Xpanse api updates (#29339)

* improve classifier setup

* release notes

* release notes style

* remove field applicability

* Apply suggestions from code review

Co-authored-by: johnnywilkes <[email protected]>

---------

Co-authored-by: johnnywilkes <[email protected]>

Author: andrew-paloalto

Packs/CortexXpanse/Classifiers/classifier-Xpanse_-_Incoming_Mapper.json

@@ -9,7 +9,7 @@
 				"Xpanse Alert ID": {
 					"complex": {
 						"filters": [],
-						"root": "external_id",
+						"root": "alert_id",
 						"transformers": []
 					}
 				},
@@ -78,19 +78,10 @@
 				"Xpanse IP": {
 					"complex": {
 						"filters": [],
-						"root": "action_remote_ip",
+						"root": "ipv4_addresses",
 						"transformers": [
 							{
-								"args": {
-									"applyIfEmpty": {},
-									"defaultValue": {
-										"isContext": true,
-										"value": {
-											"simple": "ipv4_addresses[0]"
-										}
-									}
-								},
-								"operator": "SetIfEmpty"
+								"operator": "FirstArrayElement"
 							}
 						]
 					}
@@ -175,14 +166,35 @@
         "dbot_classification_incident_type_all": {
             "dontMapEventToLabels": false,
             "internalMapping": {
-                "Tags": {
-                    "complex": {
+				"Description": {
+					"simple": "description"
+				},
+				"Destination IP": {
+					"complex": {
+						"filters": [],
+						"root": "ipv4_addresses",
+						"transformers": [
+							{
+								"operator": "FirstArrayElement"
+							}
+						]
+					}
+				},
+				"Protocol": {
+					"complex": {
+						"filters": [],
+						"root": "port_protocol",
+						"transformers": []
+					}
+				},
+				"Tags": {
+					"complex": {
                         "filters": [],
                         "root": "tags",
                         "transformers": []
                     }
-                }
-            }
+				}
+			}
         }
     },
     "name": "Xpanse - Incoming Mapper",

Packs/CortexXpanse/IncidentFields/incidentfield-Xpanse_Tags.json

@@ -22,7 +22,7 @@
     "threshold": 72,
     "type": "shortText",
     "unmapped": false,
-    "unsearchable": true,
+    "unsearchable": false,
     "useAsKpi": true,
     "version": -1,
     "fromVersion": "6.5.0"

Packs/CortexXpanse/IncidentFields/incidentfields-Xpanse_Provider.json

@@ -19,9 +19,12 @@
     "group": 0,
     "hidden": false,
     "openEnded": false,
-    "associatedToAll": true,
+    "associatedToAll": false,
+    "associatedTypes": [
+        "Xpanse Alert"
+    ],
     "unmapped": false,
-    "unsearchable": true,
+    "unsearchable": false,
     "caseInsensitive": true,
     "sla": 0,
     "threshold": 72,

Packs/CortexXpanse/Integrations/CortexXpanse/CortexXpanse.yml

@@ -686,6 +686,8 @@ script:
   script: ''
   subtype: python3
   type: python
+defaultmapperin: Xpanse - Incoming Mapper
+defaultclassifier: Xpanse - Classifier
 fromversion: 6.5.0
 tests:
 - CortexXpanse_Test

Packs/CortexXpanse/ReleaseNotes/1_0_10.md

@@ -0,0 +1,18 @@
+
+#### Integrations
+##### Cortex Xpanse
+
+- Updated the default classifier and incoming mapper for the integration.
+
+#### Mappers
+##### Xpanse - Incoming Mapper
+
+- Updated the targets for several fields for improved accuracy and formatting.
+
+#### Incident Fields
+##### Xpanse Tags
+Updated the field to be searchable.
+
+##### Xpanse Provider
+Updated the field to be searchable and to not be scoped to all incident types.
+

Packs/CortexXpanse/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Cortex Xpanse",
     "description": "Content for working with Attack Surface Management (ASM).",
     "support": "xsoar",
-    "currentVersion": "1.0.9",
+    "currentVersion": "1.0.10",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",