From c38d131ca9b65e6fd30a396aed7db74c8d2f7127 Mon Sep 17 00:00:00 2001
From: content-bot <55035720+content-bot@users.noreply.github.com>
Date: Wed, 15 Jan 2025 13:15:01 +0200
Subject: [PATCH] [ASM] - UVEM-790 - RankServiceOwners Update (#38091) (#38164)

* Update RankSO Script and Release Notes
* Update alertsource to ownerrelatedfield
* Refactor output logic to write_output_to_context_key function
* Refactor variables and update ReadMe
* add error for wrong tenant
* predefined/stringify
* Apply suggestions from code review
* changed wording

---------

Co-authored-by: John <40349459+BigEasyJ@users.noreply.github.com>
Co-authored-by: johnnywilkes <32227961+johnnywilkes@users.noreply.github.com>
Co-authored-by: jwilkes
Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>
---
 .../ReleaseNotes/1_7_65.md | 5 ++
 .../Scripts/RankServiceOwners/README.md | 3 +
 .../RankServiceOwners/RankServiceOwners.py | 57 +++++++++++--------
 .../RankServiceOwners/RankServiceOwners.yml | 11 ++++
 .../pack_metadata.json | 2 +-
 5 files changed, 53 insertions(+), 25 deletions(-)
 create mode 100644 Packs/CortexAttackSurfaceManagement/ReleaseNotes/1_7_65.md

diff --git a/Packs/CortexAttackSurfaceManagement/ReleaseNotes/1_7_65.md b/Packs/CortexAttackSurfaceManagement/ReleaseNotes/1_7_65.md
new file mode 100644
index 000000000000..167f7255e1d2
--- /dev/null
+++ b/Packs/CortexAttackSurfaceManagement/ReleaseNotes/1_7_65.md
@@ -0,0 +1,5 @@
+#### Scripts
+
+##### RankServiceOwners
+
+Updated the script to accept an argument that determines the outputs depending on the source that generated an alert or issue.
\ No newline at end of file
diff --git a/Packs/CortexAttackSurfaceManagement/Scripts/RankServiceOwners/README.md b/Packs/CortexAttackSurfaceManagement/Scripts/RankServiceOwners/README.md
index 6daf264d4e18..c1f9f26e94f6 100644
--- a/Packs/CortexAttackSurfaceManagement/Scripts/RankServiceOwners/README.md
+++ b/Packs/CortexAttackSurfaceManagement/Scripts/RankServiceOwners/README.md
@@ -17,6 +17,9 @@ Recommend most likely service owners from those surfaced by Cortex ASM Enrichmen
 | --- | --- |
 | owners | List of potential service owners |
 | asmsystemids | System IDs or names associated with the compute instance |
+| owners | List of potential service owners. |
+| ownerrelatedfield | The field of the alert or issue that owners should be stored. |
+| tenantcommand | False will use !setAlert, True will use !setIssue. |
 
 ## Outputs
 
diff --git a/Packs/CortexAttackSurfaceManagement/Scripts/RankServiceOwners/RankServiceOwners.py b/Packs/CortexAttackSurfaceManagement/Scripts/RankServiceOwners/RankServiceOwners.py
index 8feed257fcc0..8e1e63e4c709 100644
--- a/Packs/CortexAttackSurfaceManagement/Scripts/RankServiceOwners/RankServiceOwners.py
+++ b/Packs/CortexAttackSurfaceManagement/Scripts/RankServiceOwners/RankServiceOwners.py
@@ -1,26 +1,25 @@
+from collections.abc import Iterable, Callable
+from typing import Any
+import google.cloud.storage
+import numpy as np
+import posixpath
+import dill as pickle
+import os
+import itertools
+import string
+import re
+import math
+from itertools import groupby
+import traceback
 import demistomock as demisto  # noqa: F401
 from CommonServerPython import *  # noqa: F401
+demisto.debug('pack name = Cortex Attack Surface Management, pack version = 1.7.65')
+
+
 """Script for identifying and recommending the most likely owners of a discovered service from those surfaced by Cortex ASM Enrichment.
 """
-import traceback
-from itertools import groupby
-import math
-
-import re
-import string
-import itertools
-import os
-import dill as pickle
-import posixpath
-import numpy as np
-import google.cloud.storage
-
-
-from typing import Any
-from collections.abc import Iterable, Callable
-
 STRING_DELIMITER = ' | '  # delimiter used for joining source fields and any additional fields of type string
@@ -614,6 +613,18 @@ def featurize(self, service_identifiers: Iterable[str], owners: list[dict[str, A
         return X
 
 
+def write_output_to_context_key(final_owners: list[dict[str, str]], owner_related_field: str, platform_tenant: str):
+    stringify_platform_tenant = str(platform_tenant)
+    set_alert_issue_map = {"True": "setIssue", "False": "setAlert"}
+    if final_owners and owner_related_field:
+        res = demisto.executeCommand(set_alert_issue_map[stringify_platform_tenant], {owner_related_field: final_owners})
+        if isError(res):
+            raise ValueError('Unable to update field')
+        return_results(CommandResults(readable_output=f"Owners ranked and written to {owner_related_field}"))
+    else:
+        return_results(CommandResults(readable_output='No owners found'))
+
+
 def main():
     try:
         # parse inputs
@@ -621,17 +632,15 @@ def main():
         if isinstance(unranked, dict):
             unranked = [unranked]
         asm_system_ids = demisto.args().get("asmsystemids", [])
-
+        owner_related_field = demisto.args().get("ownerrelatedfield", "asmserviceowner")
+        platform_tenant_usage = demisto.args().get("tenantcommand", "False")
         # deduplicate/normalize, score, and rank owners
         normalized = aggregate(canonicalize(unranked))
         final_owners = justify(rank(score(owners=normalized, asm_system_ids=asm_system_ids)))
-        # write output to context
-        if final_owners:
-            demisto.executeCommand("setAlert", {"asmserviceowner": final_owners})
-            return_results(CommandResults(readable_output='Service owners ranked and written to asmserviceowner'))
-        else:
-            return_results(CommandResults(readable_output='No service owners found'))
+        write_output_to_context_key(final_owners=final_owners,
+                                    owner_related_field=owner_related_field,
+                                    platform_tenant=platform_tenant_usage)
 
     except Exception as ex:
         demisto.error(traceback.format_exc())  # print the traceback
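Review bot: The lookup `set_alert_issue_map[stringify_platform_tenant]` in write_output_to_context_key accepts only the exact strings "True" and "False", so any other `tenantcommand` value — a lowercase `true` coming from a playbook input, or one carrying surrounding whitespace — surfaces as a bare KeyError rather than the clear error for a wrong tenant that the commit message describes. Normalize the argument with `str(platform_tenant).strip().lower()` before the lookup and raise a ValueError that names the offending value when it is not one of the two keys. The `isError(res)` branch also discards what the platform returned; including `get_error(res)` from CommonServerPython in the raised message makes a failed field write diagnosable from the War Room. The new function has no docstring; it should state that final_owners is written into owner_related_field via setAlert or setIssue as selected by platform_tenant, and that nothing is written when either is empty.
```python
def write_output_to_context_key(final_owners: list[dict[str, str]], owner_related_field: str, platform_tenant: str):
    """Write ranked owners to ``owner_related_field`` with setAlert (platform_tenant "False") or setIssue ("True").

    The tenant flag is compared case-insensitively after stripping whitespace; any other value is rejected
    with a ValueError. Nothing is written when ``final_owners`` or ``owner_related_field`` is empty.
    """
    set_alert_issue_map = {"true": "setIssue", "false": "setAlert"}
    tenant_key = str(platform_tenant).strip().lower()
    if tenant_key not in set_alert_issue_map:
        raise ValueError(f'Unsupported tenantcommand value "{platform_tenant}"; expected "True" or "False"')
    if final_owners and owner_related_field:
        res = demisto.executeCommand(set_alert_issue_map[tenant_key], {owner_related_field: final_owners})
        if isError(res):
            raise ValueError(f'Unable to update field {owner_related_field}: {get_error(res)}')
        # … unchanged: return_results with the ranked-owners readable output …
    # … unchanged: else branch reporting 'No owners found' …
```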
diff --git a/Packs/CortexAttackSurfaceManagement/Scripts/RankServiceOwners/RankServiceOwners.yml b/Packs/CortexAttackSurfaceManagement/Scripts/RankServiceOwners/RankServiceOwners.yml
index 3d37a1c8be2b..a53b851668dd 100644
--- a/Packs/CortexAttackSurfaceManagement/Scripts/RankServiceOwners/RankServiceOwners.yml
+++ b/Packs/CortexAttackSurfaceManagement/Scripts/RankServiceOwners/RankServiceOwners.yml
@@ -5,6 +5,16 @@ args:
 - description: System IDs or names associated with the compute instance.
   isArray: true
   name: asmsystemids
+- defaultValue: asmserviceowner
+  description: The field of the alert or issue in which the owners should be stored.
+  name: ownerrelatedfield
+- defaultValue: "False"
+  description: False will use !setAlert, True will use !setIssue.
+  name: tenantcommand
+  auto: PREDEFINED
+  predefined:
+  - "True"
+  - "False"
 comment: Recommend most likely service owners from those surfaced by Cortex ASM Enrichment.
 commonfields:
   id: RankServiceOwners
@@ -22,3 +32,4 @@ fromversion: 6.5.0
 tests:
 - No tests (auto formatted)
 runonce: false
+engineinfo: {}
diff --git a/Packs/CortexAttackSurfaceManagement/pack_metadata.json b/Packs/CortexAttackSurfaceManagement/pack_metadata.json
index f45e9157eea8..fc10ec28bf65 100644
--- a/Packs/CortexAttackSurfaceManagement/pack_metadata.json
+++ b/Packs/CortexAttackSurfaceManagement/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Cortex Attack Surface Management",
     "description": "Content for working with Attack Surface Management (ASM).",
     "support": "xsoar",
-    "currentVersion": "1.7.64",
+    "currentVersion": "1.7.65",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",