Merge pull request #19 from splunk-soar-connectors/next

Merging next to main for release 3.6.2

.github/workflows/generate-doc.yml

@@ -0,0 +1,20 @@
+name: Generate Readme Doc
+on:
+  workflow_dispatch:
+  push:
+    paths:
+      - '*.json'
+      - 'readme.html'
+      - 'manual_readme_content.md'
+    tags-ignore:
+      - '**'
+    branches-ignore:
+      - next
+      - main
+jobs:
+  generate-doc:
+    runs-on: ubuntu-latest
+    steps:
+     - uses: 'phantomcyber/dev-cicd-tools/github-actions/generate-doc@main'
+       with:
+         GITHUB_TOKEN: ${{ secrets.SOAR_APPS_TOKEN }}

.pre-commit-config.yaml

@@ -1,6 +1,6 @@
 repos:
 -   repo: https://github.com/phantomcyber/dev-cicd-tools
-    rev: v1.15
+    rev: v1.16
     hooks:
     -   id: org-hook
     -   id: package-app-dependencies

LICENSE

@@ -186,7 +186,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright (c) 2016-2023 Splunk Inc.
+   Copyright (c) 2016-2024 Splunk Inc.
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.

NOTICE

@@ -1,5 +1,5 @@
 Splunk SOAR Phantom
-Copyright (c) 2016-2022 Splunk Inc.
+Copyright (c) 2016-2024 Splunk Inc.
 
 Third-party Software Attributions:
 
@@ -14,8 +14,3 @@ Library: python-magic
 Version: 0.4.18
 License: MIT
 Copyright 2001-2014 Adam Hupp
-
-Library: requests
-Version: 2.25.0
-License: Apache 2.0
-Kenneth Reitz

__init__.py

@@ -1,6 +1,6 @@
 # File: __init__.py
 #
-# Copyright (c) 2016-2023 Splunk Inc.
+# Copyright (c) 2016-2024 Splunk Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

manual_readme_content.md

@@ -0,0 +1,117 @@
+[comment]: # " File: README.md"
+[comment]: # "  Copyright (c) 2016-2024 Splunk Inc."
+[comment]: # ""
+[comment]: # "Licensed under the Apache License, Version 2.0 (the 'License');"
+[comment]: # "you may not use this file except in compliance with the License."
+[comment]: # "You may obtain a copy of the License at"
+[comment]: # ""
+[comment]: # "    http://www.apache.org/licenses/LICENSE-2.0"
+[comment]: # ""
+[comment]: # "Unless required by applicable law or agreed to in writing, software distributed under"
+[comment]: # "the License is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,"
+[comment]: # "either express or implied. See the License for the specific language governing permissions"
+[comment]: # "and limitations under the License."
+[comment]: # ""
+The auth_token config parameter is for use with Phantom instances. If both the token and
+username/password are given, the username and password will be used to authenticate to the Phantom
+instance.  
+
+Note that the IP (or name) being used must match the allowed IP in the remote Phantom instance's
+REST asset configuration.  
+
+In case the **phantom_server** configuration parameter is set to the current Phantom instance, i.e.,
+the Phantom server through which the app is being used, then the **verify_certificate** should be
+set to False in the asset configuration.  
+
+For information on how to obtain an authorization token, see Provisioning an Authorization Token in
+the Phantom REST Overview documentation.  
+
+If the value provided in the **phantom_server** configuration parameter is 0.0.0.0 then the **test
+connectivity** passes successfully and the actions will run on the current phantom instance, i.e.,
+the server through which the app is being used.  
+
+See [KB article 7](https://my.phantom.us/kb/7/) and [KB article 16](https://my.phantom.us/kb/16/) on
+how to create and verify a valid HTTPS certificate for your Phantom instance.  
+
+For security reasons, accessing 127.0.0.1 is not allowed.  
+
+For NRI instances, the Device IP/Hostname configuration parameter needs to specify the port number
+as well. (Eg. x.x.x.x:9999)
+
+## Playbook Backward Compatibility
+
+-   The existing action parameters have been modified in the actions given below. Hence, it is
+    requested to the end-user to please update their existing playbooks by re-inserting the
+    corresponding action blocks or by providing appropriate values to these action parameters to
+    ensure the correct functioning of the playbooks created on the earlier versions of the app.
+
+      
+
+    -   Update List - The **row_values_as_list** parameter, has been changed from the
+        comma-separated new values to a JSON formatted list of new values. This will allow the user
+        to provide a value containing a comma(',') character. The example for the same has been
+        updated in the example values.
+
+    -   Add Artifact - The **contains** parameter, can take a string(or a comma-separated list of
+        string) or a JSON dictionary, with the keys matching the keys of the **cef_dictionary** and
+        the values being lists of possible contains for the CEF field. In case, the **contains**
+        parameter is a string(or a comma-separated list of string), the provided value will map to
+        the **cef_name** parameter.  
+        The output datapaths, **action_result.summary.artifact id** and
+        **action_result.summary.container id** have been replaced with
+        **action_result.summary.artifact_id** and **action_result.summary.container_id** ,
+        respectively.
+
+    -   Find Artifacts - The **action_result.summary.artifacts found** datapath has been replaced
+        with **action_result.summary.artifacts_found.**
+
+    -   Find Listitem - The **action_result.summary.found matches** datapath has been replaced with
+        **action_result.summary.found_matches.**
+
+    -   Update Artifact Tags - The following output datapaths have been added:
+
+          
+
+        -   action_result.summary.tags_added
+        -   action_result.summary.tags_already_absent
+        -   action_result.summary.tags_already_present
+        -   action_result.summary.tags_removed
+
+    -   Update Artifact - The action parameters of this action have been modified. Please update
+        your existing playbooks according to the new parameters. Below is the list of the added
+        parameters:
+
+          
+
+        -   name: Artifact name (Always overwrites, if provided)
+        -   label: Artifact label (Always overwrites, if provided)
+        -   severity: Artifact severity (Always overwrites, if provided)
+        -   cef_types_json: JSON format of the CEF types (e.g., {'myIP': \['ip', 'ipv6'\]})
+        -   tags: Comma-separated list of tags to add or replace in the artifact
+        -   overwrite: Overwrite artifacts with provided input (applies to: cef_json, contains_json,
+            tags)
+        -   artifact_json: JSON format of entire artifact (Always overwrites provided keys)
+
+        For further details, check the **update artifact** section.
+
+## Port Information
+
+The app uses HTTP/ HTTPS protocol for communicating with the Phantom server. Below are the default
+ports used by Splunk SOAR.
+
+| SERVICE NAME | TRANSPORT PROTOCOL | PORT |
+|--------------|--------------------|------|
+| http         | tcp                | 80   |
+| https        | tcp                | 443  |
+
+## Known Issues
+
+-   The **find listitem** action is unable to fetch the list, where the **list name** contains a
+    forward slash('/') character.
+-   The **add listitem** action is unable to update the list, where the **list name** contains a
+    forward slash('/') character.
+-   The **find artifacts** action does not work as per the expectation, for the case where we have a
+    backslash('\\') character in the cef_value. This happens for both exact match and
+    non-exact-match.
+-   The **find artifacts** action is unable to fetch the artifacts, where cef values contain Unicode
+    character(s), on Phantom version 4.8.23319. The action works fine on Phantom version 4.5.15922.

phantom.json

@@ -6,7 +6,7 @@
     "publisher": "Splunk",
     "type": "information",
     "main_module": "phantom_connector.py",
-    "app_version": "3.6.1",
+    "app_version": "3.6.2",
     "latest_tested_versions": [
         "Splunk Phantom PlatformAPI v5.3.1",
         "SOAR On-prem v5.3.1.84890",
@@ -19,7 +19,7 @@
     "product_version_regex": ".*",
     "min_phantom_version": "5.2.0",
     "fips_compliant": true,
-    "license": "Copyright (c) 2016-2023 Splunk Inc.",
+    "license": "Copyright (c) 2016-2024 Splunk Inc.",
     "logo": "logo_splunk.svg",
     "contributors": [
         {
@@ -2481,32 +2481,28 @@
                 "input_file": "wheels/py3/beautifulsoup4-4.9.1-py3-none-any.whl"
             },
             {
-                "module": "certifi",
-                "input_file": "wheels/py3/certifi-2022.5.18.1-py3-none-any.whl"
+                "module": "python_magic",
+                "input_file": "wheels/shared/python_magic-0.4.18-py2.py3-none-any.whl"
             },
             {
-                "module": "chardet",
-                "input_file": "wheels/shared/chardet-3.0.4-py2.py3-none-any.whl"
-            },
+                "module": "soupsieve",
+                "input_file": "wheels/py3/soupsieve-2.3.2.post1-py3-none-any.whl"
+            }
+        ]
+    },
+    "pip39_dependencies": {
+        "wheel": [
             {
-                "module": "idna",
-                "input_file": "wheels/shared/idna-2.10-py2.py3-none-any.whl"
+                "module": "beautifulsoup4",
+                "input_file": "wheels/py3/beautifulsoup4-4.9.1-py3-none-any.whl"
             },
             {
                 "module": "python_magic",
                 "input_file": "wheels/shared/python_magic-0.4.18-py2.py3-none-any.whl"
             },
-            {
-                "module": "requests",
-                "input_file": "wheels/shared/requests-2.25.0-py2.py3-none-any.whl"
-            },
             {
                 "module": "soupsieve",
-                "input_file": "wheels/py3/soupsieve-2.3.2.post1-py3-none-any.whl"
-            },
-            {
-                "module": "urllib3",
-                "input_file": "wheels/shared/urllib3-1.26.9-py2.py3-none-any.whl"
+                "input_file": "wheels/py3/soupsieve-2.5-py3-none-any.whl"
             }
         ]
     }

phantom_connector.py

@@ -1,6 +1,6 @@
 # File: phantom_connector.py
 #
-# Copyright (c) 2016-2023 Splunk Inc.
+# Copyright (c) 2016-2024 Splunk Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -746,9 +746,9 @@ def _add_file_to_vault(self, action_result, data_stream, file_name, recursive, c
             with open(save_path, 'wb') as uncompressed_file:
                 uncompressed_file.write(data_stream)
         except IOError as e:
-            error_msg = self._get_error_message_from_exception(e)
+            error_message = self._get_error_message_from_exception(e)
             try:
-                if "File name too long" in error_msg:
+                if "File name too long" in error_message:
                     new_file_name = "ph_long_file_name_{}{}".format(self._level, random_suffix)
                     save_path = os.path.join(vault_tmp_dir, new_file_name)
                     self.debug_print("Original filename: {}".format(file_name))
@@ -897,9 +897,9 @@ def _extract_file(self, action_result, file_path, file_name, recursive, containe
                         if phantom.is_fail(ret_val):
                             return ret_val
             except Exception as e:
-                error_msg = self._get_error_message_from_exception(e)
-                error_msg = error_msg.replace(compressed_file, file_name)
-                return action_result.set_status(phantom.APP_ERROR, "Unable to open the zip file: {}. {}".format(file_path, error_msg))
+                error_message = self._get_error_message_from_exception(e)
+                error_message = error_message.replace(compressed_file, file_name)
+                return action_result.set_status(phantom.APP_ERROR, "Unable to open the zip file: {}. {}".format(file_path, error_message))
 
             return (phantom.APP_SUCCESS)
 

phantom_consts.py

@@ -1,6 +1,6 @@
 # File: phantom_consts.py
 #
-# Copyright (c) 2016-2023 Splunk Inc.
+# Copyright (c) 2016-2024 Splunk Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

phantom_multiple_actions.html

@@ -10,7 +10,7 @@
 {% block widget_content %} <!-- Main Start Block -->
 
 <!--  File: phantom_multiple_actions.html
-  Copyright (c) 2016-2023 Splunk Inc.
+  Copyright (c) 2016-2024 Splunk Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

phantom_views.py

@@ -1,6 +1,6 @@
 # File: phantom_views.py
 #
-# Copyright (c) 2016-2023 Splunk Inc.
+# Copyright (c) 2016-2024 Splunk Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

release_notes/3.6.2.md

@@ -0,0 +1 @@
+* Updated requests and certifi dependencies in order to use platform packages [PAPP-30822,PAPP-31096]