Merged
Expand Up @@ -2076,6 +2076,53 @@ def resolve_approval_request(id, resolution, requestor_email=None, res_comments=
return http_request("POST", "/approvalRequest", data=body_params)


def retrieve_user_data():
"""
Sends request to get user information
:param user_email: user email address
:return: Result of the request
"""
args = demisto.args()
user_email = args.get("user_email")
query = f"name:{user_email}"
params = {'q': query}

user_data = http_request("GET", f"/user", params=params)

human_readable = tableToMarkdown("User Data", user_data, headers=[])

result = CommandResults(
readable_output=human_readable,
outputs_prefix="CBP.UserData",
outputs=user_data)

return_results(result)


def disable_user_command():
"""
Sends request to disable user account
:param user_id: ID of user to disable - retrieved from cbp-retrieve-user-data
:return: Result of the request
"""
args = demisto.args()
user_id = args.get("user_id")
payload = {
"enabled": False
}

user_data = http_request("PUT", f"/user/{user_id}", data=json.dumps(payload))

human_readable = tableToMarkdown("User Data", user_data, headers=[])

result = CommandResults(
readable_output=human_readable,
outputs_prefix="CBP.UserDisable",
outputs=user_data)

return_results(result)


def fetch_incidents():
"""
Fetches incident using the events API
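Review bot: In disable_user_command, user_id goes from demisto.args() straight into the request path (`f"/user/{user_id}"`) with no validation, so a value that is missing, non-numeric or contains `/` changes which resource the PUT is sent to. Convert it to an integer, or reject anything that is not one, before building the URL, and return a clear error when it is absent. retrieve_user_data has the same gap: user_email may be None, which yields the query `name:None`, and the value is placed in a `name:` filter although the argument is documented as an email address and the outputs list a separate EmailAddress field; say which field is matched and validate the input before it is put into the query. Smaller points: both docstrings declare a `:param` for functions that take no parameters, `f"/user"` has no placeholder and does not need the f prefix, and retrieve_user_data lacks the `_command` suffix that disable_user_command uses.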
Expand Down Expand Up @@ -2176,6 +2223,10 @@ def main():
search_connector_command()
elif command == "cbp-approvalRequest-resolve":
resolve_approval_request_command()
elif command == "cbp-user-disable":
disable_user_command()
elif command == "cbp-user-data-retrieve":
retrieve_user_data()
else:
return_error(f"Command {command} is not supported.")
# Log exceptions
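Review bot: The command names dispatched here, `cbp-user-disable` and `cbp-user-data-retrieve`, do not match the names used in the README sections added by this change (`cbp-disable-user`, `cbp-retrieve-user-data`) or in the disable_user_command docstring, which points to `cbp-retrieve-user-data`. Pick one naming and use it in main(), the YAML, the README and the docstrings, so a playbook author who copies a name from the docs does not hit the "is not supported" branch. The handler for `cbp-user-data-retrieve` is also the only one in this block without a `_command` suffix.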
Expand Up @@ -1477,7 +1477,51 @@ script:
- contextPath: CBP.FileRule.ReportOnly
description: Is this rule "reporting only" or is it also "enforcing".
type: String
dockerimage: demisto/python3:3.12.12.5490952
- arguments:
- description: ID of the user to disable. Retrieved from cbp-user-data-retrieve.
name: user_id
required: true
description: Sends request to disable user account.
name: cbp-user-disable
outputs:
- contextPath: CBP.UserDisable.Department
description: The department of the user.
type: String
- contextPath: CBP.UserDisable.EmailAddress
description: The email of the user.
type: String
- contextPath: CBP.UserDisable.Enabled
description: Whether the account is enabled or disabled.
type: String
- contextPath: CBP.UserDisable.ID
description: The ID of the user in Carbon Black.
type: String
- contextPath: CBP.UserDisable.Name
description: The name of the user account.
type: String
- arguments:
- description: Email address of user account to retrieve data for.
name: user_email
required: true
description: Retrieve all user account data.
name: cbp-user-data-retrieve
outputs:
- contextPath: CBP.UserDisable.Department
description: The department of the user.
type: String
- contextPath: CBP.UserDisable.EmailAddress
description: The email of the user.
type: String
- contextPath: CBP.UserDisable.Enabled
description: Whether the account is enabled or disabled.
type: String
- contextPath: CBP.UserDisable.ID
description: The ID of the user in Carbon Black.
type: String
- contextPath: CBP.UserDisable.Name
description: The name of the user account.
type: String
dockerimage: demisto/python3:3.12.13.7444307
subtype: python3
isfetch: true
script: ''
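Review bot: The outputs declared for `cbp-user-data-retrieve` use the context path `CBP.UserDisable.*`, but retrieve_user_data writes its results under `outputs_prefix="CBP.UserData"`, so the declared paths will never be populated by that command. This looks like a copy of the `cbp-user-disable` outputs block; change the five paths to `CBP.UserData.Department`, `.EmailAddress`, `.Enabled`, `.ID` and `.Name`. In both blocks `Enabled` is typed as String while the disable request sends a boolean (`"enabled": False`); consider declaring it as Boolean so playbook conditions can test it directly.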
37 changes: 37 additions & 0 deletions Packs/CarbonBlackProtect/Integrations/CarbonBlackProtect/README.md
Expand Up @@ -844,3 +844,40 @@ Creates or updates a file rule. For more information, see the Carbon Black docum
| CBP.FileRule.Name | String | The rule name. |
| CBP.FileRule.PolicyIDs | String | The policies this rule belongs to. |
| CBP.FileRule.ReportOnly | String | Is this rule "reporting only" or is it also "enforcing". |

### cbp-disable-user

***
Sends request to disable user account

#### Base Command

`cbp-disable-user`

#### Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| user_id | ID of the user to disable. Retrieved from cbp-retrieve-user-data. | Required |

#### Context Output

There is no context output for this command.
### cbp-retrieve-user-data

***
Retrieve all user account data

#### Base Command

`cbp-retrieve-user-data`

#### Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| user_email | Email address of user account to retrieve data for. | Required |

#### Context Output

There is no context output for this command.
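Review bot: Both new README sections state "There is no context output for this command", which contradicts the YAML in this same change, where each command declares five outputs (Department, EmailAddress, Enabled, ID, Name). Replace those lines with an output table in the same Path / Type / Description form as the `CBP.FileRule` table above. The headings and base commands also use `cbp-disable-user` and `cbp-retrieve-user-data`, while the YAML and main() register `cbp-user-disable` and `cbp-user-data-retrieve`; the README should carry the registered names. A blank line is missing before `### cbp-retrieve-user-data`.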
4 changes: 2 additions & 2 deletions Packs/CarbonBlackProtect/pack_metadata.json
Expand Up @@ -2,7 +2,7 @@
"name": "Carbon Black Enterprise Protection",
"description": "Carbon Black Enterprise Protection is a next-generation endpoint threat prevention solution to deliver a portfolio of protection policies, real-time visibility across environments, and comprehensive compliance rule sets in a single platform.",
"support": "xsoar",
"currentVersion": "1.0.49",
"currentVersion": "1.0.50",
"author": "Cortex XSOAR",
"url": "https://www.paloaltonetworks.com/cortex",
"email": "",
Expand All @@ -25,4 +25,4 @@
"cloud",
"cloud_runtime_security"
]
}
}