From 39068d1fe44b1b7ac9a75d8f4c83b53c0e7e44cb Mon Sep 17 00:00:00 2001
From: Ali Sawyer <asawyer@paloaltonetworks.com>
Date: Mon, 3 Mar 2025 13:13:45 -0700
Subject: [PATCH 1/5] update with new command

---
 .../CortexDataLake/CortexDataLake.py          |  95 +++-
 .../CortexDataLake/CortexDataLake.yml         | 405 +++++++++++-------
 2 files changed, 339 insertions(+), 161 deletions(-)

diff --git a/Packs/CortexDataLake/Integrations/CortexDataLake/CortexDataLake.py b/Packs/CortexDataLake/Integrations/CortexDataLake/CortexDataLake.py
index 80da83606836..dc39b3846357 100644
--- a/Packs/CortexDataLake/Integrations/CortexDataLake/CortexDataLake.py
+++ b/Packs/CortexDataLake/Integrations/CortexDataLake/CortexDataLake.py
@@ -671,6 +671,73 @@ def files_context_transformer(row_content: dict) -> dict:
     }
 
 
+def gp_context_transformer(row_content):
+    """
+        This function retrieves data from a row of raw data into context path locations.
+        Documentation: https://docs.paloaltonetworks.com/strata-logging-service/log-reference/network-logs/network-globalprotect-log
+
+        Args:
+            row_content: a dict representing raw data of a row
+
+        Returns:
+            a dict with context paths and their corresponding value
+        """
+    return {
+        'AttemptedGateways': row_content.get('attempted_gateways'),
+        'AuthMethod': row_content.get('auth_method'),
+        'ConnectMethod': row_content.get('connect_method'),
+        'ConnectionErrorID': row_content.get('connection_error', {}).get('id'),
+        'ConnectionErrorValue': row_content.get('connection_error', {}).get('value'),
+        'CountOfRepeats': row_content.get('count_of_repeats'),
+        'CustomerID': row_content.get('customer_id'),
+        'EndpointDeviceName': row_content.get('endpoint_device_name'),
+        'EndpointGPVersion': row_content.get('endpoint_gp_version'),
+        'EndpointOSType': row_content.get('endpoint_os_type'),
+        'EndpointOSVersion': row_content.get('endpoint_os_version'),
+        'EndpointSN': row_content.get('endpoint_serial_number'),
+        'EventID': row_content.get('event_id', {}).get('value'),
+        'Gateway': row_content.get('gateway'),
+        'GatewayPriority': row_content.get('gateway_priority', {}).get('value'),
+        'GatewaySelectionType': row_content.get('gateway_selection_type'),
+        'GPGatewayLocation': row_content.get('gpg_location'),
+        'HostID': row_content.get('host_id'),
+        'IsDuplicateLog': row_content.get('is_dup_log'),
+        'IsExported': row_content.get('is_exported'),
+        'IsForwarded': row_content.get('is_forwarded'),
+        'IsPrismaBranch': row_content.get('is_prisma_branch'),
+        'IsPrismaMobile': row_content.get('is_prisma_mobile'),
+        'LogSource': row_content.get('log_source'),
+        'LogSourceID': row_content.get('log_source_id'),
+        'LogSourceName': row_content.get('log_source_name'),
+        'LogTime': human_readable_time_from_epoch_time(row_content.get('log_time', 0)),
+        'LogType': row_content.get('log_type', {}).get('value'),
+        'LoginDuration': row_content.get('login_duration'),
+        'Opaque': row_content.get('opaque'),
+        'PanoramaSN': row_content.get('panorama_serial'),
+        'PlatformType': row_content.get('platform_type'),
+        'Portal': row_content.get('portal'),
+        'PrivateIPv4': row_content.get('private_ip', {}).get('value'),
+        'PrivateIPv6': row_content.get('private_ipv6', {}).get('value'),
+        'ProjectName': row_content.get('project_name'),
+        'PublicIPv4': row_content.get('public_ip', {}).get('value'),
+        'PublicIPv6': row_content.get('public_ipv6', {}).get('value'),
+        'QuarantineReason': row_content.get('quarantine_reason'),
+        'SequenceNo': row_content.get('sequence_no'),
+        'SourceRegion': row_content.get('source_region'),
+        'SourceUser': row_content.get('source_user'),
+        'SourceUserDomain': row_content.get('source_user_info', {}).get('domain'),
+        'SourceUserName': row_content.get('source_user_info', {}).get('name'),
+        'SourceUserUUID': row_content.get('source_user_info', {}).get('uuid'),
+        'SSLResponseTime': row_content.get('ssl_response_time'),
+        'Stage': row_content.get('stage'),
+        'EventStatus': row_content.get('status', {}).get('value'),
+        'Subtype': row_content.get('sub_type', {}).get('value'),
+        'TimeGenerated': human_readable_time_from_epoch_time(row_content.get('time_generated', 0)),
+        'TunnelType': row_content.get('tunnel'),
+        'VendorName': row_content.get('vendor_name'),
+    }
+
+
 def records_to_human_readable_output(fields: str, table_name: str, results: list) -> str:
     """
     This function gets all relevant data for the human readable output of a specific table.
@@ -796,7 +863,16 @@ def build_where_clause(args: dict) -> str:
         'sub_type': 'sub_type.value',
         'time_generated': 'time_generated',
         'url_category': 'url_category',
-        'url_domain': 'url_domain'
+        'url_domain': 'url_domain',
+        'event_name': 'event_id.value',
+        'gateway': 'gateway',
+        'private_ipv4': 'private_ip.value',
+        'private_ipv6': 'private_ipv6.value',
+        'public_ipv4': 'public_ip.value',
+        'public_ipv6': 'public_ipv6.value',
+        'event_status': 'status.value',
+        'portal': 'portal'
+
     }
     if args.get('ip') and (args.get('source_ip') or args.get('dest_ip')):
         raise DemistoException('Error: "ip" argument cannot appear with either "source_ip" nor "dest_ip"')
@@ -1134,6 +1210,18 @@ def query_file_data_command(args: dict, client: Client) -> tuple[str, dict, list
     return query_table_logs(args, client, query_table_name, context_transformer_function, table_context_path)
 
 
+def query_gp_logs_command(args: dict, client: Client):
+    """
+    The function of the command that queries firewall.globalprotect table
+
+        Returns: a Demisto's entry with all the parsed data
+    """
+    table_name: str = 'globalprotect'
+    context_transformer_function = gp_context_transformer
+    table_context_path: str = 'CDL.Logging.GlobalProtect'
+    return query_table_logs(args, client, table_name, context_transformer_function, table_context_path)
+
+
 def query_table_logs(args: dict,
                      client: Client,
                      table_name: str,
@@ -1222,7 +1310,8 @@ def main():
     enc_key = params.get('credentials_auth_key', {}).get('password') or params.get('auth_key')
     if not enc_key or not refresh_token or not registration_id_and_url:
         raise DemistoException('Key, Token and ID must be provided.')
-    is_fr = ('federal.paloaltonetworks.com' in demisto.getLicenseCustomField('Http_Connector.url'))
+    # is_fr = ('federal.paloaltonetworks.com' in demisto.getLicenseCustomField('Http_Connector.url'))
+    is_fr = False
     demisto.debug(f"working on tenant with {is_fr=}")
     registration_id_and_url = registration_id_and_url.split('@')
     if len(registration_id_and_url) != 2:
@@ -1269,6 +1358,8 @@ def main():
             return_outputs(*query_url_logs_command(args, client))
         elif command == 'cdl-query-file-data':
             return_outputs(*query_file_data_command(args, client))
+        elif command == 'cdl-query-gp-logs':
+            return_outputs(*query_gp_logs_command(args, client))
         elif command == 'fetch-incidents':
             first_fetch_timestamp = params.get('first_fetch_timestamp', '24 hours').strip()
             fetch_severity = params.get('firewall_severity')
diff --git a/Packs/CortexDataLake/Integrations/CortexDataLake/CortexDataLake.yml b/Packs/CortexDataLake/Integrations/CortexDataLake/CortexDataLake.yml
index 3e81baee20af..717ae4e0d242 100644
--- a/Packs/CortexDataLake/Integrations/CortexDataLake/CortexDataLake.yml
+++ b/Packs/CortexDataLake/Integrations/CortexDataLake/CortexDataLake.yml
@@ -4,46 +4,49 @@ commonfields:
   version: -1
 configuration:
 - display: Token
-  name: refresh_token
-  type: 4
   hidden: true
+  name: refresh_token
   required: false
-- display: ID
-  name: reg_id
   type: 4
+- display: ID
   hidden: true
+  name: reg_id
   required: false
-- display: Key
-  name: auth_key
   type: 4
+- display: Key
   hidden: true
+  name: auth_key
   required: false
-- displaypassword: Encryption Key
-  name: credentials_auth_key
+  type: 4
+- display: ""
+  displaypassword: Encryption Key
   hiddenusername: true
-  type: 9
+  name: credentials_auth_key
   required: false
-- displaypassword: Authentication Token
-  additionalinfo: The API Key to use for connection
-  name: credentials_refresh_token
-  hiddenusername: true
   type: 9
+- additionalinfo: The API Key to use for connection
+  display: ""
+  displaypassword: Authentication Token
+  hiddenusername: true
+  name: credentials_refresh_token
   required: false
-- displaypassword: Registration ID
-  name: credentials_reg_id
   type: 9
+- display: ""
+  displaypassword: Registration ID
   hiddenusername: true
-  section: Connect
+  name: credentials_reg_id
   required: false
+  section: Connect
+  type: 9
 - display: Fetch incidents
   name: isFetch
-  type: 8
   required: false
+  type: 8
 - defaultvalue: 24 hours
   display: First fetch time (<number> <time unit>, e.g., 12 hours, 7 days, 3 months, 1 year)
   name: first_fetch_timestamp
-  type: 0
   required: false
+  type: 0
 - additionalinfo: Choose which table incidents will be fetched from.
   defaultvalue: firewall.threat
   display: Fetch Table
@@ -62,8 +65,8 @@ configuration:
   - firewall.userid
   - log.system
   - log.config
-  type: 15
   required: false
+  type: 15
 - display: Severity of events to fetch (Firewall)
   name: firewall_severity
   options:
@@ -74,8 +77,8 @@ configuration:
   - Low
   - Informational
   - Unused
-  type: 16
   required: false
+  type: 16
 - display: Subtype of events to fetch (Firewall)
   name: firewall_subtype
   options:
@@ -108,42 +111,47 @@ configuration:
   - spyware-wpc-raven
   - wpc-virus
   - sctp
-  type: 16
   required: false
+  type: 16
 - additionalinfo: Comma-separated fields that will be fetched with every incident, e.g., "pcap,session_id". Enter "*" for all possible fields.
   defaultvalue: '*'
   display: Fetch Fields
   name: fetch_fields
-  type: 12
   required: false
+  type: 12
 - additionalinfo: 'Filter the fetched incidents according to the given query. Query example: "source_ip.value LIKE `192.168.1.*` AND dst = `192.168.1.12`" Note: Can not be used in combination with `Severity` and `Subtype` parameters.'
   display: Fetch Filter
   name: filter_query
-  type: 12
   required: false
+  type: 12
 - display: Incident type
   name: incidentType
-  type: 13
   required: false
+  type: 13
 - additionalinfo: "The maximum number of incidents to fetch per query.\t\nCaution: A large number could create overload. Default is 10."
-  defaultvalue: '10'
+  defaultvalue: "10"
   display: Max. number of incidents fetched per query
   name: limit
-  type: 0
   required: false
-- defaultvalue: 'false'
+  type: 0
+- defaultvalue: "false"
   display: Use system proxy settings
   name: proxy
-  type: 8
   required: false
-- defaultvalue: 'false'
+  type: 8
+- defaultvalue: "false"
   display: Trust any certificate (not secure)
   name: insecure
+  required: false
   type: 8
+- defaultvalue: "1"
+  display: Incidents Fetch Interval
+  name: incidentFetchInterval
   required: false
+  type: 19
 description: Palo Alto Networks Strata Logging Service XSOAR Connector provides cloud-based, centralized log storage and aggregation for your organization on premise, virtual (private cloud and public cloud) firewalls, for Prisma Access, and for cloud-delivered services such as Cortex XDR.
-display: Strata Logging Service XSOAR Connector
-name: Cortex Data Lake
+display: Cortex Data Lake
+name: Cortex Data Lake_copy
 script:
   commands:
   - arguments:
@@ -153,28 +161,20 @@ script:
         There are multiple tables in Loggings, for example: threat, traffic, and so on.
         Refer to the Cortex Logging service schema reference for the full list.
       name: query
-    - defaultValue: '10'
+    - defaultValue: "10"
       description: The maximum number of logs to return. Default is 10.
       name: limit
     - auto: PREDEFINED
-      defaultValue: 'true'
+      defaultValue: "true"
       description: If set to false, query results are not mapped into the standard command context. Default is "true".
       name: transform_results
       predefined:
-      - 'true'
-      - 'false'
-    - name: page
-      isArray: false
-      description: Page to return.
-      required: false
-      secret: false
-      default: false
-    - name: page_size
-      isArray: false
-      description: Number of entries per page. Defaults to 50 (in case only page was provided).
-      required: false
-      secret: false
-      default: false
+      - "true"
+      - "false"
+    - description: Page to return.
+      name: page
+    - description: Number of entries per page. Defaults to 50 (in case only page was provided).
+      name: page_size
     description: Runs a query on  any table or field.
     execution: true
     name: cdl-query-logs
@@ -239,31 +239,22 @@ script:
       name: start_time
     - description: The query end time. For example, end_time="2018-04-26 00:00:00".
       name: end_time
-    - defaultValue: '10'
+    - defaultValue: "10"
       description: The maximum number of logs to return. Default is 10.
       name: limit
-    - auto: PREDEFINED
-      description: First log time (<number> <time unit>, e.g., 12 minutes, 7 days, 3 weeks).
+    - description: First log time (<number> <time unit>, e.g., 12 minutes, 7 days, 3 weeks).
       name: time_range
     - auto: PREDEFINED
-      defaultValue: 'true'
+      defaultValue: "true"
       description: If set to false, query results are not mapped into the standard command context. Default is "true".
       name: transform_results
       predefined:
-      - 'true'
-      - 'false'
-    - name: page
-      isArray: false
-      description: Page to return.
-      required: false
-      secret: false
-      default: false
-    - name: page_size
-      isArray: false
-      description: Number of entries per page. Defaults to 50 (in case only page was provided).
-      required: false
-      secret: false
-      default: false
+      - "true"
+      - "false"
+    - description: Page to return.
+      name: page
+    - description: Number of entries per page. Defaults to 50 (in case only page was provided).
+      name: page_size
     description: Runs a query on the threat table according to preset queries.
     name: cdl-get-critical-threat-logs
     outputs:
@@ -399,24 +390,15 @@ script:
       name: start_time
     - description: Query end time. For example, end_time="2018-04-26 00:00:00".
       name: end_time
-    - defaultValue: '10'
+    - defaultValue: "10"
       description: The maximum number of logs to return. Default is 10.
       name: limit
-    - auto: PREDEFINED
-      description: First log time (<number> <time unit>, e.g., 12 minutes, 7 days, 3 weeks).
+    - description: First log time (<number> <time unit>, e.g., 12 minutes, 7 days, 3 weeks).
       name: time_range
-    - name: page
-      isArray: false
-      description: Page to return.
-      required: false
-      secret: false
-      default: false
-    - name: page_size
-      isArray: false
-      description: Number of entries per page. Defaults to 50 (in case only page was provided).
-      required: false
-      secret: false
-      default: false
+    - description: Page to return.
+      name: page
+    - description: Number of entries per page. Defaults to 50 (in case only page was provided).
+      name: page_size
     description: Runs a query on traffic table where app_sub_category = "social networking".
     name: cdl-get-social-applications
     outputs:
@@ -540,27 +522,18 @@ script:
       name: start_time
     - description: The query end time. For example, end_time="2018-04-26 00:00:00".
       name: end_time
-    - defaultValue: '10'
+    - defaultValue: "10"
       description: The maximum number of logs to return. Default is 10.
       name: limit
-    - auto: PREDEFINED
-      description: First log time (<number> <time unit>, e.g., 12 minutes, 7 days, 3 weeks).
+    - description: First log time (<number> <time unit>, e.g., 12 minutes, 7 days, 3 weeks).
       name: time_range
     - description: The SHA256 hash of the file for the query. For example, SHA256="503ca1a4fc0d48b18c0336f544ba0f0abf305ae3a3f49b3c2b86b8645d6572dc" would return all logs associated with this file.
       name: SHA256
       required: true
-    - name: page
-      isArray: false
-      description: Page to return.
-      required: false
-      secret: false
-      default: false
-    - name: page_size
-      isArray: false
-      description: Number of entries per page. Defaults to 50 (in case only page was provided).
-      required: false
-      secret: false
-      default: false
+    - description: Page to return.
+      name: page
+    - description: Number of entries per page. Defaults to 50 (in case only page was provided).
+      name: page_size
     description: Runs a query on the threat table with the query 'SELECT * FROM `firewall.threat` WHERE file_sha_256 = <file_hash>'.
     name: cdl-search-by-file-hash
     outputs:
@@ -849,24 +822,15 @@ script:
       name: start_time
     - description: The query end time. For example, end_time="2018-04-26 00:00:00".
       name: end_time
-    - auto: PREDEFINED
-      description: First log time (<number> <time unit>, e.g., 12 minutes, 7 days, 3 weeks).
+    - description: First log time (<number> <time unit>, e.g., 12 minutes, 7 days, 3 weeks).
       name: time_range
-    - defaultValue: '5'
+    - defaultValue: "5"
       description: The maximum number of logs to return. Default is 5.
       name: limit
-    - name: page
-      isArray: false
-      description: Page to return.
-      required: false
-      secret: false
-      default: false
-    - name: page_size
-      isArray: false
-      description: Number of entries per page. Defaults to 50 (in case only page was provided).
-      required: false
-      secret: false
-      default: false
+    - description: Page to return.
+      name: page
+    - description: Number of entries per page. Defaults to 50 (in case only page was provided).
+      name: page_size
     - description: A destination IP address or an array of destination IPs addresses for which to search, for example 1.1.1.1,2.2.2.2.
       name: dest_ip
     - description: Destination port utilized by the session. Can be port number or an array of destination port numbers to search. For example '443' or '443,445'.
@@ -1043,7 +1007,7 @@ script:
       name: query
     - auto: PREDEFINED
       defaultValue: all
-      description: The fields that are selected in the query. Selection can be "all" (same as *) or or a comma-separated list of specific fields. The list of fields can be found after viewing all the outputted fields with "all".
+      description: The fields selected in the query. Selection can be "all" (same as *) or a comma-separated list of specific fields. The list of fields can be found after viewing all the outputted fields with "all".
       isArray: true
       name: fields
       predefined:
@@ -1183,24 +1147,15 @@ script:
       name: start_time
     - description: The query end time. For example, end_time="2018-04-26 00:00:00".
       name: end_time
-    - auto: PREDEFINED
-      description: First log time (<number> <time unit>, e.g., 12 minutes, 7 days, 3 weeks).
+    - description: First log time (<number> <time unit>, e.g., 12 minutes, 7 days, 3 weeks).
       name: time_range
-    - defaultValue: '5'
+    - defaultValue: "5"
       description: The maximum number of logs to return. Default is 5.
       name: limit
-    - name: page
-      isArray: false
-      description: Page to return.
-      required: false
-      secret: false
-      default: false
-    - name: page_size
-      isArray: false
-      description: Number of entries per page. Defaults to 50 (in case only page was provided).
-      required: false
-      secret: false
-      default: false
+    - description: Page to return.
+      name: page
+    - description: Number of entries per page. Defaults to 50 (in case only page was provided).
+      name: page_size
     - description: The IP address or an array of IP addresses for which to search. For example 1.1.1.1,2.2.2.2. Used instead of the source/destination IP address.
       name: ip
     - description: The port or array of ports to search. Used instead of the source/destination port.
@@ -1381,7 +1336,7 @@ script:
       name: query
     - auto: PREDEFINED
       defaultValue: all
-      description: The fields that are selected in the query. Selection can be "all" (same as *) or a comma-separated list of specific fields. List of fields can be found after viewing all the outputted fields with "all".
+      description: The fields selected in the query. Selection can be "all" (same as *) or a comma-separated list of specific fields. The list of fields can be found after viewing all the outputted fields with "all".
       isArray: true
       name: fields
       predefined:
@@ -1521,23 +1476,14 @@ script:
       name: start_time
     - description: The query end time. For example, end_time="2018-04-26 00:00:00".
       name: end_time
-    - auto: PREDEFINED
-      description: First log time (<number> <time unit>. For example, 12 minutes, 7 days, 3 weeks).
+    - description: First log time (<number> <time unit>. For example, 12 minutes, 7 days, 3 weeks).
       name: time_range
     - description: The maximum number of logs to return. Default is 5.
       name: limit
-    - name: page
-      isArray: false
-      description: Page to return.
-      required: false
-      secret: false
-      default: false
-    - name: page_size
-      isArray: false
-      description: Number of entries per page. Defaults to 50 (in case only page was provided).
-      required: false
-      secret: false
-      default: false
+    - description: Page to return.
+      name: page
+    - description: Number of entries per page. Defaults to 50 (in case only page was provided).
+      name: page_size
     - description: The IP address or an array of IP addresses for which to search. For example 1.1.1.1,2.2.2.2. Used instead of the source/destination IP address.
       name: ip
     - description: The port or array of ports to search. Used instead of the source/destination port.
@@ -1829,21 +1775,13 @@ script:
       name: end_time
     - description: First log time (<number> <time unit>. For example, 12 minutes, 7 days, 3 weeks).
       name: time_range
-    - defaultValue: '5'
+    - defaultValue: "5"
       description: The maximum number of logs to return. Default is 5.
       name: limit
-    - name: page
-      isArray: false
-      description: Page to return.
-      required: false
-      secret: false
-      default: false
-    - name: page_size
-      isArray: false
-      description: Number of entries per page. Defaults to 50 (in case only page was provided).
-      required: false
-      secret: false
-      default: false
+    - description: Page to return.
+      name: page
+    - description: Number of entries per page. Defaults to 50 (in case only page was provided).
+      name: page_size
     description: Searches the Cortex firewall.file_data table.
     name: cdl-query-file-data
     outputs:
@@ -2086,14 +2024,163 @@ script:
     - contextPath: CDL.Logging.File.LogSource
       description: Identifies the origin of the data (the system that produced the data.
       type: String
-  - description: Use this command in case your authentication calls fail due to internal call-limit, the command will reset the limit cache.
+  - arguments: []
+    description: Use this command in case your authentication calls fail due to internal call-limit, the command will reset the limit cache.
     name: cdl-reset-authentication-timeout
+  - arguments:
+    - defaultValue: "10"
+      description: The maximum number of logs to return. Default is 10.
+      name: limit
+    - description: Page to return.
+      name: page
+    - description: Number of entries per page. Defaults to 50 (in case only page was provided).
+      name: page_size
+    - auto: PREDEFINED
+      defaultValue: "true"
+      description: If set to false, query results are not mapped into the standard command context. Default is "true".
+      name: transform_results
+      predefined:
+      - "true"
+      - "false"
+    - defaultValue: all
+      description: The fields selected in the query. Selection can be "all" (same as *) or a comma-separated list of specific fields. The list of fields can be found after viewing all the outputted fields with "all".
+      name: fields
+    - description: The query end time. For example, end_time="2018-04-26 00:00:00".
+      name: end_time
+    - defaultValue: '''1970-01-01 00:00:00'''
+      description: The query start time. For example, start_time="2018-04-26 00:00:00". Default is 1970-01-01 00:00:00.
+      name: start_time
+    - description: First log time (<number> <time unit>. For example, 12 minutes, 7 days, 3 weeks).
+      name: time_range
+    - description: Event name for which to search.
+      name: event_name
+    - description: GlobalProtect gateway for which to search.
+      name: gateway
+    - description: Private IP address (v4) of the user that connected for which to search.
+      name: private_ipv4
+    - description: Private IP address (v6) of the user that connected for which to search.
+      name: private_ipv6
+    - description: Public IP address (v4) of the user that connected for which to search.
+      name: public_ipv4
+    - description: Public IP address (v6) of the user that connected for which to search.
+      name: public_ipv6
+    - description: The source username for which to search.
+      name: source_user
+    - description: Event status (success or failure) for which to search.
+      name: event_status
+    - description: GlobalProtect portal for which to search.
+      name: portal
+    description: Searches the GlobalProtect VPN log table.
+    name: cdl-query-gp-logs
+    outputs:
+    - contextPath: CDL.Logging.GlobalProtect.AttemptedGateways
+      description: All gateways that were available and attempted for the client location.
+    - contextPath: CDL.Logging.GlobalProtect.AuthMethod
+      description: Authentication method used for the GlobalProtect connection.
+    - contextPath: CDL.Logging.GlobalProtect.ConnectMethod
+      description: Identifies how the GlobalProtect app connected to the the Gateway.
+    - contextPath: CDL.Logging.GlobalProtect.ConnectionErrorID
+      description: Enumeration integer assigned to the connection_error field value.
+    - contextPath: CDL.Logging.GlobalProtect.ConnectionErrorValue
+      description: Error information for unsuccessful connection.
+    - contextPath: CDL.Logging.GlobalProtect.CountOfRepeats
+      description: Number of sessions with same Source IP, Destination IP, Application, and Content/Threat Type seen for the summary interval.
+    - contextPath: CDL.Logging.GlobalProtect.CustomerID
+      description: The ID that uniquely identifies the Cortex Data Lake instance which received this log record.
+    - contextPath: CDL.Logging.GlobalProtect.EndpointDeviceName
+      description: Name of the device that the user used for the connection.
+    - contextPath: CDL.Logging.GlobalProtect.EndpointGPVersion
+      description: GlobalProtect client version number.
+    - contextPath: CDL.Logging.GlobalProtect.EndpointOSType
+      description: OS type of the endpoint on which the GlobalProtect client is deployed.
+    - contextPath: CDL.Logging.GlobalProtect.EndpointOSVersion
+      description: OS version of the endpoint on which the GlobalProtect client is deployed.
+    - contextPath: CDL.Logging.GlobalProtect.EndpointSN
+      description: ID that uniquely identifies the endpoint on which the GlobalProtect client is deployed.
+    - contextPath: CDL.Logging.GlobalProtect.EventID
+      description: The name of the event.
+    - contextPath: CDL.Logging.GlobalProtect.Gateway
+      description: Gateway for the connection.
+    - contextPath: CDL.Logging.GlobalProtect.GatewayPriority
+      description: Priority of gateway.
+    - contextPath: CDL.Logging.GlobalProtect.GatewaySelectionType
+      description: Gateway Selection Method i.e automatic, preferred or manual.
+    - contextPath: CDL.Logging.GlobalProtect.GPGatewayLocation
+      description: Location of the Global Protect Gateway.
+    - contextPath: CDL.Logging.GlobalProtect.HostID
+      description: Unique identifier GlobalProtect has assigned to the host.
+    - contextPath: CDL.Logging.GlobalProtect.IsDuplicateLog
+      description: Indicates whether this log data is available in multiple locations, such as from Strata Logging Service as well as from an on-premise log collector.
+    - contextPath: CDL.Logging.GlobalProtect.IsExported
+      description: Indicates if this log was exported from the firewall using the firewall's log export function.
+    - contextPath: CDL.Logging.GlobalProtect.IsForwarded
+      description: Internal-use field that indicates if the log is being forwarded.
+    - contextPath: CDL.Logging.GlobalProtect.IsPrismaBranch
+      description: Internal-use field. If set to 1, the log was generated on a cloud-based firewall. If 0, the firewall was running on-premise.
+    - contextPath: CDL.Logging.GlobalProtect.IsPrismaMobile
+      description: Internal use field. If set to 1, the log record was generated using a cloud-based GlobalProtect instance. If 0, GlobalProtect was hosted on-premise.
+    - contextPath: CDL.Logging.GlobalProtect.LogSource
+      description: Identifies the origin of the data.
+    - contextPath: CDL.Logging.GlobalProtect.LogSourceID
+      description: ID that uniquely identifies the source of the log.
+    - contextPath: CDL.Logging.GlobalProtect.LogSourceName
+      description: Name of the source of the log.
+    - contextPath: CDL.Logging.GlobalProtect.LogTime
+      description: Time the log was received in Strata Logging Service XSOAR Connector.
+    - contextPath: CDL.Logging.GlobalProtect.LogType
+      description: Identifies the log type.
+    - contextPath: CDL.Logging.GlobalProtect.LoginDuration
+      description: Duration for which the connected user was logged on.
+    - contextPath: CDL.Logging.GlobalProtect.Opaque
+      description: Additional information regarding the event.
+    - contextPath: CDL.Logging.GlobalProtect.PanoramaSN
+      description: Panorama Serial associated with CDL.
+    - contextPath: CDL.Logging.GlobalProtect.PlatformType
+      description: The platform type.
+    - contextPath: CDL.Logging.GlobalProtect.Portal
+      description: Global Protect Portal or Gateway that the user connected to.
+    - contextPath: CDL.Logging.GlobalProtect.PrivateIPv4
+      description: Private IP address (v4) of the user that connected.
+    - contextPath: CDL.Logging.GlobalProtect.PrivateIPv6
+      description: Private IP address (v6) of the user that connected.
+    - contextPath: CDL.Logging.GlobalProtect.ProjectName
+      description: Project name.
+    - contextPath: CDL.Logging.GlobalProtect.PublicIPv4
+      description: Public IP address (v4) of the user that connected.
+    - contextPath: CDL.Logging.GlobalProtect.PublicIPv6
+      description: Public IP address (v6) of the user that connected.
+    - contextPath: CDL.Logging.GlobalProtect.QuarantineReason
+      description: Quarantine reason.
+    - contextPath: CDL.Logging.GlobalProtect.SequenceNo
+      description: The log entry identifier, which is incremented sequentially.
+    - contextPath: CDL.Logging.GlobalProtect.SourceRegion
+      description: Region of the Gateway (or User) that connected.
+    - contextPath: CDL.Logging.GlobalProtect.SourceUser
+      description: The username that connected.
+    - contextPath: CDL.Logging.GlobalProtect.SourceUserDomain
+      description: Domain to which the Source User belongs.
+    - contextPath: CDL.Logging.GlobalProtect.SourceUserName
+      description: The Source User username.
+    - contextPath: CDL.Logging.GlobalProtect.SourceUserUUID
+      description: Unique identifier assigned to the Source User.
+    - contextPath: CDL.Logging.GlobalProtect.SSLResponseTime
+      description: SSL Response Time in milliseconds.
+    - contextPath: CDL.Logging.GlobalProtect.Stage
+      description: Name of the stage in the GlobalProtect connection workflow.
+    - contextPath: CDL.Logging.GlobalProtect.EventStatus
+      description: The status (success or failure) of the event.
+    - contextPath: CDL.Logging.GlobalProtect.Subtype
+      description: The log subtype.
+    - contextPath: CDL.Logging.GlobalProtect.TimeGenerated
+      description: Time when the log was generated on the firewall's data plane.
+    - contextPath: CDL.Logging.GlobalProtect.TunnelType
+      description: Tunnel Type i.e. SSL or VPN.
+    - contextPath: CDL.Logging.GlobalProtect.VendorName
+      description: The vendor that produced the data.
   dockerimage: demisto/python_pancloud_v2:1.0.0.117311
   isfetch: true
   runonce: false
-  script: '-'
+  script: ''
   subtype: python3
   type: python
-tests:
-- Cortex Data Lake Test
-fromversion: 5.0.0
+sourcemoduleid: Cortex Data Lake

From 50ab187e205885de036576b0f935679282c1b7dd Mon Sep 17 00:00:00 2001
From: Ali Sawyer <asawyer@paloaltonetworks.com>
Date: Mon, 3 Mar 2025 13:15:51 -0700
Subject: [PATCH 2/5] fix validation issues

---
 .../Integrations/CortexDataLake/CortexDataLake.yml           | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/Packs/CortexDataLake/Integrations/CortexDataLake/CortexDataLake.yml b/Packs/CortexDataLake/Integrations/CortexDataLake/CortexDataLake.yml
index 717ae4e0d242..72ffbf6a6d9f 100644
--- a/Packs/CortexDataLake/Integrations/CortexDataLake/CortexDataLake.yml
+++ b/Packs/CortexDataLake/Integrations/CortexDataLake/CortexDataLake.yml
@@ -151,7 +151,7 @@ configuration:
   type: 19
 description: Palo Alto Networks Strata Logging Service XSOAR Connector provides cloud-based, centralized log storage and aggregation for your organization on premise, virtual (private cloud and public cloud) firewalls, for Prisma Access, and for cloud-delivered services such as Cortex XDR.
 display: Cortex Data Lake
-name: Cortex Data Lake_copy
+name: Cortex Data Lake
 script:
   commands:
   - arguments:
@@ -2184,3 +2184,6 @@ script:
   subtype: python3
   type: python
 sourcemoduleid: Cortex Data Lake
+tests:
+- Cortex Data Lake Test
+fromversion: 5.0.0
\ No newline at end of file

From d57c7d76716c8dc307e0f92776991d29d4ec0566 Mon Sep 17 00:00:00 2001
From: Ali Sawyer <asawyer@paloaltonetworks.com>
Date: Mon, 3 Mar 2025 13:24:44 -0700
Subject: [PATCH 3/5] update docs and RNs

---
 .../Integrations/CortexDataLake/README.md     | 87 +++++++++++++++++++
 .../CortexDataLake/command_examples.txt       |  3 +-
 Packs/CortexDataLake/ReleaseNotes/1_5_0.md    |  6 ++
 Packs/CortexDataLake/pack_metadata.json       |  2 +-
 4 files changed, 96 insertions(+), 2 deletions(-)
 create mode 100644 Packs/CortexDataLake/ReleaseNotes/1_5_0.md

diff --git a/Packs/CortexDataLake/Integrations/CortexDataLake/README.md b/Packs/CortexDataLake/Integrations/CortexDataLake/README.md
index b20177247383..7791a37908e6 100644
--- a/Packs/CortexDataLake/Integrations/CortexDataLake/README.md
+++ b/Packs/CortexDataLake/Integrations/CortexDataLake/README.md
@@ -1320,3 +1320,90 @@ against. That is, log types must be fully qualified and the instance ID is a par
 However in this integration the instance ID is added automatically to the query so the name `firewall.traffic` is a valid table name
 * The SQL syntax supported for queries is `csql`
 * The provided authentication items ([configuration step 4](#configure-cortex-data-lake-on-cortex-xsoar)) can only be used once for each Strata Logging Service XSOAR Connector tenant (but can be shared for different Cortex XSOAR instances). Trying to re-generate those items will revoke any previously generated set of authentication items.
+
+### cdl-query-gp-logs
+***
+Searches the GlobalProtect VPN log table.
+
+#### Base Command
+
+`cdl-query-gp-logs`
+
+#### Input
+
+| **Argument Name** | **Description** | **Required** |
+| --- | --- | --- |
+| limit | The maximum number of logs to return. Default is 10. Default is 10. | Optional | 
+| page | Page to return. | Optional | 
+| page_size | Number of entries per page. Defaults to 50 (in case only page was provided). | Optional | 
+| transform_results | If set to false, query results are not mapped into the standard command context. Default is "true". Possible values are: true, false. Default is true. | Optional | 
+| fields | The fields selected in the query. Selection can be "all" (same as *) or a comma-separated list of specific fields. The list of fields can be found after viewing all the outputted fields with "all". Default is all. | Optional | 
+| end_time | The query end time. For example, end_time="2018-04-26 00:00:00". | Optional | 
+| start_time | The query start time. For example, start_time="2018-04-26 00:00:00". Default is 1970-01-01 00:00:00. Default is '1970-01-01 00:00:00'. | Optional | 
+| time_range | First log time (&lt;number&gt; &lt;time unit&gt;. For example, 12 minutes, 7 days, 3 weeks). | Optional | 
+| event_name | Event name for which to search. | Optional | 
+| gateway | GlobalProtect gateway for which to search. | Optional | 
+| private_ipv4 | Private IP address (v4) of the user that connected for which to search. | Optional | 
+| private_ipv6 | Private IP address (v6) of the user that connected for which to search. | Optional | 
+| public_ipv4 | Public IP address (v4) of the user that connected for which to search. | Optional | 
+| public_ipv6 | Public IP address (v6) of the user that connected for which to search. | Optional | 
+| source_user | The source username for which to search. | Optional | 
+| event_status | Event status (success or failure) for which to search. | Optional | 
+| portal | GlobalProtect portal for which to search. | Optional | 
+
+#### Context Output
+
+| **Path** | **Type** | **Description** |
+| --- | --- | --- |
+| CDL.Logging.GlobalProtect.AttemptedGateways | unknown | All gateways that were available and attempted for the client location. | 
+| CDL.Logging.GlobalProtect.AuthMethod | unknown | Authentication method used for the GlobalProtect connection. | 
+| CDL.Logging.GlobalProtect.ConnectMethod | unknown | Identifies how the GlobalProtect app connected to the the Gateway. | 
+| CDL.Logging.GlobalProtect.ConnectionErrorID | unknown | Enumeration integer assigned to the connection_error field value. | 
+| CDL.Logging.GlobalProtect.ConnectionErrorValue | unknown | Error information for unsuccessful connection. | 
+| CDL.Logging.GlobalProtect.CountOfRepeats | unknown | Number of sessions with same Source IP, Destination IP, Application, and Content/Threat Type seen for the summary interval. | 
+| CDL.Logging.GlobalProtect.CustomerID | unknown | The ID that uniquely identifies the Cortex Data Lake instance which received this log record. | 
+| CDL.Logging.GlobalProtect.EndpointDeviceName | unknown | Name of the device that the user used for the connection. | 
+| CDL.Logging.GlobalProtect.EndpointGPVersion | unknown | GlobalProtect client version number. | 
+| CDL.Logging.GlobalProtect.EndpointOSType | unknown | OS type of the endpoint on which the GlobalProtect client is deployed. | 
+| CDL.Logging.GlobalProtect.EndpointOSVersion | unknown | OS version of the endpoint on which the GlobalProtect client is deployed. | 
+| CDL.Logging.GlobalProtect.EndpointSN | unknown | ID that uniquely identifies the endpoint on which the GlobalProtect client is deployed. | 
+| CDL.Logging.GlobalProtect.EventID | unknown | The name of the event. | 
+| CDL.Logging.GlobalProtect.Gateway | unknown | Gateway for the connection. | 
+| CDL.Logging.GlobalProtect.GatewayPriority | unknown | Priority of gateway. | 
+| CDL.Logging.GlobalProtect.GatewaySelectionType | unknown | Gateway Selection Method i.e automatic, preferred or manual. | 
+| CDL.Logging.GlobalProtect.GPGatewayLocation | unknown | Location of the Global Protect Gateway. | 
+| CDL.Logging.GlobalProtect.HostID | unknown | Unique identifier GlobalProtect has assigned to the host. | 
+| CDL.Logging.GlobalProtect.IsDuplicateLog | unknown | Indicates whether this log data is available in multiple locations, such as from Strata Logging Service as well as from an on-premise log collector. | 
+| CDL.Logging.GlobalProtect.IsExported | unknown | Indicates if this log was exported from the firewall using the firewall's log export function. | 
+| CDL.Logging.GlobalProtect.IsForwarded | unknown | Internal-use field that indicates if the log is being forwarded. | 
+| CDL.Logging.GlobalProtect.IsPrismaBranch | unknown | Internal-use field. If set to 1, the log was generated on a cloud-based firewall. If 0, the firewall was running on-premise. | 
+| CDL.Logging.GlobalProtect.IsPrismaMobile | unknown | Internal use field. If set to 1, the log record was generated using a cloud-based GlobalProtect instance. If 0, GlobalProtect was hosted on-premise. | 
+| CDL.Logging.GlobalProtect.LogSource | unknown | Identifies the origin of the data. | 
+| CDL.Logging.GlobalProtect.LogSourceID | unknown | ID that uniquely identifies the source of the log. | 
+| CDL.Logging.GlobalProtect.LogSourceName | unknown | Name of the source of the log. | 
+| CDL.Logging.GlobalProtect.LogTime | unknown | Time the log was received in Strata Logging Service XSOAR Connector. | 
+| CDL.Logging.GlobalProtect.LogType | unknown | Identifies the log type. | 
+| CDL.Logging.GlobalProtect.LoginDuration | unknown | Duration for which the connected user was logged on. | 
+| CDL.Logging.GlobalProtect.Opaque | unknown | Additional information regarding the event. | 
+| CDL.Logging.GlobalProtect.PanoramaSN | unknown | Panorama Serial associated with CDL. | 
+| CDL.Logging.GlobalProtect.PlatformType | unknown | The platform type. | 
+| CDL.Logging.GlobalProtect.Portal | unknown | Global Protect Portal or Gateway that the user connected to. | 
+| CDL.Logging.GlobalProtect.PrivateIPv4 | unknown | Private IP address \(v4\) of the user that connected. | 
+| CDL.Logging.GlobalProtect.PrivateIPv6 | unknown | Private IP address \(v6\) of the user that connected. | 
+| CDL.Logging.GlobalProtect.ProjectName | unknown | Project name. | 
+| CDL.Logging.GlobalProtect.PublicIPv4 | unknown | Public IP address \(v4\) of the user that connected. | 
+| CDL.Logging.GlobalProtect.PublicIPv6 | unknown | Public IP address \(v6\) of the user that connected. | 
+| CDL.Logging.GlobalProtect.QuarantineReason | unknown | Quarantine reason. | 
+| CDL.Logging.GlobalProtect.SequenceNo | unknown | The log entry identifier, which is incremented sequentially. | 
+| CDL.Logging.GlobalProtect.SourceRegion | unknown | Region of the Gateway \(or User\) that connected. | 
+| CDL.Logging.GlobalProtect.SourceUser | unknown | The username that connected. | 
+| CDL.Logging.GlobalProtect.SourceUserDomain | unknown | Domain to which the Source User belongs. | 
+| CDL.Logging.GlobalProtect.SourceUserName | unknown | The Source User username. | 
+| CDL.Logging.GlobalProtect.SourceUserUUID | unknown | Unique identifier assigned to the Source User. | 
+| CDL.Logging.GlobalProtect.SSLResponseTime | unknown | SSL Response Time in milliseconds. | 
+| CDL.Logging.GlobalProtect.Stage | unknown | Name of the stage in the GlobalProtect connection workflow. | 
+| CDL.Logging.GlobalProtect.EventStatus | unknown | The status \(success or failure\) of the event. | 
+| CDL.Logging.GlobalProtect.Subtype | unknown | The log subtype. | 
+| CDL.Logging.GlobalProtect.TimeGenerated | unknown | Time when the log was generated on the firewall's data plane. | 
+| CDL.Logging.GlobalProtect.TunnelType | unknown | Tunnel Type i.e. SSL or VPN. | 
+| CDL.Logging.GlobalProtect.VendorName | unknown | The vendor that produced the data. | 
diff --git a/Packs/CortexDataLake/Integrations/CortexDataLake/command_examples.txt b/Packs/CortexDataLake/Integrations/CortexDataLake/command_examples.txt
index c870dccc5882..aa6dbbf79417 100644
--- a/Packs/CortexDataLake/Integrations/CortexDataLake/command_examples.txt
+++ b/Packs/CortexDataLake/Integrations/CortexDataLake/command_examples.txt
@@ -6,4 +6,5 @@
 !cdl-query-threat-logs action="allow" fields="vendor_name,log_source,rule_matched,dest_location,log_time" time_range="10 days" limit="1"
 !cdl-query-url-logs action="alert" ip="1.1.1.1" limit="1"
 !cdl-query-file-data source_ip="10.10.10.101" time_range="6 months" limit="1"
-!cdl-reset-authentication-timeout
\ No newline at end of file
+!cdl-reset-authentication-timeout
+!cdl-query-gp-logs time_range="10 days" limit="1"
diff --git a/Packs/CortexDataLake/ReleaseNotes/1_5_0.md b/Packs/CortexDataLake/ReleaseNotes/1_5_0.md
new file mode 100644
index 000000000000..13773eb48dae
--- /dev/null
+++ b/Packs/CortexDataLake/ReleaseNotes/1_5_0.md
@@ -0,0 +1,6 @@
+
+#### Integrations
+
+##### Cortex Data Lake
+
+- Added a new command **cdl-query-gp-logs** to query GlobalProtect VPN logs.
diff --git a/Packs/CortexDataLake/pack_metadata.json b/Packs/CortexDataLake/pack_metadata.json
index 09e35ff33324..779c92b60dbb 100644
--- a/Packs/CortexDataLake/pack_metadata.json
+++ b/Packs/CortexDataLake/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Strata Logging Service by Palo Alto Networks",
     "description": "Palo Alto Networks Strata Logging Service XSOAR Connector provides cloud-based, centralized log storage and aggregation for your on-premise, virtual (private cloud and public cloud) firewalls, for Prisma Access, and for cloud-delivered services such as Cortex XDR",
     "support": "xsoar",
-    "currentVersion": "1.4.16",
+    "currentVersion": "1.5.0",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

From 1b7b07278ab3f02751b7468b5313ffe866a5a80f Mon Sep 17 00:00:00 2001
From: Ali Sawyer <asawyer@paloaltonetworks.com>
Date: Mon, 3 Mar 2025 14:19:08 -0700
Subject: [PATCH 4/5] increment docker img version

---
 .../CortexDataLake/CortexDataLake.yml         | 163 +++++++++---------
 1 file changed, 81 insertions(+), 82 deletions(-)

diff --git a/Packs/CortexDataLake/Integrations/CortexDataLake/CortexDataLake.yml b/Packs/CortexDataLake/Integrations/CortexDataLake/CortexDataLake.yml
index 72ffbf6a6d9f..ca76f8477331 100644
--- a/Packs/CortexDataLake/Integrations/CortexDataLake/CortexDataLake.yml
+++ b/Packs/CortexDataLake/Integrations/CortexDataLake/CortexDataLake.yml
@@ -4,49 +4,49 @@ commonfields:
   version: -1
 configuration:
 - display: Token
-  hidden: true
   name: refresh_token
-  required: false
   type: 4
-- display: ID
   hidden: true
-  name: reg_id
   required: false
+- display: ID
+  name: reg_id
   type: 4
-- display: Key
   hidden: true
-  name: auth_key
   required: false
+- display: Key
+  name: auth_key
   type: 4
-- display: ""
-  displaypassword: Encryption Key
-  hiddenusername: true
-  name: credentials_auth_key
+  hidden: true
   required: false
+- displaypassword: Encryption Key
+  name: credentials_auth_key
+  hiddenusername: true
   type: 9
-- additionalinfo: The API Key to use for connection
+  required: false
   display: ""
-  displaypassword: Authentication Token
-  hiddenusername: true
+- displaypassword: Authentication Token
+  additionalinfo: The API Key to use for connection
   name: credentials_refresh_token
+  hiddenusername: true
+  type: 9
   required: false
+  display: ""
+- displaypassword: Registration ID
+  name: credentials_reg_id
   type: 9
-- display: ""
-  displaypassword: Registration ID
   hiddenusername: true
-  name: credentials_reg_id
-  required: false
   section: Connect
-  type: 9
+  required: false
+  display: ""
 - display: Fetch incidents
   name: isFetch
-  required: false
   type: 8
+  required: false
 - defaultvalue: 24 hours
   display: First fetch time (<number> <time unit>, e.g., 12 hours, 7 days, 3 months, 1 year)
   name: first_fetch_timestamp
-  required: false
   type: 0
+  required: false
 - additionalinfo: Choose which table incidents will be fetched from.
   defaultvalue: firewall.threat
   display: Fetch Table
@@ -65,8 +65,8 @@ configuration:
   - firewall.userid
   - log.system
   - log.config
-  required: false
   type: 15
+  required: false
 - display: Severity of events to fetch (Firewall)
   name: firewall_severity
   options:
@@ -77,8 +77,8 @@ configuration:
   - Low
   - Informational
   - Unused
-  required: false
   type: 16
+  required: false
 - display: Subtype of events to fetch (Firewall)
   name: firewall_subtype
   options:
@@ -111,39 +111,39 @@ configuration:
   - spyware-wpc-raven
   - wpc-virus
   - sctp
-  required: false
   type: 16
+  required: false
 - additionalinfo: Comma-separated fields that will be fetched with every incident, e.g., "pcap,session_id". Enter "*" for all possible fields.
   defaultvalue: '*'
   display: Fetch Fields
   name: fetch_fields
-  required: false
   type: 12
+  required: false
 - additionalinfo: 'Filter the fetched incidents according to the given query. Query example: "source_ip.value LIKE `192.168.1.*` AND dst = `192.168.1.12`" Note: Can not be used in combination with `Severity` and `Subtype` parameters.'
   display: Fetch Filter
   name: filter_query
-  required: false
   type: 12
+  required: false
 - display: Incident type
   name: incidentType
-  required: false
   type: 13
+  required: false
 - additionalinfo: "The maximum number of incidents to fetch per query.\t\nCaution: A large number could create overload. Default is 10."
-  defaultvalue: "10"
+  defaultvalue: '10'
   display: Max. number of incidents fetched per query
   name: limit
-  required: false
   type: 0
-- defaultvalue: "false"
+  required: false
+- defaultvalue: 'false'
   display: Use system proxy settings
   name: proxy
-  required: false
   type: 8
-- defaultvalue: "false"
+  required: false
+- defaultvalue: 'false'
   display: Trust any certificate (not secure)
   name: insecure
-  required: false
   type: 8
+  required: false
 - defaultvalue: "1"
   display: Incidents Fetch Interval
   name: incidentFetchInterval
@@ -161,20 +161,20 @@ script:
         There are multiple tables in Loggings, for example: threat, traffic, and so on.
         Refer to the Cortex Logging service schema reference for the full list.
       name: query
-    - defaultValue: "10"
+    - defaultValue: '10'
       description: The maximum number of logs to return. Default is 10.
       name: limit
     - auto: PREDEFINED
-      defaultValue: "true"
+      defaultValue: 'true'
       description: If set to false, query results are not mapped into the standard command context. Default is "true".
       name: transform_results
       predefined:
-      - "true"
-      - "false"
-    - description: Page to return.
-      name: page
-    - description: Number of entries per page. Defaults to 50 (in case only page was provided).
-      name: page_size
+      - 'true'
+      - 'false'
+    - name: page
+      description: Page to return.
+    - name: page_size
+      description: Number of entries per page. Defaults to 50 (in case only page was provided).
     description: Runs a query on  any table or field.
     execution: true
     name: cdl-query-logs
@@ -239,22 +239,22 @@ script:
       name: start_time
     - description: The query end time. For example, end_time="2018-04-26 00:00:00".
       name: end_time
-    - defaultValue: "10"
+    - defaultValue: '10'
       description: The maximum number of logs to return. Default is 10.
       name: limit
     - description: First log time (<number> <time unit>, e.g., 12 minutes, 7 days, 3 weeks).
       name: time_range
     - auto: PREDEFINED
-      defaultValue: "true"
+      defaultValue: 'true'
       description: If set to false, query results are not mapped into the standard command context. Default is "true".
       name: transform_results
       predefined:
-      - "true"
-      - "false"
-    - description: Page to return.
-      name: page
-    - description: Number of entries per page. Defaults to 50 (in case only page was provided).
-      name: page_size
+      - 'true'
+      - 'false'
+    - name: page
+      description: Page to return.
+    - name: page_size
+      description: Number of entries per page. Defaults to 50 (in case only page was provided).
     description: Runs a query on the threat table according to preset queries.
     name: cdl-get-critical-threat-logs
     outputs:
@@ -390,15 +390,15 @@ script:
       name: start_time
     - description: Query end time. For example, end_time="2018-04-26 00:00:00".
       name: end_time
-    - defaultValue: "10"
+    - defaultValue: '10'
       description: The maximum number of logs to return. Default is 10.
       name: limit
     - description: First log time (<number> <time unit>, e.g., 12 minutes, 7 days, 3 weeks).
       name: time_range
-    - description: Page to return.
-      name: page
-    - description: Number of entries per page. Defaults to 50 (in case only page was provided).
-      name: page_size
+    - name: page
+      description: Page to return.
+    - name: page_size
+      description: Number of entries per page. Defaults to 50 (in case only page was provided).
     description: Runs a query on traffic table where app_sub_category = "social networking".
     name: cdl-get-social-applications
     outputs:
@@ -522,7 +522,7 @@ script:
       name: start_time
     - description: The query end time. For example, end_time="2018-04-26 00:00:00".
       name: end_time
-    - defaultValue: "10"
+    - defaultValue: '10'
       description: The maximum number of logs to return. Default is 10.
       name: limit
     - description: First log time (<number> <time unit>, e.g., 12 minutes, 7 days, 3 weeks).
@@ -530,10 +530,10 @@ script:
     - description: The SHA256 hash of the file for the query. For example, SHA256="503ca1a4fc0d48b18c0336f544ba0f0abf305ae3a3f49b3c2b86b8645d6572dc" would return all logs associated with this file.
       name: SHA256
       required: true
-    - description: Page to return.
-      name: page
-    - description: Number of entries per page. Defaults to 50 (in case only page was provided).
-      name: page_size
+    - name: page
+      description: Page to return.
+    - name: page_size
+      description: Number of entries per page. Defaults to 50 (in case only page was provided).
     description: Runs a query on the threat table with the query 'SELECT * FROM `firewall.threat` WHERE file_sha_256 = <file_hash>'.
     name: cdl-search-by-file-hash
     outputs:
@@ -824,13 +824,13 @@ script:
       name: end_time
     - description: First log time (<number> <time unit>, e.g., 12 minutes, 7 days, 3 weeks).
       name: time_range
-    - defaultValue: "5"
+    - defaultValue: '5'
       description: The maximum number of logs to return. Default is 5.
       name: limit
-    - description: Page to return.
-      name: page
-    - description: Number of entries per page. Defaults to 50 (in case only page was provided).
-      name: page_size
+    - name: page
+      description: Page to return.
+    - name: page_size
+      description: Number of entries per page. Defaults to 50 (in case only page was provided).
     - description: A destination IP address or an array of destination IPs addresses for which to search, for example 1.1.1.1,2.2.2.2.
       name: dest_ip
     - description: Destination port utilized by the session. Can be port number or an array of destination port numbers to search. For example '443' or '443,445'.
@@ -1149,13 +1149,13 @@ script:
       name: end_time
     - description: First log time (<number> <time unit>, e.g., 12 minutes, 7 days, 3 weeks).
       name: time_range
-    - defaultValue: "5"
+    - defaultValue: '5'
       description: The maximum number of logs to return. Default is 5.
       name: limit
-    - description: Page to return.
-      name: page
-    - description: Number of entries per page. Defaults to 50 (in case only page was provided).
-      name: page_size
+    - name: page
+      description: Page to return.
+    - name: page_size
+      description: Number of entries per page. Defaults to 50 (in case only page was provided).
     - description: The IP address or an array of IP addresses for which to search. For example 1.1.1.1,2.2.2.2. Used instead of the source/destination IP address.
       name: ip
     - description: The port or array of ports to search. Used instead of the source/destination port.
@@ -1480,10 +1480,10 @@ script:
       name: time_range
     - description: The maximum number of logs to return. Default is 5.
       name: limit
-    - description: Page to return.
-      name: page
-    - description: Number of entries per page. Defaults to 50 (in case only page was provided).
-      name: page_size
+    - name: page
+      description: Page to return.
+    - name: page_size
+      description: Number of entries per page. Defaults to 50 (in case only page was provided).
     - description: The IP address or an array of IP addresses for which to search. For example 1.1.1.1,2.2.2.2. Used instead of the source/destination IP address.
       name: ip
     - description: The port or array of ports to search. Used instead of the source/destination port.
@@ -1775,13 +1775,13 @@ script:
       name: end_time
     - description: First log time (<number> <time unit>. For example, 12 minutes, 7 days, 3 weeks).
       name: time_range
-    - defaultValue: "5"
+    - defaultValue: '5'
       description: The maximum number of logs to return. Default is 5.
       name: limit
-    - description: Page to return.
-      name: page
-    - description: Number of entries per page. Defaults to 50 (in case only page was provided).
-      name: page_size
+    - name: page
+      description: Page to return.
+    - name: page_size
+      description: Number of entries per page. Defaults to 50 (in case only page was provided).
     description: Searches the Cortex firewall.file_data table.
     name: cdl-query-file-data
     outputs:
@@ -2024,9 +2024,9 @@ script:
     - contextPath: CDL.Logging.File.LogSource
       description: Identifies the origin of the data (the system that produced the data.
       type: String
-  - arguments: []
-    description: Use this command in case your authentication calls fail due to internal call-limit, the command will reset the limit cache.
+  - description: Use this command in case your authentication calls fail due to internal call-limit, the command will reset the limit cache.
     name: cdl-reset-authentication-timeout
+    arguments: []
   - arguments:
     - defaultValue: "10"
       description: The maximum number of logs to return. Default is 10.
@@ -2177,13 +2177,12 @@ script:
       description: Tunnel Type i.e. SSL or VPN.
     - contextPath: CDL.Logging.GlobalProtect.VendorName
       description: The vendor that produced the data.
-  dockerimage: demisto/python_pancloud_v2:1.0.0.117311
+  dockerimage: demisto/python_pancloud_v2:1.0.0.2027056
   isfetch: true
   runonce: false
   script: ''
   subtype: python3
   type: python
-sourcemoduleid: Cortex Data Lake
 tests:
 - Cortex Data Lake Test
-fromversion: 5.0.0
\ No newline at end of file
+fromversion: 5.0.0

From 53f37135127d0bb05714f933c0912ab6a12bba8f Mon Sep 17 00:00:00 2001
From: Ali Sawyer <asawyer@paloaltonetworks.com>
Date: Mon, 3 Mar 2025 14:41:32 -0700
Subject: [PATCH 5/5] add docker update note to RNs

---
 Packs/CortexDataLake/ReleaseNotes/1_5_0.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Packs/CortexDataLake/ReleaseNotes/1_5_0.md b/Packs/CortexDataLake/ReleaseNotes/1_5_0.md
index 13773eb48dae..d45866bcae77 100644
--- a/Packs/CortexDataLake/ReleaseNotes/1_5_0.md
+++ b/Packs/CortexDataLake/ReleaseNotes/1_5_0.md
@@ -4,3 +4,4 @@
 ##### Cortex Data Lake
 
 - Added a new command **cdl-query-gp-logs** to query GlobalProtect VPN logs.
+- Updated the Docker image to: *demisto/python_pancloud_v2:1.0.0.2027056*.