Claroty xdome updates (demisto#36475)

* Claroty xdome updates (demisto#36335)

* edge-case bug fix

* make alert_class & alert_type searchable

* add MITRE fields

* change the default fetch limit from 50K to 5K

* fixes

* fixes

* fix

* generate release note

* fix typo

* typo fix

* add alert_description fields

* add a test

* undo the 50K -> 5K change

* update docker-image version

* regenerate README

* update RN

* add mapping for OOTB fields MITRE TECHNIQUE ID & MITRE TECHNIQUE NAME

---------

Co-authored-by: adi88d <adaud@paloaltonetworks.com>

* Update .pack-ignore

---------

Co-authored-by: tomlandes <126682705+tomlandes@users.noreply.github.com>
Co-authored-by: adi88d <adaud@paloaltonetworks.com>
Co-authored-by: Adi Daud <46249224+adi88d@users.noreply.github.com>

Packs/ClarotyXDome/.pack-ignore

@@ -0,0 +1,2 @@
+[file:1_0_1.md]
+ignore=RN115

Packs/ClarotyXDome/Classifiers/classifier-mapper-incoming-XDome.json

@@ -23,6 +23,50 @@
                 "Device Name": {
                     "simple": "device_name"
                 },
+                "MITRE Technique ID": {
+					"complex": {
+						"filters": [],
+						"root": "mitre_technique_ics_ids",
+						"transformers": [
+							{
+								"args": {
+									"item": {
+										"isContext": true,
+										"value": {
+											"simple": "mitre_technique_enterprise_ids"
+										}
+									}
+								},
+								"operator": "append"
+							},
+							{
+								"operator": "uniq"
+							}
+						]
+					}
+				},
+				"MITRE Technique Name": {
+					"complex": {
+						"filters": [],
+						"root": "mitre_technique_ics_names",
+						"transformers": [
+							{
+								"args": {
+									"item": {
+										"isContext": true,
+										"value": {
+											"simple": "mitre_technique_enterprise_names"
+										}
+									}
+								},
+								"operator": "append"
+							},
+							{
+								"operator": "uniq"
+							}
+						]
+					}
+				},
                 "Claroty xDome Alert Assignees": {
                     "simple": "alert_assignees"
                 },
@@ -35,6 +79,9 @@
                 "Claroty xDome Alert Type": {
                     "simple": "alert_type_name"
                 },
+                "Claroty xDome Alert Description": {
+                    "simple": "alert_description"
+                },
                 "Claroty xDome Device Assignees": {
                     "simple": "device_assignees"
                 },
@@ -121,6 +168,18 @@
                 },
                 "Claroty xDome Device-Alert Updated Time": {
                     "simple": "device_alert_updated_time"
+                },
+                "Claroty xDome Mitre Technique Enterprise IDs": {
+                    "simple": "mitre_technique_enterprise_ids"
+                },
+                "Claroty xDome Mitre Technique Enterprise Names": {
+                    "simple": "mitre_technique_enterprise_names"
+                },
+                "Claroty xDome Mitre Technique ICS IDs": {
+                    "simple": "mitre_technique_ics_ids"
+                },
+                "Claroty xDome Mitre Technique ICS Names": {
+                    "simple": "mitre_technique_ics_names"
                 }
             }
         }

Packs/ClarotyXDome/IncidentFields/incidentfield-Claroty_xDome_Alert_Class.json

@@ -24,7 +24,7 @@
     ],
     "associatedToAll": false,
     "unmapped": false,
-    "unsearchable": true,
+    "unsearchable": false,
     "caseInsensitive": true,
     "sla": 0,
     "threshold": 72,

Packs/ClarotyXDome/IncidentFields/incidentfield-Claroty_xDome_Alert_Description.json

@@ -0,0 +1,32 @@
+{
+    "id": "incident_clarotyxdomealertdescription",
+    "version": -1,
+    "modified": "2024-09-16T10:25:25.209772537Z",
+    "name": "Claroty xDome Alert Description",
+    "ownerOnly": false,
+    "description": "The alert description, such as \"SMBv1 Communication was detected by 2 OT Device devices\"",
+    "cliName": "clarotyxdomealertdescription",
+    "type": "shortText",
+    "closeForm": false,
+    "editForm": true,
+    "required": false,
+    "neverSetAsRequired": false,
+    "isReadOnly": false,
+    "useAsKpi": false,
+    "locked": false,
+    "system": false,
+    "content": true,
+    "group": 0,
+    "hidden": false,
+    "openEnded": false,
+    "associatedTypes": [
+        "Claroty xDome Alert"
+    ],
+    "associatedToAll": false,
+    "unmapped": false,
+    "unsearchable": true,
+    "caseInsensitive": true,
+    "sla": 0,
+    "threshold": 72,
+    "fromVersion": "6.10.0"
+}

Packs/ClarotyXDome/IncidentFields/incidentfield-Claroty_xDome_Alert_Type.json

@@ -24,7 +24,7 @@
     ],
     "associatedToAll": false,
     "unmapped": false,
-    "unsearchable": true,
+    "unsearchable": false,
     "caseInsensitive": true,
     "sla": 0,
     "threshold": 72,

Packs/ClarotyXDome/IncidentFields/incidentfield-Claroty_xDome_Mitre_Technique_Enterprise_IDs.json

@@ -0,0 +1,32 @@
+{
+    "id": "incident_clarotyxdomemitretechniqueenterpriseids",
+    "version": -1,
+    "modified": "2024-09-16T10:25:25.209772537Z",
+    "name": "Claroty xDome Mitre Technique Enterprise IDs",
+    "ownerOnly": false,
+    "description": "MITRE ATT&CK Enterprise technique IDs mapped to the alert",
+    "cliName": "clarotyxdomemitretechniqueenterpriseids",
+    "type": "multiSelect",
+    "closeForm": false,
+    "editForm": true,
+    "required": false,
+    "neverSetAsRequired": false,
+    "isReadOnly": false,
+    "useAsKpi": false,
+    "locked": false,
+    "system": false,
+    "content": true,
+    "group": 0,
+    "hidden": false,
+    "openEnded": true,
+    "associatedTypes": [
+        "Claroty xDome Alert"
+    ],
+    "associatedToAll": false,
+    "unmapped": false,
+    "unsearchable": true,
+    "caseInsensitive": true,
+    "sla": 0,
+    "threshold": 72,
+    "fromVersion": "6.10.0"
+}

Packs/ClarotyXDome/IncidentFields/incidentfield-Claroty_xDome_Mitre_Technique_Enterprise_Names.json

@@ -0,0 +1,32 @@
+{
+    "id": "incident_clarotyxdomemitretechniqueenterprisenames",
+    "version": -1,
+    "modified": "2024-09-16T10:25:25.209772537Z",
+    "name": "Claroty xDome Mitre Technique Enterprise Names",
+    "ownerOnly": false,
+    "description": "MITRE ATT&CK Enterprise technique names mapped to the alert",
+    "cliName": "clarotyxdomemitretechniqueenterprisenames",
+    "type": "multiSelect",
+    "closeForm": false,
+    "editForm": true,
+    "required": false,
+    "neverSetAsRequired": false,
+    "isReadOnly": false,
+    "useAsKpi": false,
+    "locked": false,
+    "system": false,
+    "content": true,
+    "group": 0,
+    "hidden": false,
+    "openEnded": true,
+    "associatedTypes": [
+        "Claroty xDome Alert"
+    ],
+    "associatedToAll": false,
+    "unmapped": false,
+    "unsearchable": true,
+    "caseInsensitive": true,
+    "sla": 0,
+    "threshold": 72,
+    "fromVersion": "6.10.0"
+}

Packs/ClarotyXDome/IncidentFields/incidentfield-Claroty_xDome_Mitre_Technique_ICS_IDs.json

@@ -0,0 +1,32 @@
+{
+    "id": "incident_clarotyxdomemitretechniqueicsids",
+    "version": -1,
+    "modified": "2024-09-16T10:25:25.209772537Z",
+    "name": "Claroty xDome Mitre Technique ICS IDs",
+    "ownerOnly": false,
+    "description": "MITRE ATT&CK ICS technique IDs mapped to the alert",
+    "cliName": "clarotyxdomemitretechniqueicsids",
+    "type": "multiSelect",
+    "closeForm": false,
+    "editForm": true,
+    "required": false,
+    "neverSetAsRequired": false,
+    "isReadOnly": false,
+    "useAsKpi": false,
+    "locked": false,
+    "system": false,
+    "content": true,
+    "group": 0,
+    "hidden": false,
+    "openEnded": true,
+    "associatedTypes": [
+        "Claroty xDome Alert"
+    ],
+    "associatedToAll": false,
+    "unmapped": false,
+    "unsearchable": true,
+    "caseInsensitive": true,
+    "sla": 0,
+    "threshold": 72,
+    "fromVersion": "6.10.0"
+}

Packs/ClarotyXDome/IncidentFields/incidentfield-Claroty_xDome_Mitre_Technique_ICS_Names.json

@@ -0,0 +1,32 @@
+{
+    "id": "incident_clarotyxdomemitretechniqueicsnames",
+    "version": -1,
+    "modified": "2024-09-16T10:25:25.209772537Z",
+    "name": "Claroty xDome Mitre Technique ICS Names",
+    "ownerOnly": false,
+    "description": "MITRE ATT&CK ICS technique names mapped to the alert",
+    "cliName": "clarotyxdomemitretechniqueicsnames",
+    "type": "multiSelect",
+    "closeForm": false,
+    "editForm": true,
+    "required": false,
+    "neverSetAsRequired": false,
+    "isReadOnly": false,
+    "useAsKpi": false,
+    "locked": false,
+    "system": false,
+    "content": true,
+    "group": 0,
+    "hidden": false,
+    "openEnded": true,
+    "associatedTypes": [
+        "Claroty xDome Alert"
+    ],
+    "associatedToAll": false,
+    "unmapped": false,
+    "unsearchable": true,
+    "caseInsensitive": true,
+    "sla": 0,
+    "threshold": 72,
+    "fromVersion": "6.10.0"
+}

Packs/ClarotyXDome/Integrations/XDome/README.md

@@ -37,7 +37,7 @@ Gets all device-alert pairs from xDome. You can apply a query-filter.
 
 | **Argument Name** | **Description** | **Required** |
 | --- | --- | --- |
-| fields | Fields to return. Possible values are: all, alert_assignees, alert_category, alert_class, alert_id, alert_labels, alert_name, alert_type_name, device_alert_detected_time, device_alert_status, device_alert_updated_time, device_assignees, device_category, device_effective_likelihood_subscore, device_effective_likelihood_subscore_points, device_first_seen_list, device_impact_subscore, device_impact_subscore_points, device_insecure_protocols, device_insecure_protocols_points, device_internet_communication, device_ip_list, device_known_vulnerabilities, device_known_vulnerabilities_points, device_labels, device_last_seen_list, device_likelihood_subscore, device_likelihood_subscore_points, device_mac_list, device_manufacturer, device_name, device_network_list, device_purdue_level, device_retired, device_risk_score, device_risk_score_points, device_site_name, device_subcategory, device_type, device_uid. Default is all. | Optional | 
+| fields | Fields to return. Possible values are: all, alert_assignees, alert_category, alert_class, alert_id, alert_labels, alert_name, alert_type_name, alert_description, device_alert_detected_time, device_alert_status, device_alert_updated_time, device_assignees, device_category, device_effective_likelihood_subscore, device_effective_likelihood_subscore_points, device_first_seen_list, device_impact_subscore, device_impact_subscore_points, device_insecure_protocols, device_insecure_protocols_points, device_internet_communication, device_ip_list, device_known_vulnerabilities, device_known_vulnerabilities_points, device_labels, device_last_seen_list, device_likelihood_subscore, device_likelihood_subscore_points, device_mac_list, device_manufacturer, device_name, device_network_list, device_purdue_level, device_retired, device_risk_score, device_risk_score_points, device_site_name, device_subcategory, device_type, device_uid, mitre_technique_enterprise_ids, mitre_technique_enterprise_names, mitre_technique_ics_ids, mitre_technique_ics_names. Default is all. | Optional | 
 | filter_by | A filter_by object, refer to the xDome API documentation. | Optional | 
 | offset | An offset in the data. This can be used to fetch all data in a paginated manner, by e.g requesting (offset=0, limit=100) followed by (offset=100, limit=100), (offset=200, limit=100), etc. | Optional | 
 | limit | Maximum amount of items to fetch. | Optional | 
@@ -54,6 +54,7 @@ Gets all device-alert pairs from xDome. You can apply a query-filter.
 | XDome.DeviceAlert.alert_category | String | Alert category such as "Risk" or "Segmentation". | 
 | XDome.DeviceAlert.alert_labels | String | The labels added to the alert manually or automatically. | 
 | XDome.DeviceAlert.alert_assignees | String | The users and or groups the alert is assigned to. | 
+| XDome.DeviceAlert.alert_description | String | The alert description, such as "SMBv1 Communication was detected by 2 OT Device devices". | 
 | XDome.DeviceAlert.device_alert_detected_time | Date | Date and time when the Alert was first detected. | 
 | XDome.DeviceAlert.device_alert_updated_time | Date | Date and time of last Alert update. | 
 | XDome.DeviceAlert.device_alert_status | String | Device-Alert relation status \(Resolved or Unresolved\). | 
@@ -86,6 +87,10 @@ Gets all device-alert pairs from xDome. You can apply a query-filter.
 | XDome.DeviceAlert.device_known_vulnerabilities | String | The calculated level of the device’s ‘known vulnerabilities’ likelihood factor, such as "Critical", or "High". | 
 | XDome.DeviceAlert.device_known_vulnerabilities_points | Number | The calculated points for ‘known vulnerabilities’ likelihood factor of a device, such as "54.1". | 
 | XDome.DeviceAlert.device_manufacturer | String | Manufacturer of the device, such as "Alaris". | 
+| XDome.DeviceAlert.mitre_technique_enterprise_ids | List | MITRE ATT&CK® Enterprise technique IDs mapped to the alert. | 
+| XDome.DeviceAlert.mitre_technique_enterprise_names | List | MITRE ATT&CK® Enterprise technique names mapped to the alert. | 
+| XDome.DeviceAlert.mitre_technique_ics_ids | List | MITRE ATT&CK® ICS technique IDs mapped to the alert. | 
+| XDome.DeviceAlert.mitre_technique_ics_names | List | MITRE ATT&CK® ICS technique names mapped to the alert. | 
 
 ### xdome-set-status-for-device-alert-relations
 
@@ -198,4 +203,4 @@ Get details of devices with their related vulnerabilities from the database. The
 | XDome.DeviceVulnerability.device_impact_subscore_points | Number | The calculated impact subscore points of a device, such as "54.1". | 
 | XDome.DeviceVulnerability.device_suspicious | List | The reasons for which the device was marked as suspicious. | 
 | XDome.DeviceVulnerability.device_authentication_user_list | List | The User name used to authenticate the device to the network using Radius/802.1x is extracted from the NAC integration and the traffic. | 
-| XDome.DeviceVulnerability.device_software_or_firmware_version | String | The application version running on the device. | 
+| XDome.DeviceVulnerability.device_software_or_firmware_version | String | The application version running on the device. |