Fetuars/security engineer

Packs/AMP/Integrations/AMPv2/AMPv2.yml

@@ -2003,7 +2003,7 @@ script:
     - contextPath: DBotScore.Score
       description: The actual score.
       type: Number
-  dockerimage: demisto/python3:3.10.9.46032
+  dockerimage: demisto/python3:3.10.10.48392
   feed: false
   isfetch: true
   longRunning: false

Packs/AMP/ReleaseNotes/2_0_2.md

@@ -0,0 +1,3 @@
+#### Integrations
+##### Cisco AMP v2
+- Updated the Docker image to: *demisto/python3:3.10.10.48392*.

Packs/AMP/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Cisco AMP",
     "description": "Uses CISCO AMP Endpoint",
     "support": "xsoar",
-    "currentVersion": "2.0.1",
+    "currentVersion": "2.0.2",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

Packs/AWS-GuardDuty/ModelingRules/AWSGuardDutyModelingRules_1_3/AWSGuardDutyModelingRules_1_3.xif

@@ -1,22 +1,20 @@
 [MODEL: dataset="aws_guardduty_raw"]
-alter
+alter targetIP1 = json_extract_scalar(Service, "$.Action.NetworkConnectionAction.RemoteIpDetails.IpAddressV4"),
+    targetIP2 = json_extract_scalar(Service, "$.Action.KubernetesApiCallAction.RemoteIpDetails.IpAddressV4"),
+    username1 = trim(json_extract_scalar(Resource,"$.AccessKeyDetails.UserName"), "\""),
+    username2 = json_extract_scalar(Resource, "$.KubernetesDetails.KubernetesUserDetails.Username"),
+    userType = json_extract_scalar(Resource, "$.AccessKeyDetails.UserType")
+| alter
     xdm.alert.category = json_extract_scalar(Resource, "$.ResourceType"),
     xdm.alert.subcategory = Type,
     xdm.alert.description = Description,
     xdm.event.outcome_reason = Title,
     xdm.alert.severity = to_string(Severity),
     xdm.target.host.hostname = json_extract_scalar(Resource, "$.EksClusterDetails.Name"),
-    xdm.source.user.user_type = json_extract_scalar(Resource, "$.AccessKeyDetails.UserType"),
+    xdm.source.user.user_type = if(userType in("Root","IAMUser","Role","FederatedUser","AWSAccount"),XDM_CONST.USER_TYPE_REGULAR , userType in("Directory","AWSService") ,XDM_CONST.USER_TYPE_SERVICE_ACCOUNT,userType in("AssumedRole") ,XDM_CONST.USER_TYPE_MACHINE_ACCOUNT ,to_string(userType)),
     xdm.source.user.employee_id = json_extract_scalar(Resource, "$.AccessKeyDetails.PrincipalId"),
     xdm.target.process.name = json_extract_scalar(Service, "$.ServiceName"),
     xdm.source.host.ipv4_addresses = arraycreate(coalesce(json_extract_scalar(Service,  "$.Action.AwsApiCallAction.RemoteIpDetails.IpAddressV4"), "")),
-    xdm.source.ipv4 = json_extract_scalar(Service, "$.Action.NetworkConnectionAction.LocalIpDetails.IpAddressV4")
-    | alter targetIP1 = json_extract_scalar(Service, "$.Action.NetworkConnectionAction.RemoteIpDetails.IpAddressV4"),
-            targetIP2 = json_extract_scalar(Service, "$.Action.KubernetesApiCallAction.RemoteIpDetails.IpAddressV4")
-    | alter
-        xdm.target.ipv4 = coalesce(targetIP1, targetIP2)
-    // UseNameExtraction
-    | alter
-        username1 = trim(json_extract_scalar(Resource,"$.AccessKeyDetails.UserName"), "\""),
-        username2 = json_extract_scalar(Resource, "$.KubernetesDetails.KubernetesUserDetails.Username")
-    | alter xdm.source.user.username = coalesce(username1, username2 );
+    xdm.source.ipv4 = json_extract_scalar(Service, "$.Action.NetworkConnectionAction.LocalIpDetails.IpAddressV4"),
+    xdm.target.ipv4 = coalesce(targetIP1, targetIP2),
+    xdm.source.user.username = coalesce(username1, username2 );

Packs/AWS-GuardDuty/ReleaseNotes/1_3_13.md

@@ -0,0 +1,4 @@
+
+#### Modeling Rules
+##### AWSGuardDuty Modeling Rule
+- Update modeling rules.

Packs/AWS-GuardDuty/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "AWS - GuardDuty",
     "description": "Amazon Web Services Guard Duty Service (gd)",
     "support": "xsoar",
-    "currentVersion": "1.3.12",
+    "currentVersion": "1.3.13",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

Packs/AWS-IAM/Integrations/AWS-IAM/AWS-IAM.yml

@@ -2304,7 +2304,7 @@ script:
     - contextPath: AWS.IAM.Users.LoginProfile.PasswordResetRequired
       description: Specifies whether the user is required to set a new password on next sign-in.
       type: Boolean
-  dockerimage: demisto/boto3py3:1.0.0.46675
+  dockerimage: demisto/boto3py3:1.0.0.48904
   feed: false
   isfetch: false
   longRunning: false

Packs/AWS-IAM/ReleaseNotes/1_1_23.md

@@ -0,0 +1,3 @@
+#### Integrations
+##### AWS - Identity and Access Management
+- Updated the Docker image to: *demisto/boto3py3:1.0.0.48904*.

Packs/AWS-IAM/pack_metadata.json

@@ -3,7 +3,7 @@
     "description": "Amazon Web Services Identity and Access Management (IAM)",
     "support": "xsoar",
     "author": "Cortex XSOAR",
-    "currentVersion": "1.1.22",
+    "currentVersion": "1.1.23",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",
     "created": "2020-04-14T00:00:00Z",

Packs/AbnormalSecurity/ModelingRules/AbnormalSecurityEventCollector_1_3/AbnormalSecurityEventCollector_1_3.xif

@@ -7,7 +7,7 @@ alter
     senderIpAddress = coalesce(arraycreate(senderIpAddress))
 | alter
     xdm.event.id = threatId,
-    xdm.event.outcome = remediationStatus,
+    xdm.event.outcome = if(remediationStatus = "Auto-Remediated", XDM_CONST.OUTCOME_SUCCESS, remediationStatus = "Post Remediated", XDM_CONST.OUTCOME_SUCCESS, remediationStatus = "Remediated", XDM_CONST.OUTCOME_SUCCESS, remediationStatus = "No Action Done", XDM_CONST.OUTCOME_FAILED, remediationStatus = "Would Remediate", XDM_CONST.OUTCOME_PARTIAL, remediationStatus = "Remediation Attempted", XDM_CONST.OUTCOME_PARTIAL, remediationStatus = null, null, to_string(remediationStatus)),
     xdm.email.recipients = toAddresses,
     xdm.email.attachment.filename = attachmentNames,
     xdm.email.subject = subject,
@@ -18,6 +18,5 @@ alter
     xdm.alert.category = attackType,
     xdm.alert.name = attackStrategy,
     xdm.alert.description = summaryInsights,
-    xdm.observer.product = abxPortalUrl,
     xdm.observer.unique_identifier = to_string(abxMessageId),
     xdm.target.host.ipv4_addresses = senderIpAddress;

Packs/AbnormalSecurity/ReleaseNotes/2_0_7.md

@@ -0,0 +1,4 @@
+
+#### Modeling Rules
+##### Abnormal Security Event Collector
+- Updated Modeling Rules

Packs/AbnormalSecurity/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Abnormal Security",
     "description": "Abnormal Security detects and protects against the whole spectrum of email attacks",
     "support": "partner",
-    "currentVersion": "2.0.6",
+    "currentVersion": "2.0.7",
     "author": "Abnormal Security",
     "url": "",
     "email": "support@abnormalsecurity.com",

Packs/AlibabaActionTrail/ModelingRules/AlibabaModelingRules_1_3/AlibabaModelingRules_1_3.xif

@@ -9,10 +9,10 @@ filter
     xdm.target.resource.name = event_resourcename,
     xdm.target.resource.type = event_resourcetype,
     xdm.source.ipv4 = event_sourceipaddress,
-    xdm.source.user.user_type = event_useridentity_type,
+    xdm.source.user.user_type = if(event_useridentity_type in("root-account","cloudsso-user","saml-user","alibaba-cloud-account"),XDM_CONST.USER_TYPE_REGULAR, event_useridentity_type in("ram-user","assumed-role"),XDM_CONST.USER_TYPE_SERVICE_ACCOUNT ,to_string(event_useridentity_type)),
     xdm.source.user.identifier = event_useridentity_principalid,
     xdm.source.user.username = event_useridentity_username,
-    xdm.event.outcome=event_errormessage,
+    xdm.event.description=event_errormessage,
     xdm.observer.vendor=_vendor,
     xdm.observer.product=_product;
 
@@ -23,10 +23,10 @@ filter
     xdm.event.id = event_eventid,
     xdm.event.operation = event_eventname,
     xdm.source.ipv4 = event_sourceipaddress,
-    xdm.source.user.user_type = event_useridentity_type,
+    xdm.source.user.user_type = if(event_useridentity_type in("root-account","cloudsso-user","saml-user","alibaba-cloud-account"),XDM_CONST.USER_TYPE_REGULAR, event_useridentity_type in("ram-user","assumed-role"),XDM_CONST.USER_TYPE_SERVICE_ACCOUNT ,to_string(event_useridentity_type)),
     xdm.source.user.identifier = event_useridentity_principalid,
     xdm.source.user.username = event_useridentity_username,
     xdm.session_context_id=event_useridentity_accesskeyid,
-    xdm.event.outcome=event_errormessage,
+    xdm.event.description=event_errormessage,
     xdm.observer.vendor=_vendor,
     xdm.observer.product=_product;

Packs/AlibabaActionTrail/ModelingRules/AlibabaModelingRules_1_3/AlibabaModelingRules_1_3_testdata.json

@@ -45,7 +45,7 @@
         "xdm.event.operation": "DescribeDBClusters",
         "xdm.target.resource.name": null,
         "xdm.target.resource.type": null,
-        "xdm.event.outcome": null,
+        "xdm.event.description": null,
         "xdm.target.cloud.region": "TLV",
         "xdm.source.user.username": "aliyunserviceroleforslsaudit:Common_Data_Access",
         "xdm.source.user.user_type": "testuser:Common_Data_Access",

Packs/AlibabaActionTrail/ReleaseNotes/1_0_12.md

@@ -0,0 +1,4 @@
+
+#### Modeling Rules
+##### Alibaba Modeling Rule
+- Updated Modeling Rules

Packs/AlibabaActionTrail/ReleaseNotes/1_0_13.md

@@ -0,0 +1,4 @@
+
+#### Modeling Rules
+##### Alibaba Modeling Rule
+- Update Modeling Rules.

Packs/AlibabaActionTrail/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Alibaba Action Trail",
     "description": "An Integration Pack to fetch Alibaba action trail events.",
     "support": "xsoar",
-    "currentVersion": "1.0.11",
+    "currentVersion": "1.0.13",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule.py

@@ -212,6 +212,26 @@ def get_endpoints(self,
         endpoints = reply.get('reply').get('endpoints', [])
         return endpoints
 
+    def set_endpoints_alias(self, filters: list[dict[str, str]], new_alias_name: str | None) -> dict:      # pragma: no cover
+        """
+        This func is used to set the alias name of an endpoint.
+
+        args:
+            filters: list of filters to get the endpoints
+            new_alias_name: the new alias name to set
+
+        returns: dict of the response(True if success else error message)
+        """
+
+        request_data = {'filters': filters, 'alias': new_alias_name}
+
+        return self._http_request(
+            method='POST',
+            url_suffix='/endpoints/update_agent_name/',
+            json_data={'request_data': request_data},
+            timeout=self.timeout,
+        )
+
     def isolate_endpoint(self, endpoint_id, incident_id=None):
         request_data = {
             'endpoint_id': endpoint_id,
@@ -1769,6 +1789,63 @@ def get_endpoints_command(client, args):
     )
 
 
+def endpoint_alias_change_command(client: CoreClient, **args) -> CommandResults:
+    # get arguments
+    endpoint_id_list = argToList(args.get('endpoint_id_list'))
+    dist_name_list = argToList(args.get('dist_name'))
+    ip_list = argToList(args.get('ip_list'))
+    group_name_list = argToList(args.get('group_name'))
+    platform_list = argToList(args.get('platform'))
+    alias_name_list = argToList(args.get('alias_name'))
+    isolate = args.get('isolate')
+    hostname_list = argToList(args.get('hostname'))
+    status = args.get('status')
+    scan_status = args.get('scan_status')
+    username_list = argToList(args.get('username'))
+    new_alias_name = args.get('new_alias_name')
+
+    # This is a workaround that is needed because of a specific behaviour of the system
+    # that converts an empty string to a string with double quotes.
+    if new_alias_name == '""':
+        new_alias_name = ""
+
+    first_seen_gte = arg_to_timestamp(
+        arg=args.get('first_seen_gte'),
+        arg_name='first_seen_gte'
+    )
+
+    first_seen_lte = arg_to_timestamp(
+        arg=args.get('first_seen_lte'),
+        arg_name='first_seen_lte'
+    )
+
+    last_seen_gte = arg_to_timestamp(
+        arg=args.get('last_seen_gte'),
+        arg_name='last_seen_gte'
+    )
+
+    last_seen_lte = arg_to_timestamp(
+        arg=args.get('last_seen_lte'),
+        arg_name='last_seen_lte'
+    )
+
+    # create filters
+    filters: list[dict[str, str]] = create_request_filters(
+        status=status, username=username_list, endpoint_id_list=endpoint_id_list, dist_name=dist_name_list,
+        ip_list=ip_list, group_name=group_name_list, platform=platform_list, alias_name=alias_name_list, isolate=isolate,
+        hostname=hostname_list, first_seen_gte=first_seen_gte, first_seen_lte=first_seen_lte,
+        last_seen_gte=last_seen_gte, last_seen_lte=last_seen_lte, scan_status=scan_status
+    )
+    if not filters:
+        raise DemistoException('Please provide at least one filter.')
+    # importent: the API will return True even if the endpoint does not exist, so its a good idea to check
+    # the results by a get_endpoints command
+    client.set_endpoints_alias(filters=filters, new_alias_name=new_alias_name)
+
+    return CommandResults(
+        readable_output="The endpoint alias was changed successfully.")
+
+
 def unisolate_endpoint_command(client, args):
     endpoint_id = args.get('endpoint_id')
     incident_id = arg_to_number(args.get('incident_id'))
@@ -3267,6 +3344,7 @@ def create_request_filters(
     first_seen_lte=None,
     last_seen_gte=None,
     last_seen_lte=None,
+    scan_status=None,
 ):
     filters = []
 
@@ -3368,6 +3446,13 @@ def create_request_filters(
             'value': last_seen_lte
         })
 
+    if scan_status:
+        filters.append({
+            'field': 'scan_status',
+            'operator': 'IN',
+            'value': [scan_status]
+        })
+
     return filters
 
 

Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule_test.py

@@ -3058,3 +3058,48 @@ def test_add_or_remove_tag_endpoint_command(requests_mock, args, expected_filter
             'tag': 'test'
         }
     }
+
+
+excepted_output_1 = {'filters': [{'field': 'endpoint_status',
+                                  'operator': 'IN', 'value': ['connected']}], 'new_alias_name': 'test'}
+excepted_output_2 = {'filters': [{'field': 'endpoint_status',
+                                  'operator': 'IN', 'value': ['connected']}], 'new_alias_name': ""}
+
+
+@pytest.mark.parametrize('input, expected_output', [("test", excepted_output_1),
+                                                    ('""', excepted_output_2)])
+def test_endpoint_alias_change_command__diffrent_alias_new_names(mocker, input, expected_output):
+    """
+    Given:
+    - valid new alias name as string - empty new alias name (due to xsoar limitation,
+    represented by a string of double quote)
+
+    When:
+    - executing the endpoint-alias-change command
+
+    Then:
+    - Makes sure the request body is created correctly.
+
+    """
+    client = CoreClient(base_url=f'{Core_URL}/public_api/v1/', headers={})
+    mocker_set = mocker.patch.object(client, 'set_endpoints_alias')
+    from CoreIRApiModule import endpoint_alias_change_command
+    endpoint_alias_change_command(client=client, status="connected", new_alias_name=input)
+    assert mocker_set.call_args[1] == expected_output
+
+
+def test_endpoint_alias_change_command__no_filters(mocker):
+    """
+    Given:
+    - command withot endpoint filters
+    when:
+    - executing the endpoint-alias-change command
+    then:
+    - make sure the correct error message wil raise.
+    """
+    client = CoreClient(base_url=f'{Core_URL}/public_api/v1/', headers={})
+    mocker.patch.object(client, 'set_endpoints_alias')
+    from CoreIRApiModule import endpoint_alias_change_command
+    with pytest.raises(Exception) as e:
+        endpoint_alias_change_command(client=client, new_alias_name='test')
+    assert e.value.message == "Please provide at least one filter."

Packs/AppNovi/Integrations/appNovi/appNovi.yml

@@ -401,7 +401,7 @@ script:
       type: textArea
       description: Server IP to search
     description: Search for servers using IP address
-  dockerimage: demisto/python3:3.10.9.46032
+  dockerimage: demisto/python3:3.10.10.48392
 tests:
 - No tests (auto formatted)
 fromversion: 6.5.0

Packs/AppNovi/ReleaseNotes/1_0_3.md

@@ -0,0 +1,3 @@
+#### Integrations
+##### appNovi
+- Updated the Docker image to: *demisto/python3:3.10.10.48392*.

Packs/AppNovi/pack_metadata.json

@@ -2,7 +2,7 @@
   "name": "AppNovi",
   "description": "Search your combined security data in appNovi via simplified search or search via the appNovi security graph.",
   "support": "partner",
-  "currentVersion": "1.0.2",
+  "currentVersion": "1.0.3",
   "author": "appNovi",
   "url": "https://appnovi.com/support",
   "email": "",

Packs/AtlassianConfluenceCloud/Integrations/AtlassianConfluenceCloud/AtlassianConfluenceCloud.yml

@@ -2140,7 +2140,7 @@ script:
     - contextPath: ConfluenceCloud.Group._links.self
       description: Link to the group.
       type: String
-  dockerimage: demisto/python3:3.10.9.46032
+  dockerimage: demisto/python3:3.10.10.48392
   feed: false
   isfetch: false
   longRunning: false

Packs/AtlassianConfluenceCloud/ReleaseNotes/1_0_7.md

@@ -0,0 +1,3 @@
+#### Integrations
+##### Atlassian Confluence Cloud
+- Updated the Docker image to: *demisto/python3:3.10.10.48392*.

Packs/AtlassianConfluenceCloud/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Atlassian Confluence Cloud",
     "description": "Atlassian Confluence Cloud allows users to interact with confluence entities like content, space, users and groups. Users can also manage the space permissions.",
     "support": "xsoar",
-    "currentVersion": "1.0.6",
+    "currentVersion": "1.0.7",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

Packs/Auditd/ModelingRules/Auditd_1_3/Auditd_1_3.xif

@@ -13,11 +13,13 @@ addr = arrayindex(regextract(_raw_log ,"\saddr\=(\d+\.\d+\.\d+\.\d+)\s"),0),
 pid = arrayindex(regextract(_raw_log ,"\spid\=(\S+)\s"),0),
 comm = arrayindex(regextract(_raw_log ,"\scomm\=\"*([^\"]+)\"*\s"),0),
 exe = arrayindex(regextract(_raw_log ,"\sexe\=\"*([^\"]+)\"*\s"),0)
+| alter
+    outcome_result = coalesce(res,success)
 | alter
     xdm.event.id = eventid,
 	xdm.event.type = type,
     xdm.session_context_id = ses,
-    xdm.event.outcome = coalesce(res,success),
+    xdm.event.outcome = if(outcome_result = "failed", XDM_CONST.OUTCOME_FAILED, outcome_result = "no", XDM_CONST.OUTCOME_FAILED, outcome_result = "success", XDM_CONST.OUTCOME_SUCCESS, outcome_result = "yes", XDM_CONST.OUTCOME_SUCCESS, outcome_result = null, null, to_string(outcome_result)),
     xdm.event.operation = coalesce(op,key),
 	xdm.source.user.username = acct,
 	xdm.source.user.identifier = uid,