diff --git a/.github/content_roles.json b/.github/content_roles.json
index 04edef36496d..404c98a71de4 100644
--- a/.github/content_roles.json
+++ b/.github/content_roles.json
@@ -6,16 +6,16 @@
 "TIM_REVIEWER": "The GitHub username for TIM reviews owner"
 },
 "CONTRIBUTION_REVIEWERS": [
- "tcarmeli1",
- "yaakovpraisler",
- "aaron1535"
+ "MLainer1",
+ "YairGlik",
+ "amshamah419"
 ],
- "CONTRIBUTION_TL": "jbabazadeh",
+ "CONTRIBUTION_TL": "samuelFain",
 "CONTRIBUTION_SECURITY_REVIEWER": ["idovandijk"],
 "ON_CALL_DEVS": [
 "sshuker",
- "yhayun"
+ "sberman"
 ],
- "DOC_REVIEWER": "richardbluestone",
+ "DOC_REVIEWER": "ShirleyDenkberg",
 "TIM_REVIEWER": "MLainer1"
 }
diff --git a/.github/workflows/security-label-check.yml b/.github/workflows/security-label-check.yml
new file mode 100644
index 000000000000..cd669c90d134
--- /dev/null
+++ b/.github/workflows/security-label-check.yml
@@ -0,0 +1,27 @@
+name: Security Label Check
+on:
+ pull_request:
+ types: [opened, edited, labeled, synchronize, unlabeled]
+jobs:
+ security-check:
+ runs-on: ubuntu-latest
+ if: github.repository == 'demisto/content' && github.event.pull_request.head.repo.fork == true && contains(github.head_ref, 'xsoar-bot-contrib-ContributionTestPack') == false
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+ - name: Check if PR base branch starts with "contrib" and labels are correct
+ id: security_check
+ run: |
+ BASE_BRANCH=$(jq --raw-output .pull_request.base.ref "$GITHUB_EVENT_PATH")
+ LABELS=$(jq --raw-output '.pull_request.labels | map(.name) | join(",")' "$GITHUB_EVENT_PATH")
+ if [[ "$LABELS" == *"Security Review"* ]]; then
+ echo "Security Review label present. Checking if Security Approved label is added..."
+ if [[ "$LABELS" != *"Security Approved"* ]]; then
+ echo "Security Approved label is missing. The PR still requires a review from the security team."
+ exit 1
+ else
+ echo "Security Approved label is present."
+ fi
+ else
+ echo "Security Review label is not added. Security review is not required."
+ fi
diff --git a/Packs/AHA/Integrations/AHA/README.md b/Packs/AHA/Integrations/AHA/README.md
index 5a23e95b3632..7f4bab0f41b6 100644
--- a/Packs/AHA/Integrations/AHA/README.md
+++ b/Packs/AHA/Integrations/AHA/README.md
@@ -142,4 +142,4 @@ Edit an idea status to Shipped.
 | AHA.Idea.created_at | Date | The idea creation date. |
 #### Command example
-```!aha-edit-idea idea_name=DEMO-I-2895```
+```!aha-edit-idea idea_name=DEMO-I-2895```
\ No newline at end of file
diff --git a/Packs/AMP/Integrations/AMPv2/README.md b/Packs/AMP/Integrations/AMPv2/README.md
index 5b1706507cd1..54e1e042c1cd 100644
--- a/Packs/AMP/Integrations/AMPv2/README.md
+++ b/Packs/AMP/Integrations/AMPv2/README.md
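Review bot: The `Security Review` / `Security Approved` checks in the `run:` step are bash substring matches against a comma-joined label list, so any label whose name merely contains those words (a future "Security Review Not Needed", for instance) would satisfy or trip the gate; match label names exactly instead, e.g. `jq -e 'any(.pull_request.labels[]; .name == "Security Review")' "$GITHUB_EVENT_PATH"`. The step name promises a base-branch-starts-with-"contrib" check, but `BASE_BRANCH` is computed and never read — either enforce it or drop the variable and the claim so the step name does not overstate what is verified. The `actions/checkout@v3` step is unnecessary (the job only reads `$GITHUB_EVENT_PATH`) and is pinned to a mutable tag rather than a commit SHA; removing it and declaring a top-level `permissions: {}` gives a workflow that runs on fork PRs the least privilege it needs. This job only blocks merging if it is configured as a required status check in branch protection, which is outside this file and worth confirming.

```yaml
permissions: {}
jobs:
  security-check:
    runs-on: ubuntu-latest
    # … unchanged: if: condition …
    steps:
      - name: Require "Security Approved" when "Security Review" is set
        id: security_check
        run: |
          has_label() { jq -e --arg l "$1" 'any(.pull_request.labels[]; .name == $l)' "$GITHUB_EVENT_PATH" >/dev/null; }
          if has_label "Security Review"; then
            if ! has_label "Security Approved"; then
              echo "Security Approved label is missing. The PR still requires a review from the security team."
              exit 1
            fi
            echo "Security Approved label is present."
          else
            echo "Security Review label is not added. Security review is not required."
          fi
```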
@@ -1,28 +1,24 @@ Cisco Advanced Malware Protection software is designed to prevent, detect, and help remove threats in an efficient manner from computer systems. Threats can take the form of software viruses and other malware such as ransomware, worms, Trojans, spyware, adware, and fileless malware. This integration was integrated and tested with version 1 of CiscoAMP. -## Configure Cisco AMP Secure Endpoint on Cortex XSOAR - -1. Navigate to **Settings** > **Integrations** > **Servers & Services**. -2. Search for Cisco AMP Secure Endpoint. -3. Click **Add instance** to create and configure a new integration instance. - - | **Parameter** | **Description** | **Required** | - | --- | --- | --- | - | Server URL | | True | - | 3rd Party API Client ID | | True | - | API Key | | True | - | Trust any certificate (unsecure) | | False | - | Use system proxy | | False | - | Maximum incidents to fetch. | Maximum number of incidents per fetch. The maximum is 200. | False | - | Incident severity to fetch. | | False | - | First fetch time | First alert created date to fetch. e.g., "1 min ago","2 weeks ago","3 months ago" | False | - | Event types | Comma-separated list of Event Type IDs. | False | - | Create relationships | Create relationships between indicators as part of Enrichment. | False | - -4. Click **Test** to validate the URLs, token, and connection. +## Configure Cisco AMP Secure Endpoint in Cortex + + +| **Parameter** | **Description** | **Required** | +| --- | --- | --- | +| Server URL | | True | +| 3rd Party API Client ID | | True | +| API Key | | True | +| Trust any certificate (unsecure) | | False | +| Use system proxy | | False | +| Maximum incidents to fetch. | Maximum number of incidents per fetch. The maximum is 200. | False | +| Incident severity to fetch. | | False | +| First fetch time | First alert created date to fetch. e.g., "1 min ago","2 weeks ago","3 months ago" | False | +| Event types | Comma-separated list of Event Type IDs. 
| False | +| Create relationships | Create relationships between indicators as part of Enrichment. | False | + ## Commands -You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. +You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details. ### cisco-amp-computer-list *** @@ -5058,4 +5054,4 @@ Runs reputation on files. ### Cisco AMP - Hash Reputation for: 4312CDB2EAD8FD8D2DD6D8D716F3B6E9717B3D7167A2A0495E4391312102170F >|Hashes|Hostname|Name|SHA256| >|---|---|---|---| ->| {'type': 'SHA256', 'value': '4312CDB2EAD8FD8D2DD6D8D716F3B6E9717B3D7167A2A0495E4391312102170F'} | Demo_AMP_Exploit_Prevention | firefox.exe | 4312CDB2EAD8FD8D2DD6D8D716F3B6E9717B3D7167A2A0495E4391312102170F | +>| {'type': 'SHA256', 'value': '4312CDB2EAD8FD8D2DD6D8D716F3B6E9717B3D7167A2A0495E4391312102170F'} | Demo_AMP_Exploit_Prevention | firefox.exe | 4312CDB2EAD8FD8D2DD6D8D716F3B6E9717B3D7167A2A0495E4391312102170F | \ No newline at end of file diff --git a/Packs/AMP/Integrations/CiscoAMPEventCollector/README.md b/Packs/AMP/Integrations/CiscoAMPEventCollector/README.md index 03426befd82a..9c01adf81900 100644 --- a/Packs/AMP/Integrations/CiscoAMPEventCollector/README.md +++ b/Packs/AMP/Integrations/CiscoAMPEventCollector/README.md 
@@ -3,26 +3,22 @@ This integration was integrated and tested with version v1 of CiscoAMPEventColle This is the default integration for this content pack when configured by the Data Onboarder in Cortex XSIAM. -## Configure Cisco AMP Event Collector on Cortex XSIAM +## Configure Cisco AMP Event Collector in Cortex -1. Navigate to **Settings** > **Integrations** > **Servers & Services**. -2. Search for Cisco AMP Event Collector. -3. Click **Add instance** to create and configure a new integration instance. - | **Parameter** | **Required** | - |-----------------------------------------| --- | - | Server URL (e.g., https://some_url.com) | True | - | Client ID | True | - | API Key | True | - | Max events number per fetch | False | - | Trust any certificate (not secure) | False | - | Use system proxy settings | False | +| **Parameter** | **Required** | +|-----------------------------------------| --- | +| Server URL (e.g., https://some_url.com) | True | +| Client ID | True | +| API Key | True | +| Max events number per fetch | False | +| Trust any certificate (not secure) | False | +| Use system proxy settings | False | -4. Click **Test** to validate the URLs, token, and connection. ## Commands -You can execute these commands from the Cortex XSIAM CLI, as part of an automation, or in a playbook. +You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details. ### cisco-amp-get-events @@ -44,4 +40,4 @@ Gets events from Cisco AMP. #### Context Output -There is no context output for this command. +There is no context output for this command. \ No newline at end of file diff --git a/Packs/APIVoid/Integrations/APIVoid/APIVoid.yml b/Packs/APIVoid/Integrations/APIVoid/APIVoid.yml index 60c9d5121ef5..4926a754724c 100644 --- a/Packs/APIVoid/Integrations/APIVoid/APIVoid.yml +++ b/Packs/APIVoid/Integrations/APIVoid/APIVoid.yml 
@@ -1639,7 +1639,7 @@ script: description: '' type: boolean description: A smart API that accurately checks a website's trustworthiness. - dockerimage: demisto/python3:3.10.13.72123 + dockerimage: demisto/python3:3.11.10.116439 runonce: false subtype: python3 fromversion: 5.0.0 diff --git a/Packs/APIVoid/Integrations/APIVoid/README.md b/Packs/APIVoid/Integrations/APIVoid/README.md index 54cc66cf9719..97c931f11dab 100644 --- a/Packs/APIVoid/Integrations/APIVoid/README.md +++ b/Packs/APIVoid/Integrations/APIVoid/README.md 
@@ -1,24 +1,20 @@ APIVoid wraps up a number of services such as ipvoid & urlvoid. -## Configure APIVoid on Cortex XSOAR - -1. Navigate to **Settings** > **Integrations** > **Servers & Services**. -2. Search for APIVoid. -3. Click **Add instance** to create and configure a new integration instance. - - | **Parameter** | **Description** | **Required** | - | --- | --- | --- | - | API KEY | | True | - | Benign Reputation (Percentage) | If the percentage of detections is BELOW this value, the indicator is considered Benign | True | - | Suspicious Reputation (Percentage) | If the percentage of detections is ABOVE this value, the indicator is considered Suspicious | True | - | Malicious Reputation (Percentage) | If the percentage of detections is ABOVE this value, the indicator is considered Malicious | True | - | Malicious | Consider the indicator malicious if either Suspicious or Malicious | True | - | Trust any certificate (not secure) | | False | - | Use system proxy settings | | False | - -4. Click **Test** to validate the URLs, token, and connection. +## Configure APIVoid in Cortex + + +| **Parameter** | **Description** | **Required** | +| --- | --- | --- | +| API KEY | | True | +| Benign Reputation (Percentage) | If the percentage of detections is BELOW this value, the indicator is considered Benign | True | +| Suspicious Reputation (Percentage) | If the percentage of detections is ABOVE this value, the indicator is considered Suspicious | True | +| Malicious Reputation (Percentage) | If the percentage of detections is ABOVE this value, the indicator is considered Malicious | True | +| Malicious | Consider the indicator malicious if either Suspicious or Malicious | True | +| Trust any certificate (not secure) | | False | +| Use system proxy settings | | False | + ## Commands -You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. +You can execute these commands from the CLI, as part of an automation, or in a playbook. 
After you successfully execute a command, a DBot message appears in the War Room with the command details. ### apivoid-ip *** @@ -816,4 +812,4 @@ A smart API that accurately checks a website's trustworthiness. | APIVoid.SiteTrust.targeted_brands.gucci | boolean | | | APIVoid.SiteTrust.targeted_brands.salomon | boolean | | | APIVoid.SiteTrust.targeted_brands.liujo | boolean | | -| APIVoid.SiteTrust.targeted_brands.truereligion | boolean | | +| APIVoid.SiteTrust.targeted_brands.truereligion | boolean | | \ No newline at end of file diff --git a/Packs/APIVoid/ReleaseNotes/1_0_37.md b/Packs/APIVoid/ReleaseNotes/1_0_37.md new file mode 100644 index 000000000000..7fdd3aa71348 --- /dev/null +++ b/Packs/APIVoid/ReleaseNotes/1_0_37.md @@ -0,0 +1,10 @@ + +#### Integrations + +##### APIVoid +- Updated the Docker image to: *demisto/python3:3.11.10.116439*. + + + + + diff --git a/Packs/APIVoid/pack_metadata.json b/Packs/APIVoid/pack_metadata.json index c8513c223ab0..d4b2f90f0c4c 100644 --- a/Packs/APIVoid/pack_metadata.json +++ b/Packs/APIVoid/pack_metadata.json @@ -2,7 +2,7 @@ "name": "APIVoid", "description": "APIVoid wraps up a number of services such as ipvoid & urlvoid", "support": "xsoar", - "currentVersion": "1.0.36", + "currentVersion": "1.0.37", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/ARIAPacketIntelligence/Integrations/ARIAPacketIntelligence/README.md b/Packs/ARIAPacketIntelligence/Integrations/ARIAPacketIntelligence/README.md index 331674d4144d..2a31393ecf1f 100644 --- a/Packs/ARIAPacketIntelligence/Integrations/ARIAPacketIntelligence/README.md +++ b/Packs/ARIAPacketIntelligence/Integrations/ARIAPacketIntelligence/README.md 
@@ -1,10 +1,7 @@ The ARIA Cybesecurity Solutions Software-Defined Security (SDS) platform integrates with Cortex XSOAR to add robustness when responding to incidents. The combination of ARIA hardware, in the form of a Secure Intelligent Adapter (SIA), and software, specifically Packet Intelligence and SDS orchestrator (SDSo), provides the elements required to react instantly when an incident is detected. When integrated with the ARIA solution, you can create playbooks that instruct one or more SIAs to add, modify, or delete rules automatically. These rule changes, which take effect immediately, can block conversations, redirect packets to a recorder or VLAN, or perform a variety of other actions. This integration was integrated and tested with version 1.0.9 of ARIA Packet Intelligence -## Configure ARIA Packet Intelligence on Cortex XSOAR +## Configure ARIA Packet Intelligence in Cortex -1. Navigate to **Settings** > **Integrations** > **Servers & Services**. -2. Search for ARIA Packet Intelligence. -3. Click **Add instance** to create and configure a new integration instance. | **Parameter** | **Description** | **Required** | | --- | --- | --- | @@ -12,9 +9,8 @@ This integration was integrated and tested with version 1.0.9 of ARIA Packet Int | proxy | Use system proxy settings | False | | insecure | Trust any certificate \(not secure\) | False | -4. Click **Test** to validate the URLs, token, and connection. ## Commands -You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. +You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details. Note that all commands support a remediation configuration string (RCS). It is a set of parameters that defines how and @@ -2308,4 +2304,4 @@ equivalent to using the wildcard. For example, MA.all.all is equivalent to "MA.\ > | securityDomain@ARIA-NORTH@
PIdevice@MA.HR.sia1,sia2,^ARIA-SOUTH| This RCS will select the SIA with a region label of "MA", group label of "HR", and name label of "sia1". It will also select the SIA named "sia2" as well as any SIAs that are members of both domains (i.e., ARIA-NORTH and ARIA-SOUTH). | ## Additional Information -For more information, please see the ARIA_SOAR_Integration_Guide_XSOAR. +For more information, please see the ARIA_SOAR_Integration_Guide_XSOAR. \ No newline at end of file diff --git a/Packs/AWS-ACM/Integrations/AWS-ACM/AWS-ACM.yml b/Packs/AWS-ACM/Integrations/AWS-ACM/AWS-ACM.yml index 3d2cc82e0004..1bf0ec74b2ba 100644 --- a/Packs/AWS-ACM/Integrations/AWS-ACM/AWS-ACM.yml +++ b/Packs/AWS-ACM/Integrations/AWS-ACM/AWS-ACM.yml @@ -469,7 +469,7 @@ script: description: The certificate chain that contains the root certificate issued by the certificate authority (CA). type: string description: Retrieves a certificate specified by an ARN and its certificate chain . The chain is an ordered list of certificates that contains the end entity certificate, intermediate certificates of subordinate CAs, and the root certificate in that order. The certificate and certificate chain are base64 encoded. If you want to decode the certificate to see the individual fields, you can use OpenSSL. - dockerimage: demisto/boto3py3:1.0.0.100496 + dockerimage: demisto/boto3py3:1.0.0.115129 subtype: python3 tests: - ACM-Test diff --git a/Packs/AWS-ACM/Integrations/AWS-ACM/README.md b/Packs/AWS-ACM/Integrations/AWS-ACM/README.md index 5b2d05ad6927..57d4b9b31c73 100644 --- a/Packs/AWS-ACM/Integrations/AWS-ACM/README.md +++ b/Packs/AWS-ACM/Integrations/AWS-ACM/README.md 
@@ -4,28 +4,24 @@ For more information regarding the AWS ACM service, please visit the official do For detailed instructions about setting up authentication, see: [AWS Integrations - Authentication](https://xsoar.pan.dev/docs/reference/articles/aws-integrations---authentication). -## Configure AWS - ACM on Cortex XSOAR - -1. Navigate to **Settings** > **Integrations** > **Servers & Services**. -2. Search for AWS - ACM. -3. Click **Add instance** to create and configure a new integration instance. - - | **Parameter** | **Description** | **Required** | - | --- | --- | --- | - | roleArn | role ARN | False | - | roleSessionName | Role Session Name | False | - | defaultRegion | AWS Default Region | False | - | sessionDuration | Role Session Duration | False | - | access_key | Access Key | False | - | secret_key | Secret Key | False | - | timeout | The time in seconds till a timeout exception is reached. You can specify just the read timeout (for example 60) or also the connect timeout followed after a comma (for example 60,10). If a connect timeout is not specified a default of 10 second will be used. | False | - | retries | The maximum number of retry attempts when connection or throttling errors are encountered. Set to 0 to disable retries. The default value is 5 and the limit is 10. Note: Increasing the number of retries will increase the execution time. More details about the retries strategy is available [here](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/retries.html). | False | - | Trust any certificate (not secure) | | False | - | Use system proxy settings | | False | - -4. Click **Test** to validate the URLs, token, and connection. 
+## Configure AWS - ACM in Cortex + + +| **Parameter** | **Description** | **Required** | +| --- | --- | --- | +| roleArn | role ARN | False | +| roleSessionName | Role Session Name | False | +| defaultRegion | AWS Default Region | False | +| sessionDuration | Role Session Duration | False | +| access_key | Access Key | False | +| secret_key | Secret Key | False | +| timeout | The time in seconds till a timeout exception is reached. You can specify just the read timeout (for example 60) or also the connect timeout followed after a comma (for example 60,10). If a connect timeout is not specified a default of 10 second will be used. | False | +| retries | The maximum number of retry attempts when connection or throttling errors are encountered. Set to 0 to disable retries. The default value is 5 and the limit is 10. Note: Increasing the number of retries will increase the execution time. More details about the retries strategy is available [here](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/retries.html). | False | +| Trust any certificate (not secure) | | False | +| Use system proxy settings | | False | + ## Commands -You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. +You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details. ### aws-acm-describe-certificate *** @@ -228,4 +224,3 @@ Retrieves a certificate specified by an ARN and its certificate chain . The chai | AWS.ACM.Certificates.Certificate | string | String that contains the ACM certificate represented by the ARN specified at input. | | AWS.ACM.Certificates.CertificateChain | string | The certificate chain that contains the root certificate issued by the certificate authority \(CA\). | - 
diff --git a/Packs/AWS-ACM/ReleaseNotes/1_1_39.md b/Packs/AWS-ACM/ReleaseNotes/1_1_39.md new file mode 100644 index 000000000000..91b10fd712c8 --- /dev/null +++ b/Packs/AWS-ACM/ReleaseNotes/1_1_39.md @@ -0,0 +1,7 @@ + +#### Integrations + +##### AWS - ACM + + +- Updated the Docker image to: *demisto/boto3py3:1.0.0.115129*. diff --git a/Packs/AWS-ACM/pack_metadata.json b/Packs/AWS-ACM/pack_metadata.json index d19d322d3fbd..9787ac3994da 100644 --- a/Packs/AWS-ACM/pack_metadata.json +++ b/Packs/AWS-ACM/pack_metadata.json @@ -2,7 +2,7 @@ "name": "AWS - ACM", "description": "Amazon Web Services Certificate Manager Service (acm)", "support": "xsoar", - "currentVersion": "1.1.38", + "currentVersion": "1.1.39", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/AWS-AccessAnalyzer/Integrations/AWS-AccessAnalyzer/AWS-AccessAnalyzer.yml b/Packs/AWS-AccessAnalyzer/Integrations/AWS-AccessAnalyzer/AWS-AccessAnalyzer.yml index 94c49dc36ee5..162ba97da956 100644 --- a/Packs/AWS-AccessAnalyzer/Integrations/AWS-AccessAnalyzer/AWS-AccessAnalyzer.yml +++ b/Packs/AWS-AccessAnalyzer/Integrations/AWS-AccessAnalyzer/AWS-AccessAnalyzer.yml @@ -310,7 +310,7 @@ script: name: roleSessionDuration description: Updates findings with the new values provided in the request. name: aws-access-analyzer-update-findings - dockerimage: demisto/boto3py3:1.0.0.100468 + dockerimage: demisto/boto3py3:1.0.0.115129 isfetch: true runonce: false script: '-' diff --git a/Packs/AWS-AccessAnalyzer/Integrations/AWS-AccessAnalyzer/README.md b/Packs/AWS-AccessAnalyzer/Integrations/AWS-AccessAnalyzer/README.md index 07325b9582cf..30968587f867 100644 --- a/Packs/AWS-AccessAnalyzer/Integrations/AWS-AccessAnalyzer/README.md +++ b/Packs/AWS-AccessAnalyzer/Integrations/AWS-AccessAnalyzer/README.md 
@@ -1,35 +1,31 @@ Amazon Web Services IAM Access Analyzer For detailed instructions about setting up authentication, see: [AWS Integrations - Authentication](https://xsoar.pan.dev/docs/reference/articles/aws-integrations---authentication). -## Configure AWS - AccessAnalyzer on Cortex XSOAR - -1. Navigate to **Settings** > **Integrations** > **Servers & Services**. -2. Search for AWS - AccessAnalyzer. -3. Click **Add instance** to create and configure a new integration instance. - - | **Parameter** | **Description** | **Required** | - | --- | --- | --- | - | AWS Default Region | | False | - | Role Arn | | False | - | Role Session Name | | False | - | Role Session Duration | | False | - | Fetch incidents | | False | - | Incident type | | False | - | Access Key | | False | - | Secret Key | | False | - | Fetch Analyzer ARN (Required for fetching incidents) | The ARN to fetch findings for | False | - | Trust any certificate (not secure) | Trust any certificate \(not secure\). | False | - | Use system proxy settings | Use system proxy settings. | False | - | Timeout | The time in seconds till a timeout exception is reached. You can specify just the read timeout (for example 60) or also the connect timeout followed after a comma (for example 60,10). If a connect timeout is not specified, a default of 10 second will be used. | False | - | Retries | The maximum number of retry attempts when connection or throttling errors are encountered. Set to 0 to disable retries. The default value is 5 and the limit is 10. Note: Increasing the number of retries will increase the execution time. | False | - -4. Click **Test** to validate the URLs, token, and connection. 
+## Configure AWS - AccessAnalyzer in Cortex + + +| **Parameter** | **Description** | **Required** | +| --- | --- | --- | +| AWS Default Region | | False | +| Role Arn | | False | +| Role Session Name | | False | +| Role Session Duration | | False | +| Fetch incidents | | False | +| Incident type | | False | +| Access Key | | False | +| Secret Key | | False | +| Fetch Analyzer ARN (Required for fetching incidents) | The ARN to fetch findings for | False | +| Trust any certificate (not secure) | Trust any certificate \(not secure\). | False | +| Use system proxy settings | Use system proxy settings. | False | +| Timeout | The time in seconds till a timeout exception is reached. You can specify just the read timeout (for example 60) or also the connect timeout followed after a comma (for example 60,10). If a connect timeout is not specified, a default of 10 second will be used. | False | +| Retries | The maximum number of retry attempts when connection or throttling errors are encountered. Set to 0 to disable retries. The default value is 5 and the limit is 10. Note: Increasing the number of retries will increase the execution time. | False | + ## Fetch Incidents The integration fetches findings, generated by the analyzer specified in the ***Fetch Analyzer ARN*** parameter, as incidents. ## Commands -You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. +You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details. ### aws-access-analyzer-list-analyzers 
@@ -429,4 +425,4 @@ There is no context output for this command. ```!aws-access-analyzer-update-findings analyzerArn=arn:aws:access-analyzer:us-east-2:123456789012:analyzer/ConsoleAnalyzer-k80aff71-2468-47l7-b24c-p8992b3f10d5 findingIds=78eb6782-5387-49k0-bpe5-39am61c3baee status=ACTIVE``` #### Human Readable Output ->Findings updated +>Findings updated \ No newline at end of file diff --git a/Packs/AWS-AccessAnalyzer/ReleaseNotes/1_1_36.md b/Packs/AWS-AccessAnalyzer/ReleaseNotes/1_1_36.md new file mode 100644 index 000000000000..024721ce91c5 --- /dev/null +++ b/Packs/AWS-AccessAnalyzer/ReleaseNotes/1_1_36.md @@ -0,0 +1,7 @@ + +#### Integrations + +##### AWS - AccessAnalyzer + + +- Updated the Docker image to: *demisto/boto3py3:1.0.0.115129*. diff --git a/Packs/AWS-AccessAnalyzer/pack_metadata.json b/Packs/AWS-AccessAnalyzer/pack_metadata.json index 581490221f56..2ea212e4e0d7 100644 --- a/Packs/AWS-AccessAnalyzer/pack_metadata.json +++ b/Packs/AWS-AccessAnalyzer/pack_metadata.json @@ -2,7 +2,7 @@ "name": "AWS - AccessAnalyzer", "description": "Amazon Web Services IAM Access Analyzer", "support": "xsoar", - "currentVersion": "1.1.35", + "currentVersion": "1.1.36", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/AWS-Athena/Integrations/AWS-Athena/AWS-Athena.yml b/Packs/AWS-Athena/Integrations/AWS-Athena/AWS-Athena.yml index ee55bd20cb2c..43312efe0aa2 100644 --- a/Packs/AWS-Athena/Integrations/AWS-Athena/AWS-Athena.yml +++ b/Packs/AWS-Athena/Integrations/AWS-Athena/AWS-Athena.yml @@ -430,7 +430,7 @@ script: - contextPath: AWS.Athena.QueryResults description: List of query results. type: List - dockerimage: demisto/boto3py3:1.0.0.89670 + dockerimage: demisto/boto3py3:1.0.0.115129 subtype: python3 tests: - No tests diff --git a/Packs/AWS-Athena/Integrations/AWS-Athena/README.md b/Packs/AWS-Athena/Integrations/AWS-Athena/README.md index 374c14fd8720..9a6594ce592d 100644 
--- a/Packs/AWS-Athena/Integrations/AWS-Athena/README.md +++ b/Packs/AWS-Athena/Integrations/AWS-Athena/README.md 
@@ -1,29 +1,25 @@ Amazon Web Services Athena. -## Configure AWS - Athena on Cortex XSOAR - -1. Navigate to **Settings** > **Integrations** > **Servers & Services**. -2. Search for AWS - Athena. -3. Click **Add instance** to create and configure a new integration instance. - - | **Parameter** | **Description** | **Required** | - | --- | --- | --- | - | Role Arn | | False | - | Role Session Name | | False | - | Role Session Duration | | False | - | AWS Default Region | | False | - | Access Key | | True | - | Secret Key | | True | - | Timeout | The time in seconds until a timeout exception is reached. You can specify just the read timeout \(for example 60\) or also the connect timeout followed after a comma \(for example 60,10\). If a connect timeout is not specified, a default of 10 second will be used. | False | - | Retries | The maximum number of retry attempts when connection or throttling errors are encountered. Set to 0 to disable retries. The default value is 5 and the limit is 10. Note: Increasing the number of retries will increase the execution time. | False | - | Trust any certificate (not secure) | | False | - | Use system proxy settings | | False | - -4. Click **Test** to validate the URLs, token, and connection. +## Configure AWS - Athena in Cortex + + +| **Parameter** | **Description** | **Required** | +| --- | --- | --- | +| Role Arn | | False | +| Role Session Name | | False | +| Role Session Duration | | False | +| AWS Default Region | | False | +| Access Key | | True | +| Secret Key | | True | +| Timeout | The time in seconds until a timeout exception is reached. You can specify just the read timeout \(for example 60\) or also the connect timeout followed after a comma \(for example 60,10\). If a connect timeout is not specified, a default of 10 second will be used. | False | +| Retries | The maximum number of retry attempts when connection or throttling errors are encountered. Set to 0 to disable retries. The default value is 5 and the limit is 10. 
Note: Increasing the number of retries will increase the execution time. | False | +| Trust any certificate (not secure) | | False | +| Use system proxy settings | | False | + ## Commands -You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. +You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details. ### aws-athena-execute-query @@ -229,4 +225,4 @@ Return the results of a query. | **Path** | **Type** | **Description** | | --- | --- | --- | -| AWS.Athena.QueryResults | List | List of query results. | +| AWS.Athena.QueryResults | List | List of query results. | \ No newline at end of file diff --git a/Packs/AWS-Athena/ReleaseNotes/2_0_4.md b/Packs/AWS-Athena/ReleaseNotes/2_0_4.md new file mode 100644 index 000000000000..c3033d7c2e9d --- /dev/null +++ b/Packs/AWS-Athena/ReleaseNotes/2_0_4.md @@ -0,0 +1,7 @@ + +#### Integrations + +##### AWS - Athena + + +- Updated the Docker image to: *demisto/boto3py3:1.0.0.115129*. diff --git a/Packs/AWS-Athena/pack_metadata.json b/Packs/AWS-Athena/pack_metadata.json index 5e9d27466332..107d50e7036a 100644 --- a/Packs/AWS-Athena/pack_metadata.json +++ b/Packs/AWS-Athena/pack_metadata.json @@ -2,7 +2,7 @@ "name": "AWS - Athena", "description": "Amazon Web Services Athena", "support": "xsoar", - "currentVersion": "2.0.3", + "currentVersion": "2.0.4", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/AWS-CloudTrail/Integrations/AWS-CloudTrail/AWS-CloudTrail.yml b/Packs/AWS-CloudTrail/Integrations/AWS-CloudTrail/AWS-CloudTrail.yml index c9ca20c25224..e5c04605ab45 100644 --- a/Packs/AWS-CloudTrail/Integrations/AWS-CloudTrail/AWS-CloudTrail.yml +++ b/Packs/AWS-CloudTrail/Integrations/AWS-CloudTrail/AWS-CloudTrail.yml 
@@ -431,7 +431,7 @@ script: - contextPath: AWS.CloudTrail.TrailStatus.LatestDigestDeliveryError description: Displays any Amazon S3 error that CloudTrail encountered when attempting to deliver a digest file to the designated bucket. type: string - dockerimage: demisto/boto3py3:1.0.0.100468 + dockerimage: demisto/boto3py3:1.0.0.115129 runonce: false script: '' subtype: python3 diff --git a/Packs/AWS-CloudTrail/Integrations/AWS-CloudTrail/README.md b/Packs/AWS-CloudTrail/Integrations/AWS-CloudTrail/README.md index 42c7017dd569..4a355bb603e9 100644 --- a/Packs/AWS-CloudTrail/Integrations/AWS-CloudTrail/README.md +++ b/Packs/AWS-CloudTrail/Integrations/AWS-CloudTrail/README.md 
@@ -1,30 +1,26 @@ Amazon Web Services CloudTrail. This integration was integrated and tested with version 1.0.11 of AWS - CloudTrail. -## Configure AWS - CloudTrail on Cortex XSOAR - -1. Navigate to **Settings** > **Integrations** > **Servers & Services**. -2. Search for AWS - CloudTrail. -3. Click **Add instance** to create and configure a new integration instance. - - | **Parameter** | **Required** | - | --- | --- | - | AWS Default Region | False | - | Role Arn | False | - | Role Session Name | False | - | Role Session Duration | False | - | Access Key | False | - | Secret Key | False | - | Access Key | False | - | Secret Key | False | - | Trust any certificate (not secure) | False | - | Use system proxy settings | False | - -4. Click **Test** to validate the URLs, token, and connection. +## Configure AWS - CloudTrail in Cortex + + +| **Parameter** | **Required** | +| --- | --- | +| AWS Default Region | False | +| Role Arn | False | +| Role Session Name | False | +| Role Session Duration | False | +| Access Key | False | +| Secret Key | False | +| Access Key | False | +| Secret Key | False | +| Trust any certificate (not secure) | False | +| Use system proxy settings | False | + ## Commands -You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. +You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details. ### aws-cloudtrail-create-trail 
@@ -286,4 +282,4 @@ Returns a JSON-formatted list of information about the specified trail. Fields i
 | AWS.CloudTrail.TrailStatus.LatestCloudWatchLogsDeliveryError | string | Displays any CloudWatch Logs error that CloudTrail encountered when attempting to deliver logs to CloudWatch Logs. |
 | AWS.CloudTrail.TrailStatus.LatestCloudWatchLogsDeliveryTime | date | Displays the most recent date and time when CloudTrail delivered logs to CloudWatch Logs. |
 | AWS.CloudTrail.TrailStatus.LatestDigestDeliveryTime | date | Specifies the date and time that CloudTrail last delivered a digest file to an account’s Amazon S3 bucket. |
-| AWS.CloudTrail.TrailStatus.LatestDigestDeliveryError | string | Displays any Amazon S3 error that CloudTrail encountered when attempting to deliver a digest file to the designated bucket. |
+| AWS.CloudTrail.TrailStatus.LatestDigestDeliveryError | string | Displays any Amazon S3 error that CloudTrail encountered when attempting to deliver a digest file to the designated bucket. |
\ No newline at end of file
diff --git a/Packs/AWS-CloudTrail/ModelingRules/AWSCloudTrail/AWSCloudTrail.xif b/Packs/AWS-CloudTrail/ModelingRules/AWSCloudTrail/AWSCloudTrail.xif
new file mode 100644
index 000000000000..971ce38d560a
--- /dev/null
+++ b/Packs/AWS-CloudTrail/ModelingRules/AWSCloudTrail/AWSCloudTrail.xif
@@ -0,0 +1,51 @@ +[MODEL: dataset = amazon_aws_raw] +/* + CloudTrail Audit Logs + AWS event schema version: 1.11 + https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html +*/ +filter _log_type = "Cloud Audit Log" +| alter // initializations + resource_arn = arraystring(arraymap(resources -> [], "@element" -> ARN), ","), + resource_account_id = arraystring(arraymap(resources -> [], "@element" -> accountId), ","), + resource_name = arraystring(arraymap(resources -> [], arrayindex(regextract("@element" -> ARN, "/([^\/]+)$"), -1)), ","), // extract last segment from ARN after last / + resource_type = arraystring(arraymap(resources -> [], "@element" -> type), ","), + user_identity_arn = userIdentity -> arn, + user_identity_type = userIdentity -> type, + source_ipv4 = if(sourceIPAddress ~= "(?:\d{1,3}\.){3}\d{1,3}", sourceIPAddress), // The IP address that the request was made from. For actions that originate from the service console, the address reported is for the underlying customer resource, not the console web server. 
+ source_ipv6 = if(sourceIPAddress ~= "(?:[a-fA-F\d]{0,4}\:){2,7}[a-fA-F\d]{0,4}", sourceIPAddress) +| alter // XDM Mappings + xdm.event.description = object_create("requestParameters", requestParameters, "additionalEventData", additionalEventData, "responseElements", responseElements), + xdm.event.id = eventId, + xdm.event.operation_sub_type = eventName, + xdm.event.original_event_type = eventType, + xdm.event.outcome = if(errorCode = null, XDM_CONST.OUTCOME_SUCCESS, XDM_CONST.OUTCOME_FAILED), + xdm.event.outcome_reason = if(errorMessage != null and errorMessage != "", concat(errorCode, ": ", errorMessage), errorCode), + xdm.event.type = eventName, + xdm.network.session_id = requestID, + xdm.network.tls.cipher = tlsDetails -> cipherSuite, + xdm.network.tls.protocol_version = tlsDetails -> tlsVersion, + xdm.observer.content_version = eventVersion, + xdm.observer.name = eventSource, + xdm.observer.type = eventCategory, + xdm.session_context_id = sharedEventID, + xdm.source.cloud.project_id = userIdentity -> accountId, + xdm.source.cloud.provider = XDM_CONST.CLOUD_PROVIDER_AWS, + xdm.source.host.device_id = vpcEndpointId, + xdm.source.host.ipv4_public_addresses = if(source_ipv4 != null and not incidr(source_ipv4, "10.0.0.0/8") and not incidr(source_ipv4, "172.16.0.0/12") and not incidr(source_ipv4, "192.168.0.0/16") and not incidr(source_ipv4, "127.0.0.0/8") and not incidr(source_ipv4, "169.254.0.0/16") and not incidr(source_ipv4, "100.64.0.0/10"), arraycreate(source_ipv4)), + xdm.source.host.fqdn = if(source_ipv4 = null and source_ipv6 = null and sourceIPAddress !~= "AWS Internal", sourceIPAddress), // For services in AWS, only the DNS name is displayed. 
+ xdm.source.ipv4 = source_ipv4, + xdm.source.ipv6 = source_ipv6, + xdm.source.user_agent = userAgent, + xdm.source.user.groups = if(user_identity_type in ("Role", "AssumedRole"), arraycreate(userIdentity -> sessionContext.sessionIssuer.userName)), + xdm.source.user.identifier = coalesce(userIdentity -> principalId, userIdentity -> onBehalfOf.userId), + xdm.source.user.username = coalesce(userIdentity -> userName, userIdentity -> sessionContext.sessionIssuer.userName, user_identity_arn), + xdm.source.user.user_type = if(user_identity_type = "Unknown", XDM_CONST.IDENTITY_TYPE_UNKNOWN, user_identity_type), + xdm.target.cloud.project_id = if(resource_account_id != null and resource_account_id != "", resource_account_id, coalesce(recipientAccountId, vpcEndpointAccountId)), + xdm.target.cloud.provider = XDM_CONST.CLOUD_PROVIDER_AWS, + xdm.target.cloud.region = awsRegion, + xdm.target.host.fqdn = coalesce(requestParameters -> Host, tlsDetails -> clientProvidedHostHeader), + xdm.target.host.hostname = coalesce(requestParameters -> Host, tlsDetails -> clientProvidedHostHeader), + xdm.target.resource.id = if(resource_arn != "", resource_arn), + xdm.target.resource.name = if(resource_name != null and resource_name != "", resource_name, resource_arn), + xdm.target.resource.type = if(resource_type != "", resource_type); \ No newline at end of file diff --git a/Packs/AWS-CloudTrail/ModelingRules/AWSCloudTrail/AWSCloudTrail.yml b/Packs/AWS-CloudTrail/ModelingRules/AWSCloudTrail/AWSCloudTrail.yml new file mode 100644 index 000000000000..a07285987084 --- /dev/null +++ b/Packs/AWS-CloudTrail/ModelingRules/AWSCloudTrail/AWSCloudTrail.yml @@ -0,0 +1,6 @@ +fromversion: 8.7.0 +id: Amazon_AWS_CloudTrail_ModelingRule +name: Amazon AWS CloudTrail Modeling Rule +rules: '' +schema: '' +tags: \ No newline at end of file 
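Review bot: `xdm.event.id = eventId` in the XDM mappings references a field spelled `eventId`, while the companion schema added in this same change (and the AWS record reference linked in the header comment) spell the CloudTrail field `eventID`; if dataset field names are case-sensitive in XQL, `xdm.event.id` will be null for every event and alerts can no longer be correlated back to the originating CloudTrail record, so this should read `xdm.event.id = eventID,`. The `xdm.source.host.ipv4_public_addresses` guard excludes RFC 1918, loopback, link-local and CGNAT space but not 0.0.0.0/8 or multicast 224.0.0.0/4, so a malformed or spoofed `sourceIPAddress` in those ranges would be surfaced as a public address; extending the `incidr` chain with `and not incidr(source_ipv4, "0.0.0.0/8") and not incidr(source_ipv4, "224.0.0.0/4")` closes that gap. Separately, `xdm.source.user.groups` appears to carry the IAM role name from `sessionContext.sessionIssuer.userName` rather than an actual group, which is worth a short inline comment so analysts reading the normalized event do not misinterpret the field.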
diff --git a/Packs/AWS-CloudTrail/ModelingRules/AWSCloudTrail/AWSCloudTrail_schema.json b/Packs/AWS-CloudTrail/ModelingRules/AWSCloudTrail/AWSCloudTrail_schema.json new file mode 100644 index 000000000000..f84dc442c29d --- /dev/null +++ b/Packs/AWS-CloudTrail/ModelingRules/AWSCloudTrail/AWSCloudTrail_schema.json @@ -0,0 +1,96 @@ +{ + "amazon_aws_raw": { + "_log_type": { + "type": "string", + "is_array": false + }, + "additionalEventData": { + "type": "string", + "is_array": false + }, + "awsRegion": { + "type": "string", + "is_array": false + }, + "errorCode": { + "type": "string", + "is_array": false + }, + "errorMessage": { + "type": "string", + "is_array": false + }, + "eventCategory": { + "type": "string", + "is_array": false + }, + "eventID": { + "type": "string", + "is_array": false + }, + "eventName": { + "type": "string", + "is_array": false + }, + "eventSource": { + "type": "string", + "is_array": false + }, + "eventType": { + "type": "string", + "is_array": false + }, + "eventVersion": { + "type": "string", + "is_array": false + }, + "recipientAccountId": { + "type": "string", + "is_array": false + }, + "requestID": { + "type": "string", + "is_array": false + }, + "requestParameters": { + "type": "string", + "is_array": false + }, + "responseElements": { + "type": "string", + "is_array": false + }, + "resources": { + "type": "string", + "is_array": false + }, + "sharedEventID": { + "type": "string", + "is_array": false + }, + "sourceIPAddress": { + "type": "string", + "is_array": false + }, + "tlsDetails": { + "type": "string", + "is_array": false + }, + "userAgent": { + "type": "string", + "is_array": false + }, + "userIdentity": { + "type": "string", + "is_array": false + }, + "vpcEndpointAccountId": { + "type": "string", + "is_array": false + }, + "vpcEndpointId": { + "type": "string", + "is_array": false + } + } +} \ No newline at end of file 
diff --git a/Packs/AWS-CloudTrail/ParsingRules/AWSCloudTrail/AWSCloudTrail.xif b/Packs/AWS-CloudTrail/ParsingRules/AWSCloudTrail/AWSCloudTrail.xif new file mode 100644 index 000000000000..b84261e26982 --- /dev/null +++ b/Packs/AWS-CloudTrail/ParsingRules/AWSCloudTrail/AWSCloudTrail.xif @@ -0,0 +1,8 @@ +[INGEST:vendor="amazon", product="aws", target_dataset="amazon_aws_raw", no_hit = keep] +// Cloud Trail Audit Logs: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html +filter _log_type = "Cloud Audit Log" and to_string(eventTime) ~= "\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z" +| alter _time = parse_timestamp("%FT%H:%M:%E*SZ", to_string(eventTime)); // zulu time notation, e.g. "2024-09-27T11:18:59Z + +// Flow Log Records: https://docs.aws.amazon.com/vpc/latest/userguide/flow-log-records.html +filter _log_type = "Cloud Flow Log" and len(to_string(start)) = 10 // The time, in Unix seconds, when the first packet of the flow was received within the aggregation interval. +| alter _time = to_timestamp(to_integer(start), "SECONDS"); \ No newline at end of file diff --git a/Packs/AWS-CloudTrail/ParsingRules/AWSCloudTrail/AWSCloudTrail.yml b/Packs/AWS-CloudTrail/ParsingRules/AWSCloudTrail/AWSCloudTrail.yml new file mode 100644 index 000000000000..18bf4cc94d02 --- /dev/null +++ b/Packs/AWS-CloudTrail/ParsingRules/AWSCloudTrail/AWSCloudTrail.yml @@ -0,0 +1,6 @@ +id: Amazon_AWS_CloudTrail_ParsingRule +name: Amazon AWS CloudTrail Parsing Rule +fromversion: 8.7.0 +tags: [] +rules: '' +samples: '' diff --git a/Packs/AWS-CloudTrail/README.md b/Packs/AWS-CloudTrail/README.md index e69de29bb2d1..a908bf985063 100644 --- a/Packs/AWS-CloudTrail/README.md +++ b/Packs/AWS-CloudTrail/README.md 
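Review bot: Audit records whose `eventTime` does not match the regex in the first `filter` (or that lack the field entirely) fall through under `no_hit = keep` and are stored with the ingestion timestamp as `_time`, silently shifting them relative to any time-windowed detection or forensic query, and the rule does not document this fallback. Add a comment above the first filter such as `// records failing this filter are still kept (no_hit = keep) but get ingestion time as _time; check for eventTime drift if hunts look late`. The `len(to_string(start)) = 10` guard on the flow-log block has the same effect if `start` were ever delivered in milliseconds, so a one-line comment stating the seconds assumption would help the next maintainer. The trailing comment `// zulu time notation, e.g. "2024-09-27T11:18:59Z` is also missing its closing quote.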
@@ -0,0 +1,9 @@ +<~XSIAM> +## What does this pack do + +The AWS CloudTrail pack contains the following: +* Integration for interacting with a trail on AWS via an automation (Playbooks, Playground, etc.). See the [*AWS - CloudTrail*](https://xsoar.pan.dev/docs/reference/integrations/aws---cloud-trail#configure-aws---cloudtrail-on-cortex-xsoar) integration docs for additional details. +* Data normalization rules for parsing and modeling [*AWS CloudTrail Audit Logs*](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html) that are ingested into the *`amazon_aws_raw`* dataset via the *Amazon S3* data source on Cortex XSIAM. See [Ingest audit logs from AWS Cloud Trail](https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Documentation/Ingest-audit-logs-from-AWS-Cloud-Trail) for configuration details. When configuring the Amazon S3 data source on Cortex XSIAM, select the **Audit Logs** log type: +![Amazon S3 Data Source Log Type Selection](https://raw.githubusercontent.com/demisto/content/3d7aa25b8df1d343beb17f67afce837050a180f4/Packs/AWS-CloudTrail/doc_files/Amazon_S3_DataSource_Config.png) + + \ No newline at end of file diff --git a/Packs/AWS-CloudTrail/ReleaseNotes/1_1_5.md b/Packs/AWS-CloudTrail/ReleaseNotes/1_1_5.md new file mode 100644 index 000000000000..17456d94a2d5 --- /dev/null +++ b/Packs/AWS-CloudTrail/ReleaseNotes/1_1_5.md @@ -0,0 +1,7 @@ + +#### Integrations + +##### AWS - CloudTrail + + +- Updated the Docker image to: *demisto/boto3py3:1.0.0.115129*. diff --git a/Packs/AWS-CloudTrail/ReleaseNotes/1_1_6.md b/Packs/AWS-CloudTrail/ReleaseNotes/1_1_6.md new file mode 100644 index 000000000000..e6686011cef8 --- /dev/null +++ b/Packs/AWS-CloudTrail/ReleaseNotes/1_1_6.md 
@@ -0,0 +1,16 @@ + +#### Modeling Rules + +##### New: Amazon AWS CloudTrail Modeling Rule + +<~XSIAM> +Added an XDM mapping for AWS CloudTrail audit logs which are ingested via the [AWS S3 Data Source](https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Documentation/Ingest-audit-logs-from-AWS-Cloud-Trail) (Available from Cortex XSIAM 2.4). + + +#### Parsing Rules + +##### New: Amazon AWS CloudTrail Parsing Rule + +<~XSIAM> +Added an assignment of the ingested Audit logs *`eventTime`* timestamp field to the *`_time`* field for audit logs ingested via the [AWS S3 Data Source](https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Documentation/Ingest-audit-logs-from-AWS-Cloud-Trail) (Available from Cortex XSIAM 2.4). + diff --git a/Packs/AWS-CloudTrail/doc_files/Amazon_S3_DataSource_Config.png b/Packs/AWS-CloudTrail/doc_files/Amazon_S3_DataSource_Config.png new file mode 100644 index 000000000000..0271be6376b6 Binary files /dev/null and b/Packs/AWS-CloudTrail/doc_files/Amazon_S3_DataSource_Config.png differ diff --git a/Packs/AWS-CloudTrail/pack_metadata.json b/Packs/AWS-CloudTrail/pack_metadata.json index b682d3997d57..784b7178327a 100644 --- a/Packs/AWS-CloudTrail/pack_metadata.json +++ b/Packs/AWS-CloudTrail/pack_metadata.json @@ -2,7 +2,7 @@ "name": "AWS - CloudTrail", "description": "Amazon Web Services CloudTrail.", "support": "xsoar", - "currentVersion": "1.1.4", + "currentVersion": "1.1.6", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", @@ -10,9 +10,16 @@ "categories": [ "Cloud Service Provider" ], - "tags": [], + "tags": [ + "marketplacev2:Data Source" + ], "useCases": [], - "keywords": [], + "keywords": [ + "Amazon", + "AWS", + "CloudTrail", + "Cloud Trail" + ], "marketplaces": [ "xsoar", "marketplacev2", 
diff --git a/Packs/AWS-CloudWatchLogs/Integrations/AWS-CloudWatchLogs/AWS-CloudWatchLogs.yml b/Packs/AWS-CloudWatchLogs/Integrations/AWS-CloudWatchLogs/AWS-CloudWatchLogs.yml index 1584b2bffb10..4f8104917ce1 100644 --- a/Packs/AWS-CloudWatchLogs/Integrations/AWS-CloudWatchLogs/AWS-CloudWatchLogs.yml +++ b/Packs/AWS-CloudWatchLogs/Integrations/AWS-CloudWatchLogs/AWS-CloudWatchLogs.yml @@ -461,7 +461,7 @@ script: description: The name of the log group. type: string description: Lists the specified metric filters. You can list all the metric filters or filter the results by log name, prefix, metric name, or metric namespace. - dockerimage: demisto/boto3py3:1.0.0.100468 + dockerimage: demisto/boto3py3:1.0.0.115129 tests: - No Tests fromversion: 5.0.0 diff --git a/Packs/AWS-CloudWatchLogs/ReleaseNotes/1_2_25.md b/Packs/AWS-CloudWatchLogs/ReleaseNotes/1_2_25.md new file mode 100644 index 000000000000..27327de88e48 --- /dev/null +++ b/Packs/AWS-CloudWatchLogs/ReleaseNotes/1_2_25.md @@ -0,0 +1,7 @@ + +#### Integrations + +##### AWS - CloudWatchLogs + + +- Updated the Docker image to: *demisto/boto3py3:1.0.0.115129*. diff --git a/Packs/AWS-CloudWatchLogs/pack_metadata.json b/Packs/AWS-CloudWatchLogs/pack_metadata.json index d682e8ca893a..bc2b7dfaa9b2 100644 --- a/Packs/AWS-CloudWatchLogs/pack_metadata.json +++ b/Packs/AWS-CloudWatchLogs/pack_metadata.json @@ -2,7 +2,7 @@ "name": "AWS - CloudWatchLogs", "description": "Amazon Web Services CloudWatch Logs (logs).", "support": "xsoar", - "currentVersion": "1.2.24", + "currentVersion": "1.2.25", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/AWS-EC2/Integrations/AWS-EC2/AWS-EC2.yml b/Packs/AWS-EC2/Integrations/AWS-EC2/AWS-EC2.yml index 5d353fe7f7d0..1c0baca7edb5 100644 --- a/Packs/AWS-EC2/Integrations/AWS-EC2/AWS-EC2.yml +++ b/Packs/AWS-EC2/Integrations/AWS-EC2/AWS-EC2.yml 
@@ -4130,7 +4130,7 @@ script: type: String description: Creates a VPC endpoint. name: aws-ec2-create-vpc-endpoint - dockerimage: demisto/boto3py3:1.0.0.100468 + dockerimage: demisto/boto3py3:1.0.0.115129 runonce: false script: '-' subtype: python3 diff --git a/Packs/AWS-EC2/Integrations/AWS-EC2/README.md b/Packs/AWS-EC2/Integrations/AWS-EC2/README.md index 21db2d9ad986..a6810a7a6105 100644 --- a/Packs/AWS-EC2/Integrations/AWS-EC2/README.md +++ b/Packs/AWS-EC2/Integrations/AWS-EC2/README.md 
@@ -1,30 +1,26 @@ Amazon Web Services Elastic Compute Cloud (EC2). -## Configure AWS - EC2 on Cortex XSOAR - -1. Navigate to **Settings** > **Integrations** > **Servers & Services**. -2. Search for AWS - EC2. -3. Click **Add instance** to create and configure a new integration instance. - - | **Parameter** | **Description** | **Required** | - | --- | --- | --- | - | AWS Default Region | | False | - | Role Arn | | False | - | Role Session Name | | False | - | Role Session Duration | | False | - | Access Key | | False | - | Secret Key | | False | - | Timeout | The time in seconds until a timeout exception is reached. You can specify just the read timeout \(for example 60\) or also the connect timeout followed after a comma \(for example 60,10\). If a connect timeout is not specified, a default of 10 second will be used. | False | - | Retries | The maximum number of retry attempts when connection or throttling errors are encountered. Set to 0 to disable retries. The default value is 5 and the limit is 10. Note: Increasing the number of retries will increase the execution time. | False | - | PrivateLink service URL | | False | - | STS PrivateLink URL | | False | - | AWS organization accounts | A comma-separated list of AWS Organization accounts to use when running EC2 commands. A role name for cross-organization account access must be provided to use this feature. This feature is explained below. | False | - | Role name for cross-organization account access | The role name used to access accounts in the organization. This role name must exist in the accounts provided in "AWS Organization accounts" and be assumable with the credentials provided. This feature is explained below. | False | - | Max concurrent command calls | The maximum number of concurrent calls to allow when running a command on all accounts provided in "AWS Organization accounts". | False | - | Use system proxy settings | | False | - | Trust any certificate (not secure) | | False | - -4. 
Click **Test** to validate the URLs, token, and connection. +## Configure AWS - EC2 in Cortex + + +| **Parameter** | **Description** | **Required** | +| --- | --- | --- | +| AWS Default Region | | False | +| Role Arn | | False | +| Role Session Name | | False | +| Role Session Duration | | False | +| Access Key | | False | +| Secret Key | | False | +| Timeout | The time in seconds until a timeout exception is reached. You can specify just the read timeout \(for example 60\) or also the connect timeout followed after a comma \(for example 60,10\). If a connect timeout is not specified, a default of 10 second will be used. | False | +| Retries | The maximum number of retry attempts when connection or throttling errors are encountered. Set to 0 to disable retries. The default value is 5 and the limit is 10. Note: Increasing the number of retries will increase the execution time. | False | +| PrivateLink service URL | | False | +| STS PrivateLink URL | | False | +| AWS organization accounts | A comma-separated list of AWS Organization accounts to use when running EC2 commands. A role name for cross-organization account access must be provided to use this feature. This feature is explained below. | False | +| Role name for cross-organization account access | The role name used to access accounts in the organization. This role name must exist in the accounts provided in "AWS Organization accounts" and be assumable with the credentials provided. This feature is explained below. | False | +| Max concurrent command calls | The maximum number of concurrent calls to allow when running a command on all accounts provided in "AWS Organization accounts". | False | +| Use system proxy settings | | False | +| Trust any certificate (not secure) | | False | + ### Run commands in multiple AWS accounts 
@@ -53,7 +49,7 @@ The script ***AwsEC2SyncAccounts*** can be used to configure an AWS - EC2 instan ## Commands -You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. +You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details. ### aws-ec2-describe-instances @@ -3606,4 +3602,4 @@ Creates a VPC endpoint. >### VPC Endpoint >|Service Name|State|Vpc Endpoint Id|Vpc Endpoint Type|Vpc Id| >|---|---|---|---|---| ->| test_service_name | PendingAcceptance | test_endpoint_id | Interface | test_id | +>| test_service_name | PendingAcceptance | test_endpoint_id | Interface | test_id | \ No newline at end of file diff --git a/Packs/AWS-EC2/ReleaseNotes/1_4_15.md b/Packs/AWS-EC2/ReleaseNotes/1_4_15.md new file mode 100644 index 000000000000..317222ffd0da --- /dev/null +++ b/Packs/AWS-EC2/ReleaseNotes/1_4_15.md @@ -0,0 +1,7 @@ + +#### Integrations + +##### AWS - EC2 + + +- Updated the Docker image to: *demisto/boto3py3:1.0.0.115129*. diff --git a/Packs/AWS-EC2/pack_metadata.json b/Packs/AWS-EC2/pack_metadata.json index dc56f545e828..b61bb3d6621d 100644 --- a/Packs/AWS-EC2/pack_metadata.json +++ b/Packs/AWS-EC2/pack_metadata.json @@ -2,7 +2,7 @@ "name": "AWS - EC2", "description": "Amazon Web Services Elastic Compute Cloud (EC2)", "support": "xsoar", - "currentVersion": "1.4.14", + "currentVersion": "1.4.15", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/AWS-EKS/Integrations/AWSEKS/AWSEKS.yml b/Packs/AWS-EKS/Integrations/AWSEKS/AWSEKS.yml index a538e577f212..1ac01783e7ae 100644 --- a/Packs/AWS-EKS/Integrations/AWSEKS/AWSEKS.yml +++ b/Packs/AWS-EKS/Integrations/AWSEKS/AWSEKS.yml 
@@ -538,7 +538,7 @@ script:
 script: '-'
 type: python
 subtype: python3
- dockerimage: demisto/boto3py3:1.0.0.98661
+ dockerimage: demisto/boto3py3:1.0.0.115129
 fromversion: 6.9.0
 tests:
 - AWSEKS-Test
diff --git a/Packs/AWS-EKS/Integrations/AWSEKS/README.md b/Packs/AWS-EKS/Integrations/AWSEKS/README.md
index 2bf07fc5ff2f..93c1f1750a46 100644
--- a/Packs/AWS-EKS/Integrations/AWSEKS/README.md
+++ b/Packs/AWS-EKS/Integrations/AWSEKS/README.md
@@ -1,27 +1,23 @@ The AWS EKS integration allows for the management and operation of Amazon Elastic Kubernetes Service (EKS) clusters. This integration was integrated and tested with version 1.29 of AWS-EKS. -## Configure AWS-EKS on Cortex XSOAR +## Configure AWS-EKS in Cortex -1. Navigate to **Settings** > **Integrations** > **Servers & Services**. -2. Search for AWS-EKS. -3. Click **Add instance** to create and configure a new integration instance. - | **Parameter** | **Description** | **Required** | - | --- | --- | --- | - | AWS Default Region | AWS Default Region | True | - | Access Key | | True | - | Secret Key | | True | - | Timeout | The time in seconds till a timeout exception is reached. You can specify just the read timeout \(for example 60\) or also the connect timeout followed after a comma \(for example 60,10\). If a connect timeout is not specified, a default of 10 seconds will be used. | False | - | Retries | The maximum number of retry attempts when connection or throttling errors are encountered. Set to 0 to disable retries. The default value is 5 and the limit is 10. Note: Increasing the number of retries will increase the execution time. | False | - | Trust any certificate (not secure) | Trust any certificate \(not secure\) | False | - | Use system proxy settings | Use system proxy settings | False | +| **Parameter** | **Description** | **Required** | +| --- | --- | --- | +| AWS Default Region | AWS Default Region | True | +| Access Key | | True | +| Secret Key | | True | +| Timeout | The time in seconds till a timeout exception is reached. You can specify just the read timeout \(for example 60\) or also the connect timeout followed after a comma \(for example 60,10\). If a connect timeout is not specified, a default of 10 seconds will be used. | False | +| Retries | The maximum number of retry attempts when connection or throttling errors are encountered. Set to 0 to disable retries. The default value is 5 and the limit is 10. 
Note: Increasing the number of retries will increase the execution time. | False | +| Trust any certificate (not secure) | Trust any certificate \(not secure\) | False | +| Use system proxy settings | Use system proxy settings | False | -4. Click **Test** to validate the URLs, token, and connection. ## Commands -You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. +You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details. ### aws-eks-list-clusters @@ -476,4 +472,3 @@ Updates an access entry. >|Cluster Name|Principal Arn|Username|Type|Modified At| >|---|---|---|---|---| >| CLUSTER_NAME | principal_arn | username | STANDARD | 2024-02-26 09:38:11.578000+00:00 | - diff --git a/Packs/AWS-EKS/ReleaseNotes/1_0_6.md b/Packs/AWS-EKS/ReleaseNotes/1_0_6.md new file mode 100644 index 000000000000..1ffeb29d4792 --- /dev/null +++ b/Packs/AWS-EKS/ReleaseNotes/1_0_6.md @@ -0,0 +1,7 @@ + +#### Integrations + +##### AWS-EKS + + +- Updated the Docker image to: *demisto/boto3py3:1.0.0.115129*. diff --git a/Packs/AWS-EKS/pack_metadata.json b/Packs/AWS-EKS/pack_metadata.json index b33398f2cba6..d8f951e28252 100644 --- a/Packs/AWS-EKS/pack_metadata.json +++ b/Packs/AWS-EKS/pack_metadata.json @@ -2,7 +2,7 @@ "name": "AWS - EKS", "description": "The AWS EKS integration allows for the management and operation of Amazon Elastic Kubernetes Service (EKS) clusters.", "support": "xsoar", - "currentVersion": "1.0.5", + "currentVersion": "1.0.6", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/AWS-GuardDuty/Integrations/AWSGuardDuty/AWSGuardDuty.yml b/Packs/AWS-GuardDuty/Integrations/AWSGuardDuty/AWSGuardDuty.yml index f10f3b201a25..621e3f1cb254 100644 --- a/Packs/AWS-GuardDuty/Integrations/AWSGuardDuty/AWSGuardDuty.yml 
+++ b/Packs/AWS-GuardDuty/Integrations/AWSGuardDuty/AWSGuardDuty.yml
@@ -880,7 +880,7 @@ script:
 - contextPath: AWS.GuardDuty.Members.UpdatedAt
 description: The time a member was last updated.
 type: string
- dockerimage: demisto/boto3py3:1.0.0.100468
+ dockerimage: demisto/boto3py3:1.0.0.115129
 isfetch: true
 runonce: false
 script: '-'
diff --git a/Packs/AWS-GuardDuty/Integrations/AWSGuardDuty/README.md b/Packs/AWS-GuardDuty/Integrations/AWSGuardDuty/README.md
index d4777db7ca92..bc10583f918c 100644
--- a/Packs/AWS-GuardDuty/Integrations/AWSGuardDuty/README.md
+++ b/Packs/AWS-GuardDuty/Integrations/AWSGuardDuty/README.md
@@ -16,33 +16,29 @@ the [Amazon AWS Integrations Configuration Guide](https://xsoar.pan.dev/docs/ref Some changes have been made that might affect your existing content. If you are upgrading from a previous of this integration, see [Breaking Changes](#breaking-changes-from-the-previous-version-of-this-integration---aws-guardduty). -## Configure AWS - GuardDuty on Cortex XSOAR - -1. Navigate to **Settings** > **Integrations** > **Servers & Services**. -2. Search for AWS - GuardDuty. -3. Click **Add instance** to create and configure a new integration instance. - - | **Parameter** | **Description** | **Required** | - | --- |------| --- | - | AWS Default Region | The AWS Region for this instance of the integration. For example, us-west-2 | True | - | Role Arn | The Amazon Resource Name (ARN) role used for EC2 instance authentication. If this is used, an access key and secret key are not required. | False | - | Fetch incidents | | False | - | Incident type | Incident type | False | - | Role Session Name | A descriptive name for the assumed role session. For example, xsiam-IAM.integration-Role_SESSION | False | - | Role Session Duration | The maximum length of each session in seconds. Default: 900 seconds. The Cortex XSOAR integration will have the permissions assigned only when the session is initiated and for the defined duration. | False | - | Access Key | The access key ID used for authentication, that was configured during IAM user configuration. If this is used, Role ARN is not required. | False | - | Secret Key | The secret key used for authentication, that was configured during IAM user configuration. If this is used, Role ARN is not required. | False | - | Timeout | The time in seconds until a timeout exception is reached. You can specify just the read timeout \(for example 60\) or also the connect timeout followed after a comma \(for example 60,10\). If a connect timeout is not specified, a default of 10 second will be used. 
| False | - | Retries | The maximum number of retry attempts when connection or throttling errors are encountered. Set to 0 to disable retries. The default value is 5 and the limit is 10. Note: Increasing the number of retries will increase the execution time. | False | - | How many incidents to fetch each time | Default `10` | False | - | First fetch timestamp | First fetch query `