demisto · ShahafBenYakir · May 11, 2023 · May 9, 2023 · May 9, 2023 · May 9, 2023
diff --git a/Packs/PrismaCloud/Integrations/PrismaCloudV2/PrismaCloudV2.py b/Packs/PrismaCloud/Integrations/PrismaCloudV2/PrismaCloudV2.py
@@ -193,10 +193,11 @@ def config_search_request(self, time_range: Dict[str, Any], query: str, limit: O
 
         return self._http_request('POST', 'search/config', json_data=data)
 
-    def event_search_request(self, time_range: Dict[str, Any], query: str, limit: Optional[int] = None):
+    def event_search_request(self, time_range: Dict[str, Any], query: str, limit: Optional[int] = None, sort_by: Optional[List[Dict[str, str]]] = None):
         data = remove_empty_values({'limit': limit,
                                     'query': query,
                                     'timeRange': time_range,
+                                    'sort': sort_by,
                                     })
 
         return self._http_request('POST', 'search/event', json_data=data)
@@ -936,8 +937,11 @@ def alert_search_command(client: Client, args: Dict[str, Any]) -> CommandResults
                                      amount_value=arg_to_number(args.get('time_range_value')),
                                      time_from=args.get('time_range_date_from'),
                                      time_to=args.get('time_range_date_to'))
+    sort_by = [f'{sort_field}:{args.get("sort_direction")}']\
+              if (sort_field := args.get('sort_field'))\
+              else None
 
-    response = client.alert_search_request(time_filter, filters, limit, detailed, next_token)
+    response = client.alert_search_request(time_filter, filters, limit, detailed, next_token, sort_by)
     response_items = response.get('items', [])
     next_page_token = response.get('nextPageToken')
     for response_item in response_items:
@@ -1202,8 +1206,14 @@ def event_search_command(client: Client, args: Dict[str, Any]) -> CommandResults
                                      amount_value=arg_to_number(args.get('time_range_value')),
                                      time_from=args.get('time_range_date_from'),
                                      time_to=args.get('time_range_date_to'))
+    sort_by = [
+        {
+            'field': sort_field,
+            'direction': args.get('sort_direction'),
+        }
+    ] if (sort_field := args.get('sort_field')) else None
 
-    response = client.event_search_request(time_filter, str(query), limit)
+    response = client.event_search_request(time_filter, str(query), limit, sort_by)
     response_items = response.get('data', {}).get('items', [])
     for response_item in response_items:
         change_timestamp_to_datestring_in_dict(response_item)

diff --git a/Packs/PrismaCloud/Integrations/PrismaCloudV2/PrismaCloudV2.yml b/Packs/PrismaCloud/Integrations/PrismaCloudV2/PrismaCloudV2.yml
@@ -500,6 +500,29 @@ script:
       name: next_token
       required: false
       secret: false
+    - default: false
+      description: 'The field to sort the results by. Possible values are: alertTime,firstSeen,lastSeen,lastUpdated.'
+      isArray: false
+      name: sort_field
+      required: false
+      secret: false
+      auto: PREDEFINED
+      predefined:
+        - alertTime
+        - firstSeen
+        - lastSeen
+        - lastUpdated
+    - default: false
+      description: 'The direction to sort the results by. Sort field must be specified if sorting. Possible values are: asc, desc. Default is asc.'
+      isArray: false
+      name: sort_direction
+      required: false
+      secret: false
+      defaultValue: asc
+      auto: PREDEFINED
+      predefined:
+        - asc
+        - desc
     description: Search alerts on the Prisma Cloud platform. When no absolute time nor relative time arguments are provided, the search will show alerts from the last 7 days.
     execution: false
     name: prisma-cloud-alert-search
@@ -772,6 +795,33 @@ script:
       name: limit
       required: false
       secret: false
+    - default: false
+      description: 'The field to sort the results by. Possible values are: cloudService, operation, cloudAccount, cloudRegion, id, time, crud, user.'
+      isArray: false
+      name: sort_field
+      required: false
+      secret: false
+      auto: PREDEFINED
+      predefined:
+        - cloudService
+        - operation
+        - cloudAccount
+        - cloudRegion
+        - id
+        - time
+        - crud
+        - user
+    - default: false
+      description: 'The direction to sort the results by. Sort field must be specified if sorting. Possible values are: asc, desc. Default is asc.'
+      isArray: false
+      name: sort_direction
+      required: false
+      secret: false
+      defaultValue: asc
+      auto: PREDEFINED
+      predefined:
+        - asc
+        - desc
     description: Search events inventory on the Prisma Cloud platform using RQL language. Use this command for all queries that start with "event". When no absolute time nor relative time arguments are provided, the default time range is all times.
     execution: false
     name: prisma-cloud-event-search

diff --git a/Packs/PrismaCloud/Integrations/PrismaCloudV2/README.md b/Packs/PrismaCloud/Integrations/PrismaCloudV2/README.md
@@ -752,6 +752,8 @@ Search alerts on the Prisma Cloud platform. When no absolute time nor relative t
 | detailed | Whether to retrieve the entire / trimmed alert model. Possible values are: true, false. Default is true. | Optional | 
 | limit | Maximum number of entries to return. Default is 50. | Optional | 
 | next_token | Token of the next page to retrive. When provided, other arguments are ignored. | Optional | 
+| sort_field | The field to sort the results by. Possible values are: alertTime,firstSeen,lastSeen,lastUpdated. | Optional | 
+| sort_direction | The direction to sort the results by. Sort field must be specified if sorting. Possible values are: asc, desc. Default is asc. | Optional | 
 
 #### Context Output
 
@@ -1154,6 +1156,8 @@ Search events inventory on the Prisma Cloud platform using RQL language. Use thi
 | time_range_value | The amount of "time_range_unit" to go back in time. For example, 3 days, 5 weeks, etc. | Optional | 
 | query | Query to run in Prisma Cloud event API using RQL language. For more information see: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-rql-reference/rql-reference/event-query. | Required | 
 | limit | Maximum number of entries to return. Default is 50. | Optional | 
+| sort_field | The field to sort the results by. Possible values are: cloudService, operation, cloudAccount, cloudRegion, id, time, crud, user. | Optional | 
+| sort_direction | The direction to sort the results by. Sort field must be specified if sorting. Possible values are: asc, desc. Default is asc. | Optional | 
 
 #### Context Output