[ASM] - UVEM-790 - RankServiceOwners Update (#38091) (#38164)

* Update RankSO Script and Release Notes

* Update alertsource to ownerrelatedfield

* Refactor output logic to write_output_to_context_key function

* Refactor variables and update ReadMe

* add error for wrong tenant

* predefined/stringify

* Apply suggestions from code review



* changed wording

---------

Co-authored-by: John <[email protected]>
Co-authored-by: johnnywilkes <[email protected]>
Co-authored-by: jwilkes <[email protected]>
Co-authored-by: ShirleyDenkberg <[email protected]>

Author: 4 people

Packs/CortexAttackSurfaceManagement/ReleaseNotes/1_7_65.md

@@ -0,0 +1,5 @@
+#### Scripts
+
+##### RankServiceOwners
+
+Updated the script to accept an argument that determines the outputs depending on the source that generated an alert or issue.

Packs/CortexAttackSurfaceManagement/Scripts/RankServiceOwners/README.md

@@ -17,6 +17,9 @@ Recommend most likely service owners from those surfaced by Cortex ASM Enrichmen
 | --- | --- |
 | owners | List of potential service owners |
 | asmsystemids | System IDs or names associated with the compute instance |
+| owners | List of potential service owners. |
+| ownerrelatedfield | The field of the alert or issue that owners should be stored. |
+| tenantcommand | False will use !setAlert, True will use !setIssue. |
 
 ## Outputs
 

Packs/CortexAttackSurfaceManagement/Scripts/RankServiceOwners/RankServiceOwners.py

@@ -1,26 +1,25 @@
+from collections.abc import Iterable, Callable
+from typing import Any
+import google.cloud.storage
+import numpy as np
+import posixpath
+import dill as pickle
+import os
+import itertools
+import string
+import re
+import math
+from itertools import groupby
+import traceback
 import demistomock as demisto  # noqa: F401
 from CommonServerPython import *  # noqa: F401
+demisto.debug('pack name = Cortex Attack Surface Management, pack version = 1.7.65')
+
+
 """Script for identifying and recommending the most likely owners of a discovered service
 from those surfaced by Cortex ASM Enrichment.
 """
 
-import traceback
-from itertools import groupby
-import math
-
-import re
-import string
-import itertools
-import os
-import dill as pickle
-import posixpath
-import numpy as np
-import google.cloud.storage
-
-
-from typing import Any
-from collections.abc import Iterable, Callable
-
 
 STRING_DELIMITER = ' | '  # delimiter used for joining source fields and any additional fields of type string
 
@@ -614,24 +613,34 @@ def featurize(self, service_identifiers: Iterable[str], owners: list[dict[str, A
         return X
 
 
+def write_output_to_context_key(final_owners: list[dict[str, str]], owner_related_field: str, platform_tenant: str):
+    stringify_platform_tenant = str(platform_tenant)
+    set_alert_issue_map = {"True": "setIssue", "False": "setAlert"}
+    if final_owners and owner_related_field:
+        res = demisto.executeCommand(set_alert_issue_map[stringify_platform_tenant], {owner_related_field: final_owners})
+        if isError(res):
+            raise ValueError('Unable to update field')
+        return_results(CommandResults(readable_output=f"Owners ranked and written to {owner_related_field}"))
+    else:
+        return_results(CommandResults(readable_output='No owners found'))
+
+
 def main():
     try:
         # parse inputs
         unranked = demisto.args().get("owners", [])
         if isinstance(unranked, dict):
             unranked = [unranked]
         asm_system_ids = demisto.args().get("asmsystemids", [])
-
+        owner_related_field = demisto.args().get("ownerrelatedfield", "asmserviceowner")
+        platform_tenant_usage = demisto.args().get("tenantcommand", "False")
         # deduplicate/normalize, score, and rank owners
         normalized = aggregate(canonicalize(unranked))
         final_owners = justify(rank(score(owners=normalized, asm_system_ids=asm_system_ids)))
 
-        # write output to context
-        if final_owners:
-            demisto.executeCommand("setAlert", {"asmserviceowner": final_owners})
-            return_results(CommandResults(readable_output='Service owners ranked and written to asmserviceowner'))
-        else:
-            return_results(CommandResults(readable_output='No service owners found'))
+        write_output_to_context_key(final_owners=final_owners,
+                                    owner_related_field=owner_related_field,
+                                    platform_tenant=platform_tenant_usage)
 
     except Exception as ex:
         demisto.error(traceback.format_exc())  # print the traceback

Packs/CortexAttackSurfaceManagement/Scripts/RankServiceOwners/RankServiceOwners.yml

@@ -5,6 +5,16 @@ args:
 - description: System IDs or names associated with the compute instance.
   isArray: true
   name: asmsystemids
+- defaultValue: asmserviceowner
+  description: The field of the alert or issue in which the owners should be stored.
+  name: ownerrelatedfield
+- defaultValue: "False"
+  description: False will use !setAlert, True will use !setIssue.
+  name: tenantcommand
+  auto: PREDEFINED
+  predefined:
+  - "True"
+  - "False"
 comment: Recommend most likely service owners from those surfaced by Cortex ASM Enrichment.
 commonfields:
   id: RankServiceOwners
@@ -22,3 +32,4 @@ fromversion: 6.5.0
 tests:
 - No tests (auto formatted)
 runonce: false
+engineinfo: {}

Packs/CortexAttackSurfaceManagement/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Cortex Attack Surface Management",
     "description": "Content for working with Attack Surface Management (ASM).",
     "support": "xsoar",
-    "currentVersion": "1.7.64",
+    "currentVersion": "1.7.65",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",