Bug fixes related to usernames in Account Enrichment (demisto#29024)

* - Fixed playbook input from malware to account enrichment
- Fixed account enrichment username input to support domain\user format too
- Fixed the XDR task in the account enrichment playbook to accept both username and domain\username
- Added playbooks and formatted them
- Added XDR to the account enrichment test in conf.json
- Updated the account enrichment test playbook to be from 6.8.0 (lowest supported version)
- Generated docs
- Updated accont enrichment playbook image

* Added RNs for both packs

* Bump pack from version CommonPlaybooks to 2.3.94.

* Fixed description

* description fixes

* Bump pack from version CortexXDR to 5.0.10.

* Updated description for username input

* Updated playbook readme with the new playbook input description

* Fixed a small typo

* Update Packs/CortexXDR/ReleaseNotes/5_0_10.md

Co-authored-by: ShirleyDenkberg <[email protected]>

* Update Packs/CommonPlaybooks/ReleaseNotes/2_3_95.md

Co-authored-by: ShirleyDenkberg <[email protected]>

---------

Co-authored-by: Content Bot <[email protected]>
Co-authored-by: ShirleyDenkberg <[email protected]>

Author: 3 people

Packs/CommonPlaybooks/Playbooks/playbook-Account_Enrichment_-_Generic_v2.2.yml

@@ -26,27 +26,28 @@ This playbook does not use any integrations.
 
 * IsIntegrationAvailable
 * Set
+* SetAndHandleEmpty
 
 ### Commands
 
-* pingone-get-user
-* identitynow-get-accounts
-* ad-get-user
-* identityiq-search-identities
-* msgraph-user-get
 * okta-get-user
-* iam-get-user
+* msgraph-user-get
+* identityiq-search-identities
 * aws-iam-get-user
-* xdr-list-risky-users
+* ad-get-user
+* pingone-get-user
 * msgraph-user-get-manager
+* iam-get-user
+* xdr-list-risky-users
+* identitynow-get-accounts
 
 ## Playbook Inputs
 
 ---
 
 | **Name** | **Description** | **Default Value** | **Required** |
 | --- | --- | --- | --- |
-| Username | The username to enrich. | Account.Username | Optional |
+| Username | The usernames to enrich. This input supports multiple usernames.<br/>Usernames can be with or without a domain prefix, in the format of "username" or "domain\\username".<br/>Domain usernames will only be enriched in integrations that support  them. | Account.Username | Optional |
 | Domain | Optional - This input is needed for the IAM-get-user command \(used in the Account Enrichment - IAM playbook\). Please provide the domain name that the user is related to.<br/>Example: @xsoar.com |  | Optional |
 
 ## Playbook Outputs

Packs/CommonPlaybooks/Playbooks/playbook-Account_Enrichment_-_Generic_v2.2_README.md

@@ -0,0 +1,6 @@
+
+#### Playbooks
+
+##### Account Enrichment - Generic v2.1
+
+Fixed an issue where the playbook would fail to enrich accounts in the form of "domain\username". The playbook now makes a distinction and enriches usernames with or without a domain prefix.

Packs/CommonPlaybooks/ReleaseNotes/2_3_95.md

@@ -1,16 +1,16 @@
 id: Account Enrichment - Generic v2.1 - Test
 version: -1
-fromversion: 5.0.0
+fromversion: 6.8.0
 name: Account Enrichment - Generic v2.1 - Test
 description: A test for the Account Enrichment - Generic v2 playbook.
 starttaskid: "0"
 tasks:
   "0":
     id: "0"
-    taskid: 628ddf6f-d859-4b9b-8679-10571ea848fe
+    taskid: 938ee2b5-dae1-443e-8b36-b87b09db6ff2
     type: start
     task:
-      id: 628ddf6f-d859-4b9b-8679-10571ea848fe
+      id: 938ee2b5-dae1-443e-8b36-b87b09db6ff2
       version: -1
       name: ""
       iscommand: false
@@ -37,10 +37,10 @@ tasks:
     isautoswitchedtoquietmode: false
   "8":
     id: "8"
-    taskid: 42e5ac7e-2b61-48d7-8988-16de9960f7f4
+    taskid: 648f1602-68e5-4e44-8783-2e1547e24d17
     type: regular
     task:
-      id: 42e5ac7e-2b61-48d7-8988-16de9960f7f4
+      id: 648f1602-68e5-4e44-8783-2e1547e24d17
       version: -1
       name: Users with a domain
       description: 'Will create an array object in context from given string input '
@@ -53,7 +53,7 @@ tasks:
       - "10"
     scriptarguments:
       arrayData:
-        simple: DEM449982,DEM531065
+        simple: DEM449982,DEM531065,desktop-s2455r8\demisto,Administrator
       contextKey:
         simple: Account.Username
     separatecontext: false
@@ -74,10 +74,10 @@ tasks:
     isautoswitchedtoquietmode: false
   "10":
     id: "10"
-    taskid: be320151-f8bd-43c2-8dd6-b64f706a3462
+    taskid: 69c06083-9dd2-4286-8bbb-42cab5d95a6a
     type: playbook
     task:
-      id: be320151-f8bd-43c2-8dd6-b64f706a3462
+      id: 69c06083-9dd2-4286-8bbb-42cab5d95a6a
       version: -1
       name: Account Enrichment - Generic v2.1
       description: |-
@@ -124,10 +124,10 @@ tasks:
     isautoswitchedtoquietmode: false
   "13":
     id: "13"
-    taskid: 372ee57a-43b3-4ace-8088-ddc94f526a3f
+    taskid: bbc74893-7273-4a63-8077-6f37627774ad
     type: title
     task:
-      id: 372ee57a-43b3-4ace-8088-ddc94f526a3f
+      id: bbc74893-7273-4a63-8077-6f37627774ad
       version: -1
       name: Checking with a Domain
       type: title
@@ -155,10 +155,10 @@ tasks:
     isautoswitchedtoquietmode: false
   "14":
     id: "14"
-    taskid: a8b08f80-3b3b-4c97-8ac1-786542cfb260
+    taskid: c7223b7b-93f3-4b51-8a44-1895a5be5328
     type: regular
     task:
-      id: a8b08f80-3b3b-4c97-8ac1-786542cfb260
+      id: c7223b7b-93f3-4b51-8a44-1895a5be5328
       version: -1
       name: Delete Context
       description: Clear the context for a fresh start of the test.
@@ -191,10 +191,10 @@ tasks:
     isautoswitchedtoquietmode: false
   "15":
     id: "15"
-    taskid: 9cffe0a3-76f9-4f91-81f9-cdc868cd6cf2
+    taskid: 7b0d6394-6784-4500-8f45-30f750c05f3c
     type: condition
     task:
-      id: 9cffe0a3-76f9-4f91-81f9-cdc868cd6cf2
+      id: 7b0d6394-6784-4500-8f45-30f750c05f3c
       version: -1
       name: Was the account enriched?
       description: Checks whether the account was enriched.
@@ -239,10 +239,10 @@ tasks:
     isautoswitchedtoquietmode: false
   "16":
     id: "16"
-    taskid: 3088d8ca-4179-4815-8780-b53d275a2add
+    taskid: c19e900b-d8b0-48a6-897a-87c27e76e97e
     type: regular
     task:
-      id: 3088d8ca-4179-4815-8780-b53d275a2add
+      id: c19e900b-d8b0-48a6-897a-87c27e76e97e
       version: -1
       name: Make test fail
       description: Prints an error entry with a given message.
@@ -275,10 +275,10 @@ tasks:
     isautoswitchedtoquietmode: false
   "17":
     id: "17"
-    taskid: f2c3b038-ac2b-4661-8f9f-1535fa5dba98
+    taskid: 1c9bcc76-5564-41e1-86bc-81fb64d94bb0
     type: title
     task:
-      id: f2c3b038-ac2b-4661-8f9f-1535fa5dba98
+      id: 1c9bcc76-5564-41e1-86bc-81fb64d94bb0
       version: -1
       name: Checking with a Domain
       type: title
@@ -303,10 +303,10 @@ tasks:
     isautoswitchedtoquietmode: false
   "18":
     id: "18"
-    taskid: 6ada5f2c-bba8-423d-86e8-404b8df7658b
+    taskid: f1d64a8a-3589-4201-80ec-b87b7024bf93
     type: regular
     task:
-      id: 6ada5f2c-bba8-423d-86e8-404b8df7658b
+      id: f1d64a8a-3589-4201-80ec-b87b7024bf93
       version: -1
       name: Delete Context
       description: Clear the context for a fresh start of the test.
@@ -339,10 +339,10 @@ tasks:
     isautoswitchedtoquietmode: false
   "19":
     id: "19"
-    taskid: f84b83dc-6451-4fdd-8eea-8e91279ea045
+    taskid: 582a5630-c097-46ac-8760-d370ad922477
     type: playbook
     task:
-      id: f84b83dc-6451-4fdd-8eea-8e91279ea045
+      id: 582a5630-c097-46ac-8760-d370ad922477
       version: -1
       name: Account Enrichment - Generic v2.1
       description: |-
@@ -381,10 +381,10 @@ tasks:
     isautoswitchedtoquietmode: false
   "20":
     id: "20"
-    taskid: 43bec4b2-8eec-49bc-8059-cc9d0da80ca5
+    taskid: 71ace41d-837c-4b8b-8238-0c7bd6ba71f4
     type: title
     task:
-      id: 43bec4b2-8eec-49bc-8059-cc9d0da80ca5
+      id: 71ace41d-837c-4b8b-8238-0c7bd6ba71f4
       version: -1
       name: Test Without any Inputs
       type: title

Packs/CommonPlaybooks/TestPlaybooks/playbook-Account_Enrichment_-_Generic_v2.1_-_Test.yml

@@ -2,7 +2,7 @@
     "name": "Common Playbooks",
     "description": "Frequently used playbooks pack.",
     "support": "xsoar",
-    "currentVersion": "2.3.94",
+    "currentVersion": "2.3.95",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

Packs/CommonPlaybooks/doc_files/Account_Enrichment_-_Generic_v2.1.png

@@ -56,7 +56,8 @@ tasks:
     isoversize: false
     nexttasks:
       '#none#':
-      - '2'
+      - "27"
+      - "2"
     note: false
     quietmode: 0
     separatecontext: false
@@ -1047,14 +1048,14 @@ tasks:
         complex:
           root: UserManagerEmail
           filters:
-            - - operator: isNotEmpty
-                left:
-                  value:
-                    simple: UserManagerEmail
-                  iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: UserManagerEmail
+                iscontext: true
           transformers:
-            - operator: uniq
-            - operator: FirstArrayElement
+          - operator: uniq
+          - operator: FirstArrayElement
     separatecontext: false
     continueonerror: true
     continueonerrortype: ""
@@ -1074,40 +1075,38 @@ tasks:
     isautoswitchedtoquietmode: false
   "29":
     id: "29"
-    taskid: 456021f6-5586-4e7d-871d-e5f074c0a666
+    taskid: 779567f1-efb5-4c7c-86e8-47217bd39bef
     type: playbook
     task:
-      id: 456021f6-5586-4e7d-871d-e5f074c0a666
+      id: 779567f1-efb5-4c7c-86e8-47217bd39bef
       version: -1
       name: Account Enrichment - Generic v2.1
       playbookName: Account Enrichment - Generic v2.1
       type: playbook
       iscommand: false
       brand: ""
-      description: ''
+      description: |-
+        Enrich accounts using one or more integrations.
+        Supported integrations:
+        - Active Directory
+        - SailPoint IdentityNow
+        - SailPoint IdentityIQ
+        - PingOne
+        - Okta
+        - AWS IAM
+        - Cortex XDR (account enrichment and reputation)
+
+        Also, the playbook supports the generic command 'iam-get-user' (implemented in IAM integrations. For more information, visit https://xsoar.pan.dev/docs/integrations/iam-integrations.
     nexttasks:
       '#none#':
       - "28"
     scriptarguments:
       Username:
         complex:
-          root: incident.users
-          filters:
-          - - operator: isNotEmpty
-              left:
-                value:
-                  simple: incident.users
-                iscontext: true
+          root: incident
           transformers:
           - operator: uniq
-          - operator: FirstArrayElement
-          - operator: splitAndTrim
-            args:
-              delimiter:
-                value:
-                  simple: \
-          - operator: uniq
-          - operator: LastArrayElement
+          accessor: users
     separatecontext: true
     continueonerrortype: ""
     loop:
@@ -1303,11 +1302,11 @@ view: |-
     }
   }
 tests:
+- Test Playbook - Cortex XDR Malware - Incident Enrichment
 - Test XDR Playbook general commands
 - Test XDR Playbook
-- Test Playbook - Cortex XDR Malware - Incident Enrichment
 fromversion: 6.5.0
 description: |-
   This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response.
   This playbook enriches the Cortex XDR incident. The enrichment is done on the involved endpoint and Mitre technique ID information, and sets the 'Malware-Investigation and Response' layout.
-system: true
+system: true

Packs/CommonPlaybooks/pack_metadata.json

@@ -0,0 +1,6 @@
+
+#### Playbooks
+
+##### Cortex XDR Malware - Incident Enrichment
+
+Fixed an issue where usernames tied to specific domains were not enriched as expected.

Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_Malware_-_Incident_Enrichment.yml

@@ -2,7 +2,7 @@
     "name": "Cortex XDR by Palo Alto Networks",
     "description": "Automates Cortex XDR incident response, and includes custom Cortex XDR incident views and layouts to aid analyst investigations.",
     "support": "xsoar",
-    "currentVersion": "5.0.9",
+    "currentVersion": "5.0.10",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

Packs/CortexXDR/ReleaseNotes/5_0_10.md

@@ -2824,7 +2824,10 @@
         },
         {
             "playbookID": "Account Enrichment - Generic v2.1 - Test",
-            "integrations": "Active Directory Query v2",
+            "integrations": [
+            "Active Directory Query v2",
+            "Cortex XDR - IR"
+            ],
             "instance_names": "active_directory_80k",
             "has_api": false
         },