From 980ade9b529199170827a780e6b79c95675f670a Mon Sep 17 00:00:00 2001
From: xsoar-bot <67315154+xsoar-bot@users.noreply.github.com>
Date: Tue, 27 Jun 2023 15:35:32 +0300
Subject: [PATCH] [Marketplace Contribution] ExtraHop Reveal(x) - Content Pack Update (#27587)
* "contribution update to pack "ExtraHop Reveal(x)""
* Update 2_2_0.md
* Fix flake8 line too long error.
* Revert type to title
* Update docker image.
* Revert marketplace changes to yml file.
---------
Co-authored-by: RFC1918 <61937657+RFC1918-hub@users.noreply.github.com>
Co-authored-by: Danny_Fried
---
 .../Integrations/ExtraHop_v2/ExtraHop_v2.py | 13 ++++++++++++-
 .../Integrations/ExtraHop_v2/ExtraHop_v2.yml | 2 +-
 Packs/ExtraHop/ReleaseNotes/2_2_0.md | 6 ++++++
 Packs/ExtraHop/pack_metadata.json | 2 +-
 4 files changed, 20 insertions(+), 3 deletions(-)
 create mode 100644 Packs/ExtraHop/ReleaseNotes/2_2_0.md
diff --git a/Packs/ExtraHop/Integrations/ExtraHop_v2/ExtraHop_v2.py b/Packs/ExtraHop/Integrations/ExtraHop_v2/ExtraHop_v2.py
index 57593e7f0888..e6202891f190 100644
--- a/Packs/ExtraHop/Integrations/ExtraHop_v2/ExtraHop_v2.py
+++ b/Packs/ExtraHop/Integrations/ExtraHop_v2/ExtraHop_v2.py
@@ -1,3 +1,6 @@
+import demistomock as demisto # noqa: F401
+from CommonServerPython import * # noqa: F401
+
 import json
 import traceback
 from collections import defaultdict
@@ -7,7 +10,6 @@
 import urllib3
-from CommonServerPython import *
 # Disable insecure warnings
 urllib3.disable_warnings()
@@ -69,6 +71,13 @@
 "3": "acknowledged" # archived
 }
+TICKET_SEVERITY = {
+ "0-39": 1, # low
+ "40-69": 2, # medium
+ "70-89": 3, # high
+ "90-100": 4 # critical
+}
+
 VALID_ALERT_RULE_REFIRE_INTERVALS = ["300", "600", "900", "1800", "3600", "7200", "14400"]
 VALID_ALERT_RULE_TYPE = ["threshold", "detection"]
@@ -1446,6 +1455,8 @@ def fetch_extrahop_detections(client: ExtraHopClient, advanced_filter: Dict, las
 'name': str(detection.get("type", "")),
 'occurred': datetime.utcfromtimestamp(detection['start_time'] / 1000).strftime(
 DATE_FORMAT),
+ 'severity': next((severity for range_str, severity in TICKET_SEVERITY.items() if
+ detection.get("risk_score") in range(*map(int, range_str.split("-")))), None),
 'rawJSON': json.dumps(detection)
 }
 incidents.append(incident)
diff --git a/Packs/ExtraHop/Integrations/ExtraHop_v2/ExtraHop_v2.yml b/Packs/ExtraHop/Integrations/ExtraHop_v2/ExtraHop_v2.yml
index daaa33dd7c64..57803440ff51 100644
--- a/Packs/ExtraHop/Integrations/ExtraHop_v2/ExtraHop_v2.yml
+++ b/Packs/ExtraHop/Integrations/ExtraHop_v2/ExtraHop_v2.yml
@@ -5473,7 +5473,7 @@ script:
 description: Use extrahop-packets-search instead. Search for specific packets in Reveal(x).
 execution: false
 name: extrahop-search-packets
- dockerimage: demisto/python3:3.10.11.61265
+ dockerimage: demisto/python3:3.10.12.63474
 feed: false
 isfetch: true
 longRunning: false
diff --git a/Packs/ExtraHop/ReleaseNotes/2_2_0.md b/Packs/ExtraHop/ReleaseNotes/2_2_0.md
new file mode 100644
index 000000000000..55439024b8c3
--- /dev/null
+++ b/Packs/ExtraHop/ReleaseNotes/2_2_0.md
@@ -0,0 +1,6 @@
+
+#### Integrations
+
+##### ExtraHop Reveal(x)
+- Updated the Docker image to: *demisto/python3:3.10.12.63474*.
+- Updated ***fetch_incidents*** to incorporate severity from detection risk score.
diff --git a/Packs/ExtraHop/pack_metadata.json b/Packs/ExtraHop/pack_metadata.json
index aa1a6b9ef22d..9125ffd3f989 100644
--- a/Packs/ExtraHop/pack_metadata.json
+++ b/Packs/ExtraHop/pack_metadata.json
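Review bot: The added `'severity'` lookup excludes the top score of every band, because `range(*map(int, "0-39".split("-")))` is `range(0, 39)`, so risk scores 39, 69, 89 and 100 match nothing and the incident is created with `severity` set to `None`, while the keys of `TICKET_SEVERITY` added in the earlier hunk (`@@ -69,6 +71,13 @@`) read as inclusive bounds. The same expression also re-parses every key string per detection and folds the mapping into a two-line generator, which is what hides the off-by-one; a small module-level helper with an inclusive comparison fixes both, with the incident line becoming `'severity': _severity_from_risk_score(detection.get("risk_score")),`. Whether `risk_score` is always present and integral in the detection payload is not visible here, so the helper below returns `None` for a missing or non-numeric value, which keeps the current fallback. fetch_extrahop_detections starts outside the hunk.
```python
def _severity_from_risk_score(score) -> int | None:
    """Map an ExtraHop detection risk score to an XSOAR severity via TICKET_SEVERITY.

    Band keys are "low-high" strings with inclusive bounds; returns None when the
    score is missing, not numeric, or outside every band.
    """
    if not isinstance(score, (int, float)):
        return None
    for band, severity in TICKET_SEVERITY.items():
        low, high = map(int, band.split("-"))
        if low <= score <= high:
            return severity
    return None

# … unchanged: fetch_extrahop_detections up to the incident dict …
                'severity': _severity_from_risk_score(detection.get("risk_score")),
```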
@@ -2,7 +2,7 @@
 "name": "ExtraHop Reveal(x)",
 "description": "Network detection and response. Complete visibility of network communications at enterprise scale, real-time threat detections backed by machine learning, and guided investigation workflows that simplify response.",
 "support": "partner",
- "currentVersion": "2.1.1",
+ "currentVersion": "2.2.0",
 "author": "ExtraHop",
 "url": "",
 "email": "support@extrahop.com",