From db16ec4707ec977778d7befaea4cbbd5eb2424b2 Mon Sep 17 00:00:00 2001 From: Mai Morag <81917647+maimorag@users.noreply.github.com> Date: Sun, 7 Apr 2024 10:58:10 +0300 Subject: [PATCH] Fixing incident alerts and artifacts is not populated (#33558) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * reproduce test case * fix * fix rl * adding a unit test that fail using the new incident format * adding the fix * removing logs * update * update * update * update * [Marketplace Contribution] NetskopeV2 - Content Pack Update (#33549) * [Marketplace Contribution] NetskopeV2 - Content Pack Update (#33527) * "contribution update to pack 'NetskopeV2'" * Update 1_0_3.md * remove empty display * Remove duplicate API Key parameter in table --------- Co-authored-by: Randy Baldwin <32545292+randomizerxd@users.noreply.github.com> * Update Packs/NetskopeV2/ReleaseNotes/1_0_3.md --------- Co-authored-by: xsoar-bot <67315154+xsoar-bot@users.noreply.github.com> Co-authored-by: Randy Baldwin <32545292+randomizerxd@users.noreply.github.com> Co-authored-by: merit-maita <49760643+merit-maita@users.noreply.github.com> * Ciac 985 qradar (#33239) * Add ID argument to QRadar_V3 qradar_log_sources_list * remove redundant parantheses * Add qradar-event-collectors-list command to QRadar_V3 * Add wincollect-destinations-list command to QRadar_V3 * Add qradar-disconnected-log-collectors-list command to QRadar_V3 * Fix command description on qradar-disconnected-log-collectors-list * Start building log-source-types command in QRadar_v3 * Build log-source-types-list command on QRadar_v3 * Build log-source-extensions-list command on QRadar_v3 * Build log-source-languages-list command on QRadar_v3 * Build log-source-groups-list command on QRadar_v3 * Remove unnecessary field from log-source-types HR on QRadar_V3 * Add qradar-log-source-protocol-types command to QRadar_V3 * Add qradar-log-source-delete command to QRadar_V3 * Add qradar-log-source-create command to QRadar_V3 * Clean qradar-log-source-create command * add qradar-log-source-update command to QRadar_v3 and make some bug fixes to old commands * start writing tests * checkout * Address CR * Update Packs/QRadar/Integrations/QRadar_v3/QRadar_v3.yml Co-authored-by: Judah Schwartz * Address CR * Add commands to playbook and fix bugs * Fix playbook * Menually merge master tpb * merge in master * checkout * fix pre commit errors * address pre-commit issues * address pre-commit issues * checkout * checkout * Bump pack from version QRadar to 2.4.52. * checkout * Remove map_raw_to_labels parameter from qradar settings * Update Packs/QRadar/Integrations/QRadar_v3/QRadar_v3.yml Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Update Packs/QRadar/Integrations/QRadar_v3/QRadar_v3.yml Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * add timeout to qradar events polling * Bump pack from version QRadar to 2.4.53. * checkout * raise qradar timeout * checkout * remove timeout parameter from qradar-search-retrieve-events command * make qradar-log-source-delete not crash when deleting non-existing id * Update Packs/QRadar/Integrations/QRadar_v3/QRadar_v3.yml Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Update Packs/QRadar/Integrations/QRadar_v3/QRadar_v3.yml Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Update Packs/QRadar/Integrations/QRadar_v3/QRadar_v3.yml Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Update Packs/QRadar/Integrations/QRadar_v3/QRadar_v3.yml Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Update Packs/QRadar/Integrations/QRadar_v3/QRadar_v3.yml Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Update Packs/QRadar/Integrations/QRadar_v3/QRadar_v3.yml Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * address doc review * address doc review * restore pre-commit and update command examples * address lint issues * address pre-commit errors * address pre-commit errors * address Juda's CR * Update Packs/QRadar/Integrations/QRadar_v3/QRadar_v3.yml Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Update Packs/QRadar/Integrations/QRadar_v3/QRadar_v3.yml Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Update Packs/QRadar/Integrations/QRadar_v3/QRadar_v3.yml Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Update Packs/QRadar/Integrations/QRadar_v3/QRadar_v3.yml Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * address doc review * fix RN * regenerate docs * Update Packs/QRadar/ReleaseNotes/2_4_53.md Co-authored-by: Dan Tavori <38749041+dantavori@users.noreply.github.com> --------- Co-authored-by: Judah Schwartz Co-authored-by: Content Bot Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> Co-authored-by: Dan Tavori <38749041+dantavori@users.noreply.github.com> * Update docker pcap (#33450) * updated dockeר image * rn * Bump pack from version CommonScripts to 1.14.21. * Bump pack from version CommonScripts to 1.14.22. --------- Co-authored-by: Content Bot * added validations to validation_config file (#33493) * added validations to validation_config file * fixes * test * changes * fixes * remove BA100 * adding back support_multithreading (#33542) * adding back support_multithreading * generate container id and add debug logs and RN * fix UT * RN * add DEMISTO_SDK_GRAPH_FORCE_CREATE to validate in bucket upload (#33563) * add DEMISTO_SDK_GRAPH_FORCE_CREATE to validate in bucket upload * trigger build * remove tmp file from repo (#33582) force merge: accidental file added * SplunkPy: documentation updates (#33565) * update doc * RN * Apply suggestions from code review Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> --------- Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * [pre-commit] - skip some hooks on nightly (#33578) * [pre-commit] - skip validate-deleted-files in nightly * Empty-Commit * init (#33577) * Scheduled Task Sanitize (#33368) * XSUP-34767 - add utf8bom to csv header when needed (#33567) * XSUP-34767 - add utf8bom to csv header when needed * [MicrosoftGraphIdentityandAccess] update permissions (#33564) * update scopes * Revert "update scopes" This reverts commit b250caf6ddbc9272552a7054ba25f5f85f3f67e0. * update scopes * pre commit * update desc * Aws e2c create vpc endpoint (#33517) * code, readme, tests * code, readme, tests, rn * fix * pre-commit * fix * fix * demo and pre commit * known words * CR * CR * test fix * pre commit * gitlab pre-commit not mandatoary (#33594) force merge: making pre-commit not mandatory * [MicrosoftCloudAppSecurity] Fix the fetch in XSOAR 8 (#33588) * [MicrosoftCloudAppSecurity] Fix the fetch in XSOAR 8 * Update Packs/MicrosoftCloudAppSecurity/ReleaseNotes/2_1_58.md Co-authored-by: Binat Ziser <89336697+bziser@users.noreply.github.com> --------- Co-authored-by: Binat Ziser <89336697+bziser@users.noreply.github.com> * [Mail Sender (New)] Fix for EML Files with ASCII Encoding Error" (#33417) * fix * test PB * rn * Update docker * fix tpb * Empty-Commit * fix tpb * pre-commit path validations (#33589) * add validate-content-paths hook * fix name * no need for nightly * remove test file * use three-dot-diff (#33599) * removed DO105 (#33605) * RedCanary: fix detection without relationship (#33593) * fix wrong code * fix test name * fix pre commit * Update README.md (#33543) (#33574) Added note indicating why integration doesn't support REST API token. Co-authored-by: gbouzar <113393855+gbouzar@users.noreply.github.com> * poetry files (#33606) Co-authored-by: Content Bot * update * update * deleying file * adjustments * adjustments * adding logs * fix lambda * removing logs * removing logs * fix unit test * cr fixes * cr fixes * mypy fixes * Update Packs/CortexXDR/ReleaseNotes/6_1_27.md Co-authored-by: EyalPintzov <91007713+eyalpalo@users.noreply.github.com> * Update Packs/CortexXDR/ReleaseNotes/6_1_27.md Co-authored-by: EyalPintzov <91007713+eyalpalo@users.noreply.github.com> * adding unit test * unit test that repreduce XSUP-35253 * fixing bug * Update CortexXDRIR_test.py removing last unit test * fixing bug * fixing bug * pre commit --------- Co-authored-by: content-bot <55035720+content-bot@users.noreply.github.com> Co-authored-by: xsoar-bot <67315154+xsoar-bot@users.noreply.github.com> Co-authored-by: Randy Baldwin <32545292+randomizerxd@users.noreply.github.com> Co-authored-by: merit-maita <49760643+merit-maita@users.noreply.github.com> Co-authored-by: Tal Zichlinsky <35036457+talzich@users.noreply.github.com> Co-authored-by: Judah Schwartz Co-authored-by: Content Bot Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> Co-authored-by: Dan Tavori <38749041+dantavori@users.noreply.github.com> Co-authored-by: Yuval Cohen <86777474+yucohen@users.noreply.github.com> Co-authored-by: Yuval Hayun <70104171+YuvHayun@users.noreply.github.com> Co-authored-by: JudithB <132264628+jbabazadeh@users.noreply.github.com> Co-authored-by: ilaner <88267954+ilaner@users.noreply.github.com> Co-authored-by: Israel Lappe <79846863+ilappe@users.noreply.github.com> Co-authored-by: Guy Afik <53861351+GuyAfik@users.noreply.github.com> Co-authored-by: Jacob Levy <129657918+jlevypaloalto@users.noreply.github.com> Co-authored-by: tkatzir Co-authored-by: David Binyamin <47333909+davidbinyamin@users.noreply.github.com> Co-authored-by: michal-dagan <109464765+michal-dagan@users.noreply.github.com> Co-authored-by: EyalPintzov <91007713+eyalpalo@users.noreply.github.com> Co-authored-by: Menachem Weinfeld <90556466+mmhw@users.noreply.github.com> Co-authored-by: Binat Ziser <89336697+bziser@users.noreply.github.com> Co-authored-by: Shmuel Kroizer <69422117+shmuel44@users.noreply.github.com> Co-authored-by: dorschw <81086590+dorschw@users.noreply.github.com> Co-authored-by: gbouzar <113393855+gbouzar@users.noreply.github.com> --- .../Integrations/CortexXDRIR/CortexXDRIR.py | 99 +++++++++++-------- .../CortexXDRIR/CortexXDRIR_test.py | 27 ++++- .../test_data/get_extra_data_all_alerts.json | 79 +-------------- .../get_incident_extra_data_new_status.json | 5 + Packs/CortexXDR/ReleaseNotes/6_1_27.md | 8 ++ Packs/CortexXDR/pack_metadata.json | 2 +- 6 files changed, 99 insertions(+), 121 deletions(-) create mode 100644 Packs/CortexXDR/ReleaseNotes/6_1_27.md diff --git a/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.py b/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.py index 0abd5f7093a8..c3847d48a2dc 100644 --- a/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.py +++ b/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.py @@ -17,7 +17,7 @@ INTEGRATION_CONTEXT_BRAND = 'PaloAltoNetworksXDR' XDR_INCIDENT_TYPE_NAME = 'Cortex XDR Incident Schema' INTEGRATION_NAME = 'Cortex XDR - IR' -ALERTS_LIMIT_PER_INCIDENTS = -1 +ALERTS_LIMIT_PER_INCIDENTS: int = -1 FIELDS_TO_EXCLUDE = [ 'network_artifacts', 'file_artifacts' @@ -522,6 +522,35 @@ def get_last_mirrored_in_time(args): return last_mirrored_in_timestamp +def sort_incident_data(raw_incident): + """ + Sorts and processes the raw incident data into a cleaned incident dict. + + Parameters: + - raw_incident (dict): The raw incident data as provided by the API. + + Returns: + - dict: A dictionary containing the processed incident data with: + - organized alerts. + - file artifact + - network artifacts. + """ + incident = raw_incident.get('incident', {}) + raw_alerts = raw_incident.get('alerts', {}).get('data', None) + file_artifacts = raw_incident.get('file_artifacts', {}).get('data') + network_artifacts = raw_incident.get('network_artifacts', {}).get('data') + context_alerts = clear_trailing_whitespace(raw_alerts) + if context_alerts: + for alert in context_alerts: + alert['host_ip_list'] = alert.get('host_ip').split(',') if alert.get('host_ip') else [] + incident.update({ + 'alerts': context_alerts, + 'file_artifacts': file_artifacts, + 'network_artifacts': network_artifacts + }) + return incident + + def get_incident_extra_data_command(client, args): global ALERTS_LIMIT_PER_INCIDENTS incident_id = args.get('incident_id') @@ -542,29 +571,20 @@ def get_incident_extra_data_command(client, args): if isinstance(raw_incident, list): raw_incident = raw_incident[0] if raw_incident.get('incident', {}).get('alert_count') > ALERTS_LIMIT_PER_INCIDENTS: + demisto.debug(f'for incident:{incident_id} using the old call since "\ + "alert_count:{raw_incident.get("incident", {}).get("alert_count")} >" \ + "limit:{ALERTS_LIMIT_PER_INCIDENTS}') raw_incident = client.get_incident_extra_data(incident_id, alerts_limit) - incident = raw_incident.get('incident', {}) - incident_id = incident.get('incident_id') - raw_alerts = raw_incident.get('alerts', {}).get('data', None) - readable_output = [tableToMarkdown(f'Incident {incident_id}', incident, removeNull=True)] - file_artifacts = raw_incident.get('file_artifacts', {}).get('data') - network_artifacts = raw_incident.get('network_artifacts', {}).get('data') - context_alerts = clear_trailing_whitespace(raw_alerts) - if context_alerts: - for alert in context_alerts: - alert['host_ip_list'] = alert.get('host_ip').split(',') if alert.get('host_ip') else [] - if len(context_alerts) > 0: - readable_output.append(tableToMarkdown('Alerts', context_alerts, - headers=[key for key in context_alerts[0] - if key != 'host_ip'], removeNull=True)) - readable_output.append(tableToMarkdown('Network Artifacts', network_artifacts, removeNull=True)) - readable_output.append(tableToMarkdown('File Artifacts', file_artifacts, removeNull=True)) + demisto.debug(f"in get_incident_extra_data_command {incident_id=} {raw_incident=}") + readable_output = [tableToMarkdown(f'Incident {incident_id}', raw_incident.get('incident'), removeNull=True)] + incident = sort_incident_data(raw_incident) + if incident_alerts := incident.get('alerts'): + readable_output.append(tableToMarkdown('Alerts', incident_alerts, + headers=[key for key in incident_alerts[0] + if key != 'host_ip'], removeNull=True)) + readable_output.append(tableToMarkdown('Network Artifacts', incident.get('network_artifacts'), removeNull=True)) + readable_output.append(tableToMarkdown('File Artifacts', incident.get('file_artifacts'), removeNull=True)) - incident.update({ - 'alerts': context_alerts, - 'file_artifacts': file_artifacts, - 'network_artifacts': network_artifacts - }) account_context_output = assign_params( Username=incident.get('users', '') ) @@ -578,7 +598,6 @@ def get_incident_extra_data_command(client, args): alert_context['ID'] = endpoint_id if alert_context: endpoint_context_output.append(alert_context) - context_output = {f'{INTEGRATION_CONTEXT_BRAND}.Incident(val.incident_id==obj.incident_id)': incident} if account_context_output: context_output['Account(val.Username==obj.Username)'] = account_context_output @@ -695,7 +714,6 @@ def sort_all_list_incident_fields(incident_data): if incident_data.get('incident_sources', []): incident_data['incident_sources'] = sorted(incident_data.get('incident_sources', [])) - format_sublists = not argToBoolean(demisto.params().get('dont_format_sublists', False)) if incident_data.get('alerts', []): incident_data['alerts'] = sort_by_key(incident_data.get('alerts', []), main_key='alert_id', fallback_key='name') @@ -972,17 +990,19 @@ def fetch_incidents(client, first_fetch_time, integration_instance, last_run: di incidents = [] if incidents_from_previous_run: raw_incidents = incidents_from_previous_run + ALERTS_LIMIT_PER_INCIDENTS = last_run.get('alerts_limit_per_incident', -1) if isinstance(last_run, dict) else -1 else: if statuses: raw_incidents = [] for status in statuses: - raw_incidents.append(client.get_multiple_incidents_extra_data( - gte_creation_time_milliseconds=last_fetch, - status=status, - limit=max_fetch, starred=starred, - starred_incidents_fetch_window=starred_incidents_fetch_window, - fields_to_exclude=fields_to_exclude)) - raw_incidents = sorted(raw_incidents, key=lambda inc: inc['incident']['creation_time']) + raw_incident_status = client.get_multiple_incidents_extra_data( + gte_creation_time_milliseconds=last_fetch, + status=status, + limit=max_fetch, starred=starred, + starred_incidents_fetch_window=starred_incidents_fetch_window, + fields_to_exclude=fields_to_exclude) + raw_incidents.extend(raw_incident_status) + raw_incidents = sorted(raw_incidents, key=lambda inc: inc.get('incident', {}).get('creation_time')) else: raw_incidents = client.get_multiple_incidents_extra_data( gte_creation_time_milliseconds=last_fetch, limit=max_fetch, @@ -1000,16 +1020,15 @@ def fetch_incidents(client, first_fetch_time, integration_instance, last_run: di count_incidents = 0 for raw_incident in raw_incidents: - incident_data: dict[str, Any] = raw_incident.get('incident') or raw_incident + incident_data: dict[str, Any] = sort_incident_data(raw_incident) if raw_incident.get('incident') else raw_incident incident_id = incident_data.get('incident_id') alert_count = arg_to_number(incident_data.get('alert_count')) or 0 if alert_count > ALERTS_LIMIT_PER_INCIDENTS: - incident_data = client.get_incident_extra_data(client, {"incident_id": incident_id, - "alerts_limit": 1000})[0].get('incident')\ - or {} - + demisto.debug(f'for incident:{incident_id} using the old call since alert_count:{alert_count} >" \ + "limit:{ALERTS_LIMIT_PER_INCIDENTS}') + raw_incident_ = client.get_incident_extra_data(incident_id=incident_id) + incident_data = sort_incident_data(raw_incident_) sort_all_list_incident_fields(incident_data) - incident_data['mirror_direction'] = MIRROR_DIRECTION.get(demisto.params().get('mirror_direction', 'None'), None) incident_data['mirror_instance'] = integration_instance @@ -1021,14 +1040,11 @@ def fetch_incidents(client, first_fetch_time, integration_instance, last_run: di 'occurred': occurred, 'rawJSON': json.dumps(incident_data), } - if demisto.params().get('sync_owners') and incident_data.get('assigned_user_mail'): incident['owner'] = demisto.findUser(email=incident_data.get('assigned_user_mail')).get('username') - # Update last run and add incident if the incident is newer than last fetch - if incident_data['creation_time'] > last_fetch: + if incident_data.get('creation_time', 0) > last_fetch: last_fetch = incident_data['creation_time'] - incidents.append(incident) non_created_incidents.remove(raw_incident) @@ -1045,6 +1061,7 @@ def fetch_incidents(client, first_fetch_time, integration_instance, last_run: di if non_created_incidents: next_run['incidents_from_previous_run'] = non_created_incidents + next_run['alerts_limit_per_incident'] = ALERTS_LIMIT_PER_INCIDENTS # type: ignore[assignment] else: next_run['incidents_from_previous_run'] = [] diff --git a/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR_test.py b/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR_test.py index df21e36225ac..09d7be7147bf 100644 --- a/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR_test.py +++ b/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR_test.py @@ -94,8 +94,8 @@ def test_fetch_incidents_filtered_by_status(requests_mock, mocker): client = Client( base_url=f'{XDR_URL}/public_api/v1', verify=False, timeout=120, proxy=False) incident_extra_data_under_investigation = load_test_data('./test_data/get_incident_extra_data_host_id_array.json')\ - .get('reply', {}).get('incidents')[0] - incident_extra_data_new = load_test_data('./test_data/get_incident_extra_data_new_status.json').get('reply') + .get('reply', {}).get('incidents') + incident_extra_data_new = load_test_data('./test_data/get_incident_extra_data_new_status.json').get('reply').get('incidents') mocker.patch.object(Client, 'get_multiple_incidents_extra_data', side_effect=[incident_extra_data_under_investigation, incident_extra_data_new]) mocker.patch("CortexXDRIR.ALERTS_LIMIT_PER_INCIDENTS", new=50) @@ -724,7 +724,7 @@ def test_fetch_incidents_extra_data(requests_mock, mocker): """ from CortexXDRIR import fetch_incidents, Client raw_multiple_extra_data = load_test_data('./test_data/get_multiple_incidents_extra_data.json') - raw_all_alerts_incident_2 = load_test_data('./test_data/get_extra_data_all_alerts.json').get('reply', {}).get('incidents', []) + raw_all_alerts_incident_2 = load_test_data('./test_data/get_extra_data_all_alerts.json').get('reply', {}) client = Client( base_url=f'{XDR_URL}/public_api/v1', verify=False, timeout=10, proxy=False) @@ -1267,3 +1267,24 @@ def test_get_incident_extra_data_incident_not_exist(mocker): with pytest.raises(DemistoException) as e: _, outputs, raw_incident = get_incident_extra_data_command(client, args) assert str(e.value) == 'Incident 1 is not found' + + +def test_sort_all_incident_data_fields_fetch_case_get_multiple_incidents_extra_data_format(mocker): + """ + Given: + - raw incident in get_incident_extra_data format- alerts and artifacts not in + incident data information + When + - Running sort_all_list_incident_fields + Then + - Verify that alerts and artifacts are found. + """ + from CortexXDRIR import sort_incident_data, sort_all_list_incident_fields + incident_case_get_multiple_incidents_extra_data = load_test_data('./test_data/get_multiple_incidents_extra_data.json')\ + .get('reply').get('incidents')[0] + incident_data = sort_incident_data(incident_case_get_multiple_incidents_extra_data) + sort_all_list_incident_fields(incident_data) + assert incident_data.get('alerts') + assert incident_data.get('incident_sources') == ['XDR Agent'] + assert incident_data.get('status') == 'new' + assert len(incident_data.get('file_artifacts')) == 1 diff --git a/Packs/CortexXDR/Integrations/CortexXDRIR/test_data/get_extra_data_all_alerts.json b/Packs/CortexXDR/Integrations/CortexXDRIR/test_data/get_extra_data_all_alerts.json index e64d08316c04..410027645882 100644 --- a/Packs/CortexXDR/Integrations/CortexXDRIR/test_data/get_extra_data_all_alerts.json +++ b/Packs/CortexXDR/Integrations/CortexXDRIR/test_data/get_extra_data_all_alerts.json @@ -1,10 +1,6 @@ { "reply": { - "total_count": 2, - "result_count": 2, - "alerts_limit_per_incident": 2, - "incidents": [ - { + "incident": { "incident_id": "2", "incident_name": null, @@ -589,76 +585,7 @@ } ] } - } - ], - "alerts": { - "total_count": 1, - "data": [ - { - "alert_id": "1", - "detection_timestamp": 1575806904222, - "source": "XDR Agent", - "severity": "medium", - "name": "Local Analysis Malware", - "category": "Malware", - "action": "BLOCKED", - "action_pretty": "Prevented (Blocked)", - "description": "Suspicious executable detected", - "host_ip": "1.1.1.1.", - "host_name": "AAAAAA", - "user_name": "Administrator", - "event_type": "Process Execution", - "actor_process_image_name": "wildfire-test-pe-file.exe", - "actor_process_command_line": "address", - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": "N/A", - "causality_actor_process_image_name": null, - "causality_actor_process_command_line": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": "N/A", - "causality_actor_causality_id": null, - "action_process_image_name": null, - "action_process_image_command_line": null, - "action_process_image_sha256": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": "N/A", - "action_file_path": null, - "action_file_md5": null, - "action_file_sha256": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_local_ip": null, - "action_local_port": null, - "action_remote_ip": null, - "action_remote_port": null, - "action_external_hostname": null, - "fw_app_id": null, - "is_whitelisted": "No", - "starred": false - } - ] - } - }, + - "network_artifacts": { - "total_count": 0, - "data": [] - }, - "file_artifacts": { - "total_count": 1, - "data": [ - { - "type": "HASH", - "alert_count": 1, - "is_manual": false, - "is_malicious": false, - "is_process": true, - "file_name": "file_name_2.exe", - "file_sha256": "file_sha256_2", - "file_signature_status": "SIGNATURE_UNAVAILABLE", - "file_signature_vendor_name": null, - "file_wildfire_verdict": "UNKNOWN" - } - ] - } } +} diff --git a/Packs/CortexXDR/Integrations/CortexXDRIR/test_data/get_incident_extra_data_new_status.json b/Packs/CortexXDR/Integrations/CortexXDRIR/test_data/get_incident_extra_data_new_status.json index dd06a51ef164..d8deea0f8edd 100644 --- a/Packs/CortexXDR/Integrations/CortexXDRIR/test_data/get_incident_extra_data_new_status.json +++ b/Packs/CortexXDR/Integrations/CortexXDRIR/test_data/get_incident_extra_data_new_status.json @@ -1,5 +1,8 @@ { "reply": { + "incidents": + [ + { "incident": { "incident_id": "2", "creation_time": 1575806909185, @@ -92,4 +95,6 @@ ] } } + ] + } } \ No newline at end of file diff --git a/Packs/CortexXDR/ReleaseNotes/6_1_27.md b/Packs/CortexXDR/ReleaseNotes/6_1_27.md new file mode 100644 index 000000000000..2d30b6b1e2c0 --- /dev/null +++ b/Packs/CortexXDR/ReleaseNotes/6_1_27.md @@ -0,0 +1,8 @@ + +#### Integrations + +##### Palo Alto Networks Cortex XDR - Investigation and Response + +- Fixed an issue where ***alerts***, ***network_artifacts***, ***file_artifacts*** is not being populated on new incidents when bringing them into XSOAR. +- Fixed an issue where the alert count was reset after docker timeout. +- Fixed a bug where the response from the API was not parsed correctly. diff --git a/Packs/CortexXDR/pack_metadata.json b/Packs/CortexXDR/pack_metadata.json index 2107e134d18e..8668b4e2b4dc 100644 --- a/Packs/CortexXDR/pack_metadata.json +++ b/Packs/CortexXDR/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Cortex XDR by Palo Alto Networks", "description": "Automates Cortex XDR incident response, and includes custom Cortex XDR incident views and layouts to aid analyst investigations.", "support": "xsoar", - "currentVersion": "6.1.26", + "currentVersion": "6.1.27", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "",