Carbon Black Enterprise Protection - Content Pack Update

Packs/CarbonBlackProtect/Integrations/CarbonBlackProtect/CarbonBlackProtect.py

@@ -2076,6 +2076,53 @@ def resolve_approval_request(id, resolution, requestor_email=None, res_comments=
     return http_request("POST", "/approvalRequest", data=body_params)
 
 
+def retrieve_user_data():
+    """
+    Sends request to get user information
+    :param user_email: user email address
+    :return: Result of the request
+    """
+    args = demisto.args()
+    user_email = args.get("user_email")
+    query = f"name:{user_email}"
+    params = {'q': query}
+
+    user_data = http_request("GET", f"/user", params=params)
+
+    human_readable = tableToMarkdown("User Data", user_data, headers=[])
+
+    result = CommandResults(
+        readable_output=human_readable,
+        outputs_prefix="CBP.UserData",
+        outputs=user_data)
+
+    return_results(result)
+
+
+def disable_user_command():
+    """
+    Sends request to disable user account
+    :param user_id: ID of user to disable - retrieved from cbp-retrieve-user-data
+    :return: Result of the request
+    """
+    args = demisto.args()
+    user_id = args.get("user_id")
+    payload = {
+        "enabled": False
+    }
+
+    user_data = http_request("PUT", f"/user/{user_id}", data=json.dumps(payload))
+
+    human_readable = tableToMarkdown("User Data", user_data, headers=[])
+
+    result = CommandResults(
+        readable_output=human_readable,
+        outputs_prefix="CBP.UserDisable",
+        outputs=user_data)
+
+    return_results(result)
+
+
 def fetch_incidents():
     """
     Fetches incident using the events API
@@ -2176,6 +2223,10 @@ def main():
                 search_connector_command()
             elif command == "cbp-approvalRequest-resolve":
                 resolve_approval_request_command()
+            elif command == "cbp-user-disable":
+                disable_user_command()
+            elif command == "cbp-user-data-retrieve":
+                retrieve_user_data()
             else:
                 return_error(f"Command {command} is not supported.")
         # Log exceptions

Packs/CarbonBlackProtect/Integrations/CarbonBlackProtect/CarbonBlackProtect.yml

@@ -1477,7 +1477,51 @@ script:
     - contextPath: CBP.FileRule.ReportOnly
       description: Is this rule "reporting only" or is it also "enforcing".
       type: String
-  dockerimage: demisto/python3:3.12.12.5490952
+  - arguments:
+    - description: ID of the user to disable. Retrieved from cbp-user-data-retrieve.
+      name: user_id
+      required: true
+    description: Sends request to disable user account.
+    name: cbp-user-disable
+    outputs:
+    - contextPath: CBP.UserDisable.Department
+      description: The department of the user.
+      type: String
+    - contextPath: CBP.UserDisable.EmailAddress
+      description: The email of the user.
+      type: String
+    - contextPath: CBP.UserDisable.Enabled
+      description: Whether the account is enabled or disabled.
+      type: String
+    - contextPath: CBP.UserDisable.ID
+      description: The ID of the user in Carbon Black.
+      type: String 
+    - contextPath: CBP.UserDisable.Name
+      description: The name of the user account.
+      type: String 
+  - arguments:
+    - description: Email address of user account to retrieve data for.
+      name: user_email
+      required: true
+    description: Retrieve all user account data.
+    name: cbp-user-data-retrieve
+    outputs:
+    - contextPath: CBP.UserDisable.Department
+      description: The department of the user.
+      type: String
+    - contextPath: CBP.UserDisable.EmailAddress
+      description: The email of the user.
+      type: String
+    - contextPath: CBP.UserDisable.Enabled
+      description: Whether the account is enabled or disabled.
+      type: String
+    - contextPath: CBP.UserDisable.ID
+      description: The ID of the user in Carbon Black.
+      type: String 
+    - contextPath: CBP.UserDisable.Name
+      description: The name of the user account.
+      type: String 
+  dockerimage: demisto/python3:3.12.13.7444307
   subtype: python3
   isfetch: true
   script: ''

Packs/CarbonBlackProtect/Integrations/CarbonBlackProtect/README.md

@@ -844,3 +844,40 @@ Creates or updates a file rule. For more information, see the Carbon Black docum
 | CBP.FileRule.Name | String | The rule name. |
 | CBP.FileRule.PolicyIDs | String | The policies this rule belongs to. |
 | CBP.FileRule.ReportOnly | String | Is this rule "reporting only" or is it also "enforcing". |
+
+### cbp-disable-user
+
+***
+Sends request to disable user account
+
+#### Base Command
+
+`cbp-disable-user`
+
+#### Input
+
+| **Argument Name** | **Description** | **Required** |
+| --- | --- | --- |
+| user_id | ID of the user to disable. Retrieved from cbp-retrieve-user-data. | Required | 
+
+#### Context Output
+
+There is no context output for this command.
+### cbp-retrieve-user-data
+
+***
+Retrieve all user account data
+
+#### Base Command
+
+`cbp-retrieve-user-data`
+
+#### Input
+
+| **Argument Name** | **Description** | **Required** |
+| --- | --- | --- |
+| user_email | Email address of user account to retrieve data for. | Required | 
+
+#### Context Output
+
+There is no context output for this command.

Packs/CarbonBlackProtect/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Carbon Black Enterprise Protection",
     "description": "Carbon Black Enterprise Protection is a next-generation endpoint threat prevention solution to deliver a portfolio of protection policies, real-time visibility across environments, and comprehensive compliance rule sets in a single platform.",
     "support": "xsoar",
-    "currentVersion": "1.0.49",
+    "currentVersion": "1.0.50",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",
@@ -25,4 +25,4 @@
         "cloud",
         "cloud_runtime_security"
     ]
-}
+}