From 04cba724ed6ab852cc0e2efeef16ea1a06bfe81e Mon Sep 17 00:00:00 2001 From: Yehuda Rosenberg <90599084+RosenbergYehuda@users.noreply.github.com> Date: Mon, 29 Jul 2024 09:35:19 +0300 Subject: [PATCH 01/19] Fix CrowdSrtrike mapper/XSUP-39790 (#35618) * fix mapper * RN * fixes * fix rn --- ...ssifier-CrowdStrike_Falcon_Mapper_6.5.json | 67 ++++--------------- Packs/CrowdStrikeFalcon/ReleaseNotes/2_0_7.md | 6 ++ Packs/CrowdStrikeFalcon/pack_metadata.json | 2 +- 3 files changed, 20 insertions(+), 55 deletions(-) create mode 100644 Packs/CrowdStrikeFalcon/ReleaseNotes/2_0_7.md diff --git a/Packs/CrowdStrikeFalcon/Classifiers/classifier-CrowdStrike_Falcon_Mapper_6.5.json b/Packs/CrowdStrikeFalcon/Classifiers/classifier-CrowdStrike_Falcon_Mapper_6.5.json index 0e41d719d4d5..5c376f2eeca5 100644 --- a/Packs/CrowdStrikeFalcon/Classifiers/classifier-CrowdStrike_Falcon_Mapper_6.5.json +++ b/Packs/CrowdStrikeFalcon/Classifiers/classifier-CrowdStrike_Falcon_Mapper_6.5.json @@ -808,28 +808,6 @@ "dbot_classification_incident_type_all": { "dontMapEventToLabels": false, "internalMapping": { - "External Start Time": { - "complex": { - "filters": [], - "root": "first_behavior", - "transformers": [ - { - "args": { - "item": { - "isContext": true, - "value": { - "simple": "start" - } - } - }, - "operator": "append" - } - ] - } - }, - "Additional Data": { - "simple": "behaviors" - }, "Agent Version": { "simple": "device.agent_version" }, @@ -854,10 +832,10 @@ } }, "CMD line": { - "simple": "behaviors.cmdline" + "simple": "cmdline" }, "Description": { - "simple": "behaviors.description" + "simple": "description" }, "Device External IPs": { "complex": { 
@@ -966,26 +944,7 @@ "simple": "incident_type" }, "External Confidence": { - "simple": "max_confidence" - }, - "External End Time": { - "complex": { - "filters": [], - "root": "last_behavior", - "transformers": [ - { - "args": { - "item": { - "isContext": true, - "value": { - "simple": "end" - } - } - }, - "operator": "append" - } - ] - } + "simple": "confidence" }, "External ID": { "complex": { @@ -1096,16 +1055,16 @@ } }, "File MD5": { - "simple": "behaviors.md5" + "simple": "md5" }, "File Names": { - "simple": "behaviors.filename" + "simple": "filename" }, "File Paths": { - "simple": "behaviors.filepath" + "simple": "filepath" }, "File SHA256": { - "simple": "behaviors.sha256" + "simple": "sha256" }, "Hostnames": { "complex": { @@ -1146,22 +1105,22 @@ "simple": "parent_details.cmdline" }, "Parent Process SHA256": { - "simple": "behaviors.parent_details.parent_sha256" + "simple": "parent_details.sha256" }, "Parent Process MD5": { - "simple": "behaviors.parent_details.parent_md5" + "simple": "parent_details.md5" }, "Process CMD": { "simple": "parent_details.cmdline" }, "Process MD5": { - "simple": "behaviors.md5" + "simple": "md5" }, "Process SHA256": { - "simple": "behaviors.sha256" + "simple": "sha256" }, "Scenario": { - "simple": "behaviors.scenario" + "simple": "scenario" }, "Source MAC Address": { "simple": "device.mac_address" 
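Review bot: `Process CMD` is still mapped to `parent_details.cmdline` (the unchanged line between `Parent Process MD5` and `Process MD5`), while its siblings `Process MD5`/`Process SHA256` now map to the top-level `md5`/`sha256` and `CMD line` maps to `cmdline`; unless that is deliberate, the process field will show the parent's command line and misattribute the activity during triage, so the consistent mapping is `"Process CMD": { "simple": "cmdline" }`. The `@@ -808` and `@@ -966` hunks also remove the `External Start Time`/`External End Time` mappings outright; the release note says those fields no longer return, but if the API still exposes a per-detection start/end under another name the incident loses its timeline, which is worth confirming before the mapping is dropped rather than renamed. The name-template hunk (`@@ -1182`) only swaps `behaviors\.display_name` for `display_name` and needs no further change.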
@@ -1182,7 +1141,7 @@ "args": { "conditions": { "value": { - "simple": "[\n {\n \"condition\": \"#{incident_type} == 'detection'\",\n \"return\": \"Falcon Detection - \" + #{behaviors\\.display_name} + \" - Detection ID: \" + #{composite_id}\n },\n {\n \"condition\": \"#{incident_type} == 'incident'\",\n \"return\": \"Falcon Incident - ID: \" + #{incident_id}\n },\n {\n \"condition\": \"#{incident_type} == 'IDP detection'\",\n \"return\": #{id}\n },\n {\n \"condition\": \"#{incident_type} == 'iom_configurations'\",\n \"return\": #{id}\n },\n {\n \"condition\": \"#{incident_type} == 'ioa_events'\",\n \"return\": #{event_id}\n },\n {\n \"condition\": \"#{incident_type} == 'MOBILE detection'\",\n \"return\": #{mobile_detection_id}\n },\n {\n \"condition\": \"#{device\\.hostname} != None\",\n \"return\": #{incident_type} + \" - \" + #{composite_id} + \" - \" + #{device\\.hostname}\n },\n {\n \"condition\": \"#{hosts\\.hostname} != None\",\n \"return\": #{incident_type} + \" - \" + #{incident_id} + \" - \" + #{hosts\\.hostname}\n },\n {\n \"condition\": \"#{incident_id} != None\",\n \"return\": #{incident_type} + \" - \" + #{incident_id}\n },\n {\n \"condition\": \"#{composite_id} != None\",\n \"return\": #{incident_type} + \" - \" + #{composite_id}\n },\n {\n \"default\": #{incident_type}\n }\n]" + "simple": "[\n {\n \"condition\": \"#{incident_type} == 'detection'\",\n \"return\": \"Falcon Detection - \" + #{display_name} + \" - Detection ID: \" + #{composite_id}\n },\n {\n \"condition\": \"#{incident_type} == 'incident'\",\n \"return\": \"Falcon Incident - ID: \" + #{incident_id}\n },\n {\n \"condition\": \"#{incident_type} == 'IDP detection'\",\n \"return\": #{id}\n },\n {\n \"condition\": \"#{incident_type} == 'iom_configurations'\",\n \"return\": #{id}\n },\n {\n \"condition\": \"#{incident_type} == 'ioa_events'\",\n \"return\": #{event_id}\n },\n {\n \"condition\": \"#{incident_type} == 'MOBILE detection'\",\n \"return\": #{mobile_detection_id}\n },\n {\n 
\"condition\": \"#{device\\.hostname} != None\",\n \"return\": #{incident_type} + \" - \" + #{composite_id} + \" - \" + #{device\\.hostname}\n },\n {\n \"condition\": \"#{hosts\\.hostname} != None\",\n \"return\": #{incident_type} + \" - \" + #{incident_id} + \" - \" + #{hosts\\.hostname}\n },\n {\n \"condition\": \"#{incident_id} != None\",\n \"return\": #{incident_type} + \" - \" + #{incident_id}\n },\n {\n \"condition\": \"#{composite_id} != None\",\n \"return\": #{incident_type} + \" - \" + #{composite_id}\n },\n {\n \"default\": #{incident_type}\n }\n]" } }, "flags": {} diff --git a/Packs/CrowdStrikeFalcon/ReleaseNotes/2_0_7.md b/Packs/CrowdStrikeFalcon/ReleaseNotes/2_0_7.md new file mode 100644 index 000000000000..0c540869a76e --- /dev/null +++ b/Packs/CrowdStrikeFalcon/ReleaseNotes/2_0_7.md @@ -0,0 +1,6 @@ + +#### Mappers + +##### CrowdStrike Falcon Mapper + +Fixed an issue where some fields did not align with the newest version of CrowdStrike Falcon. Some fields have been modified, and others have been deleted as they no longer return from CrowdStrike Falcon. diff --git a/Packs/CrowdStrikeFalcon/pack_metadata.json b/Packs/CrowdStrikeFalcon/pack_metadata.json index f28c755a7c56..e8e794fe7c8f 100644 --- a/Packs/CrowdStrikeFalcon/pack_metadata.json +++ b/Packs/CrowdStrikeFalcon/pack_metadata.json @@ -2,7 +2,7 @@ "name": "CrowdStrike Falcon", "description": "The CrowdStrike Falcon OAuth 2 API (formerly the Falcon Firehose API), enables fetching and resolving detections, searching devices, getting behaviors by ID, containing hosts, and lifting host containment.", "support": "xsoar", - "currentVersion": "2.0.6", + "currentVersion": "2.0.7", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", From 97d92847de1fb2678e6bada6b9c61a6606ceb7ad Mon Sep 17 00:00:00 2001 
From: content-bot <55035720+content-bot@users.noreply.github.com> Date: Mon, 29 Jul 2024 10:28:33 +0300 Subject: [PATCH 02/19] [Marketplace Contribution] Akamai WAF - Content Pack Update (#35501) * [Marketplace Contribution] Akamai WAF - Content Pack Update (#35309) * "contribution update to pack 'Akamai WAF'" * Update Packs/Akamai_WAF/Integrations/Akamai_WAF/Akamai_WAF.yml Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Update Packs/Akamai_WAF/Integrations/Akamai_WAF/Akamai_WAF.yml Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> --------- Co-authored-by: davistonehub <111578758+davistonehub@users.noreply.github.com> Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Adding UT for new commands. * Updating RN * linter changes. * pre-commit changes. --------- Co-authored-by: xsoar-bot <67315154+xsoar-bot@users.noreply.github.com> Co-authored-by: davistonehub <111578758+davistonehub@users.noreply.github.com> Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> Co-authored-by: Danny_Fried --- .../Integrations/Akamai_WAF/Akamai_WAF.py | 128 ++++++++++++++++++ .../Integrations/Akamai_WAF/Akamai_WAF.yml | 23 +++- .../Akamai_WAF/Akamai_WAF_test.py | 57 ++++++++ .../Integrations/Akamai_WAF/README.md | 41 +++++- .../get_cps_enrollment_by_id_context.json | 1 + .../get_cps_enrollment_by_id_test.json | 24 ++++ Packs/Akamai_WAF/ReleaseNotes/2_0_12.md | 9 ++ Packs/Akamai_WAF/pack_metadata.json | 2 +- 8 files changed, 282 insertions(+), 3 deletions(-) create mode 100644 Packs/Akamai_WAF/Integrations/Akamai_WAF/test_data/get_cps_enrollment_by_id_context.json create mode 100644 Packs/Akamai_WAF/Integrations/Akamai_WAF/test_data/get_cps_enrollment_by_id_test.json create mode 100644 Packs/Akamai_WAF/ReleaseNotes/2_0_12.md 
diff --git a/Packs/Akamai_WAF/Integrations/Akamai_WAF/Akamai_WAF.py b/Packs/Akamai_WAF/Integrations/Akamai_WAF/Akamai_WAF.py index 00307f4f6b12..cb8ee6515367 100644 --- a/Packs/Akamai_WAF/Integrations/Akamai_WAF/Akamai_WAF.py +++ b/Packs/Akamai_WAF/Integrations/Akamai_WAF/Akamai_WAF.py @@ -2102,6 +2102,47 @@ def get_cps_change_status(self, headers=headers, ) + def cancel_cps_change(self, change_path: str, account_switch_key: str = "") -> dict: + """ + Cancels a pending change. + + Args: + change_path: Change path on which to perform the desired operation. + account_switch_key: For customers who manage more than one account, + this runs the operation from another account. The Identity and + Access Management API provides a list of available account switch keys. + + Returns: + The response provides a dict of change_path. + + """ + method = 'delete' + headers = {"accept": "application/vnd.akamai.cps.change-id.v1+json"} + params = {"accountSwitchKey": account_switch_key} + return self._http_request(method=method, + url_suffix=change_path, + headers=headers, + params=params, + ) + + def get_cps_enrollment_by_id(self, + enrollment_id: int) -> dict: + """ + Returns the Enarollment by enrollment id + Args: + enrollment_id: Unique Identifier of the Enrollment on which to perform the desired operation. + + Returns: + The response provides a deployment associcated to the enrollment id + + """ + headers = {"accept": "application/vnd.akamai.cps.enrollment.v12+json"} + method = "GET" + return self._http_request(method=method, + url_suffix=f'cps/v2/enrollments/{enrollment_id}', + headers=headers, + ) + ''' HELPER FUNCTIONS ''' 
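Review bot: `cancel_cps_change` issues a DELETE to whatever `change_path` it is handed, so nothing in the client layer stops a destructive request from going to an arbitrary path under the base URL; the method should reject any value that does not match the expected `/cps/v2/enrollments/<id>/changes/<id>` shape before sending it. It also always sends `params={"accountSwitchKey": account_switch_key}`, so with the default `""` the query string carries an empty `accountSwitchKey=`; `params = {"accountSwitchKey": account_switch_key} if account_switch_key else None` avoids that (whether the API tolerates the empty value is not visible here). Unlike `cancel_cps_change`, `get_cps_enrollment_by_id` takes no `account_switch_key`, which looks like an oversight for multi-account customers. Docstring typos: `Enarollment` → `Enrollment`, `associcated` → `associated`.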
@@ -5912,6 +5953,91 @@ def get_cps_change_status_command(client: Client, return human_readable, context_entry, raw_response +@logger +def cancel_cps_change_command(client: Client, + change_id: str = '0', + enrollment_id: str = '0', + change_path: str = "", + account_switch_key: str = "", + ) -> tuple[str, dict, Union[list, dict]]: + """ + Cancels a pending change. + Reference: https://techdocs.akamai.com/cps/reference/delete-enrollment-change + Args: + client: + change_id: The change for this enrollment on which to perform the desired operation. Default is 0. + enrollment_id: Enrollment on which to perform the desired operation. Default is 0. + change_path: Change path on which to perform the desired operation. + - Sample: /cps/v2/enrollments/100000/changes/88888888 + - Note: change_path is not listed in the reference as a parameter. + However it can be extracted directly from "list_enrollments_command". + This should be the most common useage when generate RestAPI's URL. + account_switch_key: For customers who manage more than one account, this runs + the operation from another account. The Identity and Access Management API + provides a list of available account switch keys. + - Sample: "1-5C0YLB:1-8BYUX" + + NOTE: There is no need to provice "change_id"/"enrollment_id" and "change_path" + at the same time. "change_id"/"enrollment_id" can be used to generate + "change_path" as well. 
+ + Returns: + human readable (markdown format), entry context and raw response + """ + + if not (change_id == '0' and enrollment_id == '0'): + change_path = f'/cps/v2/enrollments/{enrollment_id}/changes/{change_id}' + + raw_response: dict = client.cancel_cps_change(change_path=change_path, account_switch_key=account_switch_key) + + title = f'{INTEGRATION_NAME} - cps cancel change' + entry_context = raw_response + human_readable_ec = raw_response + context_entry: dict = { + f"{INTEGRATION_CONTEXT_NAME}.Cps.Change.Canceled": entry_context + } + + human_readable = tableToMarkdown( + name=title, + t=human_readable_ec, + removeNull=True, + ) + return human_readable, context_entry, raw_response + + +# Created by D.S. 2024-06-18 +@logger +def get_cps_enrollment_by_id_command(client: Client, + enrollment_id: int) -> tuple[str, dict, Union[list, dict]]: + """ + Returns the certification/Enarollment. + + Args: + client: + enrollment_id: Unique Identifier of the Enrollment on which to perform the desired operation. + And it can be retrived via list_enrollments_command + + Returns: + human readable (markdown format), entry context and raw response + """ + + raw_response: dict = client.get_cps_enrollment_by_id(enrollment_id=enrollment_id) + + title = f'{INTEGRATION_NAME} - get cps enrollment by id command' + entry_context = raw_response + human_readable_ec = raw_response + context_entry: dict = { + f"{INTEGRATION_CONTEXT_NAME}.Cps.Enrollments": entry_context + } + + human_readable = tableToMarkdown( + name=title, + t=human_readable_ec, + removeNull=True, + ) + return human_readable, context_entry, raw_response + + ''' COMMANDS MANAGER / SWITCH PANEL ''' 
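Review bot: The guard `if not (change_id == '0' and enrollment_id == '0')` overwrites a caller-supplied `change_path` whenever either id is non-default, so passing `change_path` together with only `enrollment_id` sends the DELETE to `/cps/v2/enrollments/<id>/changes/0`, and when all three arguments are left at their defaults the DELETE goes to an empty suffix, i.e. the base URL itself. Build the path only when both ids are given and fail closed otherwise: `if change_id != '0' and enrollment_id != '0':` / `    change_path = f'/cps/v2/enrollments/{enrollment_id}/changes/{change_id}'` / `if not change_path: raise DemistoException('Provide change_path or both enrollment_id and change_id.')`. Since both ids are interpolated straight into the URL, a `str.isdigit()` check on each would also keep a malformed argument from redirecting a destructive request elsewhere in the API. Docstring: `provice` → `provide`, `useage when generate` → `usage when generating`.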
@@ -6006,6 +6132,8 @@ def main(): f'{INTEGRATION_COMMAND_NAME}-update-cps-enrollment': update_cps_enrollment_command, f'{INTEGRATION_COMMAND_NAME}-update-cps-enrollment-schedule': update_cps_enrollment_schedule_command, f'{INTEGRATION_COMMAND_NAME}-get-cps-change-status': get_cps_change_status_command, + f'{INTEGRATION_COMMAND_NAME}-cancel-cps-change': cancel_cps_change_command, + f'{INTEGRATION_COMMAND_NAME}-get-cps-enrollment-by-id': get_cps_enrollment_by_id_command, } try: readable_output, outputs, raw_response = commands[command](client=client, **demisto.args()) diff --git a/Packs/Akamai_WAF/Integrations/Akamai_WAF/Akamai_WAF.yml b/Packs/Akamai_WAF/Integrations/Akamai_WAF/Akamai_WAF.yml index 092af00bb75d..610e839c0b5d 100644 --- a/Packs/Akamai_WAF/Integrations/Akamai_WAF/Akamai_WAF.yml +++ b/Packs/Akamai_WAF/Integrations/Akamai_WAF/Akamai_WAF.yml 
@@ -1489,7 +1489,28 @@ script: - contextPath: Akamai.Enrollments.Change.Status description: Akamai enrollments change status. type: Dictionary - dockerimage: demisto/auth-utils:1.0.0.94075 + - arguments: + - defaultValue: '0' + description: The change for this enrollment on which to perform the desired operation. Default is 0. "change_path" is used. + name: change_id + required: true + - defaultValue: '0' + description: Enrollment on which to perform the desired operation. Default is 0. "change_path" is used. + name: enrollment_id + required: true + - description: "Change path on which to perform the desired operation. Sample: /cps/v2/enrollments/100000/changes/88888888. Note: change_path is not listed in the reference as a parameter. However it can be extracted directly from \"list_enrollments_command\". This should be the most common usage when generating the RestAPI's URL." + name: change_path + - description: For customers who manage more than one account, this runs the operation from another account. The Identity and Access Management API provides a list of available account switch keys. + name: account_switch_key + description: Cancels a pending change on CPS. + name: akamai-cancel-cps-change + - arguments: + - description: Enrollment ID on which to perform the desired operation. + name: enrollment_id + required: true + description: Get an enrollment in CPS by enrollment id. + name: akamai-get-cps-enrollment-by-id + dockerimage: demisto/auth-utils:1.0.0.105764 script: '' subtype: python3 type: python diff --git a/Packs/Akamai_WAF/Integrations/Akamai_WAF/Akamai_WAF_test.py b/Packs/Akamai_WAF/Integrations/Akamai_WAF/Akamai_WAF_test.py index 72ae7e3c887e..83cb1a6f8f5a 100644 --- a/Packs/Akamai_WAF/Integrations/Akamai_WAF/Akamai_WAF_test.py +++ b/Packs/Akamai_WAF/Integrations/Akamai_WAF/Akamai_WAF_test.py 
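Review bot: Neither new command declares `outputs`, yet the code writes `Akamai.Cps.Change.Canceled` and `Akamai.Cps.Enrollments` to context, so the generated README states "There is no context output for this command" while the context is in fact populated; add an `outputs:` list with those two `contextPath` entries and descriptions so playbooks can depend on them. `change_id` and `enrollment_id` are `required: true` but default to `'0'` as a "use change_path instead" sentinel, which is contradictory; either drop `required: true` or drop the sentinel. The descriptions also spell out "Default is 0.", which the README hunk shows rendered twice because the generator already appends the default.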
@@ -10,6 +10,14 @@ def util_load_json(path): return json.loads(f.read()) +def util_load_txt(path: str): + """ + Utility to load text data from a local folder. + """ + with open(path, encoding='utf-8') as file: + return file.read() + + @pytest.fixture(scope='module') def akamai_waf_client(): return Client(base_url="https://hostname/", 
@@ -250,3 +258,52 @@ def test_acknowledge_warning_command(mocker, akamai_waf_client): assert expected_raw_response == raw_response assert expected_human_readable == human_readable assert expected_context_entry == context_entry + + +def test_cancel_cps_change_command(mocker, akamai_waf_client): + """ + Given: + - enrollment ID and change ID. + When: + - running the command cancel_cps_change_command. + Then: + - enrollment ID is cancelled correctly. + """ + from Akamai_WAF import cancel_cps_change_command + expected_raw_response = { + "change": "/cps/v2/enrollments/193622/changes/3914270" + } + expected_human_readable = "### Akamai WAF - cps cancel change\n|change|\n|---|\n|\ + /cps/v2/enrollments/193622/changes/3914270 |\n" + expected_context_entry = { + 'Akamai.Cps.Change.Canceled': { + 'change': '/cps/v2/enrollments/193622/changes/3914270' + } + } + mocker.patch.object(akamai_waf_client, 'cancel_cps_change', return_value=expected_raw_response) + human_readable, context_entry, raw_response = cancel_cps_change_command(client=akamai_waf_client, + enrollment_id="193622", + change_id="3914270") + assert expected_raw_response == raw_response + assert expected_human_readable == human_readable + assert expected_context_entry == context_entry + + +def test_get_cps_enrollment_by_id_command(mocker, akamai_waf_client): + """ + Given: + - enrollment ID. + When: + - running the command get_cps_enrollment_by_id_command. + Then: + - we get details of enrollment. 
+ """ + from Akamai_WAF import get_cps_enrollment_by_id_command + test_data = util_load_json('test_data/get_cps_enrollment_by_id_test.json') + expected_raw_response = test_data + expected_context_entry = util_load_json('test_data/get_cps_enrollment_by_id_context.json') + + mocker.patch.object(akamai_waf_client, 'get_cps_enrollment_by_id', return_value=expected_raw_response) + _, context_entry, raw_response = get_cps_enrollment_by_id_command(client=akamai_waf_client, enrollment_id=193622) + assert expected_raw_response == raw_response + assert expected_context_entry == context_entry diff --git a/Packs/Akamai_WAF/Integrations/Akamai_WAF/README.md b/Packs/Akamai_WAF/Integrations/Akamai_WAF/README.md index f37d8639a161..0026b3f0eb1d 100644 --- a/Packs/Akamai_WAF/Integrations/Akamai_WAF/README.md +++ b/Packs/Akamai_WAF/Integrations/Akamai_WAF/README.md 
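Review bot: `test_cancel_cps_change_command` only exercises the `enrollment_id` + `change_id` branch with the client method mocked, so neither the `change_path`-only branch nor the URL that `cancel_cps_change` actually builds is covered; a second case calling with `change_path='/cps/v2/enrollments/193622/changes/3914270'` plus an assertion on the DELETE target (for example via `requests_mock`) would catch a wrong path before it reaches a live account. The `expected_human_readable` literal is continued with a backslash inside the string, so the indentation of the next physical line becomes part of the expected markdown and the assertion only holds while that indentation happens to match what `tableToMarkdown` emits; adjacent string literals are the robust form. `util_load_txt`, added in the earlier hunk, is not used by either new test.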
@@ -1683,4 +1683,43 @@ Gets the status of a pending change. } } }}}} -``` \ No newline at end of file +``` +### akamai-get-cps-enrollment-by-id + +*** +Get an enrollment in CPS by enrollment id + +#### Base Command + +`akamai-get-cps-enrollment-by-id` + +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| enrollment_id | Enrollment on which to perform the desired operation. | Required | + +#### Context Output + +There is no context output for this command. +### akamai-cancel-cps-change + +*** +Cancels a pending change on CPS. + +#### Base Command + +`akamai-cancel-cps-change` + +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| change_id | The change for this enrollment on which to perform the desired operation. Default is 0. "change_path" is used. Default is 0. | Required | +| enrollment_id | Enrollment on which to perform the desired operation. Default is 0. "change_path" is used. Default is 0. | Required | +| change_path | Change path on which to perform the desired operation. Sample: /cps/v2/enrollments/100000/changes/88888888. Note: change_path is not listed in the reference as a parameter. However it can be extracted directly from "list_enrollments_command". This should be the most common useage when generate RestAPI's URL. | Optional | +| account_switch_key | For customers who manage more than one account, this runs the operation from another account. The Identity and Access Management API provides a list of available account switch keys. | Optional | + +#### Context Output + +There is no context output for this command. diff --git a/Packs/Akamai_WAF/Integrations/Akamai_WAF/test_data/get_cps_enrollment_by_id_context.json b/Packs/Akamai_WAF/Integrations/Akamai_WAF/test_data/get_cps_enrollment_by_id_context.json new file mode 100644 index 000000000000..83f96240ab77 --- /dev/null +++ b/Packs/Akamai_WAF/Integrations/Akamai_WAF/test_data/get_cps_enrollment_by_id_context.json 
@@ -0,0 +1 @@ +{"Akamai.Cps.Enrollments": {"adminContact": {"addressLineOne": "601 Riverside Avenue", "addressLineTwo": null, "city": null, "country": null, "email": "Akamaizers@test.com", "firstName": "FIS", "lastName": "Akamaizers", "organizationName": null, "phone": "123-123-1234", "postalCode": null, "region": null, "title": null}, "assignedSlots": [168334], "autoRenewalStartTime": null, "certificateChainType": "default", "certificateType": "third-party", "changeManagement": true, "csr": {"c": "US", "cn": "tools-portal-app-mbp-amex-batest.dev.fiscloudservices.com", "l": "Jacksonville", "o": "Fidelity National Information Services", "ou": "Fidelity National Information Services", "preferredTrustChain": null, "sans": ["tools-portal-app-mbp-amex-batest.dev.fiscloudservices.com"], "st": "Florida"}, "enableMultiStackedCertificates": true, "id": 190080, "location": "/cps/v2/enrollments/190080", "maxAllowedSanNames": 100, "maxAllowedWildcardSanNames": 100, "networkConfiguration": {"clientMutualAuthentication": null, "disallowedTlsVersions": ["TLSv1","TLSv1_1"], "dnsNameSettings": {"cloneDnsNames":true,"dnsNames":["tools-portal-app-mbp-amex-batest.dev.fiscloudservices.com"]}, "fipsMode": null, "geography": "core", "mustHaveCiphers": "ak-akamai-2020q1", "ocspStapling": "on", "preferredCiphers": "ak-akamai-2020q1", "quicEnabled": true, "secureNetwork": "enhanced-tls", "sniOnly": true}, "org": {"addressLineOne": "601 Riverside Avenue", "addressLineTwo": null, "city": "Jacksonville", "country": "US", "name": "Fidelity National Information Services", "phone": "501-220-5100", "postalCode": "32204", "region": "Florida"}, "orgId": null, "pendingChanges": [{"changeType":"renewal","location":"/cps/v2/enrollments/190080/changes/5231996"}], "productionSlots": [168334], "ra": "third-party", "signatureAlgorithm": null, "stagingSlots": [168334], "techContact": {"addressLineOne": null, "addressLineTwo": null, "city": null, "country": null, "email": "test-ps@akamai.com", "firstName": 
"FIS", "lastName": "PS", "organizationName": null, "phone": "877-425-2832", "postalCode": null, "region": null, "title": null}, "thirdParty": {"excludeSans": false}, "validationType": "third-party"}} \ No newline at end of file diff --git a/Packs/Akamai_WAF/Integrations/Akamai_WAF/test_data/get_cps_enrollment_by_id_test.json b/Packs/Akamai_WAF/Integrations/Akamai_WAF/test_data/get_cps_enrollment_by_id_test.json new file mode 100644 index 000000000000..467d13885840 --- /dev/null +++ b/Packs/Akamai_WAF/Integrations/Akamai_WAF/test_data/get_cps_enrollment_by_id_test.json 
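Review bot: The fixture reads like a verbatim production response rather than synthetic data: a named organization with street address, contact e-mail addresses and phone numbers, real-looking hostnames, and enrollment, change and slot identifiers. Once merged this is public and identifies a specific customer account and its contacts, so replace the values with clearly fake ones (RFC 2606 domains such as `example.com`, `555`-style numbers, placeholder names and ids) before merging; `get_cps_enrollment_by_id_test.json` in the next file section needs the same scrubbing and should be kept identical to this file's `Akamai.Cps.Enrollments` value so the context test still compares like with like. `adminContact.email` being a `test.com` address while the other contact details are not suggests the sanitization was only partial.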
@@ -0,0 +1,24 @@ +{ + "adminContact":{ + "addressLineOne":"601 Riverside Avenue", + "addressLineTwo":null, + "city":null, + "country":null, + "email":"Akamaizers@test.com", + "firstName":"FIS", + "lastName":"Akamaizers", + "organizationName":null, + "phone":"123-123-1234", + "postalCode":null, + "region":null, + "title":null + }, + "assignedSlots":[168334], + "autoRenewalStartTime":null, + "certificateChainType":"default", + "certificateType":"third-party", + "changeManagement":true, + "csr":{"c":"US","cn":"tools-portal-app-mbp-amex-batest.dev.fiscloudservices.com","l":"Jacksonville","o":"Fidelity National Information Services","ou":"Fidelity National Information Services","preferredTrustChain":null,"sans":["tools-portal-app-mbp-amex-batest.dev.fiscloudservices.com"],"st":"Florida"},"enableMultiStackedCertificates":true,"id":190080,"location":"/cps/v2/enrollments/190080","maxAllowedSanNames":100,"maxAllowedWildcardSanNames":100,"networkConfiguration":{"clientMutualAuthentication":null,"disallowedTlsVersions":["TLSv1","TLSv1_1"],"dnsNameSettings":{"cloneDnsNames":true,"dnsNames":["tools-portal-app-mbp-amex-batest.dev.fiscloudservices.com"]},"fipsMode":null,"geography":"core","mustHaveCiphers":"ak-akamai-2020q1","ocspStapling":"on","preferredCiphers":"ak-akamai-2020q1","quicEnabled":true,"secureNetwork":"enhanced-tls","sniOnly":true},"org":{"addressLineOne":"601 Riverside Avenue","addressLineTwo":null,"city":"Jacksonville","country":"US","name":"Fidelity National Information 
Services","phone":"501-220-5100","postalCode":"32204","region":"Florida"},"orgId":null,"pendingChanges":[{"changeType":"renewal","location":"/cps/v2/enrollments/190080/changes/5231996"}],"productionSlots":[168334],"ra":"third-party","signatureAlgorithm":null,"stagingSlots":[168334],"techContact":{"addressLineOne":null,"addressLineTwo":null,"city":null,"country":null,"email":"test-ps@akamai.com","firstName":"FIS","lastName":"PS","organizationName":null,"phone":"877-425-2832","postalCode":null,"region":null,"title":null}, + "thirdParty":{"excludeSans":false}, + "validationType":"third-party" +} \ No newline at end of file diff --git a/Packs/Akamai_WAF/ReleaseNotes/2_0_12.md b/Packs/Akamai_WAF/ReleaseNotes/2_0_12.md new file mode 100644 index 000000000000..09a70b100e2e --- /dev/null +++ b/Packs/Akamai_WAF/ReleaseNotes/2_0_12.md @@ -0,0 +1,9 @@ + +#### Integrations + +##### Akamai WAF +- Updated the Docker image to: *demisto/auth-utils:1.0.0.105764*. + + - Added 2 commands: + - ***akamai-cancel-cps-change*** + - ***akamai-get-cps-enrollment-by-id*** diff --git a/Packs/Akamai_WAF/pack_metadata.json b/Packs/Akamai_WAF/pack_metadata.json index de330bb2ea05..5ea59016041d 100644 --- a/Packs/Akamai_WAF/pack_metadata.json +++ b/Packs/Akamai_WAF/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Akamai WAF", "description": "Use the Akamai WAF integration to manage common sets of lists used by various Akamai security products and features.", "support": "xsoar", - "currentVersion": "2.0.11", + "currentVersion": "2.0.12", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", From e286780334d99b6ff7072461382896504573b608 Mon Sep 17 00:00:00 2001 
From: ilaredo <166304750+ilaredo@users.noreply.github.com> Date: Mon, 29 Jul 2024 11:23:08 +0300 Subject: [PATCH 03/19] add description about en-gb instead of en-us (#35619) * add description about en-gb instead of en-us * Update Packs/rasterize/Integrations/rasterize/README.md Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Update Packs/rasterize/Integrations/rasterize/rasterize_description.md Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * update release note --------- Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> --- Packs/rasterize/Integrations/rasterize/README.md | 1 + .../rasterize/Integrations/rasterize/rasterize_description.md | 1 + Packs/rasterize/ReleaseNotes/2_0_19.md | 4 ++++ Packs/rasterize/pack_metadata.json | 2 +- 4 files changed, 7 insertions(+), 1 deletion(-) create mode 100644 Packs/rasterize/ReleaseNotes/2_0_19.md diff --git a/Packs/rasterize/Integrations/rasterize/README.md b/Packs/rasterize/Integrations/rasterize/README.md index eb33838f00ec..becb34f840ca 100644 --- a/Packs/rasterize/Integrations/rasterize/README.md +++ b/Packs/rasterize/Integrations/rasterize/README.md 
@@ -29,6 +29,7 @@ If you are using the integration to rasterize un-trusted URLs or HTML content, s ``` To set a language for the browser, add the *--accept-lang* argument followed by the desired language code in IETF BCP 47 format. For example, `--accept-lang=de-DE`. +If you want to set the language to en-US, use en-GB instead. * Rasterize Mode: It is possible to rasterize either via Chrome WebDriver or Chrome Headless CLI. WebDriver supports more options than Headless CLI. Such as support for the `offline` option in the `rasterize-emails` command. There are some urls that do not rasterize well with WebDriver and may succeed with Headless CLI. Thus, it is recommended to use the `WebDriver - Preferred` mode, which will use WebDriver as a start and fallback to Headless CLI if it fails. * Use system proxy settings: Select this checkbox to use the system's proxy settings. **Important**: this integration does not support proxies which require authentication. diff --git a/Packs/rasterize/Integrations/rasterize/rasterize_description.md b/Packs/rasterize/Integrations/rasterize/rasterize_description.md index 45e19670fe13..7dd252c7ca51 100644 --- a/Packs/rasterize/Integrations/rasterize/rasterize_description.md +++ b/Packs/rasterize/Integrations/rasterize/rasterize_description.md 
@@ -12,5 +12,6 @@ If you are using the integration to rasterize un-trusted URLs or HTML content, s --disable-auto-reload,[--disable-dev-shm-usage] ``` To set a language for the browser, add the *--accept-lang* argument followed by the desired language code in IETF BCP 47 format. For example, `--accept-lang=de-DE`. + If you want to set the language to en-US, use en-GB instead. * Rasterize Mode: It is possible to rasterize either via Chrome WebDriver or Chrome Headless CLI. WebDriver supports more options than Headless CLI. Such as support for the `offline` option in the `rasterize-emails` command. There are some urls that do not rasterize well with WebDriver and may succeed with Headless CLI. Thus, it is recommended to use the `WebDriver - Preferred` mode, which will use WebDriver as a start and fallback to Headless CLI if it fails. * Use system proxy settings: Select this checkbox to use the system's proxy settings. **Important**: this integration does not support proxies which require authentication. diff --git a/Packs/rasterize/ReleaseNotes/2_0_19.md b/Packs/rasterize/ReleaseNotes/2_0_19.md new file mode 100644 index 000000000000..91e23f6d4f43 --- /dev/null +++ b/Packs/rasterize/ReleaseNotes/2_0_19.md @@ -0,0 +1,4 @@ +#### Integrations + +##### Rasterize +Updated integration description. \ No newline at end of file diff --git a/Packs/rasterize/pack_metadata.json b/Packs/rasterize/pack_metadata.json index 871de71e22e1..32421e04dc81 100644 --- a/Packs/rasterize/pack_metadata.json +++ b/Packs/rasterize/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Rasterize", "description": "Converts URLs, PDF files, and emails to an image file or PDF file.", "support": "xsoar", - "currentVersion": "2.0.18", + "currentVersion": "2.0.19", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", From 1f805aa7a5a23dca0969808689b4efc1664f616f Mon Sep 17 00:00:00 2001 
From: content-bot <55035720+content-bot@users.noreply.github.com> Date: Mon, 29 Jul 2024 12:26:18 +0300 Subject: [PATCH 04/19] [Marketplace Contribution] LogPoint SIEM Integration - Content Pack Update (#34185) (#35632) * "contribution update to pack 'LogPoint SIEM Integration'" * pack resubmitted * pack resubmitted * resolved rebase conflicts * Updated for contributor * Added docker image to RNs * Deleted pack.zip * Updated RNs * Updated docs --------- Co-authored-by: xsoar-bot <67315154+xsoar-bot@users.noreply.github.com> Co-authored-by: Anas Yousef <44998563+anas-yousef@users.noreply.github.com> --- .../LogPoint_SIEM_Integration.py | 28 +- .../LogPoint_SIEM_Integration.yml | 371 +++++++++--------- .../LogPoint_SIEM_Integration/README.md | 27 +- .../ReleaseNotes/1_2_11.md | 8 + .../pack_metadata.json | 2 +- 5 files changed, 234 insertions(+), 202 deletions(-) create mode 100644 Packs/LogPoint_SIEM_Integration/ReleaseNotes/1_2_11.md diff --git a/Packs/LogPoint_SIEM_Integration/Integrations/LogPoint_SIEM_Integration/LogPoint_SIEM_Integration.py b/Packs/LogPoint_SIEM_Integration/Integrations/LogPoint_SIEM_Integration/LogPoint_SIEM_Integration.py index c2c57e77cedf..7f6e0d956c0c 100644 --- a/Packs/LogPoint_SIEM_Integration/Integrations/LogPoint_SIEM_Integration/LogPoint_SIEM_Integration.py +++ b/Packs/LogPoint_SIEM_Integration/Integrations/LogPoint_SIEM_Integration/LogPoint_SIEM_Integration.py @@ -1,15 +1,15 @@ import demistomock as demisto # noqa: F401 from CommonServerPython import * # noqa: F401 -from CommonServerUserPython import * ''' IMPORTS ''' -import dateparser import json import traceback +from datetime import datetime, timedelta + +import dateparser import urllib3 -from datetime import timedelta, datetime # Disable insecure warnings urllib3.disable_warnings() 
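Review bot: The hunk drops `from CommonServerUserPython import *` while otherwise reading as an import reorder; that module is where user-defined helpers are exposed to integrations, so confirm nothing in this file relies on a name it provided. If the removal is deliberate, a line in the release note saying so makes the behaviour change traceable rather than hidden inside a reordering.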
@@ -302,7 +302,7 @@ def get_livesearches(self): data=data ) - def get_search_id(self, query, time_range, limit=100, repos=[]): + def get_search_id(self, query, time_range, limit=100, repos=[], timeout=60): """ :param query: LogPoint search query @@ -312,6 +312,8 @@ def get_search_id(self, query, time_range, limit=100, repos=[]): :param repos: LogPoint repos from where logs should be fetched + :param timeout: LogPoint search timeout + :return: dict containing response from API call """ data = { @@ -321,7 +323,8 @@ def get_search_id(self, query, time_range, limit=100, repos=[]): "query": query, "time_range": time_range, "limit": limit, - "repos": repos + "repos": repos, + "timeout": timeout }) } return self._http_request( @@ -701,12 +704,13 @@ def get_searchid_command(client, args): time_range = args.get('time_range', 'Last 5 minutes') limit = args.get('limit', '100') repos = argToList(args.get('repos')) + timeout = args.get('timeout', '60') if limit: try: limit = int(limit) except ValueError: raise DemistoException(f"The provided argument '{limit}' for limit is not a valid integer.") - result = client.get_search_id(query, time_range, limit, repos) + result = client.get_search_id(query, time_range, limit, repos, timeout) if not result.get('success'): raise DemistoException(result.get('message')) search_id = result.get('search_id') 
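Review bot: In the `@@ -701` hunk `timeout = args.get('timeout', '60')` is handed straight to `client.get_search_id`, where the `@@ -321` hunk JSON-encodes it as the string `"60"`, while `limit` two lines above is converted with `int()` and rejected with a `DemistoException` on bad input; the signature in the `@@ -302` hunk even declares the default as the integer `60`, so the type the API receives depends on which path set it. Validate it the same way as `limit`, e.g. `timeout = arg_to_number(args.get('timeout', '60'), arg_name='timeout', required=True)`, so an unparsable or empty argument fails here with a clear message rather than inside the LogPoint request. Whether LogPoint accepts a non-positive timeout is not visible here; if it does not, a `timeout <= 0` guard belongs next to the conversion. The body of `get_searchid_command` continues past the end of the hunk.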
@@ -729,10 +733,14 @@ def get_searchid_command(client, args): def search_logs_command(client, args): search_id = args.get('search_id') - search_result = client.get_search_results(search_id) - if not search_result.get('success'): - raise DemistoException(search_result.get('message')) - rows = search_result.get('rows', []) + rows = [] + while True: + search_result = client.get_search_results(search_id) + if not search_result.get('success'): + raise DemistoException(search_result.get('message')) + rows += search_result.get('rows', []) + if search_result.get('final'): + break if rows and len(rows) > 0: display_title = f"Found {len(rows)} logs" markdown = tableToMarkdown(display_title, rows, headers=None, diff --git a/Packs/LogPoint_SIEM_Integration/Integrations/LogPoint_SIEM_Integration/LogPoint_SIEM_Integration.yml b/Packs/LogPoint_SIEM_Integration/Integrations/LogPoint_SIEM_Integration/LogPoint_SIEM_Integration.yml index 75592883b978..78f124419a9c 100644 --- a/Packs/LogPoint_SIEM_Integration/Integrations/LogPoint_SIEM_Integration/LogPoint_SIEM_Integration.yml +++ b/Packs/LogPoint_SIEM_Integration/Integrations/LogPoint_SIEM_Integration/LogPoint_SIEM_Integration.yml @@ -46,15 +46,20 @@ configuration: name: max_fetch type: 0 required: false +- defaultvalue: '1' + display: Incidents Fetch Interval + name: incidentFetchInterval + required: false + type: 19 description: Use this Content Pack to search logs, fetch incident logs from LogPoint, analyze them for underlying threats, and respond to these threats in real-time. display: LogPoint SIEM Integration name: LogPoint SIEM Integration script: commands: - arguments: - - description: From Timestamp + - description: From Timestamp. name: ts_from - - description: To Timestamp + - description: To Timestamp. name: ts_to - description: Number of incidents to fetch. Accepts integer value. name: limit 
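Review bot: The new polling loop in `search_logs_command` has neither an upper bound nor a delay between calls, so a search whose results never arrive with `final` set — or an API that keeps answering `success` without it — spins forever and hammers the LogPoint endpoint from the playbook worker. Bound the loop with a maximum number of attempts and sleep briefly between polls, and raise a `DemistoException` when the bound is reached so the caller can retry with a larger `timeout` on `lp-get-searchid`; the sketch below uses constructed placeholder constants, and `time` would need to be added to the import block this commit already reorders. The meaning of `final` is inferred from its use here rather than from a visible API contract, so the exit condition should be confirmed against LogPoint's search-result documentation. The function body continues past the end of the hunk.
```python
def search_logs_command(client, args):
    search_id = args.get('search_id')
    rows = []
    # MAX_POLL_ATTEMPTS / POLL_INTERVAL_SECONDS are constructed placeholders; size them to
    # the search timeout passed to lp-get-searchid (default 60s).
    for _ in range(MAX_POLL_ATTEMPTS):
        search_result = client.get_search_results(search_id)
        if not search_result.get('success'):
            raise DemistoException(search_result.get('message'))
        rows += search_result.get('rows', [])
        if search_result.get('final'):
            break
        time.sleep(POLL_INTERVAL_SECONDS)
    else:
        raise DemistoException(
            f"Search {search_id} did not complete after {MAX_POLL_ATTEMPTS} polls; "
            "re-run lp-get-searchid with a larger timeout."
        )
    # … unchanged: rendering rows with tableToMarkdown …
```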
@@ -62,82 +67,82 @@ script: name: lp-get-incidents outputs: - contextPath: LogPoint.Incidents.name - description: LogPoint Incident Name + description: LogPoint Incident Name. type: String - contextPath: LogPoint.Incidents.type - description: LogPoint Incident Type + description: LogPoint Incident Type. type: String - contextPath: LogPoint.Incidents.incident_id - description: LogPoint Incident ID + description: LogPoint Incident ID. type: String - contextPath: LogPoint.Incidents.assigned_to - description: LogPoint Incidents Assigned To + description: LogPoint Incidents Assigned To. type: String - contextPath: LogPoint.Incidents.status - description: LogPoint Incidents Status + description: LogPoint Incidents Status. type: String - contextPath: LogPoint.Incidents.id - description: LogPoint Incident Object ID + description: LogPoint Incident Object ID. type: String - contextPath: LogPoint.Incidents.detection_timestamp - description: LogPoint Incidents Detection Timestamp + description: LogPoint Incidents Detection Timestamp. type: Number - contextPath: LogPoint.Incidents.username - description: LogPoint Incident Username + description: LogPoint Incident Username. type: String - contextPath: LogPoint.Incidents.user_id - description: LogPoint Incidents User ID + description: LogPoint Incidents User ID. type: String - contextPath: LogPoint.Incidents.assigned_to - description: LogPoint Incidents Assigned To + description: LogPoint Incidents Assigned To. type: String - contextPath: LogPoint.Incidents.visible_to - description: LogPoint Incidents Visible To + description: LogPoint Incidents Visible To. type: String - contextPath: LogPoint.Incidents.tid - description: LogPoint Incidents Tid + description: LogPoint Incidents Tid. type: String - contextPath: LogPoint.Incidents.rows_count - description: LogPoint Incidents Rows Count + description: LogPoint Incidents Rows Count. 
type: String - contextPath: LogPoint.Incidents.risk_level - description: LogPoint Incidents Risk Level + description: LogPoint Incidents Risk Level. type: String - contextPath: LogPoint.Incidents.detection_timestamp - description: LogPoint Incidents Detection Timestamp + description: LogPoint Incidents Detection Timestamp. type: String - contextPath: LogPoint.Incidents.loginspect_ip_dns - description: LogPoint Incidents Loginspect IP DNS + description: LogPoint Incidents Loginspect IP DNS. type: String - contextPath: LogPoint.Incidents.status - description: LogPoint Incidents Status + description: LogPoint Incidents Status. type: String - contextPath: LogPoint.Incidents.comments - description: LogPoint Incidents Comments + description: LogPoint Incidents Comments. type: String - contextPath: LogPoint.Incidents.commentscount - description: LogPoint Incidents Comments Count + description: LogPoint Incidents Comments Count. type: Number - contextPath: LogPoint.Incidents.query - description: LogPoint Incidents Query + description: LogPoint Incidents Query. type: String - contextPath: LogPoint.Incidents.repos - description: LogPoint Incidents Repos + description: LogPoint Incidents Repos. type: String - contextPath: LogPoint.Incidents.time_range - description: LogPoint Incidents Time Range + description: LogPoint Incidents Time Range. type: String - contextPath: LogPoint.Incidents.alert_obj_id - description: LogPoint Incidents Alert Obj Id + description: LogPoint Incidents Alert Obj Id. type: String - contextPath: LogPoint.Incidents.throttle_enabled - description: LogPoint Incidents Throttle Enabled + description: LogPoint Incidents Throttle Enabled. type: Boolean - contextPath: LogPoint.Incidents.lastaction - description: LogPoint Incidents Last Action + description: LogPoint Incidents Last Action. type: String - contextPath: LogPoint.Incidents.description - description: LogPoint Incidents Description + description: LogPoint Incidents Description. 
type: String - arguments: - description: Object ID of a particular incident. It is the value contained in 'id' key of the incidents obtained from 'lp-get-incidents' command. 
@@ -149,403 +154,403 @@ script: - description: Incident Detection TImestamp. It is the value contained in 'detection_timestamp' key of the incidents obtained from 'lp-get-incidents' command. name: date required: true - description: Retrieves a Particular Incident's Data + description: Retrieves a Particular Incident's Data. name: lp-get-incident-data outputs: - contextPath: LogPoint.Incidents.data.use - description: LogPoint Incidents Data Use + description: LogPoint Incidents Data Use. type: String - contextPath: LogPoint.Incidents.data.used - description: LogPoint Incidents Data Used + description: LogPoint Incidents Data Used. type: String - contextPath: LogPoint.Incidents.data.log_ts - description: LogPoint Incidents Data Log Ts + description: LogPoint Incidents Data Log Ts. type: Number - contextPath: LogPoint.Incidents.data._type_str - description: LogPoint Incidents Data Type Str + description: LogPoint Incidents Data Type Str. type: String - contextPath: LogPoint.Incidents.data.msg - description: LogPoint Incidents Data Msg + description: LogPoint Incidents Data Msg. type: String - contextPath: LogPoint.Incidents.data.total - description: LogPoint Incidents Data Total + description: LogPoint Incidents Data Total. type: String - contextPath: LogPoint.Incidents.data.device_name - description: LogPoint Incidents Data Device Name + description: LogPoint Incidents Data Device Name. type: String - contextPath: LogPoint.Incidents.data._offset - description: LogPoint Incidents Data Offset + description: LogPoint Incidents Data Offset. type: String - contextPath: LogPoint.Incidents.data.logpoint_name - description: LogPoint Incidents Data LogPoint Name + description: LogPoint Incidents Data LogPoint Name. type: String - contextPath: LogPoint.Incidents.data.repo_name - description: LogPoint Incidents Data Repo Name + description: LogPoint Incidents Data Repo Name. 
type: String - contextPath: LogPoint.Incidents.data.free - description: LogPoint Incidents Data Free + description: LogPoint Incidents Data Free. type: String - contextPath: LogPoint.Incidents.data.source_name - description: LogPoint Incidents Data Source Name + description: LogPoint Incidents Data Source Name. type: String - contextPath: LogPoint.Incidents.data.col_ts - description: LogPoint Incidents Data Col Ts + description: LogPoint Incidents Data Col Ts. type: Number - contextPath: LogPoint.Incidents.data._tz - description: LogPoint Incidents Data Tz + description: LogPoint Incidents Data Tz. type: String - contextPath: LogPoint.Incidents.data.norm_id - description: LogPoint Incidents Data Norm Id + description: LogPoint Incidents Data Norm Id. type: String - contextPath: LogPoint.Incidents.data._identifier - description: LogPoint Incidents Data Identifier + description: LogPoint Incidents Data Identifier. type: String - contextPath: LogPoint.Incidents.data.collected_at - description: LogPoint Incidents Data Collected At + description: LogPoint Incidents Data Collected At. type: String - contextPath: LogPoint.Incidents.data.device_ip - description: LogPoint Incidents Data Device IP + description: LogPoint Incidents Data Device IP. type: String - contextPath: LogPoint.Incidents.data._fromV550 - description: LogPoint Incidents Data From V550 + description: LogPoint Incidents Data From V550. type: String - contextPath: LogPoint.Incidents.data._enrich_policy - description: LogPoint Incidents Data Enrich Policy + description: LogPoint Incidents Data Enrich Policy. type: String - contextPath: LogPoint.Incidents.data._type_num - description: LogPoint Incidents Data Type Num + description: LogPoint Incidents Data Type Num. type: String - contextPath: LogPoint.Incidents.data._type_ip - description: LogPoint Incidents Data Type IP + description: LogPoint Incidents Data Type IP. 
type: String - contextPath: LogPoint.Incidents.data.sig_id - description: LogPoint Incidents Data Sig Id + description: LogPoint Incidents Data Sig Id. type: String - contextPath: LogPoint.Incidents.data.col_type - description: LogPoint Incidents Data Col Type + description: LogPoint Incidents Data Col Type. type: String - contextPath: LogPoint.Incidents.data.object - description: LogPoint Incidents Data Object + description: LogPoint Incidents Data Object. type: String - contextPath: LogPoint.Incidents.data._labels - description: LogPoint Incidents Data Labels + description: LogPoint Incidents Data Labels. type: String - contextPath: LogPoint.Incidents.data.source_address - description: Source Address + description: Source Address. type: String - contextPath: LogPoint.Incidents.data.destination_address - description: Destination Address + description: Destination Address. type: String - contextPath: LogPoint.Incidents.data.workstation - description: Workstation + description: Workstation. type: String - contextPath: LogPoint.Incidents.data.domain - description: Domain + description: Domain. type: String - contextPath: LogPoint.Incidents.data.user - description: User + description: User. type: String - contextPath: LogPoint.Incidents.data.caller_user - description: Caller User + description: Caller User. type: String - contextPath: LogPoint.Incidents.data.target_user - description: Target User + description: Target User. type: String - contextPath: LogPoint.Incidents.data.source_machine_id - description: Source Machie Id + description: Source Machie Id. type: String - contextPath: LogPoint.Incidents.data.destination_machine_id - description: Destination Machine Id + description: Destination Machine Id. type: String - contextPath: LogPoint.Incidents.data.destination_port - description: Destination Port + description: Destination Port. type: String - contextPath: LogPoint.Incidents.data.event_type - description: Event Type + description: Event Type. 
type: String - contextPath: LogPoint.Incidents.data.share_path - description: Share Path + description: Share Path. type: String - contextPath: LogPoint.Incidents.data.object_name - description: Object Name + description: Object Name. type: String - contextPath: LogPoint.Incidents.data.sub_status_code - description: Sub Status Code + description: Sub Status Code. type: String - contextPath: LogPoint.Incidents.data.object_type - description: Object Type + description: Object Type. type: String - contextPath: LogPoint.Incidents.data.request_method - description: Request Method + description: Request Method. type: String - contextPath: LogPoint.Incidents.data.status_code - description: Status Code + description: Status Code. type: String - contextPath: LogPoint.Incidents.data.received_datasize - description: Received Datasize + description: Received Datasize. type: String - contextPath: LogPoint.Incidents.data.received_packet - description: Received Packet + description: Received Packet. type: String - contextPath: LogPoint.Incidents.data.user_agent - description: User Agent + description: User Agent. type: String - contextPath: LogPoint.Incidents.data.sent_datasize - description: Sent Datasize + description: Sent Datasize. type: String - contextPath: LogPoint.Incidents.data.sender - description: Sender + description: Sender. type: String - contextPath: LogPoint.Incidents.data.receiver - description: Receiver + description: Receiver. type: String - contextPath: LogPoint.Incidents.data.datasize - description: Datasize + description: Datasize. type: String - contextPath: LogPoint.Incidents.data.file - description: File + description: File. type: String - contextPath: LogPoint.Incidents.data.subject - description: Subject + description: Subject. type: String - contextPath: LogPoint.Incidents.data.status - description: Status + description: Status. type: String - contextPath: LogPoint.Incidents.data.file_count - description: File Count + description: File Count. 
type: String - contextPath: LogPoint.Incidents.data.protocol_id - description: Protocol Id + description: Protocol Id. type: String - contextPath: LogPoint.Incidents.data.sent_packet - description: Sent Packet + description: Sent Packet. type: String - contextPath: LogPoint.Incidents.data.service - description: Service + description: Service. type: String - contextPath: LogPoint.Incidents.data.printer - description: Printer + description: Printer. type: String - contextPath: LogPoint.Incidents.data.print_count - description: Print Count + description: Print Count. type: String - contextPath: LogPoint.Incidents.data.event_id - description: Event Id + description: Event Id. type: String - contextPath: LogPoint.Incidents.data.country_name - description: Country Name + description: Country Name. type: String - contextPath: LogPoint.Incidents.data.host - description: Host + description: Host. type: String - contextPath: LogPoint.Incidents.data.hash - description: Hash + description: Hash. type: String - contextPath: LogPoint.Incidents.data.hash_sha1 - description: Hash SHA1 + description: Hash SHA1. type: String - contextPath: LogPoint.Incidents.data.agent_address - description: Agent Address + description: Agent Address. type: String - contextPath: LogPoint.Incidents.data.attacker_address - description: Attacker Address + description: Attacker Address. type: String - contextPath: LogPoint.Incidents.data.broadcast_address - description: Broadcast Address + description: Broadcast Address. type: String - contextPath: LogPoint.Incidents.data.client_address - description: Client Address + description: Client Address. type: String - contextPath: LogPoint.Incidents.data.client_hardware_address - description: Client Hardware Address + description: Client Hardware Address. type: String - contextPath: LogPoint.Incidents.data.destination_hardware_address - description: Destination Hardware Address + description: Destination Hardware Address. 
type: String - contextPath: LogPoint.Incidents.data.destination_nat_address - description: Destination NAT Address + description: Destination NAT Address. type: String - contextPath: LogPoint.Incidents.data.device_address - description: Device Address + description: Device Address. type: String - contextPath: LogPoint.Incidents.data.external_address - description: External Address + description: External Address. type: String - contextPath: LogPoint.Incidents.data.gateway_address - description: Gateway Address + description: Gateway Address. type: String - contextPath: LogPoint.Incidents.data.hardware_address - description: Hardware Address + description: Hardware Address. type: String - contextPath: LogPoint.Incidents.data.host_address - description: Host Address + description: Host Address. type: String - contextPath: LogPoint.Incidents.data.interface_address - description: Interface Address + description: Interface Address. type: String - contextPath: LogPoint.Incidents.data.lease_address - description: Lease Address + description: Lease Address. type: String - contextPath: LogPoint.Incidents.data.local_address - description: Local Address + description: Local Address. type: String - contextPath: LogPoint.Incidents.data.nas_address - description: Nas ddress + description: Nas ddress. type: String - contextPath: LogPoint.Incidents.data.nas_ipv6_address - description: Nas_IPV6 Address + description: Nas_IPV6 Address. type: String - contextPath: LogPoint.Incidents.data.nat_address - description: NAT Address + description: NAT Address. type: String - contextPath: LogPoint.Incidents.data.nat_source_address - description: NAT Source Address + description: NAT Source Address. type: String - contextPath: LogPoint.Incidents.data.network_address - description: Network Address + description: Network Address. type: String - contextPath: LogPoint.Incidents.data.new_hardware_address - description: New Hardware Address + description: New Hardware Address. 
type: String - contextPath: LogPoint.Incidents.data.old_hardware_address - description: Old Hardware Address + description: Old Hardware Address. type: String - contextPath: LogPoint.Incidents.data.original_address - description: Original Address + description: Original Address. type: String - contextPath: LogPoint.Incidents.data.original_client_address - description: Original Client Address + description: Original Client Address. type: String - contextPath: LogPoint.Incidents.data.original_destination_address - description: Original Destination Address + description: Original Destination Address. type: String - contextPath: LogPoint.Incidents.data.original_server_address - description: Original Server Address + description: Original Server Address. type: String - contextPath: LogPoint.Incidents.data.original_source_address - description: Original Source Address + description: Original Source Address. type: String - contextPath: LogPoint.Incidents.data.originating_address - description: Originating Address + description: Originating Address. type: String - contextPath: LogPoint.Incidents.data.peer_address - description: Peer Address + description: Peer Address. type: String - contextPath: LogPoint.Incidents.data.private_address - description: Private Address + description: Private Address. type: String - contextPath: LogPoint.Incidents.data.proxy_address - description: Proxy Address + description: Proxy Address. type: String - contextPath: LogPoint.Incidents.data.proxy_source_address - description: Proxy Source Address + description: Proxy Source Address. type: String - contextPath: LogPoint.Incidents.data.relay_address - description: Relay Address + description: Relay Address. type: String - contextPath: LogPoint.Incidents.data.remote_address - description: Remote Address + description: Remote Address. type: String - contextPath: LogPoint.Incidents.data.resolved_address - description: Resolved Address + description: Resolved Address. 
type: String - contextPath: LogPoint.Incidents.data.route_address - description: Route Address + description: Route Address. type: String - contextPath: LogPoint.Incidents.data.scanner_address - description: Scanner Address + description: Scanner Address. type: String - contextPath: LogPoint.Incidents.data.server_address - description: Server Address + description: Server Address. type: String - contextPath: LogPoint.Incidents.data.server_hardware_address - description: Server Hardware Address + description: Server Hardware Address. type: String - contextPath: LogPoint.Incidents.data.source_hardware_address - description: Source Hardware Address + description: Source Hardware Address. type: String - contextPath: LogPoint.Incidents.data.start_address - description: Start Address + description: Start Address. type: String - contextPath: LogPoint.Incidents.data.supplier_address - description: Supplier Address + description: Supplier Address. type: String - contextPath: LogPoint.Incidents.data.switch_address - description: Switch Address + description: Switch Address. type: String - contextPath: LogPoint.Incidents.data.translated_address - description: Translated Address + description: Translated Address. type: String - contextPath: LogPoint.Incidents.data.virtual_address - description: Virtual Address + description: Virtual Address. type: String - contextPath: LogPoint.Incidents.data.virtual_server_address - description: Virtual Server Address + description: Virtual Server Address. type: String - contextPath: LogPoint.Incidents.data.vpn_address - description: VPN Address + description: VPN Address. type: String - contextPath: LogPoint.Incidents.data.hash_length - description: Hash Length + description: Hash Length. type: String - contextPath: LogPoint.Incidents.data.hash_sha256 - description: Hash SHA256 + description: Hash SHA256. type: String - contextPath: LogPoint.Incidents.data.alternate_user - description: Alternate User + description: Alternate User. 
type: String - contextPath: LogPoint.Incidents.data.authenticated_user - description: Authenticated User + description: Authenticated User. type: String - contextPath: LogPoint.Incidents.data.authorized_user - description: Authorized User + description: Authorized User. type: String - contextPath: LogPoint.Incidents.data.certificate_user - description: Certificate User + description: Certificate User. type: String - contextPath: LogPoint.Incidents.data.current_user - description: Current User + description: Current User. type: String - contextPath: LogPoint.Incidents.data.database_user - description: Database User + description: Database User. type: String - contextPath: LogPoint.Incidents.data.destination_user - description: Destination User + description: Destination User. type: String - contextPath: LogPoint.Incidents.data.logon_user - description: Logon User + description: Logon User. type: String - contextPath: LogPoint.Incidents.data.new_max_user - description: New Max User + description: New Max User. type: String - contextPath: LogPoint.Incidents.data.new_user - description: New User + description: New User. type: String - contextPath: LogPoint.Incidents.data.old_max_user - description: Old Max User + description: Old Max User. type: String - contextPath: LogPoint.Incidents.data.os_user - description: OS User + description: OS User. type: String - contextPath: LogPoint.Incidents.data.remote_user - description: Remote User + description: Remote User. type: String - contextPath: LogPoint.Incidents.data.source_user - description: Source User + description: Source User. type: String - contextPath: LogPoint.Incidents.data.system_user - description: System User + description: System User. type: String - contextPath: LogPoint.Incidents.data.target_logon_user - description: Target Logon User + description: Target Logon User. type: String - contextPath: LogPoint.Incidents.data.zone_user - description: Zone User + description: Zone User. 
type: String - arguments: - - description: From Timestamp + - description: From Timestamp. name: ts_from - - description: To Timestamp + - description: To Timestamp. name: ts_to - description: Number of incident states data to fetch. Accepts integer value. name: limit @@ -553,16 +558,16 @@ script: name: lp-get-incident-states outputs: - contextPath: LogPoint.Incidents.states.id - description: LogPoint Incidents States Id + description: LogPoint Incidents States Id. type: String - contextPath: LogPoint.Incidents.states.status - description: LogPoint Incidents States Status + description: LogPoint Incidents States Status. type: String - contextPath: LogPoint.Incidents.states.assigned_to - description: LogPoint Incidents States Assigned To + description: LogPoint Incidents States Assigned To. type: String - contextPath: LogPoint.Incidents.states.comments - description: LogPoint Incidents States Comments + description: LogPoint Incidents States Comments. type: String - arguments: - description: Object ID of a particular incident. It is the value contained in 'id' key of the incidents obtained from 'lp-get-incidents' command. @@ -571,11 +576,11 @@ script: - description: Comment to be added to the incidents. name: comment required: true - description: Add comments to the incidents + description: Add comments to the incidents. name: lp-add-incident-comment outputs: - contextPath: LogPoint.Incidents.comment - description: LogPoint Incidents Comment + description: LogPoint Incidents Comment. type: String - arguments: - description: Object ID of a particular incident. It is the value contained in 'id' key of the incidents obtained from 'lp-get-incidents' command. Multiple id can be provided by separating them using comma. 
@@ -585,11 +590,11 @@ script: - description: Id of the user whom the incidents are assigned. It can be displayed using 'lp-get-users' command. name: new_assignee required: true - description: Assigning/Re-assigning Incidents + description: Assigning/Re-assigning Incidents. name: lp-assign-incidents outputs: - contextPath: LogPoint.Incidents.assign - description: LogPoint Incidents Assign + description: LogPoint Incidents Assign. type: String - arguments: - description: Object ID of a particular incident. It is the value contained in 'id' key of the incidents obtained from 'lp-get-incidents' command. Multiple id can be provided by separating them using comma. @@ -600,7 +605,7 @@ script: name: lp-resolve-incidents outputs: - contextPath: LogPoint.Incidents.resolve - description: LogPoint Incidents Resolve + description: LogPoint Incidents Resolve. type: String - arguments: - description: Object ID of a particular incident. It is the value contained in 'id' key of the incidents obtained from 'lp-get-incidents' command. Multiple id can be provided by separating them using comma. 
@@ -611,31 +616,32 @@ script: name: lp-close-incidents outputs: - contextPath: LogPoint.Incidents.close - description: LogPoint Incidents Close + description: LogPoint Incidents Close. type: String - arguments: - description: Object ID of a particular incident. It is the value contained in 'id' key of the incidents obtained from 'lp-get-incidents' command. Multiple id can be provided by separating them using comma. isArray: true name: incident_obj_ids required: true - description: Re-opens the closed incidents + description: Re-opens the closed incidents. name: lp-reopen-incidents outputs: - contextPath: LogPoint.Incidents.reopen - description: LogPoint Incidents Reopen + description: LogPoint Incidents Reopen. type: String - description: Gets Incident users and user groups. name: lp-get-users outputs: - contextPath: LogPoint.Incidents.users.id - description: LogPoint Incidents Users Id + description: LogPoint Incidents Users Id. type: String - contextPath: LogPoint.Incidents.users.name - description: LogPoint Incidents Users Name + description: LogPoint Incidents Users Name. type: String - contextPath: LogPoint.Incidents.users.usergroups - description: LogPoint Incidents Users Usergroups + description: LogPoint Incidents Users Usergroups. type: String + arguments: [] - description: Gets LogPoint user's preference such as timezone, date format, etc. name: lp-get-users-preference outputs: @@ -648,6 +654,7 @@ script: - contextPath: LogPoint.User.Preference.hour_format description: LogPoint user's hour format. type: String + arguments: [] - description: Gets user's LogPoints. name: lp-get-logpoints outputs: @@ -657,6 +664,7 @@ script: - contextPath: LogPoint.LogPoints.ip description: LogPoint's IP address. type: String + arguments: [] - description: Gets the list of LogPoint repos that can be accessed by the user. name: lp-get-repos outputs: 
@@ -666,6 +674,7 @@ script: - contextPath: LogPoint.Repos.address description: LogPoint repo address. type: String + arguments: [] - description: Gets devices associated with LogPoint. name: lp-get-devices outputs: @@ -675,6 +684,7 @@ script: - contextPath: LogPoint.Devices.address description: Device IP address. type: String + arguments: [] - description: Gets live search results of the alerts and dashboards. name: lp-get-livesearches outputs: @@ -690,6 +700,7 @@ script: - contextPath: LogPoint.LiveSearches.query description: The live search query. type: String + arguments: [] - arguments: - description: LogPoint search query. This should be the exact query to use to search logs in the LogPoint UI. name: query @@ -703,6 +714,9 @@ script: - description: A comma-separated list of LogPoint repos from which logs are to be fetched. If not provided, it will display logs from all repos. isArray: true name: repos + - defaultValue: '60' + description: LogPoint search timeout in seconds. + name: timeout description: Gets the search ID based on the provided search parameters. name: lp-get-searchid outputs: @@ -719,10 +733,10 @@ script: - contextPath: LogPoint.SearchLogs description: Search results. type: String - dockerimage: demisto/python3:3.10.14.90585 + dockerimage: demisto/python3:3.10.14.99865 isfetch: true runonce: false - script: '-' + script: '' subtype: python3 type: python tests: @@ -730,5 +744,4 @@ tests: - LogPoint SIEM Integration - Test Playbook 2 - LogPoint SIEM Integration - Test Playbook 3 defaultmapperin: LogPoint SIEM Integration - Incoming Mapper -defaultclassifier: fromversion: 6.0.0 diff --git a/Packs/LogPoint_SIEM_Integration/Integrations/LogPoint_SIEM_Integration/README.md b/Packs/LogPoint_SIEM_Integration/Integrations/LogPoint_SIEM_Integration/README.md index d86a8c1325ee..622b51cdbb9b 100644 --- a/Packs/LogPoint_SIEM_Integration/Integrations/LogPoint_SIEM_Integration/README.md 
+++ b/Packs/LogPoint_SIEM_Integration/Integrations/LogPoint_SIEM_Integration/README.md @@ -17,17 +17,19 @@ This integration was integrated and tested with version 6.7.4 of LogPoint. | **Parameter** | **Description** | **Required** | | --- | --- | --- | - | url | LogPoint URL | True | - | username | LogPoint Username | True | - | apikey | API Key | True | - | insecure | Trust any certificate \(not secure\) | False | - | proxy | Use system proxy settings | False | - | first_fetch | First fetch timestamp (\ \