diff --git a/Packs/Code42/Integrations/Code42/Code42.py b/Packs/Code42/Integrations/Code42/Code42.py
index 0347abbc326..3a6d3e61e36 100644
--- a/Packs/Code42/Integrations/Code42/Code42.py
+++ b/Packs/Code42/Integrations/Code42/Code42.py
@@ -8,6 +8,8 @@
 import py42.sdk
 import py42.settings
 from datetime import datetime
+from py42.services.detectionlists.departing_employee import DepartingEmployeeFilters
+from py42.services.detectionlists.high_risk_employee import HighRiskEmployeeFilters
 from py42.sdk.queries.fileevents.file_event_query import FileEventQuery
 from py42.sdk.queries.fileevents.filters import (
 MD5,
@@ -87,18 +89,18 @@
 }
 
 CODE42_FILE_CATEGORY_MAPPER = {
- "SourceCode": "SOURCE_CODE",
- "Audio": "AUDIO",
- "Executable": "EXECUTABLE",
- "Document": "DOCUMENT",
- "Image": "IMAGE",
- "PDF": "PDF",
- "Presentation": "PRESENTATION",
- "Script": "SCRIPT",
- "Spreadsheet": "SPREADSHEET",
- "Video": "VIDEO",
- "VirtualDiskImage": "VIRTUAL_DISK_IMAGE",
- "Archive": "ARCHIVE",
+ "SourceCode": FileCategory.SOURCE_CODE,
+ "Audio": FileCategory.AUDIO,
+ "Executable": FileCategory.EXECUTABLE,
+ "Document": FileCategory.DOCUMENT,
+ "Image": FileCategory.IMAGE,
+ "PDF": FileCategory.PDF,
+ "Presentation": FileCategory.PRESENTATION,
+ "Script": FileCategory.SCRIPT,
+ "Spreadsheet": FileCategory.SPREADSHEET,
+ "Video": FileCategory.VIDEO,
+ "VirtualDiskImage": FileCategory.VIRTUAL_DISK_IMAGE,
+ "Archive": FileCategory.ZIP,
 }
 
 SECURITY_EVENT_HEADERS = [
@@ -198,7 +200,7 @@ def remove_user_from_departing_employee(self, username):
 def get_all_departing_employees(self, results, filter_type):
 res = []
 results = int(results) if results else 50
- filter_type = filter_type if filter_type else "OPEN"
+ filter_type = filter_type if filter_type else DepartingEmployeeFilters.OPEN
 pages = self._get_sdk().detectionlists.departing_employee.get_all(filter_type=filter_type)
 for page in pages:
 page_json = json.loads(page.text)
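Review bot: `"Archive": FileCategory.ZIP` is the only entry in CODE42_FILE_CATEGORY_MAPPER whose constant name does not mirror its key, and nothing in the hunk says why; a trailing comment such as `# py42 exposes the "Archive" category as FileCategory.ZIP` would stop the next reader from "correcting" it to a differently named constant that may not exist. The values also change from the old upper-snake literals ("SOURCE_CODE", "ARCHIVE", …) to whatever the FileCategory constants hold, so any code or test fixture that compared against those literals has to move with them. FileCategory is not among the names the import hunk adds; presumably it is already in the `from py42.sdk.queries.fileevents.filters import (` list, which is cut off after `MD5,` here — worth confirming before merge.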
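Review bot: `filter_type = filter_type if filter_type else DepartingEmployeeFilters.OPEN` is the long form of `filter_type = filter_type or DepartingEmployeeFilters.OPEN`; the same shape recurs in get_all_high_risk_employees with HighRiskEmployeeFilters.OPEN. Beyond style, a non-empty filter_type is still forwarded to get_all unchecked, so a caller-supplied value outside the set DepartingEmployeeFilters defines reaches the API and comes back as a py42 error rather than a clear argument error; this line, where the default is applied, is the cheapest place to reject it. The body of get_all_departing_employees continues past the hunk.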
@@ -236,7 +238,7 @@ def remove_user_risk_tags(self, username, risk_tags):
 def get_all_high_risk_employees(self, risk_tags, results, filter_type):
 risk_tags = argToList(risk_tags)
 results = int(results) if results else 50
- filter_type = filter_type if filter_type else "OPEN"
+ filter_type = filter_type if filter_type else HighRiskEmployeeFilters.OPEN
 res = []
 pages = self._get_sdk().detectionlists.high_risk_employee.get_all(filter_type=filter_type)
 for page in pages:
@@ -801,7 +803,7 @@ def departingemployee_remove_command(client, args):
 @logger
 def departingemployee_get_all_command(client, args):
 results = args.get("results", 50)
- filter_type = args.get("filtertype", "OPEN")
+ filter_type = args.get("filtertype", DepartingEmployeeFilters.OPEN)
 employees = client.get_all_departing_employees(results, filter_type)
 if not employees:
 return CommandResults(
@@ -905,7 +907,7 @@ def highriskemployee_remove_command(client, args):
 def highriskemployee_get_all_command(client, args):
 tags = args.get("risktags")
 results = args.get("results", 50)
- filter_type = args.get("filtertype", "OPEN")
+ filter_type = args.get("filtertype", HighRiskEmployeeFilters.OPEN)
 employees = client.get_all_high_risk_employees(tags, results, filter_type)
 if not employees:
 return CommandResults(
diff --git a/Packs/Code42/Integrations/Code42/Code42.yml b/Packs/Code42/Integrations/Code42/Code42.yml
index c1efed0529d..91f1dde2e46 100644
--- a/Packs/Code42/Integrations/Code42/Code42.yml
+++ b/Packs/Code42/Integrations/Code42/Code42.yml
@@ -805,7 +805,7 @@ script:
 - contextPath: Code42.DepartingEmployee.DepartureDate
 description: The departure date for the Departing Employee.
 type: Unknown
- dockerimage: demisto/py42:1.0.0.10664
+ dockerimage: demisto/py42:1.0.0.11140
 feed: false
 isfetch: true
 longRunning: false
diff --git a/Packs/Code42/Playbooks/playbook-Code42_File_Download.yml b/Packs/Code42/Playbooks/playbook-Code42_File_Download.yml
index bfc58cd6503..0a9fc6166f7 100644
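Review bot: `args.get("filtertype", DepartingEmployeeFilters.OPEN)` applies the default only when the key is absent; a filtertype argument that is present but empty arrives as "", and it is then get_all_departing_employees that turns it into OPEN, so the default now lives in two places with different triggers. Either `filter_type = args.get("filtertype") or DepartingEmployeeFilters.OPEN` here, or dropping the fallback from the client method, would leave a single source of truth; the same pairing exists in highriskemployee_get_all_command with HighRiskEmployeeFilters.OPEN. The body of departingemployee_get_all_command continues past the hunk.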
--- a/Packs/Code42/Playbooks/playbook-Code42_File_Download.yml
+++ b/Packs/Code42/Playbooks/playbook-Code42_File_Download.yml
@@ -1,75 +1,25 @@ -description: This playbook downloads a file via Code42 by either MD5 or SHA256 hash. id: Code42 File Download -inputs: -- description: MD5 hash to search for - key: MD5 - playbookInputQuery: - required: false - value: - complex: - accessor: MD5 - root: File - transformers: - - operator: uniq -- description: SHA256 hash to search for - key: SHA256 - playbookInputQuery: - required: false - value: - complex: - accessor: SHA256 - root: File - transformers: - - operator: uniq -- description: The name of the file to save as. - key: Filename - playbookInputQuery: - required: false - value: {} +version: -1 name: Code42 File Download -outputs: -- contextPath: File.Size - description: The size of the file. -- contextPath: File.SHA1 - description: The SHA1 hash of the file. -- contextPath: File.SHA256 - description: The SHA256 hash of the file. -- contextPath: File.Name - description: The name of the file. -- contextPath: File.SSDeep - description: The SSDeep hash of the file. -- contextPath: File.EntryID - description: The entry ID of the file. -- contextPath: File.Info - description: File information. -- contextPath: File.Type - description: The file type. -- contextPath: File.MD5 - description: The MD5 hash of the file. -- contextPath: File.Extension - description: The file extension. +description: This playbook downloads a file via Code42 by either MD5 or SHA256 hash. starttaskid: "0" tasks: "0": id: "0" - ignoreworker: false + taskid: f45944a7-0362-48e3-8adb-7022ef46ef0e + type: start + task: + id: f45944a7-0362-48e3-8adb-7022ef46ef0e + version: -1 + name: "" + iscommand: false + brand: "" + description: '' nexttasks: '#none#': - "1" - note: false - quietmode: 0 + - "7" separatecontext: false - skipunavailable: false - task: - brand: "" - description: "" - id: f45944a7-0362-48e3-8adb-7022ef46ef0e - iscommand: false - name: "" - version: -1 - taskid: f45944a7-0362-48e3-8adb-7022ef46ef0e - timertriggers: [] - type: start view: |- { "position": { 
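Review bot: Adding `- "7"` to the `'#none#'` list of start task "0" does not give condition "1" the else branch the release note describes; it makes task "0" fan out to both the integration check and the Complete title in parallel, and as far as the next hunk shows task "1" still carries only a `"yes"` branch. When no active Code42 instance is found the download path simply never runs while the playbook still reaches Complete through the parallel edge, which is hard to distinguish from success in the work plan. If the intent is an else on the integration check, the edge belongs on task "1" as `'#default#': - "7"`, mirroring what task "3" already does, and the extra `- "7"` on task "0" should go. The rest of this hunk and the section's other hunks are key reordering of the same task list.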
@@ -77,78 +27,78 @@ tasks: "y": 50 } } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 "1": + id: "1" + taskid: 22138dd2-186a-4001-83b5-006026235ffc + type: condition + task: + id: 22138dd2-186a-4001-83b5-006026235ffc + version: -1 + name: Is Code42 Integration Active? + description: Checks to see if a Code42 Integration is active. + type: condition + iscommand: false + brand: "" + nexttasks: + "yes": + - "3" + separatecontext: false conditions: - - condition: - - - left: - iscontext: true + - label: "yes" + condition: + - - operator: isExists + left: value: complex: + root: modules filters: - - - left: - iscontext: true + - - operator: isEqualString + left: value: simple: brand - operator: isEqualString + iscontext: true right: value: simple: Code42 - - - left: - iscontext: true + - - operator: isEqualString + left: value: simple: state - operator: isEqualString + iscontext: true right: value: simple: active - root: modules - operator: isExists - label: "yes" - id: "1" - ignoreworker: false - nexttasks: - "yes": - - "3" - note: false - quietmode: 0 - separatecontext: false - skipunavailable: false - task: - brand: "" - description: Checks to see if a Code42 Integration is active. - id: 22138dd2-186a-4001-83b5-006026235ffc - iscommand: false - name: Is Code42 Integration Active? 
- type: condition - version: -1 - taskid: 22138dd2-186a-4001-83b5-006026235ffc - timertriggers: [] - type: condition + iscontext: true view: |- { "position": { - "x": 377.5, + "x": 50, "y": 195 } } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 "3": - conditions: - - condition: - - - left: - iscontext: true - value: - simple: inputs.MD5 - operator: isNotEmpty - label: MD5 - - condition: - - - left: - iscontext: true - value: - simple: inputs.SHA256 - operator: isNotEmpty - label: SHA256 id: "3" - ignoreworker: false + taskid: 3d40417b-2a78-4c8d-877c-10fa9b4d9d84 + type: condition + task: + id: 3d40417b-2a78-4c8d-877c-10fa9b4d9d84 + version: -1 + name: What type of hash was supplied? + description: Check whether the values provided in arguments are equal. If either + of the arguments are missing, no is returned. + type: condition + iscommand: false + brand: "" nexttasks: '#default#': - "7" 
@@ -156,145 +106,196 @@ tasks: - "6" SHA256: - "5" - note: false - quietmode: 0 separatecontext: false - skipunavailable: false - task: - brand: "" - description: Check whether the values provided in arguments are equal. If either - of the arguments are missing, no is returned. - id: 3d40417b-2a78-4c8d-877c-10fa9b4d9d84 - iscommand: false - name: What type of hash was supplied? - type: condition - version: -1 - taskid: 3d40417b-2a78-4c8d-877c-10fa9b4d9d84 - timertriggers: [] - type: condition + conditions: + - label: MD5 + condition: + - - operator: isNotEmpty + left: + value: + simple: inputs.MD5 + iscontext: true + - label: SHA256 + condition: + - - operator: isNotEmpty + left: + value: + simple: inputs.SHA256 + iscontext: true view: |- { "position": { - "x": 377.5, + "x": 50, "y": 370 } } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 "5": - continueonerror: true - evidencedata: - customfields: {} - description: - simple: The file that caused the alert. id: "5" - ignoreworker: false + taskid: 3b2c3188-d267-4e9d-8f27-54993aa266ee + type: regular + task: + id: 3b2c3188-d267-4e9d-8f27-54993aa266ee + version: -1 + name: Code42 Download by SHA256 + description: Downloads a file from Code42 servers. + script: Code42|||code42-download-file + type: regular + iscommand: true + brand: Code42 nexttasks: '#none#': - "7" - note: false - quietmode: 0 scriptarguments: filename: simple: ${inputs.Filename} hash: simple: ${inputs.SHA256} + continueonerror: true separatecontext: false - skipunavailable: false - task: - brand: Code42 - description: Downloads a file from Code42 servers. 
- id: 3b2c3188-d267-4e9d-8f27-54993aa266ee - iscommand: true - name: Code42 Download by SHA256 - script: Code42|||code42-download-file - type: regular - version: -1 - taskid: 3b2c3188-d267-4e9d-8f27-54993aa266ee - timertriggers: [] - type: regular view: |- { "position": { - "x": 630, - "y": 600 + "x": 50, + "y": 545 } } - "6": - continueonerror: true + note: false evidencedata: - customfields: {} description: simple: The file that caused the alert. - id: "6" + customfields: {} + timertriggers: [] ignoreworker: false + skipunavailable: false + quietmode: 0 + "6": + id: "6" + taskid: 6b09d948-56b3-4236-87d5-06469c6a67b2 + type: regular + task: + id: 6b09d948-56b3-4236-87d5-06469c6a67b2 + version: -1 + name: Code42 Download by MD5 + description: Downloads a file from Code42 servers. + script: Code42|||code42-download-file + type: regular + iscommand: true + brand: Code42 nexttasks: '#none#': - "7" - note: false - quietmode: 0 scriptarguments: filename: simple: ${inputs.Filename} hash: simple: ${inputs.MD5} + continueonerror: true separatecontext: false - skipunavailable: false - task: - brand: Code42 - description: Downloads a file from Code42 servers. - id: 6b09d948-56b3-4236-87d5-06469c6a67b2 - iscommand: true - name: Code42 Download by MD5 - script: Code42|||code42-download-file - type: regular - version: -1 - taskid: 6b09d948-56b3-4236-87d5-06469c6a67b2 - timertriggers: [] - type: regular view: |- { "position": { - "x": 100, - "y": 590 + "x": 480, + "y": 545 } } - "7": - id: "7" - ignoreworker: false note: false - quietmode: 0 - separatecontext: false + evidencedata: + description: + simple: The file that caused the alert. 
+ customfields: {} + timertriggers: [] + ignoreworker: false skipunavailable: false + quietmode: 0 + "7": + id: "7" + taskid: a31058a7-f7d7-4c3b-8d52-633b15b8b385 + type: title task: - brand: "" - description: "" id: a31058a7-f7d7-4c3b-8d52-633b15b8b385 - iscommand: false + version: -1 name: Complete type: title - version: -1 - taskid: a31058a7-f7d7-4c3b-8d52-633b15b8b385 - timertriggers: [] - type: title + iscommand: false + brand: "" + description: '' + separatecontext: false view: |- { "position": { - "x": 377.5, - "y": 775 + "x": 265, + "y": 720 } } -version: -1 + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 view: |- { "linkLabelsPosition": {}, "paper": { "dimensions": { - "height": 790, - "width": 910, - "x": 100, + "height": 735, + "width": 810, + "x": 50, "y": 50 } } } +inputs: +- key: MD5 + value: + complex: + root: File + accessor: MD5 + transformers: + - operator: uniq + required: false + description: MD5 hash to search for + playbookInputQuery: +- key: SHA256 + value: + complex: + root: File + accessor: SHA256 + transformers: + - operator: uniq + required: false + description: SHA256 hash to search for + playbookInputQuery: +- key: Filename + value: {} + required: false + description: The name of the file to save as. + playbookInputQuery: +outputs: +- contextPath: File.Size + description: The size of the file. +- contextPath: File.SHA1 + description: The SHA1 hash of the file. +- contextPath: File.SHA256 + description: The SHA256 hash of the file. +- contextPath: File.Name + description: The name of the file. +- contextPath: File.SSDeep + description: The SSDeep hash of the file. +- contextPath: File.EntryID + description: The entry ID of the file. +- contextPath: File.Info + description: File information. +- contextPath: File.Type + description: The file type. +- contextPath: File.MD5 + description: The MD5 hash of the file. +- contextPath: File.Extension + description: The file extension. 
fromversion: 5.0.0
 tests:
 - No Test
diff --git a/Packs/Code42/ReleaseNotes/2_0_4.md b/Packs/Code42/ReleaseNotes/2_0_4.md
new file mode 100644
index 00000000000..4f108bf6588
--- /dev/null
+++ b/Packs/Code42/ReleaseNotes/2_0_4.md
@@ -0,0 +1,5 @@
+
+#### Integrations
+##### Code42
+- Upgrade py42 dependency and internal code improvements.
+- Add missing Else case to the Code42 Download File playbooks.
diff --git a/Packs/Code42/pack_metadata.json b/Packs/Code42/pack_metadata.json
index 95e6a37217a..2be3799f53c 100644
--- a/Packs/Code42/pack_metadata.json
+++ b/Packs/Code42/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Code42",
 "description": "Use the Code42 integration to identify potential data exfiltration from insider threats while speeding investigation and response by providing fast access to file events and metadata across physical and cloud environments.",
 "support": "partner",
- "currentVersion": "2.0.3",
+ "currentVersion": "2.0.4",
 "author": "Code42",
 "url": "https://support.code42.com/Administrator/Cloud/Monitoring_and_managing",
 "email": "",