IBM HA - add "haIntegrationEventID" to ms ATP #39051

Expand Up @@ -3734,7 +3734,8 @@ def fetch_incidents(client: MsClient, last_run, fetch_evidence):
'rawJSON': json.dumps(alert),
'name': f'{INTEGRATION_NAME} Alert {alert["id"]}',
'occurred': alert['alertCreationTime'],
'dbotMirrorId': alert["id"]
'dbotMirrorId': alert["id"],
'haIntegrationEventID': alert["id"]
})

# Update last run and add incident if the incident is newer than last fetch
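Review bot: The new `'haIntegrationEventID': alert["id"]` entry in the incident dict has no comment saying what consumes it, and it holds the same value as `dbotMirrorId` on the line above. The parsing-rule change in this PR derives the same field from `id`, so both ingestion paths must keep producing the same identifier for any correlation on it to work. A one-line comment above the key would record that, for example `# haIntegrationEventID: alert id exposed for HA event correlation; keep in sync with the parsing rule` (the purpose is inferred from the PR title, so confirm the wording). fetch_incidents starts and ends outside the hunk, so how `alert` is validated before this point is not visible here.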
Expand Up @@ -39,6 +39,7 @@ configuration:
type: 9
hiddenusername: true
required: false
section: Connect
- display: Certificate Thumbprint
name: creds_certificate
type: 9
Expand Down Expand Up @@ -5665,7 +5666,7 @@ script:
execution: false
name: microsoft-atp-auth-reset
arguments: []
dockerimage: demisto/crypto:1.0.0.117163
dockerimage: demisto/crypto:1.0.0.2005673
isfetch: true
runonce: false
script: '-'
Expand Up @@ -75,7 +75,8 @@ def test_second_fetch_incidents(mocker):
'"machineId": "43df73d1dac43593d1275e20422f44a949f6dfc3", "alertUser": null, "comments": [], '
'"alertFiles": [], "alertDomains": [], "alertIps": []}',
'name': 'Microsoft Defender ATP Alert da637029414680409372_735564929',
'occurred': '2019-09-01T13:31:08.0252869Z', 'dbotMirrorId': 'da637029414680409372_735564929'}]
'occurred': '2019-09-01T13:31:08.0252869Z', 'dbotMirrorId': 'da637029414680409372_735564929',
'haIntegrationEventID': 'da637029414680409372_735564929'}]


def test_third_fetch_incidents(mocker):
Expand Up @@ -4,4 +4,5 @@ filter to_string(lastEventTime) ~= "\d{4,}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d*Z"
| alter tmp_timestamp_1 = parse_timestamp("%Y-%m-%dT%H:%M:%E3S", arrayindex(regextract(to_string(lastEventTime), "(\d{4,}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3})"),0)),
tmp_timestamp_2 = parse_timestamp("%Y-%m-%dT%H:%M:%SZ", to_string(lastEventTime))
| alter _time = coalesce(tmp_timestamp_1, tmp_timestamp_2)
| fields -tmp_timestamp_1, tmp_timestamp_2;
| fields -tmp_timestamp_1, tmp_timestamp_2
| alter haIntegrationEventID = id;
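Review bot: The added `| alter haIntegrationEventID = id;` stage is appended to a pipeline that, per the hunk header, begins with a `filter` on `lastEventTime` matching a timestamp pattern, so events that fail that filter would presumably never receive the field. If downstream correlation expects `haIntegrationEventID` on every ingested alert, confirm that no records bypass this rule and that `id` is always populated, since a null `id` would presumably leave the identifier empty. A short comment above the stage, such as `// haIntegrationEventID mirrors the alert id set by the integration's fetch`, would document the link to the Python side. The start of the rule lies outside the hunk.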
@@ -0,0 +1,13 @@

#### Integrations

##### Microsoft Defender for Endpoint

- Added the **haIntegrationEventID** field to Microsoft Defender for Endpoint alerts.
- Updated the Docker image to: *demisto/crypto:1.0.0.2005673*.

#### Parsing Rules

##### Microsoft Defender Advanced Threat Protection Parsing Rule

- Updated the Microsoft Defender Advanced Threat Protection Parsing Rule Parsing Rule to include the **haIntegrationEventID** field.
Expand Up @@ -2,7 +2,7 @@
"name": "Microsoft Defender for Endpoint",
"description": "Microsoft Defender for Endpoint (previously Microsoft Defender Advanced Threat Protection (ATP)) is a unified platform for preventative protection, post-breach detection, automated investigation, and response.",
"support": "xsoar",
"currentVersion": "1.18.1",
"currentVersion": "1.18.2",
"author": "Cortex XSOAR",
"url": "https://www.paloaltonetworks.com/cortex",
"email": "",