splunk-soar-connectors · phantom-jacob · Jan 15, 2025 · Oct 14, 2024 · Oct 14, 2024
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
 -   repo: https://github.com/phantomcyber/dev-cicd-tools
-    rev: v1.19
+    rev: v1.23
     hooks:
     -   id: org-hook
     -   id: package-app-dependencies

diff --git a/README.md b/README.md
@@ -2,7 +2,7 @@
 # Phantom
 
 Publisher: Splunk  
-Connector Version: 3.7.0  
+Connector Version: 3.7.1  
 Product Vendor: Phantom  
 Product Name: Phantom  
 Product Version Supported (regex): ".\*"  
@@ -244,7 +244,7 @@ action_result.status | string |  |   success  failed
 action_result.parameter.container_id | numeric |  `phantom container id`  |   35 
 action_result.parameter.content | string |  |   Adding a note via app action 
 action_result.parameter.phase_id | string |  |  
-action_result.parameter.title | string |  |   Note test  Testing note 
+action_result.parameter.title | string |  |   Note test 
 action_result.data | string |  |  
 action_result.summary | string |  |  
 action_result.message | string |  |   Note created 
@@ -404,6 +404,7 @@ PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS
 **cef_dictionary** |  optional  | CEF JSON | string | 
 **contains** |  optional  | Data type for each CEF field | string | 
 **run_automation** |  optional  | Run automation on newly created artifact(s) (default: false) | boolean | 
+**determine_contains** |  optional  | Determine contains for any CEF fields without a provided contains value (default: true) | boolean | 
 
 #### Action Output
 DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES
@@ -418,6 +419,7 @@ action_result.parameter.label | string |  |   event
 action_result.parameter.name | string |  |   Artifact_demo 
 action_result.parameter.run_automation | string |  |   True  False 
 action_result.parameter.source_data_identifier | string |  |  
+action_result.parameter.determine_contains | boolean |  |  
 action_result.data.\*.existing_artifact_id | numeric |  |  
 action_result.data.\*.failed | boolean |  |  
 action_result.data.\*.id | numeric |  |   123 
@@ -558,8 +560,8 @@ action_result.status | string |  |   success  failed
 action_result.parameter.container_artifacts | string |  |   [{"name": "A human friendly name for artifact (1)", "label": "event", "source_data_identifier": 1},{"name": "A human friendly name for artifact (2)", "label": "event", "source_data_identifier": 2},{"name": "A human friendly name for artifact (3)", "label": "event", "source_data_identifier": 3}] 
 action_result.parameter.container_json | string |  |   {"severity": "medium", "label": "events", "version": 1, "asset": 7, "status": "new", "description": "New Container from Phantom Helper", "tags": [],  "data": {}, "name": "This is a container"} 
 action_result.data | string |  |  
-action_result.summary.artifact_count | numeric |  |   3  5 
-action_result.summary.container_id | numeric |  `phantom container id`  |   82  77 
+action_result.summary.artifact_count | numeric |  |   3 
+action_result.summary.container_id | numeric |  `phantom container id`  |  
 action_result.summary.failed_artifact_count | numeric |  |   7 
 action_result.message | string |  |   Container id: 82, Artifact count: 3 
 summary.total_objects | numeric |  |   1 

diff --git a/phantom.json b/phantom.json
@@ -6,7 +6,7 @@
     "publisher": "Splunk",
     "type": "information",
     "main_module": "phantom_connector.py",
-    "app_version": "3.7.0",
+    "app_version": "3.7.1",
     "latest_tested_versions": [
         "Splunk Phantom PlatformAPI v5.3.1",
         "SOAR On-prem v5.3.1.84890",
@@ -401,8 +401,7 @@
                     "data_path": "action_result.parameter.title",
                     "data_type": "string",
                     "example_values": [
-                        "Note test",
-                        "Testing note"
+                        "Note test"
                     ]
                 },
                 {
@@ -1234,8 +1233,12 @@
                 "run_automation": {
                     "description": "Run automation on newly created artifact(s) (default: false)",
                     "data_type": "boolean",
-                    "default": false,
                     "order": 8
+                },
+                "determine_contains": {
+                    "description": "Determine contains for any CEF fields without a provided contains value (default: true)",
+                    "data_type": "boolean",
+                    "order": 9
                 }
             },
             "render": {
@@ -1315,6 +1318,10 @@
                     "data_path": "action_result.parameter.source_data_identifier",
                     "data_type": "string"
                 },
+                {
+                    "data_path": "action_result.parameter.determine_contains",
+                    "data_type": "boolean"
+                },
                 {
                     "data_path": "action_result.data.*.existing_artifact_id",
                     "data_type": "numeric"
@@ -1957,16 +1964,14 @@
                     "data_path": "action_result.summary.artifact_count",
                     "data_type": "numeric",
                     "example_values": [
-                        3,
-                        5
+                        3
                     ]
                 },
                 {
                     "data_path": "action_result.summary.container_id",
                     "data_type": "numeric",
-                    "example_values": [
-                        82,
-                        77
+                    "exampsle_values": [
+                        82
                     ],
                     "contains": [
                         "phantom container id"

diff --git a/phantom_connector.py b/phantom_connector.py
@@ -682,15 +682,17 @@ def _add_artifact(self, param):
 
         name = param.get("name")
         container_id = param.get("container_id", self.get_container_id())
-        sdi = param.get("source_data_identifier")
+        sdi = param["source_data_identifier"]
         label = param.get("label", "event")
         contains = param.get("contains")
         cef_name = param.get("cef_name")
         cef_value = param.get("cef_value")
         cef_dict = param.get("cef_dictionary")
         run_automation = param.get("run_automation", False)
+        should_determine_contains = param.get("determine_contains", True)
 
         ret_val, container_id = self._validate_integer(action_result, container_id, "container_id")
+
         if phantom.is_fail(ret_val):
             return action_result.get_status()
 
@@ -737,20 +739,21 @@ def _add_artifact(self, param):
         artifact["source_data_identifier"] = sdi
         artifact["run_automation"] = run_automation
 
-        for cef_name in loaded_cef:
+        if should_determine_contains:
+            for cef_name in loaded_cef:
 
-            if loaded_contains.get(cef_name):
-                continue
+                if loaded_contains.get(cef_name):
+                    continue
 
-            if cef_name not in CEF_NAME_MAPPING:
-                determined_contains = determine_contains(loaded_cef[cef_name]) if loaded_cef[cef_name] else None
-                if determined_contains:
-                    artifact["cef_types"][cef_name] = determined_contains
-            else:
-                try:
-                    artifact["cef_types"][cef_name] = CEF_JSON[cef_name]["contains"]
-                except Exception:
-                    pass
+                if cef_name not in CEF_NAME_MAPPING:
+                    determined_contains = determine_contains(loaded_cef[cef_name]) if loaded_cef[cef_name] else None
+                    if determined_contains:
+                        artifact["cef_types"][cef_name] = determined_contains
+                else:
+                    try:
+                        artifact["cef_types"][cef_name] = CEF_JSON[cef_name]["contains"]
+                    except Exception:
+                        pass
 
         success, response, resp_data = self._make_rest_call("/rest/artifact", action_result, method="post", data=artifact)
 

diff --git a/pyproject.toml b/pyproject.toml
@@ -5,3 +5,4 @@ verbose = true
 
 [tool.isort]
 line_length = 145
+profile = "black"
diff --git a/release_notes/3.7.1.md b/release_notes/3.7.1.md
@@ -0,0 +1 @@
+* Added addtional 'determine_contains' parameter to disable the ability for SOAR to determine contains when adding an artifact.[PAPP-34715]
diff --git a/tox.ini b/tox.ini
@@ -1,7 +1,4 @@
 [flake8]
 max-line-length = 145
 max-complexity = 28
-extend-ignore = F403,E128,E126,E121,E127,E731,E201,E202,F405,E722,D
-
-[isort]
-line_length = 145
+extend-ignore = F403,E128,E126,E121,E127,E731,E201,E202,E203,E701,F405,E722,D,W503
Original file line number	Diff line number	Diff line change
Expand Up		@@ -5,3 +5,4 @@ verbose = true

		[tool.isort]
		line_length = 145
		profile = "black"
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		* Added addtional 'determine_contains' parameter to disable the ability for SOAR to determine contains when adding an artifact.[PAPP-34715]