From 49c4ba0e3b404ba678c5f8a6fd1396a1a0bc379b Mon Sep 17 00:00:00 2001 From: MLainer1 Date: Mon, 8 Sep 2025 12:05:39 +0300 Subject: [PATCH 1/5] fix: update Microsoft Defender ATP integration parameters to use encrypted types --- .../MicrosoftDefenderAdvancedThreatProtection.yml | 4 ++-- .../ReleaseNotes/1_20_9.md | 6 ++++++ .../pack_metadata.json | 2 +- 3 files changed, 9 insertions(+), 3 deletions(-) create mode 100644 Packs/MicrosoftDefenderAdvancedThreatProtection/ReleaseNotes/1_20_9.md diff --git a/Packs/MicrosoftDefenderAdvancedThreatProtection/Integrations/MicrosoftDefenderAdvancedThreatProtection/MicrosoftDefenderAdvancedThreatProtection.yml b/Packs/MicrosoftDefenderAdvancedThreatProtection/Integrations/MicrosoftDefenderAdvancedThreatProtection/MicrosoftDefenderAdvancedThreatProtection.yml index 45322f4b1ac3..597d40cf997f 100644 --- a/Packs/MicrosoftDefenderAdvancedThreatProtection/Integrations/MicrosoftDefenderAdvancedThreatProtection/MicrosoftDefenderAdvancedThreatProtection.yml +++ b/Packs/MicrosoftDefenderAdvancedThreatProtection/Integrations/MicrosoftDefenderAdvancedThreatProtection/MicrosoftDefenderAdvancedThreatProtection.yml @@ -26,12 +26,12 @@ configuration: required: false - display: ID name: _auth_id - type: 0 + type: 4 section: Connect required: false - display: Token name: _tenant_id - type: 0 + type: 4 section: Connect required: false - displaypassword: Key diff --git a/Packs/MicrosoftDefenderAdvancedThreatProtection/ReleaseNotes/1_20_9.md b/Packs/MicrosoftDefenderAdvancedThreatProtection/ReleaseNotes/1_20_9.md new file mode 100644 index 000000000000..05ac3447a268 --- /dev/null +++ b/Packs/MicrosoftDefenderAdvancedThreatProtection/ReleaseNotes/1_20_9.md @@ -0,0 +1,6 @@ + +#### Integrations + +##### Microsoft Defender for Endpoint + +- Updated the Microsoft Defender Advanced Threat Protection integration parameters: *ID*, *Token* to an encrypted types 
diff --git a/Packs/MicrosoftDefenderAdvancedThreatProtection/pack_metadata.json b/Packs/MicrosoftDefenderAdvancedThreatProtection/pack_metadata.json index 5e87352f4325..2b74dfd88685 100644 --- a/Packs/MicrosoftDefenderAdvancedThreatProtection/pack_metadata.json +++ b/Packs/MicrosoftDefenderAdvancedThreatProtection/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Microsoft Defender for Endpoint", "description": "Microsoft Defender for Endpoint (previously Microsoft Defender Advanced Threat Protection (ATP)) is a unified platform for preventative protection, post-breach detection, automated investigation, and response.", "support": "xsoar", - "currentVersion": "1.20.8", + "currentVersion": "1.20.9", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", From 866da381c13449f2641fa3dda7669cb8f5fe0d73 Mon Sep 17 00:00:00 2001 From: MLainer1 Date: Mon, 8 Sep 2025 13:02:56 +0300 Subject: [PATCH 2/5] fix: update auth parameter types to encrypted and fix password retrieval in Microsoft Defender ATP --- .../MicrosoftDefenderAdvancedThreatProtection.py | 4 ++-- .../MicrosoftDefenderAdvancedThreatProtection.yml | 8 +++++--- .../ReleaseNotes/1_20_9.md | 1 + 3 files changed, 8 insertions(+), 5 deletions(-) diff --git a/Packs/MicrosoftDefenderAdvancedThreatProtection/Integrations/MicrosoftDefenderAdvancedThreatProtection/MicrosoftDefenderAdvancedThreatProtection.py b/Packs/MicrosoftDefenderAdvancedThreatProtection/Integrations/MicrosoftDefenderAdvancedThreatProtection/MicrosoftDefenderAdvancedThreatProtection.py index fc941c8f9f92..be6f3b6bd529 100644 --- a/Packs/MicrosoftDefenderAdvancedThreatProtection/Integrations/MicrosoftDefenderAdvancedThreatProtection/MicrosoftDefenderAdvancedThreatProtection.py +++ b/Packs/MicrosoftDefenderAdvancedThreatProtection/Integrations/MicrosoftDefenderAdvancedThreatProtection/MicrosoftDefenderAdvancedThreatProtection.py 
@@ -6129,8 +6129,8 @@ def main(): # pragma: no cover
     params_endpoint_type = params.get("endpoint_type") or "Worldwide"
     params_url = params.get("url")
     is_gcc = params.get("is_gcc", False)
-    tenant_id = params.get("tenant_id") or params.get("_tenant_id")
-    auth_id = params.get("_auth_id") or params.get("auth_id")
+    tenant_id = params.get("tenant_id") or params.get("_tenant_id", {}).get("password")
+    auth_id = params.get("_auth_id", {}).get("password") or params.get("auth_id")
     enc_key = (params.get("credentials") or {}).get("password") or params.get("enc_key")
     use_ssl: bool = not params.get("insecure", False)
     proxy: bool = params.get("proxy", False)
diff --git a/Packs/MicrosoftDefenderAdvancedThreatProtection/Integrations/MicrosoftDefenderAdvancedThreatProtection/MicrosoftDefenderAdvancedThreatProtection.yml b/Packs/MicrosoftDefenderAdvancedThreatProtection/Integrations/MicrosoftDefenderAdvancedThreatProtection/MicrosoftDefenderAdvancedThreatProtection.yml
index 597d40cf997f..8f2cf266376c 100644
--- a/Packs/MicrosoftDefenderAdvancedThreatProtection/Integrations/MicrosoftDefenderAdvancedThreatProtection/MicrosoftDefenderAdvancedThreatProtection.yml
+++ b/Packs/MicrosoftDefenderAdvancedThreatProtection/Integrations/MicrosoftDefenderAdvancedThreatProtection/MicrosoftDefenderAdvancedThreatProtection.yml
@@ -26,12 +26,14 @@ configuration:
   required: false
 - display: ID
   name: _auth_id
-  type: 4
+  type: 9
+  hiddenusername: true
   section: Connect
   required: false
 - display: Token
   name: _tenant_id
-  type: 4
+  type: 9
+  hiddenusername: true
   section: Connect
   required: false
 - displaypassword: Key
@@ -5815,7 +5817,7 @@ script:
     - contextPath: MicrosoftATP.PublicVulnerability.UpdatedOn
       description: The date and time when this vulnerability was last updated.
       type: String
-  dockerimage: demisto/crypto:1.0.0.3539024
+  dockerimage: demisto/crypto:1.0.0.4578119
   isfetch: true
   runonce: false
   script: '-'
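Review bot: The new `params.get("_tenant_id", {}).get("password")` and `params.get("_auth_id", {}).get("password")` lines only substitute `{}` when the key is absent; if the platform hands an unset credentials parameter over as `None` (not confirmed from here), `.get("password")` raises AttributeError before any readable configuration error can be produced. The `enc_key` line directly below already uses the None-safe form `(params.get("credentials") or {}).get("password")`, so the two new lines should match it: `tenant_id = params.get("tenant_id") or (params.get("_tenant_id") or {}).get("password")` and `auth_id = (params.get("_auth_id") or {}).get("password") or params.get("auth_id")`. main() starts and ends outside the hunk.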
diff --git a/Packs/MicrosoftDefenderAdvancedThreatProtection/ReleaseNotes/1_20_9.md b/Packs/MicrosoftDefenderAdvancedThreatProtection/ReleaseNotes/1_20_9.md index 05ac3447a268..f830d4c545c1 100644 --- a/Packs/MicrosoftDefenderAdvancedThreatProtection/ReleaseNotes/1_20_9.md +++ b/Packs/MicrosoftDefenderAdvancedThreatProtection/ReleaseNotes/1_20_9.md @@ -3,4 +3,5 @@ ##### Microsoft Defender for Endpoint +- Updated the Docker image to: *demisto/crypto:1.0.0.4578119*. - Updated the Microsoft Defender Advanced Threat Protection integration parameters: *ID*, *Token* to an encrypted types From 2a5f39774bb2485082fbc67e184d3fe0dadce01c Mon Sep 17 00:00:00 2001 From: MLainer1 Date: Mon, 8 Sep 2025 13:22:49 +0300 Subject: [PATCH 3/5] fix: change display to displaypassword for hidden auth fields in Microsoft Defender ATP integration --- .../MicrosoftDefenderAdvancedThreatProtection.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Packs/MicrosoftDefenderAdvancedThreatProtection/Integrations/MicrosoftDefenderAdvancedThreatProtection/MicrosoftDefenderAdvancedThreatProtection.yml b/Packs/MicrosoftDefenderAdvancedThreatProtection/Integrations/MicrosoftDefenderAdvancedThreatProtection/MicrosoftDefenderAdvancedThreatProtection.yml index 8f2cf266376c..bf27b37f62da 100644 --- a/Packs/MicrosoftDefenderAdvancedThreatProtection/Integrations/MicrosoftDefenderAdvancedThreatProtection/MicrosoftDefenderAdvancedThreatProtection.yml +++ b/Packs/MicrosoftDefenderAdvancedThreatProtection/Integrations/MicrosoftDefenderAdvancedThreatProtection/MicrosoftDefenderAdvancedThreatProtection.yml @@ -24,13 +24,13 @@ configuration: - Custom advanced: true required: false -- display: ID +- displaypassword: ID name: _auth_id type: 9 hiddenusername: true section: Connect required: false -- display: Token +- displaypassword: Token name: _tenant_id type: 9 hiddenusername: true From baa4bd80600109039e69abf608520f8c3f416eb5 Mon Sep 17 00:00:00 2001 
From: MLainer1 Date: Mon, 8 Sep 2025 13:40:58 +0300 Subject: [PATCH 4/5] fix: replace deprecated _pytest.python_api.raises with pytest.raises --- .../MicrosoftDefenderAdvancedThreatProtection_test.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/Packs/MicrosoftDefenderAdvancedThreatProtection/Integrations/MicrosoftDefenderAdvancedThreatProtection/MicrosoftDefenderAdvancedThreatProtection_test.py b/Packs/MicrosoftDefenderAdvancedThreatProtection/Integrations/MicrosoftDefenderAdvancedThreatProtection/MicrosoftDefenderAdvancedThreatProtection_test.py index 65c87e97543d..67916da24f86 100644 --- a/Packs/MicrosoftDefenderAdvancedThreatProtection/Integrations/MicrosoftDefenderAdvancedThreatProtection/MicrosoftDefenderAdvancedThreatProtection_test.py +++ b/Packs/MicrosoftDefenderAdvancedThreatProtection/Integrations/MicrosoftDefenderAdvancedThreatProtection/MicrosoftDefenderAdvancedThreatProtection_test.py @@ -5,7 +5,6 @@ import demistomock as demisto import pytest import requests_mock -from _pytest.python_api import raises from CommonServerPython import DemistoException, snakify from freezegun import freeze_time from MicrosoftDefenderAdvancedThreatProtection import ( @@ -1081,7 +1080,9 @@ def test_add_error_message(failed_devices, all_requested_devices, expected_resul def test_add_error_message_raise_error(failed_devices, all_requested_devices): from MicrosoftDefenderAdvancedThreatProtection import add_error_message - with raises(DemistoException, match=f"Microsoft Defender ATP The command was failed with the errors: {failed_devices}"): + with pytest.raises( + DemistoException, match=f"Microsoft Defender ATP The command was failed with the errors: {failed_devices}" + ): add_error_message(failed_devices, all_requested_devices) From 17bc77201a86d01c05a6a3dea2a5202b5d616eba Mon Sep 17 00:00:00 2001 
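Review bot: The `match=` argument of the new `pytest.raises(...)` call is a regular expression, and `failed_devices` is interpolated into it unescaped; a parametrized value whose repr contains `[`, `(` or `+` can make the pattern miss (or raise `re.error`) even though the exception message is exactly right, so the test would fail for the wrong reason. Escape it: `match=re.escape(f"Microsoft Defender ATP The command was failed with the errors: {failed_devices}")`, adding `import re` to the module imports if it is not already there. The `@pytest.mark.parametrize` decorator that feeds this test sits above the hunk.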
From: MLainer1
Date: Wed, 10 Sep 2025 14:05:20 +0300
Subject: [PATCH 5/5] Creating new parameters to avoid BC

---
 .../MicrosoftDefenderAdvancedThreatProtection.py  |  4 ++--
 ...MicrosoftDefenderAdvancedThreatProtection.yml  | 16 ++++++++++++++--
 .../ReleaseNotes/1_20_9.md                        |  2 +-
 3 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/Packs/MicrosoftDefenderAdvancedThreatProtection/Integrations/MicrosoftDefenderAdvancedThreatProtection/MicrosoftDefenderAdvancedThreatProtection.py b/Packs/MicrosoftDefenderAdvancedThreatProtection/Integrations/MicrosoftDefenderAdvancedThreatProtection/MicrosoftDefenderAdvancedThreatProtection.py
index be6f3b6bd529..ee01be7f0e5e 100644
--- a/Packs/MicrosoftDefenderAdvancedThreatProtection/Integrations/MicrosoftDefenderAdvancedThreatProtection/MicrosoftDefenderAdvancedThreatProtection.py
+++ b/Packs/MicrosoftDefenderAdvancedThreatProtection/Integrations/MicrosoftDefenderAdvancedThreatProtection/MicrosoftDefenderAdvancedThreatProtection.py
@@ -6129,8 +6129,8 @@ def main(): # pragma: no cover
     params_endpoint_type = params.get("endpoint_type") or "Worldwide"
     params_url = params.get("url")
     is_gcc = params.get("is_gcc", False)
-    tenant_id = params.get("tenant_id") or params.get("_tenant_id", {}).get("password")
-    auth_id = params.get("_auth_id", {}).get("password") or params.get("auth_id")
+    tenant_id = params.get("tenant_id") or params.get("_tenant_id") or params.get("_tenant_id_encrypted", {}).get("password")
+    auth_id = params.get("_auth_id") or params.get("auth_id") or params.get("_auth_id_encrypted", {}).get("password")
     enc_key = (params.get("credentials") or {}).get("password") or params.get("enc_key")
     use_ssl: bool = not params.get("insecure", False)
     proxy: bool = params.get("proxy", False)
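Review bot: The precedence in the new tenant_id/auth_id lines consults the legacy plaintext `_tenant_id`/`_auth_id` parameters before the new `_tenant_id_encrypted`/`_auth_id_encrypted` credentials; because this same series keeps the legacy parameters as hidden fields that presumably retain their stored value, an existing instance whose admin enters a rotated ID or tenant into the new encrypted field would still authenticate with the old plaintext value, and the migration would silently not take effect. Read the encrypted value first, and use the None-safe form the `enc_key` line below already uses, since `.get("_tenant_id_encrypted", {})` only yields `{}` when the key is absent and not when the platform passes `None`: `tenant_id = (params.get("_tenant_id_encrypted") or {}).get("password") or params.get("tenant_id") or params.get("_tenant_id")` and `auth_id = (params.get("_auth_id_encrypted") or {}).get("password") or params.get("_auth_id") or params.get("auth_id")`. main() starts and ends outside the hunk.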
diff --git a/Packs/MicrosoftDefenderAdvancedThreatProtection/Integrations/MicrosoftDefenderAdvancedThreatProtection/MicrosoftDefenderAdvancedThreatProtection.yml b/Packs/MicrosoftDefenderAdvancedThreatProtection/Integrations/MicrosoftDefenderAdvancedThreatProtection/MicrosoftDefenderAdvancedThreatProtection.yml
index bf27b37f62da..36248e743988 100644
--- a/Packs/MicrosoftDefenderAdvancedThreatProtection/Integrations/MicrosoftDefenderAdvancedThreatProtection/MicrosoftDefenderAdvancedThreatProtection.yml
+++ b/Packs/MicrosoftDefenderAdvancedThreatProtection/Integrations/MicrosoftDefenderAdvancedThreatProtection/MicrosoftDefenderAdvancedThreatProtection.yml
@@ -25,17 +25,29 @@ configuration:
   advanced: true
   required: false
 - displaypassword: ID
-  name: _auth_id
+  name: _auth_id_encrypted
   type: 9
   hiddenusername: true
   section: Connect
   required: false
 - displaypassword: Token
-  name: _tenant_id
+  name: _tenant_id_encrypted
   type: 9
   hiddenusername: true
   section: Connect
   required: false
+- display: ID
+  name: _auth_id
+  type: 0
+  section: Connect
+  required: false
+  hidden: true
+- display: Token
+  name: _tenant_id
+  type: 0
+  section: Connect
+  required: false
+  hidden: true
 - displaypassword: Key
   section: Connect
   name: credentials
diff --git a/Packs/MicrosoftDefenderAdvancedThreatProtection/ReleaseNotes/1_20_9.md b/Packs/MicrosoftDefenderAdvancedThreatProtection/ReleaseNotes/1_20_9.md
index f830d4c545c1..a603ec74fe2b 100644
--- a/Packs/MicrosoftDefenderAdvancedThreatProtection/ReleaseNotes/1_20_9.md
+++ b/Packs/MicrosoftDefenderAdvancedThreatProtection/ReleaseNotes/1_20_9.md
@@ -4,4 +4,4 @@
 ##### Microsoft Defender for Endpoint
 
 - Updated the Docker image to: *demisto/crypto:1.0.0.4578119*.
-- Updated the Microsoft Defender Advanced Threat Protection integration parameters: *ID*, *Token* to an encrypted types
+- Updated the Microsoft Defender Advanced Threat Protection integration parameters: *ID* and *Token* to be encrypted.
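Review bot: The legacy `_auth_id`/`_tenant_id` entries re-added with `hidden: true` and `type: 0` presumably keep the plaintext values already stored on existing instances, so the new type-9 fields only protect instances whose admin re-enters ID and Token there, and nothing in the hunk tells the admin that. Add an `additionalinfo` line to each of the two new type-9 parameters, e.g. `additionalinfo: Existing instances keep ID/Token in the previous plaintext fields until re-entered here; re-enter them and save to move them to encrypted storage.`, and word the release note to say the same rather than that the parameters are simply "encrypted". The `credentials` entry at the end of the hunk continues outside it.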