From addd1245f34d4a7d7c475a64e032ba9817e69638 Mon Sep 17 00:00:00 2001 From: Guy Afik <53861351+GuyAfik@users.noreply.github.com> Date: Thu, 28 Dec 2023 08:46:06 +0200 Subject: [PATCH] Carbon black xsup 31609 (#31781) * added a modeling rule (#22875) * added a modeling rule * added a parsing rule * added a parsing rule * added a parsing rule * added a parsing rule * added a parsing rule * added a parsing rule * added a parsing rule * added a parsing rule * added a parsing rule * added a parsing rule * Update README.md (#23810) Edit the file to remove duplication of command names in the right pane. * Modeling rules fixes (#24259) * save * save no exit_code * save not fail on test-modeling-rules * remove ciscoasa changes * Update Docker Image To demisto/chromium (#24291) * Updated Metadata Of Pack ExpanseV2 * Added release notes to pack ExpanseV2 * Packs/ExpanseV2/Scripts/ExpanseGenerateIssueMapWidgetScript/ExpanseGenerateIssueMapWidgetScript.yml Docker image update * Deprecated GitHub TestData (#31573) * get - devices make rows int * handle last location * bump rn * add ut * update docker image --------- Co-authored-by: guytamir10 <106061479+guytamir10@users.noreply.github.com> Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> Co-authored-by: Darya Koval <72339940+daryakoval@users.noreply.github.com> Co-authored-by: content-bot <55035720+content-bot@users.noreply.github.com> Co-authored-by: eepstain <116078117+eepstain@users.noreply.github.com> --- .../CarbonBlackEndpointStandard.py | 30 ++++++++++++------- .../CarbonBlackEndpointStandard.yml | 6 ++-- .../CarbonBlackEndpointStandard_test.py | 11 +++++-- .../CarbonBlackDefense/ReleaseNotes/3_0_42.md | 7 +++++ Packs/CarbonBlackDefense/pack_metadata.json | 2 +- 5 files changed, 38 insertions(+), 18 deletions(-) create mode 100644 Packs/CarbonBlackDefense/ReleaseNotes/3_0_42.md 
diff --git a/Packs/CarbonBlackDefense/Integrations/CarbonBlackEndpointStandard/CarbonBlackEndpointStandard.py b/Packs/CarbonBlackDefense/Integrations/CarbonBlackEndpointStandard/CarbonBlackEndpointStandard.py
index 25cafef6cbb4..873a7ef86f21 100644
--- a/Packs/CarbonBlackDefense/Integrations/CarbonBlackEndpointStandard/CarbonBlackEndpointStandard.py
+++ b/Packs/CarbonBlackDefense/Integrations/CarbonBlackEndpointStandard/CarbonBlackEndpointStandard.py
@@ -2,7 +2,7 @@
 from CommonServerPython import *  # noqa # pylint: disable=unused-wildcard-import
 from CommonServerUserPython import *  # noqa
-from typing import Dict, Any, Tuple
+from typing import Any
 import json
 import urllib3
@@ -42,7 +42,7 @@ def __init__(self, base_url, verify, proxies, api_key, api_secret_key, policy_ap
         self.headers = {'X-Auth-Token': f'{api_secret_key}/{api_key}', 'Content-Type': 'application/json'}
         self.policy_headers = {'X-Auth-Token': f'{policy_api_secret_key}/{policy_api_key}', 'Content-Type': 'application/json'}
-        super(Client, self).__init__(base_url, verify, proxies)
+        super().__init__(base_url, verify, proxies)
     def test_module_request(self) -> dict:
         """ Tests connectivity with the application, for some API's.
@@ -62,7 +62,7 @@ def policy_test_module_request(self) -> dict:
         suffix_url = 'integrationServices/v3/policy'
         return self._http_request('GET', url_suffix=suffix_url, headers=self.policy_headers)
-    def search_alerts_request(self, suffix_url_path: str = None, minimum_severity: int = None, create_time: Dict = None,
+    def search_alerts_request(self, suffix_url_path: str = None, minimum_severity: int = None, create_time: dict = None,
                               policy_id: List = None, device_username: List = None, device_id: List = None, query: str = None, alert_category: List = None, sort_field: str = "create_time", sort_order: str = "ASC", limit: int = 50) -> dict:
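Review bot: Trimming the import to `from typing import Any` leaves `List` and `Optional`, which the new signatures still use (this hunk's `policy_id: List = None`, and `Optional[Any]` in the get_devices hunk at line 822), resolvable presumably only through the `from CommonServerPython import *` wildcard, so the file's own dependency line no longer states what it relies on. I'd either keep it explicit, `from typing import Any, List, Optional`, or finish the modernisation the hunk starts and use `list` / `dict | None` throughout, since the pack's Docker image is Python 3.10. As written, `create_time: dict = None` next to `policy_id: List = None` mixes builtin generics and typing aliases in one signature. The search_alerts_request body continues outside the hunk.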
@@ -822,8 +822,8 @@ def get_alert_by_id(self, alert_id: str = None) -> dict:
     # Devices API
     def get_devices(self, device_id: List = None, status: List = None, device_os: List = None,
-                    last_contact_time: Dict[str, Optional[Any]] = None, target_priority: List = None, query: str = None,
-                    rows: int = None) -> Dict:
+                    last_contact_time: dict[str, Optional[Any]] = None, target_priority: List = None, query: str = None,
+                    rows: int = None) -> dict:
         """Searches for Carbon Black devices using the 'appservices/v6/orgs/{org_key}/devices/_search' API endpoint
@@ -866,7 +866,7 @@ def get_devices(self, device_id: List = None, status: List = None, device_os: Li
                 target_priority=target_priority
             ),
             query=query,
-            rows=rows
+            rows=arg_to_number(rows)
         )
         return self._http_request(method='POST', url_suffix=suffix_url, headers=self.headers, json_data=body)
@@ -1021,7 +1021,7 @@ def convert_to_demisto_severity(severity: int) -> int:
 def fetch_incidents(client: Client, fetch_time: str, fetch_limit: int, last_run: dict, filters: dict) -> \
-        Tuple[List[dict], Dict[str, int]]:
+        tuple[List[dict], dict[str, int]]:
     """This function retrieves new alerts every interval (default is 1 minute).
     This function has to implement the logic of making sure that incidents are
@@ -1479,10 +1479,18 @@ def device_search_command(client: Client, args: dict):
     device_id = argToList(args.get('device_id'))
     device_os = argToList(args.get('os'))
     device_status = argToList(args.get('status'))
-    last_location = {
-        'start': args.get('start_time'),
-        'end': args.get('end_time')
-    }
+    start_time, end_time = args.get("start_time"), args.get("end_time")
+
+    if start_time and end_time:
+        last_location = {
+            'start': start_time,
+            'end': end_time
+        }
+    elif (not start_time and end_time) or (start_time and not end_time):
+        raise ValueError("both start_time and end_time must be set")
+    else:
+        last_location = None
+
     target_priority = argToList(args.get('target_priority'))
     query = args.get('query')
     rows = args.get('rows')
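Review bot: `rows=arg_to_number(rows)` in the get_devices hunk at line 866 does the string-to-int conversion inside the client, while the same method's signature (hunk at line 822) still declares `rows: int = None`, so the annotation no longer describes what callers actually pass, and a non-numeric value fails with arg_to_number's generic message. I'd convert where the other command arguments are parsed, `rows = arg_to_number(args.get('rows'), arg_name='rows')` in device_search_command, and keep the client at `rows=rows`; if the conversion stays in the client, at least pass `arg_name='rows'` so the ValueError names the argument. The body of get_devices between the two hunks is outside the view.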
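Review bot: The branch `elif (not start_time and end_time) or (start_time and not end_time):` in the device_search_command hunk at line 1479 runs only when the preceding `if start_time and end_time` was false, so it reduces to `elif start_time or end_time:`; the spelled-out xor reads as though it were evaluated on its own. The new `args.get("start_time")` line uses double quotes while every other `args.get(...)` in the hunk uses single quotes. Both values are forwarded to the API exactly as given, so a malformed timestamp only surfaces as a remote error; if that matters, `arg_to_datetime(start_time, arg_name='start_time')` would reject it before the request is built. device_search_command continues outside the hunk.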
diff --git a/Packs/CarbonBlackDefense/Integrations/CarbonBlackEndpointStandard/CarbonBlackEndpointStandard.yml b/Packs/CarbonBlackDefense/Integrations/CarbonBlackEndpointStandard/CarbonBlackEndpointStandard.yml
index 05c5c3edd362..aebc248ac9df 100644
--- a/Packs/CarbonBlackDefense/Integrations/CarbonBlackEndpointStandard/CarbonBlackEndpointStandard.yml
+++ b/Packs/CarbonBlackDefense/Integrations/CarbonBlackEndpointStandard/CarbonBlackEndpointStandard.yml
@@ -808,7 +808,7 @@ script:
       name: rows
     - description: The first row to use for pagination.
       name: start
-    - description: 'The time window in which to restrict the search to match using device_timestamp as the reference. The window value will take priority over the start and end times if provided. For example {"end": "2020-01-21T18:34:04Z", "start": "2020-01-18T18:34:04Z", "window": "-2w"}, window: “-2w” (where y=year, w=week, d=day, h=hour, m=minute, s=second) start: ISO 8601 timestamp, end: ISO 8601 timestamp'
+    - description: 'The time window in which to restrict the search to match using device_timestamp as the reference. The window value will take priority over the start and end times if provided. For example {"end": "2020-01-21T18:34:04Z", "start": "2020-01-18T18:34:04Z", "window": "-2w"}, window: “-2w” (where y=year, w=week, d=day, h=hour, m=minute, s=second) start: ISO 8601 timestamp, end: ISO 8601 timestamp.'
       name: time_range
     description: 'Creates an enriched events search job. The results for the search job may be requested using the returned job ID. At least one of the arguments (not including: rows, start, time_range) is required).'
     name: cbd-find-events
@@ -1357,7 +1357,7 @@ script:
       - MONITORED
     - description: The device ID.
       name: device_id
-    - description: 'The time of the first event associated with the alert. The syntax is {"start": "", "range": "", "end": "" }. For example: { "start": "2010-09-25T00:10:50.277Z", "end": "2015-01-20T10:40:00.00Z"}'
+    - description: 'The time of the first event associated with the alert. The syntax is {"start": "", "range": "", "end": "" }. For example: { "start": "2010-09-25T00:10:50.277Z", "end": "2015-01-20T10:40:00.00Z"}.'
       name: first_event_time
     - description: The policy ID.
       name: policy_id
@@ -1567,7 +1567,7 @@ script:
     - contextPath: CarbonBlackDefense.Alert.policy_applied
       description: Whether a policy was applied. (APPLIED, NOT_APPLIED).
       type: String
-  dockerimage: demisto/python3:3.10.13.72123
+  dockerimage: demisto/python3:3.10.13.83255
   isfetch: true
   runonce: false
   script: '-'
diff --git a/Packs/CarbonBlackDefense/Integrations/CarbonBlackEndpointStandard/CarbonBlackEndpointStandard_test.py b/Packs/CarbonBlackDefense/Integrations/CarbonBlackEndpointStandard/CarbonBlackEndpointStandard_test.py
index 2592eed58714..b3d3da2bcda5 100644
--- a/Packs/CarbonBlackDefense/Integrations/CarbonBlackEndpointStandard/CarbonBlackEndpointStandard_test.py
+++ b/Packs/CarbonBlackDefense/Integrations/CarbonBlackEndpointStandard/CarbonBlackEndpointStandard_test.py
@@ -43,7 +43,8 @@ def test_device_search_command(mocker):
     When: get_devices is running
     Then:
-        Assert that the output is we are expected
+        - make sure that the output is what we expect
+        - make sure the body request is sent properly
     """
     mocker_result = {
         "results": [
@@ -56,13 +57,17 @@ def test_device_search_command(mocker):
         ]
     }
     client = create_client()
-    mocker.patch.object(client, 'get_devices', return_value=mocker_result)
+    http_request_mocker = mocker.patch.object(client, '_http_request', return_value=mocker_result)
+
     from CarbonBlackEndpointStandard import device_search_command
-    command_results = device_search_command(client, {'device_id': '1234', 'os': 'MAC', 'status': 'sleep'})
+    command_results = device_search_command(client, {'device_id': '1234', 'os': 'MAC', 'status': 'sleep', 'rows': '20'})
     output = command_results.to_context().get('EntryContext', {})
     assert output == expected_result
+    assert http_request_mocker.call_args.kwargs["json_data"] == {
+        'criteria': {'id': ['1234'], 'status': ['sleep'], 'os': ['MAC']}, 'rows': 20
+    }
 def test_find_events_command(mocker):
diff --git a/Packs/CarbonBlackDefense/ReleaseNotes/3_0_42.md b/Packs/CarbonBlackDefense/ReleaseNotes/3_0_42.md
new file mode 100644
index 000000000000..1acbb2bf3f3d
--- /dev/null
+++ b/Packs/CarbonBlackDefense/ReleaseNotes/3_0_42.md
@@ -0,0 +1,7 @@
+
+#### Integrations
+
+##### Carbon Black Endpoint Standard v2
+
+- Fixed an issue in the **cbd-device-search** command where the *rows*, *start_time* and *end_time* arguments were not parsed correctly.
+- Updated the Docker image to: *demisto/python3:3.10.13.83255*.
diff --git a/Packs/CarbonBlackDefense/pack_metadata.json b/Packs/CarbonBlackDefense/pack_metadata.json
index 88f8a256b1ba..d3bf97ff905d 100644
--- a/Packs/CarbonBlackDefense/pack_metadata.json
+++ b/Packs/CarbonBlackDefense/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Carbon Black Endpoint Standard",
     "description": "Next-generation antivirus + EDR in one cloud-delivered platform that stops commodity malware, advanced malware, non-malware attacks and ransomware.",
     "support": "xsoar",
-    "currentVersion": "3.0.41",
+    "currentVersion": "3.0.42",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",
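Review bot: The new `json_data` assertion pins only the `rows` conversion; the start_time/end_time handling this same commit changes in device_search_command is not exercised at all, neither the path where both are given (the window should appear in the sent criteria) nor the mismatched path that now raises `ValueError`, even though the release note advertises that fix. I'd add a case with only `start_time` set that expects the error and checks no request was sent, and one with both set asserting the criteria actually posted (I can't name the criteria key for the window from this hunk, so that assertion needs to be filled in from get_devices). The sketch below assumes `pytest` is already imported in this test module. test_device_search_command begins outside the hunk.
```python
def test_device_search_command_missing_end_time(mocker):
    """A start_time without an end_time must be rejected before any request is sent."""
    client = create_client()
    http_request_mocker = mocker.patch.object(client, '_http_request')
    from CarbonBlackEndpointStandard import device_search_command

    with pytest.raises(ValueError):
        device_search_command(client, {'device_id': '1234', 'start_time': '2023-01-01T00:00:00Z'})
    http_request_mocker.assert_not_called()
```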