Add command prisma-cloud-compute-get-file-integrity-events

Packs/PrismaCloudCompute/Integrations/PaloAltoNetworks_PrismaCloudCompute/PaloAltoNetworks_PrismaCloudCompute.py

@@ -419,6 +419,32 @@ def get_logs_defender_download_request(self, hostname, lines):
         headers = self._headers
         return self._http_request('get', 'logs/defender/download', params=params, headers=headers, resp_type="content")
 
+    def get_file_integrity_events(self, limit, sort, hostname=None, event_id=None, from_date=None,
+                                  to_date=None, search_term=None):
+        """
+        Get runtime file integrity audit events
+
+        Args:
+            hostname (str): The hostname for which to get runtime file integrity events
+
+        Returns:
+            HTTP response
+        """
+        endpoint = "audits/runtime/file-integrity"
+
+        headers = self._headers
+        params = {
+            "hostname": hostname,
+            "id": event_id,
+            "limit": limit,
+            "from": from_date,
+            "to": to_date,
+            "search": search_term,
+            "sort": "time",
+            "reverse": sort == "desc"
+        }
+        return self._http_request('get', endpoint, params=params, headers=headers)
+
 
 def format_context(context):
     """
@@ -1967,6 +1993,42 @@ def get_logs_defender_download_command(client: PrismaCloudComputeClient, args: d
     return fileResult(f"{hostname}-logs.tar.gz", response, entryTypes["entryInfoFile"])
 
 
+def get_file_integrity_events_command(client: PrismaCloudComputeClient, args: dict):
+    """
+    Get runtime file integrity audit events for the given hostname
+
+    Args:
+        client (PrismaCloudComputeClient): prisma-cloud-compute client.
+        args (dict): prisma-cloud-compute-get-file-integrity-events command arguments
+
+    Returns:
+        HTTP Response object
+    """
+    hostname = args.get('hostname')
+    event_id = args.get('event_id')
+    limit = args.get('limit')
+    from_date = args.get('from_date')
+    to_date = args.get('to_date')
+    search_term = args.get('search_term')
+    sort = args.get('sort')
+
+    response = client.get_file_integrity_events(
+        limit, sort, hostname=hostname, event_id=event_id,
+        from_date=from_date, to_date=to_date, search_term=search_term
+    )
+    if not response:
+        readable_output = "No results for the given search."
+    else:
+        readable_output = None
+    return CommandResults(
+        outputs_prefix='PrismaCloudCompute.FileIntegrity',
+        outputs_key_field='_id',
+        outputs=format_context(response),
+        raw_response=response,
+        readable_output=readable_output
+    )
+
+
 def unstuck_fetch_stream_command():
     """
     Adds a field to ensure that is_command_is_fetch will recognize the next fetch incidents run as fetch.
@@ -2100,6 +2162,8 @@ def main():
             return_results(results=get_logs_defender_download_command(client=client, args=demisto.args()))
         elif requested_command == "prisma-cloud-compute-unstuck-fetch-stream":
             return_results(unstuck_fetch_stream_command())
+        elif requested_command == "prisma-cloud-compute-get-file-integrity-events":
+            return_results(results=get_file_integrity_events_command(client=client, args=demisto.args()))
     # Log exceptions
     except Exception as e:
         return_error(f'Failed to execute {requested_command} command. Error: {str(e)}')

Packs/PrismaCloudCompute/Integrations/PaloAltoNetworks_PrismaCloudCompute/PaloAltoNetworks_PrismaCloudCompute.yml

@@ -74,7 +74,7 @@ description: Use the Prisma Cloud Compute integration to fetch incidents from yo
 display: Palo Alto Networks - Prisma Cloud Compute
 name: PaloAltoNetworks_PrismaCloudCompute
 script:
-  dockerimage: demisto/python3:3.10.13.73190
+  dockerimage: demisto/python3:3.10.13.74666
   isfetch: true
   runonce: false
   script: "-"
@@ -1960,6 +1960,71 @@ script:
     - contextPath: PrismaCloudCompute.Backups.Time
       description: The time of the backup.
       type: Date
+  - description: Get runtime file integrity audit events.
+    name: prisma-cloud-compute-get-file-integrity-events
+    arguments:
+    - name: hostname
+      description: Hostname for which to get runtime file integrity audit events. Either event_id or hostname is required.
+    - name: event_id
+      description: Event ID of runtime file integrity audit event for which to get details. Either event_id or hostname is required.
+    - name: limit
+      description: Limit on number of events to return. Only relevant if filtering by hostname.
+      defaultValue: "10"
+    - description: 'Minimum timestamp for event search. Format: YYYY-mm-ddTHH:MM:SSZ.'
+      name: from_date
+    - description: 'Maximum timestamp for event search. Format: YYYY-mm-ddTHH:MM:SSZ.'
+      name: to_date
+    - description: Search term to search events for.
+      name: search_term
+    - auto: PREDEFINED
+      defaultValue: desc
+      description: Whether to sort by ascending or descending time.
+      name: sort
+      predefined:
+      - asc
+      - desc
+    outputs:
+    - contextPath: PrismaCloudCompute.FileIntegrity.Path
+      description: The absolute path of the event.
+      type: string
+    - contextPath: PrismaCloudCompute.FileIntegrity.RuleName
+      description: The name of the applied rule for auditing file integrity rules.
+      type: string
+    - contextPath: PrismaCloudCompute.FileIntegrity.AccountID
+      description: The cloud account ID.
+      type: string
+    - contextPath: PrismaCloudCompute.FileIntegrity.User
+      description: The user that initiated the event.
+      type: string
+    - contextPath: PrismaCloudCompute.FileIntegrity.Time
+      description: The time of the event.
+      type: date
+    - contextPath: PrismaCloudCompute.FileIntegrity.Hostname
+      description: The hostname on which the event was found.
+      type: string
+    - contextPath: PrismaCloudCompute.FileIntegrity.EventType
+      description: 'Represents the type of the file integrity event. Possible values: [metadata,read,write].'
+      type: string
+    - contextPath: PrismaCloudCompute.FileIntegrity.Collections
+      description: Collections to which this event applies.
+    - contextPath: PrismaCloudCompute.FileIntegrity.Fqdn
+      description: The current fully qualified domain name used in audit alerts.
+      type: string
+    - contextPath: PrismaCloudCompute.FileIntegrity.FileType
+      description: Represents the file type.
+      type: number
+    - contextPath: PrismaCloudCompute.FileIntegrity.ProcessName
+      description: The name of the process that initiated the event.
+      type: string
+    - contextPath: PrismaCloudCompute.FileIntegrity.Cluster
+      description: The cluster on which the event was found.
+      type: string
+    - contextPath: PrismaCloudCompute.FileIntegrity._Id
+      description: The activity's unique identifier.
+      type: string
+    - contextPath: PrismaCloudCompute.FileIntegrity.Description
+      description: A human readable description of the action performed on the path.
+      type: string
   - description: Use this command to unstuck the fetch stream in case it's getting duplicated incidents.
     name: prisma-cloud-compute-unstuck-fetch-stream
 tests:

Packs/PrismaCloudCompute/Integrations/PaloAltoNetworks_PrismaCloudCompute/PaloAltoNetworks_PrismaCloudCompute_description.md

@@ -11,3 +11,7 @@ This integration provides the ability to import **Palo Alto Networks - Prisma Cl
 5. On the right, select the alert triggers. Alert triggers specify which alerts are sent to Cortex XSOAR.
 6. Click **Save** to save the alert profile.
 7. Make sure you configure the user role to be at least `auditor`, otherwise you will not be able to fetch the alerts.
+
+
+---
+[View Integration Documentation](https://xsoar.pan.dev/docs/reference/integrations/palo-alto-networks-prisma-cloud-compute)

Packs/PrismaCloudCompute/Integrations/PaloAltoNetworks_PrismaCloudCompute/PaloAltoNetworks_PrismaCloudCompute_test.py

@@ -1559,6 +1559,30 @@ def test_get_logs_defender_download_command(requests_mock):
     assert r["File"] == f"{args.get('hostname')}-logs.tar.gz"
 
 
+def test_get_file_integrity_events_command(requests_mock):
+    """
+    Given:
+        - An app client object
+        - Relevant arguments
+    When:
+        - Calling 'prisma-cloud-compute-get-file-integrity-events' command
+    Then:
+        - Ensure the file integrity events output equals the raw_response object which is mocked
+    """
+    from PaloAltoNetworks_PrismaCloudCompute import get_file_integrity_events_command, PrismaCloudComputeClient
+    with open("test_data/file_integrity_events.json") as f:
+        d = json.load(f)
+
+    requests_mock.get(url=BASE_URL + '/audits/runtime/file-integrity', json=d)
+    client = PrismaCloudComputeClient(base_url=BASE_URL, verify='False', project='', auth=('test', 'test'))
+    args = {
+        "hostname": "test123",
+        "limit": 3
+    }
+
+    assert get_file_integrity_events_command(client, args).raw_response == d
+
+
 EXAMPLE_CVES = [
     {
         "cve": "cve1",