Crtx 146119 bitwarden pm (demisto#38775)

* create modeling rules

* update release notes

* update modeling rules

* update readme,metadata

Packs/BitwardenPasswordManager/ModelingRules/BitwardenPasswordManager/BitwardenPasswordManager.xif

@@ -0,0 +1,13 @@
+[MODEL: dataset = "bitwarden_password_manager_raw"]
+alter 
+    IPV4 = if(ipAddress ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}",ipAddress ,null),
+    IPV6 = if(ipAddress ~= "^((?:[a-fA-F\d]{0,4}\:){2,7}[a-fA-F\d]{0,4})$",ipAddress ,null)
+| alter 
+    xdm.source.user.identifier = actingUserId,
+    xdm.source.ipv4 = IPV4,
+    xdm.source.ipv6 = IPV6,
+    xdm.target.user.identifier = memberId,
+    xdm.target.user.groups = arraycreate(groupId),
+    xdm.target.resource.id = itemId,
+    xdm.event.type = if(type=1000, "Logged In", type=1001,"Changed account password", type=1002,"Enabled/updated twostep login", type=1003,"Disabled twostep login", type=1004,"Recovered account from twostep login", type=1005,"Login attempted failed with incorrect password", type=1006,"Login attempt failed with incorrect twostep login", type=1007,"User exported their individual vault items", type=1008,"User updated a password issued through account recovery", type=1009,"User migrated their decryption key with Key Connector", type=1010,"User requested device approval", type=1100,"Created Item", type=1101,"Edited Item", type=1102,"Permanently Deleted Item", type=1103,"Created attachment for item", type=1104,"Deleted attachment for item", type=1105,"Moved item to an organization", type=1106,"Edited collections for item", type=1107,"Viewed Item", type=1108,"Viewed password for item", type=1109,"Viewed hidden field for item", type=1110,"Viewed security code for item", type=1111,"Copied password for item", type=1112,"Copied hidden field for item", type=1113,"Copied security code for item", type=1114,"Autofilled Item", type=1115,"Sent item to trash", type=1116,"Restored Item", type=1117,"Viewed Card Number for item", type=1300,"Created Collection", type=1301,"Edited Collection", type=1302,"Deleted Collection", type=1400,"Created Group", type=1401,"Edited Group", type=1402,"Deleted Group", type=1500,"Invited User", type=1501,"Confirmed User", type=1502,"Edited User", type=1503,"Removed User", type=1504,"Edited groups for user", type=1505,"Unlinked SSO for user", type=1506,"User enrolled in account recovery", type=1507,"User withdrew from account recovery", type=1508,"Master Password reset for", type=1509,"Reset SSO link for user", type=1510,"User logged in using SSO for the first time", type=1511,"Revoked organization access for", type=1512,"Restores organization access for", type=1513,"Approved device for", type=1514,"Denied device for", type=1600,"Edited organization settings", type=1601,"Purged organization vault", type=1602,"Exported organization vault", type=1603,"Organization Vault access by a managing Provider", type=1604,"Organization enabled SSO", type=1609,"Modified collection management setting", type=1605,"Organization disabled SSO", type=1606,"Organization enabled Key Connector", type=1607,"Organization disabled Key Connector", type=1608,"Families Sponsorships synced", type=1700,"Modified Policy", type=2000,"Added Domain", type=2001,"Removed Domain", type=2002,"Domain name verified", type=2003,"Domain name not verified", type=2100,"Accessed Secret", to_string(type)),
+    xdm.event.original_event_type = if(type in (1000,1001,1002,1003,1004,1005,1006,1007,1008,1009,1010),"User Events", type in (1100,1101,1102,1103,1104,1105,1106,1107,1108,1109,1110,1111,1112,1113,1114,1115,1116,1117),"Item Events" ,type in (1300,1301,1302),"Collection events", type in (1400,1401,1402), "Group Events", type in (1500,1501,1502,1503,1504,1505,1506,1507,1508,1509,1510,1511,1512,1513,1514,1600,1601,1602,1603,1604,1605,1606,1607,1608,1700,2000,2001,2002,2003,1609), "Organization Events", type=2100, "Secrets Manager Events", to_string(type));

Packs/BitwardenPasswordManager/ModelingRules/BitwardenPasswordManager/BitwardenPasswordManager.yml

@@ -0,0 +1,6 @@
+fromversion: 8.4.0  # Will be updated with XSIAM version updates
+id: Bitwarden_Password_Manager_ModelingRule
+name: Bitwarden PasswordManager Modeling Rule
+rules: ''
+schema: ''
+tags: ''

Packs/BitwardenPasswordManager/ModelingRules/BitwardenPasswordManager/BitwardenPasswordManager_schema.json

@@ -0,0 +1,28 @@
+{
+    "bitwarden_password_manager_raw": {
+      "actingUserId": {
+        "type": "string",
+        "is_array": false
+      },
+      "ipAddress": {
+        "type": "string",
+        "is_array": false
+      },
+      "memberId": {
+        "type": "string",
+        "is_array": false
+      },
+      "groupId": {
+        "type": "string",
+        "is_array": false
+      },
+      "itemId": {
+        "type": "string",
+        "is_array": false
+      },
+      "type": {
+        "type": "int",
+        "is_array": false
+      }
+    }
+  }

Packs/BitwardenPasswordManager/README.md

@@ -1,5 +1,34 @@
 # Bitwarden Password Manager
+## Overview
 
-Bitwarden Password Manager integrates with Palo Alto Network’s Cortex XSIAM to fetch records of events that occur within your Teams or Enterprise organization.
+Bitwarden Password Manager integrates with Palo Alto Network’s Cortex XSIAM to fetch records of events that occur within your Teams or Enterprise organization.<br>
+Password Manager helps organizations store their passwords and other sensitive data securely in an encrypted vault and has the abilities to identify compromised passwords.
 
-For more information, see the integration documentation.
+<~XSIAM>
+
+## What does this pack contain?
+
+- Rest API integration for your Bitwarden Password Manager.
+- Modeling Rules for all security events:
+  - User Events
+  - Collection Events
+  - Organization Events
+  - Item Events
+  - Group Events
+  - Secrets Manager Events
+
+## How to integrate with XSIAM?
+
+### Generate API Keys in Bitwarden Password Manager
+1. Log in to **Bitwarden Admin Console** and go to **Settings** -> **Organization info** -> **View API key**
+2. Copy the **client_id** and **client_secret**
+
+For more information, check the Bitwarden Public API documentation -> [Click here](https://bitwarden.com/help/public-api/#authentication).
+
+### XSIAM Configuration
+
+1. In Cortex XSIAM, click **Marketplace** and install the **Bitwarden Password Manager** content pack.
+2. Go to **Settings** > **Data Sources** and look for the **Bitwarden Password Manager** Data Source.
+3. Enter your **client_id**, **client_secret** and **Bitwwarden API Server URL**
+
+</~XSIAM>

Packs/BitwardenPasswordManager/ReleaseNotes/1_0_3.md

@@ -0,0 +1,6 @@
+
+#### Modeling Rules
+
+##### New: Bitwarden PasswordManager Modeling Rule
+
+New: Added a new modeling rule - Bitwarden PasswordManager Modeling Rule.

Packs/BitwardenPasswordManager/pack_metadata.json

@@ -2,16 +2,22 @@
     "name": "Bitwarden Password Manager",
     "description": "Bitwarden Password Manager is a secure, open-source tool for storing and managing passwords and sensitive information across devices.",
     "support": "xsoar",
-    "currentVersion": "1.0.2",
+    "currentVersion": "1.0.3",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",
     "categories": [
         "Analytics & SIEM"
     ],
-    "tags": [],
+    "tags": [
+        "IT"
+    ],
     "useCases": [],
-    "keywords": [],
+    "keywords": [
+        "Vault",
+        "Password Management",
+        "Credentials"
+    ],
     "marketplaces": [
         "marketplacev2"
     ]