diff --git a/README.md b/README.md
index cf6fe0b..62c1047 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 # Cybereason
 Publisher: Cybereason
-Connector Version: 2\.3\.0
+Connector Version: 2\.4\.0
 Product Vendor: Cybereason
 Product Name: Cybereason
 Product Version Supported (regex): "\.\*"
@@ -58,6 +58,7 @@ VARIABLE | REQUIRED | TYPE | DESCRIPTION
 **malware\_historical\_days** | required | numeric | The number of days for which we want to get Malware \(This parameter will be used for the first\-time poll only, and will be ignored in subsequent polls\)
 **override\_malop\_severity\_map** | optional | string | A JSON string that the user can add to override the default severity mapping for different malop types
 **malware\_severity** | optional | string | The severity to apply for all malware events
+**enable\_epp\_poll** | optional | boolean | If checked, will poll for EPP/Detection Malops
 ### Supported Actions
 [test connectivity](#action-test-connectivity) - Validate the asset configuration for connectivity using supplied configuration
diff --git a/cybereason.json b/cybereason.json
index dd09716..bb4880e 100644
--- a/cybereason.json
+++ b/cybereason.json
@@ -11,7 +11,7 @@
 "product_version_regex": ".*",
 "publisher": "Cybereason",
 "license": "Copyright (c) Cybereason, 2018-2022",
- "app_version": "2.3.0",
+ "app_version": "2.4.0",
 "utctime_updated": "2022-01-07T20:19:08.000000Z",
 "package_name": "phantom_cybereason",
 "main_module": "cybereason_connector.py",
@@ -68,6 +68,12 @@
 "data_type": "string",
 "default": "High",
 "order": 7
+ },
+ "enable_epp_poll": {
+ "description": "If checked, will poll for EPP/Detection Malops",
+ "data_type": "boolean",
+ "default": false,
+ "order": 8
 }
 },
 "actions": [
diff --git a/cybereason_poller.py b/cybereason_poller.py
index e2b04c1..640cd90 100755
--- a/cybereason_poller.py
+++ b/cybereason_poller.py
@@ -104,7 +104,7 @@ def do_poll(self, connector, param):
 def _fetch_and_ingest_malops(self, connector, config, start_time_microsec_timestamp, end_time_microsec, container_count):
 # Fetch Malops
 success = True
- malops_dict = self._get_malops(connector, start_time_microsec_timestamp, end_time_microsec, container_count)
+ malops_dict = self._get_malops(connector, config, start_time_microsec_timestamp, end_time_microsec, container_count)
 malop_ids = list(malops_dict.keys())
 connector.save_progress("Fetched {number_of_malops} malops from Cybereason console", number_of_malops=len(malop_ids))
@@ -459,7 +459,7 @@ def _get_artifact(self, connector, config, source_data_identifier, container_id)
 connector.debug_print("Exception when parsing artifact results: {0}".format(err))
 return None
- def _get_malops(self, connector, start_timestamp, end_timestamp, max_number_malops):
+ def _get_malops(self, connector, config, start_timestamp, end_timestamp, max_number_malops):
 malops_dict = {}
 url = f"{connector._base_url}/rest/detection/inbox"
 query = {"startTime": start_timestamp, "endTime": end_timestamp}
@@ -467,6 +467,8 @@ def _get_malops(self, connector, start_timestamp, end_timestamp, max_number_malo
 malops = json.loads(malop_res.content)
 connector.save_progress(f"Malops response: {len(malops['malops'])}")
+ enable_epp_poll = config.get("enable_epp_poll", False)
+
 for malop in malops["malops"]:
 connector.debug_print(f"Malop EDR: {malop['edr']}")
 if malop['edr']:
@@ -484,7 +486,7 @@ def _get_malops(self, connector, start_timestamp, end_timestamp, max_number_malo
 }
 res = self.cr_session.post(url=url, json=query, headers=connector._headers, timeout=DEFAULT_REQUEST_TIMEOUT)
 malops_dict[malop['guid']] = res.json()["data"]["resultIdToElementDataMap"][malop['guid']]
- else:
+ elif enable_epp_poll:
 malops_dict[malop['guid']] = malop
 return malops_dict
diff --git a/release_notes/2.4.0.md b/release_notes/2.4.0.md
new file mode 100644
index 0000000..a8938ba
--- /dev/null
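Review bot: The `elif enable_epp_poll:` in the last hunk replaces what appears to be the `else:` of `if malop['edr']:`, so every non-EDR malop is now dropped unless the new asset option is set, and because `config.get("enable_epp_poll", False)` defaults to off, an asset upgraded from 2.3.0 without a configuration change silently stops ingesting the EPP/Detection malops the old branch always collected. Nothing records the skipped entries, so an operator cannot distinguish a quiet console from a disabled branch; a trailing `else:` with `connector.debug_print(f"Skipping non-EDR malop {malop['guid']}: enable_epp_poll is off")` would make the coverage gap visible in the poll logs, in the same style as the existing `Malop EDR:` trace. The same default-off behaviour change deserves a sentence in the `enable_epp_poll` description in cybereason.json and in the release note, e.g. `Unchecked (default) skips non-EDR malops that earlier versions always ingested`. `_get_malops` now takes a behaviour-controlling `config` argument and still has no docstring; a one-line summary saying that `config["enable_epp_poll"]` gates non-EDR malops would help the next reader. The body of `_get_malops` runs between and past these hunks, so its full control flow is not visible here.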
+++ b/release_notes/2.4.0.md
@@ -0,0 +1 @@
+* Added Check Box to let the user choose to poll for EPP/Detection Malops
\ No newline at end of file