demisto · thefrieddan1 · Jun 7, 2023 · Jun 7, 2023
diff --git a/Packs/ExtraHop/.pack-ignore b/Packs/ExtraHop/.pack-ignore
@@ -53,7 +53,140 @@ ignore=IF115
 extrahop
 mappers
 mapper
-reveal(x
+x
+unselected
+utc
+N
+pv
+VLAN
+DHCP
+suffixes
+s
+m
+h
+d
+w
+operand
+SNMP
+wireshark
+BPF
+SS
+vlans
+devicegroups
+activitygroups
+ipaddr
+CGP
+RTO
+DSCP
+Dups
+SDP
+HASSH
+Pipelined
+Recursion
+Rsp
+SQ
+suboperation
+XSS
+KEX
+MTU
+Opcode
+R
+Referer
+PDU
+SASL
+Redelivery
+SSRC
+TCP
+Msg
+v
+Vx
+VNI
+hr
+workflows
+Mware
+CBC
+br
+Macaddr
+Vlanid
+Cdp
+Netbios
+AAA
+amf
+CIFS
+DB
+DICOM
+IBMMQ
+IMAP
+Psec
+T
+IRC
+MQ
+AJP
+IPFIX
+SCSI
+Kerberos
+LDAP
+lync
+memcache
+Modbus
+MSMQ
+MSN
+MSRPC
+NFS
+NTP
+VPN
+P
+RDP
+Redis
+RFB
+RTCP
+RTP
+SMPP
+SMTP
+UDP
+Meraki
+pc
+lucent
+alcatel
+arista
+linksys
+citrix
+dellemc
+emc
+hp
+htc
+huawei
+kyocera
+netapp
+netgear
+nokia
+nortel
+paloalto
+samsung
+toshiba
+virtualbox
+zte
+icmp
+gt
+lt
+startswith
+f
+g
+px
+ft
+jg
+k
+qs
+b
+wgo
+wz
+xx
+nx
+xc
+j
+odk
+untagged
+assignee
 cve-2019-0708
 extrahop-detections-list
 extrahop-metrics-list
@@ -72,4 +205,3 @@ extrahop-watchlist-edit
 
 [file:ExtraHopTrackIncidents.yml]
 ignore=BA124
-
diff --git a/Packs/ExtraHop/Integrations/ExtraHop_v2/ExtraHop_v2.py b/Packs/ExtraHop/Integrations/ExtraHop_v2/ExtraHop_v2.py
@@ -93,7 +93,7 @@
 
 VALID_DETECTION_KEYS = ["filter", "limit", "offset", "from", "until", "sort", "mod_time"]
 
-VALID_FILTER_KEYS = ["assignee", "category", "resolution", "risk_score_min", "status", "ticket_id", "types"]
+VALID_FILTER_KEYS = ["assignee", "categories", "category", "resolution", "risk_score_min", "status", "ticket_id", "types"]
 
 DATE_FORMAT = '%Y-%m-%dT%H:%M:%SZ'
 
@@ -836,6 +836,25 @@ def validate_detections_list_arguments(body: Dict) -> None:
         body["offset"] = 0
 
 
+def add_default_category_for_filter_of_detection_list(_filter: Dict) -> None:
+    """Set a default category for filter argument.
+
+    Args:
+        _filter: Filter argument for detection list command.
+    """
+    if "category" not in _filter:
+        if "categories" not in _filter:
+            _filter["categories"] = ["sec.attack"]
+        elif isinstance(_filter.get("categories"), list):
+            valid_categories = []
+            for category in _filter.get("categories", []):
+                if isinstance(category, str):
+                    category = category.strip()
+                    if category:
+                        valid_categories.append(category)
+            _filter["categories"] = valid_categories if valid_categories else ["sec.attack"]
+
+
 def format_protocol_stack(protocol_list: List) -> str:
     """Formats the protocol stack.
 
@@ -1471,23 +1490,23 @@ def fetch_incidents(client: ExtraHopClient, params: Dict, last_run: Dict, on_clo
     if last_run.get("version_recheck_time", 1581852287000) < int(now.timestamp() * 1000):
         version = get_extrahop_server_version(client)
         last_run["version_recheck_time"] = int(next_day.timestamp() * 1000)
-        if version < "9.1.2":
+        if version < "9.3.0":
             raise DemistoException(
-                "This integration works with ExtraHop firmware version greater than or equal to 9.1.2")
+                "This integration works with ExtraHop firmware version greater than or equal to 9.3.0")
 
-    advanced_filter = params.get('advanced_filter', '{}')
-    try:
-        filter = json.loads(advanced_filter)
-    except json.JSONDecodeError as error:
-        raise ValueError("Invalid JSON string provided for advanced filter.") from error
+    advanced_filter = params.get("advanced_filter")
+    if advanced_filter and advanced_filter.strip():
+        try:
+            _filter = json.loads(advanced_filter)
+            add_default_category_for_filter_of_detection_list(_filter)
+        except json.JSONDecodeError as error:
+            raise ValueError("Invalid JSON string provided for advanced filter.") from error
+    else:
+        _filter = {"categories": ["sec.attack"]}
 
-    advanced_filter = {}
-    advanced_filter["filter"] = filter
-    advanced_filter["mod_time"] = fetch_params["detection_start_time"]
-    advanced_filter["until"] = 0
-    advanced_filter["limit"] = MAX_FETCH
-    advanced_filter["offset"] = fetch_params["offset"]
-    advanced_filter["sort"] = [{"direction": "asc", "field": "mod_time"}]
+    advanced_filter = {"filter": _filter, "mod_time": fetch_params["detection_start_time"], "until": 0,
+                       "limit": MAX_FETCH, "offset": fetch_params["offset"],
+                       "sort": [{"direction": "asc", "field": "mod_time"}]}
 
     incidents, next_run = fetch_extrahop_detections(client, advanced_filter, last_run, on_cloud)
     demisto.info(f"Extrahop next_run is {next_run}")
@@ -1995,13 +2014,12 @@ def detections_list_command(client: ExtraHopClient, args: Dict[str, Any], on_clo
         CommandResults object.
     """
     version = get_extrahop_server_version(client)
-    if version < "9.1.2":
+    if version < "9.3.0":
         raise DemistoException(
-            "This integration works with ExtraHop firmware version greater than or equal to 9.1.2")
+            "This integration works with ExtraHop firmware version greater than or equal to 9.3.0")
 
     body = {}
     if advanced_filter:
-        validate_detections_list_arguments(advanced_filter)
         body = advanced_filter
 
     else:
@@ -2012,12 +2030,15 @@ def detections_list_command(client: ExtraHopClient, args: Dict[str, Any], on_clo
         sort = args.get("sort")
         until_time = arg_to_number(args.get("until"))
         mod_time = arg_to_number(args.get("mod_time"))
-        if filter_query:
+        if filter_query and filter_query.strip():
             try:
                 filter_query = json.loads(filter_query)
+                add_default_category_for_filter_of_detection_list(filter_query)
                 body["filter"] = filter_query
             except json.JSONDecodeError:
                 raise ValueError("Invalid json string provided for filter.")
+        else:
+            body["filter"] = {"categories": ["sec.attack"]}
 
         if isinstance(from_time, int):
             body["from"] = from_time
@@ -2054,7 +2075,7 @@ def detections_list_command(client: ExtraHopClient, args: Dict[str, Any], on_clo
         if isinstance(mod_time, int):
             body["mod_time"] = mod_time
 
-        validate_detections_list_arguments(body)
+    validate_detections_list_arguments(body)
 
     detections = client.detections_list(body)
 
@@ -2191,8 +2212,8 @@ def test_module(client: ExtraHopClient) -> str:
     """
     response = client.test_connection()
     version = get_extrahop_server_version(client)
-    if version < "9.1.2":
-        raise DemistoException("This integration works with ExtraHop firmware version greater than or equal to 9.1.2")
+    if version < "9.3.0":
+        raise DemistoException("This integration works with ExtraHop firmware version greater than or equal to 9.3.0")
     if response:
         return "ok"
     raise ValueError("Failed to establish connection with provided credentials.")

diff --git a/Packs/ExtraHop/Integrations/ExtraHop_v2/ExtraHop_v2.yml b/Packs/ExtraHop/Integrations/ExtraHop_v2/ExtraHop_v2.yml
@@ -64,15 +64,16 @@ configuration:
   required: false
   type: 0
 - additionalinfo: |-
-    Applies a filter to the list of detections or metrics based on a JSON-specific query.
+    Applies a filter to the list of detections based on a JSON-specific query.
 
     Example for detections:
     {
-      "category": "sec",
+      "categories": ["sec.attack"],
       "risk_score_min": 51
     }
 
-    For a complete reference to the Extrahop detections  filter fields , please refer to the ExtraHop REST API documentation at
+    If the categories and category are not specified, then categories will be set to ["sec.attack"]. The category field is deprecated by the API, so please use the categories field instead.
+    For a complete reference to the Extrahop detections filter fields, please refer to the ExtraHop REST API documentation at
     https://docs.extrahop.com/current/rest-api-guide/
   display: Advanced Filter
   name: advanced_filter
@@ -1676,11 +1677,12 @@ script:
       description: |-
         Detection-specific filters.
         For eg:
-        filter={
-                "category": "sec",
-                "risk_score_min": 51
-            }
+        {
+          "categories": ["sec.attack"],
+          "risk_score_min": 51
+        }
 
+        If the categories and category are not specified, then categories will be set to ["sec.attack"]. The category field is deprecated by the API, so please use the categories field instead.
         Refer to the ExtraHop REST API guide at https://docs.extrahop.com/current/rest-api-guide/
       isArray: false
       name: filter