Xsiam layout rule (#23481)

* poetry

* revert

* debug logs added

* revert

* added layout rule

* Update Tests/scripts/collect_tests/constants.py

Co-authored-by: dorschw <[email protected]>

* CR fixes

* bug fix

* removed from SIEM RULES OBJECT

* added code pan run to secrets ignore

* release notes

---------

Co-authored-by: dorschw <[email protected]>

Author: eyalpalo

Packs/AccessInvestigation/LayoutRules/Access.json

@@ -0,0 +1,18 @@
+{
+  "rule_id": "Access_layout_rule",
+  "layout_id": "Access",
+  "description": "",
+  "rule_name": "Access Layout Rule",
+  "alerts_filter": {
+    "filter": {
+      "AND": [
+        {
+            "SEARCH_FIELD": "alert_type",
+            "SEARCH_TYPE": "EQ",
+            "SEARCH_VALUE": "Access"
+        }
+      ]
+    }
+  },
+  "fromVersion": "6.10.0"
+}

Packs/AccessInvestigation/ReleaseNotes/1_2_3.md

@@ -0,0 +1,4 @@
+
+#### Layout Rules
+##### New: Access Layout Rule
+- Added support for layouts and layout rules in XSIAM.

Packs/AccessInvestigation/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Access Investigation",
     "description": "This Content Pack automates response to unauthorised access incidents and contains customer access incident views and layouts to aid investigation.",
     "support": "xsoar",
-    "currentVersion": "1.2.2",
+    "currentVersion": "1.2.3",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",
@@ -37,4 +37,4 @@
         "xsoar",
         "marketplacev2"
     ]
-}
+}

Packs/CommonTypes/LayoutRules/Indicator_Feed.json

@@ -0,0 +1,18 @@
+{
+  "rule_id": "Indicator_Feed_layout_rule",
+  "layout_id": "Indicator Feed",
+  "description": "",
+  "rule_name": "Indicator Feed Layout Rule",
+  "alerts_filter": {
+    "filter": {
+      "AND": [
+        {
+            "SEARCH_FIELD": "alert_type",
+            "SEARCH_TYPE": "EQ",
+            "SEARCH_VALUE": "Indicator Feed"
+        }
+      ]
+    }
+  },
+  "fromVersion": "6.10.0"
+}

Packs/CommonTypes/LayoutRules/Vulnerability.json

@@ -0,0 +1,18 @@
+{
+  "rule_id": "Vulnerability_layout_rule",
+  "layout_id": "Vulnerability",
+  "description": "",
+  "rule_name": "Vulnerability Layout Rule",
+  "alerts_filter": {
+    "filter": {
+      "AND": [
+        {
+            "SEARCH_FIELD": "alert_type",
+            "SEARCH_TYPE": "EQ",
+            "SEARCH_VALUE": "Vulnerability"
+        }
+      ]
+    }
+  },
+  "fromVersion": "6.10.0"
+}

Packs/CommonTypes/ReleaseNotes/3_3_49.md

@@ -0,0 +1,6 @@
+
+#### Layout Rules
+##### New: Vulnerability Layout Rule
+- Added support for layouts and layout rules in XSIAM.
+##### New: Indicator Feed Layout Rule
+- Added support for layouts and layout rules in XSIAM.

Packs/CommonTypes/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Common Types",
     "description": "This Content Pack will get you up and running in no-time and provide you with the most commonly used incident & indicator fields and types.",
     "support": "xsoar",
-    "currentVersion": "3.3.48",
+    "currentVersion": "3.3.49",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

Packs/CrisisManagement/LayoutRules/Employee_Health_Check.json

@@ -0,0 +1,18 @@
+{
+  "rule_id": "Employee_Health_Check_layout_rule",
+  "layout_id": "Employee Health Check",
+  "description": "",
+  "rule_name": "Employee Health Check Layout Rule",
+  "alerts_filter": {
+    "filter": {
+      "AND": [
+        {
+            "SEARCH_FIELD": "alert_type",
+            "SEARCH_TYPE": "EQ",
+            "SEARCH_VALUE": "Employee Health Check"
+        }
+      ]
+    }
+  },
+  "fromVersion": "6.10.0"
+}

Packs/CrisisManagement/ReleaseNotes/1_2_3.md

@@ -0,0 +1,4 @@
+
+#### Layout Rules
+##### New: Employee Health Check Layout Rule
+- Added support for layouts and layout rules in XSIAM.

Packs/CrisisManagement/pack_metadata.json

@@ -2,11 +2,13 @@
     "name": "Crisis Management",
     "description": "This Content Pack helps you automate data collection and crisis event communications such as monitoring remote employee health and safety well being.",
     "support": "xsoar",
-    "currentVersion": "1.2.2",
+    "currentVersion": "1.2.3",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",
-    "videos": ["https://www.youtube.com/watch?v=J6DcD5y5B_U"],
+    "videos": [
+        "https://www.youtube.com/watch?v=J6DcD5y5B_U"
+    ],
     "categories": [
         "Case Management"
     ],

Packs/IronDefense/LayoutRules/IronDefense_Alert_Notification.json

@@ -0,0 +1,18 @@
+{
+  "rule_id": "IronDefense_Alert_Notification_layout_rule",
+  "layout_id": "IronDefense Alert Notification",
+  "description": "",
+  "rule_name": "IronDefense Alert Notification Layout Rule",
+  "alerts_filter": {
+    "filter": {
+      "AND": [
+        {
+            "SEARCH_FIELD": "alert_type",
+            "SEARCH_TYPE": "EQ",
+            "SEARCH_VALUE": "IronDefense Alert Notification"
+        }
+      ]
+    }
+  },
+  "fromVersion": "6.10.0"
+}

Packs/IronDefense/LayoutRules/IronDefense_Event_Notification.json

@@ -0,0 +1,18 @@
+{
+  "rule_id": "IronDefense_Event_Notification_layout_rule",
+  "layout_id": "IronDefense Event Notification",
+  "description": "",
+  "rule_name": "IronDefense Event Notification Layout Rule",
+  "alerts_filter": {
+    "filter": {
+      "AND": [
+        {
+            "SEARCH_FIELD": "alert_type",
+            "SEARCH_TYPE": "EQ",
+            "SEARCH_VALUE": "IronDefense Event Notification"
+        }
+      ]
+    }
+  },
+  "fromVersion": "6.10.0"
+}

Packs/IronDefense/LayoutRules/IronDefense_IronDome_Notification.json

@@ -0,0 +1,18 @@
+{
+  "rule_id": "IronDome_Notification_layout_rule",
+  "layout_id": "IronDefense IronDome Notification",
+  "description": "",
+  "rule_name": "IronDome Notification Layout Rule",
+  "alerts_filter": {
+    "filter": {
+      "AND": [
+        {
+            "SEARCH_FIELD": "alert_type",
+            "SEARCH_TYPE": "EQ",
+            "SEARCH_VALUE": "IronDefense IronDome Notification"
+        }
+      ]
+    }
+  },
+  "fromVersion": "6.10.0"
+}

Packs/IronDefense/ReleaseNotes/1_1_15.md

@@ -0,0 +1,8 @@
+
+#### Layout Rules
+##### New: IronDome Notification Layout Rule
+- Added support for layouts and layout rules in XSIAM.
+##### New: IronDefense Alert Notification Layout Rule
+- Added support for layouts and layout rules in XSIAM.
+##### New: IronDefense Event Notification Layout Rule
+- Added support for layouts and layout rules in XSIAM.

Packs/IronDefense/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "IronNet",
     "description": "The IronDefense Integration allows users to interact with IronDefense alerts within Demisto. The Integration provides the ability to rate alerts, update alert statuses, add comments to alerts, and to report observed bad activity.",
     "support": "partner",
-    "currentVersion": "1.1.14",
+    "currentVersion": "1.1.15",
     "author": "Iron Defense",
     "url": "https://ironnet.atlassian.net/servicedesk/customer/portal/4",
     "email": "[email protected]",

Tests/Marketplace/marketplace_constants.py

@@ -222,6 +222,7 @@ class PackFolders(enum.Enum):
     TRIGGERS = 'Triggers'
     WIZARDS = 'Wizards'
     XDRC_TEMPLATES = 'XDRCTemplates'
+    LAYOUT_RULES = 'LayoutRules'
 
     @classmethod
     def pack_displayed_items(cls):
@@ -234,7 +235,7 @@ def pack_displayed_items(cls):
             PackFolders.GENERIC_TYPES.value, PackFolders.LISTS.value, PackFolders.JOBS.value,
             PackFolders.PARSING_RULES.value, PackFolders.MODELING_RULES.value, PackFolders.CORRELATION_RULES.value,
             PackFolders.XSIAM_DASHBOARDS.value, PackFolders.XSIAM_REPORTS.value, PackFolders.TRIGGERS.value,
-            PackFolders.WIZARDS.value, PackFolders.XDRC_TEMPLATES.value,
+            PackFolders.WIZARDS.value, PackFolders.XDRC_TEMPLATES.value, PackFolders.LAYOUT_RULES.value
         }
 
     @classmethod
@@ -253,7 +254,7 @@ def json_supported_folders(cls):
             PackFolders.GENERIC_MODULES.value, PackFolders.GENERIC_TYPES.value, PackFolders.LISTS.value,
             PackFolders.PREPROCESS_RULES.value, PackFolders.JOBS.value, PackFolders.XSIAM_DASHBOARDS.value,
             PackFolders.XSIAM_REPORTS.value, PackFolders.TRIGGERS.value, PackFolders.WIZARDS.value,
-            PackFolders.XDRC_TEMPLATES.value,
+            PackFolders.XDRC_TEMPLATES.value, PackFolders.LAYOUT_RULES.value
         }
 
 
@@ -306,6 +307,7 @@ class PackIgnored(object):
     PackFolders.TRIGGERS.value: "Triggers",
     PackFolders.WIZARDS.value: "Wizards",
     PackFolders.XDRC_TEMPLATES.value: "XDRCTemplates",
+    PackFolders.LAYOUT_RULES.value: "LayoutRules"
 }
 
 
@@ -390,6 +392,7 @@ class Changelog(object):
     'Triggers Recommendations': 'Triggers',
     'Wizards': 'Wizards',
     'XDRC Templates': 'XDRCTemplates',
+    'Layout Rules': 'LayoutRules'
 }
 
 
@@ -422,6 +425,7 @@ class Changelog(object):
     PackFolders.TRIGGERS.value: "trigger",
     PackFolders.WIZARDS.value: "wizard",
     PackFolders.XDRC_TEMPLATES.value: "xdrctemplate",
+    PackFolders.LAYOUT_RULES.value: "layoutrule"
 }
 
 ITEMS_NAMES_TO_DISPLAY_MAPPING = {
@@ -452,4 +456,5 @@ class Changelog(object):
     CONTENT_ITEM_NAME_MAPPING[PackFolders.TRIGGERS.value]: "Trigger",
     CONTENT_ITEM_NAME_MAPPING[PackFolders.WIZARDS.value]: "Wizard",
     CONTENT_ITEM_NAME_MAPPING[PackFolders.XDRC_TEMPLATES.value]: "XDRC Template",
+    CONTENT_ITEM_NAME_MAPPING[PackFolders.LAYOUT_RULES.value]: "Layout Rule"
 }

Tests/Marketplace/marketplace_services.py

@@ -2344,6 +2344,19 @@ def collect_content_items(self):
                             'marketplaces': content_item.get('marketplaces', ["marketplacev2"]),
                         })
 
+                    elif current_directory == PackFolders.LAYOUT_RULES.value and pack_file_name.startswith(
+                            "external-"):
+                        self.add_pack_type_tags(content_item, 'LayoutRule')
+                        layout_rule_metadata = {
+                            'id': content_item.get('id', ''),
+                            'name': content_item.get('name', ''),
+                            'marketplaces': content_item.get('marketplaces', ["marketplacev2"]),
+                        }
+                        layout_rule_description = content_item.get('description')
+                        if layout_rule_description is not None:
+                            layout_rule_metadata['description'] = layout_rule_description
+                        folder_collected_items.append(layout_rule_metadata)
+
                     else:
                         logging.info(f'Failed to collect: {current_directory}')
 

Tests/scripts/collect_tests/utils.py

@@ -196,6 +196,8 @@ def id_(self) -> Optional[str]:  # Optional as some content items don't have an
             return self['trigger_id']
         if self.path.parent.parent.name == 'XDRCTemplates' and self.path.suffix == '.json':
             return self['content_global_id']
+        if self.path.parent.name == 'LayoutRules' and self.path.suffix == '.json':
+            return self['rule_id']
         return self['id']
 
     @property