Merge branch 'repo_sync_2024_07_15' into public_main

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "^.secrets.baseline$|update_set.*\\.xml|export.res",
     "lines": null
   },
-  "generated_at": "2024-07-01T05:22:42Z",
+  "generated_at": "2024-07-03T06:22:11Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -6606,15 +6606,15 @@
         "hashed_secret": "927b6987f42a829d30ce80b06ae2e6c51065a033",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 648,
+        "line_number": 650,
         "type": "Hex High Entropy String",
         "verified_result": null
       },
       {
         "hashed_secret": "7cca0cc86a5d65214a6310a29e1a608380c99ffd",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 660,
+        "line_number": 662,
         "type": "Hex High Entropy String",
         "verified_result": null
       }
@@ -6624,15 +6624,15 @@
         "hashed_secret": "927b6987f42a829d30ce80b06ae2e6c51065a033",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 79,
+        "line_number": 80,
         "type": "Hex High Entropy String",
         "verified_result": null
       },
       {
         "hashed_secret": "7cca0cc86a5d65214a6310a29e1a608380c99ffd",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 91,
+        "line_number": 92,
         "type": "Hex High Entropy String",
         "verified_result": null
       }

cp_breach_best_practices/Data_Breach_Best_Practices_for_Resilient.md

@@ -0,0 +1,87 @@
+# Data Breach Best Practices for QRadar SOAR
+
+A thorough data breach response plan that can be executed quickly is essential to comply with regulatory requirements, enhance customer trust and loyalty, and protect your brand.  Even though every data compromise has its own challenges and extenuating circumstances, there are some best-practice guidelines for how to best respond. 
+
+## Overview
+
+This package contains 23 tasks that prescribe suggested non-regulatory activities for responding to breaches of personal data. Data Breach Best Practices are tasks that, while not mandated by any specific regulator, are recommended and are supplemental to the privacy-specific tasks derived from the specific reporting requirements. 
+
+To help accelerate your response efforts, these tasks can be easily assigned rules and conditions to ensure that they only appear in your privacy playbooks as necessary. 
+
+This package includes an example custom field, rule, and condition to demonstrate how to make Data Breach Best Practices tasks appear using customizations. Specifically, a new field ‘High Volume Privacy Event’ has been created, and when ‘High Volume Privacy Event’ is equal to ‘Yes’, all 23 tasks will appear within your incident’s playbook. 
+
+## Installation
+
+Before installing, verify that your environment meets the following prerequisites: 
+
+- QRadar SOAR platform is version 34 or later. 
+- You have a QRadar SOAR account to use for the App. This can be any account that has the permission to view and modify administrator and customization settings, and read and update incidents. You need to know the account username and password. 
+
+Complete the following steps to Install Data Breach Best Practices: 
+
+1. Download data\_breach\_best\_practices\_playbook.zip from the App Exchange. 
+1. Run the unzip command line command to expose the data\_breach\_best\_practices\_playbook.res file. 
+1. Import the .res file into the QRadar SOAR platform. 
+
+Log in to the QRadar SOAR platform and navigate to the Administrator Settings tab. 
+
+![Administrator Settings](./doc/snapshots/snapshot.001.png)
+
+Navigate to Organization and click on Import then select Import Settings. 
+
+![Organization Import Settings](./doc/snapshots/snapshot.002.png) ![](./doc/snapshots/snapshot.003.png) ![](./doc/snapshots/snapshot.004.png)
+
+Select the .res file from Downloads and click proceed. 
+
+![select .res file](./doc/snapshots/snapshot.005.png)
+
+4. Follow the Configurations instructions to add the new custom field. 
+4. If necessary, modify the custom field name, rule, and/or condition to match your business needs. 
+
+## QRadar SOAR Configurations
+
+Add Custom Field 
+
+To add a custom field to incident tabs, use the following steps. 
+
+1. Log in to the QRadar SOAR platform and navigate to the Customization Settings tab. 
+
+![Customization Settings](./doc/snapshots/snapshot.006.png)
+
+2. Navigate to Layout settings and click on Incident Tabs then select the Breach Incident Tab. 
+
+![Breach Incident Tab](./doc/snapshots/snapshot.007.png)
+
+3. Drag and drop the custom field, High Volume Privacy Event. When done, save the tab. 
+
+![Drag and drop the custom field](./doc/snapshots/snapshot.008.png) ![](./doc/snapshots/snapshot.009.png) ![](./doc/snapshots/snapshot.010.png)
+
+4. Create an incident and select yes for High Volume Privacy Event to receive the 23 tasks. 
+
+![new tasks](./doc/snapshots/snapshot.011.png)
+
+Modify Custom Fields, Rules, Conditions 
+
+To modify a custom field, use the following steps. 
+
+1. Navigate to Layouts and click on edit icon next to High Volume Privacy Event. 
+
+![Navigate to Layouts](./doc/snapshots/snapshot.012.png)
+
+2. Edit Incident Field as appropriate to your business needs. Click save when done. 
+
+![Edit Incident Field as appropriate](./doc/snapshots/snapshot.014.png)
+
+To modify a rule and condition, use the following steps. 
+
+1. Navigate to Rules and select High Volume Privacy Event. 
+
+![select High Volume Privacy Event](./doc/snapshots/snapshot.015.png)
+
+2. Edit the Rule and Condition as appropriate to your business needs. Click Save when done. 
+
+![Edit the Rule and Condition](./doc/snapshots/snapshot.016.png)
+
+## Support
+
+For additional support, contact [My Support](https://ibm.com/mysupport). 

cp_breach_best_practices/make_zip.sh

@@ -0,0 +1,4 @@
+#!/bin/sh
+now=`date '+%Y%m%d_%H%M'`
+mv Data_Breach_Best_Practices_for_Resilient.zip Data_Breach_Best_Practices_for_Resilient_$now.zip
+zip -r Data_Breach_Best_Practices_for_Resilient.zip Data_Breach_Best_Practices_for_Resilient.md data_breach_best_practices_playbook.res doc

fn_qradar_advisor/Dockerfile

@@ -1,67 +1,16 @@
-# docker build -t ibmresilient/fn_qradar_advisor:2.1.0 -t ibmresilient/fn_qradar_advisor:latest .
+# Generated with resilient-sdk v52.0.0.0.1053
+# docker build -t ibmresilient/fn_qradar_advisor:2.1.1 .
+ARG BASE_IMAGE_REPO=quay.io
+# BASE_IMAGE_TAG options: latest, python-39, python-311. See https://quay.io/repository/ibmresilient/soarapps-base-docker-image?tab=tags for all options
+# use --build-arg BASE_IMAGE_TAG=<tag> to set base image to be built from
+ARG BASE_IMAGE_TAG=latest
 
-# Base image using Red Hat's universal base image (rhel 8) for python
-FROM registry.access.redhat.com/ubi8/python-39:latest
+FROM ${BASE_IMAGE_REPO}/ibmresilient/soarapps-base-docker-image:${BASE_IMAGE_TAG}
 
 ARG APPLICATION=fn_qradar_advisor
-ARG RESILIENT_CIRCUITS_VERSION=46.0.0
-ARG PATH_RESILIENT_CIRCUITS=rescircuits
 
-# Environment variable for any app to check if running in a container
-ARG APP_HOST_CONTAINER=1
-ENV APP_HOST_CONTAINER=${APP_HOST_CONTAINER}
-
-# Update to latest packages, user 0 for root privilege
-USER 0
-
-# Update to latest pip
-RUN pip install --upgrade pip
-
-# install resilient-circuits
-RUN pip install "resilient-circuits>=${RESILIENT_CIRCUITS_VERSION}"
-
-## ---- section for changes ----
-# uncomment and replicate if additional os libraries are needed
-#RUN yum -y update && yum clean all
-#RUN yum -y install <package>
-
-# install the base package
 COPY ./dist /tmp/packages
+USER 0
+RUN yum -y update && yum clean all
 RUN pip install /tmp/packages/${APPLICATION}-*.tar.gz
-
-# uncomment and replicate if additional pypi packages are needed
-#RUN pip install <package>
-
-# uncomment and replicate if additional local packages are needed
-#COPY /path/to/extra_package /tmp/packages/.
-#RUN pip install /tmp/packages/<extra_package>*.tar.gz
-
-## ---- end section for changes ----
-
-# set up configuration and log locations using /etc and /var/log, the conventional locations for config and logs
-RUN mkdir /etc/${PATH_RESILIENT_CIRCUITS}
-ENV APP_CONFIG_FILE /etc/${PATH_RESILIENT_CIRCUITS}/app.config
-
-# create arbitrary group for user 1001
-RUN groupadd -g 1001 default && usermod -g 1001 default
-
-# create directory for logs and set to be root group to allow access by non root processes
-# See https://docs.openshift.com/container-platform/4.2/openshift_images/create-images.html#images-create-guide-openshift_create-images
-RUN mkdir /var/log/${PATH_RESILIENT_CIRCUITS} && \
-    chgrp -R 1001 /var/log/${PATH_RESILIENT_CIRCUITS} && \
-    chmod -R g=u /var/log/${PATH_RESILIENT_CIRCUITS}
-ENV APP_LOG_DIR /var/log/${PATH_RESILIENT_CIRCUITS}
-
-# setup entrypoint for read-only enterprise data used by integration, if needed
-RUN mkdir /var/${PATH_RESILIENT_CIRCUITS}
-
-# entrypoint for resilient-circuits.  Use /opt, the conventional location for optional software on Linux
-RUN mkdir /opt/${PATH_RESILIENT_CIRCUITS}
-COPY entrypoint.sh /opt/${PATH_RESILIENT_CIRCUITS}/entrypoint.sh
-
-# remove temporary python files
-RUN rm -rf /tmp/packages /tmp/lib
-
-# arbitrary user, support running as non-root. Required on OpenShift. Generally a good practice.
 USER 1001
-ENTRYPOINT [ "sh", "/opt/rescircuits/entrypoint.sh" ]