[Cortex XDR] Fixed status parsing issue (#28183)

* [Cortex XDR] Fixed status parsing issue (#28131)

* master

* reverting crowdstrike.py

* fixed status issue

* added release notes

* reverted 4_11_8.md 4_11_7.md

* bumped version

* apimodules release notes

* apimodules

* removed 4_11_9.md

* a minor improvement

* code improvements

* Update RN

* Fixed a typo

* Update README files

---------

Co-authored-by: Menachem Weinfeld <mmhw770@gmail.com>

* pre-commit

* fix

---------

Co-authored-by: Enes Özdemir <49711791+ennozdd@users.noreply.github.com>
Co-authored-by: Menachem Weinfeld <mmhw770@gmail.com>

Packs/ApiModules/ReleaseNotes/2_2_18.md

@@ -0,0 +1,4 @@
+
+#### Scripts
+##### CoreIRApiModule
+- Added support for multiple endpoint statuses when calling **get_endpoints_command** function.

Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule.py

@@ -1725,6 +1725,7 @@ def arg_to_timestamp(arg, arg_name: str, required: bool = False):
         return int(date.timestamp() * 1000)
     if isinstance(arg, (int, float)):
         return arg
+    return None
 
 
 def create_account_context(endpoints):
@@ -1813,7 +1814,7 @@ def get_endpoints_command(client, args):
     alias_name = argToList(args.get('alias_name'))
     isolate = args.get('isolate')
     hostname = argToList(args.get('hostname'))
-    status = args.get('status')
+    status = argToList(args.get('status'))
 
     first_seen_gte = arg_to_timestamp(
         arg=args.get('first_seen_gte'),
@@ -2385,7 +2386,7 @@ def get_process_context(alert, process_type):
     remove_nulls_from_dictionary(process_context)
 
     # If the process contains only 'HostName' , don't create an indicator
-    if len(process_context.keys()) == 1 and 'Hostname' in process_context.keys():
+    if len(process_context.keys()) == 1 and 'Hostname' in process_context:
         return {}
     return process_context
 
@@ -2678,7 +2679,7 @@ def sort_by_key(list_to_sort, main_key, fallback_key):
 
 def drop_field_underscore(section):
     section_copy = section.copy()
-    for field in section_copy.keys():
+    for field in section_copy:
         if '_' in field:
             section[field.replace('_', '')] = section.get(field)
 
@@ -2736,7 +2737,7 @@ def get_distribution_versions_command(client, args):
     versions = client.get_distribution_versions()
 
     readable_output = []
-    for operation_system in versions.keys():
+    for operation_system in versions:
         os_versions = versions[operation_system]
 
         readable_output.append(
@@ -3255,7 +3256,7 @@ def get_original_alerts_command(client: CoreClient, args: Dict) -> CommandResult
     reply = copy.deepcopy(raw_response)
     alerts = reply.get('alerts', [])
     filtered_alerts = []
-    for i, alert in enumerate(alerts):
+    for _i, alert in enumerate(alerts):
         # decode raw_response
         try:
             alert['original_alert_json'] = safe_load_json(alert.get('original_alert_json', ''))
@@ -3409,7 +3410,7 @@ def get_dynamic_analysis_command(client: CoreClient, args: Dict) -> CommandResul
     reply = copy.deepcopy(raw_response)
     alerts = reply.get('alerts', [])
     filtered_alerts = []
-    for i, alert in enumerate(alerts):
+    for _i, alert in enumerate(alerts):
         # decode raw_response
         try:
             alert['original_alert_json'] = safe_load_json(alert.get('original_alert_json', ''))
@@ -3458,7 +3459,7 @@ def create_request_filters(
         filters.append({
             'field': 'endpoint_status',
             'operator': 'IN',
-            'value': [status]
+            'value': status if isinstance(status, list) else [status]
         })
 
     if username:

Packs/ApiModules/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "ApiModules",
     "description": "API Modules",
     "support": "xsoar",
-    "currentVersion": "2.2.17",
+    "currentVersion": "2.2.18",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

Packs/Core/Integrations/CortexCoreIR/CortexCoreIR.yml

@@ -177,8 +177,9 @@ script:
       - asc
       - desc
     - auto: PREDEFINED
-      description: The status of the endpoint to filter.
+      description: A comma-separated list of endpoints statuses to filter.
       name: status
+      isArray: true
       predefined:
       - connected
       - disconnected

Packs/Core/Integrations/CortexCoreIR/README.md

@@ -98,7 +98,7 @@ Gets a list of endpoints, according to the passed filters. If there are no filte
 | limit | Maximum number of endpoints to return per page. The default and maximum is 30. Default is 30. | Optional | 
 | sort_by | Specifies whether to sort endpoints by the first time or last time they were seen. Can be "first_seen" or "last_seen". Possible values are: first_seen, last_seen. | Optional | 
 | sort_order | The order by which to sort results. Can be "asc" (ascending) or "desc" ( descending). Default set to asc. Possible values are: asc, desc. Default is asc. | Optional | 
-| status | The status of the endpoint to filter. Possible values are: connected, disconnected, lost, uninstalled. | Optional | 
+| status | A comma-separated list of endpoints statuses to filter. Possible values are: connected, disconnected, lost, uninstalled. | Optional |
 | username | The usernames to query for, accepts a single user, or comma-separated list of usernames. | Optional |
 
 #### Context Output

Packs/Core/ReleaseNotes/2_0_1.md

@@ -0,0 +1,6 @@
+
+#### Integrations
+
+##### Investigation & Response
+
+- Added support for multiple endpoint statuses when calling **core-get-endpoints**.

Packs/Core/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Core - Investigation and Response",
     "description": "Automates incident response",
     "support": "xsoar",
-    "currentVersion": "2.0.0",
+    "currentVersion": "2.0.1",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.yml

@@ -740,7 +740,7 @@ script:
       - 'true'
       - 'false'
   - arguments:
-    - description: 'A comma-separated list of enpoint statuses to filter. Valid values are: connected, disconnected, lost, uninstalled, windows, linux, macos, android, isolated, unisolated'
+    - description: 'A comma-separated list of endpoints statuses to filter. Valid values are: connected, disconnected, lost, uninstalled, windows, linux, macos, android, isolated, unisolated'
       name: status
       isArray: true
     - description: A comma-separated list of endpoint IDs.

Packs/CortexXDR/Integrations/CortexXDRIR/README.md

@@ -923,7 +923,7 @@ Builtin Roles with this permission includes: "Privileged Responder", "Viewer" an
 
 | **Argument Name** | **Description** | **Required** |
 | --- | --- | --- |
-| status | The status of the endpoint to filter. Possible values are: connected, disconnected, lost, uninstalled. | Optional | 
+| status | A comma-separated list of endpoints statuses to filter. Valid values are: connected, disconnected, lost, uninstalled, windows, linux, macos, android, isolated, unisolated. | Optional |
 | endpoint_id_list | A comma-separated list of endpoint IDs. | Optional | 
 | dist_name | A comma-separated list of distribution package names or installation package names.<br/>Example: dist_name1,dist_name2. | Optional | 
 | ip_list | A comma-separated list of IP addresses.<br/>Example: 8.8.8.8,1.1.1.1. | Optional | 

Packs/CortexXDR/ReleaseNotes/5_0_2.md

@@ -0,0 +1,6 @@
+
+#### Integrations
+
+##### Palo Alto Networks Cortex XDR - Investigation and Response
+
+- Added support for multiple endpoint statuses when calling **xdr-get-endpoints**.

Packs/CortexXDR/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Cortex XDR by Palo Alto Networks",
     "description": "Automates Cortex XDR incident response, and includes custom Cortex XDR incident views and layouts to aid analyst investigations.",
     "support": "xsoar",
-    "currentVersion": "5.0.1",
+    "currentVersion": "5.0.2",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",