From 4f817e7b00b548c351f6f2fc6ebaa55bbef3e1cd Mon Sep 17 00:00:00 2001 From: content-bot <55035720+content-bot@users.noreply.github.com> Date: Tue, 1 Aug 2023 10:03:17 +0300 Subject: [PATCH] Cybersixgill aa mssp multi tenancy issue (#28535) (#28635) * Passing Organization ID where applicable. * Generated and updated changelogs * Updated docker image tag * Added full stop in changelogs file. * Fixing CI issues * CVSS score is none * MAX_DAYS_BACK 30 * Added known_words section and release notes rewording * Added known_words section and release notes rewording Co-authored-by: syed-loginsoft <97145640+syed-loginsoft@users.noreply.github.com> Co-authored-by: Menachem Weinfeld --- .../.pack-ignore | 2 + .../CybersixgillActionableAlerts.py | 35 ++++---- .../CybersixgillActionableAlerts.yml | 2 +- .../CybersixgillActionableAlerts_test.py | 88 ++++++++++++++++++- .../ReleaseNotes/1_2_1.md | 6 ++ .../pack_metadata.json | 2 +- 6 files changed, 114 insertions(+), 21 deletions(-) create mode 100644 Packs/Cybersixgill-ActionableAlerts/ReleaseNotes/1_2_1.md diff --git a/Packs/Cybersixgill-ActionableAlerts/.pack-ignore b/Packs/Cybersixgill-ActionableAlerts/.pack-ignore index 6a1b1c4c7348..91de8b33fd81 100644 --- a/Packs/Cybersixgill-ActionableAlerts/.pack-ignore +++ b/Packs/Cybersixgill-ActionableAlerts/.pack-ignore @@ -19,3 +19,5 @@ ignore=IF115 [file:CybersixgillActionableAlertStatusUpdate.yml] ignore=BA124 +[known_words] +Cybersixgill \ No newline at end of file diff --git a/Packs/Cybersixgill-ActionableAlerts/Integrations/CybersixgillActionableAlerts/CybersixgillActionableAlerts.py b/Packs/Cybersixgill-ActionableAlerts/Integrations/CybersixgillActionableAlerts/CybersixgillActionableAlerts.py index 712da75336a1..1e176e979820 100644 --- a/Packs/Cybersixgill-ActionableAlerts/Integrations/CybersixgillActionableAlerts/CybersixgillActionableAlerts.py +++ b/Packs/Cybersixgill-ActionableAlerts/Integrations/CybersixgillActionableAlerts/CybersixgillActionableAlerts.py @@ -49,7 +49,7 @@ def get_incident_init_params(): def item_to_incidents(item_info, sixgill_alerts_client): - incident: Dict[str, Any] = dict() + incident: Dict[str, Any] = {} incidents = [] items = [] # get fields that are shared in case of sub alerts @@ -130,8 +130,10 @@ def get_alert_content(content_item, item_info, incident, sixgill_alerts_client): content_item['content'] = f'https://portal.cybersixgill.com/#/cve/{cve_id}' additional_info = item_info.get("additional_info", {}) incident['CustomFields']['cve'] = cve_id - incident['CustomFields']['cybersixgillcvss31'] = additional_info.get("nvd", {}).get("v3", {}).get("current", -1) - incident['CustomFields']['cybersixgillcvss20'] = additional_info.get("nvd", {}).get("v2", {}).get("current", -1) + cybersixgillcvss31 = additional_info.get("nvd", {}).get("v3", {}).get("current") + cybersixgillcvss20 = additional_info.get("nvd", {}).get("v2", {}).get("current") + incident['CustomFields']['cybersixgillcvss31'] = cybersixgillcvss31 or -1 + incident['CustomFields']['cybersixgillcvss20'] = cybersixgillcvss20 or -1 incident['CustomFields']['cybersixgilldvescore'] = additional_info.get("score", {}).get("current") attributes = [] for attribute in additional_info.get("attributes", []): @@ -141,7 +143,8 @@ def get_alert_content(content_item, item_info, incident, sixgill_alerts_client): incident['CustomFields']['cybersixgillattributes'] = attributes elif es_id == "Not Applicable": content = sixgill_alerts_client.get_actionable_alert_content(actionable_alert_id=item_info.get('id'), - fetch_only_current_item=True) + fetch_only_current_item=True, + organization_id=demisto.params().get('org_id', None)) content_items = content.get('items') if content_items: for item in content_items: @@ -175,16 +178,16 @@ def get_alert_content(content_item, item_info, incident, sixgill_alerts_client): aggregate_alert_id = None content = sixgill_alerts_client.get_actionable_alert_content(actionable_alert_id=item_info.get('id'), aggregate_alert_id=aggregate_alert_id, - fetch_only_current_item=True) + fetch_only_current_item=True, + organization_id=demisto.params().get('org_id', None)) # get item full content content = content.get('items', None) - if content: - if content[0].get('_id'): - es_items = content[0].get('_source') - if es_items: - content_item['title'] = es_items.get('title') - content_item['content'] = es_items.get('content') - content_item['creator'] = es_items.get('creator') + if content and content[0].get('_id'): + es_items = content[0].get('_source') + if es_items: + content_item['title'] = es_items.get('title') + content_item['content'] = es_items.get('content') + content_item['creator'] = es_items.get('creator') ''' COMMANDS + REQUESTS FUNCTIONS ''' @@ -240,7 +243,8 @@ def fetch_incidents(): incidents = [] for item in items: try: - item_info = sixgill_alerts_client.get_actionable_alert(actionable_alert_id=item.get('id')) + item_info = sixgill_alerts_client.get_actionable_alert(actionable_alert_id=item.get('id'), + organization_id=demisto.params().get('org_id', None)) item_info['date'] = item.get('date') new_incidents = item_to_incidents(item_info, sixgill_alerts_client) incidents.extend(new_incidents) @@ -289,7 +293,8 @@ def update_alert_status(): verify=VERIFY) res = sixgill_alerts_client.update_actionable_alert(actionable_alert_id=alert_id, json_body=alert_body, - sub_alert_indexes=aggregate_alert_id) + sub_alert_indexes=aggregate_alert_id, + organization_id=demisto.params().get('org_id', None)) if res.get('status') == 200: demisto.results("Actionable alert status updated") @@ -313,4 +318,4 @@ def update_alert_status(): update_alert_status() except Exception as e: - return_error("Failed to execute {} command. Error: {}".format(demisto.command(), str(e))) + return_error(f"Failed to execute {demisto.command()} command. Error: {str(e)}") diff --git a/Packs/Cybersixgill-ActionableAlerts/Integrations/CybersixgillActionableAlerts/CybersixgillActionableAlerts.yml b/Packs/Cybersixgill-ActionableAlerts/Integrations/CybersixgillActionableAlerts/CybersixgillActionableAlerts.yml index 87cb97ba47b6..d09f886dd403 100644 --- a/Packs/Cybersixgill-ActionableAlerts/Integrations/CybersixgillActionableAlerts/CybersixgillActionableAlerts.yml +++ b/Packs/Cybersixgill-ActionableAlerts/Integrations/CybersixgillActionableAlerts/CybersixgillActionableAlerts.yml @@ -109,7 +109,7 @@ script: name: alert_status - description: The aggregate alert id. name: aggregate_alert_id - dockerimage: demisto/sixgill:1.0.0.50510 + dockerimage: demisto/sixgill:1.0.0.66910 isfetch: true runonce: false script: '-' diff --git a/Packs/Cybersixgill-ActionableAlerts/Integrations/CybersixgillActionableAlerts/CybersixgillActionableAlerts_test.py b/Packs/Cybersixgill-ActionableAlerts/Integrations/CybersixgillActionableAlerts/CybersixgillActionableAlerts_test.py index 746042faa463..c912c573ca02 100644 --- a/Packs/Cybersixgill-ActionableAlerts/Integrations/CybersixgillActionableAlerts/CybersixgillActionableAlerts_test.py +++ b/Packs/Cybersixgill-ActionableAlerts/Integrations/CybersixgillActionableAlerts/CybersixgillActionableAlerts_test.py @@ -14,7 +14,7 @@ "status": {"name": "in_treatment", "user": "60b604a048ce2cb294629a2d"}, "threat_level": "imminent", "threats": ["Brand Protection", "Data Leak"], - "title": "Your organization was potentially targeted " "by a ransomware group", + "title": "Your organization was potentially targeted by a ransomware group", "user_id": "5d233575f8db38787dbe24b6", }, { @@ -219,7 +219,23 @@ "cybersixgillcvss31": -1, "cybersixgilldvescore": None, }, - "alert_name": "Your organization was potentially targeted by a ransomware " "group", + "alert_name": "Your organization was potentially targeted by a ransomware group", + "content": "text", + "date": "2021-11-08 06:01:05", + "id": "6188bd21017198385e228437", + "read": True, + "severity": 1, + "site": "rw_everest", + "status": {"name": "in_treatment", "user": "60b604a048ce2cb294629a2d"}, + "threat_level": "imminent", + "threats": ["Brand Protection", "Data Leak"], + "title": "Your organization was potentially targeted by a ransomware group", + "user_id": "5d233575f8db38787dbe24b6", +} + +expected_alert_output_es_id_na = { + "CustomFields": {}, + "alert_name": "Your organization was potentially targeted by a ransomware group", "content": "text", "date": "2021-11-08 06:01:05", "id": "6188bd21017198385e228437", @@ -234,10 +250,10 @@ } -class MockedResponse(object): +class MockedResponse: def __init__(self, status_code): self.status_code = status_code - self.ok = True if self.status_code == 200 else False + self.ok = self.status_code == 200 def get_incidents_list(): @@ -293,6 +309,23 @@ def get_content_with_cve_id(): return content_info_item +def get_content_es_id_na(): + content_info_item = copy.deepcopy(info_item) + content_info_item["es_id"] = "Not Applicable" + + return content_info_item + + +def get_content_item_es_id_na(): + cloned_content_item = copy.deepcopy(content_item) + cloned_content_item["content"]["items"][1]["Additional Keywords"] = "Items" + cloned_content_item["content"]["items"][1]['Repository name'] = "Repository name" + cloned_content_item["content"]["items"][1]['Customer Keywords'] = "Customer Keywords" + cloned_content_item["content"]["items"][1]['GitURL'] = "GitURL" + + return cloned_content_item["content"] + + def test_test_module_raise_exception(mocker): mocker.patch.object(demisto, "params", return_value=init_params()) mocker.patch("requests.sessions.Session.send", return_value=MockedResponse(400)) @@ -348,6 +381,29 @@ def test_fetch_incidents(mocker): assert incidents == expected_alert_output +def test_fetch_incidents_no_last_run(mocker): + mocker.patch.object(demisto, "params", return_value=init_params()) + mocker.patch.object( + demisto, "getLastRun", return_value={} + ) + mocker.patch.object(demisto, "incidents") + + from sixgill.sixgill_actionable_alert_client import SixgillActionableAlertClient + + mocker.patch.object( + SixgillActionableAlertClient, + "get_actionable_alerts_bulk", + return_value=[], + ) + + from CybersixgillActionableAlerts import fetch_incidents + fetch_incidents() + assert demisto.incidents.call_count == 1 + incidents = demisto.incidents.call_args[0][0] + + assert len(incidents) == 0 + + def test_update_alert_status(mocker): mocker.patch.object(demisto, "params", return_value=init_params()) mocker.patch.object(demisto, "args", return_value=init_args()) @@ -387,3 +443,27 @@ def test_get_alert_content(mocker): ) assert alert_content is None assert incident == expected_alert_output_with_custom_fields + + +def test_get_alert_content_es_id_na(mocker): + + from sixgill.sixgill_actionable_alert_client import SixgillActionableAlertClient + + mocker.patch.object( + SixgillActionableAlertClient, + "get_actionable_alert_content", + return_value=get_content_item_es_id_na(), + ) + + from CybersixgillActionableAlerts import get_alert_content + + content = get_content() + incident = get_incident() + alert_content = get_alert_content( + content, + get_content_es_id_na(), + incident, + SixgillActionableAlertClient, + ) + assert alert_content is None + assert incident == expected_alert_output_es_id_na diff --git a/Packs/Cybersixgill-ActionableAlerts/ReleaseNotes/1_2_1.md b/Packs/Cybersixgill-ActionableAlerts/ReleaseNotes/1_2_1.md new file mode 100644 index 000000000000..1e0a4c2d9981 --- /dev/null +++ b/Packs/Cybersixgill-ActionableAlerts/ReleaseNotes/1_2_1.md @@ -0,0 +1,6 @@ + +#### Integrations + +##### Cybersixgill Actionable Alerts +- Updated the Docker image to: *demisto/sixgill:1.0.0.66910*. +- Fixed an issue where Organization ID passed from UI was not used for all API calls. \ No newline at end of file diff --git a/Packs/Cybersixgill-ActionableAlerts/pack_metadata.json b/Packs/Cybersixgill-ActionableAlerts/pack_metadata.json index 404a369faf34..04fb84af6185 100644 --- a/Packs/Cybersixgill-ActionableAlerts/pack_metadata.json +++ b/Packs/Cybersixgill-ActionableAlerts/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Cybersixgill Actionable Alerts", "description": "The integration allow retrieving Cybersixgill's actionable alerts based on organization assets", "support": "partner", - "currentVersion": "1.2.0", + "currentVersion": "1.2.1", "author": "Cybersixgill", "url": "https://www.cybersixgill.com/", "email": "getstarted@cybersixgill.com",