demisto · DorZion51 · Jan 26, 2026 · Jan 28, 2026 · Jan 28, 2026 · Jan 28, 2026
diff --git a/Packs/CAS/.pack-ignore b/Packs/CAS/.pack-ignore
diff --git a/Packs/CAS/.secrets-ignore b/Packs/CAS/.secrets-ignore
diff --git a/Packs/CAS/AgentixActions/CreateIACAppsecRule.yml b/Packs/CAS/AgentixActions/CreateIACAppsecRule.yml
@@ -0,0 +1,116 @@
+commonfields:
+  id: CortexCreateIACAppsecRule
+  version: -1
+name: CortexCreateIACAppsecRule
+display: Cortex - Create Iac Appsec Rule 
+description: Creates a new IAC Application Security rule in Cortex Platform. An AppSec rule defines the specific criteria and scanners used to detect vulnerabilities or misconfigurations across your application lifecycle.
+category: Utilities
+requiresuserapproval: true
+fromversion: 8.14.0
+marketplaces:
+  - platform
+supportedModules:
+  - cloud
+  - cloud_posture
+  - cloud_runtime_security
+tags:
+  - Appsec
+  - Rules
+args:
+- name: rule_name
+  underlyingargname: rule_name
+  description: >
+    A unique name for the AppSec rule.
+  type: string
+  required: true
+  isgeneratable: true
+- name: description
+  underlyingargname: description
+  description: >
+    A descriptive summary of the rule's objective and expected outcomes.
+  type: string
+  required: true
+  isgeneratable: true
+- name: labels
+  underlyingargname: labels
+  description: >
+    A comma-separated list of rule labels to apply the rule to.
+  type: string
+  required: true
+  isgeneratable: true
+- name: severity
+  underlyingargname: severity
+  description: >
+    Defines the severity level for rule findings.
+    Options: CRITICAL, HIGH, MEDIUM, LOW.
+  type: string
+  required: true
+  isgeneratable: true
+- name: scanner
+  underlyingargname: scanner
+  description: >
+    The type of security scanner used to detect findings of this rule. 
+    Always set to IAC.
+  type: string
+  required: true
+  defaultvalue: "IAC"
+  isgeneratable: true
+- name: category
+  underlyingargname: category
+  description: >
+    Custom rule IAC category
+    Options: AI_ML, COMPUTE, IAM, KUBERNETES, LOGGING, MONITORING, NETWORKING, PUBLIC, STORAGE
+  type: string
+  required: true
+  isgeneratable: true
+- name: sub_category
+  underlyingargname: sub_category
+  description: >
+    Custom rule IAC sub_category
+    Options: 
+    if category is AI_ML: GUARDRAILS, RISKY_MODELS, PUBLIC_EXPOSURE, PERMISSIONS.
+    if category is COMPUTE: OVERPROVISIONED, STARTUP_SCRIPT_LEAKS, DEFAULT_CREDENTIALS_OR_AUTH, UNSANCTIONED_RESOURCE_OR_TYPE.
+    if category is IAM: OVERLY_PERMISSIVE, UNUSED, CREDENTIAL_EXPOSURE, MFA, ROLE_SEPARATION, SHARED, EXPIRED_KEY_CONTROLS, AUTHENTICATION_POLICIES.
+    if category is KUBERNETES: NETWORK_POLICIES, ACCESS_CONTROL, LOGGING_AND_MONITORING, RESOURCE_MANAGEMENT, NATIVE_SECURITY_CONTROLS, MANAGEMENT_SERVICES_EXPOSURE.
+    if category is LOGGING: ENCRYPTION, PERMISSIONS, RETENTION, FORMATS, DISABLED_OR_MISSING, PUBLIC_EXPOSURE, UNDER_USE.
+    if category is MONITORING: TAGS_AND_METADATA, RESOURCE_HEALTH, PERFORMANCE_MONITORING, ALERTING_AND_NOTIFICATIONS, UNINTEGRATED, STORAGE.
+    if category is NETWORKING: LOAD_BALANCING, INGRESS_CONTROLS, EGRESS_CONTROLS, ENCRYPTION_AND_PROTOCOLS, VPC_VCN_VNET, FLOW_LOGS.
+    if category is PUBLIC: ADMIN_INTERFACES, DATABASE_ENDPOINTS, STORAGE_BUCKETS, APIS, SENSITIVE_PORTS.
+    if category is STORAGE: ENCRYPTION, PERMISSIONS, BACKUPS, VERSIONING, REPLICATION, ALERTING, REDUNDANCY.
+  type: string
+  required: true
+  isgeneratable: true
+- name: frameworks
+  underlyingargname: frameworks
+  description: >
+    An array of JSON objects defining framework-specific rules.
+    Each object requires:
+    - 'name': Framework type (Options: ARM, BICEP, CLOUDFORMATION, KUBERNETES, TERRAFORM).
+    - 'remediationDescription': String explaining how to fix the violation.
+    - 'definition': A stringified YAML block. If missing, you MUST generate it based on the security goal using this structure:
+
+        scope:
+            provider: "String (alibaba_cloud|aws|azure|gcp|oci)" # Optional
+        definition:
+            [and|or|not]:
+                - cond_type: "attribute"
+                    resource_types: ["String"]
+                    attribute: "String"
+                    operator: "String"
+                    value: "String"
+
+    Example 'definition' string:
+    "scope:\n  provider: 'aws'\ndefinition:\n  or:\n      - cond_type: 'attribute'\n          resource_types: ['aws_instance']\n          attribute: 'instance_type'\n          operator: 'equals'\n          value: 't3.micro'"  
+  type: string
+  isgeneratable: true
+outputs:
+- name: Appsec.Rule.RULE_NAME
+  description: The name of the Rule.
+  type: string
+  underlyingoutputcontextpath: Appsec.Rule.RULE_NAME
+underlyingcontentitem:
+  id: CreateAppsecRule
+  name: CreateAppsecRule
+  type: script
+  version: -1
+  command: ""
diff --git a/Packs/CAS/AgentixActions/CreateSecretAppsecRule.yml b/Packs/CAS/AgentixActions/CreateSecretAppsecRule.yml
@@ -0,0 +1,91 @@
+commonfields:
+  id: CortexCreateSecretAppsecRule
+  version: -1
+name: CortexCreateSecretAppsecRule
+display: Cortex - Create Secret Appsec Rule 
+description: Creates a new Secret Application Security rule in Cortex Platform. An AppSec rule defines the specific criteria and scanners used to detect vulnerabilities or misconfigurations across your application lifecycle.
+category: Utilities
+requiresuserapproval: true
+fromversion: 8.14.0
+marketplaces:
+  - platform
+supportedModules:
+  - cloud
+  - cloud_posture
+  - cloud_runtime_security
+tags:
+  - Appsec
+  - Rules
+args:
+- name: rule_name
+  underlyingargname: rule_name
+  description: >
+    A unique name for the AppSec rule.
+  type: string
+  required: true
+  isgeneratable: true
+- name: description
+  underlyingargname: description
+  description: >
+    A descriptive summary of the rule's objective and expected outcomes.
+  type: string
+  required: true
+  isgeneratable: true
+- name: labels
+  underlyingargname: labels
+  description: >
+    A comma-separated list of rule labels to apply the rule to.
+  type: string
+  required: true
+  isgeneratable: true
+- name: severity
+  underlyingargname: severity
+  description: >
+    Defines the severity level for rule findings.
+    Options: CRITICAL, HIGH, MEDIUM, LOW.
+  type: string
+  required: true
+  isgeneratable: true
+- name: scanner
+  underlyingargname: scanner
+  description: >
+    The type of security scanner used to detect findings of this rule. 
+    Always set to SECRETS.
+  type: string
+  required: true
+  defaultvalue: "SECRETS"
+  isgeneratable: true
+- name: category
+  underlyingargname: category
+  description: >
+    Custom rule secret category
+    Options: API_KEYS, DATABASE_CREDENTIALS, ENCRYPTION_KEYS, CLOUD_SERVICE_PROVIDER_KEYS, SSH_KEYS, ENVIRONMENT_VARIABLES, SENSITIVE_TOKENS, THIRD_PARTY_SERVICES.
+  type: string
+  required: true
+  isgeneratable: true
+- name: frameworks
+  underlyingargname: frameworks
+  description: >
+    An array of JSON objects defining framework-specific rules.
+    Each object requires:
+    - 'name': Framework type (Options: GIT).
+    - 'remediationDescription': String explaining how to fix the violation.
+    - 'definition': A stringified YAML block. If missing, you MUST generate it based on the security goal using this structure:
+        definition:
+          cond_type: 'String'
+          value:     - "Regex String"
+    Example 'definition' string:
+    "definition:\n   cond_type: 'secrets'\n   value:\n     - '(?<![A-Za-z0-9])[AK][A-Z0-9]{20}(?![A-Za-z0-9])'"
+  type: string
+  isgeneratable: true
+outputs:
+- name: Appsec.Rule.RULE_NAME
+  description: The name of the Rule.
+  type: string
+  underlyingoutputcontextpath: Appsec.Rule.RULE_NAME
+underlyingcontentitem:
+  id: CreateAppsecRule
+  name: CreateAppsecRule
+  type: script
+  version: -1
+  command: ""
diff --git a/Packs/CAS/README.md b/Packs/CAS/README.md
@@ -0,0 +1,53 @@
+# CAS Pack Guide & Contribution Example
+
+## Contribution Flow - Overview
+
+This pack serves as an example for contributors on how to interact with the Cortex APIs without modifying the Core integration directly.
+
+### The Solution
+
+1. **Generic API Command**: A new command `core-generic-api-call` has been implemented.
+2. **Tenant-Specific Core**: An enhanced version of the Core integration (containing this command) is uploaded manually to the developer's tenant (it will not be merged to the main repository).
+3. **Isolated Pack**: Contributors write their scripts and actions in a dedicated pack (like this CAS pack).
+4. **Execution**: Instead of calling platform APIs directly, scripts in this pack use `demisto.executeCommand('core-generic-api-call', ...)` to perform API requests.
+
+---
+
+## How to Clone the Forked Repo
+
+To clone the forked repository, use the following command:
+
+```bash
+git clone https://github.com/mayyagoldman/content.git
+cd content
+```
+
+---
+
+## How to use demisto-sdk upload (Cortex Platform)
+
+### Overview
+
+Upload a content entity to Cortex.
+
+In order to run the command, `DEMISTO_BASE_URL` environment variable should contain the Cortex XSIAM instance URL, and `DEMISTO_API_KEY` environment variable should contain a valid Cortex XSIAM API Key.
+
+### Notes for Cortex XSIAM
+
+* **Cortex Base URL** should be retrieved from Settings -> Configurations -> API Keys -> Copy URL button in the top right corner.
+* **API key** should be of a standard security level, and have the Instance Administrator role.
+* To use the command the `XSIAM_AUTH_ID` environment variable **must** be set.
+
+### Configuration
+
+```bash
+export DEMISTO_BASE_URL=<YOUR_BASE_URL>
+export DEMISTO_API_KEY=<YOUR_API_KEY>
+export XSIAM_AUTH_ID=<THE_XSIAM_AUTH_ID>
+```
+
+### Uploading the CAS Pack
+
+```bash
+demisto-sdk upload --marketplace platform -i Packs/CAS
+```
diff --git a/Packs/CAS/Scripts/CreateAppsecRule/CreateAppsecRule.py b/Packs/CAS/Scripts/CreateAppsecRule/CreateAppsecRule.py
@@ -0,0 +1,108 @@
+import demistomock as demisto  # noqa: F401
+from CommonServerPython import *  # noqa: F401
+from datetime import datetime
+import json
+
+
+def main():
+    try:
+        """
+        Creates a new rule in Cortex Platform with defined conditions, scope, and triggers.
+        Args:
+            client: The Cortex Platform client instance.
+            args: Dictionary containing rule configuration parameters including:
+                - rule_name: Required name for the new rule
+                - description: Optional rule description
+                - severity: Required severity for the new rule
+                - labels: Optional labels to be assigned to the rule
+                - scanner: Required The type of security scanner used to detect findings of this rule IaC/secret
+                - category: Required Custom rule IaC/secret category
+                - subCategory: Required for IaC scanner only 
+                - frameworks: Required An array of JSON objects defining framework-specific rules. name , definition and remediationDescription
+
+        Returns:
+            CommandResults: Results object containing the created rule information with
+            readable output, outputs prefix, and raw response data.
+
+        Raises:
+            DemistoException: If rule name is missing.
+        """
+        args = demisto.args()
+
+        rule_name = args.get("rule_name")
+        severity = args.get("severity")
+        scanner = args.get("scanner")
+        category = args.get("category")
+        sub_category = args.get("sub_category")
+        frameworks = argToList(args.get("frameworks"))
+
+        if not rule_name:
+            raise DemistoException("Rule name is required.")
+
+        if not severity:
+            raise DemistoException("Severity is required.")
+
+        if not scanner:
+            raise DemistoException("Scanner is required.")
+
+        if not category:
+            raise DemistoException("Category is required.")
+
+        if scanner == 'IAC' and not sub_category:
+            raise DemistoException("Sub Category is required for IaC scanner.")
+
+        if len(frameworks) == 0 :
+            raise DemistoException("Frameworks is required.")
+
+        now = datetime.now()
+        date_time_str = now.strftime("%Y%m%d%H%M%S")
+
+        description = args.get("description", "")
+        labels = argToList(args.get("labels"))
+        payload = {
+            "name": rule_name+'-'+date_time_str,
+            "description": description,
+            "severity": severity,
+            "labels": labels,
+            "scanner": scanner,
+            "category": category,
+            "frameworks": frameworks,
+            "subCategory": sub_category # Might be None
+        }
+
+        # Remove any keys where the value is None
+        payload = {k: v for k, v in payload.items() if v is not None}
+
+        payload = json.dumps(payload)
+
+        res = demisto.executeCommand(
+            "core-generic-api-call",
+            {
+                "path": "/api/webapp/public_api/appsec/v1/rules",
+                "method": "POST",
+                "data": payload,
+                "headers":{"content-type": 'application/json'}
+            },
+        )
+
+        if is_error(res):
+            return_error(res)
+
+        else:
+            context = res[0]["EntryContext"]
+            data = context.get("data" , {})
+            data = json.loads(data)
+
+            return_results(
+                CommandResults(
+                    outputs_prefix="Appsec.Rule",
+                    outputs=data,
+                    raw_response=data,
+                )
+            )
+    except Exception as ex:
+        return_error(f"Failed to execute CreateAppsecRule. Error:\n{str(ex)}")
+
+
+if __name__ in ("__main__", "__builtin__", "builtins"):  # pragma: no cover
+    main()