Implement additional parameters for restore requests incidents

Packs/CheckPointHEC/Integrations/CheckPointHEC/CheckPointHEC.py

@@ -75,10 +75,11 @@
 }
 
 
-def arg_to_bool(arg: Optional[str]) -> Union[bool, None]:
-    if arg:
+def arg_to_bool(arg: Optional[str]) -> bool:
+    try:
         return argToBoolean(arg)
-    return None
+    except ValueError:
+        return False
 
 
 class Client(BaseClient):
@@ -180,11 +181,15 @@ def test_api(self) -> dict[str, Any]:
             url_suffix='scopes'
         )
 
-    def restore_requests(self, start_date: str, saas: str) -> dict[str, Any]:
+    def restore_requests(self, start_date: str, saas: str, include_denied: bool, include_accepted: bool) -> dict[str, Any]:
+        denied_attr_op = 'is' if include_denied else 'isNot'
+        accepted_attr_op = 'is' if include_accepted else 'isNot'
+        fifteen_days_ago = (datetime.now(timezone.utc).replace(tzinfo=None) - timedelta(days=15)).isoformat()
         entity_filter = {
             'saas': saas,
-            'startDate': start_date,
+            'startDate': fifteen_days_ago,
         }
+
         request_data: dict[str, Any] = {
             'entityFilter': entity_filter,
             'entityExtendedFilter': [
@@ -193,20 +198,20 @@ def restore_requests(self, start_date: str, saas: str) -> dict[str, Any]:
                     'saasAttrOp': 'is',
                     'saasAttrValue': 'true'
                 },
+                {
+                    'saasAttrName': 'entityPayload.restoreRequestTime',
+                    'saasAttrOp': 'greaterThan',
+                    'saasAttrValue': start_date
+                },
                 {
                     'saasAttrName': 'entityPayload.isRestoreDeclined',
-                    'saasAttrOp': 'isNot',
+                    'saasAttrOp': denied_attr_op,
                     'saasAttrValue': 'true'
                 },
                 {
                     'saasAttrName': 'entityPayload.isRestored',
-                    'saasAttrOp': 'isNot',
+                    'saasAttrOp': accepted_attr_op,
                     'saasAttrValue': 'true'
-                },
-                {
-                    'saasAttrName': 'entityPayload.restoreRequestTime',
-                    'saasAttrOp': 'greaterThan',
-                    'saasAttrValue': (datetime.now(timezone.utc).replace(tzinfo=None) - timedelta(minutes=15)).isoformat()
                 }
             ]
         }
@@ -759,8 +764,10 @@ def fetch_restore_requests(client: Client, params: dict):
     counter = 0
     incidents: List[dict[str, Any]] = []
 
+    include_denied_rr = arg_to_bool(params.get('include_denied_requests'))
+    include_accepted_rr = arg_to_bool(params.get('include_accepted_requests'))
     for saas in saas_apps:
-        result = client.restore_requests(last_fetch, saas)
+        result = client.restore_requests(last_fetch, saas, include_denied_rr, include_accepted_rr)
         for restore_request in result['responseData']:
             entity_info = restore_request.get('entityInfo')
             entity_payload = restore_request.get('entityPayload')

Packs/CheckPointHEC/Integrations/CheckPointHEC/CheckPointHEC.yml

@@ -5,6 +5,7 @@ commonfields:
 configuration:
 - section: Connect
   display: Smart API URL or Check Point Infinity API URL
+  additionalinfo: The URL of the Smart API or Check Point Infinity API.
   name: url
   defaultvalue: ""
   type: 15
@@ -24,48 +25,50 @@ configuration:
   - https://cloudinfra-gw.me.portal.checkpoint.com
   - https://cloudinfra-gw.in.portal.checkpoint.com
   required: true
-  additionalinfo: The URL of the Smart API or Check Point Infinity API.
 - section: Collect
   display: Fetch incidents
+  additionalinfo: Enable fetching incidents from the selected SaaS application.
   name: isFetch
   type: 8
   required: false
 - section: Collect
   display: Incident type
+  additionalinfo: Fetch incidents of the selected types.
   name: incidentType
   type: 13
   required: false
 - section: Connect
   display: ""
+  additionalinfo: The client ID of the Smart API or Check Point Infinity API.
   name: client_id
   type: 9
   required: true
   displaypassword: Client ID
   hiddenusername: true
-  additionalinfo: The client ID of the Smart API or Check Point Infinity API.
 - display: ""
+  additionalinfo: The client secret of the Smart API or Check Point Infinity API.
   displaypassword: Client Secret
   name: client_secret
   type: 9
   required: true
   hiddenusername: true
-  additionalinfo: The client secret of the Smart API or Check Point Infinity API.
 - display: "First fetch time"
+  additionalinfo: The time range for the first fetch. The default is 1 hour.
   name: first_fetch
   type: 0
   required: false
   section: Collect
   defaultvalue: 1 hour
-  additionalinfo: The time range for the first fetch. The default is 1 hour.
 - display: SaaS Application
+  additionalinfo: Get incidents from the selected SaaS
   name: saas_apps
   type: 16
   required: false
   options:
   - Microsoft Exchange
   - Gmail
-  additionalinfo: Get incidents from the selected SaaS
 - display: State
+  additionalinfo: Get incidents with only the selected states.
   name: event_state
   type: 16
   required: false
@@ -75,8 +78,8 @@ configuration:
   - Detected
   - Exception
   - Dismissed
-  additionalinfo: Get incidents with only the selected states
 - display: Severity
+  additionalinfo: Get incidents with only the selected severities.
   name: event_severity
   type: 16
   required: false
@@ -86,8 +89,8 @@ configuration:
   - Medium
   - Low
   - Very Low
-  additionalinfo: Get incidents with only the selected severities
 - display: Threat Type
+  additionalinfo: Get incidents with only the selected types.
   name: threat_type
   type: 16
   required: false
@@ -103,34 +106,45 @@ configuration:
   - Spam
   - Malicious URL
   - Malicious URL Click
-  additionalinfo: Get incidents with only the selected types
 - display: Maximum number of incidents per fetch
+  additionalinfo: The maximum number of incidents to fetch per fetch. The default is 10.
   name: max_fetch
   defaultvalue: "10"
   type: 0
   required: false
   section: Collect
-  additionalinfo: The maximum number of incidents to fetch per fetch. The default is 10.
-- section: Collect
-  display: Collect restore requests
+- display: Collect restore requests
+  additionalinfo: Collect restore requests as incidents.
   name: collect_restore_requests
   type: 8
   required: false
-  additionalinfo: Collect restore requests as incidents.
+  section: Restore requests
+- display: Include denied requests
+  additionalinfo: Denied restore requests will be in the results (they are not by default).
+  name: include_denied_requests
+  type: 8
+  required: false
+  section: Restore requests
+- display: Include accepted requests
+  additionalinfo: Accepted restore requests will be in the results (they are not by default).
+  name: include_accepted_requests
+  type: 8
+  required: false
+  section: Restore requests
 - section: Connect
+  additionalinfo: Trust server certificate.
   advanced: true
   display: Trust any certificate (not secure)
   name: insecure
   type: 8
   required: false
-  additionalinfo: Trust server certificate.
-- display: Use system proxy settings
+- section: Connect
+  additionalinfo: Use system proxy settings.
+  advanced: true
+  display: Use system proxy settings
   name: proxy
   type: 8
   required: false
-  section: Connect
-  additionalinfo: Use system proxy settings.
-  advanced: true
 - display: Incidents Fetch Interval
   additionalinfo: The interval in minutes to fetch incidents. The default is 1 minute.
   name: incidentFetchInterval

Packs/CheckPointHEC/Integrations/CheckPointHEC/README.md

@@ -1,5 +1,5 @@
 The Best Way to Protect Enterprise Email & Collaboration from phishing, malware, account takeover, data loss, etc.
-This integration was integrated and tested with version 1.1.4 of CheckPointHEC
+This integration was integrated and tested with version 1.1.5 of CheckPointHEC
 
 ## Configure Check Point Harmony Email and Collaboration (HEC) on Cortex XSOAR
 
@@ -16,11 +16,13 @@ This integration was integrated and tested with version 1.1.4 of CheckPointHEC
     | Client Secret | The client secret of the Smart API or Check Point Infinity API. | True |
     | First fetch time | The time range for the first fetch. The default is 1 hour. | False |
     | SaaS Application | Get incidents from the selected SaaS | False |
-    | State | Get incidents with only the selected states | False |
-    | Severity | Get incidents with only the selected severities | False |
-    | Threat Type | Get incidents with only the selected types | False |
+    | State | Get incidents with only the selected states. | False |
+    | Severity | Get incidents with only the selected severities. | False |
+    | Threat Type | Get incidents with only the selected types. | False |
     | Maximum number of incidents per fetch | The maximum number of incidents to fetch per fetch. The default is 10. | False |
     | Collect restore requests | Collect restore requests as incidents. | False |
+    | Include denied requests | Denied restore requests will be in the results \(they are not by default\). | False |
+    | Include accepted requests | Accepted restore requests will be in the results \(they are not by default\). | False |
     | Trust any certificate (not secure) | Trust server certificate. | False |
     | Use system proxy settings | Use system proxy settings. | False |
     | Incidents Fetch Interval | The interval in minutes to fetch incidents. The default is 1 minute. | False |
@@ -30,6 +32,7 @@ This integration was integrated and tested with version 1.1.4 of CheckPointHEC
 
 
 
+
 ## Commands
 
 You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook.
@@ -1220,4 +1223,4 @@ Delete Avanan DLP exceptions.
 
 #### Context Output
 
-There is no context output for this command.
+There is no context output for this command.

Packs/CheckPointHEC/ReleaseNotes/1_1_5.md

@@ -0,0 +1,6 @@
+
+#### Integrations
+
+##### Check Point Harmony Email and Collaboration (HEC)
+
+- Added support to include/exclude accepted/declined restore requests in the fetch incidents of restore request type.

Packs/CheckPointHEC/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Check Point Harmony Email and Collaboration (HEC)",
     "description": "The Best Way to Protect Enterprise Email & Collaboration from phishing, malware, account takeover, data loss, etc.",
     "support": "partner",
-    "currentVersion": "1.1.4",
+    "currentVersion": "1.1.5",
     "author": "Check Point Harmony Email & Collaboration (HEC)",
     "url": "https://supportcenter.checkpoint.com/",
     "email": "[email protected]",