Rsa netwitness mirroring #29220
Conversation
support mirror in and out. Add a dedicated layout to view alerts, raw logs and events; use RSA Netwitness Packet & Logs to get raw logs
patch encoding issue and add mirroring function in the yml list
Thank you for your contribution. Your generosity and caring are unrivaled! Make sure to register your contribution by filling the Contribution Registration form, so our content wizard @MichaelYochpaz will know the proposed changes are ready to be reviewed.
…etwitness_mirroring
…atum/content into RSANetwitness_mirroring
@MichaelYochpaz the format of the "old" field may cause some issues. I don't know how to refresh them, so I just added the line script inside commit 5954e03. For example, if I import the field in the UI I got this error:
Dear @Winultimatum, I hope this message finds you well. Thank you for your content contribution.
Hi @melamedbn,
…tent into pr/Winultimatum/29220
…atum/content into RSANetwitness_mirroring
Great Job with the tests! They look very good.
They are almost done, but please add the checks that I requested before.
Packs/RSANetWitness_v11_1/Integrations/RSANetWitnessv115/RSANetWitnessv115_test.py
Packs/RSANetWitness_v11_1/Integrations/RSANetWitnessv115/RSANetWitnessv115_test.py
Great job on the mirroring feature and its test!
Thank you very much for your contribution! It is highly appreciated!
e784d2c into demisto:contrib/Winultimatum_RSANetwitness_mirroring
* Implement mirror in and out for RSANetwitness 11.5: support mirror in and out. Add a dedicated layout to view alerts, raw logs and events; use RSA Netwitness Packet & Logs to get raw logs
* change version; patch encoding issue and add mirroring function in the yml list
* forgot to modify a field
* remove wrong modification
* missing required parameters during merge
* patch CI/CD error
* add mirroring in README + change name parameter + add mirrorid in test data
* implement correction asked by palo
* generated README files for the scripts
* remove strange ' inside the file; improve readme; add some define to better set the mirror date range
* add parameter to set mirroring duration time
* Add return after return_result
* Create test units for RSA Get Raw logs and display scripts
* Add return after return_result of RSAGetRawLog.py, Create unit tests for RSA scripts
* Apply suggestions from code review
* remove duplicate instructions in README
* Implement mirror in and out for RSANetwitness 11.5: support mirror in and out. Add a dedicated layout to view alerts, raw logs and events; use RSA Netwitness Packet & Logs to get raw logs
* change version; patch encoding issue and add mirroring function in the yml list
* forgot to modify a field
* remove wrong modification
* missing required parameters during merge
* patch CI/CD error
* add mirroring in README + change name parameter + add mirrorid in test data
* implement correction asked by palo
* generated README files for the scripts
* remove strange ' inside the file; improve readme; add some define to better set the mirror date range
* add parameter to set mirroring duration time
* Add return after return_result
* Create test units for RSA Get Raw logs and display scripts
* Apply suggestions from code review
* remove duplicate instructions in README
* line too long... + error in README
* line too long...
* patch Ci/cd error
* patch ci/cd error
* patch ci/cd error
* Add first version of tests units for RSA Netwitness Mirroring
* patch flake8 error script RSADisplayMetasEvents
* patch flake8 error script RSAGetRawLog
* patch flake8 error integration RSANetWitness 11_5
* Add get_modified_remote_data_command unit test
* Add unit test for command get_modified_remote_data_command
* Fix function name
* Fix flake8 issue
* Remove unused class
* docker version + ignore secret fake ip
* Delete get-pip.py
* Remove unused test files
* format updates
* pre-commit and format updates
* Apply suggestions from code review
* add doc string to get_mapping_fields_command
* Fix bracket error
* Add 2 test functions to check update_remote_system_command
* remove possible duplicate changed inc id
* Fix minor error in return tests functions
* Add units tests to get remote data command
* rename metasevents to rsametasevents
* flake8 space missing
* default config value not set correctly
* Update unit test of get_modified_remote_data_command
* Add unit test for expired and non expired incident
* remove unused line
* update release note
* update release note
* update release note
* change comparison for pulling new alert
* Update Packs/RSANetWitness_v11_1/Integrations/RSANetWitnessv115/RSANetWitnessv115_test.py
* remove comment in the release note
* Apply suggestions from code review
* Resolve issue of unit tests
* updated the release notes and pack-ignore
* pre-commit updates
* Fix all suggestions
* Fix flake8 errors
* Add mirrored object in test_get_modified_remote_data_command_from_timestamp
* patch flake8 error
* added = in get_remote_data_command
* patch unit test
* Fix token string in incident old clean test
* Fix indent
* Fix indent
* patch flake8
* updated the release notes
* pre-commit changes
* added the file CONTRIBUTORS.json

---------

Co-authored-by: Pierre <Winultimatum@users.noreply.github.com>
Co-authored-by: Pierre SOLER <9917674+Winultimatum@users.noreply.github.com>
Co-authored-by: RotemAmit <ramit@paloaltonetworks.com>
Co-authored-by: Sébastien Guisnet <sebastien.guisnet@nucleon-security.com>
Co-authored-by: Sébastien Guisnet <sebastien.guisnet@gmail.com>
Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>
Description
Add mirroring to RSA Netwitness 11.5.
In order to do so, and because the RSA API doesn't tell us when new alerts are aggregated into an incident, I store inside the context data of the incident when the incident was last pulled and how many alerts + events were retrieved. After 24 days (time fixed by RSA), another alert cannot be aggregated and a new incident is created on RSA. A subroutine cleans every incident >24 days inside the context data in order not to saturate the context data of the integration.
Improve the SIEM RSA layout to investigate the incident with data:
Must have
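The change-detection bookkeeping the description above relies on, as an added illustration that is not the integration's own code: per incident, the context keeps the last pull time and the alert and event counts seen then; a later poll reporting larger counts marks the incident as modified, and entries older than the 24-day aggregation window are pruned. The function names, the context layout and the sample polls are all constructed for this example.

```python
"""Added example (not the integration's own code): bookkeeping for mirror-in
when the remote API does not flag newly aggregated alerts.

Per incident we remember when it was last pulled and how many alerts and
events we saw then; a later poll that reports larger counts means the
incident changed and should be mirrored again. Entries older than the
aggregation window are pruned so the integration context stays small.
All names and the sample incidents below are constructed for illustration.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Window after which RSA no longer aggregates alerts into an incident
# (24 days, as stated in the PR description).
AGGREGATION_WINDOW = timedelta(days=24)


def has_new_data(context: dict, incident_id: str, alerts: int, events: int) -> bool:
    """True if this incident was never pulled or its counts grew since the last pull."""
    prev = context.get(incident_id)
    if prev is None:
        return True
    return alerts > prev["alerts"] or events > prev["events"]


def record_pull(context: dict, incident_id: str, alerts: int, events: int,
                pulled_at: datetime) -> None:
    """Store the last pull time and the counts for the incident in the context."""
    context[incident_id] = {
        "last_pull": pulled_at.isoformat(),
        "alerts": alerts,
        "events": events,
    }


def prune_expired(context: dict, now: datetime) -> list[str]:
    """Drop context entries whose last pull is older than the aggregation window.

    Returns the removed incident IDs so the caller can log them.
    """
    expired = [
        iid for iid, rec in context.items()
        if now - datetime.fromisoformat(rec["last_pull"]) > AGGREGATION_WINDOW
    ]
    for iid in expired:
        del context[iid]
    return expired


def modified_incidents(context: dict, remote: list[dict], now: datetime) -> list[str]:
    """Return the IDs that need mirroring and update the context for those only.

    `remote` stands in for what a poll of the incident list returns: an id plus
    the current alert and event counts (constructed shape, hypothetical API).
    """
    prune_expired(context, now)
    changed = []
    for inc in remote:
        if has_new_data(context, inc["id"], inc["alerts"], inc["events"]):
            changed.append(inc["id"])
            record_pull(context, inc["id"], inc["alerts"], inc["events"], now)
    return changed


def demo() -> tuple[list[str], list[str], list[str]]:
    """Constructed walk-through: three polls against the same context."""
    ctx: dict = {}
    t0 = datetime(2023, 1, 1, tzinfo=timezone.utc)

    # Poll 1: both incidents are unseen, so both are mirrored and recorded.
    poll1 = [{"id": "INC-1", "alerts": 2, "events": 10},
             {"id": "INC-2", "alerts": 1, "events": 3}]
    first = modified_incidents(ctx, poll1, t0)

    # Poll 2, an hour later: only INC-1 gained an alert and events.
    poll2 = [{"id": "INC-1", "alerts": 3, "events": 14},
             {"id": "INC-2", "alerts": 1, "events": 3}]
    second = modified_incidents(ctx, poll2, t0 + timedelta(hours=1))

    # Poll 3, 25 days later: both entries are past the window and get pruned,
    # so an incident still listed by the remote is treated as unseen again.
    poll3 = [{"id": "INC-2", "alerts": 1, "events": 3}]
    third = modified_incidents(ctx, poll3, t0 + timedelta(days=25))
    return first, second, third


if __name__ == "__main__":
    print(demo())
```

Only incidents whose counts grew get their `last_pull` refreshed, so an incident that stops changing ages out of the context exactly 24 days after its last change, which is the condition under which RSA would open a new incident anyway.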