Feature/splunk/edit disposition (demisto#24520)

* Feature/splunk/edit disposition (demisto#24308)

* Added support for changing notable disposition

* Fixed accidental indentation change

* Another indentation fix

* Fixed typo and added argument information to README

* Fixed validation error in release notes

* Update Packs/SplunkPy/ReleaseNotes/3_0_9.md

---------

Co-authored-by: Yaakov Praisler <[email protected]>

* Updated docker image

* updated docker - release notes

* Update SplunkPy.yml

* Update 3_0_9.md

---------

Co-authored-by: Chris Balmer <[email protected]>
Co-authored-by: Yaakov Praisler <[email protected]>

Author: 3 people

Packs/SplunkPy/Integrations/SplunkPy/README.md

@@ -146,7 +146,7 @@ Run the ***splunk-reset-enriching-fetch-mechanism*** command and the mechanism w
 - The drilldown search, does not support Splunk's advanced syntax. For example: Splunk filters (**|s**, **|h**, etc.)  
 
 ### Incident Mirroring
-**Imporatnt Notes*** 
+**Important Notes*** 
  - This feature is available from Cortex XSOAR version 6.0.0.
  - This feature is supported by Splunk Enterprise Security only.
  - In order for the mirroring to work, the *Incident Mirroring Direction* parameter needs to be set before the incident is fetched.
@@ -391,6 +391,7 @@ Update an existing notable event in Splunk ES.
 | comment | The comment to add to the notable events. | Required | 
 | urgency | The urgency of the notable events. | Optional | 
 | status | The status of the notable events. Can be 0 - 5, where 0 - Unassigned, 1 - Assigned, 2 - In Progress, 3 - Pending, 4 - Resolved, 5 - Closed. | Optional | 
+| disposition | The disposition of the notable events. Can be one of the default options: True Positive - Suspicious Activity, Benign Positive - Suspicious But Expected, False Positive - Incorrect Analytic Logic, False Positive - Inaccurate Data, Other, Undetermined. Or you can specify custom dispositions as `disposition:#` where `#` is the number of the custom configured disposition on Splunk. | Optional | 
 
 
 ##### Context Output

Packs/SplunkPy/Integrations/SplunkPy/SplunkPy.py

@@ -31,6 +31,14 @@
 PROXIES = handle_proxy()
 TIME_UNIT_TO_MINUTES = {'minute': 1, 'hour': 60, 'day': 24 * 60, 'week': 7 * 24 * 60, 'month': 30 * 24 * 60,
                         'year': 365 * 24 * 60}
+DEFAULT_DISPOSITIONS = {
+    'True Positive - Suspicious Activity': 'disposition:1',
+    'Benign Positive - Suspicious But Expected': 'disposition:2',
+    'False Positive - Incorrect Analytic Logic': 'disposition:3',
+    'False Positive - Inaccurate Data': 'disposition:4',
+    'Other': 'disposition:5',
+    'Undetermined': 'disposition:6'
+}
 
 # =========== Mirroring Mechanism Globals ===========
 MIRROR_DIRECTION = {
@@ -2269,10 +2277,17 @@ def splunk_edit_notable_event_command(base_url: str, token: str, auth_token: str
     if args.get('status'):
         status = int(args['status'])
 
+    # Map the label to the disposition id
+    disposition = args.get('disposition', '')
+    if disposition:
+        if disposition in DEFAULT_DISPOSITIONS:
+            disposition = DEFAULT_DISPOSITIONS[disposition]
+
     response_info = update_notable_events(baseurl=base_url,
                                           comment=args.get('comment'), status=status,
                                           urgency=args.get('urgency'),
                                           owner=args.get('owner'), eventIDs=event_ids,
+                                          disposition=disposition,
                                           auth_token=auth_token, sessionKey=session_key)
 
     if 'success' not in response_info or not response_info['success']:

Packs/SplunkPy/Integrations/SplunkPy/SplunkPy.yml

@@ -376,6 +376,18 @@ script:
       - informational
     - description: Notable event status. 0 - Unassigned, 1 - Assigned, 2 - In Progress, 3 - Pending, 4 - Resolved, 5 - Closed.
       name: status
+    - name: disposition
+      auto: PREDEFINED
+      predefined:
+      - True Positive - Suspicious Activity
+      - Benign Positive - Suspicious But Expected
+      - False Positive - Incorrect Analytic Logic
+      - False Positive - Inaccurate Data
+      - Other
+      - Undetermined
+      description: Disposition of the notable. If the more options exist on the server,
+        specifying the disposition as `disposition:#` will work in place of choosing
+        one of the default values from the list.
     description: Updates existing notable events in Splunk ES.
     execution: true
     name: splunk-notable-event-edit
@@ -610,7 +622,7 @@ script:
     - contextPath: Splunk.UserMapping.SplunkUser
       description: Splunk user mapping.
       type: String
-  dockerimage: demisto/splunksdk-py3:1.0.0.46376
+  dockerimage: demisto/splunksdk-py3:1.0.0.48191
   isfetch: true
   ismappable: true
   isremotesyncin: true

Packs/SplunkPy/ReleaseNotes/3_0_9.md

@@ -0,0 +1,5 @@
+
+#### Integrations
+##### SplunkPy
+- Added the new argument *disposition* in the command ***splunk-notable-event-edit*** to support changing notable disposition.
+- Updated the Docker image to: *demisto/splunksdk-py3:1.0.0.48191*.

Packs/SplunkPy/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Splunk",
     "description": "Run queries on Splunk servers.",
     "support": "xsoar",
-    "currentVersion": "3.0.8",
+    "currentVersion": "3.0.9",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",