Group-IB new integration
Contributing to Cortex XSOAR Content
Make sure to register your contribution by filling the contribution registration form
The Pull Request will be reviewed only after the contribution registration form is filled.
Status
- [ ] In Progress
- [x] Ready
- [ ] In Hold - (Reason for hold)
Related Issues
fixes: -
Description
Our team is ready to release a new integration with our Digital Risk Protection product.
Must have
- [x] Tests
- [x] Documentation
Thank you for your contribution. Your generosity and caring are unrivaled! Make sure to register your contribution by filling the Contribution Registration form, so our content wizard @itssapir will know the proposed changes are ready to be reviewed. For your convenience, here is a link to the contributions SLAs document.
Hi @Kchekh, thanks for contributing to the XSOAR marketplace. To receive credit for your generous contribution please follow this link.
Hi @Kchekh, Thank you for your contribution.
Please make sure to fill the contribution registration form so we can carry on handling this PR. Thanks!
Hello @itssapir and @Benimanela ! We have filled out the Contributor Details form. Kindly reopen this ticket for our further collaboration
@Kchekh any update?
Hi @Kchekh, Thank you for the work on this contribution. The implementation looks good overall.
I have a few comments from a security perspective at this stage:
General
- Please add a description in the `pack_metadata` file for clarity and documentation.
- Run `demisto-sdk format` on all files to ensure proper formatting and alignment with XSOAR standards.
- In the README (Step 5), users are instructed to create a new Pre-Process Rule, but it appears this rule already exists. Please clarify or update the instructions as needed.
- Add `additionalinfo` for the `Violation Section to filter the received Violation` parameter in instance settings.
Pre-Process Rule
- The Pre-Process Rule appears incomplete—no action is defined. Should it be running the `GIBDRPIncidentUpdate` script? Please review and update as required.
Incident Fields
For performance reasons, please mark all custom incident fields as `unsearchable: true` unless searching is specifically needed. Avoid creating new fields when suitable common fields already exist. For example:
- Use the standard Occurred field instead of `GIB DRP Created`.
- Use the standard Title field instead of `GIB DRP Title`.
- Please review all incident fields and reuse existing fields where possible.
Playbook
- Change the playbook name to: `Group-IB Digital Risk Protection - Violation Incident Postprocessing` for consistency.
- The first step should check if the Group-IB integration is enabled to avoid errors.
- The "done" task is currently set to close the investigation. Please update the task name to clearly indicate this.
- Please add an end step (Section Header task type) at the end of the playbook for better clarity.
Let me know once you've addressed the above so I can take another look!
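A small lint that encodes the incident-field points in the review above (custom fields marked `unsearchable: true`, and reuse of the standard Occurred and Title fields instead of pack-specific duplicates). This is an added example, not code from the PR or from the XSOAR content repository; the field definitions are constructed sample input and the `name` / `cliName` / `unsearchable` keys are assumed to follow the usual incident field JSON layout.

```python
"""Lint XSOAR incident field definitions for two review points:
missing ``unsearchable: true`` and custom fields that duplicate a
standard field (Occurred, Title). Added example; sample data is constructed."""
import json

# Standard fields a custom field should be replaced by, keyed on the last
# word of the custom field's name ("GIB DRP Created" -> Occurred).
STANDARD_EQUIVALENTS = {
    "created": "Occurred",
    "occurred": "Occurred",
    "title": "Title",
}

# Constructed sample: three custom fields from a hypothetical pack.
SAMPLE_FIELDS = json.loads("""[
  {"name": "GIB DRP Created", "cliName": "gibdrpcreated", "unsearchable": false},
  {"name": "GIB DRP Title", "cliName": "gibdrptitle"},
  {"name": "GIB DRP Violation ID", "cliName": "gibdrpviolationid", "unsearchable": true}
]""")


def lint_incident_fields(fields):
    """Return a list of (field name, finding) tuples, one per problem found."""
    findings = []
    for field in fields:
        name = field.get("name") or field.get("cliName") or "<unnamed>"
        # A missing key keeps the default, which is searchable (indexed).
        if field.get("unsearchable") is not True:
            findings.append((name, "set unsearchable: true unless search is required"))
        words = name.split()
        last_word = words[-1].lower() if words else ""
        if last_word in STANDARD_EQUIVALENTS:
            standard = STANDARD_EQUIVALENTS[last_word]
            findings.append((name, f"reuse the standard {standard} field"))
    return findings


if __name__ == "__main__":
    for field_name, message in lint_incident_fields(SAMPLE_FIELDS):
        print(f"{field_name}: {message}")
```

To run it over a real pack, load each file under the pack's IncidentFields directory with `json.load` and pass the resulting objects to `lint_incident_fields`.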
Hi @Kchekh,
Thanks for resolving some of the points! Have you had a chance to look at my other comments as well?
@Kchekh unfortunately I have to close the PR for the lack of update, feel free to reopen in case there's some. Thanks!
Hello @merit-maita, Thank you very much for your review, I have prepared all the changes. Could we reopen the PR? For the final step, I am waiting for the Docker image update, here https://github.com/demisto/dockerfiles/pull/40577, and it has moved here https://github.com/demisto/dockerfiles/pull/40654. Otherwise, everything is ready.
Hello @merit-maita and @Benimanela , The Docker image has been updated and I have added it to the current version. Could you please review the changes made based on your comments?
Hello @merit-maita and @Benimanela , Please advise, should I create a new PR to promote the launch of the new integration and transfer the current changes achieved in this PR to it?
A new PR was made - https://github.com/demisto/content/pull/41990