Add incidents field (#30393) (#31233)

* add rawJSON field to incidents

* release notes

* update docker image tag

* nit

* fetching incident details

* mapper + incident fields

* remove incorrect incident field files

* new incident field files, new mapper

* sdk validate command changes

* update release noteS

* validation errors

* fix validation errors

* undo release notes changes

* undo release notes change

* undo release notes

* undo release notes

* undo release notes

* nit

* new release notes

* remove playbook id

* update docker image tag

* revert release notes

* revert RN

* nit- remove filters used for testing

* add details field to threats

* remove try/except blocks

* changing version

* Update Abnormal_Security_Custom_Incident_types.json change from version

* nit - remove changes used for demo

* updating docker image

* update docker image tag

---------

Co-authored-by: William Olyslager <wolyslager@abnormalsecurity.com>
Co-authored-by: sapirshuker <sshuker@paloaltonetworks.com>
Co-authored-by: Sapir Shuker <49246861+sapirshuker@users.noreply.github.com>

Packs/AbnormalSecurity/Classifiers/classifier-Abnormal_Security_Mapper.json

@@ -0,0 +1,172 @@
+{
+    "description": "",
+    "feed": false,
+    "id": "Abnormal Security - Incoming Mapper",
+    "mapping": {
+        "AbnormalSecurity": {
+            "dontMapEventToLabels": true,
+            "internalMapping": {
+                "Abnormal Security Abuse Campaign Attack Type": {
+                    "simple": "attackType"
+                },
+                "Abnormal Security Abuse Campaign First Reported": {
+                    "simple": "firstReported"
+                },
+                "Abnormal Security Abuse Campaign From Address": {
+                    "simple": "fromAddress"
+                },
+                "Abnormal Security Abuse Campaign From Name": {
+                    "simple": "fromName"
+                },
+                "Abnormal Security Abuse Campaign ID": {
+                    "simple": "campaignId"
+                },
+                "Abnormal Security Abuse Campaign Judgement Status": {
+                    "simple": "judgementStatus"
+                },
+                "Abnormal Security Abuse Campaign Last Reported": {
+                    "simple": "lastReported"
+                },
+                "Abnormal Security Abuse Campaign Message ID": {
+                    "simple": "messageId"
+                },
+                "Abnormal Security Abuse Campaign Overall Status": {
+                    "simple": "overallStatus"
+                },
+                "Abnormal Security Abuse Campaign Recipient Address": {
+                    "simple": "recipientAddress"
+                },
+                "Abnormal Security Abuse Campaign Recipient Name": {
+                    "simple": "recipientName"
+                },
+                "Abnormal Security Abuse Campaign Subject": {
+                    "simple": "subject"
+                },
+                "Abnormal Security Affected Employee": {
+                    "simple": "affectedEmployee"
+                },
+                "Abnormal Security Analysis": {
+                    "simple": "analysis"
+                },
+                "Abnormal Security Attachment Count": {
+                    "simple": "messages.attachmentCount"
+                },
+                "Abnormal Security Attachment Names": {
+                    "simple": "messages.attachmentNames"
+                },
+                "Abnormal Security Attack Strategy": {
+                    "simple": "messages.attackStrategy"
+                },
+                "Abnormal Security Attack Type": {
+                    "simple": "messages.attackType"
+                },
+                "Abnormal Security Attack Vector": {
+                    "simple": "messages.attackVector"
+                },
+                "Abnormal Security Attacked Party": {
+                    "simple": "messages.attackedParty"
+                },
+                "Abnormal Security Auto Remediated": {
+                    "simple": "messages.autoRemediated"
+                },
+                "Abnormal Security CC Emails": {
+                    "simple": "messages.ccEmails"
+                },
+                "Abnormal Security Case ID": {
+                    "simple": "caseId"
+                },
+                "Abnormal Security Case Status": {
+                    "simple": "case_status"
+                },
+                "Abnormal Security Customer Visible Time": {
+                    "simple": "customerVisibleTime"
+                },
+                "Abnormal Security First Observed Time": {
+                    "simple": "firstObserved"
+                },
+                "Abnormal Security From Address": {
+                    "simple": "messages.fromAddress"
+                },
+                "Abnormal Security From Name": {
+                    "simple": "messages.fromName"
+                },
+                "Abnormal Security Impersonated Party": {
+                    "simple": "messages.impersonatedParty"
+                },
+                "Abnormal Security Internet Message ID": {
+                    "simple": "messages.internetMessageId"
+                },
+                "Abnormal Security Is Read": {
+                    "simple": "messages.isRead"
+                },
+                "Abnormal Security Message ID": {
+                    "simple": "messages.abxMessageId"
+                },
+                "Abnormal Security Portal URL": {
+                    "simple": "messages.abxPortalUrl"
+                },
+                "Abnormal Security Post Remediated": {
+                    "simple": "messages.postRemediated"
+                },
+                "Abnormal Security Received Time": {
+                    "simple": "messages.receivedTime"
+                },
+                "Abnormal Security Recipient Address": {
+                    "simple": "messages.recipientAddress"
+                },
+                "Abnormal Security Remediation Status": {
+                    "simple": "messages.remediationStatus"
+                },
+                "Abnormal Security Remediation Timestamp": {
+                    "simple": "messages.remediationTimestamp"
+                },
+                "Abnormal Security Reply To Emails": {
+                    "simple": "messages.replyToEmails"
+                },
+                "Abnormal Security Return Path": {
+                    "simple": "messages.returnPath"
+                },
+                "Abnormal Security Sender Domain": {
+                    "simple": "messages.senderDomain"
+                },
+                "Abnormal Security Sender IP Address": {
+                    "simple": "messages.senderIpAddress"
+                },
+                "Abnormal Security Sent Time": {
+                    "simple": "messages.sentTime"
+                },
+                "Abnormal Security Severity": {
+                    "simple": "severity"
+                },
+                "Abnormal Security Severity Level": {
+                    "simple": "severity_level"
+                },
+                "Abnormal Security Subject": {
+                    "simple": "messages.subject"
+                },
+                "Abnormal Security Summary Insights": {
+                    "simple": "messages.summaryInsights"
+                },
+                "Abnormal Security Threat ID": {
+                    "simple": "messages.threatId"
+                },
+                "Abnormal Security Threat IDs": {
+                    "simple": "threatIds"
+                },
+                "Abnormal Security To Addresses": {
+                    "simple": "messages.toAddresses"
+                },
+                "Abnormal Security Url Count": {
+                    "simple": "messages.urlCount"
+                },
+                "URLs": {
+                    "simple": "messages.urls"
+                }
+            }
+        }
+    },
+    "name": "Abnormal Security - Incoming Mapper",
+    "type": "mapping-incoming",
+    "version": -1,
+    "fromVersion": "6.0.0"
+}

Packs/AbnormalSecurity/IncidentFields/incidentfields_Abnormal_Security_Abuse_Campaign_Attack_Type.json

@@ -0,0 +1,31 @@
+{
+    "id": "incident_abnormalsecurityabusecampaignattacktype",
+    "version": -1,
+    "modified": "2023-11-21T13:08:49.422094213Z",
+    "name": "Abnormal Security Abuse Campaign Attack Type",
+    "ownerOnly": false,
+    "cliName": "abnormalsecurityabusecampaignattacktype",
+    "type": "shortText",
+    "closeForm": false,
+    "editForm": true,
+    "required": false,
+    "neverSetAsRequired": false,
+    "isReadOnly": false,
+    "useAsKpi": false,
+    "locked": false,
+    "system": false,
+    "content": true,
+    "group": 0,
+    "hidden": false,
+    "openEnded": false,
+    "associatedTypes": [
+        "AbnormalSecurity"
+    ],
+    "associatedToAll": false,
+    "unmapped": false,
+    "unsearchable": true,
+    "caseInsensitive": true,
+    "sla": 0,
+    "threshold": 72,
+    "fromVersion": "6.0.0"
+}

Packs/AbnormalSecurity/IncidentFields/incidentfields_Abnormal_Security_Abuse_Campaign_First_Reported.json

@@ -0,0 +1,31 @@
+{
+    "id": "incident_abnormalsecurityabusecampaignfirstreported",
+    "version": -1,
+    "modified": "2023-11-21T13:05:22.276839408Z",
+    "name": "Abnormal Security Abuse Campaign First Reported",
+    "ownerOnly": false,
+    "cliName": "abnormalsecurityabusecampaignfirstreported",
+    "type": "shortText",
+    "closeForm": false,
+    "editForm": true,
+    "required": false,
+    "neverSetAsRequired": false,
+    "isReadOnly": false,
+    "useAsKpi": false,
+    "locked": false,
+    "system": false,
+    "content": true,
+    "group": 0,
+    "hidden": false,
+    "openEnded": false,
+    "associatedTypes": [
+        "AbnormalSecurity"
+    ],
+    "associatedToAll": false,
+    "unmapped": false,
+    "unsearchable": true,
+    "caseInsensitive": true,
+    "sla": 0,
+    "threshold": 72,
+    "fromVersion": "6.0.0"
+}

Packs/AbnormalSecurity/IncidentFields/incidentfields_Abnormal_Security_Abuse_Campaign_From_Address.json

@@ -0,0 +1,31 @@
+{
+    "id": "incident_abnormalsecurityabusecampaignfromaddress",
+    "version": -1,
+    "modified": "2023-11-21T13:06:55.200764198Z",
+    "name": "Abnormal Security Abuse Campaign From Address",
+    "ownerOnly": false,
+    "cliName": "abnormalsecurityabusecampaignfromaddress",
+    "type": "shortText",
+    "closeForm": false,
+    "editForm": true,
+    "required": false,
+    "neverSetAsRequired": false,
+    "isReadOnly": false,
+    "useAsKpi": false,
+    "locked": false,
+    "system": false,
+    "content": true,
+    "group": 0,
+    "hidden": false,
+    "openEnded": false,
+    "associatedTypes": [
+        "AbnormalSecurity"
+    ],
+    "associatedToAll": false,
+    "unmapped": false,
+    "unsearchable": true,
+    "caseInsensitive": true,
+    "sla": 0,
+    "threshold": 72,
+    "fromVersion": "6.0.0"
+}

Packs/AbnormalSecurity/IncidentFields/incidentfields_Abnormal_Security_Abuse_Campaign_From_Name.json

@@ -0,0 +1,31 @@
+{
+    "id": "incident_abnormalsecurityabusecampaignfromname",
+    "version": -1,
+    "modified": "2023-11-21T13:06:39.326960647Z",
+    "name": "Abnormal Security Abuse Campaign From Name",
+    "ownerOnly": false,
+    "cliName": "abnormalsecurityabusecampaignfromname",
+    "type": "shortText",
+    "closeForm": false,
+    "editForm": true,
+    "required": false,
+    "neverSetAsRequired": false,
+    "isReadOnly": false,
+    "useAsKpi": false,
+    "locked": false,
+    "system": false,
+    "content": true,
+    "group": 0,
+    "hidden": false,
+    "openEnded": false,
+    "associatedTypes": [
+        "AbnormalSecurity"
+    ],
+    "associatedToAll": false,
+    "unmapped": false,
+    "unsearchable": true,
+    "caseInsensitive": true,
+    "sla": 0,
+    "threshold": 72,
+    "fromVersion": "6.0.0"
+}

Packs/AbnormalSecurity/IncidentFields/incidentfields_Abnormal_Security_Abuse_Campaign_ID.json

@@ -0,0 +1,31 @@
+{
+    "id": "incident_abnormalsecurityabusecampaignid",
+    "version": -1,
+    "modified": "2023-11-21T13:05:02.620809663Z",
+    "name": "Abnormal Security Abuse Campaign ID",
+    "ownerOnly": false,
+    "cliName": "abnormalsecurityabusecampaignid",
+    "type": "shortText",
+    "closeForm": false,
+    "editForm": true,
+    "required": false,
+    "neverSetAsRequired": false,
+    "isReadOnly": false,
+    "useAsKpi": false,
+    "locked": false,
+    "system": false,
+    "content": true,
+    "group": 0,
+    "hidden": false,
+    "openEnded": false,
+    "associatedTypes": [
+        "AbnormalSecurity"
+    ],
+    "associatedToAll": false,
+    "unmapped": false,
+    "unsearchable": true,
+    "caseInsensitive": true,
+    "sla": 0,
+    "threshold": 72,
+    "fromVersion": "6.0.0"
+}

Packs/AbnormalSecurity/IncidentFields/incidentfields_Abnormal_Security_Abuse_Campaign_Judgement_Status.json

@@ -0,0 +1,31 @@
+{
+    "id": "incident_abnormalsecurityabusecampaignjudgementstatus",
+    "version": -1,
+    "modified": "2023-11-21T13:08:10.092998231Z",
+    "name": "Abnormal Security Abuse Campaign Judgement Status",
+    "ownerOnly": false,
+    "cliName": "abnormalsecurityabusecampaignjudgementstatus",
+    "type": "shortText",
+    "closeForm": false,
+    "editForm": true,
+    "required": false,
+    "neverSetAsRequired": false,
+    "isReadOnly": false,
+    "useAsKpi": false,
+    "locked": false,
+    "system": false,
+    "content": true,
+    "group": 0,
+    "hidden": false,
+    "openEnded": false,
+    "associatedTypes": [
+        "AbnormalSecurity"
+    ],
+    "associatedToAll": false,
+    "unmapped": false,
+    "unsearchable": true,
+    "caseInsensitive": true,
+    "sla": 0,
+    "threshold": 72,
+    "fromVersion": "6.0.0"
+}