From f96448e7676b89d1189d8357379421f076a8028a Mon Sep 17 00:00:00 2001 From: xsoar-bot <67315154+xsoar-bot@users.noreply.github.com> Date: Thu, 21 Mar 2024 11:45:30 +0200 Subject: [PATCH 1/3] [Marketplace Contribution] Abnormal Security - Content Pack Update (#32959) * "contribution update to pack "Abnormal Security"" * Update Packs/AbnormalSecurity/ReleaseNotes/2_3_0.md * Rename 2_3_0.md to 2_2_7.md --------- Co-authored-by: JudithB <132264628+jbabazadeh@users.noreply.github.com> --- .../AbnormalSecurity/AbnormalSecurity.py | 39 +- .../AbnormalSecurity/AbnormalSecurity.yml | 1402 +++++++++-------- .../AbnormalSecurity_description.md | 4 +- Packs/AbnormalSecurity/ReleaseNotes/2_2_7.md | 6 + Packs/AbnormalSecurity/pack_metadata.json | 2 +- 5 files changed, 768 insertions(+), 685 deletions(-) create mode 100644 Packs/AbnormalSecurity/ReleaseNotes/2_2_7.md
diff --git a/Packs/AbnormalSecurity/Integrations/AbnormalSecurity/AbnormalSecurity.py b/Packs/AbnormalSecurity/Integrations/AbnormalSecurity/AbnormalSecurity.py
index 013307fb217f..461900e07933 100644
--- a/Packs/AbnormalSecurity/Integrations/AbnormalSecurity/AbnormalSecurity.py
+++ b/Packs/AbnormalSecurity/Integrations/AbnormalSecurity/AbnormalSecurity.py
@@ -1,4 +1,7 @@
-from CommonServerPython import *
+import demistomock as demisto # noqa: F401
+from CommonServerPython import * # noqa: F401
+
+
 from typing import Dict, Any
 import logging
 from datetime import datetime
@@ -69,8 +72,9 @@ def get_a_list_of_abnormal_cases_identified_by_abnormal_security_request(self, f return response def get_a_list_of_campaigns_submitted_to_abuse_mailbox_request(self, filter_='', page_size=None, page_number=None, - subtenant=None): - params = assign_params(filter=filter_, pageSize=page_size, pageNumber=page_number, subtenant=subtenant) + subtenant=None, subject=None, sender=None, recipient=None, reporter=None, attackType=None, threatType=None): + params = assign_params(filter=filter_, pageSize=page_size, pageNumber=page_number, subtenant=subtenant, subject=subject, + sender=sender, recipient=recipient, reporter=reporter, attackType=attackType, threatType=threatType) headers = self._headers @@ -78,8 +82,9 @@ def get_a_list_of_campaigns_submitted_to_abuse_mailbox_request(self, filter_='', return response - def get_a_list_of_threats_request(self, filter_='', page_size=None, page_number=None, source=None, subtenant=None): - params = assign_params(filter=filter_, pageSize=page_size, pageNumber=page_number, source=source, subtenant=subtenant) + def get_a_list_of_threats_request(self, filter_='', page_size=None, page_number=None, source=None, subtenant=None, subject=None, sender=None, recipient=None, topic=None, attackType=None, attackVector=None): + params = assign_params(filter=filter_, pageSize=page_size, pageNumber=page_number, source=source, subtenant=subtenant, + subject=subject, sender=sender, recipient=recipient, topic=topic, attackType=attackType, attackVector=attackVector) headers = self._headers 
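Review bot: The six parameters appended to `get_a_list_of_campaigns_submitted_to_abuse_mailbox_request`, and the six appended to `get_a_list_of_threats_request` in the next hunk, mix camelCase (`attackType`, `threatType`, `attackVector`) into signatures whose existing parameters are snake_case (`page_size`, `page_number`); keeping the Python side snake_case and doing the mapping to the API's camelCase inside `assign_params`, e.g. `attackType=attack_type, threatType=threat_type`, keeps the client consistent with the rest of the file. The rewritten `get_a_list_of_threats_request` signature is also placed on one very long line, whereas the campaigns signature directly above it wraps its continuation parameters; the same wrapping would keep the two methods uniform. Both methods are new keyword-defaulted positionals, so their order now forms part of the call contract for the command functions that pass them positionally. Both method bodies continue past the end of the hunk.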
@@ -335,8 +340,15 @@ def get_a_list_of_campaigns_submitted_to_abuse_mailbox_command(client, args): page_size = args.get('page_size', None) page_number = args.get('page_number', None) subtenant = args.get('subtenant', None) - - response = client.get_a_list_of_campaigns_submitted_to_abuse_mailbox_request(filter_, page_size, page_number, subtenant) + subject = args.get('subject', None) + sender = args.get('sender', None) + recipient = args.get('recipient', None) + reporter = args.get('reporter', None) + attackType = args.get('attackType', None) + threatType = args.get('threatType', None) + + response = client.get_a_list_of_campaigns_submitted_to_abuse_mailbox_request( + filter_, page_size, page_number, subtenant, subject, sender, recipient, reporter, attackType, threatType) markdown = tableToMarkdown('Campaign IDs', response.get('campaigns', []), headers=['campaignId'], removeNull=True) command_results = CommandResults( @@ -356,8 +368,15 @@ def get_a_list_of_threats_command(client, args): page_number = args.get('page_number', None) source = str(args.get('source', '')) subtenant = args.get('subtenant', None) - - response = client.get_a_list_of_threats_request(filter_, page_size, page_number, source, subtenant) + subject = args.get('subject', None) + sender = args.get('sender', None) + recipient = args.get('recipient', None) + topic = args.get('topic', None) + attackType = args.get('attackType', None) + attackVector = args.get('attackVector', None) + + response = client.get_a_list_of_threats_request( + filter_, page_size, page_number, source, subtenant, subject, sender, recipient, topic, attackType, attackVector) markdown = tableToMarkdown('Threat IDs', response.get('threats'), headers=['threatId'], removeNull=True) command_results = CommandResults( readable_output=markdown, 
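Review bot: Both command functions now hand ten or eleven same-typed optional strings to the client positionally (`client.get_a_list_of_campaigns_submitted_to_abuse_mailbox_request(filter_, page_size, page_number, subtenant, subject, sender, recipient, reporter, attackType, threatType)` here, and the threats call in the second hunk of this block), so a single reorder in either request signature would silently send e.g. the `reporter` value as `recipient` without any error; passing the new filters by keyword, `subject=subject, sender=sender, recipient=recipient, …`, removes that fragility. The explicit `None` in `args.get('subject', None)` and the other new lookups is redundant, since `dict.get` already defaults to `None`, and the local names `attackType`, `threatType` and `attackVector` break the snake_case used by `page_size` and `page_number` a few lines above. Neither command function carries a docstring; a one-liner such as `"""Return the campaign IDs matching the filters supplied in ``args``."""` (and the equivalent for threats) would help, as both functions start above the hunk.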
@@ -455,7 +474,7 @@ def get_details_of_an_abuse_mailbox_campaign_command(client, args): response = client.get_details_of_an_abuse_mailbox_campaign_request(campaign_id, subtenant) command_results = CommandResults( - outputs_prefix='AbnormalSecurity.AbuseCampaign.campaigns', + outputs_prefix='AbnormalSecurity.AbuseCampaign', outputs_key_field='campaignId', outputs=response, raw_response=response diff --git a/Packs/AbnormalSecurity/Integrations/AbnormalSecurity/AbnormalSecurity.yml b/Packs/AbnormalSecurity/Integrations/AbnormalSecurity/AbnormalSecurity.yml index 60f51f315d23..64ce473836cb 100644 --- a/Packs/AbnormalSecurity/Integrations/AbnormalSecurity/AbnormalSecurity.yml +++ b/Packs/AbnormalSecurity/Integrations/AbnormalSecurity/AbnormalSecurity.yml 
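Review bot: Changing `outputs_prefix` to `AbnormalSecurity.AbuseCampaign` moves every field returned by this command to a new context path, so any playbook or script that reads `AbnormalSecurity.AbuseCampaign.campaigns.<field>` stops matching; the new prefix does agree with the `AbnormalSecurity.AbuseCampaign.campaignId` outputs the YAML declares for `abnormal-security-get-abuse-mailbox-campaign`, but the release note for this version (not visible here) should call the change out as a breaking context-path change. Worth confirming separately: the list command documents its outputs under `AbnormalSecurity.AbuseCampaign.campaigns.campaignId`, and if it writes with the same prefix as this command now does with `outputs_key_field='campaignId'`, both results land on one context object keyed by a field the list payload has no top-level value for, which can merge unexpectedly. `get_details_of_an_abuse_mailbox_campaign_command` starts above the hunk.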
@@ -3,699 +3,755 @@ commonfields: id: Abnormal Security version: -1 configuration: - - defaultvalue: https://api.abnormalplatform.com/v1 - display: Server URL (e.g. https://api.abnormalplatform.com/v1) - name: url - required: true - type: 0 - - defaultvalue: "" - display: API Key - name: api_key - required: true - type: 4 - - display: Trust any certificate (not secure) - name: insecure - type: 8 - required: false - - display: Use system proxy settings - name: proxy - type: 8 - required: false - - display: Fetch incidents - name: isFetch - required: false - type: 8 - - additionalinfo: Maximum number of incidents per fetch. The default value is 200. - defaultvalue: 200 - display: Maximum incidents to fetch. - name: max_fetch - type: 0 - required: false - - display: Fetch Threats - name: fetch_threats - type: 8 - - display: Fetch Abuse Campaigns - name: fetch_abuse_campaigns - type: 8 - - display: Fetch Account Takeover Cases - name: fetch_account_takeover_cases - type: 8 - - defaultvalue: 3 days - display: First fetch time - additionalinfo: First alert created date to fetch. e.g., "1 min ago","2 weeks ago","3 months ago" - name: first_fetch - type: 0 - required: false - - display: Incident type - name: incidentType - type: 13 - required: false +- defaultvalue: https://api.abnormalplatform.com/v1 + display: Server URL (e.g. https://api.abnormalplatform.com/v1) + name: url + required: true + type: 0 +- display: API Key + name: api_key + required: true + type: 4 +- display: Trust any certificate (not secure) + name: insecure + type: 8 + required: false +- display: Use system proxy settings + name: proxy + type: 8 + required: false +- display: Fetch incidents + name: isFetch + required: false + type: 8 +- additionalinfo: Maximum number of incidents per fetch. The default value is 200. + defaultvalue: '200' + display: Maximum incidents to fetch. 
+ name: max_fetch + type: 0 + required: false +- display: Fetch Threats + name: fetch_threats + type: 8 + required: false +- display: Fetch Abuse Campaigns + name: fetch_abuse_campaigns + type: 8 + required: false +- display: Fetch Account Takeover Cases + name: fetch_account_takeover_cases + type: 8 + required: false +- defaultvalue: 3 days + display: First fetch time + additionalinfo: First alert created date to fetch. e.g., "1 min ago","2 weeks ago","3 months ago" + name: first_fetch + type: 0 + required: false +- display: Incident type + name: incidentType + type: 13 + required: false +- defaultvalue: '1' + display: Incidents Fetch Interval + name: incidentFetchInterval + required: false + type: 19 description: Abnormal Security detects the whole spectrum of email attacks, from vendor email compromise and spear-phishing to unwanted email spam and graymail. To stop these advanced attacks, Abnormal leverages the industry’s most advanced behavioral data science to baseline known good behavior and detects anomalies. display: Abnormal Security name: Abnormal Security script: commands: - - arguments: - - description: Value must be of the format `filter={FILTER KEY} gte YYYY-MM-DDTHH:MM:SSZ lte YYYY-MM-DDTHH:MM:SSZ`. A `{FILTER KEY}` must be specified, and currently the only keys that are supported for `/threats` are `receivedTime` and `lastModifiedTime`. At least 1 of `gte`/`lte` must be specified, with a datetime string following the `YYYY-MM-DDTHH:MM:SSZ format`. - name: filter - - description: Number of threats that on in each page. Each page of data will have at most page_size threats. Has no effect if filter is not specified. - name: page_size - - description: 1-indexed page number to get a particular page of threats. Has no effect if filter is not specified. - name: page_number - - description: Returns test data if set to `True`. - name: mock-data - - description: Filters threats based on the source of detection. 
- name: source - - description: Subtenant of the user (if applicable). - name: subtenant - description: Get a list of threats. - name: abnormal-security-list-threats - outputs: - - contextPath: AbnormalSecurity.inline_response_200.threats.threatId - description: An id which maps to a threat campaign. A threat campaign might be received by multiple users. - type: String - - contextPath: AbnormalSecurity.inline_response_200.pageNumber - description: The current page number. Will not be be in the response if no filter query meter is passed in via the request. - type: Number - - contextPath: AbnormalSecurity.inline_response_200.nextpageNumber - description: The next page number. Will not be included in the response if there are no more pages of data or if no filter query meter is passed in via the request. - type: Number + - arguments: + - description: Value must be of the format `filter={FILTER KEY} gte YYYY-MM-DDTHH:MM:SSZ lte YYYY-MM-DDTHH:MM:SSZ`. A `{FILTER KEY}` must be specified, and currently the only keys that are supported for `/threats` are `receivedTime` and `lastModifiedTime`. At least 1 of `gte`/`lte` must be specified, with a datetime string following the `YYYY-MM-DDTHH:MM:SSZ format`. 
+ name: filter + - description: Filters threats based on the email subject + name: subject + - description: Filters threats based on the name or email address of the sender + name: sender + - description: Filters threats based on the name or email address of the recipient + name: recipient + - description: 'Filters threats based on the topic of email contents Available values : Billing Account Update, Covid-19 Related Attack, Cryptocurrency, Invoice, Invoice Inquiry' + name: topic + auto: PREDEFINED + predefined: + - Billing Account Update + - description: 'Filters threats based on the type of attack Available values : Internal-to-Internal Attacks (Email Account Takeover), Spam, Reconnaissance, Scam, Social Engineering (BEC), Phishing: Credential, Invoice/Payment Fraud (BEC), Malware, Extortion, Phishing: Sensitive Data, Other' + name: attackType + auto: PREDEFINED + predefined: + - Internal-to-Internal Attacks (Email Account Takeover) + - auto: PREDEFINED + description: 'Filters threats based on the attack vector Available values : Link, Attachment, Text, Others, Attachment with Zipped File' + name: attackVector + predefined: + - Link + - Attachment + - Text + - Others + - Attachment with Zipped File + - description: Number of threats that on in each page. Each page of data will have at most page_size threats. Has no effect if filter is not specified. + name: page_size + - description: 1-indexed page number to get a particular page of threats. Has no effect if filter is not specified. + name: page_number + - description: Returns test data if set to `True`. + name: mock-data + - description: Filters threats based on the source of detection. + name: source + - description: Subtenant of the user (if applicable). + name: subtenant + description: Get a list of threats. + name: abnormal-security-list-threats + outputs: + - contextPath: AbnormalSecurity.inline_response_200.threats.threatId + description: An id which maps to a threat campaign. 
A threat campaign might be received by multiple users. + type: String + - contextPath: AbnormalSecurity.inline_response_200.pageNumber + description: The current page number. Will not be be in the response if no filter query meter is passed in via the request. + type: Number + - contextPath: AbnormalSecurity.inline_response_200.nextpageNumber + description: The next page number. Will not be included in the response if there are no more pages of data or if no filter query meter is passed in via the request. + type: Number - - arguments: - - description: A UUID representing a threat campaign. Full list of threat IDs can be obtained by first running the command to list a threat. - name: threat_id - required: true - - description: Returns test data if set to `True`. - name: mock-data - - description: Subtenant of the user (if applicable). - name: subtenant - description: Get details of a threat. - name: abnormal-security-get-threat - outputs: - - contextPath: AbnormalSecurity.ThreatDetails.threatId - description: An id which maps to a threat campaign. A threat campaign might be received by multiple users. - type: String - - contextPath: AbnormalSecurity.ThreatDetails.messages.threatId - description: An id which maps to a threat campaign. A threat campaign might be received by multiple users. - type: String - - contextPath: AbnormalSecurity.ThreatDetails.messages.abxMessageId - description: A unique identifier for an individual message within a threat (i.e email campaign). - type: Number - - contextPath: AbnormalSecurity.ThreatDetails.messages.abxPortalUrl - description: The URL at which the specific message details are viewable in Abnormal Security's Portal web interface. - type: String - - contextPath: AbnormalSecurity.ThreatDetails.messages.subject - description: The email subject. - type: String - - contextPath: AbnormalSecurity.ThreatDetails.messages.fromAddress - description: The email address of the sender. 
- type: String - - contextPath: AbnormalSecurity.ThreatDetails.messages.fromName - description: The display name of the sender. - type: String - - contextPath: AbnormalSecurity.ThreatDetails.messages.toAddresses - description: All the email addresses to which the message was sent, comma-se ted & truncated at 255 chars. - type: String - - contextPath: AbnormalSecurity.ThreatDetails.messages.recipientAddress - description: the email address of the user who actually received the message. - type: String - - contextPath: AbnormalSecurity.ThreatDetails.messages.receivedTime - description: The timestamp at which this message arrived. - type: String - - contextPath: AbnormalSecurity.ThreatDetails.messages.sentTime - description: The timestamp at which this message was sent. - type: String - - contextPath: AbnormalSecurity.ThreatDetails.messages.internetMessageId - description: The internet message ID, per RFC 822. - type: String - - contextPath: AbnormalSecurity.ThreatDetails.messages.autoRemediated - description: Abnormal has automatically detected and remediated this message from the user's mailbox. - type: Boolean - - contextPath: AbnormalSecurity.ThreatDetails.messages.postRemediated - description: Email campaigns that were remediated at a later time, after landing in user's mailbox. - type: Boolean - - contextPath: AbnormalSecurity.ThreatDetails.messages.attackType - description: The type of threat the message represents. - type: String - - contextPath: AbnormalSecurity.ThreatDetails.messages.attackStrategy - description: The attack strategy identified to be used by a threat campaign. - type: String - - contextPath: AbnormalSecurity.ThreatDetails.messages.returnPath - description: The potential path where information is returned to the attacker. - type: String - - contextPath: AbnormalSecurity.ThreatDetails.messages.senderIpAddress - description: IP address of sender. 
- type: String - - contextPath: AbnormalSecurity.ThreatDetails.messages.impersonatedParty - description: Impersonated party, if any. - type: String - - contextPath: AbnormalSecurity.ThreatDetails.messages.attackVector - description: The attack medium. - type: String - - contextPath: AbnormalSecurity.ThreatDetails.messages.remediationTimestamp - description: The timestamp at which this message was remediated, or empty if it has not been remediated. - type: String - - contextPath: AbnormalSecurity.ThreatDetails.messages.isRead - description: Whether an email has been read. - type: Boolean - - contextPath: AbnormalSecurity.ThreatDetails.messages.attackedParty - description: The party that was targeted by an attack. - type: String + - arguments: + - description: A UUID representing a threat campaign. Full list of threat IDs can be obtained by first running the command to list a threat. + name: threat_id + required: true + - description: Returns test data if set to `True`. + name: mock-data + - description: Subtenant of the user (if applicable). + name: subtenant + description: Get details of a threat. + name: abnormal-security-get-threat + outputs: + - contextPath: AbnormalSecurity.ThreatDetails.threatId + description: An id which maps to a threat campaign. A threat campaign might be received by multiple users. + type: String + - contextPath: AbnormalSecurity.ThreatDetails.messages.threatId + description: An id which maps to a threat campaign. A threat campaign might be received by multiple users. + type: String + - contextPath: AbnormalSecurity.ThreatDetails.messages.abxMessageId + description: A unique identifier for an individual message within a threat (i.e email campaign). + type: Number + - contextPath: AbnormalSecurity.ThreatDetails.messages.abxPortalUrl + description: The URL at which the specific message details are viewable in Abnormal Security's Portal web interface. 
+ type: String + - contextPath: AbnormalSecurity.ThreatDetails.messages.subject + description: The email subject. + type: String + - contextPath: AbnormalSecurity.ThreatDetails.messages.fromAddress + description: The email address of the sender. + type: String + - contextPath: AbnormalSecurity.ThreatDetails.messages.fromName + description: The display name of the sender. + type: String + - contextPath: AbnormalSecurity.ThreatDetails.messages.toAddresses + description: All the email addresses to which the message was sent, comma-se ted & truncated at 255 chars. + type: String + - contextPath: AbnormalSecurity.ThreatDetails.messages.recipientAddress + description: the email address of the user who actually received the message. + type: String + - contextPath: AbnormalSecurity.ThreatDetails.messages.receivedTime + description: The timestamp at which this message arrived. + type: String + - contextPath: AbnormalSecurity.ThreatDetails.messages.sentTime + description: The timestamp at which this message was sent. + type: String + - contextPath: AbnormalSecurity.ThreatDetails.messages.internetMessageId + description: The internet message ID, per RFC 822. + type: String + - contextPath: AbnormalSecurity.ThreatDetails.messages.autoRemediated + description: Abnormal has automatically detected and remediated this message from the user's mailbox. + type: Boolean + - contextPath: AbnormalSecurity.ThreatDetails.messages.postRemediated + description: Email campaigns that were remediated at a later time, after landing in user's mailbox. + type: Boolean + - contextPath: AbnormalSecurity.ThreatDetails.messages.attackType + description: The type of threat the message represents. + type: String + - contextPath: AbnormalSecurity.ThreatDetails.messages.attackStrategy + description: The attack strategy identified to be used by a threat campaign. 
+ type: String + - contextPath: AbnormalSecurity.ThreatDetails.messages.returnPath + description: The potential path where information is returned to the attacker. + type: String + - contextPath: AbnormalSecurity.ThreatDetails.messages.senderIpAddress + description: IP address of sender. + type: String + - contextPath: AbnormalSecurity.ThreatDetails.messages.impersonatedParty + description: Impersonated party, if any. + type: String + - contextPath: AbnormalSecurity.ThreatDetails.messages.attackVector + description: The attack medium. + type: String + - contextPath: AbnormalSecurity.ThreatDetails.messages.remediationTimestamp + description: The timestamp at which this message was remediated, or empty if it has not been remediated. + type: String + - contextPath: AbnormalSecurity.ThreatDetails.messages.isRead + description: Whether an email has been read. + type: Boolean + - contextPath: AbnormalSecurity.ThreatDetails.messages.attackedParty + description: The party that was targeted by an attack. + type: String - - contextPath: AbnormalSecurity.ThreatDetails.messages.attachmentCount - description: The number of attachments in the message. - type: Number - - contextPath: AbnormalSecurity.ThreatDetails.messages.attachmentNames - description: List of attachment names in the message. - type: Unknown - - contextPath: AbnormalSecurity.ThreatDetails.messages.ccEmails - description: List of CC'd email addresses. - type: Unknown - - contextPath: AbnormalSecurity.ThreatDetails.messages.replyToEmails - description: List of email addresses to reply to. - type: Unknown - - contextPath: AbnormalSecurity.ThreatDetails.messages.senderDomain - description: The domain of the sender's email address. - type: String - - contextPath: AbnormalSecurity.ThreatDetails.messages.summaryInsights - description: Summary insights of the message. - type: Unknown - - contextPath: AbnormalSecurity.ThreatDetails.messages.urlCount - description: Count of URLs in the message. 
- type: Number - - contextPath: AbnormalSecurity.ThreatDetails.messages.urls - description: List of URLs in the message. - type: Unknown - - contextPath: AbnormalSecurity.ThreatDetails.messages.remediationStatus - description: The status of remediation for the message. - type: String + - contextPath: AbnormalSecurity.ThreatDetails.messages.attachmentCount + description: The number of attachments in the message. + type: Number + - contextPath: AbnormalSecurity.ThreatDetails.messages.attachmentNames + description: List of attachment names in the message. + type: Unknown + - contextPath: AbnormalSecurity.ThreatDetails.messages.ccEmails + description: List of CC'd email addresses. + type: Unknown + - contextPath: AbnormalSecurity.ThreatDetails.messages.replyToEmails + description: List of email addresses to reply to. + type: Unknown + - contextPath: AbnormalSecurity.ThreatDetails.messages.senderDomain + description: The domain of the sender's email address. + type: String + - contextPath: AbnormalSecurity.ThreatDetails.messages.summaryInsights + description: Summary insights of the message. + type: Unknown + - contextPath: AbnormalSecurity.ThreatDetails.messages.urlCount + description: Count of URLs in the message. + type: Number + - contextPath: AbnormalSecurity.ThreatDetails.messages.urls + description: List of URLs in the message. + type: Unknown + - contextPath: AbnormalSecurity.ThreatDetails.messages.remediationStatus + description: The status of remediation for the message. + type: String - - arguments: - - description: A UUID representing a threat campaign. Full list of threat IDs can be obtained by first running the command to list a threat. - name: threat_id - required: true - - description: Action to perform on threat. - name: action - required: true - - description: Returns test data if set to `True`. - name: mock-data - description: Manage a Threat identified by Abnormal Security. 
- name: abnormal-security-manage-threat - outputs: - - contextPath: AbnormalSecurity.ThreatManageResults.action_id - description: ID of the action taken. - type: String - - contextPath: AbnormalSecurity.ThreatManageResults.status_url - description: URL of the status of the action. - type: String + - arguments: + - description: A UUID representing a threat campaign. Full list of threat IDs can be obtained by first running the command to list a threat. + name: threat_id + required: true + - description: Action to perform on threat. + name: action + required: true + - description: Returns test data if set to `True`. + name: mock-data + description: Manage a Threat identified by Abnormal Security. + name: abnormal-security-manage-threat + outputs: + - contextPath: AbnormalSecurity.ThreatManageResults.action_id + description: ID of the action taken. + type: String + - contextPath: AbnormalSecurity.ThreatManageResults.status_url + description: URL of the status of the action. + type: String - - arguments: - - description: A UUID representing a threat campaign. Full list of threat IDs can be obtained by first running the command to list a threat. - name: threat_id - required: true - - description: A UUID representing the action id for a threat. Can be obtained from payload after performing an action on the threat. - name: action_id - required: true - - description: Returns test data if set to `True`. - name: mock-data - - description: Subtenant of the user (if applicable). - name: subtenant - description: Check the status of an action requested on a threat. - name: abnormal-security-check-threat-action-status - outputs: - - contextPath: AbnormalSecurity.ActionStatus.status - description: The status of a threat after performing an action on it. - type: String - - contextPath: AbnormalSecurity.ActionStatus.description - description: The description of the status. - type: String - - arguments: - - description: Filter the results based on a filter key. 
Value must be of the format `filter={FILTER KEY} gte YYYY-MM-DDTHH:MM:SSZ lte YYYY-MM-DDTHH:MM:SSZ`. Supported keys - [`receivedTime`]. - name: filter - - description: Returns test data if set to `True`. - name: mock-data - - description: Filters threats based on the source of detection. - name: source - - description: Subtenant of the user (if applicable). - name: subtenant - description: Download data from Threat Log in .csv format. - name: abnormal-security-download-threat-log-csv - - arguments: - - description: Value must be of the format `filter={FILTER KEY} gte YYYY-MM-DDTHH:MM:SSZ lte YYYY-MM-DDTHH:MM:SSZ`. A `{FILTER KEY}` must be specified, and currently the only key that is supported for `/cases` is `lastModifiedTime`. At least 1 of `gte`/`lte` must be specified, with a datetime string following the `YYYY-MM-DDTHH:MM:SSZ` format. - name: filter - - description: Number of cases that are on each page. Each page of data will have at most page_size threats. Has no effect if filter is not specified. - name: page_size - - description: 1-indexed page number to get a particular page of cases. Has no effect if filter is not specified. - name: page_number - - description: Returns test data if set to `True`. - name: mock-data - - description: Subtenant of the user (if applicable). - name: subtenant - description: Get a list of Abnormal cases identified by Abnormal Security. - name: abnormal-security-list-abnormal-cases - outputs: - - contextPath: AbnormalSecurity.inline_response_200_1.cases.caseId - description: A unique identifier for this case. - type: String - - contextPath: AbnormalSecurity.inline_response_200_1.cases.description - description: Description of the severity level for this case. - type: String - - contextPath: AbnormalSecurity.inline_response_200_1.pageNumber - description: The current page number. Will not be be in the response if no filter query meter is passed in via the request. 
- type: Number - - contextPath: AbnormalSecurity.inline_response_200_1.nextpageNumber - description: The next page number. Will not be included in the response if there are no more pages of data or if no filter query meter is passed in via the request. - type: Number + - arguments: + - description: A UUID representing a threat campaign. Full list of threat IDs can be obtained by first running the command to list a threat. + name: threat_id + required: true + - description: A UUID representing the action id for a threat. Can be obtained from payload after performing an action on the threat. + name: action_id + required: true + - description: Returns test data if set to `True`. + name: mock-data + - description: Subtenant of the user (if applicable). + name: subtenant + description: Check the status of an action requested on a threat. + name: abnormal-security-check-threat-action-status + outputs: + - contextPath: AbnormalSecurity.ActionStatus.status + description: The status of a threat after performing an action on it. + type: String + - contextPath: AbnormalSecurity.ActionStatus.description + description: The description of the status. + type: String + - arguments: + - description: Filter the results based on a filter key. Value must be of the format `filter={FILTER KEY} gte YYYY-MM-DDTHH:MM:SSZ lte YYYY-MM-DDTHH:MM:SSZ`. Supported keys - [`receivedTime`]. + name: filter + - description: Returns test data if set to `True`. + name: mock-data + - description: Filters threats based on the source of detection. + name: source + - description: Subtenant of the user (if applicable). + name: subtenant + description: Download data from Threat Log in .csv format. + name: abnormal-security-download-threat-log-csv + - arguments: + - description: Value must be of the format `filter={FILTER KEY} gte YYYY-MM-DDTHH:MM:SSZ lte YYYY-MM-DDTHH:MM:SSZ`. A `{FILTER KEY}` must be specified, and currently the only key that is supported for `/cases` is `lastModifiedTime`. 
At least 1 of `gte`/`lte` must be specified, with a datetime string following the `YYYY-MM-DDTHH:MM:SSZ` format. + name: filter + - description: Number of cases that are on each page. Each page of data will have at most page_size threats. Has no effect if filter is not specified. + name: page_size + - description: 1-indexed page number to get a particular page of cases. Has no effect if filter is not specified. + name: page_number + - description: Returns test data if set to `True`. + name: mock-data + - description: Subtenant of the user (if applicable). + name: subtenant + description: Get a list of Abnormal cases identified by Abnormal Security. + name: abnormal-security-list-abnormal-cases + outputs: + - contextPath: AbnormalSecurity.inline_response_200_1.cases.caseId + description: A unique identifier for this case. + type: String + - contextPath: AbnormalSecurity.inline_response_200_1.cases.description + description: Description of the severity level for this case. + type: String + - contextPath: AbnormalSecurity.inline_response_200_1.pageNumber + description: The current page number. Will not be be in the response if no filter query meter is passed in via the request. + type: Number + - contextPath: AbnormalSecurity.inline_response_200_1.nextpageNumber + description: The next page number. Will not be included in the response if there are no more pages of data or if no filter query meter is passed in via the request. + type: Number - - arguments: - - description: A string representing the email case. Can be retrieved by first running command to list cases. - name: case_id - required: true - - description: Returns test data if set to `True`. - name: mock-data - - description: Subtenant of the user (if applicable). - name: subtenant - description: Get details of an Abnormal case. - name: abnormal-security-get-abnormal-case - outputs: - - contextPath: AbnormalSecurity.AbnormalCaseDetails.caseId - description: A unique identifier for this case. 
- type: String - - contextPath: AbnormalSecurity.AbnormalCaseDetails.severity - description: Description of the severity level for this case. - type: String - - contextPath: AbnormalSecurity.AbnormalCaseDetails.affectedEmployee - description: Which employee this case pertains to. - type: String - - contextPath: AbnormalSecurity.AbnormalCaseDetails.firstObserved - description: First time suspicious behavior was observed. - type: String - - arguments: - - description: A string representing the email case. Can be retrieved by first running command to list cases. - name: case_id - required: true - - description: Action to perform on case. - name: action - required: true - - description: Returns test data if set to `True`. - name: mock-data - description: Manage an Abnormal Case. - name: abnormal-security-manage-abnormal-case - outputs: - - contextPath: AbnormalSecurity.CaseManageResults.action_id - description: ID of the action taken. - type: String - - contextPath: AbnormalSecurity.CaseManageResults.status_url - description: URL of the status of the action. - type: String - - arguments: - - description: A string representing the email case. Can be retrieved by first running command to list cases. - name: case_id - required: true - - description: A string representing the email case. Can be retrieved from payload after performing an action on a case. - name: action_id - required: true - - description: Returns test data if set to `True`. - name: mock-data - - description: Subtenant of the user (if applicable). - name: subtenant - description: Check the status of an action requested on a case. - name: abnormal-security-check-case-action-status - outputs: - - contextPath: AbnormalSecurity.ActionStatus.status - description: Status of the case after an action is performed. - type: String - - contextPath: AbnormalSecurity.ActionStatus.description - description: Detailed description of the status. 
- type: String - - arguments: - - description: A string representing the email case. Can be retrieved by first running command to list cases. - name: case_id - required: true - - description: Returns test data if set to `True`. - name: mock-data - - description: Subtenant of the user (if applicable). - name: subtenant - description: Provides the analysis and timeline details of a case. - name: abnormal-security-get-case-analysis-and-timeline - outputs: - - contextPath: AbnormalSecurity.CaseAnalysis.insights.signal - description: Insight signal or highlight of a case. - type: String - - contextPath: AbnormalSecurity.CaseAnalysis.insights.description - description: Description of insight signal or highlight. - type: String - - contextPath: AbnormalSecurity.CaseAnalysis.eventTimeline.event_timestamp - description: Time when event occurred. - type: String - - contextPath: AbnormalSecurity.CaseAnalysis.eventTimeline.category - description: Type of event. - type: String - - contextPath: AbnormalSecurity.CaseAnalysis.eventTimeline.title - description: Title of the event. - type: String - - contextPath: AbnormalSecurity.CaseAnalysis.eventTimeline.ip_address - description: IP Address where user accessed mail from. - type: String - - contextPath: AbnormalSecurity.CaseAnalysis.eventTimeline.field_labels - description: Analysis labels associated with the fields in the timeline event. - type: Unknown - - arguments: - - description: Value must be of the format `filter={FILTER KEY} gte YYYY-MM-DDTHH:MM:SSZ lte YYYY-MM-DDTHH:MM:SSZ`. A `{FILTER KEY}` must be specified, and currently only the key `lastReportedTime` is supported for `/abusecampaigns`. At least one of `gte`/`lte` must be specified, with a datetime string following the `YYYY-MM-DDTHH:MM:SSZ` format. Do note that provided filter time is in UTC. - name: filter - - description: Number of abuse campaigns shown on each page. Each page of data will have at most page_size abuse campaign IDs. 
- name: page_size - - description: 1-indexed page number to get a particular page of threats. Has no effect if filter is not specified. - name: page_number - - description: Returns test data if set to `True`. - name: mock-data - - description: Subtenant of the user (if applicable). - name: subtenant - description: Get a list of campaigns submitted to Abuse Mailbox. - name: abnormal-security-list-abuse-mailbox-campaigns - outputs: - - contextPath: AbnormalSecurity.AbuseCampaign.campaigns.campaignId - description: An id which maps to an abuse campaign. - type: String - - contextPath: AbnormalSecurity.AbuseCampaign.pageNumber - description: The current page number. - type: Number - - contextPath: AbnormalSecurity.AbuseCampaign.nextPageNumber - description: The next page number. - type: Number - - arguments: - - description: A UUID representing the abuse campaign id. Can be Can be retrieved by first running command to list abuse mailbox campaigns. - name: campaign_id - required: true - - description: Returns test data if set to `True`. - name: mock-data - - description: Subtenant of the user (if applicable). - name: subtenant - description: Get details of an Abuse Mailbox campaign. - name: abnormal-security-get-abuse-mailbox-campaign - outputs: - - contextPath: AbnormalSecurity.AbuseCampaign.campaignId - description: An id which maps to an abuse campaign. - type: String - - contextPath: AbnormalSecurity.AbuseCampaign.firstReported - description: Date abuse campaign was first reported. - type: String - - contextPath: AbnormalSecurity.AbuseCampaign.lastReported - description: Date abuse campaign was last reported. - type: String - - contextPath: AbnormalSecurity.AbuseCampaign.messageId - description: A unique identifier for the first message in the abuse campaign. - type: String - - contextPath: AbnormalSecurity.AbuseCampaign.subject - description: Subject of the first email in the abuse campaign. 
- type: String - - contextPath: AbnormalSecurity.AbuseCampaign.fromName - description: The display name of the sender. - type: String - - contextPath: AbnormalSecurity.AbuseCampaign.fromAddress - description: The email address of the sender. - type: String - - contextPath: AbnormalSecurity.AbuseCampaign.recipientName - description: The email address of the recipient. - type: String - - contextPath: AbnormalSecurity.AbuseCampaign.recipientAddress - description: The email address of the recipient. - type: String - - contextPath: AbnormalSecurity.AbuseCampaign.judgementStatus - description: Judgement status of message. - type: String - - contextPath: AbnormalSecurity.AbuseCampaign.overallStatus - description: Overall status of message. - type: String - - contextPath: AbnormalSecurity.AbuseCampaign.attackType - description: The type of threat the message represents. - type: String + - arguments: + - description: A string representing the email case. Can be retrieved by first running command to list cases. + name: case_id + required: true + - description: Returns test data if set to `True`. + name: mock-data + - description: Subtenant of the user (if applicable). + name: subtenant + description: Get details of an Abnormal case. + name: abnormal-security-get-abnormal-case + outputs: + - contextPath: AbnormalSecurity.AbnormalCaseDetails.caseId + description: A unique identifier for this case. + type: String + - contextPath: AbnormalSecurity.AbnormalCaseDetails.severity + description: Description of the severity level for this case. + type: String + - contextPath: AbnormalSecurity.AbnormalCaseDetails.affectedEmployee + description: Which employee this case pertains to. + type: String + - contextPath: AbnormalSecurity.AbnormalCaseDetails.firstObserved + description: First time suspicious behavior was observed. + type: String + - arguments: + - description: A string representing the email case. Can be retrieved by first running command to list cases. 
+ name: case_id + required: true + - description: Action to perform on case. + name: action + required: true + - description: Returns test data if set to `True`. + name: mock-data + description: Manage an Abnormal Case. + name: abnormal-security-manage-abnormal-case + outputs: + - contextPath: AbnormalSecurity.CaseManageResults.action_id + description: ID of the action taken. + type: String + - contextPath: AbnormalSecurity.CaseManageResults.status_url + description: URL of the status of the action. + type: String + - arguments: + - description: A string representing the email case. Can be retrieved by first running command to list cases. + name: case_id + required: true + - description: A string representing the email case. Can be retrieved from payload after performing an action on a case. + name: action_id + required: true + - description: Returns test data if set to `True`. + name: mock-data + - description: Subtenant of the user (if applicable). + name: subtenant + description: Check the status of an action requested on a case. + name: abnormal-security-check-case-action-status + outputs: + - contextPath: AbnormalSecurity.ActionStatus.status + description: Status of the case after an action is performed. + type: String + - contextPath: AbnormalSecurity.ActionStatus.description + description: Detailed description of the status. + type: String + - arguments: + - description: A string representing the email case. Can be retrieved by first running command to list cases. + name: case_id + required: true + - description: Returns test data if set to `True`. + name: mock-data + - description: Subtenant of the user (if applicable). + name: subtenant + description: Provides the analysis and timeline details of a case. + name: abnormal-security-get-case-analysis-and-timeline + outputs: + - contextPath: AbnormalSecurity.CaseAnalysis.insights.signal + description: Insight signal or highlight of a case. 
+ type: String + - contextPath: AbnormalSecurity.CaseAnalysis.insights.description + description: Description of insight signal or highlight. + type: String + - contextPath: AbnormalSecurity.CaseAnalysis.eventTimeline.event_timestamp + description: Time when event occurred. + type: String + - contextPath: AbnormalSecurity.CaseAnalysis.eventTimeline.category + description: Type of event. + type: String + - contextPath: AbnormalSecurity.CaseAnalysis.eventTimeline.title + description: Title of the event. + type: String + - contextPath: AbnormalSecurity.CaseAnalysis.eventTimeline.ip_address + description: IP Address where user accessed mail from. + type: String + - contextPath: AbnormalSecurity.CaseAnalysis.eventTimeline.field_labels + description: Analysis labels associated with the fields in the timeline event. + type: Unknown + - arguments: + - description: Value must be of the format `filter={FILTER KEY} gte YYYY-MM-DDTHH:MM:SSZ lte YYYY-MM-DDTHH:MM:SSZ`. A `{FILTER KEY}` must be specified, and currently only the key `lastReportedTime` is supported for `/abusecampaigns`. At least one of `gte`/`lte` must be specified, with a datetime string following the `YYYY-MM-DDTHH:MM:SSZ` format. Do note that provided filter time is in UTC. + name: filter + - description: Number of abuse campaigns shown on each page. Each page of data will have at most page_size abuse campaign IDs. + name: page_size + - description: 1-indexed page number to get a particular page of threats. Has no effect if filter is not specified. + name: page_number + - description: Returns test data if set to `True`. + name: mock-data + - description: Subtenant of the user (if applicable). 
+ name: subtenant + - description: Filters threats based on the email subject + name: subject + - description: Filters threats based on the name or email address of the sender + name: sender + - description: Filters threats based on the name or email address of the recipient + name: recipient + - description: Filters threats based on the reporter name or email address + name: reporter + - auto: PREDEFINED + description: Filters threats based on the type of attack + name: attackType + predefined: + - Internal-to-Internal Attacks (Email Account Takeover) + - Spam + - Reconnaissance + - Scam + - Social Engineering (BEC) + - 'Phishing: Credential' + - Invoice/Payment Fraud (BEC) + - Malware + - Extortion + - 'Phishing: Sensitive Data' + - Other + - auto: PREDEFINED + description: Filters threats based on the type of attack + name: threatType + predefined: + - All + - Malicious + - Safe + - Spam + description: Get a list of campaigns submitted to Abuse Mailbox. + name: abnormal-security-list-abuse-mailbox-campaigns + outputs: + - contextPath: AbnormalSecurity.AbuseCampaign.campaigns.campaignId + description: An id which maps to an abuse campaign. + type: String + - contextPath: AbnormalSecurity.AbuseCampaign.pageNumber + description: The current page number. + type: Number + - contextPath: AbnormalSecurity.AbuseCampaign.nextPageNumber + description: The next page number. + type: Number + - arguments: + - description: A UUID representing the abuse campaign id. Can be Can be retrieved by first running command to list abuse mailbox campaigns. + name: campaign_id + required: true + - description: Returns test data if set to `True`. + name: mock-data + - description: Subtenant of the user (if applicable). + name: subtenant + description: Get details of an Abuse Mailbox campaign. + name: abnormal-security-get-abuse-mailbox-campaign + outputs: + - contextPath: AbnormalSecurity.AbuseCampaign.campaignId + description: An id which maps to an abuse campaign. 
+ type: String + - contextPath: AbnormalSecurity.AbuseCampaign.firstReported + description: Date abuse campaign was first reported. + type: String + - contextPath: AbnormalSecurity.AbuseCampaign.lastReported + description: Date abuse campaign was last reported. + type: String + - contextPath: AbnormalSecurity.AbuseCampaign.messageId + description: A unique identifier for the first message in the abuse campaign. + type: String + - contextPath: AbnormalSecurity.AbuseCampaign.subject + description: Subject of the first email in the abuse campaign. + type: String + - contextPath: AbnormalSecurity.AbuseCampaign.fromName + description: The display name of the sender. + type: String + - contextPath: AbnormalSecurity.AbuseCampaign.fromAddress + description: The email address of the sender. + type: String + - contextPath: AbnormalSecurity.AbuseCampaign.recipientName + description: The email address of the recipient. + type: String + - contextPath: AbnormalSecurity.AbuseCampaign.recipientAddress + description: The email address of the recipient. + type: String + - contextPath: AbnormalSecurity.AbuseCampaign.judgementStatus + description: Judgement status of message. + type: String + - contextPath: AbnormalSecurity.AbuseCampaign.overallStatus + description: Overall status of message. + type: String + - contextPath: AbnormalSecurity.AbuseCampaign.attackType + description: The type of threat the message represents. + type: String # Employee commands - - arguments: - - description: Email address of the employee you want to retrieve data for. - name: email_address - required: true - - description: Returns test data if set to `True`. - name: mock-data - description: Get employee identity analysis (Genome) data. - name: abnormal-security-get-employee-identity-analysis - outputs: - - contextPath: AbnormalSecurity.Employee.email - description: Employee email. - type: String - - contextPath: AbnormalSecurity.Employee.histograms.key - description: Genome key name. 
- type: String - - contextPath: AbnormalSecurity.Employee.histograms.name - description: Genome title. - type: String - - contextPath: AbnormalSecurity.Employee.histograms.description - description: Description of genome object. - type: String - - contextPath: AbnormalSecurity.Employee.histograms.values.value - description: Category value. - type: String - - contextPath: AbnormalSecurity.Employee.histograms.values.percentage - description: Ratio of this category relative to others. - type: Number - - contextPath: AbnormalSecurity.Employee.histograms.values.total_count - description: Number of occurences for this category. - type: Number + - arguments: + - description: Email address of the employee you want to retrieve data for. + name: email_address + required: true + - description: Returns test data if set to `True`. + name: mock-data + description: Get employee identity analysis (Genome) data. + name: abnormal-security-get-employee-identity-analysis + outputs: + - contextPath: AbnormalSecurity.Employee.email + description: Employee email. + type: String + - contextPath: AbnormalSecurity.Employee.histograms.key + description: Genome key name. + type: String + - contextPath: AbnormalSecurity.Employee.histograms.name + description: Genome title. + type: String + - contextPath: AbnormalSecurity.Employee.histograms.description + description: Description of genome object. + type: String + - contextPath: AbnormalSecurity.Employee.histograms.values.value + description: Category value. + type: String + - contextPath: AbnormalSecurity.Employee.histograms.values.percentage + description: Ratio of this category relative to others. + type: Number + - contextPath: AbnormalSecurity.Employee.histograms.values.total_count + description: Number of occurences for this category. + type: Number - - arguments: - - description: Email address of the employee you want to retrieve data for. - name: email_address - required: true - - description: Returns test data if set to `True`. 
- name: mock-data - description: Get employee information. - name: abnormal-security-get-employee-information - outputs: - - contextPath: AbnormalSecurity.Employee.name - description: Name of the employee. - type: String - - contextPath: AbnormalSecurity.Employee.email - description: Email of the employee. - type: String - - contextPath: AbnormalSecurity.Employee.title - description: Job title of the employee. - type: String - - contextPath: AbnormalSecurity.Employee.manager - description: Email address of the employee's manager. - type: String + - arguments: + - description: Email address of the employee you want to retrieve data for. + name: email_address + required: true + - description: Returns test data if set to `True`. + name: mock-data + description: Get employee information. + name: abnormal-security-get-employee-information + outputs: + - contextPath: AbnormalSecurity.Employee.name + description: Name of the employee. + type: String + - contextPath: AbnormalSecurity.Employee.email + description: Email of the employee. + type: String + - contextPath: AbnormalSecurity.Employee.title + description: Job title of the employee. + type: String + - contextPath: AbnormalSecurity.Employee.manager + description: Email address of the employee's manager. + type: String - - arguments: - - description: Email address of the employee you want to retrieve data for. - name: email_address - required: true - - description: Returns test data if set to `True`. - name: mock-data - description: Get employee login information for last 30 days in csv format. - name: abnormal-security-get-employee-last-30-days-login-csv - - arguments: - - description: Returns test data if set to `True`. - name: mock-data - - description: Email of the reporter. - name: reporter - required: true - - description: Type of misjudgement reported. - name: report_type - required: true - description: Submit an Inquiry to request a report on misjudgement by Abnormal Security. 
- name: abnormal-security-submit-inquiry-to-request-a-report-on-misjudgement - outputs: - - contextPath: AbnormalSecurity.SubmitInquiry.detail - description: Confirmation of inquiry sent. - type: String + - arguments: + - description: Email address of the employee you want to retrieve data for. + name: email_address + required: true + - description: Returns test data if set to `True`. + name: mock-data + description: Get employee login information for last 30 days in csv format. + name: abnormal-security-get-employee-last-30-days-login-csv + - arguments: + - description: Returns test data if set to `True`. + name: mock-data + - description: Email of the reporter. + name: reporter + required: true + - description: Type of misjudgement reported. + name: report_type + required: true + description: Submit an Inquiry to request a report on misjudgement by Abnormal Security. + name: abnormal-security-submit-inquiry-to-request-a-report-on-misjudgement + outputs: + - contextPath: AbnormalSecurity.SubmitInquiry.detail + description: Confirmation of inquiry sent. + type: String - - arguments: - - description: Email address of the sender. - name: sender_email - required: true - - description: Email address of the recipient. - name: recipient_email - required: true - - description: Subject of email. - name: subject - required: true - description: Submit a False Negative Report. - name: abnormal-security-submit-false-negative-report + - arguments: + - description: Email address of the sender. + name: sender_email + required: true + - description: Email address of the recipient. + name: recipient_email + required: true + - description: Subject of email. + name: subject + required: true + description: Submit a False Negative Report. + name: abnormal-security-submit-false-negative-report - - arguments: - - description: URL link of threat log in abnormal security portal. - name: portal_link - required: true - description: Submit a False Positive Report. 
- name: abnormal-security-submit-false-positive-report + - arguments: + - description: URL link of threat log in abnormal security portal. + name: portal_link + required: true + description: Submit a False Positive Report. + name: abnormal-security-submit-false-positive-report - - arguments: - - description: Number of vendors that should appear on each page. Each page of data will have at most this many vendors. - name: page_size - required: false - - description: 1-indexed page number to get a particular page of vendors. - name: page_number - required: false - description: Get a list of vendors. - name: abnormal-security-list-vendors - outputs: - - contextPath: AbnormalSecurity.VendorsList - description: List of vendors. - type: Unknown - - contextPath: AbnormalSecurity.VendorsList.vendorDomain - description: The domain of the vendor. - type: String + - arguments: + - description: Number of vendors that should appear on each page. Each page of data will have at most this many vendors. + name: page_size + - description: 1-indexed page number to get a particular page of vendors. + name: page_number + description: Get a list of vendors. + name: abnormal-security-list-vendors + outputs: + - contextPath: AbnormalSecurity.VendorsList + description: List of vendors. + type: Unknown + - contextPath: AbnormalSecurity.VendorsList.vendorDomain + description: The domain of the vendor. + type: String - - arguments: - - description: The domain name of the specific vendor for which you want to get details. - name: vendor_domain - required: true - description: Get the details of a specific vendor. - name: abnormal-security-get-vendor-details - outputs: - - contextPath: AbnormalSecurity.VendorDetails.vendorDomain - description: The domain name of the vendor. - type: String - - contextPath: AbnormalSecurity.VendorDetails.riskLevel - description: The risk level associated with the vendor. 
- type: String - - contextPath: AbnormalSecurity.VendorDetails.vendorContacts - description: List of contacts related to the vendor. - type: Unknown - - contextPath: AbnormalSecurity.VendorDetails.companyContacts - description: List of contacts related to the company. - type: Unknown - - contextPath: AbnormalSecurity.VendorDetails.vendorCountries - description: List of countries associated with the vendor. - type: Unknown - - contextPath: AbnormalSecurity.VendorDetails.analysis - description: List of analyses associated with the vendor. - type: Unknown - - contextPath: AbnormalSecurity.VendorDetails.vendorIpAddresses - description: List of IP addresses associated with the vendor. - type: Unknown + - arguments: + - description: The domain name of the specific vendor for which you want to get details. + name: vendor_domain + required: true + description: Get the details of a specific vendor. + name: abnormal-security-get-vendor-details + outputs: + - contextPath: AbnormalSecurity.VendorDetails.vendorDomain + description: The domain name of the vendor. + type: String + - contextPath: AbnormalSecurity.VendorDetails.riskLevel + description: The risk level associated with the vendor. + type: String + - contextPath: AbnormalSecurity.VendorDetails.vendorContacts + description: List of contacts related to the vendor. + type: Unknown + - contextPath: AbnormalSecurity.VendorDetails.companyContacts + description: List of contacts related to the company. + type: Unknown + - contextPath: AbnormalSecurity.VendorDetails.vendorCountries + description: List of countries associated with the vendor. + type: Unknown + - contextPath: AbnormalSecurity.VendorDetails.analysis + description: List of analyses associated with the vendor. + type: Unknown + - contextPath: AbnormalSecurity.VendorDetails.vendorIpAddresses + description: List of IP addresses associated with the vendor. + type: Unknown - - arguments: - - description: Domain name for the vendor whose activity is to be retrieved. 
- name: vendor_domain - required: true - description: Get the activity for a specific vendor. - name: abnormal-security-get-vendor-activity - outputs: - - contextPath: AbnormalSecurity.VendorActivity.eventTimeline - description: Event timeline for the vendor. - type: Unknown - - contextPath: AbnormalSecurity.VendorActivity.eventTimeline.eventTimestamp - description: Timestamp of the event in the vendor's activity timeline. - type: String - - contextPath: AbnormalSecurity.VendorActivity.eventTimeline.eventType - description: Type of event in the vendor's activity timeline. - type: String - - contextPath: AbnormalSecurity.VendorActivity.eventTimeline.suspiciousDomain - description: Suspicious domain involved in the event. - type: String - - contextPath: AbnormalSecurity.VendorActivity.eventTimeline.domainIp - description: IP address of the suspicious domain. - type: String - - contextPath: AbnormalSecurity.VendorActivity.eventTimeline.ipGeolocation - description: Geolocation of the IP address. - type: String - - contextPath: AbnormalSecurity.VendorActivity.eventTimeline.attackGoal - description: The goal of the attack. - type: String - - contextPath: AbnormalSecurity.VendorActivity.eventTimeline.actionTaken - description: Action taken in response to the event. - type: String - - contextPath: AbnormalSecurity.VendorActivity.eventTimeline.hasEngagement - description: Indicates whether the event involved any form of engagement. - type: Boolean - - contextPath: AbnormalSecurity.VendorActivity.eventTimeline.recipient - description: The recipient targeted by the event, if applicable. - type: String - - contextPath: AbnormalSecurity.VendorActivity.eventTimeline.threatId - description: Unique identifier for the threat. - type: String + - arguments: + - description: Domain name for the vendor whose activity is to be retrieved. + name: vendor_domain + required: true + description: Get the activity for a specific vendor. 
+ name: abnormal-security-get-vendor-activity + outputs: + - contextPath: AbnormalSecurity.VendorActivity.eventTimeline + description: Event timeline for the vendor. + type: Unknown + - contextPath: AbnormalSecurity.VendorActivity.eventTimeline.eventTimestamp + description: Timestamp of the event in the vendor's activity timeline. + type: String + - contextPath: AbnormalSecurity.VendorActivity.eventTimeline.eventType + description: Type of event in the vendor's activity timeline. + type: String + - contextPath: AbnormalSecurity.VendorActivity.eventTimeline.suspiciousDomain + description: Suspicious domain involved in the event. + type: String + - contextPath: AbnormalSecurity.VendorActivity.eventTimeline.domainIp + description: IP address of the suspicious domain. + type: String + - contextPath: AbnormalSecurity.VendorActivity.eventTimeline.ipGeolocation + description: Geolocation of the IP address. + type: String + - contextPath: AbnormalSecurity.VendorActivity.eventTimeline.attackGoal + description: The goal of the attack. + type: String + - contextPath: AbnormalSecurity.VendorActivity.eventTimeline.actionTaken + description: Action taken in response to the event. + type: String + - contextPath: AbnormalSecurity.VendorActivity.eventTimeline.hasEngagement + description: Indicates whether the event involved any form of engagement. + type: Boolean + - contextPath: AbnormalSecurity.VendorActivity.eventTimeline.recipient + description: The recipient targeted by the event, if applicable. + type: String + - contextPath: AbnormalSecurity.VendorActivity.eventTimeline.threatId + description: Unique identifier for the threat. + type: String - - arguments: - - description: Value must be of the format `filter={FILTER KEY} gte YYYY-MM-DDTHH:MM:SSZ lte YYYY-MM-DDTHH:MM:SSZ`. A `{FILTER KEY}` must be specified, and currently only the keys `firstObservedTime` and `lastModifiedTime` are supported for `/vendor-cases`. 
At least one of `gte`/`lte` must be specified, with a datetime string following the `YYYY-MM-DDTHH:MM:SSZ` format. Do note that provided filter time is in UTC. - name: filter - required: false - - description: Number of vendor cases that should appear on each page. Each page of data will have at most this many vendor cases. - name: page_size - required: false - - description: 1-indexed page number to get a particular page of vendor cases. - name: page_number - required: false - description: Get a list of vendor cases. - name: abnormal-security-list-vendor-cases - outputs: - - contextPath: AbnormalSecurity.VendorCases - description: List of vendor cases. - type: Unknown - - contextPath: AbnormalSecurity.VendorCases.vendorCaseId - description: The identifier of the vendor case. - type: Number + - arguments: + - description: Value must be of the format `filter={FILTER KEY} gte YYYY-MM-DDTHH:MM:SSZ lte YYYY-MM-DDTHH:MM:SSZ`. A `{FILTER KEY}` must be specified, and currently only the keys `firstObservedTime` and `lastModifiedTime` are supported for `/vendor-cases`. At least one of `gte`/`lte` must be specified, with a datetime string following the `YYYY-MM-DDTHH:MM:SSZ` format. Do note that provided filter time is in UTC. + name: filter + - description: Number of vendor cases that should appear on each page. Each page of data will have at most this many vendor cases. + name: page_size + - description: 1-indexed page number to get a particular page of vendor cases. + name: page_number + description: Get a list of vendor cases. + name: abnormal-security-list-vendor-cases + outputs: + - contextPath: AbnormalSecurity.VendorCases + description: List of vendor cases. + type: Unknown + - contextPath: AbnormalSecurity.VendorCases.vendorCaseId + description: The identifier of the vendor case. + type: Number - - arguments: - - description: The identifier of the vendor case to retrieve details for. - name: case_id - required: true - description: Get the details of a vendor case. 
- name: abnormal-security-get-vendor-case-details - outputs: - - contextPath: AbnormalSecurity.VendorCaseDetails.vendorCaseId - description: The identifier of the vendor case. - type: String - - contextPath: AbnmoralSecurity.VendorCaseDetails.vendorDomain - description: The vendor domain associated with the case. - type: String - - contextPath: AbnormalSecurity.VendorCaseDetails.firstObservedTime - description: The time the vendor case was first observed. - type: String - - contextPath: AbnormalSecurity.VendorCaseDetails.lastModifiedTime - description: The last time the vendor case was modified. - type: String - - contextPath: AbnormalSecurity.VendorCaseDetails.insights - description: List of insights related to the vendor case. - type: Unknown - - contextPath: AbnormalSecurity.VendorCaseDetails.timeline - description: Timeline of events related to the vendor case. - type: Unknown + - arguments: + - description: The identifier of the vendor case to retrieve details for. + name: case_id + required: true + description: Get the details of a vendor case. + name: abnormal-security-get-vendor-case-details + outputs: + - contextPath: AbnormalSecurity.VendorCaseDetails.vendorCaseId + description: The identifier of the vendor case. + type: String + - contextPath: AbnmoralSecurity.VendorCaseDetails.vendorDomain + description: The vendor domain associated with the case. + type: String + - contextPath: AbnormalSecurity.VendorCaseDetails.firstObservedTime + description: The time the vendor case was first observed. + type: String + - contextPath: AbnormalSecurity.VendorCaseDetails.lastModifiedTime + description: The last time the vendor case was modified. + type: String + - contextPath: AbnormalSecurity.VendorCaseDetails.insights + description: List of insights related to the vendor case. + type: Unknown + - contextPath: AbnormalSecurity.VendorCaseDetails.timeline + description: Timeline of events related to the vendor case. 
+ type: Unknown - - arguments: - - description: The start time for retrieving the list of unanalyzed abuse mailbox campaigns. - name: start - required: false - - description: The end time for retrieving the list of unanalyzed abuse mailbox campaigns. - name: end - required: false - description: Get a list of unanalyzed abuse mailbox campaigns. - name: abnormal-security-list-unanalyzed-abuse-mailbox-campaigns - outputs: - - contextPath: AbnormalSecurity.UnanalyzedAbuseCampaigns.results.abx_message_id - description: An id which maps to an abuse campaign. - type: Number - - contextPath: AbnormalSecurity.UnanalyzedAbuseCampaigns.results.recipient.name - description: The name of the recipient. - type: String - - contextPath: AbnormalSecurity.UnanalyzedAbuseCampaigns.results.recipient.email - description: The email address of the recipient. - type: String - - contextPath: AbnormalSecurity.UnanalyzedAbuseCampaigns.results.reported_datetime - description: The datetime the report was made. - type: String - - contextPath: AbnormalSecurity.UnanalyzedAbuseCampaigns.results.reporter.email - description: The email address of the reporter. - type: String - - contextPath: AbnormalSecurity.UnanalyzedAbuseCampaigns.results.reporter.name - description: The name of the reporter. - type: String - - contextPath: AbnormalSecurity.UnanalyzedAbuseCampaigns.results.subject - description: The subject of the message. - type: String - - contextPath: AbnormalSecurity.UnanalyzedAbuseCampaigns.results.not_analyzed_reason - description: The reason the message was not analyzed. - type: String + - arguments: + - description: The start time for retrieving the list of unanalyzed abuse mailbox campaigns. + name: start + - description: The end time for retrieving the list of unanalyzed abuse mailbox campaigns. + name: end + description: Get a list of unanalyzed abuse mailbox campaigns. 
+ name: abnormal-security-list-unanalyzed-abuse-mailbox-campaigns + outputs: + - contextPath: AbnormalSecurity.UnanalyzedAbuseCampaigns.results.abx_message_id + description: An id which maps to an abuse campaign. + type: Number + - contextPath: AbnormalSecurity.UnanalyzedAbuseCampaigns.results.recipient.name + description: The name of the recipient. + type: String + - contextPath: AbnormalSecurity.UnanalyzedAbuseCampaigns.results.recipient.email + description: The email address of the recipient. + type: String + - contextPath: AbnormalSecurity.UnanalyzedAbuseCampaigns.results.reported_datetime + description: The datetime the report was made. + type: String + - contextPath: AbnormalSecurity.UnanalyzedAbuseCampaigns.results.reporter.email + description: The email address of the reporter. + type: String + - contextPath: AbnormalSecurity.UnanalyzedAbuseCampaigns.results.reporter.name + description: The name of the reporter. + type: String + - contextPath: AbnormalSecurity.UnanalyzedAbuseCampaigns.results.subject + description: The subject of the message. + type: String + - contextPath: AbnormalSecurity.UnanalyzedAbuseCampaigns.results.not_analyzed_reason + description: The reason the message was not analyzed. + type: String - arguments: - description: Returns test data if set to `True`. @@ -708,7 +764,7 @@ script: subtype: python3 type: python isfetch: true + runonce: false fromversion: 6.0.0 tests: - - No tests (auto formatted) -defaultmapperin: Abnormal Security - Incoming Mapper +- No tests (auto formatted) diff --git a/Packs/AbnormalSecurity/Integrations/AbnormalSecurity/AbnormalSecurity_description.md b/Packs/AbnormalSecurity/Integrations/AbnormalSecurity/AbnormalSecurity_description.md index 0433703639c8..1c99ca7b0ce1 100644 --- a/Packs/AbnormalSecurity/Integrations/AbnormalSecurity/AbnormalSecurity_description.md +++ b/Packs/AbnormalSecurity/Integrations/AbnormalSecurity/AbnormalSecurity_description.md 
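Review bot: The new side of the `@@ -708,7 +764,7 @@ script:` hunk drops `defaultmapperin: Abnormal Security - Incoming Mapper` next to the added `runonce: false`, which presumably leaves instances that relied on the default mapper with no incoming mapping for fetched incidents, while the 2_2_7.md release note in this commit mentions only the new search-filter arguments. If the removal is intentional it should be stated so operators can pick a mapper before upgrading, e.g. add `- Removed the default incoming mapper (**Abnormal Security - Incoming Mapper**); select a mapper in the instance settings if you relied on it.` to the release note; otherwise the line should be restored. The re-indentation of `- No tests (auto formatted)` is cosmetic and needs no change.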
@@ -9,4 +9,6 @@ To configure an instance of Abnormal Security integration in Cortex XSOAR: Retrieve your authentication token via the [Abnormal Portal](https://portal.abnormalsecurity.com/home/settings/integrations) Keep the token safe, as it grants access to sensitive threat data related to your organization. Store it in a secure place, such as an encrypted password vault, and do not share it unless absolutely necessary. If you feel that the token has been compromised, please contact your Account Manager immediately. - \ No newline at end of file + + + --- \ No newline at end of file diff --git a/Packs/AbnormalSecurity/ReleaseNotes/2_2_7.md b/Packs/AbnormalSecurity/ReleaseNotes/2_2_7.md new file mode 100644 index 000000000000..6dd25eb2dc4b --- /dev/null +++ b/Packs/AbnormalSecurity/ReleaseNotes/2_2_7.md @@ -0,0 +1,6 @@ + +#### Integrations + +##### Abnormal Security + +- Added an additional search filters arguments (such as sender, recipient, subject, etc.) for the **abnormal-security-list-abuse-mailbox-campaigns** and **abnormal-security-list-threats** commands. diff --git a/Packs/AbnormalSecurity/pack_metadata.json b/Packs/AbnormalSecurity/pack_metadata.json index 0aa35530b30d..dc0ae32b4319 100644 --- a/Packs/AbnormalSecurity/pack_metadata.json +++ b/Packs/AbnormalSecurity/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Abnormal Security", "description": "Abnormal Security detects and protects against the whole spectrum of email attacks", "support": "partner", - "currentVersion": "2.2.6", + "currentVersion": "2.2.7", "author": "Abnormal Security", "url": "", "email": "support@abnormalsecurity.com", From 38c1d4fda31d00512df4db08492c4947dc8e6972 Mon Sep 17 00:00:00 2001 
From: jbabazadeh Date: Sun, 24 Mar 2024 14:40:56 +0200 Subject: [PATCH 2/3] pre commit --- .../AbnormalSecurity/AbnormalSecurity.py | 5 +-- .../AbnormalSecurity/AbnormalSecurity.yml | 38 +++++++++---------- .../AbnormalSecurity/AbnormalSecurity_test.py | 7 ++-- Packs/AbnormalSecurity/ReleaseNotes/2_2_7.md | 1 + 4 files changed, 25 insertions(+), 26 deletions(-) diff --git a/Packs/AbnormalSecurity/Integrations/AbnormalSecurity/AbnormalSecurity.py b/Packs/AbnormalSecurity/Integrations/AbnormalSecurity/AbnormalSecurity.py index 461900e07933..bd866daa09d9 100644 --- a/Packs/AbnormalSecurity/Integrations/AbnormalSecurity/AbnormalSecurity.py +++ b/Packs/AbnormalSecurity/Integrations/AbnormalSecurity/AbnormalSecurity.py @@ -2,7 +2,7 @@ from CommonServerPython import * # noqa: F401 -from typing import Dict, Any +from typing import Any import logging from datetime import datetime @@ -30,7 +30,6 @@ class FetchIncidentsError(Exception): """Raised when there's an error in fetching incidents.""" - pass class Client(BaseClient): @@ -788,7 +787,7 @@ def generate_account_takeover_cases_incidents(client, cases): def fetch_incidents( client: Client, - last_run: Dict[str, Any], + last_run: dict[str, Any], first_fetch_time: str, fetch_threats: bool, fetch_abuse_campaigns: bool, diff --git a/Packs/AbnormalSecurity/Integrations/AbnormalSecurity/AbnormalSecurity.yml b/Packs/AbnormalSecurity/Integrations/AbnormalSecurity/AbnormalSecurity.yml index 64ce473836cb..7540d24a4f89 100644 --- a/Packs/AbnormalSecurity/Integrations/AbnormalSecurity/AbnormalSecurity.yml +++ b/Packs/AbnormalSecurity/Integrations/AbnormalSecurity/AbnormalSecurity.yml 
@@ -65,24 +65,24 @@ script: - arguments: - description: Value must be of the format `filter={FILTER KEY} gte YYYY-MM-DDTHH:MM:SSZ lte YYYY-MM-DDTHH:MM:SSZ`. A `{FILTER KEY}` must be specified, and currently the only keys that are supported for `/threats` are `receivedTime` and `lastModifiedTime`. At least 1 of `gte`/`lte` must be specified, with a datetime string following the `YYYY-MM-DDTHH:MM:SSZ format`. name: filter - - description: Filters threats based on the email subject + - description: Filters threats based on the email subject. name: subject - - description: Filters threats based on the name or email address of the sender + - description: Filters threats based on the name or email address of the sender. name: sender - - description: Filters threats based on the name or email address of the recipient + - description: Filters threats based on the name or email address of the recipient. name: recipient - - description: 'Filters threats based on the topic of email contents Available values : Billing Account Update, Covid-19 Related Attack, Cryptocurrency, Invoice, Invoice Inquiry' + - description: 'Filters threats based on the topic of email contents Available values : Billing Account Update, Covid-19 Related Attack, Cryptocurrency, Invoice, Invoice Inquiry.' name: topic auto: PREDEFINED predefined: - Billing Account Update - - description: 'Filters threats based on the type of attack Available values : Internal-to-Internal Attacks (Email Account Takeover), Spam, Reconnaissance, Scam, Social Engineering (BEC), Phishing: Credential, Invoice/Payment Fraud (BEC), Malware, Extortion, Phishing: Sensitive Data, Other' + - description: 'Filters threats based on the type of attack Available values : Internal-to-Internal Attacks (Email Account Takeover), Spam, Reconnaissance, Scam, Social Engineering (BEC), Phishing: Credential, Invoice/Payment Fraud (BEC), Malware, Extortion, Phishing: Sensitive Data, Other.' 
name: attackType auto: PREDEFINED predefined: - Internal-to-Internal Attacks (Email Account Takeover) - auto: PREDEFINED - description: 'Filters threats based on the attack vector Available values : Link, Attachment, Text, Others, Attachment with Zipped File' + description: 'Filters threats based on the attack vector Available values : Link, Attachment, Text, Others, Attachment with Zipped File.' name: attackVector predefined: - Link @@ -403,16 +403,16 @@ script: name: mock-data - description: Subtenant of the user (if applicable). name: subtenant - - description: Filters threats based on the email subject + - description: Filters threats based on the email subject. name: subject - - description: Filters threats based on the name or email address of the sender + - description: Filters threats based on the name or email address of the sender. name: sender - - description: Filters threats based on the name or email address of the recipient + - description: Filters threats based on the name or email address of the recipient. name: recipient - - description: Filters threats based on the reporter name or email address + - description: Filters threats based on the reporter name or email address. name: reporter - auto: PREDEFINED - description: Filters threats based on the type of attack + description: Filters threats based on the type of attack. name: attackType predefined: - Internal-to-Internal Attacks (Email Account Takeover) @@ -427,7 +427,7 @@ script: - 'Phishing: Sensitive Data' - Other - auto: PREDEFINED - description: Filters threats based on the type of attack + description: Filters threats based on the type of attack. name: threatType predefined: - All 
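Review bot: In the `-65` hunk the `topic` and `attackType` arguments are marked `auto: PREDEFINED` but their `predefined` lists hold a single entry each (`Billing Account Update` and `Internal-to-Internal Attacks (Email Account Takeover)`), while the descriptions directly above enumerate five and eleven "Available values"; this change only appends periods and leaves that contradiction in place. Either complete the two `predefined` lists with the values the descriptions name, or drop the `Available values :` enumeration from the descriptions so users are not told about options the dropdown does not offer. The `attackVector` list begins with `- Link` at the very end of the hunk, so I cannot tell whether it is affected as well. The filter description refers to `/threats`, so I take these to be the threats-list command's arguments — confirm against the command name outside the hunk.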
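Review bot: In the `-427` hunk the `threatType` argument's description is a verbatim copy of `attackType`'s (`Filters threats based on the type of attack.`), even though its `predefined` list starts with `All`, which is not an attack type; the added period keeps the copy-paste. A distinct wording is needed, for example `description: Filters results based on the threat type; use All to include every type.` — adjust to what the API actually accepts. The neighbouring `reporter` argument in the `-403` hunk suggests this is the abuse-mailbox-campaigns command, in which case "Filters threats" in the rest of that hunk is also inaccurate and would read better as "Filters campaigns"; the command name itself sits outside the hunk, so please confirm.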
@@ -753,13 +753,13 @@ script: description: The reason the message was not analyzed. type: String - - arguments: - - description: Returns test data if set to `True`. - name: mock-data - description: Get the latest threat intel feed. - name: abnormal-security-get-latest-threat-intel-feed - deprecated: true - dockerimage: demisto/python3:3.10.13.88772 + - arguments: + - description: Returns test data if set to `True`. + name: mock-data + description: Get the latest threat intel feed. + name: abnormal-security-get-latest-threat-intel-feed + deprecated: true + dockerimage: demisto/python3:3.10.14.90585 script: "" subtype: python3 type: python diff --git a/Packs/AbnormalSecurity/Integrations/AbnormalSecurity/AbnormalSecurity_test.py b/Packs/AbnormalSecurity/Integrations/AbnormalSecurity/AbnormalSecurity_test.py index b89916c47b7e..56e3632220b6 100644 --- a/Packs/AbnormalSecurity/Integrations/AbnormalSecurity/AbnormalSecurity_test.py +++ b/Packs/AbnormalSecurity/Integrations/AbnormalSecurity/AbnormalSecurity_test.py @@ -1,6 +1,5 @@ import pytest import demistomock as demisto -import io import json from AbnormalSecurity import (Client, check_the_status_of_an_action_requested_on_a_case_command, check_the_status_of_an_action_requested_on_a_threat_command, @@ -44,12 +43,12 @@ def __init__(self, data, status_code): def util_load_json(path): - with io.open(path, mode='r', encoding='utf-8') as f: + with open(path, encoding='utf-8') as f: return json.loads(f.read()) def util_load_response(path): - with io.open(path, mode='r', encoding='utf-8') as f: + with open(path, encoding='utf-8') as f: return MockResponse(f.read(), 200) 
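Review bot: In the `-44` hunk of AbnormalSecurity_test.py, `util_load_json` still reads the whole file into a string and then parses it with `json.loads(f.read())`; since the `with` line is being modernised anyway, the body can use the stream parser directly, `return json.load(f)`, which is the idiomatic form and avoids the intermediate string. `util_load_response` genuinely needs the raw text for `MockResponse`, so it stays as written.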
@@ -412,7 +411,7 @@ def test_get_details_of_an_abuse_mailbox_campaign_command(mocker): results = get_details_of_an_abuse_mailbox_campaign_command(client, {}) assert results.outputs.get('campaignId') == 'fff51768-c446-34e1-97a8-9802c29c3ebd' assert results.outputs.get('attackType') == 'Attack Type: Spam' - assert results.outputs_prefix == 'AbnormalSecurity.AbuseCampaign.campaigns' + assert results.outputs_prefix == 'AbnormalSecurity.AbuseCampaign' def test_get_employee_identity_analysis_genome_data_command(mocker): diff --git a/Packs/AbnormalSecurity/ReleaseNotes/2_2_7.md b/Packs/AbnormalSecurity/ReleaseNotes/2_2_7.md index 6dd25eb2dc4b..72fd5ef47e1a 100644 --- a/Packs/AbnormalSecurity/ReleaseNotes/2_2_7.md +++ b/Packs/AbnormalSecurity/ReleaseNotes/2_2_7.md @@ -4,3 +4,4 @@ ##### Abnormal Security - Added an additional search filters arguments (such as sender, recipient, subject, etc.) for the **abnormal-security-list-abuse-mailbox-campaigns** and **abnormal-security-list-threats** commands. +- Updated the Docker image to: *demisto/python3:3.10.14.90585*. From 7b7c23cd55631e6fbb8ddf3631c33d8b0f7242ba Mon Sep 17 00:00:00 2001 From: jbabazadeh Date: Sun, 24 Mar 2024 14:56:04 +0200 Subject: [PATCH 3/3] pre commit --- .../AbnormalSecurity/AbnormalSecurity.py | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/Packs/AbnormalSecurity/Integrations/AbnormalSecurity/AbnormalSecurity.py b/Packs/AbnormalSecurity/Integrations/AbnormalSecurity/AbnormalSecurity.py index bd866daa09d9..019c33864d0c 100644 --- a/Packs/AbnormalSecurity/Integrations/AbnormalSecurity/AbnormalSecurity.py +++ b/Packs/AbnormalSecurity/Integrations/AbnormalSecurity/AbnormalSecurity.py 
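Review bot: The expected `outputs_prefix` in `test_get_details_of_an_abuse_mailbox_campaign_command` changes from `AbnormalSecurity.AbuseCampaign.campaigns` to `AbnormalSecurity.AbuseCampaign`, but no matching change to the command's `outputs_prefix` or to the YAML `contextPath` entries is visible in this patch series. If the integration's output prefix really changed, that is a breaking context-path change for existing playbooks and deserves a release-notes entry such as `- Changed the context output prefix of **abnormal-security-get-abuse-mailbox-campaign** to *AbnormalSecurity.AbuseCampaign*.`; if it did not, the old assertion was presumably wrong and a one-line comment in the test saying so would stop the next reader from asking the same question. The command implementation lies outside these hunks, so please confirm which case applies.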
@@ -71,9 +71,11 @@ def get_a_list_of_abnormal_cases_identified_by_abnormal_security_request(self, f
 return response
 def get_a_list_of_campaigns_submitted_to_abuse_mailbox_request(self, filter_='', page_size=None, page_number=None,
- subtenant=None, subject=None, sender=None, recipient=None, reporter=None, attackType=None, threatType=None):
+ subtenant=None, subject=None, sender=None, recipient=None,
+ reporter=None, attackType=None, threatType=None):
 params = assign_params(filter=filter_, pageSize=page_size, pageNumber=page_number, subtenant=subtenant, subject=subject,
- sender=sender, recipient=recipient, reporter=reporter, attackType=attackType, threatType=threatType)
+ sender=sender, recipient=recipient, reporter=reporter, attackType=attackType,
+ threatType=threatType)
 headers = self._headers
@@ -81,9 +83,11 @@ def get_a_list_of_campaigns_submitted_to_abuse_mailbox_request(self, filter_='',
 return response
- def get_a_list_of_threats_request(self, filter_='', page_size=None, page_number=None, source=None, subtenant=None, subject=None, sender=None, recipient=None, topic=None, attackType=None, attackVector=None):
+ def get_a_list_of_threats_request(self, filter_='', page_size=None, page_number=None, source=None, subtenant=None,
+ subject=None, sender=None, recipient=None, topic=None, attackType=None, attackVector=None):
 params = assign_params(filter=filter_, pageSize=page_size, pageNumber=page_number, source=source, subtenant=subtenant,
- subject=subject, sender=sender, recipient=recipient, topic=topic, attackType=attackType, attackVector=attackVector)
+ subject=subject, sender=sender, recipient=recipient, topic=topic, attackType=attackType,
+ attackVector=attackVector)
 headers = self._headers