Packs/ExpanseV2/Scripts/ExpanseEvidenceDynamicSection/ExpanseEvidenceDynamicSection.yml @@ -4,7 +4,9 @@ commonfields: dockerimage: demisto/python3:3.10.13.83255 enabled: true name: ExpanseEvidenceDynamicSection -comment: Dynamic Section script used in Expanse Issue layout to display the Latest Evidence structure. +comment: Deprecated. No available replacement. > + Dynamic Section script used in Expanse Issue layout to display the Latest Evidence structure. +deprecated: true runas: DBotWeakRole script: '' scripttarget: 0 diff --git a/Packs/ExpanseV2/Scripts/ExpanseGenerateIssueMapWidgetScript/ExpanseGenerateIssueMapWidgetScript.yml b/Packs/ExpanseV2/Scripts/ExpanseGenerateIssueMapWidgetScript/ExpanseGenerateIssueMapWidgetScript.yml index 4fdf241fe138..b86a3006e060 100644 --- a/Packs/ExpanseV2/Scripts/ExpanseGenerateIssueMapWidgetScript/ExpanseGenerateIssueMapWidgetScript.yml 
+++ b/Packs/ExpanseV2/Scripts/ExpanseGenerateIssueMapWidgetScript/ExpanseGenerateIssueMapWidgetScript.yml @@ -4,16 +4,17 @@ args: - description: The start date for searching incidents. name: from comment: |- + Deprecated. No available replacement. This widget script generates a map of the Open Expanse Issue Incidents with provider On Prem. The map is generated as a static PNG file embedded in Markdown. - This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations +deprecated: true commonfields: id: ExpanseGenerateIssueMapWidgetScript version: -1 -dockerimage: demisto/chromium:127.0.6533.105883 +dockerimage: demisto/chromium:126.0.6478.103218 enabled: true name: ExpanseGenerateIssueMapWidgetScript script: '-' diff --git a/Packs/ExpanseV2/Scripts/ExpansePrintSuggestions/ExpansePrintSuggestions.yml b/Packs/ExpanseV2/Scripts/ExpansePrintSuggestions/ExpansePrintSuggestions.yml index 2a63f322d8fc..93a81146bffa 100644 --- a/Packs/ExpanseV2/Scripts/ExpansePrintSuggestions/ExpansePrintSuggestions.yml +++ b/Packs/ExpanseV2/Scripts/ExpansePrintSuggestions/ExpansePrintSuggestions.yml @@ -37,7 +37,9 @@ args: - description: List of Expanse Business Units. isArray: true name: expanse_business_units -comment: Generates and prints a report in markdown format containing useful suggestions for the Analyst to attribute an Expanse Issue to an owner. +comment: Deprecated. No available replacement. > + Generates and prints a report in markdown format containing useful suggestions for the Analyst to attribute an Expanse Issue to an owner. +deprecated: true commonfields: id: ExpansePrintSuggestions version: -1 
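Review bot: The dockerimage line in this hunk moves from `demisto/chromium:127.0.6533.105883` to `demisto/chromium:126.0.6478.103218`, i.e. from a Chromium 127 build back to a Chromium 126 build, yet the release notes added here (ReleaseNotes/1_10_58.md) and for rasterize (ReleaseNotes/2_0_21.md) call it "Updated the Docker image". This is a rollback to an older browser major, which gives up whatever fixes the 127 image carried, and the same pin change appears in the rasterize.yml hunk. Record why the image is being reverted (presumably a regression in the 127 build) and say so in both release notes, e.g. `Reverted the Docker image to *demisto/chromium:126.0.6478.103218* pending <reason>`, so consumers know the pack is deliberately on the older build.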
diff --git a/Packs/ExpanseV2/Scripts/ExpanseRefreshIssueAssets/ExpanseRefreshIssueAssets.yml b/Packs/ExpanseV2/Scripts/ExpanseRefreshIssueAssets/ExpanseRefreshIssueAssets.yml index a77da657b2b8..1a43ae4506de 100644 --- a/Packs/ExpanseV2/Scripts/ExpanseRefreshIssueAssets/ExpanseRefreshIssueAssets.yml +++ b/Packs/ExpanseV2/Scripts/ExpanseRefreshIssueAssets/ExpanseRefreshIssueAssets.yml @@ -1,6 +1,7 @@ -comment: > +comment: Deprecated. No available replacement. > Script to refresh tags and attribution reasons of assets inside Expanse Issue. The script should be used inside the Expanse Issue incident context. +deprecated: true commonfields: id: ExpanseRefreshIssueAssets version: -1 diff --git a/Packs/ExpanseV2/Scripts/MatchIPinCIDRIndicators/MatchIPinCIDRIndicators.yml b/Packs/ExpanseV2/Scripts/MatchIPinCIDRIndicators/MatchIPinCIDRIndicators.yml index 2b80a524c243..420e21f8fbb1 100644 --- a/Packs/ExpanseV2/Scripts/MatchIPinCIDRIndicators/MatchIPinCIDRIndicators.yml +++ b/Packs/ExpanseV2/Scripts/MatchIPinCIDRIndicators/MatchIPinCIDRIndicators.yml @@ -5,7 +5,9 @@ args: - description: Tags to search (comma separated string). isArray: true name: tags -comment: Match provided IP address in all the Indicators of type CIDR with the provided tags (longest match). +comment: Deprecated. No available replacement. > + Match provided IP address in all the Indicators of type CIDR with the provided tags (longest match). +deprecated: true commonfields: id: MatchIPinCIDRIndicators version: -1 diff --git a/Packs/ExpanseV2/pack_metadata.json b/Packs/ExpanseV2/pack_metadata.json index d9b90d959c31..af0c88c5f6de 100644 --- a/Packs/ExpanseV2/pack_metadata.json +++ b/Packs/ExpanseV2/pack_metadata.json 
@@ -1,8 +1,9 @@ { - "name": "Cortex Xpanse by Palo Alto Networks", - "description": "Automate Attack Surface Management to identify Internet assets and quickly remediate misconfigurations with Expanse, a Palo Alto Networks company.", + "name": "Cortex Xpanse by Palo Alto Networks (Deprecated)", + "description": "Deprecated. Use Cortex Xpanse instead.", + "hidden": true, "support": "xsoar", - "currentVersion": "1.10.56", + "currentVersion": "1.10.58", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/Impartner/Integrations/Impartner/Impartner.py b/Packs/Impartner/Integrations/Impartner/Impartner.py index 9ba56a7bc0d3..c857e048eeef 100644 --- a/Packs/Impartner/Integrations/Impartner/Impartner.py +++ b/Packs/Impartner/Integrations/Impartner/Impartner.py @@ -119,7 +119,7 @@ def impartner_get_account_id_command(client: Client, args: Dict[str, Any]) -> Co else: context_result = {'name': parsed_result.get('name'), 'id': parsed_result.get('id'), 'link': parsed_result.get('recordLink'), - 'PST Engineer': parsed_result.get('tech_BD_Assigned_for_XSOAR__cf')} + 'tech_BD_Assigned_for_XSOAR__cf': parsed_result.get('tech_BD_Assigned_for_XSOAR__cf')} readable_list = {'name': parsed_result.get('name'), 'ID': parsed_result.get('id'), 'link': parsed_result.get('recordLink'), 'PST Engineer': parsed_result.get('tech_BD_Assigned_for_XSOAR__cf')} readable_output = tableToMarkdown('Account Details', readable_list, diff --git a/Packs/Impartner/Integrations/Impartner/Impartner_test.py b/Packs/Impartner/Integrations/Impartner/Impartner_test.py index ac6e00791c61..af96ebeb17f1 100644 --- a/Packs/Impartner/Integrations/Impartner/Impartner_test.py +++ b/Packs/Impartner/Integrations/Impartner/Impartner_test.py 
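Review bot: Renaming the context key from `'PST Engineer'` to `'tech_BD_Assigned_for_XSOAR__cf'` changes the output context path of **impartner-get-account-id**, so any playbook or automation that already reads the old path silently stops receiving a value, while the release note added in this change describes it as a fix rather than a breaking change. No update to the integration YAML's `outputs` entry for this field appears in the diff, so confirm the documented contextPath matches the new key, and consider keeping the old key alongside the new one for a release: `'tech_BD_Assigned_for_XSOAR__cf': parsed_result.get('tech_BD_Assigned_for_XSOAR__cf'),` followed by `'PST Engineer': parsed_result.get('tech_BD_Assigned_for_XSOAR__cf')}`. `impartner_get_account_id_command` begins before this hunk.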
@@ -48,7 +48,7 @@ def test_list_command(mocker): 'panW_Integration_Product__cf': ['test'], 'account_Integration_Status__cf': ['Integrations in Process'], 'accountTimeline': '2022-06-30T00:00:00'}), - ({'id': '1111', 'all_fields': 'FALSE'},{'PST Engineer': 'Edi', 'id': 11111111, + ({'id': '1111', 'all_fields': 'FALSE'},{'tech_BD_Assigned_for_XSOAR__cf': 'Edi', 'id': 11111111, 'link': 'https://prod.impartner.live/load/ACT/11111111', 'name': 'test_account'}) ] ) diff --git a/Packs/Impartner/ReleaseNotes/1_0_1.md b/Packs/Impartner/ReleaseNotes/1_0_1.md new file mode 100644 index 000000000000..fbd25a2db81c --- /dev/null +++ b/Packs/Impartner/ReleaseNotes/1_0_1.md @@ -0,0 +1,6 @@ + +#### Integrations + +##### Impartner + +- Fixed an issue where the context path of *assigned PST engineer* was incorrect in **impartner-get-account-id** command. diff --git a/Packs/Impartner/pack_metadata.json b/Packs/Impartner/pack_metadata.json index 7778776d7cfa..ecfb67b385d2 100644 --- a/Packs/Impartner/pack_metadata.json +++ b/Packs/Impartner/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Impartner", "description": "Pack for integrating Impartner - a company that specializes in providing Partner Relationship Management (PRM) solutions ", "support": "community", - "currentVersion": "1.0.0", + "currentVersion": "1.0.1", "author": "Edi Katsenelson", "url": "", "email": "", diff --git a/Packs/ML/ReleaseNotes/1_4_13.md b/Packs/ML/ReleaseNotes/1_4_13.md new file mode 100644 index 000000000000..0a6973e4b049 --- /dev/null +++ b/Packs/ML/ReleaseNotes/1_4_13.md @@ -0,0 +1,6 @@ + +#### Scripts + +##### DBotPredictOutOfTheBoxV2 + +- Updated the Docker image to: *demisto/ml:1.0.0.105874*. diff --git a/Packs/ML/Scripts/DBotPredictOutOfTheBoxV2/DBotPredictOutOfTheBoxV2.yml b/Packs/ML/Scripts/DBotPredictOutOfTheBoxV2/DBotPredictOutOfTheBoxV2.yml index e70a2643d104..41dbc5ce9dce 100644 --- a/Packs/ML/Scripts/DBotPredictOutOfTheBoxV2/DBotPredictOutOfTheBoxV2.yml 
+++ b/Packs/ML/Scripts/DBotPredictOutOfTheBoxV2/DBotPredictOutOfTheBoxV2.yml @@ -59,7 +59,7 @@ script: '-' subtype: python3 timeout: 60µs type: python -dockerimage: demisto/ml:1.0.0.103517 +dockerimage: demisto/ml:1.0.0.105874 tests: - DbotPredictOufOfTheBoxTestV2 - VerifyOOBV2Predictions-Test diff --git a/Packs/ML/pack_metadata.json b/Packs/ML/pack_metadata.json index 850923df3c91..36c3a2db97b8 100644 --- a/Packs/ML/pack_metadata.json +++ b/Packs/ML/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Machine Learning", "description": "Help to manage machine learning models in Cortex XSOAR", "support": "xsoar", - "currentVersion": "1.4.12", + "currentVersion": "1.4.13", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/Office365/ModelingRules/Office365/Office365.xif b/Packs/Office365/ModelingRules/Office365/Office365.xif index 6d495b205bee..ed7855a23b1c 100644 --- a/Packs/Office365/ModelingRules/Office365/Office365.xif +++ b/Packs/Office365/ModelingRules/Office365/Office365.xif @@ -64,7 +64,7 @@ call o365_common_fields xdm.source.ipv6 = src_ip_v6, xdm.target.file.size = FileSize, xdm.email.return_path = p1sender, - xdm.email.message_id = coalesce(NetworkMessageId, messageid, internetmessageid), + xdm.email.message_id = coalesce(NetworkMessageId, to_string(messageid), internetmessageid), xdm.target.file.file_type = FileType, xdm.target.file.sha256 = `sha256`, xdm.event.outcome = if(EnforcementMode = 1, XDM_CONST.OUTCOME_UNKNOWN, to_string(EnforcementMode) ~= "2|3", XDM_CONST.OUTCOME_PARTIAL, EnforcementMode = 4, XDM_CONST.OUTCOME_FAILED, EnforcementMode = 5, XDM_CONST.OUTCOME_SUCCESS, ResultStatus = "Succeeded", XDM_CONST.OUTCOME_SUCCESS, ResultStatus = "PartiallySucceeded", XDM_CONST.OUTCOME_PARTIAL, ResultStatus = "Failed", XDM_CONST.OUTCOME_FAILED, ResultStatus ~= "[Tt]rue", XDM_CONST.OUTCOME_SUCCESS, ResultStatus ~= "[Ff]alse", XDM_CONST.OUTCOME_FAILED), 
@@ -79,7 +79,7 @@ call o365_common_fields xdm.target.user.identifier = targetyammeruserid, xdm.alert.original_threat_name = replex(ThreatsAndDetectionTech, "[\"\[\]]", ""), xdm.target.url = url, - xdm.network.http.url = coalesce(requestsource, eventdeeplink, deeplinkurl), + xdm.network.http.url = coalesce(eventdeeplink, deeplinkurl), xdm.source.process.name = if(Application ~= "\.[Ee][Xx][Ee]", Application), xdm.observer.type = coalesce(sourceworkload_name, Source, Workload); diff --git a/Packs/Office365/ModelingRules/Office365/Office365_schema.json b/Packs/Office365/ModelingRules/Office365/Office365_schema.json index fbfdbfa65fe8..b54721ef0e08 100644 --- a/Packs/Office365/ModelingRules/Office365/Office365_schema.json +++ b/Packs/Office365/ModelingRules/Office365/Office365_schema.json @@ -276,10 +276,6 @@ "type": "string", "is_array": false }, - "requestsource": { - "type": "string", - "is_array": false - }, "eventdeeplink": { "type": "string", "is_array": false diff --git a/Packs/Office365/ReleaseNotes/1_0_2.md b/Packs/Office365/ReleaseNotes/1_0_2.md new file mode 100644 index 000000000000..49e6a966e408 --- /dev/null +++ b/Packs/Office365/ReleaseNotes/1_0_2.md @@ -0,0 +1,6 @@ + +#### Modeling Rules + +##### Office 365 Modeling Rule + +Updated the Modeling Rules, fixed an issue with incompatible data type comparisons. diff --git a/Packs/Office365/pack_metadata.json b/Packs/Office365/pack_metadata.json index 59f4520abc31..fe3fc2007087 100644 --- a/Packs/Office365/pack_metadata.json +++ b/Packs/Office365/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Office 365", "description": "The product family of productivity and collaboration cloud based softwares owned by Microsoft.", "support": "xsoar", - "currentVersion": "1.0.1", + "currentVersion": "1.0.2", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", 
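Review bot: Dropping `requestsource` from `xdm.network.http.url = coalesce(eventdeeplink, deeplinkurl)` (and from the schema) means events whose only URL is in `requestsource` no longer populate `xdm.network.http.url`, a field detection content commonly keys on, whereas the previous hunk handled the same kind of type mismatch for `messageid` by converting it: `coalesce(NetworkMessageId, to_string(messageid), internetmessageid)`. If the problem with `requestsource` was a non-string type rather than the field never being present, `xdm.network.http.url = coalesce(to_string(requestsource), eventdeeplink, deeplinkurl),` keeps the mapping. If the field genuinely never appears in the data, the release note should say that, since it currently only mentions "incompatible data type comparisons".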
diff --git a/Packs/PhishingURL/ReleaseNotes/1_1_18.md b/Packs/PhishingURL/ReleaseNotes/1_1_18.md new file mode 100644 index 000000000000..d3ea27987d7a --- /dev/null +++ b/Packs/PhishingURL/ReleaseNotes/1_1_18.md @@ -0,0 +1,7 @@ + +#### Scripts + +##### DBotPredictURLPhishing + +- Added the new argument `defaultRequestProtocol` (default value http). This will be the default protocol used for URLs supplied with no explicit schema. This argument affects the http requests sent by this script, it has no effect to scripts called through executeCommand (rasterize, whois). + diff --git a/Packs/PhishingURL/Scripts/DBotPredictURLPhishing/DBotPredictURLPhishing.py b/Packs/PhishingURL/Scripts/DBotPredictURLPhishing/DBotPredictURLPhishing.py index 968f89a45f44..f7d60edc259b 100644 --- a/Packs/PhishingURL/Scripts/DBotPredictURLPhishing/DBotPredictURLPhishing.py +++ b/Packs/PhishingURL/Scripts/DBotPredictURLPhishing/DBotPredictURLPhishing.py @@ -113,7 +113,31 @@ TIMEOUT_RASTERIZE = 120 -def load_demisto_model(): +class Model: + '''Abstract class that represents the class of the built-in phishing model.''' + + clf: Any # sklearn.pipeline.Pipeline + custom_logo_associated_domain: dict + debug: bool + df_voc: dict + features: list + fields_prediction: list + heuristic_html: bool + heuristic_image: bool + heuristic_url: bool + logos_dict: dict + major: int + minor: int + path_logos: str + path_voc: str + top_domains: dict + top_domains_path: str + + def predict(self, x_pred: pd.DataFrame) -> dict: + pass + + +def load_demisto_model() -> Model: """ Return model data saved in demisto (string of encoded base 64) :param model_name: name of the model to load from demisto 
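Review bot: `Model` is documented as abstract but is a plain class whose `predict` silently returns `None`, so an instance created by mistake yields `None` where a `dict` is annotated instead of failing; if the class exists only as a typing target, `class Model(Protocol):` (typing.Protocol) states that intent, otherwise `predict` should `raise NotImplementedError`. Separately, the `load_demisto_model` docstring still documents a `:param model_name:` that the function does not take; drop that line. `load_demisto_model`'s body continues past the hunk.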
@@ -126,16 +150,16 @@ def load_demisto_model(): return decode_model_data(res_model['Contents']['modelData']) -def decode_model_data(model_data: str): +def decode_model_data(model_data: str) -> Model: """ Decode the base 64 version of the model :param model_data: string of the encoded based 64 model :return: Model """ - return dill.loads(base64.b64decode(model_data.encode('utf-8'))) # guardrails-disable-line + return cast(Model, dill.loads(base64.b64decode(model_data.encode('utf-8')))) # guardrails-disable-line -def load_oob(path=OUT_OF_THE_BOX_MODEL_PATH): +def load_oob(path: str = OUT_OF_THE_BOX_MODEL_PATH) -> bytes: """ Load pickle model from the docker :param path: path of the model saved in the docker @@ -145,12 +169,12 @@ def load_oob(path=OUT_OF_THE_BOX_MODEL_PATH): return base64.b64encode(f.read()) -def load_model_from_docker(path=OUT_OF_THE_BOX_MODEL_PATH): +def load_model_from_docker(path: str = OUT_OF_THE_BOX_MODEL_PATH) -> Model: with open(path, 'rb') as f: - return dill.load(f) # guardrails-disable-line + return cast(Model, dill.load(f)) # guardrails-disable-line -def load_oob_model(path: str): +def load_oob_model(path: str) -> str: """ Load and save model from the model in the docker :return: None @@ -188,7 +212,7 @@ def oob_model_exists_and_updated() -> tuple[bool, int, int, str]: return True, existing_model_version_major, existing_model_version_minor, model_data -def image_from_base64_to_bytes(base64_message: str): +def image_from_base64_to_bytes(base64_message: str) -> bytes: """ Transform image from base64 string into bytes :param base64_message: 
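Review bot: `cast(Model, dill.loads(...))` and, in the hunk below, `cast(Model, dill.load(f))` only satisfy the type checker; nothing at runtime confirms that the blob stored under the model name or the file at `path` is the object the rest of the script assumes, and both loads already carry `guardrails-disable-line` precisely because deserialising with dill runs code from the blob. A cheap post-load check turns a corrupted or mismatched model into a clear error instead of an AttributeError deep in prediction: after each load, `if not callable(getattr(model, 'predict', None)): raise DemistoException('loaded object is not a phishing model')`. It would also be worth a one-line comment on `decode_model_data` stating where the model data comes from and why it is trusted.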
@@ -197,12 +221,12 @@ def image_from_base64_to_bytes(base64_message: str): return base64.b64decode(base64_message.encode('utf-8')) -def extract_domainv2(url): +def extract_domainv2(url: str) -> str: ext = no_fetch_extract(url) return ext.domain + "." + ext.suffix -def in_white_list(model, url: str) -> bool: +def in_white_list(model: Model, url: str) -> bool: """ Check if url belongs to the Model whitelist :param model: model which contains top_domains attribute @@ -259,7 +283,7 @@ def prepend_protocol(url: str, protocol: str, www: bool = True) -> str: def return_entry_summary( pred_json: dict, url: str, is_white_listed: bool, output_rasterize: dict, verdict: str, reliability: str = DBotScoreReliability.A_PLUS, **_ -): +) -> Optional[dict[str, Any]]: """ Return entry to demisto :param pred_json: json with output of the model @@ -339,7 +363,7 @@ def return_entry_summary( return explain -def return_entry_white_list(url): +def return_entry_white_list(url: str): """ Create syntethci entry when url belongs to whitelist :param url: url @@ -376,7 +400,7 @@ def return_entry_white_list(url): return_results(return_entry) -def get_score(pred_json): +def get_score(pred_json: dict) -> int: use_age = False use_logo = False if pred_json[DOMAIN_AGE_KEY]: @@ -413,14 +437,14 @@ def get_verdict(pred_json: dict, is_white_listed: bool) -> tuple[float, str]: return score, MALICIOUS_VERDICT -def create_dict_context(url, verdict, pred_json, score, is_white_listed, output_rasterize): +def create_dict_context(url, verdict, pred_json, score, is_white_listed, output_rasterize) -> dict: return { 'url_redirect': url, 'url': url, 'verdict': verdict, 'pred_json': pred_json, 'score': score, 'is_white_listed': is_white_listed, 'output_rasterize': output_rasterize } -def extract_created_date(entry: dict): +def extract_created_date(entry: dict) -> Union[bool, None]: """ Check if domain age is younger than THRESHOLD_NEW_DOMAIN_YEAR year :param entry_list: output of the whois command 
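Review bot: `create_dict_context(url, verdict, pred_json, score, is_white_listed, output_rasterize) -> dict` is the only signature in this change whose parameters stay unannotated, and `extract_created_date` uses `Union[bool, None]` where the rest of the change writes `Optional[...]` (`return_entry_summary` in the hunk above, `get_predictions_for_urls` later); pick one spelling, e.g. `def extract_created_date(entry: dict) -> Optional[bool]:`. `get_score(pred_json: dict) -> int` should also be checked against `get_verdict`, whose existing annotation types the score it returns as `float` — I cannot see `get_score`'s body here, but one of the two is inaccurate.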
@@ -435,7 +459,7 @@ def extract_created_date(entry: dict): return None -def return_and_remove_additional_results(results: list, from_index): +def return_and_remove_additional_results(results: list, from_index: int): '''Return and remove the extra unneeded results returned from a command call. In XSOAR 8 log results are usually returned with sub-commands if debug-mode=true''' if results[from_index:]: @@ -484,7 +508,7 @@ def rasterize_urls(urls: list[str], rasterize_timeout: int) -> list[dict]: return cast(list[dict], res_rasterize) -def get_whois_verdict(domains: list[dict]) -> list: +def get_whois_verdict(domains: list[str]) -> list: '''Check domain age from WHOIS command''' default = [None] * len(domains) if isCommandAvailable('whois'): @@ -499,7 +523,9 @@ def get_whois_verdict(domains: list[dict]) -> list: return default -def get_predictions_for_urls(model, urls, force_model, debug, rasterize_timeout): +def get_predictions_for_urls( + model: Model, urls: list[str], force_model: bool, debug: bool, rasterize_timeout: int, protocol: str +) -> Optional[list[dict]]: domains = list(map(extract_domainv2, urls)) @@ -525,7 +551,10 @@ def get_predictions_for_urls(model, urls, force_model, debug, rasterize_timeout) else: is_white_listed = False - x_pred = create_x_pred(output_rasterize, url) + x_pred = create_x_pred( + output_rasterize, + prepend_protocol(url, protocol) + ) pred_json = model.predict(x_pred) if debug: 
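Review bot: `get_predictions_for_urls` gains a required `protocol` parameter with no default, so any caller other than `main` (tests, other automations calling it positionally) now fails with a TypeError; `protocol: str = 'http'` keeps the old call shape working and matches the documented default. In the `create_x_pred` hunk, `prepend_protocol(url, protocol)` is also called with its `www` default, and I cannot see that function's body from here — if `www=True` changes the URL beyond adding a scheme, the model now scores a URL that differs from the one rasterized and WHOIS-checked, which deserves a comment at the call site given the release note says those commands are unaffected. Both hunks sit inside `get_predictions_for_urls`, whose body extends beyond them.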
@@ -541,12 +570,11 @@ def get_predictions_for_urls(model, urls, force_model, debug, rasterize_timeout) return results -def return_general_summary(results, tag="Summary"): +def return_general_summary(results: list[dict], tag: str = "Summary") -> list[dict]: df_summary = pd.DataFrame() df_summary['URL'] = [x.get('url_redirect') for x in results] - df_summary[KEY_FINAL_VERDICT] = [MAPPING_VERDICT_COLOR[x.get('verdict')].format(x.get('verdict')) - if x.get('verdict') in MAPPING_VERDICT_COLOR - else VERDICT_ERROR_COLOR.format(x.get('verdict')) for x in results] + df_summary[KEY_FINAL_VERDICT] = [MAPPING_VERDICT_COLOR.get( + x.get('verdict'), VERDICT_ERROR_COLOR).format(x.get('verdict')) for x in results] # type: ignore summary_context = [ {KEY_CONTENT_SUMMARY_URL: x.get('url_redirect'), KEY_CONTENT_SUMMARY_FINAL_VERDICT: BENIGN_VERDICT, KEY_CONTENT_IS_WHITELISTED: 'True'} for x in results if x.get('is_white_listed')] @@ -565,7 +593,7 @@ def return_general_summary(results, tag="Summary"): return df_summary_json -def return_detailed_summary(results: list, reliability: str): +def return_detailed_summary(results: list, reliability: str) -> list[dict[str, str]]: outputs = [] results.sort(key=lambda x: x['score']) for result in results: @@ -577,7 +605,7 @@ def return_detailed_summary(results: list, reliability: str): return outputs -def save_model_in_demisto(model): +def save_model_in_demisto(model: Model): encoded_model = base64.b64encode(dill.dumps(model)) # guardrails-disable-line res = demisto.executeCommand('createMLModel', {'modelData': encoded_model.decode('utf-8'), 'modelName': URL_PHISHING_MODEL_NAME, 
@@ -592,14 +620,14 @@ def save_model_in_demisto(model): raise DemistoException(get_error(res)) -def extract_urls(text): +def extract_urls(text: str) -> list[str]: res = demisto.executeCommand("extractIndicators", {"text": text}) if is_error(res): raise DemistoException(get_error(res)) return list(set(json.loads(res[0]["Contents"]).get("URL", []))) -def get_final_urls(urls, max_urls, model): +def get_final_urls(urls: list[str], max_urls: int, model: Model) -> list[str]: final_url = [] seen = [] low_priority_urls = [] @@ -613,11 +641,11 @@ def get_final_urls(urls, max_urls, model): seen.append(extract_domainv2(url)) i += 1 if len(final_url) < max_urls: - final_url = final_url + low_priority_urls[:min(len(low_priority_urls), max_urls - len(final_url))] + final_url += low_priority_urls[:min(len(low_priority_urls), max_urls - len(final_url))] return final_url -def extract_embedded_urls_from_html(html): +def extract_embedded_urls_from_html(html: str) -> list[str]: embedded_urls = [] soup = BeautifulSoup(html) for a in soup.findAll('a'): @@ -626,7 +654,10 @@ def extract_embedded_urls_from_html(html): return embedded_urls -def get_urls_to_run(email_body, email_html, urls_argument, max_urls, model, msg_list, debug): +def get_urls_to_run( + email_body: str, email_html: str, urls_argument: Union[list, str], + max_urls: int, model: Model, msg_list: list[str], debug: bool +) -> tuple[list[str], list[str]]: if email_body: urls_email_body = extract_urls(email_body) else: @@ -654,7 +685,7 @@ def get_urls_to_run(email_body, email_html, urls_argument, max_urls, model, msg_ return urls, msg_list -def update_model_docker_from_model(model_docker, model): +def update_model_docker_from_model(model_docker: Model, model: Model) -> Model: model_docker.logos_dict = model.logos_dict model_docker.top_domains = model.top_domains 
@@ -670,8 +701,10 @@ def update_model_docker_from_model(model_docker, model): return model_docker -def update_and_load_model(debug, exist, reset_model, msg_list, demisto_major_version, demisto_minor_version, - model_data): +def update_and_load_model( + debug: bool, exist: bool, reset_model: bool, msg_list: list[str], + demisto_major_version: int, demisto_minor_version: int, model_data: str +) -> tuple[Model, list[str]]: if debug: msg_list.append( MSG_MODEL_VERSION_IN_DEMISTO.format(demisto_major_version, demisto_minor_version) @@ -716,6 +749,7 @@ def main(): reliability = DBotScoreReliability.get_dbot_score_reliability_from_str( args.get("reliability", DBotScoreReliability.A_PLUS) ) + protocol = demisto.args().get('defaultRequestProtocol', 'HTTP').lower() msg_list: list = [] @@ -731,7 +765,7 @@ def main(): if urls: # Run the model and get predictions - results = get_predictions_for_urls(model, urls, force_model, debug, rasterize_timeout) + results = get_predictions_for_urls(model, urls, force_model, debug, rasterize_timeout, protocol) if results: general_summary = return_general_summary(results) detailed_summary = return_detailed_summary(results, reliability) diff --git a/Packs/PhishingURL/Scripts/DBotPredictURLPhishing/DBotPredictURLPhishing.yml b/Packs/PhishingURL/Scripts/DBotPredictURLPhishing/DBotPredictURLPhishing.yml index 6df6ed9c8ea6..5ed8fb6fa695 100644 --- a/Packs/PhishingURL/Scripts/DBotPredictURLPhishing/DBotPredictURLPhishing.yml +++ b/Packs/PhishingURL/Scripts/DBotPredictURLPhishing/DBotPredictURLPhishing.yml @@ -26,6 +26,13 @@ args: predefined: - 'False' - 'True' +- description: The protocol to use when calling the URLs. This argument effects the calls sent by the model only and has no effect on the rasterize or whois commands. + defaultValue: 'HTTP' + name: defaultRequestProtocol + auto: PREDEFINED + predefined: + - 'HTTP' + - 'HTTPS' - auto: PREDEFINED description: Whether to enter debug mode. defaultValue: 'False' 
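Review bot: `protocol = demisto.args().get('defaultRequestProtocol', 'HTTP').lower()` accepts any string — the `HTTP`/`HTTPS` restriction lives only in the YAML `predefined` list, which does not apply when the script is invoked from another automation — and it re-reads `demisto.args()` although the surrounding code already holds `args`. Validate against the documented set and reuse `args`: `protocol = args.get('defaultRequestProtocol', 'HTTP').lower()` / `if protocol not in ('http', 'https'): raise DemistoException(f'defaultRequestProtocol must be HTTP or HTTPS, got {protocol!r}')`. Note also that the `HTTP` default means the requests this script itself sends for scheme-less URLs go out in plaintext, which is what the release note documents but the argument description does not spell out. `main` starts before this hunk.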
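Review bot: The new argument's description, "The protocol to use when calling the URLs. This argument effects the calls...", has `effects` where `affects` is meant, and its first sentence implies the protocol replaces the one in every URL, while the release note in this change says it is only the default for URLs supplied without a scheme. Suggested wording: `description: The default protocol for URLs supplied without an explicit scheme. Affects only the HTTP requests sent by this script, not the rasterize or whois commands.`. The README row added in this change repeats the same sentence and should follow.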
diff --git a/Packs/PhishingURL/Scripts/DBotPredictURLPhishing/README.md b/Packs/PhishingURL/Scripts/DBotPredictURLPhishing/README.md index c1fe4f2877aa..09f726b9dd1f 100644 --- a/Packs/PhishingURL/Scripts/DBotPredictURLPhishing/README.md +++ b/Packs/PhishingURL/Scripts/DBotPredictURLPhishing/README.md @@ -32,6 +32,7 @@ Phishing - Machine Learning Analysis | maxNumberOfURL | Maximum number of extracted URLs on which to run the model. | | forceModel | Whether to force the model to run if the URL belongs to the whitelist. If True, the model will run in every case. If False, the model will run only if the URL does not belong to the whitelist. | | resetModel | Whether to reset the model to the model existing in Docker. | +| defaultRequestProtocol | The protocol to use when calling the URLs. This argument effects the calls sent by the model only and has no effect on the rasterize or whois commands. | | debug | Whether to enter debug mode. | | reliability | Reliability of the source providing the intelligence data. | @@ -53,10 +54,18 @@ Phishing - Machine Learning Analysis ## Script Examples ### Example command -```!DBotPredictURLPhishing urls=google.com``` +```!DBotPredictURLPhishing urls="http://google.com"``` ### Context Example ```json -{} +{ + "DBotPredictURLPhishing": [ + { + "FinalVerdict": "Benign", + "TopMajesticDomain": "True", + "URL": "http://google.com" + } + ] +} ``` ### Human Readable Output diff --git a/Packs/PhishingURL/pack_metadata.json b/Packs/PhishingURL/pack_metadata.json index d800a286a84d..5347ce39fe88 100644 --- a/Packs/PhishingURL/pack_metadata.json +++ b/Packs/PhishingURL/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Phishing URL", "description": "Phishing URL is a project with the goal of detecting phishing URLs using machine learning", "support": "xsoar", - "currentVersion": "1.1.17", + "currentVersion": "1.1.18", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", 
diff --git a/Packs/rasterize/Integrations/rasterize/rasterize.yml b/Packs/rasterize/Integrations/rasterize/rasterize.yml index 097f15dd2ee1..dc96c80cbd40 100644 --- a/Packs/rasterize/Integrations/rasterize/rasterize.yml +++ b/Packs/rasterize/Integrations/rasterize/rasterize.yml @@ -334,7 +334,7 @@ script: - contextPath: InfoFile.Type description: The type of the image/pdf file. type: string - dockerimage: demisto/chromium:127.0.6533.105883 + dockerimage: demisto/chromium:126.0.6478.103218 runonce: false script: "-" subtype: python3 diff --git a/Packs/rasterize/ReleaseNotes/2_0_21.md b/Packs/rasterize/ReleaseNotes/2_0_21.md new file mode 100644 index 000000000000..f8e5790df71a --- /dev/null +++ b/Packs/rasterize/ReleaseNotes/2_0_21.md @@ -0,0 +1,4 @@ +#### Integrations + +##### Rasterize +Updated the Docker image to: *demisto/chromium:126.0.6478.103218*. \ No newline at end of file diff --git a/Packs/rasterize/pack_metadata.json b/Packs/rasterize/pack_metadata.json index af321d6c86cc..d70c564acb6e 100644 --- a/Packs/rasterize/pack_metadata.json +++ b/Packs/rasterize/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Rasterize", "description": "Converts URLs, PDF files, and emails to an image file or PDF file.", "support": "xsoar", - "currentVersion": "2.0.20", + "currentVersion": "2.0.21", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Tests/conf.json b/Tests/conf.json index 1284bb8e7165..2e4352475814 100644 --- a/Tests/conf.json +++ b/Tests/conf.json 
@@ -5969,7 +5969,17 @@
 "CiscoMerakiv2": "CIAC-11322",
 "Test Playbook - Cortex XDR - Retrieve File by sha256" : "CIAC-11274",
 "Test XDR Playbook quarantine file command": "CIAC-11274",
- "Test XDR Playbook retrieve file command": "CIAC-11274"
+ "Test XDR Playbook retrieve file command": "CIAC-11274",
+ "Cortex XDR - IOC - Test without fetch" : "CIAC-11274",
+ "Cortex XDR - XQL Query - Test" : "CIAC-11274",
+ "XDR_test_helper" : "CIAC-11274",
+ "Test Playbook - Cortex XDR - Endpoint Investigation": "CIAC-11274",
+ "Test Playbook - Cortex XDR - False Positive Incident Handling" : "CIAC-11274",
+ "Test Playbook - Cortex XDR - Get File Path from alerts by hash" : "CIAC-11274",
+ "Test Playbook - Cortex XDR Malware - Incident Enrichment" : "CIAC-11274",
+ "Test XDR Playbook execute script commands": "CIAC-11274",
+ "Test XDR Playbook general commands": "CIAC-11274",
+ "Test XDR Playbook": "CIAC-11274"
 },
 "skipped_integrations": {
 "AWS - Lambda": "No instance - wrong creds, issue CRTX-110456",
diff --git a/poetry.lock b/poetry.lock
index e2d76d3358d7..b2fdc5b6230e 100644
--- a/poetry.lock
+++ b/poetry.lock
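Review bot: The added entries mix two spellings of the same construct — `"XDR_test_helper" : "CIAC-11274"` with a space before the colon versus `"Test XDR Playbook general commands": "CIAC-11274"` without — inside one block; the surrounding lines such as `"CiscoMerakiv2": "CIAC-11322",` use the no-space form, so the seven new `" :` entries should follow it. All ten new skips plus the existing ones point at the single ticket CIAC-11274 and now cover what looks like the entire Cortex XDR test set, including the broadly named `"Test XDR Playbook"`; that removes automated coverage of an EDR integration's playbooks, so the ticket should carry the condition for re-enabling them, since JSON gives no room for an inline comment here. The enclosing object (presumably the skipped-tests map) begins outside the hunk.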
@@ -3840,6 +3840,348 @@ type = "legacy" url = "https://pypi.org/simple" reference = "pypi-public" +[[package]] +name = "types-cryptography" +version = "3.3.23.2" +description = "Typing stubs for cryptography" +optional = false +python-versions = "*" +files = [ + {file = "types-cryptography-3.3.23.2.tar.gz", hash = "sha256:09cc53f273dd4d8c29fa7ad11fefd9b734126d467960162397bc5e3e604dea75"}, + {file = "types_cryptography-3.3.23.2-py3-none-any.whl", hash = "sha256:b965d548f148f8e87f353ccf2b7bd92719fdf6c845ff7cedf2abb393a0643e4f"}, +] + +[package.source] +type = "legacy" +url = "https://pypi.org/simple" +reference = "pypi-public" + +[[package]] +name = "types-dateparser" +version = "1.2.0.20240420" +description = "Typing stubs for dateparser" +optional = false +python-versions = ">=3.8" +files = [ + {file = "types-dateparser-1.2.0.20240420.tar.gz", hash = "sha256:8f813ddf5ef41b32cabe6167138ae833ada10c22811e42220a1e38a0be7adbdc"}, + {file = "types_dateparser-1.2.0.20240420-py3-none-any.whl", hash = "sha256:bf3695ddfbadfdfc875064895a51d926fd80b04da1a44364c6c1a9703db7b194"}, +] + +[package.source] +type = "legacy" +url = "https://pypi.org/simple" +reference = "pypi-public" + +[[package]] +name = "types-decorator" +version = "5.1.8.20240310" +description = "Typing stubs for decorator" +optional = false +python-versions = ">=3.8" +files = [ + {file = "types-decorator-5.1.8.20240310.tar.gz", hash = "sha256:52e316b03783886a8a2abdc228f7071680ba65894545cd2085ebe3cf88684a0e"}, + {file = "types_decorator-5.1.8.20240310-py3-none-any.whl", hash = "sha256:3af75dc38f5baf65b9b53ea6661ce2056c5ca7d70d620d0b1f620285c1242757"}, +] + +[package.source] +type = "legacy" +url = "https://pypi.org/simple" +reference = "pypi-public" + +[[package]] +name = "types-emoji" +version = "2.1.0.3" +description = "Typing stubs for emoji" +optional = false +python-versions = "*" +files = [ + {file = "types-emoji-2.1.0.3.tar.gz", hash = 
"sha256:98ddb0ff5f48622550c431206e4dbfcbde8ca8bc03fcfbb9962a778d2049aa13"}, + {file = "types_emoji-2.1.0.3-py3-none-any.whl", hash = "sha256:32fe5cf02c4834bb59579380f600a89d1471571fb56e36465cbd0c7d95f669ca"}, +] + +[package.source] +type = "legacy" +url = "https://pypi.org/simple" +reference = "pypi-public" + +[[package]] +name = "types-markdown" +version = "3.6.0.20240316" +description = "Typing stubs for Markdown" +optional = false +python-versions = ">=3.8" +files = [ + {file = "types-Markdown-3.6.0.20240316.tar.gz", hash = "sha256:de9fb84860b55b647b170ca576895fcca61b934a6ecdc65c31932c6795b440b8"}, + {file = "types_Markdown-3.6.0.20240316-py3-none-any.whl", hash = "sha256:d3ecd26a940781787c7b57a0e3c9d77c150db64e12989ef687059edc83dfd78a"}, +] + +[package.source] +type = "legacy" +url = "https://pypi.org/simple" +reference = "pypi-public" + +[[package]] +name = "types-mock" +version = "4.0.15.2" +description = "Typing stubs for mock" +optional = false +python-versions = "*" +files = [ + {file = "types-mock-4.0.15.2.tar.gz", hash = "sha256:83fe479741adb92210c3c92f006fe058297d5051e93c2cec36f1a9e0bae16e9e"}, + {file = "types_mock-4.0.15.2-py3-none-any.whl", hash = "sha256:39d489b6d9361b75448677680a3087701c0cfab61260363cfc0f646d2bf0a8b2"}, +] + +[package.source] +type = "legacy" +url = "https://pypi.org/simple" +reference = "pypi-public" + +[[package]] +name = "types-paramiko" +version = "2.12.0.0" +description = "Typing stubs for paramiko" +optional = false +python-versions = "*" +files = [ + {file = "types-paramiko-2.12.0.0.tar.gz", hash = "sha256:6359f4e8885bf0e2e478eddbfeb06d9b9599a2a8eb7815ee463800d365d20894"}, + {file = "types_paramiko-2.12.0.0-py3-none-any.whl", hash = "sha256:49d7a323dda2d3e9b334e3828e4cb0c50deaa1b060fcfbd6634fc46c9eb28da1"}, +] + +[package.dependencies] +types-cryptography = "*" + +[package.source] +type = "legacy" +url = "https://pypi.org/simple" +reference = "pypi-public" + +[[package]] +name = "types-pkg-resources" +version = "0.1.3" 
+description = "Typing stubs for pkg_resources" +optional = false +python-versions = "*" +files = [ + {file = "types-pkg_resources-0.1.3.tar.gz", hash = "sha256:834a9b8d3dbea343562fd99d5d3359a726f6bf9d3733bccd2b4f3096fbab9dae"}, + {file = "types_pkg_resources-0.1.3-py2.py3-none-any.whl", hash = "sha256:0cb9972cee992249f93fff1a491bf2dc3ce674e5a1926e27d4f0866f7d9b6d9c"}, +] + +[package.source] +type = "legacy" +url = "https://pypi.org/simple" +reference = "pypi-public" + +[[package]] +name = "types-protobuf" +version = "4.25.0.20240417" +description = "Typing stubs for protobuf" +optional = false +python-versions = ">=3.8" +files = [ + {file = "types-protobuf-4.25.0.20240417.tar.gz", hash = "sha256:c34eff17b9b3a0adb6830622f0f302484e4c089f533a46e3f147568313544352"}, + {file = "types_protobuf-4.25.0.20240417-py3-none-any.whl", hash = "sha256:e9b613227c2127e3d4881d75d93c93b4d6fd97b5f6a099a0b654a05351c8685d"}, +] + +[package.source] +type = "legacy" +url = "https://pypi.org/simple" +reference = "pypi-public" + +[[package]] +name = "types-pymysql" +version = "1.1.0.20240425" +description = "Typing stubs for PyMySQL" +optional = false +python-versions = ">=3.8" +files = [ + {file = "types-PyMySQL-1.1.0.20240425.tar.gz", hash = "sha256:afe24e8eba5f4851b729835530a1698b1b1645a93f9f9c83ae45228866ed31fc"}, + {file = "types_PyMySQL-1.1.0.20240425-py3-none-any.whl", hash = "sha256:32a472233de53b913e934695530a2d083146b81ed6de1669ecb845f76b6ddc15"}, +] + +[package.source] +type = "legacy" +url = "https://pypi.org/simple" +reference = "pypi-public" + +[[package]] +name = "types-python-dateutil" +version = "2.9.0.20240316" +description = "Typing stubs for python-dateutil" +optional = false +python-versions = ">=3.8" +files = [ + {file = "types-python-dateutil-2.9.0.20240316.tar.gz", hash = "sha256:5d2f2e240b86905e40944dd787db6da9263f0deabef1076ddaed797351ec0202"}, + {file = "types_python_dateutil-2.9.0.20240316-py3-none-any.whl", hash = 
"sha256:6b8cb66d960771ce5ff974e9dd45e38facb81718cc1e208b10b1baccbfdbee3b"}, +] + +[package.source] +type = "legacy" +url = "https://pypi.org/simple" +reference = "pypi-public" + +[[package]] +name = "types-pytz" +version = "2022.7.1.2" +description = "Typing stubs for pytz" +optional = false +python-versions = "*" +files = [ + {file = "types-pytz-2022.7.1.2.tar.gz", hash = "sha256:487d3e8e9f4071eec8081746d53fa982bbc05812e719dcbf2ebf3d55a1a4cd28"}, + {file = "types_pytz-2022.7.1.2-py3-none-any.whl", hash = "sha256:40ca448a928d566f7d44ddfde0066e384f7ffbd4da2778e42a4570eaca572446"}, +] + +[package.source] +type = "legacy" +url = "https://pypi.org/simple" +reference = "pypi-public" + +[[package]] +name = "types-pyyaml" +version = "6.0.12.20240311" +description = "Typing stubs for PyYAML" +optional = false +python-versions = ">=3.8" +files = [ + {file = "types-PyYAML-6.0.12.20240311.tar.gz", hash = "sha256:a9e0f0f88dc835739b0c1ca51ee90d04ca2a897a71af79de9aec5f38cb0a5342"}, + {file = "types_PyYAML-6.0.12.20240311-py3-none-any.whl", hash = "sha256:b845b06a1c7e54b8e5b4c683043de0d9caf205e7434b3edc678ff2411979b8f6"}, +] + +[package.source] +type = "legacy" +url = "https://pypi.org/simple" +reference = "pypi-public" + +[[package]] +name = "types-requests" +version = "2.28.11" +description = "Typing stubs for requests" +optional = false +python-versions = "*" +files = [ + {file = "types-requests-2.28.11.tar.gz", hash = "sha256:7ee827eb8ce611b02b5117cfec5da6455365b6a575f5e3ff19f655ba603e6b4e"}, + {file = "types_requests-2.28.11-py3-none-any.whl", hash = "sha256:af5f55e803cabcfb836dad752bd6d8a0fc8ef1cd84243061c0e27dee04ccf4fd"}, +] + +[package.dependencies] +types-urllib3 = "<1.27" + +[package.source] +type = "legacy" +url = "https://pypi.org/simple" +reference = "pypi-public" + +[[package]] +name = "types-setuptools" +version = "69.5.0.20240522" +description = "Typing stubs for setuptools" +optional = false +python-versions = ">=3.8" +files = [ + {file = 
"types-setuptools-69.5.0.20240522.tar.gz", hash = "sha256:c5a97601b2d040d3b9fcd0633730f0a8c86ebef208552525c97301427f261549"}, + {file = "types_setuptools-69.5.0.20240522-py3-none-any.whl", hash = "sha256:e27231cbc80648cfaee4921d2f1150107fdf8d33666958abf2aba0191a82688b"}, +] + +[package.source] +type = "legacy" +url = "https://pypi.org/simple" +reference = "pypi-public" + +[[package]] +name = "types-six" +version = "1.16.21.20240513" +description = "Typing stubs for six" +optional = false +python-versions = ">=3.8" +files = [ + {file = "types-six-1.16.21.20240513.tar.gz", hash = "sha256:cdf445b5161bf17753500713a475ab79a45bd0d87728b8bfcecd86e2fbf66402"}, + {file = "types_six-1.16.21.20240513-py3-none-any.whl", hash = "sha256:af2a105be6d504339bfed81319cc8e8697865f0ee5c6baa63658f127b33b9e63"}, +] + +[package.source] +type = "legacy" +url = "https://pypi.org/simple" +reference = "pypi-public" + +[[package]] +name = "types-tabulate" +version = "0.9.0.20240106" +description = "Typing stubs for tabulate" +optional = false +python-versions = ">=3.8" +files = [ + {file = "types-tabulate-0.9.0.20240106.tar.gz", hash = "sha256:c9b6db10dd7fcf55bd1712dd3537f86ddce72a08fd62bb1af4338c7096ce947e"}, + {file = "types_tabulate-0.9.0.20240106-py3-none-any.whl", hash = "sha256:0378b7b6fe0ccb4986299496d027a6d4c218298ecad67199bbd0e2d7e9d335a1"}, +] + +[package.source] +type = "legacy" +url = "https://pypi.org/simple" +reference = "pypi-public" + +[[package]] +name = "types-toml" +version = "0.10.8.20240310" +description = "Typing stubs for toml" +optional = false +python-versions = ">=3.8" +files = [ + {file = "types-toml-0.10.8.20240310.tar.gz", hash = "sha256:3d41501302972436a6b8b239c850b26689657e25281b48ff0ec06345b8830331"}, + {file = "types_toml-0.10.8.20240310-py3-none-any.whl", hash = "sha256:627b47775d25fa29977d9c70dc0cbab3f314f32c8d8d0c012f2ef5de7aaec05d"}, +] + +[package.source] +type = "legacy" +url = "https://pypi.org/simple" +reference = "pypi-public" + +[[package]] +name = 
"types-tqdm" +version = "4.66.0.20240417" +description = "Typing stubs for tqdm" +optional = false +python-versions = ">=3.8" +files = [ + {file = "types-tqdm-4.66.0.20240417.tar.gz", hash = "sha256:16dce9ef522ea8d40e4f5b8d84dd8a1166eefc13ceee7a7e158bf0f1a1421a31"}, + {file = "types_tqdm-4.66.0.20240417-py3-none-any.whl", hash = "sha256:248aef1f9986b7b8c2c12b3cb4399fc17dba0a29e7e3f3f9cd704babb879383d"}, +] + +[package.source] +type = "legacy" +url = "https://pypi.org/simple" +reference = "pypi-public" + +[[package]] +name = "types-ujson" +version = "5.10.0.20240515" +description = "Typing stubs for ujson" +optional = false +python-versions = ">=3.8" +files = [ + {file = "types-ujson-5.10.0.20240515.tar.gz", hash = "sha256:ceae7127f0dafe4af5dd0ecf98ee13e9d75951ef963b5c5a9b7ea92e0d71f0d7"}, + {file = "types_ujson-5.10.0.20240515-py3-none-any.whl", hash = "sha256:02bafc36b3a93d2511757a64ff88bd505e0a57fba08183a9150fbcfcb2015310"}, +] + +[package.source] +type = "legacy" +url = "https://pypi.org/simple" +reference = "pypi-public" + +[[package]] +name = "types-urllib3" +version = "1.26.25.14" +description = "Typing stubs for urllib3" +optional = false +python-versions = "*" +files = [ + {file = "types-urllib3-1.26.25.14.tar.gz", hash = "sha256:229b7f577c951b8c1b92c1bc2b2fdb0b49847bd2af6d1cc2a2e3dd340f3bda8f"}, + {file = "types_urllib3-1.26.25.14-py3-none-any.whl", hash = "sha256:9683bbb7fb72e32bfe9d2be6e04875fbe1b3eeec3cbb4ea231435aa7fd6b4f0e"}, +] + +[package.source] +type = "legacy" +url = "https://pypi.org/simple" +reference = "pypi-public" + [[package]] name = "typing-extensions" version = "4.12.2" @@ -4269,4 +4611,4 @@ reference = "pypi-public" [metadata] lock-version = "2.0" python-versions = "^3.8,<3.11" -content-hash = "e7adedb989d25579cc8374882d035c043650b7317589890d2a02533129c04c3a" +content-hash = "c57c05f9d7fe034d67818cb62fc81c03ea453d8f34db4512781e3ccbb6a71295" diff --git a/pyproject.toml b/pyproject.toml index 1cd7401e1386..96a07f4f5597 100644 
--- a/pyproject.toml +++ b/pyproject.toml @@ -33,6 +33,26 @@ freezegun = ">=1.1.0" dateparser = ">=1.2.0" ruff = "*" # See `.pre-commit-config-template` for version used in pre-commit. Version here doesn't matter. +[tool.poetry.group.typing.dependencies] +types-tqdm = "^4.66.0.2" +types-requests = "2.28.11" +types-mock = "^4.0.15" +types-setuptools = "^69.2.0.20240317" +types-ujson = "^5.6.0.0" +types-decorator = "^5.1.8" +types-pkg-resources = "^0.1.3" +types-toml = "^0.10.8.7" +types-tabulate = "^0.9.0.20240106" +types-pytz = ">=2021.3.6,<2023.0.0" +types-dateparser = "^1.1.4.20240106" +types-python-dateutil = "^2.9.0.20240316" +types-protobuf = "^4.24.0.4" +types-six = "^1.16.21.20240513" +types-paramiko = "2.12.0" +types-PyMySQL = "1.1.0.20240425" +types-markdown = "3.6.0.20240316" +types-PyYAML = "6.0.12.20240311" +types-emoji = "2.1.0.3" [tool.ruff] select = [