Merge branch 'contrib/epartington_epartington-prisma-cloud-compute-lo…

…go-upate' into epartington-prisma-cloud-compute-logo-upate

.github/content_roles.json

@@ -7,8 +7,8 @@
     "CONTRIBUTION_TL": "thefrieddan1",
     "CONTRIBUTION_SECURITY_REVIEWER": "ssokolovich",
     "ON_CALL_DEVS": [
-        "acarmi",
-        "ypreisler"
+        "skidorball",
+        "ayousef"
     ],
     "DOC_REVIEWER": "ShirleyDenkberg",
     "TIM_REVIEWER": "MLainer1"

.github/github_workflow_scripts/autobump_rn.py

@@ -192,6 +192,10 @@ def manage(self):
         for pr in self.github_repo_obj.get_pulls(
             state="open", sort="created", base=BASE
         ):
+            if pr.draft:
+                # The bot does not go through a PR that is in draft
+                continue
+
             print(
                 f"{t.yellow}Looking on pr number [{pr.number}]: last updated: "
                 f"{str(pr.updated_at)}, branch={pr.head.ref}"

Packs/AWS-EC2/Integrations/AWS-EC2/AWS-EC2.py

@@ -3076,6 +3076,10 @@ def main():
 
         demisto.debug(f'Command being called is {command}')
 
+        if (ROLE_NAME and not IS_ARN_PROVIDED):
+            support_multithreading()
+            demisto.debug('using multiple accounts')
+
         match command:
             case 'test-module':
                 return_results(test_module())

Packs/AWS-EC2/Integrations/AWS-EC2/AWS-EC2.yml

@@ -4130,7 +4130,7 @@ script:
       type: String
     description: Creates a VPC endpoint.
     name: aws-ec2-create-vpc-endpoint
-  dockerimage: demisto/boto3py3:1.0.0.91323
+  dockerimage: demisto/boto3py3:1.0.0.100294
   runonce: false
   script: '-'
   subtype: python3

Packs/AWS-EC2/ReleaseNotes/1_4_10.md

@@ -0,0 +1,7 @@
+
+#### Integrations
+
+##### AWS - EC2
+
+- Fixed an issue where running commands on a large amount of accounts would result in a timeout.
+- Updated the Docker image to: *demisto/boto3py3:1.0.0.100294*.

Packs/AWS-EC2/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "AWS - EC2",
     "description": "Amazon Web Services Elastic Compute Cloud (EC2)",
     "support": "xsoar",
-    "currentVersion": "1.4.9",
+    "currentVersion": "1.4.10",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

Packs/AWS-Enrichment-Remediation/Playbooks/AWS_-_Enrichment.yml

@@ -53,7 +53,7 @@ tasks:
       {
         "position": {
           "x": 210,
-          "y": 1730
+          "y": 2170
         }
       }
     note: false
@@ -78,7 +78,7 @@ tasks:
       brand: AWS - EC2
     nexttasks:
       '#none#':
-      - "2"
+      - "25"
     scriptarguments:
       groupIds:
         complex:
@@ -702,8 +702,8 @@ tasks:
     view: |-
       {
         "position": {
-          "x": 880,
-          "y": 1370
+          "x": 940,
+          "y": 1350
         }
       }
   "24":
@@ -714,7 +714,7 @@ tasks:
     isoversize: false
     nexttasks:
       '#none#':
-      - "2"
+      - "25"
     note: false
     quietmode: 0
     scriptarguments:
@@ -742,7 +742,111 @@ tasks:
       {
         "position": {
           "x": 880,
-          "y": 1550
+          "y": 1610
+        }
+      }
+  "25":
+    conditions:
+    - condition:
+      - - left:
+            iscontext: true
+            value:
+              complex:
+                filters:
+                - - left:
+                      iscontext: true
+                      value:
+                        simple: modules.brand
+                    operator: isEqualString
+                    right:
+                      value:
+                        simple: AWS - System Manager
+                - - left:
+                      iscontext: true
+                      value:
+                        simple: modules.state
+                    operator: isEqualString
+                    right:
+                      value:
+                        simple: active
+                root: modules
+          operator: isExists
+          right:
+            value: {}
+      label: "yes"
+    continueonerrortype: ""
+    id: "25"
+    ignoreworker: false
+    isautoswitchedtoquietmode: false
+    isoversize: false
+    nexttasks:
+      '#default#':
+      - "2"
+      "yes":
+      - "26"
+    note: false
+    quietmode: 0
+    separatecontext: false
+    skipunavailable: false
+    task:
+      brand: ""
+      description: Determines if the AWS - Systems Manager integration instance is configured.
+      id: 25c42040-ec5b-4942-85c9-50aa659a4842
+      iscommand: false
+      name: Is AWS - Systems Manager enabled?
+      type: condition
+      version: -1
+    taskid: 25c42040-ec5b-4942-85c9-50aa659a4842
+    timertriggers: []
+    type: condition
+    view: |-
+      {
+        "position": {
+          "x": 470,
+          "y": 1820
+        }
+      }
+  "26":
+    continueonerrortype: ""
+    id: "26"
+    ignoreworker: false
+    isautoswitchedtoquietmode: false
+    isoversize: false
+    nexttasks:
+      '#none#':
+      - "2"
+    note: false
+    quietmode: 0
+    scriptarguments:
+      instance_id:
+        simple: ${AWS.EC2.Instances.InstanceId}
+      region:
+        simple: ${AWS.EC2.Instances.Region}
+      roleArn:
+        simple: ${AssumeRoleArn}
+      roleSessionName:
+        simple: AWS-SSM-Command
+      type_name:
+        simple: Instance Information
+    separatecontext: false
+    skipunavailable: false
+    task:
+      brand: AWS - System Manager
+      description: A list of inventory items returned by the request.
+      id: 47310a34-97d6-406b-884c-6c98a5855f45
+      iscommand: true
+      name: Get Instance ID information from SSM Inventory list.
+      script: AWS - System Manager|||aws-ssm-inventory-entry-list
+      type: regular
+      version: -1
+    taskid: 47310a34-97d6-406b-884c-6c98a5855f45
+    timertriggers: []
+    type: regular
+    view: |-
+      {
+        "position": {
+          "x": 480,
+          "y": 2000
         }
       }
 view: |-
@@ -753,50 +857,49 @@ view: |-
       "13_16_#default#": 0.35,
       "15_16_#default#": 0.22,
       "18_16_#default#": 0.35,
-      "20_21_#default#": 0.31,
-      "23_2_#default#": 0.33
+      "20_21_#default#": 0.31
     },
     "paper": {
       "dimensions": {
-        "height": 2575,
+        "height": 3015,
         "width": 1190,
         "x": 210,
         "y": -780
       }
     }
   }
 inputs:
-- key: ""
+- key: "AwsIP"
+  value:
+    complex:
+      accessor: remoteip
+      root: alert
+  required: true
+  description: AWS IP address in the alert.
+  playbookInputQuery:
+- key: AWSAssumeRoleName
   value: {}
   required: false
-  description: ""
+  description: If assuming roles for AWS, this is the name of the role to assume (should be the same for all organizations).
+  playbookInputQuery:
+- description: ""
+  key: ""
   playbookInputQuery:
-    query: ""
-    queryEntity: indicators
-    results:
     daterange:
       fromdate: "0001-01-01T00:00:00Z"
-      todate: "0001-01-01T00:00:00Z"
+      fromdatelicenseval: "0001-01-01T00:00:00Z"
       period:
         by: ""
-        byto: ""
         byfrom: ""
-        tovalue:
-        fromvalue:
+        byto: ""
         field: ""
-      fromdatelicenseval: "0001-01-01T00:00:00Z"
+        fromvalue:
+        tovalue:
+      todate: "0001-01-01T00:00:00Z"
+    query: ""
+    queryEntity: indicators
+    results:
     runFromLastJobTime: true
-- key: AwsIP
-  value:
-    complex:
-      root: alert
-      accessor: remoteip
-  required: true
-  description: AWS IP in alert
-  playbookInputQuery:
-- description: If assuming roles for AWS, this is the name of the role to assume (should be the same for all organizations).
-  key: AWSAssumeRoleName
-  playbookInputQuery:
   required: false
   value: {}
 outputs:
@@ -809,7 +912,25 @@ outputs:
 - contextPath: AWSHierarchy
   description: AWS account hierarchy information.
   type: unknown
-quiet: true
+- contextPath: AWS.SSM
+  description: AWS SSM information.
+  type: unknown
 fromversion: 6.5.0
 tests:
 - No tests (auto formatted)
+contentitemexportablefields:
+  contentitemfields: {}
+inputSections:
+- description: Generic group for inputs.
+  inputs:
+  - AwsIP
+  - AWSAssumeRoleName
+  name: General (Inputs group)
+outputSections:
+- description: Generic group for outputs.
+  name: General (Outputs group)
+  outputs:
+  - AWS.EC2.Instances
+  - AWS.EC2.SecurityGroups
+  - AWSHierarchy
+  - AWS.SSM

Packs/AWS-Enrichment-Remediation/Playbooks/AWS_-_Enrichment_README.md

@@ -11,29 +11,31 @@ This playbook does not use any sub-playbooks.
 ### Integrations
 
 * AWS - EC2
+* AWS - System Manager
 
 ### Scripts
 
-* AWSAccountHierarchy
 * Set
+* AWSAccountHierarchy
 
 ### Commands
 
-* aws-ec2-describe-ipam-resource-discoveries
+* aws-ec2-describe-instances
 * aws-ec2-describe-security-groups
-* aws-ec2-get-ipam-discovered-public-addresses
 * aws-ec2-describe-regions
-* aws-ec2-describe-instances
+* aws-ec2-get-ipam-discovered-public-addresses
+* aws-ssm-inventory-entry-list
+* aws-ec2-describe-ipam-resource-discoveries
 
 ## Playbook Inputs
 
 ---
 
 | **Name** | **Description** | **Default Value** | **Required** |
 | --- | --- | --- | --- |
-| Indicator Query | Indicators matching the indicator query will be used as playbook input |  | Optional |
 | AwsIP | AWS IP in alert | alert.remoteip | Required |
 | AWSAssumeRoleName | If assuming roles for AWS, this is the name of the role to assume \(should be the same for all organizations\). |  | Optional |
+| Indicator Query | Indicators matching the indicator query will be used as playbook input. |  | Optional |
 
 ## Playbook Outputs
 
@@ -44,6 +46,7 @@ This playbook does not use any sub-playbooks.
 | AWS.EC2.Instances | AWS EC2 information. | unknown |
 | AWS.EC2.SecurityGroups | AWS Security group information. | unknown |
 | AWSHierarchy | AWS account hierarchy information. | unknown |
+| AWS.SSM | AWS SSM information. | unknown |
 
 ## Playbook Image
 

Packs/AWS-Enrichment-Remediation/README.md

@@ -1,12 +1,12 @@
 ##### What does this pack do?
 
 The pack contains AWS playbooks that conduct enrichment and/or remediation and can use multiple other AWS content packs:
-- Enrichment: Give an IP address, see if there is a EC2 instance associated and if so pull information on the security group associated.
-- Remediation: Give the information collected from enrichment, replace the security group with a "quarantine" security group until vulnerabilities are resolved.
+- Enrichment: Given an IP address, see if there is an associated EC2 instance and if so pull information on the associated security group. If an SSM agent is installed on the instance, pull information from the SSM agent.
+- Remediation: Given the information collected from enrichment, replace the security group with a "quarantine" security group until vulnerabilities are resolved.
 - Unclaimed S3 Bucket Validation: The playbook sends a HTTP get response to the domain and validates the missing bucket information.
 - Unclaimed S3 Bucket Remediation: The playbook will create the unclaimed S3 bucket.
 
-There are multiple AWS content packs for multiple AWS products (EC2, IAM, Route53, S3, etc).  The intent was that users can install and use only the packs they need.  However, if an AWS playbook uses multiple pack integrations (such as EC2, S3 and IAM), the integrations can't reside in one of the current packs because they include content from multiple pack integrations.  This pack was created as a place to put AWS playbooks that use AWS integrations from multiple packs with a focus on enrichment and remediation.
+There are multiple AWS content packs for multiple AWS products (EC2, IAM, Route53, S3, SSM, etc.).  The intent was that users can install and use only the packs they need. However, if an AWS playbook uses multiple pack integrations (such as EC2, S3, SSM, and IAM), the integrations can't reside in one of the current packs because they include content from multiple pack integrations. This pack was created as a place to put AWS playbooks that use AWS integrations from multiple packs with a focus on enrichment and remediation.
 
 ### Playbooks
 

Packs/AWS-Enrichment-Remediation/ReleaseNotes/1_1_18.md

@@ -0,0 +1,6 @@
+
+#### Playbooks
+
+##### AWS - Enrichment
+
+Updated the playbook to enrich EC2 and IAM information using AWS SSM.