[SOAR-17793] Abnormal Security - Case ID issue (#2751)

* Possible solution to caseId * changes * Fixing get_case_details action. SDK Bump and Plugin refresh * Keeping conor happy * changing references in help.md
rapid7 · Oct 4, 2024 · 5f435a5 · 5f435a5
1 parent 2817c1f
commit 5f435a5
Show file tree

Hide file tree

Showing 8 changed files with 103 additions and 72 deletions.
diff --git a/plugins/abnormal_security/.CHECKSUM b/plugins/abnormal_security/.CHECKSUM
@@ -1,7 +1,7 @@
 {
-	"spec": "54821dd0f7e13a2ff4d93f0c05db1108",
-	"manifest": "42a45d3adc43907a028ba7ac0a2b3059",
-	"setup": "8447e8fc54f08c59ec4e4c585e395d88",
+	"spec": "82ca94bdef396a13ad6f7bd2906d6c94",
+	"manifest": "0b2490848001bba1d2e3304d5dcccdab",
+	"setup": "c2fad45b2ef6292be0a797d2449d3613",
 	"schemas": [
 		{
 			"identifier": "get_case_details/schema.py",

diff --git a/plugins/abnormal_security/Dockerfile b/plugins/abnormal_security/Dockerfile
@@ -1,4 +1,4 @@
-FROM --platform=linux/amd64 rapid7/insightconnect-python-3-plugin:latest
+FROM --platform=linux/amd64 rapid7/insightconnect-python-3-slim-plugin:6.1.3
 
 LABEL organization=rapid7
 LABEL sdk=python
@@ -12,7 +12,7 @@ RUN if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
 
 ADD . /python/src
 
-RUN	python setup.py build && python setup.py install
+RUN python setup.py build && python setup.py install
 
 # User to run plugin code. The two supported users are: root, nobody
 USER nobody

diff --git a/plugins/abnormal_security/bin/icon_abnormal_security b/plugins/abnormal_security/bin/icon_abnormal_security
@@ -6,7 +6,7 @@ from sys import argv
 
 Name = "Abnormal Security"
 Vendor = "rapid7"
-Version = "2.0.2"
+Version = "2.0.3"
 Description = "Protect your Microsoft Office 365 and G-Suite environments with next-generation email security that uses the most advanced AI detection techniques to stop targeted phishing attacks"
 
 

diff --git a/plugins/abnormal_security/help.md b/plugins/abnormal_security/help.md
@@ -3,28 +3,30 @@
 Protect your Microsoft Office 365 and G-Suite environments with next-generation email security that uses the most advanced AI detection techniques to stop targeted phishing attacks
 
 # Key Features
-
-*This plugin does not contain any key features.*
+
+* Retrieve details of an individual case and list up to 100 cases identified by Abnormal Security.
+* Retrieve details of a single threat and list up to 100 threats identified by Abnormal Security.
+* Manage a case or threat.
 
 # Requirements
-  
-*This plugin does not contain any requirements.*
+
+* This plugin does not contain any Requirements.
 
 # Supported Product Versions
-  
+
 * abnormal-security API abx v1.4.2
 
 # Documentation
 
 ## Setup
-  
+
 The connection configuration accepts the following parameters:  
 
-|Name|Type|Default|Required|Description|Enum|Example|
-| :--- | :--- | :--- | :--- | :--- | :--- | :--- |
-|URL|string|https://api.abnormalplatform.com|True|Abnormal Security URL|None|https://api.abnormalplatform.com|
-|api_key|credential_secret_key|None|True|Abnormal Security API Key|None|9de5069c5afe602b2ea0a04b66beb2c0|
-  
+|Name|Type|Default|Required|Description|Enum|Example|Placeholder|Tooltip|
+| :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- |
+|URL|string|https://api.abnormalplatform.com|True|Abnormal Security URL|None|https://api.abnormalplatform.com|None|None|
+|api_key|credential_secret_key|None|True|Abnormal Security API Key|None|9de5069c5afe602b2ea0a04b66beb2c0|None|None|
+
 Example input:
 
 ```
@@ -40,14 +42,14 @@ Example input:
 
 
 #### Get Case Details
-  
+
 This action is used to get details of a case identified by Abnormal Security
 
 ##### Input
 
-|Name|Type|Default|Required|Description|Enum|Example|
-| :--- | :--- | :--- | :--- | :--- | :--- | :--- |
-|case_id|string|None|True|A string representing the case|None|19377|
+|Name|Type|Default|Required|Description|Enum|Example|Placeholder|Tooltip|
+| :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- |
+|case_id|string|None|True|A string representing the case|None|19377|None|None|
 
 Example input:
 
@@ -77,17 +79,17 @@ Example output:
 ```
 
 #### Get Cases
-  
+
 This action is used to get a list of up to 100 cases identified by Abnormal Security, if no input filter dates are 
 provided, it will return up to 100 latest results
 
 ##### Input
 
-|Name|Type|Default|Required|Description|Enum|Example|
-| :--- | :--- | :--- | :--- | :--- | :--- | :--- |
-|filter_key|string|lastModifiedTime|False|This input enables you to select what timestamp to filter on, default is lastModifiedTime|['lastModifiedTime', 'createdTime', 'customerVisableTime', '']|lastModifiedTime|
-|from_date|string|None|False|This input enables you to filter your results from a certain date, the date has to be in ISO 8601 format - YYYY-MM-DDTHH:MM:SSZ|None|2021-03-01 21:11:38+00:00|
-|to_date|string|None|False|This input enables you to filter your results to a certain date, the date has to be in ISO 8601 format - YYYY-MM-DDTHH:MM:SSZ|None|2021-03-11 21:11:38+00:00|
+|Name|Type|Default|Required|Description|Enum|Example|Placeholder|Tooltip|
+| :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- |
+|filter_key|string|lastModifiedTime|False|This input enables you to select what timestamp to filter on, default is lastModifiedTime|["lastModifiedTime", "createdTime", "customerVisableTime", ""]|lastModifiedTime|None|None|
+|from_date|string|None|False|This input enables you to filter your results from a certain date, the date has to be in ISO 8601 format - YYYY-MM-DDTHH:MM:SSZ|None|2021-03-01 21:11:38+00:00|None|None|
+|to_date|string|None|False|This input enables you to filter your results to a certain date, the date has to be in ISO 8601 format - YYYY-MM-DDTHH:MM:SSZ|None|2021-03-11 21:11:38+00:00|None|None|
 
 Example input:
 
@@ -109,22 +111,24 @@ Example output:
 
 ```
 {
-  "cases": {
-    "caseId": "19377",
-    "severity": "Potential Account Takeover"
-  }
+  "cases": [
+    {
+      "caseId": "19377",
+      "severity": "Potential Account Takeover"
+    }
+  ]
 }
 ```
 
 #### Get Threat Details
-  
+
 This action is used to get details of a threat identified by Abnormal Security
 
 ##### Input
 
-|Name|Type|Default|Required|Description|Enum|Example|
-| :--- | :--- | :--- | :--- | :--- | :--- | :--- |
-|threat_id|string|None|True|A UUID representing the threat|None|184712ab-6d8b-47b3-89d3-a314efef79e2|
+|Name|Type|Default|Required|Description|Enum|Example|Placeholder|Tooltip|
+| :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- |
+|threat_id|string|None|True|A UUID representing the threat|None|184712ab-6d8b-47b3-89d3-a314efef79e2|None|None|
 
 Example input:
 
@@ -248,16 +252,16 @@ Example output:
 ```
 
 #### Get Threats
-  
+
 This action is used to get a list of up to 100 threats identified in the Abnormal Security Threat Log, if no input 
 filter dates are provided, it will return up to 100 latest results
 
 ##### Input
 
-|Name|Type|Default|Required|Description|Enum|Example|
-| :--- | :--- | :--- | :--- | :--- | :--- | :--- |
-|from_date|string|None|False|This input enables you to filter your results from a certain date, the date has to be in ISO 8601 format - YYYY-MM-DDTHH:MM:SSZ|None|2021-03-01 21:11:38+00:00|
-|to_date|string|None|False|This input enables you to filter your results to a certain date, the date has to be in ISO 8601 format - YYYY-MM-DDTHH:MM:SSZ|None|2021-03-11 21:11:38+00:00|
+|Name|Type|Default|Required|Description|Enum|Example|Placeholder|Tooltip|
+| :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- |
+|from_date|string|None|False|This input enables you to filter your results from a certain date, the date has to be in ISO 8601 format - YYYY-MM-DDTHH:MM:SSZ|None|2021-03-01 21:11:38+00:00|None|None|
+|to_date|string|None|False|This input enables you to filter your results to a certain date, the date has to be in ISO 8601 format - YYYY-MM-DDTHH:MM:SSZ|None|2021-03-11 21:11:38+00:00|None|None|
 
 Example input:
 
@@ -278,22 +282,24 @@ Example output:
 
 ```
 {
-  "threats": {
-    "threatId": "184712ab-6d8b-47b3-89d3-a314efef79e2"
-  }
+  "threats": [
+    {
+      "threatId": "184712ab-6d8b-47b3-89d3-a314efef79e2"
+    }
+  ]
 }
 ```
 
 #### Manage Case
-  
+
 This action is used to manage an Abnormal Case
 
 ##### Input
 
-|Name|Type|Default|Required|Description|Enum|Example|
-| :--- | :--- | :--- | :--- | :--- | :--- | :--- |
-|action|string|None|True|Acknowledge or take another remediation action on a case|['Action Required', 'Acknowledge in Progress', 'Acknowledge Resolved', 'Acknowledge not an Attack']|Action Required|
-|case_id|string|None|True|An ID representing the case|None|12345|
+|Name|Type|Default|Required|Description|Enum|Example|Placeholder|Tooltip|
+| :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- |
+|action|string|None|True|Acknowledge or take another remediation action on a case|["Action Required", "Acknowledge in Progress", "Acknowledge Resolved", "Acknowledge not an Attack"]|Action Required|None|None|
+|case_id|string|None|True|An ID representing the case|None|12345|None|None|
 
 Example input:
 
@@ -324,15 +330,15 @@ Example output:
 ```
 
 #### Manage Threat
-  
+
 This action is used to manage a Threat identified by Abnormal Security
 
 ##### Input
 
-|Name|Type|Default|Required|Description|Enum|Example|
-| :--- | :--- | :--- | :--- | :--- | :--- | :--- |
-|action|string|None|True|Remediate or unremediate a threat|['remediate', 'unremediate']|remediate|
-|threat_id|string|None|True|A UUID representing the threat|None|184712ab-6d8b-47b3-89d3-a314efef79e2|
+|Name|Type|Default|Required|Description|Enum|Example|Placeholder|Tooltip|
+| :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- |
+|action|string|None|True|Remediate or unremediate a threat|["remediate", "unremediate"]|remediate|None|None|
+|threat_id|string|None|True|A UUID representing the threat|None|184712ab-6d8b-47b3-89d3-a314efef79e2|None|None|
 
 Example input:
 
@@ -448,16 +454,17 @@ Example output:
 
 ## Troubleshooting
 
-*There is no troubleshooting for this plugin.*
+*This plugin does not contain a troubleshooting.*
 
 # Version History
 
-* 2.0.2 - Fix bug where toTime was being used as gte rather than lte in requests, used in the `get_cases` and `get_threats` actions  
-* 2.0.1 - To remove formatting of the fromTime or toTime values used in the `get_cases` and `get_threats` actions  
-* 2.0.0 - Add support to select the time filter filed in `get_cases` action | bump SDK version  
-* 1.3.0 - New logo and requirements update  
-* 1.2.0 - New actions Manage Case and Manage Threat  
-* 1.1.0 - New actions Get Cases and Get Case Details  
+* 2.0.3 - Fix issue where Case ID was being returned as an integer in the `get_cases` and `get_case_details` action
+* 2.0.2 - Fix bug where toTime was being used as gte rather than lte in requests, used in the `get_cases` and `get_threats` actions
+* 2.0.1 - To remove formatting of the fromTime or toTime values used in the `get_cases` and `get_threats` actions
+* 2.0.0 - Add support to select the time filter filed in `get_cases` action | bump SDK version
+* 1.3.0 - New logo and requirements update
+* 1.2.0 - New actions Manage Case and Manage Threat
+* 1.1.0 - New actions Get Cases and Get Case Details
 * 1.0.0 - Initial plugin
 
 # Links
@@ -466,4 +473,4 @@ Example output:
 
 ## References
 
-* [Abnormal Security](https://abnormalsecurity.com/)
+* [Abnormal Security](https://app.swaggerhub.com/apis-docs/abnormal-security/abx/1.4.1)
diff --git a/plugins/abnormal_security/icon_abnormal_security/actions/get_case_details/action.py b/plugins/abnormal_security/icon_abnormal_security/actions/get_case_details/action.py
@@ -14,4 +14,11 @@ def __init__(self):
         )
 
     def run(self, params={}):
-        return {Output.CASE_DETAILS: self.connection.api.get_case_details(params.get(Input.CASE_ID))}
+
+        # Solution to convert Case ID to string if it gets returned as an integer
+        case_id = params.get(Input.CASE_ID, "")
+
+        response = self.connection.api.get_case_details(case_id)
+        if isinstance(response.get("caseId"), int):
+            response["caseId"] = str(response.get("caseId"))
+        return {Output.CASE_DETAILS: response}
diff --git a/plugins/abnormal_security/icon_abnormal_security/actions/get_cases/action.py b/plugins/abnormal_security/icon_abnormal_security/actions/get_cases/action.py
@@ -11,10 +11,13 @@ def __init__(self):
         )
 
     def run(self, params={}):
-        return {
-            Output.CASES: self.connection.api.get_cases(
-                from_date=params.get(Input.FROM_DATE),
-                to_date=params.get(Input.TO_DATE),
-                filter_key=params.get(Input.FILTER_KEY, "lastModifiedTime"),
-            )
-        }
+        response = self.connection.api.get_cases(
+            from_date=params.get(Input.FROM_DATE),
+            to_date=params.get(Input.TO_DATE),
+            filter_key=params.get(Input.FILTER_KEY, "lastModifiedTime"),
+        )
+        # Solution to convert Case ID to string if it gets returned as an integer
+        for case in response:
+            if isinstance(case.get("caseId"), int):
+                case["caseId"] = str(case["caseId"])
+        return {Output.CASES: response}
diff --git a/plugins/abnormal_security/plugin.spec.yaml b/plugins/abnormal_security/plugin.spec.yaml
@@ -4,11 +4,16 @@ products: [insightconnect]
 name: abnormal_security
 title: Abnormal Security
 description: Protect your Microsoft Office 365 and G-Suite environments with next-generation email security that uses the most advanced AI detection techniques to stop targeted phishing attacks
-version: 2.0.2
+version: 2.0.3
+connection_version: 2
 supported_versions: ["abnormal-security API abx v1.4.2"]
 vendor: rapid7
 support: rapid7
 status: []
+sdk:
+  type: slim
+  version: 6.1.3
+  user: nobody
 tags: [investigate, malware, threat intel]
 hub_tags:
   use_cases: [threat_detection_and_response, vulnerability_management]
@@ -19,7 +24,14 @@ resources:
   license_url: https://github.com/rapid7/insightconnect-plugins/blob/master/LICENSE
   vendor_url: https://abnormalsecurity.com/
 enable_cache: true
+key_features:
+  - "Retrieve details of an individual case and list up to 100 cases identified by Abnormal Security."
+  - "Retrieve details of a single threat and list up to 100 threats identified by Abnormal Security."
+  - "Manage a case or threat."
+requirements:
+  - "This plugin does not contain any Requirements."
 version_history:
+  - '2.0.3 - Fix issue where Case ID was being returned as an integer in the `get_cases` and `get_case_details` action'
   - '2.0.2 - Fix bug where toTime was being used as gte rather than lte in requests, used in the `get_cases` and `get_threats` actions'
   - '2.0.1 - To remove formatting of the fromTime or toTime values used in the `get_cases` and `get_threats` actions'
   - '2.0.0 - Add support to select the time filter filed in `get_cases` action | bump SDK version'
@@ -28,7 +40,9 @@ version_history:
   - '1.1.0 - New actions Get Cases and Get Case Details'
   - '1.0.0 - Initial plugin'
 references:
-  - '[Abnormal Security](https://abnormalsecurity.com/)'
+  - '[Abnormal Security](https://app.swaggerhub.com/apis-docs/abnormal-security/abx/1.4.1)'
+links:
+  - "[Abnormal Security](https://abnormalsecurity.com/)"
 types:
   threat:
     threatId:

diff --git a/plugins/abnormal_security/setup.py b/plugins/abnormal_security/setup.py
@@ -3,7 +3,7 @@
 
 
 setup(name="abnormal_security-rapid7-plugin",
-      version="2.0.2",
+      version="2.0.3",
       description="Protect your Microsoft Office 365 and G-Suite environments with next-generation email security that uses the most advanced AI detection techniques to stop targeted phishing attacks",
       author="rapid7",
       author_email="",