From 10983c1a059879a52559a2bbf3b90e7c5be3b251 Mon Sep 17 00:00:00 2001 From: Juliya Smith Date: Tue, 23 Jun 2020 12:46:22 +0000 Subject: [PATCH 01/26] Add search alert command --- Packs/Code42/Integrations/Code42/Code42.py | 28 +++++++- Packs/Code42/Integrations/Code42/Code42.yml | 41 ++++++++++- .../Code42/integration-Code42.yml | 69 ++++++++++++++++++- .../Code42GetDepartingEmployees/CHANGELOG.md | 2 + .../Code42GetDepartingEmployees.py | 16 +++++ .../Code42GetDepartingEmployees.yml | 17 +++++ .../Code42GetDepartingEmployees/README.md | 0 .../widget-Departing_Employees_Alerts.json | 35 ++++++++++ 8 files changed, 204 insertions(+), 4 deletions(-) create mode 100644 Packs/Code42/Scripts/Code42GetDepartingEmployees/CHANGELOG.md create mode 100644 Packs/Code42/Scripts/Code42GetDepartingEmployees/Code42GetDepartingEmployees.py create mode 100644 Packs/Code42/Scripts/Code42GetDepartingEmployees/Code42GetDepartingEmployees.yml create mode 100644 Packs/Code42/Scripts/Code42GetDepartingEmployees/README.md create mode 100644 Packs/Code42/Widgets/widget-Departing_Employees_Alerts.json diff --git a/Packs/Code42/Integrations/Code42/Code42.py b/Packs/Code42/Integrations/Code42/Code42.py index 8d83633fe331..de3f2f00e056 100644 --- a/Packs/Code42/Integrations/Code42/Code42.py +++ b/Packs/Code42/Integrations/Code42/Code42.py @@ -20,7 +20,7 @@ FileCategory, ) from py42.sdk.queries.alerts.alert_query import AlertQuery -from py42.sdk.queries.alerts.filters import DateObserved, Severity, AlertState +from py42.sdk.queries.alerts.filters import DateObserved, Severity, AlertState, Actor as AlertActor # Disable insecure warnings requests.packages.urllib3.disable_warnings() 
@@ -216,6 +216,10 @@ def fetch_alerts(self, start_time, event_severity_filter): res = self._sdk.alerts.search(query) return res["alerts"] + def search_alerts(self, username): + query = AlertQuery(AlertActor.eq(username)) + return self._sdk.alerts.search(query)["alerts"] + def get_alert_details(self, alert_id): res = self._sdk.alerts.get_details(alert_id)["alerts"] if not res: @@ -509,6 +513,27 @@ def alert_resolve_command(client, args): return_error(create_command_error_message(demisto.command(), e)) +def alert_search_command(client, args): + username = args["username"] + try: + alerts = client.search_alerts(username) + alert_context = [] + for alert in alerts: + alert_context.append(map_to_code42_alert_context(alert)) + readable_outputs = tableToMarkdown( + "Code42 Security Alert Search", + alert_context, + headers=SECURITY_ALERT_HEADERS, + ) + return ( + readable_outputs, + {"Code42.SecurityAlert": alert_context}, + alerts + ) + + except Exception as e: + return_error(create_command_error_message(demisto.command(), e)) + @logger def departingemployee_add_command(client, args): departing_date = args.get("departuredate") @@ -815,6 +840,7 @@ def main(): commands = { "code42-alert-get": alert_get_command, "code42-alert-resolve": alert_resolve_command, + "code42-alert-search": alert_search_command, "code42-securitydata-search": securitydata_search_command, "code42-departingemployee-add": departingemployee_add_command, "code42-departingemployee-remove": departingemployee_remove_command, diff --git a/Packs/Code42/Integrations/Code42/Code42.yml b/Packs/Code42/Integrations/Code42/Code42.yml index e914c2b7feaa..822032a33c8e 100644 --- a/Packs/Code42/Integrations/Code42/Code42.yml +++ b/Packs/Code42/Integrations/Code42/Code42.yml 
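Review bot: In `alert_search_command`, `username = args["username"]` runs before the `try`, so a call without the argument raises a bare KeyError instead of going through `create_command_error_message`; move the lookup inside the `try` or read it as `username = args.get("username")` and fail with a clear message when it is missing. The append loop can be a comprehension, `alert_context = [map_to_code42_alert_context(a) for a in alerts]`. `search_alerts` returns whatever a single `self._sdk.alerts.search(query)` call yields, with no date bound or paging; if the SDK pages results, a user with many alerts gets a truncated list, which matters because the departing-employee script added later in this series uses `len(alerts)` as the alert count — worth a comment on the method or a paging loop. The same two functions are duplicated verbatim into integration-Code42.yml in this commit, so any fix applies there too.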
@@ -240,7 +240,7 @@ script: - contextPath: Code42.SecurityAlert.Severity description: The severity of the alert. type: string - description: Retrieve alert details by alert ID + description: Retrieve alert details by alert ID. - name: code42-alert-resolve arguments: - name: id @@ -252,6 +252,43 @@ script: description: The alert ID of the resolved alert. type: string description: Resolves a Code42 Security alert. + - name: code42-alert-search + arguments: + - name: username + required: true + description: The username for the user to search alerts for. + outputs: + - contextPath: Code42.SecurityAlert.Username + description: The username associated with the alert. + type: string + - contextPath: Code42.SecurityAlert.Occurred + description: The timestamp when the alert occurred. + type: date + - contextPath: Code42.SecurityAlert.Description + description: The description of the alert. + type: string + - contextPath: Code42.SecurityAlert.ID + description: The alert ID. + type: string + - contextPath: Code42.SecurityAlert.Name + description: The alert rule name that generated the alert. + type: string + - contextPath: Code42.SecurityAlert.State + description: The alert state. + type: string + - contextPath: Code42.SecurityAlert.Type + description: The alert type. + type: string + - contextPath: Code42.SecurityAlert.Severity + description: The severity of the alert. + type: string + description: Search alerts by username. + + + + + + - name: code42-departingemployee-add arguments: - name: username @@ -362,6 +399,7 @@ script: type: string - contextPath: Code42.HighRiskEmployee.RiskTags description: Risk tags to associate with the High Risk Employee. + description: Add the given risk tags to the user with the given username. - name: code42-highriskemployee-remove-risk-tags arguments: - name: username 
@@ -379,6 +417,7 @@ script: type: string - contextPath: Code42.HighRiskEmployee.RiskTags description: Risk tags to disassociate from the High Risk Employee. + description: Remove the given risk tags from the user with the given username. dockerimage: demisto/py42:1.0.0.9242 isfetch: true runonce: false diff --git a/Packs/Code42/Integrations/Code42/integration-Code42.yml b/Packs/Code42/Integrations/Code42/integration-Code42.yml index 1bf98b61977e..b3e16f927b89 100644 --- a/Packs/Code42/Integrations/Code42/integration-Code42.yml +++ b/Packs/Code42/Integrations/Code42/integration-Code42.yml @@ -81,7 +81,7 @@ script: from py42.sdk.queries.alerts.alert_query import AlertQuery - from py42.sdk.queries.alerts.filters import DateObserved, Severity, AlertState + from py42.sdk.queries.alerts.filters import DateObserved, Severity, AlertState, Actor as AlertActor # Disable insecure warnings @@ -287,6 +287,10 @@ script: res = self._sdk.alerts.search(query) return res["alerts"] + def search_alerts(self, username): + query = AlertQuery(AlertActor.eq(username)) + return self._sdk.alerts.search(query)["alerts"] + def get_alert_details(self, alert_id): res = self._sdk.alerts.get_details(alert_id)["alerts"] if not res: @@ -588,6 +592,27 @@ script: return_error(create_command_error_message(demisto.command(), e)) + def alert_search_command(client, args): + username = args["username"] + try: + alerts = client.search_alerts(username) + alert_context = [] + for alert in alerts: + alert_context.append(map_to_code42_alert_context(alert)) + readable_outputs = tableToMarkdown( + "Code42 Security Alert Search", + alert_context, + headers=SECURITY_ALERT_HEADERS, + ) + return ( + readable_outputs, + {"Code42.SecurityAlert": alert_context}, + alerts + ) + + except Exception as e: + return_error(create_command_error_message(demisto.command(), e)) + @logger def departingemployee_add_command(client, args): 
@@ -903,6 +928,7 @@ script: commands = { "code42-alert-get": alert_get_command, "code42-alert-resolve": alert_resolve_command, + "code42-alert-search": alert_search_command, "code42-securitydata-search": securitydata_search_command, "code42-departingemployee-add": departingemployee_add_command, "code42-departingemployee-remove": departingemployee_remove_command, @@ -1128,7 +1154,7 @@ script: - contextPath: Code42.SecurityAlert.Severity description: The severity of the alert. type: string - description: Retrieve alert details by alert ID + description: Retrieve alert details by alert ID. - name: code42-alert-resolve arguments: - name: id @@ -1139,6 +1165,43 @@ script: description: The alert ID of the resolved alert. type: string description: Resolves a Code42 Security alert. + - name: code42-alert-search + arguments: + - name: username + required: true + description: The username for the user to search alerts for. + outputs: + - contextPath: Code42.SecurityAlert.Username + description: The username associated with the alert. + type: string + - contextPath: Code42.SecurityAlert.Occurred + description: The timestamp when the alert occurred. + type: date + - contextPath: Code42.SecurityAlert.Description + description: The description of the alert. + type: string + - contextPath: Code42.SecurityAlert.ID + description: The alert ID. + type: string + - contextPath: Code42.SecurityAlert.Name + description: The alert rule name that generated the alert. + type: string + - contextPath: Code42.SecurityAlert.State + description: The alert state. + type: string + - contextPath: Code42.SecurityAlert.Type + description: The alert type. + type: string + - contextPath: Code42.SecurityAlert.Severity + description: The severity of the alert. + type: string + description: Search alerts by username. + + + + + + - name: code42-departingemployee-add arguments: - name: username 
@@ -1249,6 +1312,7 @@ script: type: string - contextPath: Code42.HighRiskEmployee.RiskTags description: Risk tags to associate with the High Risk Employee. + description: Add the given risk tags to the user with the given username. - name: code42-highriskemployee-remove-risk-tags arguments: - name: username @@ -1266,6 +1330,7 @@ script: type: string - contextPath: Code42.HighRiskEmployee.RiskTags description: Risk tags to disassociate from the High Risk Employee. + description: Remove the given risk tags from the user with the given username. dockerimage: demisto/py42:1.0.0.9242 isfetch: true runonce: false diff --git a/Packs/Code42/Scripts/Code42GetDepartingEmployees/CHANGELOG.md b/Packs/Code42/Scripts/Code42GetDepartingEmployees/CHANGELOG.md new file mode 100644 index 000000000000..63439c17f377 --- /dev/null +++ b/Packs/Code42/Scripts/Code42GetDepartingEmployees/CHANGELOG.md @@ -0,0 +1,2 @@ +## [Unreleased] +- diff --git a/Packs/Code42/Scripts/Code42GetDepartingEmployees/Code42GetDepartingEmployees.py b/Packs/Code42/Scripts/Code42GetDepartingEmployees/Code42GetDepartingEmployees.py new file mode 100644 index 000000000000..5e031b0c412b --- /dev/null +++ b/Packs/Code42/Scripts/Code42GetDepartingEmployees/Code42GetDepartingEmployees.py @@ -0,0 +1,16 @@ +import demistomock as demisto +from CommonServerPython import * + +res = {"total": 0, "data": []} +employees = demisto.executeCommand("code42-departingemployee-get-all", {})[0]["Contents"] +res["total"] = len(employees) + +for employee in employees: + user_id = employee["userId"] + + + + employee_res = {"Username": employee["userName"]} + res["data"].append(employee_res) + +demisto.results(res) diff --git a/Packs/Code42/Scripts/Code42GetDepartingEmployees/Code42GetDepartingEmployees.yml b/Packs/Code42/Scripts/Code42GetDepartingEmployees/Code42GetDepartingEmployees.yml new file mode 100644 index 000000000000..4fd66c3c8437 --- /dev/null 
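Review bot: `demisto.executeCommand(...)[0]["Contents"]` is indexed without checking the entry type, so when the command fails `Contents` is an error string and `len(employees)` plus the loop operate on its characters; read the entry first, `entry = demisto.executeCommand("code42-departingemployee-get-all", {})[0]`, and guard with `if isError(entry): return_error(entry["Contents"])` before using it. `user_id = employee["userId"]` is assigned and never used, and the three blank lines inside the loop look like leftover scaffolding. The same unguarded `[0]["Contents"]` pattern recurs in every later rewrite of this script in the series (patches 02, 03 and 12), including the per-user `code42-alert-search` call whose result is passed straight to `len()`.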
+++ b/Packs/Code42/Scripts/Code42GetDepartingEmployees/Code42GetDepartingEmployees.yml @@ -0,0 +1,17 @@ +comment: Gets all departing employees and alerts for each. +commonfields: + id: 468c8e6f-6f50-486f-8cde-7dabe4cbeb2b + version: -1 +dependson: + must: + - Code42|||code42-departingemployee-get-all +dockerimage: demisto/py42:1.0.0.9242 +enabled: true +name: Code42GetDepartingEmployees +pswd: "" +runas: DBotWeakRole +runonce: false +script: '' +scripttarget: 0 +subtype: python3 +type: python diff --git a/Packs/Code42/Scripts/Code42GetDepartingEmployees/README.md b/Packs/Code42/Scripts/Code42GetDepartingEmployees/README.md new file mode 100644 index 000000000000..e69de29bb2d1 diff --git a/Packs/Code42/Widgets/widget-Departing_Employees_Alerts.json b/Packs/Code42/Widgets/widget-Departing_Employees_Alerts.json new file mode 100644 index 000000000000..75fbc8f1c16d --- /dev/null +++ b/Packs/Code42/Widgets/widget-Departing_Employees_Alerts.json @@ -0,0 +1,35 @@ +{ + "category": "", + "dataType": "scripts", + "dateRange": { + "fromDate": "0001-01-01T00:00:00Z", + "fromDateLicense": "0001-01-01T00:00:00Z", + "period": { + "by": "", + "byFrom": "days", + "byTo": "", + "field": "", + "fromValue": null, + "toValue": null + }, + "toDate": "0001-01-01T00:00:00Z" + }, + "id": "570ec235-7ee4-43ea-8fc7-eba94a0cca71", + "isPredefined": false, + "name": "Departing Employees Alerts", + "params": { + "tableColumns": [ + { + "displayed": true, + "isDefault": true, + "key": "Username" + } + ] + }, + "query": "Code42GetDepartingEmployees", + "size": 0, + "sort": null, + "sortValues": null, + "version": -1, + "widgetType": "table" +} \ No newline at end of file From 7000efb570fc73193d304dca818d8d121537be25 Mon Sep 17 00:00:00 2001 
From: Juliya Smith Date: Tue, 23 Jun 2020 13:09:53 +0000 Subject: [PATCH 02/26] Save progress --- Packs/Code42/Integrations/Code42/CHANGELOG.md | 2 ++ .../Code42GetDepartingEmployees.py | 22 +++++++++++-------- .../Code42GetDepartingEmployees.yml | 1 + .../widget-Departing_Employees_Alerts.json | 5 +++++ 4 files changed, 21 insertions(+), 9 deletions(-) diff --git a/Packs/Code42/Integrations/Code42/CHANGELOG.md b/Packs/Code42/Integrations/Code42/CHANGELOG.md index 244b5e76f237..d04b1c3823ab 100644 --- a/Packs/Code42/Integrations/Code42/CHANGELOG.md +++ b/Packs/Code42/Integrations/Code42/CHANGELOG.md @@ -1,5 +1,7 @@ ## [Unreleased] Added new commands: + - **Code42GetDepartingEmployees** which gets departing employees and alerts for each employee. + - **code42-alert-search** that searches alerts by username. - **code42-departingemployee-get-all** that gets all the employees on the Departing Employee List. - **code42-highriskemployee-add** that takes a username and adds the employee to the High Risk Employee List. - **code42-highriskemployee-remove** that takes a username and remove the employee from the High Risk Employee List. diff --git a/Packs/Code42/Scripts/Code42GetDepartingEmployees/Code42GetDepartingEmployees.py b/Packs/Code42/Scripts/Code42GetDepartingEmployees/Code42GetDepartingEmployees.py index 5e031b0c412b..d518a75efe66 100644 --- a/Packs/Code42/Scripts/Code42GetDepartingEmployees/Code42GetDepartingEmployees.py +++ b/Packs/Code42/Scripts/Code42GetDepartingEmployees/Code42GetDepartingEmployees.py 
@@ -2,15 +2,19 @@ from CommonServerPython import * res = {"total": 0, "data": []} -employees = demisto.executeCommand("code42-departingemployee-get-all", {})[0]["Contents"] -res["total"] = len(employees) -for employee in employees: - user_id = employee["userId"] +try: + employees = demisto.executeCommand("code42-departingemployee-get-all", {})[0]["Contents"] + res["total"] = len(employees) + for employee in employees: + username = employee["userName"] + alerts = demisto.executeCommand("code42-alert-search", {"username": username})[0]["Contents"] + alerts_count = len(alerts) + if alerts_count: + employee_res = {"Username": username, "Alerts Count": alerts_count} + res["data"].append(employee_res) - - employee_res = {"Username": employee["userName"]} - res["data"].append(employee_res) - -demisto.results(res) + demisto.results(res) +except Exception as e: + demisto.results(e) diff --git a/Packs/Code42/Scripts/Code42GetDepartingEmployees/Code42GetDepartingEmployees.yml b/Packs/Code42/Scripts/Code42GetDepartingEmployees/Code42GetDepartingEmployees.yml index 4fd66c3c8437..41bfc6673381 100644 --- a/Packs/Code42/Scripts/Code42GetDepartingEmployees/Code42GetDepartingEmployees.yml +++ b/Packs/Code42/Scripts/Code42GetDepartingEmployees/Code42GetDepartingEmployees.yml @@ -5,6 +5,7 @@ commonfields: dependson: must: - Code42|||code42-departingemployee-get-all + - Code42|||code42-alerts-search dockerimage: demisto/py42:1.0.0.9242 enabled: true name: Code42GetDepartingEmployees diff --git a/Packs/Code42/Widgets/widget-Departing_Employees_Alerts.json b/Packs/Code42/Widgets/widget-Departing_Employees_Alerts.json index 75fbc8f1c16d..2f256486b03b 100644 --- a/Packs/Code42/Widgets/widget-Departing_Employees_Alerts.json +++ b/Packs/Code42/Widgets/widget-Departing_Employees_Alerts.json @@ -23,6 +23,11 @@ "displayed": true, "isDefault": true, "key": "Username" + }, + { + "displayed": true, + "isDefault": true, + "key": "Alerts Count" } ] }, 
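Review bot: `demisto.results(e)` in the new `except` hands the exception object itself to the results API, which expects an entry or a JSON-serialisable value, so the failure is likely to surface as a serialisation problem rather than as the original message; use `return_error(str(e))` so the caller gets a proper error entry. The per-user `code42-alert-search` result is also read as `[0]["Contents"]` and passed to `len()` with no error check, so a failed search for one user counts the characters of the error message as that user's alerts and the row is emitted as if it were real data.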
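Review bot: The added dependency `Code42|||code42-alerts-search` does not match the command the script actually calls, which is `code42-alert-search` (singular) as registered in the command map in patch 01; change the line to `- Code42|||code42-alerts-search` → `- Code42|||code42-alert-search` so the dependency resolves to an existing command.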
From 4affd1b0fac5b11c2e057f9a1778b0e872c468f9 Mon Sep 17 00:00:00 2001 From: Juliya Smith Date: Tue, 23 Jun 2020 17:21:05 +0000 Subject: [PATCH 03/26] Rename --- .../CHANGELOG.md | 0 .../Code42GetDepartingEmployeeAlerts.py | 30 +++++++++++++++++++ .../Code42GetDepartingEmployeeAlerts.yml} | 0 .../README.md | 0 .../Code42GetDepartingEmployees.py | 20 ------------- ... => widget-Departing_Employee_Alerts.json} | 0 6 files changed, 30 insertions(+), 20 deletions(-) rename Packs/Code42/Scripts/{Code42GetDepartingEmployees => Code42GetDepartingEmployeeAlerts}/CHANGELOG.md (100%) create mode 100644 Packs/Code42/Scripts/Code42GetDepartingEmployeeAlerts/Code42GetDepartingEmployeeAlerts.py rename Packs/Code42/Scripts/{Code42GetDepartingEmployees/Code42GetDepartingEmployees.yml => Code42GetDepartingEmployeeAlerts/Code42GetDepartingEmployeeAlerts.yml} (100%) rename Packs/Code42/Scripts/{Code42GetDepartingEmployees => Code42GetDepartingEmployeeAlerts}/README.md (100%) delete mode 100644 Packs/Code42/Scripts/Code42GetDepartingEmployees/Code42GetDepartingEmployees.py rename Packs/Code42/Widgets/{widget-Departing_Employees_Alerts.json => widget-Departing_Employee_Alerts.json} (100%) diff --git a/Packs/Code42/Scripts/Code42GetDepartingEmployees/CHANGELOG.md b/Packs/Code42/Scripts/Code42GetDepartingEmployeeAlerts/CHANGELOG.md similarity index 100% rename from Packs/Code42/Scripts/Code42GetDepartingEmployees/CHANGELOG.md rename to Packs/Code42/Scripts/Code42GetDepartingEmployeeAlerts/CHANGELOG.md diff --git a/Packs/Code42/Scripts/Code42GetDepartingEmployeeAlerts/Code42GetDepartingEmployeeAlerts.py b/Packs/Code42/Scripts/Code42GetDepartingEmployeeAlerts/Code42GetDepartingEmployeeAlerts.py new file mode 100644 index 000000000000..a06cd3c05458 --- /dev/null +++ b/Packs/Code42/Scripts/Code42GetDepartingEmployeeAlerts/Code42GetDepartingEmployeeAlerts.py 
@@ -0,0 +1,30 @@ +import demistomock as demisto +from CommonServerPython import * + +res = {"total": 0} +res_data = [] + +try: + employees = demisto.executeCommand("code42-departingemployee-get-all", {})[0]["Contents"] + res["total"] = len(employees) + + # Get each employee on the Departing Employee List and their total alerts. + for employee in employees: + username = employee["userName"] + alerts = demisto.executeCommand("code42-alert-search", {"username": username})[0]["Contents"] + alerts_count = len(alerts) + employee_res = {"Username": username, "Alerts Count": alerts_count} + res_data.append(employee_res) + + # Sort such that highest alert counts are first. + res["data"] = sorted(res_data, key=lambda x: x["Alerts Count"], reverse=True) + demisto.results(res) +except Exception as e: + res = { + "Type": entryTypes["error"], + "ContentsFormat": formats["text"], + "Contents": "Exception info:\n{0}".format(str(ex)) + } + +# Submit final results to Cortex XSOAR +demisto.results(res) diff --git a/Packs/Code42/Scripts/Code42GetDepartingEmployees/Code42GetDepartingEmployees.yml b/Packs/Code42/Scripts/Code42GetDepartingEmployeeAlerts/Code42GetDepartingEmployeeAlerts.yml similarity index 100% rename from Packs/Code42/Scripts/Code42GetDepartingEmployees/Code42GetDepartingEmployees.yml rename to Packs/Code42/Scripts/Code42GetDepartingEmployeeAlerts/Code42GetDepartingEmployeeAlerts.yml diff --git a/Packs/Code42/Scripts/Code42GetDepartingEmployees/README.md b/Packs/Code42/Scripts/Code42GetDepartingEmployeeAlerts/README.md similarity index 100% rename from Packs/Code42/Scripts/Code42GetDepartingEmployees/README.md rename to Packs/Code42/Scripts/Code42GetDepartingEmployeeAlerts/README.md diff --git a/Packs/Code42/Scripts/Code42GetDepartingEmployees/Code42GetDepartingEmployees.py b/Packs/Code42/Scripts/Code42GetDepartingEmployees/Code42GetDepartingEmployees.py deleted file mode 100644 index d518a75efe66..000000000000 
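Review bot: The `except` block formats `str(ex)` while the handler binds `e`, so any failure raises a NameError from inside the handler and the intended error entry is never built; use `str(e)`. On the success path `demisto.results(res)` is called inside the `try` and again unconditionally after it, so the same result is emitted twice; drop the call inside the `try` and let the trailing one submit both outcomes. Patch 06 fixes the `ex`/`e` mismatch but keeps the double `demisto.results(res)`, and the `main()` wrapper in patch 12 carries it forward as well.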
--- a/Packs/Code42/Scripts/Code42GetDepartingEmployees/Code42GetDepartingEmployees.py +++ /dev/null @@ -1,20 +0,0 @@ -import demistomock as demisto -from CommonServerPython import * - -res = {"total": 0, "data": []} - -try: - employees = demisto.executeCommand("code42-departingemployee-get-all", {})[0]["Contents"] - res["total"] = len(employees) - - for employee in employees: - username = employee["userName"] - alerts = demisto.executeCommand("code42-alert-search", {"username": username})[0]["Contents"] - alerts_count = len(alerts) - if alerts_count: - employee_res = {"Username": username, "Alerts Count": alerts_count} - res["data"].append(employee_res) - - demisto.results(res) -except Exception as e: - demisto.results(e) diff --git a/Packs/Code42/Widgets/widget-Departing_Employees_Alerts.json b/Packs/Code42/Widgets/widget-Departing_Employee_Alerts.json similarity index 100% rename from Packs/Code42/Widgets/widget-Departing_Employees_Alerts.json rename to Packs/Code42/Widgets/widget-Departing_Employee_Alerts.json From f54c3b6db214e9b5f2a9f6e3297c41b375ef5d03 Mon Sep 17 00:00:00 2001 From: Juliya Smith Date: Tue, 23 Jun 2020 17:21:13 +0000 Subject: [PATCH 04/26] Rename --- .../Code42GetDepartingEmployeeAlerts.yml | 2 +- Packs/Code42/Widgets/widget-Departing_Employee_Alerts.json | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Packs/Code42/Scripts/Code42GetDepartingEmployeeAlerts/Code42GetDepartingEmployeeAlerts.yml b/Packs/Code42/Scripts/Code42GetDepartingEmployeeAlerts/Code42GetDepartingEmployeeAlerts.yml index 41bfc6673381..e6e5d6e60798 100644 --- a/Packs/Code42/Scripts/Code42GetDepartingEmployeeAlerts/Code42GetDepartingEmployeeAlerts.yml +++ b/Packs/Code42/Scripts/Code42GetDepartingEmployeeAlerts/Code42GetDepartingEmployeeAlerts.yml 
@@ -8,7 +8,7 @@ dependson: - Code42|||code42-alerts-search dockerimage: demisto/py42:1.0.0.9242 enabled: true -name: Code42GetDepartingEmployees +name: Code42GetDepartingEmployeeAlerts pswd: "" runas: DBotWeakRole runonce: false diff --git a/Packs/Code42/Widgets/widget-Departing_Employee_Alerts.json b/Packs/Code42/Widgets/widget-Departing_Employee_Alerts.json index 2f256486b03b..1b097e32e9af 100644 --- a/Packs/Code42/Widgets/widget-Departing_Employee_Alerts.json +++ b/Packs/Code42/Widgets/widget-Departing_Employee_Alerts.json @@ -16,7 +16,7 @@ }, "id": "570ec235-7ee4-43ea-8fc7-eba94a0cca71", "isPredefined": false, - "name": "Departing Employees Alerts", + "name": "Departing Employee Alerts", "params": { "tableColumns": [ { @@ -31,7 +31,7 @@ } ] }, - "query": "Code42GetDepartingEmployees", + "query": "Code42GetDepartingEmployeeAlerts", "size": 0, "sort": null, "sortValues": null, From 4aa37910558051fbbbe450ef6f86fc103585cf26 Mon Sep 17 00:00:00 2001 From: Juliya Smith Date: Tue, 23 Jun 2020 17:26:44 +0000 Subject: [PATCH 05/26] Test alert search command --- Packs/Code42/Integrations/Code42/Code42_test.py | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/Packs/Code42/Integrations/Code42/Code42_test.py b/Packs/Code42/Integrations/Code42/Code42_test.py index e2d7dba7ce58..328a11c3f257 100644 --- a/Packs/Code42/Integrations/Code42/Code42_test.py +++ b/Packs/Code42/Integrations/Code42/Code42_test.py @@ -12,6 +12,7 @@ map_to_file_context, alert_get_command, alert_resolve_command, + alert_search_command, departingemployee_add_command, departingemployee_remove_command, departingemployee_get_all_command, 
@@ -994,6 +995,12 @@ def test_alert_resolve_command(code42_alerts_mock): assert res["id"] == "36fb8ca5-0533-4d25-9763-e09d35d60610" +def test_alert_search_command(code42_alerts_mock): + client = create_client(code42_alerts_mock) + _, _, res = alert_search_command(client, {"username": "user1@example.com"}) + assert res == json.loads(MOCK_ALERTS_RESPONSE)["alerts"] + + def test_departingemployee_add_command(code42_sdk_mock): client = create_client(code42_sdk_mock) _, _, res = departingemployee_add_command( From 3d50bd0727a2935871586836c7144268d243805b Mon Sep 17 00:00:00 2001 From: Juliya Smith Date: Tue, 23 Jun 2020 18:02:55 +0000 Subject: [PATCH 06/26] Handle getting only top x number --- .../Code42GetDepartingEmployeeAlerts.py | 13 ++++++------- .../Code42GetDepartingEmployeeAlerts.yml | 6 ++++++ 2 files changed, 12 insertions(+), 7 deletions(-) diff --git a/Packs/Code42/Scripts/Code42GetDepartingEmployeeAlerts/Code42GetDepartingEmployeeAlerts.py b/Packs/Code42/Scripts/Code42GetDepartingEmployeeAlerts/Code42GetDepartingEmployeeAlerts.py index a06cd3c05458..b1eb3c4feace 100644 --- a/Packs/Code42/Scripts/Code42GetDepartingEmployeeAlerts/Code42GetDepartingEmployeeAlerts.py +++ b/Packs/Code42/Scripts/Code42GetDepartingEmployeeAlerts/Code42GetDepartingEmployeeAlerts.py @@ -1,8 +1,10 @@ import demistomock as demisto from CommonServerPython import * + res = {"total": 0} res_data = [] +top = demisto.args().get("top") or 10 try: employees = demisto.executeCommand("code42-departingemployee-get-all", {})[0]["Contents"] 
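Review bot: `test_alert_search_command` discards the readable output and the context dict and asserts only that the raw third element equals the mocked payload, so a regression in `map_to_code42_alert_context` or in the `Code42.SecurityAlert` context key would pass unnoticed; unpack the context too, `_, ctx, res = alert_search_command(client, {"username": "user1@example.com"})`, and assert on `ctx["Code42.SecurityAlert"][0]["ID"]` against the id in `MOCK_ALERTS_RESPONSE` (placeholder: use the mock's actual alert id).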
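Review bot: `top = demisto.args().get("top") or 10` keeps the argument exactly as delivered, and script arguments arrive as strings in XSOAR even when the YAML declares `type: number`, so the `[:top]` slice in the next hunk raises `TypeError: slice indices must be integers` whenever a user supplies the argument; use `top = int(demisto.args().get("top") or 10)`. Since this assignment sits outside the `try`, a non-numeric value would still escape as an unhandled ValueError, so either move it inside or validate it explicitly.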
@@ -16,15 +18,12 @@ employee_res = {"Username": username, "Alerts Count": alerts_count} res_data.append(employee_res) - # Sort such that highest alert counts are first. - res["data"] = sorted(res_data, key=lambda x: x["Alerts Count"], reverse=True) + # Sort such that highest alert counts are first and get top. + res["data"] = sorted(res_data, key=lambda x: x["Alerts Count"], reverse=True)[:top] demisto.results(res) except Exception as e: - res = { - "Type": entryTypes["error"], - "ContentsFormat": formats["text"], - "Contents": "Exception info:\n{0}".format(str(ex)) - } + res["total"] = -1 + res["data"] = str(e) # Submit final results to Cortex XSOAR demisto.results(res) diff --git a/Packs/Code42/Scripts/Code42GetDepartingEmployeeAlerts/Code42GetDepartingEmployeeAlerts.yml b/Packs/Code42/Scripts/Code42GetDepartingEmployeeAlerts/Code42GetDepartingEmployeeAlerts.yml index e6e5d6e60798..6b6f9f495d2a 100644 --- a/Packs/Code42/Scripts/Code42GetDepartingEmployeeAlerts/Code42GetDepartingEmployeeAlerts.yml +++ b/Packs/Code42/Scripts/Code42GetDepartingEmployeeAlerts/Code42GetDepartingEmployeeAlerts.yml @@ -1,3 +1,8 @@ +args: +- defaultValue: 10 + description: To limit results to x number of employees with the highest alert count. + name: top + type: number comment: Gets all departing employees and alerts for each. commonfields: id: 468c8e6f-6f50-486f-8cde-7dabe4cbeb2b @@ -15,4 +20,5 @@ runonce: false script: '' scripttarget: 0 subtype: python3 +tags: [] type: python From 515e438395d40fd51d27c2fe55c36480e13d602b Mon Sep 17 00:00:00 2001 From: Juliya Smith Date: Tue, 23 Jun 2020 18:16:02 +0000 Subject: [PATCH 07/26] ignore 0 --- .../Code42GetDepartingEmployeeAlerts.py | 7 +++++-- Packs/Code42/Widgets/widget-Departing_Employee_Alerts.json | 7 ++++++- 2 files changed, 11 insertions(+), 3 deletions(-) 
diff --git a/Packs/Code42/Scripts/Code42GetDepartingEmployeeAlerts/Code42GetDepartingEmployeeAlerts.py b/Packs/Code42/Scripts/Code42GetDepartingEmployeeAlerts/Code42GetDepartingEmployeeAlerts.py index b1eb3c4feace..83e457d30c59 100644 --- a/Packs/Code42/Scripts/Code42GetDepartingEmployeeAlerts/Code42GetDepartingEmployeeAlerts.py +++ b/Packs/Code42/Scripts/Code42GetDepartingEmployeeAlerts/Code42GetDepartingEmployeeAlerts.py @@ -15,8 +15,11 @@ username = employee["userName"] alerts = demisto.executeCommand("code42-alert-search", {"username": username})[0]["Contents"] alerts_count = len(alerts) - employee_res = {"Username": username, "Alerts Count": alerts_count} - res_data.append(employee_res) + + # Ignores employees without alerts + if alerts_count: + employee_res = {"Username": username, "Alerts Count": alerts_count} + res_data.append(employee_res) # Sort such that highest alert counts are first and get top. res["data"] = sorted(res_data, key=lambda x: x["Alerts Count"], reverse=True)[:top] diff --git a/Packs/Code42/Widgets/widget-Departing_Employee_Alerts.json b/Packs/Code42/Widgets/widget-Departing_Employee_Alerts.json index 1b097e32e9af..14f85e30ebde 100644 --- a/Packs/Code42/Widgets/widget-Departing_Employee_Alerts.json +++ b/Packs/Code42/Widgets/widget-Departing_Employee_Alerts.json @@ -24,12 +24,17 @@ "isDefault": true, "key": "Username" }, + { + "displayed": true, + "isDefault": true, + "key": "Alerts Count" + }, { "displayed": true, "isDefault": true, "key": "Alerts Count" } - ] + ] }, "query": "Code42GetDepartingEmployeeAlerts", "size": 0, From c7dca90467bd6c214ad88e28f1a5adc90faf1fc7 Mon Sep 17 00:00:00 2001 From: Juliya Smith Date: Tue, 23 Jun 2020 18:17:03 +0000 Subject: [PATCH 08/26] Fix cl --- Packs/Code42/Integrations/Code42/CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Packs/Code42/Integrations/Code42/CHANGELOG.md b/Packs/Code42/Integrations/Code42/CHANGELOG.md index d04b1c3823ab..3226c1a1b14f 100644 
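Review bot: The widget's `tableColumns` now lists the `Alerts Count` column twice — the entry added in patch 02 is still present directly below the one added here — so the table renders a duplicate column; keep a single `{"displayed": true, "isDefault": true, "key": "Alerts Count"}` entry. The `]` change in the same hunk is indentation only.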
--- a/Packs/Code42/Integrations/Code42/CHANGELOG.md +++ b/Packs/Code42/Integrations/Code42/CHANGELOG.md @@ -1,6 +1,6 @@ ## [Unreleased] Added new commands: - - **Code42GetDepartingEmployees** which gets departing employees and alerts for each employee. + - **Code42GetDepartingEmployees** automation script which gets departing employees with alerts. - **code42-alert-search** that searches alerts by username. - **code42-departingemployee-get-all** that gets all the employees on the Departing Employee List. - **code42-highriskemployee-add** that takes a username and adds the employee to the High Risk Employee List. From d38b5e90f2de3fa70a857aba988a77c8d4be79aa Mon Sep 17 00:00:00 2001 From: Juliya Smith Date: Tue, 23 Jun 2020 18:17:16 +0000 Subject: [PATCH 09/26] Fix cl --- Packs/Code42/Integrations/Code42/CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Packs/Code42/Integrations/Code42/CHANGELOG.md b/Packs/Code42/Integrations/Code42/CHANGELOG.md index 3226c1a1b14f..dd10bb0a433f 100644 --- a/Packs/Code42/Integrations/Code42/CHANGELOG.md +++ b/Packs/Code42/Integrations/Code42/CHANGELOG.md @@ -1,6 +1,6 @@ ## [Unreleased] Added new commands: - - **Code42GetDepartingEmployees** automation script which gets departing employees with alerts. + - **Code42GetDepartingEmployeeAlerts** automation script which gets departing employees with alerts. - **code42-alert-search** that searches alerts by username. - **code42-departingemployee-get-all** that gets all the employees on the Departing Employee List. - **code42-highriskemployee-add** that takes a username and adds the employee to the High Risk Employee List. From b84049f9d581fd6ed48917dbeb2842aa1ee94b81 Mon Sep 17 00:00:00 2001 From: Juliya Smith Date: Tue, 23 Jun 2020 18:18:02 +0000 Subject: [PATCH 10/26] Remove whitespace in yml --- Packs/Code42/Integrations/Code42/Code42.yml | 6 ------ 1 file changed, 6 deletions(-) 
diff --git a/Packs/Code42/Integrations/Code42/Code42.yml b/Packs/Code42/Integrations/Code42/Code42.yml index 822032a33c8e..a5b742574476 100644 --- a/Packs/Code42/Integrations/Code42/Code42.yml +++ b/Packs/Code42/Integrations/Code42/Code42.yml @@ -283,12 +283,6 @@ script: description: The severity of the alert. type: string description: Search alerts by username. - - - - - - - name: code42-departingemployee-add arguments: - name: username From 6f7ebc526d1d95e91d3e756cfbf9c071adf75c45 Mon Sep 17 00:00:00 2001 From: Juliya Smith Date: Tue, 23 Jun 2020 18:19:01 +0000 Subject: [PATCH 11/26] Gen yml --- Packs/Code42/Integrations/Code42/integration-Code42.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/Packs/Code42/Integrations/Code42/integration-Code42.yml b/Packs/Code42/Integrations/Code42/integration-Code42.yml index b3e16f927b89..a04731a12049 100644 --- a/Packs/Code42/Integrations/Code42/integration-Code42.yml +++ b/Packs/Code42/Integrations/Code42/integration-Code42.yml @@ -1196,12 +1196,6 @@ script: description: The severity of the alert. type: string description: Search alerts by username. - - - - - - - name: code42-departingemployee-add arguments: - name: username From 752883895d04676e9db15c8e1ed5c62904c74748 Mon Sep 17 00:00:00 2001 From: Juliya Smith Date: Tue, 23 Jun 2020 18:21:34 +0000 Subject: [PATCH 12/26] Main --- .../Code42GetDepartingEmployeeAlerts.py | 56 ++++++++++--------- 1 file changed, 30 insertions(+), 26 deletions(-) diff --git a/Packs/Code42/Scripts/Code42GetDepartingEmployeeAlerts/Code42GetDepartingEmployeeAlerts.py b/Packs/Code42/Scripts/Code42GetDepartingEmployeeAlerts/Code42GetDepartingEmployeeAlerts.py index 83e457d30c59..8f428d0bfa92 100644 --- a/Packs/Code42/Scripts/Code42GetDepartingEmployeeAlerts/Code42GetDepartingEmployeeAlerts.py +++ b/Packs/Code42/Scripts/Code42GetDepartingEmployeeAlerts/Code42GetDepartingEmployeeAlerts.py 
@@ -2,31 +2,35 @@
 from CommonServerPython import *
-res = {"total": 0}
-res_data = []
-top = demisto.args().get("top") or 10
-
-try:
- employees = demisto.executeCommand("code42-departingemployee-get-all", {})[0]["Contents"]
- res["total"] = len(employees)
-
- # Get each employee on the Departing Employee List and their total alerts.
- for employee in employees:
- username = employee["userName"]
- alerts = demisto.executeCommand("code42-alert-search", {"username": username})[0]["Contents"]
- alerts_count = len(alerts)
-
- # Ignores employees without alerts
- if alerts_count:
- employee_res = {"Username": username, "Alerts Count": alerts_count}
- res_data.append(employee_res)
-
- # Sort such that highest alert counts are first and get top.
- res["data"] = sorted(res_data, key=lambda x: x["Alerts Count"], reverse=True)[:top]
+def main():
+ res = {"total": 0}
+ res_data = []
+ top = demisto.args().get("top") or 10
+
+ try:
+ employees = demisto.executeCommand("code42-departingemployee-get-all", {})[0]["Contents"]
+ res["total"] = len(employees)
+
+ # Get each employee on the Departing Employee List and their total alerts.
+ for employee in employees:
+ username = employee["userName"]
+ alerts = demisto.executeCommand("code42-alert-search", {"username": username})[0]["Contents"]
+ alerts_count = len(alerts)
+
+ # Ignores employees without alerts
+ if alerts_count:
+ employee_res = {"Username": username, "Alerts Count": alerts_count}
+ res_data.append(employee_res)
+
+ # Sort such that highest alert counts are first and get top.
+ res["data"] = sorted(res_data, key=lambda x: x["Alerts Count"], reverse=True)[:top]
+ demisto.results(res)
+ except Exception as e:
+ res["total"] = -1
+ res["data"] = str(e)
+
+ # Submit final results to Cortex XSOAR
 demisto.results(res)
-except Exception as e:
- res["total"] = -1
- res["data"] = str(e)
-# Submit final results to Cortex XSOAR
-demisto.results(res)
+if __name__ in ("__main__", "__builtin__", "builtins"):
+ main()
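Review bot: On the success path `demisto.results(res)` now runs twice — once inside the `try` right after `res["data"]` is assigned and again on the context line following `# Submit final results to Cortex XSOAR` — so every successful run emits the widget entry twice; drop the call inside the `try` and keep the single trailing one. `top = demisto.args().get("top") or 10` also takes the argument as delivered, which for a script argument is normally a string, so `[:top]` raises TypeError whenever a caller sets `top` and the widget shows `total: -1`; use `top = int(demisto.args().get("top") or 10)`. The same doubled `demisto.results(res)` appears in the new Code42GetHighRiskEmployees.py file later in this series.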
From 4af651b362849010691f62595c02a0c139e840fd Mon Sep 17 00:00:00 2001 From: Juliya Smith Date: Wed, 24 Jun 2020 13:13:46 +0000 Subject: [PATCH 13/26] Tags --- .../Code42GetDepartingEmployeeAlerts.yml | 2 +- Packs/Code42/Widgets/widget-Departing_Employee_Alerts.json | 5 ----- 2 files changed, 1 insertion(+), 6 deletions(-) diff --git a/Packs/Code42/Scripts/Code42GetDepartingEmployeeAlerts/Code42GetDepartingEmployeeAlerts.yml b/Packs/Code42/Scripts/Code42GetDepartingEmployeeAlerts/Code42GetDepartingEmployeeAlerts.yml index 6b6f9f495d2a..67d299bd84c3 100644 --- a/Packs/Code42/Scripts/Code42GetDepartingEmployeeAlerts/Code42GetDepartingEmployeeAlerts.yml +++ b/Packs/Code42/Scripts/Code42GetDepartingEmployeeAlerts/Code42GetDepartingEmployeeAlerts.yml @@ -20,5 +20,5 @@ runonce: false script: '' scripttarget: 0 subtype: python3 -tags: [] +tags: ['dynamic-section', 'widget'] type: python diff --git a/Packs/Code42/Widgets/widget-Departing_Employee_Alerts.json b/Packs/Code42/Widgets/widget-Departing_Employee_Alerts.json index 14f85e30ebde..426a1ba23c79 100644 --- a/Packs/Code42/Widgets/widget-Departing_Employee_Alerts.json +++ b/Packs/Code42/Widgets/widget-Departing_Employee_Alerts.json @@ -24,11 +24,6 @@ "isDefault": true, "key": "Username" }, - { - "displayed": true, - "isDefault": true, - "key": "Alerts Count" - }, { "displayed": true, "isDefault": true, From 7da6aac3c35c4e5b13cb0aedbfaa8f725f534f25 Mon Sep 17 00:00:00 2001 
From: Juliya Smith Date: Wed, 8 Jul 2020 19:31:54 +0000 Subject: [PATCH 14/26] Save --- .../CHANGELOG.md | 0 .../Code42GetDepartingEmployees.py} | 13 ++--- .../Code42GetDepartingEmployees.yml} | 12 ++--- .../README.md | 0 .../Code42GetHighRiskEmployees/CHANGELOG.md | 2 + .../Code42GetHighRiskEmployees.py | 54 +++++++++++++++++++ .../Code42GetHighRiskEmployees.yml | 23 ++++++++ .../Code42GetHighRiskEmployees/README.md | 0 ...n => widget-Departing_Employees_List.json} | 6 +-- .../widget-High_Risk_Employees_List.json | 40 ++++++++++++++ 10 files changed, 128 insertions(+), 22 deletions(-) rename Packs/Code42/Scripts/{Code42GetDepartingEmployeeAlerts => Code42GetDepartingEmployees}/CHANGELOG.md (100%) rename Packs/Code42/Scripts/{Code42GetDepartingEmployeeAlerts/Code42GetDepartingEmployeeAlerts.py => Code42GetDepartingEmployees/Code42GetDepartingEmployees.py} (54%) rename Packs/Code42/Scripts/{Code42GetDepartingEmployeeAlerts/Code42GetDepartingEmployeeAlerts.yml => Code42GetDepartingEmployees/Code42GetDepartingEmployees.yml} (50%) rename Packs/Code42/Scripts/{Code42GetDepartingEmployeeAlerts => Code42GetDepartingEmployees}/README.md (100%) create mode 100644 Packs/Code42/Scripts/Code42GetHighRiskEmployees/CHANGELOG.md create mode 100644 Packs/Code42/Scripts/Code42GetHighRiskEmployees/Code42GetHighRiskEmployees.py create mode 100644 Packs/Code42/Scripts/Code42GetHighRiskEmployees/Code42GetHighRiskEmployees.yml create mode 100644 Packs/Code42/Scripts/Code42GetHighRiskEmployees/README.md rename Packs/Code42/Widgets/{widget-Departing_Employee_Alerts.json => widget-Departing_Employees_List.json} (86%) create mode 100644 Packs/Code42/Widgets/widget-High_Risk_Employees_List.json 
diff --git a/Packs/Code42/Scripts/Code42GetDepartingEmployeeAlerts/CHANGELOG.md b/Packs/Code42/Scripts/Code42GetDepartingEmployees/CHANGELOG.md
similarity index 100%
rename from Packs/Code42/Scripts/Code42GetDepartingEmployeeAlerts/CHANGELOG.md
rename to Packs/Code42/Scripts/Code42GetDepartingEmployees/CHANGELOG.md
diff --git a/Packs/Code42/Scripts/Code42GetDepartingEmployeeAlerts/Code42GetDepartingEmployeeAlerts.py b/Packs/Code42/Scripts/Code42GetDepartingEmployees/Code42GetDepartingEmployees.py
similarity index 54%
rename from Packs/Code42/Scripts/Code42GetDepartingEmployeeAlerts/Code42GetDepartingEmployeeAlerts.py
rename to Packs/Code42/Scripts/Code42GetDepartingEmployees/Code42GetDepartingEmployees.py
index 8f428d0bfa92..3a76113a8a3f 100644
--- a/Packs/Code42/Scripts/Code42GetDepartingEmployeeAlerts/Code42GetDepartingEmployeeAlerts.py
+++ b/Packs/Code42/Scripts/Code42GetDepartingEmployees/Code42GetDepartingEmployees.py
@@ -5,7 +5,6 @@ def main():
 res = {"total": 0}
 res_data = []
- top = demisto.args().get("top") or 10
 try:
 employees = demisto.executeCommand("code42-departingemployee-get-all", {})[0]["Contents"]
@@ -14,16 +13,10 @@ def main():
 # Get each employee on the Departing Employee List and their total alerts.
 for employee in employees:
 username = employee["userName"]
- alerts = demisto.executeCommand("code42-alert-search", {"username": username})[0]["Contents"]
- alerts_count = len(alerts)
+ employee_res = {"Username": username}
+ res_data.append(employee_res)
- # Ignores employees without alerts
- if alerts_count:
- employee_res = {"Username": username, "Alerts Count": alerts_count}
- res_data.append(employee_res)
-
- # Sort such that highest alert counts are first and get top.
- res["data"] = sorted(res_data, key=lambda x: x["Alerts Count"], reverse=True)[:top]
+ res["data"] = res_data
 demisto.results(res)
 except Exception as e:
 res["total"] = -1
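Review bot: `employees = demisto.executeCommand(...)[0]["Contents"]` is still used without checking the entry type; if the integration returns an error entry, `Contents` is presumably the error message string, so `res["total"]` becomes its length and the loop iterates its characters, with `employee["userName"]` then failing on a `str`. Guard the result before using it, e.g. `if is_error(result): raise DemistoException(get_error(result))`, so the failure is reported through the existing `except` as a message rather than a bogus count. The `_get_departing_employees` helpers introduced in the later Code42GetDepartingEmployees.py and Code42GetHighRiskEmployees.py hunks have the same gap.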
diff --git a/Packs/Code42/Scripts/Code42GetDepartingEmployeeAlerts/Code42GetDepartingEmployeeAlerts.yml b/Packs/Code42/Scripts/Code42GetDepartingEmployees/Code42GetDepartingEmployees.yml similarity index 50% rename from Packs/Code42/Scripts/Code42GetDepartingEmployeeAlerts/Code42GetDepartingEmployeeAlerts.yml rename to Packs/Code42/Scripts/Code42GetDepartingEmployees/Code42GetDepartingEmployees.yml index 67d299bd84c3..88e08fdfa6fd 100644 --- a/Packs/Code42/Scripts/Code42GetDepartingEmployeeAlerts/Code42GetDepartingEmployeeAlerts.yml +++ b/Packs/Code42/Scripts/Code42GetDepartingEmployees/Code42GetDepartingEmployees.yml @@ -1,19 +1,13 @@ -args: -- defaultValue: 10 - description: To limit results to x number of employees with the highest alert count. - name: top - type: number comment: Gets all departing employees and alerts for each. commonfields: - id: 468c8e6f-6f50-486f-8cde-7dabe4cbeb2b + id: Code42GetDepartingEmployees version: -1 dependson: must: - Code42|||code42-departingemployee-get-all - - Code42|||code42-alerts-search -dockerimage: demisto/py42:1.0.0.9242 +dockerimage: demisto/py42:1.0.0.9653 enabled: true -name: Code42GetDepartingEmployeeAlerts +name: Code42GetDepartingEmployees pswd: "" runas: DBotWeakRole runonce: false diff --git a/Packs/Code42/Scripts/Code42GetDepartingEmployeeAlerts/README.md b/Packs/Code42/Scripts/Code42GetDepartingEmployees/README.md similarity index 100% rename from Packs/Code42/Scripts/Code42GetDepartingEmployeeAlerts/README.md rename to Packs/Code42/Scripts/Code42GetDepartingEmployees/README.md diff --git a/Packs/Code42/Scripts/Code42GetHighRiskEmployees/CHANGELOG.md b/Packs/Code42/Scripts/Code42GetHighRiskEmployees/CHANGELOG.md new file mode 100644 index 000000000000..63439c17f377 --- /dev/null +++ b/Packs/Code42/Scripts/Code42GetHighRiskEmployees/CHANGELOG.md @@ -0,0 +1,2 @@ +## [Unreleased] +- 
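Review bot: `comment: Gets all departing employees and alerts for each.` no longer describes the script: with the `code42-alerts-search` dependency and the `top` argument removed, it only lists the usernames on the Departing Employee List. Update the comment to match, e.g. `comment: Gets all employees on the Departing Employee List.`.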
diff --git a/Packs/Code42/Scripts/Code42GetHighRiskEmployees/Code42GetHighRiskEmployees.py b/Packs/Code42/Scripts/Code42GetHighRiskEmployees/Code42GetHighRiskEmployees.py
new file mode 100644
index 000000000000..9e3c995630f9
--- /dev/null
+++ b/Packs/Code42/Scripts/Code42GetHighRiskEmployees/Code42GetHighRiskEmployees.py
@@ -0,0 +1,54 @@
+import demistomock as demisto
+from CommonServerPython import *
+
+
+def _get_departing_employees(risktags):
+ tags = {} if not risktags else {"risktags": risktags.split(",")}
+ command_result = demisto.executeCommand("code42-highriskemployee-get-all", tags)
+ if not command_result:
+ return []
+
+ return command_result[0]["Contents"]
+
+
+def _get_file_events_for_user(username):
+ command_result = demisto.executeCommand("code42-securitydata-search", {"username": username})
+ if not command_result:
+ return
+ return command_result
+
+
+def get_departing_employees():
+ res = {"total": 0}
+ res_data = []
+ risktags = demisto.args().get("risktags")
+
+ try:
+ employees = _get_departing_employees(risktags)
+ res["total"] = len(employees)
+
+ # TODO: Extract to separate script Code42SearchExposureEvents
+ for employee in employees:
+ username = employee.get("userName")
+ employee_res = {"Username": username, "ExposureEvents": 0}
+ file_events = _get_file_events_for_user(username)
+ for e in file_events:
+ event_data = e.get("Contents")
+ if event_data and isinstance(event_data, list):
+ for data in event_data:
+ if data.get("exposure"):
+ employee_res["ExposureEvents"] += 1
+
+ res_data.append(employee_res)
+
+ res["data"] = res_data
+ demisto.results(res)
+ except Exception as e:
+ res["total"] = -1
+ res["data"] = str(e)
+
+ # Submit final results to Cortex XSOAR
+ demisto.results(res)
+
+if __name__ in ("__main__", "__builtin__", "builtins"):
+ get_departing_employees()
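Review bot: `_get_file_events_for_user` returns `None` when `demisto.executeCommand` yields nothing, and `get_departing_employees` then runs `for e in file_events:` with no check, so the first user without results raises TypeError and the whole widget collapses to `total: -1`; return `[]` there, as `_get_departing_employees` already does. The helper is also named `_get_departing_employees` although it executes `code42-highriskemployee-get-all`, and the loop variable `e` is reused by `except Exception as e` in the same function, which reads badly — `_get_high_risk_employees` and `entry` would be clearer. `demisto.results(res)` is additionally called both inside the `try` and after the `except`, so a successful run emits the result twice.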
diff --git a/Packs/Code42/Scripts/Code42GetHighRiskEmployees/Code42GetHighRiskEmployees.yml b/Packs/Code42/Scripts/Code42GetHighRiskEmployees/Code42GetHighRiskEmployees.yml new file mode 100644 index 000000000000..14612b678b76 --- /dev/null +++ b/Packs/Code42/Scripts/Code42GetHighRiskEmployees/Code42GetHighRiskEmployees.yml @@ -0,0 +1,23 @@ +args: +- defaultValue: + description: To limit results to those with the given risk tags. + name: risktags + type: number +comment: Gets all high risk employees and alerts for each. +commonfields: + id: Code42GetHighRiskEmployees + version: -1 +dependson: + must: + - Code42|||code42-highriskemployee-get-all +dockerimage: demisto/py42:1.0.0.9653 +enabled: true +name: Code42GetHighRiskEmployees +pswd: "" +runas: DBotWeakRole +runonce: false +script: '' +scripttarget: 0 +subtype: python3 +tags: ['dynamic-section', 'widget'] +type: python diff --git a/Packs/Code42/Scripts/Code42GetHighRiskEmployees/README.md b/Packs/Code42/Scripts/Code42GetHighRiskEmployees/README.md new file mode 100644 index 000000000000..e69de29bb2d1 diff --git a/Packs/Code42/Widgets/widget-Departing_Employee_Alerts.json b/Packs/Code42/Widgets/widget-Departing_Employees_List.json similarity index 86% rename from Packs/Code42/Widgets/widget-Departing_Employee_Alerts.json rename to Packs/Code42/Widgets/widget-Departing_Employees_List.json index 426a1ba23c79..ad67a4bf6af8 100644 --- a/Packs/Code42/Widgets/widget-Departing_Employee_Alerts.json +++ b/Packs/Code42/Widgets/widget-Departing_Employees_List.json @@ -14,9 +14,9 @@ }, "toDate": "0001-01-01T00:00:00Z" }, - "id": "570ec235-7ee4-43ea-8fc7-eba94a0cca71", + "id": "Departing Employees List", "isPredefined": false, - "name": "Departing Employee Alerts", + "name": "Departing Employees", "params": { "tableColumns": [ { @@ -31,7 +31,7 @@ } ] }, - "query": "Code42GetDepartingEmployeeAlerts", + "query": "Code42GetDepartingEmployees", "size": 0, "sort": null, "sortValues": null, 
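Review bot: The `risktags` argument is declared `type: number` with an empty `defaultValue`, but the script calls `risktags.split(",")` on it, i.e. it expects a comma-separated string; declare it as a text argument (or mark it `isArray: true` and accept a list) and drop the empty default. The `comment:` also says "and alerts for each" while the script counts exposure events per employee — `comment: Gets all high risk employees and their exposure event counts.` would match what it does.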
diff --git a/Packs/Code42/Widgets/widget-High_Risk_Employees_List.json b/Packs/Code42/Widgets/widget-High_Risk_Employees_List.json new file mode 100644 index 000000000000..b4625108314a --- /dev/null +++ b/Packs/Code42/Widgets/widget-High_Risk_Employees_List.json @@ -0,0 +1,40 @@ +{ + "category": "", + "dataType": "scripts", + "dateRange": { + "fromDate": "0001-01-01T00:00:00Z", + "fromDateLicense": "0001-01-01T00:00:00Z", + "period": { + "by": "", + "byFrom": "days", + "byTo": "", + "field": "", + "fromValue": null, + "toValue": null + }, + "toDate": "0001-01-01T00:00:00Z" + }, + "id": "High Risk Employees List", + "isPredefined": false, + "name": "High Risk Employees", + "params": { + "tableColumns": [ + { + "displayed": true, + "isDefault": true, + "key": "Username" + }, + { + "displayed": true, + "isDefault": true, + "key": "ExposureEvents" + } + ] + }, + "query": "Code42GetHighRiskEmployees", + "size": 0, + "sort": null, + "sortValues": null, + "version": -1, + "widgetType": "table" +} \ No newline at end of file From 6f1794293d77a0eeaa8a7a32c82d0282d14cf302 Mon Sep 17 00:00:00 2001 
From: Juliya Smith Date: Thu, 9 Jul 2020 13:48:58 +0000 Subject: [PATCH 15/26] hr last 30 days --- Packs/Code42/Integrations/Code42/Code42.py | 7 ++-- Packs/Code42/Integrations/Code42/Code42.yml | 12 +++++++ .../CHANGELOG.md | 2 ++ ...hRiskEmployeeExfiltrationLastThirtyDays.py | 15 +++++++++ ...RiskEmployeeExfiltrationLastThirtyDays.yml | 20 +++++++++++ .../README.md | 0 ...2aa4-Code42_Exfiltration_Last_30_Days.json | 33 +++++++++++++++++++ 7 files changed, 86 insertions(+), 3 deletions(-) create mode 100644 Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastThirtyDays/CHANGELOG.md create mode 100644 Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastThirtyDays/Code42HighRiskEmployeeExfiltrationLastThirtyDays.py create mode 100644 Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastThirtyDays/Code42HighRiskEmployeeExfiltrationLastThirtyDays.yml create mode 100644 Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastThirtyDays/README.md create mode 100644 Packs/Code42/Widgets/widget-570051a4-2376-4da0-8a90-594672622aa4-Code42_Exfiltration_Last_30_Days.json diff --git a/Packs/Code42/Integrations/Code42/Code42.py b/Packs/Code42/Integrations/Code42/Code42.py index 06640ee23368..024e6e6953a3 100644 --- a/Packs/Code42/Integrations/Code42/Code42.py +++ b/Packs/Code42/Integrations/Code42/Code42.py 
@@ -230,11 +230,11 @@ def remove_user_risk_tags(self, username, risk_tags): self._get_sdk().detectionlists.remove_user_risk_tags(user_id, risk_tags) return user_id - def get_all_high_risk_employees(self, risk_tags, results): + def get_all_high_risk_employees(self, risk_tags, results, filter_type): risk_tags = _try_convert_str_list_to_list(risk_tags) results = int(results) if results else None res = [] - pages = self._get_sdk().detectionlists.high_risk_employee.get_all() + pages = self._get_sdk().detectionlists.high_risk_employee.get_all(filter_type=filter_type) for page in pages: employees = _get_all_high_risk_employees_from_page(page, risk_tags) for employee in employees: @@ -798,7 +798,8 @@ def highriskemployee_remove_command(client, args): def highriskemployee_get_all_command(client, args): tags = args.get("risktags") results = args.get("results") or 50 - employees = client.get_all_high_risk_employees(tags, results) + filter_type = args.get("filtertype") + employees = client.get_all_high_risk_employees(tags, results, filter_type) if not employees: return CommandResults( readable_output="No results found", diff --git a/Packs/Code42/Integrations/Code42/Code42.yml b/Packs/Code42/Integrations/Code42/Code42.yml index 7f9602dc00c5..28dbeeb017a4 100644 --- a/Packs/Code42/Integrations/Code42/Code42.yml +++ b/Packs/Code42/Integrations/Code42/Code42.yml @@ -441,6 +441,18 @@ script: name: results required: false secret: false + - auto: PREDEFINED + default: true + defaultValue: OPEN + description: Filters the results based on specific filters. + isArray: false + name: filtertype + predefined: + - EXFILTRATION_30_DAYS + - EXFILTRATION_24_HOURS + - OPEN + required: false + secret: false deprecated: false description: Get all employees on the High Risk Employee List. execution: false 
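Review bot: `get_all_high_risk_employees` now takes `filter_type` as a required positional parameter and forwards it to the SDK unvalidated, while `highriskemployee_get_all_command` passes `args.get("filtertype")`, which is `None` whenever the argument is absent from the call and the server does not fill in the YAML default; the SDK then receives `filter_type=None` instead of the documented `OPEN`. Default it on both sides, `def get_all_high_risk_employees(self, risk_tags, results, filter_type="OPEN"):` and `filter_type = args.get("filtertype") or "OPEN"`, and consider rejecting values outside the predefined set (`EXFILTRATION_30_DAYS`, `EXFILTRATION_24_HOURS`, `OPEN`) with a clear error before the SDK call. Both functions start and end outside these hunks.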
diff --git a/Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastThirtyDays/CHANGELOG.md b/Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastThirtyDays/CHANGELOG.md
new file mode 100644
index 000000000000..63439c17f377
--- /dev/null
+++ b/Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastThirtyDays/CHANGELOG.md
@@ -0,0 +1,2 @@
+## [Unreleased]
+-
diff --git a/Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastThirtyDays/Code42HighRiskEmployeeExfiltrationLastThirtyDays.py b/Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastThirtyDays/Code42HighRiskEmployeeExfiltrationLastThirtyDays.py
new file mode 100644
index 000000000000..a42dd21241fe
--- /dev/null
+++ b/Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastThirtyDays/Code42HighRiskEmployeeExfiltrationLastThirtyDays.py
@@ -0,0 +1,15 @@
+import demistomock as demisto
+from CommonServerPython import *
+
+
+def main():
+ try:
+ employees = demisto.executeCommand("code42-highriskemployee-get-all",
+ {"filtertype": "EXFILTRATION_30_DAYS", "using": "c42_demisto"})[0]["Contents"]
+ demisto.results(len(employees))
+ except Exception as e:
+ demisto.results(-1)
+
+
+if __name__ in ("__main__", "__builtin__", "builtins"):
+ main()
diff --git a/Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastThirtyDays/Code42HighRiskEmployeeExfiltrationLastThirtyDays.yml b/Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastThirtyDays/Code42HighRiskEmployeeExfiltrationLastThirtyDays.yml
new file mode 100644
index 000000000000..5e976d76039b
--- /dev/null
+++ b/Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastThirtyDays/Code42HighRiskEmployeeExfiltrationLastThirtyDays.yml
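Review bot: `"using": "c42_demisto"` hard-codes the name of one integration instance into a packaged script, so it only works on a deployment whose Code42 instance happens to carry that name and fails everywhere else; remove the `using` key and let the server route the command. The `except Exception as e:` branch also discards `e` and reports `-1`, which the number widget will display as if it were a count — log it at least, `demisto.debug(f"Code42HighRiskEmployeeExfiltrationLastThirtyDays failed: {e}")`, before returning the sentinel.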
@@ -0,0 +1,20 @@ +comment: Gets the total number of high-risk employees who exfiltrated files in the + last 30 days. +commonfields: + id: 17bc7e3e-f5fd-4efa-8041-398ed2b93b8a + version: -1 +dependson: + must: + - Code42|||code42-departingemployee-get-all +dockerimage: demisto/py42:1.0.0.9653 +enabled: true +name: Code42HighRiskEmployeeExfiltrationLastThirtyDays +pswd: "" +runas: DBotWeakRole +runonce: false +script: '' +scripttarget: 0 +subtype: python3 +tags: +- widget +type: python diff --git a/Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastThirtyDays/README.md b/Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastThirtyDays/README.md new file mode 100644 index 000000000000..e69de29bb2d1 diff --git a/Packs/Code42/Widgets/widget-570051a4-2376-4da0-8a90-594672622aa4-Code42_Exfiltration_Last_30_Days.json b/Packs/Code42/Widgets/widget-570051a4-2376-4da0-8a90-594672622aa4-Code42_Exfiltration_Last_30_Days.json new file mode 100644 index 000000000000..664c1c35030b --- /dev/null +++ b/Packs/Code42/Widgets/widget-570051a4-2376-4da0-8a90-594672622aa4-Code42_Exfiltration_Last_30_Days.json @@ -0,0 +1,33 @@ +{ + "category": "", + "dataType": "scripts", + "dateRange": { + "fromDate": "0001-01-01T00:00:00Z", + "fromDateLicense": "0001-01-01T00:00:00Z", + "period": { + "by": "", + "byFrom": "days", + "byTo": "", + "field": "", + "fromValue": null, + "toValue": null + }, + "toDate": "0001-01-01T00:00:00Z" + }, + "fromServerVersion": "", + "id": "570051a4-2376-4da0-8a90-594672622aa4", + "isPredefined": false, + "itemVersion": "", + "name": "Code42 Exfiltration Last 30 Days", + "packID": "", + "params": { + "tableColumns": [] + }, + "query": "Code42HighRiskEmployeeExfiltrationLastThirtyDays", + "size": 0, + "sort": null, + "sortValues": null, + "toServerVersion": "", + "version": -1, + "widgetType": "number" +} \ No newline at end of file From cc5ff9529135ea0fc8fea376f2817d0c26664348 Mon Sep 17 00:00:00 2001 
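Review bot: `dependson.must` lists `Code42|||code42-departingemployee-get-all`, but the script runs `code42-highriskemployee-get-all`, so the declared dependency does not match the command actually executed; it should read `- Code42|||code42-highriskemployee-get-all`. The `comment:` promises the total number of high-risk employees, which does match the `len(employees)` the script returns, so only the dependency line needs fixing here.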
From: Juliya Smith Date: Thu, 9 Jul 2020 14:49:50 +0000 Subject: [PATCH 16/26] Save --- .../Code42GetDepartingEmployees.py | 18 +++++++--- .../Code42GetHighRiskEmployees.py | 34 ++++++------------ ...hRiskEmployeeExfiltrationLastThirtyDays.py | 6 ++-- ...RiskEmployeeExfiltrationLastThirtyDays.yml | 2 +- .../CHANGELOG.md | 2 ++ ...EmployeeExfiltrationLastTwentyFourHours.py | 15 ++++++++ ...mployeeExfiltrationLastTwentyFourHours.yml | 20 +++++++++++ .../README.md | 0 ...2aa4-Code42_Exfiltration_Last_30_Days.json | 33 ----------------- ...dget-Code42_Departing_Employees_List.json} | 9 ++--- ...k_Employee_Exfiltration_Last_24_Hours.json | 35 +++++++++++++++++++ ...sk_Employee_Exfiltration_Last_30_Days.json | 35 +++++++++++++++++++ ...dget-Code42_High_Risk_Employees_List.json} | 4 +-- 13 files changed, 139 insertions(+), 74 deletions(-) create mode 100644 Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastTwentyFourHours/CHANGELOG.md create mode 100644 Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastTwentyFourHours/Code42HighRiskEmployeeExfiltrationLastTwentyFourHours.py create mode 100644 Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastTwentyFourHours/Code42HighRiskEmployeeExfiltrationLastTwentyFourHours.yml create mode 100644 Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastTwentyFourHours/README.md delete mode 100644 Packs/Code42/Widgets/widget-570051a4-2376-4da0-8a90-594672622aa4-Code42_Exfiltration_Last_30_Days.json rename Packs/Code42/Widgets/{widget-Departing_Employees_List.json => widget-Code42_Departing_Employees_List.json} (78%) create mode 100644 Packs/Code42/Widgets/widget-Code42_High_Risk_Employee_Exfiltration_Last_24_Hours.json create mode 100644 Packs/Code42/Widgets/widget-Code42_High_Risk_Employee_Exfiltration_Last_30_Days.json rename Packs/Code42/Widgets/{widget-High_Risk_Employees_List.json => widget-Code42_High_Risk_Employees_List.json} (91%) 
diff --git a/Packs/Code42/Scripts/Code42GetDepartingEmployees/Code42GetDepartingEmployees.py b/Packs/Code42/Scripts/Code42GetDepartingEmployees/Code42GetDepartingEmployees.py
index 3a76113a8a3f..c7e79d211cfd 100644
--- a/Packs/Code42/Scripts/Code42GetDepartingEmployees/Code42GetDepartingEmployees.py
+++ b/Packs/Code42/Scripts/Code42GetDepartingEmployees/Code42GetDepartingEmployees.py
@@ -2,17 +2,25 @@
 from CommonServerPython import *
-def main():
+def _get_departing_employees():
+ command_result = demisto.executeCommand("code42-departingemployee-get-all", {})
+ if not command_result:
+ return []
+
+ return command_result[0]["Contents"]
+
+
+def get_departing_employees():
 res = {"total": 0}
 res_data = []
 try:
- employees = demisto.executeCommand("code42-departingemployee-get-all", {})[0]["Contents"]
+ employees = _get_departing_employees()
 res["total"] = len(employees)
- # Get each employee on the Departing Employee List and their total alerts.
+ # Get each employee on the Departing Employee List.
 for employee in employees:
- username = employee["userName"]
+ username = employee.get("userName")
 employee_res = {"Username": username}
 res_data.append(employee_res)
@@ -26,4 +34,4 @@ def main():
 demisto.results(res)
 if __name__ in ("__main__", "__builtin__", "builtins"):
- main()
+ get_departing_employees()
diff --git a/Packs/Code42/Scripts/Code42GetHighRiskEmployees/Code42GetHighRiskEmployees.py b/Packs/Code42/Scripts/Code42GetHighRiskEmployees/Code42GetHighRiskEmployees.py
index 9e3c995630f9..8039c6200c04 100644
--- a/Packs/Code42/Scripts/Code42GetHighRiskEmployees/Code42GetHighRiskEmployees.py
+++ b/Packs/Code42/Scripts/Code42GetHighRiskEmployees/Code42GetHighRiskEmployees.py
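Review bot: The entry point is now `get_departing_employees` and its helper `_get_departing_employees`, two names that differ only by a leading underscore and read as the same thing; keeping the entry point as `main()` (the convention the sibling scripts in this series still use) and naming the helper after what it does, `_fetch_departing_employees`, would make the `__main__` guard self-explanatory. `_get_departing_employees` also returns `[]` only when `command_result` is falsy and otherwise hands back `Contents` unchecked, so an error entry would still be treated as the employee list.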
@@ -2,43 +2,31 @@
 from CommonServerPython import *
-def _get_departing_employees(risktags):
- tags = {} if not risktags else {"risktags": risktags.split(",")}
- command_result = demisto.executeCommand("code42-highriskemployee-get-all", tags)
+def _get_departing_employees(risk_tags, filter_type):
+ tags = risk_tags.split(",") if risk_tags else None
+ filter_type = "OPEN" if not filter_type else filter_type
+ command_args = {"risktags": tags, "filtertype": filter_type}
+ command_result = demisto.executeCommand("code42-highriskemployee-get-all", command_args)
 if not command_result:
 return []
 return command_result[0]["Contents"]
-def _get_file_events_for_user(username):
- command_result = demisto.executeCommand("code42-securitydata-search", {"username": username})
- if not command_result:
- return
- return command_result
-
-
 def get_departing_employees():
 res = {"total": 0}
 res_data = []
- risktags = demisto.args().get("risktags")
+ risk_tags = demisto.args().get("risktags")
+ filter_type = demisto.args().get("filtertype")
 try:
- employees = _get_departing_employees(risktags)
+ employees = _get_departing_employees(risk_tags, filter_type)
 res["total"] = len(employees)
- # TODO: Extract to separate script Code42SearchExposureEvents
+ # Get each employee on the High Risk Employee List.
 for employee in employees:
- username = employee.get("userName")
- employee_res = {"Username": username, "ExposureEvents": 0}
- file_events = _get_file_events_for_user(username)
- for e in file_events:
- event_data = e.get("Contents")
- if event_data and isinstance(event_data, list):
- for data in event_data:
- if data.get("exposure"):
- employee_res["ExposureEvents"] += 1
-
+ username = employee["userName"]
+ employee_res = {"Username": username}
 res_data.append(employee_res)
 res["data"] = res_data
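Review bot: `command_args = {"risktags": tags, "filtertype": filter_type}` sends `"risktags": None` whenever no tags were given, and `tags` is a Python list although the integration side (`_try_convert_str_list_to_list` in Code42.py earlier in this series) by its name appears to expect a string; omit the key when empty and pass the raw string: `command_args = {"filtertype": filter_type}` followed by `if risk_tags: command_args["risktags"] = risk_tags`. `username = employee["userName"]` also reverts the `.get("userName")` form the departing-employees script switches to in the same commit, and the helper keeps the `_get_departing_employees` name although it fetches high-risk employees. `get_departing_employees` continues past the end of this hunk.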
diff --git a/Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastThirtyDays/Code42HighRiskEmployeeExfiltrationLastThirtyDays.py b/Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastThirtyDays/Code42HighRiskEmployeeExfiltrationLastThirtyDays.py index a42dd21241fe..b42cf31b73b8 100644 --- a/Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastThirtyDays/Code42HighRiskEmployeeExfiltrationLastThirtyDays.py +++ b/Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastThirtyDays/Code42HighRiskEmployeeExfiltrationLastThirtyDays.py @@ -4,9 +4,9 @@ def main(): try: - employees = demisto.executeCommand("code42-highriskemployee-get-all", - {"filtertype": "EXFILTRATION_30_DAYS", "using": "c42_demisto"})[0]["Contents"] - demisto.results(len(employees)) + employees = demisto.executeCommand("Code42GetHighRiskEmployees", + {"filtertype": "EXFILTRATION_30_DAYS"})[0]["Contents"] + demisto.results(employees) except Exception as e: demisto.results(-1) diff --git a/Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastThirtyDays/Code42HighRiskEmployeeExfiltrationLastThirtyDays.yml b/Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastThirtyDays/Code42HighRiskEmployeeExfiltrationLastThirtyDays.yml index 5e976d76039b..9136dba57fb9 100644 --- a/Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastThirtyDays/Code42HighRiskEmployeeExfiltrationLastThirtyDays.yml +++ b/Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastThirtyDays/Code42HighRiskEmployeeExfiltrationLastThirtyDays.yml @@ -1,7 +1,7 @@ comment: Gets the total number of high-risk employees who exfiltrated files in the last 30 days. commonfields: - id: 17bc7e3e-f5fd-4efa-8041-398ed2b93b8a + id: Code42HighRiskEmployeeExfiltrationLastThirtyDays version: -1 dependson: must: 
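Review bot: `demisto.results(employees)` forwards the `Contents` of `Code42GetHighRiskEmployees` unchanged, while the `except` branch still returns a bare `-1` and drops `e`; the widgets these scripts feed (added later in this series) are tables, so a failure produces an entry the table cannot render and no message anywhere. Return the same error shape the inner script uses, `demisto.results({"total": -1, "data": str(e)})`, so the widget and the caller see the reason. The new Code42HighRiskEmployeeExfiltrationLastTwentyFourHours.py has the identical `except` block. The YAML `comment:` in the second hunk still says the script returns a total number, which no longer matches.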
diff --git a/Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastTwentyFourHours/CHANGELOG.md b/Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastTwentyFourHours/CHANGELOG.md
new file mode 100644
index 000000000000..63439c17f377
--- /dev/null
+++ b/Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastTwentyFourHours/CHANGELOG.md
@@ -0,0 +1,2 @@
+## [Unreleased]
+-
diff --git a/Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastTwentyFourHours/Code42HighRiskEmployeeExfiltrationLastTwentyFourHours.py b/Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastTwentyFourHours/Code42HighRiskEmployeeExfiltrationLastTwentyFourHours.py
new file mode 100644
index 000000000000..bbaca19c84d4
--- /dev/null
+++ b/Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastTwentyFourHours/Code42HighRiskEmployeeExfiltrationLastTwentyFourHours.py
@@ -0,0 +1,15 @@
+import demistomock as demisto
+from CommonServerPython import *
+
+
+def main():
+ try:
+ employees = demisto.executeCommand("Code42GetHighRiskEmployees",
+ {"filtertype": "EXFILTRATION_24_HOURS"})[0]["Contents"]
+ demisto.results(employees)
+ except Exception as e:
+ demisto.results(-1)
+
+
+if __name__ in ("__main__", "__builtin__", "builtins"):
+ main()
diff --git a/Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastTwentyFourHours/Code42HighRiskEmployeeExfiltrationLastTwentyFourHours.yml b/Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastTwentyFourHours/Code42HighRiskEmployeeExfiltrationLastTwentyFourHours.yml
new file mode 100644
index 000000000000..f99e001eada8
--- /dev/null
+++ b/Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastTwentyFourHours/Code42HighRiskEmployeeExfiltrationLastTwentyFourHours.yml
@@ -0,0 +1,20 @@ +comment: Gets the total number of high-risk employees who exfiltrated files in the + last 30 days. +commonfields: + id: Code42HighRiskEmployeeExfiltrationLastTwentyFourHours + version: -1 +dependson: + must: + - Code42|||code42-departingemployee-get-all +dockerimage: demisto/py42:1.0.0.9653 +enabled: true +name: Code42HighRiskEmployeeExfiltrationLastTwentyFourHours +pswd: "" +runas: DBotWeakRole +runonce: false +script: '' +scripttarget: 0 +subtype: python3 +tags: +- widget +type: python diff --git a/Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastTwentyFourHours/README.md b/Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastTwentyFourHours/README.md new file mode 100644 index 000000000000..e69de29bb2d1 diff --git a/Packs/Code42/Widgets/widget-570051a4-2376-4da0-8a90-594672622aa4-Code42_Exfiltration_Last_30_Days.json b/Packs/Code42/Widgets/widget-570051a4-2376-4da0-8a90-594672622aa4-Code42_Exfiltration_Last_30_Days.json deleted file mode 100644 index 664c1c35030b..000000000000 --- a/Packs/Code42/Widgets/widget-570051a4-2376-4da0-8a90-594672622aa4-Code42_Exfiltration_Last_30_Days.json +++ /dev/null @@ -1,33 +0,0 @@ -{ - "category": "", - "dataType": "scripts", - "dateRange": { - "fromDate": "0001-01-01T00:00:00Z", - "fromDateLicense": "0001-01-01T00:00:00Z", - "period": { - "by": "", - "byFrom": "days", - "byTo": "", - "field": "", - "fromValue": null, - "toValue": null - }, - "toDate": "0001-01-01T00:00:00Z" - }, - "fromServerVersion": "", - "id": "570051a4-2376-4da0-8a90-594672622aa4", - "isPredefined": false, - "itemVersion": "", - "name": "Code42 Exfiltration Last 30 Days", - "packID": "", - "params": { - "tableColumns": [] - }, - "query": "Code42HighRiskEmployeeExfiltrationLastThirtyDays", - "size": 0, - "sort": null, - "sortValues": null, - "toServerVersion": "", - "version": -1, - "widgetType": "number" -} \ No newline at end of file 
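Review bot: This YAML belongs to the 24-hour script but its `comment:` says "last 30 days", and `dependson.must` lists `Code42|||code42-departingemployee-get-all` although the script only executes `Code42GetHighRiskEmployees`, which in turn relies on `code42-highriskemployee-get-all`. Change the comment to `comment: Gets the high-risk employees who exfiltrated files in the last 24 hours.` and point the dependency at what is actually called. The ThirtyDays YAML carries the same wrong dependency line.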
diff --git a/Packs/Code42/Widgets/widget-Departing_Employees_List.json b/Packs/Code42/Widgets/widget-Code42_Departing_Employees_List.json similarity index 78% rename from Packs/Code42/Widgets/widget-Departing_Employees_List.json rename to Packs/Code42/Widgets/widget-Code42_Departing_Employees_List.json index ad67a4bf6af8..e8b1e71a48db 100644 --- a/Packs/Code42/Widgets/widget-Departing_Employees_List.json +++ b/Packs/Code42/Widgets/widget-Code42_Departing_Employees_List.json @@ -14,20 +14,15 @@ }, "toDate": "0001-01-01T00:00:00Z" }, - "id": "Departing Employees List", + "id": "Code42 Departing Employees List", "isPredefined": false, - "name": "Departing Employees", + "name": "Code42 Departing Employees", "params": { "tableColumns": [ { "displayed": true, "isDefault": true, "key": "Username" - }, - { - "displayed": true, - "isDefault": true, - "key": "Alerts Count" } ] }, diff --git a/Packs/Code42/Widgets/widget-Code42_High_Risk_Employee_Exfiltration_Last_24_Hours.json b/Packs/Code42/Widgets/widget-Code42_High_Risk_Employee_Exfiltration_Last_24_Hours.json new file mode 100644 index 000000000000..803669f6e47c --- /dev/null +++ b/Packs/Code42/Widgets/widget-Code42_High_Risk_Employee_Exfiltration_Last_24_Hours.json 
@@ -0,0 +1,35 @@ +{ + "category": "", + "dataType": "scripts", + "dateRange": { + "fromDate": "0001-01-01T00:00:00Z", + "fromDateLicense": "0001-01-01T00:00:00Z", + "period": { + "by": "", + "byFrom": "days", + "byTo": "", + "field": "", + "fromValue": null, + "toValue": null + }, + "toDate": "0001-01-01T00:00:00Z" + }, + "id": "Code42 High Risk Employee Exfiltration Last 24 Hours", + "isPredefined": false, + "name": "Code42 High Risk Employee Exfiltration Last 24 Hours", + "params": { + "tableColumns": [ + { + "displayed": true, + "isDefault": true, + "key": "Username" + } + ] + }, + "query": "Code42HighRiskEmployeeExfiltrationLastTwentyFourHours", + "size": 0, + "sort": null, + "sortValues": null, + "version": -1, + "widgetType": "table" +} \ No newline at end of file diff --git a/Packs/Code42/Widgets/widget-Code42_High_Risk_Employee_Exfiltration_Last_30_Days.json b/Packs/Code42/Widgets/widget-Code42_High_Risk_Employee_Exfiltration_Last_30_Days.json new file mode 100644 index 000000000000..b798c41ad688 --- /dev/null +++ b/Packs/Code42/Widgets/widget-Code42_High_Risk_Employee_Exfiltration_Last_30_Days.json @@ -0,0 +1,35 @@ +{ + "category": "", + "dataType": "scripts", + "dateRange": { + "fromDate": "0001-01-01T00:00:00Z", + "fromDateLicense": "0001-01-01T00:00:00Z", + "period": { + "by": "", + "byFrom": "days", + "byTo": "", + "field": "", + "fromValue": null, + "toValue": null + }, + "toDate": "0001-01-01T00:00:00Z" + }, + "id": "Code42 High Risk Employee Exfiltration Last 30 Days", + "isPredefined": false, + "name": "Code42 High Risk Employee Exfiltration Last 30 Days", + "params": { + "tableColumns": [ + { + "displayed": true, + "isDefault": true, + "key": "Username" + } + ] + }, + "query": "Code42HighRiskEmployeeExfiltrationLastThirtyDays", + "size": 0, + "sort": null, + "sortValues": null, + "version": -1, + "widgetType": "table" +} \ No newline at end of file 
diff --git a/Packs/Code42/Widgets/widget-High_Risk_Employees_List.json b/Packs/Code42/Widgets/widget-Code42_High_Risk_Employees_List.json similarity index 91% rename from Packs/Code42/Widgets/widget-High_Risk_Employees_List.json rename to Packs/Code42/Widgets/widget-Code42_High_Risk_Employees_List.json index b4625108314a..a74e644c4f67 100644 --- a/Packs/Code42/Widgets/widget-High_Risk_Employees_List.json +++ b/Packs/Code42/Widgets/widget-Code42_High_Risk_Employees_List.json @@ -14,9 +14,9 @@ }, "toDate": "0001-01-01T00:00:00Z" }, - "id": "High Risk Employees List", + "id": "Code42 High Risk Employees List", "isPredefined": false, - "name": "High Risk Employees", + "name": "Code42 High Risk Employees", "params": { "tableColumns": [ { From 4b4648910a6cbf45401f0cc04700da4afd1f955d Mon Sep 17 00:00:00 2001 
From: Juliya Smith Date: Thu, 9 Jul 2020 15:19:53 +0000 Subject: [PATCH 17/26] Remove paid content --- .../Code42GetDepartingEmployees/CHANGELOG.md | 2 - .../Code42GetDepartingEmployees.py | 37 ---------------- .../Code42GetDepartingEmployees.yml | 18 -------- .../Code42GetDepartingEmployees/README.md | 0 .../Code42GetHighRiskEmployees/CHANGELOG.md | 2 - .../Code42GetHighRiskEmployees.py | 42 ------------------- .../Code42GetHighRiskEmployees.yml | 23 ---------- .../Code42GetHighRiskEmployees/README.md | 0 .../CHANGELOG.md | 2 - ...hRiskEmployeeExfiltrationLastThirtyDays.py | 15 ------- ...RiskEmployeeExfiltrationLastThirtyDays.yml | 20 --------- .../README.md | 0 .../CHANGELOG.md | 2 - ...EmployeeExfiltrationLastTwentyFourHours.py | 15 ------- ...mployeeExfiltrationLastTwentyFourHours.yml | 20 --------- .../README.md | 0 ...idget-Code42_Departing_Employees_List.json | 35 ---------------- ...k_Employee_Exfiltration_Last_24_Hours.json | 35 ---------------- ...sk_Employee_Exfiltration_Last_30_Days.json | 35 ---------------- ...idget-Code42_High_Risk_Employees_List.json | 40 ------------------ 20 files changed, 343 deletions(-) delete mode 100644 Packs/Code42/Scripts/Code42GetDepartingEmployees/CHANGELOG.md delete mode 100644 Packs/Code42/Scripts/Code42GetDepartingEmployees/Code42GetDepartingEmployees.py delete mode 100644 Packs/Code42/Scripts/Code42GetDepartingEmployees/Code42GetDepartingEmployees.yml delete mode 100644 Packs/Code42/Scripts/Code42GetDepartingEmployees/README.md delete mode 100644 Packs/Code42/Scripts/Code42GetHighRiskEmployees/CHANGELOG.md delete mode 100644 Packs/Code42/Scripts/Code42GetHighRiskEmployees/Code42GetHighRiskEmployees.py delete mode 100644 Packs/Code42/Scripts/Code42GetHighRiskEmployees/Code42GetHighRiskEmployees.yml delete mode 100644 Packs/Code42/Scripts/Code42GetHighRiskEmployees/README.md delete mode 100644 Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastThirtyDays/CHANGELOG.md delete mode 100644 
Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastThirtyDays/Code42HighRiskEmployeeExfiltrationLastThirtyDays.py delete mode 100644 Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastThirtyDays/Code42HighRiskEmployeeExfiltrationLastThirtyDays.yml delete mode 100644 Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastThirtyDays/README.md delete mode 100644 Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastTwentyFourHours/CHANGELOG.md delete mode 100644 Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastTwentyFourHours/Code42HighRiskEmployeeExfiltrationLastTwentyFourHours.py delete mode 100644 Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastTwentyFourHours/Code42HighRiskEmployeeExfiltrationLastTwentyFourHours.yml delete mode 100644 Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastTwentyFourHours/README.md delete mode 100644 Packs/Code42/Widgets/widget-Code42_Departing_Employees_List.json delete mode 100644 Packs/Code42/Widgets/widget-Code42_High_Risk_Employee_Exfiltration_Last_24_Hours.json delete mode 100644 Packs/Code42/Widgets/widget-Code42_High_Risk_Employee_Exfiltration_Last_30_Days.json delete mode 100644 Packs/Code42/Widgets/widget-Code42_High_Risk_Employees_List.json diff --git a/Packs/Code42/Scripts/Code42GetDepartingEmployees/CHANGELOG.md b/Packs/Code42/Scripts/Code42GetDepartingEmployees/CHANGELOG.md deleted file mode 100644 index 63439c17f377..000000000000 --- a/Packs/Code42/Scripts/Code42GetDepartingEmployees/CHANGELOG.md +++ /dev/null @@ -1,2 +0,0 @@ -## [Unreleased] -- diff --git a/Packs/Code42/Scripts/Code42GetDepartingEmployees/Code42GetDepartingEmployees.py b/Packs/Code42/Scripts/Code42GetDepartingEmployees/Code42GetDepartingEmployees.py deleted file mode 100644 index c7e79d211cfd..000000000000 --- a/Packs/Code42/Scripts/Code42GetDepartingEmployees/Code42GetDepartingEmployees.py +++ /dev/null 
@@ -1,37 +0,0 @@ -import demistomock as demisto -from CommonServerPython import * - - -def _get_departing_employees(): - command_result = demisto.executeCommand("code42-departingemployee-get-all", {}) - if not command_result: - return [] - - return command_result[0]["Contents"] - - -def get_departing_employees(): - res = {"total": 0} - res_data = [] - - try: - employees = _get_departing_employees() - res["total"] = len(employees) - - # Get each employee on the Departing Employee List. - for employee in employees: - username = employee.get("userName") - employee_res = {"Username": username} - res_data.append(employee_res) - - res["data"] = res_data - demisto.results(res) - except Exception as e: - res["total"] = -1 - res["data"] = str(e) - - # Submit final results to Cortex XSOAR - demisto.results(res) - -if __name__ in ("__main__", "__builtin__", "builtins"): - get_departing_employees() diff --git a/Packs/Code42/Scripts/Code42GetDepartingEmployees/Code42GetDepartingEmployees.yml b/Packs/Code42/Scripts/Code42GetDepartingEmployees/Code42GetDepartingEmployees.yml deleted file mode 100644 index 88e08fdfa6fd..000000000000 --- a/Packs/Code42/Scripts/Code42GetDepartingEmployees/Code42GetDepartingEmployees.yml +++ /dev/null @@ -1,18 +0,0 @@ -comment: Gets all departing employees and alerts for each. -commonfields: - id: Code42GetDepartingEmployees - version: -1 -dependson: - must: - - Code42|||code42-departingemployee-get-all -dockerimage: demisto/py42:1.0.0.9653 -enabled: true -name: Code42GetDepartingEmployees -pswd: "" -runas: DBotWeakRole -runonce: false -script: '' -scripttarget: 0 -subtype: python3 -tags: ['dynamic-section', 'widget'] -type: python diff --git a/Packs/Code42/Scripts/Code42GetDepartingEmployees/README.md b/Packs/Code42/Scripts/Code42GetDepartingEmployees/README.md deleted file mode 100644 index e69de29bb2d1..000000000000 
diff --git a/Packs/Code42/Scripts/Code42GetHighRiskEmployees/CHANGELOG.md b/Packs/Code42/Scripts/Code42GetHighRiskEmployees/CHANGELOG.md deleted file mode 100644 index 63439c17f377..000000000000 --- a/Packs/Code42/Scripts/Code42GetHighRiskEmployees/CHANGELOG.md +++ /dev/null @@ -1,2 +0,0 @@ -## [Unreleased] -- diff --git a/Packs/Code42/Scripts/Code42GetHighRiskEmployees/Code42GetHighRiskEmployees.py b/Packs/Code42/Scripts/Code42GetHighRiskEmployees/Code42GetHighRiskEmployees.py deleted file mode 100644 index 8039c6200c04..000000000000 --- a/Packs/Code42/Scripts/Code42GetHighRiskEmployees/Code42GetHighRiskEmployees.py +++ /dev/null @@ -1,42 +0,0 @@ -import demistomock as demisto -from CommonServerPython import * - - -def _get_departing_employees(risk_tags, filter_type): - tags = risk_tags.split(",") if risk_tags else None - filter_type = "OPEN" if not filter_type else filter_type - command_args = {"risktags": tags, "filtertype": filter_type} - command_result = demisto.executeCommand("code42-highriskemployee-get-all", command_args) - if not command_result: - return [] - - return command_result[0]["Contents"] - - -def get_departing_employees(): - res = {"total": 0} - res_data = [] - risk_tags = demisto.args().get("risktags") - filter_type = demisto.args().get("filtertype") - - try: - employees = _get_departing_employees(risk_tags, filter_type) - res["total"] = len(employees) - - # Get each employee on the High Risk Employee List. - for employee in employees: - username = employee["userName"] - employee_res = {"Username": username} - res_data.append(employee_res) - - res["data"] = res_data - demisto.results(res) - except Exception as e: - res["total"] = -1 - res["data"] = str(e) - - # Submit final results to Cortex XSOAR - demisto.results(res) - -if __name__ in ("__main__", "__builtin__", "builtins"): - get_departing_employees() 
diff --git a/Packs/Code42/Scripts/Code42GetHighRiskEmployees/Code42GetHighRiskEmployees.yml b/Packs/Code42/Scripts/Code42GetHighRiskEmployees/Code42GetHighRiskEmployees.yml deleted file mode 100644 index 14612b678b76..000000000000 --- a/Packs/Code42/Scripts/Code42GetHighRiskEmployees/Code42GetHighRiskEmployees.yml +++ /dev/null @@ -1,23 +0,0 @@ -args: -- defaultValue: - description: To limit results to those with the given risk tags. - name: risktags - type: number -comment: Gets all high risk employees and alerts for each. -commonfields: - id: Code42GetHighRiskEmployees - version: -1 -dependson: - must: - - Code42|||code42-highriskemployee-get-all -dockerimage: demisto/py42:1.0.0.9653 -enabled: true -name: Code42GetHighRiskEmployees -pswd: "" -runas: DBotWeakRole -runonce: false -script: '' -scripttarget: 0 -subtype: python3 -tags: ['dynamic-section', 'widget'] -type: python diff --git a/Packs/Code42/Scripts/Code42GetHighRiskEmployees/README.md b/Packs/Code42/Scripts/Code42GetHighRiskEmployees/README.md deleted file mode 100644 index e69de29bb2d1..000000000000 diff --git a/Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastThirtyDays/CHANGELOG.md b/Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastThirtyDays/CHANGELOG.md deleted file mode 100644 index 63439c17f377..000000000000 --- a/Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastThirtyDays/CHANGELOG.md +++ /dev/null @@ -1,2 +0,0 @@ -## [Unreleased] -- diff --git a/Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastThirtyDays/Code42HighRiskEmployeeExfiltrationLastThirtyDays.py b/Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastThirtyDays/Code42HighRiskEmployeeExfiltrationLastThirtyDays.py deleted file mode 100644 index b42cf31b73b8..000000000000 --- a/Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastThirtyDays/Code42HighRiskEmployeeExfiltrationLastThirtyDays.py +++ /dev/null 
@@ -1,15 +0,0 @@ -import demistomock as demisto -from CommonServerPython import * - - -def main(): - try: - employees = demisto.executeCommand("Code42GetHighRiskEmployees", - {"filtertype": "EXFILTRATION_30_DAYS"})[0]["Contents"] - demisto.results(employees) - except Exception as e: - demisto.results(-1) - - -if __name__ in ("__main__", "__builtin__", "builtins"): - main() diff --git a/Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastThirtyDays/Code42HighRiskEmployeeExfiltrationLastThirtyDays.yml b/Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastThirtyDays/Code42HighRiskEmployeeExfiltrationLastThirtyDays.yml deleted file mode 100644 index 9136dba57fb9..000000000000 --- a/Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastThirtyDays/Code42HighRiskEmployeeExfiltrationLastThirtyDays.yml +++ /dev/null @@ -1,20 +0,0 @@ -comment: Gets the total number of high-risk employees who exfiltrated files in the - last 30 days. -commonfields: - id: Code42HighRiskEmployeeExfiltrationLastThirtyDays - version: -1 -dependson: - must: - - Code42|||code42-departingemployee-get-all -dockerimage: demisto/py42:1.0.0.9653 -enabled: true -name: Code42HighRiskEmployeeExfiltrationLastThirtyDays -pswd: "" -runas: DBotWeakRole -runonce: false -script: '' -scripttarget: 0 -subtype: python3 -tags: -- widget -type: python diff --git a/Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastThirtyDays/README.md b/Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastThirtyDays/README.md deleted file mode 100644 index e69de29bb2d1..000000000000 diff --git a/Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastTwentyFourHours/CHANGELOG.md b/Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastTwentyFourHours/CHANGELOG.md deleted file mode 100644 index 63439c17f377..000000000000 --- a/Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastTwentyFourHours/CHANGELOG.md +++ /dev/null @@ -1,2 +0,0 @@ -## [Unreleased] -- 
diff --git a/Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastTwentyFourHours/Code42HighRiskEmployeeExfiltrationLastTwentyFourHours.py b/Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastTwentyFourHours/Code42HighRiskEmployeeExfiltrationLastTwentyFourHours.py deleted file mode 100644 index bbaca19c84d4..000000000000 --- a/Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastTwentyFourHours/Code42HighRiskEmployeeExfiltrationLastTwentyFourHours.py +++ /dev/null @@ -1,15 +0,0 @@ -import demistomock as demisto -from CommonServerPython import * - - -def main(): - try: - employees = demisto.executeCommand("Code42GetHighRiskEmployees", - {"filtertype": "EXFILTRATION_24_HOURS"})[0]["Contents"] - demisto.results(employees) - except Exception as e: - demisto.results(-1) - - -if __name__ in ("__main__", "__builtin__", "builtins"): - main() diff --git a/Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastTwentyFourHours/Code42HighRiskEmployeeExfiltrationLastTwentyFourHours.yml b/Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastTwentyFourHours/Code42HighRiskEmployeeExfiltrationLastTwentyFourHours.yml deleted file mode 100644 index f99e001eada8..000000000000 --- a/Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastTwentyFourHours/Code42HighRiskEmployeeExfiltrationLastTwentyFourHours.yml +++ /dev/null @@ -1,20 +0,0 @@ -comment: Gets the total number of high-risk employees who exfiltrated files in the - last 30 days. -commonfields: - id: Code42HighRiskEmployeeExfiltrationLastTwentyFourHours - version: -1 -dependson: - must: - - Code42|||code42-departingemployee-get-all -dockerimage: demisto/py42:1.0.0.9653 -enabled: true -name: Code42HighRiskEmployeeExfiltrationLastTwentyFourHours -pswd: "" -runas: DBotWeakRole -runonce: false -script: '' -scripttarget: 0 -subtype: python3 -tags: -- widget -type: python 
diff --git a/Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastTwentyFourHours/README.md b/Packs/Code42/Scripts/Code42HighRiskEmployeeExfiltrationLastTwentyFourHours/README.md deleted file mode 100644 index e69de29bb2d1..000000000000 diff --git a/Packs/Code42/Widgets/widget-Code42_Departing_Employees_List.json b/Packs/Code42/Widgets/widget-Code42_Departing_Employees_List.json deleted file mode 100644 index e8b1e71a48db..000000000000 --- a/Packs/Code42/Widgets/widget-Code42_Departing_Employees_List.json +++ /dev/null @@ -1,35 +0,0 @@ -{ - "category": "", - "dataType": "scripts", - "dateRange": { - "fromDate": "0001-01-01T00:00:00Z", - "fromDateLicense": "0001-01-01T00:00:00Z", - "period": { - "by": "", - "byFrom": "days", - "byTo": "", - "field": "", - "fromValue": null, - "toValue": null - }, - "toDate": "0001-01-01T00:00:00Z" - }, - "id": "Code42 Departing Employees List", - "isPredefined": false, - "name": "Code42 Departing Employees", - "params": { - "tableColumns": [ - { - "displayed": true, - "isDefault": true, - "key": "Username" - } - ] - }, - "query": "Code42GetDepartingEmployees", - "size": 0, - "sort": null, - "sortValues": null, - "version": -1, - "widgetType": "table" -} \ No newline at end of file diff --git a/Packs/Code42/Widgets/widget-Code42_High_Risk_Employee_Exfiltration_Last_24_Hours.json b/Packs/Code42/Widgets/widget-Code42_High_Risk_Employee_Exfiltration_Last_24_Hours.json deleted file mode 100644 index 803669f6e47c..000000000000 --- a/Packs/Code42/Widgets/widget-Code42_High_Risk_Employee_Exfiltration_Last_24_Hours.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "category": "", - "dataType": "scripts", - "dateRange": { - "fromDate": "0001-01-01T00:00:00Z", - "fromDateLicense": "0001-01-01T00:00:00Z", - "period": { - "by": "", - "byFrom": "days", - "byTo": "", - "field": "", - "fromValue": null, - "toValue": null - }, - "toDate": "0001-01-01T00:00:00Z" - }, - "id": "Code42 High Risk Employee Exfiltration Last 24 Hours", - "isPredefined": false, - "name": "Code42 High Risk Employee Exfiltration Last 24 Hours", - "params": { - "tableColumns": [ - { - "displayed": true, - "isDefault": true, - "key": "Username" - } - ] - }, - "query": "Code42HighRiskEmployeeExfiltrationLastTwentyFourHours", - "size": 0, - "sort": null, - "sortValues": null, - "version": -1, - "widgetType": "table" -} \ No newline at end of file diff --git a/Packs/Code42/Widgets/widget-Code42_High_Risk_Employee_Exfiltration_Last_30_Days.json b/Packs/Code42/Widgets/widget-Code42_High_Risk_Employee_Exfiltration_Last_30_Days.json deleted file mode 100644 index b798c41ad688..000000000000 --- a/Packs/Code42/Widgets/widget-Code42_High_Risk_Employee_Exfiltration_Last_30_Days.json +++ /dev/null @@ -1,35 +0,0 @@ -{ - "category": "", - "dataType": "scripts", - "dateRange": { - "fromDate": "0001-01-01T00:00:00Z", - "fromDateLicense": "0001-01-01T00:00:00Z", - "period": { - "by": "", - "byFrom": "days", - "byTo": "", - "field": "", - "fromValue": null, - "toValue": null - }, - "toDate": "0001-01-01T00:00:00Z" - }, - "id": "Code42 High Risk Employee Exfiltration Last 30 Days", - "isPredefined": false, - "name": "Code42 High Risk Employee Exfiltration Last 30 Days", - "params": { - "tableColumns": [ - { - "displayed": true, - "isDefault": true, - "key": "Username" - } - ] - }, - "query": "Code42HighRiskEmployeeExfiltrationLastThirtyDays", - "size": 0, - "sort": null, - "sortValues": null, - "version": -1, - "widgetType": "table" -} \ No newline at end of file 
diff --git a/Packs/Code42/Widgets/widget-Code42_High_Risk_Employees_List.json b/Packs/Code42/Widgets/widget-Code42_High_Risk_Employees_List.json deleted file mode 100644 index a74e644c4f67..000000000000 --- a/Packs/Code42/Widgets/widget-Code42_High_Risk_Employees_List.json +++ /dev/null @@ -1,40 +0,0 @@ -{ - "category": "", - "dataType": "scripts", - "dateRange": { - "fromDate": "0001-01-01T00:00:00Z", - "fromDateLicense": "0001-01-01T00:00:00Z", - "period": { - "by": "", - "byFrom": "days", - "byTo": "", - "field": "", - "fromValue": null, - "toValue": null - }, - "toDate": "0001-01-01T00:00:00Z" - }, - "id": "Code42 High Risk Employees List", - "isPredefined": false, - "name": "Code42 High Risk Employees", - "params": { - "tableColumns": [ - { - "displayed": true, - "isDefault": true, - "key": "Username" - }, - { - "displayed": true, - "isDefault": true, - "key": "ExposureEvents" - } - ] - }, - "query": "Code42GetHighRiskEmployees", - "size": 0, - "sort": null, - "sortValues": null, - "version": -1, - "widgetType": "table" -} \ No newline at end of file From c68202b7387ba3eed27fa971112b30e71ebc3533 Mon Sep 17 00:00:00 2001 From: Juliya Smith Date: Thu, 9 Jul 2020 15:27:26 +0000 Subject: [PATCH 18/26] Update search alerts --- Packs/Code42/Integrations/Code42/Code42.py | 36 +++++++++++----------- 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/Packs/Code42/Integrations/Code42/Code42.py b/Packs/Code42/Integrations/Code42/Code42.py index 024e6e6953a3..c4649aba6132 100644 --- a/Packs/Code42/Integrations/Code42/Code42.py +++ b/Packs/Code42/Integrations/Code42/Code42.py 
@@ -671,25 +671,24 @@ def alert_resolve_command(client, args):
 
 
 def alert_search_command(client, args):
-    username = args["username"]
-    try:
-        alerts = client.search_alerts(username)
-        alert_context = []
-        for alert in alerts:
-            alert_context.append(map_to_code42_alert_context(alert))
-        readable_outputs = tableToMarkdown(
-            "Code42 Security Alert Search",
-            alert_context,
-            headers=SECURITY_ALERT_HEADERS,
-        )
-        return (
-            readable_outputs,
-            {"Code42.SecurityAlert": alert_context},
-            alerts
-        )
+    username = args.get("username")
+    alerts = client.search_alerts(username)
+    alert_context = []
+    for alert in alerts:
+        alert_context.append(map_to_code42_alert_context(alert))
+    readable_outputs = tableToMarkdown(
+        "Code42 Security Alert Search",
+        alert_context,
+        headers=SECURITY_ALERT_HEADERS,
+    )
+    return CommandResults(
+        outputs_prefix="Code42.SecurityAlert",
+        outputs_key_field="ID",
+        outputs=alert_context,
+        readable_output=readable_outputs,
+        raw_response=alerts
+    )
 
-    except Exception as e:
-        return_error(create_command_error_message(demisto.command(), e))
 
 @logger
 def departingemployee_add_command(client, args):
@@ -1131,6 +1130,7 @@ def get_command_map():
     return {
         "code42-alert-get": alert_get_command,
         "code42-alert-resolve": alert_resolve_command,
+        "code42-alert-search": alert_search_command,
         "code42-securitydata-search": securitydata_search_command,
         "code42-departingemployee-add": departingemployee_add_command,
         "code42-departingemployee-remove": departingemployee_remove_command,
From b8f7dd5da0889ea31fade2f3c0bcd900664ff19d Mon Sep 17 00:00:00 2001 From: Juliya Smith Date: Thu, 9 Jul 2020 15:37:47 +0000 Subject: [PATCH 19/26] Test --- .../Code42/Integrations/Code42/Code42_test.py | 39 +++++++++---------- 1 file changed, 19 insertions(+), 20 deletions(-)
diff --git a/Packs/Code42/Integrations/Code42/Code42_test.py b/Packs/Code42/Integrations/Code42/Code42_test.py
index 166a97880f31..c55e7f9bac2f 100644
--- a/Packs/Code42/Integrations/Code42/Code42_test.py
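Review bot: `username = args.get("username")` lets a missing argument fall through to `client.search_alerts(None)`, and because the same hunk removes the `try`/`except` wrapper, whatever `AlertActor.eq(None)` produces is no longer turned into a command error; either keep `args["username"]` so a missing required argument fails loudly, or guard it with `if not username: raise ValueError("username is required")` before the search. The error path presumably now relies on `main()` catching exceptions for every command, as the neighbouring `CommandResults`-returning commands do, but that caller is outside the hunk. The append loop would also read better as `alert_context = [map_to_code42_alert_context(alert) for alert in alerts]`. Note that PATCH 21 later in this series removes `alert_search_command` and `search_alerts` entirely, so this only matters if the command is reinstated.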
+++ b/Packs/Code42/Integrations/Code42/Code42_test.py 
@@ -355,45 +355,43 @@ "type$": "ALERT_SUMMARY", "tenantId": "1d700000-af5b-4231-9d8e-df6434d00000", "type": "FED_ENDPOINT_EXFILTRATION", - "name": "Exposure on an endpoint", - "description": "This default rule alerts you when departing employees move data from an endpoint.", - "actor": "test.testerson@example.com", + "name": "Departing Employee Alert", + "description": "Cortex XSOAR is cool.", + "actor": "user1@example.com", "target": "N/A", "severity": "HIGH", "ruleId": "9befe477-3487-40b7-89a6-bbcced4cf1fe", "ruleSource": "Departing Employee", - "id": "fbeaabc1-9205-4620-ad53-95d0633429a3", - "createdAt": "2020-05-04T20:46:45.8106280Z", + "id": "36fb8ca5-0533-4d25-9763-e09d35d60610", + "createdAt": "2019-10-02T17:02:23.5867670Z", "state": "OPEN" }, { "type$": "ALERT_SUMMARY", "tenantId": "1d700000-af5b-4231-9d8e-df6434d00000", - "type": "FED_ENDPOINT_EXFILTRATION", - "name": "Exposure on an endpoint", - "description": "This default rule alerts you when departing employees move data from an endpoint.", - "actor": "test.testerson@example.com", + "type": "FED_CLOUD_SHARE_PERMISSIONS", + "name": "High-Risk Employee Alert", + "actor": "user2@example.com", "target": "N/A", - "severity": "LOW", + "severity": "MEDIUM", "ruleId": "9befe477-3487-40b7-89a6-bbcced4cf1fe", "ruleSource": "Departing Employee", - "id": "6bb7ca1e-c8cf-447d-a732-9652869e42d0", - "createdAt": "2020-05-04T20:35:54.2400240Z", + "id": "18ac641d-7d9c-4d37-a48f-c89396c07d03", + "createdAt": "2019-10-02T17:02:24.2071980Z", "state": "OPEN" }, { "type$": "ALERT_SUMMARY", "tenantId": "1d700000-af5b-4231-9d8e-df6434d00000", "type": "FED_ENDPOINT_EXFILTRATION", - "name": "Exposure on an endpoint", - "description": "This default rule alerts you when departing employees move data from an endpoint.", - "actor": "test.testerson@example.com", + "name": "Custom Alert 1", + "actor": "user3@example.com", "target": "N/A", - "severity": "HIGH", + "severity": "LOW", "ruleId": "9befe477-3487-40b7-89a6-bbcced4cf1fe", 
"ruleSource": "Departing Employee", - "id": "c2c3aef3-8fd9-4e7a-a04e-16bec9e27625", - "createdAt": "2020-05-04T20:19:34.7121300Z", + "id": "3137ff1b-b824-42e4-a476-22bccdd8ddb8", + "createdAt": "2019-10-02T17:03:28.2885720Z", "state": "OPEN" } ], @@ -1286,8 +1284,9 @@ def test_alert_resolve_command(code42_alerts_mock): def test_alert_search_command(code42_alerts_mock): client = create_client(code42_alerts_mock) - _, _, res = alert_search_command(client, {"username": "user1@example.com"}) - assert res == json.loads(MOCK_ALERTS_RESPONSE)["alerts"] + cmd_res = alert_search_command(client, {"username": "user1@example.com"}) + assert cmd_res.raw_response == json.loads(MOCK_ALERTS_RESPONSE)["alerts"] + assert cmd_res.outputs == MOCK_CODE42_ALERT_CONTEXT def test_departingemployee_add_command(code42_sdk_mock): From dfd4fd3985e1bc979170fc71dc7446b90e118404 Mon Sep 17 00:00:00 2001 From: Juliya Smith Date: Thu, 9 Jul 2020 15:44:31 +0000 Subject: [PATCH 20/26] Filter type param to de get all --- Packs/Code42/Integrations/Code42/Code42.py | 7 ++++--- Packs/Code42/Integrations/Code42/Code42.yml | 12 ++++++++++++ 2 files changed, 16 insertions(+), 3 deletions(-) diff --git a/Packs/Code42/Integrations/Code42/Code42.py b/Packs/Code42/Integrations/Code42/Code42.py index c4649aba6132..1632d76b77e9 100644 --- a/Packs/Code42/Integrations/Code42/Code42.py +++ b/Packs/Code42/Integrations/Code42/Code42.py 
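Review bot: `test_alert_search_command` asserts `raw_response` and `outputs` but not the context path, unlike the neighbouring `test_alert_resolve_command`, which (per the context shown in PATCH 21's hunk) checks `outputs_key_field == "ID"`; add `assert cmd_res.outputs_prefix == "Code42.SecurityAlert"` and `assert cmd_res.outputs_key_field == "ID"` so the context path downstream playbooks key on is pinned. In the mock-data hunk above, the second and third alert summaries no longer carry a `description` field; if `map_to_code42_alert_context` indexes that key rather than using `.get`, `MOCK_CODE42_ALERT_CONTEXT` has to be kept in step, but the mapper is not visible from here.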
@@ -193,10 +193,10 @@ def remove_user_from_departing_employee(self, username):
         self._get_sdk().detectionlists.departing_employee.remove(user_id)
         return user_id
 
-    def get_all_departing_employees(self, results):
+    def get_all_departing_employees(self, results, filter_type):
         res = []
         results = int(results) if results else None
-        pages = self._get_sdk().detectionlists.departing_employee.get_all()
+        pages = self._get_sdk().detectionlists.departing_employee.get_all(filter_type=filter_type)
         for page in pages:
             # Note: page is a `Py42Response` and has no `get()` method.
             employees = page["items"]
@@ -733,7 +733,8 @@ def departingemployee_remove_command(client, args):
 @logger
 def departingemployee_get_all_command(client, args):
     results = args.get("results") or 50
-    employees = client.get_all_departing_employees(results)
+    filter_type = args.get("filtertype")
+    employees = client.get_all_departing_employees(results, filter_type)
     if not employees:
         return CommandResults(
             readable_output="No results found",
diff --git a/Packs/Code42/Integrations/Code42/Code42.yml b/Packs/Code42/Integrations/Code42/Code42.yml
index e7e9479a7a60..7b80afd63512 100644
--- a/Packs/Code42/Integrations/Code42/Code42.yml
+++ b/Packs/Code42/Integrations/Code42/Code42.yml
@@ -356,6 +356,18 @@ script:
       name: results
       required: false
       secret: false
+    - auto: PREDEFINED
+      default: true
+      defaultValue: OPEN
+      description: Filters the results based on specific filters.
+      isArray: false
+      name: filtertype
+      predefined:
+      - EXFILTRATION_30_DAYS
+      - EXFILTRATION_24_HOURS
+      - OPEN
+      required: false
+      secret: false
     deprecated: false
     description: Get all employees on the Departing Employee List.
     execution: false
From 8e797530da3e195d0ac1a3f9b4994b7f43bc01c2 Mon Sep 17 00:00:00 2001
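Review bot: `get_all_departing_employees` gains a required positional `filter_type` with no default, and `departingemployee_get_all_command` passes `args.get("filtertype")`, which is `None` when the argument is absent; the `defaultValue: OPEN` in the yml is applied by the UI form only, so programmatic callers (playbooks, `executeCommand`) that omit it end up calling `get_all(filter_type=None)`, which presumably replaces py42's own default rather than inheriting it. Suggested: `def get_all_departing_employees(self, results, filter_type="OPEN"):` and `filter_type = args.get("filtertype") or "OPEN"`, so both the client method and the command degrade to the open list and any other caller of the old two-argument form keeps working. Both functions extend beyond their hunks, so the rest of the pagination and output handling is not visible here.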
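Review bot: The `description` for the new `filtertype` argument, `Filters the results based on specific filters.`, restates the argument name without telling the analyst what the three `predefined` values select; something like `description: Which Departing Employee list members to return - OPEN (all active members) or only those with exfiltration activity in the last 30 days / 24 hours.` would do, with the exact semantics of the two exfiltration values confirmed against the py42 documentation since they are only inferable from the names here.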
From: Juliya Smith Date: Thu, 9 Jul 2020 17:09:50 +0000 Subject: [PATCH 21/26] Remove alert search from pr --- Packs/Code42/Integrations/Code42/Code42.py | 25 --------- .../Code42/Integrations/Code42/Code42_test.py | 8 --- Packs/Code42/Integrations/Code42/README.md | 51 +++++++++++++++++++ 3 files changed, 51 insertions(+), 33 deletions(-) diff --git a/Packs/Code42/Integrations/Code42/Code42.py b/Packs/Code42/Integrations/Code42/Code42.py index 1632d76b77e9..3e8587b73b49 100644 --- a/Packs/Code42/Integrations/Code42/Code42.py +++ b/Packs/Code42/Integrations/Code42/Code42.py @@ -248,10 +248,6 @@ def fetch_alerts(self, start_time, event_severity_filter): res = self._get_sdk().alerts.search(query) return res["alerts"] - def search_alerts(self, username): - query = AlertQuery(AlertActor.eq(username)) - return self._sdk.alerts.search(query)["alerts"] - def get_alert_details(self, alert_id): res = self._get_sdk().alerts.get_details(alert_id)["alerts"] if not res: @@ -670,26 +666,6 @@ def alert_resolve_command(client, args): ) -def alert_search_command(client, args): - username = args.get("username") - alerts = client.search_alerts(username) - alert_context = [] - for alert in alerts: - alert_context.append(map_to_code42_alert_context(alert)) - readable_outputs = tableToMarkdown( - "Code42 Security Alert Search", - alert_context, - headers=SECURITY_ALERT_HEADERS, - ) - return CommandResults( - outputs_prefix="Code42.SecurityAlert", - outputs_key_field="ID", - outputs=alert_context, - readable_output=readable_outputs, - raw_response=alerts - ) - - @logger def departingemployee_add_command(client, args): departing_date = args.get("departuredate") 
@@ -1131,7 +1107,6 @@ def get_command_map(): return { "code42-alert-get": alert_get_command, "code42-alert-resolve": alert_resolve_command, - "code42-alert-search": alert_search_command, "code42-securitydata-search": securitydata_search_command, "code42-departingemployee-add": departingemployee_add_command, "code42-departingemployee-remove": departingemployee_remove_command, diff --git a/Packs/Code42/Integrations/Code42/Code42_test.py b/Packs/Code42/Integrations/Code42/Code42_test.py index c55e7f9bac2f..ebac4768b895 100644 --- a/Packs/Code42/Integrations/Code42/Code42_test.py +++ b/Packs/Code42/Integrations/Code42/Code42_test.py @@ -12,7 +12,6 @@ map_to_file_context, alert_get_command, alert_resolve_command, - alert_search_command, departingemployee_add_command, departingemployee_remove_command, departingemployee_get_all_command, @@ -1282,13 +1281,6 @@ def test_alert_resolve_command(code42_alerts_mock): assert cmd_res.outputs_key_field == "ID" -def test_alert_search_command(code42_alerts_mock): - client = create_client(code42_alerts_mock) - cmd_res = alert_search_command(client, {"username": "user1@example.com"}) - assert cmd_res.raw_response == json.loads(MOCK_ALERTS_RESPONSE)["alerts"] - assert cmd_res.outputs == MOCK_CODE42_ALERT_CONTEXT - - def test_departingemployee_add_command(code42_sdk_mock): client = create_client(code42_sdk_mock) date = "2020-01-01" diff --git a/Packs/Code42/Integrations/Code42/README.md b/Packs/Code42/Integrations/Code42/README.md index d9f6ed54fcb5..1991438fe8f6 100644 --- a/Packs/Code42/Integrations/Code42/README.md +++ b/Packs/Code42/Integrations/Code42/README.md 
@@ -170,6 +170,57 @@ Resolves a Code42 Security alert. | eb272d18-bc82-4680-b570-ac5d61c6cca6 | +### code42-alert-get +*** +Retrieve alert details by alert ID + + +#### Base Command + +`code42-alert-search` +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| id | The alert ID to retrieve. Alert IDs are associated with alerts that are fetched via fetch-incidents. | Required | + + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| Code42.SecurityAlert.Username | string | The username associated with the alert. | +| Code42.SecurityAlert.Occurred | date | The timestamp when the alert occurred. | +| Code42.SecurityAlert.Description | string | The description of the alert. | +| Code42.SecurityAlert.ID | string | The alert ID. | +| Code42.SecurityAlert.Name | string | The alert rule name that generated the alert. | +| Code42.SecurityAlert.State | string | The alert state. | +| Code42.SecurityAlert.Type | string | The alert type. | +| Code42.SecurityAlert.Severity | string | The severity of the alert. | + + +#### Command Example +```!code42-alert-get id="a23557a7-8ca9-4ec6-803f-6a46a2aeca62"``` + +#### Human Readable Output + +| **Type** | **Occurred** | **Username** | **Name** | **Description** | **State** | **ID** | +| --- | --- | --- | --- | --- | --- | --- | +| FED\_CLOUD\_SHARE_PERMISSIONS | 2019-10-08T17:38:19.0801650Z | john.user@123.org | Google Drive - Public via Direct Link | Alert for public Google Drive files | OPEN | a23557a7-8ca9-4ec6-803f-6a46a2aeca62 | + + + + + + + + + + + + + + ### code42-departingemployee-add *** Adds a user to the Departing Employee List. From 27a2f134b834fd3d816bae2188c42dd49bf52c92 Mon Sep 17 00:00:00 2001 From: Juliya Smith Date: Thu, 9 Jul 2020 17:10:13 +0000 Subject: [PATCH 22/26] Remove readme changes --- Packs/Code42/Integrations/Code42/README.md | 51 ---------------------- 1 file changed, 51 deletions(-) 
diff --git a/Packs/Code42/Integrations/Code42/README.md b/Packs/Code42/Integrations/Code42/README.md index 1991438fe8f6..d9f6ed54fcb5 100644 --- a/Packs/Code42/Integrations/Code42/README.md +++ b/Packs/Code42/Integrations/Code42/README.md @@ -170,57 +170,6 @@ Resolves a Code42 Security alert. | eb272d18-bc82-4680-b570-ac5d61c6cca6 | -### code42-alert-get -*** -Retrieve alert details by alert ID - - -#### Base Command - -`code42-alert-search` -#### Input - -| **Argument Name** | **Description** | **Required** | -| --- | --- | --- | -| id | The alert ID to retrieve. Alert IDs are associated with alerts that are fetched via fetch-incidents. | Required | - - -#### Context Output - -| **Path** | **Type** | **Description** | -| --- | --- | --- | -| Code42.SecurityAlert.Username | string | The username associated with the alert. | -| Code42.SecurityAlert.Occurred | date | The timestamp when the alert occurred. | -| Code42.SecurityAlert.Description | string | The description of the alert. | -| Code42.SecurityAlert.ID | string | The alert ID. | -| Code42.SecurityAlert.Name | string | The alert rule name that generated the alert. | -| Code42.SecurityAlert.State | string | The alert state. | -| Code42.SecurityAlert.Type | string | The alert type. | -| Code42.SecurityAlert.Severity | string | The severity of the alert. | - - -#### Command Example -```!code42-alert-get id="a23557a7-8ca9-4ec6-803f-6a46a2aeca62"``` - -#### Human Readable Output - -| **Type** | **Occurred** | **Username** | **Name** | **Description** | **State** | **ID** | -| --- | --- | --- | --- | --- | --- | --- | -| FED\_CLOUD\_SHARE_PERMISSIONS | 2019-10-08T17:38:19.0801650Z | john.user@123.org | Google Drive - Public via Direct Link | Alert for public Google Drive files | OPEN | a23557a7-8ca9-4ec6-803f-6a46a2aeca62 | - - - - - - - - - - - - - - ### code42-departingemployee-add *** Adds a user to the Departing Employee List. From c39dcb679344614e07eb322e7f7d660f00f73493 Mon Sep 17 00:00:00 2001 
From: Juliya Smith Date: Thu, 9 Jul 2020 17:11:12 +0000 Subject: [PATCH 23/26] Remove unused import --- Packs/Code42/Integrations/Code42/Code42.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Packs/Code42/Integrations/Code42/Code42.py b/Packs/Code42/Integrations/Code42/Code42.py index 3e8587b73b49..12a486d1a8ac 100644 --- a/Packs/Code42/Integrations/Code42/Code42.py +++ b/Packs/Code42/Integrations/Code42/Code42.py @@ -20,7 +20,7 @@ FileCategory, ) from py42.sdk.queries.alerts.alert_query import AlertQuery -from py42.sdk.queries.alerts.filters import DateObserved, Severity, AlertState, Actor as AlertActor +from py42.sdk.queries.alerts.filters import DateObserved, Severity, AlertState # Disable insecure warnings requests.packages.urllib3.disable_warnings() From cfded62f87ac79435b48ded5f7adf13c7d62239b Mon Sep 17 00:00:00 2001 From: Juliya Smith Date: Thu, 9 Jul 2020 17:38:25 +0000 Subject: [PATCH 24/26] Add leaving today option --- Packs/Code42/Integrations/Code42/Code42.yml | 61 +-------------------- 1 file changed, 1 insertion(+), 60 deletions(-) diff --git a/Packs/Code42/Integrations/Code42/Code42.yml b/Packs/Code42/Integrations/Code42/Code42.yml index 24b3683ac57b..dcadbcf6ecc1 100644 --- a/Packs/Code42/Integrations/Code42/Code42.yml +++ b/Packs/Code42/Integrations/Code42/Code42.yml @@ -366,6 +366,7 @@ script: - EXFILTRATION_30_DAYS - EXFILTRATION_24_HOURS - OPEN + - LEAVING_TODAY required: false secret: false deprecated: false 
@@ -648,66 +649,6 @@ script: - contextPath: Code42.User.UserID description: The ID of a Code42 User. type: String - - arguments: - - default: false - description: The username of the user to add to the given legal hold matter. - isArray: false - name: username - required: true - secret: false - - default: false - description: The name of the legal hold matter to which to which the user will be added. - isArray: false - name: mattername - required: true - secret: false - deprecated: false - description: Adds a Code42 user to a legal hold matter. - execution: false - name: code42-legalhold-add-user - outputs: - - contextPath: Code42.LegalHold.UserID - description: The ID of a Code42 user. - type: Unknown - - contextPath: Code42.LegalHold.MatterID - description: The ID of a Code42 legal hold matter. - type: String - - contextPath: Code42.LegalHold.Username - description: A username for a Code42 user. - type: String - - contextPath: Code42.LegalHold.MatterName - description: A name for a Code42 legal hold matter. - type: String - - arguments: - - default: false - description: The username of the user to remove from the given legal hold matter. - isArray: false - name: username - required: true - secret: false - - default: false - description: The name of the legal hold matter from which to which the user will be removed. - isArray: false - name: mattername - required: true - secret: false - deprecated: false - description: Removes a Code42 user from a legal hold matter. - execution: false - name: code42-legalhold-remove-user - outputs: - - contextPath: Code42.LegalHold.UserID - description: The ID of a Code42 user. - type: Unknown - - contextPath: Code42.LegalHold.MatterID - description: The ID of a Code42 legal hold matter. - type: String - - contextPath: Code42.LegalHold.Username - description: A username for a Code42 user. - type: String - - contextPath: Code42.LegalHold.MatterName - description: A name for a Code42 legal hold matter. 
- type: String - arguments: - default: false description: Either the SHA256 or MD5 hash of the file. From 8ad02cad055ed990ba048f157bbc45aa09dac868 Mon Sep 17 00:00:00 2001 From: Juliya Smith Date: Thu, 9 Jul 2020 17:56:16 +0000 Subject: [PATCH 25/26] Default value enforcements --- Packs/Code42/Integrations/Code42/Code42.py | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/Packs/Code42/Integrations/Code42/Code42.py b/Packs/Code42/Integrations/Code42/Code42.py index ddd4e935f862..0b67b11a0251 100644 --- a/Packs/Code42/Integrations/Code42/Code42.py +++ b/Packs/Code42/Integrations/Code42/Code42.py @@ -195,7 +195,8 @@ def remove_user_from_departing_employee(self, username): def get_all_departing_employees(self, results, filter_type): res = [] - results = int(results) if results else None + results = int(results) if results else 50 + filter_type = filter_type if filter_type else "OPEN" pages = self._get_sdk().detectionlists.departing_employee.get_all(filter_type=filter_type) for page in pages: # Note: page is a `Py42Response` and has no `get()` method. @@ -232,7 +233,8 @@ def remove_user_risk_tags(self, username, risk_tags): def get_all_high_risk_employees(self, risk_tags, results, filter_type): risk_tags = _try_convert_str_list_to_list(risk_tags) - results = int(results) if results else None + results = int(results) if results else 50 + filter_type = filter_type if filter_type else "OPEN" res = [] pages = self._get_sdk().detectionlists.high_risk_employee.get_all(filter_type=filter_type) for page in pages: @@ -759,8 +761,8 @@ def departingemployee_remove_command(client, args): @logger def departingemployee_get_all_command(client, args): - results = args.get("results") or 50 - filter_type = args.get("filtertype") + results = args.get("results", 50) + filter_type = args.get("filtertype", "OPEN") employees = client.get_all_departing_employees(results, filter_type) if not employees: return CommandResults( 
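Review bot: The fallback values 50 and "OPEN" are now spelled out as literals in both layers — here in get_all_departing_employees and get_all_high_risk_employees, and again in departingemployee_get_all_command in this hunk and highriskemployee_get_all_command in the next one — so the two layers can drift apart silently. Hoisting them once, `DEFAULT_RESULTS = 50` and `DEFAULT_FILTER_TYPE = "OPEN"` at module level, and referencing the constants from all four places would keep them in step. Note that `args.get("results", 50)` only applies when the key is absent, so an argument present as an empty string still reaches the client as `""`; the client-side `if results else 50` is what actually covers that case, which deserves a one-line comment there such as `# the command layer passes "" for a present-but-empty arg, so default here as well`. `int(results)` still raises ValueError on a non-numeric argument, which surfaces without naming the offending value; if a clearer message is wanted, catch it and re-raise with the value included. Each of the enclosing functions continues outside its hunk.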
@@ -824,8 +826,8 @@ def highriskemployee_remove_command(client, args):
 @logger
 def highriskemployee_get_all_command(client, args):
 tags = args.get("risktags")
- results = args.get("results") or 50
- filter_type = args.get("filtertype")
+ results = args.get("results", 50)
+ filter_type = args.get("filtertype", "OPEN")
 employees = client.get_all_high_risk_employees(tags, results, filter_type)
 if not employees:
 return CommandResults(
From 8fc1388df8933337f7b80d1cea35080ca2cd114f Mon Sep 17 00:00:00 2001
From: Juliya Smith
Date: Thu, 9 Jul 2020 18:24:03 +0000
Subject: [PATCH 26/26] Put back?
---
 Packs/Code42/Integrations/Code42/Code42.yml | 60 +++++++++++++++++++++
 1 file changed, 60 insertions(+)
diff --git a/Packs/Code42/Integrations/Code42/Code42.yml b/Packs/Code42/Integrations/Code42/Code42.yml
index dcadbcf6ecc1..b1a4a0d73cc9 100644
--- a/Packs/Code42/Integrations/Code42/Code42.yml
+++ b/Packs/Code42/Integrations/Code42/Code42.yml
@@ -649,6 +649,66 @@ script: - contextPath: Code42.User.UserID description: The ID of a Code42 User. type: String + - arguments: + - default: false + description: The username of the user to add to the given legal hold matter. + isArray: false + name: username + required: true + secret: false + - default: false + description: The name of the legal hold matter to which to which the user will be added. + isArray: false + name: mattername + required: true + secret: false + deprecated: false + description: Adds a Code42 user to a legal hold matter. + execution: false + name: code42-legalhold-add-user + outputs: + - contextPath: Code42.LegalHold.UserID + description: The ID of a Code42 user. + type: Unknown + - contextPath: Code42.LegalHold.MatterID + description: The ID of a Code42 legal hold matter. + type: String + - contextPath: Code42.LegalHold.Username + description: A username for a Code42 user. + type: String + - contextPath: Code42.LegalHold.MatterName + description: A name for a Code42 legal hold matter. + type: String + - arguments: + - default: false + description: The username of the user to remove from the given legal hold matter. + isArray: false + name: username + required: true + secret: false + - default: false + description: The name of the legal hold matter from which to which the user will be removed. + isArray: false + name: mattername + required: true + secret: false + deprecated: false + description: Removes a Code42 user from a legal hold matter. + execution: false + name: code42-legalhold-remove-user + outputs: + - contextPath: Code42.LegalHold.UserID + description: The ID of a Code42 user. + type: Unknown + - contextPath: Code42.LegalHold.MatterID + description: The ID of a Code42 legal hold matter. + type: String + - contextPath: Code42.LegalHold.Username + description: A username for a Code42 user. + type: String + - contextPath: Code42.LegalHold.MatterName + description: A name for a Code42 legal hold matter. 
+ type: String - arguments: - default: false description: Either the SHA256 or MD5 hash of the file.
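Review bot: Both re-added argument descriptions carry a doubled phrase: `description: The name of the legal hold matter to which to which the user will be added.` should read `description: The name of the legal hold matter to which the user will be added.`, and the remove-user counterpart `from which to which the user will be removed` should read `from which the user will be removed`. `Code42.LegalHold.UserID` is typed `Unknown` in both commands while the three sibling context paths are `String` and the `Code42.User.UserID` output visible at the top of the hunk is also `String`; if the legal-hold user ID is the same kind of value, `type: Unknown` should become `type: String` so the context paths agree. This block appears to be the same text that patch 24 removed, so these wording and type issues predate this commit and were simply carried back in.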