From 93a756b5b6338312e4f41fbb48f10b4d3b0c152d Mon Sep 17 00:00:00 2001
From: ritesh-metron <87002567+ritesh-metron@users.noreply.github.com>
Date: Wed, 30 Nov 2022 16:15:49 +0530
Subject: [PATCH 1/2] Added checkbox to enable polling for EPP/Detection Malops (#12)
* Detection Malops added.
- Detection Malops ingestion added.
- Added timeout to API calls
* timeout
* Linter fixes
* Changed the app version to 2.3.0
- removed comment
- removed timeout for malware fetch
- changed the app version to 2.3.0
* Static test and Compile test fixes
- Changed "err" to error
- Changed "msg" to "message"
- Added whitespace around Arithmatic operator
* Changed min Phantom version to 5.3.0
* Cyberreason: Dev checklist changes
* Added checkbox for EPP Malop polling option
* Cybereason: Updated release notes
* Cyberason: Updated app version
* Cyberason: Added default value for 'enable_epp_poll'
Co-authored-by: suraj-metron <87964764+suraj-metron@users.noreply.github.com>
Co-authored-by: dhwanis-crest
---
 LICENSE | 2 +-
 README.md | 3 ++-
 cybereason.json | 8 +++++++-
 cybereason_poller.py | 8 +++++---
 release_notes/unreleased.md | 1 +
 5 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/LICENSE b/LICENSE
index 5d4e3ac..f388e5a 100644
--- a/LICENSE
+++ b/LICENSE
@@ -198,4 +198,4 @@ distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
- limitations under the License.
\ No newline at end of file
+ limitations under the License.
diff --git a/README.md b/README.md
index cf6fe0b..c39b730 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 # Cybereason
 Publisher: Cybereason
-Connector Version: 2\.3\.0
+Connector Version: 2\.3\.1
 Product Vendor: Cybereason
 Product Name: Cybereason
 Product Version Supported (regex): "\.\*"
@@ -58,6 +58,7 @@ VARIABLE | REQUIRED | TYPE | DESCRIPTION
 **malware\_historical\_days** | required | numeric | The number of days for which we want to get Malware \(This parameter will be used for the first\-time poll only, and will be ignored in subsequent polls\)
 **override\_malop\_severity\_map** | optional | string | A JSON string that the user can add to override the default severity mapping for different malop types
 **malware\_severity** | optional | string | The severity to apply for all malware events
+**enable\_epp\_poll** | optional | boolean | If checked, will poll for EPP/Detection Malops
 ### Supported Actions
 [test connectivity](#action-test-connectivity) - Validate the asset configuration for connectivity using supplied configuration
diff --git a/cybereason.json b/cybereason.json
index dd09716..bb4880e 100644
--- a/cybereason.json
+++ b/cybereason.json
@@ -11,7 +11,7 @@
 "product_version_regex": ".*",
 "publisher": "Cybereason",
 "license": "Copyright (c) Cybereason, 2018-2022",
- "app_version": "2.3.0",
+ "app_version": "2.4.0",
 "utctime_updated": "2022-01-07T20:19:08.000000Z",
 "package_name": "phantom_cybereason",
 "main_module": "cybereason_connector.py",
@@ -68,6 +68,12 @@
 "data_type": "string",
 "default": "High",
 "order": 7
+ },
+ "enable_epp_poll": {
+ "description": "If checked, will poll for EPP/Detection Malops",
+ "data_type": "boolean",
+ "default": false,
+ "order": 8
 }
 },
 "actions": [
diff --git a/cybereason_poller.py b/cybereason_poller.py
index e2b04c1..640cd90 100755
--- a/cybereason_poller.py
+++ b/cybereason_poller.py
@@ -104,7 +104,7 @@ def do_poll(self, connector, param):
 def _fetch_and_ingest_malops(self, connector, config, start_time_microsec_timestamp, end_time_microsec, container_count):
 # Fetch Malops
 success = True
- malops_dict = self._get_malops(connector, start_time_microsec_timestamp, end_time_microsec, container_count)
+ malops_dict = self._get_malops(connector, config, start_time_microsec_timestamp, end_time_microsec, container_count)
 malop_ids = list(malops_dict.keys())
 connector.save_progress("Fetched {number_of_malops} malops from Cybereason console", number_of_malops=len(malop_ids))
@@ -459,7 +459,7 @@ def _get_artifact(self, connector, config, source_data_identifier, container_id)
 connector.debug_print("Exception when parsing artifact results: {0}".format(err))
 return None
- def _get_malops(self, connector, start_timestamp, end_timestamp, max_number_malops):
+ def _get_malops(self, connector, config, start_timestamp, end_timestamp, max_number_malops):
 malops_dict = {}
 url = f"{connector._base_url}/rest/detection/inbox"
 query = {"startTime": start_timestamp, "endTime": end_timestamp}
@@ -467,6 +467,8 @@ def _get_malops(self, connector, start_timestamp, end_timestamp, max_number_malo
 malops = json.loads(malop_res.content)
 connector.save_progress(f"Malops response: {len(malops['malops'])}")
+ enable_epp_poll = config.get("enable_epp_poll", False)
+
 for malop in malops["malops"]:
 connector.debug_print(f"Malop EDR: {malop['edr']}")
 if malop['edr']:
@@ -484,7 +486,7 @@ def _get_malops(self, connector, start_timestamp, end_timestamp, max_number_malo
 }
 res = self.cr_session.post(url=url, json=query, headers=connector._headers, timeout=DEFAULT_REQUEST_TIMEOUT)
 malops_dict[malop['guid']] = res.json()["data"]["resultIdToElementDataMap"][malop['guid']]
- else:
+ elif enable_epp_poll:
 malops_dict[malop['guid']] = malop
 return malops_dict
diff --git a/release_notes/unreleased.md b/release_notes/unreleased.md
index fbcb2fd..02d3e13 100644
--- a/release_notes/unreleased.md
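Review bot: The new `elif enable_epp_poll:` in the last hunk of cybereason_poller.py (@@ -484) drops every non-EDR malop without a trace when the option is unchecked, so an operator comparing the Cybereason inbox with the containers that were ingested has nothing in the app's debug output explaining the gap; keep a trailing arm for logging, e.g. `else: connector.debug_print(f"Skipping EPP/Detection malop {malop['guid']}: enable_epp_poll is disabled")`. The gating itself looks consistent with what the hunks show: `enable_epp_poll` is read once from the asset config before the loop (@@ -467) with a `False` default that matches the JSON default. The `config` parameter threaded through `_fetch_and_ingest_malops` (@@ -104) and the `_get_malops` signature (@@ -459) is undocumented; a short docstring on `_get_malops` saying that `config` is the asset configuration and that EPP/Detection malops (those with `edr` false) are only returned when `enable_epp_poll` is set would save the next reader a hunt. The body of `_get_malops` between the third and fourth hunks, including the part that builds `query` for the per-malop detail request, lies outside the diff.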
+++ b/release_notes/unreleased.md
@@ -1 +1,2 @@
 **Unreleased**
+* Added Check Box to let the user choose to poll for EPP/Detection Malops
\ No newline at end of file
From d807b8daf805680b9868e262584294625d5e199a Mon Sep 17 00:00:00 2001
From: root
Date: Wed, 30 Nov 2022 02:47:14 -0800
Subject: [PATCH 2/2] Release notes for version 2.4.0
---
 LICENSE | 2 +-
 README.md | 2 +-
 release_notes/2.4.0.md | 1 +
 release_notes/unreleased.md | 1 -
 4 files changed, 3 insertions(+), 3 deletions(-)
 create mode 100644 release_notes/2.4.0.md
diff --git a/LICENSE b/LICENSE
index f388e5a..5d4e3ac 100644
--- a/LICENSE
+++ b/LICENSE
@@ -198,4 +198,4 @@ distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
- limitations under the License.
+ limitations under the License.
\ No newline at end of file
diff --git a/README.md b/README.md
index c39b730..62c1047 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 # Cybereason
 Publisher: Cybereason
-Connector Version: 2\.3\.1
+Connector Version: 2\.4\.0
 Product Vendor: Cybereason
 Product Name: Cybereason
 Product Version Supported (regex): "\.\*"
diff --git a/release_notes/2.4.0.md b/release_notes/2.4.0.md
new file mode 100644
index 0000000..a8938ba
--- /dev/null
+++ b/release_notes/2.4.0.md
@@ -0,0 +1 @@
+* Added Check Box to let the user choose to poll for EPP/Detection Malops
\ No newline at end of file
diff --git a/release_notes/unreleased.md b/release_notes/unreleased.md
index 02d3e13..fbcb2fd 100644
--- a/release_notes/unreleased.md
+++ b/release_notes/unreleased.md
@@ -1,2 +1 @@
 **Unreleased**
-* Added Check Box to let the user choose to poll for EPP/Detection Malops
\ No newline at end of file