
SentinelOne 2.1.0 #18609

Conversation

CraigWampler
Contributor

@CraigWampler CraigWampler commented Apr 15, 2022

Contributing to Cortex XSOAR Content

Make sure to register your contribution by filling the contribution registration form

The Pull Request will be reviewed only after the contribution registration form is filled.

Status

  • In Progress
  • Ready
  • In Hold - (Reason for hold)

Related Issues

None

Description

Integrations
SentinelOne v2
Added the following commands:
sentinelone-get-blocklist - List out contents of a block list
sentinelone-add-hash-to-blocklist - Add a hash to a block list
sentinelone-remove-hash-from-blocklist - Remove a hash from a block list
sentinelone-fetch-file - Initiate a file fetch command against an endpoint
sentinelone-download-fetched-file - Download a file fetched with the sentinelone-fetch-file command.
Note: SentinelOne uses the term "blacklist" in their documentation/API. This was modified to use the term "blocklist" in the integration commands.

  • Updated the Docker image to: demisto/python3:3.10.1.26972.
  • Added three playbooks to show how to use the sentinelone-fetch-file and sentinelone-download-fetched-file commands

Screenshots

Paste here any images that will help the reviewer

Minimum version of Cortex XSOAR

  • 6.0.0
  • 6.1.0
  • 6.2.0
  • 6.5.0 (only tested with this version)

Does it break backward compatibility?

  • Maybe?
    • Further details:
      I noticed that for the SentinelOne Integration, the name field is SentinelOne V2, but the display is SentinelOne v2. This change in upper/lower casing made it unintuitive to filter to see if the integration was enabled using modules.brand. I changed the case to match (went with lower case). Not sure if that will break code for someone who assumed it would be uppercase or not.
  • Yes
    • Further details:
  • No

Must have

  • [x] Tests
    The only additional "tests" I created are the three attached playbooks that validate the file download capability
  • [x] Documentation
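The five commands listed in the description are the substance of this PR. As an added example, not code from the SentinelOne v2 integration or from the Cortex XSOAR content repository, the block below models the three blocklist commands in plain Python. The vendor API is replaced by an in-memory class whose method names keep the vendor's "blacklist" wording while the command names and context prefix use "blocklist", mirroring the naming note in the description. The `hash` and `os` argument names, the `SentinelOne.Blocklist` context prefix, the client method names and the decision to accept only SHA1 digests are all assumptions. The point worth seeing is that a hash is checked for being a well-formed digest before any add or remove call reaches the API, so a truncated or mistyped value can never land on a block list or silently fail to be removed from it.

```python
import re
from typing import Dict, List, Optional

# Added example, not the integration's own code. Argument names, the context
# prefix and the client's method names are assumptions (see lead-in).

HASH_PATTERNS = {
    "md5": re.compile(r"^[0-9a-f]{32}$"),
    "sha1": re.compile(r"^[0-9a-f]{40}$"),
    "sha256": re.compile(r"^[0-9a-f]{64}$"),
}


def classify_hash(value: str) -> Optional[str]:
    """Return the hash family of a hex digest, or None if it is not one."""
    candidate = value.strip().lower()
    for name, pattern in HASH_PATTERNS.items():
        if pattern.match(candidate):
            return name
    return None


class InMemoryBlacklistClient:
    """Constructed stand-in for the vendor API, which calls the list a 'blacklist'."""

    def __init__(self) -> None:
        self._entries: Dict[str, dict] = {}

    def list_blacklist(self) -> List[dict]:
        return list(self._entries.values())

    def add_blacklist(self, value: str, os_type: str, description: str) -> dict:
        entry = {"value": value, "osType": os_type,
                 "description": description, "type": "black_hash"}
        self._entries[value] = entry
        return entry

    def remove_blacklist(self, value: str) -> bool:
        return self._entries.pop(value, None) is not None


def _require_hash(args: dict, allowed=("sha1",)) -> str:
    """Reject anything that is not a well-formed digest of an allowed family
    before it reaches the API (accepting only SHA1 is an assumption here)."""
    raw = str(args.get("hash", ""))
    family = classify_hash(raw)
    if family is None or family not in allowed:
        raise ValueError(f"'hash' must be a {'/'.join(allowed)} hex digest, got {raw!r}")
    return raw.strip().lower()


def get_blocklist_command(client) -> dict:
    """sentinelone-get-blocklist: list the entries under a 'blocklist' prefix."""
    entries = client.list_blacklist()
    return {"readable": f"{len(entries)} blocklist entries",
            "outputs_prefix": "SentinelOne.Blocklist", "outputs": entries}


def add_hash_to_blocklist_command(client, args: dict) -> dict:
    """sentinelone-add-hash-to-blocklist: validate, then add."""
    value = _require_hash(args)
    entry = client.add_blacklist(value, args.get("os", "windows"), args.get("description", ""))
    return {"readable": f"Hash {value} added to the blocklist",
            "outputs_prefix": "SentinelOne.Blocklist", "outputs": entry}


def remove_hash_from_blocklist_command(client, args: dict) -> dict:
    """sentinelone-remove-hash-from-blocklist: validate, then remove, and say whether it was there."""
    value = _require_hash(args)
    removed = client.remove_blacklist(value)
    status = "removed from" if removed else "was not on"
    return {"readable": f"Hash {value} {status} the blocklist",
            "outputs_prefix": "SentinelOne.Blocklist",
            "outputs": {"value": value, "removed": removed}}


if __name__ == "__main__":
    client = InMemoryBlacklistClient()
    sample = "a" * 40  # constructed SHA1-shaped value, not a real indicator
    print(add_hash_to_blocklist_command(client, {"hash": sample, "os": "windows"})["readable"])
    print(get_blocklist_command(client)["readable"])
    print(remove_hash_from_blocklist_command(client, {"hash": sample})["readable"])
```

The remove command reports whether the entry actually existed rather than returning a bare success, which is the detail an analyst needs when reconciling a block list against a ticket.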

@CLAassistant

CLAassistant commented Apr 15, 2022

CLA assistant check
All committers have signed the CLA.

@content-bot content-bot added Community Contribution Form Filled Whether contribution form filled or not. Contribution Thank you! Contributions are always welcome! labels Apr 15, 2022
@content-bot content-bot changed the base branch from master to contrib/CraigWampler_CraigWampler_SentinelOne2_1_0 April 15, 2022 21:56
@content-bot
Collaborator

Thank you for your contribution. Your generosity and caring are unrivaled! Make sure to register your contribution by filling the Contribution Registration form, so our content wizard @yaakovi will know he can start review the proposed changes.

@CraigWampler CraigWampler changed the title Craig wampler sentinel one2 1 0 SentinelOne 2.1.0 Apr 15, 2022
@content-bot
Collaborator

The CircleCI check from your latest pushed commit was unsuccessful. @CraigWampler take a look at the build by clicking this link.


Failed Build Steps

  • Validate Files and Yaml

Try and address the listed CircleCI build step failures at your earliest convenience. This will greatly expedite the process of getting your proposed changes merged into master. Happy coding and may the force be with you.

@yaakovi yaakovi requested review from MLainer1 and removed request for yaakovi April 18, 2022 07:51
@yaakovi yaakovi assigned MLainer1 and unassigned yaakovi Apr 18, 2022
Contributor

@MLainer1 MLainer1 left a comment


Good work, make sure to look at my suggestions.
Please add a test for each new command, and modify the pack-metadata for the new version.
Also make sure to add the new playbooks to the release notes and look at the checks fails in the pr and fix them.

@CraigWampler
Contributor Author

Regarding the failing checks:

Unit tests are failing (before I added any tests) due to the register_module_line('SentinelOne V2', 'start', __line__()) line. I'm assuming this is an issue for all integrations? How do you normally work around this for testing?

Validation is failing because of many different YAML validation errors. The YAML itself was generated by XSOAR.... so I'm assuming those are okay to ignore?

@MLainer1
Contributor

MLainer1 commented Apr 24, 2022

> Regarding the failing checks:
>
> Unit tests are failing (before I added any tests) due to the register_module_line('SentinelOne V2', 'start', __line__()) line. I'm assuming this is an issue for all integrations? How do you normally work around this for testing?
>
> Validation is failing because of many different YAML validation errors. The YAML itself was generated by XSOAR.... so I'm assuming those are okay to ignore?

@CraigWampler Make sure to address all of the validation errors, and I'll check about the line error. Make sure to merge from master

@CraigWampler
Contributor Author

> > Regarding the failing checks:
> > Unit tests are failing (before I added any tests) due to the register_module_line('SentinelOne V2', 'start', __line__()) line. I'm assuming this is an issue for all integrations? How do you normally work around this for testing?
> > Validation is failing because of many different YAML validation errors. The YAML itself was generated by XSOAR.... so I'm assuming those are okay to ignore?
>
> @CraigWampler Make sure to address all of the validation errors, and I'll check about the line error. Make sure to merge from master

I fixed what I think are all the issues I can fix.

I also merged in master, but now it's saying that 253 files were changed, so I'm thinking maybe I did the merge wrong? Here's what I did:

<pulled latest master into CraigWampler:master>
git checkout master
git pull
git checkout CraigWampler_SentinelOne2_1_0
git merge master
git push

Was I supposed to do something different?
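The merge sequence above is the usual way to bring a feature branch up to date. Earlier in this thread the bot changed the PR's base branch from master to a contrib/ branch. The script below is an added example, not from the thread, that builds a throwaway repository in which a pull request's base branch was cut from master before master moved on, and shows how the number of files a PR reports depends on which base it is compared against. It uses git's three-dot diff, which compares from the merge base, the same comparison a pull request's "Files changed" view makes. Branch names, file names and the commit identity are constructed.

```shell
#!/bin/sh
# Added example (not from the PR thread): a throwaway repository in which the
# PR base branch was moved off master, compared with git's three-dot diff.
set -e

# Identity for the throwaway commits (constructed values).
export GIT_AUTHOR_NAME=example GIT_AUTHOR_EMAIL=example@example.invalid
export GIT_COMMITTER_NAME=example GIT_COMMITTER_EMAIL=example@example.invalid

# commit_file <repo> <name>: create a file of that name and commit it.
commit_file() {
    echo "$2" > "$1/$2"
    git -C "$1" add "$2"
    git -C "$1" commit -q -m "add $2"
}

# build_repo <repo>: master keeps moving after a contrib base branch is cut;
# the feature branch starts from contrib and later merges master in.
build_repo() {
    git init -q "$1"
    git -C "$1" symbolic-ref HEAD refs/heads/master   # fixed branch name on any git version
    commit_file "$1" base.txt
    git -C "$1" branch contrib                        # PR base branch, frozen here
    commit_file "$1" upstream1.txt                    # master moves on
    commit_file "$1" upstream2.txt
    commit_file "$1" upstream3.txt
    git -C "$1" checkout -q -b feature contrib        # contributor starts from the base
    commit_file "$1" feature.txt                      # the actual change
    git -C "$1" merge -q --no-edit master             # the "git merge master" step
}

# files_changed <repo> <base>: number of files a PR against <base> would list.
# "<base>...feature" diffs from the merge base, as a PR comparison does.
files_changed() {
    git -C "$1" diff --name-only "$2...feature" | wc -l | tr -d ' '
}

WORK=$(mktemp -d)
build_repo "$WORK/repo"
echo "files against master:  $(files_changed "$WORK/repo" master)"
echo "files against contrib: $(files_changed "$WORK/repo" contrib)"
rm -rf "$WORK"
```

Against master the PR lists only the contributor's file; against the older contrib base it also lists every file master gained in the meantime, because those commits now sit on the feature branch but not on the base.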

@content-bot
Collaborator

The CircleCI build failed again. @CraigWampler take a look at the build details here - and try and fix the issues so that we can merge your proposed changes as soon as possible.


Failed Build Steps

  • Validate Files and Yaml

@MLainer1 MLainer1 added pending-demo Demo pending and removed pending-contributor The PR is pending the response of its creator labels May 23, 2022
@content-bot
Collaborator

The CircleCI build failed again. @CraigWampler take a look at the build details here - and try and fix the issues so that we can merge your proposed changes as soon as possible.


Failed Build Steps

  • Validate Files and Yaml

@idovandijk
Contributor

> I just pushed a new commit that removes the playbooks to make this submission simpler. I also left a note in Slack about some times to perform a demo.

Cool, in the demo we can simply observe the updated PR in action, for me it would be sufficient if you have an incident that ran with the playbooks that you are contributing. Messaged back in DFIR

@MLainer1 MLainer1 added post-demo and removed pending-demo Demo pending labels May 25, 2022
@content-bot
Collaborator

The CircleCI build failed again. @CraigWampler take a look at the build details here - and try and fix the issues so that we can merge your proposed changes as soon as possible.


Failed Build Steps

  • Validate Files and Yaml

@MLainer1 MLainer1 added the ready-for-instance-test In contribution PRs, this label will cause a trigger of a build with a modified pack from the PR. label May 29, 2022
@content-bot
Collaborator

Successfully created a pipeline in Gitlab with url: https://code.pan.run/xsoar/content/-/pipelines/3000863

@content-bot
Collaborator

The CircleCI build failed again. @CraigWampler take a look at the build details here - and try and fix the issues so that we can merge your proposed changes as soon as possible.


Failed Build Steps

  • Validate Files and Yaml

@MLainer1 MLainer1 added ready-for-instance-test In contribution PRs, this label will cause a trigger of a build with a modified pack from the PR. and removed ready-for-instance-test In contribution PRs, this label will cause a trigger of a build with a modified pack from the PR. labels May 30, 2022
@content-bot
Collaborator

Successfully created a pipeline in Gitlab with url: https://code.pan.run/xsoar/content/-/pipelines/3004514

@MLainer1 MLainer1 added ready-for-instance-test In contribution PRs, this label will cause a trigger of a build with a modified pack from the PR. and removed ready-for-instance-test In contribution PRs, this label will cause a trigger of a build with a modified pack from the PR. labels Jun 1, 2022
@content-bot
Collaborator

Successfully created a pipeline in Gitlab with url: https://code.pan.run/xsoar/content/-/pipelines/3014988

@MLainer1 MLainer1 merged commit caac274 into demisto:contrib/CraigWampler_CraigWampler_SentinelOne2_1_0 Jun 2, 2022
@content-bot content-bot mentioned this pull request Jun 2, 2022
10 tasks
ShahafBenYakir pushed a commit that referenced this pull request Jun 8, 2022
* SentinelOne 2.1.0 (#18609)

* Updates to SentinelOne V2

* Renaming to match case for README.md files

* Updates to fix merge issues

* Modified package metadata and added unit tests for new actions

* Fix Flake8 errors in SentinelOne-V2_test.py

* Fix new Flake8 errors

* Fixing validation errors. Specifically in yml files

* Fixed validation issues on description field missing

* Update 2_1_0.md

* Updated ReleaseNotes

* Updated docker image version

* Removed commented out register_line calls

* Try to fix not found commands in README

* Try to fix not found commands in README

* Update 2_1_0.md

* Removed blank line at the end of the file

* updated readme

* Updating playbooks to address feedback

* adding in examples.txt changes

* Added command examples to README

* Removing playbooks from submission

* Revert playbooks to origin/master

* Updated outputs in integration YAML for sentinelone-get-blocklist. Updated success messages for adding/removing from blocklist

* Removing Playbooks added in by merge

* Removed trailing white space

* Update README with new context data output

* Revert playbook to origin

* Removed png files

Co-authored-by: MLainer1 <93524335+MLainer1@users.noreply.github.com>
Co-authored-by: MLainer1 <maylainer96@gmail.com>

* Update README.md

Done.

* Update SentinelOne-V2.yml

Done.

Co-authored-by: Craig Wampler <1719280+CraigWampler@users.noreply.github.com>
Co-authored-by: MLainer1 <93524335+MLainer1@users.noreply.github.com>
Co-authored-by: MLainer1 <maylainer96@gmail.com>
Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>