Gem Security pack

[liormgem]

Contributing to Cortex XSOAR Content

Make sure to register your contribution by filling the contribution registration form

The Pull Request will be reviewed only after the contribution registration form is filled.

Status

• In Progress
• Ready
• In Hold - (Reason for hold)

Related Issues

fixes: link to the issue

Description

Pack Gem integrates with the Gem Security platform.
Pack includes:

• 1 Automation
• 3 Classifiers
• 16 Incident Fields
• 1 Incident Type
• 1 Integration
• 1 Layout
• 3 Playbooks
• 1 Pre-process Rule

Must have

• Tests
• Documentation

[CLAassistant]

All committers have signed the CLA.

[kgal-pan]

@liormgem - Thanks for the contribution. When filling out the Contribution Form, use gem-security-18933 as your Partner ID.

[merit-maita]

@liormgem - Thanks for the contribution. When filling out the Contribution Form, use gem-security-18933 as your Partner ID.

@liormgem can you please address this comment, so i can go ahead and review the pr

[melamedbn]

Hi @liormgem,

I've reviewed your contribution. Thank you for your effort and dedication. I would appreciate it if you could address the following feedback:

Classification and Mapping

1. Classifier Functionality: It may be beneficial to review the classifier to ensure it correctly classifies alerts. If there are any improvements needed, we can work on them together.
2. Mapping Differences: Could you help me understand if there are any differences between the mapping done in 'Gem Mapper' and 'Gem Mapper Webhook'? This would help us ensure consistency and efficiency in our mapping process.

Playbooks

Gem Handle Alert for Root Usage

1. Task '1' Adjustment: To ensure the playbook closes automatically, let's adjust the else path to lead either to the Done section header or to an error handling path.
2. Inputs and Outputs Clarification: I noticed that the playbook has no inputs and outputs. Is this intended? If so, could you explain the reasoning behind it?
3. Question Marks Addition: Let's add question marks where needed, such as in Task '1', to ensure clarity and understanding for anyone reviewing the playbook.
4. Grid Alignment: Could you please fix the arrow exiting task '4' so that it leads correctly to task '11' on the grid?
5. Task '10' and '11' Clarification: It would be helpful to clarify the need for both tasks '10' and '11'. Additionally, let's enhance the title of Task '10' to provide more context and clarity.
6. Task '2' Adjustment: For Task '2', let's remove the index position ".[1]" and ".[0]" and use the path instead.
7. Task '6' Enhancement: For Task '6', let's first deduplicate and then count the number of unique values. Additionally, add a conditional task that counts the usernames and checks using 'greater or equals to'.
8. Task '7' Adjustment: Similar to Task '1', let's ensure the else path in Task '7' leads either to the Done section header or to an error handling path.

Gem Handle ec2

1. Task '7' Clarification: What happens if it's not an EC2 instance?
2. Task '1' Title Enhancement: Let's put a more descriptive title for Task '1'.
3. Task '1' Slack User Check: We need to make sure the Slack user is provided via the inputs or else the ASK task might not be relevant.

Gem Validate triggering event

1. Grid Alignment: Please fix the arrow exiting the Playbook Triggered header directing to task '10' on the grid.
2. Question Marks Addition: Add question marks where needed for clarity.
3. Task '10' Adjustment: To ensure the playbook closes automatically, let's adjust the else path in Task '10' to lead either to the Done section header or to an error handling path.

Incident Fields

1. New Incident Fields: Why were new incident fields created if most are available in our common types (OOTB)? When using OOTB fields, they will be mapped in a way that fits more OOTB content items.

Layout

1. Section Width Adjustment: Let's adjust the width of the sections so we won't have blank spaces.

Please let me know if there are any more revisions needed or if there's anything else I can assist you with.

Best regards,
Ben

[liormgem]

Hi @melamedbn,
Thank you for the feedback.
The new Incident Fields were changed to the relevant OOTB fields in case we found one.

All your remarks were addressed and fixed, answers to your clarification questions are below:

Classification and Mapping
2. Mapping Differences: Could you help me understand if there are any differences between the mapping done in 'Gem Mapper' and 'Gem Mapper Webhook'? This would help us ensure consistency and efficiency in our mapping process.

There are small differences in the way the webhook sends the Gem alerts and the way the fetching Endpoint serves it.
For example - the Gem Alert ID in the webhook is mapped from event.alert_id and in the regular mapper from metadata.alert_id

Playbooks
Gem Handle Alert for Root Usage
2. Inputs and Outputs Clarification: I noticed that the playbook has no inputs and outputs. Is this intended? If so, could you explain the reasoning behind it?

It is.
It gets all the information it needs from the relevant Gem Alert and is meant to be attached to one.

Gem Handle ec2

1. Task '7' Clarification: What happens if it's not an EC2 instance?

The playbook is not relevant in this case.
Will add a Done section header.

3. Task '1' Slack User Check: We need to make sure the Slack user is provided via the inputs or else the ASK task might not be relevant.

It’s still relevant manually and I think that’s ok

Thanks,
Lior

[melamedbn]

Hi @melamedbn, Thank you for the feedback. The new Incident Fields were changed to the relevant OOTB fields in case we found one.

All your remarks were addressed and fixed, answers to your clarification questions are below:

Classification and Mapping
2. Mapping Differences: Could you help me understand if there are any differences between the mapping done in 'Gem Mapper' and 'Gem Mapper Webhook'? This would help us ensure consistency and efficiency in our mapping process.

There are small differences in the way the webhook sends the Gem alerts and the way the fetching Endpoint serves it. For example - the Gem Alert ID in the webhook is mapped from event.alert_id and in the regular mapper from metadata.alert_id

Playbooks
Gem Handle Alert for Root Usage
2. Inputs and Outputs Clarification: I noticed that the playbook has no inputs and outputs. Is this intended? If so, could you explain the reasoning behind it?

It is. It gets all the information it needs from the relevant Gem Alert and is meant to be attached to one.

Gem Handle ec2

1. Task '7' Clarification: What happens if it's not an EC2 instance?

The playbook is not relevant in this case. Will add a Done section header.

3. Task '1' Slack User Check: We need to make sure the Slack user is provided via the inputs or else the ASK task might not be relevant.

It’s still relevant manually and I think that’s ok

Thanks, Lior

Great. Please modify the content items and ping me back for review verification.

Ben

[liormgem]

Hi @melamedbn, Thank you for the feedback. The new Incident Fields were changed to the relevant OOTB fields in case we found one.
All your remarks were addressed and fixed, answers to your clarification questions are below:

Classification and Mapping
2. Mapping Differences: Could you help me understand if there are any differences between the mapping done in 'Gem Mapper' and 'Gem Mapper Webhook'? This would help us ensure consistency and efficiency in our mapping process.

There are small differences in the way the webhook sends the Gem alerts and the way the fetching Endpoint serves it. For example - the Gem Alert ID in the webhook is mapped from event.alert_id and in the regular mapper from metadata.alert_id

Playbooks
Gem Handle Alert for Root Usage
2. Inputs and Outputs Clarification: I noticed that the playbook has no inputs and outputs. Is this intended? If so, could you explain the reasoning behind it?

It is. It gets all the information it needs from the relevant Gem Alert and is meant to be attached to one.

Gem Handle ec2

1. Task '7' Clarification: What happens if it's not an EC2 instance?

The playbook is not relevant in this case. Will add a Done section header.

3. Task '1' Slack User Check: We need to make sure the Slack user is provided via the inputs or else the ASK task might not be relevant.

It’s still relevant manually and I think that’s ok
Thanks, Lior

Great. Please modify the content items and ping me back for review verification.

Ben

Hi @melamedbn,
Items modified.

[kgal-pan]

@liormgem - See https://app.circleci.com/pipelines/github/demisto/content/359788/workflows/d8957b00-e011-469b-abea-dcd1ab231f03/jobs/747032?invite=true#step-116-217_45. Can you please sync your fork with upstream?

[maimorag]

Hi @liormgem,
Thank you for your contribution!
Good work :)

[maimorag]

Type 4 is deprecated, please use type 9 instead.
For example:

Suggested change

	- display: Service Account ID
	additionalinfo: The Service Account ID to use for connection
	name: client_id
	type: 0
	section: Connect
	required: true
	- display: Service Account Secret
	additionalinfo: The Service Account Secret to use for connection
	name: client_secret
	type: 4
	section: Connect
	required: true
	- display: Service Account ID
	name: credentials
	defaultvalue: ""
	type: 9
	required: true
	section: Connect
	displaypassword: Service Account Secret

[maimorag]

After changing to type 9 since type 4 is deprecated:

Suggested change

	client_id=params['client_id'],
	client_secret=params['client_secret']
	client_id=demisto.getParam('credentials')['identifier'],
	client_secret=demisto.getParam('credentials')['password']

[maimorag]

you can use http_request from the CommonServerPython http_request and to add error handler which outputs the new formatted error message.

[liormgem]

I'm using this function to add the Authorization header to the request

[maimorag]

@liormgem I still recommend using the 'http_request' function from CommonServerPython.
It's supported within XSOAR, ensuring compatibility, and we actively maintain it, promptly adapting it to any changes that may arise.

Additionally, I'm available to assist you in integrating it into your code if needed.

However, if you still prefer to use your own 'http_request', you can proceed with that choice and resolve this note.

[maimorag]

If start_time and end_time is required parameters then the user can't run the command without them.

[maimorag]

same as above

[maimorag]

Please make sure those required in the command as well

[maimorag]

Please make sure those required in the command as well

[liormgem]

Hi @maimorag,
Thank you for the review.
All comments were fixed.

I'm working on uploading the example video to the demisto-assets repo and then I'll submit the Contribution form.

Lior

[ssokolovich]

Hey @liormgem

A couple of notes from my side.

1. Note that I usually suggest not using the exact brand GEM in the commands. In case a customer would like to copy your integration, he will need to change all the OOTB playbooks as well (there is an option to choose the non-brand command from the PB itself). This isn't required, however, a tip from my experience.
   
2. Usually we add a Done task at the end. Just a cosmetic tip.
   
3. Note that you don't have a playbook associated with your incident type. Once the investigation started the user would need to choose how to handle it automatically.
   
4. Extracting all indicators from all fields might impact server performance, hence, suggesting to extract indicators from only necessary fields (basically the ones that you mapped).
   

Let me know if you need me to elaborate more on a point or help with anything else.
Cheers!

[ssokolovich]

Would like to suggest moving some of the fields under the case details to the investigation data (or even expanding the case details section), since if all the fields may be mapped, the user might miss that info.
Not mandatory but nice to have (of course analysts will appreciate it :) ).

[liormgem]

Hi @ssokolovich,
Thank you for the review.

1. I think that would be fine with the amount of content we have.
2. Will be Added
3. Customers we consulted prefer to not have a default playbook
4. There are indicators in other parts of the incident, not just in the mapped fields and we would like it to be processed. The number of incidents is low enough (not less than 10 a day) to not have an impact.
5. We will leave it as it is, for now, it's extra information.

Lior

[ssokolovich]

Cool! so just let me know when you fix # 2 and also please remember to update the playbook images.
Then waiting for your update @liormgem.
Cheers!

[liormgem]

Great, done.
@ssokolovich

[maimorag]

Hey @liormgem, the code looks good!

We're ready for a demo. Please check this page, and let me know when you're available for one over DFIR.
Feel free also to send me a recording of a demo.

I'll be on PTO from May 12th to May 19th. Apologies for any delay in advance.

[github-actions]

Thank you for your contribution. Your external PR has been merged and the changes are now included in an internal PR for further review. The internal PR will be merged to the master branch within 3 business days.