added sort field and direction to event-search and alert-search (#26413)

* added sort field and direction to event-search and alert-search

* updated release notes

* updated release notes

* changed docker version

* Updated release notes

* Update Packs/PrismaCloud/ReleaseNotes/4_1_0.md

* fixed flake8 errors

---------

Co-authored-by: Judah Schwartz <JudahSchwartz@users.noreply.github.com>

Packs/PrismaCloud/Integrations/PrismaCloudV2/PrismaCloudV2.py

@@ -193,10 +193,15 @@ def config_search_request(self, time_range: Dict[str, Any], query: str, limit: O
 
         return self._http_request('POST', 'search/config', json_data=data)
 
-    def event_search_request(self, time_range: Dict[str, Any], query: str, limit: Optional[int] = None):
+    def event_search_request(self,
+                             time_range: Dict[str, Any],
+                             query: str,
+                             limit: Optional[int] = None,
+                             sort_by: Optional[List[Dict[str, str]]] = None):
         data = remove_empty_values({'limit': limit,
                                     'query': query,
                                     'timeRange': time_range,
+                                    'sort': sort_by,
                                     })
 
         return self._http_request('POST', 'search/event', json_data=data)
@@ -936,8 +941,13 @@ def alert_search_command(client: Client, args: Dict[str, Any]) -> CommandResults
                                      amount_value=arg_to_number(args.get('time_range_value')),
                                      time_from=args.get('time_range_date_from'),
                                      time_to=args.get('time_range_date_to'))
+    sort_by = (
+        [f'{sort_field}:{args.get("sort_direction")}']
+        if (sort_field := args.get('sort_field'))
+        else None
+    )
 
-    response = client.alert_search_request(time_filter, filters, limit, detailed, next_token)
+    response = client.alert_search_request(time_filter, filters, limit, detailed, next_token, sort_by)
     response_items = response.get('items', [])
     next_page_token = response.get('nextPageToken')
     for response_item in response_items:
@@ -1202,8 +1212,14 @@ def event_search_command(client: Client, args: Dict[str, Any]) -> CommandResults
                                      amount_value=arg_to_number(args.get('time_range_value')),
                                      time_from=args.get('time_range_date_from'),
                                      time_to=args.get('time_range_date_to'))
+    sort_by = [
+        {
+            'field': sort_field,
+            'direction': args.get('sort_direction'),
+        }
+    ] if (sort_field := args.get('sort_field')) else None
 
-    response = client.event_search_request(time_filter, str(query), limit)
+    response = client.event_search_request(time_filter, str(query), limit, sort_by)
     response_items = response.get('data', {}).get('items', [])
     for response_item in response_items:
         change_timestamp_to_datestring_in_dict(response_item)

Packs/PrismaCloud/Integrations/PrismaCloudV2/PrismaCloudV2.yml

@@ -88,7 +88,7 @@ script:
   script: ''
   type: python
   subtype: python3
-  dockerimage: demisto/python3:3.10.11.54132
+  dockerimage: demisto/python3:3.10.11.57890
   isfetch: true
   commands:
   - arguments:
@@ -500,6 +500,29 @@ script:
       name: next_token
       required: false
       secret: false
+    - default: false
+      description: 'The field to sort the results by. Possible values are: alertTime,firstSeen,lastSeen,lastUpdated.'
+      isArray: false
+      name: sort_field
+      required: false
+      secret: false
+      auto: PREDEFINED
+      predefined:
+        - alertTime
+        - firstSeen
+        - lastSeen
+        - lastUpdated
+    - default: false
+      description: 'The direction to sort the results by. Sort field must be specified if sorting. Possible values are: asc, desc. Default is asc.'
+      isArray: false
+      name: sort_direction
+      required: false
+      secret: false
+      defaultValue: asc
+      auto: PREDEFINED
+      predefined:
+        - asc
+        - desc
     description: Search alerts on the Prisma Cloud platform. When no absolute time nor relative time arguments are provided, the search will show alerts from the last 7 days.
     execution: false
     name: prisma-cloud-alert-search
@@ -772,6 +795,33 @@ script:
       name: limit
       required: false
       secret: false
+    - default: false
+      description: 'The field to sort the results by. Possible values are: cloudService, operation, cloudAccount, cloudRegion, id, time, crud, user.'
+      isArray: false
+      name: sort_field
+      required: false
+      secret: false
+      auto: PREDEFINED
+      predefined:
+        - cloudService
+        - operation
+        - cloudAccount
+        - cloudRegion
+        - id
+        - time
+        - crud
+        - user
+    - default: false
+      description: 'The direction to sort the results by. Sort field must be specified if sorting. Possible values are: asc, desc. Default is asc.'
+      isArray: false
+      name: sort_direction
+      required: false
+      secret: false
+      defaultValue: asc
+      auto: PREDEFINED
+      predefined:
+        - asc
+        - desc
     description: Search events inventory on the Prisma Cloud platform using RQL language. Use this command for all queries that start with "event". When no absolute time nor relative time arguments are provided, the default time range is all times.
     execution: false
     name: prisma-cloud-event-search

Packs/PrismaCloud/Integrations/PrismaCloudV2/README.md

@@ -752,6 +752,8 @@ Search alerts on the Prisma Cloud platform. When no absolute time nor relative t
 | detailed | Whether to retrieve the entire / trimmed alert model. Possible values are: true, false. Default is true. | Optional | 
 | limit | Maximum number of entries to return. Default is 50. | Optional | 
 | next_token | Token of the next page to retrive. When provided, other arguments are ignored. | Optional | 
+| sort_field | The field to sort the results by. Possible values are: alertTime,firstSeen,lastSeen,lastUpdated. | Optional | 
+| sort_direction | The direction to sort the results by. Sort field must be specified if sorting. Possible values are: asc, desc. Default is asc. | Optional | 
 
 #### Context Output
 
@@ -1154,6 +1156,8 @@ Search events inventory on the Prisma Cloud platform using RQL language. Use thi
 | time_range_value | The amount of "time_range_unit" to go back in time. For example, 3 days, 5 weeks, etc. | Optional | 
 | query | Query to run in Prisma Cloud event API using RQL language. For more information see: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-rql-reference/rql-reference/event-query. | Required | 
 | limit | Maximum number of entries to return. Default is 50. | Optional | 
+| sort_field | The field to sort the results by. Possible values are: cloudService, operation, cloudAccount, cloudRegion, id, time, crud, user. | Optional | 
+| sort_direction | The direction to sort the results by. Sort field must be specified if sorting. Possible values are: asc, desc. Default is asc. | Optional | 
 
 #### Context Output
 

Packs/PrismaCloud/ReleaseNotes/4_1_0.md

@@ -0,0 +1,6 @@
+
+#### Integrations
+
+##### Prisma Cloud v2
+
+- Added the *sort_field* and *sort_direction* arguments to the *prisma-cloud-event-search* and *prisma-cloud-alert-search* commands.

Packs/PrismaCloud/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Prisma Cloud by Palo Alto Networks",
     "description": "Automate and unify security incident response across your cloud environments, while still giving a degree of control to dedicated cloud teams.",
     "support": "xsoar",
-    "currentVersion": "4.0.1",
+    "currentVersion": "4.1.0",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",