From b6a6c58d11379b345e1ea09cc5b5a9a202f37736 Mon Sep 17 00:00:00 2001
From: Casey Boyd
Date: Mon, 14 Oct 2024 04:17:31 -0600
Subject: [PATCH 1/2] Phantom: Feature - Add option to toggle "determine contains" on add artifact action (#24)

* add ability to disable the ability for SOAR to determine contains when adding an artifact

* added release_notes and output datapaths

* pre-commit changes

* changes done for json file

---------

Co-authored-by: Casey Boyd
Co-authored-by: gdelavadiya-crest
---
 .pre-commit-config.yaml | 2 +-
 LICENSE | 2 +-
 README.md | 1 +
 phantom.json | 23 ++++++++++++++---------
 phantom_connector.py | 29 ++++++++++++++++-------------
 pyproject.toml | 1 +
 release_notes/unreleased.md | 1 +
 tox.ini | 5 +----
 8 files changed, 36 insertions(+), 28 deletions(-)

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 9f16778..c460965 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
 - repo: https://github.com/phantomcyber/dev-cicd-tools
- rev: v1.19
+ rev: v1.23
 hooks:
 - id: org-hook
 - id: package-app-dependencies
diff --git a/LICENSE b/LICENSE
index b7b3c69..12536c5 100644
--- a/LICENSE
+++ b/LICENSE
@@ -198,4 +198,4 @@
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
- limitations under the License.
\ No newline at end of file
+ limitations under the License.
diff --git a/README.md b/README.md
index 0444673..cb6bf57 100644
--- a/README.md
+++ b/README.md
@@ -404,6 +404,7 @@ PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS
 **cef_dictionary** | optional | CEF JSON | string |
 **contains** | optional | Data type for each CEF field | string |
 **run_automation** | optional | Run automation on newly created artifact(s) (default: false) | boolean |
+**determine_contains** | optional | Determine contains for any CEF fields without a provided contains value. (default: true) | boolean |
 
 #### Action Output
 DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES
diff --git a/phantom.json b/phantom.json
index f08f073..fc223e7 100644
--- a/phantom.json
+++ b/phantom.json
@@ -6,7 +6,7 @@
 "publisher": "Splunk",
 "type": "information",
 "main_module": "phantom_connector.py",
- "app_version": "3.7.0",
+ "app_version": "3.7.1",
 "latest_tested_versions": [
 "Splunk Phantom PlatformAPI v5.3.1",
 "SOAR On-prem v5.3.1.84890",
@@ -401,8 +401,7 @@
 "data_path": "action_result.parameter.title",
 "data_type": "string",
 "example_values": [
- "Note test",
- "Testing note"
+ "Note test"
 ]
 },
 {
@@ -1234,8 +1233,12 @@
 "run_automation": {
 "description": "Run automation on newly created artifact(s) (default: false)",
 "data_type": "boolean",
- "default": false,
 "order": 8
+ },
+ "determine_contains": {
+ "description": "Determine contains for any CEF fields without a provided contains value (default: true)",
+ "data_type": "boolean",
+ "order": 9
 }
 },
 "render": {
@@ -1315,6 +1318,10 @@
 "data_path": "action_result.parameter.source_data_identifier",
 "data_type": "string"
 },
+ {
+ "data_path": "action_result.parameter.determine_contains",
+ "data_type": "boolean"
+ },
 {
 "data_path": "action_result.data.*.existing_artifact_id",
 "data_type": "numeric"
@@ -1957,16 +1964,14 @@
 "data_path": "action_result.summary.artifact_count",
 "data_type": "numeric",
 "example_values": [
- 3,
- 5
+ 3
 ]
 },
 {
 "data_path": "action_result.summary.container_id",
 "data_type": "numeric",
- "example_values": [
- 82,
- 77
+ "exampsle_values": [
+ 82
 ],
 "contains": [
 "phantom container id"
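Review bot: The new `determine_contains` parameter in the `@@ -1234,8 +1233,12 @@` hunk carries no `"default"` key even though its description promises `(default: true)`, and the same hunk removes `"default": false` from `run_automation`. The connector only falls back to True when the key is absent from `param` (`param.get("determine_contains", True)`), so if an unchecked box reaches the action as an explicit false rather than an omitted key, contains detection would be silently switched off for every existing playbook that never sets the new parameter; whether that happens depends on platform behaviour not visible here and is worth confirming. If the manifest default is what the editor pre-fills, adding `"default": true,` above `"order": 9` keeps the description, the UI and the code in agreement.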
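Review bot: `"exampsle_values": [` in the `@@ -1957,16 +1964,14 @@` hunk misspells `example_values`, so the example for `action_result.summary.container_id` now sits under a key the platform will not recognise. The README regenerated in the second patch already shows the consequence: the `action_result.summary.container_id` row has lost its example value while `artifact_count` kept `3`. Restore the key as `"example_values": [`.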
diff --git a/phantom_connector.py b/phantom_connector.py
index 7043172..ced759b 100644
--- a/phantom_connector.py
+++ b/phantom_connector.py
@@ -682,15 +682,17 @@ def _add_artifact(self, param):
 name = param.get("name")
 container_id = param.get("container_id", self.get_container_id())
- sdi = param.get("source_data_identifier")
+ sdi = param["source_data_identifier"]
 label = param.get("label", "event")
 contains = param.get("contains")
 cef_name = param.get("cef_name")
 cef_value = param.get("cef_value")
 cef_dict = param.get("cef_dictionary")
 run_automation = param.get("run_automation", False)
+ should_determine_contains = param.get("determine_contains", True)
 
 ret_val, container_id = self._validate_integer(action_result, container_id, "container_id")
+
 if phantom.is_fail(ret_val):
 return action_result.get_status()
 
@@ -737,20 +739,21 @@ def _add_artifact(self, param):
 artifact["source_data_identifier"] = sdi
 artifact["run_automation"] = run_automation
 
- for cef_name in loaded_cef:
+ if should_determine_contains:
+ for cef_name in loaded_cef:
 
- if loaded_contains.get(cef_name):
- continue
+ if loaded_contains.get(cef_name):
+ continue
 
- if cef_name not in CEF_NAME_MAPPING:
- determined_contains = determine_contains(loaded_cef[cef_name]) if loaded_cef[cef_name] else None
- if determined_contains:
- artifact["cef_types"][cef_name] = determined_contains
- else:
- try:
- artifact["cef_types"][cef_name] = CEF_JSON[cef_name]["contains"]
- except Exception:
- pass
+ if cef_name not in CEF_NAME_MAPPING:
+ determined_contains = determine_contains(loaded_cef[cef_name]) if loaded_cef[cef_name] else None
+ if determined_contains:
+ artifact["cef_types"][cef_name] = determined_contains
+ else:
+ try:
+ artifact["cef_types"][cef_name] = CEF_JSON[cef_name]["contains"]
+ except Exception:
+ pass
 
 success, response, resp_data = self._make_rest_call("/rest/artifact", action_result, method="post", data=artifact)
 
diff --git a/pyproject.toml b/pyproject.toml
index 474efd9..4c594fc 100644
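Review bot: `sdi = param["source_data_identifier"]` in the `@@ -682,15 +682,17 @@` hunk turns a tolerated missing value into an uncaught KeyError, a behaviour change unrelated to the determine_contains feature this commit adds. If `source_data_identifier` is marked required in phantom.json the platform should reject the action before the handler runs, but if it is optional the previous `sdi = param.get("source_data_identifier")`, or an explicit check that fails the action result with a message, is preferable to a traceback out of the handler. `_add_artifact` begins before this hunk and continues after it.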
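Review bot: The block moved under `if should_determine_contains:` in the `@@ -737,20 +739,21 @@` hunk still wraps the `CEF_JSON[cef_name]["contains"]` lookup in `except Exception: pass`; only a missing key is expected there, so while the code is being re-indented anyway `except KeyError:` would stop unrelated failures, such as a malformed `CEF_JSON` entry, from being hidden. This is pre-existing behaviour the commit preserves rather than introduces. `_add_artifact` begins before this hunk and continues after it.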
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -5,3 +5,4 @@ verbose = true
 [tool.isort]
 line_length = 145
+profile = "black"
diff --git a/release_notes/unreleased.md b/release_notes/unreleased.md
index fbcb2fd..6116a0c 100644
--- a/release_notes/unreleased.md
+++ b/release_notes/unreleased.md
@@ -1 +1,2 @@
 **Unreleased**
+* Added addtional 'determine_contains' parameter to disable the ability for SOAR to determine contains when adding an artifact.[PAPP-34715]
\ No newline at end of file
diff --git a/tox.ini b/tox.ini
index 04a3cec..720a141 100644
--- a/tox.ini
+++ b/tox.ini
@@ -1,7 +1,4 @@
 [flake8]
 max-line-length = 145
 max-complexity = 28
-extend-ignore = F403,E128,E126,E121,E127,E731,E201,E202,F405,E722,D
-
-[isort]
-line_length = 145
+extend-ignore = F403,E128,E126,E121,E127,E731,E201,E202,E203,E701,F405,E722,D,W503

From 094294ed662491b7db56d4b3cea0771286a1028b Mon Sep 17 00:00:00 2001
From: root
Date: Mon, 14 Oct 2024 03:18:35 -0700
Subject: [PATCH 2/2] Release notes for version 3.7.1

---
 LICENSE | 2 +-
 README.md | 11 ++++++-----
 release_notes/3.7.1.md | 1 +
 release_notes/unreleased.md | 1 -
 4 files changed, 8 insertions(+), 7 deletions(-)
 create mode 100644 release_notes/3.7.1.md

diff --git a/LICENSE b/LICENSE
index 12536c5..b7b3c69 100644
--- a/LICENSE
+++ b/LICENSE
@@ -198,4 +198,4 @@
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
- limitations under the License.
+ limitations under the License.
\ No newline at end of file
diff --git a/README.md b/README.md
index cb6bf57..1a64e95 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 # Phantom
 
 Publisher: Splunk
-Connector Version: 3.7.0
+Connector Version: 3.7.1
 Product Vendor: Phantom
 Product Name: Phantom
 Product Version Supported (regex): ".\*"
@@ -244,7 +244,7 @@ action_result.status | string | | success failed
 action_result.parameter.container_id | numeric | `phantom container id` | 35
 action_result.parameter.content | string | | Adding a note via app action
 action_result.parameter.phase_id | string | |
-action_result.parameter.title | string | | Note test Testing note
+action_result.parameter.title | string | | Note test
 action_result.data | string | |
 action_result.summary | string | |
 action_result.message | string | | Note created
@@ -404,7 +404,7 @@ PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS
 **cef_dictionary** | optional | CEF JSON | string |
 **contains** | optional | Data type for each CEF field | string |
 **run_automation** | optional | Run automation on newly created artifact(s) (default: false) | boolean |
-**determine_contains** | optional | Determine contains for any CEF fields without a provided contains value. (default: true) | boolean |
+**determine_contains** | optional | Determine contains for any CEF fields without a provided contains value (default: true) | boolean |
 
 #### Action Output
 DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES
@@ -419,6 +419,7 @@ action_result.parameter.label | string | | event
 action_result.parameter.name | string | | Artifact_demo
 action_result.parameter.run_automation | string | | True False
 action_result.parameter.source_data_identifier | string | |
+action_result.parameter.determine_contains | boolean | |
 action_result.data.\*.existing_artifact_id | numeric | |
 action_result.data.\*.failed | boolean | |
 action_result.data.\*.id | numeric | | 123
@@ -559,8 +560,8 @@ action_result.status | string | | success failed
 action_result.parameter.container_artifacts | string | | [{"name": "A human friendly name for artifact (1)", "label": "event", "source_data_identifier": 1},{"name": "A human friendly name for artifact (2)", "label": "event", "source_data_identifier": 2},{"name": "A human friendly name for artifact (3)", "label": "event", "source_data_identifier": 3}]
 action_result.parameter.container_json | string | | {"severity": "medium", "label": "events", "version": 1, "asset": 7, "status": "new", "description": "New Container from Phantom Helper", "tags": [], "data": {}, "name": "This is a container"}
 action_result.data | string | |
-action_result.summary.artifact_count | numeric | | 3 5
-action_result.summary.container_id | numeric | `phantom container id` | 82 77
+action_result.summary.artifact_count | numeric | | 3
+action_result.summary.container_id | numeric | `phantom container id` |
 action_result.summary.failed_artifact_count | numeric | | 7
 action_result.message | string | | Container id: 82, Artifact count: 3
 summary.total_objects | numeric | | 1
diff --git a/release_notes/3.7.1.md b/release_notes/3.7.1.md
new file mode 100644
index 0000000..5cff2c4
--- /dev/null
+++ b/release_notes/3.7.1.md
@@ -0,0 +1 @@
+* Added addtional 'determine_contains' parameter to disable the ability for SOAR to determine contains when adding an artifact.[PAPP-34715]
\ No newline at end of file
diff --git a/release_notes/unreleased.md b/release_notes/unreleased.md
index 6116a0c..fbcb2fd 100644
--- a/release_notes/unreleased.md
+++ b/release_notes/unreleased.md
@@ -1,2 +1 @@
 **Unreleased**
-* Added addtional 'determine_contains' parameter to disable the ability for SOAR to determine contains when adding an artifact.[PAPP-34715]
\ No newline at end of file