Replacing Qradar search PB with the representative command (#31328)

* Changed the QradarSearch PB to the relavent command * RN * RN * Changed the PB to be deprecated * Changed keys according to the new output * Resolve conflicts * Removed un required tests * Changed from simple to complex * Bump pack from version CommonPlaybooks to 2.4.40. * Added BC + updated the PB readme files * Added BC + updated the PB readme files * Bump pack from version QRadar to 2.4.46. * removed un-used script arguments ( ChangeContext script) --------- Co-authored-by: Content Bot <bot@demisto.com>
demisto · Dec 17, 2023 · 29995dd · 29995dd
1 parent f52519a
commit 29995dd
Show file tree

Hide file tree

Showing 17 changed files with 240 additions and 196 deletions.
diff --git a/Packs/CommonPlaybooks/Playbooks/playbook-SIEM_-_Search_for_Failed_logins.yml b/Packs/CommonPlaybooks/Playbooks/playbook-SIEM_-_Search_for_Failed_logins.yml
@@ -7,7 +7,7 @@ description: |-
   Supported Integrations:
   -Splunk
   -QRadar
-  -Azure Log Analytics
+  -Azure Log Analytics.
 starttaskid: "0"
 tasks:
   "0":
@@ -85,7 +85,7 @@ tasks:
       description: ''
     nexttasks:
       '#none#':
-      - "4"
+      - "24"
     separatecontext: false
     continueonerrortype: ""
     view: |-
@@ -225,50 +225,6 @@ tasks:
     quietmode: 2
     isoversize: false
     isautoswitchedtoquietmode: false
-  "4":
-    id: "4"
-    taskid: eaf023ca-5658-4d9d-887c-d65d088917d6
-    type: playbook
-    task:
-      id: eaf023ca-5658-4d9d-887c-d65d088917d6
-      version: -1
-      name: Search for failed logon attempts using QRadar
-      description: This playbook runs a QRadar query and return its results to the context.
-      playbookName: QRadarFullSearch
-      type: playbook
-      iscommand: false
-      brand: ""
-    nexttasks:
-      '#none#':
-      - "16"
-    scriptarguments:
-      interval:
-        simple: "1"
-      query_expression:
-        simple: select * from events WHERE LogSourceTypeName(deviceType) = 'Microsoft Windows Security Event Log' and username='${inputs.Username}' and "EventID"='4771'  or "EventID"='4625' and "Logon Type"='2' OR "Logon Type"='7' OR "Logon Type"='10' ${inputs.QRadarSearchTime}
-      timeout:
-        simple: "600"
-    separatecontext: true
-    continueonerrortype: ""
-    loop:
-      iscommand: false
-      exitCondition: ""
-      wait: 1
-      max: 0
-    view: |-
-      {
-        "position": {
-          "x": -440,
-          "y": 690
-        }
-      }
-    note: false
-    timertriggers: []
-    ignoreworker: false
-    skipunavailable: true
-    quietmode: 2
-    isoversize: false
-    isautoswitchedtoquietmode: false
   "5":
     id: "5"
     taskid: 945c3b67-2b94-4ac9-8c41-91e440bc38be
@@ -449,8 +405,8 @@ tasks:
     scriptarguments:
       array:
         complex:
-          root: QRadar.Search.Result
-          accessor: events
+          root: QRadar.SearchEvents
+          accessor: Events
       contextKey:
         simple: NumOfSiemFailedLogon
       extend-context:
@@ -540,8 +496,8 @@ tasks:
           left:
             value:
               complex:
-                root: QRadar.Search.Result
-                accessor: events
+                root: QRadar.SearchEvents
+                accessor: Events
             iscontext: true
           right:
             value: {}
@@ -715,6 +671,43 @@ tasks:
     quietmode: 2
     isoversize: false
     isautoswitchedtoquietmode: false
+  "24":
+    id: "24"
+    taskid: f8fa6689-2d97-4d84-895d-5c923b1b6751
+    type: regular
+    task:
+      id: f8fa6689-2d97-4d84-895d-5c923b1b6751
+      version: -1
+      name: Run Qradar Search
+      description: Polling command to search for events of a specific offense.
+      script: '|||qradar-search-retrieve-events'
+      type: regular
+      iscommand: true
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "16"
+    scriptarguments:
+      interval_in_seconds:
+        simple: "1"
+      query_expression:
+        simple: select * from events WHERE LogSourceTypeName(deviceType) = 'Microsoft Windows Security Event Log' and username='${inputs.Username}' and "EventID"='4771'  or "EventID"='4625' and "Logon Type"='2' OR "Logon Type"='7' OR "Logon Type"='10' ${inputs.QRadarSearchTime}
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": -440,
+          "y": 690
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: true
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
 system: true
 view: |-
   {
@@ -774,7 +767,7 @@ outputs:
 - contextPath: NumOfSiemFailedLogon
   description: Number of failed login from Siem.
   type: unknown
-- contextPath: QRadar.Search.Result
+- contextPath: QRadar.SearchEvents
   description: The result of the QRadar search.
 - contextPath: Splunk.Result
   description: The results of the Splunk search. The results are a JSON array, in which each item is a Splunk event.
@@ -783,5 +776,7 @@ outputs:
   type: unknown
 quiet: true
 tests:
-- No tests (auto formatted)
+  - No tests
 fromversion: 6.5.0
+contentitemexportablefields:
+  contentitemfields: {}
diff --git a/Packs/CommonPlaybooks/Playbooks/playbook-SIEM_-_Search_for_Failed_logins_README.md b/Packs/CommonPlaybooks/Playbooks/playbook-SIEM_-_Search_for_Failed_logins_README.md
@@ -3,26 +3,33 @@ This playbook searches for failed logon on a specific user by querying logs from
 Supported Integrations:
 -Splunk
 -QRadar
--Azure Log Analytics
+-Azure Log Analytics.
 
 ## Dependencies
+
 This playbook uses the following sub-playbooks, integrations, and scripts.
 
 ### Sub-playbooks
-* Search for failed logon attempts using QRadar
+
+This playbook does not use any sub-playbooks.
 
 ### Integrations
+
 This playbook does not use any integrations.
 
 ### Scripts
-* Set
+
 * CountArraySize
+* Set
 
 ### Commands
-* splunk-search
+
+* qradar-search-retrieve-events
 * azure-log-analytics-execute-query
+* splunk-search
 
 ## Playbook Inputs
+
 ---
 
 | **Name** | **Description** | **Default Value** | **Required** |
@@ -35,15 +42,18 @@ This playbook does not use any integrations.
 | Username | User name. |  | Optional |
 
 ## Playbook Outputs
+
 ---
 
 | **Path** | **Description** | **Type** |
 | --- | --- | --- |
 | NumOfSiemFailedLogon | Number of failed login from Siem. | unknown |
-| QRadar.Search.Result | The result of the QRadar search. | unknown |
+| QRadar.SearchEvents | The result of the QRadar search. | unknown |
 | Splunk.Result | The results of the Splunk search. The results are a JSON array, in which each item is a Splunk event. | unknown |
 | AzureFailedLogonLogs | The result of the Azure Log Analytics search. | unknown |
 
 ## Playbook Image
+
 ---
-![SIEM - Search for Failed logins](../doc_files/SIEM_-_Search_for_Failed_logins.png)
+
+![SIEM - Search for Failed logins](../doc_files/SIEM_-_Search_for_Failed_logins.png)
diff --git a/Packs/CommonPlaybooks/ReleaseNotes/2_4_40.json b/Packs/CommonPlaybooks/ReleaseNotes/2_4_40.json
@@ -0,0 +1 @@
+{"breakingChanges":true,"breakingChangesNotes":"The \"SIEM- Search for Failed logins\" playbook output context path was changed from QRadar.Search.Result.events to QRadar.SearchEvents.Events."}
diff --git a/Packs/CommonPlaybooks/ReleaseNotes/2_4_40.md b/Packs/CommonPlaybooks/ReleaseNotes/2_4_40.md
@@ -0,0 +1,6 @@
+
+#### Playbooks
+
+##### SIEM - Search for Failed logins
+
+Updated the deprecated sub-playbook 'QradarFullSearch' to the command 'qradar-search-retrieve-events'.
diff --git a/Packs/CommonPlaybooks/doc_files/SIEM_-_Search_for_Failed_logins.png b/Packs/CommonPlaybooks/doc_files/SIEM_-_Search_for_Failed_logins.png
diff --git a/Packs/CommonPlaybooks/pack_metadata.json b/Packs/CommonPlaybooks/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Common Playbooks",
     "description": "Frequently used playbooks pack.",
     "support": "xsoar",
-    "currentVersion": "2.4.39",
+    "currentVersion": "2.4.40",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

diff --git a/Packs/QRadar/Playbooks/playbook-QRadarFullSearch.yml b/Packs/QRadar/Playbooks/playbook-QRadarFullSearch.yml
@@ -1,7 +1,9 @@
 id: QRadarFullSearch
 version: -1
 name: QRadarFullSearch
-description: This playbook runs a QRadar query and return its results to the context.
+description: |-
+  Deprecated.Use the following command instead `qradar-search-retrieve-results`.
+  This playbook runs a QRadar query and return its results to the context.
 starttaskid: "0"
 tasks:
   "0":
@@ -450,6 +452,7 @@ outputs:
 tests:
 - No tests (auto formatted)
 fromversion: 5.0.0
+deprecated: true
 contentitemexportablefields:
   contentitemfields: {}
 system: true
diff --git a/Packs/QRadar/Playbooks/playbook-QRadarFullSearch_README.md b/Packs/QRadar/Playbooks/playbook-QRadarFullSearch_README.md
@@ -1,25 +1,32 @@
+Deprecated.Use the following command instead `qradar-search-retrieve-results`.
 This playbook runs a QRadar query and return its results to the context.
 
 ## Dependencies
+
 This playbook uses the following sub-playbooks, integrations, and scripts.
 
 ### Sub-playbooks
+
 * GenericPolling
 
 ### Integrations
-* QRadar_v2
+
 * QRadar
 * QRadar_v3
+* QRadar_v2
 
 ### Scripts
-This playbook does not use any scripts.
+
+* PrintErrorEntry
 
 ### Commands
+
 * qradar-get-search
-* qradar-get-search-results
 * qradar-searches
+* qradar-get-search-results
 
 ## Playbook Inputs
+
 ---
 
 | **Name** | **Description** | **Default Value** | **Required** |
@@ -31,12 +38,15 @@ This playbook does not use any scripts.
 | headers | Table headers |  | Optional |
 
 ## Playbook Outputs
+
 ---
 
 | **Path** | **Description** | **Type** |
 | --- | --- | --- |
 | QRadar.Search.Result | The result of the search | unknown |
 
 ## Playbook Image
+
 ---
-![QRadarFullSearch](../doc_files/QRadarFullSearch.png)
+
+![QRadarFullSearch](../doc_files/QRadarFullSearch.png)