From 2a9247ea8aaca5ff00d896082952fedf61286489 Mon Sep 17 00:00:00 2001 From: maxn Date: Sun, 20 Oct 2024 18:01:15 +0300 Subject: [PATCH] V 1.1.0 - Added statistics fields - Added fetching incidents with filtering by minimum probability --- ...tfield-CheckPointNDR_ApplicationNames.json | 32 ++++ ...dentfield-CheckPointNDR_ReceivedBytes.json | 32 ++++ ...incidentfield-CheckPointNDR_SentBytes.json | 32 ++++ .../CheckPointNDR/CheckPointNDR.py | 26 ++- .../CheckPointNDR/CheckPointNDR.yml | 6 + .../CheckPointNDR/CheckPointNDR_test.py | 4 +- .../Integrations/CheckPointNDR/README.md | 39 +--- .../checkpointndr-get_insight_event.json | 73 +++++--- ...ntainer-CheckPointNDR_Incident_Layout.json | 172 +++++++++++------- Packs/CheckPointNDR/README.md | 6 +- Packs/CheckPointNDR/ReleaseNotes/1_1_0.md | 8 + Packs/CheckPointNDR/pack_metadata.json | 2 +- 12 files changed, 300 insertions(+), 132 deletions(-) create mode 100644 Packs/CheckPointNDR/IncidentFields/incidentfield-CheckPointNDR_ApplicationNames.json create mode 100644 Packs/CheckPointNDR/IncidentFields/incidentfield-CheckPointNDR_ReceivedBytes.json create mode 100644 Packs/CheckPointNDR/IncidentFields/incidentfield-CheckPointNDR_SentBytes.json create mode 100644 Packs/CheckPointNDR/ReleaseNotes/1_1_0.md diff --git a/Packs/CheckPointNDR/IncidentFields/incidentfield-CheckPointNDR_ApplicationNames.json b/Packs/CheckPointNDR/IncidentFields/incidentfield-CheckPointNDR_ApplicationNames.json new file mode 100644 index 000000000000..c42cb8f34c0f --- /dev/null +++ b/Packs/CheckPointNDR/IncidentFields/incidentfield-CheckPointNDR_ApplicationNames.json 
@@ -0,0 +1,32 @@ +{ + "id": "incident_appiname", + "version": -1, + "modified": "2024-10-20T22:22:45.48967185Z", + "name": "Application Names", + "ownerOnly": false, + "description": "", + "cliName": "appiname", + "type": "multiSelect", + "closeForm": false, + "editForm": true, + "required": false, + "neverSetAsRequired": false, + "isReadOnly": false, + "useAsKpi": false, + "locked": false, + "system": false, + "content": true, + "group": 0, + "hidden": false, + "openEnded": false, + "associatedTypes": [ + "Check Point NDR Insight" + ], + "associatedToAll": false, + "unmapped": false, + "unsearchable": false, + "caseInsensitive": true, + "sla": 0, + "threshold": 72, + "fromVersion": "6.9.0" +} \ No newline at end of file diff --git a/Packs/CheckPointNDR/IncidentFields/incidentfield-CheckPointNDR_ReceivedBytes.json b/Packs/CheckPointNDR/IncidentFields/incidentfield-CheckPointNDR_ReceivedBytes.json new file mode 100644 index 000000000000..e29a0b3afb1b --- /dev/null +++ b/Packs/CheckPointNDR/IncidentFields/incidentfield-CheckPointNDR_ReceivedBytes.json @@ -0,0 +1,32 @@ +{ + "id": "incident_receivedbytes", + "version": -1, + "modified": "2024-10-01T19:26:46.346683Z", + "name": "Received Bytes", + "ownerOnly": false, + "description": "The total number of bytes received in the event.", + "cliName": "receivedbytes", + "type": "number", + "closeForm": false, + "editForm": true, + "required": false, + "neverSetAsRequired": false, + "isReadOnly": false, + "useAsKpi": false, + "locked": false, + "system": false, + "content": true, + "group": 0, + "hidden": false, + "openEnded": false, + "associatedTypes": [ + "Check Point NDR Insight" + ], + "associatedToAll": false, + "unmapped": false, + "unsearchable": true, + "caseInsensitive": true, + "sla": 0, + "threshold": 72, + "fromVersion": "6.9.0" +} \ No newline at end of file 
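Review bot: The new Application Names field ships with `"description": ""`, while the sibling Received Bytes and Sent Bytes fields added in the same patch describe what they hold, so analysts editing the layout or searching incidents get no hint what populates this multiSelect. Based on the mapping in CheckPointNDR.py it is filled from the insight's `top_appi_name` statistic, so something like `"description": "Application names observed in the event, taken from the NDR insight statistics."` would match the other two fields.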
diff --git a/Packs/CheckPointNDR/IncidentFields/incidentfield-CheckPointNDR_SentBytes.json b/Packs/CheckPointNDR/IncidentFields/incidentfield-CheckPointNDR_SentBytes.json new file mode 100644 index 000000000000..a0f1f5eac6c8 --- /dev/null +++ b/Packs/CheckPointNDR/IncidentFields/incidentfield-CheckPointNDR_SentBytes.json @@ -0,0 +1,32 @@ +{ + "id": "incident_sentbytes", + "version": -1, + "modified": "2024-10-07T15:36:49.667762Z", + "name": "Sent Bytes", + "ownerOnly": false, + "description": "The total number of bytes sent in the event.", + "cliName": "sentbytes", + "type": "number", + "closeForm": false, + "editForm": true, + "required": false, + "neverSetAsRequired": false, + "isReadOnly": false, + "useAsKpi": false, + "locked": false, + "system": false, + "content": true, + "group": 0, + "hidden": false, + "openEnded": false, + "associatedTypes": [ + "Check Point NDR Insight" + ], + "associatedToAll": false, + "unmapped": false, + "unsearchable": true, + "caseInsensitive": true, + "sla": 0, + "threshold": 72, + "fromVersion": "6.9.0" +} \ No newline at end of file diff --git a/Packs/CheckPointNDR/Integrations/CheckPointNDR/CheckPointNDR.py b/Packs/CheckPointNDR/Integrations/CheckPointNDR/CheckPointNDR.py index 3593d391c42b..41380a5cea63 100644 --- a/Packs/CheckPointNDR/Integrations/CheckPointNDR/CheckPointNDR.py +++ b/Packs/CheckPointNDR/Integrations/CheckPointNDR/CheckPointNDR.py 
@@ -74,24 +74,27 @@ def get_insights(self, startTS: int, max_fetch: int):
 
 
 def test_module(client: Client, last_run: dict[str, str], first_fetch: datetime, domain: str):
     try:
-        fetch_incidents(client, last_run, first_fetch, domain, 1)
+        fetch_incidents(client, last_run, first_fetch, domain, 1, 0)
         return 'ok'
     except DemistoException as e:
         return e.message
 
 
-def parse_insights(insights: list[dict[str, Any]], domain: str, startTS: int, max_fetch: int):
+def parse_insights(insights: list[dict[str, Any]], domain: str, startTS: int, max_fetch: int, min_probability: int):
     incidents: list[dict[str, Any]] = []
     for insight in insights:
         for event in insight['events']:
             if event['updated'] <= startTS:
                 continue
+            if event['probability'] < min_probability:
+                continue
             id = f"{insight['id']}_{event['id']}"
             name = insight['data'].get('name', insight['criteria'])
             updated = int(event['data'].get('discovery_date', event['updated']))
             desc_i = insight['data'].get('description', '')
             desc_e = event['data'].get('description', '')
+            statistics = event['data'].get('statistics', {})
             description = desc_i + "\n" + desc_e if desc_e else desc_i
             link = f"{NDR_URL}/#/insights?id={insight['id']}&domain={domain}&startDate={event['from']}&endDate={event['to']}"
             severity = 3
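Review bot: The new filter reads `event['probability']` with direct subscripting, so a single event without that key aborts the whole fetch with a KeyError, whereas the surrounding lookups (`insight['data'].get(...)`, `event['data'].get(...)`) tolerate missing data; `if event.get('probability', 0) < min_probability:` keeps such events when no threshold is configured and drops them only when one is. Second, the `continue` runs before the event is processed, so it presumably never contributes to `last_time` (which is updated below this hunk, not visible here); if `client.get_insights(startTS, max_fetch)` returns the oldest `max_fetch` items from `startTS` and that window fills with low-probability events, `last_fetch` would never advance and newer events would be starved, so confirm that filtered events still move the cursor or that the query is not capped that way. parse_insights continues past the end of this hunk.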
@@ -113,7 +116,17 @@ def parse_insights(insights: list[dict[str, Any]], domain: str, startTS: int, ma
                     'externalendtime': datetime.utcfromtimestamp(event['to'] / 1000).strftime("%Y-%m-%dT%H:%M:%S.%fZ"),
                     'externallink': link,
                     'description': desc_i,
-                    'eventdescriptions': desc_e
+                    'eventdescriptions': desc_e,
+                    'sourceips': statistics.get('top_src', []),
+                    'sourceexternalips': statistics.get('top_proxy_src_ip', []),
+                    'destinationips': statistics.get('top_dst', []),
+                    'dstports': statistics.get('top_service', []),
+                    'filemd5': statistics.get('top_file_md5', []),
+                    'appiName': statistics.get('top_appi_name', []),
+                    'users': statistics.get('top_src_user_name', []),
+                    'hostnames': statistics.get('top_src_machine_name', []),
+                    'sentbytes': statistics.get('total_bytes_sent', 0),
+                    'receivedbytes': statistics.get('total_bytes_received', 0)
                 },
                 'rawJSON': json.dumps(event)
             })
@@ -125,7 +138,7 @@ def parse_insights(insights: list[dict[str, Any]], domain: str, startTS: int, ma
     return incidents, last_time
 
 
-def fetch_incidents(client: Client, last_run: dict[str, str], first_fetch: datetime, domain: str, max_fetch: int):
+def fetch_incidents(client: Client, last_run: dict[str, str], first_fetch: datetime, domain: str, max_fetch: int, min_probability: int):
     last_fetch = last_run.get('last_fetch', first_fetch.isoformat())
     last_fetch_time = dateparser.parse(last_fetch)
     if not last_fetch_time:
@@ -133,7 +146,7 @@ def fetch_incidents(client: Client, last_run: dict[str, str], first_fetch: datet
 
     startTS = int(last_fetch_time.timestamp() * 1000)
     insights = client.get_insights(startTS, max_fetch)
 
-    incidents, last_insight_time = parse_insights(insights, domain, startTS, max_fetch)
+    incidents, last_insight_time = parse_insights(insights, domain, startTS, max_fetch, min_probability)
 
     return {'last_fetch': last_insight_time}, incidents
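Review bot: `'appiName'` is the only mixed-case key in the new CustomFields entries, while the incident field added in this patch declares `"cliName": "appiname"` and the layout references `appiname`; unless XSOAR matches field names case-insensitively (I would not rely on it), the new field stays empty, so write `'appiname': statistics.get('top_appi_name', [])` to match the other all-lowercase keys. The lists copied from `statistics` (usernames, machine names, application names, hashes) are API-supplied strings that end up in standard fields such as `users` and `filemd5`; that is fine for display, but a short comment such as `# statistics values are passed through unvalidated from the NDR API; treat as untrusted in playbooks` above the mapping would make that explicit for the next maintainer. The enclosing `incidents.append({...})` call starts before this hunk.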
@@ -148,6 +161,7 @@ def main() -> None: # pragma: no cover
     verify = not params.get('insecure', False)
     proxy = params.get('proxy', False)
     max_fetch = int(params.get('max_fetch', 1000))
+    min_probability = int(params.get('min_probability', 0))
 
     fetch_time = params.get('first_fetch', '3 days').strip()
     first_fetch = dateparser.parse(fetch_time, settings={'TIMEZONE': 'UTC'})
@@ -163,7 +177,7 @@ def main() -> None: # pragma: no cover
     if command == 'test-module':
         return_results(test_module(client, last_run, first_fetch, domain))
     elif command == 'fetch-incidents':
-        next_run, incidents = fetch_incidents(client, last_run, first_fetch, domain, max_fetch)
+        next_run, incidents = fetch_incidents(client, last_run, first_fetch, domain, max_fetch, min_probability)
         demisto.incidents(incidents)
         demisto.debug(f"Set last run to {next_run.get('last_fetch')}")
         demisto.setLastRun(next_run)
diff --git a/Packs/CheckPointNDR/Integrations/CheckPointNDR/CheckPointNDR.yml b/Packs/CheckPointNDR/Integrations/CheckPointNDR/CheckPointNDR.yml
index a0f330a3a06a..34f35dcc36b9 100644
--- a/Packs/CheckPointNDR/Integrations/CheckPointNDR/CheckPointNDR.yml
+++ b/Packs/CheckPointNDR/Integrations/CheckPointNDR/CheckPointNDR.yml
@@ -49,6 +49,12 @@ configuration:
   defaultvalue: 'true'
   type: 8
   required: false
+- section: Collect
+  display: Minimum probability level
+  name: min_probability
+  defaultvalue: "0"
+  type: 0
+  required: false
 - section: Collect
   display: Incidents Fetch Interval
   name: incidentFetchInterval
diff --git a/Packs/CheckPointNDR/Integrations/CheckPointNDR/CheckPointNDR_test.py b/Packs/CheckPointNDR/Integrations/CheckPointNDR/CheckPointNDR_test.py
index e782efc43432..73e5da4eff36 100644
--- a/Packs/CheckPointNDR/Integrations/CheckPointNDR/CheckPointNDR_test.py
+++ b/Packs/CheckPointNDR/Integrations/CheckPointNDR/CheckPointNDR_test.py
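Review bot: `int(params.get('min_probability', 0))` raises ValueError when the instance stores the parameter as an empty or non-numeric string (the `0` default only applies when the key is absent), which would break every fetch and the test button with a bare traceback instead of a configuration error. Assuming CommonServerPython is in scope as it is for `DemistoException` and `return_results`, `min_probability = arg_to_number(params.get('min_probability')) or 0` handles both cases. If `probability` is a 0–100 score (the fixture shows 64, which suggests but does not prove that), a bounds check such as `if not 0 <= min_probability <= 100: raise DemistoException('Minimum probability level must be between 0 and 100')` would also catch a mistyped threshold that silently filters out every event. main() starts before and ends after this hunk.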
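Review bot: The new `min_probability` parameter has no `additionalinfo`, so the configuration screen gives no hint of the scale or of the fact that events below it are dropped rather than deprioritised; add something like `additionalinfo: Only events whose probability is greater than or equal to this integer value are fetched. Leave 0 to fetch all events.` Since `type: 0` is free text and the integration converts it with `int()`, the help text should state that an integer is expected.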
@@ -49,7 +49,7 @@ def test_parse_insights(): mock_result = (util_load_json('./test_data/checkpointndr-parse_insights-output.json'), datetime.datetime.fromtimestamp(1703387404.364).isoformat()) - result = parse_insights(mock_insights, 'test', 0, 10) + result = parse_insights(mock_insights, 'test', 0, 10, 0) assert result == mock_result @@ -80,7 +80,7 @@ def test_fetch_incidents(mocker): return_value=None, ) - fetch_incidents(client, {}, datetime.datetime(2024, 1, 1), 'test', 10) + fetch_incidents(client, {}, datetime.datetime(2024, 1, 1), 'test', 10, 0) login.assert_called_once() query_insights.assert_called() logout.assert_called_once() diff --git a/Packs/CheckPointNDR/Integrations/CheckPointNDR/README.md b/Packs/CheckPointNDR/Integrations/CheckPointNDR/README.md index 23d97864ac26..24eaa4ba6d8f 100644 --- a/Packs/CheckPointNDR/Integrations/CheckPointNDR/README.md +++ b/Packs/CheckPointNDR/Integrations/CheckPointNDR/README.md @@ -1,5 +1,5 @@ Collect network security events from Check Point Infinity NDR for your secured SaaS periodically -This integration was integrated and tested with version 1.0.0 of CheckPointNDR +This integration was integrated and tested with version 1.1.0 of CheckPointNDR ## Configure Check Point Network Detection and Response (Infinity NDR) on Cortex XSOAR 
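Review bot: Both updated tests pass `0` as the new `min_probability` argument, so the filtering added in this patch is never exercised and the `<` boundary is unpinned; with the fixture event at `probability: 64`, two extra assertions would cover it: `assert parse_insights(mock_insights, 'test', 0, 10, 65)[0] == []` and `assert parse_insights(mock_insights, 'test', 0, 10, 64)[0]`. The diffstat changes only `checkpointndr-get_insight_event.json` under test_data; if `mock_insights` is loaded from that file, `checkpointndr-parse_insights-output.json` would now need the new statistics keys for `test_parse_insights` to keep passing, so confirm which fixture feeds this test. test_parse_insights starts before this hunk.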
@@ -37,46 +37,9 @@ Retrieve all NDR Insights | **Argument Name** | **Description** | **Required** | | --- | --- | --- | -| from | Date and time from which to fetch insights. Default is Last 24 hours.| Optional | -| create_events | If true, the command will create events, otherwise it will only display them. Possible values are: true, false. Default is false. | Optional | #### Context Output | **Path** | **Type** | **Description** | | --- | --- | --- | -| CheckPointHEC.Entity.internetMessageId | String | Email message id in internet. | -| CheckPointHEC.Entity.subject | String | Email subject. | -| CheckPointHEC.Entity.received | String | Datetime email was received in iso 8601 format. | -| CheckPointHEC.Entity.size | String | Email size. | -| CheckPointHEC.Entity.emailLinks | unknown | Links in email. | -| CheckPointHEC.Entity.attachmentCount | Number | Number of attachments in email. | -| CheckPointHEC.Entity.attachments | unknown | File attachments in email. | -| CheckPointHEC.Entity.mode | String | Internal policy rule. | -| CheckPointHEC.Entity.recipients | unknown | Recipient email addresses. | -| CheckPointHEC.Entity.subject | String | Email subject. | -| CheckPointHEC.Entity.fromEmail | String | Email sender. | -| CheckPointHEC.Entity.fromDomain | String | Domain where the email was sent from. | -| CheckPointHEC.Entity.fromUser | unknown | Sender user details. | -| CheckPointHEC.Entity.fromName | String | Sender name. | -| CheckPointHEC.Entity.to | unknown | Email main recipients. | -| CheckPointHEC.Entity.toUser | unknown | User details for main recipients. | -| CheckPointHEC.Entity.cc | unknown | Email carbon copy recipients. | -| CheckPointHEC.Entity.ccUser | unknown | User details for carbon copy recipients. | -| CheckPointHEC.Entity.bcc | unknown | Email blind carbon copy recipients. | -| CheckPointHEC.Entity.bccUser | unknown | User details for blind carbon copy recipients. | -| CheckPointHEC.Entity.replyToEmail | String | Email reply. 
| -| CheckPointHEC.Entity.replyToNickname | String | Email reply nickname. | -| CheckPointHEC.Entity.isRead | Boolean | Email has been read. | -| CheckPointHEC.Entity.isDeleted | Boolean | Email has been deleted. | -| CheckPointHEC.Entity.isIncoming | Boolean | Email is from external organization. | -| CheckPointHEC.Entity.isInternal | Boolean | Email is from same organization. | -| CheckPointHEC.Entity.isOutgoing | Boolean | Email is to an external organization. | -| CheckPointHEC.Entity.isQuarantined | Boolean | Email has been quarantined. | -| CheckPointHEC.Entity.isQuarantineNotification | Boolean | Email is a notification of another quarantined email. | -| CheckPointHEC.Entity.isRestored | Boolean | Email is restored from quarantine. | -| CheckPointHEC.Entity.isRestoreRequested | Boolean | Email is a request to restore. | -| CheckPointHEC.Entity.isRestoreDeclined | Boolean | Email is a declined restore request. | -| CheckPointHEC.Entity.saasSpamVerdict | String | Spam verdict. | -| CheckPointHEC.Entity.SpfResult | String | Sender Policy Framework check result. | -| CheckPointHEC.Entity.restoreRequestTime | String | Restore request datetime in iso 8601 format. | diff --git a/Packs/CheckPointNDR/Integrations/CheckPointNDR/test_data/checkpointndr-get_insight_event.json b/Packs/CheckPointNDR/Integrations/CheckPointNDR/test_data/checkpointndr-get_insight_event.json index 27f1ab312db8..412413cc15e6 100644 --- a/Packs/CheckPointNDR/Integrations/CheckPointNDR/test_data/checkpointndr-get_insight_event.json +++ b/Packs/CheckPointNDR/Integrations/CheckPointNDR/test_data/checkpointndr-get_insight_event.json 
@@ -1,26 +1,57 @@ { "objects": [ - { - "id": 950961, - "domain": "test", - "from": 1703258128000, - "to": 1703261728000, - "filter": "src:\"127.0.0.1\"", - "targetDomain": "test", - "type": "Behavioral", - "insight": "Behavioral.Geo.Bulgaria", - "count": 1, - "data": { - "discovery_date": "1703387402954" - }, - "user": "Analytics", - "created": 1703387404364, - "updated": 1703387404364, - "mdr": false, - "probability": 64, - "externalId": null, - "editable": true - } + { + "id": 950961, + "domain": "test", + "from": 1703258128000, + "to": 1703261728000, + "filter": "src:\"127.0.0.1\"", + "targetDomain": "test", + "type": "Behavioral", + "insight": "Behavioral.Geo.Bulgaria", + "count": 1, + "data": { + "discovery_date": "1703387402954", + "statistics": { + "count": 1, + "top_dst": [ + "192.168.0.1" + ], + "top_src": [ + "127.0.0.1" + ], + "total_dst": 1, + "total_src": 1, + "top_service": [ + "1434" + ], + "top_file_md5": ["098f6bcd4621d373cade4e832627b4f6"], + "top_appi_name": ["TeamViewer", "google.com"], + "total_service": 1, + "total_file_md5": 1, + "total_appi_name": 2, + "top_proxy_src_ip": ["1.2.3.4"], + "total_bytes_sent": 512, + "top_src_user_name": ["maxn"], + "total_proxy_src_ip": 1, + "top_protection_name": [ + "MS-SQL Monitor Protocol" + ], + "total_src_user_name": 1, + "top_src_machine_name": ["DESKTOP1"], + "total_bytes_received": 1024, + "total_protection_name": 1, + "total_src_machine_name": 1 + } + }, + "user": "Analytics", + "created": 1703387404364, + "updated": 1703387404364, + "mdr": false, + "probability": 64, + "externalId": null, + "editable": true + } ], "count": 1 } \ No newline at end of file diff --git a/Packs/CheckPointNDR/Layouts/layoutscontainer-CheckPointNDR_Incident_Layout.json b/Packs/CheckPointNDR/Layouts/layoutscontainer-CheckPointNDR_Incident_Layout.json index 00d462fc9fd2..9dfb56b5ab5a 100644 --- a/Packs/CheckPointNDR/Layouts/layoutscontainer-CheckPointNDR_Incident_Layout.json 
+++ b/Packs/CheckPointNDR/Layouts/layoutscontainer-CheckPointNDR_Incident_Layout.json @@ -99,7 +99,7 @@ "y": 0 }, { - "h": 2, + "h": 4, "i": "zsgh4yoppk-caseinfoid-61263cc0-98b1-11e9-97d7-ed26ef9e46c8", "maxW": 3, "moved": false, @@ -108,11 +108,11 @@ "type": "notes", "w": 1, "x": 2, - "y": 0 + "y": 3 }, { "displayType": "ROW", - "h": 3, + "h": 2, "i": "zsgh4yoppk-caseinfoid-6aabad20-98b1-11e9-97d7-ed26ef9e46c8", "maxW": 3, "moved": false, @@ -121,7 +121,7 @@ "type": "workplan", "w": 1, "x": 1, - "y": 0 + "y": 3 }, { "displayType": "ROW", @@ -133,22 +133,9 @@ "name": "Linked Incidents", "static": false, "type": "linkedIncidents", - "w": 1, + "w": 2, "x": 1, - "y": 6 - }, - { - "displayType": "ROW", - "h": 2, - "i": "zsgh4yoppk-caseinfoid-842632c0-98b1-11e9-97d7-ed26ef9e46c8", - "maxW": 3, - "moved": false, - "name": "Child Incidents", - "static": false, - "type": "childInv", - "w": 1, - "x": 2, - "y": 4 + "y": 9 }, { "displayType": "ROW", @@ -160,8 +147,8 @@ "static": false, "type": "evidence", "w": 1, - "x": 2, - "y": 2 + "x": 0, + "y": 9 }, { "displayType": "ROW", @@ -174,8 +161,8 @@ "static": false, "type": "team", "w": 1, - "x": 2, - "y": 6 + "x": 0, + "y": 5 }, { "displayType": "ROW", @@ -194,13 +181,13 @@ }, { "displayType": "CARD", - "h": 3, + "h": 2, "i": "zsgh4yoppk-caseinfoid-ac32f620-a0b0-11e9-b27f-13ae1773d289", "items": [ { "endCol": 1, "fieldId": "occurred", - "height": 22, + "height": 53, "id": "incident-occurred-field", "index": 0, "sectionItemType": "field", @@ -210,9 +197,9 @@ "endCol": 1, "fieldId": "externalstarttime", "name": "NDR Event Start Time", - "height": 22, + "height": 53, "id": "incident-externalstarttime", - "index": 2, + "index": 1, "sectionItemType": "field", "startCol": 0 }, 
@@ -220,45 +207,36 @@ "endCol": 1, "fieldId": "externalendtime", "name": "NDR Event End Time", - "height": 22, + "height": 53, "id": "incident-externalendtime", - "index": 3, + "index": 2, "sectionItemType": "field", "startCol": 0 }, { "endCol": 1, "fieldId": "dbotmodified", - "height": 22, + "height": 53, "id": "incident-modified-field", - "index": 4, - "sectionItemType": "field", - "startCol": 1 - }, - { - "endCol": 2, - "fieldId": "dbotduedate", - "height": 22, - "id": "incident-dueDate-field", - "index": 5, + "index": 0, "sectionItemType": "field", "startCol": 1 }, { "endCol": 2, "fieldId": "dbotcreated", - "height": 22, + "height": 53, "id": "incident-created-field", - "index": 6, + "index": 1, "sectionItemType": "field", "startCol": 1 }, { "endCol": 2, "fieldId": "dbotclosed", - "height": 22, + "height": 53, "id": "incident-closed-field", - "index": 7, + "index": 2, "sectionItemType": "field", "startCol": 1 } @@ -269,7 +247,7 @@ "static": false, "w": 1, "x": 0, - "y": 2 + "y": 3 }, { "displayType": "ROW", 
@@ -310,50 +288,122 @@ "name": "Closing Information", "static": false, "w": 1, - "x": 0, - "y": 6 + "x": 1, + "y": 5 }, { - "displayType": "CARD", + "displayType": "ROW", "h": 3, "i": "zsgh4yoppk-caseinfoid-e54b1770-a0b1-11e9-b27f-13ae1773d289", "isVisible": true, "items": [ { - "endCol": 2, + "endCol": 4, "fieldId": "details", - "height": 22, + "height": 44, "id": "incident-details-field", "index": 0, "sectionItemType": "field", "startCol": 0 }, - { - "endCol": 2, - "fieldId": "description", + { + "endCol": 4, + "fieldId": "sourceips", + "height": 22, + "id": "1b62fd50-8bad-11ef-afb5-214168f0d65e", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "sourceexternalips", "height": 22, - "id": "incident-description", + "id": "22d1e9c0-8bad-11ef-afb5-214168f0d65e", "index": 2, "sectionItemType": "field", "startCol": 0 }, - { - "endCol": 2, - "fieldId": "eventdescriptions", + { + "endCol": 4, + "fieldId": "destinationips", "height": 22, - "id": "incident-eventdescriptions", + "id": "1d6ab430-8bad-11ef-afb5-214168f0d65e", "index": 3, "sectionItemType": "field", "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "dstports", + "height": 22, + "id": "8e168ba0-8bad-11ef-afb5-214168f0d65e", + "index": 4, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "filemd5", + "height": 22, + "id": "a5d8b2e0-8bad-11ef-afb5-214168f0d65e", + "index": 5, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "appiname", + "height": 22, + "id": "40c6de80-8bae-11ef-afb5-214168f0d65e", + "index": 6, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "users", + "height": 22, + "id": "50283f40-8bae-11ef-afb5-214168f0d65e", + "index": 7, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "hostnames", + "height": 22, + "id": "5d1a4db0-8bae-11ef-afb5-214168f0d65e", + "index": 8, + "sectionItemType": "field", + "startCol": 0 + }, 
+ { + "endCol": 4, + "fieldId": "sentbytes", + "height": 22, + "id": "5d1a4db0-8bae-11ef-afb5-214168f0d65e", + "index": 9, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "receivedbytes", + "height": 22, + "id": "5d1a4db0-8bae-11ef-afb5-214168f0d65e", + "index": 10, + "sectionItemType": "field", + "startCol": 0 } ], "maxW": 3, "moved": false, - "name": "Investigation Data", + "name": "Details and Statistics", "static": false, - "w": 1, + "w": 2, "x": 1, - "y": 2 + "y": 0 } ], "type": "custom" diff --git a/Packs/CheckPointNDR/README.md b/Packs/CheckPointNDR/README.md index 830e916cefc0..5d99cd432225 100644 --- a/Packs/CheckPointNDR/README.md +++ b/Packs/CheckPointNDR/README.md @@ -1,11 +1,11 @@ -# Check Point Horizon NDR +# Check Point Infinity NDR -[Network Detection and Response (NDR)](https://www.checkpoint.com/horizon/ndr/) solutions are designed to detect cyber threats on corporate networks using artificial intelligence (AI), machine learning (ML) and data analytics. +[Network Detection and Response (NDR)](https://www.checkpoint.com/Infinity/ndr/) solutions are designed to detect cyber threats on corporate networks using artificial intelligence (AI), machine learning (ML) and data analytics. These tools build models of normal behavior by continuously analyzing network north/south traffic that crosses the enterprise perimeter as well as east/west lateral traffic and then use these models to identify anomalous or suspicious traffic patterns. ## What does this pack do? -This pack and its resources implement the integration with Check Point Horizon NDR allowing: +This pack and its resources implement the integration with Check Point Infinity NDR allowing: * Collect security events for your secured SaaS periodically. diff --git a/Packs/CheckPointNDR/ReleaseNotes/1_1_0.md b/Packs/CheckPointNDR/ReleaseNotes/1_1_0.md new file mode 100644 index 000000000000..d14601e72a01 --- /dev/null +++ b/Packs/CheckPointNDR/ReleaseNotes/1_1_0.md 
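Review bot: The items for `hostnames`, `sentbytes` and `receivedbytes` in the new "Details and Statistics" section all reuse `"id": "5d1a4db0-8bae-11ef-afb5-214168f0d65e"`, while every other item in the section carries a distinct id; duplicated item ids are what makes layout editing or rendering act on the wrong entry, so the `sentbytes` and `receivedbytes` items should each get their own unique id. This is the only section in the layout file where an id repeats, which suggests the last two entries were copy-pasted from the `hostnames` item.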
@@ -0,0 +1,8 @@ + +#### Integrations + +##### Check Point Infinity NDR + +- Added statistics fields +- Added fetching incidents with filtering by minimum probability + diff --git a/Packs/CheckPointNDR/pack_metadata.json b/Packs/CheckPointNDR/pack_metadata.json index 087cb2060f79..c7da7294a006 100644 --- a/Packs/CheckPointNDR/pack_metadata.json +++ b/Packs/CheckPointNDR/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Check Point Infinity NDR", "description": "Collect network security events from Check Point Infinity NDR for your secured SaaS periodically", "support": "partner", - "currentVersion": "1.0.0", + "currentVersion": "1.1.0", "author": "Check Point", "url": "https://supportcenter.checkpoint.com/", "email": "ndr@checkpoint.com",