Deploy Resilient/resilient-community-apps to github.ibm.com/Resilient…
…/resilient-community-apps.git:gh-pages
traviscibot committed Nov 13, 2024
1 parent 8ba4fff commit 433df99
Showing 12 changed files with 117 additions and 25 deletions.
Binary file modified .doctrees/environment.pickle
Binary file modified .doctrees/fn_misp/README.doctree
Binary file modified .doctrees/rc_data_feed_plugin_elasticfeed/README.doctree
Binary file modified .doctrees/rc_data_feed_plugin_splunkfeed/README.doctree
2 changes: 1 addition & 1 deletion _downloads/2a0fda0a4ac6ae7a4ed4764b8e60d0e8/LICENSE
@@ -1,4 +1,4 @@
Copyright © IBM Corporation 2010, 2019
Copyright © IBM Corporation 2010, 2024

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to
1 change: 1 addition & 0 deletions _sources/fn_misp/README.md.txt
Expand Up @@ -31,6 +31,7 @@
-->
| Version | Date | Notes |
| ------- | ---- | ----- |
| 3.0.3 | 11/2024 | Add proxy support to selftest. |
| 3.0.2 | 12/2023 | Bug fix for selftest. Update code to use latest format. Remove rules/workflows and add playbooks. |
| 3.0.1 | MM/YYYY | App Host support. Proxy Support |
| 3.0.0 | MM/YYYY | There have been significant changes to the app for version 3, the community built a python3 compatible version of the app. This meant there was 2 different version in circulation. This version of the app is designed to reunify the fn-misp apps. To support both python2 and python3 automatically - using the latest recommended libraries from the MISP community. Finally, the Lookup Att&ck function has been removed, as MISP now stores Att&ck information as Tags - this is returned via the search attribute function, so no special function is required. The old separate apps are packaged inside the app directory, marked as ARCHIVE. They are unsupported and just for code documentation purposes. |
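Review bot: The 3.0.1 and 3.0.0 rows directly below the new 3.0.3 entry still carry the `MM/YYYY` placeholder in the Date column; since this change touches the release table anyway, fill in the real dates (or drop the placeholder) so the history is usable. The new note `Add proxy support to selftest.` would also be more helpful if it named which app.config proxy settings selftest now honours, since the 3.0.1 row only says `Proxy Support` and a user behind a proxy cannot tell from either row what to configure.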
17 changes: 14 additions & 3 deletions _sources/rc_data_feed_plugin_elasticfeed/README.md.txt
Expand Up @@ -10,6 +10,7 @@ Refer to the documentation on the Data Feed extension for uses cases support and
## History
| Version | Date | Notes |
| ------- | ---- | ----- |
| 1.2.0 | 09/2024 | Support for time series data |
| 1.1.1 | 01/2024 | Updated base image rc_data_feed to 3.0.0 |
| 1.1.0 | 07/2022 | New base images and functionality for attachments |
| 1.0.1 | 08/2020 | App Host support |
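Review bot: The new 1.2.0 row spells the feature `time series data` while the section added further down in this same file uses `timeseries` for both the app.config key and the prose, and the table cell uses `time-series`; use one spelling in prose (`time-series`) and reserve `timeseries` for the literal key name so readers can tell the setting from the concept.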
Expand All @@ -25,11 +26,21 @@ This release modified the base portion of the Data Feeder which is controlled by
| workspaces | "Default Workspace": ["sqlserver_feed"], "workspace A": ["kafka_feed", "resilient_feed"] | This setting allows for the partitioning of Data Feeder execution among different workspaces. The format is to specify the workspace name with the data feeder components to associated with it: "workspace": ["app.config section_name"]. If unused, data from all workspaces is accessed. |
| include_attachment_data | true/false | set to true if attachment data should be part of the sent payload. When 'true', the attachment's byte data is saved in base64 format. |

## Compatibility
### 1.2.0 Changes
Version 1.2.0 introduces incident timeseries data fields. These are custom select or boolean fields, as well as incident `Owner`, `Phase` and `Severity` fields, which record the duration in seconds each field contains a particular value.
For instance, how many seconds `Severity` has a value of `Low` and `Medium`, etc.

To use this capability, add the following app.config settings to the `[feeds]` configuration section.

SOAR Compatibilty: 30.0 or higher
| Key | Values | Description |
| :-- | :----- | :---------- |
| timeseries | always \| onclose \| never | When to collect time-series data. Because of the extra API call needed to collect this data, it could be more impactful on SOAR when set to 'always'. default is 'never' |
| timeseries_fields | owner_id, phase_id, severity_code, <custom_field> | A comma separated list of time-series fields to collect. Custom select and boolean fields are also possible. Specify wildcard fields with '?' or '*'. ex. ts_* will collect all time-series fields starting with "ts_". default is all timeseries fields |

## Compatibility
SOAR Compatibilty: 51.0.0 or higher

CP4S Compatibility: 1.4 or higher
CP4S Compatibility: 1.10 or higher


## License
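Review bot: The unescaped asterisks in the `timeseries_fields` description (`'?' or '*'. ex. ts_* will collect`) are parsed as a Markdown emphasis pair, so the rendered page loses both `*` characters and the wildcard instruction becomes unreadable; escape them as `\*` or put the tokens in backticks (`` `*` ``, `` `ts_*` ``). Two smaller points in the same hunk: the typo `Compatibilty` is carried over onto the new `SOAR Compatibilty: 51.0.0 or higher` line, and the `timeseries` row should say at which point `onclose` collects the data, since that is the value operators will choose to avoid the extra API call on every poll and the name alone does not define it.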
15 changes: 14 additions & 1 deletion _sources/rc_data_feed_plugin_splunkfeed/README.md.txt
Expand Up @@ -16,6 +16,7 @@ Unless otherwise specified, contents of this repository are published under the

| Version | Date | Notes |
| ------- | ---- | ----- |
| 1.3.0 | 09/2024 | Updated base rc_data_feed to 3.3.0. Support for time-series data. |
| 1.2.0 | 04/2024 | Updated base rc_data_feed to 3.1.0. Added parallel execution. Added ability to exclude selective incident fields. |
| 1.1.2 | 01/2024 | Updated base rc_data_feed to 3.0.0 |
| 1.1.1 | 10/2022 | Fix to handle rare corrupt event.message |
Expand All @@ -42,6 +43,17 @@ To use this capability, add the following app.config setting, exclude_incident_f
| parallel_execution | True, False | parallel execution for faster ingestion to Splunk |
| exclude_incident_fields_file | /path/to/exclusion_file.txt | Specify incident fields, one per line, to exclude from the incident data sent to Splunk. Use wildcards such as '*' (multiple characters) or '?' (single character) to exclude patterns of fields. Ex. gdpr_*, custom_field_int |

### 1.3.0 Changes
Version 1.3.0 introduces incident time-series data fields. These custom select or boolean fields, as well as incident `Owner`, `Phase` and `Severity` fields which record the duration in seconds each field contains a particular value.
For instance, how many seconds `Severity` has a value of `Low` and `Medium`, etc.

To use this capability, add the following app.config settings to the `[feeds]` configuration section.

| Key | Values | Description |
| :-- | :----- | :---------- |
| timeseries | always \| onclose \| never | When to collect time-series data. Because of the extra API call needed to collect this data, it could be more impactful on SOAR when set to 'always'. default is 'never' |
| timeseries_fields | owner_id, phase_id, severity_code, <custom_field> | A comma separated list of time-series fields to collect. Custom select and boolean fields are also possible. Specify wildcard fields with '?' or '*'. ex. ts_* will collect all time-series fields starting with "ts_". default is all time-series fields |

## Compatibility
SOAR: 45.0 or higher

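Review bot: The first sentence of the new 1.3.0 section is missing its verb: `These custom select or boolean fields, as well as incident ... fields which record the duration` should read `These are custom select or boolean fields, as well as incident ... fields, which record the duration` (the elasticfeed README in this same commit has the correct wording). The `timeseries_fields` description has the same unescaped `*` problem as the elasticfeed file: `'?' or '*'. ex. ts_*` renders as emphasis and the wildcard characters disappear, so escape them as `\*` or wrap them in backticks. Finally, the unchanged `SOAR: 45.0 or higher` line under Compatibility should be checked against the elasticfeed README, which this commit raises to 51.0.0 for the same time-series feature; if the time-series API needs the newer SOAR, the minimum stated here is wrong.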
Expand All @@ -65,7 +77,7 @@ Simply install the .zip file into the app. It includes:
```
* Run the following commands to install the package:
```
unzip rc_data_feed-<version>.zip (must be at least version 2.1.0)
unzip rc_data_feed-<version>.zip (must be at least version 3.3.0)
[sudo] pip install --upgrade rc_data_feed-<version>.tar.gz
unzip rc_data_feed-plugin-splunkfeed-<version>.zip
[sudo] pip install --upgrade rc_data_feed-plugin-splunkfeed-<version>.tar.gz
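Review bot: The parenthetical `(must be at least version 3.3.0)` sits inside the fenced command block, so a copy-paste of that line fails in the shell; move the minimum-version requirement into the prose above the block and leave only `unzip rc_data_feed-<version>.zip` in the fence. The version itself matches the new 1.3.0 history row (`Updated base rc_data_feed to 3.3.0`), so only the placement needs changing.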
Expand Down Expand Up @@ -152,6 +164,7 @@ port | Ex. 8088 | The default is 8088 |

### Considerations
* Enable the HTTP Event Collector within Splunk ES before using this data feed.
* Do not use indexer acknowledgement
* Splunk events are immutable. IBM SOAR object changes are represented as new events. No event deletion is possible.
* Be aware that when using `reload=True`, all IBM SOAR records will be duplicated in Splunk each time resilient-circuits is re-started. Use the app.config setting `reload_types` to specify the data sent if you want to either limit the object types or to also include datatables.

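Review bot: The new bullet `Do not use indexer acknowledgement` states a constraint without its consequence; say what the feed does when the HEC token has acknowledgement enabled, so an operator who inherits a token with it turned on can recognise the failure rather than guess, and end the bullet with a period like the others in the list.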
18 changes: 11 additions & 7 deletions fn_misp/README.html
Expand Up @@ -463,31 +463,35 @@ <h2>Release Notes<a class="headerlink" href="#release-notes" title="Link to this
</tr>
</thead>
<tbody>
<tr class="row-even"><td><p>3.0.2</p></td>
<tr class="row-even"><td><p>3.0.3</p></td>
<td><p>11/2024</p></td>
<td><p>Add proxy support to selftest.</p></td>
</tr>
<tr class="row-odd"><td><p>3.0.2</p></td>
<td><p>12/2023</p></td>
<td><p>Bug fix for selftest. Update code to use latest format. Remove rules/workflows and add playbooks.</p></td>
</tr>
<tr class="row-odd"><td><p>3.0.1</p></td>
<tr class="row-even"><td><p>3.0.1</p></td>
<td><p>MM/YYYY</p></td>
<td><p>App Host support. Proxy Support</p></td>
</tr>
<tr class="row-even"><td><p>3.0.0</p></td>
<tr class="row-odd"><td><p>3.0.0</p></td>
<td><p>MM/YYYY</p></td>
<td><p>There have been significant changes to the app for version 3, the community built a python3 compatible version of the app. This meant there was 2 different version in circulation. This version of the app is designed to reunify the fn-misp apps. To support both python2 and python3 automatically - using the latest recommended libraries from the MISP community. Finally, the Lookup Att&amp;ck function has been removed, as MISP now stores Att&amp;ck information as Tags - this is returned via the search attribute function, so no special function is required. The old separate apps are packaged inside the app directory, marked as ARCHIVE. They are unsupported and just for code documentation purposes.</p></td>
</tr>
<tr class="row-odd"><td><p>1.6.1</p></td>
<tr class="row-even"><td><p>1.6.1</p></td>
<td><p>MM/YYYY</p></td>
<td><p>Fixed Issue with verify certs. Added support for tags in search attribute. Workflow update to show use of parsing tags, e.g. TLP etc. Packaged as zip for easy install (no unzip required).</p></td>
</tr>
<tr class="row-even"><td><p>1.5.1</p></td>
<tr class="row-odd"><td><p>1.5.1</p></td>
<td><p>MM/YYYY</p></td>
<td><p>Full documentation for Att&amp;ck Support</p></td>
</tr>
<tr class="row-odd"><td><p>1.5.0</p></td>
<tr class="row-even"><td><p>1.5.0</p></td>
<td><p>MM/YYYY</p></td>
<td><p>Added MITRE Att&amp;ck support</p></td>
</tr>
<tr class="row-even"><td><p>1.0.0</p></td>
<tr class="row-odd"><td><p>1.0.0</p></td>
<td><p>MM/YYYY</p></td>
<td><p>Initial Release</p></td>
</tr>
43 changes: 37 additions & 6 deletions rc_data_feed_plugin_elasticfeed/README.html
Expand Up @@ -430,19 +430,23 @@ <h2>History<a class="headerlink" href="#history" title="Link to this heading">¶
</tr>
</thead>
<tbody>
<tr class="row-even"><td><p>1.1.1</p></td>
<tr class="row-even"><td><p>1.2.0</p></td>
<td><p>09/2024</p></td>
<td><p>Support for time series data</p></td>
</tr>
<tr class="row-odd"><td><p>1.1.1</p></td>
<td><p>01/2024</p></td>
<td><p>Updated base image rc_data_feed to 3.0.0</p></td>
</tr>
<tr class="row-odd"><td><p>1.1.0</p></td>
<tr class="row-even"><td><p>1.1.0</p></td>
<td><p>07/2022</p></td>
<td><p>New base images and functionality for attachments</p></td>
</tr>
<tr class="row-even"><td><p>1.0.1</p></td>
<tr class="row-odd"><td><p>1.0.1</p></td>
<td><p>08/2020</p></td>
<td><p>App Host support</p></td>
</tr>
<tr class="row-odd"><td><p>1.0.0</p></td>
<tr class="row-even"><td><p>1.0.0</p></td>
<td><p>12/2019</p></td>
<td><p>Initial release</p></td>
</tr>
Expand Down Expand Up @@ -477,11 +481,37 @@ <h3>1.1.0 Changes<a class="headerlink" href="#changes" title="Link to this headi
</table>
</div>
</section>
<section id="id1">
<h3>1.2.0 Changes<a class="headerlink" href="#id1" title="Link to this heading"></a></h3>
<p>Version 1.2.0 introduces incident timeseries data fields. These are custom select or boolean fields, as well as incident <code class="docutils literal notranslate"><span class="pre">Owner</span></code>, <code class="docutils literal notranslate"><span class="pre">Phase</span></code> and <code class="docutils literal notranslate"><span class="pre">Severity</span></code> fields, which record the duration in seconds each field contains a particular value.
For instance, how many seconds <code class="docutils literal notranslate"><span class="pre">Severity</span></code> has a value of <code class="docutils literal notranslate"><span class="pre">Low</span></code> and <code class="docutils literal notranslate"><span class="pre">Medium</span></code>, etc.</p>
<p>To use this capability, add the following app.config settings to the <code class="docutils literal notranslate"><span class="pre">[feeds]</span></code> configuration section.</p>
<div class="table-wrapper colwidths-auto docutils container">
<table class="docutils align-default">
<thead>
<tr class="row-odd"><th class="head text-left"><p>Key</p></th>
<th class="head text-left"><p>Values</p></th>
<th class="head text-left"><p>Description</p></th>
</tr>
</thead>
<tbody>
<tr class="row-even"><td class="text-left"><p>timeseries</p></td>
<td class="text-left"><p>always | onclose | never</p></td>
<td class="text-left"><p>When to collect time-series data. Because of the extra API call needed to collect this data, it could be more impactful on SOAR when set to ‘always’. default is ‘never’</p></td>
</tr>
<tr class="row-odd"><td class="text-left"><p>timeseries_fields</p></td>
<td class="text-left"><p>owner_id, phase_id, severity_code, &lt;custom_field&gt;</p></td>
<td class="text-left"><p>A comma separated list of time-series fields to collect. Custom select and boolean fields are also possible. Specify wildcard fields with ‘?’ or ‘<em>’. ex. ts_</em> will collect all time-series fields starting with “ts_”. default is all timeseries fields</p></td>
</tr>
</tbody>
</table>
</div>
</section>
</section>
<section id="compatibility">
<h2>Compatibility<a class="headerlink" href="#compatibility" title="Link to this heading"></a></h2>
<p>SOAR Compatibilty: 30.0 or higher</p>
<p>CP4S Compatibility: 1.4 or higher</p>
<p>SOAR Compatibilty: 51.0.0 or higher</p>
<p>CP4S Compatibility: 1.10 or higher</p>
</section>
<section id="license">
<h2>License<a class="headerlink" href="#license" title="Link to this heading"></a></h2>
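Review bot: The rendered `timeseries_fields` cell confirms the Markdown escaping problem in the source file: `‘<em>’. ex. ts_</em> will collect` shows the two `*` characters were consumed as an emphasis pair, so published readers are told the wildcards are `?` or an empty string. The fix belongs in `_sources/rc_data_feed_plugin_elasticfeed/README.md.txt` (escape the asterisks as `\*`), followed by a rebuild; editing this generated HTML by hand would be overwritten. Also note the new section received the auto-generated anchor `id="id1"` because `1.1.0 Changes` already owns `#changes`, so any external link to the 1.2.0 section should not assume a stable, descriptive anchor.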
Expand Down Expand Up @@ -696,6 +726,7 @@ <h3>Considerations<a class="headerlink" href="#considerations" title="Link to th
<li><a class="reference internal" href="#introduction">Introduction</a></li>
<li><a class="reference internal" href="#history">History</a><ul>
<li><a class="reference internal" href="#changes">1.1.0 Changes</a></li>
<li><a class="reference internal" href="#id1">1.2.0 Changes</a></li>
</ul>
</li>
<li><a class="reference internal" href="#compatibility">Compatibility</a></li>