Field mappings + Alert Details Widget

Packs/Code42/IncidentFields/incidentfield-Code42_Alert_Description.json

@@ -0,0 +1,41 @@
+{
+  "associatedToAll": false,
+  "associatedTypes": [
+    "Code42 Security Alert"
+  ],
+  "breachScript": "",
+  "caseInsensitive": true,
+  "cliName": "code42alertdescription",
+  "closeForm": false,
+  "columns": null,
+  "content": false,
+  "defaultRows": null,
+  "description": "",
+  "editForm": true,
+  "fieldCalcScript": "",
+  "group": 0,
+  "hidden": false,
+  "id": "incident_code42alertdescription",
+  "isReadOnly": false,
+  "locked": false,
+  "mergeStrategy": "",
+  "name": "Code42 Alert Description",
+  "neverSetAsRequired": false,
+  "ownerOnly": false,
+  "placeholder": "",
+  "required": false,
+  "script": "",
+  "selectValues": null,
+  "sla": 0,
+  "sortValues": null,
+  "system": false,
+  "systemAssociatedTypes": null,
+  "threshold": 72,
+  "type": "shortText",
+  "unmapped": false,
+  "unsearchable": false,
+  "useAsKpi": false,
+  "validatedError": "",
+  "validationRegex": "",
+  "version": -1
+}

Packs/Code42/IncidentFields/incidentfield-Code42_Alert_ID.json

@@ -0,0 +1,41 @@
+{
+  "associatedToAll": false,
+  "associatedTypes": [
+    "Code42 Security Alert"
+  ],
+  "breachScript": "",
+  "caseInsensitive": true,
+  "cliName": "code42alertid",
+  "closeForm": false,
+  "columns": null,
+  "content": false,
+  "defaultRows": null,
+  "description": "",
+  "editForm": true,
+  "fieldCalcScript": "",
+  "group": 0,
+  "hidden": false,
+  "id": "incident_code42alertid",
+  "isReadOnly": false,
+  "locked": false,
+  "mergeStrategy": "",
+  "name": "Code42 Alert ID",
+  "neverSetAsRequired": false,
+  "ownerOnly": false,
+  "placeholder": "",
+  "required": false,
+  "script": "",
+  "selectValues": null,
+  "sla": 0,
+  "sortValues": null,
+  "system": false,
+  "systemAssociatedTypes": null,
+  "threshold": 72,
+  "type": "shortText",
+  "unmapped": false,
+  "unsearchable": false,
+  "useAsKpi": false,
+  "validatedError": "",
+  "validationRegex": "",
+  "version": -1
+}

Packs/Code42/IncidentFields/incidentfield-Code42_Alert_Name.json

@@ -0,0 +1,41 @@
+{
+  "associatedToAll": false,
+  "associatedTypes": [
+    "Code42 Security Alert"
+  ],
+  "breachScript": "",
+  "caseInsensitive": true,
+  "cliName": "code42alertname",
+  "closeForm": false,
+  "columns": null,
+  "content": false,
+  "defaultRows": null,
+  "description": "",
+  "editForm": true,
+  "fieldCalcScript": "",
+  "group": 0,
+  "hidden": false,
+  "id": "incident_code42alertname",
+  "isReadOnly": false,
+  "locked": false,
+  "mergeStrategy": "",
+  "name": "Code42 Alert Name",
+  "neverSetAsRequired": false,
+  "ownerOnly": false,
+  "placeholder": "",
+  "required": false,
+  "script": "",
+  "selectValues": null,
+  "sla": 0,
+  "sortValues": null,
+  "system": false,
+  "systemAssociatedTypes": null,
+  "threshold": 72,
+  "type": "shortText",
+  "unmapped": false,
+  "unsearchable": false,
+  "useAsKpi": false,
+  "validatedError": "",
+  "validationRegex": "",
+  "version": -1
+}

Packs/Code42/IncidentFields/incidentfield-Code42_Alert_State.json

@@ -0,0 +1,41 @@
+{
+	"associatedToAll": false,
+	"associatedTypes": [
+		"Code42 Security Alert"
+	],
+	"breachScript": "",
+	"caseInsensitive": true,
+	"cliName": "code42alertstate",
+	"closeForm": false,
+	"columns": null,
+	"content": false,
+	"defaultRows": null,
+	"description": "",
+	"editForm": true,
+	"fieldCalcScript": "",
+	"group": 0,
+	"hidden": false,
+	"id": "incident_code42alertstate",
+	"isReadOnly": false,
+	"locked": false,
+	"mergeStrategy": "",
+	"name": "Code42 Alert State",
+	"neverSetAsRequired": false,
+	"ownerOnly": false,
+	"placeholder": "",
+	"required": false,
+	"script": "",
+	"selectValues": [],
+	"sla": 0,
+	"sortValues": null,
+	"system": false,
+	"systemAssociatedTypes": null,
+	"threshold": 72,
+	"type": "shortText",
+	"unmapped": false,
+	"unsearchable": false,
+	"useAsKpi": false,
+	"validatedError": "",
+	"validationRegex": "",
+	"version": -1
+}

Packs/Code42/IncidentFields/incidentfield-Code42_Alert_Timestamp.json

@@ -0,0 +1,41 @@
+{
+  "associatedToAll": false,
+  "associatedTypes": [
+    "Code42 Security Alert"
+  ],
+  "breachScript": "",
+  "caseInsensitive": true,
+  "cliName": "code42alerttimestamp",
+  "closeForm": false,
+  "columns": null,
+  "content": false,
+  "defaultRows": null,
+  "description": "",
+  "editForm": true,
+  "fieldCalcScript": "",
+  "group": 0,
+  "hidden": false,
+  "id": "incident_code42alerttimestamp",
+  "isReadOnly": false,
+  "locked": false,
+  "mergeStrategy": "",
+  "name": "Code42 Alert Timestamp",
+  "neverSetAsRequired": false,
+  "ownerOnly": false,
+  "placeholder": "",
+  "required": false,
+  "script": "",
+  "selectValues": null,
+  "sla": 0,
+  "sortValues": null,
+  "system": false,
+  "systemAssociatedTypes": null,
+  "threshold": 72,
+  "type": "shortText",
+  "unmapped": false,
+  "unsearchable": false,
+  "useAsKpi": false,
+  "validatedError": "",
+  "validationRegex": "",
+  "version": -1
+}

Packs/Code42/IncidentFields/incidentfield-Code42_Severity.json

@@ -0,0 +1,41 @@
+{
+  "associatedToAll": false,
+  "associatedTypes": [
+    "Code42 Security Alert"
+  ],
+  "breachScript": "",
+  "caseInsensitive": true,
+  "cliName": "code42severity",
+  "closeForm": false,
+  "columns": null,
+  "content": false,
+  "defaultRows": null,
+  "description": "",
+  "editForm": true,
+  "fieldCalcScript": "",
+  "group": 0,
+  "hidden": false,
+  "id": "incident_code42severity",
+  "isReadOnly": false,
+  "locked": false,
+  "mergeStrategy": "",
+  "name": "Code42 Severity",
+  "neverSetAsRequired": false,
+  "ownerOnly": false,
+  "placeholder": "",
+  "required": false,
+  "script": "",
+  "selectValues": [],
+  "sla": 0,
+  "sortValues": null,
+  "system": false,
+  "systemAssociatedTypes": null,
+  "threshold": 72,
+  "type": "shortText",
+  "unmapped": false,
+  "unsearchable": false,
+  "useAsKpi": false,
+  "validatedError": "",
+  "validationRegex": "",
+  "version": -1
+}

Packs/Code42/IncidentFields/incidentfield-Code42_Username.json

@@ -0,0 +1,39 @@
+{
+ "associatedToAll": true,
+ "associatedTypes": null,
+ "breachScript": "",
+ "caseInsensitive": true,
+ "cliName": "code42username",
+ "closeForm": false,
+ "columns": null,
+ "content": false,
+ "defaultRows": null,
+ "description": "",
+ "editForm": true,
+ "fieldCalcScript": "",
+ "group": 0,
+ "hidden": false,
+ "id": "incident_code42username",
+ "isReadOnly": false,
+ "locked": false,
+ "mergeStrategy": "",
+ "name": "Code42 Username",
+ "neverSetAsRequired": false,
+ "ownerOnly": false,
+ "placeholder": "",
+ "required": false,
+ "script": "",
+ "selectValues": null,
+ "sla": 0,
+ "sortValues": null,
+ "system": false,
+ "systemAssociatedTypes": null,
+ "threshold": 72,
+ "type": "shortText",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "validatedError": "",
+ "validationRegex": "",
+ "version": -1
+}

Packs/Code42/IncidentTypes/incidenttype-Code42_Security_Alert.json

@@ -21,5 +21,4 @@
 	"weeks": 0,
 	"weeksR": 0,
 	"fromVersion": "5.0.0"
-
 }

Packs/Code42/Integrations/Code42/Code42.py

@@ -684,11 +684,11 @@ def _stringify_lists_if_needed(event):
         event["sharedWith"] = str(shared_list)
     if private_ip_addresses:
         event["privateIpAddresses"] = str(private_ip_addresses)
+    return event
 
 
 def _process_event_from_observation(event):
-    _stringify_lists_if_needed(event)
-    return event
+    return _stringify_lists_if_needed(event)
 
 
 class Code42SecurityIncidentFetcher(object):
@@ -754,14 +754,15 @@ def _fetch_alerts(self, start_query_time):
     def _create_incident_from_alert(self, alert):
         details = self._client.get_alert_details(alert["id"])
         incident = _create_incident_from_alert_details(details)
-        self._relate_files_to_alert(details)
+        details = self._relate_files_to_alert(details)
         incident["rawJSON"] = json.dumps(details)
         return incident
 
     def _relate_files_to_alert(self, alert_details):
         for obs in alert_details["observations"]:
             file_events = self._get_file_events_from_alert_details(obs, alert_details)
             alert_details["fileevents"] = [_process_event_from_observation(e) for e in file_events]
+        return alert_details
 
     def _get_file_events_from_alert_details(self, observation, alert_details):
         security_data_query = map_observation_to_security_query(observation, alert_details["actor"])
@@ -842,7 +843,7 @@ def main():
     # Remove trailing slash to prevent wrong URL path to service
     verify_certificate = not demisto.params().get("insecure", False)
     proxy = demisto.params().get("proxy", False)
-    LOG(f"Command being called is {demisto.command()}")
+    LOG("Command being called is {0}.".format(demisto.command()))
     try:
         client = Code42Client(
             base_url=base_url,
@@ -890,7 +891,7 @@ def main():
             return_outputs(*commands[command](client, demisto.args()))
     # Log exceptions
     except Exception as e:
-        return_error(f"Failed to execute {demisto.command()} command. Error: {str(e)}")
+        return_error("Failed to execute {0} command. Error: {1}".format(demisto.command(), str(e)))
 
 
 if __name__ in ("__main__", "__builtin__", "builtins"):

Packs/Code42/Integrations/Code42/integration-Code42.yml

@@ -764,11 +764,11 @@ script:
             event["sharedWith"] = str(shared_list)
         if private_ip_addresses:
             event["privateIpAddresses"] = str(private_ip_addresses)
+        return event
 
 
     def _process_event_from_observation(event):
-        _stringify_lists_if_needed(event)
-        return event
+        return _stringify_lists_if_needed(event)
 
 
     class Code42SecurityIncidentFetcher(object):
@@ -834,14 +834,15 @@ script:
         def _create_incident_from_alert(self, alert):
             details = self._client.get_alert_details(alert["id"])
             incident = _create_incident_from_alert_details(details)
-            self._relate_files_to_alert(details)
+            details = self._relate_files_to_alert(details)
             incident["rawJSON"] = json.dumps(details)
             return incident
 
         def _relate_files_to_alert(self, alert_details):
             for obs in alert_details["observations"]:
                 file_events = self._get_file_events_from_alert_details(obs, alert_details)
                 alert_details["fileevents"] = [_process_event_from_observation(e) for e in file_events]
+            return alert_details
 
         def _get_file_events_from_alert_details(self, observation, alert_details):
             security_data_query = map_observation_to_security_query(observation, alert_details["actor"])