demisto · ssokolovich · Dec 24, 2023 · Nov 26, 2023 · Nov 26, 2023 · Nov 26, 2023
diff --git a/Packs/CloudIncidentResponse/LayoutRules/layoutrule-Cloud_Alerts.json b/Packs/CloudIncidentResponse/LayoutRules/layoutrule-Cloud_Alerts.json
@@ -0,0 +1,46 @@
+{
+    "rule_id": "Cloud_Alerts_rule",
+    "layout_id": "Cloud Alerts",
+    "description": "Default display for Cloud Alerts generated by XDR Analytics.",
+    "rule_name": "Cloud Alerts Layout Rule",
+    "alerts_filter": {
+        "filter": {
+                "AND": [
+                    {
+                      "OR": [
+                        {
+                          "SEARCH_FIELD": "cloud_provider",
+                          "SEARCH_TYPE": "EQ",
+                          "SEARCH_VALUE": "AWS"
+                        },
+                        {
+                          "SEARCH_FIELD": "cloud_provider",
+                          "SEARCH_TYPE": "EQ",
+                          "SEARCH_VALUE": "AZURE"
+                        },
+                        {
+                          "SEARCH_FIELD": "cloud_provider",
+                          "SEARCH_TYPE": "EQ",
+                          "SEARCH_VALUE": "GCP"
+                        }
+                      ]
+                    },
+                    {
+                      "OR": [
+                        {
+                          "SEARCH_FIELD": "alert_source",
+                          "SEARCH_TYPE": "EQ",
+                          "SEARCH_VALUE": "ANALYTICS_BIOC"
+                        },
+                        {
+                          "SEARCH_FIELD": "alert_source",
+                          "SEARCH_TYPE": "EQ",
+                          "SEARCH_VALUE": "MAGNIFIER"
+                        }
+                      ]
+                    }
+                  ]
+        }
+    },
+    "fromVersion": "6.10.0"
+}
diff --git a/Packs/CloudIncidentResponse/Layouts/layoutscontainer-Cloud_Alerts.json b/Packs/CloudIncidentResponse/Layouts/layoutscontainer-Cloud_Alerts.json
diff --git a/Packs/CloudIncidentResponse/ReleaseNotes/1_0_10.md b/Packs/CloudIncidentResponse/ReleaseNotes/1_0_10.md
@@ -0,0 +1,18 @@
+
+#### Layout Rules
+
+##### New: Cloud Alerts Layout Rule
+
+- New: Cloud Alerts layout Rule (Available from Cortex XSIAM 2.0).
+
+#### Layouts
+
+##### New: Cloud Alerts
+
+- New: Cloud Alerts layout  (Available from Cortex XSIAM 2.0).
+
+#### Scripts
+
+##### New: XCloudAdditionalAlertInformationWidget
+
+- New: This script retrieves additional original alert information from the context. (Available from Cortex XCLOUD).
diff --git a/.../CloudIncidentResponse/Scripts/XCloudAdditionalAlertInformationWidget/README.md b/.../CloudIncidentResponse/Scripts/XCloudAdditionalAlertInformationWidget/README.md
@@ -0,0 +1,30 @@
+This script retrieves additional original alert information from the context.
+
+## Script Data
+
+---
+
+| **Name** | **Description** |
+| --- | --- |
+| Script Type | python3 |
+| Tags | dynamic-section |
+| Cortex XSOAR Version | 6.10.0 |
+
+## Dependencies
+
+---
+This script uses the following commands and scripts.
+
+* SetByIncidentId
+* core-get-cloud-original-alerts
+* Cortex Core - IR
+
+## Inputs
+
+---
+There are no inputs for this script.
+
+## Outputs
+
+---
+There are no outputs for this script.
diff --git a/.../Scripts/XCloudAdditionalAlertInformationWidget/XCloudAdditionalAlertInformationWidget.py b/.../Scripts/XCloudAdditionalAlertInformationWidget/XCloudAdditionalAlertInformationWidget.py
@@ -0,0 +1,72 @@
+from CommonServerPython import *  # noqa: F401
+
+
+''' COMMAND FUNCTION '''
+
+
+def get_additonal_info() -> List[Dict]:
+    alerts = demisto.context().get('Core', {}).get('OriginalAlert')
+    if not alerts:
+        raise DemistoException('Original Alert is not configured in context')
+    if not isinstance(alerts, list):
+        alerts = [alerts]
+
+    results = []
+    for alert in alerts:
+        alert_event = alert.get('event')
+        res = {'Alert Full Description': alert.get('alert_full_description'),
+               'Detection Module': alert.get('detection_modules'),
+               'Vendor': alert_event.get('vendor'),
+               'Provider': alert_event.get('cloud_provider'),
+               'Log Name': alert_event.get('log_name'),
+               'Event Type': demisto.get(alert_event, 'raw_log.eventType'),
+               'Caller IP': alert_event.get('caller_ip'),
+               'Caller IP Geo Location': alert_event.get('caller_ip_geolocation'),
+               'Resource Type': alert_event.get('resource_type'),
+               'Identity Name': alert_event.get('identity_name'),
+               'Operation Name': alert_event.get('operation_name'),
+               'Operation Status': alert_event.get('operation_status'),
+               'User Agent': alert_event.get('user_agent')}
+        results.append(res)
+    indicators = [res.get('Caller IP') for res in results]
+    indicators_callable = indicators_value_to_clickable(indicators)
+    for res in results:
+        res['Caller IP'] = indicators_callable.get(res.get('Caller IP'))
+    return results
+
+
+def verify_list_type(original_alert_data):
+    if isinstance(original_alert_data, list):
+        res = original_alert_data[0].get('EntryContext')
+        res['OriginalAlert'] = res.pop('Core.OriginalAlert(val.internal_id && val.internal_id == obj.internal_id)')
+        if isinstance(res['OriginalAlert'], list):
+            res['OriginalAlert'] = res['OriginalAlert'][0]
+        return res
+    return None
+
+
+''' MAIN FUNCTION '''
+
+
+def main():  # pragma: no cover
+    try:
+        alert_context = demisto.investigation()
+        core_alert_context = demisto.context().get('Core', {})
+        if not core_alert_context.get('OriginalAlert'):
+            original_alert_data = demisto.executeCommand('core-get-cloud-original-alerts', {"alert_ids": alert_context.get('id')})
+            if original_alert_data:
+                res = verify_list_type(original_alert_data)
+                demisto.executeCommand('SetByIncidentId', {"key": "Core", "value": res, "id": alert_context.get('id')})
+        results = get_additonal_info()
+        command_results = CommandResults(
+            readable_output=tableToMarkdown('Original Alert Additional Information', results,
+                                            headers=list(results[0].keys()) if results else None))
+        return_results(command_results)
+    except Exception as ex:
+        return_error(f'Failed to execute AdditionalAlertInformationWidget. Error: {str(ex)}')
+
+
+''' ENTRY POINT '''
+
+if __name__ in ('__main__', '__builtin__', 'builtins'):
+    main()
diff --git a/...Scripts/XCloudAdditionalAlertInformationWidget/XCloudAdditionalAlertInformationWidget.yml b/...Scripts/XCloudAdditionalAlertInformationWidget/XCloudAdditionalAlertInformationWidget.yml
@@ -0,0 +1,21 @@
+commonfields:
+  id: XCloudAdditionalAlertInformationWidget
+  version: -1
+name: XCloudAdditionalAlertInformationWidget
+script: ''
+type: python
+tags:
+- dynamic-section
+comment: This script retrieves additional original alert information from the context.
+enabled: true
+scripttarget: 0
+subtype: python3
+runonce: false
+dockerimage: demisto/python3:3.10.13.83255
+runas: DBotWeakRole
+engineinfo: {}
+fromversion: 6.10.0
+marketplaces:
+- marketplacev2
+tests:
+- No tests (auto formatted)
diff --git a/...pts/XCloudAdditionalAlertInformationWidget/XCloudAdditionalAlertInformationWidget_test.py b/...pts/XCloudAdditionalAlertInformationWidget/XCloudAdditionalAlertInformationWidget_test.py
@@ -0,0 +1,62 @@
+import unittest
+from unittest.mock import patch
+from XCloudAdditionalAlertInformationWidget import *
+
+
+class TestXCloudAdditionalAlertInformationWidget(unittest.TestCase):
+
+    @patch('demistomock.context', return_value={'Core': {'OriginalAlert': [{'event': {'alert_full_description': None,
+                                                                                      'detection_modules': None,
+                                                                                      'vendor': 'Vendor1',
+                                                                                      'cloud_provider': 'AWS',
+                                                                                      'log_name': 'SecurityLog',
+                                                                                      'raw_log': {'eventType': 'Event1'},
+                                                                                      'caller_ip': '192.168.1.1',
+                                                                                      'caller_ip_geolocation': 'Location1',
+                                                                                      'resource_type': 'ResourceType1',
+                                                                                      'identity_name': 'User1',
+                                                                                      'operation_name': 'Operation1',
+                                                                                      'operation_status': 'Success',
+                                                                                      'user_agent': 'Browser1'}}]}})
+    def test_get_additonal_info(self, mock_context):
+        # Test with a mock context containing one original alert
+        expected_result = [{'Alert Full Description': None,
+                            'Detection Module': None,
+                            'Vendor': 'Vendor1',
+                            'Provider': 'AWS',
+                            'Log Name': 'SecurityLog',
+                            'Event Type': 'Event1',
+                            'Caller IP': None,
+                            'Caller IP Geo Location': 'Location1',
+                            'Resource Type': 'ResourceType1',
+                            'Identity Name': 'User1',
+                            'Operation Name': 'Operation1',
+                            'Operation Status': 'Success',
+                            'User Agent': 'Browser1'}]
+
+        result = get_additonal_info()  # Corrected function name
+        assert result == expected_result
+
+    def test_verify_list_type_dict(self):
+        input_dict = [{
+            "EntryContext": {"Core.OriginalAlert(val.internal_id && val.internal_id == obj.internal_id)": {"id": "123"}}}]
+        expected_output = {"OriginalAlert": {"id": "123"}}
+        output = verify_list_type(input_dict)
+        assert output == expected_output
+
+    def test_verify_list_type_list(self):
+        input_list = [
+            {"EntryContext": {"Core.OriginalAlert(val.internal_id && val.internal_id == obj.internal_id)": {"id": "123"}}}]
+        expected_output = {"OriginalAlert": {"id": "123"}}
+        output = verify_list_type(input_list)
+        assert output == expected_output
+
+    def test_verify_list_type_empty(self):
+        input = None
+        expected_output = None
+        output = verify_list_type(input)
+        assert output == expected_output
+
+
+if __name__ == '__main__':
+    unittest.main()
diff --git a/Packs/CloudIncidentResponse/pack_metadata.json b/Packs/CloudIncidentResponse/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Cloud Incident Response",
     "description": "This content Pack helps you automate collection, investigation, and remediation of incidents related to cloud infrastructure activities in AWS, Azure, and GCP.",
     "support": "xsoar",
-    "currentVersion": "1.0.9",
+    "currentVersion": "1.0.10",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",