Merge branch 'contrib/metron-labs_devo-enh-4' into devo-enh-3

Packs/ActiveMQ/Integrations/ActiveMQ/ActiveMQ.yml

@@ -27,7 +27,7 @@ configuration:
   required: false
 - display: Client certificate key (.key)
   name: client_key
-  type: 12
+  type: 14
   required: false
 - display: Root Certificate
   name: root_ca

Packs/ActiveMQ/ReleaseNotes/1_1_15.md

@@ -0,0 +1,6 @@
+
+#### Integrations
+
+##### ActiveMQ
+
+- Fixed an issue where some configuration values were presented in clear text.

Packs/ActiveMQ/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "ActiveMQ",
     "description": "Uses Durable Topic Subscribers to fetch messages and ingest them as incidents in Demisto.",
     "support": "xsoar",
-    "currentVersion": "1.1.14",
+    "currentVersion": "1.1.15",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule.py

@@ -13,7 +13,7 @@
 
 XSOAR_RESOLVED_STATUS_TO_XDR = {
     'Other': 'resolved_other',
-    'Duplicate': 'resolved_duplicate_incident',
+    'Duplicate': 'resolved_duplicate',
     'False Positive': 'resolved_false_positive',
     'Resolved': 'resolved_true_positive',
     'Security Testing': 'resolved_security_testing',
@@ -22,6 +22,7 @@
 XDR_RESOLVED_STATUS_TO_XSOAR = {
     'resolved_known_issue': 'Other',
     'resolved_duplicate_incident': 'Duplicate',
+    'resolved_duplicate': 'Duplicate',
     'resolved_false_positive': 'False Positive',
     'resolved_true_positive': 'Resolved',
     'resolved_security_testing': 'Security Testing',

Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule_test.py

@@ -3860,21 +3860,21 @@ def test_handle_outgoing_issue_closure(args, expected_delta):
                                                   "resolved_true_positive", "resolved_security_testing", "resolved_other"]),
 
                              # Expecting default mapping to be used when no mapping provided.
-                             ("", ["resolved_other", "resolved_duplicate_incident", "resolved_false_positive",
+                             ("", ["resolved_other", "resolved_duplicate", "resolved_false_positive",
                                    "resolved_true_positive", "resolved_security_testing", "resolved_other"]),
 
                              # Expecting default mapping to be used when improper mapping is provided.
                              ("Duplicate=RANDOM1, Other=Random2",
-                              ["resolved_other", "resolved_duplicate_incident", "resolved_false_positive",
+                              ["resolved_other", "resolved_duplicate", "resolved_false_positive",
                                "resolved_true_positive", "resolved_security_testing", "resolved_other"]),
 
                              ("Random1=Duplicate Incident",
-                              ["resolved_other", "resolved_duplicate_incident", "resolved_false_positive",
+                              ["resolved_other", "resolved_duplicate", "resolved_false_positive",
                                "resolved_true_positive", "resolved_security_testing", "resolved_other"]),
 
                              # Expecting default mapping to be used when improper mapping *format* is provided.
                              ("Duplicate=Other False Positive=Other",
-                              ["resolved_other", "resolved_duplicate_incident", "resolved_false_positive",
+                              ["resolved_other", "resolved_duplicate", "resolved_false_positive",
                                "resolved_true_positive", "resolved_security_testing", "resolved_other"]),
 
                              # Expecting default mapping to be used for when improper key-value pair *format* is provided.

Packs/Code42/Integrations/Code42EventCollector/Code42EventCollector.py

@@ -226,7 +226,7 @@ def fetch_file_events(client: Client, last_run: dict, max_fetch_file_events: int
     new_last_run = last_run.copy()
     new_last_run.pop("nextTrigger", None)
     file_event_time = dateparser.parse(last_run[FileEventLastRun.TIME]) if FileEventLastRun.TIME in last_run else (
-        datetime.now() - timedelta(minutes=240)
+        datetime.now() - timedelta(minutes=1)
     )
 
     file_events = client.get_file_events(file_event_time, limit=max_fetch_file_events)  # type: ignore[arg-type]

Packs/Code42/Playbooks/playbook-Code42_Add_Employees_To_Departing_Employee_Watchlist.yml

@@ -620,10 +620,6 @@ inputs:
   description: The departure date (in YYYY-MM-DD format) provided in a stand-down
     ticket from Jira, Zendesk, etc.
   playbookInputQuery: null
-- key: ticket_key
-  value: {}
-  required: false
-  description: The unique identifier of a stand-down ticket from Jira, Zendesk, etc.
-    (optional).
-  playbookInputQuery: null
 outputs: []
+tests:
+- No tests

Packs/Code42/Playbooks/playbook-Code42_Add_Employees_To_Departing_Employee_Watchlist_README.md

@@ -31,7 +31,6 @@ This playbook does not use any sub-playbooks.
 | --- | --- | --- | --- |
 | ticket_username | The username \(in email format\) provided in a stand-down ticket from Jira, Zendesk, etc. |  | Required |
 | ticket_departure_date | The departure date \(in YYYY-MM-DD format\) provided in a stand-down ticket from Jira, Zendesk, etc. |  | Required |
-| ticket_key | The unique identifier of a stand-down ticket from Jira, Zendesk, etc. \(optional\). |  | Optional |
 
 ## Playbook Outputs
 

Packs/Code42/Playbooks/playbook-Code42_Add_Employees_To_New_Hire_Watchlist.yml

@@ -621,10 +621,6 @@ inputs:
   description: The start date (in YYYY-MM-DD format) provided in a stand-up ticket
     from Jira, Zendesk, etc.
   playbookInputQuery: null
-- key: ticket_key
-  value: {}
-  required: false
-  description: The unique identifier of a stand-up ticket from Jira, Zendesk, etc.
-    (optional).
-  playbookInputQuery: null
 outputs: []
+tests:
+- No tests

Packs/Code42/Playbooks/playbook-Code42_Add_Employees_To_New_Hire_Watchlist_README.md

@@ -31,7 +31,6 @@ This playbook does not use any sub-playbooks.
 | --- | --- | --- | --- |
 | ticket_username | The username \(in email format\) provided in a stand-up ticket from Jira, Zendesk, etc. |  | Required |
 | ticket_start_date | The start date \(in YYYY-MM-DD format\) provided in a stand-up ticket from Jira, Zendesk, etc. |  | Required |
-| ticket_key | The unique identifier of a stand-up ticket from Jira, Zendesk, etc. \(optional\). |  | Optional |
 
 ## Playbook Outputs
 

Packs/Code42/Playbooks/playbook-Code42_Departing_Employee_Auto-Add.yml

@@ -498,3 +498,5 @@ view: |-
   }
 inputs: []
 outputs: []
+tests:
+- No tests

Packs/Code42/Playbooks/playbook-Code42_Departing_Employee_Clean-Up.yml

@@ -451,3 +451,5 @@ view: |-
   }
 inputs: []
 outputs: []
+tests:
+- No tests

Packs/Code42/Playbooks/playbook-Code42_New_Hire_Auto-Add.yml

@@ -495,3 +495,5 @@ view: |-
   }
 inputs: []
 outputs: []
+tests:
+- No tests

Packs/Code42/Playbooks/playbook-Code42_New_Hire_Clean-Up.yml

@@ -446,3 +446,5 @@ view: |-
   }
 inputs: []
 outputs: []
+tests:
+- No tests

Packs/Code42/Playbooks/playbook-Code42_Remove_Employees_From_Departing_Employee_Watchlist.yml

@@ -690,3 +690,5 @@ inputs:
     post-departure activity (e.g. "30", "7", etc.). Default is 30.
   playbookInputQuery: null
 outputs: []
+tests:
+- No tests

Packs/Code42/Playbooks/playbook-Code42_Remove_Employees_From_New_Hire_Watchlist.yml

@@ -534,3 +534,5 @@ inputs:
     Default is 30.
   playbookInputQuery: null
 outputs: []
+tests:
+- No tests

Packs/Code42/ReleaseNotes/5_0_1.md

@@ -0,0 +1,32 @@
+
+#### Integrations
+
+##### Code42
+- Added integration image.
+
+#### Playbooks
+
+##### Add Employees to New Hire Watchlist
+
+- Removed the **ticket_key** input.
+##### Add Employees to Departing Employee Watchlist
+
+- Removed the **ticket_key** input.
+##### New Hire Clean-Up
+
+- Fixed an issue where the playbook didnt have any test playbook.
+##### Remove Employees from Departing Employee Watchlist
+
+- Fixed an issue where the playbook didnt have any test playbook.
+##### New Hire Auto-Add
+
+- Fixed an issue where the playbook didnt have any test playbook.
+##### Departing Employee Clean-Up
+
+- Fixed an issue where the playbook didnt have any test playbook.
+##### Departing Employee Auto-Add
+
+- Fixed an issue where the playbook didnt have any test playbook.
+##### Remove Employees from New Hire Watchlist
+
+- Fixed an issue where the playbook didnt have any test playbook.

Packs/Code42/ReleaseNotes/5_0_2.md

@@ -0,0 +1,6 @@
+
+#### Integrations
+
+##### Code42 Event Collector
+
+- Fixed an issue where the first fetch when fetching file-events was 4 hours by default.

Packs/Code42/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Code42",
     "description": "The Code42 INCYDR integration accelerates insider threat incident response and remediation procedures for potential data exfiltration across computers, email, cloud and SaaS apps.",
     "support": "xsoar",
-    "currentVersion": "5.0.0",
+    "currentVersion": "5.0.2",
     "author": "Code42",
     "url": "https://support.code42.com/Administrator/Cloud/Monitoring_and_managing/Install_and_manage_the_Code42_app_for_Cortex_XSOAR",
     "email": "[email protected]",

Packs/CommonScripts/ReleaseNotes/1_14_36.md

@@ -0,0 +1,4 @@
+
+#### Scripts
+##### ParseEmailFilesV2
+- Fixed an issue where some eml files where not recognized.

Packs/CommonScripts/Scripts/ParseEmailFilesV2/ParseEmailFilesV2.py

@@ -95,11 +95,23 @@ def extract_file_info(entry_id: str) -> tuple:
         dt_file_type = demisto.dt(demisto.context(), f"File(val.EntryID=='{entry_id}').Type")
         file_type = dt_file_type[0] if isinstance(dt_file_type, list) else dt_file_type
 
+        dt_file_info = demisto.dt(demisto.context(), f"File(val.EntryID=='{entry_id}').Info")
+        file_info = dt_file_info[0] if isinstance(dt_file_info, list) else dt_file_info
+        demisto.debug(f'Context values: {dt_file_type=}, {file_type=}, {dt_file_info=}, {file_info=}')
+
+        if file_info:
+            file_info_lower = file_info.lower()
+
+        if (file_type == 'eml' or file_type == 'txt') and ('rfc' in file_info_lower or 'ascii' in file_info_lower):
+            demisto.debug(f'{file_type=} seems wrong, changing it to {file_info=}')
+            file_type = file_info
+
     except Exception as ex:
         return_error(
             "Failed to load file entry with entry id: {}. Error: {}".format(
                 entry_id, str(ex) + "\n\nTrace:\n" + traceback.format_exc()))
 
+    demisto.debug(f'extract_file_info returning {file_type=}, {file_path=}, {file_name=}')
     return file_type, file_path, file_name
 
 

Packs/CommonScripts/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Common Scripts",
     "description": "Frequently used scripts pack.",
     "support": "xsoar",
-    "currentVersion": "1.14.35",
+    "currentVersion": "1.14.36",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

Packs/Core/ReleaseNotes/3_0_26.md

@@ -0,0 +1,7 @@
+
+#### Integrations
+
+##### Investigation & Response
+
+- Fixed an issue in CoreIRApiModule where closing an incident in XDR with 'duplicate' close reason, would not be closed in XSOAR.
+

Packs/Core/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Core - Investigation and Response",
     "description": "Automates incident response",
     "support": "xsoar",
-    "currentVersion": "3.0.25",
+    "currentVersion": "3.0.26",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

Packs/CortexAttackSurfaceManagement/.pack-ignore

@@ -47,4 +47,5 @@ NMAP
 ml
 vpc
 Prisma
-ITSM
+ITSM
+Terrapin