demisto · jbabazadeh · Mar 24, 2024 · Mar 6, 2024 · Mar 8, 2024 · Mar 11, 2024
diff --git a/Packs/Cybereason/Integrations/Cybereason/Cybereason.py b/Packs/Cybereason/Integrations/Cybereason/Cybereason.py
@@ -63,6 +63,9 @@
 MALOP_HEADERS = [
     'GUID', 'Link', 'CreationTime', 'Status', 'LastUpdateTime', 'DecisionFailure', 'Suspects', 'AffectedMachine', 'InvolvedHash']
 
+SINGLE_MALOP_HEADERS = [
+    'GUID', 'Link', 'CreationTime', 'Status', 'LastUpdateTime', 'InvolvedHash']
+
 DOMAIN_HEADERS = [
     'Name', 'Reputation', 'IsInternalDomain', 'WasEverResolved', 'WasEverResolvedAsASecondLevelDomain', 'Malicious',
     'SuspicionsCount']
@@ -71,6 +74,8 @@
 
 SENSOR_HEADERS = ['MachineID', 'MachineName', 'MachineFQDN', 'GroupID', 'GroupName']
 
+PROCESS_URL_HEADERS = ['URL', 'ProcessID']
+
 CONNECTION_INFO = [
     {'field': 'elementDisplayName', 'header': 'Name', 'type': 'simple'},
     {'field': 'direction', 'header': 'Direction', 'type': 'simple'},
@@ -1939,6 +1944,73 @@ def get_machine_details_command(client: Client, args: dict):
             outputs=outputs)
 
 
+def query_malop_management_command(client: Client, args: dict):
+    malop_guid = args.get('malopGuid')
+    json_body = {
+        "search": {
+            "malop": {
+                "guid": f'{malop_guid}'
+            }
+        },
+        "pagination": {
+            "offset": 0
+        },
+        "range": {
+            "from": 0,
+            "to": 9999999999999
+        }
+    }
+    response = client.cybereason_api_call('POST', '/rest/mmng/v2/malops', json_body=json_body)
+    if dict_safe_get(response, ['data', 'data']) == []:
+        raise DemistoException(f"Could not find details for the provided MalopGuid {malop_guid}")
+    else:
+        outputs = []
+        for single_malop in response["data"]["data"]:
+            guid = single_malop.get("guid", "")
+            creation_time = single_malop.get("creationTime", "")
+            malop_last_update_time = single_malop.get("lastUpdateTime", "")
+            management_status = single_malop.get("investigationStatus", "")
+            involved_hashes = single_malop.get("rootCauseElementHashes", [])
+            if single_malop["isEdr"]:
+                link = SERVER + '/#/malop/' + guid
+            else:
+                link = SERVER + '/#/detection-malop/' + guid
+            malop_output = {
+                'GUID': guid,
+                'Link': link,
+                'CreationTime': creation_time,
+                'LastUpdateTime': malop_last_update_time,
+                'Status': management_status,
+                'InvolvedHash': involved_hashes
+            }
+            outputs.append(malop_output)
+        return CommandResults(
+            readable_output=tableToMarkdown('Cybereason Malop', outputs, headers=SINGLE_MALOP_HEADERS)
+            if outputs else 'No malop found',
+            outputs_prefix='Cybereason.Malops',
+            outputs_key_field='GUID',
+            outputs=outputs)
+
+
+def cybereason_process_attack_tree_command(client: Client, args: dict):
+    process_guid_list = argToList(args.get('processGuid'))
+    outputs = []
+    for guid in process_guid_list:
+        url = SERVER + "/#/processTree?guid=" + guid + "&viewedGuids=" + guid + "&rootType=Process"
+        process_output = {
+            'ProcessID': guid,
+            'URL': url,
+        }
+        outputs.append(process_output)
+    empty_output_message = 'No Process Details found for the given ProcessID'
+    return CommandResults(
+        readable_output=tableToMarkdown('Process Attack Tree URL', outputs, headers=PROCESS_URL_HEADERS)
+        if outputs else empty_output_message,
+        outputs_prefix='Cybereason.Process',
+        outputs_key_field='ProcessID',
+        outputs=outputs)
+
+
 def get_machine_details_command_pagination_params(args: dict) -> dict:
     '''
         Generate pagination parameters for fetching machine details based on the given arguments.
@@ -2107,6 +2179,12 @@ def main():
         elif demisto.command() == 'cybereason-get-machine-details':
             return_results(get_machine_details_command(client, args))
 
+        elif demisto.command() == 'cybereason-query-malop-management':
+            return_results(query_malop_management_command(client, args))
+
+        elif demisto.command() == 'cybereason-process-attack-tree':
+            return_results(cybereason_process_attack_tree_command(client, args))
+
         else:
             raise NotImplementedError(f'Command {demisto.command()} is not implemented.')
 

diff --git a/Packs/Cybereason/Integrations/Cybereason/Cybereason.yml b/Packs/Cybereason/Integrations/Cybereason/Cybereason.yml
@@ -362,6 +362,44 @@ script:
     - contextPath: Cybereason.Malops.Status
       description: Malop managemant status.
       type: string
+  - arguments:
+    - description: malopGuid of the Cybereason Malop.
+      name: malopGuid
+      required: true
+    description: Get Management Malop details.
+    name: cybereason-query-malop-management
+    outputs:
+    - contextPath: Cybereason.Malops.GUID
+      description: The unique globally unique identifier (guid) for the Malop.
+      type: string
+    - contextPath: Cybereason.Malops.CreationTime
+      description: The time reported as when the malicious behavior began on the system. This is not the time that the Malop was first detected by Cybereason.
+      type: string
+    - contextPath: Cybereason.Malops.Link
+      description: Link to the Malop on Cybereason.
+      type: string
+    - contextPath: Cybereason.Malops.LastUpdatedTime
+      description: Last updated time of malop.
+      type: string
+    - contextPath: Cybereason.Malops.InvolvedHash
+      description: List of file hashes involved in this Malop.
+      type: string
+    - contextPath: Cybereason.Malops.Status
+      description: Malop managemant status.
+      type: string
+  - arguments:
+    - description: processGuid of the Cybereason Malop (can accept multiple guids separated by comma).
+      name: processGuid
+      required: true
+    description: Get Process Attack Tree URL.
+    name: cybereason-process-attack-tree
+    outputs:
+    - contextPath: Cybereason.Process.ProcessID
+      description: Cybereason Process ID.
+      type: string
+    - contextPath: Cybereason.Process.URL
+      description: Attack tree url for a given Process.
+      type: string
   - arguments:
     - description: Array of malop GUIDs separated by comma. (Malop GUID can be retrieved with the command cybereason-query-malops command).
       name: malopGuids
@@ -799,7 +837,7 @@ script:
   script: '-'
   type: python
   subtype: python3
-  dockerimage: demisto/python3:3.10.13.84405
+  dockerimage: demisto/python3:3.10.13.89009
 tests:
 - Cybereason Test
 fromversion: 5.0.0
diff --git a/Packs/Cybereason/Integrations/Cybereason/Cybereason_test.py b/Packs/Cybereason/Integrations/Cybereason/Cybereason_test.py
@@ -283,6 +283,47 @@ def test_query_malops_command(mocker):
     assert command_output.outputs[0]['AffectedMachine'] == ['desktop-j60ivd0']
 
 
+def test_query_malop_management_command(mocker):
+    from Cybereason import query_malop_management_command
+    from Cybereason import Client
+    HEADERS = {'Content-Type': 'application/json', 'Connection': 'close'}
+    client = Client(
+        base_url="https://test.server.com:8888",
+        verify=False,
+        headers=HEADERS,
+        proxy=True)
+    args = {"guid": "AAAA0w7GERjl3oae"}
+    query_malop_management_raw_response = json.loads(load_mock_response('query_malop_management_raw_response.json'))
+    mocker.patch("Cybereason.Client.cybereason_api_call", return_value=query_malop_management_raw_response)
+    command_output = query_malop_management_command(client, args)
+    assert command_output.outputs[0]['GUID'] == 'AAAA0w7GERjl3oae'
+
+
+def test_cybereason_process_attack_tree_command(mocker):
+    from Cybereason import cybereason_process_attack_tree_command, Client
+    HEADERS = {'Content-Type': 'application/json', 'Connection': 'close'}
+    client = Client(
+        base_url="https://test.server.com:8888",
+        verify=False,
+        headers=HEADERS,
+        proxy=True)
+    args = {
+        "processGuid": "HobXaEWU0CZ6S6LC"
+    }
+    url = "https://test.server.com:8888/#/processTree?guid=HobXaEWU0CZ6S6LC&viewedGuids=HobXaEWU0CZ6S6LC&rootType=Process"
+    expected_response = [
+        {
+            'ProcessID': "HobXaEWU0CZ6S6LC",
+            'URL': url,
+        }
+    ]
+
+    mocker.patch('Cybereason.Client.cybereason_api_call', return_value=expected_response)
+    mocker.patch('Cybereason.SERVER', new='https://test.server.com:8888')
+    command_output = cybereason_process_attack_tree_command(client, args)
+    assert command_output.outputs[0] == expected_response[0]
+
+
 def test_update_malop_status_command(mocker):
     from Cybereason import update_malop_status_command
     from Cybereason import Client

diff --git a/Packs/Cybereason/Integrations/Cybereason/README.md b/Packs/Cybereason/Integrations/Cybereason/README.md
@@ -1611,3 +1611,82 @@ Get the results related to machines.
     "GroupName": "example-group-name"
 }
 ```
+
+#### Base Command
+
+`cybereason-query-malop-management`
+
+#### Input
+
+| **Argument Name** | **Description** | **Required** |
+| --- | --- | --- |
+| malopGuid | malopGuid of the Cybereason Malop. | Required | 
+
+
+#### Context Output
+
+| **Path** | **Type** | **Description** |
+| --- | --- | --- |
+| Cybereason.Malops.GUID | string | The unique globally unique identifier \(guid\) for the Malop. | 
+| Cybereason.Malops.CreationTime | string | The time reported as when the malicious behavior began on the system. This is not the time that the Malop was first detected by Cybereason. |
+| Cybereason.Malops.Link | string | Link to the Malop on Cybereason. | 
+| Cybereason.Malops.LastUpdatedTime | string | Last updated time of malop | 
+| Cybereason.Malops.InvolvedHash | string | List of file hashes involved in this Malop | 
+| Cybereason.Malops.Status | string | Malop managemant status | 
+
+#### Command example
+
+```!cybereason-query-malop-management malopGuid=<malop-guid>```
+
+#### Context Example
+
+```json
+{
+    "GUID": "malop-guid",
+    "Link": "malop-url",
+    "CreationTime": 1686720403740,
+    "LastUpdateTime": 1686720403743,
+    "Status": "Pending",
+    "InvolvedHash": "involed-hash"
+}
+```
+
+#### Base Command
+
+`cybereason_process_attack_tree_command`
+
+#### Input
+
+| **Argument Name** | **Description** | **Required** |
+| --- | --- | --- |
+| malopGuid | malopGuid of the Cybereason Malop | Required | 
+
+
+#### Context Output
+
+| **Path** | **Type** | **Description** |
+| --- | --- | --- |
+|Cybereason.Process.ProcessID | string | Cybereason Process ID |
+|Cybereason.Process.URL | string | Attack tree url for a given Process |
+
+#### Command example
+
+```!cybereason-process-attack-tree processGuid=<process-guid>```
+
+#### Context Example
+
+```json
+{
+    "Process": [
+        {
+        "ProcessID": "<process-id>",
+        "URL": "<url>"
+        },
+        {
+        "ProcessID": "<process-id>",
+        "URL": "<url>"
+        } 
+    ]
+}
+```
+
diff --git a/Packs/Cybereason/Integrations/Cybereason/test_data/query_malop_management_raw_response.json b/Packs/Cybereason/Integrations/Cybereason/test_data/query_malop_management_raw_response.json
@@ -0,0 +1,76 @@
+{
+    "data": {
+        "pageSize": 100,
+        "pages": 0,
+        "offset": 0,
+        "totalHits": 1,
+        "token": "",
+        "data": [
+            {
+                "guid": "AAAA0w7GERjl3oae",
+                "displayName": "aasiapp.pdf.exe",
+                "creationTime": 1686720403740,
+                "lastUpdateTime": 1686720403743,
+                "metadataUpdateTime": 1686720403743,
+                "decisionStatuses": [],
+                "detectionEngines": [
+                    "EDR"
+                ],
+                "mitreTactics": [],
+                "mitreTechniques": [],
+                "mitreSubTechniques": [],
+                "rootCauseElementHashes": [
+                    "a541fb35b0b750501717df708f1ccade7c176e1d"
+                ],
+                "iocs": [
+                    "File"
+                ],
+                "detectionTypes": [
+                    "Malicious by Obscured Extension"
+                ],
+                "labels": [
+                    {
+                        "id": 108,
+                        "labelText": "IT-Closed",
+                        "count": 47,
+                        "empty": false
+                    }
+                ],
+                "investigationStatus": "Pending",
+                "closerName": "<email>",
+                "priority": "MEDIUM",
+                "status": "Active",
+                "severity": "High",
+                "detectionType": "EXTENSION_MANIPULATION",
+                "escalated": false,
+                "iconBase64": "",
+                "isEdr": true,
+                "groups": [
+                    "<group-ids>"
+                ],
+                "rootCauseElementType": "File",
+                "machines": [
+                    {
+                        "guid": "<machine-guid>",
+                        "displayName": "<machine-display-name>",
+                        "connected": false,
+                        "isolated": false,
+                        "osType": "WINDOWS",
+                        "lastConnected": 1698818040437,
+                        "pylumId": "<pylum-id>"
+                    }
+                ],
+                "users": [
+                    {
+                        "guid": "<user-guid>",
+                        "displayName": "<user-display-name>",
+                        "admin": true,
+                        "domainUser": false,
+                        "localSystem": false
+                    }
+                ]
+            }
+        ]
+    },
+    "status": "SUCCESS"
+}
diff --git a/Packs/Cybereason/ReleaseNotes/2_1_17.md b/Packs/Cybereason/ReleaseNotes/2_1_17.md
@@ -0,0 +1,13 @@
+
+#### Integrations
+
+##### Cybereason
+- Updated the Docker image to: *demisto/python3:3.10.13.89009*.
+
+- Added a new command ***cybereason-process-attack-tree*** to return Attack tree url for a given Process.
+- Added a new command ***cybereason-query-malop-management*** to fetch details of a single management Malop.
+
+#### Scripts
+
+##### CybereasonPreProcessingExample
+
diff --git a/Packs/Cybereason/Scripts/CybereasonPreProcessingExample/CybereasonPreProcessingExample.py b/Packs/Cybereason/Scripts/CybereasonPreProcessingExample/CybereasonPreProcessingExample.py
@@ -1,8 +1,9 @@
 import demistomock as demisto  # noqa: F401
 from CommonServerPython import *  # noqa: F401
+from typing import Dict
 
 
-def get_guid_from_system_incident(incident: dict[str, Any]) -> str:
+def get_guid_from_system_incident(incident: Dict[str, Any]) -> str:
     malop_guid = ''
     for label in incident['labels']:
         if label['type'] == 'guidString':

diff --git a/Packs/Cybereason/Scripts/CybereasonPreProcessingExample/CybereasonPreProcessingExample.yml b/Packs/Cybereason/Scripts/CybereasonPreProcessingExample/CybereasonPreProcessingExample.yml
@@ -19,4 +19,4 @@ runas: DBotWeakRole
 tests:
     - Cybereason Pre Processing Test
 fromversion: 5.0.0
-dockerimage: demisto/python3:3.10.13.81631
+dockerimage: demisto/python3:3.10.13.89009