splunk-soar-sdk 3.5.0__py3-none-any.whl → 3.6.0__py3-none-any.whl

soar_sdk/actions_manager.py

@@ -24,6 +24,7 @@ class ActionsManager(BaseConnector):
 
         self._actions: dict[str, Action] = {}
         self.__app_dir: Path | None = None
+        self.supports_es_polling: bool = False
 
     def get_action(self, identifier: str) -> Action | None:
         """Convenience method for getting an Action callable from its identifier.
@@ -123,13 +124,6 @@ class ActionsManager(BaseConnector):
         # For non-broker just proceed as we did before
         return super().get_app_dir()
 
-    def send_finding_to_es(self, finding: dict[str, Any]) -> str:
-        """Send finding to ES.
-
-        Returns finding_id: ID for the finding in ES.
-        """
-        return ""
-
     @classmethod
     def get_soar_base_url(cls) -> str:
         """Get the base URL of the Splunk SOAR instance this app is running on."""

soar_sdk/apis/es/findings.py

@@ -0,0 +1,27 @@
+import httpx
+from pydantic import Field
+
+from soar_sdk.models.finding import Finding
+
+
+class CreateFindingResponse(Finding):
+    """The return type from creating a Finding."""
+
+    time: str = Field(alias="_time")
+    finding_id: str
+
+
+class Findings:
+    """Client for ES Findings API."""
+
+    def __init__(self, client: httpx.Client) -> None:
+        self._client = client
+
+    def create(self, finding: Finding) -> CreateFindingResponse:
+        """Create a new Finding."""
+        res = self._client.post(
+            "/services/public/v2/findings",
+            data=finding.model_dump(),
+        )
+        res.raise_for_status()
+        return CreateFindingResponse(**res.json())

soar_sdk/cli/manifests/processors.py

@@ -74,6 +74,8 @@ class ManifestProcessor:
                 f"{module_name}.{app_instance_name}.handle_webhook"
             )
 
+        app_meta.supports_es_polling = app.actions_manager.supports_es_polling
+
         return app_meta
 
     def create(self) -> None:

soar_sdk/decorators/on_es_poll.py

@@ -1,15 +1,17 @@
+import asyncio
 import inspect
-from collections.abc import Callable, Iterator
+from collections.abc import Callable
 from functools import wraps
-from typing import TYPE_CHECKING, Any
+from typing import TYPE_CHECKING, Any, get_args
+
+from pydantic import ValidationError
 
 from soar_sdk.abstract import SOARClient
 from soar_sdk.action_results import ActionResult
-from soar_sdk.async_utils import run_async_if_needed
+from soar_sdk.es_client import ESClient
 from soar_sdk.exceptions import ActionFailure
 from soar_sdk.logging import getLogger
 from soar_sdk.meta.actions import ActionMeta
-from soar_sdk.models.attachment_input import AttachmentInput
 from soar_sdk.models.container import Container
 from soar_sdk.models.finding import Finding
 from soar_sdk.params import OnESPollParams
@@ -19,6 +21,10 @@ if TYPE_CHECKING:
     from soar_sdk.app import App
 
 
+ESPollingYieldType = Finding
+ESPollingSendType = int | None
+
+
 class OnESPollDecorator:
     """Class-based decorator for tagging a function as the special 'on es poll' action."""
 
@@ -26,12 +32,12 @@ class OnESPollDecorator:
         self.app = app
 
     def __call__(self, function: Callable) -> Action:
-        """Decorator for the 'on es poll' action.
-
-        The decorated function must be a generator (using yield) or return an Iterator that yields tuples of (Finding, list[AttachmentInput]). Only one on_es_poll action is allowed per app.
+        """Decorator for the 'on es poll' action. The decorated function must be a Generator or AsyncGenerator. Only one on_es_poll action is allowed per app.
 
         Usage:
-        Each yielded tuple creates a Container from the Finding metadata. All AttachmentInput items in the list are added as vault attachments to that container.
+        The generator should yield a `Finding`. Upon receiving an event from the generator, the SDK will submit the Finding to Splunk Enterprise Security and create a linked SOAR Container.
+        The generator should accept a "send type" of `int | None`. When a Finding is successfully delivered to ES and linked to a Container, the SDK will send the Container ID back into the generator. The Container is useful for storing large attachments included with the Finding.
+        If the Finding cannot be successfully delivered to ES, the SDK will stop polling and return a failed result for the action run.
         """
         if self.app.actions_manager.get_action("on_es_poll"):
             raise TypeError(
@@ -40,16 +46,25 @@ class OnESPollDecorator:
 
         is_generator = inspect.isgeneratorfunction(function)
         is_async_generator = inspect.isasyncgenfunction(function)
-        signature = inspect.signature(function)
 
-        has_iterator_return = (
-            signature.return_annotation != inspect.Signature.empty
-            and getattr(signature.return_annotation, "__origin__", None) is Iterator
-        )
+        generator_type = inspect.signature(function).return_annotation
+        generator_type_args = get_args(generator_type)
+
+        if not (is_generator or is_async_generator) or len(generator_type_args) < 2:
+            raise TypeError(
+                "The on_es_poll function must be a Generator or AsyncGenerator (use 'yield')."
+            )
+
+        yield_type = generator_type_args[0]
+        send_type = generator_type_args[1]
 
-        if not (is_generator or is_async_generator or has_iterator_return):
+        if yield_type != ESPollingYieldType:
             raise TypeError(
-                "The on_es_poll function must be a generator (use 'yield') or return an Iterator."
+                f"@on_es_poll generator should have yield type {ESPollingYieldType}."
+            )
+        if send_type != ESPollingSendType:
+            raise TypeError(
+                f"@on_es_poll generator should have send type {ESPollingSendType}."
             )
 
         action_identifier = "on_es_poll"
@@ -67,129 +82,85 @@ class OnESPollDecorator:
             **kwargs: Any,  # noqa: ANN401
         ) -> bool:
             try:
+                action_params = validated_params_class.model_validate(params)
+            except ValidationError as e:
+                logger.info(f"Parameter validation error: {e!s}")
+                return self.app._adapt_action_result(
+                    ActionResult(status=False, message=f"Invalid parameters: {e!s}"),
+                    self.app.actions_manager,
+                )
+            es = ESClient(params.es_base_url, params.es_session_key)
+            kwargs = self.app._build_magic_args(function, soar=soar, **kwargs)
+            generator = function(action_params, *args, **kwargs)
+
+            if is_async_generator:
+
+                def polling_step(
+                    last_container_id: ESPollingSendType,
+                ) -> ESPollingYieldType:
+                    return asyncio.run(generator.asend(last_container_id))
+            else:
+
+                def polling_step(
+                    last_container_id: ESPollingSendType,
+                ) -> ESPollingYieldType:
+                    return generator.send(last_container_id)
+
+            last_container_id = None
+            while True:
                 try:
-                    action_params = validated_params_class.parse_obj(params)
-                except Exception as e:
-                    logger.info(f"Parameter validation error: {e!s}")
+                    item = polling_step(last_container_id)
+                except (StopIteration, StopAsyncIteration):
                     return self.app._adapt_action_result(
                         ActionResult(
-                            status=False, message=f"Invalid parameters: {e!s}"
+                            status=True, message="Finding processing complete"
                         ),
                         self.app.actions_manager,
                     )
+                except ActionFailure as e:
+                    e.set_action_name(action_name)
+                    return self.app._adapt_action_result(
+                        ActionResult(status=False, message=str(e)),
+                        self.app.actions_manager,
+                    )
+                except Exception as e:
+                    self.app.actions_manager.add_exception(e)
+                    logger.info(f"Error during finding processing: {e!s}")
+                    return self.app._adapt_action_result(
+                        ActionResult(status=False, message=str(e)),
+                        self.app.actions_manager,
+                    )
 
-                kwargs = self.app._build_magic_args(function, soar=soar, **kwargs)
-
-                result = function(action_params, *args, **kwargs)
-                result = run_async_if_needed(result)
-
-                for item in result:
-                    if not isinstance(item, tuple) or len(item) != 2:
-                        logger.info(
-                            f"Warning: Expected tuple of (Finding, list[AttachmentInput]), got: {type(item)}"
-                        )
-                        continue
-
-                    finding, attachments = item
-
-                    if not isinstance(finding, Finding):
-                        logger.info(
-                            f"Warning: First element must be Finding, got: {type(finding)}"
-                        )
-                        continue
-
-                    if not isinstance(attachments, list):
-                        logger.info(
-                            f"Warning: Second element must be list[AttachmentInput], got: {type(attachments)}"
-                        )
-                        continue
-
-                    for attachment in attachments:
-                        if not isinstance(attachment, AttachmentInput):
-                            logger.info(
-                                f"Warning: Attachment must be AttachmentInput, got: {type(attachment)}"
-                            )
-                            break
-                    else:
-                        finding_dict = finding.to_dict()
-                        logger.info(
-                            f"Processing finding: {finding_dict.get('rule_title', 'Unnamed finding')}"
-                        )
-
-                        # Send finding to ES and get finding_id back
-                        finding_id = self.app.actions_manager.send_finding_to_es(
-                            finding_dict
-                        )
-
-                        container = Container(
-                            name=finding.rule_title,
-                            description=finding.rule_description,
-                            severity=finding.urgency or "medium",
-                            status=finding.status,
-                            owner_id=finding.owner,
-                            sensitivity=finding.disposition,
-                            tags=finding.source,
-                            external_id=finding_id,
-                            data={
-                                "security_domain": finding.security_domain,
-                                "risk_score": finding.risk_score,
-                                "risk_object": finding.risk_object,
-                                "risk_object_type": finding.risk_object_type,
-                            },
-                        )
-
-                        ret_val, message, container_id = (
-                            self.app.actions_manager.save_container(container.to_dict())
-                        )
-                        logger.info(
-                            f"Creating container for finding: {finding.rule_title}"
-                        )
-
-                        if not ret_val:
-                            logger.info(f"Failed to create container: {message}")
-                            continue
-
-                        for attachment in attachments:
-                            try:
-                                if attachment.file_content is not None:
-                                    vault_id = soar.vault.create_attachment(
-                                        container_id=container_id,
-                                        file_content=attachment.file_content,
-                                        file_name=attachment.file_name,
-                                        metadata=attachment.metadata,
-                                    )
-                                else:
-                                    vault_id = soar.vault.add_attachment(
-                                        container_id=container_id,
-                                        file_location=attachment.file_location,
-                                        file_name=attachment.file_name,
-                                        metadata=attachment.metadata,
-                                    )
-                                logger.info(
-                                    f"Added attachment {attachment.file_name} with vault_id: {vault_id}"
-                                )
-                            except Exception as e:
-                                logger.info(
-                                    f"Failed to add attachment {attachment.file_name}: {e!s}"
-                                )
-
-                return self.app._adapt_action_result(
-                    ActionResult(status=True, message="Finding processing complete"),
-                    self.app.actions_manager,
-                )
-            except ActionFailure as e:
-                e.set_action_name(action_name)
-                return self.app._adapt_action_result(
-                    ActionResult(status=False, message=str(e)),
-                    self.app.actions_manager,
+                if type(item) is not ESPollingYieldType:
+                    logger.info(
+                        f"Warning: expected {ESPollingYieldType}, got {type(item)}, skipping"
+                    )
+                    continue
+                finding = es.findings.create(item)
+                logger.info(f"Created finding {finding.finding_id}")
+
+                container = Container(
+                    name=finding.rule_title,
+                    description=finding.rule_description,
+                    severity=finding.urgency or "medium",
+                    status=finding.status,
+                    owner_id=finding.owner,
+                    sensitivity=finding.disposition,
+                    tags=finding.source,
+                    external_id=finding.finding_id,
+                    data={
+                        "security_domain": finding.security_domain,
+                        "risk_score": finding.risk_score,
+                        "risk_object": finding.risk_object,
+                        "risk_object_type": finding.risk_object_type,
+                    },
                 )
-            except Exception as e:
-                self.app.actions_manager.add_exception(e)
-                logger.info(f"Error during finding processing: {e!s}")
-                return self.app._adapt_action_result(
-                    ActionResult(status=False, message=str(e)),
-                    self.app.actions_manager,
+                ret_val, message, last_container_id = (
+                    self.app.actions_manager.save_container(container.to_dict())
                 )
+                logger.info(f"Creating container for finding: {finding.rule_title}")
+                if not ret_val:
+                    raise ActionFailure(f"Failed to create container: {message}")
 
         inner.params_class = validated_params_class
 
@@ -211,5 +182,6 @@ class OnESPollDecorator:
         )
 
         self.app.actions_manager.set_action(action_identifier, inner)
+        self.app.actions_manager.supports_es_polling = True
         self.app._dev_skip_in_pytest(function, inner)
         return inner

soar_sdk/es_client.py

@@ -0,0 +1,43 @@
+import httpx
+from httpx_retries import Retry, RetryTransport
+from httpx_retries.retry import HTTPMethod, HTTPStatus
+
+from soar_sdk.apis.es.findings import Findings
+
+RETRYABLE_METHODS = [
+    HTTPMethod.GET,
+    HTTPMethod.PUT,
+    HTTPMethod.POST,
+    HTTPMethod.PATCH,
+    HTTPMethod.DELETE,
+]
+RETRYABLE_STATUSES = [
+    HTTPStatus.TOO_MANY_REQUESTS,
+    HTTPStatus.BAD_GATEWAY,
+    HTTPStatus.SERVICE_UNAVAILABLE,
+    HTTPStatus.GATEWAY_TIMEOUT,
+]
+
+
+class ESClient:
+    """A client for accessing Splunk Enterprise Security APIs."""
+
+    def __init__(self, base_url: str, session_key: str, verify: bool = True) -> None:
+        transport = RetryTransport(
+            transport=httpx.HTTPTransport(verify=verify),
+            retry=Retry(
+                allowed_methods=RETRYABLE_METHODS,
+                status_forcelist=RETRYABLE_STATUSES,
+                total=5,
+            ),
+        )
+        self._client = httpx.Client(
+            base_url=base_url,
+            transport=transport,
+            headers={"Authorization": f"Splunk {session_key}"},
+        )
+
+    @property
+    def findings(self) -> Findings:
+        """The ES /public/v2/findings API."""
+        return Findings(self._client)

soar_sdk/meta/app.py

@@ -45,6 +45,7 @@ class AppMeta(BaseModel):
     pip314_dependencies: DependencyList = Field(default_factory=DependencyList)
 
     webhook: WebhookMeta | None = None
+    supports_es_polling: bool = False
 
     @field_validator("python_version", mode="before")
     @classmethod

soar_sdk/meta/dependencies.py

@@ -52,7 +52,8 @@ remove_when_soar_newer_than(
     "If the Splunk SDK is available as a wheel now, remove it, and remove all of the code for building wheels from source.",
 )
 DEPENDENCIES_TO_BUILD = {
-    "splunk_sdk",  # https://github.com/splunk/splunk-sdk-python/pull/656
+    "splunk_sdk",  # https://github.com/splunk/splunk-sdk-python/pull/656,
+    "splunk_soar_sdk",  # Useful to build from source when developing the SDK
 }
 
 
@@ -189,6 +190,23 @@ class UvSourceDistribution(BaseModel):
                 return Path(wheel_path).name, f.read()
 
 
+class UvSourceDirectory(BaseModel):
+    """Represents a Python dependency to be built from a source directory on the local filesystem."""
+
+    directory: str
+
+    def build(self) -> tuple[str, bytes]:
+        """Build a wheel from a local source directory."""
+        with TemporaryDirectory() as build_dir:
+            builder = build.ProjectBuilder(
+                self.directory,
+                runner=UvSourceDistribution._builder_runner,
+            )
+            wheel_path = builder.build("wheel", build_dir)
+            with open(wheel_path, "rb") as f:
+                return Path(wheel_path).name, f.read()
+
+
 class DependencyWheel(BaseModel):
     """Represents a Python package dependency with all the information required to fetch its wheel(s) from the CDN."""
 
@@ -199,6 +217,7 @@ class DependencyWheel(BaseModel):
     wheel: UvWheel | None = Field(exclude=True, default=None)
     wheel_aarch64: UvWheel | None = Field(exclude=True, default=None)
     sdist: UvSourceDistribution | None = Field(exclude=True, default=None)
+    source_dir: UvSourceDirectory | None = Field(exclude=True, default=None)
 
     async def collect_wheels(self) -> AsyncGenerator[tuple[str, bytes]]:
         """Collect a list of wheel files to fetch for this dependency across all platforms."""
@@ -208,6 +227,12 @@ class DependencyWheel(BaseModel):
             yield (f"wheels/shared/{wheel_name}", wheel_bytes)
             return
 
+        if self.wheel is None and self.source_dir is not None:
+            logger.info(f"Building local sources for {self.input_file}")
+            wheel_name, wheel_bytes = self.source_dir.build()
+            yield (f"wheels/shared/{wheel_name}", wheel_bytes)
+            return
+
         if self.wheel is None:
             raise ValueError(
                 f"Could not find a suitable wheel or source distribution for {self.module} in uv.lock"
@@ -247,6 +272,13 @@ class UvDependency(BaseModel):
     name: str
 
 
+class UvSource(BaseModel):
+    """Represents the source of a Python package in the uv lock."""
+
+    registry: str | None = None
+    directory: str | None = None
+
+
 class UvPackage(BaseModel):
     """Represents a Python package loaded from the uv lock."""
 
@@ -258,6 +290,7 @@ class UvPackage(BaseModel):
     )
     wheels: list[UvWheel] = []
     sdist: UvSourceDistribution | None = None
+    source: UvSource
 
     def _find_wheel(
         self,
@@ -366,6 +399,12 @@ class UvPackage(BaseModel):
         ):
             wheel.sdist = self.sdist
 
+        if (
+            self.source.directory is not None
+            and UvLock.normalize_package_name(self.name) in DEPENDENCIES_TO_BUILD
+        ):
+            wheel.source_dir = UvSourceDirectory(directory=self.source.directory)
+
         try:
             wheel_x86_64 = self._find_wheel(
                 abi_precedence, python_precedence, self.platform_precedence_x86_64
@@ -373,7 +412,7 @@ class UvPackage(BaseModel):
             wheel.input_file = f"{wheel_x86_64.basename}.whl"
             wheel.wheel = wheel_x86_64
         except FileNotFoundError as e:
-            if wheel.sdist is None:
+            if wheel.sdist is None and wheel.source_dir is None:
                 raise FileNotFoundError(
                     f"Could not find a suitable x86_64 wheel or source distribution for {self.name}"
                 ) from e

soar_sdk/models/finding.py

@@ -1,6 +1,6 @@
 from typing import Any
 
-from pydantic import BaseModel
+from pydantic import BaseModel, ConfigDict
 
 
 class DrilldownSearch(BaseModel):
@@ -27,10 +27,7 @@ class Finding(BaseModel):
     for investigation workflow.
     """
 
-    class Config:
-        """Pydantic config."""
-
-        extra = "forbid"
+    model_config = ConfigDict(extra="forbid")
 
     rule_title: str
     rule_description: str
@@ -52,4 +49,4 @@ class Finding(BaseModel):
 
     def to_dict(self) -> dict[str, Any]:
         """Convert the finding to a dictionary."""
-        return self.dict(exclude_none=True)
+        return self.model_dump(exclude_none=True)

soar_sdk/params.py

@@ -207,17 +207,24 @@ class OnESPollParams(Params):
         description="Start of time range, in epoch time (milliseconds).",
         required=False,
     )
-
     end_time: int = Param(
         description="End of time range, in epoch time (milliseconds).",
         required=False,
     )
-
     container_count: int = Param(
         description="Maximum number of container records to query for.",
         required=False,
     )
 
+    es_base_url: str = Param(
+        description="Base URL for the Splunk Enterprise Security API",
+        required=True,
+    )
+    es_session_key: str = Param(
+        description="Session token for the Splunk Enterprise Security API",
+        required=True,
+    )
+
 
 class MakeRequestParams(Params):
     """Canonical parameters for the special make request action."""

{splunk_soar_sdk-3.5.0.dist-info → splunk_soar_sdk-3.6.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: splunk-soar-sdk
-Version: 3.5.0
+Version: 3.6.0
 Summary: The official framework for developing and testing Splunk SOAR Apps
 Project-URL: Homepage, https://github.com/phantomcyber/splunk-soar-sdk
 Project-URL: Documentation, https://github.com/phantomcyber/splunk-soar-sdk
@@ -22,6 +22,8 @@ Requires-Dist: bleach>=6.2.0
 Requires-Dist: build>=1.3.0
 Requires-Dist: click<8.2.0,>=8.0.0
 Requires-Dist: distro>=1.8.0
+Requires-Dist: hatchling>=1.28.0
+Requires-Dist: httpx-retries>=0.4.5
 Requires-Dist: httpx>=0.28.1
 Requires-Dist: humanize>=4.12.2
 Requires-Dist: jinja2>=3.1.0

{splunk_soar_sdk-3.5.0.dist-info → splunk_soar_sdk-3.6.0.dist-info}/RECORD

@@ -1,7 +1,7 @@
 soar_sdk/__init__.py,sha256=RzAng-ARqpK01SY82lNy4uYJFVG0yW6Q3CccEqbToJ4,726
 soar_sdk/abstract.py,sha256=GycJhTrSNDa7eDg8hOD7hJjIt5eHEykZhpza-jh_Veo,7787
 soar_sdk/action_results.py,sha256=eL4qBj2nXDKurzs733z_nnpNREc0SLLYJP2lPTpMKf0,11911
-soar_sdk/actions_manager.py,sha256=DUCaNaKxI-nl-WBNb-fn7o4HyNV9-gF5jlQsfdQKY54,5820
+soar_sdk/actions_manager.py,sha256=jfTTa8Rq06GXpJ_UHCA0MFli5bLgYFbcjpgbAW-ZSKo,5684
 soar_sdk/app.py,sha256=1tPd1bFe9abSzNJCqAmw7sexeuSHwSKGdggyrPjkVQA,35122
 soar_sdk/app_cli_runner.py,sha256=K1ATWyGs0iNgPfIjMthsN72laOXqXCFZNEXfuzAMOM4,11645
 soar_sdk/app_client.py,sha256=hbe1R2QwXDmoS4959a-ay9oylD1Qk-oPJvJRnxvICz0,6281
@@ -11,11 +11,12 @@ soar_sdk/async_utils.py,sha256=Dz7RagIRjyIagA9vivHWSb18S96J2WOuDB8B5Zy64AE,1428
 soar_sdk/colors.py,sha256=--i_iXqfyITUz4O95HMjfZQGbwFZ34bLmBhtfpXXqlQ,1095
 soar_sdk/compat.py,sha256=N4bG1wqISICV92K1jLx7v5JGrHC08Bdn3Gx3Cx1lEmE,3062
 soar_sdk/crypto.py,sha256=qiBMHUQqgn5lPI1DbujSj700s89FuLJrkQgCO9_eBn4,392
+soar_sdk/es_client.py,sha256=U2NhPwGcciCfZM7ofBnfbkbHivna7rkTScwXwa39_bg,1204
 soar_sdk/exceptions.py,sha256=413-AcIM7IMixoyVk_0yDaqsUhommb784uH5vSv18lU,2129
 soar_sdk/field_utils.py,sha256=Jb0HteUPd-CtuDM7rNXVLy4uRxl419zeDxY_oOpU8GM,287
 soar_sdk/input_spec.py,sha256=vvmE8AWk2VFRgsvh-Bn1eIMDAHkV-1Y73_8xM_8qVZI,4678
 soar_sdk/logging.py,sha256=Y_5RLT1Z0UcRTxDZpwXwDae7ZtwOs91Hs-UU4UOiMuk,11425
-soar_sdk/params.py,sha256=IpBRYI5aNXesjU_vs7_YPFINeJEHWEpNc3p92D5F-0Q,10569
+soar_sdk/params.py,sha256=pvcQwzEJSSOM95RQ-JTfQrExzJMIKCKOVFdka6P9yYQ,10836
 soar_sdk/paths.py,sha256=XhpanQCAiTXaulRx440oKu36mnll7P05TethHXgMpgQ,239
 soar_sdk/py.typed,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 soar_sdk/types.py,sha256=wN-zV27IamDR67hj4QDqOWA04EVnJwcFhWOighMYEJc,616
@@ -24,6 +25,7 @@ soar_sdk/apis/artifact.py,sha256=d2-5U5DSBMpTYf8CJsd2y5rTaDjN3jMG8jDg9mbkRqU,471
 soar_sdk/apis/container.py,sha256=99Y6ZZaQR_wSFuy5824_Lpfa5z3pS9mCG62jbsXz4JU,8747
 soar_sdk/apis/utils.py,sha256=HQkfmaFixyIGXRrGKc7mYNHflYNopOxBM77KBEW9cvQ,958
 soar_sdk/apis/vault.py,sha256=m7xcu5xzPizrSM6sDUyhRNaJiCeKB1X7kPo2yZ9dco8,8519
+soar_sdk/apis/es/findings.py,sha256=02drgxFclcSfmwbpz1hxFTwKJZfwwsscAn41_BLB1e8,685
 soar_sdk/app_templates/basic_app/.gitignore,sha256=CwSrCn9YISq7Q2EJVc7o1kdkXqysZngGJfz-4pOMMdY,3517
 soar_sdk/app_templates/basic_app/.pre-commit-config.yaml,sha256=0sFjnoC-scXm80ZgA4TPyc6BN1VaF4eY9p8qwEchB38,2526
 soar_sdk/app_templates/basic_app/logo.svg,sha256=_JTop6spn5oPWPk-w6Tzumx_FTSBanOYra3vE2FO-6c,285
@@ -39,7 +41,7 @@ soar_sdk/cli/init/cli.py,sha256=HymS_a-5iNuYLI9FTSqboZt4lnrxXQmIaHqcSA0TBzw,1461
 soar_sdk/cli/manifests/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 soar_sdk/cli/manifests/cli.py,sha256=cly5xVdj4bBIdZVMQPIWTXRgUfd1ON3qKO-76Fwql18,524
 soar_sdk/cli/manifests/deserializers.py,sha256=kwgPAMgUEXtIn4AuQOh1nkLfWFqe4qnYPZ1czB-FQTU,16516
-soar_sdk/cli/manifests/processors.py,sha256=mX7ArmZDxb8ieZBXS933xVByXDN1kRnv7xuuQ0-lNKM,5061
+soar_sdk/cli/manifests/processors.py,sha256=soiRTbfLQuetstt1Xk7vKmWzOUhgVON5JxjWMvnGN7w,5141
 soar_sdk/cli/manifests/serializers.py,sha256=ulpq3nS8g1YrIP371XoQC3_kpz-9v2Ln_mqPyMtpWn8,3632
 soar_sdk/cli/package/cli.py,sha256=Vb6vdDszWLEOuBrAe4BLoxzdmr8luwA0_FbsvjjYhhM,9578
 soar_sdk/cli/package/utils.py,sha256=fl6PMcrdC2zA7A16byQuxxPyAI2Z-BqBLfLlF2ZNnQ4,1712
@@ -55,7 +57,7 @@ soar_sdk/code_renderers/templates/pyproject.toml.jinja,sha256=uH7SJhFD9_-kYzGHob
 soar_sdk/decorators/__init__.py,sha256=h-9GesqZRySCUNP-ktAzjVEW55e5W6l95NTBYKz6cQE,580
 soar_sdk/decorators/action.py,sha256=7NNHjq-8yZBkgcvOrCpVQftd9ecunNDc7iJQxnlgs9Y,6569
 soar_sdk/decorators/make_request.py,sha256=sKLbg5l3yXSryrxBiCl4uIDmVdnpyOhf1iBPwqQAfOM,5942
-soar_sdk/decorators/on_es_poll.py,sha256=SBWMdpoZ3L0XiiHTCzqhDUIbMhPFc67QkmNdMPhBHXU,9391
+soar_sdk/decorators/on_es_poll.py,sha256=27LdzjTIdIJej0_POEWBi5FCYBDGJ5C02p_iP7Bo3iU,7899
 soar_sdk/decorators/on_poll.py,sha256=2glXawGJcdbu1s5yaI-SSJtp0HGu60NWEaY1E9LX1uU,8229
 soar_sdk/decorators/test_connectivity.py,sha256=agoMP2-iFsfBUJH6_uc907o1duQVUlmC_Jgu4s-ou-Y,3563
 soar_sdk/decorators/view_handler.py,sha256=OOALnXJrLTAs_GsYUYSgKVjWrmVXWop4pH-56aCDjbY,7057
@@ -68,15 +70,15 @@ soar_sdk/extras/email/utils.py,sha256=njTYBCaVs2F3DlEHV2R1YSbVf5qJS86j6swHED6dAM
 soar_sdk/meta/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 soar_sdk/meta/actions.py,sha256=qOXFChYxOVTt1d0gBffyw8ahJ3E4w7GsVoD4yzJN8Vc,2189
 soar_sdk/meta/adapters.py,sha256=KjSYIUtkCz2eesA_vhsNCjfi5C-Uz71tbSuDIjhuB8U,1112
-soar_sdk/meta/app.py,sha256=eZlM8GIY1B_o-RzJrRNCNVEQSx0sFupxZqCM7sIWGv4,2777
+soar_sdk/meta/app.py,sha256=KbDiq1JgRiH4hudyKr95wMfcPN7YLyOkRjf4JIoFihs,2815
 soar_sdk/meta/datatypes.py,sha256=piR-oBVAATiRciXSdVE7XaqjUZTgSaOvTEqcOcNvCS0,795
-soar_sdk/meta/dependencies.py,sha256=xPZQjJVNTGbFTjJlevpcyCopbRZoSsm6vyHPTjhneAw,20443
+soar_sdk/meta/dependencies.py,sha256=1Jsdurc77zCMVSA_dePQfdNi2tpplnhuEnSnMs87Ibo,21949
 soar_sdk/meta/webhooks.py,sha256=ILKP9pNalKG9DLdNQNoDlu5KUnm0m7PyA2O0fbkqVrA,1217
 soar_sdk/models/__init__.py,sha256=YZVAcBguAlUsxAnBBL6jSguJEzf5PYCtdvbNyU1XfEU,380
 soar_sdk/models/artifact.py,sha256=G8hv9wPPoRgrAQzIf-YlCSjAlkHEcIPF389T1bo4yHw,1087
 soar_sdk/models/attachment_input.py,sha256=s2mkEsRVb52yqHtb4Q7FzC9j8A4-Q8W4wCDqMJQZ8cc,1043
 soar_sdk/models/container.py,sha256=Cnn-Grha8qUFHHBxLUcEvo81sC3z483oItJ4GhRiTmg,1528
-soar_sdk/models/finding.py,sha256=HRH94akM57jEyaybT5TydjWLP-c4F4T_opq3oTI8e9Q,1415
+soar_sdk/models/finding.py,sha256=Evga9Jrp3TfSVdAQlAkZ7UHDkUjaQYicYYY1S5bIruY,1404
 soar_sdk/models/vault_attachment.py,sha256=sdRnQdPiwgaZDojpap4ohH7u1Q5TYGP-drs8Ko4p_aU,1073
 soar_sdk/models/view.py,sha256=BUuz6VVVe78hg7irGgZCbvBcycOmuPqplkagdi3T4Dg,779
 soar_sdk/shims/phantom/action_result.py,sha256=Nddc9oswAfHU7I2q0pLm3HZ2YiLUQZUEIqqAjToZWnM,1606
@@ -108,8 +110,8 @@ soar_sdk/views/components/pie_chart.py,sha256=LVTeHVJN6nf2vjUs9y7PDBhS0U1fKW750l
 soar_sdk/webhooks/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 soar_sdk/webhooks/models.py,sha256=j3kbvYmcOlcj3gQYKtrv7iS-lDavMKYNLdCNMy_I2Hc,4542
 soar_sdk/webhooks/routing.py,sha256=OjezhuAb8wzW0MnbGSnIWeAH3uJcu-Sb7s3w9zoiPVM,6873
-splunk_soar_sdk-3.5.0.dist-info/METADATA,sha256=snxUdZt6O1aN7Kqyxg3i0szCCdTXRnh_r0LAYWZTsZo,7409
-splunk_soar_sdk-3.5.0.dist-info/WHEEL,sha256=WLgqFyCfm_KASv4WHyYy0P3pM_m7J5L9k2skdKLirC8,87
-splunk_soar_sdk-3.5.0.dist-info/entry_points.txt,sha256=CgBjo2ZWpYNkt9TgvToL26h2Tg1yt8FbvYTb5NVgNuc,51
-splunk_soar_sdk-3.5.0.dist-info/licenses/LICENSE,sha256=gNCGrGhrSQb1PUzBOByVUN1tvaliwLZfna-QU2r2hQ8,11345
-splunk_soar_sdk-3.5.0.dist-info/RECORD,,
+splunk_soar_sdk-3.6.0.dist-info/METADATA,sha256=B68IqabYE-9dIw_KGpE_UETtUF-W0rmTWt-gjYbHM7M,7478
+splunk_soar_sdk-3.6.0.dist-info/WHEEL,sha256=WLgqFyCfm_KASv4WHyYy0P3pM_m7J5L9k2skdKLirC8,87
+splunk_soar_sdk-3.6.0.dist-info/entry_points.txt,sha256=CgBjo2ZWpYNkt9TgvToL26h2Tg1yt8FbvYTb5NVgNuc,51
+splunk_soar_sdk-3.6.0.dist-info/licenses/LICENSE,sha256=gNCGrGhrSQb1PUzBOByVUN1tvaliwLZfna-QU2r2hQ8,11345
+splunk_soar_sdk-3.6.0.dist-info/RECORD,,