From 509903b7641cd238d7577974314830b5821c7b94 Mon Sep 17 00:00:00 2001
From: almog2296
Date: Sun, 7 Sep 2025 15:59:29 +0300
Subject: [PATCH 01/10] Commit
---
 Packs/AggregatedScripts/Scripts/GetUserData/GetUserData.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Packs/AggregatedScripts/Scripts/GetUserData/GetUserData.py b/Packs/AggregatedScripts/Scripts/GetUserData/GetUserData.py
index bae5d5cf60f6..18d4dfbd0d45 100644
--- a/Packs/AggregatedScripts/Scripts/GetUserData/GetUserData.py
+++ b/Packs/AggregatedScripts/Scripts/GetUserData/GetUserData.py
@@ -642,7 +642,7 @@ def main():
 modules=modules,
 brand_name="Active Directory Query v2",
 command_name="ad-get-user",
- arg_name="username",
+ arg_name="name",
 arg_value=user_name,
 cmd=ad_get_user,
 additional_fields=additional_fields,
From b457422ed1bddce9ea5c0160b45862421f4f765f Mon Sep 17 00:00:00 2001
From: almog2296
Date: Mon, 8 Sep 2025 10:56:17 +0300
Subject: [PATCH 02/10] Commit
---
 Packs/AggregatedScripts/Scripts/GetUserData/GetUserData.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Packs/AggregatedScripts/Scripts/GetUserData/GetUserData.py b/Packs/AggregatedScripts/Scripts/GetUserData/GetUserData.py
index 18d4dfbd0d45..bae5d5cf60f6 100644
--- a/Packs/AggregatedScripts/Scripts/GetUserData/GetUserData.py
+++ b/Packs/AggregatedScripts/Scripts/GetUserData/GetUserData.py
@@ -642,7 +642,7 @@ def main():
 modules=modules,
 brand_name="Active Directory Query v2",
 command_name="ad-get-user",
- arg_name="name",
+ arg_name="username",
 arg_value=user_name,
 cmd=ad_get_user,
 additional_fields=additional_fields,
From ee8f235d895b76f7e4073ce64e18981462e5cf1c Mon Sep 17 00:00:00 2001
From: almog2296
Date: Mon, 8 Sep 2025 16:24:59 +0300
Subject: [PATCH 03/10] Chnaged argname under ad-get-user
---
 Packs/AggregatedScripts/Scripts/GetUserData/GetUserData.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
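Review bot: The `arg_name` passed for `ad-get-user` at line 642 is switched to `name` in PATCH 01 and back to `username` in PATCH 02, and nothing at the call site records which one is intended or why. The release note added later in this series says the Active Directory search should use the username argument, so a short comment above the keyword would stop the swap from recurring: `# ad-get-user: search by "username"; "name" is a different lookup and presumably matches another directory attribute`. Both hunks sit inside main(), which starts and ends outside them, so the branch that reaches this call is not visible here.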
diff --git a/Packs/AggregatedScripts/Scripts/GetUserData/GetUserData.py b/Packs/AggregatedScripts/Scripts/GetUserData/GetUserData.py
index bae5d5cf60f6..993537b401a5 100644
--- a/Packs/AggregatedScripts/Scripts/GetUserData/GetUserData.py
+++ b/Packs/AggregatedScripts/Scripts/GetUserData/GetUserData.py
@@ -767,7 +767,7 @@ def main():
 modules=modules,
 brand_name="Active Directory Query v2",
 command_name="ad-get-user",
- arg_name="name",
+ arg_name="username",
 arg_value=user_name.split("\\")[1],
 cmd=ad_get_user,
 additional_fields=additional_fields,
From 440b08108a466aec5fd736b64c0a6cfbf3ec1d56 Mon Sep 17 00:00:00 2001
From: almog2296
Date: Mon, 8 Sep 2025 16:30:28 +0300
Subject: [PATCH 04/10] Update release notes
---
 Packs/AggregatedScripts/ReleaseNotes/1_1_10.md | 6 ++++++
 Packs/AggregatedScripts/pack_metadata.json | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)
 create mode 100644 Packs/AggregatedScripts/ReleaseNotes/1_1_10.md
diff --git a/Packs/AggregatedScripts/ReleaseNotes/1_1_10.md b/Packs/AggregatedScripts/ReleaseNotes/1_1_10.md
new file mode 100644
index 000000000000..8bd4493e3cf6
--- /dev/null
+++ b/Packs/AggregatedScripts/ReleaseNotes/1_1_10.md
@@ -0,0 +1,6 @@
+
+#### Scripts
+
+##### get-user-data
+
+- Fixed the get-user-data script to search Active Directory using the username argument instead of the name argument.
diff --git a/Packs/AggregatedScripts/pack_metadata.json b/Packs/AggregatedScripts/pack_metadata.json
index 4cada985a137..5f19cadaf3d5 100644
--- a/Packs/AggregatedScripts/pack_metadata.json
+++ b/Packs/AggregatedScripts/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Aggregated Scripts",
 "description": "A pack containing all aggregated scripts.",
 "support": "xsoar",
- "currentVersion": "1.1.7",
+ "currentVersion": "1.1.10",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
From 450498d842f83052963a245e7c8abf817f623c9f Mon Sep 17 00:00:00 2001
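Review bot: In the PATCH 03 hunk (line 767), `arg_value=user_name.split("\\")[1]` keeps only the second backslash-separated piece, so the domain is discarded and an input ending in a backslash would send an empty `username` to `ad-get-user`. Now that the lookup key is `username`, the same short account name in two domains cannot be told apart by this call, which matters when the result is used to attribute activity to a person; a comment such as `# DOMAIN\user: the domain prefix is dropped, lookup is by account name only` would make that explicit. The condition that selects this branch is in main() outside the hunk, so an emptiness check may already exist there; if it does not, skip the call when the part after the backslash is empty.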
From: almog2296
Date: Wed, 10 Sep 2025 10:00:48 +0300
Subject: [PATCH 05/10] Merged From Master
---
 Packs/AggregatedScripts/ReleaseNotes/1_1_11.md | 6 ++++++
 Packs/AggregatedScripts/pack_metadata.json | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)
 create mode 100644 Packs/AggregatedScripts/ReleaseNotes/1_1_11.md
diff --git a/Packs/AggregatedScripts/ReleaseNotes/1_1_11.md b/Packs/AggregatedScripts/ReleaseNotes/1_1_11.md
new file mode 100644
index 000000000000..8bd4493e3cf6
--- /dev/null
+++ b/Packs/AggregatedScripts/ReleaseNotes/1_1_11.md
@@ -0,0 +1,6 @@
+
+#### Scripts
+
+##### get-user-data
+
+- Fixed the get-user-data script to search Active Directory using the username argument instead of the name argument.
diff --git a/Packs/AggregatedScripts/pack_metadata.json b/Packs/AggregatedScripts/pack_metadata.json
index 5f19cadaf3d5..2e481d061cc1 100644
--- a/Packs/AggregatedScripts/pack_metadata.json
+++ b/Packs/AggregatedScripts/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Aggregated Scripts",
 "description": "A pack containing all aggregated scripts.",
 "support": "xsoar",
- "currentVersion": "1.1.10",
+ "currentVersion": "1.1.11",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
From 3e78fdff149b6f76dd320aec71baad981a6c651f Mon Sep 17 00:00:00 2001
From: Content Bot
Date: Wed, 10 Sep 2025 07:22:55 +0000
Subject: [PATCH 06/10] Bump pack from version AggregatedScripts to 1.1.12.
---
 Packs/AggregatedScripts/ReleaseNotes/1_1_12.md | 6 ++++++
 Packs/AggregatedScripts/pack_metadata.json | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)
 create mode 100644 Packs/AggregatedScripts/ReleaseNotes/1_1_12.md
diff --git a/Packs/AggregatedScripts/ReleaseNotes/1_1_12.md b/Packs/AggregatedScripts/ReleaseNotes/1_1_12.md
new file mode 100644
index 000000000000..8bd4493e3cf6
--- /dev/null
+++ b/Packs/AggregatedScripts/ReleaseNotes/1_1_12.md
@@ -0,0 +1,6 @@
+
+#### Scripts
+
+##### get-user-data
+
+- Fixed the get-user-data script to search Active Directory using the username argument instead of the name argument.
diff --git a/Packs/AggregatedScripts/pack_metadata.json b/Packs/AggregatedScripts/pack_metadata.json
index 2e481d061cc1..2c722613f6f5 100644
--- a/Packs/AggregatedScripts/pack_metadata.json
+++ b/Packs/AggregatedScripts/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Aggregated Scripts",
 "description": "A pack containing all aggregated scripts.",
 "support": "xsoar",
- "currentVersion": "1.1.11",
+ "currentVersion": "1.1.12",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
From 9688fd72bc7e38afc19b4de4cf935bd361cb3551 Mon Sep 17 00:00:00 2001
From: almog2296
Date: Thu, 11 Sep 2025 14:08:28 +0300
Subject: [PATCH 07/10] Update Packs/AggregatedScripts/ReleaseNotes/1_1_12.md
Co-authored-by: Shelly Tzohar <45915502+Shellyber@users.noreply.github.com>
---
 Packs/AggregatedScripts/ReleaseNotes/1_1_12.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Packs/AggregatedScripts/ReleaseNotes/1_1_12.md b/Packs/AggregatedScripts/ReleaseNotes/1_1_12.md
index 8bd4493e3cf6..eabe2bbd2139 100644
--- a/Packs/AggregatedScripts/ReleaseNotes/1_1_12.md
+++ b/Packs/AggregatedScripts/ReleaseNotes/1_1_12.md
@@ -3,4 +3,4 @@
 ##### get-user-data
-- Fixed the get-user-data script to search Active Directory using the username argument instead of the name argument.
+- Fixed the **get-user-data** script to search Active Directory using the *username* argument instead of the name argument.
From d63510597af950e9d244ecf76c33e72d0c13bbf2 Mon Sep 17 00:00:00 2001
From: almog2296
Date: Sun, 14 Sep 2025 09:18:12 +0300
Subject: [PATCH 08/10] added tests
---
 .../Scripts/GetUserData/GetUserData_test.py | 194 ++++++++++++++++++
 1 file changed, 194 insertions(+)
diff --git a/Packs/AggregatedScripts/Scripts/GetUserData/GetUserData_test.py b/Packs/AggregatedScripts/Scripts/GetUserData/GetUserData_test.py
index 892f0884778f..8d89f79030d7 100644
--- a/Packs/AggregatedScripts/Scripts/GetUserData/GetUserData_test.py
+++ b/Packs/AggregatedScripts/Scripts/GetUserData/GetUserData_test.py
@@ -1,4 +1,5 @@
 import demistomock as demisto
+import pytest
 from CommonServerPython import *
 from GetUserData import (
 Command,
@@ -2138,3 +2139,196 @@ def test_run_list_users_command_empty_outputs_from_api(mocker: MockerFixture):
 assert len(users) == 2 # Both emails marked as not found
 assert all(user["Status"] == "not found" for user in users)
 assert {user["Email"] for user in users} == set(email_list)
+
+
+# --- helpers to mute all other adapters so main can run quietly ---
+def _mute_all_other_adapters(mocker: MockerFixture, except_fn: str | None = None):
+ fns = {
+ "ad_get_user",
+ "okta_get_user",
+ "aws_iam_get_user",
+ "msgraph_user_get",
+ "prisma_cloud_get_user",
+ "iam_get_user", # <- shared by Okta IAM and AWS-ILM
+ "gsuite_get_user",
+ "azure_get_risky_user",
+ }
+ for fn in fns:
+ if fn == except_fn:
+ continue
+ mocker.patch(f"GetUserData.{fn}", return_value=([], []))
+
+
+# -------------- Testing Calling the right argument per command --------------
+# ---------- Username flows (no domain) ----------
+@pytest.mark.parametrize(
+ "brand_name,command_name,adapter_fn,expected_key,expected_value",
+ [
+ ("Active Directory Query v2", "ad-get-user", "ad_get_user", "username", "alice"),
+ ("Okta v2", "okta-get-user", "okta_get_user", "username", "alice"),
+ ("AWS - IAM", "aws-iam-get-user", "aws_iam_get_user", "userName", "alice"),
+ ("Microsoft Graph User", "msgraph-user-get", "msgraph_user_get", "user", "alice"),
+ ("PrismaCloud v2", "prisma-cloud-users-list", "prisma_cloud_get_user", "usernames", "alice"),
+ ("Okta IAM", "iam-get-user", "iam_get_user", "user-profile", '{"login":"alice"}'),
+ ("AWS-ILM", "iam-get-user", "iam_get_user", "user-profile", '{"login":"alice"}'),
+ ],
+)
+def test_username_arg_mapping_to_adapter(
+ mocker: MockerFixture, brand_name, command_name, adapter_fn, expected_key, expected_value
+):
+ """
+ Given:
+ - calling get-user-data with username = alice.
+ - brand_name = brand_name.
+ When:
+ - main() executes by username flows.
+ Then:
+ - The right command is being called with the right argument name.
+ """
+ mocker.patch.object(demisto, "args", return_value={"user_name": ["alice"]})
+ mocker.patch.object(demisto, "getModules", return_value={})
+ mocker.patch.object(Modules, "is_brand_in_brands_to_run", return_value=True)
+ mocker.patch.object(Modules, "is_brand_available", return_value=True)
+ mocker.patch("GetUserData.get_core_and_xdr_data", return_value=([], []))
+ mocker.patch("GetUserData.return_results")
+
+ _mute_all_other_adapters(mocker, except_fn=adapter_fn)
+ seen = {"ok": False}
+
+ def _assert_adapter(command: Command, additional_fields: bool):
+ # Only assert for the exact brand+command under test; ignore other calls to the same adapter.
+ if command.brand != brand_name or command.name != command_name:
+ return ([], [])
+ assert command.args.get(expected_key) == expected_value
+ assert command.args.get("using-brand") == brand_name
+ if expected_key == "username":
+ assert "name" not in command.args # regression guard
+ seen["ok"] = True
+ return ([], [])
+
+ mocker.patch(f"GetUserData.{adapter_fn}", side_effect=_assert_adapter)
+ main()
+ assert seen["ok"] is True
+
+
+# ---------- Username flow with domain prefix (DOMAIN\\username) ----------
+def test_domain_username_branch_uses_username_key_for_ad(mocker: MockerFixture):
+ """
+ Given:
+ - calling get-user-data with username = ACME\\alice.
+ - brand_name = brand_name.
+ When:
+ - main() executes by username flows.
+ Then:
+ - The right command is being called with the right argument name.
+ """
+ mocker.patch.object(demisto, "args", return_value={"user_name": ["ACME\\alice"]})
+ mocker.patch.object(demisto, "getModules", return_value={})
+ mocker.patch.object(Modules, "is_brand_in_brands_to_run", return_value=True)
+ mocker.patch.object(Modules, "is_brand_available", return_value=True)
+ mocker.patch("GetUserData.get_core_and_xdr_data", return_value=([], []))
+ mocker.patch("GetUserData.return_results")
+
+ _mute_all_other_adapters(mocker, except_fn="ad_get_user")
+ hit = {"seen": False}
+
+ def _assert_ad(command: Command, additional_fields: bool):
+ if command.brand != "Active Directory Query v2" or command.name != "ad-get-user":
+ return ([], [])
+ assert command.args.get("username") == "alice"
+ assert "name" not in command.args
+ assert command.args.get("using-brand") == "Active Directory Query v2"
+ hit["seen"] = True
+ return ([], [])
+
+ mocker.patch("GetUserData.ad_get_user", side_effect=_assert_ad)
+ main()
+ assert hit["seen"] is True
+
+
+# ---------- User ID flows ----------
+@pytest.mark.parametrize(
+ "brand_name,command_name,adapter_fn,expected_key,expected_value",
+ [
+ ("Okta v2", "okta-get-user", "okta_get_user", "userId", "u123"),
+ ("Microsoft Graph User", "msgraph-user-get", "msgraph_user_get", "user", "u123"),
+ ("AzureRiskyUsers", "azure-risky-user-get", "azure_get_risky_user", "id", "u123"),
+ ("Okta IAM", "iam-get-user", "iam_get_user", "user-profile", '{"id":"u123"}'),
+ ("AWS-ILM", "iam-get-user", "iam_get_user", "user-profile", '{"id":"u123"}'),
+ ("GSuiteAdmin", "gsuite-user-get", "gsuite_get_user", "user", "u123"),
+ ],
+)
+def test_userid_arg_mapping_to_adapter(mocker: MockerFixture, brand_name, command_name, adapter_fn, expected_key, expected_value):
+ """
+ Given:
+ - calling get-user-data with user_id = u123.
+ - brand_name = brand_name.
+ When:
+ -main() executes by user ID flows.
+ Then:
+ - The right command is being called with the right argument name.
+ """
+ mocker.patch.object(demisto, "args", return_value={"user_id": ["u123"]})
+ mocker.patch.object(demisto, "getModules", return_value={})
+ mocker.patch.object(Modules, "is_brand_in_brands_to_run", return_value=True)
+ mocker.patch.object(Modules, "is_brand_available", return_value=True)
+ mocker.patch("GetUserData.get_core_and_xdr_data", return_value=([], []))
+ mocker.patch("GetUserData.return_results")
+
+ _mute_all_other_adapters(mocker, except_fn=adapter_fn)
+ seen = {"ok": False}
+
+ def _assert_adapter(command: Command, additional_fields: bool):
+ if command.brand != brand_name or command.name != command_name:
+ return ([], [])
+ assert command.args.get(expected_key) == expected_value
+ assert command.args.get("using-brand") == brand_name
+ seen["ok"] = True
+ return ([], [])
+
+ mocker.patch(f"GetUserData.{adapter_fn}", side_effect=_assert_adapter)
+ main()
+ assert seen["ok"] is True
+
+
+# ---------- Email flows ----------
+@pytest.mark.parametrize(
+ "brand_name,command_name,adapter_fn,expected_key,expected_value",
+ [
+ ("Active Directory Query v2", "ad-get-user", "ad_get_user", "email", "john@example.com"),
+ ("Okta IAM", "iam-get-user", "iam_get_user", "user-profile", '{"email":"john@example.com"}'),
+ ("AWS-ILM", "iam-get-user", "iam_get_user", "user-profile", '{"email":"john@example.com"}'),
+ ("GSuiteAdmin", "gsuite-user-get", "gsuite_get_user", "user", "john@example.com"),
+ ],
+)
+def test_email_arg_mapping_to_adapter(mocker: MockerFixture, brand_name, command_name, adapter_fn, expected_key, expected_value):
+ """
+ Given:
+ - calling get-user-data with user_email = john@example.com.
+ - brand_name = brand_name.
+ When:
+ - main() executes by email flows.
+ Then:
+ - The right command is being called with the right argument name.
+ """
+ mocker.patch.object(demisto, "args", return_value={"user_email": ["john@example.com"]})
+ mocker.patch.object(demisto, "getModules", return_value={})
+ mocker.patch.object(Modules, "is_brand_in_brands_to_run", return_value=True)
+ mocker.patch.object(Modules, "is_brand_available", return_value=True)
+ mocker.patch("GetUserData.get_core_and_xdr_data", return_value=([], []))
+ mocker.patch("GetUserData.return_results")
+
+ _mute_all_other_adapters(mocker, except_fn=adapter_fn)
+ seen = {"ok": False}
+
+ def _assert_adapter(command: Command, additional_fields: bool):
+ if command.brand != brand_name or command.name != command_name:
+ return ([], [])
+ assert command.args.get(expected_key) == expected_value
+ assert command.args.get("using-brand") == brand_name
+ seen["ok"] = True
+ return ([], [])
+
+ mocker.patch(f"GetUserData.{adapter_fn}", side_effect=_assert_adapter)
+ main()
+ assert seen["ok"] is True
From 100055090cd769efc2d3f821e871fd509b527060 Mon Sep 17 00:00:00 2001
From: Content Bot
Date: Sun, 14 Sep 2025 11:15:06 +0000
Subject: [PATCH 09/10] Bump pack from version AggregatedScripts to 1.1.14.
---
 Packs/AggregatedScripts/ReleaseNotes/1_1_14.md | 6 ++++++
 Packs/AggregatedScripts/pack_metadata.json | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)
 create mode 100644 Packs/AggregatedScripts/ReleaseNotes/1_1_14.md
diff --git a/Packs/AggregatedScripts/ReleaseNotes/1_1_14.md b/Packs/AggregatedScripts/ReleaseNotes/1_1_14.md
new file mode 100644
index 000000000000..eabe2bbd2139
--- /dev/null
+++ b/Packs/AggregatedScripts/ReleaseNotes/1_1_14.md
@@ -0,0 +1,6 @@
+
+#### Scripts
+
+##### get-user-data
+
+- Fixed the **get-user-data** script to search Active Directory using the *username* argument instead of the name argument.
diff --git a/Packs/AggregatedScripts/pack_metadata.json b/Packs/AggregatedScripts/pack_metadata.json
index b32dbc65226b..c7602556eda5 100644
--- a/Packs/AggregatedScripts/pack_metadata.json
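Review bot: `test_domain_username_branch_uses_username_key_for_ad` exercises only the well-formed value `ACME\\alice`, so the domain branch is never run with an empty account part (`ACME\\`) or with more than one backslash. Parametrizing the test over the raw value and the expected `username`, e.g. `@pytest.mark.parametrize("raw,expected", [("ACME\\alice", "alice")])`, leaves room to add those rows once the intended behaviour for them is decided. Its docstring also says `brand_name = brand_name` although this test is not parametrized by brand; `- brand = Active Directory Query v2.` states what is actually checked. The three `_assert_adapter` tests repeat the same setup block and could share one fixture, but that is secondary.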
+++ b/Packs/AggregatedScripts/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Aggregated Scripts",
 "description": "A pack containing all aggregated scripts.",
 "support": "xsoar",
- "currentVersion": "1.1.13",
+ "currentVersion": "1.1.14",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
From d16e52fb6a728329b297db46d49ae902ae555c9a Mon Sep 17 00:00:00 2001
From: almog2296
Date: Mon, 15 Sep 2025 10:50:41 +0300
Subject: [PATCH 10/10] update relesae notes
---
 Packs/AggregatedScripts/ReleaseNotes/1_1_12.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Packs/AggregatedScripts/ReleaseNotes/1_1_12.md b/Packs/AggregatedScripts/ReleaseNotes/1_1_12.md
index eabe2bbd2139..fc4c270ac56f 100644
--- a/Packs/AggregatedScripts/ReleaseNotes/1_1_12.md
+++ b/Packs/AggregatedScripts/ReleaseNotes/1_1_12.md
@@ -3,4 +3,4 @@
 ##### get-user-data
-- Fixed the **get-user-data** script to search Active Directory using the *username* argument instead of the name argument.
+- Added the option to search for a user by email using the `Okta v2` integration.