Align Credentials for Akamai SIEM, GSuite Security Alert Center, Thre…

…atX, RedCanary (#27679) * RedCanary complete * ThreatX complete * GSuiteSecurityAlertCenter complete * Akamai_SIEM complete * fixed integrations * fixed integrations 2 * update ThreatX * update ThreatX
demisto · Jun 25, 2023 · 1e2e7a0 · 1e2e7a0
1 parent c92bf0b
commit 1e2e7a0
Show file tree

Hide file tree

Showing 20 changed files with 189 additions and 135 deletions.
diff --git a/Packs/Akamai_SIEM/.pack-ignore b/Packs/Akamai_SIEM/.pack-ignore
@@ -1,6 +1,7 @@
 [file:Akamai_SIEM.yml]
-ignore=IN126,BA108,BA109,IN145
+ignore=IN126,BA108,BA109
 
 [known_words]
-Akamai
-WAF
+akamai
+waf
+
diff --git a/Packs/Akamai_SIEM/Integrations/Akamai_SIEM/Akamai_SIEM.py b/Packs/Akamai_SIEM/Integrations/Akamai_SIEM/Akamai_SIEM.py
@@ -163,47 +163,47 @@ def events_to_ec(raw_response: List) -> Tuple[List, List, List]:
     for event in raw_response:
         events_ec.append(
             {
-                "AttackData": assign_params(**{
-                    "ConfigID": event.get('attackData', {}).get('configId'),
-                    "PolicyID": event.get('attackData', {}).get('policyId'),
-                    "ClientIP": event.get('attackData', {}).get('clientIP'),
-                    "Rules": decode_message(event.get('attackData', {}).get('rules')),
-                    "RuleMessages": decode_message(event.get('attackData', {}).get('ruleMessages')),
-                    "RuleTags": decode_message(event.get('attackData', {}).get('ruleTags')),
-                    "RuleData": decode_message(event.get('attackData', {}).get('ruleData')),
-                    "RuleSelectors": decode_message(event.get('attackData', {}).get('ruleSelectors')),
-                    "RuleActions": decode_message(event.get('attackData', {}).get('ruleActions'))
-                }),
-                "HttpMessage": assign_params(**{
-                    "RequestId": event.get('httpMessage', {}).get('requestId'),
-                    "Start": event.get('httpMessage', {}).get('start'),
-                    "Protocol": event.get('httpMessage', {}).get('protocol'),
-                    "Method": event.get('httpMessage', {}).get('method'),
-                    "Host": event.get('httpMessage', {}).get('host'),
-                    "Port": event.get('httpMessage', {}).get('port'),
-                    "Path": event.get('httpMessage', {}).get('path'),
-                    "RequestHeaders": event.get('httpMessage', {}).get('requestHeaders'),
-                    "Status": event.get('httpMessage', {}).get('status'),
-                    "Bytes": event.get('httpMessage', {}).get('bytes'),
-                    "ResponseHeaders": event.get('httpMessage', {}).get('responseHeaders')
-                }),
-                "Geo": assign_params(**{
-                    "Continent": event.get('geo', {}).get('continent'),
-                    "Country": event.get('geo', {}).get('country'),
-                    "City": event.get('geo', {}).get('city'),
-                    "RegionCode": event.get('geo', {}).get('regionCode'),
-                    "Asn": event.get('geo', {}).get('asn')
-                })
+                "AttackData": assign_params(
+                    ConfigID=event.get('attackData', {}).get('configId'),
+                    PolicyID=event.get('attackData', {}).get('policyId'),
+                    ClientIP=event.get('attackData', {}).get('clientIP'),
+                    Rules=decode_message(event.get('attackData', {}).get('rules')),
+                    RuleMessages=decode_message(event.get('attackData', {}).get('ruleMessages')),
+                    RuleTags=decode_message(event.get('attackData', {}).get('ruleTags')),
+                    RuleData=decode_message(event.get('attackData', {}).get('ruleData')),
+                    RuleSelectors=decode_message(event.get('attackData', {}).get('ruleSelectors')),
+                    RuleActions=decode_message(event.get('attackData', {}).get('ruleActions'))
+                ),
+                "HttpMessage": assign_params(
+                    RequestId=event.get('httpMessage', {}).get('requestId'),
+                    Start=event.get('httpMessage', {}).get('start'),
+                    Protocol=event.get('httpMessage', {}).get('protocol'),
+                    Method=event.get('httpMessage', {}).get('method'),
+                    Host=event.get('httpMessage', {}).get('host'),
+                    Port=event.get('httpMessage', {}).get('port'),
+                    Path=event.get('httpMessage', {}).get('path'),
+                    RequestHeaders=event.get('httpMessage', {}).get('requestHeaders'),
+                    Status=event.get('httpMessage', {}).get('status'),
+                    Bytes=event.get('httpMessage', {}).get('bytes'),
+                    ResponseHeaders=event.get('httpMessage', {}).get('responseHeaders')
+                ),
+                "Geo": assign_params(
+                    Continent=event.get('geo', {}).get('continent'),
+                    Country=event.get('geo', {}).get('country'),
+                    City=event.get('geo', {}).get('city'),
+                    RegionCode=event.get('geo', {}).get('regionCode'),
+                    Asn=event.get('geo', {}).get('asn')
+                )
             }
         )
 
-        ip_ec.append(assign_params(**{
-            "Address": event.get('attackData', {}).get('clientIP'),
-            "ASN": event.get('geo', {}).get('asn'),
-            "Geo": {
+        ip_ec.append(assign_params(
+            Address=event.get('attackData', {}).get('clientIP'),
+            ASN=event.get('geo', {}).get('asn'),
+            Geo={
                 "Country": event.get('geo', {}).get('country')
             }
-        }))
+        ))
 
         events_human_readable.append(assign_params(**{
             'Attacking IP': event.get('attackData', {}).get('clientIP'),
@@ -354,9 +354,9 @@ def main():
         verify=not params.get('insecure', False),
         proxy=params.get('proxy'),
         auth=EdgeGridAuth(
-            client_token=params.get('clientToken'),
-            access_token=params.get('accessToken'),
-            client_secret=params.get('clientSecret')
+            client_token=params.get('clienttoken_creds', {}).get('password') or params.get('clientToken'),
+            access_token=params.get('accesstoken_creds', {}).get('password') or params.get('accessToken'),
+            client_secret=params.get('clientsecret_creds', {}).get('password') or params.get('clientSecret'),
         )
     )
     commands = {

diff --git a/Packs/Akamai_SIEM/Integrations/Akamai_SIEM/Akamai_SIEM.yml b/Packs/Akamai_SIEM/Integrations/Akamai_SIEM/Akamai_SIEM.yml
@@ -10,16 +10,28 @@ configuration:
   type: 0
 - display: Client token
   name: clientToken
-  required: true
   type: 4
+  hidden: true
+- name: clienttoken_creds
+  type: 9
+  displaypassword: Client token
+  hiddenusername: true
 - display: Access token
   name: accessToken
-  required: true
   type: 4
+  hidden: true
+- name: accesstoken_creds
+  type: 9
+  displaypassword: Access token
+  hiddenusername: true
 - display: Client secret
   name: clientSecret
-  required: true
   type: 4
+  hidden: true
+- name: clientsecret_creds
+  type: 9
+  displaypassword: Client secret
+  hiddenusername: true
 - defaultvalue: '50170'
   display: Config IDs to fetch
   name: configIds
@@ -29,16 +41,16 @@ configuration:
   name: incidentType
   required: false
   type: 13
-- defaultvalue: 1 hours
-  display: First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days)
+- display: First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days)
   name: fetchTime
   required: false
   type: 0
-- defaultvalue: '20'
-  display: Fetch limit (minimum is 20)
+  defaultvalue: 1 hours
+- display: Fetch limit (minimum is 20)
   name: fetchLimit
   required: false
   type: 0
+  defaultvalue: '20'
 - display: Fetch incidents
   name: isFetch
   required: false
@@ -171,7 +183,7 @@ script:
     - contextPath: IP.Geo.Country
       description: The country in which the IP address is located.
       type: String
-  dockerimage: demisto/akamai:1.0.0.45817
+  dockerimage: demisto/akamai:1.0.0.63810
   isfetch: true
   longRunning: false
   longRunningPort: false

diff --git a/Packs/Akamai_SIEM/ReleaseNotes/1_0_11.md b/Packs/Akamai_SIEM/ReleaseNotes/1_0_11.md
@@ -0,0 +1,10 @@
+
+#### Integrations
+
+##### Akamai WAF SIEM
+
+- You can now use credentials when configuring the following fields:
+  - *Client token*
+  - *Access token*
+  - *Client secret*
+- Updated the Docker image to: *demisto/akamai:1.0.0.63810*.
diff --git a/Packs/Akamai_SIEM/pack_metadata.json b/Packs/Akamai_SIEM/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Akamai WAF SIEM",
     "description": "Use the Akamai WAF SIEM integration to retrieve security events from Akamai Web Application Firewall (WAF) service.",
     "support": "xsoar",
-    "currentVersion": "1.0.10",
+    "currentVersion": "1.0.11",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

diff --git a/Packs/GSuiteSecurityAlertCenter/.pack-ignore b/Packs/GSuiteSecurityAlertCenter/.pack-ignore
@@ -1,4 +1,3 @@
-
 [file:incidentfield-GSuiteSAC-Alert-ID.json]
 ignore=IF100
 
@@ -14,8 +13,6 @@ ignore=IF100
 [file:incidentfield-GSuiteSAC-Alert-Type.json]
 ignore=IF100
 
-[file:GSuiteSecurityAlertCenter.yml]
-ignore=IN145
-
 [file:GSuiteSecurityAlertCenter_image.png]
-ignore=IM111
+ignore=IM111
+
diff --git a/...teSecurityAlertCenter/Integrations/GSuiteSecurityAlertCenter/GSuiteSecurityAlertCenter.py b/...teSecurityAlertCenter/Integrations/GSuiteSecurityAlertCenter/GSuiteSecurityAlertCenter.py
@@ -322,7 +322,10 @@ def test_module(gsuite_client, last_run: Dict, params: Dict[str, Any]) -> str:
         list_alerts_params = {
             'pageSize': 1,
         }
-        gsuite_client.set_authorized_http(scopes=SCOPES['ALERT'], subject=params.get('admin_email', ''))
+        gsuite_client.set_authorized_http(
+            scopes=SCOPES['ALERT'],
+            subject=params.get('admin_email_creds', {}).get('identifier') or params.get('admin_email', '')
+        )
         gsuite_client.http_request(url_suffix=URL_SUFFIX['LIST_ALERTS'], method='GET', params=list_alerts_params)
 
         if not gsuite_client.credentials.valid:
@@ -617,7 +620,7 @@ def fetch_incidents(client, last_run: Dict, params: Dict, is_test: bool = False)
             incidents (``List[dict]``): List of incidents that will be created in XSOAR.
     """
 
-    admin_email = params.get('admin_email')
+    admin_email = params.get('admin_email_creds', {}).get('identifier') or params.get('admin_email')
 
     fetch_feedback = params.get('fetch_feedback', False)
     # Validate arguments
@@ -683,7 +686,9 @@ def main() -> None:
 
     try:
         params = demisto.params()
-        service_account_dict = GSuiteClient.safe_load_non_strict_json(params.get('user_service_account_json'))
+        service_account_dict = GSuiteClient.safe_load_non_strict_json(
+            params.get('admin_email_creds', {}).get('password')
+            or params.get('user_service_account_json'))
         verify_certificate = not params.get('insecure', False)
         proxy = params.get('proxy', False)
 
@@ -693,7 +698,8 @@ def main() -> None:
 
         # prepare client class object
         gsuite_client = GSuiteClient(service_account_dict,
-                                     base_url=BASE_URL, verify=verify_certificate,
+                                     base_url=BASE_URL,
+                                     verify=verify_certificate,
                                      proxy=proxy,
                                      headers=headers)
 
@@ -712,7 +718,7 @@ def main() -> None:
             demisto.setLastRun(next_run)
             demisto.incidents(incidents)
         elif command in commands:
-            args['admin_email'] = params.get('admin_email', '')
+            args['admin_email'] = params.get('admin_email_creds', {}).get('identifier') or params.get('admin_email', '')
             return_results(commands[command](gsuite_client, args))
 
     # Log exceptions

diff --git a/...eSecurityAlertCenter/Integrations/GSuiteSecurityAlertCenter/GSuiteSecurityAlertCenter.yml b/...eSecurityAlertCenter/Integrations/GSuiteSecurityAlertCenter/GSuiteSecurityAlertCenter.yml
@@ -20,37 +20,48 @@ configuration:
 - additionalinfo: User's Service Account JSON key.
   display: Service Account JSON
   name: user_service_account_json
-  required: true
   type: 4
   section: Connect
+  hidden: true
+- display: Admin Email
+  name: admin_email_creds
+  type: 9
+  section: Connect
+  displaypassword: Service Account JSON
 - additionalinfo: G Suite domain administrator's email ID that acts on behalf of the end-user
   display: Admin Email
   name: admin_email
-  required: true
   type: 0
   section: Connect
-- additionalinfo: The maximum allowed value is 1000.
+  hidden: true
+- additionalinfo: |-
+    The maximum allowed value is 1000.
   defaultvalue: '15'
   display: Maximum number of incidents per fetch
   name: max_fetch
   required: true
   type: 0
   section: Collect
-- additionalinfo: |-
-    The time range to consider for the initial data fetch.
+- additionalinfo: 'The time range to consider for the initial data fetch.
+
     Formats accepted: YYYY-MM-dd, YYYY-MM-ddTHH:mm:ss, 2 minutes, 2 hours, 2 days, 2 weeks, 2 months, 2 years.
-    Accepted timezone: UTC
-  defaultvalue: 3 days
+
+    Accepted timezone: UTC'
   display: First fetch time interval
   name: first_fetch
   required: false
   type: 0
   section: Collect
-- additionalinfo: |-
-    Add a new type or choose existing multiple alert types. Fetches all types of alerts if left empty.
-    Note: If type is present in the Filter parameter this value will be overwritten.
+  defaultvalue: 3 days
+- additionalinfo: 'Add a new type or choose existing multiple alert types. Fetches all types of alerts if left empty.
+
+    Note: If type is present in the Filter parameter this value will be overwritten.'
   display: Alert Type
   name: alert_type
+  required: false
+  type: 16
+  section: Collect
+  advanced: true
   options:
   - Customer takeout initiated
   - Malware reclassification
@@ -74,39 +85,37 @@ configuration:
   - AppMaker Default Cloud SQL setup
   - Activity Rule
   - Data Loss Prevention
-  required: false
-  type: 16
-  section: Collect
-  advanced: true
-- additionalinfo: |-
-    An advanced filter to fetch the list of alerts.
+- additionalinfo: 'An advanced filter to fetch the list of alerts.
+
     For example: source:"Google" AND type="Suspicious login".
-    Note: This value takes precedence over any filter arguments. To fetch alerts using createTime, use the first fetch time interval parameter.
+
+    Note: This value takes precedence over any filter arguments. To fetch alerts using createTime, use the first fetch time interval parameter.'
   display: Filter
   name: filter
   required: false
   type: 12
   section: Collect
   advanced: true
-- additionalinfo: Fetches the latest type of feedback for each alert.
-  display: Fetch feedback
+- display: Fetch feedback
   name: fetch_feedback
   required: false
   type: 8
   section: Collect
   advanced: true
+  additionalinfo: Fetches the latest type of feedback for each alert.
 - display: Trust any certificate (not secure)
   name: insecure
   required: false
   type: 8
   section: Connect
   advanced: true
-- display: Use system proxy settings
+- advanced: true
+  display: Use system proxy settings
   name: proxy
   required: false
-  type: 8
   section: Connect
-  advanced: true
+  type: 8
+
 description: G Suite Security Alert Center allows users to fetch different alert types such as Suspicious login, Device compromised, Leaked password, and more. Users can delete or recover a single alert or a batch of alerts and retrieve the alert's metadata. This integration allows users to provide feedback for alerts and fetch existing feedback for a particular alert.
 display: G Suite Security Alert Center
 name: G Suite Security Alert Center
@@ -807,7 +816,7 @@ script:
     - contextPath: GSuiteSecurityAlert.Recover.failedAlerts.status
       description: Status of the failed alert recovery.
       type: String
-  dockerimage: demisto/googleapi-python3:1.0.0.63394
+  dockerimage: demisto/googleapi-python3:1.0.0.64077
   feed: false
   isfetch: true
   longRunning: false

diff --git a/Packs/GSuiteSecurityAlertCenter/ReleaseNotes/1_1_29.md b/Packs/GSuiteSecurityAlertCenter/ReleaseNotes/1_1_29.md
@@ -0,0 +1,9 @@
+
+#### Integrations
+
+##### G Suite Security Alert Center
+
+- You can now use credentials when configuring the following fields:
+  - *Admin Email*
+  - *Service Account JSON*
+- Updated the Docker image to: *demisto/googleapi-python3:1.0.0.64077*.
diff --git a/Packs/GSuiteSecurityAlertCenter/pack_metadata.json b/Packs/GSuiteSecurityAlertCenter/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "G Suite Security Alert Center",
     "description": "Fetch alert types, delete or recover alerts, retrieve an alert's metadata, and create or view alert feedback.",
     "support": "xsoar",
-    "currentVersion": "1.1.28",
+    "currentVersion": "1.1.29",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

diff --git a/Packs/RedCanary/.pack-ignore b/Packs/RedCanary/.pack-ignore
@@ -1,2 +1,3 @@
 [file:RedCanary.yml]
-ignore=IN126,IN145
+ignore=IN126
+