Add support for IoC Incident Feed (#38473)

* Add support for IoC Incident Feed (#37021) * - Fixed mirroring feature - Added support for IoC Incident Feed - Added internal identifier of alert to incident fields * minor fixes * code fixes according to the review comments * updated release notes: added information about breaking changes * update release notes * update release notes * update cyberint alerts test * code refactoring * code refactoring * improve tests * improve tests * improve tests * improve tests * fix commit details * fix commit * fix commit * fix commit * fix commit * fix commit * fix commit * fix commit * fix commit * fix commit * fix commit * fix commit * fix commit * fix pre-commit * fix pre-commit * fix pre-commit * fix pre-commit * fix pre-commit * fix pre-commit * fix pre-commit * fix pre-commit * fix pre-commit issues * fix pre-commit issues * fix pre-commit issues * fix pre-commit issues * fix pre-commit issues * pc * bc fle * rn --------- Co-authored-by: klevitskiy-cyberint <[email protected]> Co-authored-by: MLainer1 <[email protected]> Co-authored-by: MLainer1 <[email protected]>
demisto · Feb 12, 2025 · a62c8ff · a62c8ff
1 parent 9515144
commit a62c8ff
Show file tree

Hide file tree

Showing 34 changed files with 2,975 additions and 413 deletions.
diff --git a/Packs/Cyberint/.pack-ignore b/Packs/Cyberint/.pack-ignore
@@ -1,5 +1,5 @@
 [file:classifier-mapper-incoming-CyberInt.json]
-ignore=BA101
+ignore=BA101,GR103
 
 [file:incidentfield-Cyberint_CyberInt_Alert_ID.json]
 ignore=IF100
@@ -10,6 +10,15 @@ ignore=IF100
 [file:incidentfield-Cyberint_CyberInt_Vulnerable_CName_Record.json]
 ignore=BA116
 
+[file:incidentfield-Cyberint_CyberInt_ID.json]
+ignore=IF115,IF106,BA116,IF113
+
+[file:Packs/Cyberint/ReleaseNotes/1_1_4.md]
+ignore=RN115
+
+[file:Packs/Cyberint/ReleaseNotes/1_1_5.md]
+ignore=RN115,RN114
+
 [known_words]
 Cyberint
 

diff --git a/Packs/Cyberint/.secrets-ignore b/Packs/Cyberint/.secrets-ignore
@@ -8,4 +8,6 @@ [email protected].
 [email protected]
 https://test.cyberint.io
 http://website.com
-https://cyberint.com
+https://cyberint.com
+http://www.tal1.com/
+https://yourcompany.cyberint.io
diff --git a/Packs/Cyberint/Classifiers/classifier-mapper-incoming-CyberInt.json b/Packs/Cyberint/Classifiers/classifier-mapper-incoming-CyberInt.json
@@ -7,6 +7,9 @@
             "dontMapEventToLabels": false,
             "internalMapping": {
                 "Alert ID": {
+                    "simple": "id"
+                },
+                "CyberInt Alert ID": {
                     "simple": "ref_id"
                 },
                 "Alert Name": {
@@ -29,9 +32,6 @@
 						]
 					}
 				},
-                "CyberInt Alert ID": {
-                    "simple": "ref_id"
-                },
                 "CyberInt Attachments": {
                     "complex": {
                         "filters": [],
@@ -96,7 +96,8 @@
                             }
                         ]
                     }
-                },"CyberInt Impacts": {
+                },
+                "CyberInt Impacts": {
                     "complex": {
                         "filters": [],
                         "root": "impacts",
@@ -171,6 +172,9 @@
                 "CyberInt Threat Actor": {
                     "simple": "threat_actor"
                 },
+                "name": {
+                    "simple": "alert_name"
+                },
                 "CyberInt Ticket ID": {
                     "simple": "ticket_id"
                 },
@@ -219,9 +223,6 @@
                 "Threat Actor": {
                     "simple": "threat_actor"
                 },
-                "name": {
-                    "simple": "alert_name"
-                },
                 "occurred": {
                     "complex": {
                         "filters": [],
@@ -242,7 +243,31 @@
                     }
                 },
                 "severity": {
-                    "simple": "severity"
+                    "complex": {
+                        "filters": [],
+                        "root": "severity",
+                        "transformers": [
+                            {
+                                "args": {
+                                    "input_values": {
+                                        "isContext": false,
+                                        "value": {
+                                            "complex": null,
+                                            "simple": "low,medium,high,very_high"
+                                        }
+                                    },
+                                    "mapped_values": {
+                                        "isContext": false,
+                                        "value": {
+                                            "complex": null,
+                                            "simple": "1,2,3,4"
+                                        }
+                                    }
+                                },
+                                "operator": "MapValuesTransformer"
+                            }
+                        ]
+                    }
                 },
                 "source": {
                     "simple": "source"
@@ -253,14 +278,14 @@
             "dontMapEventToLabels": false,
             "internalMapping": {
                 "Alert ID": {
+                    "simple": "id"
+                },
+                "CyberInt Alert ID": {
                     "simple": "ref_id"
                 },
                 "Alert Name": {
                     "simple": "title"
                 },
-                "CyberInt Alert ID": {
-                    "simple": "ref_id"
-                },
                 "CyberInt Attachments": {
                     "complex": {
                         "filters": [],
@@ -271,6 +296,9 @@
                 "CyberInt Closure reason": {
                     "simple": "closure_reason"
                 },
+                "CyberInt Closure reason Description": {
+                    "simple": "closure_reason_description"
+                },
                 "CyberInt Confidence": {
                     "simple": "confidence"
                 },
@@ -371,7 +399,8 @@
                         "root": "tags",
                         "transformers": []
                     }
-                },"CyberInt Descriptors": {
+                },
+                "CyberInt Descriptors": {
                     "complex": {
                         "filters": [],
                         "root": "tags",
@@ -479,7 +508,7 @@
                     "simple": "mirror_instance"
                 },
                 "name": {
-                    "simple": "alert_name"
+                    "simple": "title"
                 },
                 "occurred": {
                     "complex": {
@@ -504,7 +533,27 @@
                     "complex": {
                         "filters": [],
                         "root": "severity",
-                        "transformers": []
+                        "transformers": [
+                            {
+                                "args": {
+                                    "input_values": {
+                                        "isContext": false,
+                                        "value": {
+                                            "complex": null,
+                                            "simple": "low,medium,high,very_high"
+                                        }
+                                    },
+                                    "mapped_values": {
+                                        "isContext": false,
+                                        "value": {
+                                            "complex": null,
+                                            "simple": "1,2,3,4"
+                                        }
+                                    }
+                                },
+                                "operator": "MapValuesTransformer"
+                            }
+                        ]
                     }
                 },
                 "source": {
@@ -513,7 +562,7 @@
             }
         }
     },
-    "name": "CyberInt (mapper)",
+    "name": "abcd-5678",
     "type": "mapping-incoming",
     "version": -1,
     "fromVersion": "6.0.0"

diff --git a/Packs/Cyberint/Classifiers/classifier-mapper-outgoing-CyberInt.json b/Packs/Cyberint/Classifiers/classifier-mapper-outgoing-CyberInt.json
@@ -1,34 +1,36 @@
 {
-    "description": "",
-    "feed": false,
-    "id": "CyberInt Outgoing (mapper)",
-    "mapping": {
-        "Cyberint Incident": {
-            "dontMapEventToLabels": true,
-            "internalMapping": {
-                "closure_reason": {
-                    "simple": "cyberintclosurereason"
-                },
-                "closure_reason_description": {
-                    "simple": "cyberintclosurereasondescription"
-                },
-                "mirror_direction": {
-                    "simple": "dbotMirrorDirection"
-                },
-                "mirror_instance": {
-                    "simple": "dbotMirrorInstance"
-                },
-                "ref_id": {
-                    "simple": "dbotMirrorId"
-                },
-                "status": {
-                    "simple": "cyberintstatus"
-                }
-            }
-        }
-    },
-    "name": "CyberInt Outgoing (mapper)",
-    "type": "mapping-outgoing",
-    "version": -1,
+	"defaultIncidentType": "",
+	"definitionId": "",
+	"description": "",
+	"feed": false,
+	"id": "CyberInt Outgoing (mapper)",
+	"mapping": {
+		"Cyberint Incident": {
+			"dontMapEventToLabels": true,
+			"internalMapping": {
+				"closure_reason": {
+					"simple": "cyberintclosurereason"
+				},
+				"closure_reason_description": {
+					"simple": "cyberintclosurereasondescription"
+				},
+				"mirror_direction": {
+					"simple": "dbotMirrorDirection"
+				},
+				"mirror_instance": {
+					"simple": "dbotMirrorInstance"
+				},
+				"ref_id": {
+					"simple": "dbotMirrorId"
+				},
+				"status": {
+					"simple": "cyberintstatus"
+				}
+			}
+		}
+	},
+	"name": "CyberInt Outgoing (mapper)",
+	"type": "mapping-outgoing",
+	"version": -1,
     "fromVersion": "6.0.0"
-}
+}
diff --git a/Packs/Cyberint/IncidentFields/incidentfield-CyberInt_Related_entity.json b/Packs/Cyberint/IncidentFields/incidentfield-CyberInt_Related_entity.json
@@ -1,7 +1,7 @@
 {
     "id": "incident_cyberintrelatedentity",
     "version": -1,
-    "name": "CyberInt Related Entity",
+    "name": "Cyberint Related Entity",
     "ownerOnly": false,
     "cliName": "cyberintrelatedentity",
     "type": "multiSelect",
@@ -27,4 +27,4 @@
     "threshold": 72,
     "fromVersion": "6.0.0",
     "openEnded": true
-}
+}
diff --git a/Packs/Cyberint/IncidentFields/incidentfield-CyberInt_Targeted_Brands.json b/Packs/Cyberint/IncidentFields/incidentfield-CyberInt_Targeted_Brands.json
@@ -1,7 +1,7 @@
 {
     "id": "incident_cyberinttargetedbrands",
     "version": -1,
-    "name": "CyberInt Targeted Brands",
+    "name": "Cyberint Targeted Brands",
     "ownerOnly": false,
     "cliName": "cyberinttargetedbrands",
     "type": "multiSelect",

diff --git a/Packs/Cyberint/IncidentFields/incidentfield-Cyberint_Closure_reason.json b/Packs/Cyberint/IncidentFields/incidentfield-Cyberint_Closure_reason.json
@@ -13,7 +13,7 @@
     "id": "incident_cyberintclosurereason",
     "isReadOnly": false,
     "locked": false,
-    "name": "CyberInt Closure reason",
+    "name": "Cyberint Closure reason",
     "neverSetAsRequired": false,
     "openEnded": false,
     "ownerOnly": false,

diff --git a/Packs/Cyberint/IncidentFields/incidentfield-Cyberint_Closure_reason_Description.json b/Packs/Cyberint/IncidentFields/incidentfield-Cyberint_Closure_reason_Description.json
@@ -24,7 +24,7 @@
     "threshold": 72,
     "type": "shortText",
     "unmapped": false,
-    "unsearchable": true,
+    "unsearchable": false,
     "useAsKpi": false,
     "version": -1,
     "fromVersion": "6.0.0"

diff --git a/...tfield-Cyberint_CyberInt_Created_by .json → ...ntfield-Cyberint_CyberInt_Created_by.json b/...tfield-Cyberint_CyberInt_Created_by .json → ...ntfield-Cyberint_CyberInt_Created_by.json
diff --git a/...lds/incidentfield-CyberInt_File_Type.json → ...entfield-Cyberint_CyberInt_File_Type.json b/...lds/incidentfield-CyberInt_File_Type.json → ...entfield-Cyberint_CyberInt_File_Type.json
@@ -13,7 +13,7 @@
     "id": "incident_cyberintfiletype",
     "isReadOnly": false,
     "locked": false,
-    "name": "CyberInt File Type",
+    "name": "Cyberint File Type",
     "neverSetAsRequired": false,
     "openEnded": false,
     "ownerOnly": false,

diff --git a/Packs/Cyberint/IncidentFields/incidentfield-Cyberint_CyberInt_ID.json b/Packs/Cyberint/IncidentFields/incidentfield-Cyberint_CyberInt_ID.json
@@ -0,0 +1,30 @@
+{
+    "id": "incident_cyberintincidentid",
+    "version": -1,
+    "modified": "2024-10-27T20:50:43.871414193+02:00",
+    "name": "CyberInt Alert URL ID",
+    "ownerOnly": false,
+    "cliName": "cyberintincidentid",
+    "type": "shortText",
+    "closeForm": false,
+    "editForm": true,
+    "required": false,
+    "neverSetAsRequired": false,
+    "isReadOnly": false,
+    "useAsKpi": false,
+    "locked": false,
+    "system": false,
+    "content": true,
+    "group": 0,
+    "hidden": false,
+    "associatedTypes": [
+        "Cyberint Incident"
+    ],
+    "associatedToAll": false,
+    "unmapped": false,
+    "unsearchable": true,
+    "caseInsensitive": true,
+    "sla": 0,
+    "threshold": 72,
+    "fromVersion": "6.0.0"
+}
diff --git a/Packs/Cyberint/IncidentFields/incidentfield-Cyberint_CyberInt_Vulnerable_CName_Record.json b/Packs/Cyberint/IncidentFields/incidentfield-Cyberint_CyberInt_Vulnerable_CName_Record.json
@@ -4,7 +4,7 @@
     "modified": "2021-02-22T21:50:43.871414193+02:00",
     "name": "CyberInt Vulnerable CName Record",
     "ownerOnly": false,
-    "cliName": "vulnerablecnamerecord",
+    "cliName": "cyberinvulnerablecnamerecord",
     "type": "shortText",
     "closeForm": false,
     "editForm": true,