Commit 6c1a58b
SPNs Cleared From a Machine Account - Refactor (demisto#40962)
* pb + format
* rn
* removed playbook
* Bump pack version. (demisto#40999)
* Nbensalmon/ciac 10618/collection app sentinels.ai (demisto#39982)
Appsentinels.ai offers a platform for collecting, analyzing, and managing security events to provide comprehensive application protection.
* Updated Relationship names in Mandiant Enrich and Feed Mandiant Integ… (demisto#40947) (demisto#41113)
* Updated Relationship names in Mandiant Enrich and Feed Mandiant Integration
* Fixed typo in FeedMandiantThreatIntelligence.py
* Increment pack version and Docker tags
---------
Co-authored-by: adamlevymandiant <93735185+adamlevymandiant@users.noreply.github.com>
Co-authored-by: Adam Levy <adamhlevy@google.com>
* XSUP-54313 (demisto#40991)
* Initial implementation
* Fix UT
* ruff changes
* UT
* ruff
* RN and UT
* ruff
* Update Packs/CrowdStrikeFalcon/ReleaseNotes/2_3_7.md
Co-authored-by: Richard Bluestone <53567272+richardbluestone@users.noreply.github.com>
* Minor fix
* Fix UT
* Apply suggestion from @AradCarmi
Co-authored-by: Arad Carmi <62752352+AradCarmi@users.noreply.github.com>
* Apply suggestion from @AradCarmi
Co-authored-by: Arad Carmi <62752352+AradCarmi@users.noreply.github.com>
* Delete Packs/CrowdStrikeFalcon/Integrations/CrowdStrikeFalcon/integration-CrowdStrikeFalcon.yml
* final CR
* Change user key
* Raise version
* RN
* Fix
---------
Co-authored-by: Richard Bluestone <53567272+richardbluestone@users.noreply.github.com>
Co-authored-by: Arad Carmi <62752352+AradCarmi@users.noreply.github.com>
* Xsup 55040 (demisto#41063)
* required yml fields to allow mapping
* yml changes
* return results
* return results
* pre-commit
* pre-commit
* pr comments
* pr comments
* pre commit
* Mark remaining internal scripts with isInternal (demisto#41083)
* Add missing isInternal to agentix scripts
* Bump versions and RN
* Update docker
* Remove list notation from rn
* Apply suggestions from doc review
Co-authored-by: julieschwartz18 <91824591+julieschwartz18@users.noreply.github.com>
* Fix rn
* Bump pack from version CrowdStrikeFalcon to 2.3.9.
* replace rn with generic message
---------
Co-authored-by: julieschwartz18 <91824591+julieschwartz18@users.noreply.github.com>
Co-authored-by: Content Bot <bot@demisto.com>
* fix get-endpoint-data action inputs (demisto#41118)
* bump version of aggregated scripts
* Update 1_1_3.md
* Whois - adding another regex for registrant_regexes (demisto#41116)
* add one log to see the raw-response as is
* adding another regex for registrant_regexes
* CRTX-165828 - Mapping Tigera Calico Secure (demisto#40925)
* create all files
* remove unwanted files
* update readme according to tech writer suggestions
* update readme
* create files
* fix timestamp parsing rule
* fix timestamp parsing rule
* fix timestamp parsing rule
* fix readme
* fix readme
* fix metadata - add platform
* fix time parsing
* fix time parsing
* fix readme precommit error
* fix readme precommit error
* fix xif
* readme file error
* readme file error
* fix xif
* change ip_protocol
* cisco umbrella - use risk score for domain verdict (demisto#41000)
* domain verdict update to use risk score
* update rn
* Update Packs/Cisco-umbrella/ReleaseNotes/2_0_5.md
Co-authored-by: yuvalbenshalom <ybenshalom@paloaltonetworks.com>
* sectionOrder and docker image
* add docker update to release note
* send risk_score and improve threshold logic
* update Threshold default value
---------
Co-authored-by: yuvalbenshalom <ybenshalom@paloaltonetworks.com>
* Updating Trend Micro Vision One pack (demisto#41079)
* Updating Trend Micro Vision One pack
* Updating RN
* fixing rn and md
* fixing fields in modeling rules
* TIM/Improve the removal of trailing characters in the format URL script (demisto#41075)
* TIM/Improve the removal of trailing characters in the format URL script
* Bump pack from version CommonScripts to 1.20.7.
* Bump pack from version CommonScripts to 1.20.8.
* cr fixes
* Bump pack from version CommonScripts to 1.20.9.
* Bump pack from version CommonScripts to 1.20.10.
* empty commit
* fixes
---------
Co-authored-by: Content Bot <bot@demisto.com>
* Microsoft Management Activity API (O365/Azure Events) integration request to have case insensitive for Operations to fetch (demisto#41070)
* Operation filter changed to lowercase
* Operation filter changed to lowercase
* formatter
* formatter
* formatter
* back to doc change only
* back to doc change only
* Small change
* Small change
* Small change
* Small change
* merged from master
* review changes
* Update Packs/MicrosoftManagementActivity/Integrations/MicrosoftManagementActivity/MicrosoftManagementActivity.yml
Co-authored-by: julieschwartz18 <91824591+julieschwartz18@users.noreply.github.com>
* Update Packs/MicrosoftManagementActivity/Integrations/MicrosoftManagementActivity/MicrosoftManagementActivity.yml
Co-authored-by: julieschwartz18 <91824591+julieschwartz18@users.noreply.github.com>
* Update Packs/MicrosoftManagementActivity/Integrations/MicrosoftManagementActivity/MicrosoftManagementActivity_description.md
Co-authored-by: julieschwartz18 <91824591+julieschwartz18@users.noreply.github.com>
* Update Packs/MicrosoftManagementActivity/ReleaseNotes/1_3_60.md
Co-authored-by: julieschwartz18 <91824591+julieschwartz18@users.noreply.github.com>
* Update Packs/MicrosoftManagementActivity/Integrations/MicrosoftManagementActivity/MicrosoftManagementActivity_description.md
Co-authored-by: julieschwartz18 <91824591+julieschwartz18@users.noreply.github.com>
* Update Packs/MicrosoftManagementActivity/Integrations/MicrosoftManagementActivity/MicrosoftManagementActivity_description.md
Co-authored-by: julieschwartz18 <91824591+julieschwartz18@users.noreply.github.com>
* small changes
* small changes
* small changes
* small changes
* small changes
* small changes
* added to readme
* added to readme
* Update Packs/MicrosoftManagementActivity/ReleaseNotes/1_3_60.md
Co-authored-by: Shelly Tzohar <45915502+Shellyber@users.noreply.github.com>
---------
Co-authored-by: julieschwartz18 <91824591+julieschwartz18@users.noreply.github.com>
Co-authored-by: Shelly Tzohar <45915502+Shellyber@users.noreply.github.com>
* Fix get user data ad missing args (demisto#41125)
* fix the arg name username is directed to when calling ad-get-user
* added rn
* Asavenok/logos added (demisto#41122)
* Asavenok/logos added (demisto#41049)
* Added logos: add dark and light SVG icons for CyberArk and Alibaba integrations
* add dark mode SVG logos for FireEye integration packs
---------
Co-authored-by: Yael Shamai <111040837+YaelShamai@users.noreply.github.com>
* docker images, description files and dots in yml
* pre commit
* revert all changes
* revert
---------
Co-authored-by: asavenokPAN <asavenok@paloaltonetworks.com>
Co-authored-by: Yael Shamai <111040837+YaelShamai@users.noreply.github.com>
Co-authored-by: yshamai <yshamai@paloaltonetworks.com>
* Tigera Calico fix the README file (demisto#41134)
* PAN-OS Agentix Action Updates (demisto#41078)
* Added handling of download errors.
* Fixed issue in script "PanOSAnalyzeRuleHitCounts" when imported context data contained single items instead of lists.
* Updated release notes.
* Readd inputs and new outputs to Security Advisories playbook.
* Updated release notes for docker image and playbook inputs/outputs.
* Bump pack from version PAN-OS to 2.6.8.
---------
Co-authored-by: aneeshamore <amore@paloaltonetworks.com>
Co-authored-by: Content Bot <bot@demisto.com>
* [GetUserData] Fix output for Active Directory users (demisto#41136)
* init
* UTs
* Aruba Collector new command 'aruba-auth-test' alternatively to 'test-module' (demisto#41058)
* adding a new command 'aruba-auth-test'
* UTs and RN with BC
* ruff
* README
* DO
* DO
* RN
* change desc of the new command
* new bucket
* Bitsight-Event-Collector/CIAC-12152 (demisto#41052)
* init
* todo
* add images
* description
* rename
* readme
* tests and more
* ruff
* pre commit
* move
* validations
* improvements
* rn
* ruff
* fix tests
* improve
* 2 days
* limit 5
* fixes
* ruff
* fixes
* demo fixes
* fix tests
* improve
* cr
* [Microsoft Defender XDR] Close Redirected Incidents (demisto#41107) (demisto#41148)
Redirected incidents are also considered "closed". They should be closed.
---------
Co-authored-by: enes-oezdemir <151725756+enes-oezdemir@users.noreply.github.com>
Co-authored-by: Niv Ben Salmon <nbensalmon@paloaltonetworks.com>
* CIAC-9227 - 'Monday' [collection] new pack (demisto#40684)
* Initialize new Monday Pack + Implement auth logic for activity logs
* Draft - fetch audit logs
* DRAFT - fetch audit log (implement new last_run structure)
* DRAFT: audit logs fetching - fix pagination and deduplication logic
* fetch version for Audit logs after test+implement log deduplication mechanism using SHA-256 hashing
* DRAFT: implement activity logs fetching and improve audit logs fetching logic
* DRAFT: save access token to integration context and improve activity logs fetching
* DRAFT: fix: handle duplicate logs and subtract epsilon timestamp from start parameter filter for including the same time logs
* setting xsiam _time field by removing decimal places
* improve logic + change parameter to single board id + add README files
* refactor: support multiple board IDs for activity log fetching and improve duplicate log handling
* refactor: standardize timestamp handling and improve debug logs in Monday integration
* Adding tests for Audit logs
* improve and fix logic + add type and time fields to dataset
* implement test-connection command
* Adding tests for Activity logs
* refactor audit and activity log limit
* refactor: clean up and improve code documentation after running pre-commit
* refactor: implement ActivityLogsClient - BaseClient class
* refactor: implement AuditLogsClient - BaseClient class
* Fix TestGetAuditLogs according to the new Client change
* refactor: fix tests according to the new client audit and activity class
* fixing after pre-commit
* update Monday pack metadata with supported modules and marketplaces
* revert cs changes (mistake)
* add debug prefix to Monday pack secrets ignore list
* add secret to ignore
* test: add connection testing and utility functions for Monday Event Collector
* fix tests
* update Monday integration Docker image to python3:3.12.11.4508456
* chore: add new secret pattern to Monday pack ignore list
* fix secret error
* fix: update start fetch time to 1 minute
* remove TODO comments
* fix: improve test connection error handling
* fix: update secret field types from 4 to 9
* Bump pack version. (demisto#40999)
* empty commit
* revert
* Update Packs/Monday/README.md
Co-authored-by: Richard Bluestone <53567272+richardbluestone@users.noreply.github.com>
* fixing after doc review
* refactor: improve credentials handling and UI for Monday Event Collector integration
* fix: revert triggers
* fix: update test according to yml changes
---------
Co-authored-by: Mike Rizzo <mrizzo@paloaltonetworks.com>
Co-authored-by: Richard Bluestone <53567272+richardbluestone@users.noreply.github.com>
* New Scripts: MissingElements (demisto#41094) (demisto#41124)
* Initial commit
* Typing resolved
* Release notes updated
* From version and no tests added
* Changes Added
---------
Co-authored-by: Mandar Naik <mandarnaik016@gmail.com>
Co-authored-by: Yael Shamai <111040837+YaelShamai@users.noreply.github.com>
* bug-fix (demisto#41156)
* bug-fix - remove $top from unsupported urls.
* Auto Updated Docker PR from 2025-09-04 GitLab Pipeline ID 4758737 (demisto#41158)
* Updated Docker Images.
* Updated Release Notes.
* Bump pack from version CommunityCommonScripts to 1.3.21.
---------
Co-authored-by: content-bot <content-bot@users.noreply.github.com>
Co-authored-by: Content Bot <bot@demisto.com>
* Added Documentation (demisto#41151)
* Added Documentation
* Fixed images path in README
* Added Documentation
* Fixed images path in README
* Updated readme and playbook image
* rn
* rn
* 1 1 99
---------
Co-authored-by: Mike Rizzo <mrizzo@paloaltonetworks.com>
Co-authored-by: Niv Ben Salmon <nbensalmon@paloaltonetworks.com>
Co-authored-by: content-bot <55035720+content-bot@users.noreply.github.com>
Co-authored-by: adamlevymandiant <93735185+adamlevymandiant@users.noreply.github.com>
Co-authored-by: Adam Levy <adamhlevy@google.com>
Co-authored-by: Tal Zichlinsky <35036457+talzich@users.noreply.github.com>
Co-authored-by: Richard Bluestone <53567272+richardbluestone@users.noreply.github.com>
Co-authored-by: Arad Carmi <62752352+AradCarmi@users.noreply.github.com>
Co-authored-by: Maya Goldman <94686128+mayyagoldman@users.noreply.github.com>
Co-authored-by: Sapir Malka <44067957+itssapir@users.noreply.github.com>
Co-authored-by: julieschwartz18 <91824591+julieschwartz18@users.noreply.github.com>
Co-authored-by: Content Bot <bot@demisto.com>
Co-authored-by: Dan Tavori <38749041+dantavori@users.noreply.github.com>
Co-authored-by: rshunim <102469772+rshunim@users.noreply.github.com>
Co-authored-by: akshotiamit-pa <aakshoti@paloaltonetworks.com>
Co-authored-by: yedidyacohenpalo <162107504+yedidyacohenpalo@users.noreply.github.com>
Co-authored-by: yuvalbenshalom <ybenshalom@paloaltonetworks.com>
Co-authored-by: ellopez777 <159898322+ellopez777@users.noreply.github.com>
Co-authored-by: Moshe Eichler <78307768+MosheEichler@users.noreply.github.com>
Co-authored-by: almog2296 <alabudi@paloaltonetworks.com>
Co-authored-by: Shelly Tzohar <45915502+Shellyber@users.noreply.github.com>
Co-authored-by: Yuval Hayun <70104171+YuvHayun@users.noreply.github.com>
Co-authored-by: asavenokPAN <asavenok@paloaltonetworks.com>
Co-authored-by: Yael Shamai <111040837+YaelShamai@users.noreply.github.com>
Co-authored-by: yshamai <yshamai@paloaltonetworks.com>
Co-authored-by: aneeshamore <amore@paloaltonetworks.com>
Co-authored-by: Jacob Levy <129657918+jlevypaloalto@users.noreply.github.com>
Co-authored-by: Yehuda Rosenberg <90599084+RosenbergYehuda@users.noreply.github.com>
Co-authored-by: enes-oezdemir <151725756+enes-oezdemir@users.noreply.github.com>
Co-authored-by: lironcohen272 <lircohen@paloaltonetworks.com>
Co-authored-by: Mandar Naik <mandarnaik016@gmail.com>
Co-authored-by: hyaffe839 <hyaffe@paloaltonetworks.com>
Co-authored-by: content-bot <content-bot@users.noreply.github.com>
1 parent f569eb4 commit 6c1a58b
4 files changed
Lines changed: 9 additions & 3 deletions
File tree
- Packs/CortexResponseAndRemediation
- Playbooks
- ReleaseNotes
- doc_files
Lines changed: 2 additions & 2 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
8 | 8 | | |
9 | 9 | | |
10 | 10 | | |
11 | | - | |
12 | 11 | | |
13 | 12 | | |
14 | 13 | | |
| |||
42 | 41 | | |
43 | 42 | | |
44 | 43 | | |
| 44 | + | |
45 | 45 | | |
46 | 46 | | |
47 | 47 | | |
| 48 | + | |
48 | 49 | | |
49 | 50 | | |
50 | 51 | | |
51 | | - | |
52 | 52 | | |
53 | 53 | | |
54 | 54 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
| 1 | + | |
| 2 | + | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
| 6 | + | |
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
2 | 2 | | |
3 | 3 | | |
4 | 4 | | |
5 | | - | |
| 5 | + | |
6 | 6 | | |
7 | 7 | | |
8 | 8 | | |
| |||