
Commit 6c1a58b

idovandijk, mikejrizzo, nbensalm-palo, content-bot, adamlevymandiant authored
SPNs Cleared From a Machine Account - Refactor (#40962)
* pb + format * rn * removed playbook * Bump pack version. (#40999) * Nbensalmon/ciac 10618/collection app sentinels.ai (#39982) Appsentinels.ai offers a platform for collecting, analyzing, and managing security events to provide comprehensive application protection. * Updated Relationship names in Mandiant Enrich and Feed Mandiant Integ… (#40947) (#41113) * Updated Relationship names in Mandiant Enrich and Feed Mandiant Integration * Fixed typo in FeedMandiantThreatIntelligence.py * Increment pack version and Docker tags --------- Co-authored-by: adamlevymandiant <[email protected]> Co-authored-by: Adam Levy <[email protected]> * XSUP-54313 (#40991) * Initial implementation * Fix UT * ruff changes * UT * ruff * RN and UT * ruff * Update Packs/CrowdStrikeFalcon/ReleaseNotes/2_3_7.md Co-authored-by: Richard Bluestone <[email protected]> * Minor fix * Fix UT * Apply suggestion from @AradCarmi Co-authored-by: Arad Carmi <[email protected]> * Apply suggestion from @AradCarmi Co-authored-by: Arad Carmi <[email protected]> * Delete Packs/CrowdStrikeFalcon/Integrations/CrowdStrikeFalcon/integration-CrowdStrikeFalcon.yml * final CR * Change user key * Raise version * RN * Fix --------- Co-authored-by: Richard Bluestone <[email protected]> Co-authored-by: Arad Carmi <[email protected]> * Xsup 55040 (#41063) * required yml fields to allow mapping * yml changes * return results * return results * pre-commit * pre-commit * pr comments * pr comments * pre commit * Mark remaining internal scripts with isInternal (#41083) * Add missing isInternal to agentix scripts * Bump versions and RN * Update docker * Remove list notation from rn * Apply suggestions from doc review Co-authored-by: julieschwartz18 <[email protected]> * Fix rn * Bump pack from version CrowdStrikeFalcon to 2.3.9.
* replace rn with generic message --------- Co-authored-by: julieschwartz18 <[email protected]> Co-authored-by: Content Bot <[email protected]> * fix get-endpoint-data action inputs (#41118) * bump version of aggregated scripts * Update 1_1_3.md * Whois - adding another regex for registrant_regexes (#41116) * add one log to see the raw-response as is * adding another regex for registrant_regexes * CRTX-165828 - Mapping Tigera Calico Secure (#40925) * create all files * remove unwanted files * update readme according to tech writer suggestions * update readme * create files * fix timestamp parsing rule * fix timestamp parsing rule * fix timestamp parsing rule * fix readme * fix readme * fix metadata - add platform * fix time parsing * fix time parsing * fix readme precommit error * fix readme precommit error * fix xif * readme file error * readme file error * fix xif * change ip_protocol * cisco umbrella - use risk score for domain verdict (#41000) * domain verdict update to use risk score * update rn * Update Packs/Cisco-umbrella/ReleaseNotes/2_0_5.md Co-authored-by: yuvalbenshalom <[email protected]> * sectionOrder and docker image * add docker update to release note * send risk_score and improve threshold logic * update Threshold default value --------- Co-authored-by: yuvalbenshalom <[email protected]> * Updating Trend Micro Vision One pack (#41079) * Updating Trend Micro Vision One pack * Updating RN * fixing rn and md * fixing fields in modeling rules * TIM/Improve the removal of trailing characters in the format URL script (#41075) * TIM/Improve the removal of trailing characters in the format URL script * Bump pack from version CommonScripts to 1.20.7. * Bump pack from version CommonScripts to 1.20.8. * cr fixes * Bump pack from version CommonScripts to 1.20.9. * Bump pack from version CommonScripts to 1.20.10.
* empty commit * fixes --------- Co-authored-by: Content Bot <[email protected]> * Microsoft Management Activity API (O365/Azure Events) integration request to have case insensitive for Operations to fetch (#41070) * Operation filter changed to lowercase * Operation filter changed to lowercase * formatter * formatter * formatter * back to doc change only * back to doc change only * Small change * Small change * Small change * Small change * merged from master * review changes * Update Packs/MicrosoftManagementActivity/Integrations/MicrosoftManagementActivity/MicrosoftManagementActivity.yml Co-authored-by: julieschwartz18 <[email protected]> * Update Packs/MicrosoftManagementActivity/Integrations/MicrosoftManagementActivity/MicrosoftManagementActivity.yml Co-authored-by: julieschwartz18 <[email protected]> * Update Packs/MicrosoftManagementActivity/Integrations/MicrosoftManagementActivity/MicrosoftManagementActivity_description.md Co-authored-by: julieschwartz18 <[email protected]> * Update Packs/MicrosoftManagementActivity/ReleaseNotes/1_3_60.md Co-authored-by: julieschwartz18 <[email protected]> * Update Packs/MicrosoftManagementActivity/Integrations/MicrosoftManagementActivity/MicrosoftManagementActivity_description.md Co-authored-by: julieschwartz18 <[email protected]> * Update Packs/MicrosoftManagementActivity/Integrations/MicrosoftManagementActivity/MicrosoftManagementActivity_description.md Co-authored-by: julieschwartz18 <[email protected]> * small changes * small changes * small changes * small changes * small changes * small changes * added to readme * added to readme * Update Packs/MicrosoftManagementActivity/ReleaseNotes/1_3_60.md Co-authored-by: Shelly Tzohar <[email protected]> --------- Co-authored-by: julieschwartz18 <[email protected]> Co-authored-by: Shelly Tzohar <[email protected]> * Fix get user data ad missing args (#41125) * fix the arg name username is directed to when calling ad-get-user * added rn * Asavenok/logos added (#41122) * 
Asavenok/logos added (#41049) * Added logos: add dark and light SVG icons for CyberArk and Alibaba integrations * add dark mode SVG logos for FireEye integration packs --------- Co-authored-by: Yael Shamai <[email protected]> * docker images, description files and dots in yml * pre commit * revert all changes * revert --------- Co-authored-by: asavenokPAN <[email protected]> Co-authored-by: Yael Shamai <[email protected]> Co-authored-by: yshamai <[email protected]> * Tigera Calico fix the README file (#41134) * PAN-OS Agentix Action Updates (#41078) * Added handling of download errors. * Fixed issue in script "PanOSAnalyzeRuleHitCounts" when imported context data contained single items instead of lists. * Updated release notes. * Readd inputs and new outputs to Security Advisories playbook. * Updated release notes for docker image and playbook inputs/outputs. * Bump pack from version PAN-OS to 2.6.8. --------- Co-authored-by: aneeshamore <[email protected]> Co-authored-by: Content Bot <[email protected]> * [GetUserData] Fix output for Active Directory users (#41136) * init * UTs * Aruba Collector new command 'aruba-auth-test' alternatively to 'test-module' (#41058) * adding a new command 'aruba-auth-test' * UTs and RN with BC * ruff * README * DO * DO * RN * change desc of the new command * new bucket * Bitsight-Event-Collector/CIAC-12152 (#41052) * init * todo * add images * description * rename * readme * tests and more * ruff * pre commit * move * validations * improvements * rn * ruff * fix tests * improve * 2 days * limit 5 * fixes * ruff * fixes * demo fixes * fix tests * improve * cr * [Microsoft Defender XDR] Close Redirected Incidents (#41107) (#41148) Redirected incidents are also considered "closed". They should be closed. 
--------- Co-authored-by: enes-oezdemir <[email protected]> Co-authored-by: Niv Ben Salmon <[email protected]> * CIAC-9227 - 'Monday' [collection] new pack (#40684) * Initialize new Monday Pack + Implement auth logic for activity logs * Draft - fetch audit logs * DRAFT - fetch audit log (implement new last_run structure) * DRAFT: audit logs fetching - fix pagination and deduplication logic * fetch version for Audit logs after test+implement log deduplication mechanism using SHA-256 hashing * DRAFT: implement activity logs fetching and improve audit logs fetching logic * DRAFT: save access token to integration context and improve activity logs fetching * DRAFT: fix: handle duplicate logs and subtract epsilon timestamp from start parameter filter for including the same time logs * setting xsiam _time field by removing decimal places * improve logic + change parameter to single board id + add README files * refactor: support multiple board IDs for activity log fetching and improve duplicate log handling * refactor: standardize timestamp handling and improve debug logs in Monday integration * Adding tests for Audit logs * improve and fix logic + add type and time fields to dataset * implement test-connection command * Adding tests for Activity logs * refactor audit and activity log limit * refactor: clean up and improve code documentation after running pre-commit * refactor: implement ActivityLogsClient - BaseClient class * refactor: implement AuditLogsClient - BaseClient class * Fix TestGetAuditLogs according to the new Client change * refactor: fix tests according to the new client audit and activity class * fixing after pre-commit * update Monday pack metadata with supported modules and marketplaces * revert cs changes (mistake) * add debug prefix to Monday pack secrets ignore list * add secret to ignore * test: add connection testing and utility functions for Monday Event Collector * fix tests * update Monday integration Docker image to python3:3.12.11.4508456 * 
chore: add new secret pattern to Monday pack ignore list * fix secret error * fix: update start fetch time to 1 minute * remove TODO comments * fix: improve test connection error handling * fix: update secret field types from 4 to 9 * Bump pack version. (#40999) * empty commit * revert * Update Packs/Monday/README.md Co-authored-by: Richard Bluestone <[email protected]> * fixing after doc review * refactor: improve credentials handling and UI for Monday Event Collector integration * fix: revert triggers * fix: update test according to yml changes --------- Co-authored-by: Mike Rizzo <[email protected]> Co-authored-by: Richard Bluestone <[email protected]> * New Scripts: MissingElements (#41094) (#41124) * Initial commit * Typing resolved * Release notes updated * From version and no tests added * Changes Added --------- Co-authored-by: Mandar Naik <[email protected]> Co-authored-by: Yael Shamai <[email protected]> * bug-fix (#41156) * bug-fix - remove $top from unsupported urls. * Auto Updated Docker PR from 2025-09-04 GitLab Pipeline ID 4758737 (#41158) * Updated Docker Images. * Updated Release Notes. * Bump pack from version CommunityCommonScripts to 1.3.21. 
--------- Co-authored-by: content-bot <[email protected]> Co-authored-by: Content Bot <[email protected]> * Added Documentation (#41151) * Added Documentation * Fixed images path in README * Added Documentation * Fixed images path in README * Updated readme and playbook image * rn * rn * 1 1 99 --------- Co-authored-by: Mike Rizzo <[email protected]> Co-authored-by: Niv Ben Salmon <[email protected]> Co-authored-by: content-bot <[email protected]> Co-authored-by: adamlevymandiant <[email protected]> Co-authored-by: Adam Levy <[email protected]> Co-authored-by: Tal Zichlinsky <[email protected]> Co-authored-by: Richard Bluestone <[email protected]> Co-authored-by: Arad Carmi <[email protected]> Co-authored-by: Maya Goldman <[email protected]> Co-authored-by: Sapir Malka <[email protected]> Co-authored-by: julieschwartz18 <[email protected]> Co-authored-by: Content Bot <[email protected]> Co-authored-by: Dan Tavori <[email protected]> Co-authored-by: rshunim <[email protected]> Co-authored-by: akshotiamit-pa <[email protected]> Co-authored-by: yedidyacohenpalo <[email protected]> Co-authored-by: yuvalbenshalom <[email protected]> Co-authored-by: ellopez777 <[email protected]> Co-authored-by: Moshe Eichler <[email protected]> Co-authored-by: almog2296 <[email protected]> Co-authored-by: Shelly Tzohar <[email protected]> Co-authored-by: Yuval Hayun <[email protected]> Co-authored-by: asavenokPAN <[email protected]> Co-authored-by: Yael Shamai <[email protected]> Co-authored-by: yshamai <[email protected]> Co-authored-by: aneeshamore <[email protected]> Co-authored-by: Jacob Levy <[email protected]> Co-authored-by: Yehuda Rosenberg <[email protected]> Co-authored-by: enes-oezdemir <[email protected]> Co-authored-by: lironcohen272 <[email protected]> Co-authored-by: Mandar Naik <[email protected]> Co-authored-by: hyaffe839 <[email protected]> Co-authored-by: content-bot <[email protected]>
1 parent f569eb4 commit 6c1a58b


4 files changed: +9 -3 lines changed

Packs/CortexResponseAndRemediation/Playbooks/playbook-SPNs_cleared_from_a_machine_account_README.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,6 @@ Playbook Stages:
88
Triage:
99

1010
- Retrieve additional data about the Account Changed event, including the Machine Account whose SPNs were cleared and the number of times the user cleared SPNs in the last 30 days.
11-
1211
Investigation:
1312

1413
- Search for creation of suspicious account on the Domain Controller.
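Review bot: the only change in this hunk is the removal of the blank line at old line 11, between the Triage bullet and the "Investigation:" heading; the Triage wording itself is untouched. Since the same commit swaps `ad-disable-account` for `disable-user` and adds `IncreaseAlertSeverity` further down this README, confirm that the Triage and Investigation stage descriptions still match the refactored playbook, and keep the blank line if the Markdown renderer needs it to end the list before the heading.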
@@ -42,13 +41,14 @@ This playbook does not use any integrations.
4241

4342
### Scripts
4443

44+
* IncreaseAlertSeverity
4545
* SearchAlertsV2
4646
* Set
4747
* SetAndHandleEmpty
48+
* disable-user
4849

4950
### Commands
5051

51-
* ad-disable-account
5252
* closeInvestigation
5353
* core-get-cloud-original-alerts
5454

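Review bot: `disable-user` is added under "### Scripts" (new line 48) while `ad-disable-account` is removed from "### Commands" (old line 51); `disable-user` follows the lowercase hyphenated naming of the commands in the section below (`ad-disable-account`, `core-get-cloud-original-alerts`) rather than the CamelCase of the scripts it is listed with (`IncreaseAlertSeverity`, `SetAndHandleEmpty`), so it reads as a command and should be moved to "### Commands" unless a script of that exact name exists. The unchanged context line "This playbook does not use any integrations." also sits above a command list that includes `core-get-cloud-original-alerts` and the account-disable command, both of which need an integration instance to run, so either revise that sentence or state which integrations the commands require.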
Lines changed: 6 additions & 0 deletions
@@ -0,0 +1,6 @@
1+
2+
#### Playbooks
3+
4+
##### SPNs cleared from a machine account
5+
6+
- Updated the SPNs cleared from a machine account playbook with general improvements.
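Review bot: "general improvements" (line 6) does not tell a pack user what changed. The README hunk in this commit replaces `ad-disable-account` with `disable-user` and adds `IncreaseAlertSeverity`, and changing the disable command changes which integration the playbook depends on, so the release note should name both, e.g. "Replaced the ad-disable-account command with disable-user and added the IncreaseAlertSeverity script."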
9.95 KB

Packs/CortexResponseAndRemediation/pack_metadata.json

Lines changed: 1 addition & 1 deletion
@@ -2,7 +2,7 @@
22
"name": "Cortex Response And Remediation",
33
"description": "The Cortex Response & Remediation Pack delivers a powerful collection of automated playbooks designed to streamline incident response and remediation processes. Built to support an Autonomous SOC vision.",
44
"support": "xsoar",
5-
"currentVersion": "1.2.18",
5+
"currentVersion": "1.2.19",
66
"author": "Cortex XSOAR",
77
"url": "https://www.paloaltonetworks.com/cortex",
88
"email": "",
