Ys add 'get-machine-by-ip- command (#34814)

* Added new command * enhance endpoint command * Readme * release notes * pre commit * pre commit * fix yml * format * rn * remove the dev * Build * fix yml * fix yml * generate docs * test description * readme * little fixes * fixes * fixes * fixes * code review fixes * fix yml * format * remove the dev * fix yml * fixes * / * code review fixes * change command's name * more fixes * add documentation * more code review fixes * more fixes * Update Packs/MicrosoftDefenderAdvancedThreatProtection/Integrations/MicrosoftDefenderAdvancedThreatProtection/MicrosoftDefenderAdvancedThreatProtection.py * added 'Dev' to name of integration * / * pre commit * Build effort * release notes * rebuild * fix --------- Co-authored-by: Jasmine Beilin <71636766+JasBeilin@users.noreply.github.com> Co-authored-by: yrosenberg <yrosenberg@paloaltonetworks.com>
demisto · Jun 20, 2024 · fa56ca8 · fa56ca8
1 parent a8628ef
commit fa56ca8
Show file tree

Hide file tree

Showing 7 changed files with 490 additions and 311 deletions.
diff --git a/...ns/MicrosoftDefenderAdvancedThreatProtection/MicrosoftDefenderAdvancedThreatProtection.py b/...ns/MicrosoftDefenderAdvancedThreatProtection/MicrosoftDefenderAdvancedThreatProtection.py
@@ -1263,6 +1263,20 @@ def get_machines(self, filter_req, page_size='', page_num=''):
 
         return self.ms_client.http_request(method='GET', url_suffix=cmd_url, params=params)
 
+    def get_machines_for_get_machine_by_ip_command(self, filter_req):
+        """
+
+        Args:
+            filter_req string: a query request to use to filter machines,
+            for example: "(ip='8.8.8.8',timestamp=2024-05-19T01:00:05Z)".
+            Link to documentation: https://learn.microsoft.com/en-us/defender-endpoint/api/find-machines-by-ip?view=o365-worldwide
+        Returns:
+            dict: Machines info
+        """
+        demisto.debug(f'current request is: api/machines/findbyip{filter_req}')
+        cmd_url = 'machines/findbyip' + filter_req
+        return self.ms_client.http_request(method='GET', url_suffix=cmd_url)
+
     def get_file_related_machines(self, file):
         """Retrieves a collection of Machines related to a given file hash.
 
@@ -5080,21 +5094,19 @@ def validate_args_endpoint_command(hostnames, ips, ids):
             f'{INTEGRATION_NAME} - In order to run this command, please provide valid id, ip or hostname')
 
 
-def endpoint_command(client: MsClient, args: dict) -> list[CommandResults]:
-    """Retrieves a collection of machines that have communicated with WDATP cloud on the last 30 days
-
+def handle_machines(machines_response: list) -> list[CommandResults]:
+    """Converts the raw response of the API to a CommandResults list with relevant keys.
+    Args:
+        The raw API response, a list of machines.
     Returns:
         CommandResults list.
     """
+
     headers = ['ID', 'Hostname', 'OS', 'OSVersion', 'IPAddress', 'Status', 'MACAddress', 'Vendor']
-    hostnames = argToList(args.get('hostname', ''))
-    ips = argToList(args.get('ip', ''))
-    ids = argToList(args.get('id', ''))
-    validate_args_endpoint_command(hostnames, ips, ids)
-    machines_response = client.get_machines(create_filter_for_endpoint_command(hostnames, ips, ids))
+
     machines_outputs = []
 
-    for machine in machines_response.get('value', []):
+    for machine in machines_response:
         machine_data = get_machine_data(machine)
         machine_data['MACAddress'] = get_machine_mac_address(machine)
         endpoint_indicator = create_endpoint_verdict(machine_data)
@@ -5118,6 +5130,47 @@ def endpoint_command(client: MsClient, args: dict) -> list[CommandResults]:
     return machines_outputs
 
 
+def get_machine_by_ip_command(client: MsClient, args: dict) -> list[CommandResults]:
+    """Retreives Machines that were seen with the requested internal IP
+    in the time range of 15 minutes prior and aftera given timestamp.
+    Args:
+        client: MsClient
+        args: dict
+    Returns:
+        CommandResults list.
+    """
+    ip = args['ip']
+    timestamp = args['timestamp']
+    limit = arg_to_number(args.get('limit', 50))
+    should_limit_result = not argToBoolean(args.get('all_results', False))
+
+    filter = f"(ip='{ip}',timestamp={timestamp})"
+
+    machines_response = client.get_machines_for_get_machine_by_ip_command(filter)
+    machines_response = machines_response.get('value', [])
+
+    demisto.debug(f'limit is set to: {limit}')
+    limited_machines_response = machines_response[:limit] if should_limit_result else machines_response
+
+    demisto.debug('Calling handle_machines function to convert raw response to CommandResults list')
+    return handle_machines(limited_machines_response)
+
+
+def endpoint_command(client: MsClient, args: dict) -> list[CommandResults]:
+    """Retrieves a collection of machines that have communicated with WDATP cloud on the last 30 days
+
+    Returns:
+        CommandResults list.
+    """
+    hostnames = argToList(args.get('hostname', ''))
+    ips = argToList(args.get('ip', ''))
+    ids = argToList(args.get('id', ''))
+    validate_args_endpoint_command(hostnames, ips, ids)
+    machines_response = client.get_machines(create_filter_for_endpoint_command(hostnames, ips, ids))
+
+    return handle_machines(machines_response.get('value', []))
+
+
 def get_machine_users_command(client: MsClient, args: dict) -> CommandResults:
     """Retrieves a collection of logon users on a given machine
 
@@ -5567,6 +5620,9 @@ def main():  # pragma: no cover
             demisto.setLastRun(last_run)
             demisto.incidents(incidents)
 
+        elif command == 'microsoft-atp-get-machine-by-ip':
+            return_results(get_machine_by_ip_command(client, args))
+
         elif command == 'microsoft-atp-isolate-machine':
             return_outputs(*isolate_machine_command(client, args))