From 8438642033d20da55d2db35a3715bedc77bb2a5d Mon Sep 17 00:00:00 2001
From: YuvHayun
Date: Mon, 26 Aug 2024 12:56:14 +0300
Subject: [PATCH 01/10] changes
---
 Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule.py b/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule.py
index cd72f114f36e..cec3f0549898 100644
--- a/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule.py
+++ b/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule.py
@@ -3561,6 +3561,9 @@ def filter_general_fields(alert: dict, filter_fields: bool = True) -> dict:
 result = {k: v for k, v in alert.items() if k in ALERT_GENERAL_FIELDS}
 else:
 result = alert
+
+ if events_from_decider := alert.get("stateful_raw_data", {}).get("events_from_decider", {}):
+ alert["stateful_raw_data"]["events_from_decider_list"] = list(events_from_decider.values())
 if not (event := alert.get('raw_abioc', {}).get('event', {})):
 return_warning('No XDR cloud analytics event.')
From 25a3b7a4ded3016312a066e1cf747902cc7f7ce7 Mon Sep 17 00:00:00 2001
From: YuvHayun
Date: Mon, 26 Aug 2024 13:51:31 +0300
Subject: [PATCH 02/10] added rn
---
 .../Scripts/CoreIRApiModule/CoreIRApiModule.py | 1 -
 Packs/Core/ReleaseNotes/3_0_55.md | 10 ++++++++++
 Packs/Core/pack_metadata.json | 2 +-
 Packs/CortexXDR/ReleaseNotes/6_1_66.md | 6 ++++++
 Packs/CortexXDR/pack_metadata.json | 2 +-
 Packs/ctf01/ReleaseNotes/1_0_27.md | 6 ++++++
 Packs/ctf01/pack_metadata.json | 2 +-
 7 files changed, 25 insertions(+), 4 deletions(-)
 create mode 100644 Packs/Core/ReleaseNotes/3_0_55.md
 create mode 100644 Packs/CortexXDR/ReleaseNotes/6_1_66.md
 create mode 100644 Packs/ctf01/ReleaseNotes/1_0_27.md
diff --git a/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule.py b/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule.py
index cec3f0549898..1f5277543204 100644
--- a/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule.py
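Review bot: The lookup `alert.get("stateful_raw_data", {}).get("events_from_decider", {})` on the added line only defaults when a key is absent; if `stateful_raw_data` is present as JSON null (not visible from the diff whether the API can return that), or `events_from_decider` is already a list (which the in-place rewrite introduced in patch 03 produces, so a second call with the flag set would hit it), the chained `.get()` / `.values()` raise AttributeError instead of skipping the conversion. I would make the branch a no-op for anything that is not a non-empty dict: `stateful_raw_data = alert.get("stateful_raw_data") or {}` followed by `if isinstance((events_from_decider := stateful_raw_data.get("events_from_decider")), dict) and events_from_decider:`. The same pattern is kept in patch 03 (the @@ -3561 hunk) and patch 08 (the @@ -3563 hunk). filter_general_fields continues outside the hunk.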
+++ b/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule.py @@ -3561,7 +3561,6 @@ def filter_general_fields(alert: dict, filter_fields: bool = True) -> dict: result = {k: v for k, v in alert.items() if k in ALERT_GENERAL_FIELDS} else: result = alert - if events_from_decider := alert.get("stateful_raw_data", {}).get("events_from_decider", {}): alert["stateful_raw_data"]["events_from_decider_list"] = list(events_from_decider.values()) diff --git a/Packs/Core/ReleaseNotes/3_0_55.md b/Packs/Core/ReleaseNotes/3_0_55.md new file mode 100644 index 000000000000..d0e3ee4b50c5 --- /dev/null +++ b/Packs/Core/ReleaseNotes/3_0_55.md @@ -0,0 +1,10 @@ + +#### Integrations + +##### Indicators detection + +- Added the **events_from_decider_list** context path to **core-get-cloud-original-alerts** command to show the events_from_decider as a list. + +##### Investigation & Response + +- Added the **events_from_decider_list** context path to **core-get-cloud-original-alerts** command to show the events_from_decider as a list. diff --git a/Packs/Core/pack_metadata.json b/Packs/Core/pack_metadata.json index a31018fc3844..e113920a5520 100644 --- a/Packs/Core/pack_metadata.json +++ b/Packs/Core/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Core - Investigation and Response", "description": "Automates incident response", "support": "xsoar", - "currentVersion": "3.0.54", + "currentVersion": "3.0.55", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/CortexXDR/ReleaseNotes/6_1_66.md b/Packs/CortexXDR/ReleaseNotes/6_1_66.md new file mode 100644 index 000000000000..7241cc6cea28 --- /dev/null +++ b/Packs/CortexXDR/ReleaseNotes/6_1_66.md @@ -0,0 +1,6 @@ + +#### Integrations + +##### Palo Alto Networks Cortex XDR - Investigation and Response + +- Added the **events_from_decider_list** context path to **xdr-get-cloud-original-alerts** command to show the events_from_decider as a list. 
diff --git a/Packs/CortexXDR/pack_metadata.json b/Packs/CortexXDR/pack_metadata.json index affbbcf401d4..20e9300547d2 100644 --- a/Packs/CortexXDR/pack_metadata.json +++ b/Packs/CortexXDR/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Cortex XDR by Palo Alto Networks", "description": "Automates Cortex XDR incident response, and includes custom Cortex XDR incident views and layouts to aid analyst investigations.", "support": "xsoar", - "currentVersion": "6.1.65", + "currentVersion": "6.1.66", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/ctf01/ReleaseNotes/1_0_27.md b/Packs/ctf01/ReleaseNotes/1_0_27.md new file mode 100644 index 000000000000..ad64f4795516 --- /dev/null +++ b/Packs/ctf01/ReleaseNotes/1_0_27.md @@ -0,0 +1,6 @@ + +#### Integrations + +##### Cortex XDR - IR CTF + +- Added the **events_from_decider_list** context path to **xdr-get-cloud-original-alerts** command to show the events_from_decider as a list. diff --git a/Packs/ctf01/pack_metadata.json b/Packs/ctf01/pack_metadata.json index a9bd560e0f0a..9e835f1487d4 100644 --- a/Packs/ctf01/pack_metadata.json +++ b/Packs/ctf01/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Capture The Flag - 01", "description": "XSOAR's Capture the flag (CTF)", "support": "xsoar", - "currentVersion": "1.0.26", + "currentVersion": "1.0.27", "serverMinVersion": "8.2.0", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", From ccbd35ff9f08ef58c9491fdcc81956aa39b3f7bb Mon Sep 17 00:00:00 2001 From: YuvHayun Date: Mon, 26 Aug 2024 14:52:30 +0300 Subject: [PATCH 03/10] added arg --- .../Scripts/CoreIRApiModule/CoreIRApiModule.py | 11 +++++++---- Packs/Core/Integrations/CortexCoreIR/CortexCoreIR.yml | 7 +++++++ .../Integrations/CortexXDRIR/CortexXDRIR.yml | 7 +++++++ 3 files changed, 21 insertions(+), 4 deletions(-) 
diff --git a/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule.py b/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule.py
index 1f5277543204..cac9879b0436 100644
--- a/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule.py
+++ b/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule.py
@@ -3546,12 +3546,13 @@ def decode_dict_values(dict_to_decode: dict):
 continue
-def filter_general_fields(alert: dict, filter_fields: bool = True) -> dict:
+def filter_general_fields(alert: dict, filter_fields: bool = True, alter_events_from_decider: bool = False) -> dict:
 """filter only relevant general fields from a given alert.
 Args:
 alert (dict): The alert to filter
 filter_fields (bool): Whether to return a subset of the fields.
+ alter_events_from_decider (bool): Whether to return events_from_decider context endpoint as a dictionary or as a list.
 Returns:
 dict: The filtered alert
@@ -3561,8 +3562,9 @@ def filter_general_fields(alert: dict, filter_fields: bool = True) -> dict:
 result = {k: v for k, v in alert.items() if k in ALERT_GENERAL_FIELDS}
 else:
 result = alert
- if events_from_decider := alert.get("stateful_raw_data", {}).get("events_from_decider", {}):
- alert["stateful_raw_data"]["events_from_decider_list"] = list(events_from_decider.values())
+
+ if (events_from_decider := alert.get("stateful_raw_data", {}).get("events_from_decider", {})) and alter_events_from_decider:
+ alert["stateful_raw_data"]["events_from_decider"] = list(events_from_decider.values())
 if not (event := alert.get('raw_abioc', {}).get('event', {})):
 return_warning('No XDR cloud analytics event.')
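Review bot: The docstring line added for `alter_events_from_decider` does not say that the conversion happens in place — the @@ -3561 hunk writes `alert["stateful_raw_data"]["events_from_decider"] = list(events_from_decider.values())` back into the caller's dict and discards the dict keys, which matters because `get_original_alerts_command` passes the same alert object to this function twice. I would document it as `alter_events_from_decider (bool): When True and stateful_raw_data.events_from_decider is a dict, replace it in place (on the passed alert) with a list of its values; the keys are dropped.` and replace "context endpoint" with "context output", the wording the YAML adopts in patch 08. The same docstring text is carried over unchanged under the new parameter name in patch 08 (the @@ -3546 hunk). filter_general_fields continues outside the hunk.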
@@ -3603,6 +3605,7 @@ def filter_vendor_fields(alert: dict):
 def get_original_alerts_command(client: CoreClient, args: Dict) -> CommandResults:
 alert_id_list = argToList(args.get('alert_ids', []))
+ alter_events_from_decider = argToBoolean(args.get('alter_events_from_decider', False))
 raw_response = client.get_original_alerts(alert_id_list)
 reply = copy.deepcopy(raw_response)
 alerts = reply.get('alerts', [])
@@ -3627,7 +3630,7 @@ def get_original_alerts_command(client: CoreClient, args: Dict) -> CommandResult
 alert.update(alert.pop('original_alert_json', {}))
 # Process the alert (with without filetring fields)
- processed_alerts.append(filter_general_fields(alert, filter_fields=False))
+ processed_alerts.append(filter_general_fields(alert, filter_fields=False, alter_events_from_decider))
 # Create a filtered version (used either for output when filter_fields is False, or for readable output)
 filtered_alert = filter_general_fields(alert, filter_fields=True)
diff --git a/Packs/Core/Integrations/CortexCoreIR/CortexCoreIR.yml b/Packs/Core/Integrations/CortexCoreIR/CortexCoreIR.yml
index cc1e48175697..4ae605cb2e5c 100644
--- a/Packs/Core/Integrations/CortexCoreIR/CortexCoreIR.yml
+++ b/Packs/Core/Integrations/CortexCoreIR/CortexCoreIR.yml
@@ -1978,6 +1978,13 @@ script:
 predefined:
 - 'true'
 - 'false'
+ - description: Whether to return Core.OriginalAlert.stateful_raw_data.events_from_decider context endpoint as a dictionary (the raw data) or as a list (improved for playbook automation) - relevant only when filter_alert_fields is set to False.
+ name: alter_events_from_decider
+ auto: PREDEFINED
+ defaultValue: 'false'
+ predefined:
+ - 'true'
+ - 'false'
 description: Returns information about each alert ID.
 name: core-get-cloud-original-alerts
 outputs:
diff --git a/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.yml b/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.yml
index 3ee69cf545d0..41cf2384d79f 100644
--- a/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.yml +++ b/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.yml @@ -2786,6 +2786,13 @@ script: predefined: - 'true' - 'false' + - description: Whether to return PaloAltoNetworksXDR.OriginalAlert.stateful_raw_data.events_from_decider context endpoint as a dictionary (the raw data) or as a list (improved for playbook automation) - relevant only when filter_alert_fields is set to False. + name: alter_events_from_decider + auto: PREDEFINED + defaultValue: 'false' + predefined: + - 'true' + - 'false' description: Returns information about each alert ID. name: xdr-get-cloud-original-alerts outputs: From 738296a7be8fb22a3fe725b36a9cd42ca4bdd26d Mon Sep 17 00:00:00 2001 From: YuvHayun Date: Mon, 26 Aug 2024 14:56:33 +0300 Subject: [PATCH 04/10] updated rns --- Packs/Core/ReleaseNotes/3_0_55.md | 6 +----- Packs/CortexXDR/ReleaseNotes/6_1_66.md | 2 +- Packs/ctf01/ReleaseNotes/1_0_27.md | 6 ------ Packs/ctf01/pack_metadata.json | 2 +- 4 files changed, 3 insertions(+), 13 deletions(-) delete mode 100644 Packs/ctf01/ReleaseNotes/1_0_27.md diff --git a/Packs/Core/ReleaseNotes/3_0_55.md b/Packs/Core/ReleaseNotes/3_0_55.md index d0e3ee4b50c5..de67603c2fea 100644 --- a/Packs/Core/ReleaseNotes/3_0_55.md +++ b/Packs/Core/ReleaseNotes/3_0_55.md @@ -1,10 +1,6 @@ #### Integrations -##### Indicators detection - -- Added the **events_from_decider_list** context path to **core-get-cloud-original-alerts** command to show the events_from_decider as a list. - ##### Investigation & Response -- Added the **events_from_decider_list** context path to **core-get-cloud-original-alerts** command to show the events_from_decider as a list. +- Added the **alter_events_from_decider** argument, use this argument to obtain **events_from_decider** context path as a list (for improved for playbook automation) rather than a dictionary (The original raw data). 
diff --git a/Packs/CortexXDR/ReleaseNotes/6_1_66.md b/Packs/CortexXDR/ReleaseNotes/6_1_66.md index 7241cc6cea28..e1b9bbd284d6 100644 --- a/Packs/CortexXDR/ReleaseNotes/6_1_66.md +++ b/Packs/CortexXDR/ReleaseNotes/6_1_66.md @@ -3,4 +3,4 @@ ##### Palo Alto Networks Cortex XDR - Investigation and Response -- Added the **events_from_decider_list** context path to **xdr-get-cloud-original-alerts** command to show the events_from_decider as a list. +- Added the **alter_events_from_decider** argument, use this argument to obtain **events_from_decider** context path as a list (for improved for playbook automation) rather than a dictionary (The original raw data). diff --git a/Packs/ctf01/ReleaseNotes/1_0_27.md b/Packs/ctf01/ReleaseNotes/1_0_27.md deleted file mode 100644 index ad64f4795516..000000000000 --- a/Packs/ctf01/ReleaseNotes/1_0_27.md +++ /dev/null @@ -1,6 +0,0 @@ - -#### Integrations - -##### Cortex XDR - IR CTF - -- Added the **events_from_decider_list** context path to **xdr-get-cloud-original-alerts** command to show the events_from_decider as a list. diff --git a/Packs/ctf01/pack_metadata.json b/Packs/ctf01/pack_metadata.json index 9e835f1487d4..a9bd560e0f0a 100644 --- a/Packs/ctf01/pack_metadata.json +++ b/Packs/ctf01/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Capture The Flag - 01", "description": "XSOAR's Capture the flag (CTF)", "support": "xsoar", - "currentVersion": "1.0.27", + "currentVersion": "1.0.26", "serverMinVersion": "8.2.0", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", From 2e10190f33f8d65a4776d2014f0c457868887bab Mon Sep 17 00:00:00 2001 From: YuvHayun Date: Mon, 26 Aug 2024 15:32:39 +0300 Subject: [PATCH 05/10] fixes --- Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule.py | 3 ++- Packs/Core/.pack-ignore | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) 
diff --git a/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule.py b/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule.py index cac9879b0436..ca9e58aecea1 100644 --- a/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule.py +++ b/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule.py @@ -3630,7 +3630,8 @@ def get_original_alerts_command(client: CoreClient, args: Dict) -> CommandResult alert.update(alert.pop('original_alert_json', {})) # Process the alert (with without filetring fields) - processed_alerts.append(filter_general_fields(alert, filter_fields=False, alter_events_from_decider)) + processed_alerts.append(filter_general_fields(alert, filter_fields=False, + alter_events_from_decider=alter_events_from_decider)) # Create a filtered version (used either for output when filter_fields is False, or for readable output) filtered_alert = filter_general_fields(alert, filter_fields=True) diff --git a/Packs/Core/.pack-ignore b/Packs/Core/.pack-ignore index 4b9f4becc21c..9b32f7878e16 100644 --- a/Packs/Core/.pack-ignore +++ b/Packs/Core/.pack-ignore @@ -2,7 +2,7 @@ ignore=IN139 [file:README.md] -ignore=RM104 +ignore=RM104,RM106 [file:1_3_23.md] ignore=RN115,RN113 From 5f5a64d92852c24d17ed08fea4b126d761be9e01 Mon Sep 17 00:00:00 2001 From: YuvHayun Date: Mon, 26 Aug 2024 17:43:51 +0300 Subject: [PATCH 06/10] added test --- .../CoreIRApiModule/CoreIRApiModule_test.py | 91 +++++++++++++++++++ 1 file changed, 91 insertions(+) diff --git a/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule_test.py b/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule_test.py index 9ad84d29aa73..047bf1cad884 100644 --- a/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule_test.py +++ b/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule_test.py 
@@ -2534,6 +2534,97 @@ def test_filter_general_fields(): 'identity_sub_type': 'subtype', } } + + +def test_filter_general_fields_with_stateful_raw_data(): + """ + Given: + - An alert dict with stateful_raw_data section + When + - Running filter_general_fields command once with alter_events_from_decider as False and once as True. + Then + - Verify expected output + """ + from CoreIRApiModule import filter_general_fields + alert = { + 'detection_modules': 'test1', + "content_version": "version1", + "detector_id": 'ID', + 'raw_abioc': { + 'event': { + 'event_type': 'type', + 'event_id': 'id', + 'identity_sub_type': 'subtype', + } + }, + 'stateful_raw_data': { + 'events_from_decider': { + "test_1": { + "story_id": "test_1", + "additional_info": "this is a test." + }, + "test_2": { + "story_id": "test_2", + "additional_info": "this is a test." + } + } + } + } + assert filter_general_fields(alert, False, False) == { + 'detection_modules': 'test1', + "content_version": "version1", + "detector_id": 'ID', + 'raw_abioc': { + 'event': { + 'event_type': 'type', + 'event_id': 'id', + 'identity_sub_type': 'subtype', + } + }, + 'stateful_raw_data': { + 'events_from_decider': { + "test_1": { + "story_id": "test_1", + "additional_info": "this is a test." + }, + "test_2": { + "story_id": "test_2", + "additional_info": "this is a test." + } + } + }, + 'event': { + 'event_type': 'type', + 'event_id': 'id', + 'identity_sub_type': 'subtype', + } + } + assert filter_general_fields(alert, False, True) == { + 'detection_modules': 'test1', + "content_version": "version1", + "detector_id": 'ID', + 'raw_abioc': { + 'event': { + 'event_type': 'type', + 'event_id': 'id', + 'identity_sub_type': 'subtype', + } + }, + 'stateful_raw_data': { + 'events_from_decider': [{ + "story_id": "test_1", + "additional_info": "this is a test." + },{ + "story_id": "test_2", + "additional_info": "this is a test." 
+ }] + }, + 'event': { + 'event_type': 'type', + 'event_id': 'id', + 'identity_sub_type': 'subtype', + } + } def test_filter_general_fields_no_event(mocker): From e93d70db28ad0b67219dd69f1db383fbf9dbfee3 Mon Sep 17 00:00:00 2001 From: YuvHayun Date: Mon, 26 Aug 2024 17:46:58 +0300 Subject: [PATCH 07/10] pre commit fixes --- .../CoreIRApiModule/CoreIRApiModule_test.py | 32 +++++++++---------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule_test.py b/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule_test.py index 047bf1cad884..6babda944955 100644 --- a/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule_test.py +++ b/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule_test.py @@ -2534,8 +2534,8 @@ def test_filter_general_fields(): 'identity_sub_type': 'subtype', } } - - + + def test_filter_general_fields_with_stateful_raw_data(): """ Given: @@ -2594,10 +2594,10 @@ def test_filter_general_fields_with_stateful_raw_data(): } }, 'event': { - 'event_type': 'type', - 'event_id': 'id', - 'identity_sub_type': 'subtype', - } + 'event_type': 'type', + 'event_id': 'id', + 'identity_sub_type': 'subtype', + } } assert filter_general_fields(alert, False, True) == { 'detection_modules': 'test1', @@ -2612,18 +2612,18 @@ def test_filter_general_fields_with_stateful_raw_data(): }, 'stateful_raw_data': { 'events_from_decider': [{ - "story_id": "test_1", - "additional_info": "this is a test." - },{ - "story_id": "test_2", - "additional_info": "this is a test." - }] + "story_id": "test_1", + "additional_info": "this is a test." + }, { + "story_id": "test_2", + "additional_info": "this is a test." + }] }, 'event': { - 'event_type': 'type', - 'event_id': 'id', - 'identity_sub_type': 'subtype', - } + 'event_type': 'type', + 'event_id': 'id', + 'identity_sub_type': 'subtype', + } } From 9a293a8323910c25e9550e95d680aeb3eaa322c1 Mon Sep 17 00:00:00 2001 
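Review bot: Both assertions in `test_filter_general_fields_with_stateful_raw_data` run against the same `alert` dict, and with `filter_fields=False` the function returns that very dict after modifying it (the expected output already contains the `event` key the function adds, and the second call rewrites `events_from_decider` in place), so the second assertion appears to depend on the first call's side effects and the test never checks that a caller's input is left untouched. I would build the fixture once and pass `copy.deepcopy(fixture)` to each call, pass the flags by keyword (`filter_fields=False, alter_events_from_decider=True`) rather than positionally so a later rename of the parameter fails loudly instead of matching by position, and add a case with no `stateful_raw_data` key to pin that the conversion is skipped. The test function is fully inside the hunk.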
From: YuvHayun
Date: Tue, 27 Aug 2024 18:03:36 +0300
Subject: [PATCH 08/10] cr fixes
---
 .../Scripts/CoreIRApiModule/CoreIRApiModule.py | 12 ++++++------
 .../Scripts/CoreIRApiModule/CoreIRApiModule_test.py | 2 +-
 .../Core/Integrations/CortexCoreIR/CortexCoreIR.yml | 10 +++++-----
 Packs/Core/Integrations/CortexCoreIR/README.md | 1 +
 Packs/Core/ReleaseNotes/3_0_55.md | 2 +-
 .../Integrations/CortexXDRIR/CortexXDRIR.yml | 10 +++++-----
 Packs/CortexXDR/Integrations/CortexXDRIR/README.md | 1 +
 Packs/CortexXDR/ReleaseNotes/6_1_66.md | 2 +-
 8 files changed, 21 insertions(+), 19 deletions(-)
diff --git a/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule.py b/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule.py
index ca9e58aecea1..4f66cbb52b39 100644
--- a/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule.py
+++ b/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule.py
@@ -3546,13 +3546,13 @@ def decode_dict_values(dict_to_decode: dict):
 continue
-def filter_general_fields(alert: dict, filter_fields: bool = True, alter_events_from_decider: bool = False) -> dict:
+def filter_general_fields(alert: dict, filter_fields: bool = True, events_from_decider_as_list: bool = False) -> dict:
 """filter only relevant general fields from a given alert.
 Args:
 alert (dict): The alert to filter
 filter_fields (bool): Whether to return a subset of the fields.
- alter_events_from_decider (bool): Whether to return events_from_decider context endpoint as a dictionary or as a list.
+ events_from_decider_as_list (bool): Whether to return events_from_decider context endpoint as a dictionary or as a list.
 Returns:
 dict: The filtered alert
@@ -3563,7 +3563,7 @@ def filter_general_fields(alert: dict, filter_fields: bool = True, alter_events_
 else:
 result = alert
- if (events_from_decider := alert.get("stateful_raw_data", {}).get("events_from_decider", {})) and alter_events_from_decider:
+ if (events_from_decider := alert.get("stateful_raw_data", {}).get("events_from_decider", {})) and events_from_decider_as_list:
 alert["stateful_raw_data"]["events_from_decider"] = list(events_from_decider.values())
 if not (event := alert.get('raw_abioc', {}).get('event', {})):
@@ -3605,7 +3605,7 @@ def filter_vendor_fields(alert: dict):
 def get_original_alerts_command(client: CoreClient, args: Dict) -> CommandResults:
 alert_id_list = argToList(args.get('alert_ids', []))
- alter_events_from_decider = argToBoolean(args.get('alter_events_from_decider', False))
+ events_from_decider_as_list = bool(args.get('events_from_decider_format', '') == 'list')
 raw_response = client.get_original_alerts(alert_id_list)
 reply = copy.deepcopy(raw_response)
 alerts = reply.get('alerts', [])
@@ -3631,10 +3631,10 @@ def get_original_alerts_command(client: CoreClient, args: Dict) -> CommandResult
 # Process the alert (with without filetring fields)
 processed_alerts.append(filter_general_fields(alert, filter_fields=False,
- alter_events_from_decider=alter_events_from_decider))
+ events_from_decider_as_list=events_from_decider_as_list))
 # Create a filtered version (used either for output when filter_fields is False, or for readable output)
- filtered_alert = filter_general_fields(alert, filter_fields=True)
+ filtered_alert = filter_general_fields(alert, filter_fields=True, events_from_decider_as_list=False)
 filter_vendor_fields(filtered_alert) # changes in-place
 filtered_alerts.append(filtered_alert)
diff --git a/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule_test.py b/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule_test.py
index 6babda944955..420d6193cbbe 100644
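Review bot: `events_from_decider_as_list = bool(args.get('events_from_decider_format', '') == 'list')` in the @@ -3605 hunk wraps an expression that is already a bool, and any value other than `'list'` — including a typo from a playbook that bypasses the predefined choices — silently selects the dict form. I would drop the `bool()` and reject unknown values: `events_from_decider_format = args.get('events_from_decider_format', 'dict')`, `if events_from_decider_format not in ('dict', 'list'): raise ValueError(f'Unsupported events_from_decider_format: {events_from_decider_format}')`, `events_from_decider_as_list = events_from_decider_format == 'list'`. Separately, in the @@ -3631 hunk the explicit `events_from_decider_as_list=False` on the filtered call cannot undo the value the preceding call already rewrote in place on the same `alert`, so if `stateful_raw_data` is among ALERT_GENERAL_FIELDS (not visible here) the filtered alert carries the list form as well; a `copy.deepcopy(alert)` taken before the first call would decouple the two. get_original_alerts_command continues outside the hunk.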
--- a/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule_test.py +++ b/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule_test.py @@ -2541,7 +2541,7 @@ def test_filter_general_fields_with_stateful_raw_data(): Given: - An alert dict with stateful_raw_data section When - - Running filter_general_fields command once with alter_events_from_decider as False and once as True. + - Running filter_general_fields command once with events_from_decider_as_list as False and once as True. Then - Verify expected output """ diff --git a/Packs/Core/Integrations/CortexCoreIR/CortexCoreIR.yml b/Packs/Core/Integrations/CortexCoreIR/CortexCoreIR.yml index 4ae605cb2e5c..8f9fbae12f79 100644 --- a/Packs/Core/Integrations/CortexCoreIR/CortexCoreIR.yml +++ b/Packs/Core/Integrations/CortexCoreIR/CortexCoreIR.yml @@ -1978,13 +1978,13 @@ script: predefined: - 'true' - 'false' - - description: Whether to return Core.OriginalAlert.stateful_raw_data.events_from_decider context endpoint as a dictionary (the raw data) or as a list (improved for playbook automation) - relevant only when filter_alert_fields is set to False. - name: alter_events_from_decider + - description: Whether to return events_from_decider context output as a dictionary (the raw API response) or as a list (improved for playbook automation) - relevant only when filter_alert_fields is set to False. + name: events_from_decider_format auto: PREDEFINED - defaultValue: 'false' + defaultValue: 'dict' predefined: - - 'true' - - 'false' + - 'list' + - 'dict' description: Returns information about each alert ID. name: core-get-cloud-original-alerts outputs: diff --git a/Packs/Core/Integrations/CortexCoreIR/README.md b/Packs/Core/Integrations/CortexCoreIR/README.md index 3631faf6acdc..d4ae81995213 100644 --- a/Packs/Core/Integrations/CortexCoreIR/README.md +++ b/Packs/Core/Integrations/CortexCoreIR/README.md 
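Review bot: The argument name introduced in the CortexCoreIR.yml hunk, `events_from_decider_format`, is not what the Core release note advertises: Packs/Core/ReleaseNotes/3_0_55.md still names `alter_events_from_decider` after this patch, and patch 10 only bolds it, whereas the XDR note was corrected to the new name in patch 09. The Core note should read `- Added the ***events_from_decider_format*** argument, use this argument to obtain **events_from_decider** context path as a list ...` to match the YAML and the README row added in this same commit. Users searching the release note for the argument name will otherwise not find it in the command.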
@@ -1870,6 +1870,7 @@ Returns information about each alert ID. | **Argument Name** | **Description** | **Required** | | --- | --- | --- | | alert_ids | A comma-separated list of alert IDs. | Required | +| events_from_decider_format | Whether to return events_from_decider context output as a dictionary (the raw API response) or as a list (improved for playbook automation) - relevant only when filter_alert_fields is set to False. | Optional | #### Context Output diff --git a/Packs/Core/ReleaseNotes/3_0_55.md b/Packs/Core/ReleaseNotes/3_0_55.md index de67603c2fea..fc73784814d0 100644 --- a/Packs/Core/ReleaseNotes/3_0_55.md +++ b/Packs/Core/ReleaseNotes/3_0_55.md @@ -3,4 +3,4 @@ ##### Investigation & Response -- Added the **alter_events_from_decider** argument, use this argument to obtain **events_from_decider** context path as a list (for improved for playbook automation) rather than a dictionary (The original raw data). +- Added the **alter_events_from_decider** argument, use this argument to obtain **events_from_decider** context path as a list (for improved for playbook automation) rather than a dictionary (The original API raw response). diff --git a/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.yml b/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.yml index 41cf2384d79f..43f88170c58e 100644 --- a/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.yml +++ b/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.yml 
@@ -2786,13 +2786,13 @@ script: predefined: - 'true' - 'false' - - description: Whether to return PaloAltoNetworksXDR.OriginalAlert.stateful_raw_data.events_from_decider context endpoint as a dictionary (the raw data) or as a list (improved for playbook automation) - relevant only when filter_alert_fields is set to False. - name: alter_events_from_decider + - description: Whether to return events_from_decider context output as a dictionary (the raw API response) or as a list (improved for playbook automation) - relevant only when filter_alert_fields is set to False. + name: events_from_decider_format auto: PREDEFINED - defaultValue: 'false' + defaultValue: 'dict' predefined: - - 'true' - - 'false' + - 'list' + - 'dict' description: Returns information about each alert ID. name: xdr-get-cloud-original-alerts outputs: diff --git a/Packs/CortexXDR/Integrations/CortexXDRIR/README.md b/Packs/CortexXDR/Integrations/CortexXDRIR/README.md index 5487c2fac346..3de01520aca4 100644 --- a/Packs/CortexXDR/Integrations/CortexXDRIR/README.md +++ b/Packs/CortexXDR/Integrations/CortexXDRIR/README.md @@ -2280,6 +2280,7 @@ Builtin Roles with this permission includes: "Investigator", "Responder", "Privi | **Argument Name** | **Description** | **Required** | | --- | --- | --- | | alert_ids | A comma-separated list of alert IDs. | Required | +| events_from_decider_format | Whether to return events_from_decider context output as a dictionary (the raw API response) or as a list (improved for playbook automation) - relevant only when filter_alert_fields is set to False. | Optional | #### Context Output diff --git a/Packs/CortexXDR/ReleaseNotes/6_1_66.md b/Packs/CortexXDR/ReleaseNotes/6_1_66.md index e1b9bbd284d6..4760e917832c 100644 --- a/Packs/CortexXDR/ReleaseNotes/6_1_66.md +++ b/Packs/CortexXDR/ReleaseNotes/6_1_66.md 
@@ -3,4 +3,4 @@ ##### Palo Alto Networks Cortex XDR - Investigation and Response -- Added the **alter_events_from_decider** argument, use this argument to obtain **events_from_decider** context path as a list (for improved for playbook automation) rather than a dictionary (The original raw data). +- Added the **alter_events_from_decider** argument, use this argument to obtain **events_from_decider** context path as a list (for improved for playbook automation) rather than a dictionary (The original API raw response). From adfb69d4e8de813e5dead2fcbd5ac6a00eeadc79 Mon Sep 17 00:00:00 2001 From: Yuval Hayun <70104171+YuvHayun@users.noreply.github.com> Date: Tue, 27 Aug 2024 19:06:36 +0300 Subject: [PATCH 09/10] Update Packs/CortexXDR/ReleaseNotes/6_1_66.md Co-authored-by: Shahaf Ben Yakir <44666568+ShahafBenYakir@users.noreply.github.com> --- Packs/CortexXDR/ReleaseNotes/6_1_66.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Packs/CortexXDR/ReleaseNotes/6_1_66.md b/Packs/CortexXDR/ReleaseNotes/6_1_66.md index 4760e917832c..92b2c8da5442 100644 --- a/Packs/CortexXDR/ReleaseNotes/6_1_66.md +++ b/Packs/CortexXDR/ReleaseNotes/6_1_66.md @@ -3,4 +3,4 @@ ##### Palo Alto Networks Cortex XDR - Investigation and Response -- Added the **alter_events_from_decider** argument, use this argument to obtain **events_from_decider** context path as a list (for improved for playbook automation) rather than a dictionary (The original API raw response). +- Added the ***events_from_decider_format*** argument, use this argument to obtain **events_from_decider** context path as a list (for improved for playbook automation) rather than a dictionary (The original API raw response). From 73fe2b593541c2aac009880f4a8bc206bcb8be9e Mon Sep 17 00:00:00 2001 
From: Yuval Hayun <70104171+YuvHayun@users.noreply.github.com> Date: Tue, 27 Aug 2024 19:06:42 +0300 Subject: [PATCH 10/10] Update Packs/Core/ReleaseNotes/3_0_55.md Co-authored-by: Shahaf Ben Yakir <44666568+ShahafBenYakir@users.noreply.github.com> --- Packs/Core/ReleaseNotes/3_0_55.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Packs/Core/ReleaseNotes/3_0_55.md b/Packs/Core/ReleaseNotes/3_0_55.md index fc73784814d0..fad96db1a0dd 100644 --- a/Packs/Core/ReleaseNotes/3_0_55.md +++ b/Packs/Core/ReleaseNotes/3_0_55.md @@ -3,4 +3,4 @@ ##### Investigation & Response -- Added the **alter_events_from_decider** argument, use this argument to obtain **events_from_decider** context path as a list (for improved for playbook automation) rather than a dictionary (The original API raw response). +- Added the ***alter_events_from_decider*** argument, use this argument to obtain **events_from_decider** context path as a list (for improved for playbook automation) rather than a dictionary (The original API raw response).