IBM HA - add "haIntegrationEventID" to multiple integrations (demisto#38846)

* add haIntegrationEventID key to qradar incidents

* added rn

* fixes

* in progress

* reverts & preperation

* tests fixes

* added haIntegrationEventID to more itnegrations

* added rns

* fixes

* fixes

* added sections to uptycs

* work in progress, save before testing

* working windows integration

* done all 9 integrations

* added rns

* fix proof point

* fix unit test

* validations fixes

* validations fixes

* reverts

* update uptycs contacts

* update rns

* update rns

* revert ms atp

* reverts

* reverts

* updated docker

* fixed empty offset issue

* added rn

* reverts

Author: YuvHayun

Packs/Akamai_SIEM/Integrations/Akamai_SIEM/Akamai_SIEM.py

@@ -181,6 +181,8 @@ async def get_events_concurrently(
         events: list[str] = raw_response.split("\n")
         new_offset = None
         try:
+            if events and events[-1] == "":
+                events.pop()
             offset_context = events.pop()
             loaded_offset_context = json.loads(offset_context)
             new_offset = loaded_offset_context.get("offset")

Packs/Akamai_SIEM/ParsingRules/Akamai_WAF_ParsingRules/Akamai_WAF_ParsingRules.xif

@@ -1,3 +1,4 @@
 [INGEST:vendor="Akamai", product="WAF", target_dataset="akamai_waf_raw", no_hit=keep]
 // Support only 10 digit epoch date time format. For example: "1669420445".
-alter _time = httpMessage -> start;
+alter _time = httpMessage -> start
+| alter haIntegrationEventID = httpMessage -> requestId;

Packs/Akamai_SIEM/ReleaseNotes/1_2_6.md

@@ -0,0 +1,12 @@
+
+#### Parsing Rules
+
+##### Akamai_WAF Parsing Rule
+
+- Updated the Akamai_WAF Parsing Rule to include the **haIntegrationEventID** field.
+
+#### Integrations
+
+##### Akamai WAF SIEM
+
+- Fixed an issue where the offset extraction would fail on the long-running execution due to empty response.

Packs/Akamai_SIEM/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Akamai WAF SIEM",
     "description": "Use the Akamai WAF SIEM integration to retrieve security events from Akamai Web Application Firewall (WAF) service.",
     "support": "xsoar",
-    "currentVersion": "1.2.5",
+    "currentVersion": "1.2.6",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

Packs/IBMSecurityVerify/ParsingRules/IBM_Security_Verify_ParsingRules/IBM_Security_Verify_ParsingRules.xif

@@ -0,0 +1,2 @@
+[INGEST:vendor="ibm", product="security verify", target_dataset="ibm_security_verify_raw", no_hit=keep]
+alter haIntegrationEventID = id;

Packs/IBMSecurityVerify/ParsingRules/IBM_Security_Verify_ParsingRules/IBM_Security_Verify_ParsingRules.yml

@@ -0,0 +1,6 @@
+name:  IBM_Security_Verify Parsing Rule
+id:  IBM_Security_Verify_ParsingRule
+fromversion: 6.10.0
+tags: []
+rules: ''
+samples: ''

Packs/IBMSecurityVerify/ReleaseNotes/1_0_3.md

@@ -0,0 +1,6 @@
+
+#### Parsing Rules
+
+##### New: IBM_Security_Verify Parsing Rule
+
+<~XSIAM> Added parsing rule for haIntegrationEventID extraction.</~XSIAM>

Packs/IBMSecurityVerify/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "IBM Security Verify",
     "description": "Centralize and streamline your identity and access management processes with IBM Security Verify. This content pack provides comprehensive tools and integrations to manage and protect user identities, enforce security policies, and ensure compliance across your organization. Leverage automated workflows and API integrations to enhance your security posture and simplify identity governance and administration.",
     "support": "xsoar",
-    "currentVersion": "1.0.2",
+    "currentVersion": "1.0.3",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

Packs/QRadar/Integrations/QRadar_v3/QRadar_v3.py

@@ -2460,7 +2460,8 @@ def create_incidents_from_offenses(offenses: List[dict], incident_type: Optional
         'name': f'''{offense.get('id')} {offense.get('description', '')}''',
         'rawJSON': json.dumps(offense),
         'occurred': get_time_parameter(offense.get('start_time'), iso_format=True),
-        'type': incident_type
+        'type': incident_type,
+        "haIntegrationEventID": str(offense.get("id"))
     } for offense in offenses]
 
 

Packs/QRadar/Integrations/QRadar_v3/QRadar_v3_test.py

@@ -616,7 +616,8 @@ def test_create_incidents_from_offenses():
         'name': f'''{offense.get('id')} {offense.get('description', '')}''',
         'rawJSON': json.dumps(offense),
         'occurred': get_time_parameter(offense.get('start_time'), iso_format=True),
-        'type': 'QRadar Incident'
+        'type': 'QRadar Incident',
+        'haIntegrationEventID': str(offense.get('id'))
     } for offense in offenses]
 
 

Packs/QRadar/Integrations/QRadar_v3/test_data/integration_context_tests.json

@@ -648,13 +648,15 @@
                 "name": "16 Session Closed\n",
                 "rawJSON": "{\"username_count\": 1, \"description\": \"Session Closed\\n\", \"rules\": [{\"id\": 100405, \"type\": \"CRE_RULE\"}], \"event_count\": 1, \"flow_count\": 0, \"security_category_count\": 1, \"follow_up\": false, \"source_address_ids\": [10], \"source_count\": 1, \"inactive\": true, \"protected\": false, \"destination_networks\": [\"Net-16-182-192.Net_182_10_0_0\"], \"source_network\": \"other\", \"category_count\": 1, \"remote_destination_count\": 0, \"start_time\": \"2021-02-15T14:24:11.536000+00:00\", \"magnitude\": 1, \"last_updated_time\": \"2021-02-15T14:24:11.536000+00:00\", \"credibility\": 2, \"id\": 16, \"categories\": [\"Session Closed\"], \"severity\": 2, \"policy_category_count\": 0, \"log_sources\": [{\"type_name\": \"WindowsAuthServer\", \"type_id\": 12, \"name\": \"WindowsAuthServer @ 192.168.1.3\", \"id\": 112}], \"device_count\": 1, \"offense_type\": 0, \"relevance\": 0, \"domain_id\": 0, \"offense_source\": \"192.168.1.3\", \"local_destination_address_ids\": [1], \"local_destination_count\": 1, \"status\": \"OPEN\"}",
                 "occurred": "2021-02-15T14:24:11.536000+00:00",
-                "type": null
+                "type": null,
+                "haIntegrationEventID": "16"
             },
             {
                 "name": "15 Multiple Login Failures for the Same User\n containing Failure Audit: The domain controller failed to validate the credentials for an account\n",
                 "rawJSON": "{\"username_count\": 1, \"description\": \"Multiple Login Failures for the Same User\\n containing Failure Audit: The domain controller failed to validate the credentials for an account\\n\", \"rules\": [{\"id\": 100056, \"type\": \"CRE_RULE\"}], \"event_count\": 15, \"flow_count\": 0, \"security_category_count\": 2, \"follow_up\": false, \"source_address_ids\": [2, 1], \"source_count\": 2, \"inactive\": true, \"protected\": false, \"destination_networks\": [\"Net-16-182-192.Net_182_10_0_0\"], \"source_network\": \"Net-16-182-192.Net_182_10_0_0\", \"category_count\": 2, \"remote_destination_count\": 0, \"start_time\": \"2021-02-15T13:21:36.537000+00:00\", \"magnitude\": 1, \"last_updated_time\": \"2021-02-15T13:21:46.948000+00:00\", \"credibility\": 2, \"id\": 15, \"categories\": [\"General Authentication Failed\", \"User Login Failure\"], \"severity\": 3, \"policy_category_count\": 0, \"log_sources\": [{\"type_name\": \"WindowsAuthServer\", \"type_id\": 12, \"name\": \"WindowsAuthServer @ 192.168.1.3\", \"id\": 112}, {\"type_name\": \"EventCRE\", \"type_id\": 18, \"name\": \"Custom Rule Engine-8 :: ip-162-21-12-77\", \"id\": 63}], \"device_count\": 2, \"offense_type\": 3, \"relevance\": 0, \"domain_id\": 0, \"offense_source\": \"yarden\", \"local_destination_address_ids\": [1], \"local_destination_count\": 1, \"status\": \"OPEN\"}",
                 "occurred": "2021-02-15T13:21:36.537000+00:00",
-                "type": null
+                "type": null,
+                "haIntegrationEventID": "15"
             }
         ],
         "id": 15
@@ -665,13 +667,15 @@
                 "name": "18 Session Closed\n",
                 "rawJSON": "{\"username_count\": 1, \"description\": \"Session Closed\\n\", \"rules\": [{\"id\": 100405, \"type\": \"CRE_RULE\"}], \"event_count\": 1, \"flow_count\": 0, \"security_category_count\": 1, \"follow_up\": false, \"source_address_ids\": [10], \"source_count\": 1, \"inactive\": true, \"protected\": false, \"destination_networks\": [\"Net-16-182-192.Net_182_10_0_0\"], \"source_network\": \"other\", \"category_count\": 1, \"remote_destination_count\": 0, \"start_time\": \"2021-02-15T14:24:11.536000+00:00\", \"magnitude\": 1, \"last_updated_time\": \"2021-02-15T14:24:11.536000+00:00\", \"credibility\": 2, \"id\": 18, \"categories\": [\"Session Closed\"], \"severity\": 2, \"policy_category_count\": 0, \"log_sources\": [{\"type_name\": \"WindowsAuthServer\", \"type_id\": 12, \"name\": \"WindowsAuthServer @ 192.168.1.3\", \"id\": 112}], \"device_count\": 1, \"offense_type\": 0, \"relevance\": 0, \"domain_id\": 0, \"offense_source\": \"192.168.1.3\", \"local_destination_address_ids\": [1], \"local_destination_count\": 1, \"status\": \"OPEN\"}",
                 "occurred": "2021-02-15T14:24:11.536000+00:00",
-                "type": null
+                "type": null,
+                "haIntegrationEventID": "18"
             },
             {
                 "name": "19 Multiple Login Failures for the Same User\n containing Failure Audit: The domain controller failed to validate the credentials for an account\n",
                 "rawJSON": "{\"username_count\": 1, \"description\": \"Multiple Login Failures for the Same User\\n containing Failure Audit: The domain controller failed to validate the credentials for an account\\n\", \"rules\": [{\"id\": 100056, \"type\": \"CRE_RULE\"}], \"event_count\": 15, \"flow_count\": 0, \"security_category_count\": 2, \"follow_up\": false, \"source_address_ids\": [2, 1], \"source_count\": 2, \"inactive\": true, \"protected\": false, \"destination_networks\": [\"Net-16-182-192.Net_182_10_0_0\"], \"source_network\": \"Net-16-182-192.Net_182_10_0_0\", \"category_count\": 2, \"remote_destination_count\": 0, \"start_time\": \"2021-02-15T13:21:36.537000+00:00\", \"magnitude\": 1, \"last_updated_time\": \"2021-02-15T13:21:46.948000+00:00\", \"credibility\": 2, \"id\": 19, \"categories\": [\"General Authentication Failed\", \"User Login Failure\"], \"severity\": 3, \"policy_category_count\": 0, \"log_sources\": [{\"type_name\": \"WindowsAuthServer\", \"type_id\": 12, \"name\": \"WindowsAuthServer @ 192.168.1.3\", \"id\": 112}, {\"type_name\": \"EventCRE\", \"type_id\": 18, \"name\": \"Custom Rule Engine-8 :: ip-162-21-12-77\", \"id\": 63}], \"device_count\": 2, \"offense_type\": 3, \"relevance\": 0, \"domain_id\": 0, \"offense_source\": \"yarden\", \"local_destination_address_ids\": [1], \"local_destination_count\": 1, \"status\": \"OPEN\"}",
                 "occurred": "2021-02-15T13:21:36.537000+00:00",
-                "type": null
+                "type": null,
+                "haIntegrationEventID": "19"
             }
         ],
         "id": 19

Packs/QRadar/ReleaseNotes/2_5_14.md

@@ -0,0 +1,5 @@
+#### Integrations
+
+##### IBM QRadar v3
+
+- Added the **haIntegrationEventID** field to qradar incidents.

Packs/QRadar/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "IBM QRadar",
     "description": "Fetch offenses as incidents and search QRadar",
     "support": "xsoar",
-    "currentVersion": "2.5.13",
+    "currentVersion": "2.5.14",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

Packs/Uptycs/Integrations/Uptycs/Uptycs.py

@@ -2401,7 +2401,8 @@ def uptycs_fetch_incidents():
                 "Occurred": alert_time,
                 "Severity": severity_to_int(context.get('severity')),
                 "Details": json.dumps(context, indent=4),
-                "rawJSON": json.dumps(context)
+                "rawJSON": json.dumps(context),
+                "haIntegrationEventID": context.get('alertId')
             }
             incidents.insert(0, incident)
 

Packs/Uptycs/Integrations/Uptycs/Uptycs.yml

@@ -1,4 +1,7 @@
 fromversion: 5.0.0
+sectionOrder:
+- Connect
+- Collect
 category: Analytics & SIEM
 commonfields:
   id: Uptycs
@@ -8,39 +11,48 @@ configuration:
   name: key
   required: true
   type: 4
+  section: Connect
 - display: API secret
   name: secret
   required: true
   type: 4
+  section: Connect
 - display: API domain (e.g. teststack.uptycs.io)
   name: domain
   required: true
   type: 0
+  section: Connect
 - display: API Customer ID
   name: customer_id
   required: true
   type: 4
+  section: Connect
 - display: Fetch incidents
   name: isFetch
   type: 8
   required: false
+  section: Collect
 - display: Incident type
   name: incidentType
   type: 13
   required: false
+  section: Collect
 - display: Trust any certificate (not secure)
   name: insecure
   type: 8
   required: false
+  section: Connect
 - display: Use system proxy settings
   name: proxy
   type: 8
   required: false
+  section: Connect
 - defaultvalue: 1 day
   display: First fetch since (<number> <time unit>, e.g., 12 hours, 7 days)
   name: fetch_time
   type: 0
   required: false
+  section: Collect
 description: Fetches data from the Uptycs database.
 display: Uptycs
 name: Uptycs
@@ -1518,7 +1530,7 @@ script:
     - name: filename
       required: true
       description: The name of the file being uploaded. This file should be uploaded to Cortex XSOAR in the Playground War Room using the paperclip icon next to the CLI.
-  dockerimage: demisto/auth-utils:1.0.0.1839651
+  dockerimage: demisto/auth-utils:1.0.0.2025089
   isfetch: true
   runonce: true
   script: '-'

Packs/Uptycs/ReleaseNotes/1_0_17.md

@@ -0,0 +1,7 @@
+
+#### Integrations
+
+##### Uptycs
+
+- Added the **haIntegrationEventID** field to Uptycs alerts.
+- Updated the Docker image to: *demisto/auth-utils:1.0.0.2025089*.

Packs/Uptycs/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Uptycs",
     "description": "Fetches data from the Uptycs database.",
     "support": "partner",
-    "currentVersion": "1.0.16",
+    "currentVersion": "1.0.17",
     "author": "Uptycs Inc.",
     "url": "https://www.uptycs.com",
     "email": "support@uptycs.com",
@@ -14,8 +14,7 @@
     "useCases": [],
     "keywords": [],
     "githubUser": [
-        "bkschmoll-uptycs",
-        "cgadde-uptycs"
+        "bkschmoll-uptycs"
     ],
     "certification": "certified",
     "marketplaces": [