Code42 new playbooks (#26431)

* Code42 new playbooks (#25702) * add mapping update to release notes * add new playbooks * layout update * linting and Security Alert playbook file rename * update Security Alert description * update version/release notes * Remove error handling around v1/v2 commands * add integration fix note in release notes * bump py42 docker image * remove test for file-events-search returning error * update playbooks to use code42-file-events-search instead of code42-securitydata-search * bump container version * remove 3_1_5.md change * update docker images * playbook PR feedback * bump to 3.1.7 * add departing employee playbook update * add new hire playbook update * departing employee auto add playbook update * departing employee cleanup playbook update * new hire auto add playbook update * new hire cleanup playbook update * remove departing employees playbook update * remove new hire playbook update * fix incident query * bump version * add `code42-get-user-risk-profile` command * update release notes * fix get user risk profile name and add test * playbook updates with new code42-user-get-risk-profile command * validation * validation * correct release notes docker image * add unit test for Code42FileEventsToMarkdownTable script * update docker image * updated docker image --------- Co-authored-by: Tim Abramson <tim.abramson@code42.com> Co-authored-by: merit <meretmaayta@gmail.com>
demisto · May 10, 2023 · 78022b1 · 78022b1
1 parent 5cf4cfe
commit 78022b1
Show file tree

Hide file tree

Showing 49 changed files with 7,684 additions and 183 deletions.
diff --git a/Packs/Code42/Integrations/Code42/Code42.py b/Packs/Code42/Integrations/Code42/Code42.py
@@ -972,9 +972,6 @@ def highriskemployee_remove_risk_tags_command(client, args):
 
 @logger
 def securitydata_search_command(client, args):
-    file_events_version = demisto.incident()["CustomFields"].get("code42fileeventsversion", "1")
-    if file_events_version == "2":
-        return_error("Integration has been configured for V2 file events, use '!code42-file-events-search' instead.")
     code42_security_data_context = []
     _json = args.get("json")
     file_context = []
@@ -1021,9 +1018,6 @@ def securitydata_search_command(client, args):
 
 @logger
 def file_events_search_command(client, args):
-    file_events_version = demisto.incident()["CustomFields"].get("code42fileeventsversion", "1")
-    if file_events_version != "2":
-        return_error("The current incident was created with V1 file events, use '!code42-securitydata-search' instead.")
     json_query = args.get("json")
     add_to_context = argToBoolean(args.get("add-to-context"))
     page_size = arg_to_number(args.get("results"), arg_name="results")
@@ -1295,6 +1289,23 @@ def update_user_risk_profile(client, args):
     )
 
 
+@logger
+def get_user_risk_profile(client, args):
+    username = args.get("username")
+    resp = client.sdk.userriskprofile.get_by_username(username)
+    outputs = {
+        "Username": username,
+        "EndDate": resp.data.get("endDate"),
+        "StartDate": resp.data.get("startDate"),
+        "Notes": resp.data.get("notes"),
+    }
+    return CommandResults(
+        outputs_prefix="Code42.UserRiskProfiles",
+        outputs_key_field="Profile",
+        outputs=outputs,
+    )
+
+
 @logger
 def remove_user_from_watchlist_command(client, args):
     username = args.get("username")
@@ -1569,6 +1580,7 @@ def main():
         "code42-user-unblock": user_unblock_command,
         "code42-user-deactivate": user_deactivate_command,
         "code42-user-reactivate": user_reactivate_command,
+        "code42-user-get-risk-profile": get_user_risk_profile,
         "code42-user-update-risk-profile": update_user_risk_profile,
         "code42-legalhold-add-user": legal_hold_add_user_command,
         "code42-legalhold-remove-user": legal_hold_remove_user_command,

diff --git a/Packs/Code42/Integrations/Code42/Code42.yml b/Packs/Code42/Integrations/Code42/Code42.yml
@@ -952,6 +952,28 @@ script:
     - contextPath: Code42.WatchlistUsers.AddedTime
       description: The datetime the user was added to the watchlist.
       type: datetime
+  - name: code42-user-get-risk-profile
+    description: Get the risk profile details for a given user
+    arguments:
+      - name: username
+        description: The user to get risk profile for.
+        required: true
+        secret: false
+        isArray: false
+        default: false
+    outputs:
+      - contextPath: Code42.UserRiskProfiles.Username
+        description: The username.
+        type: string
+      - contextPath: Code42.UserRiskProfiles.StartDate
+        description: The startDate value of the UserRiskProfile.
+        type: date
+      - contextPath: Code42.UserRiskProfiles.EndDate
+        description: The startDate value of the UserRiskProfile.
+        type: date
+      - contextPath: Code42.UserRiskProfiles.Notes
+        description: The notes value of the UserRiskProfile.
+        type: string
   - name: code42-user-update-risk-profile
     description: Update a user's risk profile.
     arguments:
@@ -1013,7 +1035,7 @@ script:
       - all
       - incident
       - searches
-  dockerimage: demisto/py42:1.0.0.56463
+  dockerimage: demisto/py42:1.0.0.58221
   feed: false
   isfetch: true
   longRunning: false

diff --git a/Packs/Code42/Integrations/Code42/Code42_test.py b/Packs/Code42/Integrations/Code42/Code42_test.py
@@ -33,6 +33,7 @@
     user_deactivate_command,
     user_reactivate_command,
     update_user_risk_profile,
+    get_user_risk_profile,
     legal_hold_add_user_command,
     legal_hold_remove_user_command,
     list_watchlists_command,
@@ -1196,10 +1197,11 @@ def code42_users_mock(code42_sdk_mock, mocker):
 
 @pytest.fixture
 def code42_user_risk_profile_mock(code42_sdk_mock, mocker):
-    update_risk_profile_response = create_mock_code42_sdk_response(
+    risk_profile_response = create_mock_code42_sdk_response(
         mocker, MOCK_USER_RISK_PROFILE_RESPONSE
     )
-    code42_sdk_mock.userriskprofile.update.return_value = update_risk_profile_response
+    code42_sdk_mock.userriskprofile.get_by_username.return_value = risk_profile_response
+    code42_sdk_mock.userriskprofile.update.return_value = risk_profile_response
     return code42_sdk_mock
 
 
@@ -2027,6 +2029,20 @@ def test_user_reactivate_command(code42_users_mock):
     code42_users_mock.users.reactivate.assert_called_once_with(123456)
 
 
+def test_user_get_risk_profile_command(code42_user_risk_profile_mock):
+    client = _create_client(code42_user_risk_profile_mock)
+    cmd_res = get_user_risk_profile(client, args={"username": "profile@example.com"})
+    assert cmd_res.raw_response == {
+        "EndDate": {"day": 10, "month": 10, "year": 2023},
+        "Notes": "test update",
+        "StartDate": {"day": 10, "month": 10, "year": 2020},
+        "Username": "profile@example.com",
+    }
+    assert cmd_res.outputs["EndDate"] == {"day": 10, "month": 10, "year": 2023}
+    assert cmd_res.outputs_prefix == "Code42.UserRiskProfiles"
+    code42_user_risk_profile_mock.userriskprofile.get_by_username.assert_called_once_with("profile@example.com")
+
+
 def test_user_update_risk_profile_command(code42_user_risk_profile_mock):
     client = _create_client(code42_user_risk_profile_mock)
     cmd_res = update_user_risk_profile(
@@ -2511,24 +2527,6 @@ def test_security_data_search_command_searches_exposure_exists_when_no_exposure_
     assert len(filter_groups) == 3
 
 
-def test_file_events_search_command_returns_error_when_v2_events_not_configured(
-    mocker, code42_file_events_mock
-):
-    mock_demisto = mocker.patch("Code42.demisto")
-    mock_demisto.params.return_value = {"v2_events": False}
-    client = _create_client(code42_file_events_mock)
-    with pytest.raises(SystemExit):
-        file_events_search_command(
-            client,
-            args={
-                "hash": "d41d8cd98f00b204e9800998ecf8427e",
-                "hostname": "DESKTOP-0001",
-                "username": "user3@example.com",
-                "results": 50,
-            },
-        )
-
-
 def test_file_events_search_command_returns_only_table_when_add_to_context_false(
     mocker, code42_file_events_mock
 ):

diff --git a/Packs/Code42/Integrations/Code42/README.md b/Packs/Code42/Integrations/Code42/README.md
@@ -635,6 +635,30 @@ List all users who have been explicitly added to a given watchlist.
 | Code42.WatchlistUsers.Username | string | The username on the watchlist. | 
 | Code42.WatchlistUsers.AddedTime | datetime | The datetime the user was added to the watchlist. | 
 
+### code42-get-user-risk-profile
+
+***
+Get the risk profile details for a given user.
+
+#### Base Command
+
+`code42-user-get-risk-profile`
+
+#### Input
+
+| **Argument Name** | **Description** | **Required** |
+| --- | --- | --- |
+| username | The user to get risk profile for. | Required | 
+
+#### Context Output
+
+| **Path** | **Type** | **Description** |
+| --- | --- | --- |
+| Code42.UserRiskProfiles.Username | string | The username. | 
+| Code42.UserRiskProfiles.StartDate | date | The startDate value of the UserRiskProfile. | 
+| Code42.UserRiskProfiles.EndDate | date | The startDate value of the UserRiskProfile. | 
+| Code42.UserRiskProfiles.Notes | string | The notes value of the UserRiskProfile. | 
+
 ### code42-user-update-risk-profile
 
 ***