demisto · tomer-pan · Jun 28, 2023 · Jun 20, 2023 · Jun 20, 2023 · Jun 21, 2023
@@ -327,6 +327,12 @@ ignore=IF100
 [file:incidentfield-Original_Events.json]
 ignore=IF100
 
+[file:incidentfield-Failed_Logon_Events.json]
+ignore=IF100
+
+[file:incidentfield-Failed_Logon_Events_Timeframe.json]
+ignore=IF100
+
 [file:classifier-Mail-listener.json]
 ignore=BA101
 

@@ -0,0 +1,29 @@
+{
+    "id": "incident_failedlogonevents",
+    "version": -1,
+    "modified": "2023-06-13T21:19:00.853901858Z",
+    "name": "Failed Logon Events",
+    "ownerOnly": false,
+    "description": "The number of failed logon events in a specific timeframe. Can be used with reference to the \"Failed Logon Events Timeframe\" field.",
+    "cliName": "failedlogonevents",
+    "type": "number",
+    "closeForm": false,
+    "editForm": true,
+    "required": false,
+    "neverSetAsRequired": false,
+    "isReadOnly": false,
+    "useAsKpi": false,
+    "locked": false,
+    "system": false,
+    "content": true,
+    "group": 0,
+    "hidden": false,
+    "openEnded": false,
+    "associatedToAll": true,
+    "unmapped": false,
+    "unsearchable": true,
+    "caseInsensitive": true,
+    "sla": 0,
+    "threshold": 72,
+    "fromVersion": "6.8.0"
+}
@@ -0,0 +1,29 @@
+{
+    "id": "incident_failedlogoneventstimeframe",
+    "version": -1,
+    "modified": "2023-06-13T21:20:01.302001465Z",
+    "name": "Failed Logon Events Timeframe",
+    "ownerOnly": false,
+    "description": "The timeframe which the failed logon events occurred in.",
+    "cliName": "failedlogoneventstimeframe",
+    "type": "shortText",
+    "closeForm": false,
+    "editForm": true,
+    "required": false,
+    "neverSetAsRequired": false,
+    "isReadOnly": false,
+    "useAsKpi": false,
+    "locked": false,
+    "system": false,
+    "content": true,
+    "group": 0,
+    "hidden": false,
+    "openEnded": false,
+    "associatedToAll": true,
+    "unmapped": false,
+    "unsearchable": true,
+    "caseInsensitive": true,
+    "sla": 0,
+    "threshold": 72,
+    "fromVersion": "6.8.0"
+}
@@ -0,0 +1,31 @@
+{
+    "id": "incident_usergroups",
+    "version": -1,
+    "modified": "2023-06-13T21:36:13.191337431Z",
+    "name": "User Groups",
+    "ownerOnly": false,
+    "cliName": "usergroups",
+    "type": "multiSelect",
+    "closeForm": false,
+    "editForm": true,
+    "required": false,
+    "neverSetAsRequired": false,
+    "isReadOnly": false,
+    "useAsKpi": false,
+    "locked": false,
+    "system": false,
+    "content": true,
+    "group": 0,
+    "hidden": false,
+    "openEnded": true,
+    "associatedTypes": [
+        "Data Loss Prevention"
+    ],
+    "associatedToAll": false,
+    "unmapped": false,
+    "unsearchable": true,
+    "caseInsensitive": true,
+    "sla": 0,
+    "threshold": 72,
+    "fromVersion": "6.8.0"
+}
@@ -0,0 +1,6 @@
+
+#### Incident Fields
+
+- New: **Failed Logon Events Timeframe**
+- New: **User Groups**
+- New: **Failed Logon Events**
@@ -2,7 +2,7 @@
     "name": "Common Types",
     "description": "This Content Pack will get you up and running in no-time and provide you with the most commonly used incident & indicator fields and types.",
     "support": "xsoar",
-    "currentVersion": "3.3.76",
+    "currentVersion": "3.3.77",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

@@ -4,6 +4,8 @@ ignore=PA125
 [file:Palo_Alto_Networks_Enterprise_DLP.yml]
 ignore=BA108,BA109,IN145
 
-
 [file:Palo_Alto_Networks_Enterprise_DLP_image.png]
-ignore=IM111
+ignore=IM111
+
+[file:DLP_Incident_Feedback_Loop_6_8.yml]
+ignore=PB106
@@ -0,0 +1 @@
+SailPoint
@@ -0,0 +1,32 @@
+{
+    "id": "incident_dlpdetections",
+    "version": -1,
+    "modified": "2023-06-21T06:56:52.858570445Z",
+    "name": "DLP Detections",
+    "ownerOnly": false,
+    "description": "Detected violations snippets.",
+    "cliName": "dlpdetections",
+    "type": "shortText",
+    "closeForm": false,
+    "editForm": true,
+    "required": false,
+    "neverSetAsRequired": false,
+    "isReadOnly": false,
+    "useAsKpi": false,
+    "locked": false,
+    "system": false,
+    "content": true,
+    "group": 0,
+    "hidden": false,
+    "openEnded": false,
+    "associatedTypes": [
+        "Data Loss Prevention"
+    ],
+    "associatedToAll": false,
+    "unmapped": false,
+    "unsearchable": true,
+    "caseInsensitive": true,
+    "sla": 0,
+    "threshold": 72,
+    "fromVersion": "6.8.0"
+}
@@ -43,6 +43,7 @@ class FeedbackStatus(Enum):
     EXCEPTION_GRANTED = 'EXCEPTION_GRANTED'
     EXCEPTION_NOT_REQUESTED = 'EXCEPTION_NOT_REQUESTED'
     SEND_NOTIFICATION_FAILURE = 'SEND_NOTIFICATION_FAILURE'
+    EXCEPTION_DENIED = 'EXCEPTION_DENIED'
 
 
 class Client(BaseClient):

@@ -41,7 +41,7 @@ configuration:
   type: 12
   required: false
   additionalinfo: The message to send to the user to ask for feedback.
-  defaultvalue: Hi $user🔔, \n\n*We need your feedback:* \n\nYour upload of *$file_name* on *$app_name* was blocked due to company policy. This file contains sensitive information which violates *$data_profile_name* policy. \n\n $snippets\n\n
+  defaultvalue: Hi $user🔔, \n\n*We need your feedback:* \n\nYour activity on *$app_name* was blocked due to company policy. The data in this activity contains sensitive information which violates *$data_profile_name* policy.\n\nfilename - *$file_name* \n\n $snippets\n\n
 - display: Fetch incidents
   name: isFetch
   type: 8
@@ -94,6 +94,7 @@ script:
       - EXCEPTION_NOT_REQUESTED
       - OPERATIONAL_ERROR
       - SEND_NOTIFICATION_FAILURE
+      - EXCEPTION_DENIED
       description: The user feedback
     - name: user_id
       required: true
@@ -141,7 +142,7 @@ script:
       description: The snippets of the violation.
     - name: app_name
       required: true
-      description: The name of the application that performed the upload.
+      description: The name of the application that performed the activity.
     outputs:
     - contextPath: DLP.slack_message
       description: The Slack bot message.

@@ -0,0 +1,9 @@
+## Palo Alto Networks Enterprise DLP
+Palo Alto Networks Enterprise DLP discovers and protects company data across every data channel and repository. Integrated Enterprise DLP enables data protection and compliance everywhere without complexity.
+
+### Authentication
+There are 2 methods to authenticate.
+1. Use Enterprise DLP API **Access Token** and **Refresh Token**.
+2. Use Cortex XSOAR's credentials store with a **Client ID** and **Client Secret** as the `username` and `password` in case you are using Enterprise DLP through a SASE platform.
+
+For more information on how to create the above credentials, see [the documentation](https://docs.paloaltonetworks.com/enterprise-dlp/enterprise-dlp-admin/configure-enterprise-dlp/configure-exact-data-matching/configure-connectivity-to-the-dlp-cloud-service).
@@ -60,15 +60,15 @@ Updates a DLP incident with user feedback.
 `pan-dlp-update-incident`
 #### Input
 
-| **Argument Name** | **Description** | **Required** |
-| --- | --- | --- |
-| incident_id | The ID of the incident to update. | Required | 
-| feedback | The user feedback. Possible values are: PENDING_RESPONSE, CONFIRMED_SENSITIVE, CONFIRMED_FALSE_POSITIVE, EXCEPTION_REQUESTED, EXCEPTION_GRANTED, EXCEPTION_NOT_REQUESTED, OPERATIONAL_ERROR, SEND_NOTIFICATION_FAILURE. | Required | 
-| user_id | The ID of the user the feedback is collected from. | Required | 
-| region | The region where the incident originated. | Optional | 
-| report_id | The DLP report ID, needed only for granting exemptions. | Optional | 
-| dlp_channel | The DLP channel, needed only for granting exemptions. | Optional | 
-| error_details | Error details if status is SEND_NOTIFICATION_FAILURE. | Optional | 
+| **Argument Name** | **Description**                                                                                                                                                                                                           | **Required** |
+| --- |---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| --- |
+| incident_id | The ID of the incident to update.                                                                                                                                                                                         | Required | 
+| feedback | The user feedback. Possible values are: PENDING_RESPONSE, CONFIRMED_SENSITIVE, CONFIRMED_FALSE_POSITIVE, EXCEPTION_REQUESTED, EXCEPTION_GRANTED, EXCEPTION_NOT_REQUESTED, OPERATIONAL_ERROR, SEND_NOTIFICATION_FAILURE, EXCEPTION_DENIED. | Required | 
+| user_id | The ID of the user the feedback is collected from.                                                                                                                                                                        | Required | 
+| region | The region where the incident originated.                                                                                                                                                                                 | Optional | 
+| report_id | The DLP report ID, needed only for granting exemptions.                                                                                                                                                                   | Optional | 
+| dlp_channel | The DLP channel, needed only for granting exemptions.                                                                                                                                                                     | Optional | 
+| error_details | Error details if status is SEND_NOTIFICATION_FAILURE.                                                                                                                                                                     | Optional | 
 
 
 #### Context Output
@@ -109,13 +109,13 @@ Gets the Slack bot message to send to the user for gathering feedback.
 `pan-dlp-slack-message`
 #### Input
 
-| **Argument Name** | **Description** | **Required** |
-| --- | --- | --- |
-| user | The name of the user that receives this message. | Required | 
-| file_name | The name of the file that triggered the incident. | Required | 
-| data_profile_name | The data profile name associated with the incident. | Required | 
-| snippets | The snippets of the violation. | Optional | 
-| app_name | The name of the application that performed the upload. | Required | 
+| **Argument Name** | **Description**                                          | **Required** |
+| --- |----------------------------------------------------------| --- |
+| user | The name of the user that receives this message.         | Required | 
+| file_name | The name of the file that triggered the incident.        | Required | 
+| data_profile_name | The data profile name associated with the incident.      | Required | 
+| snippets | The snippets of the violation.                           | Optional | 
+| app_name | The name of the application that performed the activity. | Required | 
 
 
 #### Context Output

@@ -393,6 +393,7 @@
     "name": "Palo Alto Networks Enterprise DLP Incident Layout",
     "system": false,
     "fromVersion": "6.0.0",
+    "toVersion": "6.7.9",
     "version": -1,
     "description": "",
     "marketplaces": ["xsoar"]