CheckPointSW
diff --git a/‎Packs/Core/Integrations/CortexCoreIR/CortexCoreIR.py‎
Lines changed: 225 additions & 0 deletions b/‎Packs/Core/Integrations/CortexCoreIR/CortexCoreIR.py‎
Lines changed: 225 additions & 0 deletions
diff --git a/‎Packs/Core/Integrations/CortexCoreIR/CortexCoreIR.yml‎
Lines changed: 20 additions & 1 deletion b/‎Packs/Core/Integrations/CortexCoreIR/CortexCoreIR.yml‎
Lines changed: 20 additions & 1 deletion
@@ -38,6 +38,17 @@
     "endpoint_name",
     "endpoint_status",
 ]
+ERROR_CODE_MAP = {
+    -199: "IP_BLOCK_DISABLED_BY_POLICY",
+    -198: "INVALID_IP_ADDRESS",
+    -197: "IP_ADDRESS_ALREADY_BLOCKED",
+    -196: "IP_ADDRESS_WHITELISTED",
+    -195: "IP_ADDRESS_NOT_BLOCKED",
+    -194: "IP_ADDRESS_NOT_BLOCKED_BUT_WHITELISTED",
+    -193: "IP_IS_LOOPBACK",
+    -192: "IPV6_BLOCKING_IS_DISABLED",
+    -191: "IP_IS_LOCAL_ADDRESS",
+}
 
 
 class Client(CoreClient):
@@ -87,6 +98,105 @@ def create_indicator_rule_request(self, request_data: Union[dict, str], suffix:
         )
         return reply
 
+    def _is_endpoint_connected(self, endpoint_id: str) -> bool:
+        """
+        Helper method to check if an endpoint is connected
+        """
+        endpoint_status = self.get_endpoints(endpoint_id_list=[endpoint_id], status="connected")
+        return bool(endpoint_status)
+
+    def block_ip_request(self, endpoint_id: str, ip_list: list[str], duration: int) -> list[dict[str, Any]]:
+        """
+        Block one or more IPs on a given endpoint and collect action IDs.
+        If endpoint disconnected/not exists the group id will be None.
+        Args:
+            endpoint_id (str): ID of the endpoint to apply the block.
+            ip_list (list[str]): IP addresses to block.
+            duration (int): Block duration in seconds.
+
+        Returns:
+            list[dict]: A list of action records, each containing:
+                - ip_address (str): The blocked IP.
+                - endpoint_id (str): The endpoint where the block was applied.
+                - group_id (str): ID of the block action for status polling.
+        """
+        results = []
+        if not self._is_endpoint_connected(endpoint_id):
+            demisto.debug(f"Cannot block ip list. Endpoint {endpoint_id} is not connected.")
+            return [{"ip_address": ip_address, "group_id": None, "endpoint_id": endpoint_id} for ip_address in ip_list]
+
+        for ip_address in ip_list:
+            demisto.debug(f"Blocking ip address: {ip_address}")
+            response = self._http_request(
+                method="POST",
+                headers=self._headers,
+                url_suffix="/endpoints/block_ip",
+                json_data={
+                    "request_data": {
+                        "addresses": [ip_address],
+                        "endpoint_id": endpoint_id,
+                        "direction": "both",
+                        "duration": duration,
+                    }
+                },
+            )
+            group_id = response.get("reply", {}).get("group_action_id")
+            demisto.debug(f"Block request for {ip_address} returned with group_id {group_id}")
+            results.append(
+                {
+                    "ip_address": ip_address,
+                    "group_id": group_id,
+                    "endpoint_id": endpoint_id,
+                }
+            )
+
+        return results
+
+    def fetch_block_status(self, group_id: int, endpoint_id: str) -> tuple[str, str]:
+        """
+        Check for status of blocking ip action.
+
+        Args:
+            group_id (int): The group id returned from the block request.
+            endpoint_id (str): The ID of the endpoint whose block status is being checked.
+
+        Returns:
+            tuple[str, str]:
+                - status: The returned status from the api.
+                - message: The returned error text.
+        """
+        if not self._is_endpoint_connected(endpoint_id) or not group_id:
+            demisto.debug(f"Cannot fetch status. Endpoint {endpoint_id} is not connected.")
+            return "Failure", "Endpoint Disconnected"
+
+        if group_id == "INVALID_IP":
+            return "Failure", "INVALID_IP"
+
+        reply = self.action_status_get(group_id)
+        status = reply.get("data", {}).get(endpoint_id)
+        error_reasons = reply.get("errorReasons", {})
+        if status == "FAILED":
+            reason = error_reasons.get(endpoint_id, {})
+            text = reason.get("errorText")
+
+            if not text and reason.get("errorData"):
+                try:
+                    payload = json.loads(reason["errorData"])
+                    text = payload.get("errorText")
+                except (ValueError, TypeError):
+                    text = reason["errorData"]
+
+            match = re.search(r"error code\s*(-?\d+)", text or "")
+            error_number = int(match.group(1)) if match else 0
+
+            demisto.debug(f"Error number {error_number}")
+            return "Failure", ERROR_CODE_MAP.get(error_number) or text or "Unknown error"
+
+        if status == "COMPLETED_SUCCESSFULLY":
+            return "Success", ""
+
+        return status or "Unknown", ""
+
     def get_contributing_event_by_alert_id(self, alert_id: int):
         """_summary_
 
@@ -583,6 +693,118 @@ def core_get_contributing_event_command(client: Client, args: Dict) -> CommandRe
     )
 
 
+def polling_block_ip_status(args, client) -> PollResult:
+    """
+    Check action status for each endpoint id and ip address.
+    Due limitation of the polling each time will check all combinations.
+    Will stop polling when all statuses of the requests are Success/Failure.
+
+    Args:
+        args (dict):
+            ip_list list[str]: IPs to block.
+            endpoint_list list[str]: Endpoint IDs.
+            duration (int, optional): Block time in seconds (default: 300).
+            blocked_list list[str]: Action IDs to poll.
+        client (Client): Integration client.
+    """
+    polling_queue = argToList(args.get("blocked_list", []))
+    demisto.debug(f"polling queue length:{len(polling_queue)}")
+
+    results = []
+    for polled_action in polling_queue:
+        demisto.debug(
+            f"Polled action: endpoint={polled_action['endpoint_id']}, "
+            f"group={polled_action['group_id']}, address={polled_action['ip_address']}"
+        )
+        status, message = client.fetch_block_status(polled_action["group_id"], polled_action["endpoint_id"])
+        demisto.debug(f"polled action status:{status}, with message:{message}")
+        if status == "Success":
+            results.append(
+                {"ip_address": polled_action["ip_address"], "endpoint_id": polled_action["endpoint_id"], "reason": "Success"}
+            )
+
+        elif status == "Failure":
+            results.append(
+                {
+                    "ip_address": polled_action["ip_address"],
+                    "endpoint_id": polled_action["endpoint_id"],
+                    "reason": f"{status}: {message}",
+                }
+            )
+
+        else:
+            demisto.debug("Polling continue")
+            return PollResult(
+                response=None,
+                partial_result=CommandResults(readable_output="Blocking in progress..."),
+                continue_to_poll=True,
+                args_for_next_run=args,
+            )
+
+    response = CommandResults(
+        readable_output=tableToMarkdown(
+            name="Results",
+            t=results,
+        ),
+        outputs_prefix="Core.ip_block_results",
+        outputs=results,
+    )
+
+    return PollResult(response=response, continue_to_poll=False, args_for_next_run=args)
+
+
+@polling_function("core-block-ip", interval=10, timeout=60, requires_polling_arg=False)
+def core_block_ip_command(args: dict, client: Client) -> PollResult:
+    """
+    Send block IP requests for each IP address on each endpoint.
+    Polls status of the requests until all status are Success/Failure or until timeout.
+
+    Args:
+        args (dict):
+            addresses list[str]: IPs to block.
+            endpoint_list list[str]: Endpoint IDs.
+            duration (int, optional): Block time in seconds (default: 300).
+            blocked_list list[dict]: list of dicts each holds 3 fields: ip_address, group_id, endpoint_id
+            for polling status of requests only.
+        client (Client): client.
+
+    Returns:
+        PollResult: Schedules or returns poll status/result.
+    """
+    if not args.get("blocked_list"):
+        # First call when no block ip request has done
+        ip_list = argToList(args.get("addresses", []))
+        endpoint_list = argToList(args.get("endpoint_list", []))
+        duration = arg_to_number(args.get("duration")) or 300
+
+        if duration <= 0 or duration >= 518400:
+            raise DemistoException("Duration must be greater than 0 and less than 518,400 minutes (approx 12 months).")
+
+        is_ip_list_valid(ip_list)
+
+        blocked_list = []
+
+        for endpoint_id in endpoint_list:
+            blocked_list.extend(client.block_ip_request(endpoint_id, ip_list, duration))
+        args_for_next_run = {"blocked_list": blocked_list, **args}
+        return polling_block_ip_status(args_for_next_run, client)
+    else:
+        # all other calls after the block ip requests sent
+        return polling_block_ip_status(args, client)
+
+
+def is_ip_list_valid(ip_list: list[str]):
+    """
+    Validates all the ip addresses.
+    Return error in case one of the inputs is invalid.
+    Args:
+        ip_list (list[str]): list of ip address to check.
+    """
+    for ip_address in ip_list:
+        if not is_ip_valid(ip_address) and not is_ipv6_valid(ip_address):
+            raise DemistoException(f"ip address {ip_address} is invalid")
+
+
 def main():  # pragma: no cover
     """
     Executes an integration command
@@ -976,6 +1198,9 @@ def main():  # pragma: no cover
         elif command == "core-get-contributing-event":
             return_results(core_get_contributing_event_command(client, args))
 
+        elif command == "core-block-ip":
+            return_results(core_block_ip_command(args, client))
+
         elif command in PREVALENCE_COMMANDS:
             return_results(handle_prevalence_command(client, command, args))
 
 
@@ -4286,11 +4286,30 @@ script:
     - contextPath: Core.ContributingEvent.events
       description: The contributing events.
       type: Unknown
+  - arguments:
+    - description: List of agent IDs that support the operation.
+      name: endpoint_list
+      required: true
+    - description: List of IPv6 or IPv4 addresses to be added to the blocklist.
+      name: addresses
+      required: true
+    - description: Number of minutes to block (Max 518,400). The default is 300.
+      name: duration
+    - description: The blocked IP address lists required for polling that are not visible to the user.
+      name: blocked_list
+      hidden: true
+    polling: true
+    name: core-block-ip
+    description: Block malicious or suspicious IP addresses.  
+    outputs:
+    - contextPath: Core.ip_block_results
+      description: List of Dictionaries, each containing ip_address, end_point, and reason (status and error message).
+      type: List
   runonce: false
   script: '-'
   subtype: python3
   type: python
-  dockerimage: demisto/google-cloud-storage:1.0.0.3708421
+  dockerimage: demisto/google-cloud-storage:1.0.0.4088897
 tests:
 - No tests
 supportsquickactions: true