From 414b5668d9cf73d38c476da084009694e8ee000c Mon Sep 17 00:00:00 2001 
From: arvidb Date: Tue, 21 Apr 2026 11:57:28 -0400 Subject: [PATCH 1/2] Adding Checkpoint HEC response integration --- .../community/check_point_hec/__init__.py | 0 .../check_point_hec/actions/__init__.py | 0 .../actions/create_anomaly_exc.py | 47 + .../actions/create_anomaly_exc.yaml | 17 + .../check_point_hec/actions/create_ap_exc.py | 170 ++++ .../actions/create_ap_exc.yaml | 135 +++ .../actions/create_avdlp_exc.py | 24 + .../actions/create_avdlp_exc.yaml | 61 ++ .../actions/create_avurl_exc.py | 24 + .../actions/create_avurl_exc.yaml | 61 ++ .../check_point_hec/actions/create_cp2_exc.py | 35 + .../actions/create_cp2_exc.yaml | 61 ++ .../actions/create_ctp_list_item.py | 55 ++ .../actions/create_ctp_list_item.yaml | 26 + .../actions/delete_anomaly_excs.py | 33 + .../actions/delete_anomaly_excs.yaml | 12 + .../check_point_hec/actions/delete_ap_exc.py | 40 + .../actions/delete_ap_exc.yaml | 21 + .../actions/delete_avdlp_exc.py | 24 + .../actions/delete_avdlp_exc.yaml | 32 + .../actions/delete_avdlp_excs.py | 24 + .../actions/delete_avdlp_excs.yaml | 32 + .../actions/delete_avurl_exc.py | 24 + .../actions/delete_avurl_exc.yaml | 32 + .../actions/delete_avurl_excs.py | 24 + .../actions/delete_avurl_excs.yaml | 32 + .../check_point_hec/actions/delete_cp2_exc.py | 24 + .../actions/delete_cp2_exc.yaml | 32 + .../actions/delete_cp2_excs.py | 24 + .../actions/delete_cp2_excs.yaml | 32 + .../actions/delete_ctp_list_item.py | 34 + .../actions/delete_ctp_list_item.yaml | 12 + .../actions/delete_ctp_list_items.py | 34 + .../actions/delete_ctp_list_items.yaml | 12 + .../actions/delete_ctp_lists.py | 24 + .../actions/delete_ctp_lists.yaml | 7 + .../check_point_hec/actions/download_email.py | 39 + .../actions/download_email.yaml | 17 + .../actions/get_action_result.py | 32 + .../actions/get_action_result.yaml | 12 + .../actions/get_anomaly_excs.py | 24 + .../actions/get_anomaly_excs.yaml | 7 + .../check_point_hec/actions/get_ap_excs.py | 41 + 
.../check_point_hec/actions/get_ap_excs.yaml | 21 + .../check_point_hec/actions/get_avdlp_exc.py | 24 + .../actions/get_avdlp_exc.yaml | 22 + .../check_point_hec/actions/get_avdlp_excs.py | 24 + .../actions/get_avdlp_excs.yaml | 57 ++ .../check_point_hec/actions/get_avurl_exc.py | 24 + .../actions/get_avurl_exc.yaml | 22 + .../check_point_hec/actions/get_avurl_excs.py | 24 + .../actions/get_avurl_excs.yaml | 57 ++ .../check_point_hec/actions/get_cp2_exc.py | 24 + .../check_point_hec/actions/get_cp2_exc.yaml | 22 + .../check_point_hec/actions/get_cp2_excs.py | 24 + .../check_point_hec/actions/get_cp2_excs.yaml | 57 ++ .../check_point_hec/actions/get_ctp_list.py | 33 + .../check_point_hec/actions/get_ctp_list.yaml | 12 + .../actions/get_ctp_list_item.py | 33 + .../actions/get_ctp_list_item.yaml | 12 + .../actions/get_ctp_list_items.py | 24 + .../actions/get_ctp_list_items.yaml | 7 + .../check_point_hec/actions/get_ctp_lists.py | 24 + .../actions/get_ctp_lists.yaml | 7 + .../check_point_hec/actions/get_entity.py | 33 + .../check_point_hec/actions/get_entity.yaml | 12 + .../check_point_hec/actions/get_events.py | 81 ++ .../check_point_hec/actions/get_events.yaml | 69 ++ .../check_point_hec/actions/get_scan_info.py | 54 ++ .../actions/get_scan_info.yaml | 17 + .../community/check_point_hec/actions/ping.py | 34 + .../check_point_hec/actions/ping.yaml | 7 + .../actions/report_mis_classification.py | 53 ++ .../actions/report_mis_classification.yaml | 31 + .../check_point_hec/actions/search_emails.py | 239 +++++ .../actions/search_emails.yaml | 179 ++++ .../check_point_hec/actions/send_action.py | 59 ++ .../check_point_hec/actions/send_action.yaml | 34 + .../check_point_hec/actions/update_ap_exc.py | 181 ++++ .../actions/update_ap_exc.yaml | 140 +++ .../actions/update_avdlp_exc.py | 24 + .../actions/update_avdlp_exc.yaml | 36 + .../actions/update_avurl_exc.py | 24 + .../actions/update_avurl_exc.yaml | 36 + .../check_point_hec/actions/update_cp2_exc.py | 24 + 
.../actions/update_cp2_exc.yaml | 36 + .../actions/update_ctp_list_item.py | 60 ++ .../actions/update_ctp_list_item.yaml | 27 + .../check_point_hec/core/__init__.py | 0 .../check_point_hec/core/api_clients.py | 826 ++++++++++++++++++ .../community/check_point_hec/core/auth.py | 57 ++ .../check_point_hec/core/auth_managers.py | 118 +++ .../check_point_hec/core/base_action.py | 31 + .../check_point_hec/core/constants.py | 119 +++ .../core/create_sectool_exc.py | 96 ++ .../check_point_hec/core/data_models.py | 9 + .../core/delete_sectool_exc.py | 57 ++ .../core/delete_sectool_excs.py | 57 ++ .../check_point_hec/core/exceptions.py | 6 + .../check_point_hec/core/get_sectool_exc.py | 40 + .../check_point_hec/core/get_sectool_excs.py | 80 ++ .../core/update_sectool_exc.py | 60 ++ .../community/check_point_hec/definition.yaml | 28 + .../community/check_point_hec/pyproject.toml | 30 + .../check_point_hec/release_notes.yaml | 7 + .../resources/checkpoint-image.png | Bin 0 -> 5377 bytes .../resources/checkpoint-logo.svg | 1 + 107 files changed, 5119 insertions(+) create mode 100644 content/response_integrations/third_party/community/check_point_hec/__init__.py create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/__init__.py create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/create_anomaly_exc.py create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/create_anomaly_exc.yaml create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/create_ap_exc.py create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/create_ap_exc.yaml create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/create_avdlp_exc.py create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/create_avdlp_exc.yaml create mode 100644 
content/response_integrations/third_party/community/check_point_hec/actions/create_avurl_exc.py create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/create_avurl_exc.yaml create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/create_cp2_exc.py create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/create_cp2_exc.yaml create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/create_ctp_list_item.py create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/create_ctp_list_item.yaml create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/delete_anomaly_excs.py create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/delete_anomaly_excs.yaml create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/delete_ap_exc.py create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/delete_ap_exc.yaml create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/delete_avdlp_exc.py create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/delete_avdlp_exc.yaml create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/delete_avdlp_excs.py create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/delete_avdlp_excs.yaml create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/delete_avurl_exc.py create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/delete_avurl_exc.yaml create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/delete_avurl_excs.py create mode 100644 
content/response_integrations/third_party/community/check_point_hec/actions/delete_avurl_excs.yaml create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/delete_cp2_exc.py create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/delete_cp2_exc.yaml create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/delete_cp2_excs.py create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/delete_cp2_excs.yaml create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/delete_ctp_list_item.py create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/delete_ctp_list_item.yaml create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/delete_ctp_list_items.py create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/delete_ctp_list_items.yaml create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/delete_ctp_lists.py create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/delete_ctp_lists.yaml create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/download_email.py create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/download_email.yaml create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/get_action_result.py create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/get_action_result.yaml create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/get_anomaly_excs.py create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/get_anomaly_excs.yaml create mode 100644 
content/response_integrations/third_party/community/check_point_hec/actions/get_ap_excs.py create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/get_ap_excs.yaml create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/get_avdlp_exc.py create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/get_avdlp_exc.yaml create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/get_avdlp_excs.py create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/get_avdlp_excs.yaml create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/get_avurl_exc.py create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/get_avurl_exc.yaml create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/get_avurl_excs.py create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/get_avurl_excs.yaml create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/get_cp2_exc.py create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/get_cp2_exc.yaml create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/get_cp2_excs.py create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/get_cp2_excs.yaml create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/get_ctp_list.py create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/get_ctp_list.yaml create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/get_ctp_list_item.py create mode 100644 
content/response_integrations/third_party/community/check_point_hec/actions/get_ctp_list_item.yaml create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/get_ctp_list_items.py create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/get_ctp_list_items.yaml create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/get_ctp_lists.py create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/get_ctp_lists.yaml create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/get_entity.py create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/get_entity.yaml create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/get_events.py create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/get_events.yaml create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/get_scan_info.py create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/get_scan_info.yaml create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/ping.py create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/ping.yaml create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/report_mis_classification.py create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/report_mis_classification.yaml create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/search_emails.py create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/search_emails.yaml create mode 100644 
content/response_integrations/third_party/community/check_point_hec/actions/send_action.py create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/send_action.yaml create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/update_ap_exc.py create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/update_ap_exc.yaml create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/update_avdlp_exc.py create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/update_avdlp_exc.yaml create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/update_avurl_exc.py create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/update_avurl_exc.yaml create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/update_cp2_exc.py create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/update_cp2_exc.yaml create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/update_ctp_list_item.py create mode 100644 content/response_integrations/third_party/community/check_point_hec/actions/update_ctp_list_item.yaml create mode 100644 content/response_integrations/third_party/community/check_point_hec/core/__init__.py create mode 100644 content/response_integrations/third_party/community/check_point_hec/core/api_clients.py create mode 100644 content/response_integrations/third_party/community/check_point_hec/core/auth.py create mode 100644 content/response_integrations/third_party/community/check_point_hec/core/auth_managers.py create mode 100644 content/response_integrations/third_party/community/check_point_hec/core/base_action.py create mode 100644 content/response_integrations/third_party/community/check_point_hec/core/constants.py create 
mode 100644 content/response_integrations/third_party/community/check_point_hec/core/create_sectool_exc.py create mode 100644 content/response_integrations/third_party/community/check_point_hec/core/data_models.py create mode 100644 content/response_integrations/third_party/community/check_point_hec/core/delete_sectool_exc.py create mode 100644 content/response_integrations/third_party/community/check_point_hec/core/delete_sectool_excs.py create mode 100644 content/response_integrations/third_party/community/check_point_hec/core/exceptions.py create mode 100644 content/response_integrations/third_party/community/check_point_hec/core/get_sectool_exc.py create mode 100644 content/response_integrations/third_party/community/check_point_hec/core/get_sectool_excs.py create mode 100644 content/response_integrations/third_party/community/check_point_hec/core/update_sectool_exc.py create mode 100644 content/response_integrations/third_party/community/check_point_hec/definition.yaml create mode 100644 content/response_integrations/third_party/community/check_point_hec/pyproject.toml create mode 100644 content/response_integrations/third_party/community/check_point_hec/release_notes.yaml create mode 100644 content/response_integrations/third_party/community/check_point_hec/resources/checkpoint-image.png create mode 100644 content/response_integrations/third_party/community/check_point_hec/resources/checkpoint-logo.svg diff --git a/content/response_integrations/third_party/community/check_point_hec/__init__.py b/content/response_integrations/third_party/community/check_point_hec/__init__.py new file mode 100644 index 000000000..e69de29bb diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/__init__.py b/content/response_integrations/third_party/community/check_point_hec/actions/__init__.py new file mode 100644 index 000000000..e69de29bb 
diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/create_anomaly_exc.py b/content/response_integrations/third_party/community/check_point_hec/actions/create_anomaly_exc.py new file mode 100644 index 000000000..08588199e --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/create_anomaly_exc.py @@ -0,0 +1,47 @@ +import json + +from TIPCommon.validation import ParameterValidator + +from ..core.base_action import BaseAction +from ..core.constants import CREATE_ANOMALY_EXC_SCRIPT_NAME + +SUCCESS_MESSAGE: str = "Successfully created Anomaly exception!" +ERROR_MESSAGE: str = "Failed creating Anomaly exception!" + + +class CreateAnomalyException(BaseAction): + + def __init__(self) -> None: + super().__init__(CREATE_ANOMALY_EXC_SCRIPT_NAME) + self.output_message: str = SUCCESS_MESSAGE + self.error_output_message: str = ERROR_MESSAGE + + def _extract_action_parameters(self) -> None: + self.params.request_json = self.soar_action.parameters.get( + siemplify=self.soar_action, + param_name="Request JSON", + print_value=True, + is_mandatory=True + ) + self.params.added_by = self.soar_action.extract_action_param( + param_name="Added By", + print_value=True, + is_mandatory=False + ) + + def _validate_params(self) -> None: + validator: ParameterValidator = ParameterValidator(self.soar_action) + validator.validate_json(param_name="Request JSON", json_string=self.params.request_json) + + def _perform_action(self, _=None) -> None: + request_json = json.loads(self.params.request_json) + added_by = self.params.added_by + self.json_results = self.api_client.create_anomaly_exception(request_json=request_json, added_by=added_by) + + +def main() -> None: + CreateAnomalyException().run() + + +if __name__ == "__main__": + main() 
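Review bot: `_extract_action_parameters` reads the mandatory "Request JSON" through `self.soar_action.parameters.get(siemplify=..., param_name=..., print_value=..., is_mandatory=...)`, while the sibling "Added By" parameter goes through `extract_action_param`; if `parameters` is the SDK's plain dict, `dict.get` rejects keyword arguments with a `TypeError` and the action fails before `_validate_params` ever runs. It should be `self.params.request_json = self.soar_action.extract_action_param(param_name="Request JSON", print_value=True, is_mandatory=True)`, matching the other parameter. Note also that `validate_json` only checks the string parses; `_perform_action` forwards the parsed object to `create_anomaly_exception` unchanged, so a playbook-supplied payload is trusted as-is — a comment such as `# payload is forwarded verbatim; the HEC API is expected to enforce its schema` would make that contract explicit, or a minimal shape check (e.g. `isinstance(request_json, dict)`) could be added here.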
diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/create_anomaly_exc.yaml b/content/response_integrations/third_party/community/check_point_hec/actions/create_anomaly_exc.yaml new file mode 100644 index 000000000..6c34f7448 --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/create_anomaly_exc.yaml @@ -0,0 +1,17 @@ +creator: admin +description: Create an exception for Anomaly Security Tool. +dynamic_results_metadata: [] +integration_identifier: CheckPointHEC +name: Create Anomaly Exception +parameters: +- default_value: '{}' + description: Anomaly exception request in JSON format. + is_mandatory: true + name: Request JSON + type: string +- default_value: '' + description: User id exception creator + is_mandatory: false + name: Added By + type: string +script_result_name: is_success diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/create_ap_exc.py b/content/response_integrations/third_party/community/check_point_hec/actions/create_ap_exc.py new file mode 100644 index 000000000..be5baa2ed --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/create_ap_exc.py 
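Review bot: The `Request JSON` description (`Anomaly exception request in JSON format.`) does not tell a playbook author which fields the payload must contain, although the action sends the parsed object to the API as the whole request; replace it with something like `description: Body of the Anomaly exception request, forwarded to the HEC API as-is (see the Check Point HEC API reference for the expected fields).` The `Added By` description `User id exception creator` is also ungrammatical — `description: User ID recorded as the creator of the exception.` reads correctly and makes clear this is attribution supplied by the caller.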
@@ -0,0 +1,170 @@ +from ..core.base_action import BaseAction +from ..core.constants import CREATE_AP_EXC_SCRIPT_NAME + +SUCCESS_MESSAGE: str = "Successfully created Anti-Phishing exception!" +ERROR_MESSAGE: str = "Failed creating Anti-Phishing exception!" + + +class CreateAPException(BaseAction): + + def __init__(self) -> None: + super().__init__(CREATE_AP_EXC_SCRIPT_NAME) + self.output_message: str = SUCCESS_MESSAGE + self.error_output_message: str = ERROR_MESSAGE + + def _extract_action_parameters(self) -> None: + self.params.exception_type = self.soar_action.extract_action_param( + param_name="Exception Type", + print_value=True, + is_mandatory=True, + default_value=None, + ) + self.params.entity_id = self.soar_action.extract_action_param( + param_name="Entity ID", + print_value=True, + is_mandatory=False + ) + self.params.attachment_md5 = self.soar_action.extract_action_param( + param_name="Attachment MD5", + print_value=True, + is_mandatory=False + ) + self.params.from_email = self.soar_action.extract_action_param( + param_name="From Email", + print_value=True, + is_mandatory=False + ) + self.params.nickname = self.soar_action.extract_action_param( + param_name="Nickname", + print_value=True, + is_mandatory=False + ) + self.params.recipient = self.soar_action.extract_action_param( + param_name="Recipient", + print_value=True, + is_mandatory=False + ) + self.params.sender_client_ip = self.soar_action.extract_action_param( + param_name="Sender Client IP", + print_value=True, + is_mandatory=False + ) + self.params.from_domain_ends_with = self.soar_action.extract_action_param( + param_name="From Domain Ends With", + print_value=True, + is_mandatory=False + ) + self.params.sender_ip = self.soar_action.extract_action_param( + param_name="Sender IP", + print_value=True, + is_mandatory=False + ) + self.params.email_link = self.soar_action.extract_action_param( + param_name="Email Link", + print_value=True, + is_mandatory=False + ) + self.params.subject = 
self.soar_action.extract_action_param( + param_name="Subject", + print_value=True, + is_mandatory=False + ) + self.params.comment = self.soar_action.extract_action_param( + param_name="Comment", + print_value=True, + is_mandatory=False + ) + self.params.action_needed = self.soar_action.extract_action_param( + param_name="Action Needed", + print_value=True, + is_mandatory=False + ) + self.params.ignoring_spf_check = self.soar_action.extract_action_param( + param_name="Ignoring SPF Check", + print_value=True, + is_mandatory=False, + input_type=bool + ) + self.params.subject_matching = self.soar_action.extract_action_param( + param_name="Subject Matching", + print_value=True, + is_mandatory=False + ) + self.params.email_link_matching = self.soar_action.extract_action_param( + param_name="Email Link Matching", + print_value=True, + is_mandatory=False + ) + self.params.from_name_matching = self.soar_action.extract_action_param( + param_name="From Name Matching", + print_value=True, + is_mandatory=False + ) + self.params.from_domain_matching = self.soar_action.extract_action_param( + param_name="From Domain Matching", + print_value=True, + is_mandatory=False + ) + self.params.from_email_matching = self.soar_action.extract_action_param( + param_name="From Email Matching", + print_value=True, + is_mandatory=False + ) + self.params.recipient_matching = self.soar_action.extract_action_param( + param_name="Recipient Matching", + print_value=True, + is_mandatory=False + ) + + def _perform_action(self, _=None) -> None: + exception_type = self.params.exception_type + entity_id = self.params.entity_id + attachment_md5 = self.params.attachment_md5 + from_email = self.params.from_email + nickname = self.params.nickname + recipient = self.params.recipient + sender_client_ip = self.params.sender_client_ip + from_domain_ends_with = self.params.from_domain_ends_with + sender_ip = self.params.sender_ip + email_link = self.params.email_link + subject = self.params.subject + comment = 
self.params.comment + action_needed = self.params.action_needed + ignoring_spf_check = self.params.ignoring_spf_check + subject_matching = self.params.subject_matching + email_link_matching = self.params.email_link_matching + from_name_matching = self.params.from_name_matching + from_domain_matching = self.params.from_domain_matching + from_email_matching = self.params.from_email_matching + recipient_matching = self.params.recipient_matching + + exception = { + "entityId": entity_id, + "attachmentMd5": attachment_md5, + "senderEmail": from_email, + "senderName": nickname, + "recipient": recipient, + "senderClientIp": sender_client_ip, + "senderDomain": from_domain_ends_with, + "senderIp": sender_ip, + "linkDomains": email_link, + "subject": subject, + "comment": comment, + "actionNeeded": action_needed, + "ignoringSpfCheck": ignoring_spf_check, + "subjectMatching": subject_matching, + "linkDomainMatching": email_link_matching, + "senderNameMatching": from_name_matching, + "senderDomainMatching": from_domain_matching, + "senderEmailMatching": from_email_matching, + "recipientMatching": recipient_matching, + } + self.api_client.create_ap_exception(exception_type, exception) + + +def main() -> None: + CreateAPException().run() + + +if __name__ == "__main__": + main() diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/create_ap_exc.yaml b/content/response_integrations/third_party/community/check_point_hec/actions/create_ap_exc.yaml new file mode 100644 index 000000000..418961939 --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/create_ap_exc.yaml 
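Review bot: The parameter names read in `_extract_action_parameters` do not match the action definition: the code extracts `"Nickname"` and `"Recipient"`, but `create_ap_exc.yaml` declares those parameters as `Sender Name` and `Recipient Email`. Because both are `is_mandatory=False`, the lookups will presumably return the default silently, so `senderName` and `recipient` in the exception body are always `None` — an allow-list (`whitelist`/`spam_whitelist`) exception would then be created without the recipient scope the analyst asked for, i.e. broader than intended. Change the two lookups to `param_name="Sender Name",` and `param_name="Recipient Email",` (or rename the YAML parameters to match the code), and consider dropping `None`-valued keys from `exception` before calling `create_ap_exception`, if the API treats an explicit `null` differently from an absent key. Unlike `CreateAnomalyException`, this action also does not store the API response in `self.json_results`, so the caller gets no record of the created exception's ID.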
@@ -0,0 +1,135 @@ +creator: admin +description: Create an exception for Anti-Phishing or Anti-Spam Security Tool. +dynamic_results_metadata: [] +integration_identifier: CheckPointHEC +name: Create Anti-Phishing Exception +parameters: +- default_value: '' + description: Anti-Phishing or Anti-Spam exception type. + is_mandatory: true + name: Exception Type + type: ddl + optional_values: + - whitelist + - blacklist + - spam_whitelist +- default_value: '' + description: Entity ID. + is_mandatory: false + name: Entity ID + type: string +- default_value: '' + description: File attachment MD5 checksum. + is_mandatory: false + name: Attachment MD5 + type: string +- default_value: '' + description: Sender email. + is_mandatory: false + name: From Email + type: string +- default_value: '' + description: Sender name. + is_mandatory: false + name: Sender Name + type: string +- default_value: '' + description: Email recipient. + is_mandatory: false + name: Recipient Email + type: string +- default_value: '' + description: Sender client IP. + is_mandatory: false + name: Sender Client IP + type: string +- default_value: '' + description: From domain ends with. + is_mandatory: false + name: From Domain Ends With + type: string +- default_value: '' + description: Sender IP. + is_mandatory: false + name: Sender IP + type: string +- default_value: '' + description: Email link or links separated by comma. + is_mandatory: false + name: Email Link + type: string +- default_value: '' + description: Email subject. + is_mandatory: false + name: Subject + type: string +- default_value: '' + description: Exception comment. + is_mandatory: false + name: Comment + type: string +- default_value: '' + description: Action needed. + is_mandatory: false + name: Action Needed + type: string +- default_value: false + description: Ignoring SPF check. + is_mandatory: false + name: Ignoring SPF Check + type: boolean +- default_value: '' + description: Subject field condition. 
+ is_mandatory: false + name: Subject Matching + type: ddl + optional_values: + - matching + - contains + - exact +- default_value: '' + description: Email link field condition. + is_mandatory: false + name: Email Link Matching + type: ddl + optional_values: + - matching + - contains + - exact +- default_value: '' + description: From name field condition. + is_mandatory: false + name: From Name Matching + type: ddl + optional_values: + - matching + - contains + - exact +- default_value: '' + description: From domain field condition. + is_mandatory: false + name: From Domain Matching + type: ddl + optional_values: + - contains + - ends_with + - exact +- default_value: '' + description: From email field condition. + is_mandatory: false + name: From Email Matching + type: ddl + optional_values: + - matching + - contains + - exact +- default_value: '' + description: Recipient field condition. + is_mandatory: false + name: Recipient Matching + type: ddl + optional_values: + - matching + - contains + - exact +script_result_name: is_success diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/create_avdlp_exc.py b/content/response_integrations/third_party/community/check_point_hec/actions/create_avdlp_exc.py new file mode 100644 index 000000000..85ff92de7 --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/create_avdlp_exc.py 
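Review bot: `Ignoring SPF Check` is described only as `Ignoring SPF check.`, which gives a playbook author no hint that enabling it on a `whitelist` exception presumably lets the allow-list match even when the sender fails SPF — i.e. it weakens the anti-spoofing control this exception otherwise inherits. The description should spell that out, e.g. `description: If true, the exception also matches mail that fails SPF verification. Leave false unless the sender is known to fail SPF, as this weakens spoofing protection.` The `Exception Type` description could likewise note that `whitelist`/`spam_whitelist` bypass detection while `blacklist` blocks, so automated playbooks do not pick the wrong direction.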
@@ -0,0 +1,24 @@
+from ..core.create_sectool_exc import CreateSectoolException
+from ..core.constants import AVANAN_DLP_SAAS_NAME, CREATE_AVDLP_EXC_SCRIPT_NAME
+
+SUCCESS_MESSAGE: str = "Successfully created Avanan DLP exception!"
+ERROR_MESSAGE: str = "Failed creating Avanan DLP exception!"
+
+
+class CreateAVDLPException(CreateSectoolException):
+
+    def __init__(self) -> None:
+        super().__init__(
+            name=CREATE_AVDLP_EXC_SCRIPT_NAME,
+            output_message=SUCCESS_MESSAGE,
+            error_output=ERROR_MESSAGE,
+            sectool_name=AVANAN_DLP_SAAS_NAME
+        )
+
+
+def main() -> None:
+    CreateAVDLPException().run()
+
+
+if __name__ == "__main__":
+    main()
diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/create_avdlp_exc.yaml b/content/response_integrations/third_party/community/check_point_hec/actions/create_avdlp_exc.yaml
new file mode 100644
index 000000000..0d7537356
--- /dev/null
+++ b/content/response_integrations/third_party/community/check_point_hec/actions/create_avdlp_exc.yaml
@@ -0,0 +1,61 @@ +creator: admin +description: Create an exception for Avanan DLP Security Tool. +dynamic_results_metadata: [] +integration_identifier: CheckPointHEC +name: Create Avanan DLP Exception +parameters: +- default_value: '' + description: Exception type. + is_mandatory: true + name: Exception Type + type: ddl + optional_values: + - hash + - text_content + - sender_email + - recipient_email +- default_value: '' + description: Exception string. + is_mandatory: true + name: Exception String + type: string +- default_value: '' + description: Entity type. + is_mandatory: false + name: Entity Type + type: string +- default_value: '' + description: Entity id. + is_mandatory: false + name: Entity ID + type: string +- default_value: '' + description: Exception comment. + is_mandatory: false + name: Comment + type: string +- default_value: '' + description: Exception payload condition. + is_mandatory: false + name: Exception Payload Condition + type: ddl + optional_values: + - with_or_without_link + - with_link + - without_link +- default_value: '' + description: File name. + is_mandatory: false + name: File Name + type: string +- default_value: '' + description: Exception creator email. + is_mandatory: false + name: Created By Email + type: string +- default_value: false + description: Exclusive exception. + is_mandatory: false + name: Is Exclusive + type: boolean +script_result_name: is_success diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/create_avurl_exc.py b/content/response_integrations/third_party/community/check_point_hec/actions/create_avurl_exc.py new file mode 100644 index 000000000..755b2e850 --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/create_avurl_exc.py 
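Review bot: `Created By Email` is a free-text string that the integration records as the exception's creator; nothing in this definition ties it to the identity that actually ran the action, so the audit trail for a DLP bypass can be set to any value by the playbook. The description should say so, e.g. `description: Email address recorded as the exception creator. Supplied by the caller and not verified; prefer the identity of the analyst or playbook that ran the action.` `Is Exclusive` (`Exclusive exception.`) and `Entity Type` (`Entity type.`) are likewise uninformative — a reader cannot tell from this file what an exclusive exception changes or which entity type values are valid, so either document the accepted values or turn `Entity Type` into a `ddl` like `Exception Type`.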
@@ -0,0 +1,24 @@ +from ..core.create_sectool_exc import CreateSectoolException +from ..core.constants import AVANAN_URL_SAAS_NAME, CREATE_AVURL_EXC_SCRIPT_NAME + +SUCCESS_MESSAGE: str = "Successfully created Avanan URL exception!" +ERROR_MESSAGE: str = "Failed creating Avanan URL exception!" + + +class CreateAVURLException(CreateSectoolException): + + def __init__(self) -> None: + super().__init__( + name=CREATE_AVURL_EXC_SCRIPT_NAME, + output_message=SUCCESS_MESSAGE, + error_output=ERROR_MESSAGE, + sectool_name=AVANAN_URL_SAAS_NAME + ) + + +def main() -> None: + CreateAVURLException().run() + + +if __name__ == "__main__": + main() diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/create_avurl_exc.yaml b/content/response_integrations/third_party/community/check_point_hec/actions/create_avurl_exc.yaml new file mode 100644 index 000000000..eb1091b15 --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/create_avurl_exc.yaml 
@@ -0,0 +1,61 @@ +creator: admin +description: Create an exception for Avanan URL Security Tool. +dynamic_results_metadata: [] +integration_identifier: CheckPointHEC +name: Create Avanan URL Exception +parameters: +- default_value: '' + description: Exception type. + is_mandatory: true + name: Exception Type + type: ddl + optional_values: + - allow-url + - allow-domain + - block-url + - block-domain +- default_value: '' + description: Exception string. + is_mandatory: true + name: Exception String + type: string +- default_value: '' + description: Entity type. + is_mandatory: false + name: Entity Type + type: string +- default_value: '' + description: Entity id. + is_mandatory: false + name: Entity ID + type: string +- default_value: '' + description: Exception comment. + is_mandatory: false + name: Comment + type: string +- default_value: '' + description: Exception payload condition. + is_mandatory: false + name: Exception Payload Condition + type: ddl + optional_values: + - with_or_without_link + - with_link + - without_link +- default_value: '' + description: File name. + is_mandatory: false + name: File Name + type: string +- default_value: '' + description: Exception creator email. + is_mandatory: false + name: Created By Email + type: string +- default_value: false + description: Exclusive exception. + is_mandatory: false + name: Is Exclusive + type: boolean +script_result_name: is_success diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/create_cp2_exc.py b/content/response_integrations/third_party/community/check_point_hec/actions/create_cp2_exc.py new file mode 100644 index 000000000..1d2ac411f --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/create_cp2_exc.py 
@@ -0,0 +1,35 @@ +from ..core.create_sectool_exc import CreateSectoolException +from ..core.constants import ANTI_MALWARE_SAAS_NAME, CREATE_CP2_EXC_SCRIPT_NAME + +SUCCESS_MESSAGE: str = "Successfully created Anti-Malware exception!" +ERROR_MESSAGE: str = "Failed creating Anti-Malware exception!" + + +class CreateCP2Exception(CreateSectoolException): + + def __init__(self) -> None: + super().__init__( + name=CREATE_CP2_EXC_SCRIPT_NAME, + output_message=SUCCESS_MESSAGE, + error_output=ERROR_MESSAGE, + sectool_name=ANTI_MALWARE_SAAS_NAME + ) + + def _extract_action_parameters(self): + super()._extract_action_parameters() + valid_file_types = ['.aac', '.aif', '.au','.avi','.avif', '.bcpio','.bin','.bmp', + '.cdf','cpio','.csh', '.css','.csv','.doc', '.dvi','.eml', + '.etx', '.gif','.hdf','.heif', '.html','.ico','.ief', '.jpg','.js',] + + if self.params.exception_type == 'allow_file_type': + if self.params.exception_string not in valid_file_types: + raise ValueError(f"Incorrect file type, pick one of {valid_file_types}") + elif not self.params.exception_payload_condition: + self.params.exception_payload_condition = "with_or_without_link" + +def main() -> None: + CreateCP2Exception().run() + + +if __name__ == "__main__": + main() diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/create_cp2_exc.yaml b/content/response_integrations/third_party/community/check_point_hec/actions/create_cp2_exc.yaml new file mode 100644 index 000000000..0bedc1fde --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/create_cp2_exc.yaml 
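Review bot: `'cpio'` in `valid_file_types` is the only entry without a leading dot, so a user entering `.cpio` for `allow_file_type` is rejected while the bare `cpio` is accepted; the surrounding entries suggest `'.cpio'` was intended. The list is also an inline literal inside `_extract_action_parameters`; hoisting it to a module-level `VALID_FILE_TYPES` constant (or next to the other constants in `core.constants`) would make it easier to keep in sync with the `allow_file_type` option in create_cp2_exc.yaml and avoid rebuilding it on every call. This override is also the only one in the set without a `-> None` annotation, and `def main()` is preceded by a single blank line where the sibling files use two.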
@@ -0,0 +1,61 @@ +creator: admin +description: Create an exception for Anti-Malware Security Tool. +dynamic_results_metadata: [] +integration_identifier: CheckPointHEC +name: Create Anti-Malware Exception +parameters: +- default_value: '' + description: Exception type. + is_mandatory: true + name: Exception Type + type: ddl + optional_values: + - hash + - macro_hash + - allow_file_type + - ppat_sender_name +- default_value: '' + description: Exception string. + is_mandatory: true + name: Exception String + type: string +- default_value: '' + description: Entity type. + is_mandatory: false + name: Entity Type + type: string +- default_value: '' + description: Entity id. + is_mandatory: false + name: Entity ID + type: string +- default_value: '' + description: Exception comment. + is_mandatory: false + name: Comment + type: string +- default_value: '' + description: Exception payload condition. + is_mandatory: false + name: Exception Payload Condition + type: ddl + optional_values: + - with_or_without_link + - with_link + - without_link +- default_value: '' + description: File name. + is_mandatory: false + name: File Name + type: string +- default_value: '' + description: Exception creator email. + is_mandatory: false + name: Created By Email + type: string +- default_value: false + description: Exclusive exception. + is_mandatory: false + name: Is Exclusive + type: boolean +script_result_name: is_success diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/create_ctp_list_item.py b/content/response_integrations/third_party/community/check_point_hec/actions/create_ctp_list_item.py new file mode 100644 index 000000000..9f5a994db --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/create_ctp_list_item.py 
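Review bot: The `Exception Type` options here list `allow_file_type`, while the delete counterparts in delete_cp2_exc.yaml and delete_cp2_excs.yaml list `file_type` for the same Anti-Malware tool; unless the HEC API really uses different type names for create and delete, one of the two is a typo and the delete actions will send a type the API does not recognise. Worth confirming against the API and aligning the three files. The `Exception String` description could also say what form the value takes per type (a hash for `hash`/`macro_hash`, a dotted extension such as `.bin` for `allow_file_type`), since the Python action validates only the extension form.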
@@ -0,0 +1,55 @@ +from ..core.base_action import BaseAction +from ..core.constants import CREATE_CTP_LIST_ITEM_SCRIPT_NAME + +SUCCESS_MESSAGE: str = "Successfully created Click Time Protection List Item!" +ERROR_MESSAGE: str = "Failed creating Click Time Protection List Item!" + + +class CreateCTPListItem(BaseAction): + + def __init__(self) -> None: + super().__init__(CREATE_CTP_LIST_ITEM_SCRIPT_NAME) + self.output_message: str = SUCCESS_MESSAGE + self.error_output_message: str = ERROR_MESSAGE + + def _extract_action_parameters(self) -> None: + self.params.list_id = self.soar_action.extract_action_param( + param_name="Exception List Type", + print_value=True, + is_mandatory=True, + default_value=None + ) + self.params.list_item_name = self.soar_action.extract_action_param( + param_name="List Item Name", + print_value=True, + is_mandatory=True, + default_value=None + ) + self.params.created_by = self.soar_action.extract_action_param( + param_name="Created By", + print_value=True, + is_mandatory=True, + default_value=None + ) + + def _perform_action(self, _=None) -> None: + list_id = self.params.list_id + list_name_to_id = {"allow-list": "0", "block-list": "1", "ignore-list": "2"} + + list_item_name = self.params.list_item_name + created_by = self.params.created_by + + list_item = { + "listId": list_name_to_id[list_id], + "listItemName": list_item_name, + "createdBy": created_by + } + self.json_results = self.api_client.create_ctp_list_item(list_item=list_item) + + +def main() -> None: + CreateCTPListItem().run() + + +if __name__ == "__main__": + main() diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/create_ctp_list_item.yaml b/content/response_integrations/third_party/community/check_point_hec/actions/create_ctp_list_item.yaml new file mode 100644 index 000000000..01043af8a --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/create_ctp_list_item.yaml 
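Review bot: `list_name_to_id[list_id]` in `_perform_action` raises a bare `KeyError` when `Exception List Type` holds anything other than the three known keys, which surfaces as a traceback rather than the action's error message; a guarded lookup is clearer: `if list_id not in list_name_to_id: raise ValueError(f"Unknown list type {list_id!r}, expected one of {sorted(list_name_to_id)}")`. The mapping would also sit better as a module-level constant than a local rebuilt per call. Separately, the parameter is named `Exception List Type` but described as `List ID` in create_ctp_list_item.yaml, so one of the two should change.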
@@ -0,0 +1,26 @@ +creator: admin +description: Create a List Item for Click Time Protection. +dynamic_results_metadata: [] +integration_identifier: CheckPointHEC +name: Create CTP List Item +parameters: +- default_value: '' + description: List ID. + is_mandatory: true + name: Exception List Type + type: ddl + optional_values: + - ignore-list + - allow-list + - block-list +- default_value: '' + description: List Item Name. + is_mandatory: true + name: List Item Name + type: string +- default_value: '' + description: Created By. + is_mandatory: true + name: Created By + type: string +script_result_name: is_success diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/delete_anomaly_excs.py b/content/response_integrations/third_party/community/check_point_hec/actions/delete_anomaly_excs.py new file mode 100644 index 000000000..ce284bcc3 --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/delete_anomaly_excs.py @@ -0,0 +1,33 @@ +from ..core.base_action import BaseAction +from ..core.constants import DELETE_ANOMALY_EXCS_SCRIPT_NAME + +SUCCESS_MESSAGE: str = "Successfully deleted Anomaly exceptions!" +ERROR_MESSAGE: str = "Failed deleting Anomaly exceptions!" + + +class DeleteAnomalyExceptions(BaseAction): + + def __init__(self) -> None: + super().__init__(DELETE_ANOMALY_EXCS_SCRIPT_NAME) + self.output_message: str = SUCCESS_MESSAGE + self.error_output_message: str = ERROR_MESSAGE + + def _extract_action_parameters(self) -> None: + self.params.rule_ids = self.soar_action.extract_action_param( + param_name="Rule IDs", + print_value=True, + is_mandatory=True, + default_value=None, + ) + + def _perform_action(self, _=None) -> None: + rule_ids = self.params.rule_ids.split(',') + self.json_results = self.api_client.delete_anomaly_exceptions(rule_ids=rule_ids) + + +def main() -> None: + DeleteAnomalyExceptions().run() + + +if __name__ == "__main__": + main() 
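Review bot: `self.params.rule_ids.split(',')` in `_perform_action` keeps surrounding whitespace and empty entries, so an input like `1, 2,` sends `' 2'` and `''` as rule IDs; delete_ctp_list_items.py has the same `split(",")`. Normalising once avoids this: `rule_ids = [r.strip() for r in self.params.rule_ids.split(',') if r.strip()]`. If the API tolerates spaces the first part is cosmetic, but the empty trailing element is still a stray delete request.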
diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/delete_anomaly_excs.yaml b/content/response_integrations/third_party/community/check_point_hec/actions/delete_anomaly_excs.yaml new file mode 100644 index 000000000..98692e5e1 --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/delete_anomaly_excs.yaml @@ -0,0 +1,12 @@ +creator: admin +description: Delete exceptions for Anomaly Security Tool. +dynamic_results_metadata: [] +integration_identifier: CheckPointHEC +name: Delete Anomaly Exceptions +parameters: +- default_value: '' + description: Exceptions to delete, separated by comma. + is_mandatory: true + name: Rule IDs + type: string +script_result_name: is_success diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/delete_ap_exc.py b/content/response_integrations/third_party/community/check_point_hec/actions/delete_ap_exc.py new file mode 100644 index 000000000..25a348207 --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/delete_ap_exc.py 
@@ -0,0 +1,40 @@ +from ..core.base_action import BaseAction +from ..core.constants import DELETE_AP_EXC_SCRIPT_NAME + +SUCCESS_MESSAGE: str = "Successfully deleted Anti-Phishing exception!" +ERROR_MESSAGE: str = "Failed deleting Anti-Phishing exception!" + + +class DeleteAPException(BaseAction): + + def __init__(self) -> None: + super().__init__(DELETE_AP_EXC_SCRIPT_NAME) + self.output_message: str = SUCCESS_MESSAGE + self.error_output_message: str = ERROR_MESSAGE + + def _extract_action_parameters(self) -> None: + self.params.exception_type = self.soar_action.extract_action_param( + param_name="Exception Type", + print_value=True, + is_mandatory=True, + default_value=None, + ) + self.params.exc_id = self.soar_action.extract_action_param( + param_name="Exc ID", + print_value=True, + is_mandatory=True, + default_value=None, + ) + + def _perform_action(self, _=None) -> None: + exception_type = self.params.exception_type + exc_id = self.params.exc_id + self.json_results = self.api_client.delete_ap_exception(exception_type=exception_type, exc_id=exc_id) + + +def main() -> None: + DeleteAPException().run() + + +if __name__ == "__main__": + main() diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/delete_ap_exc.yaml b/content/response_integrations/third_party/community/check_point_hec/actions/delete_ap_exc.yaml new file mode 100644 index 000000000..f69193b7a --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/delete_ap_exc.yaml 
@@ -0,0 +1,21 @@ +creator: admin +description: Delete an exception for Anti-Phishing or Anti-Spam Security Tool. +dynamic_results_metadata: [] +integration_identifier: CheckPointHEC +name: Delete Anti-Phishing Exception +parameters: +- default_value: '' + description: Anti-Phishing or Anti-Spam exception type. + is_mandatory: true + name: Exception Type + type: ddl + optional_values: + - whitelist + - blacklist + - spam_whitelist +- default_value: '' + description: Exception ID. + is_mandatory: true + name: Exc ID + type: string +script_result_name: is_success diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/delete_avdlp_exc.py b/content/response_integrations/third_party/community/check_point_hec/actions/delete_avdlp_exc.py new file mode 100644 index 000000000..d05a31374 --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/delete_avdlp_exc.py @@ -0,0 +1,24 @@ +from ..core.delete_sectool_exc import DeleteSectoolException +from ..core.constants import AVANAN_DLP_SAAS_NAME, DELETE_AVDLP_EXC_SCRIPT_NAME + +SUCCESS_MESSAGE: str = "Successfully deleted Avanan DLP exception!" +ERROR_MESSAGE: str = "Failed deleting Avanan DLP exception!" + + +class DeleteAVDLPException(DeleteSectoolException): + + def __init__(self) -> None: + super().__init__( + name=DELETE_AVDLP_EXC_SCRIPT_NAME, + output_message=SUCCESS_MESSAGE, + error_output=ERROR_MESSAGE, + sectool_name=AVANAN_DLP_SAAS_NAME + ) + + +def main() -> None: + DeleteAVDLPException().run() + + +if __name__ == "__main__": + main() diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/delete_avdlp_exc.yaml b/content/response_integrations/third_party/community/check_point_hec/actions/delete_avdlp_exc.yaml new file mode 100644 index 000000000..0e589e04b --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/delete_avdlp_exc.yaml 
@@ -0,0 +1,32 @@ +creator: admin +description: Delete an exception for Avanan DLP Security Tool. +dynamic_results_metadata: [] +integration_identifier: CheckPointHEC +name: Delete Avanan DLP Exception +parameters: +- default_value: '' + description: Exception type. + is_mandatory: true + name: Exception Type + type: ddl + optional_values: + - hash + - text_content + - sender_email + - recipient_email +- default_value: '' + description: Exception string. + is_mandatory: true + name: Exception String + type: string +- default_value: '' + description: Entity type. + is_mandatory: false + name: Entity Type + type: string +- default_value: '' + description: Entity id. + is_mandatory: false + name: Entity ID + type: string +script_result_name: is_success diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/delete_avdlp_excs.py b/content/response_integrations/third_party/community/check_point_hec/actions/delete_avdlp_excs.py new file mode 100644 index 000000000..5262b4a25 --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/delete_avdlp_excs.py @@ -0,0 +1,24 @@ +from ..core.delete_sectool_excs import DeleteSectoolExceptions +from ..core.constants import AVANAN_DLP_SAAS_NAME, DELETE_AVDLP_EXCS_SCRIPT_NAME + +SUCCESS_MESSAGE: str = "Successfully deleted Avanan DLP exception!" +ERROR_MESSAGE: str = "Failed deleting Avanan DLP exception!" + + +class DeleteAVDLPExceptions(DeleteSectoolExceptions): + + def __init__(self) -> None: + super().__init__( + name=DELETE_AVDLP_EXCS_SCRIPT_NAME, + output_message=SUCCESS_MESSAGE, + error_output=ERROR_MESSAGE, + sectool_name=AVANAN_DLP_SAAS_NAME + ) + + +def main() -> None: + DeleteAVDLPExceptions().run() + + +if __name__ == "__main__": + main() 
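Review bot: `SUCCESS_MESSAGE` and `ERROR_MESSAGE` say `exception!` (singular) although this action deletes a list of exceptions, and delete_avurl_excs.py carries the same copy; delete_cp2_excs.py already uses the plural form. Aligning them — `"Successfully deleted Avanan DLP exceptions!"` / `"Failed deleting Avanan DLP exceptions!"` — keeps the output of the bulk and single-item actions distinguishable in playbook results.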
diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/delete_avdlp_excs.yaml b/content/response_integrations/third_party/community/check_point_hec/actions/delete_avdlp_excs.yaml new file mode 100644 index 000000000..99bca213f --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/delete_avdlp_excs.yaml @@ -0,0 +1,32 @@ +creator: admin +description: Delete exceptions for Avanan DLP Security Tool. +dynamic_results_metadata: [] +integration_identifier: CheckPointHEC +name: Delete Avanan DLP Exceptions +parameters: +- default_value: '' + description: Exception type. + is_mandatory: true + name: Exception Type + type: ddl + optional_values: + - hash + - text_content + - sender_email + - recipient_email +- default_value: '' + description: Exception string list, separated by comma. + is_mandatory: true + name: Exception String List + type: string +- default_value: '' + description: Entity type. + is_mandatory: false + name: Entity Type + type: string +- default_value: '' + description: Entity id. + is_mandatory: false + name: Entity ID + type: string +script_result_name: is_success diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/delete_avurl_exc.py b/content/response_integrations/third_party/community/check_point_hec/actions/delete_avurl_exc.py new file mode 100644 index 000000000..4b3b79e0b --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/delete_avurl_exc.py 
@@ -0,0 +1,24 @@ +from ..core.delete_sectool_exc import DeleteSectoolException +from ..core.constants import AVANAN_URL_SAAS_NAME, DELETE_AVURL_EXC_SCRIPT_NAME + +SUCCESS_MESSAGE: str = "Successfully deleted Avanan URL exception!" +ERROR_MESSAGE: str = "Failed deleting Avanan URL exception!" + + +class DeleteAVURLException(DeleteSectoolException): + + def __init__(self) -> None: + super().__init__( + name=DELETE_AVURL_EXC_SCRIPT_NAME, + output_message=SUCCESS_MESSAGE, + error_output=ERROR_MESSAGE, + sectool_name=AVANAN_URL_SAAS_NAME + ) + + +def main() -> None: + DeleteAVURLException().run() + + +if __name__ == "__main__": + main() diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/delete_avurl_exc.yaml b/content/response_integrations/third_party/community/check_point_hec/actions/delete_avurl_exc.yaml new file mode 100644 index 000000000..2dd373f6b --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/delete_avurl_exc.yaml @@ -0,0 +1,32 @@ +creator: admin +description: Delete an exception for Avanan URL Security Tool. +dynamic_results_metadata: [] +integration_identifier: CheckPointHEC +name: Delete Avanan URL Exception +parameters: +- default_value: '' + description: Exception type. + is_mandatory: true + name: Exception Type + type: ddl + optional_values: + - allow-url + - allow-domain + - block-url + - block-domain +- default_value: '' + description: Exception string. + is_mandatory: true + name: Exception String + type: string +- default_value: '' + description: Entity type. + is_mandatory: false + name: Entity Type + type: string +- default_value: '' + description: Entity id. + is_mandatory: false + name: Entity ID + type: string +script_result_name: is_success 
diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/delete_avurl_excs.py b/content/response_integrations/third_party/community/check_point_hec/actions/delete_avurl_excs.py new file mode 100644 index 000000000..0454d0e65 --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/delete_avurl_excs.py @@ -0,0 +1,24 @@ +from ..core.delete_sectool_excs import DeleteSectoolExceptions +from ..core.constants import AVANAN_URL_SAAS_NAME, DELETE_AVURL_EXCS_SCRIPT_NAME + +SUCCESS_MESSAGE: str = "Successfully deleted Avanan URL exception!" +ERROR_MESSAGE: str = "Failed deleting Avanan URL exception!" + + +class DeleteAVURLExceptions(DeleteSectoolExceptions): + + def __init__(self) -> None: + super().__init__( + name=DELETE_AVURL_EXCS_SCRIPT_NAME, + output_message=SUCCESS_MESSAGE, + error_output=ERROR_MESSAGE, + sectool_name=AVANAN_URL_SAAS_NAME + ) + + +def main() -> None: + DeleteAVURLExceptions().run() + + +if __name__ == "__main__": + main() diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/delete_avurl_excs.yaml b/content/response_integrations/third_party/community/check_point_hec/actions/delete_avurl_excs.yaml new file mode 100644 index 000000000..81867c2c0 --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/delete_avurl_excs.yaml 
@@ -0,0 +1,32 @@ +creator: admin +description: Delete exceptions for Avanan URL Security Tool. +dynamic_results_metadata: [] +integration_identifier: CheckPointHEC +name: Delete Avanan URL Exceptions +parameters: +- default_value: '' + description: Exception type. + is_mandatory: true + name: Exception Type + type: ddl + optional_values: + - allow-url + - allow-domain + - block-url + - block-domain +- default_value: '' + description: Exception string list, separated by comma. + is_mandatory: true + name: Exception String List + type: string +- default_value: '' + description: Entity type. + is_mandatory: false + name: Entity Type + type: string +- default_value: '' + description: Entity id. + is_mandatory: false + name: Entity ID + type: string +script_result_name: is_success diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/delete_cp2_exc.py b/content/response_integrations/third_party/community/check_point_hec/actions/delete_cp2_exc.py new file mode 100644 index 000000000..06df50bbd --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/delete_cp2_exc.py @@ -0,0 +1,24 @@ +from ..core.delete_sectool_exc import DeleteSectoolException +from ..core.constants import ANTI_MALWARE_SAAS_NAME, DELETE_CP2_EXC_SCRIPT_NAME + +SUCCESS_MESSAGE: str = "Successfully deleted Anti-Malware exception!" +ERROR_MESSAGE: str = "Failed deleting Anti-Malware exception!" + + +class DeleteCP2Exception(DeleteSectoolException): + + def __init__(self) -> None: + super().__init__( + name=DELETE_CP2_EXC_SCRIPT_NAME, + output_message=SUCCESS_MESSAGE, + error_output=ERROR_MESSAGE, + sectool_name=ANTI_MALWARE_SAAS_NAME + ) + + +def main() -> None: + DeleteCP2Exception().run() + + +if __name__ == "__main__": + main() 
diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/delete_cp2_exc.yaml b/content/response_integrations/third_party/community/check_point_hec/actions/delete_cp2_exc.yaml new file mode 100644 index 000000000..4c0b84641 --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/delete_cp2_exc.yaml @@ -0,0 +1,32 @@ +creator: admin +description: Delete an exception for Anti-Malware Security Tool. +dynamic_results_metadata: [] +integration_identifier: CheckPointHEC +name: Delete Anti-Malware Exception +parameters: +- default_value: '' + description: Exception type. + is_mandatory: true + name: Exception Type + type: ddl + optional_values: + - hash + - macro_hash + - file_type + - ppat_sender_name +- default_value: '' + description: Exception string. + is_mandatory: true + name: Exception String + type: string +- default_value: '' + description: Entity type. + is_mandatory: false + name: Entity Type + type: string +- default_value: '' + description: Entity id. + is_mandatory: false + name: Entity ID + type: string +script_result_name: is_success diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/delete_cp2_excs.py b/content/response_integrations/third_party/community/check_point_hec/actions/delete_cp2_excs.py new file mode 100644 index 000000000..bcd3df549 --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/delete_cp2_excs.py 
@@ -0,0 +1,24 @@ +from ..core.delete_sectool_excs import DeleteSectoolExceptions +from ..core.constants import ANTI_MALWARE_SAAS_NAME, DELETE_CP2_EXCS_SCRIPT_NAME + +SUCCESS_MESSAGE: str = "Successfully deleted Anti-Malware exceptions!" +ERROR_MESSAGE: str = "Failed deleting Anti-Malware exceptions!" + + +class DeleteCP2Exceptions(DeleteSectoolExceptions): + + def __init__(self) -> None: + super().__init__( + name=DELETE_CP2_EXCS_SCRIPT_NAME, + output_message=SUCCESS_MESSAGE, + error_output=ERROR_MESSAGE, + sectool_name=ANTI_MALWARE_SAAS_NAME + ) + + +def main() -> None: + DeleteCP2Exceptions().run() + + +if __name__ == "__main__": + main() diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/delete_cp2_excs.yaml b/content/response_integrations/third_party/community/check_point_hec/actions/delete_cp2_excs.yaml new file mode 100644 index 000000000..4703befb3 --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/delete_cp2_excs.yaml @@ -0,0 +1,32 @@ +creator: admin +description: Delete exceptions for Anti-Malware Security Tool. +dynamic_results_metadata: [] +integration_identifier: CheckPointHEC +name: Delete Anti-Malware Exceptions +parameters: +- default_value: '' + description: Exception type. + is_mandatory: true + name: Exception Type + type: ddl + optional_values: + - hash + - macro_hash + - file_type + - ppat_sender_name +- default_value: '' + description: Exception string list, separated by comma. + is_mandatory: true + name: Exception String List + type: string +- default_value: '' + description: Entity type. + is_mandatory: false + name: Entity Type + type: string +- default_value: '' + description: Entity id. + is_mandatory: false + name: Entity ID + type: string +script_result_name: is_success 
diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/delete_ctp_list_item.py b/content/response_integrations/third_party/community/check_point_hec/actions/delete_ctp_list_item.py new file mode 100644 index 000000000..b520733d5 --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/delete_ctp_list_item.py @@ -0,0 +1,34 @@ +from ..core.base_action import BaseAction +from ..core.constants import DELETE_CTP_LIST_ITEM_SCRIPT_NAME + +SUCCESS_MESSAGE: str = "Successfully deleted Click Time Protection List Item!" +ERROR_MESSAGE: str = "Failed deleting Click Time Protection List Item!" + + +class DeleteCTPListItem(BaseAction): + + def __init__(self) -> None: + super().__init__(DELETE_CTP_LIST_ITEM_SCRIPT_NAME) + self.output_message: str = SUCCESS_MESSAGE + self.error_output_message: str = ERROR_MESSAGE + + def _extract_action_parameters(self) -> None: + self.params.item_id = self.soar_action.extract_action_param( + param_name="Item ID", + print_value=True, + is_mandatory=True, + default_value=None + ) + + def _perform_action(self, _=None) -> None: + item_id = self.params.item_id + + self.api_client.delete_ctp_list_item(item_id) + + +def main() -> None: + DeleteCTPListItem().run() + + +if __name__ == "__main__": + main() diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/delete_ctp_list_item.yaml b/content/response_integrations/third_party/community/check_point_hec/actions/delete_ctp_list_item.yaml new file mode 100644 index 000000000..5dcafd830 --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/delete_ctp_list_item.yaml 
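Review bot: `_perform_action` discards the return value of `self.api_client.delete_ctp_list_item(item_id)`, whereas every other action in this set assigns it to `self.json_results`; if the base class publishes `json_results` as the action result, this action will report success with nothing attached. Either `self.json_results = self.api_client.delete_ctp_list_item(item_id=item_id)` to match delete_ctp_list_items.py, or a one-line comment stating that the response is intentionally dropped. The keyword-argument form used by the sibling actions would also read more consistently than the positional call.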
@@ -0,0 +1,12 @@ +creator: admin +description: Delete a List Item for Click Time Protection. +dynamic_results_metadata: [] +integration_identifier: CheckPointHEC +name: Delete CTP List Item +parameters: +- default_value: '' + description: Item ID. + is_mandatory: true + name: Item ID + type: string +script_result_name: is_success diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/delete_ctp_list_items.py b/content/response_integrations/third_party/community/check_point_hec/actions/delete_ctp_list_items.py new file mode 100644 index 000000000..b65ae69b1 --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/delete_ctp_list_items.py @@ -0,0 +1,34 @@ +from ..core.base_action import BaseAction +from ..core.constants import DELETE_CTP_LIST_ITEMS_SCRIPT_NAME + +SUCCESS_MESSAGE: str = "Successfully deleted Click Time Protection List Items!" +ERROR_MESSAGE: str = "Failed deleting Click Time Protection List Items!" + + +class DeleteCTPListItems(BaseAction): + + def __init__(self) -> None: + super().__init__(DELETE_CTP_LIST_ITEMS_SCRIPT_NAME) + self.output_message: str = SUCCESS_MESSAGE + self.error_output_message: str = ERROR_MESSAGE + + def _extract_action_parameters(self) -> None: + self.params.list_item_ids = self.soar_action.extract_action_param( + param_name="List Item IDs", + print_value=True, + is_mandatory=True, + default_value=None + ) + + def _perform_action(self, _=None) -> None: + list_item_ids = self.params.list_item_ids.split(",") + + self.json_results = self.api_client.delete_ctp_list_items(list_item_ids) + + +def main() -> None: + DeleteCTPListItems().run() + + +if __name__ == "__main__": + main() diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/delete_ctp_list_items.yaml b/content/response_integrations/third_party/community/check_point_hec/actions/delete_ctp_list_items.yaml new file mode 100644 index 000000000..12431ed11 --- /dev/null 
+++ b/content/response_integrations/third_party/community/check_point_hec/actions/delete_ctp_list_items.yaml @@ -0,0 +1,12 @@ +creator: admin +description: Delete List Items for Click Time Protection. +dynamic_results_metadata: [] +integration_identifier: CheckPointHEC +name: Delete CTP List Items +parameters: +- default_value: '' + description: Item IDs separated by comma. + is_mandatory: true + name: List Item IDs + type: string +script_result_name: is_success diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/delete_ctp_lists.py b/content/response_integrations/third_party/community/check_point_hec/actions/delete_ctp_lists.py new file mode 100644 index 000000000..4a599f65d --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/delete_ctp_lists.py @@ -0,0 +1,24 @@ +from ..core.base_action import BaseAction +from ..core.constants import DELETE_CTP_LISTS_SCRIPT_NAME + +SUCCESS_MESSAGE: str = "Successfully deleted Click Time Protection Lists!" +ERROR_MESSAGE: str = "Failed deleting Click Time Protection Lists!" + + +class DeleteCTPLists(BaseAction): + + def __init__(self) -> None: + super().__init__(DELETE_CTP_LISTS_SCRIPT_NAME) + self.output_message: str = SUCCESS_MESSAGE + self.error_output_message: str = ERROR_MESSAGE + + def _perform_action(self, _=None) -> None: + self.json_results = self.api_client.delete_ctp_lists() + + +def main() -> None: + DeleteCTPLists().run() + + +if __name__ == "__main__": + main() diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/delete_ctp_lists.yaml b/content/response_integrations/third_party/community/check_point_hec/actions/delete_ctp_lists.yaml new file mode 100644 index 000000000..3df81094a --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/delete_ctp_lists.yaml 
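Review bot: `DeleteCTPLists._perform_action` issues an unconditional `delete_ctp_lists()` with no parameters, and neither the class nor delete_ctp_lists.yaml says that this removes every Click Time Protection list at once. As the one bulk-destructive action in this set it deserves a class docstring such as `"""Delete all Click Time Protection lists; no per-list filter is applied."""` and an equally explicit `description` in the YAML, so that playbook authors do not confuse it with the per-item delete.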
@@ -0,0 +1,7 @@ +creator: admin +description: Delete Lists for Click Time Protection. +dynamic_results_metadata: [] +integration_identifier: CheckPointHEC +name: Delete CTP Lists +parameters: [] +script_result_name: is_success diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/download_email.py b/content/response_integrations/third_party/community/check_point_hec/actions/download_email.py new file mode 100644 index 000000000..2fc395e28 --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/download_email.py @@ -0,0 +1,39 @@ +from ..core.base_action import BaseAction +from ..core.constants import DOWNLOAD_EMAIL_SCRIPT_NAME + +SUCCESS_MESSAGE: str = "Successfully downloaded email file!" +ERROR_MESSAGE: str = "Failed downloading email file!" + + +class DownloadEmail(BaseAction): + + def __init__(self) -> None: + super().__init__(DOWNLOAD_EMAIL_SCRIPT_NAME) + self.output_message: str = SUCCESS_MESSAGE + self.error_output_message: str = ERROR_MESSAGE + + def _extract_action_parameters(self) -> None: + self.params.entity_id = self.soar_action.extract_action_param( + param_name="Entity ID", + print_value=True, + is_mandatory=True + ) + self.params.original = self.soar_action.extract_action_param( + param_name="Original", + print_value=True, + is_mandatory=False, + input_type=bool + ) + + def _perform_action(self, _=None) -> None: + entity_id = self.params.entity_id + original = self.params.original + self.json_results = self.api_client.download_email(entity_id=entity_id, original=original) + + +def main() -> None: + DownloadEmail().run() + + +if __name__ == "__main__": + main() diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/download_email.yaml b/content/response_integrations/third_party/community/check_point_hec/actions/download_email.yaml new file mode 100644 index 000000000..8aeab4b92 --- /dev/null 
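Review bot: In `_extract_action_parameters` of DownloadEmail, `Original` is optional and extracted with `input_type=bool` but no `default_value`, so when the parameter is left out `original` may reach `download_email` as `None` rather than `False`; whether `extract_action_param` substitutes a bool default is not visible here. The YAML for this action (next hunk) declares `default_value: false`; adding `default_value=False,` to the extraction call keeps the two in sync regardless of the helper's behaviour.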
+++ b/content/response_integrations/third_party/community/check_point_hec/actions/download_email.yaml @@ -0,0 +1,17 @@ +creator: admin +description: Download email file. +dynamic_results_metadata: [] +integration_identifier: CheckPointHEC +name: Download Email +parameters: +- default_value: '' + description: Email entity id. + is_mandatory: true + name: Entity ID + type: string +- default_value: false + description: Whether to download original email or with modifications. + is_mandatory: false + name: Original + type: boolean +script_result_name: is_success diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/get_action_result.py b/content/response_integrations/third_party/community/check_point_hec/actions/get_action_result.py new file mode 100644 index 000000000..af0b15110 --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/get_action_result.py @@ -0,0 +1,32 @@ +from ..core.base_action import BaseAction +from ..core.constants import GET_ACTION_RESULT_SCRIPT_NAME + +SUCCESS_MESSAGE: str = "Successfully got action result!" +ERROR_MESSAGE: str = "Failed getting action result!" + + +class GetActionResult(BaseAction): + + def __init__(self) -> None: + super().__init__(GET_ACTION_RESULT_SCRIPT_NAME) + self.output_message: str = SUCCESS_MESSAGE + self.error_output_message: str = ERROR_MESSAGE + + def _extract_action_parameters(self) -> None: + self.params.task_id = self.soar_action.extract_action_param( + param_name="Task ID", + print_value=True, + is_mandatory=True + ) + + def _perform_action(self, _=None) -> None: + task_id = self.params.task_id + self.json_results = self.api_client.get_task(task_id=task_id) + + +def main() -> None: + GetActionResult().run() + + +if __name__ == "__main__": + main() 
diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/get_action_result.yaml b/content/response_integrations/third_party/community/check_point_hec/actions/get_action_result.yaml new file mode 100644 index 000000000..13d440175 --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/get_action_result.yaml @@ -0,0 +1,12 @@ +creator: admin +description: Get task info related to a sent action. +dynamic_results_metadata: [] +integration_identifier: CheckPointHEC +name: Get Action Result +parameters: +- default_value: '' + description: Task id from action response. + is_mandatory: true + name: Task ID + type: string +script_result_name: is_success diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/get_anomaly_excs.py b/content/response_integrations/third_party/community/check_point_hec/actions/get_anomaly_excs.py new file mode 100644 index 000000000..e674c61b8 --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/get_anomaly_excs.py @@ -0,0 +1,24 @@ +from ..core.base_action import BaseAction +from ..core.constants import GET_ANOMALY_EXCS_SCRIPT_NAME + +SUCCESS_MESSAGE: str = "Successfully got Anomaly exceptions!" +ERROR_MESSAGE: str = "Failed getting Anomaly exceptions!" + + +class GetAnomalyExceptions(BaseAction): + + def __init__(self) -> None: + super().__init__(GET_ANOMALY_EXCS_SCRIPT_NAME) + self.output_message: str = SUCCESS_MESSAGE + self.error_output_message: str = ERROR_MESSAGE + + def _perform_action(self, _=None) -> None: + self.json_results = self.api_client.get_anomaly_exceptions() + + +def main() -> None: + GetAnomalyExceptions().run() + + +if __name__ == "__main__": + main() 
diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/get_anomaly_excs.yaml b/content/response_integrations/third_party/community/check_point_hec/actions/get_anomaly_excs.yaml new file mode 100644 index 000000000..35cbccb32 --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/get_anomaly_excs.yaml @@ -0,0 +1,7 @@ +creator: admin +description: Get exceptions for Anomaly Security Tool. +dynamic_results_metadata: [] +integration_identifier: CheckPointHEC +name: Get Anomaly Exceptions +parameters: [] +script_result_name: is_success diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/get_ap_excs.py b/content/response_integrations/third_party/community/check_point_hec/actions/get_ap_excs.py new file mode 100644 index 000000000..38c55a365 --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/get_ap_excs.py 
@@ -0,0 +1,41 @@ +from ..core.base_action import BaseAction +from ..core.constants import GET_AP_EXCS_SCRIPT_NAME + +SUCCESS_MESSAGE: str = "Successfully got Anti-Phishing exceptions!" +ERROR_MESSAGE: str = "Failed getting Anti-Phishing exceptions!" + + +class GetAPExceptions(BaseAction): + + def __init__(self) -> None: + super().__init__(GET_AP_EXCS_SCRIPT_NAME) + self.output_message: str = SUCCESS_MESSAGE + self.error_output_message: str = ERROR_MESSAGE + + def _extract_action_parameters(self) -> None: + self.params.exception_type = self.soar_action.extract_action_param( + param_name="Exception Type", + print_value=True, + is_mandatory=True, + default_value=None, + ) + self.params.exc_id = self.soar_action.extract_action_param( + param_name="Exc ID", + print_value=True, + is_mandatory=False + ) + + def _perform_action(self, _=None) -> None: + exception_type = self.params.exception_type + if exc_id := self.params.exc_id: + self.json_results = self.api_client.get_ap_exception(exception_type, exc_id) + else: + self.json_results = self.api_client.get_ap_exceptions(exception_type) + + +def main() -> None: + GetAPExceptions().run() + + +if __name__ == "__main__": + main() diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/get_ap_excs.yaml b/content/response_integrations/third_party/community/check_point_hec/actions/get_ap_excs.yaml new file mode 100644 index 000000000..848745071 --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/get_ap_excs.yaml 
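Review bot: The optional parameter is named `Exc ID` here and in the matching YAML (next hunk), while every other action in this chunk spells the noun out (`Exception Type`, `Exception String`), so a playbook author searching for "Exception ID" will not find it; `param_name="Exception ID"` in `_extract_action_parameters` and `name: Exception ID` in the YAML would keep naming consistent. The branch on `exc_id` is otherwise clear, but a class docstring such as `"""Get Anti-Phishing/Anti-Spam exceptions: all of a type, or a single one when an ID is given."""` would make the dual behaviour explicit.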
@@ -0,0 +1,21 @@ +creator: admin +description: Get one or more exceptions for Anti-Phishing or Anti-Spam Security Tool. +dynamic_results_metadata: [] +integration_identifier: CheckPointHEC +name: Get Anti-Phishing Exceptions +parameters: +- default_value: '' + description: Anti-Phishing or Anti-Spam exception type. + is_mandatory: true + name: Exception Type + type: ddl + optional_values: + - whitelist + - blacklist + - spam_whitelist +- default_value: '' + description: Exception ID. + is_mandatory: false + name: Exc ID + type: string +script_result_name: is_success diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/get_avdlp_exc.py b/content/response_integrations/third_party/community/check_point_hec/actions/get_avdlp_exc.py new file mode 100644 index 000000000..aef0fa536 --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/get_avdlp_exc.py @@ -0,0 +1,24 @@ +from ..core.get_sectool_exc import GetSectoolException +from ..core.constants import AVANAN_DLP_SAAS_NAME, GET_AVDLP_EXC_SCRIPT_NAME + +SUCCESS_MESSAGE: str = "Successfully deleted Avanan DLP exception!" +ERROR_MESSAGE: str = "Failed deleting Avanan DLP exception!" + + +class GetAVDLPException(GetSectoolException): + + def __init__(self) -> None: + super().__init__( + name=GET_AVDLP_EXC_SCRIPT_NAME, + output_message=SUCCESS_MESSAGE, + error_output=ERROR_MESSAGE, + sectool_name=AVANAN_DLP_SAAS_NAME + ) + + +def main() -> None: + GetAVDLPException().run() + + +if __name__ == "__main__": + main() diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/get_avdlp_exc.yaml b/content/response_integrations/third_party/community/check_point_hec/actions/get_avdlp_exc.yaml new file mode 100644 index 000000000..a215ee3e7 --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/get_avdlp_exc.yaml 
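Review bot: `SUCCESS_MESSAGE` and `ERROR_MESSAGE` in get_avdlp_exc.py read `"Successfully deleted Avanan DLP exception!"` and `"Failed deleting Avanan DLP exception!"`, but the class is GetAVDLPException and passes GET_AVDLP_EXC_SCRIPT_NAME, so the action reports a deletion that never happened; the sibling get_avurl_exc.py and get_cp2_exc.py hunks use "got"/"getting". Change them to `SUCCESS_MESSAGE: str = "Successfully got Avanan DLP exception!"` and `ERROR_MESSAGE: str = "Failed getting Avanan DLP exception!"`. A wrong success message on a response action also ends up in case notes and audit trails, so it is worth fixing before merge.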
@@ -0,0 +1,22 @@ +creator: admin +description: Get an exception for Avanan DLP Security Tool. +dynamic_results_metadata: [] +integration_identifier: CheckPointHEC +name: Get Avanan DLP Exception +parameters: +- default_value: '' + description: Exception type. + is_mandatory: true + name: Exception Type + type: ddl + optional_values: + - hash + - text_content + - sender_email + - recipient_email +- default_value: '' + description: Exception string. + is_mandatory: true + name: Exception String + type: string +script_result_name: is_success diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/get_avdlp_excs.py b/content/response_integrations/third_party/community/check_point_hec/actions/get_avdlp_excs.py new file mode 100644 index 000000000..a0168ec27 --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/get_avdlp_excs.py @@ -0,0 +1,24 @@ +from ..core.get_sectool_excs import GetSectoolExceptions +from ..core.constants import AVANAN_DLP_SAAS_NAME, GET_AVDLP_EXCS_SCRIPT_NAME + +SUCCESS_MESSAGE: str = "Successfully got Avanan DLP exceptions!" +ERROR_MESSAGE: str = "Failed getting Avanan DLP exceptions!" + + +class GetAVDLPExceptions(GetSectoolExceptions): + + def __init__(self) -> None: + super().__init__( + name=GET_AVDLP_EXCS_SCRIPT_NAME, + output_message=SUCCESS_MESSAGE, + error_output=ERROR_MESSAGE, + sectool_name=AVANAN_DLP_SAAS_NAME + ) + + +def main() -> None: + GetAVDLPExceptions().run() + + +if __name__ == "__main__": + main() diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/get_avdlp_excs.yaml b/content/response_integrations/third_party/community/check_point_hec/actions/get_avdlp_excs.yaml new file mode 100644 index 000000000..2b824614d --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/get_avdlp_excs.yaml 
@@ -0,0 +1,57 @@ +creator: admin +description: Get exceptions for Avanan DLP Security Tool. +dynamic_results_metadata: [] +integration_identifier: CheckPointHEC +name: Get Avanan DLP Exceptions +parameters: +- default_value: '' + description: Exception type. + is_mandatory: true + name: Exception Type + type: ddl + optional_values: + - hash + - text_content + - sender_email + - recipient_email +- default_value: '' + description: Search string. + is_mandatory: false + name: Filter String + type: string +- default_value: '' + description: Search index. + is_mandatory: false + name: Filter Index + type: ddl + optional_values: + - insert_time + - entity_type_id + - exception_str + - file_name + - created_by_email + - comment +- default_value: '' + description: Sort direction. + is_mandatory: false + name: Sort Direction + type: ddl + optional_values: + - asc + - desc +- default_value: '' + description: Last evaluated key. + is_mandatory: false + name: Last Evaluated Key + type: string +- default_value: false + description: Insert time field condition. + is_mandatory: false + name: Insert Time GTE + type: boolean +- default_value: '0' + description: Number of exceptions to retrieve. + is_mandatory: false + name: Limit + type: string +script_result_name: is_success diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/get_avurl_exc.py b/content/response_integrations/third_party/community/check_point_hec/actions/get_avurl_exc.py new file mode 100644 index 000000000..cd96365d7 --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/get_avurl_exc.py 
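Review bot: `Limit` is declared `type: string` with `default_value: '0'` and `Insert Time GTE` is described only as `Insert time field condition`, so a playbook author cannot tell from the manifest what a limit of 0 does or which comparison the boolean switches on; the same three parameters appear verbatim in get_avurl_excs.yaml and get_cp2_excs.yaml. State the semantics where they are known, for example `description: Maximum number of exceptions to return; 0 applies the API default.` if that is what the client does, and consider a numeric parameter type if the manifest schema offers one (get_events.py extracts its own Limit with `input_type=int`). The Python side that consumes these values (GetSectoolExceptions in core) is outside this chunk, so I cannot confirm the mapping.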
@@ -0,0 +1,24 @@ +from ..core.get_sectool_exc import GetSectoolException +from ..core.constants import AVANAN_URL_SAAS_NAME, GET_AVURL_EXC_SCRIPT_NAME + +SUCCESS_MESSAGE: str = "Successfully got Avanan URL exception!" +ERROR_MESSAGE: str = "Failed getting Avanan URL exception!" + + +class GetAVURLException(GetSectoolException): + + def __init__(self) -> None: + super().__init__( + name=GET_AVURL_EXC_SCRIPT_NAME, + output_message=SUCCESS_MESSAGE, + error_output=ERROR_MESSAGE, + sectool_name=AVANAN_URL_SAAS_NAME + ) + + +def main() -> None: + GetAVURLException().run() + + +if __name__ == "__main__": + main() diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/get_avurl_exc.yaml b/content/response_integrations/third_party/community/check_point_hec/actions/get_avurl_exc.yaml new file mode 100644 index 000000000..431715794 --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/get_avurl_exc.yaml @@ -0,0 +1,22 @@ +creator: admin +description: Get an exception for Avanan URL Security Tool. +dynamic_results_metadata: [] +integration_identifier: CheckPointHEC +name: Get Avanan URL Exception +parameters: +- default_value: '' + description: Exception type. + is_mandatory: true + name: Exception Type + type: ddl + optional_values: + - allow-url + - allow-domain + - block-url + - block-domain +- default_value: '' + description: Exception string. + is_mandatory: true + name: Exception String + type: string +script_result_name: is_success diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/get_avurl_excs.py b/content/response_integrations/third_party/community/check_point_hec/actions/get_avurl_excs.py new file mode 100644 index 000000000..249f6e3ef --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/get_avurl_excs.py 
@@ -0,0 +1,24 @@ +from ..core.get_sectool_excs import GetSectoolExceptions +from ..core.constants import AVANAN_URL_SAAS_NAME, GET_AVURL_EXCS_SCRIPT_NAME + +SUCCESS_MESSAGE: str = "Successfully got Avanan URL exceptions!" +ERROR_MESSAGE: str = "Failed getting Avanan URL exceptions!" + + +class GetAVURLExceptions(GetSectoolExceptions): + + def __init__(self) -> None: + super().__init__( + name=GET_AVURL_EXCS_SCRIPT_NAME, + output_message=SUCCESS_MESSAGE, + error_output=ERROR_MESSAGE, + sectool_name=AVANAN_URL_SAAS_NAME + ) + + +def main() -> None: + GetAVURLExceptions().run() + + +if __name__ == "__main__": + main() diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/get_avurl_excs.yaml b/content/response_integrations/third_party/community/check_point_hec/actions/get_avurl_excs.yaml new file mode 100644 index 000000000..70925d2a2 --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/get_avurl_excs.yaml 
@@ -0,0 +1,57 @@ +creator: admin +description: Get exceptions for Avanan URL Security Tool. +dynamic_results_metadata: [] +integration_identifier: CheckPointHEC +name: Get Avanan URL Exceptions +parameters: +- default_value: '' + description: Exception type. + is_mandatory: true + name: Exception Type + type: ddl + optional_values: + - allow-url + - allow-domain + - block-url + - block-domain +- default_value: '' + description: Search string. + is_mandatory: false + name: Filter String + type: string +- default_value: '' + description: Search index. + is_mandatory: false + name: Filter Index + type: ddl + optional_values: + - insert_time + - entity_type_id + - exception_str + - file_name + - created_by_email + - comment +- default_value: '' + description: Sort direction. + is_mandatory: false + name: Sort Direction + type: ddl + optional_values: + - asc + - desc +- default_value: '' + description: Last evaluated key. + is_mandatory: false + name: Last Evaluated Key + type: string +- default_value: false + description: Insert time field condition. + is_mandatory: false + name: Insert Time GTE + type: boolean +- default_value: '0' + description: Number of exceptions to retrieve. + is_mandatory: false + name: Limit + type: string +script_result_name: is_success diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/get_cp2_exc.py b/content/response_integrations/third_party/community/check_point_hec/actions/get_cp2_exc.py new file mode 100644 index 000000000..6721e3dcd --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/get_cp2_exc.py 
@@ -0,0 +1,24 @@ +from ..core.get_sectool_exc import GetSectoolException +from ..core.constants import ANTI_MALWARE_SAAS_NAME, GET_CP2_EXC_SCRIPT_NAME + +SUCCESS_MESSAGE: str = "Successfully got Anti-Malware exception!" +ERROR_MESSAGE: str = "Failed getting Anti-Malware exception!" + + +class GetCP2Exception(GetSectoolException): + + def __init__(self) -> None: + super().__init__( + name=GET_CP2_EXC_SCRIPT_NAME, + output_message=SUCCESS_MESSAGE, + error_output=ERROR_MESSAGE, + sectool_name=ANTI_MALWARE_SAAS_NAME + ) + + +def main() -> None: + GetCP2Exception().run() + + +if __name__ == "__main__": + main() diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/get_cp2_exc.yaml b/content/response_integrations/third_party/community/check_point_hec/actions/get_cp2_exc.yaml new file mode 100644 index 000000000..de1e3f64f --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/get_cp2_exc.yaml @@ -0,0 +1,22 @@ +creator: admin +description: Get an exception for Anti-Malware Security Tool. +dynamic_results_metadata: [] +integration_identifier: CheckPointHEC +name: Get Anti-Malware Exception +parameters: +- default_value: '' + description: Exception type. + is_mandatory: true + name: Exception Type + type: ddl + optional_values: + - hash + - macro_hash + - file_type + - ppat_sender_name +- default_value: '' + description: Exception string. + is_mandatory: true + name: Exception String + type: string +script_result_name: is_success diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/get_cp2_excs.py b/content/response_integrations/third_party/community/check_point_hec/actions/get_cp2_excs.py new file mode 100644 index 000000000..feddfe431 --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/get_cp2_excs.py 
@@ -0,0 +1,24 @@ +from ..core.get_sectool_excs import GetSectoolExceptions +from ..core.constants import ANTI_MALWARE_SAAS_NAME, GET_CP2_EXCS_SCRIPT_NAME + +SUCCESS_MESSAGE: str = "Successfully got Anti-Malware exceptions!" +ERROR_MESSAGE: str = "Failed getting Anti-Malware exceptions!" + + +class GetCP2Exceptions(GetSectoolExceptions): + + def __init__(self) -> None: + super().__init__( + name=GET_CP2_EXCS_SCRIPT_NAME, + output_message=SUCCESS_MESSAGE, + error_output=ERROR_MESSAGE, + sectool_name=ANTI_MALWARE_SAAS_NAME + ) + + +def main() -> None: + GetCP2Exceptions().run() + + +if __name__ == "__main__": + main() diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/get_cp2_excs.yaml b/content/response_integrations/third_party/community/check_point_hec/actions/get_cp2_excs.yaml new file mode 100644 index 000000000..209dd42f2 --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/get_cp2_excs.yaml 
@@ -0,0 +1,57 @@ +creator: admin +description: Get exceptions for Anti-Malware Security Tool. +dynamic_results_metadata: [] +integration_identifier: CheckPointHEC +name: Get Anti-Malware Exceptions +parameters: +- default_value: '' + description: Exception type. + is_mandatory: true + name: Exception Type + type: ddl + optional_values: + - hash + - macro_hash + - file_type + - ppat_sender_name +- default_value: '' + description: Search string. + is_mandatory: false + name: Filter String + type: string +- default_value: '' + description: Search index. + is_mandatory: false + name: Filter Index + type: ddl + optional_values: + - insert_time + - entity_type_id + - exception_str + - file_name + - created_by_email + - comment +- default_value: '' + description: Sort direction. + is_mandatory: false + name: Sort Direction + type: ddl + optional_values: + - asc + - desc +- default_value: '' + description: Last evaluated key. + is_mandatory: false + name: Last Evaluated Key + type: string +- default_value: false + description: Insert time field condition. + is_mandatory: false + name: Insert Time GTE + type: boolean +- default_value: '0' + description: Number of exceptions to retrieve. + is_mandatory: false + name: Limit + type: string +script_result_name: is_success diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/get_ctp_list.py b/content/response_integrations/third_party/community/check_point_hec/actions/get_ctp_list.py new file mode 100644 index 000000000..97346acbb --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/get_ctp_list.py 
@@ -0,0 +1,33 @@ +from ..core.base_action import BaseAction +from ..core.constants import GET_CTP_LIST_SCRIPT_NAME + +SUCCESS_MESSAGE: str = "Successfully got Click Time Protection List!" +ERROR_MESSAGE: str = "Failed getting Click Time Protection List!" + + +class GetCTPList(BaseAction): + + def __init__(self) -> None: + super().__init__(GET_CTP_LIST_SCRIPT_NAME) + self.output_message: str = SUCCESS_MESSAGE + self.error_output_message: str = ERROR_MESSAGE + + def _extract_action_parameters(self) -> None: + self.params.list_id = self.soar_action.extract_action_param( + param_name="List ID", + print_value=True, + is_mandatory=True, + default_value=None + ) + + def _perform_action(self, _=None) -> None: + list_id = self.params.list_id + self.json_results = self.api_client.get_ctp_list(list_id) + + +def main() -> None: + GetCTPList().run() + + +if __name__ == "__main__": + main() diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/get_ctp_list.yaml b/content/response_integrations/third_party/community/check_point_hec/actions/get_ctp_list.yaml new file mode 100644 index 000000000..14e0d7851 --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/get_ctp_list.yaml @@ -0,0 +1,12 @@ +creator: admin +description: Get a List for Click Time Protection. +dynamic_results_metadata: [] +integration_identifier: CheckPointHEC +name: Get CTP List +parameters: +- default_value: '' + description: List ID. + is_mandatory: true + name: List ID + type: string +script_result_name: is_success diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/get_ctp_list_item.py b/content/response_integrations/third_party/community/check_point_hec/actions/get_ctp_list_item.py new file mode 100644 index 000000000..5d5941d19 --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/get_ctp_list_item.py 
@@ -0,0 +1,33 @@ +from ..core.base_action import BaseAction +from ..core.constants import GET_CTP_LIST_ITEM_SCRIPT_NAME + +SUCCESS_MESSAGE: str = "Successfully got Click Time Protection List Item!" +ERROR_MESSAGE: str = "Failed getting Click Time Protection List Item!" + + +class GetCTPListItem(BaseAction): + + def __init__(self) -> None: + super().__init__(GET_CTP_LIST_ITEM_SCRIPT_NAME) + self.output_message: str = SUCCESS_MESSAGE + self.error_output_message: str = ERROR_MESSAGE + + def _extract_action_parameters(self) -> None: + self.params.item_id = self.soar_action.extract_action_param( + param_name="Item ID", + print_value=True, + is_mandatory=True, + default_value=None + ) + + def _perform_action(self, _=None) -> None: + item_id = self.params.item_id + self.json_results = self.api_client.get_ctp_list_item(item_id) + + +def main() -> None: + GetCTPListItem().run() + + +if __name__ == "__main__": + main() diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/get_ctp_list_item.yaml b/content/response_integrations/third_party/community/check_point_hec/actions/get_ctp_list_item.yaml new file mode 100644 index 000000000..424d2abc5 --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/get_ctp_list_item.yaml @@ -0,0 +1,12 @@ +creator: admin +description: Get a List Item for Click Time Protection. +dynamic_results_metadata: [] +integration_identifier: CheckPointHEC +name: Get CTP List Item +parameters: +- default_value: '' + description: Item ID. + is_mandatory: true + name: Item ID + type: string +script_result_name: is_success diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/get_ctp_list_items.py b/content/response_integrations/third_party/community/check_point_hec/actions/get_ctp_list_items.py new file mode 100644 index 000000000..50ba971b2 --- /dev/null 
+++ b/content/response_integrations/third_party/community/check_point_hec/actions/get_ctp_list_items.py @@ -0,0 +1,24 @@ +from ..core.base_action import BaseAction +from ..core.constants import GET_CTP_LIST_ITEMS_SCRIPT_NAME + +SUCCESS_MESSAGE: str = "Successfully got Click Time Protection List Items!" +ERROR_MESSAGE: str = "Failed getting Click Time Protection List Items!" + + +class GetCTPListItems(BaseAction): + + def __init__(self) -> None: + super().__init__(GET_CTP_LIST_ITEMS_SCRIPT_NAME) + self.output_message: str = SUCCESS_MESSAGE + self.error_output_message: str = ERROR_MESSAGE + + def _perform_action(self, _=None) -> None: + self.json_results = self.api_client.get_ctp_list_items() + + +def main() -> None: + GetCTPListItems().run() + + +if __name__ == "__main__": + main() diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/get_ctp_list_items.yaml b/content/response_integrations/third_party/community/check_point_hec/actions/get_ctp_list_items.yaml new file mode 100644 index 000000000..b1c88f36c --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/get_ctp_list_items.yaml @@ -0,0 +1,7 @@ +creator: admin +description: Get List Items for Click Time Protection. +dynamic_results_metadata: [] +integration_identifier: CheckPointHEC +name: Get CTP List Items +parameters: [] +script_result_name: is_success diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/get_ctp_lists.py b/content/response_integrations/third_party/community/check_point_hec/actions/get_ctp_lists.py new file mode 100644 index 000000000..b791c733e --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/get_ctp_lists.py 
@@ -0,0 +1,24 @@ +from ..core.base_action import BaseAction +from ..core.constants import GET_CTP_LISTS_SCRIPT_NAME + +SUCCESS_MESSAGE: str = "Successfully got Click Time Protection Lists!" +ERROR_MESSAGE: str = "Failed getting Click Time Protection Lists!" + + +class GetCTPLists(BaseAction): + + def __init__(self) -> None: + super().__init__(GET_CTP_LISTS_SCRIPT_NAME) + self.output_message: str = SUCCESS_MESSAGE + self.error_output_message: str = ERROR_MESSAGE + + def _perform_action(self, _=None) -> None: + self.json_results = self.api_client.get_ctp_lists() + + +def main() -> None: + GetCTPLists().run() + + +if __name__ == "__main__": + main() diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/get_ctp_lists.yaml b/content/response_integrations/third_party/community/check_point_hec/actions/get_ctp_lists.yaml new file mode 100644 index 000000000..d8102c927 --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/get_ctp_lists.yaml @@ -0,0 +1,7 @@ +creator: admin +description: Get Lists for Click Time Protection. +dynamic_results_metadata: [] +integration_identifier: CheckPointHEC +name: Get CTP Lists +parameters: [] +script_result_name: is_success diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/get_entity.py b/content/response_integrations/third_party/community/check_point_hec/actions/get_entity.py new file mode 100644 index 000000000..4cd971ee9 --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/get_entity.py 
@@ -0,0 +1,33 @@ +from ..core.base_action import BaseAction +from ..core.constants import GET_ENTITY_SCRIPT_NAME + +SUCCESS_MESSAGE: str = "Successfully got Entity!" +ERROR_MESSAGE: str = "Failed getting Entity!" + + +class GetEntity(BaseAction): + + def __init__(self) -> None: + super().__init__(GET_ENTITY_SCRIPT_NAME) + self.output_message: str = SUCCESS_MESSAGE + self.error_output_message: str = ERROR_MESSAGE + + def _extract_action_parameters(self) -> None: + self.params.entity_id = self.soar_action.extract_action_param( + param_name="Entity ID", + print_value=True, + is_mandatory=True, + default_value=None + ) + + def _perform_action(self, _=None) -> None: + entity_id = self.params.entity_id + self.json_results = self.api_client.get_entity(entity_id) + + +def main() -> None: + GetEntity().run() + + +if __name__ == "__main__": + main() diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/get_entity.yaml b/content/response_integrations/third_party/community/check_point_hec/actions/get_entity.yaml new file mode 100644 index 000000000..d7224fe30 --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/get_entity.yaml @@ -0,0 +1,12 @@ +creator: admin +description: Get an email entity. +dynamic_results_metadata: [] +integration_identifier: CheckPointHEC +name: Get Entity +parameters: +- default_value: '' + description: Entity ID. + is_mandatory: true + name: Entity ID + type: string +script_result_name: is_success diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/get_events.py b/content/response_integrations/third_party/community/check_point_hec/actions/get_events.py new file mode 100644 index 000000000..2eda7713e --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/get_events.py 
@@ -0,0 +1,81 @@ +import json + +from ..core.base_action import BaseAction +from ..core.constants import GET_EVENTS_SCRIPT_NAME, SAAS_APPS_TO_SAAS_NAMES, SEVERITY_VALUES + +SUCCESS_MESSAGE: str = "Successfully got Events!" +ERROR_MESSAGE: str = "Failed getting Events!" + + +class GetEvents(BaseAction): + + def __init__(self) -> None: + super().__init__(GET_EVENTS_SCRIPT_NAME) + self.output_message: str = SUCCESS_MESSAGE + self.error_output_message: str = ERROR_MESSAGE + + def _extract_action_parameters(self) -> None: + self.params.start_date = self.soar_action.extract_action_param( + param_name="Start Date", + print_value=True, + is_mandatory=True, + default_value=None, + ) + self.params.end_date = self.soar_action.extract_action_param( + param_name="End Date", + print_value=True, + is_mandatory=False, + ) + self.params.saas_apps = self.soar_action.extract_action_param( + param_name="SaaS Apps", + print_value=True, + is_mandatory=False, + ) + self.params.states = self.soar_action.extract_action_param( + param_name="States", + print_value=True, + is_mandatory=False, + ) + self.params.severities = self.soar_action.extract_action_param( + param_name="Severities", + print_value=True, + is_mandatory=False, + ) + self.params.threat_types = self.soar_action.extract_action_param( + param_name="Threat Types", + print_value=True, + is_mandatory=False, + ) + self.params.limit = self.soar_action.extract_action_param( + param_name="Limit", + print_value=True, + is_mandatory=False, + default_value=1000, + input_type=int, + ) + + def _perform_action(self, _=None) -> dict: + start_date = self.params.start_date + end_date = self.params.end_date + saas_apps = [SAAS_APPS_TO_SAAS_NAMES[saas] for saas in json.loads(self.params.saas_apps)] + states = [state.lower() for state in json.loads(self.params.states)] + severities = [SEVERITY_VALUES[severity.lower()] for severity in json.loads(self.params.severities)] + threat_types = [threat_type.lower().replace(" ", "_") for threat_type in 
json.loads(self.params.threat_types)] + limit = self.params.limit + + self.json_results = self.api_client.query_events( + start_date=start_date, + end_date=end_date, + saas_apps=saas_apps, + states=states, + severities=severities, + threat_types=threat_types, + ) + + +def main() -> None: + GetEvents().run() + + +if __name__ == "__main__": + main() diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/get_events.yaml b/content/response_integrations/third_party/community/check_point_hec/actions/get_events.yaml new file mode 100644 index 000000000..8414442d9 --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/get_events.yaml 
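Review bot: The `Limit` parameter extracted in `_extract_action_parameters` is never forwarded — `limit` is assigned in `_perform_action` but the `query_events` call omits it, so both the 1000 default and any caller-supplied cap are silently ignored and the query is effectively unbounded. The four `json.loads(self.params.…)` calls also run on optional parameters that have no default, so an unset multi-choice value (presumably `None` or `''` depending on the platform — I can't tell from here) raises `TypeError`/`JSONDecodeError` instead of meaning "no filter". I'd route the optional selections through one guard and pass the limit through, assuming `query_events` accepts a `limit` keyword (its signature is outside this hunk). The `-> dict` annotation should also become `-> None`, since nothing is returned.
```python
    def _perform_action(self, _=None) -> None:
        def parse_selection(raw) -> list:
            # Optional multi-choice params arrive unset as None/''; json.loads would raise on either.
            return json.loads(raw) if raw else []

        saas_apps = [SAAS_APPS_TO_SAAS_NAMES[saas] for saas in parse_selection(self.params.saas_apps)]
        # … unchanged: states, severities and threat_types built the same way from parse_selection …
        self.json_results = self.api_client.query_events(
            # … unchanged: start_date, end_date, saas_apps, states, severities, threat_types …
            limit=self.params.limit,
        )
```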
@@ -0,0 +1,69 @@ +creator: admin +description: Retrieve security events. +dynamic_results_metadata: [] +integration_identifier: CheckPointHEC +name: Get Events +parameters: +- default_value: '' + description: Start date in ISO 8601 format. + is_mandatory: true + name: Start Date + type: string +- default_value: '' + description: End date in ISO 8601 format, now by default. + is_mandatory: false + name: End Date + type: string +- default_value: '' + description: SaaS application to retrieve events from. + is_mandatory: false + name: SaaS Apps + optional_values: + - Microsoft Exchange + - Gmail + type: multi_choice_parameter +- default_value: '' + description: Event states to be retrieved. + is_mandatory: false + name: States + optional_values: + - New + - Remediated + - Detected + - Exception + - Dismissed + type: multi_choice_parameter +- default_value: '' + description: Severity levels to be retrieved. + is_mandatory: false + name: Severities + optional_values: + - Critical + - High + - Medium + - Low + - Very Low + type: multi_choice_parameter +- default_value: '' + description: Threat types to be retrieved. + is_mandatory: false + name: Threat Types + optional_values: + - DLP + - Malware + - Phishing + - Anomaly + - Suspicious Phishing + - Suspicious Malware + - Shadow IT + - Alert + - Spam + - Malicious URL + - Malicious URL Click + type: multi_choice_parameter +- default_value: '1000' + description: Limit number of events to be retrieved. + is_mandatory: false + name: Limit + type: string +script_result_name: is_success diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/get_scan_info.py b/content/response_integrations/third_party/community/check_point_hec/actions/get_scan_info.py new file mode 100644 index 000000000..8f75c2ddf --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/get_scan_info.py 
@@ -0,0 +1,54 @@ +import json + +from ..core.base_action import BaseAction +from ..core.constants import GET_SCAN_INFO_SCRIPT_NAME + +SUCCESS_MESSAGE: str = "Successfully got Scan Info!" +ERROR_MESSAGE: str = "Failed getting Scan Info!" + + +class GetScanInfo(BaseAction): + + def __init__(self) -> None: + super().__init__(GET_SCAN_INFO_SCRIPT_NAME) + self.output_message: str = SUCCESS_MESSAGE + self.error_output_message: str = ERROR_MESSAGE + + def _extract_action_parameters(self) -> None: + self.params.entity_id = self.soar_action.extract_action_param( + param_name="Entity ID", + print_value=True, + is_mandatory=True, + default_value=None + ) + self.params.include_clean = self.soar_action.extract_action_param( + param_name="Include Clean", + print_value=True, + is_mandatory=False, + default_value=False, + input_type=bool + ) + + def _perform_action(self, _=None) -> dict: + entity_id = self.params.entity_id + include_clean = self.params.include_clean + + result = self.api_client.get_entity(entity_id) + self.json_results = result + outputs = {} + + if entities := result.get("responseData"): + sec_result = entities[0]["entitySecurityResult"] + for tool, verdict in sec_result["combinedVerdict"].items(): + if verdict is not None and (include_clean or verdict != "clean"): + outputs[tool] = json.dumps(sec_result[tool]) + + return outputs + + +def main() -> None: + GetScanInfo().run() + + +if __name__ == "__main__": + main() diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/get_scan_info.yaml b/content/response_integrations/third_party/community/check_point_hec/actions/get_scan_info.yaml new file mode 100644 index 000000000..9efc858a9 --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/get_scan_info.yaml 
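Review bot: `_perform_action` indexes the API response without guarding — `entities[0]["entitySecurityResult"]`, `sec_result["combinedVerdict"]` and `sec_result[tool]` each raise `KeyError` if a verdict key has no matching per-tool block or the response shape differs, and that surfaces only as the generic `ERROR_MESSAGE`. Since `combinedVerdict` is what drives the loop, the lookups should tolerate a missing per-tool section: `for tool, verdict in sec_result.get("combinedVerdict", {}).items():` and `outputs[tool] = json.dumps(sec_result.get(tool))`. The first-entity access could likewise become `entities[0].get("entitySecurityResult", {})`. What `BaseAction` does with the returned `outputs` dict is outside this hunk.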
@@ -0,0 +1,17 @@ +creator: admin +description: Retrieve specific email scan with positive threats. +dynamic_results_metadata: [] +integration_identifier: CheckPointHEC +name: Email Scan Info +parameters: +- default_value: '' + description: Entity ID. + is_mandatory: true + name: Entity ID + type: string +- default_value: false + description: Include clean scans. + is_mandatory: false + name: Include Clean + type: boolean +script_result_name: is_success diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/ping.py b/content/response_integrations/third_party/community/check_point_hec/actions/ping.py new file mode 100644 index 000000000..17642c77e --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/ping.py @@ -0,0 +1,34 @@ +from ..core.base_action import BaseAction +from ..core.constants import PING_SCRIPT_NAME +from ..core.exceptions import CheckPointHECPermissionsError + +SUCCESS_MESSAGE: str = ( + "Successfully connected to the Smart API Service with the provided connection parameters!" +) +ERROR_MESSAGE: str = "Failed to connect to the Smart API Service!" + + + +class Ping(BaseAction): + + def __init__(self) -> None: + super().__init__(PING_SCRIPT_NAME) + self.output_message: str = SUCCESS_MESSAGE + self.error_output_message: str = ERROR_MESSAGE + + def _perform_action(self, _=None) -> None: + result = self.api_client.get_scopes() + scopes = result.get("responseData") + + if not isinstance(scopes, list) or len(scopes) != 1 or len(scopes[0].split(":")) != 2: + raise CheckPointHECPermissionsError( + "The provided API Key does not have sufficient permissions to access the Smart API Service." + ) + + +def main() -> None: + Ping().run() + + +if __name__ == "__main__": + main() 
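Review bot: In `Ping._perform_action` the scope check calls `scopes[0].split(":")` before confirming the element is a string, so a response whose first item is a dict or `None` raises `AttributeError` and is reported as `ERROR_MESSAGE` ("Failed to connect") rather than the permissions error the check is meant to produce. Tightening the condition to `if not isinstance(scopes, list) or len(scopes) != 1 or not isinstance(scopes[0], str) or len(scopes[0].split(":")) != 2:` keeps every malformed response on the `CheckPointHECPermissionsError` path. Not echoing the scope value in the error message is a good call, since scope strings presumably identify the tenant; keep it that way. How `get_scopes` behaves on an HTTP error is outside this hunk.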
diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/ping.yaml b/content/response_integrations/third_party/community/check_point_hec/actions/ping.yaml new file mode 100644 index 000000000..5fe313ac1 --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/ping.yaml @@ -0,0 +1,7 @@ +creator: admin +description: Use the Ping action to test the connectivity and permissions to Smart API Service. +dynamic_results_metadata: [] +integration_identifier: CheckPointHEC +name: Ping +parameters: [] +script_result_name: is_success diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/report_mis_classification.py b/content/response_integrations/third_party/community/check_point_hec/actions/report_mis_classification.py new file mode 100644 index 000000000..1f9bfe9a8 --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/report_mis_classification.py 
@@ -0,0 +1,53 @@ +from ..core.base_action import BaseAction +from ..core.constants import REPORT_MIS_CLASSIFICATION_SCRIPT_NAME, MIS_CLASSIFICATION_OPTIONS, \ + MIS_CLASSIFICATION_CONFIDENCE + +SUCCESS_MESSAGE: str = "Successfully Reported Mis Classification!" +ERROR_MESSAGE: str = "Failed Reporting Mis Classification!" + + +class ReportMisClassification(BaseAction): + + def __init__(self) -> None: + super().__init__(REPORT_MIS_CLASSIFICATION_SCRIPT_NAME) + self.output_message: str = SUCCESS_MESSAGE + self.error_output_message: str = ERROR_MESSAGE + + def _extract_action_parameters(self) -> None: + self.params.entities_list = self.soar_action.extract_action_param( + param_name="Entities", + print_value=True, + is_mandatory=True, + default_value=None, + ) + self.params.classification = self.soar_action.extract_action_param( + param_name="Classification", + print_value=True, + is_mandatory=True, + default_value=None, + ) + self.params.confident = self.soar_action.extract_action_param( + param_name="Confident", + print_value=True, + is_mandatory=True, + default_value=None, + ) + + def _perform_action(self, _=None) -> None: + entities = self.params.entities_list.split(',') + classification = MIS_CLASSIFICATION_OPTIONS[self.params.classification] + confident = MIS_CLASSIFICATION_CONFIDENCE[self.params.confident] + + self.json_results = self.api_client.report_mis_classification( + entities=entities, + classification=classification, + confident=confident + ) + + +def main() -> None: + ReportMisClassification().run() + + +if __name__ == "__main__": + main() diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/report_mis_classification.yaml b/content/response_integrations/third_party/community/check_point_hec/actions/report_mis_classification.yaml new file mode 100644 index 000000000..a6f24ac25 --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/report_mis_classification.yaml 
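Review bot: `entities = self.params.entities_list.split(',')` in `_perform_action` forwards whatever the comma split produces, so `"a, b,"` yields `" b"` and `""` as entity IDs sent to the API; the manifest only says "separated by comma", so surrounding whitespace is likely. I'd use `entities = [e.strip() for e in self.params.entities_list.split(',') if e.strip()]` and fail early if that list is empty. The `MIS_CLASSIFICATION_OPTIONS[...]` and `MIS_CLASSIFICATION_CONFIDENCE[...]` lookups raise a bare `KeyError` when a playbook passes a value outside the manifest's drop-down; a clearer error naming the accepted options would help, though the project's exception classes are outside this hunk.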
@@ -0,0 +1,31 @@ +creator: admin +description: Retrieve specific email scan with positive threats. +dynamic_results_metadata: [] +integration_identifier: CheckPointHEC +name: Scan Info +parameters: +- default_value: '' + description: Entities list, separated by comma. + is_mandatory: true + name: Entities + type: string +- default_value: '' + description: New classification. + is_mandatory: true + name: Classification + type: ddl + optional_values: + - Clean Email + - Spam + - Phishing + - Legit Marketing Email +- default_value: '' + description: Confidence level. + is_mandatory: true + name: Confident + type: ddl + optional_values: + - Not so sure + - Medium Confidence + - High Confidence +script_result_name: is_success diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/search_emails.py b/content/response_integrations/third_party/community/check_point_hec/actions/search_emails.py new file mode 100644 index 000000000..515317cee --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/search_emails.py 
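Review bot: The manifest's `name: Scan Info` and `description: Retrieve specific email scan with positive threats.` look copied from `get_scan_info.yaml` (which is `Email Scan Info` with the same description) and do not describe this action, which reports a mis-classified email. Suggest `name: Report Mis Classification` and `description: Report a mis-classified email to Check Point with a new classification and confidence level.` The `Confident` parameter would also read better as `Confidence`, but renaming it means changing the matching `param_name` in `report_mis_classification.py` too.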
@@ -0,0 +1,239 @@ +import json + +import dateparser + +from ..core.base_action import BaseAction +from ..core.constants import SEARCH_EMAILS_SCRIPT_NAME, DATE_FORMAT, SAAS_APPS_TO_SAAS_NAMES, \ + CP_DETECTION_VALUES, MS_DETECTION_VALUES, CP_QUARANTINED_VALUES, MS_QUARANTINED_VALUES + +SUCCESS_MESSAGE: str = "Successfully got Emails!" +ERROR_MESSAGE: str = "Failed getting Emails!" + + +class SearchEmails(BaseAction): + + def __init__(self) -> None: + super().__init__(SEARCH_EMAILS_SCRIPT_NAME) + self.output_message: str = SUCCESS_MESSAGE + self.error_output_message: str = ERROR_MESSAGE + + def _extract_action_parameters(self) -> None: + self.params.start_date = self.soar_action.extract_action_param( + param_name="Date From", + print_value=True, + is_mandatory=True, + ) + self.params.end_date = self.soar_action.extract_action_param( + param_name="Date To", + print_value=True, + is_mandatory=False, + ) + self.params.saas = self.soar_action.extract_action_param( + param_name="SaaS", + print_value=True, + is_mandatory=True, + ) + self.params.direction = self.soar_action.extract_action_param( + param_name="Direction", + print_value=True, + is_mandatory=False, + ) + self.params.subject_contains = self.soar_action.extract_action_param( + param_name="Subject Contains", + print_value=True, + is_mandatory=False, + ) + self.params.subject_match = self.soar_action.extract_action_param( + param_name="Subject Match", + print_value=True, + is_mandatory=False, + ) + self.params.sender_contains = self.soar_action.extract_action_param( + param_name="Sender Contains", + print_value=True, + is_mandatory=False, + ) + self.params.sender_match = self.soar_action.extract_action_param( + param_name="Sender Match", + print_value=True, + is_mandatory=False, + ) + self.params.domain = self.soar_action.extract_action_param( + param_name="Domain", + print_value=True, + is_mandatory=False, + ) + self.params.cp_detection = self.soar_action.extract_action_param( + param_name="CP Detection", + 
print_value=True, + is_mandatory=False, + default_value="", + ) + self.params.ms_detection = self.soar_action.extract_action_param( + param_name="MS Detection", + print_value=True, + is_mandatory=False, + default_value="", + ) + self.params.detection_op = self.soar_action.extract_action_param( + param_name="Detection Op", + print_value=True, + is_mandatory=False, + default_value="OR", + ) + self.params.server_ip = self.soar_action.extract_action_param( + param_name="Server IP", + print_value=True, + is_mandatory=False, + ) + self.params.recipients_contains = self.soar_action.extract_action_param( + param_name="Recipients Contains", + print_value=True, + is_mandatory=False, + ) + self.params.recipients_match = self.soar_action.extract_action_param( + param_name="Recipients Match", + print_value=True, + is_mandatory=False, + ) + self.params.links = self.soar_action.extract_action_param( + param_name="Links", + print_value=True, + is_mandatory=False, + ) + self.params.message_id = self.soar_action.extract_action_param( + param_name="Message ID", + print_value=True, + is_mandatory=False, + ) + self.params.cp_quarantined_state = self.soar_action.extract_action_param( + param_name="CP Quarantined State", + print_value=True, + is_mandatory=False, + ) + self.params.ms_quarantined_state = self.soar_action.extract_action_param( + param_name="MS Quarantined State", + print_value=True, + is_mandatory=False, + ) + self.params.quarantined_state_op = self.soar_action.extract_action_param( + param_name="Quarantined State Op", + print_value=True, + is_mandatory=False, + default_value="OR", + ) + self.params.name_contains = self.soar_action.extract_action_param( + param_name="Name Contains", + print_value=True, + is_mandatory=False, + ) + self.params.name_match = self.soar_action.extract_action_param( + param_name="Name Match", + print_value=True, + is_mandatory=False, + ) + self.params.client_ip = self.soar_action.extract_action_param( + param_name="Client IP", + print_value=True, 
+ is_mandatory=False, + ) + self.params.attachment_md5 = self.soar_action.extract_action_param( + param_name="Attachment MD5", + print_value=True, + is_mandatory=False, + ) + + # def _validate_params(self) -> None: + # if start_date := self.params.start_date: + # self.params.start_date = start_date + # if end_date := self.params.end_date: + # self.params.end_date = end_date + # else: + # ... + # # error + # + # if (subject_contains := self.params.subject_contains) and \ + # (subject_match := self.params.subject_match): + # ... + # # error + # + # if (sender_contains := self.params.sender_contains) and \ + # (sender_match := self.params.sender_match): + # ... + # # error + # + # if (recipients_contains := self.params.recipients_contains) and \ + # (recipient_match := self.params.recipients_match): + # ... + # # error + # + # if (name_contains := self.params.name_contains) and (name_match := self.params.name_match): + # ... + # # error + + def _perform_action(self, _=None) -> None: + start_date = self.params.start_date + end_date = self.params.end_date + saas = SAAS_APPS_TO_SAAS_NAMES[self.params.saas] if self.params.saas else None + direction = self.params.direction + subject_contains = self.params.subject_contains + subject_match = self.params.subject_match + sender_contains = self.params.sender_contains + sender_match = self.params.sender_match + domain = self.params.domain + cp_detection = [CP_DETECTION_VALUES[detection] for detection in \ + json.loads(self.params.cp_detection) if detection != ''] if (self.params.cp_detection != '') else None + if cp_detection == ['']: + cp_detection = None + ms_detection = [MS_DETECTION_VALUES[detection] for detection in \ + json.loads(self.params.ms_detection) if detection != ''] if (self.params.ms_detection != '') else None + if ms_detection == ['']: + ms_detection = None + detection_op = self.params.detection_op + server_ip = self.params.server_ip + recipients_contains = self.params.recipients_contains + recipients_match = 
self.params.recipients_match + links = self.params.links + message_id = self.params.message_id + cp_quarantined_state = CP_QUARANTINED_VALUES.get(self.params.cp_quarantined_state) + ms_quarantined_state = MS_QUARANTINED_VALUES.get(self.params.ms_quarantined_state) + quarantined_state_op = self.params.quarantined_state_op + name_contains = self.params.name_contains + name_match = self.params.name_match + client_ip = self.params.client_ip + attachment_md5 = self.params.attachment_md5 + + self.json_results = self.api_client.search_emails( + start_date, + end_date, + saas, + direction, + subject_contains, + subject_match, + sender_contains, + sender_match, + domain, + cp_detection, + ms_detection, + detection_op, + server_ip, + recipients_contains, + recipients_match, + links, + message_id, + cp_quarantined_state, + ms_quarantined_state, + quarantined_state_op, + name_contains, + name_match, + client_ip, + attachment_md5, + ) + + +def main() -> None: + SearchEmails().run() + + +if __name__ == "__main__": + main() diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/search_emails.yaml b/content/response_integrations/third_party/community/check_point_hec/actions/search_emails.yaml new file mode 100644 index 000000000..13efadf84 --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/search_emails.yaml 
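Review bot: The manifest for this action documents four `*_contains`/`*_match` pairs as mutually exclusive, but nothing enforces it — the `_validate_params` that would have is left commented out above `_perform_action`, so conflicting filters go straight to the API. Either remove the dead block or implement it; a compact version is below, assuming `BaseAction.run` calls a `_validate_params` hook as the stub suggests, and raising `ValueError` because I can't see which exception class `BaseAction` maps to a failed run. Two smaller items in the same hunk: `dateparser` and `DATE_FORMAT` are imported but unused, and the `if cp_detection == ['']` / `if ms_detection == ['']` checks are dead since the comprehensions already drop `''`. Passing all 24 arguments to `search_emails` positionally is also fragile; keyword arguments would make a misordering visible.
```python
    def _validate_params(self) -> None:
        """Reject filter combinations the action manifest documents as mutually exclusive."""
        exclusive_pairs = (
            ("subject_contains", "subject_match"),
            ("sender_contains", "sender_match"),
            ("recipients_contains", "recipients_match"),
            ("name_contains", "name_match"),
        )
        for contains_name, match_name in exclusive_pairs:
            if getattr(self.params, contains_name) and getattr(self.params, match_name):
                raise ValueError(f"'{contains_name}' and '{match_name}' cannot be specified together.")
```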
@@ -0,0 +1,179 @@ +creator: admin +description: Search for emails. +dynamic_results_metadata: [] +integration_identifier: CheckPointHEC +name: Search Emails +parameters: +- default_value: '' + description: 'Start date to get emails in ISO 8601 format. The arguments `date_last` and `date_from` with + `date_to` are mutually exclusive and cannot be specified together in the same request.' + is_mandatory: true + name: Date From + type: string +- default_value: '' + description: 'End date to get emails in ISO 8601 format. The arguments `date_last` and `date_from` with + `date_to` are mutually exclusive and cannot be specified together in the same request.' + is_mandatory: false + name: Date To + type: string +- default_value: '' + description: SaaS application to retrieve emails from. + is_mandatory: true + name: SaaS + optional_values: + - Microsoft Exchange + - Gmail + type: ddl +- default_value: '' + description: Email precedence. + is_mandatory: false + name: Direction + optional_values: + - Internal + - Incoming + - Outgoing + type: ddl +- default_value: '' + description: 'Emails with subject containing the given value. The arguments `subject_contains` and `subject_match` + are mutually exclusive and cannot be specified together in the same request.' + is_mandatory: false + name: Subject Contains + type: string +- default_value: '' + description: 'Emails with subject matching the given value. The arguments `subject_contains` and `subject_match` + are mutually exclusive and cannot be specified together in the same request.' + is_mandatory: false + name: Subject Match + type: string +- default_value: '' + description: 'Emails with sender email containing the given value. The arguments `sender_contains` and + `sender_match` are mutually exclusive and cannot be specified together in the same request.' + is_mandatory: false + name: Sender Contains + type: string +- default_value: '' + description: 'Emails with sender email matching the given value. 
The arguments `sender_contains` and `sender_match` + are mutually exclusive and cannot be specified together in the same request.' + is_mandatory: false + name: Sender Match + type: string +- default_value: '' + description: Emails with sender domain matching the given value. + is_mandatory: false + name: Domain + type: string +- default_value: '' + description: Detection by Check Point. + is_mandatory: false + name: CP Detection + optional_values: + - Phishing + - Suspected Phishing + - Malware + - Suspected Malware + - Spam + - Clean + - DLP + - Malicious URL Click + - Malicious URL + type: multi_choice_parameter +- default_value: '' + description: Detection by Microsoft. + is_mandatory: false + name: MS Detection + optional_values: + - Malware + - High Confidence Phishing + - Phishing + - High Confidence Spam + - Spam + - Bulk + - Clean + type: multi_choice_parameter +- default_value: OR + description: Detection operator. + is_mandatory: false + name: Detection Op + optional_values: + - OR + - AND + type: ddl +- default_value: '' + description: Sender server ip. + is_mandatory: false + name: Server IP + type: string +- default_value: '' + description: 'Emails with recipients containing the given value. The arguments `recipients_contains` and + `recipients_match` are mutually exclusive and cannot be specified together in the same request.' + is_mandatory: false + name: Recipients Contains + type: string +- default_value: '' + description: 'Emails with recipients matching the given value. The arguments `recipients_contains` and + `recipients_match` are mutually exclusive and cannot be specified together in the same request.' + is_mandatory: false + name: Recipients Match + type: string +- default_value: '' + description: Emails with links in body matching the given value. + is_mandatory: false + name: Links + type: string +- default_value: '' + description: Get specific email by message id. 
+ is_mandatory: false + name: Message ID + type: string +- default_value: '' + description: Quarantine authored by Check Point. + is_mandatory: false + name: CP Quarantined State + optional_values: + - Quarantined (Any source) + - Not Quarantined + - Quarantined by Check Point + - Quarantined by CP Analyst + - Quarantined by Admin + type: ddl +- default_value: '' + description: Quarantine authored by Microsoft. + is_mandatory: false + name: MS Quarantined State + optional_values: + - Quarantined + - Not Quarantined + - Not Quarantined Delivered to Inbox + - Not Quarantined Delivered to Junk + type: ddl +- default_value: OR + description: Quarantine state operator. + is_mandatory: false + name: Quarantined State Op + optional_values: + - OR + - AND + type: ddl +- default_value: '' + description: 'Emails with sender name containing the given value. The arguments `name_contains` and `name_match` + are mutually exclusive and cannot be specified together in the same request.' + is_mandatory: false + name: Name Contains + type: string +- default_value: '' + description: 'Emails with sender name matching the given value. The arguments `name_contains` and `name_match` are + mutually exclusive and cannot be specified together in the same request.' + is_mandatory: false + name: Name Match + type: string +- default_value: '' + description: Sender client IP. + is_mandatory: false + name: Client IP + type: string +- default_value: '' + description: Attachment MD5 checksum. + is_mandatory: false + name: Attachment MD5 + type: string +script_result_name: is_success diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/send_action.py b/content/response_integrations/third_party/community/check_point_hec/actions/send_action.py new file mode 100644 index 000000000..656f69ec4 --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/send_action.py 
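Review bot: The `Date From` and `Date To` descriptions say "The arguments `date_last` and `date_from` with `date_to` are mutually exclusive", but this action exposes no `date_last` parameter, so the sentence is a leftover from the underlying API's documentation and will confuse playbook authors. Suggest `description: Start date to get emails in ISO 8601 format.` and `description: End date to get emails in ISO 8601 format; defaults to now when omitted.` — the latter mirrors the wording already used for `End Date` in `get_events.yaml`, though whether the API really defaults to now is for the author to confirm. `Sender server ip.` should also read `Sender server IP.` to match `Sender client IP.` further down.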
@@ -0,0 +1,59 @@ +from ..core.base_action import BaseAction +from ..core.constants import SEND_ACTION_SCRIPT_NAME, SAAS_APPS_TO_SAAS_NAMES + +SUCCESS_MESSAGE: str = "Action sent successfully!" +ERROR_MESSAGE: str = "Failed sending action!" + + +class SendAction(BaseAction): + + def __init__(self) -> None: + super().__init__(SEND_ACTION_SCRIPT_NAME) + self.output_message: str = SUCCESS_MESSAGE + self.error_output_message: str = ERROR_MESSAGE + + def _extract_action_parameters(self) -> None: + self.params.entity_list = self.soar_action.extract_action_param( + param_name="Entities", + print_value=True, + is_mandatory=True, + default_value=None, + ) + self.params.saas = self.soar_action.extract_action_param( + param_name="SaaS", + print_value=True, + is_mandatory=True, + default_value=None, + ) + self.params.action = self.soar_action.extract_action_param( + param_name="Action", + print_value=True, + is_mandatory=True, + default_value=None, + ) + self.params.restore_decline_reason = self.soar_action.extract_action_param( + param_name="Restore Decline Reason", + print_value=True, + is_mandatory=False + ) + + def _perform_action(self, _=None) -> None: + entities = self.params.entity_list.split(',') + entity_type = SAAS_APPS_TO_SAAS_NAMES[self.params.saas] + "_email" + action = self.params.action + restore_decline_reason = self.params.restore_decline_reason + + self.json_results = self.api_client.entity_action( + entity_list=entities, + entity_type=entity_type, + action=action, + restore_decline_reason=restore_decline_reason + ) + + +def main() -> None: + SendAction().run() + + +if __name__ == "__main__": + main() diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/send_action.yaml b/content/response_integrations/third_party/community/check_point_hec/actions/send_action.yaml new file mode 100644 index 000000000..13eff27ca --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/send_action.yaml 
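Review bot: `entities = self.params.entity_list.split(',')` in `_perform_action` passes raw split results into a quarantine/restore request, so a trailing comma or the space after a comma produces `''` or `' abc'` entity IDs in a destructive call; the manifest only says "Use comma to separate multiple IDs". Prefer `entities = [e.strip() for e in self.params.entity_list.split(',') if e.strip()]` and refuse to continue when the list is empty. `SAAS_APPS_TO_SAAS_NAMES[self.params.saas]` raises a bare `KeyError` for a value outside the drop-down, and `action` is forwarded unvalidated — checking it against the three manifest values before calling `entity_action` would keep a malformed playbook input from reaching the API. How `entity_action` treats a `None` `restore_decline_reason` is outside this hunk.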
@@ -0,0 +1,34 @@ +creator: admin +description: Use Send Action to quarantine, restore or decline restore requests for emails. +dynamic_results_metadata: [] +integration_identifier: CheckPointHEC +name: Send Action +parameters: +- default_value: '' + description: One or multiple Email ids to apply action over. Use comma to separate multiple IDs. + is_mandatory: true + name: Entities + type: string +- default_value: '' + description: SaaS application to apply action over. + is_mandatory: true + name: SaaS + type: ddl + optional_values: + - Microsoft Exchange + - Gmail +- default_value: '' + description: Action to perform. + is_mandatory: true + name: Action + type: ddl + optional_values: + - quarantine + - restore + - decline_restore_request +- default_value: '' + description: Reason to decline restore request. + is_mandatory: false + name: Restore Decline Reason + type: string +script_result_name: is_success diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/update_ap_exc.py b/content/response_integrations/third_party/community/check_point_hec/actions/update_ap_exc.py new file mode 100644 index 000000000..f9e9e3848 --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/update_ap_exc.py 
@@ -0,0 +1,181 @@ +from ..core.base_action import BaseAction +from ..core.constants import UPDATE_AP_EXC_SCRIPT_NAME + +SUCCESS_MESSAGE: str = "Successfully updated Anti-Phishing exception!" +ERROR_MESSAGE: str = "Failed updating Anti-Phishing exception!" + + +class UpdateAPException(BaseAction): + + def __init__(self) -> None: + super().__init__(UPDATE_AP_EXC_SCRIPT_NAME) + self.output_message: str = SUCCESS_MESSAGE + self.error_output_message: str = ERROR_MESSAGE + + def _extract_action_parameters(self) -> None: + self.params.exception_type = self.soar_action.extract_action_param( + param_name="Exception Type", + print_value=True, + is_mandatory=True, + default_value=None, + ) + self.params.exception_id = self.soar_action.extract_action_param( + param_name="Exception ID", + print_value=True, + is_mandatory=True, + default_value=None, + ) + self.params.entity_id = self.soar_action.extract_action_param( + param_name="Entity ID", + print_value=True, + is_mandatory=False + ) + self.params.attachment_md5 = self.soar_action.extract_action_param( + param_name="Attachment MD5", + print_value=True, + is_mandatory=False + ) + self.params.from_email = self.soar_action.extract_action_param( + param_name="From Email", + print_value=True, + is_mandatory=False + ) + self.params.nickname = self.soar_action.extract_action_param( + param_name="Nickname", + print_value=True, + is_mandatory=False + ) + self.params.recipient = self.soar_action.extract_action_param( + param_name="Recipient", + print_value=True, + is_mandatory=False + ) + self.params.sender_client_ip = self.soar_action.extract_action_param( + param_name="Sender Client IP", + print_value=True, + is_mandatory=False + ) + self.params.from_domain_ends_with = self.soar_action.extract_action_param( + param_name="From Domain Ends With", + print_value=True, + is_mandatory=False + ) + self.params.sender_ip = self.soar_action.extract_action_param( + param_name="Sender IP", + print_value=True, + is_mandatory=False + ) + 
self.params.email_link = self.soar_action.extract_action_param( + param_name="Email Link", + print_value=True, + is_mandatory=False + ) + self.params.subject = self.soar_action.extract_action_param( + param_name="Subject", + print_value=True, + is_mandatory=False + ) + self.params.comment = self.soar_action.extract_action_param( + param_name="Comment", + print_value=True, + is_mandatory=False + ) + self.params.action_needed = self.soar_action.extract_action_param( + param_name="Action Needed", + print_value=True, + is_mandatory=False + ) + self.params.ignoring_spf_check = self.soar_action.extract_action_param( + param_name="Ignoring SPF Check", + print_value=True, + is_mandatory=False, + input_type=bool + ) + self.params.subject_matching = self.soar_action.extract_action_param( + param_name="Subject Matching", + print_value=True, + is_mandatory=False + ) + self.params.email_link_matching = self.soar_action.extract_action_param( + param_name="Email Link Matching", + print_value=True, + is_mandatory=False + ) + self.params.from_name_matching = self.soar_action.extract_action_param( + param_name="From Name Matching", + print_value=True, + is_mandatory=False + ) + self.params.from_domain_matching = self.soar_action.extract_action_param( + param_name="From Domain Matching", + print_value=True, + is_mandatory=False + ) + self.params.from_email_matching = self.soar_action.extract_action_param( + param_name="From Email Matching", + print_value=True, + is_mandatory=False + ) + self.params.recipient_matching = self.soar_action.extract_action_param( + param_name="Recipient Matching", + print_value=True, + is_mandatory=False + ) + + def _perform_action(self, _=None) -> None: + exception_type = self.params.exception_type + exception_id = self.params.exception_id + entity_id = self.params.entity_id + attachment_md5 = self.params.attachment_md5 + from_email = self.params.from_email + nickname = self.params.nickname + recipient = self.params.recipient + sender_client_ip = 
self.params.sender_client_ip + from_domain_ends_with = self.params.from_domain_ends_with + sender_ip = self.params.sender_ip + email_link = self.params.email_link + subject = self.params.subject + comment = self.params.comment + action_needed = self.params.action_needed + ignoring_spf_check = self.params.ignoring_spf_check + subject_matching = self.params.subject_matching + email_link_matching = self.params.email_link_matching + from_name_matching = self.params.from_name_matching + from_domain_matching = self.params.from_domain_matching + from_email_matching = self.params.from_email_matching + recipient_matching = self.params.recipient_matching + + exception = { + "entityId": entity_id, + "attachmentMd5": attachment_md5, + "senderEmail": from_email, + "senderName": nickname, + "recipient": recipient, + "senderClientIp": sender_client_ip, + "senderDomain": from_domain_ends_with, + "senderIp": sender_ip, + "linkDomains": email_link, + "subject": subject, + "comment": comment, + "actionNeeded": action_needed, + "ignoringSpfCheck": ignoring_spf_check, + "subjectMatching": subject_matching, + "linkDomainMatching": email_link_matching, + "senderNameMatching": from_name_matching, + "senderDomainMatching": from_domain_matching, + "senderEmailMatching": from_email_matching, + "recipientMatching": recipient_matching, + } + self.api_client.update_ap_exception( + exception_type=exception_type, + exception_id=exception_id, + exception=exception + ) + + +def main() -> None: + UpdateAPException().run() + + +if __name__ == "__main__": + main() diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/update_ap_exc.yaml b/content/response_integrations/third_party/community/check_point_hec/actions/update_ap_exc.yaml new file mode 100644 index 000000000..e710b9af4 --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/update_ap_exc.yaml 
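Review bot: `_perform_action` builds the `exception` payload with every field present, so any optional parameter the playbook leaves unset is sent as `null` (`ignoringSpfCheck` has no default either, so it is `None` rather than `False`). For an update of an existing `whitelist`/`spam_whitelist` entry that may overwrite the server-side value with nothing — whether the API treats `null` as "clear" or "ignore" isn't visible here, but clearing `senderEmail` or `recipient` on an allow-list exception would widen it, so it is worth confirming. If the API ignores absent keys, sending only populated ones is the safe default: `exception = {k: v for k, v in exception.items() if v is not None}` just before the `update_ap_exception` call. Also, the call's return value is discarded while every sibling action stores it in `self.json_results`, and `linkDomains` receives the raw comma-separated string although the manifest describes it as "links separated by comma" — presumably the API expects a list.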
@@ -0,0 +1,140 @@ +creator: admin +description: Update an exception for Anti-Phishing or Anti-Spam Security Tool. +dynamic_results_metadata: [] +integration_identifier: CheckPointHEC +name: Update Anti-Phishing Exception +parameters: +- default_value: '' + description: Anti-Phishing or Anti-Spam exception type. + is_mandatory: true + name: Exception Type + type: ddl + optional_values: + - whitelist + - blacklist + - spam_whitelist +- default_value: '' + description: Exception ID. + is_mandatory: true + name: Exception ID + type: string +- default_value: '' + description: Entity ID. + is_mandatory: false + name: Entity ID + type: string +- default_value: '' + description: File attachment MD5 checksum. + is_mandatory: false + name: Attachment MD5 + type: string +- default_value: '' + description: Sender email. + is_mandatory: false + name: From Email + type: string +- default_value: '' + description: Sender name. + is_mandatory: false + name: Nickname + type: string +- default_value: '' + description: Email recipient. + is_mandatory: false + name: Recipient + type: string +- default_value: '' + description: Sender client IP. + is_mandatory: false + name: Sender Client IP + type: string +- default_value: '' + description: From domain ends with. + is_mandatory: false + name: From Domain Ends With + type: string +- default_value: '' + description: Sender IP. + is_mandatory: false + name: Sender IP + type: string +- default_value: '' + description: Email link or links separated by comma. + is_mandatory: false + name: Email Link + type: string +- default_value: '' + description: Email subject. + is_mandatory: false + name: Subject + type: string +- default_value: '' + description: Exception comment. + is_mandatory: false + name: Comment + type: string +- default_value: '' + description: Action needed. + is_mandatory: false + name: Action Needed + type: string +- default_value: false + description: Ignoring SPF check. 
+ is_mandatory: false + name: Ignoring SPF Check + type: boolean +- default_value: '' + description: Subject field condition. + is_mandatory: false + name: Subject Matching + type: ddl + optional_values: + - matching + - contains + - exact +- default_value: '' + description: Email link field condition. + is_mandatory: false + name: Email Link Matching + type: ddl + optional_values: + - matching + - contains + - exact +- default_value: '' + description: From name field condition. + is_mandatory: false + name: From Name Matching + type: ddl + optional_values: + - matching + - contains + - exact +- default_value: '' + description: From domain field condition. + is_mandatory: false + name: From Domain Matching + type: ddl + optional_values: + - contains + - ends_with + - exact +- default_value: '' + description: From email field condition. + is_mandatory: false + name: From Email Matching + type: ddl + optional_values: + - matching + - contains + - exact +- default_value: '' + description: Recipient field condition. + is_mandatory: false + name: Recipient Matching + type: ddl + optional_values: + - matching + - contains + - exact +script_result_name: is_success diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/update_avdlp_exc.py b/content/response_integrations/third_party/community/check_point_hec/actions/update_avdlp_exc.py new file mode 100644 index 000000000..a62fc9515 --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/update_avdlp_exc.py 
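Review bot: The `Email Link` parameter is described as `Email link or links separated by comma`, but the visible body of `UpdateAPException._perform_action` in update_ap_exc.py forwards the raw string as `"linkDomains": email_link` without splitting it, so a value such as `a.example,b.example` would be sent to the API as a single string. The hunk for that method starts outside this view, so I can only see the forwarding line; if the API expects a list for `linkDomains`, the action should do `"linkDomains": [d.strip() for d in email_link.split(",")] if email_link else None`, otherwise this description should be reduced to `Email link domain.` so the parameter does not promise more than the action does. Whichever side is changed, the description and the payload construction should agree.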
@@ -0,0 +1,24 @@ +from ..core.update_sectool_exc import UpdateSectoolException +from ..core.constants import AVANAN_DLP_SAAS_NAME, UPDATE_AVDLP_EXC_SCRIPT_NAME + +SUCCESS_MESSAGE: str = "Successfully updated Avanan DLP exception!" +ERROR_MESSAGE: str = "Failed updating Avanan DLP exception!" + + +class UpdateAVDLPException(UpdateSectoolException): + + def __init__(self) -> None: + super().__init__( + name=UPDATE_AVDLP_EXC_SCRIPT_NAME, + output_message=SUCCESS_MESSAGE, + error_output=ERROR_MESSAGE, + sectool_name=AVANAN_DLP_SAAS_NAME + ) + + +def main() -> None: + UpdateAVDLPException().run() + + +if __name__ == "__main__": + main() diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/update_avdlp_exc.yaml b/content/response_integrations/third_party/community/check_point_hec/actions/update_avdlp_exc.yaml new file mode 100644 index 000000000..eb95ee4a5 --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/update_avdlp_exc.yaml @@ -0,0 +1,36 @@ +creator: admin +description: Update an exception for Avanan DLP Security Tool. +dynamic_results_metadata: [] +integration_identifier: CheckPointHEC +name: Update Avanan DLP Exception +parameters: +- default_value: '' + description: Exception type. + is_mandatory: true + name: Exception Type + type: ddl + optional_values: + - hash + - text_content + - sender_email + - recipient_email +- default_value: '' + description: Exception string. + is_mandatory: true + name: Exception String + type: string +- default_value: '' + description: Exception comment. + is_mandatory: false + name: Comment + type: string +- default_value: '' + description: Exception payload condition. + is_mandatory: false + name: Exception Payload Condition + type: ddl + optional_values: + - with_or_without_link + - with_link + - without_link +script_result_name: is_success 
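Review bot: `UpdateAVDLPException` carries no docstring, so a reader has to open `core/update_sectool_exc.py` to learn what the action does, and the same applies to `UpdateAVURLException` in the next hunk and `UpdateCP2Exception` in the one after it. Since each class body only wires constants into `super().__init__`, a one-line class docstring is enough, e.g. `"""Update an existing Avanan DLP sectool exception through the shared UpdateSectoolException flow."""` (with the tool name adjusted for the URL and Anti-Malware variants). The `SUCCESS_MESSAGE`/`ERROR_MESSAGE` module constants are clear as written and need no comment.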
diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/update_avurl_exc.py b/content/response_integrations/third_party/community/check_point_hec/actions/update_avurl_exc.py new file mode 100644 index 000000000..92a301874 --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/update_avurl_exc.py @@ -0,0 +1,24 @@ +from ..core.update_sectool_exc import UpdateSectoolException +from ..core.constants import AVANAN_URL_SAAS_NAME, UPDATE_AVURL_EXC_SCRIPT_NAME + +SUCCESS_MESSAGE: str = "Successfully updated Avanan URL exception!" +ERROR_MESSAGE: str = "Failed updating Avanan URL exception!" + + +class UpdateAVURLException(UpdateSectoolException): + + def __init__(self) -> None: + super().__init__( + name=UPDATE_AVURL_EXC_SCRIPT_NAME, + output_message=SUCCESS_MESSAGE, + error_output=ERROR_MESSAGE, + sectool_name=AVANAN_URL_SAAS_NAME + ) + + +def main() -> None: + UpdateAVURLException().run() + + +if __name__ == "__main__": + main() diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/update_avurl_exc.yaml b/content/response_integrations/third_party/community/check_point_hec/actions/update_avurl_exc.yaml new file mode 100644 index 000000000..a25bcf015 --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/update_avurl_exc.yaml 
@@ -0,0 +1,36 @@ +creator: admin +description: Update an exception for Avanan URL Security Tool. +dynamic_results_metadata: [] +integration_identifier: CheckPointHEC +name: Update Avanan URL Exception +parameters: +- default_value: '' + description: Exception type. + is_mandatory: true + name: Exception Type + type: ddl + optional_values: + - allow-url + - allow-domain + - block-url + - block-domain +- default_value: '' + description: Exception string. + is_mandatory: true + name: Exception String + type: string +- default_value: '' + description: Exception comment. + is_mandatory: false + name: Comment + type: string +- default_value: '' + description: Exception payload condition. + is_mandatory: false + name: Exception Payload Condition + type: ddl + optional_values: + - with_or_without_link + - with_link + - without_link +script_result_name: is_success diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/update_cp2_exc.py b/content/response_integrations/third_party/community/check_point_hec/actions/update_cp2_exc.py new file mode 100644 index 000000000..a79a75543 --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/update_cp2_exc.py @@ -0,0 +1,24 @@ +from ..core.update_sectool_exc import UpdateSectoolException +from ..core.constants import ANTI_MALWARE_SAAS_NAME, UPDATE_CP2_EXC_SCRIPT_NAME + +SUCCESS_MESSAGE: str = "Successfully updated Anti-Malware exception!" +ERROR_MESSAGE: str = "Failed updating Anti-Malware exception!" + + +class UpdateCP2Exception(UpdateSectoolException): + + def __init__(self) -> None: + super().__init__( + name=UPDATE_CP2_EXC_SCRIPT_NAME, + output_message=SUCCESS_MESSAGE, + error_output=ERROR_MESSAGE, + sectool_name=ANTI_MALWARE_SAAS_NAME + ) + + +def main() -> None: + UpdateCP2Exception().run() + + +if __name__ == "__main__": + main() 
diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/update_cp2_exc.yaml b/content/response_integrations/third_party/community/check_point_hec/actions/update_cp2_exc.yaml new file mode 100644 index 000000000..c530c0b26 --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/update_cp2_exc.yaml @@ -0,0 +1,36 @@ +creator: admin +description: Update an exception for Anti-Malware Security Tool. +dynamic_results_metadata: [] +integration_identifier: CheckPointHEC +name: Update Anti-Malware Exception +parameters: +- default_value: '' + description: Exception type. + is_mandatory: true + name: Exception Type + type: ddl + optional_values: + - hash + - macro_hash + - file_type + - ppat_sender_name +- default_value: '' + description: Exception string. + is_mandatory: true + name: Exception String + type: string +- default_value: '' + description: Exception comment. + is_mandatory: false + name: Comment + type: string +- default_value: '' + description: Exception payload condition. + is_mandatory: false + name: Exception Payload Condition + type: ddl + optional_values: + - with_or_without_link + - with_link + - without_link +script_result_name: is_success diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/update_ctp_list_item.py b/content/response_integrations/third_party/community/check_point_hec/actions/update_ctp_list_item.py new file mode 100644 index 000000000..bbfd34a9f --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/actions/update_ctp_list_item.py 
@@ -0,0 +1,60 @@ +from ..core.base_action import BaseAction +from ..core.constants import UPDATE_CTP_LIST_ITEM_SCRIPT_NAME + +SUCCESS_MESSAGE: str = "Successfully updated Click Time Protection List Item!" +ERROR_MESSAGE: str = "Failed updating Click Time Protection List Item!" + + +class UpdateCTPListItem(BaseAction): + + def __init__(self) -> None: + super().__init__(UPDATE_CTP_LIST_ITEM_SCRIPT_NAME) + self.output_message: str = SUCCESS_MESSAGE + self.error_output_message: str = ERROR_MESSAGE + + def _extract_action_parameters(self) -> None: + self.params.item_id = self.soar_action.extract_action_param( + param_name="Item ID", + print_value=True, + is_mandatory=True, + default_value=None + ) + self.params.list_id = self.soar_action.extract_action_param( + param_name="List ID", + print_value=True, + is_mandatory=True, + default_value=None + ) + self.params.list_item_name = self.soar_action.extract_action_param( + param_name="List Item Name", + print_value=True, + is_mandatory=True, + default_value=None + ) + self.params.created_by = self.soar_action.extract_action_param( + param_name="Created By", + print_value=True, + is_mandatory=True, + default_value=None + ) + + def _perform_action(self, _=None) -> None: + item_id = self.params.item_id + list_id = self.params.list_id + list_item_name = self.params.list_item_name + created_by = self.params.created_by + + list_item = { + "listId": list_id, + "listItemName": list_item_name, + "createdBy": created_by + } + self.json_results = self.api_client.update_ctp_list_item(item_id, list_item=list_item) + + +def main() -> None: + UpdateCTPListItem().run() + + +if __name__ == "__main__": + main() diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/update_ctp_list_item.yaml b/content/response_integrations/third_party/community/check_point_hec/actions/update_ctp_list_item.yaml new file mode 100644 index 000000000..03bbb9da8 --- /dev/null 
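Review bot: `_perform_action` sends the caller-supplied `Created By` value as `createdBy` on an update, so whoever invokes the action can rewrite the item's attribution field; if the backend treats that field as audit metadata rather than a required part of the update payload, it should be taken from the existing item (the client exposes `get_ctp_list_item(item_id)`) instead of being a mandatory free-text parameter — worth confirming against the API before the yaml keeps it mandatory. Stylistically, the four local aliases at the top of the method add nothing: `list_item = {"listId": self.params.list_id, "listItemName": self.params.list_item_name, "createdBy": self.params.created_by}` reads the same and drops four lines. The class and `_perform_action` also lack docstrings; a one-liner such as `"""Overwrite the Click Time Protection list item identified by Item ID with the supplied list, name and creator fields."""` would cover both.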
+++ b/content/response_integrations/third_party/community/check_point_hec/actions/update_ctp_list_item.yaml @@ -0,0 +1,27 @@ +creator: admin +description: Update a List Item for Click Time Protection. +dynamic_results_metadata: [] +integration_identifier: CheckPointHEC +name: Update CTP List Item +parameters: +- default_value: '' + description: Item ID. + is_mandatory: true + name: Item ID + type: string +- default_value: '' + description: List ID. + is_mandatory: true + name: List ID + type: string +- default_value: '' + description: List Item Name. + is_mandatory: true + name: List Item Name + type: string +- default_value: '' + description: Created By. + is_mandatory: true + name: Created By + type: string +script_result_name: is_success diff --git a/content/response_integrations/third_party/community/check_point_hec/core/__init__.py b/content/response_integrations/third_party/community/check_point_hec/core/__init__.py new file mode 100644 index 000000000..e69de29bb diff --git a/content/response_integrations/third_party/community/check_point_hec/core/api_clients.py b/content/response_integrations/third_party/community/check_point_hec/core/api_clients.py new file mode 100644 index 000000000..414be4701 --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/core/api_clients.py 
@@ -0,0 +1,826 @@ +from abc import ABC, abstractmethod +from typing import List +from urllib.parse import urlencode + +import requests +from TIPCommon.types import Contains +from cached_property import cached_property + +from .auth_managers import AuthManager, CloudInfraAuthManager, SmartAPIAuthManager + + +class APIBaseClient(ABC): + + auth_manager: Contains[AuthManager] + verify_ssl: bool + + @cached_property + def api_version(self): + return self.auth_manager.api_version + + @cached_property + def host(self): + return self.auth_manager.host + + @abstractmethod + def get_path(self, endpoint: str) -> str: + pass + + @abstractmethod + def get_request_string(self, endpoint: str, params: dict = None) -> str: + pass + + def call_api( + self, + method: str, + endpoint: str, + params: dict = None, + body: dict = None, + headers: dict = None + ) -> dict: + """ + Perform call to the Smart API + + :param method: HTTP method - post, get + :param endpoint: API Endpoint + :param params: GET parameters + :param body: JSON Body + :param headers: Custom headers + :return: Response JSON + """ + headers = headers or self.auth_manager.headers(self.get_request_string(endpoint, params)) + res = requests.request( + method, + f'https://{self.host}/{self.get_path(endpoint)}', + headers=headers, + params=params, + json=body, + verify=self.verify_ssl + ) + try: + res.raise_for_status() + + except requests.exceptions.HTTPError as e: + print(f'request exception: status_code[{e.response.status_code}] response[{e.response.content}]') + raise e + + self.json_results = res.json() + return res.json() + + @staticmethod + def strip_none(payload: dict): + for key, value in dict(payload).items(): + if value is None: + del payload[key] + + def get_scopes(self): + """ + Get list of scopes available for app client (client_id + client_secret) + Scopes are made of 2 values separated by ":", for example, mt-prod-3:customer1 + The first is the farm (internal designation), the second is your customer name 
used to access the + portal. + + :return: List of scopes as : + """ + return self.call_api('get', 'scopes') + + def get_event(self, event_id: str): + """ + Get single SaaS entity + + :param event_id: Security Event ID + :return: Security Event + """ + return self.call_api('get', f'event/{event_id}') + + def query_events( + self, + start_date: str, + end_date: str = None, + event_types: List[str] = None, + event_states: List[str] = None, + severities: List[str] = None, + saas: List[str] = None, + description: str = None, + event_ids: List[str] = None, + scroll_id: str = None, + scopes: List[str] = None + ): + """ + Query Security Events + + :param start_date: Start date (iso 8601) + :param end_date: End date (iso 8601) + :param event_types: List of event types + :param event_states: List of event states + :param severities: List of severities + :param saas: SaaS Name + :param description: Description + :param event_ids: List of Event ID + :param scroll_id: Scroll ID for pagination + :param scopes: List of scopes as : + :return: Security events + """ + request_data = { + 'scopes': scopes, + 'eventTypes': event_types, + 'eventStates': event_states, + 'severities': severities, + 'startDate': start_date, + 'endDate': end_date, + 'saas': saas, + 'description': description, + 'eventIds': event_ids, + 'scrollId': scroll_id + } + self.strip_none(request_data) + payload = { + 'requestData': request_data + } + return self.call_api('post', 'event/query', body=payload) + + def get_entity(self, entity_id: str): + """ + Get single SaaS entity + + :param entity_id: SaaS Entity ID + :return: Entity + """ + return self.call_api('get', f'search/entity/{entity_id}') + + def query_entities( + self, + saas: str, + start_date: str, + end_date: str = None, + entity_type: str = None, + extended_filter: List[dict] = None, + scroll_id: str = None, + scopes: List[str] = None + ): + """ + Query SaaS entities + + :param saas: SaaS Name + :param start_date: Start date (iso 8601) + :param 
end_date: End date (iso 8601) + :param entity_type: SaaS Entity Type + :param extended_filter: Extended filters list + :param scroll_id: Scroll ID for pagination + :param scopes: List of scopes as : + :return: Entities + """ + entity_filter = { + 'saas': saas, + 'saasEntity': entity_type, + 'startDate': start_date, + 'endDate': end_date, + } + self.strip_none(entity_filter) + request_data = { + 'scopes': scopes, + 'entityFilter': entity_filter, + 'entityExtendedFilter': extended_filter, + 'scrollId': scroll_id + } + self.strip_none(request_data) + payload = { + 'requestData': request_data + } + return self.call_api('post', 'search/query', body=payload) + + def search_emails( + self, + start_date: str, + end_date: str = None, + saas: str = None, + direction: str = None, + subject_contains: str = None, + subject_match: str = None, + sender_contains: str = None, + sender_match: str = None, + domain: str = None, + cp_detection: List[str] = None, + ms_detection: List[str] = None, + detection_op: str = None, + server_ip: str = None, + recipients_contains: str = None, + recipients_match: str = None, + links: str = None, + message_id: str = None, + cp_quarantined_state: str = None, + ms_quarantined_state: str = None, + quarantined_state_op: str = None, + name_contains: str = None, + name_match: str = None, + client_ip: str = None, + attachment_md5: str = None, + ): + """ + Search email entities with various filters + + :param start_date: Start date (iso 8601) + :param end_date: End date (iso 8601) + :param saas: SaaS Name + :param direction: Email direction (internal/incoming/outgoing) + :param subject_contains: Subject contains string + :param subject_match: Subject match string + :param sender_contains: Sender email contains string + :param sender_match: Sender email match string + :param domain: Sender domain + :param cp_detection: Check Point detection categories + :param ms_detection: Microsoft detection categories + :param detection_op: Operator for combining Check 
Point and Microsoft detections (and/or) + :param server_ip: Sender server IP + :param recipients_contains: Recipients contains string + :param recipients_match: Recipients match string + :param links: Email links contains string + :param message_id: Internet message ID + :param cp_quarantined_state: Check Point quarantined state + :param ms_quarantined_state: Microsoft quarantined state + :param quarantined_state_op: Operator for combining Check Point and Microsoft quarantined states (and/or) + :param name_contains: Sender name contains string + :param name_match: Sender name match string + :param client_ip: Sender client IP + :param attachment_md5: Attachment MD5 hash + return: Email entities matching the filters + """ + + entity_filter = { + "saas": saas, + "startDate": start_date, + } + if end_date: + entity_filter["endDate"] = end_date + extended_filter = [] + detection_resolution_filter = {} + if direction: + extended_filter.append( + { + "saasAttrName": f"entityPayload.is{direction}", + "saasAttrOp": "is", + "saasAttrValue": "true", + } + ) + if subject_contains: + extended_filter.append( + {"saasAttrName": "entityPayload.subject", "saasAttrOp": "contains", "saasAttrValue": subject_contains} + ) + elif subject_match: + extended_filter.append({"saasAttrName": "entityPayload.subject", "saasAttrOp": "is", "saasAttrValue": subject_match}) + if sender_contains: + extended_filter.append( + {"saasAttrName": "entityPayload.fromEmail", "saasAttrOp": "contains", "saasAttrValue": sender_contains} + ) + elif sender_match: + extended_filter.append({"saasAttrName": "entityPayload.fromEmail", "saasAttrOp": "is", "saasAttrValue": sender_match}) + if domain: + extended_filter.append({"saasAttrName": "entityPayload.fromDomain", "saasAttrOp": "is", "saasAttrValue": domain}) + if cp_detection: + detection_resolution_filter["cpDetection"] = cp_detection + if ms_detection: + detection_resolution_filter["msDetection"] = ms_detection + if cp_detection and ms_detection: + 
detection_resolution_filter["detectionOp"] = detection_op + if server_ip: + extended_filter.append( + {"saasAttrName": "entityPayload.senderServerIp", "saasAttrOp": "is", "saasAttrValue": server_ip} + ) + if recipients_contains: + extended_filter.append( + {"saasAttrName": "entityPayload.recipients", "saasAttrOp": "contains", "saasAttrValue": recipients_contains} + ) + elif recipients_match: + extended_filter.append( + {"saasAttrName": "entityPayload.recipients", "saasAttrOp": "is", "saasAttrValue": recipients_match} + ) + if links: + extended_filter.append({"saasAttrName": "entityPayload.emailLinks", "saasAttrOp": "is", "saasAttrValue": links}) + if message_id: + extended_filter.append( + {"saasAttrName": "entityPayload.internetMessageId", "saasAttrOp": "is", "saasAttrValue": message_id} + ) + if cp_quarantined_state: + detection_resolution_filter["cpQuarantinedState"] = cp_quarantined_state + if ms_quarantined_state: + detection_resolution_filter["msQuarantinedState"] = ms_quarantined_state + if cp_quarantined_state and ms_quarantined_state: + detection_resolution_filter["quarantinedStateOp"] = quarantined_state_op + if name_contains: + extended_filter.append( + {"saasAttrName": "entityPayload.fromName", "saasAttrOp": "contains", "saasAttrValue": name_contains} + ) + elif name_match: + extended_filter.append({"saasAttrName": "entityPayload.fromName", "saasAttrOp": "is", "saasAttrValue": name_match}) + if client_ip: + extended_filter.append( + {"saasAttrName": "entityPayload.senderClientIp", "saasAttrOp": "is", "saasAttrValue": client_ip} + ) + if attachment_md5: + extended_filter.append( + {"saasAttrName": "entityPayload.attachments.MD5", "saasAttrOp": "is", "saasAttrValue": attachment_md5} + ) + request_data = { + "entityFilter": entity_filter, + } + if extended_filter: + request_data["entityExtendedFilter"] = extended_filter + if detection_resolution_filter: + request_data["entityDetectionResolutionFilter"] = detection_resolution_filter + payload = 
{"requestData": request_data} + print(payload) + return self.call_api('post', 'search/query', body=payload) + + def event_action(self, event_ids: List[str], action: str, scope: str = None): + """ + Perform action on the entities associated with a security event + + :param event_ids: List of Event ID + :param action: Action to perform ('quarantine' or 'restore') + :param scope: Single scope (mandatory for multi scope app clients) + :return: Task information + """ + request_data = { + 'scope': scope, + 'eventIds': event_ids, + 'eventActionName': action + } + self.strip_none(request_data) + payload = { + 'requestData': request_data + } + return self.call_api('post', 'action/event', body=payload) + + def entity_action(self, entity_ids: List[str], entity_type: str, action: str, restore_decline_reason: str = None): + """ + Enqueues an action on SaaS entity + + :param entity_ids: List of Entity ID + :param entity_type: SaaS Entity Type + :param action: Action to perform ('quarantine' or 'restore') + :param restore_decline_reason: Reason for declining restore action (used if action is "decline_restore_request") + :return: Task information + """ + request_data = { + 'entityIds': entity_ids, + 'entityType': entity_type, + 'entityActionName': action, + } + if action == 'decline_restore_request': + request_data['restoreDeclineReason'] = restore_decline_reason + self.strip_none(request_data) + payload = { + 'requestData': request_data + } + return self.call_api('post', 'action/entity', body=payload) + + def get_task(self, task_id: int, scope: str = None): + """ + Returns the state of actions enqueued with "entity_action". 
+ + :param task_id: Task ID from "Task Information" (returned by the action endpoints) + :param scope: Single scope (mandatory for multi scope app clients) + :return: Updated Task Information + """ + params = {'scope': scope} if scope else None + return self.call_api('get', f'task/{task_id}', params=params) + + def send_email(self, entity_id: str, emails: List[str]): + request_data = { + 'entityId': entity_id, + 'emails': emails, + } + self.strip_none(request_data) + payload = { + 'requestData': request_data + } + return self.call_api('post', 'soar/notify', body=payload) + + def download_email(self, entity_id: str, original: bool = False, scope: str = None): + """ + Download email file associated with the entity ID. + + :param entity_id: Email Entity ID + :param original: Whether to download original email or with modifications + :param scope: Single scope (mandatory for multi scope app clients) + """ + params = { + 'scope': scope, + 'original': original + } + self.strip_none(params) + return self.call_api('get', f'download/entity/{entity_id}', params=params) + + def report_mis_classification(self, entities: List[str], classification: str, confident: str): + """ + Report misclassification for given entities. + + :param entities: List of entity IDs + :param classification: Classification + :param confident: Confidence level + """ + request_data = { + 'entityIds': entities, + 'classification': classification, + 'confident': confident + } + self.strip_none(request_data) + payload = { + 'requestData': request_data + } + return self.call_api('post', 'report/mis-classification', body=payload) + + def get_sectool_exception(self, sectool: str, exception_type: str, exception_string: str, scope: str = None): + """ + Returns a single sectool exception. 
+ + :param sectool: Sectool name - avanan_dlp, avanan_url, checkpoint2 + :param exception_type: Exception type + :param exception_string: Exception string + :param scope: Single scope (mandatory for multi scope app clients) + """ + params = {'scope': scope} if scope else None + return self.call_api( + 'get', + f'sectool-exceptions/{sectool}/exceptions/{exception_type}/{exception_string}', + params=params + ) + + def get_sectool_exceptions(self, sectool: str, exception_type: str, exception_data: dict, scope: str = None): + """ + Returns list of sectool exceptions. + + :param sectool: Sectool name - avanan_dlp, avanan_url, checkpoint2 + :param exception_type: Exception type + :param exception_data: Exception data for filtering + :param scope: Single scope (mandatory for multi scope app clients) + """ + params = {'scope': scope} if scope else None + self.strip_none(exception_data) + payload = { + 'requestData': exception_data + } + return self.call_api('get', f'sectool-exceptions/{sectool}/exceptions/{exception_type}', params=params, body=payload) + + def create_sectool_exception(self, sectool: str, exc: dict, scopes: List[str] = None): + """ + Create a sectool exception. + + :param sectool: Sectool name - avanan_dlp, avanan_url, checkpoint2 + :param exc: Exception data + :param scopes: List of scopes as : + """ + request_data = { + 'scopes': scopes, + **exc + } + self.strip_none(request_data) + payload = { + 'requestData': request_data + } + return self.call_api('post', f'sectool-exceptions/{sectool}', body=payload) + + def update_sectool_exception(self, sectool: str, exc: dict, scopes: List[str] = None): + """ + Update a sectool exception. 
+ + :param sectool: Sectool name - avanan_dlp, avanan_url, checkpoint2 + :param exc: Exception data + :param scopes: List of scopes as : + """ + request_data = { + 'scopes': scopes, + **exc + } + self.strip_none(request_data) + payload = { + 'requestData': request_data + } + return self.call_api('put', f'sectool-exceptions/{sectool}', body=payload) + + def delete_sectool_exception(self, sectool: str, exc: dict, scopes: List[str] = None): + """ + Delete a sectool exception. + + :param sectool: Sectool name - avanan_dlp, avanan_url, checkpoint2 + :param exc: Exception data + :param scopes: List of scopes as : + """ + request_data = { + 'scopes': scopes, + **exc + } + self.strip_none(request_data) + payload = { + 'requestData': request_data + } + return self.call_api('delete', f'sectool-exceptions/{sectool}', body=payload) + + def delete_sectool_exceptions(self, sectool: str, exc: dict, scopes: List[str] = None): + """ + Delete multiple sectool exceptions. + + :param sectool: Sectool name - avanan_dlp, avanan_url, checkpoint2 + :param exc: Exception data + :param scopes: List of scopes as : + """ + request_data = { + 'scopes': scopes, + **exc + } + self.strip_none(request_data) + payload = { + 'requestData': request_data + } + return self.call_api('delete', f'sectool-exceptions/{sectool}/exceptions', body=payload) + + def get_exceptions(self, exc_type: str, scope: str = None): + """ + Returns list of exception by the type (whitelist/blacklist). + + :param exc_type: Exception type - whitelist/blacklist + :param scope: Single scope (mandatory for multi scope app clients) + """ + params = {'scope': scope} if scope else None + return self.call_api('get', f'exceptions/{exc_type}', params=params) + + def get_ap_exception(self, exc_type: str, exc_id: str, scope: str = None): + """ + Returns a single exception by the type (whitelist/blacklist) and ID. 
+ + :param exc_type: Exception type - whitelist/blacklist + :param exc_id: Exception ID + :param scope: Single scope (mandatory for multi scope app clients) + """ + params = {'scope': scope} if scope else None + return self.call_api('get', f'exceptions/{exc_type}/{exc_id}', params=params) + + def get_ap_exceptions(self, exc_type: str, scope: str = None): + """ + Returns list of exceptions by the type (whitelist/blacklist). + + :param exc_type: Exception type - whitelist/blacklist + :param scope: Single scope (mandatory for multi scope app clients) + """ + params = {'scope': scope} if scope else None + return self.call_api('get', f'exceptions/{exc_type}', params=params) + + def create_ap_exception(self, exc_type: str, exc: dict, scopes: List[str] = None): + """ + Create an exception of type (whitelist/blacklist). + + :param exc_type: Exception type - whitelist/blacklist + :param exc: Exception data + :param scopes: List of scopes as : + """ + request_data = { + 'scopes': scopes, + **exc + } + self.strip_none(request_data) + payload = { + 'requestData': request_data + } + return self.call_api('post', f'exceptions/{exc_type}', body=payload) + + def update_ap_exception(self, exc_type: str, exc_id: str, exc: dict, scopes: List[str] = None): + """ + Returns a single exception by the type (whitelist/blacklist) and ID. + + :param exc_type: Exception type - whitelist/blacklist + :param exc_id: Exception ID + :param exc: Exception data + :param scopes: List of scopes as : + """ + request_data = { + 'scopes': scopes, + **exc + } + self.strip_none(request_data) + payload = { + 'requestData': request_data + } + return self.call_api('put', f'exceptions/{exc_type}/{exc_id}', body=payload) + + def delete_ap_exception(self, exc_type: str, exc_id: str, scopes: List[str] = None): + """ + Delete a single exception by the type (whitelist/blacklist) and ID. 
+ + :param exc_type: Exception type - whitelist/blacklist + :param exc_id: Exception ID + :param scopes: List of scopes as : + """ + request_data = { + 'scopes': scopes + } + self.strip_none(request_data) + payload = { + 'requestData': request_data + } + return self.call_api('post', f'exceptions/{exc_type}/delete/{exc_id}', body=payload) + + def get_anomaly_exceptions(self, scope: str = None): + """ + Get anomaly exceptions. + + :param scope: Single scope (mandatory for multi scope app clients) + """ + params = {'scope': scope} if scope else None + return self.call_api('get', 'sectools/anomaly/exceptions', params=params) + + def create_anomaly_exception(self, exc: dict, added_by: str = None, scopes: List[str] = None): + """ + Create an anomaly exception. + + :param exc: Exception data + :param added_by: Name of the user who added the exception + :param scopes: List of scopes as : + """ + request_data = { + 'scopes': scopes, + 'addedBy': added_by, + 'requestJson': exc + } + payload = { + 'requestData': request_data + } + return self.call_api('post', 'sectools/anomaly/exceptions', body=payload) + + def delete_anomaly_exceptions(self, list_ids: List[str], scopes: List[str] = None): + """ + Delete anomaly exceptions. + + :param list_ids: List of exception IDs to delete + :param scopes: List of scopes as : + """ + request_data = { + 'scopes': scopes, + 'listIds': list_ids + } + self.strip_none(request_data) + payload = { + 'requestData': request_data + } + return self.call_api('delete', 'sectools/anomaly/exceptions', body=payload) + + def create_ctp_list_item(self, list_item: dict, scopes: List[str] = None): + """ + Create a CTP list item. 
+ + :param list_item: List item data + :param scopes: List of scopes as : + """ + request_data = { + 'scopes': scopes, + **list_item + } + self.strip_none(request_data) + payload = { + 'requestData': request_data + } + return self.call_api('post', 'sectools/click_time_protection/exceptions/items', body=payload) + + def get_ctp_list(self, list_id: str, scopes: List[str] = None): + """ + Get a CTP list. + + :param list_id: List ID + :param scopes: List of scopes as : + """ + params = { + 'scopes': scopes + } + self.strip_none(params) + return self.call_api('get', f'sectools/click_time_protection/exceptions/{list_id}', params=params) + + def get_ctp_list_item(self, item_id: str, scopes: List[str] = None): + """ + Get a CTP list item. + + :param item_id: List item ID + :param scopes: List of scopes as : + """ + params = { + 'scopes': scopes + } + self.strip_none(params) + return self.call_api('get', f'sectools/click_time_protection/exceptions/items/{item_id}', params=params) + + def get_ctp_list_items(self, scopes: List[str] = None): + """ + Get CTP list items. + + :param scopes: List of scopes as : + """ + params = { + 'scopes': scopes + } + self.strip_none(params) + return self.call_api('get', 'sectools/click_time_protection/exceptions/items', params=params) + + def get_ctp_lists(self, scopes: List[str] = None): + """ + Get CTP lists. + + :param scopes: List of scopes as : + """ + params = { + 'scopes': scopes + } + self.strip_none(params) + return self.call_api('get', 'sectools/click_time_protection/exceptions', params=params) + + def update_ctp_list_item(self, item_id: str, list_item: dict, scopes: List[str] = None): + """ + Update a CTP list item. 
+ + :param item_id: List item ID + :param list_item: List item data + :param scopes: List of scopes as : + """ + request_data = { + 'scopes': scopes, + **list_item + } + self.strip_none(request_data) + payload = { + 'requestData': request_data + } + return self.call_api('put', f'sectools/click_time_protection/exceptions/items/{item_id}', body=payload) + + def delete_ctp_list_item(self, item_id: str, scopes: List[str] = None): + """ + Delete a CTP list item. + + :param item_id: List item ID + :param scopes: List of scopes as : + """ + request_data = { + 'scopes': scopes + } + self.strip_none(request_data) + payload = { + 'requestData': request_data + } + return self.call_api('delete', f'sectools/click_time_protection/exceptions/items/{item_id}', body=payload) + + def delete_ctp_list_items(self, list_item_ids: List[str], scopes: List[str] = None): + """ + Delete multiple CTP list items. + + :param list_item_ids: List of item IDs + :param scopes: List of scopes as : + """ + request_data = { + 'scopes': scopes, + 'listItemIds': list_item_ids + } + self.strip_none(request_data) + payload = { + 'requestData': request_data + } + return self.call_api('delete', 'sectools/click_time_protection/exceptions/items', body=payload) + + def delete_ctp_lists(self, scopes: List[str] = None): + """ + Delete all CTP lists. 
+ + :param scopes: List of scopes as : + """ + request_data = { + 'scopes': scopes + } + self.strip_none(request_data) + payload = { + 'requestData': request_data + } + return self.call_api('delete', 'sectools/click_time_protection/exceptions', body=payload) + + +class CloudInfraApiClient(APIBaseClient): + + def __init__(self, host: str, client_id: str, client_secret: str, verify_ssl: bool): + self.auth_manager = CloudInfraAuthManager(host, client_id, client_secret) + self.verify_ssl = verify_ssl + + def get_path(self, endpoint: str) -> str: + return '/'.join(['app', 'hec-api', self.api_version, endpoint]) + + def get_request_string(self, endpoint: str, params: dict = None) -> str: + return '' + + +class SmartAPIClient(APIBaseClient): + + def __init__(self, host: str, client_id: str, client_secret: str, verify_ssl: bool): + self.auth_manager = SmartAPIAuthManager(host, client_id, client_secret) + self.verify_ssl = verify_ssl + + def get_path(self, endpoint: str) -> str: + return '/'.join([self.api_version, endpoint]) + + def get_request_string(self, endpoint: str, params: dict = None) -> str: + request_string = f'/{self.api_version}/{endpoint}' + if params: + request_string += f'?{urlencode(params)}' + return request_string diff --git a/content/response_integrations/third_party/community/check_point_hec/core/auth.py b/content/response_integrations/third_party/community/check_point_hec/core/auth.py new file mode 100644 index 000000000..f3bd2b81d --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/core/auth.py 
@@ -0,0 +1,57 @@ +from TIPCommon.extraction import extract_script_param +from TIPCommon.types import ChronicleSOAR +from soar_sdk.SiemplifyAction import SiemplifyAction +from soar_sdk.SiemplifyConnectors import SiemplifyConnectorExecution +from soar_sdk.SiemplifyJob import SiemplifyJob + +from .constants import INTEGRATION_IDENTIFIER +from .data_models import IntegrationParameters +from .exceptions import CheckPointHECIntegrationError + + +def build_auth_params(soar_sdk_object: ChronicleSOAR) -> IntegrationParameters: + sdk_class = type(soar_sdk_object).__name__ + if sdk_class == SiemplifyAction.__name__: + input_dictionary = soar_sdk_object.get_configuration(INTEGRATION_IDENTIFIER) + elif sdk_class in ( + SiemplifyConnectorExecution.__name__, + SiemplifyJob.__name__, + ): + input_dictionary = soar_sdk_object.parameters + else: + raise CheckPointHECIntegrationError( + f"Provided SOAR instance is not supported! type: {sdk_class}.", + ) + + host = extract_script_param( + soar_sdk_object, + input_dictionary=input_dictionary, + param_name="Host", + ) + client_id = extract_script_param( + soar_sdk_object, + input_dictionary=input_dictionary, + param_name="Client ID", + ) + client_secret = extract_script_param( + soar_sdk_object, + input_dictionary=input_dictionary, + param_name="Client Secret", + ) + verify_ssl = extract_script_param( + soar_sdk_object, + input_dictionary=input_dictionary, + param_name="Verify SSL", + default_value=True, + input_type=bool, + is_mandatory=True, + print_value=True, + ) + + return IntegrationParameters( + host=host, + client_id=client_id, + client_secret=client_secret, + verify_ssl=verify_ssl, + is_infinity='cloudinfra' in host + ) diff --git a/content/response_integrations/third_party/community/check_point_hec/core/auth_managers.py b/content/response_integrations/third_party/community/check_point_hec/core/auth_managers.py new file mode 100644 index 000000000..b968276eb --- /dev/null 
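Review bot: `Host`, `Client ID` and `Client Secret` are extracted in `build_auth_params` without `is_mandatory=True`, so a missing value silently becomes `None` and is interpolated into `https://None/...` URLs and into the request signature instead of failing at configuration time with a clear error. Adding `is_mandatory=True` to those three `extract_script_param` calls (leaving `print_value` off for the secret) gives them the same fail-fast behaviour `Verify SSL` already has. The `is_infinity='cloudinfra' in host` substring test is also loose — any hostname containing that string selects the Infinity auth path — so an explicit hostname or suffix comparison would be safer; I cannot see from this patch whether `host` is validated anywhere else.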
+++ b/content/response_integrations/third_party/community/check_point_hec/core/auth_managers.py 
@@ -0,0 +1,118 @@ +import base64 +import datetime +import hashlib +import time +import uuid +from abc import ABC, abstractmethod + +import requests +from cached_property import cached_property +from jose import jwt + +from constants import SMART_API_VERSION + + +class AuthManager(ABC): + api_version = SMART_API_VERSION + + def __init__(self, host: str, client_id: str, client_secret: str): + self.host = host + self.client_id = client_id + self.client_secret = client_secret + self.token = None + self.token_expiry = None + + @abstractmethod + def get_token(self) -> str: + pass + + @abstractmethod + def headers(self, request_string: str = None, auth: bool = False) -> dict: + pass + + +class CloudInfraAuthManager(AuthManager): + + def get_token(self) -> str: + if self._should_refresh_token(): + payload = { + "clientId": self.client_id, + "accessKey": self.client_secret + } + timestamp = time.time() + + res = requests.post(f'https://{self.host}/auth/external', json=payload) + res.raise_for_status() + data = res.json()['data'] + self.token = data.get('token') + self.token_expiry = timestamp + float(data.get('expiresIn')) + + return self.token + + def headers(self, request_string: str = None, auth: bool = False) -> dict: + request_id = str(uuid.uuid4()) + token = self.get_token() + return { + 'Authorization': f'Bearer {token}', + 'x-av-req-id': request_id, + } + + def _should_refresh_token(self) -> bool: + return not self.token or time.time() >= self.token_expiry + + +class SmartAPIAuthManager(AuthManager): + + def __init__(self, host: str, client_id: str, client_secret: str): + super().__init__(host, client_id, client_secret) + self.token_buffer = 60 + + def get_token(self) -> str: + if not self._should_refresh_token(): + return self.token + + res = requests.get( + f'https://{self.host}/{self.api_version}/auth', + headers=self.headers(auth=True) + ) + res.raise_for_status() + self.token = res.content.decode('utf-8') + decoded_token = jwt.decode(self.token, 
self.public_key) + self.token_expiry = decoded_token['exp'] + return self.token + + def headers(self, request_string: str = None, auth: bool = False) -> dict: + request_id = str(uuid.uuid4()) + timestamp = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None).isoformat() + headers = { + 'x-av-req-id': request_id, + 'x-av-app-id': self.client_id, + 'x-av-date': timestamp, + 'x-av-sig': self._generate_signature(request_id, timestamp, request_string) + } + if not auth: + headers['x-av-token'] = self.get_token() + return headers + + @cached_property + def public_key(self) -> dict: + res = requests.get(f'https://{self.host}/{self.api_version}/public_key') + res.raise_for_status() + return res.json() + + def _should_refresh_token(self) -> bool: + if not self.token: + return True + + return time.time() + self.token_buffer > self.token_expiry + + def _generate_signature(self, request_id: str, timestamp: str, request_string: str = None) -> str: + if request_string: + signature_string = f'{request_id}{self.client_id}{timestamp}{request_string}' \ + f'{self.client_secret}' + else: + signature_string = f'{request_id}{self.client_id}{timestamp}{self.client_secret}' + signature_bytes = signature_string.encode('utf-8') + signature_base64_bytes = base64.b64encode(signature_bytes) + signature_hash = hashlib.sha256(signature_base64_bytes).hexdigest() + return signature_hash diff --git a/content/response_integrations/third_party/community/check_point_hec/core/base_action.py b/content/response_integrations/third_party/community/check_point_hec/core/base_action.py new file mode 100644 index 000000000..fcef862d5 --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/core/base_action.py 
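Review bot: Neither auth manager receives the `Verify SSL` setting, so the three `requests` calls in this file (`/auth/external`, `/auth`, `/public_key`) always run with the library default and cannot honour the customer's choice, and none of them passes `timeout=`, so an unresponsive host hangs the action indefinitely. `jwt.decode(self.token, self.public_key)` is called without `algorithms=`, which leaves the accepted signature algorithm to whatever the token header claims; pinning it to the algorithm the `/public_key` endpoint serves is the usual hardening. `from constants import SMART_API_VERSION` is an absolute import while `auth.py` and `base_action.py` in this same change use `from .constants import ...`, so this module will likely fail to import inside the package. Threading `verify_ssl` through `AuthManager.__init__` means the two constructors in `api_clients.py` (visible above, in a hunk that starts outside this view) need to pass the extra argument as well.
```python
class AuthManager(ABC):
    api_version = SMART_API_VERSION

    def __init__(self, host: str, client_id: str, client_secret: str,
                 verify_ssl: bool = True, timeout: float = 30.0):
        # … unchanged: host, client_id, client_secret, token, token_expiry …
        self.verify_ssl = verify_ssl
        self.timeout = timeout

# … unchanged: CloudInfraAuthManager.get_token up to the request …
        res = requests.post(f'https://{self.host}/auth/external', json=payload,
                            verify=self.verify_ssl, timeout=self.timeout)

# … unchanged: SmartAPIAuthManager.get_token up to the request …
        res = requests.get(
            f'https://{self.host}/{self.api_version}/auth',
            headers=self.headers(auth=True),
            verify=self.verify_ssl,
            timeout=self.timeout,
        )
        res.raise_for_status()
        self.token = res.content.decode('utf-8')
        # Pin the accepted algorithm; never let the token header choose it.
        decoded_token = jwt.decode(self.token, self.public_key,
                                   algorithms=[...])  # the alg served by /public_key

# … unchanged: headers(), _should_refresh_token(), _generate_signature() …
    @cached_property
    def public_key(self) -> dict:
        res = requests.get(f'https://{self.host}/{self.api_version}/public_key',
                           verify=self.verify_ssl, timeout=self.timeout)
        # … unchanged: raise_for_status() / return res.json() …
```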
@@ -0,0 +1,31 @@ +from abc import ABC + +from TIPCommon.base.action import Action +from TIPCommon.types import Contains + +from .api_clients import APIBaseClient, CloudInfraApiClient, SmartAPIClient +from .auth import build_auth_params + + +class BaseAction(Action, ABC): + + def _init_api_clients(self) -> Contains[APIBaseClient]: + auth_params = build_auth_params(self.soar_action) + _APIClient = CloudInfraApiClient if auth_params.is_infinity else SmartAPIClient + + return _APIClient( + host=auth_params.host, + client_id=auth_params.client_id, + client_secret=auth_params.client_secret, + verify_ssl=auth_params.verify_ssl + ) + + + + @property + def result_value(self) -> bool: + return self._result_value + + @result_value.setter + def result_value(self, value: bool) -> None: + self._result_value = value diff --git a/content/response_integrations/third_party/community/check_point_hec/core/constants.py b/content/response_integrations/third_party/community/check_point_hec/core/constants.py new file mode 100644 index 000000000..d6eb2841d --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/core/constants.py 
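Review bot: The `result_value` property pair only forwards to `_result_value` with no validation or side effect, so a plain attribute would do the same with less code; if it exists to satisfy an abstract member of `TIPCommon`'s `Action`, a one-line comment such as `# required by Action's abstract interface` would stop the next reader from deleting it. The three blank lines before it should be one per PEP 8. `_APIClient` is a local variable, so `api_client_cls` would match the file's naming for locals better than a PascalCase name with a leading underscore.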
@@ -0,0 +1,119 @@ + +INTEGRATION_IDENTIFIER: str = "CheckPointHEC" +INTEGRATION_DISPLAY_NAME: str = "Check Point HEC" + +SMART_API_VERSION = "v1.0" + +# Sectools +ANTI_MALWARE_SAAS_NAME = "checkpoint2" +AVANAN_URL_SAAS_NAME = "avanan_url" +AVANAN_DLP_SAAS_NAME = "avanan_dlp" + +# Script names +CREATE_ANOMALY_EXC_SCRIPT_NAME = f"{INTEGRATION_IDENTIFIER} - Create Anomaly Exception" +CREATE_AP_EXC_SCRIPT_NAME = f"{INTEGRATION_IDENTIFIER} - Create Anti-Phishing Exception" +CREATE_AVDLP_EXC_SCRIPT_NAME = f"{INTEGRATION_IDENTIFIER} - Create Avanan DLP Exception" +CREATE_AVURL_EXC_SCRIPT_NAME = f"{INTEGRATION_IDENTIFIER} - Create Avanan URL Exception" +CREATE_CP2_EXC_SCRIPT_NAME = f"{INTEGRATION_IDENTIFIER} - Create Anti-Malware Exception" +CREATE_CTP_LIST_ITEM_SCRIPT_NAME = f"{INTEGRATION_IDENTIFIER} - Create CTP List Item" + +DELETE_ANOMALY_EXCS_SCRIPT_NAME = f"{INTEGRATION_IDENTIFIER} - Delete Anomaly Exceptions" +DELETE_AP_EXC_SCRIPT_NAME = f"{INTEGRATION_IDENTIFIER} - Delete Anti-Phishing Exception" +DELETE_AVDLP_EXC_SCRIPT_NAME = f"{INTEGRATION_IDENTIFIER} - Delete Avanan DLP Exception" +DELETE_AVDLP_EXCS_SCRIPT_NAME = f"{INTEGRATION_IDENTIFIER} - Delete Avanan DLP Exceptions" +DELETE_AVURL_EXC_SCRIPT_NAME = f"{INTEGRATION_IDENTIFIER} - Delete Avanan URL Exception" +DELETE_AVURL_EXCS_SCRIPT_NAME = f"{INTEGRATION_IDENTIFIER} - Delete Avanan URL Exceptions" +DELETE_CP2_EXC_SCRIPT_NAME = f"{INTEGRATION_IDENTIFIER} - Delete Anti-Malware Exception" +DELETE_CP2_EXCS_SCRIPT_NAME = f"{INTEGRATION_IDENTIFIER} - Delete Anti-Malware Exceptions" +DELETE_CTP_LIST_ITEM_SCRIPT_NAME = f"{INTEGRATION_IDENTIFIER} - Delete CTP List Item" +DELETE_CTP_LIST_ITEMS_SCRIPT_NAME = f"{INTEGRATION_IDENTIFIER} - Delete CTP List Items" +DELETE_CTP_LISTS_SCRIPT_NAME = f"{INTEGRATION_IDENTIFIER} - Delete CTP Lists" + +DOWNLOAD_EMAIL_SCRIPT_NAME = f"{INTEGRATION_IDENTIFIER} - Download Email" +GET_ACTION_RESULT_SCRIPT_NAME = f"{INTEGRATION_IDENTIFIER} - Get Action Result" + 
+GET_ANOMALY_EXCS_SCRIPT_NAME = f"{INTEGRATION_IDENTIFIER} - Get Anomaly Exceptions" +GET_AP_EXCS_SCRIPT_NAME = f"{INTEGRATION_IDENTIFIER} - Get Anti-Phishing Exceptions" +GET_AVDLP_EXC_SCRIPT_NAME = f"{INTEGRATION_IDENTIFIER} - Get Avanan DLP Exception" +GET_AVDLP_EXCS_SCRIPT_NAME = f"{INTEGRATION_IDENTIFIER} - Get Avanan DLP Exceptions" +GET_AVURL_EXC_SCRIPT_NAME = f"{INTEGRATION_IDENTIFIER} - Get Avanan URL Exception" +GET_AVURL_EXCS_SCRIPT_NAME = f"{INTEGRATION_IDENTIFIER} - Get Avanan URL Exceptions" +GET_CP2_EXC_SCRIPT_NAME = f"{INTEGRATION_IDENTIFIER} - Get Anti-Malware Exception" +GET_CP2_EXCS_SCRIPT_NAME = f"{INTEGRATION_IDENTIFIER} - Get Anti-Malware Exceptions" +GET_CTP_LIST_SCRIPT_NAME = f"{INTEGRATION_IDENTIFIER} - Get CTP List" +GET_CTP_LIST_ITEM_SCRIPT_NAME = f"{INTEGRATION_IDENTIFIER} - Get CTP List Item" +GET_CTP_LIST_ITEMS_SCRIPT_NAME = f"{INTEGRATION_IDENTIFIER} - Get CTP List Items" +GET_CTP_LISTS_SCRIPT_NAME = f"{INTEGRATION_IDENTIFIER} - Get CTP Lists" + +GET_ENTITY_SCRIPT_NAME = f"{INTEGRATION_IDENTIFIER} - Get Entity" +GET_EVENTS_SCRIPT_NAME = f"{INTEGRATION_IDENTIFIER} - Get Events" +GET_SCAN_INFO_SCRIPT_NAME = f"{INTEGRATION_IDENTIFIER} - Get Scan Info" +PING_SCRIPT_NAME: str = f"{INTEGRATION_IDENTIFIER} - Ping" +REPORT_MIS_CLASSIFICATION_SCRIPT_NAME = f"{INTEGRATION_IDENTIFIER} - Report Mis-classification" +SEARCH_EMAILS_SCRIPT_NAME = f"{INTEGRATION_IDENTIFIER} - Search Emails" +SEND_ACTION_SCRIPT_NAME = f"{INTEGRATION_IDENTIFIER} - Send Action" + +UPDATE_AP_EXC_SCRIPT_NAME = f"{INTEGRATION_IDENTIFIER} - Update Anti-Phishing Exception" +UPDATE_AVDLP_EXC_SCRIPT_NAME = f"{INTEGRATION_IDENTIFIER} - Update Avanan DLP Exception" +UPDATE_AVURL_EXC_SCRIPT_NAME = f"{INTEGRATION_IDENTIFIER} - Update Avanan URL Exception" +UPDATE_CP2_EXC_SCRIPT_NAME = f"{INTEGRATION_IDENTIFIER} - Update Anti-Malware Exception" +UPDATE_CTP_LIST_ITEM_SCRIPT_NAME = f"{INTEGRATION_IDENTIFIER} - Update CTP List Item" + +DATE_FORMAT = "%Y-%m-%dT%H:%M:%SZ" + +# Maps 
+CP_DETECTION_VALUES = { + "Phishing": "cp_phishing", + "Suspected Phishing": "cp_ap_suspicious", + "Malware": "cp_malicious", + "Suspected Malware": "cp_av_suspicious", + "Spam": "cp_spam", + "Clean": "cp_clean", + "DLP": "cp_leak", + "Malicious URL Click": "cp_malicious_url_click", + "Malicious URL": "cp_malicious_url", +} +MS_DETECTION_VALUES = { + "Malware": "ms_malware", + "High Confidence Phishing": "ms_high_confidence_phishing", + "Phishing": "ms_phishing", + "High Confidence Spam": "ms_high_confidence_spam", + "Spam": "ms_spam", + "Bulk": "ms_bulk", + "Clean": "ms_clean", +} +CP_QUARANTINED_VALUES = { + "Quarantined (Any source)": "all", + "Not Quarantined": "cp_not_quarantined", + "Quarantined by Check Point": "cp_quarantined_by_cp", + "Quarantined by CP Analyst": "cp_quarantined_by_analyst", + "Quarantined by Admin": "cp_quarantined_by_admin", +} +MS_QUARANTINED_VALUES = { + "Quarantined": "ms_quarantined", + "Not Quarantined": "ms_not_quarantined", + "Not Quarantined Delivered to Inbox": "ms_delivered_inbox", + "Not Quarantined Delivered to Junk": "ms_delivered_junk", +} +MIS_CLASSIFICATION_CONFIDENCE = { + "Not so sure": "not_so_sure", + "Medium Confidence": "medium", + "High Confidence": "very", +} +MIS_CLASSIFICATION_OPTIONS = { + "Clean Email": "clean", + "Spam": "spam", + "Phishing": "phishing", + "Legit Marketing Email": "marketing_email", +} +SAAS_APPS_TO_SAAS_NAMES = { + "Microsoft Exchange": "office365_emails", + "Gmail": "google_mail" +} +SEVERITY_VALUES = { + "critical": 5, + "high": 4, + "medium": 3, + "low": 2, + "very low": 1 +} diff --git a/content/response_integrations/third_party/community/check_point_hec/core/create_sectool_exc.py b/content/response_integrations/third_party/community/check_point_hec/core/create_sectool_exc.py new file mode 100644 index 000000000..05f3b92fc --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/core/create_sectool_exc.py 
@@ -0,0 +1,96 @@ +from .base_action import BaseAction + + +class CreateSectoolException(BaseAction): + + def __init__( + self, + name: str, + output_message: str, + error_output: str, + sectool_name: str + ) -> None: + super().__init__(name) + self.output_message: str = output_message + self.error_output_message: str = error_output + self.sectool_name: str = sectool_name + + def _extract_action_parameters(self) -> None: + self.params.exception_type = self.soar_action.extract_action_param( + param_name="Exception Type", + print_value=True, + is_mandatory=True, + default_value=None, + ) + self.params.exception_string = self.soar_action.extract_action_param( + param_name="Exception String", + print_value=True, + is_mandatory=True, + default_value=None, + ) + self.params.entity_type = self.soar_action.extract_action_param( + param_name="Entity Type", + print_value=True, + is_mandatory=False + ) + self.params.entity_id = self.soar_action.extract_action_param( + param_name="Entity ID", + print_value=True, + is_mandatory=False + ) + self.params.comment = self.soar_action.extract_action_param( + param_name="Comment", + print_value=True, + is_mandatory=False + ) + self.params.exception_payload_condition = self.soar_action.extract_action_param( + param_name="Exception Payload Condition", + print_value=True, + is_mandatory=False + ) + self.params.file_name = self.soar_action.extract_action_param( + param_name="File Name", + print_value=True, + is_mandatory=False + ) + self.params.created_by_email = self.soar_action.extract_action_param( + param_name="Created By Email", + print_value=True, + is_mandatory=False + ) + self.params.is_exclusive = self.soar_action.extract_action_param( + param_name="Is Exclusive", + print_value=True, + is_mandatory=False, + input_type=bool + ) + + def _perform_action(self, _=None) -> None: + exception_type = self.params.exception_type + exception_string = self.params.exception_string + entity_type = self.params.entity_type + entity_id = 
self.params.entity_id + comment = self.params.comment + exception_payload_condition = self.params.exception_payload_condition + file_name = self.params.file_name + created_by_email = self.params.created_by_email + is_exclusive = self.params.is_exclusive + + exception = { + 'exceptionType':exception_type, + 'exceptionStr':exception_string, + 'entityType':entity_type, + 'entityId':entity_id, + 'fileName':file_name, + 'createdByEmail':created_by_email, + 'isExclusive':is_exclusive, + 'comment':comment + } + if exception_payload_condition: + exception["exceptionPayload"] = { + "condition": exception_payload_condition + } + self.json_results = self.api_client.create_sectool_exception( + self.sectool_name, + exception + ) diff --git a/content/response_integrations/third_party/community/check_point_hec/core/data_models.py b/content/response_integrations/third_party/community/check_point_hec/core/data_models.py new file mode 100644 index 000000000..3836025fb --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/core/data_models.py @@ -0,0 +1,9 @@ +from typing import NamedTuple + + +class IntegrationParameters(NamedTuple): + host: str + client_id: str + client_secret: str + verify_ssl: bool + is_infinity: bool diff --git a/content/response_integrations/third_party/community/check_point_hec/core/delete_sectool_exc.py b/content/response_integrations/third_party/community/check_point_hec/core/delete_sectool_exc.py new file mode 100644 index 000000000..dca1b8a3e --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/core/delete_sectool_exc.py 
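Review bot: `createdByEmail` is filled from the free-text `Created By Email` action parameter, so whatever the playbook passes is presumably what HEC records as the author of this new exception; a class docstring saying this field is caller-supplied, not taken from the SOAR session, would keep it from being read as an audit guarantee. Stylistically, the `exception` dict literal has no space after its colons (`'exceptionType':exception_type`), unlike the dicts in `api_clients.py`, and the client call here is positional while the sibling delete/update actions use keywords — pick one form. In the second hunk, `IntegrationParameters` is a `NamedTuple` carrying `client_secret`, so its default `repr` will print the secret if the tuple is ever logged; consider a `__repr__` that redacts it or a dataclass with `field(repr=False)`.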
@@ -0,0 +1,57 @@ +from .base_action import BaseAction + + +class DeleteSectoolException(BaseAction): + + def __init__( + self, + name: str, + output_message: str, + error_output: str, + sectool_name: str + ) -> None: + super().__init__(name) + self.output_message: str = output_message + self.error_output_message: str = error_output + self.sectool_name: str = sectool_name + + def _extract_action_parameters(self) -> None: + self.params.exception_type = self.soar_action.extract_action_param( + param_name="Exception Type", + print_value=True, + is_mandatory=True, + default_value=None, + ) + self.params.exception_string = self.soar_action.extract_action_param( + param_name="Exception String", + print_value=True, + is_mandatory=True, + default_value=None, + ) + self.params.entity_type = self.soar_action.extract_action_param( + param_name="Entity Type", + print_value=True, + is_mandatory=False + ) + self.params.entity_id = self.soar_action.extract_action_param( + param_name="Entity ID", + print_value=True, + is_mandatory=False + ) + + def _perform_action(self, _=None) -> None: + exception_type = self.params.exception_type + exception_string = self.params.exception_string + entity_type = self.params.entity_type + entity_id = self.params.entity_id + + exception = { + 'exceptionType':exception_type, + 'exceptionStr':exception_string, + 'entityType':entity_type, + 'entityId':entity_id + } + self.json_results = self.api_client.delete_sectool_exception( + sectool=self.sectool_name, + exception=exception + ) diff --git a/content/response_integrations/third_party/community/check_point_hec/core/delete_sectool_excs.py b/content/response_integrations/third_party/community/check_point_hec/core/delete_sectool_excs.py new file mode 100644 index 000000000..fcf58dc29 --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/core/delete_sectool_excs.py 
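Review bot: `self.api_client.delete_sectool_exception(sectool=..., exception=exception)` passes a keyword named `exception`, but the client method defined in `api_clients.py` earlier in this patch is `delete_sectool_exception(self, sectool: str, exc: dict, scopes=None)`, so this call raises `TypeError: unexpected keyword argument 'exception'` on every run and the exception is never deleted. Change the call to `exc=exception`. Since removing a security exception is a state change, consider including `exception_type` and `exception_string` in the action's output message so the case record shows what was removed.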
@@ -0,0 +1,57 @@ +from .base_action import BaseAction + + +class DeleteSectoolExceptions(BaseAction): + + def __init__( + self, + name: str, + output_message: str, + error_output: str, + sectool_name: str + ) -> None: + super().__init__(name) + self.output_message: str = output_message + self.error_output_message: str = error_output + self.sectool_name: str = sectool_name + + def _extract_action_parameters(self) -> None: + self.params.exception_type = self.soar_action.extract_action_param( + param_name="Exception Type", + print_value=True, + is_mandatory=True, + default_value=None, + ) + self.params.exception_string_list = self.soar_action.extract_action_param( + param_name="Exception String List", + print_value=True, + is_mandatory=True, + default_value=None, + ) + self.params.entity_type = self.soar_action.extract_action_param( + param_name="Entity Type", + print_value=True, + is_mandatory=False + ) + self.params.entity_id = self.soar_action.extract_action_param( + param_name="Entity ID", + print_value=True, + is_mandatory=False + ) + + def _perform_action(self, _=None) -> None: + exception_type = self.params.exception_type + exception_string_list = self.params.exception_string_list.split(',') + entity_type = self.params.entity_type + entity_id = self.params.entity_id + + exception = { + 'exceptionType':exception_type, + 'exceptionStrList':exception_string_list, + 'entityType':entity_type, + 'entityId':entity_id + } + self.json_results = self.api_client.delete_sectool_exceptions( + sectool=self.sectool_name, + exception=exception + ) diff --git a/content/response_integrations/third_party/community/check_point_hec/core/exceptions.py b/content/response_integrations/third_party/community/check_point_hec/core/exceptions.py new file mode 100644 index 000000000..6cc62927b --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/core/exceptions.py 
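Review bot: Same keyword mismatch as the single-delete action: the client method is `delete_sectool_exceptions(self, sectool, exc, scopes=None)`, so `exception=exception` raises `TypeError` before any request is sent; use `exc=exception`. `self.params.exception_string_list.split(',')` also keeps surrounding whitespace and empty entries (`"a, b,"` becomes `['a', ' b', '']`), so `[s.strip() for s in self.params.exception_string_list.split(',') if s.strip()]` would avoid forwarding blank or padded strings to the bulk-delete endpoint.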
@@ -0,0 +1,6 @@ +class CheckPointHECIntegrationError(Exception): + """General exception for Check Point HEC Integration.""" + + +class CheckPointHECPermissionsError(CheckPointHECIntegrationError): + """Exception for permission-related errors in Check Point HEC Integration.""" diff --git a/content/response_integrations/third_party/community/check_point_hec/core/get_sectool_exc.py b/content/response_integrations/third_party/community/check_point_hec/core/get_sectool_exc.py new file mode 100644 index 000000000..018c89fe9 --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/core/get_sectool_exc.py @@ -0,0 +1,40 @@ +from .base_action import BaseAction + + +class GetSectoolException(BaseAction): + + def __init__( + self, + name: str, + output_message: str, + error_output: str, + sectool_name: str + ) -> None: + super().__init__(name) + self.output_message: str = output_message + self.error_output_message: str = error_output + self.sectool_name: str = sectool_name + + def _extract_action_parameters(self) -> None: + self.params.exception_type = self.soar_action.extract_action_param( + param_name="Exception Type", + print_value=True, + is_mandatory=True, + default_value=None, + ) + self.params.exception_string = self.soar_action.extract_action_param( + param_name="Exception String", + print_value=True, + is_mandatory=True, + default_value=None, + ) + + def _perform_action(self, _=None) -> None: + exception_type = self.params.exception_type + exception_string = self.params.exception_string + + self.json_results = self.api_client.get_sectool_exception( + sectool=self.sectool_name, + exception_type=exception_type, + exception_string=exception_string + ) diff --git a/content/response_integrations/third_party/community/check_point_hec/core/get_sectool_excs.py b/content/response_integrations/third_party/community/check_point_hec/core/get_sectool_excs.py new file mode 100644 index 000000000..90aa70178 --- /dev/null 
+++ b/content/response_integrations/third_party/community/check_point_hec/core/get_sectool_excs.py 
@@ -0,0 +1,80 @@ +from .base_action import BaseAction + + +class GetSectoolExceptions(BaseAction): + + def __init__( + self, + name: str, + output_message: str, + error_output: str, + sectool_name: str + ) -> None: + super().__init__(name) + self.output_message: str = output_message + self.error_output_message: str = error_output + self.sectool_name: str = sectool_name + + def _extract_action_parameters(self) -> None: + self.params.exception_type = self.soar_action.extract_action_param( + param_name="Exception Type", + print_value=True, + is_mandatory=True, + default_value=None, + ) + self.params.filter_string = self.soar_action.extract_action_param( + param_name="Filter String", + print_value=True, + is_mandatory=False + ) + self.params.filter_index = self.soar_action.extract_action_param( + param_name="Filter Index", + print_value=True, + is_mandatory=False + ) + self.params.sort_direction = self.soar_action.extract_action_param( + param_name="Sort Direction", + print_value=True, + is_mandatory=False + ) + self.params.last_evaluated_key = self.soar_action.extract_action_param( + param_name="Last Evaluated Key", + print_value=True, + is_mandatory=False + ) + self.params.insert_time_gte = self.soar_action.extract_action_param( + param_name="Insert Time GTE", + print_value=True, + is_mandatory=False, + default_value=False, + input_type=bool + ) + self.params.limit = self.soar_action.extract_action_param( + param_name="Limit", + print_value=True, + is_mandatory=False, + input_type=int + ) + + def _perform_action(self, _=None) -> None: + exception_type = self.params.exception_type + filter_string = self.params.filter_string + filter_index = self.params.filter_index + sort_direction = self.params.sort_direction + last_evaluated_key = self.params.last_evaluated_key + insert_time_gte = self.params.insert_time_gte + limit = self.params.limit + + exception_data = { + 'filterStr': filter_string, + 'filterIndex': filter_index, + 'sortDir': sort_direction, + 
'lastEvaluatedKey': last_evaluated_key, + 'insertTimeGte': insert_time_gte, + 'limit': limit + } + self.json_results = self.api_client.get_sectool_exceptions( + sectool=self.sectool_name, + exception_type=exception_type, + exception_data=exception_data + ) diff --git a/content/response_integrations/third_party/community/check_point_hec/core/update_sectool_exc.py b/content/response_integrations/third_party/community/check_point_hec/core/update_sectool_exc.py new file mode 100644 index 000000000..e9c599ff0 --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/core/update_sectool_exc.py 
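Review bot: `Insert Time GTE` is extracted with `input_type=bool, default_value=False` yet sent as `insertTimeGte`, a name that reads as a lower-bound timestamp filter, so the API will receive `False` rather than a time value whenever the parameter is left unset; confirm the intended type against the action YAML and the API, and if it is a timestamp extract it as a string with no default so that unset means unset. `limit` is accepted as any int with no floor, so zero or negative values are forwarded as-is; a `if limit is not None and limit <= 0: raise ...` check would fail earlier than the API round-trip.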
@@ -0,0 +1,60 @@ +from .base_action import BaseAction + + +class UpdateSectoolException(BaseAction): + + def __init__( + self, + name: str, + output_message: str, + error_output: str, + sectool_name: str + ) -> None: + super().__init__(name) + self.output_message: str = output_message + self.error_output_message: str = error_output + self.sectool_name: str = sectool_name + + def _extract_action_parameters(self) -> None: + self.params.exception_type = self.soar_action.extract_action_param( + param_name="Exception Type", + print_value=True, + is_mandatory=True, + default_value=None, + ) + self.params.exception_string = self.soar_action.extract_action_param( + param_name="Exception String", + print_value=True, + is_mandatory=True, + default_value=None, + ) + self.params.comment = self.soar_action.extract_action_param( + param_name="Comment", + print_value=True, + is_mandatory=False + ) + self.params.exception_payload_condition = self.soar_action.extract_action_param( + param_name="Exception Payload Condition", + print_value=True, + is_mandatory=False + ) + + def _perform_action(self, _=None) -> None: + exception_type = self.params.exception_type + exception_string = self.params.exception_string + comment = self.params.comment + exception_payload_condition = self.params.exception_payload_condition + + exception = { + 'exceptionType':exception_type, + 'exceptionStr':exception_string, + 'comment':comment + } + if exception_payload_condition: + exception["exceptionPayload"] = { + "condition": exception_payload_condition + } + self.json_results = self.api_client.update_sectool_exception( + sectool=self.sectool_name, + exception=exception + ) diff --git a/content/response_integrations/third_party/community/check_point_hec/definition.yaml b/content/response_integrations/third_party/community/check_point_hec/definition.yaml new file mode 100644 index 000000000..86653330a --- /dev/null +++ b/content/response_integrations/third_party/community/check_point_hec/definition.yaml 
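Review bot: `update_sectool_exception(sectool=..., exception=exception)` uses the keyword `exception`, but the client method at the top of this patch documents and spreads `exc` (`:param exc: Exception data`, `**exc`), so this call fails with `TypeError` before any request is made; change it to `exc=exception`. The client method's signature line itself is cut off above this view, so the parameter name is read from its docstring and body rather than its `def` line.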
@@ -0,0 +1,28 @@
+identifier: CheckPointHEC
+name: Check Point HEC
+parameters:
+ - name: Host
+ type: string
+ description: Smart API Server Host, this can be different for the same region depending on the type of credentials used to authenticate.
+ is_mandatory: false
+ integration_identifier: CheckPointHEC
+ - name: Client ID
+ type: password
+ description: Client Identifier, together with Client Secret used for authentication.
+ is_mandatory: false
+ integration_identifier: CheckPointHEC
+ - name: Client Secret
+ type: password
+ description: Client Secret, together with Client Identifier used for authentication.
+ is_mandatory: false
+ integration_identifier: CheckPointHEC
+ - name: Verify SSL
+ default_value: true
+ type: boolean
+ description: If selected, the integration validates the SSL certificate when connecting to Smart API Service. Selected by default.
+ is_mandatory: false
+ integration_identifier: CheckPointHEC
+documentation_link: https://cloud.google.com/chronicle/docs/soar/marketplace-integrations/CheckPointHEC
+categories: []
+svg_logo_path: resources/checkpoint-logo.svg
+image_path: resources/checkpoint-image.png
diff --git a/content/response_integrations/third_party/community/check_point_hec/pyproject.toml b/content/response_integrations/third_party/community/check_point_hec/pyproject.toml
new file mode 100644
index 000000000..3210c6f1f
--- /dev/null
+++ b/content/response_integrations/third_party/community/check_point_hec/pyproject.toml
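Review bot: `Client ID` and `Client Secret` are declared `is_mandatory: false` although their descriptions say both are used for authentication, so an instance saved without them fails only when the first action runs rather than at configuration time; unless an alternative credential path exists that this file does not show, `is_mandatory: true` on both would surface the mistake earlier. `Host` is likewise optional with no `default_value`, which may be intended if the client falls back to a regional default, but the description should then say so.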
@@ -0,0 +1,30 @@
+[project]
+name = "CheckPointHEC"
+version = "1.0"
+description = "Add your description here"
+requires-python = ">=3.11,<3.12"
+dependencies = [
+ "cached-property>=2.0.1",
+ "dateparser>=1.3.0",
+ "environmentcommon",
+ "python-jose>=3.5.0",
+ "requests>=2.32.5",
+ "tipcommon",
+]
+
+[dependency-groups]
+dev = [
+ "pytest>=9.0.2",
+ "soar-sdk",
+ "integration-testing",
+ "pytest-json-report>=1.5.0",
+]
+
+[tool.pytest.ini_options]
+pythonpath = "."
+
+[tool.uv.sources]
+soar-sdk = { git = "https://github.com/chronicle/soar-sdk" }
+tipcommon = { path = "../../../../../packages/tipcommon/whls/TIPCommon-2.3.1-py3-none-any.whl" }
+environmentcommon = { path = "../../../../../packages/envcommon/whls/EnvironmentCommon-1.0.3-py3-none-any.whl" }
+integration-testing = { path = "../../../../../packages/integration_testing_whls/integration_testing-2.3.1-py3-none-any.whl" }
diff --git a/content/response_integrations/third_party/community/check_point_hec/release_notes.yaml b/content/response_integrations/third_party/community/check_point_hec/release_notes.yaml
new file mode 100644
index 000000000..07aecfc07
--- /dev/null
+++ b/content/response_integrations/third_party/community/check_point_hec/release_notes.yaml
@@ -0,0 +1,7 @@
+- description: New Integration Added - Check Point HEC.
+ integration_version: 1.0
+ item_name: Check Point HEC
+ item_type: Integration
+ publish_time: '2025-12-20'
+ ticket_number: '429552537'
+ new: true
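Review bot: `soar-sdk = { git = "https://github.com/chronicle/soar-sdk" }` in `[tool.uv.sources]` names no `rev`, `tag` or `branch`, so every fresh dev install resolves whatever the default branch holds at that moment and two developers or CI runs can test against different SDK code. Pinning it, e.g. `soar-sdk = { git = "https://github.com/chronicle/soar-sdk", tag = "<SDK_TAG>" }` (placeholder), keeps the dev group reproducible; the three `path` sources are already fixed by their wheel filenames. `description = "Add your description here"` is template text that should not reach the release.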
diff --git a/content/response_integrations/third_party/community/check_point_hec/resources/checkpoint-image.png b/content/response_integrations/third_party/community/check_point_hec/resources/checkpoint-image.png new file mode 100644 index 0000000000000000000000000000000000000000..6c214963e6b5abc7a961a2f1a5b0feddd1257be3 GIT binary patch literal 5377 zcma)=bx;)0x5q&`m!-QKrICdNK|&T-8fgJ(30b99I+m7@#)Ty$M1-ZgyBiUZSW-Yj zRC0mG`@Q$~oA<}Pcji0y%$)BzXYS1X#Omv6P>?c{;^5#=XhPHs@6R9iOO=@Lem{40 zW5B_o9nw^LY7DnNd_fdw+<&&y9u2UmR(Lg2M5Go+`;_YGUW{?shbbVjOejIoId@yM znoxm)&@(PvUMm0N_Gos0x>Wa?Mfa4IoV&o<=7rW;Kg*bF8~C3aP$xw|=}PwHPL7<{ z(F!Xs7Z*lqi>fm@Ir(CflSF_EqYCNKgj`Uiz^JL8Ab4{S2msgrQ|^<}Xj*RcoJ~=W zcfo#tBkkG;`6&5Hl1(0-EGa43S42%69PJzh8y+5(K0tbY_D}y}EN&AloOb6UJXSe_d6|{jyfr=H)n=a zm?lY52?C+S9YCCk(%oZ8`cS>dt0g#v+_3qj_9kRs`L`U{080ja8#K~kpCXccr*tI7 zCM2o>)`Az4@y#HICt3ZGFQ0Taw;GR9A9X0ZAmA%qIk*vm4xFUg5A0p4_1t=C674^17*xuC;H;s%K=$uG*|0 z&Bu#nwg!sIxVx1&1+?6JjMyUO9c?hO^P#4mWK-bJk=c37w{@JY81UFYx#_39UHbp( zWp^r0S`B`@+P;v9LM^Hz zC2U4A+A}M$@xB}Y)#`&(KnW)q3=%e{o5|bRxI)~Cc%akXn4?lULrrJC*GdQ^I^-8 zPr`10ghAUoY5~fR8HF4#3@zC`p<|uiMRk13aNsMt7_c{Aak$)EytK4P52)kea-$b_{@_va3E&vgHQ=LVU)$aR60;sYIKo6Sw~w&0kfr~fbV`|&_^@T(f)jm+0O>}X)f4j z6fT{snUlg6MBP{GVl~P+pfDPPSkNgKf#1dD123vxTp0=I84`=o9I`8(x~+tUdO1&?hT_hxq4hW{XqfggyfpwE z7{|i)r85A4No%%L=hILOq$T7Sl{JnlYv)<@1gWzU-f|M~YUVT0$9)Yo@Sa)y`uvb4 zwY)0`>wMN}u0-y5$OtXfTjJoUux!mBJUgDe4pdCicR0gWA9jHMPKFMf}3s2O;&&Sm{OgktLwmY`%Fs@G@Xd!zexfX7y{(RDRE zj!t+?wL7haFaC_=q&Lps3=sK6XU8__c!baS) z<4c(YaLT%l<#3QJs}3|ebQU~r(YCr^?Vl|lIFrHtB+w=E8K6nFuGZFinPv9ZQS=IU zX)fy#{s$n?&V-KBw_;xg?q3H)k546bBa87sWygC|3?Hk^Q~BG_HaCOXb%~EuETA97 zKb*@fMF?pBy`uTKSOIQ7I~B1SNM!#MoJ4@LhUuVvifnS}h{$JeLjf-i8`lI~Z~S%J zrroEBEt~Wo83A6CIFq7wA)sf33Q?)_9nr`DN{Du8-@c7RN}Ug9R_@ja@6oUuw3v4p zB@e4H-NM+6mjY!a+PmgOOv`jD&f$YEImMgqdzr80nO-W%r~M~v(6Uqfw2{g->aHgh+rRCt5#5;V^{Ror7tUGtE;KWXl6~6NwEKl`1va0+> z!ogi87pP8?9j^E5fOBZFGJAK4Ra9uRr&YjlW)zPD*Ik<@i=M zI@+&nZ>XEAkX;Oh%6hIA^+r?9UR2wgH%B&`fC6^je_UX~ysi#Bu8q{-vOJ)F#KvDQ 
zB8Z4EhS##nViMUDN0#2km^`%9{bv?nAaGQFOT=MlXIJ>q?-->hJbe3%X`x6uy^JZ)=Of$xJ zb1z1*^*lxsB)%uBu}uGvfE!cwKs8>*<2!_p1@*PdZi|Apr@+eWK@x{zO>6M!1xbha zx;%6-oIs+P#1qG z>1-qTi)qEc8ha)iOdB+tEWV2{8tNKC)PnvXU`K-8)yi*?dk%^rshPO5Qq8?kt+lt| zk}2b9A6&Rc6Q$CAyKy`IxJf53CX$!oo0q?xL%n}mpmLDYJ0i`+%I#T&+oSwS zOlZtkJmV7>|^tkk&N4a3%g=q#@xS-Q!L&f7HDQi`9GR|R7D%-@#)-X+F z`%M(i}>GWpAE#`7Rew?u?YV)+doyQcsHg@oo*J{*> z<4-y>yRPUjPZ!xN??BJZa99?MA}f2opn|{i**dN<>}pP^QYek2#cPmKC-$g-it@7j zc_p+v==%5L^(U?-={n)%tVBu=da z*W)R4Qpoltj2v%Pmp56;Rw=qpuzVt*UP#UhurGv}DmCKQ+1R{$UBBND?7Y_K{EhM} z$@^FvnhF2k^nA2Gx4*Tc1;k|%Je*_Imm&`TSv{*!t}=B9P#7&UlV~(j2*zds6yzyV zDM}J#sYr+_j4Gk#9i=m*3O+}~(FbP#)~HWa!5cII5P}7?O=%mXKPH zP~Y<*!!KqM4FW$NIeC#yYn#Wd0FE>l8--G7@}3Wk#|H|rSv%h_$!Kb|;I>v?pCA$m;gd=XbUbpI@0$g%Fj)InB*T=G9om#}fX zyu6>^!77cAI#9=|-Vm&TQDJ}!NwnlgY4^T;kPe6JP0TsoIrq1lP<9esfZr4~Wq3_p zI7vdkeRnv4?^P49k2)q)vGhefl^*3sk*i0Dy zr8;m>h>O; zOM4n;RtiyQS!tG;%L2Eo0nkDa(c8X(0un~|cfWuzUJ+08OohhzsxdCKw|0W{V8`GF z&r)W0yH9A&`n3wj(#u*c5NAgA9*nU-EZs}Klb<#D%ELILj`hrG*u%L-=XskMuleLk zeqS6H?RmHtw`yy)^Ri#1tXYc#3EhNe{I@P3?wR_d@Aya4^(-MIKvoe(HFBIJ>E>79 zks;llm!V4VPRgWwm&-R^M3(mv~>YUNK6OQ?^B2DBTWlPUilp`0`2_)YN%-`<{ZjP*~0O z!KPKb-nxqVMbTVg$Xf6ZX~Ut3gE=6AmJ4n|=F+}rRC+obChgk#XZdvf?lXg$RkK~B ze?~NwL>K95kQ_wF z&X$zmJ$bb94xUaALWi4DEWFIvKg5Xd<$F}gn+jScHV~Ifq9nWURdOrwEo1|WJG}5w z4f$Ql9iBbwB8ShA`D~&&owk|mm{(0vzC2OJysWVGE?g9$1BIYLoSumvv)k-|i!f^M zVfVYDMg-pLwT}LJ(hb&hi7Eo6-R&j%>+Ya{e|d~u59S(t+>mEZ@kke)v79HW35R{v zq3p^QF7q|Tc<>gc*^+oo1+>bwn=&a zq|Gnh;)8-y7_TE`fFH2>i;JW75+K;{pjDGHgT3g!JfpZK+NxQF!Hl`6mq*cJeY>7h zZ7huAt$t#M ztL;d=fzs}XYd}-%xe*++;N-UO6*I_H8G5Vacf=YZCNvf>{lWWO^y*51!SsW46M!#Q zWSlbm6Mzebbyz^}`|E%tOAWP#>~6^|vGE}|d&&)+zJ+PP(V=Alyn8glwn{?@(c$@1 zL~Pkr-H6g=ppLG|+L4|#+nhJTz5kn&-s2BwQLSQbfpN$(7+O<} z1)|Lo?(soHDL1QaJ3Ja1L2smTYyEhmn`uLn(QN0B_fTqbE4cW*mF73(s=5*cqTmL1 z?GeKHJ(g->V3<3dqs&RI(t43f$jLPnxxlv$#xmNkvZoneyJQvUJW9N-KAc9 z2BLEhahCJRHSAnb-uW;({MTHN?;D${CdGi!+l9O2cYn3CENdbjmfAPtJyY2TAz9P| zk&uv-CL`{#92YN!mp71D^IqXlq1ILDiT*$3Tfm{QBVcyom%}~U#L-mORjX974gW7z 
C?
\ No newline at end of file
From 35cf29413c73dd3de435b7706b18a021f17f549b Mon Sep 17 00:00:00 2001
From: arvidb
Date: Tue, 21 Apr 2026 14:23:40 -0400
Subject: [PATCH 2/2] Address checks
---
.../actions/create_anomaly_exc.py | 8 ++---
.../check_point_hec/actions/get_events.py | 10 +++---
.../community/check_point_hec/actions/ping.py | 5 +--
.../check_point_hec/actions/search_emails.py | 36 ++-----------------
.../check_point_hec/core/api_clients.py | 1 -
.../check_point_hec/core/auth_managers.py | 2 +-
.../community/check_point_hec/pyproject.toml | 2 +-
7 files changed, 15 insertions(+), 49 deletions(-)
diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/create_anomaly_exc.py b/content/response_integrations/third_party/community/check_point_hec/actions/create_anomaly_exc.py
index 08588199e..2bb1a8f56 100644
--- a/content/response_integrations/third_party/community/check_point_hec/actions/create_anomaly_exc.py
+++ b/content/response_integrations/third_party/community/check_point_hec/actions/create_anomaly_exc.py
@@ -1,4 +1,5 @@
-import json
+from __future__ import annotations
+import yaml
 
 from TIPCommon.validation import ParameterValidator
 
@@ -17,8 +18,7 @@ def __init__(self) -> None:
 self.error_output_message: str = ERROR_MESSAGE
 
 def _extract_action_parameters(self) -> None:
- self.params.request_json = self.soar_action.parameters.get(
- siemplify=self.soar_action,
+ self.params.request_json = self.soar_action.extract_action_param(
 param_name="Request JSON",
 print_value=True,
 is_mandatory=True
@@ -34,7 +34,7 @@ def _validate_params(self) -> None:
 validator.validate_json(param_name="Request JSON", json_string=self.params.request_json)
 
 def _perform_action(self, _=None) -> None:
- request_json = json.loads(self.params.request_json)
+ request_json = yaml.safe_load(self.params.request_json)
 added_by = self.params.added_by
 self.json_results = self.api_client.create_anomaly_exception(request_json=request_json, added_by=added_by)
 
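Review bot: Parsing `Request JSON` with `yaml.safe_load` in the third hunk while `_validate_params` still checks it with `validator.validate_json` means the value is validated under one grammar and consumed under another: input that passes as JSON can read differently in YAML (under PyYAML's YAML 1.1 resolver `1e5` becomes the string `"1e5"`, since its float rule needs a dot), and YAML also accepts bare scalars that `json.loads` rejected, so a plain string now parses to `str` instead of raising. Keeping `request_json = json.loads(self.params.request_json)` matches the validator; if YAML input is intended, the validator should use the same parser. The same switch appears in the get_events.py and search_emails.py hunks, where the list parameters have no validator at all, so `yaml.safe_load("Phishing")` returns a string and the comprehensions iterate its characters while an empty value yields `None` and a `TypeError`. `yaml` (PyYAML) is also not declared in pyproject.toml's `dependencies` (the pyproject hunk in this patch only changes the description); it may arrive transitively, but a directly imported package should be listed.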
diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/get_events.py b/content/response_integrations/third_party/community/check_point_hec/actions/get_events.py
index 2eda7713e..48754a2b8 100644
--- a/content/response_integrations/third_party/community/check_point_hec/actions/get_events.py
+++ b/content/response_integrations/third_party/community/check_point_hec/actions/get_events.py
@@ -1,4 +1,4 @@
-import json
+import yaml
 
 from ..core.base_action import BaseAction
 from ..core.constants import GET_EVENTS_SCRIPT_NAME, SAAS_APPS_TO_SAAS_NAMES, SEVERITY_VALUES
@@ -57,10 +57,10 @@ def _extract_action_parameters(self) -> None:
 def _perform_action(self, _=None) -> dict:
 start_date = self.params.start_date
 end_date = self.params.end_date
- saas_apps = [SAAS_APPS_TO_SAAS_NAMES[saas] for saas in json.loads(self.params.saas_apps)]
- states = [state.lower() for state in json.loads(self.params.states)]
- severities = [SEVERITY_VALUES[severity.lower()] for severity in json.loads(self.params.severities)]
- threat_types = [threat_type.lower().replace(" ", "_") for threat_type in json.loads(self.params.threat_types)]
+ saas_apps = [SAAS_APPS_TO_SAAS_NAMES[saas] for saas in yaml.safe_load(self.params.saas_apps)]
+ states = [state.lower() for state in yaml.safe_load(self.params.states)]
+ severities = [SEVERITY_VALUES[severity.lower()] for severity in yaml.safe_load(self.params.severities)]
+ threat_types = [threat_type.lower().replace(" ", "_") for threat_type in yaml.safe_load(self.params.threat_types)]
 limit = self.params.limit
 
 self.json_results = self.api_client.query_events(
diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/ping.py b/content/response_integrations/third_party/community/check_point_hec/actions/ping.py
index 17642c77e..629da06ae 100644
--- a/content/response_integrations/third_party/community/check_point_hec/actions/ping.py
+++ b/content/response_integrations/third_party/community/check_point_hec/actions/ping.py
@@ -2,13 +2,10 @@
 from ..core.constants import PING_SCRIPT_NAME
 from ..core.exceptions import CheckPointHECPermissionsError
 
 
-SUCCESS_MESSAGE: str = (
- "Successfully connected to the Smart API Service with the provided connection parameters!"
-)
+SUCCESS_MESSAGE: str = "Successfully connected to the Smart API Service with the provided connection parameters!"
 ERROR_MESSAGE: str = "Failed to connect to the Smart API Service!"
 
-
 class Ping(BaseAction):
 
 def __init__(self) -> None:
diff --git a/content/response_integrations/third_party/community/check_point_hec/actions/search_emails.py b/content/response_integrations/third_party/community/check_point_hec/actions/search_emails.py
index 515317cee..0a3e6520d 100644
--- a/content/response_integrations/third_party/community/check_point_hec/actions/search_emails.py
+++ b/content/response_integrations/third_party/community/check_point_hec/actions/search_emails.py
@@ -1,6 +1,4 @@
-import json
-
-import dateparser
+import yaml
 
 from ..core.base_action import BaseAction
 from ..core.constants import SEARCH_EMAILS_SCRIPT_NAME, DATE_FORMAT, SAAS_APPS_TO_SAAS_NAMES, \
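Review bot: Collapsing `SUCCESS_MESSAGE` onto one line produces a 113-character statement, which is why the original used the parenthesised form; unless the project's line-length limit allows it, the three-line version was the conventional way to keep the long literal readable. The same hunk also deletes one of the blank lines before `class Ping(BaseAction):`; as far as the collapsed hunk shows, that leaves a single blank line between the module constants and the class where PEP 8 (E302) expects two, so it is worth checking the file after the change. Both points are style only and do not affect behaviour.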
@@ -143,34 +141,6 @@ def _extract_action_parameters(self) -> None:
 is_mandatory=False,
 )
 
- # def _validate_params(self) -> None:
- # if start_date := self.params.start_date:
- # self.params.start_date = start_date
- # if end_date := self.params.end_date:
- # self.params.end_date = end_date
- # else:
- # ...
- # # error
- #
- # if (subject_contains := self.params.subject_contains) and \
- # (subject_match := self.params.subject_match):
- # ...
- # # error
- #
- # if (sender_contains := self.params.sender_contains) and \
- # (sender_match := self.params.sender_match):
- # ...
- # # error
- #
- # if (recipients_contains := self.params.recipients_contains) and \
- # (recipient_match := self.params.recipients_match):
- # ...
- # # error
- #
- # if (name_contains := self.params.name_contains) and (name_match := self.params.name_match):
- # ...
- # # error
-
 def _perform_action(self, _=None) -> None:
 start_date = self.params.start_date
 end_date = self.params.end_date
@@ -182,11 +152,11 @@ def _perform_action(self, _=None) -> None:
 sender_match = self.params.sender_match
 domain = self.params.domain
 cp_detection = [CP_DETECTION_VALUES[detection] for detection in \
- json.loads(self.params.cp_detection) if detection != ''] if (self.params.cp_detection != '') else None
+ yaml.safe_load(self.params.cp_detection) if detection != ''] if (self.params.cp_detection != '') else None
 if cp_detection == ['']:
 cp_detection = None
 ms_detection = [MS_DETECTION_VALUES[detection] for detection in \
- json.loads(self.params.ms_detection) if detection != ''] if (self.params.ms_detection != '') else None
+ yaml.safe_load(self.params.ms_detection) if detection != ''] if (self.params.ms_detection != '') else None
 if ms_detection == ['']:
 ms_detection = None
 detection_op = self.params.detection_op
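Review bot: The `!= ''` guard around `yaml.safe_load(self.params.cp_detection)` (and `ms_detection`) in the second hunk only skips the empty string; if the parameter is optional and arrives as `None` — its extraction is outside this hunk — `yaml.safe_load(None)` raises just as `json.loads(None)` did, so a truthiness test, `... if self.params.cp_detection else None`, covers both cases. The following `if cp_detection == ['']:` looks unreachable, because the comprehension already filters `detection != ''` before the `CP_DETECTION_VALUES` lookup, unless that mapping can itself yield `''`. The backslash continuations inside the list comprehensions are redundant (the brackets already continue the expression), and the conditional-comprehension nested inside a conditional expression is hard to read; a small helper such as `_parse_detections(raw, mapping)` shared by both lines would make the intent plain. The first hunk removes the commented-out `_validate_params` sketch of mutual-exclusion checks for the `*_contains`/`*_match` pairs without replacing it; if the API rejects both forms together, a real `_validate_params` or at least a TODO should survive the cleanup.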
diff --git a/content/response_integrations/third_party/community/check_point_hec/core/api_clients.py b/content/response_integrations/third_party/community/check_point_hec/core/api_clients.py
index 414be4701..ac3fa7664 100644
--- a/content/response_integrations/third_party/community/check_point_hec/core/api_clients.py
+++ b/content/response_integrations/third_party/community/check_point_hec/core/api_clients.py
@@ -61,7 +61,6 @@ def call_api(
 res.raise_for_status()
 except requests.exceptions.HTTPError as e:
- print(f'request exception: status_code[{e.response.status_code}] response[{e.response.content}]')
 raise e
 
 self.json_results = res.json()
diff --git a/content/response_integrations/third_party/community/check_point_hec/core/auth_managers.py b/content/response_integrations/third_party/community/check_point_hec/core/auth_managers.py
index b968276eb..a841bc5da 100644
--- a/content/response_integrations/third_party/community/check_point_hec/core/auth_managers.py
+++ b/content/response_integrations/third_party/community/check_point_hec/core/auth_managers.py
@@ -9,7 +9,7 @@
 from cached_property import cached_property
 from jose import jwt
 
-from constants import SMART_API_VERSION
+from .constants import SMART_API_VERSION
 
 
 class AuthManager(ABC):
diff --git a/content/response_integrations/third_party/community/check_point_hec/pyproject.toml b/content/response_integrations/third_party/community/check_point_hec/pyproject.toml
index 3210c6f1f..47a9d035f 100644
--- a/content/response_integrations/third_party/community/check_point_hec/pyproject.toml
+++ b/content/response_integrations/third_party/community/check_point_hec/pyproject.toml
@@ -1,7 +1,7 @@
 [project]
 name = "CheckPointHEC"
 version = "1.0"
-description = "Add your description here"
+description = "The Best Way to Protect Enterprise Email & Collaboration from phishing, malware, account takeover, data loss, etc."
 requires-python = ">=3.11,<3.12"
 dependencies = [
 "cached-property>=2.0.1",
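Review bot: With the `print` gone, the `except requests.exceptions.HTTPError as e:` branch in the api_clients.py hunk does nothing but `raise e`, and `raise e` rather than a bare `raise` also appends the handler frame to the traceback; either drop the `try`/`except` around `res.raise_for_status()` or turn the error into the integration's own type, e.g. `raise CheckPointHECPermissionsError(...) from e` for the status codes that mean an authorisation failure, so callers such as ping.py can distinguish it. Removing the line that echoed `e.response.content` is the right call, since the response body can carry account or message data and the SOAR log is not the place for it; if a diagnostic is still wanted, log only `e.response.status_code`. `call_api` continues outside the hunk, so the surrounding `try:` is not visible here.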