@@ -1,9 +1,9 @@
import demistomock as demisto # noqa: F401
from CommonServerPython import * # noqa: F401
import json
import urllib.parse
from collections import defaultdict

import demistomock as demisto # noqa: F401
from CommonServerPython import * # noqa: F401

""" IMPORTS """
import ipaddress
Expand Down Expand Up @@ -1375,6 +1375,37 @@ def add_custom_malware_feeds(client: PrismaCloudComputeClient, args: dict) -> Co
return CommandResults(readable_output="Successfully updated the custom md5 malware feeds")


def remove_custom_malware_feeds(client: PrismaCloudComputeClient, args) -> CommandResults:
"""
Remove a single hash and description from the system's malware list.
Implements the command 'prisma-cloud-compute-custom-feeds-malware-remove'

Args:
client (PrismaCloudComputeClient): prisma-cloud-compute client.
args: prisma-cloud-compute-custom-feeds-malware-remove command arguments.

Returns:
CommandResults: command-results object.
"""
# Cast to sets for faster operations and to remove duplicates
current_md5_feeds = (client.get_custom_md5_malware() or {}).get("feed") or []

# populate variable for md5 input
md5 = args.get("md5")

# if md5 input is in current feed, remove it.
for i in range(len(current_md5_feeds) - 1, -1, -1):
if current_md5_feeds[i].get("md5") == md5:
current_md5_feeds.pop(i)
# send updated list with removed md5 to Prisma
client.add_custom_md5_malware(feeds=current_md5_feeds)
return CommandResults(
readable_output="Successfully removed the md5 hash value " + md5 + " from custom md5 malware feed."
)

return CommandResults(readable_output=f"Could not find {md5} in the custom malware feeds.")


def get_cves(client: PrismaCloudComputeClient, args: dict, reliability: str = "B - Usually reliable") -> List[CommandResults]:
"""
Get cves information, implement the command 'cve'.
Expand Down Expand Up @@ -2832,6 +2863,8 @@ def main():
return_results(results=get_custom_malware_feeds(client=client, args=demisto.args()))
elif requested_command == "prisma-cloud-compute-custom-feeds-malware-add":
return_results(results=add_custom_malware_feeds(client=client, args=demisto.args()))
elif requested_command == "prisma-cloud-compute-custom-feeds-malware-remove":
return_results(results=remove_custom_malware_feeds(client=client, args=demisto.args()))
elif requested_command == "cve":
return_results(results=get_cves(client=client, args=demisto.args(), reliability=reliability))
elif requested_command == "prisma-cloud-compute-defenders-list":
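Review bot: In `remove_custom_malware_feeds` the lookup compares the `md5` argument to each stored entry with an exact `==`, so a hash given in a different letter case (or with stray whitespace) than the one held in the feed falls through to "Could not find", and the `return` inside the loop drops only the first matching entry, so if the feed can hold the same hash more than once the remainder survives the update; normalizing both sides and filtering the whole list, as below, addresses both. The comment `# Cast to sets for faster operations and to remove duplicates` describes code that is not there (no sets are built) and should be dropped or replaced with `# the whole feed is re-sent, minus the matching entries`. An empty argument is also worth rejecting explicitly: `args.get("md5")` returning `None` would match any entry that lacks an `md5` key and then fail on the string concatenation in the success message. For consistency with `add_custom_malware_feeds` just above, the signature should read `args: dict`, and that success message is the only one in the function not written as an f-string.
```python
def remove_custom_malware_feeds(client: PrismaCloudComputeClient, args: dict) -> CommandResults:
    # … unchanged: docstring …
    current_md5_feeds = (client.get_custom_md5_malware() or {}).get("feed") or []

    # compare hex digests case-insensitively so the argument's letter case does not matter
    md5 = (args.get("md5") or "").strip().lower()
    if not md5:
        raise DemistoException("The md5 argument is required.")

    remaining = [feed for feed in current_md5_feeds if (feed.get("md5") or "").lower() != md5]
    if len(remaining) == len(current_md5_feeds):
        return CommandResults(readable_output=f"Could not find {md5} in the custom malware feeds.")

    # the whole feed is re-sent, minus the matching entries
    client.add_custom_md5_malware(feeds=remaining)
    return CommandResults(
        readable_output=f"Successfully removed the md5 hash value {md5} from custom md5 malware feed."
    )
```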
Expand Up @@ -75,7 +75,7 @@ description: Use the Prisma Cloud Compute integration to fetch incidents from yo
display: Palo Alto Networks - Prisma Cloud Compute
name: PaloAltoNetworks_PrismaCloudCompute
script:
dockerimage: demisto/python3:3.12.8.3296088
dockerimage: demisto/python3:3.12.11.4819260
isfetch: true
runonce: false
script: "-"
Expand Down Expand Up @@ -2916,6 +2916,12 @@ script:
- contextPath: PrismaCloudCompute.Policies.RuntimeContainerPolicy.modified
description: The audited event modified time.
type: Date
- name: prisma-cloud-compute-custom-feeds-malware-remove
arguments:
- description: The MD5 value to be removed from Prisma.
name: md5
required: true
description: Remove custom MD5 malware hashes.
tests:
- PaloAltoNetworks_PrismaCloudCompute-Test
fromversion: 5.0.0
Expand Up @@ -5207,3 +5207,22 @@ Retrieves the runtime policy for containers protected by Defender. A policy cons

* Do not use the reset last run button as it will cause incidents duplications to the instance.
* In case you pressed reset last run button and you get duplicated incidents, run **prisma-cloud-compute-unstuck-fetch-stream** command.

### prisma-cloud-compute-custom-feeds-malware-remove

***
Remove custom MD5 malware hashes.

#### Base Command

`prisma-cloud-compute-custom-feeds-malware-remove`

#### Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| md5 | The MD5 value to be removed from Prisma. | Required |

#### Context Output

There is no context output for this command.
7 changes: 7 additions & 0 deletions Packs/PrismaCloudCompute/ReleaseNotes/1_7_22.md
@@ -0,0 +1,7 @@

#### Integrations

##### Palo Alto Networks - Prisma Cloud Compute

- Updated the Docker image to: *demisto/python3:3.12.11.4819260*.
- Added support for **prisma-cloud-compute-custom-feeds-malware-remove** command that remove custom md5 malware hashes.
2 changes: 1 addition & 1 deletion Packs/PrismaCloudCompute/pack_metadata.json
Expand Up @@ -2,7 +2,7 @@
"name": "Prisma Cloud Compute by Palo Alto Networks",
"description": "Use the Prisma Cloud Compute integration to fetch incidents from your Prisma Cloud Compute environment.",
"support": "xsoar",
"currentVersion": "1.7.21",
"currentVersion": "1.7.22",
"author": "Cortex XSOAR",
"url": "https://www.paloaltonetworks.com/cortex",
"email": "",