From d81c9b0d9ef16d3d90541a80e45f581be972453b Mon Sep 17 00:00:00 2001 From: content-bot <55035720+content-bot@users.noreply.github.com> Date: Tue, 5 Nov 2024 13:21:30 +0200 Subject: [PATCH] V 1.1.0 (#37026) * V 1.1.0 (#36767) * V 1.1.0 - Added statistics fields - Added fetching incidents with filtering by minimum probability * Fix tests * Set unsearchable * RAN Review * ohh * update RN --------- Co-authored-by: Max Nosko <152783467+chkp-maxn@users.noreply.github.com> Co-authored-by: Aaron <4101535@gmail.com> --- ...tfield-CheckPointNDR_ApplicationNames.json | 32 ++++ ...dentfield-CheckPointNDR_ReceivedBytes.json | 32 ++++ ...incidentfield-CheckPointNDR_SentBytes.json | 32 ++++ .../CheckPointNDR/CheckPointNDR.py | 27 ++- .../CheckPointNDR/CheckPointNDR.yml | 9 +- .../CheckPointNDR/CheckPointNDR_test.py | 4 +- .../Integrations/CheckPointNDR/README.md | 64 +------ .../checkpointndr-get_insight_event.json | 73 +++++--- .../checkpointndr-parse_insights-output.json | 14 +- ...ntainer-CheckPointNDR_Incident_Layout.json | 172 +++++++++++------- Packs/CheckPointNDR/README.md | 6 +- Packs/CheckPointNDR/ReleaseNotes/1_1_0.md | 31 ++++ Packs/CheckPointNDR/pack_metadata.json | 3 +- 13 files changed, 339 insertions(+), 160 deletions(-) create mode 100644 Packs/CheckPointNDR/IncidentFields/incidentfield-CheckPointNDR_ApplicationNames.json create mode 100644 Packs/CheckPointNDR/IncidentFields/incidentfield-CheckPointNDR_ReceivedBytes.json create mode 100644 Packs/CheckPointNDR/IncidentFields/incidentfield-CheckPointNDR_SentBytes.json create mode 100644 Packs/CheckPointNDR/ReleaseNotes/1_1_0.md diff --git a/Packs/CheckPointNDR/IncidentFields/incidentfield-CheckPointNDR_ApplicationNames.json b/Packs/CheckPointNDR/IncidentFields/incidentfield-CheckPointNDR_ApplicationNames.json new file mode 100644 index 000000000000..85ad3c9a195f --- /dev/null +++ b/Packs/CheckPointNDR/IncidentFields/incidentfield-CheckPointNDR_ApplicationNames.json 
@@ -0,0 +1,32 @@
+{
+ "id": "incident_appiname",
+ "version": -1,
+ "modified": "2024-10-20T22:22:45.48967185Z",
+ "name": "CheckPointNDR Application Names",
+ "ownerOnly": false,
+ "description": "",
+ "cliName": "appiname",
+ "type": "multiSelect",
+ "closeForm": false,
+ "editForm": true,
+ "required": false,
+ "neverSetAsRequired": false,
+ "isReadOnly": false,
+ "useAsKpi": false,
+ "locked": false,
+ "system": false,
+ "content": true,
+ "group": 0,
+ "hidden": false,
+ "openEnded": false,
+ "associatedTypes": [
+ "Check Point NDR Insight"
+ ],
+ "associatedToAll": false,
+ "unmapped": false,
+ "unsearchable": true,
+ "caseInsensitive": true,
+ "sla": 0,
+ "threshold": 72,
+ "fromVersion": "6.9.0"
+}
\ No newline at end of file
diff --git a/Packs/CheckPointNDR/IncidentFields/incidentfield-CheckPointNDR_ReceivedBytes.json b/Packs/CheckPointNDR/IncidentFields/incidentfield-CheckPointNDR_ReceivedBytes.json
new file mode 100644
index 000000000000..57a7498d159a
--- /dev/null
+++ b/Packs/CheckPointNDR/IncidentFields/incidentfield-CheckPointNDR_ReceivedBytes.json
@@ -0,0 +1,32 @@
+{
+ "id": "incident_receivedbytes",
+ "version": -1,
+ "modified": "2024-10-01T19:26:46.346683Z",
+ "name": "CheckPointNDR Received Bytes",
+ "ownerOnly": false,
+ "description": "The total number of bytes received in the event.",
+ "cliName": "receivedbytes",
+ "type": "number",
+ "closeForm": false,
+ "editForm": true,
+ "required": false,
+ "neverSetAsRequired": false,
+ "isReadOnly": false,
+ "useAsKpi": false,
+ "locked": false,
+ "system": false,
+ "content": true,
+ "group": 0,
+ "hidden": false,
+ "openEnded": false,
+ "associatedTypes": [
+ "Check Point NDR Insight"
+ ],
+ "associatedToAll": false,
+ "unmapped": false,
+ "unsearchable": true,
+ "caseInsensitive": true,
+ "sla": 0,
+ "threshold": 72,
+ "fromVersion": "6.9.0"
+}
\ No newline at end of file
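Review bot: `"description": ""` on the new ApplicationNames field is empty, while the sibling ReceivedBytes and SentBytes definitions in this same patch describe their values and the release notes describe this field as a list of application names detected by Check Point NDR; the empty string is what analysts see in the field settings. Suggest `"description": "A list of application names detected by Check Point NDR.",` so the three new fields are documented consistently.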
diff --git a/Packs/CheckPointNDR/IncidentFields/incidentfield-CheckPointNDR_SentBytes.json b/Packs/CheckPointNDR/IncidentFields/incidentfield-CheckPointNDR_SentBytes.json
new file mode 100644
index 000000000000..e0097d420b5a
--- /dev/null
+++ b/Packs/CheckPointNDR/IncidentFields/incidentfield-CheckPointNDR_SentBytes.json
@@ -0,0 +1,32 @@
+{
+ "id": "incident_sentbytes",
+ "version": -1,
+ "modified": "2024-10-07T15:36:49.667762Z",
+ "name": "CheckPointNDR Sent Bytes",
+ "ownerOnly": false,
+ "description": "The total number of bytes sent in the event.",
+ "cliName": "sentbytes",
+ "type": "number",
+ "closeForm": false,
+ "editForm": true,
+ "required": false,
+ "neverSetAsRequired": false,
+ "isReadOnly": false,
+ "useAsKpi": false,
+ "locked": false,
+ "system": false,
+ "content": true,
+ "group": 0,
+ "hidden": false,
+ "openEnded": false,
+ "associatedTypes": [
+ "Check Point NDR Insight"
+ ],
+ "associatedToAll": false,
+ "unmapped": false,
+ "unsearchable": true,
+ "caseInsensitive": true,
+ "sla": 0,
+ "threshold": 72,
+ "fromVersion": "6.9.0"
+}
\ No newline at end of file
diff --git a/Packs/CheckPointNDR/Integrations/CheckPointNDR/CheckPointNDR.py b/Packs/CheckPointNDR/Integrations/CheckPointNDR/CheckPointNDR.py
index 3593d391c42b..73176eac1a71 100644
--- a/Packs/CheckPointNDR/Integrations/CheckPointNDR/CheckPointNDR.py
+++ b/Packs/CheckPointNDR/Integrations/CheckPointNDR/CheckPointNDR.py
@@ -74,24 +74,27 @@ def get_insights(self, startTS: int, max_fetch: int): def test_module(client: Client, last_run: dict[str, str], first_fetch: datetime, domain: str): try: - fetch_incidents(client, last_run, first_fetch, domain, 1) + fetch_incidents(client, last_run, first_fetch, domain, 1, 0) return 'ok' except DemistoException as e: return e.message -def parse_insights(insights: list[dict[str, Any]], domain: str, startTS: int, max_fetch: int): +def parse_insights(insights: list[dict[str, Any]], domain: str, startTS: int, max_fetch: int, min_probability: int): incidents: list[dict[str, Any]] = [] for insight in insights: for event in insight['events']: if event['updated'] <= startTS: continue + if event['probability'] < min_probability: + continue id = f"{insight['id']}_{event['id']}" name = insight['data'].get('name', insight['criteria']) updated = int(event['data'].get('discovery_date', event['updated'])) desc_i = insight['data'].get('description', '') desc_e = event['data'].get('description', '') + statistics = event['data'].get('statistics', {}) description = desc_i + "\n" + desc_e if desc_e else desc_i link = f"{NDR_URL}/#/insights?id={insight['id']}&domain={domain}&startDate={event['from']}&endDate={event['to']}" severity = 3 
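Review bot: `if event['probability'] < min_probability:` subscripts the key directly while the rest of the loop reads optional event data through `.get()`; if the NDR API ever omits `probability` or sends it as null for one event, the whole fetch cycle raises (KeyError or TypeError) instead of skipping that event. If the field is not guaranteed by the API, `if (event.get('probability') or 0) < min_probability:` keeps the fetch alive and treats an unknown probability as below any positive threshold. parse_insights has no docstring, so the threshold semantics (events whose probability equals the minimum are kept) and the new parameter should be documented there. The function continues past the end of this hunk, so where `last_time` is advanced relative to the events skipped by the new filter is not visible here.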
@@ -113,7 +116,17 @@ def parse_insights(insights: list[dict[str, Any]], domain: str, startTS: int, ma 'externalendtime': datetime.utcfromtimestamp(event['to'] / 1000).strftime("%Y-%m-%dT%H:%M:%S.%fZ"), 'externallink': link, 'description': desc_i, - 'eventdescriptions': desc_e + 'eventdescriptions': desc_e, + 'sourceips': statistics.get('top_src', []), + 'sourceexternalips': statistics.get('top_proxy_src_ip', []), + 'destinationips': statistics.get('top_dst', []), + 'dstports': statistics.get('top_service', []), + 'filemd5': statistics.get('top_file_md5', []), + 'appiName': statistics.get('top_appi_name', []), + 'users': statistics.get('top_src_user_name', []), + 'hostnames': statistics.get('top_src_machine_name', []), + 'sentbytes': statistics.get('total_bytes_sent', 0), + 'receivedbytes': statistics.get('total_bytes_received', 0) }, 'rawJSON': json.dumps(event) }) @@ -125,7 +138,8 @@ def parse_insights(insights: list[dict[str, Any]], domain: str, startTS: int, ma return incidents, last_time -def fetch_incidents(client: Client, last_run: dict[str, str], first_fetch: datetime, domain: str, max_fetch: int): +def fetch_incidents(client: Client, last_run: dict[str, str], first_fetch: datetime, domain: str, max_fetch: int, + min_probability: int): last_fetch = last_run.get('last_fetch', first_fetch.isoformat()) last_fetch_time = dateparser.parse(last_fetch) if not last_fetch_time: @@ -133,7 +147,7 @@ def fetch_incidents(client: Client, last_run: dict[str, str], first_fetch: datet startTS = int(last_fetch_time.timestamp() * 1000) insights = client.get_insights(startTS, max_fetch) - incidents, last_insight_time = parse_insights(insights, domain, startTS, max_fetch) + incidents, last_insight_time = parse_insights(insights, domain, startTS, max_fetch, min_probability) return {'last_fetch': last_insight_time}, incidents 
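Review bot: The new incident key `'appiName'` is the only camel-cased key in the dict; every other entry uses the field's lowercase cliName (`sourceips`, `sentbytes`, …), the new field file in this patch declares `"cliName": "appiname"`, and the layout references `"fieldId": "appiname"`. Unless the server matches custom-field keys case-insensitively, the application names will not land in the field; `'appiname': statistics.get('top_appi_name', []),` removes the doubt. Related, `statistics = event['data'].get('statistics', {})` in the previous hunk yields None when the API sends `"statistics": null`, and every `statistics.get(...)` below would then raise; `(event['data'].get('statistics') or {})` is the safer default. The new `min_probability` parameter on fetch_incidents in the next hunk is likewise undocumented.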
@@ -148,6 +162,7 @@ def main() -> None: # pragma: no cover verify = not params.get('insecure', False) proxy = params.get('proxy', False) max_fetch = int(params.get('max_fetch', 1000)) + min_probability = int(params.get('min_probability', 0)) fetch_time = params.get('first_fetch', '3 days').strip() first_fetch = dateparser.parse(fetch_time, settings={'TIMEZONE': 'UTC'}) @@ -163,7 +178,7 @@ def main() -> None: # pragma: no cover if command == 'test-module': return_results(test_module(client, last_run, first_fetch, domain)) elif command == 'fetch-incidents': - next_run, incidents = fetch_incidents(client, last_run, first_fetch, domain, max_fetch) + next_run, incidents = fetch_incidents(client, last_run, first_fetch, domain, max_fetch, min_probability) demisto.incidents(incidents) demisto.debug(f"Set last run to {next_run.get('last_fetch')}") demisto.setLastRun(next_run) diff --git a/Packs/CheckPointNDR/Integrations/CheckPointNDR/CheckPointNDR.yml b/Packs/CheckPointNDR/Integrations/CheckPointNDR/CheckPointNDR.yml index a0f330a3a06a..cda4efff4c26 100644 --- a/Packs/CheckPointNDR/Integrations/CheckPointNDR/CheckPointNDR.yml +++ b/Packs/CheckPointNDR/Integrations/CheckPointNDR/CheckPointNDR.yml @@ -49,6 +49,13 @@ configuration: defaultvalue: 'true' type: 8 required: false +- section: Collect + display: Minimum probability level + additionalinfo: Filter out NDR insights with probability lower than this value + name: min_probability + defaultvalue: "0" + type: 0 + required: false - section: Collect display: Incidents Fetch Interval name: incidentFetchInterval @@ -75,7 +82,7 @@ script: script: '-' type: python subtype: python3 - dockerimage: demisto/python3:3.10.14.91134 + dockerimage: demisto/python3:3.11.10.113941 fromversion: 6.9.0 tests: - No tests (auto formatted) diff --git a/Packs/CheckPointNDR/Integrations/CheckPointNDR/CheckPointNDR_test.py b/Packs/CheckPointNDR/Integrations/CheckPointNDR/CheckPointNDR_test.py index e782efc43432..73e5da4eff36 100644 
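Review bot: `min_probability = int(params.get('min_probability', 0))` raises ValueError when the parameter is present but empty: the `0` default only applies when the key is absent, and a cleared text field arrives as `''`, which would break every command including test-module. `min_probability = int(params.get('min_probability') or 0)` handles that case; since the value is compared against `event['probability']` as a percentage, rejecting values outside 0–100 with a clear error at configuration time would also stop a typo from silently filtering every insight. `max_fetch` on the preceding line has the same shape but is pre-existing.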
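Review bot: The `additionalinfo` text for the new `min_probability` parameter does not tell the operator what scale the value is on, and the parameter is declared `type: 0` (free text), so a non-numeric or out-of-range entry is only detected when the integration code converts it. Suggest `additionalinfo: Filter out NDR insights whose probability (0-100) is lower than this value.` so the expected range is visible in the configuration form.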
--- a/Packs/CheckPointNDR/Integrations/CheckPointNDR/CheckPointNDR_test.py +++ b/Packs/CheckPointNDR/Integrations/CheckPointNDR/CheckPointNDR_test.py @@ -49,7 +49,7 @@ def test_parse_insights(): mock_result = (util_load_json('./test_data/checkpointndr-parse_insights-output.json'), datetime.datetime.fromtimestamp(1703387404.364).isoformat()) - result = parse_insights(mock_insights, 'test', 0, 10) + result = parse_insights(mock_insights, 'test', 0, 10, 0) assert result == mock_result @@ -80,7 +80,7 @@ def test_fetch_incidents(mocker): return_value=None, ) - fetch_incidents(client, {}, datetime.datetime(2024, 1, 1), 'test', 10) + fetch_incidents(client, {}, datetime.datetime(2024, 1, 1), 'test', 10, 0) login.assert_called_once() query_insights.assert_called() logout.assert_called_once() diff --git a/Packs/CheckPointNDR/Integrations/CheckPointNDR/README.md b/Packs/CheckPointNDR/Integrations/CheckPointNDR/README.md index 23d97864ac26..a9c6c18bf2e8 100644 --- a/Packs/CheckPointNDR/Integrations/CheckPointNDR/README.md +++ b/Packs/CheckPointNDR/Integrations/CheckPointNDR/README.md @@ -1,5 +1,5 @@ Collect network security events from Check Point Infinity NDR for your secured SaaS periodically -This integration was integrated and tested with version 1.0.0 of CheckPointNDR +This integration was integrated and tested with version 1.1.0 of CheckPointNDR ## Configure Check Point Network Detection and Response (Infinity NDR) on Cortex XSOAR 
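Review bot: Both updated tests pass `0` as `min_probability`, so the new filter branch in parse_insights is never exercised; the fixture event in this patch has `probability: 64`. A second call such as `assert parse_insights(mock_insights, 'test', 0, 10, 65)[0] == []` would cover the skip path, and one with `64` would pin the boundary (an event equal to the minimum is kept). The asserted `last_time` for the all-filtered case depends on code outside these hunks, so only the incident list is asserted above.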
@@ -18,65 +18,3 @@ This integration was integrated and tested with version 1.0.0 of CheckPointNDR | Incidents Fetch Interval | False | 4. Click **Test** to validate the URLs, token, and connection. - -## Commands - -You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. -After you successfully execute a command, a DBot message appears in the War Room with the command details. - -### check-point-ndr-fetch-insights - -*** -Retrieve all NDR Insights - -#### Base Command - -`check-point-ndr-fetch-insights` - -#### Input - -| **Argument Name** | **Description** | **Required** | -| --- | --- | --- | -| from | Date and time from which to fetch insights. Default is Last 24 hours.| Optional | -| create_events | If true, the command will create events, otherwise it will only display them. Possible values are: true, false. Default is false. | Optional | - - -#### Context Output - -| **Path** | **Type** | **Description** | -| --- | --- | --- | -| CheckPointHEC.Entity.internetMessageId | String | Email message id in internet. | -| CheckPointHEC.Entity.subject | String | Email subject. | -| CheckPointHEC.Entity.received | String | Datetime email was received in iso 8601 format. | -| CheckPointHEC.Entity.size | String | Email size. | -| CheckPointHEC.Entity.emailLinks | unknown | Links in email. | -| CheckPointHEC.Entity.attachmentCount | Number | Number of attachments in email. | -| CheckPointHEC.Entity.attachments | unknown | File attachments in email. | -| CheckPointHEC.Entity.mode | String | Internal policy rule. | -| CheckPointHEC.Entity.recipients | unknown | Recipient email addresses. | -| CheckPointHEC.Entity.subject | String | Email subject. | -| CheckPointHEC.Entity.fromEmail | String | Email sender. | -| CheckPointHEC.Entity.fromDomain | String | Domain where the email was sent from. | -| CheckPointHEC.Entity.fromUser | unknown | Sender user details. | -| CheckPointHEC.Entity.fromName | String | Sender name. 
| -| CheckPointHEC.Entity.to | unknown | Email main recipients. | -| CheckPointHEC.Entity.toUser | unknown | User details for main recipients. | -| CheckPointHEC.Entity.cc | unknown | Email carbon copy recipients. | -| CheckPointHEC.Entity.ccUser | unknown | User details for carbon copy recipients. | -| CheckPointHEC.Entity.bcc | unknown | Email blind carbon copy recipients. | -| CheckPointHEC.Entity.bccUser | unknown | User details for blind carbon copy recipients. | -| CheckPointHEC.Entity.replyToEmail | String | Email reply. | -| CheckPointHEC.Entity.replyToNickname | String | Email reply nickname. | -| CheckPointHEC.Entity.isRead | Boolean | Email has been read. | -| CheckPointHEC.Entity.isDeleted | Boolean | Email has been deleted. | -| CheckPointHEC.Entity.isIncoming | Boolean | Email is from external organization. | -| CheckPointHEC.Entity.isInternal | Boolean | Email is from same organization. | -| CheckPointHEC.Entity.isOutgoing | Boolean | Email is to an external organization. | -| CheckPointHEC.Entity.isQuarantined | Boolean | Email has been quarantined. | -| CheckPointHEC.Entity.isQuarantineNotification | Boolean | Email is a notification of another quarantined email. | -| CheckPointHEC.Entity.isRestored | Boolean | Email is restored from quarantine. | -| CheckPointHEC.Entity.isRestoreRequested | Boolean | Email is a request to restore. | -| CheckPointHEC.Entity.isRestoreDeclined | Boolean | Email is a declined restore request. | -| CheckPointHEC.Entity.saasSpamVerdict | String | Spam verdict. | -| CheckPointHEC.Entity.SpfResult | String | Sender Policy Framework check result. | -| CheckPointHEC.Entity.restoreRequestTime | String | Restore request datetime in iso 8601 format. | diff --git a/Packs/CheckPointNDR/Integrations/CheckPointNDR/test_data/checkpointndr-get_insight_event.json b/Packs/CheckPointNDR/Integrations/CheckPointNDR/test_data/checkpointndr-get_insight_event.json index 27f1ab312db8..412413cc15e6 100644 
--- a/Packs/CheckPointNDR/Integrations/CheckPointNDR/test_data/checkpointndr-get_insight_event.json
+++ b/Packs/CheckPointNDR/Integrations/CheckPointNDR/test_data/checkpointndr-get_insight_event.json
@@ -1,26 +1,57 @@
 {
 "objects": [
- {
- "id": 950961,
- "domain": "test",
- "from": 1703258128000,
- "to": 1703261728000,
- "filter": "src:\"127.0.0.1\"",
- "targetDomain": "test",
- "type": "Behavioral",
- "insight": "Behavioral.Geo.Bulgaria",
- "count": 1,
- "data": {
- "discovery_date": "1703387402954"
- },
- "user": "Analytics",
- "created": 1703387404364,
- "updated": 1703387404364,
- "mdr": false,
- "probability": 64,
- "externalId": null,
- "editable": true
- }
+ {
+ "id": 950961,
+ "domain": "test",
+ "from": 1703258128000,
+ "to": 1703261728000,
+ "filter": "src:\"127.0.0.1\"",
+ "targetDomain": "test",
+ "type": "Behavioral",
+ "insight": "Behavioral.Geo.Bulgaria",
+ "count": 1,
+ "data": {
+ "discovery_date": "1703387402954",
+ "statistics": {
+ "count": 1,
+ "top_dst": [
+ "192.168.0.1"
+ ],
+ "top_src": [
+ "127.0.0.1"
+ ],
+ "total_dst": 1,
+ "total_src": 1,
+ "top_service": [
+ "1434"
+ ],
+ "top_file_md5": ["098f6bcd4621d373cade4e832627b4f6"],
+ "top_appi_name": ["TeamViewer", "google.com"],
+ "total_service": 1,
+ "total_file_md5": 1,
+ "total_appi_name": 2,
+ "top_proxy_src_ip": ["1.2.3.4"],
+ "total_bytes_sent": 512,
+ "top_src_user_name": ["maxn"],
+ "total_proxy_src_ip": 1,
+ "top_protection_name": [
+ "MS-SQL Monitor Protocol"
+ ],
+ "total_src_user_name": 1,
+ "top_src_machine_name": ["DESKTOP1"],
+ "total_bytes_received": 1024,
+ "total_protection_name": 1,
+ "total_src_machine_name": 1
+ }
+ },
+ "user": "Analytics",
+ "created": 1703387404364,
+ "updated": 1703387404364,
+ "mdr": false,
+ "probability": 64,
+ "externalId": null,
+ "editable": true
+ }
 ],
 "count": 1
 }
\ No newline at end of file
diff --git a/Packs/CheckPointNDR/Integrations/CheckPointNDR/test_data/checkpointndr-parse_insights-output.json b/Packs/CheckPointNDR/Integrations/CheckPointNDR/test_data/checkpointndr-parse_insights-output.json index b786da42e65a..d87f46e33401 100644 --- a/Packs/CheckPointNDR/Integrations/CheckPointNDR/test_data/checkpointndr-parse_insights-output.json +++ b/Packs/CheckPointNDR/Integrations/CheckPointNDR/test_data/checkpointndr-parse_insights-output.json 
@@ -12,8 +12,18 @@ "externalendtime": "2023-12-22T16:15:28.000000Z", "externallink": "https://now.checkpoint.com/#/insights?id=636750&domain=test&startDate=1703258128000&endDate=1703261728000", "description": "An anomaly detected from 127.0.0.1", - "eventdescriptions": "" + "eventdescriptions": "", + "sourceips": ["127.0.0.1"], + "sourceexternalips": ["1.2.3.4"], + "destinationips": ["192.168.0.1"], + "dstports": ["1434"], + "filemd5": ["098f6bcd4621d373cade4e832627b4f6"], + "appiName": ["TeamViewer", "google.com"], + "users": ["maxn"], + "hostnames": ["DESKTOP1"], + "sentbytes": 512, + "receivedbytes": 1024 }, - "rawJSON": "{\"id\": 950961, \"domain\": \"test\", \"from\": 1703258128000, \"to\": 1703261728000, \"filter\": \"src:\\\"127.0.0.1\\\"\", \"targetDomain\": \"test\", \"type\": \"Behavioral\", \"insight\": \"Behavioral.Geo.Bulgaria\", \"count\": 1, \"data\": {\"discovery_date\": \"1703387402954\"}, \"user\": \"Analytics\", \"created\": 1703387404364, \"updated\": 1703387404364, \"mdr\": false, \"probability\": 64, \"externalId\": null, \"editable\": true}" + "rawJSON": "{\"id\": 950961, \"domain\": \"test\", \"from\": 1703258128000, \"to\": 1703261728000, \"filter\": \"src:\\\"127.0.0.1\\\"\", \"targetDomain\": \"test\", \"type\": \"Behavioral\", \"insight\": \"Behavioral.Geo.Bulgaria\", \"count\": 1, \"data\": {\"discovery_date\": \"1703387402954\", \"statistics\": {\"count\": 1, \"top_dst\": [\"192.168.0.1\"], \"top_src\": [\"127.0.0.1\"], \"total_dst\": 1, \"total_src\": 1, \"top_service\": [\"1434\"], \"top_file_md5\": [\"098f6bcd4621d373cade4e832627b4f6\"], \"top_appi_name\": [\"TeamViewer\", \"google.com\"], \"total_service\": 1, \"total_file_md5\": 1, \"total_appi_name\": 2, \"top_proxy_src_ip\": [\"1.2.3.4\"], \"total_bytes_sent\": 512, \"top_src_user_name\": [\"maxn\"], \"total_proxy_src_ip\": 1, \"top_protection_name\": [\"MS-SQL Monitor Protocol\"], \"total_src_user_name\": 1, \"top_src_machine_name\": [\"DESKTOP1\"], \"total_bytes_received\": 
1024, \"total_protection_name\": 1, \"total_src_machine_name\": 1}}, \"user\": \"Analytics\", \"created\": 1703387404364, \"updated\": 1703387404364, \"mdr\": false, \"probability\": 64, \"externalId\": null, \"editable\": true}" } ] \ No newline at end of file diff --git a/Packs/CheckPointNDR/Layouts/layoutscontainer-CheckPointNDR_Incident_Layout.json b/Packs/CheckPointNDR/Layouts/layoutscontainer-CheckPointNDR_Incident_Layout.json index 00d462fc9fd2..9dfb56b5ab5a 100644 --- a/Packs/CheckPointNDR/Layouts/layoutscontainer-CheckPointNDR_Incident_Layout.json +++ b/Packs/CheckPointNDR/Layouts/layoutscontainer-CheckPointNDR_Incident_Layout.json @@ -99,7 +99,7 @@ "y": 0 }, { - "h": 2, + "h": 4, "i": "zsgh4yoppk-caseinfoid-61263cc0-98b1-11e9-97d7-ed26ef9e46c8", "maxW": 3, "moved": false, @@ -108,11 +108,11 @@ "type": "notes", "w": 1, "x": 2, - "y": 0 + "y": 3 }, { "displayType": "ROW", - "h": 3, + "h": 2, "i": "zsgh4yoppk-caseinfoid-6aabad20-98b1-11e9-97d7-ed26ef9e46c8", "maxW": 3, "moved": false, @@ -121,7 +121,7 @@ "type": "workplan", "w": 1, "x": 1, - "y": 0 + "y": 3 }, { "displayType": "ROW", @@ -133,22 +133,9 @@ "name": "Linked Incidents", "static": false, "type": "linkedIncidents", - "w": 1, + "w": 2, "x": 1, - "y": 6 - }, - { - "displayType": "ROW", - "h": 2, - "i": "zsgh4yoppk-caseinfoid-842632c0-98b1-11e9-97d7-ed26ef9e46c8", - "maxW": 3, - "moved": false, - "name": "Child Incidents", - "static": false, - "type": "childInv", - "w": 1, - "x": 2, - "y": 4 + "y": 9 }, { "displayType": "ROW", @@ -160,8 +147,8 @@ "static": false, "type": "evidence", "w": 1, - "x": 2, - "y": 2 + "x": 0, + "y": 9 }, { "displayType": "ROW", @@ -174,8 +161,8 @@ "static": false, "type": "team", "w": 1, - "x": 2, - "y": 6 + "x": 0, + "y": 5 }, { "displayType": "ROW", 
@@ -194,13 +181,13 @@ }, { "displayType": "CARD", - "h": 3, + "h": 2, "i": "zsgh4yoppk-caseinfoid-ac32f620-a0b0-11e9-b27f-13ae1773d289", "items": [ { "endCol": 1, "fieldId": "occurred", - "height": 22, + "height": 53, "id": "incident-occurred-field", "index": 0, "sectionItemType": "field", @@ -210,9 +197,9 @@ "endCol": 1, "fieldId": "externalstarttime", "name": "NDR Event Start Time", - "height": 22, + "height": 53, "id": "incident-externalstarttime", - "index": 2, + "index": 1, "sectionItemType": "field", "startCol": 0 }, @@ -220,45 +207,36 @@ "endCol": 1, "fieldId": "externalendtime", "name": "NDR Event End Time", - "height": 22, + "height": 53, "id": "incident-externalendtime", - "index": 3, + "index": 2, "sectionItemType": "field", "startCol": 0 }, { "endCol": 1, "fieldId": "dbotmodified", - "height": 22, + "height": 53, "id": "incident-modified-field", - "index": 4, - "sectionItemType": "field", - "startCol": 1 - }, - { - "endCol": 2, - "fieldId": "dbotduedate", - "height": 22, - "id": "incident-dueDate-field", - "index": 5, + "index": 0, "sectionItemType": "field", "startCol": 1 }, { "endCol": 2, "fieldId": "dbotcreated", - "height": 22, + "height": 53, "id": "incident-created-field", - "index": 6, + "index": 1, "sectionItemType": "field", "startCol": 1 }, { "endCol": 2, "fieldId": "dbotclosed", - "height": 22, + "height": 53, "id": "incident-closed-field", - "index": 7, + "index": 2, "sectionItemType": "field", "startCol": 1 } @@ -269,7 +247,7 @@ "static": false, "w": 1, "x": 0, - "y": 2 + "y": 3 }, { "displayType": "ROW", 
@@ -310,50 +288,122 @@ "name": "Closing Information", "static": false, "w": 1, - "x": 0, - "y": 6 + "x": 1, + "y": 5 }, { - "displayType": "CARD", + "displayType": "ROW", "h": 3, "i": "zsgh4yoppk-caseinfoid-e54b1770-a0b1-11e9-b27f-13ae1773d289", "isVisible": true, "items": [ { - "endCol": 2, + "endCol": 4, "fieldId": "details", - "height": 22, + "height": 44, "id": "incident-details-field", "index": 0, "sectionItemType": "field", "startCol": 0 }, - { - "endCol": 2, - "fieldId": "description", + { + "endCol": 4, + "fieldId": "sourceips", + "height": 22, + "id": "1b62fd50-8bad-11ef-afb5-214168f0d65e", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "sourceexternalips", "height": 22, - "id": "incident-description", + "id": "22d1e9c0-8bad-11ef-afb5-214168f0d65e", "index": 2, "sectionItemType": "field", "startCol": 0 }, - { - "endCol": 2, - "fieldId": "eventdescriptions", + { + "endCol": 4, + "fieldId": "destinationips", "height": 22, - "id": "incident-eventdescriptions", + "id": "1d6ab430-8bad-11ef-afb5-214168f0d65e", "index": 3, "sectionItemType": "field", "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "dstports", + "height": 22, + "id": "8e168ba0-8bad-11ef-afb5-214168f0d65e", + "index": 4, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "filemd5", + "height": 22, + "id": "a5d8b2e0-8bad-11ef-afb5-214168f0d65e", + "index": 5, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "appiname", + "height": 22, + "id": "40c6de80-8bae-11ef-afb5-214168f0d65e", + "index": 6, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "users", + "height": 22, + "id": "50283f40-8bae-11ef-afb5-214168f0d65e", + "index": 7, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "hostnames", + "height": 22, + "id": "5d1a4db0-8bae-11ef-afb5-214168f0d65e", + "index": 8, + "sectionItemType": "field", + "startCol": 0 + }, 
+ { + "endCol": 4, + "fieldId": "sentbytes", + "height": 22, + "id": "5d1a4db0-8bae-11ef-afb5-214168f0d65e", + "index": 9, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "receivedbytes", + "height": 22, + "id": "5d1a4db0-8bae-11ef-afb5-214168f0d65e", + "index": 10, + "sectionItemType": "field", + "startCol": 0 } ], "maxW": 3, "moved": false, - "name": "Investigation Data", + "name": "Details and Statistics", "static": false, - "w": 1, + "w": 2, "x": 1, - "y": 2 + "y": 0 } ], "type": "custom" diff --git a/Packs/CheckPointNDR/README.md b/Packs/CheckPointNDR/README.md index 830e916cefc0..5d99cd432225 100644 --- a/Packs/CheckPointNDR/README.md +++ b/Packs/CheckPointNDR/README.md @@ -1,11 +1,11 @@ -# Check Point Horizon NDR +# Check Point Infinity NDR -[Network Detection and Response (NDR)](https://www.checkpoint.com/horizon/ndr/) solutions are designed to detect cyber threats on corporate networks using artificial intelligence (AI), machine learning (ML) and data analytics. +[Network Detection and Response (NDR)](https://www.checkpoint.com/Infinity/ndr/) solutions are designed to detect cyber threats on corporate networks using artificial intelligence (AI), machine learning (ML) and data analytics. These tools build models of normal behavior by continuously analyzing network north/south traffic that crosses the enterprise perimeter as well as east/west lateral traffic and then use these models to identify anomalous or suspicious traffic patterns. ## What does this pack do? -This pack and its resources implement the integration with Check Point Horizon NDR allowing: +This pack and its resources implement the integration with Check Point Infinity NDR allowing: * Collect security events for your secured SaaS periodically. diff --git a/Packs/CheckPointNDR/ReleaseNotes/1_1_0.md b/Packs/CheckPointNDR/ReleaseNotes/1_1_0.md new file mode 100644 index 000000000000..1d23562b83f1 --- /dev/null +++ b/Packs/CheckPointNDR/ReleaseNotes/1_1_0.md 
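Review bot: The new items for `hostnames`, `sentbytes` and `receivedbytes` all carry the same `"id": "5d1a4db0-8bae-11ef-afb5-214168f0d65e"`, while every other item in this section has its own id; duplicate item ids inside one layout section can be collapsed into a single item when the layout is edited or merged on the server, silently dropping the byte counters. Give the `sentbytes` and `receivedbytes` items fresh ids (constructed placeholders `<new-uuid-1>` and `<new-uuid-2>`, generated the same way as the others). Separately, this section no longer contains the `description` and `eventdescriptions` items that parse_insights still populates; if they are not shown elsewhere in the layout (the rest of the file is outside this hunk), the event text is no longer visible on the incident.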
@@ -0,0 +1,31 @@ + +#### Integrations + +##### Check Point Network Detection and Response (Infinity NDR) +- Updated the Docker image to: *demisto/python3:3.11.10.113941*. + +- Added statistics fields +- Added fetching incidents with filtering by minimum probability + + +#### Incident Fields + +##### New: CheckPointNDR Application Names + +- New: A list of application names detected by Check Point NDR. + +##### New: CheckPointNDR Received Bytes + +- New: The total number of bytes received in the event. + +##### New: CheckPointNDR Sent Bytes + +- New: The total number of bytes sent in the event. + + +#### Layouts + +##### Check Point NDR Insight Layout + +- Added the statistics fields to the layout + diff --git a/Packs/CheckPointNDR/pack_metadata.json b/Packs/CheckPointNDR/pack_metadata.json index 087cb2060f79..df0f6a23eee8 100644 --- a/Packs/CheckPointNDR/pack_metadata.json +++ b/Packs/CheckPointNDR/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Check Point Infinity NDR", "description": "Collect network security events from Check Point Infinity NDR for your secured SaaS periodically", "support": "partner", - "currentVersion": "1.0.0", + "currentVersion": "1.1.0", "author": "Check Point", "url": "https://supportcenter.checkpoint.com/", "email": "ndr@checkpoint.com", @@ -11,6 +11,7 @@ ], "tags": [], "useCases": [], + "itemPrefix": "CheckPointNDR", "keywords": [ "Check Point", "CheckPoint",