IBM HA - add "haIntegrationEventID" to ms ATP

Packs/MicrosoftDefenderAdvancedThreatProtection/Integrations/MicrosoftDefenderAdvancedThreatProtection/MicrosoftDefenderAdvancedThreatProtection.py

@@ -3734,7 +3734,8 @@ def fetch_incidents(client: MsClient, last_run, fetch_evidence):
             'rawJSON': json.dumps(alert),
             'name': f'{INTEGRATION_NAME} Alert {alert["id"]}',
             'occurred': alert['alertCreationTime'],
-            'dbotMirrorId': alert["id"]
+            'dbotMirrorId': alert["id"],
+            'haIntegrationEventID': alert["id"]
         })
 
         # Update last run and add incident if the incident is newer than last fetch

Packs/MicrosoftDefenderAdvancedThreatProtection/Integrations/MicrosoftDefenderAdvancedThreatProtection/MicrosoftDefenderAdvancedThreatProtection.yml

@@ -39,6 +39,7 @@ configuration:
   type: 9
   hiddenusername: true
   required: false
+  section: Connect
 - display: Certificate Thumbprint
   name: creds_certificate
   type: 9
@@ -5665,7 +5666,7 @@ script:
     execution: false
     name: microsoft-atp-auth-reset
     arguments: []
-  dockerimage: demisto/crypto:1.0.0.117163
+  dockerimage: demisto/crypto:1.0.0.2005673
   isfetch: true
   runonce: false
   script: '-'

Packs/MicrosoftDefenderAdvancedThreatProtection/Integrations/MicrosoftDefenderAdvancedThreatProtection/MicrosoftDefenderAdvancedThreatProtection_test.py

@@ -75,7 +75,8 @@ def test_second_fetch_incidents(mocker):
                    '"machineId": "43df73d1dac43593d1275e20422f44a949f6dfc3", "alertUser": null, "comments": [], '
                    '"alertFiles": [], "alertDomains": [], "alertIps": []}',
         'name': 'Microsoft Defender ATP Alert da637029414680409372_735564929',
-        'occurred': '2019-09-01T13:31:08.0252869Z', 'dbotMirrorId': 'da637029414680409372_735564929'}]
+        'occurred': '2019-09-01T13:31:08.0252869Z', 'dbotMirrorId': 'da637029414680409372_735564929',
+        'haIntegrationEventID': 'da637029414680409372_735564929'}]
 
 
 def test_third_fetch_incidents(mocker):

Packs/MicrosoftDefenderAdvancedThreatProtection/ParsingRules/MicrosoftDefenderAdvancedThreatProtection/MicrosoftDefenderAdvancedThreatProtection.xif

@@ -4,4 +4,5 @@ filter to_string(lastEventTime) ~= "\d{4,}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d*Z"
 | alter tmp_timestamp_1 = parse_timestamp("%Y-%m-%dT%H:%M:%E3S", arrayindex(regextract(to_string(lastEventTime), "(\d{4,}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3})"),0)),
         tmp_timestamp_2 = parse_timestamp("%Y-%m-%dT%H:%M:%SZ", to_string(lastEventTime))
 | alter _time  = coalesce(tmp_timestamp_1, tmp_timestamp_2)
-| fields -tmp_timestamp_1, tmp_timestamp_2;
+| fields -tmp_timestamp_1, tmp_timestamp_2
+| alter haIntegrationEventID = id;

Packs/MicrosoftDefenderAdvancedThreatProtection/ReleaseNotes/1_18_2.md

@@ -0,0 +1,13 @@
+
+#### Integrations
+
+##### Microsoft Defender for Endpoint
+
+- Added the **haIntegrationEventID** field to Microsoft Defender for Endpoint alerts.
+- Updated the Docker image to: *demisto/crypto:1.0.0.2005673*.
+
+#### Parsing Rules
+
+##### Microsoft Defender Advanced Threat Protection Parsing Rule
+
+- Updated the Microsoft Defender Advanced Threat Protection Parsing Rule Parsing Rule to include the **haIntegrationEventID** field.

Packs/MicrosoftDefenderAdvancedThreatProtection/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Microsoft Defender for Endpoint",
     "description": "Microsoft Defender for Endpoint (previously Microsoft Defender Advanced Threat Protection (ATP)) is a unified platform for preventative protection, post-breach detection, automated investigation, and response.",
     "support": "xsoar",
-    "currentVersion": "1.18.1",
+    "currentVersion": "1.18.2",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",