riskive · figarrido · Jun 2, 2023 · May 31, 2023
diff --git a/Packs/ZeroFox/Integrations/ZeroFox/ZeroFox.py b/Packs/ZeroFox/Integrations/ZeroFox/ZeroFox.py
@@ -4,11 +4,12 @@
 
 ''' IMPORTS '''
 import requests
+from urllib3 import disable_warnings
 from typing import Dict, List, Any, cast, Union
 from datetime import datetime, timedelta
 
 # Disable insecure warnings
-requests.packages.urllib3.disable_warnings()
+disable_warnings()
 
 ''' GLOBALS/PARAMS '''
 
@@ -479,6 +480,34 @@ def modify_alert_tags_command():
     )
 
 
+def modify_alert_notes(alert_id: int, notes: str) -> Dict:
+    """
+    :param alert_id: The ID of the alert.
+    :param notes: The notes for the alert.
+    :return: HTTP request content.
+    """
+    url_suffix: str = f'/alerts/{alert_id}/'
+    request_body: Dict = {'notes': notes}
+    data: str = json.dumps(request_body)
+    response_content: Dict = http_request('POST', url_suffix, data=data)
+    return response_content
+
+
+def modify_alert_notes_command():
+    args = demisto.args()
+    alert_id: int = dict_value_to_integer(args, 'alert_id')
+    alert_notes: str = args.get('notes', '')
+    response_content: Dict = modify_alert_notes(alert_id, alert_notes)
+    alert: Dict = response_content.get('alert', {})
+    contents: Dict = get_alert_contents(alert)
+    results = CommandResults(
+        readable_output=f'Successful note modification of alert with ID: {alert_id}',
+        outputs=contents,
+        outputs_prefix='ZeroFox.Alert',
+    )
+    return_results(results)
+
+
 def get_alert(alert_id: int) -> Dict:
     """
     :param alert_id: The ID of the alert.
@@ -742,6 +771,7 @@ def main():
         'zerofox-get-entity-types': get_entity_types_command,
         'zerofox-get-policy-types': get_policy_types_command,
         'fetch-incidents': fetch_incidents,
+        'zerofox-modify-alert-notes': modify_alert_notes_command,
     }
     try:
         handle_proxy()

diff --git a/Packs/ZeroFox/Integrations/ZeroFox/ZeroFox.yml b/Packs/ZeroFox/Integrations/ZeroFox/ZeroFox.yml
@@ -336,18 +336,134 @@ script:
     - contextPath: ZeroFox.Alert.EntityAccount
       description: The account associated with the entity.
       type: String
+  - arguments:
+    - default: false
+      description: The ID of an alert. Can be retrieved by running the zerofox-list-alerts command.
+      isArray: false
+      name: alert_id
+      required: true
+      secret: false
+    - default: false
+      description: The modified notes to update in the alert
+      isArray: false
+      name: notes
+      required: true
+      secret: false
+    deprecated: false
+    description: Modify the notes from a specified alert.
+    execution: false
+    name: zerofox-modify-alert-notes
+    outputs:
+    - contextPath: ZeroFox.Alert.AlertType
+      description: The type of an alert.
+      type: String
+    - contextPath: ZeroFox.Alert.OffendingContentURL
+      description: The URL to the site containing content that triggered an alert.
+      type: String
+    - contextPath: ZeroFox.Alert.Assignee
+      description: The user to which an alert is assigned.
+      type: String
+    - contextPath: ZeroFox.Alert.Entity.ID
+      description: The ID of the entity corresponding to the triggered alert.
+      type: Number
+    - contextPath: ZeroFox.Alert.Entity.Name
+      description: The name of the entity corresponding to the triggered alert.
+      type: String
+    - contextPath: ZeroFox.Alert.Entity.Image
+      description: The URL to the profile image of the entity on which an alert was created.
+      type: String
+    - contextPath: ZeroFox.Alert.EntityTerm.ID
+      description: The ID of the entity term corresponding to the triggered alert.
+      type: Number
+    - contextPath: ZeroFox.Alert.EntityTerm.Name
+      description: The name of the entity term corresponding to the triggered alert.
+      type: String
+    - contextPath: ZeroFox.Alert.EntityTerm.Deleted
+      description: Whether an entity term was deleted.
+      type: Boolean
+    - contextPath: ZeroFox.Alert.ContentCreatedAt
+      description: The date-time string indicating when the alerted content was created, in ISO-8601 format.
+      type: Date
+    - contextPath: ZeroFox.Alert.ID
+      description: The ID of an alert.
+      type: Number
+    - contextPath: ZeroFox.Alert.RiskRating
+      description: The risk rating of an alert. Can be "Critical", "High", "Medium", "Low", or "Info".
+      type: Number
+    - contextPath: ZeroFox.Alert.Perpetrator.Name
+      description: For account, post, or page alerts, the perpetrator's social network account display name or the account from which the content was posted.
+      type: String
+    - contextPath: ZeroFox.Alert.Perpetrator.URL
+      description: The URL at which you can view the basic details of the perpetrator.
+      type: String
+    - contextPath: ZeroFox.Alert.Perpetrator.Timestamp
+      description: The timestamp of a post created by a perpetrator.
+      type: Date
+    - contextPath: ZeroFox.Alert.Perpetrator.Type
+      description: The type of perpetrator on which an alert was created. Can be an account, page, or post.
+      type: String
+    - contextPath: ZeroFox.Alert.Perpetrator.ID
+      description: The ZeroFox resource ID of the alert perpetrator.
+      type: Number
+    - contextPath: ZeroFox.Alert.Perpetrator.Network
+      description: The network containing the offending content.
+      type: String
+    - contextPath: ZeroFox.Alert.RuleGroupID
+      description: The ID of the rule group.
+      type: Number
+    - contextPath: ZeroFox.Alert.Status
+      description: The status of an alert. Can be "Open", "Closed", "Takedown:Accepted", "Takedown:Denied", "Takedown:Requested", or "Whitelisted".
+      type: String
+    - contextPath: ZeroFox.Alert.Timestamp
+      description: The date-time string when an alert was created, in ISO-8601 format.
+      type: Date
+    - contextPath: ZeroFox.Alert.RuleName
+      description: The name of the rule on which an alert was created. Outputs "null" if the rule has been deleted.
+      type: String
+    - contextPath: ZeroFox.Alert.LastModified
+      description: The date and time at which an alert was last modified.
+      type: Date
+    - contextPath: ZeroFox.Alert.DarkwebTerm
+      description: Details about the dark web term on which an alert was created. Outputs "null" if the alert has no details.
+      type: String
+    - contextPath: ZeroFox.Alert.Reviewed
+      description: Whether an alert was reviewed.
+      type: Boolean
+    - contextPath: ZeroFox.Alert.Escalated
+      description: Whether an alert was escalated.
+      type: Boolean
+    - contextPath: ZeroFox.Alert.Network
+      description: The network on which an alert was created.
+      type: String
+    - contextPath: ZeroFox.Alert.ProtectedSocialObject
+      description: The protected object corresponding to an alert. If the alert occurred on an entity term, the protected object will be an entity term name. If the alert occurred on a protected account, (account information or an incoming or outgoing content), and it was network defined, the protected object will be an account username. If the alert was not network-defined, the protected object will default to the account's display name. Otherwise, the protected account will be an account display name. For impersonation alerts, the protected object is null.
+      type: String
+    - contextPath: ZeroFox.Alert.Notes
+      description: Notes made on an alert.
+      type: String
+    - contextPath: ZeroFox.Alert.RuleID
+      description: The ID of the rule on which an alert was created. Outputs "null" if the rule has been deleted.
+      type: Number
+    - contextPath: ZeroFox.Alert.Tags
+      description: A list of an alert's tags.
+      type: String
+    - contextPath: ZeroFox.Alert.EntityAccount
+      description: The account associated with the entity.
+      type: String
   - arguments:
     - default: false
       description: The account number of the social network (unique ID).
       isArray: false
       name: account
       required: false
       secret: false
-    - auto: PREDEFINED
-      default: false
+    - default: false
       description: A CSV list of alert types.
       isArray: false
       name: alert_type
+      required: false
+      secret: false
+      auto: PREDEFINED
       predefined:
       - account_information
       - entity_discovery_content
@@ -364,10 +480,9 @@ script:
       - search_query
       - location
       - email
-      required: false
-      secret: false
     - default: false
-      description: The name of the user assigned to an alert.
+      description: |-
+        The name of the user assigned to an alert.
       isArray: false
       name: assignee
       required: false
@@ -670,7 +785,7 @@ script:
       secret: false
     - default: false
       description: |-
-        Comma-separated list of string tags for tagging the entity. 
+        Comma-separated list of string tags for tagging the entity.
         For example:
         label1,label2,label3
       isArray: false
@@ -750,7 +865,11 @@ script:
     - contextPath: ZeroFox.Alert.Status
       description: The status of an alert.
       type: String
-  - arguments:
+  - deprecated: false
+    description: Lists all entities associated with the company of the authorized user.
+    execution: false
+    name: zerofox-list-entities
+    arguments:
     - default: false
       description: Filters by matching email_address substrings.
       isArray: false
@@ -799,10 +918,6 @@ script:
       name: type
       required: false
       secret: false
-    deprecated: false
-    description: Lists all entities associated with the company of the authorized user.
-    execution: false
-    name: zerofox-list-entities
     outputs:
     - contextPath: ZeroFox.Entity.ID
       description: The ID of the entity.
@@ -848,7 +963,7 @@ script:
     description: Shows a table of all policy type names and IDs in the War Room.
     execution: false
     name: zerofox-get-policy-types
-  dockerimage: demisto/python3:3.10.7.33922
+  dockerimage: demisto/python3:3.10.11.61265
   isfetch: true
   longRunning: false
   longRunningPort: false

diff --git a/Packs/ZeroFox/Integrations/ZeroFox/ZeroFox_test.py b/Packs/ZeroFox/Integrations/ZeroFox/ZeroFox_test.py
@@ -1,16 +1,22 @@
+import os
 import json
 import demistomock as demisto
 
+cwd = os.path.dirname(os.path.realpath(__file__))
+test_data_path = os.path.join(cwd, 'TestData')
+
 
 def test_get_alert_contents(mocker):
     mocker.patch.object(demisto, 'params', return_value={
         'url': 'https://api.zerofox.com/1.0'
     })
     from ZeroFox import get_alert_contents
-    with open('./TestData/alert.json') as f:
+    alerts_file_path = os.path.join(test_data_path, 'alert.json')
+    with open(alerts_file_path) as f:
         alert_input = json.load(f)
     result = get_alert_contents(alert_input)
-    with open('./TestData/alert_result.json') as f:
+    alert_result_file_path = os.path.join(test_data_path, 'alert_result.json')
+    with open(alert_result_file_path) as f:
         expected_output = json.load(f)
     assert result == expected_output
 
@@ -20,9 +26,11 @@ def test_get_alert_contents_war_room(mocker):
         'url': 'https://api.zerofox.com/1.0'
     })
     from ZeroFox import get_alert_human_readable_outputs
-    with open('./TestData/alert_result.json') as f:
+    alert_result_file_path = os.path.join(test_data_path, 'alert_result.json')
+    with open(alert_result_file_path) as f:
         contents_input = json.load(f)
     result = get_alert_human_readable_outputs(contents_input)
-    with open('./TestData/contents_result.json') as f:
+    contents_result_file_path = os.path.join(test_data_path, 'contents_result.json')
+    with open(contents_result_file_path) as f:
         expected_output = json.load(f)
     assert expected_output == result
diff --git a/Packs/ZeroFox/pack_metadata.json b/Packs/ZeroFox/pack_metadata.json
@@ -16,5 +16,7 @@
     "marketplaces": [
         "xsoar",
         "marketplacev2"
-    ]
-}
+    ],
+    "dependencies": {},
+    "displayedImages": []
+}