Cloud iam enrichment review fixes (#30753)

idovandijk · Content Bot · web-flow · commit df519528a90b · 2023-11-14T15:01:56.000+02:00
* Added playbook with fixes

* Formatted playbook and updated playbook readme

* RN

* Revert pb

* Revert pb readme

* newline

* Added formatted playbook and updated playbook readme

* Bump pack from version CommonPlaybooks to 2.4.15.

* Bump pack from version CommonPlaybooks to 2.4.16.

* Bump pack from version CommonPlaybooks to 2.4.17.

* Bump pack from version CommonPlaybooks to 2.4.18.

---------

Co-authored-by: Content Bot &lt;bot@demisto.com&gt;
diff --git a/Packs/CommonPlaybooks/Playbooks/playbook-Cloud_IAM_Enrichment_-_Generic.yml b/Packs/CommonPlaybooks/Playbooks/playbook-Cloud_IAM_Enrichment_-_Generic.yml
@@ -67,10 +67,10 @@ tasks:
     isautoswitchedtoquietmode: false
   "6":
     id: "6"
-    taskid: ee5711c0-603e-4de7-8bea-b19f6f61e124
+    taskid: b8926391-3158-4b4e-880e-4c25beb4752f
     type: condition
     task:
-      id: ee5711c0-603e-4de7-8bea-b19f6f61e124
+      id: b8926391-3158-4b4e-880e-4c25beb4752f
       version: -1
       name: Select cloud provider
       description: Checks the cloud provider.
@@ -121,6 +121,11 @@ tasks:
             value:
               simple: active
           ignorecase: true
+      - - operator: isNotEmpty
+          left:
+            value:
+              simple: inputs.username
+            iscontext: true
     - label: Azure
       condition:
       - - operator: isEqualString
@@ -196,6 +201,11 @@ tasks:
             value:
               simple: active
           ignorecase: true
+      - - operator: isNotEmpty
+          left:
+            value:
+              simple: inputs.username
+            iscontext: true
     - label: GCP
       condition:
       - - operator: isEqualString
@@ -249,6 +259,11 @@ tasks:
             value:
               simple: active
           ignorecase: true
+      - - operator: isNotEmpty
+          left:
+            value:
+              simple: inputs.username
+            iscontext: true
     continueonerrortype: ""
     view: |-
       {
@@ -1128,15 +1143,15 @@ outputs:
     Arn
     CreateDate
     Path
-    PasswordLastUsed
+    PasswordLastUsed.
   type: unknown
 - contextPath: AWS.IAM.Users.AccessKeys
   description: |-
     AWS IAM Users Access Keys include:
     AccessKeyId
     Status
     CreateDate
-    UserName
+    UserName.
   type: unknown
 - contextPath: GCPIAM
   description: GCP IAM information.
@@ -1172,7 +1187,30 @@ outputs:
 - contextPath: MSGraphGroup
   description: MSGraph group information.
   type: unknown
+- contextPath: MSGraph.identityProtection.RiskyUserHistory
+  description: Risky user history.
+  type: unknown
+- contextPath: MSGraph.identityProtection.RiskyUserHistory.userPrincipalName
+  description: Risky user principal name.
+- contextPath: MSGraph.identityProtection.RiskyUserHistory.userDisplayName
+  description: Risky user display name.
+- contextPath: MSGraph.identityProtection.RiskyUserHistory.riskDetail
+  description: Reason why the user is considered a risky user. The possible values are limited to none, adminGeneratedTemporaryPassword, userPerformedSecuredPasswordChange, userPerformedSecuredPasswordReset, adminConfirmedSigninSafe, aiConfirmedSigninSafe, userPassedMFADrivenByRiskBasedPolicy, adminDismissedAllRiskForUser, adminConfirmedSigninCompromised, hidden, adminConfirmedUserCompromised, and unknownFutureValue.
+- contextPath: MSGraph.identityProtection.RiskyUserHistory.riskstate
+  description: State of the user's risk. The possible values are none, confirmedSafe, remediated, dismissed, atRisk, confirmedCompromised, and unknownFutureValue.
+- contextPath: MSGraph.identityProtection.RiskyUserHistory.riskLevel
+  description: Risk level of the detected risky user. The possible values are low, medium, high, hidden, none, and unknownFutureValue.
+- contextPath: MSGraph.identityProtection.RiskyUserHistory.riskLastUpdatedDateTime
+  description: The date and time that the risky user was last updated. The DateTimeOffset type represents date and time information using the ISO 8601 format and is always in UTC time.
+- contextPath: MSGraph.identityProtection.RiskyUserHistory.isProcessing
+  description: Indicates whether a user's risky state is being processed by the backend.
+- contextPath: MSGraph.identityProtection.RiskyUserHistory.isDeleted
+  description: Indicates whether the user is deleted.
+- contextPath: MSGraph.identityProtection.RiskyUserHistory.id
+  description: Unique ID of the risky user.
 quiet: true
 tests:
 - No tests (auto formatted)
-fromversion: 6.8.0
+fromversion: 6.8.0
+contentitemexportablefields:
+  contentitemfields: {}
diff --git a/Packs/CommonPlaybooks/Playbooks/playbook-Cloud_IAM_Enrichment_-_Generic_README.md b/Packs/CommonPlaybooks/Playbooks/playbook-Cloud_IAM_Enrichment_-_Generic_README.md
@@ -18,19 +18,19 @@ This playbook does not use any scripts.
 
 ### Commands
 
-* aws-iam-get-user
-* gcp-iam-service-accounts-get
+* msgraph-identity-protection-risky-user-history-list
+* aws-iam-list-access-keys-for-user
 * gsuite-user-get
-* gcp-iam-service-account-keys-get
-* gcp-iam-project-role-list
+* aws-iam-get-user
 * gsuite-role-assignment-list
-* aws-iam-list-user-policies
 * aws-iam-list-groups-for-user
-* msgraph-user-get
-* msgraph-identity-protection-risky-user-history-list
-* msgraph-groups-list-groups
-* aws-iam-list-access-keys-for-user
 * aws-iam-list-attached-user-policies
+* gcp-iam-service-account-keys-get
+* gcp-iam-service-accounts-get
+* aws-iam-list-user-policies
+* msgraph-groups-list-groups
+* gcp-iam-project-role-list
+* msgraph-user-get
 
 ## Playbook Inputs
 
@@ -49,8 +49,8 @@ This playbook does not use any scripts.
 
 | **Path** | **Description** | **Type** |
 | --- | --- | --- |
-| AWS.IAM.Users | AWS AM Users include:<br/>UserId<br/>Arn<br/>CreateDate<br/>Path<br/>PasswordLastUsed | unknown |
-| AWS.IAM.Users.AccessKeys | AWS IAM Users Access Keys include:<br/>AccessKeyId<br/>Status<br/>CreateDate<br/>UserName | unknown |
+| AWS.IAM.Users | AWS AM Users include:<br/>UserId<br/>Arn<br/>CreateDate<br/>Path<br/>PasswordLastUsed. | unknown |
+| AWS.IAM.Users.AccessKeys | AWS IAM Users Access Keys include:<br/>AccessKeyId<br/>Status<br/>CreateDate<br/>UserName. | unknown |
 | GCPIAM | GCP IAM information. | unknown |
 | GSuite | GSuite user information. | unknown |
 | GSuite.PageToken | Token to specify the next page in the list. | unknown |
@@ -63,6 +63,16 @@ This playbook does not use any scripts.
 | AWS.IAM.UserPolicies | AWS IAM - user inline policies. | unknown |
 | AWS.IAM.AttachedUserPolicies | AWS IAM - User attached policies. | unknown |
 | MSGraphGroup | MSGraph group information. | unknown |
+| MSGraph.identityProtection.RiskyUserHistory | Risky user history. | unknown |
+| MSGraph.identityProtection.RiskyUserHistory.userPrincipalName | Risky user principal name. | unknown |
+| MSGraph.identityProtection.RiskyUserHistory.userDisplayName | Risky user display name. | unknown |
+| MSGraph.identityProtection.RiskyUserHistory.riskDetail | Reason why the user is considered a risky user. The possible values are limited to none, adminGeneratedTemporaryPassword, userPerformedSecuredPasswordChange, userPerformedSecuredPasswordReset, adminConfirmedSigninSafe, aiConfirmedSigninSafe, userPassedMFADrivenByRiskBasedPolicy, adminDismissedAllRiskForUser, adminConfirmedSigninCompromised, hidden, adminConfirmedUserCompromised, and unknownFutureValue. | unknown |
+| MSGraph.identityProtection.RiskyUserHistory.riskstate | State of the user's risk. The possible values are none, confirmedSafe, remediated, dismissed, atRisk, confirmedCompromised, and unknownFutureValue. | unknown |
+| MSGraph.identityProtection.RiskyUserHistory.riskLevel | Risk level of the detected risky user. The possible values are low, medium, high, hidden, none, and unknownFutureValue. | unknown |
+| MSGraph.identityProtection.RiskyUserHistory.riskLastUpdatedDateTime | The date and time that the risky user was last updated. The DateTimeOffset type represents date and time information using the ISO 8601 format and is always in UTC time. | unknown |
+| MSGraph.identityProtection.RiskyUserHistory.isProcessing | Indicates whether a user's risky state is being processed by the backend. | unknown |
+| MSGraph.identityProtection.RiskyUserHistory.isDeleted | Indicates whether the user is deleted. | unknown |
+| MSGraph.identityProtection.RiskyUserHistory.id | Unique ID of the risky user. | unknown |
 
 ## Playbook Image
 
diff --git a/Packs/CommonPlaybooks/ReleaseNotes/2_4_18.md b/Packs/CommonPlaybooks/ReleaseNotes/2_4_18.md
@@ -0,0 +1,7 @@
+
+#### Playbooks
+
+##### Cloud IAM Enrichment - Generic
+
+- Fixed an issue where the playbook would attempt to enrich users even when the username input was empty.
+- Added additional sub-outputs related to the risky user history to the declared outputs of the playbook.
diff --git a/Packs/CommonPlaybooks/pack_metadata.json b/Packs/CommonPlaybooks/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Common Playbooks",
     "description": "Frequently used playbooks pack.",
     "support": "xsoar",
-    "currentVersion": "2.4.17",
+    "currentVersion": "2.4.18",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",
