Merge branch 'repo_sync_2024_08_19' into public_main

fn_qradar_enhanced_data/Dockerfile

@@ -1,5 +1,5 @@
 # Generated with resilient-sdk v51.0.1.0.695
-# docker build -t ibmresilient/fn_qradar_enhanced_data:2.4.0 .
+# docker build -t ibmresilient/fn_qradar_enhanced_data:2.5.0 .
 ARG BASE_IMAGE_REPO=quay.io
 # BASE_IMAGE_TAG options: latest, python-39, python-311. See https://quay.io/repository/ibmresilient/soarapps-base-docker-image?tab=tags for all options
 # use --build-arg BASE_IMAGE_TAG=<tag> to set base image to be built from
@@ -9,5 +9,8 @@ FROM ${BASE_IMAGE_REPO}/ibmresilient/soarapps-base-docker-image:${BASE_IMAGE_TAG
 
 ARG APPLICATION=fn_qradar_enhanced_data
 
+USER 0
+
+RUN yum -y update && yum clean all
 COPY ./dist /tmp/packages
 RUN pip install /tmp/packages/${APPLICATION}-*.tar.gz

fn_qradar_enhanced_data/data/pb_create_artifact_from_assets_info_pb.md

@@ -0,0 +1,63 @@
+<!--
+    DO NOT MANUALLY EDIT THIS FILE
+    THIS FILE IS AUTOMATICALLY GENERATED WITH resilient-sdk codegen
+    Generated with resilient-sdk v51.0.2.2.1096
+-->
+
+# Playbook - Create Artifact from Assets info (PB)
+
+### API Name
+`create_artifact_from_assets_info_pb`
+
+### Status
+`enabled`
+
+### Activation Type
+`Manual`
+
+### Activation Conditions
+`-`
+
+### Activation Form Elements
+| Input Field Label | API Name | Element Type | Tooltip | Requirement |
+| ----------------- | -------- | ------------ | ------- | ----------- |
+| Select to create artifact from asset info | `select_to_create_artifact_from_asset_info` | multiselect | - | Optional |
+
+### Object Type
+`qr_assets`
+
+### Description
+Create artifact from Assets info for the selected row
+
+
+---
+
+## Local script - Create Artifact from Assets info PB
+
+### Description
+
+
+### Script Type
+`Local script`
+
+### Object Type
+`qr_assets`
+
+### Script Content
+```python
+# We create artifacts according to how they can be mapped to
+# SOAR default artifacts. If user has custom artifacts, and wants
+# to map them as well, please modify the following mapping dict.
+
+type_mapping = { "IP Address": "IP Address", "Name": "String" }
+
+for artifact_type in playbook.inputs.select_to_create_artifact_from_asset_info:
+  if artifact_type in type_mapping:
+    incident.addArtifact(type_mapping.get(artifact_type),
+      row.ip_address.get("content") if artifact_type == "IP Address" else row.asset_name.get("content"),
+      f"QRadar Offense {artifact_type}"
+    )
+```
+
+---
+

fn_qradar_enhanced_data/data/pb_create_artifact_from_destination_ip_info_pb.md

@@ -0,0 +1,64 @@
+<!--
+    DO NOT MANUALLY EDIT THIS FILE
+    THIS FILE IS AUTOMATICALLY GENERATED WITH resilient-sdk codegen
+    Generated with resilient-sdk v51.0.2.2.1096
+-->
+
+# Playbook - Create artifact from Destination IP info (PB)
+
+### API Name
+`create_artifact_from_destination_ip_info_pb`
+
+### Status
+`enabled`
+
+### Activation Type
+`Manual`
+
+### Activation Conditions
+`-`
+
+### Activation Form Elements
+| Input Field Label | API Name | Element Type | Tooltip | Requirement |
+| ----------------- | -------- | ------------ | ------- | ----------- |
+| Select to create artifact from destination info | `select_to_create_artifact_from_destination_info` | multiselect | - | Optional |
+
+### Object Type
+`qr_top_destination_ips`
+
+### Description
+Create artifact from Destination IP info for the selected row
+
+
+---
+
+## Local script - Create Artifact from Destination IP info PB
+
+### Description
+
+
+### Script Type
+`Local script`
+
+### Object Type
+`qr_top_destination_ips`
+
+### Script Content
+```python
+# We create artifacts for those observables according to how they can be mapped to
+# SOAR default artifacts. If user has custom artifacts, and wants
+# to map them as well, please modify the following mapping dict.
+import re
+
+type_mapping = { "Destination IP": "IP Address", }
+
+for artifact_type in playbook.inputs.select_to_create_artifact_from_destination_info:
+  if artifact_type in type_mapping:
+    incident.addArtifact(type_mapping.get(artifact_type),
+      re.sub("<[^<>]+>", "", row.destination_ip.get("content")),
+      f"QRadar Offense {artifact_type}"
+    )
+```
+
+---
+

fn_qradar_enhanced_data/data/pb_create_artifact_from_events_info_pb.md

@@ -0,0 +1,66 @@
+<!--
+    DO NOT MANUALLY EDIT THIS FILE
+    THIS FILE IS AUTOMATICALLY GENERATED WITH resilient-sdk codegen
+    Generated with resilient-sdk v51.0.2.2.1096
+-->
+
+# Playbook - Create Artifact from Events info (PB)
+
+### API Name
+`create_artifact_from_events_info_pb`
+
+### Status
+`enabled`
+
+### Activation Type
+`Manual`
+
+### Activation Conditions
+`-`
+
+### Activation Form Elements
+| Input Field Label | API Name | Element Type | Tooltip | Requirement |
+| ----------------- | -------- | ------------ | ------- | ----------- |
+| Select to create artifact from events info | `select_to_create_artifact_from_events_info` | multiselect | - | Always |
+
+### Object Type
+`qr_offense_top_events`
+
+### Description
+Create artifact from the Events info of the selected row
+
+
+---
+
+## Local script - Create Artifact from Events info PB
+
+### Description
+
+
+### Script Type
+`Local script`
+
+### Object Type
+`qr_offense_top_events`
+
+### Script Content
+```python
+# We create artifacts for those observables according to how they can be mapped to
+# SOAR default artifacts. If user has custom artifacts, and wants
+# to map them as well, please modify the following mapping dict.
+import re
+
+type_mapping = { "Source IP": "IP Address", "Destination IP": "IP Address", "Username": "User Account" }
+
+for artifact_type in playbook.inputs.select_to_create_artifact_from_events_info:
+  if artifact_type in type_mapping:
+    if artifact_type in ["Source IP", "Destination IP"]:
+      value = re.sub("<[^<>]+>", "", row.source_ip.get("content") if artifact_type == "Source IP" else row.destination_ip.get("content"))
+    else:
+      value = row.username
+
+    incident.addArtifact(type_mapping.get(artifact_type), value, f"QRadar Offense {artifact_type}")
+```
+
+---
+

fn_qradar_enhanced_data/data/pb_create_artifact_from_source_ip_info_pb.md

@@ -0,0 +1,64 @@
+<!--
+    DO NOT MANUALLY EDIT THIS FILE
+    THIS FILE IS AUTOMATICALLY GENERATED WITH resilient-sdk codegen
+    Generated with resilient-sdk v51.0.2.2.1096
+-->
+
+# Playbook - Create artifact from Source IP info (PB)
+
+### API Name
+`create_artifact_from_source_ip_info_pb`
+
+### Status
+`enabled`
+
+### Activation Type
+`Manual`
+
+### Activation Conditions
+`-`
+
+### Activation Form Elements
+| Input Field Label | API Name | Element Type | Tooltip | Requirement |
+| ----------------- | -------- | ------------ | ------- | ----------- |
+| Select to create artifact from source info | `select_to_create_artifact_from_source_info` | multiselect | - | Optional |
+
+### Object Type
+`qr_top_source_ips`
+
+### Description
+Create artifact from Source IP info for the selected row
+
+
+---
+
+## Local script - Create Artifact from Source IP info PB
+
+### Description
+
+
+### Script Type
+`Local script`
+
+### Object Type
+`qr_top_source_ips`
+
+### Script Content
+```python
+# We create artifacts for those observables according to how they can be mapped to
+# SOAR default artifacts. If user has custom artifacts, and wants
+# to map them as well, please modify the following mapping dict.
+import re
+
+type_mapping = { "Source IP": "IP Address", "MAC": "MAC Address", }
+
+for artifact_type in playbook.inputs.select_to_create_artifact_from_source_info:
+  if artifact_type in type_mapping:
+    incident.addArtifact(type_mapping.get(artifact_type),
+      row.mac if artifact_type == "MAC" else re.sub("<[^<>]+>", "", row.source_ip.get("content")),
+      f"QRadar Offense {artifact_type}"
+    )
+```
+
+---
+

fn_qradar_enhanced_data/data/pb_create_artifacts_from_flows_info_pb.md

@@ -0,0 +1,69 @@
+<!--
+    DO NOT MANUALLY EDIT THIS FILE
+    THIS FILE IS AUTOMATICALLY GENERATED WITH resilient-sdk codegen
+    Generated with resilient-sdk v51.0.2.2.1096
+-->
+
+# Playbook - Create Artifacts from Flows Info (PB)
+
+### API Name
+`create_artifacts_from_flows_info_pb`
+
+### Status
+`enabled`
+
+### Activation Type
+`Manual`
+
+### Activation Conditions
+`-`
+
+### Activation Form Elements
+| Input Field Label | API Name | Element Type | Tooltip | Requirement |
+| ----------------- | -------- | ------------ | ------- | ----------- |
+| Select to create artifact from flows info | `select_to_create_artifact_from_flows_info` | multiselect | - | Always |
+
+### Object Type
+`qr_flows`
+
+### Description
+Create artifact from the Flows info of the selected row
+
+
+---
+
+## Local script - Create Artifact from Flows info PB
+
+### Description
+
+
+### Script Type
+`Local script`
+
+### Object Type
+`qr_flows`
+
+### Script Content
+```python
+# We create artifacts for those observables according to how they can be mapped to
+# SOAR default artifacts. If user has custom artifacts, and wants
+# to map them as well, please modify the following mapping dict.
+import re
+
+type_mapping = {
+  "Source IP": "IP Address",
+  "Destination IP": "IP Address",
+  "Source Port": "Port",
+  "Destination Port": "Port"
+}
+
+for artifact_type in playbook.inputs.select_to_create_artifact_from_flows_info:
+  if artifact_type in type_mapping:
+    incident.addArtifact(type_mapping.get(artifact_type),
+      re.sub("<[^<>]+>", "", row.source_ip.get("content") if artifact_type in ["Source IP", "Source Port"] else row.destination_ip.get("content")),
+      f"QRadar Offense {artifact_type}"
+    )
+```
+
+---
+

fn_qradar_enhanced_data/data/pb_qradar_create_note.md

@@ -1,7 +1,7 @@
 <!--
     DO NOT MANUALLY EDIT THIS FILE
     THIS FILE IS AUTOMATICALLY GENERATED WITH resilient-sdk codegen
-    Generated with resilient-sdk v51.0.1.0.695
+    Generated with resilient-sdk v51.0.2.2.1096
 -->
 
 # Playbook - QRadar Create Note