From fe4ea40827e9e2f600348558a2bd84b5e0578a45 Mon Sep 17 00:00:00 2001 From: Dmytro Branitskyi Date: Thu, 12 Sep 2024 20:37:10 +0200 Subject: [PATCH 1/5] [Pack][IdentityRecordedFuture][v2.0.3] --- .../IdentityRecordedFuture.py | 82 +++++++++++-------- .../IdentityRecordedFuture.yml | 9 +- .../IdentityRecordedFuture_test.py | 15 +++- .../IdentityRecordedFuture/README.md | 2 + .../ReleaseNotes/2_0_3.md | 6 ++ .../IdentityRecordedFuture/pack_metadata.json | 2 +- 6 files changed, 78 insertions(+), 38 deletions(-) create mode 100644 Packs/IdentityRecordedFuture/ReleaseNotes/2_0_3.md diff --git a/Packs/IdentityRecordedFuture/Integrations/IdentityRecordedFuture/IdentityRecordedFuture.py b/Packs/IdentityRecordedFuture/Integrations/IdentityRecordedFuture/IdentityRecordedFuture.py index c0d44c252a5a..23feef3413ac 100644 --- a/Packs/IdentityRecordedFuture/Integrations/IdentityRecordedFuture/IdentityRecordedFuture.py +++ b/Packs/IdentityRecordedFuture/Integrations/IdentityRecordedFuture/IdentityRecordedFuture.py @@ -5,7 +5,7 @@ import base64 import json import platform -from typing import Any, Dict, Optional +from typing import Any, Dict, List, Optional import requests @@ -17,7 +17,11 @@ # pylint:disable=no-member requests.packages.urllib3.disable_warnings() # type: ignore -__version__ = "2.0.0" +__version__ = "2.0.3" + +TIMEOUT_60 = 60 +TIMEOUT_90 = 90 +TIMEOUT_120 = 120 class Client(BaseClient): @@ -26,7 +30,7 @@ def whoami(self) -> Dict[str, Any]: return self._http_request( method="get", url_suffix="info/whoami", - timeout=60, + timeout=TIMEOUT_60, ) def _call(self, url_suffix: str, **kwargs): @@ -49,11 +53,13 @@ def _call(self, url_suffix: str, **kwargs): v = kwargs.pop(k) json_data[k] = v + method = kwargs.get("method", "post") + request_kwargs = { - "method": "post", + "method": method, "url_suffix": url_suffix, "json_data": json_data, - "timeout": 90, + "timeout": TIMEOUT_90, "retries": 3, "status_list_to_retry": STATUS_TO_RETRY, } 
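Review bot: The new module constants `TIMEOUT_60`, `TIMEOUT_90` and `TIMEOUT_120` encode their value in their name, so retuning any of them (say raising the fetch timeout) forces a rename at every use site or leaves a misleading name behind. Naming them by role keeps the call sites self-describing: `WHOAMI_TIMEOUT = 60`, `CALL_TIMEOUT = 90`, `FETCH_INCIDENTS_TIMEOUT = 120`. This is a point of style only; the hunks that switch `whoami`, `_call` and `fetch_incidents` to the constants are otherwise fine.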
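Review bot: `method = kwargs.get("method", "post")` reads the key but leaves it in `kwargs`, so whatever the rest of `_call` does with the leftover keyword arguments — the body starts before this hunk and continues after it — `method` is still among them: a later `request_kwargs.update(kwargs)` would be harmless, but spreading `**kwargs` next to an explicit `method=` raises `TypeError` for a duplicate keyword, and if the pop-into-`json_data` loop at the top of the hunk iterates over every remaining key, `method` would already have been moved into the request body before this line runs. Consuming the key removes the ambiguity: `method = kwargs.pop("method", "post")`. Worth confirming against the key list that loop uses, which is outside the hunk.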
@@ -112,7 +118,7 @@ def fetch_incidents(self) -> Dict[str, Any]: """Fetch incidents.""" return self._call( url_suffix="/playbook_alert/fetch", - timeout=120, + timeout=TIMEOUT_120, ) def search_playbook_alerts(self) -> Dict[str, Any]: @@ -196,7 +202,7 @@ def fetch_incidents(self) -> None: if _key == "demisto_last_run": demisto.setLastRun(_val) if _key == "incidents": - _transform_incidents_attachments(_val) + self._transform_incidents_attachments(_val) demisto.incidents(_val) def playbook_alert_search_command(self) -> Optional[List[CommandResults]]: 
@@ -211,28 +217,33 @@ def playbook_alert_update_command(self) -> Optional[List[CommandResults]]: response = self.client.update_playbook_alerts() return self._process_result_actions(response=response) + @staticmethod + def _transform_incidents_attachments(incidents: list) -> None: + for incident in incidents: + attachments = [] + incident_json = json.loads(incident.get("rawJSON", "{}")) + if incident_json.get("panel_evidence_summary", {}).get("screenshots"): + for screenshot_data in incident_json["panel_evidence_summary"][ + "screenshots" + ]: + file_name = ( + f"{screenshot_data.get('image_id', '').replace('img:', '')}.png" + ) + file_data = screenshot_data.get("base64", "") + file = fileResult(file_name, base64.b64decode(file_data)) + attachment = { + "description": screenshot_data.get("description"), + "name": file.get("File"), + "path": file.get("FileID"), + "showMediaFile": True, + } + attachments.append(attachment) + incident["attachment"] = attachments + -def _transform_incidents_attachments(incidents: list) -> None: - for incident in incidents: - attachments = [] - incident_json = json.loads(incident.get("rawJSON", "{}")) - if incident_json.get("panel_evidence_summary", {}).get("screenshots"): - for screenshot_data in incident_json["panel_evidence_summary"][ - "screenshots" - ]: - file_name = ( - f'{screenshot_data.get("image_id", "").replace("img:", "")}.png' - ) - file_data = screenshot_data.get("base64", "") - file = fileResult(file_name, base64.b64decode(file_data)) - attachment = { - "description": screenshot_data.get("description"), - "name": file.get("File"), - "path": file.get("FileID"), - "showMediaFile": True, - } - attachments.append(attachment) - incident["attachment"] = attachments +# === === === === === === === === === === === === === === === +# === === === === === === === MAIN === === === === === === == +# === === === === === === === === === === === === === === === def get_client() -> Client: 
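Review bot: `base64.b64decode(file_data)` in the relocated `_transform_incidents_attachments` staticmethod has no error handling, so one screenshot whose `base64` field is malformed (or `None`, which raises `TypeError`) aborts the transform for the entire incident batch; and because `fetch_incidents` (previous hunk) calls it from the same loop that calls `demisto.setLastRun`, the batch may already be marked as consumed when the exception escapes — if `demisto_last_run` precedes `incidents` in the response dict, those incidents would never be retried. The screenshot data arrives in the remote API response, so the decode should be treated as untrusted input and a bad screenshot skipped with a debug line rather than allowed to fail the whole fetch. `binascii.Error` is a `ValueError` subclass, so no new import is needed, and `demisto` is already in scope in this file. The loop below shows the change; the `file` local also shadows the builtin and could become `file_result`.
```python
for screenshot_data in incident_json["panel_evidence_summary"][
    "screenshots"
]:
    file_name = (
        f"{screenshot_data.get('image_id', '').replace('img:', '')}.png"
    )
    try:
        file_bytes = base64.b64decode(screenshot_data.get("base64", ""))
    except (ValueError, TypeError) as err:
        # One undecodable screenshot must not abort the whole fetch run.
        demisto.debug(f"Skipping screenshot {file_name}: {err}")
        continue
    file = fileResult(file_name, file_bytes)
    # … unchanged: attachment dict build and append …
```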
@@ -248,7 +259,6 @@ def get_client() -> Client: if not api_token: return_error(message="Please provide a valid API token") - # If user has not set password properties we will get empty string but client require empty list headers = { "X-RFToken": api_token, "X-RF-User-Agent": ( @@ -276,9 +286,9 @@ def main() -> None: if command == "test-module": # This is the call made when pressing the integration Test button. - # Returning 'ok' indicates that the integration works like it suppose to and + # Returning "ok" indicates that the integration works like it suppose to and # connection to the service is successful. - # Returning 'ok' will make the test result be green. + # Returning "ok" will make the test result be green. # Any other response will make the test result be red. try: @@ -313,18 +323,22 @@ def main() -> None: elif command == "fetch-incidents": actions.fetch_incidents() + elif command == "recordedfuture-identity-playbook-alerts-search": + return_results(actions.playbook_alert_search_command()) + elif command == "recordedfuture-identity-playbook-alerts-details": return_results(actions.playbook_alert_details_command()) elif command == "recordedfuture-identity-playbook-alerts-update": return_results(actions.playbook_alert_update_command()) - elif command == "recordedfuture-identity-playbook-alerts-search": - return_results(actions.playbook_alert_search_command()) + else: + return_error(message=f"Unknown command: {command}") except Exception as e: return_error( - message=f"Failed to execute {demisto.command()} command. Error: {str(e)}" + message=f"Failed to execute {demisto.command()} command. Error: {str(e)}", + error=e, ) diff --git a/Packs/IdentityRecordedFuture/Integrations/IdentityRecordedFuture/IdentityRecordedFuture.yml b/Packs/IdentityRecordedFuture/Integrations/IdentityRecordedFuture/IdentityRecordedFuture.yml index c4352aec39ec..e7905eb522da 100644 --- a/Packs/IdentityRecordedFuture/Integrations/IdentityRecordedFuture/IdentityRecordedFuture.yml 
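Review bot: In the new `except Exception as e` handler, `{str(e)}` inside the f-string is redundant — `{e}` formats identically — and now that `error=e` is also passed, the exception reaches `return_error` twice in different forms; `message=f"Failed to execute {demisto.command()} command. Error: {e}"` reads cleaner. The added `else: return_error(message=f"Unknown command: {command}")` sits inside the `try`, which is fine as long as `return_error` leaves via `sys.exit` (a `SystemExit` is not caught by `except Exception`); if it raises a plain `Exception` for some commands, the unknown-command message would be rewrapped by the handler. `main`'s body begins before this hunk.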
+++ b/Packs/IdentityRecordedFuture/Integrations/IdentityRecordedFuture/IdentityRecordedFuture.yml @@ -103,7 +103,7 @@ script: script: '-' type: python subtype: python3 - dockerimage: demisto/python3:3.10.14.99474 + dockerimage: demisto/python3:3.11.10.111039 commands: - name: recordedfuture-identity-search description: Search for identities in Recorded Future Identity Dataset. @@ -758,6 +758,13 @@ script: - account_disabled_or_terminated - account_remediated - other + - name: reopen + description: 'Re-open on Significant Changes? The alert can remain resolved, or automatically re-open in significant new assessments. Default behaviour: reopen on significant updates.' + required: false + auto: PREDEFINED + predefined: + - never + - significant_updates outputs: - contextPath: IdentityRecordedFuture.PlaybookAlerts.playbook_alert_id description: Unique id of the playbook alert in Recorded Future. diff --git a/Packs/IdentityRecordedFuture/Integrations/IdentityRecordedFuture/IdentityRecordedFuture_test.py b/Packs/IdentityRecordedFuture/Integrations/IdentityRecordedFuture/IdentityRecordedFuture_test.py index e4b9ab1cb6ed..d115801b6140 100644 --- a/Packs/IdentityRecordedFuture/Integrations/IdentityRecordedFuture/IdentityRecordedFuture_test.py +++ b/Packs/IdentityRecordedFuture/Integrations/IdentityRecordedFuture/IdentityRecordedFuture_test.py @@ -5,6 +5,7 @@ import pytest import vcr as vcrpy + from CommonServerPython import CommandResults, DemistoException from IdentityRecordedFuture import Actions, Client, main @@ -1114,7 +1115,8 @@ def test_test_module_with_boom(mocker): f"Failed to execute {demisto.command()} command. Error: Failed due to - " "Unknown error. Please verify that the API URL and Token are correctly configured. " "RAW Error: Side effect triggered" - ) + ), + error=mocker.ANY, ) 
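Review bot: The new `reopen` argument on `recordedfuture-identity-playbook-alerts-update` is declared only in the YAML; nothing in this patch touches `update_playbook_alerts` or the request-body handling in `_call` to forward it. If the client passes `demisto.args()` through to the request body wholesale it will work implicitly, otherwise the argument is accepted by the UI and silently dropped. A unit test asserting that `reopen` appears in the outgoing JSON for the update call would pin whichever is the case, and a one-line `description` note that the value is forwarded as-is to the API would document it.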
@@ -1126,8 +1128,17 @@ def test_main_general( client_mock: Mock, mocked_demisto: Mock, ): - """Test main function is it runs correctly and calling general things""" + """Test main function if it runs correctly and calls general functions""" + + # Mocking a known command to ensure that the 'else' block is not triggered + mocked_demisto.command.return_value = "test-module" + mocked_demisto.params.return_value = { + "server_url": "https://mockurl", + "token": "mocktoken", + } + main() + client_mock.assert_called_once() mocked_demisto.params.assert_called_once_with() mocked_demisto.command.assert_called_once_with() diff --git a/Packs/IdentityRecordedFuture/Integrations/IdentityRecordedFuture/README.md b/Packs/IdentityRecordedFuture/Integrations/IdentityRecordedFuture/README.md index 55549848aca3..23f4c901b88f 100644 --- a/Packs/IdentityRecordedFuture/Integrations/IdentityRecordedFuture/README.md +++ b/Packs/IdentityRecordedFuture/Integrations/IdentityRecordedFuture/README.md @@ -713,6 +713,8 @@ Update the status of one or multiple Playbook alerts. | add_actions_taken | Add 'actions taken' to all alerts in alert_ids. Can be used only with 'new_status=resolved' or 'new_status=dismissed'. Possible values: enforced_password_reset, placed_in_risky_group, reviewed_incident_report, account_disabled_or_terminated, account_remediated, other. | Optional | | remove_actions_taken | Remove 'actions taken' from all alerts in alert_ids. You can specify multiple values by providing a quoted string with values separated by commas. Possible values: enforced_password_reset, placed_in_risky_group, reviewed_incident_report, account_disabled_or_terminated, account_remediated, other. | Optional | | comment | Add a comment to all alerts in alert_ids. | Optional | +| reopen | Re-open on Significant Changes? The alert can remain resolved, or automatically re-open in significant new assessments. Default behaviour: reopen on significant updates. | Optional | + #### Context Output 
diff --git a/Packs/IdentityRecordedFuture/ReleaseNotes/2_0_3.md b/Packs/IdentityRecordedFuture/ReleaseNotes/2_0_3.md new file mode 100644 index 000000000000..cd899a66ccf6 --- /dev/null +++ b/Packs/IdentityRecordedFuture/ReleaseNotes/2_0_3.md @@ -0,0 +1,6 @@ +#### Integrations + +##### Recorded Future Identity + +- Added **reopen** arguments to the **recordedfuture-identity-playbook-alerts-update** command. +- Updated the Docker image to: *demisto/python3:3.11.10.111039*. diff --git a/Packs/IdentityRecordedFuture/pack_metadata.json b/Packs/IdentityRecordedFuture/pack_metadata.json index 73b249d48462..50bf9e49d133 100644 --- a/Packs/IdentityRecordedFuture/pack_metadata.json +++ b/Packs/IdentityRecordedFuture/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Recorded Future Identity", "description": "Recorded Future App for Identity", "support": "partner", - "currentVersion": "2.0.2", + "currentVersion": "2.0.3", "author": "Recorded Future", "url": "https://www.recordedfuture.com/integrations/", "email": "support@recordedfuture.com", From fba0e6c4069cfa9fd59f83c3eece2a414692195c Mon Sep 17 00:00:00 2001 From: Dmytro Branitskyi Date: Fri, 13 Sep 2024 21:04:54 +0200 Subject: [PATCH 2/5] [Pack][IdentityRecordedFuture][v2.0.3] Improve unit test coverage. --- .../IdentityRecordedFuture_test.py | 198 +++++++++++++++++- 1 file changed, 195 insertions(+), 3 deletions(-) diff --git a/Packs/IdentityRecordedFuture/Integrations/IdentityRecordedFuture/IdentityRecordedFuture_test.py b/Packs/IdentityRecordedFuture/Integrations/IdentityRecordedFuture/IdentityRecordedFuture_test.py index d115801b6140..1b0c43b14bcf 100644 --- a/Packs/IdentityRecordedFuture/Integrations/IdentityRecordedFuture/IdentityRecordedFuture_test.py +++ b/Packs/IdentityRecordedFuture/Integrations/IdentityRecordedFuture/IdentityRecordedFuture_test.py 
@@ -6,8 +6,7 @@ import pytest import vcr as vcrpy -from CommonServerPython import CommandResults, DemistoException -from IdentityRecordedFuture import Actions, Client, main +from IdentityRecordedFuture import Client CASSETTES = Path(__file__).parent / "test_data" DATETIME_STR_VALUE = "2021-12-08T12:10:21.837Z" @@ -77,6 +76,7 @@ def test_credentials_search(mock_call: Mock) -> None: @patch("IdentityRecordedFuture.Actions._process_result_actions") def test_credentials_search_process_result(process_result_mock: Mock) -> None: """Test search identities code.""" + from IdentityRecordedFuture import Actions client = Mock() actions = Actions(client) @@ -101,6 +101,7 @@ def test_credentials_lookup(mock_call: Mock) -> None: @patch("IdentityRecordedFuture.Actions._process_result_actions") def test_credentials_lookup_process_result(process_result_mock: Mock) -> None: """Test lookup identities code.""" + from IdentityRecordedFuture import Actions client = Mock() actions = Actions(client) @@ -126,6 +127,8 @@ def test_password_lookup(mock_call: Mock) -> None: def test_password_lookup_process_result(process_result_mock: Mock) -> None: """Test password lookup code.""" + from IdentityRecordedFuture import Actions + client = Mock() actions = Actions(client) @@ -185,6 +188,8 @@ def test_call(mock_http_request: Mock, mocked_demisto: Mock): @patch("IdentityRecordedFuture.BaseClient._http_request") def test_call_return_error(mock_http_request: Mock, return_error_mock: Mock): """Test _call() when error message was returned.""" + from CommonServerPython import DemistoException + client = create_client() mock_url_suffix = "mock_url_suffix" error_message_res = {"message": "error"} 
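Review bot: Moving `Actions`, `CommandResults` and `DemistoException` from the module header into each test body (this hunk and the matching hunks on the following lines through `test_process_result_actions`) trades one import line for the same two or three lines repeated in a dozen functions, and the reason is not stated anywhere in the commit. If the deferral is deliberate — for instance so the module is first imported after a fixture has patched `demisto`, or so coverage sees the import-time lines — a single comment at the first occurrence would save the next reader from re-deriving it: `# NOTE: imported per test on purpose — <reason>`. If it is not deliberate, a module-level `import IdentityRecordedFuture` plus the original `from` lines is the idiomatic form.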
@@ -200,6 +205,8 @@ def test_call_return_error(mock_http_request: Mock, return_error_mock: Mock): @patch("IdentityRecordedFuture.BaseClient._http_request") def test_call_return_error_not_json(mock_http_request: Mock): """Test _call() when error message was returned and it is not json serializable.""" + from CommonServerPython import DemistoException + client = create_client() mock_url_suffix = "mock_url_suffix" mock_error_response = Mock() @@ -219,6 +226,8 @@ def test_call_return_http_404_error( mock_http_request: Mock, command_results_mock: Mock ): """Test _call() when error message was returned.""" + from CommonServerPython import DemistoException + client = create_client() mock_url_suffix = "mock_url_suffix" mock_http_request.side_effect = DemistoException("There is HTTP 404 error") @@ -235,6 +244,8 @@ def test_call_return_http_404_error( @patch("IdentityRecordedFuture.BaseClient._http_request") def test_call_return_http_error(mock_http_request: Mock): """Test _call() when error message was returned.""" + from CommonServerPython import DemistoException + client = create_client() mock_url_suffix = "mock_url_suffix" mock_http_request.side_effect = DemistoException("Some error from the Server") 
@@ -438,6 +449,60 @@ def mock_http_request_method(*args, **kwargs): assert result.readable_output == "No results found." +def test_call_DemistoException_res_json_error(mocker): + """Test _call when err.res.json() raises an exception (e.g., JSONDecodeError).""" + import json + import demistomock as demisto + from CommonServerPython import DemistoException + + client = create_client() + + mocker.patch.object(demisto, "command", return_value="command_name") + mocker.patch.object(demisto, "args", return_value={}) + mocker.patch.object(demisto, "params", return_value={}) + mocker.patch.object(demisto, "getLastRun", return_value={}) + + class MockResponse: + def json(self): + raise json.JSONDecodeError("Expecting value", "doc", 0) + + def mock_http_request(*args, **kwargs): + err = DemistoException("Error with response") + err.res = MockResponse() + raise err + + mocker.patch.object(client, "_http_request", side_effect=mock_http_request) + + with pytest.raises(DemistoException): + client._call(url_suffix="mock_url_suffix") + + +def test_call_DemistoException_res_None(mocker): + """Test _call when DemistoException has no response (err.res is None).""" + + from CommonServerPython import DemistoException + import demistomock as demisto + + client = create_client() + + mocker.patch.object(demisto, "command", return_value="command_name") + mocker.patch.object(demisto, "args", return_value={}) + mocker.patch.object(demisto, "params", return_value={}) + mocker.patch.object(demisto, "getLastRun", return_value={}) + + def mock_http_request(*args, **kwargs): + err = DemistoException("Some error without response") + err.res = None + raise err + + mocker.patch.object(client, "_http_request", side_effect=mock_http_request) + + with pytest.raises(DemistoException) as excinfo: + client._call(url_suffix="mock_url_suffix") + + assert str(excinfo.value) == "Some error without response" + + def test_fetch_incidents(mocker): """ Test the `fetch_incidents` method to ensure it sends the 
correct request and processes the response as expected. @@ -676,6 +741,9 @@ def test_actions_init(mocker): def test_process_result_actions_returns_list() -> None: """Test result processing function with the case when we received 404 error.""" + from CommonServerPython import CommandResults + from IdentityRecordedFuture import Actions + client = Mock() actions = Actions(client) @@ -685,6 +753,8 @@ def test_process_result_actions_returns_list() -> None: def test_process_result_actions_returns_none() -> None: + from IdentityRecordedFuture import Actions + client = Mock() actions = Actions(client) @@ -696,6 +766,9 @@ def test_process_result_actions_returns_none() -> None: def test_process_result_actions_404_error() -> None: """Test result processing function with the case when we received 404 error.""" + from CommonServerPython import CommandResults + from IdentityRecordedFuture import Actions + client = Mock() actions = Actions(client) @@ -706,6 +779,8 @@ def test_process_result_actions_404_error() -> None: def test_process_result_actions_wrong_type() -> None: """Test result processing function with the case when we received string data.""" + from IdentityRecordedFuture import Actions + client = Mock() actions = Actions(client) response = "Some bad response from API" @@ -715,6 +790,8 @@ def test_process_result_actions_wrong_type() -> None: def test_process_result_actions_no_key_value() -> None: """Test result processing function with the case when we received date without action_result key.""" + from IdentityRecordedFuture import Actions + client = Mock() actions = Actions(client) response = {} 
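Review bot: `test_call_DemistoException_res_json_error` and `test_call_DemistoException_res_None` mix CamelCase into otherwise snake_case test names; `test_call_demisto_exception_res_json_error` and `test_call_demisto_exception_res_none` match the rest of the file. Both tests also patch `demisto.command`, `args`, `params` and `getLastRun` before calling `client._call`, which as far as the visible hunks show does not read any of them — if that is just copied setup, dropping it keeps the test focused on the `err.res` branches it is actually exercising.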
@@ -724,6 +801,9 @@ def test_process_result_actions_no_key_value() -> None: def test_process_result_actions() -> None: """Test result processing function with the case when we received good data.""" + from IdentityRecordedFuture import Actions + from CommonServerPython import CommandResults + client = Mock() actions = Actions(client) response = {"action_result": {"readable_output": "data"}} @@ -830,6 +910,42 @@ def test_process_result_actions_command_results_only(mocker): assert r_a.outputs_key_field == "mock_outputs_key_field" +def test_process_result_actions_with_invalid_actions(mocker): + """Test processing result actions with invalid keys.""" + from IdentityRecordedFuture import Actions + from CommonServerPython import CommandResults + + actions = Actions(rf_client=None) + + response = { + "result_actions": [ + {"InvalidKey": {}}, + { + "CommandResults": { + "outputs_prefix": "mock_prefix", + "outputs": "mock_outputs", + } + }, + { + "CommandResults": { + "outputs_prefix": "another_prefix", + "outputs": "another_outputs", + } + }, + ] + } + + result = actions._process_result_actions(response) + + assert len(result) == 2 + assert isinstance(result[0], CommandResults) + assert result[0].outputs_prefix == "mock_prefix" + assert result[0].outputs == "mock_outputs" + assert isinstance(result[1], CommandResults) + assert result[1].outputs_prefix == "another_prefix" + assert result[1].outputs == "another_outputs" + + def test_fetch_incidents_with_attachment(mocker): """ Test the `fetch_incidents` method to ensure it correctly processes incidents with attachments. 
@@ -895,6 +1011,21 @@ def test_fetch_incidents_with_attachment(mocker): mock_demisto_set_last_run.assert_called_once_with(mock_demisto_last_run_value) +def test_transform_incidents_attachments_without_screenshots(mocker): + """Test transforming incidents without screenshots.""" + from IdentityRecordedFuture import Actions + import json + + incidents = [{"rawJSON": json.dumps({"panel_evidence_summary": {}})}] + + mock_fileResult = mocker.patch("IdentityRecordedFuture.fileResult") + + Actions._transform_incidents_attachments(incidents) + + assert "attachment" not in incidents[0] + mock_fileResult.assert_not_called() + + def test_fetch_incidents_with_incidents_present(mocker): """ Test the `fetch_incidents` method to ensure it correctly processes incidents when incidents are present in the response. @@ -1129,6 +1260,7 @@ def test_main_general( mocked_demisto: Mock, ): """Test main function if it runs correctly and calls general functions""" + import IdentityRecordedFuture # Mocking a known command to ensure that the 'else' block is not triggered mocked_demisto.command.return_value = "test-module" 
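Review bot: `test_transform_incidents_attachments_without_screenshots` covers only the no-screenshot path, so the contract for a screenshot whose `base64` payload cannot be decoded is still unpinned — today that raises straight out of the transform and therefore out of `fetch_incidents`. A second case with a bad value would document whichever behaviour is intended, e.g. (constructed fixture) `incidents = [{"rawJSON": json.dumps({"panel_evidence_summary": {"screenshots": [{"image_id": "img:1", "base64": "A"}]}})}]` followed by either `with pytest.raises(ValueError): Actions._transform_incidents_attachments(incidents)` for the current behaviour or an assertion that the incident gets an empty `attachment` list if bad screenshots are meant to be skipped.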
@@ -1137,9 +1269,69 @@ def test_main_general( "token": "mocktoken", } - main() + IdentityRecordedFuture.main() client_mock.assert_called_once() mocked_demisto.params.assert_called_once_with() mocked_demisto.command.assert_called_once_with() actions_mock.assert_called_once_with(client_mock.return_value) + + +def test_main_with_unknown_command(mocker): + """Test main function with an unknown command.""" + import IdentityRecordedFuture + import demistomock as demisto + + mocker.patch.object(demisto, "command", return_value="unknown-command") + mock_return_error = mocker.patch("IdentityRecordedFuture.return_error") + mock_get_client = mocker.patch("IdentityRecordedFuture.get_client") + + IdentityRecordedFuture.main() + + mock_get_client.assert_called_once() + mock_return_error.assert_called_once_with( + message="Unknown command: unknown-command" + ) + + +def test_main_exception_handling(mocker): + """Test main function's exception handling.""" + import IdentityRecordedFuture + import demistomock as demisto + + mocker.patch.object(demisto, "command", return_value="test-module") + mock_get_client = mocker.patch("IdentityRecordedFuture.get_client") + mock_get_client.return_value.whoami.side_effect = Exception("Test exception") + mock_return_error = mocker.patch("IdentityRecordedFuture.return_error") + + IdentityRecordedFuture.main() + + mock_get_client.assert_called_once() + mock_return_error.assert_called_once_with( + message=( + "Failed to execute test-module command. Error: Failed due to - Unknown error. " + "Please verify that the API URL and Token are correctly configured. 
RAW Error: Test exception" + ), + error=mocker.ANY, + ) + + +def test_get_client_no_api_token(mocker): + """Test get_client when no API token is provided.""" + import IdentityRecordedFuture + import demistomock as demisto + + mock_params = { + "server_url": "https://api.recordedfuture.com/gw/xsoar/", + "unsecure": False, + "credential": {"password": None}, + "token": None, + } + mocker.patch.object(demisto, "params", return_value=mock_params) + mock_return_error = mocker.patch("IdentityRecordedFuture.return_error") + + IdentityRecordedFuture.get_client() + + mock_return_error.assert_called_once_with( + message="Please provide a valid API token" + ) From 1ba6d9b47b49d758b71b0ff6595ea4d9fb7264eb Mon Sep 17 00:00:00 2001 From: Dmytro Branitskyi Date: Fri, 20 Sep 2024 16:06:54 +0200 Subject: [PATCH 3/5] [Pack][IdentityRecordedFuture][v2.0.3] Update docs. --- .../IdentityRecordedFuture.yml | 12 +- .../IdentityRecordedFuture/README.md | 316 +++++++++--------- 2 files changed, 164 insertions(+), 164 deletions(-) diff --git a/Packs/IdentityRecordedFuture/Integrations/IdentityRecordedFuture/IdentityRecordedFuture.yml b/Packs/IdentityRecordedFuture/Integrations/IdentityRecordedFuture/IdentityRecordedFuture.yml index e7905eb522da..be4b752ba6be 100644 --- a/Packs/IdentityRecordedFuture/Integrations/IdentityRecordedFuture/IdentityRecordedFuture.yml +++ b/Packs/IdentityRecordedFuture/Integrations/IdentityRecordedFuture/IdentityRecordedFuture.yml @@ -243,10 +243,10 @@ script: description: Search playbook alerts based on filters. arguments: - name: limit - description: Limits the number of alerts to fetch. + description: The maximum number of alerts to fetch. defaultValue: 50 - name: time_since_update - description: Time between now and e.g. "2 hours" or "7 days" ago. + description: The amount of time since the last update. E.g., "2 hours" or "7 days" ago. defaultValue: "24 hours" - name: playbook_alert_status auto: PREDEFINED 
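Review bot: In `test_get_client_no_api_token` the patched `return_error` returns `None`, so `get_client` continues past the `if not api_token` guard and builds a `Client` with `"X-RFToken": None`; the test passes only because nothing after the guard happens to raise, and it would keep passing if the guard were accidentally removed and a later line reported the missing token instead. Mirroring the real exit makes the assertion meaningful: `mock_return_error = mocker.patch("IdentityRecordedFuture.return_error", side_effect=SystemExit)` and `with pytest.raises(SystemExit): IdentityRecordedFuture.get_client()`, keeping the existing `assert_called_once_with`. `test_main_with_unknown_command` does not need the same treatment because `main` ends right after its `return_error` call.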
@@ -255,7 +255,7 @@ script: - in-progress - dismissed - resolved - description: Filter what statuses are fetched, defaults to only new status if not specified. + description: The statuses to retrieve. Defaults to only new status if not specified. - name: priority auto: PREDEFINED predefined: @@ -268,7 +268,7 @@ script: predefined: - updated - created - description: Sort search result by field. + description: The order by which to search for playbook alerts. outputs: - contextPath: IdentityRecordedFuture.PlaybookAlerts.playbook_alert_id description: Unique id of the playbook alert. @@ -735,7 +735,7 @@ script: description: Add comment to all alerts in alert_ids. required: false - name: add_actions_taken - description: Add 'actions taken' to all alerts in alert_ids. Can be used only with new_status=resolved or new_status=dismissed. You can specify multiple values by providing a quoted string with values separated by comma. + description: Add 'actions taken' to all alerts in alert_ids. Can only be used with new_status=resolved or new_status=dismissed. You can specify multiple values by providing a quoted string with values separated by comma. required: false isArray: true auto: PREDEFINED @@ -759,7 +759,7 @@ script: - account_remediated - other - name: reopen - description: 'Re-open on Significant Changes? The alert can remain resolved, or automatically re-open in significant new assessments. Default behaviour: reopen on significant updates.' + description: 'Set the reopen strategy for the alert. Reopen on significant updates or keep the alert Resolved. Default: reopen on significant updates. Can only be used with new_status=resolved.' required: false auto: PREDEFINED predefined: diff --git a/Packs/IdentityRecordedFuture/Integrations/IdentityRecordedFuture/README.md b/Packs/IdentityRecordedFuture/Integrations/IdentityRecordedFuture/README.md index 23f4c901b88f..e00fcc38f869 100644 --- a/Packs/IdentityRecordedFuture/Integrations/IdentityRecordedFuture/README.md 
+++ b/Packs/IdentityRecordedFuture/Integrations/IdentityRecordedFuture/README.md 
@@ -498,31 +498,31 @@ Search Playbook alerts based on filters. #### Input -| **Argument Name** | **Description** | **Required** | -|-----------------------|---------------------------------------------------------------------------------------------------------------------------------------------|--------------| -| limit | Limits the number of alerts to fetch. Default: 10. | Optional | -| time_since_update | Time between now and e.g. "2 hours" or "7 days" ago. Default: "24 hours". | Optional | -| playbook_alert_status | Filter what statuses are fetched, defaults to only new status if not specified. Possible values are: new, in-progress, dismissed, resolved. | Optional | -| priority | Actions priority assigned in Recorded Future. Possible values are: high, moderate, informational. | Optional | -| order_search_by | Actions priority assigned in Recorded Future. Possible values are: updated, created. | Optional | +| **Argument Name** | **Description** | **Required** | +|-----------------------|-------------------------------------------------------------------------------------------------------------------------------------|--------------| +| limit | The maximum number of alerts to fetch. Default: 50. | Optional | +| time_since_update | The amount of time since the last update. E.g., "2 hours" or "7 days" ago. Default: "24 hours". | Optional | +| playbook_alert_status | The statuses to retrieve. Defaults to only new status if not specified. Possible values are: new, in-progress, dismissed, resolved. | Optional | +| priority | Actions priority assigned in Recorded Future. Possible values are: high, moderate, informational. | Optional | +| order_search_by | The order by which to search for playbook alerts. Possible values are: updated, created. 
| Optional | #### Context Output | **Path** | **Type** | **Description** | |---------------------------------------------------------|----------|---------------------------------------------| -| IdentityRecordedFuture.PlaybookAlerts.playbook_alert_id | String | Unique id of the playbook alert | -| IdentityRecordedFuture.PlaybookAlerts.category | String | Playbook alert category | -| IdentityRecordedFuture.PlaybookAlerts.priority | String | Recommended Priority of the alert | -| IdentityRecordedFuture.PlaybookAlerts.status | String | Current alert status in Recorded Future | -| IdentityRecordedFuture.PlaybookAlerts.title | String | Title of the alert | -| IdentityRecordedFuture.PlaybookAlerts.updated | date | Date of last update | -| IdentityRecordedFuture.PlaybookAlerts.created | date | Date of creation | -| IdentityRecordedFuture.PlaybookAlerts.organization_id | String | Organization uhash | -| IdentityRecordedFuture.PlaybookAlerts.organization_name | String | Plaintext Organization name | -| IdentityRecordedFuture.PlaybookAlerts.assignee_id | String | uhash of the assigned user | -| IdentityRecordedFuture.PlaybookAlerts.assignee_name | unknown | name of the assigned user | -| IdentityRecordedFuture.PlaybookAlerts.owner_id | String | uhash of the enterprise that owns the alert | -| IdentityRecordedFuture.PlaybookAlerts.owner_name | String | Name of the enterprise that owns the alert | +| IdentityRecordedFuture.PlaybookAlerts.playbook_alert_id | String | Unique ID of the playbook alert | +| IdentityRecordedFuture.PlaybookAlerts.category | String | Playbook alert category | +| IdentityRecordedFuture.PlaybookAlerts.priority | String | Recommended Priority of the alert | +| IdentityRecordedFuture.PlaybookAlerts.status | String | Current alert status in Recorded Future | +| IdentityRecordedFuture.PlaybookAlerts.title | String | Title of the alert | +| IdentityRecordedFuture.PlaybookAlerts.updated | date | Date of last update | +| 
IdentityRecordedFuture.PlaybookAlerts.created | date | Date of creation | +| IdentityRecordedFuture.PlaybookAlerts.organization_id | String | Organization uhash | +| IdentityRecordedFuture.PlaybookAlerts.organization_name | String | Plaintext Organization name | +| IdentityRecordedFuture.PlaybookAlerts.assignee_id | String | uhash of the assigned user | +| IdentityRecordedFuture.PlaybookAlerts.assignee_name | unknown | name of the assigned user | +| IdentityRecordedFuture.PlaybookAlerts.owner_id | String | uhash of the enterprise that owns the alert | +| IdentityRecordedFuture.PlaybookAlerts.owner_name | String | Name of the enterprise that owns the alert | ##### Command Example 
@@ -559,136 +559,136 @@ Get Playbook alert details by ID.
 | **Path** | **Type** | **Description** |
 |-----------------------------------------------------------------------------------------------|----------|---------------------------------------------------------------------------|
-| IdentityRecordedFuture.PlaybookAlerts.playbook_alert_id | String | Unique id of the playbook alert |
-| IdentityRecordedFuture.PlaybookAlerts.category | String | Playbook alert category |
-| IdentityRecordedFuture.PlaybookAlerts.priority | String | Recommended Priority of the alert |
-| IdentityRecordedFuture.PlaybookAlerts.status | String | Current alert status in Recorded Future |
-| IdentityRecordedFuture.PlaybookAlerts.title | String | Title of the alert |
-| IdentityRecordedFuture.PlaybookAlerts.updated | date | Date of last update |
-| IdentityRecordedFuture.PlaybookAlerts.created | date | Date of creation |
-| IdentityRecordedFuture.PlaybookAlerts.organization_id | String | Organization uhash |
-| IdentityRecordedFuture.PlaybookAlerts.organization_name | String | Plaintext Organization name |
-| IdentityRecordedFuture.PlaybookAlerts.assignee_id | String | uhash of the assigned user |
-| IdentityRecordedFuture.PlaybookAlerts.assignee_name | String | name of the assigned user |
-| IdentityRecordedFuture.PlaybookAlerts.owner_id | String | uhash of the enterprise that owns the alert |
-| IdentityRecordedFuture.PlaybookAlerts.owner_name | String | Name of the enterprise that owns the alert |
-| IdentityRecordedFuture.PlaybookAlerts.panel_status.playbook_alert_id | String | Unique id of the playbook alert |
-| IdentityRecordedFuture.PlaybookAlerts.panel_status.category | String | Playbook alert category |
-| IdentityRecordedFuture.PlaybookAlerts.panel_status.priority | String | Recommended Priority of the alert |
-| IdentityRecordedFuture.PlaybookAlerts.panel_status.status | String | Current alert status in Recorded Future |
-| IdentityRecordedFuture.PlaybookAlerts.panel_status.title | String | Title of the alert |
-| IdentityRecordedFuture.PlaybookAlerts.panel_status.updated | date | Date of last update |
-| IdentityRecordedFuture.PlaybookAlerts.panel_status.created | date | Date of creation |
-| IdentityRecordedFuture.PlaybookAlerts.panel_status.organization_id | String | Organization uhash |
-| IdentityRecordedFuture.PlaybookAlerts.panel_status.organization_name | String | Plaintext Organization name |
-| IdentityRecordedFuture.PlaybookAlerts.panel_status.assignee_id | String | uhash of the assigned user |
-| IdentityRecordedFuture.PlaybookAlerts.panel_status.assignee_name | unknown | name of the assigned user |
-| IdentityRecordedFuture.PlaybookAlerts.panel_status.owner_id | String | uhash of the enterprise that owns the alert |
-| IdentityRecordedFuture.PlaybookAlerts.panel_status.owner_name | String | Name of the enterprise that owns the alert |
-| IdentityRecordedFuture.PlaybookAlerts.panel_status.case_rule_id | String | Id of the playbook alert category |
-| IdentityRecordedFuture.PlaybookAlerts.panel_status.case_rule_label | String | Name of the playbook alert category |
-| IdentityRecordedFuture.PlaybookAlerts.panel_status.context_list.context | Array | Context of entity connected to the Playbook alert. |
-| IdentityRecordedFuture.PlaybookAlerts.panel_status.created | String | Date marking the creation of the Playbook alert in Recorded Future |
-| IdentityRecordedFuture.PlaybookAlerts.panel_status.entity_criticality | String | Criticality of the Playbook alert |
-| IdentityRecordedFuture.PlaybookAlerts.panel_status.entity_id | String | Id of the entity in Recorded Future |
-| IdentityRecordedFuture.PlaybookAlerts.panel_status.entity_name | String | Name of the entity |
-| IdentityRecordedFuture.PlaybookAlerts.panel_status.risk_score | String | Risk score of the entity in Recorded Future |
-| IdentityRecordedFuture.PlaybookAlerts.panel_status.targets | Array | List of targets of the Playbook alert |
-| IdentityRecordedFuture.PlaybookAlerts.panel_status.lifecycle_stage | String | Indicates what lifecycle the vulerability is in |
-| IdentityRecordedFuture.PlaybookAlerts.panel_summary.explanation | String | Entails the explanation to the triggering of the Playbook alert |
-| IdentityRecordedFuture.PlaybookAlerts.panel_summary.resolved_record_list.context_list.context | String | Context of entity connected to the Playbook alert. |
-| IdentityRecordedFuture.PlaybookAlerts.panel_summary.resolved_record_list.criticality | String | Level of criticality |
-| IdentityRecordedFuture.PlaybookAlerts.panel_summary.resolved_record_list.entity | String | ID of the entitiy in Recorded Future |
-| IdentityRecordedFuture.PlaybookAlerts.panel_summary.resolved_record_list.record_type | String | Type of record A, CNAME or MX |
-| IdentityRecordedFuture.PlaybookAlerts.panel_summary.resolved_record_list.risk_score | String | Risk score of the entity in Recorded Future |
-| IdentityRecordedFuture.PlaybookAlerts.panel_summary.screenshots.description | String | Description of the image |
-| IdentityRecordedFuture.PlaybookAlerts.panel_summary.screenshots.image_id | String | ID of the screenshot in recorded future |
-| IdentityRecordedFuture.PlaybookAlerts.panel_summary.screenshots.tag | String | Image Analisys tag |
-| IdentityRecordedFuture.PlaybookAlerts.panel_summary.screenshots.created | String | When the image was created |
-| IdentityRecordedFuture.PlaybookAlerts.panel_summary.screenshots.base64 | String | The image binary encoded as a base64 string |
-| IdentityRecordedFuture.PlaybookAlerts.panel_summary.summary.targets.name | String | Target affected by the vulnerability |
-| IdentityRecordedFuture.PlaybookAlerts.panel_summary.summary.lifecycle_stage | String | The current lifecycle stage of the Playbook Alert |
-| IdentityRecordedFuture.PlaybookAlerts.panel_summary.summary.riskrules.rule | String | Name of the rule that triggered |
-| IdentityRecordedFuture.PlaybookAlerts.panel_summary.summary.riskrules.description | String | Short description of the trigger \(E.g 13 sightings on 1 source..\) |
-| IdentityRecordedFuture.PlaybookAlerts.panel_summary.affected_products.name | String | Name of of affected product |
-| IdentityRecordedFuture.PlaybookAlerts.panel_summary.insikt_notes.id | String | The id of the Insikt note |
-| IdentityRecordedFuture.PlaybookAlerts.panel_summary.insikt_notes.title | String | The title of the Insikt note |
-| IdentityRecordedFuture.PlaybookAlerts.panel_summary.insikt_notes.topic | String | The topic of the Insikt note |
-| IdentityRecordedFuture.PlaybookAlerts.panel_summary.insikt_notes.published | String | The time at which the Insikt note was published |
-| IdentityRecordedFuture.PlaybookAlerts.panel_summary.insikt_notes.fragment | String | A fragment of the Insikt note text |
-| IdentityRecordedFuture.PlaybookAlerts.panel_log.id | String | Log id in Recorded Future |
-| IdentityRecordedFuture.PlaybookAlerts.panel_log.actor_id | String | Id of the actor |
-| IdentityRecordedFuture.PlaybookAlerts.panel_log.created | String | When was the log created |
-| IdentityRecordedFuture.PlaybookAlerts.panel_log.modified | String | When was the log last modified |
-| IdentityRecordedFuture.PlaybookAlerts.panel_log.action_priority | String | The priority of the Playbook alert |
-| IdentityRecordedFuture.PlaybookAlerts.panel_log.message | String | Log message |
-| IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.assigne_change.old | String | Previous assignee |
-| IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.assigne_change.new | String | New assignee |
-| IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.assigne_change.type | String | Type of change |
-| IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.status_change.old | String | Previous status |
-| IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.status_change.new | String | New status |
-| IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.status_change.type | String | Type of change |
-| IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.title_change.old | String | Previous title |
-| IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.title_change.new | String | New title |
-| IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.title_change.type | String | Type of change |
-| IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.priority_change.old | String | Previous priority |
-| IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.priority_change.new | String | New priority |
-| IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.priority_change.type | String | Type of change |
-| IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.reopen_strategy_change.old | String | Previous reopen strategy |
-| IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.reopen_strategy_change.new | String | New reopen strategy |
-| IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.reopen_strategy_change.type | String | Type of change |
-| IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.entities_change.removed | String | Removed entity |
-| IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.entities_change.added | String | Added entity |
-| IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.entities_change.type | String | Type of change |
-| IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.related_entities_change.removed | String | Removed related entity |
-| IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.related_entities_change.added | String | Added related entity |
-| IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.related_entities_changetype | String | Type of change |
-| IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.description_change.old | String | Previous description |
-| IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.description_change.new | String | New description |
-| IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.description_change.type | String | Type of change |
-| IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.external_id_change.old | String | Previous external ID |
-| IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.external_id_change.new | String | New external ID |
-| IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.external_id_change.type | String | Type of change |
-| IdentityRecordedFuture.PlaybookAlerts.panel_action.action | String | The name of the action |
-| IdentityRecordedFuture.PlaybookAlerts.panel_action.updated | String | When was the action last updated |
-| IdentityRecordedFuture.PlaybookAlerts.panel_action.assignee_name | String | Full name of the assignee |
-| IdentityRecordedFuture.PlaybookAlerts.panel_action.assignee_id | String | ID of the assignee |
-| IdentityRecordedFuture.PlaybookAlerts.panel_action.status | String | The status of the action |
-| IdentityRecordedFuture.PlaybookAlerts.panel_action.description | String | A short description of the action |
-| IdentityRecordedFuture.PlaybookAlerts.panel_action.link | String | A link associated with the action |
-| IdentityRecordedFuture.PlaybookAlerts.panel_dns.ip_list.record | String | The DNS record |
-| IdentityRecordedFuture.PlaybookAlerts.panel_dns.ip_list.risk_score | String | Risk score associated with the record |
-| IdentityRecordedFuture.PlaybookAlerts.panel_dns.ip_list.criticality | String | The level of criticality |
-| IdentityRecordedFuture.PlaybookAlerts.panel_dns.ip_list.record_type | String | Type of record A, CNAME or MX |
-| IdentityRecordedFuture.PlaybookAlerts.panel_dns.ip_list.context_list.context | String | Labels of malicious behavior types that can be associated with an entity. |
-| IdentityRecordedFuture.PlaybookAlerts.panel_dns.mx_list.record | String | The DNS record |
-| IdentityRecordedFuture.PlaybookAlerts.panel_dns.mx_list.risk_score | String | Risk score associated with the record |
-| IdentityRecordedFuture.PlaybookAlerts.panel_dns.mx_list.criticality | String | The level of criticality |
-| IdentityRecordedFuture.PlaybookAlerts.panel_dns.mx_list.record_type | String | Type of record A, CNAME or MX |
-| IdentityRecordedFuture.PlaybookAlerts.panel_dns.mx_list.context_list.context | String | Labels of malicious behavior types that can be associated with an entity. |
-| IdentityRecordedFuture.PlaybookAlerts.panel_dns.ns_list.record | String | The DNS record |
-| IdentityRecordedFuture.PlaybookAlerts.panel_dns.ns_list.risk_score | String | Risk score associated with the record |
-| IdentityRecordedFuture.PlaybookAlerts.panel_dns.ns_list.criticality | String | The level of criticality |
-| IdentityRecordedFuture.PlaybookAlerts.panel_dns.ns_list.record_type | String | Type of record A, CNAME or MX |
-| IdentityRecordedFuture.PlaybookAlerts.panel_dns.ns_list.context_list.context | String | Labels of malicious behavior types that can be associated with an entity. |
-| IdentityRecordedFuture.PlaybookAlerts.panel_whois.body.added | String | When the whois information was added |
-| IdentityRecordedFuture.PlaybookAlerts.panel_whois.body.attribute | String | Attribute, either whois or whoisContancts |
-| IdentityRecordedFuture.PlaybookAlerts.panel_whois.body.entity | String | Id of whois entity |
-| IdentityRecordedFuture.PlaybookAlerts.panel_whois.body.provider | String | Name of provider |
-| IdentityRecordedFuture.PlaybookAlerts.panel_whois.body.value.createdDate | String | When was it created |
-| IdentityRecordedFuture.PlaybookAlerts.panel_whois.body.value.nameServers | Array | List of name server IDs |
-| IdentityRecordedFuture.PlaybookAlerts.panel_whois.body.value.privateRegistration | Bool | Boolean indicating private registration |
-| IdentityRecordedFuture.PlaybookAlerts.panel_whois.body.value.registrarName | String | Name of the registrar |
-| IdentityRecordedFuture.PlaybookAlerts.panel_whois.body.value.status | String | Status of registrar |
-| IdentityRecordedFuture.PlaybookAlerts.panel_whois.body.value.city | String | Contact located in this city |
-| IdentityRecordedFuture.PlaybookAlerts.panel_whois.body.value.country | String | Contact located in this city |
-| IdentityRecordedFuture.PlaybookAlerts.panel_whois.body.value.name | String | Name of contact |
-| IdentityRecordedFuture.PlaybookAlerts.panel_whois.body.value.organization | String | Name of contact organization |
-| IdentityRecordedFuture.PlaybookAlerts.panel_whois.body.value.postalCode | String | Postal code of contact organization |
-| IdentityRecordedFuture.PlaybookAlerts.panel_whois.body.value.state | String | Contact located in state |
-| IdentityRecordedFuture.PlaybookAlerts.panel_whois.body.value.street1 | String | Street name of contact |
-| IdentityRecordedFuture.PlaybookAlerts.panel_whois.body.value.telephone | String | Phone number of contact |
-| IdentityRecordedFuture.PlaybookAlerts.panel_whois.body.value.type | String | Type of contact |
+| IdentityRecordedFuture.PlaybookAlerts.playbook_alert_id | String | Unique ID of the playbook alert. |
+| IdentityRecordedFuture.PlaybookAlerts.category | String | Playbook alert category. |
+| IdentityRecordedFuture.PlaybookAlerts.priority | String | Recommended Priority of the alert. |
+| IdentityRecordedFuture.PlaybookAlerts.status | String | Current alert status in Recorded Future. |
+| IdentityRecordedFuture.PlaybookAlerts.title | String | Title of the alert. |
+| IdentityRecordedFuture.PlaybookAlerts.updated | date | Date of last update. |
+| IdentityRecordedFuture.PlaybookAlerts.created | date | Date of creation. |
+| IdentityRecordedFuture.PlaybookAlerts.organization_id | String | Organization uhash. |
+| IdentityRecordedFuture.PlaybookAlerts.organization_name | String | Plaintext Organization name. |
+| IdentityRecordedFuture.PlaybookAlerts.assignee_id | String | uhash of the assigned user. |
+| IdentityRecordedFuture.PlaybookAlerts.assignee_name | String | name of the assigned user. |
+| IdentityRecordedFuture.PlaybookAlerts.owner_id | String | uhash of the enterprise that owns the alert. |
+| IdentityRecordedFuture.PlaybookAlerts.owner_name | String | Name of the enterprise that owns the alert. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_status.playbook_alert_id | String | Unique ID of the playbook alert. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_status.category | String | Playbook alert category. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_status.priority | String | Recommended Priority of the alert. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_status.status | String | Current alert status in Recorded Future. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_status.title | String | Title of the alert. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_status.updated | date | Date of last update. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_status.created | date | Date of creation. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_status.organization_id | String | Organization uhash. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_status.organization_name | String | Plaintext Organization name. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_status.assignee_id | String | uhash of the assigned user. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_status.assignee_name | unknown | name of the assigned user. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_status.owner_id | String | uhash of the enterprise that owns the alert. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_status.owner_name | String | Name of the enterprise that owns the alert. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_status.case_rule_id | String | ID of the playbook alert category. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_status.case_rule_label | String | Name of the playbook alert category. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_status.context_list.context | Array | Context of entity connected to the Playbook alert. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_status.created | String | Date marking the creation of the Playbook alert in Recorded Future. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_status.entity_criticality | String | Criticality of the Playbook alert. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_status.entity_id | String | ID of the entity in Recorded Future. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_status.entity_name | String | Name of the entity. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_status.risk_score | String | Risk score of the entity in Recorded Future. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_status.targets | Array | List of targets of the Playbook alert. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_status.lifecycle_stage | String | Indicates what lifecycle the vulerability is in. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_summary.explanation | String | Entails the explanation to the triggering of the Playbook alert. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_summary.resolved_record_list.context_list.context | String | Context of entity connected to the Playbook alert. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_summary.resolved_record_list.criticality | String | Level of criticality. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_summary.resolved_record_list.entity | String | ID of the entitiy in Recorded Future. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_summary.resolved_record_list.record_type | String | Type of record A, CNAME or MX. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_summary.resolved_record_list.risk_score | String | Risk score of the entity in Recorded Future. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_summary.screenshots.description | String | Description of the image. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_summary.screenshots.image_id | String | ID of the screenshot in recorded future. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_summary.screenshots.tag | String | Image Analisys tag. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_summary.screenshots.created | String | When the image was created. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_summary.screenshots.base64 | String | The image binary encoded as a base64 string. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_summary.summary.targets.name | String | Target affected by the vulnerability. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_summary.summary.lifecycle_stage | String | The current lifecycle stage of the Playbook Alert. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_summary.summary.riskrules.rule | String | Name of the rule that triggered. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_summary.summary.riskrules.description | String | Short description of the trigger \(E.g 13 sightings on 1 source..\). |
+| IdentityRecordedFuture.PlaybookAlerts.panel_summary.affected_products.name | String | Name of of affected product. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_summary.insikt_notes.id | String | The ID of the Insikt note. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_summary.insikt_notes.title | String | The title of the Insikt note. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_summary.insikt_notes.topic | String | The topic of the Insikt note. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_summary.insikt_notes.published | String | The time at which the Insikt note was published. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_summary.insikt_notes.fragment | String | A fragment of the Insikt note text. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_log.id | String | Log ID in Recorded Future. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_log.actor_id | String | ID of the actor. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_log.created | String | When was the log created. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_log.modified | String | When was the log last modified. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_log.action_priority | String | The priority of the Playbook alert. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_log.message | String | Log message. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.assigne_change.old | String | Previous assignee. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.assigne_change.new | String | New assignee. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.assigne_change.type | String | Type of change. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.status_change.old | String | Previous status. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.status_change.new | String | New status. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.status_change.type | String | Type of change. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.title_change.old | String | Previous title. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.title_change.new | String | New title. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.title_change.type | String | Type of change. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.priority_change.old | String | Previous priority. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.priority_change.new | String | New priority. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.priority_change.type | String | Type of change. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.reopen_strategy_change.old | String | Previous reopen strategy. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.reopen_strategy_change.new | String | New reopen strategy. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.reopen_strategy_change.type | String | Type of change. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.entities_change.removed | String | Removed entity. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.entities_change.added | String | Added entity. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.entities_change.type | String | Type of change. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.related_entities_change.removed | String | Removed related entity. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.related_entities_change.added | String | Added related entity. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.related_entities_changetype | String | Type of change. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.description_change.old | String | Previous description. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.description_change.new | String | New description. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.description_change.type | String | Type of change. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.external_id_change.old | String | Previous external ID. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.external_id_change.new | String | New external ID. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.external_id_change.type | String | Type of change. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_action.action | String | The name of the action. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_action.updated | String | When was the action last updated. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_action.assignee_name | String | Full name of the assignee. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_action.assignee_id | String | ID of the assignee. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_action.status | String | The status of the action. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_action.description | String | A short description of the action. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_action.link | String | A link associated with the action. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_dns.ip_list.record | String | The DNS record. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_dns.ip_list.risk_score | String | Risk score associated with the record. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_dns.ip_list.criticality | String | The level of criticality. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_dns.ip_list.record_type | String | Type of record A, CNAME or MX. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_dns.ip_list.context_list.context | String | Labels of malicious behavior types that can be associated with an entity. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_dns.mx_list.record | String | The DNS record. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_dns.mx_list.risk_score | String | Risk score associated with the record. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_dns.mx_list.criticality | String | The level of criticality. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_dns.mx_list.record_type | String | Type of record A, CNAME or MX. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_dns.mx_list.context_list.context | String | Labels of malicious behavior types that can be associated with an entity. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_dns.ns_list.record | String | The DNS record. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_dns.ns_list.risk_score | String | Risk score associated with the record. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_dns.ns_list.criticality | String | The level of criticality. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_dns.ns_list.record_type | String | Type of record A, CNAME or MX. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_dns.ns_list.context_list.context | String | Labels of malicious behavior types that can be associated with an entity. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_whois.body.added | String | When the whois information was added. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_whois.body.attribute | String | Attribute, either whois or whoisContancts. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_whois.body.entity | String | ID of whois entity. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_whois.body.provider | String | Name of provider. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_whois.body.value.createdDate | String | When was it created. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_whois.body.value.nameServers | Array | List of name server IDs. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_whois.body.value.privateRegistration | Bool | Boolean indicating private registration. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_whois.body.value.registrarName | String | Name of the registrar. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_whois.body.value.status | String | Status of registrar. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_whois.body.value.city | String | Contact located in this city. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_whois.body.value.country | String | Contact located in this city. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_whois.body.value.name | String | Name of contact. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_whois.body.value.organization | String | Name of contact organization. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_whois.body.value.postalCode | String | Postal code of contact organization. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_whois.body.value.state | String | Contact located in state. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_whois.body.value.street1 | String | Street name of contact. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_whois.body.value.telephone | String | Phone number of contact. |
+| IdentityRecordedFuture.PlaybookAlerts.panel_whois.body.value.type | String | Type of contact. |
 #### Command Example
@@ -710,20 +710,20 @@ Update the status of one or multiple Playbook alerts.
 |----------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|
 | alert_ids | IDs of the playbook alerts that will be updated. | Required |
 | new_status | New status to set for all alerts in alert_ids (e.g., new, in-progress, dismissed, resolved). | Required |
-| add_actions_taken | Add 'actions taken' to all alerts in alert_ids. Can be used only with 'new_status=resolved' or 'new_status=dismissed'. Possible values: enforced_password_reset, placed_in_risky_group, reviewed_incident_report, account_disabled_or_terminated, account_remediated, other. | Optional |
+| add_actions_taken | Add 'actions taken' to all alerts in alert_ids. Can only be used with 'new_status=resolved' or 'new_status=dismissed'. Possible values: enforced_password_reset, placed_in_risky_group, reviewed_incident_report, account_disabled_or_terminated, account_remediated, other. | Optional |
 | remove_actions_taken | Remove 'actions taken' from all alerts in alert_ids. You can specify multiple values by providing a quoted string with values separated by commas. Possible values: enforced_password_reset, placed_in_risky_group, reviewed_incident_report, account_disabled_or_terminated, account_remediated, other. | Optional |
 | comment | Add a comment to all alerts in alert_ids. | Optional |
-| reopen | Re-open on Significant Changes? The alert can remain resolved, or automatically re-open in significant new assessments. Default behaviour: reopen on significant updates. | Optional |
+| reopen | Set the reopen strategy for the alert. Reopen on significant updates or keep the alert Resolved. Default: reopen on significant updates. Can only be used with new_status=resolved. | Optional |
 #### Context Output
-| **Path** | **Type** | **Description** |
-|---------------------------------------------------------|----------|-----------------------------------------------------|
-| IdentityRecordedFuture.PlaybookAlerts.playbook_alert_id | string | Unique id of the playbook alert in Recorded Future |
-| IdentityRecordedFuture.PlaybookAlerts.current_status | string | Current status of playbook alert in Recorded Future |
-| IdentityRecordedFuture.PlaybookAlerts.title | string | Title of the playbook alert in Recorded Future |
-| IdentityRecordedFuture.PlaybookAlerts.status_message | string | Message describing the outcome of the update |
+| **Path** | **Type** | **Description** |
+|---------------------------------------------------------|----------|------------------------------------------------------|
+| IdentityRecordedFuture.PlaybookAlerts.playbook_alert_id | string | Unique ID of the playbook alert in Recorded Future. |
+| IdentityRecordedFuture.PlaybookAlerts.current_status | string | Current status of playbook alert in Recorded Future. |
+| IdentityRecordedFuture.PlaybookAlerts.title | string | Title of the playbook alert in Recorded Future. |
+| IdentityRecordedFuture.PlaybookAlerts.status_message | string | Message describing the outcome of the update. |
 #### Command Example
From 816bc2da54e37f5e984a59ce90ef83f646d81288 Mon Sep 17 00:00:00 2001 From: Dmytro Branitskyi Date: Fri, 20 Sep 2024 19:05:42 +0200 Subject: [PATCH 4/5] [Pack][IdentityRecordedFuture][v2.0.3] Resolve MR issues. --- .../IdentityRecordedFuture/IdentityRecordedFuture_test.py | 2 +- Packs/IdentityRecordedFuture/ReleaseNotes/2_0_3.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Packs/IdentityRecordedFuture/Integrations/IdentityRecordedFuture/IdentityRecordedFuture_test.py b/Packs/IdentityRecordedFuture/Integrations/IdentityRecordedFuture/IdentityRecordedFuture_test.py
index 1b0c43b14bcf..589a865f0c90 100644
--- a/Packs/IdentityRecordedFuture/Integrations/IdentityRecordedFuture/IdentityRecordedFuture_test.py
+++ b/Packs/IdentityRecordedFuture/Integrations/IdentityRecordedFuture/IdentityRecordedFuture_test.py
@@ -1265,7 +1265,7 @@ def test_main_general(
 # Mocking a known command to ensure that the 'else' block is not triggered
 mocked_demisto.command.return_value = "test-module"
 mocked_demisto.params.return_value = {
- "server_url": "https://mockurl",
+ "server_url": "https://mockurl.com",
 "token": "mocktoken",
 }
diff --git a/Packs/IdentityRecordedFuture/ReleaseNotes/2_0_3.md b/Packs/IdentityRecordedFuture/ReleaseNotes/2_0_3.md
index cd899a66ccf6..d48ceed5fd91 100644
--- a/Packs/IdentityRecordedFuture/ReleaseNotes/2_0_3.md
+++ b/Packs/IdentityRecordedFuture/ReleaseNotes/2_0_3.md
@@ -2,5 +2,5 @@
 ##### Recorded Future Identity
-- Added **reopen** arguments to the **recordedfuture-identity-playbook-alerts-update** command.
+- Added *reopen* arguments to the ***recordedfuture-identity-playbook-alerts-update*** command.
 - Updated the Docker image to: *demisto/python3:3.11.10.111039*.
From 698a58f1881502a8d17490fb7fbf25bc34ef0cec Mon Sep 17 00:00:00 2001 From: Dmytro Branitskyi Date: Mon, 23 Sep 2024 10:12:18 +0200 Subject: [PATCH 5/5] [Pack][IdentityRecordedFuture][v2.0.3] Attempt fix 'secret found' pipeline failure. --- .../IdentityRecordedFuture/IdentityRecordedFuture_test.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Packs/IdentityRecordedFuture/Integrations/IdentityRecordedFuture/IdentityRecordedFuture_test.py b/Packs/IdentityRecordedFuture/Integrations/IdentityRecordedFuture/IdentityRecordedFuture_test.py
index 589a865f0c90..1e4366e9e6d9 100644
--- a/Packs/IdentityRecordedFuture/Integrations/IdentityRecordedFuture/IdentityRecordedFuture_test.py
+++ b/Packs/IdentityRecordedFuture/Integrations/IdentityRecordedFuture/IdentityRecordedFuture_test.py
@@ -1265,7 +1265,7 @@ def test_main_general(
 # Mocking a known command to ensure that the 'else' block is not triggered
 mocked_demisto.command.return_value = "test-module"
 mocked_demisto.params.return_value = {
- "server_url": "https://mockurl.com",
+ "server_url": "https://example.com",
 "token": "mocktoken",
 }
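Review bot: The `"token": "mocktoken"` entry that stays in the `mocked_demisto.params.return_value` fixture is the more plausible trigger for the "secret found" check named in the commit title, so rewriting only `server_url` may not clear the pipeline; secret scanners commonly key on a credential-like name such as `token` paired with a string value rather than on a hostname (this is inferred from the commit message, no scanner configuration is visible here). Using `https://example.com` is itself a good choice, since it is a reserved documentation domain and cannot resolve to a real tenant. If the scanner keeps flagging the fixture, the durable fix is to allow-list that specific test value in the repository's secrets configuration rather than keep mutating the URL, and a one-line comment above the dict such as `# Dummy connection params for the mocked integration; not real credentials` would make the intent clear to future reviewers and scans. The enclosing test_main_general starts outside the hunk.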