Keeper Secrets Manager Event Collector (#35107)

* Init integration * Moved to right path * CR fixes * Deleted files * Deleted comments * Dummy * Trying out SDK * Stash changes * Don't throw error * Deleted if statement * Added authentication and fetch * Organized code * Added docs, refresh token, updated fetch events * Updated image * Comment * Adding unit tests * Fixed content item suffix * Testing * added start and complete command * Updated desc * add_time_to_events * Added demo comments * Added UTs for registration * Added docstrings for unit tests * Deleted aud * Deleted test_data * Added README * Added RNs * pre-commit * CR fixes * Removed ignore * Fix YML * Added type: ignore to where needed * pylint errors * Added docs to abstract class * Moved to Keeper Secutiry * Deleted old integration * Removed RNs * Using keeper-security * Add modeling rules * Modified README file * Updated docker tag * Modified modeling rule * Modified modeling rule * Update KeeperSecurity.yml * Added Keywords and Tags to pack's metadata --------- Co-authored-by: samuelFain <[email protected]> Co-authored-by: Yehonatan Asta <[email protected]>
demisto · Sep 23, 2024 · 2936cf3 · 2936cf3
1 parent 66735e8
commit 2936cf3
Show file tree

Hide file tree

Showing 15 changed files with 1,954 additions and 0 deletions.
diff --git a/Packs/KeeperSecurity/.pack-ignore b/Packs/KeeperSecurity/.pack-ignore
diff --git a/Packs/KeeperSecurity/.secrets-ignore b/Packs/KeeperSecurity/.secrets-ignore
diff --git a/Packs/KeeperSecurity/Author_image.png b/Packs/KeeperSecurity/Author_image.png
diff --git a/Packs/KeeperSecurity/Integrations/KeeperSecurity/KeeperSecurity.py b/Packs/KeeperSecurity/Integrations/KeeperSecurity/KeeperSecurity.py
diff --git a/Packs/KeeperSecurity/Integrations/KeeperSecurity/KeeperSecurity.yml b/Packs/KeeperSecurity/Integrations/KeeperSecurity/KeeperSecurity.yml
@@ -0,0 +1,65 @@
+category: Authentication & Identity Management
+sectionOrder:
+- Connect
+- Collect
+commonfields:
+  id: KeeperSecurity
+  version: -1
+configuration:
+- defaultvalue: keepersecurity.com
+  display: Server URL
+  name: url
+  required: true
+  type: 0
+  section: Connect
+  additionalinfo: The server URL. For more help, checkout the 'Server Regions' section in the description.
+- display: Username
+  name: credentials
+  defaultvalue: ""
+  type: 9
+  required: true
+  section: Connect
+  displaypassword: Password
+- defaultvalue: "10000"
+  display: Maximum number of Alerts to fetch.
+  name: alerts_max_fetch
+  type: 0
+  section: Collect
+- display: Trust any certificate (not secure)
+  name: insecure
+  type: 8
+  required: false
+  section: Connect
+- display: Use system proxy settings
+  name: proxy
+  type: 8
+  required: false
+  section: Connect
+description: Use this integration to fetch audit logs from Keeper Security Admin Console as XSIAM events.
+display: Keeper Security
+name: KeeperSecurity
+script:
+  commands:
+  - arguments:
+    - description: The authorization code retrieved from user's email.
+      name: code
+      required: false
+    description: "Use this command to complete the registration process."
+    name: keeper-security-register-complete
+  - description: "Use this command to start the registration process."
+    name: keeper-security-register-start
+    arguments: []
+  - description: Use this command to test the connectivity of the instance.
+    name: keeper-security-register-test
+    arguments: []
+  runonce: false
+  isfetchevents: true
+  script: '-'
+  type: python
+  subtype: python3
+  dockerimage: demisto/keepercommander:1.0.0.112259
+fromversion: 6.8.0
+marketplaces:
+- marketplacev2
+tests:
+- No tests (auto formatted)
diff --git a/Packs/KeeperSecurity/Integrations/KeeperSecurity/KeeperSecurity_description.md b/Packs/KeeperSecurity/Integrations/KeeperSecurity/KeeperSecurity_description.md
@@ -0,0 +1,32 @@
+# Keeper Security Event Collector
+
+## Authentication
+
+Use basic authentication to communicate with the product. Supply your username and password of the account that you want to use.
+To create a new user:
+
+1. Log in in as admin in [Keeper Admin Console](https://keepersecurity.com/console/).
+2. Go to the **Admin** panel, found in the left side bar.
+3. Press on **Add User**, and complete the registration process.
+4. Once the user has been created, press on the **Edit** icon, and in the **User Actions** dropdown, click **Disable 2FA** (2FA is currently not supported).
+
+### Authentication Process
+
+In order to authenticate the configured user, the product uses a device registration process. In order to register a new device that will be used to authenticate the user, follow the following procedures:
+
+1. Run the **!keeper-security-register-start** command.
+2. If the account does **not** have a configured device, then an authorization code will be sent to the configured email address.
+3. Run the **!keeper-security-register-complete** command with the acquired authorization code. If the account already has a registered device, run the command without supplying any arguments.
+4. Run the command **!keeper-security-register-test** to test that everything is working fine.
+
+## Server Regions
+
+Use the URLs for the region that hosts your account:
+For more information, see the [Server Config File Options](https://docs.keeper.io/en/v/secrets-manager/commander-cli/commander-installation-setup/configuration#config-file-options)
+
+- US Instance: <https://keepersecurity.com>
+- EU Instance: <https://keepersecurity.eu>
+- AU Instance: <https://keepersecurity.com.au>
+- GOV Instance: <https://govcloud.keepersecurity.us>
+- CA Instance: <https://keepersecurity.ca>
+- JP Instance: <https://keepersecurity.jp>
diff --git a/Packs/KeeperSecurity/Integrations/KeeperSecurity/KeeperSecurity_image.png b/Packs/KeeperSecurity/Integrations/KeeperSecurity/KeeperSecurity_image.png