updated the functionality to make actions platfrom compatible

splunk-soar-connectors · Apr 23, 2024 · 3a117ba · 3a117ba
1 parent 2d2a6c0
commit 3a117ba
Show file tree

Hide file tree

Showing 14 changed files with 519 additions and 73 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
 -   repo: https://github.com/phantomcyber/dev-cicd-tools
-    rev: v1.16
+    rev: v1.17
     hooks:
     -   id: org-hook
     -   id: package-app-dependencies

diff --git a/LICENSE b/LICENSE
@@ -198,4 +198,4 @@
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
-   limitations under the License.
+   limitations under the License.
diff --git a/manual_readme_content.md b/manual_readme_content.md
@@ -12,6 +12,50 @@
 [comment]: # "either express or implied. See the License for the specific language governing permissions"
 [comment]: # "and limitations under the License."
 [comment]: # ""
+
+## Playbook Backward Compatibility
+
+-   "**create event**" action has been updated
+    -   The following parameters have been removed from the create event action:
+        -   to_ids
+        -   source ips
+        -   dest ips
+        -   domains
+        -   source emails
+        -   dest emails
+        -   urls
+    -   The input for the `json` parameter has changed. Please refer the notes below to see the new format.
+
+-   The "**update event**" action has been renamed to "**add attribute**" and has the following changes:
+    -   The following new parameters are added :
+        -   attribute category
+        -   attribute type
+        -   attribute value
+        -   attribute comment
+
+    -   The following parameters are removed and moved to `attribute type`:
+        -   source_ips
+        -   dest_ips
+        -   domains
+        -   source_emails
+        -   dest_emails
+        -   urls
+
+    -   The input for the `json` parameter has changed. Please refer the notes below to see the new format.
+
+
+-   The below-mentioned actions have been added
+    -   bulk add attributes
+
+-   Hence, it is requested to the end-user to please
+    update their existing playbooks by inserting the corresponding action blocks for this action on
+    the earlier versions of the app.
+
+
+Note: The asset configuration parameter 'timezone', will be used for the 'occur_date' parameter in
+the 'add ttp' action.
+
+
 ## pymisp-2.4.138
 
 This app uses the pymisp module, which is licensed under an open source license. A simplified 2-BSD
@@ -62,15 +106,43 @@ For **analysis** :
 **Note:**
 
 -   Create new events with the `create event` action.
+-   `create event` action supports add attributes while creating the event.
 -   To add a single attribute to an existing event use the `add attribute` action.
+    -   To add a single attribute using `json` paramter, pass json data as show below:
+        ```
+        {
+            "category": "Network activity",
+            "type": "comment",
+            "value": "Example value for and event",
+            "to_ids": true
+        }
+        ```
+    - All the properties that can be added using the `json` parameter can be checked in the [misp documentation](https://www.misp-project.org/openapi/#tag/Attributes/operation/addAttribute)  
 -   To add multiple attributes to an event, use the `bulk add attributes` action.
--   In the **'run query'** action, tags containing a comma (,) in its value can be passed through
+-   The `json` parameter of `create event` and `bulk add attribute` takes similar input. The user needs to pass a list of dictionaries in the format given below:
+    ```
+       [
+             {
+                "category": "Network activity",
+                "type": "comment",
+                "value": "Example value for and event 1",
+                "to_ids": true
+            },
+            {
+                "type": "comment",
+                "value": "Example value for and event 2",
+                "to_ids": false
+            }
+        ]
+    ```
+-   In the "**run query**" action, tags containing a comma (,) in its value can be passed through
     the 'other' action parameter. For example:
 
     -   other: {"tags": \["tag1, tag11", "tag_2"\]}
 
     "tag1, tag11" will be considered a single tag.
 
+
 ## Port Information
 
 The app uses HTTP/HTTPS protocol for communicating with the Misp Server. Below are the default ports