Merge pull request #13 from splunk-soar-connectors/next

Merging next to main for release 2.4.0

README.md

@@ -2,7 +2,7 @@
 # Cybereason
 
 Publisher: Cybereason  
-Connector Version: 2\.3\.0  
+Connector Version: 2\.4\.0  
 Product Vendor: Cybereason  
 Product Name: Cybereason  
 Product Version Supported (regex): "\.\*"  
@@ -58,6 +58,7 @@ VARIABLE | REQUIRED | TYPE | DESCRIPTION
 **malware\_historical\_days** |  required  | numeric | The number of days for which we want to get Malware \(This parameter will be used for the first\-time poll only, and will be ignored in subsequent polls\)
 **override\_malop\_severity\_map** |  optional  | string | A JSON string that the user can add to override the default severity mapping for different malop types
 **malware\_severity** |  optional  | string | The severity to apply for all malware events
+**enable\_epp\_poll** |  optional  | boolean | If checked, will poll for EPP/Detection Malops
 
 ### Supported Actions  
 [test connectivity](#action-test-connectivity) - Validate the asset configuration for connectivity using supplied configuration  

cybereason.json

@@ -11,7 +11,7 @@
     "product_version_regex": ".*",
     "publisher": "Cybereason",
     "license": "Copyright (c) Cybereason, 2018-2022",
-    "app_version": "2.3.0",
+    "app_version": "2.4.0",
     "utctime_updated": "2022-01-07T20:19:08.000000Z",
     "package_name": "phantom_cybereason",
     "main_module": "cybereason_connector.py",
@@ -68,6 +68,12 @@
             "data_type": "string",
             "default": "High",
             "order": 7
+        },
+        "enable_epp_poll": {
+            "description": "If checked, will poll for EPP/Detection Malops",
+            "data_type": "boolean",
+            "default": false,
+            "order": 8
         }
     },
     "actions": [

cybereason_poller.py

@@ -104,7 +104,7 @@ def do_poll(self, connector, param):
     def _fetch_and_ingest_malops(self, connector, config, start_time_microsec_timestamp, end_time_microsec, container_count):
         # Fetch Malops
         success = True
-        malops_dict = self._get_malops(connector, start_time_microsec_timestamp, end_time_microsec, container_count)
+        malops_dict = self._get_malops(connector, config, start_time_microsec_timestamp, end_time_microsec, container_count)
         malop_ids = list(malops_dict.keys())
         connector.save_progress("Fetched {number_of_malops} malops from Cybereason console", number_of_malops=len(malop_ids))
 
@@ -459,14 +459,16 @@ def _get_artifact(self, connector, config, source_data_identifier, container_id)
             connector.debug_print("Exception when parsing artifact results: {0}".format(err))
             return None
 
-    def _get_malops(self, connector, start_timestamp, end_timestamp, max_number_malops):
+    def _get_malops(self, connector, config, start_timestamp, end_timestamp, max_number_malops):
         malops_dict = {}
         url = f"{connector._base_url}/rest/detection/inbox"
         query = {"startTime": start_timestamp, "endTime": end_timestamp}
         malop_res = self.cr_session.post(url=url, json=query, headers=connector._headers)
         malops = json.loads(malop_res.content)
         connector.save_progress(f"Malops response: {len(malops['malops'])}")
 
+        enable_epp_poll = config.get("enable_epp_poll", False)
+
         for malop in malops["malops"]:
             connector.debug_print(f"Malop EDR: {malop['edr']}")
             if malop['edr']:
@@ -484,7 +486,7 @@ def _get_malops(self, connector, start_timestamp, end_timestamp, max_number_malo
                 }
                 res = self.cr_session.post(url=url, json=query, headers=connector._headers, timeout=DEFAULT_REQUEST_TIMEOUT)
                 malops_dict[malop['guid']] = res.json()["data"]["resultIdToElementDataMap"][malop['guid']]
-            else:
+            elif enable_epp_poll:
                 malops_dict[malop['guid']] = malop
 
         return malops_dict

release_notes/2.4.0.md

@@ -0,0 +1 @@
+* Added Check Box to let the user choose to poll for EPP/Detection Malops