XDR Expandr-3361

Packs/ApiModules/ReleaseNotes/2_2_21.md

@@ -0,0 +1,4 @@
+
+#### Scripts
+##### CoreIRApiModule
+Added the *public_ip_list* argument for the ***get_endpoints()*** API call.

Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule.py

@@ -152,6 +152,7 @@ def get_endpoints(self,
                       endpoint_id_list=None,
                       dist_name=None,
                       ip_list=None,
+                      public_ip_list=None,
                       group_name=None,
                       platform=None,
                       alias_name=None,
@@ -181,7 +182,7 @@ def get_endpoints(self,
             status=status, username=username, endpoint_id_list=endpoint_id_list, dist_name=dist_name,
             ip_list=ip_list, group_name=group_name, platform=platform, alias_name=alias_name, isolate=isolate,
             hostname=hostname, first_seen_gte=first_seen_gte, first_seen_lte=first_seen_lte,
-            last_seen_gte=last_seen_gte, last_seen_lte=last_seen_lte
+            last_seen_gte=last_seen_gte, last_seen_lte=last_seen_lte, public_ip_list=public_ip_list
         )
 
         if search_from:
@@ -1809,6 +1810,7 @@ def get_endpoints_command(client, args):
     endpoint_id_list = argToList(args.get('endpoint_id_list'))
     dist_name = argToList(args.get('dist_name'))
     ip_list = argToList(args.get('ip_list'))
+    public_ip_list = argToList(args.get('public_ip_list'))
     group_name = argToList(args.get('group_name'))
     platform = argToList(args.get('platform'))
     alias_name = argToList(args.get('alias_name'))
@@ -1845,6 +1847,7 @@ def get_endpoints_command(client, args):
         endpoint_id_list=endpoint_id_list,
         dist_name=dist_name,
         ip_list=ip_list,
+        public_ip_list=public_ip_list,
         group_name=group_name,
         platform=platform,
         alias_name=alias_name,
@@ -3454,6 +3457,7 @@ def create_request_filters(
     endpoint_id_list: Optional[List] = None,
     dist_name: Optional[List] = None,
     ip_list: Optional[List] = None,
+    public_ip_list: Optional[List] = None,
     group_name: Optional[List] = None,
     platform: Optional[List] = None,
     alias_name: Optional[List] = None,
@@ -3502,6 +3506,13 @@ def create_request_filters(
             'value': ip_list
         })
 
+    if public_ip_list:
+        filters.append({
+            'field': 'public_ip_list',
+            'operator': 'in',
+            'value': public_ip_list
+        })
+
     if group_name:
         filters.append({
             'field': 'group_name',

Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule.yml

@@ -12,5 +12,7 @@ comment: Common Core IR Client, provides generic Infrastructure.
 scripttarget: 0
 dependson: {}
 timeout: 0s
-dockerimage: demisto/python3:3.10.1.27636
+dockerimage: demisto/python3:3.10.13.78960
 fromversion: 5.0.0
+tests:
+- No tests (auto formatted)

Packs/ApiModules/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "ApiModules",
     "description": "API Modules",
     "support": "xsoar",
-    "currentVersion": "2.2.20",
+    "currentVersion": "2.2.21",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",
@@ -13,6 +13,7 @@
     "keywords": [],
     "marketplaces": [
         "xsoar",
-        "marketplacev2"
+        "marketplacev2",
+        "xpanse"
     ]
 }

Packs/Core/Integrations/CortexCoreIR/CortexCoreIR.yml

@@ -100,19 +100,24 @@ script:
       isArray: true
       name: dist_name
     - description: |-
-        A comma-separated list of IP addresses.
-        Example: 8.8.8.8,1.1.1.1.
+        A comma-separated list of private IP addresses.
+        Example: 10.1.1.1,192.168.1.1.
       isArray: true
       name: ip_list
+    - description: |-
+        A comma-separated list of public IP addresses that correlate to the last IPv4 address from which the XDR agent connected (know as `Last Origin IP`).
+        Example: 8.8.8.8,1.1.1.1.
+      isArray: true
+      name: public_ip_list
     - description: |-
         The group name to which the agent belongs.
         Example: group_name1,group_name2.
       isArray: true
       name: group_name
-    - auto: PREDEFINED
-      description: 'The endpoint platform. Valid values are\: "windows", "linux", "macos", or "android". '
+    - description: 'The endpoint platform. Valid values are\: "windows", "linux", "macos", or "android". '
       isArray: true
       name: platform
+      auto: PREDEFINED
       predefined:
       - windows
       - linux
@@ -121,19 +126,20 @@ script:
     - description: |-
         A comma-separated list of alias names.
         Examples: alias_name1,alias_name2.
-      isArray: true
       name: alias_name
-    - auto: PREDEFINED
-      description: Specifies whether the endpoint was isolated or unisolated.
+      isArray: true
+    - description: |-
+        Specifies whether the endpoint was isolated or unisolated.
       name: isolate
+      auto: PREDEFINED
       predefined:
       - isolated
       - unisolated
     - description: |-
         Hostname
         Example: hostname1,hostname2.
-      isArray: true
       name: hostname
+      isArray: true
     - description: |-
         All the agents that were first seen after {first_seen_gte}.
         Supported values:
@@ -165,26 +171,26 @@ script:
     - defaultValue: '0'
       description: Page number (for pagination). The default is 0 (the first page).
       name: page
-    - defaultValue: '30'
-      description: Maximum number of endpoints to return per page. The default and maximum is 30.
+    - description: Maximum number of endpoints to return per page. The default and maximum is 30.
       name: limit
+      defaultValue: '30'
     - auto: PREDEFINED
       description: Specifies whether to sort endpoints by the first time or last time they were seen. Can be "first_seen" or "last_seen".
       name: sort_by
       predefined:
       - first_seen
       - last_seen
     - auto: PREDEFINED
-      defaultValue: asc
       description: The order by which to sort results. Can be "asc" (ascending) or "desc" ( descending). Default set to asc.
       name: sort_order
       predefined:
       - asc
       - desc
-    - auto: PREDEFINED
+      defaultValue: asc
+    - name: status
       description: A comma-separated list of endpoints statuses to filter.
-      name: status
       isArray: true
+      auto: PREDEFINED
       predefined:
       - connected
       - disconnected

Packs/Core/Integrations/CortexCoreIR/README.md

@@ -84,7 +84,8 @@ Gets a list of endpoints, according to the passed filters. If there are no filte
 | --- | --- | --- |
 | endpoint_id_list | A comma-separated list of endpoint IDs. | Optional | 
 | dist_name | A comma-separated list of distribution package names or installation package names. <br/>Example: dist_name1,dist_name2. | Optional | 
-| ip_list | A comma-separated list of IP addresses.<br/>Example: 8.8.8.8,1.1.1.1. | Optional | 
+| ip_list | A comma-separated list of private IP addresses.<br/> Example: 10.1.1.1,192.168.1.1. | Optional | 
+| public_ip_list | A comma-separated list of public IP addresses that correlate to the last IPv4 address from which the XDR agent connected (know as `Last Origin IP`).<br/>Example: 8.8.8.8,1.1.1.1. | Optional | 
 | group_name | The group name to which the agent belongs.<br/>Example: group_name1,group_name2. | Optional | 
 | platform | The endpoint platform. Valid values are\: "windows", "linux", "macos", or "android". . Possible values are: windows, linux, macos, android. | Optional | 
 | alias_name | A comma-separated list of alias names.<br/>Examples: alias_name1,alias_name2. | Optional | 

Packs/Core/ReleaseNotes/2_1_1.md

@@ -0,0 +1,6 @@
+
+#### Integrations
+
+##### Investigation & Response
+
+Added the *public_ip_list* argument for the ***core-get-endpoints*** command.

Packs/Core/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Core - Investigation and Response",
     "description": "Automates incident response",
     "support": "xsoar",
-    "currentVersion": "2.1.0",
+    "currentVersion": "2.1.1",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

Packs/CortexXDR/IncidentTypes/Cortex_XDR_Incident.json

@@ -21,5 +21,8 @@
 	"weeks": 0,
 	"weeksR": 0,
 	"fromVersion": "6.0.0",
-	"layout": "Cortex XDR Incident"
+	"layout": "Cortex XDR Incident",
+	"marketplaces": [
+        "xsoar"
+    ]
 }

Packs/CortexXDR/IncidentTypes/Cortex_XDR_Incident_5_9_9.json

@@ -22,5 +22,8 @@
 	"weeksR": 0,
 	"fromVersion": "5.0.0",
 	"toVersion": "5.9.9",
-	"layout": "Cortex XDR Incident"
+	"layout": "Cortex XDR Incident",
+	"marketplaces": [
+        "xsoar"
+    ]
 }

Packs/CortexXDR/IncidentTypes/incidenttype-Cortex_XDR_-_XCLOUD_Cryptomining.json

@@ -26,5 +26,8 @@
         "mode": "Specific",
         "fieldCliNameToExtractSettings": {}
     },
-    "fromVersion": "6.5.0"
+    "fromVersion": "6.5.0",
+    "marketplaces": [
+        "xsoar"
+    ]
 }

Packs/CortexXDR/IncidentTypes/incidenttype-XDR_Device_Control_Violations.json

@@ -18,5 +18,8 @@
     "version": -1,
     "weeks": 0,
     "weeksR": 0,
-    "fromVersion": "5.5.0"
+    "fromVersion": "5.5.0",
+    "marketplaces": [
+        "xsoar"
+    ]
 }

Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.yml

@@ -777,10 +777,15 @@ script:
       isArray: true
       name: dist_name
     - description: |-
-        A comma-separated list of IP addresses.
-        Example: 8.8.8.8,1.1.1.1.
+        A comma-separated list of private IP addresses.
+        Example: 10.1.1.1,192.168.1.1.
       isArray: true
       name: ip_list
+    - description: |-
+        A comma-separated list of public IP addresses that correlate to the last IPv4 address from which the XDR agent connected (know as `Last Origin IP`).
+        Example: 8.8.8.8,1.1.1.1.
+      isArray: true
+      name: public_ip_list
     - description: |-
         The group name to which the agent belongs.
         Example: group_name1,group_name2.
@@ -798,19 +803,20 @@ script:
     - description: |-
         A comma-separated list of alias names.
         Examples: alias_name1,alias_name2.
-      isArray: true
       name: alias_name
-    - auto: PREDEFINED
-      description: Specifies whether the endpoint was isolated or unisolated.
+      isArray: true
+    - description: |-
+        Specifies whether the endpoint was isolated or unisolated.
       name: isolate
+      auto: PREDEFINED
       predefined:
       - isolated
       - unisolated
     - description: |-
         Hostname
         Example: hostname1,hostname2.
-      isArray: true
       name: hostname
+      isArray: true
     - description: |-
         All the agents that were first seen after {first_seen_gte}.
         Supported values:
@@ -842,19 +848,19 @@ script:
     - defaultValue: '0'
       description: Page number (for pagination). The default is 0 (the first page).
       name: page
-    - defaultValue: '30'
-      description: Maximum number of endpoints to return per page. The default and maximum is 30.
+    - description: Maximum number of endpoints to return per page. The default and maximum is 30.
       name: limit
+      defaultValue: '30'
     - auto: PREDEFINED
       description: Specifies whether to sort endpoints by the first time or last time they were seen. Can be "first_seen" or "last_seen".
       name: sort_by
       predefined:
       - first_seen
       - last_seen
-    - auto: PREDEFINED
-      defaultValue: asc
+    - name: sort_order
       description: The order by which to sort results. Can be "asc" (ascending) or "desc" ( descending). Default set to asc.
-      name: sort_order
+      auto: PREDEFINED
+      defaultValue: asc
       predefined:
       - asc
       - desc
@@ -2728,8 +2734,8 @@ script:
       auto: PREDEFINED
       defaultValue: 'true'
       predefined:
-        - 'true'
-        - 'false'
+      - 'true'
+      - 'false'
     description: Returns information about each alert ID.
     name: xdr-get-cloud-original-alerts
     outputs:

Packs/CortexXDR/Integrations/CortexXDRIR/README.md

@@ -689,7 +689,8 @@ Builtin Roles with this permission includes: "Privileged Responder", "Viewer" an
 | status | A comma-separated list of endpoints statuses to filter. Valid values are: connected, disconnected, lost, uninstalled, windows, linux, macos, android, isolated, unisolated. | Optional |
 | endpoint_id_list | A comma-separated list of endpoint IDs. | Optional | 
 | dist_name | A comma-separated list of distribution package names or installation package names.<br/>Example: dist_name1,dist_name2. | Optional | 
-| ip_list | A comma-separated list of IP addresses.<br/>Example: 8.8.8.8,1.1.1.1. | Optional | 
+| ip_list | A comma-separated list of private IP addresses.<br/>Example: Example: 10.1.1.1,192.168.1.1. | Optional | 
+| public_ip_list | A comma-separated list of public IP addresses that correlate to the last IPv4 address from which the XDR agent connected (know as `Last Origin IP`).<br/>Example: 8.8.8.8,1.1.1.1. | Optional | 
 | group_name | The group name to which the agent belongs.<br/>Example: group_name1,group_name2. | Optional | 
 | platform | The endpoint platform. Valid values are\: "windows", "linux", "macos", or "android". . Possible values are: windows, linux, macos, android. | Optional | 
 | alias_name | A comma-separated list of alias names.<br/>Examples: alias_name1,alias_name2. | Optional | 

Packs/CortexXDR/Playbooks/Cortex_XDR_-_Port_Scan_-_Adjusted.yml

@@ -1,7 +1,7 @@
 id: Cortex XDR - Port Scan - Adjusted
 version: -1
 name: Cortex XDR - Port Scan - Adjusted
-description: "The playbook investigates Cortex XDR incidents involving port scan alerts. The playbook is designed to run as a sub-playbook of ‘Cortex XDR Alerts Handling’. \n\nThe playbook consists of the following procedures:\n- Enrichment and investigation of the scanner and scanned hostname and IP address.\n- Enrichment and investigation of the initiator user, process, file, or command if it exists.\n- Detection of related indicators and analysis of the relationship between the detected indicators.\n- Utilize the detected indicators to conduct threat hunting.\n- Blocks detected malicious indicators.\n- Endpoint isolation.\n\nThis playbook supports the following Cortex XDR alert names:\n- Suspicious port scan\n- Port scan by suspicious process\n- Highly suspicious port scan\n- Port scan"
+description: "The playbook investigates Cortex XDR incidents involving port scan alerts. The playbook is designed to run as a sub-playbook of ‘Cortex XDR Alerts Handling’. \n\nThe playbook consists of the following procedures:\n- Enrichment and investigation of the scanner and scanned hostname and IP address.\n- Enrichment and investigation of the initiator user, process, file, or command if it exists.\n- Detection of related indicators and analysis of the relationship between the detected indicators.\n- Utilize the detected indicators to conduct threat hunting.\n- Blocks detected malicious indicators.\n- Endpoint isolation.\n\nThis playbook supports the following Cortex XDR alert names:\n- Suspicious port scan\n- Port scan by suspicious process\n- Highly suspicious port scan\n- Port scan."
 starttaskid: "0"
 tasks:
   "0":
@@ -2755,7 +2755,7 @@ outputs:
   description: Lateral Movement First Date time from the port scan alert.
   type: unknown
 - contextPath: PortScan.PortScanFirstDatetime
-  description: Port Scan First Date time
+  description: Port Scan First Date time.
   type: unknown
 tests:
 - Test XDR Playbook general commands
@@ -2764,3 +2764,5 @@ tests:
 fromversion: 5.0.0
 contentitemexportablefields:
   contentitemfields: {}
+marketplaces:
+- xsoar