Support multiple drilldown searches response (demisto#34327)
* handled more than one drilldown search

* Change the Submitted condition

* Edited handle submitted notables

* Edited SplunkShowDrilldown script

* Fixed the to_incident function to keep BC

* Present Results by Search Query

* limit results table to a const

* Use time frame of multiple drilldowns

* added query name to the context and layout

* added query name to the layout

* Changed comment wordings

* Removed unnecessary function

* removed unnecessary loop

* parse query name

* Improved layout

* Comments Improvements

* Added docs

* Added the RN file

* fix comment

* Updated the docker image

* pre-commit changes

* Fixed too long lines

* Fixed timeframe test

* Improve readme reference

* fixed drilldown_enrichment function

* Fixed drilldown_enrichment function for unsuccessful enrichments

* Fixed RN

* pre commit fixes

* Removed unnecessary debug message

* failed_to_submit condition change

* added unit tests

* Added Unit Tests

* pre commit fixes

* pre commit fixes

* pre commit more fixes

* pre commit more fixes

* Added unit tests for SplunkShowDrilldown script

* pre commit fixes

* Fixed the Submitted condition

* Improved logs

* pre commit fixes

* fixed explanation

* Added info level log

* Pre commit fixes

* Improved the call to parse a query name

* Update Packs/SplunkPy/Integrations/SplunkPy/README.md

Co-authored-by: ShirleyDenkberg <[email protected]>

* Update Packs/SplunkPy/Integrations/SplunkPy/README.md

Co-authored-by: ShirleyDenkberg <[email protected]>

* Update Packs/SplunkPy/Integrations/SplunkPy/README.md

Co-authored-by: ShirleyDenkberg <[email protected]>

* Update Packs/SplunkPy/Integrations/SplunkPy/SplunkPy.yml

Co-authored-by: ShirleyDenkberg <[email protected]>

* Update Packs/SplunkPy/Integrations/SplunkPy/SplunkPy_description.md

Co-authored-by: ShirleyDenkberg <[email protected]>

* Update Packs/SplunkPy/Integrations/SplunkPy/SplunkPy_description.md

Co-authored-by: ShirleyDenkberg <[email protected]>

* Update Packs/SplunkPy/Integrations/SplunkPy/SplunkPy_description.md

Co-authored-by: ShirleyDenkberg <[email protected]>

* Update Packs/SplunkPy/ReleaseNotes/3_1_28.md

Co-authored-by: ShirleyDenkberg <[email protected]>

* Edited the description of 'Number of Events Per Enrichment Type' param

* change info level to error level

* Changed the structure of the drilldown search results

* Pre-commit fixes

* Update Packs/SplunkPy/Integrations/SplunkPy/README.md

Co-authored-by: yuvalbenshalom <[email protected]>

* Update Packs/SplunkPy/Integrations/SplunkPy/README.md

Co-authored-by: yuvalbenshalom <[email protected]>

* Update Packs/SplunkPy/Integrations/SplunkPy/SplunkPy.py

Co-authored-by: yuvalbenshalom <[email protected]>

* Removed temp const

* Added BC json to the RN

* Added ids to the unit tests

---------

Co-authored-by: ShirleyDenkberg <[email protected]>
Co-authored-by: yuvalbenshalom <[email protected]>
3 people authored Jun 6, 2024
1 parent f7bc008 commit bd9739e
Showing 12 changed files with 1,014 additions and 93 deletions.
1 change: 1 addition & 0 deletions Packs/SplunkPy/.pack-ignore
Expand Up @@ -18,6 +18,7 @@ splunk
splunkpy
hec
splunk-search
drilldown

[file:classifier-SplunkPy.json]
ignore=BA101
13 changes: 7 additions & 6 deletions Packs/SplunkPy/Integrations/SplunkPy/README.md
Expand Up @@ -3,7 +3,7 @@ Use the SplunkPy integration to:
- Push events from Cortex XSOAR to SplunkPy
- Fetch SplunkPy ES notable events as Cortex XSOAR incidents.

This integration was integrated and tested with Splunk Enterprise v9.0.4 and Enterprise Security v7.1.1.
This integration was integrated and tested with Splunk Enterprise v9.0.4 and Enterprise Security v7.2.0.

## Use Cases
---
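Review bot: the "tested with" line now names only Enterprise Security v7.2.0, dropping v7.1.1, but nothing in this hunk says whether earlier ES versions are still supported. Since the rest of this change introduces behaviour that only exists from ES v7.2.0 (multiple drilldown searches), either keep v7.1.1 in the tested list or add one sentence stating that older ES versions continue to work with the single-drilldown behaviour, so readers on 7.1.x do not assume the integration no longer supports them.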
Expand Down Expand Up @@ -46,11 +46,11 @@ This integration was integrated and tested with Splunk Enterprise v9.0.4 and Ent
| HEC Token (HTTP Event Collector) | | False |
| HEC Token (HTTP Event Collector) | | False |
| HEC BASE URL (e.g: https://localhost:8088 or https://example.splunkcloud.com/). | | False |
| Enrichment Types | Enrichment types to enrich each fetched notable. If none are selected, the integration will fetch notables as usual \(without enrichment\). For more info about enrichment types see the integration additional info. | False |
| Enrichment Types | Enrichment types to enrich each fetched notable. If none are selected, the integration will fetch notables as usual \(without enrichment\). Multiple drilldown searches enrichment is supported from Enterprise Security v7.2.0. For more info about enrichment types see [Enriching Notable Events](#enriching-notable-events). | False |
| Asset enrichment lookup tables | CSV of the Splunk lookup tables from which to take the Asset enrichment data. | False |
| Identity enrichment lookup tables | CSV of the Splunk lookup tables from which to take the Identity enrichment data. | False |
| Enrichment Timeout (Minutes) | When the selected timeout was reached, notable events that were not enriched will be saved without the enrichment. | False |
| Number of Events Per Enrichment Type | The limit of how many events to retrieve per each one of the enrichment types \(Drilldown, Asset, and Identity\). To retrieve all events, enter "0" \(not recommended\). | False |
| Number of Events Per Enrichment Type | The limit of how many events to retrieve per each one of the enrichment types \(Drilldown, Asset, and Identity\). In a case of multiple drilldown enrichments the limit will apply for each drilldown search query. To retrieve all events, enter "0" \(not recommended\). | False |
| Advanced: Extensive logging (for debugging purposes). Do not use this option unless advised otherwise. | | False |
| Advanced: Fetch backwards window for the events occurrence time (minutes) | The fetch time range will be at least the size specified here. This will support events that have a gap between their occurrence time and their index time in Splunk. To decide how long the backwards window should be, you need to determine the average time between them both in your Splunk environment. | False |
| Advanced: Unique ID fields | A comma-separated list of fields, which together are a unique identifier for the events to fetch in order to avoid fetching duplicates incidents. | False |
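Review bot: the new "Number of Events Per Enrichment Type" wording says the limit applies to each drilldown search query, which means a notable with several drilldown searches can return a multiple of the configured number of events; state that explicitly (the effective upper bound is the configured value times the number of drilldown searches) so operators sizing the cap, and reading the "enter 0 (not recommended)" advice, know the real bound on what is pulled into the incident. Minor wording: "In a case of multiple drilldown enrichments the limit will apply for each drilldown search query" reads better as "When a notable has multiple drilldown searches, the limit applies to each search query separately." The unchanged context also shows two identical "HEC Token (HTTP Event Collector)" rows, a pre-existing duplicate worth removing in the same README pass.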
Expand Down Expand Up @@ -78,7 +78,8 @@ The integration allows for fetching Splunk notable events using a default query.
This integration allows 3 types of enrichments for fetched notables: Drilldown, Asset, and Identity.

#### Enrichment types
1. **Drilldown search enrichment**: fetches the drilldown search configured by the user in the rule name that triggered the notable event and performs this search. The results are stored in the context of the incident under the **Drilldown** field.
1. **Drilldown search enrichment**: Fetches the drilldown search configured by the user in the rule name that triggered the notable event and performs this search. The results are stored in the context of the incident under the **Drilldown** field as follows: [{result1}, {result2}, {result3}].
Getting results from multiple drilldown searches is supported from Enterprise Security v7.2.0. In that case, the results are stored in the context of the incident under the **Drilldown** field as follows: [{'query_name':<query_name>, 'query_search': <query_search>, 'query_results': [{result1}, {result2}, {result3}], 'enrichment_status': <enrichment_status>}].
2. **Asset search enrichment**: Runs the following query:
*| inputlookup append=T asset_lookup_by_str where asset=$ASSETS_VALUE | inputlookup append=t asset_lookup_by_cidr where asset=$ASSETS_VALUE | rename _key as asset_id | stats values(*) as * by asset_id*
where the **$ASSETS_VALUE** is replaced with the **src**, **dest**, **src_ip** and **dst_ip** from the fetched notable. The results are stored in the context of the incident under the **Asset** field.
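Review bot: the Drilldown context now has two different shapes depending on the ES version (a flat list of result objects on older versions, a list of objects with query_name, query_search, query_results and enrichment_status from v7.2.0), which breaks any playbook, layout or automation that reads incident.Drilldown expecting the old shape. The doc should say plainly that this is a breaking change for consumers of that field, point to the release notes, and advise scripts to branch on the shape they receive. Two formatting points: the paragraph starting "Getting results from multiple drilldown searches" is not indented under list item 1, so it will render as a separate paragraph outside the numbered list (indent it to match the item), and the example mixes spacing and quoting ('query_name':<query_name> with no space, 'query_search': <query_search> with one); use one consistent form, ideally a fenced JSON-style block.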
Expand All @@ -91,7 +92,7 @@ where the **$IDENTITY_VALUE** is replaced with the **user** and **src_user** fro
2. *Enrichment Types*: Select the enrichment types you want to enrich each fetched notable with. If none are selected, the integration will fetch notables as usual (without enrichment).
3. *Fetch events query*: The query for fetching events. The default query is for fetching notable events. You can edit this query to fetch other types of events. Note that to fetch notable events, make sure the query uses the \`notable\` macro.
4. *Enrichment Timeout (Minutes)*: The timeout for each enrichment (default is 5min). When the selected timeout was reached, notable events that were not enriched will be saved without the enrichment.
5. *Number of Events Per Enrichment Type*: The maximal amount of events to fetch per enrichment type (default to 20).
5. *Number of Events Per Enrichment Type*: The maximal amount of events to fetch per enrichment type (Drilldown, Asset, and Identity). In a case of multiple drilldown enrichments the limit will apply for each drilldown search query. (default to 20).
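Review bot: "(default to 20)" is a fragment left dangling after the new sentence, and "maximal amount" is awkward; suggest "The maximum number of events to fetch per enrichment type (Drilldown, Asset, and Identity); the default is 20. When a notable has multiple drilldown searches, the limit applies to each drilldown search query separately." This also keeps the wording aligned with the parameter table description.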

#### Configure User Mapping between Splunk and Cortex XSOAR
When fetching incidents from Splunk to Cortex XSOAR and when mirroring incidents between Splunk and Cortex XSOAR, the Splunk Owner Name (user) associated with an incident needs to be mapped to the relevant Cortex XSOAR Owner Name (user).
Expand Down Expand Up @@ -135,7 +136,7 @@ Define the lookup table in Splunk.

#### Troubleshooting enrichment status
Each enriched incident contains the following fields in the incident context:
- **successful_drilldown_enrichment**: whether the drill down enrichment was successful.
- **successful_drilldown_enrichment**: whether the drilldown enrichment was successful. In a case of multiple drilldown enrichments, the status is successful if at least one drilldown search enrichment was successful.
- **successful_asset_enrichment**: whether the asset enrichment was successful.
- **successful_identity_enrichment**: whether the identity enrichment was successful.
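Review bot: with successful_drilldown_enrichment now true when at least one of several drilldown searches succeeded, a partially failed enrichment is indistinguishable from a fully successful one at this level, and an analyst or playbook that gates on this flag may treat incomplete context as complete. The doc should tell readers to inspect the per-search enrichment_status inside the Drilldown context to see which query failed, and should state what "successful" means when some searches time out versus return an error.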

