From d85b25e8f47d4d192febec475ba7c75225c2f725 Mon Sep 17 00:00:00 2001
From: Juliya Smith
Date: Tue, 1 Sep 2020 14:47:22 +0000
Subject: [PATCH 1/6] Update docker tag
---
 Packs/Code42/Integrations/Code42/Code42.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Packs/Code42/Integrations/Code42/Code42.yml b/Packs/Code42/Integrations/Code42/Code42.yml
index c1efed0529d0..91f1dde2e469 100644
--- a/Packs/Code42/Integrations/Code42/Code42.yml
+++ b/Packs/Code42/Integrations/Code42/Code42.yml
@@ -805,7 +805,7 @@ script:
 - contextPath: Code42.DepartingEmployee.DepartureDate
 description: The departure date for the Departing Employee.
 type: Unknown
- dockerimage: demisto/py42:1.0.0.10664
+ dockerimage: demisto/py42:1.0.0.11140
 feed: false
 isfetch: true
 longRunning: false
From 3cdeba6bff8911b1f94cf71fe43e4a78f37d7cd2 Mon Sep 17 00:00:00 2001
From: Juliya Smith
Date: Tue, 1 Sep 2020 14:47:32 +0000
Subject: [PATCH 2/6] Use FileCategory constants
---
 Packs/Code42/Integrations/Code42/Code42.py | 24 +++++++++++-----------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/Packs/Code42/Integrations/Code42/Code42.py b/Packs/Code42/Integrations/Code42/Code42.py
index 0347abbc3263..dee591708131 100644
--- a/Packs/Code42/Integrations/Code42/Code42.py
+++ b/Packs/Code42/Integrations/Code42/Code42.py
@@ -87,18 +87,18 @@ }
 CODE42_FILE_CATEGORY_MAPPER = {
- "SourceCode": "SOURCE_CODE",
- "Audio": "AUDIO",
- "Executable": "EXECUTABLE",
- "Document": "DOCUMENT",
- "Image": "IMAGE",
- "PDF": "PDF",
- "Presentation": "PRESENTATION",
- "Script": "SCRIPT",
- "Spreadsheet": "SPREADSHEET",
- "Video": "VIDEO",
- "VirtualDiskImage": "VIRTUAL_DISK_IMAGE",
- "Archive": "ARCHIVE",
+ "SourceCode": FileCategory.SOURCE_CODE,
+ "Audio": FileCategory.AUDIO,
+ "Executable": FileCategory.EXECUTABLE,
+ "Document": FileCategory.DOCUMENT,
+ "Image": FileCategory.IMAGE,
+ "PDF": FileCategory.PDF,
+ "Presentation": FileCategory.PRESENTATION,
+ "Script": FileCategory.SCRIPT,
+ "Spreadsheet": FileCategory.SPREADSHEET,
+ "Video": FileCategory.VIDEO,
+ "VirtualDiskImage": FileCategory.VIRTUAL_DISK_IMAGE,
+ "Archive": FileCategory.ZIP,
 }
 SECURITY_EVENT_HEADERS = [
From be1aee9f1a55844531446482c6ae51882e057875 Mon Sep 17 00:00:00 2001
From: Juliya Smith
Date: Tue, 1 Sep 2020 14:52:14 +0000
Subject: [PATCH 3/6] Use Detection List filter constants
---
 Packs/Code42/Integrations/Code42/Code42.py | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/Packs/Code42/Integrations/Code42/Code42.py b/Packs/Code42/Integrations/Code42/Code42.py
index dee591708131..3a6d3e61e369 100644
--- a/Packs/Code42/Integrations/Code42/Code42.py
+++ b/Packs/Code42/Integrations/Code42/Code42.py
@@ -8,6 +8,8 @@ import py42.sdk
 import py42.settings
 from datetime import datetime
+from py42.services.detectionlists.departing_employee import DepartingEmployeeFilters
+from py42.services.detectionlists.high_risk_employee import HighRiskEmployeeFilters
 from py42.sdk.queries.fileevents.file_event_query import FileEventQuery
 from py42.sdk.queries.fileevents.filters import (
 MD5,
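Review bot: The `"Archive"` entry is the one mapping whose constant name no longer mirrors the removed string: it now reads `"Archive": FileCategory.ZIP,` where the previous literal was `"ARCHIVE"`. If `FileCategory.ZIP` does not evaluate to the same string the old literal did, this silently changes the value sent for the Archive category; a comment such as `# FileCategory has no ARCHIVE member; ZIP is the archive constant -- confirm its value matches the old "ARCHIVE" string` plus an assertion on the mapped value in the unit tests would pin it. The patch's diffstat shows no import change, so `FileCategory` is presumably already imported above this hunk; worth a glance that it is.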
@@ -198,7 +200,7 @@ def remove_user_from_departing_employee(self, username):
 def get_all_departing_employees(self, results, filter_type):
 res = []
 results = int(results) if results else 50
- filter_type = filter_type if filter_type else "OPEN"
+ filter_type = filter_type if filter_type else DepartingEmployeeFilters.OPEN
 pages = self._get_sdk().detectionlists.departing_employee.get_all(filter_type=filter_type)
 for page in pages:
 page_json = json.loads(page.text)
@@ -236,7 +238,7 @@ def remove_user_risk_tags(self, username, risk_tags):
 def get_all_high_risk_employees(self, risk_tags, results, filter_type):
 risk_tags = argToList(risk_tags)
 results = int(results) if results else 50
- filter_type = filter_type if filter_type else "OPEN"
+ filter_type = filter_type if filter_type else HighRiskEmployeeFilters.OPEN
 res = []
 pages = self._get_sdk().detectionlists.high_risk_employee.get_all(filter_type=filter_type)
 for page in pages:
@@ -801,7 +803,7 @@ def departingemployee_remove_command(client, args):
 @logger
 def departingemployee_get_all_command(client, args):
 results = args.get("results", 50)
- filter_type = args.get("filtertype", "OPEN")
+ filter_type = args.get("filtertype", DepartingEmployeeFilters.OPEN)
 employees = client.get_all_departing_employees(results, filter_type)
 if not employees:
 return CommandResults(
@@ -905,7 +907,7 @@ def highriskemployee_remove_command(client, args):
 def highriskemployee_get_all_command(client, args):
 tags = args.get("risktags")
 results = args.get("results", 50)
- filter_type = args.get("filtertype", "OPEN")
+ filter_type = args.get("filtertype", HighRiskEmployeeFilters.OPEN)
 employees = client.get_all_high_risk_employees(tags, results, filter_type)
 if not employees:
 return CommandResults(
From 9335eb8bb5c5727e4e77bdc6dcc0442dd160b19c Mon Sep 17 00:00:00 2001
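Review bot: A caller-supplied `filter_type` still flows straight into `get_all(filter_type=filter_type)` unvalidated; the new constants only replace the default, so a non-empty but unexpected value reaches the SDK exactly as before, both here and in the `get_all_high_risk_employees` hunk below. Checking the argument against the members of `DepartingEmployeeFilters` / `HighRiskEmployeeFilters` and raising a clear error would fail fast on a typo in `filtertype` instead of depending on the server's response. The same default is also spelled twice per list, once in the command handler (`args.get("filtertype", DepartingEmployeeFilters.OPEN)` in the two command hunks) and again in the client method, so one of the two could drop it. The enclosing methods and command functions continue outside these hunks.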
From: Juliya Smith
Date: Thu, 1 Sep 2020 16:17:49 +0000
Subject: [PATCH 4/6] Update release notes
---
 Packs/Code42/ReleaseNotes/2_0_4.md | 4 ++++
 Packs/Code42/pack_metadata.json | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)
 create mode 100644 Packs/Code42/ReleaseNotes/2_0_4.md
diff --git a/Packs/Code42/ReleaseNotes/2_0_4.md b/Packs/Code42/ReleaseNotes/2_0_4.md
new file mode 100644
index 000000000000..e3a06fe6cb2d
--- /dev/null
+++ b/Packs/Code42/ReleaseNotes/2_0_4.md
@@ -0,0 +1,4 @@
+
+#### Integrations
+##### Code42
+- Upgrade py42 dependency and internal code improvements.
diff --git a/Packs/Code42/pack_metadata.json b/Packs/Code42/pack_metadata.json
index 95e6a37217a1..2be3799f53c8 100644
--- a/Packs/Code42/pack_metadata.json
+++ b/Packs/Code42/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Code42",
 "description": "Use the Code42 integration to identify potential data exfiltration from insider threats while speeding investigation and response by providing fast access to file events and metadata across physical and cloud environments.",
 "support": "partner",
- "currentVersion": "2.0.3",
+ "currentVersion": "2.0.4",
 "author": "Code42",
 "url": "https://support.code42.com/Administrator/Cloud/Monitoring_and_managing",
 "email": "",
From 08e2d6979a7155dd5ceb05b6bff7cb0e72d7eb61 Mon Sep 17 00:00:00 2001
From: Juliya Smith
Date: Thu, 3 Sep 2020 20:52:32 +0000
Subject: [PATCH 5/6] Update release notes
---
 .../playbook-Code42_File_Download.yml | 381 +++++++++---------
 Packs/Code42/ReleaseNotes/2_0_4.md | 1 +
 2 files changed, 190 insertions(+), 192 deletions(-)
diff --git a/Packs/Code42/Playbooks/playbook-Code42_File_Download.yml b/Packs/Code42/Playbooks/playbook-Code42_File_Download.yml
index bfc58cd65030..e5e640b54151 100644
--- a/Packs/Code42/Playbooks/playbook-Code42_File_Download.yml
+++ b/Packs/Code42/Playbooks/playbook-Code42_File_Download.yml
@@ -1,75 +1,25 @@ -description: This playbook downloads a file via Code42 by either MD5 or SHA256 hash. id: Code42 File Download -inputs: -- description: MD5 hash to search for - key: MD5 - playbookInputQuery: - required: false - value: - complex: - accessor: MD5 - root: File - transformers: - - operator: uniq -- description: SHA256 hash to search for - key: SHA256 - playbookInputQuery: - required: false - value: - complex: - accessor: SHA256 - root: File - transformers: - - operator: uniq -- description: The name of the file to save as. - key: Filename - playbookInputQuery: - required: false - value: {} +version: 10 +vcShouldKeepItemLegacyProdMachine: false name: Code42 File Download -outputs: -- contextPath: File.Size - description: The size of the file. -- contextPath: File.SHA1 - description: The SHA1 hash of the file. -- contextPath: File.SHA256 - description: The SHA256 hash of the file. -- contextPath: File.Name - description: The name of the file. -- contextPath: File.SSDeep - description: The SSDeep hash of the file. -- contextPath: File.EntryID - description: The entry ID of the file. -- contextPath: File.Info - description: File information. -- contextPath: File.Type - description: The file type. -- contextPath: File.MD5 - description: The MD5 hash of the file. -- contextPath: File.Extension - description: The file extension. +description: This playbook downloads a file via Code42 by either MD5 or SHA256 hash. 
starttaskid: "0" tasks: "0": id: "0" - ignoreworker: false + taskid: f45944a7-0362-48e3-8adb-7022ef46ef0e + type: start + task: + id: f45944a7-0362-48e3-8adb-7022ef46ef0e + version: -1 + name: "" + iscommand: false + brand: "" nexttasks: '#none#': - "1" - note: false - quietmode: 0 + - "7" separatecontext: false - skipunavailable: false - task: - brand: "" - description: "" - id: f45944a7-0362-48e3-8adb-7022ef46ef0e - iscommand: false - name: "" - version: -1 - taskid: f45944a7-0362-48e3-8adb-7022ef46ef0e - timertriggers: [] - type: start view: |- { "position": { 
@@ -77,78 +27,78 @@ tasks: "y": 50 } } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 "1": + id: "1" + taskid: 22138dd2-186a-4001-83b5-006026235ffc + type: condition + task: + id: 22138dd2-186a-4001-83b5-006026235ffc + version: -1 + name: Is Code42 Integration Active? + description: Checks to see if a Code42 Integration is active. + type: condition + iscommand: false + brand: "" + nexttasks: + "yes": + - "3" + separatecontext: false conditions: - - condition: - - - left: - iscontext: true + - label: "yes" + condition: + - - operator: isExists + left: value: complex: + root: modules filters: - - - left: - iscontext: true + - - operator: isEqualString + left: value: simple: brand - operator: isEqualString + iscontext: true right: value: simple: Code42 - - - left: - iscontext: true + - - operator: isEqualString + left: value: simple: state - operator: isEqualString + iscontext: true right: value: simple: active - root: modules - operator: isExists - label: "yes" - id: "1" - ignoreworker: false - nexttasks: - "yes": - - "3" - note: false - quietmode: 0 - separatecontext: false - skipunavailable: false - task: - brand: "" - description: Checks to see if a Code42 Integration is active. - id: 22138dd2-186a-4001-83b5-006026235ffc - iscommand: false - name: Is Code42 Integration Active? 
- type: condition - version: -1 - taskid: 22138dd2-186a-4001-83b5-006026235ffc - timertriggers: [] - type: condition + iscontext: true view: |- { "position": { - "x": 377.5, + "x": 50, "y": 195 } } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 "3": - conditions: - - condition: - - - left: - iscontext: true - value: - simple: inputs.MD5 - operator: isNotEmpty - label: MD5 - - condition: - - - left: - iscontext: true - value: - simple: inputs.SHA256 - operator: isNotEmpty - label: SHA256 id: "3" - ignoreworker: false + taskid: 3d40417b-2a78-4c8d-877c-10fa9b4d9d84 + type: condition + task: + id: 3d40417b-2a78-4c8d-877c-10fa9b4d9d84 + version: -1 + name: What type of hash was supplied? + description: Check whether the values provided in arguments are equal. If either + of the arguments are missing, no is returned. + type: condition + iscommand: false + brand: "" nexttasks: '#default#': - "7" 
@@ -156,145 +106,192 @@ tasks: - "6" SHA256: - "5" - note: false - quietmode: 0 separatecontext: false - skipunavailable: false - task: - brand: "" - description: Check whether the values provided in arguments are equal. If either - of the arguments are missing, no is returned. - id: 3d40417b-2a78-4c8d-877c-10fa9b4d9d84 - iscommand: false - name: What type of hash was supplied? - type: condition - version: -1 - taskid: 3d40417b-2a78-4c8d-877c-10fa9b4d9d84 - timertriggers: [] - type: condition + conditions: + - label: MD5 + condition: + - - operator: isNotEmpty + left: + value: + simple: inputs.MD5 + iscontext: true + - label: SHA256 + condition: + - - operator: isNotEmpty + left: + value: + simple: inputs.SHA256 + iscontext: true view: |- { "position": { - "x": 377.5, + "x": 50, "y": 370 } } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 "5": - continueonerror: true - evidencedata: - customfields: {} - description: - simple: The file that caused the alert. id: "5" - ignoreworker: false + taskid: 3b2c3188-d267-4e9d-8f27-54993aa266ee + type: regular + task: + id: 3b2c3188-d267-4e9d-8f27-54993aa266ee + version: -1 + name: Code42 Download by SHA256 + description: Downloads a file from Code42 servers. + script: Code42|||code42-download-file + type: regular + iscommand: true + brand: Code42 nexttasks: '#none#': - "7" - note: false - quietmode: 0 scriptarguments: filename: simple: ${inputs.Filename} hash: simple: ${inputs.SHA256} + continueonerror: true separatecontext: false - skipunavailable: false - task: - brand: Code42 - description: Downloads a file from Code42 servers. 
- id: 3b2c3188-d267-4e9d-8f27-54993aa266ee - iscommand: true - name: Code42 Download by SHA256 - script: Code42|||code42-download-file - type: regular - version: -1 - taskid: 3b2c3188-d267-4e9d-8f27-54993aa266ee - timertriggers: [] - type: regular view: |- { "position": { - "x": 630, - "y": 600 + "x": 50, + "y": 545 } } - "6": - continueonerror: true + note: false evidencedata: - customfields: {} description: simple: The file that caused the alert. - id: "6" + customfields: {} + timertriggers: [] ignoreworker: false + skipunavailable: false + quietmode: 0 + "6": + id: "6" + taskid: 6b09d948-56b3-4236-87d5-06469c6a67b2 + type: regular + task: + id: 6b09d948-56b3-4236-87d5-06469c6a67b2 + version: -1 + name: Code42 Download by MD5 + description: Downloads a file from Code42 servers. + script: Code42|||code42-download-file + type: regular + iscommand: true + brand: Code42 nexttasks: '#none#': - "7" - note: false - quietmode: 0 scriptarguments: filename: simple: ${inputs.Filename} hash: simple: ${inputs.MD5} + continueonerror: true separatecontext: false - skipunavailable: false - task: - brand: Code42 - description: Downloads a file from Code42 servers. - id: 6b09d948-56b3-4236-87d5-06469c6a67b2 - iscommand: true - name: Code42 Download by MD5 - script: Code42|||code42-download-file - type: regular - version: -1 - taskid: 6b09d948-56b3-4236-87d5-06469c6a67b2 - timertriggers: [] - type: regular view: |- { "position": { - "x": 100, - "y": 590 + "x": 480, + "y": 545 } } - "7": - id: "7" - ignoreworker: false note: false - quietmode: 0 - separatecontext: false + evidencedata: + description: + simple: The file that caused the alert. 
+ customfields: {} + timertriggers: [] + ignoreworker: false skipunavailable: false + quietmode: 0 + "7": + id: "7" + taskid: a31058a7-f7d7-4c3b-8d52-633b15b8b385 + type: title task: - brand: "" - description: "" id: a31058a7-f7d7-4c3b-8d52-633b15b8b385 - iscommand: false + version: -1 name: Complete type: title - version: -1 - taskid: a31058a7-f7d7-4c3b-8d52-633b15b8b385 - timertriggers: [] - type: title + iscommand: false + brand: "" + separatecontext: false view: |- { "position": { - "x": 377.5, - "y": 775 + "x": 265, + "y": 720 } } -version: -1 + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 view: |- { "linkLabelsPosition": {}, "paper": { "dimensions": { - "height": 790, - "width": 910, - "x": 100, + "height": 735, + "width": 810, + "x": 50, "y": 50 } } } -fromversion: 5.0.0 -tests: -- No Test +inputs: +- key: MD5 + value: + complex: + root: File + accessor: MD5 + transformers: + - operator: uniq + required: false + description: MD5 hash to search for + playbookInputQuery: null +- key: SHA256 + value: + complex: + root: File + accessor: SHA256 + transformers: + - operator: uniq + required: false + description: SHA256 hash to search for + playbookInputQuery: null +- key: Filename + value: {} + required: false + description: The name of the file to save as. + playbookInputQuery: null +outputs: +- contextPath: File.Size + description: The size of the file. +- contextPath: File.SHA1 + description: The SHA1 hash of the file. +- contextPath: File.SHA256 + description: The SHA256 hash of the file. +- contextPath: File.Name + description: The name of the file. +- contextPath: File.SSDeep + description: The SSDeep hash of the file. +- contextPath: File.EntryID + description: The entry ID of the file. +- contextPath: File.Info + description: File information. +- contextPath: File.Type + description: The file type. +- contextPath: File.MD5 + description: The MD5 hash of the file. 
+- contextPath: File.Extension
+ description: The file extension.
diff --git a/Packs/Code42/ReleaseNotes/2_0_4.md b/Packs/Code42/ReleaseNotes/2_0_4.md
index e3a06fe6cb2d..4f108bf6588a 100644
--- a/Packs/Code42/ReleaseNotes/2_0_4.md
+++ b/Packs/Code42/ReleaseNotes/2_0_4.md
@@ -2,3 +2,4 @@
 #### Integrations
 ##### Code42
 - Upgrade py42 dependency and internal code improvements.
+- Add missing Else case to the Code42 Download File playbooks.
From 9d821744f716b7daf23cd3c69c1e2dd451473eda Mon Sep 17 00:00:00 2001
From: Juliya Smith
Date: Thu, 3 Sep 2020 20:53:40 +0000
Subject: [PATCH 6/6] Format playbook
---
 .../Playbooks/playbook-Code42_File_Download.yml | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/Packs/Code42/Playbooks/playbook-Code42_File_Download.yml b/Packs/Code42/Playbooks/playbook-Code42_File_Download.yml
index e5e640b54151..0a9fc6166f74 100644
--- a/Packs/Code42/Playbooks/playbook-Code42_File_Download.yml
+++ b/Packs/Code42/Playbooks/playbook-Code42_File_Download.yml
@@ -1,6 +1,5 @@
 id: Code42 File Download
-version: 10
-vcShouldKeepItemLegacyProdMachine: false
+version: -1
 name: Code42 File Download
 description: This playbook downloads a file via Code42 by either MD5 or SHA256 hash.
 starttaskid: "0"
@@ -15,6 +14,7 @@ tasks:
 name: ""
 iscommand: false
 brand: ""
+ description: ''
 nexttasks:
 '#none#':
 - "1"
@@ -223,6 +223,7 @@ tasks:
 type: title
 iscommand: false
 brand: ""
+ description: ''
 separatecontext: false
 view: |-
 {
@@ -258,7 +259,7 @@ inputs:
 - operator: uniq
 required: false
 description: MD5 hash to search for
- playbookInputQuery: null
+ playbookInputQuery:
 - key: SHA256
 value:
 complex:
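Review bot: The release note for this commit says a missing Else case was added, but the only control-flow change visible in this playbook file — in its first hunk — is the extra `- "7"` under the start task's `nexttasks`, which, as far as the visible lines show, links Start directly to the `Complete` title in parallel with the integration check; task `"1"` (`Is Code42 Integration Active?`) still carries only a `"yes"` branch, so the playbook now reaches Complete regardless of that check rather than through an else path. If an else case is the intent, the conventional form is a `'#default#':` entry with `- "7"` under task `"1"`'s `nexttasks`, and the Start-to-7 edge should go. Nearly all of the 381 changed lines in this file are key reordering, which buries that one-line logic change; splitting the reformat from the behaviour change would make it reviewable.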
@@ -268,12 +269,12 @@ inputs:
 - operator: uniq
 required: false
 description: SHA256 hash to search for
- playbookInputQuery: null
+ playbookInputQuery:
 - key: Filename
 value: {}
 required: false
 description: The name of the file to save as.
- playbookInputQuery: null
+ playbookInputQuery:
 outputs:
 - contextPath: File.Size
 description: The size of the file.
@@ -295,3 +296,6 @@ outputs:
 description: The MD5 hash of the file.
 - contextPath: File.Extension
 description: The file extension.
+fromversion: 5.0.0
+tests:
+- No Test
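Review bot: `tests:` is restored as `- No Test` in the last hunk, so no test playbook covers this playbook even though the preceding commit changed its task graph (the new edge out of the start task). A test playbook exercising the inactive-integration path and both hash inputs would catch a regression in that flow; if none is feasible, a sentence in the release notes saying why would help the next reviewer. The rest of this patch (`version: -1`, the empty `description: ''` entries, `playbookInputQuery:` without `null`) is formatting only.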