Trend micro vision one

Packs/TrendMicroVisionOne/.secrets-ignore

@@ -10,13 +10,15 @@ https://apimock-dev.trendmicro.com
 http://someotherurl.com
 http://adsd.com
 10.211.55.36
+SUPPORT@PCTUTORDETROIT.COM
 xxxx@gmail.com
 ghost@trendmicro.com
 https://www.trendmicro.com
 https://somelink.com
 https://tmv1-mock.trendmicro.com
 https://THE_WORKBENCH_URL
 https://THE_TI_REPORT_URL
+10.10.58.51
 10.64.25.134
 10.64.18.27
 192.169.1.1

Packs/TrendMicroVisionOne/Integrations/TrendMicroVisionOneV3/README.md

@@ -396,6 +396,11 @@ Retrieves information about a specific endpoint.
 | VisionOne.Endpoint_Info.os_description | string | Description of the Operating System of the endpoint queried. | 
 | VisionOne.Endpoint_Info.product_code | string | Product code of the Trend Micro product running on the endpoint. | 
 | VisionOne.Endpoint_Info.installed_product_codes | string | Product code of the Trend Micro product installed on the endpoint. | 
+| VisionOne.Endpoint_Info.component_update_policy | string | The update policy for the module/pattern of the agent installed on the endpoint. | 
+| VisionOne.Endpoint_Info.component_update_status | string | The status of the module/pattern updates of the agent installed on the endpoint. | 
+| VisionOne.Endpoint_Info.component_version | string | The agent component version. | 
+| VisionOne.Endpoint_Info.policy_name | string | The name of a policy for an event. |
+| VisionOne.Endpoint_Info.protection_manager | string | The name of your protection manager. |
 
 ### trendmicro-visionone-get-endpoint-activity-data
 
@@ -903,6 +908,14 @@ Fetches details for a specific alert.
 | VisionOne.Alert_Details.alert.created_date_time | string | Datetime in ISO 8601 format \(yyyy-MM-ddThh:mm:ssZ in UTC\) that indicates the created date time of the alert. | 
 | VisionOne.Alert_Details.alert.updated_date_time | string | Datetime in ISO 8601 format \(yyyy-MM-ddThh:mm:ssZ in UTC\) that indicates the last updated date time of the alert. | 
 | VisionOne.Alert_Details.alert.investigation_status | string | Workbench alert status. | 
+| VisionOne.Alert_Details.alert.first_investigated_date_time | string | The date and time the case status was changed to 'In progress' in ISO 8601 format (yyyy-MM-ddThh:mm:ssZ, UTC). | 
+| VisionOne.Alert_Details.alert.incident_id | string | The unique identifier of an incident. | 
+| VisionOne.Alert_Details.alert.case_id | string | The unique identifier of a case. | 
+| VisionOne.Alert_Details.alert.owner_ids | string | The owners of the Workbench alert. | 
+| VisionOne.Alert_Details.alert.model_id | string | ID of the detection model that triggered the alert. | 
+| VisionOne.Alert_Details.alert.model_type | string | Type of the detection model that triggered the alert. | 
+| VisionOne.Alert_Details.alert.status | string | The status of a case or investigation. | 
+| VisionOne.Alert_Details.alert.investigation_result | string | The findings of a case or investigation. | 
 
 ### trendmicro-visionone-run-sandbox-submission-polling
 
@@ -1013,7 +1026,9 @@ Updates the status of a workbench alert.
 | --- | --- | --- |
 | workbench_id | ID of the workbench you would like to update the status for. e.g. workbench_id="WB-14-20190709-00003". | Required | 
 | if_match | Target resource will be updated only if it matches ETag of the target one. Etag is one of the outputs from get_alert_details. e.g. if_match="d41d8cd98f00b204e9800998ecf8427e". | Required | 
-| status | Status to assign to the workbench alert. e.g. status="true_positive". Possible values are: new, in_progress, true_positive, false_positive, benign_true_positive, closed. | Required | 
+| status | Status to assign to the workbench alert. e.g. status="true_positive". Possible values are: open, in_progress, closed. | Required | 
+| inv_status | The status of an investigation. *NOTE: THIS FIELD IS DEPRECATED!* e.g. inv_status="true_positive". Possible values are: new, in_progress, true_positive, false_positive, benign_true_positive, closed. | Optional | 
+| inv_result | The findings of a case or investigation. e.g. status="noteworthy". Possible values are: noteworthy, in_progress, true_positive, false_positive, benign_true_positive, other_findings, no_findings. | Optional | 
 
 #### Context Output
 

Packs/TrendMicroVisionOne/Integrations/TrendMicroVisionOneV3/TrendMicroVisionOneV3.py

@@ -6,30 +6,31 @@
 """IMPORTS"""
 
 import json
-import urllib3
-from datetime import datetime, timedelta, UTC
+from datetime import UTC, datetime, timedelta
 from typing import Any, TypeVar
+
 import pytmv1
+import urllib3
 from pytmv1 import (
-    TiAlert,
-    SaeAlert,
-    ObjectType,
-    ResultCode,
-    ObjectRequest,
-    EmailActivity,
     AccountRequest,
-    EndpointRequest,
-    ExceptionObject,
-    EndpointActivity,
-    SuspiciousObject,
+    AlertStatus,
     CollectFileRequest,
     CollectFileTaskResp,
     CustomScriptRequest,
-    InvestigationStatus,
+    EmailActivity,
     EmailMessageIdRequest,
     EmailMessageUIdRequest,
+    EndpointActivity,
+    EndpointRequest,
+    ExceptionObject,
+    ObjectRequest,
+    ObjectType,
+    ResultCode,
+    SaeAlert,
+    SuspiciousObject,
     SuspiciousObjectRequest,
     TerminateProcessRequest,
+    TiAlert,
 )
 
 """CONSTANTS"""
@@ -48,6 +49,8 @@
 NAME = "name"
 PATH = "path"
 IF_MATCH = "if_match"
+INV_RESULT = "inv_result"
+INV_STATUS = "inv_status"
 FALSE = "false"
 TRUE = "true"
 POLL = "poll"
@@ -2426,14 +2429,20 @@ def update_status(
     workbench_id = args.get(WORKBENCH_ID, EMPTY_STRING)
     status = args.get(STATUS, EMPTY_STRING)
     if_match = args.get(IF_MATCH, EMPTY_STRING)
+    inv_res = args.get(INV_RESULT, None)
+    inv_sts = args.get(INV_STATUS, None)
     message: dict[str, Any] = {}
     # Choose Status Enum
     sts = status.upper()
     # Assign enum status
-    status = InvestigationStatus[sts]
+    status = AlertStatus[sts]
     # Make rest call
     resp = v1_client.alert.update_status(
-        alert_id=workbench_id, status=status, if_match=if_match
+        alert_id=workbench_id,
+        status=status,
+        etag=if_match,
+        inv_result=inv_res,
+        inv_status=inv_sts,
     )
     # Check if an error occurred during rest call
     if _is_pytmv1_error(resp.result_code):

Packs/TrendMicroVisionOne/Integrations/TrendMicroVisionOneV3/TrendMicroVisionOneV3.yml

@@ -359,6 +359,21 @@ script:
     - contextPath: VisionOne.Endpoint_Info.installed_product_codes
       description: Product code of the Trend Micro product installed on the endpoint.
       type: string
+    - contextPath: VisionOne.Endpoint_Info.component_update_policy
+      description: The update policy for the module/pattern of the agent installed on the endpoint.
+      type: string
+    - contextPath: VisionOne.Endpoint_Info.component_update_status
+      description: The status of the module/pattern updates of the agent installed on the endpoint.
+      type: string
+    - contextPath: VisionOne.Endpoint_Info.component_version
+      description: The agent component version.
+      type: string
+    - contextPath: VisionOne.Endpoint_Info.policy_name
+      description: The name of a policy for an event.
+      type: string
+    - contextPath: VisionOne.Endpoint_Info.protection_manager
+      description: The name of your protection manager.
+      type: string
   - arguments:
     - description: 'Filter (A dictionary object with key/value used to create a query string) for retrieving a subset of endpoint activity data e.g. {"endpointName":"sample-host","macAddress":"00:11:22:33:44:55"}. Complete list of supported fields (https://automation.trendmicro.com/xdr/api-v3#tag/Search/paths/~1v3.0~1search~1endpointActivities/get).'
       name: fields
@@ -1051,6 +1066,30 @@ script:
     - contextPath: VisionOne.Alert_Details.alert.investigation_status
       description: Workbench alert status.
       type: string
+    - contextPath: VisionOne.Alert_Details.alert.first_investigated_date_time
+      description: The date and time the case status was changed to 'In progress' in ISO 8601 format (yyyy-MM-ddThh:mm:ssZ, UTC).
+      type: string
+    - contextPath: VisionOne.Alert_Details.alert.incident_id
+      description: The unique identifier of an incident.
+      type: string
+    - contextPath: VisionOne.Alert_Details.alert.case_id
+      description: The unique identifier of a case.
+      type: string
+    - contextPath: VisionOne.Alert_Details.alert.owner_ids
+      description: The owners of the Workbench alert.
+      type: string
+    - contextPath: VisionOne.Alert_Details.alert.model_id
+      description: ID of the detection model that triggered the alert.
+      type: string
+    - contextPath: VisionOne.Alert_Details.alert.model_type
+      description: Type of the detection model that triggered the alert.
+      type: string
+    - contextPath: VisionOne.Alert_Details.alert.status
+      description: The status of a case or investigation.
+      type: string
+    - contextPath: VisionOne.Alert_Details.alert.investigation_result
+      description: The findings of a case or investigation.
+      type: string
     description: Fetches details for a specific alert.
     name: trendmicro-visionone-get-alert-details
   - arguments:
@@ -1187,17 +1226,37 @@ script:
     - description: Target resource will be updated only if it matches ETag of the target one. Etag is one of the outputs from get_alert_details. e.g. if_match="d41d8cd98f00b204e9800998ecf8427e".
       name: if_match
       required: true
-    - description: Status to assign to the workbench alert. e.g. status="true_positive".
+    - description: Status to assign to the workbench alert. e.g. status="in_progress".
       name: status
       required: true
       auto: PREDEFINED
       predefined:
+      - open
+      - in_progress
+      - closed
+    - description: The status of an investigation, this field is deprecated. e.g. inv_status="in_progress".
+      name: inv_status
+      required: false
+      auto: PREDEFINED
+      predefined:
       - new
+      - closed
       - in_progress
       - true_positive
       - false_positive
       - benign_true_positive
-      - closed
+    - description: The findings of a case or investigation. e.g. inv_result="true_positive".
+      name: inv_result
+      required: false
+      auto: PREDEFINED
+      predefined:
+      - no_findings
+      - noteworthy
+      - in_progress
+      - true_positive
+      - false_positive
+      - other_findings
+      - benign_true_positive
     outputs:
     - contextPath: VisionOne.Update_Status.Workbench_Id
       description: The ID of the workbench that had the status updated.
@@ -1372,7 +1431,7 @@ script:
       type: string
     description: Displays a list of Observed Attack Techniques events that match the specified criteria.
     name: trendmicro-visionone-get-observed-attack-techniques
-  dockerimage: demisto/pytmv1:0.8.7.104820
+  dockerimage: demisto/pytmv1:0.9.1.117354
   isFetchSamples: true
   isfetch: true
   script: ''

Packs/TrendMicroVisionOne/Integrations/TrendMicroVisionOneV3/TrendMicroVisionOneV3_test.py

@@ -1566,11 +1566,9 @@ def test_delete_custom_script(mocker):
 
 # Mock function to add custom script
 def add_custom_script_mock_response(*args, **kwargs):
-    with open("./test_data/add_custom_script.json") as f:
-        return_value: dict[str, str] = json.load(f)
     return Result(
         result_code=ResultCode.SUCCESS,
-        response=AddCustomScriptResp(**return_value),
+        response=AddCustomScriptResp(script_id="44c99cb0-8c5f-4182-af55-62135dbe32f1"),
     )