XDR Expandr-3361 (#30662)

* XDR Expandr-3361 (#30308) * updates * README and lint updates * RN * docker * update RN * Apply suggestions from code review Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * bump ver * bump docker * PR feedback * test change XDR MP on integration * more MP check * GR100 fixes * update RN * description changes and bump * GR100 and README * bump XDR ver * bump ver * fix GR100 --------- Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * resolve conflicts * fix period issue * update docker image * revert . issue * fix gr100 * add RN to cft01 * update RN * review fix * update docker image * update RN * update RN- core * update RN, change docker image, delete RN for APIModule * update RN, change docker image * Update 5_2_6.md * update RN, change docker image * add pack ignore, add timeout * fix RN and docs * Update 1_0_1.md * fix rn * Bump pack from version ctf01 to 1.0.2. --------- Co-authored-by: johnnywilkes <32227961+johnnywilkes@users.noreply.github.com> Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> Co-authored-by: sapirshuker <sshuker@paloaltonetworks.com> Co-authored-by: Sapir Shuker <49246861+sapirshuker@users.noreply.github.com> Co-authored-by: melamedbn <bmelamed@paloaltonetworks.com> Co-authored-by: Content Bot <bot@demisto.com>
demisto · Nov 14, 2023 · c76c951 · c76c951
1 parent 043bb53
commit c76c951
Show file tree

Hide file tree

Showing 49 changed files with 333 additions and 144 deletions.
diff --git a/Packs/ApiModules/.pack-ignore b/Packs/ApiModules/.pack-ignore
@@ -17,4 +17,16 @@ ignore=BA124
 ignore=BA124
 
 [tests_require_network]
-NGINXApiModule
+NGINXApiModule
+
+[file:CSVFeedApiModule.yml]
+ignore=DS108
+
+[file:MicrosoftApiModule.yml]
+ignore=DS108
+
+[file:TAXII2ApiModule.yml]
+ignore=DS108
+
+[file:JSONFeedApiModule.yml]
+ignore=DS108
diff --git a/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule.py b/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule.py
@@ -152,6 +152,7 @@ def get_endpoints(self,
                       endpoint_id_list=None,
                       dist_name=None,
                       ip_list=None,
+                      public_ip_list=None,
                       group_name=None,
                       platform=None,
                       alias_name=None,
@@ -181,7 +182,7 @@ def get_endpoints(self,
             status=status, username=username, endpoint_id_list=endpoint_id_list, dist_name=dist_name,
             ip_list=ip_list, group_name=group_name, platform=platform, alias_name=alias_name, isolate=isolate,
             hostname=hostname, first_seen_gte=first_seen_gte, first_seen_lte=first_seen_lte,
-            last_seen_gte=last_seen_gte, last_seen_lte=last_seen_lte
+            last_seen_gte=last_seen_gte, last_seen_lte=last_seen_lte, public_ip_list=public_ip_list
         )
 
         if search_from:
@@ -1809,6 +1810,7 @@ def get_endpoints_command(client, args):
     endpoint_id_list = argToList(args.get('endpoint_id_list'))
     dist_name = argToList(args.get('dist_name'))
     ip_list = argToList(args.get('ip_list'))
+    public_ip_list = argToList(args.get('public_ip_list'))
     group_name = argToList(args.get('group_name'))
     platform = argToList(args.get('platform'))
     alias_name = argToList(args.get('alias_name'))
@@ -1845,6 +1847,7 @@ def get_endpoints_command(client, args):
         endpoint_id_list=endpoint_id_list,
         dist_name=dist_name,
         ip_list=ip_list,
+        public_ip_list=public_ip_list,
         group_name=group_name,
         platform=platform,
         alias_name=alias_name,
@@ -3461,6 +3464,7 @@ def create_request_filters(
     endpoint_id_list: Optional[List] = None,
     dist_name: Optional[List] = None,
     ip_list: Optional[List] = None,
+    public_ip_list: Optional[List] = None,
     group_name: Optional[List] = None,
     platform: Optional[List] = None,
     alias_name: Optional[List] = None,
@@ -3509,6 +3513,13 @@ def create_request_filters(
             'value': ip_list
         })
 
+    if public_ip_list:
+        filters.append({
+            'field': 'public_ip_list',
+            'operator': 'in',
+            'value': public_ip_list
+        })
+
     if group_name:
         filters.append({
             'field': 'group_name',

diff --git a/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule.yml b/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule.yml
@@ -12,5 +12,7 @@ comment: Common Core IR Client, provides generic Infrastructure.
 scripttarget: 0
 dependson: {}
 timeout: 0s
-dockerimage: demisto/python3:3.10.1.27636
+dockerimage: demisto/python3:3.10.13.78960
 fromversion: 5.0.0
+tests:
+- No tests (auto formatted)
diff --git a/Packs/ApiModules/pack_metadata.json b/Packs/ApiModules/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "ApiModules",
     "description": "API Modules",
     "support": "xsoar",
-    "currentVersion": "2.2.20",
+    "currentVersion": "2.2.21",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",
@@ -13,6 +13,7 @@
     "keywords": [],
     "marketplaces": [
         "xsoar",
-        "marketplacev2"
+        "marketplacev2",
+        "xpanse"
     ]
 }
diff --git a/Packs/Core/Integrations/CortexCoreIR/CortexCoreIR.yml b/Packs/Core/Integrations/CortexCoreIR/CortexCoreIR.yml
@@ -100,19 +100,24 @@ script:
       isArray: true
       name: dist_name
     - description: |-
-        A comma-separated list of IP addresses.
-        Example: 8.8.8.8,1.1.1.1.
+        A comma-separated list of private IP addresses.
+        Example: 10.1.1.1,192.168.1.1.
       isArray: true
       name: ip_list
+    - description: |-
+        A comma-separated list of public IP addresses that correlate to the last IPv4 address from which the Cortex XDR agent connected (know as `Last Origin IP`).
+        Example: 8.8.8.8,1.1.1.1.
+      isArray: true
+      name: public_ip_list
     - description: |-
         The group name to which the agent belongs.
         Example: group_name1,group_name2.
       isArray: true
       name: group_name
-    - auto: PREDEFINED
-      description: 'The endpoint platform. Valid values are\: "windows", "linux", "macos", or "android". '
+    - description: 'The endpoint platform. Valid values are\: "windows", "linux", "macos", or "android". '
       isArray: true
       name: platform
+      auto: PREDEFINED
       predefined:
       - windows
       - linux
@@ -121,19 +126,20 @@ script:
     - description: |-
         A comma-separated list of alias names.
         Examples: alias_name1,alias_name2.
-      isArray: true
       name: alias_name
-    - auto: PREDEFINED
-      description: Specifies whether the endpoint was isolated or unisolated.
+      isArray: true
+    - description: |-
+        Specifies whether the endpoint was isolated or unisolated.
       name: isolate
+      auto: PREDEFINED
       predefined:
       - isolated
       - unisolated
     - description: |-
         Hostname
         Example: hostname1,hostname2.
-      isArray: true
       name: hostname
+      isArray: true
     - description: |-
         All the agents that were first seen after {first_seen_gte}.
         Supported values:
@@ -165,26 +171,26 @@ script:
     - defaultValue: '0'
       description: Page number (for pagination). The default is 0 (the first page).
       name: page
-    - defaultValue: '30'
-      description: Maximum number of endpoints to return per page. The default and maximum is 30.
+    - description: Maximum number of endpoints to return per page. The default and maximum is 30.
       name: limit
+      defaultValue: '30'
     - auto: PREDEFINED
       description: Specifies whether to sort endpoints by the first time or last time they were seen. Can be "first_seen" or "last_seen".
       name: sort_by
       predefined:
       - first_seen
       - last_seen
     - auto: PREDEFINED
-      defaultValue: asc
       description: The order by which to sort results. Can be "asc" (ascending) or "desc" ( descending). Default set to asc.
       name: sort_order
       predefined:
       - asc
       - desc
-    - auto: PREDEFINED
+      defaultValue: asc
+    - name: status
       description: A comma-separated list of endpoints statuses to filter.
-      name: status
       isArray: true
+      auto: PREDEFINED
       predefined:
       - connected
       - disconnected
@@ -2864,7 +2870,7 @@ script:
   script: '-'
   subtype: python3
   type: python
-  dockerimage: demisto/python3:3.10.13.78960
+  dockerimage: demisto/python3:3.10.13.80014
 tests:
 - No tests
 fromversion: 6.2.0
diff --git a/Packs/Core/Integrations/CortexCoreIR/README.md b/Packs/Core/Integrations/CortexCoreIR/README.md
@@ -84,7 +84,8 @@ Gets a list of endpoints, according to the passed filters. If there are no filte
 | --- | --- | --- |
 | endpoint_id_list | A comma-separated list of endpoint IDs. | Optional | 
 | dist_name | A comma-separated list of distribution package names or installation package names. <br/>Example: dist_name1,dist_name2. | Optional | 
-| ip_list | A comma-separated list of IP addresses.<br/>Example: 8.8.8.8,1.1.1.1. | Optional | 
+| ip_list | A comma-separated list of private IP addresses.<br/> Example: 10.1.1.1,192.168.1.1. | Optional | 
+| public_ip_list | A comma-separated list of public IP addresses that correlate to the last IPv4 address from which the Cortex XDR agent connected (know as `Last Origin IP`).<br/>Example: 8.8.8.8,1.1.1.1. | Optional | 
 | group_name | The group name to which the agent belongs.<br/>Example: group_name1,group_name2. | Optional | 
 | platform | The endpoint platform. Valid values are\: "windows", "linux", "macos", or "android". . Possible values are: windows, linux, macos, android. | Optional | 
 | alias_name | A comma-separated list of alias names.<br/>Examples: alias_name1,alias_name2. | Optional | 

diff --git a/Packs/Core/ReleaseNotes/2_1_2.md b/Packs/Core/ReleaseNotes/2_1_2.md
@@ -0,0 +1,6 @@
+
+#### Integrations
+
+##### Investigation & Response
+- Updated the Docker image to: *demisto/python3:3.10.13.80014*.
+- Added the *public_ip_list* argument for the ***core-get-endpoints*** command.
diff --git a/Packs/Core/pack_metadata.json b/Packs/Core/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Core - Investigation and Response",
     "description": "Automates incident response",
     "support": "xsoar",
-    "currentVersion": "2.1.1",
+    "currentVersion": "2.1.2",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

diff --git a/Packs/CortexXDR/.pack-ignore b/Packs/CortexXDR/.pack-ignore
@@ -54,6 +54,10 @@ xql
 indicatorsvalues
 setindicators
 printerrorentry
+SSO
+RDP
+XCLOUD
+Cryptomining
 
 [file:classifier-PaloAltoNetworks_CortexXDR.json]
 ignore=BA101
@@ -122,4 +126,7 @@ ignore=IF115
 ignore=IF115
 
 [file:CortexXDRInvestigationVerdict.yml]
-ignore=BA124
+ignore=BA124
+
+[file:XDR_Last_Mirrored_In_Time.json]
+ignore=IF113
diff --git a/Packs/CortexXDR/IncidentTypes/Cortex_XDR_Incident.json b/Packs/CortexXDR/IncidentTypes/Cortex_XDR_Incident.json
@@ -21,5 +21,8 @@
 	"weeks": 0,
 	"weeksR": 0,
 	"fromVersion": "6.0.0",
-	"layout": "Cortex XDR Incident"
+	"layout": "Cortex XDR Incident",
+	"marketplaces": [
+        "xsoar"
+    ]
 }
diff --git a/Packs/CortexXDR/IncidentTypes/Cortex_XDR_Incident_5_9_9.json b/Packs/CortexXDR/IncidentTypes/Cortex_XDR_Incident_5_9_9.json
@@ -22,5 +22,8 @@
 	"weeksR": 0,
 	"fromVersion": "5.0.0",
 	"toVersion": "5.9.9",
-	"layout": "Cortex XDR Incident"
+	"layout": "Cortex XDR Incident",
+	"marketplaces": [
+        "xsoar"
+    ]
 }
diff --git a/Packs/CortexXDR/IncidentTypes/incidenttype-Cortex_XDR_-_Lite.json b/Packs/CortexXDR/IncidentTypes/incidenttype-Cortex_XDR_-_Lite.json
@@ -24,6 +24,8 @@
     "version": -1,
     "weeks": 0,
     "weeksR": 0,
-    "fromVersion": "6.9.0"
-
+    "fromVersion": "6.9.0",
+    "marketplaces": [
+        "xsoar"
+    ]
 }
diff --git a/Packs/CortexXDR/IncidentTypes/incidenttype-Cortex_XDR_-_XCLOUD_Cryptomining.json b/Packs/CortexXDR/IncidentTypes/incidenttype-Cortex_XDR_-_XCLOUD_Cryptomining.json
@@ -26,5 +26,8 @@
         "mode": "Specific",
         "fieldCliNameToExtractSettings": {}
     },
-    "fromVersion": "6.5.0"
+    "fromVersion": "6.5.0",
+    "marketplaces": [
+        "xsoar"
+    ]
 }
diff --git a/Packs/CortexXDR/IncidentTypes/incidenttype-XDR_Device_Control_Violations.json b/Packs/CortexXDR/IncidentTypes/incidenttype-XDR_Device_Control_Violations.json
@@ -18,5 +18,8 @@
     "version": -1,
     "weeks": 0,
     "weeksR": 0,
-    "fromVersion": "5.5.0"
+    "fromVersion": "5.5.0",
+    "marketplaces": [
+        "xsoar"
+    ]
 }
diff --git a/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.yml b/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.yml
@@ -780,10 +780,15 @@ script:
       isArray: true
       name: dist_name
     - description: |-
-        A comma-separated list of IP addresses.
-        Example: 8.8.8.8,1.1.1.1.
+        A comma-separated list of private IP addresses.
+        Example: 10.1.1.1,192.168.1.1.
       isArray: true
       name: ip_list
+    - description: |-
+        A comma-separated list of public IP addresses that correlate to the last IPv4 address from which the Cortex XDR agent connected (know as `Last Origin IP`).
+        Example: 8.8.8.8,1.1.1.1.
+      isArray: true
+      name: public_ip_list
     - description: |-
         The group name to which the agent belongs.
         Example: group_name1,group_name2.
@@ -801,19 +806,20 @@ script:
     - description: |-
         A comma-separated list of alias names.
         Examples: alias_name1,alias_name2.
-      isArray: true
       name: alias_name
-    - auto: PREDEFINED
-      description: Specifies whether the endpoint was isolated or unisolated.
+      isArray: true
+    - description: |-
+        Specifies whether the endpoint was isolated or unisolated.
       name: isolate
+      auto: PREDEFINED
       predefined:
       - isolated
       - unisolated
     - description: |-
         Hostname
         Example: hostname1,hostname2.
-      isArray: true
       name: hostname
+      isArray: true
     - description: |-
         All the agents that were first seen after {first_seen_gte}.
         Supported values:
@@ -845,19 +851,19 @@ script:
     - defaultValue: '0'
       description: Page number (for pagination). The default is 0 (the first page).
       name: page
-    - defaultValue: '30'
-      description: Maximum number of endpoints to return per page. The default and maximum is 30.
+    - description: Maximum number of endpoints to return per page. The default and maximum is 30.
       name: limit
+      defaultValue: '30'
     - auto: PREDEFINED
       description: Specifies whether to sort endpoints by the first time or last time they were seen. Can be "first_seen" or "last_seen".
       name: sort_by
       predefined:
       - first_seen
       - last_seen
-    - auto: PREDEFINED
-      defaultValue: asc
+    - name: sort_order
       description: The order by which to sort results. Can be "asc" (ascending) or "desc" ( descending). Default set to asc.
-      name: sort_order
+      auto: PREDEFINED
+      defaultValue: asc
       predefined:
       - asc
       - desc
@@ -3466,7 +3472,7 @@ script:
       isArray: true
     name: xdr-remove-user-role
     description: Remove one or more users from a role.
-  dockerimage: demisto/python3:3.10.13.78960
+  dockerimage: demisto/python3:3.10.13.80014
   isfetch: true
   script: ''
   subtype: python3

diff --git a/Packs/CortexXDR/Integrations/CortexXDRIR/README.md b/Packs/CortexXDR/Integrations/CortexXDRIR/README.md
@@ -690,7 +690,8 @@ Builtin Roles with this permission includes: "Privileged Responder", "Viewer" an
 | status | A comma-separated list of endpoints statuses to filter. Valid values are: connected, disconnected, lost, uninstalled, windows, linux, macos, android, isolated, unisolated. | Optional |
 | endpoint_id_list | A comma-separated list of endpoint IDs. | Optional | 
 | dist_name | A comma-separated list of distribution package names or installation package names.<br/>Example: dist_name1,dist_name2. | Optional | 
-| ip_list | A comma-separated list of IP addresses.<br/>Example: 8.8.8.8,1.1.1.1. | Optional | 
+| ip_list | A comma-separated list of private IP addresses.<br/>Example: Example: 10.1.1.1,192.168.1.1. | Optional | 
+| public_ip_list | A comma-separated list of public IP addresses that correlate to the last IPv4 address from which the Cortex XDR agent connected (know as `Last Origin IP`).<br/>Example: 8.8.8.8,1.1.1.1. | Optional | 
 | group_name | The group name to which the agent belongs.<br/>Example: group_name1,group_name2. | Optional | 
 | platform | The endpoint platform. Valid values are\: "windows", "linux", "macos", or "android". . Possible values are: windows, linux, macos, android. | Optional | 
 | alias_name | A comma-separated list of alias names.<br/>Examples: alias_name1,alias_name2. | Optional | 

diff --git a/Packs/CortexXDR/Integrations/XDR_iocs/XDR_iocs.yml b/Packs/CortexXDR/Integrations/XDR_iocs/XDR_iocs.yml
@@ -203,7 +203,7 @@ script:
       required: true
     description: Disables IOCs in the XDR server.
     name: xdr-iocs-disable
-  dockerimage: demisto/python3:3.10.13.75921
+  dockerimage: demisto/python3:3.10.13.80014
   feed: true
   runonce: false
   script: '-'