From 04d6d2137c56748677d44e75044b11a0bf756721 Mon Sep 17 00:00:00 2001 From: Scott Brumley Date: Fri, 16 Jan 2026 10:57:28 -0500 Subject: [PATCH 01/49] - Update to Fix a playbook pointing at the old Foundation - Error Handling in the common playbooks --- ...SOC_Endpoint_Enrichment_-_Generic_v2.1.yml | 2367 +++++++++++++++++ 1 file changed, 2367 insertions(+) create mode 100644 Packs/soc-optimization-unified/Playbooks/SOC_Endpoint_Enrichment_-_Generic_v2.1.yml diff --git a/Packs/soc-optimization-unified/Playbooks/SOC_Endpoint_Enrichment_-_Generic_v2.1.yml b/Packs/soc-optimization-unified/Playbooks/SOC_Endpoint_Enrichment_-_Generic_v2.1.yml new file mode 100644 index 0000000..27f23fa --- /dev/null +++ b/Packs/soc-optimization-unified/Playbooks/SOC_Endpoint_Enrichment_-_Generic_v2.1.yml @@ -0,0 +1,2367 @@ +id: SOC Endpoint Enrichment - Generic v2.1 +version: 7 +contentitemexportablefields: + contentitemfields: + packID: soc-common-playbooks + packName: SOC Common Playbooks + itemVersion: 2.7.40 + fromServerVersion: 5.0.0 + toServerVersion: "" + definitionid: "" + prevname: "" + isoverridable: false + supportedModules: + - X1 + - X3 + - X5 + - ENT_PLUS + - agentix +vcShouldKeepItemLegacyProdMachine: false +name: SOC Endpoint Enrichment - Generic v2.1 +description: |- + Enrich an endpoint by hostname using one or more integrations. + Supported integrations: + - Active Directory Query v2 + - McAfee ePO v2 + - VMware Carbon Black EDR v2 + - Cylance Protect v2 + - CrowdStrike Falcon + - ExtraHop Reveal(x) + - Cortex XDR / Core (endpoint enrichment, reputation and risk) + - Endpoint reputation using !endpoint command. +tags: +- SOC +- SOC_Framework +starttaskid: "0" +tasks: + "0": + id: "0" + taskid: 29bcd70f-1953-4061-84ce-4cde781ad9f7 + type: start + task: + id: 29bcd70f-1953-4061-84ce-4cde781ad9f7 + version: -1 + name: "" + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "3" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 50, + "y": 80 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "1": + id: "1" + taskid: 54895e0d-9904-4e62-8f45-ebd0d17ad5c9 + type: title + task: + id: 54895e0d-9904-4e62-8f45-ebd0d17ad5c9 + version: -1 + name: Endpoint Products + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "16" + - "18" + - "20" + - "30" + - "40" + - "19" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1330, + "y": 410 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "3": + id: "3" + taskid: ddba13dd-92fc-47a3-8ffe-b849c626eb22 + type: condition + task: + id: ddba13dd-92fc-47a3-8ffe-b849c626eb22 + version: -1 + name: Is there an endpoint to enrich? + description: Checks whether there is at least one endpoint to enrich (by hostname). + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "4" + "yes": + - "24" + - "1" + - "35" + scriptarguments: + value: + simple: ${inputs.Hostname} + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: inputs.Hostname + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 50, + "y": 215 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "4": + id: "4" + taskid: ea90c16b-6985-4f28-816f-78608df3fe51 + type: title + task: + id: ea90c16b-6985-4f28-816f-78608df3fe51 + version: -1 + name: Done + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 50, + "y": 1115 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "8": + id: "8" + taskid: 9fa921fa-d196-40ba-8419-ed0c4f838ab8 + type: condition + task: + id: 9fa921fa-d196-40ba-8419-ed0c4f838ab8 + version: -1 + name: Is Carbon Black Enterprise Response enabled? + description: Checks if there is an active instance of the Carbon Black Enterprise + Response integration enabled. + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "4" + "yes": + - "9" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isEqualString + left: + value: + complex: + root: modules + filters: + - - operator: containsGeneral + left: + value: + simple: modules.brand + iscontext: true + right: + value: + simple: VMware Carbon Black EDR v2 + ignorecase: true + accessor: state + iscontext: true + right: + value: + simple: active + ignorecase: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 1220, + "y": 690 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "9": + id: "9" + taskid: 5e114375-db3d-4267-8f4d-0a411d4bb076 + type: regular + task: + id: 5e114375-db3d-4267-8f4d-0a411d4bb076 + version: -1 + name: Get host information from Carbon Black Enterprise Response + description: List the CarbonBlack sensors + script: '|||cb-edr-sensors-list' + type: regular + iscommand: true + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "4" + scriptarguments: + hostname: + complex: + root: inputs.Hostname + transformers: + - operator: uniq + id: + complex: + root: inputs.EndpointID + transformers: + - operator: uniq + ip: + complex: + root: inputs.IPAddress + transformers: + - operator: uniq + reputationcalc: 1 + separatecontext: false + continueonerror: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 1410, + "y": 860 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "10": + id: "10" + taskid: 42f088e2-cb74-485a-8318-0dae68cde0f0 + type: condition + task: + id: 42f088e2-cb74-485a-8318-0dae68cde0f0 + version: -1 + name: Is CrowdStrike Falcon enabled? + description: Checks if there is an active instance of the CrowdStrike Falcon + Host integration enabled. + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "4" + "yes": + - "38" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isEqualString + left: + value: + complex: + root: modules + filters: + - - operator: isEqualString + left: + value: + simple: modules.brand + iscontext: true + right: + value: + simple: CrowdstrikeFalcon + ignorecase: true + accessor: state + iscontext: true + right: + value: + simple: active + ignorecase: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 2350, + "y": 690 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "16": + id: "16" + taskid: d9d617d9-2efd-466e-8ce7-190f8db83b95 + type: title + task: + id: d9d617d9-2efd-466e-8ce7-190f8db83b95 + version: -1 + name: McAfee ePolicy Orchestrator + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "33" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 690, + "y": 550 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "18": + id: "18" + taskid: 6cf08862-644d-479e-89ce-f9e173a8c562 + type: title + task: + id: 6cf08862-644d-479e-89ce-f9e173a8c562 + version: -1 + name: Carbon Black Enterprise Response + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "8" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1220, + "y": 550 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "19": + id: "19" + taskid: 471d3862-a05c-42b1-871d-c1faa2fbb7a9 + type: title + task: + id: 471d3862-a05c-42b1-871d-c1faa2fbb7a9 + version: -1 + name: Cylance Protect v2 + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "48" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 270, + "y": 550 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "20": + id: "20" + taskid: 5d371f29-3a4c-43c5-8f71-b383db2e5320 + type: title + task: + id: 5d371f29-3a4c-43c5-8f71-b383db2e5320 + version: -1 + name: CrowdStrike Falcon + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "10" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 2300, + "y": 550 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "22": + id: "22" + taskid: f7f190b9-5a39-4d8a-83a5-77d5a023f0d4 + type: condition + task: + id: f7f190b9-5a39-4d8a-83a5-77d5a023f0d4 + version: -1 + name: Is Active Directory Query v2 enabled? + description: Checks if there is an active instance of the Active Directory Query + v2 integration enabled. + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "4" + "yes": + - "23" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isExists + left: + value: + complex: + root: modules + filters: + - - operator: isEqualString + left: + value: + simple: brand + iscontext: true + right: + value: + simple: Active Directory Query v2 + - - operator: isEqualString + left: + value: + simple: state + iscontext: true + right: + value: + simple: active + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": -180, + "y": 690 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "23": + id: "23" + taskid: 8da54a09-4c7e-4a26-a5eb-6fbe51fbf3f0 + type: regular + task: + id: 8da54a09-4c7e-4a26-a5eb-6fbe51fbf3f0 + version: -1 + name: Get host information from Active Directory + description: Retrieves detailed information about a computer account. The computer + can be specified by name, email address, or as an Active Directory Distinguished + Name (DN). If no filters are provided, all computers are returned. + script: '|||ad-get-computer' + type: regular + iscommand: true + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#error#': + - "49" + '#none#': + - "4" + scriptarguments: + name: + complex: + root: inputs.Hostname + transformers: + - operator: uniq + reputationcalc: 1 + separatecontext: false + continueonerror: true + continueonerrortype: errorPath + view: |- + { + "position": { + "x": -370, + "y": 860 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "24": + id: "24" + taskid: 9706cc39-d338-44cd-8ee1-efc5ea95b04d + type: title + task: + id: 9706cc39-d338-44cd-8ee1-efc5ea95b04d + version: -1 + name: Active Directory + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "22" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -180, + "y": 550 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "30": + id: "30" + taskid: ec344482-77f7-42b5-8ee4-34317afd1179 + type: title + task: + id: ec344482-77f7-42b5-8ee4-34317afd1179 + version: -1 + name: ExtraHop Reveal(x) + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "31" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1760, + "y": 550 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "31": + id: "31" + taskid: 58c8b4be-657c-45f6-8eca-5a01da85f1f3 + type: condition + task: + id: 58c8b4be-657c-45f6-8eca-5a01da85f1f3 + version: -1 + name: Is ExtraHop Reveal(x) enabled? + description: Checks if there is an active instance of the ExtraHop Reveal(x) + integration enabled. + scriptName: Exists + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "4" + "yes": + - "32" + scriptarguments: + value: + complex: + root: modules + filters: + - - operator: isEqualString + left: + value: + simple: brand + iscontext: true + right: + value: + simple: ExtraHop v2 + - - operator: isEqualString + left: + value: + simple: state + iscontext: true + right: + value: + simple: active + reputationcalc: 1 + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1760, + "y": 690 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "32": + id: "32" + taskid: 03a8e3c0-2469-41ee-97c8-b0c792be32ec + type: regular + task: + id: 03a8e3c0-2469-41ee-97c8-b0c792be32ec + version: -1 + name: Get host information from ExtraHop Reveal(x) + description: Search for devices in ExtraHop Reveal(x). + script: ExtraHop v2|||extrahop-devices-search + type: regular + iscommand: true + brand: ExtraHop v2 + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#error#': + - "49" + '#none#': + - "4" + scriptarguments: + ip: + complex: + root: inputs.IPAddress + transformers: + - operator: uniq + name: + complex: + root: inputs.Hostname + transformers: + - operator: uniq + separatecontext: false + continueonerror: true + continueonerrortype: errorPath + view: |- + { + "position": { + "x": 1950, + "y": 860 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "33": + id: "33" + taskid: bf7d9316-446b-452b-843a-3e5a13b8b741 + type: condition + task: + id: bf7d9316-446b-452b-843a-3e5a13b8b741 + version: -1 + name: is Mcafee ePolicy Orchestrator v2 enabled + description: Checks if there is an active Mcafee ePolicy Orchestrator v2 integration + instance enabled. + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "4" + "yes": + - "34" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isEqualString + left: + value: + complex: + root: modules + filters: + - - operator: isExists + left: + value: + simple: modules.brand + iscontext: true + - - operator: isEqualString + left: + value: + simple: modules.state + iscontext: true + right: + value: + simple: active + accessor: brand + iscontext: true + right: + value: + simple: McAfee ePO v2 + continueonerrortype: "" + view: |- + { + "position": { + "x": 680, + "y": 690 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "34": + id: "34" + taskid: 8e881985-e5e1-4aec-ac66-0cbc1186879d + type: regular + task: + id: 8e881985-e5e1-4aec-ac66-0cbc1186879d + version: -1 + name: Get- host information from McAfee ePO v2 + description: Finds systems in the McAfee ePO system tree. + script: '|||epo-find-system' + type: regular + iscommand: true + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#error#': + - "49" + '#none#': + - "4" + scriptarguments: + searchText: + complex: + root: inputs.Hostname + transformers: + - operator: uniq + verbose: + simple: "false" + separatecontext: false + continueonerror: true + continueonerrortype: errorPath + view: |- + { + "position": { + "x": 870, + "y": 860 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "35": + id: "35" + taskid: f2dbaff5-7c92-47ad-80cc-991bfd80ff98 + type: title + task: + id: f2dbaff5-7c92-47ad-80cc-991bfd80ff98 + version: -1 + name: Endpoint Reputation + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "36" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -730, + "y": 550 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "36": + id: "36" + taskid: 50fed99c-1eb9-4a6f-85d0-f9d5ee74bc5a + type: condition + task: + id: 50fed99c-1eb9-4a6f-85d0-f9d5ee74bc5a + version: -1 + name: Should use !endpoint command? + description: Check if should run endpoint reputation command + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "4" + "yes": + - "37" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.UseReputationCommand + iscontext: true + right: + value: + simple: "True" + ignorecase: true + continueonerrortype: "" + view: |- + { + "position": { + "x": -730, + "y": 690 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "37": + id: "37" + taskid: f8a264ea-5bb0-4a34-910b-7e0706f65f1f + type: regular + task: + id: f8a264ea-5bb0-4a34-910b-7e0706f65f1f + version: -1 + name: Check Reputation + description: Returns information about an endpoint. + script: '|||endpoint' + type: regular + iscommand: true + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#error#': + - "49" + '#none#': + - "4" + scriptarguments: + hostname: + complex: + root: inputs.Hostname + transformers: + - operator: uniq + id: + complex: + root: inputs.EndpointID + transformers: + - operator: uniq + ip: + complex: + root: inputs.IPAddress + transformers: + - operator: uniq + separatecontext: false + continueonerror: true + continueonerrortype: errorPath + view: |- + { + "position": { + "x": -920, + "y": 860 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "38": + id: "38" + taskid: 97c2d94e-2a74-48d9-9404-8049e310925c + type: regular + task: + id: 97c2d94e-2a74-48d9-9404-8049e310925c + version: -1 + name: Crowdstrike Search device + description: Searches for a device that matches the query. + script: CrowdstrikeFalcon|||cs-falcon-search-device + type: regular + iscommand: true + brand: CrowdstrikeFalcon + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#error#': + - "49" + '#none#': + - "4" + scriptarguments: + hostname: + complex: + root: inputs.Hostname + transformers: + - operator: uniq + ids: + complex: + root: inputs.EndpointID + transformers: + - operator: uniq + separatecontext: false + continueonerror: true + continueonerrortype: errorPath + view: |- + { + "position": { + "x": 2480, + "y": 860 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "39": + id: "39" + taskid: 284d5ea3-58c1-4a0f-87c4-5c395d75a65c + type: condition + task: + id: 284d5ea3-58c1-4a0f-87c4-5c395d75a65c + version: -1 + name: Is Cortex XDR enabled? + description: Checks if there is an active instance of the Cortex XDR integration + enabled. + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "4" + "yes": + - "41" + - "42" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isEqualString + left: + value: + complex: + root: modules + filters: + - - operator: isEqualString + left: + value: + simple: modules.brand + iscontext: true + right: + value: + simple: Cortex XDR - IR + ignorecase: true + accessor: state + iscontext: true + right: + value: + simple: active + ignorecase: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 2840, + "y": 690 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "40": + id: "40" + taskid: 12dd4de8-094d-4760-8284-22e212b5b76d + type: title + task: + id: 12dd4de8-094d-4760-8284-22e212b5b76d + version: -1 + name: Cortex XDR / Core IR + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "39" + - "43" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 3180, + "y": 550 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "41": + id: "41" + taskid: 28d5399e-9856-4c0e-ae6f-26790468a680 + type: regular + task: + id: 28d5399e-9856-4c0e-ae6f-26790468a680 + version: -1 + name: Cortex XDR Search device + description: Gets a list of endpoints, according to the passed filters. If there + are no filters, all endpoints are returned. Filtering by multiple fields will + be concatenated using AND condition (OR is not supported). Maximum result + set size is 100. Offset is the zero-based number of endpoint from the start + of the result set (start by counting from 0). + script: '|||xdr-get-endpoints' + type: regular + iscommand: true + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#error#': + - "49" + '#none#': + - "4" + scriptarguments: + endpoint_id_list: + complex: + root: inputs.EndpointID + transformers: + - operator: uniq + hostname: + complex: + root: inputs.Hostname + transformers: + - operator: uniq + ip_list: + complex: + root: inputs.IPAddress + transformers: + - operator: uniq + separatecontext: false + continueonerror: true + continueonerrortype: errorPath + view: |- + { + "position": { + "x": 3030, + "y": 860 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "42": + id: "42" + taskid: 00b0ba80-bdc5-4012-8238-334800df9bbd + type: regular + task: + id: 00b0ba80-bdc5-4012-8238-334800df9bbd + version: -1 + name: Cortex XDR get endpoint risk score + description: Retrieve the risk score of a specific host or list of hosts with + the highest risk score in the environment along with the reason affecting + each score. + script: '|||xdr-list-risky-hosts' + type: regular + iscommand: true + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#error#': + - "49" + '#none#': + - "4" + scriptarguments: + host_id: + complex: + root: inputs.Hostname + transformers: + - operator: uniq + separatecontext: false + continueonerror: true + continueonerrortype: errorPath + view: |- + { + "position": { + "x": 3420, + "y": 860 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "43": + id: "43" + taskid: adb8d36c-cdb3-4676-8d4a-da7fbc43188c + type: condition + task: + id: adb8d36c-cdb3-4676-8d4a-da7fbc43188c + version: -1 + name: Is Cortex Core - IR integration enabled? + description: Checks if there is an active instance of the Cortex Core integration + enabled. + scriptName: IsIntegrationAvailable + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "4" + "yes": + - "44" + - "45" + scriptarguments: + brandname: + simple: Cortex Core - IR + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 3780, + "y": 690 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "44": + id: "44" + taskid: 28ddac6d-c9fd-4997-9667-6bdd8538d69e + type: regular + task: + id: 28ddac6d-c9fd-4997-9667-6bdd8538d69e + version: -1 + name: Core IR Search device + description: Gets a list of endpoints, according to the passed filters. If there + are no filters, all endpoints are returned. Filtering by multiple fields will + be concatenated using AND condition (OR is not supported). Maximum result + set size is 100. Offset is the zero-based number of endpoint from the start + of the result set (start by counting from 0). + script: '|||core-get-endpoints' + type: regular + iscommand: true + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#error#': + - "49" + '#none#': + - "4" + scriptarguments: + endpoint_id_list: + complex: + root: inputs.EndpointID + transformers: + - operator: uniq + hostname: + complex: + root: inputs.Hostname + transformers: + - operator: uniq + ip_list: + complex: + root: inputs.IPAddress + transformers: + - operator: uniq + separatecontext: false + continueonerror: true + continueonerrortype: errorPath + view: |- + { + "position": { + "x": 3970, + "y": 860 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "45": + id: "45" + taskid: e24e0b83-679a-4e52-828f-b3637fedd2c1 + type: regular + task: + id: e24e0b83-679a-4e52-828f-b3637fedd2c1 + version: -1 + name: Core IR get endpoint risk score + description: Retrieve the risk score of a specific host or list of hosts with + the highest risk score in the environment along with the reason affecting + each score. + script: '|||core-list-risky-hosts' + type: regular + iscommand: true + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#error#': + - "49" + '#none#': + - "4" + scriptarguments: + host_id: + complex: + root: inputs.Hostname + transformers: + - operator: uniq + separatecontext: false + continueonerror: true + continueonerrortype: errorPath + view: |- + { + "position": { + "x": 4360, + "y": 860 + } + } + note: false + timertriggers: [] + ignoreworker: false + fieldMapping: + - incidentfield: Host Risk Level + output: + complex: + root: Core.RiskyHost + accessor: risk_level + - incidentfield: Host Risk Reasons + output: + complex: + root: Core.RiskyHost.reasons + accessor: description + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "48": + id: "48" + taskid: a311d42a-1d50-4464-8a6b-2babd00963a2 + type: playbook + task: + id: a311d42a-1d50-4464-8a6b-2babd00963a2 + version: -1 + name: SOC Endpoint Enrichment - Cylance Protect v2 + playbookName: SOC Endpoint Enrichment - Cylance Protect v2 + type: playbook + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "4" + separatecontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 270, + "y": 690 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "49": + id: "49" + taskid: 699918ad-f689-4054-8864-d2dae7a92fe5 + type: playbook + task: + id: 699918ad-f689-4054-8864-d2dae7a92fe5 + version: -1 + name: Foundation - Error Handling_V3 + playbookName: Foundation - Error Handling_V3 + type: playbook + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + separatecontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 790, + "y": 1200 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false +system: true +view: |- + { + "linkLabelsPosition": { + "10_4_#default#": 0.1, + "22_23_yes": 0.43, + "22_4_#default#": 0.2, + "31_32_yes": 0.64, + "31_4_#default#": 0.1, + "33_34_yes": 0.64, + "33_4_#default#": 0.1, + "34_49_#error#": 0.9, + "36_37_yes": 0.49, + "36_4_#default#": 0.1, + "38_49_#error#": 0.89, + "39_4_#default#": 0.1, + "3_1_yes": 0.3, + "3_24_yes": 0.41, + "3_4_#default#": 0.12, + "43_4_#default#": 0.1, + "8_4_#default#": 0.1, + "8_9_yes": 0.62 + }, + "paper": { + "dimensions": { + "height": 1195, + "width": 5660, + "x": -920, + "y": 80 + } + } + } +inputs: +- key: Hostname + value: + complex: + root: Endpoint + accessor: Hostname + transformers: + - operator: uniq + required: false + description: The hostname of the endpoint to enrich. + playbookInputQuery: null +- key: UseReputationCommand + value: + simple: "False" + required: true + description: |- + Define if you would like to use the !endpoint command. + Note: This input should be used whenever there is no auto-extract enabled in the investigation flow. + Possible values: True / False. + playbookInputQuery: null +- key: IPAddress + value: + complex: + root: Endpoint + accessor: IPAddress + transformers: + - operator: uniq + required: false + description: The IP address of the endpoint to enrich. + playbookInputQuery: null +- key: EndpointID + value: + complex: + root: Endpoint + accessor: ID + transformers: + - operator: uniq + required: false + description: The endpoint ID of the endpoint to enrich. + playbookInputQuery: null +inputSections: +- inputs: + - Hostname + - UseReputationCommand + - IPAddress + - EndpointID + name: General (Inputs group) + description: Generic group for inputs +outputSections: +- outputs: + - Endpoint + - Endpoint.Hostname + - Endpoint.OS + - Endpoint.IP + - Endpoint.MAC + - Endpoint.Domain + - CylanceProtectDevice + - ExtraHop.Device.Macaddr + - ExtraHop.Device.DeviceClass + - ExtraHop.Device.UserModTime + - ExtraHop.Device.AutoRole + - ExtraHop.Device.ParentId + - ExtraHop.Device.Vendor + - ExtraHop.Device.Analysis + - ExtraHop.Device.DiscoveryId + - ExtraHop.Device.DefaultName + - ExtraHop.Device.DisplayName + - ExtraHop.Device.OnWatchlist + - ExtraHop.Device.ModTime + - ExtraHop.Device.IsL3 + - ExtraHop.Device.Role + - ExtraHop.Device.DiscoverTime + - ExtraHop.Device.Id + - ExtraHop.Device.Ipaddr4 + - ExtraHop.Device.Vlanid + - ExtraHop.Device.Ipaddr6 + - ExtraHop.Device.NodeId + - ExtraHop.Device.Description + - ExtraHop.Device.DnsName + - ExtraHop.Device.DhcpName + - ExtraHop.Device.CdpName + - ExtraHop.Device.NetbiosName + - ExtraHop.Device.Url + - Endpoint.IPAddress + - Endpoint.ID + - Endpoint.Status + - Endpoint.IsIsolated + - Endpoint.MACAddress + - Endpoint.Vendor + - Endpoint.Relationships + - Endpoint.Processor + - Endpoint.Processors + - Endpoint.Memory + - Endpoint.Model + - Endpoint.BIOSVersion + - Endpoint.OSVersion + - Endpoint.DHCPServer + - McAfee.ePO.Endpoint + - Endpoint.Groups + - ActiveDirectory.ComputersPageCookie + - ActiveDirectory.Computers.dn + - ActiveDirectory.Computers.memberOf + - ActiveDirectory.Computers.name + - CrowdStrike.Device + - ActiveDirectory.Computers + - CarbonBlackEDR.Sensor.systemvolume_total_size + - CarbonBlackEDR.Sensor.emet_telemetry_path + - CarbonBlackEDR.Sensor.os_environment_display_string + - CarbonBlackEDR.Sensor.emet_version + - CarbonBlackEDR.Sensor.emet_dump_flags + - CarbonBlackEDR.Sensor.clock_delta + - CarbonBlackEDR.Sensor.supports_cblr + - CarbonBlackEDR.Sensor.sensor_uptime + - CarbonBlackEDR.Sensor.last_update + - CarbonBlackEDR.Sensor.physical_memory_size + - CarbonBlackEDR.Sensor.build_id + - CarbonBlackEDR.Sensor.uptime + - CarbonBlackEDR.Sensor.is_isolating + - CarbonBlackEDR.Sensor.event_log_flush_time + - CarbonBlackEDR.Sensor.computer_dns_name + - CarbonBlackEDR.Sensor.emet_report_setting + - CarbonBlackEDR.Sensor.id + - CarbonBlackEDR.Sensor.emet_process_count + - CarbonBlackEDR.Sensor.emet_is_gpo + - CarbonBlackEDR.Sensor.power_state + - CarbonBlackEDR.Sensor.network_isolation_enabled + - CarbonBlackEDR.Sensor.systemvolume_free_size + - CarbonBlackEDR.Sensor.status + - CarbonBlackEDR.Sensor.num_eventlog_bytes + - CarbonBlackEDR.Sensor.sensor_health_message + - CarbonBlackEDR.Sensor.build_version_string + - CarbonBlackEDR.Sensor.computer_sid + - CarbonBlackEDR.Sensor.next_checkin_time + - CarbonBlackEDR.Sensor.node_id + - CarbonBlackEDR.Sensor.cookie + - CarbonBlackEDR.Sensor.emet_exploit_action + - CarbonBlackEDR.Sensor.computer_name + - CarbonBlackEDR.Sensor.license_expiration + - CarbonBlackEDR.Sensor.supports_isolation + - CarbonBlackEDR.Sensor.parity_host_id + - CarbonBlackEDR.Sensor.supports_2nd_gen_modloads + - CarbonBlackEDR.Sensor.network_adapters + - CarbonBlackEDR.Sensor.sensor_health_status + - CarbonBlackEDR.Sensor.registration_time + - CarbonBlackEDR.Sensor.restart_queued + - CarbonBlackEDR.Sensor.notes + - CarbonBlackEDR.Sensor.num_storefiles_bytes + - CarbonBlackEDR.Sensor.os_environment_id + - CarbonBlackEDR.Sensor.shard_id + - CarbonBlackEDR.Sensor.boot_id + - CarbonBlackEDR.Sensor.last_checkin_time + - CarbonBlackEDR.Sensor.os_type + - CarbonBlackEDR.Sensor.group_id + - CarbonBlackEDR.Sensor.uninstall + - PaloAltoNetworksXDR.Endpoint + - PaloAltoNetworksXDR.Endpoint.endpoint_id + - PaloAltoNetworksXDR.Endpoint.endpoint_name + - PaloAltoNetworksXDR.Endpoint.endpoint_type + - PaloAltoNetworksXDR.Endpoint.endpoint_status + - PaloAltoNetworksXDR.Endpoint.os_type + - PaloAltoNetworksXDR.Endpoint.ip + - PaloAltoNetworksXDR.Endpoint.users + - PaloAltoNetworksXDR.Endpoint.domain + - PaloAltoNetworksXDR.Endpoint.alias + - PaloAltoNetworksXDR.Endpoint.first_seen + - PaloAltoNetworksXDR.Endpoint.last_seen + - PaloAltoNetworksXDR.Endpoint.content_version + - PaloAltoNetworksXDR.Endpoint.installation_package + - PaloAltoNetworksXDR.Endpoint.active_directory + - PaloAltoNetworksXDR.Endpoint.install_date + - PaloAltoNetworksXDR.Endpoint.endpoint_version + - PaloAltoNetworksXDR.Endpoint.is_isolated + - PaloAltoNetworksXDR.Endpoint.group_name + - PaloAltoNetworksXDR.Endpoint.count + - Account + - Account.Username + - Account.Domain + - PaloAltoNetworksXDR.RiskyHost + - PaloAltoNetworksXDR.RiskyHost.type + - PaloAltoNetworksXDR.RiskyHost.id + - PaloAltoNetworksXDR.RiskyHost.score + - PaloAltoNetworksXDR.RiskyHost.reasons + - PaloAltoNetworksXDR.RiskyHost.reasons.date created + - PaloAltoNetworksXDR.RiskyHost.reasons.description + - PaloAltoNetworksXDR.RiskyHost.reasons.severity + - PaloAltoNetworksXDR.RiskyHost.reasons.status + - PaloAltoNetworksXDR.RiskyHost.reasons.points + - Core.Endpoint + - Core.Endpoint.endpoint_id + - Core.Endpoint.endpoint_name + - Core.Endpoint.endpoint_type + - Core.Endpoint.endpoint_status + - Core.Endpoint.os_type + - Core.Endpoint.ip + - Core.Endpoint.users + - Core.Endpoint.domain + - Core.Endpoint.alias + - Core.Endpoint.first_seen + - Core.Endpoint.last_seen + - Core.Endpoint.content_version + - Core.Endpoint.installation_package + - Core.Endpoint.active_directory + - Core.Endpoint.install_date + - Core.Endpoint.endpoint_version + - Core.Endpoint.is_isolated + - Core.Endpoint.group_name + - Core.RiskyHost + - Core.RiskyHost.type + - Core.RiskyHost.id + - Core.RiskyHost.score + - Core.RiskyHost.reasons + - Core.RiskyHost.reasons.date created + - Core.RiskyHost.reasons.description + - Core.RiskyHost.reasons.severity + - Core.RiskyHost.reasons.status + - Core.RiskyHost.reasons.points + - McAfee.ePO.Endpoint.ParentID + - McAfee.ePO.Endpoint.ComputerName + - McAfee.ePO.Endpoint.Description + - McAfee.ePO.Endpoint.SystemDescription + - McAfee.ePO.Endpoint.TimeZone + - McAfee.ePO.Endpoint.DefaultLangID + - McAfee.ePO.Endpoint.UserName + - McAfee.ePO.Endpoint.Domain + - McAfee.ePO.Endpoint.Hostname + - McAfee.ePO.Endpoint.IPV6 + - McAfee.ePO.Endpoint.IPAddress + - McAfee.ePO.Endpoint.IPSubnet + - McAfee.ePO.Endpoint.IPSubnetMask + - McAfee.ePO.Endpoint.IPV4x + - McAfee.ePO.Endpoint.IPXAddress + - McAfee.ePO.Endpoint.SubnetAddress + - McAfee.ePO.Endpoint.SubnetMask + - McAfee.ePO.Endpoint.NetAddress + - McAfee.ePO.Endpoint.OSType + - McAfee.ePO.Endpoint.OSVersion + - McAfee.ePO.Endpoint.OSServicePackVer + - McAfee.ePO.Endpoint.OSBuildNum + - McAfee.ePO.Endpoint.OSPlatform + - McAfee.ePO.Endpoint.OSOEMID + - McAfee.ePO.Endpoint.Processor + - McAfee.ePO.Endpoint.CPUSpeed + - McAfee.ePO.Endpoint.Processors + - McAfee.ePO.Endpoint.CPUSerialNum + - McAfee.ePO.Endpoint.Memory + - McAfee.ePO.Endpoint.FreeMemory + - McAfee.ePO.Endpoint.FreeDiskSpace + - McAfee.ePO.Endpoint.TotalDiskSpace + - McAfee.ePO.Endpoint.UserProperty1 + - McAfee.ePO.Endpoint.UserProperty2 + - McAfee.ePO.Endpoint.UserProperty3 + - McAfee.ePO.Endpoint.UserProperty4 + - McAfee.ePO.Endpoint.SysvolFreeSpace + - McAfee.ePO.Endpoint.SysvolTotalSpace + - McAfee.ePO.Endpoint.Tags + - McAfee.ePO.Endpoint.ExcludedTags + - McAfee.ePO.Endpoint.LastUpdate + - McAfee.ePO.Endpoint.ManagedState + - McAfee.ePO.Endpoint.AgentGUID + - McAfee.ePO.Endpoint.AgentVersion + - McAfee.ePO.Endpoint.AutoID + - CrowdStrike.Device.ID + - CrowdStrike.Device.LocalIP + - CrowdStrike.Device.ExternalIP + - CrowdStrike.Device.Hostname + - CrowdStrike.Device.OS + - CrowdStrike.Device.MacAddress + - CrowdStrike.Device.FirstSeen + - CrowdStrike.Device.LastSeen + - CrowdStrike.Device.PolicyType + - CrowdStrike.Device.Status + name: General (Outputs group) + description: Generic group for outputs +outputs: +- contextPath: Endpoint + description: The endpoint object of the endpoint that was enriched. + type: string +- contextPath: Endpoint.Hostname + description: The hostnames of the endpoints that were enriched. + type: string +- contextPath: Endpoint.OS + description: The operating systems running on the endpoints that were enriched. + type: string +- contextPath: Endpoint.IP + description: A list of the IP addresses of the endpoints. + type: string +- contextPath: Endpoint.MAC + description: A list of the MAC addresses of the endpoints that were enriched. + type: string +- contextPath: Endpoint.Domain + description: The domain names of the endpoints that were enriched. + type: string +- contextPath: CylanceProtectDevice + description: The device information about the hostname that was enriched using Cylance + Protect v2. + type: string +- contextPath: ExtraHop.Device.Macaddr + description: The MAC Address of the device. + type: String +- contextPath: ExtraHop.Device.DeviceClass + description: The class of the device. + type: String +- contextPath: ExtraHop.Device.UserModTime + description: The time of the most recent update, expressed in milliseconds since + the epoch. + type: Number +- contextPath: ExtraHop.Device.AutoRole + description: The role automatically detected by the ExtraHop. + type: String +- contextPath: ExtraHop.Device.ParentId + description: The ID of the parent device. + type: Number +- contextPath: ExtraHop.Device.Vendor + description: The device vendor. + type: String +- contextPath: ExtraHop.Device.Analysis + description: The level of analysis preformed on the device. + type: string +- contextPath: ExtraHop.Device.DiscoveryId + description: The UUID given by the Discover appliance. + type: String +- contextPath: ExtraHop.Device.DefaultName + description: The default name of the device. + type: String +- contextPath: ExtraHop.Device.DisplayName + description: The display name of device. + type: String +- contextPath: ExtraHop.Device.OnWatchlist + description: Whether the device is on the advanced analysis allow list. + type: Boolean +- contextPath: ExtraHop.Device.ModTime + description: The time of the most recent update, expressed in milliseconds since + the epoch. + type: Number +- contextPath: ExtraHop.Device.IsL3 + description: Indicates whether the device is a Layer 3 device. + type: Boolean +- contextPath: ExtraHop.Device.Role + description: The role of the device. + type: String +- contextPath: ExtraHop.Device.DiscoverTime + description: The time that the device was discovered. + type: Number +- contextPath: ExtraHop.Device.Id + description: The ID of the device. + type: Number +- contextPath: ExtraHop.Device.Ipaddr4 + description: The IPv4 address of the device. + type: String +- contextPath: ExtraHop.Device.Vlanid + description: The ID of VLan. + type: Number +- contextPath: ExtraHop.Device.Ipaddr6 + description: The IPv6 address of the device. + type: string +- contextPath: ExtraHop.Device.NodeId + description: The Node ID of the Discover appliance. + type: number +- contextPath: ExtraHop.Device.Description + description: A user customizable description of the device. + type: string +- contextPath: ExtraHop.Device.DnsName + description: The DNS name associated with the device. + type: string +- contextPath: ExtraHop.Device.DhcpName + description: The DHCP name associated with the device. + type: string +- contextPath: ExtraHop.Device.CdpName + description: The Cisco Discovery Protocol name associated with the device. + type: string +- contextPath: ExtraHop.Device.NetbiosName + description: The NetBIOS name associated with the device. + type: string +- contextPath: ExtraHop.Device.Url + description: Link to the device details page in ExtraHop. + type: string +- contextPath: Endpoint.IPAddress + description: The endpoint IP address or list of IP addresses. + type: string +- contextPath: Endpoint.ID + description: The endpoint ID. + type: string +- contextPath: Endpoint.Status + description: The endpoint status. + type: string +- contextPath: Endpoint.IsIsolated + description: The endpoint isolation status. + type: string +- contextPath: Endpoint.MACAddress + description: The endpoint MAC address. + type: string +- contextPath: Endpoint.Vendor + description: The integration name of the endpoint vendor. + type: string +- contextPath: Endpoint.Relationships + description: The endpoint relationships of the endpoint that was enriched. + type: string +- contextPath: Endpoint.Processor + description: The model of the processor. + type: string +- contextPath: Endpoint.Processors + description: The number of processors. + type: string +- contextPath: Endpoint.Memory + description: Memory on this endpoint. + type: string +- contextPath: Endpoint.Model + description: The model of the machine or device. + type: string +- contextPath: Endpoint.BIOSVersion + description: The endpoint's BIOS version. + type: string +- contextPath: Endpoint.OSVersion + description: The endpoint's operation system version. + type: string +- contextPath: Endpoint.DHCPServer + description: The DHCP server of the endpoint. + type: string +- contextPath: McAfee.ePO.Endpoint + description: The endpoint that was enriched. + type: string +- contextPath: Endpoint.Groups + description: Groups for which the computer is listed as a member. + type: string +- contextPath: ActiveDirectory.ComputersPageCookie + description: An opaque string received in a paged search, used for requesting subsequent + entries. + type: string +- contextPath: ActiveDirectory.Computers.dn + description: The computer distinguished name. + type: string +- contextPath: ActiveDirectory.Computers.memberOf + description: Groups for which the computer is listed. + type: string +- contextPath: ActiveDirectory.Computers.name + description: The computer name. + type: string +- contextPath: CrowdStrike.Device + description: The information about the endpoint. + type: string +- contextPath: ActiveDirectory.Computers + description: The information about the hostname that was enriched using Active Directory. + type: string +- contextPath: CarbonBlackEDR.Sensor.systemvolume_total_size + description: The size, in bytes, of the system volume of the endpoint on which the + sensor is installed. installed. + type: number +- contextPath: CarbonBlackEDR.Sensor.emet_telemetry_path + description: The path of the EMET telemetry associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.os_environment_display_string + description: Human-readable string of the installed OS. + type: string +- contextPath: CarbonBlackEDR.Sensor.emet_version + description: The EMET version associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.emet_dump_flags + description: The flags of the EMET dump associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.clock_delta + description: The clock delta associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.supports_cblr + description: Whether the sensor supports Carbon Black Live Response (CbLR). + type: string +- contextPath: CarbonBlackEDR.Sensor.sensor_uptime + description: The uptime of the process. + type: string +- contextPath: CarbonBlackEDR.Sensor.last_update + description: When the sensor was last updated. + type: string +- contextPath: CarbonBlackEDR.Sensor.physical_memory_size + description: The size in bytes of physical memory. + type: number +- contextPath: CarbonBlackEDR.Sensor.build_id + description: The sensor version installed on this endpoint. From the /api/builds/ + endpoint. + type: string +- contextPath: CarbonBlackEDR.Sensor.uptime + description: Endpoint uptime in seconds. + type: string +- contextPath: CarbonBlackEDR.Sensor.is_isolating + description: Boolean representing sensor-reported isolation status. + type: boolean +- contextPath: CarbonBlackEDR.Sensor.event_log_flush_time + description: |- + If event_log_flush_time is set, the server will instruct the sensor to immediately + send all data before this date, ignoring all other throttling mechanisms. + To force a host current, set this value to a value far in the future. + When the sensor has finished sending its queued data, this value will be null. + type: string +- contextPath: CarbonBlackEDR.Sensor.computer_dns_name + description: The DNS name of the endpoint on which the sensor is installed. + type: string +- contextPath: CarbonBlackEDR.Sensor.emet_report_setting + description: The report setting of the EMET associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.id + description: The ID of this sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.emet_process_count + description: The number of EMET processes associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.emet_is_gpo + description: Whether the EMET is a GPO. + type: string +- contextPath: CarbonBlackEDR.Sensor.power_state + description: The sensor power state. + type: string +- contextPath: CarbonBlackEDR.Sensor.network_isolation_enabled + description: Boolean representing the network isolation request status. + type: boolean +- contextPath: CarbonBlackEDR.Sensor.systemvolume_free_size + description: The amount of free bytes on the system volume. + type: string +- contextPath: CarbonBlackEDR.Sensor.status + description: The sensor status. + type: string +- contextPath: CarbonBlackEDR.Sensor.num_eventlog_bytes + description: The number of event log bytes. + type: number +- contextPath: CarbonBlackEDR.Sensor.sensor_health_message + description: Human-readable string indicating the sensor’s self-reported status. + type: string +- contextPath: CarbonBlackEDR.Sensor.build_version_string + description: Human-readable string of the sensor version. + type: string +- contextPath: CarbonBlackEDR.Sensor.computer_sid + description: Machine SID of this host. + type: string +- contextPath: CarbonBlackEDR.Sensor.next_checkin_time + description: Next expected communication from this computer in server-local time + and zone. + type: string +- contextPath: CarbonBlackEDR.Sensor.node_id + description: The node ID associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.cookie + description: The cookie associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.emet_exploit_action + description: The EMET exploit action associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.computer_name + description: NetBIOS name of this computer. + type: string +- contextPath: CarbonBlackEDR.Sensor.license_expiration + description: When the license of the sensor expires. + type: string +- contextPath: CarbonBlackEDR.Sensor.supports_isolation + description: Whether the sensor supports isolation. + type: string +- contextPath: CarbonBlackEDR.Sensor.parity_host_id + description: The ID of the parity host associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.supports_2nd_gen_modloads + description: Whether the sensor support modload of 2nd generation. + type: string +- contextPath: CarbonBlackEDR.Sensor.network_adapters + description: A pipe-delimited list of IP,MAC pairs for each network interface. + type: string +- contextPath: CarbonBlackEDR.Sensor.sensor_health_status + description: Self-reported health score, from 0 to 100. Higher numbers indicate + a better health status. + type: string +- contextPath: CarbonBlackEDR.Sensor.registration_time + description: Time this sensor was originally registered in server-local time and + zone. + type: string +- contextPath: CarbonBlackEDR.Sensor.restart_queued + description: Whether a restart of the sensor is queued. + type: string +- contextPath: CarbonBlackEDR.Sensor.notes + description: The notes associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.num_storefiles_bytes + description: Number of storefiles bytes associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.os_environment_id + description: The ID of the OS environment of the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.shard_id + description: The ID of the shard associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.boot_id + description: A sequential counter of boots since the sensor was installed. + type: string +- contextPath: CarbonBlackEDR.Sensor.last_checkin_time + description: Last communication with this computer in server-local time and zone. + type: string +- contextPath: CarbonBlackEDR.Sensor.os_type + description: The operating system type of the computer. + type: string +- contextPath: CarbonBlackEDR.Sensor.group_id + description: The sensor group ID this sensor is assigned to. + type: string +- contextPath: CarbonBlackEDR.Sensor.uninstall + description: When set, indicates that the sensor will be directed to uninstall on + next check-in. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint + description: The endpoint object of the endpoint that was enriched. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.endpoint_id + description: The endpoint ID. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.endpoint_name + description: The endpoint name. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.endpoint_type + description: The endpoint type. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.endpoint_status + description: The status of the endpoint. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.os_type + description: The endpoint OS type. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.ip + description: A list of IP addresses. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.users + description: A list of users. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.domain + description: The endpoint domain. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.alias + description: The endpoint's aliases. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.first_seen + description: First seen date/time in Epoch (milliseconds). + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.last_seen + description: Last seen date/time in Epoch (milliseconds). + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.content_version + description: Content version. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.installation_package + description: Installation package. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.active_directory + description: Active directory. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.install_date + description: Install date in Epoch (milliseconds). + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.endpoint_version + description: Endpoint version. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.is_isolated + description: Whether the endpoint is isolated. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.group_name + description: The name of the group to which the endpoint belongs. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.count + description: Number of endpoints returned. + type: number +- contextPath: Account + description: The account object of the endpoint that was enriched. + type: string +- contextPath: Account.Username + description: The username in the relevant system. + type: string +- contextPath: Account.Domain + description: The domain of the account. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyHost + description: The endpoint object. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyHost.type + description: Form of identification element. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyHost.id + description: Identification value of the type field. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyHost.score + description: The score assigned to the host. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyHost.reasons + description: The endpoint risk objects. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyHost.reasons.date created + description: Date when the incident was created. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyHost.reasons.description + description: Description of the incident. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyHost.reasons.severity + description: The severity of the incident. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyHost.reasons.status + description: The incident status. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyHost.reasons.points + description: The score. + type: string +- contextPath: Core.Endpoint + description: The endpoint object. + type: unknown +- contextPath: Core.Endpoint.endpoint_id + description: The endpoint ID. +- contextPath: Core.Endpoint.endpoint_name + description: The endpoint name. +- contextPath: Core.Endpoint.endpoint_type + description: The endpoint type. +- contextPath: Core.Endpoint.endpoint_status + description: The status of the endpoint. +- contextPath: Core.Endpoint.os_type + description: The endpoint OS type. +- contextPath: Core.Endpoint.ip + description: A list of IP addresses. +- contextPath: Core.Endpoint.users + description: A list of users. +- contextPath: Core.Endpoint.domain + description: The endpoint domain. +- contextPath: Core.Endpoint.alias + description: The endpoint's aliases. +- contextPath: Core.Endpoint.first_seen + description: First seen date/time in Epoch (milliseconds). +- contextPath: Core.Endpoint.last_seen + description: Last seen date/time in Epoch (milliseconds). +- contextPath: Core.Endpoint.content_version + description: Content version. +- contextPath: Core.Endpoint.installation_package + description: Installation package. +- contextPath: Core.Endpoint.active_directory + description: Active directory. +- contextPath: Core.Endpoint.install_date + description: Install date in Epoch (milliseconds). +- contextPath: Core.Endpoint.endpoint_version + description: Endpoint version. +- contextPath: Core.Endpoint.is_isolated + description: Whether the endpoint is isolated. +- contextPath: Core.Endpoint.group_name + description: The name of the group to which the endpoint belongs. +- contextPath: Core.RiskyHost + description: The risky host object. + type: unknown +- contextPath: Core.RiskyHost.type + description: Form of identification element. +- contextPath: Core.RiskyHost.id + description: Identification value of the type field. +- contextPath: Core.RiskyHost.score + description: The score assigned to the host. +- contextPath: Core.RiskyHost.reasons + description: The reasons for the risk level. + type: unknown +- contextPath: Core.RiskyHost.reasons.date created + description: Date when the incident was created. +- contextPath: Core.RiskyHost.reasons.description + description: Description of the incident. +- contextPath: Core.RiskyHost.reasons.severity + description: The severity of the incident. +- contextPath: Core.RiskyHost.reasons.status + description: The incident status. +- contextPath: Core.RiskyHost.reasons.points + description: The score. +- contextPath: McAfee.ePO.Endpoint.ParentID + description: Endpoint parent ID. +- contextPath: McAfee.ePO.Endpoint.ComputerName + description: Endpoint computer name. +- contextPath: McAfee.ePO.Endpoint.Description + description: Endpoint description. +- contextPath: McAfee.ePO.Endpoint.SystemDescription + description: Endpoint system description. +- contextPath: McAfee.ePO.Endpoint.TimeZone + description: Endpoint time zone. +- contextPath: McAfee.ePO.Endpoint.DefaultLangID + description: Endpoint default language ID. +- contextPath: McAfee.ePO.Endpoint.UserName + description: Endpoint username. +- contextPath: McAfee.ePO.Endpoint.Domain + description: Endpoint domain name. +- contextPath: McAfee.ePO.Endpoint.Hostname + description: Endpoint IP host name. +- contextPath: McAfee.ePO.Endpoint.IPV6 + description: Endpoint IPv6 address. +- contextPath: McAfee.ePO.Endpoint.IPAddress + description: Endpoint IP address. +- contextPath: McAfee.ePO.Endpoint.IPSubnet + description: Endpoint IP subnet. +- contextPath: McAfee.ePO.Endpoint.IPSubnetMask + description: Endpoint IP subnet mask. +- contextPath: McAfee.ePO.Endpoint.IPV4x + description: Endpoint IPV4x address. +- contextPath: McAfee.ePO.Endpoint.IPXAddress + description: Endpoint IPX address. +- contextPath: McAfee.ePO.Endpoint.SubnetAddress + description: Endpoint subnet address. +- contextPath: McAfee.ePO.Endpoint.SubnetMask + description: Endpoint subnet mask. +- contextPath: McAfee.ePO.Endpoint.NetAddress + description: Endpoint net address. +- contextPath: McAfee.ePO.Endpoint.OSType + description: Endpoint OS type. +- contextPath: McAfee.ePO.Endpoint.OSVersion + description: Endpoint OS version. +- contextPath: McAfee.ePO.Endpoint.OSServicePackVer + description: Endpoint OS service pack version. +- contextPath: McAfee.ePO.Endpoint.OSBuildNum + description: Endpoint OS build number. +- contextPath: McAfee.ePO.Endpoint.OSPlatform + description: Endpoint OS platform. +- contextPath: McAfee.ePO.Endpoint.OSOEMID + description: Endpoint OS OEM ID. +- contextPath: McAfee.ePO.Endpoint.Processor + description: Endpoint CPU type. +- contextPath: McAfee.ePO.Endpoint.CPUSpeed + description: Endpoint CPU speed. +- contextPath: McAfee.ePO.Endpoint.Processors + description: Number of CPUs in the endpoint. +- contextPath: McAfee.ePO.Endpoint.CPUSerialNum + description: Endpoint CPU serial number. +- contextPath: McAfee.ePO.Endpoint.Memory + description: The total amount of physical memory in the endpoint. +- contextPath: McAfee.ePO.Endpoint.FreeMemory + description: The amount of free memory in the endpoint. +- contextPath: McAfee.ePO.Endpoint.FreeDiskSpace + description: The amount of free disk space in the endpoint. +- contextPath: McAfee.ePO.Endpoint.TotalDiskSpace + description: The total amount of disk space in the endpoint. +- contextPath: McAfee.ePO.Endpoint.UserProperty1 + description: Endpoint user property 1. +- contextPath: McAfee.ePO.Endpoint.UserProperty2 + description: Endpoint user property 2. +- contextPath: McAfee.ePO.Endpoint.UserProperty3 + description: Endpoint user property 3. +- contextPath: McAfee.ePO.Endpoint.UserProperty4 + description: Endpoint user property 4. +- contextPath: McAfee.ePO.Endpoint.SysvolFreeSpace + description: The amount of system volume free space in the endpoint. +- contextPath: McAfee.ePO.Endpoint.SysvolTotalSpace + description: The total amount of system volume space in the endpoint. +- contextPath: McAfee.ePO.Endpoint.Tags + description: Endpoint ePO tags. +- contextPath: McAfee.ePO.Endpoint.ExcludedTags + description: Endpoint EPO excluded tags. +- contextPath: McAfee.ePO.Endpoint.LastUpdate + description: The date the endpoint was last updated. +- contextPath: McAfee.ePO.Endpoint.ManagedState + description: Endpoint managed state. +- contextPath: McAfee.ePO.Endpoint.AgentGUID + description: Endpoint agent GUID. +- contextPath: McAfee.ePO.Endpoint.AgentVersion + description: Endpoint agent version. +- contextPath: McAfee.ePO.Endpoint.AutoID + description: Endpoint auto ID. +- contextPath: CrowdStrike.Device.ID + description: The ID of the device. +- contextPath: CrowdStrike.Device.LocalIP + description: The local IP address of the device. +- contextPath: CrowdStrike.Device.ExternalIP + description: The external IP address of the device. +- contextPath: CrowdStrike.Device.Hostname + description: The host name of the device. +- contextPath: CrowdStrike.Device.OS + description: The operating system of the device. +- contextPath: CrowdStrike.Device.MacAddress + description: The MAC address of the device. +- contextPath: CrowdStrike.Device.FirstSeen + description: The first time the device was seen. +- contextPath: CrowdStrike.Device.LastSeen + description: The last time the device was seen. +- contextPath: CrowdStrike.Device.PolicyType + description: The policy type of the device. +- contextPath: CrowdStrike.Device.Status + description: The device status. +sourceplaybookid: Endpoint Enrichment - Generic v2.1 +dirtyInputs: true +adopted: true From dd26b97bd07f090b761ea5691e873fe72952b2be Mon Sep 17 00:00:00 2001 From: Scott Brumley Date: Fri, 16 Jan 2026 10:59:13 -0500 Subject: [PATCH 02/49] - Update to Fix CrowdStrike Layout pointing at incorrect scripts. --- ...ner-CrowdStrike_Endpoint_Alert_Layout.json | 23 +++++++++---------- 1 file changed, 11 insertions(+), 12 deletions(-) diff --git a/Packs/soc-crowdstrike-falcon/Layouts/layoutscontainer-CrowdStrike_Endpoint_Alert_Layout.json b/Packs/soc-crowdstrike-falcon/Layouts/layoutscontainer-CrowdStrike_Endpoint_Alert_Layout.json index 72502e8..97b7ff4 100644 --- a/Packs/soc-crowdstrike-falcon/Layouts/layoutscontainer-CrowdStrike_Endpoint_Alert_Layout.json +++ b/Packs/soc-crowdstrike-falcon/Layouts/layoutscontainer-CrowdStrike_Endpoint_Alert_Layout.json @@ -25,7 +25,7 @@ "name": "Alert Details", "sections": [ { - "description": "CGO-> Parent or Grandparent Process (overall process responsible for the chain of events) \nParent Process-> Parent Process \nInitiator-> Process \nNOTE: Layout currently optimized for CRWD EPP/EDR Alerts ", + "description": "CGO-\u003e Parent or Grandparent Process (overall process responsible for the chain of events) \nParent Process-\u003e Parent Process \nInitiator-\u003e Process \nNOTE: Layout currently optimized for CRWD EPP/EDR Alerts ", "displayType": "ROW", "h": 6, "hideName": false, @@ -367,7 +367,7 @@ "maxW": 3, "minH": 1, "moved": false, - "name": "Host & User Details (at alert time)", + "name": "Host \u0026 User Details (at alert time)", "static": false, "w": 1, "x": 2, @@ -631,7 +631,7 @@ "minH": 1, "moved": false, "name": "Host Status (current)", - "query": "displayCrowdStrikeHostStatus_xsiam", + "query": "displayCrowdStrikeHostStatusxsiam", "queryType": "script", "static": false, "type": "dynamic", @@ -671,7 +671,7 @@ "minH": 1, "moved": false, "name": "⚠️ CrowdStrike - Raw Alert Data", - "query": "displayCrowdStrikeEvidence_xsiam", + "query": "displayCrowdStrikeEvidencexsiam", "queryType": "script", "showFullDescription": false, "static": false, @@ -698,7 +698,7 @@ "minH": 1, "moved": false, "name": "πŸ–₯️ Latest Host Record", - "query": "displayCrowdStrikeHostRecord_xsiam", + "query": "displayCrowdStrikeHostRecordxsiam", "queryType": "script", "showFullDescription": false, "static": false, @@ -716,7 +716,7 @@ "minH": 1, "moved": false, "name": "πŸ–₯️ Host Status", - "query": "displayCrowdStrikeHostStatus_xsiam", + "query": "displayCrowdStrikeHostStatusxsiam", "queryType": "script", "showFullDescription": false, "static": false, @@ -743,11 +743,11 @@ "edit": null, "fromServerVersion": "6.0.0", "group": "incident", - "id": "CrowdStrike Endpoint Alert Layout", + "id": "231934e1-8a1b-4d51-84b6-35df91125270", "indicatorsDetails": null, "indicatorsQuickView": null, "isOverridable": false, - "itemVersion": "1.0.6", + "itemVersion": "1.0.27", "locked": false, "mobile": null, "name": "CrowdStrike Endpoint Alert Layout", @@ -859,6 +859,7 @@ ], "isVisible": true, "name": "Labels", + "name": "Labels", "query": null, "queryType": "", "readOnly": true, @@ -869,7 +870,5 @@ "quickViewV2": null, "system": false, "toServerVersion": "99.99.99", - "version": -1, - "fromVersion": "6.0.0", - "adopted": true -} + "version": -1 +} \ No newline at end of file From 1580986abc8dece3a1ebdd1dc268aa8ed3336756 Mon Sep 17 00:00:00 2001 From: Scott Brumley Date: Fri, 16 Jan 2026 11:01:09 -0500 Subject: [PATCH 03/49] - Bump Versions - Update Catalog --- Packs/soc-crowdstrike-falcon/pack_metadata.json | 2 +- Packs/soc-crowdstrike-falcon/xsoar_config.json | 2 +- Packs/soc-optimization-unified/pack_metadata.json | 2 +- Packs/soc-optimization-unified/xsoar_config.json | 2 +- pack_catalog.json | 4 ++-- 5 files changed, 6 insertions(+), 6 deletions(-) diff --git a/Packs/soc-crowdstrike-falcon/pack_metadata.json b/Packs/soc-crowdstrike-falcon/pack_metadata.json index d4502f2..2b5aca8 100644 --- a/Packs/soc-crowdstrike-falcon/pack_metadata.json +++ b/Packs/soc-crowdstrike-falcon/pack_metadata.json @@ -3,7 +3,7 @@ "id": "soc-crowdstrike-falcon", "description": "This contains the content for XSIAM CrowdStrike Falcon. This includes layouts, playbooks and incident fields", "support": "xsoar", - "currentVersion": "1.0.35", + "currentVersion": "1.0.36", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/soc-crowdstrike-falcon/xsoar_config.json b/Packs/soc-crowdstrike-falcon/xsoar_config.json index 0436a14..99b42cf 100644 --- a/Packs/soc-crowdstrike-falcon/xsoar_config.json +++ b/Packs/soc-crowdstrike-falcon/xsoar_config.json @@ -2,7 +2,7 @@ "custom_packs": [ { "id": "soc-crowdstrike-falcon.zip", - "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-crowdstrike-falcon-v1.0.35/soc-crowdstrike-falcon-v1.0.35.zip", + "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-crowdstrike-falcon-v1.0.36/soc-crowdstrike-falcon-v1.0.36.zip", "system": "yes" } ], diff --git a/Packs/soc-optimization-unified/pack_metadata.json b/Packs/soc-optimization-unified/pack_metadata.json index fcba430..125fe41 100644 --- a/Packs/soc-optimization-unified/pack_metadata.json +++ b/Packs/soc-optimization-unified/pack_metadata.json @@ -3,7 +3,7 @@ "id": "soc-optimization-unified", "description": "This contents the content used to leverage processes that the Palo SOC uses including: Playbooks, integrations, layouts, etc.", "support": "xsoar", - "currentVersion": "3.0.15", + "currentVersion": "3.0.16", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/soc-optimization-unified/xsoar_config.json b/Packs/soc-optimization-unified/xsoar_config.json index 773d0da..e889308 100644 --- a/Packs/soc-optimization-unified/xsoar_config.json +++ b/Packs/soc-optimization-unified/xsoar_config.json @@ -8,7 +8,7 @@ "custom_packs": [ { "id": "soc-optimization-unified.zip", - "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-optimization-unified-v3.0.15/soc-optimization-unified-v3.0.15.zip", + "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-optimization-unified-v3.0.16/soc-optimization-unified-v3.0.16.zip", "system": "yes" } ], diff --git a/pack_catalog.json b/pack_catalog.json index 7553cb4..09d29f3 100644 --- a/pack_catalog.json +++ b/pack_catalog.json @@ -11,7 +11,7 @@ { "id": "soc-crowdstrike-falcon", "display_name": "SOC CrowdStrike Falcon Integration Enhancement for Cortex XSIAM", - "version": "1.0.35", + "version": "1.0.36", "path": "Packs/soc-crowdstrike-falcon", "visible": true, "xsoar_config": "https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/Packs/soc-crowdstrike-falcon/xsoar_config.json" @@ -43,7 +43,7 @@ { "id": "soc-optimization-unified", "display_name": "SOC Framework Unified", - "version": "3.0.15", + "version": "3.0.16", "path": "Packs/soc-optimization-unified", "visible": true, "xsoar_config": "https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/Packs/soc-optimization-unified/xsoar_config.json" From fd2f82b766b494624f0a788dd0aff57fa613e916 Mon Sep 17 00:00:00 2001 From: Scott Brumley Date: Fri, 16 Jan 2026 11:05:48 -0500 Subject: [PATCH 04/49] - Normalization needed for Layout --- ...utscontainer-CrowdStrike_Endpoint_Alert_Layout.json | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/Packs/soc-crowdstrike-falcon/Layouts/layoutscontainer-CrowdStrike_Endpoint_Alert_Layout.json b/Packs/soc-crowdstrike-falcon/Layouts/layoutscontainer-CrowdStrike_Endpoint_Alert_Layout.json index 97b7ff4..b5ebb88 100644 --- a/Packs/soc-crowdstrike-falcon/Layouts/layoutscontainer-CrowdStrike_Endpoint_Alert_Layout.json +++ b/Packs/soc-crowdstrike-falcon/Layouts/layoutscontainer-CrowdStrike_Endpoint_Alert_Layout.json @@ -25,7 +25,7 @@ "name": "Alert Details", "sections": [ { - "description": "CGO-\u003e Parent or Grandparent Process (overall process responsible for the chain of events) \nParent Process-\u003e Parent Process \nInitiator-\u003e Process \nNOTE: Layout currently optimized for CRWD EPP/EDR Alerts ", + "description": "CGO-> Parent or Grandparent Process (overall process responsible for the chain of events) \nParent Process-> Parent Process \nInitiator-> Process \nNOTE: Layout currently optimized for CRWD EPP/EDR Alerts ", "displayType": "ROW", "h": 6, "hideName": false, @@ -367,7 +367,7 @@ "maxW": 3, "minH": 1, "moved": false, - "name": "Host \u0026 User Details (at alert time)", + "name": "Host & User Details (at alert time)", "static": false, "w": 1, "x": 2, @@ -743,7 +743,7 @@ "edit": null, "fromServerVersion": "6.0.0", "group": "incident", - "id": "231934e1-8a1b-4d51-84b6-35df91125270", + "id": "CrowdStrike Endpoint Alert Layout", "indicatorsDetails": null, "indicatorsQuickView": null, "isOverridable": false, @@ -859,7 +859,6 @@ ], "isVisible": true, "name": "Labels", - "name": "Labels", "query": null, "queryType": "", "readOnly": true, @@ -870,5 +869,6 @@ "quickViewV2": null, "system": false, "toServerVersion": "99.99.99", - "version": -1 + "version": -1, + "fromVersion": "6.0.0" } \ No newline at end of file From 5e5c76afc3492325533cc7f3388c2a1e7362ccee Mon Sep 17 00:00:00 2001 From: Scott Brumley Date: Fri, 16 Jan 2026 11:14:32 -0500 Subject: [PATCH 05/49] - Playbook was in the wrong place - Updated correct common playbook - Normalized content --- ...SOC_Endpoint_Enrichment_-_Generic_v2.1.yml | 3372 +++++++++-------- ...SOC_Endpoint_Enrichment_-_Generic_v2.1.yml | 2367 ------------ 2 files changed, 1704 insertions(+), 4035 deletions(-) delete mode 100644 Packs/soc-optimization-unified/Playbooks/SOC_Endpoint_Enrichment_-_Generic_v2.1.yml diff --git a/Packs/soc-common-playbooks/Playbooks/SOC_Endpoint_Enrichment_-_Generic_v2.1.yml b/Packs/soc-common-playbooks/Playbooks/SOC_Endpoint_Enrichment_-_Generic_v2.1.yml index e1216d7..027d342 100644 --- a/Packs/soc-common-playbooks/Playbooks/SOC_Endpoint_Enrichment_-_Generic_v2.1.yml +++ b/Packs/soc-common-playbooks/Playbooks/SOC_Endpoint_Enrichment_-_Generic_v2.1.yml @@ -1,20 +1,23 @@ -adopted: true +id: SOC Endpoint Enrichment - Generic v2.1 +version: 7 contentitemexportablefields: contentitemfields: - definitionid: "" - fromServerVersion: 6.8.0 - isoverridable: false - itemVersion: 2.7.16 - packID: "" + packID: soc-common-playbooks packName: SOC Common Playbooks + itemVersion: 2.7.40 + fromServerVersion: 5.0.0 + toServerVersion: "" + definitionid: "" prevname: "" + isoverridable: false supportedModules: - X1 - X3 - X5 - ENT_PLUS - agentix - toServerVersion: "" +vcShouldKeepItemLegacyProdMachine: false +name: SOC Endpoint Enrichment - Generic v2.1 description: |- Enrich an endpoint by hostname using one or more integrations. Supported integrations: @@ -26,908 +29,28 @@ description: |- - ExtraHop Reveal(x) - Cortex XDR / Core (endpoint enrichment, reputation and risk) - Endpoint reputation using !endpoint command. -dirtyInputs: true -id: 'SOC Endpoint Enrichment - Generic v2.1' -inputSections: -- description: Generic group for inputs - inputs: - - Hostname - - UseReputationCommand - - IPAddress - - EndpointID - name: General (Inputs group) -inputs: -- description: The hostname of the endpoint to enrich. - key: Hostname - playbookInputQuery: - required: false - value: - complex: - accessor: Hostname - root: Endpoint - transformers: - - operator: uniq -- description: |- - Define if you would like to use the !endpoint command. - Note: This input should be used whenever there is no auto-extract enabled in the investigation flow. - Possible values: True / False. - key: UseReputationCommand - playbookInputQuery: - required: true - value: - simple: "False" -- description: The IP address of the endpoint to enrich. - key: IPAddress - playbookInputQuery: - required: false - value: - complex: - accessor: IPAddress - root: Endpoint - transformers: - - operator: uniq -- description: The endpoint ID of the endpoint to enrich. - key: EndpointID - playbookInputQuery: - required: false - value: - complex: - accessor: ID - root: Endpoint - transformers: - - operator: uniq -name: SOC Endpoint Enrichment - Generic v2.1 -outputSections: -- description: Generic group for outputs - name: General (Outputs group) - outputs: - - Endpoint - - Endpoint.Hostname - - Endpoint.OS - - Endpoint.IP - - Endpoint.MAC - - Endpoint.Domain - - CylanceProtectDevice - - ExtraHop.Device.Macaddr - - ExtraHop.Device.DeviceClass - - ExtraHop.Device.UserModTime - - ExtraHop.Device.AutoRole - - ExtraHop.Device.ParentId - - ExtraHop.Device.Vendor - - ExtraHop.Device.Analysis - - ExtraHop.Device.DiscoveryId - - ExtraHop.Device.DefaultName - - ExtraHop.Device.DisplayName - - ExtraHop.Device.OnWatchlist - - ExtraHop.Device.ModTime - - ExtraHop.Device.IsL3 - - ExtraHop.Device.Role - - ExtraHop.Device.DiscoverTime - - ExtraHop.Device.Id - - ExtraHop.Device.Ipaddr4 - - ExtraHop.Device.Vlanid - - ExtraHop.Device.Ipaddr6 - - ExtraHop.Device.NodeId - - ExtraHop.Device.Description - - ExtraHop.Device.DnsName - - ExtraHop.Device.DhcpName - - ExtraHop.Device.CdpName - - ExtraHop.Device.NetbiosName - - ExtraHop.Device.Url - - Endpoint.IPAddress - - Endpoint.ID - - Endpoint.Status - - Endpoint.IsIsolated - - Endpoint.MACAddress - - Endpoint.Vendor - - Endpoint.Relationships - - Endpoint.Processor - - Endpoint.Processors - - Endpoint.Memory - - Endpoint.Model - - Endpoint.BIOSVersion - - Endpoint.OSVersion - - Endpoint.DHCPServer - - McAfee.ePO.Endpoint - - Endpoint.Groups - - ActiveDirectory.ComputersPageCookie - - ActiveDirectory.Computers.dn - - ActiveDirectory.Computers.memberOf - - ActiveDirectory.Computers.name - - CrowdStrike.Device - - ActiveDirectory.Computers - - CarbonBlackEDR.Sensor.systemvolume_total_size - - CarbonBlackEDR.Sensor.emet_telemetry_path - - CarbonBlackEDR.Sensor.os_environment_display_string - - CarbonBlackEDR.Sensor.emet_version - - CarbonBlackEDR.Sensor.emet_dump_flags - - CarbonBlackEDR.Sensor.clock_delta - - CarbonBlackEDR.Sensor.supports_cblr - - CarbonBlackEDR.Sensor.sensor_uptime - - CarbonBlackEDR.Sensor.last_update - - CarbonBlackEDR.Sensor.physical_memory_size - - CarbonBlackEDR.Sensor.build_id - - CarbonBlackEDR.Sensor.uptime - - CarbonBlackEDR.Sensor.is_isolating - - CarbonBlackEDR.Sensor.event_log_flush_time - - CarbonBlackEDR.Sensor.computer_dns_name - - CarbonBlackEDR.Sensor.emet_report_setting - - CarbonBlackEDR.Sensor.id - - CarbonBlackEDR.Sensor.emet_process_count - - CarbonBlackEDR.Sensor.emet_is_gpo - - CarbonBlackEDR.Sensor.power_state - - CarbonBlackEDR.Sensor.network_isolation_enabled - - CarbonBlackEDR.Sensor.systemvolume_free_size - - CarbonBlackEDR.Sensor.status - - CarbonBlackEDR.Sensor.num_eventlog_bytes - - CarbonBlackEDR.Sensor.sensor_health_message - - CarbonBlackEDR.Sensor.build_version_string - - CarbonBlackEDR.Sensor.computer_sid - - CarbonBlackEDR.Sensor.next_checkin_time - - CarbonBlackEDR.Sensor.node_id - - CarbonBlackEDR.Sensor.cookie - - CarbonBlackEDR.Sensor.emet_exploit_action - - CarbonBlackEDR.Sensor.computer_name - - CarbonBlackEDR.Sensor.license_expiration - - CarbonBlackEDR.Sensor.supports_isolation - - CarbonBlackEDR.Sensor.parity_host_id - - CarbonBlackEDR.Sensor.supports_2nd_gen_modloads - - CarbonBlackEDR.Sensor.network_adapters - - CarbonBlackEDR.Sensor.sensor_health_status - - CarbonBlackEDR.Sensor.registration_time - - CarbonBlackEDR.Sensor.restart_queued - - CarbonBlackEDR.Sensor.notes - - CarbonBlackEDR.Sensor.num_storefiles_bytes - - CarbonBlackEDR.Sensor.os_environment_id - - CarbonBlackEDR.Sensor.shard_id - - CarbonBlackEDR.Sensor.boot_id - - CarbonBlackEDR.Sensor.last_checkin_time - - CarbonBlackEDR.Sensor.os_type - - CarbonBlackEDR.Sensor.group_id - - CarbonBlackEDR.Sensor.uninstall - - PaloAltoNetworksXDR.Endpoint - - PaloAltoNetworksXDR.Endpoint.endpoint_id - - PaloAltoNetworksXDR.Endpoint.endpoint_name - - PaloAltoNetworksXDR.Endpoint.endpoint_type - - PaloAltoNetworksXDR.Endpoint.endpoint_status - - PaloAltoNetworksXDR.Endpoint.os_type - - PaloAltoNetworksXDR.Endpoint.ip - - PaloAltoNetworksXDR.Endpoint.users - - PaloAltoNetworksXDR.Endpoint.domain - - PaloAltoNetworksXDR.Endpoint.alias - - PaloAltoNetworksXDR.Endpoint.first_seen - - PaloAltoNetworksXDR.Endpoint.last_seen - - PaloAltoNetworksXDR.Endpoint.content_version - - PaloAltoNetworksXDR.Endpoint.installation_package - - PaloAltoNetworksXDR.Endpoint.active_directory - - PaloAltoNetworksXDR.Endpoint.install_date - - PaloAltoNetworksXDR.Endpoint.endpoint_version - - PaloAltoNetworksXDR.Endpoint.is_isolated - - PaloAltoNetworksXDR.Endpoint.group_name - - PaloAltoNetworksXDR.Endpoint.count - - Account - - Account.Username - - Account.Domain - - PaloAltoNetworksXDR.RiskyHost - - PaloAltoNetworksXDR.RiskyHost.type - - PaloAltoNetworksXDR.RiskyHost.id - - PaloAltoNetworksXDR.RiskyHost.score - - PaloAltoNetworksXDR.RiskyHost.reasons - - PaloAltoNetworksXDR.RiskyHost.reasons.date created - - PaloAltoNetworksXDR.RiskyHost.reasons.description - - PaloAltoNetworksXDR.RiskyHost.reasons.severity - - PaloAltoNetworksXDR.RiskyHost.reasons.status - - PaloAltoNetworksXDR.RiskyHost.reasons.points - - Core.Endpoint - - Core.Endpoint.endpoint_id - - Core.Endpoint.endpoint_name - - Core.Endpoint.endpoint_type - - Core.Endpoint.endpoint_status - - Core.Endpoint.os_type - - Core.Endpoint.ip - - Core.Endpoint.users - - Core.Endpoint.domain - - Core.Endpoint.alias - - Core.Endpoint.first_seen - - Core.Endpoint.last_seen - - Core.Endpoint.content_version - - Core.Endpoint.installation_package - - Core.Endpoint.active_directory - - Core.Endpoint.install_date - - Core.Endpoint.endpoint_version - - Core.Endpoint.is_isolated - - Core.Endpoint.group_name - - Core.RiskyHost - - Core.RiskyHost.type - - Core.RiskyHost.id - - Core.RiskyHost.score - - Core.RiskyHost.reasons - - Core.RiskyHost.reasons.date created - - Core.RiskyHost.reasons.description - - Core.RiskyHost.reasons.severity - - Core.RiskyHost.reasons.status - - Core.RiskyHost.reasons.points - - McAfee.ePO.Endpoint.ParentID - - McAfee.ePO.Endpoint.ComputerName - - McAfee.ePO.Endpoint.Description - - McAfee.ePO.Endpoint.SystemDescription - - McAfee.ePO.Endpoint.TimeZone - - McAfee.ePO.Endpoint.DefaultLangID - - McAfee.ePO.Endpoint.UserName - - McAfee.ePO.Endpoint.Domain - - McAfee.ePO.Endpoint.Hostname - - McAfee.ePO.Endpoint.IPV6 - - McAfee.ePO.Endpoint.IPAddress - - McAfee.ePO.Endpoint.IPSubnet - - McAfee.ePO.Endpoint.IPSubnetMask - - McAfee.ePO.Endpoint.IPV4x - - McAfee.ePO.Endpoint.IPXAddress - - McAfee.ePO.Endpoint.SubnetAddress - - McAfee.ePO.Endpoint.SubnetMask - - McAfee.ePO.Endpoint.NetAddress - - McAfee.ePO.Endpoint.OSType - - McAfee.ePO.Endpoint.OSVersion - - McAfee.ePO.Endpoint.OSServicePackVer - - McAfee.ePO.Endpoint.OSBuildNum - - McAfee.ePO.Endpoint.OSPlatform - - McAfee.ePO.Endpoint.OSOEMID - - McAfee.ePO.Endpoint.Processor - - McAfee.ePO.Endpoint.CPUSpeed - - McAfee.ePO.Endpoint.Processors - - McAfee.ePO.Endpoint.CPUSerialNum - - McAfee.ePO.Endpoint.Memory - - McAfee.ePO.Endpoint.FreeMemory - - McAfee.ePO.Endpoint.FreeDiskSpace - - McAfee.ePO.Endpoint.TotalDiskSpace - - McAfee.ePO.Endpoint.UserProperty1 - - McAfee.ePO.Endpoint.UserProperty2 - - McAfee.ePO.Endpoint.UserProperty3 - - McAfee.ePO.Endpoint.UserProperty4 - - McAfee.ePO.Endpoint.SysvolFreeSpace - - McAfee.ePO.Endpoint.SysvolTotalSpace - - McAfee.ePO.Endpoint.Tags - - McAfee.ePO.Endpoint.ExcludedTags - - McAfee.ePO.Endpoint.LastUpdate - - McAfee.ePO.Endpoint.ManagedState - - McAfee.ePO.Endpoint.AgentGUID - - McAfee.ePO.Endpoint.AgentVersion - - McAfee.ePO.Endpoint.AutoID - - CrowdStrike.Device.ID - - CrowdStrike.Device.LocalIP - - CrowdStrike.Device.ExternalIP - - CrowdStrike.Device.Hostname - - CrowdStrike.Device.OS - - CrowdStrike.Device.MacAddress - - CrowdStrike.Device.FirstSeen - - CrowdStrike.Device.LastSeen - - CrowdStrike.Device.PolicyType - - CrowdStrike.Device.Status -outputs: -- contextPath: Endpoint - description: The endpoint object of the endpoint that was enriched. - type: string -- contextPath: Endpoint.Hostname - description: The hostnames of the endpoints that were enriched. - type: string -- contextPath: Endpoint.OS - description: The operating systems running on the endpoints that were enriched. - type: string -- contextPath: Endpoint.IP - description: A list of the IP addresses of the endpoints. - type: string -- contextPath: Endpoint.MAC - description: A list of the MAC addresses of the endpoints that were enriched. - type: string -- contextPath: Endpoint.Domain - description: The domain names of the endpoints that were enriched. - type: string -- contextPath: CylanceProtectDevice - description: The device information about the hostname that was enriched using Cylance - Protect v2. - type: string -- contextPath: ExtraHop.Device.Macaddr - description: The MAC Address of the device. - type: String -- contextPath: ExtraHop.Device.DeviceClass - description: The class of the device. - type: String -- contextPath: ExtraHop.Device.UserModTime - description: The time of the most recent update, expressed in milliseconds since - the epoch. - type: Number -- contextPath: ExtraHop.Device.AutoRole - description: The role automatically detected by the ExtraHop. - type: String -- contextPath: ExtraHop.Device.ParentId - description: The ID of the parent device. - type: Number -- contextPath: ExtraHop.Device.Vendor - description: The device vendor. - type: String -- contextPath: ExtraHop.Device.Analysis - description: The level of analysis preformed on the device. - type: string -- contextPath: ExtraHop.Device.DiscoveryId - description: The UUID given by the Discover appliance. - type: String -- contextPath: ExtraHop.Device.DefaultName - description: The default name of the device. - type: String -- contextPath: ExtraHop.Device.DisplayName - description: The display name of device. - type: String -- contextPath: ExtraHop.Device.OnWatchlist - description: Whether the device is on the advanced analysis allow list. - type: Boolean -- contextPath: ExtraHop.Device.ModTime - description: The time of the most recent update, expressed in milliseconds since - the epoch. - type: Number -- contextPath: ExtraHop.Device.IsL3 - description: Indicates whether the device is a Layer 3 device. - type: Boolean -- contextPath: ExtraHop.Device.Role - description: The role of the device. - type: String -- contextPath: ExtraHop.Device.DiscoverTime - description: The time that the device was discovered. - type: Number -- contextPath: ExtraHop.Device.Id - description: The ID of the device. - type: Number -- contextPath: ExtraHop.Device.Ipaddr4 - description: The IPv4 address of the device. - type: String -- contextPath: ExtraHop.Device.Vlanid - description: The ID of VLan. - type: Number -- contextPath: ExtraHop.Device.Ipaddr6 - description: The IPv6 address of the device. - type: string -- contextPath: ExtraHop.Device.NodeId - description: The Node ID of the Discover appliance. - type: number -- contextPath: ExtraHop.Device.Description - description: A user customizable description of the device. - type: string -- contextPath: ExtraHop.Device.DnsName - description: The DNS name associated with the device. - type: string -- contextPath: ExtraHop.Device.DhcpName - description: The DHCP name associated with the device. - type: string -- contextPath: ExtraHop.Device.CdpName - description: The Cisco Discovery Protocol name associated with the device. - type: string -- contextPath: ExtraHop.Device.NetbiosName - description: The NetBIOS name associated with the device. - type: string -- contextPath: ExtraHop.Device.Url - description: Link to the device details page in ExtraHop. - type: string -- contextPath: Endpoint.IPAddress - description: The endpoint IP address or list of IP addresses. - type: string -- contextPath: Endpoint.ID - description: The endpoint ID. - type: string -- contextPath: Endpoint.Status - description: The endpoint status. - type: string -- contextPath: Endpoint.IsIsolated - description: The endpoint isolation status. - type: string -- contextPath: Endpoint.MACAddress - description: The endpoint MAC address. - type: string -- contextPath: Endpoint.Vendor - description: The integration name of the endpoint vendor. - type: string -- contextPath: Endpoint.Relationships - description: The endpoint relationships of the endpoint that was enriched. - type: string -- contextPath: Endpoint.Processor - description: The model of the processor. - type: string -- contextPath: Endpoint.Processors - description: The number of processors. - type: string -- contextPath: Endpoint.Memory - description: Memory on this endpoint. - type: string -- contextPath: Endpoint.Model - description: The model of the machine or device. - type: string -- contextPath: Endpoint.BIOSVersion - description: The endpoint's BIOS version. - type: string -- contextPath: Endpoint.OSVersion - description: The endpoint's operation system version. - type: string -- contextPath: Endpoint.DHCPServer - description: The DHCP server of the endpoint. - type: string -- contextPath: McAfee.ePO.Endpoint - description: The endpoint that was enriched. - type: string -- contextPath: Endpoint.Groups - description: Groups for which the computer is listed as a member. - type: string -- contextPath: ActiveDirectory.ComputersPageCookie - description: An opaque string received in a paged search, used for requesting subsequent - entries. - type: string -- contextPath: ActiveDirectory.Computers.dn - description: The computer distinguished name. - type: string -- contextPath: ActiveDirectory.Computers.memberOf - description: Groups for which the computer is listed. - type: string -- contextPath: ActiveDirectory.Computers.name - description: The computer name. - type: string -- contextPath: CrowdStrike.Device - description: The information about the endpoint. - type: string -- contextPath: ActiveDirectory.Computers - description: The information about the hostname that was enriched using Active Directory. - type: string -- contextPath: CarbonBlackEDR.Sensor.systemvolume_total_size - description: The size, in bytes, of the system volume of the endpoint on which the - sensor is installed. installed. - type: number -- contextPath: CarbonBlackEDR.Sensor.emet_telemetry_path - description: The path of the EMET telemetry associated with the sensor. - type: string -- contextPath: CarbonBlackEDR.Sensor.os_environment_display_string - description: Human-readable string of the installed OS. - type: string -- contextPath: CarbonBlackEDR.Sensor.emet_version - description: The EMET version associated with the sensor. - type: string -- contextPath: CarbonBlackEDR.Sensor.emet_dump_flags - description: The flags of the EMET dump associated with the sensor. - type: string -- contextPath: CarbonBlackEDR.Sensor.clock_delta - description: The clock delta associated with the sensor. - type: string -- contextPath: CarbonBlackEDR.Sensor.supports_cblr - description: Whether the sensor supports Carbon Black Live Response (CbLR). - type: string -- contextPath: CarbonBlackEDR.Sensor.sensor_uptime - description: The uptime of the process. - type: string -- contextPath: CarbonBlackEDR.Sensor.last_update - description: When the sensor was last updated. - type: string -- contextPath: CarbonBlackEDR.Sensor.physical_memory_size - description: The size in bytes of physical memory. - type: number -- contextPath: CarbonBlackEDR.Sensor.build_id - description: The sensor version installed on this endpoint. From the /api/builds/ - endpoint. - type: string -- contextPath: CarbonBlackEDR.Sensor.uptime - description: Endpoint uptime in seconds. - type: string -- contextPath: CarbonBlackEDR.Sensor.is_isolating - description: Boolean representing sensor-reported isolation status. - type: boolean -- contextPath: CarbonBlackEDR.Sensor.event_log_flush_time - description: |- - If event_log_flush_time is set, the server will instruct the sensor to immediately - send all data before this date, ignoring all other throttling mechanisms. - To force a host current, set this value to a value far in the future. - When the sensor has finished sending its queued data, this value will be null. - type: string -- contextPath: CarbonBlackEDR.Sensor.computer_dns_name - description: The DNS name of the endpoint on which the sensor is installed. - type: string -- contextPath: CarbonBlackEDR.Sensor.emet_report_setting - description: The report setting of the EMET associated with the sensor. - type: string -- contextPath: CarbonBlackEDR.Sensor.id - description: The ID of this sensor. - type: string -- contextPath: CarbonBlackEDR.Sensor.emet_process_count - description: The number of EMET processes associated with the sensor. - type: string -- contextPath: CarbonBlackEDR.Sensor.emet_is_gpo - description: Whether the EMET is a GPO. - type: string -- contextPath: CarbonBlackEDR.Sensor.power_state - description: The sensor power state. - type: string -- contextPath: CarbonBlackEDR.Sensor.network_isolation_enabled - description: Boolean representing the network isolation request status. - type: boolean -- contextPath: CarbonBlackEDR.Sensor.systemvolume_free_size - description: The amount of free bytes on the system volume. - type: string -- contextPath: CarbonBlackEDR.Sensor.status - description: The sensor status. - type: string -- contextPath: CarbonBlackEDR.Sensor.num_eventlog_bytes - description: The number of event log bytes. - type: number -- contextPath: CarbonBlackEDR.Sensor.sensor_health_message - description: Human-readable string indicating the sensor’s self-reported status. - type: string -- contextPath: CarbonBlackEDR.Sensor.build_version_string - description: Human-readable string of the sensor version. - type: string -- contextPath: CarbonBlackEDR.Sensor.computer_sid - description: Machine SID of this host. - type: string -- contextPath: CarbonBlackEDR.Sensor.next_checkin_time - description: Next expected communication from this computer in server-local time - and zone. - type: string -- contextPath: CarbonBlackEDR.Sensor.node_id - description: The node ID associated with the sensor. - type: string -- contextPath: CarbonBlackEDR.Sensor.cookie - description: The cookie associated with the sensor. - type: string -- contextPath: CarbonBlackEDR.Sensor.emet_exploit_action - description: The EMET exploit action associated with the sensor. - type: string -- contextPath: CarbonBlackEDR.Sensor.computer_name - description: NetBIOS name of this computer. - type: string -- contextPath: CarbonBlackEDR.Sensor.license_expiration - description: When the license of the sensor expires. - type: string -- contextPath: CarbonBlackEDR.Sensor.supports_isolation - description: Whether the sensor supports isolation. - type: string -- contextPath: CarbonBlackEDR.Sensor.parity_host_id - description: The ID of the parity host associated with the sensor. - type: string -- contextPath: CarbonBlackEDR.Sensor.supports_2nd_gen_modloads - description: Whether the sensor support modload of 2nd generation. - type: string -- contextPath: CarbonBlackEDR.Sensor.network_adapters - description: A pipe-delimited list of IP,MAC pairs for each network interface. - type: string -- contextPath: CarbonBlackEDR.Sensor.sensor_health_status - description: Self-reported health score, from 0 to 100. Higher numbers indicate - a better health status. - type: string -- contextPath: CarbonBlackEDR.Sensor.registration_time - description: Time this sensor was originally registered in server-local time and - zone. - type: string -- contextPath: CarbonBlackEDR.Sensor.restart_queued - description: Whether a restart of the sensor is queued. - type: string -- contextPath: CarbonBlackEDR.Sensor.notes - description: The notes associated with the sensor. - type: string -- contextPath: CarbonBlackEDR.Sensor.num_storefiles_bytes - description: Number of storefiles bytes associated with the sensor. - type: string -- contextPath: CarbonBlackEDR.Sensor.os_environment_id - description: The ID of the OS environment of the sensor. - type: string -- contextPath: CarbonBlackEDR.Sensor.shard_id - description: The ID of the shard associated with the sensor. - type: string -- contextPath: CarbonBlackEDR.Sensor.boot_id - description: A sequential counter of boots since the sensor was installed. - type: string -- contextPath: CarbonBlackEDR.Sensor.last_checkin_time - description: Last communication with this computer in server-local time and zone. - type: string -- contextPath: CarbonBlackEDR.Sensor.os_type - description: The operating system type of the computer. - type: string -- contextPath: CarbonBlackEDR.Sensor.group_id - description: The sensor group ID this sensor is assigned to. - type: string -- contextPath: CarbonBlackEDR.Sensor.uninstall - description: When set, indicates that the sensor will be directed to uninstall on - next check-in. - type: string -- contextPath: PaloAltoNetworksXDR.Endpoint - description: The endpoint object of the endpoint that was enriched. - type: string -- contextPath: PaloAltoNetworksXDR.Endpoint.endpoint_id - description: The endpoint ID. - type: string -- contextPath: PaloAltoNetworksXDR.Endpoint.endpoint_name - description: The endpoint name. - type: string -- contextPath: PaloAltoNetworksXDR.Endpoint.endpoint_type - description: The endpoint type. - type: string -- contextPath: PaloAltoNetworksXDR.Endpoint.endpoint_status - description: The status of the endpoint. - type: string -- contextPath: PaloAltoNetworksXDR.Endpoint.os_type - description: The endpoint OS type. - type: string -- contextPath: PaloAltoNetworksXDR.Endpoint.ip - description: A list of IP addresses. - type: string -- contextPath: PaloAltoNetworksXDR.Endpoint.users - description: A list of users. - type: string -- contextPath: PaloAltoNetworksXDR.Endpoint.domain - description: The endpoint domain. - type: string -- contextPath: PaloAltoNetworksXDR.Endpoint.alias - description: The endpoint's aliases. - type: string -- contextPath: PaloAltoNetworksXDR.Endpoint.first_seen - description: First seen date/time in Epoch (milliseconds). - type: string -- contextPath: PaloAltoNetworksXDR.Endpoint.last_seen - description: Last seen date/time in Epoch (milliseconds). - type: string -- contextPath: PaloAltoNetworksXDR.Endpoint.content_version - description: Content version. - type: string -- contextPath: PaloAltoNetworksXDR.Endpoint.installation_package - description: Installation package. - type: string -- contextPath: PaloAltoNetworksXDR.Endpoint.active_directory - description: Active directory. - type: string -- contextPath: PaloAltoNetworksXDR.Endpoint.install_date - description: Install date in Epoch (milliseconds). - type: string -- contextPath: PaloAltoNetworksXDR.Endpoint.endpoint_version - description: Endpoint version. - type: string -- contextPath: PaloAltoNetworksXDR.Endpoint.is_isolated - description: Whether the endpoint is isolated. - type: string -- contextPath: PaloAltoNetworksXDR.Endpoint.group_name - description: The name of the group to which the endpoint belongs. - type: string -- contextPath: PaloAltoNetworksXDR.Endpoint.count - description: Number of endpoints returned. - type: number -- contextPath: Account - description: The account object of the endpoint that was enriched. - type: string -- contextPath: Account.Username - description: The username in the relevant system. - type: string -- contextPath: Account.Domain - description: The domain of the account. - type: string -- contextPath: PaloAltoNetworksXDR.RiskyHost - description: The endpoint object. - type: string -- contextPath: PaloAltoNetworksXDR.RiskyHost.type - description: Form of identification element. - type: string -- contextPath: PaloAltoNetworksXDR.RiskyHost.id - description: Identification value of the type field. - type: string -- contextPath: PaloAltoNetworksXDR.RiskyHost.score - description: The score assigned to the host. - type: string -- contextPath: PaloAltoNetworksXDR.RiskyHost.reasons - description: The endpoint risk objects. - type: string -- contextPath: PaloAltoNetworksXDR.RiskyHost.reasons.date created - description: Date when the incident was created. - type: string -- contextPath: PaloAltoNetworksXDR.RiskyHost.reasons.description - description: Description of the incident. - type: string -- contextPath: PaloAltoNetworksXDR.RiskyHost.reasons.severity - description: The severity of the incident. - type: string -- contextPath: PaloAltoNetworksXDR.RiskyHost.reasons.status - description: The incident status. - type: string -- contextPath: PaloAltoNetworksXDR.RiskyHost.reasons.points - description: The score. - type: string -- contextPath: Core.Endpoint - description: The endpoint object. - type: unknown -- contextPath: Core.Endpoint.endpoint_id - description: The endpoint ID. -- contextPath: Core.Endpoint.endpoint_name - description: The endpoint name. -- contextPath: Core.Endpoint.endpoint_type - description: The endpoint type. -- contextPath: Core.Endpoint.endpoint_status - description: The status of the endpoint. -- contextPath: Core.Endpoint.os_type - description: The endpoint OS type. -- contextPath: Core.Endpoint.ip - description: A list of IP addresses. -- contextPath: Core.Endpoint.users - description: A list of users. -- contextPath: Core.Endpoint.domain - description: The endpoint domain. -- contextPath: Core.Endpoint.alias - description: The endpoint's aliases. -- contextPath: Core.Endpoint.first_seen - description: First seen date/time in Epoch (milliseconds). -- contextPath: Core.Endpoint.last_seen - description: Last seen date/time in Epoch (milliseconds). -- contextPath: Core.Endpoint.content_version - description: Content version. -- contextPath: Core.Endpoint.installation_package - description: Installation package. -- contextPath: Core.Endpoint.active_directory - description: Active directory. -- contextPath: Core.Endpoint.install_date - description: Install date in Epoch (milliseconds). -- contextPath: Core.Endpoint.endpoint_version - description: Endpoint version. -- contextPath: Core.Endpoint.is_isolated - description: Whether the endpoint is isolated. -- contextPath: Core.Endpoint.group_name - description: The name of the group to which the endpoint belongs. -- contextPath: Core.RiskyHost - description: The risky host object. - type: unknown -- contextPath: Core.RiskyHost.type - description: Form of identification element. -- contextPath: Core.RiskyHost.id - description: Identification value of the type field. -- contextPath: Core.RiskyHost.score - description: The score assigned to the host. -- contextPath: Core.RiskyHost.reasons - description: The reasons for the risk level. - type: unknown -- contextPath: Core.RiskyHost.reasons.date created - description: Date when the incident was created. -- contextPath: Core.RiskyHost.reasons.description - description: Description of the incident. -- contextPath: Core.RiskyHost.reasons.severity - description: The severity of the incident. -- contextPath: Core.RiskyHost.reasons.status - description: The incident status. -- contextPath: Core.RiskyHost.reasons.points - description: The score. -- contextPath: McAfee.ePO.Endpoint.ParentID - description: Endpoint parent ID. -- contextPath: McAfee.ePO.Endpoint.ComputerName - description: Endpoint computer name. -- contextPath: McAfee.ePO.Endpoint.Description - description: Endpoint description. -- contextPath: McAfee.ePO.Endpoint.SystemDescription - description: Endpoint system description. -- contextPath: McAfee.ePO.Endpoint.TimeZone - description: Endpoint time zone. -- contextPath: McAfee.ePO.Endpoint.DefaultLangID - description: Endpoint default language ID. -- contextPath: McAfee.ePO.Endpoint.UserName - description: Endpoint username. -- contextPath: McAfee.ePO.Endpoint.Domain - description: Endpoint domain name. -- contextPath: McAfee.ePO.Endpoint.Hostname - description: Endpoint IP host name. -- contextPath: McAfee.ePO.Endpoint.IPV6 - description: Endpoint IPv6 address. -- contextPath: McAfee.ePO.Endpoint.IPAddress - description: Endpoint IP address. -- contextPath: McAfee.ePO.Endpoint.IPSubnet - description: Endpoint IP subnet. -- contextPath: McAfee.ePO.Endpoint.IPSubnetMask - description: Endpoint IP subnet mask. -- contextPath: McAfee.ePO.Endpoint.IPV4x - description: Endpoint IPV4x address. -- contextPath: McAfee.ePO.Endpoint.IPXAddress - description: Endpoint IPX address. -- contextPath: McAfee.ePO.Endpoint.SubnetAddress - description: Endpoint subnet address. -- contextPath: McAfee.ePO.Endpoint.SubnetMask - description: Endpoint subnet mask. -- contextPath: McAfee.ePO.Endpoint.NetAddress - description: Endpoint net address. -- contextPath: McAfee.ePO.Endpoint.OSType - description: Endpoint OS type. -- contextPath: McAfee.ePO.Endpoint.OSVersion - description: Endpoint OS version. -- contextPath: McAfee.ePO.Endpoint.OSServicePackVer - description: Endpoint OS service pack version. -- contextPath: McAfee.ePO.Endpoint.OSBuildNum - description: Endpoint OS build number. -- contextPath: McAfee.ePO.Endpoint.OSPlatform - description: Endpoint OS platform. -- contextPath: McAfee.ePO.Endpoint.OSOEMID - description: Endpoint OS OEM ID. -- contextPath: McAfee.ePO.Endpoint.Processor - description: Endpoint CPU type. -- contextPath: McAfee.ePO.Endpoint.CPUSpeed - description: Endpoint CPU speed. -- contextPath: McAfee.ePO.Endpoint.Processors - description: Number of CPUs in the endpoint. -- contextPath: McAfee.ePO.Endpoint.CPUSerialNum - description: Endpoint CPU serial number. -- contextPath: McAfee.ePO.Endpoint.Memory - description: The total amount of physical memory in the endpoint. -- contextPath: McAfee.ePO.Endpoint.FreeMemory - description: The amount of free memory in the endpoint. -- contextPath: McAfee.ePO.Endpoint.FreeDiskSpace - description: The amount of free disk space in the endpoint. -- contextPath: McAfee.ePO.Endpoint.TotalDiskSpace - description: The total amount of disk space in the endpoint. -- contextPath: McAfee.ePO.Endpoint.UserProperty1 - description: Endpoint user property 1. -- contextPath: McAfee.ePO.Endpoint.UserProperty2 - description: Endpoint user property 2. -- contextPath: McAfee.ePO.Endpoint.UserProperty3 - description: Endpoint user property 3. -- contextPath: McAfee.ePO.Endpoint.UserProperty4 - description: Endpoint user property 4. -- contextPath: McAfee.ePO.Endpoint.SysvolFreeSpace - description: The amount of system volume free space in the endpoint. -- contextPath: McAfee.ePO.Endpoint.SysvolTotalSpace - description: The total amount of system volume space in the endpoint. -- contextPath: McAfee.ePO.Endpoint.Tags - description: Endpoint ePO tags. -- contextPath: McAfee.ePO.Endpoint.ExcludedTags - description: Endpoint EPO excluded tags. -- contextPath: McAfee.ePO.Endpoint.LastUpdate - description: The date the endpoint was last updated. -- contextPath: McAfee.ePO.Endpoint.ManagedState - description: Endpoint managed state. -- contextPath: McAfee.ePO.Endpoint.AgentGUID - description: Endpoint agent GUID. -- contextPath: McAfee.ePO.Endpoint.AgentVersion - description: Endpoint agent version. -- contextPath: McAfee.ePO.Endpoint.AutoID - description: Endpoint auto ID. -- contextPath: CrowdStrike.Device.ID - description: The ID of the device. -- contextPath: CrowdStrike.Device.LocalIP - description: The local IP address of the device. -- contextPath: CrowdStrike.Device.ExternalIP - description: The external IP address of the device. -- contextPath: CrowdStrike.Device.Hostname - description: The host name of the device. -- contextPath: CrowdStrike.Device.OS - description: The operating system of the device. -- contextPath: CrowdStrike.Device.MacAddress - description: The MAC address of the device. -- contextPath: CrowdStrike.Device.FirstSeen - description: The first time the device was seen. -- contextPath: CrowdStrike.Device.LastSeen - description: The last time the device was seen. -- contextPath: CrowdStrike.Device.PolicyType - description: The policy type of the device. -- contextPath: CrowdStrike.Device.Status - description: The device status. -sourceplaybookid: Endpoint Enrichment - Generic v2.1 -starttaskid: "0" tags: - SOC - SOC_Framework +starttaskid: "0" tasks: "0": - continueonerrortype: "" id: "0" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#none#': - - "3" - note: false - quietmode: 0 - separatecontext: false - skipunavailable: false + taskid: 29bcd70f-1953-4061-84ce-4cde781ad9f7 + type: start task: - brand: "" id: 29bcd70f-1953-4061-84ce-4cde781ad9f7 - iscommand: false + version: -1 name: "" + iscommand: false + brand: "" playbooktaskmissingcomponent: - version: -1 - taskid: 29bcd70f-1953-4061-84ce-4cde781ad9f7 - timertriggers: [] - type: start + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "3" + separatecontext: false + continueonerrortype: "" view: |- { "position": { @@ -935,12 +58,26 @@ tasks: "y": 80 } } - "1": - continueonerrortype: "" - id: "1" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "1": + id: "1" + taskid: 54895e0d-9904-4e62-8f45-ebd0d17ad5c9 + type: title + task: + id: 54895e0d-9904-4e62-8f45-ebd0d17ad5c9 + version: -1 + name: Endpoint Products + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: + istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - "16" @@ -949,21 +86,8 @@ tasks: - "30" - "40" - "19" - note: false - quietmode: 0 separatecontext: false - skipunavailable: false - task: - brand: "" - id: 54895e0d-9904-4e62-8f45-ebd0d17ad5c9 - iscommand: false - name: Endpoint Products - playbooktaskmissingcomponent: - type: title - version: -1 - taskid: 54895e0d-9904-4e62-8f45-ebd0d17ad5c9 - timertriggers: [] - type: title + continueonerrortype: "" view: |- { "position": { @@ -971,20 +95,27 @@ tasks: "y": 410 } } - "3": - conditions: - - condition: - - - left: - iscontext: true - value: - simple: inputs.Hostname - operator: isNotEmpty - label: "yes" - continueonerrortype: "" - id: "3" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "3": + id: "3" + taskid: ddba13dd-92fc-47a3-8ffe-b849c626eb22 + type: condition + task: + id: ddba13dd-92fc-47a3-8ffe-b849c626eb22 + version: -1 + name: Is there an endpoint to enrich? + description: Checks whether there is at least one endpoint to enrich (by hostname). + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: + istaskmissingcomponenterrordismissed: false nexttasks: '#default#': - "4" @@ -992,25 +123,19 @@ tasks: - "24" - "1" - "35" - note: false - quietmode: 0 scriptarguments: value: simple: ${inputs.Hostname} separatecontext: false - skipunavailable: false - task: - brand: "" - description: Checks whether there is at least one endpoint to enrich (by hostname). - id: ddba13dd-92fc-47a3-8ffe-b849c626eb22 - iscommand: false - name: Is there an endpoint to enrich? - playbooktaskmissingcomponent: - type: condition - version: -1 - taskid: ddba13dd-92fc-47a3-8ffe-b849c626eb22 - timertriggers: [] - type: condition + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: inputs.Hostname + iscontext: true + continueonerrortype: "" view: |- { "position": { @@ -1018,27 +143,28 @@ tasks: "y": 215 } } - "4": - continueonerrortype: "" - id: "4" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false note: false - quietmode: 0 - separatecontext: false + timertriggers: [] + ignoreworker: false skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "4": + id: "4" + taskid: ea90c16b-6985-4f28-816f-78608df3fe51 + type: title task: - brand: "" id: ea90c16b-6985-4f28-816f-78608df3fe51 - iscommand: false + version: -1 name: Done - playbooktaskmissingcomponent: type: title - version: -1 - taskid: ea90c16b-6985-4f28-816f-78608df3fe51 - timertriggers: [] - type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: + istaskmissingcomponenterrordismissed: false + separatecontext: false + continueonerrortype: "" view: |- { "position": { @@ -1046,58 +172,59 @@ tasks: "y": 1115 } } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "8": + id: "8" + taskid: 9fa921fa-d196-40ba-8419-ed0c4f838ab8 + type: condition + task: + id: 9fa921fa-d196-40ba-8419-ed0c4f838ab8 + version: -1 + name: Is Carbon Black Enterprise Response enabled? + description: Checks if there is an active instance of the Carbon Black Enterprise + Response integration enabled. + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "4" + "yes": + - "9" + separatecontext: false conditions: - - condition: - - - ignorecase: true + - label: "yes" + condition: + - - operator: isEqualString left: - iscontext: true value: complex: - accessor: state + root: modules filters: - - - ignorecase: true + - - operator: containsGeneral left: - iscontext: true value: simple: modules.brand - operator: containsGeneral + iscontext: true right: value: simple: VMware Carbon Black EDR v2 - root: modules - operator: isEqualString + ignorecase: true + accessor: state + iscontext: true right: value: simple: active - label: "yes" + ignorecase: true continueonerrortype: "" - id: "8" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#default#': - - "4" - "yes": - - "9" - note: false - quietmode: 0 - separatecontext: false - skipunavailable: false - task: - brand: "" - description: Checks if there is an active instance of the Carbon Black Enterprise - Response integration enabled. - id: 9fa921fa-d196-40ba-8419-ed0c4f838ab8 - iscommand: false - name: Is Carbon Black Enterprise Response enabled? - playbooktaskmissingcomponent: - type: condition - version: -1 - taskid: 9fa921fa-d196-40ba-8419-ed0c4f838ab8 - timertriggers: [] - type: condition view: |- { "position": { @@ -1105,19 +232,31 @@ tasks: "y": 690 } } - "9": - continueonerror: true - continueonerrortype: "" - id: "9" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "9": + id: "9" + taskid: 5e114375-db3d-4267-8f4d-0a411d4bb076 + type: regular + task: + id: 5e114375-db3d-4267-8f4d-0a411d4bb076 + version: -1 + name: Get host information from Carbon Black Enterprise Response + description: List the CarbonBlack sensors + script: '|||cb-edr-sensors-list' + type: regular + iscommand: true + brand: "" + playbooktaskmissingcomponent: + istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - "4" - note: false - quietmode: 0 - reputationcalc: 1 scriptarguments: hostname: complex: @@ -1134,21 +273,10 @@ tasks: root: inputs.IPAddress transformers: - operator: uniq + reputationcalc: 1 separatecontext: false - skipunavailable: true - task: - brand: "" - description: List the CarbonBlack sensors - id: 5e114375-db3d-4267-8f4d-0a411d4bb076 - iscommand: true - name: Get host information from Carbon Black Enterprise Response - playbooktaskmissingcomponent: - script: '|||cb-edr-sensors-list' - type: regular - version: -1 - taskid: 5e114375-db3d-4267-8f4d-0a411d4bb076 - timertriggers: [] - type: regular + continueonerror: true + continueonerrortype: "" view: |- { "position": { @@ -1156,120 +284,123 @@ tasks: "y": 860 } } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "10": + id: "10" + taskid: 42f088e2-cb74-485a-8318-0dae68cde0f0 + type: condition + task: + id: 42f088e2-cb74-485a-8318-0dae68cde0f0 + version: -1 + name: Is CrowdStrike Falcon enabled? + description: Checks if there is an active instance of the CrowdStrike Falcon + Host integration enabled. + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "4" + "yes": + - "38" + separatecontext: false conditions: - - condition: - - - ignorecase: true + - label: "yes" + condition: + - - operator: isEqualString left: - iscontext: true value: complex: - accessor: state + root: modules filters: - - - ignorecase: true + - - operator: isEqualString left: - iscontext: true value: simple: modules.brand - operator: isEqualString + iscontext: true right: value: simple: CrowdstrikeFalcon - root: modules - operator: isEqualString + ignorecase: true + accessor: state + iscontext: true right: value: simple: active - label: "yes" + ignorecase: true continueonerrortype: "" - id: "10" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#default#': - - "4" - "yes": - - "38" - note: false - quietmode: 0 - separatecontext: false - skipunavailable: false - task: - brand: "" - description: Checks if there is an active instance of the CrowdStrike Falcon - Host integration enabled. - id: 42f088e2-cb74-485a-8318-0dae68cde0f0 - iscommand: false - name: Is CrowdStrike Falcon enabled? - playbooktaskmissingcomponent: - type: condition - version: -1 - taskid: 42f088e2-cb74-485a-8318-0dae68cde0f0 - timertriggers: [] - type: condition view: |- { "position": { - "x": 2300, + "x": 2350, "y": 690 } } - "16": - continueonerrortype: "" - id: "16" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#none#': - - "33" note: false - quietmode: 0 - separatecontext: false + timertriggers: [] + ignoreworker: false skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "16": + id: "16" + taskid: d9d617d9-2efd-466e-8ce7-190f8db83b95 + type: title task: - brand: "" id: d9d617d9-2efd-466e-8ce7-190f8db83b95 - iscommand: false + version: -1 name: McAfee ePolicy Orchestrator - playbooktaskmissingcomponent: type: title - version: -1 - taskid: d9d617d9-2efd-466e-8ce7-190f8db83b95 - timertriggers: [] - type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "33" + separatecontext: false + continueonerrortype: "" view: |- { "position": { - "x": 680, + "x": 690, "y": 550 } } - "18": - continueonerrortype: "" - id: "18" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#none#': - - "8" note: false - quietmode: 0 - separatecontext: false + timertriggers: [] + ignoreworker: false skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "18": + id: "18" + taskid: 6cf08862-644d-479e-89ce-f9e173a8c562 + type: title task: - brand: "" id: 6cf08862-644d-479e-89ce-f9e173a8c562 - iscommand: false + version: -1 name: Carbon Black Enterprise Response - playbooktaskmissingcomponent: type: title - version: -1 - taskid: 6cf08862-644d-479e-89ce-f9e173a8c562 - timertriggers: [] - type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "8" + separatecontext: false + continueonerrortype: "" view: |- { "position": { @@ -1277,30 +408,31 @@ tasks: "y": 550 } } - "19": - continueonerrortype: "" - id: "19" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#none#': - - "48" note: false - quietmode: 0 - separatecontext: false + timertriggers: [] + ignoreworker: false skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "19": + id: "19" + taskid: 471d3862-a05c-42b1-871d-c1faa2fbb7a9 + type: title task: - brand: "" id: 471d3862-a05c-42b1-871d-c1faa2fbb7a9 - iscommand: false + version: -1 name: Cylance Protect v2 - playbooktaskmissingcomponent: type: title - version: -1 - taskid: 471d3862-a05c-42b1-871d-c1faa2fbb7a9 - timertriggers: [] - type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "48" + separatecontext: false + continueonerrortype: "" view: |- { "position": { @@ -1308,30 +440,31 @@ tasks: "y": 550 } } - "20": - continueonerrortype: "" - id: "20" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#none#': - - "10" note: false - quietmode: 0 - separatecontext: false + timertriggers: [] + ignoreworker: false skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "20": + id: "20" + taskid: 5d371f29-3a4c-43c5-8f71-b383db2e5320 + type: title task: - brand: "" id: 5d371f29-3a4c-43c5-8f71-b383db2e5320 - iscommand: false + version: -1 name: CrowdStrike Falcon - playbooktaskmissingcomponent: type: title - version: -1 - taskid: 5d371f29-3a4c-43c5-8f71-b383db2e5320 - timertriggers: [] - type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "10" + separatecontext: false + continueonerrortype: "" view: |- { "position": { @@ -1339,60 +472,61 @@ tasks: "y": 550 } } - "22": - conditions: - - condition: - - - left: - iscontext: true - value: - complex: - filters: - - - left: - iscontext: true - value: - simple: brand - operator: isEqualString - right: - value: - simple: Active Directory Query v2 - - - left: - iscontext: true - value: - simple: state - operator: isEqualString - right: - value: - simple: active - root: modules - operator: isExists - label: "yes" - continueonerrortype: "" - id: "22" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#default#': - - "4" - "yes": - - "23" note: false - quietmode: 0 - separatecontext: false + timertriggers: [] + ignoreworker: false skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "22": + id: "22" + taskid: f7f190b9-5a39-4d8a-83a5-77d5a023f0d4 + type: condition task: - brand: "" + id: f7f190b9-5a39-4d8a-83a5-77d5a023f0d4 + version: -1 + name: Is Active Directory Query v2 enabled? description: Checks if there is an active instance of the Active Directory Query v2 integration enabled. - id: f7f190b9-5a39-4d8a-83a5-77d5a023f0d4 + type: condition iscommand: false - name: Is Active Directory Query v2 enabled? + brand: "" playbooktaskmissingcomponent: - type: condition - version: -1 - taskid: f7f190b9-5a39-4d8a-83a5-77d5a023f0d4 - timertriggers: [] - type: condition + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "4" + "yes": + - "23" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isExists + left: + value: + complex: + root: modules + filters: + - - operator: isEqualString + left: + value: + simple: brand + iscontext: true + right: + value: + simple: Active Directory Query v2 + - - operator: isEqualString + left: + value: + simple: state + iscontext: true + right: + value: + simple: active + iscontext: true + continueonerrortype: "" view: |- { "position": { @@ -1400,44 +534,45 @@ tasks: "y": 690 } } - "23": - continueonerror: true - continueonerrortype: errorPath - id: "23" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "23": + id: "23" + taskid: 8da54a09-4c7e-4a26-a5eb-6fbe51fbf3f0 + type: regular + task: + id: 8da54a09-4c7e-4a26-a5eb-6fbe51fbf3f0 + version: -1 + name: Get host information from Active Directory + description: Retrieves detailed information about a computer account. The computer + can be specified by name, email address, or as an Active Directory Distinguished + Name (DN). If no filters are provided, all computers are returned. + script: '|||ad-get-computer' + type: regular + iscommand: true + brand: "" + playbooktaskmissingcomponent: + istaskmissingcomponenterrordismissed: false nexttasks: '#error#': - - "46" + - "49" '#none#': - "4" - note: false - quietmode: 0 - reputationcalc: 1 scriptarguments: name: complex: root: inputs.Hostname transformers: - operator: uniq + reputationcalc: 1 separatecontext: false - skipunavailable: true - task: - brand: "" - description: Retrieves detailed information about a computer account. The computer - can be specified by name, email address, or as an Active Directory Distinguished - Name (DN). If no filters are provided, all computers are returned. - id: 8da54a09-4c7e-4a26-a5eb-6fbe51fbf3f0 - iscommand: true - name: Get host information from Active Directory - playbooktaskmissingcomponent: - script: '|||ad-get-computer' - type: regular - version: -1 - taskid: 8da54a09-4c7e-4a26-a5eb-6fbe51fbf3f0 - timertriggers: [] - type: regular + continueonerror: true + continueonerrortype: errorPath view: |- { "position": { @@ -1445,30 +580,31 @@ tasks: "y": 860 } } - "24": - continueonerrortype: "" - id: "24" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#none#': - - "22" note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true quietmode: 0 - separatecontext: false - skipunavailable: false + isoversize: false + isautoswitchedtoquietmode: false + "24": + id: "24" + taskid: 9706cc39-d338-44cd-8ee1-efc5ea95b04d + type: title task: - brand: "" id: 9706cc39-d338-44cd-8ee1-efc5ea95b04d - iscommand: false + version: -1 name: Active Directory - playbooktaskmissingcomponent: type: title - version: -1 - taskid: 9706cc39-d338-44cd-8ee1-efc5ea95b04d - timertriggers: [] - type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "22" + separatecontext: false + continueonerrortype: "" view: |- { "position": { @@ -1476,30 +612,31 @@ tasks: "y": 550 } } - "30": - continueonerrortype: "" - id: "30" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#none#': - - "31" note: false - quietmode: 0 - separatecontext: false + timertriggers: [] + ignoreworker: false skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "30": + id: "30" + taskid: ec344482-77f7-42b5-8ee4-34317afd1179 + type: title task: - brand: "" id: ec344482-77f7-42b5-8ee4-34317afd1179 - iscommand: false + version: -1 name: ExtraHop Reveal(x) - playbooktaskmissingcomponent: type: title - version: -1 - taskid: ec344482-77f7-42b5-8ee4-34317afd1179 - timertriggers: [] - type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "31" + separatecontext: false + continueonerrortype: "" view: |- { "position": { @@ -1507,57 +644,58 @@ tasks: "y": 550 } } - "31": - continueonerrortype: "" - id: "31" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "31": + id: "31" + taskid: 58c8b4be-657c-45f6-8eca-5a01da85f1f3 + type: condition + task: + id: 58c8b4be-657c-45f6-8eca-5a01da85f1f3 + version: -1 + name: Is ExtraHop Reveal(x) enabled? + description: Checks if there is an active instance of the ExtraHop Reveal(x) + integration enabled. + scriptName: Exists + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: + istaskmissingcomponenterrordismissed: false nexttasks: '#default#': - "4" "yes": - "32" - note: false - quietmode: 0 - reputationcalc: 1 scriptarguments: value: complex: + root: modules filters: - - - left: - iscontext: true + - - operator: isEqualString + left: value: simple: brand - operator: isEqualString + iscontext: true right: value: simple: ExtraHop v2 - - - left: - iscontext: true + - - operator: isEqualString + left: value: simple: state - operator: isEqualString + iscontext: true right: value: simple: active - root: modules + reputationcalc: 1 separatecontext: false - skipunavailable: false - task: - brand: "" - description: Checks if there is an active instance of the ExtraHop Reveal(x) - integration enabled. - id: 58c8b4be-657c-45f6-8eca-5a01da85f1f3 - iscommand: false - name: Is ExtraHop Reveal(x) enabled? - playbooktaskmissingcomponent: - script: Exists - type: condition - version: -1 - taskid: 58c8b4be-657c-45f6-8eca-5a01da85f1f3 - timertriggers: [] - type: condition + continueonerrortype: "" view: |- { "position": { @@ -1565,20 +703,33 @@ tasks: "y": 690 } } - "32": - continueonerror: true - continueonerrortype: errorPath - id: "32" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "32": + id: "32" + taskid: 03a8e3c0-2469-41ee-97c8-b0c792be32ec + type: regular + task: + id: 03a8e3c0-2469-41ee-97c8-b0c792be32ec + version: -1 + name: Get host information from ExtraHop Reveal(x) + description: Search for devices in ExtraHop Reveal(x). + script: ExtraHop v2|||extrahop-devices-search + type: regular + iscommand: true + brand: ExtraHop v2 + playbooktaskmissingcomponent: + istaskmissingcomponenterrordismissed: false nexttasks: '#error#': - - "46" + - "49" '#none#': - "4" - note: false - quietmode: 0 scriptarguments: ip: complex: @@ -1591,20 +742,8 @@ tasks: transformers: - operator: uniq separatecontext: false - skipunavailable: true - task: - brand: ExtraHop v2 - description: Search for devices in ExtraHop Reveal(x). - id: 03a8e3c0-2469-41ee-97c8-b0c792be32ec - iscommand: true - name: Get host information from ExtraHop Reveal(x) - playbooktaskmissingcomponent: - script: ExtraHop v2|||extrahop-devices-search - type: regular - version: -1 - taskid: 03a8e3c0-2469-41ee-97c8-b0c792be32ec - timertriggers: [] - type: regular + continueonerror: true + continueonerrortype: errorPath view: |- { "position": { @@ -1612,61 +751,62 @@ tasks: "y": 860 } } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "33": + id: "33" + taskid: bf7d9316-446b-452b-843a-3e5a13b8b741 + type: condition + task: + id: bf7d9316-446b-452b-843a-3e5a13b8b741 + version: -1 + name: is Mcafee ePolicy Orchestrator v2 enabled + description: Checks if there is an active Mcafee ePolicy Orchestrator v2 integration + instance enabled. + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "4" + "yes": + - "34" + separatecontext: false conditions: - - condition: - - - left: - iscontext: true + - label: "yes" + condition: + - - operator: isEqualString + left: value: complex: - accessor: brand + root: modules filters: - - - left: - iscontext: true + - - operator: isExists + left: value: simple: modules.brand - operator: isExists - - - left: iscontext: true + - - operator: isEqualString + left: value: simple: modules.state - operator: isEqualString + iscontext: true right: value: simple: active - root: modules - operator: isEqualString + accessor: brand + iscontext: true right: value: simple: McAfee ePO v2 - label: "yes" continueonerrortype: "" - id: "33" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#default#': - - "4" - "yes": - - "34" - note: false - quietmode: 0 - separatecontext: false - skipunavailable: false - task: - brand: "" - description: Checks if there is an active Mcafee ePolicy Orchestrator v2 integration - instance enabled. - id: bf7d9316-446b-452b-843a-3e5a13b8b741 - iscommand: false - name: is Mcafee ePolicy Orchestrator v2 enabled - playbooktaskmissingcomponent: - type: condition - version: -1 - taskid: bf7d9316-446b-452b-843a-3e5a13b8b741 - timertriggers: [] - type: condition view: |- { "position": { @@ -1674,20 +814,33 @@ tasks: "y": 690 } } - "34": - continueonerror: true - continueonerrortype: errorPath - id: "34" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "34": + id: "34" + taskid: 8e881985-e5e1-4aec-ac66-0cbc1186879d + type: regular + task: + id: 8e881985-e5e1-4aec-ac66-0cbc1186879d + version: -1 + name: Get- host information from McAfee ePO v2 + description: Finds systems in the McAfee ePO system tree. + script: '|||epo-find-system' + type: regular + iscommand: true + brand: "" + playbooktaskmissingcomponent: + istaskmissingcomponenterrordismissed: false nexttasks: '#error#': - - "46" + - "49" '#none#': - "4" - note: false - quietmode: 0 scriptarguments: searchText: complex: @@ -1697,20 +850,8 @@ tasks: verbose: simple: "false" separatecontext: false - skipunavailable: true - task: - brand: "" - description: Finds systems in the McAfee ePO system tree. - id: 8e881985-e5e1-4aec-ac66-0cbc1186879d - iscommand: true - name: Get- host information from McAfee ePO v2 - playbooktaskmissingcomponent: - script: '|||epo-find-system' - type: regular - version: -1 - taskid: 8e881985-e5e1-4aec-ac66-0cbc1186879d - timertriggers: [] - type: regular + continueonerror: true + continueonerrortype: errorPath view: |- { "position": { @@ -1718,30 +859,31 @@ tasks: "y": 860 } } - "35": - continueonerrortype: "" - id: "35" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#none#': - - "36" note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true quietmode: 0 - separatecontext: false - skipunavailable: false + isoversize: false + isautoswitchedtoquietmode: false + "35": + id: "35" + taskid: f2dbaff5-7c92-47ad-80cc-991bfd80ff98 + type: title task: - brand: "" id: f2dbaff5-7c92-47ad-80cc-991bfd80ff98 - iscommand: false + version: -1 name: Endpoint Reputation - playbooktaskmissingcomponent: type: title - version: -1 - taskid: f2dbaff5-7c92-47ad-80cc-991bfd80ff98 - timertriggers: [] - type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "36" + separatecontext: false + continueonerrortype: "" view: |- { "position": { @@ -1749,46 +891,47 @@ tasks: "y": 550 } } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "36": + id: "36" + taskid: 50fed99c-1eb9-4a6f-85d0-f9d5ee74bc5a + type: condition + task: + id: 50fed99c-1eb9-4a6f-85d0-f9d5ee74bc5a + version: -1 + name: Should use !endpoint command? + description: Check if should run endpoint reputation command + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "4" + "yes": + - "37" + separatecontext: false conditions: - - condition: - - - ignorecase: true + - label: "yes" + condition: + - - operator: isEqualString left: - iscontext: true value: complex: root: inputs.UseReputationCommand - operator: isEqualString + iscontext: true right: value: simple: "True" - label: "yes" + ignorecase: true continueonerrortype: "" - id: "36" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#default#': - - "4" - "yes": - - "37" - note: false - quietmode: 0 - separatecontext: false - skipunavailable: false - task: - brand: "" - description: Check if should run endpoint reputation command - id: 50fed99c-1eb9-4a6f-85d0-f9d5ee74bc5a - iscommand: false - name: Should use !endpoint command? - playbooktaskmissingcomponent: - type: condition - version: -1 - taskid: 50fed99c-1eb9-4a6f-85d0-f9d5ee74bc5a - timertriggers: [] - type: condition view: |- { "position": { @@ -1796,20 +939,33 @@ tasks: "y": 690 } } - "37": - continueonerror: true - continueonerrortype: errorPath - id: "37" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "37": + id: "37" + taskid: f8a264ea-5bb0-4a34-910b-7e0706f65f1f + type: regular + task: + id: f8a264ea-5bb0-4a34-910b-7e0706f65f1f + version: -1 + name: Check Reputation + description: Returns information about an endpoint. + script: '|||endpoint' + type: regular + iscommand: true + brand: "" + playbooktaskmissingcomponent: + istaskmissingcomponenterrordismissed: false nexttasks: '#error#': - - "46" + - "49" '#none#': - "4" - note: false - quietmode: 0 scriptarguments: hostname: complex: @@ -1827,20 +983,8 @@ tasks: transformers: - operator: uniq separatecontext: false - skipunavailable: true - task: - brand: "" - description: Returns information about an endpoint. - id: f8a264ea-5bb0-4a34-910b-7e0706f65f1f - iscommand: true - name: Check Reputation - playbooktaskmissingcomponent: - script: '|||endpoint' - type: regular - version: -1 - taskid: f8a264ea-5bb0-4a34-910b-7e0706f65f1f - timertriggers: [] - type: regular + continueonerror: true + continueonerrortype: errorPath view: |- { "position": { @@ -1848,20 +992,33 @@ tasks: "y": 860 } } - "38": - continueonerror: true - continueonerrortype: errorPath - id: "38" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: true + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "38": + id: "38" + taskid: 97c2d94e-2a74-48d9-9404-8049e310925c + type: regular + task: + id: 97c2d94e-2a74-48d9-9404-8049e310925c + version: -1 + name: Crowdstrike Search device + description: Searches for a device that matches the query. + script: CrowdstrikeFalcon|||cs-falcon-search-device + type: regular + iscommand: true + brand: CrowdstrikeFalcon + playbooktaskmissingcomponent: + istaskmissingcomponenterrordismissed: false nexttasks: '#error#': - - "46" + - "49" '#none#': - "4" - note: false - quietmode: 0 scriptarguments: hostname: complex: @@ -1874,20 +1031,8 @@ tasks: transformers: - operator: uniq separatecontext: false - skipunavailable: true - task: - brand: CrowdstrikeFalcon - description: Searches for a device that matches the query. - id: f47666ba-7f37-43aa-a93f-658ca592f44f - iscommand: true - name: Crowdstrike Search device - playbooktaskmissingcomponent: - script: CrowdstrikeFalcon|||cs-falcon-search-device - type: regular - version: -1 - taskid: f47666ba-7f37-43aa-a93f-658ca592f44f - timertriggers: [] - type: regular + continueonerror: true + continueonerrortype: errorPath view: |- { "position": { @@ -1895,59 +1040,60 @@ tasks: "y": 860 } } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "39": + id: "39" + taskid: 284d5ea3-58c1-4a0f-87c4-5c395d75a65c + type: condition + task: + id: 284d5ea3-58c1-4a0f-87c4-5c395d75a65c + version: -1 + name: Is Cortex XDR enabled? + description: Checks if there is an active instance of the Cortex XDR integration + enabled. + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "4" + "yes": + - "41" + - "42" + separatecontext: false conditions: - - condition: - - - ignorecase: true + - label: "yes" + condition: + - - operator: isEqualString left: - iscontext: true value: complex: - accessor: state + root: modules filters: - - - ignorecase: true + - - operator: isEqualString left: - iscontext: true value: simple: modules.brand - operator: isEqualString + iscontext: true right: value: simple: Cortex XDR - IR - root: modules - operator: isEqualString + ignorecase: true + accessor: state + iscontext: true right: value: simple: active - label: "yes" + ignorecase: true continueonerrortype: "" - id: "39" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#default#': - - "4" - "yes": - - "41" - - "42" - note: false - quietmode: 0 - separatecontext: false - skipunavailable: false - task: - brand: "" - description: Checks if there is an active instance of the Cortex XDR integration - enabled. - id: 284d5ea3-58c1-4a0f-87c4-5c395d75a65c - iscommand: false - name: Is Cortex XDR enabled? - playbooktaskmissingcomponent: - type: condition - version: -1 - taskid: 284d5ea3-58c1-4a0f-87c4-5c395d75a65c - timertriggers: [] - type: condition view: |- { "position": { @@ -1955,31 +1101,32 @@ tasks: "y": 690 } } - "40": - continueonerrortype: "" - id: "40" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "40": + id: "40" + taskid: 12dd4de8-094d-4760-8284-22e212b5b76d + type: title + task: + id: 12dd4de8-094d-4760-8284-22e212b5b76d + version: -1 + name: Cortex XDR / Core IR + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: + istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - "39" - "43" - note: false - quietmode: 0 separatecontext: false - skipunavailable: false - task: - brand: "" - id: 12dd4de8-094d-4760-8284-22e212b5b76d - iscommand: false - name: Cortex XDR / Core IR - playbooktaskmissingcomponent: - type: title - version: -1 - taskid: 12dd4de8-094d-4760-8284-22e212b5b76d - timertriggers: [] - type: title + continueonerrortype: "" view: |- { "position": { @@ -1987,20 +1134,37 @@ tasks: "y": 550 } } - "41": - continueonerror: true - continueonerrortype: errorPath - id: "41" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "41": + id: "41" + taskid: 28d5399e-9856-4c0e-ae6f-26790468a680 + type: regular + task: + id: 28d5399e-9856-4c0e-ae6f-26790468a680 + version: -1 + name: Cortex XDR Search device + description: Gets a list of endpoints, according to the passed filters. If there + are no filters, all endpoints are returned. Filtering by multiple fields will + be concatenated using AND condition (OR is not supported). Maximum result + set size is 100. Offset is the zero-based number of endpoint from the start + of the result set (start by counting from 0). + script: '|||xdr-get-endpoints' + type: regular + iscommand: true + brand: "" + playbooktaskmissingcomponent: + istaskmissingcomponenterrordismissed: false nexttasks: '#error#': - - "46" + - "49" '#none#': - "4" - note: false - quietmode: 0 scriptarguments: endpoint_id_list: complex: @@ -2018,24 +1182,8 @@ tasks: transformers: - operator: uniq separatecontext: false - skipunavailable: true - task: - brand: "" - description: Gets a list of endpoints, according to the passed filters. If there - are no filters, all endpoints are returned. Filtering by multiple fields will - be concatenated using AND condition (OR is not supported). Maximum result - set size is 100. Offset is the zero-based number of endpoint from the start - of the result set (start by counting from 0). - id: 28d5399e-9856-4c0e-ae6f-26790468a680 - iscommand: true - name: Cortex XDR Search device - playbooktaskmissingcomponent: - script: '|||xdr-get-endpoints' - type: regular - version: -1 - taskid: 28d5399e-9856-4c0e-ae6f-26790468a680 - timertriggers: [] - type: regular + continueonerror: true + continueonerrortype: errorPath view: |- { "position": { @@ -2043,20 +1191,35 @@ tasks: "y": 860 } } - "42": - continueonerror: true - continueonerrortype: errorPath - id: "42" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: true + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "42": + id: "42" + taskid: 00b0ba80-bdc5-4012-8238-334800df9bbd + type: regular + task: + id: 00b0ba80-bdc5-4012-8238-334800df9bbd + version: -1 + name: Cortex XDR get endpoint risk score + description: Retrieve the risk score of a specific host or list of hosts with + the highest risk score in the environment along with the reason affecting + each score. + script: '|||xdr-list-risky-hosts' + type: regular + iscommand: true + brand: "" + playbooktaskmissingcomponent: + istaskmissingcomponenterrordismissed: false nexttasks: '#error#': - - "46" + - "49" '#none#': - "4" - note: false - quietmode: 0 scriptarguments: host_id: complex: @@ -2064,22 +1227,8 @@ tasks: transformers: - operator: uniq separatecontext: false - skipunavailable: true - task: - brand: "" - description: Retrieve the risk score of a specific host or list of hosts with - the highest risk score in the environment along with the reason affecting - each score. - id: 00b0ba80-bdc5-4012-8238-334800df9bbd - iscommand: true - name: Cortex XDR get endpoint risk score - playbooktaskmissingcomponent: - script: '|||xdr-list-risky-hosts' - type: regular - version: -1 - taskid: 00b0ba80-bdc5-4012-8238-334800df9bbd - timertriggers: [] - type: regular + continueonerror: true + continueonerrortype: errorPath view: |- { "position": { @@ -2087,39 +1236,40 @@ tasks: "y": 860 } } - "43": - continueonerrortype: "" - id: "43" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: true + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "43": + id: "43" + taskid: adb8d36c-cdb3-4676-8d4a-da7fbc43188c + type: condition + task: + id: adb8d36c-cdb3-4676-8d4a-da7fbc43188c + version: -1 + name: Is Cortex Core - IR integration enabled? + description: Checks if there is an active instance of the Cortex Core integration + enabled. + scriptName: IsIntegrationAvailable + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: + istaskmissingcomponenterrordismissed: false nexttasks: '#default#': - "4" "yes": - "44" - "45" - note: false - quietmode: 0 scriptarguments: brandname: simple: Cortex Core - IR separatecontext: false - skipunavailable: false - task: - brand: "" - description: Checks if there is an active instance of the Cortex Core integration - enabled. - id: adb8d36c-cdb3-4676-8d4a-da7fbc43188c - iscommand: false - name: Is Cortex Core - IR integration enabled? - playbooktaskmissingcomponent: - script: IsIntegrationAvailable - type: condition - version: -1 - taskid: adb8d36c-cdb3-4676-8d4a-da7fbc43188c - timertriggers: [] - type: condition + continueonerrortype: "" view: |- { "position": { @@ -2127,20 +1277,37 @@ tasks: "y": 690 } } - "44": - continueonerror: true - continueonerrortype: errorPath - id: "44" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "44": + id: "44" + taskid: 28ddac6d-c9fd-4997-9667-6bdd8538d69e + type: regular + task: + id: 28ddac6d-c9fd-4997-9667-6bdd8538d69e + version: -1 + name: Core IR Search device + description: Gets a list of endpoints, according to the passed filters. If there + are no filters, all endpoints are returned. Filtering by multiple fields will + be concatenated using AND condition (OR is not supported). Maximum result + set size is 100. Offset is the zero-based number of endpoint from the start + of the result set (start by counting from 0). + script: '|||core-get-endpoints' + type: regular + iscommand: true + brand: "" + playbooktaskmissingcomponent: + istaskmissingcomponenterrordismissed: false nexttasks: '#error#': - - "46" + - "49" '#none#': - "4" - note: false - quietmode: 0 scriptarguments: endpoint_id_list: complex: @@ -2158,24 +1325,8 @@ tasks: transformers: - operator: uniq separatecontext: false - skipunavailable: true - task: - brand: "" - description: Gets a list of endpoints, according to the passed filters. If there - are no filters, all endpoints are returned. Filtering by multiple fields will - be concatenated using AND condition (OR is not supported). Maximum result - set size is 100. Offset is the zero-based number of endpoint from the start - of the result set (start by counting from 0). - id: 28ddac6d-c9fd-4997-9667-6bdd8538d69e - iscommand: true - name: Core IR Search device - playbooktaskmissingcomponent: - script: '|||core-get-endpoints' - type: regular - version: -1 - taskid: 28ddac6d-c9fd-4997-9667-6bdd8538d69e - timertriggers: [] - type: regular + continueonerror: true + continueonerrortype: errorPath view: |- { "position": { @@ -2183,31 +1334,35 @@ tasks: "y": 860 } } - "45": - continueonerror: true - continueonerrortype: errorPath - fieldMapping: - - incidentfield: Host Risk Level - output: - complex: - accessor: risk_level - root: Core.RiskyHost - - incidentfield: Host Risk Reasons - output: - complex: - accessor: description - root: Core.RiskyHost.reasons - id: "45" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: true + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "45": + id: "45" + taskid: e24e0b83-679a-4e52-828f-b3637fedd2c1 + type: regular + task: + id: e24e0b83-679a-4e52-828f-b3637fedd2c1 + version: -1 + name: Core IR get endpoint risk score + description: Retrieve the risk score of a specific host or list of hosts with + the highest risk score in the environment along with the reason affecting + each score. + script: '|||core-list-risky-hosts' + type: regular + iscommand: true + brand: "" + playbooktaskmissingcomponent: + istaskmissingcomponenterrordismissed: false nexttasks: '#error#': - - "46" + - "49" '#none#': - "4" - note: false - quietmode: 0 scriptarguments: host_id: complex: @@ -2215,22 +1370,8 @@ tasks: transformers: - operator: uniq separatecontext: false - skipunavailable: true - task: - brand: "" - description: Retrieve the risk score of a specific host or list of hosts with - the highest risk score in the environment along with the reason affecting - each score. - id: e24e0b83-679a-4e52-828f-b3637fedd2c1 - iscommand: true - name: Core IR get endpoint risk score - playbooktaskmissingcomponent: - script: '|||core-list-risky-hosts' - type: regular - version: -1 - taskid: e24e0b83-679a-4e52-828f-b3637fedd2c1 - timertriggers: [] - type: regular + continueonerror: true + continueonerrortype: errorPath view: |- { "position": { @@ -2238,68 +1379,88 @@ tasks: "y": 860 } } - "46": - continueonerrortype: "" - id: "46" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false note: false + timertriggers: [] + ignoreworker: false + fieldMapping: + - incidentfield: Host Risk Level + output: + complex: + root: Core.RiskyHost + accessor: risk_level + - incidentfield: Host Risk Reasons + output: + complex: + root: Core.RiskyHost.reasons + accessor: description + skipunavailable: true quietmode: 0 - separatecontext: true - skipunavailable: false + isoversize: false + isautoswitchedtoquietmode: false + "48": + id: "48" + taskid: a311d42a-1d50-4464-8a6b-2babd00963a2 + type: playbook task: - brand: "" - id: 1d871fe2-8ca6-4e9b-8165-12554326dcc7 + id: a311d42a-1d50-4464-8a6b-2babd00963a2 + version: -1 + name: SOC Endpoint Enrichment - Cylance Protect v2 + playbookName: SOC Endpoint Enrichment - Cylance Protect v2 + type: playbook iscommand: false - name: Foundation - Error Handling - playbookId: Foundation - Error Handling + brand: "" playbooktaskmissingcomponent: - type: playbook - version: -1 - taskid: 1d871fe2-8ca6-4e9b-8165-12554326dcc7 - timertriggers: [] - type: playbook + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "4" + separatecontext: true + continueonerrortype: "" view: |- { "position": { - "x": 700, - "y": 1110 + "x": 270, + "y": 690 } } - "48": - continueonerrortype: "" - id: "48" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#none#': - - "4" note: false - quietmode: 0 - separatecontext: true + timertriggers: [] + ignoreworker: false skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "49": + id: "49" + taskid: 699918ad-f689-4054-8864-d2dae7a92fe5 + type: playbook task: - brand: "" - id: a311d42a-1d50-4464-8a6b-2babd00963a2 + id: 699918ad-f689-4054-8864-d2dae7a92fe5 + version: -1 + name: Foundation - Error Handling_V3 + playbookName: Foundation - Error Handling_V3 + type: playbook iscommand: false - name: SOC Endpoint Enrichment - Cylance Protect v2 - playbookId: SOC Endpoint Enrichment - Cylance Protect v2 + brand: "" playbooktaskmissingcomponent: - type: playbook - version: -1 - taskid: a311d42a-1d50-4464-8a6b-2babd00963a2 - timertriggers: [] - type: playbook + istaskmissingcomponenterrordismissed: false + separatecontext: true + continueonerrortype: "" view: |- { "position": { - "x": 270, - "y": 690 + "x": 790, + "y": 1200 } } -version: -1 + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false +system: true view: |- { "linkLabelsPosition": { @@ -2310,8 +1471,10 @@ view: |- "31_4_#default#": 0.1, "33_34_yes": 0.64, "33_4_#default#": 0.1, + "34_49_#error#": 0.9, "36_37_yes": 0.49, "36_4_#default#": 0.1, + "38_49_#error#": 0.89, "39_4_#default#": 0.1, "3_1_yes": 0.3, "3_24_yes": 0.41, @@ -2322,11 +1485,884 @@ view: |- }, "paper": { "dimensions": { - "height": 1100, + "height": 1195, "width": 5660, "x": -920, "y": 80 } } } +inputs: +- key: Hostname + value: + complex: + root: Endpoint + accessor: Hostname + transformers: + - operator: uniq + required: false + description: The hostname of the endpoint to enrich. + playbookInputQuery: +- key: UseReputationCommand + value: + simple: "False" + required: true + description: |- + Define if you would like to use the !endpoint command. + Note: This input should be used whenever there is no auto-extract enabled in the investigation flow. + Possible values: True / False. + playbookInputQuery: +- key: IPAddress + value: + complex: + root: Endpoint + accessor: IPAddress + transformers: + - operator: uniq + required: false + description: The IP address of the endpoint to enrich. + playbookInputQuery: +- key: EndpointID + value: + complex: + root: Endpoint + accessor: ID + transformers: + - operator: uniq + required: false + description: The endpoint ID of the endpoint to enrich. + playbookInputQuery: +inputSections: +- inputs: + - Hostname + - UseReputationCommand + - IPAddress + - EndpointID + name: General (Inputs group) + description: Generic group for inputs +outputSections: +- outputs: + - Endpoint + - Endpoint.Hostname + - Endpoint.OS + - Endpoint.IP + - Endpoint.MAC + - Endpoint.Domain + - CylanceProtectDevice + - ExtraHop.Device.Macaddr + - ExtraHop.Device.DeviceClass + - ExtraHop.Device.UserModTime + - ExtraHop.Device.AutoRole + - ExtraHop.Device.ParentId + - ExtraHop.Device.Vendor + - ExtraHop.Device.Analysis + - ExtraHop.Device.DiscoveryId + - ExtraHop.Device.DefaultName + - ExtraHop.Device.DisplayName + - ExtraHop.Device.OnWatchlist + - ExtraHop.Device.ModTime + - ExtraHop.Device.IsL3 + - ExtraHop.Device.Role + - ExtraHop.Device.DiscoverTime + - ExtraHop.Device.Id + - ExtraHop.Device.Ipaddr4 + - ExtraHop.Device.Vlanid + - ExtraHop.Device.Ipaddr6 + - ExtraHop.Device.NodeId + - ExtraHop.Device.Description + - ExtraHop.Device.DnsName + - ExtraHop.Device.DhcpName + - ExtraHop.Device.CdpName + - ExtraHop.Device.NetbiosName + - ExtraHop.Device.Url + - Endpoint.IPAddress + - Endpoint.ID + - Endpoint.Status + - Endpoint.IsIsolated + - Endpoint.MACAddress + - Endpoint.Vendor + - Endpoint.Relationships + - Endpoint.Processor + - Endpoint.Processors + - Endpoint.Memory + - Endpoint.Model + - Endpoint.BIOSVersion + - Endpoint.OSVersion + - Endpoint.DHCPServer + - McAfee.ePO.Endpoint + - Endpoint.Groups + - ActiveDirectory.ComputersPageCookie + - ActiveDirectory.Computers.dn + - ActiveDirectory.Computers.memberOf + - ActiveDirectory.Computers.name + - CrowdStrike.Device + - ActiveDirectory.Computers + - CarbonBlackEDR.Sensor.systemvolume_total_size + - CarbonBlackEDR.Sensor.emet_telemetry_path + - CarbonBlackEDR.Sensor.os_environment_display_string + - CarbonBlackEDR.Sensor.emet_version + - CarbonBlackEDR.Sensor.emet_dump_flags + - CarbonBlackEDR.Sensor.clock_delta + - CarbonBlackEDR.Sensor.supports_cblr + - CarbonBlackEDR.Sensor.sensor_uptime + - CarbonBlackEDR.Sensor.last_update + - CarbonBlackEDR.Sensor.physical_memory_size + - CarbonBlackEDR.Sensor.build_id + - CarbonBlackEDR.Sensor.uptime + - CarbonBlackEDR.Sensor.is_isolating + - CarbonBlackEDR.Sensor.event_log_flush_time + - CarbonBlackEDR.Sensor.computer_dns_name + - CarbonBlackEDR.Sensor.emet_report_setting + - CarbonBlackEDR.Sensor.id + - CarbonBlackEDR.Sensor.emet_process_count + - CarbonBlackEDR.Sensor.emet_is_gpo + - CarbonBlackEDR.Sensor.power_state + - CarbonBlackEDR.Sensor.network_isolation_enabled + - CarbonBlackEDR.Sensor.systemvolume_free_size + - CarbonBlackEDR.Sensor.status + - CarbonBlackEDR.Sensor.num_eventlog_bytes + - CarbonBlackEDR.Sensor.sensor_health_message + - CarbonBlackEDR.Sensor.build_version_string + - CarbonBlackEDR.Sensor.computer_sid + - CarbonBlackEDR.Sensor.next_checkin_time + - CarbonBlackEDR.Sensor.node_id + - CarbonBlackEDR.Sensor.cookie + - CarbonBlackEDR.Sensor.emet_exploit_action + - CarbonBlackEDR.Sensor.computer_name + - CarbonBlackEDR.Sensor.license_expiration + - CarbonBlackEDR.Sensor.supports_isolation + - CarbonBlackEDR.Sensor.parity_host_id + - CarbonBlackEDR.Sensor.supports_2nd_gen_modloads + - CarbonBlackEDR.Sensor.network_adapters + - CarbonBlackEDR.Sensor.sensor_health_status + - CarbonBlackEDR.Sensor.registration_time + - CarbonBlackEDR.Sensor.restart_queued + - CarbonBlackEDR.Sensor.notes + - CarbonBlackEDR.Sensor.num_storefiles_bytes + - CarbonBlackEDR.Sensor.os_environment_id + - CarbonBlackEDR.Sensor.shard_id + - CarbonBlackEDR.Sensor.boot_id + - CarbonBlackEDR.Sensor.last_checkin_time + - CarbonBlackEDR.Sensor.os_type + - CarbonBlackEDR.Sensor.group_id + - CarbonBlackEDR.Sensor.uninstall + - PaloAltoNetworksXDR.Endpoint + - PaloAltoNetworksXDR.Endpoint.endpoint_id + - PaloAltoNetworksXDR.Endpoint.endpoint_name + - PaloAltoNetworksXDR.Endpoint.endpoint_type + - PaloAltoNetworksXDR.Endpoint.endpoint_status + - PaloAltoNetworksXDR.Endpoint.os_type + - PaloAltoNetworksXDR.Endpoint.ip + - PaloAltoNetworksXDR.Endpoint.users + - PaloAltoNetworksXDR.Endpoint.domain + - PaloAltoNetworksXDR.Endpoint.alias + - PaloAltoNetworksXDR.Endpoint.first_seen + - PaloAltoNetworksXDR.Endpoint.last_seen + - PaloAltoNetworksXDR.Endpoint.content_version + - PaloAltoNetworksXDR.Endpoint.installation_package + - PaloAltoNetworksXDR.Endpoint.active_directory + - PaloAltoNetworksXDR.Endpoint.install_date + - PaloAltoNetworksXDR.Endpoint.endpoint_version + - PaloAltoNetworksXDR.Endpoint.is_isolated + - PaloAltoNetworksXDR.Endpoint.group_name + - PaloAltoNetworksXDR.Endpoint.count + - Account + - Account.Username + - Account.Domain + - PaloAltoNetworksXDR.RiskyHost + - PaloAltoNetworksXDR.RiskyHost.type + - PaloAltoNetworksXDR.RiskyHost.id + - PaloAltoNetworksXDR.RiskyHost.score + - PaloAltoNetworksXDR.RiskyHost.reasons + - PaloAltoNetworksXDR.RiskyHost.reasons.date created + - PaloAltoNetworksXDR.RiskyHost.reasons.description + - PaloAltoNetworksXDR.RiskyHost.reasons.severity + - PaloAltoNetworksXDR.RiskyHost.reasons.status + - PaloAltoNetworksXDR.RiskyHost.reasons.points + - Core.Endpoint + - Core.Endpoint.endpoint_id + - Core.Endpoint.endpoint_name + - Core.Endpoint.endpoint_type + - Core.Endpoint.endpoint_status + - Core.Endpoint.os_type + - Core.Endpoint.ip + - Core.Endpoint.users + - Core.Endpoint.domain + - Core.Endpoint.alias + - Core.Endpoint.first_seen + - Core.Endpoint.last_seen + - Core.Endpoint.content_version + - Core.Endpoint.installation_package + - Core.Endpoint.active_directory + - Core.Endpoint.install_date + - Core.Endpoint.endpoint_version + - Core.Endpoint.is_isolated + - Core.Endpoint.group_name + - Core.RiskyHost + - Core.RiskyHost.type + - Core.RiskyHost.id + - Core.RiskyHost.score + - Core.RiskyHost.reasons + - Core.RiskyHost.reasons.date created + - Core.RiskyHost.reasons.description + - Core.RiskyHost.reasons.severity + - Core.RiskyHost.reasons.status + - Core.RiskyHost.reasons.points + - McAfee.ePO.Endpoint.ParentID + - McAfee.ePO.Endpoint.ComputerName + - McAfee.ePO.Endpoint.Description + - McAfee.ePO.Endpoint.SystemDescription + - McAfee.ePO.Endpoint.TimeZone + - McAfee.ePO.Endpoint.DefaultLangID + - McAfee.ePO.Endpoint.UserName + - McAfee.ePO.Endpoint.Domain + - McAfee.ePO.Endpoint.Hostname + - McAfee.ePO.Endpoint.IPV6 + - McAfee.ePO.Endpoint.IPAddress + - McAfee.ePO.Endpoint.IPSubnet + - McAfee.ePO.Endpoint.IPSubnetMask + - McAfee.ePO.Endpoint.IPV4x + - McAfee.ePO.Endpoint.IPXAddress + - McAfee.ePO.Endpoint.SubnetAddress + - McAfee.ePO.Endpoint.SubnetMask + - McAfee.ePO.Endpoint.NetAddress + - McAfee.ePO.Endpoint.OSType + - McAfee.ePO.Endpoint.OSVersion + - McAfee.ePO.Endpoint.OSServicePackVer + - McAfee.ePO.Endpoint.OSBuildNum + - McAfee.ePO.Endpoint.OSPlatform + - McAfee.ePO.Endpoint.OSOEMID + - McAfee.ePO.Endpoint.Processor + - McAfee.ePO.Endpoint.CPUSpeed + - McAfee.ePO.Endpoint.Processors + - McAfee.ePO.Endpoint.CPUSerialNum + - McAfee.ePO.Endpoint.Memory + - McAfee.ePO.Endpoint.FreeMemory + - McAfee.ePO.Endpoint.FreeDiskSpace + - McAfee.ePO.Endpoint.TotalDiskSpace + - McAfee.ePO.Endpoint.UserProperty1 + - McAfee.ePO.Endpoint.UserProperty2 + - McAfee.ePO.Endpoint.UserProperty3 + - McAfee.ePO.Endpoint.UserProperty4 + - McAfee.ePO.Endpoint.SysvolFreeSpace + - McAfee.ePO.Endpoint.SysvolTotalSpace + - McAfee.ePO.Endpoint.Tags + - McAfee.ePO.Endpoint.ExcludedTags + - McAfee.ePO.Endpoint.LastUpdate + - McAfee.ePO.Endpoint.ManagedState + - McAfee.ePO.Endpoint.AgentGUID + - McAfee.ePO.Endpoint.AgentVersion + - McAfee.ePO.Endpoint.AutoID + - CrowdStrike.Device.ID + - CrowdStrike.Device.LocalIP + - CrowdStrike.Device.ExternalIP + - CrowdStrike.Device.Hostname + - CrowdStrike.Device.OS + - CrowdStrike.Device.MacAddress + - CrowdStrike.Device.FirstSeen + - CrowdStrike.Device.LastSeen + - CrowdStrike.Device.PolicyType + - CrowdStrike.Device.Status + name: General (Outputs group) + description: Generic group for outputs +outputs: +- contextPath: Endpoint + description: The endpoint object of the endpoint that was enriched. + type: string +- contextPath: Endpoint.Hostname + description: The hostnames of the endpoints that were enriched. + type: string +- contextPath: Endpoint.OS + description: The operating systems running on the endpoints that were enriched. + type: string +- contextPath: Endpoint.IP + description: A list of the IP addresses of the endpoints. + type: string +- contextPath: Endpoint.MAC + description: A list of the MAC addresses of the endpoints that were enriched. + type: string +- contextPath: Endpoint.Domain + description: The domain names of the endpoints that were enriched. + type: string +- contextPath: CylanceProtectDevice + description: The device information about the hostname that was enriched using Cylance + Protect v2. + type: string +- contextPath: ExtraHop.Device.Macaddr + description: The MAC Address of the device. + type: String +- contextPath: ExtraHop.Device.DeviceClass + description: The class of the device. + type: String +- contextPath: ExtraHop.Device.UserModTime + description: The time of the most recent update, expressed in milliseconds since + the epoch. + type: Number +- contextPath: ExtraHop.Device.AutoRole + description: The role automatically detected by the ExtraHop. + type: String +- contextPath: ExtraHop.Device.ParentId + description: The ID of the parent device. + type: Number +- contextPath: ExtraHop.Device.Vendor + description: The device vendor. + type: String +- contextPath: ExtraHop.Device.Analysis + description: The level of analysis preformed on the device. + type: string +- contextPath: ExtraHop.Device.DiscoveryId + description: The UUID given by the Discover appliance. + type: String +- contextPath: ExtraHop.Device.DefaultName + description: The default name of the device. + type: String +- contextPath: ExtraHop.Device.DisplayName + description: The display name of device. + type: String +- contextPath: ExtraHop.Device.OnWatchlist + description: Whether the device is on the advanced analysis allow list. + type: Boolean +- contextPath: ExtraHop.Device.ModTime + description: The time of the most recent update, expressed in milliseconds since + the epoch. + type: Number +- contextPath: ExtraHop.Device.IsL3 + description: Indicates whether the device is a Layer 3 device. + type: Boolean +- contextPath: ExtraHop.Device.Role + description: The role of the device. + type: String +- contextPath: ExtraHop.Device.DiscoverTime + description: The time that the device was discovered. + type: Number +- contextPath: ExtraHop.Device.Id + description: The ID of the device. + type: Number +- contextPath: ExtraHop.Device.Ipaddr4 + description: The IPv4 address of the device. + type: String +- contextPath: ExtraHop.Device.Vlanid + description: The ID of VLan. + type: Number +- contextPath: ExtraHop.Device.Ipaddr6 + description: The IPv6 address of the device. + type: string +- contextPath: ExtraHop.Device.NodeId + description: The Node ID of the Discover appliance. + type: number +- contextPath: ExtraHop.Device.Description + description: A user customizable description of the device. + type: string +- contextPath: ExtraHop.Device.DnsName + description: The DNS name associated with the device. + type: string +- contextPath: ExtraHop.Device.DhcpName + description: The DHCP name associated with the device. + type: string +- contextPath: ExtraHop.Device.CdpName + description: The Cisco Discovery Protocol name associated with the device. + type: string +- contextPath: ExtraHop.Device.NetbiosName + description: The NetBIOS name associated with the device. + type: string +- contextPath: ExtraHop.Device.Url + description: Link to the device details page in ExtraHop. + type: string +- contextPath: Endpoint.IPAddress + description: The endpoint IP address or list of IP addresses. + type: string +- contextPath: Endpoint.ID + description: The endpoint ID. + type: string +- contextPath: Endpoint.Status + description: The endpoint status. + type: string +- contextPath: Endpoint.IsIsolated + description: The endpoint isolation status. + type: string +- contextPath: Endpoint.MACAddress + description: The endpoint MAC address. + type: string +- contextPath: Endpoint.Vendor + description: The integration name of the endpoint vendor. + type: string +- contextPath: Endpoint.Relationships + description: The endpoint relationships of the endpoint that was enriched. + type: string +- contextPath: Endpoint.Processor + description: The model of the processor. + type: string +- contextPath: Endpoint.Processors + description: The number of processors. + type: string +- contextPath: Endpoint.Memory + description: Memory on this endpoint. + type: string +- contextPath: Endpoint.Model + description: The model of the machine or device. + type: string +- contextPath: Endpoint.BIOSVersion + description: The endpoint's BIOS version. + type: string +- contextPath: Endpoint.OSVersion + description: The endpoint's operation system version. + type: string +- contextPath: Endpoint.DHCPServer + description: The DHCP server of the endpoint. + type: string +- contextPath: McAfee.ePO.Endpoint + description: The endpoint that was enriched. + type: string +- contextPath: Endpoint.Groups + description: Groups for which the computer is listed as a member. + type: string +- contextPath: ActiveDirectory.ComputersPageCookie + description: An opaque string received in a paged search, used for requesting subsequent + entries. + type: string +- contextPath: ActiveDirectory.Computers.dn + description: The computer distinguished name. + type: string +- contextPath: ActiveDirectory.Computers.memberOf + description: Groups for which the computer is listed. + type: string +- contextPath: ActiveDirectory.Computers.name + description: The computer name. + type: string +- contextPath: CrowdStrike.Device + description: The information about the endpoint. + type: string +- contextPath: ActiveDirectory.Computers + description: The information about the hostname that was enriched using Active Directory. + type: string +- contextPath: CarbonBlackEDR.Sensor.systemvolume_total_size + description: The size, in bytes, of the system volume of the endpoint on which the + sensor is installed. installed. + type: number +- contextPath: CarbonBlackEDR.Sensor.emet_telemetry_path + description: The path of the EMET telemetry associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.os_environment_display_string + description: Human-readable string of the installed OS. + type: string +- contextPath: CarbonBlackEDR.Sensor.emet_version + description: The EMET version associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.emet_dump_flags + description: The flags of the EMET dump associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.clock_delta + description: The clock delta associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.supports_cblr + description: Whether the sensor supports Carbon Black Live Response (CbLR). + type: string +- contextPath: CarbonBlackEDR.Sensor.sensor_uptime + description: The uptime of the process. + type: string +- contextPath: CarbonBlackEDR.Sensor.last_update + description: When the sensor was last updated. + type: string +- contextPath: CarbonBlackEDR.Sensor.physical_memory_size + description: The size in bytes of physical memory. + type: number +- contextPath: CarbonBlackEDR.Sensor.build_id + description: The sensor version installed on this endpoint. From the /api/builds/ + endpoint. + type: string +- contextPath: CarbonBlackEDR.Sensor.uptime + description: Endpoint uptime in seconds. + type: string +- contextPath: CarbonBlackEDR.Sensor.is_isolating + description: Boolean representing sensor-reported isolation status. + type: boolean +- contextPath: CarbonBlackEDR.Sensor.event_log_flush_time + description: |- + If event_log_flush_time is set, the server will instruct the sensor to immediately + send all data before this date, ignoring all other throttling mechanisms. + To force a host current, set this value to a value far in the future. + When the sensor has finished sending its queued data, this value will be null. + type: string +- contextPath: CarbonBlackEDR.Sensor.computer_dns_name + description: The DNS name of the endpoint on which the sensor is installed. + type: string +- contextPath: CarbonBlackEDR.Sensor.emet_report_setting + description: The report setting of the EMET associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.id + description: The ID of this sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.emet_process_count + description: The number of EMET processes associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.emet_is_gpo + description: Whether the EMET is a GPO. + type: string +- contextPath: CarbonBlackEDR.Sensor.power_state + description: The sensor power state. + type: string +- contextPath: CarbonBlackEDR.Sensor.network_isolation_enabled + description: Boolean representing the network isolation request status. + type: boolean +- contextPath: CarbonBlackEDR.Sensor.systemvolume_free_size + description: The amount of free bytes on the system volume. + type: string +- contextPath: CarbonBlackEDR.Sensor.status + description: The sensor status. + type: string +- contextPath: CarbonBlackEDR.Sensor.num_eventlog_bytes + description: The number of event log bytes. + type: number +- contextPath: CarbonBlackEDR.Sensor.sensor_health_message + description: Human-readable string indicating the sensor’s self-reported status. + type: string +- contextPath: CarbonBlackEDR.Sensor.build_version_string + description: Human-readable string of the sensor version. + type: string +- contextPath: CarbonBlackEDR.Sensor.computer_sid + description: Machine SID of this host. + type: string +- contextPath: CarbonBlackEDR.Sensor.next_checkin_time + description: Next expected communication from this computer in server-local time + and zone. + type: string +- contextPath: CarbonBlackEDR.Sensor.node_id + description: The node ID associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.cookie + description: The cookie associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.emet_exploit_action + description: The EMET exploit action associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.computer_name + description: NetBIOS name of this computer. + type: string +- contextPath: CarbonBlackEDR.Sensor.license_expiration + description: When the license of the sensor expires. + type: string +- contextPath: CarbonBlackEDR.Sensor.supports_isolation + description: Whether the sensor supports isolation. + type: string +- contextPath: CarbonBlackEDR.Sensor.parity_host_id + description: The ID of the parity host associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.supports_2nd_gen_modloads + description: Whether the sensor support modload of 2nd generation. + type: string +- contextPath: CarbonBlackEDR.Sensor.network_adapters + description: A pipe-delimited list of IP,MAC pairs for each network interface. + type: string +- contextPath: CarbonBlackEDR.Sensor.sensor_health_status + description: Self-reported health score, from 0 to 100. Higher numbers indicate + a better health status. + type: string +- contextPath: CarbonBlackEDR.Sensor.registration_time + description: Time this sensor was originally registered in server-local time and + zone. + type: string +- contextPath: CarbonBlackEDR.Sensor.restart_queued + description: Whether a restart of the sensor is queued. + type: string +- contextPath: CarbonBlackEDR.Sensor.notes + description: The notes associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.num_storefiles_bytes + description: Number of storefiles bytes associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.os_environment_id + description: The ID of the OS environment of the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.shard_id + description: The ID of the shard associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.boot_id + description: A sequential counter of boots since the sensor was installed. + type: string +- contextPath: CarbonBlackEDR.Sensor.last_checkin_time + description: Last communication with this computer in server-local time and zone. + type: string +- contextPath: CarbonBlackEDR.Sensor.os_type + description: The operating system type of the computer. + type: string +- contextPath: CarbonBlackEDR.Sensor.group_id + description: The sensor group ID this sensor is assigned to. + type: string +- contextPath: CarbonBlackEDR.Sensor.uninstall + description: When set, indicates that the sensor will be directed to uninstall on + next check-in. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint + description: The endpoint object of the endpoint that was enriched. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.endpoint_id + description: The endpoint ID. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.endpoint_name + description: The endpoint name. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.endpoint_type + description: The endpoint type. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.endpoint_status + description: The status of the endpoint. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.os_type + description: The endpoint OS type. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.ip + description: A list of IP addresses. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.users + description: A list of users. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.domain + description: The endpoint domain. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.alias + description: The endpoint's aliases. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.first_seen + description: First seen date/time in Epoch (milliseconds). + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.last_seen + description: Last seen date/time in Epoch (milliseconds). + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.content_version + description: Content version. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.installation_package + description: Installation package. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.active_directory + description: Active directory. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.install_date + description: Install date in Epoch (milliseconds). + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.endpoint_version + description: Endpoint version. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.is_isolated + description: Whether the endpoint is isolated. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.group_name + description: The name of the group to which the endpoint belongs. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.count + description: Number of endpoints returned. + type: number +- contextPath: Account + description: The account object of the endpoint that was enriched. + type: string +- contextPath: Account.Username + description: The username in the relevant system. + type: string +- contextPath: Account.Domain + description: The domain of the account. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyHost + description: The endpoint object. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyHost.type + description: Form of identification element. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyHost.id + description: Identification value of the type field. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyHost.score + description: The score assigned to the host. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyHost.reasons + description: The endpoint risk objects. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyHost.reasons.date created + description: Date when the incident was created. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyHost.reasons.description + description: Description of the incident. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyHost.reasons.severity + description: The severity of the incident. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyHost.reasons.status + description: The incident status. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyHost.reasons.points + description: The score. + type: string +- contextPath: Core.Endpoint + description: The endpoint object. + type: unknown +- contextPath: Core.Endpoint.endpoint_id + description: The endpoint ID. +- contextPath: Core.Endpoint.endpoint_name + description: The endpoint name. +- contextPath: Core.Endpoint.endpoint_type + description: The endpoint type. +- contextPath: Core.Endpoint.endpoint_status + description: The status of the endpoint. +- contextPath: Core.Endpoint.os_type + description: The endpoint OS type. +- contextPath: Core.Endpoint.ip + description: A list of IP addresses. +- contextPath: Core.Endpoint.users + description: A list of users. +- contextPath: Core.Endpoint.domain + description: The endpoint domain. +- contextPath: Core.Endpoint.alias + description: The endpoint's aliases. +- contextPath: Core.Endpoint.first_seen + description: First seen date/time in Epoch (milliseconds). +- contextPath: Core.Endpoint.last_seen + description: Last seen date/time in Epoch (milliseconds). +- contextPath: Core.Endpoint.content_version + description: Content version. +- contextPath: Core.Endpoint.installation_package + description: Installation package. +- contextPath: Core.Endpoint.active_directory + description: Active directory. +- contextPath: Core.Endpoint.install_date + description: Install date in Epoch (milliseconds). +- contextPath: Core.Endpoint.endpoint_version + description: Endpoint version. +- contextPath: Core.Endpoint.is_isolated + description: Whether the endpoint is isolated. +- contextPath: Core.Endpoint.group_name + description: The name of the group to which the endpoint belongs. +- contextPath: Core.RiskyHost + description: The risky host object. + type: unknown +- contextPath: Core.RiskyHost.type + description: Form of identification element. +- contextPath: Core.RiskyHost.id + description: Identification value of the type field. +- contextPath: Core.RiskyHost.score + description: The score assigned to the host. +- contextPath: Core.RiskyHost.reasons + description: The reasons for the risk level. + type: unknown +- contextPath: Core.RiskyHost.reasons.date created + description: Date when the incident was created. +- contextPath: Core.RiskyHost.reasons.description + description: Description of the incident. +- contextPath: Core.RiskyHost.reasons.severity + description: The severity of the incident. +- contextPath: Core.RiskyHost.reasons.status + description: The incident status. +- contextPath: Core.RiskyHost.reasons.points + description: The score. +- contextPath: McAfee.ePO.Endpoint.ParentID + description: Endpoint parent ID. +- contextPath: McAfee.ePO.Endpoint.ComputerName + description: Endpoint computer name. +- contextPath: McAfee.ePO.Endpoint.Description + description: Endpoint description. +- contextPath: McAfee.ePO.Endpoint.SystemDescription + description: Endpoint system description. +- contextPath: McAfee.ePO.Endpoint.TimeZone + description: Endpoint time zone. +- contextPath: McAfee.ePO.Endpoint.DefaultLangID + description: Endpoint default language ID. +- contextPath: McAfee.ePO.Endpoint.UserName + description: Endpoint username. +- contextPath: McAfee.ePO.Endpoint.Domain + description: Endpoint domain name. +- contextPath: McAfee.ePO.Endpoint.Hostname + description: Endpoint IP host name. +- contextPath: McAfee.ePO.Endpoint.IPV6 + description: Endpoint IPv6 address. +- contextPath: McAfee.ePO.Endpoint.IPAddress + description: Endpoint IP address. +- contextPath: McAfee.ePO.Endpoint.IPSubnet + description: Endpoint IP subnet. +- contextPath: McAfee.ePO.Endpoint.IPSubnetMask + description: Endpoint IP subnet mask. +- contextPath: McAfee.ePO.Endpoint.IPV4x + description: Endpoint IPV4x address. +- contextPath: McAfee.ePO.Endpoint.IPXAddress + description: Endpoint IPX address. +- contextPath: McAfee.ePO.Endpoint.SubnetAddress + description: Endpoint subnet address. +- contextPath: McAfee.ePO.Endpoint.SubnetMask + description: Endpoint subnet mask. +- contextPath: McAfee.ePO.Endpoint.NetAddress + description: Endpoint net address. +- contextPath: McAfee.ePO.Endpoint.OSType + description: Endpoint OS type. +- contextPath: McAfee.ePO.Endpoint.OSVersion + description: Endpoint OS version. +- contextPath: McAfee.ePO.Endpoint.OSServicePackVer + description: Endpoint OS service pack version. +- contextPath: McAfee.ePO.Endpoint.OSBuildNum + description: Endpoint OS build number. +- contextPath: McAfee.ePO.Endpoint.OSPlatform + description: Endpoint OS platform. +- contextPath: McAfee.ePO.Endpoint.OSOEMID + description: Endpoint OS OEM ID. +- contextPath: McAfee.ePO.Endpoint.Processor + description: Endpoint CPU type. +- contextPath: McAfee.ePO.Endpoint.CPUSpeed + description: Endpoint CPU speed. +- contextPath: McAfee.ePO.Endpoint.Processors + description: Number of CPUs in the endpoint. +- contextPath: McAfee.ePO.Endpoint.CPUSerialNum + description: Endpoint CPU serial number. +- contextPath: McAfee.ePO.Endpoint.Memory + description: The total amount of physical memory in the endpoint. +- contextPath: McAfee.ePO.Endpoint.FreeMemory + description: The amount of free memory in the endpoint. +- contextPath: McAfee.ePO.Endpoint.FreeDiskSpace + description: The amount of free disk space in the endpoint. +- contextPath: McAfee.ePO.Endpoint.TotalDiskSpace + description: The total amount of disk space in the endpoint. +- contextPath: McAfee.ePO.Endpoint.UserProperty1 + description: Endpoint user property 1. +- contextPath: McAfee.ePO.Endpoint.UserProperty2 + description: Endpoint user property 2. +- contextPath: McAfee.ePO.Endpoint.UserProperty3 + description: Endpoint user property 3. +- contextPath: McAfee.ePO.Endpoint.UserProperty4 + description: Endpoint user property 4. +- contextPath: McAfee.ePO.Endpoint.SysvolFreeSpace + description: The amount of system volume free space in the endpoint. +- contextPath: McAfee.ePO.Endpoint.SysvolTotalSpace + description: The total amount of system volume space in the endpoint. +- contextPath: McAfee.ePO.Endpoint.Tags + description: Endpoint ePO tags. +- contextPath: McAfee.ePO.Endpoint.ExcludedTags + description: Endpoint EPO excluded tags. +- contextPath: McAfee.ePO.Endpoint.LastUpdate + description: The date the endpoint was last updated. +- contextPath: McAfee.ePO.Endpoint.ManagedState + description: Endpoint managed state. +- contextPath: McAfee.ePO.Endpoint.AgentGUID + description: Endpoint agent GUID. +- contextPath: McAfee.ePO.Endpoint.AgentVersion + description: Endpoint agent version. +- contextPath: McAfee.ePO.Endpoint.AutoID + description: Endpoint auto ID. +- contextPath: CrowdStrike.Device.ID + description: The ID of the device. +- contextPath: CrowdStrike.Device.LocalIP + description: The local IP address of the device. +- contextPath: CrowdStrike.Device.ExternalIP + description: The external IP address of the device. +- contextPath: CrowdStrike.Device.Hostname + description: The host name of the device. +- contextPath: CrowdStrike.Device.OS + description: The operating system of the device. +- contextPath: CrowdStrike.Device.MacAddress + description: The MAC address of the device. +- contextPath: CrowdStrike.Device.FirstSeen + description: The first time the device was seen. +- contextPath: CrowdStrike.Device.LastSeen + description: The last time the device was seen. +- contextPath: CrowdStrike.Device.PolicyType + description: The policy type of the device. +- contextPath: CrowdStrike.Device.Status + description: The device status. +sourceplaybookid: Endpoint Enrichment - Generic v2.1 +dirtyInputs: true +adopted: true fromversion: 5.0.0 diff --git a/Packs/soc-optimization-unified/Playbooks/SOC_Endpoint_Enrichment_-_Generic_v2.1.yml b/Packs/soc-optimization-unified/Playbooks/SOC_Endpoint_Enrichment_-_Generic_v2.1.yml deleted file mode 100644 index 27f23fa..0000000 --- a/Packs/soc-optimization-unified/Playbooks/SOC_Endpoint_Enrichment_-_Generic_v2.1.yml +++ /dev/null @@ -1,2367 +0,0 @@ -id: SOC Endpoint Enrichment - Generic v2.1 -version: 7 -contentitemexportablefields: - contentitemfields: - packID: soc-common-playbooks - packName: SOC Common Playbooks - itemVersion: 2.7.40 - fromServerVersion: 5.0.0 - toServerVersion: "" - definitionid: "" - prevname: "" - isoverridable: false - supportedModules: - - X1 - - X3 - - X5 - - ENT_PLUS - - agentix -vcShouldKeepItemLegacyProdMachine: false -name: SOC Endpoint Enrichment - Generic v2.1 -description: |- - Enrich an endpoint by hostname using one or more integrations. - Supported integrations: - - Active Directory Query v2 - - McAfee ePO v2 - - VMware Carbon Black EDR v2 - - Cylance Protect v2 - - CrowdStrike Falcon - - ExtraHop Reveal(x) - - Cortex XDR / Core (endpoint enrichment, reputation and risk) - - Endpoint reputation using !endpoint command. -tags: -- SOC -- SOC_Framework -starttaskid: "0" -tasks: - "0": - id: "0" - taskid: 29bcd70f-1953-4061-84ce-4cde781ad9f7 - type: start - task: - id: 29bcd70f-1953-4061-84ce-4cde781ad9f7 - version: -1 - name: "" - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false - nexttasks: - '#none#': - - "3" - separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 80 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "1": - id: "1" - taskid: 54895e0d-9904-4e62-8f45-ebd0d17ad5c9 - type: title - task: - id: 54895e0d-9904-4e62-8f45-ebd0d17ad5c9 - version: -1 - name: Endpoint Products - type: title - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false - nexttasks: - '#none#': - - "16" - - "18" - - "20" - - "30" - - "40" - - "19" - separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 1330, - "y": 410 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "3": - id: "3" - taskid: ddba13dd-92fc-47a3-8ffe-b849c626eb22 - type: condition - task: - id: ddba13dd-92fc-47a3-8ffe-b849c626eb22 - version: -1 - name: Is there an endpoint to enrich? - description: Checks whether there is at least one endpoint to enrich (by hostname). - type: condition - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false - nexttasks: - '#default#': - - "4" - "yes": - - "24" - - "1" - - "35" - scriptarguments: - value: - simple: ${inputs.Hostname} - separatecontext: false - conditions: - - label: "yes" - condition: - - - operator: isNotEmpty - left: - value: - simple: inputs.Hostname - iscontext: true - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 215 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "4": - id: "4" - taskid: ea90c16b-6985-4f28-816f-78608df3fe51 - type: title - task: - id: ea90c16b-6985-4f28-816f-78608df3fe51 - version: -1 - name: Done - type: title - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false - separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 1115 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "8": - id: "8" - taskid: 9fa921fa-d196-40ba-8419-ed0c4f838ab8 - type: condition - task: - id: 9fa921fa-d196-40ba-8419-ed0c4f838ab8 - version: -1 - name: Is Carbon Black Enterprise Response enabled? - description: Checks if there is an active instance of the Carbon Black Enterprise - Response integration enabled. - type: condition - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false - nexttasks: - '#default#': - - "4" - "yes": - - "9" - separatecontext: false - conditions: - - label: "yes" - condition: - - - operator: isEqualString - left: - value: - complex: - root: modules - filters: - - - operator: containsGeneral - left: - value: - simple: modules.brand - iscontext: true - right: - value: - simple: VMware Carbon Black EDR v2 - ignorecase: true - accessor: state - iscontext: true - right: - value: - simple: active - ignorecase: true - continueonerrortype: "" - view: |- - { - "position": { - "x": 1220, - "y": 690 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "9": - id: "9" - taskid: 5e114375-db3d-4267-8f4d-0a411d4bb076 - type: regular - task: - id: 5e114375-db3d-4267-8f4d-0a411d4bb076 - version: -1 - name: Get host information from Carbon Black Enterprise Response - description: List the CarbonBlack sensors - script: '|||cb-edr-sensors-list' - type: regular - iscommand: true - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false - nexttasks: - '#none#': - - "4" - scriptarguments: - hostname: - complex: - root: inputs.Hostname - transformers: - - operator: uniq - id: - complex: - root: inputs.EndpointID - transformers: - - operator: uniq - ip: - complex: - root: inputs.IPAddress - transformers: - - operator: uniq - reputationcalc: 1 - separatecontext: false - continueonerror: true - continueonerrortype: "" - view: |- - { - "position": { - "x": 1410, - "y": 860 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: true - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "10": - id: "10" - taskid: 42f088e2-cb74-485a-8318-0dae68cde0f0 - type: condition - task: - id: 42f088e2-cb74-485a-8318-0dae68cde0f0 - version: -1 - name: Is CrowdStrike Falcon enabled? - description: Checks if there is an active instance of the CrowdStrike Falcon - Host integration enabled. - type: condition - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false - nexttasks: - '#default#': - - "4" - "yes": - - "38" - separatecontext: false - conditions: - - label: "yes" - condition: - - - operator: isEqualString - left: - value: - complex: - root: modules - filters: - - - operator: isEqualString - left: - value: - simple: modules.brand - iscontext: true - right: - value: - simple: CrowdstrikeFalcon - ignorecase: true - accessor: state - iscontext: true - right: - value: - simple: active - ignorecase: true - continueonerrortype: "" - view: |- - { - "position": { - "x": 2350, - "y": 690 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "16": - id: "16" - taskid: d9d617d9-2efd-466e-8ce7-190f8db83b95 - type: title - task: - id: d9d617d9-2efd-466e-8ce7-190f8db83b95 - version: -1 - name: McAfee ePolicy Orchestrator - type: title - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false - nexttasks: - '#none#': - - "33" - separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 690, - "y": 550 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "18": - id: "18" - taskid: 6cf08862-644d-479e-89ce-f9e173a8c562 - type: title - task: - id: 6cf08862-644d-479e-89ce-f9e173a8c562 - version: -1 - name: Carbon Black Enterprise Response - type: title - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false - nexttasks: - '#none#': - - "8" - separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 1220, - "y": 550 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "19": - id: "19" - taskid: 471d3862-a05c-42b1-871d-c1faa2fbb7a9 - type: title - task: - id: 471d3862-a05c-42b1-871d-c1faa2fbb7a9 - version: -1 - name: Cylance Protect v2 - type: title - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false - nexttasks: - '#none#': - - "48" - separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 270, - "y": 550 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "20": - id: "20" - taskid: 5d371f29-3a4c-43c5-8f71-b383db2e5320 - type: title - task: - id: 5d371f29-3a4c-43c5-8f71-b383db2e5320 - version: -1 - name: CrowdStrike Falcon - type: title - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false - nexttasks: - '#none#': - - "10" - separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 2300, - "y": 550 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "22": - id: "22" - taskid: f7f190b9-5a39-4d8a-83a5-77d5a023f0d4 - type: condition - task: - id: f7f190b9-5a39-4d8a-83a5-77d5a023f0d4 - version: -1 - name: Is Active Directory Query v2 enabled? - description: Checks if there is an active instance of the Active Directory Query - v2 integration enabled. - type: condition - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false - nexttasks: - '#default#': - - "4" - "yes": - - "23" - separatecontext: false - conditions: - - label: "yes" - condition: - - - operator: isExists - left: - value: - complex: - root: modules - filters: - - - operator: isEqualString - left: - value: - simple: brand - iscontext: true - right: - value: - simple: Active Directory Query v2 - - - operator: isEqualString - left: - value: - simple: state - iscontext: true - right: - value: - simple: active - iscontext: true - continueonerrortype: "" - view: |- - { - "position": { - "x": -180, - "y": 690 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "23": - id: "23" - taskid: 8da54a09-4c7e-4a26-a5eb-6fbe51fbf3f0 - type: regular - task: - id: 8da54a09-4c7e-4a26-a5eb-6fbe51fbf3f0 - version: -1 - name: Get host information from Active Directory - description: Retrieves detailed information about a computer account. The computer - can be specified by name, email address, or as an Active Directory Distinguished - Name (DN). If no filters are provided, all computers are returned. - script: '|||ad-get-computer' - type: regular - iscommand: true - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false - nexttasks: - '#error#': - - "49" - '#none#': - - "4" - scriptarguments: - name: - complex: - root: inputs.Hostname - transformers: - - operator: uniq - reputationcalc: 1 - separatecontext: false - continueonerror: true - continueonerrortype: errorPath - view: |- - { - "position": { - "x": -370, - "y": 860 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: true - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "24": - id: "24" - taskid: 9706cc39-d338-44cd-8ee1-efc5ea95b04d - type: title - task: - id: 9706cc39-d338-44cd-8ee1-efc5ea95b04d - version: -1 - name: Active Directory - type: title - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false - nexttasks: - '#none#': - - "22" - separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": -180, - "y": 550 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "30": - id: "30" - taskid: ec344482-77f7-42b5-8ee4-34317afd1179 - type: title - task: - id: ec344482-77f7-42b5-8ee4-34317afd1179 - version: -1 - name: ExtraHop Reveal(x) - type: title - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false - nexttasks: - '#none#': - - "31" - separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 1760, - "y": 550 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "31": - id: "31" - taskid: 58c8b4be-657c-45f6-8eca-5a01da85f1f3 - type: condition - task: - id: 58c8b4be-657c-45f6-8eca-5a01da85f1f3 - version: -1 - name: Is ExtraHop Reveal(x) enabled? - description: Checks if there is an active instance of the ExtraHop Reveal(x) - integration enabled. - scriptName: Exists - type: condition - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false - nexttasks: - '#default#': - - "4" - "yes": - - "32" - scriptarguments: - value: - complex: - root: modules - filters: - - - operator: isEqualString - left: - value: - simple: brand - iscontext: true - right: - value: - simple: ExtraHop v2 - - - operator: isEqualString - left: - value: - simple: state - iscontext: true - right: - value: - simple: active - reputationcalc: 1 - separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 1760, - "y": 690 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "32": - id: "32" - taskid: 03a8e3c0-2469-41ee-97c8-b0c792be32ec - type: regular - task: - id: 03a8e3c0-2469-41ee-97c8-b0c792be32ec - version: -1 - name: Get host information from ExtraHop Reveal(x) - description: Search for devices in ExtraHop Reveal(x). - script: ExtraHop v2|||extrahop-devices-search - type: regular - iscommand: true - brand: ExtraHop v2 - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false - nexttasks: - '#error#': - - "49" - '#none#': - - "4" - scriptarguments: - ip: - complex: - root: inputs.IPAddress - transformers: - - operator: uniq - name: - complex: - root: inputs.Hostname - transformers: - - operator: uniq - separatecontext: false - continueonerror: true - continueonerrortype: errorPath - view: |- - { - "position": { - "x": 1950, - "y": 860 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: true - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "33": - id: "33" - taskid: bf7d9316-446b-452b-843a-3e5a13b8b741 - type: condition - task: - id: bf7d9316-446b-452b-843a-3e5a13b8b741 - version: -1 - name: is Mcafee ePolicy Orchestrator v2 enabled - description: Checks if there is an active Mcafee ePolicy Orchestrator v2 integration - instance enabled. - type: condition - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false - nexttasks: - '#default#': - - "4" - "yes": - - "34" - separatecontext: false - conditions: - - label: "yes" - condition: - - - operator: isEqualString - left: - value: - complex: - root: modules - filters: - - - operator: isExists - left: - value: - simple: modules.brand - iscontext: true - - - operator: isEqualString - left: - value: - simple: modules.state - iscontext: true - right: - value: - simple: active - accessor: brand - iscontext: true - right: - value: - simple: McAfee ePO v2 - continueonerrortype: "" - view: |- - { - "position": { - "x": 680, - "y": 690 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "34": - id: "34" - taskid: 8e881985-e5e1-4aec-ac66-0cbc1186879d - type: regular - task: - id: 8e881985-e5e1-4aec-ac66-0cbc1186879d - version: -1 - name: Get- host information from McAfee ePO v2 - description: Finds systems in the McAfee ePO system tree. - script: '|||epo-find-system' - type: regular - iscommand: true - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false - nexttasks: - '#error#': - - "49" - '#none#': - - "4" - scriptarguments: - searchText: - complex: - root: inputs.Hostname - transformers: - - operator: uniq - verbose: - simple: "false" - separatecontext: false - continueonerror: true - continueonerrortype: errorPath - view: |- - { - "position": { - "x": 870, - "y": 860 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: true - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "35": - id: "35" - taskid: f2dbaff5-7c92-47ad-80cc-991bfd80ff98 - type: title - task: - id: f2dbaff5-7c92-47ad-80cc-991bfd80ff98 - version: -1 - name: Endpoint Reputation - type: title - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false - nexttasks: - '#none#': - - "36" - separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": -730, - "y": 550 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "36": - id: "36" - taskid: 50fed99c-1eb9-4a6f-85d0-f9d5ee74bc5a - type: condition - task: - id: 50fed99c-1eb9-4a6f-85d0-f9d5ee74bc5a - version: -1 - name: Should use !endpoint command? - description: Check if should run endpoint reputation command - type: condition - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false - nexttasks: - '#default#': - - "4" - "yes": - - "37" - separatecontext: false - conditions: - - label: "yes" - condition: - - - operator: isEqualString - left: - value: - complex: - root: inputs.UseReputationCommand - iscontext: true - right: - value: - simple: "True" - ignorecase: true - continueonerrortype: "" - view: |- - { - "position": { - "x": -730, - "y": 690 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "37": - id: "37" - taskid: f8a264ea-5bb0-4a34-910b-7e0706f65f1f - type: regular - task: - id: f8a264ea-5bb0-4a34-910b-7e0706f65f1f - version: -1 - name: Check Reputation - description: Returns information about an endpoint. - script: '|||endpoint' - type: regular - iscommand: true - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false - nexttasks: - '#error#': - - "49" - '#none#': - - "4" - scriptarguments: - hostname: - complex: - root: inputs.Hostname - transformers: - - operator: uniq - id: - complex: - root: inputs.EndpointID - transformers: - - operator: uniq - ip: - complex: - root: inputs.IPAddress - transformers: - - operator: uniq - separatecontext: false - continueonerror: true - continueonerrortype: errorPath - view: |- - { - "position": { - "x": -920, - "y": 860 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: true - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "38": - id: "38" - taskid: 97c2d94e-2a74-48d9-9404-8049e310925c - type: regular - task: - id: 97c2d94e-2a74-48d9-9404-8049e310925c - version: -1 - name: Crowdstrike Search device - description: Searches for a device that matches the query. - script: CrowdstrikeFalcon|||cs-falcon-search-device - type: regular - iscommand: true - brand: CrowdstrikeFalcon - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false - nexttasks: - '#error#': - - "49" - '#none#': - - "4" - scriptarguments: - hostname: - complex: - root: inputs.Hostname - transformers: - - operator: uniq - ids: - complex: - root: inputs.EndpointID - transformers: - - operator: uniq - separatecontext: false - continueonerror: true - continueonerrortype: errorPath - view: |- - { - "position": { - "x": 2480, - "y": 860 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: true - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "39": - id: "39" - taskid: 284d5ea3-58c1-4a0f-87c4-5c395d75a65c - type: condition - task: - id: 284d5ea3-58c1-4a0f-87c4-5c395d75a65c - version: -1 - name: Is Cortex XDR enabled? - description: Checks if there is an active instance of the Cortex XDR integration - enabled. - type: condition - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false - nexttasks: - '#default#': - - "4" - "yes": - - "41" - - "42" - separatecontext: false - conditions: - - label: "yes" - condition: - - - operator: isEqualString - left: - value: - complex: - root: modules - filters: - - - operator: isEqualString - left: - value: - simple: modules.brand - iscontext: true - right: - value: - simple: Cortex XDR - IR - ignorecase: true - accessor: state - iscontext: true - right: - value: - simple: active - ignorecase: true - continueonerrortype: "" - view: |- - { - "position": { - "x": 2840, - "y": 690 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "40": - id: "40" - taskid: 12dd4de8-094d-4760-8284-22e212b5b76d - type: title - task: - id: 12dd4de8-094d-4760-8284-22e212b5b76d - version: -1 - name: Cortex XDR / Core IR - type: title - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false - nexttasks: - '#none#': - - "39" - - "43" - separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 3180, - "y": 550 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "41": - id: "41" - taskid: 28d5399e-9856-4c0e-ae6f-26790468a680 - type: regular - task: - id: 28d5399e-9856-4c0e-ae6f-26790468a680 - version: -1 - name: Cortex XDR Search device - description: Gets a list of endpoints, according to the passed filters. If there - are no filters, all endpoints are returned. Filtering by multiple fields will - be concatenated using AND condition (OR is not supported). Maximum result - set size is 100. Offset is the zero-based number of endpoint from the start - of the result set (start by counting from 0). - script: '|||xdr-get-endpoints' - type: regular - iscommand: true - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false - nexttasks: - '#error#': - - "49" - '#none#': - - "4" - scriptarguments: - endpoint_id_list: - complex: - root: inputs.EndpointID - transformers: - - operator: uniq - hostname: - complex: - root: inputs.Hostname - transformers: - - operator: uniq - ip_list: - complex: - root: inputs.IPAddress - transformers: - - operator: uniq - separatecontext: false - continueonerror: true - continueonerrortype: errorPath - view: |- - { - "position": { - "x": 3030, - "y": 860 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: true - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "42": - id: "42" - taskid: 00b0ba80-bdc5-4012-8238-334800df9bbd - type: regular - task: - id: 00b0ba80-bdc5-4012-8238-334800df9bbd - version: -1 - name: Cortex XDR get endpoint risk score - description: Retrieve the risk score of a specific host or list of hosts with - the highest risk score in the environment along with the reason affecting - each score. - script: '|||xdr-list-risky-hosts' - type: regular - iscommand: true - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false - nexttasks: - '#error#': - - "49" - '#none#': - - "4" - scriptarguments: - host_id: - complex: - root: inputs.Hostname - transformers: - - operator: uniq - separatecontext: false - continueonerror: true - continueonerrortype: errorPath - view: |- - { - "position": { - "x": 3420, - "y": 860 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: true - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "43": - id: "43" - taskid: adb8d36c-cdb3-4676-8d4a-da7fbc43188c - type: condition - task: - id: adb8d36c-cdb3-4676-8d4a-da7fbc43188c - version: -1 - name: Is Cortex Core - IR integration enabled? - description: Checks if there is an active instance of the Cortex Core integration - enabled. - scriptName: IsIntegrationAvailable - type: condition - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false - nexttasks: - '#default#': - - "4" - "yes": - - "44" - - "45" - scriptarguments: - brandname: - simple: Cortex Core - IR - separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 3780, - "y": 690 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "44": - id: "44" - taskid: 28ddac6d-c9fd-4997-9667-6bdd8538d69e - type: regular - task: - id: 28ddac6d-c9fd-4997-9667-6bdd8538d69e - version: -1 - name: Core IR Search device - description: Gets a list of endpoints, according to the passed filters. If there - are no filters, all endpoints are returned. Filtering by multiple fields will - be concatenated using AND condition (OR is not supported). Maximum result - set size is 100. Offset is the zero-based number of endpoint from the start - of the result set (start by counting from 0). - script: '|||core-get-endpoints' - type: regular - iscommand: true - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false - nexttasks: - '#error#': - - "49" - '#none#': - - "4" - scriptarguments: - endpoint_id_list: - complex: - root: inputs.EndpointID - transformers: - - operator: uniq - hostname: - complex: - root: inputs.Hostname - transformers: - - operator: uniq - ip_list: - complex: - root: inputs.IPAddress - transformers: - - operator: uniq - separatecontext: false - continueonerror: true - continueonerrortype: errorPath - view: |- - { - "position": { - "x": 3970, - "y": 860 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: true - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "45": - id: "45" - taskid: e24e0b83-679a-4e52-828f-b3637fedd2c1 - type: regular - task: - id: e24e0b83-679a-4e52-828f-b3637fedd2c1 - version: -1 - name: Core IR get endpoint risk score - description: Retrieve the risk score of a specific host or list of hosts with - the highest risk score in the environment along with the reason affecting - each score. - script: '|||core-list-risky-hosts' - type: regular - iscommand: true - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false - nexttasks: - '#error#': - - "49" - '#none#': - - "4" - scriptarguments: - host_id: - complex: - root: inputs.Hostname - transformers: - - operator: uniq - separatecontext: false - continueonerror: true - continueonerrortype: errorPath - view: |- - { - "position": { - "x": 4360, - "y": 860 - } - } - note: false - timertriggers: [] - ignoreworker: false - fieldMapping: - - incidentfield: Host Risk Level - output: - complex: - root: Core.RiskyHost - accessor: risk_level - - incidentfield: Host Risk Reasons - output: - complex: - root: Core.RiskyHost.reasons - accessor: description - skipunavailable: true - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "48": - id: "48" - taskid: a311d42a-1d50-4464-8a6b-2babd00963a2 - type: playbook - task: - id: a311d42a-1d50-4464-8a6b-2babd00963a2 - version: -1 - name: SOC Endpoint Enrichment - Cylance Protect v2 - playbookName: SOC Endpoint Enrichment - Cylance Protect v2 - type: playbook - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false - nexttasks: - '#none#': - - "4" - separatecontext: true - continueonerrortype: "" - view: |- - { - "position": { - "x": 270, - "y": 690 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "49": - id: "49" - taskid: 699918ad-f689-4054-8864-d2dae7a92fe5 - type: playbook - task: - id: 699918ad-f689-4054-8864-d2dae7a92fe5 - version: -1 - name: Foundation - Error Handling_V3 - playbookName: Foundation - Error Handling_V3 - type: playbook - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false - separatecontext: true - continueonerrortype: "" - view: |- - { - "position": { - "x": 790, - "y": 1200 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false -system: true -view: |- - { - "linkLabelsPosition": { - "10_4_#default#": 0.1, - "22_23_yes": 0.43, - "22_4_#default#": 0.2, - "31_32_yes": 0.64, - "31_4_#default#": 0.1, - "33_34_yes": 0.64, - "33_4_#default#": 0.1, - "34_49_#error#": 0.9, - "36_37_yes": 0.49, - "36_4_#default#": 0.1, - "38_49_#error#": 0.89, - "39_4_#default#": 0.1, - "3_1_yes": 0.3, - "3_24_yes": 0.41, - "3_4_#default#": 0.12, - "43_4_#default#": 0.1, - "8_4_#default#": 0.1, - "8_9_yes": 0.62 - }, - "paper": { - "dimensions": { - "height": 1195, - "width": 5660, - "x": -920, - "y": 80 - } - } - } -inputs: -- key: Hostname - value: - complex: - root: Endpoint - accessor: Hostname - transformers: - - operator: uniq - required: false - description: The hostname of the endpoint to enrich. - playbookInputQuery: null -- key: UseReputationCommand - value: - simple: "False" - required: true - description: |- - Define if you would like to use the !endpoint command. - Note: This input should be used whenever there is no auto-extract enabled in the investigation flow. - Possible values: True / False. - playbookInputQuery: null -- key: IPAddress - value: - complex: - root: Endpoint - accessor: IPAddress - transformers: - - operator: uniq - required: false - description: The IP address of the endpoint to enrich. - playbookInputQuery: null -- key: EndpointID - value: - complex: - root: Endpoint - accessor: ID - transformers: - - operator: uniq - required: false - description: The endpoint ID of the endpoint to enrich. - playbookInputQuery: null -inputSections: -- inputs: - - Hostname - - UseReputationCommand - - IPAddress - - EndpointID - name: General (Inputs group) - description: Generic group for inputs -outputSections: -- outputs: - - Endpoint - - Endpoint.Hostname - - Endpoint.OS - - Endpoint.IP - - Endpoint.MAC - - Endpoint.Domain - - CylanceProtectDevice - - ExtraHop.Device.Macaddr - - ExtraHop.Device.DeviceClass - - ExtraHop.Device.UserModTime - - ExtraHop.Device.AutoRole - - ExtraHop.Device.ParentId - - ExtraHop.Device.Vendor - - ExtraHop.Device.Analysis - - ExtraHop.Device.DiscoveryId - - ExtraHop.Device.DefaultName - - ExtraHop.Device.DisplayName - - ExtraHop.Device.OnWatchlist - - ExtraHop.Device.ModTime - - ExtraHop.Device.IsL3 - - ExtraHop.Device.Role - - ExtraHop.Device.DiscoverTime - - ExtraHop.Device.Id - - ExtraHop.Device.Ipaddr4 - - ExtraHop.Device.Vlanid - - ExtraHop.Device.Ipaddr6 - - ExtraHop.Device.NodeId - - ExtraHop.Device.Description - - ExtraHop.Device.DnsName - - ExtraHop.Device.DhcpName - - ExtraHop.Device.CdpName - - ExtraHop.Device.NetbiosName - - ExtraHop.Device.Url - - Endpoint.IPAddress - - Endpoint.ID - - Endpoint.Status - - Endpoint.IsIsolated - - Endpoint.MACAddress - - Endpoint.Vendor - - Endpoint.Relationships - - Endpoint.Processor - - Endpoint.Processors - - Endpoint.Memory - - Endpoint.Model - - Endpoint.BIOSVersion - - Endpoint.OSVersion - - Endpoint.DHCPServer - - McAfee.ePO.Endpoint - - Endpoint.Groups - - ActiveDirectory.ComputersPageCookie - - ActiveDirectory.Computers.dn - - ActiveDirectory.Computers.memberOf - - ActiveDirectory.Computers.name - - CrowdStrike.Device - - ActiveDirectory.Computers - - CarbonBlackEDR.Sensor.systemvolume_total_size - - CarbonBlackEDR.Sensor.emet_telemetry_path - - CarbonBlackEDR.Sensor.os_environment_display_string - - CarbonBlackEDR.Sensor.emet_version - - CarbonBlackEDR.Sensor.emet_dump_flags - - CarbonBlackEDR.Sensor.clock_delta - - CarbonBlackEDR.Sensor.supports_cblr - - CarbonBlackEDR.Sensor.sensor_uptime - - CarbonBlackEDR.Sensor.last_update - - CarbonBlackEDR.Sensor.physical_memory_size - - CarbonBlackEDR.Sensor.build_id - - CarbonBlackEDR.Sensor.uptime - - CarbonBlackEDR.Sensor.is_isolating - - CarbonBlackEDR.Sensor.event_log_flush_time - - CarbonBlackEDR.Sensor.computer_dns_name - - CarbonBlackEDR.Sensor.emet_report_setting - - CarbonBlackEDR.Sensor.id - - CarbonBlackEDR.Sensor.emet_process_count - - CarbonBlackEDR.Sensor.emet_is_gpo - - CarbonBlackEDR.Sensor.power_state - - CarbonBlackEDR.Sensor.network_isolation_enabled - - CarbonBlackEDR.Sensor.systemvolume_free_size - - CarbonBlackEDR.Sensor.status - - CarbonBlackEDR.Sensor.num_eventlog_bytes - - CarbonBlackEDR.Sensor.sensor_health_message - - CarbonBlackEDR.Sensor.build_version_string - - CarbonBlackEDR.Sensor.computer_sid - - CarbonBlackEDR.Sensor.next_checkin_time - - CarbonBlackEDR.Sensor.node_id - - CarbonBlackEDR.Sensor.cookie - - CarbonBlackEDR.Sensor.emet_exploit_action - - CarbonBlackEDR.Sensor.computer_name - - CarbonBlackEDR.Sensor.license_expiration - - CarbonBlackEDR.Sensor.supports_isolation - - CarbonBlackEDR.Sensor.parity_host_id - - CarbonBlackEDR.Sensor.supports_2nd_gen_modloads - - CarbonBlackEDR.Sensor.network_adapters - - CarbonBlackEDR.Sensor.sensor_health_status - - CarbonBlackEDR.Sensor.registration_time - - CarbonBlackEDR.Sensor.restart_queued - - CarbonBlackEDR.Sensor.notes - - CarbonBlackEDR.Sensor.num_storefiles_bytes - - CarbonBlackEDR.Sensor.os_environment_id - - CarbonBlackEDR.Sensor.shard_id - - CarbonBlackEDR.Sensor.boot_id - - CarbonBlackEDR.Sensor.last_checkin_time - - CarbonBlackEDR.Sensor.os_type - - CarbonBlackEDR.Sensor.group_id - - CarbonBlackEDR.Sensor.uninstall - - PaloAltoNetworksXDR.Endpoint - - PaloAltoNetworksXDR.Endpoint.endpoint_id - - PaloAltoNetworksXDR.Endpoint.endpoint_name - - PaloAltoNetworksXDR.Endpoint.endpoint_type - - PaloAltoNetworksXDR.Endpoint.endpoint_status - - PaloAltoNetworksXDR.Endpoint.os_type - - PaloAltoNetworksXDR.Endpoint.ip - - PaloAltoNetworksXDR.Endpoint.users - - PaloAltoNetworksXDR.Endpoint.domain - - PaloAltoNetworksXDR.Endpoint.alias - - PaloAltoNetworksXDR.Endpoint.first_seen - - PaloAltoNetworksXDR.Endpoint.last_seen - - PaloAltoNetworksXDR.Endpoint.content_version - - PaloAltoNetworksXDR.Endpoint.installation_package - - PaloAltoNetworksXDR.Endpoint.active_directory - - PaloAltoNetworksXDR.Endpoint.install_date - - PaloAltoNetworksXDR.Endpoint.endpoint_version - - PaloAltoNetworksXDR.Endpoint.is_isolated - - PaloAltoNetworksXDR.Endpoint.group_name - - PaloAltoNetworksXDR.Endpoint.count - - Account - - Account.Username - - Account.Domain - - PaloAltoNetworksXDR.RiskyHost - - PaloAltoNetworksXDR.RiskyHost.type - - PaloAltoNetworksXDR.RiskyHost.id - - PaloAltoNetworksXDR.RiskyHost.score - - PaloAltoNetworksXDR.RiskyHost.reasons - - PaloAltoNetworksXDR.RiskyHost.reasons.date created - - PaloAltoNetworksXDR.RiskyHost.reasons.description - - PaloAltoNetworksXDR.RiskyHost.reasons.severity - - PaloAltoNetworksXDR.RiskyHost.reasons.status - - PaloAltoNetworksXDR.RiskyHost.reasons.points - - Core.Endpoint - - Core.Endpoint.endpoint_id - - Core.Endpoint.endpoint_name - - Core.Endpoint.endpoint_type - - Core.Endpoint.endpoint_status - - Core.Endpoint.os_type - - Core.Endpoint.ip - - Core.Endpoint.users - - Core.Endpoint.domain - - Core.Endpoint.alias - - Core.Endpoint.first_seen - - Core.Endpoint.last_seen - - Core.Endpoint.content_version - - Core.Endpoint.installation_package - - Core.Endpoint.active_directory - - Core.Endpoint.install_date - - Core.Endpoint.endpoint_version - - Core.Endpoint.is_isolated - - Core.Endpoint.group_name - - Core.RiskyHost - - Core.RiskyHost.type - - Core.RiskyHost.id - - Core.RiskyHost.score - - Core.RiskyHost.reasons - - Core.RiskyHost.reasons.date created - - Core.RiskyHost.reasons.description - - Core.RiskyHost.reasons.severity - - Core.RiskyHost.reasons.status - - Core.RiskyHost.reasons.points - - McAfee.ePO.Endpoint.ParentID - - McAfee.ePO.Endpoint.ComputerName - - McAfee.ePO.Endpoint.Description - - McAfee.ePO.Endpoint.SystemDescription - - McAfee.ePO.Endpoint.TimeZone - - McAfee.ePO.Endpoint.DefaultLangID - - McAfee.ePO.Endpoint.UserName - - McAfee.ePO.Endpoint.Domain - - McAfee.ePO.Endpoint.Hostname - - McAfee.ePO.Endpoint.IPV6 - - McAfee.ePO.Endpoint.IPAddress - - McAfee.ePO.Endpoint.IPSubnet - - McAfee.ePO.Endpoint.IPSubnetMask - - McAfee.ePO.Endpoint.IPV4x - - McAfee.ePO.Endpoint.IPXAddress - - McAfee.ePO.Endpoint.SubnetAddress - - McAfee.ePO.Endpoint.SubnetMask - - McAfee.ePO.Endpoint.NetAddress - - McAfee.ePO.Endpoint.OSType - - McAfee.ePO.Endpoint.OSVersion - - McAfee.ePO.Endpoint.OSServicePackVer - - McAfee.ePO.Endpoint.OSBuildNum - - McAfee.ePO.Endpoint.OSPlatform - - McAfee.ePO.Endpoint.OSOEMID - - McAfee.ePO.Endpoint.Processor - - McAfee.ePO.Endpoint.CPUSpeed - - McAfee.ePO.Endpoint.Processors - - McAfee.ePO.Endpoint.CPUSerialNum - - McAfee.ePO.Endpoint.Memory - - McAfee.ePO.Endpoint.FreeMemory - - McAfee.ePO.Endpoint.FreeDiskSpace - - McAfee.ePO.Endpoint.TotalDiskSpace - - McAfee.ePO.Endpoint.UserProperty1 - - McAfee.ePO.Endpoint.UserProperty2 - - McAfee.ePO.Endpoint.UserProperty3 - - McAfee.ePO.Endpoint.UserProperty4 - - McAfee.ePO.Endpoint.SysvolFreeSpace - - McAfee.ePO.Endpoint.SysvolTotalSpace - - McAfee.ePO.Endpoint.Tags - - McAfee.ePO.Endpoint.ExcludedTags - - McAfee.ePO.Endpoint.LastUpdate - - McAfee.ePO.Endpoint.ManagedState - - McAfee.ePO.Endpoint.AgentGUID - - McAfee.ePO.Endpoint.AgentVersion - - McAfee.ePO.Endpoint.AutoID - - CrowdStrike.Device.ID - - CrowdStrike.Device.LocalIP - - CrowdStrike.Device.ExternalIP - - CrowdStrike.Device.Hostname - - CrowdStrike.Device.OS - - CrowdStrike.Device.MacAddress - - CrowdStrike.Device.FirstSeen - - CrowdStrike.Device.LastSeen - - CrowdStrike.Device.PolicyType - - CrowdStrike.Device.Status - name: General (Outputs group) - description: Generic group for outputs -outputs: -- contextPath: Endpoint - description: The endpoint object of the endpoint that was enriched. - type: string -- contextPath: Endpoint.Hostname - description: The hostnames of the endpoints that were enriched. - type: string -- contextPath: Endpoint.OS - description: The operating systems running on the endpoints that were enriched. - type: string -- contextPath: Endpoint.IP - description: A list of the IP addresses of the endpoints. - type: string -- contextPath: Endpoint.MAC - description: A list of the MAC addresses of the endpoints that were enriched. - type: string -- contextPath: Endpoint.Domain - description: The domain names of the endpoints that were enriched. - type: string -- contextPath: CylanceProtectDevice - description: The device information about the hostname that was enriched using Cylance - Protect v2. - type: string -- contextPath: ExtraHop.Device.Macaddr - description: The MAC Address of the device. - type: String -- contextPath: ExtraHop.Device.DeviceClass - description: The class of the device. - type: String -- contextPath: ExtraHop.Device.UserModTime - description: The time of the most recent update, expressed in milliseconds since - the epoch. - type: Number -- contextPath: ExtraHop.Device.AutoRole - description: The role automatically detected by the ExtraHop. - type: String -- contextPath: ExtraHop.Device.ParentId - description: The ID of the parent device. - type: Number -- contextPath: ExtraHop.Device.Vendor - description: The device vendor. - type: String -- contextPath: ExtraHop.Device.Analysis - description: The level of analysis preformed on the device. - type: string -- contextPath: ExtraHop.Device.DiscoveryId - description: The UUID given by the Discover appliance. - type: String -- contextPath: ExtraHop.Device.DefaultName - description: The default name of the device. - type: String -- contextPath: ExtraHop.Device.DisplayName - description: The display name of device. - type: String -- contextPath: ExtraHop.Device.OnWatchlist - description: Whether the device is on the advanced analysis allow list. - type: Boolean -- contextPath: ExtraHop.Device.ModTime - description: The time of the most recent update, expressed in milliseconds since - the epoch. - type: Number -- contextPath: ExtraHop.Device.IsL3 - description: Indicates whether the device is a Layer 3 device. - type: Boolean -- contextPath: ExtraHop.Device.Role - description: The role of the device. - type: String -- contextPath: ExtraHop.Device.DiscoverTime - description: The time that the device was discovered. - type: Number -- contextPath: ExtraHop.Device.Id - description: The ID of the device. - type: Number -- contextPath: ExtraHop.Device.Ipaddr4 - description: The IPv4 address of the device. - type: String -- contextPath: ExtraHop.Device.Vlanid - description: The ID of VLan. - type: Number -- contextPath: ExtraHop.Device.Ipaddr6 - description: The IPv6 address of the device. - type: string -- contextPath: ExtraHop.Device.NodeId - description: The Node ID of the Discover appliance. - type: number -- contextPath: ExtraHop.Device.Description - description: A user customizable description of the device. - type: string -- contextPath: ExtraHop.Device.DnsName - description: The DNS name associated with the device. - type: string -- contextPath: ExtraHop.Device.DhcpName - description: The DHCP name associated with the device. - type: string -- contextPath: ExtraHop.Device.CdpName - description: The Cisco Discovery Protocol name associated with the device. - type: string -- contextPath: ExtraHop.Device.NetbiosName - description: The NetBIOS name associated with the device. - type: string -- contextPath: ExtraHop.Device.Url - description: Link to the device details page in ExtraHop. - type: string -- contextPath: Endpoint.IPAddress - description: The endpoint IP address or list of IP addresses. - type: string -- contextPath: Endpoint.ID - description: The endpoint ID. - type: string -- contextPath: Endpoint.Status - description: The endpoint status. - type: string -- contextPath: Endpoint.IsIsolated - description: The endpoint isolation status. - type: string -- contextPath: Endpoint.MACAddress - description: The endpoint MAC address. - type: string -- contextPath: Endpoint.Vendor - description: The integration name of the endpoint vendor. - type: string -- contextPath: Endpoint.Relationships - description: The endpoint relationships of the endpoint that was enriched. - type: string -- contextPath: Endpoint.Processor - description: The model of the processor. - type: string -- contextPath: Endpoint.Processors - description: The number of processors. - type: string -- contextPath: Endpoint.Memory - description: Memory on this endpoint. - type: string -- contextPath: Endpoint.Model - description: The model of the machine or device. - type: string -- contextPath: Endpoint.BIOSVersion - description: The endpoint's BIOS version. - type: string -- contextPath: Endpoint.OSVersion - description: The endpoint's operation system version. - type: string -- contextPath: Endpoint.DHCPServer - description: The DHCP server of the endpoint. - type: string -- contextPath: McAfee.ePO.Endpoint - description: The endpoint that was enriched. - type: string -- contextPath: Endpoint.Groups - description: Groups for which the computer is listed as a member. - type: string -- contextPath: ActiveDirectory.ComputersPageCookie - description: An opaque string received in a paged search, used for requesting subsequent - entries. - type: string -- contextPath: ActiveDirectory.Computers.dn - description: The computer distinguished name. - type: string -- contextPath: ActiveDirectory.Computers.memberOf - description: Groups for which the computer is listed. - type: string -- contextPath: ActiveDirectory.Computers.name - description: The computer name. - type: string -- contextPath: CrowdStrike.Device - description: The information about the endpoint. - type: string -- contextPath: ActiveDirectory.Computers - description: The information about the hostname that was enriched using Active Directory. - type: string -- contextPath: CarbonBlackEDR.Sensor.systemvolume_total_size - description: The size, in bytes, of the system volume of the endpoint on which the - sensor is installed. installed. - type: number -- contextPath: CarbonBlackEDR.Sensor.emet_telemetry_path - description: The path of the EMET telemetry associated with the sensor. - type: string -- contextPath: CarbonBlackEDR.Sensor.os_environment_display_string - description: Human-readable string of the installed OS. - type: string -- contextPath: CarbonBlackEDR.Sensor.emet_version - description: The EMET version associated with the sensor. - type: string -- contextPath: CarbonBlackEDR.Sensor.emet_dump_flags - description: The flags of the EMET dump associated with the sensor. - type: string -- contextPath: CarbonBlackEDR.Sensor.clock_delta - description: The clock delta associated with the sensor. - type: string -- contextPath: CarbonBlackEDR.Sensor.supports_cblr - description: Whether the sensor supports Carbon Black Live Response (CbLR). - type: string -- contextPath: CarbonBlackEDR.Sensor.sensor_uptime - description: The uptime of the process. - type: string -- contextPath: CarbonBlackEDR.Sensor.last_update - description: When the sensor was last updated. - type: string -- contextPath: CarbonBlackEDR.Sensor.physical_memory_size - description: The size in bytes of physical memory. - type: number -- contextPath: CarbonBlackEDR.Sensor.build_id - description: The sensor version installed on this endpoint. From the /api/builds/ - endpoint. - type: string -- contextPath: CarbonBlackEDR.Sensor.uptime - description: Endpoint uptime in seconds. - type: string -- contextPath: CarbonBlackEDR.Sensor.is_isolating - description: Boolean representing sensor-reported isolation status. - type: boolean -- contextPath: CarbonBlackEDR.Sensor.event_log_flush_time - description: |- - If event_log_flush_time is set, the server will instruct the sensor to immediately - send all data before this date, ignoring all other throttling mechanisms. - To force a host current, set this value to a value far in the future. - When the sensor has finished sending its queued data, this value will be null. - type: string -- contextPath: CarbonBlackEDR.Sensor.computer_dns_name - description: The DNS name of the endpoint on which the sensor is installed. - type: string -- contextPath: CarbonBlackEDR.Sensor.emet_report_setting - description: The report setting of the EMET associated with the sensor. - type: string -- contextPath: CarbonBlackEDR.Sensor.id - description: The ID of this sensor. - type: string -- contextPath: CarbonBlackEDR.Sensor.emet_process_count - description: The number of EMET processes associated with the sensor. - type: string -- contextPath: CarbonBlackEDR.Sensor.emet_is_gpo - description: Whether the EMET is a GPO. - type: string -- contextPath: CarbonBlackEDR.Sensor.power_state - description: The sensor power state. - type: string -- contextPath: CarbonBlackEDR.Sensor.network_isolation_enabled - description: Boolean representing the network isolation request status. - type: boolean -- contextPath: CarbonBlackEDR.Sensor.systemvolume_free_size - description: The amount of free bytes on the system volume. - type: string -- contextPath: CarbonBlackEDR.Sensor.status - description: The sensor status. - type: string -- contextPath: CarbonBlackEDR.Sensor.num_eventlog_bytes - description: The number of event log bytes. - type: number -- contextPath: CarbonBlackEDR.Sensor.sensor_health_message - description: Human-readable string indicating the sensor’s self-reported status. - type: string -- contextPath: CarbonBlackEDR.Sensor.build_version_string - description: Human-readable string of the sensor version. - type: string -- contextPath: CarbonBlackEDR.Sensor.computer_sid - description: Machine SID of this host. - type: string -- contextPath: CarbonBlackEDR.Sensor.next_checkin_time - description: Next expected communication from this computer in server-local time - and zone. - type: string -- contextPath: CarbonBlackEDR.Sensor.node_id - description: The node ID associated with the sensor. - type: string -- contextPath: CarbonBlackEDR.Sensor.cookie - description: The cookie associated with the sensor. - type: string -- contextPath: CarbonBlackEDR.Sensor.emet_exploit_action - description: The EMET exploit action associated with the sensor. - type: string -- contextPath: CarbonBlackEDR.Sensor.computer_name - description: NetBIOS name of this computer. - type: string -- contextPath: CarbonBlackEDR.Sensor.license_expiration - description: When the license of the sensor expires. - type: string -- contextPath: CarbonBlackEDR.Sensor.supports_isolation - description: Whether the sensor supports isolation. - type: string -- contextPath: CarbonBlackEDR.Sensor.parity_host_id - description: The ID of the parity host associated with the sensor. - type: string -- contextPath: CarbonBlackEDR.Sensor.supports_2nd_gen_modloads - description: Whether the sensor support modload of 2nd generation. - type: string -- contextPath: CarbonBlackEDR.Sensor.network_adapters - description: A pipe-delimited list of IP,MAC pairs for each network interface. - type: string -- contextPath: CarbonBlackEDR.Sensor.sensor_health_status - description: Self-reported health score, from 0 to 100. Higher numbers indicate - a better health status. - type: string -- contextPath: CarbonBlackEDR.Sensor.registration_time - description: Time this sensor was originally registered in server-local time and - zone. - type: string -- contextPath: CarbonBlackEDR.Sensor.restart_queued - description: Whether a restart of the sensor is queued. - type: string -- contextPath: CarbonBlackEDR.Sensor.notes - description: The notes associated with the sensor. - type: string -- contextPath: CarbonBlackEDR.Sensor.num_storefiles_bytes - description: Number of storefiles bytes associated with the sensor. - type: string -- contextPath: CarbonBlackEDR.Sensor.os_environment_id - description: The ID of the OS environment of the sensor. - type: string -- contextPath: CarbonBlackEDR.Sensor.shard_id - description: The ID of the shard associated with the sensor. - type: string -- contextPath: CarbonBlackEDR.Sensor.boot_id - description: A sequential counter of boots since the sensor was installed. - type: string -- contextPath: CarbonBlackEDR.Sensor.last_checkin_time - description: Last communication with this computer in server-local time and zone. - type: string -- contextPath: CarbonBlackEDR.Sensor.os_type - description: The operating system type of the computer. - type: string -- contextPath: CarbonBlackEDR.Sensor.group_id - description: The sensor group ID this sensor is assigned to. - type: string -- contextPath: CarbonBlackEDR.Sensor.uninstall - description: When set, indicates that the sensor will be directed to uninstall on - next check-in. - type: string -- contextPath: PaloAltoNetworksXDR.Endpoint - description: The endpoint object of the endpoint that was enriched. - type: string -- contextPath: PaloAltoNetworksXDR.Endpoint.endpoint_id - description: The endpoint ID. - type: string -- contextPath: PaloAltoNetworksXDR.Endpoint.endpoint_name - description: The endpoint name. - type: string -- contextPath: PaloAltoNetworksXDR.Endpoint.endpoint_type - description: The endpoint type. - type: string -- contextPath: PaloAltoNetworksXDR.Endpoint.endpoint_status - description: The status of the endpoint. - type: string -- contextPath: PaloAltoNetworksXDR.Endpoint.os_type - description: The endpoint OS type. - type: string -- contextPath: PaloAltoNetworksXDR.Endpoint.ip - description: A list of IP addresses. - type: string -- contextPath: PaloAltoNetworksXDR.Endpoint.users - description: A list of users. - type: string -- contextPath: PaloAltoNetworksXDR.Endpoint.domain - description: The endpoint domain. - type: string -- contextPath: PaloAltoNetworksXDR.Endpoint.alias - description: The endpoint's aliases. - type: string -- contextPath: PaloAltoNetworksXDR.Endpoint.first_seen - description: First seen date/time in Epoch (milliseconds). - type: string -- contextPath: PaloAltoNetworksXDR.Endpoint.last_seen - description: Last seen date/time in Epoch (milliseconds). - type: string -- contextPath: PaloAltoNetworksXDR.Endpoint.content_version - description: Content version. - type: string -- contextPath: PaloAltoNetworksXDR.Endpoint.installation_package - description: Installation package. - type: string -- contextPath: PaloAltoNetworksXDR.Endpoint.active_directory - description: Active directory. - type: string -- contextPath: PaloAltoNetworksXDR.Endpoint.install_date - description: Install date in Epoch (milliseconds). - type: string -- contextPath: PaloAltoNetworksXDR.Endpoint.endpoint_version - description: Endpoint version. - type: string -- contextPath: PaloAltoNetworksXDR.Endpoint.is_isolated - description: Whether the endpoint is isolated. - type: string -- contextPath: PaloAltoNetworksXDR.Endpoint.group_name - description: The name of the group to which the endpoint belongs. - type: string -- contextPath: PaloAltoNetworksXDR.Endpoint.count - description: Number of endpoints returned. - type: number -- contextPath: Account - description: The account object of the endpoint that was enriched. - type: string -- contextPath: Account.Username - description: The username in the relevant system. - type: string -- contextPath: Account.Domain - description: The domain of the account. - type: string -- contextPath: PaloAltoNetworksXDR.RiskyHost - description: The endpoint object. - type: string -- contextPath: PaloAltoNetworksXDR.RiskyHost.type - description: Form of identification element. - type: string -- contextPath: PaloAltoNetworksXDR.RiskyHost.id - description: Identification value of the type field. - type: string -- contextPath: PaloAltoNetworksXDR.RiskyHost.score - description: The score assigned to the host. - type: string -- contextPath: PaloAltoNetworksXDR.RiskyHost.reasons - description: The endpoint risk objects. - type: string -- contextPath: PaloAltoNetworksXDR.RiskyHost.reasons.date created - description: Date when the incident was created. - type: string -- contextPath: PaloAltoNetworksXDR.RiskyHost.reasons.description - description: Description of the incident. - type: string -- contextPath: PaloAltoNetworksXDR.RiskyHost.reasons.severity - description: The severity of the incident. - type: string -- contextPath: PaloAltoNetworksXDR.RiskyHost.reasons.status - description: The incident status. - type: string -- contextPath: PaloAltoNetworksXDR.RiskyHost.reasons.points - description: The score. - type: string -- contextPath: Core.Endpoint - description: The endpoint object. - type: unknown -- contextPath: Core.Endpoint.endpoint_id - description: The endpoint ID. -- contextPath: Core.Endpoint.endpoint_name - description: The endpoint name. -- contextPath: Core.Endpoint.endpoint_type - description: The endpoint type. -- contextPath: Core.Endpoint.endpoint_status - description: The status of the endpoint. -- contextPath: Core.Endpoint.os_type - description: The endpoint OS type. -- contextPath: Core.Endpoint.ip - description: A list of IP addresses. -- contextPath: Core.Endpoint.users - description: A list of users. -- contextPath: Core.Endpoint.domain - description: The endpoint domain. -- contextPath: Core.Endpoint.alias - description: The endpoint's aliases. -- contextPath: Core.Endpoint.first_seen - description: First seen date/time in Epoch (milliseconds). -- contextPath: Core.Endpoint.last_seen - description: Last seen date/time in Epoch (milliseconds). -- contextPath: Core.Endpoint.content_version - description: Content version. -- contextPath: Core.Endpoint.installation_package - description: Installation package. -- contextPath: Core.Endpoint.active_directory - description: Active directory. -- contextPath: Core.Endpoint.install_date - description: Install date in Epoch (milliseconds). -- contextPath: Core.Endpoint.endpoint_version - description: Endpoint version. -- contextPath: Core.Endpoint.is_isolated - description: Whether the endpoint is isolated. -- contextPath: Core.Endpoint.group_name - description: The name of the group to which the endpoint belongs. -- contextPath: Core.RiskyHost - description: The risky host object. - type: unknown -- contextPath: Core.RiskyHost.type - description: Form of identification element. -- contextPath: Core.RiskyHost.id - description: Identification value of the type field. -- contextPath: Core.RiskyHost.score - description: The score assigned to the host. -- contextPath: Core.RiskyHost.reasons - description: The reasons for the risk level. - type: unknown -- contextPath: Core.RiskyHost.reasons.date created - description: Date when the incident was created. -- contextPath: Core.RiskyHost.reasons.description - description: Description of the incident. -- contextPath: Core.RiskyHost.reasons.severity - description: The severity of the incident. -- contextPath: Core.RiskyHost.reasons.status - description: The incident status. -- contextPath: Core.RiskyHost.reasons.points - description: The score. -- contextPath: McAfee.ePO.Endpoint.ParentID - description: Endpoint parent ID. -- contextPath: McAfee.ePO.Endpoint.ComputerName - description: Endpoint computer name. -- contextPath: McAfee.ePO.Endpoint.Description - description: Endpoint description. -- contextPath: McAfee.ePO.Endpoint.SystemDescription - description: Endpoint system description. -- contextPath: McAfee.ePO.Endpoint.TimeZone - description: Endpoint time zone. -- contextPath: McAfee.ePO.Endpoint.DefaultLangID - description: Endpoint default language ID. -- contextPath: McAfee.ePO.Endpoint.UserName - description: Endpoint username. -- contextPath: McAfee.ePO.Endpoint.Domain - description: Endpoint domain name. -- contextPath: McAfee.ePO.Endpoint.Hostname - description: Endpoint IP host name. -- contextPath: McAfee.ePO.Endpoint.IPV6 - description: Endpoint IPv6 address. -- contextPath: McAfee.ePO.Endpoint.IPAddress - description: Endpoint IP address. -- contextPath: McAfee.ePO.Endpoint.IPSubnet - description: Endpoint IP subnet. -- contextPath: McAfee.ePO.Endpoint.IPSubnetMask - description: Endpoint IP subnet mask. -- contextPath: McAfee.ePO.Endpoint.IPV4x - description: Endpoint IPV4x address. -- contextPath: McAfee.ePO.Endpoint.IPXAddress - description: Endpoint IPX address. -- contextPath: McAfee.ePO.Endpoint.SubnetAddress - description: Endpoint subnet address. -- contextPath: McAfee.ePO.Endpoint.SubnetMask - description: Endpoint subnet mask. -- contextPath: McAfee.ePO.Endpoint.NetAddress - description: Endpoint net address. -- contextPath: McAfee.ePO.Endpoint.OSType - description: Endpoint OS type. -- contextPath: McAfee.ePO.Endpoint.OSVersion - description: Endpoint OS version. -- contextPath: McAfee.ePO.Endpoint.OSServicePackVer - description: Endpoint OS service pack version. -- contextPath: McAfee.ePO.Endpoint.OSBuildNum - description: Endpoint OS build number. -- contextPath: McAfee.ePO.Endpoint.OSPlatform - description: Endpoint OS platform. -- contextPath: McAfee.ePO.Endpoint.OSOEMID - description: Endpoint OS OEM ID. -- contextPath: McAfee.ePO.Endpoint.Processor - description: Endpoint CPU type. -- contextPath: McAfee.ePO.Endpoint.CPUSpeed - description: Endpoint CPU speed. -- contextPath: McAfee.ePO.Endpoint.Processors - description: Number of CPUs in the endpoint. -- contextPath: McAfee.ePO.Endpoint.CPUSerialNum - description: Endpoint CPU serial number. -- contextPath: McAfee.ePO.Endpoint.Memory - description: The total amount of physical memory in the endpoint. -- contextPath: McAfee.ePO.Endpoint.FreeMemory - description: The amount of free memory in the endpoint. -- contextPath: McAfee.ePO.Endpoint.FreeDiskSpace - description: The amount of free disk space in the endpoint. -- contextPath: McAfee.ePO.Endpoint.TotalDiskSpace - description: The total amount of disk space in the endpoint. -- contextPath: McAfee.ePO.Endpoint.UserProperty1 - description: Endpoint user property 1. -- contextPath: McAfee.ePO.Endpoint.UserProperty2 - description: Endpoint user property 2. -- contextPath: McAfee.ePO.Endpoint.UserProperty3 - description: Endpoint user property 3. -- contextPath: McAfee.ePO.Endpoint.UserProperty4 - description: Endpoint user property 4. -- contextPath: McAfee.ePO.Endpoint.SysvolFreeSpace - description: The amount of system volume free space in the endpoint. -- contextPath: McAfee.ePO.Endpoint.SysvolTotalSpace - description: The total amount of system volume space in the endpoint. -- contextPath: McAfee.ePO.Endpoint.Tags - description: Endpoint ePO tags. -- contextPath: McAfee.ePO.Endpoint.ExcludedTags - description: Endpoint EPO excluded tags. -- contextPath: McAfee.ePO.Endpoint.LastUpdate - description: The date the endpoint was last updated. -- contextPath: McAfee.ePO.Endpoint.ManagedState - description: Endpoint managed state. -- contextPath: McAfee.ePO.Endpoint.AgentGUID - description: Endpoint agent GUID. -- contextPath: McAfee.ePO.Endpoint.AgentVersion - description: Endpoint agent version. -- contextPath: McAfee.ePO.Endpoint.AutoID - description: Endpoint auto ID. -- contextPath: CrowdStrike.Device.ID - description: The ID of the device. -- contextPath: CrowdStrike.Device.LocalIP - description: The local IP address of the device. -- contextPath: CrowdStrike.Device.ExternalIP - description: The external IP address of the device. -- contextPath: CrowdStrike.Device.Hostname - description: The host name of the device. -- contextPath: CrowdStrike.Device.OS - description: The operating system of the device. -- contextPath: CrowdStrike.Device.MacAddress - description: The MAC address of the device. -- contextPath: CrowdStrike.Device.FirstSeen - description: The first time the device was seen. -- contextPath: CrowdStrike.Device.LastSeen - description: The last time the device was seen. -- contextPath: CrowdStrike.Device.PolicyType - description: The policy type of the device. -- contextPath: CrowdStrike.Device.Status - description: The device status. -sourceplaybookid: Endpoint Enrichment - Generic v2.1 -dirtyInputs: true -adopted: true From 0c90a1a5ed85d70339ff4d2ebcb16702f1dc63db Mon Sep 17 00:00:00 2001 From: Scott Brumley Date: Tue, 20 Jan 2026 16:53:40 -0500 Subject: [PATCH 06/49] - Update to soc-packs-release-v2.yml to use the demisto-sdk zip-file for creating packages. It does a better job - Also updating the soc-packs-release-debug.yml for the same reason. --- .github/workflows/soc-packs-release-debug.yml | 19 ++++++++- .github/workflows/soc-packs-release-v2.yml | 40 +++++++++++++------ 2 files changed, 46 insertions(+), 13 deletions(-) diff --git a/.github/workflows/soc-packs-release-debug.yml b/.github/workflows/soc-packs-release-debug.yml index b7290e1..9b40cde 100644 --- a/.github/workflows/soc-packs-release-debug.yml +++ b/.github/workflows/soc-packs-release-debug.yml @@ -132,7 +132,24 @@ jobs: zip_path = dist / f"{pack}.zip" if zip_path.exists(): zip_path.unlink() - run_cmd(["zip", "-r", str(zip_path), str(pack_path)]) + before = set(dist.glob("*.zip")) + + run_cmd([ + "demisto-sdk", "zip-packs", + "-i", str(pack_path), + "-o", str(dist) + ]) + + after = set(dist.glob("*.zip")) + created = sorted(after - before) + + if not created: + raise RuntimeError(f"{pack}: demisto-sdk zip-packs produced no zip in {dist}") + + candidates = [z for z in created if pack in z.name] + zip_path = (sorted(candidates) or created)[-1] + + print(f"Built demisto-sdk zip: {zip_path}") print(f"Built zip: {zip_path}") diff --git a/.github/workflows/soc-packs-release-v2.yml b/.github/workflows/soc-packs-release-v2.yml index 8f98aea..403802f 100644 --- a/.github/workflows/soc-packs-release-v2.yml +++ b/.github/workflows/soc-packs-release-v2.yml @@ -172,18 +172,28 @@ jobs: print(f"Processing pack={pack}, version={version}") - # Build zip with contents at top-level - zip_path = (dist / f"{pack}.zip").resolve() - if zip_path.exists(): - zip_path.unlink() - - # Run from inside Packs/ so '.' = its contents - run_cmd( - ["zip", "-r", str(zip_path), "."], - cwd=str(pack_path) - ) - - input_zip = zip_path + # Build zip the CORRECT way for core-api-install-packs + # (demisto-sdk removes junk files and writes metadata.json) + before = set(dist.glob("*.zip")) + + run_cmd([ + "demisto-sdk", "zip-packs", + "-i", str(pack_path), + "-o", str(dist) + ]) + + after = set(dist.glob("*.zip")) + created = sorted(after - before) + + if not created: + raise RuntimeError(f"{pack}: demisto-sdk zip-packs produced no zip in {dist}") + + # Prefer a zip that contains the pack name, otherwise take the newest + candidates = [z for z in created if pack in z.name] + input_zip = (sorted(candidates) or created)[-1] + + print("Created demisto-sdk pack zip:", input_zip) + print("Created pack zip:", input_zip) # Decide tag & asset name based on environment @@ -207,6 +217,12 @@ jobs: # Create or update GitHub Release exists = gh("release", "view", tag, check=False).returncode == 0 if exists: + exists = gh("release", "view", tag, check=False).returncode == 0 + if environment == "main": + raise RuntimeError( + f"Release tag {tag} already exists on main. Refusing to clobber. " + f"Bump the pack version to publish a new immutable release." + ) gh("release", "upload", tag, str(final_zip), "--clobber") else: args = ["release", "create", tag, str(final_zip), "-t", title] From 59e02548972022f2448c6f19913920a141688588 Mon Sep 17 00:00:00 2001 From: Scott Brumley Date: Tue, 20 Jan 2026 17:00:21 -0500 Subject: [PATCH 07/49] - Testing new package format with demisto-sdk - Will be used with the SOC Framework bootloader. --- Packs/soc-optimization/pack_metadata.json | 2 +- Packs/soc-optimization/xsoar_config.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Packs/soc-optimization/pack_metadata.json b/Packs/soc-optimization/pack_metadata.json index 1b1d57e..cc33396 100644 --- a/Packs/soc-optimization/pack_metadata.json +++ b/Packs/soc-optimization/pack_metadata.json @@ -3,7 +3,7 @@ "id": "soc-optimization", "description": "This contents the content used to leverage processes that the Palo SOC uses including: Playbooks, integrations, layouts, etc.", "support": "xsoar", - "currentVersion": "2.1.42", + "currentVersion": "2.1.43", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/soc-optimization/xsoar_config.json b/Packs/soc-optimization/xsoar_config.json index fe7a892..6e565df 100644 --- a/Packs/soc-optimization/xsoar_config.json +++ b/Packs/soc-optimization/xsoar_config.json @@ -8,7 +8,7 @@ "custom_packs": [ { "id": "soc-optimization.zip", - "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-optimization-v2.1.42/soc-optimization-v2.1.42.zip", + "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-optimization-v2.1.43/soc-optimization-v2.1.43.zip", "system": "yes" } ], From dd6f11f97490d33c42cd84c85cf09894f55fc37b Mon Sep 17 00:00:00 2001 From: Scott Brumley Date: Tue, 20 Jan 2026 17:01:40 -0500 Subject: [PATCH 08/49] - Bump packing - Testing SOC Framework Old --- pack_catalog.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pack_catalog.json b/pack_catalog.json index 09d29f3..478b750 100644 --- a/pack_catalog.json +++ b/pack_catalog.json @@ -35,7 +35,7 @@ { "id": "soc-optimization", "display_name": "SOC Framework", - "version": "2.1.42", + "version": "2.1.43", "path": "Packs/soc-optimization", "visible": false, "xsoar_config": "https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/Packs/soc-optimization/xsoar_config.json" From 6bf7b94616719fc894c989f3d95c087e450fd754 Mon Sep 17 00:00:00 2001 From: Scott Brumley Date: Tue, 20 Jan 2026 17:08:55 -0500 Subject: [PATCH 09/49] - Issue when a package is not created assuming all should be. --- .github/workflows/soc-packs-release-v2.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/soc-packs-release-v2.yml b/.github/workflows/soc-packs-release-v2.yml index 403802f..595c303 100644 --- a/.github/workflows/soc-packs-release-v2.yml +++ b/.github/workflows/soc-packs-release-v2.yml @@ -186,7 +186,8 @@ jobs: created = sorted(after - before) if not created: - raise RuntimeError(f"{pack}: demisto-sdk zip-packs produced no zip in {dist}") + print(f"{pack}: no uploadable zip produced by demisto-sdk (skipping)") + continue # Prefer a zip that contains the pack name, otherwise take the newest candidates = [z for z in created if pack in z.name] From 14f5a92f5685443b78355e151285a371ca71bf7a Mon Sep 17 00:00:00 2001 From: Scott Brumley Date: Tue, 20 Jan 2026 17:23:29 -0500 Subject: [PATCH 10/49] - Added Deprecation language to Package - Using package to test demist-sdk zip-file in CI. --- Packs/soc-optimization/pack_metadata.json | 6 +++--- Packs/soc-optimization/xsoar_config.json | 2 +- pack_catalog.json | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/Packs/soc-optimization/pack_metadata.json b/Packs/soc-optimization/pack_metadata.json index cc33396..4a578d6 100644 --- a/Packs/soc-optimization/pack_metadata.json +++ b/Packs/soc-optimization/pack_metadata.json @@ -1,9 +1,9 @@ { - "name": "SOC Framework", + "name": "SOC Framework (DEPRECATED)", "id": "soc-optimization", - "description": "This contents the content used to leverage processes that the Palo SOC uses including: Playbooks, integrations, layouts, etc.", + "description": "This Package has been deprecated. The new package is the SOC Framework Unified. This contents the content used to leverage processes that the Palo SOC uses including: Playbooks, integrations, layouts, etc.", "support": "xsoar", - "currentVersion": "2.1.43", + "currentVersion": "2.1.44", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/soc-optimization/xsoar_config.json b/Packs/soc-optimization/xsoar_config.json index 6e565df..d66af93 100644 --- a/Packs/soc-optimization/xsoar_config.json +++ b/Packs/soc-optimization/xsoar_config.json @@ -8,7 +8,7 @@ "custom_packs": [ { "id": "soc-optimization.zip", - "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-optimization-v2.1.43/soc-optimization-v2.1.43.zip", + "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-optimization-v2.1.44/soc-optimization-v2.1.44.zip", "system": "yes" } ], diff --git a/pack_catalog.json b/pack_catalog.json index 478b750..f5f8ff3 100644 --- a/pack_catalog.json +++ b/pack_catalog.json @@ -34,8 +34,8 @@ }, { "id": "soc-optimization", - "display_name": "SOC Framework", - "version": "2.1.43", + "display_name": "SOC Framework (DEPRECATED)", + "version": "2.1.44", "path": "Packs/soc-optimization", "visible": false, "xsoar_config": "https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/Packs/soc-optimization/xsoar_config.json" From d460a6e07e92e3eb4bff8102dbc34be023752478 Mon Sep 17 00:00:00 2001 From: Scott Brumley Date: Tue, 20 Jan 2026 17:37:15 -0500 Subject: [PATCH 11/49] - Using package to test demist-sdk zip-file in CI. - First try has some old code. --- .github/workflows/soc-packs-release-debug.yml | 35 ++++++++++++------- .github/workflows/soc-packs-release-v2.yml | 29 ++++++++++----- 2 files changed, 42 insertions(+), 22 deletions(-) diff --git a/.github/workflows/soc-packs-release-debug.yml b/.github/workflows/soc-packs-release-debug.yml index 9b40cde..7d24731 100644 --- a/.github/workflows/soc-packs-release-debug.yml +++ b/.github/workflows/soc-packs-release-debug.yml @@ -95,6 +95,7 @@ jobs: if: ${{ steps.changed.outputs.packs != '' }} env: CHANGED_PACKS: ${{ steps.changed.outputs.packs }} + DEMISTO_SDK_IGNORE_CONTENT_WARNING: "1" run: | python - << 'PY' import json, os, subprocess @@ -104,9 +105,15 @@ jobs: changed = os.environ["CHANGED_PACKS"].split() repo = os.environ["GITHUB_REPOSITORY"] + repo_root = Path.cwd() + dist = Path("dist") dist.mkdir(exist_ok=True) + # demisto-sdk zip-packs writes here by default when -o dist is used + uploadable_dir = dist / "uploadable_packs" + uploadable_dir.mkdir(parents=True, exist_ok=True) + def run_cmd(cmd, cwd=None, check=True): print("+", " ".join(cmd), f"(cwd={cwd or os.getcwd()})") return subprocess.run(cmd, check=check, cwd=cwd) @@ -128,30 +135,32 @@ jobs: print(f"=== DRY RUN for pack={pack}, version={version} ===") - # Build plain zip - zip_path = dist / f"{pack}.zip" - if zip_path.exists(): - zip_path.unlink() - before = set(dist.glob("*.zip")) + # Remove any prior zip-packs outputs for this pack so detection is reliable + for z in uploadable_dir.glob(f"*{pack}*.zip"): + try: + z.unlink() + except Exception: + pass + + before = set(uploadable_dir.glob("*.zip")) run_cmd([ "demisto-sdk", "zip-packs", "-i", str(pack_path), "-o", str(dist) - ]) + ], cwd=str(repo_root)) - after = set(dist.glob("*.zip")) + after = set(uploadable_dir.glob("*.zip")) created = sorted(after - before) if not created: - raise RuntimeError(f"{pack}: demisto-sdk zip-packs produced no zip in {dist}") + print(f"{pack}: demisto-sdk zip-packs produced no zip in {uploadable_dir} (skipping)") + continue candidates = [z for z in created if pack in z.name] - zip_path = (sorted(candidates) or created)[-1] - - print(f"Built demisto-sdk zip: {zip_path}") + built_zip = (sorted(candidates) or created)[-1] - print(f"Built zip: {zip_path}") + print(f"Built demisto-sdk zip: {built_zip}") # Show what release tag/asset would be tag = f"{pack}-v{version}-staging" @@ -180,7 +189,7 @@ jobs: if not found: print(f"Would set top-level cfg['url'] = {url}") - print(\"\\nDRY RUN COMPLETE (no releases created, no commits pushed)\") + print("\nDRY RUN COMPLETE (no releases created, no commits pushed)") PY - name: No packs changed diff --git a/.github/workflows/soc-packs-release-v2.yml b/.github/workflows/soc-packs-release-v2.yml index 595c303..ee6b43a 100644 --- a/.github/workflows/soc-packs-release-v2.yml +++ b/.github/workflows/soc-packs-release-v2.yml @@ -145,9 +145,15 @@ jobs: environment = os.environ["ENVIRONMENT"] repo = os.environ["GITHUB_REPOSITORY"] + repo_root = Path.cwd() + dist = Path("dist") dist.mkdir(exist_ok=True) + # demisto-sdk zip-packs writes here by default when -o dist is used + uploadable_dir = dist / "uploadable_packs" + uploadable_dir.mkdir(parents=True, exist_ok=True) + def run_cmd(cmd, cwd=None): print("+", " ".join(cmd), f"(cwd={cwd or os.getcwd()})") subprocess.run(cmd, check=True, cwd=cwd) @@ -172,21 +178,27 @@ jobs: print(f"Processing pack={pack}, version={version}") - # Build zip the CORRECT way for core-api-install-packs - # (demisto-sdk removes junk files and writes metadata.json) - before = set(dist.glob("*.zip")) + # ---- IMPORTANT: ensure we detect the zip produced by zip-packs ---- + # Remove any previous zip-packs output for this pack so before/after works reliably. + for z in uploadable_dir.glob(f"*{pack}*.zip"): + try: + z.unlink() + except Exception: + pass + + before = set(uploadable_dir.glob("*.zip")) run_cmd([ "demisto-sdk", "zip-packs", "-i", str(pack_path), "-o", str(dist) - ]) + ], cwd=str(repo_root)) - after = set(dist.glob("*.zip")) + after = set(uploadable_dir.glob("*.zip")) created = sorted(after - before) if not created: - print(f"{pack}: no uploadable zip produced by demisto-sdk (skipping)") + print(f"{pack}: demisto-sdk zip-packs produced no zip in {uploadable_dir} (skipping)") continue # Prefer a zip that contains the pack name, otherwise take the newest @@ -195,8 +207,6 @@ jobs: print("Created demisto-sdk pack zip:", input_zip) - print("Created pack zip:", input_zip) - # Decide tag & asset name based on environment if environment == "develop": tag = f"{pack}-v{version}-dev" @@ -212,13 +222,14 @@ jobs: final_zip = dist / asset if final_zip.exists(): final_zip.unlink() + + # Move the demisto-sdk produced zip to the release asset name/location input_zip.rename(final_zip) print("Final asset zip:", final_zip) # Create or update GitHub Release exists = gh("release", "view", tag, check=False).returncode == 0 if exists: - exists = gh("release", "view", tag, check=False).returncode == 0 if environment == "main": raise RuntimeError( f"Release tag {tag} already exists on main. Refusing to clobber. " From edd6a18ec7645511b477ac876445b2f9d9f22191 Mon Sep 17 00:00:00 2001 From: Scott Brumley Date: Tue, 20 Jan 2026 17:39:36 -0500 Subject: [PATCH 12/49] - Text bump --- Packs/soc-optimization/pack_metadata.json | 2 +- Packs/soc-optimization/xsoar_config.json | 2 +- pack_catalog.json | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Packs/soc-optimization/pack_metadata.json b/Packs/soc-optimization/pack_metadata.json index 4a578d6..800b662 100644 --- a/Packs/soc-optimization/pack_metadata.json +++ b/Packs/soc-optimization/pack_metadata.json @@ -3,7 +3,7 @@ "id": "soc-optimization", "description": "This Package has been deprecated. The new package is the SOC Framework Unified. This contents the content used to leverage processes that the Palo SOC uses including: Playbooks, integrations, layouts, etc.", "support": "xsoar", - "currentVersion": "2.1.44", + "currentVersion": "2.1.45", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/soc-optimization/xsoar_config.json b/Packs/soc-optimization/xsoar_config.json index d66af93..96c0f67 100644 --- a/Packs/soc-optimization/xsoar_config.json +++ b/Packs/soc-optimization/xsoar_config.json @@ -8,7 +8,7 @@ "custom_packs": [ { "id": "soc-optimization.zip", - "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-optimization-v2.1.44/soc-optimization-v2.1.44.zip", + "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-optimization-v2.1.45/soc-optimization-v2.1.45.zip", "system": "yes" } ], diff --git a/pack_catalog.json b/pack_catalog.json index f5f8ff3..3c69652 100644 --- a/pack_catalog.json +++ b/pack_catalog.json @@ -35,7 +35,7 @@ { "id": "soc-optimization", "display_name": "SOC Framework (DEPRECATED)", - "version": "2.1.44", + "version": "2.1.45", "path": "Packs/soc-optimization", "visible": false, "xsoar_config": "https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/Packs/soc-optimization/xsoar_config.json" From 76745610ab70c3e4c0bcdf0ff45e72b56711c186 Mon Sep 17 00:00:00 2001 From: Scott Brumley Date: Tue, 20 Jan 2026 18:50:23 -0500 Subject: [PATCH 13/49] - Testing Trend Micro with Bootloader --- Packs/soc-trendmicro-visionone/pack_metadata.json | 2 +- Packs/soc-trendmicro-visionone/xsoar_config.json | 2 +- pack_catalog.json | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Packs/soc-trendmicro-visionone/pack_metadata.json b/Packs/soc-trendmicro-visionone/pack_metadata.json index 55deef7..abccea2 100644 --- a/Packs/soc-trendmicro-visionone/pack_metadata.json +++ b/Packs/soc-trendmicro-visionone/pack_metadata.json @@ -3,7 +3,7 @@ "id": "soc-trendmicro-visionone", "description": "This contains enhancement content for Trend Micro Vision One including correlation rules, modeling rules, and layout for XSIAM.", "support": "xsoar", - "currentVersion": "1.0.21", + "currentVersion": "1.0.22", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/soc-trendmicro-visionone/xsoar_config.json b/Packs/soc-trendmicro-visionone/xsoar_config.json index 4fcf1c7..9f7b068 100644 --- a/Packs/soc-trendmicro-visionone/xsoar_config.json +++ b/Packs/soc-trendmicro-visionone/xsoar_config.json @@ -2,7 +2,7 @@ "custom_packs": [ { "id": "soc-trendmicro-visionone.zip", - "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-trendmicro-visionone-v1.0.21/soc-trendmicro-visionone-v1.0.21.zip", + "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-trendmicro-visionone-v1.0.22/soc-trendmicro-visionone-v1.0.22.zip", "system": "yes" } ], diff --git a/pack_catalog.json b/pack_catalog.json index 3c69652..5e42883 100644 --- a/pack_catalog.json +++ b/pack_catalog.json @@ -59,7 +59,7 @@ { "id": "soc-trendmicro-visionone", "display_name": "SOC Trend Micro Enhancement for Cortex XSIAM", - "version": "1.0.21", + "version": "1.0.22", "path": "Packs/soc-trendmicro-visionone", "visible": true, "xsoar_config": "https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/Packs/soc-trendmicro-visionone/xsoar_config.json" From 6e0dd9a72e57085cea5d2743bfc0a629de8df931 Mon Sep 17 00:00:00 2001 From: Scott Brumley Date: Thu, 22 Jan 2026 14:48:53 -0500 Subject: [PATCH 14/49] - Created a bootloader script and integration for managing SOC Framework packs - Updated to CI Workflows to include demisto-sdk prepare-content in places of zip-packs. Zip-packs doesn't load XSIAM content that needs to be validated. --- .github/workflows/soc-packs-release-debug.yml | 66 ++- .github/workflows/soc-packs-release-v2.yml | 70 ++- Packs/soc-framework-manager/.pack-ignore | 0 Packs/soc-framework-manager/.secrets-ignore | 0 Packs/soc-framework-manager/Author_image.png | 0 .../SOCFrameworkBootloader.yml | 341 ++++++++++++ Packs/soc-framework-manager/README.md | 0 .../SOCFWIntegrationInstanceManager.yml | 154 +++++ .../Scripts/SOCFWJobManager.yml | 153 +++++ .../Scripts/SOCFWLookupManager.yml | 274 +++++++++ .../Scripts/SOCFWPackManager.yml | 524 ++++++++++++++++++ .../soc-framework-manager/pack_metadata.json | 18 + 12 files changed, 1549 insertions(+), 51 deletions(-) create mode 100644 Packs/soc-framework-manager/.pack-ignore create mode 100644 Packs/soc-framework-manager/.secrets-ignore create mode 100644 Packs/soc-framework-manager/Author_image.png create mode 100644 Packs/soc-framework-manager/Integrations/SOCFrameworkBootloader/SOCFrameworkBootloader.yml create mode 100644 Packs/soc-framework-manager/README.md create mode 100644 Packs/soc-framework-manager/Scripts/SOCFWIntegrationInstanceManager.yml create mode 100644 Packs/soc-framework-manager/Scripts/SOCFWJobManager.yml create mode 100644 Packs/soc-framework-manager/Scripts/SOCFWLookupManager.yml create mode 100644 Packs/soc-framework-manager/Scripts/SOCFWPackManager.yml create mode 100644 Packs/soc-framework-manager/pack_metadata.json diff --git a/.github/workflows/soc-packs-release-debug.yml b/.github/workflows/soc-packs-release-debug.yml index 7d24731..6e2b294 100644 --- a/.github/workflows/soc-packs-release-debug.yml +++ b/.github/workflows/soc-packs-release-debug.yml @@ -26,6 +26,7 @@ jobs: - name: Install demisto-sdk run: | + python -m pip install --upgrade pip pip install "demisto-sdk>=1.0.0" # 1) Discover packs @@ -95,29 +96,36 @@ jobs: if: ${{ steps.changed.outputs.packs != '' }} env: CHANGED_PACKS: ${{ steps.changed.outputs.packs }} - DEMISTO_SDK_IGNORE_CONTENT_WARNING: "1" + # IMPORTANT: run SDK in a content-repo context (prevents "external-" rewrite issues) + DEMISTO_SDK_CONTENT_PATH: ${{ github.workspace }} run: | python - << 'PY' - import json, os, subprocess + import json, os, subprocess, time from pathlib import Path packs_dir = Path(os.environ["PACKS_DIR"]) changed = os.environ["CHANGED_PACKS"].split() repo = os.environ["GITHUB_REPOSITORY"] - repo_root = Path.cwd() dist = Path("dist") dist.mkdir(exist_ok=True) - # demisto-sdk zip-packs writes here by default when -o dist is used - uploadable_dir = dist / "uploadable_packs" - uploadable_dir.mkdir(parents=True, exist_ok=True) - def run_cmd(cmd, cwd=None, check=True): print("+", " ".join(cmd), f"(cwd={cwd or os.getcwd()})") return subprocess.run(cmd, check=check, cwd=cwd) + def newest_matching_zip(pack: str) -> Path | None: + # prepare-content output location can vary by SDK version/config; search dist recursively + zips = list(dist.rglob("*.zip")) + # Prefer zips that contain the pack name, otherwise take newest zip + candidates = [z for z in zips if pack in z.name] + pool = candidates or zips + if not pool: + return None + pool.sort(key=lambda p: p.stat().st_mtime) + return pool[-1] + for pack in changed: pack_path = packs_dir / pack meta_path = pack_path / "pack_metadata.json" @@ -135,33 +143,45 @@ jobs: print(f"=== DRY RUN for pack={pack}, version={version} ===") - # Remove any prior zip-packs outputs for this pack so detection is reliable - for z in uploadable_dir.glob(f"*{pack}*.zip"): - try: - z.unlink() - except Exception: - pass - - before = set(uploadable_dir.glob("*.zip")) + # Snapshot current zips so we can detect what got created + before = {p.resolve() for p in dist.rglob("*.zip")} + # Build using prepare-content for marketplacev2 (XSIAM) run_cmd([ - "demisto-sdk", "zip-packs", + "demisto-sdk", "prepare-content", "-i", str(pack_path), - "-o", str(dist) + "-o", str(dist), + "--marketplace", "marketplacev2", ], cwd=str(repo_root)) - after = set(uploadable_dir.glob("*.zip")) + after = {p.resolve() for p in dist.rglob("*.zip")} created = sorted(after - before) - if not created: - print(f"{pack}: demisto-sdk zip-packs produced no zip in {uploadable_dir} (skipping)") + built_zip = None + if created: + # Prefer a zip with the pack name if present + candidates = [z for z in created if pack in z.name] + built_zip = (sorted(candidates) or created)[-1] + else: + # Fallback: pick newest matching zip in dist + built_zip = newest_matching_zip(pack) + + if not built_zip or not built_zip.exists(): + print(f"{pack}: prepare-content produced no zip under dist/ (skipping)") continue - candidates = [z for z in created if pack in z.name] - built_zip = (sorted(candidates) or created)[-1] - print(f"Built demisto-sdk zip: {built_zip}") + # Optional sanity check: ensure XSIAM-specific content exists in the zip + try: + listing = subprocess.check_output(["unzip", "-l", str(built_zip)], text=True) + has_xsiam_bits = ("CorrelationRules" in listing) or ("XSIAMDashboards" in listing) + print(f"Zip contains CorrelationRules/XSIAMDashboards: {has_xsiam_bits}") + if not has_xsiam_bits: + print("WARNING: zip does not appear to include XSIAMDashboards/CorrelationRules") + except Exception as e: + print(f"WARNING: could not inspect zip contents ({e})") + # Show what release tag/asset would be tag = f"{pack}-v{version}-staging" asset = f"{pack}-v{version}-staging.zip" diff --git a/.github/workflows/soc-packs-release-v2.yml b/.github/workflows/soc-packs-release-v2.yml index ee6b43a..ce33885 100644 --- a/.github/workflows/soc-packs-release-v2.yml +++ b/.github/workflows/soc-packs-release-v2.yml @@ -42,6 +42,7 @@ jobs: - name: Install demisto-sdk run: | + python -m pip install --upgrade pip pip install "demisto-sdk>=1.0.0" ############################################ @@ -134,7 +135,9 @@ jobs: CHANGED_PACKS: ${{ steps.changed.outputs.packs }} ENVIRONMENT: ${{ steps.envinfo.outputs.environment }} GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - DEMISTO_SDK_IGNORE_CONTENT_WARNING: "1" + + # IMPORTANT: run SDK in content-repo context to avoid "external-" rewrites + DEMISTO_SDK_CONTENT_PATH: ${{ github.workspace }} run: | python - << 'PY' import json, os, subprocess @@ -150,10 +153,6 @@ jobs: dist = Path("dist") dist.mkdir(exist_ok=True) - # demisto-sdk zip-packs writes here by default when -o dist is used - uploadable_dir = dist / "uploadable_packs" - uploadable_dir.mkdir(parents=True, exist_ok=True) - def run_cmd(cmd, cwd=None): print("+", " ".join(cmd), f"(cwd={cwd or os.getcwd()})") subprocess.run(cmd, check=True, cwd=cwd) @@ -162,6 +161,14 @@ jobs: print("+ gh", " ".join(args)) return subprocess.run(["gh", *args], check=check) + def newest_zip_created(before_set): + after = {p.resolve() for p in dist.rglob("*.zip")} + created = sorted(after - before_set) + if created: + created.sort(key=lambda p: p.stat().st_mtime) + return created[-1] + return None + for pack in changed: pack_path = packs_dir / pack meta_path = pack_path / "pack_metadata.json" @@ -178,34 +185,40 @@ jobs: print(f"Processing pack={pack}, version={version}") - # ---- IMPORTANT: ensure we detect the zip produced by zip-packs ---- - # Remove any previous zip-packs output for this pack so before/after works reliably. - for z in uploadable_dir.glob(f"*{pack}*.zip"): - try: - z.unlink() - except Exception: - pass - - before = set(uploadable_dir.glob("*.zip")) + # Snapshot zips so we can detect what prepare-content created + before = {p.resolve() for p in dist.rglob("*.zip")} + # Build pack zip for XSIAM (marketplacev2) run_cmd([ - "demisto-sdk", "zip-packs", + "demisto-sdk", "prepare-content", "-i", str(pack_path), - "-o", str(dist) + "-o", str(dist), + "--marketplace", "marketplacev2", ], cwd=str(repo_root)) - after = set(uploadable_dir.glob("*.zip")) - created = sorted(after - before) + built_zip = newest_zip_created(before) + if not built_zip or not built_zip.exists(): + # fallback: find newest zip in dist that contains pack name + candidates = [z for z in dist.rglob("*.zip") if pack in z.name] + if candidates: + candidates.sort(key=lambda p: p.stat().st_mtime) + built_zip = candidates[-1] - if not created: - print(f"{pack}: demisto-sdk zip-packs produced no zip in {uploadable_dir} (skipping)") + if not built_zip or not built_zip.exists(): + print(f"{pack}: prepare-content produced no zip under dist/ (skipping)") continue - # Prefer a zip that contains the pack name, otherwise take the newest - candidates = [z for z in created if pack in z.name] - input_zip = (sorted(candidates) or created)[-1] + print("Created demisto-sdk pack zip:", built_zip) - print("Created demisto-sdk pack zip:", input_zip) + # Optional sanity check: ensure XSIAM-specific folders appear in the zip + try: + listing = subprocess.check_output(["unzip", "-l", str(built_zip)], text=True) + has_xsiam = ("CorrelationRules" in listing) or ("XSIAMDashboards" in listing) + print(f"Zip contains CorrelationRules/XSIAMDashboards: {has_xsiam}") + if not has_xsiam: + print("WARNING: zip does not appear to include CorrelationRules/ or XSIAMDashboards/") + except Exception as e: + print(f"WARNING: could not inspect zip contents: {e}") # Decide tag & asset name based on environment if environment == "develop": @@ -223,8 +236,8 @@ jobs: if final_zip.exists(): final_zip.unlink() - # Move the demisto-sdk produced zip to the release asset name/location - input_zip.rename(final_zip) + # Move the prepare-content produced zip to the release asset name/location + built_zip.rename(final_zip) print("Final asset zip:", final_zip) # Create or update GitHub Release @@ -293,7 +306,6 @@ jobs: echo "PACK_UNDER_TEST=$PACK" >> "$GITHUB_ENV" echo "CONTENT_REPO_RAW_LINK=$URL" >> "$GITHUB_ENV" - - name: Checkout xsiam-pov-automation uses: actions/checkout@v4 with: @@ -317,7 +329,9 @@ jobs: DEMISTO_API_KEY: ${{ secrets.XSIAM_API_KEY }} XSIAM_AUTH_ID: ${{ secrets.XSIAM_API_ID }} CONTENT_REPO_RAW_LINK: ${{ env.CONTENT_REPO_RAW_LINK }} - DEMISTO_SDK_IGNORE_CONTENT_WARNING: "1" + + # Also run SDK in content-repo context in case setup.py calls SDK (some flows do) + DEMISTO_SDK_CONTENT_PATH: ${{ github.workspace }} run: | echo "Running POV setup against $DEMISTO_BASE_URL" echo "Using CONTENT_REPO_RAW_LINK=$CONTENT_REPO_RAW_LINK" diff --git a/Packs/soc-framework-manager/.pack-ignore b/Packs/soc-framework-manager/.pack-ignore new file mode 100644 index 0000000..e69de29 diff --git a/Packs/soc-framework-manager/.secrets-ignore b/Packs/soc-framework-manager/.secrets-ignore new file mode 100644 index 0000000..e69de29 diff --git a/Packs/soc-framework-manager/Author_image.png b/Packs/soc-framework-manager/Author_image.png new file mode 100644 index 0000000..e69de29 diff --git a/Packs/soc-framework-manager/Integrations/SOCFrameworkBootloader/SOCFrameworkBootloader.yml b/Packs/soc-framework-manager/Integrations/SOCFrameworkBootloader/SOCFrameworkBootloader.yml new file mode 100644 index 0000000..eb0442b --- /dev/null +++ b/Packs/soc-framework-manager/Integrations/SOCFrameworkBootloader/SOCFrameworkBootloader.yml @@ -0,0 +1,341 @@ +commonfields: + id: SOCFrameworkBootloader + version: -1 +vcShouldKeepItemLegacyProdMachine: false +name: SOCFrameworkBootloader +display: SOCFrameworkBootloader +category: Utilities +image: data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAADIAAAAyCAYAAAAeP4ixAAAF8ElEQVRo3tVaa2wUVRQ+lUeolLZQHwQxEUIi/GgpakvTst2d7fax7RaEUFOIRW2x7e7cme220BawNSQ1MQZFgYaH8gvlFVAxUYIIJPxRA7FSLCpBJMYnL5FEyh8cvzttodvd6e527izpJCezO3Pn3Pvde853zzkzRKKPAmUOScp+Kg/MoVF7FCiZJLHz5JA1nL8jlzxzxLoklgw908iBc5xBZKPTSzqIAcmvPU3Ltk+NSc/S5vGUz9YASBd0XIXOb2jpKm+cQDAnOvw9CAQXm1ej0ubj9PW5yVHpaXplLJU3bKN83xA9+F+gtJAnkGAdCIm50dm1EBADYgeYrJrDlF0d2UTscj7ZfXcMdN2kJW2PWwPCIZdC/jYEESwHATopwsquHVZHgb9IPAinvhI3owTRJ5L8ITm8xisjye8N+7xLtQk2JyUHPnElJhB3CcB7hCpff9TATI8bPmfzXUCfqeJAuPyzoPinEYEYkMKGr8jtnztkhbmZ3gr1MYiTXaPFgWKRFDuenMpBUyD0wemsBGqVt2EVWmgRmMoh3wjTthdAdlGpP120cz8EO/7FNJBQswm95mR7qKTBoujAqUzADJ4QDiREWDe5lInWbn5FgWysyiEAOmNgDuZFkt+N107+AGw3hUrU6VSsLsTvo4LBHMFEJVDcD7syBh1vEQikFz5SRPflkNRU2PY5cebF/oBPLjM/sMWBVEShKpRuJxeLjsMdyibx/sL2UUXHCNmrtiUZ9n/0bhSaW3uL1A2RuVxiqy1ismvQvR7ycKxx1GuUP0hRdo1GLVvfjsK8NlpMzRdhbowKlSmRQVSumg/kt4csr0Y5dZepyvuEMXh/Ctr1kA1t56vDC28jmaLnbkQZ9VSoJhqxzzh08rmhguyXPqI9xxINzOotPsDkhbXavMZlWmZgeVjh93gbHYx5//kWYFZQkfLg0P2hAg3+M3xwQb1GFe0nacVaDz3XOB3m9xiU5UP64i/M9rzG5dq+6xnanqsZ2u4rc4OEX+P3eBt9ZYQRgnf/4IAwERe7IsyARnl1PBTX9IRKYteD7mNwfNb5gD+4nKG9/9fcIOHX+D3eRggQbp42Pp616wYBUVeaVtwPhM8+H/iuPzODhF/j94QB4RNaFviR1h1K6wPxYkcyZvqHUQckC2y6utN3bzWatzDKqtZGHZDcuh56oWNSH4h3dqRRSdP5frsfXUAkVn1vNTxyO+V5zfG6GGe/ohMIn1BOKFJEej5NBfKEwfHRAWE0OBL6ldh+0H4ussRpOqVXrfFQRdtJneqN+7qD+G9J8N7hbkzEalRBusynrDFuiE7lzbCbK990s6s/Ns732WGkweMMQgxs95JSB0BnzPF61CHKWVC+cY1rZWAG5fmuhs1Vlq96JprsbzLyZRmoL1gaADrZGxHHsiSwKagwwUtDLmV9rBEwKiasvb9sY0FezgIRx/BsUybCoN5Bz32G2CppZLlJTfNssrO94sEoG6MrCLIytN8KS/EB/CQBNS1WCflNIJgeOHvKfcrLlULd2YT5ibwZ5zHxB+JAicbBjgg1MV5KcjcuIk/TdFBrKnwzTsCcyk6LmIynBd04f0Lu1qctNi05CZ2dtbxkKiknyNmQaA0Il5qOTkLDmZyXrQDzMyRNLACPmgmlu+Ebt0MTG991Yhs6sUM34n6nvufYTfsMJ4G9VMjGigNR0+LRbTf84P4lW31wWdOtZlCx8qUpMPw9fZEyUxyI1rYpCA8uGQ5Kkr8I+5y39RFa4Ds8QiCXwVpZYk2q1C9FeIexw/BZm5yMmY01PbgBJ7egcF3oLxnWjl1Kc4Ty6USAPRBDSbTYGpZqacMGJf8TvnqBxEaS8yLqyKpJhnyqfzRgHPrzzzQsfIWweE0CuHw12euHMpVG5f7N+Nwiuh2Yf77hbj6mf84Rap6/YoO1x2cnL3m1Dp2e0h1RwtkuB5CSxhZGPL9zKj4UONX/NncAxEWS/E/FOcaSJ+mfHDlNhNFlrTP0l5x9weL38LF0GrWHq2m2/uLGpT4pWvX/zRDqQjZWrVoAAAAASUVORK5CYII= +imagepath: xsoar-files://xsoar/images/SOCFrameworkBootloader_9fa64812-26fa-40a0-8c66-9723a69e5bf5.png +description: |- + Resolves SOC Framework pack install manifests by reading pack_catalog.json and each pack's xsoar_config.json. + Designed for public GitHub today and proxy/token delivery later. +detaileddescription: |- + ### Community Contributed Integration + #### Integration Author: Cortex + No support or maintenance is provided by the author. Customers are encouraged to engage with the user community for questions and guidance at the [Cortex XSOAR Live Discussions](https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/bd-p/Cortex_XSOAR_Discussions). + *** + ## Hello World + - This section explains how to configure the instance of HelloWorld in Cortex: + - You can use the following API Key: `dummy-key` + + + --- + [View Integration Documentation](https://xsoar.pan.dev/docs/reference/integrations/hello-world) +sectionorder: +- Connect +- Collect +configuration: +- supportedModules: [] + display: Catalog URL + name: catalog_url + defaultvalue: https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/pack_catalog.json + type: 12 + required: true +- supportedModules: [] + display: Auth Token (optional) + name: auth_token + type: 4 + required: false +- supportedModules: [] + display: Auth Header Name (optional) + name: auth_header_name + defaultvalue: Authorization + type: 0 + required: false +- supportedModules: [] + display: Use Bearer Prefix + name: use_bearer + defaultvalue: "true" + type: 8 + required: false +- supportedModules: [] + display: Timeout (seconds) + name: timeout + type: 0 + required: false +- supportedModules: [] + display: Trust any certificate (insecure) + name: insecure + defaultvalue: "false" + type: 8 + required: false +- supportedModules: [] + display: Use system proxy settings + name: proxy + defaultvalue: "false" + type: 8 + required: false +script: + commands: + - supportedModules: [] + name: socfw-get-catalog + arguments: + - supportedModules: [] + name: catalog_url + description: Override the integration instance catalog_url for this call. + outputs: + - contextPath: SOCFW.Catalog + description: The full catalog JSON. + type: unknown + description: Fetch the pack_catalog.json from the configured catalog_url. + - supportedModules: [] + name: socfw-get-install-manifest + arguments: + - supportedModules: [] + name: pack_id + required: true + description: Pack ID from pack_catalog.json (e.g. soc-optimization-unified). + - supportedModules: [] + name: include_hidden + auto: PREDEFINED + predefined: + - "True" + - "False" + description: Allow resolving packs with visible=false. + defaultValue: "False" + - supportedModules: [] + name: catalog_url + description: Override the integration instance catalog_url for this call. + outputs: + - contextPath: SOCFW.Manifest + description: 'Resolved install manifest (custom_packs, marketplace_packs, integration_instances). type: + Unknown' + description: Resolve a pack id to its xsoar_config.json and return the install + manifest. + script: | + import requests + + + def _arg_to_bool(val, default=False): + if val is None: + return default + if isinstance(val, bool): + return val + s = str(val).strip().lower() + return s in ("true", "1", "yes", "y", "on") + + + def _params(): + try: + return demisto.params() + except Exception: + return {} + + + def _args(): + try: + return demisto.args() + except Exception: + return {} + + + def _runtime_http_settings(): + p = _params() + timeout_raw = p.get("timeout", "30") + try: + timeout = int(timeout_raw) + except Exception: + timeout = 30 + + insecure = _arg_to_bool(p.get("insecure", False), False) + verify = not insecure + + use_proxy = _arg_to_bool(p.get("proxy", False), False) + return timeout, verify, use_proxy + + + def _http_get_json(url): + timeout, verify, use_proxy = _runtime_http_settings() + + session = requests.Session() + if not use_proxy: + session.trust_env = False # don't inherit proxy env vars + + try: + resp = session.get(url, timeout=timeout, verify=verify) + resp.raise_for_status() + except requests.exceptions.RequestException as e: + raise Exception(f"HTTP GET failed for {url}: {e}") + + try: + data = resp.json() + except Exception as e: + raise Exception(f"Response from {url} is not valid JSON: {e}") + + if not isinstance(data, dict): + raise Exception(f"Expected JSON object from {url}, got {type(data)}") + + return data + + + def _catalog_url(args_dict): + p = _params() + return (args_dict.get("catalog_url") or p.get("catalog_url") or "").strip() + + + def _result(contents, entry_context=None, readable=None): + entry = { + "Type": 1, # note + "ContentsFormat": "json", + "Contents": contents, + } + if entry_context is not None: + entry["EntryContext"] = entry_context + if readable is not None: + entry["HumanReadable"] = readable + entry["ContentsFormat"] = "json" + demisto.results(entry) + + + def _error(msg): + demisto.results({"Type": 4, "Contents": str(msg)}) + + + def cmd_get_catalog(): + args_dict = _args() + url = _catalog_url(args_dict) + if not url: + raise Exception("catalog_url is not configured on the instance (or passed as an argument).") + + catalog = _http_get_json(url) + packs = catalog.get("packs", []) + + if not isinstance(packs, list): + raise Exception("Catalog JSON does not contain a valid 'packs' list.") + + rows = [] + for p in packs: + if not isinstance(p, dict): + continue + rows.append({ + "id": p.get("id"), + "display_name": p.get("display_name"), + "version": p.get("version"), + "visible": p.get("visible"), + "path": p.get("path"), + }) + + readable = "### SOC Framework Pack Catalog\n" + if rows: + readable += tableToMarkdown( + "Available Packs", + rows, + headers=["id", "display_name", "version", "visible", "path"] + ) + else: + readable += "_No packs found in catalog._" + + _result( + contents=catalog, + entry_context={"SOCFW": {"Catalog": catalog, "CatalogPacks": rows}}, + readable=readable, + ) + + + def _find_pack(catalog, pack_id): + packs = catalog.get("packs", []) + if not isinstance(packs, list): + raise Exception("Catalog JSON does not contain a valid 'packs' list.") + for p in packs: + if isinstance(p, dict) and p.get("id") == pack_id: + return p + raise Exception(f"Pack not found in catalog: {pack_id}") + + + def cmd_get_install_manifest(): + args_dict = _args() + + pack_id = (args_dict.get("pack_id") or "").strip() + if not pack_id: + raise Exception("pack_id argument is required.") + + include_hidden = _arg_to_bool(args_dict.get("include_hidden", "true"), True) + + url = _catalog_url(args_dict) + if not url: + raise Exception("catalog_url is not configured on the instance (or passed as an argument).") + + catalog = _http_get_json(url) + pack = _find_pack(catalog, pack_id) + + visible = bool(pack.get("visible", True)) + if not include_hidden and not visible: + raise Exception(f"Pack '{pack_id}' is visible=false and include_hidden=false.") + + xsoar_config_url = (pack.get("xsoar_config") or "").strip() + if not xsoar_config_url: + raise Exception(f"Pack '{pack_id}' does not include xsoar_config URL.") + + xsoar_config = _http_get_json(xsoar_config_url) + + manifest = { + "pack_id": pack.get("id"), + "display_name": pack.get("display_name"), + "pack_version": pack.get("version"), + "visible": visible, + "path": pack.get("path"), + "xsoar_config_url": xsoar_config_url, + "custom_packs": xsoar_config.get("custom_packs", []), + "marketplace_packs": xsoar_config.get("marketplace_packs", []), + "integration_instances": xsoar_config.get("integration_instances", []), + } + + # Provide a human readable hint: list the custom pack urls + cp = manifest.get("custom_packs") or [] + urls = [] + if isinstance(cp, list): + for item in cp: + if isinstance(item, dict) and item.get("url"): + urls.append(item.get("url")) + + readable = "Resolved install manifest.\n" + if urls: + readable += "Custom pack ZIP URLs:\n- " + "\n- ".join(urls[:10]) + if len(urls) > 10: + readable += f"\n... and {len(urls) - 10} more" + else: + readable += "No custom_packs[].url entries found." + + _result( + contents=manifest, + entry_context={"SOCFW": {"Manifest": manifest}}, + readable=readable, + ) + + + def test_module(): + p = _params() + url = (p.get("catalog_url") or "").strip() + if not url: + raise Exception("catalog_url is not configured on the instance.") + catalog = _http_get_json(url) + packs = catalog.get("packs") + if not isinstance(packs, list): + raise Exception("Catalog fetched but does not include a valid 'packs' list.") + return "ok" + + + def main(): + try: + command = demisto.command() + if command == "test-module": + demisto.results(test_module()) + elif command == "socfw-get-catalog": + cmd_get_catalog() + elif command == "socfw-get-install-manifest": + cmd_get_install_manifest() + else: + raise Exception(f"Unsupported command: {command}") + except Exception as e: + _error(e) + + + if __name__ in ("__main__", "builtins"): + main() + type: python + dockerimage: demisto/python3:3.12.8.3296088 + subtype: python3 + runonce: false +signature: "" +restrictioncenter: {} diff --git a/Packs/soc-framework-manager/README.md b/Packs/soc-framework-manager/README.md new file mode 100644 index 0000000..e69de29 diff --git a/Packs/soc-framework-manager/Scripts/SOCFWIntegrationInstanceManager.yml b/Packs/soc-framework-manager/Scripts/SOCFWIntegrationInstanceManager.yml new file mode 100644 index 0000000..9403e0b --- /dev/null +++ b/Packs/soc-framework-manager/Scripts/SOCFWIntegrationInstanceManager.yml @@ -0,0 +1,154 @@ +commonfields: + id: 6216bfef-a27c-4081-89a8-77dd21766efa + version: 4 +vcShouldKeepItemLegacyProdMachine: false +name: SOCFWIntegrationInstanceManager +script: |- + register_module_line('IntegrationInstanceCreator', 'start', __line__()) + demisto.debug('pack name = POVContentPack, pack version = 1.0.0') + + + + SCRIPT_NAME = 'IntegrationInstanceCreator' + + + def configure_instance(integration_instance_name: str, existing_instance: Optional[Dict[str, Any]] = None, instance_name: str = None) -> str: + """Configures the integration instance in the XSOAR instance. + """ + context = demisto.context() + instance_params = existing_instance or {} + + config_setup = context.get("ConfigurationSetup", []) + if isinstance(config_setup, dict): + config_setup = [config_setup] + + for config in config_setup: + for instance in config.get('IntegrationInstances', []): + if instance.get('name') == integration_instance_name: + instance_params.update(instance) + break + if instance_params: + break + + if not instance_params: + return f"Failure. No integration instance definition found in context for {integration_instance_name}" + + args = {'uri': 'xsoar/public/v1/settings/integration', 'body': instance_params} + + if instance_name: + args['using'] = instance_name + + status, res = execute_command( + 'core-api-put', + args, + fail_on_error=False, + ) + + if not status: + error_message = f'{SCRIPT_NAME} - {res}' + demisto.debug(error_message) + raise Exception(f"POST to xsoar/public/v1/settings/integration failed with error: {error_message}") + + return "Success" + + + def search_existing_instance(integration_instance_name: str, instance_name: str = None) -> Dict[str, Any]: + """Searches the machine for previously configured integration instances with the given name. + + Args: + integration_instance_name (str): The name of the instance to update it's past configurations. + instance_name (str): Core REST API instance name. + + Returns: + Dict[str, Any]. The integration data as configured on the machine. + """ + + args = {'uri': 'xsoar/public/v1/settings/integration/search', 'body': {}} + + if instance_name: + args['using'] = instance_name + + status, res = execute_command( + 'core-api-post', + args, + fail_on_error=False, + ) + + if not status: + error_message = f'{SCRIPT_NAME} - {res}' + demisto.debug(error_message) + raise Exception(f"POST to xsoar/public/v1/settings/integration/search failed with error: {error_message}") + + if isinstance(res, list): + res = res[0] + + search_results = res.get('response', {}).get('instances', []) + name_results = [x for x in search_results if integration_instance_name in x.get('name')] + if name_results: + return name_results[0] + + return {} + + + def main(): + args = demisto.args() + instance_name = args.get('using') + integration_instance_name = args.get('integration_instance_name') + + try: + existing_instance = search_existing_instance(integration_instance_name, instance_name) + if existing_instance: + configuration_status = "Already existing on the machine." + else: + configuration_status = configure_instance(integration_instance_name, existing_instance, instance_name) + + return_results( + CommandResults( + outputs_prefix='ConfigurationSetup.IntegrationInstances', + outputs_key_field='name', + outputs={ + 'name': integration_instance_name, + 'integrationinstancename': integration_instance_name, + 'creationstatus': configuration_status, + }, + ) + ) + + except Exception as e: + return_error(f'{SCRIPT_NAME} - Error occurred while configuring integration instance "{integration_instance_name}".\n{e}') + + + if __name__ in ('__main__', '__builtin__', 'builtins'): + main() + + register_module_line('IntegrationInstanceCreator', 'end', __line__()) +type: python +tags: +- configuration +- Content Management +- SOC +- SOC_Framework +- SOC_Framework_Unified +- SOCFWBootloader +comment: Integration Instance Creator for the Content Management pack. +enabled: true +args: +- supportedModules: [] + name: integration_instance_name + required: true + default: true + description: The name of the integration instance to configure. +outputs: +- contextPath: ConfigurationSetup.IntegrationInstances.creationstatus + description: The creation status of the integration instance. + type: Unknown +scripttarget: 0 +subtype: python3 +pswd: "" +runonce: false +dockerimage: demisto/xsoar-tools:1.0.0.1902141 +runas: DBotWeakRole +engineinfo: {} +mainengineinfo: {} +restrictioncenter: {} +signature: "" diff --git a/Packs/soc-framework-manager/Scripts/SOCFWJobManager.yml b/Packs/soc-framework-manager/Scripts/SOCFWJobManager.yml new file mode 100644 index 0000000..cca1c15 --- /dev/null +++ b/Packs/soc-framework-manager/Scripts/SOCFWJobManager.yml @@ -0,0 +1,153 @@ +commonfields: + id: a565f683-d0a7-4181-82a6-3a11bc3ea0db + version: 5 +vcShouldKeepItemLegacyProdMachine: false +name: SOCFWJobManager +script: | + register_module_line('POVJobCreator', 'start', __line__()) + demisto.debug('pack name = POVContentPack, pack version = 1.0.0') + + SCRIPT_NAME = "POVJobCreator" + + + def configure_job(job_name: str, existing_job: Optional[Dict[str, Any]] = None, instance_name: str = None) -> bool: + """Configures the job in the XSOAR instance.""" + context = demisto.context() + job_params = existing_job or {} + is_scheduled = job_params.get("scheduled") + + config_setup = context.get("ConfigurationSetup", []) + if isinstance(config_setup, dict): + config_setup = [config_setup] + + for config in config_setup: + for job in config.get("Jobs", []): + if job.get("name") == job_name: + job_params.update(job) + break + if job_params: + break + + if not job_params: + return False + + if is_scheduled is False: + job_params["scheduled"] = False + + args = {"uri": "/jobs", "body": job_params} + + if instance_name: + args["using"] = instance_name + + status, res = execute_command( + "core-api-post", + args, + fail_on_error=False, + ) + + if not status: + error_message = f"{SCRIPT_NAME} - {res}" + demisto.debug(error_message) + return False + + return True + + + def search_existing_job(job_name: str, instance_name: str = None) -> Dict[str, Any]: + """Searches the machine for previously configured jobs with the given name. + + Args: + job_name (str): The name of the job to update it's past configurations. + instance_name (str): Core REST API instance name. + + Returns: + Dict[str, Any]. The job data as configured on the machine. + """ + body = { + "page": 0, + "size": 1, + "query": f'name:"{job_name}"', + } + + args = {"uri": "/jobs/search", "body": body} + + if instance_name: + args["using"] = instance_name + + status, res = execute_command( + "core-api-post", + args, + fail_on_error=False, + ) + + if not status: + error_message = f"{SCRIPT_NAME} - {res}" + demisto.debug(error_message) + return {} + + search_results = res.get("response", {}).get("data") + if search_results: + return search_results[0] + + return {} + + + def main(): + args = demisto.args() + instance_name = args.get("using") + job_name = args.get("job_name") + + try: + existing_job = search_existing_job(job_name, instance_name) + configuration_status = configure_job(job_name, existing_job, instance_name) + + return_results( + CommandResults( + outputs_prefix="ConfigurationSetup.Jobs", + outputs_key_field="name", + outputs={ + "name": job_name, + "jobname": job_name, + "creationstatus": "Success." if configuration_status else "Failure.", + }, + ) + ) + + except Exception as e: + return_error(f'{SCRIPT_NAME} - Error occurred while configuring job "{job_name}".\n{e}') + + + if __name__ in ("__main__", "__builtin__", "builtins"): + main() + + register_module_line('POVJobCreator', 'end', __line__()) +type: python +tags: +- configuration +- Content Management +- SOC +- SOC_Framework +- SOC_Framework_Unified +- SOCFWBootloader +comment: Job Creator for the POVContent pack. Extends the ContentManagement pack. +enabled: true +args: +- supportedModules: [] + name: job_name + required: true + default: true + description: The name of the job to configure. +outputs: +- contextPath: ConfigurationSetup.Jobs.creationstatus + description: The creation status of the job. + type: Unknown +scripttarget: 0 +subtype: python3 +pswd: "" +runonce: false +dockerimage: demisto/xsoar-tools:1.0.0.1902141 +runas: DBotWeakRole +engineinfo: {} +mainengineinfo: {} +restrictioncenter: {} +signature: "" diff --git a/Packs/soc-framework-manager/Scripts/SOCFWLookupManager.yml b/Packs/soc-framework-manager/Scripts/SOCFWLookupManager.yml new file mode 100644 index 0000000..cb62144 --- /dev/null +++ b/Packs/soc-framework-manager/Scripts/SOCFWLookupManager.yml @@ -0,0 +1,274 @@ +commonfields: + id: b53aea4b-293a-47ad-8b37-3e4ece27d37a + version: 4 +vcShouldKeepItemLegacyProdMachine: false +name: SOCFWLookupManager +script: |- + register_module_line('LookupDatasetCreator', 'start', __line__()) + demisto.debug('pack name = POVContentPack, pack version = 1.0.0') + + + SCRIPT_NAME = 'LookupDatasetCreator' + OMITTED_FIELDS = ['_collector_name', '_collector_type', '_insert_time', '_update_time'] + + + def remove_omitted_fields(data: List[dict]) -> List[dict]: + for item in data: + for field in OMITTED_FIELDS: + item.pop(field, None) + return data + + + def parse_data_from_file(dataset_name: str) -> List[dict]: + """ + Parse a File from the demisto context to grab the Lookup Dataset dta + + :param dataset_name: str, name of the Lookup Dataset + :return: List of data + """ + dataset_file_entry_id = None + + instance_context = demisto.context() + context_files = instance_context.get('File', []) + if not isinstance(context_files, list): + context_files = [context_files] + + # Search through all Context Files to grab the File's EntryID + for file_in_context in context_files: + file_in_context_name = file_in_context.get('Name', '') + if file_in_context_name == dataset_name: + dataset_file_entry_id = file_in_context.get('EntryID') + dataset_file_entry_type = file_in_context.get('Type') + break + + if not dataset_file_entry_id: + error_message = f'Could not find file entry ID: {dataset_name} .' + demisto.debug(f'{SCRIPT_NAME}, "{dataset_name}" - {error_message}.') + raise Exception(error_message) + + # Use the entry ID to grab the file's path + try: + file_path = demisto.getFilePath(dataset_file_entry_id)['path'] + except Exception: + error_message = f'Could not find a file with entry ID {dataset_file_entry_id}' + demisto.debug(f'{SCRIPT_NAME}, "{dataset_file_entry_id}" - {error_message}.') + raise Exception(error_message) + + with open(file_path, 'r') as f: + raw_file_data = f.read() + + if dataset_file_entry_type == "JSON text data": + parsed_data = json.loads(raw_file_data) + elif dataset_file_entry_type == "New Line Delimited JSON text data": + parsed_data = [json.loads(x.strip()) for x in raw_file_data.split("\n") if x] + else: + error_message = f'Could not determine file type for entry ID {dataset_file_entry_id}' + demisto.debug(f'{SCRIPT_NAME}, "{dataset_file_entry_id}" - {error_message}.') + raise Exception(error_message) + + return parsed_data + + + def add_data(dataset_name: str, instance_name: str = None) -> str: + """Adds data from context to a specific lookup dataset. + """ + context = demisto.context() + instance_params = {} + + config_setup = context.get("ConfigurationSetup", []) + if isinstance(config_setup, dict): + config_setup = [config_setup] + + for config in config_setup: + for instance in config.get('LookupDatasets', []): + if instance.get('dataset_name') == dataset_name: + data = instance.get('data') + if not data: + data = parse_data_from_file(dataset_name) + + data = remove_omitted_fields(data) + + instance_params = { + 'dataset_name': dataset_name, + 'data': data + } + break + if instance_params: + break + + if not instance_params: + return f"Failure. No lookup dataset definition found in context for {dataset_name}" + + args = {'uri': '/public_api/v1/xql/lookups/add_data', 'body': {'request_data': instance_params}} + + if instance_name: + args['using'] = instance_name + + status, res = execute_command( + 'core-api-post', + args, + fail_on_error=False, + ) + + if not status: + error_message = f'{SCRIPT_NAME} - add_data - {res}' + demisto.debug(error_message) + raise Exception(f"POST to /public_api/v1/xql/lookups/add_data failed with error: {error_message}") + + if isinstance(res, list): + res = res[0] + + return str(res.get("response", {}).get("reply")) + + + def create_dataset(dataset_name: str, instance_name: str = None) -> str: + """Creates a new dataset in the XSOAR instance. + """ + context = demisto.context() + instance_params = {} + + config_setup = context.get("ConfigurationSetup", []) + if isinstance(config_setup, dict): + config_setup = [config_setup] + + for config in config_setup: + + for instance in config.get('LookupDatasets', []): + if instance.get('dataset_name') == dataset_name: + instance_params = { + 'dataset_name': dataset_name, + 'dataset_type': instance.get('dataset_type'), + 'dataset_schema': instance.get('dataset_schema') + } + break + if instance_params: + break + + if not instance_params: + return f"Failure. No lookup dataset definition found in context for {dataset_name}" + + args = {'uri': '/public_api/v1/xql/add_dataset', 'body': {'request_data': instance_params}} + + if instance_name: + args['using'] = instance_name + + status, res = execute_command( + 'core-api-post', + args, + fail_on_error=False, + ) + + if not status: + error_message = f'{SCRIPT_NAME} - create_dataset - {res}' + demisto.debug(error_message) + raise Exception(f"POST to /public_api/v1/xql/add_dataset failed with error: {error_message}") + + return "Success" + + + def search_existing_dataset(dataset_name: str, instance_name: str = None) -> Dict[str, Any]: + """Searches the machine for previously configured integration instances with the given name. + + Args: + integration_instance_name (str): The name of the instance to update it's past configurations. + instance_name (str): Core REST API instance name. + + Returns: + Dict[str, Any]. The integration data as configured on the machine. + """ + + args = {'uri': '/public_api/v1/xql/get_datasets', 'body': {}} + + if instance_name: + args['using'] = instance_name + + status, res = execute_command( + 'core-api-post', + args, + fail_on_error=False, + ) + + if not status: + error_message = f'{SCRIPT_NAME} - search_existing_dataset - {res}' + demisto.debug(error_message) + raise Exception(f"POST to /public_api/v1/xql/get_datasets failed with error: {error_message}") + + if isinstance(res, list): + res = res[0] + search_results = res.get('response', {}).get("reply", []) + name_results = [x for x in search_results if dataset_name == x.get('Dataset Name')] + if name_results: + return name_results[0] + + return {} + + + def main(): + args = demisto.args() + instance_name = args.get('using') + lookup_dataset_name = args.get('lookup_dataset_name') + + try: + # Check to see if the Dataset exists before adding data + existing_dataset = search_existing_dataset(lookup_dataset_name, instance_name) + if not existing_dataset: + dataset_creation_status = create_dataset(lookup_dataset_name, instance_name) + + # If dataset created successfully, add data to the dataset + if dataset_creation_status == "Success": + lookup_data_status = add_data(lookup_dataset_name, instance_name) + else: + lookup_data_status = dataset_creation_status + + else: + lookup_data_status = "Dataset already exists." + + return_results( + CommandResults( + outputs_prefix='ConfigurationSetup.LookupDatasets', + outputs_key_field='dataset_name', + outputs={ + 'dataset_name': lookup_dataset_name, + 'creationstatus': lookup_data_status, + }, + ) + ) + + except Exception as e: + return_error(f'{SCRIPT_NAME} - Error occurred while configuring lookup dataset "{lookup_dataset_name}".\n{e}') + + + if __name__ in ('__main__', '__builtin__', 'builtins'): + main() + + register_module_line('LookupDatasetCreator', 'end', __line__()) +type: python +tags: +- configuration +- Content Management +- SOC +- SOC_Framework +- SOC_Framework_Unified +- SOCFWBootloader +comment: Lookup Dataset Creator for the Content Management pack. +enabled: true +args: +- supportedModules: [] + name: lookup_dataset_name + required: true + default: true + description: The name of the lookup_dataset to configure. +outputs: +- contextPath: ConfigurationSetup.LookupDatasets.creationstatus + description: The creation status of the integration instance. + type: Unknown +scripttarget: 0 +subtype: python3 +pswd: "" +runonce: false +dockerimage: demisto/xsoar-tools:1.0.0.1902141 +runas: DBotWeakRole +engineinfo: {} +mainengineinfo: {} +restrictioncenter: {} +signature: "" diff --git a/Packs/soc-framework-manager/Scripts/SOCFWPackManager.yml b/Packs/soc-framework-manager/Scripts/SOCFWPackManager.yml new file mode 100644 index 0000000..beea35d --- /dev/null +++ b/Packs/soc-framework-manager/Scripts/SOCFWPackManager.yml @@ -0,0 +1,524 @@ +commonfields: + id: e5c63c0b-e4ea-4928-8eed-5e51b9ad9ce8 + version: 37 +vcShouldKeepItemLegacyProdMachine: false +name: SOCFWPackManager +script: | + import json + import time + import requests + + # --------------------------- + # Helpers + # --------------------------- + def is_timeout_error(err_text: str) -> bool: + if not err_text: + return False + t = err_text.lower() + return ( + "timeout" in t + or "timed out" in t + or "read timed out" in t + or "request timed out" in t + or "context deadline exceeded" in t + ) + + + def core_api_post(path: str, body: dict, using: str = "", execution_timeout: int = 600): + """ + Wrapper around core-api-post. + """ + args = { + "uri": path, + "body": json.dumps(body or {}), + "execution-timeout": str(execution_timeout), + } + if using: + args["using"] = using + + res = demisto.executeCommand("core-api-post", args) + if not res or isError(res[0]): + raise Exception(get_error(res)) + return get_contents(res) or {} + + + def lookup_dataset_exists_via_get_datasets(dataset_name: str, using: str = "", execution_timeout: int = 600) -> bool: + """ + Uses /public_api/v1/xql/get_datasets to check dataset existence. + Returns True if dataset_name is present. + """ + data = core_api_post("/public_api/v1/xql/get_datasets", {}, using=using, execution_timeout=execution_timeout) + + candidates = [] + if isinstance(data, dict): + for k in ("datasets", "reply", "data", "result", "results"): + v = data.get(k) + if isinstance(v, list): + candidates = v + break + if not candidates and isinstance(data.get("Contents"), list): + candidates = data.get("Contents") + elif isinstance(data, list): + candidates = data + + target = (dataset_name or "").strip().lower() + for item in candidates or []: + if not isinstance(item, dict): + continue + dn = (item.get("dataset_name") or item.get("name") or "").strip().lower() + if dn == target: + return True + + return False + + + def arg_to_bool(val, default=False): + """ + Accepts: True/False, "True"/"False", "true"/"false", 1/0, yes/no, on/off. + """ + if val is None: + return default + if isinstance(val, bool): + return val + s = str(val).strip().lower() + if s == "": + return default + return s in ("true", "1", "yes", "y", "on") + + + def to_int(val, default): + try: + return int(val) + except Exception: + return default + + + def bool_str_tf(val: bool) -> str: + return "True" if bool(val) else "False" + + + def get_contents(res): + if not res or not isinstance(res, list) or not res[0]: + return {} + return res[0].get("Contents") or {} + + + def emit_progress(message: str, stage: str = None, data: dict = None): + """ + Emit a visible War Room note entry so the user sees progress. + """ + try: + title = "SOCFW Pack Manager" + if stage: + title = f"SOCFW Pack Manager β€” {stage}" + hr = f"### {title}\n{message}" + entry = { + "Type": 1, # note + "ContentsFormat": "json", + "Contents": data or {"message": message, "stage": stage}, + "HumanReadable": hr, + } + demisto.results(entry) + except Exception: + pass + + + def is_cluster_busy_error(err_text: str) -> bool: + if not err_text: + return False + t = err_text.lower() + return ( + "can't acquire cluster lock" in t + or "cannot acquire cluster lock" in t + or "state must be 'idle'" in t + or "state must be \"idle\"" in t + or "but is 'installing'" in t + or "but is \"installing\"" in t + or ("erruploadcontentpacks" in t and "installing" in t) + ) + + + def exec_with_retry(command_name: str, command_args: dict, retry_count: int, retry_sleep_seconds: int, context_for_error: str): + """ + Execute a command and retry only for transient errors (cluster lock/installing OR timeouts). + Returns the raw demisto.executeCommand result. + """ + retry_count = max(0, int(retry_count)) + retry_sleep_seconds = max(1, int(retry_sleep_seconds)) + + attempt = 0 + last_err = None + + while True: + attempt += 1 + res = demisto.executeCommand(command_name, command_args) + + if res and not isError(res[0]): + return res + + last_err = get_error(res) if res else "No response returned" + + # βœ… Retry on BOTH cluster busy and timeout-style errors + if (is_cluster_busy_error(last_err) or is_timeout_error(last_err)) and attempt <= retry_count: + sleep_s = retry_sleep_seconds * attempt + emit_progress( + message=( + f"Transient error detected. Retrying **{attempt}/{retry_count}** in **{sleep_s}s**.\n\n" + f"**Command:** `{command_name}`\n\n" + f"**Error:** {last_err}" + ), + stage="retry", + data={ + "command": command_name, + "attempt": attempt, + "retry_count": retry_count, + "sleep_seconds": sleep_s, + "error": last_err, + }, + ) + time.sleep(sleep_s) + continue + + raise Exception(f"{context_for_error}\nError: {last_err}") + + + def http_get_json(url: str, timeout: int = 60): + """ + Fetch JSON from URL. + Supports: + - standard JSON object or array + - NDJSON (newline-delimited JSON objects), returns a list + """ + try: + r = requests.get(url, timeout=timeout) + r.raise_for_status() + text = r.text.lstrip("\ufeff").strip() + + try: + return json.loads(text) + except Exception as e: + msg = str(e) + if "Extra data" in msg or "Expecting value" in msg: + items = [] + for line in text.splitlines(): + line = line.strip() + if not line: + continue + items.append(json.loads(line)) + if items: + return items + raise + except Exception as e: + raise Exception(f"Failed to fetch/parse JSON from {url}: {e}") + + + def set_configuration_setup_in_context(xsoar_config: dict, timeout: int = 60): + """ + Build ConfigurationSetup context in the shape expected by managers. + Also hydrates lookup_datasets[].url -> lookup_datasets[].data + """ + integration_instances = xsoar_config.get("integration_instances", []) or [] + jobs = xsoar_config.get("jobs", []) or [] + + lookup_datasets = xsoar_config.get("lookup_datasets", []) or [] + hydrated_lookups = [] + + for lk in lookup_datasets: + if not isinstance(lk, dict): + continue + + item = dict(lk) + url = (item.get("url") or "").strip() + + if not item.get("data") and url: + item["data"] = http_get_json(url, timeout=timeout) + + hydrated_lookups.append(item) + + cfg = { + "IntegrationInstances": integration_instances, + "Jobs": jobs, + "LookupDatasets": hydrated_lookups, + } + + demisto.setContext("ConfigurationSetup", [cfg]) + + + def _now_ms(): + return int(time.time() * 1000) + + + def main(): + start_ms = _now_ms() + args = demisto.args() + + action = (args.get("action") or "apply").strip().lower() + if action not in ("list", "apply"): + return_error("action must be one of: list, apply") + + include_hidden = arg_to_bool(args.get("include_hidden", "True"), True) + dry_run = arg_to_bool(args.get("dry_run", "False"), False) + catalog_url = (args.get("catalog_url") or "").strip() + + execution_timeout = to_int(args.get("execution_timeout", 600), 600) + retry_count = to_int(args.get("retry_count", 5), 5) + retry_sleep_seconds = to_int(args.get("retry_sleep_seconds", 15), 15) + + using = (args.get("using") or "").strip() + + # ------------------------- + # ACTION: LIST + # ------------------------- + if action == "list": + emit_progress("Fetching catalog…", stage="list") + + cat_args = {} + if catalog_url: + cat_args["catalog_url"] = catalog_url + + res = demisto.executeCommand("socfw-get-catalog", cat_args) + if not res or isError(res[0]): + return_error(f"Failed to fetch catalog: {get_error(res)}") + + return_results(res) + return + + # ------------------------- + # ACTION: APPLY + # ------------------------- + pack_id = (args.get("pack_id") or "").strip() + if not pack_id: + return_error("pack_id is required when action=apply") + + install_marketplace = arg_to_bool(args.get("install_marketplace", "True"), True) + + apply_configure = arg_to_bool(args.get("apply_configure", "True"), True) + configure_jobs = arg_to_bool(args.get("configure_jobs", "True"), True) + configure_integrations = arg_to_bool(args.get("configure_integrations", "True"), True) + configure_lookups = arg_to_bool(args.get("configure_lookups", "True"), True) + + overwrite_lookup = arg_to_bool(args.get("overwrite_lookup", "False"), False) + + skip_verify = arg_to_bool(args.get("skip_verify", "True"), True) + skip_validation = arg_to_bool(args.get("skip_validation", "True"), True) + + emit_progress( + message=( + f"Starting apply for **{pack_id}**\n\n" + f"- include_hidden={bool_str_tf(include_hidden)}\n" + f"- dry_run={bool_str_tf(dry_run)}\n" + f"- install_marketplace={bool_str_tf(install_marketplace)}\n" + f"- apply_configure={bool_str_tf(apply_configure)} " + f"(jobs={bool_str_tf(configure_jobs)}, integrations={bool_str_tf(configure_integrations)}, lookups={bool_str_tf(configure_lookups)})\n" + f"- overwrite_lookup={bool_str_tf(overwrite_lookup)}\n" + f"- retries={retry_count}, retry_sleep_seconds={retry_sleep_seconds}\n" + f"- using={(using or '(default)')}" + ), + stage="start", + ) + + # 1) Resolve manifest + emit_progress("Resolving install manifest…", stage="manifest") + + manifest_args = {"pack_id": pack_id, "include_hidden": bool_str_tf(include_hidden)} + if catalog_url: + manifest_args["catalog_url"] = catalog_url + + res = demisto.executeCommand("socfw-get-install-manifest", manifest_args) + if not res or isError(res[0]): + return_error(f"Failed to resolve install manifest for {pack_id}: {get_error(res)}") + + manifest = get_contents(res) or {} + custom_packs = manifest.get("custom_packs", []) or [] + marketplace_packs = manifest.get("marketplace_packs", []) or [] + xsoar_config_url = (manifest.get("xsoar_config_url") or "").strip() + + custom_urls = [] + for cp in custom_packs: + if isinstance(cp, dict) and cp.get("url"): + custom_urls.append(cp.get("url")) + + summary = { + "action": "apply", + "pack_id": manifest.get("pack_id") or pack_id, + "display_name": manifest.get("display_name"), + "pack_version": manifest.get("pack_version"), + "xsoar_config_url": xsoar_config_url, + "dry_run": dry_run, + "include_hidden": include_hidden, + "install_marketplace": install_marketplace, + "apply_configure": apply_configure, + "configure_jobs": configure_jobs, + "configure_integrations": configure_integrations, + "configure_lookups": configure_lookups, + "overwrite_lookup": overwrite_lookup, + "skip_verify": skip_verify, + "skip_validation": skip_validation, + "execution_timeout": execution_timeout, + "retry_count": retry_count, + "retry_sleep_seconds": retry_sleep_seconds, + "custom_pack_urls": custom_urls, + "using": using or None, + "timing_ms": {"total": None, "manifest": None, "marketplace": None, "custom": None, "configure": None}, + "results": { + "marketplace": {"status": "skipped"}, + "custom": {"total": len(custom_urls), "ok": 0, "failed": 0, "items": []}, + "configure": {"status": "skipped", "details": {}}, + }, + } + + emit_progress( + message=( + "Manifest resolved.\n\n" + f"- Pack: **{summary['pack_id']}** ({summary.get('display_name')}) v{summary.get('pack_version')}\n" + f"- Marketplace packs listed: **{len(marketplace_packs) if isinstance(marketplace_packs, list) else 0}**\n" + f"- Custom ZIP URLs: **{len(custom_urls)}**" + ), + stage="manifest", + ) + + summary["timing_ms"]["manifest"] = _now_ms() - start_ms + + # 2) Dry run + if dry_run: + md = ( + "### SOCFW Pack Manager (dry run)\n" + f"- Pack: **{summary['pack_id']}** ({summary.get('display_name')}) v{summary.get('pack_version')}\n" + f"- Marketplace listed: **{len(marketplace_packs) if isinstance(marketplace_packs, list) else 0}**\n" + f"- Custom ZIP URLs: **{len(custom_urls)}**\n" + ) + if custom_urls: + md += "\n" + "\n".join([f" - {u}" for u in custom_urls]) + + if apply_configure: + md += ( + "\n\n" + f"- Configure: **True** " + f"(jobs={bool_str_tf(configure_jobs)}, integrations={bool_str_tf(configure_integrations)}, " + f"lookups={bool_str_tf(configure_lookups)}, overwrite_lookup +type: python +tags: +- configuration +- Content Management +- SOC +- SOC_Framework +- SOC_Framework_Unified +- SOCFWBootloader +enabled: true +args: +- supportedModules: [] + name: action + required: true + auto: PREDEFINED + predefined: + - list + - apply + description: 'What to do. Suggested values: list or apply. Apply requires pack_id' + defaultValue: apply +- supportedModules: [] + name: pack_id + description: The pack ID from pack_catalog.json (e.g., soc-optimization-unified). + Required for Apply +- supportedModules: [] + name: catalog_url + description: Override the catalog URL without touching the integration instance + params. +- supportedModules: [] + name: include_hidden + auto: PREDEFINED + predefined: + - "True" + - "False" + description: Allow installing packs where visible=false in the catalog. + defaultValue: "False" +- supportedModules: [] + name: dry_run + auto: PREDEFINED + predefined: + - "True" + - "False" + description: Don’t install or configure β€” just show what would happen. + defaultValue: "False" +- supportedModules: [] + name: install_marketplace + auto: PREDEFINED + predefined: + - "True" + - "False" + description: Whether to install marketplace_packs from xsoar_config.json. + defaultValue: "False" +- supportedModules: [] + name: execution_timeout + description: Timeout for the core installs and core-api REST calls. + defaultValue: "600" +- supportedModules: [] + name: skip_verify + auto: PREDEFINED + predefined: + - "True" + - "False" + description: Passed through to core-api-install-packs for ZIP installs. + defaultValue: "True" +- supportedModules: [] + name: skip_validation + auto: PREDEFINED + predefined: + - "True" + - "False" + description: Passed through to core-api-install-packs for ZIP installs. + defaultValue: "False" +- supportedModules: [] + name: apply_configure + auto: PREDEFINED + predefined: + - "True" + - "False" + description: Whether to apply config sections from xsoar_config.json (instances, + jobs, lookups). + defaultValue: "True" +- supportedModules: [] + name: overwrite_lookup + auto: PREDEFINED + predefined: + - "True" + - "False" + description: To over-write the SOC Framework Lookup Table. If you have a custom + lookup table save it first. + defaultValue: "False" +- supportedModules: [] + name: configure_jobs + auto: PREDEFINED + predefined: + - "True" + - "False" + defaultValue: "True" +- supportedModules: [] + name: configure_integrations + auto: PREDEFINED + predefined: + - "True" + - "False" + defaultValue: "True" +- supportedModules: [] + name: configure_lookups + auto: PREDEFINED + predefined: + - "True" + - "False" + defaultValue: "True" +- supportedModules: [] + name: retry_count + defaultValue: "5" +- supportedModules: [] + name: retry_sleep_seconds + defaultValue: "15" +scripttarget: 0 +subtype: python3 +pswd: "" +runonce: false +dockerimage: demisto/python3:3.12.12.6796194 +runas: DBotWeakRole +engineinfo: {} +mainengineinfo: {} +restrictioncenter: {} +signature: "" diff --git a/Packs/soc-framework-manager/pack_metadata.json b/Packs/soc-framework-manager/pack_metadata.json new file mode 100644 index 0000000..47ab2ba --- /dev/null +++ b/Packs/soc-framework-manager/pack_metadata.json @@ -0,0 +1,18 @@ +{ + "name": "SOC Framework Package Manager", + "description": "This will install and configure any of the SOC Framework packages.", + "support": "xsoar", + "currentVersion": "1.0.0", + "author": "Cortex XSOAR", + "url": "https://www.paloaltonetworks.com/cortex", + "email": "", + "categories": [ + "Utilities" + ], + "tags": [], + "useCases": [], + "keywords": [], + "marketplaces": [ + "marketplacev2" + ] +} \ No newline at end of file From 49140ec528b9b52e79a279f4f86ddabc3afe0340 Mon Sep 17 00:00:00 2001 From: Scott Brumley Date: Thu, 22 Jan 2026 14:50:58 -0500 Subject: [PATCH 15/49] - bump soc-framework-manager version - Update Package Catalog --- .../soc-framework-manager/pack_metadata.json | 34 +++++++++---------- pack_catalog.json | 8 +++++ 2 files changed, 25 insertions(+), 17 deletions(-) diff --git a/Packs/soc-framework-manager/pack_metadata.json b/Packs/soc-framework-manager/pack_metadata.json index 47ab2ba..01a48ea 100644 --- a/Packs/soc-framework-manager/pack_metadata.json +++ b/Packs/soc-framework-manager/pack_metadata.json @@ -1,18 +1,18 @@ { - "name": "SOC Framework Package Manager", - "description": "This will install and configure any of the SOC Framework packages.", - "support": "xsoar", - "currentVersion": "1.0.0", - "author": "Cortex XSOAR", - "url": "https://www.paloaltonetworks.com/cortex", - "email": "", - "categories": [ - "Utilities" - ], - "tags": [], - "useCases": [], - "keywords": [], - "marketplaces": [ - "marketplacev2" - ] -} \ No newline at end of file + "name": "SOC Framework Package Manager", + "description": "This will install and configure any of the SOC Framework packages.", + "support": "xsoar", + "currentVersion": "1.0.1", + "author": "Cortex XSOAR", + "url": "https://www.paloaltonetworks.com/cortex", + "email": "", + "categories": [ + "Utilities" + ], + "tags": [], + "useCases": [], + "keywords": [], + "marketplaces": [ + "marketplacev2" + ] +} diff --git a/pack_catalog.json b/pack_catalog.json index 5e42883..e73e17e 100644 --- a/pack_catalog.json +++ b/pack_catalog.json @@ -16,6 +16,14 @@ "visible": true, "xsoar_config": "https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/Packs/soc-crowdstrike-falcon/xsoar_config.json" }, + { + "id": "soc-framework-manager", + "display_name": "SOC Framework Package Manager", + "version": "1.0.1", + "path": "Packs/soc-framework-manager", + "visible": false, + "xsoar_config": null + }, { "id": "soc-microsoft-defender", "display_name": "SOC Microsoft Defender Integration Enhancement for Cortex XSIAM", From d3a258781a2178b0af1d6f8011efdfafe8fa23ca Mon Sep 17 00:00:00 2001 From: Scott Brumley Date: Thu, 22 Jan 2026 14:58:11 -0500 Subject: [PATCH 16/49] - Fix Validation errors fromVerison and Name / ID match --- .../SOCFrameworkBootloader/SOCFrameworkBootloader.yml | 1 + .../Scripts/SOCFWIntegrationInstanceManager.yml | 4 +++- Packs/soc-framework-manager/Scripts/SOCFWJobManager.yml | 4 +++- Packs/soc-framework-manager/Scripts/SOCFWLookupManager.yml | 4 +++- Packs/soc-framework-manager/Scripts/SOCFWPackManager.yml | 4 +++- 5 files changed, 13 insertions(+), 4 deletions(-) diff --git a/Packs/soc-framework-manager/Integrations/SOCFrameworkBootloader/SOCFrameworkBootloader.yml b/Packs/soc-framework-manager/Integrations/SOCFrameworkBootloader/SOCFrameworkBootloader.yml index eb0442b..8813d6c 100644 --- a/Packs/soc-framework-manager/Integrations/SOCFrameworkBootloader/SOCFrameworkBootloader.yml +++ b/Packs/soc-framework-manager/Integrations/SOCFrameworkBootloader/SOCFrameworkBootloader.yml @@ -339,3 +339,4 @@ script: runonce: false signature: "" restrictioncenter: {} +fromversion: 5.0.0 \ No newline at end of file diff --git a/Packs/soc-framework-manager/Scripts/SOCFWIntegrationInstanceManager.yml b/Packs/soc-framework-manager/Scripts/SOCFWIntegrationInstanceManager.yml index 9403e0b..0ba3575 100644 --- a/Packs/soc-framework-manager/Scripts/SOCFWIntegrationInstanceManager.yml +++ b/Packs/soc-framework-manager/Scripts/SOCFWIntegrationInstanceManager.yml @@ -1,5 +1,5 @@ commonfields: - id: 6216bfef-a27c-4081-89a8-77dd21766efa + id: SOCFWIntegrationInstanceManager version: 4 vcShouldKeepItemLegacyProdMachine: false name: SOCFWIntegrationInstanceManager @@ -152,3 +152,5 @@ engineinfo: {} mainengineinfo: {} restrictioncenter: {} signature: "" +id: SOCFWIntegrationInstanceManager +fromversion: 5.0.0 diff --git a/Packs/soc-framework-manager/Scripts/SOCFWJobManager.yml b/Packs/soc-framework-manager/Scripts/SOCFWJobManager.yml index cca1c15..16ca1ee 100644 --- a/Packs/soc-framework-manager/Scripts/SOCFWJobManager.yml +++ b/Packs/soc-framework-manager/Scripts/SOCFWJobManager.yml @@ -1,5 +1,5 @@ commonfields: - id: a565f683-d0a7-4181-82a6-3a11bc3ea0db + id: SOCFWJobManager version: 5 vcShouldKeepItemLegacyProdMachine: false name: SOCFWJobManager @@ -151,3 +151,5 @@ engineinfo: {} mainengineinfo: {} restrictioncenter: {} signature: "" +id: SOCFWJobManager +fromversion: 5.0.0 diff --git a/Packs/soc-framework-manager/Scripts/SOCFWLookupManager.yml b/Packs/soc-framework-manager/Scripts/SOCFWLookupManager.yml index cb62144..a1d7227 100644 --- a/Packs/soc-framework-manager/Scripts/SOCFWLookupManager.yml +++ b/Packs/soc-framework-manager/Scripts/SOCFWLookupManager.yml @@ -1,5 +1,5 @@ commonfields: - id: b53aea4b-293a-47ad-8b37-3e4ece27d37a + id: SOCFWLookupManager version: 4 vcShouldKeepItemLegacyProdMachine: false name: SOCFWLookupManager @@ -272,3 +272,5 @@ engineinfo: {} mainengineinfo: {} restrictioncenter: {} signature: "" +id: SOCFWLookupManager +fromversion: 5.0.0 diff --git a/Packs/soc-framework-manager/Scripts/SOCFWPackManager.yml b/Packs/soc-framework-manager/Scripts/SOCFWPackManager.yml index beea35d..3f48b2b 100644 --- a/Packs/soc-framework-manager/Scripts/SOCFWPackManager.yml +++ b/Packs/soc-framework-manager/Scripts/SOCFWPackManager.yml @@ -1,5 +1,5 @@ commonfields: - id: e5c63c0b-e4ea-4928-8eed-5e51b9ad9ce8 + id: SOCFWPackManager version: 37 vcShouldKeepItemLegacyProdMachine: false name: SOCFWPackManager @@ -522,3 +522,5 @@ engineinfo: {} mainengineinfo: {} restrictioncenter: {} signature: "" +id: SOCFWPackManager +fromversion: 5.0.0 From 04aa751ee1e49aba085a493e6fc8f1d6246c2d09 Mon Sep 17 00:00:00 2001 From: Scott Brumley Date: Thu, 22 Jan 2026 15:02:27 -0500 Subject: [PATCH 17/49] - Bump version on Trend and soc-optimization to test zip build. --- Packs/soc-optimization/pack_metadata.json | 2 +- Packs/soc-optimization/xsoar_config.json | 2 +- Packs/soc-trendmicro-visionone/pack_metadata.json | 2 +- Packs/soc-trendmicro-visionone/xsoar_config.json | 2 +- pack_catalog.json | 4 ++-- 5 files changed, 6 insertions(+), 6 deletions(-) diff --git a/Packs/soc-optimization/pack_metadata.json b/Packs/soc-optimization/pack_metadata.json index 800b662..4a54da6 100644 --- a/Packs/soc-optimization/pack_metadata.json +++ b/Packs/soc-optimization/pack_metadata.json @@ -3,7 +3,7 @@ "id": "soc-optimization", "description": "This Package has been deprecated. The new package is the SOC Framework Unified. This contents the content used to leverage processes that the Palo SOC uses including: Playbooks, integrations, layouts, etc.", "support": "xsoar", - "currentVersion": "2.1.45", + "currentVersion": "2.1.46", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/soc-optimization/xsoar_config.json b/Packs/soc-optimization/xsoar_config.json index 96c0f67..cfd0b70 100644 --- a/Packs/soc-optimization/xsoar_config.json +++ b/Packs/soc-optimization/xsoar_config.json @@ -8,7 +8,7 @@ "custom_packs": [ { "id": "soc-optimization.zip", - "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-optimization-v2.1.45/soc-optimization-v2.1.45.zip", + "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-optimization-v2.1.46/soc-optimization-v2.1.46.zip", "system": "yes" } ], diff --git a/Packs/soc-trendmicro-visionone/pack_metadata.json b/Packs/soc-trendmicro-visionone/pack_metadata.json index abccea2..80ddbf7 100644 --- a/Packs/soc-trendmicro-visionone/pack_metadata.json +++ b/Packs/soc-trendmicro-visionone/pack_metadata.json @@ -3,7 +3,7 @@ "id": "soc-trendmicro-visionone", "description": "This contains enhancement content for Trend Micro Vision One including correlation rules, modeling rules, and layout for XSIAM.", "support": "xsoar", - "currentVersion": "1.0.22", + "currentVersion": "1.0.23", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/soc-trendmicro-visionone/xsoar_config.json b/Packs/soc-trendmicro-visionone/xsoar_config.json index 9f7b068..4070000 100644 --- a/Packs/soc-trendmicro-visionone/xsoar_config.json +++ b/Packs/soc-trendmicro-visionone/xsoar_config.json @@ -2,7 +2,7 @@ "custom_packs": [ { "id": "soc-trendmicro-visionone.zip", - "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-trendmicro-visionone-v1.0.22/soc-trendmicro-visionone-v1.0.22.zip", + "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-trendmicro-visionone-v1.0.23/soc-trendmicro-visionone-v1.0.23.zip", "system": "yes" } ], diff --git a/pack_catalog.json b/pack_catalog.json index e73e17e..a870c0a 100644 --- a/pack_catalog.json +++ b/pack_catalog.json @@ -43,7 +43,7 @@ { "id": "soc-optimization", "display_name": "SOC Framework (DEPRECATED)", - "version": "2.1.45", + "version": "2.1.46", "path": "Packs/soc-optimization", "visible": false, "xsoar_config": "https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/Packs/soc-optimization/xsoar_config.json" @@ -67,7 +67,7 @@ { "id": "soc-trendmicro-visionone", "display_name": "SOC Trend Micro Enhancement for Cortex XSIAM", - "version": "1.0.22", + "version": "1.0.23", "path": "Packs/soc-trendmicro-visionone", "visible": true, "xsoar_config": "https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/Packs/soc-trendmicro-visionone/xsoar_config.json" From e8fccd380b8a8a57d5ea528f3040300adfa90835 Mon Sep 17 00:00:00 2001 From: Scott Brumley Date: Thu, 22 Jan 2026 17:59:45 -0500 Subject: [PATCH 18/49] - Install of Custom Packs - Market Place Packs - Configuration of Jobs, Integration Instances - Adding Lookup Tables --- .../Scripts/SOCFWPackManager.yml | 878 ++++++++++++------ 1 file changed, 573 insertions(+), 305 deletions(-) diff --git a/Packs/soc-framework-manager/Scripts/SOCFWPackManager.yml b/Packs/soc-framework-manager/Scripts/SOCFWPackManager.yml index 3f48b2b..dbfa6db 100644 --- a/Packs/soc-framework-manager/Scripts/SOCFWPackManager.yml +++ b/Packs/soc-framework-manager/Scripts/SOCFWPackManager.yml @@ -1,16 +1,66 @@ commonfields: - id: SOCFWPackManager - version: 37 + id: e5c63c0b-e4ea-4928-8eed-5e51b9ad9ce8 + version: 57 vcShouldKeepItemLegacyProdMachine: false name: SOCFWPackManager script: | import json import time + from typing import Any, Dict, List, Optional + import requests + # ============================================================ + # SOCFWPackManager (bootloader) + # - list: shows SOC Framework pack catalog (like your screenshot) + # - apply: resolves pack_id via secops-framework pack_catalog.json (not "manifest URL only") + # - marketplace install: uses XSIAMContentPackInstaller (Anna’s) when available + # - custom ZIP install: uses core-api-install-packs with file_url (NOT pack_url) + # - configure: runs your SOCFW* manager scripts (instances/jobs/lookups) + # ============================================================ + + SCRIPT_NAME = "SOCFWPackManager" + # --------------------------- - # Helpers + # Basic Demisto helpers # --------------------------- + + def get_error(res): + try: + return res[0].get("Contents") or res[0].get("HumanReadable") or str(res[0]) + except Exception: + return str(res) + + def is_error(res0): + try: + return bool(res0.get("Type") == 4) # entryTypes["error"] == 4 + except Exception: + return False + + def get_contents(res): + if not res or not isinstance(res, list) or not res[0]: + return {} + return res[0].get("Contents") or {} + + def arg_to_bool(val, default=False) -> bool: + if val is None: + return default + if isinstance(val, bool): + return val + s = str(val).strip().lower() + if s == "": + return default + return s in ("true", "1", "yes", "y", "on") + + def to_int(val, default: int) -> int: + try: + return int(val) + except Exception: + return default + + def bool_str_tf(val: bool) -> str: + return "True" if bool(val) else "False" + def is_timeout_error(err_text: str) -> bool: if not err_text: return False @@ -23,379 +73,598 @@ script: | or "context deadline exceeded" in t ) + def emit_progress(message: str, stage: Optional[str] = None): + title = f"{SCRIPT_NAME} β€” {stage}" if stage else SCRIPT_NAME + demisto.results( + { + "Type": 1, + "ContentsFormat": "markdown", + "Contents": message, + "HumanReadable": f"### {title}\n{message}", + } + ) - def core_api_post(path: str, body: dict, using: str = "", execution_timeout: int = 600): - """ - Wrapper around core-api-post. - """ - args = { - "uri": path, - "body": json.dumps(body or {}), - "execution-timeout": str(execution_timeout), - } + def exec_cmd(command: str, args: Dict[str, Any], fail_on_error: bool = True): + res = demisto.executeCommand(command, args) + if not res: + if fail_on_error: + raise Exception(f"{command} returned empty response") + return res + if is_error(res[0]): + if fail_on_error: + raise Exception(get_error(res)) + return res + return res + + def exec_with_retry( + command: str, + args: Dict[str, Any], + retry_count: int, + retry_sleep_seconds: int, + context_for_error: str, + fail_on_error: bool = True, + ): + last_err = None + for attempt in range(1, max(1, retry_count) + 1): + try: + return exec_cmd(command, args, fail_on_error=fail_on_error) + except Exception as e: + last_err = str(e) + if attempt >= retry_count: + break + # retry on timeouts, otherwise still retry after sleep (tenant flakiness) + time.sleep(max(1, retry_sleep_seconds)) + continue + if fail_on_error: + raise Exception(f"{context_for_error}\nError: {last_err}") + return None + + # --------------------------- + # Core API wrappers + # --------------------------- + + def core_api_get(path: str, using: str = "", execution_timeout: int = 600) -> Dict[str, Any]: + args = {"uri": path, "execution-timeout": str(execution_timeout)} if using: args["using"] = using + res = exec_cmd("core-api-get", args) + return get_contents(res) or {} - res = demisto.executeCommand("core-api-post", args) - if not res or isError(res[0]): - raise Exception(get_error(res)) + def core_api_post(path: str, body: Any, using: str = "", execution_timeout: int = 600) -> Dict[str, Any]: + args = {"uri": path, "body": json.dumps(body if body is not None else {}), "execution-timeout": str(execution_timeout)} + if using: + args["using"] = using + res = exec_cmd("core-api-post", args) return get_contents(res) or {} + # --------------------------- + # HTTP JSON helpers + # --------------------------- - def lookup_dataset_exists_via_get_datasets(dataset_name: str, using: str = "", execution_timeout: int = 600) -> bool: - """ - Uses /public_api/v1/xql/get_datasets to check dataset existence. - Returns True if dataset_name is present. - """ - data = core_api_post("/public_api/v1/xql/get_datasets", {}, using=using, execution_timeout=execution_timeout) - - candidates = [] - if isinstance(data, dict): - for k in ("datasets", "reply", "data", "result", "results"): - v = data.get(k) - if isinstance(v, list): - candidates = v - break - if not candidates and isinstance(data.get("Contents"), list): - candidates = data.get("Contents") - elif isinstance(data, list): - candidates = data - - target = (dataset_name or "").strip().lower() - for item in candidates or []: - if not isinstance(item, dict): - continue - dn = (item.get("dataset_name") or item.get("name") or "").strip().lower() - if dn == target: - return True + def http_get_json(url: str, timeout: int = 30) -> Any: + r = requests.get(url, timeout=timeout) + r.raise_for_status() + return r.json() + + # --------------------------- + # Catalog + Manifest resolver (RESTORED) + # --------------------------- - return False + DEFAULT_CATALOG_URL = "https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/pack_catalog.json" + def fetch_pack_catalog(catalog_url: str = DEFAULT_CATALOG_URL) -> Dict[str, Any]: + data = http_get_json(catalog_url) + if not isinstance(data, dict): + raise Exception(f"pack_catalog.json unexpected format at {catalog_url}") + return data - def arg_to_bool(val, default=False): + def find_pack_in_catalog(catalog: Dict[str, Any], pack_id: str) -> Optional[Dict[str, Any]]: + packs = catalog.get("packs") or catalog.get("Packs") or catalog.get("items") or [] + if not isinstance(packs, list): + return None + for p in packs: + if isinstance(p, dict) and (p.get("id") == pack_id): + return p + return None + + def resolve_manifest(pack_id: str, include_hidden: bool) -> Dict[str, Any]: """ - Accepts: True/False, "True"/"False", "true"/"false", 1/0, yes/no, on/off. + Restored behavior: + - If pack_id is a URL -> treat it as a manifest JSON URL + - Else -> resolve using secops-framework pack_catalog.json + standard repo conventions """ - if val is None: - return default - if isinstance(val, bool): - return val - s = str(val).strip().lower() - if s == "": - return default - return s in ("true", "1", "yes", "y", "on") + if pack_id.startswith("http://") or pack_id.startswith("https://"): + return http_get_json(pack_id) + + catalog = fetch_pack_catalog(DEFAULT_CATALOG_URL) + pack = find_pack_in_catalog(catalog, pack_id) + if not pack: + raise Exception(f"Pack '{pack_id}' not found in pack_catalog.json") + + visible = bool(pack.get("visible", True)) + if (not include_hidden) and (not visible): + # still allow apply for hidden packs if user explicitly provides it + # but list will hide it. For apply, we won’t block. + pass + + version = (pack.get("version") or "").strip() + if not version: + raise Exception(f"Pack '{pack_id}' missing version in pack_catalog.json") + + # Standard conventions you’ve been using: + # - xsoar_config.json lives in Packs/{pack_id}/xsoar_config.json on main + xsoar_config_url = f"https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/Packs/{pack_id}/xsoar_config.json" + + # - release ZIP asset/tag is {pack_id}-v{version}/{pack_id}-v{version}.zip + release_tag = f"{pack_id}-v{version}" + zip_url = f"https://github.com/Palo-Cortex/secops-framework/releases/download/{release_tag}/{release_tag}.zip" + + # If you need pack-specific marketplace dependencies later, add them to catalog and read them here. + # For now keep your known baseline behavior for soc-optimization. + marketplace_packs = [ + {"id": "Base", "version": "latest"}, + {"id": "CommonScripts", "version": "latest"}, + {"id": "CommonPlaybooks", "version": "latest"}, + {"id": "DemistoRESTAPI", "version": "latest"}, + {"id": "Whois", "version": "latest"}, + ] + + return { + "marketplace_packs": marketplace_packs, + "custom_zip_urls": [{"url": zip_url, "name": release_tag}], + "xsoar_config_url": xsoar_config_url, + "pack_catalog_entry": pack, + "pack_version": version, + } + # --------------------------- + # list action (RESTORED like screenshot) + # --------------------------- - def to_int(val, default): - try: - return int(val) - except Exception: - return default + def do_list(args: Dict[str, Any]): + using = (args.get("using") or "").strip() + include_hidden = arg_to_bool(args.get("include_hidden"), False) + emit_progress("Fetching catalog…", stage="list") - def bool_str_tf(val: bool) -> str: - return "True" if bool(val) else "False" + catalog = fetch_pack_catalog(DEFAULT_CATALOG_URL) + packs = catalog.get("packs") or catalog.get("Packs") or catalog.get("items") or [] + if not isinstance(packs, list): + raise Exception("pack_catalog.json is missing 'packs' list") + + rows = [] + for p in packs: + if not isinstance(p, dict): + continue + visible = bool(p.get("visible", True)) + if (not include_hidden) and (not visible): + continue + rows.append( + { + "id": p.get("id", ""), + "display_name": p.get("display_name") or p.get("name") or "", + "version": p.get("version", ""), + "visible": str(visible).lower(), + "path": p.get("path") or f"Packs/{p.get('id','')}", + } + ) + rows.sort(key=lambda x: (x["id"] or "")) - def get_contents(res): - if not res or not isinstance(res, list) or not res[0]: - return {} - return res[0].get("Contents") or {} + # Render markdown table (matches your screenshot format) + header = "SOC Framework Pack Catalog\n\nAvailable Packs\n" + table = "| id | display_name | version | visible | path |\n|---|---|---:|---:|---|\n" + for r in rows: + table += f'| {r["id"]} | {r["display_name"]} | {r["version"]} | {r["visible"]} | {r["path"]} |\n' + emit_progress( + f"using: {(using or '(default)')}\ninclude_hidden: {include_hidden}\n\n{header}\n{table}", + stage="list", + ) + return - def emit_progress(message: str, stage: str = None, data: dict = None): - """ - Emit a visible War Room note entry so the user sees progress. - """ + # --------------------------- + # Marketplace install (USE ANNA’S SCRIPT) + # --------------------------- + + def install_marketplace_packs( + marketplace_packs: List[Dict[str, str]], + using: str, + retry_count: int, + retry_sleep_seconds: int, + ) -> Dict[str, Any]: + emit_progress( + "Installing marketplace packs via **XSIAMContentPackInstaller**…\n" + + "\n".join([f'{p.get("id")} @ {p.get("version")}' for p in marketplace_packs]), + stage="packs.marketplace", + ) + + args = { + "packs_data": marketplace_packs, + "pack_id_key": "id", + "pack_version_key": "version", + "install_dependencies": "true", + } + if using: + args["using"] = using + + res = exec_with_retry( + "XSIAMContentPackInstaller", + args, + retry_count=retry_count, + retry_sleep_seconds=retry_sleep_seconds, + context_for_error="Failed installing marketplace packs via XSIAMContentPackInstaller", + fail_on_error=True, + ) + return get_contents(res) if res else {} + + def fetch_installed_marketplace_pack_ids(using: str) -> List[str]: try: - title = "SOCFW Pack Manager" - if stage: - title = f"SOCFW Pack Manager β€” {stage}" - hr = f"### {title}\n{message}" - entry = { - "Type": 1, # note - "ContentsFormat": "json", - "Contents": data or {"message": message, "stage": stage}, - "HumanReadable": hr, - } - demisto.results(entry) + r = core_api_get("/contentpacks/metadata/installed", using=using) + packs = (r.get("response") or []) if isinstance(r, dict) else [] + ids = [] + for p in packs: + pid = p.get("id") + if pid: + ids.append(pid) + return ids except Exception: - pass + return [] + # --------------------------- + # xsoar_config + # --------------------------- - def is_cluster_busy_error(err_text: str) -> bool: - if not err_text: - return False - t = err_text.lower() - return ( - "can't acquire cluster lock" in t - or "cannot acquire cluster lock" in t - or "state must be 'idle'" in t - or "state must be \"idle\"" in t - or "but is 'installing'" in t - or "but is \"installing\"" in t - or ("erruploadcontentpacks" in t and "installing" in t) - ) + def fetch_xsoar_config(xsoar_config_url: str) -> Dict[str, Any]: + data = http_get_json(xsoar_config_url) + if not isinstance(data, dict): + raise Exception(f"xsoar_config.json unexpected format at {xsoar_config_url}") + return data + # --------------------------- + # Custom packs install (FIXED: file_url, NOT pack_url) + # --------------------------- - def exec_with_retry(command_name: str, command_args: dict, retry_count: int, retry_sleep_seconds: int, context_for_error: str): - """ - Execute a command and retry only for transient errors (cluster lock/installing OR timeouts). - Returns the raw demisto.executeCommand result. - """ - retry_count = max(0, int(retry_count)) - retry_sleep_seconds = max(1, int(retry_sleep_seconds)) + def install_custom_pack_zip(url: str, using: str, execution_timeout: int, retry_count: int, retry_sleep_seconds: int): + args = {"file_url": url, "execution-timeout": str(max(1200, execution_timeout))} + if using: + args["using"] = using - attempt = 0 - last_err = None + exec_with_retry( + "core-api-install-packs", + args, + retry_count=retry_count, + retry_sleep_seconds=retry_sleep_seconds, + context_for_error=f"Failed installing custom pack ZIP: {url}", + fail_on_error=True, + ) - while True: - attempt += 1 - res = demisto.executeCommand(command_name, command_args) + # --------------------------- + # Configure (jobs / integrations / lookups) + # --------------------------- - if res and not isError(res[0]): - return res + def configure_integrations_from_xsoar_config( + xsoar_cfg: Dict[str, Any], + using: str, + retry_count: int, + retry_sleep_seconds: int, + installed_pack_ids: List[str], + ): + emit_progress("Configuring integration instances…", stage="configure.integrations") + + for inst in xsoar_cfg.get("integration_instances", []) or []: + if not isinstance(inst, dict): + continue - last_err = get_error(res) if res else "No response returned" + name = (inst.get("name") or "").strip() + if not name: + continue - # βœ… Retry on BOTH cluster busy and timeout-style errors - if (is_cluster_busy_error(last_err) or is_timeout_error(last_err)) and attempt <= retry_count: - sleep_s = retry_sleep_seconds * attempt + required_pack = ( + (inst.get("required_pack_id") or inst.get("marketplace_pack") or inst.get("pack_id") or "").strip() + ) + if required_pack and required_pack not in installed_pack_ids: emit_progress( - message=( - f"Transient error detected. Retrying **{attempt}/{retry_count}** in **{sleep_s}s**.\n\n" - f"**Command:** `{command_name}`\n\n" - f"**Error:** {last_err}" - ), - stage="retry", - data={ - "command": command_name, - "attempt": attempt, - "retry_count": retry_count, - "sleep_seconds": sleep_s, - "error": last_err, - }, + f"Skipping integration instance **{name}** β€” marketplace pack **{required_pack}** not installed.", + stage="configure.integrations", ) - time.sleep(sleep_s) continue - raise Exception(f"{context_for_error}\nError: {last_err}") - + emit_progress(f"Configuring integration instance: **{name}**", stage="configure.integrations") - def http_get_json(url: str, timeout: int = 60): - """ - Fetch JSON from URL. - Supports: - - standard JSON object or array - - NDJSON (newline-delimited JSON objects), returns a list - """ - try: - r = requests.get(url, timeout=timeout) - r.raise_for_status() - text = r.text.lstrip("\ufeff").strip() + cmd_args = { + "integration_instance_name": name, + "integration_instance_data": json.dumps(inst), + } + if using: + cmd_args["using"] = using + + res = exec_with_retry( + "SOCFWIntegrationInstanceManager", + cmd_args, + retry_count=retry_count, + retry_sleep_seconds=retry_sleep_seconds, + context_for_error=f"Failed configuring integration instance: {name}", + fail_on_error=True, + ) try: - return json.loads(text) - except Exception as e: - msg = str(e) - if "Extra data" in msg or "Expecting value" in msg: - items = [] - for line in text.splitlines(): - line = line.strip() - if not line: - continue - items.append(json.loads(line)) - if items: - return items - raise - except Exception as e: - raise Exception(f"Failed to fetch/parse JSON from {url}: {e}") - - - def set_configuration_setup_in_context(xsoar_config: dict, timeout: int = 60): - """ - Build ConfigurationSetup context in the shape expected by managers. - Also hydrates lookup_datasets[].url -> lookup_datasets[].data - """ - integration_instances = xsoar_config.get("integration_instances", []) or [] - jobs = xsoar_config.get("jobs", []) or [] - - lookup_datasets = xsoar_config.get("lookup_datasets", []) or [] - hydrated_lookups = [] + c = get_contents(res) + emit_progress( + f"Integration instance **{name}** result: Contents keys: {list((c or {}).keys())}", + stage="configure.integrations.result", + ) + except Exception: + pass + + def configure_jobs_from_xsoar_config( + xsoar_cfg: Dict[str, Any], + using: str, + retry_count: int, + retry_sleep_seconds: int, + ): + emit_progress("Configuring jobs…", stage="configure.jobs") + + for job in xsoar_cfg.get("jobs", []) or []: + if not isinstance(job, dict): + continue - for lk in lookup_datasets: - if not isinstance(lk, dict): + name = (job.get("name") or job.get("job_name") or "").strip() + if not name: continue - item = dict(lk) - url = (item.get("url") or "").strip() + emit_progress(f"Configuring job: **{name}**", stage="configure.jobs") - if not item.get("data") and url: - item["data"] = http_get_json(url, timeout=timeout) + cmd_args = { + "job_name": name, + "job_data": json.dumps(job), + } + if using: + cmd_args["using"] = using + + res = exec_with_retry( + "SOCFWJobManager", + cmd_args, + retry_count=retry_count, + retry_sleep_seconds=retry_sleep_seconds, + context_for_error=f"Failed configuring job: {name}", + fail_on_error=True, + ) - hydrated_lookups.append(item) + try: + c = get_contents(res) + emit_progress( + f"Job **{name}** result: Contents keys: {list((c or {}).keys())}", + stage="configure.jobs.result", + ) + except Exception: + pass + + def configure_lookups_from_xsoar_config( + xsoar_cfg: Dict[str, Any], + using: str, + retry_count: int, + retry_sleep_seconds: int, + overwrite_lookup: bool, + ): + emit_progress("Configuring lookup datasets…", stage="configure.lookups") + + for ds in xsoar_cfg.get("lookup_datasets", []) or []: + if not isinstance(ds, dict): + continue - cfg = { - "IntegrationInstances": integration_instances, - "Jobs": jobs, - "LookupDatasets": hydrated_lookups, - } + name = (ds.get("name") or ds.get("dataset_name") or "").strip() + if not name: + continue - demisto.setContext("ConfigurationSetup", [cfg]) + emit_progress(f"Configuring lookup dataset: **{name}**", stage="configure.lookups") + cmd_args = { + "lookup_dataset_name": name, + "lookup_dataset_data": json.dumps(ds), + "overwrite_lookup": bool_str_tf(overwrite_lookup), + } + if using: + cmd_args["using"] = using + + res = exec_with_retry( + "SOCFWLookupManager", + cmd_args, + retry_count=retry_count, + retry_sleep_seconds=retry_sleep_seconds, + context_for_error=f"Failed configuring lookup dataset: {name}", + fail_on_error=True, + ) - def _now_ms(): - return int(time.time() * 1000) + try: + c = get_contents(res) + emit_progress( + f"Lookup **{name}** result: Contents keys: {list((c or {}).keys())}", + stage="configure.lookups.result", + ) + except Exception: + pass + # --------------------------- + # Main + # --------------------------- def main(): - start_ms = _now_ms() args = demisto.args() action = (args.get("action") or "apply").strip().lower() - if action not in ("list", "apply"): - return_error("action must be one of: list, apply") - - include_hidden = arg_to_bool(args.get("include_hidden", "True"), True) - dry_run = arg_to_bool(args.get("dry_run", "False"), False) - catalog_url = (args.get("catalog_url") or "").strip() - - execution_timeout = to_int(args.get("execution_timeout", 600), 600) - retry_count = to_int(args.get("retry_count", 5), 5) - retry_sleep_seconds = to_int(args.get("retry_sleep_seconds", 15), 15) - + pack_id = (args.get("pack_id") or "").strip() + include_hidden = arg_to_bool(args.get("include_hidden"), False) + dry_run = arg_to_bool(args.get("dry_run"), False) + + install_marketplace_flag = arg_to_bool(args.get("install_marketplace"), True) + apply_configure = arg_to_bool(args.get("apply_configure"), True) + configure_jobs = arg_to_bool(args.get("configure_jobs"), True) + configure_integrations = arg_to_bool(args.get("configure_integrations"), True) + configure_lookups = arg_to_bool(args.get("configure_lookups"), True) + overwrite_lookup = arg_to_bool(args.get("overwrite_lookup"), False) + + retry_count = to_int(args.get("retry_count"), 5) + retry_sleep_seconds = to_int(args.get("retry_sleep_seconds"), 15) using = (args.get("using") or "").strip() + execution_timeout = to_int(args.get("execution_timeout"), 1200) - # ------------------------- - # ACTION: LIST - # ------------------------- - if action == "list": - emit_progress("Fetching catalog…", stage="list") - - cat_args = {} - if catalog_url: - cat_args["catalog_url"] = catalog_url + fail_on_marketplace_errors = arg_to_bool(args.get("fail_on_marketplace_errors"), False) - res = demisto.executeCommand("socfw-get-catalog", cat_args) - if not res or isError(res[0]): - return_error(f"Failed to fetch catalog: {get_error(res)}") + if action not in ("apply", "list"): + raise Exception(f"Unsupported action: {action}") - return_results(res) - return + if action == "list": + return do_list(args) - # ------------------------- - # ACTION: APPLY - # ------------------------- - pack_id = (args.get("pack_id") or "").strip() if not pack_id: - return_error("pack_id is required when action=apply") - - install_marketplace = arg_to_bool(args.get("install_marketplace", "True"), True) - - apply_configure = arg_to_bool(args.get("apply_configure", "True"), True) - configure_jobs = arg_to_bool(args.get("configure_jobs", "True"), True) - configure_integrations = arg_to_bool(args.get("configure_integrations", "True"), True) - configure_lookups = arg_to_bool(args.get("configure_lookups", "True"), True) - - overwrite_lookup = arg_to_bool(args.get("overwrite_lookup", "False"), False) - - skip_verify = arg_to_bool(args.get("skip_verify", "True"), True) - skip_validation = arg_to_bool(args.get("skip_validation", "True"), True) + raise Exception("pack_id is required for action=apply") emit_progress( - message=( - f"Starting apply for **{pack_id}**\n\n" - f"- include_hidden={bool_str_tf(include_hidden)}\n" - f"- dry_run={bool_str_tf(dry_run)}\n" - f"- install_marketplace={bool_str_tf(install_marketplace)}\n" - f"- apply_configure={bool_str_tf(apply_configure)} " - f"(jobs={bool_str_tf(configure_jobs)}, integrations={bool_str_tf(configure_integrations)}, lookups={bool_str_tf(configure_lookups)})\n" - f"- overwrite_lookup={bool_str_tf(overwrite_lookup)}\n" - f"- retries={retry_count}, retry_sleep_seconds={retry_sleep_seconds}\n" - f"- using={(using or '(default)')}" + "\n".join( + [ + f"Starting {action} for {pack_id}", + f"include_hidden={include_hidden}", + f"dry_run={dry_run}", + f"install_marketplace={install_marketplace_flag}", + f"apply_configure={apply_configure} (jobs={configure_jobs}, integrations={configure_integrations}, lookups={configure_lookups})", + f"overwrite_lookup={overwrite_lookup}", + f"retries={retry_count}, retry_sleep_seconds={retry_sleep_seconds}", + f"using={(using or '(default)')}", + f"execution_timeout={execution_timeout}", + f"fail_on_marketplace_errors={fail_on_marketplace_errors}", + ] ), stage="start", ) - # 1) Resolve manifest emit_progress("Resolving install manifest…", stage="manifest") + manifest = resolve_manifest(pack_id, include_hidden=include_hidden) - manifest_args = {"pack_id": pack_id, "include_hidden": bool_str_tf(include_hidden)} - if catalog_url: - manifest_args["catalog_url"] = catalog_url - - res = demisto.executeCommand("socfw-get-install-manifest", manifest_args) - if not res or isError(res[0]): - return_error(f"Failed to resolve install manifest for {pack_id}: {get_error(res)}") - - manifest = get_contents(res) or {} - custom_packs = manifest.get("custom_packs", []) or [] - marketplace_packs = manifest.get("marketplace_packs", []) or [] - xsoar_config_url = (manifest.get("xsoar_config_url") or "").strip() - - custom_urls = [] - for cp in custom_packs: - if isinstance(cp, dict) and cp.get("url"): - custom_urls.append(cp.get("url")) - - summary = { - "action": "apply", - "pack_id": manifest.get("pack_id") or pack_id, - "display_name": manifest.get("display_name"), - "pack_version": manifest.get("pack_version"), - "xsoar_config_url": xsoar_config_url, - "dry_run": dry_run, - "include_hidden": include_hidden, - "install_marketplace": install_marketplace, - "apply_configure": apply_configure, - "configure_jobs": configure_jobs, - "configure_integrations": configure_integrations, - "configure_lookups": configure_lookups, - "overwrite_lookup": overwrite_lookup, - "skip_verify": skip_verify, - "skip_validation": skip_validation, - "execution_timeout": execution_timeout, - "retry_count": retry_count, - "retry_sleep_seconds": retry_sleep_seconds, - "custom_pack_urls": custom_urls, - "using": using or None, - "timing_ms": {"total": None, "manifest": None, "marketplace": None, "custom": None, "configure": None}, - "results": { - "marketplace": {"status": "skipped"}, - "custom": {"total": len(custom_urls), "ok": 0, "failed": 0, "items": []}, - "configure": {"status": "skipped", "details": {}}, - }, - } + marketplace_packs = manifest.get("marketplace_packs") or [] + custom_zip_urls = manifest.get("custom_zip_urls") or [] + xsoar_config_url = manifest.get("xsoar_config_url") or "" emit_progress( - message=( - "Manifest resolved.\n\n" - f"- Pack: **{summary['pack_id']}** ({summary.get('display_name')}) v{summary.get('pack_version')}\n" - f"- Marketplace packs listed: **{len(marketplace_packs) if isinstance(marketplace_packs, list) else 0}**\n" - f"- Custom ZIP URLs: **{len(custom_urls)}**" + "\n".join( + [ + "Manifest resolved.", + f"marketplace_packs: {len(marketplace_packs)}", + f"custom ZIP URLs: {len(custom_zip_urls)}", + f"xsoar_config_url: {xsoar_config_url or '(none)'}", + ] ), - stage="manifest", + stage="manifest.summary", ) - summary["timing_ms"]["manifest"] = _now_ms() - start_ms + xsoar_cfg = {} + if xsoar_config_url: + emit_progress("Fetching xsoar_config.json…", stage="xsoar_config.fetch") + xsoar_cfg = fetch_xsoar_config(xsoar_config_url) or {} + emit_progress( + "\n".join( + [ + "xsoar_config loaded.", + f"integration_instances: {len(xsoar_cfg.get('integration_instances', []) or [])}", + f"jobs: {len(xsoar_cfg.get('jobs', []) or [])}", + f"lookup_datasets: {len(xsoar_cfg.get('lookup_datasets', []) or [])}", + ] + ), + stage="xsoar_config.summary", + ) - # 2) Dry run if dry_run: - md = ( - "### SOCFW Pack Manager (dry run)\n" - f"- Pack: **{summary['pack_id']}** ({summary.get('display_name')}) v{summary.get('pack_version')}\n" - f"- Marketplace listed: **{len(marketplace_packs) if isinstance(marketplace_packs, list) else 0}**\n" - f"- Custom ZIP URLs: **{len(custom_urls)}**\n" + emit_progress("dry_run=True β€” not installing or configuring anything.", stage="done") + return + + marketplace_errors: List[str] = [] + if install_marketplace_flag and marketplace_packs: + # normalize + mp = [] + for p in marketplace_packs: + if isinstance(p, dict) and p.get("id"): + mp.append({"id": p.get("id"), "version": p.get("version", "latest")}) + try: + install_marketplace_packs(mp, using, retry_count, retry_sleep_seconds) + except Exception as e: + marketplace_errors.append(str(e)) + emit_progress(f"Marketplace install failed.\nError: {e}", stage="packs.marketplace.error") + if fail_on_marketplace_errors: + raise + + if custom_zip_urls: + emit_progress("Installing custom pack ZIPs…", stage="packs.custom") + for item in custom_zip_urls: + url = None + label = None + if isinstance(item, str): + url = item + label = item + elif isinstance(item, dict): + url = item.get("url") or item.get("zip_url") + label = item.get("name") or url + if not url: + continue + emit_progress(f"Installing custom pack ZIP: **{label}**", stage="packs.custom") + install_custom_pack_zip(url, using, execution_timeout, retry_count, retry_sleep_seconds) + + if apply_configure and xsoar_cfg: + emit_progress("Configuring from xsoar_config…", stage="configure") + emit_progress( + "\n".join( + [ + "Configure plan from xsoar_config.json:", + f"integration_instances: {len(xsoar_cfg.get('integration_instances', []) or [])}", + f"jobs: {len(xsoar_cfg.get('jobs', []) or [])}", + f"lookup_datasets: {len(xsoar_cfg.get('lookup_datasets', []) or [])}", + ] + ), + stage="configure.plan", ) - if custom_urls: - md += "\n" + "\n".join([f" - {u}" for u in custom_urls]) - - if apply_configure: - md += ( - "\n\n" - f"- Configure: **True** " - f"(jobs={bool_str_tf(configure_jobs)}, integrations={bool_str_tf(configure_integrations)}, " - f"lookups={bool_str_tf(configure_lookups)}, overwrite_lookup + + installed_pack_ids = fetch_installed_marketplace_pack_ids(using) + + if configure_integrations: + configure_integrations_from_xsoar_config( + xsoar_cfg=xsoar_cfg, + using=using, + retry_count=retry_count, + retry_sleep_seconds=retry_sleep_seconds, + installed_pack_ids=installed_pack_ids, + ) + + if configure_jobs: + configure_jobs_from_xsoar_config( + xsoar_cfg=xsoar_cfg, + using=using, + retry_count=retry_count, + retry_sleep_seconds=retry_sleep_seconds, + ) + + if configure_lookups: + configure_lookups_from_xsoar_config( + xsoar_cfg=xsoar_cfg, + using=using, + retry_count=retry_count, + retry_sleep_seconds=retry_sleep_seconds, + overwrite_lookup=overwrite_lookup, + ) + + msg = "Done." + if marketplace_errors: + msg += f"\nMarketplace errors: {len(marketplace_errors)} (see logs above)." + emit_progress(msg, stage="done") + + return_results( + { + "pack_id": pack_id, + "xsoar_config_url": xsoar_config_url, + "marketplace_errors": marketplace_errors, + } + ) + + if __name__ in ("__main__", "__builtin__", "builtins"): + main() type: python tags: - configuration @@ -446,11 +715,11 @@ args: - "True" - "False" description: Whether to install marketplace_packs from xsoar_config.json. - defaultValue: "False" + defaultValue: "True" - supportedModules: [] name: execution_timeout description: Timeout for the core installs and core-api REST calls. - defaultValue: "600" + defaultValue: "1200" - supportedModules: [] name: skip_verify auto: PREDEFINED @@ -514,6 +783,7 @@ args: defaultValue: "15" scripttarget: 0 subtype: python3 +timeout: 30m0s pswd: "" runonce: false dockerimage: demisto/python3:3.12.12.6796194 @@ -522,5 +792,3 @@ engineinfo: {} mainengineinfo: {} restrictioncenter: {} signature: "" -id: SOCFWPackManager -fromversion: 5.0.0 From c50af7084dffa956daa7c9c4e5b7cac667a221f4 Mon Sep 17 00:00:00 2001 From: Scott Brumley Date: Fri, 23 Jan 2026 08:23:05 -0500 Subject: [PATCH 19/49] - Attempting to install the market place Unit 42 package - Attempting to configure an instance --- Packs/soc-optimization/xsoar_config.json | 183 +++++++++++++++++++++++ 1 file changed, 183 insertions(+) diff --git a/Packs/soc-optimization/xsoar_config.json b/Packs/soc-optimization/xsoar_config.json index cfd0b70..6277dab 100644 --- a/Packs/soc-optimization/xsoar_config.json +++ b/Packs/soc-optimization/xsoar_config.json @@ -37,6 +37,11 @@ "id": "Whois", "name": "Whois", "version": "latest" + }, + { + "id": "Unit 42 Threat Intelligence by Palo Alto Networks", + "name": "Unit 42 Threat Intelligence by Palo Alto Networks", + "version": "latest" } ], "lookup_datasets": [ @@ -320,6 +325,184 @@ } ], "passwordProtected": false + }, + { + "version": 1, + "propagationLabels": [ + "all" + ], + "isOverridable": false, + "enabled": "true", + "name": "Unit 42 Intelligence", + "brand": "Unit 42 Intelligence", + "category": "Data Enrichment & Threat Intelligence", + "engine": "", + "engineGroup": "", + "isIntegrationScript": true, + "mappingId": "", + "outgoingMapperId": "", + "incomingMapperId": "", + "canSample": false, + "defaultIgnore": false, + "integrationLogLevel": "", + "configuration": { + "id": "", + "version": 0, + "cacheVersn": 0, + "modified": "0001-01-01T00:00:00Z", + "sizeInBytes": 0, + "packID": "", + "packName": "", + "itemVersion": "", + "fromServerVersion": "", + "toServerVersion": "", + "definitionId": "", + "isOverridable": false, + "vcShouldIgnore": false, + "vcShouldKeepItemLegacyProdMachine": false, + "commitMessage": "", + "shouldCommit": false, + "name": "", + "prevName": "", + "display": "", + "brand": "", + "category": "", + "icon": "", + "description": "", + "configuration": null, + "integrationScript": null, + "hidden": false, + "canGetSamples": false + }, + "data": [ + { + "section": "Connect", + "advanced": true, + "display": "Use system proxy settings", + "displayPassword": "", + "name": "proxy", + "defaultValue": "", + "type": 8, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "Effect the `ip` command and the other commands only if the Proxy URL is not set.", + "hasvalue": true, + "value": false + }, + { + "section": "Connect", + "advanced": true, + "display": "Proxy URL", + "displayPassword": "", + "name": "proxy_url", + "defaultValue": "", + "type": 0, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "Supports socks4/socks5/http connect proxies (e.g. socks5h://host:1080). Will effect all commands except for the `ip` command.", + "hasvalue": false, + "value": null + }, + { + "section": "Collect", + "advanced": true, + "display": "Suppress Rate Limit errors", + "displayPassword": "", + "name": "rate_limit_errors_suppressed", + "defaultValue": "false", + "type": 8, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "Whether Rate Limit errors should be supressed or not.", + "hasvalue": true, + "value": false + }, + { + "section": "Collect", + "advanced": true, + "display": "Rate Limit Retry Count", + "displayPassword": "", + "name": "rate_limit_retry_count", + "defaultValue": "0", + "type": 0, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "The number of times to try when getting a Rate Limit response.", + "hasvalue": true, + "value": "3" + }, + { + "section": "Collect", + "advanced": true, + "display": "Rate Limit Wait Seconds", + "displayPassword": "", + "name": "rate_limit_wait_seconds", + "defaultValue": "120", + "type": 0, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "The number of seconds to wait each iteration when getting a Rate Limit response.", + "hasvalue": true, + "value": "120" + }, + { + "section": "Connect", + "advanced": true, + "display": "Return Errors", + "displayPassword": "", + "name": "with_error", + "defaultValue": "", + "type": 8, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "If set, failed command results will be returned as warnings instead of errors.", + "hasvalue": true, + "value": false + }, + { + "section": "Collect", + "display": "Source Reliability", + "displayPassword": "", + "name": "integrationReliability", + "defaultValue": "B - Usually reliable", + "type": 15, + "required": true, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": [ + "A+ - 3rd party enrichment", + "A - Completely reliable", + "B - Usually reliable", + "C - Fairly reliable", + "D - Not usually reliable", + "E - Unreliable", + "F - Reliability cannot be judged" + ], + "info": "Reliability of the source providing the intelligence data.", + "hasvalue": true, + "value": "B - Usually reliable" + } + ], + "passwordProtected": false } ], "jobs": [ From 7c0983a5b7b6786747667f1e4f3acfa2cea9ed71 Mon Sep 17 00:00:00 2001 From: Scott Brumley Date: Fri, 23 Jan 2026 09:48:27 -0500 Subject: [PATCH 20/49] - Update to soc-optimization Unit 42 Integration Pack ID and Name --- Packs/soc-optimization/xsoar_config.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Packs/soc-optimization/xsoar_config.json b/Packs/soc-optimization/xsoar_config.json index 6277dab..619896c 100644 --- a/Packs/soc-optimization/xsoar_config.json +++ b/Packs/soc-optimization/xsoar_config.json @@ -39,7 +39,7 @@ "version": "latest" }, { - "id": "Unit 42 Threat Intelligence by Palo Alto Networks", + "id": "Unit42ThreatIntelligencebyPaloAltoNetworks", "name": "Unit 42 Threat Intelligence by Palo Alto Networks", "version": "latest" } @@ -334,7 +334,7 @@ "isOverridable": false, "enabled": "true", "name": "Unit 42 Intelligence", - "brand": "Unit 42 Intelligence", + "brand": "", "category": "Data Enrichment & Threat Intelligence", "engine": "", "engineGroup": "", From 597f3bb7946c223ac76c88b9148c085fec076253 Mon Sep 17 00:00:00 2001 From: Scott Brumley Date: Fri, 23 Jan 2026 10:11:28 -0500 Subject: [PATCH 21/49] - Update brand to create instance --- Packs/soc-optimization/xsoar_config.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Packs/soc-optimization/xsoar_config.json b/Packs/soc-optimization/xsoar_config.json index 619896c..3c523aa 100644 --- a/Packs/soc-optimization/xsoar_config.json +++ b/Packs/soc-optimization/xsoar_config.json @@ -334,7 +334,7 @@ "isOverridable": false, "enabled": "true", "name": "Unit 42 Intelligence", - "brand": "", + "brand": "Unit 42 Intelligence", "category": "Data Enrichment & Threat Intelligence", "engine": "", "engineGroup": "", From 882a766b180e80426351f58de053c5421926b07a Mon Sep 17 00:00:00 2001 From: Scott Brumley Date: Fri, 23 Jan 2026 10:44:05 -0500 Subject: [PATCH 22/49] - Fixing Integration Instance Name --- Packs/soc-optimization/xsoar_config.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Packs/soc-optimization/xsoar_config.json b/Packs/soc-optimization/xsoar_config.json index 3c523aa..df5c448 100644 --- a/Packs/soc-optimization/xsoar_config.json +++ b/Packs/soc-optimization/xsoar_config.json @@ -155,7 +155,7 @@ ], "isOverridable": false, "enabled": "true", - "name": "Whois_instance_1", + "name": "Whois_instance_SOCFW", "brand": "Whois", "category": "Data Enrichment & Threat Intelligence", "engine": "", @@ -333,7 +333,7 @@ ], "isOverridable": false, "enabled": "true", - "name": "Unit 42 Intelligence", + "name": "Unit_42_Intelligence_SOCFW", "brand": "Unit 42 Intelligence", "category": "Data Enrichment & Threat Intelligence", "engine": "", From 469d39388d2d25cc824bdd40fd306362358fc055 Mon Sep 17 00:00:00 2001 From: Scott Brumley Date: Fri, 23 Jan 2026 15:52:38 -0500 Subject: [PATCH 23/49] - Adding function to deal with long validation times - Adding filtering to list - Adding pre-config doc stop - Adding post-config doc print - Bump Revision number - Added new version number to Catalog --- .../Scripts/SOCFWPackManager.yml | 1278 ++++++++--------- .../soc-framework-manager/pack_metadata.json | 2 +- pack_catalog.json | 2 +- 3 files changed, 610 insertions(+), 672 deletions(-) diff --git a/Packs/soc-framework-manager/Scripts/SOCFWPackManager.yml b/Packs/soc-framework-manager/Scripts/SOCFWPackManager.yml index dbfa6db..8082f30 100644 --- a/Packs/soc-framework-manager/Scripts/SOCFWPackManager.yml +++ b/Packs/soc-framework-manager/Scripts/SOCFWPackManager.yml @@ -1,670 +1,516 @@ commonfields: id: e5c63c0b-e4ea-4928-8eed-5e51b9ad9ce8 - version: 57 + version: 86 vcShouldKeepItemLegacyProdMachine: false name: SOCFWPackManager -script: | - import json - import time - from typing import Any, Dict, List, Optional - - import requests - - # ============================================================ - # SOCFWPackManager (bootloader) - # - list: shows SOC Framework pack catalog (like your screenshot) - # - apply: resolves pack_id via secops-framework pack_catalog.json (not "manifest URL only") - # - marketplace install: uses XSIAMContentPackInstaller (Anna’s) when available - # - custom ZIP install: uses core-api-install-packs with file_url (NOT pack_url) - # - configure: runs your SOCFW* manager scripts (instances/jobs/lookups) - # ============================================================ - - SCRIPT_NAME = "SOCFWPackManager" - - # --------------------------- - # Basic Demisto helpers - # --------------------------- - - def get_error(res): - try: - return res[0].get("Contents") or res[0].get("HumanReadable") or str(res[0]) - except Exception: - return str(res) - - def is_error(res0): - try: - return bool(res0.get("Type") == 4) # entryTypes["error"] == 4 - except Exception: - return False - - def get_contents(res): - if not res or not isinstance(res, list) or not res[0]: - return {} - return res[0].get("Contents") or {} - - def arg_to_bool(val, default=False) -> bool: - if val is None: - return default - if isinstance(val, bool): - return val - s = str(val).strip().lower() - if s == "": - return default - return s in ("true", "1", "yes", "y", "on") - - def to_int(val, default: int) -> int: - try: - return int(val) - except Exception: - return default - - def bool_str_tf(val: bool) -> str: - return "True" if bool(val) else "False" - - def is_timeout_error(err_text: str) -> bool: - if not err_text: - return False - t = err_text.lower() - return ( - "timeout" in t - or "timed out" in t - or "read timed out" in t - or "request timed out" in t - or "context deadline exceeded" in t - ) - - def emit_progress(message: str, stage: Optional[str] = None): - title = f"{SCRIPT_NAME} β€” {stage}" if stage else SCRIPT_NAME - demisto.results( - { - "Type": 1, - "ContentsFormat": "markdown", - "Contents": message, - "HumanReadable": f"### {title}\n{message}", - } - ) - - def exec_cmd(command: str, args: Dict[str, Any], fail_on_error: bool = True): - res = demisto.executeCommand(command, args) - if not res: - if fail_on_error: - raise Exception(f"{command} returned empty response") - return res - if is_error(res[0]): - if fail_on_error: - raise Exception(get_error(res)) - return res - return res - - def exec_with_retry( - command: str, - args: Dict[str, Any], - retry_count: int, - retry_sleep_seconds: int, - context_for_error: str, - fail_on_error: bool = True, - ): - last_err = None - for attempt in range(1, max(1, retry_count) + 1): - try: - return exec_cmd(command, args, fail_on_error=fail_on_error) - except Exception as e: - last_err = str(e) - if attempt >= retry_count: - break - # retry on timeouts, otherwise still retry after sleep (tenant flakiness) - time.sleep(max(1, retry_sleep_seconds)) - continue - if fail_on_error: - raise Exception(f"{context_for_error}\nError: {last_err}") - return None - - # --------------------------- - # Core API wrappers - # --------------------------- - - def core_api_get(path: str, using: str = "", execution_timeout: int = 600) -> Dict[str, Any]: - args = {"uri": path, "execution-timeout": str(execution_timeout)} - if using: - args["using"] = using - res = exec_cmd("core-api-get", args) - return get_contents(res) or {} - - def core_api_post(path: str, body: Any, using: str = "", execution_timeout: int = 600) -> Dict[str, Any]: - args = {"uri": path, "body": json.dumps(body if body is not None else {}), "execution-timeout": str(execution_timeout)} - if using: - args["using"] = using - res = exec_cmd("core-api-post", args) - return get_contents(res) or {} - - # --------------------------- - # HTTP JSON helpers - # --------------------------- - - def http_get_json(url: str, timeout: int = 30) -> Any: - r = requests.get(url, timeout=timeout) - r.raise_for_status() - return r.json() - - # --------------------------- - # Catalog + Manifest resolver (RESTORED) - # --------------------------- - - DEFAULT_CATALOG_URL = "https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/pack_catalog.json" - - def fetch_pack_catalog(catalog_url: str = DEFAULT_CATALOG_URL) -> Dict[str, Any]: - data = http_get_json(catalog_url) - if not isinstance(data, dict): - raise Exception(f"pack_catalog.json unexpected format at {catalog_url}") - return data - - def find_pack_in_catalog(catalog: Dict[str, Any], pack_id: str) -> Optional[Dict[str, Any]]: - packs = catalog.get("packs") or catalog.get("Packs") or catalog.get("items") or [] - if not isinstance(packs, list): - return None - for p in packs: - if isinstance(p, dict) and (p.get("id") == pack_id): - return p - return None - - def resolve_manifest(pack_id: str, include_hidden: bool) -> Dict[str, Any]: - """ - Restored behavior: - - If pack_id is a URL -> treat it as a manifest JSON URL - - Else -> resolve using secops-framework pack_catalog.json + standard repo conventions - """ - if pack_id.startswith("http://") or pack_id.startswith("https://"): - return http_get_json(pack_id) - - catalog = fetch_pack_catalog(DEFAULT_CATALOG_URL) - pack = find_pack_in_catalog(catalog, pack_id) - if not pack: - raise Exception(f"Pack '{pack_id}' not found in pack_catalog.json") - - visible = bool(pack.get("visible", True)) - if (not include_hidden) and (not visible): - # still allow apply for hidden packs if user explicitly provides it - # but list will hide it. For apply, we won’t block. - pass - - version = (pack.get("version") or "").strip() - if not version: - raise Exception(f"Pack '{pack_id}' missing version in pack_catalog.json") - - # Standard conventions you’ve been using: - # - xsoar_config.json lives in Packs/{pack_id}/xsoar_config.json on main - xsoar_config_url = f"https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/Packs/{pack_id}/xsoar_config.json" - - # - release ZIP asset/tag is {pack_id}-v{version}/{pack_id}-v{version}.zip - release_tag = f"{pack_id}-v{version}" - zip_url = f"https://github.com/Palo-Cortex/secops-framework/releases/download/{release_tag}/{release_tag}.zip" - - # If you need pack-specific marketplace dependencies later, add them to catalog and read them here. - # For now keep your known baseline behavior for soc-optimization. - marketplace_packs = [ - {"id": "Base", "version": "latest"}, - {"id": "CommonScripts", "version": "latest"}, - {"id": "CommonPlaybooks", "version": "latest"}, - {"id": "DemistoRESTAPI", "version": "latest"}, - {"id": "Whois", "version": "latest"}, - ] - - return { - "marketplace_packs": marketplace_packs, - "custom_zip_urls": [{"url": zip_url, "name": release_tag}], - "xsoar_config_url": xsoar_config_url, - "pack_catalog_entry": pack, - "pack_version": version, - } - - # --------------------------- - # list action (RESTORED like screenshot) - # --------------------------- - - def do_list(args: Dict[str, Any]): - using = (args.get("using") or "").strip() - include_hidden = arg_to_bool(args.get("include_hidden"), False) - - emit_progress("Fetching catalog…", stage="list") - - catalog = fetch_pack_catalog(DEFAULT_CATALOG_URL) - packs = catalog.get("packs") or catalog.get("Packs") or catalog.get("items") or [] - if not isinstance(packs, list): - raise Exception("pack_catalog.json is missing 'packs' list") - - rows = [] - for p in packs: - if not isinstance(p, dict): - continue - visible = bool(p.get("visible", True)) - if (not include_hidden) and (not visible): - continue - rows.append( - { - "id": p.get("id", ""), - "display_name": p.get("display_name") or p.get("name") or "", - "version": p.get("version", ""), - "visible": str(visible).lower(), - "path": p.get("path") or f"Packs/{p.get('id','')}", - } - ) - - rows.sort(key=lambda x: (x["id"] or "")) - - # Render markdown table (matches your screenshot format) - header = "SOC Framework Pack Catalog\n\nAvailable Packs\n" - table = "| id | display_name | version | visible | path |\n|---|---|---:|---:|---|\n" - for r in rows: - table += f'| {r["id"]} | {r["display_name"]} | {r["version"]} | {r["visible"]} | {r["path"]} |\n' - - emit_progress( - f"using: {(using or '(default)')}\ninclude_hidden: {include_hidden}\n\n{header}\n{table}", - stage="list", - ) - return - - # --------------------------- - # Marketplace install (USE ANNA’S SCRIPT) - # --------------------------- - - def install_marketplace_packs( - marketplace_packs: List[Dict[str, str]], - using: str, - retry_count: int, - retry_sleep_seconds: int, - ) -> Dict[str, Any]: - emit_progress( - "Installing marketplace packs via **XSIAMContentPackInstaller**…\n" - + "\n".join([f'{p.get("id")} @ {p.get("version")}' for p in marketplace_packs]), - stage="packs.marketplace", - ) - - args = { - "packs_data": marketplace_packs, - "pack_id_key": "id", - "pack_version_key": "version", - "install_dependencies": "true", - } - if using: - args["using"] = using - - res = exec_with_retry( - "XSIAMContentPackInstaller", - args, - retry_count=retry_count, - retry_sleep_seconds=retry_sleep_seconds, - context_for_error="Failed installing marketplace packs via XSIAMContentPackInstaller", - fail_on_error=True, - ) - return get_contents(res) if res else {} - - def fetch_installed_marketplace_pack_ids(using: str) -> List[str]: - try: - r = core_api_get("/contentpacks/metadata/installed", using=using) - packs = (r.get("response") or []) if isinstance(r, dict) else [] - ids = [] - for p in packs: - pid = p.get("id") - if pid: - ids.append(pid) - return ids - except Exception: - return [] - - # --------------------------- - # xsoar_config - # --------------------------- - - def fetch_xsoar_config(xsoar_config_url: str) -> Dict[str, Any]: - data = http_get_json(xsoar_config_url) - if not isinstance(data, dict): - raise Exception(f"xsoar_config.json unexpected format at {xsoar_config_url}") - return data - - # --------------------------- - # Custom packs install (FIXED: file_url, NOT pack_url) - # --------------------------- - - def install_custom_pack_zip(url: str, using: str, execution_timeout: int, retry_count: int, retry_sleep_seconds: int): - args = {"file_url": url, "execution-timeout": str(max(1200, execution_timeout))} - if using: - args["using"] = using - - exec_with_retry( - "core-api-install-packs", - args, - retry_count=retry_count, - retry_sleep_seconds=retry_sleep_seconds, - context_for_error=f"Failed installing custom pack ZIP: {url}", - fail_on_error=True, - ) - - # --------------------------- - # Configure (jobs / integrations / lookups) - # --------------------------- - - def configure_integrations_from_xsoar_config( - xsoar_cfg: Dict[str, Any], - using: str, - retry_count: int, - retry_sleep_seconds: int, - installed_pack_ids: List[str], - ): - emit_progress("Configuring integration instances…", stage="configure.integrations") - - for inst in xsoar_cfg.get("integration_instances", []) or []: - if not isinstance(inst, dict): - continue - - name = (inst.get("name") or "").strip() - if not name: - continue - - required_pack = ( - (inst.get("required_pack_id") or inst.get("marketplace_pack") or inst.get("pack_id") or "").strip() - ) - if required_pack and required_pack not in installed_pack_ids: - emit_progress( - f"Skipping integration instance **{name}** β€” marketplace pack **{required_pack}** not installed.", - stage="configure.integrations", - ) - continue - - emit_progress(f"Configuring integration instance: **{name}**", stage="configure.integrations") - - cmd_args = { - "integration_instance_name": name, - "integration_instance_data": json.dumps(inst), - } - if using: - cmd_args["using"] = using - - res = exec_with_retry( - "SOCFWIntegrationInstanceManager", - cmd_args, - retry_count=retry_count, - retry_sleep_seconds=retry_sleep_seconds, - context_for_error=f"Failed configuring integration instance: {name}", - fail_on_error=True, - ) - - try: - c = get_contents(res) - emit_progress( - f"Integration instance **{name}** result: Contents keys: {list((c or {}).keys())}", - stage="configure.integrations.result", - ) - except Exception: - pass - - def configure_jobs_from_xsoar_config( - xsoar_cfg: Dict[str, Any], - using: str, - retry_count: int, - retry_sleep_seconds: int, - ): - emit_progress("Configuring jobs…", stage="configure.jobs") - - for job in xsoar_cfg.get("jobs", []) or []: - if not isinstance(job, dict): - continue - - name = (job.get("name") or job.get("job_name") or "").strip() - if not name: - continue - - emit_progress(f"Configuring job: **{name}**", stage="configure.jobs") - - cmd_args = { - "job_name": name, - "job_data": json.dumps(job), - } - if using: - cmd_args["using"] = using - - res = exec_with_retry( - "SOCFWJobManager", - cmd_args, - retry_count=retry_count, - retry_sleep_seconds=retry_sleep_seconds, - context_for_error=f"Failed configuring job: {name}", - fail_on_error=True, - ) - - try: - c = get_contents(res) - emit_progress( - f"Job **{name}** result: Contents keys: {list((c or {}).keys())}", - stage="configure.jobs.result", - ) - except Exception: - pass - - def configure_lookups_from_xsoar_config( - xsoar_cfg: Dict[str, Any], - using: str, - retry_count: int, - retry_sleep_seconds: int, - overwrite_lookup: bool, - ): - emit_progress("Configuring lookup datasets…", stage="configure.lookups") - - for ds in xsoar_cfg.get("lookup_datasets", []) or []: - if not isinstance(ds, dict): - continue - - name = (ds.get("name") or ds.get("dataset_name") or "").strip() - if not name: - continue - - emit_progress(f"Configuring lookup dataset: **{name}**", stage="configure.lookups") - - cmd_args = { - "lookup_dataset_name": name, - "lookup_dataset_data": json.dumps(ds), - "overwrite_lookup": bool_str_tf(overwrite_lookup), - } - if using: - cmd_args["using"] = using - - res = exec_with_retry( - "SOCFWLookupManager", - cmd_args, - retry_count=retry_count, - retry_sleep_seconds=retry_sleep_seconds, - context_for_error=f"Failed configuring lookup dataset: {name}", - fail_on_error=True, - ) - - try: - c = get_contents(res) - emit_progress( - f"Lookup **{name}** result: Contents keys: {list((c or {}).keys())}", - stage="configure.lookups.result", - ) - except Exception: - pass - - # --------------------------- - # Main - # --------------------------- - - def main(): - args = demisto.args() - - action = (args.get("action") or "apply").strip().lower() - pack_id = (args.get("pack_id") or "").strip() - include_hidden = arg_to_bool(args.get("include_hidden"), False) - dry_run = arg_to_bool(args.get("dry_run"), False) - - install_marketplace_flag = arg_to_bool(args.get("install_marketplace"), True) - apply_configure = arg_to_bool(args.get("apply_configure"), True) - configure_jobs = arg_to_bool(args.get("configure_jobs"), True) - configure_integrations = arg_to_bool(args.get("configure_integrations"), True) - configure_lookups = arg_to_bool(args.get("configure_lookups"), True) - overwrite_lookup = arg_to_bool(args.get("overwrite_lookup"), False) - - retry_count = to_int(args.get("retry_count"), 5) - retry_sleep_seconds = to_int(args.get("retry_sleep_seconds"), 15) - using = (args.get("using") or "").strip() - execution_timeout = to_int(args.get("execution_timeout"), 1200) - - fail_on_marketplace_errors = arg_to_bool(args.get("fail_on_marketplace_errors"), False) - - if action not in ("apply", "list"): - raise Exception(f"Unsupported action: {action}") - - if action == "list": - return do_list(args) - - if not pack_id: - raise Exception("pack_id is required for action=apply") - - emit_progress( - "\n".join( - [ - f"Starting {action} for {pack_id}", - f"include_hidden={include_hidden}", - f"dry_run={dry_run}", - f"install_marketplace={install_marketplace_flag}", - f"apply_configure={apply_configure} (jobs={configure_jobs}, integrations={configure_integrations}, lookups={configure_lookups})", - f"overwrite_lookup={overwrite_lookup}", - f"retries={retry_count}, retry_sleep_seconds={retry_sleep_seconds}", - f"using={(using or '(default)')}", - f"execution_timeout={execution_timeout}", - f"fail_on_marketplace_errors={fail_on_marketplace_errors}", - ] - ), - stage="start", - ) - - emit_progress("Resolving install manifest…", stage="manifest") - manifest = resolve_manifest(pack_id, include_hidden=include_hidden) - - marketplace_packs = manifest.get("marketplace_packs") or [] - custom_zip_urls = manifest.get("custom_zip_urls") or [] - xsoar_config_url = manifest.get("xsoar_config_url") or "" - - emit_progress( - "\n".join( - [ - "Manifest resolved.", - f"marketplace_packs: {len(marketplace_packs)}", - f"custom ZIP URLs: {len(custom_zip_urls)}", - f"xsoar_config_url: {xsoar_config_url or '(none)'}", - ] - ), - stage="manifest.summary", - ) - - xsoar_cfg = {} - if xsoar_config_url: - emit_progress("Fetching xsoar_config.json…", stage="xsoar_config.fetch") - xsoar_cfg = fetch_xsoar_config(xsoar_config_url) or {} - emit_progress( - "\n".join( - [ - "xsoar_config loaded.", - f"integration_instances: {len(xsoar_cfg.get('integration_instances', []) or [])}", - f"jobs: {len(xsoar_cfg.get('jobs', []) or [])}", - f"lookup_datasets: {len(xsoar_cfg.get('lookup_datasets', []) or [])}", - ] - ), - stage="xsoar_config.summary", - ) - - if dry_run: - emit_progress("dry_run=True β€” not installing or configuring anything.", stage="done") - return - - marketplace_errors: List[str] = [] - if install_marketplace_flag and marketplace_packs: - # normalize - mp = [] - for p in marketplace_packs: - if isinstance(p, dict) and p.get("id"): - mp.append({"id": p.get("id"), "version": p.get("version", "latest")}) - try: - install_marketplace_packs(mp, using, retry_count, retry_sleep_seconds) - except Exception as e: - marketplace_errors.append(str(e)) - emit_progress(f"Marketplace install failed.\nError: {e}", stage="packs.marketplace.error") - if fail_on_marketplace_errors: - raise - - if custom_zip_urls: - emit_progress("Installing custom pack ZIPs…", stage="packs.custom") - for item in custom_zip_urls: - url = None - label = None - if isinstance(item, str): - url = item - label = item - elif isinstance(item, dict): - url = item.get("url") or item.get("zip_url") - label = item.get("name") or url - if not url: - continue - emit_progress(f"Installing custom pack ZIP: **{label}**", stage="packs.custom") - install_custom_pack_zip(url, using, execution_timeout, retry_count, retry_sleep_seconds) - - if apply_configure and xsoar_cfg: - emit_progress("Configuring from xsoar_config…", stage="configure") - emit_progress( - "\n".join( - [ - "Configure plan from xsoar_config.json:", - f"integration_instances: {len(xsoar_cfg.get('integration_instances', []) or [])}", - f"jobs: {len(xsoar_cfg.get('jobs', []) or [])}", - f"lookup_datasets: {len(xsoar_cfg.get('lookup_datasets', []) or [])}", - ] - ), - stage="configure.plan", - ) - - installed_pack_ids = fetch_installed_marketplace_pack_ids(using) - - if configure_integrations: - configure_integrations_from_xsoar_config( - xsoar_cfg=xsoar_cfg, - using=using, - retry_count=retry_count, - retry_sleep_seconds=retry_sleep_seconds, - installed_pack_ids=installed_pack_ids, - ) - - if configure_jobs: - configure_jobs_from_xsoar_config( - xsoar_cfg=xsoar_cfg, - using=using, - retry_count=retry_count, - retry_sleep_seconds=retry_sleep_seconds, - ) - - if configure_lookups: - configure_lookups_from_xsoar_config( - xsoar_cfg=xsoar_cfg, - using=using, - retry_count=retry_count, - retry_sleep_seconds=retry_sleep_seconds, - overwrite_lookup=overwrite_lookup, - ) - - msg = "Done." - if marketplace_errors: - msg += f"\nMarketplace errors: {len(marketplace_errors)} (see logs above)." - emit_progress(msg, stage="done") - - return_results( - { - "pack_id": pack_id, - "xsoar_config_url": xsoar_config_url, - "marketplace_errors": marketplace_errors, - } - ) - - if __name__ in ("__main__", "__builtin__", "builtins"): - main() +script: "import json\nimport time\nfrom typing import Any, Dict, List, Optional\n\nimport + requests\n\n# ============================================================\n# SOCFWPackManager + (bootloader)\n# - list: shows SOC Framework pack catalog (now supports paging/filtering)\n# + - apply: resolves pack_id via secops-framework pack_catalog.json\n# - marketplace + install: uses XSIAMContentPackInstaller (Anna’s) when available\n# - custom ZIP + install: uses core-api-install-packs with file_url (NOT pack_url)\n# - configure: + runs your SOCFW* manager scripts (jobs/lookups)\n#\n# FIX:\n# - Create integration + instances directly via core-api-put to\n# /xsoar/public/v1/settings/integration\n# + - Treat \"already exists (33)\" as success so reruns are idempotent.\n#\n# CHANGE:\n# + - Reduce logging by default + debug flag\n# - Fix Trend/large pack uploads by:\n# + \ - honoring skip_verify/skip_validation args\n# - adding install_timeout (default + 3600s) for core-api-install-packs\n# - if upload call times out: poll until pack + shows installed, then continue\n# - LOUD pre_config_docs + post_config_docs (+ optional + README previews)\n# - NEW: pre-config gate (default ON): print PRE docs then STOP + unless pre_config_done=true\n# - NEW: POST docs printed as the VERY LAST War Room + entry (after return_results)\n# ============================================================\n\nSCRIPT_NAME + = \"SOCFWPackManager\"\n\n# ---------------------------\n# Basic helpers\n# ---------------------------\n\ndef + _norm(s: Any) -> str:\n return (str(s) if s is not None else \"\").strip()\n\ndef + _to_lower(s: Any) -> str:\n return _norm(s).lower()\n\ndef _parse_csv(val: Any) + -> List[str]:\n s = _norm(val)\n if not s:\n return []\n return + [x.strip() for x in s.split(\",\") if x.strip()]\n\ndef _safe_sort_key(row: Dict[str, + Any], key: str) -> str:\n return _norm(row.get(key, \"\")).lower()\n\n# ---------------------------\n# + Demisto helpers\n# ---------------------------\n\ndef get_error(res):\n try:\n + \ return res[0].get(\"Contents\") or res[0].get(\"HumanReadable\") or str(res[0])\n + \ except Exception:\n return str(res)\n\ndef is_error(res0):\n try:\n + \ return bool(res0.get(\"Type\") == 4) # entryTypes[\"error\"] == 4\n except + Exception:\n return False\n\ndef get_contents(res):\n if not res or not + isinstance(res, list) or not res[0]:\n return {}\n return res[0].get(\"Contents\") + or {}\n\ndef arg_to_bool(val, default=False) -> bool:\n if val is None:\n return + default\n if isinstance(val, bool):\n return val\n s = str(val).strip().lower()\n + \ if s == \"\":\n return default\n return s in (\"true\", \"1\", \"yes\", + \"y\", \"on\")\n\ndef to_int(val, default: int) -> int:\n try:\n return + int(val)\n except Exception:\n return default\n\ndef bool_str_tf(val: + bool) -> str:\n return \"True\" if bool(val) else \"False\"\n\ndef is_timeout_error(err_text: + str) -> bool:\n if not err_text:\n return False\n t = err_text.lower()\n + \ return (\n \"timeout\" in t\n or \"timed out\" in t\n or + \"read timed out\" in t\n or \"request timed out\" in t\n or \"context + deadline exceeded\" in t\n or \"client.timeout exceeded\" in t\n or + \"awaiting headers\" in t\n or \"context deadline exceeded (client.timeout + exceeded while awaiting headers)\" in t\n )\n\ndef emit_progress(message: str, + stage: Optional[str] = None):\n title = f\"{SCRIPT_NAME} β€” {stage}\" if stage + else SCRIPT_NAME\n demisto.results(\n {\n \"Type\": 1,\n \"ContentsFormat\": + \"markdown\",\n \"Contents\": message,\n \"HumanReadable\": + f\"### {title}\\n{message}\",\n }\n )\n\ndef log(message: str, stage: + Optional[str], debug: bool, always: bool = False):\n if always or debug:\n emit_progress(message, + stage=stage)\n\ndef exec_cmd(command: str, args: Dict[str, Any], fail_on_error: + bool = True):\n res = demisto.executeCommand(command, args)\n if not res:\n + \ if fail_on_error:\n raise Exception(f\"{command} returned empty + response\")\n return res\n if is_error(res[0]):\n if fail_on_error:\n + \ raise Exception(get_error(res))\n return res\n return res\n\ndef + exec_with_retry(\n command: str,\n args: Dict[str, Any],\n retry_count: + int,\n retry_sleep_seconds: int,\n context_for_error: str,\n fail_on_error: + bool = True,\n):\n last_err = None\n for attempt in range(1, max(1, retry_count) + + 1):\n try:\n return exec_cmd(command, args, fail_on_error=fail_on_error)\n + \ except Exception as e:\n last_err = str(e)\n if attempt + >= retry_count:\n break\n time.sleep(max(1, retry_sleep_seconds))\n + \ continue\n if fail_on_error:\n raise Exception(f\"{context_for_error}\\nError: + {last_err}\")\n return None\n\ndef is_instance_already_exists_error(err_text: + str) -> bool:\n if not err_text:\n return False\n return \"already + exists (33)\" in err_text.lower()\n\n# ---------------------------\n# Pre/Post docs + helpers (LOUD + optional content)\n# ---------------------------\n\ndef _md_link(name: + str, url: str) -> str:\n n = (name or \"\").strip() or url\n u = (url or \"\").strip()\n + \ if not u:\n return f\"- {n}\"\n return f\"- [{n}]({u})\"\n\ndef _github_blob_to_raw(url: + str) -> str:\n \"\"\"\n Convert:\n https://github.com/org/repo/blob/branch/path/file.md\n + \ To:\n https://raw.githubusercontent.com/org/repo/branch/path/file.md\n + \ If it's already a raw URL, return as-is.\n \"\"\"\n u = (url or \"\").strip()\n + \ if not u:\n return u\n if \"raw.githubusercontent.com\" in u:\n return + u\n if u.startswith(\"https://github.com/\") and \"/blob/\" in u:\n rest + = u[len(\"https://github.com/\"):]\n parts = rest.split(\"/\")\n if + len(parts) >= 5 and parts[2] == \"blob\":\n org = parts[0]\n repo + = parts[1]\n branch = parts[3]\n path = \"/\".join(parts[4:])\n + \ return f\"https://raw.githubusercontent.com/{org}/{repo}/{branch}/{path}\"\n + \ return u\n\ndef _fetch_text(url: str, timeout: int = 20) -> str:\n r = requests.get(url, + timeout=timeout)\n r.raise_for_status()\n return r.text or \"\"\n\ndef _truncate_text(s: + str, max_chars: int, max_lines: int) -> str:\n if not s:\n return \"\"\n + \ lines = s.splitlines()\n if max_lines and len(lines) > max_lines:\n lines + = lines[:max_lines]\n s = \"\\n\".join(lines) + \"\\n\\n... (truncated by + max_lines) ...\"\n if max_chars and len(s) > max_chars:\n s = s[:max_chars] + + \"\\n\\n... (truncated by max_chars) ...\"\n return s\n\ndef has_config_docs(xsoar_cfg: + Dict[str, Any], when: str) -> bool:\n key = \"pre_config_docs\" if when == \"pre\" + else \"post_config_docs\"\n docs = xsoar_cfg.get(key) or []\n if not isinstance(docs, + list):\n return False\n for d in docs:\n if isinstance(d, dict) + and _norm(d.get(\"url\") or d.get(\"name\")):\n return True\n if + isinstance(d, str) and _norm(d):\n return True\n return False\n\ndef + print_config_docs(\n xsoar_cfg: Dict[str, Any],\n when: str,\n debug: bool,\n + \ include_doc_content: bool = False,\n doc_content_max_chars: int = 6000,\n + \ doc_content_max_lines: int = 200,\n):\n \"\"\"\n when: \"pre\" or \"post\"\n + \ Prints docs listed in xsoar_config.json:\n pre_config_docs: [{name,url}, + ...]\n post_config_docs: [{name,url}, ...]\n If include_doc_content=True + (or debug=True), fetches and embeds doc text (truncated).\n \"\"\"\n key = + \"pre_config_docs\" if when == \"pre\" else \"post_config_docs\"\n docs = xsoar_cfg.get(key) + or []\n if not isinstance(docs, list) or not docs:\n log(f\"No {key} found + in xsoar_config.json.\", stage=f\"docs.{when}\", debug=debug)\n return\n\n + \ banner_title = \"\U0001F6A7 PRE-INSTALL / PRE-CONFIG REQUIRED STEPS\" if when + == \"pre\" else \"βœ… POST-INSTALL / POST-CONFIG MANUAL STEPS\"\n banner_sub = + (\n \"_These docs usually contain prerequisites / manual steps you must complete + BEFORE install._\"\n if when == \"pre\"\n else \"_These docs usually + contain manual follow-ups and validation steps AFTER completion._\"\n )\n\n banner + = \"\\n\".join([\"---\", f\"## {banner_title}\", banner_sub, \"---\"])\n\n link_lines: + List[str] = []\n normalized_docs: List[Dict[str, str]] = []\n for d in docs:\n + \ if isinstance(d, dict):\n name = _norm(d.get(\"name\") or \"\")\n + \ url = _norm(d.get(\"url\") or \"\")\n if url or name:\n link_lines.append(_md_link(name, + url))\n normalized_docs.append({\"name\": name or url, \"url\": url})\n + \ elif isinstance(d, str):\n s = _norm(d)\n if s:\n + \ link_lines.append(f\"- {s}\")\n normalized_docs.append({\"name\": + s, \"url\": s})\n\n if not link_lines:\n log(f\"No valid entries in {key}.\", + stage=f\"docs.{when}\", debug=debug)\n return\n\n want_content = bool(include_doc_content + or debug)\n\n body: List[str] = [banner, \"### Links\", *link_lines]\n\n if + want_content and normalized_docs:\n body += [\"\", \"### Doc contents (preview)\", + \"_Showing a truncated preview._\", \"\"]\n\n for d in normalized_docs:\n + \ name = d.get(\"name\") or \"\"\n url = d.get(\"url\") or + \"\"\n raw_url = _github_blob_to_raw(url)\n try:\n text + = _fetch_text(raw_url, timeout=20)\n text = _truncate_text(text, + max_chars=doc_content_max_chars, max_lines=doc_content_max_lines)\n\n body.append(\n + \ \"\\n\".join(\n [\n \"
\",\n + \ f\"{name} (click to expand)\",\n + \ \"\",\n \"```markdown\",\n + \ text,\n \"```\",\n \"\",\n + \ f\"_Source: {raw_url}_\",\n \"
\",\n + \ \"\",\n ]\n )\n + \ )\n except Exception as e:\n body.append(f\"- + **{name}**: could not fetch preview ({e})\")\n\n emit_progress(\"\\n\".join(body), + stage=f\"docs.{when}\")\n\n# ---------------------------\n# Core API wrappers\n# + ---------------------------\n\ndef core_api_get(path: str, using: str = \"\", execution_timeout: + int = 600) -> Dict[str, Any]:\n args = {\"uri\": path, \"execution-timeout\": + str(execution_timeout)}\n if using:\n args[\"using\"] = using\n res + = exec_cmd(\"core-api-get\", args)\n return get_contents(res) or {}\n\ndef core_api_post(path: + str, body: Any, using: str = \"\", execution_timeout: int = 600) -> Dict[str, Any]:\n + \ args = {\"uri\": path, \"body\": json.dumps(body if body is not None else {}), + \"execution-timeout\": str(execution_timeout)}\n if using:\n args[\"using\"] + = using\n res = exec_cmd(\"core-api-post\", args)\n return get_contents(res) + or {}\n\ndef core_api_put(path: str, body: Any, using: str = \"\", execution_timeout: + int = 600) -> Dict[str, Any]:\n args = {\"uri\": path, \"body\": json.dumps(body + if body is not None else {}), \"execution-timeout\": str(execution_timeout)}\n if + using:\n args[\"using\"] = using\n res = exec_cmd(\"core-api-put\", args)\n + \ return get_contents(res) or {}\n\n# ---------------------------\n# HTTP JSON + helpers\n# ---------------------------\n\ndef http_get_json(url: str, timeout: int + = 30) -> Any:\n r = requests.get(url, timeout=timeout)\n r.raise_for_status()\n + \ return r.json()\n\n# ---------------------------\n# Catalog + Manifest resolver\n# + ---------------------------\n\nDEFAULT_CATALOG_URL = \"https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/pack_catalog.json\"\n\ndef + fetch_pack_catalog(catalog_url: str = DEFAULT_CATALOG_URL) -> Dict[str, Any]:\n + \ data = http_get_json(catalog_url)\n if not isinstance(data, dict):\n raise + Exception(f\"pack_catalog.json unexpected format at {catalog_url}\")\n return + data\n\ndef find_pack_in_catalog(catalog: Dict[str, Any], pack_id: str) -> Optional[Dict[str, + Any]]:\n packs = catalog.get(\"packs\") or catalog.get(\"Packs\") or catalog.get(\"items\") + or []\n if not isinstance(packs, list):\n return None\n for p in packs:\n + \ if isinstance(p, dict) and (p.get(\"id\") == pack_id):\n return + p\n return None\n\ndef resolve_manifest(pack_id: str, include_hidden: bool) -> + Dict[str, Any]:\n if pack_id.startswith(\"http://\") or pack_id.startswith(\"https://\"):\n + \ return http_get_json(pack_id)\n\n catalog = fetch_pack_catalog(DEFAULT_CATALOG_URL)\n + \ pack = find_pack_in_catalog(catalog, pack_id)\n if not pack:\n raise + Exception(f\"Pack '{pack_id}' not found in pack_catalog.json\")\n\n visible = + bool(pack.get(\"visible\", True))\n if (not include_hidden) and (not visible):\n + \ # Back-compat: allow resolution; list hides it unless include_hidden=True\n + \ pass\n\n version = (pack.get(\"version\") or \"\").strip()\n if not + version:\n raise Exception(f\"Pack '{pack_id}' missing version in pack_catalog.json\")\n\n + \ xsoar_config_url = f\"https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/Packs/{pack_id}/xsoar_config.json\"\n + \ release_tag = f\"{pack_id}-v{version}\"\n zip_url = f\"https://github.com/Palo-Cortex/secops-framework/releases/download/{release_tag}/{release_tag}.zip\"\n\n + \ marketplace_packs = [\n {\"id\": \"Base\", \"version\": \"latest\"},\n + \ {\"id\": \"CommonScripts\", \"version\": \"latest\"},\n {\"id\": + \"CommonPlaybooks\", \"version\": \"latest\"},\n {\"id\": \"DemistoRESTAPI\", + \"version\": \"latest\"},\n {\"id\": \"Whois\", \"version\": \"latest\"},\n + \ ]\n\n return {\n \"marketplace_packs\": marketplace_packs,\n \"custom_zip_urls\": + [{\"url\": zip_url, \"name\": release_tag}],\n \"xsoar_config_url\": xsoar_config_url,\n + \ \"pack_catalog_entry\": pack,\n \"pack_version\": version,\n }\n\n# + ---------------------------\n# list action (filter + paging)\n# ---------------------------\n\ndef + do_list(args: Dict[str, Any]):\n using = _norm(args.get(\"using\") or \"\")\n + \ include_hidden = arg_to_bool(args.get(\"include_hidden\"), False)\n\n # list + args\n text_filter = _to_lower(args.get(\"filter\") or args.get(\"q\") or \"\")\n + \ visible_only = arg_to_bool(args.get(\"visible_only\"), True)\n limit = max(1, + to_int(args.get(\"limit\"), 50))\n offset = max(0, to_int(args.get(\"offset\"), + 0))\n sort_by = (_norm(args.get(\"sort_by\")) or \"id\").strip()\n sort_dir + = (_norm(args.get(\"sort_dir\")) or \"asc\").strip().lower()\n fields = _parse_csv(args.get(\"fields\")) + or [\"id\", \"display_name\", \"version\", \"visible\", \"path\"]\n show_total + = arg_to_bool(args.get(\"show_total\"), True)\n\n emit_progress(\"Fetching catalog…\", + stage=\"list\")\n\n catalog = fetch_pack_catalog(DEFAULT_CATALOG_URL)\n packs + = catalog.get(\"packs\") or catalog.get(\"Packs\") or catalog.get(\"items\") or + []\n if not isinstance(packs, list):\n raise Exception(\"pack_catalog.json + is missing 'packs' list\")\n\n rows: List[Dict[str, Any]] = []\n for p in + packs:\n if not isinstance(p, dict):\n continue\n\n visible + = bool(p.get(\"visible\", True))\n\n if (not include_hidden) and (not visible):\n + \ continue\n if visible_only and (not visible):\n continue\n\n + \ row = {\n \"id\": p.get(\"id\", \"\"),\n \"display_name\": + p.get(\"display_name\") or p.get(\"name\") or \"\",\n \"version\": p.get(\"version\", + \"\"),\n \"visible\": str(visible).lower(),\n \"path\": p.get(\"path\") + or f\"Packs/{p.get('id','')}\",\n }\n\n if text_filter:\n hay + = \" \".join([_to_lower(row.get(\"id\")), _to_lower(row.get(\"display_name\")), + _to_lower(row.get(\"path\"))])\n if text_filter not in hay:\n continue\n\n + \ rows.append(row)\n\n total = len(rows)\n\n allowed_sort = {\"id\", + \"display_name\", \"version\", \"visible\", \"path\"}\n if sort_by not in allowed_sort:\n + \ sort_by = \"id\"\n reverse = sort_dir == \"desc\"\n rows.sort(key=lambda + r: _safe_sort_key(r, sort_by), reverse=reverse)\n\n page = rows[offset: offset + + limit]\n start = offset + 1 if page else 0\n end = offset + len(page)\n\n + \ allowed_fields = [\"id\", \"display_name\", \"version\", \"visible\", \"path\"]\n + \ fields = [f for f in fields if f in allowed_fields] or [\"id\", \"display_name\", + \"version\", \"visible\", \"path\"]\n\n header_line = \"| \" + \" | \".join(fields) + + \" |\\n\"\n sep_line = \"| \" + \" | \".join([\"---\"] * len(fields)) + \" + |\\n\"\n table = header_line + sep_line\n for r in page:\n table += + \"| \" + \" | \".join([_norm(r.get(f, \"\")) for f in fields]) + \" |\\n\"\n\n summary_lines + = [\n f\"using: {(using or '(default)')}\",\n f\"include_hidden: {include_hidden}\",\n + \ f\"visible_only: {visible_only}\",\n ]\n if text_filter:\n summary_lines.append(f\"filter: + `{text_filter}`\")\n summary_lines.append(f\"sort: {sort_by} {sort_dir}\")\n + \ summary_lines.append(f\"page: limit={limit}, offset={offset}\")\n if show_total:\n + \ summary_lines.append(f\"showing: {start}-{end} of {total}\")\n\n emit_progress(\"\\n\".join(summary_lines) + + \"\\n\\n\" + table, stage=\"list\")\n return\n\n# ---------------------------\n# + Marketplace install (USE ANNA’S SCRIPT)\n# ---------------------------\n\ndef install_marketplace_packs(\n + \ marketplace_packs: List[Dict[str, str]],\n using: str,\n retry_count: + int,\n retry_sleep_seconds: int,\n debug: bool,\n) -> Dict[str, Any]:\n if + debug:\n emit_progress(\n \"Installing marketplace packs via **XSIAMContentPackInstaller**…\\n\"\n + \ + \"\\n\".join([f'{p.get(\"id\")} @ {p.get(\"version\")}' for p in marketplace_packs]),\n + \ stage=\"packs.marketplace\",\n )\n else:\n emit_progress(\n + \ f\"Installing marketplace packs via **XSIAMContentPackInstaller**… ({len(marketplace_packs)} + pack(s))\",\n stage=\"packs.marketplace\",\n )\n\n args = {\n + \ \"packs_data\": marketplace_packs,\n \"pack_id_key\": \"id\",\n \"pack_version_key\": + \"version\",\n \"install_dependencies\": \"true\",\n }\n if using:\n + \ args[\"using\"] = using\n\n res = exec_with_retry(\n \"XSIAMContentPackInstaller\",\n + \ args,\n retry_count=retry_count,\n retry_sleep_seconds=retry_sleep_seconds,\n + \ context_for_error=\"Failed installing marketplace packs via XSIAMContentPackInstaller\",\n + \ fail_on_error=True,\n )\n return get_contents(res) if res else {}\n\ndef + fetch_installed_marketplace_pack_ids(using: str) -> List[str]:\n try:\n r + = core_api_get(\"/public/v1/contentpacks/metadata/installed\", using=using)\n packs + = (r.get(\"response\") or []) if isinstance(r, dict) else []\n ids = []\n + \ for p in packs:\n pid = p.get(\"id\")\n if pid:\n + \ ids.append(pid)\n return ids\n except Exception:\n return + []\n\n# ---------------------------\n# xsoar_config\n# ---------------------------\n\ndef + fetch_xsoar_config(xsoar_config_url: str) -> Dict[str, Any]:\n data = http_get_json(xsoar_config_url)\n + \ if not isinstance(data, dict):\n raise Exception(f\"xsoar_config.json + unexpected format at {xsoar_config_url}\")\n return data\n\n# ---------------------------\n# + Custom packs install (with timeout -> polling fallback)\n# ---------------------------\n\ndef + wait_for_pack_installed(\n pack_id: str,\n using: str,\n poll_seconds: + int,\n poll_interval_seconds: int,\n debug: bool,\n) -> bool:\n deadline + = time.time() + max(0, poll_seconds)\n interval = max(5, poll_interval_seconds)\n\n + \ log(\n f\"Polling for pack install completion: **{pack_id}** (up to {poll_seconds}s, + every {interval}s)…\",\n stage=\"packs.custom.poll\",\n debug=debug,\n + \ always=True,\n )\n\n while True:\n try:\n installed + = fetch_installed_marketplace_pack_ids(using)\n if pack_id in installed:\n + \ log(f\"Pack **{pack_id}** is now installed.\", stage=\"packs.custom.poll\", + debug=debug, always=True)\n return True\n except Exception + as e:\n log(f\"Poll check error (will retry): {e}\", stage=\"packs.custom.poll.debug\", + debug=debug)\n\n if time.time() >= deadline:\n log(\n f\"Polling + window expired; pack **{pack_id}** not detected as installed yet.\",\n stage=\"packs.custom.poll\",\n + \ debug=debug,\n always=True,\n )\n return + False\n\n time.sleep(interval)\n\ndef install_custom_pack_zip(\n url: + str,\n pack_id: str,\n using: str,\n execution_timeout: int,\n install_timeout: + int,\n retry_count: int,\n retry_sleep_seconds: int,\n skip_verify: bool,\n + \ skip_validation: bool,\n post_install_poll_seconds: int,\n post_install_poll_interval_seconds: + int,\n continue_on_install_timeout: bool,\n debug: bool,\n):\n effective_timeout + = max(1200, execution_timeout, install_timeout)\n\n args = {\n \"file_url\": + url,\n \"execution-timeout\": str(effective_timeout),\n \"skip_verify\": + bool_str_tf(skip_verify),\n \"skip_validation\": bool_str_tf(skip_validation),\n + \ }\n if using:\n args[\"using\"] = using\n\n if debug:\n emit_progress(\n + \ \"\\n\".join(\n [\n \"core-api-install-packs:\",\n + \ f\"- file_url: {url}\",\n f\"- execution-timeout: + {effective_timeout}\",\n f\"- skip_verify: {skip_verify}\",\n + \ f\"- skip_validation: {skip_validation}\",\n ]\n + \ ),\n stage=\"packs.custom.debug\",\n )\n\n try:\n + \ exec_with_retry(\n \"core-api-install-packs\",\n args,\n + \ retry_count=retry_count,\n retry_sleep_seconds=retry_sleep_seconds,\n + \ context_for_error=f\"Failed installing custom pack ZIP: {url}\",\n fail_on_error=True,\n + \ )\n return\n\n except Exception as e:\n err = str(e)\n\n + \ if is_timeout_error(err):\n emit_progress(\n \"\\n\".join(\n + \ [\n \"Custom pack upload call timed out + (client-side).\",\n \"This often means the server is still + uploading/processing.\",\n f\"Switching to polling for installed + pack: **{pack_id}**\",\n ]\n ),\n stage=\"packs.custom.timeout\",\n + \ )\n\n ok = wait_for_pack_installed(\n pack_id=pack_id,\n + \ using=using,\n poll_seconds=post_install_poll_seconds,\n + \ poll_interval_seconds=post_install_poll_interval_seconds,\n debug=debug,\n + \ )\n\n if ok:\n return\n\n msg = + (\n \"Upload timed out and polling did not observe the pack as installed.\\n\"\n + \ f\"pack_id={pack_id}\\nurl={url}\\n\"\n f\"poll_seconds={post_install_poll_seconds}, + interval={post_install_poll_interval_seconds}\\n\"\n \"You can retry + or increase post_install_poll_seconds.\"\n )\n\n if continue_on_install_timeout:\n + \ emit_progress(msg + \"\\n\\ncontinue_on_install_timeout=True β€” continuing + anyway.\", stage=\"packs.custom.timeout\")\n return\n\n raise + Exception(msg)\n\n raise\n\n# ---------------------------\n# Configure (jobs + / integrations / lookups)\n# ---------------------------\n\ndef configure_integrations_from_xsoar_config(\n + \ xsoar_cfg: Dict[str, Any],\n using: str,\n retry_count: int,\n retry_sleep_seconds: + int,\n installed_pack_ids: List[str],\n debug: bool,\n) -> Dict[str, Any]:\n + \ items = [x for x in (xsoar_cfg.get(\"integration_instances\", []) or []) if + isinstance(x, dict)]\n emit_progress(f\"Configuring integration instances… ({len(items)} + instance(s))\", stage=\"configure.integrations\")\n\n summary = {\n \"attempted\": + 0,\n \"ok\": 0,\n \"already_exists\": 0,\n \"skipped_missing_pack\": + 0,\n \"skipped_missing_brand\": 0,\n \"failed\": 0,\n \"failed_items\": + [],\n }\n\n for inst in items:\n instance_name = (inst.get(\"name\") + or \"\").strip()\n if not instance_name:\n continue\n\n required_pack + = ((inst.get(\"required_pack_id\") or inst.get(\"marketplace_pack\") or inst.get(\"pack_id\") + or \"\").strip())\n if required_pack and required_pack not in installed_pack_ids:\n + \ summary[\"skipped_missing_pack\"] += 1\n log(\n f\"Skipping + integration instance **{instance_name}** β€” marketplace pack **{required_pack}** + not installed.\",\n stage=\"configure.integrations.debug\",\n debug=debug,\n + \ )\n continue\n\n brand = (inst.get(\"brand\") or \"\").strip()\n + \ if not brand:\n summary[\"skipped_missing_brand\"] += 1\n log(\n + \ f\"Skipping integration instance **{instance_name}** β€” missing required + field `brand`.\",\n stage=\"configure.integrations.debug\",\n debug=debug,\n + \ )\n continue\n\n summary[\"attempted\"] += 1\n\n payload + = {\n \"name\": instance_name,\n \"brand\": brand,\n \"enabled\": + inst.get(\"enabled\", \"true\"),\n \"category\": inst.get(\"category\") + or \"\",\n \"data\": inst.get(\"data\") or [],\n }\n\n log(\n + \ f\"Creating/updating integration instance: **{instance_name}** (brand: + **{brand}**)\",\n stage=\"configure.integrations.debug\",\n debug=debug,\n + \ )\n\n def _do_put():\n return core_api_put(\"/xsoar/public/v1/settings/integration\", + payload, using=using, execution_timeout=600)\n\n last_err = None\n for + attempt in range(1, max(1, retry_count) + 1):\n try:\n resp + = _do_put()\n rid = (resp.get(\"id\") if isinstance(resp, dict) else + None) or \"\"\n summary[\"ok\"] += 1\n log(\n f\"Integration + instance **{instance_name}** created/updated. id={rid or '(unknown)'}\",\n stage=\"configure.integrations.result\",\n + \ debug=debug,\n )\n break\n except + Exception as e:\n last_err = str(e)\n\n if is_instance_already_exists_error(last_err):\n + \ summary[\"already_exists\"] += 1\n log(\n + \ f\"Integration instance **{instance_name}** already exists + β€” skipping (idempotent).\",\n stage=\"configure.integrations.result\",\n + \ debug=debug,\n )\n break\n\n + \ if attempt >= retry_count:\n summary[\"failed\"] + += 1\n summary[\"failed_items\"].append({\"name\": instance_name, + \"error\": last_err})\n emit_progress(f\"Failed configuring integration + instance **{instance_name}**.\\nError: {last_err}\", stage=\"configure.integrations.error\")\n + \ break\n\n time.sleep(max(1, retry_sleep_seconds))\n\n + \ emit_progress(\n \"\\n\".join(\n [\n \"Integration + instances summary:\",\n f\"- attempted: {summary['attempted']}\",\n + \ f\"- ok: {summary['ok']}\",\n f\"- already exists: + {summary['already_exists']}\",\n f\"- skipped (missing pack): {summary['skipped_missing_pack']}\",\n + \ f\"- skipped (missing brand): {summary['skipped_missing_brand']}\",\n + \ f\"- failed: {summary['failed']}\",\n \"\",\n \"_Note: + UI/index propagation can take a few minutes after instance create/update._\",\n + \ ]\n ),\n stage=\"configure.integrations.summary\",\n )\n\n + \ return summary\n\ndef configure_jobs_from_xsoar_config(\n xsoar_cfg: Dict[str, + Any],\n using: str,\n retry_count: int,\n retry_sleep_seconds: int,\n debug: + bool,\n) -> Dict[str, Any]:\n jobs = [x for x in (xsoar_cfg.get(\"jobs\", []) + or []) if isinstance(x, dict)]\n emit_progress(f\"Configuring jobs… ({len(jobs)} + job(s))\", stage=\"configure.jobs\")\n\n summary = {\"attempted\": 0, \"ok\": + 0, \"failed\": 0, \"failed_items\": []}\n\n for job in jobs:\n name = + (job.get(\"name\") or job.get(\"job_name\") or \"\").strip()\n if not name:\n + \ continue\n\n summary[\"attempted\"] += 1\n log(f\"Configuring + job: **{name}**\", stage=\"configure.jobs.debug\", debug=debug)\n\n cmd_args + = {\"job_name\": name, \"job_data\": json.dumps(job)}\n if using:\n cmd_args[\"using\"] + = using\n\n try:\n _ = exec_with_retry(\n \"SOCFWJobManager\",\n + \ cmd_args,\n retry_count=retry_count,\n retry_sleep_seconds=retry_sleep_seconds,\n + \ context_for_error=f\"Failed configuring job: {name}\",\n fail_on_error=True,\n + \ )\n summary[\"ok\"] += 1\n log(f\"Job **{name}** + ok\", stage=\"configure.jobs.result\", debug=debug)\n except Exception as + e:\n summary[\"failed\"] += 1\n summary[\"failed_items\"].append({\"name\": + name, \"error\": str(e)})\n emit_progress(f\"Failed configuring job **{name}**.\\nError: + {e}\", stage=\"configure.jobs.error\")\n\n emit_progress(\n \"\\n\".join(\n + \ [\n \"Jobs summary:\",\n f\"- attempted: + {summary['attempted']}\",\n f\"- ok: {summary['ok']}\",\n f\"- + failed: {summary['failed']}\",\n ]\n ),\n stage=\"configure.jobs.summary\",\n + \ )\n return summary\n\ndef configure_lookups_from_xsoar_config(\n xsoar_cfg: + Dict[str, Any],\n using: str,\n retry_count: int,\n retry_sleep_seconds: + int,\n overwrite_lookup: bool,\n debug: bool,\n) -> Dict[str, Any]:\n dsets + = [x for x in (xsoar_cfg.get(\"lookup_datasets\", []) or []) if isinstance(x, dict)]\n + \ emit_progress(f\"Configuring lookup datasets… ({len(dsets)} dataset(s))\", stage=\"configure.lookups\")\n\n + \ summary = {\"attempted\": 0, \"ok\": 0, \"failed\": 0, \"failed_items\": []}\n\n + \ for ds in dsets:\n name = (ds.get(\"name\") or ds.get(\"dataset_name\") + or \"\").strip()\n if not name:\n continue\n\n summary[\"attempted\"] + += 1\n log(f\"Configuring lookup dataset: **{name}**\", stage=\"configure.lookups.debug\", + debug=debug)\n\n cmd_args = {\n \"lookup_dataset_name\": name,\n + \ \"lookup_dataset_data\": json.dumps(ds),\n \"overwrite_lookup\": + bool_str_tf(overwrite_lookup),\n }\n if using:\n cmd_args[\"using\"] + = using\n\n try:\n _ = exec_with_retry(\n \"SOCFWLookupManager\",\n + \ cmd_args,\n retry_count=retry_count,\n retry_sleep_seconds=retry_sleep_seconds,\n + \ context_for_error=f\"Failed configuring lookup dataset: {name}\",\n + \ fail_on_error=True,\n )\n summary[\"ok\"] + += 1\n log(f\"Lookup **{name}** ok\", stage=\"configure.lookups.result\", + debug=debug)\n except Exception as e:\n summary[\"failed\"] += + 1\n summary[\"failed_items\"].append({\"name\": name, \"error\": str(e)})\n + \ emit_progress(f\"Failed configuring lookup dataset **{name}**.\\nError: + {e}\", stage=\"configure.lookups.error\")\n\n emit_progress(\n \"\\n\".join(\n + \ [\n \"Lookups summary:\",\n f\"- attempted: + {summary['attempted']}\",\n f\"- ok: {summary['ok']}\",\n f\"- + failed: {summary['failed']}\",\n ]\n ),\n stage=\"configure.lookups.summary\",\n + \ )\n return summary\n\n# ---------------------------\n# Main\n# ---------------------------\n\ndef + main():\n args = demisto.args()\n\n action = (args.get(\"action\") or \"apply\").strip().lower()\n + \ pack_id = (args.get(\"pack_id\") or \"\").strip()\n include_hidden = arg_to_bool(args.get(\"include_hidden\"), + False)\n dry_run = arg_to_bool(args.get(\"dry_run\"), False)\n\n install_marketplace_flag + = arg_to_bool(args.get(\"install_marketplace\"), True)\n apply_configure = arg_to_bool(args.get(\"apply_configure\"), + True)\n configure_jobs = arg_to_bool(args.get(\"configure_jobs\"), True)\n configure_integrations + = arg_to_bool(args.get(\"configure_integrations\"), True)\n configure_lookups + = arg_to_bool(args.get(\"configure_lookups\"), True)\n overwrite_lookup = arg_to_bool(args.get(\"overwrite_lookup\"), + False)\n\n include_doc_content = arg_to_bool(args.get(\"include_doc_content\"), + False)\n doc_content_max_chars = to_int(args.get(\"doc_content_max_chars\"), + 6000)\n doc_content_max_lines = to_int(args.get(\"doc_content_max_lines\"), 200)\n\n + \ # NEW: pre-config gate\n pre_config_done = arg_to_bool(args.get(\"pre_config_done\"), + False)\n pre_config_gate = arg_to_bool(args.get(\"pre_config_gate\"), True) # + default True\n\n retry_count = to_int(args.get(\"retry_count\"), 5)\n retry_sleep_seconds + = to_int(args.get(\"retry_sleep_seconds\"), 15)\n using = (args.get(\"using\") + or \"\").strip()\n execution_timeout = to_int(args.get(\"execution_timeout\"), + 1200)\n\n skip_verify = arg_to_bool(args.get(\"skip_verify\"), True)\n skip_validation + = arg_to_bool(args.get(\"skip_validation\"), False)\n\n install_timeout = to_int(args.get(\"install_timeout\"), + 3600)\n\n post_install_poll_seconds = to_int(args.get(\"post_install_poll_seconds\"), + 1800)\n post_install_poll_interval_seconds = to_int(args.get(\"post_install_poll_interval_seconds\"), + 60)\n continue_on_install_timeout = arg_to_bool(args.get(\"continue_on_install_timeout\"), + False)\n\n fail_on_marketplace_errors = arg_to_bool(args.get(\"fail_on_marketplace_errors\"), + False)\n\n debug = arg_to_bool(args.get(\"debug\"), False)\n\n if action not + in (\"apply\", \"list\"):\n raise Exception(f\"Unsupported action: {action}\")\n\n + \ if action == \"list\":\n return do_list(args)\n\n if not pack_id:\n + \ raise Exception(\"pack_id is required for action=apply\")\n\n emit_progress(\n + \ \"\\n\".join(\n [\n f\"Starting {action} for **{pack_id}**\",\n + \ f\"- include_hidden={include_hidden}\",\n f\"- dry_run={dry_run}\",\n + \ f\"- install_marketplace={install_marketplace_flag}\",\n f\"- + apply_configure={apply_configure} (jobs={configure_jobs}, integrations={configure_integrations}, + lookups={configure_lookups})\",\n f\"- overwrite_lookup={overwrite_lookup}\",\n + \ f\"- retries={retry_count}, retry_sleep_seconds={retry_sleep_seconds}\",\n + \ f\"- using={(using or '(default)')}\",\n f\"- execution_timeout={execution_timeout}\",\n + \ f\"- install_timeout={install_timeout}\",\n f\"- + skip_verify={skip_verify}\",\n f\"- skip_validation={skip_validation}\",\n + \ f\"- post_install_poll_seconds={post_install_poll_seconds}\",\n + \ f\"- post_install_poll_interval_seconds={post_install_poll_interval_seconds}\",\n + \ f\"- continue_on_install_timeout={continue_on_install_timeout}\",\n + \ f\"- fail_on_marketplace_errors={fail_on_marketplace_errors}\",\n + \ f\"- include_doc_content={include_doc_content} (max_chars={doc_content_max_chars}, + max_lines={doc_content_max_lines})\",\n f\"- pre_config_gate={pre_config_gate}\",\n + \ f\"- pre_config_done={pre_config_done}\",\n f\"- + debug={debug}\",\n ]\n ),\n stage=\"start\",\n )\n\n + \ emit_progress(\"Resolving install manifest…\", stage=\"manifest\")\n manifest + = resolve_manifest(pack_id, include_hidden=include_hidden)\n\n marketplace_packs + = manifest.get(\"marketplace_packs\") or []\n custom_zip_urls = manifest.get(\"custom_zip_urls\") + or []\n xsoar_config_url = manifest.get(\"xsoar_config_url\") or \"\"\n\n emit_progress(\n + \ \"\\n\".join(\n [\n \"Manifest resolved.\",\n + \ f\"- marketplace_packs: {len(marketplace_packs)}\",\n f\"- + custom ZIP URLs: {len(custom_zip_urls)}\",\n f\"- xsoar_config_url: + {xsoar_config_url or '(none)'}\",\n ]\n ),\n stage=\"manifest.summary\",\n + \ )\n\n xsoar_cfg: Dict[str, Any] = {}\n if xsoar_config_url:\n emit_progress(\"Fetching + xsoar_config.json…\", stage=\"xsoar_config.fetch\")\n xsoar_cfg = fetch_xsoar_config(xsoar_config_url) + or {}\n\n cfg_marketplace_packs = xsoar_cfg.get(\"marketplace_packs\") or + []\n if isinstance(cfg_marketplace_packs, list) and cfg_marketplace_packs:\n + \ marketplace_packs = cfg_marketplace_packs\n\n emit_progress(\n + \ \"\\n\".join(\n [\n \"xsoar_config + loaded.\",\n f\"- integration_instances: {len(xsoar_cfg.get('integration_instances', + []) or [])}\",\n f\"- jobs: {len(xsoar_cfg.get('jobs', []) or + [])}\",\n f\"- lookup_datasets: {len(xsoar_cfg.get('lookup_datasets', + []) or [])}\",\n f\"- has_pre_config_docs: {has_config_docs(xsoar_cfg, + 'pre')}\",\n f\"- has_post_config_docs: {has_config_docs(xsoar_cfg, + 'post')}\",\n ]\n ),\n stage=\"xsoar_config.summary\",\n + \ )\n\n # Print PRE docs immediately\n print_config_docs(\n + \ xsoar_cfg,\n when=\"pre\",\n debug=debug,\n include_doc_content=include_doc_content,\n + \ doc_content_max_chars=doc_content_max_chars,\n doc_content_max_lines=doc_content_max_lines,\n + \ )\n\n # DEFAULT: stop after printing PRE docs if they exist (unless + acknowledged/bypassed)\n if pre_config_gate and has_config_docs(xsoar_cfg, + \"pre\") and not pre_config_done:\n emit_progress(\n \"\\n\".join(\n + \ [\n \"\U0001F6D1 **Pre-config required**\",\n + \ \"Pre-config docs were printed above.\",\n \"\",\n + \ \"After completing those steps, rerun with:\",\n \"- + `pre_config_done=true`\",\n \"\",\n f\"Example:\\n`!SOCFWPackManager + action=apply pack_id={pack_id} pre_config_done=true`\",\n \"\",\n + \ \"To bypass this stop (not recommended), run with:\",\n + \ \"- `pre_config_gate=false`\",\n ]\n + \ ),\n stage=\"docs.pre.gate\",\n )\n return_results(\n + \ {\n \"pack_id\": pack_id,\n \"xsoar_config_url\": + xsoar_config_url,\n \"stopped_after_pre_docs\": True,\n \"next_command_hint\": + f\"!SOCFWPackManager action=apply pack_id={pack_id} pre_config_done=true\",\n }\n + \ )\n return\n\n if dry_run:\n emit_progress(\"dry_run=True + β€” not installing or configuring anything.\", stage=\"done\")\n return\n\n + \ marketplace_errors: List[str] = []\n if install_marketplace_flag and marketplace_packs:\n + \ mp = []\n for p in marketplace_packs:\n if isinstance(p, + dict) and p.get(\"id\"):\n mp.append({\"id\": p.get(\"id\"), \"version\": + p.get(\"version\", \"latest\")})\n\n try:\n _ = install_marketplace_packs(mp, + using, retry_count, retry_sleep_seconds, debug=debug)\n except Exception + as e:\n marketplace_errors.append(str(e))\n emit_progress(f\"Marketplace + install failed.\\nError: {e}\", stage=\"packs.marketplace.error\")\n if + fail_on_marketplace_errors:\n raise\n\n if custom_zip_urls:\n + \ emit_progress(f\"Installing custom pack ZIPs… ({len(custom_zip_urls)} ZIP(s))\", + stage=\"packs.custom\")\n for item in custom_zip_urls:\n url = + None\n label = None\n if isinstance(item, str):\n url + = item\n label = item\n elif isinstance(item, dict):\n + \ url = item.get(\"url\") or item.get(\"zip_url\")\n label + = item.get(\"name\") or url\n if not url:\n continue\n\n + \ log(f\"Installing custom pack ZIP: **{label}**\", stage=\"packs.custom.debug\", + debug=debug)\n\n install_custom_pack_zip(\n url=url,\n + \ pack_id=pack_id,\n using=using,\n execution_timeout=execution_timeout,\n + \ install_timeout=install_timeout,\n retry_count=retry_count,\n + \ retry_sleep_seconds=retry_sleep_seconds,\n skip_verify=skip_verify,\n + \ skip_validation=skip_validation,\n post_install_poll_seconds=post_install_poll_seconds,\n + \ post_install_poll_interval_seconds=post_install_poll_interval_seconds,\n + \ continue_on_install_timeout=continue_on_install_timeout,\n debug=debug,\n + \ )\n\n integration_summary = None\n jobs_summary = None\n lookups_summary + = None\n\n if apply_configure and xsoar_cfg:\n emit_progress(\"Configuring + from xsoar_config…\", stage=\"configure\")\n\n emit_progress(\n \"\\n\".join(\n + \ [\n \"Configure plan:\",\n f\"- + integration_instances: {len(xsoar_cfg.get('integration_instances', []) or [])}\",\n + \ f\"- jobs: {len(xsoar_cfg.get('jobs', []) or [])}\",\n f\"- + lookup_datasets: {len(xsoar_cfg.get('lookup_datasets', []) or [])}\",\n ]\n + \ ),\n stage=\"configure.plan\",\n )\n\n installed_pack_ids + = fetch_installed_marketplace_pack_ids(using)\n\n if configure_integrations:\n + \ integration_summary = configure_integrations_from_xsoar_config(\n xsoar_cfg=xsoar_cfg,\n + \ using=using,\n retry_count=retry_count,\n retry_sleep_seconds=retry_sleep_seconds,\n + \ installed_pack_ids=installed_pack_ids,\n debug=debug,\n + \ )\n\n if configure_jobs:\n jobs_summary = configure_jobs_from_xsoar_config(\n + \ xsoar_cfg=xsoar_cfg,\n using=using,\n retry_count=retry_count,\n + \ retry_sleep_seconds=retry_sleep_seconds,\n debug=debug,\n + \ )\n\n if configure_lookups:\n lookups_summary = configure_lookups_from_xsoar_config(\n + \ xsoar_cfg=xsoar_cfg,\n using=using,\n retry_count=retry_count,\n + \ retry_sleep_seconds=retry_sleep_seconds,\n overwrite_lookup=overwrite_lookup,\n + \ debug=debug,\n )\n\n emit_progress(\"Done.\", stage=\"done\")\n\n + \ results_obj = {\n \"pack_id\": pack_id,\n \"xsoar_config_url\": + xsoar_config_url,\n \"marketplace_errors\": marketplace_errors,\n \"debug\": + debug,\n \"install_timeout\": install_timeout,\n \"skip_verify\": + skip_verify,\n \"skip_validation\": skip_validation,\n \"post_install_poll_seconds\": + post_install_poll_seconds,\n \"post_install_poll_interval_seconds\": post_install_poll_interval_seconds,\n + \ \"continue_on_install_timeout\": continue_on_install_timeout,\n \"configure_summary\": + {\n \"integrations\": integration_summary,\n \"jobs\": jobs_summary,\n + \ \"lookups\": lookups_summary,\n },\n }\n\n # Return the + machine-readable result first...\n return_results(results_obj)\n\n # ...then + print POST docs as the FINAL War Room entry (so users don't scroll)\n if xsoar_cfg:\n + \ print_config_docs(\n xsoar_cfg,\n when=\"post\",\n + \ debug=debug,\n include_doc_content=include_doc_content,\n + \ doc_content_max_chars=doc_content_max_chars,\n doc_content_max_lines=doc_content_max_lines,\n + \ )\n\nif __name__ in (\"__main__\", \"__builtin__\", \"builtins\"):\n main()\n" type: python tags: - configuration @@ -716,10 +562,6 @@ args: - "False" description: Whether to install marketplace_packs from xsoar_config.json. defaultValue: "True" -- supportedModules: [] - name: execution_timeout - description: Timeout for the core installs and core-api REST calls. - defaultValue: "1200" - supportedModules: [] name: skip_verify auto: PREDEFINED @@ -760,6 +602,8 @@ args: predefined: - "True" - "False" + description: When action=apply, run job configuration from xsoar_config.json (via + SOCFWJobManager). If apply_configure=false, this is ignored. defaultValue: "True" - supportedModules: [] name: configure_integrations @@ -767,6 +611,9 @@ args: predefined: - "True" - "False" + description: When action=apply, create/update integration instances from xsoar_config.json + (via core-api-put /xsoar/public/v1/settings/integration). If apply_configure=false, + this is ignored. defaultValue: "True" - supportedModules: [] name: configure_lookups @@ -774,13 +621,104 @@ args: predefined: - "True" - "False" + description: When action=apply, create/update lookup datasets from xsoar_config.json + (via SOCFWLookupManager). If apply_configure=false, this is ignored. defaultValue: "True" -- supportedModules: [] - name: retry_count - defaultValue: "5" - supportedModules: [] name: retry_sleep_seconds + description: Seconds to wait between retry attempts for install/configure operations + (marketplace install, job/lookup managers, etc.). Used with retry_count. defaultValue: "15" +- supportedModules: [] + name: debug + auto: PREDEFINED + predefined: + - "True" + - "False" + description: Enables verbose War Room logging and additional details (including + doc previews if doc preview logic treats debug as β€œshow content”). + defaultValue: "False" +- supportedModules: [] + name: filter + description: action=list only. Case-insensitive free-text filter applied to id, + display_name, and path. +- supportedModules: [] + name: limit + description: 'action=list only. Max number of rows to display per page. Must be + β‰₯ 1. Example: limit=10' + defaultValue: "50" +- supportedModules: [] + name: offset + description: action=list only. Row offset for paging. offset=0 shows the first page, + offset=50 shows the next page if limit=50. + defaultValue: "0" +- supportedModules: [] + name: sort_by + auto: PREDEFINED + predefined: + - id + - display_name + - version + - visible_path + description: 'action=list only. Column to sort by. Allowed: id, display_name, version, + visible, path.' + defaultValue: id +- supportedModules: [] + name: fields + description: 'caction=list only. Comma-separated list of columns to show. Unknown + fields are ignored. Example: fields=id,version,path' + defaultValue: id,display_name,version,visible,path +- supportedModules: [] + name: show_total + auto: PREDEFINED + predefined: + - "True" + - "False" + description: action=list only. If true, shows β€œshowing X–Y of Z” paging info. + defaultValue: "True" +- supportedModules: [] + name: include_doc_content + auto: PREDEFINED + predefined: + - "True" + - "False" + description: When printing pre_config_docs / post_config_docs, also fetch and embed + a truncated preview of the README content into the War Room output (best effort). + If false, only prints links (unless debug=true is treated as β€œinclude content”). + defaultValue: "False" +- supportedModules: [] + name: doc_content_max_chars + description: Max characters to include per doc preview when include_doc_content=true + (or when debug forces previews). Content beyond this is truncated. + defaultValue: "6000" +- supportedModules: [] + name: doc_content_max_lines + description: Max lines to include per doc preview when include_doc_content=true + (or when debug forces previews). Lines beyond this are truncated. + defaultValue: "200" +- supportedModules: [] + name: pre_config_done + default: true + auto: PREDEFINED + predefined: + - "True" + - "False" + description: 'Gate flag for β€œpre-install required steps.” If your new behavior is + β€œprint pre-config then stop by default,” this flag is what the user sets to continue + the install/configure run. Typical behavior: pre_config_done=false β†’ print PRE + section and exit early pre_config_done=true β†’ proceed with installs/configure + and print POST at the very end' + defaultValue: "False" +- supportedModules: [] + name: pre_config_gate + auto: PREDEFINED + predefined: + - "True" + - "False" + description: 'Enables/disables the pre-config gating behavior. Typical behavior: pre_config_gate=true + β†’ enforce the β€œprint pre then stop unless pre_config_done=true” flow pre_config_gate=false + β†’ don’t stop; run normally (still can print pre docs, depending on your logic)' + defaultValue: "True" scripttarget: 0 subtype: python3 timeout: 30m0s diff --git a/Packs/soc-framework-manager/pack_metadata.json b/Packs/soc-framework-manager/pack_metadata.json index 01a48ea..4063b78 100644 --- a/Packs/soc-framework-manager/pack_metadata.json +++ b/Packs/soc-framework-manager/pack_metadata.json @@ -2,7 +2,7 @@ "name": "SOC Framework Package Manager", "description": "This will install and configure any of the SOC Framework packages.", "support": "xsoar", - "currentVersion": "1.0.1", + "currentVersion": "1.0.2", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/pack_catalog.json b/pack_catalog.json index a870c0a..079a790 100644 --- a/pack_catalog.json +++ b/pack_catalog.json @@ -19,7 +19,7 @@ { "id": "soc-framework-manager", "display_name": "SOC Framework Package Manager", - "version": "1.0.1", + "version": "1.0.2", "path": "Packs/soc-framework-manager", "visible": false, "xsoar_config": null From 53c59dbc851e5a1b8918044fecca4a52d5a36e75 Mon Sep 17 00:00:00 2001 From: Scott Brumley Date: Fri, 23 Jan 2026 16:04:59 -0500 Subject: [PATCH 24/49] - Fixed SOCFWPackManager.yml file - Fixed fix_errors.py file to fix SOCFWPackManager.yml --- .../Scripts/SOCFWPackManager.yml | 1019 +++++++++-------- tools/fix_errors.py | 212 +++- 2 files changed, 696 insertions(+), 535 deletions(-) diff --git a/Packs/soc-framework-manager/Scripts/SOCFWPackManager.yml b/Packs/soc-framework-manager/Scripts/SOCFWPackManager.yml index 8082f30..b594d7e 100644 --- a/Packs/soc-framework-manager/Scripts/SOCFWPackManager.yml +++ b/Packs/soc-framework-manager/Scripts/SOCFWPackManager.yml @@ -1,516 +1,551 @@ commonfields: - id: e5c63c0b-e4ea-4928-8eed-5e51b9ad9ce8 + id: SOCFWPackManager version: 86 vcShouldKeepItemLegacyProdMachine: false name: SOCFWPackManager -script: "import json\nimport time\nfrom typing import Any, Dict, List, Optional\n\nimport - requests\n\n# ============================================================\n# SOCFWPackManager - (bootloader)\n# - list: shows SOC Framework pack catalog (now supports paging/filtering)\n# - - apply: resolves pack_id via secops-framework pack_catalog.json\n# - marketplace - install: uses XSIAMContentPackInstaller (Anna’s) when available\n# - custom ZIP - install: uses core-api-install-packs with file_url (NOT pack_url)\n# - configure: - runs your SOCFW* manager scripts (jobs/lookups)\n#\n# FIX:\n# - Create integration - instances directly via core-api-put to\n# /xsoar/public/v1/settings/integration\n# - - Treat \"already exists (33)\" as success so reruns are idempotent.\n#\n# CHANGE:\n# - - Reduce logging by default + debug flag\n# - Fix Trend/large pack uploads by:\n# - \ - honoring skip_verify/skip_validation args\n# - adding install_timeout (default +script: "import json\nimport time\nfrom typing import Any, Dict, List, Optional\n\n + import requests\n\n# ============================================================\n + # SOCFWPackManager (bootloader)\n# - list: shows SOC Framework pack catalog (now + supports paging/filtering)\n# - apply: resolves pack_id via secops-framework pack_catalog.json\n + # - marketplace install: uses XSIAMContentPackInstaller (Anna’s) when available\n + # - custom ZIP install: uses core-api-install-packs with file_url (NOT pack_url)\n + # - configure: runs your SOCFW* manager scripts (jobs/lookups)\n#\n# FIX:\n# - Create + integration instances directly via core-api-put to\n# /xsoar/public/v1/settings/integration\n + # - Treat \"already exists (33)\" as success so reruns are idempotent.\n#\n# CHANGE:\n + # - Reduce logging by default + debug flag\n# - Fix Trend/large pack uploads by:\n\ + # - honoring skip_verify/skip_validation args\n# - adding install_timeout (default 3600s) for core-api-install-packs\n# - if upload call times out: poll until pack shows installed, then continue\n# - LOUD pre_config_docs + post_config_docs (+ optional README previews)\n# - NEW: pre-config gate (default ON): print PRE docs then STOP unless pre_config_done=true\n# - NEW: POST docs printed as the VERY LAST War Room - entry (after return_results)\n# ============================================================\n\nSCRIPT_NAME - = \"SOCFWPackManager\"\n\n# ---------------------------\n# Basic helpers\n# ---------------------------\n\ndef - _norm(s: Any) -> str:\n return (str(s) if s is not None else \"\").strip()\n\ndef - _to_lower(s: Any) -> str:\n return _norm(s).lower()\n\ndef _parse_csv(val: Any) - -> List[str]:\n s = _norm(val)\n if not s:\n return []\n return - [x.strip() for x in s.split(\",\") if x.strip()]\n\ndef _safe_sort_key(row: Dict[str, - Any], key: str) -> str:\n return _norm(row.get(key, \"\")).lower()\n\n# ---------------------------\n# - Demisto helpers\n# ---------------------------\n\ndef get_error(res):\n try:\n - \ return res[0].get(\"Contents\") or res[0].get(\"HumanReadable\") or str(res[0])\n - \ except Exception:\n return str(res)\n\ndef is_error(res0):\n try:\n - \ return bool(res0.get(\"Type\") == 4) # entryTypes[\"error\"] == 4\n except - Exception:\n return False\n\ndef get_contents(res):\n if not res or not - isinstance(res, list) or not res[0]:\n return {}\n return res[0].get(\"Contents\") - or {}\n\ndef arg_to_bool(val, default=False) -> bool:\n if val is None:\n return - default\n if isinstance(val, bool):\n return val\n s = str(val).strip().lower()\n - \ if s == \"\":\n return default\n return s in (\"true\", \"1\", \"yes\", - \"y\", \"on\")\n\ndef to_int(val, default: int) -> int:\n try:\n return - int(val)\n except Exception:\n return default\n\ndef bool_str_tf(val: - bool) -> str:\n return \"True\" if bool(val) else \"False\"\n\ndef is_timeout_error(err_text: - str) -> bool:\n if not err_text:\n return False\n t = err_text.lower()\n - \ return (\n \"timeout\" in t\n or \"timed out\" in t\n or - \"read timed out\" in t\n or \"request timed out\" in t\n or \"context - deadline exceeded\" in t\n or \"client.timeout exceeded\" in t\n or - \"awaiting headers\" in t\n or \"context deadline exceeded (client.timeout - exceeded while awaiting headers)\" in t\n )\n\ndef emit_progress(message: str, - stage: Optional[str] = None):\n title = f\"{SCRIPT_NAME} β€” {stage}\" if stage - else SCRIPT_NAME\n demisto.results(\n {\n \"Type\": 1,\n \"ContentsFormat\": - \"markdown\",\n \"Contents\": message,\n \"HumanReadable\": - f\"### {title}\\n{message}\",\n }\n )\n\ndef log(message: str, stage: - Optional[str], debug: bool, always: bool = False):\n if always or debug:\n emit_progress(message, - stage=stage)\n\ndef exec_cmd(command: str, args: Dict[str, Any], fail_on_error: - bool = True):\n res = demisto.executeCommand(command, args)\n if not res:\n - \ if fail_on_error:\n raise Exception(f\"{command} returned empty - response\")\n return res\n if is_error(res[0]):\n if fail_on_error:\n - \ raise Exception(get_error(res))\n return res\n return res\n\ndef - exec_with_retry(\n command: str,\n args: Dict[str, Any],\n retry_count: - int,\n retry_sleep_seconds: int,\n context_for_error: str,\n fail_on_error: - bool = True,\n):\n last_err = None\n for attempt in range(1, max(1, retry_count) - + 1):\n try:\n return exec_cmd(command, args, fail_on_error=fail_on_error)\n - \ except Exception as e:\n last_err = str(e)\n if attempt - >= retry_count:\n break\n time.sleep(max(1, retry_sleep_seconds))\n - \ continue\n if fail_on_error:\n raise Exception(f\"{context_for_error}\\nError: - {last_err}\")\n return None\n\ndef is_instance_already_exists_error(err_text: - str) -> bool:\n if not err_text:\n return False\n return \"already - exists (33)\" in err_text.lower()\n\n# ---------------------------\n# Pre/Post docs - helpers (LOUD + optional content)\n# ---------------------------\n\ndef _md_link(name: - str, url: str) -> str:\n n = (name or \"\").strip() or url\n u = (url or \"\").strip()\n - \ if not u:\n return f\"- {n}\"\n return f\"- [{n}]({u})\"\n\ndef _github_blob_to_raw(url: - str) -> str:\n \"\"\"\n Convert:\n https://github.com/org/repo/blob/branch/path/file.md\n - \ To:\n https://raw.githubusercontent.com/org/repo/branch/path/file.md\n - \ If it's already a raw URL, return as-is.\n \"\"\"\n u = (url or \"\").strip()\n - \ if not u:\n return u\n if \"raw.githubusercontent.com\" in u:\n return - u\n if u.startswith(\"https://github.com/\") and \"/blob/\" in u:\n rest - = u[len(\"https://github.com/\"):]\n parts = rest.split(\"/\")\n if - len(parts) >= 5 and parts[2] == \"blob\":\n org = parts[0]\n repo - = parts[1]\n branch = parts[3]\n path = \"/\".join(parts[4:])\n - \ return f\"https://raw.githubusercontent.com/{org}/{repo}/{branch}/{path}\"\n - \ return u\n\ndef _fetch_text(url: str, timeout: int = 20) -> str:\n r = requests.get(url, - timeout=timeout)\n r.raise_for_status()\n return r.text or \"\"\n\ndef _truncate_text(s: - str, max_chars: int, max_lines: int) -> str:\n if not s:\n return \"\"\n - \ lines = s.splitlines()\n if max_lines and len(lines) > max_lines:\n lines - = lines[:max_lines]\n s = \"\\n\".join(lines) + \"\\n\\n... (truncated by - max_lines) ...\"\n if max_chars and len(s) > max_chars:\n s = s[:max_chars] - + \"\\n\\n... (truncated by max_chars) ...\"\n return s\n\ndef has_config_docs(xsoar_cfg: - Dict[str, Any], when: str) -> bool:\n key = \"pre_config_docs\" if when == \"pre\" - else \"post_config_docs\"\n docs = xsoar_cfg.get(key) or []\n if not isinstance(docs, - list):\n return False\n for d in docs:\n if isinstance(d, dict) - and _norm(d.get(\"url\") or d.get(\"name\")):\n return True\n if - isinstance(d, str) and _norm(d):\n return True\n return False\n\ndef - print_config_docs(\n xsoar_cfg: Dict[str, Any],\n when: str,\n debug: bool,\n - \ include_doc_content: bool = False,\n doc_content_max_chars: int = 6000,\n - \ doc_content_max_lines: int = 200,\n):\n \"\"\"\n when: \"pre\" or \"post\"\n - \ Prints docs listed in xsoar_config.json:\n pre_config_docs: [{name,url}, - ...]\n post_config_docs: [{name,url}, ...]\n If include_doc_content=True - (or debug=True), fetches and embeds doc text (truncated).\n \"\"\"\n key = - \"pre_config_docs\" if when == \"pre\" else \"post_config_docs\"\n docs = xsoar_cfg.get(key) - or []\n if not isinstance(docs, list) or not docs:\n log(f\"No {key} found - in xsoar_config.json.\", stage=f\"docs.{when}\", debug=debug)\n return\n\n - \ banner_title = \"\U0001F6A7 PRE-INSTALL / PRE-CONFIG REQUIRED STEPS\" if when - == \"pre\" else \"βœ… POST-INSTALL / POST-CONFIG MANUAL STEPS\"\n banner_sub = - (\n \"_These docs usually contain prerequisites / manual steps you must complete - BEFORE install._\"\n if when == \"pre\"\n else \"_These docs usually - contain manual follow-ups and validation steps AFTER completion._\"\n )\n\n banner - = \"\\n\".join([\"---\", f\"## {banner_title}\", banner_sub, \"---\"])\n\n link_lines: - List[str] = []\n normalized_docs: List[Dict[str, str]] = []\n for d in docs:\n - \ if isinstance(d, dict):\n name = _norm(d.get(\"name\") or \"\")\n - \ url = _norm(d.get(\"url\") or \"\")\n if url or name:\n link_lines.append(_md_link(name, - url))\n normalized_docs.append({\"name\": name or url, \"url\": url})\n - \ elif isinstance(d, str):\n s = _norm(d)\n if s:\n - \ link_lines.append(f\"- {s}\")\n normalized_docs.append({\"name\": - s, \"url\": s})\n\n if not link_lines:\n log(f\"No valid entries in {key}.\", - stage=f\"docs.{when}\", debug=debug)\n return\n\n want_content = bool(include_doc_content - or debug)\n\n body: List[str] = [banner, \"### Links\", *link_lines]\n\n if - want_content and normalized_docs:\n body += [\"\", \"### Doc contents (preview)\", - \"_Showing a truncated preview._\", \"\"]\n\n for d in normalized_docs:\n + entry (after return_results)\n# ============================================================\n + \nSCRIPT_NAME = \"SOCFWPackManager\"\n\n# ---------------------------\n# Basic helpers\n + # ---------------------------\n\ndef _norm(s: Any) -> str:\n return (str(s) if + s is not None else \"\").strip()\n\ndef _to_lower(s: Any) -> str:\n return _norm(s).lower()\n + \ndef _parse_csv(val: Any) -> List[str]:\n s = _norm(val)\n if not s:\n \ + \ return []\n return [x.strip() for x in s.split(\",\") if x.strip()]\n\n + def _safe_sort_key(row: Dict[str, Any], key: str) -> str:\n return _norm(row.get(key, + \"\")).lower()\n\n# ---------------------------\n# Demisto helpers\n# ---------------------------\n + \ndef get_error(res):\n try:\n return res[0].get(\"Contents\") or res[0].get(\"\ + HumanReadable\") or str(res[0])\n except Exception:\n return str(res)\n + \ndef is_error(res0):\n try:\n return bool(res0.get(\"Type\") == 4) # + entryTypes[\"error\"] == 4\n except Exception:\n return False\n\ndef get_contents(res):\n\ + \ if not res or not isinstance(res, list) or not res[0]:\n return {}\n\ + \ return res[0].get(\"Contents\") or {}\n\ndef arg_to_bool(val, default=False) + -> bool:\n if val is None:\n return default\n if isinstance(val, bool):\n\ + \ return val\n s = str(val).strip().lower()\n if s == \"\":\n \ + \ return default\n return s in (\"true\", \"1\", \"yes\", \"y\", \"on\")\n\n + def to_int(val, default: int) -> int:\n try:\n return int(val)\n except + Exception:\n return default\n\ndef bool_str_tf(val: bool) -> str:\n return + \"True\" if bool(val) else \"False\"\n\ndef is_timeout_error(err_text: str) -> bool:\n\ + \ if not err_text:\n return False\n t = err_text.lower()\n return + (\n \"timeout\" in t\n or \"timed out\" in t\n or \"read timed + out\" in t\n or \"request timed out\" in t\n or \"context deadline + exceeded\" in t\n or \"client.timeout exceeded\" in t\n or \"awaiting + headers\" in t\n or \"context deadline exceeded (client.timeout exceeded + while awaiting headers)\" in t\n )\n\ndef emit_progress(message: str, stage: + Optional[str] = None):\n title = f\"{SCRIPT_NAME} β€” {stage}\" if stage else SCRIPT_NAME\n\ + \ demisto.results(\n {\n \"Type\": 1,\n \"ContentsFormat\"\ + : \"markdown\",\n \"Contents\": message,\n \"HumanReadable\"\ + : f\"### {title}\\n{message}\",\n }\n )\n\ndef log(message: str, stage: + Optional[str], debug: bool, always: bool = False):\n if always or debug:\n \ + \ emit_progress(message, stage=stage)\n\ndef exec_cmd(command: str, args: Dict[str, + Any], fail_on_error: bool = True):\n res = demisto.executeCommand(command, args)\n\ + \ if not res:\n if fail_on_error:\n raise Exception(f\"{command} + returned empty response\")\n return res\n if is_error(res[0]):\n \ + \ if fail_on_error:\n raise Exception(get_error(res))\n return + res\n return res\n\ndef exec_with_retry(\n command: str,\n args: Dict[str, + Any],\n retry_count: int,\n retry_sleep_seconds: int,\n context_for_error: + str,\n fail_on_error: bool = True,\n):\n last_err = None\n for attempt + in range(1, max(1, retry_count) + 1):\n try:\n return exec_cmd(command, + args, fail_on_error=fail_on_error)\n except Exception as e:\n \ + \ last_err = str(e)\n if attempt >= retry_count:\n break\n\ + \ time.sleep(max(1, retry_sleep_seconds))\n continue\n \ + \ if fail_on_error:\n raise Exception(f\"{context_for_error}\\nError: {last_err}\"\ + )\n return None\n\ndef is_instance_already_exists_error(err_text: str) -> bool:\n\ + \ if not err_text:\n return False\n return \"already exists (33)\" + in err_text.lower()\n\n# ---------------------------\n# Pre/Post docs helpers (LOUD + + optional content)\n# ---------------------------\n\ndef _md_link(name: str, url: + str) -> str:\n n = (name or \"\").strip() or url\n u = (url or \"\").strip()\n\ + \ if not u:\n return f\"- {n}\"\n return f\"- [{n}]({u})\"\n\ndef _github_blob_to_raw(url: + str) -> str:\n \"\"\"\n Convert:\n https://github.com/org/repo/blob/branch/path/file.md\n\ + \ To:\n https://raw.githubusercontent.com/org/repo/branch/path/file.md\n\ + \ If it's already a raw URL, return as-is.\n \"\"\"\n u = (url or \"\"\ + ).strip()\n if not u:\n return u\n if \"raw.githubusercontent.com\"\ + \ in u:\n return u\n if u.startswith(\"https://github.com/\") and \"/blob/\"\ + \ in u:\n rest = u[len(\"https://github.com/\"):]\n parts = rest.split(\"\ + /\")\n if len(parts) >= 5 and parts[2] == \"blob\":\n org = parts[0]\n\ + \ repo = parts[1]\n branch = parts[3]\n path = + \"/\".join(parts[4:])\n return f\"https://raw.githubusercontent.com/{org}/{repo}/{branch}/{path}\"\ + \n return u\n\ndef _fetch_text(url: str, timeout: int = 20) -> str:\n r = + requests.get(url, timeout=timeout)\n r.raise_for_status()\n return r.text + or \"\"\n\ndef _truncate_text(s: str, max_chars: int, max_lines: int) -> str:\n\ + \ if not s:\n return \"\"\n lines = s.splitlines()\n if max_lines + and len(lines) > max_lines:\n lines = lines[:max_lines]\n s = \"\\\ + n\".join(lines) + \"\\n\\n... (truncated by max_lines) ...\"\n if max_chars and + len(s) > max_chars:\n s = s[:max_chars] + \"\\n\\n... (truncated by max_chars) + ...\"\n return s\n\ndef has_config_docs(xsoar_cfg: Dict[str, Any], when: str) + -> bool:\n key = \"pre_config_docs\" if when == \"pre\" else \"post_config_docs\"\ + \n docs = xsoar_cfg.get(key) or []\n if not isinstance(docs, list):\n \ + \ return False\n for d in docs:\n if isinstance(d, dict) and _norm(d.get(\"\ + url\") or d.get(\"name\")):\n return True\n if isinstance(d, str) + and _norm(d):\n return True\n return False\n\ndef print_config_docs(\n\ + \ xsoar_cfg: Dict[str, Any],\n when: str,\n debug: bool,\n include_doc_content: + bool = False,\n doc_content_max_chars: int = 6000,\n doc_content_max_lines: + int = 200,\n):\n \"\"\"\n when: \"pre\" or \"post\"\n Prints docs listed + in xsoar_config.json:\n pre_config_docs: [{name,url}, ...]\n post_config_docs: + [{name,url}, ...]\n If include_doc_content=True (or debug=True), fetches and + embeds doc text (truncated).\n \"\"\"\n key = \"pre_config_docs\" if when + == \"pre\" else \"post_config_docs\"\n docs = xsoar_cfg.get(key) or []\n if + not isinstance(docs, list) or not docs:\n log(f\"No {key} found in xsoar_config.json.\"\ + , stage=f\"docs.{when}\", debug=debug)\n return\n\n banner_title = \" + 🚧 PRE-INSTALL / PRE-CONFIG REQUIRED STEPS\" if when == \"pre\" else \"βœ… POST-INSTALL + / POST-CONFIG MANUAL STEPS\"\n banner_sub = (\n \"_These docs usually + contain prerequisites / manual steps you must complete BEFORE install._\"\n \ + \ if when == \"pre\"\n else \"_These docs usually contain manual follow-ups + and validation steps AFTER completion._\"\n )\n\n banner = \"\\n\".join([\"\ + ---\", f\"## {banner_title}\", banner_sub, \"---\"])\n\n link_lines: List[str] + = []\n normalized_docs: List[Dict[str, str]] = []\n for d in docs:\n \ + \ if isinstance(d, dict):\n name = _norm(d.get(\"name\") or \"\")\n\ + \ url = _norm(d.get(\"url\") or \"\")\n if url or name:\n\ + \ link_lines.append(_md_link(name, url))\n normalized_docs.append({\"\ + name\": name or url, \"url\": url})\n elif isinstance(d, str):\n \ + \ s = _norm(d)\n if s:\n link_lines.append(f\"- {s}\"\ + )\n normalized_docs.append({\"name\": s, \"url\": s})\n\n if not + link_lines:\n log(f\"No valid entries in {key}.\", stage=f\"docs.{when}\"\ + , debug=debug)\n return\n\n want_content = bool(include_doc_content or + debug)\n\n body: List[str] = [banner, \"### Links\", *link_lines]\n\n if want_content + and normalized_docs:\n body += [\"\", \"### Doc contents (preview)\", \" + _Showing a truncated preview._\", \"\"]\n\n for d in normalized_docs:\n \ \ name = d.get(\"name\") or \"\"\n url = d.get(\"url\") or - \"\"\n raw_url = _github_blob_to_raw(url)\n try:\n text - = _fetch_text(raw_url, timeout=20)\n text = _truncate_text(text, - max_chars=doc_content_max_chars, max_lines=doc_content_max_lines)\n\n body.append(\n - \ \"\\n\".join(\n [\n \"
\",\n - \ f\"{name} (click to expand)\",\n - \ \"\",\n \"```markdown\",\n - \ text,\n \"```\",\n \"\",\n - \ f\"_Source: {raw_url}_\",\n \"
\",\n - \ \"\",\n ]\n )\n - \ )\n except Exception as e:\n body.append(f\"- - **{name}**: could not fetch preview ({e})\")\n\n emit_progress(\"\\n\".join(body), - stage=f\"docs.{when}\")\n\n# ---------------------------\n# Core API wrappers\n# - ---------------------------\n\ndef core_api_get(path: str, using: str = \"\", execution_timeout: - int = 600) -> Dict[str, Any]:\n args = {\"uri\": path, \"execution-timeout\": - str(execution_timeout)}\n if using:\n args[\"using\"] = using\n res - = exec_cmd(\"core-api-get\", args)\n return get_contents(res) or {}\n\ndef core_api_post(path: - str, body: Any, using: str = \"\", execution_timeout: int = 600) -> Dict[str, Any]:\n - \ args = {\"uri\": path, \"body\": json.dumps(body if body is not None else {}), - \"execution-timeout\": str(execution_timeout)}\n if using:\n args[\"using\"] - = using\n res = exec_cmd(\"core-api-post\", args)\n return get_contents(res) - or {}\n\ndef core_api_put(path: str, body: Any, using: str = \"\", execution_timeout: - int = 600) -> Dict[str, Any]:\n args = {\"uri\": path, \"body\": json.dumps(body - if body is not None else {}), \"execution-timeout\": str(execution_timeout)}\n if - using:\n args[\"using\"] = using\n res = exec_cmd(\"core-api-put\", args)\n - \ return get_contents(res) or {}\n\n# ---------------------------\n# HTTP JSON - helpers\n# ---------------------------\n\ndef http_get_json(url: str, timeout: int - = 30) -> Any:\n r = requests.get(url, timeout=timeout)\n r.raise_for_status()\n - \ return r.json()\n\n# ---------------------------\n# Catalog + Manifest resolver\n# - ---------------------------\n\nDEFAULT_CATALOG_URL = \"https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/pack_catalog.json\"\n\ndef - fetch_pack_catalog(catalog_url: str = DEFAULT_CATALOG_URL) -> Dict[str, Any]:\n - \ data = http_get_json(catalog_url)\n if not isinstance(data, dict):\n raise - Exception(f\"pack_catalog.json unexpected format at {catalog_url}\")\n return - data\n\ndef find_pack_in_catalog(catalog: Dict[str, Any], pack_id: str) -> Optional[Dict[str, - Any]]:\n packs = catalog.get(\"packs\") or catalog.get(\"Packs\") or catalog.get(\"items\") - or []\n if not isinstance(packs, list):\n return None\n for p in packs:\n - \ if isinstance(p, dict) and (p.get(\"id\") == pack_id):\n return - p\n return None\n\ndef resolve_manifest(pack_id: str, include_hidden: bool) -> - Dict[str, Any]:\n if pack_id.startswith(\"http://\") or pack_id.startswith(\"https://\"):\n - \ return http_get_json(pack_id)\n\n catalog = fetch_pack_catalog(DEFAULT_CATALOG_URL)\n - \ pack = find_pack_in_catalog(catalog, pack_id)\n if not pack:\n raise - Exception(f\"Pack '{pack_id}' not found in pack_catalog.json\")\n\n visible = - bool(pack.get(\"visible\", True))\n if (not include_hidden) and (not visible):\n - \ # Back-compat: allow resolution; list hides it unless include_hidden=True\n - \ pass\n\n version = (pack.get(\"version\") or \"\").strip()\n if not - version:\n raise Exception(f\"Pack '{pack_id}' missing version in pack_catalog.json\")\n\n - \ xsoar_config_url = f\"https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/Packs/{pack_id}/xsoar_config.json\"\n - \ release_tag = f\"{pack_id}-v{version}\"\n zip_url = f\"https://github.com/Palo-Cortex/secops-framework/releases/download/{release_tag}/{release_tag}.zip\"\n\n - \ marketplace_packs = [\n {\"id\": \"Base\", \"version\": \"latest\"},\n - \ {\"id\": \"CommonScripts\", \"version\": \"latest\"},\n {\"id\": - \"CommonPlaybooks\", \"version\": \"latest\"},\n {\"id\": \"DemistoRESTAPI\", - \"version\": \"latest\"},\n {\"id\": \"Whois\", \"version\": \"latest\"},\n - \ ]\n\n return {\n \"marketplace_packs\": marketplace_packs,\n \"custom_zip_urls\": - [{\"url\": zip_url, \"name\": release_tag}],\n \"xsoar_config_url\": xsoar_config_url,\n - \ \"pack_catalog_entry\": pack,\n \"pack_version\": version,\n }\n\n# - ---------------------------\n# list action (filter + paging)\n# ---------------------------\n\ndef - do_list(args: Dict[str, Any]):\n using = _norm(args.get(\"using\") or \"\")\n - \ include_hidden = arg_to_bool(args.get(\"include_hidden\"), False)\n\n # list - args\n text_filter = _to_lower(args.get(\"filter\") or args.get(\"q\") or \"\")\n - \ visible_only = arg_to_bool(args.get(\"visible_only\"), True)\n limit = max(1, - to_int(args.get(\"limit\"), 50))\n offset = max(0, to_int(args.get(\"offset\"), - 0))\n sort_by = (_norm(args.get(\"sort_by\")) or \"id\").strip()\n sort_dir - = (_norm(args.get(\"sort_dir\")) or \"asc\").strip().lower()\n fields = _parse_csv(args.get(\"fields\")) - or [\"id\", \"display_name\", \"version\", \"visible\", \"path\"]\n show_total - = arg_to_bool(args.get(\"show_total\"), True)\n\n emit_progress(\"Fetching catalog…\", - stage=\"list\")\n\n catalog = fetch_pack_catalog(DEFAULT_CATALOG_URL)\n packs - = catalog.get(\"packs\") or catalog.get(\"Packs\") or catalog.get(\"items\") or - []\n if not isinstance(packs, list):\n raise Exception(\"pack_catalog.json - is missing 'packs' list\")\n\n rows: List[Dict[str, Any]] = []\n for p in - packs:\n if not isinstance(p, dict):\n continue\n\n visible - = bool(p.get(\"visible\", True))\n\n if (not include_hidden) and (not visible):\n - \ continue\n if visible_only and (not visible):\n continue\n\n - \ row = {\n \"id\": p.get(\"id\", \"\"),\n \"display_name\": - p.get(\"display_name\") or p.get(\"name\") or \"\",\n \"version\": p.get(\"version\", - \"\"),\n \"visible\": str(visible).lower(),\n \"path\": p.get(\"path\") - or f\"Packs/{p.get('id','')}\",\n }\n\n if text_filter:\n hay - = \" \".join([_to_lower(row.get(\"id\")), _to_lower(row.get(\"display_name\")), - _to_lower(row.get(\"path\"))])\n if text_filter not in hay:\n continue\n\n - \ rows.append(row)\n\n total = len(rows)\n\n allowed_sort = {\"id\", - \"display_name\", \"version\", \"visible\", \"path\"}\n if sort_by not in allowed_sort:\n - \ sort_by = \"id\"\n reverse = sort_dir == \"desc\"\n rows.sort(key=lambda - r: _safe_sort_key(r, sort_by), reverse=reverse)\n\n page = rows[offset: offset - + limit]\n start = offset + 1 if page else 0\n end = offset + len(page)\n\n - \ allowed_fields = [\"id\", \"display_name\", \"version\", \"visible\", \"path\"]\n - \ fields = [f for f in fields if f in allowed_fields] or [\"id\", \"display_name\", - \"version\", \"visible\", \"path\"]\n\n header_line = \"| \" + \" | \".join(fields) - + \" |\\n\"\n sep_line = \"| \" + \" | \".join([\"---\"] * len(fields)) + \" - |\\n\"\n table = header_line + sep_line\n for r in page:\n table += - \"| \" + \" | \".join([_norm(r.get(f, \"\")) for f in fields]) + \" |\\n\"\n\n summary_lines - = [\n f\"using: {(using or '(default)')}\",\n f\"include_hidden: {include_hidden}\",\n - \ f\"visible_only: {visible_only}\",\n ]\n if text_filter:\n summary_lines.append(f\"filter: - `{text_filter}`\")\n summary_lines.append(f\"sort: {sort_by} {sort_dir}\")\n - \ summary_lines.append(f\"page: limit={limit}, offset={offset}\")\n if show_total:\n - \ summary_lines.append(f\"showing: {start}-{end} of {total}\")\n\n emit_progress(\"\\n\".join(summary_lines) - + \"\\n\\n\" + table, stage=\"list\")\n return\n\n# ---------------------------\n# - Marketplace install (USE ANNA’S SCRIPT)\n# ---------------------------\n\ndef install_marketplace_packs(\n - \ marketplace_packs: List[Dict[str, str]],\n using: str,\n retry_count: - int,\n retry_sleep_seconds: int,\n debug: bool,\n) -> Dict[str, Any]:\n if - debug:\n emit_progress(\n \"Installing marketplace packs via **XSIAMContentPackInstaller**…\\n\"\n - \ + \"\\n\".join([f'{p.get(\"id\")} @ {p.get(\"version\")}' for p in marketplace_packs]),\n - \ stage=\"packs.marketplace\",\n )\n else:\n emit_progress(\n - \ f\"Installing marketplace packs via **XSIAMContentPackInstaller**… ({len(marketplace_packs)} - pack(s))\",\n stage=\"packs.marketplace\",\n )\n\n args = {\n - \ \"packs_data\": marketplace_packs,\n \"pack_id_key\": \"id\",\n \"pack_version_key\": - \"version\",\n \"install_dependencies\": \"true\",\n }\n if using:\n - \ args[\"using\"] = using\n\n res = exec_with_retry(\n \"XSIAMContentPackInstaller\",\n - \ args,\n retry_count=retry_count,\n retry_sleep_seconds=retry_sleep_seconds,\n - \ context_for_error=\"Failed installing marketplace packs via XSIAMContentPackInstaller\",\n - \ fail_on_error=True,\n )\n return get_contents(res) if res else {}\n\ndef - fetch_installed_marketplace_pack_ids(using: str) -> List[str]:\n try:\n r - = core_api_get(\"/public/v1/contentpacks/metadata/installed\", using=using)\n packs - = (r.get(\"response\") or []) if isinstance(r, dict) else []\n ids = []\n - \ for p in packs:\n pid = p.get(\"id\")\n if pid:\n - \ ids.append(pid)\n return ids\n except Exception:\n return - []\n\n# ---------------------------\n# xsoar_config\n# ---------------------------\n\ndef - fetch_xsoar_config(xsoar_config_url: str) -> Dict[str, Any]:\n data = http_get_json(xsoar_config_url)\n - \ if not isinstance(data, dict):\n raise Exception(f\"xsoar_config.json - unexpected format at {xsoar_config_url}\")\n return data\n\n# ---------------------------\n# - Custom packs install (with timeout -> polling fallback)\n# ---------------------------\n\ndef - wait_for_pack_installed(\n pack_id: str,\n using: str,\n poll_seconds: - int,\n poll_interval_seconds: int,\n debug: bool,\n) -> bool:\n deadline - = time.time() + max(0, poll_seconds)\n interval = max(5, poll_interval_seconds)\n\n - \ log(\n f\"Polling for pack install completion: **{pack_id}** (up to {poll_seconds}s, - every {interval}s)…\",\n stage=\"packs.custom.poll\",\n debug=debug,\n - \ always=True,\n )\n\n while True:\n try:\n installed - = fetch_installed_marketplace_pack_ids(using)\n if pack_id in installed:\n - \ log(f\"Pack **{pack_id}** is now installed.\", stage=\"packs.custom.poll\", - debug=debug, always=True)\n return True\n except Exception - as e:\n log(f\"Poll check error (will retry): {e}\", stage=\"packs.custom.poll.debug\", - debug=debug)\n\n if time.time() >= deadline:\n log(\n f\"Polling - window expired; pack **{pack_id}** not detected as installed yet.\",\n stage=\"packs.custom.poll\",\n - \ debug=debug,\n always=True,\n )\n return - False\n\n time.sleep(interval)\n\ndef install_custom_pack_zip(\n url: - str,\n pack_id: str,\n using: str,\n execution_timeout: int,\n install_timeout: - int,\n retry_count: int,\n retry_sleep_seconds: int,\n skip_verify: bool,\n - \ skip_validation: bool,\n post_install_poll_seconds: int,\n post_install_poll_interval_seconds: - int,\n continue_on_install_timeout: bool,\n debug: bool,\n):\n effective_timeout - = max(1200, execution_timeout, install_timeout)\n\n args = {\n \"file_url\": - url,\n \"execution-timeout\": str(effective_timeout),\n \"skip_verify\": - bool_str_tf(skip_verify),\n \"skip_validation\": bool_str_tf(skip_validation),\n - \ }\n if using:\n args[\"using\"] = using\n\n if debug:\n emit_progress(\n - \ \"\\n\".join(\n [\n \"core-api-install-packs:\",\n - \ f\"- file_url: {url}\",\n f\"- execution-timeout: - {effective_timeout}\",\n f\"- skip_verify: {skip_verify}\",\n - \ f\"- skip_validation: {skip_validation}\",\n ]\n - \ ),\n stage=\"packs.custom.debug\",\n )\n\n try:\n - \ exec_with_retry(\n \"core-api-install-packs\",\n args,\n - \ retry_count=retry_count,\n retry_sleep_seconds=retry_sleep_seconds,\n - \ context_for_error=f\"Failed installing custom pack ZIP: {url}\",\n fail_on_error=True,\n - \ )\n return\n\n except Exception as e:\n err = str(e)\n\n - \ if is_timeout_error(err):\n emit_progress(\n \"\\n\".join(\n - \ [\n \"Custom pack upload call timed out - (client-side).\",\n \"This often means the server is still - uploading/processing.\",\n f\"Switching to polling for installed - pack: **{pack_id}**\",\n ]\n ),\n stage=\"packs.custom.timeout\",\n - \ )\n\n ok = wait_for_pack_installed(\n pack_id=pack_id,\n - \ using=using,\n poll_seconds=post_install_poll_seconds,\n - \ poll_interval_seconds=post_install_poll_interval_seconds,\n debug=debug,\n - \ )\n\n if ok:\n return\n\n msg = - (\n \"Upload timed out and polling did not observe the pack as installed.\\n\"\n - \ f\"pack_id={pack_id}\\nurl={url}\\n\"\n f\"poll_seconds={post_install_poll_seconds}, - interval={post_install_poll_interval_seconds}\\n\"\n \"You can retry - or increase post_install_poll_seconds.\"\n )\n\n if continue_on_install_timeout:\n - \ emit_progress(msg + \"\\n\\ncontinue_on_install_timeout=True β€” continuing - anyway.\", stage=\"packs.custom.timeout\")\n return\n\n raise - Exception(msg)\n\n raise\n\n# ---------------------------\n# Configure (jobs - / integrations / lookups)\n# ---------------------------\n\ndef configure_integrations_from_xsoar_config(\n + \"\"\n raw_url = _github_blob_to_raw(url)\n try:\n \ + \ text = _fetch_text(raw_url, timeout=20)\n text = _truncate_text(text, + max_chars=doc_content_max_chars, max_lines=doc_content_max_lines)\n\n \ + \ body.append(\n \"\\n\".join(\n \ + \ [\n \"
\",\n f\"\ + {name} (click to expand)\",\n \ + \ \"\",\n \"```markdown\",\n \ + \ text,\n \"```\",\n \ + \ \"\",\n f\"_Source: {raw_url}_\",\n \ + \ \"
\",\n \"\",\n \ + \ ]\n )\n )\n except Exception + as e:\n body.append(f\"- **{name}**: could not fetch preview ({e})\"\ + )\n\n emit_progress(\"\\n\".join(body), stage=f\"docs.{when}\")\n\n# ---------------------------\n + # Core API wrappers\n# ---------------------------\n\ndef core_api_get(path: str, + using: str = \"\", execution_timeout: int = 600) -> Dict[str, Any]:\n args = + {\"uri\": path, \"execution-timeout\": str(execution_timeout)}\n if using:\n\ + \ args[\"using\"] = using\n res = exec_cmd(\"core-api-get\", args)\n \ + \ return get_contents(res) or {}\n\ndef core_api_post(path: str, body: Any, using: + str = \"\", execution_timeout: int = 600) -> Dict[str, Any]:\n args = {\"uri\"\ + : path, \"body\": json.dumps(body if body is not None else {}), \"execution-timeout\"\ + : str(execution_timeout)}\n if using:\n args[\"using\"] = using\n res + = exec_cmd(\"core-api-post\", args)\n return get_contents(res) or {}\n\ndef core_api_put(path: + str, body: Any, using: str = \"\", execution_timeout: int = 600) -> Dict[str, Any]:\n\ + \ args = {\"uri\": path, \"body\": json.dumps(body if body is not None else {}), + \"execution-timeout\": str(execution_timeout)}\n if using:\n args[\"using\"\ + ] = using\n res = exec_cmd(\"core-api-put\", args)\n return get_contents(res) + or {}\n\n# ---------------------------\n# HTTP JSON helpers\n# ---------------------------\n + \ndef http_get_json(url: str, timeout: int = 30) -> Any:\n r = requests.get(url, + timeout=timeout)\n r.raise_for_status()\n return r.json()\n\n# ---------------------------\n + # Catalog + Manifest resolver\n# ---------------------------\n\nDEFAULT_CATALOG_URL + = \"https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/pack_catalog.json\"\ + \n\ndef fetch_pack_catalog(catalog_url: str = DEFAULT_CATALOG_URL) -> Dict[str, + Any]:\n data = http_get_json(catalog_url)\n if not isinstance(data, dict):\n\ + \ raise Exception(f\"pack_catalog.json unexpected format at {catalog_url}\"\ + )\n return data\n\ndef find_pack_in_catalog(catalog: Dict[str, Any], pack_id: + str) -> Optional[Dict[str, Any]]:\n packs = catalog.get(\"packs\") or catalog.get(\"\ + Packs\") or catalog.get(\"items\") or []\n if not isinstance(packs, list):\n\ + \ return None\n for p in packs:\n if isinstance(p, dict) and (p.get(\"\ + id\") == pack_id):\n return p\n return None\n\ndef resolve_manifest(pack_id: + str, include_hidden: bool) -> Dict[str, Any]:\n if pack_id.startswith(\"http://\"\ + ) or pack_id.startswith(\"https://\"):\n return http_get_json(pack_id)\n\n\ + \ catalog = fetch_pack_catalog(DEFAULT_CATALOG_URL)\n pack = find_pack_in_catalog(catalog, + pack_id)\n if not pack:\n raise Exception(f\"Pack '{pack_id}' not found + in pack_catalog.json\")\n\n visible = bool(pack.get(\"visible\", True))\n \ + \ if (not include_hidden) and (not visible):\n # Back-compat: allow resolution; + list hides it unless include_hidden=True\n pass\n\n version = (pack.get(\"\ + version\") or \"\").strip()\n if not version:\n raise Exception(f\"Pack + '{pack_id}' missing version in pack_catalog.json\")\n\n xsoar_config_url = f\"\ + https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/Packs/{pack_id}/xsoar_config.json\"\ + \n release_tag = f\"{pack_id}-v{version}\"\n zip_url = f\"https://github.com/Palo-Cortex/secops-framework/releases/download/{release_tag}/{release_tag}.zip\"\ + \n\n marketplace_packs = [\n {\"id\": \"Base\", \"version\": \"latest\"\ + },\n {\"id\": \"CommonScripts\", \"version\": \"latest\"},\n {\"id\"\ + : \"CommonPlaybooks\", \"version\": \"latest\"},\n {\"id\": \"DemistoRESTAPI\"\ + , \"version\": \"latest\"},\n {\"id\": \"Whois\", \"version\": \"latest\"\ + },\n ]\n\n return {\n \"marketplace_packs\": marketplace_packs,\n \ + \ \"custom_zip_urls\": [{\"url\": zip_url, \"name\": release_tag}],\n \ + \ \"xsoar_config_url\": xsoar_config_url,\n \"pack_catalog_entry\": pack,\n\ + \ \"pack_version\": version,\n }\n\n# ---------------------------\n# list + action (filter + paging)\n# ---------------------------\n\ndef do_list(args: Dict[str, + Any]):\n using = _norm(args.get(\"using\") or \"\")\n include_hidden = arg_to_bool(args.get(\"\ + include_hidden\"), False)\n\n # list args\n text_filter = _to_lower(args.get(\"\ + filter\") or args.get(\"q\") or \"\")\n visible_only = arg_to_bool(args.get(\"\ + visible_only\"), True)\n limit = max(1, to_int(args.get(\"limit\"), 50))\n \ + \ offset = max(0, to_int(args.get(\"offset\"), 0))\n sort_by = (_norm(args.get(\"\ + sort_by\")) or \"id\").strip()\n sort_dir = (_norm(args.get(\"sort_dir\")) or + \"asc\").strip().lower()\n fields = _parse_csv(args.get(\"fields\")) or [\"id\"\ + , \"display_name\", \"version\", \"visible\", \"path\"]\n show_total = arg_to_bool(args.get(\"\ + show_total\"), True)\n\n emit_progress(\"Fetching catalog…\", stage=\"list\"\ + )\n\n catalog = fetch_pack_catalog(DEFAULT_CATALOG_URL)\n packs = catalog.get(\"\ + packs\") or catalog.get(\"Packs\") or catalog.get(\"items\") or []\n if not isinstance(packs, + list):\n raise Exception(\"pack_catalog.json is missing 'packs' list\")\n\ + \n rows: List[Dict[str, Any]] = []\n for p in packs:\n if not isinstance(p, + dict):\n continue\n\n visible = bool(p.get(\"visible\", True))\n\ + \n if (not include_hidden) and (not visible):\n continue\n \ + \ if visible_only and (not visible):\n continue\n\n row = + {\n \"id\": p.get(\"id\", \"\"),\n \"display_name\": p.get(\"\ + display_name\") or p.get(\"name\") or \"\",\n \"version\": p.get(\"version\"\ + , \"\"),\n \"visible\": str(visible).lower(),\n \"path\": + p.get(\"path\") or f\"Packs/{p.get('id','')}\",\n }\n\n if text_filter:\n\ + \ hay = \" \".join([_to_lower(row.get(\"id\")), _to_lower(row.get(\"\ + display_name\")), _to_lower(row.get(\"path\"))])\n if text_filter not + in hay:\n continue\n\n rows.append(row)\n\n total = len(rows)\n\ + \n allowed_sort = {\"id\", \"display_name\", \"version\", \"visible\", \"path\"\ + }\n if sort_by not in allowed_sort:\n sort_by = \"id\"\n reverse = + sort_dir == \"desc\"\n rows.sort(key=lambda r: _safe_sort_key(r, sort_by), reverse=reverse)\n\ + \n page = rows[offset: offset + limit]\n start = offset + 1 if page else 0\n\ + \ end = offset + len(page)\n\n allowed_fields = [\"id\", \"display_name\" + , \"version\", \"visible\", \"path\"]\n fields = [f for f in fields if f in allowed_fields] + or [\"id\", \"display_name\", \"version\", \"visible\", \"path\"]\n\n header_line + = \"| \" + \" | \".join(fields) + \" |\\n\"\n sep_line = \"| \" + \" | \".join([\"\ + ---\"] * len(fields)) + \" |\\n\"\n table = header_line + sep_line\n for r + in page:\n table += \"| \" + \" | \".join([_norm(r.get(f, \"\")) for f in + fields]) + \" |\\n\"\n\n summary_lines = [\n f\"using: {(using or '(default)')}\"\ + ,\n f\"include_hidden: {include_hidden}\",\n f\"visible_only: {visible_only}\"\ + ,\n ]\n if text_filter:\n summary_lines.append(f\"filter: `{text_filter}`\"\ + )\n summary_lines.append(f\"sort: {sort_by} {sort_dir}\")\n summary_lines.append(f\"\ + page: limit={limit}, offset={offset}\")\n if show_total:\n summary_lines.append(f\"\ + showing: {start}-{end} of {total}\")\n\n emit_progress(\"\\n\".join(summary_lines) + + \"\\n\\n\" + table, stage=\"list\")\n return\n\n# ---------------------------\n + # Marketplace install (USE ANNA’S SCRIPT)\n# ---------------------------\n\ndef + install_marketplace_packs(\n marketplace_packs: List[Dict[str, str]],\n using: + str,\n retry_count: int,\n retry_sleep_seconds: int,\n debug: bool,\n) + -> Dict[str, Any]:\n if debug:\n emit_progress(\n \"Installing + marketplace packs via **XSIAMContentPackInstaller**…\\n\"\n + \"\\n\"\ + .join([f'{p.get(\"id\")} @ {p.get(\"version\")}' for p in marketplace_packs]),\n\ + \ stage=\"packs.marketplace\",\n )\n else:\n emit_progress(\n\ + \ f\"Installing marketplace packs via **XSIAMContentPackInstaller**… + ({len(marketplace_packs)} pack(s))\",\n stage=\"packs.marketplace\",\n\ + \ )\n\n args = {\n \"packs_data\": marketplace_packs,\n \ + \ \"pack_id_key\": \"id\",\n \"pack_version_key\": \"version\",\n \ + \ \"install_dependencies\": \"true\",\n }\n if using:\n args[\"using\"\ + ] = using\n\n res = exec_with_retry(\n \"XSIAMContentPackInstaller\",\n\ + \ args,\n retry_count=retry_count,\n retry_sleep_seconds=retry_sleep_seconds,\n\ + \ context_for_error=\"Failed installing marketplace packs via XSIAMContentPackInstaller\"\ + ,\n fail_on_error=True,\n )\n return get_contents(res) if res else + {}\n\ndef fetch_installed_marketplace_pack_ids(using: str) -> List[str]:\n try:\n\ + \ r = core_api_get(\"/public/v1/contentpacks/metadata/installed\", using=using)\n\ + \ packs = (r.get(\"response\") or []) if isinstance(r, dict) else []\n \ + \ ids = []\n for p in packs:\n pid = p.get(\"id\")\n \ + \ if pid:\n ids.append(pid)\n return ids\n except + Exception:\n return []\n\n# ---------------------------\n# xsoar_config\n + # ---------------------------\n\ndef fetch_xsoar_config(xsoar_config_url: str) -> + Dict[str, Any]:\n data = http_get_json(xsoar_config_url)\n if not isinstance(data, + dict):\n raise Exception(f\"xsoar_config.json unexpected format at {xsoar_config_url}\"\ + )\n return data\n\n# ---------------------------\n# Custom packs install (with + timeout -> polling fallback)\n# ---------------------------\n\ndef wait_for_pack_installed(\n\ + \ pack_id: str,\n using: str,\n poll_seconds: int,\n poll_interval_seconds: + int,\n debug: bool,\n) -> bool:\n deadline = time.time() + max(0, poll_seconds)\n\ + \ interval = max(5, poll_interval_seconds)\n\n log(\n f\"Polling for + pack install completion: **{pack_id}** (up to {poll_seconds}s, every {interval}s)…\"\ + ,\n stage=\"packs.custom.poll\",\n debug=debug,\n always=True,\n\ + \ )\n\n while True:\n try:\n installed = fetch_installed_marketplace_pack_ids(using)\n\ + \ if pack_id in installed:\n log(f\"Pack **{pack_id}** + is now installed.\", stage=\"packs.custom.poll\", debug=debug, always=True)\n \ + \ return True\n except Exception as e:\n log(f\" + Poll check error (will retry): {e}\", stage=\"packs.custom.poll.debug\", debug=debug)\n\ + \n if time.time() >= deadline:\n log(\n f\"Polling + window expired; pack **{pack_id}** not detected as installed yet.\",\n \ + \ stage=\"packs.custom.poll\",\n debug=debug,\n \ + \ always=True,\n )\n return False\n\n time.sleep(interval)\n + \ndef install_custom_pack_zip(\n url: str,\n pack_id: str,\n using: str,\n\ + \ execution_timeout: int,\n install_timeout: int,\n retry_count: int,\n\ + \ retry_sleep_seconds: int,\n skip_verify: bool,\n skip_validation: bool,\n\ + \ post_install_poll_seconds: int,\n post_install_poll_interval_seconds: int,\n\ + \ continue_on_install_timeout: bool,\n debug: bool,\n):\n effective_timeout + = max(1200, execution_timeout, install_timeout)\n\n args = {\n \"file_url\"\ + : url,\n \"execution-timeout\": str(effective_timeout),\n \"skip_verify\"\ + : bool_str_tf(skip_verify),\n \"skip_validation\": bool_str_tf(skip_validation),\n\ + \ }\n if using:\n args[\"using\"] = using\n\n if debug:\n \ + \ emit_progress(\n \"\\n\".join(\n [\n \ + \ \"core-api-install-packs:\",\n f\"- file_url: {url}\"\ + ,\n f\"- execution-timeout: {effective_timeout}\",\n \ + \ f\"- skip_verify: {skip_verify}\",\n f\"- skip_validation: + {skip_validation}\",\n ]\n ),\n stage=\"packs.custom.debug\"\ + ,\n )\n\n try:\n exec_with_retry(\n \"core-api-install-packs\"\ + ,\n args,\n retry_count=retry_count,\n retry_sleep_seconds=retry_sleep_seconds,\n\ + \ context_for_error=f\"Failed installing custom pack ZIP: {url}\",\n\ + \ fail_on_error=True,\n )\n return\n\n except Exception + as e:\n err = str(e)\n\n if is_timeout_error(err):\n emit_progress(\n\ + \ \"\\n\".join(\n [\n \"\ + Custom pack upload call timed out (client-side).\",\n \" + This often means the server is still uploading/processing.\",\n \ + \ f\"Switching to polling for installed pack: **{pack_id}**\",\n \ + \ ]\n ),\n stage=\"packs.custom.timeout\"\ + ,\n )\n\n ok = wait_for_pack_installed(\n pack_id=pack_id,\n\ + \ using=using,\n poll_seconds=post_install_poll_seconds,\n\ + \ poll_interval_seconds=post_install_poll_interval_seconds,\n \ + \ debug=debug,\n )\n\n if ok:\n \ + \ return\n\n msg = (\n \"Upload timed out and polling + did not observe the pack as installed.\\n\"\n f\"pack_id={pack_id}\\\ + nurl={url}\\n\"\n f\"poll_seconds={post_install_poll_seconds}, interval={post_install_poll_interval_seconds}\\\ + n\"\n \"You can retry or increase post_install_poll_seconds.\"\n\ + \ )\n\n if continue_on_install_timeout:\n emit_progress(msg + + \"\\n\\ncontinue_on_install_timeout=True β€” continuing anyway.\", stage=\"packs.custom.timeout\"\ + )\n return\n\n raise Exception(msg)\n\n raise\n + \n# ---------------------------\n# Configure (jobs / integrations / lookups)\n# + ---------------------------\n\ndef configure_integrations_from_xsoar_config(\n \ \ xsoar_cfg: Dict[str, Any],\n using: str,\n retry_count: int,\n retry_sleep_seconds: - int,\n installed_pack_ids: List[str],\n debug: bool,\n) -> Dict[str, Any]:\n - \ items = [x for x in (xsoar_cfg.get(\"integration_instances\", []) or []) if + int,\n installed_pack_ids: List[str],\n debug: bool,\n) -> Dict[str, Any]:\n\ + \ items = [x for x in (xsoar_cfg.get(\"integration_instances\", []) or []) if isinstance(x, dict)]\n emit_progress(f\"Configuring integration instances… ({len(items)} - instance(s))\", stage=\"configure.integrations\")\n\n summary = {\n \"attempted\": - 0,\n \"ok\": 0,\n \"already_exists\": 0,\n \"skipped_missing_pack\": - 0,\n \"skipped_missing_brand\": 0,\n \"failed\": 0,\n \"failed_items\": - [],\n }\n\n for inst in items:\n instance_name = (inst.get(\"name\") - or \"\").strip()\n if not instance_name:\n continue\n\n required_pack - = ((inst.get(\"required_pack_id\") or inst.get(\"marketplace_pack\") or inst.get(\"pack_id\") - or \"\").strip())\n if required_pack and required_pack not in installed_pack_ids:\n - \ summary[\"skipped_missing_pack\"] += 1\n log(\n f\"Skipping - integration instance **{instance_name}** β€” marketplace pack **{required_pack}** - not installed.\",\n stage=\"configure.integrations.debug\",\n debug=debug,\n - \ )\n continue\n\n brand = (inst.get(\"brand\") or \"\").strip()\n - \ if not brand:\n summary[\"skipped_missing_brand\"] += 1\n log(\n - \ f\"Skipping integration instance **{instance_name}** β€” missing required - field `brand`.\",\n stage=\"configure.integrations.debug\",\n debug=debug,\n - \ )\n continue\n\n summary[\"attempted\"] += 1\n\n payload - = {\n \"name\": instance_name,\n \"brand\": brand,\n \"enabled\": - inst.get(\"enabled\", \"true\"),\n \"category\": inst.get(\"category\") - or \"\",\n \"data\": inst.get(\"data\") or [],\n }\n\n log(\n - \ f\"Creating/updating integration instance: **{instance_name}** (brand: - **{brand}**)\",\n stage=\"configure.integrations.debug\",\n debug=debug,\n - \ )\n\n def _do_put():\n return core_api_put(\"/xsoar/public/v1/settings/integration\", - payload, using=using, execution_timeout=600)\n\n last_err = None\n for - attempt in range(1, max(1, retry_count) + 1):\n try:\n resp - = _do_put()\n rid = (resp.get(\"id\") if isinstance(resp, dict) else - None) or \"\"\n summary[\"ok\"] += 1\n log(\n f\"Integration - instance **{instance_name}** created/updated. id={rid or '(unknown)'}\",\n stage=\"configure.integrations.result\",\n - \ debug=debug,\n )\n break\n except - Exception as e:\n last_err = str(e)\n\n if is_instance_already_exists_error(last_err):\n - \ summary[\"already_exists\"] += 1\n log(\n - \ f\"Integration instance **{instance_name}** already exists - β€” skipping (idempotent).\",\n stage=\"configure.integrations.result\",\n - \ debug=debug,\n )\n break\n\n - \ if attempt >= retry_count:\n summary[\"failed\"] - += 1\n summary[\"failed_items\"].append({\"name\": instance_name, + instance(s))\", stage=\"configure.integrations\")\n\n summary = {\n \"\ + attempted\": 0,\n \"ok\": 0,\n \"already_exists\": 0,\n \"\ + skipped_missing_pack\": 0,\n \"skipped_missing_brand\": 0,\n \"failed\"\ + : 0,\n \"failed_items\": [],\n }\n\n for inst in items:\n instance_name + = (inst.get(\"name\") or \"\").strip()\n if not instance_name:\n \ + \ continue\n\n required_pack = ((inst.get(\"required_pack_id\") or inst.get(\"\ + marketplace_pack\") or inst.get(\"pack_id\") or \"\").strip())\n if required_pack + and required_pack not in installed_pack_ids:\n summary[\"skipped_missing_pack\"\ + ] += 1\n log(\n f\"Skipping integration instance **{instance_name}** + β€” marketplace pack **{required_pack}** not installed.\",\n stage=\"\ + configure.integrations.debug\",\n debug=debug,\n )\n \ + \ continue\n\n brand = (inst.get(\"brand\") or \"\").strip()\n\ + \ if not brand:\n summary[\"skipped_missing_brand\"] += 1\n \ + \ log(\n f\"Skipping integration instance **{instance_name}** + β€” missing required field `brand`.\",\n stage=\"configure.integrations.debug\"\ + ,\n debug=debug,\n )\n continue\n\n \ + \ summary[\"attempted\"] += 1\n\n payload = {\n \"name\": instance_name,\n\ + \ \"brand\": brand,\n \"enabled\": inst.get(\"enabled\", \"\ + true\"),\n \"category\": inst.get(\"category\") or \"\",\n \ + \ \"data\": inst.get(\"data\") or [],\n }\n\n log(\n f\"\ + Creating/updating integration instance: **{instance_name}** (brand: **{brand}**)\"\ + ,\n stage=\"configure.integrations.debug\",\n debug=debug,\n\ + \ )\n\n def _do_put():\n return core_api_put(\"/xsoar/public/v1/settings/integration\"\ + , payload, using=using, execution_timeout=600)\n\n last_err = None\n \ + \ for attempt in range(1, max(1, retry_count) + 1):\n try:\n \ + \ resp = _do_put()\n rid = (resp.get(\"id\") if isinstance(resp, + dict) else None) or \"\"\n summary[\"ok\"] += 1\n \ + \ log(\n f\"Integration instance **{instance_name}** created/updated. + id={rid or '(unknown)'}\",\n stage=\"configure.integrations.result\"\ + ,\n debug=debug,\n )\n break\n\ + \ except Exception as e:\n last_err = str(e)\n\n \ + \ if is_instance_already_exists_error(last_err):\n \ + \ summary[\"already_exists\"] += 1\n log(\n \ + \ f\"Integration instance **{instance_name}** already exists β€” skipping (idempotent).\"\ + ,\n stage=\"configure.integrations.result\",\n \ + \ debug=debug,\n )\n break\n\n\ + \ if attempt >= retry_count:\n summary[\"failed\"\ + ] += 1\n summary[\"failed_items\"].append({\"name\": instance_name, \"error\": last_err})\n emit_progress(f\"Failed configuring integration - instance **{instance_name}**.\\nError: {last_err}\", stage=\"configure.integrations.error\")\n - \ break\n\n time.sleep(max(1, retry_sleep_seconds))\n\n - \ emit_progress(\n \"\\n\".join(\n [\n \"Integration - instances summary:\",\n f\"- attempted: {summary['attempted']}\",\n - \ f\"- ok: {summary['ok']}\",\n f\"- already exists: - {summary['already_exists']}\",\n f\"- skipped (missing pack): {summary['skipped_missing_pack']}\",\n - \ f\"- skipped (missing brand): {summary['skipped_missing_brand']}\",\n - \ f\"- failed: {summary['failed']}\",\n \"\",\n \"_Note: - UI/index propagation can take a few minutes after instance create/update._\",\n - \ ]\n ),\n stage=\"configure.integrations.summary\",\n )\n\n - \ return summary\n\ndef configure_jobs_from_xsoar_config(\n xsoar_cfg: Dict[str, - Any],\n using: str,\n retry_count: int,\n retry_sleep_seconds: int,\n debug: - bool,\n) -> Dict[str, Any]:\n jobs = [x for x in (xsoar_cfg.get(\"jobs\", []) - or []) if isinstance(x, dict)]\n emit_progress(f\"Configuring jobs… ({len(jobs)} - job(s))\", stage=\"configure.jobs\")\n\n summary = {\"attempted\": 0, \"ok\": - 0, \"failed\": 0, \"failed_items\": []}\n\n for job in jobs:\n name = - (job.get(\"name\") or job.get(\"job_name\") or \"\").strip()\n if not name:\n - \ continue\n\n summary[\"attempted\"] += 1\n log(f\"Configuring - job: **{name}**\", stage=\"configure.jobs.debug\", debug=debug)\n\n cmd_args - = {\"job_name\": name, \"job_data\": json.dumps(job)}\n if using:\n cmd_args[\"using\"] - = using\n\n try:\n _ = exec_with_retry(\n \"SOCFWJobManager\",\n - \ cmd_args,\n retry_count=retry_count,\n retry_sleep_seconds=retry_sleep_seconds,\n - \ context_for_error=f\"Failed configuring job: {name}\",\n fail_on_error=True,\n - \ )\n summary[\"ok\"] += 1\n log(f\"Job **{name}** - ok\", stage=\"configure.jobs.result\", debug=debug)\n except Exception as - e:\n summary[\"failed\"] += 1\n summary[\"failed_items\"].append({\"name\": - name, \"error\": str(e)})\n emit_progress(f\"Failed configuring job **{name}**.\\nError: - {e}\", stage=\"configure.jobs.error\")\n\n emit_progress(\n \"\\n\".join(\n - \ [\n \"Jobs summary:\",\n f\"- attempted: - {summary['attempted']}\",\n f\"- ok: {summary['ok']}\",\n f\"- - failed: {summary['failed']}\",\n ]\n ),\n stage=\"configure.jobs.summary\",\n - \ )\n return summary\n\ndef configure_lookups_from_xsoar_config(\n xsoar_cfg: + instance **{instance_name}**.\\nError: {last_err}\", stage=\"configure.integrations.error\"\ + )\n break\n\n time.sleep(max(1, retry_sleep_seconds))\n\ + \n emit_progress(\n \"\\n\".join(\n [\n \"Integration + instances summary:\",\n f\"- attempted: {summary['attempted']}\"\ + ,\n f\"- ok: {summary['ok']}\",\n f\"- already exists: + {summary['already_exists']}\",\n f\"- skipped (missing pack): {summary['skipped_missing_pack']}\"\ + ,\n f\"- skipped (missing brand): {summary['skipped_missing_brand']}\"\ + ,\n f\"- failed: {summary['failed']}\",\n \"\",\n\ + \ \"_Note: UI/index propagation can take a few minutes after instance + create/update._\",\n ]\n ),\n stage=\"configure.integrations.summary\"\ + ,\n )\n\n return summary\n\ndef configure_jobs_from_xsoar_config(\n xsoar_cfg: + Dict[str, Any],\n using: str,\n retry_count: int,\n retry_sleep_seconds: + int,\n debug: bool,\n) -> Dict[str, Any]:\n jobs = [x for x in (xsoar_cfg.get(\"\ + jobs\", []) or []) if isinstance(x, dict)]\n emit_progress(f\"Configuring jobs… + ({len(jobs)} job(s))\", stage=\"configure.jobs\")\n\n summary = {\"attempted\"\ + : 0, \"ok\": 0, \"failed\": 0, \"failed_items\": []}\n\n for job in jobs:\n \ + \ name = (job.get(\"name\") or job.get(\"job_name\") or \"\").strip()\n \ + \ if not name:\n continue\n\n summary[\"attempted\"] += 1\n\ + \ log(f\"Configuring job: **{name}**\", stage=\"configure.jobs.debug\", debug=debug)\n\ + \n cmd_args = {\"job_name\": name, \"job_data\": json.dumps(job)}\n \ + \ if using:\n cmd_args[\"using\"] = using\n\n try:\n \ + \ _ = exec_with_retry(\n \"SOCFWJobManager\",\n \ + \ cmd_args,\n retry_count=retry_count,\n retry_sleep_seconds=retry_sleep_seconds,\n\ + \ context_for_error=f\"Failed configuring job: {name}\",\n \ + \ fail_on_error=True,\n )\n summary[\"ok\"] += 1\n\ + \ log(f\"Job **{name}** ok\", stage=\"configure.jobs.result\", debug=debug)\n\ + \ except Exception as e:\n summary[\"failed\"] += 1\n \ + \ summary[\"failed_items\"].append({\"name\": name, \"error\": str(e)})\n \ + \ emit_progress(f\"Failed configuring job **{name}**.\\nError: {e}\", stage=\"\ + configure.jobs.error\")\n\n emit_progress(\n \"\\n\".join(\n \ + \ [\n \"Jobs summary:\",\n f\"- attempted: {summary['attempted']}\"\ + ,\n f\"- ok: {summary['ok']}\",\n f\"- failed: {summary['failed']}\"\ + ,\n ]\n ),\n stage=\"configure.jobs.summary\",\n )\n\ + \ return summary\n\ndef configure_lookups_from_xsoar_config(\n xsoar_cfg: Dict[str, Any],\n using: str,\n retry_count: int,\n retry_sleep_seconds: int,\n overwrite_lookup: bool,\n debug: bool,\n) -> Dict[str, Any]:\n dsets - = [x for x in (xsoar_cfg.get(\"lookup_datasets\", []) or []) if isinstance(x, dict)]\n - \ emit_progress(f\"Configuring lookup datasets… ({len(dsets)} dataset(s))\", stage=\"configure.lookups\")\n\n - \ summary = {\"attempted\": 0, \"ok\": 0, \"failed\": 0, \"failed_items\": []}\n\n - \ for ds in dsets:\n name = (ds.get(\"name\") or ds.get(\"dataset_name\") - or \"\").strip()\n if not name:\n continue\n\n summary[\"attempted\"] - += 1\n log(f\"Configuring lookup dataset: **{name}**\", stage=\"configure.lookups.debug\", - debug=debug)\n\n cmd_args = {\n \"lookup_dataset_name\": name,\n - \ \"lookup_dataset_data\": json.dumps(ds),\n \"overwrite_lookup\": - bool_str_tf(overwrite_lookup),\n }\n if using:\n cmd_args[\"using\"] - = using\n\n try:\n _ = exec_with_retry(\n \"SOCFWLookupManager\",\n - \ cmd_args,\n retry_count=retry_count,\n retry_sleep_seconds=retry_sleep_seconds,\n - \ context_for_error=f\"Failed configuring lookup dataset: {name}\",\n - \ fail_on_error=True,\n )\n summary[\"ok\"] - += 1\n log(f\"Lookup **{name}** ok\", stage=\"configure.lookups.result\", - debug=debug)\n except Exception as e:\n summary[\"failed\"] += - 1\n summary[\"failed_items\"].append({\"name\": name, \"error\": str(e)})\n - \ emit_progress(f\"Failed configuring lookup dataset **{name}**.\\nError: - {e}\", stage=\"configure.lookups.error\")\n\n emit_progress(\n \"\\n\".join(\n - \ [\n \"Lookups summary:\",\n f\"- attempted: - {summary['attempted']}\",\n f\"- ok: {summary['ok']}\",\n f\"- - failed: {summary['failed']}\",\n ]\n ),\n stage=\"configure.lookups.summary\",\n - \ )\n return summary\n\n# ---------------------------\n# Main\n# ---------------------------\n\ndef - main():\n args = demisto.args()\n\n action = (args.get(\"action\") or \"apply\").strip().lower()\n - \ pack_id = (args.get(\"pack_id\") or \"\").strip()\n include_hidden = arg_to_bool(args.get(\"include_hidden\"), - False)\n dry_run = arg_to_bool(args.get(\"dry_run\"), False)\n\n install_marketplace_flag - = arg_to_bool(args.get(\"install_marketplace\"), True)\n apply_configure = arg_to_bool(args.get(\"apply_configure\"), - True)\n configure_jobs = arg_to_bool(args.get(\"configure_jobs\"), True)\n configure_integrations - = arg_to_bool(args.get(\"configure_integrations\"), True)\n configure_lookups - = arg_to_bool(args.get(\"configure_lookups\"), True)\n overwrite_lookup = arg_to_bool(args.get(\"overwrite_lookup\"), - False)\n\n include_doc_content = arg_to_bool(args.get(\"include_doc_content\"), - False)\n doc_content_max_chars = to_int(args.get(\"doc_content_max_chars\"), - 6000)\n doc_content_max_lines = to_int(args.get(\"doc_content_max_lines\"), 200)\n\n - \ # NEW: pre-config gate\n pre_config_done = arg_to_bool(args.get(\"pre_config_done\"), - False)\n pre_config_gate = arg_to_bool(args.get(\"pre_config_gate\"), True) # - default True\n\n retry_count = to_int(args.get(\"retry_count\"), 5)\n retry_sleep_seconds - = to_int(args.get(\"retry_sleep_seconds\"), 15)\n using = (args.get(\"using\") - or \"\").strip()\n execution_timeout = to_int(args.get(\"execution_timeout\"), - 1200)\n\n skip_verify = arg_to_bool(args.get(\"skip_verify\"), True)\n skip_validation - = arg_to_bool(args.get(\"skip_validation\"), False)\n\n install_timeout = to_int(args.get(\"install_timeout\"), - 3600)\n\n post_install_poll_seconds = to_int(args.get(\"post_install_poll_seconds\"), - 1800)\n post_install_poll_interval_seconds = to_int(args.get(\"post_install_poll_interval_seconds\"), - 60)\n continue_on_install_timeout = arg_to_bool(args.get(\"continue_on_install_timeout\"), - False)\n\n fail_on_marketplace_errors = arg_to_bool(args.get(\"fail_on_marketplace_errors\"), - False)\n\n debug = arg_to_bool(args.get(\"debug\"), False)\n\n if action not - in (\"apply\", \"list\"):\n raise Exception(f\"Unsupported action: {action}\")\n\n - \ if action == \"list\":\n return do_list(args)\n\n if not pack_id:\n - \ raise Exception(\"pack_id is required for action=apply\")\n\n emit_progress(\n - \ \"\\n\".join(\n [\n f\"Starting {action} for **{pack_id}**\",\n - \ f\"- include_hidden={include_hidden}\",\n f\"- dry_run={dry_run}\",\n - \ f\"- install_marketplace={install_marketplace_flag}\",\n f\"- - apply_configure={apply_configure} (jobs={configure_jobs}, integrations={configure_integrations}, - lookups={configure_lookups})\",\n f\"- overwrite_lookup={overwrite_lookup}\",\n - \ f\"- retries={retry_count}, retry_sleep_seconds={retry_sleep_seconds}\",\n - \ f\"- using={(using or '(default)')}\",\n f\"- execution_timeout={execution_timeout}\",\n - \ f\"- install_timeout={install_timeout}\",\n f\"- - skip_verify={skip_verify}\",\n f\"- skip_validation={skip_validation}\",\n - \ f\"- post_install_poll_seconds={post_install_poll_seconds}\",\n - \ f\"- post_install_poll_interval_seconds={post_install_poll_interval_seconds}\",\n - \ f\"- continue_on_install_timeout={continue_on_install_timeout}\",\n - \ f\"- fail_on_marketplace_errors={fail_on_marketplace_errors}\",\n - \ f\"- include_doc_content={include_doc_content} (max_chars={doc_content_max_chars}, - max_lines={doc_content_max_lines})\",\n f\"- pre_config_gate={pre_config_gate}\",\n - \ f\"- pre_config_done={pre_config_done}\",\n f\"- - debug={debug}\",\n ]\n ),\n stage=\"start\",\n )\n\n - \ emit_progress(\"Resolving install manifest…\", stage=\"manifest\")\n manifest + = [x for x in (xsoar_cfg.get(\"lookup_datasets\", []) or []) if isinstance(x, dict)]\n\ + \ emit_progress(f\"Configuring lookup datasets… ({len(dsets)} dataset(s))\", + stage=\"configure.lookups\")\n\n summary = {\"attempted\": 0, \"ok\": 0, \"failed\"\ + : 0, \"failed_items\": []}\n\n for ds in dsets:\n name = (ds.get(\"name\"\ + ) or ds.get(\"dataset_name\") or \"\").strip()\n if not name:\n \ + \ continue\n\n summary[\"attempted\"] += 1\n log(f\"Configuring + lookup dataset: **{name}**\", stage=\"configure.lookups.debug\", debug=debug)\n\n\ + \ cmd_args = {\n \"lookup_dataset_name\": name,\n \"\ + lookup_dataset_data\": json.dumps(ds),\n \"overwrite_lookup\": bool_str_tf(overwrite_lookup),\n\ + \ }\n if using:\n cmd_args[\"using\"] = using\n\n \ + \ try:\n _ = exec_with_retry(\n \"SOCFWLookupManager\"\ + ,\n cmd_args,\n retry_count=retry_count,\n \ + \ retry_sleep_seconds=retry_sleep_seconds,\n context_for_error=f\"\ + Failed configuring lookup dataset: {name}\",\n fail_on_error=True,\n\ + \ )\n summary[\"ok\"] += 1\n log(f\"Lookup **{name}** + ok\", stage=\"configure.lookups.result\", debug=debug)\n except Exception + as e:\n summary[\"failed\"] += 1\n summary[\"failed_items\"\ + ].append({\"name\": name, \"error\": str(e)})\n emit_progress(f\"Failed + configuring lookup dataset **{name}**.\\nError: {e}\", stage=\"configure.lookups.error\"\ + )\n\n emit_progress(\n \"\\n\".join(\n [\n \"\ + Lookups summary:\",\n f\"- attempted: {summary['attempted']}\",\n\ + \ f\"- ok: {summary['ok']}\",\n f\"- failed: {summary['failed']}\"\ + ,\n ]\n ),\n stage=\"configure.lookups.summary\",\n \ + \ )\n return summary\n\n# ---------------------------\n# Main\n# ---------------------------\n + \ndef main():\n args = demisto.args()\n\n action = (args.get(\"action\") or + \"apply\").strip().lower()\n pack_id = (args.get(\"pack_id\") or \"\").strip()\n\ + \ include_hidden = arg_to_bool(args.get(\"include_hidden\"), False)\n dry_run + = arg_to_bool(args.get(\"dry_run\"), False)\n\n install_marketplace_flag = arg_to_bool(args.get(\"\ + install_marketplace\"), True)\n apply_configure = arg_to_bool(args.get(\"apply_configure\"\ + ), True)\n configure_jobs = arg_to_bool(args.get(\"configure_jobs\"), True)\n\ + \ configure_integrations = arg_to_bool(args.get(\"configure_integrations\"), + True)\n configure_lookups = arg_to_bool(args.get(\"configure_lookups\"), True)\n\ + \ overwrite_lookup = arg_to_bool(args.get(\"overwrite_lookup\"), False)\n\n \ + \ include_doc_content = arg_to_bool(args.get(\"include_doc_content\"), False)\n\ + \ doc_content_max_chars = to_int(args.get(\"doc_content_max_chars\"), 6000)\n\ + \ doc_content_max_lines = to_int(args.get(\"doc_content_max_lines\"), 200)\n\n\ + \ # NEW: pre-config gate\n pre_config_done = arg_to_bool(args.get(\"pre_config_done\"\ + ), False)\n pre_config_gate = arg_to_bool(args.get(\"pre_config_gate\"), True)\ + \ # default True\n\n retry_count = to_int(args.get(\"retry_count\"), 5)\n \ + \ retry_sleep_seconds = to_int(args.get(\"retry_sleep_seconds\"), 15)\n using + = (args.get(\"using\") or \"\").strip()\n execution_timeout = to_int(args.get(\"\ + execution_timeout\"), 1200)\n\n skip_verify = arg_to_bool(args.get(\"skip_verify\"\ + ), True)\n skip_validation = arg_to_bool(args.get(\"skip_validation\"), False)\n\ + \n install_timeout = to_int(args.get(\"install_timeout\"), 3600)\n\n post_install_poll_seconds + = to_int(args.get(\"post_install_poll_seconds\"), 1800)\n post_install_poll_interval_seconds + = to_int(args.get(\"post_install_poll_interval_seconds\"), 60)\n continue_on_install_timeout + = arg_to_bool(args.get(\"continue_on_install_timeout\"), False)\n\n fail_on_marketplace_errors + = arg_to_bool(args.get(\"fail_on_marketplace_errors\"), False)\n\n debug = arg_to_bool(args.get(\"\ + debug\"), False)\n\n if action not in (\"apply\", \"list\"):\n raise Exception(f\"\ + Unsupported action: {action}\")\n\n if action == \"list\":\n return do_list(args)\n\ + \n if not pack_id:\n raise Exception(\"pack_id is required for action=apply\"\ + )\n\n emit_progress(\n \"\\n\".join(\n [\n f\"\ + Starting {action} for **{pack_id}**\",\n f\"- include_hidden={include_hidden}\"\ + ,\n f\"- dry_run={dry_run}\",\n f\"- install_marketplace={install_marketplace_flag}\"\ + ,\n f\"- apply_configure={apply_configure} (jobs={configure_jobs}, + integrations={configure_integrations}, lookups={configure_lookups})\",\n \ + \ f\"- overwrite_lookup={overwrite_lookup}\",\n f\"- retries={retry_count}, + retry_sleep_seconds={retry_sleep_seconds}\",\n f\"- using={(using + or '(default)')}\",\n f\"- execution_timeout={execution_timeout}\"\ + ,\n f\"- install_timeout={install_timeout}\",\n f\"\ + - skip_verify={skip_verify}\",\n f\"- skip_validation={skip_validation}\"\ + ,\n f\"- post_install_poll_seconds={post_install_poll_seconds}\"\ + ,\n f\"- post_install_poll_interval_seconds={post_install_poll_interval_seconds}\"\ + ,\n f\"- continue_on_install_timeout={continue_on_install_timeout}\"\ + ,\n f\"- fail_on_marketplace_errors={fail_on_marketplace_errors}\"\ + ,\n f\"- include_doc_content={include_doc_content} (max_chars={doc_content_max_chars}, + max_lines={doc_content_max_lines})\",\n f\"- pre_config_gate={pre_config_gate}\"\ + ,\n f\"- pre_config_done={pre_config_done}\",\n f\"\ + - debug={debug}\",\n ]\n ),\n stage=\"start\",\n )\n\ + \n emit_progress(\"Resolving install manifest…\", stage=\"manifest\")\n manifest = resolve_manifest(pack_id, include_hidden=include_hidden)\n\n marketplace_packs - = manifest.get(\"marketplace_packs\") or []\n custom_zip_urls = manifest.get(\"custom_zip_urls\") - or []\n xsoar_config_url = manifest.get(\"xsoar_config_url\") or \"\"\n\n emit_progress(\n - \ \"\\n\".join(\n [\n \"Manifest resolved.\",\n - \ f\"- marketplace_packs: {len(marketplace_packs)}\",\n f\"- - custom ZIP URLs: {len(custom_zip_urls)}\",\n f\"- xsoar_config_url: - {xsoar_config_url or '(none)'}\",\n ]\n ),\n stage=\"manifest.summary\",\n - \ )\n\n xsoar_cfg: Dict[str, Any] = {}\n if xsoar_config_url:\n emit_progress(\"Fetching - xsoar_config.json…\", stage=\"xsoar_config.fetch\")\n xsoar_cfg = fetch_xsoar_config(xsoar_config_url) + = manifest.get(\"marketplace_packs\") or []\n custom_zip_urls = manifest.get(\"\ + custom_zip_urls\") or []\n xsoar_config_url = manifest.get(\"xsoar_config_url\"\ + ) or \"\"\n\n emit_progress(\n \"\\n\".join(\n [\n \ + \ \"Manifest resolved.\",\n f\"- marketplace_packs: {len(marketplace_packs)}\"\ + ,\n f\"- custom ZIP URLs: {len(custom_zip_urls)}\",\n \ + \ f\"- xsoar_config_url: {xsoar_config_url or '(none)'}\",\n ]\n\ + \ ),\n stage=\"manifest.summary\",\n )\n\n xsoar_cfg: Dict[str, + Any] = {}\n if xsoar_config_url:\n emit_progress(\"Fetching xsoar_config.json…\"\ + , stage=\"xsoar_config.fetch\")\n xsoar_cfg = fetch_xsoar_config(xsoar_config_url) or {}\n\n cfg_marketplace_packs = xsoar_cfg.get(\"marketplace_packs\") or - []\n if isinstance(cfg_marketplace_packs, list) and cfg_marketplace_packs:\n - \ marketplace_packs = cfg_marketplace_packs\n\n emit_progress(\n - \ \"\\n\".join(\n [\n \"xsoar_config + []\n if isinstance(cfg_marketplace_packs, list) and cfg_marketplace_packs:\n\ + \ marketplace_packs = cfg_marketplace_packs\n\n emit_progress(\n\ + \ \"\\n\".join(\n [\n \"xsoar_config loaded.\",\n f\"- integration_instances: {len(xsoar_cfg.get('integration_instances', []) or [])}\",\n f\"- jobs: {len(xsoar_cfg.get('jobs', []) or [])}\",\n f\"- lookup_datasets: {len(xsoar_cfg.get('lookup_datasets', []) or [])}\",\n f\"- has_pre_config_docs: {has_config_docs(xsoar_cfg, 'pre')}\",\n f\"- has_post_config_docs: {has_config_docs(xsoar_cfg, - 'post')}\",\n ]\n ),\n stage=\"xsoar_config.summary\",\n - \ )\n\n # Print PRE docs immediately\n print_config_docs(\n - \ xsoar_cfg,\n when=\"pre\",\n debug=debug,\n include_doc_content=include_doc_content,\n - \ doc_content_max_chars=doc_content_max_chars,\n doc_content_max_lines=doc_content_max_lines,\n - \ )\n\n # DEFAULT: stop after printing PRE docs if they exist (unless - acknowledged/bypassed)\n if pre_config_gate and has_config_docs(xsoar_cfg, - \"pre\") and not pre_config_done:\n emit_progress(\n \"\\n\".join(\n - \ [\n \"\U0001F6D1 **Pre-config required**\",\n - \ \"Pre-config docs were printed above.\",\n \"\",\n - \ \"After completing those steps, rerun with:\",\n \"- - `pre_config_done=true`\",\n \"\",\n f\"Example:\\n`!SOCFWPackManager - action=apply pack_id={pack_id} pre_config_done=true`\",\n \"\",\n - \ \"To bypass this stop (not recommended), run with:\",\n - \ \"- `pre_config_gate=false`\",\n ]\n - \ ),\n stage=\"docs.pre.gate\",\n )\n return_results(\n - \ {\n \"pack_id\": pack_id,\n \"xsoar_config_url\": - xsoar_config_url,\n \"stopped_after_pre_docs\": True,\n \"next_command_hint\": - f\"!SOCFWPackManager action=apply pack_id={pack_id} pre_config_done=true\",\n }\n - \ )\n return\n\n if dry_run:\n emit_progress(\"dry_run=True - β€” not installing or configuring anything.\", stage=\"done\")\n return\n\n - \ marketplace_errors: List[str] = []\n if install_marketplace_flag and marketplace_packs:\n - \ mp = []\n for p in marketplace_packs:\n if isinstance(p, - dict) and p.get(\"id\"):\n mp.append({\"id\": p.get(\"id\"), \"version\": - p.get(\"version\", \"latest\")})\n\n try:\n _ = install_marketplace_packs(mp, + 'post')}\",\n ]\n ),\n stage=\"xsoar_config.summary\"\ + ,\n )\n\n # Print PRE docs immediately\n print_config_docs(\n\ + \ xsoar_cfg,\n when=\"pre\",\n debug=debug,\n \ + \ include_doc_content=include_doc_content,\n doc_content_max_chars=doc_content_max_chars,\n\ + \ doc_content_max_lines=doc_content_max_lines,\n )\n\n \ + \ # DEFAULT: stop after printing PRE docs if they exist (unless acknowledged/bypassed)\n\ + \ if pre_config_gate and has_config_docs(xsoar_cfg, \"pre\") and not pre_config_done:\n\ + \ emit_progress(\n \"\\n\".join(\n \ + \ [\n \"πŸ›‘ **Pre-config required**\",\n \ + \ \"Pre-config docs were printed above.\",\n \"\",\n\ + \ \"After completing those steps, rerun with:\",\n \ + \ \"- `pre_config_done=true`\",\n \"\",\n\ + \ f\"Example:\\n`!SOCFWPackManager action=apply pack_id={pack_id} + pre_config_done=true`\",\n \"\",\n \ + \ \"To bypass this stop (not recommended), run with:\",\n \ + \ \"- `pre_config_gate=false`\",\n ]\n ),\n\ + \ stage=\"docs.pre.gate\",\n )\n return_results(\n\ + \ {\n \"pack_id\": pack_id,\n \ + \ \"xsoar_config_url\": xsoar_config_url,\n \"stopped_after_pre_docs\"\ + : True,\n \"next_command_hint\": f\"!SOCFWPackManager action=apply + pack_id={pack_id} pre_config_done=true\",\n }\n )\n \ + \ return\n\n if dry_run:\n emit_progress(\"dry_run=True β€” not + installing or configuring anything.\", stage=\"done\")\n return\n\n marketplace_errors: + List[str] = []\n if install_marketplace_flag and marketplace_packs:\n \ + \ mp = []\n for p in marketplace_packs:\n if isinstance(p, dict) + and p.get(\"id\"):\n mp.append({\"id\": p.get(\"id\"), \"version\"\ + : p.get(\"version\", \"latest\")})\n\n try:\n _ = install_marketplace_packs(mp, using, retry_count, retry_sleep_seconds, debug=debug)\n except Exception - as e:\n marketplace_errors.append(str(e))\n emit_progress(f\"Marketplace - install failed.\\nError: {e}\", stage=\"packs.marketplace.error\")\n if - fail_on_marketplace_errors:\n raise\n\n if custom_zip_urls:\n - \ emit_progress(f\"Installing custom pack ZIPs… ({len(custom_zip_urls)} ZIP(s))\", - stage=\"packs.custom\")\n for item in custom_zip_urls:\n url = - None\n label = None\n if isinstance(item, str):\n url - = item\n label = item\n elif isinstance(item, dict):\n - \ url = item.get(\"url\") or item.get(\"zip_url\")\n label - = item.get(\"name\") or url\n if not url:\n continue\n\n - \ log(f\"Installing custom pack ZIP: **{label}**\", stage=\"packs.custom.debug\", - debug=debug)\n\n install_custom_pack_zip(\n url=url,\n - \ pack_id=pack_id,\n using=using,\n execution_timeout=execution_timeout,\n - \ install_timeout=install_timeout,\n retry_count=retry_count,\n - \ retry_sleep_seconds=retry_sleep_seconds,\n skip_verify=skip_verify,\n - \ skip_validation=skip_validation,\n post_install_poll_seconds=post_install_poll_seconds,\n - \ post_install_poll_interval_seconds=post_install_poll_interval_seconds,\n - \ continue_on_install_timeout=continue_on_install_timeout,\n debug=debug,\n - \ )\n\n integration_summary = None\n jobs_summary = None\n lookups_summary - = None\n\n if apply_configure and xsoar_cfg:\n emit_progress(\"Configuring - from xsoar_config…\", stage=\"configure\")\n\n emit_progress(\n \"\\n\".join(\n - \ [\n \"Configure plan:\",\n f\"- - integration_instances: {len(xsoar_cfg.get('integration_instances', []) or [])}\",\n - \ f\"- jobs: {len(xsoar_cfg.get('jobs', []) or [])}\",\n f\"- - lookup_datasets: {len(xsoar_cfg.get('lookup_datasets', []) or [])}\",\n ]\n - \ ),\n stage=\"configure.plan\",\n )\n\n installed_pack_ids - = fetch_installed_marketplace_pack_ids(using)\n\n if configure_integrations:\n - \ integration_summary = configure_integrations_from_xsoar_config(\n xsoar_cfg=xsoar_cfg,\n - \ using=using,\n retry_count=retry_count,\n retry_sleep_seconds=retry_sleep_seconds,\n - \ installed_pack_ids=installed_pack_ids,\n debug=debug,\n - \ )\n\n if configure_jobs:\n jobs_summary = configure_jobs_from_xsoar_config(\n - \ xsoar_cfg=xsoar_cfg,\n using=using,\n retry_count=retry_count,\n - \ retry_sleep_seconds=retry_sleep_seconds,\n debug=debug,\n - \ )\n\n if configure_lookups:\n lookups_summary = configure_lookups_from_xsoar_config(\n - \ xsoar_cfg=xsoar_cfg,\n using=using,\n retry_count=retry_count,\n - \ retry_sleep_seconds=retry_sleep_seconds,\n overwrite_lookup=overwrite_lookup,\n - \ debug=debug,\n )\n\n emit_progress(\"Done.\", stage=\"done\")\n\n - \ results_obj = {\n \"pack_id\": pack_id,\n \"xsoar_config_url\": - xsoar_config_url,\n \"marketplace_errors\": marketplace_errors,\n \"debug\": - debug,\n \"install_timeout\": install_timeout,\n \"skip_verify\": - skip_verify,\n \"skip_validation\": skip_validation,\n \"post_install_poll_seconds\": - post_install_poll_seconds,\n \"post_install_poll_interval_seconds\": post_install_poll_interval_seconds,\n - \ \"continue_on_install_timeout\": continue_on_install_timeout,\n \"configure_summary\": - {\n \"integrations\": integration_summary,\n \"jobs\": jobs_summary,\n - \ \"lookups\": lookups_summary,\n },\n }\n\n # Return the - machine-readable result first...\n return_results(results_obj)\n\n # ...then - print POST docs as the FINAL War Room entry (so users don't scroll)\n if xsoar_cfg:\n - \ print_config_docs(\n xsoar_cfg,\n when=\"post\",\n - \ debug=debug,\n include_doc_content=include_doc_content,\n - \ doc_content_max_chars=doc_content_max_chars,\n doc_content_max_lines=doc_content_max_lines,\n - \ )\n\nif __name__ in (\"__main__\", \"__builtin__\", \"builtins\"):\n main()\n" + as e:\n marketplace_errors.append(str(e))\n emit_progress(f\"\ + Marketplace install failed.\\nError: {e}\", stage=\"packs.marketplace.error\")\n\ + \ if fail_on_marketplace_errors:\n raise\n\n if custom_zip_urls:\n\ + \ emit_progress(f\"Installing custom pack ZIPs… ({len(custom_zip_urls)} ZIP(s))\"\ + , stage=\"packs.custom\")\n for item in custom_zip_urls:\n url + = None\n label = None\n if isinstance(item, str):\n \ + \ url = item\n label = item\n elif isinstance(item, + dict):\n url = item.get(\"url\") or item.get(\"zip_url\")\n \ + \ label = item.get(\"name\") or url\n if not url:\n \ + \ continue\n\n log(f\"Installing custom pack ZIP: **{label}**\"\ + , stage=\"packs.custom.debug\", debug=debug)\n\n install_custom_pack_zip(\n\ + \ url=url,\n pack_id=pack_id,\n using=using,\n\ + \ execution_timeout=execution_timeout,\n install_timeout=install_timeout,\n\ + \ retry_count=retry_count,\n retry_sleep_seconds=retry_sleep_seconds,\n\ + \ skip_verify=skip_verify,\n skip_validation=skip_validation,\n\ + \ post_install_poll_seconds=post_install_poll_seconds,\n \ + \ post_install_poll_interval_seconds=post_install_poll_interval_seconds,\n\ + \ continue_on_install_timeout=continue_on_install_timeout,\n \ + \ debug=debug,\n )\n\n integration_summary = None\n \ + \ jobs_summary = None\n lookups_summary = None\n\n if apply_configure and + xsoar_cfg:\n emit_progress(\"Configuring from xsoar_config…\", stage=\"configure\"\ + )\n\n emit_progress(\n \"\\n\".join(\n [\n \ + \ \"Configure plan:\",\n f\"- integration_instances: + {len(xsoar_cfg.get('integration_instances', []) or [])}\",\n \ + \ f\"- jobs: {len(xsoar_cfg.get('jobs', []) or [])}\",\n f\" + - lookup_datasets: {len(xsoar_cfg.get('lookup_datasets', []) or [])}\",\n \ + \ ]\n ),\n stage=\"configure.plan\",\n )\n\ + \n installed_pack_ids = fetch_installed_marketplace_pack_ids(using)\n\n \ + \ if configure_integrations:\n integration_summary = configure_integrations_from_xsoar_config(\n\ + \ xsoar_cfg=xsoar_cfg,\n using=using,\n \ + \ retry_count=retry_count,\n retry_sleep_seconds=retry_sleep_seconds,\n\ + \ installed_pack_ids=installed_pack_ids,\n debug=debug,\n\ + \ )\n\n if configure_jobs:\n jobs_summary = configure_jobs_from_xsoar_config(\n\ + \ xsoar_cfg=xsoar_cfg,\n using=using,\n \ + \ retry_count=retry_count,\n retry_sleep_seconds=retry_sleep_seconds,\n\ + \ debug=debug,\n )\n\n if configure_lookups:\n\ + \ lookups_summary = configure_lookups_from_xsoar_config(\n \ + \ xsoar_cfg=xsoar_cfg,\n using=using,\n retry_count=retry_count,\n\ + \ retry_sleep_seconds=retry_sleep_seconds,\n overwrite_lookup=overwrite_lookup,\n\ + \ debug=debug,\n )\n\n emit_progress(\"Done.\", stage=\"\ + done\")\n\n results_obj = {\n \"pack_id\": pack_id,\n \"xsoar_config_url\"\ + : xsoar_config_url,\n \"marketplace_errors\": marketplace_errors,\n \ + \ \"debug\": debug,\n \"install_timeout\": install_timeout,\n \"\ + skip_verify\": skip_verify,\n \"skip_validation\": skip_validation,\n \ + \ \"post_install_poll_seconds\": post_install_poll_seconds,\n \"post_install_poll_interval_seconds\"\ + : post_install_poll_interval_seconds,\n \"continue_on_install_timeout\": + continue_on_install_timeout,\n \"configure_summary\": {\n \"integrations\"\ + : integration_summary,\n \"jobs\": jobs_summary,\n \"lookups\"\ + : lookups_summary,\n },\n }\n\n # Return the machine-readable result + first...\n return_results(results_obj)\n\n # ...then print POST docs as the + FINAL War Room entry (so users don't scroll)\n if xsoar_cfg:\n print_config_docs(\n\ + \ xsoar_cfg,\n when=\"post\",\n debug=debug,\n\ + \ include_doc_content=include_doc_content,\n doc_content_max_chars=doc_content_max_chars,\n\ + \ doc_content_max_lines=doc_content_max_lines,\n )\n\nif __name__ + in (\"__main__\", \"__builtin__\", \"builtins\"):\n main()\n" type: python tags: - configuration @@ -730,3 +765,5 @@ engineinfo: {} mainengineinfo: {} restrictioncenter: {} signature: "" +id: SOCFWPackManager +fromversion: 5.0.0 diff --git a/tools/fix_errors.py b/tools/fix_errors.py index 6aec61c..ac6eef2 100644 --- a/tools/fix_errors.py +++ b/tools/fix_errors.py @@ -4,15 +4,16 @@ ------------- Automates fixing demisto-sdk validation and parsing errors. -This script is designed to run from any subdirectory (e.g., 'tools/') -and find content files relative to the current working directory, -based ONLY on the path extracted from the SDK error output. + +Design goals: +- Can run from ANY subdirectory (e.g., 'tools/') +- Auto-detect repo root (prefer git top-level; fallback to walking up until Packs/ exists) +- Resolve paths based ONLY on the path extracted from SDK output """ import argparse import json import os import re -import glob import subprocess # --- Optional YAML libs (ruamel preferred for formatting preservation) ------- @@ -32,9 +33,12 @@ # Strip ANSI color codes that may appear in demisto-sdk output ANSI_RE = re.compile(r'\x1b\[[0-9;]*m') + + def de_ansi(s: str) -> str: return ANSI_RE.sub('', s).strip() + # NEW AGGRESSIVE REGEXES (Note the leading '.*?' to ignore progress bar noise) # 1. Parsing Error (NoneType in Dashboard/Layout) @@ -62,8 +66,9 @@ def de_ansi(s: str) -> str: re.IGNORECASE ) +# Hardened BA101 matcher for the current demisto-sdk output format you showed BA101_RE = re.compile( - r'^(?P[^:]+):\s*\[BA101\].*?name attribute.*?\(currently (?P.+?)\).*?id.*?\((?P.+?)\)', + r'^(?P[^:]+):\s*\[BA101\]\s*-\s*The name attribute\s*\(currently\s*(?P.+?)\)\s*should be identical to its.*?id.*?\((?P[^)]+)\)', re.IGNORECASE ) @@ -79,6 +84,7 @@ def de_ansi(s: str) -> str: SEMVER_NUM_RE = re.compile(r'\d+') + def parse_semver(v: str): if not v or not isinstance(v, str): return (0, 0, 0) @@ -88,9 +94,50 @@ def parse_semver(v: str): nums.append(0) return tuple(nums[:3]) + def max_version(a: str, b: str) -> str: return a if parse_semver(a) >= parse_semver(b) else b + +def detect_repo_root(start_dir: str) -> str: + """ + Detect repo root robustly: + 1) prefer `git rev-parse --show-toplevel` + 2) otherwise walk up until a `Packs/` directory exists + """ + start_dir = os.path.abspath(start_dir) + + # 1) git top-level + try: + res = subprocess.run( + ["git", "rev-parse", "--show-toplevel"], + cwd=start_dir, + stdout=subprocess.PIPE, + stderr=subprocess.DEVNULL, + text=True, + check=True, + ) + root = (res.stdout or "").strip() + if root: + # If it's a real content repo, Packs/ should exist (but not strictly required) + if os.path.isdir(os.path.join(root, "Packs")): + return root + return root + except Exception: + pass + + # 2) walk up looking for Packs/ + cur = start_dir + while True: + if os.path.isdir(os.path.join(cur, "Packs")): + return cur + parent = os.path.dirname(cur) + if parent == cur: + # reached filesystem root + return start_dir + cur = parent + + def resolve_path(repo_root: str, rel_path: str) -> str: """ Resolves the absolute path to the content item, aggressively ensuring the path is valid. @@ -98,17 +145,16 @@ def resolve_path(repo_root: str, rel_path: str) -> str: # 1. Clean up and normalize the path extracted from the error log clean_rel_path = rel_path.strip().rstrip(':').replace('\\', os.sep).lstrip('/') - # 2. CRITICAL FIX: Find the 'Packs/' segment and discard everything before it. - # This handles the noise from the multiprocessing pool output. + # 2. Find the 'Packs/' segment and discard everything before it (handles noisy prefixes). if 'Packs' in clean_rel_path: clean_rel_path = clean_rel_path[clean_rel_path.index('Packs'):] - # 3. Join it directly to the determined repo_root (which defaults to CWD). + # 3. Join it directly to the determined repo_root resolved_path = os.path.normpath(os.path.join(repo_root, clean_rel_path)) - return resolved_path -# --- YAML/JSON IO (Rest of the script omitted for brevity, it's unchanged) --- + +# --- YAML/JSON IO ------------------------------------------------------------ def load_yaml(path): if _HAVE_RUAMEL: @@ -124,6 +170,7 @@ def load_yaml(path): else: raise RuntimeError("Need ruamel.yaml or PyYAML to parse YAML files.") + def dump_yaml(path, data, engine): if engine == 'ruamel': y = YAML() @@ -134,7 +181,8 @@ def dump_yaml(path, data, engine): with open(path, 'w', encoding='utf-8') as f: pyyaml.safe_dump(data, f, sort_keys=False) -# --- Parsing Error Fixer (JSON) -------------------------------------------- + +# --- Parsing Error Fixer (JSON) --------------------------------------------- def fix_json_layout_null(path: str, dry_run: bool): """ @@ -167,6 +215,7 @@ def fix_json_layout_null(path: str, dry_run: bool): return False, f"OK (no change): {path}" + # --- Layout Group Fixer (JSON) ----------------------------------------------- def fix_layout_group_alert(path: str, dry_run: bool): @@ -183,7 +232,7 @@ def fix_layout_group_alert(path: str, dry_run: bool): except Exception as e: return False, f"SKIP (bad JSON/read error): {path} -> {e}" - group_key = data.get('group', '').lower() + group_key = (data.get('group') or '').lower() # Define bad groups and their intended replacement bad_groups = {'alert': 'incident', 'incidents': 'incident'} @@ -196,16 +245,18 @@ def fix_layout_group_alert(path: str, dry_run: bool): with open(path, 'w', encoding='utf-8') as wf: json.dump(data, wf, indent=2, ensure_ascii=False) - return True, f"PATCHED: {path} -> Changed 'group': '{group_key}' to 'group': '{new_value}'" + return True, f"PATCHED: {path} -> Changed 'group': '{group_key}' to '{new_value}'" return False, f"OK (no change): {path}" + # --- Textual fallback for malformed YAML ------------------------------------ FROMVERSION_LINE_RE = re.compile(r'(?mi)^(?P\s*)fromversion\s*:\s*(?P[^\n#]+)') ID_LINE_RE = re.compile(r'(?mi)^(?P\s*)id\s*:\s*(?P[^\n#]+)') NAME_LINE_RE = re.compile(r'(?mi)^(?P\s*)name\s*:\s*(?P[^\n#]+)') + def textual_fix_yaml_fromversion(path: str, min_version: str, dry_run: bool): """ Fallback when YAML parser fails. Tries to upgrade existing 'fromversion:' @@ -235,7 +286,7 @@ def textual_fix_yaml_fromversion(path: str, min_version: str, dry_run: bool): insert_idx = 0 while insert_idx < len(lines): s = lines[insert_idx].lstrip() - if s.startswith('---') or s.startswith('#') or s == '': + if s.startswith('---') or s.startswith('#') or s.strip() == '': insert_idx += 1 continue break @@ -247,9 +298,14 @@ def textual_fix_yaml_fromversion(path: str, min_version: str, dry_run: bool): f.write(''.join(new_lines)) return True, f"INSERTED (textual): {path} -> fromversion={min_version}" + def textual_fix_yaml_id_equals_name(path: str, dry_run: bool): """ - Fallback when YAML parser fails. Sets `id: ` via regex if both lines exist. + Fallback when YAML parser fails. + For Scripts, the real id is usually under: + commonfields: + id: <...> + This updates that (or inserts it) to match name. """ try: with open(path, 'r', encoding='utf-8') as f: @@ -262,19 +318,42 @@ def textual_fix_yaml_id_equals_name(path: str, dry_run: bool): return False, f"SKIP (no name found, textual): {path}" name_val = m_name.group('val').strip() + # Try to update "commonfields:\n id: ..." + COMMONFIELDS_BLOCK_RE = re.compile( + r'(?ms)^(?P\s*)commonfields\s*:\s*\n(?P(?:^(?P=indent)[ \t]+.*\n)*)' + ) + m_cf = COMMONFIELDS_BLOCK_RE.search(text) + if m_cf: + indent = m_cf.group('indent') + body = m_cf.group('body') or "" + # Replace id inside the commonfields body + ID_IN_COMMONFIELDS_RE = re.compile(r'(?mi)^(?P' + re.escape(indent) + r'[ \t]+)id\s*:\s*(?P[^\n#]+)') + if ID_IN_COMMONFIELDS_RE.search(body): + new_body = ID_IN_COMMONFIELDS_RE.sub(lambda m: f"{m.group('i')}id: {name_val}", body, count=1) + else: + # Insert id at top of the commonfields body + new_body = f"{indent} id: {name_val}\n" + body + + new_text = text[:m_cf.start('body')] + new_body + text[m_cf.end('body'):] + if not dry_run: + with open(path, 'w', encoding='utf-8') as wf: + wf.write(new_text) + return True, f"UPDATED (textual): {path} -> commonfields.id={name_val}" + + # No commonfields block found; fall back to top-level id behavior if ID_LINE_RE.search(text): new_text = ID_LINE_RE.sub(lambda m: f"{m.group('indent')}id: {name_val}", text, count=1) else: - # No id line: insert an id right after name idx = m_name.end() - new_text = text[:idx] + f"\n{m_name.group('indent')}id: {name_val}" + text[idx:] + new_text = text[:idx] + f"\nid: {name_val}" + text[idx:] if not dry_run: with open(path, 'w', encoding='utf-8') as wf: wf.write(new_text) return True, f"UPDATED (textual): {path} -> id={name_val}" -# --- BA106 fixers (rest of the functions omitted for brevity, they are unchanged) --- +# --- BA106 fixers ------------------------------------------------------------ + def fix_yaml_fromversion(path: str, min_version: str, dry_run: bool): # Try structured YAML first; on failure, do textual fallback try: @@ -306,6 +385,7 @@ def fix_yaml_fromversion(path: str, min_version: str, dry_run: bool): dump_yaml(path, data, engine) return True, f"UPDATED: {path} -> fromversion={new_val}" + def fix_json_fromversion(path: str, min_version: str, dry_run: bool): with open(path, 'r', encoding='utf-8') as f: try: @@ -341,6 +421,7 @@ def fix_json_fromversion(path: str, min_version: str, dry_run: bool): json.dump(data, wf, indent=2, ensure_ascii=False) return True, f"UPDATED: {path} -> fromVersion={new_val}" + def fix_file_ba106(path: str, min_version: str, dry_run: bool = False): ext = os.path.splitext(path)[1].lower() if not os.path.exists(path): @@ -351,7 +432,18 @@ def fix_file_ba106(path: str, min_version: str, dry_run: bool = False): return fix_json_fromversion(path, min_version, dry_run) return False, f"SKIP (unknown ext): {path}" + +# --- BA101 fixers ------------------------------------------------------------ + def fix_id_name(path: str, dry_run: bool = False): + """ + BA101 requires: name == id + + IMPORTANT: + - For Script YAMLs, the ID is typically `commonfields.id` + - For other items, it may be top-level `id` + This fixer updates whichever is present (prefers commonfields.id when available). + """ ext = os.path.splitext(path)[1].lower() if not os.path.exists(path): return False, f"SKIP (missing): {path}" @@ -364,10 +456,25 @@ def fix_id_name(path: str, dry_run: bool = False): return False, f"SKIP (bad JSON): {path} -> {e}" nm = data.get('name') - idv = data.get('id') if nm is None: return False, f"SKIP (no name): {path}" - if nm == idv: + + # Prefer commonfields.id when present + cf = data.get('commonfields') + if isinstance(cf, dict) and 'id' in cf: + cur = cf.get('id') + if cur == nm: + return False, f"OK (no change): {path} (commonfields.id=name={nm})" + if not dry_run: + cf['id'] = nm + data['commonfields'] = cf + with open(path, 'w', encoding='utf-8') as wf: + json.dump(data, wf, indent=2, ensure_ascii=False) + return True, f"UPDATED: {path} -> commonfields.id={nm}" + + # Fall back to top-level id + cur = data.get('id') + if cur == nm: return False, f"OK (no change): {path} (id=name={nm})" if not dry_run: data['id'] = nm @@ -375,26 +482,41 @@ def fix_id_name(path: str, dry_run: bool = False): json.dump(data, wf, indent=2, ensure_ascii=False) return True, f"UPDATED: {path} -> id={nm}" - elif ext in ('.yml', '.yaml'): - # Try structured first + if ext in ('.yml', '.yaml'): try: data, engine = load_yaml(path) nm = data.get('name') - idv = data.get('id') if nm is None: return False, f"SKIP (no name): {path}" - if nm == idv: + + # Prefer commonfields.id when present (Script YAMLs) + cf = data.get('commonfields') + if isinstance(cf, dict): + cur = cf.get('id') + if cur == nm: + return False, f"OK (no change): {path} (commonfields.id=name={nm})" + if not dry_run: + cf['id'] = nm + data['commonfields'] = cf + dump_yaml(path, data, engine) + return True, f"UPDATED: {path} -> commonfields.id={nm}" + + # Fall back to top-level id + cur = data.get('id') + if cur == nm: return False, f"OK (no change): {path} (id=name={nm})" if not dry_run: data['id'] = nm dump_yaml(path, data, engine) return True, f"UPDATED: {path} -> id={nm}" + except Exception: - # Fallback textual edit return textual_fix_yaml_id_equals_name(path, dry_run) return False, f"SKIP (unsupported ext): {path}" +# --- PA128 (pack required files) -------------------------------------------- + def fix_pack_required_files(pack_root: str, dry_run: bool = False): created = [] targets = { @@ -414,6 +536,9 @@ def fix_pack_required_files(pack_root: str, dry_run: bool = False): return True, f"CREATED in {pack_root}: {', '.join(created)}" return False, f"OK (no change): {pack_root} has required files" + +# --- BA102 (format) ---------------------------------------------------------- + def run_demisto_format(target_path: str, dry_run: bool = False): """ Runs `demisto-sdk format -i --assume-yes` to normalize items @@ -434,29 +559,32 @@ def run_demisto_format(target_path: str, dry_run: bool = False): if res.returncode == 0: tail = res.stdout.strip().splitlines()[-1] if res.stdout else "format completed" return True, f"FORMAT OK: {target_path} ({tail})" - else: - return False, f"FORMAT FAILED ({res.returncode}): {target_path}\n{res.stdout}" + return False, f"FORMAT FAILED ({res.returncode}): {target_path}\n{res.stdout}" except FileNotFoundError: return False, "ERROR: `demisto-sdk` not found in PATH. Install it or add to PATH." except Exception as e: return False, f"FORMAT ERROR: {target_path} -> {e}" + # --- Main -------------------------------------------------------------------- def main(): - ap = argparse.ArgumentParser(description="Fix common demisto-sdk errors (Parsing, Layout Group, BA106, BA101, PA128, BA102).") + ap = argparse.ArgumentParser( + description="Fix common demisto-sdk errors (Parsing, Layout Group, BA106, BA101, PA128, BA102)." + ) ap.add_argument("sdk_output", help="Path to saved SDK validation output (e.g., sdk_errors.txt)") - # We remove the use of --repo-root to fulfill the design goal of automatic resolution. - # We keep the argument but default it to '.', and rely on resolve_path's new logic. - ap.add_argument("--repo-root", default=".", help=argparse.SUPPRESS) + ap.add_argument("--repo-root", default=".", help=argparse.SUPPRESS) # kept for compatibility; ignored unless user sets it ap.add_argument("--dry-run", action="store_true", help="Show what would change without writing files") args = ap.parse_args() - # The repo_root is the directory from which the script is run (CWD) - repo_root = os.path.abspath(args.repo_root) + # Auto-detect repo root (fixes the 'run from tools/' problem) + # If user explicitly passes --repo-root, honor it. + explicit_root = os.path.abspath(args.repo_root) if args.repo_root and args.repo_root != "." else None + repo_root = explicit_root or detect_repo_root(os.getcwd()) total = 0 changes = 0 + with open(args.sdk_output, 'r', encoding='utf-8', errors='ignore') as f: for raw in f: line = de_ansi(raw) @@ -478,11 +606,9 @@ def main(): changes += 1 continue - # --- 2. LAYOUT GROUP FIX (ValueError: Unknown group "alert" / "incidents") --- + # --- 2. LAYOUT GROUP FIX (Unknown group "alert" / "incidents") ---------- m_layout_group_alert = LAYOUT_GROUP_RE.search(line) m_layout_group_plural = LAYOUT_PLURAL_GROUP_RE.search(line) - - # If either of the layout errors match, we proceed to fix it. if m_layout_group_alert or m_layout_group_plural: m_match = m_layout_group_alert or m_layout_group_plural total += 1 @@ -493,15 +619,13 @@ def main(): print(f"SKIP (missing): {rel_path} (Resolved: {resolved})") continue - # The fix_layout_group_alert function now handles both 'alert' and 'incidents' changed, msg = fix_layout_group_alert(resolved, args.dry_run) print(msg) if changed: changes += 1 continue - - # --- 3. PA128 (Pack Required Files) ------------------------------------- + # --- 3. PA128 (Pack Required Files) ------------------------------------ m128 = PA128_RE.search(line) if m128: total += 1 @@ -518,7 +642,7 @@ def main(): changes += 1 continue - # --- 4. BA101 (ID = Name) ----------------------------------------------- + # --- 4. BA101 (ID = Name) ---------------------------------------------- m101 = BA101_RE.search(line) if m101: total += 1 @@ -535,7 +659,7 @@ def main(): changes += 1 continue - # --- 5. BA106 (fromversion) --------------------------------------------- + # --- 5. BA106 (fromversion) -------------------------------------------- m106 = BA106_RE.search(line) if m106: total += 1 @@ -553,14 +677,13 @@ def main(): changes += 1 continue - # --- 6. BA102 (Run Format) ---------------------------------------------- + # --- 6. BA102 (Run Format) --------------------------------------------- m102 = BA102_RE.search(line) if m102: total += 1 rel_path = m102.group('path').strip() resolved = resolve_path(repo_root, rel_path) - # If the reported path is a pack root, formatting recursively is fine. if not os.path.exists(resolved): print(f"SKIP (missing): {rel_path} (Resolved: {resolved})") continue @@ -575,5 +698,6 @@ def main(): print(f"\nMatched lines (Parsing/Layout/BA101/BA102/BA106/PA128): {total}. Files changed: {changes}. Dry-run: {args.dry_run}") + if __name__ == "__main__": - main() \ No newline at end of file + main() From b5a4f807fa462e80735bd599741318c458ca43b2 Mon Sep 17 00:00:00 2001 From: Scott Brumley Date: Mon, 26 Jan 2026 10:45:37 -0500 Subject: [PATCH 25/49] - Updated Documentation for the SOCFWPackManager --- .../POST_CONFIG_README.md | 103 +++++++++++ .../PRE_CONFIG_README.md | 65 +++++++ Packs/soc-framework-manager/README.md | 76 ++++++++ .../soc-framework-manager/README_COMMANDS.md | 170 ++++++++++++++++++ .../soc-framework-manager/pack_metadata.json | 1 + Packs/soc-framework-manager/xsoar_config.json | 23 +++ 6 files changed, 438 insertions(+) create mode 100644 Packs/soc-framework-manager/POST_CONFIG_README.md create mode 100644 Packs/soc-framework-manager/PRE_CONFIG_README.md create mode 100644 Packs/soc-framework-manager/README_COMMANDS.md create mode 100644 Packs/soc-framework-manager/xsoar_config.json diff --git a/Packs/soc-framework-manager/POST_CONFIG_README.md b/Packs/soc-framework-manager/POST_CONFIG_README.md new file mode 100644 index 0000000..dd8c98f --- /dev/null +++ b/Packs/soc-framework-manager/POST_CONFIG_README.md @@ -0,0 +1,103 @@ +# SOC Framework Manager β€” Post-Install + +SOC Framework Manager is now installed and ready to use. + +All interactions with the manager are done through the **SOCFWPackManager** command in the Playground. + +--- + +## Basic Usage + +### List Available SOC Framework Packs + +Use this command to list all available packs from the configured catalog: + +`!SOCFWPackManager action=list` + +This returns the pack IDs that can be installed or updated. + +--- + +### Apply (Install or Update) a Pack by ID + +Use the pack ID from the list command to install or update a pack: + +`!SOCFWPackManager action=apply pack_id=` + +**Example:** + +`!SOCFWPackManager action=apply pack_id=soc-optimization-unified` + +--- + +## Notes +- The `apply` action is designed to be safe to re-run. +- Output will indicate which packs were installed, updated, or skipped. +- Additional options may be available depending on the pack being applied. + +--- + +You can now continue installing SOC Framework packs as needed. + +# SOC Framework Manager β€” Post-Install + +SOC Framework Manager is now installed and ready to use. + +All interactions with the manager are done through the **SOCFWPackManager** command in the Playground. + +--- + +## Basic Usage + +### List Available SOC Framework Packs + +Use this command to list all available packs from the configured catalog: + +`!SOCFWPackManager action=list` + +This returns the pack IDs that can be installed or updated. + +--- + +### Apply (Install or Update) a Pack by ID + +Use the pack ID from the list command to install or update a pack: + +`!SOCFWPackManager action=apply pack_id=` + +**Example:** + +`!SOCFWPackManager action=apply pack_id=soc-optimization` + +--- + +## Recommended Installation Order + +1. **Install the base framework pack** + + Start by installing the unified base framework: + + `!SOCFWPackManager action=apply pack_id=soc-framework-unified` + +2. **Install one or more product enhancement packs** + + After the base framework is installed, install product-specific enhancement packs as needed. + + **Example:** + + `!SOCFWPackManager action=apply pack_id=soc-crowdstrike-falcon` + +--- + +## Important Notes on Marketplace Integrations + +Product enhancement packs extend vendor capabilities but **do not replace the vendor’s Marketplace integration**. + +Before or alongside installing an enhancement pack, ensure that the corresponding **Marketplace integration is installed and configured** in the tenant. + +**Example:** +- `soc-crowdstrike-falcon` β†’ requires the **CrowdStrike Falcon** Marketplace integration to be installed and configured + +--- + +You can now continue installing SOC Framework packs based on your environment and use cases. diff --git a/Packs/soc-framework-manager/PRE_CONFIG_README.md b/Packs/soc-framework-manager/PRE_CONFIG_README.md new file mode 100644 index 0000000..aadb634 --- /dev/null +++ b/Packs/soc-framework-manager/PRE_CONFIG_README.md @@ -0,0 +1,65 @@ +# SOC Framework Manager β€” Pre-Install Requirements + +Before installing or using the **SOC Framework Manager** content pack, ensure the following prerequisites are met. +These are required for the pack to function correctly and are **not** created automatically. + +--- + +## Required Prerequisites + +### 1. Cortex REST API Integration Installed +Ensure the **Cortex REST API** integration is installed from the Marketplace and has **one enabled instance**. + +- Integration name: **Cortex REST API** +- Instance should be enabled and available to all playbooks/scripts. + +--- + +### 2. Generate a Standard XSIAM API Key + +Generate an API key with sufficient permissions for content and configuration operations. + +- Role required: **Instance Administrator** +- Copy both: + - **API Key** + - **API URL** + +You will need these in the next step. + +--- + +### 3. Create a Credential Named `Standard XSIAM API Key` + +Create a credential object using the API key you generated. + +**Path:** +`Settings β†’ Configuration β†’ Integrations β†’ Credentials` + +**Credential requirements:** +- **Name:** `Standard XSIAM API Key` *(must match exactly)* +- **Type:** API Key +- **API Key:** Paste the generated key +- **ID / Username:** Use the API Key ID (or appropriate identifier per your tenant) + +This credential is referenced by SOC Framework Manager for authenticated Core API operations. + +--- + +## Summary Checklist + +Before install, confirm: +- βœ… Cortex REST API integration is installed and enabled +- βœ… An API Key exists with the *Instance Administrator* role +- βœ… A Credential named **Standard XSIAM API Key** exists and is correctly populated + +Once these are complete, proceed with installing the **SOC Framework Manager** content pack. + +--- + +### βœ” Ready to Continue + +Once all pre-install requirements above are complete, continue the installation by running: + +`!SOCFWPackManager action=apply pack_id=soc-framework-manager pre_config_done=true` + +This confirms that pre-configuration is complete and allows the installer to proceed. diff --git a/Packs/soc-framework-manager/README.md b/Packs/soc-framework-manager/README.md index e69de29..1a81171 100644 --- a/Packs/soc-framework-manager/README.md +++ b/Packs/soc-framework-manager/README.md @@ -0,0 +1,76 @@ +# SOC Framework Package Manager + +The **SOC Framework Package Manager** provides a simple, repeatable way to install, update, and manage SOC Framework content packs directly from within XSIAM/XSOAR. + +It acts as a lightweight installer and orchestrator for SOC Framework packs, removing the need to manually upload zip files or manage complex dependencies by hand. + +--- + +## What This Pack Does + +- Installs the **SOCFWPackManager** command +- Allows you to: + - List available SOC Framework packs + - Apply (install or update) packs by ID +- Supports a modular, layered installation model: + - Base framework packs + - Product-specific enhancement packs + - Optional extensions over time + +This pack **does not automatically configure** integrations, jobs, or tenant settings unless explicitly implemented by the target pack. + +--- + +## How You Use It + +All interaction happens through the **SOCFWPackManager** command in the Playground. + +### List Available Packs + +Use this to see which SOC Framework packs are available for installation: + +`!SOCFWPackManager action=list` + +--- + +### Apply a Pack by ID + +Use the pack ID from the list command to install or update a pack: + +`!SOCFWPackManager action=apply pack_id=` + +**Example:** + +`!SOCFWPackManager action=apply pack_id=soc-framework-unified` + +--- + +## Recommended Starting Point + +For most environments: + +1. Install the base framework: + - `soc-framework-unified` +2. Install one or more product enhancement packs as needed: + - Example: `soc-crowdstrike-falcon` + +Product enhancement packs extend vendor capabilities but **require the corresponding Marketplace integration** to be installed and configured separately. + +--- + +## Design Philosophy + +- **Composable** β€” install only what you need +- **Idempotent** β€” safe to re-run apply commands +- **Vendor-agnostic** β€” works alongside existing Marketplace integrations +- **Field-driven** β€” optimized for real SOC workflows, not static templates + +--- + +For pre-install requirements and post-install usage examples, refer to the accompanying PRE and POST documentation included with this pack. + +## Command Reference + +For a complete list of supported commands and arguments, see: + +➑️ **[SOCFWPackManager Command Reference](README_COMMANDS.md)** diff --git a/Packs/soc-framework-manager/README_COMMANDS.md b/Packs/soc-framework-manager/README_COMMANDS.md new file mode 100644 index 0000000..2d9226c --- /dev/null +++ b/Packs/soc-framework-manager/README_COMMANDS.md @@ -0,0 +1,170 @@ +# SOCFWPackManager β€” Command Reference + +This document provides a complete reference for all supported **SOCFWPackManager** commands and arguments. + +All commands are executed from the **Playground**. + +--- + +## Command Syntax + +`!SOCFWPackManager ` + +All behavior is controlled via arguments. + +--- + +## Core Arguments + +### `action` (required) +Specifies the operation to perform. + +**Supported values:** +- `list` +- `apply` + +--- + +### `pack_id` +Specifies the SOC Framework pack to operate on. + +- Required for `action=apply` +- Optional for `action=list` when filtering + +**Example:** +`pack_id=soc-framework-unified` + +--- + +### `pre_config_done` +Confirms that required pre-install configuration has been completed. + +- Type: `true | false` +- Default: `false` +- Required when applying the SOC Framework Manager pack itself + +**Example:** +`pre_config_done=true` + +--- + +## Actions + +--- + +## `action=list` + +Lists SOC Framework packs available from the configured catalog. + +### Basic Usage +`!SOCFWPackManager action=list` + +--- + +### Filtered Listing (Development & Testing) + +You can narrow the list using optional filters. + +#### Filter by Pack ID (partial match) +`!SOCFWPackManager action=list pack_id=soc-framework` + +#### Filter by Environment (if supported by catalog) +`!SOCFWPackManager action=list environment=main` + +`!SOCFWPackManager action=list environment=develop` + +#### Filter by Category / Type (if supported) +`!SOCFWPackManager action=list category=enhancement` + +> Useful during development when validating which packs are exposed in a given environment. + +--- + +## `action=apply` + +Installs or updates a SOC Framework pack by ID. + +### Basic Usage +`!SOCFWPackManager action=apply pack_id=` + +**Example:** +`!SOCFWPackManager action=apply pack_id=soc-framework-unified` + +--- + +### Apply with Pre-Config Confirmation + +Required when installing **SOC Framework Manager** itself. + +`!SOCFWPackManager action=apply pack_id=soc-framework-manager pre_config_done=true` + +--- + +### Development & Testing Options + +#### Dry Run (no changes applied) +Runs validation and planning logic without installing anything. + +`!SOCFWPackManager action=apply pack_id=soc-framework-unified dry_run=true` + +--- + +#### Include Hidden / Dev Packs +Lists or applies packs marked as hidden or development-only. + +`!SOCFWPackManager action=list include_hidden=true` + +`!SOCFWPackManager action=apply pack_id=soc-framework-unified include_hidden=true` + +--- + +#### Skip Validation (Advanced / Testing) +Skips certain validation steps during development. + +`!SOCFWPackManager action=apply pack_id=soc-framework-unified skip_validation=true` + +> Intended for development and testing only. + +--- + +#### Retry Behavior (Large Packs / Network Issues) + +`retry_count` – Number of retries +`retry_sleep_seconds` – Delay between retries + +**Example:** +`!SOCFWPackManager action=apply pack_id=soc-framework-unified retry_count=5 retry_sleep_seconds=15` + +--- + +## Common Installation Flow + +### 1. List available packs +`!SOCFWPackManager action=list` + +--- + +### 2. Install the base framework +`!SOCFWPackManager action=apply pack_id=soc-framework-unified` + +--- + +### 3. Install product enhancement packs +`!SOCFWPackManager action=apply pack_id=soc-crowdstrike-falcon` + +> Product enhancement packs require the corresponding **Marketplace integration** +> to be installed and configured separately. + +--- + +## Notes & Best Practices + +- `apply` is designed to be **safe to re-run** +- Marketplace integrations are **not installed automatically** +- Behavior varies by pack depending on what automation it provides +- Development flags should not be used in production unless explicitly required + +--- + +This document is intended as a **quick reference**. +For installation prerequisites, see **README_PRE.md**. diff --git a/Packs/soc-framework-manager/pack_metadata.json b/Packs/soc-framework-manager/pack_metadata.json index 4063b78..ca17b4e 100644 --- a/Packs/soc-framework-manager/pack_metadata.json +++ b/Packs/soc-framework-manager/pack_metadata.json @@ -1,5 +1,6 @@ { "name": "SOC Framework Package Manager", + "id": "soc-framework-manager", "description": "This will install and configure any of the SOC Framework packages.", "support": "xsoar", "currentVersion": "1.0.2", diff --git a/Packs/soc-framework-manager/xsoar_config.json b/Packs/soc-framework-manager/xsoar_config.json new file mode 100644 index 0000000..43a5426 --- /dev/null +++ b/Packs/soc-framework-manager/xsoar_config.json @@ -0,0 +1,23 @@ +{ + "custom_packs": [ + { + "id": "soc-framework-manager.zip", + "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-framework-manager-v1.0.2/soc-framework-manager-v1.0.2.zip", + "system": "yes" + } + ], + "pre_config_docs": [ + { + "name": "SOC Framework Package Manager - Pre-Automation Steps", + "url": "https://github.com/Palo-Cortex/secops-framework/blob/main/Packs/soc-framework-manager/PRE_CONFIG_README.md" + } + ], + "post_config_docs": [ + { + "name": "SOC Framework Package Manager - Manual Steps", + "url": "https://github.com/Palo-Cortex/secops-framework/blob/main/Packs/soc-framework-manager/POST_CONFIG_README.md" + } + ], + "marketplace_packs": [], + "integration_instances": [ ] +} From 752f64da14cc1e7eaf24480e9b5feecd64eab4d5 Mon Sep 17 00:00:00 2001 From: Scott Brumley Date: Mon, 26 Jan 2026 10:47:10 -0500 Subject: [PATCH 26/49] - Bump version - Update Catalog --- Packs/soc-framework-manager/pack_metadata.json | 2 +- Packs/soc-framework-manager/xsoar_config.json | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Packs/soc-framework-manager/pack_metadata.json b/Packs/soc-framework-manager/pack_metadata.json index ca17b4e..da4301a 100644 --- a/Packs/soc-framework-manager/pack_metadata.json +++ b/Packs/soc-framework-manager/pack_metadata.json @@ -3,7 +3,7 @@ "id": "soc-framework-manager", "description": "This will install and configure any of the SOC Framework packages.", "support": "xsoar", - "currentVersion": "1.0.2", + "currentVersion": "1.0.3", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/soc-framework-manager/xsoar_config.json b/Packs/soc-framework-manager/xsoar_config.json index 43a5426..cc4c4f7 100644 --- a/Packs/soc-framework-manager/xsoar_config.json +++ b/Packs/soc-framework-manager/xsoar_config.json @@ -2,7 +2,7 @@ "custom_packs": [ { "id": "soc-framework-manager.zip", - "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-framework-manager-v1.0.2/soc-framework-manager-v1.0.2.zip", + "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-framework-manager-v1.0.3/soc-framework-manager-v1.0.3.zip", "system": "yes" } ], @@ -19,5 +19,5 @@ } ], "marketplace_packs": [], - "integration_instances": [ ] + "integration_instances": [] } From a5f209a5fbb2ad1f029d2643da2d47cf06c96682 Mon Sep 17 00:00:00 2001 From: Scott Brumley Date: Mon, 26 Jan 2026 11:04:36 -0500 Subject: [PATCH 27/49] - Fix to import requests line. Indentation was mugged. - Bump version - Update Catalog --- Packs/soc-framework-manager/Scripts/SOCFWPackManager.yml | 3 +-- Packs/soc-framework-manager/pack_metadata.json | 2 +- Packs/soc-framework-manager/xsoar_config.json | 2 +- 3 files changed, 3 insertions(+), 4 deletions(-) diff --git a/Packs/soc-framework-manager/Scripts/SOCFWPackManager.yml b/Packs/soc-framework-manager/Scripts/SOCFWPackManager.yml index b594d7e..0f0a261 100644 --- a/Packs/soc-framework-manager/Scripts/SOCFWPackManager.yml +++ b/Packs/soc-framework-manager/Scripts/SOCFWPackManager.yml @@ -3,8 +3,7 @@ commonfields: version: 86 vcShouldKeepItemLegacyProdMachine: false name: SOCFWPackManager -script: "import json\nimport time\nfrom typing import Any, Dict, List, Optional\n\n - import requests\n\n# ============================================================\n +script: "import json\nimport time\nfrom typing import Any, Dict, List, Optional\n\nimport requests\n\n# ============================================================\n # SOCFWPackManager (bootloader)\n# - list: shows SOC Framework pack catalog (now supports paging/filtering)\n# - apply: resolves pack_id via secops-framework pack_catalog.json\n # - marketplace install: uses XSIAMContentPackInstaller (Anna’s) when available\n diff --git a/Packs/soc-framework-manager/pack_metadata.json b/Packs/soc-framework-manager/pack_metadata.json index da4301a..74fe2e6 100644 --- a/Packs/soc-framework-manager/pack_metadata.json +++ b/Packs/soc-framework-manager/pack_metadata.json @@ -3,7 +3,7 @@ "id": "soc-framework-manager", "description": "This will install and configure any of the SOC Framework packages.", "support": "xsoar", - "currentVersion": "1.0.3", + "currentVersion": "1.0.4", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/soc-framework-manager/xsoar_config.json b/Packs/soc-framework-manager/xsoar_config.json index cc4c4f7..7d66cf5 100644 --- a/Packs/soc-framework-manager/xsoar_config.json +++ b/Packs/soc-framework-manager/xsoar_config.json @@ -2,7 +2,7 @@ "custom_packs": [ { "id": "soc-framework-manager.zip", - "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-framework-manager-v1.0.3/soc-framework-manager-v1.0.3.zip", + "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-framework-manager-v1.0.4/soc-framework-manager-v1.0.4.zip", "system": "yes" } ], From 7f7190981fdd3d32ff0e01ae55029b6dda98054b Mon Sep 17 00:00:00 2001 From: Scott Brumley Date: Mon, 26 Jan 2026 11:24:05 -0500 Subject: [PATCH 28/49] - Fix multiple lines. Indentation was mugged. - Bump version - Update Catalog --- .../Scripts/SOCFWPackManager.yml | 20 ++++++++++++++----- .../soc-framework-manager/pack_metadata.json | 2 +- Packs/soc-framework-manager/xsoar_config.json | 2 +- pack_catalog.json | 4 ++-- 4 files changed, 19 insertions(+), 9 deletions(-) diff --git a/Packs/soc-framework-manager/Scripts/SOCFWPackManager.yml b/Packs/soc-framework-manager/Scripts/SOCFWPackManager.yml index 0f0a261..3d8a400 100644 --- a/Packs/soc-framework-manager/Scripts/SOCFWPackManager.yml +++ b/Packs/soc-framework-manager/Scripts/SOCFWPackManager.yml @@ -1,9 +1,21 @@ commonfields: id: SOCFWPackManager - version: 86 + version: 7 +contentitemexportablefields: + contentitemfields: + packID: soc-framework-manager + packName: "" + itemVersion: "" + fromServerVersion: "" + toServerVersion: "" + definitionid: "" + prevname: "" + isoverridable: false + supportedModules: [] vcShouldKeepItemLegacyProdMachine: false name: SOCFWPackManager -script: "import json\nimport time\nfrom typing import Any, Dict, List, Optional\n\nimport requests\n\n# ============================================================\n +script: "import json\nimport time\nfrom typing import Any, Dict, List, Optional\n\n + import requests\n\n# ============================================================\n # SOCFWPackManager (bootloader)\n# - list: shows SOC Framework pack catalog (now supports paging/filtering)\n# - apply: resolves pack_id via secops-framework pack_catalog.json\n # - marketplace install: uses XSIAMContentPackInstaller (Anna’s) when available\n @@ -554,6 +566,7 @@ tags: - SOC_Framework_Unified - SOCFWBootloader enabled: true +system: true args: - supportedModules: [] name: action @@ -762,7 +775,4 @@ dockerimage: demisto/python3:3.12.12.6796194 runas: DBotWeakRole engineinfo: {} mainengineinfo: {} -restrictioncenter: {} -signature: "" -id: SOCFWPackManager fromversion: 5.0.0 diff --git a/Packs/soc-framework-manager/pack_metadata.json b/Packs/soc-framework-manager/pack_metadata.json index 74fe2e6..8905db3 100644 --- a/Packs/soc-framework-manager/pack_metadata.json +++ b/Packs/soc-framework-manager/pack_metadata.json @@ -3,7 +3,7 @@ "id": "soc-framework-manager", "description": "This will install and configure any of the SOC Framework packages.", "support": "xsoar", - "currentVersion": "1.0.4", + "currentVersion": "1.0.5", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/soc-framework-manager/xsoar_config.json b/Packs/soc-framework-manager/xsoar_config.json index 7d66cf5..a34e5e0 100644 --- a/Packs/soc-framework-manager/xsoar_config.json +++ b/Packs/soc-framework-manager/xsoar_config.json @@ -2,7 +2,7 @@ "custom_packs": [ { "id": "soc-framework-manager.zip", - "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-framework-manager-v1.0.4/soc-framework-manager-v1.0.4.zip", + "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-framework-manager-v1.0.5/soc-framework-manager-v1.0.5.zip", "system": "yes" } ], diff --git a/pack_catalog.json b/pack_catalog.json index 079a790..873f05a 100644 --- a/pack_catalog.json +++ b/pack_catalog.json @@ -19,10 +19,10 @@ { "id": "soc-framework-manager", "display_name": "SOC Framework Package Manager", - "version": "1.0.2", + "version": "1.0.5", "path": "Packs/soc-framework-manager", "visible": false, - "xsoar_config": null + "xsoar_config": "https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/Packs/soc-framework-manager/xsoar_config.json" }, { "id": "soc-microsoft-defender", From c30d8e9f1c0fe4618b58317ec8cda7fb58b9d828 Mon Sep 17 00:00:00 2001 From: Scott Brumley Date: Mon, 26 Jan 2026 12:38:39 -0500 Subject: [PATCH 29/49] - fix_errors.py was the culprit. It was broken. Trying again - Bump version - Update Catalog --- .../SOCFWIntegrationInstanceManager.yml | 1 - .../Scripts/SOCFWJobManager.yml | 1 - .../Scripts/SOCFWLookupManager.yml | 1 - .../Scripts/SOCFWPackManager.yml | 19 +- .../soc-framework-manager/pack_metadata.json | 2 +- Packs/soc-framework-manager/xsoar_config.json | 2 +- pack_catalog.json | 2 +- tools/fix_errors.py | 211 ++++++------------ 8 files changed, 71 insertions(+), 168 deletions(-) diff --git a/Packs/soc-framework-manager/Scripts/SOCFWIntegrationInstanceManager.yml b/Packs/soc-framework-manager/Scripts/SOCFWIntegrationInstanceManager.yml index 0ba3575..38ad509 100644 --- a/Packs/soc-framework-manager/Scripts/SOCFWIntegrationInstanceManager.yml +++ b/Packs/soc-framework-manager/Scripts/SOCFWIntegrationInstanceManager.yml @@ -152,5 +152,4 @@ engineinfo: {} mainengineinfo: {} restrictioncenter: {} signature: "" -id: SOCFWIntegrationInstanceManager fromversion: 5.0.0 diff --git a/Packs/soc-framework-manager/Scripts/SOCFWJobManager.yml b/Packs/soc-framework-manager/Scripts/SOCFWJobManager.yml index 16ca1ee..698d118 100644 --- a/Packs/soc-framework-manager/Scripts/SOCFWJobManager.yml +++ b/Packs/soc-framework-manager/Scripts/SOCFWJobManager.yml @@ -151,5 +151,4 @@ engineinfo: {} mainengineinfo: {} restrictioncenter: {} signature: "" -id: SOCFWJobManager fromversion: 5.0.0 diff --git a/Packs/soc-framework-manager/Scripts/SOCFWLookupManager.yml b/Packs/soc-framework-manager/Scripts/SOCFWLookupManager.yml index a1d7227..eda3165 100644 --- a/Packs/soc-framework-manager/Scripts/SOCFWLookupManager.yml +++ b/Packs/soc-framework-manager/Scripts/SOCFWLookupManager.yml @@ -272,5 +272,4 @@ engineinfo: {} mainengineinfo: {} restrictioncenter: {} signature: "" -id: SOCFWLookupManager fromversion: 5.0.0 diff --git a/Packs/soc-framework-manager/Scripts/SOCFWPackManager.yml b/Packs/soc-framework-manager/Scripts/SOCFWPackManager.yml index 3d8a400..3aba1d4 100644 --- a/Packs/soc-framework-manager/Scripts/SOCFWPackManager.yml +++ b/Packs/soc-framework-manager/Scripts/SOCFWPackManager.yml @@ -1,21 +1,9 @@ commonfields: id: SOCFWPackManager - version: 7 -contentitemexportablefields: - contentitemfields: - packID: soc-framework-manager - packName: "" - itemVersion: "" - fromServerVersion: "" - toServerVersion: "" - definitionid: "" - prevname: "" - isoverridable: false - supportedModules: [] + version: 86 vcShouldKeepItemLegacyProdMachine: false name: SOCFWPackManager -script: "import json\nimport time\nfrom typing import Any, Dict, List, Optional\n\n - import requests\n\n# ============================================================\n +script: "import json\nimport time\nfrom typing import Any, Dict, List, Optional\n\nimport requests\n\n# ============================================================\n # SOCFWPackManager (bootloader)\n# - list: shows SOC Framework pack catalog (now supports paging/filtering)\n# - apply: resolves pack_id via secops-framework pack_catalog.json\n # - marketplace install: uses XSIAMContentPackInstaller (Anna’s) when available\n @@ -566,7 +554,6 @@ tags: - SOC_Framework_Unified - SOCFWBootloader enabled: true -system: true args: - supportedModules: [] name: action @@ -775,4 +762,6 @@ dockerimage: demisto/python3:3.12.12.6796194 runas: DBotWeakRole engineinfo: {} mainengineinfo: {} +restrictioncenter: {} +signature: "" fromversion: 5.0.0 diff --git a/Packs/soc-framework-manager/pack_metadata.json b/Packs/soc-framework-manager/pack_metadata.json index 8905db3..5bc7a0c 100644 --- a/Packs/soc-framework-manager/pack_metadata.json +++ b/Packs/soc-framework-manager/pack_metadata.json @@ -3,7 +3,7 @@ "id": "soc-framework-manager", "description": "This will install and configure any of the SOC Framework packages.", "support": "xsoar", - "currentVersion": "1.0.5", + "currentVersion": "1.0.6", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/soc-framework-manager/xsoar_config.json b/Packs/soc-framework-manager/xsoar_config.json index a34e5e0..6473b89 100644 --- a/Packs/soc-framework-manager/xsoar_config.json +++ b/Packs/soc-framework-manager/xsoar_config.json @@ -2,7 +2,7 @@ "custom_packs": [ { "id": "soc-framework-manager.zip", - "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-framework-manager-v1.0.5/soc-framework-manager-v1.0.5.zip", + "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-framework-manager-v1.0.6/soc-framework-manager-v1.0.6.zip", "system": "yes" } ], diff --git a/pack_catalog.json b/pack_catalog.json index 873f05a..edfa6dc 100644 --- a/pack_catalog.json +++ b/pack_catalog.json @@ -19,7 +19,7 @@ { "id": "soc-framework-manager", "display_name": "SOC Framework Package Manager", - "version": "1.0.5", + "version": "1.0.6", "path": "Packs/soc-framework-manager", "visible": false, "xsoar_config": "https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/Packs/soc-framework-manager/xsoar_config.json" diff --git a/tools/fix_errors.py b/tools/fix_errors.py index ac6eef2..1345ff1 100644 --- a/tools/fix_errors.py +++ b/tools/fix_errors.py @@ -9,6 +9,11 @@ - Can run from ANY subdirectory (e.g., 'tools/') - Auto-detect repo root (prefer git top-level; fallback to walking up until Packs/ exists) - Resolve paths based ONLY on the path extracted from SDK output + +CRITICAL SAFETY CHANGE (2026-01): +- NEVER re-serialize YAML for content items that may contain embedded Python (e.g. Script YMLs), + because YAML dumping can alter indentation inside block scalars (script: |-), breaking Python. +- Therefore, BA101 and BA106 YAML fixes are TEXTUAL ONLY (surgical line edits). """ import argparse import json @@ -16,15 +21,15 @@ import re import subprocess -# --- Optional YAML libs (ruamel preferred for formatting preservation) ------- +# --- Optional YAML libs (kept for potential future use; NOT used to rewrite YAML) ------- try: - from ruamel.yaml import YAML + from ruamel.yaml import YAML # noqa: F401 _HAVE_RUAMEL = True except Exception: _HAVE_RUAMEL = False try: - import yaml as pyyaml + import yaml as pyyaml # noqa: F401 _HAVE_PYYAML = True except Exception: _HAVE_PYYAML = False @@ -44,19 +49,19 @@ def de_ansi(s: str) -> str: # 1. Parsing Error (NoneType in Dashboard/Layout) # Grabs the path segment starting exactly at 'Packs/' PARSING_ERROR_RE = re.compile( - r'.*?(?PPacks/[^:]+):\s*\'NoneType\' object is not iterable', + r".*?(?PPacks/[^:]+):\s*'NoneType' object is not iterable", re.IGNORECASE ) # 2. Layout Group Error (e.g., "alert") LAYOUT_GROUP_RE = re.compile( - r'.*?(?PPacks/[^:]+):\s*Layout:.*?Unknown group \"alert\"', + r'.*?(?PPacks/[^:]+):\s*Layout:.*?Unknown group "alert"', re.IGNORECASE ) # 3. Layout Plural Group Error (e.g., "incidents") LAYOUT_PLURAL_GROUP_RE = re.compile( - r'.*?(?PPacks/[^:]+):\s*Layout:.*?Unknown group \"incidents\"', + r'.*?(?PPacks/[^:]+):\s*Layout:.*?Unknown group "incidents"', re.IGNORECASE ) @@ -119,9 +124,6 @@ def detect_repo_root(start_dir: str) -> str: ) root = (res.stdout or "").strip() if root: - # If it's a real content repo, Packs/ should exist (but not strictly required) - if os.path.isdir(os.path.join(root, "Packs")): - return root return root except Exception: pass @@ -142,44 +144,13 @@ def resolve_path(repo_root: str, rel_path: str) -> str: """ Resolves the absolute path to the content item, aggressively ensuring the path is valid. """ - # 1. Clean up and normalize the path extracted from the error log clean_rel_path = rel_path.strip().rstrip(':').replace('\\', os.sep).lstrip('/') - # 2. Find the 'Packs/' segment and discard everything before it (handles noisy prefixes). + # Find the 'Packs/' segment and discard everything before it (handles noisy prefixes). if 'Packs' in clean_rel_path: clean_rel_path = clean_rel_path[clean_rel_path.index('Packs'):] - # 3. Join it directly to the determined repo_root - resolved_path = os.path.normpath(os.path.join(repo_root, clean_rel_path)) - return resolved_path - - -# --- YAML/JSON IO ------------------------------------------------------------ - -def load_yaml(path): - if _HAVE_RUAMEL: - y = YAML() - y.preserve_quotes = True - with open(path, 'r', encoding='utf-8') as f: - data = y.load(f) - return (data if data is not None else {}), 'ruamel' - elif _HAVE_PYYAML: - with open(path, 'r', encoding='utf-8') as f: - data = pyyaml.safe_load(f) - return (data if data is not None else {}), 'pyyaml' - else: - raise RuntimeError("Need ruamel.yaml or PyYAML to parse YAML files.") - - -def dump_yaml(path, data, engine): - if engine == 'ruamel': - y = YAML() - y.preserve_quotes = True - with open(path, 'w', encoding='utf-8') as f: - y.dump(data, f) - else: - with open(path, 'w', encoding='utf-8') as f: - pyyaml.safe_dump(data, f, sort_keys=False) + return os.path.normpath(os.path.join(repo_root, clean_rel_path)) # --- Parsing Error Fixer (JSON) --------------------------------------------- @@ -193,12 +164,10 @@ def fix_json_layout_null(path: str, dry_run: bool): try: with open(path, 'r', encoding='utf-8') as f: - text = f.read() - data = json.loads(text) + data = json.loads(f.read()) except Exception as e: return False, f"SKIP (bad JSON/read error): {path} -> {e}" - # Target specific keys known to cause this issue if set to null keys_to_check = ['layout', 'content'] changed = False @@ -233,8 +202,6 @@ def fix_layout_group_alert(path: str, dry_run: bool): return False, f"SKIP (bad JSON/read error): {path} -> {e}" group_key = (data.get('group') or '').lower() - - # Define bad groups and their intended replacement bad_groups = {'alert': 'incident', 'incidents': 'incident'} if group_key in bad_groups: @@ -250,17 +217,17 @@ def fix_layout_group_alert(path: str, dry_run: bool): return False, f"OK (no change): {path}" -# --- Textual fallback for malformed YAML ------------------------------------ +# --- Textual YAML helpers (SAFE: do not reformat YAML) ----------------------- FROMVERSION_LINE_RE = re.compile(r'(?mi)^(?P\s*)fromversion\s*:\s*(?P[^\n#]+)') +# Top-level id/name lines (fallback only) ID_LINE_RE = re.compile(r'(?mi)^(?P\s*)id\s*:\s*(?P[^\n#]+)') NAME_LINE_RE = re.compile(r'(?mi)^(?P\s*)name\s*:\s*(?P[^\n#]+)') def textual_fix_yaml_fromversion(path: str, min_version: str, dry_run: bool): """ - Fallback when YAML parser fails. Tries to upgrade existing 'fromversion:' - via regex; otherwise inserts a top-level 'fromversion: ' near the top. + SAFE TEXTUAL FIX: adjust/insert fromversion without rewriting YAML structure. """ try: with open(path, 'r', encoding='utf-8') as f: @@ -271,14 +238,14 @@ def textual_fix_yaml_fromversion(path: str, min_version: str, dry_run: bool): m = FROMVERSION_LINE_RE.search(text) if m: cur_raw = (m.group('val') or '').strip().strip('"').strip("'") - new_val = max_version(cur_raw or '0.0.0', min_version) if parse_semver(cur_raw) >= parse_semver(min_version): return False, f"OK (no change, textual): {path} (fromversion={cur_raw})" + new_val = max_version(cur_raw or '0.0.0', min_version) start, end = m.span('val') new_text = text[:start] + new_val + text[end:] if not dry_run: - with open(path, 'w', encoding='utf-8') as f: - f.write(new_text) + with open(path, 'w', encoding='utf-8') as wf: + wf.write(new_text) return True, f"UPDATED (textual): {path} -> fromversion={new_val}" # Insert near the top (after comments/doc markers) @@ -294,18 +261,18 @@ def textual_fix_yaml_fromversion(path: str, min_version: str, dry_run: bool): insert_line = f"fromversion: {min_version}\n" new_lines = lines[:insert_idx] + [insert_line] + lines[insert_idx:] if not dry_run: - with open(path, 'w', encoding='utf-8') as f: - f.write(''.join(new_lines)) + with open(path, 'w', encoding='utf-8') as wf: + wf.write(''.join(new_lines)) return True, f"INSERTED (textual): {path} -> fromversion={min_version}" def textual_fix_yaml_id_equals_name(path: str, dry_run: bool): """ - Fallback when YAML parser fails. - For Scripts, the real id is usually under: - commonfields: - id: <...> - This updates that (or inserts it) to match name. + SAFE TEXTUAL FIX for BA101: + - Prefer updating/adding commonfields.id to match name (Script YAMLs) + - Otherwise update/add top-level id to match name + + This does NOT rewrite YAML; it only replaces/inserts a single line. """ try: with open(path, 'r', encoding='utf-8') as f: @@ -318,18 +285,21 @@ def textual_fix_yaml_id_equals_name(path: str, dry_run: bool): return False, f"SKIP (no name found, textual): {path}" name_val = m_name.group('val').strip() - # Try to update "commonfields:\n id: ..." - COMMONFIELDS_BLOCK_RE = re.compile( + # Attempt: update commonfields block id first + commonfields_block_re = re.compile( r'(?ms)^(?P\s*)commonfields\s*:\s*\n(?P(?:^(?P=indent)[ \t]+.*\n)*)' ) - m_cf = COMMONFIELDS_BLOCK_RE.search(text) + m_cf = commonfields_block_re.search(text) if m_cf: indent = m_cf.group('indent') body = m_cf.group('body') or "" - # Replace id inside the commonfields body - ID_IN_COMMONFIELDS_RE = re.compile(r'(?mi)^(?P' + re.escape(indent) + r'[ \t]+)id\s*:\s*(?P[^\n#]+)') - if ID_IN_COMMONFIELDS_RE.search(body): - new_body = ID_IN_COMMONFIELDS_RE.sub(lambda m: f"{m.group('i')}id: {name_val}", body, count=1) + + id_in_commonfields_re = re.compile( + r'(?mi)^(?P' + re.escape(indent) + r'[ \t]+)id\s*:\s*(?P[^\n#]+)' + ) + + if id_in_commonfields_re.search(body): + new_body = id_in_commonfields_re.sub(lambda m: f"{m.group('i')}id: {name_val}", body, count=1) else: # Insert id at top of the commonfields body new_body = f"{indent} id: {name_val}\n" + body @@ -344,6 +314,7 @@ def textual_fix_yaml_id_equals_name(path: str, dry_run: bool): if ID_LINE_RE.search(text): new_text = ID_LINE_RE.sub(lambda m: f"{m.group('indent')}id: {name_val}", text, count=1) else: + # Insert an id line right after the name line idx = m_name.end() new_text = text[:idx] + f"\nid: {name_val}" + text[idx:] @@ -352,46 +323,24 @@ def textual_fix_yaml_id_equals_name(path: str, dry_run: bool): wf.write(new_text) return True, f"UPDATED (textual): {path} -> id={name_val}" + # --- BA106 fixers ------------------------------------------------------------ def fix_yaml_fromversion(path: str, min_version: str, dry_run: bool): - # Try structured YAML first; on failure, do textual fallback - try: - data, engine = load_yaml(path) - except Exception: - return textual_fix_yaml_fromversion(path, min_version, dry_run) - - lower = str(data.get('fromversion') or '') - camel = str(data.get('fromVersion') or '') - effective = lower or '' - if camel and parse_semver(camel) > parse_semver(effective or '0.0.0'): - effective = camel - - new_val = max_version(effective or '0.0.0', min_version) - - if effective and parse_semver(effective) >= parse_semver(min_version): - if 'fromVersion' in data and 'fromversion' not in data: - if not dry_run: - data['fromversion'] = camel - del data['fromVersion'] - dump_yaml(path, data, engine) - return True, f"NORMALIZED: {path} -> fromVersionβ†’fromversion={camel}" - return False, f"OK (no change): {path} (fromversion={effective})" - - if 'fromVersion' in data: - data.pop('fromVersion', None) - data['fromversion'] = new_val - if not dry_run: - dump_yaml(path, data, engine) - return True, f"UPDATED: {path} -> fromversion={new_val}" + """ + SAFE: Always textual for YAML to avoid breaking indentation inside script block scalars. + """ + return textual_fix_yaml_fromversion(path, min_version, dry_run) def fix_json_fromversion(path: str, min_version: str, dry_run: bool): - with open(path, 'r', encoding='utf-8') as f: - try: + try: + with open(path, 'r', encoding='utf-8') as f: data = json.load(f) - except json.JSONDecodeError: - return False, f"SKIP (invalid JSON): {path}" + except json.JSONDecodeError: + return False, f"SKIP (invalid JSON): {path}" + except Exception as e: + return False, f"SKIP (read error): {path} -> {e}" camel = str(data.get('fromVersion') or '') wrong = str(data.get('fromversion') or '') @@ -439,10 +388,9 @@ def fix_id_name(path: str, dry_run: bool = False): """ BA101 requires: name == id - IMPORTANT: - - For Script YAMLs, the ID is typically `commonfields.id` - - For other items, it may be top-level `id` - This fixer updates whichever is present (prefers commonfields.id when available). + SAFE BEHAVIOR: + - JSON: structured edit + rewrite is safe + - YAML: TEXTUAL ONLY (do not dump YAML; can break embedded Python indentation) """ ext = os.path.splitext(path)[1].lower() if not os.path.exists(path): @@ -456,14 +404,12 @@ def fix_id_name(path: str, dry_run: bool = False): return False, f"SKIP (bad JSON): {path} -> {e}" nm = data.get('name') - if nm is None: + if not nm: return False, f"SKIP (no name): {path}" - # Prefer commonfields.id when present cf = data.get('commonfields') if isinstance(cf, dict) and 'id' in cf: - cur = cf.get('id') - if cur == nm: + if cf.get('id') == nm: return False, f"OK (no change): {path} (commonfields.id=name={nm})" if not dry_run: cf['id'] = nm @@ -472,9 +418,7 @@ def fix_id_name(path: str, dry_run: bool = False): json.dump(data, wf, indent=2, ensure_ascii=False) return True, f"UPDATED: {path} -> commonfields.id={nm}" - # Fall back to top-level id - cur = data.get('id') - if cur == nm: + if data.get('id') == nm: return False, f"OK (no change): {path} (id=name={nm})" if not dry_run: data['id'] = nm @@ -483,38 +427,11 @@ def fix_id_name(path: str, dry_run: bool = False): return True, f"UPDATED: {path} -> id={nm}" if ext in ('.yml', '.yaml'): - try: - data, engine = load_yaml(path) - nm = data.get('name') - if nm is None: - return False, f"SKIP (no name): {path}" - - # Prefer commonfields.id when present (Script YAMLs) - cf = data.get('commonfields') - if isinstance(cf, dict): - cur = cf.get('id') - if cur == nm: - return False, f"OK (no change): {path} (commonfields.id=name={nm})" - if not dry_run: - cf['id'] = nm - data['commonfields'] = cf - dump_yaml(path, data, engine) - return True, f"UPDATED: {path} -> commonfields.id={nm}" - - # Fall back to top-level id - cur = data.get('id') - if cur == nm: - return False, f"OK (no change): {path} (id=name={nm})" - if not dry_run: - data['id'] = nm - dump_yaml(path, data, engine) - return True, f"UPDATED: {path} -> id={nm}" - - except Exception: - return textual_fix_yaml_id_equals_name(path, dry_run) + return textual_fix_yaml_id_equals_name(path, dry_run) return False, f"SKIP (unsupported ext): {path}" + # --- PA128 (pack required files) -------------------------------------------- def fix_pack_required_files(pack_root: str, dry_run: bool = False): @@ -522,7 +439,7 @@ def fix_pack_required_files(pack_root: str, dry_run: bool = False): targets = { ".secrets-ignore": "", ".pack-ignore": "# Add ignore rules here\n", - "README.md.md": f"# {os.path.basename(pack_root)}\n" + "README.md": f"# {os.path.basename(pack_root)}\n", } for fname, content in targets.items(): fpath = os.path.join(pack_root, fname) @@ -573,12 +490,11 @@ def main(): description="Fix common demisto-sdk errors (Parsing, Layout Group, BA106, BA101, PA128, BA102)." ) ap.add_argument("sdk_output", help="Path to saved SDK validation output (e.g., sdk_errors.txt)") - ap.add_argument("--repo-root", default=".", help=argparse.SUPPRESS) # kept for compatibility; ignored unless user sets it + ap.add_argument("--repo-root", default=".", help=argparse.SUPPRESS) # kept for compatibility ap.add_argument("--dry-run", action="store_true", help="Show what would change without writing files") args = ap.parse_args() - # Auto-detect repo root (fixes the 'run from tools/' problem) - # If user explicitly passes --repo-root, honor it. + # Auto-detect repo root; honor explicit --repo-root when user sets it. explicit_root = os.path.abspath(args.repo_root) if args.repo_root and args.repo_root != "." else None repo_root = explicit_root or detect_repo_root(os.getcwd()) @@ -694,9 +610,10 @@ def main(): changes += 1 continue - # ignore other lines - - print(f"\nMatched lines (Parsing/Layout/BA101/BA102/BA106/PA128): {total}. Files changed: {changes}. Dry-run: {args.dry_run}") + print( + f"\nMatched lines (Parsing/Layout/BA101/BA102/BA106/PA128): {total}. " + f"Files changed: {changes}. Dry-run: {args.dry_run}" + ) if __name__ == "__main__": From fcc72c538a75efe794e1ae36d1b77370d1d1931b Mon Sep 17 00:00:00 2001 From: Scott Brumley Date: Mon, 26 Jan 2026 13:45:51 -0500 Subject: [PATCH 30/49] - fix_errors.py was the culprit. It was broken. Trying again - Bump version - Update Catalog --- .../SOCFWIntegrationInstanceManager.yml | 2 +- .../Scripts/SOCFWJobManager.yml | 2 +- .../Scripts/SOCFWLookupManager.yml | 2 +- .../Scripts/SOCFWPackManager.yml | 1032 ++++++++--------- .../soc-framework-manager/pack_metadata.json | 2 +- Packs/soc-framework-manager/xsoar_config.json | 2 +- pack_catalog.json | 2 +- 7 files changed, 510 insertions(+), 534 deletions(-) diff --git a/Packs/soc-framework-manager/Scripts/SOCFWIntegrationInstanceManager.yml b/Packs/soc-framework-manager/Scripts/SOCFWIntegrationInstanceManager.yml index 38ad509..2c6ff3b 100644 --- a/Packs/soc-framework-manager/Scripts/SOCFWIntegrationInstanceManager.yml +++ b/Packs/soc-framework-manager/Scripts/SOCFWIntegrationInstanceManager.yml @@ -1,3 +1,4 @@ +fromversion: 5.0.0 commonfields: id: SOCFWIntegrationInstanceManager version: 4 @@ -152,4 +153,3 @@ engineinfo: {} mainengineinfo: {} restrictioncenter: {} signature: "" -fromversion: 5.0.0 diff --git a/Packs/soc-framework-manager/Scripts/SOCFWJobManager.yml b/Packs/soc-framework-manager/Scripts/SOCFWJobManager.yml index 698d118..454f103 100644 --- a/Packs/soc-framework-manager/Scripts/SOCFWJobManager.yml +++ b/Packs/soc-framework-manager/Scripts/SOCFWJobManager.yml @@ -1,3 +1,4 @@ +fromversion: 5.0.0 commonfields: id: SOCFWJobManager version: 5 @@ -151,4 +152,3 @@ engineinfo: {} mainengineinfo: {} restrictioncenter: {} signature: "" -fromversion: 5.0.0 diff --git a/Packs/soc-framework-manager/Scripts/SOCFWLookupManager.yml b/Packs/soc-framework-manager/Scripts/SOCFWLookupManager.yml index eda3165..89e2d17 100644 --- a/Packs/soc-framework-manager/Scripts/SOCFWLookupManager.yml +++ b/Packs/soc-framework-manager/Scripts/SOCFWLookupManager.yml @@ -1,3 +1,4 @@ +fromversion: 5.0.0 commonfields: id: SOCFWLookupManager version: 4 @@ -272,4 +273,3 @@ engineinfo: {} mainengineinfo: {} restrictioncenter: {} signature: "" -fromversion: 5.0.0 diff --git a/Packs/soc-framework-manager/Scripts/SOCFWPackManager.yml b/Packs/soc-framework-manager/Scripts/SOCFWPackManager.yml index 3aba1d4..36becca 100644 --- a/Packs/soc-framework-manager/Scripts/SOCFWPackManager.yml +++ b/Packs/soc-framework-manager/Scripts/SOCFWPackManager.yml @@ -1,550 +1,528 @@ +fromversion: 5.0.0 commonfields: id: SOCFWPackManager - version: 86 + version: 5 +contentitemexportablefields: + contentitemfields: + packID: soc-framework-manager + packName: "" + itemVersion: "" + fromServerVersion: "" + toServerVersion: "" + definitionid: "" + prevname: "" + isoverridable: false + supportedModules: [] vcShouldKeepItemLegacyProdMachine: false name: SOCFWPackManager -script: "import json\nimport time\nfrom typing import Any, Dict, List, Optional\n\nimport requests\n\n# ============================================================\n - # SOCFWPackManager (bootloader)\n# - list: shows SOC Framework pack catalog (now - supports paging/filtering)\n# - apply: resolves pack_id via secops-framework pack_catalog.json\n - # - marketplace install: uses XSIAMContentPackInstaller (Anna’s) when available\n - # - custom ZIP install: uses core-api-install-packs with file_url (NOT pack_url)\n - # - configure: runs your SOCFW* manager scripts (jobs/lookups)\n#\n# FIX:\n# - Create - integration instances directly via core-api-put to\n# /xsoar/public/v1/settings/integration\n - # - Treat \"already exists (33)\" as success so reruns are idempotent.\n#\n# CHANGE:\n - # - Reduce logging by default + debug flag\n# - Fix Trend/large pack uploads by:\n\ - # - honoring skip_verify/skip_validation args\n# - adding install_timeout (default +script: "import json\nimport time\nfrom typing import Any, Dict, List, Optional\n\nimport + requests\n\n# ============================================================\n# SOCFWPackManager + (bootloader)\n# - list: shows SOC Framework pack catalog (now supports paging/filtering)\n# + - apply: resolves pack_id via secops-framework pack_catalog.json\n# - marketplace + install: uses XSIAMContentPackInstaller (Anna’s) when available\n# - custom ZIP + install: uses core-api-install-packs with file_url (NOT pack_url)\n# - configure: + runs your SOCFW* manager scripts (jobs/lookups)\n#\n# FIX:\n# - Create integration + instances directly via core-api-put to\n# /xsoar/public/v1/settings/integration\n# + - Treat \"already exists (33)\" as success so reruns are idempotent.\n#\n# CHANGE:\n# + - Reduce logging by default + debug flag\n# - Fix Trend/large pack uploads by:\n# + \ - honoring skip_verify/skip_validation args\n# - adding install_timeout (default 3600s) for core-api-install-packs\n# - if upload call times out: poll until pack shows installed, then continue\n# - LOUD pre_config_docs + post_config_docs (+ optional README previews)\n# - NEW: pre-config gate (default ON): print PRE docs then STOP unless pre_config_done=true\n# - NEW: POST docs printed as the VERY LAST War Room - entry (after return_results)\n# ============================================================\n - \nSCRIPT_NAME = \"SOCFWPackManager\"\n\n# ---------------------------\n# Basic helpers\n - # ---------------------------\n\ndef _norm(s: Any) -> str:\n return (str(s) if - s is not None else \"\").strip()\n\ndef _to_lower(s: Any) -> str:\n return _norm(s).lower()\n - \ndef _parse_csv(val: Any) -> List[str]:\n s = _norm(val)\n if not s:\n \ - \ return []\n return [x.strip() for x in s.split(\",\") if x.strip()]\n\n - def _safe_sort_key(row: Dict[str, Any], key: str) -> str:\n return _norm(row.get(key, - \"\")).lower()\n\n# ---------------------------\n# Demisto helpers\n# ---------------------------\n - \ndef get_error(res):\n try:\n return res[0].get(\"Contents\") or res[0].get(\"\ - HumanReadable\") or str(res[0])\n except Exception:\n return str(res)\n - \ndef is_error(res0):\n try:\n return bool(res0.get(\"Type\") == 4) # - entryTypes[\"error\"] == 4\n except Exception:\n return False\n\ndef get_contents(res):\n\ - \ if not res or not isinstance(res, list) or not res[0]:\n return {}\n\ - \ return res[0].get(\"Contents\") or {}\n\ndef arg_to_bool(val, default=False) - -> bool:\n if val is None:\n return default\n if isinstance(val, bool):\n\ - \ return val\n s = str(val).strip().lower()\n if s == \"\":\n \ - \ return default\n return s in (\"true\", \"1\", \"yes\", \"y\", \"on\")\n\n - def to_int(val, default: int) -> int:\n try:\n return int(val)\n except - Exception:\n return default\n\ndef bool_str_tf(val: bool) -> str:\n return - \"True\" if bool(val) else \"False\"\n\ndef is_timeout_error(err_text: str) -> bool:\n\ - \ if not err_text:\n return False\n t = err_text.lower()\n return - (\n \"timeout\" in t\n or \"timed out\" in t\n or \"read timed - out\" in t\n or \"request timed out\" in t\n or \"context deadline - exceeded\" in t\n or \"client.timeout exceeded\" in t\n or \"awaiting - headers\" in t\n or \"context deadline exceeded (client.timeout exceeded - while awaiting headers)\" in t\n )\n\ndef emit_progress(message: str, stage: - Optional[str] = None):\n title = f\"{SCRIPT_NAME} β€” {stage}\" if stage else SCRIPT_NAME\n\ - \ demisto.results(\n {\n \"Type\": 1,\n \"ContentsFormat\"\ - : \"markdown\",\n \"Contents\": message,\n \"HumanReadable\"\ - : f\"### {title}\\n{message}\",\n }\n )\n\ndef log(message: str, stage: - Optional[str], debug: bool, always: bool = False):\n if always or debug:\n \ - \ emit_progress(message, stage=stage)\n\ndef exec_cmd(command: str, args: Dict[str, - Any], fail_on_error: bool = True):\n res = demisto.executeCommand(command, args)\n\ - \ if not res:\n if fail_on_error:\n raise Exception(f\"{command} - returned empty response\")\n return res\n if is_error(res[0]):\n \ - \ if fail_on_error:\n raise Exception(get_error(res))\n return - res\n return res\n\ndef exec_with_retry(\n command: str,\n args: Dict[str, - Any],\n retry_count: int,\n retry_sleep_seconds: int,\n context_for_error: - str,\n fail_on_error: bool = True,\n):\n last_err = None\n for attempt - in range(1, max(1, retry_count) + 1):\n try:\n return exec_cmd(command, - args, fail_on_error=fail_on_error)\n except Exception as e:\n \ - \ last_err = str(e)\n if attempt >= retry_count:\n break\n\ - \ time.sleep(max(1, retry_sleep_seconds))\n continue\n \ - \ if fail_on_error:\n raise Exception(f\"{context_for_error}\\nError: {last_err}\"\ - )\n return None\n\ndef is_instance_already_exists_error(err_text: str) -> bool:\n\ - \ if not err_text:\n return False\n return \"already exists (33)\" - in err_text.lower()\n\n# ---------------------------\n# Pre/Post docs helpers (LOUD - + optional content)\n# ---------------------------\n\ndef _md_link(name: str, url: - str) -> str:\n n = (name or \"\").strip() or url\n u = (url or \"\").strip()\n\ - \ if not u:\n return f\"- {n}\"\n return f\"- [{n}]({u})\"\n\ndef _github_blob_to_raw(url: - str) -> str:\n \"\"\"\n Convert:\n https://github.com/org/repo/blob/branch/path/file.md\n\ - \ To:\n https://raw.githubusercontent.com/org/repo/branch/path/file.md\n\ - \ If it's already a raw URL, return as-is.\n \"\"\"\n u = (url or \"\"\ - ).strip()\n if not u:\n return u\n if \"raw.githubusercontent.com\"\ - \ in u:\n return u\n if u.startswith(\"https://github.com/\") and \"/blob/\"\ - \ in u:\n rest = u[len(\"https://github.com/\"):]\n parts = rest.split(\"\ - /\")\n if len(parts) >= 5 and parts[2] == \"blob\":\n org = parts[0]\n\ - \ repo = parts[1]\n branch = parts[3]\n path = - \"/\".join(parts[4:])\n return f\"https://raw.githubusercontent.com/{org}/{repo}/{branch}/{path}\"\ - \n return u\n\ndef _fetch_text(url: str, timeout: int = 20) -> str:\n r = - requests.get(url, timeout=timeout)\n r.raise_for_status()\n return r.text - or \"\"\n\ndef _truncate_text(s: str, max_chars: int, max_lines: int) -> str:\n\ - \ if not s:\n return \"\"\n lines = s.splitlines()\n if max_lines - and len(lines) > max_lines:\n lines = lines[:max_lines]\n s = \"\\\ - n\".join(lines) + \"\\n\\n... (truncated by max_lines) ...\"\n if max_chars and - len(s) > max_chars:\n s = s[:max_chars] + \"\\n\\n... (truncated by max_chars) - ...\"\n return s\n\ndef has_config_docs(xsoar_cfg: Dict[str, Any], when: str) - -> bool:\n key = \"pre_config_docs\" if when == \"pre\" else \"post_config_docs\"\ - \n docs = xsoar_cfg.get(key) or []\n if not isinstance(docs, list):\n \ - \ return False\n for d in docs:\n if isinstance(d, dict) and _norm(d.get(\"\ - url\") or d.get(\"name\")):\n return True\n if isinstance(d, str) - and _norm(d):\n return True\n return False\n\ndef print_config_docs(\n\ - \ xsoar_cfg: Dict[str, Any],\n when: str,\n debug: bool,\n include_doc_content: - bool = False,\n doc_content_max_chars: int = 6000,\n doc_content_max_lines: - int = 200,\n):\n \"\"\"\n when: \"pre\" or \"post\"\n Prints docs listed - in xsoar_config.json:\n pre_config_docs: [{name,url}, ...]\n post_config_docs: - [{name,url}, ...]\n If include_doc_content=True (or debug=True), fetches and - embeds doc text (truncated).\n \"\"\"\n key = \"pre_config_docs\" if when - == \"pre\" else \"post_config_docs\"\n docs = xsoar_cfg.get(key) or []\n if - not isinstance(docs, list) or not docs:\n log(f\"No {key} found in xsoar_config.json.\"\ - , stage=f\"docs.{when}\", debug=debug)\n return\n\n banner_title = \" - 🚧 PRE-INSTALL / PRE-CONFIG REQUIRED STEPS\" if when == \"pre\" else \"βœ… POST-INSTALL - / POST-CONFIG MANUAL STEPS\"\n banner_sub = (\n \"_These docs usually - contain prerequisites / manual steps you must complete BEFORE install._\"\n \ - \ if when == \"pre\"\n else \"_These docs usually contain manual follow-ups - and validation steps AFTER completion._\"\n )\n\n banner = \"\\n\".join([\"\ - ---\", f\"## {banner_title}\", banner_sub, \"---\"])\n\n link_lines: List[str] - = []\n normalized_docs: List[Dict[str, str]] = []\n for d in docs:\n \ - \ if isinstance(d, dict):\n name = _norm(d.get(\"name\") or \"\")\n\ - \ url = _norm(d.get(\"url\") or \"\")\n if url or name:\n\ - \ link_lines.append(_md_link(name, url))\n normalized_docs.append({\"\ - name\": name or url, \"url\": url})\n elif isinstance(d, str):\n \ - \ s = _norm(d)\n if s:\n link_lines.append(f\"- {s}\"\ - )\n normalized_docs.append({\"name\": s, \"url\": s})\n\n if not - link_lines:\n log(f\"No valid entries in {key}.\", stage=f\"docs.{when}\"\ - , debug=debug)\n return\n\n want_content = bool(include_doc_content or - debug)\n\n body: List[str] = [banner, \"### Links\", *link_lines]\n\n if want_content - and normalized_docs:\n body += [\"\", \"### Doc contents (preview)\", \" - _Showing a truncated preview._\", \"\"]\n\n for d in normalized_docs:\n \ + entry (after return_results)\n# ============================================================\n\nSCRIPT_NAME + = \"SOCFWPackManager\"\n\n# ---------------------------\n# Basic helpers\n# ---------------------------\n\ndef + _norm(s: Any) -> str:\n return (str(s) if s is not None else \"\").strip()\n\ndef + _to_lower(s: Any) -> str:\n return _norm(s).lower()\n\ndef _parse_csv(val: Any) + -> List[str]:\n s = _norm(val)\n if not s:\n return []\n return + [x.strip() for x in s.split(\",\") if x.strip()]\n\ndef _safe_sort_key(row: Dict[str, + Any], key: str) -> str:\n return _norm(row.get(key, \"\")).lower()\n\n# ---------------------------\n# + Demisto helpers\n# ---------------------------\n\ndef get_error(res):\n try:\n + \ return res[0].get(\"Contents\") or res[0].get(\"HumanReadable\") or str(res[0])\n + \ except Exception:\n return str(res)\n\ndef is_error(res0):\n try:\n + \ return bool(res0.get(\"Type\") == 4) # entryTypes[\"error\"] == 4\n except + Exception:\n return False\n\ndef get_contents(res):\n if not res or not + isinstance(res, list) or not res[0]:\n return {}\n return res[0].get(\"Contents\") + or {}\n\ndef arg_to_bool(val, default=False) -> bool:\n if val is None:\n return + default\n if isinstance(val, bool):\n return val\n s = str(val).strip().lower()\n + \ if s == \"\":\n return default\n return s in (\"true\", \"1\", \"yes\", + \"y\", \"on\")\n\ndef to_int(val, default: int) -> int:\n try:\n return + int(val)\n except Exception:\n return default\n\ndef bool_str_tf(val: + bool) -> str:\n return \"True\" if bool(val) else \"False\"\n\ndef is_timeout_error(err_text: + str) -> bool:\n if not err_text:\n return False\n t = err_text.lower()\n + \ return (\n \"timeout\" in t\n or \"timed out\" in t\n or + \"read timed out\" in t\n or \"request timed out\" in t\n or \"context + deadline exceeded\" in t\n or \"client.timeout exceeded\" in t\n or + \"awaiting headers\" in t\n or \"context deadline exceeded (client.timeout + exceeded while awaiting headers)\" in t\n )\n\ndef emit_progress(message: str, + stage: Optional[str] = None):\n title = f\"{SCRIPT_NAME} β€” {stage}\" if stage + else SCRIPT_NAME\n demisto.results(\n {\n \"Type\": 1,\n \"ContentsFormat\": + \"markdown\",\n \"Contents\": message,\n \"HumanReadable\": + f\"### {title}\\n{message}\",\n }\n )\n\ndef log(message: str, stage: + Optional[str], debug: bool, always: bool = False):\n if always or debug:\n emit_progress(message, + stage=stage)\n\ndef exec_cmd(command: str, args: Dict[str, Any], fail_on_error: + bool = True):\n res = demisto.executeCommand(command, args)\n if not res:\n + \ if fail_on_error:\n raise Exception(f\"{command} returned empty + response\")\n return res\n if is_error(res[0]):\n if fail_on_error:\n + \ raise Exception(get_error(res))\n return res\n return res\n\ndef + exec_with_retry(\n command: str,\n args: Dict[str, Any],\n retry_count: + int,\n retry_sleep_seconds: int,\n context_for_error: str,\n fail_on_error: + bool = True,\n):\n last_err = None\n for attempt in range(1, max(1, retry_count) + + 1):\n try:\n return exec_cmd(command, args, fail_on_error=fail_on_error)\n + \ except Exception as e:\n last_err = str(e)\n if attempt + >= retry_count:\n break\n time.sleep(max(1, retry_sleep_seconds))\n + \ continue\n if fail_on_error:\n raise Exception(f\"{context_for_error}\\nError: + {last_err}\")\n return None\n\ndef is_instance_already_exists_error(err_text: + str) -> bool:\n if not err_text:\n return False\n return \"already + exists (33)\" in err_text.lower()\n\n# ---------------------------\n# Pre/Post docs + helpers (LOUD + optional content)\n# ---------------------------\n\ndef _md_link(name: + str, url: str) -> str:\n n = (name or \"\").strip() or url\n u = (url or \"\").strip()\n + \ if not u:\n return f\"- {n}\"\n return f\"- [{n}]({u})\"\n\ndef _github_blob_to_raw(url: + str) -> str:\n \"\"\"\n Convert:\n https://github.com/org/repo/blob/branch/path/file.md\n + \ To:\n https://raw.githubusercontent.com/org/repo/branch/path/file.md\n + \ If it's already a raw URL, return as-is.\n \"\"\"\n u = (url or \"\").strip()\n + \ if not u:\n return u\n if \"raw.githubusercontent.com\" in u:\n return + u\n if u.startswith(\"https://github.com/\") and \"/blob/\" in u:\n rest + = u[len(\"https://github.com/\"):]\n parts = rest.split(\"/\")\n if + len(parts) >= 5 and parts[2] == \"blob\":\n org = parts[0]\n repo + = parts[1]\n branch = parts[3]\n path = \"/\".join(parts[4:])\n + \ return f\"https://raw.githubusercontent.com/{org}/{repo}/{branch}/{path}\"\n + \ return u\n\ndef _fetch_text(url: str, timeout: int = 20) -> str:\n r = requests.get(url, + timeout=timeout)\n r.raise_for_status()\n return r.text or \"\"\n\ndef _truncate_text(s: + str, max_chars: int, max_lines: int) -> str:\n if not s:\n return \"\"\n + \ lines = s.splitlines()\n if max_lines and len(lines) > max_lines:\n lines + = lines[:max_lines]\n s = \"\\n\".join(lines) + \"\\n\\n... (truncated by + max_lines) ...\"\n if max_chars and len(s) > max_chars:\n s = s[:max_chars] + + \"\\n\\n... (truncated by max_chars) ...\"\n return s\n\ndef has_config_docs(xsoar_cfg: + Dict[str, Any], when: str) -> bool:\n key = \"pre_config_docs\" if when == \"pre\" + else \"post_config_docs\"\n docs = xsoar_cfg.get(key) or []\n if not isinstance(docs, + list):\n return False\n for d in docs:\n if isinstance(d, dict) + and _norm(d.get(\"url\") or d.get(\"name\")):\n return True\n if + isinstance(d, str) and _norm(d):\n return True\n return False\n\ndef + print_config_docs(\n xsoar_cfg: Dict[str, Any],\n when: str,\n debug: bool,\n + \ include_doc_content: bool = False,\n doc_content_max_chars: int = 6000,\n + \ doc_content_max_lines: int = 200,\n):\n \"\"\"\n when: \"pre\" or \"post\"\n + \ Prints docs listed in xsoar_config.json:\n pre_config_docs: [{name,url}, + ...]\n post_config_docs: [{name,url}, ...]\n If include_doc_content=True + (or debug=True), fetches and embeds doc text (truncated).\n \"\"\"\n key = + \"pre_config_docs\" if when == \"pre\" else \"post_config_docs\"\n docs = xsoar_cfg.get(key) + or []\n if not isinstance(docs, list) or not docs:\n log(f\"No {key} found + in xsoar_config.json.\", stage=f\"docs.{when}\", debug=debug)\n return\n\n + \ banner_title = \" \U0001F6A7 PRE-INSTALL / PRE-CONFIG REQUIRED STEPS\" if when + == \"pre\" else \"βœ… POST-INSTALL / POST-CONFIG MANUAL STEPS\"\n banner_sub = + (\n \"_These docs usually contain prerequisites / manual steps you must complete + BEFORE install._\"\n if when == \"pre\"\n else \"_These docs usually + contain manual follow-ups and validation steps AFTER completion._\"\n )\n\n banner + = \"\\n\".join([\"---\", f\"## {banner_title}\", banner_sub, \"---\"])\n\n link_lines: + List[str] = []\n normalized_docs: List[Dict[str, str]] = []\n for d in docs:\n + \ if isinstance(d, dict):\n name = _norm(d.get(\"name\") or \"\")\n + \ url = _norm(d.get(\"url\") or \"\")\n if url or name:\n link_lines.append(_md_link(name, + url))\n normalized_docs.append({\"name\": name or url, \"url\": url})\n + \ elif isinstance(d, str):\n s = _norm(d)\n if s:\n + \ link_lines.append(f\"- {s}\")\n normalized_docs.append({\"name\": + s, \"url\": s})\n\n if not link_lines:\n log(f\"No valid entries in {key}.\", + stage=f\"docs.{when}\", debug=debug)\n return\n\n want_content = bool(include_doc_content + or debug)\n\n body: List[str] = [banner, \"### Links\", *link_lines]\n\n if + want_content and normalized_docs:\n body += [\"\", \"### Doc contents (preview)\", + \" _Showing a truncated preview._\", \"\"]\n\n for d in normalized_docs:\n \ name = d.get(\"name\") or \"\"\n url = d.get(\"url\") or - \"\"\n raw_url = _github_blob_to_raw(url)\n try:\n \ - \ text = _fetch_text(raw_url, timeout=20)\n text = _truncate_text(text, - max_chars=doc_content_max_chars, max_lines=doc_content_max_lines)\n\n \ - \ body.append(\n \"\\n\".join(\n \ - \ [\n \"
\",\n f\"\ - {name} (click to expand)\",\n \ - \ \"\",\n \"```markdown\",\n \ - \ text,\n \"```\",\n \ - \ \"\",\n f\"_Source: {raw_url}_\",\n \ - \ \"
\",\n \"\",\n \ - \ ]\n )\n )\n except Exception - as e:\n body.append(f\"- **{name}**: could not fetch preview ({e})\"\ - )\n\n emit_progress(\"\\n\".join(body), stage=f\"docs.{when}\")\n\n# ---------------------------\n - # Core API wrappers\n# ---------------------------\n\ndef core_api_get(path: str, - using: str = \"\", execution_timeout: int = 600) -> Dict[str, Any]:\n args = - {\"uri\": path, \"execution-timeout\": str(execution_timeout)}\n if using:\n\ - \ args[\"using\"] = using\n res = exec_cmd(\"core-api-get\", args)\n \ - \ return get_contents(res) or {}\n\ndef core_api_post(path: str, body: Any, using: - str = \"\", execution_timeout: int = 600) -> Dict[str, Any]:\n args = {\"uri\"\ - : path, \"body\": json.dumps(body if body is not None else {}), \"execution-timeout\"\ - : str(execution_timeout)}\n if using:\n args[\"using\"] = using\n res - = exec_cmd(\"core-api-post\", args)\n return get_contents(res) or {}\n\ndef core_api_put(path: - str, body: Any, using: str = \"\", execution_timeout: int = 600) -> Dict[str, Any]:\n\ - \ args = {\"uri\": path, \"body\": json.dumps(body if body is not None else {}), - \"execution-timeout\": str(execution_timeout)}\n if using:\n args[\"using\"\ - ] = using\n res = exec_cmd(\"core-api-put\", args)\n return get_contents(res) - or {}\n\n# ---------------------------\n# HTTP JSON helpers\n# ---------------------------\n - \ndef http_get_json(url: str, timeout: int = 30) -> Any:\n r = requests.get(url, - timeout=timeout)\n r.raise_for_status()\n return r.json()\n\n# ---------------------------\n - # Catalog + Manifest resolver\n# ---------------------------\n\nDEFAULT_CATALOG_URL - = \"https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/pack_catalog.json\"\ - \n\ndef fetch_pack_catalog(catalog_url: str = DEFAULT_CATALOG_URL) -> Dict[str, - Any]:\n data = http_get_json(catalog_url)\n if not isinstance(data, dict):\n\ - \ raise Exception(f\"pack_catalog.json unexpected format at {catalog_url}\"\ - )\n return data\n\ndef find_pack_in_catalog(catalog: Dict[str, Any], pack_id: - str) -> Optional[Dict[str, Any]]:\n packs = catalog.get(\"packs\") or catalog.get(\"\ - Packs\") or catalog.get(\"items\") or []\n if not isinstance(packs, list):\n\ - \ return None\n for p in packs:\n if isinstance(p, dict) and (p.get(\"\ - id\") == pack_id):\n return p\n return None\n\ndef resolve_manifest(pack_id: - str, include_hidden: bool) -> Dict[str, Any]:\n if pack_id.startswith(\"http://\"\ - ) or pack_id.startswith(\"https://\"):\n return http_get_json(pack_id)\n\n\ - \ catalog = fetch_pack_catalog(DEFAULT_CATALOG_URL)\n pack = find_pack_in_catalog(catalog, - pack_id)\n if not pack:\n raise Exception(f\"Pack '{pack_id}' not found - in pack_catalog.json\")\n\n visible = bool(pack.get(\"visible\", True))\n \ - \ if (not include_hidden) and (not visible):\n # Back-compat: allow resolution; - list hides it unless include_hidden=True\n pass\n\n version = (pack.get(\"\ - version\") or \"\").strip()\n if not version:\n raise Exception(f\"Pack - '{pack_id}' missing version in pack_catalog.json\")\n\n xsoar_config_url = f\"\ - https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/Packs/{pack_id}/xsoar_config.json\"\ - \n release_tag = f\"{pack_id}-v{version}\"\n zip_url = f\"https://github.com/Palo-Cortex/secops-framework/releases/download/{release_tag}/{release_tag}.zip\"\ - \n\n marketplace_packs = [\n {\"id\": \"Base\", \"version\": \"latest\"\ - },\n {\"id\": \"CommonScripts\", \"version\": \"latest\"},\n {\"id\"\ - : \"CommonPlaybooks\", \"version\": \"latest\"},\n {\"id\": \"DemistoRESTAPI\"\ - , \"version\": \"latest\"},\n {\"id\": \"Whois\", \"version\": \"latest\"\ - },\n ]\n\n return {\n \"marketplace_packs\": marketplace_packs,\n \ - \ \"custom_zip_urls\": [{\"url\": zip_url, \"name\": release_tag}],\n \ - \ \"xsoar_config_url\": xsoar_config_url,\n \"pack_catalog_entry\": pack,\n\ - \ \"pack_version\": version,\n }\n\n# ---------------------------\n# list - action (filter + paging)\n# ---------------------------\n\ndef do_list(args: Dict[str, - Any]):\n using = _norm(args.get(\"using\") or \"\")\n include_hidden = arg_to_bool(args.get(\"\ - include_hidden\"), False)\n\n # list args\n text_filter = _to_lower(args.get(\"\ - filter\") or args.get(\"q\") or \"\")\n visible_only = arg_to_bool(args.get(\"\ - visible_only\"), True)\n limit = max(1, to_int(args.get(\"limit\"), 50))\n \ - \ offset = max(0, to_int(args.get(\"offset\"), 0))\n sort_by = (_norm(args.get(\"\ - sort_by\")) or \"id\").strip()\n sort_dir = (_norm(args.get(\"sort_dir\")) or - \"asc\").strip().lower()\n fields = _parse_csv(args.get(\"fields\")) or [\"id\"\ - , \"display_name\", \"version\", \"visible\", \"path\"]\n show_total = arg_to_bool(args.get(\"\ - show_total\"), True)\n\n emit_progress(\"Fetching catalog…\", stage=\"list\"\ - )\n\n catalog = fetch_pack_catalog(DEFAULT_CATALOG_URL)\n packs = catalog.get(\"\ - packs\") or catalog.get(\"Packs\") or catalog.get(\"items\") or []\n if not isinstance(packs, - list):\n raise Exception(\"pack_catalog.json is missing 'packs' list\")\n\ - \n rows: List[Dict[str, Any]] = []\n for p in packs:\n if not isinstance(p, - dict):\n continue\n\n visible = bool(p.get(\"visible\", True))\n\ - \n if (not include_hidden) and (not visible):\n continue\n \ - \ if visible_only and (not visible):\n continue\n\n row = - {\n \"id\": p.get(\"id\", \"\"),\n \"display_name\": p.get(\"\ - display_name\") or p.get(\"name\") or \"\",\n \"version\": p.get(\"version\"\ - , \"\"),\n \"visible\": str(visible).lower(),\n \"path\": - p.get(\"path\") or f\"Packs/{p.get('id','')}\",\n }\n\n if text_filter:\n\ - \ hay = \" \".join([_to_lower(row.get(\"id\")), _to_lower(row.get(\"\ - display_name\")), _to_lower(row.get(\"path\"))])\n if text_filter not - in hay:\n continue\n\n rows.append(row)\n\n total = len(rows)\n\ - \n allowed_sort = {\"id\", \"display_name\", \"version\", \"visible\", \"path\"\ - }\n if sort_by not in allowed_sort:\n sort_by = \"id\"\n reverse = - sort_dir == \"desc\"\n rows.sort(key=lambda r: _safe_sort_key(r, sort_by), reverse=reverse)\n\ - \n page = rows[offset: offset + limit]\n start = offset + 1 if page else 0\n\ - \ end = offset + len(page)\n\n allowed_fields = [\"id\", \"display_name\" - , \"version\", \"visible\", \"path\"]\n fields = [f for f in fields if f in allowed_fields] - or [\"id\", \"display_name\", \"version\", \"visible\", \"path\"]\n\n header_line - = \"| \" + \" | \".join(fields) + \" |\\n\"\n sep_line = \"| \" + \" | \".join([\"\ - ---\"] * len(fields)) + \" |\\n\"\n table = header_line + sep_line\n for r - in page:\n table += \"| \" + \" | \".join([_norm(r.get(f, \"\")) for f in - fields]) + \" |\\n\"\n\n summary_lines = [\n f\"using: {(using or '(default)')}\"\ - ,\n f\"include_hidden: {include_hidden}\",\n f\"visible_only: {visible_only}\"\ - ,\n ]\n if text_filter:\n summary_lines.append(f\"filter: `{text_filter}`\"\ - )\n summary_lines.append(f\"sort: {sort_by} {sort_dir}\")\n summary_lines.append(f\"\ - page: limit={limit}, offset={offset}\")\n if show_total:\n summary_lines.append(f\"\ - showing: {start}-{end} of {total}\")\n\n emit_progress(\"\\n\".join(summary_lines) - + \"\\n\\n\" + table, stage=\"list\")\n return\n\n# ---------------------------\n - # Marketplace install (USE ANNA’S SCRIPT)\n# ---------------------------\n\ndef - install_marketplace_packs(\n marketplace_packs: List[Dict[str, str]],\n using: - str,\n retry_count: int,\n retry_sleep_seconds: int,\n debug: bool,\n) - -> Dict[str, Any]:\n if debug:\n emit_progress(\n \"Installing - marketplace packs via **XSIAMContentPackInstaller**…\\n\"\n + \"\\n\"\ - .join([f'{p.get(\"id\")} @ {p.get(\"version\")}' for p in marketplace_packs]),\n\ - \ stage=\"packs.marketplace\",\n )\n else:\n emit_progress(\n\ - \ f\"Installing marketplace packs via **XSIAMContentPackInstaller**… - ({len(marketplace_packs)} pack(s))\",\n stage=\"packs.marketplace\",\n\ - \ )\n\n args = {\n \"packs_data\": marketplace_packs,\n \ - \ \"pack_id_key\": \"id\",\n \"pack_version_key\": \"version\",\n \ - \ \"install_dependencies\": \"true\",\n }\n if using:\n args[\"using\"\ - ] = using\n\n res = exec_with_retry(\n \"XSIAMContentPackInstaller\",\n\ - \ args,\n retry_count=retry_count,\n retry_sleep_seconds=retry_sleep_seconds,\n\ - \ context_for_error=\"Failed installing marketplace packs via XSIAMContentPackInstaller\"\ - ,\n fail_on_error=True,\n )\n return get_contents(res) if res else - {}\n\ndef fetch_installed_marketplace_pack_ids(using: str) -> List[str]:\n try:\n\ - \ r = core_api_get(\"/public/v1/contentpacks/metadata/installed\", using=using)\n\ - \ packs = (r.get(\"response\") or []) if isinstance(r, dict) else []\n \ - \ ids = []\n for p in packs:\n pid = p.get(\"id\")\n \ - \ if pid:\n ids.append(pid)\n return ids\n except - Exception:\n return []\n\n# ---------------------------\n# xsoar_config\n - # ---------------------------\n\ndef fetch_xsoar_config(xsoar_config_url: str) -> - Dict[str, Any]:\n data = http_get_json(xsoar_config_url)\n if not isinstance(data, - dict):\n raise Exception(f\"xsoar_config.json unexpected format at {xsoar_config_url}\"\ - )\n return data\n\n# ---------------------------\n# Custom packs install (with - timeout -> polling fallback)\n# ---------------------------\n\ndef wait_for_pack_installed(\n\ - \ pack_id: str,\n using: str,\n poll_seconds: int,\n poll_interval_seconds: - int,\n debug: bool,\n) -> bool:\n deadline = time.time() + max(0, poll_seconds)\n\ - \ interval = max(5, poll_interval_seconds)\n\n log(\n f\"Polling for - pack install completion: **{pack_id}** (up to {poll_seconds}s, every {interval}s)…\"\ - ,\n stage=\"packs.custom.poll\",\n debug=debug,\n always=True,\n\ - \ )\n\n while True:\n try:\n installed = fetch_installed_marketplace_pack_ids(using)\n\ - \ if pack_id in installed:\n log(f\"Pack **{pack_id}** - is now installed.\", stage=\"packs.custom.poll\", debug=debug, always=True)\n \ - \ return True\n except Exception as e:\n log(f\" - Poll check error (will retry): {e}\", stage=\"packs.custom.poll.debug\", debug=debug)\n\ - \n if time.time() >= deadline:\n log(\n f\"Polling - window expired; pack **{pack_id}** not detected as installed yet.\",\n \ - \ stage=\"packs.custom.poll\",\n debug=debug,\n \ - \ always=True,\n )\n return False\n\n time.sleep(interval)\n - \ndef install_custom_pack_zip(\n url: str,\n pack_id: str,\n using: str,\n\ - \ execution_timeout: int,\n install_timeout: int,\n retry_count: int,\n\ - \ retry_sleep_seconds: int,\n skip_verify: bool,\n skip_validation: bool,\n\ - \ post_install_poll_seconds: int,\n post_install_poll_interval_seconds: int,\n\ - \ continue_on_install_timeout: bool,\n debug: bool,\n):\n effective_timeout - = max(1200, execution_timeout, install_timeout)\n\n args = {\n \"file_url\"\ - : url,\n \"execution-timeout\": str(effective_timeout),\n \"skip_verify\"\ - : bool_str_tf(skip_verify),\n \"skip_validation\": bool_str_tf(skip_validation),\n\ - \ }\n if using:\n args[\"using\"] = using\n\n if debug:\n \ - \ emit_progress(\n \"\\n\".join(\n [\n \ - \ \"core-api-install-packs:\",\n f\"- file_url: {url}\"\ - ,\n f\"- execution-timeout: {effective_timeout}\",\n \ - \ f\"- skip_verify: {skip_verify}\",\n f\"- skip_validation: - {skip_validation}\",\n ]\n ),\n stage=\"packs.custom.debug\"\ - ,\n )\n\n try:\n exec_with_retry(\n \"core-api-install-packs\"\ - ,\n args,\n retry_count=retry_count,\n retry_sleep_seconds=retry_sleep_seconds,\n\ - \ context_for_error=f\"Failed installing custom pack ZIP: {url}\",\n\ - \ fail_on_error=True,\n )\n return\n\n except Exception - as e:\n err = str(e)\n\n if is_timeout_error(err):\n emit_progress(\n\ - \ \"\\n\".join(\n [\n \"\ - Custom pack upload call timed out (client-side).\",\n \" - This often means the server is still uploading/processing.\",\n \ - \ f\"Switching to polling for installed pack: **{pack_id}**\",\n \ - \ ]\n ),\n stage=\"packs.custom.timeout\"\ - ,\n )\n\n ok = wait_for_pack_installed(\n pack_id=pack_id,\n\ - \ using=using,\n poll_seconds=post_install_poll_seconds,\n\ - \ poll_interval_seconds=post_install_poll_interval_seconds,\n \ - \ debug=debug,\n )\n\n if ok:\n \ - \ return\n\n msg = (\n \"Upload timed out and polling - did not observe the pack as installed.\\n\"\n f\"pack_id={pack_id}\\\ - nurl={url}\\n\"\n f\"poll_seconds={post_install_poll_seconds}, interval={post_install_poll_interval_seconds}\\\ - n\"\n \"You can retry or increase post_install_poll_seconds.\"\n\ - \ )\n\n if continue_on_install_timeout:\n emit_progress(msg - + \"\\n\\ncontinue_on_install_timeout=True β€” continuing anyway.\", stage=\"packs.custom.timeout\"\ - )\n return\n\n raise Exception(msg)\n\n raise\n - \n# ---------------------------\n# Configure (jobs / integrations / lookups)\n# - ---------------------------\n\ndef configure_integrations_from_xsoar_config(\n \ + \"\"\n raw_url = _github_blob_to_raw(url)\n try:\n text + = _fetch_text(raw_url, timeout=20)\n text = _truncate_text(text, + max_chars=doc_content_max_chars, max_lines=doc_content_max_lines)\n\n body.append(\n + \ \"\\n\".join(\n [\n \"
\",\n + \ f\"{name} (click to expand)\",\n + \ \"\",\n \"```markdown\",\n + \ text,\n \"```\",\n \"\",\n + \ f\"_Source: {raw_url}_\",\n \"
\",\n + \ \"\",\n ]\n )\n + \ )\n except Exception as e:\n body.append(f\"- + **{name}**: could not fetch preview ({e})\")\n\n emit_progress(\"\\n\".join(body), + stage=f\"docs.{when}\")\n\n# ---------------------------\n# Core API wrappers\n# + ---------------------------\n\ndef core_api_get(path: str, using: str = \"\", execution_timeout: + int = 600) -> Dict[str, Any]:\n args = {\"uri\": path, \"execution-timeout\": + str(execution_timeout)}\n if using:\n args[\"using\"] = using\n res + = exec_cmd(\"core-api-get\", args)\n return get_contents(res) or {}\n\ndef core_api_post(path: + str, body: Any, using: str = \"\", execution_timeout: int = 600) -> Dict[str, Any]:\n + \ args = {\"uri\": path, \"body\": json.dumps(body if body is not None else {}), + \"execution-timeout\": str(execution_timeout)}\n if using:\n args[\"using\"] + = using\n res = exec_cmd(\"core-api-post\", args)\n return get_contents(res) + or {}\n\ndef core_api_put(path: str, body: Any, using: str = \"\", execution_timeout: + int = 600) -> Dict[str, Any]:\n args = {\"uri\": path, \"body\": json.dumps(body + if body is not None else {}), \"execution-timeout\": str(execution_timeout)}\n if + using:\n args[\"using\"] = using\n res = exec_cmd(\"core-api-put\", args)\n + \ return get_contents(res) or {}\n\n# ---------------------------\n# HTTP JSON + helpers\n# ---------------------------\n\ndef http_get_json(url: str, timeout: int + = 30) -> Any:\n r = requests.get(url, timeout=timeout)\n r.raise_for_status()\n + \ return r.json()\n\n# ---------------------------\n# Catalog + Manifest resolver\n# + ---------------------------\n\nDEFAULT_CATALOG_URL = \"https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/pack_catalog.json\"\n\ndef + fetch_pack_catalog(catalog_url: str = DEFAULT_CATALOG_URL) -> Dict[str, Any]:\n + \ data = http_get_json(catalog_url)\n if not isinstance(data, dict):\n raise + Exception(f\"pack_catalog.json unexpected format at {catalog_url}\")\n return + data\n\ndef find_pack_in_catalog(catalog: Dict[str, Any], pack_id: str) -> Optional[Dict[str, + Any]]:\n packs = catalog.get(\"packs\") or catalog.get(\"Packs\") or catalog.get(\"items\") + or []\n if not isinstance(packs, list):\n return None\n for p in packs:\n + \ if isinstance(p, dict) and (p.get(\"id\") == pack_id):\n return + p\n return None\n\ndef resolve_manifest(pack_id: str, include_hidden: bool) -> + Dict[str, Any]:\n if pack_id.startswith(\"http://\") or pack_id.startswith(\"https://\"):\n + \ return http_get_json(pack_id)\n\n catalog = fetch_pack_catalog(DEFAULT_CATALOG_URL)\n + \ pack = find_pack_in_catalog(catalog, pack_id)\n if not pack:\n raise + Exception(f\"Pack '{pack_id}' not found in pack_catalog.json\")\n\n visible = + bool(pack.get(\"visible\", True))\n if (not include_hidden) and (not visible):\n + \ # Back-compat: allow resolution; list hides it unless include_hidden=True\n + \ pass\n\n version = (pack.get(\"version\") or \"\").strip()\n if not + version:\n raise Exception(f\"Pack '{pack_id}' missing version in pack_catalog.json\")\n\n + \ xsoar_config_url = f\"https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/Packs/{pack_id}/xsoar_config.json\"\n + \ release_tag = f\"{pack_id}-v{version}\"\n zip_url = f\"https://github.com/Palo-Cortex/secops-framework/releases/download/{release_tag}/{release_tag}.zip\"\n\n + \ marketplace_packs = [\n {\"id\": \"Base\", \"version\": \"latest\"},\n + \ {\"id\": \"CommonScripts\", \"version\": \"latest\"},\n {\"id\": + \"CommonPlaybooks\", \"version\": \"latest\"},\n {\"id\": \"DemistoRESTAPI\", + \"version\": \"latest\"},\n {\"id\": \"Whois\", \"version\": \"latest\"},\n + \ ]\n\n return {\n \"marketplace_packs\": marketplace_packs,\n \"custom_zip_urls\": + [{\"url\": zip_url, \"name\": release_tag}],\n \"xsoar_config_url\": xsoar_config_url,\n + \ \"pack_catalog_entry\": pack,\n \"pack_version\": version,\n }\n\n# + ---------------------------\n# list action (filter + paging)\n# ---------------------------\n\ndef + do_list(args: Dict[str, Any]):\n using = _norm(args.get(\"using\") or \"\")\n + \ include_hidden = arg_to_bool(args.get(\"include_hidden\"), False)\n\n # list + args\n text_filter = _to_lower(args.get(\"filter\") or args.get(\"q\") or \"\")\n + \ visible_only = arg_to_bool(args.get(\"visible_only\"), True)\n limit = max(1, + to_int(args.get(\"limit\"), 50))\n offset = max(0, to_int(args.get(\"offset\"), + 0))\n sort_by = (_norm(args.get(\"sort_by\")) or \"id\").strip()\n sort_dir + = (_norm(args.get(\"sort_dir\")) or \"asc\").strip().lower()\n fields = _parse_csv(args.get(\"fields\")) + or [\"id\", \"display_name\", \"version\", \"visible\", \"path\"]\n show_total + = arg_to_bool(args.get(\"show_total\"), True)\n\n emit_progress(\"Fetching catalog…\", + stage=\"list\")\n\n catalog = fetch_pack_catalog(DEFAULT_CATALOG_URL)\n packs + = catalog.get(\"packs\") or catalog.get(\"Packs\") or catalog.get(\"items\") or + []\n if not isinstance(packs, list):\n raise Exception(\"pack_catalog.json + is missing 'packs' list\")\n\n rows: List[Dict[str, Any]] = []\n for p in + packs:\n if not isinstance(p, dict):\n continue\n\n visible + = bool(p.get(\"visible\", True))\n\n if (not include_hidden) and (not visible):\n + \ continue\n if visible_only and (not visible):\n continue\n\n + \ row = {\n \"id\": p.get(\"id\", \"\"),\n \"display_name\": + p.get(\"display_name\") or p.get(\"name\") or \"\",\n \"version\": p.get(\"version\", + \"\"),\n \"visible\": str(visible).lower(),\n \"path\": p.get(\"path\") + or f\"Packs/{p.get('id','')}\",\n }\n\n if text_filter:\n hay + = \" \".join([_to_lower(row.get(\"id\")), _to_lower(row.get(\"display_name\")), + _to_lower(row.get(\"path\"))])\n if text_filter not in hay:\n continue\n\n + \ rows.append(row)\n\n total = len(rows)\n\n allowed_sort = {\"id\", + \"display_name\", \"version\", \"visible\", \"path\"}\n if sort_by not in allowed_sort:\n + \ sort_by = \"id\"\n reverse = sort_dir == \"desc\"\n rows.sort(key=lambda + r: _safe_sort_key(r, sort_by), reverse=reverse)\n\n page = rows[offset: offset + + limit]\n start = offset + 1 if page else 0\n end = offset + len(page)\n\n + \ allowed_fields = [\"id\", \"display_name\", \"version\", \"visible\", \"path\"]\n + \ fields = [f for f in fields if f in allowed_fields] or [\"id\", \"display_name\", + \"version\", \"visible\", \"path\"]\n\n header_line = \"| \" + \" | \".join(fields) + + \" |\\n\"\n sep_line = \"| \" + \" | \".join([\"---\"] * len(fields)) + \" + |\\n\"\n table = header_line + sep_line\n for r in page:\n table += + \"| \" + \" | \".join([_norm(r.get(f, \"\")) for f in fields]) + \" |\\n\"\n\n summary_lines + = [\n f\"using: {(using or '(default)')}\",\n f\"include_hidden: {include_hidden}\",\n + \ f\"visible_only: {visible_only}\",\n ]\n if text_filter:\n summary_lines.append(f\"filter: + `{text_filter}`\")\n summary_lines.append(f\"sort: {sort_by} {sort_dir}\")\n + \ summary_lines.append(f\"page: limit={limit}, offset={offset}\")\n if show_total:\n + \ summary_lines.append(f\"showing: {start}-{end} of {total}\")\n\n emit_progress(\"\\n\".join(summary_lines) + + \"\\n\\n\" + table, stage=\"list\")\n return\n\n# ---------------------------\n# + Marketplace install (USE ANNA’S SCRIPT)\n# ---------------------------\n\ndef install_marketplace_packs(\n + \ marketplace_packs: List[Dict[str, str]],\n using: str,\n retry_count: + int,\n retry_sleep_seconds: int,\n debug: bool,\n) -> Dict[str, Any]:\n if + debug:\n emit_progress(\n \"Installing marketplace packs via **XSIAMContentPackInstaller**…\\n\"\n + \ + \"\\n\".join([f'{p.get(\"id\")} @ {p.get(\"version\")}' for p in marketplace_packs]),\n + \ stage=\"packs.marketplace\",\n )\n else:\n emit_progress(\n + \ f\"Installing marketplace packs via **XSIAMContentPackInstaller**… ({len(marketplace_packs)} + pack(s))\",\n stage=\"packs.marketplace\",\n )\n\n args = {\n + \ \"packs_data\": marketplace_packs,\n \"pack_id_key\": \"id\",\n \"pack_version_key\": + \"version\",\n \"install_dependencies\": \"true\",\n }\n if using:\n + \ args[\"using\"] = using\n\n res = exec_with_retry(\n \"XSIAMContentPackInstaller\",\n + \ args,\n retry_count=retry_count,\n retry_sleep_seconds=retry_sleep_seconds,\n + \ context_for_error=\"Failed installing marketplace packs via XSIAMContentPackInstaller\",\n + \ fail_on_error=True,\n )\n return get_contents(res) if res else {}\n\ndef + fetch_installed_marketplace_pack_ids(using: str) -> List[str]:\n try:\n r + = core_api_get(\"/public/v1/contentpacks/metadata/installed\", using=using)\n packs + = (r.get(\"response\") or []) if isinstance(r, dict) else []\n ids = []\n + \ for p in packs:\n pid = p.get(\"id\")\n if pid:\n + \ ids.append(pid)\n return ids\n except Exception:\n return + []\n\n# ---------------------------\n# xsoar_config\n# ---------------------------\n\ndef + fetch_xsoar_config(xsoar_config_url: str) -> Dict[str, Any]:\n data = http_get_json(xsoar_config_url)\n + \ if not isinstance(data, dict):\n raise Exception(f\"xsoar_config.json + unexpected format at {xsoar_config_url}\")\n return data\n\n# ---------------------------\n# + Custom packs install (with timeout -> polling fallback)\n# ---------------------------\n\ndef + wait_for_pack_installed(\n pack_id: str,\n using: str,\n poll_seconds: + int,\n poll_interval_seconds: int,\n debug: bool,\n) -> bool:\n deadline + = time.time() + max(0, poll_seconds)\n interval = max(5, poll_interval_seconds)\n\n + \ log(\n f\"Polling for pack install completion: **{pack_id}** (up to {poll_seconds}s, + every {interval}s)…\",\n stage=\"packs.custom.poll\",\n debug=debug,\n + \ always=True,\n )\n\n while True:\n try:\n installed + = fetch_installed_marketplace_pack_ids(using)\n if pack_id in installed:\n + \ log(f\"Pack **{pack_id}** is now installed.\", stage=\"packs.custom.poll\", + debug=debug, always=True)\n return True\n except Exception + as e:\n log(f\" Poll check error (will retry): {e}\", stage=\"packs.custom.poll.debug\", + debug=debug)\n\n if time.time() >= deadline:\n log(\n f\"Polling + window expired; pack **{pack_id}** not detected as installed yet.\",\n stage=\"packs.custom.poll\",\n + \ debug=debug,\n always=True,\n )\n return + False\n\n time.sleep(interval)\n\ndef install_custom_pack_zip(\n url: + str,\n pack_id: str,\n using: str,\n execution_timeout: int,\n install_timeout: + int,\n retry_count: int,\n retry_sleep_seconds: int,\n skip_verify: bool,\n + \ skip_validation: bool,\n post_install_poll_seconds: int,\n post_install_poll_interval_seconds: + int,\n continue_on_install_timeout: bool,\n debug: bool,\n):\n effective_timeout + = max(1200, execution_timeout, install_timeout)\n\n args = {\n \"file_url\": + url,\n \"execution-timeout\": str(effective_timeout),\n \"skip_verify\": + bool_str_tf(skip_verify),\n \"skip_validation\": bool_str_tf(skip_validation),\n + \ }\n if using:\n args[\"using\"] = using\n\n if debug:\n emit_progress(\n + \ \"\\n\".join(\n [\n \"core-api-install-packs:\",\n + \ f\"- file_url: {url}\",\n f\"- execution-timeout: + {effective_timeout}\",\n f\"- skip_verify: {skip_verify}\",\n + \ f\"- skip_validation: {skip_validation}\",\n ]\n + \ ),\n stage=\"packs.custom.debug\",\n )\n\n try:\n + \ exec_with_retry(\n \"core-api-install-packs\",\n args,\n + \ retry_count=retry_count,\n retry_sleep_seconds=retry_sleep_seconds,\n + \ context_for_error=f\"Failed installing custom pack ZIP: {url}\",\n fail_on_error=True,\n + \ )\n return\n\n except Exception as e:\n err = str(e)\n\n + \ if is_timeout_error(err):\n emit_progress(\n \"\\n\".join(\n + \ [\n \"Custom pack upload call timed out + (client-side).\",\n \" This often means the server is still + uploading/processing.\",\n f\"Switching to polling for installed + pack: **{pack_id}**\",\n ]\n ),\n stage=\"packs.custom.timeout\",\n + \ )\n\n ok = wait_for_pack_installed(\n pack_id=pack_id,\n + \ using=using,\n poll_seconds=post_install_poll_seconds,\n + \ poll_interval_seconds=post_install_poll_interval_seconds,\n debug=debug,\n + \ )\n\n if ok:\n return\n\n msg = + (\n \"Upload timed out and polling did not observe the pack as installed.\\n\"\n + \ f\"pack_id={pack_id}\\nurl={url}\\n\"\n f\"poll_seconds={post_install_poll_seconds}, + interval={post_install_poll_interval_seconds}\\n\"\n \"You can retry + or increase post_install_poll_seconds.\"\n )\n\n if continue_on_install_timeout:\n + \ emit_progress(msg + \"\\n\\ncontinue_on_install_timeout=True β€” continuing + anyway.\", stage=\"packs.custom.timeout\")\n return\n\n raise + Exception(msg)\n\n raise\n\n# ---------------------------\n# Configure (jobs + / integrations / lookups)\n# ---------------------------\n\ndef configure_integrations_from_xsoar_config(\n \ xsoar_cfg: Dict[str, Any],\n using: str,\n retry_count: int,\n retry_sleep_seconds: - int,\n installed_pack_ids: List[str],\n debug: bool,\n) -> Dict[str, Any]:\n\ - \ items = [x for x in (xsoar_cfg.get(\"integration_instances\", []) or []) if + int,\n installed_pack_ids: List[str],\n debug: bool,\n) -> Dict[str, Any]:\n + \ items = [x for x in (xsoar_cfg.get(\"integration_instances\", []) or []) if isinstance(x, dict)]\n emit_progress(f\"Configuring integration instances… ({len(items)} - instance(s))\", stage=\"configure.integrations\")\n\n summary = {\n \"\ - attempted\": 0,\n \"ok\": 0,\n \"already_exists\": 0,\n \"\ - skipped_missing_pack\": 0,\n \"skipped_missing_brand\": 0,\n \"failed\"\ - : 0,\n \"failed_items\": [],\n }\n\n for inst in items:\n instance_name - = (inst.get(\"name\") or \"\").strip()\n if not instance_name:\n \ - \ continue\n\n required_pack = ((inst.get(\"required_pack_id\") or inst.get(\"\ - marketplace_pack\") or inst.get(\"pack_id\") or \"\").strip())\n if required_pack - and required_pack not in installed_pack_ids:\n summary[\"skipped_missing_pack\"\ - ] += 1\n log(\n f\"Skipping integration instance **{instance_name}** - β€” marketplace pack **{required_pack}** not installed.\",\n stage=\"\ - configure.integrations.debug\",\n debug=debug,\n )\n \ - \ continue\n\n brand = (inst.get(\"brand\") or \"\").strip()\n\ - \ if not brand:\n summary[\"skipped_missing_brand\"] += 1\n \ - \ log(\n f\"Skipping integration instance **{instance_name}** - β€” missing required field `brand`.\",\n stage=\"configure.integrations.debug\"\ - ,\n debug=debug,\n )\n continue\n\n \ - \ summary[\"attempted\"] += 1\n\n payload = {\n \"name\": instance_name,\n\ - \ \"brand\": brand,\n \"enabled\": inst.get(\"enabled\", \"\ - true\"),\n \"category\": inst.get(\"category\") or \"\",\n \ - \ \"data\": inst.get(\"data\") or [],\n }\n\n log(\n f\"\ - Creating/updating integration instance: **{instance_name}** (brand: **{brand}**)\"\ - ,\n stage=\"configure.integrations.debug\",\n debug=debug,\n\ - \ )\n\n def _do_put():\n return core_api_put(\"/xsoar/public/v1/settings/integration\"\ - , payload, using=using, execution_timeout=600)\n\n last_err = None\n \ - \ for attempt in range(1, max(1, retry_count) + 1):\n try:\n \ - \ resp = _do_put()\n rid = (resp.get(\"id\") if isinstance(resp, - dict) else None) or \"\"\n summary[\"ok\"] += 1\n \ - \ log(\n f\"Integration instance **{instance_name}** created/updated. - id={rid or '(unknown)'}\",\n stage=\"configure.integrations.result\"\ - ,\n debug=debug,\n )\n break\n\ - \ except Exception as e:\n last_err = str(e)\n\n \ - \ if is_instance_already_exists_error(last_err):\n \ - \ summary[\"already_exists\"] += 1\n log(\n \ - \ f\"Integration instance **{instance_name}** already exists β€” skipping (idempotent).\"\ - ,\n stage=\"configure.integrations.result\",\n \ - \ debug=debug,\n )\n break\n\n\ - \ if attempt >= retry_count:\n summary[\"failed\"\ - ] += 1\n summary[\"failed_items\"].append({\"name\": instance_name, + instance(s))\", stage=\"configure.integrations\")\n\n summary = {\n \"attempted\": + 0,\n \"ok\": 0,\n \"already_exists\": 0,\n \"skipped_missing_pack\": + 0,\n \"skipped_missing_brand\": 0,\n \"failed\": 0,\n \"failed_items\": + [],\n }\n\n for inst in items:\n instance_name = (inst.get(\"name\") + or \"\").strip()\n if not instance_name:\n continue\n\n required_pack + = ((inst.get(\"required_pack_id\") or inst.get(\"marketplace_pack\") or inst.get(\"pack_id\") + or \"\").strip())\n if required_pack and required_pack not in installed_pack_ids:\n + \ summary[\"skipped_missing_pack\"] += 1\n log(\n f\"Skipping + integration instance **{instance_name}** β€” marketplace pack **{required_pack}** + not installed.\",\n stage=\"configure.integrations.debug\",\n debug=debug,\n + \ )\n continue\n\n brand = (inst.get(\"brand\") or \"\").strip()\n + \ if not brand:\n summary[\"skipped_missing_brand\"] += 1\n log(\n + \ f\"Skipping integration instance **{instance_name}** β€” missing required + field `brand`.\",\n stage=\"configure.integrations.debug\",\n debug=debug,\n + \ )\n continue\n\n summary[\"attempted\"] += 1\n\n payload + = {\n \"name\": instance_name,\n \"brand\": brand,\n \"enabled\": + inst.get(\"enabled\", \"true\"),\n \"category\": inst.get(\"category\") + or \"\",\n \"data\": inst.get(\"data\") or [],\n }\n\n log(\n + \ f\"Creating/updating integration instance: **{instance_name}** (brand: + **{brand}**)\",\n stage=\"configure.integrations.debug\",\n debug=debug,\n + \ )\n\n def _do_put():\n return core_api_put(\"/xsoar/public/v1/settings/integration\", + payload, using=using, execution_timeout=600)\n\n last_err = None\n for + attempt in range(1, max(1, retry_count) + 1):\n try:\n resp + = _do_put()\n rid = (resp.get(\"id\") if isinstance(resp, dict) else + None) or \"\"\n summary[\"ok\"] += 1\n log(\n f\"Integration + instance **{instance_name}** created/updated. id={rid or '(unknown)'}\",\n stage=\"configure.integrations.result\",\n + \ debug=debug,\n )\n break\n except + Exception as e:\n last_err = str(e)\n\n if is_instance_already_exists_error(last_err):\n + \ summary[\"already_exists\"] += 1\n log(\n + \ f\"Integration instance **{instance_name}** already exists + β€” skipping (idempotent).\",\n stage=\"configure.integrations.result\",\n + \ debug=debug,\n )\n break\n\n + \ if attempt >= retry_count:\n summary[\"failed\"] + += 1\n summary[\"failed_items\"].append({\"name\": instance_name, \"error\": last_err})\n emit_progress(f\"Failed configuring integration - instance **{instance_name}**.\\nError: {last_err}\", stage=\"configure.integrations.error\"\ - )\n break\n\n time.sleep(max(1, retry_sleep_seconds))\n\ - \n emit_progress(\n \"\\n\".join(\n [\n \"Integration - instances summary:\",\n f\"- attempted: {summary['attempted']}\"\ - ,\n f\"- ok: {summary['ok']}\",\n f\"- already exists: - {summary['already_exists']}\",\n f\"- skipped (missing pack): {summary['skipped_missing_pack']}\"\ - ,\n f\"- skipped (missing brand): {summary['skipped_missing_brand']}\"\ - ,\n f\"- failed: {summary['failed']}\",\n \"\",\n\ - \ \"_Note: UI/index propagation can take a few minutes after instance - create/update._\",\n ]\n ),\n stage=\"configure.integrations.summary\"\ - ,\n )\n\n return summary\n\ndef configure_jobs_from_xsoar_config(\n xsoar_cfg: - Dict[str, Any],\n using: str,\n retry_count: int,\n retry_sleep_seconds: - int,\n debug: bool,\n) -> Dict[str, Any]:\n jobs = [x for x in (xsoar_cfg.get(\"\ - jobs\", []) or []) if isinstance(x, dict)]\n emit_progress(f\"Configuring jobs… - ({len(jobs)} job(s))\", stage=\"configure.jobs\")\n\n summary = {\"attempted\"\ - : 0, \"ok\": 0, \"failed\": 0, \"failed_items\": []}\n\n for job in jobs:\n \ - \ name = (job.get(\"name\") or job.get(\"job_name\") or \"\").strip()\n \ - \ if not name:\n continue\n\n summary[\"attempted\"] += 1\n\ - \ log(f\"Configuring job: **{name}**\", stage=\"configure.jobs.debug\", debug=debug)\n\ - \n cmd_args = {\"job_name\": name, \"job_data\": json.dumps(job)}\n \ - \ if using:\n cmd_args[\"using\"] = using\n\n try:\n \ - \ _ = exec_with_retry(\n \"SOCFWJobManager\",\n \ - \ cmd_args,\n retry_count=retry_count,\n retry_sleep_seconds=retry_sleep_seconds,\n\ - \ context_for_error=f\"Failed configuring job: {name}\",\n \ - \ fail_on_error=True,\n )\n summary[\"ok\"] += 1\n\ - \ log(f\"Job **{name}** ok\", stage=\"configure.jobs.result\", debug=debug)\n\ - \ except Exception as e:\n summary[\"failed\"] += 1\n \ - \ summary[\"failed_items\"].append({\"name\": name, \"error\": str(e)})\n \ - \ emit_progress(f\"Failed configuring job **{name}**.\\nError: {e}\", stage=\"\ - configure.jobs.error\")\n\n emit_progress(\n \"\\n\".join(\n \ - \ [\n \"Jobs summary:\",\n f\"- attempted: {summary['attempted']}\"\ - ,\n f\"- ok: {summary['ok']}\",\n f\"- failed: {summary['failed']}\"\ - ,\n ]\n ),\n stage=\"configure.jobs.summary\",\n )\n\ - \ return summary\n\ndef configure_lookups_from_xsoar_config(\n xsoar_cfg: + instance **{instance_name}**.\\nError: {last_err}\", stage=\"configure.integrations.error\")\n + \ break\n\n time.sleep(max(1, retry_sleep_seconds))\n\n + \ emit_progress(\n \"\\n\".join(\n [\n \"Integration + instances summary:\",\n f\"- attempted: {summary['attempted']}\",\n + \ f\"- ok: {summary['ok']}\",\n f\"- already exists: + {summary['already_exists']}\",\n f\"- skipped (missing pack): {summary['skipped_missing_pack']}\",\n + \ f\"- skipped (missing brand): {summary['skipped_missing_brand']}\",\n + \ f\"- failed: {summary['failed']}\",\n \"\",\n \"_Note: + UI/index propagation can take a few minutes after instance create/update._\",\n + \ ]\n ),\n stage=\"configure.integrations.summary\",\n )\n\n + \ return summary\n\ndef configure_jobs_from_xsoar_config(\n xsoar_cfg: Dict[str, + Any],\n using: str,\n retry_count: int,\n retry_sleep_seconds: int,\n debug: + bool,\n) -> Dict[str, Any]:\n jobs = [x for x in (xsoar_cfg.get(\"jobs\", []) + or []) if isinstance(x, dict)]\n emit_progress(f\"Configuring jobs… ({len(jobs)} + job(s))\", stage=\"configure.jobs\")\n\n summary = {\"attempted\": 0, \"ok\": + 0, \"failed\": 0, \"failed_items\": []}\n\n for job in jobs:\n name = + (job.get(\"name\") or job.get(\"job_name\") or \"\").strip()\n if not name:\n + \ continue\n\n summary[\"attempted\"] += 1\n log(f\"Configuring + job: **{name}**\", stage=\"configure.jobs.debug\", debug=debug)\n\n cmd_args + = {\"job_name\": name, \"job_data\": json.dumps(job)}\n if using:\n cmd_args[\"using\"] + = using\n\n try:\n _ = exec_with_retry(\n \"SOCFWJobManager\",\n + \ cmd_args,\n retry_count=retry_count,\n retry_sleep_seconds=retry_sleep_seconds,\n + \ context_for_error=f\"Failed configuring job: {name}\",\n fail_on_error=True,\n + \ )\n summary[\"ok\"] += 1\n log(f\"Job **{name}** + ok\", stage=\"configure.jobs.result\", debug=debug)\n except Exception as + e:\n summary[\"failed\"] += 1\n summary[\"failed_items\"].append({\"name\": + name, \"error\": str(e)})\n emit_progress(f\"Failed configuring job **{name}**.\\nError: + {e}\", stage=\"configure.jobs.error\")\n\n emit_progress(\n \"\\n\".join(\n + \ [\n \"Jobs summary:\",\n f\"- attempted: + {summary['attempted']}\",\n f\"- ok: {summary['ok']}\",\n f\"- + failed: {summary['failed']}\",\n ]\n ),\n stage=\"configure.jobs.summary\",\n + \ )\n return summary\n\ndef configure_lookups_from_xsoar_config(\n xsoar_cfg: Dict[str, Any],\n using: str,\n retry_count: int,\n retry_sleep_seconds: int,\n overwrite_lookup: bool,\n debug: bool,\n) -> Dict[str, Any]:\n dsets - = [x for x in (xsoar_cfg.get(\"lookup_datasets\", []) or []) if isinstance(x, dict)]\n\ - \ emit_progress(f\"Configuring lookup datasets… ({len(dsets)} dataset(s))\", - stage=\"configure.lookups\")\n\n summary = {\"attempted\": 0, \"ok\": 0, \"failed\"\ - : 0, \"failed_items\": []}\n\n for ds in dsets:\n name = (ds.get(\"name\"\ - ) or ds.get(\"dataset_name\") or \"\").strip()\n if not name:\n \ - \ continue\n\n summary[\"attempted\"] += 1\n log(f\"Configuring - lookup dataset: **{name}**\", stage=\"configure.lookups.debug\", debug=debug)\n\n\ - \ cmd_args = {\n \"lookup_dataset_name\": name,\n \"\ - lookup_dataset_data\": json.dumps(ds),\n \"overwrite_lookup\": bool_str_tf(overwrite_lookup),\n\ - \ }\n if using:\n cmd_args[\"using\"] = using\n\n \ - \ try:\n _ = exec_with_retry(\n \"SOCFWLookupManager\"\ - ,\n cmd_args,\n retry_count=retry_count,\n \ - \ retry_sleep_seconds=retry_sleep_seconds,\n context_for_error=f\"\ - Failed configuring lookup dataset: {name}\",\n fail_on_error=True,\n\ - \ )\n summary[\"ok\"] += 1\n log(f\"Lookup **{name}** - ok\", stage=\"configure.lookups.result\", debug=debug)\n except Exception - as e:\n summary[\"failed\"] += 1\n summary[\"failed_items\"\ - ].append({\"name\": name, \"error\": str(e)})\n emit_progress(f\"Failed - configuring lookup dataset **{name}**.\\nError: {e}\", stage=\"configure.lookups.error\"\ - )\n\n emit_progress(\n \"\\n\".join(\n [\n \"\ - Lookups summary:\",\n f\"- attempted: {summary['attempted']}\",\n\ - \ f\"- ok: {summary['ok']}\",\n f\"- failed: {summary['failed']}\"\ - ,\n ]\n ),\n stage=\"configure.lookups.summary\",\n \ - \ )\n return summary\n\n# ---------------------------\n# Main\n# ---------------------------\n - \ndef main():\n args = demisto.args()\n\n action = (args.get(\"action\") or - \"apply\").strip().lower()\n pack_id = (args.get(\"pack_id\") or \"\").strip()\n\ - \ include_hidden = arg_to_bool(args.get(\"include_hidden\"), False)\n dry_run - = arg_to_bool(args.get(\"dry_run\"), False)\n\n install_marketplace_flag = arg_to_bool(args.get(\"\ - install_marketplace\"), True)\n apply_configure = arg_to_bool(args.get(\"apply_configure\"\ - ), True)\n configure_jobs = arg_to_bool(args.get(\"configure_jobs\"), True)\n\ - \ configure_integrations = arg_to_bool(args.get(\"configure_integrations\"), - True)\n configure_lookups = arg_to_bool(args.get(\"configure_lookups\"), True)\n\ - \ overwrite_lookup = arg_to_bool(args.get(\"overwrite_lookup\"), False)\n\n \ - \ include_doc_content = arg_to_bool(args.get(\"include_doc_content\"), False)\n\ - \ doc_content_max_chars = to_int(args.get(\"doc_content_max_chars\"), 6000)\n\ - \ doc_content_max_lines = to_int(args.get(\"doc_content_max_lines\"), 200)\n\n\ - \ # NEW: pre-config gate\n pre_config_done = arg_to_bool(args.get(\"pre_config_done\"\ - ), False)\n pre_config_gate = arg_to_bool(args.get(\"pre_config_gate\"), True)\ - \ # default True\n\n retry_count = to_int(args.get(\"retry_count\"), 5)\n \ - \ retry_sleep_seconds = to_int(args.get(\"retry_sleep_seconds\"), 15)\n using - = (args.get(\"using\") or \"\").strip()\n execution_timeout = to_int(args.get(\"\ - execution_timeout\"), 1200)\n\n skip_verify = arg_to_bool(args.get(\"skip_verify\"\ - ), True)\n skip_validation = arg_to_bool(args.get(\"skip_validation\"), False)\n\ - \n install_timeout = to_int(args.get(\"install_timeout\"), 3600)\n\n post_install_poll_seconds - = to_int(args.get(\"post_install_poll_seconds\"), 1800)\n post_install_poll_interval_seconds - = to_int(args.get(\"post_install_poll_interval_seconds\"), 60)\n continue_on_install_timeout - = arg_to_bool(args.get(\"continue_on_install_timeout\"), False)\n\n fail_on_marketplace_errors - = arg_to_bool(args.get(\"fail_on_marketplace_errors\"), False)\n\n debug = arg_to_bool(args.get(\"\ - debug\"), False)\n\n if action not in (\"apply\", \"list\"):\n raise Exception(f\"\ - Unsupported action: {action}\")\n\n if action == \"list\":\n return do_list(args)\n\ - \n if not pack_id:\n raise Exception(\"pack_id is required for action=apply\"\ - )\n\n emit_progress(\n \"\\n\".join(\n [\n f\"\ - Starting {action} for **{pack_id}**\",\n f\"- include_hidden={include_hidden}\"\ - ,\n f\"- dry_run={dry_run}\",\n f\"- install_marketplace={install_marketplace_flag}\"\ - ,\n f\"- apply_configure={apply_configure} (jobs={configure_jobs}, - integrations={configure_integrations}, lookups={configure_lookups})\",\n \ - \ f\"- overwrite_lookup={overwrite_lookup}\",\n f\"- retries={retry_count}, - retry_sleep_seconds={retry_sleep_seconds}\",\n f\"- using={(using - or '(default)')}\",\n f\"- execution_timeout={execution_timeout}\"\ - ,\n f\"- install_timeout={install_timeout}\",\n f\"\ - - skip_verify={skip_verify}\",\n f\"- skip_validation={skip_validation}\"\ - ,\n f\"- post_install_poll_seconds={post_install_poll_seconds}\"\ - ,\n f\"- post_install_poll_interval_seconds={post_install_poll_interval_seconds}\"\ - ,\n f\"- continue_on_install_timeout={continue_on_install_timeout}\"\ - ,\n f\"- fail_on_marketplace_errors={fail_on_marketplace_errors}\"\ - ,\n f\"- include_doc_content={include_doc_content} (max_chars={doc_content_max_chars}, - max_lines={doc_content_max_lines})\",\n f\"- pre_config_gate={pre_config_gate}\"\ - ,\n f\"- pre_config_done={pre_config_done}\",\n f\"\ - - debug={debug}\",\n ]\n ),\n stage=\"start\",\n )\n\ - \n emit_progress(\"Resolving install manifest…\", stage=\"manifest\")\n manifest + = [x for x in (xsoar_cfg.get(\"lookup_datasets\", []) or []) if isinstance(x, dict)]\n + \ emit_progress(f\"Configuring lookup datasets… ({len(dsets)} dataset(s))\", stage=\"configure.lookups\")\n\n + \ summary = {\"attempted\": 0, \"ok\": 0, \"failed\": 0, \"failed_items\": []}\n\n + \ for ds in dsets:\n name = (ds.get(\"name\") or ds.get(\"dataset_name\") + or \"\").strip()\n if not name:\n continue\n\n summary[\"attempted\"] + += 1\n log(f\"Configuring lookup dataset: **{name}**\", stage=\"configure.lookups.debug\", + debug=debug)\n\n cmd_args = {\n \"lookup_dataset_name\": name,\n + \ \"lookup_dataset_data\": json.dumps(ds),\n \"overwrite_lookup\": + bool_str_tf(overwrite_lookup),\n }\n if using:\n cmd_args[\"using\"] + = using\n\n try:\n _ = exec_with_retry(\n \"SOCFWLookupManager\",\n + \ cmd_args,\n retry_count=retry_count,\n retry_sleep_seconds=retry_sleep_seconds,\n + \ context_for_error=f\"Failed configuring lookup dataset: {name}\",\n + \ fail_on_error=True,\n )\n summary[\"ok\"] + += 1\n log(f\"Lookup **{name}** ok\", stage=\"configure.lookups.result\", + debug=debug)\n except Exception as e:\n summary[\"failed\"] += + 1\n summary[\"failed_items\"].append({\"name\": name, \"error\": str(e)})\n + \ emit_progress(f\"Failed configuring lookup dataset **{name}**.\\nError: + {e}\", stage=\"configure.lookups.error\")\n\n emit_progress(\n \"\\n\".join(\n + \ [\n \"Lookups summary:\",\n f\"- attempted: + {summary['attempted']}\",\n f\"- ok: {summary['ok']}\",\n f\"- + failed: {summary['failed']}\",\n ]\n ),\n stage=\"configure.lookups.summary\",\n + \ )\n return summary\n\n# ---------------------------\n# Main\n# ---------------------------\n\ndef + main():\n args = demisto.args()\n\n action = (args.get(\"action\") or \"apply\").strip().lower()\n + \ pack_id = (args.get(\"pack_id\") or \"\").strip()\n include_hidden = arg_to_bool(args.get(\"include_hidden\"), + False)\n dry_run = arg_to_bool(args.get(\"dry_run\"), False)\n\n install_marketplace_flag + = arg_to_bool(args.get(\"install_marketplace\"), True)\n apply_configure = arg_to_bool(args.get(\"apply_configure\"), + True)\n configure_jobs = arg_to_bool(args.get(\"configure_jobs\"), True)\n configure_integrations + = arg_to_bool(args.get(\"configure_integrations\"), True)\n configure_lookups + = arg_to_bool(args.get(\"configure_lookups\"), True)\n overwrite_lookup = arg_to_bool(args.get(\"overwrite_lookup\"), + False)\n\n include_doc_content = arg_to_bool(args.get(\"include_doc_content\"), + False)\n doc_content_max_chars = to_int(args.get(\"doc_content_max_chars\"), + 6000)\n doc_content_max_lines = to_int(args.get(\"doc_content_max_lines\"), 200)\n\n + \ # NEW: pre-config gate\n pre_config_done = arg_to_bool(args.get(\"pre_config_done\"), + False)\n pre_config_gate = arg_to_bool(args.get(\"pre_config_gate\"), True) # + default True\n\n retry_count = to_int(args.get(\"retry_count\"), 5)\n retry_sleep_seconds + = to_int(args.get(\"retry_sleep_seconds\"), 15)\n using = (args.get(\"using\") + or \"\").strip()\n execution_timeout = to_int(args.get(\"execution_timeout\"), + 1200)\n\n skip_verify = arg_to_bool(args.get(\"skip_verify\"), True)\n skip_validation + = arg_to_bool(args.get(\"skip_validation\"), False)\n\n install_timeout = to_int(args.get(\"install_timeout\"), + 3600)\n\n post_install_poll_seconds = to_int(args.get(\"post_install_poll_seconds\"), + 1800)\n post_install_poll_interval_seconds = to_int(args.get(\"post_install_poll_interval_seconds\"), + 60)\n continue_on_install_timeout = arg_to_bool(args.get(\"continue_on_install_timeout\"), + False)\n\n fail_on_marketplace_errors = arg_to_bool(args.get(\"fail_on_marketplace_errors\"), + False)\n\n debug = arg_to_bool(args.get(\"debug\"), False)\n\n if action not + in (\"apply\", \"list\"):\n raise Exception(f\"Unsupported action: {action}\")\n\n + \ if action == \"list\":\n return do_list(args)\n\n if not pack_id:\n + \ raise Exception(\"pack_id is required for action=apply\")\n\n emit_progress(\n + \ \"\\n\".join(\n [\n f\"Starting {action} for **{pack_id}**\",\n + \ f\"- include_hidden={include_hidden}\",\n f\"- dry_run={dry_run}\",\n + \ f\"- install_marketplace={install_marketplace_flag}\",\n f\"- + apply_configure={apply_configure} (jobs={configure_jobs}, integrations={configure_integrations}, + lookups={configure_lookups})\",\n f\"- overwrite_lookup={overwrite_lookup}\",\n + \ f\"- retries={retry_count}, retry_sleep_seconds={retry_sleep_seconds}\",\n + \ f\"- using={(using or '(default)')}\",\n f\"- execution_timeout={execution_timeout}\",\n + \ f\"- install_timeout={install_timeout}\",\n f\"- + skip_verify={skip_verify}\",\n f\"- skip_validation={skip_validation}\",\n + \ f\"- post_install_poll_seconds={post_install_poll_seconds}\",\n + \ f\"- post_install_poll_interval_seconds={post_install_poll_interval_seconds}\",\n + \ f\"- continue_on_install_timeout={continue_on_install_timeout}\",\n + \ f\"- fail_on_marketplace_errors={fail_on_marketplace_errors}\",\n + \ f\"- include_doc_content={include_doc_content} (max_chars={doc_content_max_chars}, + max_lines={doc_content_max_lines})\",\n f\"- pre_config_gate={pre_config_gate}\",\n + \ f\"- pre_config_done={pre_config_done}\",\n f\"- + debug={debug}\",\n ]\n ),\n stage=\"start\",\n )\n\n + \ emit_progress(\"Resolving install manifest…\", stage=\"manifest\")\n manifest = resolve_manifest(pack_id, include_hidden=include_hidden)\n\n marketplace_packs - = manifest.get(\"marketplace_packs\") or []\n custom_zip_urls = manifest.get(\"\ - custom_zip_urls\") or []\n xsoar_config_url = manifest.get(\"xsoar_config_url\"\ - ) or \"\"\n\n emit_progress(\n \"\\n\".join(\n [\n \ - \ \"Manifest resolved.\",\n f\"- marketplace_packs: {len(marketplace_packs)}\"\ - ,\n f\"- custom ZIP URLs: {len(custom_zip_urls)}\",\n \ - \ f\"- xsoar_config_url: {xsoar_config_url or '(none)'}\",\n ]\n\ - \ ),\n stage=\"manifest.summary\",\n )\n\n xsoar_cfg: Dict[str, - Any] = {}\n if xsoar_config_url:\n emit_progress(\"Fetching xsoar_config.json…\"\ - , stage=\"xsoar_config.fetch\")\n xsoar_cfg = fetch_xsoar_config(xsoar_config_url) + = manifest.get(\"marketplace_packs\") or []\n custom_zip_urls = manifest.get(\"custom_zip_urls\") + or []\n xsoar_config_url = manifest.get(\"xsoar_config_url\") or \"\"\n\n emit_progress(\n + \ \"\\n\".join(\n [\n \"Manifest resolved.\",\n + \ f\"- marketplace_packs: {len(marketplace_packs)}\",\n f\"- + custom ZIP URLs: {len(custom_zip_urls)}\",\n f\"- xsoar_config_url: + {xsoar_config_url or '(none)'}\",\n ]\n ),\n stage=\"manifest.summary\",\n + \ )\n\n xsoar_cfg: Dict[str, Any] = {}\n if xsoar_config_url:\n emit_progress(\"Fetching + xsoar_config.json…\", stage=\"xsoar_config.fetch\")\n xsoar_cfg = fetch_xsoar_config(xsoar_config_url) or {}\n\n cfg_marketplace_packs = xsoar_cfg.get(\"marketplace_packs\") or - []\n if isinstance(cfg_marketplace_packs, list) and cfg_marketplace_packs:\n\ - \ marketplace_packs = cfg_marketplace_packs\n\n emit_progress(\n\ - \ \"\\n\".join(\n [\n \"xsoar_config + []\n if isinstance(cfg_marketplace_packs, list) and cfg_marketplace_packs:\n + \ marketplace_packs = cfg_marketplace_packs\n\n emit_progress(\n + \ \"\\n\".join(\n [\n \"xsoar_config loaded.\",\n f\"- integration_instances: {len(xsoar_cfg.get('integration_instances', []) or [])}\",\n f\"- jobs: {len(xsoar_cfg.get('jobs', []) or [])}\",\n f\"- lookup_datasets: {len(xsoar_cfg.get('lookup_datasets', []) or [])}\",\n f\"- has_pre_config_docs: {has_config_docs(xsoar_cfg, 'pre')}\",\n f\"- has_post_config_docs: {has_config_docs(xsoar_cfg, - 'post')}\",\n ]\n ),\n stage=\"xsoar_config.summary\"\ - ,\n )\n\n # Print PRE docs immediately\n print_config_docs(\n\ - \ xsoar_cfg,\n when=\"pre\",\n debug=debug,\n \ - \ include_doc_content=include_doc_content,\n doc_content_max_chars=doc_content_max_chars,\n\ - \ doc_content_max_lines=doc_content_max_lines,\n )\n\n \ - \ # DEFAULT: stop after printing PRE docs if they exist (unless acknowledged/bypassed)\n\ - \ if pre_config_gate and has_config_docs(xsoar_cfg, \"pre\") and not pre_config_done:\n\ - \ emit_progress(\n \"\\n\".join(\n \ - \ [\n \"πŸ›‘ **Pre-config required**\",\n \ - \ \"Pre-config docs were printed above.\",\n \"\",\n\ - \ \"After completing those steps, rerun with:\",\n \ - \ \"- `pre_config_done=true`\",\n \"\",\n\ - \ f\"Example:\\n`!SOCFWPackManager action=apply pack_id={pack_id} - pre_config_done=true`\",\n \"\",\n \ - \ \"To bypass this stop (not recommended), run with:\",\n \ - \ \"- `pre_config_gate=false`\",\n ]\n ),\n\ - \ stage=\"docs.pre.gate\",\n )\n return_results(\n\ - \ {\n \"pack_id\": pack_id,\n \ - \ \"xsoar_config_url\": xsoar_config_url,\n \"stopped_after_pre_docs\"\ - : True,\n \"next_command_hint\": f\"!SOCFWPackManager action=apply - pack_id={pack_id} pre_config_done=true\",\n }\n )\n \ - \ return\n\n if dry_run:\n emit_progress(\"dry_run=True β€” not - installing or configuring anything.\", stage=\"done\")\n return\n\n marketplace_errors: - List[str] = []\n if install_marketplace_flag and marketplace_packs:\n \ - \ mp = []\n for p in marketplace_packs:\n if isinstance(p, dict) - and p.get(\"id\"):\n mp.append({\"id\": p.get(\"id\"), \"version\"\ - : p.get(\"version\", \"latest\")})\n\n try:\n _ = install_marketplace_packs(mp, + 'post')}\",\n ]\n ),\n stage=\"xsoar_config.summary\",\n + \ )\n\n # Print PRE docs immediately\n print_config_docs(\n + \ xsoar_cfg,\n when=\"pre\",\n debug=debug,\n include_doc_content=include_doc_content,\n + \ doc_content_max_chars=doc_content_max_chars,\n doc_content_max_lines=doc_content_max_lines,\n + \ )\n\n # DEFAULT: stop after printing PRE docs if they exist (unless + acknowledged/bypassed)\n if pre_config_gate and has_config_docs(xsoar_cfg, + \"pre\") and not pre_config_done:\n emit_progress(\n \"\\n\".join(\n + \ [\n \"\U0001F6D1 **Pre-config required**\",\n + \ \"Pre-config docs were printed above.\",\n \"\",\n + \ \"After completing those steps, rerun with:\",\n \"- + `pre_config_done=true`\",\n \"\",\n f\"Example:\\n`!SOCFWPackManager + action=apply pack_id={pack_id} pre_config_done=true`\",\n \"\",\n + \ \"To bypass this stop (not recommended), run with:\",\n + \ \"- `pre_config_gate=false`\",\n ]\n + \ ),\n stage=\"docs.pre.gate\",\n )\n return_results(\n + \ {\n \"pack_id\": pack_id,\n \"xsoar_config_url\": + xsoar_config_url,\n \"stopped_after_pre_docs\": True,\n \"next_command_hint\": + f\"!SOCFWPackManager action=apply pack_id={pack_id} pre_config_done=true\",\n }\n + \ )\n return\n\n if dry_run:\n emit_progress(\"dry_run=True + β€” not installing or configuring anything.\", stage=\"done\")\n return\n\n + \ marketplace_errors: List[str] = []\n if install_marketplace_flag and marketplace_packs:\n + \ mp = []\n for p in marketplace_packs:\n if isinstance(p, + dict) and p.get(\"id\"):\n mp.append({\"id\": p.get(\"id\"), \"version\": + p.get(\"version\", \"latest\")})\n\n try:\n _ = install_marketplace_packs(mp, using, retry_count, retry_sleep_seconds, debug=debug)\n except Exception - as e:\n marketplace_errors.append(str(e))\n emit_progress(f\"\ - Marketplace install failed.\\nError: {e}\", stage=\"packs.marketplace.error\")\n\ - \ if fail_on_marketplace_errors:\n raise\n\n if custom_zip_urls:\n\ - \ emit_progress(f\"Installing custom pack ZIPs… ({len(custom_zip_urls)} ZIP(s))\"\ - , stage=\"packs.custom\")\n for item in custom_zip_urls:\n url - = None\n label = None\n if isinstance(item, str):\n \ - \ url = item\n label = item\n elif isinstance(item, - dict):\n url = item.get(\"url\") or item.get(\"zip_url\")\n \ - \ label = item.get(\"name\") or url\n if not url:\n \ - \ continue\n\n log(f\"Installing custom pack ZIP: **{label}**\"\ - , stage=\"packs.custom.debug\", debug=debug)\n\n install_custom_pack_zip(\n\ - \ url=url,\n pack_id=pack_id,\n using=using,\n\ - \ execution_timeout=execution_timeout,\n install_timeout=install_timeout,\n\ - \ retry_count=retry_count,\n retry_sleep_seconds=retry_sleep_seconds,\n\ - \ skip_verify=skip_verify,\n skip_validation=skip_validation,\n\ - \ post_install_poll_seconds=post_install_poll_seconds,\n \ - \ post_install_poll_interval_seconds=post_install_poll_interval_seconds,\n\ - \ continue_on_install_timeout=continue_on_install_timeout,\n \ - \ debug=debug,\n )\n\n integration_summary = None\n \ - \ jobs_summary = None\n lookups_summary = None\n\n if apply_configure and - xsoar_cfg:\n emit_progress(\"Configuring from xsoar_config…\", stage=\"configure\"\ - )\n\n emit_progress(\n \"\\n\".join(\n [\n \ - \ \"Configure plan:\",\n f\"- integration_instances: - {len(xsoar_cfg.get('integration_instances', []) or [])}\",\n \ - \ f\"- jobs: {len(xsoar_cfg.get('jobs', []) or [])}\",\n f\" - - lookup_datasets: {len(xsoar_cfg.get('lookup_datasets', []) or [])}\",\n \ - \ ]\n ),\n stage=\"configure.plan\",\n )\n\ - \n installed_pack_ids = fetch_installed_marketplace_pack_ids(using)\n\n \ - \ if configure_integrations:\n integration_summary = configure_integrations_from_xsoar_config(\n\ - \ xsoar_cfg=xsoar_cfg,\n using=using,\n \ - \ retry_count=retry_count,\n retry_sleep_seconds=retry_sleep_seconds,\n\ - \ installed_pack_ids=installed_pack_ids,\n debug=debug,\n\ - \ )\n\n if configure_jobs:\n jobs_summary = configure_jobs_from_xsoar_config(\n\ - \ xsoar_cfg=xsoar_cfg,\n using=using,\n \ - \ retry_count=retry_count,\n retry_sleep_seconds=retry_sleep_seconds,\n\ - \ debug=debug,\n )\n\n if configure_lookups:\n\ - \ lookups_summary = configure_lookups_from_xsoar_config(\n \ - \ xsoar_cfg=xsoar_cfg,\n using=using,\n retry_count=retry_count,\n\ - \ retry_sleep_seconds=retry_sleep_seconds,\n overwrite_lookup=overwrite_lookup,\n\ - \ debug=debug,\n )\n\n emit_progress(\"Done.\", stage=\"\ - done\")\n\n results_obj = {\n \"pack_id\": pack_id,\n \"xsoar_config_url\"\ - : xsoar_config_url,\n \"marketplace_errors\": marketplace_errors,\n \ - \ \"debug\": debug,\n \"install_timeout\": install_timeout,\n \"\ - skip_verify\": skip_verify,\n \"skip_validation\": skip_validation,\n \ - \ \"post_install_poll_seconds\": post_install_poll_seconds,\n \"post_install_poll_interval_seconds\"\ - : post_install_poll_interval_seconds,\n \"continue_on_install_timeout\": - continue_on_install_timeout,\n \"configure_summary\": {\n \"integrations\"\ - : integration_summary,\n \"jobs\": jobs_summary,\n \"lookups\"\ - : lookups_summary,\n },\n }\n\n # Return the machine-readable result - first...\n return_results(results_obj)\n\n # ...then print POST docs as the - FINAL War Room entry (so users don't scroll)\n if xsoar_cfg:\n print_config_docs(\n\ - \ xsoar_cfg,\n when=\"post\",\n debug=debug,\n\ - \ include_doc_content=include_doc_content,\n doc_content_max_chars=doc_content_max_chars,\n\ - \ doc_content_max_lines=doc_content_max_lines,\n )\n\nif __name__ - in (\"__main__\", \"__builtin__\", \"builtins\"):\n main()\n" + as e:\n marketplace_errors.append(str(e))\n emit_progress(f\"Marketplace + install failed.\\nError: {e}\", stage=\"packs.marketplace.error\")\n if + fail_on_marketplace_errors:\n raise\n\n if custom_zip_urls:\n + \ emit_progress(f\"Installing custom pack ZIPs… ({len(custom_zip_urls)} ZIP(s))\", + stage=\"packs.custom\")\n for item in custom_zip_urls:\n url = + None\n label = None\n if isinstance(item, str):\n url + = item\n label = item\n elif isinstance(item, dict):\n + \ url = item.get(\"url\") or item.get(\"zip_url\")\n label + = item.get(\"name\") or url\n if not url:\n continue\n\n + \ log(f\"Installing custom pack ZIP: **{label}**\", stage=\"packs.custom.debug\", + debug=debug)\n\n install_custom_pack_zip(\n url=url,\n + \ pack_id=pack_id,\n using=using,\n execution_timeout=execution_timeout,\n + \ install_timeout=install_timeout,\n retry_count=retry_count,\n + \ retry_sleep_seconds=retry_sleep_seconds,\n skip_verify=skip_verify,\n + \ skip_validation=skip_validation,\n post_install_poll_seconds=post_install_poll_seconds,\n + \ post_install_poll_interval_seconds=post_install_poll_interval_seconds,\n + \ continue_on_install_timeout=continue_on_install_timeout,\n debug=debug,\n + \ )\n\n integration_summary = None\n jobs_summary = None\n lookups_summary + = None\n\n if apply_configure and xsoar_cfg:\n emit_progress(\"Configuring + from xsoar_config…\", stage=\"configure\")\n\n emit_progress(\n \"\\n\".join(\n + \ [\n \"Configure plan:\",\n f\"- + integration_instances: {len(xsoar_cfg.get('integration_instances', []) or [])}\",\n + \ f\"- jobs: {len(xsoar_cfg.get('jobs', []) or [])}\",\n f\"- + lookup_datasets: {len(xsoar_cfg.get('lookup_datasets', []) or [])}\",\n ]\n + \ ),\n stage=\"configure.plan\",\n )\n\n installed_pack_ids + = fetch_installed_marketplace_pack_ids(using)\n\n if configure_integrations:\n + \ integration_summary = configure_integrations_from_xsoar_config(\n xsoar_cfg=xsoar_cfg,\n + \ using=using,\n retry_count=retry_count,\n retry_sleep_seconds=retry_sleep_seconds,\n + \ installed_pack_ids=installed_pack_ids,\n debug=debug,\n + \ )\n\n if configure_jobs:\n jobs_summary = configure_jobs_from_xsoar_config(\n + \ xsoar_cfg=xsoar_cfg,\n using=using,\n retry_count=retry_count,\n + \ retry_sleep_seconds=retry_sleep_seconds,\n debug=debug,\n + \ )\n\n if configure_lookups:\n lookups_summary = configure_lookups_from_xsoar_config(\n + \ xsoar_cfg=xsoar_cfg,\n using=using,\n retry_count=retry_count,\n + \ retry_sleep_seconds=retry_sleep_seconds,\n overwrite_lookup=overwrite_lookup,\n + \ debug=debug,\n )\n\n emit_progress(\"Done.\", stage=\"done\")\n\n + \ results_obj = {\n \"pack_id\": pack_id,\n \"xsoar_config_url\": + xsoar_config_url,\n \"marketplace_errors\": marketplace_errors,\n \"debug\": + debug,\n \"install_timeout\": install_timeout,\n \"skip_verify\": + skip_verify,\n \"skip_validation\": skip_validation,\n \"post_install_poll_seconds\": + post_install_poll_seconds,\n \"post_install_poll_interval_seconds\": post_install_poll_interval_seconds,\n + \ \"continue_on_install_timeout\": continue_on_install_timeout,\n \"configure_summary\": + {\n \"integrations\": integration_summary,\n \"jobs\": jobs_summary,\n + \ \"lookups\": lookups_summary,\n },\n }\n\n # Return the + machine-readable result first...\n return_results(results_obj)\n\n # ...then + print POST docs as the FINAL War Room entry (so users don't scroll)\n if xsoar_cfg:\n + \ print_config_docs(\n xsoar_cfg,\n when=\"post\",\n + \ debug=debug,\n include_doc_content=include_doc_content,\n + \ doc_content_max_chars=doc_content_max_chars,\n doc_content_max_lines=doc_content_max_lines,\n + \ )\n\nif __name__ in (\"__main__\", \"__builtin__\", \"builtins\"):\n main()\n" type: python tags: - configuration @@ -554,6 +532,7 @@ tags: - SOC_Framework_Unified - SOCFWBootloader enabled: true +system: true args: - supportedModules: [] name: action @@ -762,6 +741,3 @@ dockerimage: demisto/python3:3.12.12.6796194 runas: DBotWeakRole engineinfo: {} mainengineinfo: {} -restrictioncenter: {} -signature: "" -fromversion: 5.0.0 diff --git a/Packs/soc-framework-manager/pack_metadata.json b/Packs/soc-framework-manager/pack_metadata.json index 5bc7a0c..9c522a1 100644 --- a/Packs/soc-framework-manager/pack_metadata.json +++ b/Packs/soc-framework-manager/pack_metadata.json @@ -3,7 +3,7 @@ "id": "soc-framework-manager", "description": "This will install and configure any of the SOC Framework packages.", "support": "xsoar", - "currentVersion": "1.0.6", + "currentVersion": "1.0.7", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/soc-framework-manager/xsoar_config.json b/Packs/soc-framework-manager/xsoar_config.json index 6473b89..8aa13d7 100644 --- a/Packs/soc-framework-manager/xsoar_config.json +++ b/Packs/soc-framework-manager/xsoar_config.json @@ -2,7 +2,7 @@ "custom_packs": [ { "id": "soc-framework-manager.zip", - "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-framework-manager-v1.0.6/soc-framework-manager-v1.0.6.zip", + "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-framework-manager-v1.0.7/soc-framework-manager-v1.0.7.zip", "system": "yes" } ], diff --git a/pack_catalog.json b/pack_catalog.json index edfa6dc..1e959af 100644 --- a/pack_catalog.json +++ b/pack_catalog.json @@ -19,7 +19,7 @@ { "id": "soc-framework-manager", "display_name": "SOC Framework Package Manager", - "version": "1.0.6", + "version": "1.0.7", "path": "Packs/soc-framework-manager", "visible": false, "xsoar_config": "https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/Packs/soc-framework-manager/xsoar_config.json" From a070ab75f66902ea578e4e2d7790ed3daf5b50b2 Mon Sep 17 00:00:00 2001 From: Scott Brumley Date: Mon, 26 Jan 2026 14:29:45 -0500 Subject: [PATCH 31/49] - Testing prepare-content with PoV companion - Bump version - Update Catalog --- Packs/soc-optimization/pack_metadata.json | 2 +- Packs/soc-optimization/xsoar_config.json | 2 +- pack_catalog.json | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Packs/soc-optimization/pack_metadata.json b/Packs/soc-optimization/pack_metadata.json index 4a54da6..dc2cc0a 100644 --- a/Packs/soc-optimization/pack_metadata.json +++ b/Packs/soc-optimization/pack_metadata.json @@ -3,7 +3,7 @@ "id": "soc-optimization", "description": "This Package has been deprecated. The new package is the SOC Framework Unified. This contents the content used to leverage processes that the Palo SOC uses including: Playbooks, integrations, layouts, etc.", "support": "xsoar", - "currentVersion": "2.1.46", + "currentVersion": "2.1.47", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/soc-optimization/xsoar_config.json b/Packs/soc-optimization/xsoar_config.json index df5c448..3d53da0 100644 --- a/Packs/soc-optimization/xsoar_config.json +++ b/Packs/soc-optimization/xsoar_config.json @@ -8,7 +8,7 @@ "custom_packs": [ { "id": "soc-optimization.zip", - "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-optimization-v2.1.46/soc-optimization-v2.1.46.zip", + "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-optimization-v2.1.47/soc-optimization-v2.1.47.zip", "system": "yes" } ], diff --git a/pack_catalog.json b/pack_catalog.json index 1e959af..5467e13 100644 --- a/pack_catalog.json +++ b/pack_catalog.json @@ -43,7 +43,7 @@ { "id": "soc-optimization", "display_name": "SOC Framework (DEPRECATED)", - "version": "2.1.46", + "version": "2.1.47", "path": "Packs/soc-optimization", "visible": false, "xsoar_config": "https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/Packs/soc-optimization/xsoar_config.json" From 9f3df5f111fd160bf77238ef8dca4f5d1dd1e9b5 Mon Sep 17 00:00:00 2001 From: Scott Brumley Date: Mon, 26 Jan 2026 20:11:48 -0500 Subject: [PATCH 32/49] - Testing prepare-content with PoV companion - Bump version - Update Catalog --- Packs/soc-framework-manager/pack_metadata.json | 2 +- Packs/soc-framework-manager/xsoar_config.json | 2 +- pack_catalog.json | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Packs/soc-framework-manager/pack_metadata.json b/Packs/soc-framework-manager/pack_metadata.json index 9c522a1..e4d4c5f 100644 --- a/Packs/soc-framework-manager/pack_metadata.json +++ b/Packs/soc-framework-manager/pack_metadata.json @@ -3,7 +3,7 @@ "id": "soc-framework-manager", "description": "This will install and configure any of the SOC Framework packages.", "support": "xsoar", - "currentVersion": "1.0.7", + "currentVersion": "1.0.8", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/soc-framework-manager/xsoar_config.json b/Packs/soc-framework-manager/xsoar_config.json index 8aa13d7..6ec7f79 100644 --- a/Packs/soc-framework-manager/xsoar_config.json +++ b/Packs/soc-framework-manager/xsoar_config.json @@ -2,7 +2,7 @@ "custom_packs": [ { "id": "soc-framework-manager.zip", - "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-framework-manager-v1.0.7/soc-framework-manager-v1.0.7.zip", + "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-framework-manager-v1.0.8/soc-framework-manager-v1.0.8.zip", "system": "yes" } ], diff --git a/pack_catalog.json b/pack_catalog.json index 5467e13..172d0d3 100644 --- a/pack_catalog.json +++ b/pack_catalog.json @@ -19,7 +19,7 @@ { "id": "soc-framework-manager", "display_name": "SOC Framework Package Manager", - "version": "1.0.7", + "version": "1.0.8", "path": "Packs/soc-framework-manager", "visible": false, "xsoar_config": "https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/Packs/soc-framework-manager/xsoar_config.json" From 6ac34644aa959d92bbcea89c9bf3c08ce9dbe78c Mon Sep 17 00:00:00 2001 From: Scott Brumley Date: Mon, 26 Jan 2026 20:22:00 -0500 Subject: [PATCH 33/49] - Testing prepare-content with PoV companion - Bump version - Update Catalog --- Packs/soc-proofpoint-tap/pack_metadata.json | 2 +- Packs/soc-proofpoint-tap/xsoar_config.json | 2 +- pack_catalog.json | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Packs/soc-proofpoint-tap/pack_metadata.json b/Packs/soc-proofpoint-tap/pack_metadata.json index d9e3aa1..b9cfb25 100644 --- a/Packs/soc-proofpoint-tap/pack_metadata.json +++ b/Packs/soc-proofpoint-tap/pack_metadata.json @@ -3,7 +3,7 @@ "id": "soc-proofpoint-tap", "description": "This content adds the proper content to make the soc-phishing-investigation-response work with proofpoint.", "support": "xsoar", - "currentVersion": "1.0.8", + "currentVersion": "1.0.9", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/soc-proofpoint-tap/xsoar_config.json b/Packs/soc-proofpoint-tap/xsoar_config.json index 2d13a6d..7510211 100644 --- a/Packs/soc-proofpoint-tap/xsoar_config.json +++ b/Packs/soc-proofpoint-tap/xsoar_config.json @@ -2,7 +2,7 @@ "custom_packs": [ { "id": "soc-proofpoint-tap.zip", - "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-proofpoint-tap-v1.0.8/soc-proofpoint-tap-v1.0.8.zip", + "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-proofpoint-tap-v1.0.9/soc-proofpoint-tap-v1.0.9.zip", "system": "yes" } ], diff --git a/pack_catalog.json b/pack_catalog.json index 172d0d3..a08cf0c 100644 --- a/pack_catalog.json +++ b/pack_catalog.json @@ -59,7 +59,7 @@ { "id": "soc-proofpoint-tap", "display_name": "SOC Proofpoint TAP Integration Enhancement for Cortex XSIAM", - "version": "1.0.8", + "version": "1.0.9", "path": "Packs/soc-proofpoint-tap", "visible": true, "xsoar_config": "https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/Packs/soc-proofpoint-tap/xsoar_config.json" From c32e29a0ca79a6fb84890f3a3f075158c3810475 Mon Sep 17 00:00:00 2001 From: Scott Brumley Date: Wed, 28 Jan 2026 17:12:16 -0500 Subject: [PATCH 34/49] - Fixed Jobs configuration and Integrations - Bump version - Update Catalog --- .../Scripts/SOCFWPackManager.yml | 295 ++++++++++++------ .../soc-framework-manager/pack_metadata.json | 2 +- Packs/soc-framework-manager/xsoar_config.json | 2 +- pack_catalog.json | 2 +- 4 files changed, 209 insertions(+), 92 deletions(-) diff --git a/Packs/soc-framework-manager/Scripts/SOCFWPackManager.yml b/Packs/soc-framework-manager/Scripts/SOCFWPackManager.yml index 36becca..c590182 100644 --- a/Packs/soc-framework-manager/Scripts/SOCFWPackManager.yml +++ b/Packs/soc-framework-manager/Scripts/SOCFWPackManager.yml @@ -1,7 +1,7 @@ fromversion: 5.0.0 commonfields: id: SOCFWPackManager - version: 5 + version: 10 contentitemexportablefields: contentitemfields: packID: soc-framework-manager @@ -30,7 +30,11 @@ script: "import json\nimport time\nfrom typing import Any, Dict, List, Optional\ shows installed, then continue\n# - LOUD pre_config_docs + post_config_docs (+ optional README previews)\n# - NEW: pre-config gate (default ON): print PRE docs then STOP unless pre_config_done=true\n# - NEW: POST docs printed as the VERY LAST War Room - entry (after return_results)\n# ============================================================\n\nSCRIPT_NAME + entry (after return_results)\n#\n# JOBS FIX (NO PARAM CHANGES):\n# - Stop trusting + SOCFWJobManager output alone.\n# - After running SOCFWJobManager, VERIFY via Jobs + API that the job exists.\n# - If SOCFWJobManager fails (or doesn't create the job), + FALL BACK to direct Jobs API upsert.\n# - If Jobs API cannot be reached, we will + NOT claim jobs were configured.\n# ============================================================\n\nSCRIPT_NAME = \"SOCFWPackManager\"\n\n# ---------------------------\n# Basic helpers\n# ---------------------------\n\ndef _norm(s: Any) -> str:\n return (str(s) if s is not None else \"\").strip()\n\ndef _to_lower(s: Any) -> str:\n return _norm(s).lower()\n\ndef _parse_csv(val: Any) @@ -101,28 +105,25 @@ script: "import json\nimport time\nfrom typing import Any, Dict, List, Optional\ isinstance(d, str) and _norm(d):\n return True\n return False\n\ndef print_config_docs(\n xsoar_cfg: Dict[str, Any],\n when: str,\n debug: bool,\n \ include_doc_content: bool = False,\n doc_content_max_chars: int = 6000,\n - \ doc_content_max_lines: int = 200,\n):\n \"\"\"\n when: \"pre\" or \"post\"\n - \ Prints docs listed in xsoar_config.json:\n pre_config_docs: [{name,url}, - ...]\n post_config_docs: [{name,url}, ...]\n If include_doc_content=True - (or debug=True), fetches and embeds doc text (truncated).\n \"\"\"\n key = - \"pre_config_docs\" if when == \"pre\" else \"post_config_docs\"\n docs = xsoar_cfg.get(key) - or []\n if not isinstance(docs, list) or not docs:\n log(f\"No {key} found - in xsoar_config.json.\", stage=f\"docs.{when}\", debug=debug)\n return\n\n - \ banner_title = \" \U0001F6A7 PRE-INSTALL / PRE-CONFIG REQUIRED STEPS\" if when - == \"pre\" else \"βœ… POST-INSTALL / POST-CONFIG MANUAL STEPS\"\n banner_sub = - (\n \"_These docs usually contain prerequisites / manual steps you must complete - BEFORE install._\"\n if when == \"pre\"\n else \"_These docs usually - contain manual follow-ups and validation steps AFTER completion._\"\n )\n\n banner - = \"\\n\".join([\"---\", f\"## {banner_title}\", banner_sub, \"---\"])\n\n link_lines: - List[str] = []\n normalized_docs: List[Dict[str, str]] = []\n for d in docs:\n - \ if isinstance(d, dict):\n name = _norm(d.get(\"name\") or \"\")\n - \ url = _norm(d.get(\"url\") or \"\")\n if url or name:\n link_lines.append(_md_link(name, + \ doc_content_max_lines: int = 200,\n):\n key = \"pre_config_docs\" if when + == \"pre\" else \"post_config_docs\"\n docs = xsoar_cfg.get(key) or []\n if + not isinstance(docs, list) or not docs:\n log(f\"No {key} found in xsoar_config.json.\", + stage=f\"docs.{when}\", debug=debug)\n return\n\n banner_title = \" \U0001F6A7 + PRE-INSTALL / PRE-CONFIG REQUIRED STEPS\" if when == \"pre\" else \"βœ… POST-INSTALL + / POST-CONFIG MANUAL STEPS\"\n banner_sub = (\n \"_These docs usually + contain prerequisites / manual steps you must complete BEFORE install._\"\n if + when == \"pre\"\n else \"_These docs usually contain manual follow-ups and + validation steps AFTER completion._\"\n )\n\n banner = \"\\n\".join([\"---\", + f\"## {banner_title}\", banner_sub, \"---\"])\n\n link_lines: List[str] = []\n + \ normalized_docs: List[Dict[str, str]] = []\n for d in docs:\n if isinstance(d, + dict):\n name = _norm(d.get(\"name\") or \"\")\n url = _norm(d.get(\"url\") + or \"\")\n if url or name:\n link_lines.append(_md_link(name, url))\n normalized_docs.append({\"name\": name or url, \"url\": url})\n \ elif isinstance(d, str):\n s = _norm(d)\n if s:\n \ link_lines.append(f\"- {s}\")\n normalized_docs.append({\"name\": s, \"url\": s})\n\n if not link_lines:\n log(f\"No valid entries in {key}.\", stage=f\"docs.{when}\", debug=debug)\n return\n\n want_content = bool(include_doc_content - or debug)\n\n body: List[str] = [banner, \"### Links\", *link_lines]\n\n if + or debug)\n body: List[str] = [banner, \"### Links\", *link_lines]\n\n if want_content and normalized_docs:\n body += [\"\", \"### Doc contents (preview)\", \" _Showing a truncated preview._\", \"\"]\n\n for d in normalized_docs:\n \ name = d.get(\"name\") or \"\"\n url = d.get(\"url\") or @@ -150,11 +151,78 @@ script: "import json\nimport time\nfrom typing import Any, Dict, List, Optional\ int = 600) -> Dict[str, Any]:\n args = {\"uri\": path, \"body\": json.dumps(body if body is not None else {}), \"execution-timeout\": str(execution_timeout)}\n if using:\n args[\"using\"] = using\n res = exec_cmd(\"core-api-put\", args)\n - \ return get_contents(res) or {}\n\n# ---------------------------\n# HTTP JSON - helpers\n# ---------------------------\n\ndef http_get_json(url: str, timeout: int - = 30) -> Any:\n r = requests.get(url, timeout=timeout)\n r.raise_for_status()\n - \ return r.json()\n\n# ---------------------------\n# Catalog + Manifest resolver\n# - ---------------------------\n\nDEFAULT_CATALOG_URL = \"https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/pack_catalog.json\"\n\ndef + \ return get_contents(res) or {}\n\n# ---------------------------\n# Jobs verification + + upsert (NO NEW PARAMETERS)\n# ---------------------------\n\ndef _extract_list(resp: + Any) -> List[Dict[str, Any]]:\n if isinstance(resp, dict):\n # common + response shapes\n v = resp.get(\"response\")\n if isinstance(v, dict):\n + \ data = v.get(\"data\")\n if isinstance(data, list):\n return + [x for x in data if isinstance(x, dict)]\n if isinstance(v, list):\n return + [x for x in v if isinstance(x, dict)]\n for k in (\"data\", \"jobs\", \"result\"):\n + \ vv = resp.get(k)\n if isinstance(vv, list):\n return + [x for x in vv if isinstance(x, dict)]\n if isinstance(resp, list):\n return + [x for x in resp if isinstance(x, dict)]\n return []\n\ndef _job_name(job_obj: + Dict[str, Any]) -> str:\n return _norm(\n job_obj.get(\"name\")\n or + job_obj.get(\"jobName\")\n or job_obj.get(\"job_name\")\n or job_obj.get(\"displayName\")\n + \ or \"\"\n )\n\ndef _job_id(job_obj: Dict[str, Any]) -> str:\n return + _norm(job_obj.get(\"id\") or job_obj.get(\"_id\") or job_obj.get(\"jobId\") or \"\")\n\ndef + jobs_api_endpoints() -> Dict[str, str]:\n \"\"\"\n Centralize URIs so we can + try both /xsoar/public/v1 and /public/v1.\n \"\"\"\n return {\n \"search_xsoar\": + \"/xsoar/public/v1/jobs/search\",\n \"search_public\": \"/public/v1/jobs/search\",\n + \ \"create_xsoar\": \"/xsoar/public/v1/jobs\",\n \"create_public\": + \"/public/v1/jobs\",\n \"update_xsoar\": \"/xsoar/public/v1/jobs\", # + + /{id}\n \"update_public\": \"/public/v1/jobs\", # + /{id}\n }\n\ndef + jobs_api_search_probe(using: str) -> Optional[str]:\n \"\"\"\n Return the + working search endpoint path, or None.\n \"\"\"\n eps = jobs_api_endpoints()\n + \ probe_body = {\"page\": 0, \"size\": 1, \"query\": \"\", \"sort\": [{\"field\": + \"id\", \"asc\": True}]}\n for p in (eps[\"search_xsoar\"], eps[\"search_public\"]):\n + \ try:\n _ = core_api_post(p, body=probe_body, using=using, execution_timeout=600)\n + \ return p\n except Exception:\n continue\n return + None\n\ndef jobs_api_find_by_name(name: str, using: str, search_path: Optional[str], + debug: bool) -> Optional[Dict[str, Any]]:\n n = _norm(name).lower()\n\n if + search_path:\n try:\n body = {\"page\": 0, \"size\": 50, \"query\": + f'name:\"{name}\"', \"sort\": [{\"field\": \"id\", \"asc\": True}]}\n resp + = core_api_post(search_path, body=body, using=using, execution_timeout=600)\n rows + = _extract_list(resp)\n for r in rows:\n if _job_name(r).lower() + == n:\n return r\n except Exception as e:\n if + debug:\n emit_progress(f\"Job search failed on {search_path}: {e}\", + stage=\"configure.jobs.debug\")\n\n # last-resort: try empty query list via search + anyway (if we have it)\n if search_path:\n try:\n body = {\"page\": + 0, \"size\": 200, \"query\": \"\", \"sort\": [{\"field\": \"id\", \"asc\": True}]}\n + \ resp = core_api_post(search_path, body=body, using=using, execution_timeout=600)\n + \ rows = _extract_list(resp)\n for r in rows:\n if + _job_name(r).lower() == n:\n return r\n except Exception:\n + \ pass\n\n return None\n\ndef jobs_api_upsert(job: Dict[str, Any], + using: str, search_path: str, debug: bool) -> Dict[str, Any]:\n \"\"\"\n Upsert + via Jobs API:\n - search by name\n - if found, try PUT /jobs/{id}\n - + else, POST /jobs\n Returns a dict describing what we did.\n \"\"\"\n eps + = jobs_api_endpoints()\n name = _job_name(job)\n if not name:\n raise + Exception(\"Job object missing name\")\n\n existing = jobs_api_find_by_name(name, + using=using, search_path=search_path, debug=debug)\n existing_id = _job_id(existing) + if existing else \"\"\n\n # Prefer xsoar/public first; fall back to public\n + \ create_paths = [eps[\"create_xsoar\"], eps[\"create_public\"]]\n update_paths + = [eps[\"update_xsoar\"], eps[\"update_public\"]]\n\n if existing_id:\n # + try PUT update first\n last_err = None\n for base in update_paths:\n + \ try:\n resp = core_api_put(f\"{base}/{existing_id}\", + body=job, using=using, execution_timeout=600)\n return {\"action\": + \"updated\", \"endpoint\": f\"{base}/{existing_id}\", \"response\": resp, \"job_id\": + existing_id}\n except Exception as e:\n last_err = str(e)\n + \ continue\n\n # if PUT isn't supported, fall back to POST + (some tenants treat POST as upsert)\n for base in create_paths:\n try:\n + \ resp = core_api_post(base, body=job, using=using, execution_timeout=600)\n + \ return {\"action\": \"created_via_post_fallback\", \"endpoint\": + base, \"response\": resp, \"job_id\": existing_id, \"warning\": last_err}\n except + Exception as e:\n last_err = str(e)\n continue\n\n + \ raise Exception(f\"Failed updating job '{name}'. Last error: {last_err}\")\n\n + \ # create\n last_err = None\n for base in create_paths:\n try:\n + \ resp = core_api_post(base, body=job, using=using, execution_timeout=600)\n + \ return {\"action\": \"created\", \"endpoint\": base, \"response\": resp}\n + \ except Exception as e:\n last_err = str(e)\n continue\n\n + \ raise Exception(f\"Failed creating job '{name}'. Last error: {last_err}\")\n\n# + ---------------------------\n# HTTP JSON helpers\n# ---------------------------\n\ndef + http_get_json(url: str, timeout: int = 30) -> Any:\n r = requests.get(url, timeout=timeout)\n + \ r.raise_for_status()\n return r.json()\n\n# ---------------------------\n# + Catalog + Manifest resolver\n# ---------------------------\n\nDEFAULT_CATALOG_URL + = \"https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/pack_catalog.json\"\n\ndef fetch_pack_catalog(catalog_url: str = DEFAULT_CATALOG_URL) -> Dict[str, Any]:\n \ data = http_get_json(catalog_url)\n if not isinstance(data, dict):\n raise Exception(f\"pack_catalog.json unexpected format at {catalog_url}\")\n return @@ -162,13 +230,12 @@ script: "import json\nimport time\nfrom typing import Any, Dict, List, Optional\ Any]]:\n packs = catalog.get(\"packs\") or catalog.get(\"Packs\") or catalog.get(\"items\") or []\n if not isinstance(packs, list):\n return None\n for p in packs:\n \ if isinstance(p, dict) and (p.get(\"id\") == pack_id):\n return - p\n return None\n\ndef resolve_manifest(pack_id: str, include_hidden: bool) -> - Dict[str, Any]:\n if pack_id.startswith(\"http://\") or pack_id.startswith(\"https://\"):\n - \ return http_get_json(pack_id)\n\n catalog = fetch_pack_catalog(DEFAULT_CATALOG_URL)\n + p\n return None\n\ndef resolve_manifest(pack_id: str, include_hidden: bool, catalog_url: + str) -> Dict[str, Any]:\n if pack_id.startswith(\"http://\") or pack_id.startswith(\"https://\"):\n + \ return http_get_json(pack_id)\n\n catalog = fetch_pack_catalog(catalog_url)\n \ pack = find_pack_in_catalog(catalog, pack_id)\n if not pack:\n raise Exception(f\"Pack '{pack_id}' not found in pack_catalog.json\")\n\n visible = bool(pack.get(\"visible\", True))\n if (not include_hidden) and (not visible):\n - \ # Back-compat: allow resolution; list hides it unless include_hidden=True\n \ pass\n\n version = (pack.get(\"version\") or \"\").strip()\n if not version:\n raise Exception(f\"Pack '{pack_id}' missing version in pack_catalog.json\")\n\n \ xsoar_config_url = f\"https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/Packs/{pack_id}/xsoar_config.json\"\n @@ -183,14 +250,17 @@ script: "import json\nimport time\nfrom typing import Any, Dict, List, Optional\ ---------------------------\n# list action (filter + paging)\n# ---------------------------\n\ndef do_list(args: Dict[str, Any]):\n using = _norm(args.get(\"using\") or \"\")\n \ include_hidden = arg_to_bool(args.get(\"include_hidden\"), False)\n\n # list - args\n text_filter = _to_lower(args.get(\"filter\") or args.get(\"q\") or \"\")\n - \ visible_only = arg_to_bool(args.get(\"visible_only\"), True)\n limit = max(1, - to_int(args.get(\"limit\"), 50))\n offset = max(0, to_int(args.get(\"offset\"), + args\n text_filter = _to_lower(args.get(\"filter\") or args.get(\"q\") or \"\")\n\n + \ # IMPORTANT FIX:\n # include_hidden=True MUST win. If include_hidden=True, + visible_only must behave as False.\n visible_only_raw = arg_to_bool(args.get(\"visible_only\"), + True)\n visible_only = bool(visible_only_raw) and (not include_hidden)\n\n limit + = max(1, to_int(args.get(\"limit\"), 50))\n offset = max(0, to_int(args.get(\"offset\"), 0))\n sort_by = (_norm(args.get(\"sort_by\")) or \"id\").strip()\n sort_dir = (_norm(args.get(\"sort_dir\")) or \"asc\").strip().lower()\n fields = _parse_csv(args.get(\"fields\")) or [\"id\", \"display_name\", \"version\", \"visible\", \"path\"]\n show_total - = arg_to_bool(args.get(\"show_total\"), True)\n\n emit_progress(\"Fetching catalog…\", - stage=\"list\")\n\n catalog = fetch_pack_catalog(DEFAULT_CATALOG_URL)\n packs + = arg_to_bool(args.get(\"show_total\"), True)\n\n # honor catalog_url parameter\n + \ catalog_url = _norm(args.get(\"catalog_url\") or DEFAULT_CATALOG_URL)\n\n emit_progress(\"Fetching + catalog…\", stage=\"list\")\n\n catalog = fetch_pack_catalog(catalog_url)\n packs = catalog.get(\"packs\") or catalog.get(\"Packs\") or catalog.get(\"items\") or []\n if not isinstance(packs, list):\n raise Exception(\"pack_catalog.json is missing 'packs' list\")\n\n rows: List[Dict[str, Any]] = []\n for p in @@ -214,13 +284,14 @@ script: "import json\nimport time\nfrom typing import Any, Dict, List, Optional\ + \" |\\n\"\n sep_line = \"| \" + \" | \".join([\"---\"] * len(fields)) + \" |\\n\"\n table = header_line + sep_line\n for r in page:\n table += \"| \" + \" | \".join([_norm(r.get(f, \"\")) for f in fields]) + \" |\\n\"\n\n summary_lines - = [\n f\"using: {(using or '(default)')}\",\n f\"include_hidden: {include_hidden}\",\n - \ f\"visible_only: {visible_only}\",\n ]\n if text_filter:\n summary_lines.append(f\"filter: - `{text_filter}`\")\n summary_lines.append(f\"sort: {sort_by} {sort_dir}\")\n - \ summary_lines.append(f\"page: limit={limit}, offset={offset}\")\n if show_total:\n - \ summary_lines.append(f\"showing: {start}-{end} of {total}\")\n\n emit_progress(\"\\n\".join(summary_lines) - + \"\\n\\n\" + table, stage=\"list\")\n return\n\n# ---------------------------\n# - Marketplace install (USE ANNA’S SCRIPT)\n# ---------------------------\n\ndef install_marketplace_packs(\n + = [\n f\"using: {(using or '(default)')}\",\n f\"catalog_url: {catalog_url}\",\n + \ f\"include_hidden: {include_hidden}\",\n f\"visible_only: {visible_only}\",\n + \ ]\n if text_filter:\n summary_lines.append(f\"filter: `{text_filter}`\")\n + \ summary_lines.append(f\"sort: {sort_by} {sort_dir}\")\n summary_lines.append(f\"page: + limit={limit}, offset={offset}\")\n if show_total:\n summary_lines.append(f\"showing: + {start}-{end} of {total}\")\n\n emit_progress(\"\\n\".join(summary_lines) + \"\\n\\n\" + + table, stage=\"list\")\n return\n\n# ---------------------------\n# Marketplace + install (USE ANNA’S SCRIPT)\n# ---------------------------\n\ndef install_marketplace_packs(\n \ marketplace_packs: List[Dict[str, str]],\n using: str,\n retry_count: int,\n retry_sleep_seconds: int,\n debug: bool,\n) -> Dict[str, Any]:\n if debug:\n emit_progress(\n \"Installing marketplace packs via **XSIAMContentPackInstaller**…\\n\"\n @@ -345,23 +416,68 @@ script: "import json\nimport time\nfrom typing import Any, Dict, List, Optional\ Any],\n using: str,\n retry_count: int,\n retry_sleep_seconds: int,\n debug: bool,\n) -> Dict[str, Any]:\n jobs = [x for x in (xsoar_cfg.get(\"jobs\", []) or []) if isinstance(x, dict)]\n emit_progress(f\"Configuring jobs… ({len(jobs)} - job(s))\", stage=\"configure.jobs\")\n\n summary = {\"attempted\": 0, \"ok\": - 0, \"failed\": 0, \"failed_items\": []}\n\n for job in jobs:\n name = - (job.get(\"name\") or job.get(\"job_name\") or \"\").strip()\n if not name:\n - \ continue\n\n summary[\"attempted\"] += 1\n log(f\"Configuring - job: **{name}**\", stage=\"configure.jobs.debug\", debug=debug)\n\n cmd_args - = {\"job_name\": name, \"job_data\": json.dumps(job)}\n if using:\n cmd_args[\"using\"] - = using\n\n try:\n _ = exec_with_retry(\n \"SOCFWJobManager\",\n + job(s))\", stage=\"configure.jobs\")\n\n summary = {\n \"attempted\": + 0,\n \"ok\": 0,\n \"failed\": 0,\n \"failed_items\": [],\n + \ \"notes\": [],\n }\n\n # Determine if we can verify jobs in this tenant\n + \ search_path = jobs_api_search_probe(using=using)\n if not search_path:\n + \ emit_progress(\n \"\\n\".join(\n [\n \"❌ + Jobs API is not reachable (permissions/endpoint).\",\n \"This + script will NOT claim jobs were configured if it cannot verify them.\",\n \"Fix + permissions/role or confirm the correct jobs endpoint, then rerun.\",\n ]\n + \ ),\n stage=\"configure.jobs.error\",\n )\n # + We still attempt SOCFWJobManager (for visibility), but we will mark failures because + we cannot verify.\n summary[\"notes\"].append(\"jobs_api_unreachable=true\")\n\n + \ for job in jobs:\n name = _norm(job.get(\"name\") or job.get(\"job_name\") + or \"\")\n if not name:\n continue\n\n summary[\"attempted\"] + += 1\n log(f\"Configuring job: **{name}**\", stage=\"configure.jobs.debug\", + debug=debug)\n\n # 1) Try SOCFWJobManager first (for backward compatibility)\n + \ manager_ran = False\n manager_err = None\n try:\n cmd_args + = {\"job_name\": name, \"job_data\": json.dumps(job)}\n if using:\n cmd_args[\"using\"] + = using\n\n res = exec_with_retry(\n \"SOCFWJobManager\",\n \ cmd_args,\n retry_count=retry_count,\n retry_sleep_seconds=retry_sleep_seconds,\n - \ context_for_error=f\"Failed configuring job: {name}\",\n fail_on_error=True,\n - \ )\n summary[\"ok\"] += 1\n log(f\"Job **{name}** - ok\", stage=\"configure.jobs.result\", debug=debug)\n except Exception as - e:\n summary[\"failed\"] += 1\n summary[\"failed_items\"].append({\"name\": - name, \"error\": str(e)})\n emit_progress(f\"Failed configuring job **{name}**.\\nError: - {e}\", stage=\"configure.jobs.error\")\n\n emit_progress(\n \"\\n\".join(\n - \ [\n \"Jobs summary:\",\n f\"- attempted: - {summary['attempted']}\",\n f\"- ok: {summary['ok']}\",\n f\"- - failed: {summary['failed']}\",\n ]\n ),\n stage=\"configure.jobs.summary\",\n + \ context_for_error=f\"Failed running SOCFWJobManager for job: {name}\",\n + \ fail_on_error=False,\n )\n manager_ran = True\n\n + \ if debug:\n emit_progress(\n \"\\n\".join(\n + \ [\n f\"SOCFWJobManager response + for **{name}**:\",\n \"```json\",\n json.dumps(get_contents(res) + or {}, indent=2),\n \"```\",\n ]\n + \ ),\n stage=\"configure.jobs.debug\",\n )\n + \ except Exception as e:\n manager_err = str(e)\n\n # 2) + Verify job exists (required to count success)\n if not search_path:\n summary[\"failed\"] + += 1\n summary[\"failed_items\"].append(\n {\"name\": + name, \"error\": \"Jobs API verification unavailable; cannot confirm job creation/update.\"}\n + \ )\n continue\n\n # Give the platform a moment for + eventual consistency\n verified = None\n for _i in range(1, 8):\n + \ verified = jobs_api_find_by_name(name, using=using, search_path=search_path, + debug=debug)\n if verified:\n break\n time.sleep(2)\n\n + \ if verified:\n summary[\"ok\"] += 1\n log(f\"βœ… Job + **{name}** verified in tenant.\", stage=\"configure.jobs.result\", debug=debug, + always=True)\n continue\n\n # 3) If not verified, fall back to + direct Jobs API upsert\n try:\n upsert_result = jobs_api_upsert(job, + using=using, search_path=search_path, debug=debug)\n if debug:\n emit_progress(\n + \ \"\\n\".join(\n [\n f\"Jobs + API upsert result for **{name}**:\",\n \"```json\",\n + \ json.dumps(upsert_result, indent=2),\n \"```\",\n + \ ]\n ),\n stage=\"configure.jobs.debug\",\n + \ )\n\n # Verify again\n verified2 = None\n + \ for _i in range(1, 8):\n verified2 = jobs_api_find_by_name(name, + using=using, search_path=search_path, debug=debug)\n if verified2:\n + \ break\n time.sleep(2)\n\n if not verified2:\n + \ raise Exception(\"Upsert ran but job still not visible via Jobs + API.\")\n\n summary[\"ok\"] += 1\n log(f\"βœ… Job **{name}** + created/updated via Jobs API fallback and verified.\", stage=\"configure.jobs.result\", + debug=debug, always=True)\n\n except Exception as e:\n summary[\"failed\"] + += 1\n err_parts = []\n if manager_err:\n err_parts.append(f\"SOCFWJobManager + error: {manager_err}\")\n elif manager_ran:\n err_parts.append(\"SOCFWJobManager + ran but did not create/verify the job.\")\n err_parts.append(f\"Jobs + API fallback error: {e}\")\n summary[\"failed_items\"].append({\"name\": + name, \"error\": \" | \".join(err_parts)})\n emit_progress(f\"Failed + configuring job **{name}**.\\nError: {' | '.join(err_parts)}\", stage=\"configure.jobs.error\")\n\n + \ emit_progress(\n \"\\n\".join(\n [\n \"Jobs + summary:\",\n f\"- attempted: {summary['attempted']}\",\n f\"- + ok (verified): {summary['ok']}\",\n f\"- failed: {summary['failed']}\",\n + \ f\"- notes: {', '.join(summary['notes']) if summary['notes'] else + '(none)'}\",\n ]\n ),\n stage=\"configure.jobs.summary\",\n \ )\n return summary\n\ndef configure_lookups_from_xsoar_config(\n xsoar_cfg: Dict[str, Any],\n using: str,\n retry_count: int,\n retry_sleep_seconds: int,\n overwrite_lookup: bool,\n debug: bool,\n) -> Dict[str, Any]:\n dsets @@ -397,9 +513,9 @@ script: "import json\nimport time\nfrom typing import Any, Dict, List, Optional\ False)\n\n include_doc_content = arg_to_bool(args.get(\"include_doc_content\"), False)\n doc_content_max_chars = to_int(args.get(\"doc_content_max_chars\"), 6000)\n doc_content_max_lines = to_int(args.get(\"doc_content_max_lines\"), 200)\n\n - \ # NEW: pre-config gate\n pre_config_done = arg_to_bool(args.get(\"pre_config_done\"), - False)\n pre_config_gate = arg_to_bool(args.get(\"pre_config_gate\"), True) # - default True\n\n retry_count = to_int(args.get(\"retry_count\"), 5)\n retry_sleep_seconds + \ # pre-config gate\n pre_config_done = arg_to_bool(args.get(\"pre_config_done\"), + False)\n pre_config_gate = arg_to_bool(args.get(\"pre_config_gate\"), True)\n\n + \ retry_count = to_int(args.get(\"retry_count\"), 5)\n retry_sleep_seconds = to_int(args.get(\"retry_sleep_seconds\"), 15)\n using = (args.get(\"using\") or \"\").strip()\n execution_timeout = to_int(args.get(\"execution_timeout\"), 1200)\n\n skip_verify = arg_to_bool(args.get(\"skip_verify\"), True)\n skip_validation @@ -408,11 +524,13 @@ script: "import json\nimport time\nfrom typing import Any, Dict, List, Optional\ 1800)\n post_install_poll_interval_seconds = to_int(args.get(\"post_install_poll_interval_seconds\"), 60)\n continue_on_install_timeout = arg_to_bool(args.get(\"continue_on_install_timeout\"), False)\n\n fail_on_marketplace_errors = arg_to_bool(args.get(\"fail_on_marketplace_errors\"), - False)\n\n debug = arg_to_bool(args.get(\"debug\"), False)\n\n if action not - in (\"apply\", \"list\"):\n raise Exception(f\"Unsupported action: {action}\")\n\n - \ if action == \"list\":\n return do_list(args)\n\n if not pack_id:\n - \ raise Exception(\"pack_id is required for action=apply\")\n\n emit_progress(\n - \ \"\\n\".join(\n [\n f\"Starting {action} for **{pack_id}**\",\n + False)\n\n debug = arg_to_bool(args.get(\"debug\"), False)\n\n # honor catalog_url + parameter\n catalog_url = _norm(args.get(\"catalog_url\") or DEFAULT_CATALOG_URL)\n\n + \ if action not in (\"apply\", \"list\"):\n raise Exception(f\"Unsupported + action: {action}\")\n\n if action == \"list\":\n return do_list(args)\n\n + \ if not pack_id:\n raise Exception(\"pack_id is required for action=apply\")\n\n + \ emit_progress(\n \"\\n\".join(\n [\n f\"Starting + {action} for **{pack_id}**\",\n f\"- catalog_url={catalog_url}\",\n \ f\"- include_hidden={include_hidden}\",\n f\"- dry_run={dry_run}\",\n \ f\"- install_marketplace={install_marketplace_flag}\",\n f\"- apply_configure={apply_configure} (jobs={configure_jobs}, integrations={configure_integrations}, @@ -430,15 +548,16 @@ script: "import json\nimport time\nfrom typing import Any, Dict, List, Optional\ \ f\"- pre_config_done={pre_config_done}\",\n f\"- debug={debug}\",\n ]\n ),\n stage=\"start\",\n )\n\n \ emit_progress(\"Resolving install manifest…\", stage=\"manifest\")\n manifest - = resolve_manifest(pack_id, include_hidden=include_hidden)\n\n marketplace_packs - = manifest.get(\"marketplace_packs\") or []\n custom_zip_urls = manifest.get(\"custom_zip_urls\") - or []\n xsoar_config_url = manifest.get(\"xsoar_config_url\") or \"\"\n\n emit_progress(\n - \ \"\\n\".join(\n [\n \"Manifest resolved.\",\n - \ f\"- marketplace_packs: {len(marketplace_packs)}\",\n f\"- - custom ZIP URLs: {len(custom_zip_urls)}\",\n f\"- xsoar_config_url: - {xsoar_config_url or '(none)'}\",\n ]\n ),\n stage=\"manifest.summary\",\n - \ )\n\n xsoar_cfg: Dict[str, Any] = {}\n if xsoar_config_url:\n emit_progress(\"Fetching - xsoar_config.json…\", stage=\"xsoar_config.fetch\")\n xsoar_cfg = fetch_xsoar_config(xsoar_config_url) + = resolve_manifest(pack_id, include_hidden=include_hidden, catalog_url=catalog_url)\n\n + \ marketplace_packs = manifest.get(\"marketplace_packs\") or []\n custom_zip_urls + = manifest.get(\"custom_zip_urls\") or []\n xsoar_config_url = manifest.get(\"xsoar_config_url\") + or \"\"\n\n emit_progress(\n \"\\n\".join(\n [\n \"Manifest + resolved.\",\n f\"- marketplace_packs: {len(marketplace_packs)}\",\n + \ f\"- custom ZIP URLs: {len(custom_zip_urls)}\",\n f\"- + xsoar_config_url: {xsoar_config_url or '(none)'}\",\n ]\n ),\n + \ stage=\"manifest.summary\",\n )\n\n xsoar_cfg: Dict[str, Any] = {}\n + \ if xsoar_config_url:\n emit_progress(\"Fetching xsoar_config.json…\", + stage=\"xsoar_config.fetch\")\n xsoar_cfg = fetch_xsoar_config(xsoar_config_url) or {}\n\n cfg_marketplace_packs = xsoar_cfg.get(\"marketplace_packs\") or []\n if isinstance(cfg_marketplace_packs, list) and cfg_marketplace_packs:\n \ marketplace_packs = cfg_marketplace_packs\n\n emit_progress(\n @@ -449,12 +568,11 @@ script: "import json\nimport time\nfrom typing import Any, Dict, List, Optional\ []) or [])}\",\n f\"- has_pre_config_docs: {has_config_docs(xsoar_cfg, 'pre')}\",\n f\"- has_post_config_docs: {has_config_docs(xsoar_cfg, 'post')}\",\n ]\n ),\n stage=\"xsoar_config.summary\",\n - \ )\n\n # Print PRE docs immediately\n print_config_docs(\n - \ xsoar_cfg,\n when=\"pre\",\n debug=debug,\n include_doc_content=include_doc_content,\n + \ )\n\n print_config_docs(\n xsoar_cfg,\n when=\"pre\",\n + \ debug=debug,\n include_doc_content=include_doc_content,\n \ doc_content_max_chars=doc_content_max_chars,\n doc_content_max_lines=doc_content_max_lines,\n - \ )\n\n # DEFAULT: stop after printing PRE docs if they exist (unless - acknowledged/bypassed)\n if pre_config_gate and has_config_docs(xsoar_cfg, - \"pre\") and not pre_config_done:\n emit_progress(\n \"\\n\".join(\n + \ )\n\n if pre_config_gate and has_config_docs(xsoar_cfg, \"pre\") + and not pre_config_done:\n emit_progress(\n \"\\n\".join(\n \ [\n \"\U0001F6D1 **Pre-config required**\",\n \ \"Pre-config docs were printed above.\",\n \"\",\n \ \"After completing those steps, rerun with:\",\n \"- @@ -510,17 +628,16 @@ script: "import json\nimport time\nfrom typing import Any, Dict, List, Optional\ \ retry_sleep_seconds=retry_sleep_seconds,\n overwrite_lookup=overwrite_lookup,\n \ debug=debug,\n )\n\n emit_progress(\"Done.\", stage=\"done\")\n\n \ results_obj = {\n \"pack_id\": pack_id,\n \"xsoar_config_url\": - xsoar_config_url,\n \"marketplace_errors\": marketplace_errors,\n \"debug\": - debug,\n \"install_timeout\": install_timeout,\n \"skip_verify\": - skip_verify,\n \"skip_validation\": skip_validation,\n \"post_install_poll_seconds\": - post_install_poll_seconds,\n \"post_install_poll_interval_seconds\": post_install_poll_interval_seconds,\n - \ \"continue_on_install_timeout\": continue_on_install_timeout,\n \"configure_summary\": - {\n \"integrations\": integration_summary,\n \"jobs\": jobs_summary,\n - \ \"lookups\": lookups_summary,\n },\n }\n\n # Return the - machine-readable result first...\n return_results(results_obj)\n\n # ...then - print POST docs as the FINAL War Room entry (so users don't scroll)\n if xsoar_cfg:\n - \ print_config_docs(\n xsoar_cfg,\n when=\"post\",\n - \ debug=debug,\n include_doc_content=include_doc_content,\n + xsoar_config_url,\n \"catalog_url\": catalog_url,\n \"marketplace_errors\": + marketplace_errors,\n \"debug\": debug,\n \"install_timeout\": install_timeout,\n + \ \"skip_verify\": skip_verify,\n \"skip_validation\": skip_validation,\n + \ \"post_install_poll_seconds\": post_install_poll_seconds,\n \"post_install_poll_interval_seconds\": + post_install_poll_interval_seconds,\n \"continue_on_install_timeout\": continue_on_install_timeout,\n + \ \"configure_summary\": {\n \"integrations\": integration_summary,\n + \ \"jobs\": jobs_summary,\n \"lookups\": lookups_summary,\n + \ },\n }\n\n # Return machine-readable first\n return_results(results_obj)\n\n + \ # Print POST docs last\n if xsoar_cfg:\n print_config_docs(\n xsoar_cfg,\n + \ when=\"post\",\n debug=debug,\n include_doc_content=include_doc_content,\n \ doc_content_max_chars=doc_content_max_chars,\n doc_content_max_lines=doc_content_max_lines,\n \ )\n\nif __name__ in (\"__main__\", \"__builtin__\", \"builtins\"):\n main()\n" type: python diff --git a/Packs/soc-framework-manager/pack_metadata.json b/Packs/soc-framework-manager/pack_metadata.json index e4d4c5f..627e719 100644 --- a/Packs/soc-framework-manager/pack_metadata.json +++ b/Packs/soc-framework-manager/pack_metadata.json @@ -3,7 +3,7 @@ "id": "soc-framework-manager", "description": "This will install and configure any of the SOC Framework packages.", "support": "xsoar", - "currentVersion": "1.0.8", + "currentVersion": "1.0.9", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/soc-framework-manager/xsoar_config.json b/Packs/soc-framework-manager/xsoar_config.json index 6ec7f79..4ad2361 100644 --- a/Packs/soc-framework-manager/xsoar_config.json +++ b/Packs/soc-framework-manager/xsoar_config.json @@ -2,7 +2,7 @@ "custom_packs": [ { "id": "soc-framework-manager.zip", - "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-framework-manager-v1.0.8/soc-framework-manager-v1.0.8.zip", + "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-framework-manager-v1.0.9/soc-framework-manager-v1.0.9.zip", "system": "yes" } ], diff --git a/pack_catalog.json b/pack_catalog.json index a08cf0c..aa82006 100644 --- a/pack_catalog.json +++ b/pack_catalog.json @@ -19,7 +19,7 @@ { "id": "soc-framework-manager", "display_name": "SOC Framework Package Manager", - "version": "1.0.8", + "version": "1.0.9", "path": "Packs/soc-framework-manager", "visible": false, "xsoar_config": "https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/Packs/soc-framework-manager/xsoar_config.json" From d131b1b44231cd9e52403daade81e16daf18f6d6 Mon Sep 17 00:00:00 2001 From: Scott Brumley Date: Thu, 29 Jan 2026 13:44:28 -0500 Subject: [PATCH 35/49] - Created New SOC Common Playbooks V3 - Fixed links between SOC Opt Unified and new SOC Common Playbooks - Fixed Jobs links in xsoar_config.json - Fixed Integrations in xsoar_config.json - Added Lookup table into xsoar_config.json - Bump version - Update Catalog --- .../soc-common-playbooks-unified/.pack-ignore | 0 .../.secrets-ignore | 0 .../SOC_Account_Enrichment_-_Generic_v2.1.yml | 2376 ++++++++ ...e_Directory_-_Get_User_Manager_Details.yml | 608 ++ .../SOC_Block_Account_-_Generic_v2.yml | 3287 +++++++++++ .../SOC_Block_Domain_-_Cisco_Stealthwatch.yml | 374 ++ .../SOC_Block_Domain_-_External_Dynamic.yml | 229 + ...C_Block_Domain_-_External_Dynamic_List.yml | 330 ++ ..._Block_Domain_-_FireEye_Email_Security.yml | 372 ++ .../SOC_Block_Domain_-_Generic_v2.yml | 381 ++ ...ck_Domain_-_Proofpoint_Threat_Response.yml | 399 ++ ...ck_Domain_-_Symantec_Messaging_Gateway.yml | 374 ++ ...OC_Block_Domain_-_Trend_Micro_Apex_One.yml | 387 ++ .../Playbooks/SOC_Block_Domain_-_Zscaler.yml | 374 ++ .../SOC_Block_Email_-_Generic_v2.yml | 873 +++ ...SOC_Block_File_-_Carbon_Black_Response.yml | 404 ++ .../Playbooks/SOC_Block_File_-_Cybereason.yml | 399 ++ .../SOC_Block_File_-_Cylance_Protect_v2.yml | 407 ++ .../Playbooks/SOC_Block_File_-_Generic_v2.yml | 597 ++ .../Playbooks/SOC_Block_IP_-_Generic_v2.yml | 1223 ++++ .../Playbooks/SOC_Block_IP_-_Generic_v3.yml | 5060 +++++++++++++++++ .../SOC_Block_Indicators_-_Generic_v3.yml | 1661 ++++++ .../Playbooks/SOC_Block_URL_-_Generic_v2.yml | 1695 ++++++ ...alculate_Severity_-_Critical_Assets_v2.yml | 1537 +++++ .../SOC_Calculate_Severity_-_Generic_v2.yml | 1009 ++++ ...alculate_Severity_By_Highest_DBotScore.yml | 551 ++ .../SOC_Cloud_IAM_Enrichment_-_Generic.yml | 1287 +++++ .../Playbooks/SOC_Containment_Plan.yml | 1744 ++++++ ...OC_Containment_Plan_-_Block_Indicators.yml | 1107 ++++ ...Containment_Plan_-_Clear_User_Sessions.yml | 924 +++ ...SOC_Containment_Plan_-_Disable_Account.yml | 356 ++ .../SOC_Containment_Plan_-_Isolate_Device.yml | 725 +++ ...SOC_Containment_Plan_-_Quarantine_File.yml | 1077 ++++ .../Playbooks/SOC_Cortex_XDR_-_Block_File.yml | 370 ++ .../SOC_CrowdStrike_Falcon_-_Block_File.yml | 622 ++ ..._Crowdstrike_Falcon_-_Isolate_Endpoint.yml | 417 ++ .../SOC_Domain_Enrichment_-_Generic_v2.yml | 544 ++ ...mail_Address_Enrichment_-_Generic_v2.1.yml | 1069 ++++ ...dpoint_Enrichment_-_Cylance_Protect_v2.yml | 415 ++ ...SOC_Endpoint_Enrichment_-_Generic_v2.1.yml | 2368 ++++++++ .../Playbooks/SOC_Eradication_Plan.yml | 733 +++ .../SOC_Eradication_Plan_-_Delete_File.yml | 390 ++ .../SOC_Eradication_Plan_-_Reset_Password.yml | 469 ++ ...C_Eradication_Plan_-_Terminate_Process.yml | 1099 ++++ .../SOC_File_Enrichment_-_File_reputation.yml | 467 ++ .../Playbooks/SOC_File_Reputation.yml | 1085 ++++ .../Playbooks/SOC_Get_prevalence_for_IOCs.yml | 991 ++++ ..._IP_Enrichment_-_External_-_Generic_v2.yml | 1056 ++++ .../SOC_IP_Enrichment_-_Generic_v2.yml | 1351 +++++ ..._IP_Enrichment_-_Internal_-_Generic_v2.yml | 1285 +++++ .../Playbooks/SOC_Isolation_Router.yml | 464 ++ .../Playbooks/SOC_MDE_-_Block_File.yml | 665 +++ ...fender_For_Endpoint_-_Isolate_Endpoint.yml | 1216 ++++ .../SOC_NIST_Detection_&_Analysis.yml | 1427 +++++ ..._PAN-OS_-_Block_IP_-_Custom_Block_Rule.yml | 672 +++ ...N-OS_-_Block_IP_-_Static_Address_Group.yml | 758 +++ ...N-OS_-_Block_URL_-_Custom_URL_Category.yml | 1095 ++++ .../SOC_PAN-OS_-_Create_Or_Edit_Rule.yml | 974 ++++ .../SOC_PAN-OS_Commit_Configuration_v2.yml | 731 +++ .../SOC_PAN-OS_DAG_Configuration.yml | 751 +++ .../Playbooks/SOC_Prisma_SASE_-_Block_URL.yml | 1011 ++++ ..._-_Create_or_Edit_Security_Policy_Rule.yml | 1159 ++++ .../Playbooks/SOC_Ready_Ticketing.yml | 303 + .../Playbooks/SOC_Recovery_Plan.yml | 507 ++ .../Playbooks/SOC_Symantec_block_Email.yml | 375 ++ .../SOC_URL_Enrichment_-_Generic_v2.yml | 773 +++ Packs/soc-common-playbooks-unified/README.md | 0 .../pack_metadata.json | 383 ++ .../xsoar_config.json | 1457 +++++ .../Foundation_-_Endpoint_Enrichment.yml | 8 +- .../Playbooks/Foundation_-_Enrichment.yml | 8 +- .../Playbooks/SOC_Endpoint_Containment.yml | 4 +- .../pack_metadata.json | 2 +- 73 files changed, 61590 insertions(+), 11 deletions(-) create mode 100644 Packs/soc-common-playbooks-unified/.pack-ignore create mode 100644 Packs/soc-common-playbooks-unified/.secrets-ignore create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_Account_Enrichment_-_Generic_v2.1.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_Active_Directory_-_Get_User_Manager_Details.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_Account_-_Generic_v2.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_Domain_-_Cisco_Stealthwatch.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_Domain_-_External_Dynamic.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_Domain_-_External_Dynamic_List.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_Domain_-_FireEye_Email_Security.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_Domain_-_Generic_v2.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_Domain_-_Proofpoint_Threat_Response.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_Domain_-_Symantec_Messaging_Gateway.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_Domain_-_Trend_Micro_Apex_One.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_Domain_-_Zscaler.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_Email_-_Generic_v2.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_File_-_Carbon_Black_Response.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_File_-_Cybereason.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_File_-_Cylance_Protect_v2.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_File_-_Generic_v2.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_IP_-_Generic_v2.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_IP_-_Generic_v3.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_Indicators_-_Generic_v3.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_URL_-_Generic_v2.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_Calculate_Severity_-_Critical_Assets_v2.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_Calculate_Severity_-_Generic_v2.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_Calculate_Severity_By_Highest_DBotScore.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_Cloud_IAM_Enrichment_-_Generic.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_Containment_Plan.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_Containment_Plan_-_Block_Indicators.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_Containment_Plan_-_Clear_User_Sessions.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_Containment_Plan_-_Disable_Account.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_Containment_Plan_-_Isolate_Device.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_Containment_Plan_-_Quarantine_File.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_Cortex_XDR_-_Block_File.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_CrowdStrike_Falcon_-_Block_File.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_Crowdstrike_Falcon_-_Isolate_Endpoint.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_Domain_Enrichment_-_Generic_v2.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_Email_Address_Enrichment_-_Generic_v2.1.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_Endpoint_Enrichment_-_Cylance_Protect_v2.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_Endpoint_Enrichment_-_Generic_v2.1.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_Eradication_Plan.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_Eradication_Plan_-_Delete_File.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_Eradication_Plan_-_Reset_Password.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_Eradication_Plan_-_Terminate_Process.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_File_Enrichment_-_File_reputation.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_File_Reputation.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_Get_prevalence_for_IOCs.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_IP_Enrichment_-_External_-_Generic_v2.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_IP_Enrichment_-_Generic_v2.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_IP_Enrichment_-_Internal_-_Generic_v2.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_Isolation_Router.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_MDE_-_Block_File.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_Microsoft_Defender_For_Endpoint_-_Isolate_Endpoint.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_NIST_Detection_&_Analysis.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_PAN-OS_-_Block_IP_-_Custom_Block_Rule.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_PAN-OS_-_Block_IP_-_Static_Address_Group.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_PAN-OS_-_Block_URL_-_Custom_URL_Category.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_PAN-OS_-_Create_Or_Edit_Rule.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_PAN-OS_Commit_Configuration_v2.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_PAN-OS_DAG_Configuration.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_Prisma_SASE_-_Block_URL.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_Prisma_SASE_-_Create_or_Edit_Security_Policy_Rule.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_Ready_Ticketing.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_Recovery_Plan.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_Symantec_block_Email.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_URL_Enrichment_-_Generic_v2.yml create mode 100644 Packs/soc-common-playbooks-unified/README.md create mode 100644 Packs/soc-common-playbooks-unified/pack_metadata.json create mode 100644 Packs/soc-common-playbooks-unified/xsoar_config.json diff --git a/Packs/soc-common-playbooks-unified/.pack-ignore b/Packs/soc-common-playbooks-unified/.pack-ignore new file mode 100644 index 0000000..e69de29 diff --git a/Packs/soc-common-playbooks-unified/.secrets-ignore b/Packs/soc-common-playbooks-unified/.secrets-ignore new file mode 100644 index 0000000..e69de29 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Account_Enrichment_-_Generic_v2.1.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Account_Enrichment_-_Generic_v2.1.yml new file mode 100644 index 0000000..ed9e7f9 --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Account_Enrichment_-_Generic_v2.1.yml @@ -0,0 +1,2376 @@ +adopted: true +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 6.5.0 + isoverridable: false + itemVersion: 2.7.15 + packID: "" + packName: Common Playbooks + prevname: "" + supportedModules: + - X1 + - X3 + - X5 + - ENT_PLUS + - agentix + toServerVersion: "" +description: |- + Enrich accounts using one or more integrations. + Supported integrations: + - Active Directory + - Microsoft Graph User + - SailPoint IdentityNow + - SailPoint IdentityIQ + - PingOne + - Okta + - AWS IAM + - Cortex XDR (account enrichment and reputation) + + Also, the playbook supports the generic command 'iam-get-user' (implemented in IAM integrations). For more information, visit https://xsoar.pan.dev/docs/integrations/iam-integrations. +dirtyInputs: true +id: 'SOC Account Enrichment - Generic v2.1_V3' +inputSections: +- description: Generic group for inputs + inputs: + - Username + - Domain + name: General (Inputs group) +inputs: +- description: |- + The usernames to enrich. This input supports multiple usernames. + Usernames can be with or without a domain prefix, in the format of "username" or "domain\username". + Domain usernames will only be enriched in integrations that support them. + key: Username + playbookInputQuery: + required: false + value: + complex: + accessor: Username + root: Account + transformers: + - operator: uniq +- description: |- + Optional - This input is needed for the IAM-get-user command (used in the Account Enrichment - IAM playbook). Please provide the domain name that the user is related to. + Example: @xsoar.com + key: Domain + playbookInputQuery: + required: false + value: {} +name: SOC Account Enrichment - Generic v2.1_V3 +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: + - Account + - ActiveDirectory.Users.sAMAccountName + - ActiveDirectory.Users.userAccountControl + - ActiveDirectory.Users.mail + - ActiveDirectory.Users.memberOf + - IAM + - IdentityIQ.Identity + - PingOne.Account + - ActiveDirectory.Users.manager + - IAM.Vendor.active + - IAM.Vendor.brand + - IAM.Vendor.details + - IAM.Vendor.email + - IAM.Vendor.errorCode + - IAM.Vendor.errorMessage + - IAM.Vendor.id + - IAM.Vendor.instanceName + - IAM.Vendor.success + - IAM.Vendor.username + - IdentityIQ.Identity.userName + - IdentityIQ.Identity.id + - IdentityIQ.Identity.active + - IdentityIQ.Identity.lastModified + - IdentityIQ.Identity.displayName + - IdentityIQ.Identity.emails + - IdentityIQ.Identity.entitlements + - IdentityIQ.Identity.roles + - IdentityIQ.Identity.capabilities + - IdentityIQ.Identity.name + - IdentityIQ.Identity.name.formatted + - IdentityIQ.Identity.name.familyName + - IdentityIQ.Identity.name.givenName + - IdentityIQ.Identity.manager + - IdentityIQ.Identity.manager.userName + - IdentityIQ.Identity.emails.type + - IdentityIQ.Identity.emails.value + - IdentityIQ.Identity.emails.primary + - PingOne.Account.ID + - PingOne.Account.Username + - PingOne.Account.DisplayName + - PingOne.Account.Email + - PingOne.Account.Enabled + - PingOne.Account.CreatedAt + - PingOne.Account.UpdatedAt + - Account.PasswordChanged + - Account.StatusChanged + - Account.Activated + - Account.Created + - Account.Status + - Account.Username + - Account.Email + - Account.ID + - ActiveDirectory.Users.dn + - ActiveDirectory.Users.displayName + - ActiveDirectory.Users.name + - ActiveDirectory.Users.userAccountControlFields + - ActiveDirectory.Users.userAccountControlFields.SCRIPT + - ActiveDirectory.Users.userAccountControlFields.ACCOUNTDISABLE + - ActiveDirectory.Users.userAccountControlFields.HOMEDIR_REQUIRED + - ActiveDirectory.Users.userAccountControlFields.LOCKOUT + - ActiveDirectory.Users.userAccountControlFields.PASSWD_NOTREQD + - ActiveDirectory.Users.userAccountControlFields.PASSWD_CANT_CHANGE + - ActiveDirectory.Users.userAccountControlFields.ENCRYPTED_TEXT_PWD_ALLOWED + - ActiveDirectory.Users.userAccountControlFields.TEMP_DUPLICATE_ACCOUNT + - ActiveDirectory.Users.userAccountControlFields.NORMAL_ACCOUNT + - ActiveDirectory.Users.userAccountControlFields.INTERDOMAIN_TRUST_ACCOUNT + - ActiveDirectory.Users.userAccountControlFields.WORKSTATION_TRUST_ACCOUNT + - Account.Manager + - Account.Groups + - Account.DisplayName + - ActiveDirectory.Users.userAccountControlFields.PARTIAL_SECRETS_ACCOUNT + - ActiveDirectory.Users.userAccountControlFields.TRUSTED_TO_AUTH_FOR_DELEGATION + - ActiveDirectory.Users.userAccountControlFields.DONT_REQ_PREAUTH + - ActiveDirectory.Users.userAccountControlFields.USE_DES_KEY_ONLY + - ActiveDirectory.Users.userAccountControlFields.NOT_DELEGATED + - ActiveDirectory.Users.userAccountControlFields.TRUSTED_FOR_DELEGATION + - ActiveDirectory.Users.userAccountControlFields.SMARTCARD_REQUIRED + - ActiveDirectory.Users.userAccountControlFields.MNS_LOGON_ACCOUNT + - ActiveDirectory.Users.userAccountControlFields.SERVER_TRUST_ACCOUNT + - IAM.Vendor + - IAM.Vendor.action + - IAM.UserProfile + - SailPointIdentityNow.Account + - SailPointIdentityNow.Account.id + - SailPointIdentityNow.Account.name + - SailPointIdentityNow.Account.identityId + - SailPointIdentityNow.Account.nativeIdentity + - SailPointIdentityNow.Account.sourceId + - SailPointIdentityNow.Account.created + - SailPointIdentityNow.Account.modified + - SailPointIdentityNow.Account.attributes + - SailPointIdentityNow.Account.authoritative + - SailPointIdentityNow.Account.disabled + - SailPointIdentityNow.Account.locked + - SailPointIdentityNow.Account.systemAccount + - SailPointIdentityNow.Account.uncorrelated + - SailPointIdentityNow.Account.manuallyCorrelated + - SailPointIdentityNow.Account.hasEntitlements + - UserManagerEmail + - UserManagerDisplayName + - MSGraphUser.ID + - MSGraphUser.DisplayName + - MSGraphUser.GivenName + - MSGraphUser.JobTitle + - MSGraphUser.Mail + - MSGraphUser.Surname + - MSGraphUser.UserPrincipalName + - MSGraphUserManager.Manager.ID + - MSGraphUserManager.Manager.DisplayName + - MSGraphUserManager.Manager.GivenName + - MSGraphUserManager.Manager.Mail + - MSGraphUserManager.Manager.Surname + - MSGraphUserManager.Manager.UserPrincipalName + - PaloAltoNetworksXDR.RiskyUser + - PaloAltoNetworksXDR.RiskyUser.type + - PaloAltoNetworksXDR.RiskyUser.id + - PaloAltoNetworksXDR.RiskyUser.score + - PaloAltoNetworksXDR.RiskyUser.reasons + - PaloAltoNetworksXDR.RiskyUser.reasons.date created + - PaloAltoNetworksXDR.RiskyUser.reasons.description + - PaloAltoNetworksXDR.RiskyUser.reasons.severity + - PaloAltoNetworksXDR.RiskyUser.reasons.status + - PaloAltoNetworksXDR.RiskyUser.reasons.points + - ActiveDirectory.Users.userAccountControlFields.DONT_EXPIRE_PASSWORD + - ActiveDirectory.Users.userAccountControlFields.PASSWORD_EXPIRED + - Account.ManagerEmail + - AWS.IAM.Users + - AWS.IAM.Users.UserName + - AWS.IAM.Users.UserId + - AWS.IAM.Users.Arn + - AWS.IAM.Users.CreateDate + - AWS.IAM.Users.Path + - AWS.IAM.Users.PasswordLastUsed + - MSGraphUser.MobilePhone + - MSGraphUser.OfficeLocation + - Account.JobTitle + - Account.TelephoneNumber + - Account.Office + - Account.Type + - Account.Email.Address + - MSGraphUserManager.Manager.BusinessPhones + - MSGraphUser.BusinessPhones + - MSGraphUserManager.Manager.JobTitle + - MSGraphUserManager.Manager.MobilePhone + - MSGraphUserManager.Manager.OfficeLocation +outputs: +- contextPath: Account + description: The account object. + type: string +- contextPath: ActiveDirectory.Users.sAMAccountName + description: The user's SAM account name. + type: string +- contextPath: ActiveDirectory.Users.userAccountControl + description: The user's account control flag. + type: string +- contextPath: ActiveDirectory.Users.mail + description: The user's email address. + type: string +- contextPath: ActiveDirectory.Users.memberOf + description: Groups the user is a member of. + type: string +- contextPath: IAM + description: Generic IAM output. + type: string +- contextPath: IdentityIQ.Identity + description: Identity asset from IdentityIQ. + type: string +- contextPath: PingOne.Account + description: Account in PingID. + type: string +- contextPath: ActiveDirectory.Users.manager + description: The manager of the user. + type: string +- contextPath: IAM.Vendor.active + description: When true, indicates that the employee's status is active in the 3rd-party + integration. + type: string +- contextPath: IAM.Vendor.brand + description: Name of the integration. + type: string +- contextPath: IAM.Vendor.details + description: Provides the raw data from the 3rd-party integration. + type: string +- contextPath: IAM.Vendor.email + description: The employee's email address. + type: string +- contextPath: IAM.Vendor.errorCode + description: HTTP error response code. + type: string +- contextPath: IAM.Vendor.errorMessage + description: Reason why the API failed. + type: string +- contextPath: IAM.Vendor.id + description: The employee's user ID in the app. + type: string +- contextPath: IAM.Vendor.instanceName + description: Name of the integration instance. + type: string +- contextPath: IAM.Vendor.success + description: When true, indicates that the command was executed successfully. + type: string +- contextPath: IAM.Vendor.username + description: The employee's username in the app. + type: string +- contextPath: IdentityIQ.Identity.userName + description: The IdentityIQ username (primary ID). + type: string +- contextPath: IdentityIQ.Identity.id + description: The IdentityIQ internal ID (UUID). + type: string +- contextPath: IdentityIQ.Identity.active + description: Indicates whether the ID is active or inactive in IdentityIQ. + type: string +- contextPath: IdentityIQ.Identity.lastModified + description: Timestamp of when the identity was last modified. + type: string +- contextPath: IdentityIQ.Identity.displayName + description: The display name of the identity. + type: string +- contextPath: IdentityIQ.Identity.emails + description: Array of email objects. + type: string +- contextPath: IdentityIQ.Identity.entitlements + description: Array of entitlement objects that the identity has. + type: string +- contextPath: IdentityIQ.Identity.roles + description: Array of role objects that the identity has. + type: string +- contextPath: IdentityIQ.Identity.capabilities + description: Array of string representations of the IdentityIQ capabilities assigned + to this identity. + type: string +- contextPath: IdentityIQ.Identity.name + description: Account name. + type: string +- contextPath: IdentityIQ.Identity.name.formatted + description: The display name of the identity. + type: string +- contextPath: IdentityIQ.Identity.name.familyName + description: The last name of the identity. + type: string +- contextPath: IdentityIQ.Identity.name.givenName + description: The first name of the identity. + type: string +- contextPath: IdentityIQ.Identity.manager + description: The account's manager returned from IdentityIQ. + type: string +- contextPath: IdentityIQ.Identity.manager.userName + description: The IdentityIQ username (primary ID) of the identity's manager. + type: string +- contextPath: IdentityIQ.Identity.emails.type + description: Type of the email being returned. + type: string +- contextPath: IdentityIQ.Identity.emails.value + description: The email address of the identity. + type: string +- contextPath: IdentityIQ.Identity.emails.primary + description: Indicates if this email address is the identity's primary email. + type: string +- contextPath: PingOne.Account.ID + description: PingOne account ID. + type: string +- contextPath: PingOne.Account.Username + description: PingOne account username. + type: string +- contextPath: PingOne.Account.DisplayName + description: PingOne account display name. + type: string +- contextPath: PingOne.Account.Email + description: PingOne account email. + type: string +- contextPath: PingOne.Account.Enabled + description: PingOne account enabled status. + type: string +- contextPath: PingOne.Account.CreatedAt + description: PingOne account create date. + type: string +- contextPath: PingOne.Account.UpdatedAt + description: PingOne account updated date. + type: string +- contextPath: Account.PasswordChanged + description: Timestamp for when the user's password was last changed. + type: string +- contextPath: Account.StatusChanged + description: Timestamp for when the user's status was last changed. + type: string +- contextPath: Account.Activated + description: Timestamp for when the user was activated. + type: string +- contextPath: Account.Created + description: Timestamp for when the user was created. + type: string +- contextPath: Account.Status + description: Okta account status. + type: string +- contextPath: Account.Username + description: The user SAM account name. + type: string +- contextPath: Account.Email + description: The user email address. + type: string +- contextPath: Account.ID + description: The user distinguished name. + type: string +- contextPath: ActiveDirectory.Users.dn + description: The user distinguished name. + type: string +- contextPath: ActiveDirectory.Users.displayName + description: The user display name. + type: string +- contextPath: ActiveDirectory.Users.name + description: The user common name. + type: string +- contextPath: ActiveDirectory.Users.userAccountControlFields + description: The user account control fields. + type: string +- contextPath: ActiveDirectory.Users.userAccountControlFields.SCRIPT + description: Whether the login script is run. Works for *Windows Server 2012 R2*. + type: string +- contextPath: ActiveDirectory.Users.userAccountControlFields.ACCOUNTDISABLE + description: Whether the user account is disabled. Works for *Windows Server 2012 + R2*. + type: string +- contextPath: ActiveDirectory.Users.userAccountControlFields.HOMEDIR_REQUIRED + description: Whether the home folder is required. Works for *Windows Server 2012 + R2*. + type: string +- contextPath: ActiveDirectory.Users.userAccountControlFields.LOCKOUT + description: Whether the user is locked out. Works for *Windows Server 2012 R2*. + type: string +- contextPath: ActiveDirectory.Users.userAccountControlFields.PASSWD_NOTREQD + description: Whether the password is required. Works for *Windows Server 2012 R2*. + type: string +- contextPath: ActiveDirectory.Users.userAccountControlFields.PASSWD_CANT_CHANGE + description: Whether the user can change the password. Works for *Windows Server + 2012 R2*. + type: string +- contextPath: ActiveDirectory.Users.userAccountControlFields.ENCRYPTED_TEXT_PWD_ALLOWED + description: Whether the user can send an encrypted password. Works for *Windows + Server 2012 R2*. + type: string +- contextPath: ActiveDirectory.Users.userAccountControlFields.TEMP_DUPLICATE_ACCOUNT + description: Whether this is an account for users whose primary account is in another + domain. Works for *Windows Server 2012 R2*. + type: string +- contextPath: ActiveDirectory.Users.userAccountControlFields.NORMAL_ACCOUNT + description: Whether this is a default account type that represents a typical user. + Works for *Windows Server 2012 R2*. + type: string +- contextPath: ActiveDirectory.Users.userAccountControlFields.INTERDOMAIN_TRUST_ACCOUNT + description: Whether the account is permitted to trust a system domain that trusts + other domains. Works for *Windows Server 2012 R2*. + type: string +- contextPath: ActiveDirectory.Users.userAccountControlFields.WORKSTATION_TRUST_ACCOUNT + description: Whether this is a computer account for a computer running Microsoft + Windows NT 4.0 Workstation, Microsoft Windows NT 4.0 Server, Microsoft Windows + 2000 Professional, or Windows 2000 Server and is a member of this domain. + type: string +- contextPath: Account.Manager + description: The user manager. + type: string +- contextPath: Account.Groups + description: Groups for which the user is a member. + type: string +- contextPath: Account.DisplayName + description: The user display name. + type: string +- contextPath: ActiveDirectory.Users.userAccountControlFields.PARTIAL_SECRETS_ACCOUNT + description: Whether the account is a read-only domain controller (RODC). + type: string +- contextPath: ActiveDirectory.Users.userAccountControlFields.TRUSTED_TO_AUTH_FOR_DELEGATION + description: Whether the account is enabled for delegation. + type: string +- contextPath: ActiveDirectory.Users.userAccountControlFields.DONT_REQ_PREAUTH + description: Whether this account require Kerberos pre-authentication for logging + on. + type: string +- contextPath: ActiveDirectory.Users.userAccountControlFields.USE_DES_KEY_ONLY + description: Whether to restrict this principal to use only Data Encryption Standard + (DES) encryption types for keys. + type: string +- contextPath: ActiveDirectory.Users.userAccountControlFields.NOT_DELEGATED + description: Whether the security context of the user isn't delegated to a service + even if the service account is set as trusted for Kerberos delegation. + type: string +- contextPath: ActiveDirectory.Users.userAccountControlFields.TRUSTED_FOR_DELEGATION + description: Whether the service account (the user or computer account) under which + a service runs is trusted for Kerberos delegation. + type: string +- contextPath: ActiveDirectory.Users.userAccountControlFields.SMARTCARD_REQUIRED + description: Whether to force the user to log in by using a smart card. + type: string +- contextPath: ActiveDirectory.Users.userAccountControlFields.MNS_LOGON_ACCOUNT + description: Whether this is an MNS login account. + type: string +- contextPath: ActiveDirectory.Users.userAccountControlFields.SERVER_TRUST_ACCOUNT + description: Whether this is a computer account for a domain controller that is + a member of this domain. Works for *Windows Server 2012 R2*. + type: string +- contextPath: IAM.Vendor + description: The returning results vendor. + type: string +- contextPath: IAM.Vendor.action + description: The command name. + type: string +- contextPath: IAM.UserProfile + description: The user profile. + type: string +- contextPath: SailPointIdentityNow.Account + description: The IdentityNow account object. + type: string +- contextPath: SailPointIdentityNow.Account.id + description: The IdentityNow internal ID (UUID). + type: string +- contextPath: SailPointIdentityNow.Account.name + description: Name of the identity on this account. + type: string +- contextPath: SailPointIdentityNow.Account.identityId + description: The IdentityNow internal identity ID. + type: string +- contextPath: SailPointIdentityNow.Account.nativeIdentity + description: The IdentityNow internal native identity ID. + type: string +- contextPath: SailPointIdentityNow.Account.sourceId + description: Source ID that maps this account. + type: string +- contextPath: SailPointIdentityNow.Account.created + description: Timestamp when the account was created. + type: string +- contextPath: SailPointIdentityNow.Account.modified + description: Timestamp when the account was last modified. + type: string +- contextPath: SailPointIdentityNow.Account.attributes + description: Map of variable number of attributes unique to this account. + type: string +- contextPath: SailPointIdentityNow.Account.authoritative + description: Indicates whether the account is the true source for this identity. + type: string +- contextPath: SailPointIdentityNow.Account.disabled + description: Indicates whether the account is disabled. + type: string +- contextPath: SailPointIdentityNow.Account.locked + description: Indicates whether the account is locked. + type: string +- contextPath: SailPointIdentityNow.Account.systemAccount + description: Indicates whether the account is a system account. + type: string +- contextPath: SailPointIdentityNow.Account.uncorrelated + description: Indicates whether the account is uncorrelated. + type: string +- contextPath: SailPointIdentityNow.Account.manuallyCorrelated + description: Indicates whether the account was manually correlated. + type: string +- contextPath: SailPointIdentityNow.Account.hasEntitlements + description: Indicates whether the account has entitlement. + type: string +- contextPath: UserManagerEmail + description: The email of the user's manager. + type: string +- contextPath: UserManagerDisplayName + description: The display name of the user's manager. + type: string +- contextPath: MSGraphUser.ID + description: User's ID. + type: string +- contextPath: MSGraphUser.DisplayName + description: User's display name. + type: string +- contextPath: MSGraphUser.GivenName + description: User's given name. + type: string +- contextPath: MSGraphUser.JobTitle + description: User's job title. + type: string +- contextPath: MSGraphUser.Mail + description: User's mail address. + type: string +- contextPath: MSGraphUser.Surname + description: User's surname. + type: string +- contextPath: MSGraphUser.UserPrincipalName + description: User's principal name. + type: string +- contextPath: MSGraphUserManager.Manager.ID + description: Manager's user ID. + type: string +- contextPath: MSGraphUserManager.Manager.DisplayName + description: User's display name. + type: string +- contextPath: MSGraphUserManager.Manager.GivenName + description: User's given name. + type: string +- contextPath: MSGraphUserManager.Manager.Mail + description: User's mail address. + type: string +- contextPath: MSGraphUserManager.Manager.Surname + description: User's surname. + type: string +- contextPath: MSGraphUserManager.Manager.UserPrincipalName + description: User's principal name. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyUser + description: The account object. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyUser.type + description: Form of identification element. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyUser.id + description: Identification value of the type field. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyUser.score + description: The score assigned to the user. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyUser.reasons + description: The account risk objects. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyUser.reasons.date created + description: Date when the incident was created. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyUser.reasons.description + description: Description of the incident. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyUser.reasons.severity + description: The severity of the incident + type: string +- contextPath: PaloAltoNetworksXDR.RiskyUser.reasons.status + description: The incident status + type: string +- contextPath: PaloAltoNetworksXDR.RiskyUser.reasons.points + description: The score. + type: string +- contextPath: ActiveDirectory.Users.userAccountControlFields.DONT_EXPIRE_PASSWORD + description: Whether to never expire the password on the account. + type: string +- contextPath: ActiveDirectory.Users.userAccountControlFields.PASSWORD_EXPIRED + description: Whether the user password expired. + type: string +- contextPath: Account.ManagerEmail + description: The manager email. + type: string +- contextPath: AWS.IAM.Users + description: AWS IAM output. + type: string +- contextPath: AWS.IAM.Users.UserName + description: The friendly name identifying the user. + type: string +- contextPath: AWS.IAM.Users.UserId + description: The stable and unique string identifying the user. + type: string +- contextPath: AWS.IAM.Users.Arn + description: The Amazon Resource Name (ARN) that identifies the user. + type: string +- contextPath: AWS.IAM.Users.CreateDate + description: The date and time when the user was created. + type: string +- contextPath: AWS.IAM.Users.Path + description: The path to the user. + type: string +- contextPath: AWS.IAM.Users.PasswordLastUsed + description: The date and time, when the user's password was last used to sign + in to an AWS website. + type: string +- contextPath: MSGraphUser.MobilePhone + description: User's mobile phone number. + type: string +- contextPath: MSGraphUser.OfficeLocation + description: User's office location. + type: string +- contextPath: Account.JobTitle + description: User’s job title. + type: string +- contextPath: Account.TelephoneNumber + description: User’s mobile phone number. + type: string +- contextPath: Account.Office + description: User’s office location. + type: string +- contextPath: Account.Type + description: The account entity type. + type: string +- contextPath: Account.Email.Address + description: User’s mail address. + type: string +- contextPath: MSGraphUserManager.Manager.BusinessPhones + description: User's business phone numbers. + type: string +- contextPath: MSGraphUser.BusinessPhones + description: User's business phone numbers. + type: string +- contextPath: MSGraphUserManager.Manager.JobTitle + description: User's job title. + type: string +- contextPath: MSGraphUserManager.Manager.MobilePhone + description: User's mobile phone number. + type: string +- contextPath: MSGraphUserManager.Manager.OfficeLocation + description: User's office location. + type: string +sourceplaybookid: Account Enrichment - Generic v2.1 +starttaskid: "0" +tags: +- SOC +- SOC_Framework +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "1" + - "68" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: a6743119-6f7b-4ad2-86f8-d7e6f17415a3 + iscommand: false + name: "" + playbooktaskmissingcomponent: + version: -1 + taskid: a6743119-6f7b-4ad2-86f8-d7e6f17415a3 + timertriggers: [] + type: start + view: |- + { + "position": { + "x": -1080, + "y": -200 + } + } + "1": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: inputs.Username + operator: notContainsGeneral + right: + value: + simple: \ + root: inputs.Username + operator: isExists + right: + value: {} + label: "yes" + continueonerrortype: "" + id: "1" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "3" + "yes": + - "67" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks if there is at least one username to enrich. + id: 7d3036d6-80da-4b4f-8534-c634c6264f50 + iscommand: false + name: Is there an account to enrich (without domain prefix)? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 7d3036d6-80da-4b4f-8534-c634c6264f50 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": -1080, + "y": -7 + } + } + "3": + continueonerrortype: "" + id: "3" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: b5a047e4-ca2a-4881-8a80-de3d0886ea64 + iscommand: false + name: Done + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: b5a047e4-ca2a-4881-8a80-de3d0886ea64 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": -1080, + "y": 1560 + } + } + "4": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: brand + operator: isEqualString + right: + value: + simple: Active Directory Query v2 + - - left: + iscontext: true + value: + simple: state + operator: isEqualString + right: + value: + simple: active + root: modules + operator: isExists + label: "yes" + continueonerrortype: "" + id: "4" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "3" + "yes": + - "5" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks if there’s an active instance of the Active Directory Query + v2 integration enabled. + id: 9b07e7c9-ff70-410d-881c-02389fbf4c1e + iscommand: false + name: Is Active Directory Query v2 enabled? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 9b07e7c9-ff70-410d-881c-02389fbf4c1e + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 230, + "y": 565 + } + } + "5": + continueonerror: true + continueonerrortype: errorPath + id: "5" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "70" + '#none#': + - "53" + note: false + quietmode: 0 + reputationcalc: 1 + scriptarguments: + username: + complex: + root: Usernames + transformers: + - operator: uniq + separatecontext: false + skipunavailable: true + task: + brand: "" + description: Queries Active Directory and returns information for the specified + username. + id: 8ced86cc-67bc-45f8-b78c-f24b260cf615 + iscommand: true + name: Get account info from Active Directory + playbooktaskmissingcomponent: + script: '|||ad-get-user' + type: regular + version: -1 + taskid: 8ced86cc-67bc-45f8-b78c-f24b260cf615 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 230, + "y": 760 + } + } + "9": + continueonerrortype: "" + id: "9" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "18" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 148faf68-5ced-41f4-82c0-f98fa9d82037 + iscommand: false + name: SailPoint IdentityIQ + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 148faf68-5ced-41f4-82c0-f98fa9d82037 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": -640, + "y": 435 + } + } + "11": + continueonerrortype: "" + id: "11" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "20" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 58620334-72c1-4be6-87a2-84ed544c4a8a + iscommand: false + name: PingOne + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 58620334-72c1-4be6-87a2-84ed544c4a8a + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 650, + "y": 435 + } + } + "16": + continueonerrortype: "" + id: "16" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "4" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: b5887cbc-9c89-47ba-8802-86c66ed0c85a + iscommand: false + name: Microsoft Active Directory + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: b5887cbc-9c89-47ba-8802-86c66ed0c85a + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 230, + "y": 435 + } + } + "18": + continueonerrortype: "" + id: "18" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "3" + "yes": + - "29" + note: false + quietmode: 0 + scriptarguments: + brandname: + simple: SailPointIdentityIQ + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Returns 'yes' if the integration brand is available. Otherwise + returns 'no' + id: 93b0d852-2215-4504-8179-64a62951fbcc + iscommand: false + name: Is SailPoint IdentityIQ Integration Enabled? + playbooktaskmissingcomponent: + script: IsIntegrationAvailable + type: condition + version: -1 + taskid: 93b0d852-2215-4504-8179-64a62951fbcc + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": -640, + "y": 565 + } + } + "20": + continueonerrortype: "" + id: "20" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "3" + "yes": + - "31" + note: false + quietmode: 0 + scriptarguments: + brandname: + simple: PingOne + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Returns 'yes' if the integration brand is available. Otherwise + returns 'no' + id: 82adaccd-d799-44ae-85ec-ee4ca516aab6 + iscommand: false + name: Is PingOne Integration Enabled + playbooktaskmissingcomponent: + script: IsIntegrationAvailable + type: condition + version: -1 + taskid: 82adaccd-d799-44ae-85ec-ee4ca516aab6 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 650, + "y": 565 + } + } + "29": + continueonerror: true + continueonerrortype: errorPath + id: "29" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "70" + '#none#': + - "3" + note: false + quietmode: 0 + scriptarguments: + id: + complex: + root: Usernames + transformers: + - operator: uniq + separatecontext: false + skipunavailable: true + task: + brand: SailPointIdentityIQ + description: Search identities by search/filter parameters (ID, email, risk + & active) using IdentityIQ SCIM APIs. + id: ce8794f6-be60-4731-b21f-f519ae6b530f + iscommand: true + name: Get account info from IdentityIQ + playbooktaskmissingcomponent: + script: SailPointIdentityIQ|||identityiq-search-identities + type: regular + version: -1 + taskid: ce8794f6-be60-4731-b21f-f519ae6b530f + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": -640, + "y": 760 + } + } + "31": + continueonerror: true + continueonerrortype: errorPath + id: "31" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "70" + '#none#': + - "3" + note: false + quietmode: 0 + scriptarguments: + username: + complex: + root: Usernames + transformers: + - operator: uniq + separatecontext: false + skipunavailable: true + task: + brand: PingOne + description: Returns a PingOne user. One of the following has to be given - + username or userId. + id: 1ec22e61-e06f-45d3-8134-ea9ebe1117bc + iscommand: true + name: Get account info from PingOne + playbooktaskmissingcomponent: + script: PingOne|||pingone-get-user + type: regular + version: -1 + taskid: 1ec22e61-e06f-45d3-8134-ea9ebe1117bc + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 650, + "y": 760 + } + } + "32": + continueonerrortype: "" + id: "32" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "33" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 4e5ba461-1f35-4898-8f03-940b3e3dd950 + iscommand: false + name: OKTA + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 4e5ba461-1f35-4898-8f03-940b3e3dd950 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 1070, + "y": 435 + } + } + "33": + continueonerrortype: "" + id: "33" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "3" + "yes": + - "34" + note: false + quietmode: 0 + scriptarguments: + brandname: + simple: Okta v2 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Returns 'yes' if the integration brand is available. Otherwise + returns 'no' + id: e0b7f17c-70f7-4330-8f06-c3729e226adb + iscommand: false + name: Is OKTA v2 integration enabled? + playbooktaskmissingcomponent: + script: IsIntegrationAvailable + type: condition + version: -1 + taskid: e0b7f17c-70f7-4330-8f06-c3729e226adb + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 1070, + "y": 565 + } + } + "34": + continueonerror: true + continueonerrortype: errorPath + id: "34" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "70" + '#none#': + - "3" + note: false + quietmode: 0 + scriptarguments: + username: + complex: + root: Usernames + transformers: + - operator: uniq + separatecontext: false + skipunavailable: true + task: + brand: "" + description: Fetches information for a single user. You must enter one or more + parameters for the command to run. + id: 43c12bed-2852-4ae0-be49-0deb0073a779 + iscommand: true + name: Get account info from OKTA v2 + playbooktaskmissingcomponent: + script: '|||okta-get-user' + type: regular + version: -1 + taskid: 43c12bed-2852-4ae0-be49-0deb0073a779 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1070, + "y": 760 + } + } + "42": + continueonerrortype: "" + id: "42" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "43" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: ced5695a-76e7-4f6a-81b8-598925a8ea9d + iscommand: false + name: AWS + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: ced5695a-76e7-4f6a-81b8-598925a8ea9d + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 1490, + "y": 435 + } + } + "43": + continueonerrortype: "" + id: "43" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "3" + "yes": + - "44" + note: false + quietmode: 0 + scriptarguments: + brandname: + simple: AWS - IAM + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Returns 'yes' if the integration brand is available. Otherwise + returns 'no' + id: 0f630de1-9988-461a-883a-6113d3dd6d2a + iscommand: false + name: Is AWS integration enabled? + playbooktaskmissingcomponent: + script: IsIntegrationAvailable + type: condition + version: -1 + taskid: 0f630de1-9988-461a-883a-6113d3dd6d2a + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 1490, + "y": 565 + } + } + "44": + continueonerror: true + continueonerrortype: errorPath + id: "44" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "70" + '#none#': + - "3" + note: false + quietmode: 0 + scriptarguments: + userName: + complex: + root: Usernames + transformers: + - operator: uniq + separatecontext: false + skipunavailable: true + task: + brand: AWS - IAM + description: Retrieves information about the specified IAM user, including the + user's creation date, path, unique ID, and ARN. + id: 52a7785d-4ab4-403e-8620-20756bd71cc1 + iscommand: true + name: Get account info from AWS + playbooktaskmissingcomponent: + script: AWS - IAM|||aws-iam-get-user + type: regular + version: -1 + taskid: 52a7785d-4ab4-403e-8620-20756bd71cc1 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1490, + "y": 760 + } + } + "48": + continueonerrortype: "" + id: "48" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "63" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 4f4d3e42-0ec6-4b22-89b2-0b275eedc3c5 + iscommand: false + name: IAM + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 4f4d3e42-0ec6-4b22-89b2-0b275eedc3c5 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": -1500, + "y": 425 + } + } + "50": + continueonerrortype: "" + id: "50" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "51" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 61ad53d6-a0fd-4e1e-8608-1c8a9596d965 + iscommand: false + name: SailPoint IdentityNow + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 61ad53d6-a0fd-4e1e-8608-1c8a9596d965 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": -200, + "y": 435 + } + } + "51": + continueonerrortype: "" + id: "51" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "3" + "yes": + - "52" + note: false + quietmode: 0 + scriptarguments: + brandname: + simple: SailPointIdentityNow + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Returns 'yes' if the integration brand is available. Otherwise + returns 'no' + id: 21d70bb7-8b40-4f49-80ca-b78cb05b24aa + iscommand: false + name: Is SailPoint IdentityNow integration enabled? + playbooktaskmissingcomponent: + script: IsIntegrationAvailable + type: condition + version: -1 + taskid: 21d70bb7-8b40-4f49-80ca-b78cb05b24aa + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": -200, + "y": 565 + } + } + "52": + continueonerror: true + continueonerrortype: errorPath + id: "52" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "70" + '#none#': + - "3" + note: false + quietmode: 0 + scriptarguments: + name: + complex: + root: Usernames + transformers: + - operator: uniq + separatecontext: false + skipunavailable: true + task: + brand: SailPointIdentityNow + description: Get accounts by search/filter parameters (ID, name, native_identity). + id: c563f279-3529-481b-9a5d-1434947a9dad + iscommand: true + name: Get account info from IdentityNow + playbooktaskmissingcomponent: + script: SailPointIdentityNow|||identitynow-get-accounts + type: regular + version: -1 + taskid: c563f279-3529-481b-9a5d-1434947a9dad + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": -200, + "y": 760 + } + } + "53": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: Account.Manager + operator: isNotEmpty + right: + value: {} + label: "yes" + continueonerrortype: "" + id: "53" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "3" + "yes": + - "54" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Is there a manager? + id: f1700d16-6e63-4a56-8157-42cecfc24657 + iscommand: false + name: Is there a manager? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: f1700d16-6e63-4a56-8157-42cecfc24657 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 230, + "y": 930 + } + } + "54": + continueonerrortype: "" + id: "54" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - "3" + note: false + quietmode: 0 + scriptarguments: + UserEmail: + complex: + accessor: Email + root: Account + transformers: + - operator: uniq + - operator: FirstArrayElement + Username: + complex: + accessor: Username + root: Account + transformers: + - operator: uniq + - operator: FirstArrayElement + separatecontext: true + skipunavailable: true + task: + brand: "" + description: Takes an email address or a username of a user account in Active + Directory, and returns the email address of the user's manager. + id: 06dcf79d-5c65-4a13-be65-d06b2c465038 + iscommand: false + name: Active Directory - Get User Manager Details + playbookId: Active Directory - Get User Manager Details + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: 06dcf79d-5c65-4a13-be65-d06b2c465038 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": -30, + "y": 1100 + } + } + "55": + continueonerrortype: "" + id: "55" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "56" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 285753ae-d884-4485-881c-3a99f77be4d0 + iscommand: false + name: MSGraph Users + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 285753ae-d884-4485-881c-3a99f77be4d0 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 1910, + "y": 435 + } + } + "56": + continueonerrortype: "" + id: "56" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "3" + "yes": + - "57" + note: false + quietmode: 0 + scriptarguments: + brandname: + simple: Microsoft Graph User + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Returns 'yes' if the integration brand is available. Otherwise + returns 'no'. + id: be533930-e327-4945-8fb7-c47ada329a2f + iscommand: false + name: Is Azure Active Directory Users integration enabled? + playbooktaskmissingcomponent: + script: IsIntegrationAvailable + type: condition + version: -1 + taskid: be533930-e327-4945-8fb7-c47ada329a2f + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 1910, + "y": 565 + } + } + "57": + continueonerror: true + continueonerrortype: errorPath + id: "57" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "70" + '#none#': + - "58" + note: false + quietmode: 2 + scriptarguments: + user: + complex: + root: Usernames + separatecontext: false + skipunavailable: true + task: + brand: Microsoft Graph User + description: |- + Retrieves the properties and relationships of a user object. For more information, visit: https://docs.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0). + Permissions: - User.Read (Delegated) - User.Read.All (Application) + id: a21eb31a-bab2-4069-8a3a-fa9f68a1f8b2 + iscommand: true + name: Get account info from Azure Active Directory + playbooktaskmissingcomponent: + script: Microsoft Graph User|||msgraph-user-get + type: regular + version: -1 + taskid: a21eb31a-bab2-4069-8a3a-fa9f68a1f8b2 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1910, + "y": 760 + } + } + "58": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: Account.Manager + operator: isNotEmpty + right: + value: {} + - - left: + iscontext: true + value: + simple: MSGraphUser.ID + operator: isNotEmpty + label: "yes" + continueonerrortype: "" + id: "58" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "3" + "yes": + - "59" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Is there a manager? + id: 56bea608-c34d-4914-8b16-594603971e22 + iscommand: false + name: Is there a manager? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 56bea608-c34d-4914-8b16-594603971e22 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 1910, + "y": 930 + } + } + "59": + continueonerror: true + continueonerrortype: errorPath + id: "59" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "70" + '#none#': + - "60" + note: false + quietmode: 0 + scriptarguments: + user: + complex: + accessor: ID + root: MSGraphUser + separatecontext: false + skipunavailable: true + task: + brand: Microsoft Graph User + description: Retrieves the properties from the manager of a user. + id: fcbb5279-9a7c-4230-a897-1e72796add0e + iscommand: true + name: Azure Active Directory - Get manager details + playbooktaskmissingcomponent: + script: Microsoft Graph User|||msgraph-user-get-manager + type: regular + version: -1 + taskid: fcbb5279-9a7c-4230-a897-1e72796add0e + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1910, + "y": 1220 + } + } + "60": + continueonerrortype: "" + id: "60" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "3" + note: false + quietmode: 0 + scriptarguments: + key: + simple: UserManagerEmail + value: + complex: + accessor: Mail + root: MSGraphUserManager.Manager + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Set a value in context under the key you entered. + id: 83d6879d-694b-4091-84cd-6445167b9c75 + iscommand: false + name: Set manager email address to context + playbooktaskmissingcomponent: + script: Set + type: regular + version: -1 + taskid: 83d6879d-694b-4091-84cd-6445167b9c75 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1910, + "y": 1390 + } + } + "61": + continueonerror: true + continueonerrortype: errorPath + id: "61" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "70" + '#none#': + - "3" + note: false + quietmode: 0 + scriptarguments: + user-profile: + complex: + root: Usernames + transformers: + - operator: Stringify + - args: + action_dt: {} + ignore_case: {} + multi_line: {} + output_format: {} + period_matches_newline: {} + regex: + value: + simple: '[\w.0-9]*\\' + operator: RegexReplace + - args: + prefix: + value: + simple: '{"username":"' + suffix: + value: + simple: '"}' + operator: concat + - operator: uniq + - args: + delimiter: {} + operator: split + separatecontext: false + skipunavailable: true + task: + brand: "" + description: Retrieves a single user resource. + id: 7b64280f-0fa6-48fb-8cce-58ae35c662ae + iscommand: true + name: IAM Get User - Without specifying a domain + playbooktaskmissingcomponent: + script: '|||iam-get-user' + type: regular + version: -1 + taskid: 7b64280f-0fa6-48fb-8cce-58ae35c662ae + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": -1700, + "y": 750 + } + } + "62": + continueonerror: true + continueonerrortype: errorPath + id: "62" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "70" + '#none#': + - "3" + note: false + quietmode: 0 + scriptarguments: + user-profile: + complex: + root: Usernames + transformers: + - args: + action_dt: {} + ignore_case: {} + multi_line: {} + output_format: {} + period_matches_newline: {} + regex: + value: + simple: '[\w.0-9]*\\' + operator: RegexReplace + - args: + prefix: + iscontext: true + suffix: + iscontext: true + value: + simple: inputs.Domain + operator: concat + - args: + prefix: + value: + simple: '{"username":"' + suffix: + value: + simple: '"}' + operator: concat + - operator: uniq + - args: + delimiter: {} + operator: split + separatecontext: false + skipunavailable: true + task: + brand: "" + description: Retrieves a single user resource. + id: 75cd7da4-b58a-4bd0-a146-b3fc058836e1 + iscommand: true + name: IAM Get User - with a domain + playbooktaskmissingcomponent: + script: '|||iam-get-user' + type: regular + version: -1 + taskid: 75cd7da4-b58a-4bd0-a146-b3fc058836e1 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": -1290, + "y": 750 + } + } + "63": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.Domain + operator: isNotEmpty + right: + value: {} + label: "yes" + continueonerrortype: "" + id: "63" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "61" + "yes": + - "62" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Was a domain provided? + id: e3d4077b-a586-494b-86b3-65e1f408c83a + iscommand: false + name: Was a domain provided? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: e3d4077b-a586-494b-86b3-65e1f408c83a + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": -1500, + "y": 570 + } + } + "64": + continueonerrortype: "" + id: "64" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "65" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 30472917-7825-4a09-89d8-b531bf61958c + iscommand: false + name: Cortex XDR + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 30472917-7825-4a09-89d8-b531bf61958c + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 2330, + "y": 435 + } + } + "65": + continueonerrortype: "" + id: "65" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "3" + "yes": + - "66" + note: false + quietmode: 0 + scriptarguments: + brandname: + simple: Cortex XDR - IR + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Returns 'yes' if the integration brand is available. Otherwise + returns 'no' + id: ed860996-40a3-4e32-8c7d-e4a961c6b7d5 + iscommand: false + name: Is Cortex XDR - IR integration enabled? + playbooktaskmissingcomponent: + script: IsIntegrationAvailable + type: condition + version: -1 + taskid: ed860996-40a3-4e32-8c7d-e4a961c6b7d5 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 2330, + "y": 565 + } + } + "66": + continueonerror: true + continueonerrortype: errorPath + id: "66" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "70" + '#none#': + - "3" + note: false + quietmode: 0 + scriptarguments: + user_id: + complex: + root: UsernamesWithDomains + transformers: + - args: + item: + iscontext: true + value: + simple: Usernames + raw: {} + operator: AppendIfNotEmpty + - operator: uniq + separatecontext: false + skipunavailable: true + task: + brand: "" + description: Retrieve the risk score of a specific user or list of users with + the highest risk score in the environment along with the reason affecting + each score. + id: 9c968061-8a6f-4cf1-8647-0e31ce54b4a7 + iscommand: true + name: Get account risk score + playbooktaskmissingcomponent: + script: '|||xdr-list-risky-users' + type: regular + version: -1 + taskid: 9c968061-8a6f-4cf1-8647-0e31ce54b4a7 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 2330, + "y": 760 + } + } + "67": + continueonerrortype: "" + id: "67" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "48" + - "9" + - "50" + - "16" + - "11" + - "32" + - "42" + - "55" + - "64" + note: false + quietmode: 0 + scriptarguments: + key: + simple: Usernames + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: inputs.Username + operator: notContainsGeneral + right: + value: + simple: \ + root: inputs.Username + separatecontext: false + skipunavailable: false + task: + brand: "" + description: "Saves the usernames without domain prefixes under a new context + key.\n\nThis automation runs using the default Limited User role, unless you + explicitly change the permissions.\nFor more information, see the section + about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: 7212ec41-fb6c-4d2b-86c1-140108b79c04 + iscommand: false + name: Save account usernames + playbooktaskmissingcomponent: + script: SetAndHandleEmpty + type: regular + version: -1 + taskid: 7212ec41-fb6c-4d2b-86c1-140108b79c04 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": -1390, + "y": 180 + } + } + "68": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: inputs.Username + operator: containsGeneral + right: + value: + simple: \ + root: inputs.Username + operator: isExists + right: + value: {} + label: "yes" + continueonerrortype: "" + id: "68" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "3" + "yes": + - "69" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks if there is at least one username to enrich. + id: 2524ddf8-40ab-4b7e-8019-8fdf102afc08 + iscommand: false + name: Is there an account to enrich (with domain prefix)? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 2524ddf8-40ab-4b7e-8019-8fdf102afc08 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": -640, + "y": -7 + } + } + "69": + continueonerrortype: "" + id: "69" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "64" + note: false + quietmode: 0 + scriptarguments: + key: + simple: UsernamesWithDomains + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: inputs.Username + operator: containsGeneral + right: + value: + simple: \ + root: inputs.Username + separatecontext: false + skipunavailable: false + task: + brand: "" + description: "Saves the usernames with domain prefixes under a new context key.\n + \nThis automation runs using the default Limited User role, unless you explicitly + change the permissions.\nFor more information, see the section about permissions + here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: 59883712-8f94-4316-870e-21a76ae75517 + iscommand: false + name: Save account usernames with domains + playbooktaskmissingcomponent: + script: SetAndHandleEmpty + type: regular + version: -1 + taskid: 59883712-8f94-4316-870e-21a76ae75517 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 2330, + "y": 190 + } + } + "70": + continueonerrortype: "" + id: "70" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: 92271906-6bfb-4389-82c1-347902dd28e8 + iscommand: false + name: Foundation - Foundation - Error Handling_V3 + playbookId: Foundation - Foundation - Error Handling_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: 92271906-6bfb-4389-82c1-347902dd28e8 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": -670, + "y": 1555 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": { + "18_3_#default#": 0.1, + "1_3_#default#": 0.1, + "20_3_#default#": 0.1, + "33_3_#default#": 0.1, + "43_3_#default#": 0.1, + "4_3_#default#": 0.1, + "51_3_#default#": 0.1, + "56_3_#default#": 0.1, + "58_3_#default#": 0.1, + "65_66_yes": 0.59, + "68_3_#default#": 0.11, + "68_69_yes": 0.11 + }, + "paper": { + "dimensions": { + "height": 1825, + "width": 4410, + "x": -1700, + "y": -200 + } + } + } +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Active_Directory_-_Get_User_Manager_Details.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Active_Directory_-_Get_User_Manager_Details.yml new file mode 100644 index 0000000..35da3ba --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Active_Directory_-_Get_User_Manager_Details.yml @@ -0,0 +1,608 @@ +adopted: true +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 5.0.0 + isoverridable: false + itemVersion: 1.6.56 + packID: "" + packName: Active Directory Query + prevname: "" + supportedModules: + - X1 + - X3 + - X5 + - ENT_PLUS + - agentix + toServerVersion: "" +description: Takes an email address or a username of a user account in Active Directory, + and returns the email address of the user's manager. +dirtyInputs: true +id: 'SOC Active Directory - Get User Manager Details_V3' +inputSections: +- description: Generic group for inputs + inputs: + - Username + - UserEmail + name: General (Inputs group) +inputs: +- description: Search for user by the sAMAccountName attribute in Active Directory. + key: Username + playbookInputQuery: + required: false + value: {} +- description: Search for user by the email attribute in Active Directory. + key: UserEmail + playbookInputQuery: + required: false + value: + complex: + accessor: Email + root: Account + transformers: + - operator: uniq +name: SOC Active Directory - Get User Manager Details_V3 +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: + - UserManagerEmail + - UserManagerDisplayName +outputs: +- contextPath: UserManagerEmail + description: The email of the user's manager. +- contextPath: UserManagerDisplayName + description: The display name of the user's manager. + type: unknown +sourceplaybookid: Active Directory - Get User Manager Details +starttaskid: "0" +tags: +- SOC +- SOC_Framework +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "1" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 65b748f8-8d64-4ff1-8e55-f8050fefa13e + iscommand: false + name: "" + playbooktaskmissingcomponent: + version: -1 + taskid: 65b748f8-8d64-4ff1-8e55-f8050fefa13e + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 450, + "y": 50 + } + } + "1": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: brand + operator: isEqualString + right: + value: + simple: Active Directory Query v2 + - - left: + iscontext: true + value: + simple: state + operator: isEqualString + right: + value: + simple: active + root: modules + operator: isExists + label: "yes" + continueonerrortype: "" + id: "1" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "13" + "yes": + - "2" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks if the Active Directory Query v2 integration is enabled. + id: 9c6dd8f5-91bb-406f-86c3-add4019fba2c + iscommand: false + name: Is Active Directory enabled? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 9c6dd8f5-91bb-406f-86c3-add4019fba2c + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 450, + "y": 180 + } + } + "2": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.UserEmail + transformers: + - operator: uniq + operator: isNotEmpty + label: Email + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.Username + transformers: + - operator: uniq + operator: isNotEmpty + label: Username + continueonerrortype: "" + id: "2" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "13" + Email: + - "5" + Username: + - "4" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: Active Directory Query v2 + description: Retrieves detailed information about a user account. The user can + be specified by name, email address, or as an Active Directory Distinguished + Name (DN). If no filter is specified, all users are returned. + id: c1c98615-ba19-44ef-8aa0-1d50a1ee1c3c + iscommand: false + name: By which attribute should the user be searched? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: c1c98615-ba19-44ef-8aa0-1d50a1ee1c3c + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 450, + "y": 410 + } + } + "4": + continueonerror: true + continueonerrortype: errorPath + id: "4" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "17" + '#none#': + - "6" + note: false + quietmode: 0 + reputationcalc: 1 + scriptarguments: + ignore-outputs: + simple: "false" + username: + complex: + root: inputs.Username + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: Active Directory Query v2 + description: Retrieves detailed information about a user account based on their + username. + id: 1052e99a-83b1-4978-b238-6a50ed63f068 + iscommand: true + name: Get user details by username + playbooktaskmissingcomponent: + script: Active Directory Query v2|||ad-get-user + type: regular + version: -1 + taskid: 1052e99a-83b1-4978-b238-6a50ed63f068 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 220, + "y": 620 + } + } + "5": + continueonerror: true + continueonerrortype: errorPath + id: "5" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "17" + '#none#': + - "6" + note: false + quietmode: 0 + reputationcalc: 1 + scriptarguments: + email: + complex: + root: inputs.UserEmail + ignore-outputs: + simple: "false" + separatecontext: false + skipunavailable: false + task: + brand: Active Directory Query v2 + description: Retrieves detailed information about a user account based on their + email address. + id: fddf5cde-dd7d-4da4-892c-c71ccaf7ead8 + iscommand: true + name: Get user details by email + playbooktaskmissingcomponent: + script: Active Directory Query v2|||ad-get-user + type: regular + version: -1 + taskid: fddf5cde-dd7d-4da4-892c-c71ccaf7ead8 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 670, + "y": 620 + } + } + "6": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: Manager + root: Account + transformers: + - operator: uniq + operator: isNotEmpty + label: "yes" + continueonerrortype: "" + id: "6" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "13" + "yes": + - "7" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks whether a manager name was found for the user account. + id: da7d26a1-d686-4030-80a8-0500e919ec09 + iscommand: false + name: Was a manager found? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: da7d26a1-d686-4030-80a8-0500e919ec09 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 450, + "y": 840 + } + } + "7": + continueonerror: true + continueonerrortype: errorPath + id: "7" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "17" + '#none#': + - "16" + - "10" + note: false + quietmode: 0 + reputationcalc: 3 + scriptarguments: + dn: + complex: + accessor: Manager + root: Account + transformers: + - operator: uniq + extend-context: + simple: ManagerDetails= + ignore-outputs: + simple: "true" + separatecontext: false + skipunavailable: false + task: + brand: Active Directory Query v2 + description: Retrieves detailed information about the user's manager based on + their email or username. + id: 6be04fd9-00d5-45c6-badc-460efeee51cc + iscommand: true + name: Get manager details by user email or username + playbooktaskmissingcomponent: + script: Active Directory Query v2|||ad-get-user + tags: + - active_directory_manager_details + type: regular + version: -1 + taskid: 6be04fd9-00d5-45c6-badc-460efeee51cc + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 450, + "y": 1070 + } + } + "10": + continueonerror: true + continueonerrortype: errorPath + id: "10" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "17" + '#none#': + - "12" + note: false + quietmode: 0 + reputationcalc: 1 + scriptarguments: + key: + simple: UserManagerEmail + value: + complex: + accessor: mail + root: ManagerDetails.attributes + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: "" + description: "Set a value in context under the key you entered. If no value + is entered, the script doesn't do anything.\n\nThis automation runs using + the default Limited User role, unless you explicitly change the permissions.\n + For more information, see the section about permissions here:\n- For Cortex + XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: 0ff49df3-e89d-45ef-9470-6f330da1f19d + iscommand: false + name: Set manager email to outputs + playbooktaskmissingcomponent: + script: SetAndHandleEmpty + type: regular + version: -1 + taskid: 0ff49df3-e89d-45ef-9470-6f330da1f19d + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 660, + "y": 1290 + } + } + "12": + continueonerrortype: "" + id: "12" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: cd103324-58ed-4ef2-8de4-ed223a0831c0 + iscommand: false + name: Done + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: cd103324-58ed-4ef2-8de4-ed223a0831c0 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 450, + "y": 1500 + } + } + "13": + continueonerrortype: "" + id: "13" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "12" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 82beca2e-d6ae-43f2-8dbc-60d72893585c + iscommand: false + name: Cannot Retrieve Manager Email + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 82beca2e-d6ae-43f2-8dbc-60d72893585c + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 1370, + "y": 1120 + } + } + "16": + continueonerror: true + continueonerrortype: errorPath + id: "16" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "17" + '#none#': + - "12" + note: false + quietmode: 0 + reputationcalc: 1 + scriptarguments: + key: + simple: UserManagerDisplayName + value: + complex: + accessor: displayName + root: ManagerDetails.attributes + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks if the specified value exists in context. If the value exists, + it will be set in context, otherwise no value will be set in context. + id: 2d85cfd8-8c13-441d-a550-a17099a55ea0 + iscommand: false + name: Set manager display name to outputs + playbooktaskmissingcomponent: + script: SetAndHandleEmpty + type: regular + version: -1 + taskid: 2d85cfd8-8c13-441d-a550-a17099a55ea0 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 230, + "y": 1290 + } + } + "17": + continueonerrortype: "" + id: "17" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: 29387c43-9504-4bdc-8e9d-c6a0fdbb2356 + iscommand: false + name: Foundation - Foundation - Error Handling_V3 + playbookId: Foundation - Foundation - Error Handling_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: 29387c43-9504-4bdc-8e9d-c6a0fdbb2356 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": -280, + "y": 1495 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": { + "1_13_#default#": 0.3, + "1_2_yes": 0.58, + "2_13_#default#": 0.35, + "2_4_Username": 0.78, + "2_5_Email": 0.7, + "6_13_#default#": 0.5, + "6_7_yes": 0.47 + }, + "paper": { + "dimensions": { + "height": 1515, + "width": 2030, + "x": -280, + "y": 50 + } + } + } +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_Account_-_Generic_v2.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_Account_-_Generic_v2.yml new file mode 100644 index 0000000..c04d7a8 --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_Account_-_Generic_v2.yml @@ -0,0 +1,3287 @@ +fromversion: 5.0.0 +id: SSOC Block Account - Generic v2_V3 +version: 1 +contentitemexportablefields: + contentitemfields: + packID: "" + packName: Common Playbooks + itemVersion: 2.7.14 + fromServerVersion: 6.5.0 + toServerVersion: "" + definitionid: "" + prevname: "" + isoverridable: false + supportedModules: [] +vcShouldKeepItemLegacyProdMachine: false +name: SSOC Block Account - Generic v2_V3 +description: |- + This playbook blocks malicious usernames using all integrations that you have enabled. + + Supported integrations for this playbook: + * Active Directory + * PAN-OS - This requires PAN-OS 9.1 or higher. + * SailPoint + * PingOne + * AWS IAM + * Clarizen IAM + * Envoy IAM + * ExceedLMS IAM + * Okta + * Microsoft Graph User (Azure Active Directory Users) + * Google Workspace Admin + * Slack IAM + * ServiceNow IAM + * Prisma Cloud IAM + * Zoom IAM + * Atlassian IAM + * GitHub IAM. +tags: +- SOC +- SOC_Framework +starttaskid: "0" +tasks: + "0": + id: "0" + taskid: cc38d57c-1f3a-4616-8fc3-b3d5b2beefb3 + type: start + task: + id: cc38d57c-1f3a-4616-8fc3-b3d5b2beefb3 + version: -1 + name: "" + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#none#': + - "8" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -1700, + "y": -1450 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "2": + id: "2" + taskid: 78bcaa68-2a3d-4805-8e25-1bee31249d8f + type: title + task: + id: 78bcaa68-2a3d-4805-8e25-1bee31249d8f + version: -1 + name: Done + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -1040, + "y": 1660 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "5": + id: "5" + taskid: df7e57df-4f26-4b41-8552-0d4068792d13 + type: title + task: + id: df7e57df-4f26-4b41-8552-0d4068792d13 + version: -1 + name: Block accounts + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#none#': + - "17" + - "18" + - "19" + - "20" + - "21" + - "22" + - "23" + - "25" + - "24" + - "54" + - "56" + - "58" + - "60" + - "66" + - "68" + - "71" + - "64" + - "73" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -1960, + "y": 410 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "8": + id: "8" + taskid: 84a222c3-d83f-4d9c-8f75-605f9c1cd233 + type: condition + task: + id: 84a222c3-d83f-4d9c-8f75-605f9c1cd233 + version: -1 + name: Is there a username to block? + description: Verify that the playbook input includes at least one username to + block. + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#default#': + - "39" + "yes": + - "38" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: inputs.Username + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": -1700, + "y": -1260 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "15": + id: "15" + taskid: f5a0276b-741e-4f8a-a129-6a90be21d226 + type: regular + task: + id: f5a0276b-741e-4f8a-a129-6a90be21d226 + version: -1 + name: PAN-OS - Register Tag to User + description: Registers users to a tag. This command is only available for PAN-OS + version 9.x and above. + script: Panorama|||pan-os-register-user-tag + type: regular + iscommand: true + brand: Panorama + playbooktaskmissingcomponent: null + nexttasks: + '#error#': + - "80" + '#none#': + - "2" + scriptarguments: + Users: + complex: + root: Blocklist + accessor: Final + tag: + complex: + root: inputs.Tag + separatecontext: false + continueonerror: true + continueonerrortype: errorPath + view: |- + { + "position": { + "x": 2520, + "y": 1280 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "16": + id: "16" + taskid: 134ffe20-63fc-486a-8a79-685e3d206ae8 + type: condition + task: + id: 134ffe20-63fc-486a-8a79-685e3d206ae8 + version: -1 + name: Is there a Tag name to register? + description: Verify that the playbook input includes at least one tag to apply + to the user. + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#default#': + - "2" + "yes": + - "91" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: inputs.Tag + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 2700, + "y": 910 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "17": + id: "17" + taskid: dd28a21a-8e77-4e94-8ebd-6b4dd2a40907 + type: title + task: + id: dd28a21a-8e77-4e94-8ebd-6b4dd2a40907 + version: -1 + name: OKTA + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#none#': + - "26" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -1960, + "y": 555 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "18": + id: "18" + taskid: 253e9206-6499-4698-81bc-4f6b405723e9 + type: title + task: + id: 253e9206-6499-4698-81bc-4f6b405723e9 + version: -1 + name: SailPoint + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#none#': + - "27" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 640, + "y": 555 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "19": + id: "19" + taskid: 4665f43b-c357-46ab-8658-1f5307d73e34 + type: title + task: + id: 4665f43b-c357-46ab-8658-1f5307d73e34 + version: -1 + name: AWS IAM + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#none#': + - "28" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -220, + "y": 555 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "20": + id: "20" + taskid: 9f3e4789-ef65-4d8b-8142-b931aca2d1b8 + type: title + task: + id: 9f3e4789-ef65-4d8b-8142-b931aca2d1b8 + version: -1 + name: PingOne + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#none#': + - "29" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 210, + "y": 555 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "21": + id: "21" + taskid: 5af0265d-f69a-47ef-8fdd-8be726ab8812 + type: title + task: + id: 5af0265d-f69a-47ef-8fdd-8be726ab8812 + version: -1 + name: Clarizen IAM + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#none#': + - "30" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -640, + "y": 555 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "22": + id: "22" + taskid: 8170d464-f524-484a-8578-d2d5c6b44c24 + type: title + task: + id: 8170d464-f524-484a-8578-d2d5c6b44c24 + version: -1 + name: Envoy IAM + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#none#': + - "31" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -1070, + "y": 555 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "23": + id: "23" + taskid: 9426248c-bc57-4e2a-898c-333c705fe7c9 + type: title + task: + id: 9426248c-bc57-4e2a-898c-333c705fe7c9 + version: -1 + name: ExceedLMS IAM + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#none#': + - "32" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -1500, + "y": 555 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "24": + id: "24" + taskid: e3d46f19-bf96-4280-887d-c746b0e95976 + type: title + task: + id: e3d46f19-bf96-4280-887d-c746b0e95976 + version: -1 + name: PAN-OS + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#none#': + - "36" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 2700, + "y": 555 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "25": + id: "25" + taskid: 00761e97-8a6e-48f4-85fb-d894509a2c17 + type: title + task: + id: 00761e97-8a6e-48f4-85fb-d894509a2c17 + version: -1 + name: Microsoft Active Directory + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#none#': + - "37" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1060, + "y": 555 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "26": + id: "26" + taskid: ca29fc92-0b56-4eca-8fb4-285bf732a419 + type: condition + task: + id: ca29fc92-0b56-4eca-8fb4-285bf732a419 + version: -1 + name: Is OKTA Integration Enabled? + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no' + scriptName: IsIntegrationAvailable + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#default#': + - "2" + "yes": + - "81" + scriptarguments: + brandname: + simple: Okta IAM + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -1960, + "y": 715 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "27": + id: "27" + taskid: 692fc977-5dff-49fa-8ef9-4c0c53979786 + type: condition + task: + id: 692fc977-5dff-49fa-8ef9-4c0c53979786 + version: -1 + name: Is SailPoint Integration Enabled? + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no' + scriptName: IsIntegrationAvailable + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#default#': + - "2" + "yes": + - "75" + scriptarguments: + brandname: + simple: SailPointIdentityIQ + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 640, + "y": 715 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "28": + id: "28" + taskid: c00031c8-63dc-447a-8064-458b8b89c0b9 + type: condition + task: + id: c00031c8-63dc-447a-8064-458b8b89c0b9 + version: -1 + name: Is AWS IAM Integration Enabled? + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no' + scriptName: IsIntegrationAvailable + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#default#': + - "2" + "yes": + - "81" + scriptarguments: + brandname: + simple: AWS - IAM + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -220, + "y": 715 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "29": + id: "29" + taskid: 1dfdb5b5-b388-49f8-8778-b631675b5228 + type: condition + task: + id: 1dfdb5b5-b388-49f8-8778-b631675b5228 + version: -1 + name: Is PingOne Integration Enabled + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no' + scriptName: IsIntegrationAvailable + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#default#': + - "2" + "yes": + - "83" + scriptarguments: + brandname: + simple: PingOne + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 210, + "y": 715 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "30": + id: "30" + taskid: 1e40e759-f2e0-46f7-8c4c-e6c305ada2fe + type: condition + task: + id: 1e40e759-f2e0-46f7-8c4c-e6c305ada2fe + version: -1 + name: Is ClarizenIAM Integration Enabled? + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no' + scriptName: IsIntegrationAvailable + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#default#': + - "2" + "yes": + - "81" + scriptarguments: + brandname: + simple: ClarizenIAM + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -640, + "y": 715 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "31": + id: "31" + taskid: e69ec334-a883-4519-8b53-2d12a380819d + type: condition + task: + id: e69ec334-a883-4519-8b53-2d12a380819d + version: -1 + name: Is Envoy IAM Integration Enabled? + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no' + scriptName: IsIntegrationAvailable + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#default#': + - "2" + "yes": + - "81" + scriptarguments: + brandname: + simple: Envoy IAM + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -1070, + "y": 715 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "32": + id: "32" + taskid: d7750a59-552e-4fbe-8d72-6a0dbf2c50b2 + type: condition + task: + id: d7750a59-552e-4fbe-8d72-6a0dbf2c50b2 + version: -1 + name: Is ExceedLMS IAM Integration Enabled? + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no' + scriptName: IsIntegrationAvailable + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#default#': + - "2" + "yes": + - "81" + scriptarguments: + brandname: + simple: ExceedLMS IAM + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -1500, + "y": 715 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "33": + id: "33" + taskid: f3afa983-9d12-4f8a-89eb-70e0ffbac1b7 + type: regular + task: + id: f3afa983-9d12-4f8a-89eb-70e0ffbac1b7 + version: -1 + name: IAM Disable User + description: Disable an active user. + script: '|||iam-disable-user' + type: regular + iscommand: true + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#error#': + - "80" + '#none#': + - "2" + scriptarguments: + user-profile: + simple: ${Blocklist.Final} + separatecontext: false + continueonerror: true + continueonerrortype: errorPath + view: |- + { + "position": { + "x": -1260, + "y": 1220 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "34": + id: "34" + taskid: 1d25df3a-4ff2-4e85-93ae-435a6b346b06 + type: regular + task: + id: 1d25df3a-4ff2-4e85-93ae-435a6b346b06 + version: -1 + name: PingOne - Deactivate user + description: Deactivate a user's account. + script: PingOne|||pingone-deactivate-user + type: regular + iscommand: true + brand: PingOne + playbooktaskmissingcomponent: null + nexttasks: + '#error#': + - "80" + '#none#': + - "2" + scriptarguments: + username: + complex: + root: Blocklist + accessor: Final + separatecontext: false + continueonerror: true + continueonerrortype: errorPath + view: |- + { + "position": { + "x": -440, + "y": 1190 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "35": + id: "35" + taskid: 24dbd242-88dc-4d46-808a-baa9acff55f1 + type: regular + task: + id: 24dbd242-88dc-4d46-808a-baa9acff55f1 + version: -1 + name: SailPoint-Disable account + description: Disable account's active status by id using IdentityIQ SCIM API's. + script: SailPointIdentityIQ|||identityiq-disable-account + type: regular + iscommand: true + brand: SailPointIdentityIQ + playbooktaskmissingcomponent: null + nexttasks: + '#error#': + - "80" + '#none#': + - "2" + scriptarguments: + id: + complex: + root: IdentityIQ.Account + accessor: id + separatecontext: false + continueonerror: true + continueonerrortype: errorPath + view: |- + { + "position": { + "x": 120, + "y": 1470 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "36": + id: "36" + taskid: 90a2adf8-4f57-4b53-896d-44bddd4d064c + type: condition + task: + id: 90a2adf8-4f57-4b53-896d-44bddd4d064c + version: -1 + name: Is PAN-OS/Panorama Integration Enabled? + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no' + scriptName: IsIntegrationAvailable + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#default#': + - "2" + "yes": + - "16" + scriptarguments: + brandname: + simple: Panorama + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 2700, + "y": 735 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "37": + id: "37" + taskid: e31ad79c-5806-41f0-839b-f896c860d3cc + type: condition + task: + id: e31ad79c-5806-41f0-839b-f896c860d3cc + version: -1 + name: Is Active Directory Integration Enabled? + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no' + scriptName: IsIntegrationAvailable + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#default#': + - "2" + "yes": + - "76" + scriptarguments: + brandname: + simple: Active Directory Query v2 + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1060, + "y": 715 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "38": + id: "38" + taskid: c34085c0-1974-4153-8f36-fb22e4ba0c4e + type: condition + task: + id: c34085c0-1974-4153-8f36-fb22e4ba0c4e + version: -1 + name: Is User Verification Required? + description: Check if manual verification is required before block + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#default#': + - "47" + "yes": + - "40" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isEqualString + left: + value: + simple: inputs.UserVerification + iscontext: true + right: + value: + simple: "True" + ignorecase: true + continueonerrortype: "" + view: |- + { + "position": { + "x": -1700, + "y": -1050 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "39": + id: "39" + taskid: eda8a397-b0f5-4cb8-85a6-804bbbf59244 + type: title + task: + id: eda8a397-b0f5-4cb8-85a6-804bbbf59244 + version: -1 + name: No User to be blocked + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#none#': + - "2" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -5370, + "y": 1105 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "40": + id: "40" + taskid: 90c4e379-c164-495b-8bd0-74e807433506 + type: regular + task: + id: 90c4e379-c164-495b-8bd0-74e807433506 + version: -1 + name: Set Naming Convention to a key + description: "Set a value in context under the key you entered. If no value + is entered, the script doesn't do anything.\n\nThis automation runs using + the default Limited User role, unless you explicitly change the permissions.\nFor + more information, see the section about permissions here:\n- For Cortex XSOAR + 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- + For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + scriptName: SetAndHandleEmpty + type: regular + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#none#': + - "42" + scriptarguments: + append: + simple: "true" + key: + simple: checks.common + value: + complex: + root: inputs.NamingConvention + transformers: + - operator: replace + args: + limit: {} + replaceWith: {} + toReplace: + value: + simple: ' ' + - operator: split + args: + delimiter: + value: + simple: ',' + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -2230, + "y": -880 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "41": + id: "41" + taskid: 603550b4-89d3-4df1-84d9-1eb2951e0871 + type: regular + task: + id: 603550b4-89d3-4df1-84d9-1eb2951e0871 + version: -1 + name: Identify Potential Sensitive Users + description: "Set a value in context under the key you entered. If no value + is entered, the script doesn't do anything.\n\nThis automation runs using + the default Limited User role, unless you explicitly change the permissions.\nFor + more information, see the section about permissions here:\n- For Cortex XSOAR + 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- + For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + scriptName: SetAndHandleEmpty + type: regular + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#none#': + - "45" + - "43" + scriptarguments: + key: + simple: Blocklist.Sensitive + value: + complex: + root: Blocklist.Potential + filters: + - - operator: StringContainsArray + left: + value: + simple: Blocklist.Potential + iscontext: true + right: + value: + simple: checks.common + iscontext: true + ignorecase: true + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -2230, + "y": -560 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "42": + id: "42" + taskid: 93dc1c23-81e4-40fd-8f62-9f4290882421 + type: regular + task: + id: 93dc1c23-81e4-40fd-8f62-9f4290882421 + version: -1 + name: Set User to a potential block list + description: "Set a value in context under the key you entered. If no value + is entered, the script doesn't do anything.\n\nThis automation runs using + the default Limited User role, unless you explicitly change the permissions.\nFor + more information, see the section about permissions here:\n- For Cortex XSOAR + 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- + For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + scriptName: SetAndHandleEmpty + type: regular + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#none#': + - "41" + scriptarguments: + key: + simple: Blocklist.Potential + value: + complex: + root: inputs.Username + transformers: + - operator: split + args: + delimiter: + value: + simple: ',' + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -2230, + "y": -720 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "43": + id: "43" + taskid: 39b3cf6c-5757-447b-8188-9ead6e21a445 + type: condition + task: + id: 39b3cf6c-5757-447b-8188-9ead6e21a445 + version: -1 + name: Check if there are any sensitive users to block + description: Check if there are any sensitive users to block + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#default#': + - "45" + "yes": + - "44" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isExists + left: + value: + simple: Blocklist.Sensitive + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": -2670, + "y": -390 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "44": + id: "44" + taskid: 6ab46eeb-8460-44ab-8b96-0c6a35e38581 + type: collection + task: + id: 6ab46eeb-8460-44ab-8b96-0c6a35e38581 + version: -1 + name: Ask the user for verification [Sensitive Users] + description: |- + Please note that in this form there are serval accounts that are listed as "Sensitive Accounts": + ${User.Sensetive} + type: collection + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#none#': + - "52" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -2670, + "y": -190 + } + } + note: false + timertriggers: [] + ignoreworker: false + message: + to: + simple: Analyst + subject: + simple: Block Sensitive Account - User Verification Form + body: + simple: | +

Dear XSOAR user,

+

This notification informs you that the following list of sensitive accounts will be blocked on your XSOAR's integrated IDP/IAM devices.

+


(Note: the Accounts will be set to disabled on those XSOAR integrated devices).

+

Also, please note that the following accounts are listed as "Sensitive Accounts" based on a naming convention mentioned in the playbook:

+

${Blocklist.Sensitive}

+

 

+

For more information, click the link below.

+ methods: + - email + format: html + bcc: null + cc: null + timings: + retriescount: 2 + retriesinterval: 360 + completeafterreplies: 1 + completeafterv2: true + completeaftersla: false + form: + questions: + - id: "0" + label: "" + labelarg: + simple: 'Sensitive Users:' + required: false + gridcolumns: [] + defaultrows: [] + type: multiSelect + options: [] + optionsarg: + - simple: ${Blocklist.Sensitive} + fieldassociated: "" + placeholder: "" + tooltip: "" + readonly: false + title: 'Which sensitive users you would like to Block? Choose from the following + lists :' + description: "" + sender: "" + expired: false + totalanswers: 0 + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "45": + id: "45" + taskid: 4d484404-eefc-4cf6-8f56-abdae89d61e6 + type: collection + task: + id: 4d484404-eefc-4cf6-8f56-abdae89d61e6 + version: -1 + name: Ask the user for verification [without Sensitive Users] + description: |- + Please note that in this form there are serval accounts that are listed as "Sensitive Accounts": + ${User.Sensetive} + type: collection + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#none#': + - "52" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -2230, + "y": -190 + } + } + note: false + timertriggers: [] + ignoreworker: false + message: + to: + simple: Analyst + subject: + simple: Block Account - User Verification Form + body: + simple: | +

Dear XSOAR user,

+

This notification informs you that the following list of accounts will be blocked on your XSOAR's integrated IDP/IAM devices.

+


(Note: the Accounts will be set to disabled on those XSOAR integrated devices).

+

 

+

For more information, click the link below.

+ methods: + - email + format: html + bcc: null + cc: null + timings: + retriescount: 2 + retriesinterval: 360 + completeafterreplies: 1 + completeafterv2: false + completeaftersla: false + form: + questions: + - id: "0" + label: "" + labelarg: + simple: 'Users to be blocked:' + required: false + gridcolumns: [] + defaultrows: [] + type: multiSelect + options: [] + optionsarg: + - complex: + root: Blocklist + accessor: Potential + fieldassociated: "" + placeholder: "" + tooltip: "" + readonly: false + title: 'Which Users you would like to Block? Choose from the following lists + :' + description: "" + sender: "" + expired: false + totalanswers: 0 + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "46": + id: "46" + taskid: 9e174bd8-73a8-46ef-8a56-138a1cac0b61 + type: regular + task: + id: 9e174bd8-73a8-46ef-8a56-138a1cac0b61 + version: -1 + name: Set the final accounts list to be blocked + description: "Set a value in context under the key you entered. If no value + is entered, the script doesn't do anything.\n\nThis automation runs using + the default Limited User role, unless you explicitly change the permissions.\nFor + more information, see the section about permissions here:\n- For Cortex XSOAR + 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- + For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + scriptName: SetAndHandleEmpty + type: regular + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#none#': + - "5" + scriptarguments: + append: + simple: "true" + key: + simple: Blocklist.Final + value: + complex: + root: ${Which Users you would like to Block? Choose from the following + lists :.Answers + accessor: 0} + transformers: + - operator: append + args: + item: + value: + simple: Which sensitive users you would like to Block? Choose from + the following lists :.Answers.0 + iscontext: true + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -2230, + "y": 170 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "47": + id: "47" + taskid: f97632fd-1653-4fda-8222-e8dbe5c36646 + type: regular + task: + id: f97632fd-1653-4fda-8222-e8dbe5c36646 + version: -1 + name: Set the final accounts list to be blocked + description: "Set a value in context under the key you entered. If no value + is entered, the script doesn't do anything.\n\nThis automation runs using + the default Limited User role, unless you explicitly change the permissions.\nFor + more information, see the section about permissions here:\n- For Cortex XSOAR + 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- + For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + scriptName: SetAndHandleEmpty + type: regular + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#none#': + - "5" + scriptarguments: + append: + simple: "true" + key: + simple: Blocklist.Final + value: + complex: + root: inputs.Username + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -1700, + "y": 170 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "48": + id: "48" + taskid: de4b5f67-0713-4a24-933e-5ff0400428a7 + type: regular + task: + id: de4b5f67-0713-4a24-933e-5ff0400428a7 + version: -1 + name: Active Directory - Disable Account + description: Disables an Active Directory user account. + script: Active Directory Query v2|||ad-disable-account + type: regular + iscommand: true + brand: Active Directory Query v2 + playbooktaskmissingcomponent: null + nexttasks: + '#error#': + - "80" + '#none#': + - "2" + scriptarguments: + username: + complex: + root: UserAD + separatecontext: false + continueonerror: true + continueonerrortype: errorPath + view: |- + { + "position": { + "x": 950, + "y": 1470 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "52": + id: "52" + taskid: 64ddf917-048c-444b-8fea-b9529a3ad0b3 + type: condition + task: + id: 64ddf917-048c-444b-8fea-b9529a3ad0b3 + version: -1 + name: Is Username selected? + description: Check if the analyst selected any users to block + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#default#': + - "39" + "yes": + - "46" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: Which Users you would like to Block? Choose from the following + lists :.Answers.0 + iscontext: true + right: + value: {} + - operator: isNotEmpty + left: + value: + simple: Which sensitive users you would like to Block? Choose from + the following lists :.Answers.0 + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": -2230, + "y": -10 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "53": + id: "53" + taskid: 8791822e-5e1e-4b28-82d9-a822aa17108d + type: condition + task: + id: 8791822e-5e1e-4b28-82d9-a822aa17108d + version: -1 + name: Is Slack IAM Integration Enabled? + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no' + scriptName: IsIntegrationAvailable + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#default#': + - "2" + "yes": + - "81" + scriptarguments: + brandname: + simple: Slack IAM + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -2410, + "y": 715 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "54": + id: "54" + taskid: e2aaa6e8-de1f-4399-8e89-2321fe4fa030 + type: title + task: + id: e2aaa6e8-de1f-4399-8e89-2321fe4fa030 + version: -1 + name: Slack IAM + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#none#': + - "53" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -2410, + "y": 555 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "55": + id: "55" + taskid: e8b7f7a8-2b9c-44ef-8eff-ceb494799432 + type: condition + task: + id: e8b7f7a8-2b9c-44ef-8eff-ceb494799432 + version: -1 + name: Is ServiceNow IAM Integration Enabled? + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no' + scriptName: IsIntegrationAvailable + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#default#': + - "2" + "yes": + - "81" + scriptarguments: + brandname: + simple: ServiceNow IAM + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -2840, + "y": 715 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "56": + id: "56" + taskid: 6a694bcc-610d-46c4-8d22-dec644076b78 + type: title + task: + id: 6a694bcc-610d-46c4-8d22-dec644076b78 + version: -1 + name: ServiceNow IAM + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#none#': + - "55" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -2840, + "y": 555 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "57": + id: "57" + taskid: 6345f42c-51a8-401f-8099-ecea5a0403c4 + type: condition + task: + id: 6345f42c-51a8-401f-8099-ecea5a0403c4 + version: -1 + name: Is Salesforce IAM Integration Enabled? + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no' + scriptName: IsIntegrationAvailable + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#default#': + - "2" + "yes": + - "81" + scriptarguments: + brandname: + simple: Salesforce IAM + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -3260, + "y": 715 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "58": + id: "58" + taskid: dba2b9c1-cb47-41a9-8386-1de15a47de2d + type: title + task: + id: dba2b9c1-cb47-41a9-8386-1de15a47de2d + version: -1 + name: Salesforce IAM + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#none#': + - "57" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -3260, + "y": 555 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "59": + id: "59" + taskid: c6cb894b-65a5-4e85-87f4-debe4d8cdbfe + type: condition + task: + id: c6cb894b-65a5-4e85-87f4-debe4d8cdbfe + version: -1 + name: Is PrismaCloud IAM Integration Enabled? + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no' + scriptName: IsIntegrationAvailable + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#default#': + - "2" + "yes": + - "81" + scriptarguments: + brandname: + simple: PrismaCloud IAM + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -3690, + "y": 715 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "60": + id: "60" + taskid: de7c1b4f-0ecc-4782-8346-50b679dac66b + type: title + task: + id: de7c1b4f-0ecc-4782-8346-50b679dac66b + version: -1 + name: PrismaCloud IAM + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#none#': + - "59" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -3690, + "y": 555 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "63": + id: "63" + taskid: 1a19cd62-eafa-4b66-80aa-b397a439f52c + type: condition + task: + id: 1a19cd62-eafa-4b66-80aa-b397a439f52c + version: -1 + name: Is Microsoft Graph User Integration Enabled? + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no' + scriptName: IsIntegrationAvailable + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#default#': + - "2" + "yes": + - "78" + scriptarguments: + brandname: + simple: Microsoft Graph User + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1480, + "y": 715 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "64": + id: "64" + taskid: 31d15f37-d89d-4d09-8009-2a60c76d0b5e + type: title + task: + id: 31d15f37-d89d-4d09-8009-2a60c76d0b5e + version: -1 + name: Microsoft Graph User + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#none#': + - "63" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1480, + "y": 555 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "65": + id: "65" + taskid: 31592372-486c-4648-8376-8889941df6c8 + type: condition + task: + id: 31592372-486c-4648-8376-8889941df6c8 + version: -1 + name: Is Zoom IAM Integration Enabled? + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no' + scriptName: IsIntegrationAvailable + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#default#': + - "2" + "yes": + - "81" + scriptarguments: + brandname: + simple: Zoom_IAM + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -4120, + "y": 715 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "66": + id: "66" + taskid: b98574a0-93fc-423b-87e1-bf888db3881a + type: title + task: + id: b98574a0-93fc-423b-87e1-bf888db3881a + version: -1 + name: Zoom IAM + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#none#': + - "65" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -4120, + "y": 555 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "67": + id: "67" + taskid: deb7235b-0e73-4aa7-8e3e-2b07ad73daf9 + type: condition + task: + id: deb7235b-0e73-4aa7-8e3e-2b07ad73daf9 + version: -1 + name: Is Atlassian IAM Integration Enabled? + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no' + scriptName: IsIntegrationAvailable + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#default#': + - "2" + "yes": + - "81" + scriptarguments: + brandname: + simple: Atlassian IAM + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -4550, + "y": 715 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "68": + id: "68" + taskid: 5e5c6e1e-8c3a-42b8-85bd-3646e9b01531 + type: title + task: + id: 5e5c6e1e-8c3a-42b8-85bd-3646e9b01531 + version: -1 + name: Atlassian IAM + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#none#': + - "67" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -4550, + "y": 555 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "69": + id: "69" + taskid: cb58e6b2-a32f-4fc2-ba81-b4f0720441be + type: regular + task: + id: cb58e6b2-a32f-4fc2-ba81-b4f0720441be + version: -1 + name: Microsoft Graph User - Disable Account + description: |- + Disables a user from all Office 365 applications, and prevents sign in. Note: This command disables user, + but does not terminate an existing session. Supported only in a self deployed app flow with the + Permission: Directory.AccessAsUser.All(Delegated) + script: Microsoft Graph User|||msgraph-user-account-disable + type: regular + iscommand: true + brand: Microsoft Graph User + playbooktaskmissingcomponent: null + nexttasks: + '#error#': + - "80" + '#none#': + - "2" + scriptarguments: + user: + complex: + root: UserMSGraph + separatecontext: false + continueonerror: true + continueonerrortype: errorPath + view: |- + { + "position": { + "x": 1760, + "y": 1470 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "70": + id: "70" + taskid: 909312b6-5f6e-451c-83dd-a00e31c49197 + type: condition + task: + id: 909312b6-5f6e-451c-83dd-a00e31c49197 + version: -1 + name: Is GitHub IAM Integration Enabled? + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no' + scriptName: IsIntegrationAvailable + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#default#': + - "2" + "yes": + - "81" + scriptarguments: + brandname: + simple: GitHub IAM + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -4970, + "y": 715 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "71": + id: "71" + taskid: 4f6321ef-dfb9-41fd-8a72-61bea5cff007 + type: title + task: + id: 4f6321ef-dfb9-41fd-8a72-61bea5cff007 + version: -1 + name: GitHub IAM + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#none#': + - "70" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -4970, + "y": 555 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "72": + id: "72" + taskid: a274143d-2455-4679-8064-41a6cc01e1be + type: condition + task: + id: a274143d-2455-4679-8064-41a6cc01e1be + version: -1 + name: Is Google Workspace Admin Integration Enabled? + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no' + scriptName: IsIntegrationAvailable + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#default#': + - "2" + "yes": + - "93" + scriptarguments: + brandname: + simple: GSuiteAdmin + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1900, + "y": 715 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "73": + id: "73" + taskid: fa1e6574-7969-4b44-8593-b2244060cebe + type: title + task: + id: fa1e6574-7969-4b44-8593-b2244060cebe + version: -1 + name: Google Workspace Admin + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#none#': + - "72" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1900, + "y": 555 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "74": + id: "74" + taskid: 4b7d31c1-6339-4d9f-8d1a-3ff4abe20efb + type: regular + task: + id: 4b7d31c1-6339-4d9f-8d1a-3ff4abe20efb + version: -1 + name: Google Workspace Admin - Disable Account + description: Updates a user. + script: GSuiteAdmin|||gsuite-user-update + type: regular + iscommand: true + brand: GSuiteAdmin + playbooktaskmissingcomponent: null + nexttasks: + '#error#': + - "80" + '#none#': + - "2" + scriptarguments: + suspended: + simple: "true" + user_key: + complex: + root: Blocklist + accessor: Final + separatecontext: false + continueonerror: true + continueonerrortype: errorPath + view: |- + { + "position": { + "x": 1900, + "y": 1100 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "75": + id: "75" + taskid: 8aefedd7-a4f0-49ae-a63e-107b955fa96f + type: regular + task: + id: 8aefedd7-a4f0-49ae-a63e-107b955fa96f + version: -1 + name: Get Account IDs From SailPoint + description: Fetch accounts by search/filter parameters (id, display_name, last_refresh, + native_identity, last_target_agg, identity_name & application_name) using + IdentityIQ SCIM APIs. + script: SailPointIdentityIQ|||identityiq-get-accounts + type: regular + iscommand: true + brand: SailPointIdentityIQ + playbooktaskmissingcomponent: null + nexttasks: + '#error#': + - "80" + '#none#': + - "85" + scriptarguments: + display_name: + complex: + root: Blocklist + accessor: Final + separatecontext: false + continueonerror: true + continueonerrortype: errorPath + view: |- + { + "position": { + "x": 640, + "y": 890 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "76": + id: "76" + taskid: 0f3e3317-a5f1-4708-9100-71d8deee6269 + type: regular + task: + id: 0f3e3317-a5f1-4708-9100-71d8deee6269 + version: -1 + name: Active Directory - Get User + description: Retrieves detailed information about a user account. The user can + be specified by name, email address, or as an Active Directory Distinguished + Name (DN). If no filter is specified, all users are returned. + script: '|||ad-get-user' + type: regular + iscommand: true + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#error#': + - "80" + '#none#': + - "77" + scriptarguments: + extend-context: + simple: UserAD=attributes.sAMAccountName + ignore-outputs: + simple: "true" + username: + complex: + root: Blocklist + accessor: Final + separatecontext: false + continueonerror: true + continueonerrortype: errorPath + view: |- + { + "position": { + "x": 1050, + "y": 920 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "77": + id: "77" + taskid: 419df6f0-2416-4a48-8124-eb64ce5da93a + type: condition + task: + id: 419df6f0-2416-4a48-8124-eb64ce5da93a + version: -1 + name: Does the username exist? + description: Verify that the user exists. + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#default#': + - "2" + "yes": + - "87" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isExists + left: + value: + simple: UserAD + iscontext: true + right: + value: {} + continueonerrortype: "" + view: |- + { + "position": { + "x": 1050, + "y": 1090 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "78": + id: "78" + taskid: b4f253c0-79aa-4f96-aea6-0b24102a78f9 + type: regular + task: + id: b4f253c0-79aa-4f96-aea6-0b24102a78f9 + version: -1 + name: Microsoft Graph User - Get User + description: |- + Retrieves the properties and relationships of a user object. For more information, visit: https://docs.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0. + Permissions: - User.Read (Delegated) - User.Read.All (Application). + script: Microsoft Graph User|||msgraph-user-get + type: regular + iscommand: true + brand: Microsoft Graph User + playbooktaskmissingcomponent: null + nexttasks: + '#error#': + - "80" + '#none#': + - "79" + scriptarguments: + extend-context: + simple: UserMSGraph=id + ignore-outputs: + simple: "true" + user: + complex: + root: Blocklist + accessor: Final + separatecontext: false + continueonerror: true + continueonerrortype: errorPath + view: |- + { + "position": { + "x": 1480, + "y": 920 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "79": + id: "79" + taskid: 6a4ebfcb-e506-4333-81b5-8889065e2fbe + type: condition + task: + id: 6a4ebfcb-e506-4333-81b5-8889065e2fbe + version: -1 + name: Does the username exist? + description: Verify that the user exists. + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#default#': + - "2" + "yes": + - "89" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isExists + left: + value: + simple: UserMSGraph + iscontext: true + right: + value: {} + continueonerrortype: "" + view: |- + { + "position": { + "x": 1480, + "y": 1090 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "80": + id: "80" + taskid: 9c727ebc-c367-4d93-8c46-9a94e441cc3a + type: playbook + task: + id: 9c727ebc-c367-4d93-8c46-9a94e441cc3a + version: -1 + name: Foundation - Foundation - Error Handling_V3 + playbookName: Foundation - Foundation - Error Handling_V3 + type: playbook + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + separatecontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": -500, + "y": 1650 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "81": + id: "81" + taskid: 32ae003a-1fa5-4b05-96c2-c8fa23554814 + type: condition + task: + id: 32ae003a-1fa5-4b05-96c2-c8fa23554814 + version: -1 + name: Run Mode? + scriptName: ShadowModeRouter_V3 + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + Full Run: + - "33" + Shadow Mode: + - "82" + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -1460, + "y": 990 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "82": + id: "82" + taskid: 4a7ea37e-8c02-4d25-9012-ba3bfabc15e6 + type: regular + task: + id: 4a7ea37e-8c02-4d25-9012-ba3bfabc15e6 + version: -1 + name: 'Shadow: IAM Disable User' + description: Prints text to war room (Markdown supported) + scriptName: Print + type: regular + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#none#': + - "2" + scriptarguments: + value: + simple: |- + Shadow: IAM Disable User + Command: iam-disable-user ${Blocklist.Final} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -1700, + "y": 1220 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "83": + id: "83" + taskid: 096e41dc-b0ba-457c-a0ff-958eab5cad2b + type: condition + task: + id: 096e41dc-b0ba-457c-a0ff-958eab5cad2b + version: -1 + name: Run Mode? + scriptName: ShadowModeRouter_V3 + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + Full Run: + - "34" + Shadow Mode: + - "84" + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 200, + "y": 1000 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "84": + id: "84" + taskid: e83f7e76-e9f7-4278-9c78-c1efaac3b8c8 + type: regular + task: + id: e83f7e76-e9f7-4278-9c78-c1efaac3b8c8 + version: -1 + name: 'Shadow: PingOne Deactivate User' + description: Prints text to war room (Markdown supported) + scriptName: Print + type: regular + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#none#': + - "2" + scriptarguments: + value: + simple: |- + Shadow: PingOne Deactivate User + Command: pingone-deactivate-user + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -30, + "y": 1190 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "85": + id: "85" + taskid: 0a07259b-b2fd-4202-802e-dca83c86e91a + type: condition + task: + id: 0a07259b-b2fd-4202-802e-dca83c86e91a + version: -1 + name: Run Mode? + scriptName: ShadowModeRouter_V3 + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + Full Run: + - "35" + Shadow Mode: + - "86" + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 390, + "y": 1220 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "86": + id: "86" + taskid: a78dbb56-315e-4dcf-9099-e24e9c571cc9 + type: regular + task: + id: a78dbb56-315e-4dcf-9099-e24e9c571cc9 + version: -1 + name: 'Shadow: SailPoint Disable User' + description: Prints text to war room (Markdown supported) + scriptName: Print + type: regular + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#none#': + - "2" + scriptarguments: + value: + simple: |- + Shadow: SailPoint Disable User + Command: identityiq-disable-account + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 550, + "y": 1470 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "87": + id: "87" + taskid: 8f693a0b-31be-4a22-bcce-b5ba123f1fac + type: condition + task: + id: 8f693a0b-31be-4a22-bcce-b5ba123f1fac + version: -1 + name: Run Mode? + scriptName: ShadowModeRouter_V3 + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + Full Run: + - "48" + Shadow Mode: + - "88" + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1050, + "y": 1280 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "88": + id: "88" + taskid: ed3e629c-2483-4afe-b75d-ccb79180b48b + type: regular + task: + id: ed3e629c-2483-4afe-b75d-ccb79180b48b + version: -1 + name: 'Shadow: Active Directory Disable Account' + description: Prints text to war room (Markdown supported) + scriptName: Print + type: regular + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#none#': + - "2" + scriptarguments: + value: + simple: |- + Shadow: Active Directory Disable Account + Command: ad-disable-account ${UserAD} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1350, + "y": 1470 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "89": + id: "89" + taskid: 2bc496f7-3119-4341-8a3c-7330377148f7 + type: condition + task: + id: 2bc496f7-3119-4341-8a3c-7330377148f7 + version: -1 + name: Run Mode? + scriptName: ShadowModeRouter_V3 + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + Full Run: + - "69" + Shadow Mode: + - "90" + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1620, + "y": 1280 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "90": + id: "90" + taskid: d446c5e6-d5a2-4ce3-b0f9-3b56cca55d17 + type: regular + task: + id: d446c5e6-d5a2-4ce3-b0f9-3b56cca55d17 + version: -1 + name: 'Shadow: Microsoft Graph User Disable Account' + description: Prints text to war room (Markdown supported) + scriptName: Print + type: regular + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#none#': + - "2" + scriptarguments: + user: + simple: |- + Shadow: Microsoft Graph User Disable Account + Command: msgraph-user-account-disable + value: + simple: |- + Shadow: Microsoft Graph User Disable Account + Command: ${UserMSGraph} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 2170, + "y": 1470 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "91": + id: "91" + taskid: f5c259de-a8b6-4df6-be44-a9ee299b061b + type: condition + task: + id: f5c259de-a8b6-4df6-be44-a9ee299b061b + version: -1 + name: Run Mode? + scriptName: ShadowModeRouter_V3 + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + Full Run: + - "15" + Shadow Mode: + - "92" + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 2700, + "y": 1120 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "92": + id: "92" + taskid: 067be8bb-a616-4b36-b846-8314a63f9939 + type: regular + task: + id: 067be8bb-a616-4b36-b846-8314a63f9939 + version: -1 + name: 'Shadow: PAN-OS Register Tag to User' + description: Prints text to war room (Markdown supported) + scriptName: Print + type: regular + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#none#': + - "2" + scriptarguments: + user: + simple: |- + Shadow: Microsoft Graph User Disable Account + Command: msgraph-user-account-disable + value: + simple: |- + Shadow: PAN-OS Register Tag to User + Command: pan-os-register-user-tag ${Blocklist.Final} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 2950, + "y": 1280 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "93": + id: "93" + taskid: 05d57e0f-4bdb-4f6b-aa39-473461333d71 + type: condition + task: + id: 05d57e0f-4bdb-4f6b-aa39-473461333d71 + version: -1 + name: Run Mode? + scriptName: ShadowModeRouter_V3 + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + Full Run: + - "74" + Shadow Mode: + - "94" + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1900, + "y": 940 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "94": + id: "94" + taskid: 4145c31a-0721-4050-86fd-eca739f88df8 + type: regular + task: + id: 4145c31a-0721-4050-86fd-eca739f88df8 + version: -1 + name: 'Shadow: Google Workspace Admin - Disable User' + description: Prints text to war room (Markdown supported) + scriptName: Print + type: regular + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + nexttasks: + '#none#': + - "2" + scriptarguments: + user: + simple: |- + Shadow: Microsoft Graph User Disable Account + Command: msgraph-user-account-disable + value: + simple: | + Shadow: Google Workspace Admin - Disable User + Command: gsuite-user-data
 separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 2300, + "y": 1100 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false +view: |- + { + "linkLabelsPosition": { + "16_2_#default#": 0.1, + "16_91_yes": 0.9, + "26_2_#default#": 0.11, + "26_81_yes": 0.84, + "27_2_#default#": 0.1, + "28_2_#default#": 0.15, + "28_81_yes": 0.1, + "29_2_#default#": 0.11, + "29_83_yes": 0.36, + "30_2_#default#": 0.26, + "30_81_yes": 0.11, + "31_2_#default#": 0.27, + "31_81_yes": 0.12, + "32_2_#default#": 0.18, + "32_81_yes": 0.85, + "36_2_#default#": 0.1, + "37_2_#default#": 0.12, + "43_44_yes": 0.49, + "52_39_#default#": 0.2, + "53_2_#default#": 0.1, + "53_81_yes": 0.79, + "55_2_#default#": 0.1, + "55_81_yes": 0.86, + "57_2_#default#": 0.1, + "57_81_yes": 0.18, + "59_2_#default#": 0.1, + "59_81_yes": 0.14, + "63_2_#default#": 0.1, + "65_2_#default#": 0.1, + "65_81_yes": 0.1, + "67_2_#default#": 0.1, + "67_81_yes": 0.1, + "70_2_#default#": 0.1, + "70_81_yes": 0.1, + "72_2_#default#": 0.1, + "72_93_yes": 0.44, + "79_89_yes": 0.85, + "8_38_yes": 0.65, + "8_39_#default#": 0.13 + }, + "paper": { + "dimensions": { + "height": 3170, + "width": 8700, + "x": -5370, + "y": -1450 + } + } + } +inputs: +- key: Username + value: {} + required: false + description: Array of malicious usernames to block. + playbookInputQuery: null +- key: Tag + value: + simple: Bad Account + required: false + description: PAN-OS Tag name to apply to the username that you want to block. + playbookInputQuery: null +- key: NamingConvention + value: {} + required: false + description: In case you are using naming convention in your IDP, please specify + a prefix for special/service accounts (use comma separated) + playbookInputQuery: null +- key: UserVerification + value: + simple: "True" + required: false + description: |- + Possible values:True/False. Default:True. + Specify if User Verification is Requrired + playbookInputQuery: null +- key: ShadowMode + value: + simple: "true" + required: false + description: "" + playbookInputQuery: null +inputSections: +- inputs: + - Username + - Tag + - NamingConvention + - UserVerification + - ShadowMode + name: General (Inputs group) + description: Generic group for inputs +outputSections: +- outputs: + - Blocklist.Final + name: General (Outputs group) + description: Generic group for outputs +outputs: +- contextPath: Blocklist.Final + description: Blocked accounts. + type: unknown +sourceplaybookid: Block Account - Generic v2 +dirtyInputs: true +adopted: true diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_Domain_-_Cisco_Stealthwatch.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_Domain_-_Cisco_Stealthwatch.yml new file mode 100644 index 0000000..c3fa8f6 --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_Domain_-_Cisco_Stealthwatch.yml @@ -0,0 +1,374 @@ +adopted: true +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 6.5.0 + isoverridable: false + itemVersion: 1.0.36 + packID: "" + packName: Cisco Secure Network Analytics (Stealthwatch) + prevname: "" + supportedModules: [] + toServerVersion: "" +description: This playbook blocks domains using Cisco Stealthwatch Cloud. +dirtyInputs: true +id: 'SOC Block Domain - Cisco Stealthwatch_V3' +inputSections: +- description: Generic group for inputs + inputs: + - Domain + - ShadowMode + name: General (Inputs group) +inputs: +- description: The Domain to block. + key: Domain + playbookInputQuery: + required: false + value: {} +- description: "" + key: ShadowMode + playbookInputQuery: + required: false + value: + simple: "true" +name: SOC Block Domain - Cisco Stealthwatch_V3 +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: [] +outputs: [] +sourceplaybookid: Block Domain - Cisco Stealthwatch +starttaskid: "0" +tags: +- SOC +- SOC_Framework +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "5" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: b124cfe7-a56f-4490-880b-78cf3274b99b + iscommand: false + name: "" + playbooktaskmissingcomponent: + version: -1 + taskid: b124cfe7-a56f-4490-880b-78cf3274b99b + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 450, + "y": -340 + } + } + "2": + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: brand + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: modules.brand + operator: isEqualString + right: + value: + simple: Stealthwatch Cloud + - - ignorecase: true + left: + iscontext: true + value: + simple: modules.state + operator: isEqualString + right: + value: + simple: Active + root: modules + operator: isExists + right: + value: {} + label: "yes" + continueonerrortype: "" + id: "2" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "4" + "yes": + - "7" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Verify that there is a valid instance of Check Point Firewall enabled. + id: 1268fa81-6e6d-4d75-8f22-f6893af3cb9c + iscommand: false + name: Is Cisco Stealthwatch enabled? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 1268fa81-6e6d-4d75-8f22-f6893af3cb9c + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 670, + "y": -40 + } + } + "3": + continueonerror: true + continueonerrortype: errorPath + id: "3" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "6" + '#none#': + - "4" + note: false + quietmode: 0 + scriptarguments: + domain: + complex: + root: inputs.Domain + separatecontext: false + skipunavailable: false + task: + brand: Stealthwatch Cloud + description: Add a domain or IP to the block list + id: ae728956-b777-4846-a4d3-5edbdf95af4b + iscommand: true + name: Block Domain + playbooktaskmissingcomponent: + script: Stealthwatch Cloud|||sw-block-domain-or-ip + type: regular + version: -1 + taskid: ae728956-b777-4846-a4d3-5edbdf95af4b + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 670, + "y": 390 + } + } + "4": + continueonerrortype: "" + id: "4" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 897a00db-2a04-48d5-8630-e55b5443f0b9 + iscommand: false + name: Done + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 897a00db-2a04-48d5-8630-e55b5443f0b9 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 450, + "y": 560 + } + } + "5": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.Domain + operator: isNotEmpty + label: "yes" + continueonerrortype: "" + id: "5" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "4" + "yes": + - "2" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Check whether the necessary inputs were provided + id: cfdef7e9-5188-4715-8a20-4cf22f75f1ee + iscommand: false + name: Check if Domain input was provided + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: cfdef7e9-5188-4715-8a20-4cf22f75f1ee + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 450, + "y": -210 + } + } + "6": + continueonerrortype: "" + id: "6" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: 5801ed19-0f8a-47da-889f-b0034b1b1a76 + iscommand: false + name: Foundation - Foundation - Error Handling_V3 + playbookId: Foundation - Foundation - Error Handling_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: 5801ed19-0f8a-47da-889f-b0034b1b1a76 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 1230, + "y": 555 + } + } + "7": + continueonerrortype: "" + id: "7" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + Full Run: + - "3" + Shadow Mode: + - "8" + note: false + quietmode: 0 + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 7179cdf6-d566-42b4-b908-71f84a7d5b1e + iscommand: false + name: Run Mode? + playbooktaskmissingcomponent: + script: ShadowModeRouter_V3 + type: condition + version: -1 + taskid: 7179cdf6-d566-42b4-b908-71f84a7d5b1e + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 860, + "y": 220 + } + } + "8": + continueonerrortype: "" + id: "8" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "4" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow: Cisco Stealthwatch Block Domain + Command: sw-block-domain-or-ip + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: e0f12968-7aaa-4c09-b4bb-41e2ba5b629d + iscommand: false + name: 'Shadow: Cisco Stealthwatch Block Domain' + playbooktaskmissingcomponent: + script: Print + type: regular + version: -1 + taskid: e0f12968-7aaa-4c09-b4bb-41e2ba5b629d + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1110, + "y": 390 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": { + "2_4_#default#": 0.27, + "5_2_yes": 0.61, + "5_4_#default#": 0.66 + }, + "paper": { + "dimensions": { + "height": 965, + "width": 1160, + "x": 450, + "y": -340 + } + } + } +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_Domain_-_External_Dynamic.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_Domain_-_External_Dynamic.yml new file mode 100644 index 0000000..3fafa5e --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_Domain_-_External_Dynamic.yml @@ -0,0 +1,229 @@ +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 6.5.0 + isoverridable: false + itemVersion: 3.3.12 + packID: "" + packName: Generic Export Indicators Service + prevname: "" + toServerVersion: "" +description: |- + This playbook blocks domains using External Dynamic Link. + The playbook adds a tag to the inputs domain indicators. the tagged domains can be publish as External Dynamic list that can be added to blocklist using products like Panorama by Palo Alto Networks. + For Panorama - You can block the tagged domains by creating EDL(in Panorama) with the XSOAR EDL Url, and assign it to Anti-Spyware profile under "DNS Signature Policies" +adopted: true +id: 'SOC Block Domain - External Dynamic_V3' +inputs: +- description: The domains to block + key: Domains + playbookInputQuery: + required: false + value: {} +- description: Indicator tag to assign + key: Tag + playbookInputQuery: + required: false + value: {} +name: SOC Block Domain - External Dynamic_V3 +outputs: [] +quiet: true +sourceplaybookid: Block Domain - External Dynamic List +starttaskid: "0" +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "1" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: b91dfe71-e177-4ca7-895f-1026172f5dea + iscommand: false + name: "" + version: -1 + taskid: b91dfe71-e177-4ca7-895f-1026172f5dea + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 50, + "y": 50 + } + } + "1": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.Tag + operator: isNotEmpty + right: + value: {} + - - left: + iscontext: true + value: + complex: + root: inputs.Domains + operator: isNotEmpty + label: "yes" + continueonerrortype: "" + id: "1" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "3" + "yes": + - "2" + note: false + quietmode: 2 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 609eb07b-eea9-4735-83a6-3376a68b64af + iscommand: false + name: Use External Dynamic List? + type: condition + version: -1 + taskid: 609eb07b-eea9-4735-83a6-3376a68b64af + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 50, + "y": 210 + } + } + "2": + continueonerror: true + continueonerrortype: errorPath + id: "2" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "4" + '#none#': + - "3" + note: false + quietmode: 2 + scriptarguments: + field: + simple: tags + fieldValue: + complex: + root: inputs.Tag + indicatorsValues: + complex: + root: inputs.Domains + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.add.values.to.indicator.multi.select.field + id: 0aad424f-b0ce-4554-b331-e9ea121a0864 + iscommand: true + name: Update Indicator Tag for EDL + script: Builtin|||appendIndicatorField + type: regular + version: -1 + taskid: 0aad424f-b0ce-4554-b331-e9ea121a0864 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 195.25, + "y": 380 + } + } + "3": + continueonerrortype: "" + id: "3" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: bc8d3853-6554-4315-8a49-ebe6496d6160 + iscommand: false + name: Done + type: title + version: -1 + taskid: bc8d3853-6554-4315-8a49-ebe6496d6160 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 50, + "y": 720 + } + } + "4": + continueonerrortype: "" + id: "4" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "3" + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: 4842df3e-4c32-4561-8e92-17b81386b70d + iscommand: false + name: Foundation - Foundation - Error Handling_V3 + playbookId: Foundation - Foundation - Error Handling_V3 + type: playbook + version: -1 + taskid: 4842df3e-4c32-4561-8e92-17b81386b70d + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 340.5, + "y": 550 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": {}, + "paper": { + "dimensions": { + "height": 730, + "width": 671.5, + "x": 50, + "y": 50 + } + } + } +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_Domain_-_External_Dynamic_List.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_Domain_-_External_Dynamic_List.yml new file mode 100644 index 0000000..72fcecf --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_Domain_-_External_Dynamic_List.yml @@ -0,0 +1,330 @@ +adopted: true +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 6.5.0 + isoverridable: false + itemVersion: 3.3.18 + packID: "" + packName: Generic Export Indicators Service + prevname: "" + supportedModules: [] + toServerVersion: "" +description: |- + This playbook blocks domains using External Dynamic Link. + The playbook adds a tag to the inputs domain indicators. the tagged domains can be publish as External Dynamic list that can be added to blocklist using products like Panorama by Palo Alto Networks. + For Panorama - You can block the tagged domains by creating EDL(in Panorama) with the XSOAR EDL Url, and assign it to Anti-Spyware profile under "DNS Signature Policies" +dirtyInputs: true +id: 'SOC Block Domain - External Dynamic_V3 List_V3' +inputSections: +- description: Generic group for inputs + inputs: + - Domains + - Tag + - ShadowMode + name: General (Inputs group) +inputs: +- description: The domains to block + key: Domains + playbookInputQuery: + required: false + value: {} +- description: Indicator tag to assign + key: Tag + playbookInputQuery: + required: false + value: {} +- description: "" + key: ShadowMode + playbookInputQuery: + required: false + value: + simple: "true" +name: SOC Block Domain - External Dynamic_V3 List_V3 +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: [] +outputs: [] +sourceplaybookid: Block Domain - External Dynamic List +starttaskid: "0" +tags: +- SOC +- SOC_Framework +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "1" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: b91dfe71-e177-4ca7-895f-1026172f5dea + iscommand: false + name: "" + playbooktaskmissingcomponent: + version: -1 + taskid: b91dfe71-e177-4ca7-895f-1026172f5dea + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 50, + "y": 50 + } + } + "1": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.Tag + operator: isNotEmpty + right: + value: {} + - - left: + iscontext: true + value: + complex: + root: inputs.Domains + operator: isNotEmpty + label: "yes" + continueonerrortype: "" + id: "1" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "3" + "yes": + - "5" + note: false + quietmode: 2 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 609eb07b-eea9-4735-83a6-3376a68b64af + iscommand: false + name: Use External Dynamic List? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 609eb07b-eea9-4735-83a6-3376a68b64af + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 50, + "y": 180 + } + } + "2": + continueonerror: true + continueonerrortype: errorPath + id: "2" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "4" + '#none#': + - "3" + note: false + quietmode: 2 + scriptarguments: + field: + simple: tags + fieldValue: + complex: + root: inputs.Tag + indicatorsValues: + complex: + root: inputs.Domains + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.add.values.to.indicator.multi.select.field + id: f01938b2-2926-4d8e-ad29-3677fb5281ed + iscommand: true + name: Update Indicator Tag for EDL + playbooktaskmissingcomponent: + script: Builtin|||appendIndicatorField + type: regular + version: -1 + taskid: f01938b2-2926-4d8e-ad29-3677fb5281ed + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 290, + "y": 500 + } + } + "3": + continueonerrortype: "" + id: "3" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: bc8d3853-6554-4315-8a49-ebe6496d6160 + iscommand: false + name: Done + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: bc8d3853-6554-4315-8a49-ebe6496d6160 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 50, + "y": 770 + } + } + "4": + continueonerrortype: "" + id: "4" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: d693e9dc-8e41-4d1f-8162-5991e8c58f17 + iscommand: false + name: Foundation - Foundation - Error Handling_V3 + playbookId: Foundation - Foundation - Error Handling_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: d693e9dc-8e41-4d1f-8162-5991e8c58f17 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 530, + "y": 760 + } + } + "5": + continueonerrortype: "" + id: "5" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + Full Run: + - "2" + Shadow Mode: + - "6" + note: false + quietmode: 0 + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 474ca564-1539-4528-803d-ddea2e2aa1ff + iscommand: false + name: Run Mode? + playbooktaskmissingcomponent: + script: 'ShadowModeRouter_V3' + type: condition + version: -1 + taskid: 474ca564-1539-4528-803d-ddea2e2aa1ff + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 490, + "y": 340 + } + } + "6": + continueonerror: true + continueonerrortype: errorPath + id: "6" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "4" + '#none#': + - "3" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow: PANW Update Indicator Tag for EDL + Command: ${inputs.Domains} + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: e2f1c719-682e-412b-8b04-16239f6b65f1 + iscommand: false + name: 'Shadow: PANW Update Indicator Tag for EDL' + playbooktaskmissingcomponent: + script: Print + type: regular + version: -1 + taskid: e2f1c719-682e-412b-8b04-16239f6b65f1 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 690, + "y": 500 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": {}, + "paper": { + "dimensions": { + "height": 780, + "width": 1020, + "x": 50, + "y": 50 + } + } + } +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_Domain_-_FireEye_Email_Security.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_Domain_-_FireEye_Email_Security.yml new file mode 100644 index 0000000..265ea36 --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_Domain_-_FireEye_Email_Security.yml @@ -0,0 +1,372 @@ +adopted: true +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 6.0.0 + isoverridable: false + itemVersion: 2.0.35 + packID: "" + packName: FireEye Email Security (EX) + prevname: "" + supportedModules: [] + toServerVersion: "" +description: |- + This playbook blocks domains using FireEye Email Security. + The playbook checks whether the FireEye Email Security integration is enabled, whether the Domain input has been provided and if so, blocks the domain. +dirtyInputs: true +id: 'SOC Block Domain - FireEye Email Security_V3' +inputSections: +- description: Generic group for inputs + inputs: + - Domain + - ShadowMode + name: General (Inputs group) +inputs: +- description: The Domain to block. + key: Domain + playbookInputQuery: + required: false + value: {} +- description: "" + key: ShadowMode + playbookInputQuery: + required: false + value: + simple: "true" +name: SOC Block Domain - FireEye Email Security_V3 +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: [] +outputs: [] +sourceplaybookid: Block Domain - FireEye Email Security +starttaskid: "0" +tags: +- SOC +- SOC_Framework +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "4" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 94163ae0-f7a8-4641-803d-11ce2e35a27a + iscommand: false + name: "" + playbooktaskmissingcomponent: + version: -1 + taskid: 94163ae0-f7a8-4641-803d-11ce2e35a27a + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 450, + "y": -250 + } + } + "1": + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: brand + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: modules.brand + operator: isEqualString + right: + value: + simple: FireEye Email Security + - - ignorecase: true + left: + iscontext: true + value: + simple: modules.state + operator: isEqualString + right: + value: + simple: Active + root: modules + operator: isExists + label: "yes" + continueonerrortype: "" + id: "1" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "3" + "yes": + - "6" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Verify that there is a valid instance of Check Point Firewall enabled. + id: e1a529d9-ad4c-4392-8249-128a5b760eba + iscommand: false + name: Is FireEye Email Security enabled? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: e1a529d9-ad4c-4392-8249-128a5b760eba + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 670, + "y": 60 + } + } + "2": + continueonerror: true + continueonerrortype: errorPath + id: "2" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "5" + '#none#': + - "3" + note: false + quietmode: 0 + scriptarguments: + entry_value: + complex: + root: inputs.Domain + type: + simple: sender_domain + separatecontext: false + skipunavailable: false + task: + brand: FireEye Email Security + description: Creates the blocked sender domain. + id: 47c008a0-3e4a-47f5-a4ab-89b1f7fda908 + iscommand: true + name: Block Domain + playbooktaskmissingcomponent: + script: FireEye Email Security|||fireeye-ex-create-blockedlist + type: regular + version: -1 + taskid: 47c008a0-3e4a-47f5-a4ab-89b1f7fda908 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 710, + "y": 380 + } + } + "3": + continueonerrortype: "" + id: "3" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 3b6ec932-ffb3-43c5-8666-13b769935c00 + iscommand: false + name: Done + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 3b6ec932-ffb3-43c5-8666-13b769935c00 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 450, + "y": 560 + } + } + "4": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.Domain + operator: isNotEmpty + label: "yes" + continueonerrortype: "" + id: "4" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "3" + "yes": + - "1" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Check whether the necessary inputs were provided + id: 8a98155b-9114-4772-8676-5dea5fa7809c + iscommand: false + name: Check if Domain input was provided + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 8a98155b-9114-4772-8676-5dea5fa7809c + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 450, + "y": -100 + } + } + "5": + continueonerrortype: "" + id: "5" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: 0985c48b-dbb2-406f-81fa-da7ed2b65954 + iscommand: false + name: Foundation - Foundation - Error Handling_V3 + playbookId: Foundation - Foundation - Error Handling_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: 0985c48b-dbb2-406f-81fa-da7ed2b65954 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 1200, + "y": 555 + } + } + "6": + continueonerrortype: "" + id: "6" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + Full Run: + - "2" + Shadow Mode: + - "7" + note: false + quietmode: 0 + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 8eb42e90-87d1-4aaa-92bc-62d8d51a195f + iscommand: false + name: Run Mode? + playbooktaskmissingcomponent: + script: ShadowModeRouter_V3 + type: condition + version: -1 + taskid: 8eb42e90-87d1-4aaa-92bc-62d8d51a195f + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 820, + "y": 210 + } + } + "7": + continueonerrortype: "" + id: "7" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "3" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow: FireEye Email Security Block Domain + Command: fireeye-ex-create-blockedlist + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: 3db1b406-a2dd-4b4e-aeaf-8209488d795a + iscommand: false + name: 'Shadow: FireEye Email Security Block Domain' + playbooktaskmissingcomponent: + script: Print + type: regular + version: -1 + taskid: 3db1b406-a2dd-4b4e-aeaf-8209488d795a + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1160, + "y": 380 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": {}, + "paper": { + "dimensions": { + "height": 875, + "width": 1130, + "x": 450, + "y": -250 + } + } + } +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_Domain_-_Generic_v2.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_Domain_-_Generic_v2.yml new file mode 100644 index 0000000..02e15c4 --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_Domain_-_Generic_v2.yml @@ -0,0 +1,381 @@ +adopted: true +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 6.5.0 + isoverridable: false + itemVersion: 2.7.16 + packID: "" + packName: SOC Common Playbooks + prevname: "" + supportedModules: + - X1 + - X3 + - X5 + - ENT_PLUS + - agentix + toServerVersion: "" +description: | + This playbook blocks malicious Domains using all integrations that are enabled. + + Supported integrations for this playbook: + * Zscaler + * Symantec Messaging Gateway + * FireEye EX + * Trend Micro Apex One + * Proofpoint Threat Response + * Cisco Stealthwatch Cloud +dirtyInputs: true +id: 'SOC Block Domain - Generic v2_V3' +inputSections: +- description: Generic group for inputs + inputs: + - Domain + - DomainBlackListID + - Tag + - Expiration + - ShadowMode + name: General (Inputs group) +inputs: +- description: The Domain to block. + key: Domain + playbookInputQuery: + required: false + value: {} +- description: |- + The Domain List ID to add the Domain to. + product: Proofpoint Threat Response + key: DomainBlackListID + playbookInputQuery: + required: false + value: {} +- description: |- + Tag to assign Domain to the External Dynamic List. + sub-playbook: Block Domain - External Dynamic List + key: Tag + playbookInputQuery: + required: false + value: {} +- description: "The UTC expiration date and time of the suspicious object, for example: + 2020-01-25T09:00:00Z.\nProducts: \nTrend Micro Apex One\nProofpoint Threat Response" + key: Expiration + playbookInputQuery: + required: false + value: {} +- description: "" + key: ShadowMode + playbookInputQuery: + required: false + value: + simple: "true" +name: SOC Block Domain - Generic v2_V3 +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: [] +outputs: [] +sourceplaybookid: Block Domain - Generic v2 +starttaskid: "0" +tags: +- SOC +- SOC_Framework +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "17" + - "16" + - "15" + - "14" + - "13" + - "12" + - "11" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 806d142e-f679-48c3-8e95-1bbc49ace64a + iscommand: false + name: "" + playbooktaskmissingcomponent: + version: -1 + taskid: 806d142e-f679-48c3-8e95-1bbc49ace64a + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 1010, + "y": 160 + } + } + "5": + continueonerrortype: "" + id: "5" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 3c45a271-d018-4dfc-8673-429fb09bc06e + iscommand: false + name: Done + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 3c45a271-d018-4dfc-8673-429fb09bc06e + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 1010, + "y": 480 + } + } + "11": + continueonerrortype: "" + id: "11" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "5" + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: 44e7a044-1f8e-48c5-825b-349091946c05 + iscommand: false + name: SOC Block Domain - Zscaler_V3 + playbookId: Block Domain - Zscaler + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: 44e7a044-1f8e-48c5-825b-349091946c05 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": -240, + "y": 310 + } + } + "12": + continueonerrortype: "" + id: "12" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: 31a3d910-b24a-44ef-8db7-44e8b3eb717d + iscommand: false + name: SOC Block Domain - Symantec Messaging Gateway_V3 + playbookId: Block Domain - Symantec Messaging Gateway + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: 31a3d910-b24a-44ef-8db7-44e8b3eb717d + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 170, + "y": 310 + } + } + "13": + continueonerrortype: "" + id: "13" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "5" + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: 4d5f09d1-9911-4658-8551-ab5eba031c71 + iscommand: false + name: SOC Block Domain - FireEye Email Security_V3 + playbookId: Block Domain - FireEye Email Security + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: 4d5f09d1-9911-4658-8551-ab5eba031c71 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 590, + "y": 310 + } + } + "14": + continueonerrortype: "" + id: "14" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "5" + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: 67b3f8a0-5508-45ba-8b7f-06a99eeeee0a + iscommand: false + name: SOC Block Domain - Trend Micro Apex One_V3 + playbookId: Block Domain - Trend Micro Apex One + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: 67b3f8a0-5508-45ba-8b7f-06a99eeeee0a + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 1010, + "y": 310 + } + } + "15": + continueonerrortype: "" + id: "15" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "5" + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: 3f71ce78-dc28-4bb2-82a5-aec91df370c6 + iscommand: false + name: SOC Block Domain - Proofpoint Threat Response_V3 + playbookId: Block Domain - Proofpoint Threat Response + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: 3f71ce78-dc28-4bb2-82a5-aec91df370c6 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 1430, + "y": 310 + } + } + "16": + continueonerrortype: "" + id: "16" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "5" + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: 12209a16-1801-49f3-8b58-9bfc216b62d7 + iscommand: false + name: SOC Block Domain - Cisco Stealthwatch_V3 + playbookId: Block Domain - Cisco Stealthwatch + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: 12209a16-1801-49f3-8b58-9bfc216b62d7 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 1850, + "y": 310 + } + } + "17": + continueonerrortype: "" + id: "17" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "5" + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: 8e29d096-dceb-48e5-82e6-71774d186005 + iscommand: false + name: SOC Block Domain - External Dynamic_V3 + playbookId: SOC Block Domain - External Dynamic_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: 8e29d096-dceb-48e5-82e6-71774d186005 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 2270, + "y": 310 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": {}, + "paper": { + "dimensions": { + "height": 380, + "width": 2890, + "x": -240, + "y": 160 + } + } + } +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_Domain_-_Proofpoint_Threat_Response.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_Domain_-_Proofpoint_Threat_Response.yml new file mode 100644 index 0000000..7d8333c --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_Domain_-_Proofpoint_Threat_Response.yml @@ -0,0 +1,399 @@ +adopted: true +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 5.5.0 + isoverridable: false + itemVersion: 2.0.28 + packID: "" + packName: Proofpoint Threat Response + prevname: "" + supportedModules: [] + toServerVersion: "" +description: |- + This playbook blocks domains using Proofpoint Threat Response. + The playbook checks whether the Proofpoint Threat Response integration is enabled, whether the Domain input has been provided and if so, blocks the domain. +dirtyInputs: true +id: 'SOC Block Domain - Proofpoint Threat Response_V3' +inputSections: +- description: Generic group for inputs + inputs: + - Domain + - DomainBlackListID + - Expiration + - ShadowMode + name: General (Inputs group) +inputs: +- description: The Domain to block. + key: Domain + playbookInputQuery: + required: false + value: {} +- description: The ID of the block list to block the domain in. + key: DomainBlackListID + playbookInputQuery: + required: false + value: {} +- description: 'The UTC expiration date and time of the suspicious object, for example: + 2020-01-25T09:00:00Z.' + key: Expiration + playbookInputQuery: + required: false + value: {} +- description: "" + key: ShadowMode + playbookInputQuery: + required: false + value: + simple: "true" +name: SOC Block Domain - Proofpoint Threat Response_V3 +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: [] +outputs: [] +sourceplaybookid: Block Domain - Proofpoint Threat Response +starttaskid: "0" +tags: +- SOC +- SOC_Framework +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "4" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 74cfb49a-85e7-4d70-82df-6eec688b84b0 + iscommand: false + name: "" + playbooktaskmissingcomponent: + version: -1 + taskid: 74cfb49a-85e7-4d70-82df-6eec688b84b0 + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 450, + "y": -400 + } + } + "1": + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: brand + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: modules.brand + operator: isEqualString + right: + value: + simple: Proofpoint Threat Response + - - ignorecase: true + left: + iscontext: true + value: + simple: modules.state + operator: isEqualString + right: + value: + simple: Active + root: modules + operator: isExists + label: "yes" + continueonerrortype: "" + id: "1" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "3" + "yes": + - "6" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Verify that there is a valid instance of Check Point Firewall enabled. + id: 480634cc-137e-4540-8320-57bede8c1434 + iscommand: false + name: Is Proofpoint Threat Response enabled? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 480634cc-137e-4540-8320-57bede8c1434 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 680, + "y": -120 + } + } + "2": + continueonerror: true + continueonerrortype: errorPath + id: "2" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "5" + '#none#': + - "3" + note: false + quietmode: 0 + scriptarguments: + blacklist_domain: + complex: + root: inputs.DomainBlackListID + domain: + complex: + root: inputs.Domain + expiration: + complex: + root: inputs.Expiration + separatecontext: false + skipunavailable: false + task: + brand: Proofpoint Threat Response + description: Adds the supplied domains to the specified block list. + id: 4229de47-31e8-4c87-bcea-9bf972aed621 + iscommand: true + name: Block Domain + playbooktaskmissingcomponent: + script: Proofpoint Threat Response|||proofpoint-tr-block-domain + type: regular + version: -1 + taskid: 4229de47-31e8-4c87-bcea-9bf972aed621 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 710, + "y": 290 + } + } + "3": + continueonerrortype: "" + id: "3" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: d9d40cf1-5be4-4d84-8739-27b065949e57 + iscommand: false + name: Done + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: d9d40cf1-5be4-4d84-8739-27b065949e57 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 450, + "y": 550 + } + } + "4": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.Domain + operator: isNotEmpty + - - left: + iscontext: true + value: + complex: + root: inputs.DomainBlackListID + operator: isNotEmpty + label: "yes" + continueonerrortype: "" + id: "4" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "3" + "yes": + - "1" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Check whether the necessary inputs were provided + id: 43e0f76e-d745-4fd7-810d-761ceba711f2 + iscommand: false + name: Check if inputs were provided + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 43e0f76e-d745-4fd7-810d-761ceba711f2 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 450, + "y": -290 + } + } + "5": + continueonerrortype: "" + id: "5" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: 2f806767-8adb-4630-86bb-826484c4edd6 + iscommand: false + name: Foundation - Foundation - Error Handling_V3 + playbookId: Foundation - Foundation - Error Handling_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: 2f806767-8adb-4630-86bb-826484c4edd6 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 1230, + "y": 545 + } + } + "6": + continueonerrortype: "" + id: "6" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + Full Run: + - "2" + Shadow Mode: + - "7" + note: false + quietmode: 0 + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 99e5f3da-af3f-4df6-9066-ca587bbed325 + iscommand: false + name: Run Mode? + playbooktaskmissingcomponent: + script: ShadowModeRouter_V3 + type: condition + version: -1 + taskid: 99e5f3da-af3f-4df6-9066-ca587bbed325 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 910, + "y": 110 + } + } + "7": + continueonerrortype: "" + id: "7" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "3" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow: Proofpoint Threat Response Block Domain + Command: proofpoint-tr-block-domain + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: 613f2e01-7d09-4cf6-b255-bb60d80ae563 + iscommand: false + name: 'Shadow: Proofpoint Threat Response Block Domain' + playbooktaskmissingcomponent: + script: Print + type: regular + version: -1 + taskid: 613f2e01-7d09-4cf6-b255-bb60d80ae563 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1150, + "y": 290 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": { + "1_3_#default#": 0.35, + "4_1_yes": 0.65, + "4_3_#default#": 0.47 + }, + "paper": { + "dimensions": { + "height": 1015, + "width": 1160, + "x": 450, + "y": -400 + } + } + } +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_Domain_-_Symantec_Messaging_Gateway.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_Domain_-_Symantec_Messaging_Gateway.yml new file mode 100644 index 0000000..d4f3d5b --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_Domain_-_Symantec_Messaging_Gateway.yml @@ -0,0 +1,374 @@ +adopted: true +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 5.5.0 + isoverridable: false + itemVersion: 1.0.22 + packID: "" + packName: Symantec Messaging Gateway + prevname: "" + supportedModules: [] + toServerVersion: "" +description: |- + This playbook blocks domains using Symantec Messaging Gateway. + The playbook checks whether the Symantec Messaging Gateway integration is enabled, whether the Domain input has been provided and if so, blocks the domain. +dirtyInputs: true +id: 'SOC Block Domain - Symantec Messaging Gateway_V3' +inputSections: +- description: Generic group for inputs + inputs: + - Domain + - ShadowMode + name: General (Inputs group) +inputs: +- description: The Domain to block. + key: Domain + playbookInputQuery: + required: false + value: {} +- description: "" + key: ShadowMode + playbookInputQuery: + required: false + value: + simple: "true" +name: SOC Block Domain - Symantec Messaging Gateway_V3 +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: [] +outputs: [] +sourceplaybookid: Block Domain - Symantec Messaging Gateway +starttaskid: "0" +tags: +- SOC +- SOC_Framework +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "4" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 1ff15490-2b31-4e36-896d-faddb7a98b9d + iscommand: false + name: "" + playbooktaskmissingcomponent: + version: -1 + taskid: 1ff15490-2b31-4e36-896d-faddb7a98b9d + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 450, + "y": -210 + } + } + "1": + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: brand + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: modules.brand + operator: isEqualString + right: + value: + simple: Symantec Messaging Gateway + - - ignorecase: true + left: + iscontext: true + value: + simple: modules.state + operator: isEqualString + right: + value: + simple: Active + root: modules + operator: isExists + label: "yes" + continueonerrortype: "" + id: "1" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "3" + "yes": + - "6" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Verify that there is a valid instance of Check Point Firewall enabled. + id: cc4526d7-39ab-42ac-8569-feb37fa265fe + iscommand: false + name: Is Symantec Messaging Gateway enabled? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: cc4526d7-39ab-42ac-8569-feb37fa265fe + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 680, + "y": 80 + } + } + "2": + continueonerror: true + continueonerrortype: errorPath + id: "2" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "5" + '#none#': + - "3" + note: false + quietmode: 0 + scriptarguments: + domain: + complex: + root: inputs.Domain + separatecontext: false + skipunavailable: false + task: + brand: Symantec Messaging Gateway + description: Adds domain to the Local Bad Sender Domains group. + id: 6de876c4-d943-4717-a863-bc92a9b61fb1 + iscommand: true + name: Block Domain + playbooktaskmissingcomponent: + script: Symantec Messaging Gateway|||smg-block-domain + type: regular + version: -1 + taskid: 6de876c4-d943-4717-a863-bc92a9b61fb1 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 840, + "y": 420 + } + } + "3": + continueonerrortype: "" + id: "3" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: f3e2e096-cec3-4658-8bd0-517a7d4521fb + iscommand: false + name: Done + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: f3e2e096-cec3-4658-8bd0-517a7d4521fb + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 450, + "y": 580 + } + } + "4": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.Domain + operator: isNotEmpty + label: "yes" + continueonerrortype: "" + id: "4" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "3" + "yes": + - "1" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Check whether the necessary inputs were provided + id: 90796878-1467-44fd-8bf6-55a869bd827d + iscommand: false + name: Check if Domain input was provided + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 90796878-1467-44fd-8bf6-55a869bd827d + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 450, + "y": -80 + } + } + "5": + continueonerrortype: "" + id: "5" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: d37f8bb8-2a32-4ae8-8020-ba12ab0e0b59 + iscommand: false + name: Foundation - Foundation - Error Handling_V3 + playbookId: Foundation - Foundation - Error Handling_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: d37f8bb8-2a32-4ae8-8020-ba12ab0e0b59 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 1280, + "y": 575 + } + } + "6": + continueonerrortype: "" + id: "6" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + Full Run: + - "2" + Shadow Mode: + - "7" + note: false + quietmode: 0 + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 7b919c34-50cd-407f-b626-b731f4650156 + iscommand: false + name: Run Mode? + playbooktaskmissingcomponent: + script: ShadowModeRouter_V3 + type: condition + version: -1 + taskid: 7b919c34-50cd-407f-b626-b731f4650156 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 840, + "y": 260 + } + } + "7": + continueonerrortype: "" + id: "7" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "3" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow: Symantec Message Gateway Block Domain + Command: smg-block-domain + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: 311d3113-37d5-407e-bb02-449fa7bc3aaa + iscommand: false + name: 'Shadow: Symantec Message Gateway Block Domain' + playbooktaskmissingcomponent: + script: Print + type: regular + version: -1 + taskid: 311d3113-37d5-407e-bb02-449fa7bc3aaa + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1290, + "y": 420 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": { + "1_3_#default#": 0.42, + "4_1_yes": 0.63, + "4_3_#default#": 0.5 + }, + "paper": { + "dimensions": { + "height": 855, + "width": 1220, + "x": 450, + "y": -210 + } + } + } +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_Domain_-_Trend_Micro_Apex_One.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_Domain_-_Trend_Micro_Apex_One.yml new file mode 100644 index 0000000..6678219 --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_Domain_-_Trend_Micro_Apex_One.yml @@ -0,0 +1,387 @@ +adopted: true +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 5.5.0 + isoverridable: false + itemVersion: 2.0.11 + packID: "" + packName: Trend Micro Apex One + prevname: "" + supportedModules: [] + toServerVersion: "" +description: |- + This playbook blocks domains using Trend Micro Apex One. + The playbook checks whether the Trend Micro Apex One integration is enabled, whether the Domain input has been provided and if so, blocks the domain. +dirtyInputs: true +id: 'SOC Block Domain - Trend Micro Apex One_V3' +inputSections: +- description: Generic group for inputs + inputs: + - Domain + - Expiration + - ShadowMode + name: General (Inputs group) +inputs: +- description: The Domain to block. + key: Domain + playbookInputQuery: + required: false + value: {} +- description: 'The UTC expiration date and time of the suspicious object, for example: + 2020-01-25T09:00:00Z.' + key: Expiration + playbookInputQuery: + required: false + value: {} +- description: "" + key: ShadowMode + playbookInputQuery: + required: false + value: + simple: "true" +name: SOC Block Domain - Trend Micro Apex One_V3 +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: [] +outputs: [] +sourceplaybookid: Block Domain - Trend Micro Apex One +starttaskid: "0" +tags: +- SOC +- SOC_Framework +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "4" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: d333e30b-b0ba-4578-820f-116443c2fa50 + iscommand: false + name: "" + playbooktaskmissingcomponent: + version: -1 + taskid: d333e30b-b0ba-4578-820f-116443c2fa50 + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 450, + "y": -320 + } + } + "1": + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: brand + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: modules.brand + operator: isEqualString + right: + value: + simple: Trend Micro Apex + - - ignorecase: true + left: + iscontext: true + value: + simple: modules.state + operator: isEqualString + right: + value: + simple: Active + root: modules + operator: isExists + label: "yes" + continueonerrortype: "" + id: "1" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "3" + "yes": + - "6" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Verify that there is a valid instance of Check Point Firewall enabled. + id: b414b6be-6e40-48a4-8612-d7cc449eb0cf + iscommand: false + name: Is Trend Micro Apex One enabled? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: b414b6be-6e40-48a4-8612-d7cc449eb0cf + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 700, + "y": -20 + } + } + "2": + continueonerror: true + continueonerrortype: errorPath + id: "2" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "5" + '#none#': + - "3" + note: false + quietmode: 0 + scriptarguments: + content: + complex: + root: inputs.Domain + expiration: + complex: + root: inputs.Expiration + scan_action: + simple: block + type: + simple: domain + separatecontext: false + skipunavailable: false + task: + brand: Trend Micro Apex + description: Add suspicious file SHA-1, IP address, domain, or URL objects to + the User-Defined Suspicious Object list. + id: 10ba9071-af0d-4729-b7d2-43b8440b292a + iscommand: true + name: Block Domain + playbooktaskmissingcomponent: + script: Trend Micro Apex|||trendmicro-apex-udso-add + type: regular + version: -1 + taskid: 10ba9071-af0d-4729-b7d2-43b8440b292a + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 730, + "y": 360 + } + } + "3": + continueonerrortype: "" + id: "3" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 410a42e0-2997-42fb-8b86-99085fe3168b + iscommand: false + name: Done + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 410a42e0-2997-42fb-8b86-99085fe3168b + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 450, + "y": 540 + } + } + "4": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.Domain + operator: isNotEmpty + label: "yes" + continueonerrortype: "" + id: "4" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "3" + "yes": + - "1" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Check whether the necessary inputs were provided + id: 36454014-dd62-4832-8cfe-f60877860910 + iscommand: false + name: Check if Domain input was provided + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 36454014-dd62-4832-8cfe-f60877860910 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 450, + "y": -180 + } + } + "5": + continueonerrortype: "" + id: "5" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: 6a0fcac1-eb92-4fec-88c2-50c48b6b03fc + iscommand: false + name: Foundation - Foundation - Error Handling_V3 + playbookId: Foundation - Foundation - Error Handling_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: 6a0fcac1-eb92-4fec-88c2-50c48b6b03fc + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 1360, + "y": 550 + } + } + "6": + continueonerrortype: "" + id: "6" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + Full Run: + - "2" + Shadow Mode: + - "7" + note: false + quietmode: 0 + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 44c5c5d3-873f-4ed2-8743-35fae5dce766 + iscommand: false + name: Run Mode? + playbooktaskmissingcomponent: + script: ShadowModeRouter_V3 + type: condition + version: -1 + taskid: 44c5c5d3-873f-4ed2-8743-35fae5dce766 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 800, + "y": 190 + } + } + "7": + continueonerrortype: "" + id: "7" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "3" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow: Trend Micro Apex Block Domain + Command: trendmicro-apex-udso-add + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: fb2015e7-c26b-4b9b-be73-0115b47753bd + iscommand: false + name: 'Shadow: Trend Micro Apex Block Domain' + playbooktaskmissingcomponent: + script: Print + type: regular + version: -1 + taskid: fb2015e7-c26b-4b9b-be73-0115b47753bd + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1210, + "y": 350 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": { + "1_3_#default#": 0.4 + }, + "paper": { + "dimensions": { + "height": 940, + "width": 1290, + "x": 450, + "y": -320 + } + } + } +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_Domain_-_Zscaler.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_Domain_-_Zscaler.yml new file mode 100644 index 0000000..4b10244 --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_Domain_-_Zscaler.yml @@ -0,0 +1,374 @@ +adopted: true +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 5.5.0 + isoverridable: false + itemVersion: 1.3.32 + packID: "" + packName: Zscaler Internet Access + prevname: "" + supportedModules: [] + toServerVersion: "" +description: |- + This playbook blocks domains using Zscaler. + The playbook checks whether the Zscaler integration is enabled, whether the Domain input has been provided and if so, blocks the domain. +dirtyInputs: true +id: 'SOC Block Domain - Zscaler_V3' +inputSections: +- description: Generic group for inputs + inputs: + - Domain + - ShadowMode + name: General (Inputs group) +inputs: +- description: The Domain to block. + key: Domain + playbookInputQuery: + required: false + value: {} +- description: "" + key: ShadowMode + playbookInputQuery: + required: false + value: + simple: "true" +name: SOC Block Domain - Zscaler_V3 +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: [] +outputs: [] +sourceplaybookid: Block Domain - Zscaler +starttaskid: "0" +tags: +- SOC +- SOC_Framework +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "5" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: b124cfe7-a56f-4490-880b-78cf3274b99b + iscommand: false + name: "" + playbooktaskmissingcomponent: + version: -1 + taskid: b124cfe7-a56f-4490-880b-78cf3274b99b + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 450, + "y": -210 + } + } + "2": + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: brand + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: modules.brand + operator: isEqualString + right: + value: + simple: Zscaler + - - ignorecase: true + left: + iscontext: true + value: + simple: modules.state + operator: isEqualString + right: + value: + simple: Active + root: modules + operator: isExists + label: "yes" + continueonerrortype: "" + id: "2" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "4" + "yes": + - "7" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Verify that there is a valid instance of Check Point Firewall enabled. + id: 566639bd-4b4b-47c5-81f5-1665ec447c34 + iscommand: false + name: Is Zscaler enabled? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 566639bd-4b4b-47c5-81f5-1665ec447c34 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 700, + "y": 170 + } + } + "3": + continueonerror: true + continueonerrortype: errorPath + id: "3" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "6" + '#none#': + - "4" + note: false + quietmode: 0 + scriptarguments: + url: + complex: + root: inputs.Domain + separatecontext: false + skipunavailable: false + task: + brand: Zscaler + description: Adds the specified URLs to the block list. + id: 5c24626d-b1cd-4be5-8925-7d95ffc3b0ec + iscommand: true + name: Block Domain + playbooktaskmissingcomponent: + script: Zscaler|||zscaler-blacklist-url + type: regular + version: -1 + taskid: 5c24626d-b1cd-4be5-8925-7d95ffc3b0ec + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 780, + "y": 460 + } + } + "4": + continueonerrortype: "" + id: "4" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 897a00db-2a04-48d5-8630-e55b5443f0b9 + iscommand: false + name: Done + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 897a00db-2a04-48d5-8630-e55b5443f0b9 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 440, + "y": 670 + } + } + "5": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.Domain + operator: isNotEmpty + label: "yes" + continueonerrortype: "" + id: "5" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "4" + "yes": + - "2" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Check whether the necessary inputs were provided + id: cfdef7e9-5188-4715-8a20-4cf22f75f1ee + iscommand: false + name: Check if Domain input was provided + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: cfdef7e9-5188-4715-8a20-4cf22f75f1ee + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 450, + "y": -20 + } + } + "6": + continueonerrortype: "" + id: "6" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: 6e77c9b1-f8b7-4d4b-8695-e37a7e1f3441 + iscommand: false + name: Foundation - Foundation - Error Handling_V3 + playbookId: Foundation - Foundation - Error Handling_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: 6e77c9b1-f8b7-4d4b-8695-e37a7e1f3441 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 1020, + "y": 665 + } + } + "7": + continueonerrortype: "" + id: "7" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + Full Run: + - "3" + Shadow Mode: + - "8" + note: false + quietmode: 0 + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: false + skipunavailable: false + task: + brand: "" + id: c7719eeb-e2f2-4bcf-9227-6d17ecc3bd4a + iscommand: false + name: Run Mode? + playbooktaskmissingcomponent: + script: ShadowModeRouter_V3 + type: condition + version: -1 + taskid: c7719eeb-e2f2-4bcf-9227-6d17ecc3bd4a + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 980, + "y": 300 + } + } + "8": + continueonerrortype: "" + id: "8" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "4" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow: Zscaler Block Domain + Command: zscaler-blacklist-url + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: 7827dd70-3caf-4cd1-8d7c-b3b955049ab8 + iscommand: false + name: 'Shadow: Zscaler Block Domain' + playbooktaskmissingcomponent: + script: Print + type: regular + version: -1 + taskid: 7827dd70-3caf-4cd1-8d7c-b3b955049ab8 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1310, + "y": 460 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": { + "2_4_#default#": 0.47, + "5_2_yes": 0.71, + "5_4_#default#": 0.53 + }, + "paper": { + "dimensions": { + "height": 945, + "width": 1250, + "x": 440, + "y": -210 + } + } + } +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_Email_-_Generic_v2.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_Email_-_Generic_v2.yml new file mode 100644 index 0000000..582118e --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_Email_-_Generic_v2.yml @@ -0,0 +1,873 @@ +adopted: true +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 6.5.0 + isoverridable: false + itemVersion: 2.7.15 + packID: "" + packName: Common Playbooks + prevname: "" + supportedModules: + - X1 + - X3 + - X5 + - ENT_PLUS + - agentix + toServerVersion: "" +description: | + This playbook will block emails at your mail relay integration. + + Supported integrations for this playbook: + * Mimecast + * FireEye Email Security (EX) + * Cisco Email Security + * Symantec Email Security +dirtyInputs: true +id: 'SOC Block Email - Generic v2_V3' +inputSections: +- description: Generic group for inputs + inputs: + - EmailToBlock + - ShadowMode + name: General (Inputs group) +inputs: +- description: The email address that will be blocked. + key: EmailToBlock + playbookInputQuery: + required: false + value: {} +- description: "" + key: ShadowMode + playbookInputQuery: + required: false + value: + simple: "true" +name: SOC Block Email - Generic v2_V3 +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: [] +outputs: [] +sourceplaybookid: Block Email - Generic v2 +starttaskid: "0" +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "18" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: d583e596-e160-4401-8bbf-544e34372f9e + iscommand: false + name: "" + playbooktaskmissingcomponent: + version: -1 + taskid: d583e596-e160-4401-8bbf-544e34372f9e + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 960, + "y": -220 + } + } + "2": + continueonerrortype: "" + id: "2" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 2a7524dc-dfcd-4dce-8978-5bbb1ba94a67 + iscommand: false + name: Done + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 2a7524dc-dfcd-4dce-8978-5bbb1ba94a67 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 970, + "y": 990 + } + } + "3": + continueonerrortype: "" + id: "3" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + EmailToBlock: + complex: + root: inputs.EmailToBlock + separatecontext: true + skipunavailable: true + task: + brand: "" + id: f2f94ec5-a4ef-4963-8382-9e334fc350c7 + iscommand: false + name: Symantec block Email + playbookId: Symantec block Email + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: f2f94ec5-a4ef-4963-8382-9e334fc350c7 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 750, + "y": 260 + } + } + "5": + continueonerrortype: "" + id: "5" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "2" + "yes": + - "22" + note: false + quietmode: 0 + scriptarguments: + brandname: + simple: FireEye Email Security + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no' + id: 2c065c72-23f4-41d6-8391-027a43640107 + iscommand: false + name: Is FireEye Email Security (EX) Available? + playbooktaskmissingcomponent: + script: IsIntegrationAvailable + type: condition + version: -1 + taskid: 2c065c72-23f4-41d6-8391-027a43640107 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 1170, + "y": 260 + } + } + "6": + continueonerrortype: "" + id: "6" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "2" + "yes": + - "24" + note: false + quietmode: 0 + scriptarguments: + brandname: + simple: MimecastV2 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no' + id: 75132291-3638-4f49-8d91-26b4021a87a7 + iscommand: false + name: Is Mimecast v2 Available? + playbooktaskmissingcomponent: + script: IsIntegrationAvailable + type: condition + version: -1 + taskid: 75132291-3638-4f49-8d91-26b4021a87a7 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 1770, + "y": 270 + } + } + "9": + continueonerror: true + continueonerrortype: errorPath + id: "9" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "19" + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + entry_value: + complex: + root: inputs.EmailToBlock + type: + simple: sender_email_address + separatecontext: false + skipunavailable: true + task: + brand: FireEye Email Security + description: Updates the blocked sender domain. + id: 7a10672f-b1a2-4910-b775-70fed70f2854 + iscommand: true + name: FireEye Update Blocklist + playbooktaskmissingcomponent: + script: FireEye Email Security|||fireeye-ex-update-blockedlist + type: regular + version: -1 + taskid: 7a10672f-b1a2-4910-b775-70fed70f2854 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1160, + "y": 760 + } + } + "10": + continueonerror: true + continueonerrortype: errorPath + id: "10" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "19" + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + description: + simple: Blocked accounts + fromType: + simple: individual_email_address + fromValue: + complex: + root: inputs.EmailToBlock + option: + simple: block_sender + toType: + simple: everyone + separatecontext: false + skipunavailable: true + task: + brand: MimecastV2 + description: Create a Blocked Sender Policy + id: 38a90692-985b-4b44-b475-6cea17fa1509 + iscommand: true + name: Mimecast - Block Sender Policy + playbooktaskmissingcomponent: + script: MimecastV2|||mimecast-create-policy + type: regular + version: -1 + taskid: 38a90692-985b-4b44-b475-6cea17fa1509 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 2010, + "y": 750 + } + } + "11": + continueonerrortype: "" + id: "11" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "6" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: ba2daa5c-96f8-462d-8a50-86c84d4d80e8 + iscommand: false + name: Mimecast + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: ba2daa5c-96f8-462d-8a50-86c84d4d80e8 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 1770, + "y": 130 + } + } + "12": + continueonerrortype: "" + id: "12" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "5" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: e38a8e79-0254-4d88-8e98-8d023766523d + iscommand: false + name: FireEye Email Security (EX) + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: e38a8e79-0254-4d88-8e98-8d023766523d + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 1170, + "y": 130 + } + } + "14": + continueonerrortype: "" + id: "14" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "3" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 45e2cbf1-08bc-4085-8d3e-a0fe2fd4553e + iscommand: false + name: Symantec Email Security + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 45e2cbf1-08bc-4085-8d3e-a0fe2fd4553e + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 750, + "y": 130 + } + } + "15": + continueonerrortype: "" + id: "15" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "16" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: ebbab30d-ccb0-4d3b-8eba-9c953cb7bdb3 + iscommand: false + name: Cisco Security Management Appliance + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: ebbab30d-ccb0-4d3b-8eba-9c953cb7bdb3 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 330, + "y": 130 + } + } + "16": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: brand + filters: + - - left: + iscontext: true + value: + simple: modules.brand + operator: isEqualString + right: + value: + simple: CiscoSMA + - - left: + iscontext: true + value: + simple: modules.state + operator: isEqualString + right: + value: + simple: active + root: modules + operator: isExists + right: + value: {} + label: "yes" + continueonerrortype: "" + id: "16" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "2" + "yes": + - "20" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no'. + id: 614bc2e7-b289-44d7-8350-5bc69ace90fa + iscommand: false + name: Is Cisco Security Management Appliance Available? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 614bc2e7-b289-44d7-8350-5bc69ace90fa + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 330, + "y": 260 + } + } + "17": + continueonerror: true + continueonerrortype: errorPath + id: "17" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "19" + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + entry_type: + simple: blocklist + sender_addresses: + complex: + root: inputs.EmailToBlock + view_by: + simple: sender + separatecontext: false + skipunavailable: true + task: + brand: CiscoSMA + description: Append spam quarantine blocklist/safelist entry. + id: 7d0cea05-db05-433d-90fb-83f2ab126f12 + iscommand: true + name: Cisco SMA - Append to Blocklist + playbooktaskmissingcomponent: + script: CiscoSMA|||cisco-sma-list-entry-append + type: regular + version: -1 + taskid: 7d0cea05-db05-433d-90fb-83f2ab126f12 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 550, + "y": 760 + } + } + "18": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.EmailToBlock + operator: isNotEmpty + label: "yes" + continueonerrortype: "" + id: "18" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "2" + "yes": + - "15" + - "12" + - "11" + - "14" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 9e4f3f09-0897-4f18-86ce-22dd8a09b18c + iscommand: false + name: Has emails to block? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 9e4f3f09-0897-4f18-86ce-22dd8a09b18c + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 960, + "y": -80 + } + } + "19": + continueonerrortype: "" + id: "19" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: 531f4aeb-6142-4a24-8983-dfb2f9bb50a5 + iscommand: false + name: Foundation - Foundation - Error Handling_V3 + playbookId: Foundation - Foundation - Error Handling_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: 531f4aeb-6142-4a24-8983-dfb2f9bb50a5 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 1480, + "y": 980 + } + } + "20": + continueonerrortype: "" + id: "20" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + Full Run: + - "17" + Shadow Mode: + - "21" + note: false + quietmode: 0 + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 82633ac8-e5ed-444b-9249-8feab2db0ed0 + iscommand: false + name: Run Mode? + playbooktaskmissingcomponent: + script: 'ShadowModeRouter_V3' + type: condition + version: -1 + taskid: 82633ac8-e5ed-444b-9249-8feab2db0ed0 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 240, + "y": 550 + } + } + "21": + continueonerrortype: "" + id: "21" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow: Cisco SMA Email Block List + Command: cisco-sma-list-entry-append ${inputs.EmailToBlock} + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: b2ebb744-50f7-4ddf-b022-253a04c799a9 + iscommand: false + name: 'Shadow: Cisco SMA Email Block List' + playbooktaskmissingcomponent: + script: Print + type: regular + version: -1 + taskid: b2ebb744-50f7-4ddf-b022-253a04c799a9 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 100, + "y": 760 + } + } + "22": + continueonerrortype: "" + id: "22" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + Full Run: + - "9" + Shadow Mode: + - "23" + note: false + quietmode: 0 + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 3fbb2e1c-d8ac-432b-84bc-d2f64a8d21ab + iscommand: false + name: Run Mode? + playbooktaskmissingcomponent: + script: 'ShadowModeRouter_V3' + type: condition + version: -1 + taskid: 3fbb2e1c-d8ac-432b-84bc-d2f64a8d21ab + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 1170, + "y": 540 + } + } + "23": + continueonerrortype: "" + id: "23" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow: FireEye Email Block List + Command: fireeye-ex-update-blockedlist ${inputs.EmailToBlock} + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: 0717ccc2-7515-41b7-97af-ddde85a23119 + iscommand: false + name: 'Shadow: FireEye Email Block List' + playbooktaskmissingcomponent: + script: Print + type: regular + version: -1 + taskid: 0717ccc2-7515-41b7-97af-ddde85a23119 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1570, + "y": 760 + } + } + "24": + continueonerrortype: "" + id: "24" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + Full Run: + - "10" + Shadow Mode: + - "25" + note: false + quietmode: 0 + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 644fff35-ada3-4337-8298-61368d09ce9f + iscommand: false + name: Run Mode? + playbooktaskmissingcomponent: + script: 'ShadowModeRouter_V3' + type: condition + version: -1 + taskid: 644fff35-ada3-4337-8298-61368d09ce9f + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 2010, + "y": 550 + } + } + "25": + continueonerrortype: "" + id: "25" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow: Mimecast Email Block List + Command: mimecast-create-policy ${inputs.EmailToBlock} + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: 05aaa92a-f72c-48bf-9421-32fba6f67104 + iscommand: false + name: 'Shadow: Mimecast Email Block List' + playbooktaskmissingcomponent: + script: Print + type: regular + version: -1 + taskid: 05aaa92a-f72c-48bf-9421-32fba6f67104 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 2430, + "y": 750 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": { + "16_2_#default#": 0.24, + "18_2_#default#": 0.12, + "5_22_yes": 0.62, + "5_2_#default#": 0.16, + "6_24_yes": 0.62, + "6_2_#default#": 0.18 + }, + "paper": { + "dimensions": { + "height": 1270, + "width": 2710, + "x": 100, + "y": -220 + } + } + } +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_File_-_Carbon_Black_Response.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_File_-_Carbon_Black_Response.yml new file mode 100644 index 0000000..df53a85 --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_File_-_Carbon_Black_Response.yml @@ -0,0 +1,404 @@ +adopted: true +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 5.0.0 + isoverridable: false + itemVersion: 2.1.53 + packID: "" + packName: Carbon Black Enterprise Response + prevname: "" + supportedModules: [] + toServerVersion: "" +description: |- + This playbook receives an MD5 hash and adds it to the block list in Carbon Black Enterprise Response. Files with that MD5 hash are blocked from execution on the managed endpoints. If the hash is already on the block list, no action is taken on the MD5. + + The playbook uses the integration ''VMware Carbon Black EDR v2". +dirtyInputs: true +id: 'SOC Block File - Carbon Black Response_V3' +inputSections: +- description: Generic group for inputs + inputs: + - MD5 + - Text + - ShadowMode + name: General (Inputs group) +inputs: +- description: The MD5 hash of the file you want to block. + key: MD5 + playbookInputQuery: + required: false + value: + complex: + accessor: MD5 + root: File +- description: Text description of block list. + key: Text + playbookInputQuery: + required: false + value: + simple: Blocked by XSOAR +- description: "" + key: ShadowMode + playbookInputQuery: + required: false + value: + simple: "true" +name: SOC Block File - Carbon Black Response_V3 +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: + - CbResponse.BlockedHashes.LastBlock.Time + - CbResponse.BlockedHashes.LastBlock.Hostname + - CbResponse.BlockedHashes.LastBlock.CbSensorID +outputs: +- contextPath: CbResponse.BlockedHashes.LastBlock.Time + description: Last block time +- contextPath: CbResponse.BlockedHashes.LastBlock.Hostname + description: Last block hostname +- contextPath: CbResponse.BlockedHashes.LastBlock.CbSensorID + description: Last block sensor ID +sourceplaybookid: Block File - Carbon Black Response +starttaskid: "0" +tags: +- SOC +- SOC_Framework +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "8" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 5e4385e3-76c2-48e2-80a4-c3798cdae027 + iscommand: false + name: "" + playbooktaskmissingcomponent: + version: -1 + taskid: 5e4385e3-76c2-48e2-80a4-c3798cdae027 + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 450, + "y": -340 + } + } + "2": + continueonerror: true + continueonerrortype: errorPath + id: "2" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "12" + '#none#': + - "9" + note: false + quietmode: 0 + scriptarguments: + md5: + complex: + root: inputs.MD5 + text: + complex: + root: inputs.Text + separatecontext: false + skipunavailable: false + task: + brand: VMware Carbon Black EDR v2 + description: Prevent execution of a specified md5 hash + id: 3abbd606-e6ac-41a4-a783-d0a76e14f3ff + iscommand: true + name: Get a list of blacklisted hashes + playbooktaskmissingcomponent: + script: VMware Carbon Black EDR v2|||cb-edr-binary-ban + type: regular + version: -1 + taskid: 3abbd606-e6ac-41a4-a783-d0a76e14f3ff + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1130, + "y": 150 + } + } + "6": + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: brand + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: modules.brand + operator: isEqualString + right: + value: + simple: VMware Carbon Black EDR v2 + - - ignorecase: true + left: + iscontext: true + value: + simple: modules.state + operator: isEqualString + right: + value: + simple: active + root: modules + operator: isExists + right: + value: {} + label: "yes" + continueonerrortype: "" + id: "6" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "9" + "yes": + - "2" + - "10" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks if Carbon Black Enterprise Response integration is enabled. + id: 83cd8bdb-894a-436d-87df-45889e52da88 + iscommand: false + name: Is Carbon Black Enterprise Response enabled? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 83cd8bdb-894a-436d-87df-45889e52da88 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 710, + "y": -30 + } + } + "8": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.MD5 + operator: isExists + label: "yes" + continueonerrortype: "" + id: "8" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "9" + "yes": + - "6" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks if there is a value for the MD5 input field. This task does + not verify that the value is actually an MD5 hash, just that the value for + the MD5 field exists. + id: ff0935b7-054b-4729-82a3-5588d553d9d0 + iscommand: false + name: Is there an MD5 to block? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: ff0935b7-054b-4729-82a3-5588d553d9d0 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 450, + "y": -200 + } + } + "9": + continueonerrortype: "" + id: "9" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 2c14bf01-7fd9-45f8-8554-86d0c1332d81 + iscommand: false + name: Done + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 2c14bf01-7fd9-45f8-8554-86d0c1332d81 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 450, + "y": 350 + } + } + "10": + continueonerror: true + continueonerrortype: "" + id: "10" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + Full Run: + - "2" + Shadow Mode: + - "11" + note: false + quietmode: 0 + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 7b5460df-d1b3-43a2-92b0-347c5ac4e68a + iscommand: false + name: Run Mode? + playbooktaskmissingcomponent: + script: 'ShadowModeRouter_V3' + type: condition + version: -1 + taskid: 7b5460df-d1b3-43a2-92b0-347c5ac4e68a + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 1320, + "y": -70 + } + } + "11": + continueonerror: true + continueonerrortype: errorPath + id: "11" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "12" + '#none#': + - "9" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow Mode: Carbon Black Ban Hash + Command: cb-edr-binary-ban ${inputs.MD5} + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: e24e3cc8-5a36-4dc1-b7d9-3f227d38e6fd + iscommand: false + name: 'Shadow: Carbon Black Ban MD5 Hash' + playbooktaskmissingcomponent: + script: Print + type: regular + version: -1 + taskid: e24e3cc8-5a36-4dc1-b7d9-3f227d38e6fd + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1570, + "y": 150 + } + } + "12": + continueonerrortype: "" + id: "12" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: 0887c687-1ca0-4651-8e75-c22495572248 + iscommand: false + name: Foundation - Foundation - Error Handling_V3 + playbookId: Foundation - Foundation - Error Handling_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: 0887c687-1ca0-4651-8e75-c22495572248 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 1570, + "y": 345 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": { + "6_9_#default#": 0.19, + "8_9_#default#": 0.16 + }, + "paper": { + "dimensions": { + "height": 755, + "width": 1500, + "x": 450, + "y": -340 + } + } + } +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_File_-_Cybereason.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_File_-_Cybereason.yml new file mode 100644 index 0000000..33f0b52 --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_File_-_Cybereason.yml @@ -0,0 +1,399 @@ +adopted: true +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 5.0.0 + isoverridable: false + itemVersion: 2.1.24 + packID: "" + packName: Cybereason + prevname: "" + supportedModules: [] + toServerVersion: "" +description: This playbook accepts an MD5 hash and blocks the file using the Cybereason + integration. +dirtyInputs: true +id: 'SOC Block File - Cybereason_V3' +inputSections: +- description: Generic group for inputs + inputs: + - MD5 + - ShadowMode + name: General (Inputs group) +inputs: +- description: The MD5 hash of the file to block. + key: MD5 + playbookInputQuery: + required: false + value: + complex: + accessor: MD5 + filters: + - - left: + iscontext: true + value: + simple: File.Malicious + operator: isExists + root: File + transformers: + - operator: uniq +- description: "" + key: ShadowMode + playbookInputQuery: + required: false + value: + simple: "true" +name: SOC Block File - Cybereason_V3 +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: + - CbResponse.BlockedHashes.LastBlock.Time + - CbResponse.BlockedHashes.LastBlock.Hostname + - CbResponse.BlockedHashes.LastBlock.CbSensorID +outputs: +- contextPath: CbResponse.BlockedHashes.LastBlock.Time + description: Last block time. +- contextPath: CbResponse.BlockedHashes.LastBlock.Hostname + description: Last block hostname. +- contextPath: CbResponse.BlockedHashes.LastBlock.CbSensorID + description: Last block sensor ID. +sourceplaybookid: Block File - Cybereason +starttaskid: "0" +tags: +- SOC +- SOC_Framework +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "6" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 5e4385e3-76c2-48e2-80a4-c3798cdae027 + iscommand: false + name: "" + playbooktaskmissingcomponent: + version: -1 + taskid: 5e4385e3-76c2-48e2-80a4-c3798cdae027 + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 265, + "y": 50 + } + } + "6": + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: brand + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: modules.brand + operator: isEqualString + right: + value: + simple: Cybereason + - - ignorecase: true + left: + iscontext: true + value: + simple: modules.state + operator: isEqualString + right: + value: + simple: active + root: modules + operator: isExists + label: "yes" + continueonerrortype: "" + id: "6" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "9" + "yes": + - "8" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks if Cybereason is enabled. + id: 9cf85355-9028-4a01-8304-3a371020c9b3 + iscommand: false + name: Is Cybereason integration enabled? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 9cf85355-9028-4a01-8304-3a371020c9b3 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 265, + "y": 200 + } + } + "8": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.MD5 + operator: isNotEmpty + label: "yes" + continueonerrortype: "" + id: "8" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "9" + "yes": + - "11" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks if there is a value for the MD5 input field. This task does + not verify that the value is actually an MD5 hash, just that a value exists + in the MD5 field. + id: 0f02e921-eb9a-47bd-8d9c-93759602036f + iscommand: false + name: Is there an MD5 to block? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 0f02e921-eb9a-47bd-8d9c-93759602036f + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 520, + "y": 370 + } + } + "9": + continueonerrortype: "" + id: "9" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 2c14bf01-7fd9-45f8-8554-86d0c1332d81 + iscommand: false + name: Done + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 2c14bf01-7fd9-45f8-8554-86d0c1332d81 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 260, + "y": 910 + } + } + "10": + continueonerror: true + continueonerrortype: errorPath + id: "10" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "12" + '#none#': + - "9" + note: false + quietmode: 0 + scriptarguments: + md5: + complex: + root: inputs.MD5 + separatecontext: false + skipunavailable: false + task: + brand: Cybereason + description: Prevent malop process file + id: 964932d8-a418-488c-ae60-225aec4a50b5 + iscommand: true + name: Cybereason Prevent File + playbooktaskmissingcomponent: + script: Cybereason|||cybereason-prevent-file + type: regular + version: -1 + taskid: 964932d8-a418-488c-ae60-225aec4a50b5 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 830, + "y": 640 + } + } + "11": + continueonerror: true + continueonerrortype: "" + id: "11" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + Full Run: + - "10" + Shadow Mode: + - "13" + note: false + quietmode: 0 + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 0333bc63-330a-401b-9ebd-574a974b916f + iscommand: false + name: Run Mode? + playbooktaskmissingcomponent: + script: 'ShadowModeRouter_V3' + type: condition + version: -1 + taskid: 0333bc63-330a-401b-9ebd-574a974b916f + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 1230, + "y": 410 + } + } + "12": + continueonerrortype: "" + id: "12" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: 4444bcde-43c6-4b09-8741-f6ab024cc3f1 + iscommand: false + name: Foundation - Foundation - Error Handling_V3 + playbookId: Foundation - Foundation - Error Handling_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: 4444bcde-43c6-4b09-8741-f6ab024cc3f1 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 1230, + "y": 890 + } + } + "13": + continueonerror: true + continueonerrortype: errorPath + id: "13" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "12" + '#none#': + - "9" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow Mode: Cybereason Ban File + Command: cybereason-prevent-file ${inputs.MD5} + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: 02ffb955-84eb-4ab1-b9f7-a919795491c8 + iscommand: false + name: 'Shadow: Cybereason Ban File' + playbooktaskmissingcomponent: + script: Print + type: regular + version: -1 + taskid: 02ffb955-84eb-4ab1-b9f7-a919795491c8 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1580, + "y": 640 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": { + "6_8_yes": 0.55, + "6_9_#default#": 0.65, + "8_9_#default#": 0.35 + }, + "paper": { + "dimensions": { + "height": 920, + "width": 1700, + "x": 260, + "y": 50 + } + } + } +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_File_-_Cylance_Protect_v2.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_File_-_Cylance_Protect_v2.yml new file mode 100644 index 0000000..3cb1aa9 --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_File_-_Cylance_Protect_v2.yml @@ -0,0 +1,407 @@ +adopted: true +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 5.0.0 + isoverridable: false + itemVersion: 1.1.41 + packID: "" + packName: Cylance Protect + prevname: "" + supportedModules: [] + toServerVersion: "" +description: This playbook accepts a SHA256 hash and adds the hash to the Global Quarantine + list using the Cylance Protect v2 integration. +dirtyInputs: true +id: 'SOC Block File - Cylance Protect v2_V3' +inputSections: +- description: Generic group for inputs + inputs: + - SHA256 + - ListType + - ShadowMode + name: General (Inputs group) +inputs: +- description: The SHA256 hash of the file to block. + key: SHA256 + playbookInputQuery: + required: false + value: + complex: + accessor: SHA256 + filters: + - - left: + iscontext: true + value: + simple: File.Malicious + operator: isExists + root: File + transformers: + - operator: uniq +- description: The list type to which the threat belongs. Can be "GlobalQuarantine" + or "GlobalSafe". + key: ListType + playbookInputQuery: + required: false + value: + simple: GlobalQuarantine +- description: "" + key: ShadowMode + playbookInputQuery: + required: false + value: + simple: "true" +name: SOC Block File - Cylance Protect v2_V3 +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: + - CbResponse.BlockedHashes.LastBlock.Time + - CbResponse.BlockedHashes.LastBlock.Hostname + - CbResponse.BlockedHashes.LastBlock.CbSensorID +outputs: +- contextPath: CbResponse.BlockedHashes.LastBlock.Time + description: Last block time +- contextPath: CbResponse.BlockedHashes.LastBlock.Hostname + description: Last block hostname +- contextPath: CbResponse.BlockedHashes.LastBlock.CbSensorID + description: Last block sensor ID +sourceplaybookid: Block File - Cylance Protect v2 +starttaskid: "0" +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "6" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 5e4385e3-76c2-48e2-80a4-c3798cdae027 + iscommand: false + name: "" + playbooktaskmissingcomponent: + version: -1 + taskid: 5e4385e3-76c2-48e2-80a4-c3798cdae027 + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 265, + "y": 50 + } + } + "6": + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: brand + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: modules.brand + operator: isEqualString + right: + value: + simple: Cylance Protect v2 + - - ignorecase: true + left: + iscontext: true + value: + simple: modules.state + operator: isEqualString + right: + value: + simple: active + root: modules + operator: isExists + label: "yes" + continueonerrortype: "" + id: "6" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "9" + "yes": + - "8" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks if Cylance Protect is enabled. + id: df41aaaa-8055-4c59-8e9e-a167a7ef7819 + iscommand: false + name: Is Cylance Protect v2 enabled? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: df41aaaa-8055-4c59-8e9e-a167a7ef7819 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 265, + "y": 195 + } + } + "8": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.SHA256 + operator: isNotEmpty + label: "yes" + continueonerrortype: "" + id: "8" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "9" + "yes": + - "11" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks if there is a value for the SHA256 input field. This task + does not verify that the value is actually a SHA256 hash, just that the value + for the field exists. + id: 9b14005e-903d-4724-80ec-84e7c42a9e7b + iscommand: false + name: Is there a SHA256 to block? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 9b14005e-903d-4724-80ec-84e7c42a9e7b + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 510, + "y": 370 + } + } + "9": + continueonerrortype: "" + id: "9" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 2c14bf01-7fd9-45f8-8554-86d0c1332d81 + iscommand: false + name: Done + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 2c14bf01-7fd9-45f8-8554-86d0c1332d81 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 265, + "y": 965 + } + } + "10": + continueonerror: true + continueonerrortype: errorPath + id: "10" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "13" + '#none#': + - "9" + note: false + quietmode: 0 + scriptarguments: + listType: + complex: + root: inputs.ListType + sha256: + complex: + root: inputs.SHA256 + separatecontext: false + skipunavailable: false + task: + brand: Cylance Protect v2 + description: Adds a convicted threat for a particular tenant to either the Global + Quarantine list or the Global Safe list. + id: ca946416-a22f-437e-b82f-42d8dab60c32 + iscommand: true + name: Add hash to Global Quarantine list + playbooktaskmissingcomponent: + script: Cylance Protect v2|||cylance-protect-add-hash-to-list + type: regular + version: -1 + taskid: ca946416-a22f-437e-b82f-42d8dab60c32 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 750, + "y": 705 + } + } + "11": + continueonerror: true + continueonerrortype: "" + id: "11" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + Full Run: + - "10" + Shadow Mode: + - "12" + note: false + quietmode: 0 + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 434ac536-a75f-4d51-9397-ac26ee5d419f + iscommand: false + name: Run Mode? + playbooktaskmissingcomponent: + script: 'ShadowModeRouter_V3' + type: condition + version: -1 + taskid: 434ac536-a75f-4d51-9397-ac26ee5d419f + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 1070, + "y": 530 + } + } + "12": + continueonerror: true + continueonerrortype: errorPath + id: "12" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "13" + '#none#': + - "9" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow: Cylance Add Hash To Global Quarantine list + Command: cylance-protect-add-hash-to-list ${inputs.SHA256} + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: 9a7a7323-9af3-4955-aca8-c8fe59a63a15 + iscommand: false + name: 'Shadow: Cylance Add Hash to Global Quarantine list' + playbooktaskmissingcomponent: + script: Print + type: regular + version: -1 + taskid: 9a7a7323-9af3-4955-aca8-c8fe59a63a15 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1380, + "y": 700 + } + } + "13": + continueonerrortype: "" + id: "13" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: da48fb19-dd12-4fb0-8584-1a3fdfe3c6d9 + iscommand: false + name: Foundation - Foundation - Error Handling_V3 + playbookId: Foundation - Foundation - Error Handling_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: da48fb19-dd12-4fb0-8584-1a3fdfe3c6d9 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 1180, + "y": 960 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": { + "6_9_#default#": 0.64, + "8_9_#default#": 0.32 + }, + "paper": { + "dimensions": { + "height": 980, + "width": 1495, + "x": 265, + "y": 50 + } + } + } +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_File_-_Generic_v2.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_File_-_Generic_v2.yml new file mode 100644 index 0000000..11a9f6b --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_File_-_Generic_v2.yml @@ -0,0 +1,597 @@ +adopted: true +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 5.0.0 + isoverridable: false + itemVersion: 2.7.16 + packID: "" + packName: SOC Common Playbooks + prevname: "" + supportedModules: + - X1 + - X3 + - X5 + - ENT_PLUS + - agentix + toServerVersion: "" +description: "This playbook is used to block files from running on endpoints. \nThis + playbook supports the following integrations:\n- Palo Alto Networks Traps\n- Palo + Alto Networks Cortex XDR\n- Cybereason\n- Carbon Black Enterprise Response\n- Cylance + Protect v2\n- Crowdstrike Falcon\n- Microsoft Defender for Endpoint." +dirtyInputs: true +id: 'SOC Block File - Generic v2_V3' +inputSections: +- description: Generic group for inputs + inputs: + - MD5 + - SHA256 + - Hash + - ShadowMode + name: General (Inputs group) +inputs: +- description: The MD5 hash of the file you want to block. + key: MD5 + playbookInputQuery: + required: false + value: + complex: + accessor: MD5 + root: File +- description: The SHA256 hash of the file you want to block. + key: SHA256 + playbookInputQuery: + required: false + value: + complex: + accessor: SHA256 + root: File +- description: In this input you can insert either MD5 or SHA256 that you wish to + block. + key: Hash + playbookInputQuery: + required: false + value: {} +- description: "" + key: ShadowMode + playbookInputQuery: + required: false + value: + simple: "true" +name: SOC Block File - Generic v2_V3 +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: + - CbResponse.BlockedHashes.LastBlock.Time + - CbResponse.BlockedHashes.LastBlock.Hostname + - CbResponse.BlockedHashes.LastBlock.CbSensorID +outputs: +- contextPath: CbResponse.BlockedHashes.LastBlock.Time + description: Last block time. +- contextPath: CbResponse.BlockedHashes.LastBlock.Hostname + description: Last block hostname. +- contextPath: CbResponse.BlockedHashes.LastBlock.CbSensorID + description: Last block sensor ID. +sourceplaybookid: Block File - Generic v2 +starttaskid: "0" +tags: +- SOC +- SOC_Framework +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "9" + - "10" + - "11" + - "12" + - "17" + - "18" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 420a534c-a6e6-4cf5-8b86-ac7dd1a91441 + iscommand: false + name: "" + playbooktaskmissingcomponent: + version: -1 + taskid: 420a534c-a6e6-4cf5-8b86-ac7dd1a91441 + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 695, + "y": 50 + } + } + "3": + continueonerrortype: "" + id: "3" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: c8476a84-8d87-4ff2-8d6c-1dd1cccc503a + iscommand: false + name: Done + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: c8476a84-8d87-4ff2-8d6c-1dd1cccc503a + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 695, + "y": 515 + } + } + "9": + continueonerrortype: "" + id: "9" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "26" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 32d4b47a-e972-4e30-875b-b563130cc4ca + iscommand: false + name: Cybereason + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 32d4b47a-e972-4e30-875b-b563130cc4ca + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 480, + "y": 195 + } + } + "10": + continueonerrortype: "" + id: "10" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "25" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 0c07d0e1-59b1-436c-8e90-f2d0410df813 + iscommand: false + name: Carbon Black Enterprise Response + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 0c07d0e1-59b1-436c-8e90-f2d0410df813 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 50, + "y": 195 + } + } + "11": + continueonerrortype: "" + id: "11" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "27" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: dcc8e191-213c-4ffd-8bc7-a8e1bc8894d7 + iscommand: false + name: Cylance Protect v2 + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: dcc8e191-213c-4ffd-8bc7-a8e1bc8894d7 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 910, + "y": 195 + } + } + "12": + continueonerrortype: "" + id: "12" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "24" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: b42b03dd-99c1-4149-8c32-336d23b88cf0 + iscommand: false + name: Palo Alto Cortex XDR + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: b42b03dd-99c1-4149-8c32-336d23b88cf0 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 1340, + "y": 195 + } + } + "17": + continueonerrortype: "" + id: "17" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "22" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: b6a4a1eb-e837-400c-890a-aa72fdd866d2 + iscommand: false + name: CrowdStrike Falcon + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: b6a4a1eb-e837-400c-890a-aa72fdd866d2 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 1760, + "y": 195 + } + } + "18": + continueonerrortype: "" + id: "18" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "23" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: c463f54e-7a18-4dba-804f-acf83e449259 + iscommand: false + name: Microsoft Defender For Endpoint + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: c463f54e-7a18-4dba-804f-acf83e449259 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": -380, + "y": 195 + } + } + "22": + continueonerrortype: "" + id: "22" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - "3" + note: false + quietmode: 0 + scriptarguments: + Hash: + simple: ${inputs.Hash} + 'Severity ': + simple: medium + ShadowMode: + simple: "true" + separatecontext: true + skipunavailable: false + task: + brand: "" + description: "This playbook receives an MD5 or a SHA256 hash and adds it to + the block list in CrowdStrike Falcon. \nThe playbook uses the integration + \"CrowdStrike Falcon\"." + id: 93b14685-53e7-4a05-af58-99f2ddc4f9f7 + iscommand: false + name: SOC CrowdStrike Falcon - Block File_V3 + playbookId: SOC CrowdStrike Falcon - Block File_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: 93b14685-53e7-4a05-af58-99f2ddc4f9f7 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 1760, + "y": 330 + } + } + "23": + continueonerrortype: "" + id: "23" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - "3" + note: false + quietmode: 0 + scriptarguments: + GenerateAlert: + simple: "true" + Hash: + complex: + root: inputs.Hash + transformers: + - args: + item: + iscontext: true + value: + simple: inputs.MD5 + operator: append + - args: + item: + iscontext: true + value: + simple: inputs.SHA256 + operator: append + - args: + item: + iscontext: true + value: + simple: inputs.Hash + operator: append + - operator: uniq + IndicatorDescription: + simple: Added by Cortex + IndicatorTitle: + simple: Added by Cortex + ShadowMode: + simple: "True" + separatecontext: true + skipunavailable: false + task: + brand: "" + description: "This playbook receives an MD5 or a SHA256 hash and adds it to + the block list in Microsoft Defender for Endpoint. \nThe playbook uses the + integration \"Microsoft Defender for Endpoint\"." + id: c0151a75-e757-43d0-97d0-22407c890dc0 + iscommand: false + name: SOC MDE - Block File_V3 + playbookId: SOC MDE - Block File_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: c0151a75-e757-43d0-97d0-22407c890dc0 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": -380, + "y": 340 + } + } + "24": + continueonerrortype: "" + id: "24" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "3" + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + description: Use this playbook to add files to Cortex XDR block list with a + given file SHA256 playbook input. + id: 8552e4a4-8d86-47e5-8b7c-ee877eaf15d6 + iscommand: false + name: SOC Cortex XDR - Block File_V3 + playbookId: SOC Cortex XDR - Block File_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: 8552e4a4-8d86-47e5-8b7c-ee877eaf15d6 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 1340, + "y": 340 + } + } + "25": + continueonerrortype: "" + id: "25" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "3" + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + description: |- + This playbook receives an MD5 hash and adds it to the block list in Carbon Black Enterprise Response. Files with that MD5 hash are blocked from execution on the managed endpoints. If the hash is already on the block list, no action is taken on the MD5. + + The playbook uses the integration ''VMware Carbon Black EDR v2". + id: ac3fa437-e615-4506-88ec-3b6afab83a58 + iscommand: false + name: SOC Block File - Carbon Black Response_V3 + playbookId: SOC Block File - Carbon Black Response_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: ac3fa437-e615-4506-88ec-3b6afab83a58 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 50, + "y": 330 + } + } + "26": + continueonerrortype: "" + id: "26" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "3" + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: 9c62ac19-3023-44af-8955-b5e2c3ea3b32 + iscommand: false + name: SOC Block File - Cybereason_V3 + playbookId: SOC Block File - Cybereason_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: 9c62ac19-3023-44af-8955-b5e2c3ea3b32 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 480, + "y": 330 + } + } + "27": + continueonerrortype: "" + id: "27" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "3" + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: c7b6c19f-c4f2-4dfd-831c-2e4fd501069b + iscommand: false + name: SOC Block File - Cylance Protect v2_V3 + playbookId: SOC Block File - Cylance Protect v2_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: c7b6c19f-c4f2-4dfd-831c-2e4fd501069b + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 910, + "y": 330 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": {}, + "paper": { + "dimensions": { + "height": 525, + "width": 2520, + "x": -380, + "y": 50 + } + } + } +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_IP_-_Generic_v2.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_IP_-_Generic_v2.yml new file mode 100644 index 0000000..2c8ee91 --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_IP_-_Generic_v2.yml @@ -0,0 +1,1223 @@ +adopted: true +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 5.0.0 + isoverridable: false + itemVersion: 2.7.15 + packID: "" + packName: Common Playbooks + prevname: "" + supportedModules: + - X1 + - X3 + - X5 + - ENT_PLUS + - agentix + toServerVersion: "" +description: "Deprecated. Use the `Block IP - Generic v3` playbook instead. \nThis + playbook blocks malicious IPs using all integrations that are enabled.\n\nSupported + integrations for this playbook:\n* Check Point Firewall\n* Palo Alto Networks Minemeld\n + * Palo Alto Networks PAN-OS\n* Zscaler\n* FortiGate" +dirtyInputs: true +id: 'SOC Block IP - Generic v2_V3' +inputSections: +- description: Generic group for inputs + inputs: + - IPBlacklistMiner + - IP + - CustomBlockRule + - LogForwarding + - AutoCommit + - StaticAddressGroup + - IPListName + - EDLServerIP + - DAG + - ShadowMode + name: General (Inputs group) +inputs: +- description: The name of the IP block list Miner in Minemeld. + key: IPBlacklistMiner + playbookInputQuery: + required: false + value: {} +- description: Array of malicious IPs to block. + key: IP + playbookInputQuery: + required: false + value: {} +- description: |- + This input determines whether Palo Alto Networks Panorama or Firewall Custom Block Rules are used. + Specify True to use Custom Block Rules. + key: CustomBlockRule + playbookInputQuery: + required: false + value: + simple: "True" +- description: Panorama log forwarding object name. + key: LogForwarding + playbookInputQuery: + required: false + value: {} +- description: |- + This input determines whether to commit the configuration automatically. + Yes - Commit automatically. + No - Commit manually. + key: AutoCommit + playbookInputQuery: + required: false + value: + simple: "No" +- description: |- + This input determines whether Palo Alto Networks Panorama or Firewall Static Address Groups are used. + Specify the Static Address Group name for IP handling. + key: StaticAddressGroup + playbookInputQuery: + required: false + value: {} +- description: |- + This input determines whether Palo Alto Networks Panorama or Firewall External Dynamic Lists are used for blocking IPs. + Specify the EDL name for IP handling. + key: IPListName + playbookInputQuery: + required: false + value: {} +- description: |- + This input determines whether Palo Alto Networks Panorama or Firewall External Dynamic Lists are used: + * The IP address of the web server on which the files are stored. + * The web server IP address is configured in the integration instance. + key: EDLServerIP + playbookInputQuery: + required: false + value: {} +- description: |- + This input determines whether Palo Alto Networks Panorama or Firewall Dynamic Address Groups are used. + Specify the Dynamic Address Group tag name for IP handling. + key: DAG + playbookInputQuery: + required: false + value: {} +- description: "" + key: ShadowMode + playbookInputQuery: + required: false + value: + simple: "true" +name: SOC Block IP - Generic v2_V3 +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: + - CheckpointFWRule.Destination + - CheckpointFWRule.DestinationNegate + - PanoramaRule.Direction + - PanoramaRule.IP + - CheckpointFWRule.Name + - PanoramaRule.Name + - CheckpointFWRule.UID + - PanoramaRule + - CheckpointFWRule.Type + - CheckpointFWRule.Action + - CheckpointFWRule.ActionSetting + - CheckpointFWRule.CustomFields + - CheckpointFWRule.Data + - CheckpointFWRule.DataDirection + - CheckpointFWRule.DataNegate + - CheckpointFWRule.Domain + - CheckpointFWRule.Enabled + - CheckpointFWRule.Hits + - CheckpointFWRule.Data.Name + - CheckpointFWRule.Data.Domain + - CheckpointFWRule.Domain.Name + - CheckpointFWRule.Domain.UID + - CheckpointFWRule.Domain.Type + - CheckpointFWRule.Hits.FirstDate + - CheckpointFWRule.Hits.LastDate + - CheckpointFWRule.Hits.Level + - CheckpointFWRule.Hits.Percentage + - CheckpointFWRule.Hits.Value +outputs: +- contextPath: CheckpointFWRule.Destination + description: Rule Destination. +- contextPath: CheckpointFWRule.DestinationNegate + description: Rule destination negate status (True/False). +- contextPath: PanoramaRule.Direction + description: Direction of the Panorama rule. Can be 'to','from', 'both' + type: string +- contextPath: PanoramaRule.IP + description: The IP the Panorama rule blocks + type: string +- contextPath: CheckpointFWRule.Name + description: Rule name. +- contextPath: PanoramaRule.Name + description: Name of the Panorama rule + type: string +- contextPath: CheckpointFWRule.UID + description: Rule UID. +- contextPath: PanoramaRule + description: List of Panorama rules +- contextPath: CheckpointFWRule.Type + description: Rule Type. +- contextPath: CheckpointFWRule.Action + description: 'Rule action (Valid values are: Accept, Drop, Apply Layer, Ask, Info).' +- contextPath: CheckpointFWRule.ActionSetting + description: Rule action settings. +- contextPath: CheckpointFWRule.CustomFields + description: Rule custom fields. +- contextPath: CheckpointFWRule.Data + description: Rule data. +- contextPath: CheckpointFWRule.DataDirection + description: Rule data direction. +- contextPath: CheckpointFWRule.DataNegate + description: Rule data negate status (True/False). +- contextPath: CheckpointFWRule.Domain + description: Rule domain. +- contextPath: CheckpointFWRule.Enabled + description: Rule status. +- contextPath: CheckpointFWRule.Hits + description: Rule hits count. +- contextPath: CheckpointFWRule.Data.Name + description: Rule data object name. +- contextPath: CheckpointFWRule.Data.Domain + description: Information about the domain the data object belongs to. +- contextPath: CheckpointFWRule.Domain.Name + description: Rule domain name. +- contextPath: CheckpointFWRule.Domain.UID + description: Rule domain UID. +- contextPath: CheckpointFWRule.Domain.Type + description: Rule domain type. +- contextPath: CheckpointFWRule.Hits.FirstDate + description: The date of the first hit for the rule. +- contextPath: CheckpointFWRule.Hits.LastDate + description: The date of the last hit for the rule. +- contextPath: CheckpointFWRule.Hits.Level + description: Level of rule hits. +- contextPath: CheckpointFWRule.Hits.Percentage + description: Percentage of rule hits. +- contextPath: CheckpointFWRule.Hits.Value + description: Value of rule hits. +sourceplaybookid: Block IP - Generic v2 +starttaskid: "0" +tags: +- SOC +- SOC_Framework +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "8" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 650804b8-1cd4-4c33-8d83-8f72c789f860 + iscommand: false + name: "" + playbooktaskmissingcomponent: + version: -1 + taskid: 650804b8-1cd4-4c33-8d83-8f72c789f860 + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 500, + "y": 10 + } + } + "2": + continueonerrortype: "" + id: "2" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: cbdf2261-0bd1-4856-86f8-c5082a16f3ee + iscommand: false + name: Done + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: cbdf2261-0bd1-4856-86f8-c5082a16f3ee + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 510, + "y": 1300 + } + } + "5": + continueonerrortype: "" + id: "5" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "17" + - "18" + - "20" + - "26" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 47c2b776-5038-453b-8115-48141dbad596 + iscommand: false + name: Block IPs + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 47c2b776-5038-453b-8115-48141dbad596 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 500, + "y": 370 + } + } + "6": + continueonerror: true + continueonerrortype: errorPath + id: "6" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "29" + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + direction: + simple: both + ip: + complex: + root: inputs.IP + ipname: + simple: IP-${inputs.IP} + rulename: + simple: Block-${inputs.IP} + separatecontext: false + skipunavailable: false + task: + brand: Check Point + description: Block the IPs using Check Point Firewall + id: 02cce821-5459-460c-be12-786ae1105409 + iscommand: true + name: Block IP with Check Point Firewall + playbooktaskmissingcomponent: + script: Check Point|||checkpoint-block-ip + type: regular + version: -1 + taskid: 02cce821-5459-460c-be12-786ae1105409 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 750, + "y": 970 + } + } + "7": + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: brand + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: modules.brand + operator: isEqualString + right: + value: + simple: Check Point + - - ignorecase: true + left: + iscontext: true + value: + simple: modules.state + operator: isEqualString + right: + value: + simple: Active + root: modules + operator: isExists + label: "yes" + continueonerrortype: "" + id: "7" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "2" + "yes": + - "34" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Verify that there is a valid instance of Check Point Firewall enabled. + id: f74fb6b5-f7c9-42ed-808a-d227355f1e9d + iscommand: false + name: Is Check Point Firewall enabled? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: f74fb6b5-f7c9-42ed-808a-d227355f1e9d + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 960, + "y": 650 + } + } + "8": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.IP + operator: isExists + label: "yes" + continueonerrortype: "" + id: "8" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "2" + "yes": + - "5" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Verify that the playbook input includes at least one IP to block. + id: 39db44de-9bb1-460e-8b42-023c12aa4778 + iscommand: false + name: Is there an IP to block? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 39db44de-9bb1-460e-8b42-023c12aa4778 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 500, + "y": 155 + } + } + "12": + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: brand + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: modules.brand + operator: isEqualString + right: + value: + simple: Zscaler + - - ignorecase: true + left: + iscontext: true + value: + simple: modules.state + operator: isEqualString + right: + value: + simple: active + root: modules + operator: isExists + label: "yes" + continueonerrortype: "" + id: "12" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "2" + "yes": + - "32" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Verify that there is a valid instance of Zscaler enabled. + id: e8c51174-7d85-4248-86b4-6d14eba20ca6 + iscommand: false + name: Is Zscaler enabled? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: e8c51174-7d85-4248-86b4-6d14eba20ca6 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 1780, + "y": 650 + } + } + "13": + continueonerror: true + continueonerrortype: errorPath + id: "13" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "29" + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + ip: + complex: + root: inputs.IP + separatecontext: false + skipunavailable: false + task: + brand: Zscaler + description: Block the IPs using Zscaler. + id: cb843505-bd86-4159-8f3a-0cdd97770c2c + iscommand: true + name: Block IP with Zscaler + playbooktaskmissingcomponent: + script: Zscaler|||zscaler-blacklist-ip + type: regular + version: -1 + taskid: cb843505-bd86-4159-8f3a-0cdd97770c2c + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1570, + "y": 970 + } + } + "16": + continueonerrortype: "" + id: "16" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" + iscommand: false + max: 0 + wait: 1 + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + separatecontext: true + skipunavailable: true + task: + brand: "" + id: 9620e528-42f8-4c0d-8706-b46a73d188be + iscommand: false + name: PAN-OS - Block IP and URL - External Dynamic List + playbookId: PAN-OS - Block IP and URL - External Dynamic List + playbookName: PAN-OS - Block IP and URL - External Dynamic List + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: 9620e528-42f8-4c0d-8706-b46a73d188be + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 60, + "y": 890 + } + } + "17": + continueonerrortype: "" + id: "17" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "24" + - "25" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 9d73fbe9-6b72-4cd3-8a23-235fb61bc197 + iscommand: false + name: PAN-OS + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 9d73fbe9-6b72-4cd3-8a23-235fb61bc197 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": -80, + "y": 515 + } + } + "18": + continueonerrortype: "" + id: "18" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "7" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: fa041b26-6524-4e1f-8aeb-6d6e77e75c5c + iscommand: false + name: CheckPoint FW + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: fa041b26-6524-4e1f-8aeb-6d6e77e75c5c + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 960, + "y": 515 + } + } + "20": + continueonerrortype: "" + id: "20" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "12" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: ffef1804-3251-47ce-83d5-f398b82b8fa6 + iscommand: false + name: Zscaler + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: ffef1804-3251-47ce-83d5-f398b82b8fa6 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 1780, + "y": 515 + } + } + "21": + continueonerrortype: "" + id: "21" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" + iscommand: false + max: 0 + wait: 1 + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + separatecontext: true + skipunavailable: true + task: + brand: "" + id: 6c3dfdb9-9ac3-4a32-831b-67fc7bec6fd1 + iscommand: false + name: PAN-OS DAG Configuration + playbookId: PAN-OS DAG Configuration + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: 6c3dfdb9-9ac3-4a32-831b-67fc7bec6fd1 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": -380, + "y": 890 + } + } + "24": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.IPListName + operator: isNotEmpty + - - left: + iscontext: true + value: + complex: + root: inputs.EDLServerIP + operator: isNotEmpty + label: "yes" + continueonerrortype: "" + id: "24" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "2" + "yes": + - "16" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Verify if there is an EDL Server IP as a playbook input. + id: 156aee26-31e3-4cba-8846-767ee8a2dc6a + iscommand: false + name: Use External Dynamic List? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 156aee26-31e3-4cba-8846-767ee8a2dc6a + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 40, + "y": 650 + } + } + "25": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.DAG + operator: isNotEmpty + label: "yes" + continueonerrortype: "" + id: "25" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "2" + "yes": + - "21" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Verify if there is a dynamic address group name set as a playbook + input. + id: 181b1519-8b3e-4296-8cb2-d0f91984b16b + iscommand: false + name: Use Dynamic Address Group? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 181b1519-8b3e-4296-8cb2-d0f91984b16b + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": -380, + "y": 650 + } + } + "26": + continueonerrortype: "" + id: "26" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "27" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 65dca814-c04b-40ff-8e32-766432ee9f13 + iscommand: false + name: Fortinet + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 65dca814-c04b-40ff-8e32-766432ee9f13 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 2590, + "y": 515 + } + } + "27": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: brand + filters: + - - left: + iscontext: true + value: + simple: modules.brand + operator: isEqualString + right: + value: + simple: FortiGate + - - left: + iscontext: true + value: + simple: modules.state + operator: isEqualString + right: + value: + simple: active + root: modules + operator: isExists + label: "yes" + continueonerrortype: "" + id: "27" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "2" + "yes": + - "30" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Verify that there is a valid instance of FortiGate enabled. + id: 5ec7ae21-1c50-4a72-8a86-daa39ac43f18 + iscommand: false + name: Is FortiGate enabled? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 5ec7ae21-1c50-4a72-8a86-daa39ac43f18 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 2590, + "y": 660 + } + } + "28": + continueonerror: true + continueonerrortype: errorPath + id: "28" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "29" + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + ip_address: + complex: + root: inputs.IP + separatecontext: false + skipunavailable: false + task: + brand: FortiGate + description: Adds IP addresses to the banned list. + id: ac009747-08fb-4e87-ab50-94df18beb0c7 + iscommand: true + name: 'FortiGate Ban IP ' + playbooktaskmissingcomponent: + script: FortiGate|||fortigate-ban-ip + type: regular + version: -1 + taskid: ac009747-08fb-4e87-ab50-94df18beb0c7 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 2400, + "y": 960 + } + } + "29": + continueonerrortype: "" + id: "29" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: fe0ffc2c-5608-4262-835c-9f324f6ecc0f + iscommand: false + name: Foundation - Foundation - Error Handling_V3 + playbookId: Foundation - Foundation - Error Handling_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: fe0ffc2c-5608-4262-835c-9f324f6ecc0f + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 1340, + "y": 1295 + } + } + "30": + continueonerrortype: "" + id: "30" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + Full Run: + - "28" + Shadow Mode: + - "31" + note: false + quietmode: 0 + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: false + skipunavailable: false + task: + brand: "" + id: deea2326-e463-4947-a6b3-2436c4f60e40 + iscommand: false + name: Run Mode? + playbooktaskmissingcomponent: + script: 'ShadowModeRouter_V3' + type: condition + version: -1 + taskid: deea2326-e463-4947-a6b3-2436c4f60e40 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 2590, + "y": 810 + } + } + "31": + continueonerrortype: "" + id: "31" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow: FortiGate Ban IP + Command: fortigate-ban-ip ${inputs.IP} + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: 3be3f200-a9c7-421b-8841-cfd614c727c5 + iscommand: false + name: 'Shadow: Fortigate Ban IP' + playbooktaskmissingcomponent: + script: Print + type: regular + version: -1 + taskid: 3be3f200-a9c7-421b-8841-cfd614c727c5 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 2790, + "y": 960 + } + } + "32": + continueonerrortype: "" + id: "32" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + Full Run: + - "13" + Shadow Mode: + - "33" + note: false + quietmode: 0 + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: false + skipunavailable: false + task: + brand: "" + id: aa139b78-ee9c-4e80-ba18-2fec67326878 + iscommand: false + name: Run Mode? + playbooktaskmissingcomponent: + script: 'ShadowModeRouter_V3' + type: condition + version: -1 + taskid: aa139b78-ee9c-4e80-ba18-2fec67326878 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 1780, + "y": 820 + } + } + "33": + continueonerrortype: "" + id: "33" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow: Zscaler Block IP + Command: zscaler-blacklist-ip ${inputs.IP} + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: e703caf6-6ff5-4e4f-956c-76db08b4ff62 + iscommand: false + name: 'Shadow: Zscaler Block IP' + playbooktaskmissingcomponent: + script: Print + type: regular + version: -1 + taskid: e703caf6-6ff5-4e4f-956c-76db08b4ff62 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1970, + "y": 970 + } + } + "34": + continueonerrortype: "" + id: "34" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + Full Run: + - "6" + Shadow Mode: + - "35" + note: false + quietmode: 0 + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: false + skipunavailable: false + task: + brand: "" + id: fa85af38-5950-4ff0-9590-21faf4c2caad + iscommand: false + name: Run Mode? + playbooktaskmissingcomponent: + script: 'ShadowModeRouter_V3' + type: condition + version: -1 + taskid: fa85af38-5950-4ff0-9590-21faf4c2caad + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 960, + "y": 810 + } + } + "35": + continueonerrortype: "" + id: "35" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow: Check Point Block IP + Command: checkpoint-block-ip ${inputs.IP} + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: 2aa70143-90c6-46ed-88b9-3e99a9c189b6 + iscommand: false + name: 'Shadow: Check Point Block IP' + playbooktaskmissingcomponent: + script: Print + type: regular + version: -1 + taskid: 2aa70143-90c6-46ed-88b9-3e99a9c189b6 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1150, + "y": 970 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": { + "12_2_#default#": 0.18, + "12_32_yes": 0.9, + "24_2_#default#": 0.1, + "25_2_#default#": 0.1, + "27_2_#default#": 0.16, + "7_2_#default#": 0.39, + "7_34_yes": 0.38, + "8_2_#default#": 0.48 + }, + "paper": { + "dimensions": { + "height": 1355, + "width": 3550, + "x": -380, + "y": 10 + } + } + } +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_IP_-_Generic_v3.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_IP_-_Generic_v3.yml new file mode 100644 index 0000000..13187a7 --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_IP_-_Generic_v3.yml @@ -0,0 +1,5060 @@ +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 6.0.0 + isoverridable: false + itemVersion: 1.0.0 + packID: "" + packName: SOC Common Playbooks + prevname: "" + toServerVersion: "" +description: "This playbook blocks malicious IP addresses using all integrations that + are enabled. The direction of the traffic that will be blocked is determined by + the XSOAR user (and set by default to outgoing)\nNote the following:\n- some of + those integrations require specific parameters to run, which are based on the playbook + inputs. Also, certain integrations use FW rules or appended network objects.\n- + Note that the appended network objects should be specified in blocking rules inside + the system later on. \n\n\nSupported integrations for this playbook [Network security + products such as FW/WAF/IPs/etc.]: \n\n* Check Point Firewall\n* Palo Alto Networks + PAN-OS\n* Zscaler\n* FortiGate\n* Aria Packet Intelligence\n* Cisco Firepower \n + * Cisco Secure Cloud Analytics\n* Cisco ASA\n* Akamai WAF\n* F5 SilverLine\n* ThreatX\n + * Signal Sciences WAF\n* Sophos Firewall." +dirtyInputs: true +id: 'SOC Block IP - Generic v3_V3' +inputSections: +- description: Generic group for inputs + inputs: + - IP + - CustomBlockRule + - LogForwarding + - AutoCommit + - StaticAddressGroup + - Tag + - DAG + - UserVerification + - InternalRange + - SiteName + - AkamaiNetworkListID + - InputEnrichment + - RuleName + - RuleDirection + - DAGName + - Folder + - ShadowMode + name: General (Inputs group) +inputs: +- description: 'An array of malicious IPs to block. Enter a comma-separated list of + IPs (i.e.: 1.1.1.1,2.2.2.2).' + key: IP + playbookInputQuery: + required: false + value: {} +- description: "This input determines whether Palo Alto Networks Panorama or Firewall + Custom Block Rules are used.\nSpecify \"True\" to create new Custom Block Rules + (2 FW rules inside the PAN-OS device). \nFor \"False\" - no rules will be created." + key: CustomBlockRule + playbookInputQuery: + required: false + value: + simple: "True" +- description: Panorama log forwarding object name. Indicate what type of Log Forwarding + setting will be specified in the PAN-OS custom rules. + key: LogForwarding + playbookInputQuery: + required: false + value: {} +- description: "This input determines whether to commit the configuration automatically + on PAN-OS devices and other FWs. \nYes - Commit automatically.\nNo - Commit manually." + key: AutoCommit + playbookInputQuery: + required: false + value: + simple: "No" +- description: |- + This input determines whether Palo Alto Networks Panorama or Firewall Static Address Groups are used. + Specify the Static Address Group name for IPs list handling. + key: StaticAddressGroup + playbookInputQuery: + required: false + value: {} +- description: Insert a tag name with which indicators will get tagged. This tag can + be used later in the External Dynamic Lists integration by using the tag for filtering + IPs in the indicator query. + key: Tag + playbookInputQuery: + required: false + value: {} +- description: |- + This input determines whether Palo Alto Networks Panorama or Firewall Dynamic Address Groups are used. + Determine the Dynamic Address Group tag for IPs list handling. + key: DAG + playbookInputQuery: + required: false + value: {} +- description: "Possible values: True/False. Default: True.\nWhether to provide user + verification for blocking those IPs. \n\nFalse - No prompt will be displayed to + the user.\nTrue - The server will ask the user for blocking verification and will + display the blocking list." + key: UserVerification + playbookInputQuery: + required: false + value: + simple: "True" +- description: 'A list of internal IP ranges to check IP addresses against. The comma-separated + list should be provided in CIDR notation. For example, a list of ranges would + be: "172.16.0.0/12,10.0.0.0/8,192.168.0.0/16" (without quotes).' + key: InternalRange + playbookInputQuery: + required: false + value: + complex: + accessor: PrivateIPs + root: lists + transformers: + - args: + error_if_no_match: {} + ignore_case: {} + multi_line: {} + period_matches_newline: {} + regex: + value: + simple: (\b(?:\d{1,3}\.){3}\d{1,3}\b/\d{1,2}) + unpack_matches: {} + operator: RegexExtractAll + - args: + separator: + value: + simple: ',' + operator: join +- description: Signal Sciences WAF - Enter the site name for the integration to be + applied. The site name can be found in your instance console. + key: SiteName + playbookInputQuery: + required: false + value: {} +- description: Akamai's WAF network list ID, which is mandatory to be mentioned for + the integration. The chosen IPs will be added to this ID. + key: AkamaiNetworkListID + playbookInputQuery: + required: false + value: {} +- description: |- + Possible values: True/False . Default: False + Enrich the input IP address/es with reputation commands. + key: InputEnrichment + playbookInputQuery: + required: false + value: + simple: "False" +- description: |- + The rule name/description that will be presented on the created rule in certain integrations (if there is a need). + The supported integrations: PAN-OS, CheckPoint. + + Default input- "XSOAR - Block IP playbook - ${incident.id}" + key: RuleName + playbookInputQuery: + required: false + value: + simple: XSOAR - Block IP playbook - ${alert.id} +- description: |- + Determine if a newly created rule should be with the network direction of outbound or inbound blocked traffic. + Possible values: inbound or outbound + Default: outbound + key: RuleDirection + playbookInputQuery: + required: false + value: + simple: outbound +- description: |- + This input determines whether Palo Alto Networks Panorama or Firewall Dynamic Address Groups are used. + Determine the Dynamic Address Group name for IPs list handling. + key: DAGName + playbookInputQuery: + required: false + value: {} +- description: |- + For prisma SASE usage - Specify the scope for a newly created security rule to be applied. + Remember, this input will only be used when there is no input to the CategoryName. + Default: Shared + key: Folder + playbookInputQuery: + required: false + value: + simple: Shared +- description: Shadow Mode is a key safety mechanism. It ensures actions like isolate_endpoint + or disable_user are logged but not executed in test scenarios. + key: ShadowMode + playbookInputQuery: + required: false + value: + simple: "true" +name: SOC Block IP - Generic v3_V3 +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: + - Aria.BlockDestSubnet.Rule + - Aria.BlockDestSubnet.Status + - Stealthwatch.IP.id + - Stealthwatch.IP.identifier + - CiscoASA.Rules.ID + - CiscoASA.Rules.Source + - CiscoASA.Rules.Dest + - CiscoASA.Rules.IsActive + - SigSciences.Corp.Site.Blacklist.ID + - SigSciences.Corp.Site.Blacklist.Source + - SigSciences.Corp.Site.Blacklist.CreatedBy + - PrismaSase + - PrismaSase.AddressGroup + - PrismaSase.SecurityRule + - PrismaSase.SecurityRule.profile_setting + - PrismaSase.CandidateConfig + - PrismaSase.Address +outputs: +- contextPath: Aria.BlockDestSubnet.Rule + description: The rule name/ID which was created in the system for this playbook. + type: unknown +- contextPath: Aria.BlockDestSubnet.Status + description: The status of the command that created the rule above. + type: unknown +- contextPath: Stealthwatch.IP.id + description: The ID of the object created in Cisco Secure Cloud Analytics. + type: unknown +- contextPath: Stealthwatch.IP.identifier + description: The value of the object created in Cisco Secure Cloud Analytics. + type: unknown +- contextPath: CiscoASA.Rules.ID + description: The rule ID that was created in Cisco ASA for this playbook. + type: unknown +- contextPath: CiscoASA.Rules.Source + description: The rule's source object that was set in the associated rule. + type: unknown +- contextPath: CiscoASA.Rules.Dest + description: The rule's destination object that was set in the associated rule. + type: unknown +- contextPath: CiscoASA.Rules.IsActive + description: The rule's state that was set in the associated rule. + type: unknown +- contextPath: SigSciences.Corp.Site.Blacklist.ID + description: Signal Sciences created rule ID. + type: unknown +- contextPath: SigSciences.Corp.Site.Blacklist.Source + description: Signal Sciences blocked address in a dedicated rule. + type: unknown +- contextPath: SigSciences.Corp.Site.Blacklist.CreatedBy + description: Signal Sciences - the blocking rule's creator name. + type: unknown +- contextPath: PrismaSase + description: The root context key for Prisma SASE integration output. + type: unknown +- contextPath: PrismaSase.AddressGroup + description: The Prisma Access Address group object. + type: unknown +- contextPath: PrismaSase.SecurityRule + description: Created security rule. +- contextPath: PrismaSase.SecurityRule.profile_setting + description: The Security rule group object in the rule. + type: unknown +- contextPath: PrismaSase.CandidateConfig + description: Configuration job object. + type: unknown +- contextPath: PrismaSase.Address + description: Created address object. +sourceplaybookid: Block IP - Generic v3 +starttaskid: "0" +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "36" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: b7fe6f18-9640-4161-87bd-c1ac609bf72d + iscommand: false + name: "" + version: -1 + taskid: b7fe6f18-9640-4161-87bd-c1ac609bf72d + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 8569.75, + "y": 50 + } + } + "2": + continueonerrortype: "" + id: "2" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: eec033f1-46ff-4c08-886b-5622e622aa85 + iscommand: false + name: Done + type: title + version: -1 + taskid: eec033f1-46ff-4c08-886b-5622e622aa85 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 8629.25, + "y": 4250 + } + } + "5": + continueonerrortype: "" + id: "5" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "17" + - "18" + - "20" + - "26" + - "30" + - "55" + - "60" + - "64" + - "63" + - "67" + - "71" + - "79" + - "74" + - "104" + - "106" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 034d4a0b-ba68-4b79-80b6-def530a3ef4a + iscommand: false + name: Block IPs + type: title + version: -1 + taskid: 034d4a0b-ba68-4b79-80b6-def530a3ef4a + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 8919.75, + "y": 3250 + } + } + "7": + continueonerrortype: "" + id: "7" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "2" + "yes": + - "119" + note: false + quietmode: 0 + scriptarguments: + brandname: + simple: CheckPointFirewall_v2 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no' + id: 3bfa1467-a97a-40e5-8795-aa2f8cd34a56 + iscommand: false + name: Is Check Point Firewall enabled? + script: IsIntegrationAvailable + type: condition + version: -1 + taskid: 3bfa1467-a97a-40e5-8795-aa2f8cd34a56 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 3200.25, + "y": 3740 + } + } + "8": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: BlockList.Input + operator: isExists + - left: + iscontext: true + value: + simple: BlockList.Malicious + operator: isExists + - left: + iscontext: true + value: + simple: BlockList.Suspicious + operator: isExists + label: "yes" + continueonerrortype: "" + id: "8" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "96" + "yes": + - "43" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Verify that there is at least one IP to block. + id: a711453b-2850-4493-8a69-a51cdaba5962 + iscommand: false + name: Is there an IP to block? + type: condition + version: -1 + taskid: a711453b-2850-4493-8a69-a51cdaba5962 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 8810.25, + "y": 1730 + } + } + "12": + continueonerrortype: "" + id: "12" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "2" + "yes": + - "113" + note: false + quietmode: 0 + scriptarguments: + brandname: + simple: Zscaler + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no' + id: 6d71d465-7c2e-43d8-8367-04945ca4c3c3 + iscommand: false + name: Is Zscaler enabled? + script: IsIntegrationAvailable + type: condition + version: -1 + taskid: 6d71d465-7c2e-43d8-8367-04945ca4c3c3 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 4167, + "y": 3570 + } + } + "13": + continueonerror: true + continueonerrortype: errorPath + id: "13" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "109" + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + ip: + complex: + accessor: Final + root: BlockList + transformers: + - operator: uniq + - args: + separator: + value: + simple: ',' + operator: join + separatecontext: false + skipunavailable: true + task: + brand: Zscaler + description: Block the IPs using Zscaler. + id: 83edb5ce-4aad-481e-b798-89d7244a8e5f + iscommand: true + name: Block IP with Zscaler + script: Zscaler|||zscaler-blacklist-ip + type: regular + version: -1 + taskid: 83edb5ce-4aad-481e-b798-89d7244a8e5f + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 4167, + "y": 3910 + } + } + "17": + continueonerrortype: "" + id: "17" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "22" + - "23" + - "25" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 90146620-3c96-420d-8abb-c4e43df36c6c + iscommand: false + name: PAN-OS + type: title + version: -1 + taskid: 90146620-3c96-420d-8abb-c4e43df36c6c + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 1797.75, + "y": 3745 + } + } + "18": + continueonerrortype: "" + id: "18" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "7" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: bd4b2c1c-a1aa-4d90-87f0-2e11be406424 + iscommand: false + name: CheckPoint FW + type: title + version: -1 + taskid: bd4b2c1c-a1aa-4d90-87f0-2e11be406424 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 3200.25, + "y": 3575 + } + } + "20": + continueonerrortype: "" + id: "20" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "12" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: a7c00656-a5e1-4199-898d-adef07c33467 + iscommand: false + name: Zscaler + type: title + version: -1 + taskid: a7c00656-a5e1-4199-898d-adef07c33467 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 4167, + "y": 3410 + } + } + "22": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.CustomBlockRule + transformers: + - operator: toLowerCase + operator: isEqualString + right: + value: + simple: "true" + label: "yes" + continueonerrortype: "" + id: "22" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "2" + "yes": + - "111" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Verify if custom block rule playbook input is set to true. + id: 1cee05c9-29eb-4552-8833-d3670680620c + iscommand: false + name: Use Custom Block Rules? + type: condition + version: -1 + taskid: 1cee05c9-29eb-4552-8833-d3670680620c + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 1216.75, + "y": 3910 + } + } + "23": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.StaticAddressGroup + operator: isNotEmpty + label: "yes" + continueonerrortype: "" + id: "23" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "2" + "yes": + - "112" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Verify if there is a static address group name set as a playbook + input. + id: b141c107-3022-489f-8635-6907ad4240ee + iscommand: false + name: Use Static Address Group? + type: condition + version: -1 + taskid: b141c107-3022-489f-8635-6907ad4240ee + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 1797.75, + "y": 3910 + } + } + "24": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.Tag + operator: isNotEmpty + label: "yes" + continueonerrortype: "" + id: "24" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "2" + "yes": + - "139" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Verify if there is a tag to mark IPs for an EDL/EIS query. + id: 9eed4e5a-b732-4394-8264-05f071e51aeb + iscommand: false + name: Use External Dynamic List? + type: condition + version: -1 + taskid: 9eed4e5a-b732-4394-8264-05f071e51aeb + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 15456, + "y": 3570 + } + } + "25": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.DAG + operator: isNotEmpty + label: "yes" + continueonerrortype: "" + id: "25" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "2" + "yes": + - "110" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Verify if there is a dynamic address group name set as a playbook + input. + id: f9198f7e-933d-4c93-82c5-d516fdd9ef0c + iscommand: false + name: Use Dynamic Address Group? + type: condition + version: -1 + taskid: f9198f7e-933d-4c93-82c5-d516fdd9ef0c + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 2378.75, + "y": 3910 + } + } + "26": + continueonerrortype: "" + id: "26" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "27" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: db18a7c0-26ec-4316-8730-c19da3847291 + iscommand: false + name: Fortinet + type: title + version: -1 + taskid: db18a7c0-26ec-4316-8730-c19da3847291 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 5088.5, + "y": 3410 + } + } + "27": + continueonerrortype: "" + id: "27" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "2" + "yes": + - "115" + note: false + quietmode: 0 + scriptarguments: + brandname: + simple: FortiGate + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no' + id: 380e319e-a726-4445-84c7-b8c667f073d0 + iscommand: false + name: Is FortiGate enabled? + script: IsIntegrationAvailable + type: condition + version: -1 + taskid: 380e319e-a726-4445-84c7-b8c667f073d0 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 5088.5, + "y": 3570 + } + } + "28": + continueonerror: true + continueonerrortype: errorPath + id: "28" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "109" + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + ip_address: + complex: + accessor: Final + root: BlockList + transformers: + - operator: uniq + - args: + separator: + value: + simple: ',' + operator: join + separatecontext: false + skipunavailable: true + task: + brand: "" + description: Adds IP addresses to the banned list. + id: 1ddd5bb9-2c0d-4ee5-9172-456c8024f750 + iscommand: true + name: 'FortiGate Ban IP ' + script: '|||fortigate-ban-ip' + type: regular + version: -1 + taskid: 1ddd5bb9-2c0d-4ee5-9172-456c8024f750 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 5088.5, + "y": 3910 + } + } + "29": + continueonerrortype: "" + id: "29" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" + iscommand: false + max: 0 + wait: 1 + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + IP: + simple: ${BlockList.Final} + block_IP_error_handling: + simple: Stop + checkpoint_error_handling: + simple: Stop + install_policy: + complex: + root: inputs.AutoCommit + transformers: + - args: + condition: {} + else: + value: + simple: "False" + equals: + value: + simple: "Yes" + lhs: {} + options: {} + rhs: {} + then: + value: + simple: "True" + operator: If-Then-Else + policy_package: + simple: Standard + rule_layer: + simple: Network + rule_name: + simple: ${inputs.RuleName} + rule_position: + simple: top + separatecontext: true + skipunavailable: true + task: + brand: "" + description: |- + This playbook blocks IP addresses using Custom Block Rules in Checkpoint Firewall. + The playbook receives malicious IP addresses as inputs, creates a custom bi-directional rule to block them, and publishes the configuration. + id: e306cb07-b682-40af-8644-632cde5aa588 + iscommand: false + name: Checkpoint - Block IP - Custom Block Rule + playbookId: Checkpoint - Block IP - Custom Block Rule + type: playbook + version: -1 + taskid: e306cb07-b682-40af-8644-632cde5aa588 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 3105, + "y": 4080 + } + } + "30": + continueonerrortype: "" + id: "30" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "32" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 4a69e369-2577-45fb-83dd-75125547a4ab + iscommand: false + name: F5 Silverline + type: title + version: -1 + taskid: 4a69e369-2577-45fb-83dd-75125547a4ab + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 6010, + "y": 3410 + } + } + "31": + continueonerror: true + continueonerrortype: errorPath + id: "31" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "109" + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + cidr_range: + complex: + accessor: Final + root: BlockList + transformers: + - args: + separator: + value: + simple: ',' + operator: join + list_type: + simple: denylist + note: + simple: ${inputs.RuleName} + separatecontext: false + skipunavailable: true + task: + brand: F5Silverline + description: Adds a new particular threatening IP address object by its IP address. + id: 621bedb5-2240-4aad-8716-41dc2612c34b + iscommand: true + name: 'F5 Silverline - add IP to deny list ' + script: F5Silverline|||f5-silverline-ip-object-add + type: regular + version: -1 + taskid: 621bedb5-2240-4aad-8716-41dc2612c34b + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 6010, + "y": 3910 + } + } + "32": + continueonerrortype: "" + id: "32" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "2" + "yes": + - "117" + note: false + quietmode: 0 + scriptarguments: + brandname: + simple: F5Silverline + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no' + id: df579a8d-7184-4b88-8beb-352e000cd072 + iscommand: false + name: Is F5 Silverline enabled? + script: IsIntegrationAvailable + type: condition + version: -1 + taskid: df579a8d-7184-4b88-8beb-352e000cd072 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 6010, + "y": 3570 + } + } + "36": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: inputs.IP + operator: match + right: + value: + simple: + (\b25[0-5]|\b2[0-4][0-9]|\b[01]?[0-9][0-9]?)(\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3} + root: inputs.IP + operator: isExists + label: "yes" + continueonerrortype: "" + id: "36" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "8" + "yes": + - "80" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Check if there are any IPs mentioned in the inputs section. + id: ca84bd8d-a8f0-4627-8afe-61e0e70ff4d5 + iscommand: false + name: Are there IPs in Inputs? + type: condition + version: -1 + taskid: ca84bd8d-a8f0-4627-8afe-61e0e70ff4d5 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 8569.75, + "y": 210 + } + } + "41": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: Address + filters: + - - left: + iscontext: true + value: + simple: IP.Malicious + operator: isExists + root: IP + transformers: + - operator: uniq + operator: isExists + label: "yes" + continueonerrortype: "" + id: "41" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "8" + "yes": + - "42" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Check if there are any malicious IPs from the input IPs. + id: 1c174167-6aa9-48c5-8c77-7b6ddfa3527a + iscommand: false + name: Are there any Malicious IPs? + type: condition + version: -1 + taskid: 1c174167-6aa9-48c5-8c77-7b6ddfa3527a + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 50, + "y": 1390 + } + } + "42": + continueonerror: true + continueonerrortype: errorPath + id: "42" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "109" + '#none#': + - "8" + note: false + quietmode: 0 + scriptarguments: + append: + simple: "true" + key: + simple: BlockList.Malicious + value: + complex: + accessor: Address + filters: + - - left: + iscontext: true + value: + simple: IP.Malicious + operator: isExists + - - ignorecase: true + left: + iscontext: true + value: + simple: IP.Address + operator: inList + right: + iscontext: true + value: + simple: inputs.IP + root: IP + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Set a value in context under the key you entered. If no value is + entered, the script does nothing. + id: 281aec95-c3fb-462b-ac28-d93334f2508f + iscommand: false + name: Append Context List with IPs + script: SetAndHandleEmpty + type: regular + version: -1 + taskid: 281aec95-c3fb-462b-ac28-d93334f2508f + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 195.25, + "y": 1560 + } + } + "43": + continueonerrortype: "" + id: "43" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "44" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 0f39089b-9326-4a78-8de3-ec670ec8683d + iscommand: false + name: User Verification Prompt + type: title + version: -1 + taskid: 0f39089b-9326-4a78-8de3-ec670ec8683d + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 8955.5, + "y": 1900 + } + } + "44": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.UserVerification + operator: isEqualString + right: + value: + simple: "True" + label: "yes" + continueonerrortype: "" + id: "44" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "86" + "yes": + - "95" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Check if user verification is needed. Otherwise, proceed without + asking questions. + id: d3e2ec0f-17f8-4905-8a2e-cffb29513a53 + iscommand: false + name: Is User Verification required? + type: condition + version: -1 + taskid: d3e2ec0f-17f8-4905-8a2e-cffb29513a53 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 8955.5, + "y": 2060 + } + } + "45": + continueonerrortype: "" + form: + description: Please note that there are Internal IPs in this form! + expired: false + questions: + - defaultrows: [] + fieldassociated: "" + gridcolumns: [] + id: "0" + label: "" + labelarg: + simple: Do you approve the blocking request for "Malicious IPs"? + options: [] + optionsarg: + - complex: + accessor: Malicious + root: BlockList + placeholder: "" + readonly: false + required: false + tooltip: "" + type: multiSelect + - defaultrows: [] + fieldassociated: "" + gridcolumns: [] + id: "1" + label: "" + labelarg: + simple: Do you approve the blocking request for "Suspicious IPs"? + options: [] + optionsarg: + - complex: + accessor: Suspicious + root: BlockList + placeholder: "" + readonly: false + required: false + tooltip: "" + type: multiSelect + - defaultrows: [] + fieldassociated: "" + gridcolumns: [] + id: "2" + label: "" + labelarg: + simple: Do you approve the blocking request for "Other IPs from Input"? + options: [] + optionsarg: + - complex: + filters: + - - left: + iscontext: true + value: + simple: BlockList.Input + operator: notIn + right: + iscontext: true + value: + simple: BlockList.Suspicious + - - ignorecase: true + left: + iscontext: true + value: + simple: BlockList.Input + operator: notIn + right: + iscontext: true + value: + simple: BlockList.Malicious + - - ignorecase: true + left: + iscontext: true + value: + simple: BlockList.Input + operator: notIn + right: + iscontext: true + value: + simple: BlockList.PIIP + root: BlockList.Input + placeholder: "" + readonly: false + required: false + tooltip: "" + type: multiSelect + - defaultrows: [] + fieldassociated: "" + gridcolumns: [] + id: "3" + label: "" + labelarg: + simple: Do you approve the blocking request or "Internal Address"? + options: [] + optionsarg: + - complex: + filters: + - - left: + iscontext: true + value: + simple: BlockList.PIIP + operator: notIn + right: + iscontext: true + value: + simple: BlockList.Suspicious + - - ignorecase: true + left: + iscontext: true + value: + simple: BlockList.PIIP + operator: notIn + right: + value: + simple: BlockList.Malicious + root: BlockList.PIIP + transformers: + - operator: uniq + - {} + placeholder: "" + readonly: false + required: false + tooltip: "" + type: multiSelect + sender: Your SOC team + title: Please answer the following + totalanswers: 0 + id: "45" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: + body: + simple: |- +

Dear XSOAR user,

+

This notification informs you that the following list of IPs will be blocked on your XSOAR's integrated network devices.

+


(Note: the IPs will be added to your company block list or be blocked in individual rules based on the XSOAR integrated devices).

+

Also, please note that the following IPs are part of the internal range mentioned in the playbook:

+

${BlockList.PIIP}

+

 

+

For more information, click the link below.

+ cc: + format: html + methods: + - email + subject: + simple: Block IP Playbook - Analyst's Verification + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: false + retriescount: 2 + retriesinterval: 360 + to: + simple: Investigator + nexttasks: + '#none#': + - "102" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: |- + Ask the user what IPs should be blocked. + Note that in this task the following IPs are in your internal range: + ${BlockList.PIIP} + + Remember that the direction you have decided is - ${inputs.RuleDirection} + id: 4e143a2c-ef50-41f1-807d-088c46e5a538 + iscommand: false + name: 'Analyst Verification Prompt ' + type: collection + version: -1 + taskid: 4e143a2c-ef50-41f1-807d-088c46e5a538 + timertriggers: [] + type: collection + view: |- + { + "position": { + "x": 17730, + "y": 2400 + } + } + "47": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: Score + filters: + - - left: + iscontext: true + value: + simple: DBotScore.Indicator + operator: match + right: + value: + simple: + (\b25[0-5]|\b2[0-4][0-9]|\b[01]?[0-9][0-9]?)(\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3} + - - left: + iscontext: true + value: + simple: DBotScore.Indicator + operator: inList + right: + iscontext: true + value: + simple: inputs.IP + root: DBotScore + operator: isEqualString + right: + value: + simple: "2" + label: "YES" + continueonerrortype: "" + id: "47" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "8" + "YES": + - "48" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Check if any suspicious IPs were found during the IP enrichment + process. + id: 41d0d39e-008f-438e-82c2-b5af7781eabf + iscommand: false + name: Are there any Suspicious IPs? + type: condition + version: -1 + taskid: 41d0d39e-008f-438e-82c2-b5af7781eabf + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 17925.25, + "y": 1390 + } + } + "48": + continueonerror: true + continueonerrortype: errorPath + id: "48" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "109" + '#none#': + - "8" + note: false + quietmode: 0 + scriptarguments: + append: + simple: "true" + key: + simple: BlockList.Suspicious + stringify: + simple: "false" + value: + complex: + accessor: Indicator + filters: + - - left: + iscontext: true + value: + simple: DBotScore.Score + operator: isEqualString + right: + value: + simple: "2" + - - left: + iscontext: true + value: + simple: DBotScore.Indicator + operator: match + right: + value: + simple: + (\b25[0-5]|\b2[0-4][0-9]|\b[01]?[0-9][0-9]?)(\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3} + - - left: + iscontext: true + value: + simple: DBotScore.Indicator + operator: inList + right: + iscontext: true + value: + simple: inputs.IP + root: DBotScore + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Set a value in context under the key you entered. If no value is + entered, the script does nothing. + id: e0d49f5e-8242-4e01-a094-0e646e625954 + iscommand: false + name: Append Context List with IPs + script: SetAndHandleEmpty + type: regular + version: -1 + taskid: e0d49f5e-8242-4e01-a094-0e646e625954 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 18070.5, + "y": 1560 + } + } + "51": + continueonerrortype: "" + id: "51" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "41" + - "47" + - "85" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 1dd62435-07b9-4e9a-86db-7a900c3dbd4e + iscommand: false + name: Finalize Verdict For IP/s + type: title + version: -1 + taskid: 1dd62435-07b9-4e9a-86db-7a900c3dbd4e + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 17384.75, + "y": 1230 + } + } + "53": + continueonerror: true + continueonerrortype: errorPath + id: "53" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "109" + '#none#': + - "100" + note: false + quietmode: 0 + reputationcalc: 2 + scriptarguments: + indicatorsValues: + complex: + accessor: Address + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: IP.InRange + operator: isEqualString + right: + value: + simple: "No" + - - left: + iscontext: true + value: + simple: IP.Address + operator: inList + right: + iscontext: true + value: + simple: inputs.IP + root: IP + separatecontext: false + skipunavailable: true + task: + brand: Builtin + description: commands.local.cmd.enrich.indicators + id: 19d72e22-7692-4c79-9103-fa97a4356f45 + iscommand: true + name: Enrich Indicators + script: Builtin|||enrichIndicators + type: regular + version: -1 + taskid: 19d72e22-7692-4c79-9103-fa97a4356f45 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 18892, + "y": 890 + } + } + "55": + continueonerrortype: "" + id: "55" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "56" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: b56affc3-dc5f-4463-8599-d308363152bf + iscommand: false + name: Cisco ASA + type: title + version: -1 + taskid: b56affc3-dc5f-4463-8599-d308363152bf + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 6931.5, + "y": 3410 + } + } + "56": + continueonerrortype: "" + id: "56" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "2" + "yes": + - "121" + note: false + quietmode: 0 + scriptarguments: + brandname: + simple: Cisco ASA + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no' + id: c8b3752a-ee90-47fb-888f-f8e9dbc3f15f + iscommand: false + name: Is Cisco ASA enabled? + script: IsIntegrationAvailable + type: condition + version: -1 + taskid: c8b3752a-ee90-47fb-888f-f8e9dbc3f15f + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 6931.5, + "y": 3570 + } + } + "57": + continueonerror: true + continueonerrortype: errorPath + id: "57" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "109" + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + active: + complex: + root: inputs.AutoCommit + transformers: + - args: + condition: {} + else: + value: + simple: "False" + equals: + value: + simple: "Yes" + lhs: {} + options: {} + rhs: {} + then: + value: + simple: Ture + operator: If-Then-Else + destination: + complex: + root: inputs.RuleDirection + transformers: + - args: + condition: {} + else: + value: + simple: 0.0.0.0 + equals: + value: + simple: outbound + lhs: {} + options: {} + rhs: {} + then: + iscontext: true + value: + simple: ${BlockList.Final} + operator: If-Then-Else + interface_type: + simple: Global + log_level: + simple: Default + permit: + simple: "False" + position: + simple: top + source: + complex: + root: inputs.RuleDirection + transformers: + - args: + condition: {} + else: + iscontext: true + value: + simple: ${BlockList.Final} + equals: + value: + simple: outbound + lhs: {} + options: {} + rhs: {} + then: + value: + simple: 0.0.0.0 + operator: If-Then-Else + separatecontext: false + skipunavailable: true + task: + brand: "" + description: Creates a rule. + id: 0fc02585-be8a-407e-b93f-3f2af10b8ef8 + iscommand: true + name: Cisco ASA - Create Blocking Rule + script: '|||cisco-asa-create-rule' + type: regular + version: -1 + taskid: 0fc02585-be8a-407e-b93f-3f2af10b8ef8 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 6931.5, + "y": 3910 + } + } + "58": + continueonerrortype: "" + id: "58" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "2" + "yes": + - "123" + note: false + quietmode: 0 + scriptarguments: + brandname: + simple: Stealthwatch Cloud + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no' + id: 8f019569-55db-4d45-8642-52e45dba3c2d + iscommand: false + name: Is Cisco Secure Cloud Analytics enabled? + script: IsIntegrationAvailable + type: condition + version: -1 + taskid: 8f019569-55db-4d45-8642-52e45dba3c2d + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 7853, + "y": 3570 + } + } + "59": + continueonerror: true + continueonerrortype: errorPath + id: "59" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "109" + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + ip: + complex: + accessor: Final + root: BlockList + transformers: + - operator: uniq + separatecontext: false + skipunavailable: true + task: + brand: "" + description: Add a domain or IP to the block list. + id: 6f6356ab-11bf-4b91-9a92-63f77155a4e2 + iscommand: true + name: Cisco Secure Cloud Analytics - Add IP to Block List + script: '|||sw-block-domain-or-ip' + type: regular + version: -1 + taskid: 6f6356ab-11bf-4b91-9a92-63f77155a4e2 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 7853, + "y": 3910 + } + } + "60": + continueonerrortype: "" + id: "60" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "58" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: bd27b51c-e1cd-4371-8dfc-2d6d49c6c08c + iscommand: false + name: Cisco Secure Cloud Analytics + type: title + version: -1 + taskid: bd27b51c-e1cd-4371-8dfc-2d6d49c6c08c + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 7853, + "y": 3410 + } + } + "61": + continueonerrortype: "" + id: "61" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "2" + "yes": + - "127" + note: false + quietmode: 0 + scriptarguments: + brandname: + simple: Cisco Firepower + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no' + id: ff341c4e-cd9b-4516-8d8a-b6f2f97b30c4 + iscommand: false + name: Is Cisco Firepower enabled? + script: IsIntegrationAvailable + type: condition + version: -1 + taskid: ff341c4e-cd9b-4516-8d8a-b6f2f97b30c4 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 10031.75, + "y": 3740 + } + } + "63": + continueonerrortype: "" + id: "63" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "61" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 9dac0912-fb55-4a3b-8d68-ebd2cdde784f + iscommand: false + name: 'Cisco Firepower ' + type: title + version: -1 + taskid: 9dac0912-fb55-4a3b-8d68-ebd2cdde784f + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 10031.75, + "y": 3575 + } + } + "64": + continueonerrortype: "" + id: "64" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "65" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 7605a78c-deb2-4a39-8a51-e42950bf736c + iscommand: false + name: Akamai WAF + type: title + version: -1 + taskid: 7605a78c-deb2-4a39-8a51-e42950bf736c + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 8919.75, + "y": 3410 + } + } + "65": + continueonerrortype: "" + id: "65" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "2" + "yes": + - "125" + note: false + quietmode: 0 + scriptarguments: + brandname: + simple: Akamai WAF + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no' + id: fdd8bddf-f40f-4e35-8bb4-ef79df9f4d8a + iscommand: false + name: Is Akamai WAF enabled? + script: IsIntegrationAvailable + type: condition + version: -1 + taskid: fdd8bddf-f40f-4e35-8bb4-ef79df9f4d8a + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 8919.75, + "y": 3570 + } + } + "66": + continueonerror: true + continueonerrortype: errorPath + id: "66" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "109" + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + elements: + complex: + accessor: Final + root: BlockList + transformers: + - args: + separator: + value: + simple: ',' + operator: join + network_list_id: + simple: ${inputs.AkamaiNetworkListID} + separatecontext: false + skipunavailable: true + task: + brand: "" + description: Adds elements to the specified network list. + id: 7a21f18a-4d6b-4652-b081-a2082b9f3c82 + iscommand: true + name: Akamai WAF - Add IP to a block list + script: '|||akamai-add-elements-to-network-list' + type: regular + version: -1 + taskid: 7a21f18a-4d6b-4652-b081-a2082b9f3c82 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 8919.75, + "y": 3910 + } + } + "67": + continueonerrortype: "" + id: "67" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "68" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 9688c755-ae0b-4dfa-8751-c927f6d7ae38 + iscommand: false + name: ThreatX + type: title + version: -1 + taskid: 9688c755-ae0b-4dfa-8751-c927f6d7ae38 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 11289, + "y": 3410 + } + } + "68": + continueonerrortype: "" + id: "68" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "2" + "yes": + - "129" + - "131" + note: false + quietmode: 0 + scriptarguments: + brandname: + simple: ThreatX + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no' + id: cffe6cff-03f5-43cc-89e9-c6b083ae4b53 + iscommand: false + name: Is ThreatX enabled? + script: IsIntegrationAvailable + type: condition + version: -1 + taskid: cffe6cff-03f5-43cc-89e9-c6b083ae4b53 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 11289, + "y": 3570 + } + } + "69": + continueonerror: true + continueonerrortype: errorPath + id: "69" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "109" + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + description: + simple: ${inputs.RuleName} + ip: + complex: + accessor: Final + root: BlockList + transformers: + - args: + separator: + value: + simple: ',' + operator: join + separatecontext: false + skipunavailable: true + task: + brand: "" + description: Temporarily blocks an IP address or CIDR. Default is 30 minutes. + id: 884ef320-2540-4235-9fb6-a3ae37cf0a29 + iscommand: true + name: ThreatX - Block IP for 30 min + script: '|||threatx-block-ip' + type: regular + version: -1 + taskid: 884ef320-2540-4235-9fb6-a3ae37cf0a29 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 10998.5, + "y": 3910 + } + } + "71": + continueonerrortype: "" + id: "71" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "72" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 53ea2c9b-dacb-456e-8c02-683e777bae76 + iscommand: false + name: 'Signal Sciences WAF ' + type: title + version: -1 + taskid: 53ea2c9b-dacb-456e-8c02-683e777bae76 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 12551, + "y": 3410 + } + } + "72": + continueonerrortype: "" + id: "72" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "2" + "yes": + - "133" + note: false + quietmode: 0 + scriptarguments: + brandname: + simple: Signal Sciences WAF + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no' + id: e18ed541-babe-4ecf-85f9-d021aa99a0a9 + iscommand: false + name: Is Signal Sciences WAF enabled? + script: IsIntegrationAvailable + type: condition + version: -1 + taskid: e18ed541-babe-4ecf-85f9-d021aa99a0a9 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 12551, + "y": 3570 + } + } + "73": + continueonerror: true + continueonerrortype: errorPath + id: "73" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "109" + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + ip: + complex: + accessor: Final + root: BlockList + transformers: + - args: + separator: + value: + simple: ',' + operator: join + note: + simple: ${inputs.RuleName} + siteName: + simple: ${inputs.SiteName} + separatecontext: false + skipunavailable: true + task: + brand: "" + description: Adding IPs to the Signal Sciences WAF integration. + id: 9525c660-b19d-44c1-9c17-b00c11b21ecb + iscommand: true + name: Is Signal Sciences WAF - Blacklist IPs + script: '|||sigsci-blacklist-add-ip' + type: regular + version: -1 + taskid: 9525c660-b19d-44c1-9c17-b00c11b21ecb + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 12551, + "y": 3910 + } + } + "74": + continueonerrortype: "" + id: "74" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "76" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: f0ec8621-f223-46dc-8a04-856aa31e77fd + iscommand: false + name: Sophos Firewall + type: title + version: -1 + taskid: f0ec8621-f223-46dc-8a04-856aa31e77fd + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 14489.25, + "y": 3575 + } + } + "75": + continueonerror: true + continueonerrortype: errorPath + id: "75" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "109" + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + rule_name: + simple: ${inputs.RuleName} + target_ip: + complex: + accessor: Final + root: BlockList + transformers: + - args: + separator: + value: + simple: ',' + operator: join + separatecontext: false + skipunavailable: true + task: + brand: "" + description: Adds a rule that blocks packets destined for a specific IP address + or range of IP addresses. + id: da66be6c-13dc-4570-a61b-b76ec685d051 + iscommand: true + name: ARIA Packet Intelligence - Blacklist IPs + script: '|||aria-block-dest-subnet' + type: regular + version: -1 + taskid: da66be6c-13dc-4570-a61b-b76ec685d051 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 13472.5, + "y": 3910 + } + } + "76": + continueonerrortype: "" + id: "76" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "2" + "yes": + - "137" + note: false + quietmode: 0 + scriptarguments: + brandname: + simple: sophos_firewall + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no' + id: 5ad1fa64-7966-44dd-8fb2-656e205dc05d + iscommand: false + name: Is Sophos Firewall enabled? + script: IsIntegrationAvailable + type: condition + version: -1 + taskid: 5ad1fa64-7966-44dd-8fb2-656e205dc05d + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 14489.25, + "y": 3740 + } + } + "78": + continueonerrortype: "" + id: "78" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "2" + "yes": + - "135" + note: false + quietmode: 0 + scriptarguments: + brandname: + simple: ARIA Packet Intelligence + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no' + id: fab5e2cc-1d68-4bd7-867b-032814323d1a + iscommand: false + name: Is ARIA Packet Intelligence enabled? + script: IsIntegrationAvailable + type: condition + version: -1 + taskid: fab5e2cc-1d68-4bd7-867b-032814323d1a + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 13472.5, + "y": 3570 + } + } + "79": + continueonerrortype: "" + id: "79" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "78" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 6e1e1f40-7e8e-422e-8910-c06271450ad8 + iscommand: false + name: 'ARIA Packet Intelligence ' + type: title + version: -1 + taskid: 6e1e1f40-7e8e-422e-8910-c06271450ad8 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 13472.5, + "y": 3410 + } + } + "80": + continueonerror: true + continueonerrortype: errorPath + id: "80" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "109" + '#none#': + - "105" + note: false + quietmode: 0 + scriptarguments: + ip: + complex: + root: inputs.IP + transformers: + - args: + delimiter: + value: + simple: ',' + operator: split + ipRanges: + complex: + root: inputs.InternalRange + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: Returns 'yes' if the IP is in one of the ranges provided. Otherwise + returns 'no' + id: e73ba673-76c6-4c3c-965e-f0d317a6baed + iscommand: false + name: Check if there are internal IP addresses + script: IsIPInRanges + type: regular + version: -1 + taskid: e73ba673-76c6-4c3c-965e-f0d317a6baed + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 8715, + "y": 380 + } + } + "85": + continueonerror: true + continueonerrortype: errorPath + id: "85" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "109" + '#none#': + - "8" + note: false + quietmode: 0 + scriptarguments: + append: + simple: "true" + key: + simple: BlockList.Input + stringify: + simple: "false" + value: + complex: + root: inputs.IP + transformers: + - args: + delimiter: + value: + simple: ',' + operator: split + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Add the IPs from the input. + id: a025fcfd-3d3c-44e6-a6b0-b4230f925132 + iscommand: false + name: Append Context List with Input IPs + script: SetAndHandleEmpty + type: regular + version: -1 + taskid: a025fcfd-3d3c-44e6-a6b0-b4230f925132 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 18551.5, + "y": 1560 + } + } + "86": + continueonerror: true + continueonerrortype: errorPath + id: "86" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "109" + '#none#': + - "5" + note: false + quietmode: 0 + scriptarguments: + append: + simple: "true" + key: + simple: BlockList.Final + value: + simple: ${BlockList.Input} + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Set a value in context under the key you entered. If no value is + entered, the script does nothing. + id: cd9e4299-244c-4b4d-b76e-b2ab40418a45 + iscommand: false + name: Re-set the block list [Inputs] + script: SetAndHandleEmpty + type: regular + version: -1 + taskid: cd9e4299-244c-4b4d-b76e-b2ab40418a45 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 585.75, + "y": 3080 + } + } + "89": + continueonerrortype: "" + id: "89" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + IP: + complex: + accessor: Final + root: BlockList + transformers: + - args: + separator: + value: + simple: ',' + operator: join + Override: + simple: "False" + separatecontext: true + skipunavailable: true + task: + brand: "" + description: This playbook will append a network group object with new elements + (IPs or network objects). + id: 3b230eb6-3a09-41ec-82db-81daa78dee97 + iscommand: false + name: Cisco FirePower- Append network group object + playbookName: Cisco FirePower- Append network group object + type: playbook + version: -1 + taskid: 3b230eb6-3a09-41ec-82db-81daa78dee97 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 9936.5, + "y": 4080 + } + } + "90": + continueonerror: true + continueonerrortype: errorPath + id: "90" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "109" + '#none#': + - "91" + note: false + quietmode: 0 + scriptarguments: + append: + simple: "true" + key: + simple: BlockList.Final + value: + complex: + accessor: "2" + root: Please answer the following.Answers + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Set a value in context under the key you entered. If no value is + entered, the script does nothing. + id: 9c29a8af-db66-4d6c-b6fa-95e14121c6b7 + iscommand: false + name: Re-set the block list [Inputs] + script: SetAndHandleEmpty + type: regular + version: -1 + taskid: 9c29a8af-db66-4d6c-b6fa-95e14121c6b7 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 8860.25, + "y": 2740 + } + } + "91": + continueonerror: true + continueonerrortype: errorPath + id: "91" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "109" + '#none#': + - "92" + note: false + quietmode: 0 + scriptarguments: + append: + simple: "true" + key: + simple: BlockList.Final + value: + complex: + accessor: "0" + root: Please answer the following.Answers + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Set a value in context under the key you entered. If no value is + entered, the script does nothing. + id: 702c69ab-3f34-401d-b529-f541989aa016 + iscommand: false + name: Re-set the block list [Malicious] + script: SetAndHandleEmpty + type: regular + version: -1 + taskid: 702c69ab-3f34-401d-b529-f541989aa016 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 17199, + "y": 2910 + } + } + "92": + continueonerror: true + continueonerrortype: errorPath + id: "92" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "109" + '#none#': + - "5" + note: false + quietmode: 0 + scriptarguments: + append: + simple: "true" + key: + simple: BlockList.Final + value: + complex: + accessor: "1" + root: Please answer the following.Answers + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Set a value in context under the key you entered. If no value is + entered, the script does nothing. + id: 3c0acc60-fe8a-4b28-ac00-3bba9d9da7c8 + iscommand: false + name: Re-set the block list [Suspicious] + script: SetAndHandleEmpty + type: regular + version: -1 + taskid: 3c0acc60-fe8a-4b28-ac00-3bba9d9da7c8 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 17344.25, + "y": 3080 + } + } + "93": + continueonerror: true + continueonerrortype: errorPath + id: "93" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "109" + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + description: + simple: ${inputs.RuleName} + ip: + complex: + accessor: Final + root: BlockList + transformers: + - args: + separator: + value: + simple: ',' + operator: join + separatecontext: false + skipunavailable: true + task: + brand: "" + description: Adds an IP address or CIDR to the block list. + id: ae3f5679-ba06-4676-8616-86da704c9b5c + iscommand: true + name: ThreatX - add IP to a block list + script: '|||threatx-blacklist-ip' + type: regular + version: -1 + taskid: ae3f5679-ba06-4676-8616-86da704c9b5c + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 11629.5, + "y": 3910 + } + } + "94": + continueonerrortype: "" + id: "94" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + IP: + complex: + accessor: Final + root: BlockList + transformers: + - operator: uniq + separatecontext: true + skipunavailable: true + task: + brand: "" + description: |- + This playbook adds the IP address to a pre-configured firewall rule. (The target firewall rule can be changed as requested.) + Pre-Requisite: + 1) Create an IP host group. + 2) Create a firewall rule which refers to the IP host group created in the previous step. + id: f0ffc0b9-feef-4892-859c-a00b778cd8fe + iscommand: false + name: Sophos Firewall - Block IP + playbookName: Sophos Firewall - Block IP + type: playbook + version: -1 + taskid: f0ffc0b9-feef-4892-859c-a00b778cd8fe + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 14394, + "y": 4080 + } + } + "95": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: ${BlockList.PIIP} + operator: isExists + label: "yes" + continueonerrortype: "" + id: "95" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "98" + "yes": + - "45" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Check if there are any internal IPs in the block requested IPs. + id: fec9b088-6d31-4eda-8b5f-3296bd257767 + iscommand: false + name: Are There Any Internal IPs? + type: condition + version: -1 + taskid: fec9b088-6d31-4eda-8b5f-3296bd257767 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 9100.75, + "y": 2230 + } + } + "96": + continueonerrortype: "" + id: "96" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 44121d41-e492-4b08-8789-34ee4160adfa + iscommand: false + name: No IP to block + type: title + version: -1 + taskid: 44121d41-e492-4b08-8789-34ee4160adfa + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 295.25, + "y": 4085 + } + } + "98": + continueonerrortype: "" + form: + description: "" + expired: false + questions: + - defaultrows: [] + fieldassociated: "" + gridcolumns: [] + id: "0" + label: "" + labelarg: + simple: Do you approve the blocking request for "Malicious IPs"? + options: [] + optionsarg: + - complex: + accessor: Malicious + root: BlockList + placeholder: "" + readonly: false + required: false + tooltip: "" + type: multiSelect + - defaultrows: [] + fieldassociated: "" + gridcolumns: [] + id: "1" + label: "" + labelarg: + simple: Do you approve the blocking request for "Suspiocus IPs"? + options: [] + optionsarg: + - complex: + accessor: Suspicious + root: BlockList + placeholder: "" + readonly: false + required: false + tooltip: "" + type: multiSelect + - defaultrows: [] + fieldassociated: "" + gridcolumns: [] + id: "2" + label: "" + labelarg: + simple: Do you approve the blocking request for "Other IPs from Input"? + options: [] + optionsarg: + - complex: + filters: + - - left: + iscontext: true + value: + simple: BlockList.Input + operator: notIn + right: + iscontext: true + value: + simple: BlockList.Suspicious + - - left: + iscontext: true + value: + simple: BlockList.Input + operator: notIn + right: + iscontext: true + value: + simple: BlockList.Malicious + root: BlockList.Input + placeholder: "" + readonly: false + required: false + tooltip: "" + type: multiSelect + sender: Your SOC team + title: Please answer the following + totalanswers: 0 + id: "98" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: + body: + simple: |- +

Dear XSOAR user,

+

This notification informs you that the following list of IPs will be blocked on your XSOAR's integrated network devices.

+


(Note: the IPs will be added to your company block list or be blocked in individual rules based on the XSOAR integrated devices).

+

 

+

For more information, click the link below.

+ cc: + format: html + methods: + - email + subject: + simple: Block IP Playbook - Analyst's Verification + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: false + retriescount: 2 + retriesinterval: 360 + to: + simple: Investigator + nexttasks: + '#none#': + - "90" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: |- + Ask the user what IPs should be blocked. + + Remember that the direction you have decided is - ${inputs.RuleDirection} + id: 342e2d51-0427-4bc1-85dd-e53b274549f7 + iscommand: false + name: Analyst Verification Prompt (without IP Internal List) + type: collection + version: -1 + taskid: 342e2d51-0427-4bc1-85dd-e53b274549f7 + timertriggers: [] + type: collection + view: |- + { + "position": { + "x": 8860.25, + "y": 2570 + } + } + "99": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.InputEnrichment + operator: isEqualString + right: + value: + simple: "True" + label: "yes" + continueonerrortype: "" + id: "99" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "100" + "yes": + - "53" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Check if the user requests an IPs enrichment for determining if + those are malicious or suspicious. + id: 68b6a610-d4dc-4293-8bf6-015902b9e3dc + iscommand: false + name: Should Inputs be enriched? + type: condition + version: -1 + taskid: 68b6a610-d4dc-4293-8bf6-015902b9e3dc + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 9005.5, + "y": 720 + } + } + "100": + continueonerror: true + continueonerrortype: errorPath + id: "100" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "109" + '#none#': + - "51" + note: false + quietmode: 0 + scriptarguments: + append: + simple: "true" + key: + simple: BlockList.PIIP + value: + complex: + accessor: Address + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: IP.InRange + operator: isEqualString + right: + value: + simple: "Yes" + - - ignorecase: true + left: + iscontext: true + value: + simple: IP.Address + operator: inList + right: + iscontext: true + value: + simple: inputs.IP + root: IP + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Set a value in context under the key you entered. If no value is + entered, the script does nothing. + id: bdddf906-e02c-4004-9d85-4219a71e8550 + iscommand: false + name: Append Internal IPs to a possible block list + script: SetAndHandleEmpty + type: regular + version: -1 + taskid: bdddf906-e02c-4004-9d85-4219a71e8550 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 8569.75, + "y": 1060 + } + } + "102": + continueonerror: true + continueonerrortype: errorPath + id: "102" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "109" + '#none#': + - "90" + note: false + quietmode: 0 + scriptarguments: + append: + simple: "true" + key: + simple: BlockList.Final + value: + complex: + accessor: "3" + root: Please answer the following.Answers + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Set a value in context under the key you entered. If no value is + entered, the script does nothing. + id: 87408dab-183e-4756-90a0-44cad486c18f + iscommand: false + name: Re-set the block list [Internal Address] + script: SetAndHandleEmpty + type: regular + version: -1 + taskid: 87408dab-183e-4756-90a0-44cad486c18f + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 17730, + "y": 2570 + } + } + "103": + continueonerror: true + continueonerrortype: errorPath + id: "103" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "109" + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + field: + simple: tags + fieldValue: + complex: + root: inputs.Tag + indicatorsValues: + complex: + accessor: Final + root: BlockList + transformers: + - args: + separator: + value: + simple: ',' + operator: join + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.add.values.to.indicator.multi.select.field + id: 59d1a99a-81e5-4bb9-ab9f-dcf85cec35e8 + iscommand: true + name: Update Indicator Tag for EDL + script: Builtin|||appendIndicatorField + type: regular + version: -1 + taskid: 59d1a99a-81e5-4bb9-ab9f-dcf85cec35e8 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 15456, + "y": 3910 + } + } + "104": + continueonerrortype: "" + id: "104" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "24" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 4f0503b7-bba7-45d9-8e73-3809af7e5d48 + iscommand: false + name: EDL/EIS + type: title + version: -1 + taskid: 4f0503b7-bba7-45d9-8e73-3809af7e5d48 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 15456, + "y": 3410 + } + } + "105": + continueonerror: true + continueonerrortype: errorPath + id: "105" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "109" + '#none#': + - "99" + note: false + quietmode: 0 + reputationcalc: 1 + scriptarguments: + type: + simple: IP + value: + complex: + root: inputs.IP + transformers: + - args: + delimiter: + value: + simple: ',' + operator: split + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: Create System indicators + id: 4d8877da-d559-4540-8973-37a41fc4c4f4 + iscommand: true + name: Create IP indicators in the system + script: Builtin|||createNewIndicator + type: regular + version: -1 + taskid: 4d8877da-d559-4540-8973-37a41fc4c4f4 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 8860.25, + "y": 550 + } + } + "106": + continueonerrortype: "" + id: "106" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "108" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: c4cee8d1-81c7-4c4e-8465-0b913bce5337 + iscommand: false + name: Prisma SASE + type: title + version: -1 + taskid: c4cee8d1-81c7-4c4e-8465-0b913bce5337 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 16472.75, + "y": 3575 + } + } + "107": + continueonerrortype: "" + id: "107" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + AutoCommit: + complex: + root: inputs.AutoCommit + Folder: + complex: + root: inputs.Folder + transformers: + - operator: uniq + IP: + complex: + accessor: Final + root: BlockList + transformers: + - operator: uniq + StaticAddressGroupName: + complex: + root: inputs.StaticAddressGroup + transformers: + - operator: uniq + separatecontext: true + skipunavailable: true + task: + brand: "" + description: |- + This playbook assists in blocking communication with the provided IPs in the Prisma SASE policy. + If a group name is provided, the IPs will be added to the mentioned static address group (there should be a rule associated with the group name to block communication with that group). + And if the group name is not provided, a new group will be created with a dedicated rule to block communication with those IPs. + id: 281f9d65-c396-4441-86f2-340da163d601 + iscommand: false + name: Prisma SASE - Block IP + playbookId: Prisma SASE - Block IP + type: playbook + version: -1 + taskid: 281f9d65-c396-4441-86f2-340da163d601 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 16377.5, + "y": 4080 + } + } + "108": + continueonerrortype: "" + id: "108" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "2" + "yes": + - "141" + note: false + quietmode: 0 + scriptarguments: + brandname: + simple: Palo Alto Networks - Prisma SASE + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no' + id: 4d7717be-2f2d-4962-8b96-18edd3a0977c + iscommand: false + name: Is Prisma SASE enabled? + script: IsIntegrationAvailable + type: condition + version: -1 + taskid: 4d7717be-2f2d-4962-8b96-18edd3a0977c + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 16472.75, + "y": 3740 + } + } + "109": + continueonerrortype: "" + id: "109" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: 99ad291f-c38f-4e26-870b-f1d54f1f3f45 + iscommand: false + name: Foundation - Foundation - Error Handling_V3 + playbookId: Foundation - Foundation - Error Handling_V3 + type: playbook + version: -1 + taskid: 99ad291f-c38f-4e26-870b-f1d54f1f3f45 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 8774.5, + "y": 4080 + } + } + "110": + continueonerrortype: "" + id: "110" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: 7a34ea03-f70c-4354-8fcf-015185787ec1 + iscommand: false + name: SOC PAN-OS DAG Configuration_V3 + playbookId: SOC PAN-OS DAG Configuration_V3 + type: playbook + version: -1 + taskid: 7a34ea03-f70c-4354-8fcf-015185787ec1 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 2524, + "y": 4080 + } + } + "111": + continueonerrortype: "" + id: "111" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: ba67efbf-9ee6-4500-8cf1-ea5ac090816b + iscommand: false + name: SOC PAN-OS - Block IP - Custom Block Rule_V3 + playbookId: SOC PAN-OS - Block IP - Custom Block Rule_V3 + type: playbook + version: -1 + taskid: ba67efbf-9ee6-4500-8cf1-ea5ac090816b + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 1362, + "y": 4080 + } + } + "112": + continueonerrortype: "" + id: "112" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: 02bf7a1c-4217-4f3a-8501-8ee5b313f041 + iscommand: false + name: SOC PAN-OS - Block IP - Static Address Group_V3 + playbookId: SOC PAN-OS - Block IP - Static Address Group_V3 + type: playbook + version: -1 + taskid: 02bf7a1c-4217-4f3a-8501-8ee5b313f041 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 1943, + "y": 4080 + } + } + "113": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.ShadowMode + operator: isFalse + right: + value: {} + label: "no" + continueonerrortype: "" + id: "113" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "114" + "no": + - "13" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 04ea642b-c0ea-4878-80c2-316819ebb066 + iscommand: false + name: Shadow Run? + type: condition + version: -1 + taskid: 04ea642b-c0ea-4878-80c2-316819ebb066 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 4312.25, + "y": 3740 + } + } + "114": + continueonerrortype: "" + id: "114" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow Mode: Zscaler Block IP + Command: zscaler-blacklist-ip + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: 06546b30-2176-4af9-9f63-99ea37603f11 + iscommand: false + name: Print To WarRoom + script: Print + type: regular + version: -1 + taskid: 06546b30-2176-4af9-9f63-99ea37603f11 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 4507.5, + "y": 4080 + } + } + "115": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.ShadowMode + operator: isFalse + right: + value: {} + label: "no" + continueonerrortype: "" + id: "115" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "116" + "no": + - "28" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: f45aa7e0-e268-46b6-9ffe-70bd5e585226 + iscommand: false + name: Shadow Run? + type: condition + version: -1 + taskid: f45aa7e0-e268-46b6-9ffe-70bd5e585226 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 5233.75, + "y": 3740 + } + } + "116": + continueonerrortype: "" + id: "116" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow Mode: Zscaler Block IP + Command: zscaler-blacklist-ip + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: 79a2c108-92d7-413a-89e4-c595c55f65cf + iscommand: false + name: Print To WarRoom + script: Print + type: regular + version: -1 + taskid: 79a2c108-92d7-413a-89e4-c595c55f65cf + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 5429, + "y": 4080 + } + } + "117": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.ShadowMode + operator: isFalse + right: + value: {} + label: "no" + continueonerrortype: "" + id: "117" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "118" + "no": + - "31" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 9c180da7-ad10-4832-886d-eaa3a7848319 + iscommand: false + name: Shadow Run? + type: condition + version: -1 + taskid: 9c180da7-ad10-4832-886d-eaa3a7848319 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 6155.25, + "y": 3740 + } + } + "118": + continueonerrortype: "" + id: "118" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow Mode: F5 Silverline Block IP + Command: f5-silverline-ip-object-add + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: 59c5eda3-e9a5-4f3c-a199-2d37c6b7841e + iscommand: false + name: Print To WarRoom + script: Print + type: regular + version: -1 + taskid: 59c5eda3-e9a5-4f3c-a199-2d37c6b7841e + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 6350.5, + "y": 4080 + } + } + "119": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.ShadowMode + operator: isFalse + right: + value: {} + label: "no" + continueonerrortype: "" + id: "119" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "120" + "no": + - "29" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: ebf8d15c-b196-494c-bd53-73013091c317 + iscommand: false + name: Shadow Run? + type: condition + version: -1 + taskid: ebf8d15c-b196-494c-bd53-73013091c317 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 3345.5, + "y": 3910 + } + } + "120": + continueonerrortype: "" + id: "120" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow Mode: Checkpoint Block IP + Command: + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: 6b91f74b-5191-4e72-bdda-f3d2ad22b146 + iscommand: false + name: Print To WarRoom + script: Print + type: regular + version: -1 + taskid: 6b91f74b-5191-4e72-bdda-f3d2ad22b146 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 3586, + "y": 4080 + } + } + "121": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.ShadowMode + operator: isFalse + right: + value: {} + label: "no" + continueonerrortype: "" + id: "121" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "122" + "no": + - "57" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: bbd7a144-6ad4-4342-8d97-3439d95f2bbf + iscommand: false + name: Shadow Run? + type: condition + version: -1 + taskid: bbd7a144-6ad4-4342-8d97-3439d95f2bbf + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 7076.75, + "y": 3740 + } + } + "122": + continueonerrortype: "" + id: "122" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow Mode: Cisco ASA Block IP + Command: cisco-asa-create-rule + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: bc20f7cb-6a11-43b8-9354-a2aebc55ecd2 + iscommand: false + name: Print To WarRoom + script: Print + type: regular + version: -1 + taskid: bc20f7cb-6a11-43b8-9354-a2aebc55ecd2 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 7272, + "y": 4080 + } + } + "123": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.ShadowMode + operator: isFalse + right: + value: {} + label: "no" + continueonerrortype: "" + id: "123" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "124" + "no": + - "59" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: a46e5ed5-b8ea-4cd3-a64e-00118145164e + iscommand: false + name: Shadow Run? + type: condition + version: -1 + taskid: a46e5ed5-b8ea-4cd3-a64e-00118145164e + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 7998.25, + "y": 3740 + } + } + "124": + continueonerrortype: "" + id: "124" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow Mode: - Cisco Secure Cloud Analytics - Add IP to Block List + Command: sw-block-domain-or-ip + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: 0684b8a9-1303-4f8d-ae05-2dc951d66b72 + iscommand: false + name: Print To WarRoom + script: Print + type: regular + version: -1 + taskid: 0684b8a9-1303-4f8d-ae05-2dc951d66b72 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 8193.5, + "y": 4080 + } + } + "125": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.ShadowMode + operator: isFalse + right: + value: {} + label: "no" + continueonerrortype: "" + id: "125" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "126" + "no": + - "66" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 9736faf7-e23a-4b49-9a64-bb88fbc0642a + iscommand: false + name: Shadow Run? + type: condition + version: -1 + taskid: 9736faf7-e23a-4b49-9a64-bb88fbc0642a + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 9065, + "y": 3740 + } + } + "126": + continueonerrortype: "" + id: "126" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow Mode: - Akamai WAF - Add IP to block list + Command: akamai-add-elements-to-network-list + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: a079d530-9c3d-488d-98f9-2e7b5625f572 + iscommand: false + name: Print To WarRoom + script: Print + type: regular + version: -1 + taskid: a079d530-9c3d-488d-98f9-2e7b5625f572 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 9355.5, + "y": 4080 + } + } + "127": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.ShadowMode + operator: isFalse + right: + value: {} + label: "no" + continueonerrortype: "" + id: "127" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "128" + "no": + - "89" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 1ed77763-6fa6-4711-881a-a67c1800a09a + iscommand: false + name: Shadow Run? + type: condition + version: -1 + taskid: 1ed77763-6fa6-4711-881a-a67c1800a09a + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 10177, + "y": 3910 + } + } + "128": + continueonerrortype: "" + id: "128" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + value: + simple: "Shadow Mode: - Cisco FirePower - Append network\nCommand: " + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: b95fd78e-e81b-4e8b-82c7-f023a57e0d91 + iscommand: false + name: Print To WarRoom + script: Print + type: regular + version: -1 + taskid: b95fd78e-e81b-4e8b-82c7-f023a57e0d91 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 10417.5, + "y": 4080 + } + } + "129": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.ShadowMode + operator: isFalse + right: + value: {} + label: "no" + continueonerrortype: "" + id: "129" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "130" + "no": + - "69" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 4340b60e-0155-4f1e-a2ec-5aec76864233 + iscommand: false + name: Shadow Run? + type: condition + version: -1 + taskid: 4340b60e-0155-4f1e-a2ec-5aec76864233 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 11143.75, + "y": 3740 + } + } + "130": + continueonerrortype: "" + id: "130" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow Mode: - ThreatX - Block IP for 30 min + Command: threatx-block-ip + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: cfc8fd00-47f7-4b29-8002-a3ca71ddf689 + iscommand: false + name: Print To WarRoom + script: Print + type: regular + version: -1 + taskid: cfc8fd00-47f7-4b29-8002-a3ca71ddf689 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 11339, + "y": 4080 + } + } + "131": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.ShadowMode + operator: isFalse + right: + value: {} + label: "no" + continueonerrortype: "" + id: "131" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "132" + "no": + - "93" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 69e2e1d1-e195-4170-be60-d5a73ff639ac + iscommand: false + name: Shadow Run? + type: condition + version: -1 + taskid: 69e2e1d1-e195-4170-be60-d5a73ff639ac + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 11774.75, + "y": 3735 + } + } + "132": + continueonerrortype: "" + id: "132" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow Mode: - ThreatX - add IP to a block list + Command: threatx-blacklist-ip + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: dfa03823-f457-4e05-bbfc-657f5c157bbe + iscommand: false + name: Print To WarRoom + script: Print + type: regular + version: -1 + taskid: dfa03823-f457-4e05-bbfc-657f5c157bbe + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 11970, + "y": 4080 + } + } + "133": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.ShadowMode + operator: isFalse + right: + value: {} + label: "no" + continueonerrortype: "" + id: "133" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "134" + "no": + - "73" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: effe19c9-8de1-4433-9aeb-837c8797a2a7 + iscommand: false + name: Shadow Run? + type: condition + version: -1 + taskid: effe19c9-8de1-4433-9aeb-837c8797a2a7 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 12696.25, + "y": 3740 + } + } + "134": + continueonerrortype: "" + id: "134" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow Mode: - Signal Scienes WAF - Blacklist IPs + Command: sigsci-blacklist-add-ip + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: 056bd27a-d626-475e-b03f-bf6d3b9abc40 + iscommand: false + name: Print To WarRoom + script: Print + type: regular + version: -1 + taskid: 056bd27a-d626-475e-b03f-bf6d3b9abc40 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 12891.5, + "y": 4080 + } + } + "135": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.ShadowMode + operator: isFalse + right: + value: {} + label: "no" + continueonerrortype: "" + id: "135" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "136" + "no": + - "75" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 95f38047-16c9-40cd-aa69-e01d597573c1 + iscommand: false + name: Shadow Run? + type: condition + version: -1 + taskid: 95f38047-16c9-40cd-aa69-e01d597573c1 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 13617.75, + "y": 3740 + } + } + "136": + continueonerrortype: "" + id: "136" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow Mode: - ARIA Packet Intelligence - Blacklist IP + Command: aria-block-dest-subnet + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: 874a6c6e-ea6a-45a0-9ad1-f8038babde5a + iscommand: false + name: Print To WarRoom + script: Print + type: regular + version: -1 + taskid: 874a6c6e-ea6a-45a0-9ad1-f8038babde5a + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 13813, + "y": 4080 + } + } + "137": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.ShadowMode + operator: isFalse + right: + value: {} + label: "no" + continueonerrortype: "" + id: "137" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "138" + "no": + - "94" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 9e5fdc22-b5f4-4f83-846a-d7c227c84d0d + iscommand: false + name: Shadow Run? + type: condition + version: -1 + taskid: 9e5fdc22-b5f4-4f83-846a-d7c227c84d0d + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 14634.5, + "y": 3910 + } + } + "138": + continueonerrortype: "" + id: "138" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + value: + simple: "Shadow Mode: - Sophos Fireewall - Block IP\nCommand: " + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: 4fe4e79f-a1fd-4422-a26f-81ee4f2d4632 + iscommand: false + name: Print To WarRoom + script: Print + type: regular + version: -1 + taskid: 4fe4e79f-a1fd-4422-a26f-81ee4f2d4632 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 14875, + "y": 4080 + } + } + "139": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.ShadowMode + operator: isFalse + right: + value: {} + label: "no" + continueonerrortype: "" + id: "139" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "140" + "no": + - "103" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 6ea3eeb7-ba8a-4f7e-9df6-1a7ebb2e2b8e + iscommand: false + name: Shadow Run? + type: condition + version: -1 + taskid: 6ea3eeb7-ba8a-4f7e-9df6-1a7ebb2e2b8e + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 15601.25, + "y": 3740 + } + } + "140": + continueonerrortype: "" + id: "140" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow Mode: - Update Indicator Tag of EDL + Command: appendindicatorfield + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: 25035df1-141b-44e1-ae2f-5b26accabcaf + iscommand: false + name: Print To WarRoom + script: Print + type: regular + version: -1 + taskid: 25035df1-141b-44e1-ae2f-5b26accabcaf + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 15796.5, + "y": 4080 + } + } + "141": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.ShadowMode + operator: isFalse + right: + value: {} + label: "no" + continueonerrortype: "" + id: "141" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "142" + "no": + - "107" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 5318f2b3-611b-451c-9661-2e489d41dad3 + iscommand: false + name: Shadow Run? + type: condition + version: -1 + taskid: 5318f2b3-611b-451c-9661-2e489d41dad3 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 16618, + "y": 3910 + } + } + "142": + continueonerrortype: "" + id: "142" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + value: + simple: "Shadow Mode: Prisma SASE - Block IP\nCommand: " + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: ad297cdd-af75-4f09-9f39-9c79bd0e7cd2 + iscommand: false + name: Print To WarRoom + script: Print + type: regular + version: -1 + taskid: ad297cdd-af75-4f09-9f39-9c79bd0e7cd2 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 16858.5, + "y": 4080 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": { + "108_141_yes": 0.78, + "12_2_#default#": 0.11, + "22_2_#default#": 0.1, + "23_112_yes": 0.9, + "23_2_#default#": 0.1, + "24_2_#default#": 0.1, + "25_110_yes": 0.82, + "25_2_#default#": 0.1, + "27_115_yes": 0.89, + "27_2_#default#": 0.1, + "32_117_yes": 0.67, + "32_2_#default#": 0.21, + "36_8_#default#": 0.19, + "41_42_yes": 0.59, + "41_8_#default#": 0.17, + "44_95_yes": 0.42, + "47_48_YES": 0.64, + "47_8_#default#": 0.24, + "56_121_yes": 0.83, + "56_2_#default#": 0.28, + "58_123_yes": 0.61, + "58_2_#default#": 0.38, + "61_127_yes": 0.88, + "61_2_#default#": 0.1, + "65_125_yes": 0.7, + "65_2_#default#": 0.11, + "68_129_yes": 0.7, + "68_131_yes": 0.87, + "68_2_#default#": 0.1, + "72_2_#default#": 0.16, + "76_137_yes": 0.85, + "76_2_#default#": 0.12, + "78_135_yes": 0.85, + "78_2_#default#": 0.14, + "7_119_yes": 0.89, + "7_2_#default#": 0.1, + "8_43_yes": 0.5, + "8_96_#default#": 0.1, + "99_100_#default#": 0.83, + "99_53_yes": 0.62 + }, + "paper": { + "dimensions": { + "height": 4260, + "width": 19222, + "x": 50, + "y": 50 + } + } + } +adopted: true +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_Indicators_-_Generic_v3.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_Indicators_-_Generic_v3.yml new file mode 100644 index 0000000..6d29d33 --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_Indicators_-_Generic_v3.yml @@ -0,0 +1,1661 @@ +adopted: true +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 6.5.0 + isoverridable: false + itemVersion: 2.7.16 + packID: "" + packName: SOC Common Playbooks + prevname: "" + supportedModules: + - X1 + - X3 + - X5 + - ENT_PLUS + - agentix + toServerVersion: "" +description: |- + This playbook blocks malicious indicators using all integrations that are enabled, using the following sub-playbooks: + + - Block URL - Generic v2 + - Block Account - Generic v2 + - Block IP - Generic v3 + - Block File - Generic v2 + - Block Email - Generic v2 + - Block Domain - Generic v2. +dirtyInputs: true +id: 'SOC Block Indicators - Generic v3_V3' +inputSections: +- description: Generic group for inputs + inputs: + - IP + - URL + - Username + - MD5 + - SHA256 + - FilesToBlock + - DomainToBlock + - EmailToBlock + - AutoBlockIndicators + - CustomBlockRule + - LogForwarding + - AutoCommit + - StaticAddressGroup + - CustomURLCategory + - type + - device-group + - categories + - DomainBlackListID + - Tag + - DAG + - UserVerification + - InternalRange + - SiteName + - AkamaiNetworkListID + - CiscoFWSource + - InputEnrichment + - RuleName + - RuleDirection + - EDLServerIP + - ShadowMode + name: General (Inputs group) +inputs: +- description: 'An array of malicious IPs to block. Enter a comma-separated list of + IPs (i.e.: 1.1.1.1,2.2.2.2).' + key: IP + playbookInputQuery: + required: false + value: + complex: + accessor: Indicator + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: ip + - - left: + iscontext: true + value: + simple: DBotScore.Score + operator: greaterThanOrEqual + right: + value: + simple: "3" + root: DBotScore + transformers: + - operator: uniq +- description: Array of malicious URLs to block. + key: URL + playbookInputQuery: + required: false + value: + complex: + accessor: Indicator + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: url + - - left: + iscontext: true + value: + simple: DBotScore.Score + operator: greaterThanOrEqual + right: + value: + simple: "3" + root: DBotScore + transformers: + - operator: uniq +- description: Array of malicious usernames to block. + key: Username + playbookInputQuery: + required: false + value: + complex: + accessor: Indicator + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: username + - - left: + iscontext: true + value: + simple: DBotScore.Score + operator: greaterThanOrEqual + right: + value: + simple: "3" + root: DBotScore + transformers: + - operator: uniq +- description: The MD5 hash of the file you want to block. + key: MD5 + playbookInputQuery: + required: false + value: + complex: + accessor: Indicator + filters: + - - left: + iscontext: true + value: + simple: DBotScore.Indicator + operator: stringHasLength + right: + value: + simple: "32" + - - left: + iscontext: true + value: + simple: DBotScore.Score + operator: greaterThanOrEqual + right: + value: + simple: "3" + - - left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: file + - left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: hash + root: DBotScore + transformers: + - operator: uniq +- description: The SHA256 hash of the file you want to block. + key: SHA256 + playbookInputQuery: + required: false + value: + complex: + accessor: Indicator + filters: + - - left: + iscontext: true + value: + simple: DBotScore.Indicator + operator: stringHasLength + right: + value: + simple: "64" + - - left: + iscontext: true + value: + simple: DBotScore.Score + operator: greaterThanOrEqual + right: + value: + simple: "3" + - - left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: file + - left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: hash + root: DBotScore + transformers: + - operator: uniq +- description: Array of malicious file hashes to block. + key: FilesToBlock + playbookInputQuery: + required: false + value: + complex: + accessor: Indicator + filters: + - - left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: file + - - left: + iscontext: true + value: + simple: DBotScore.Score + operator: greaterThanOrEqual + right: + value: + simple: "3" + root: DBotScore + transformers: + - operator: uniq +- description: The domain that you wish to block. + key: DomainToBlock + playbookInputQuery: + required: false + value: + complex: + accessor: Indicator + filters: + - - left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: domain + - - left: + iscontext: true + value: + simple: DBotScore.Score + operator: greaterThanOrEqual + right: + value: + simple: "3" + root: DBotScore + transformers: + - operator: uniq +- description: The email address that you wish to block. + key: EmailToBlock + playbookInputQuery: + required: false + value: + complex: + accessor: Indicator + filters: + - - left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: email + - - left: + iscontext: true + value: + simple: DBotScore.Score + operator: greaterThanOrEqual + right: + value: + simple: "3" + root: DBotScore + transformers: + - operator: uniq +- description: "Should the given indicators be automatically blocked, or should the + user be prompted to select whether to block them?\n\nPossible values: True/False. + \nDefault value: True.\n\nIf set to True - No prompt will appear. All of the provided + indicators will be blocked automatically.\n\nIf set to False - The user will be + prompted to select which indicators to block." + key: AutoBlockIndicators + playbookInputQuery: + required: false + value: + simple: "True" +- description: "This input determines whether Palo Alto Networks Panorama or Firewall + Custom Block Rules are used.\nSpecify \"True\" to create new Custom Block Rules + (2 FW rules inside the PAN-OS device). \nFor \"False\" - no rules will be created." + key: CustomBlockRule + playbookInputQuery: + required: false + value: + simple: "True" +- description: Panorama log forwarding object name. Indicate what type of Log Forwarding + setting will be specified in the PAN-OS custom rules. + key: LogForwarding + playbookInputQuery: + required: false + value: {} +- description: "This input determines whether to commit the configuration automatically + on PAN-OS devices and other FWs. \nYes - Commit automatically.\nNo - Commit manually." + key: AutoCommit + playbookInputQuery: + required: false + value: + simple: "No" +- description: |- + This input determines whether Palo Alto Networks Panorama or Firewall Static Address Groups are used. + Specify the Static Address Group name for IPs list handling. + key: StaticAddressGroup + playbookInputQuery: + required: false + value: {} +- description: Custom URL Category name. + key: CustomURLCategory + playbookInputQuery: + required: false + value: + simple: XSOAR Remediation - Malicious URLs +- description: Custom URL category type. Insert "URL List"/ "Category Match". + key: type + playbookInputQuery: + required: false + value: {} +- description: Device group for the Custom URL Category (Panorama instances). + key: device-group + playbookInputQuery: + required: false + value: {} +- description: The list of categories. Relevant from PAN-OS v9.x. + key: categories + playbookInputQuery: + required: false + value: {} +- description: |- + The Domain List ID to add the Domain to. + product: Proofpoint Threat Response + key: DomainBlackListID + playbookInputQuery: + required: false + value: {} +- description: Insert a tag name with which indicators will get tagged. This tag can + be used later in the External Dynamic Lists integration by using the tag for filtering + IPs in the indicator query. + key: Tag + playbookInputQuery: + required: false + value: + simple: Blocked Indicator In Systems +- description: |- + This input determines whether Palo Alto Networks Panorama or Firewall Dynamic Address Groups are used. + Specify the Dynamic Address Group tag name for IPs list handling. + key: DAG + playbookInputQuery: + required: false + value: {} +- description: "Possible values: True/False. Default: True.\nWhether to provide user + verification for blocking those IPs. \n\nFalse - No prompt will be displayed to + the user.\nTrue - The server will ask the user for blocking verification and will + display the blocking list." + key: UserVerification + playbookInputQuery: + required: false + value: + simple: "True" +- description: 'A list of internal IP ranges to check IP addresses against. The comma-separated + list should be provided in CIDR notation. For example, a list of ranges would + be: "172.16.0.0/12,10.0.0.0/8,192.168.0.0/16" (without quotes).' + key: InternalRange + playbookInputQuery: + required: false + value: + complex: + accessor: PrivateIPs + root: lists + transformers: + - args: + error_if_no_match: {} + ignore_case: {} + multi_line: {} + period_matches_newline: {} + regex: + value: + simple: (\b(?:\d{1,3}\.){3}\d{1,3}\b/\d{1,2}) + unpack_matches: {} + operator: RegexExtractAll + - args: + separator: + value: + simple: ',' + operator: join +- description: Signal Sciences WAF - Enter the site name for the integration to be + applied. The site name can be found in your instance console. + key: SiteName + playbookInputQuery: + required: false + value: {} +- description: Akamai's WAF network list ID, which is mandatory to be mentioned for + the integration. The chosen IPs will be added to this ID. + key: AkamaiNetworkListID + playbookInputQuery: + required: false + value: {} +- description: Cisco ASA (firewall) value for the rule's source object in the created + blocking rule. Can be the value of an IPv4, an address block, or the name of a + network object. + key: CiscoFWSource + playbookInputQuery: + required: false + value: {} +- description: |- + The rule name/description that will be presented on the created rule in certain integrations (if there is a need). + The supported integrations: PAN-OS, CheckPoint. + + Default input- "XSOAR - Block IP playbook - ${incident.id}" + key: InputEnrichment + playbookInputQuery: + required: false + value: + simple: "False" +- description: |- + The rule name/description that will be presented on the created rule in certain integrations (if there is a need). + The supported integrations: PAN-OS, CheckPoint. + + Default input- "XSOAR - Block IP playbook - ${incident.id}" + key: RuleName + playbookInputQuery: + required: false + value: + simple: XSOAR - Block Indicators playbook - ${alert.id} +- description: |- + Determine if a newly created rule should be with the network direction of outbound or inbound blocked traffic. + Possible values: inbound or outbound + Default: outbound + key: RuleDirection + playbookInputQuery: + required: false + value: + simple: outbound +- description: EDL Server IP Address + key: EDLServerIP + playbookInputQuery: + required: false + value: {} +- description: "" + key: ShadowMode + playbookInputQuery: + required: false + value: + simple: "true" +name: SOC Block Indicators - Generic v3_V3 +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: + - CheckpointFWRule.Domain + - CheckpointFWRule.Enabled + - CheckpointFWRule.Name + - CheckpointFWRule.UID + - CheckpointFWRule.Type + - CheckpointFWRule.DestinationNegate + - CheckpointFWRule.Action + - CheckpointFWRule.Destination + - CheckpointFWRule.ActionSetting + - CheckpointFWRule.CustomFields + - CheckpointFWRule.Data + - CheckpointFWRule.DataDirection + - CheckpointFWRule.DataNegate + - CheckpointFWRule.Hits + - PanoramaRule.Direction + - PanoramaRule.IP + - PanoramaRule.Name + - CheckpointFWRule.Data.Name + - CheckpointFWRule.Data.Domain + - CheckpointFWRule.Domain.Name + - CheckpointFWRule.Domain.UID + - CheckpointFWRule.Domain.Type + - CheckpointFWRule.Hits.FirstDate + - CheckpointFWRule.Hits.LastDate + - CheckpointFWRule.Hits.Level + - CheckpointFWRule.Hits.Percentage + - CheckpointFWRule.Hits.Value + - IndicatorsToBlock +outputs: +- contextPath: CheckpointFWRule.Domain + description: Rule domain. +- contextPath: CheckpointFWRule.Enabled + description: Rule status. +- contextPath: CheckpointFWRule.Name + description: Rule name. +- contextPath: CheckpointFWRule.UID + description: Rule UID. +- contextPath: CheckpointFWRule.Type + description: Rule Type. +- contextPath: CheckpointFWRule.DestinationNegate + description: Rule destination negate status (True/False). +- contextPath: CheckpointFWRule.Action + description: 'Rule action (Valid values are: Accept, Drop, Apply Layer, Ask, Info).' +- contextPath: CheckpointFWRule.Destination + description: Rule Destination. +- contextPath: CheckpointFWRule.ActionSetting + description: Rule action settings. +- contextPath: CheckpointFWRule.CustomFields + description: Rule custom fields. +- contextPath: CheckpointFWRule.Data + description: Rule data. +- contextPath: CheckpointFWRule.DataDirection + description: Rule data direction. +- contextPath: CheckpointFWRule.DataNegate + description: Rule data negate status (True/False). +- contextPath: CheckpointFWRule.Hits + description: Rule hits count. +- contextPath: PanoramaRule.Direction + description: Direction of the Panorama rule. Can be 'to','from', 'both'. + type: string +- contextPath: PanoramaRule.IP + description: The IP the Panorama rule blocks. + type: string +- contextPath: PanoramaRule.Name + description: Name of the Panorama rule. + type: string +- contextPath: CheckpointFWRule.Data.Name + description: Rule data object name. +- contextPath: CheckpointFWRule.Data.Domain + description: Information about the domain the data object belongs to. +- contextPath: CheckpointFWRule.Domain.Name + description: Rule domain name. +- contextPath: CheckpointFWRule.Domain.UID + description: Rule domain UID. +- contextPath: CheckpointFWRule.Domain.Type + description: Rule domain type. +- contextPath: CheckpointFWRule.Hits.FirstDate + description: The date of the first hit for the rule. +- contextPath: CheckpointFWRule.Hits.LastDate + description: The date of the last hit for the rule. +- contextPath: CheckpointFWRule.Hits.Level + description: Level of rule hits. +- contextPath: CheckpointFWRule.Hits.Percentage + description: Percentage of rule hits. +- contextPath: CheckpointFWRule.Hits.Value + description: Value of rule hits. +- contextPath: IndicatorsToBlock + description: Selected indicators to block. + type: unknown +sourceplaybookid: Block Indicators - Generic v3 +starttaskid: "0" +tags: +- SOC +- SOC_Framework +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "27" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: be855f8e-b0d6-4b33-8898-954bf9ba99cc + iscommand: false + name: "" + playbooktaskmissingcomponent: + version: -1 + taskid: be855f8e-b0d6-4b33-8898-954bf9ba99cc + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 1125, + "y": -870 + } + } + "2": + continueonerrortype: "" + id: "2" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "26" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: c155d55d-f7f3-4af2-8739-3cb6143e0e81 + iscommand: false + name: Tag Indicators + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: c155d55d-f7f3-4af2-8739-3cb6143e0e81 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 1125, + "y": 515 + } + } + "7": + continueonerrortype: "" + id: "7" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "32" + - "34" + - "35" + - "36" + - "37" + - "39" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 15d43128-6c48-4deb-8ed0-044d0454fa7b + iscommand: false + name: Block indicators + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 15d43128-6c48-4deb-8ed0-044d0454fa7b + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 1125, + "y": 195 + } + } + "14": + continueonerrortype: "" + id: "14" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 22f0eb38-c4d3-4e67-889b-6abbff216ab8 + iscommand: false + name: Done + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 22f0eb38-c4d3-4e67-889b-6abbff216ab8 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 1125, + "y": 1005 + } + } + "15": + continueonerrortype: "" + id: "15" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "14" + note: false + quietmode: 0 + scriptarguments: + field: + simple: tags + fieldValue: + complex: + root: inputs.Tag + indicatorsValues: + complex: + filters: + - - left: + iscontext: true + value: + simple: IndicatorsToBlock + operator: isNotEqualString + right: + value: + simple: No indicators to block + root: IndicatorsToBlock + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.add.values.to.indicator.multi.select.field + id: 8e6165ed-cc2e-4820-8ae4-c73fd82a3088 + iscommand: true + name: Tag bad indicators + playbooktaskmissingcomponent: + script: Builtin|||appendIndicatorField + type: regular + version: -1 + taskid: 8e6165ed-cc2e-4820-8ae4-c73fd82a3088 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1390, + "y": 820 + } + } + "19": + continueonerrortype: "" + form: + description: Select which indicators to block. + expired: false + questions: + - defaultrows: [] + fieldassociated: "" + gridcolumns: [] + id: "0" + label: "" + labelarg: + simple: Select IPs to block + options: [] + optionsarg: + - complex: + root: inputs.IP + transformers: + - operator: uniq + placeholder: "" + readonly: false + required: false + tooltip: "" + type: multiSelect + - defaultrows: [] + fieldassociated: "" + gridcolumns: [] + id: "1" + label: "" + labelarg: + simple: Select URLs to block + options: [] + optionsarg: + - complex: + root: inputs.URL + transformers: + - operator: uniq + placeholder: "" + readonly: false + required: false + tooltip: "" + type: multiSelect + - defaultrows: [] + fieldassociated: "" + gridcolumns: [] + id: "2" + label: "" + labelarg: + simple: Select files to block + options: [] + optionsarg: + - complex: + root: inputs.MD5 + transformers: + - args: + item: + iscontext: true + value: + simple: inputs.SHA256 + operator: append + - args: + item: + iscontext: true + value: + simple: inputs.FilesToBlock + operator: append + - operator: uniq + placeholder: "" + readonly: false + required: false + tooltip: "" + type: multiSelect + - defaultrows: [] + fieldassociated: "" + gridcolumns: [] + id: "3" + label: "" + labelarg: + simple: Select users to block + options: [] + optionsarg: + - complex: + root: inputs.Username + placeholder: "" + readonly: false + required: false + tooltip: "" + type: multiSelect + - defaultrows: [] + fieldassociated: "" + gridcolumns: [] + id: "4" + label: "" + labelarg: + simple: Select emails to block + options: [] + optionsarg: + - complex: + root: inputs.EmailToBlock + transformers: + - operator: uniq + placeholder: "" + readonly: false + required: false + tooltip: "" + type: multiSelect + - defaultrows: [] + fieldassociated: "" + gridcolumns: [] + id: "5" + label: "" + labelarg: + simple: Select domains to block + options: [] + optionsarg: + - complex: + root: inputs.DomainToBlock + transformers: + - operator: uniq + placeholder: "" + readonly: false + required: false + tooltip: "" + type: multiSelect + sender: "" + title: Which indicators would you like to block? + totalanswers: 0 + id: "19" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: + body: + cc: + format: "" + methods: [] + subject: + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: + nexttasks: + '#none#': + - "21" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Select which indicators to block. + id: 0d20c35f-5bdf-4b27-8b63-f5334f9342f5 + iscommand: false + name: Which indicators would you like to block? + playbooktaskmissingcomponent: + type: collection + version: -1 + taskid: 0d20c35f-5bdf-4b27-8b63-f5334f9342f5 + timertriggers: [] + type: collection + view: |- + { + "position": { + "x": 680, + "y": -330 + } + } + "20": + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + root: inputs.AutoBlockIndicators + operator: isEqualString + right: + value: + simple: "true" + label: "yes" + continueonerrortype: "" + id: "20" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "19" + "yes": + - "22" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks whether the AutoBlockIndicators input is set to 'True' + id: 8a156613-e43b-4bf2-857c-159220291b3b + iscommand: false + name: Block Indicators Automatically? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 8a156613-e43b-4bf2-857c-159220291b3b + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 1125, + "y": -500 + } + } + "21": + continueonerrortype: "" + id: "21" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "23" + note: false + quietmode: 0 + reputationcalc: 2 + scriptarguments: + key: + simple: IndicatorsToBlock + value: + complex: + accessor: "0" + root: Which indicators would you like to block?.Answers + transformers: + - args: + item: + iscontext: true + value: + simple: Which indicators would you like to block?.Answers.1 + operator: append + - args: + item: + iscontext: true + value: + simple: Which indicators would you like to block?.Answers.2 + operator: append + - args: + item: + iscontext: true + value: + simple: Which indicators would you like to block?.Answers.3 + operator: append + - args: + item: + iscontext: true + value: + simple: Which indicators would you like to block?.Answers.4 + operator: append + - args: + item: + iscontext: true + value: + simple: Which indicators would you like to block?.Answers.5 + operator: append + - operator: uniq + - args: + applyIfEmpty: {} + defaultValue: + value: + simple: No indicators to block + operator: SetIfEmpty + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Set a value in context under the key you entered. + id: ca92498f-ebc4-4e68-81e9-44e1c6907d9d + iscommand: false + name: Set indicators to block - Manual + playbooktaskmissingcomponent: + script: Set + type: regular + version: -1 + taskid: ca92498f-ebc4-4e68-81e9-44e1c6907d9d + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 680, + "y": -170 + } + } + "22": + continueonerrortype: "" + id: "22" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "23" + note: false + quietmode: 0 + reputationcalc: 2 + scriptarguments: + key: + simple: IndicatorsToBlock + value: + complex: + root: inputs.IP + transformers: + - args: + item: + iscontext: true + value: + simple: inputs.URL + operator: append + - args: + item: + iscontext: true + value: + simple: inputs.Username + operator: append + - args: + item: + iscontext: true + value: + simple: inputs.MD5 + operator: append + - args: + item: + iscontext: true + value: + simple: inputs.SHA256 + operator: append + - args: + item: + iscontext: true + value: + simple: inputs.EmailToBlock + operator: append + - args: + item: + iscontext: true + value: + simple: inputs.DomainToBlock + operator: append + - args: + item: + iscontext: true + value: + simple: inputs.FilesToBlock + operator: append + - operator: uniq + - args: + applyIfEmpty: {} + defaultValue: + value: + simple: No indicators to block + operator: SetIfEmpty + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Set a value in context under the key you entered. + id: 6cabb94a-1422-4d97-89ee-5b35b328c70b + iscommand: false + name: Set indicators to block - Auto + playbooktaskmissingcomponent: + script: Set + type: regular + version: -1 + taskid: 6cabb94a-1422-4d97-89ee-5b35b328c70b + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1125, + "y": -170 + } + } + "23": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: IndicatorsToBlock + operator: isNotEqualString + right: + value: + simple: No indicators to block + label: "yes" + continueonerrortype: "" + id: "23" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "14" + "yes": + - "7" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks whether there are indicators to block. + id: 92a68f14-96ed-4e6f-880f-dde5980b1fc2 + iscommand: false + name: Has indicators to block? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 92a68f14-96ed-4e6f-880f-dde5980b1fc2 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 1125, + "y": 30 + } + } + "26": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.Tag + operator: isNotEmpty + label: "yes" + continueonerrortype: "" + id: "26" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "14" + "yes": + - "15" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks whether a tag for blocked indicators was specified. + id: ee795eae-1fc0-4458-864b-91b2f224db89 + iscommand: false + name: Tag received from inputs? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: ee795eae-1fc0-4458-864b-91b2f224db89 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 1125, + "y": 650 + } + } + "27": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.IP + operator: isNotEmpty + - left: + iscontext: true + value: + complex: + root: inputs.URL + operator: isNotEmpty + - left: + iscontext: true + value: + complex: + root: inputs.Username + operator: isNotEmpty + - left: + iscontext: true + value: + complex: + root: inputs.MD5 + operator: isNotEmpty + - left: + iscontext: true + value: + complex: + root: inputs.SHA256 + operator: isNotEmpty + - left: + iscontext: true + value: + complex: + root: inputs.FilesToBlock + operator: isNotEmpty + - left: + iscontext: true + value: + complex: + root: inputs.DomainToBlock + operator: isNotEmpty + - left: + iscontext: true + value: + complex: + root: inputs.EmailToBlock + operator: isNotEmpty + label: "yes" + continueonerrortype: "" + id: "27" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "14" + "yes": + - "20" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Looks for available indicators to process + id: 4b64da5f-53b9-4fdd-8e65-5a133c6700d6 + iscommand: false + name: Are there indicators to block? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 4b64da5f-53b9-4fdd-8e65-5a133c6700d6 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 1125, + "y": -700 + } + } + "32": + continueonerrortype: "" + id: "32" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: true + skipunavailable: false + task: + brand: "" + description: | + This playbook will block emails at your mail relay integration. + + Supported integrations for this playbook: + * Mimecast + * FireEye Email Security (EX) + * Cisco Email Security + * Symantec Email Security + id: ac1dcf02-1ea8-488a-ad60-b31434a0026d + iscommand: false + name: SOC Block Email - Generic v2_V3 + playbookId: SOC Block Email - Generic v2_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: ac1dcf02-1ea8-488a-ad60-b31434a0026d + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 1330, + "y": 340 + } + } + "34": + continueonerrortype: "" + id: "34" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: true + skipunavailable: false + task: + brand: "" + description: | + This playbook blocks malicious Domains using all integrations that are enabled. + + Supported integrations for this playbook: + * Zscaler + * Symantec Messaging Gateway + * FireEye EX + * Trend Micro Apex One + * Proofpoint Threat Response + * Cisco Stealthwatch Cloud + id: 65f15302-fd9a-4ee3-9777-312c8350c3e9 + iscommand: false + name: SOC Block Domain - Generic v2_V3 + playbookId: SOC Block Domain - Generic v2_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: 65f15302-fd9a-4ee3-9777-312c8350c3e9 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 1760, + "y": 340 + } + } + "35": + continueonerrortype: "" + id: "35" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + AutoCommit: + simple: "No" + CustomURLCategory: + simple: XSOAR Remediation - Malicious URLs + Folder: + simple: Shared + ShadowMode: + simple: ${inputs.ShadowMode} + UserVerification: + simple: "True" + separatecontext: true + skipunavailable: false + task: + brand: "" + description: |- + This playbook blocks malicious URLs using all integrations that are enabled. + + Supported integrations for this playbook: + * Palo Alto Networks PAN-OS + * Zscaler + * Sophos + * Forcepoint + * Checkpoint + * Netcraft. + id: 114d89c6-d66a-4322-af15-50e41e979728 + iscommand: false + name: SOC Block URL - Generic v2_V3 + playbookId: SOC Block URL - Generic v2_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: 114d89c6-d66a-4322-af15-50e41e979728 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 30, + "y": 340 + } + } + "36": + continueonerrortype: "" + id: "36" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + Tag: + simple: Bad Account + UserVerification: + simple: "True" + separatecontext: true + skipunavailable: false + task: + brand: "" + description: |- + This playbook blocks malicious usernames using all integrations that you have enabled. + + Supported integrations for this playbook: + * Active Directory + * PAN-OS - This requires PAN-OS 9.1 or higher. + * SailPoint + * PingOne + * AWS IAM + * Clarizen IAM + * Envoy IAM + * ExceedLMS IAM + * Okta + * Microsoft Graph User (Azure Active Directory Users) + * Google Workspace Admin + * Slack IAM + * ServiceNow IAM + * Prisma Cloud IAM + * Zoom IAM + * Atlassian IAM + * GitHub IAM. + id: bbcc49c4-52a8-400d-ac24-132c221bc0df + iscommand: false + name: SSOC Block Account - Generic v2_V3 + playbookId: SSOC Block Account - Generic v2_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: bbcc49c4-52a8-400d-ac24-132c221bc0df + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 460, + "y": 340 + } + } + "37": + continueonerrortype: "" + id: "37" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + MD5: + complex: + accessor: MD5 + root: File + SHA256: + complex: + accessor: SHA256 + root: File + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: true + skipunavailable: false + task: + brand: "" + description: "This playbook is used to block files from running on endpoints. + \nThis playbook supports the following integrations:\n- Palo Alto Networks + Traps\n- Palo Alto Networks Cortex XDR\n- Cybereason\n- Carbon Black Enterprise + Response\n- Cylance Protect v2\n- Crowdstrike Falcon\n- Microsoft Defender + for Endpoint." + id: 7c49c3b9-313c-4282-abfd-235baaccd6a6 + iscommand: false + name: SOC Block File - Generic v2_V3 + playbookId: SOC Block File - Generic v2_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: 7c49c3b9-313c-4282-abfd-235baaccd6a6 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 930, + "y": 340 + } + } + "39": + continueonerrortype: "" + id: "39" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + AutoCommit: + simple: "No" + CustomBlockRule: + simple: "True" + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: true + skipunavailable: false + task: + brand: "" + id: 312289eb-2251-4985-a7a0-7befe2235c5b + iscommand: false + name: SOC Block IP - Generic v2_V3 + playbookId: SOC Block IP - Generic v2_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: 312289eb-2251-4985-a7a0-7befe2235c5b + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 2170, + "y": 340 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": { + "27_14_#default#": 0.88, + "27_20_yes": 0.4 + }, + "paper": { + "dimensions": { + "height": 1935, + "width": 2520, + "x": 30, + "y": -870 + } + } + } +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_URL_-_Generic_v2.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_URL_-_Generic_v2.yml new file mode 100644 index 0000000..58c019a --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Block_URL_-_Generic_v2.yml @@ -0,0 +1,1695 @@ +adopted: true +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 6.5.0 + isoverridable: false + itemVersion: 2.7.15 + packID: "" + packName: Common Playbooks + prevname: "" + supportedModules: + - X1 + - X3 + - X5 + - ENT_PLUS + - agentix + toServerVersion: "" +description: |- + This playbook blocks malicious URLs using all integrations that are enabled. + + Supported integrations for this playbook: + * Palo Alto Networks PAN-OS + * Zscaler + * Sophos + * Forcepoint + * Checkpoint + * Netcraft. +dirtyInputs: true +id: 'SOC Block URL - Generic v2_V3' +inputSections: +- description: Generic group for inputs + inputs: + - URL + - LogForwarding + - AutoCommit + - CustomURLCategory + - type + - categories + - UserVerification + - EDLServerIP + - device-group + - Tag + - Folder + - ShadowMode + name: General (Inputs group) +inputs: +- description: Array of malicious URLs to block. + key: URL + playbookInputQuery: + required: false + value: {} +- description: Log Forwarding object name. + key: LogForwarding + playbookInputQuery: + required: false + value: {} +- description: |- + This input establishes whether to commit the configuration automatically. + Yes - Commit automatically. + No - Commit manually. + key: AutoCommit + playbookInputQuery: + required: false + value: + simple: "No" +- description: Custom URL Category name. + key: CustomURLCategory + playbookInputQuery: + required: false + value: + simple: XSOAR Remediation - Malicious URLs +- description: Custom URL category type. Insert "URL List"/ "Category Match". + key: type + playbookInputQuery: + required: false + value: {} +- description: The list of categories. Relevant from PAN-OS v9.x. + key: categories + playbookInputQuery: + required: false + value: {} +- description: |- + Possible values:True/False. Default:True. + Specify if User Verification is Requrired + key: UserVerification + playbookInputQuery: + required: false + value: + simple: "True" +- description: EDL Server IP Address + key: EDLServerIP + playbookInputQuery: + required: false + value: {} +- description: Device group for the Custom URL Category (Panorama instances). + key: device-group + playbookInputQuery: + required: false + value: {} +- description: Insert a tag name with which indicators will get tagged. This tag can + be used later in the External Dynamic Lists integration by using the tag for filtering + IPs in the indicator query. + key: Tag + playbookInputQuery: + required: false + value: {} +- description: |- + For prisma SASE usage - Specify the scope for a newly created security rule to be applied. + Remember, this input will only be used when there is no input to the CategoryName. + Default: Shared + key: Folder + playbookInputQuery: + required: false + value: + simple: Shared +- description: "" + key: ShadowMode + playbookInputQuery: + required: false + value: + simple: "true" +name: SOC Block URL - Generic v2_V3 +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: [] +outputs: [] +sourceplaybookid: Block URL - Generic v2 +starttaskid: "0" +tags: +- SOC +- SOC_Framework +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "36" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: f7a7452c-dafe-4b3e-8461-4ea61daf5e3b + iscommand: false + name: "" + playbooktaskmissingcomponent: + version: -1 + taskid: f7a7452c-dafe-4b3e-8461-4ea61daf5e3b + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 377.5, + "y": -470 + } + } + "2": + continueonerrortype: "" + id: "2" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 8f968aa5-26ca-4471-891b-4ac7f9114147 + iscommand: false + name: Done + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 8f968aa5-26ca-4471-891b-4ac7f9114147 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 377.5, + "y": 1385 + } + } + "5": + continueonerrortype: "" + id: "5" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "16" + - "18" + - "26" + - "28" + - "32" + - "38" + - "42" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: ecece7aa-0eb6-4f67-8a9b-dfc77bcef34d + iscommand: false + name: Block URLs + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: ecece7aa-0eb6-4f67-8a9b-dfc77bcef34d + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 377.5, + "y": 425 + } + } + "8": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: Blocklist.URL + operator: isExists + right: + value: {} + label: "yes" + continueonerrortype: "" + id: "8" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "25" + "yes": + - "5" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Verify that the playbook input includes at least one URL to block. + id: 0e2e9b54-cbaa-4f8c-85b2-b5927f30f52a + iscommand: false + name: Is there a URL to block? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 0e2e9b54-cbaa-4f8c-85b2-b5927f30f52a + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 377.5, + "y": 195 + } + } + "12": + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: brand + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: modules.brand + operator: isEqualString + right: + value: + simple: Zscaler + - - ignorecase: true + left: + iscontext: true + value: + simple: modules.state + operator: isEqualString + right: + value: + simple: active + root: modules + operator: isExists + label: "yes" + continueonerrortype: "" + id: "12" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "2" + "yes": + - "50" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Verify that there is a valid instance of Zscaler enabled. + id: efeca267-b6d2-4a08-8325-e8fb7c1dd633 + iscommand: false + name: Is Zscaler enabled? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: efeca267-b6d2-4a08-8325-e8fb7c1dd633 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 700, + "y": 700 + } + } + "13": + continueonerror: true + continueonerrortype: errorPath + id: "13" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "45" + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + url: + complex: + root: inputs.URL + separatecontext: false + skipunavailable: true + task: + brand: Zscaler + description: Adds the specified URLs to the block list. + id: 5f366f9a-ddac-4072-b304-ecbbbe74499e + iscommand: true + name: Block URL with Zscaler + playbooktaskmissingcomponent: + script: Zscaler|||zscaler-blacklist-url + type: regular + version: -1 + taskid: 5f366f9a-ddac-4072-b304-ecbbbe74499e + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 570, + "y": 1100 + } + } + "16": + continueonerrortype: "" + id: "16" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "21" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 90b64f91-6db0-4a69-86e3-80aa6fc36ebd + iscommand: false + name: Checkpoint + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 90b64f91-6db0-4a69-86e3-80aa6fc36ebd + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 140, + "y": 570 + } + } + "18": + continueonerrortype: "" + id: "18" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "12" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 9e331921-f00a-47d7-8f02-8ab4fbacc053 + iscommand: false + name: Zscaler + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 9e331921-f00a-47d7-8f02-8ab4fbacc053 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 700, + "y": 570 + } + } + "19": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.EDLServerIP + operator: isNotEmpty + right: + value: {} + label: "yes" + continueonerrortype: "" + id: "19" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "2" + "yes": + - "48" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Check if should use EDL or not + id: b9e7db2b-6985-4410-8e01-ccb9950cd8b7 + iscommand: false + name: Use EDL? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: b9e7db2b-6985-4410-8e01-ccb9950cd8b7 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": -310, + "y": 700 + } + } + "21": + continueonerrortype: "" + id: "21" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "2" + "yes": + - "23" + note: false + quietmode: 0 + scriptarguments: + brandname: + simple: CheckPointFirewall_v2 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no' + id: da7121fa-715d-4010-81ac-e519b88b58e3 + iscommand: false + name: "Is CheckPoint Integration \nAavailable?" + playbooktaskmissingcomponent: + script: IsIntegrationAvailable + type: condition + version: -1 + taskid: da7121fa-715d-4010-81ac-e519b88b58e3 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 140, + "y": 700 + } + } + "23": + continueonerrortype: "" + id: "23" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + separatecontext: true + skipunavailable: true + task: + brand: "" + description: |- + This playbook blocks URLs using Checkpoint Firewall through Custom URL Categories. + The playbook checks whether the input URL category already exists, and if the URLs are a part of this category. Otherwise, it will create the category, block the URLs, and publish the configuration. + id: 195a51ea-2a0b-47e3-83f6-c6b6a4938847 + iscommand: false + name: Checkpoint - Block URL + playbookId: Checkpoint - Block URL + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: 195a51ea-2a0b-47e3-83f6-c6b6a4938847 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 150, + "y": 915 + } + } + "24": + continueonerrortype: "" + id: "24" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + separatecontext: true + skipunavailable: true + task: + brand: "" + description: "This playbook adds the URL to the Default Block URL Policy. (The + target\npolicy can be changed as requested).\nPre-Requisite: \n1) Create a + web policy rule that refers to the URL group you specified on the inputs of + the playbook.\n2) Create a new firewall rule and assign the web policy to + the one created in the previous step." + id: 0dd55a58-9d45-449e-8b9f-3c1630188951 + iscommand: false + name: Sophos Firewall - Block URL + playbookId: Sophos Firewall - Block URL + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: 0dd55a58-9d45-449e-8b9f-3c1630188951 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 1170, + "y": 915 + } + } + "25": + continueonerrortype: "" + id: "25" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 21af0a6a-234a-4061-884a-86f3209ae79e + iscommand: false + name: No URL was definded + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 21af0a6a-234a-4061-884a-86f3209ae79e + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 2080, + "y": 945 + } + } + "26": + continueonerrortype: "" + id: "26" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "27" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 42362e33-89e4-4e9a-89ad-8fca62f06425 + iscommand: false + name: Sophos + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 42362e33-89e4-4e9a-89ad-8fca62f06425 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 1170, + "y": 570 + } + } + "27": + continueonerrortype: "" + id: "27" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "2" + "yes": + - "24" + note: false + quietmode: 0 + scriptarguments: + brandname: + simple: sophos_firewall + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no' + id: c08fd24c-0333-4f69-8700-69b92c530882 + iscommand: false + name: Is Sophos Integration Enabled? + playbooktaskmissingcomponent: + script: IsIntegrationAvailable + type: condition + version: -1 + taskid: c08fd24c-0333-4f69-8700-69b92c530882 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 1170, + "y": 700 + } + } + "28": + continueonerrortype: "" + id: "28" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "19" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 12ce6945-cd09-46e6-8661-748f50ed220c + iscommand: false + name: EDL + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 12ce6945-cd09-46e6-8661-748f50ed220c + timertriggers: [] + type: title + view: |- + { + "position": { + "x": -310, + "y": 570 + } + } + "29": + continueonerror: true + continueonerrortype: errorPath + id: "29" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "45" + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + field: + simple: tags + fieldValue: + complex: + root: inputs.Tag + indicatorsValues: + complex: + accessor: URL + root: Blocklist + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.add.values.to.indicator.multi.select.field + id: f5c64bf3-5853-428d-8f8c-8ede36080770 + iscommand: true + name: Update Tag For URLs + playbooktaskmissingcomponent: + script: Builtin|||appendIndicatorField + type: regular + version: -1 + taskid: f5c64bf3-5853-428d-8f8c-8ede36080770 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": -320, + "y": 1100 + } + } + "30": + continueonerrortype: "" + form: + description: "" + expired: false + questions: + - defaultrows: [] + fieldassociated: "" + gridcolumns: [] + id: "0" + label: "" + labelarg: + simple: 'Please select those URLs that you would like to block:' + options: [] + optionsarg: + - complex: + root: inputs.URL + - {} + placeholder: "" + readonly: false + required: false + tooltip: "" + type: multiSelect + sender: "" + title: Would you like to Block the following URLs? + totalanswers: 0 + id: "30" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: + body: + simple: Dear XSOAR user, Please approve those URLs that you would like to + block in your internal systems + cc: + format: "" + methods: + - email + subject: + simple: 'User Verification - Block URLs (Inc #${alert.id})' + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: + simple: Analyst + nexttasks: + '#none#': + - "31" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Ask the analyst for verification of which URL to block + id: 7948896f-f14b-4e0b-865e-47a3a0c1da3f + iscommand: false + name: User Verification + playbooktaskmissingcomponent: + type: collection + version: -1 + taskid: 7948896f-f14b-4e0b-865e-47a3a0c1da3f + timertriggers: [] + type: collection + view: |- + { + "position": { + "x": 590, + "y": -160 + } + } + "31": + continueonerrortype: "" + id: "31" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "8" + note: false + quietmode: 0 + scriptarguments: + append: + simple: "true" + key: + simple: Blocklist.URL + value: + simple: ${Would you like to Block the following URLs?.Answers.0} + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Set a value in context under the key you entered. If no value is + entered, the script doesn't do anything. + id: 6a38d62a-b597-4165-87e8-7b5b92953ca5 + iscommand: false + name: Append the URLs' blocking list + playbooktaskmissingcomponent: + script: SetAndHandleEmpty + type: regular + version: -1 + taskid: 6a38d62a-b597-4165-87e8-7b5b92953ca5 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 590, + "y": 10 + } + } + "32": + continueonerrortype: "" + id: "32" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "34" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: d561f0f8-0d4c-4ba3-8560-187751ca5c85 + iscommand: false + name: Forcepoint + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: d561f0f8-0d4c-4ba3-8560-187751ca5c85 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 1610, + "y": 570 + } + } + "34": + continueonerrortype: "" + id: "34" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "2" + "yes": + - "52" + note: false + quietmode: 0 + scriptarguments: + brandname: + simple: Forcepoint + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no' + id: 08e14d34-e96d-422a-8640-f5ef9a6eaa7a + iscommand: false + name: Is Forcepoint Integration Enabled? + playbooktaskmissingcomponent: + script: IsIntegrationAvailable + type: condition + version: -1 + taskid: 08e14d34-e96d-422a-8640-f5ef9a6eaa7a + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 1610, + "y": 700 + } + } + "35": + continueonerror: true + continueonerrortype: errorPath + id: "35" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "45" + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + urls: + simple: ${Blocklist.URL} + separatecontext: false + skipunavailable: true + task: + brand: Forcepoint + description: "Append a specific category in Forcepoint with the Blocked URLs. + \nYou can choose to add those to a default category (For more info - refer + to https://www.forcepoint.com/product/feature/master-database-url-categories)\n + or specify a custom/user-defined category." + id: 89279561-a8cd-4cc8-b0fc-98514ebb67a1 + iscommand: true + name: Forcepoint - Add URL's to a specific category + playbooktaskmissingcomponent: + script: Forcepoint|||fp-add-address-to-category + type: regular + version: -1 + taskid: 89279561-a8cd-4cc8-b0fc-98514ebb67a1 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1410, + "y": 1100 + } + } + "36": + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + root: inputs.UserVerification + operator: isEqualString + right: + value: + simple: "True" + label: "yes" + continueonerrortype: "" + id: "36" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "37" + "yes": + - "30" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Check if should ask for user verification + id: 33d5bf90-736a-4228-8307-53b1d58d4550 + iscommand: false + name: Is User Verification Is Required? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 33d5bf90-736a-4228-8307-53b1d58d4550 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 377.5, + "y": -330 + } + } + "37": + continueonerrortype: "" + id: "37" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "8" + note: false + quietmode: 0 + scriptarguments: + key: + simple: Blocklist.URL + value: + complex: + root: inputs.URL + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Set a value in context under the key you entered. If no value is + entered, the script doesn't do anything. + id: 76856aa5-7ff2-415b-8f6f-e4bd1e6798a9 + iscommand: false + name: Set Input URLs as Blocklist. + playbooktaskmissingcomponent: + script: SetAndHandleEmpty + type: regular + version: -1 + taskid: 76856aa5-7ff2-415b-8f6f-e4bd1e6798a9 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 170, + "y": -160 + } + } + "38": + continueonerrortype: "" + id: "38" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "40" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: e889ae46-04a0-4514-8923-2291cec2883a + iscommand: false + name: Netcraft + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: e889ae46-04a0-4514-8923-2291cec2883a + timertriggers: [] + type: title + view: |- + { + "position": { + "x": -1190, + "y": 570 + } + } + "40": + continueonerrortype: "" + id: "40" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "2" + "yes": + - "46" + note: false + quietmode: 0 + scriptarguments: + brandname: + simple: Netcraft V2 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no' + id: 35fcf7d9-19c6-48fe-831d-0b78cbf96323 + iscommand: false + name: Is Netcraft Integration Enabled? + playbooktaskmissingcomponent: + script: IsIntegrationAvailable + type: condition + version: -1 + taskid: 35fcf7d9-19c6-48fe-831d-0b78cbf96323 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": -1190, + "y": 700 + } + } + "41": + continueonerror: true + continueonerrortype: errorPath + id: "41" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "45" + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + attack: + complex: + accessor: URL + root: Blocklist + comment: + simple: Malicious - Added by Netcraft Integration + separatecontext: false + skipunavailable: true + task: + brand: Netcraft V2 + description: | + Report a new attack or authorize an existing attack in the Takedown Service. + If a takedown for the attack already exists in the Netcraft system it will be authorized, otherwise, a new takedown will be added and authorized. + id: 1ec1007b-cee0-4042-9347-89d34dc15280 + iscommand: true + name: Block URL with Netcraft + playbooktaskmissingcomponent: + script: Netcraft V2|||netcraft-attack-report + type: regular + version: -1 + taskid: 1ec1007b-cee0-4042-9347-89d34dc15280 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": -1210, + "y": 1110 + } + } + "42": + continueonerrortype: "" + id: "42" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "43" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: f840dbdd-478b-445f-8f0b-a5527a54467b + iscommand: false + name: Prisma SASE + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: f840dbdd-478b-445f-8f0b-a5527a54467b + timertriggers: [] + type: title + view: |- + { + "position": { + "x": -1610, + "y": 570 + } + } + "43": + continueonerrortype: "" + id: "43" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "2" + "yes": + - "44" + note: false + quietmode: 0 + scriptarguments: + brandname: + simple: Palo Alto Networks - Prisma SASE + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no' + id: e5de9af1-33df-4064-82d9-b5b87f472d7f + iscommand: false + name: Is Prisma SASE Enabled? + playbooktaskmissingcomponent: + script: IsIntegrationAvailable + type: condition + version: -1 + taskid: e5de9af1-33df-4064-82d9-b5b87f472d7f + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": -1610, + "y": 700 + } + } + "44": + continueonerrortype: "" + id: "44" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + AutoCommit: + complex: + root: inputs.AutoCommit + CategoryName: + complex: + root: inputs.CustomURLCategory + Folder: + complex: + root: inputs.Folder + transformers: + - operator: uniq + ShadowMode: + simple: ${inputs.ShadowMode} + URL: + complex: + accessor: URL + root: Blocklist + transformers: + - operator: uniq + separatecontext: true + skipunavailable: true + task: + brand: "" + description: |- + The playbook will handle the operation of blocking a URL within the organization. + If a category is provided, the URL will be added to the list. + If not, a new URL category will be created, and a new security rule that blocks that category. + id: 44174e4f-4c2f-4b0d-bca9-2d20443cb14a + iscommand: false + name: Prisma SASE - Block URL + playbookId: Prisma SASE - Block URL + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: 44174e4f-4c2f-4b0d-bca9-2d20443cb14a + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": -1620, + "y": 1110 + } + } + "45": + continueonerrortype: "" + id: "45" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: 4dfd2d90-734e-437d-8e77-09c381d690d4 + iscommand: false + name: Foundation - Foundation - Error Handling_V3 + playbookId: Foundation - Foundation - Error Handling_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: 4dfd2d90-734e-437d-8e77-09c381d690d4 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 1320, + "y": 1250 + } + } + "46": + continueonerrortype: "" + id: "46" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + Full Run: + - "41" + Shadow Mode: + - "47" + note: false + quietmode: 0 + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 1f389db9-44cc-4d31-8873-af3fabff91ee + iscommand: false + name: Run Mode? + playbooktaskmissingcomponent: + script: 'ShadowModeRouter_V3' + type: condition + version: -1 + taskid: 1f389db9-44cc-4d31-8873-af3fabff91ee + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": -1010, + "y": 930 + } + } + "47": + continueonerrortype: "" + id: "47" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow: Netcraft Block URL + Command: netcraft-attack-report ${inputs.URL} + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: 798987c4-a92a-4a46-81d7-8a75673cf91f + iscommand: false + name: 'Shadow: Netcraft Block URL' + playbooktaskmissingcomponent: + script: Print + type: regular + version: -1 + taskid: 798987c4-a92a-4a46-81d7-8a75673cf91f + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": -800, + "y": 1110 + } + } + "48": + continueonerrortype: "" + id: "48" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + Full Run: + - "29" + Shadow Mode: + - "49" + note: false + quietmode: 0 + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 259b3342-c025-42fb-8968-19a973fc157f + iscommand: false + name: Run Mode? + playbooktaskmissingcomponent: + script: 'ShadowModeRouter_V3' + type: condition + version: -1 + taskid: 259b3342-c025-42fb-8968-19a973fc157f + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": -310, + "y": 915 + } + } + "49": + continueonerrortype: "" + id: "49" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow: PAN-OS Block URL + Command: ${inputs.URL} + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: 48b10ee6-14dc-4469-91dd-0c1a415df245 + iscommand: false + name: 'Shadow: PAN-OS Tag URLs' + playbooktaskmissingcomponent: + script: Print + type: regular + version: -1 + taskid: 48b10ee6-14dc-4469-91dd-0c1a415df245 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 100, + "y": 1100 + } + } + "50": + continueonerrortype: "" + id: "50" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + Full Run: + - "13" + Shadow Mode: + - "51" + note: false + quietmode: 0 + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 83fd5a0e-d619-4718-8a3b-a522e6f8e90d + iscommand: false + name: Run Mode? + playbooktaskmissingcomponent: + script: 'ShadowModeRouter_V3' + type: condition + version: -1 + taskid: 83fd5a0e-d619-4718-8a3b-a522e6f8e90d + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 700, + "y": 900 + } + } + "51": + continueonerrortype: "" + id: "51" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow: Zscaler Block URL + Command: zscaler-blacklist-url ${inputs.URL} + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: 312361db-263e-4749-9b40-9e4ad4157c73 + iscommand: false + name: 'Shadow: Zscaler Block URL' + playbooktaskmissingcomponent: + script: Print + type: regular + version: -1 + taskid: 312361db-263e-4749-9b40-9e4ad4157c73 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 970, + "y": 1100 + } + } + "52": + continueonerrortype: "" + id: "52" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + Full Run: + - "35" + Shadow Mode: + - "53" + note: false + quietmode: 0 + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 5e1ec99e-33ed-4ea2-8193-132fe3afc301 + iscommand: false + name: Run Mode? + playbooktaskmissingcomponent: + script: 'ShadowModeRouter_V3' + type: condition + version: -1 + taskid: 5e1ec99e-33ed-4ea2-8193-132fe3afc301 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 1610, + "y": 915 + } + } + "53": + continueonerrortype: "" + id: "53" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow: Force Add URL to Category + Command: fp-add-address-to-category ${inputs.URL} + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: 5556e965-ce5f-4845-b81a-30fbca83bdea + iscommand: false + name: 'Shadow: Force Add URL to Category' + playbooktaskmissingcomponent: + script: Print + type: regular + version: -1 + taskid: 5556e965-ce5f-4845-b81a-30fbca83bdea + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1830, + "y": 1110 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": { + "12_2_#default#": 0.18, + "12_50_yes": 0.77, + "19_2_#default#": 0.1, + "19_48_yes": 0.85, + "21_2_#default#": 0.18, + "27_2_#default#": 0.1, + "34_52_yes": 0.7, + "8_25_#default#": 0.1 + }, + "paper": { + "dimensions": { + "height": 1915, + "width": 4080, + "x": -1620, + "y": -470 + } + } + } +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Calculate_Severity_-_Critical_Assets_v2.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Calculate_Severity_-_Critical_Assets_v2.yml new file mode 100644 index 0000000..f6a550a --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Calculate_Severity_-_Critical_Assets_v2.yml @@ -0,0 +1,1537 @@ +adopted: true +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 5.0.0 + isoverridable: false + itemVersion: 2.7.14 + packID: "" + packName: Common Playbooks + prevname: "" + supportedModules: + - X1 + - X3 + - X5 + - ENT_PLUS + - agentix + toServerVersion: "" +description: |- + Determines if a critical assest is associated with the invesigation. The playbook returns a severity level of "Critical" if at least one critical asset is associated with the investigation. + Critical assets refer to: users, user groups, endpoints and endpoint groups. +id: 'SOC Calculate Severity - Critical Assets v2_V3' +inputs: +- description: CSV of critical users. + key: CriticalUsers + playbookInputQuery: + required: false + value: + simple: admin,administrator +- description: CSV of critical endpoints. + key: CriticalEndpoints + playbookInputQuery: + required: false + value: + simple: AdminPC +- description: CSV of DN names of critical AD groups. + key: CriticalGroups + playbookInputQuery: + required: false + value: + simple: Administrators, Domain Admins, Enterprise Admins, Schema Admins +- description: User accounts to check against the critical lists. + key: Account + playbookInputQuery: + required: false + value: + complex: + root: Account + transformers: + - operator: uniq +- description: Endpoints to check against the CriticalEndpoints list. + key: Endpoint + playbookInputQuery: + required: false + value: + complex: + root: Endpoint + transformers: + - operator: uniq +name: SOC Calculate Severity - Critical Assets v2_V3 +outputs: +- contextPath: Severities.CriticalAssetsSeverity + description: The score returned by the Calculate Severity - Critical Assets v2 playbook. + type: number +- contextPath: CriticalAssets + description: All critical assets involved in the incident. + type: unknown +- contextPath: CriticalAssets.CriticalEndpoints + description: Critical endpoints involved in the incident. + type: unknown +- contextPath: CriticalAssets.CriticalEndpointGroups + description: Critical endpoint-groups involved in the incident. + type: unknown +- contextPath: CriticalAssets.CriticalUsers + description: Critical users involved in the incident. + type: unknown +- contextPath: CriticalAssets.CriticalUserGroups + description: Critical user-groups involved in the incident. + type: unknown +sourceplaybookid: Calculate Severity - Critical Assets v2 +starttaskid: "0" +tags: +- SOC +- SOC_Framework +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "21" + - "19" + - "20" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 3eded69b-617e-4212-86b7-2537474285f3 + iscommand: false + name: "" + playbooktaskmissingcomponent: + version: -1 + taskid: 3eded69b-617e-4212-86b7-2537474285f3 + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 612.5, + "y": -400 + } + } + "8": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.Account.Username + operator: isNotEmpty + - - left: + iscontext: true + value: + simple: inputs.CriticalUsers + operator: isNotEmpty + label: "yes" + continueonerrortype: "" + id: "8" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "43" + "yes": + - "34" + - "50" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks whether there is at least one user involved in the alert + and at least one user defined as a critical asset. + id: 424aaa79-feb8-4351-8818-b15b2999b7a6 + iscommand: false + name: Do required user inputs exist? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 424aaa79-feb8-4351-8818-b15b2999b7a6 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 1680, + "y": -5 + } + } + "9": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: criticalusers + operator: in + right: + iscontext: true + value: + simple: usernames + root: criticalusers + operator: isNotEmpty + label: "yes" + continueonerrortype: "" + id: "9" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "43" + "yes": + - "54" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks if at least one of the usernames involved in the alert is + listed in the "CriticalUsers" list. + id: ae8f3642-3d2e-46e9-80e7-806b6cfbeca3 + iscommand: false + name: Is a critical user involved in the alert? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: ae8f3642-3d2e-46e9-80e7-806b6cfbeca3 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 1680, + "y": 420 + } + } + "10": + continueonerrortype: "" + id: "10" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 3e771227-3718-4714-89ac-51e80b242f8b + iscommand: false + name: Done + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 3e771227-3718-4714-89ac-51e80b242f8b + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 612.5, + "y": 1631 + } + } + "13": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: criticalendpoints + operator: in + right: + iscontext: true + value: + simple: hostnames + root: criticalendpoints + operator: isNotEmpty + label: "yes" + continueonerrortype: "" + id: "13" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "42" + "yes": + - "51" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks if at least one of the endpoints involved in the alert is + listed in the "CriticalEndpoints" list. + id: e94c9609-239f-4032-827a-8dc4b44b987a + iscommand: false + name: Is a critical endpoint involved in the alert? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: e94c9609-239f-4032-827a-8dc4b44b987a + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": -445, + "y": 420 + } + } + "19": + continueonerrortype: "" + id: "19" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "8" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: f62d3761-4856-44ee-80f1-668a0d53ce9d + iscommand: false + name: Critical Users + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: f62d3761-4856-44ee-80f1-668a0d53ce9d + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 1680, + "y": -215 + } + } + "20": + continueonerrortype: "" + id: "20" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "37" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: fd271425-66a0-48f9-8c71-fe1032820013 + iscommand: false + name: Critical Endpoints + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: fd271425-66a0-48f9-8c71-fe1032820013 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": -445, + "y": -215 + } + } + "21": + continueonerrortype: "" + id: "21" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "27" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: c59f6491-e15c-43aa-86ed-dad7d70cdf22 + iscommand: false + name: Critical Groups + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: c59f6491-e15c-43aa-86ed-dad7d70cdf22 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 612.5, + "y": -245 + } + } + "22": + continueonerrortype: "" + id: "22" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "23" + note: false + quietmode: 0 + reputationcalc: 1 + scriptarguments: + key: + simple: endpointgroups + value: + complex: + accessor: Groups + root: inputs.Endpoint + transformers: + - operator: Stringify + - args: + limit: {} + replaceWith: + value: + simple: = + toReplace: + value: + simple: CN= + operator: replace + - args: + limit: {} + replaceWith: + value: + simple: = + toReplace: + value: + simple: DC= + operator: replace + - args: + delimiter: + value: + simple: ',' + operator: split + - args: + limit: {} + replaceWith: {} + toReplace: + value: + simple: = + operator: replace + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Sets all endpoint groups to the context, as a list. + id: d199396a-b6cd-49e6-8eed-f8c40dbf6022 + iscommand: false + name: Get all endpoint groups + playbooktaskmissingcomponent: + script: Set + type: regular + version: -1 + taskid: d199396a-b6cd-49e6-8eed-f8c40dbf6022 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 232.5, + "y": 577 + } + } + "23": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: criticalgroups + operator: in + right: + iscontext: true + value: + simple: endpointgroups + root: criticalgroups + operator: isNotEmpty + label: "yes" + continueonerrortype: "" + id: "23" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "44" + "yes": + - "52" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks if at least one critical endpoint group is involved in the + alert. + id: 3f7ea2b9-d2c9-400c-8972-e64ec0ec7863 + iscommand: false + name: Is a critical endpoint group involved in the alert? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 3f7ea2b9-d2c9-400c-8972-e64ec0ec7863 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 232.5, + "y": 742 + } + } + "24": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: Groups + root: inputs.Account + operator: isExists + label: "yes" + continueonerrortype: "" + id: "24" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "44" + "yes": + - "29" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks if there is at least one user group involved in the alert. + id: 7160e3e9-7200-4ba5-808f-ac28e7ef86f6 + iscommand: false + name: Is there a user group? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 7160e3e9-7200-4ba5-808f-ac28e7ef86f6 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 992.5, + "y": 385 + } + } + "25": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: Groups + root: inputs.Endpoint + operator: isExists + label: "yes" + continueonerrortype: "" + id: "25" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "44" + "yes": + - "22" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks whether there is at least one group for an involved endpoint. + id: babf3f91-5d9c-47e8-870d-c236b9c68346 + iscommand: false + name: Is there an endpoint group? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: babf3f91-5d9c-47e8-870d-c236b9c68346 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 232.5, + "y": 385 + } + } + "26": + continueonerrortype: "" + id: "26" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "36" + - "35" + note: false + quietmode: 0 + reputationcalc: 1 + scriptarguments: + key: + simple: criticalgroups + value: + complex: + root: inputs.CriticalGroups + transformers: + - args: + delimiter: + value: + simple: ',' + operator: splitAndTrim + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Sets user-defined critical groups to context, as a list. + id: a0e5a630-df39-4346-846b-d67653fee2ec + iscommand: false + name: Get all user-defined critical groups + playbooktaskmissingcomponent: + script: Set + type: regular + version: -1 + taskid: a0e5a630-df39-4346-846b-d67653fee2ec + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 612.5, + "y": 90 + } + } + "27": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.CriticalGroups + operator: isNotEmpty + label: "yes" + continueonerrortype: "" + id: "27" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "44" + "yes": + - "26" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks if there are any user-defined critical groups in the playbook + inputs. + id: f43d598e-ba8f-4dc0-8405-46fbbd12ec79 + iscommand: false + name: Are there user-defined critical groups? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: f43d598e-ba8f-4dc0-8405-46fbbd12ec79 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 612.5, + "y": -100 + } + } + "29": + continueonerrortype: "" + id: "29" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "30" + note: false + quietmode: 0 + reputationcalc: 1 + scriptarguments: + key: + simple: accountgroups + value: + complex: + accessor: Groups + root: inputs.Account + transformers: + - operator: Stringify + - args: + limit: {} + replaceWith: + value: + simple: = + toReplace: + value: + simple: CN= + operator: replace + - args: + limit: {} + replaceWith: + value: + simple: = + toReplace: + value: + simple: DC= + operator: replace + - args: + delimiter: + value: + simple: ',' + operator: split + - args: + limit: {} + replaceWith: {} + toReplace: + value: + simple: = + operator: replace + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Sets all user groups to the context, as a list. + id: 80d01617-682f-4dbb-8e9a-5bb7660d03b7 + iscommand: false + name: Get all user groups + playbooktaskmissingcomponent: + script: Set + type: regular + version: -1 + taskid: 80d01617-682f-4dbb-8e9a-5bb7660d03b7 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 992.5, + "y": 577 + } + } + "30": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: criticalgroups + operator: in + right: + iscontext: true + value: + simple: accountgroups + root: criticalgroups + operator: isNotEmpty + label: "yes" + continueonerrortype: "" + id: "30" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "44" + "yes": + - "53" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks whether at least one user group is involved in the alert. + id: 09afd6ef-f9b2-4be1-80a6-f294243dc89a + iscommand: false + name: Is a critical user group involved in the alert? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 09afd6ef-f9b2-4be1-80a6-f294243dc89a + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 992.5, + "y": 742 + } + } + "34": + continueonerrortype: "" + id: "34" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "9" + note: false + quietmode: 0 + reputationcalc: 1 + scriptarguments: + key: + simple: usernames + value: + complex: + accessor: Username + root: inputs.Account + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Sets all usernames involved in the alert to context. + id: b93fb183-5e45-442b-8083-6706d301202c + iscommand: false + name: Get all usernames + playbooktaskmissingcomponent: + script: Set + type: regular + version: -1 + taskid: b93fb183-5e45-442b-8083-6706d301202c + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1890, + "y": 235 + } + } + "35": + continueonerrortype: "" + id: "35" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "25" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 53feba0a-5f2f-410c-882f-b95cbd9c5fbb + iscommand: false + name: Critical Endpoint Groups + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 53feba0a-5f2f-410c-882f-b95cbd9c5fbb + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 232.5, + "y": 265 + } + } + "36": + continueonerrortype: "" + id: "36" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "24" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 37f291a8-8336-412f-8f0f-26bfa0fa7e7d + iscommand: false + name: Critical User Groups + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 37f291a8-8336-412f-8f0f-26bfa0fa7e7d + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 992.5, + "y": 265 + } + } + "37": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: Hostname + root: inputs.Endpoint + operator: isNotEmpty + - - left: + iscontext: true + value: + simple: inputs.CriticalEndpoints + operator: isNotEmpty + label: "yes" + continueonerrortype: "" + id: "37" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "42" + "yes": + - "39" + - "49" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks whether there is at least one endpoint involved in the alert + and at least one hostname defined as a critical asset. + id: d0e85e0c-9d5f-46a2-8f7d-37c5cccfb2af + iscommand: false + name: Do required endpoint inputs exist? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: d0e85e0c-9d5f-46a2-8f7d-37c5cccfb2af + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": -445, + "y": -5 + } + } + "39": + continueonerrortype: "" + id: "39" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "13" + note: false + quietmode: 0 + reputationcalc: 1 + scriptarguments: + key: + simple: hostnames + value: + complex: + accessor: Hostname + root: inputs.Endpoint + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Sets all hostnames to context. + id: 86e2054c-c8b2-4c83-8d2b-40afd339203a + iscommand: false + name: Get all hostnames + playbooktaskmissingcomponent: + script: Set + type: regular + version: -1 + taskid: 86e2054c-c8b2-4c83-8d2b-40afd339203a + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": -260, + "y": 220 + } + } + "42": + continueonerrortype: "" + id: "42" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "10" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: fab539ae-ff25-486e-82b4-9c94f0426de4 + iscommand: false + name: No Critical Endpoints + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: fab539ae-ff25-486e-82b4-9c94f0426de4 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": -875, + "y": 1200 + } + } + "43": + continueonerrortype: "" + id: "43" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "10" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 33b118b1-2ecc-47bc-8eed-ce8e53b5a160 + iscommand: false + name: No Critical Users + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 33b118b1-2ecc-47bc-8eed-ce8e53b5a160 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 2140, + "y": 1200 + } + } + "44": + continueonerrortype: "" + id: "44" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "10" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 008bea76-3889-4e55-894b-058dbb6dda36 + iscommand: false + name: No Critical Groups + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 008bea76-3889-4e55-894b-058dbb6dda36 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 612.5, + "y": 945 + } + } + "46": + continueonerrortype: "" + id: "46" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "55" + note: false + quietmode: 0 + reputationcalc: 1 + scriptarguments: + key: + simple: Severities.CriticalAssetsSeverity + value: + simple: Critical + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Sets the severity output of this playbook to "Critical". + id: 7f151914-046a-4f0a-8594-90ac5447ddca + iscommand: false + name: Set severity to critical + playbooktaskmissingcomponent: + script: Set + type: regular + version: -1 + taskid: 7f151914-046a-4f0a-8594-90ac5447ddca + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 612.5, + "y": 1265 + } + } + "49": + continueonerrortype: "" + id: "49" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "13" + note: false + quietmode: 0 + reputationcalc: 1 + scriptarguments: + key: + simple: criticalendpoints + value: + complex: + root: inputs.CriticalEndpoints + transformers: + - args: + delimiter: + value: + simple: ',' + operator: splitAndTrim + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Sets all critical endpoints to context, as a list. + id: 5a9cf941-59dd-4d46-8153-8b76a30c4168 + iscommand: false + name: Get all critical endpoints + playbooktaskmissingcomponent: + script: Set + type: regular + version: -1 + taskid: 5a9cf941-59dd-4d46-8153-8b76a30c4168 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": -670, + "y": 220 + } + } + "50": + continueonerrortype: "" + id: "50" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "9" + note: false + quietmode: 0 + reputationcalc: 1 + scriptarguments: + key: + simple: criticalusers + value: + complex: + root: inputs.CriticalUsers + transformers: + - args: + delimiter: + value: + simple: ',' + operator: splitAndTrim + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Sets all critical usernames in context, as a list. + id: 0db98f70-66d9-4ba3-8616-5af419630189 + iscommand: false + name: Get all critical usernames + playbooktaskmissingcomponent: + script: Set + type: regular + version: -1 + taskid: 0db98f70-66d9-4ba3-8616-5af419630189 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1480, + "y": 235 + } + } + "51": + continueonerrortype: "" + id: "51" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "46" + note: false + quietmode: 0 + reputationcalc: 1 + scriptarguments: + append: + simple: "true" + key: + simple: CriticalAssets.CriticalEndpoints + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: criticalendpoints + operator: in + right: + iscontext: true + value: + simple: hostnames + root: criticalendpoints + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Sets the critical endpoints to the CriticalAssets.CriticalEndpoints + context key, which is an output of this playbook. + id: a680f6b3-2306-407d-8a2b-a8a7bf1a4df6 + iscommand: false + name: Set critical endpoints to output + playbooktaskmissingcomponent: + script: Set + type: regular + version: -1 + taskid: a680f6b3-2306-407d-8a2b-a8a7bf1a4df6 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": -445, + "y": 742 + } + } + "52": + continueonerrortype: "" + id: "52" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "46" + note: false + quietmode: 0 + reputationcalc: 1 + scriptarguments: + append: + simple: "true" + key: + simple: CriticalAssets.CriticalEndpointGroups + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: criticalgroups + operator: in + right: + iscontext: true + value: + simple: endpointgroups + root: criticalgroups + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Sets the critical endpoint groups to the CriticalAssets.CriticalEndpointGroups + context key, which is an output of this playbook. + id: 7c4d5151-dc5e-40c3-8697-440b4e3e9cae + iscommand: false + name: Set critical endpoint groups to output + playbooktaskmissingcomponent: + script: Set + type: regular + version: -1 + taskid: 7c4d5151-dc5e-40c3-8697-440b4e3e9cae + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 232.5, + "y": 1040 + } + } + "53": + continueonerrortype: "" + id: "53" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "46" + note: false + quietmode: 0 + scriptarguments: + append: + simple: "true" + key: + simple: CriticalAssets.UserGroups + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: criticalgroups + operator: in + right: + iscontext: true + value: + simple: accountgroups + root: criticalgroups + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Sets the critical user groups to the CriticalAssets.CriticalUserGroups + context key, which is an output of this playbook. + id: 82bd69bb-ecc0-4438-8aa3-79626adf62a9 + iscommand: false + name: Set critical user groups to output + playbooktaskmissingcomponent: + script: Set + type: regular + version: -1 + taskid: 82bd69bb-ecc0-4438-8aa3-79626adf62a9 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 992.5, + "y": 1040 + } + } + "54": + continueonerrortype: "" + id: "54" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "46" + note: false + quietmode: 0 + reputationcalc: 1 + scriptarguments: + append: + simple: "true" + key: + simple: CriticalAssets.Users + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: criticalusers + operator: in + right: + iscontext: true + value: + simple: usernames + root: criticalusers + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Sets the critical users to the CriticalAssets.CriticalUsers context + key, which is an output of this playbook. + id: 40a52d56-8468-4161-8832-9f3a8edbdc20 + iscommand: false + name: Set critical users to output + playbooktaskmissingcomponent: + script: Set + type: regular + version: -1 + taskid: 40a52d56-8468-4161-8832-9f3a8edbdc20 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1680, + "y": 742 + } + } + "55": + continueonerrortype: "" + id: "55" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "10" + note: false + quietmode: 0 + reputationcalc: 1 + scriptarguments: + critical_assets: + complex: + root: CriticalAssets + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Sets the critical assets to an alert field which can be displayed + in the alert layout. + id: 9337a013-1493-4943-8d8f-42fe0feb437e + iscommand: false + name: Set critical assets to alert field + playbooktaskmissingcomponent: + script: PopulateCriticalAssets + type: regular + version: -1 + taskid: 9337a013-1493-4943-8d8f-42fe0feb437e + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 612.5, + "y": 1440 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": { + "13_42_#default#": 0.34, + "13_51_yes": 0.53, + "23_44_#default#": 0.52, + "23_52_yes": 0.58, + "24_29_yes": 0.55, + "24_44_#default#": 0.32, + "25_22_yes": 0.61, + "25_44_#default#": 0.33, + "27_26_yes": 0.56, + "27_44_#default#": 0.58, + "30_44_#default#": 0.58, + "37_39_yes": 0.55, + "37_42_#default#": 0.45, + "8_34_yes": 0.34, + "8_43_#default#": 0.45, + "8_50_yes": 0.33, + "9_43_#default#": 0.36, + "9_54_yes": 0.43 + }, + "paper": { + "dimensions": { + "height": 2096, + "width": 3395, + "x": -875, + "y": -400 + } + } + } +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Calculate_Severity_-_Generic_v2.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Calculate_Severity_-_Generic_v2.yml new file mode 100644 index 0000000..90bce32 --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Calculate_Severity_-_Generic_v2.yml @@ -0,0 +1,1009 @@ +adopted: true +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 5.0.0 + isoverridable: false + itemVersion: 2.7.14 + packID: "" + packName: Common Playbooks + prevname: "" + supportedModules: + - X1 + - X3 + - X5 + - ENT_PLUS + - agentix + toServerVersion: "" +description: |- + Calculate and assign the alert severity based on the highest returned severity level from the following calculations: + + - DBotScores of indicators + - Critical assets + - Email authenticity + - Current alert severity + - Microsoft Headers + - Risky users (XDR) + - Risky hosts (XDR). +id: 'SOC Calculate Severity - Generic v2_V3' +inputs: +- description: 'Array of all indicator values associated with the incident. ' + key: DBotScoreIndicators + playbookInputQuery: + required: false + value: + complex: + accessor: Indicator + root: DBotScore + transformers: + - operator: uniq +- description: CSV of usernames of critical users. + key: CriticalUsers + playbookInputQuery: + required: false + value: + simple: admin,administrator +- description: CSV of hostnames of critical endpoints. + key: CriticalEndpoints + playbookInputQuery: + required: false + value: + simple: admin +- description: CSV of DN names of critical AD groups. + key: CriticalGroups + playbookInputQuery: + required: false + value: + simple: admins,administrators +- description: User accounts to check against the critical lists. + key: Account + playbookInputQuery: + required: false + value: + complex: + root: Account + transformers: + - operator: uniq +- description: Endpoints to check against the CriticalEndpoints list. + key: Endpoint + playbookInputQuery: + required: false + value: + complex: + root: Endpoint + transformers: + - operator: uniq +- description: 'Indicates the email authenticity resulting from the EmailAuthenticityCheck + script. Possible values are: Pass, Fail, Suspicious, and Undetermined.' + key: EmailAuthenticityCheck + playbookInputQuery: + required: false + value: + complex: + accessor: AuthenticityCheck + root: Email + transformers: + - operator: uniq +- description: The value is set by the "Process Microsoft's Anti-Spam Headers" Playbook, + which calculates the severity after processing the PCL, BCL and PCL values inside + Microsoft's headers. + key: MicrosoftHeadersSeverityCheck + playbookInputQuery: + required: false + value: + simple: ${Email.MicrosoftHeadersSeverityCheck} +- description: An object of risky users and their corresponding scores, as outputted + by the "xdr-list-risky-users" command. + key: XDRRiskyUsers + playbookInputQuery: + required: false + value: + complex: + accessor: RiskyUser + root: PaloAltoNetworksXDR + transformers: + - operator: uniq +- description: An object of risky hosts and their corresponding scores, as outputted + by the "xdr-list-risky-hosts" command. + key: XDRRiskyHosts + playbookInputQuery: + required: false + value: + complex: + accessor: RiskyHost + root: PaloAltoNetworksXDR + transformers: + - operator: uniq +- description: The highest score (number) that was given to a DBotScore indicator. + key: DBotScoreMaxScore + playbookInputQuery: + required: false + value: + complex: + accessor: Score + root: DBotScore + transformers: + - args: + descending: + value: + simple: "true" + operator: sort + - operator: uniq + - operator: FirstArrayElement +name: SOC Calculate Severity - Generic v2_V3 +outputs: +- contextPath: CriticalAssets + description: All critical assets involved in the incident. + type: unknown +- contextPath: CriticalAssets.CriticalEndpoints + description: Critical endpoints involved in the incident. + type: unknown +- contextPath: CriticalAssets.CriticalEndpointGroups + description: Critical endpoint-groups involved in the incident. + type: unknown +- contextPath: CriticalAssets.CriticalUsers + description: Critical users involved in the incident. + type: unknown +- contextPath: CriticalAssets.CriticalUserGroups + description: Critical user-groups involved in the incident. + type: unknown +sourceplaybookid: Calculate Severity - Generic v2 +starttaskid: "0" +tags: +- SOC +- SOC_Framework +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "24" + - "16" + - "27" + - "28" + - "30" + - "31" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 04b74656-7f4c-43a2-83fb-b011ea67ddad + iscommand: false + name: "" + playbooktaskmissingcomponent: + version: -1 + taskid: 04b74656-7f4c-43a2-83fb-b011ea67ddad + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 910, + "y": 50 + } + } + "4": + continueonerrortype: "" + id: "4" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "10" + note: false + quietmode: 0 + reputationcalc: 1 + scriptarguments: + severity: + simple: low + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: Sets the alert severity to "Low". + id: 7545aa84-84de-4d25-8267-a4869df37f20 + iscommand: true + name: Set alert severity to "Low" + playbooktaskmissingcomponent: + script: Builtin|||setAlert + type: regular + version: -1 + taskid: 7545aa84-84de-4d25-8267-a4869df37f20 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 50, + "y": 870 + } + } + "5": + continueonerrortype: "" + id: "5" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "10" + note: false + quietmode: 0 + reputationcalc: 1 + scriptarguments: + severity: + simple: medium + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: Sets the alert severity to "Medium". + id: e85a5537-be94-4bdf-80c5-ecf7578a3bf4 + iscommand: true + name: Set alert severity to "Medium" + playbooktaskmissingcomponent: + script: Builtin|||setAlert + type: regular + version: -1 + taskid: e85a5537-be94-4bdf-80c5-ecf7578a3bf4 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 470, + "y": 870 + } + } + "6": + continueonerrortype: "" + id: "6" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "10" + note: false + quietmode: 0 + reputationcalc: 1 + scriptarguments: + severity: + simple: high + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: Sets the alert severity to "High". + id: 4bfe9fb2-b2fe-45fb-86ce-929ee39db485 + iscommand: true + name: Set alert severity to "High" + playbooktaskmissingcomponent: + script: Builtin|||setAlert + type: regular + version: -1 + taskid: 4bfe9fb2-b2fe-45fb-86ce-929ee39db485 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1340, + "y": 870 + } + } + "10": + continueonerrortype: "" + id: "10" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 38bc2f72-5d8d-4de9-87bd-8661322de56f + iscommand: false + name: Done + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 38bc2f72-5d8d-4de9-87bd-8661322de56f + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 910, + "y": 1100 + } + } + "11": + continueonerrortype: "" + id: "11" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "10" + note: false + quietmode: 0 + reputationcalc: 1 + scriptarguments: + severity: + simple: critical + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: Sets the alert severity to "Critical". + id: f8efdce3-590d-400b-8c57-2c759dd30b56 + iscommand: true + name: Set alert severity to "Critical" + playbooktaskmissingcomponent: + script: Builtin|||setAlert + type: regular + version: -1 + taskid: f8efdce3-590d-400b-8c57-2c759dd30b56 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1770, + "y": 870 + } + } + "15": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: Severities.DBotScoreSeverity + operator: containsGeneral + right: + value: + simple: Critical + - ignorecase: true + left: + iscontext: true + value: + simple: Severities.CriticalAssetsSeverity + operator: containsGeneral + right: + value: + simple: Critical + - ignorecase: true + left: + iscontext: true + value: + simple: Severities.EmailAuthenticitySeverity + operator: containsGeneral + right: + value: + simple: Critical + - ignorecase: true + left: + iscontext: true + value: + simple: Severities.IncidentSeverity + operator: isEqualString + right: + value: + simple: "4" + - left: + iscontext: true + value: + simple: Severities.MicrosoftHeadersSeverityCheck + operator: isEqualString + right: + value: + simple: "4" + root: Severities + operator: isNotEmpty + label: Critical + - condition: + - - left: + iscontext: true + value: + complex: + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: Severities.DBotScoreSeverity + operator: containsGeneral + right: + value: + simple: High + - ignorecase: true + left: + iscontext: true + value: + simple: Severities.CriticalAssetsSeverity + operator: containsGeneral + right: + value: + simple: High + - ignorecase: true + left: + iscontext: true + value: + simple: Severities.EmailAuthenticitySeverity + operator: containsGeneral + right: + value: + simple: High + - ignorecase: true + left: + iscontext: true + value: + simple: Severities.IncidentSeverity + operator: isEqualString + right: + value: + simple: "3" + - left: + iscontext: true + value: + simple: Severities.MicrosoftHeadersSeverityCheck + operator: isEqualString + right: + value: + simple: "3" + - ignorecase: true + left: + iscontext: true + value: + simple: Severities.XDRUserSeverity + operator: isEqualString + right: + value: + simple: High + - ignorecase: true + left: + iscontext: true + value: + simple: Severities.XDRHostSeverity + operator: isEqualString + right: + value: + simple: High + root: Severities + operator: isNotEmpty + label: High + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: Severities.DBotScoreSeverity + operator: containsGeneral + right: + value: + simple: Medium + - ignorecase: true + left: + iscontext: true + value: + simple: Severities.CriticalAssetsSeverity + operator: containsGeneral + right: + value: + simple: Medium + - left: + iscontext: true + value: + simple: Severities.EmailAuthenticitySeverity + operator: containsGeneral + right: + value: + simple: Medium + - ignorecase: true + left: + iscontext: true + value: + simple: Severities.IncidentSeverity + operator: isEqualString + right: + value: + simple: "2" + - left: + iscontext: true + value: + simple: Severities.MicrosoftHeadersSeverityCheck + operator: containsGeneral + right: + value: + simple: "2" + - ignorecase: true + left: + iscontext: true + value: + simple: Severities.XDRUserSeverity + operator: isEqualString + right: + value: + simple: Medium + - ignorecase: true + left: + iscontext: true + value: + simple: Severities.XDRHostSeverity + operator: isEqualString + right: + value: + simple: Medium + root: Severities + operator: isNotEmpty + label: Medium + - condition: + - - left: + iscontext: true + value: + complex: + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: Severities.DBotScoreSeverity + operator: containsGeneral + right: + value: + simple: Low + - ignorecase: true + left: + iscontext: true + value: + simple: Severities.CriticalAssetsSeverity + operator: containsGeneral + right: + value: + simple: Low + - ignorecase: true + left: + iscontext: true + value: + simple: Severities.EmailAuthenticitySeverity + operator: containsGeneral + right: + value: + simple: Low + - ignorecase: true + left: + iscontext: true + value: + simple: Severities.IncidentSeverity + operator: isEqualString + right: + value: + simple: "1" + - left: + iscontext: true + value: + simple: Severities.MicrosoftHeadersSeverityCheck + operator: isEqualString + right: + value: + simple: "1" + - ignorecase: true + left: + iscontext: true + value: + simple: Severities.XDRUserSeverity + operator: isEqualString + right: + value: + simple: Low + - ignorecase: true + left: + iscontext: true + value: + simple: Severities.XDRHostSeverity + operator: isEqualString + right: + value: + simple: Low + root: Severities + operator: isNotEmpty + label: Low + continueonerrortype: "" + id: "15" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "25" + Critical: + - "11" + High: + - "6" + Low: + - "4" + Medium: + - "5" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Determines the severity level based on the highest result of all + severity calculations. + id: b8bbb253-9e4b-406f-8253-31c2440b2338 + iscommand: false + name: Determine alert severity + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: b8bbb253-9e4b-406f-8253-31c2440b2338 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 910, + "y": 670 + } + } + "16": + continueonerrortype: "" + id: "16" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "15" + note: false + quietmode: 0 + reputationcalc: 1 + scriptarguments: + append: + simple: "true" + key: + simple: Severities.IncidentSeverity + value: + complex: + accessor: severity + root: alert + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Sets the current severity of the alert in the context. + id: f1f90aa7-e463-4206-8f96-13c6ff993ffa + iscommand: false + name: Get current alert severity + playbooktaskmissingcomponent: + script: Set + type: regular + version: -1 + taskid: f1f90aa7-e463-4206-8f96-13c6ff993ffa + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 910, + "y": 200 + } + } + "24": + continueonerrortype: "" + id: "24" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" + iscommand: false + max: 0 + wait: 1 + nexttasks: + '#none#': + - "15" + note: false + quietmode: 0 + scriptarguments: + EmailAuthenticityCheck: + complex: + root: inputs.EmailAuthenticityCheck + separatecontext: true + skipunavailable: true + task: + brand: "" + description: Calculates a severity according to the verdict coming from the + CheckEmailAuthenticity script. + id: 86c4ba1f-fddb-4f6b-8712-c5b0fc6bb55a + iscommand: false + name: Calculate Severity By Email Authenticity + playbookId: Calculate Severity By Email Authenticity + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: 86c4ba1f-fddb-4f6b-8712-c5b0fc6bb55a + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": -20, + "y": 200 + } + } + "25": + continueonerrortype: "" + id: "25" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "10" + note: false + quietmode: 0 + reputationcalc: 1 + scriptarguments: + severity: + simple: unknown + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: Sets the alert severity to "Unknown". + id: 6f297d0f-4a63-4183-8414-75d3de056b23 + iscommand: true + name: Set alert severity level to "Unknown" + playbooktaskmissingcomponent: + script: Builtin|||setAlert + type: regular + version: -1 + taskid: 6f297d0f-4a63-4183-8414-75d3de056b23 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 910, + "y": 905 + } + } + "26": + continueonerrortype: "" + id: "26" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "15" + note: false + quietmode: 0 + scriptarguments: + key: + simple: Severities.MicrosoftHeadersSeverityCheck + value: + complex: + root: inputs.MicrosoftHeadersSeverityCheck + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Calculates the severity after processing the PCL, BCL and PCL values + inside Microsoft headers. If no value is entered, nothing is returned. + id: 2b705d3f-b982-4480-806a-42ab6f3026be + iscommand: false + name: Set Microsoft Headers Severity Check + playbooktaskmissingcomponent: + script: Set + type: regular + version: -1 + taskid: 2b705d3f-b982-4480-806a-42ab6f3026be + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1950, + "y": 450 + } + } + "27": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.MicrosoftHeadersSeverityCheck + operator: isNotEmpty + label: "yes" + continueonerrortype: "" + id: "27" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "15" + "yes": + - "26" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: This task verifies that the playbook input "MicrosoftHeadersSeverityCheck" + is not empty. + id: 6e24dd7e-cb39-474c-87e1-8a94d2e42577 + iscommand: false + name: Check if MicrosoftHeadersSeverityCheck is not empty + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 6e24dd7e-cb39-474c-87e1-8a94d2e42577 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 1840, + "y": 200 + } + } + "28": + continueonerrortype: "" + id: "28" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - "15" + note: false + quietmode: 0 + scriptarguments: + XDRRiskyHosts: + complex: + root: inputs.XDRRiskyHosts + XDRRiskyUsers: + complex: + root: inputs.XDRRiskyUsers + separatecontext: true + skipunavailable: true + task: + brand: "" + id: b771e4bf-bbac-4d17-8a2d-e042e64cf9ec + iscommand: false + name: Calculate Severity - Cortex XDR Risky Assets + playbookName: Calculate Severity - Cortex XDR Risky Assets + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: b771e4bf-bbac-4d17-8a2d-e042e64cf9ec + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": -450, + "y": 200 + } + } + "30": + continueonerrortype: "" + id: "30" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "15" + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: 11374e30-23e5-4078-890c-d263f4fc8895 + iscommand: false + name: SOC Calculate Severity - Critical Assets v2_V3 + playbookId: 'SOC Calculate Severity - Critical Assets v2_V3' + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: 11374e30-23e5-4078-890c-d263f4fc8895 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 440, + "y": 200 + } + } + "31": + continueonerrortype: "" + id: "31" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "15" + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: f84d36f6-b850-49c3-85e7-592c1dc09a5c + iscommand: false + name: SOC Calculate Severity By Highest DBotScore_V3 + playbookId: 'SOC Calculate Severity By Highest DBotScore_V3' + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: f84d36f6-b850-49c3-85e7-592c1dc09a5c + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 1380, + "y": 200 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": { + "15_11_Critical": 0.9, + "15_25_#default#": 0.59, + "15_4_Low": 0.9, + "15_5_Medium": 0.81, + "15_6_High": 0.82, + "27_26_yes": 0.62 + }, + "paper": { + "dimensions": { + "height": 1110, + "width": 2780, + "x": -450, + "y": 50 + } + } + } +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Calculate_Severity_By_Highest_DBotScore.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Calculate_Severity_By_Highest_DBotScore.yml new file mode 100644 index 0000000..9ccd658 --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Calculate_Severity_By_Highest_DBotScore.yml @@ -0,0 +1,551 @@ +adopted: true +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 6.0.0 + isoverridable: false + itemVersion: 2.7.14 + packID: "" + packName: Common Playbooks + prevname: "" + supportedModules: + - X1 + - X3 + - X5 + - ENT_PLUS + - agentix + toServerVersion: "" +description: Calculates the alert severity level according to the highest DBotScore. +id: 'SOC Calculate Severity By Highest DBotScore_V3' +inputs: +- description: 'Array of all DBotScore indicator values associated with the incident. ' + key: DBotScoreIndicators + playbookInputQuery: + required: false + value: + complex: + accessor: Indicator + root: DBotScore + transformers: + - operator: uniq +- description: The highest score that was given to a DBotScore indicator. + key: DBotScoreMaxScore + playbookInputQuery: + required: false + value: + complex: + accessor: Score + root: DBotScore + transformers: + - args: + descending: + value: + simple: "true" + operator: sort + - operator: uniq + - operator: FirstArrayElement +name: SOC Calculate Severity By Highest DBotScore_V3 +outputs: +- contextPath: Severities.DBotScoreSeverity + description: The severity level of the incident identified and set in the Calculate + Severity By Highest DBotScore playbook. + type: string +sourceplaybookid: Calculate Severity By Highest DBotScore +starttaskid: "0" +tags: +- SOC +- SOC_Framework +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "23" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 79cbff50-3ae4-48f1-8f6d-785a4c8163de + iscommand: false + name: "" + playbooktaskmissingcomponent: + version: -1 + taskid: 79cbff50-3ae4-48f1-8f6d-785a4c8163de + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 240, + "y": -10 + } + } + "10": + continueonerrortype: "" + id: "10" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 9d087581-2976-4b96-887a-27a3a8edd630 + iscommand: false + name: Done + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 9d087581-2976-4b96-887a-27a3a8edd630 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 240, + "y": 855 + } + } + "23": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.DBotScoreIndicators + operator: isNotEmpty + label: "yes" + continueonerrortype: "" + id: "23" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "24" + "yes": + - "31" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks if there is a "DBotScore" in the playbook input. + id: 2166ae1b-bafb-478b-81f9-c68b98651a63 + iscommand: false + name: Is there a DBotScore in inputs? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 2166ae1b-bafb-478b-81f9-c68b98651a63 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 240, + "y": 120 + } + } + "24": + continueonerrortype: "" + id: "24" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "30" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: d6b7eccb-3284-460d-8b20-197ea1c62f8a + iscommand: false + name: No DBotScore + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: d6b7eccb-3284-460d-8b20-197ea1c62f8a + timertriggers: [] + type: title + view: |- + { + "position": { + "x": -210, + "y": 290 + } + } + "25": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: Score + filters: + - - left: + iscontext: true + value: + simple: DBotScoreCache.Score + operator: isEqualString + right: + value: + simple: "3" + root: DBotScoreCache + operator: isNotEmpty + - left: + iscontext: true + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: inputs.DBotScoreMaxScore + operator: isEqualString + right: + value: + simple: "3" + root: inputs.DBotScoreMaxScore + operator: isNotEmpty + label: High + - condition: + - - left: + iscontext: true + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: DBotScoreCache.Score + operator: isEqualString + right: + value: + simple: "2" + root: DBotScoreCache.Score + operator: isNotEmpty + - left: + iscontext: true + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: inputs.DBotScoreMaxScore + operator: isEqualString + right: + value: + simple: "2" + root: inputs.DBotScoreMaxScore + operator: isNotEmpty + label: Medium + - condition: + - - left: + iscontext: true + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: DBotScoreCache.Score + operator: isEqualString + right: + value: + simple: "1" + root: DBotScoreCache.Score + operator: isNotEmpty + - left: + iscontext: true + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: inputs.DBotScoreMaxScore + operator: isEqualString + right: + value: + simple: "1" + root: inputs.DBotScoreMaxScore + operator: isNotEmpty + label: Low + continueonerrortype: "" + id: "25" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "30" + High: + - "27" + Low: + - "29" + Medium: + - "28" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: |- + Determines a severity based on the DBotScores of the indicators involved with the alert. Severity level is assigned according to the corresponding DBotScore: + No DBotScores / 0 = Unknown + 1 = Low + 2 = Medium + 3 = High + id: e66f1b7a-bf4c-4b8c-8995-ba249d9f7600 + iscommand: false + name: Evaluate severity based on DBotScore of indicators + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: e66f1b7a-bf4c-4b8c-8995-ba249d9f7600 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 592.5, + "y": 490 + } + } + "27": + continueonerrortype: "" + id: "27" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "10" + note: false + quietmode: 0 + reputationcalc: 1 + scriptarguments: + key: + simple: Severities.DBotScoreSeverity + value: + simple: High + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: Sets the severity of the alert to "High". This severity level means + that malicious indicators were identified. + id: 86bc9089-08a5-44e2-8a0f-03dd11411f9b + iscommand: false + name: Set severity to high + playbooktaskmissingcomponent: + script: Set + type: regular + version: -1 + taskid: 86bc9089-08a5-44e2-8a0f-03dd11411f9b + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 990, + "y": 685 + } + } + "28": + continueonerrortype: "" + id: "28" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "10" + note: false + quietmode: 0 + reputationcalc: 1 + scriptarguments: + key: + simple: Severities.DBotScoreSeverity + value: + simple: Medium + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: Sets the severity of the alert to "Medium". This severity level + means that only suspicious indicators were identified (no malicious indicators). + id: 288ac730-e8e3-4782-805f-e54721977877 + iscommand: false + name: Set severity to medium + playbooktaskmissingcomponent: + script: Set + type: regular + version: -1 + taskid: 288ac730-e8e3-4782-805f-e54721977877 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 592.5, + "y": 685 + } + } + "29": + continueonerrortype: "" + id: "29" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "10" + note: false + quietmode: 0 + reputationcalc: 1 + scriptarguments: + key: + simple: Severities.DBotScoreSeverity + value: + simple: Low + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: Sets the severity of the alert to "Low". This severity level means + no suspicious or malicious indicators were identified. + id: 3132e114-0841-4c3f-800f-fab492944f7a + iscommand: false + name: Set severity to low + playbooktaskmissingcomponent: + script: Set + type: regular + version: -1 + taskid: 3132e114-0841-4c3f-800f-fab492944f7a + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 190, + "y": 685 + } + } + "30": + continueonerrortype: "" + id: "30" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "10" + note: false + quietmode: 0 + reputationcalc: 1 + scriptarguments: + key: + simple: Severities.DBotScoreSeverity + value: + simple: Unknown + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: Sets the severity of the alert to "Unknown". This severity level + means that either unknown indicators were identified, or no indicators were + identified. + id: ca3d7b7e-95d9-48b6-87e1-c625b8f53c43 + iscommand: false + name: Set severity to unknown + playbooktaskmissingcomponent: + script: Set + type: regular + version: -1 + taskid: ca3d7b7e-95d9-48b6-87e1-c625b8f53c43 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": -210, + "y": 685 + } + } + "31": + continueonerrortype: "" + id: "31" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "25" + note: false + quietmode: 0 + scriptarguments: + value: + complex: + root: inputs.DBotScoreIndicators + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Get the overall score for the indicator as calculated by DBot. + id: 508c21c3-4362-4dd9-84a7-9efd305c0fef + iscommand: false + name: Get DBotScore from XSOAR + playbooktaskmissingcomponent: + script: GetIndicatorDBotScoreFromCache + type: regular + version: -1 + taskid: 508c21c3-4362-4dd9-84a7-9efd305c0fef + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 592.5, + "y": 310 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": { + "23_24_#default#": 0.24, + "25_27_High": 0.82, + "25_28_Medium": 0.76, + "25_29_Low": 0.78, + "25_30_#default#": 0.87 + }, + "paper": { + "dimensions": { + "height": 930, + "width": 1580, + "x": -210, + "y": -10 + } + } + } +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Cloud_IAM_Enrichment_-_Generic.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Cloud_IAM_Enrichment_-_Generic.yml new file mode 100644 index 0000000..34ec8f2 --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Cloud_IAM_Enrichment_-_Generic.yml @@ -0,0 +1,1287 @@ +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 6.8.0 + isoverridable: false + itemVersion: 2.7.2 + packID: "" + packName: Common Playbooks + prevname: "" + toServerVersion: "" +description: This playbook is responsible for collecting and enriching data on Identity + Access Management (IAM) in cloud environments (AWS, Azure, and GCP). +adopted: true +id: 'SOC Cloud IAM Enrichment - Generic_V3' +inputs: +- description: User name. + key: username + playbookInputQuery: + required: false + value: {} +- description: The GCP project name. + key: GCPProjectName + playbookInputQuery: + required: false + value: {} +- description: The cloud service provider involved. + key: cloudProvider + playbookInputQuery: + required: false + value: {} +- description: The cloud identity type. + key: cloudIdentityType + playbookInputQuery: + required: false + value: {} +name: SOC Cloud IAM Enrichment - Generic_V3 +outputs: +- contextPath: AWS.IAM.Users + description: |- + AWS AM Users include: + UserId + Arn + CreateDate + Path + PasswordLastUsed. + type: unknown +- contextPath: AWS.IAM.Users.AccessKeys + description: |- + AWS IAM Users Access Keys include: + AccessKeyId + Status + CreateDate + UserName. + type: unknown +- contextPath: GCPIAM + description: GCP IAM information. + type: unknown +- contextPath: GSuite + description: GSuite user information. + type: unknown +- contextPath: GSuite.PageToken + description: Token to specify the next page in the list. + type: unknown +- contextPath: MSGraphUser + description: MSGraph user information. + type: unknown +- contextPath: MSGraphGroups + description: MSGraph groups information. + type: unknown +- contextPath: MSGraph.identityProtection + description: MSGraph identity protection - risky user history. + type: unknown +- contextPath: AWS.IAM.Users.AccessKeys.CreateDate + description: The date when the access key was created. +- contextPath: AWS.IAM.Users.AccessKeys.UserName + description: The name of the IAM user that the key is associated with. +- contextPath: AWS.IAM.Users.Groups + description: AWS IAM - User groups. + type: unknown +- contextPath: AWS.IAM.UserPolicies + description: AWS IAM - user inline policies. + type: unknown +- contextPath: AWS.IAM.AttachedUserPolicies + description: AWS IAM - User attached policies. + type: unknown +- contextPath: MSGraphGroup + description: MSGraph group information. + type: unknown +- contextPath: MSGraph.identityProtection.RiskyUserHistory + description: Risky user history. + type: unknown +- contextPath: MSGraph.identityProtection.RiskyUserHistory.userPrincipalName + description: Risky user principal name. +- contextPath: MSGraph.identityProtection.RiskyUserHistory.userDisplayName + description: Risky user display name. +- contextPath: MSGraph.identityProtection.RiskyUserHistory.riskDetail + description: Reason why the user is considered a risky user. The possible values + are limited to none, adminGeneratedTemporaryPassword, userPerformedSecuredPasswordChange, + userPerformedSecuredPasswordReset, adminConfirmedSigninSafe, aiConfirmedSigninSafe, + userPassedMFADrivenByRiskBasedPolicy, adminDismissedAllRiskForUser, adminConfirmedSigninCompromised, + hidden, adminConfirmedUserCompromised, and unknownFutureValue. +- contextPath: MSGraph.identityProtection.RiskyUserHistory.riskstate + description: State of the user's risk. The possible values are none, confirmedSafe, + remediated, dismissed, atRisk, confirmedCompromised, and unknownFutureValue. +- contextPath: MSGraph.identityProtection.RiskyUserHistory.riskLevel + description: Risk level of the detected risky user. The possible values are low, + medium, high, hidden, none, and unknownFutureValue. +- contextPath: MSGraph.identityProtection.RiskyUserHistory.riskLastUpdatedDateTime + description: The date and time that the risky user was last updated. The DateTimeOffset + type represents date and time information using the ISO 8601 format and is always + in UTC time. +- contextPath: MSGraph.identityProtection.RiskyUserHistory.isProcessing + description: Indicates whether a user's risky state is being processed by the backend. +- contextPath: MSGraph.identityProtection.RiskyUserHistory.isDeleted + description: Indicates whether the user is deleted. +- contextPath: MSGraph.identityProtection.RiskyUserHistory.id + description: Unique ID of the risky user. +quiet: true +sourceplaybookid: Cloud IAM Enrichment - Generic +starttaskid: "0" +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "6" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 9de5923c-c321-4257-8432-398d992279fd + iscommand: false + name: "" + version: -1 + taskid: 9de5923c-c321-4257-8432-398d992279fd + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 440.5, + "y": 50 + } + } + "5": + continueonerrortype: "" + id: "5" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "27" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 422b1bd0-3778-47d8-8d30-c9418c3b9a35 + iscommand: false + name: Azure Enrichment Done + type: title + version: -1 + taskid: 422b1bd0-3778-47d8-8d30-c9418c3b9a35 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 590.5, + "y": 1225 + } + } + "6": + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + root: inputs.cloudProvider + operator: isEqualString + right: + value: + simple: AWS + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: state + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: modules.brand + operator: isEqualString + right: + value: + simple: AWS - IAM + root: modules + operator: isEqualString + right: + value: + simple: active + - - left: + iscontext: true + value: + simple: inputs.username + operator: isNotEmpty + label: AWS + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + root: inputs.cloudProvider + operator: isEqualString + right: + value: + simple: Azure + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: state + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: modules.brand + operator: isEqualString + right: + value: + simple: MicrosoftGraphIdentityandAccess + root: modules + operator: isEqualString + right: + value: + simple: active + - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: state + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: modules.brand + operator: isEqualString + right: + value: + simple: Microsoft Graph Groups + root: modules + operator: isEqualString + right: + value: + simple: active + - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: state + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: modules.brand + operator: isEqualString + right: + value: + simple: Microsoft Graph User + root: modules + operator: isEqualString + right: + value: + simple: active + - - left: + iscontext: true + value: + simple: inputs.username + operator: isNotEmpty + label: Azure + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.cloudProvider + operator: isEqualString + right: + value: + simple: GCP + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: state + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: modules.brand + operator: isEqualString + right: + value: + simple: GSuiteAdmin + root: modules + operator: isEqualString + right: + value: + simple: active + - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: state + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: modules.brand + operator: isEqualString + right: + value: + simple: GCP-IAM + root: modules + operator: isEqualString + right: + value: + simple: active + - - left: + iscontext: true + value: + simple: inputs.username + operator: isNotEmpty + label: GCP + continueonerrortype: "" + id: "6" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "27" + AWS: + - "17" + Azure: + - "11" + GCP: + - "19" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks the cloud provider. + id: b8926391-3158-4b4e-880e-4c25beb4752f + iscommand: false + name: Select cloud provider + type: condition + version: -1 + taskid: b8926391-3158-4b4e-880e-4c25beb4752f + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 440.5, + "y": 210 + } + } + "7": + continueonerror: true + continueonerrortype: errorPath + id: "7" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "29" + '#none#': + - "10" + note: false + quietmode: 2 + scriptarguments: + user: + complex: + root: inputs.username + separatecontext: false + skipunavailable: true + task: + brand: "" + description: |- + Retrieves the properties and relationships of a user object. For more information, visit: https://docs.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0). + Permissions: - User.Read (Delegated) - User.Read.All (Application) + id: 84d051a9-ee9d-4e66-a1ae-8690c388926a + iscommand: true + name: Azure IAM - Get user information + script: '|||msgraph-user-get' + type: regular + version: -1 + taskid: 84d051a9-ee9d-4e66-a1ae-8690c388926a + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 826.25, + "y": 710 + } + } + "8": + continueonerror: true + continueonerrortype: errorPath + id: "8" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "29" + '#none#': + - "5" + note: false + quietmode: 2 + scriptarguments: + user_id: + complex: + accessor: ID + root: MSGraphUser + separatecontext: false + skipunavailable: true + task: + brand: "" + description: Retrieve the risky users history in active directory. + id: 5c1f2e7d-dcb5-418c-a48b-f4cecb3d2ba4 + iscommand: true + name: Azure IAM - List risky user history + script: '|||msgraph-identity-protection-risky-user-history-list' + type: regular + version: -1 + taskid: 5c1f2e7d-dcb5-418c-a48b-f4cecb3d2ba4 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 826.25, + "y": 1050 + } + } + "9": + continueonerror: true + continueonerrortype: errorPath + id: "9" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "29" + '#none#': + - "5" + note: false + quietmode: 2 + scriptarguments: + filter: + simple: startsWith(Mail,'${inputs.username}') + separatecontext: false + skipunavailable: true + task: + brand: "" + description: Provides a list of groups. + id: 3e23f003-ef1f-4df3-aeed-0ed5779dbf88 + iscommand: true + name: Azure IAM - List user groups + script: '|||msgraph-groups-list-groups' + type: regular + version: -1 + taskid: 3e23f003-ef1f-4df3-aeed-0ed5779dbf88 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1407.25, + "y": 1050 + } + } + "10": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: ID + root: MSGraphUser + operator: isNotEmpty + right: + value: {} + label: "yes" + continueonerrortype: "" + id: "10" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "5" + "yes": + - "8" + note: false + quietmode: 2 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks if MSGraph User ID exists. + id: 817df662-98b0-4a53-809b-2bd38f28f289 + iscommand: false + name: MSGraph User ID exists? + type: condition + version: -1 + taskid: 817df662-98b0-4a53-809b-2bd38f28f289 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 681, + "y": 880 + } + } + "11": + continueonerrortype: "" + id: "11" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "7" + - "9" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 81c59164-eb19-4eec-815c-87a7378443f5 + iscommand: false + name: 'Azure Enrichment ' + type: title + version: -1 + taskid: 81c59164-eb19-4eec-815c-87a7378443f5 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 1066.75, + "y": 545 + } + } + "12": + continueonerror: true + continueonerrortype: "" + id: "12" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "13" + note: false + quietmode: 0 + scriptarguments: + userName: + complex: + root: inputs.username + separatecontext: false + skipunavailable: true + task: + brand: AWS - IAM + description: Retrieves information about the specified IAM user, including the + user's creation date, path, unique ID, and ARN. + id: d9ef2f89-4ea7-4552-8afd-b4daf0d04743 + iscommand: true + name: AWS IAM - Get user information + script: AWS - IAM|||aws-iam-get-user + type: regular + version: -1 + taskid: d9ef2f89-4ea7-4552-8afd-b4daf0d04743 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 50, + "y": 540 + } + } + "13": + continueonerror: true + continueonerrortype: errorPath + id: "13" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "29" + '#none#': + - "14" + note: false + quietmode: 0 + scriptarguments: + userName: + complex: + root: inputs.username + separatecontext: false + skipunavailable: true + task: + brand: AWS - IAM + description: Returns information about the access key IDs associated with the + specified IAM user. + id: 219490f3-8185-4975-880b-0ea73d998606 + iscommand: true + name: AWS IAM - List user access keys + script: AWS - IAM|||aws-iam-list-access-keys-for-user + type: regular + version: -1 + taskid: 219490f3-8185-4975-880b-0ea73d998606 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 50, + "y": 710 + } + } + "14": + continueonerror: true + continueonerrortype: "" + id: "14" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "15" + note: false + quietmode: 2 + scriptarguments: + userName: + complex: + root: inputs.username + separatecontext: false + skipunavailable: true + task: + brand: "" + description: Lists the IAM groups that the specified IAM user belongs to. + id: b6cfc87d-ee97-4ad2-be6d-8fb2286c7cc9 + iscommand: true + name: AWS IAM - List user groups + script: '|||aws-iam-list-groups-for-user' + type: regular + version: -1 + taskid: b6cfc87d-ee97-4ad2-be6d-8fb2286c7cc9 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 50, + "y": 880 + } + } + "15": + continueonerror: true + continueonerrortype: "" + id: "15" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "16" + note: false + quietmode: 2 + scriptarguments: + userName: + complex: + root: inputs.username + separatecontext: false + skipunavailable: true + task: + brand: "" + description: Lists all managed policies that are attached to the specified IAM + user. + id: ea8abb38-b691-4181-859d-2252edf73f06 + iscommand: true + name: AWS IAM - List user attached policies + script: '|||aws-iam-list-attached-user-policies' + type: regular + version: -1 + taskid: ea8abb38-b691-4181-859d-2252edf73f06 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 50, + "y": 1050 + } + } + "16": + continueonerror: true + continueonerrortype: "" + id: "16" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "18" + note: false + quietmode: 2 + scriptarguments: + userName: + complex: + root: inputs.username + separatecontext: false + skipunavailable: true + task: + brand: "" + description: Lists the names of the inline policies embedded in the specified + IAM user. + id: cea24de0-7d67-49a3-b8aa-539fc0a651ee + iscommand: true + name: AWS IAM - List user inline policies + script: '|||aws-iam-list-user-policies' + type: regular + version: -1 + taskid: cea24de0-7d67-49a3-b8aa-539fc0a651ee + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 50, + "y": 1220 + } + } + "17": + continueonerrortype: "" + id: "17" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "12" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 74b022cf-4364-4577-8b6c-86ea90f2c84a + iscommand: false + name: AWS Enrichment + type: title + version: -1 + taskid: 74b022cf-4364-4577-8b6c-86ea90f2c84a + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 50, + "y": 380 + } + } + "18": + continueonerrortype: "" + id: "18" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "27" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 9a3e648b-2540-41b8-8c66-61fab9915c09 + iscommand: false + name: AWS Enrichment Done + type: title + version: -1 + taskid: 9a3e648b-2540-41b8-8c66-61fab9915c09 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 50, + "y": 1390 + } + } + "19": + continueonerrortype: "" + id: "19" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "20" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 656df064-9845-4858-8437-546c2fc64cd5 + iscommand: false + name: GCP Enrichment + type: title + version: -1 + taskid: 656df064-9845-4858-8437-546c2fc64cd5 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 2519.25, + "y": 380 + } + } + "20": + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + root: inputs.cloudIdentityType + operator: isEqualString + right: + value: + simple: Service Account + - ignorecase: true + left: + iscontext: true + value: + complex: + root: inputs.cloudIdentityType + operator: isEqualString + right: + value: + simple: SERVICE_ACCOUNT + label: Service Account + continueonerrortype: "" + id: "20" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "21" + Service Account: + - "23" + note: false + quietmode: 2 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks the user type. + id: 140c8bf9-6f93-4f30-8a67-0e4e5340abcd + iscommand: false + name: Check the user type + type: condition + version: -1 + taskid: 140c8bf9-6f93-4f30-8a67-0e4e5340abcd + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 2519.25, + "y": 540 + } + } + "21": + continueonerror: true + continueonerrortype: errorPath + id: "21" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "29" + '#none#': + - "28" + note: false + quietmode: 0 + scriptarguments: + user: + complex: + root: inputs.username + separatecontext: false + skipunavailable: true + task: + brand: "" + description: Retrieve a user's details given a user key. + id: 4871b972-2cc3-47a5-a663-8723adc71078 + iscommand: true + name: G Suite - Get user information + script: '|||gsuite-user-get' + type: regular + version: -1 + taskid: 4871b972-2cc3-47a5-a663-8723adc71078 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1988.25, + "y": 710 + } + } + "22": + continueonerror: true + continueonerrortype: errorPath + id: "22" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "29" + '#none#': + - "26" + note: false + quietmode: 2 + scriptarguments: + customer_id: + complex: + accessor: customerId + root: GSuite.User + user_key: + complex: + accessor: primaryEmail + root: GSuite.User + separatecontext: false + skipunavailable: true + task: + brand: "" + description: Retrieves a paginated list of all role assignments. + id: 35cf1351-13b5-41b1-8d31-4bd543a8a920 + iscommand: true + name: G Suite - List user role assinments + script: '|||gsuite-role-assignment-list' + type: regular + version: -1 + taskid: 35cf1351-13b5-41b1-8d31-4bd543a8a920 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1988.25, + "y": 1050 + } + } + "23": + continueonerror: true + continueonerrortype: errorPath + id: "23" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "29" + '#none#': + - "24" + note: false + quietmode: 2 + scriptarguments: + project_name: + complex: + root: inputs.GCPProjectName + service_account_name: + complex: + root: inputs.username + separatecontext: false + skipunavailable: true + task: + brand: "" + description: 'Lists service accounts in a project, or retrieves a specific service + account information. One of the arguments: ''service_account_name'' or ''project_name'' must + be provided.' + id: 8bb35490-21f7-4a98-b2bb-ea991d0d706d + iscommand: true + name: GCP IAM - Get service account information + script: '|||gcp-iam-service-accounts-get' + type: regular + version: -1 + taskid: 8bb35490-21f7-4a98-b2bb-ea991d0d706d + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 2859.75, + "y": 710 + } + } + "24": + continueonerror: true + continueonerrortype: errorPath + id: "24" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "29" + '#none#': + - "25" + note: false + quietmode: 2 + scriptarguments: + project_id: + complex: + accessor: projectId + root: GCPIAM.ServiceAccount + separatecontext: false + skipunavailable: true + task: + brand: "" + description: Lists a project custom roles. + id: 4518b185-cff6-4eab-b5c8-e2a7a7aa08d8 + iscommand: true + name: GCP IAM - List roles for the user's project ID + script: '|||gcp-iam-project-role-list' + type: regular + version: -1 + taskid: 4518b185-cff6-4eab-b5c8-e2a7a7aa08d8 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 2714.5, + "y": 880 + } + } + "25": + continueonerror: true + continueonerrortype: errorPath + id: "25" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "29" + '#none#': + - "26" + note: false + quietmode: 2 + scriptarguments: + service_account_name: + complex: + root: inputs.username + separatecontext: false + skipunavailable: true + task: + brand: "" + description: 'Lists service account keys, or retrieves a specific service account + key information. One of the arguments: ''service_account_name'' or ''key_name'' must + be provided.' + id: 443dc9aa-4f03-4ff9-ba10-38d5f6d855b5 + iscommand: true + name: GCP IAM - List service account access keys + script: '|||gcp-iam-service-account-keys-get' + type: regular + version: -1 + taskid: 443dc9aa-4f03-4ff9-ba10-38d5f6d855b5 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 2569.25, + "y": 1050 + } + } + "26": + continueonerrortype: "" + id: "26" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "27" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: c638f8a0-715c-442f-8b9b-66d7457dc8d8 + iscommand: false + name: GCP Enrichment Done + type: title + version: -1 + taskid: c638f8a0-715c-442f-8b9b-66d7457dc8d8 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 2564.5, + "y": 1225 + } + } + "27": + continueonerrortype: "" + id: "27" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 4ecfc3d0-1868-466b-8805-ec13817e5c08 + iscommand: false + name: Done + type: title + version: -1 + taskid: 4ecfc3d0-1868-466b-8805-ec13817e5c08 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 295.25, + "y": 1550 + } + } + "28": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: customerId + root: GSuite.User + operator: isNotEmpty + right: + value: {} + label: "yes" + continueonerrortype: "" + id: "28" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "26" + "yes": + - "22" + note: false + quietmode: 2 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks if the Gsuite Customer ID exists. + id: 084173a0-9565-4d4e-899d-6c5cfc275d15 + iscommand: false + name: Gsuite Customer ID exists? + type: condition + version: -1 + taskid: 084173a0-9565-4d4e-899d-6c5cfc275d15 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 1843, + "y": 880 + } + } + "29": + continueonerrortype: "" + id: "29" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: b1e5ce7c-b55c-4b43-89cd-6aee82619286 + iscommand: false + name: Foundation - Foundation - Error Handling_V3 + playbookId: Foundation - Foundation - Error Handling_V3 + type: playbook + version: -1 + taskid: b1e5ce7c-b55c-4b43-89cd-6aee82619286 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 1602.5, + "y": 1220 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": { + "10_5_#default#": 0.45, + "10_8_yes": 0.64, + "20_23_Service Account": 0.55, + "28_22_yes": 0.4, + "28_26_#default#": 0.42, + "6_11_Azure": 0.76, + "6_17_AWS": 0.59, + "6_27_#default#": 0.86 + }, + "paper": { + "dimensions": { + "height": 1560, + "width": 3190.75, + "x": 50, + "y": 50 + } + } + } +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Containment_Plan.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Containment_Plan.yml new file mode 100644 index 0000000..a96b159 --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Containment_Plan.yml @@ -0,0 +1,1744 @@ +adopted: true +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 6.6.0 + isoverridable: false + itemVersion: 2.7.17 + packID: "" + packName: SOC Common Playbooks + prevname: "" + supportedModules: [] + toServerVersion: "" +description: "This playbook handles the main containment actions available with Cortex + XSIAM, including the following sub-playbooks: \n* Containment Plan - Isolate endpoint\n + * Containment Plan - Disable account\n* Containment Plan - Quarantine file\n* Containment + Plan - Block indicators\n* Containment Plan - Clear user session (currently, the + playbook supports only Okta)\n\nNote: The playbook inputs enable manipulating the + execution flow. Read the input descriptions for details." +dirtyInputs: true +id: 'SOC Containment Plan_V3' +inputSections: +- description: Generic group for inputs + inputs: + - AutoContainment + - HostContainment + - UserContainment + - BlockIndicators + - FileContainment + - ClearUserSessions + - EndpointID + - Username + - FileHash + - FilePath + - IP + - Domain + - URL + - FileRemediation + - IAMUserDomain + - UserVerification + - AutoBlockIndicators + - ShadowMode + - Hostname + - FeaturedHost + - FeaturedUser + - FeaturedIP + - FeaturedAD + - FileVerdict + - IPVerdict + - DomainVerdict + - URLVerdict + name: General (Inputs group) +inputs: +- description: |- + Whether to execute containment plan (except isolation) automatically. + The specific containment playbook inputs should also be set to 'True'. + key: AutoContainment + playbookInputQuery: + required: false + value: + simple: "False" +- description: Whether to execute endpoint isolation. + key: HostContainment + playbookInputQuery: + required: false + value: + simple: "True" +- description: Set to 'True' to disable the user account. + key: UserContainment + playbookInputQuery: + required: false + value: + simple: "True" +- description: Set to 'True' to block the indicators. + key: BlockIndicators + playbookInputQuery: + required: false + value: + simple: "True" +- description: Set to 'True' to quarantine the identified file. + key: FileContainment + playbookInputQuery: + required: false + value: + simple: "True" +- description: Set to 'True' to clear the user active Okta sessions. + key: ClearUserSessions + playbookInputQuery: + required: false + value: + simple: "True" +- description: The endpoint ID to run commands over. + key: EndpointID + playbookInputQuery: + required: false + value: {} +- description: The username to disable. + key: Username + playbookInputQuery: + required: false + value: {} +- description: The file hash to block. + key: FileHash + playbookInputQuery: + required: false + value: {} +- description: The path of the file to block. + key: FilePath + playbookInputQuery: + required: false + value: {} +- description: The IP indicators. + key: IP + playbookInputQuery: + required: false + value: {} +- description: The domain indicators. + key: Domain + playbookInputQuery: + required: false + value: {} +- description: The URL indicator. + key: URL + playbookInputQuery: + required: false + value: {} +- description: "Choose 'Quarantine' or 'Delete' to avoid file remediation conflicts. + \nFor example, choosing 'Quarantine' ignores the 'Delete file' task under the + eradication playbook and will execute only file quarantine." + key: FileRemediation + playbookInputQuery: + required: false + value: + simple: Quarantine +- description: The Okta IAM users domain. The domain will be appended to the username. + e.g. username@IAMUserDomain. + key: IAMUserDomain + playbookInputQuery: + required: false + value: {} +- description: "Possible values: True/False.\nWhether to provide user verification + for blocking those IPs and disabling the users. \n\nFalse - No prompt will be + displayed to the user.\nTrue - The server will ask the user for blocking verification + and will display the blocking list." + key: UserVerification + playbookInputQuery: + required: false + value: + simple: "False" +- description: |- + Possible values: True/False. Default: True. + Should the given indicators be automatically blocked, or should the user be given the option to choose? + + If set to False - no prompt will appear, and all provided indicators will be blocked automatically. + If set to True - the user will be prompted to select which indicators to block. + key: AutoBlockIndicators + playbookInputQuery: + required: false + value: + simple: "True" +- description: "" + key: ShadowMode + playbookInputQuery: + required: false + value: + simple: "true" +- description: "" + key: Hostname + playbookInputQuery: + required: false + value: {} +- description: Is this a Featured Host? + key: FeaturedHost + playbookInputQuery: + required: false + value: + simple: "False" +- description: Is this a Featured User? + key: FeaturedUser + playbookInputQuery: + required: false + value: + simple: "False" +- description: Is this a Featured IP? + key: FeaturedIP + playbookInputQuery: + required: false + value: + simple: "False" +- description: Is this a Featured Active Directory Group? + key: FeaturedAD + playbookInputQuery: + required: false + value: + simple: "False" +- description: File Verdict from Enrichment + key: FileVerdict + playbookInputQuery: + required: false + value: {} +- description: IP Verdict from Enrichment + key: IPVerdict + playbookInputQuery: + required: false + value: {} +- description: Domain verdict from Enrichment + key: DomainVerdict + playbookInputQuery: + required: false + value: {} +- description: URL Verdict from Enrichment + key: URLVerdict + playbookInputQuery: + required: false + value: {} +name: SOC Containment Plan_V3 +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: + - Blocklist.Final + - QuarantinedFilesFromEndpoints + - Core.blocklist.added_hashes + - Core.Isolation.endpoint_id +outputs: +- contextPath: Blocklist.Final + description: The blocked accounts. + type: unknown +- contextPath: QuarantinedFilesFromEndpoints + description: The quarantined files from endpoint. + type: unknown +- contextPath: Core.blocklist.added_hashes + description: The file Hash that was added to the blocklist. +- contextPath: Core.Isolation.endpoint_id + description: The isolated endpoint ID. +sourceplaybookid: Containment Plan +starttaskid: "0" +tags: +- SOC +- SOC_Framework +- Containment +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "150" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 8b859cdc-d653-40d8-88b5-856b497221a5 + iscommand: false + name: "" + playbooktaskmissingcomponent: + version: -1 + taskid: 8b859cdc-d653-40d8-88b5-856b497221a5 + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 1327.75, + "y": -200 + } + } + "48": + continueonerrortype: "" + id: "48" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "165" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 5683bb61-e50c-4fee-8006-76a9d2cd15e6 + iscommand: false + name: Isolate Device + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 5683bb61-e50c-4fee-8006-76a9d2cd15e6 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 401, + "y": 1020 + } + } + "49": + continueonerrortype: "" + id: "49" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "164" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: c1bd31ee-eb02-4d8c-87e1-ccdd6b893660 + iscommand: false + name: Disable Account + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: c1bd31ee-eb02-4d8c-87e1-ccdd6b893660 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": -260, + "y": 1020 + } + } + "50": + continueonerrortype: "" + id: "50" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "168" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 1cc8a082-9506-43d3-86ed-50836d2be721 + iscommand: false + name: Quarantine File + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 1cc8a082-9506-43d3-86ed-50836d2be721 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 2063.5, + "y": 1030 + } + } + "51": + continueonerrortype: "" + id: "51" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "167" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 5bafc4dc-d080-4f66-8d3b-6b540d65b60d + iscommand: false + name: Block Indicators + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 5bafc4dc-d080-4f66-8d3b-6b540d65b60d + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 1523, + "y": 1030 + } + } + "58": + continueonerrortype: "" + id: "58" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "166" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 9ab00fc9-7241-4b38-83b8-d1bf0c1bf328 + iscommand: false + name: Clear User Sessions + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 9ab00fc9-7241-4b38-83b8-d1bf0c1bf328 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 1012, + "y": 1030 + } + } + "138": + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + root: inputs.AutoContainment + operator: isEqualString + right: + value: + simple: "True" + label: "yes" + continueonerrortype: "" + id: "138" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "139" + "yes": + - "147" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: |+ + Whether to perform containment actions automatically or manually. + + id: cb628d2d-29f6-4d2b-8250-f7d20b163239 + iscommand: false + name: Should containment automatically? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: cb628d2d-29f6-4d2b-8250-f7d20b163239 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 992, + "y": 470 + } + } + "139": + continueonerrortype: "" + form: + description: Select which containment actions to perform + expired: false + questions: + - defaultrows: [] + fieldassociated: "" + gridcolumns: [] + id: "0" + label: "" + labelarg: + simple: Select the Endpoint to isolate by Endpoint name + options: [] + optionsarg: + - complex: + accessor: endpoint_name + root: Core.Endpoint + transformers: + - operator: uniq + placeholder: "" + readonly: false + required: false + tooltip: "" + type: multiSelect + - defaultrows: [] + fieldassociated: "" + gridcolumns: [] + id: "1" + label: "" + labelarg: + simple: Select Endpoint to isolate by Endpoint ID + options: [] + optionsarg: + - complex: + root: inputs.EndpointID + transformers: + - operator: uniq + placeholder: "" + readonly: false + required: false + tooltip: "" + type: multiSelect + - defaultrows: [] + fieldassociated: "" + gridcolumns: [] + id: "2" + label: "" + labelarg: + simple: Select Users to disable + options: [] + optionsarg: + - complex: + root: inputs.Username + transformers: + - operator: uniq + placeholder: "" + readonly: false + required: false + tooltip: "" + type: multiSelect + - defaultrows: [] + fieldassociated: "" + gridcolumns: [] + id: "3" + label: "" + labelarg: + simple: Select Files to quarantine + options: [] + optionsarg: + - complex: + root: FilesList + transformers: + - operator: uniq + - args: + applyIfEmpty: {} + defaultValue: + iscontext: true + value: + simple: inputs.FilePath + operator: SetIfEmpty + placeholder: "" + readonly: false + required: false + tooltip: "" + type: multiSelect + - defaultrows: [] + fieldassociated: "" + gridcolumns: [] + id: "4" + label: "" + labelarg: + simple: Select IPs to block + options: [] + optionsarg: + - complex: + root: inputs.IP + transformers: + - operator: uniq + placeholder: "" + readonly: false + required: false + tooltip: "" + type: multiSelect + - defaultrows: [] + fieldassociated: "" + gridcolumns: [] + id: "5" + label: "" + labelarg: + simple: Select URLs to block + options: [] + optionsarg: + - complex: + root: inputs.URL + transformers: + - operator: uniq + placeholder: "" + readonly: false + required: false + tooltip: "" + type: multiSelect + - defaultrows: [] + fieldassociated: "" + gridcolumns: [] + id: "6" + label: "" + labelarg: + simple: 'Select Files Hash to block ' + options: [] + optionsarg: + - complex: + root: inputs.FileHash + transformers: + - operator: uniq + - {} + placeholder: "" + readonly: false + required: false + tooltip: "" + type: multiSelect + - defaultrows: [] + fieldassociated: "" + gridcolumns: [] + id: "7" + label: "" + labelarg: + simple: 'Select Domains to block ' + options: [] + optionsarg: + - complex: + root: inputs.Domain + transformers: + - operator: uniq + placeholder: "" + readonly: false + required: false + tooltip: "" + type: multiSelect + - defaultrows: [] + fieldassociated: "" + gridcolumns: [] + id: "8" + label: "" + labelarg: + simple: Select Users to clear their sessions + options: [] + optionsarg: + - complex: + root: inputs.Username + transformers: + - operator: uniq + placeholder: "" + readonly: false + required: false + tooltip: "" + type: multiSelect + sender: "" + title: Which containment actions would you like to perform? + totalanswers: 0 + id: "139" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: + body: + cc: + format: "" + methods: [] + subject: + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: + nexttasks: + '#none#': + - "147" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Select which indicators to block. + id: 75cf7bea-9da6-4581-851e-0dea547d2e41 + iscommand: false + name: Which containment actions would you like to perform? + playbooktaskmissingcomponent: + type: collection + version: -1 + taskid: 75cf7bea-9da6-4581-851e-0dea547d2e41 + timertriggers: [] + type: collection + view: |- + { + "position": { + "x": 1143, + "y": 640 + } + } + "147": + continueonerrortype: "" + id: "147" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "50" + - "49" + - "48" + - "51" + - "58" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: f486236e-11d4-4d91-8f9d-252577239705 + iscommand: false + name: Containment + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: f486236e-11d4-4d91-8f9d-252577239705 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 1030, + "y": 880 + } + } + "148": + continueonerrortype: "" + id: "148" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 48ad472b-5301-4524-899a-41e29d38151d + iscommand: false + name: Done + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 48ad472b-5301-4524-899a-41e29d38151d + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 811.5, + "y": 1780 + } + } + "149": + continueonerror: true + continueonerrortype: errorPath + id: "149" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "151" + '#none#': + - "138" + note: false + quietmode: 0 + scriptarguments: + key: + simple: FilesList + stringify: + simple: "false" + value: + complex: + root: inputs.FilePath + transformers: + - args: + array1_key: + iscontext: true + array2: + iscontext: true + value: + simple: inputs.FileHash + array2_key: {} + determine_output_length_by: {} + merge_dict: {} + output_name1: + value: + simple: Path + output_name2: + value: + simple: Hash + operator: MakePair + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Set a value in context under the key you entered. + id: f93cc26a-6b45-420b-8ec8-c33e920be3a7 + iscommand: false + name: Set Process list + playbooktaskmissingcomponent: + script: Set + type: regular + version: -1 + taskid: f93cc26a-6b45-420b-8ec8-c33e920be3a7 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1372, + "y": 130 + } + } + "150": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.FilePath + operator: isNotEmpty + right: + value: {} + - - left: + iscontext: true + value: + complex: + root: inputs.FileHash + operator: isNotEmpty + label: "yes" + continueonerrortype: "" + id: "150" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "138" + "yes": + - "149" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Check if the file path and file hash are defined. + id: d3750674-0c66-4ecc-8c51-8d01487249d7 + iscommand: false + name: The file path and file hash defined? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: d3750674-0c66-4ecc-8c51-8d01487249d7 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 1327.75, + "y": -40 + } + } + "151": + continueonerrortype: "" + id: "151" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" + iscommand: false + max: 100 + wait: 1 + note: false + quietmode: 0 + separatecontext: true + skipunavailable: true + task: + brand: "" + id: 2bd9441a-09d2-4286-8c0f-b3bfec13291e + iscommand: false + name: Foundation - Foundation - Error Handling_V3 + playbookId: Foundation - Foundation - Error Handling_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: 2bd9441a-09d2-4286-8c0f-b3bfec13291e + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 1713.5, + "y": 470 + } + } + "152": + continueonerrortype: "" + id: "152" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - "148" + note: false + quietmode: 0 + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + UserContainment: + simple: "True" + UserVerification: + simple: "True" + Username: + simple: ${inputs.Username} + separatecontext: true + skipunavailable: false + task: + brand: "" + description: |- + ## Containment Plan - Disable Account + + This playbook is a sub-playbook within the containment plan playbook. + The playbook disables users by utilizing the sub-playbook "Block Account - Generic v2" + id: bbc1c9b5-3abb-4b20-acab-b19c36485fde + iscommand: false + name: SOC Containment Plan_V3 - Disable Account_V3 + playbookId: SOC Containment Plan_V3 - Disable Account_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: bbc1c9b5-3abb-4b20-acab-b19c36485fde + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": -260, + "y": 1520 + } + } + "154": + continueonerrortype: "" + id: "154" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - "148" + note: false + quietmode: 0 + scriptarguments: + ClearUserSessions: + simple: "True" + IAMUserDomain: + simple: ${inputs.IAMUserDomain} + ShadowMode: + simple: ${inputs.ShadowMode} + Username: + simple: ${inputs.Username} + separatecontext: true + skipunavailable: false + task: + brand: "" + description: |- + ## Containment Plan - Clear User Sessions + + This playbook is a sub-playbook within the containment plan playbook. + The playbook uses the 'Okta v2' and 'MSGraph User' integrations to clear user sessions. + id: 6db2a243-bb8c-41ae-ad4b-d398c3bdd469 + iscommand: false + name: SOC Containment Plan_V3 - Clear User Sessions_V3 + playbookId: SOC Containment Plan_V3 - Clear User Sessions_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: 6db2a243-bb8c-41ae-ad4b-d398c3bdd469 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 1052, + "y": 1610 + } + } + "155": + continueonerrortype: "" + id: "155" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - "148" + note: false + quietmode: 0 + scriptarguments: + AutoBlockIndicators: + simple: "True" + AutoContainment: + simple: "True" + BlockIndicators: + simple: "True" + Domain: + simple: ${inputs.Domain} + FileHash: + simple: ${inputs.FileHash} + FilePath: + simple: ${inputs.FilePath} + IP: + simple: ${inputs.IP} + ShadowMode: + simple: ${inputs.ShadowMode} + URL: + simple: ${inputs.URL} + UserVerification: + simple: "False" + Username: + simple: ${inputs.Username} + separatecontext: true + skipunavailable: false + task: + brand: "" + description: |- + ## Containment Plan - Block Indicators + + This playbook is a sub-playbook within the containment plan playbook. + + ### Indicator Blocking + + The playbook block indicators by two methods: + + 1. It adds the malicious hashes into the XSIAM hash block list + 2. It utilizes the sub-playbook "Block Indicators - Generic v3" + id: 864aadfa-c592-42e0-8603-e66398b381c8 + iscommand: false + name: SOC Containment Plan_V3 - Block Indicators_V3 + playbookId: SOC Containment Plan_V3 - Block Indicators_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: 864aadfa-c592-42e0-8603-e66398b381c8 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 1533, + "y": 1610 + } + } + "156": + continueonerrortype: "" + id: "156" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - "148" + note: false + quietmode: 0 + scriptarguments: + AutoContainment: + simple: "True" + EndpointID: + simple: ${inputs.EndpointID} + FileContainment: + simple: "True" + FileHash: + simple: ${inputs.FileHash} + FilePath: + simple: ${inputs.FilePath} + FileRemediation: + simple: Quarantine + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: true + skipunavailable: false + task: + brand: "" + description: |- + ## Containment Plan - Quarantine File + + This playbook is a sub-playbook within the containment plan playbook. + The playbook quarantines files using core commands. + id: a23bdec7-a283-472e-8f0e-e2b5a9de1900 + iscommand: false + name: SOC Containment Plan_V3 - Quarantine File_V3 + playbookId: SOC Containment Plan_V3 - Quarantine File_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: a23bdec7-a283-472e-8f0e-e2b5a9de1900 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 2014, + "y": 1610 + } + } + "157": + continueonerrortype: "" + id: "157" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: + body: + simple: Would you like to Disable the account + cc: + format: "" + methods: [] + replyOptions: + - "Yes" + - "No" + subject: + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: + nexttasks: + "No": + - "148" + "Yes": + - "152" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 27724d31-2a6c-4301-8d4a-53cbe0a9e2af + iscommand: false + name: Disable Account? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 27724d31-2a6c-4301-8d4a-53cbe0a9e2af + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": -260, + "y": 1370 + } + } + "158": + continueonerrortype: "" + id: "158" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: + body: + simple: Would you like to Isolate the device ${inputs.Hostname} + cc: + format: "" + methods: [] + replyOptions: + - "Yes" + - "No" + subject: + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: + nexttasks: + "No": + - "148" + "Yes": + - "169" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 6276c905-eedb-4266-8544-042d9051abb3 + iscommand: false + name: Isolate Device? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 6276c905-eedb-4266-8544-042d9051abb3 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 531, + "y": 1370 + } + } + "159": + continueonerrortype: "" + id: "159" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: + body: + simple: Would you like to clear the users sessions? + cc: + format: "" + methods: [] + replyOptions: + - "Yes" + - "No" + subject: + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: + nexttasks: + "No": + - "148" + "Yes": + - "154" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: d483fe6a-0a36-450f-8467-9de7bdf3c71e + iscommand: false + name: Clear User Sessions? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: d483fe6a-0a36-450f-8467-9de7bdf3c71e + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 1012, + "y": 1370 + } + } + "160": + continueonerrortype: "" + id: "160" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: + body: + simple: Should we attempt to block these indicators/Add to EDL? + cc: + format: "" + methods: [] + replyOptions: + - "Yes" + - "No" + subject: + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: + nexttasks: + "No": + - "148" + "Yes": + - "155" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 4a454c57-2ae2-445e-8fe1-ef42e76f806b + iscommand: false + name: Block Indicators + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 4a454c57-2ae2-445e-8fe1-ef42e76f806b + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 1493, + "y": 1370 + } + } + "161": + continueonerrortype: "" + id: "161" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: + body: + simple: Should we quarantine the file ${issue.filename} + cc: + format: "" + methods: [] + replyOptions: + - "Yes" + - "No" + subject: + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: + nexttasks: + "No": + - "148" + "Yes": + - "156" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: dff486ba-3e4f-42f0-8c29-d767f19b36e2 + iscommand: false + name: Quarantine File? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: dff486ba-3e4f-42f0-8c29-d767f19b36e2 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 1974, + "y": 1370 + } + } + "164": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: issue.mitreattcktechnique + operator: match + right: + value: + simple: (T1078|T1110|T1136|T1098|T1556|T1021|T1041|T1070\.001|T1486|T1087|T1496) + label: "yes" + continueonerrortype: "" + id: "164" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "148" + "yes": + - "157" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: |- + Techniques Covered + T1078 – Valid Accounts + T1110 – Brute Force + T1136 – Create Account + T1098 – Account Manipulation + T1556 – Modify Authentication Process + T1021 – Remote Services + T1041 – Exfiltration Over C2 Channel + T1070.001 – Clear Windows Event Logs + T1486 – Data Encrypted for Impact + T1087 – Account Discovery + T1496 – Resource Hijacking + id: 6e17162a-b3bf-4324-861b-a3fee0bf791c + iscommand: false + name: Miter Technique for user account disablement + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 6e17162a-b3bf-4324-861b-a3fee0bf791c + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": -260, + "y": 1130 + } + } + "165": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: issue.mitreattcktechnique + operator: match + right: + value: + simple: (T1059|T1486|T1071|T1095|T1068|T1021|T1027|T1003|T1547|T1074|T1485|T1046|T1498) + label: "yes" + continueonerrortype: "" + id: "165" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "148" + "yes": + - "158" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: |- + Techniques Covered + T1059 – Command & Scripting Interpreter + T1486 – Data Encrypted for Impact + T1071 – Application Layer Protocol + T1095 – Non-Application Layer Protocol + T1068 – Exploitation for Privilege Escalation + T1021 – Remote Services + T1027 – Obfuscated Files or Information + T1003 – OS Credential Dumping + T1547 – Boot or Logon Autostart Execution + T1074 – Data Staged + T1485 – Data Destruction + T1046 – Network Service Discovery + T1498 – Network Denial of Service + id: ee42b9d3-f370-49c5-8a4e-ca754a7c2211 + iscommand: false + name: Miter Technique for Isolation + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: ee42b9d3-f370-49c5-8a4e-ca754a7c2211 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 401, + "y": 1150 + } + } + "166": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: issue.mitreattcktechnique + operator: match + right: + value: + simple: (T1078|T1110|T1136|T1098|T1556|T1021|T1041|T1070\.001|T1486|T1087|T1496) + label: "yes" + continueonerrortype: "" + id: "166" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "148" + "yes": + - "159" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: |- + Techniques Covered + T1078 – Valid Accounts + T1110 – Brute Force + T1136 – Create Account + T1098 – Account Manipulation + T1556 – Modify Authentication Process + T1021 – Remote Services + T1041 – Exfiltration Over C2 Channel + T1070.001 – Clear Windows Event Logs + T1486 – Data Encrypted for Impact + T1087 – Account Discovery + T1496 – Resource Hijacking + id: c7bcb661-d702-44b3-8f74-0192cfe976d5 + iscommand: false + name: Miter Technique for clearing user session + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: c7bcb661-d702-44b3-8f74-0192cfe976d5 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 1012, + "y": 1140 + } + } + "167": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.FileVerdict + operator: isEqualString + right: + value: + simple: Suspicious + - left: + iscontext: true + value: + simple: inputs.IPVerdict + operator: isEqualString + right: + value: + simple: Suspicious + - left: + iscontext: true + value: + simple: inputs.DomainVerdict + operator: isEqualString + right: + value: + simple: Suspicious + - left: + iscontext: true + value: + simple: inputs.URLVerdict + operator: isEqualString + right: + value: + simple: Suspicious + label: "yes" + continueonerrortype: "" + id: "167" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "148" + "yes": + - "160" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 7d553915-22bf-4fab-8506-e41273cfb163 + iscommand: false + name: Suspicious Indicators found? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 7d553915-22bf-4fab-8506-e41273cfb163 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 1523, + "y": 1140 + } + } + "168": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.FileVerdict + operator: isEqualString + right: + value: + simple: Suspicious + label: "yes" + continueonerrortype: "" + id: "168" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "148" + "yes": + - "161" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: fe29a7f1-1dd7-4fb3-81af-00704151f661 + iscommand: false + name: Quarantine file needed? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: fe29a7f1-1dd7-4fb3-81af-00704151f661 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 2063.5, + "y": 1140 + } + } + "169": + continueonerrortype: "" + id: "169" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - "148" + note: false + quietmode: 0 + scriptarguments: + Endpoint ID: + simple: ${inputs.EndpointID} + Endpoint IP: + simple: ${inputs.IP} + Endpoint hostname: + simple: ${inputs.Hostname} + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: true + skipunavailable: false + task: + brand: "" + description: Determine the correct playbook to run for the correct endpoint + product. + id: a81256dd-ecc9-409b-9b9f-bea93c3844ab + iscommand: false + name: SOC Isolation Router_V3 + playbookId: SOC Isolation Router_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: a81256dd-ecc9-409b-9b9f-bea93c3844ab + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 531, + "y": 1580 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": { + "138_139_#default#": 0.64, + "150_138_#default#": 0.9 + }, + "paper": { + "dimensions": { + "height": 2040, + "width": 2703.5, + "x": -260, + "y": -200 + } + } + } +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Containment_Plan_-_Block_Indicators.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Containment_Plan_-_Block_Indicators.yml new file mode 100644 index 0000000..99f9bec --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Containment_Plan_-_Block_Indicators.yml @@ -0,0 +1,1107 @@ +adopted: true +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 6.6.0 + isoverridable: false + itemVersion: 2.7.15 + packID: "" + packName: Common Playbooks + prevname: "" + supportedModules: + - X1 + - X3 + - X5 + - ENT_PLUS + toServerVersion: "" +description: |- + ## Containment Plan - Block Indicators + + This playbook is a sub-playbook within the containment plan playbook. + + ### Indicator Blocking + + The playbook block indicators by two methods: + + 1. It adds the malicious hashes into the XSIAM hash block list + 2. It utilizes the sub-playbook "Block Indicators - Generic v3" +dirtyInputs: true +id: 'SOC Containment Plan_V3 - Block Indicators_V3' +inputSections: +- description: Generic group for inputs + inputs: + - BlockIndicators + - UserVerification + - AutoBlockIndicators + - FileHash + - IP + - Domain + - URL + - Username + - FilePath + - AutoContainment + - ShadowMode + name: General (Inputs group) +inputs: +- description: Set to 'True' to block the indicators. + key: BlockIndicators + playbookInputQuery: + required: false + value: + simple: "True" +- description: "Possible values: True/False.\nWhether to provide user verification + for blocking those IPs. \n\nFalse - No prompt will be displayed to the user.\n + True - The server will ask the user for blocking verification and will display + the blocking list." + key: UserVerification + playbookInputQuery: + required: false + value: + simple: "False" +- description: |- + Possible values: True/False. Default: True. + Should the given indicators be automatically blocked, or should the user be given the option to choose? + + If set to False - no prompt will appear, and all provided indicators will be blocked automatically. + If set to True - the user will be prompted to select which indicators to block. + key: AutoBlockIndicators + playbookInputQuery: + required: false + value: + simple: "True" +- description: The file hash to block. + key: FileHash + playbookInputQuery: + required: false + value: {} +- description: The IP indicators. + key: IP + playbookInputQuery: + required: false + value: {} +- description: The domain indicators. + key: Domain + playbookInputQuery: + required: false + value: {} +- description: The URL indicator. + key: URL + playbookInputQuery: + required: false + value: {} +- description: The username to disable. + key: Username + playbookInputQuery: + required: false + value: {} +- description: The path of the file to block. + key: FilePath + playbookInputQuery: + required: false + value: {} +- description: Whether to execute containment plan automatically. + key: AutoContainment + playbookInputQuery: + required: false + value: {} +- description: "" + key: ShadowMode + playbookInputQuery: + required: false + value: + simple: "true" +name: SOC Containment Plan_V3 - Block Indicators_V3 +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: + - Core.blocklist.added_hashes +outputs: +- contextPath: Core.blocklist.added_hashes + description: The file Hash that was added to the blocklist. +sourceplaybookid: Containment Plan - Block Indicators +starttaskid: "0" +tags: +- SOC +- SOC_Framework +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "3" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 0eab88db-3b97-46e9-8040-fc0e5ccdd72b + iscommand: false + name: "" + playbooktaskmissingcomponent: + version: -1 + taskid: 0eab88db-3b97-46e9-8040-fc0e5ccdd72b + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 230, + "y": -190 + } + } + "1": + continueonerror: true + continueonerrortype: "" + id: "1" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "32" + note: false + quietmode: 0 + scriptarguments: + comment: + complex: + accessor: alertname + root: alert + hash_list: + complex: + accessor: initiatorsha256 + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: foundIncidents.CustomFields.initiatorpath + operator: isNotEqualString + right: + value: + simple: c:\windows\explorer.exe + root: foundIncidents.CustomFields + transformers: + - args: + applyIfEmpty: {} + defaultValue: + iscontext: true + value: + simple: inputs.FileHash + operator: SetIfEmpty + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Block lists requested files which have not already been block listed + or added to allow list. + id: 42177fdd-e676-4494-8430-473b77c4d326 + iscommand: true + name: Add to XSIAM hash block list + playbooktaskmissingcomponent: + script: '|||core-blocklist-files' + type: regular + version: -1 + taskid: 42177fdd-e676-4494-8430-473b77c4d326 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 470, + "y": 590 + } + } + "2": + continueonerrortype: "" + id: "2" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 6555f437-9362-4b64-8416-9a207801acc8 + iscommand: false + name: Done - Block Indicators + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 6555f437-9362-4b64-8416-9a207801acc8 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 690, + "y": 1710 + } + } + "3": + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + root: inputs.BlockIndicators + operator: isEqualString + right: + value: + simple: "True" + label: "yes" + continueonerrortype: "" + id: "3" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "2" + "yes": + - "25" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Whether to block the indicators based on the input values. + id: c769a542-379a-42a7-8cb0-325e6b48e2b4 + iscommand: false + name: Should block indicators? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: c769a542-379a-42a7-8cb0-325e6b48e2b4 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 230, + "y": -50 + } + } + "10": + continueonerrortype: "" + id: "10" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "34" + note: false + quietmode: 0 + scriptarguments: + key: + simple: BlockedFilesHash + value: + complex: + accessor: fileHash + root: Core.blocklist.added_hashes + separatecontext: false + skipunavailable: true + task: + brand: Builtin + description: commands.local.cmd.set.parent.alert.context + id: 58da2cac-8a9e-4f4f-88de-623361cde61f + iscommand: true + name: Set Block list files to the Alert context + playbooktaskmissingcomponent: + script: Builtin|||setParentIncidentContext + type: regular + version: -1 + taskid: 58da2cac-8a9e-4f4f-88de-623361cde61f + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 470, + "y": 990 + } + } + "11": + continueonerror: true + continueonerrortype: errorPath + id: "11" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "35" + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + key: + simple: IndicatorsToBlock + value: + complex: + root: IndicatorsToBlock + separatecontext: false + skipunavailable: true + task: + brand: Builtin + description: commands.local.cmd.set.parent.alert.context + id: b111b0e2-c64f-4ab9-9a4f-772b44a01a20 + iscommand: true + name: Set Blocked Indicators to the Alert context + playbooktaskmissingcomponent: + script: Builtin|||setParentIncidentContext + type: regular + version: -1 + taskid: b111b0e2-c64f-4ab9-9a4f-772b44a01a20 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 230, + "y": 1530 + } + } + "24": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: initiatorsha256 + root: foundIncidents.CustomFields + operator: isNotEmpty + right: + value: {} + - left: + iscontext: true + value: + complex: + root: inputs.FileHash + operator: isNotEmpty + label: "yes" + continueonerrortype: "" + id: "24" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "34" + "yes": + - "1" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks whether the file hash exists. + id: df934c6a-4169-41f4-8cbe-76de251da626 + iscommand: false + name: Is file hash exist? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: df934c6a-4169-41f4-8cbe-76de251da626 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 470, + "y": 390 + } + } + "25": + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + root: inputs.AutoContainment + operator: isEqualString + right: + value: + simple: "True" + label: "yes" + continueonerrortype: "" + id: "25" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "26" + "yes": + - "24" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Whether to disable the account automatically based on the input + values. + id: 56214186-2922-4165-820b-062ad475cf73 + iscommand: false + name: Should block indicators automatically? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 56214186-2922-4165-820b-062ad475cf73 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 230, + "y": 160 + } + } + "26": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.FileHash + transformers: + - operator: uniq + operator: isNotEmpty + label: "yes" + continueonerrortype: "" + id: "26" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "34" + "yes": + - "27" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks whether the file hash exists. + id: 6401c6c9-8ff7-4f49-8676-fd99f48da60f + iscommand: false + name: Is file hash exist? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 6401c6c9-8ff7-4f49-8676-fd99f48da60f + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": -10, + "y": 390 + } + } + "27": + continueonerror: true + continueonerrortype: "" + id: "27" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "31" + note: false + quietmode: 0 + scriptarguments: + comment: + complex: + accessor: alertname + root: alert + hash_list: + complex: + filters: + - - left: + iscontext: true + value: + simple: inputs.FileHash + operator: in + right: + iscontext: true + value: + simple: inputs.FileHash + - - left: + iscontext: true + value: + simple: inputs.FileHash + operator: stringHasLength + right: + value: + simple: "64" + root: inputs.FileHash + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Block lists requested files which have not already been block listed + or added to allow list. + id: fca5352e-ba68-4776-8b35-903387490051 + iscommand: true + name: Add to XSIAM hash block list + playbooktaskmissingcomponent: + script: '|||core-blocklist-files' + type: regular + version: -1 + taskid: fca5352e-ba68-4776-8b35-903387490051 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": -10, + "y": 590 + } + } + "29": + continueonerrortype: "" + id: "29" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "34" + note: false + quietmode: 0 + scriptarguments: + key: + simple: BlockedFilesHash + value: + complex: + accessor: fileHash + root: Core.blocklist.added_hashes + separatecontext: false + skipunavailable: true + task: + brand: Builtin + description: commands.local.cmd.set.parent.alert.context + id: cb04e962-15e3-4189-8fcc-73efa9cb71fb + iscommand: true + name: Set Block list files to the Alert context + playbooktaskmissingcomponent: + script: Builtin|||setParentIncidentContext + type: regular + version: -1 + taskid: cb04e962-15e3-4189-8fcc-73efa9cb71fb + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": -10, + "y": 990 + } + } + "30": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: IndicatorsToBlock + operator: isNotEmpty + label: "yes" + continueonerrortype: "" + id: "30" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "2" + "yes": + - "11" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Check if there are any indicators that are blocked. + id: 0a63acdb-6497-4f96-8318-5231aefde427 + iscommand: false + name: Are there any indicators that are blocked? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 0a63acdb-6497-4f96-8318-5231aefde427 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 230, + "y": 1340 + } + } + "31": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: Core.blocklist.added_hashes.fileHash + operator: isNotEmpty + right: + value: {} + label: "yes" + continueonerrortype: "" + id: "31" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "34" + "yes": + - "29" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks whether the file hash exists. + id: 5e12fc6b-2fa0-43d0-8a46-d2f213525a45 + iscommand: false + name: Is the file hash was added to the block list? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 5e12fc6b-2fa0-43d0-8a46-d2f213525a45 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": -10, + "y": 780 + } + } + "32": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: Core.blocklist.added_hashes.fileHash + operator: isNotEmpty + right: + value: {} + label: "yes" + continueonerrortype: "" + id: "32" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "34" + "yes": + - "10" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks whether the file hash exists. + id: 5df17f17-1825-4ac0-8edf-c0e89f437551 + iscommand: false + name: Is the file hash was added to the block list? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 5df17f17-1825-4ac0-8edf-c0e89f437551 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 470, + "y": 780 + } + } + "34": + continueonerrortype: "" + id: "34" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - "30" + note: false + quietmode: 0 + scriptarguments: + AutoBlockIndicators: + simple: "True" + AutoCommit: + simple: "No" + CustomBlockRule: + simple: "True" + CustomURLCategory: + simple: XSOAR Remediation - Malicious URLs + DomainToBlock: + complex: + accessor: Indicator + filters: + - - left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: domain + - - left: + iscontext: true + value: + simple: DBotScore.Score + operator: greaterThanOrEqual + right: + value: + simple: "3" + root: DBotScore + transformers: + - operator: uniq + EmailToBlock: + complex: + accessor: Indicator + filters: + - - left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: email + - - left: + iscontext: true + value: + simple: DBotScore.Score + operator: greaterThanOrEqual + right: + value: + simple: "3" + root: DBotScore + transformers: + - operator: uniq + FilesToBlock: + complex: + accessor: Indicator + filters: + - - left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: file + - - left: + iscontext: true + value: + simple: DBotScore.Score + operator: greaterThanOrEqual + right: + value: + simple: "3" + root: DBotScore + transformers: + - operator: uniq + IP: + complex: + accessor: Indicator + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: ip + - - left: + iscontext: true + value: + simple: DBotScore.Score + operator: greaterThanOrEqual + right: + value: + simple: "3" + root: DBotScore + transformers: + - operator: uniq + InputEnrichment: + simple: "False" + InternalRange: + complex: + accessor: PrivateIPs + root: lists + transformers: + - args: + error_if_no_match: {} + ignore_case: {} + multi_line: {} + period_matches_newline: {} + regex: + value: + simple: (\b(?:\d{1,3}\.){3}\d{1,3}\b/\d{1,2}) + unpack_matches: {} + operator: RegexExtractAll + - args: + separator: + value: + simple: ',' + operator: join + MD5: + complex: + accessor: Indicator + filters: + - - left: + iscontext: true + value: + simple: DBotScore.Indicator + operator: stringHasLength + right: + value: + simple: "32" + - - left: + iscontext: true + value: + simple: DBotScore.Score + operator: greaterThanOrEqual + right: + value: + simple: "3" + - - left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: file + - left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: hash + root: DBotScore + transformers: + - operator: uniq + RuleDirection: + simple: outbound + RuleName: + simple: XSOAR - Block Indicators playbook - ${alert.id} + SHA256: + complex: + accessor: Indicator + filters: + - - left: + iscontext: true + value: + simple: DBotScore.Indicator + operator: stringHasLength + right: + value: + simple: "64" + - - left: + iscontext: true + value: + simple: DBotScore.Score + operator: greaterThanOrEqual + right: + value: + simple: "3" + - - left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: file + - left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: hash + root: DBotScore + transformers: + - operator: uniq + ShadowMode: + simple: ${inputs.ShadowMode} + Tag: + simple: Blocked Indicator In Systems + URL: + complex: + accessor: Indicator + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: url + - - left: + iscontext: true + value: + simple: DBotScore.Score + operator: greaterThanOrEqual + right: + value: + simple: "3" + root: DBotScore + transformers: + - operator: uniq + UserVerification: + simple: "True" + Username: + complex: + accessor: Indicator + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: username + - - left: + iscontext: true + value: + simple: DBotScore.Score + operator: greaterThanOrEqual + right: + value: + simple: "3" + root: DBotScore + transformers: + - operator: uniq + separatecontext: true + skipunavailable: false + task: + brand: "" + id: 29e6755d-f4a0-4f25-af8d-182c56e423d3 + iscommand: false + name: SOC Block Indicators - Generic v3_V3 + playbookId: Block Indicators - Generic v3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: 29e6755d-f4a0-4f25-af8d-182c56e423d3 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 230, + "y": 1180 + } + } + "35": + continueonerrortype: "" + id: "35" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: 747af5d3-8599-4dc0-8c09-bd995d98e922 + iscommand: false + name: Foundation - Foundation - Error Handling_V3 + playbookId: Foundation - Foundation - Error Handling_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: 747af5d3-8599-4dc0-8c09-bd995d98e922 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 190, + "y": 1705 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": { + "24_1_yes": 0.44, + "24_34_#default#": 0.89, + "26_34_#default#": 0.9, + "30_11_yes": 0.52, + "30_2_#default#": 0.38, + "31_29_yes": 0.51, + "31_34_#default#": 0.9, + "32_10_yes": 0.57, + "32_34_#default#": 0.9, + "3_25_yes": 0.43, + "3_2_#default#": 0.12 + }, + "paper": { + "dimensions": { + "height": 1965, + "width": 1080, + "x": -10, + "y": -190 + } + } + } +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Containment_Plan_-_Clear_User_Sessions.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Containment_Plan_-_Clear_User_Sessions.yml new file mode 100644 index 0000000..2a6609c --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Containment_Plan_-_Clear_User_Sessions.yml @@ -0,0 +1,924 @@ +adopted: true +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 6.6.0 + isoverridable: false + itemVersion: 2.7.15 + packID: "" + packName: Common Playbooks + prevname: "" + supportedModules: [] + toServerVersion: "" +description: |- + ## Containment Plan - Clear User Sessions + + This playbook is a sub-playbook within the containment plan playbook. + The playbook uses the 'Okta v2' and 'MSGraph User' integrations to clear user sessions. +dirtyInputs: true +id: 'SOC Containment Plan_V3 - Clear User Sessions_V3' +inputSections: +- description: Generic group for inputs. + inputs: + - ClearUserSessions + - Username + - IAMUserDomain + - ShadowMode + name: General (Inputs group) +inputs: +- description: Set to 'True' to clear the user active sessions. + key: ClearUserSessions + playbookInputQuery: + required: false + value: + simple: "True" +- description: The username to disable. + key: Username + playbookInputQuery: + required: false + value: {} +- description: The Okta IAM users domain. The domain will be appended to the username. + E.g., username@IAMUserDomain. + key: IAMUserDomain + playbookInputQuery: + required: false + value: {} +- description: "" + key: ShadowMode + playbookInputQuery: + required: false + value: + simple: "true" +name: SOC Containment Plan_V3 - Clear User Sessions_V3 +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: [] +outputs: [] +sourceplaybookid: Containment Plan - Clear User Sessions +starttaskid: "0" +tags: +- SOC +- SOC_Framework +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "17" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: f2a578bb-7b26-4477-8391-2e40e77fb9d5 + iscommand: false + name: "" + playbooktaskmissingcomponent: + version: -1 + taskid: f2a578bb-7b26-4477-8391-2e40e77fb9d5 + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 770, + "y": -150 + } + } + "1": + continueonerror: true + continueonerrortype: errorPath + id: "1" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "28" + '#none#': + - "9" + note: false + quietmode: 0 + scriptarguments: + userId: + complex: + accessor: ID + root: Account + separatecontext: false + skipunavailable: true + task: + brand: Okta v2 + description: |- + Removes all active identity provider sessions. This forces the user to authenticate on the next operation. Optionally revokes OpenID Connect and OAuth refresh and access tokens issued to the user. + For more information and examples: + https://developer.okta.com/docs/reference/api/users/#user-sessions + id: 0dbcce9a-afe8-4533-a5c4-368906fd2625 + iscommand: true + name: Okta clear user sessions + playbooktaskmissingcomponent: + script: Okta v2|||okta-clear-user-sessions + type: regular + version: -1 + taskid: 0dbcce9a-afe8-4533-a5c4-368906fd2625 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 530, + "y": 985 + } + } + "2": + continueonerrortype: "" + id: "2" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 581b7da6-4c88-41a6-8175-a2116add396c + iscommand: false + name: Done + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 581b7da6-4c88-41a6-8175-a2116add396c + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 770, + "y": 1320 + } + } + "7": + continueonerror: true + continueonerrortype: errorPath + id: "7" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "28" + '#none#': + - "25" + note: false + quietmode: 0 + scriptarguments: + username: + simple: ${OktaUsersSessionToClear} + separatecontext: false + skipunavailable: true + task: + brand: "" + description: Fetches information for a single user. You must enter one or more + parameters for the command to run. + id: d70a5b0e-0686-4ad0-80c1-af9817310138 + iscommand: true + name: Get Okta user ID + playbooktaskmissingcomponent: + script: '|||okta-get-user' + type: regular + version: -1 + taskid: d70a5b0e-0686-4ad0-80c1-af9817310138 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 530, + "y": 590 + } + } + "9": + continueonerrortype: "" + id: "9" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + key: + simple: UsersSessionCleared + value: + complex: + accessor: Username + root: Account + separatecontext: false + skipunavailable: true + task: + brand: Builtin + description: commands.local.cmd.set.parent.alert.context + id: bda090c7-6749-46e5-8453-31f56d8b778c + iscommand: true + name: Set the username to the Alert context + playbooktaskmissingcomponent: + script: Builtin|||setParentIncidentContext + type: regular + version: -1 + taskid: bda090c7-6749-46e5-8453-31f56d8b778c + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 530, + "y": 1145 + } + } + "11": + continueonerror: true + continueonerrortype: errorPath + id: "11" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "28" + '#none#': + - "7" + note: false + quietmode: 0 + scriptarguments: + key: + simple: OktaUsersSessionToClear + value: + complex: + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: inputs.Username + operator: notContainsGeneral + right: + value: + simple: administrator + - - ignorecase: true + left: + iscontext: true + value: + simple: inputs.Username + operator: notContainsGeneral + right: + value: + simple: system + root: inputs.Username + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Set a value in context under the key you entered. + id: 70665d82-a946-4a6c-9201-e8a8c7cfe79a + iscommand: false + name: Set users to clear the session with Okta + playbooktaskmissingcomponent: + script: Set + type: regular + version: -1 + taskid: 70665d82-a946-4a6c-9201-e8a8c7cfe79a + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 530, + "y": 410 + } + } + "15": + continueonerrortype: "" + id: "15" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "2" + "yes": + - "11" + note: false + quietmode: 0 + scriptarguments: + brandname: + simple: Okta v2 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no'. + id: 4025c083-2630-4171-889e-5f05b1fc51eb + iscommand: false + name: Is Okta enabled? + playbooktaskmissingcomponent: + script: IsIntegrationAvailable + type: condition + version: -1 + taskid: 4025c083-2630-4171-889e-5f05b1fc51eb + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 530, + "y": 210 + } + } + "17": + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + root: inputs.ClearUserSessions + operator: isEqualString + right: + value: + simple: "True" + - - left: + iscontext: true + value: + complex: + root: inputs.Username + operator: isNotEmpty + label: "yes" + continueonerrortype: "" + id: "17" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "2" + "yes": + - "15" + - "18" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Whether to clear the user sessions based on the input values. + id: f1d3409f-55f4-4804-8a48-354971cae04e + iscommand: false + name: Should clear the user sessions? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: f1d3409f-55f4-4804-8a48-354971cae04e + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 770, + "y": 0 + } + } + "18": + continueonerrortype: "" + id: "18" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "2" + "yes": + - "27" + note: false + quietmode: 0 + scriptarguments: + brandname: + simple: Microsoft Graph User + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no'. + id: 64c30075-eba8-4222-8251-cf075b841898 + iscommand: false + name: Is MsGraphUser enabled? + playbooktaskmissingcomponent: + script: IsIntegrationAvailable + type: condition + version: -1 + taskid: 64c30075-eba8-4222-8251-cf075b841898 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 1010, + "y": 210 + } + } + "20": + continueonerror: true + continueonerrortype: errorPath + id: "20" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "28" + '#none#': + - "23" + note: false + quietmode: 0 + scriptarguments: + user: + simple: ${MsGraphUsersSessionToClear} + separatecontext: false + skipunavailable: true + task: + brand: Microsoft Graph User + description: |- + Retrieves the properties and relationships of a user object. For more information, visit: https://docs.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0). + Permissions: - User.Read (Delegated) - User.Read.All (Application). + id: 95e4dd34-41f7-4300-a2d9-d021c6779085 + iscommand: true + name: Get MsGraph user ID + playbooktaskmissingcomponent: + script: Microsoft Graph User|||msgraph-user-get + type: regular + version: -1 + taskid: 95e4dd34-41f7-4300-a2d9-d021c6779085 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1010, + "y": 590 + } + } + "21": + continueonerror: true + continueonerrortype: errorPath + id: "21" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "28" + '#none#': + - "22" + note: false + quietmode: 0 + scriptarguments: + user: + simple: ${MSGraphUser.ID} + separatecontext: false + skipunavailable: true + task: + brand: Microsoft Graph User + description: |- + Revoke a user session - Invalidates all the refresh tokens issued to applications for a user. + Permission: Directory.AccessAsUser.All(Delegated). + id: e6092911-c270-4133-8a71-a0fe04050fbd + iscommand: true + name: MSGraph clear user sessions + playbooktaskmissingcomponent: + script: Microsoft Graph User|||msgraph-user-session-revoke + type: regular + version: -1 + taskid: e6092911-c270-4133-8a71-a0fe04050fbd + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1010, + "y": 985 + } + } + "22": + continueonerrortype: "" + id: "22" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + key: + simple: UsersSessionCleared + value: + simple: ${MSGraphUser.UserPrincipalName} + separatecontext: false + skipunavailable: true + task: + brand: Builtin + description: commands.local.cmd.set.parent.alert.context + id: aaafcc54-e334-42a5-8a5c-f4dea1d0c158 + iscommand: true + name: Set the username to the Alert context + playbooktaskmissingcomponent: + script: Builtin|||setParentIncidentContext + type: regular + version: -1 + taskid: aaafcc54-e334-42a5-8a5c-f4dea1d0c158 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1010, + "y": 1145 + } + } + "23": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: MSGraphUser.ID + operator: isExists + right: + value: {} + label: "yes" + continueonerrortype: "" + id: "23" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "2" + "yes": + - "30" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Verify that the user exists. + id: 4655db74-8104-4510-88b0-d9a081911b34 + iscommand: false + name: Does the username exist? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 4655db74-8104-4510-88b0-d9a081911b34 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 1010, + "y": 785 + } + } + "25": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: ID + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: Account.Type + operator: isEqualString + right: + value: + simple: Okta + root: Account + operator: isExists + right: + value: {} + label: "yes" + continueonerrortype: "" + id: "25" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "2" + "yes": + - "31" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Verify that the user exists. + id: c1ba5bf5-e37f-41ee-8392-7709acc40e8f + iscommand: false + name: Does the username exist? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: c1ba5bf5-e37f-41ee-8392-7709acc40e8f + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 530, + "y": 785 + } + } + "27": + continueonerror: true + continueonerrortype: errorPath + id: "27" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "28" + '#none#': + - "20" + note: false + quietmode: 0 + scriptarguments: + key: + simple: MsGraphUsersSessionToClear + value: + complex: + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: inputs.Username + operator: notContainsGeneral + right: + value: + simple: administrator + - - ignorecase: true + left: + iscontext: true + value: + simple: inputs.Username + operator: notContainsGeneral + right: + value: + simple: system + root: inputs.Username + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Set a value in context under the key you entered. + id: 4e220d72-c0cf-4e44-b371-b41bea0fd859 + iscommand: false + name: Set users to clear the session with MsGraph + playbooktaskmissingcomponent: + script: Set + type: regular + version: -1 + taskid: 4e220d72-c0cf-4e44-b371-b41bea0fd859 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1010, + "y": 410 + } + } + "28": + continueonerrortype: "" + id: "28" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: 691bab1a-c00d-4a75-8735-043a9eec517b + iscommand: false + name: Foundation - Foundation - Error Handling_V3 + playbookId: Foundation - Foundation - Error Handling_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: 691bab1a-c00d-4a75-8735-043a9eec517b + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 1450, + "y": 1315 + } + } + "29": + continueonerrortype: "" + id: "29" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "22" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow: MSGraph clear user sessions + Command: msgraph-user-session-revoke ${inputs.Username} + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: d8d0bae3-cff1-4511-a902-f81f6f34d5a4 + iscommand: false + name: 'Shadow: MSGraph clear user sessions' + playbooktaskmissingcomponent: + script: Print + type: regular + version: -1 + taskid: d8d0bae3-cff1-4511-a902-f81f6f34d5a4 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1720, + "y": 985 + } + } + "30": + continueonerrortype: "" + id: "30" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + Full Run: + - "21" + Shadow Mode: + - "29" + note: false + quietmode: 0 + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 0e13479a-07fc-4209-abb1-1ea6dfab3177 + iscommand: false + name: Run Mode? + playbooktaskmissingcomponent: + script: 'ShadowModeRouter_V3' + type: condition + version: -1 + taskid: 0e13479a-07fc-4209-abb1-1ea6dfab3177 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 1720, + "y": 830 + } + } + "31": + continueonerrortype: "" + id: "31" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + Full Run: + - "1" + Shadow Mode: + - "32" + note: false + quietmode: 0 + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: false + skipunavailable: false + task: + brand: "" + id: a14222a1-2f3d-45db-80e7-864cde88d15c + iscommand: false + name: Run Mode? + playbooktaskmissingcomponent: + script: 'ShadowModeRouter_V3' + type: condition + version: -1 + taskid: a14222a1-2f3d-45db-80e7-864cde88d15c + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 40, + "y": 870 + } + } + "32": + continueonerrortype: "" + id: "32" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "9" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow: Okta clear user sessions + Command: okta-clear-user-sessions ${inputs.Username} + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: f978e210-7ba2-467c-b20d-d4705a2703ba + iscommand: false + name: 'Shadow: Okta clear user sessions' + playbooktaskmissingcomponent: + script: Print + type: regular + version: -1 + taskid: f978e210-7ba2-467c-b20d-d4705a2703ba + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 40, + "y": 1030 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": { + "15_2_#default#": 0.15, + "17_15_yes": 0.48, + "17_2_#default#": 0.11, + "18_2_#default#": 0.16, + "23_2_#default#": 0.25, + "25_2_#default#": 0.33, + "25_31_yes": 0.83 + }, + "paper": { + "dimensions": { + "height": 1535, + "width": 2060, + "x": 40, + "y": -150 + } + } + } +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Containment_Plan_-_Disable_Account.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Containment_Plan_-_Disable_Account.yml new file mode 100644 index 0000000..beef93a --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Containment_Plan_-_Disable_Account.yml @@ -0,0 +1,356 @@ +adopted: true +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 6.6.0 + isoverridable: false + itemVersion: 2.7.16 + packID: "" + packName: SOC Common Playbooks + prevname: "" + supportedModules: + - X1 + - X3 + - X5 + - ENT_PLUS + - agentix + toServerVersion: "" +description: |- + ## Containment Plan - Disable Account + + This playbook is a sub-playbook within the containment plan playbook. + The playbook disables users by utilizing the sub-playbook "Block Account - Generic v2" +dirtyInputs: true +id: 'SOC Containment Plan_V3 - Disable Account_V3' +inputSections: +- description: Generic group for inputs + inputs: + - UserContainment + - Username + - UserVerification + - ShadowMode + name: General (Inputs group) +inputs: +- description: Set to 'True' to disable the user account. + key: UserContainment + playbookInputQuery: + required: false + value: + simple: "True" +- description: The username to disable. + key: Username + playbookInputQuery: + required: false + value: {} +- description: |- + Possible values:True/False. Default:True. + Specify if User Verification is required to disable users. + key: UserVerification + playbookInputQuery: + required: false + value: + simple: "True" +- description: "" + key: ShadowMode + playbookInputQuery: + required: false + value: + simple: "true" +name: SOC Containment Plan_V3 - Disable Account_V3 +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: + - Blocklist.Final +outputs: +- contextPath: Blocklist.Final + description: Blocked accounts + type: unknown +quiet: true +sourceplaybookid: Containment Plan - Disable Account +starttaskid: "0" +tags: +- SOC +- SOC_Framework +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "12" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 9fb1ed1d-c22c-48bb-8a3c-4d58bbca6347 + iscommand: false + name: "" + playbooktaskmissingcomponent: + version: -1 + taskid: 9fb1ed1d-c22c-48bb-8a3c-4d58bbca6347 + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 450, + "y": -140 + } + } + "2": + continueonerrortype: "" + id: "2" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 4d874c50-7a1f-489c-8397-3fc3304eeea6 + iscommand: false + name: Done + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 4d874c50-7a1f-489c-8397-3fc3304eeea6 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 450, + "y": 750 + } + } + "8": + continueonerrortype: "" + id: "8" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + key: + simple: UsersBlockList + value: + complex: + accessor: Final + root: Blocklist + separatecontext: false + skipunavailable: true + task: + brand: Builtin + description: commands.local.cmd.set.parent.alert.context + id: 73bc4723-d270-4e04-8a74-c13b5b1369f1 + iscommand: true + name: Set disabled users to the Alert context + playbooktaskmissingcomponent: + script: Builtin|||setParentIncidentContext + type: regular + version: -1 + taskid: 73bc4723-d270-4e04-8a74-c13b5b1369f1 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 450, + "y": 575 + } + } + "12": + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + root: inputs.UserContainment + operator: isEqualString + right: + value: + simple: "True" + - - left: + iscontext: true + value: + complex: + root: inputs.Username + operator: isNotEmpty + label: "yes" + continueonerrortype: "" + id: "12" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "2" + "yes": + - "13" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Whether to disable the account based on the input values. + id: 073f607c-a924-43c1-8852-d480e1454fdc + iscommand: false + name: Should disable the account? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 073f607c-a924-43c1-8852-d480e1454fdc + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 450, + "y": 0 + } + } + "13": + continueonerrortype: "" + id: "13" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "19" + note: false + quietmode: 0 + scriptarguments: + key: + simple: UsersToDisable + value: + complex: + root: inputs.Username + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: "" + description: "Set a value in context under the key you entered. If no value + is entered, the script doesn't do anything.\n\nThis automation runs using + the default Limited User role, unless you explicitly change the permissions.\n + For more information, see the section about permissions here:\n- For Cortex + see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n + - For Cortex.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: 32ec3207-df33-4d5f-8551-2a49ca677b62 + iscommand: false + name: Set users to disable + playbooktaskmissingcomponent: + script: SetAndHandleEmpty + type: regular + version: -1 + taskid: 32ec3207-df33-4d5f-8551-2a49ca677b62 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 450, + "y": 210 + } + } + "19": + continueonerrortype: "" + id: "19" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - "8" + note: false + quietmode: 0 + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + Tag: + simple: Bad Account + UserVerification: + simple: "True" + Username: + simple: ${inputs.Username} + separatecontext: true + skipunavailable: false + task: + brand: "" + description: |- + This playbook blocks malicious usernames using all integrations that you have enabled. + + Supported integrations for this playbook: + * Active Directory + * PAN-OS - This requires PAN-OS 9.1 or higher. + * SailPoint + * PingOne + * AWS IAM + * Clarizen IAM + * Envoy IAM + * ExceedLMS IAM + * Okta + * Microsoft Graph User (Azure Active Directory Users) + * Google Workspace Admin + * Slack IAM + * ServiceNow IAM + * Prisma Cloud IAM + * Zoom IAM + * Atlassian IAM + * GitHub IAM. + id: e950008b-81ae-43d2-94a8-ba011356d113 + iscommand: false + name: SSOC Block Account - Generic v2_V3 + playbookId: SSOC Block Account - Generic v2_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: e950008b-81ae-43d2-94a8-ba011356d113 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 450, + "y": 380 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": { + "12_2_#default#": 0.16 + }, + "paper": { + "dimensions": { + "height": 950, + "width": 380, + "x": 450, + "y": -140 + } + } + } +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Containment_Plan_-_Isolate_Device.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Containment_Plan_-_Isolate_Device.yml new file mode 100644 index 0000000..094bfae --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Containment_Plan_-_Isolate_Device.yml @@ -0,0 +1,725 @@ +adopted: true +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 6.6.0 + isoverridable: false + itemVersion: 2.7.15 + packID: "" + packName: Common Playbooks + prevname: "" + supportedModules: [] + toServerVersion: "" +description: |- + ## Containment Plan - Isolate Device + + This playbook is a sub-playbook within the containment plan playbook. + The playbook isolates devices using core commands. +dirtyInputs: true +id: 'SOC Containment Plan_V3 - Isolate Device_V3' +inputSections: +- description: Generic group for inputs + inputs: + - HostContainment + - EndpointID + - EndpointHostName + - ShadowMode + name: General (Inputs group) +inputs: +- description: Whether to execute endpoint isolation. + key: HostContainment + playbookInputQuery: + required: false + value: + simple: "True" +- description: The endpoint ID to run commands over. + key: EndpointID + playbookInputQuery: + required: false + value: {} +- description: The endpoint hostname. + key: EndpointHostName + playbookInputQuery: + required: false + value: {} +- description: "" + key: ShadowMode + playbookInputQuery: + required: false + value: + simple: "true" +name: SOC Containment Plan_V3 - Isolate Device_V3 +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: + - Core.Isolation.endpoint_id +outputs: +- contextPath: Core.Isolation.endpoint_id + description: The isolated endpoint ID. +sourceplaybookid: Containment Plan - Isolate Device +starttaskid: "0" +tags: +- SOC +- SOC_Framework +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "23" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 972c3692-925c-4f6f-8d88-9f4c2598429d + iscommand: false + name: "" + playbooktaskmissingcomponent: + version: -1 + taskid: 972c3692-925c-4f6f-8d88-9f4c2598429d + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 490, + "y": -782 + } + } + "2": + continueonerror: true + continueonerrortype: errorPath + id: "2" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "26" + '#none#': + - "8" + note: false + quietmode: 0 + scriptarguments: + endpoint_id: + complex: + root: EndpointsIDToIsolate + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Isolates the specified endpoint. + id: c4eeae37-ad05-4376-a36e-961bddd29c14 + iscommand: true + name: Auto endpoint isolation + playbooktaskmissingcomponent: + script: '|||core-isolate-endpoint' + type: regular + version: -1 + taskid: c4eeae37-ad05-4376-a36e-961bddd29c14 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 255, + "y": 140 + } + } + "8": + continueonerrortype: "" + id: "8" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "10" + note: false + quietmode: 0 + scriptarguments: + key: + simple: IsolatedEndpointsID + value: + complex: + accessor: endpoint_id + root: Core.Isolation + transformers: + - operator: uniq + separatecontext: false + skipunavailable: true + task: + brand: Builtin + description: commands.local.cmd.set.parent.alert.context + id: f1fa1236-07c7-4291-8230-fa48fb2e2d4a + iscommand: true + name: Set Isolated endpoint ID to the Alert context + playbooktaskmissingcomponent: + script: Builtin|||setParentIncidentContext + type: regular + version: -1 + taskid: f1fa1236-07c7-4291-8230-fa48fb2e2d4a + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 255, + "y": 265 + } + } + "10": + continueonerrortype: "" + id: "10" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 6c786033-9c64-4365-83af-dec8a718764c + iscommand: false + name: Done + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 6c786033-9c64-4365-83af-dec8a718764c + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 490, + "y": 444 + } + } + "13": + continueonerrortype: "" + id: "13" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "17" + note: false + quietmode: 0 + scriptarguments: + endpoint_id_list: + complex: + root: inputs.EndpointID + transformers: + - args: + applyIfEmpty: {} + defaultValue: + value: + simple: "null" + operator: SetIfEmpty + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Gets a list of endpoints, according to the passed filters. If there + are no filters, all endpoints are returned. Filtering by multiple fields is + concatenated using the AND condition (OR is not supported). Maximum result + set size is 100. Offset is the zero-based number of endpoints from the start + of the result set (start by counting from 0). + id: a0690559-7fbb-4a1e-8eb1-051f88912afd + iscommand: true + name: Get endpoint info by endpoint ID + playbooktaskmissingcomponent: + script: '|||core-get-endpoints' + type: regular + version: -1 + taskid: a0690559-7fbb-4a1e-8eb1-051f88912afd + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 30, + "y": -454 + } + } + "16": + continueonerrortype: "" + id: "16" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "27" + note: false + quietmode: 0 + scriptarguments: + key: + simple: EndpointsIDToIsolate + value: + complex: + accessor: endpoint_id + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.Endpoint.endpoint_status + operator: isNotEqualString + right: + value: + simple: DISCONNECTED + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.Endpoint.is_isolated + operator: containsGeneral + right: + value: + simple: AGENT_UNISOLATED + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.Endpoint.endpoint_type + operator: containsGeneral + right: + value: + simple: WORKSTATION + root: Core.Endpoint + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: "" + description: "Set a value in context under the key you entered. If no value + is entered, the script doesn't do anything.\n\nThis automation runs using + the default Limited User role, unless you explicitly change the permissions.\n + For more information, see the section about permissions here:\n- For Cortex + XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: f2c0cd47-a6d1-4b54-baff-9111cc14c054 + iscommand: false + name: Set endpoint IDs to isolate + playbooktaskmissingcomponent: + script: SetAndHandleEmpty + type: regular + version: -1 + taskid: f2c0cd47-a6d1-4b54-baff-9111cc14c054 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 255, + "y": -120 + } + } + "17": + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + root: inputs.HostContainment + operator: isEqualString + right: + value: + simple: "True" + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: endpoint_type + root: Core.Endpoint + operator: containsString + right: + value: + simple: WORKSTATION + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: is_isolated + root: Core.Endpoint + operator: isEqualString + right: + value: + simple: AGENT_UNISOLATED + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: endpoint_status + root: Core.Endpoint + operator: isNotEqualString + right: + value: + simple: DISCONNECTED + label: "Yes" + continueonerrortype: "" + id: "17" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "25" + "Yes": + - "16" + note: false + quietmode: 2 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Whether to isolate the endpoint based on the input values. + id: 1b35e319-899a-4a2b-80e4-591c3b92a9ae + iscommand: false + name: Should isolate the device? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 1b35e319-899a-4a2b-80e4-591c3b92a9ae + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 255, + "y": -322 + } + } + "22": + continueonerrortype: "" + id: "22" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "10" + note: false + quietmode: 0 + scriptarguments: + key: + simple: IsolatedEndpointsID + value: + complex: + accessor: endpoint_id + root: Core.Endpoint + transformers: + - args: + applyIfEmpty: {} + defaultValue: + value: + simple: No Values + operator: SetIfEmpty + - operator: uniq + separatecontext: false + skipunavailable: true + task: + brand: Builtin + description: commands.local.cmd.set.parent.alert.context + id: 677be289-10e0-46ea-8380-a44f18e8a047 + iscommand: true + name: Set Isolated endpoint ID to the Alert context + playbooktaskmissingcomponent: + script: Builtin|||setParentIncidentContext + type: regular + version: -1 + taskid: 677be289-10e0-46ea-8380-a44f18e8a047 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": -170, + "y": 90 + } + } + "23": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.EndpointID + operator: isNotEmpty + - left: + iscontext: true + value: + complex: + root: inputs.EndpointHostName + operator: isNotEmpty + label: "yes" + continueonerrortype: "" + id: "23" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "10" + "yes": + - "24" + - "13" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks if the endpoint ID or name defined. + id: 65bfa257-2884-4787-8dd5-64589ea2ad55 + iscommand: false + name: Is the endpoint ID or the endpoint name defined? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 65bfa257-2884-4787-8dd5-64589ea2ad55 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 490, + "y": -653 + } + } + "24": + continueonerrortype: "" + id: "24" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "17" + note: false + quietmode: 0 + scriptarguments: + hostname: + complex: + root: inputs.EndpointHostName + transformers: + - args: + applyIfEmpty: {} + defaultValue: + value: + simple: "null" + operator: SetIfEmpty + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Gets a list of endpoints, according to the passed filters. If there + are no filters, all endpoints are returned. Filtering by multiple fields is + concatenated using the AND condition (OR is not supported). Maximum result + set size is 100. Offset is the zero-based number of endpoints from the start + of the result set (start by counting from 0). + id: 6e3d0a66-444e-4d5d-803a-82f81ef2afdf + iscommand: true + name: Get endpoint info by endpoint name + playbooktaskmissingcomponent: + script: '|||core-get-endpoints' + type: regular + version: -1 + taskid: 6e3d0a66-444e-4d5d-803a-82f81ef2afdf + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 490, + "y": -454 + } + } + "25": + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: is_isolated + root: Core.Endpoint + operator: containsGeneral + right: + value: + simple: AGENT_ISOLATED + label: "yes" + continueonerrortype: "" + id: "25" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "10" + "yes": + - "22" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks if the endpoint is already isolated. + id: 28a11db5-8870-402e-8fee-8d815b2fc6a9 + iscommand: false + name: is the endpoint already isolated? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 28a11db5-8870-402e-8fee-8d815b2fc6a9 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": -170, + "y": -120 + } + } + "26": + continueonerrortype: "" + id: "26" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: b1052b5d-3ea3-44ff-8bd6-ec753abf861a + iscommand: false + name: Foundation - Foundation - Error Handling_V3 + playbookId: Foundation - Foundation - Error Handling_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: b1052b5d-3ea3-44ff-8bd6-ec753abf861a + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 940, + "y": 439 + } + } + "27": + continueonerrortype: "" + id: "27" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + Full Run: + - "2" + Shadow Mode: + - "28" + note: false + quietmode: 0 + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 9de8445b-c4bf-4cb5-9932-e5c7ba0b99ad + iscommand: false + name: Run Mode? + playbooktaskmissingcomponent: + script: 'ShadowModeRouter_V3' + type: condition + version: -1 + taskid: 9de8445b-c4bf-4cb5-9932-e5c7ba0b99ad + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 255, + "y": -20 + } + } + "28": + continueonerrortype: "" + id: "28" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "10" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow: Palo XDR Isolate Endpoint + Command: core-isolate-endpoint + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: 76549c23-938a-4977-a2fa-a47a8ca8c01e + iscommand: false + name: 'Shadow: Palo XDR Isolate Endpoint' + playbooktaskmissingcomponent: + script: Print + type: regular + version: -1 + taskid: 76549c23-938a-4977-a2fa-a47a8ca8c01e + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 740, + "y": 140 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": { + "17_16_Yes": 0.55, + "23_10_#default#": 0.11, + "25_22_yes": 0.48 + }, + "paper": { + "dimensions": { + "height": 1291, + "width": 1490, + "x": -170, + "y": -782 + } + } + } +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Containment_Plan_-_Quarantine_File.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Containment_Plan_-_Quarantine_File.yml new file mode 100644 index 0000000..97dbb99 --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Containment_Plan_-_Quarantine_File.yml @@ -0,0 +1,1077 @@ +adopted: true +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 6.6.0 + isoverridable: false + itemVersion: 2.7.15 + packID: "" + packName: Common Playbooks + prevname: "" + supportedModules: + - X1 + - X3 + - X5 + - ENT_PLUS + toServerVersion: "" +description: |- + ## Containment Plan - Quarantine File + + This playbook is a sub-playbook within the containment plan playbook. + The playbook quarantines files using core commands. +dirtyInputs: true +id: 'SOC Containment Plan_V3 - Quarantine File_V3' +inputSections: +- description: Generic group for inputs + inputs: + - FileContainment + - FileRemediation + - FilePath + - FileHash + - EndpointID + - AutoContainment + - ShadowMode + name: General (Inputs group) +inputs: +- description: Set to 'True' to quarantine the identified file. + key: FileContainment + playbookInputQuery: + required: false + value: + simple: "True" +- description: "Choose 'Quarantine' or 'Delete' to avoid file remediation conflicts. + \nFor example, choosing 'Quarantine' ignores the 'Delete file' task under the + eradication playbook and will execute only file quarantine." + key: FileRemediation + playbookInputQuery: + required: false + value: + simple: Quarantine +- description: The path of the file to block. + key: FilePath + playbookInputQuery: + required: false + value: {} +- description: The file hash to block. + key: FileHash + playbookInputQuery: + required: false + value: {} +- description: The endpoint ID to run commands over. + key: EndpointID + playbookInputQuery: + required: false + value: {} +- description: Whether to execute containment plan automatically. + key: AutoContainment + playbookInputQuery: + required: false + value: {} +- description: "" + key: ShadowMode + playbookInputQuery: + required: false + value: + simple: "true" +name: SOC Containment Plan_V3 - Quarantine File_V3 +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: + - QuarantinedFilesFromEndpoints +outputs: +- contextPath: QuarantinedFilesFromEndpoints + description: The quarantined files from endpoint. + type: unknown +sourceplaybookid: Containment Plan - Quarantine File +starttaskid: "0" +tags: +- SOC +- SOC_Framework +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "17" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 0c4f76b8-840e-49d6-83ea-28853fed1128 + iscommand: false + name: "" + playbooktaskmissingcomponent: + version: -1 + taskid: 0c4f76b8-840e-49d6-83ea-28853fed1128 + timertriggers: [] + type: start + view: |- + { + "position": { + "x": -40, + "y": -369 + } + } + "2": + continueonerrortype: "" + id: "2" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 397f4b57-3b4f-40ed-8871-59fb281d5a77 + iscommand: false + name: Done + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 397f4b57-3b4f-40ed-8871-59fb281d5a77 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": -254, + "y": 1026 + } + } + "7": + continueonerror: true + continueonerrortype: "" + id: "7" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "13" + note: false + quietmode: 0 + scriptarguments: + endpoint_id: + complex: + root: inputs.EndpointID + file_hash: + complex: + accessor: initiatorsha256 + root: foundIncidents.CustomFields + transformers: + - args: + applyIfEmpty: {} + defaultValue: + iscontext: true + value: + simple: inputs.FileHash + operator: SetIfEmpty + file_path: + complex: + accessor: initiatorpath + root: foundIncidents.CustomFields + transformers: + - args: + applyIfEmpty: {} + defaultValue: + iscontext: true + value: + simple: inputs.FilePath + operator: SetIfEmpty + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Retrieves the quarantine status for a selected file. + id: a0ceb1ef-9c66-4295-8ab8-8ff9b8cbbf2f + iscommand: true + name: Get file quarantine status + playbooktaskmissingcomponent: + script: '|||core-get-quarantine-status' + type: regular + version: -1 + taskid: a0ceb1ef-9c66-4295-8ab8-8ff9b8cbbf2f + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 453, + "y": -83 + } + } + "8": + continueonerror: true + continueonerrortype: "" + id: "8" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "15" + note: false + quietmode: 0 + scriptarguments: + endpoint_id_list: + complex: + root: inputs.EndpointID + file_hash: + complex: + accessor: initiatorsha256 + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: foundIncidents.CustomFields.initiatorpath + operator: isNotEqualString + right: + value: + simple: c:\windows\explorer.exe + root: foundIncidents.CustomFields + transformers: + - args: + applyIfEmpty: {} + defaultValue: + iscontext: true + value: + simple: inputs.FileHash + operator: SetIfEmpty + file_path: + complex: + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: foundIncidents.CustomFields.initiatorpath + operator: isNotEqualString + right: + value: + simple: c:\windows\explorer.exe + root: foundIncidents.CustomFields.initiatorpath + transformers: + - args: + applyIfEmpty: {} + defaultValue: + iscontext: true + value: + simple: inputs.FilePath + operator: SetIfEmpty + interval_in_seconds: + simple: "20" + timeout_in_seconds: + simple: "120" + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Quarantines a file on selected endpoints. You can select up to + 1000 endpoints. + id: 30398ddb-5182-4c19-84f2-6f06e62eabca + iscommand: true + name: File quarantine + playbooktaskmissingcomponent: + script: '|||core-quarantine-files' + type: regular + version: -1 + taskid: 30398ddb-5182-4c19-84f2-6f06e62eabca + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 453, + "y": 399 + } + } + "9": + continueonerror: true + continueonerrortype: errorPath + id: "9" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "26" + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + key: + simple: QuarantinedFilesFromEndpoints + value: + complex: + accessor: actionIds + root: Core.quarantineFiles + separatecontext: false + skipunavailable: true + task: + brand: Builtin + description: commands.local.cmd.set.parent.alert.context + id: ceb94556-4fbc-4a33-8cfe-3fbe2669a059 + iscommand: true + name: Set quarantine files per endpoints to the Alert context + playbooktaskmissingcomponent: + script: Builtin|||setParentIncidentContext + type: regular + version: -1 + taskid: ceb94556-4fbc-4a33-8cfe-3fbe2669a059 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 453, + "y": 887 + } + } + "13": + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + root: inputs.FileContainment + operator: isEqualString + right: + value: + simple: "True" + - - ignorecase: true + left: + iscontext: true + value: + complex: + root: inputs.FileRemediation + operator: isEqualString + right: + value: + simple: Quarantine + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: status + root: Core.quarantineFiles.status + operator: isEqualString + right: + value: + simple: "False" + label: "yes" + continueonerrortype: "" + id: "13" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "2" + "yes": + - "27" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Whether to quarantine the files based on the input values and the + alert context. + id: 1208d3af-a6d7-4126-86f2-1c84f8659895 + iscommand: false + name: Should quarantine file? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 1208d3af-a6d7-4126-86f2-1c84f8659895 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 453, + "y": 42 + } + } + "15": + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: status + root: Core.GetActionStatus + operator: isNotEqualString + right: + value: + simple: FAILED + - - left: + iscontext: true + value: + complex: + accessor: status + root: Core.GetActionStatus + operator: isNotEmpty + label: "yes" + continueonerrortype: "" + id: "15" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "25" + "yes": + - "16" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks if the quarantining of the file was successful. + id: 410c04ef-0afc-4578-8b1b-b1a3de96debf + iscommand: false + name: Was the file quarantined? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 410c04ef-0afc-4578-8b1b-b1a3de96debf + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 227, + "y": 631 + } + } + "16": + continueonerror: true + continueonerrortype: errorPath + id: "16" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "26" + '#none#': + - "9" + note: false + quietmode: 0 + scriptarguments: + key: + simple: QuarantinedFilesFromEndpoints + value: + complex: + accessor: actionIds + root: Core.quarantineFiles + separatecontext: false + skipunavailable: true + task: + brand: Builtin + description: Set a value in context under the key you entered. + id: c5d82818-9538-471e-9ccc-98507a64ba2c + iscommand: false + name: Set quarantine files to the context + playbooktaskmissingcomponent: + script: Set + type: regular + version: -1 + taskid: c5d82818-9538-471e-9ccc-98507a64ba2c + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 453, + "y": 767 + } + } + "17": + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + root: inputs.AutoContainment + operator: isEqualString + right: + value: + simple: "True" + - - left: + iscontext: true + value: + complex: + root: inputs.EndpointID + operator: isNotEmpty + - - left: + iscontext: true + value: + complex: + root: inputs.FilePath + operator: isNotEmpty + - - left: + iscontext: true + value: + complex: + root: inputs.FileHash + operator: isNotEmpty + label: Auto + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + root: inputs.AutoContainment + operator: isNotEqualString + right: + value: + simple: "True" + - - left: + iscontext: true + value: + complex: + root: inputs.EndpointID + operator: isNotEmpty + - - left: + iscontext: true + value: + complex: + root: inputs.FilePath + operator: isNotEmpty + - - left: + iscontext: true + value: + complex: + root: inputs.FileHash + operator: isNotEmpty + label: Manual + continueonerrortype: "" + id: "17" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "2" + Auto: + - "7" + Manual: + - "23" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Whether to isolate the device automatically based on the input + values. + id: fd83526a-3995-475b-8ea6-60233a3f1636 + iscommand: false + name: Should isolate automatically? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: fd83526a-3995-475b-8ea6-60233a3f1636 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": -40, + "y": -251 + } + } + "18": + continueonerror: true + continueonerrortype: "" + id: "18" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "19" + note: false + quietmode: 0 + scriptarguments: + endpoint_id: + complex: + root: inputs.EndpointID + file_hash: + complex: + filters: + - - left: + iscontext: true + value: + simple: FileHash + operator: stringHasLength + right: + value: + simple: "64" + root: FileHash + file_path: + complex: + root: FilePath + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Retrieves the quarantine status for a selected file. + id: 8395bf84-b9be-42af-8c0b-cdf64c82b8fa + iscommand: true + name: Get file quarantine status + playbooktaskmissingcomponent: + script: '|||core-get-quarantine-status' + type: regular + version: -1 + taskid: 8395bf84-b9be-42af-8c0b-cdf64c82b8fa + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": -40, + "y": 184 + } + } + "19": + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + root: inputs.FileContainment + operator: isEqualString + right: + value: + simple: "True" + - - ignorecase: true + left: + iscontext: true + value: + complex: + root: inputs.FileRemediation + operator: isEqualString + right: + value: + simple: Quarantine + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: status + root: Core.quarantineFiles.status + operator: isEqualString + right: + value: + simple: "False" + label: "yes" + continueonerrortype: "" + id: "19" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "2" + "yes": + - "20" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Whether to quarantine the files based on the input values and the + alert context. + id: a04c8ae8-b9a2-4a06-8d64-8463dd6582d9 + iscommand: false + name: Should quarantine file? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: a04c8ae8-b9a2-4a06-8d64-8463dd6582d9 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": -40, + "y": 329 + } + } + "20": + continueonerror: true + continueonerrortype: "" + id: "20" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "15" + note: false + quietmode: 0 + scriptarguments: + endpoint_id_list: + complex: + root: inputs.EndpointID + file_hash: + complex: + filters: + - - left: + iscontext: true + value: + simple: FileHash + operator: stringHasLength + right: + value: + simple: "64" + root: FileHash + file_path: + complex: + root: FilePath + interval_in_seconds: + simple: "20" + timeout_in_seconds: + simple: "120" + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Quarantines a file on selected endpoints. You can select up to + 1000 endpoints. + id: 48f240fd-334d-4f88-8e66-726f9971ba3c + iscommand: true + name: File quarantine + playbooktaskmissingcomponent: + script: '|||core-quarantine-files' + type: regular + version: -1 + taskid: 48f240fd-334d-4f88-8e66-726f9971ba3c + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": -40, + "y": 497 + } + } + "23": + continueonerror: true + continueonerrortype: errorPath + id: "23" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "26" + '#none#': + - "24" + note: false + quietmode: 0 + scriptarguments: + key: + simple: FilePath + value: + complex: + root: inputs.FilePath + transformers: + - args: + error_if_no_match: {} + ignore_case: {} + multi_line: {} + period_matches_newline: {} + regex: + value: + simple: Path\":\"(.+?)\" + unpack_matches: {} + operator: RegexExtractAll + - args: + applyIfEmpty: {} + defaultValue: + value: + simple: No value + operator: SetIfEmpty + - args: + limit: {} + replaceWith: + value: + simple: \ + toReplace: + value: + simple: \\ + operator: replace + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Set a value in context under the key you entered. + id: 20bedb31-7ad0-4de2-a1a1-ed12eabd305e + iscommand: false + name: Set file path to quarantine + playbooktaskmissingcomponent: + script: Set + type: regular + version: -1 + taskid: 20bedb31-7ad0-4de2-a1a1-ed12eabd305e + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": -40, + "y": -85 + } + } + "24": + continueonerror: true + continueonerrortype: errorPath + id: "24" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "26" + '#none#': + - "18" + note: false + quietmode: 0 + scriptarguments: + key: + simple: FileHash + value: + complex: + root: inputs.FileHash + transformers: + - args: + error_if_no_match: {} + ignore_case: {} + multi_line: {} + period_matches_newline: {} + regex: + value: + simple: Hash\":\"(.+?)\" + unpack_matches: {} + operator: RegexExtractAll + - args: + applyIfEmpty: {} + defaultValue: + value: + simple: No value + operator: SetIfEmpty + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Set a value in context under the key you entered. + id: 68f2e56a-d26e-45a3-847d-75e10d287811 + iscommand: false + name: Set file hash to quarantine + playbooktaskmissingcomponent: + script: Set + type: regular + version: -1 + taskid: 68f2e56a-d26e-45a3-847d-75e10d287811 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": -40, + "y": 40 + } + } + "25": + continueonerrortype: "" + id: "25" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: |- + Dear Analyst, + + The playbook was unable to quarantine the file due to the following possible reasons: + + - The file is not located on the local host. + - The endpoint is currently disconnected. + + Please take manual action to quarantine the file. + id: 942487c5-0c60-4be2-aa56-4c85d6718a0f + iscommand: false + name: Manual action needed – file couldn't be quarantined + playbooktaskmissingcomponent: + type: regular + version: -1 + taskid: 942487c5-0c60-4be2-aa56-4c85d6718a0f + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": -37, + "y": 767 + } + } + "26": + continueonerrortype: "" + id: "26" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: d461544a-86db-492d-8df1-aa928c0fd6b9 + iscommand: false + name: Foundation - Foundation - Error Handling_V3 + playbookId: Foundation - Foundation - Error Handling_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: d461544a-86db-492d-8df1-aa928c0fd6b9 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": -717, + "y": 1021 + } + } + "27": + continueonerrortype: "" + id: "27" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + Full Run: + - "8" + Shadow Mode: + - "28" + note: false + quietmode: 0 + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 8fb7eafb-23ef-461b-87ab-e1eaf7098eaa + iscommand: false + name: Run Mode? + playbooktaskmissingcomponent: + script: 'ShadowModeRouter_V3' + type: condition + version: -1 + taskid: 8fb7eafb-23ef-461b-87ab-e1eaf7098eaa + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 453, + "y": 200 + } + } + "28": + continueonerrortype: "" + id: "28" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "16" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow: Palo XDR File Qurantine + Command: core-quarantine-file ${inputs.EndpointID} + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: 00c1159f-3a14-4cce-99d4-19615b7eedc3 + iscommand: false + name: 'Shadow: Palo XDR File Qurantine' + playbooktaskmissingcomponent: + script: Print + type: regular + version: -1 + taskid: 00c1159f-3a14-4cce-99d4-19615b7eedc3 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 870, + "y": 399 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": { + "13_2_#default#": 0.88, + "15_16_yes": 0.6, + "17_23_Manual": 0.42, + "17_2_#default#": 0.12, + "19_20_yes": 0.44, + "19_2_#default#": 0.15 + }, + "paper": { + "dimensions": { + "height": 1460, + "width": 1967, + "x": -717, + "y": -369 + } + } + } +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Cortex_XDR_-_Block_File.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Cortex_XDR_-_Block_File.yml new file mode 100644 index 0000000..b408591 --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Cortex_XDR_-_Block_File.yml @@ -0,0 +1,370 @@ +adopted: true +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 5.0.0 + isoverridable: false + itemVersion: 6.2.33 + packID: "" + packName: Cortex XDR by Palo Alto Networks + prevname: "" + supportedModules: [] + toServerVersion: "" +description: Use this playbook to add files to Cortex XDR block list with a given + file SHA256 playbook input. +dirtyInputs: true +id: 'SOC Cortex XDR - Block File_V3' +inputSections: +- description: Generic group for inputs + inputs: + - HashList + - ShadowMode + name: General (Inputs group) +inputs: +- description: List of hashed files you want to add to block list. Must be a valid + SHA256 hash. + key: HashList + playbookInputQuery: + required: false + value: {} +- description: "" + key: ShadowMode + playbookInputQuery: + required: false + value: + simple: "true" +name: SOC Cortex XDR - Block File_V3 +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: [] +outputs: [] +sourceplaybookid: Cortex XDR - Block File +starttaskid: "0" +tags: +- SOC +- SOC_Framework +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "4" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: a93b6633-bfe0-4f17-8278-abb9a6ab931d + iscommand: false + name: "" + playbooktaskmissingcomponent: + version: -1 + taskid: a93b6633-bfe0-4f17-8278-abb9a6ab931d + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 150, + "y": -180 + } + } + "1": + continueonerror: true + continueonerrortype: errorPath + id: "1" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "6" + '#none#': + - "3" + note: false + quietmode: 0 + scriptarguments: + hash_list: + complex: + root: inputs.HashList + separatecontext: false + skipunavailable: true + task: + brand: "" + description: Block lists requested files which have not already been block listed + or added to allow lists. + id: fc4ecaac-87c0-4991-8072-edada376a47e + iscommand: true + name: Cortex XDR add a file SHA256 to block list + playbooktaskmissingcomponent: + script: '|||core-blocklist-files' + type: regular + version: -1 + taskid: fc4ecaac-87c0-4991-8072-edada376a47e + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 560, + "y": 430 + } + } + "2": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.HashList + operator: isNotEmpty + label: "yes" + continueonerrortype: "" + id: "2" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "3" + "yes": + - "5" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: '''''' + id: 73f0ad54-16ef-4e21-844f-d77e4b0d1af4 + iscommand: false + name: Is there a file to block? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 73f0ad54-16ef-4e21-844f-d77e4b0d1af4 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 390, + "y": 110 + } + } + "3": + continueonerrortype: "" + id: "3" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 2f82d128-202d-45bd-803b-638abe146a38 + iscommand: false + name: Done + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 2f82d128-202d-45bd-803b-638abe146a38 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 150, + "y": 630 + } + } + "4": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: brand + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: modules.state + operator: isEqualString + right: + value: + simple: active + root: modules + operator: isEqualString + right: + value: + simple: Cortex XDR - IR + label: "yes" + continueonerrortype: "" + id: "4" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "3" + "yes": + - "2" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Returns 'yes' if Cortex XDR integration brand is available. Otherwise + returns 'no' + id: 4cc56c7e-927f-4219-8fec-ee36fa0fae5a + iscommand: false + name: Is Cortex XDR integration enabled? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 4cc56c7e-927f-4219-8fec-ee36fa0fae5a + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 150, + "y": -40 + } + } + "5": + continueonerrortype: "" + id: "5" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + Full Run: + - "1" + Shadow Mode: + - "7" + note: false + quietmode: 0 + scriptarguments: + ShadowMode: + simple: "true" + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 1cf1a934-5d44-4e09-a494-1195be570ae0 + iscommand: false + name: Run Mode? + playbooktaskmissingcomponent: + script: 'ShadowModeRouter_V3' + type: condition + version: -1 + taskid: 1cf1a934-5d44-4e09-a494-1195be570ae0 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 830, + "y": 260 + } + } + "6": + continueonerrortype: "" + id: "6" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: c82f0d5f-77c6-47fd-8c34-b6e9eabaa67b + iscommand: false + name: Foundation - Foundation - Foundation - Foundation - Error Handling_V3 + playbookId: Foundation - Foundation - Error Handling_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: c82f0d5f-77c6-47fd-8c34-b6e9eabaa67b + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 910, + "y": 625 + } + } + "7": + continueonerror: true + continueonerrortype: errorPath + id: "7" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "6" + '#none#': + - "3" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow: Cortex XDR Add file to SHA256 Block List + Command: core-blocklist-files ${inputs.HashList} + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: 02186a05-4cf9-46bc-90e6-969e2945c90a + iscommand: false + name: Cortex XDR Add file to SHA256 Block + playbooktaskmissingcomponent: + script: Print + type: regular + version: -1 + taskid: 02186a05-4cf9-46bc-90e6-969e2945c90a + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1100, + "y": 430 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": { + "2_3_#default#": 0.26 + }, + "paper": { + "dimensions": { + "height": 875, + "width": 1330, + "x": 150, + "y": -180 + } + } + } +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_CrowdStrike_Falcon_-_Block_File.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_CrowdStrike_Falcon_-_Block_File.yml new file mode 100644 index 0000000..ae4b7d4 --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_CrowdStrike_Falcon_-_Block_File.yml @@ -0,0 +1,622 @@ +adopted: true +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 6.10.0 + isoverridable: false + itemVersion: 1.0.0 + packID: "" + packName: SOC Common Playbooks + prevname: "" + supportedModules: [] + toServerVersion: "" +description: "This playbook receives an MD5 or a SHA256 hash and adds it to the block + list in CrowdStrike Falcon. \nThe playbook uses the integration \"CrowdStrike Falcon\"\ + ." +dirtyInputs: true +id: 'SOC CrowdStrike Falcon - Block File_V3' +inputSections: +- description: Generic group for inputs + inputs: + - 'Severity ' + - Hash + - ShadowMode + name: General (Inputs group) +inputs: +- description: 'The severity of the indicator (informational, low, medium, high and + critical) ' + key: 'Severity ' + playbookInputQuery: + required: true + value: + simple: medium +- description: In this input you can insert either MD5 or SHA256 to block. + key: Hash + playbookInputQuery: + required: false + value: {} +- description: Shadow Mode is a key safety mechanism. It ensures actions like isolate_endpoint + or disable_user are logged but not executed in test scenarios. + key: ShadowMode + playbookInputQuery: + required: false + value: + simple: "true" +name: SOC CrowdStrike Falcon - Block File_V3 +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: [] +outputs: [] +sourceplaybookid: CrowdStrike Falcon - Block File +starttaskid: "0" +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "1" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 0d73b973-bbfc-453b-8f17-48573f846ef8 + iscommand: false + name: "" + playbooktaskmissingcomponent: + version: -1 + taskid: 0d73b973-bbfc-453b-8f17-48573f846ef8 + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 845.75, + "y": 60 + } + } + "1": + continueonerrortype: "" + id: "1" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "3" + "yes": + - "9" + note: false + quietmode: 0 + scriptarguments: + brandname: + simple: CrowdstrikeFalcon + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Returns 'yes' if the integration brand is available. Otherwise + returns 'no'. + id: 6131ee7b-bdd9-48b7-8ef9-6f4f25520d57 + iscommand: false + name: 'Is CrowdStrike enabled? ' + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 6131ee7b-bdd9-48b7-8ef9-6f4f25520d57 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 845.75, + "y": 210 + } + } + "3": + continueonerrortype: "" + id: "3" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: adf1831c-824c-4336-83f7-59df78cb904b + iscommand: false + name: Done + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: adf1831c-824c-4336-83f7-59df78cb904b + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 680, + "y": 1290 + } + } + "7": + continueonerror: true + continueonerrortype: errorPath + id: "7" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "12" + '#none#': + - "3" + note: false + quietmode: 0 + scriptarguments: + action: + simple: prevent + applied_globally: + simple: "true" + ioc_type: + simple: sha256 + platforms: + simple: mac,windows,linux + severity: + complex: + root: 'inputs.Severity ' + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: inputs.Hash + operator: stringHasLength + right: + value: + simple: "64" + root: inputs.Hash + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: CrowdstrikeFalcon + description: Uploads an indicator for CrowdStrike to monitor. + id: fdf5f2a5-206f-41fa-bf97-85c3d12c9860 + iscommand: true + name: Block by SHA256 + playbooktaskmissingcomponent: + script: CrowdstrikeFalcon|||cs-falcon-upload-custom-ioc + type: regular + version: -1 + taskid: fdf5f2a5-206f-41fa-bf97-85c3d12c9860 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 465.75, + "y": 890 + } + } + "8": + continueonerror: true + continueonerrortype: errorPath + id: "8" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "12" + '#none#': + - "3" + note: false + quietmode: 0 + scriptarguments: + action: + simple: prevent + applied_globally: + simple: "true" + ioc_type: + simple: md5 + platforms: + simple: windows,mac,linux + severity: + complex: + root: 'inputs.Severity ' + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: inputs.Hash + operator: stringHasLength + right: + value: + simple: "32" + root: inputs.Hash + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: CrowdstrikeFalcon + description: Uploads an indicator for CrowdStrike to monitor. + id: e7d425f1-beef-4302-91d8-8fefaa1404e9 + iscommand: true + name: Block by MD5 + playbooktaskmissingcomponent: + script: CrowdstrikeFalcon|||cs-falcon-upload-custom-ioc + type: regular + version: -1 + taskid: e7d425f1-beef-4302-91d8-8fefaa1404e9 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 2070, + "y": 880 + } + } + "9": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.Hash + operator: isNotEmpty + right: + value: {} + label: "yes" + continueonerrortype: "" + id: "9" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "3" + "yes": + - "10" + - "11" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 2cd3e8da-b26a-4d7e-8466-567b0c1727dc + iscommand: false + name: Is there any file to block? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 2cd3e8da-b26a-4d7e-8466-567b0c1727dc + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 960, + "y": 360 + } + } + "10": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.Hash + transformers: + - operator: uniq + operator: stringHasLength + right: + value: + simple: "64" + label: "Yes" + continueonerrortype: "" + id: "10" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "3" + "Yes": + - "17" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 03ec2d2d-fe08-4e24-83db-bb3511aa626b + iscommand: false + name: Has SHA256 Hashes? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 03ec2d2d-fe08-4e24-83db-bb3511aa626b + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 340.5, + "y": 550 + } + } + "11": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.Hash + transformers: + - operator: uniq + operator: stringHasLength + right: + value: + simple: "32" + label: "Yes" + continueonerrortype: "" + id: "11" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "3" + "Yes": + - "18" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 68b13d2c-09d4-48d5-8607-8e9b922cc8ab + iscommand: false + name: Has MD5 Hashes? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 68b13d2c-09d4-48d5-8607-8e9b922cc8ab + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 1552.5, + "y": 550 + } + } + "12": + continueonerrortype: "" + id: "12" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "3" + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: e7f16046-9c00-4832-8aec-37614f86ba41 + iscommand: false + name: Foundation - Foundation - Error Handling_V3 + playbookId: Foundation - Foundation - Error Handling_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: e7f16046-9c00-4832-8aec-37614f86ba41 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 1530, + "y": 1270 + } + } + "14": + continueonerror: true + continueonerrortype: errorPath + id: "14" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "12" + '#none#': + - "3" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow Mode: Block by MD5 + Command: cs-falcon-upload-custom-ioc ${inputs.Hash} + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: ea89ec84-b71f-416c-aeab-d109b842bf41 + iscommand: false + name: CrowdStrike Block by MD5 + playbooktaskmissingcomponent: + script: Print + type: regular + version: -1 + taskid: ea89ec84-b71f-416c-aeab-d109b842bf41 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1567.25, + "y": 880 + } + } + "16": + continueonerror: true + continueonerrortype: errorPath + id: "16" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "12" + '#none#': + - "3" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow Mode: Block by SHA256 + Command: cs-falcon-upload-custom-ioc ${inputs.Hash} + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: caf0851a-94f3-489c-84d1-87b89cc9ca2e + iscommand: false + name: CrowdStrike Block by SHA256 + playbooktaskmissingcomponent: + script: Print + type: regular + version: -1 + taskid: caf0851a-94f3-489c-84d1-87b89cc9ca2e + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": -60, + "y": 890 + } + } + "17": + continueonerror: true + continueonerrortype: "" + id: "17" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + Full Run: + - "7" + Shadow Mode: + - "16" + note: false + quietmode: 0 + scriptarguments: + ShadowMode: + simple: "true" + separatecontext: false + skipunavailable: false + task: + brand: "" + id: d7cd21f4-0e80-451e-bf0c-f879a14bcbfc + iscommand: false + name: Run Mode? + playbooktaskmissingcomponent: + script: 'ShadowModeRouter_V3' + type: condition + version: -1 + taskid: d7cd21f4-0e80-451e-bf0c-f879a14bcbfc + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 210, + "y": 730 + } + } + "18": + continueonerror: true + continueonerrortype: "" + id: "18" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + Full Run: + - "8" + Shadow Mode: + - "14" + note: false + quietmode: 0 + scriptarguments: + ShadowMode: + simple: "true" + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 3f02c51f-6922-4418-8624-930d4280030e + iscommand: false + name: Run Mode? + playbooktaskmissingcomponent: + script: 'ShadowModeRouter_V3' + type: condition + version: -1 + taskid: 3f02c51f-6922-4418-8624-930d4280030e + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 1810, + "y": 720 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": { + "10_3_#default#": 0.24, + "11_3_#default#": 0.49, + "1_3_#default#": 0.37, + "9_11_yes": 0.64, + "9_3_#default#": 0.3 + }, + "paper": { + "dimensions": { + "height": 1290, + "width": 2510, + "x": -60, + "y": 60 + } + } + } +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Crowdstrike_Falcon_-_Isolate_Endpoint.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Crowdstrike_Falcon_-_Isolate_Endpoint.yml new file mode 100644 index 0000000..8624297 --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Crowdstrike_Falcon_-_Isolate_Endpoint.yml @@ -0,0 +1,417 @@ +adopted: true +description: This playbook will auto isolate endpoints by the device ID that was provided + in the playbook. +dirtyInputs: true +id: 'SOC Crowdstrike Falcon - Isolate Endpoint_V3' +inputSections: +- description: Generic group for inputs + inputs: + - Device_id + - ShadowMode + name: General (Inputs group) +inputs: +- description: The device ID to isolate. + key: Device_id + playbookInputQuery: + required: false + value: {} +- description: "" + key: ShadowMode + playbookInputQuery: + required: false + value: + simple: "true" +name: SOC Crowdstrike Falcon - Isolate Endpoint_V3 +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: [] +outputs: [] +sourceplaybookid: Crowdstrike Falcon - Isolate Endpoint +starttaskid: "0" +tags: +- SOC +- SOC_Framework +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "1" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: d0e090fd-5e1f-4b5c-82e9-eb62105b6220 + iscommand: false + name: "" + playbooktaskmissingcomponent: + version: -1 + taskid: d0e090fd-5e1f-4b5c-82e9-eb62105b6220 + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 450, + "y": 40 + } + } + "1": + continueonerrortype: "" + id: "1" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + "no": + - "2" + "yes": + - "3" + note: false + quietmode: 0 + scriptarguments: + brandname: + simple: CrowdstrikeFalcon + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Returns 'yes' if the integration brand is available. Otherwise + returns 'no'. + id: ee96dc16-3b22-4d74-83fe-b5a86fb60115 + iscommand: false + name: Is Crowdstrike Falcon enabled? + playbooktaskmissingcomponent: + script: IsIntegrationAvailable + type: condition + version: -1 + taskid: ee96dc16-3b22-4d74-83fe-b5a86fb60115 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 450, + "y": 210 + } + } + "2": + continueonerrortype: "" + id: "2" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 44f92e5b-01a2-4070-881c-c6a931266009 + iscommand: false + name: Done + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 44f92e5b-01a2-4070-881c-c6a931266009 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 450, + "y": 1760 + } + } + "3": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.Device_id + operator: isNotEmpty + label: "yes" + continueonerrortype: "" + id: "3" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "2" + "yes": + - "4" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 1fd37726-4b11-46ea-802f-46fc9e2fe715 + iscommand: false + name: Is there Device ID? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 1fd37726-4b11-46ea-802f-46fc9e2fe715 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 810, + "y": 490 + } + } + "4": + continueonerrortype: "" + id: "4" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "5" + note: false + quietmode: 0 + scriptarguments: + ids: + simple: ${inputs.Device_id} + separatecontext: false + skipunavailable: false + task: + brand: CrowdstrikeFalcon + description: Searches for a device that matches the query. + id: 66d5a0a9-f7c9-4f23-abf4-a8ab5d888534 + iscommand: true + name: Get device info + playbooktaskmissingcomponent: + script: CrowdstrikeFalcon|||cs-falcon-search-device + type: regular + version: -1 + taskid: 66d5a0a9-f7c9-4f23-abf4-a8ab5d888534 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 990, + "y": 690 + } + } + "5": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: CrowdStrike.Device.Status + operator: isEqualString + right: + value: + simple: normal + label: "yes" + continueonerrortype: "" + id: "5" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "2" + "yes": + - "7" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 5255531d-7314-4223-8efc-ac53607d0b52 + iscommand: false + name: Is the device ready for isolation? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 5255531d-7314-4223-8efc-ac53607d0b52 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 990, + "y": 890 + } + } + "6": + continueonerror: true + continueonerrortype: errorPath + id: "6" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "9" + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + ids: + simple: ${inputs.Device_id} + separatecontext: false + skipunavailable: false + task: + brand: CrowdstrikeFalcon + description: Contains containment for a specified host. When contained, a host + can only communicate with the CrowdStrike cloud and any IPs specified in your + containment policy. + id: 8d83b1ad-dbe6-4fe7-ba1c-755241c23a84 + iscommand: true + name: Isolate endpoint + playbooktaskmissingcomponent: + script: CrowdstrikeFalcon|||cs-falcon-contain-host + type: regular + version: -1 + taskid: 8d83b1ad-dbe6-4fe7-ba1c-755241c23a84 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 990, + "y": 1330 + } + } + "7": + continueonerrortype: "" + id: "7" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + Full Run: + - "6" + Shadow Mode: + - "8" + note: false + quietmode: 0 + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 3e9098e5-20d2-40f9-abf9-800a6900cc58 + iscommand: false + name: Run Mode? + playbooktaskmissingcomponent: + script: ShadowModeRouter_V3 + type: condition + version: -1 + taskid: 3e9098e5-20d2-40f9-abf9-800a6900cc58 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 990, + "y": 1090 + } + } + "8": + continueonerrortype: "" + id: "8" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow: CrowdStrike Falcon Isolate EndPoint + Command: cs-falcon-contain-host + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: e46e3518-e612-4d9b-ad76-48a9e841cc5d + iscommand: false + name: 'Shadow: CrowdStrike Falcon Isolate EndPoint' + playbooktaskmissingcomponent: + script: Print + type: regular + version: -1 + taskid: e46e3518-e612-4d9b-ad76-48a9e841cc5d + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1430, + "y": 1330 + } + } + "9": + continueonerrortype: "" + id: "9" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: a5744034-b39d-4989-8e3f-e891bf98b1cb + iscommand: false + name: Foundation - Foundation - Error Handling_V3 + playbookId: Foundation - Foundation - Error Handling_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: a5744034-b39d-4989-8e3f-e891bf98b1cb + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 1430, + "y": 1755 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": { + "1_2_no": 0.85, + "3_2_#default#": 0.2, + "3_4_yes": 0.51, + "5_2_#default#": 0.38 + }, + "paper": { + "dimensions": { + "height": 1785, + "width": 1360, + "x": 450, + "y": 40 + } + } + } +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Domain_Enrichment_-_Generic_v2.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Domain_Enrichment_-_Generic_v2.yml new file mode 100644 index 0000000..70a55e2 --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Domain_Enrichment_-_Generic_v2.yml @@ -0,0 +1,544 @@ +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 5.0.0 + isoverridable: false + itemVersion: 1.0.0 + packID: "" + packName: SOC Common Playbooks + prevname: "" + toServerVersion: "" +description: |- + Enrich domains using one or more integrations. + Domain enrichment includes: + * Threat information + * Domain reputation using !domain command +adopted: true +id: 'SOC Domain Enrichment - Generic v2_V3' +inputs: +- description: The domain name to enrich. + key: Domain + playbookInputQuery: + required: false + value: + complex: + accessor: Name + root: Domain + transformers: + - operator: uniq +- description: |- + Define if you would like to use the !url command. + Note: This input should be used whenever there is no auto-extract enabled in the investigation flow. + Possible values: True / False. + key: UseReputationCommand + playbookInputQuery: + required: true + value: + simple: "False" +name: SOC Domain Enrichment - Generic v2_V3 +outputs: +- contextPath: Domain + description: The domain objects. + type: string +- contextPath: DBotScore + description: Indicator, Score, Type, and Vendor. + type: string +- contextPath: Domain.Name + description: Bad domain found. + type: string +- contextPath: Domain.Malicious.Vendor + description: For malicious domains, the vendor that made the decision. + type: string +- contextPath: DBotScore.Indicator + description: The indicator that was tested. + type: string +- contextPath: DBotScore.Type + description: The indicator type. + type: string +- contextPath: DBotScore.Score + description: The actual DBot score. + type: number +- contextPath: Domain.SecurityCategories + description: The Umbrella security category, or categories, that match this domain + type: string +- contextPath: Domain.ContentCategories + description: The Umbrella content category or categories that match this domain + type: string +- contextPath: Domain.Malicious.Description + description: For malicious domains, the reason for the vendor to make the decision + type: string +- contextPath: Domain.CreationDate + description: The date on which the domain was created. + type: string +- contextPath: Domain.DomainStatus + description: The status of the domain. + type: string +- contextPath: Domain.UpdatedDate + description: The date on which the domain was last updated. + type: string +- contextPath: Domain.ExpirationDate + description: The expiration date of the domain. + type: string +- contextPath: Domain.Umbrella.RiskScore + description: The status will be "-1" if the domain is believed to be malicious, + "1" if the domain is believed to be benign, "0" if it hasn't been classified yet. + type: string +- contextPath: Domain.Umbrella.SecureRankΒ  + description: Suspicious rank for a domain that reviews based on the lookup behavior + of client IP for the domain. Securerank is designed to identify hostnames requested + by known infected clients but never requested by clean clients, assuming these + domains are more likely to be bad. Scores returned range from -100 (suspicious) + to 100 (benign). Note, this parameter is deprecated by the API, and will be equal + to 0. + type: string +- contextPath: Domain.Umbrella.FirstQueriedTime + description: The time when the attribution for this Domain was made. + type: string +- contextPath: Domain.Umbrella.ContentCategories + description: The Umbrella content category or categories that match this domain. + If none of them match, the return will be blank. + type: string +- contextPath: Domain.Umbrella.MalwareCategories + description: The Umbrella security category, or categories, that match this domain + or that this domain is associated with. If none match, the return will be blank. + type: string +- contextPath: DBotScore.Vendor + description: The vendor used to calculate the score. + type: string +- contextPath: Domain.Admin.Country + description: The country of the domain administrator. + type: string +- contextPath: Domain.Admin.Email + description: The email address of the domain administrator. + type: string +- contextPath: Domain.Admin.Name + description: The name of the domain administrator. + type: string +- contextPath: Domain.Admin.Phone + description: The phone number of the domain administrator. + type: string +- contextPath: Domain.Registrant.Country + description: The country of the registrant. + type: string +- contextPath: Domain.Registrant.Email + description: The email address of the registrant. + type: string +- contextPath: Domain.Registrant.Name + description: The name of the registrant. + type: string +- contextPath: Domain.Registrant.Phone + description: The phone number of the registrant. + type: string +- contextPath: Domain.Registrar.Name + description: The name of the registrar, such as "GoDaddy". + type: string +sourceplaybookid: Domain Enrichment - Generic v2 +starttaskid: "0" +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "16" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 3f6b8522-c653-4608-800d-f7da232392fb + iscommand: false + name: "" + version: -1 + taskid: 3f6b8522-c653-4608-800d-f7da232392fb + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 54.75, + "y": 50 + } + } + "16": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.Domain + operator: isExists + right: + value: {} + label: "yes" + continueonerrortype: "" + id: "16" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "24" + "yes": + - "33" + - "32" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks whether the playbook's input contains at least one domain + name to enrich. + id: 86e8324e-34fa-4726-8cc0-2f61e6de5395 + iscommand: false + name: Is there a domain to enrich? + type: condition + version: -1 + taskid: 86e8324e-34fa-4726-8cc0-2f61e6de5395 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 54.75, + "y": 210 + } + } + "24": + continueonerrortype: "" + id: "24" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: f6da103d-6baa-4afb-8b7d-65740714dcf2 + iscommand: false + name: Done + type: title + version: -1 + taskid: f6da103d-6baa-4afb-8b7d-65740714dcf2 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 50, + "y": 885 + } + } + "29": + continueonerror: true + continueonerrortype: errorPath + id: "29" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "36" + '#none#': + - "24" + note: false + quietmode: 0 + reputationcalc: 1 + scriptarguments: + domain: + complex: + root: inputs.Domain + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Gets the category of the domain as found in Cisco Umbrella Investigation + records. + id: ce6ae1a5-a542-43ee-8fea-2bfa5b7c5f0e + iscommand: true + name: Get domain category + script: '|||umbrella-domain-categorization' + type: regular + version: -1 + taskid: ce6ae1a5-a542-43ee-8fea-2bfa5b7c5f0e + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 340.5, + "y": 710 + } + } + "30": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: brand + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: modules.brand + operator: isEqualString + right: + value: + simple: Cisco Umbrella Investigate + - - ignorecase: true + left: + iscontext: true + value: + simple: modules.state + operator: isEqualString + right: + value: + simple: active + root: modules + operator: isExists + right: + value: {} + label: "yes" + continueonerrortype: "" + id: "30" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "24" + "yes": + - "29" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks if there is an active instance of the Cisco Umbrella Investigate + integration enabled. + id: ec9764d9-3eea-44d8-8da7-538766ac0670 + iscommand: false + name: Is Cisco Umbrella Investigate enabled? + type: condition + version: -1 + taskid: ec9764d9-3eea-44d8-8da7-538766ac0670 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 95.25, + "y": 540 + } + } + "32": + continueonerrortype: "" + id: "32" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "34" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 230be3d0-b15b-446e-8e9e-5eaf8aa47c2b + iscommand: false + name: Domain Reputation + type: title + version: -1 + taskid: 230be3d0-b15b-446e-8e9e-5eaf8aa47c2b + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 781, + "y": 380 + } + } + "33": + continueonerrortype: "" + id: "33" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "30" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 1dd7328d-b062-4a7c-8b80-55acc42bb92b + iscommand: false + name: Cisco Umbrella enrichment + type: title + version: -1 + taskid: 1dd7328d-b062-4a7c-8b80-55acc42bb92b + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 95.25, + "y": 380 + } + } + "34": + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + root: inputs.UseReputationCommand + operator: isEqualString + right: + value: + simple: "True" + label: "yes" + continueonerrortype: "" + id: "34" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "24" + "yes": + - "35" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Check whether to run domain reputation command. + id: 5b429a1c-ec97-4f6a-877b-0e5dbff30e9f + iscommand: false + name: Should use !domain command? + type: condition + version: -1 + taskid: 5b429a1c-ec97-4f6a-877b-0e5dbff30e9f + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 781, + "y": 540 + } + } + "35": + continueonerror: true + continueonerrortype: errorPath + id: "35" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "36" + '#none#': + - "24" + note: false + quietmode: 0 + scriptarguments: + domain: + complex: + root: inputs.Domain + separatecontext: false + skipunavailable: true + task: + brand: "" + description: Checks the reputation of a domain. + id: d7e35314-a3b5-4bc3-ac5f-e71e00facd74 + iscommand: true + name: Check Reputation + script: '|||domain' + type: regular + version: -1 + taskid: d7e35314-a3b5-4bc3-ac5f-e71e00facd74 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 926.25, + "y": 710 + } + } + "36": + continueonerrortype: "" + id: "36" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" + iscommand: false + max: 100 + wait: 1 + note: false + quietmode: 0 + separatecontext: true + skipunavailable: true + task: + brand: "" + id: 1a30ec18-e26d-4c55-96a0-9accdc422fb5 + iscommand: false + name: Foundation - Upon Trigger + playbookId: Foundation - Upon Trigger + type: playbook + version: -1 + taskid: 1a30ec18-e26d-4c55-96a0-9accdc422fb5 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 976.25, + "y": 880 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": { + "16_24_#default#": 0.13, + "30_24_#default#": 0.43, + "30_29_yes": 0.5, + "34_24_#default#": 0.41, + "34_35_yes": 0.47 + }, + "paper": { + "dimensions": { + "height": 900, + "width": 1307.25, + "x": 50, + "y": 50 + } + } + } +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Email_Address_Enrichment_-_Generic_v2.1.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Email_Address_Enrichment_-_Generic_v2.1.yml new file mode 100644 index 0000000..eafdecb --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Email_Address_Enrichment_-_Generic_v2.1.yml @@ -0,0 +1,1069 @@ +adopted: true +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 5.0.0 + isoverridable: false + itemVersion: 2.7.15 + packID: "" + packName: Common Playbooks + prevname: "" + supportedModules: + - X1 + - X3 + - X5 + - ENT_PLUS + - agentix + toServerVersion: "" +description: |- + Enrich email addresses. + - Get information from Active Directory for internal addresses + - Get the domain-squatting reputation for external addresses + - Email address reputation using !email command. +id: 'SOC Email Address Enrichment - Generic v2.1_V3' +inputs: +- description: A CSV list of internal domains. The list will be used to determine + whether an email address is internal or external. + key: InternalDomains + playbookInputQuery: + required: false + value: {} +- description: The email addresses to enrich. + key: Email + playbookInputQuery: + required: false + value: + complex: + accessor: Email.Address + root: Account + transformers: + - operator: uniq +- description: The domains associated with the incident. These domains will be checked + for domain-squatting. + key: Domain + playbookInputQuery: + required: false + value: {} +- description: |- + Define if you would like to use the !email command. + Note: This input should be used whenever there is no auto-extract enabled in the investigation flow. + Possible values: True / False. + The default value is false. + key: UseReputationCommand + playbookInputQuery: + required: true + value: + simple: "False" +name: SOC Email Address Enrichment - Generic v2.1_V3 +outputs: +- contextPath: Account + description: The Account object. + type: unknown +- contextPath: Account.Email.NetworkType + description: The email account NetworkType (Internal/External). + type: string +- contextPath: Account.Email.Distance.Domain + description: The compared domain. + type: string +- contextPath: Account.Email.Distance.Value + description: 'The distance between the email domain and the compared domain. ' + type: number +- contextPath: DBotScore + description: The DBotScore object. + type: unknown +- contextPath: Account.Email.Username + description: The Email account username. + type: string +- contextPath: Account.Email.Domain + description: The Email account domain. + type: string +- contextPath: ActiveDirectory.Users.dn + description: The user distinguished name. +- contextPath: ActiveDirectory.Users.displayName + description: The user display name. +- contextPath: ActiveDirectory.Users.name + description: The user common name. +- contextPath: ActiveDirectory.Users.sAMAccountName + description: The user sAMAccountName. +- contextPath: ActiveDirectory.Users.userAccountControl + description: The user account control flag. +- contextPath: ActiveDirectory.Users.manager + description: The manager of the user. +- contextPath: ActiveDirectory.Users.memberOf + description: Groups in which the user is a member. +- contextPath: ActiveDirectory.Users.userAccountControlFields.SCRIPT + description: Whether the login script is run. Works for *Windows Server 2012 R2*. +- contextPath: ActiveDirectory.Users.userAccountControlFields.ACCOUNTDISABLE + description: Whether the user account is disabled. Works for *Windows Server 2012 + R2*. +- contextPath: ActiveDirectory.Users.userAccountControlFields.HOMEDIR_REQUIRED + description: Whether the home folder is required. Works for *Windows Server 2012 + R2*. +- contextPath: ActiveDirectory.Users.userAccountControlFields.LOCKOUT + description: Whether the user is locked out. Works for *Windows Server 2012 R2*. +- contextPath: ActiveDirectory.Users.userAccountControlFields.PASSWD_NOTREQD + description: Whether the password is required. Works for *Windows Server 2012 R2*. +- contextPath: ActiveDirectory.Users.userAccountControlFields.PASSWD_CANT_CHANGE + description: Whether the user can change the password. Works for *Windows Server + 2012 R2*. +- contextPath: ActiveDirectory.Users.userAccountControlFields.ENCRYPTED_TEXT_PWD_ALLOWED + description: Whether the user can send an encrypted password. Works for *Windows + Server 2012 R2*. +- contextPath: ActiveDirectory.Users.userAccountControlFields.TEMP_DUPLICATE_ACCOUNT + description: Whether this is an account for users whose primary account is in another + domain. Works for *Windows Server 2012 R2*. +- contextPath: ActiveDirectory.Users.userAccountControlFields.NORMAL_ACCOUNT + description: Whether this is a default account type that represents a typical user. + Works for *Windows Server 2012 R2*. +- contextPath: ActiveDirectory.Users.userAccountControlFields.INTERDOMAIN_TRUST_ACCOUNT + description: Whether the account is permitted to trust a system domain that trusts + other domains. Works for *Windows Server 2012 R2*. +- contextPath: ActiveDirectory.Users.userAccountControlFields.WORKSTATION_TRUST_ACCOUNT + description: Whether this is a computer account for a computer running Microsoft + Windows NT 4.0 Workstation, Microsoft Windows NT 4.0 Server, Microsoft Windows + 2000 Professional, or Windows 2000 Server and is a member of this domain. +- contextPath: ActiveDirectory.Users.userAccountControlFields.SERVER_TRUST_ACCOUNT + description: Whether this is a computer account for a domain controller that is + a member of this domain. Works for *Windows Server 2012 R2*. +- contextPath: ActiveDirectory.Users.userAccountControlFields.DONT_EXPIRE_PASSWORD + description: Whether to never expire the password on the account. +- contextPath: ActiveDirectory.Users.userAccountControlFields.MNS_LOGON_ACCOUNT + description: Whether this is an MNS login account. +- contextPath: ActiveDirectory.Users.userAccountControlFields.SMARTCARD_REQUIRED + description: Whether to force the user to log in by using a smart card. +- contextPath: ActiveDirectory.Users.userAccountControlFields.TRUSTED_FOR_DELEGATION + description: Whether the service account (the user or computer account) under which + a service runs is trusted for Kerberos delegation. +- contextPath: ActiveDirectory.Users.userAccountControlFields.NOT_DELEGATED + description: Whether the security context of the user isn't delegated to a service + even if the service account is set as trusted for Kerberos delegation. +- contextPath: ActiveDirectory.Users.userAccountControlFields.USE_DES_KEY_ONLY + description: Whether to restrict this principal to use only Data Encryption Standard + (DES) encryption types for keys. +- contextPath: ActiveDirectory.Users.userAccountControlFields.DONT_REQ_PREAUTH + description: Whether this account require Kerberos pre-authentication for logging + on. +- contextPath: ActiveDirectory.Users.userAccountControlFields.PASSWORD_EXPIRED + description: Whether the user password expired. +- contextPath: ActiveDirectory.Users.userAccountControlFields.TRUSTED_TO_AUTH_FOR_DELEGATION + description: Whether the account is enabled for delegation. +- contextPath: ActiveDirectory.Users.userAccountControlFields.PARTIAL_SECRETS_ACCOUNT + description: Whether the account is a read-only domain controller (RODC). +- contextPath: ActiveDirectory.UsersPageCookie + description: An opaque string received in a paged search, used for requesting subsequent + entries. +- contextPath: Account.DisplayName + description: The user display name. +- contextPath: Account.Groups + description: Groups for which the user is a member. +- contextPath: Account.Manager + description: The user manager. +- contextPath: Account.ID + description: The user distinguished name. +- contextPath: Account.Username + description: The user samAccountName. +- contextPath: Account.Email + description: The user email address. +- contextPath: ActiveDirectory.Users.mail + description: The user email address. +- contextPath: Account.Email.Address + description: The Email account full address. + type: string +- contextPath: Account.Email.Distance + description: The email address distance compare to the domains in query. + type: number +- contextPath: DBotScore.Indicator + description: The Indicator. + type: string +- contextPath: DBotScore.Type + description: The Indicator Type. + type: string +- contextPath: DBotScore.Vendor + description: The DBot score vendor. + type: string +- contextPath: DBotScore.Score + description: The DBot score. + type: number +- contextPath: DBotScore.Reliability + description: The actual score. +- contextPath: Email.Relationships.EntityA + description: The source of the relationship. +- contextPath: Email.Relationships.EntityB + description: The destination of the relationship. +- contextPath: Email.Relationships.Relationship + description: The name of the relationship. +- contextPath: Email.Relationships.EntityAType + description: The type of the source of the relationship. +- contextPath: Email.Relationships.EntityBType + description: The type of the destination of the relationship. +- contextPath: EWS.ResolvedNames + description: EWS resolved name primary key output. + type: unknown +- contextPath: EWS.ResolvedNames.email_address + description: The primary SMTP address of a mailbox user. +- contextPath: EWS.ResolvedNames.mailbox_type + description: The type of mailbox that is represented by the email address. +- contextPath: EWS.ResolvedNames.name + description: The name of a mailbox user. +- contextPath: EWS.ResolvedNames.routing_type + description: The address type for the mailbox. +sourceplaybookid: Email Address Enrichment - Generic v2.1 +starttaskid: "0" +tags: +- SOC +- SOC_Framework +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "5" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 22a55a7c-c942-4d12-84fb-76bce3695b83 + iscommand: false + name: "" + playbooktaskmissingcomponent: + version: -1 + taskid: 22a55a7c-c942-4d12-84fb-76bce3695b83 + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 497.5, + "y": 120 + } + } + "4": + continueonerrortype: "" + id: "4" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + scriptarguments: + query: + simple: entry.contents:${Account.Username} + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 8970ccc7-3ca4-4f5a-879e-f9d0c07c3e5b + iscommand: false + name: Done + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 8970ccc7-3ca4-4f5a-879e-f9d0c07c3e5b + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 497.5, + "y": 1470 + } + } + "5": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.Email + operator: isNotEmpty + label: "yes" + continueonerrortype: "" + id: "5" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "20" + "yes": + - "9" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Determines whether the playbook's input contains at least one email + address. + id: dce4e3b8-0986-4a8c-8436-0602977d9f8c + iscommand: false + name: Are there email addresses to check? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: dce4e3b8-0986-4a8c-8436-0602977d9f8c + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 497.5, + "y": 250 + } + } + "9": + continueonerror: true + continueonerrortype: errorPath + id: "9" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "25" + '#none#': + - "13" + - "14" + note: false + quietmode: 0 + reputationcalc: 1 + scriptarguments: + domain: + complex: + root: inputs.InternalDomains + transformers: + - operator: uniq + email: + complex: + filters: + - - left: + iscontext: true + value: + simple: inputs.Email + operator: isNotEmpty + root: inputs.Email + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Adds a NetworkType attribute to all email addresses. The NetworkType + attribute determines whether the email address is an internal or external + email address, according to the domains that were passed as arguments to this + playbook. + id: e9c8194c-496a-4b3b-9a08-23d0b4844dc4 + iscommand: false + name: Classify email addresses as internal or external + playbooktaskmissingcomponent: + script: IsEmailAddressInternal + type: regular + version: -1 + taskid: e9c8194c-496a-4b3b-9a08-23d0b4844dc4 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 497.5, + "y": 450 + } + } + "10": + continueonerrortype: "" + id: "10" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "17" + - "23" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 1a9686bb-e22f-46a7-8f5e-adf7acffdf3b + iscommand: false + name: Internal + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 1a9686bb-e22f-46a7-8f5e-adf7acffdf3b + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 22.5, + "y": 790 + } + } + "11": + continueonerrortype: "" + id: "11" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "18" + - "21" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 7874c1a7-0bae-43cc-8f13-9234c337f491 + iscommand: false + name: External + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 7874c1a7-0bae-43cc-8f13-9234c337f491 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 950, + "y": 790 + } + } + "12": + continueonerror: true + continueonerrortype: errorPath + id: "12" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "25" + '#none#': + - "4" + note: false + quietmode: 0 + reputationcalc: 1 + scriptarguments: + email: + complex: + accessor: Address + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: Account.Email.NetworkType + operator: isEqualString + right: + value: + simple: Internal + root: Account.Email + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Uses Active Directory to get user information for internal email + addresses. + id: 7b02649a-5b72-4b6e-a00a-cb054523e36e + iscommand: true + name: Get email address info from Active Directory + playbooktaskmissingcomponent: + script: '|||ad-get-user' + type: regular + version: -1 + taskid: 7b02649a-5b72-4b6e-a00a-cb054523e36e + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 222.5, + "y": 1135 + } + } + "13": + continueonerrortype: "" + id: "13" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "4" + "yes": + - "11" + note: false + quietmode: 0 + scriptarguments: + value: + complex: + accessor: Email + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: Account.Email.NetworkType + operator: isEqualString + right: + value: + simple: External + root: Account + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks whether there are email addresses with a NetworkType attribute + value of "External". + id: 4dbbbdb8-0102-445f-8fc3-d3ed70c32aa3 + iscommand: false + name: Are there any external email addresses? + playbooktaskmissingcomponent: + script: Exists + type: condition + version: -1 + taskid: 4dbbbdb8-0102-445f-8fc3-d3ed70c32aa3 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 710.5, + "y": 620 + } + } + "14": + continueonerrortype: "" + id: "14" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "4" + "yes": + - "10" + note: false + quietmode: 0 + scriptarguments: + value: + complex: + accessor: Email + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: Account.Email.NetworkType + operator: isEqualString + right: + value: + simple: Internal + root: Account + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks whether there are email addresses with a NetworkType attribute + value of "Internal". + id: 4bb4197a-cd13-41a6-8882-b8e6c51312c3 + iscommand: false + name: Are there any internal email addresses? + playbooktaskmissingcomponent: + script: Exists + type: condition + version: -1 + taskid: 4bb4197a-cd13-41a6-8882-b8e6c51312c3 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 292.5, + "y": 620 + } + } + "15": + continueonerror: true + continueonerrortype: errorPath + id: "15" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "25" + '#none#': + - "4" + note: false + quietmode: 0 + reputationcalc: 1 + scriptarguments: + domain: + complex: + filters: + - - left: + iscontext: true + value: + simple: inputs.Domain + operator: isNotEmpty + root: inputs.Domain + transformers: + - operator: uniq + email: + complex: + accessor: Email + filters: + - - left: + iscontext: true + value: + simple: Account.Email.Address + operator: isNotEmpty + root: Account + transformers: + - args: + equalTo: + value: + simple: External + field: + value: + simple: NetworkType + getField: + value: + simple: Address + stringify: + value: + simple: "false" + operator: WhereFieldEquals + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks if an email address's domain is trying to squat other domains + using Levenshtein distance algorithm. + id: 4a1b521d-2b1a-44a3-bdb1-c65c3f1e52d6 + iscommand: false + name: Check email addresses for domain-squatting + playbooktaskmissingcomponent: + script: EmailDomainSquattingReputation + type: regular + version: -1 + taskid: 4a1b521d-2b1a-44a3-bdb1-c65c3f1e52d6 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 750.5, + "y": 1135 + } + } + "17": + continueonerrortype: "" + id: "17" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "4" + "yes": + - "12" + note: false + quietmode: 0 + scriptarguments: + value: + complex: + accessor: brand + filters: + - - left: + iscontext: true + value: + simple: modules.brand + operator: isEqualString + right: + value: + simple: Active Directory Query v2 + - - left: + iscontext: true + value: + simple: modules.state + operator: isEqualString + right: + value: + simple: active + root: modules + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks if there's an active instance of the Active Directory Query + v2 integration enabled. + id: bc59d675-c18d-44ac-878f-bdc8dc7c578e + iscommand: false + name: Is Active Directory Query v2 enabled? + playbooktaskmissingcomponent: + script: Exists + type: condition + version: -1 + taskid: bc59d675-c18d-44ac-878f-bdc8dc7c578e + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 222.5, + "y": 930 + } + } + "18": + continueonerrortype: "" + id: "18" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "4" + "yes": + - "15" + note: false + quietmode: 0 + scriptarguments: + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: inputs.Domain + operator: isNotEmpty + root: inputs.Domain + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks if there is at least one domain to check for domain-squatting. + id: 82034885-dcb2-4c4a-8fa7-1c1514c27e46 + iscommand: false + name: Is there a domain list input? + playbooktaskmissingcomponent: + script: Exists + type: condition + version: -1 + taskid: 82034885-dcb2-4c4a-8fa7-1c1514c27e46 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 750.5, + "y": 930 + } + } + "20": + continueonerrortype: "" + id: "20" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "4" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 358de9fa-efe5-47c2-801f-7c85db0d408b + iscommand: false + name: No Email Addresses + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 358de9fa-efe5-47c2-801f-7c85db0d408b + timertriggers: [] + type: title + view: |- + { + "position": { + "x": -400, + "y": 465 + } + } + "21": + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + root: inputs.UseReputationCommand + operator: isEqualString + right: + value: + simple: "True" + label: "yes" + continueonerrortype: "" + id: "21" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "4" + "yes": + - "22" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Check if should run email address reputation command + id: 047c804f-cc74-4eb3-8ea5-7776e5827088 + iscommand: false + name: Should use !email command? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 047c804f-cc74-4eb3-8ea5-7776e5827088 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 1150, + "y": 930 + } + } + "22": + continueonerror: true + continueonerrortype: errorPath + id: "22" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "25" + '#none#': + - "4" + note: false + quietmode: 0 + scriptarguments: + email: + complex: + accessor: Address + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: Account.Email.NetworkType + operator: isEqualString + right: + value: + simple: External + root: Account.Email + transformers: + - operator: uniq + separatecontext: false + skipunavailable: true + task: + brand: "" + description: Checks if an email address was compromised. + id: f9bd1a98-a377-42ff-9b44-beb648ba83fd + iscommand: true + name: Check Reputation + playbooktaskmissingcomponent: + script: '|||email' + type: regular + version: -1 + taskid: f9bd1a98-a377-42ff-9b44-beb648ba83fd + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1160, + "y": 1135 + } + } + "23": + continueonerrortype: "" + id: "23" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "4" + "yes": + - "24" + note: false + quietmode: 0 + scriptarguments: + brandname: + simple: EWS v2 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no'. + id: 766c0f6c-feff-49af-8bfd-62574133e61c + iscommand: false + name: Is EWS v2 enabled? + playbooktaskmissingcomponent: + script: IsIntegrationAvailable + type: condition + version: -1 + taskid: 766c0f6c-feff-49af-8bfd-62574133e61c + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": -180, + "y": 930 + } + } + "24": + continueonerror: true + continueonerrortype: errorPath + fieldMapping: + - incidentfield: Additional Email Addresses + output: + simple: ${EWS.ResolvedNames.email_address} + id: "24" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "25" + '#none#': + - "4" + note: false + quietmode: 0 + scriptarguments: + full-contact-data: + simple: "False" + identifier: + complex: + accessor: Address + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: Account.Email.NetworkType + operator: isEqualString + right: + value: + simple: Internal + root: Account.Email + transformers: + - operator: uniq + separatecontext: false + skipunavailable: true + task: + brand: EWS v2 + description: This operation verifies aliases and matches display names to the + correct mailbox user. It handles one ambiguous name at a time. If there are + multiple potential matches, all will be returned, but limited to a maximum + of 100 candidates. + id: 87d44412-38b6-4931-921f-851c0d88f6c7 + iscommand: true + name: Get full contact info + playbooktaskmissingcomponent: + script: EWS v2|||ews-resolve-name + type: regular + version: -1 + taskid: 87d44412-38b6-4931-921f-851c0d88f6c7 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": -180, + "y": 1135 + } + } + "25": + continueonerrortype: "" + id: "25" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: 2894fb80-c79e-44d2-8bb8-1a9a9e89e728 + iscommand: false + name: Foundation - Foundation - Error Handling_V3 + playbookId: Foundation - Foundation - Error Handling_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: 2894fb80-c79e-44d2-8bb8-1a9a9e89e728 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 960, + "y": 1465 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": { + "13_11_yes": 0.64, + "13_4_#default#": 0.25, + "14_10_yes": 0.65, + "14_4_#default#": 0.17, + "17_4_#default#": 0.55, + "18_4_#default#": 0.25, + "21_4_#default#": 0.13, + "5_20_#default#": 0.35 + }, + "paper": { + "dimensions": { + "height": 1415, + "width": 1940, + "x": -400, + "y": 120 + } + } + } +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Endpoint_Enrichment_-_Cylance_Protect_v2.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Endpoint_Enrichment_-_Cylance_Protect_v2.yml new file mode 100644 index 0000000..aa9e400 --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Endpoint_Enrichment_-_Cylance_Protect_v2.yml @@ -0,0 +1,415 @@ +adopted: true +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 5.0.0 + isoverridable: false + itemVersion: 1.1.41 + packID: "" + packName: Cylance Protect + prevname: "" + supportedModules: [] + toServerVersion: "" +description: Enriches endpoints using the Cylance Protect v2 integration. +dirtyInputs: true +id: 'SOC Endpoint Enrichment - Cylance Protect v2_V3' +inputSections: +- description: Generic group for inputs + inputs: + - Hostname + name: General (Inputs group) +inputs: +- description: The hostname to enrich. + key: Hostname + playbookInputQuery: + required: false + value: + complex: + root: inputs.Hostname + transformers: + - operator: uniq +name: SOC Endpoint Enrichment - Cylance Protect v2_V3 +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: + - CylanceProtectDevice +outputs: +- contextPath: CylanceProtectDevice + description: The device information about the hostname that was enriched. + type: unknown +sourceplaybookid: Endpoint Enrichment - Cylance Protect v2 +starttaskid: "0" +tags: +- SOC +- SOC_Framework +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "1" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 1635626d-e92f-49c7-85a7-b4d1632d1e38 + iscommand: false + name: "" + playbooktaskmissingcomponent: + version: -1 + taskid: 1635626d-e92f-49c7-85a7-b4d1632d1e38 + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 450, + "y": 50 + } + } + "1": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: brand + operator: isEqualString + right: + value: + simple: Cylance Protect v2 + - - left: + iscontext: true + value: + simple: state + operator: isEqualString + right: + value: + simple: active + root: modules + operator: isExists + label: "yes" + continueonerrortype: "" + id: "1" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "6" + "yes": + - "2" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks if there is an active instance of the Cylance Protect v2 + integration enabled. + id: 50264655-eac1-4439-809b-32f93a19c825 + iscommand: false + name: Is Cylance Protect v2 enabled? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 50264655-eac1-4439-809b-32f93a19c825 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 450, + "y": 190 + } + } + "2": + continueonerror: true + continueonerrortype: errorPath + id: "2" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "7" + '#none#': + - "4" + note: false + quietmode: 0 + reputationcalc: 1 + separatecontext: false + skipunavailable: false + task: + brand: Cylance Protect v2 + description: Gets information about all devices that are available in Cylance + Protect. + id: 528d8f5d-cf61-4bc1-b4cc-75887b25ea8d + iscommand: true + name: Get all Cylance Protect devices + playbooktaskmissingcomponent: + script: Cylance Protect v2|||cylance-protect-get-devices + type: regular + version: -1 + taskid: 528d8f5d-cf61-4bc1-b4cc-75887b25ea8d + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 450, + "y": 370 + } + } + "3": + continueonerrortype: "" + id: "3" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "6" + note: false + quietmode: 0 + reputationcalc: 1 + scriptarguments: + key: + simple: CylanceProtectDevice + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: CylanceProtectAllDevices.Hostname + operator: in + right: + iscontext: true + value: + simple: inputs.Hostname + - - left: + iscontext: true + value: + simple: CylanceProtectAllDevices + operator: isNotEmpty + root: CylanceProtectAllDevices + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: Cylance Protect v2 + description: Sets the device that was enriched in another context key. That + key will contain only the device that was enriched using the provided hostname, + and will be the output of the playbook. + id: ec7a9e06-60d0-4c25-8ed4-1cb9d0fe92f6 + iscommand: false + name: Set enriched device details + playbooktaskmissingcomponent: + script: Set + type: regular + version: -1 + taskid: ec7a9e06-60d0-4c25-8ed4-1cb9d0fe92f6 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 450, + "y": 890 + } + } + "4": + continueonerrortype: "" + id: "4" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "5" + note: false + quietmode: 0 + reputationcalc: 1 + scriptarguments: + key: + simple: CylanceProtectAllDevices + value: + complex: + accessor: Device + filters: + - - left: + iscontext: true + value: + simple: CylanceProtect.Device + operator: isNotEmpty + root: CylanceProtect + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Sets the devices in another context key - "CylanceProtectAllDevices". + Setting them under that key ensures proper filtering in the next tasks. + id: 83e2be36-d5ef-43df-80b3-c77e95e19780 + iscommand: false + name: Set device list + playbooktaskmissingcomponent: + script: Set + type: regular + version: -1 + taskid: 83e2be36-d5ef-43df-80b3-c77e95e19780 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 450, + "y": 540 + } + } + "5": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: CylanceProtectAllDevices.Hostname + operator: in + right: + iscontext: true + value: + simple: inputs.Hostname + root: CylanceProtectAllDevices + transformers: + - operator: uniq + operator: isExists + label: "yes" + continueonerrortype: "" + id: "5" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "6" + "yes": + - "3" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks whether any of the hostnames for enrichment were enriched + using Cylance Protect v2. + id: 8a61ee6d-786a-4ec3-8f9e-fe49f90c1930 + iscommand: false + name: Was a device found? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 8a61ee6d-786a-4ec3-8f9e-fe49f90c1930 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 450, + "y": 700 + } + } + "6": + continueonerrortype: "" + id: "6" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 3849ea50-af6b-4ce4-8c43-c76f660fa7f6 + iscommand: false + name: Done + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 3849ea50-af6b-4ce4-8c43-c76f660fa7f6 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 450, + "y": 1070 + } + } + "7": + continueonerrortype: "" + id: "7" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: 23787797-71ae-4d5d-897c-cda6c152c2dd + iscommand: false + name: Foundation - Foundation - Error Handling_V3 + playbookId: Foundation - Foundation - Error Handling_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: 23787797-71ae-4d5d-897c-cda6c152c2dd + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 950, + "y": 1065 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": { + "1_2_yes": 0.57, + "1_6_#default#": 0.34, + "5_3_yes": 0.54 + }, + "paper": { + "dimensions": { + "height": 1085, + "width": 880, + "x": 450, + "y": 50 + } + } + } +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Endpoint_Enrichment_-_Generic_v2.1.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Endpoint_Enrichment_-_Generic_v2.1.yml new file mode 100644 index 0000000..1c3a475 --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Endpoint_Enrichment_-_Generic_v2.1.yml @@ -0,0 +1,2368 @@ +id: SOC Endpoint Enrichment - Generic v2.1_V3 +version: 7 +contentitemexportablefields: + contentitemfields: + packID: soc-common-playbooks + packName: SOC Common Playbooks + itemVersion: 2.7.40 + fromServerVersion: 5.0.0 + toServerVersion: "" + definitionid: "" + prevname: "" + isoverridable: false + supportedModules: + - X1 + - X3 + - X5 + - ENT_PLUS + - agentix +vcShouldKeepItemLegacyProdMachine: false +name: SOC Endpoint Enrichment - Generic v2.1_V3 +description: |- + Enrich an endpoint by hostname using one or more integrations. + Supported integrations: + - Active Directory Query v2 + - McAfee ePO v2 + - VMware Carbon Black EDR v2 + - Cylance Protect v2 + - CrowdStrike Falcon + - ExtraHop Reveal(x) + - Cortex XDR / Core (endpoint enrichment, reputation and risk) + - Endpoint reputation using !endpoint command. +tags: +- SOC +- SOC_Framework +starttaskid: "0" +tasks: + "0": + id: "0" + taskid: 29bcd70f-1953-4061-84ce-4cde781ad9f7 + type: start + task: + id: 29bcd70f-1953-4061-84ce-4cde781ad9f7 + version: -1 + name: "" + iscommand: false + brand: "" + playbooktaskmissingcomponent: + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "3" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 50, + "y": 80 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "1": + id: "1" + taskid: 54895e0d-9904-4e62-8f45-ebd0d17ad5c9 + type: title + task: + id: 54895e0d-9904-4e62-8f45-ebd0d17ad5c9 + version: -1 + name: Endpoint Products + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "16" + - "18" + - "20" + - "30" + - "40" + - "19" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1330, + "y": 410 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "3": + id: "3" + taskid: ddba13dd-92fc-47a3-8ffe-b849c626eb22 + type: condition + task: + id: ddba13dd-92fc-47a3-8ffe-b849c626eb22 + version: -1 + name: Is there an endpoint to enrich? + description: Checks whether there is at least one endpoint to enrich (by hostname). + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "4" + "yes": + - "24" + - "1" + - "35" + scriptarguments: + value: + simple: ${inputs.Hostname} + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: inputs.Hostname + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 50, + "y": 215 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "4": + id: "4" + taskid: ea90c16b-6985-4f28-816f-78608df3fe51 + type: title + task: + id: ea90c16b-6985-4f28-816f-78608df3fe51 + version: -1 + name: Done + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: + istaskmissingcomponenterrordismissed: false + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 50, + "y": 1115 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "8": + id: "8" + taskid: 9fa921fa-d196-40ba-8419-ed0c4f838ab8 + type: condition + task: + id: 9fa921fa-d196-40ba-8419-ed0c4f838ab8 + version: -1 + name: Is Carbon Black Enterprise Response enabled? + description: Checks if there is an active instance of the Carbon Black Enterprise + Response integration enabled. + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "4" + "yes": + - "9" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isEqualString + left: + value: + complex: + root: modules + filters: + - - operator: containsGeneral + left: + value: + simple: modules.brand + iscontext: true + right: + value: + simple: VMware Carbon Black EDR v2 + ignorecase: true + accessor: state + iscontext: true + right: + value: + simple: active + ignorecase: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 1220, + "y": 690 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "9": + id: "9" + taskid: 5e114375-db3d-4267-8f4d-0a411d4bb076 + type: regular + task: + id: 5e114375-db3d-4267-8f4d-0a411d4bb076 + version: -1 + name: Get host information from Carbon Black Enterprise Response + description: List the CarbonBlack sensors + script: '|||cb-edr-sensors-list' + type: regular + iscommand: true + brand: "" + playbooktaskmissingcomponent: + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "4" + scriptarguments: + hostname: + complex: + root: inputs.Hostname + transformers: + - operator: uniq + id: + complex: + root: inputs.EndpointID + transformers: + - operator: uniq + ip: + complex: + root: inputs.IPAddress + transformers: + - operator: uniq + reputationcalc: 1 + separatecontext: false + continueonerror: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 1410, + "y": 860 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "10": + id: "10" + taskid: 42f088e2-cb74-485a-8318-0dae68cde0f0 + type: condition + task: + id: 42f088e2-cb74-485a-8318-0dae68cde0f0 + version: -1 + name: Is CrowdStrike Falcon enabled? + description: Checks if there is an active instance of the CrowdStrike Falcon + Host integration enabled. + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "4" + "yes": + - "38" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isEqualString + left: + value: + complex: + root: modules + filters: + - - operator: isEqualString + left: + value: + simple: modules.brand + iscontext: true + right: + value: + simple: CrowdstrikeFalcon + ignorecase: true + accessor: state + iscontext: true + right: + value: + simple: active + ignorecase: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 2350, + "y": 690 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "16": + id: "16" + taskid: d9d617d9-2efd-466e-8ce7-190f8db83b95 + type: title + task: + id: d9d617d9-2efd-466e-8ce7-190f8db83b95 + version: -1 + name: McAfee ePolicy Orchestrator + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "33" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 690, + "y": 550 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "18": + id: "18" + taskid: 6cf08862-644d-479e-89ce-f9e173a8c562 + type: title + task: + id: 6cf08862-644d-479e-89ce-f9e173a8c562 + version: -1 + name: Carbon Black Enterprise Response + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "8" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1220, + "y": 550 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "19": + id: "19" + taskid: 471d3862-a05c-42b1-871d-c1faa2fbb7a9 + type: title + task: + id: 471d3862-a05c-42b1-871d-c1faa2fbb7a9 + version: -1 + name: Cylance Protect v2 + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "48" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 270, + "y": 550 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "20": + id: "20" + taskid: 5d371f29-3a4c-43c5-8f71-b383db2e5320 + type: title + task: + id: 5d371f29-3a4c-43c5-8f71-b383db2e5320 + version: -1 + name: CrowdStrike Falcon + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "10" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 2300, + "y": 550 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "22": + id: "22" + taskid: f7f190b9-5a39-4d8a-83a5-77d5a023f0d4 + type: condition + task: + id: f7f190b9-5a39-4d8a-83a5-77d5a023f0d4 + version: -1 + name: Is Active Directory Query v2 enabled? + description: Checks if there is an active instance of the Active Directory Query + v2 integration enabled. + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "4" + "yes": + - "23" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isExists + left: + value: + complex: + root: modules + filters: + - - operator: isEqualString + left: + value: + simple: brand + iscontext: true + right: + value: + simple: Active Directory Query v2 + - - operator: isEqualString + left: + value: + simple: state + iscontext: true + right: + value: + simple: active + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": -180, + "y": 690 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "23": + id: "23" + taskid: 8da54a09-4c7e-4a26-a5eb-6fbe51fbf3f0 + type: regular + task: + id: 8da54a09-4c7e-4a26-a5eb-6fbe51fbf3f0 + version: -1 + name: Get host information from Active Directory + description: Retrieves detailed information about a computer account. The computer + can be specified by name, email address, or as an Active Directory Distinguished + Name (DN). If no filters are provided, all computers are returned. + script: '|||ad-get-computer' + type: regular + iscommand: true + brand: "" + playbooktaskmissingcomponent: + istaskmissingcomponenterrordismissed: false + nexttasks: + '#error#': + - "49" + '#none#': + - "4" + scriptarguments: + name: + complex: + root: inputs.Hostname + transformers: + - operator: uniq + reputationcalc: 1 + separatecontext: false + continueonerror: true + continueonerrortype: errorPath + view: |- + { + "position": { + "x": -370, + "y": 860 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "24": + id: "24" + taskid: 9706cc39-d338-44cd-8ee1-efc5ea95b04d + type: title + task: + id: 9706cc39-d338-44cd-8ee1-efc5ea95b04d + version: -1 + name: Active Directory + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "22" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -180, + "y": 550 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "30": + id: "30" + taskid: ec344482-77f7-42b5-8ee4-34317afd1179 + type: title + task: + id: ec344482-77f7-42b5-8ee4-34317afd1179 + version: -1 + name: ExtraHop Reveal(x) + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "31" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1760, + "y": 550 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "31": + id: "31" + taskid: 58c8b4be-657c-45f6-8eca-5a01da85f1f3 + type: condition + task: + id: 58c8b4be-657c-45f6-8eca-5a01da85f1f3 + version: -1 + name: Is ExtraHop Reveal(x) enabled? + description: Checks if there is an active instance of the ExtraHop Reveal(x) + integration enabled. + scriptName: Exists + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "4" + "yes": + - "32" + scriptarguments: + value: + complex: + root: modules + filters: + - - operator: isEqualString + left: + value: + simple: brand + iscontext: true + right: + value: + simple: ExtraHop v2 + - - operator: isEqualString + left: + value: + simple: state + iscontext: true + right: + value: + simple: active + reputationcalc: 1 + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1760, + "y": 690 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "32": + id: "32" + taskid: 03a8e3c0-2469-41ee-97c8-b0c792be32ec + type: regular + task: + id: 03a8e3c0-2469-41ee-97c8-b0c792be32ec + version: -1 + name: Get host information from ExtraHop Reveal(x) + description: Search for devices in ExtraHop Reveal(x). + script: ExtraHop v2|||extrahop-devices-search + type: regular + iscommand: true + brand: ExtraHop v2 + playbooktaskmissingcomponent: + istaskmissingcomponenterrordismissed: false + nexttasks: + '#error#': + - "49" + '#none#': + - "4" + scriptarguments: + ip: + complex: + root: inputs.IPAddress + transformers: + - operator: uniq + name: + complex: + root: inputs.Hostname + transformers: + - operator: uniq + separatecontext: false + continueonerror: true + continueonerrortype: errorPath + view: |- + { + "position": { + "x": 1950, + "y": 860 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "33": + id: "33" + taskid: bf7d9316-446b-452b-843a-3e5a13b8b741 + type: condition + task: + id: bf7d9316-446b-452b-843a-3e5a13b8b741 + version: -1 + name: is Mcafee ePolicy Orchestrator v2 enabled + description: Checks if there is an active Mcafee ePolicy Orchestrator v2 integration + instance enabled. + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "4" + "yes": + - "34" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isEqualString + left: + value: + complex: + root: modules + filters: + - - operator: isExists + left: + value: + simple: modules.brand + iscontext: true + - - operator: isEqualString + left: + value: + simple: modules.state + iscontext: true + right: + value: + simple: active + accessor: brand + iscontext: true + right: + value: + simple: McAfee ePO v2 + continueonerrortype: "" + view: |- + { + "position": { + "x": 680, + "y": 690 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "34": + id: "34" + taskid: 8e881985-e5e1-4aec-ac66-0cbc1186879d + type: regular + task: + id: 8e881985-e5e1-4aec-ac66-0cbc1186879d + version: -1 + name: Get- host information from McAfee ePO v2 + description: Finds systems in the McAfee ePO system tree. + script: '|||epo-find-system' + type: regular + iscommand: true + brand: "" + playbooktaskmissingcomponent: + istaskmissingcomponenterrordismissed: false + nexttasks: + '#error#': + - "49" + '#none#': + - "4" + scriptarguments: + searchText: + complex: + root: inputs.Hostname + transformers: + - operator: uniq + verbose: + simple: "false" + separatecontext: false + continueonerror: true + continueonerrortype: errorPath + view: |- + { + "position": { + "x": 870, + "y": 860 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "35": + id: "35" + taskid: f2dbaff5-7c92-47ad-80cc-991bfd80ff98 + type: title + task: + id: f2dbaff5-7c92-47ad-80cc-991bfd80ff98 + version: -1 + name: Endpoint Reputation + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "36" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -730, + "y": 550 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "36": + id: "36" + taskid: 50fed99c-1eb9-4a6f-85d0-f9d5ee74bc5a + type: condition + task: + id: 50fed99c-1eb9-4a6f-85d0-f9d5ee74bc5a + version: -1 + name: Should use !endpoint command? + description: Check if should run endpoint reputation command + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "4" + "yes": + - "37" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.UseReputationCommand + iscontext: true + right: + value: + simple: "True" + ignorecase: true + continueonerrortype: "" + view: |- + { + "position": { + "x": -730, + "y": 690 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "37": + id: "37" + taskid: f8a264ea-5bb0-4a34-910b-7e0706f65f1f + type: regular + task: + id: f8a264ea-5bb0-4a34-910b-7e0706f65f1f + version: -1 + name: Check Reputation + description: Returns information about an endpoint. + script: '|||endpoint' + type: regular + iscommand: true + brand: "" + playbooktaskmissingcomponent: + istaskmissingcomponenterrordismissed: false + nexttasks: + '#error#': + - "49" + '#none#': + - "4" + scriptarguments: + hostname: + complex: + root: inputs.Hostname + transformers: + - operator: uniq + id: + complex: + root: inputs.EndpointID + transformers: + - operator: uniq + ip: + complex: + root: inputs.IPAddress + transformers: + - operator: uniq + separatecontext: false + continueonerror: true + continueonerrortype: errorPath + view: |- + { + "position": { + "x": -920, + "y": 860 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "38": + id: "38" + taskid: 97c2d94e-2a74-48d9-9404-8049e310925c + type: regular + task: + id: 97c2d94e-2a74-48d9-9404-8049e310925c + version: -1 + name: Crowdstrike Search device + description: Searches for a device that matches the query. + script: CrowdstrikeFalcon|||cs-falcon-search-device + type: regular + iscommand: true + brand: CrowdstrikeFalcon + playbooktaskmissingcomponent: + istaskmissingcomponenterrordismissed: false + nexttasks: + '#error#': + - "49" + '#none#': + - "4" + scriptarguments: + hostname: + complex: + root: inputs.Hostname + transformers: + - operator: uniq + ids: + complex: + root: inputs.EndpointID + transformers: + - operator: uniq + separatecontext: false + continueonerror: true + continueonerrortype: errorPath + view: |- + { + "position": { + "x": 2480, + "y": 860 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "39": + id: "39" + taskid: 284d5ea3-58c1-4a0f-87c4-5c395d75a65c + type: condition + task: + id: 284d5ea3-58c1-4a0f-87c4-5c395d75a65c + version: -1 + name: Is Cortex XDR enabled? + description: Checks if there is an active instance of the Cortex XDR integration + enabled. + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "4" + "yes": + - "41" + - "42" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isEqualString + left: + value: + complex: + root: modules + filters: + - - operator: isEqualString + left: + value: + simple: modules.brand + iscontext: true + right: + value: + simple: Cortex XDR - IR + ignorecase: true + accessor: state + iscontext: true + right: + value: + simple: active + ignorecase: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 2840, + "y": 690 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "40": + id: "40" + taskid: 12dd4de8-094d-4760-8284-22e212b5b76d + type: title + task: + id: 12dd4de8-094d-4760-8284-22e212b5b76d + version: -1 + name: Cortex XDR / Core IR + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "39" + - "43" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 3180, + "y": 550 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "41": + id: "41" + taskid: 28d5399e-9856-4c0e-ae6f-26790468a680 + type: regular + task: + id: 28d5399e-9856-4c0e-ae6f-26790468a680 + version: -1 + name: Cortex XDR Search device + description: Gets a list of endpoints, according to the passed filters. If there + are no filters, all endpoints are returned. Filtering by multiple fields will + be concatenated using AND condition (OR is not supported). Maximum result + set size is 100. Offset is the zero-based number of endpoint from the start + of the result set (start by counting from 0). + script: '|||xdr-get-endpoints' + type: regular + iscommand: true + brand: "" + playbooktaskmissingcomponent: + istaskmissingcomponenterrordismissed: false + nexttasks: + '#error#': + - "49" + '#none#': + - "4" + scriptarguments: + endpoint_id_list: + complex: + root: inputs.EndpointID + transformers: + - operator: uniq + hostname: + complex: + root: inputs.Hostname + transformers: + - operator: uniq + ip_list: + complex: + root: inputs.IPAddress + transformers: + - operator: uniq + separatecontext: false + continueonerror: true + continueonerrortype: errorPath + view: |- + { + "position": { + "x": 3030, + "y": 860 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "42": + id: "42" + taskid: 00b0ba80-bdc5-4012-8238-334800df9bbd + type: regular + task: + id: 00b0ba80-bdc5-4012-8238-334800df9bbd + version: -1 + name: Cortex XDR get endpoint risk score + description: Retrieve the risk score of a specific host or list of hosts with + the highest risk score in the environment along with the reason affecting + each score. + script: '|||xdr-list-risky-hosts' + type: regular + iscommand: true + brand: "" + playbooktaskmissingcomponent: + istaskmissingcomponenterrordismissed: false + nexttasks: + '#error#': + - "49" + '#none#': + - "4" + scriptarguments: + host_id: + complex: + root: inputs.Hostname + transformers: + - operator: uniq + separatecontext: false + continueonerror: true + continueonerrortype: errorPath + view: |- + { + "position": { + "x": 3420, + "y": 860 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "43": + id: "43" + taskid: adb8d36c-cdb3-4676-8d4a-da7fbc43188c + type: condition + task: + id: adb8d36c-cdb3-4676-8d4a-da7fbc43188c + version: -1 + name: Is Cortex Core - IR integration enabled? + description: Checks if there is an active instance of the Cortex Core integration + enabled. + scriptName: IsIntegrationAvailable + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "4" + "yes": + - "44" + - "45" + scriptarguments: + brandname: + simple: Cortex Core - IR + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 3780, + "y": 690 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "44": + id: "44" + taskid: 28ddac6d-c9fd-4997-9667-6bdd8538d69e + type: regular + task: + id: 28ddac6d-c9fd-4997-9667-6bdd8538d69e + version: -1 + name: Core IR Search device + description: Gets a list of endpoints, according to the passed filters. If there + are no filters, all endpoints are returned. Filtering by multiple fields will + be concatenated using AND condition (OR is not supported). Maximum result + set size is 100. Offset is the zero-based number of endpoint from the start + of the result set (start by counting from 0). + script: '|||core-get-endpoints' + type: regular + iscommand: true + brand: "" + playbooktaskmissingcomponent: + istaskmissingcomponenterrordismissed: false + nexttasks: + '#error#': + - "49" + '#none#': + - "4" + scriptarguments: + endpoint_id_list: + complex: + root: inputs.EndpointID + transformers: + - operator: uniq + hostname: + complex: + root: inputs.Hostname + transformers: + - operator: uniq + ip_list: + complex: + root: inputs.IPAddress + transformers: + - operator: uniq + separatecontext: false + continueonerror: true + continueonerrortype: errorPath + view: |- + { + "position": { + "x": 3970, + "y": 860 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "45": + id: "45" + taskid: e24e0b83-679a-4e52-828f-b3637fedd2c1 + type: regular + task: + id: e24e0b83-679a-4e52-828f-b3637fedd2c1 + version: -1 + name: Core IR get endpoint risk score + description: Retrieve the risk score of a specific host or list of hosts with + the highest risk score in the environment along with the reason affecting + each score. + script: '|||core-list-risky-hosts' + type: regular + iscommand: true + brand: "" + playbooktaskmissingcomponent: + istaskmissingcomponenterrordismissed: false + nexttasks: + '#error#': + - "49" + '#none#': + - "4" + scriptarguments: + host_id: + complex: + root: inputs.Hostname + transformers: + - operator: uniq + separatecontext: false + continueonerror: true + continueonerrortype: errorPath + view: |- + { + "position": { + "x": 4360, + "y": 860 + } + } + note: false + timertriggers: [] + ignoreworker: false + fieldMapping: + - incidentfield: Host Risk Level + output: + complex: + root: Core.RiskyHost + accessor: risk_level + - incidentfield: Host Risk Reasons + output: + complex: + root: Core.RiskyHost.reasons + accessor: description + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "48": + id: "48" + taskid: a311d42a-1d50-4464-8a6b-2babd00963a2 + type: playbook + task: + id: a311d42a-1d50-4464-8a6b-2babd00963a2 + version: -1 + name: SOC Endpoint Enrichment - Cylance Protect v2_V3 + playbookName: SOC Endpoint Enrichment - Cylance Protect v2_V3 + type: playbook + iscommand: false + brand: "" + playbooktaskmissingcomponent: + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "4" + separatecontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 270, + "y": 690 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "49": + id: "49" + taskid: 699918ad-f689-4054-8864-d2dae7a92fe5 + type: playbook + task: + id: 699918ad-f689-4054-8864-d2dae7a92fe5 + version: -1 + name: Foundation - Foundation - Foundation - Error Handling_V3 + playbookName: Foundation - Foundation - Foundation - Error Handling_V3 + type: playbook + iscommand: false + brand: "" + playbooktaskmissingcomponent: + istaskmissingcomponenterrordismissed: false + separatecontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 790, + "y": 1200 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false +system: true +view: |- + { + "linkLabelsPosition": { + "10_4_#default#": 0.1, + "22_23_yes": 0.43, + "22_4_#default#": 0.2, + "31_32_yes": 0.64, + "31_4_#default#": 0.1, + "33_34_yes": 0.64, + "33_4_#default#": 0.1, + "34_49_#error#": 0.9, + "36_37_yes": 0.49, + "36_4_#default#": 0.1, + "38_49_#error#": 0.89, + "39_4_#default#": 0.1, + "3_1_yes": 0.3, + "3_24_yes": 0.41, + "3_4_#default#": 0.12, + "43_4_#default#": 0.1, + "8_4_#default#": 0.1, + "8_9_yes": 0.62 + }, + "paper": { + "dimensions": { + "height": 1195, + "width": 5660, + "x": -920, + "y": 80 + } + } + } +inputs: +- key: Hostname + value: + complex: + root: Endpoint + accessor: Hostname + transformers: + - operator: uniq + required: false + description: The hostname of the endpoint to enrich. + playbookInputQuery: +- key: UseReputationCommand + value: + simple: "False" + required: true + description: |- + Define if you would like to use the !endpoint command. + Note: This input should be used whenever there is no auto-extract enabled in the investigation flow. + Possible values: True / False. + playbookInputQuery: +- key: IPAddress + value: + complex: + root: Endpoint + accessor: IPAddress + transformers: + - operator: uniq + required: false + description: The IP address of the endpoint to enrich. + playbookInputQuery: +- key: EndpointID + value: + complex: + root: Endpoint + accessor: ID + transformers: + - operator: uniq + required: false + description: The endpoint ID of the endpoint to enrich. + playbookInputQuery: +inputSections: +- inputs: + - Hostname + - UseReputationCommand + - IPAddress + - EndpointID + name: General (Inputs group) + description: Generic group for inputs +outputSections: +- outputs: + - Endpoint + - Endpoint.Hostname + - Endpoint.OS + - Endpoint.IP + - Endpoint.MAC + - Endpoint.Domain + - CylanceProtectDevice + - ExtraHop.Device.Macaddr + - ExtraHop.Device.DeviceClass + - ExtraHop.Device.UserModTime + - ExtraHop.Device.AutoRole + - ExtraHop.Device.ParentId + - ExtraHop.Device.Vendor + - ExtraHop.Device.Analysis + - ExtraHop.Device.DiscoveryId + - ExtraHop.Device.DefaultName + - ExtraHop.Device.DisplayName + - ExtraHop.Device.OnWatchlist + - ExtraHop.Device.ModTime + - ExtraHop.Device.IsL3 + - ExtraHop.Device.Role + - ExtraHop.Device.DiscoverTime + - ExtraHop.Device.Id + - ExtraHop.Device.Ipaddr4 + - ExtraHop.Device.Vlanid + - ExtraHop.Device.Ipaddr6 + - ExtraHop.Device.NodeId + - ExtraHop.Device.Description + - ExtraHop.Device.DnsName + - ExtraHop.Device.DhcpName + - ExtraHop.Device.CdpName + - ExtraHop.Device.NetbiosName + - ExtraHop.Device.Url + - Endpoint.IPAddress + - Endpoint.ID + - Endpoint.Status + - Endpoint.IsIsolated + - Endpoint.MACAddress + - Endpoint.Vendor + - Endpoint.Relationships + - Endpoint.Processor + - Endpoint.Processors + - Endpoint.Memory + - Endpoint.Model + - Endpoint.BIOSVersion + - Endpoint.OSVersion + - Endpoint.DHCPServer + - McAfee.ePO.Endpoint + - Endpoint.Groups + - ActiveDirectory.ComputersPageCookie + - ActiveDirectory.Computers.dn + - ActiveDirectory.Computers.memberOf + - ActiveDirectory.Computers.name + - CrowdStrike.Device + - ActiveDirectory.Computers + - CarbonBlackEDR.Sensor.systemvolume_total_size + - CarbonBlackEDR.Sensor.emet_telemetry_path + - CarbonBlackEDR.Sensor.os_environment_display_string + - CarbonBlackEDR.Sensor.emet_version + - CarbonBlackEDR.Sensor.emet_dump_flags + - CarbonBlackEDR.Sensor.clock_delta + - CarbonBlackEDR.Sensor.supports_cblr + - CarbonBlackEDR.Sensor.sensor_uptime + - CarbonBlackEDR.Sensor.last_update + - CarbonBlackEDR.Sensor.physical_memory_size + - CarbonBlackEDR.Sensor.build_id + - CarbonBlackEDR.Sensor.uptime + - CarbonBlackEDR.Sensor.is_isolating + - CarbonBlackEDR.Sensor.event_log_flush_time + - CarbonBlackEDR.Sensor.computer_dns_name + - CarbonBlackEDR.Sensor.emet_report_setting + - CarbonBlackEDR.Sensor.id + - CarbonBlackEDR.Sensor.emet_process_count + - CarbonBlackEDR.Sensor.emet_is_gpo + - CarbonBlackEDR.Sensor.power_state + - CarbonBlackEDR.Sensor.network_isolation_enabled + - CarbonBlackEDR.Sensor.systemvolume_free_size + - CarbonBlackEDR.Sensor.status + - CarbonBlackEDR.Sensor.num_eventlog_bytes + - CarbonBlackEDR.Sensor.sensor_health_message + - CarbonBlackEDR.Sensor.build_version_string + - CarbonBlackEDR.Sensor.computer_sid + - CarbonBlackEDR.Sensor.next_checkin_time + - CarbonBlackEDR.Sensor.node_id + - CarbonBlackEDR.Sensor.cookie + - CarbonBlackEDR.Sensor.emet_exploit_action + - CarbonBlackEDR.Sensor.computer_name + - CarbonBlackEDR.Sensor.license_expiration + - CarbonBlackEDR.Sensor.supports_isolation + - CarbonBlackEDR.Sensor.parity_host_id + - CarbonBlackEDR.Sensor.supports_2nd_gen_modloads + - CarbonBlackEDR.Sensor.network_adapters + - CarbonBlackEDR.Sensor.sensor_health_status + - CarbonBlackEDR.Sensor.registration_time + - CarbonBlackEDR.Sensor.restart_queued + - CarbonBlackEDR.Sensor.notes + - CarbonBlackEDR.Sensor.num_storefiles_bytes + - CarbonBlackEDR.Sensor.os_environment_id + - CarbonBlackEDR.Sensor.shard_id + - CarbonBlackEDR.Sensor.boot_id + - CarbonBlackEDR.Sensor.last_checkin_time + - CarbonBlackEDR.Sensor.os_type + - CarbonBlackEDR.Sensor.group_id + - CarbonBlackEDR.Sensor.uninstall + - PaloAltoNetworksXDR.Endpoint + - PaloAltoNetworksXDR.Endpoint.endpoint_id + - PaloAltoNetworksXDR.Endpoint.endpoint_name + - PaloAltoNetworksXDR.Endpoint.endpoint_type + - PaloAltoNetworksXDR.Endpoint.endpoint_status + - PaloAltoNetworksXDR.Endpoint.os_type + - PaloAltoNetworksXDR.Endpoint.ip + - PaloAltoNetworksXDR.Endpoint.users + - PaloAltoNetworksXDR.Endpoint.domain + - PaloAltoNetworksXDR.Endpoint.alias + - PaloAltoNetworksXDR.Endpoint.first_seen + - PaloAltoNetworksXDR.Endpoint.last_seen + - PaloAltoNetworksXDR.Endpoint.content_version + - PaloAltoNetworksXDR.Endpoint.installation_package + - PaloAltoNetworksXDR.Endpoint.active_directory + - PaloAltoNetworksXDR.Endpoint.install_date + - PaloAltoNetworksXDR.Endpoint.endpoint_version + - PaloAltoNetworksXDR.Endpoint.is_isolated + - PaloAltoNetworksXDR.Endpoint.group_name + - PaloAltoNetworksXDR.Endpoint.count + - Account + - Account.Username + - Account.Domain + - PaloAltoNetworksXDR.RiskyHost + - PaloAltoNetworksXDR.RiskyHost.type + - PaloAltoNetworksXDR.RiskyHost.id + - PaloAltoNetworksXDR.RiskyHost.score + - PaloAltoNetworksXDR.RiskyHost.reasons + - PaloAltoNetworksXDR.RiskyHost.reasons.date created + - PaloAltoNetworksXDR.RiskyHost.reasons.description + - PaloAltoNetworksXDR.RiskyHost.reasons.severity + - PaloAltoNetworksXDR.RiskyHost.reasons.status + - PaloAltoNetworksXDR.RiskyHost.reasons.points + - Core.Endpoint + - Core.Endpoint.endpoint_id + - Core.Endpoint.endpoint_name + - Core.Endpoint.endpoint_type + - Core.Endpoint.endpoint_status + - Core.Endpoint.os_type + - Core.Endpoint.ip + - Core.Endpoint.users + - Core.Endpoint.domain + - Core.Endpoint.alias + - Core.Endpoint.first_seen + - Core.Endpoint.last_seen + - Core.Endpoint.content_version + - Core.Endpoint.installation_package + - Core.Endpoint.active_directory + - Core.Endpoint.install_date + - Core.Endpoint.endpoint_version + - Core.Endpoint.is_isolated + - Core.Endpoint.group_name + - Core.RiskyHost + - Core.RiskyHost.type + - Core.RiskyHost.id + - Core.RiskyHost.score + - Core.RiskyHost.reasons + - Core.RiskyHost.reasons.date created + - Core.RiskyHost.reasons.description + - Core.RiskyHost.reasons.severity + - Core.RiskyHost.reasons.status + - Core.RiskyHost.reasons.points + - McAfee.ePO.Endpoint.ParentID + - McAfee.ePO.Endpoint.ComputerName + - McAfee.ePO.Endpoint.Description + - McAfee.ePO.Endpoint.SystemDescription + - McAfee.ePO.Endpoint.TimeZone + - McAfee.ePO.Endpoint.DefaultLangID + - McAfee.ePO.Endpoint.UserName + - McAfee.ePO.Endpoint.Domain + - McAfee.ePO.Endpoint.Hostname + - McAfee.ePO.Endpoint.IPV6 + - McAfee.ePO.Endpoint.IPAddress + - McAfee.ePO.Endpoint.IPSubnet + - McAfee.ePO.Endpoint.IPSubnetMask + - McAfee.ePO.Endpoint.IPV4x + - McAfee.ePO.Endpoint.IPXAddress + - McAfee.ePO.Endpoint.SubnetAddress + - McAfee.ePO.Endpoint.SubnetMask + - McAfee.ePO.Endpoint.NetAddress + - McAfee.ePO.Endpoint.OSType + - McAfee.ePO.Endpoint.OSVersion + - McAfee.ePO.Endpoint.OSServicePackVer + - McAfee.ePO.Endpoint.OSBuildNum + - McAfee.ePO.Endpoint.OSPlatform + - McAfee.ePO.Endpoint.OSOEMID + - McAfee.ePO.Endpoint.Processor + - McAfee.ePO.Endpoint.CPUSpeed + - McAfee.ePO.Endpoint.Processors + - McAfee.ePO.Endpoint.CPUSerialNum + - McAfee.ePO.Endpoint.Memory + - McAfee.ePO.Endpoint.FreeMemory + - McAfee.ePO.Endpoint.FreeDiskSpace + - McAfee.ePO.Endpoint.TotalDiskSpace + - McAfee.ePO.Endpoint.UserProperty1 + - McAfee.ePO.Endpoint.UserProperty2 + - McAfee.ePO.Endpoint.UserProperty3 + - McAfee.ePO.Endpoint.UserProperty4 + - McAfee.ePO.Endpoint.SysvolFreeSpace + - McAfee.ePO.Endpoint.SysvolTotalSpace + - McAfee.ePO.Endpoint.Tags + - McAfee.ePO.Endpoint.ExcludedTags + - McAfee.ePO.Endpoint.LastUpdate + - McAfee.ePO.Endpoint.ManagedState + - McAfee.ePO.Endpoint.AgentGUID + - McAfee.ePO.Endpoint.AgentVersion + - McAfee.ePO.Endpoint.AutoID + - CrowdStrike.Device.ID + - CrowdStrike.Device.LocalIP + - CrowdStrike.Device.ExternalIP + - CrowdStrike.Device.Hostname + - CrowdStrike.Device.OS + - CrowdStrike.Device.MacAddress + - CrowdStrike.Device.FirstSeen + - CrowdStrike.Device.LastSeen + - CrowdStrike.Device.PolicyType + - CrowdStrike.Device.Status + name: General (Outputs group) + description: Generic group for outputs +outputs: +- contextPath: Endpoint + description: The endpoint object of the endpoint that was enriched. + type: string +- contextPath: Endpoint.Hostname + description: The hostnames of the endpoints that were enriched. + type: string +- contextPath: Endpoint.OS + description: The operating systems running on the endpoints that were enriched. + type: string +- contextPath: Endpoint.IP + description: A list of the IP addresses of the endpoints. + type: string +- contextPath: Endpoint.MAC + description: A list of the MAC addresses of the endpoints that were enriched. + type: string +- contextPath: Endpoint.Domain + description: The domain names of the endpoints that were enriched. + type: string +- contextPath: CylanceProtectDevice + description: The device information about the hostname that was enriched using Cylance + Protect v2. + type: string +- contextPath: ExtraHop.Device.Macaddr + description: The MAC Address of the device. + type: String +- contextPath: ExtraHop.Device.DeviceClass + description: The class of the device. + type: String +- contextPath: ExtraHop.Device.UserModTime + description: The time of the most recent update, expressed in milliseconds since + the epoch. + type: Number +- contextPath: ExtraHop.Device.AutoRole + description: The role automatically detected by the ExtraHop. + type: String +- contextPath: ExtraHop.Device.ParentId + description: The ID of the parent device. + type: Number +- contextPath: ExtraHop.Device.Vendor + description: The device vendor. + type: String +- contextPath: ExtraHop.Device.Analysis + description: The level of analysis preformed on the device. + type: string +- contextPath: ExtraHop.Device.DiscoveryId + description: The UUID given by the Discover appliance. + type: String +- contextPath: ExtraHop.Device.DefaultName + description: The default name of the device. + type: String +- contextPath: ExtraHop.Device.DisplayName + description: The display name of device. + type: String +- contextPath: ExtraHop.Device.OnWatchlist + description: Whether the device is on the advanced analysis allow list. + type: Boolean +- contextPath: ExtraHop.Device.ModTime + description: The time of the most recent update, expressed in milliseconds since + the epoch. + type: Number +- contextPath: ExtraHop.Device.IsL3 + description: Indicates whether the device is a Layer 3 device. + type: Boolean +- contextPath: ExtraHop.Device.Role + description: The role of the device. + type: String +- contextPath: ExtraHop.Device.DiscoverTime + description: The time that the device was discovered. + type: Number +- contextPath: ExtraHop.Device.Id + description: The ID of the device. + type: Number +- contextPath: ExtraHop.Device.Ipaddr4 + description: The IPv4 address of the device. + type: String +- contextPath: ExtraHop.Device.Vlanid + description: The ID of VLan. + type: Number +- contextPath: ExtraHop.Device.Ipaddr6 + description: The IPv6 address of the device. + type: string +- contextPath: ExtraHop.Device.NodeId + description: The Node ID of the Discover appliance. + type: number +- contextPath: ExtraHop.Device.Description + description: A user customizable description of the device. + type: string +- contextPath: ExtraHop.Device.DnsName + description: The DNS name associated with the device. + type: string +- contextPath: ExtraHop.Device.DhcpName + description: The DHCP name associated with the device. + type: string +- contextPath: ExtraHop.Device.CdpName + description: The Cisco Discovery Protocol name associated with the device. + type: string +- contextPath: ExtraHop.Device.NetbiosName + description: The NetBIOS name associated with the device. + type: string +- contextPath: ExtraHop.Device.Url + description: Link to the device details page in ExtraHop. + type: string +- contextPath: Endpoint.IPAddress + description: The endpoint IP address or list of IP addresses. + type: string +- contextPath: Endpoint.ID + description: The endpoint ID. + type: string +- contextPath: Endpoint.Status + description: The endpoint status. + type: string +- contextPath: Endpoint.IsIsolated + description: The endpoint isolation status. + type: string +- contextPath: Endpoint.MACAddress + description: The endpoint MAC address. + type: string +- contextPath: Endpoint.Vendor + description: The integration name of the endpoint vendor. + type: string +- contextPath: Endpoint.Relationships + description: The endpoint relationships of the endpoint that was enriched. + type: string +- contextPath: Endpoint.Processor + description: The model of the processor. + type: string +- contextPath: Endpoint.Processors + description: The number of processors. + type: string +- contextPath: Endpoint.Memory + description: Memory on this endpoint. + type: string +- contextPath: Endpoint.Model + description: The model of the machine or device. + type: string +- contextPath: Endpoint.BIOSVersion + description: The endpoint's BIOS version. + type: string +- contextPath: Endpoint.OSVersion + description: The endpoint's operation system version. + type: string +- contextPath: Endpoint.DHCPServer + description: The DHCP server of the endpoint. + type: string +- contextPath: McAfee.ePO.Endpoint + description: The endpoint that was enriched. + type: string +- contextPath: Endpoint.Groups + description: Groups for which the computer is listed as a member. + type: string +- contextPath: ActiveDirectory.ComputersPageCookie + description: An opaque string received in a paged search, used for requesting subsequent + entries. + type: string +- contextPath: ActiveDirectory.Computers.dn + description: The computer distinguished name. + type: string +- contextPath: ActiveDirectory.Computers.memberOf + description: Groups for which the computer is listed. + type: string +- contextPath: ActiveDirectory.Computers.name + description: The computer name. + type: string +- contextPath: CrowdStrike.Device + description: The information about the endpoint. + type: string +- contextPath: ActiveDirectory.Computers + description: The information about the hostname that was enriched using Active Directory. + type: string +- contextPath: CarbonBlackEDR.Sensor.systemvolume_total_size + description: The size, in bytes, of the system volume of the endpoint on which the + sensor is installed. installed. + type: number +- contextPath: CarbonBlackEDR.Sensor.emet_telemetry_path + description: The path of the EMET telemetry associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.os_environment_display_string + description: Human-readable string of the installed OS. + type: string +- contextPath: CarbonBlackEDR.Sensor.emet_version + description: The EMET version associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.emet_dump_flags + description: The flags of the EMET dump associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.clock_delta + description: The clock delta associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.supports_cblr + description: Whether the sensor supports Carbon Black Live Response (CbLR). + type: string +- contextPath: CarbonBlackEDR.Sensor.sensor_uptime + description: The uptime of the process. + type: string +- contextPath: CarbonBlackEDR.Sensor.last_update + description: When the sensor was last updated. + type: string +- contextPath: CarbonBlackEDR.Sensor.physical_memory_size + description: The size in bytes of physical memory. + type: number +- contextPath: CarbonBlackEDR.Sensor.build_id + description: The sensor version installed on this endpoint. From the /api/builds/ + endpoint. + type: string +- contextPath: CarbonBlackEDR.Sensor.uptime + description: Endpoint uptime in seconds. + type: string +- contextPath: CarbonBlackEDR.Sensor.is_isolating + description: Boolean representing sensor-reported isolation status. + type: boolean +- contextPath: CarbonBlackEDR.Sensor.event_log_flush_time + description: |- + If event_log_flush_time is set, the server will instruct the sensor to immediately + send all data before this date, ignoring all other throttling mechanisms. + To force a host current, set this value to a value far in the future. + When the sensor has finished sending its queued data, this value will be null. + type: string +- contextPath: CarbonBlackEDR.Sensor.computer_dns_name + description: The DNS name of the endpoint on which the sensor is installed. + type: string +- contextPath: CarbonBlackEDR.Sensor.emet_report_setting + description: The report setting of the EMET associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.id + description: The ID of this sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.emet_process_count + description: The number of EMET processes associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.emet_is_gpo + description: Whether the EMET is a GPO. + type: string +- contextPath: CarbonBlackEDR.Sensor.power_state + description: The sensor power state. + type: string +- contextPath: CarbonBlackEDR.Sensor.network_isolation_enabled + description: Boolean representing the network isolation request status. + type: boolean +- contextPath: CarbonBlackEDR.Sensor.systemvolume_free_size + description: The amount of free bytes on the system volume. + type: string +- contextPath: CarbonBlackEDR.Sensor.status + description: The sensor status. + type: string +- contextPath: CarbonBlackEDR.Sensor.num_eventlog_bytes + description: The number of event log bytes. + type: number +- contextPath: CarbonBlackEDR.Sensor.sensor_health_message + description: Human-readable string indicating the sensor’s self-reported status. + type: string +- contextPath: CarbonBlackEDR.Sensor.build_version_string + description: Human-readable string of the sensor version. + type: string +- contextPath: CarbonBlackEDR.Sensor.computer_sid + description: Machine SID of this host. + type: string +- contextPath: CarbonBlackEDR.Sensor.next_checkin_time + description: Next expected communication from this computer in server-local time + and zone. + type: string +- contextPath: CarbonBlackEDR.Sensor.node_id + description: The node ID associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.cookie + description: The cookie associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.emet_exploit_action + description: The EMET exploit action associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.computer_name + description: NetBIOS name of this computer. + type: string +- contextPath: CarbonBlackEDR.Sensor.license_expiration + description: When the license of the sensor expires. + type: string +- contextPath: CarbonBlackEDR.Sensor.supports_isolation + description: Whether the sensor supports isolation. + type: string +- contextPath: CarbonBlackEDR.Sensor.parity_host_id + description: The ID of the parity host associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.supports_2nd_gen_modloads + description: Whether the sensor support modload of 2nd generation. + type: string +- contextPath: CarbonBlackEDR.Sensor.network_adapters + description: A pipe-delimited list of IP,MAC pairs for each network interface. + type: string +- contextPath: CarbonBlackEDR.Sensor.sensor_health_status + description: Self-reported health score, from 0 to 100. Higher numbers indicate + a better health status. + type: string +- contextPath: CarbonBlackEDR.Sensor.registration_time + description: Time this sensor was originally registered in server-local time and + zone. + type: string +- contextPath: CarbonBlackEDR.Sensor.restart_queued + description: Whether a restart of the sensor is queued. + type: string +- contextPath: CarbonBlackEDR.Sensor.notes + description: The notes associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.num_storefiles_bytes + description: Number of storefiles bytes associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.os_environment_id + description: The ID of the OS environment of the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.shard_id + description: The ID of the shard associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.boot_id + description: A sequential counter of boots since the sensor was installed. + type: string +- contextPath: CarbonBlackEDR.Sensor.last_checkin_time + description: Last communication with this computer in server-local time and zone. + type: string +- contextPath: CarbonBlackEDR.Sensor.os_type + description: The operating system type of the computer. + type: string +- contextPath: CarbonBlackEDR.Sensor.group_id + description: The sensor group ID this sensor is assigned to. + type: string +- contextPath: CarbonBlackEDR.Sensor.uninstall + description: When set, indicates that the sensor will be directed to uninstall on + next check-in. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint + description: The endpoint object of the endpoint that was enriched. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.endpoint_id + description: The endpoint ID. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.endpoint_name + description: The endpoint name. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.endpoint_type + description: The endpoint type. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.endpoint_status + description: The status of the endpoint. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.os_type + description: The endpoint OS type. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.ip + description: A list of IP addresses. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.users + description: A list of users. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.domain + description: The endpoint domain. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.alias + description: The endpoint's aliases. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.first_seen + description: First seen date/time in Epoch (milliseconds). + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.last_seen + description: Last seen date/time in Epoch (milliseconds). + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.content_version + description: Content version. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.installation_package + description: Installation package. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.active_directory + description: Active directory. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.install_date + description: Install date in Epoch (milliseconds). + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.endpoint_version + description: Endpoint version. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.is_isolated + description: Whether the endpoint is isolated. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.group_name + description: The name of the group to which the endpoint belongs. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.count + description: Number of endpoints returned. + type: number +- contextPath: Account + description: The account object of the endpoint that was enriched. + type: string +- contextPath: Account.Username + description: The username in the relevant system. + type: string +- contextPath: Account.Domain + description: The domain of the account. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyHost + description: The endpoint object. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyHost.type + description: Form of identification element. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyHost.id + description: Identification value of the type field. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyHost.score + description: The score assigned to the host. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyHost.reasons + description: The endpoint risk objects. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyHost.reasons.date created + description: Date when the incident was created. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyHost.reasons.description + description: Description of the incident. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyHost.reasons.severity + description: The severity of the incident. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyHost.reasons.status + description: The incident status. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyHost.reasons.points + description: The score. + type: string +- contextPath: Core.Endpoint + description: The endpoint object. + type: unknown +- contextPath: Core.Endpoint.endpoint_id + description: The endpoint ID. +- contextPath: Core.Endpoint.endpoint_name + description: The endpoint name. +- contextPath: Core.Endpoint.endpoint_type + description: The endpoint type. +- contextPath: Core.Endpoint.endpoint_status + description: The status of the endpoint. +- contextPath: Core.Endpoint.os_type + description: The endpoint OS type. +- contextPath: Core.Endpoint.ip + description: A list of IP addresses. +- contextPath: Core.Endpoint.users + description: A list of users. +- contextPath: Core.Endpoint.domain + description: The endpoint domain. +- contextPath: Core.Endpoint.alias + description: The endpoint's aliases. +- contextPath: Core.Endpoint.first_seen + description: First seen date/time in Epoch (milliseconds). +- contextPath: Core.Endpoint.last_seen + description: Last seen date/time in Epoch (milliseconds). +- contextPath: Core.Endpoint.content_version + description: Content version. +- contextPath: Core.Endpoint.installation_package + description: Installation package. +- contextPath: Core.Endpoint.active_directory + description: Active directory. +- contextPath: Core.Endpoint.install_date + description: Install date in Epoch (milliseconds). +- contextPath: Core.Endpoint.endpoint_version + description: Endpoint version. +- contextPath: Core.Endpoint.is_isolated + description: Whether the endpoint is isolated. +- contextPath: Core.Endpoint.group_name + description: The name of the group to which the endpoint belongs. +- contextPath: Core.RiskyHost + description: The risky host object. + type: unknown +- contextPath: Core.RiskyHost.type + description: Form of identification element. +- contextPath: Core.RiskyHost.id + description: Identification value of the type field. +- contextPath: Core.RiskyHost.score + description: The score assigned to the host. +- contextPath: Core.RiskyHost.reasons + description: The reasons for the risk level. + type: unknown +- contextPath: Core.RiskyHost.reasons.date created + description: Date when the incident was created. +- contextPath: Core.RiskyHost.reasons.description + description: Description of the incident. +- contextPath: Core.RiskyHost.reasons.severity + description: The severity of the incident. +- contextPath: Core.RiskyHost.reasons.status + description: The incident status. +- contextPath: Core.RiskyHost.reasons.points + description: The score. +- contextPath: McAfee.ePO.Endpoint.ParentID + description: Endpoint parent ID. +- contextPath: McAfee.ePO.Endpoint.ComputerName + description: Endpoint computer name. +- contextPath: McAfee.ePO.Endpoint.Description + description: Endpoint description. +- contextPath: McAfee.ePO.Endpoint.SystemDescription + description: Endpoint system description. +- contextPath: McAfee.ePO.Endpoint.TimeZone + description: Endpoint time zone. +- contextPath: McAfee.ePO.Endpoint.DefaultLangID + description: Endpoint default language ID. +- contextPath: McAfee.ePO.Endpoint.UserName + description: Endpoint username. +- contextPath: McAfee.ePO.Endpoint.Domain + description: Endpoint domain name. +- contextPath: McAfee.ePO.Endpoint.Hostname + description: Endpoint IP host name. +- contextPath: McAfee.ePO.Endpoint.IPV6 + description: Endpoint IPv6 address. +- contextPath: McAfee.ePO.Endpoint.IPAddress + description: Endpoint IP address. +- contextPath: McAfee.ePO.Endpoint.IPSubnet + description: Endpoint IP subnet. +- contextPath: McAfee.ePO.Endpoint.IPSubnetMask + description: Endpoint IP subnet mask. +- contextPath: McAfee.ePO.Endpoint.IPV4x + description: Endpoint IPV4x address. +- contextPath: McAfee.ePO.Endpoint.IPXAddress + description: Endpoint IPX address. +- contextPath: McAfee.ePO.Endpoint.SubnetAddress + description: Endpoint subnet address. +- contextPath: McAfee.ePO.Endpoint.SubnetMask + description: Endpoint subnet mask. +- contextPath: McAfee.ePO.Endpoint.NetAddress + description: Endpoint net address. +- contextPath: McAfee.ePO.Endpoint.OSType + description: Endpoint OS type. +- contextPath: McAfee.ePO.Endpoint.OSVersion + description: Endpoint OS version. +- contextPath: McAfee.ePO.Endpoint.OSServicePackVer + description: Endpoint OS service pack version. +- contextPath: McAfee.ePO.Endpoint.OSBuildNum + description: Endpoint OS build number. +- contextPath: McAfee.ePO.Endpoint.OSPlatform + description: Endpoint OS platform. +- contextPath: McAfee.ePO.Endpoint.OSOEMID + description: Endpoint OS OEM ID. +- contextPath: McAfee.ePO.Endpoint.Processor + description: Endpoint CPU type. +- contextPath: McAfee.ePO.Endpoint.CPUSpeed + description: Endpoint CPU speed. +- contextPath: McAfee.ePO.Endpoint.Processors + description: Number of CPUs in the endpoint. +- contextPath: McAfee.ePO.Endpoint.CPUSerialNum + description: Endpoint CPU serial number. +- contextPath: McAfee.ePO.Endpoint.Memory + description: The total amount of physical memory in the endpoint. +- contextPath: McAfee.ePO.Endpoint.FreeMemory + description: The amount of free memory in the endpoint. +- contextPath: McAfee.ePO.Endpoint.FreeDiskSpace + description: The amount of free disk space in the endpoint. +- contextPath: McAfee.ePO.Endpoint.TotalDiskSpace + description: The total amount of disk space in the endpoint. +- contextPath: McAfee.ePO.Endpoint.UserProperty1 + description: Endpoint user property 1. +- contextPath: McAfee.ePO.Endpoint.UserProperty2 + description: Endpoint user property 2. +- contextPath: McAfee.ePO.Endpoint.UserProperty3 + description: Endpoint user property 3. +- contextPath: McAfee.ePO.Endpoint.UserProperty4 + description: Endpoint user property 4. +- contextPath: McAfee.ePO.Endpoint.SysvolFreeSpace + description: The amount of system volume free space in the endpoint. +- contextPath: McAfee.ePO.Endpoint.SysvolTotalSpace + description: The total amount of system volume space in the endpoint. +- contextPath: McAfee.ePO.Endpoint.Tags + description: Endpoint ePO tags. +- contextPath: McAfee.ePO.Endpoint.ExcludedTags + description: Endpoint EPO excluded tags. +- contextPath: McAfee.ePO.Endpoint.LastUpdate + description: The date the endpoint was last updated. +- contextPath: McAfee.ePO.Endpoint.ManagedState + description: Endpoint managed state. +- contextPath: McAfee.ePO.Endpoint.AgentGUID + description: Endpoint agent GUID. +- contextPath: McAfee.ePO.Endpoint.AgentVersion + description: Endpoint agent version. +- contextPath: McAfee.ePO.Endpoint.AutoID + description: Endpoint auto ID. +- contextPath: CrowdStrike.Device.ID + description: The ID of the device. +- contextPath: CrowdStrike.Device.LocalIP + description: The local IP address of the device. +- contextPath: CrowdStrike.Device.ExternalIP + description: The external IP address of the device. +- contextPath: CrowdStrike.Device.Hostname + description: The host name of the device. +- contextPath: CrowdStrike.Device.OS + description: The operating system of the device. +- contextPath: CrowdStrike.Device.MacAddress + description: The MAC address of the device. +- contextPath: CrowdStrike.Device.FirstSeen + description: The first time the device was seen. +- contextPath: CrowdStrike.Device.LastSeen + description: The last time the device was seen. +- contextPath: CrowdStrike.Device.PolicyType + description: The policy type of the device. +- contextPath: CrowdStrike.Device.Status + description: The device status. +sourceplaybookid: Endpoint Enrichment - Generic v2.1 +dirtyInputs: true +adopted: true +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Eradication_Plan.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Eradication_Plan.yml new file mode 100644 index 0000000..e6407f9 --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Eradication_Plan.yml @@ -0,0 +1,733 @@ +adopted: true +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 6.6.0 + isoverridable: false + itemVersion: 2.7.16 + packID: "" + packName: SOC Common Playbooks + prevname: "" + supportedModules: + - X1 + - X3 + - X5 + - ENT_PLUS + toServerVersion: "" +description: "This playbook handles all the eradication actions available with Cortex + XSIAM, including the following sub-playbooks:\n* Eradication Plan - Reset user password\n + * Eradication Plan - Delete file\n* Eradication Plan - Kill process (currently, + the playbook supports terminating a process by name) \n\nNote: The playbook inputs + enable manipulating the execution flow. Read the input descriptions for details." +dirtyInputs: true +id: 'SOC Eradication Plan_V3' +inputSections: +- description: Generic group for inputs + inputs: + - AutoEradicate + - EndpointID + - FilePath + - Username + - FileRemediation + - UserRemediation + - ProcessTermination + - ProcessID + - ShadowMode + name: General (Inputs group) +inputs: +- description: Set to True to execute the eradication playbook automatically. + key: AutoEradicate + playbookInputQuery: + required: false + value: + simple: "True" +- description: The endpoint ID. + key: EndpointID + playbookInputQuery: + required: false + value: + complex: + accessor: agentid + root: alert +- description: The file path for the file deletion and for the process termination + task. + key: FilePath + playbookInputQuery: + required: false + value: + complex: + accessor: initiatorpath + root: foundIncidents.CustomFields +- description: The username to reset the password for. + key: Username + playbookInputQuery: + required: false + value: + complex: + accessor: username + root: foundIncidents.CustomFields +- description: "Choose 'Quarantine' or 'Delete' to avoid file remediation conflicts. + \nFor example, choosing 'Delete' ignores the 'Quarantine file' task under the + containment playbook and executes only file deletion." + key: FileRemediation + playbookInputQuery: + required: false + value: + simple: Delete +- description: Set to 'True' to reset the user's password. + key: UserRemediation + playbookInputQuery: + required: false + value: + simple: "True" +- description: "Choose 'PID' to terminate the process using the Process ID, or 'Name' + to terminate the process using its name.\nPlease note that providing the file + path is mandatory for the process termination. \nIf 'PID' is chosen, the input + `ProcessID` should not be empty; otherwise, the termination will not proceed." + key: ProcessTermination + playbookInputQuery: + required: false + value: + simple: Name +- description: The process ID to terminate. + key: ProcessID + playbookInputQuery: + required: false + value: {} +- description: "" + key: ShadowMode + playbookInputQuery: + required: false + value: + simple: "true" +name: SOC Eradication Plan_V3 +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: + - TerminatedProcessFromEndpoints +outputs: +- contextPath: TerminatedProcessFromEndpoints + description: The terminated process from endpoint + type: unknown +sourceplaybookid: Eradication Plan +starttaskid: "0" +tags: +- SOC +- SOC_Framework +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "57" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: a565fd6d-2dd4-4f6f-8c41-d80d96fd1a58 + iscommand: false + name: "" + playbooktaskmissingcomponent: + version: -1 + taskid: a565fd6d-2dd4-4f6f-8c41-d80d96fd1a58 + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 170, + "y": -470 + } + } + "46": + continueonerrortype: "" + form: + description: Select which eradication actions to perform. + expired: false + questions: + - defaultrows: [] + fieldassociated: "" + gridcolumns: [] + id: "0" + label: "" + labelarg: + simple: Select Users to reset their password + options: [] + optionsarg: + - complex: + root: inputs.Username + transformers: + - operator: uniq + placeholder: "" + readonly: false + required: false + tooltip: "" + type: multiSelect + - defaultrows: [] + fieldassociated: "" + gridcolumns: [] + id: "1" + label: "" + labelarg: + simple: Select Files to delete + options: [] + optionsarg: + - complex: + root: inputs.FilePath + transformers: + - operator: uniq + placeholder: "" + readonly: false + required: false + tooltip: Please consider carefully whether the file will be needed for further + investigation before deleting it. + type: multiSelect + - defaultrows: [] + fieldassociated: "" + gridcolumns: [] + id: "2" + label: "" + labelarg: + simple: Select Process to terminate + options: [] + optionsarg: + - complex: + root: ProcessList + transformers: + - operator: uniq + - args: + applyIfEmpty: {} + defaultValue: + iscontext: true + value: + simple: inputs.FilePath + operator: SetIfEmpty + placeholder: "" + readonly: false + required: false + tooltip: Please consider carefully whether the process termination could impact + system processes with a similar name. + type: multiSelect + sender: "" + title: Which Eradication actions would you like to perform? + totalanswers: 0 + id: "46" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: + body: + cc: + format: "" + methods: [] + subject: + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: + nexttasks: + '#none#': + - "47" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Select which indicators to block. + id: 0b8d21a3-7d1d-44ac-898f-f7b9dd3c484e + iscommand: false + name: Which eradication actions would you like to perform? + playbooktaskmissingcomponent: + type: collection + version: -1 + taskid: 0b8d21a3-7d1d-44ac-898f-f7b9dd3c484e + timertriggers: [] + type: collection + view: |- + { + "position": { + "x": -120, + "y": 240 + } + } + "47": + continueonerrortype: "" + id: "47" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "54" + - "52" + - "53" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: eac14d54-acee-4628-894b-c3f85ad56381 + iscommand: false + name: Eradication + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: eac14d54-acee-4628-894b-c3f85ad56381 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 170, + "y": 410 + } + } + "48": + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + root: inputs.AutoEradicate + operator: isEqualString + right: + value: + simple: "True" + label: "yes" + continueonerrortype: "" + id: "48" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "46" + "yes": + - "47" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Whether to perform eradication actions automatically or manually. + id: 7e62a114-2f14-44b9-8fcb-e391078f8112 + iscommand: false + name: Should Eradicate automatically? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 7e62a114-2f14-44b9-8fcb-e391078f8112 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 170, + "y": 60 + } + } + "52": + continueonerrortype: "" + id: "52" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "61" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: e2ca1e88-b318-4dd3-8cd0-e79bcea8b708 + iscommand: false + name: Reset Password + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: e2ca1e88-b318-4dd3-8cd0-e79bcea8b708 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": -300, + "y": 560 + } + } + "53": + continueonerrortype: "" + id: "53" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "62" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 55eece77-4b85-418a-85b4-2df675bc6406 + iscommand: false + name: Delete File + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 55eece77-4b85-418a-85b4-2df675bc6406 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 170, + "y": 560 + } + } + "54": + continueonerrortype: "" + id: "54" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "63" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 85a5283a-4dcb-4be9-8994-cda1836b671a + iscommand: false + name: Terminate Process + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 85a5283a-4dcb-4be9-8994-cda1836b671a + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 640, + "y": 560 + } + } + "55": + continueonerrortype: "" + id: "55" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: aca6dccc-d750-41e7-8303-cc4cb1d1e1d8 + iscommand: false + name: Done + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: aca6dccc-d750-41e7-8303-cc4cb1d1e1d8 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 170, + "y": 875 + } + } + "56": + continueonerrortype: "" + id: "56" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "48" + note: false + quietmode: 0 + scriptarguments: + key: + simple: ProcessList + stringify: + simple: "false" + value: + complex: + root: inputs.FilePath + transformers: + - args: + error_if_no_match: {} + ignore_case: {} + multi_line: {} + period_matches_newline: {} + regex: + value: + simple: '[^\\]+$' + unpack_matches: {} + operator: RegexExtractAll + - args: + array1_key: + iscontext: true + array2: + iscontext: true + value: + simple: inputs.ProcessID + array2_key: {} + determine_output_length_by: {} + merge_dict: {} + output_name1: + value: + simple: Path + output_name2: + value: + simple: PID + operator: MakePair + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Set a value in context under the key you entered. + id: d459e56b-3290-44e3-81c7-0a69a339dbbf + iscommand: false + name: Set Process list + playbooktaskmissingcomponent: + script: Set + type: regular + version: -1 + taskid: d459e56b-3290-44e3-81c7-0a69a339dbbf + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": -120, + "y": -140 + } + } + "57": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.FilePath + operator: isNotEmpty + right: + value: {} + - - left: + iscontext: true + value: + complex: + root: inputs.ProcessID + operator: isNotEmpty + label: "yes" + continueonerrortype: "" + id: "57" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "48" + "yes": + - "56" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Check if the file path and PID are defined. + id: e5166636-3899-4c68-8dfa-b2b39ca764ed + iscommand: false + name: The file path and PID defined? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: e5166636-3899-4c68-8dfa-b2b39ca764ed + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 170, + "y": -330 + } + } + "61": + continueonerrortype: "" + id: "61" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - "55" + note: false + quietmode: 0 + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + UserRemediation: + simple: "True" + separatecontext: true + skipunavailable: false + task: + brand: "" + id: 6135cf7c-381c-46aa-82ec-0bb7ea483d7d + iscommand: false + name: SOC Eradication Plan_V3 - Reset Password + playbookId: SOC Eradication Plan_V3 - Reset Password + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: 6135cf7c-381c-46aa-82ec-0bb7ea483d7d + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": -300, + "y": 695 + } + } + "62": + continueonerrortype: "" + id: "62" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - "55" + note: false + quietmode: 0 + scriptarguments: + EndpointID: + complex: + root: Endpoints + FilePath: + complex: + root: Path + FileRemediation: + simple: Delete + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: true + skipunavailable: false + task: + brand: "" + id: 57716c22-5cef-4f80-bcc0-182cf01a9c05 + iscommand: false + name: SOC Eradication Plan_V3 - Delete File + playbookId: SOC Eradication Plan_V3 - Delete File + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: 57716c22-5cef-4f80-bcc0-182cf01a9c05 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 170, + "y": 695 + } + } + "63": + continueonerrortype: "" + id: "63" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - "55" + note: false + quietmode: 0 + scriptarguments: + ProcessTermination: + simple: Name + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: true + skipunavailable: false + task: + brand: "" + id: ad105024-74f8-4854-a9a1-bce917cb5dd1 + iscommand: false + name: SOC Eradication Plan_V3 - Terminate Process + playbookId: SOC Eradication Plan_V3 - Terminate Process + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: ad105024-74f8-4854-a9a1-bce917cb5dd1 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 640, + "y": 695 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": { + "48_47_yes": 0.53 + }, + "paper": { + "dimensions": { + "height": 1405, + "width": 1320, + "x": -300, + "y": -470 + } + } + } +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Eradication_Plan_-_Delete_File.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Eradication_Plan_-_Delete_File.yml new file mode 100644 index 0000000..7c1729c --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Eradication_Plan_-_Delete_File.yml @@ -0,0 +1,390 @@ +adopted: true +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 6.6.0 + isoverridable: false + itemVersion: 2.7.15 + packID: "" + packName: Common Playbooks + prevname: "" + supportedModules: + - X1 + - X3 + - X5 + - ENT_PLUS + toServerVersion: "" +description: "This playbook is one of the sub-playbooks in the eradication plan. \n + This playbook executes actions of file deletion, which is a crucial step in the + eradication process." +dirtyInputs: true +id: 'SOC Eradication Plan_V3 - Delete File' +inputSections: +- description: Generic group for inputs + inputs: + - FileRemediation + - EndpointID + - FilePath + - ShadowMode + name: General (Inputs group) +inputs: +- description: "Choose 'Quarantine' or 'Delete' to avoid file remediation conflicts. + \nFor example, choosing 'Delete' ignores the 'Quarantine file' task under the + containment playbook and executes only file deletion." + key: FileRemediation + playbookInputQuery: + required: false + value: + simple: Delete +- description: The endpoint ID. + key: EndpointID + playbookInputQuery: + required: false + value: + complex: + root: Endpoints +- description: The file path for the file deletion task. + key: FilePath + playbookInputQuery: + required: false + value: + complex: + root: Path +- description: "" + key: ShadowMode + playbookInputQuery: + required: false + value: + simple: "true" +name: SOC Eradication Plan_V3 - Delete File +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: [] +outputs: [] +sourceplaybookid: Eradication Plan - Delete File +starttaskid: "0" +tags: +- SOC +- SOC_Framework +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "21" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 48cbb13a-a0c0-4a27-815a-66e38f3387ff + iscommand: false + name: "" + playbooktaskmissingcomponent: + version: -1 + taskid: 48cbb13a-a0c0-4a27-815a-66e38f3387ff + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 360, + "y": -90 + } + } + "3": + continueonerror: true + continueonerrortype: errorPath + id: "3" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "22" + '#none#': + - "19" + note: false + quietmode: 0 + scriptarguments: + endpoint_ids: + complex: + root: inputs.EndpointID + file_path: + complex: + root: inputs.FilePath + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Initiates a new endpoint script execution to delete the specified + file. + id: 62686350-448d-4781-9ec5-2276b50dd884 + iscommand: true + name: Auto file deletion + playbooktaskmissingcomponent: + script: '|||core-run-script-delete-file' + type: regular + version: -1 + taskid: 62686350-448d-4781-9ec5-2276b50dd884 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 350, + "y": 430 + } + } + "5": + continueonerrortype: "" + id: "5" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 040279ae-6f3d-42a1-8def-2c0565fd669f + iscommand: false + name: Done - File Deletion + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 040279ae-6f3d-42a1-8def-2c0565fd669f + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 350, + "y": 790 + } + } + "19": + continueonerror: true + continueonerrortype: errorPath + id: "19" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "22" + '#none#': + - "5" + note: false + quietmode: 0 + scriptarguments: + action_id: + complex: + accessor: action_id + root: Core.GetActionStatus + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Retrieve the results of a script execution action. + id: ea39bf65-7f5c-4e0e-b47a-c23fcae7667f + iscommand: true + name: Get command result + playbooktaskmissingcomponent: + script: '|||core-get-script-execution-results' + type: regular + version: -1 + taskid: ea39bf65-7f5c-4e0e-b47a-c23fcae7667f + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 350, + "y": 600 + } + } + "21": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.FilePath + operator: isNotEmpty + - - left: + iscontext: true + value: + complex: + root: inputs.EndpointID + operator: isNotEmpty + - - ignorecase: true + left: + iscontext: true + value: + complex: + root: inputs.FileRemediation + operator: isEqualString + right: + value: + simple: Delete + label: "yes" + continueonerrortype: "" + id: "21" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "5" + "yes": + - "23" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Whether to delete the file based on the input values. + id: a1a09dd3-d1de-40ae-898b-6fe92bd93c6e + iscommand: false + name: Should delete the file? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: a1a09dd3-d1de-40ae-898b-6fe92bd93c6e + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 360, + "y": 70 + } + } + "22": + continueonerrortype: "" + id: "22" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: f70aec3b-d083-4117-832d-a75daa678c9b + iscommand: false + name: Foundation - Foundation - Error Handling_V3 + playbookId: Foundation - Foundation - Error Handling_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: f70aec3b-d083-4117-832d-a75daa678c9b + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 800, + "y": 785 + } + } + "23": + continueonerrortype: "" + id: "23" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + Full Run: + - "3" + Shadow Mode: + - "24" + note: false + quietmode: 0 + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: false + skipunavailable: false + task: + brand: "" + id: a6bc0525-0fc3-42b5-82dc-f1e60c25a27d + iscommand: false + name: Run Mode? + playbooktaskmissingcomponent: + script: 'ShadowModeRouter_V3' + type: condition + version: -1 + taskid: a6bc0525-0fc3-42b5-82dc-f1e60c25a27d + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 520, + "y": 250 + } + } + "24": + continueonerrortype: "" + id: "24" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "5" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow Mode: Palo XDR Auto File Deletion + Command: core-run-script-delete-file + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: ffb42258-a95d-40df-811c-b6790521e9d1 + iscommand: false + name: 'Shadow Mode: Palo XDR Auto File Deletion' + playbooktaskmissingcomponent: + script: Print + type: regular + version: -1 + taskid: ffb42258-a95d-40df-811c-b6790521e9d1 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 770, + "y": 410 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": {}, + "paper": { + "dimensions": { + "height": 945, + "width": 830, + "x": 350, + "y": -90 + } + } + } +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Eradication_Plan_-_Reset_Password.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Eradication_Plan_-_Reset_Password.yml new file mode 100644 index 0000000..41c743d --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Eradication_Plan_-_Reset_Password.yml @@ -0,0 +1,469 @@ +adopted: true +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 6.6.0 + isoverridable: false + itemVersion: 2.7.15 + packID: "" + packName: Common Playbooks + prevname: "" + supportedModules: + - X1 + - X3 + - X5 + - ENT_PLUS + - agentix + toServerVersion: "" +description: "This playbook is one of the sub-playbooks in the eradication plan. \n + The playbook executes actions to reset the user's passwords, which is a crucial + step in the eradication process." +dirtyInputs: true +id: 'SOC Eradication Plan_V3 - Reset Password' +inputSections: +- description: Generic group for inputs + inputs: + - UserRemediation + - Username + - ShadowMode + name: General (Inputs group) +inputs: +- description: Set to 'True' to reset the user's password. + key: UserRemediation + playbookInputQuery: + required: false + value: + simple: "True" +- description: The username to reset the password for. + key: Username + playbookInputQuery: + required: false + value: {} +- description: "" + key: ShadowMode + playbookInputQuery: + required: false + value: + simple: "true" +name: SOC Eradication Plan_V3 - Reset Password +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: [] +outputs: [] +sourceplaybookid: Eradication Plan - Reset Password +starttaskid: "0" +tags: +- SOC +- SOC_Framework +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "9" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 09c31255-cc27-43a6-81db-fb416e7a41fc + iscommand: false + name: "" + playbooktaskmissingcomponent: + version: -1 + taskid: 09c31255-cc27-43a6-81db-fb416e7a41fc + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 450, + "y": -20 + } + } + "1": + continueonerror: true + continueonerrortype: errorPath + id: "1" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "15" + '#none#': + - "13" + note: false + quietmode: 0 + scriptarguments: + username: + complex: + root: ResetPasswordToUsers + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Invalidates the password of an Active Directory user. + id: f1dd9cb9-db2b-4b3e-8765-101a2fc3bc28 + iscommand: true + name: Auto password reset + playbooktaskmissingcomponent: + script: '|||ad-expire-password' + type: regular + version: -1 + taskid: f1dd9cb9-db2b-4b3e-8765-101a2fc3bc28 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 450, + "y": 910 + } + } + "3": + continueonerrortype: "" + id: "3" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 83bdf4fd-82e0-41c8-801a-7dacf7cc7cb7 + iscommand: false + name: Done + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 83bdf4fd-82e0-41c8-801a-7dacf7cc7cb7 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 450, + "y": 1300 + } + } + "8": + continueonerrortype: "" + id: "8" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "3" + "yes": + - "14" + note: false + quietmode: 0 + scriptarguments: + brandname: + simple: Active Directory Query v2 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no'. + id: ed488801-2746-4d07-8abc-1dfb26c26f70 + iscommand: false + name: Is Active Directory Query v2 enabled? + playbooktaskmissingcomponent: + script: IsIntegrationAvailable + type: condition + version: -1 + taskid: ed488801-2746-4d07-8abc-1dfb26c26f70 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 450, + "y": 360 + } + } + "9": + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + root: inputs.UserRemediation + operator: isEqualString + right: + value: + simple: "True" + - - left: + iscontext: true + value: + complex: + root: inputs.Username + operator: isNotEmpty + label: "yes" + continueonerrortype: "" + id: "9" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "3" + "yes": + - "8" + note: false + quietmode: 2 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: |+ + Whether to reset the user's password based on the input values. + + + id: 948a893e-2686-482c-8662-cde9931f0644 + iscommand: false + name: Should reset the user password? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 948a893e-2686-482c-8662-cde9931f0644 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 450, + "y": 155 + } + } + "13": + continueonerrortype: "" + id: "13" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "3" + note: false + quietmode: 2 + scriptarguments: + key: + simple: UserPasswordReset + value: + complex: + root: ResetPasswordToUsers + separatecontext: false + skipunavailable: true + task: + brand: Builtin + description: commands.local.cmd.set.parent.alert.context + id: 11182b8c-325c-453c-8d1e-6890e1846610 + iscommand: true + name: Set the user with a password reset to the Alert context + playbooktaskmissingcomponent: + script: Builtin|||setParentIncidentContext + type: regular + version: -1 + taskid: 11182b8c-325c-453c-8d1e-6890e1846610 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 450, + "y": 1080 + } + } + "14": + continueonerrortype: "" + id: "14" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "16" + note: false + quietmode: 0 + scriptarguments: + key: + simple: ResetPasswordToUsers + value: + complex: + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: inputs.Username + operator: isNotEqualString + right: + value: + simple: Administrator + root: inputs.Username + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: "" + description: "Set a value in context under the key you entered. If no value + is entered, the script doesn't do anything.\n\nThis automation runs using + the default Limited User role, unless you explicitly change the permissions.\n + For more information, see the section about permissions here:\n- For Cortex + XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: 89912e2c-f160-47d2-8ea0-a03d2e7125eb + iscommand: false + name: Set users to reset password + playbooktaskmissingcomponent: + script: SetAndHandleEmpty + type: regular + version: -1 + taskid: 89912e2c-f160-47d2-8ea0-a03d2e7125eb + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 450, + "y": 575 + } + } + "15": + continueonerrortype: "" + id: "15" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: 6bd5e706-d833-4da6-850f-9060f116dcbb + iscommand: false + name: Foundation - Foundation - Error Handling_V3 + playbookId: Foundation - Foundation - Error Handling_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: 6bd5e706-d833-4da6-850f-9060f116dcbb + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 940, + "y": 1295 + } + } + "16": + continueonerrortype: "" + id: "16" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + Full Run: + - "1" + Shadow Mode: + - "17" + note: false + quietmode: 0 + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: false + skipunavailable: false + task: + brand: "" + id: fc1ab56a-cb19-4d9b-a11b-d9b6f9e61865 + iscommand: false + name: Run Mode? + playbooktaskmissingcomponent: + script: 'ShadowModeRouter_V3' + type: condition + version: -1 + taskid: fc1ab56a-cb19-4d9b-a11b-d9b6f9e61865 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 450, + "y": 730 + } + } + "17": + continueonerrortype: "" + id: "17" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "13" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow: Palo XDR Reset Password + Command: ad-expire-password + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: 3bf20258-7132-4327-8c20-54ec53cfc508 + iscommand: false + name: 'Shadow: AD Reset Password' + playbooktaskmissingcomponent: + script: Print + type: regular + version: -1 + taskid: 3bf20258-7132-4327-8c20-54ec53cfc508 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 940, + "y": 920 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": { + "8_3_#default#": 0.16, + "9_3_#default#": 0.14 + }, + "paper": { + "dimensions": { + "height": 1385, + "width": 870, + "x": 450, + "y": -20 + } + } + } +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Eradication_Plan_-_Terminate_Process.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Eradication_Plan_-_Terminate_Process.yml new file mode 100644 index 0000000..fcd45ba --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Eradication_Plan_-_Terminate_Process.yml @@ -0,0 +1,1099 @@ +adopted: true +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 6.6.0 + isoverridable: false + itemVersion: 2.7.15 + packID: "" + packName: Common Playbooks + prevname: "" + supportedModules: + - X1 + - X3 + - X5 + - ENT_PLUS + toServerVersion: "" +description: "This playbook is one of the sub-playbooks in the eradication plan. \n + This playbook handles the termination of the processes as a crucial step in the + eradication action.\nThe playbook executes actions of process termination, which + is a crucial step in the eradication process.\nThe process termination can be performed + based on either the process ID or the process name." +dirtyInputs: true +id: 'SOC Eradication Plan_V3 - Terminate Process' +inputSections: +- description: Generic group for inputs + inputs: + - ProcessTermination + - EndpointID + - FilePath + - ProcessID + - ShadowMode + name: General (Inputs group) +inputs: +- description: "Choose 'PID' to terminate the process by PID or 'Name' to terminate + the process by process name. \nNote: If neither option is selected, the process + will not be terminated." + key: ProcessTermination + playbookInputQuery: + required: false + value: + simple: Name +- description: The endpoint ID to run commands over. + key: EndpointID + playbookInputQuery: + required: false + value: {} +- description: The file path for the process termination. + key: FilePath + playbookInputQuery: + required: false + value: {} +- description: The process ID to terminate. + key: ProcessID + playbookInputQuery: + required: false + value: {} +- description: "" + key: ShadowMode + playbookInputQuery: + required: false + value: + simple: "true" +name: SOC Eradication Plan_V3 - Terminate Process +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: + - TerminatedProcessFromEndpoints +outputs: +- contextPath: TerminatedProcessFromEndpoints + description: The terminated process from endpoint + type: unknown +sourceplaybookid: Eradication Plan - Terminate Process +starttaskid: "0" +tags: +- SOC +- SOC_Framework +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "1" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 0c2bd2d8-2747-473f-873c-fdf0258c1425 + iscommand: false + name: "" + playbooktaskmissingcomponent: + version: -1 + taskid: 0c2bd2d8-2747-473f-873c-fdf0258c1425 + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 190, + "y": -180 + } + } + "1": + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + root: inputs.EndpointID + operator: isNotEmpty + right: + value: {} + - - ignorecase: true + left: + iscontext: true + value: + complex: + root: inputs.ProcessTermination + operator: isEqualString + right: + value: + simple: PID + - - left: + iscontext: true + value: + complex: + root: inputs.ProcessID + operator: isNotEmpty + - - left: + iscontext: true + value: + complex: + root: inputs.ProcessID + operator: notContainsGeneral + right: + value: + simple: \ + label: PID + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + root: inputs.ProcessTermination + operator: isEqualString + right: + value: + simple: Name + - - left: + iscontext: true + value: + complex: + root: inputs.EndpointID + operator: isNotEmpty + - - left: + iscontext: true + value: + complex: + root: inputs.FilePath + operator: isNotEmpty + label: Name + continueonerrortype: "" + id: "1" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "5" + Name: + - "22" + PID: + - "21" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Whether to terminate the process automatically, manually, or not + at all. + id: 387a0de2-f9a3-412a-8531-299ba47ac010 + iscommand: false + name: Should terminate the process? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 387a0de2-f9a3-412a-8531-299ba47ac010 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 190, + "y": -40 + } + } + "5": + continueonerrortype: "" + id: "5" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: b6c458a7-8533-4692-87af-498de4ea894f + iscommand: false + name: Done - Process Termination + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: b6c458a7-8533-4692-87af-498de4ea894f + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 190, + "y": 1240 + } + } + "8": + continueonerrortype: "" + id: "8" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "10" + note: false + quietmode: 0 + scriptarguments: + action_id: + complex: + accessor: action_id + root: Core.GetActionStatus + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Retrieve the results of a script execution action. + id: d1bf1eb3-8962-4fe0-8f37-dd1d6e67fc1d + iscommand: true + name: Get command result + playbooktaskmissingcomponent: + script: '|||core-get-script-execution-results' + type: regular + version: -1 + taskid: d1bf1eb3-8962-4fe0-8f37-dd1d6e67fc1d + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": -70, + "y": 500 + } + } + "9": + continueonerror: true + continueonerrortype: errorPath + id: "9" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "23" + '#none#': + - "8" + note: false + quietmode: 0 + scriptarguments: + endpoint_ids: + complex: + root: inputs.EndpointID + process_name: + complex: + root: FilePath + transformers: + - args: + error_if_no_match: {} + ignore_case: {} + multi_line: {} + period_matches_newline: {} + regex: + value: + simple: '[^\\]+$' + unpack_matches: {} + operator: RegexExtractAll + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Initiates a new endpoint script execution kill process. + id: 9fbfc5a0-d0b7-4354-a968-e8964e4ee45e + iscommand: true + name: process termination + playbooktaskmissingcomponent: + script: '|||core-run-script-kill-process' + type: regular + version: -1 + taskid: 9fbfc5a0-d0b7-4354-a968-e8964e4ee45e + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": -70, + "y": 320 + } + } + "10": + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: standard_output + root: Core.ScriptResult.results + operator: notEndWith + right: + value: + simple: 'killed: 0.' + label: "yes" + continueonerrortype: "" + id: "10" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "20" + "yes": + - "11" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks if the process was terminated. + id: 5bb3ab00-26df-4e11-89b2-a213d1eba8aa + iscommand: false + name: Was the process terminated? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 5bb3ab00-26df-4e11-89b2-a213d1eba8aa + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": -70, + "y": 670 + } + } + "11": + continueonerrortype: "" + id: "11" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "12" + note: false + quietmode: 0 + scriptarguments: + extend-context: + simple: TerminatedProcessFromEndpoints= + ignore-outputs: + simple: "true" + key: + complex: + root: inputs.EndpointID + value: + complex: + accessor: standard_output + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.ScriptResult.results._return_value + operator: isEqualString + right: + value: + simple: "True" + root: Core.ScriptResult.results + transformers: + - args: + error_if_no_match: {} + ignore_case: {} + multi_line: {} + period_matches_newline: {} + regex: + value: + simple: .*name (.*) found.* + unpack_matches: {} + operator: RegexExtractAll + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Set a value in context under the key you entered. + id: 960374b2-8b4a-4577-8bf1-ac02f9ceccf4 + iscommand: false + name: Set terminated process per endpoint ID + playbooktaskmissingcomponent: + script: Set + type: regular + version: -1 + taskid: 960374b2-8b4a-4577-8bf1-ac02f9ceccf4 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": -70, + "y": 860 + } + } + "12": + continueonerrortype: "" + id: "12" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "5" + note: false + quietmode: 0 + scriptarguments: + extend-context: + simple: TerminatedProcessOnEndpoints= + key: + simple: TerminatedProcessPerEndpointsID + value: + complex: + root: TerminatedProcessFromEndpoints + separatecontext: false + skipunavailable: true + task: + brand: Builtin + description: commands.local.cmd.set.parent.alert.context + id: 42d427fd-6d4a-4b70-8b1a-35c76fdd8d45 + iscommand: true + name: Set Deleted files per endpoint ID to the Alert context + playbooktaskmissingcomponent: + script: Builtin|||setParentIncidentContext + type: regular + version: -1 + taskid: 42d427fd-6d4a-4b70-8b1a-35c76fdd8d45 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": -70, + "y": 1040 + } + } + "13": + continueonerror: true + continueonerrortype: errorPath + id: "13" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "23" + '#none#': + - "15" + note: false + quietmode: 0 + scriptarguments: + commands: + simple: taskkill /F /PID ${ProcessID} + endpoint_ids: + complex: + root: inputs.EndpointID + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Initiate a new endpoint script execution of shell commands. + id: b55e14c5-51c9-455a-8560-36383f942676 + iscommand: true + name: process termination + playbooktaskmissingcomponent: + script: '|||core-run-script-execute-commands' + type: regular + version: -1 + taskid: b55e14c5-51c9-455a-8560-36383f942676 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 440, + "y": 320 + } + } + "15": + continueonerrortype: "" + id: "15" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "16" + note: false + quietmode: 0 + scriptarguments: + action_id: + complex: + accessor: action_id + root: Core.ScriptRun + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Retrieve the results of a script execution action. + id: 98faa8b1-1539-4e59-8274-c8434226eff7 + iscommand: true + name: Get command result + playbooktaskmissingcomponent: + script: '|||core-get-script-execution-results' + type: regular + version: -1 + taskid: 98faa8b1-1539-4e59-8274-c8434226eff7 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 440, + "y": 500 + } + } + "16": + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: standard_output + root: Core.ScriptResult.results + operator: endWith + right: + value: + simple: has been terminated. + label: "yes" + continueonerrortype: "" + id: "16" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "19" + "yes": + - "17" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks if the termination of the process was successful. + id: 1a42b9b2-db4a-4905-8dd5-4b47d18449fc + iscommand: false + name: Was the process terminated? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 1a42b9b2-db4a-4905-8dd5-4b47d18449fc + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 440, + "y": 670 + } + } + "17": + continueonerrortype: "" + id: "17" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "18" + note: false + quietmode: 0 + scriptarguments: + extend-context: + simple: TerminatedProcessFromEndpoints= + ignore-outputs: + simple: "true" + key: + complex: + root: inputs.EndpointID + value: + complex: + accessor: standard_output + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.ScriptResult.results._return_value + operator: isEqualString + right: + value: + simple: "True" + root: Core.ScriptResult.results + transformers: + - args: + error_if_no_match: {} + ignore_case: {} + multi_line: {} + period_matches_newline: {} + regex: + value: + simple: .*name (.*) found.* + unpack_matches: {} + operator: RegexExtractAll + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Set a value in context under the key you entered. + id: 800bc596-f674-43ff-84cf-91da9573954b + iscommand: false + name: Set terminated process per endpoint ID + playbooktaskmissingcomponent: + script: Set + type: regular + version: -1 + taskid: 800bc596-f674-43ff-84cf-91da9573954b + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 440, + "y": 860 + } + } + "18": + continueonerrortype: "" + id: "18" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "5" + note: false + quietmode: 0 + scriptarguments: + extend-context: + simple: TerminatedProcessOnEndpoints= + key: + simple: TerminatedProcessPerEndpointsID + value: + complex: + root: TerminatedProcessFromEndpoints + separatecontext: false + skipunavailable: true + task: + brand: Builtin + description: commands.local.cmd.set.parent.alert.context + id: 0056cbe7-0eda-4bea-832f-9438e1f45936 + iscommand: true + name: Set Deleted files per endpoint ID to the Alert context + playbooktaskmissingcomponent: + script: Builtin|||setParentIncidentContext + type: regular + version: -1 + taskid: 0056cbe7-0eda-4bea-832f-9438e1f45936 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 440, + "y": 1040 + } + } + "19": + continueonerrortype: "" + id: "19" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "5" + note: false + quietmode: 0 + scriptarguments: + message: + simple: The process termination has failed. + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints an error entry with a given message + id: c7749af3-73ff-4422-87dd-e8caeb84c069 + iscommand: false + name: Print Error + playbooktaskmissingcomponent: + script: PrintErrorEntry + type: regular + version: -1 + taskid: c7749af3-73ff-4422-87dd-e8caeb84c069 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1020, + "y": 860 + } + } + "20": + continueonerrortype: "" + id: "20" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "5" + note: false + quietmode: 0 + scriptarguments: + message: + simple: The process termination has failed. + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints an error entry with a given message + id: 4e7794f3-70a6-4941-8e9e-65ef20777dca + iscommand: false + name: Print Error + playbooktaskmissingcomponent: + script: PrintErrorEntry + type: regular + version: -1 + taskid: 4e7794f3-70a6-4941-8e9e-65ef20777dca + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": -490, + "y": 860 + } + } + "21": + continueonerrortype: "" + id: "21" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "26" + note: false + quietmode: 0 + scriptarguments: + key: + simple: ProcessID + value: + complex: + root: inputs.ProcessID + transformers: + - args: + error_if_no_match: {} + ignore_case: {} + multi_line: {} + period_matches_newline: {} + regex: + value: + simple: PID\":\"(\d+?)\" + unpack_matches: {} + operator: RegexExtractAll + - args: + applyIfEmpty: {} + defaultValue: + iscontext: true + value: + simple: inputs.ProcessID + operator: SetIfEmpty + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Set a value in context under the key you entered. + id: e5475bb4-564f-4364-892b-12b130016b7a + iscommand: false + name: Set PID + playbooktaskmissingcomponent: + script: Set + type: regular + version: -1 + taskid: e5475bb4-564f-4364-892b-12b130016b7a + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 440, + "y": 150 + } + } + "22": + continueonerrortype: "" + id: "22" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "24" + note: false + quietmode: 0 + scriptarguments: + key: + simple: FilePath + value: + complex: + root: inputs.FilePath + transformers: + - args: + error_if_no_match: {} + ignore_case: {} + multi_line: {} + period_matches_newline: {} + regex: + value: + simple: Path\":\"(.+?)\" + unpack_matches: {} + operator: RegexExtractAll + - args: + applyIfEmpty: {} + defaultValue: + iscontext: true + value: + simple: inputs.FilePath + operator: SetIfEmpty + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Set a value in context under the key you entered. + id: 77d2329d-39ac-4e97-8490-b759589f91ad + iscommand: false + name: Set Path + playbooktaskmissingcomponent: + script: Set + type: regular + version: -1 + taskid: 77d2329d-39ac-4e97-8490-b759589f91ad + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": -70, + "y": 150 + } + } + "23": + continueonerrortype: "" + id: "23" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: ee7dd725-fe5f-4919-8e7f-46115af0617d + iscommand: false + name: Foundation - Foundation - Error Handling_V3 + playbookId: Foundation - Foundation - Error Handling_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: ee7dd725-fe5f-4919-8e7f-46115af0617d + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 710, + "y": 1235 + } + } + "24": + continueonerrortype: "" + id: "24" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + Full Run: + - "9" + Shadow Mode: + - "25" + note: false + quietmode: 0 + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 91d25756-3c88-49f7-8bf6-165ad92c912c + iscommand: false + name: Run Mode? + playbooktaskmissingcomponent: + script: 'ShadowModeRouter_V3' + type: condition + version: -1 + taskid: 91d25756-3c88-49f7-8bf6-165ad92c912c + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": -560, + "y": 230 + } + } + "25": + continueonerrortype: "" + id: "25" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "11" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow: Palo XDR Kill Process + Command: core-run-script-kill-process ${inputs.FilePath} + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: 697fde5c-cab8-4724-96fb-5b82c3e8b5ca + iscommand: false + name: 'Shadow: Palo XDR Kill Process' + playbooktaskmissingcomponent: + script: Print + type: regular + version: -1 + taskid: 697fde5c-cab8-4724-96fb-5b82c3e8b5ca + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": -570, + "y": 410 + } + } + "26": + continueonerrortype: "" + id: "26" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + Full Run: + - "13" + Shadow Mode: + - "27" + note: false + quietmode: 0 + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 923ab99c-7548-4d6e-8b62-b8c1f647b475 + iscommand: false + name: Run Mode? + playbooktaskmissingcomponent: + script: 'ShadowModeRouter_V3' + type: condition + version: -1 + taskid: 923ab99c-7548-4d6e-8b62-b8c1f647b475 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 900, + "y": 230 + } + } + "27": + continueonerrortype: "" + id: "27" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "17" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow: Palo XDR Kill Process + Command: core-run-script-execute-commands ${ProcessID} + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: 5cb2b236-1d62-4da0-9604-bbc62a733c8a + iscommand: false + name: 'Shadow: Palo XDR Kill Process' + playbooktaskmissingcomponent: + script: Print + type: regular + version: -1 + taskid: 5cb2b236-1d62-4da0-9604-bbc62a733c8a + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 910, + "y": 390 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": { + "16_17_yes": 0.41, + "1_5_#default#": 0.14 + }, + "paper": { + "dimensions": { + "height": 1485, + "width": 1970, + "x": -570, + "y": -180 + } + } + } +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_File_Enrichment_-_File_reputation.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_File_Enrichment_-_File_reputation.yml new file mode 100644 index 0000000..9c339d2 --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_File_Enrichment_-_File_reputation.yml @@ -0,0 +1,467 @@ +adopted: true +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 5.0.0 + isoverridable: false + itemVersion: 2.7.15 + packID: "" + packName: Common Playbooks + prevname: "" + supportedModules: + - X1 + - X3 + - X5 + - ENT_PLUS + - agentix + toServerVersion: "" +description: Get file reputation using one or more integrations +dirtyInputs: true +id: 'SOC File Enrichment - File reputation_V3' +inputSections: +- description: Generic group for inputs + inputs: + - MD5 + - SHA256 + - SHA1 + name: General (Inputs group) +inputs: +- description: File MD5 hash to enrich. + key: MD5 + playbookInputQuery: + required: false + value: + complex: + accessor: MD5 + root: File +- description: File SHA-256 hash to enrich. + key: SHA256 + playbookInputQuery: + required: false + value: + complex: + accessor: SHA256 + root: File +- description: File SHA-1 hash to enrich. + key: SHA1 + playbookInputQuery: + required: false + value: + complex: + accessor: SHA1 + root: File +name: SOC File Enrichment - File reputation_V3 +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: + - File + - File.MD5 + - File.SHA1 + - File.SHA256 + - File.Malicious.Vendor + - DBotScore + - DBotScore.Indicator + - DBotScore.Type + - DBotScore.Vendor + - DBotScore.Score +outputs: +- contextPath: File + description: The file's object + type: unknown +- contextPath: File.MD5 + description: MD5 hash of the file + type: string +- contextPath: File.SHA1 + description: SHA1 hash of the file + type: string +- contextPath: File.SHA256 + description: SHA256 hash of the file + type: string +- contextPath: File.Malicious.Vendor + description: For malicious files, the vendor that made the decision + type: string +- contextPath: DBotScore + description: The DBotScore's object + type: unknown +- contextPath: DBotScore.Indicator + description: The tested indicator + type: string +- contextPath: DBotScore.Type + description: The type of the indicator + type: string +- contextPath: DBotScore.Vendor + description: Vendor used to calculate the score + type: string +- contextPath: DBotScore.Score + description: The actual score + type: number +sourceplaybookid: file_enrichment_-_file_reputation +starttaskid: "0" +tags: +- SOC +- SOC_Framework +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "1" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 214ebf34-1312-43ec-873d-41d45094ba22 + iscommand: false + name: "" + playbooktaskmissingcomponent: + version: -1 + taskid: 214ebf34-1312-43ec-873d-41d45094ba22 + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 500, + "y": 50 + } + } + "1": + continueonerrortype: "" + id: "1" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "14" + - "15" + - "17" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 4b42764c-31bd-4097-8721-159b73534347 + iscommand: false + name: Get file hash reputation + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 4b42764c-31bd-4097-8721-159b73534347 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 500, + "y": 195 + } + } + "5": + continueonerror: true + continueonerrortype: "" + id: "5" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "7" + note: false + quietmode: 0 + scriptarguments: + file: + complex: + root: inputs.MD5 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Get the MD5 hash reputation from every integration that supports + the `!file` command. + id: 61a4a533-980d-4b46-816e-75bbf2550d0a + iscommand: false + name: Get MD5 reputation + playbooktaskmissingcomponent: + script: FileReputation + type: regular + version: -1 + taskid: 61a4a533-980d-4b46-816e-75bbf2550d0a + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 162.5, + "y": 515 + } + } + "7": + continueonerrortype: "" + id: "7" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 66d74bf4-438c-40a8-840f-58052c181d0f + iscommand: false + name: Done + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 66d74bf4-438c-40a8-840f-58052c181d0f + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 500, + "y": 690 + } + } + "14": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.MD5 + operator: isExists + label: "yes" + continueonerrortype: "" + id: "14" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "7" + "yes": + - "5" + note: false + quietmode: 0 + scriptarguments: + value: + simple: ${File.MD5} + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Check if there is an MD5 hash in context. + id: 63bff973-38e4-490f-830e-b9d68f2791ad + iscommand: false + name: Is there an MD5 hash? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 63bff973-38e4-490f-830e-b9d68f2791ad + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 50, + "y": 340 + } + } + "15": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.SHA256 + operator: isExists + label: "yes" + continueonerrortype: "" + id: "15" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "7" + "yes": + - "16" + note: false + quietmode: 0 + scriptarguments: + value: + simple: ${File.SHA256} + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Check if there is a SHA-256 hash in context. + id: 8e16c355-ee0c-4b2b-86b1-0d2f5916430f + iscommand: false + name: Is there a SHA-256 hash? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 8e16c355-ee0c-4b2b-86b1-0d2f5916430f + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 500, + "y": 340 + } + } + "16": + continueonerror: true + continueonerrortype: "" + id: "16" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "7" + note: false + quietmode: 0 + scriptarguments: + file: + complex: + root: inputs.SHA256 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Get the SHA-256 hash reputation from every integration that supports + the `!file` command. + id: 092a1e7e-b7d8-4d50-8f6e-021c31701974 + iscommand: false + name: Get SHA-256 reputation + playbooktaskmissingcomponent: + script: FileReputation + type: regular + version: -1 + taskid: 092a1e7e-b7d8-4d50-8f6e-021c31701974 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 612.5, + "y": 515 + } + } + "17": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.SHA1 + operator: isExists + label: "yes" + continueonerrortype: "" + id: "17" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "7" + "yes": + - "18" + note: false + quietmode: 0 + scriptarguments: + value: + simple: ${File.SHA256} + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Check if there is a SHA-1 hash in context. + id: ceddfccc-685c-4392-8955-2c116297ca5f + iscommand: false + name: Is there a SHA-1 hash? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: ceddfccc-685c-4392-8955-2c116297ca5f + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 950, + "y": 340 + } + } + "18": + continueonerror: true + continueonerrortype: "" + id: "18" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "7" + note: false + quietmode: 0 + scriptarguments: + file: + complex: + root: inputs.SHA1 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Get the SHA-1 hash reputation from every integration that supports + the `!file` command. + id: 9cd10068-c589-4c05-8a22-7ec3528b89de + iscommand: false + name: Get SHA-1 reputation + playbooktaskmissingcomponent: + script: FileReputation + type: regular + version: -1 + taskid: 9cd10068-c589-4c05-8a22-7ec3528b89de + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1062.5, + "y": 515 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": { + "14_7_#default#": 0.52, + "15_7_#default#": 0.61 + }, + "paper": { + "dimensions": { + "height": 705, + "width": 1392.5, + "x": 50, + "y": 50 + } + } + } +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_File_Reputation.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_File_Reputation.yml new file mode 100644 index 0000000..323f254 --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_File_Reputation.yml @@ -0,0 +1,1085 @@ +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 6.6.0 + isoverridable: false + itemVersion: 1.0.0 + packID: "" + packName: SOC Common Playbooks + prevname: "" + toServerVersion: "" +description: "This playbook checks the file reputation and sets the verdict as a new + context key.\n\nThe verdict is composed by 3 main components:\n\n* VirusTotal detection + rate\n* Digital certificate signers\n* NSRL DB\n\nNote: a user can provide a list + of trusted signers of his own using the playbook inputs\n " +adopted: true +id: 'SOC File Reputation_V3' +inputs: +- description: The minimum number of positive engines needed to mark file as malicious. + key: DetectionThreshold + playbookInputQuery: + required: false + value: + simple: "5" +- description: A list of trusted publishers + key: TrustedPublishers + playbookInputQuery: + required: false + value: + simple: |- + Microsoft Root Authority,Microsoft Timestamping Service, + Microsoft Code Signing PCA, Microsoft Corporation +- description: The file SHA256. + key: FileSHA256 + playbookInputQuery: + required: false + value: {} +name: SOC File Reputation_V3 +outputs: +- contextPath: VTFileVerdict + description: VirusTotal file verdict. + type: unknown +- contextPath: NSRLFileVerdict + description: NSRL file verdict. + type: unknown +- contextPath: VTFileSigners + description: VirusTotal file signers. + type: unknown +- contextPath: XDRFileSigners + description: XDR file signers. + type: unknown +- contextPath: WildFire.Report + description: WildFire report details. + type: unknown +- contextPath: WildFire.Verdicts + description: WildFire verdict. + type: unknown +sourceplaybookid: File Reputation +starttaskid: "0" +tags: +- SOC +- Enrichment +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "7" + - "4" + - "18" + - "25" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 0036bf78-bb71-4cc0-8147-c1dcb446f610 + iscommand: false + name: "" + version: -1 + taskid: 0036bf78-bb71-4cc0-8147-c1dcb446f610 + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 2269.25, + "y": 50 + } + } + "3": + continueonerrortype: "" + id: "3" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 9a0d46f3-35a0-4022-833b-6e33cda9114b + iscommand: false + name: Done + type: title + version: -1 + taskid: 9a0d46f3-35a0-4022-833b-6e33cda9114b + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 2509.75, + "y": 1055 + } + } + "4": + continueonerrortype: "" + id: "4" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "5" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: d188fc98-26aa-4ad3-8c92-d603b765f6ec + iscommand: false + name: VirusTotal Reputation + type: title + version: -1 + taskid: d188fc98-26aa-4ad3-8c92-d603b765f6ec + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 1307.25, + "y": 210 + } + } + "5": + continueonerror: true + continueonerrortype: errorPath + id: "5" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "29" + '#none#': + - "24" + note: false + quietmode: 0 + scriptarguments: + file: + complex: + root: inputs.FileSHA256 + separatecontext: false + skipunavailable: true + task: + brand: "" + description: Retrieve results for a file hash using WildFire. + id: 4f29d47b-7ada-471d-b59a-086e88eb8c69 + iscommand: true + name: File enrichment + script: '|||file' + type: regular + version: -1 + taskid: 4f29d47b-7ada-471d-b59a-086e88eb8c69 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1307.25, + "y": 370 + } + } + "7": + continueonerrortype: "" + id: "7" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "10" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 728d695a-84e4-41a4-8de6-2e8b792c24ee + iscommand: false + name: NSRL + type: title + version: -1 + taskid: 728d695a-84e4-41a4-8de6-2e8b792c24ee + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 290.5, + "y": 210 + } + } + "8": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: malicious + root: VirusTotal.File.attributes.last_analysis_stats + operator: lessThan + right: + iscontext: true + value: + complex: + root: inputs.DetectionThreshold + label: Benign + continueonerrortype: "" + id: "8" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "17" + Benign: + - "14" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Check file detections. + id: 58df7ac3-e6e9-4da5-88ec-3a6b8268872b + iscommand: false + name: Check file detections + type: condition + version: -1 + taskid: 58df7ac3-e6e9-4da5-88ec-3a6b8268872b + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 2509.75, + "y": 710 + } + } + "10": + continueonerrortype: "" + id: "10" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "11" + note: false + quietmode: 0 + scriptarguments: + ignore-outputs: + simple: "false" + method: + simple: GET + saveAsFile: + simple: test.txt + url: + simple: https://hashlookup.circl.lu/lookup/sha256/${inputs.FileSHA256} + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Sends http request. Returns the response as json. + id: 657cdfbc-0d99-4fc1-8130-541ac61a46de + iscommand: false + name: Check the file hash against NSRL DB + script: http + type: regular + version: -1 + taskid: 657cdfbc-0d99-4fc1-8130-541ac61a46de + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 290.5, + "y": 370 + } + } + "11": + continueonerrortype: "" + id: "11" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "12" + note: false + quietmode: 0 + scriptarguments: + extend-context: + simple: NSRLCheckResults= + ignore-outputs: + simple: "true" + value: + complex: + accessor: Body + root: HttpRequest.Response + transformers: + - operator: Stringify + separatecontext: false + skipunavailable: false + task: + brand: "" + description: 'Parse a given JSON string "value" to a representative object. + Example: ''{"a": "value"}'' => {"a": "value"}.' + id: 83169b11-c3c4-452c-8a9b-e8cbb65740ce + iscommand: false + name: Parse HTTP response body + script: ParseJSON + type: regular + version: -1 + taskid: 83169b11-c3c4-452c-8a9b-e8cbb65740ce + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 290.5, + "y": 540 + } + } + "12": + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: message + root: NSRLCheckResults + operator: isNotEqualString + right: + value: + simple: Non existing SHA-256 + label: Found Results + continueonerrortype: "" + id: "12" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "21" + Found Results: + - "13" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Check NSRL search results. + id: 0daec705-f44f-4630-872a-ecfa3227ddab + iscommand: false + name: Check NSRL search results + type: condition + version: -1 + taskid: 0daec705-f44f-4630-872a-ecfa3227ddab + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 290.5, + "y": 710 + } + } + "13": + continueonerror: true + continueonerrortype: errorPath + id: "13" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "29" + '#none#': + - "3" + note: false + quietmode: 0 + scriptarguments: + key: + simple: NSRLFileVerdict + value: + simple: IsNSRL + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Set a value in context under the key you entered. + id: d8857862-f9f8-4d41-b1b9-6c084b173d5a + iscommand: false + name: Set file verdict - IsNSRL + script: Set + type: regular + version: -1 + taskid: d8857862-f9f8-4d41-b1b9-6c084b173d5a + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 581, + "y": 880 + } + } + "14": + continueonerror: true + continueonerrortype: errorPath + id: "14" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "29" + '#none#': + - "3" + note: false + quietmode: 0 + scriptarguments: + key: + simple: VTFileVerdict + value: + simple: Benign + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Set a value in context under the key you entered. + id: 4389c2e9-2557-45bb-be87-8d76c832a01b + iscommand: false + name: Set file verdict - VT-Benign + script: Set + type: regular + version: -1 + taskid: 4389c2e9-2557-45bb-be87-8d76c832a01b + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 2750.25, + "y": 880 + } + } + "15": + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: organization + root: VirusTotal.SearchResults.attributes.trusted_verdict + operator: inList + right: + iscontext: true + value: + complex: + root: inputs.TrustedPublishers + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: verdict + root: VirusTotal.SearchResults.attributes.trusted_verdict + operator: isEqualString + right: + value: + simple: goodware + label: Trusted Signers + continueonerrortype: "" + id: "15" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "22" + Trusted Signers: + - "16" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Check file signature. + id: df8ccfaa-c452-4c35-837c-4e80a383b1d1 + iscommand: false + name: Check file signature + type: condition + version: -1 + taskid: df8ccfaa-c452-4c35-837c-4e80a383b1d1 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 1547.75, + "y": 710 + } + } + "16": + continueonerror: true + continueonerrortype: errorPath + id: "16" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "29" + '#none#': + - "3" + note: false + quietmode: 0 + scriptarguments: + key: + simple: VTFileSigners + value: + simple: Trusted + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Set a value in context under the key you entered. + id: 55b06558-6f82-4dfc-a196-c34f3b62e469 + iscommand: false + name: Set file verdict - VT-TrustedSigners + script: Set + type: regular + version: -1 + taskid: 55b06558-6f82-4dfc-a196-c34f3b62e469 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1743, + "y": 880 + } + } + "17": + continueonerror: true + continueonerrortype: errorPath + id: "17" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "29" + '#none#': + - "3" + note: false + quietmode: 0 + scriptarguments: + key: + simple: VTFileVerdict + value: + simple: Malicious + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Set a value in context under the key you entered. + id: 7206a5f3-ba50-4e13-a794-884021095866 + iscommand: false + name: Set file verdict - VT-Malicious + script: Set + type: regular + version: -1 + taskid: 7206a5f3-ba50-4e13-a794-884021095866 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 2269.25, + "y": 880 + } + } + "18": + continueonerrortype: "" + id: "18" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "19" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: d51edea1-e13a-4342-83a1-804f7e2df09e + iscommand: false + name: Cortex XDR + type: title + version: -1 + taskid: d51edea1-e13a-4342-83a1-804f7e2df09e + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 3471.75, + "y": 545 + } + } + "19": + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: action_process_signature_vendor + root: PaloAltoNetworksXDR.Incident.alerts + transformers: + - args: + item: + iscontext: true + value: + simple: ${PaloAltoNetworksXDR.Incident.alerts.os_actor_process_signature_vendor} + operator: append + - args: + item: + iscontext: true + value: + simple: ${PaloAltoNetworksXDR.Incident.alerts.actor_process_signature_vendor} + operator: append + - args: + item: + iscontext: true + value: + simple: ${PaloAltoNetworksXDR.Incident.alerts.causality_actor_process_signature_vendor} + operator: append + operator: inList + right: + iscontext: true + value: + complex: + root: inputs.TrustedPublishers + label: Trusted Signers + continueonerrortype: "" + id: "19" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "23" + Trusted Signers: + - "20" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Check file signature. + id: 96728cac-a5cf-41e5-8cde-43882c9dd70f + iscommand: false + name: Check file signature + type: condition + version: -1 + taskid: 96728cac-a5cf-41e5-8cde-43882c9dd70f + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 3471.75, + "y": 710 + } + } + "20": + continueonerror: true + continueonerrortype: errorPath + id: "20" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "29" + '#none#': + - "3" + note: false + quietmode: 0 + scriptarguments: + key: + simple: XDRFileSigners + value: + simple: Trusted + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Set a value in context under the key you entered. + id: cae4954d-4e6d-432d-b5ea-7eab69b4b1e0 + iscommand: false + name: Set file verdict - XDR-TrustedSigners + script: Set + type: regular + version: -1 + taskid: cae4954d-4e6d-432d-b5ea-7eab69b4b1e0 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 3712.25, + "y": 880 + } + } + "21": + continueonerror: true + continueonerrortype: errorPath + id: "21" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "29" + '#none#': + - "3" + note: false + quietmode: 0 + scriptarguments: + key: + simple: NSRLFileVerdict + value: + simple: IsNotNSRL + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Set a value in context under the key you entered. + id: b0d6fd46-903e-408a-abae-c1a0e98f0034 + iscommand: false + name: Set file verdict - IsNotNSRL + script: Set + type: regular + version: -1 + taskid: b0d6fd46-903e-408a-abae-c1a0e98f0034 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 50, + "y": 880 + } + } + "22": + continueonerror: true + continueonerrortype: errorPath + id: "22" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "29" + '#none#': + - "3" + note: false + quietmode: 0 + scriptarguments: + key: + simple: VTFileSigners + value: + simple: UnTrusted + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Set a value in context under the key you entered. + id: d1aae27e-bda1-4816-9af7-b8d375d8aae9 + iscommand: false + name: Set file verdict - VT-TrustedSigners + script: Set + type: regular + version: -1 + taskid: d1aae27e-bda1-4816-9af7-b8d375d8aae9 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1262, + "y": 880 + } + } + "23": + continueonerror: true + continueonerrortype: errorPath + id: "23" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "29" + '#none#': + - "3" + note: false + quietmode: 0 + scriptarguments: + key: + simple: XDRFileSigners + value: + simple: UnTrusted + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Set a value in context under the key you entered. + id: fe108c46-c4ae-462d-9e8c-ccf72fbbe028 + iscommand: false + name: Set file verdict - XDR-UnTrustedSigners + script: Set + type: regular + version: -1 + taskid: fe108c46-c4ae-462d-9e8c-ccf72fbbe028 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 3231.25, + "y": 880 + } + } + "24": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: VirusTotal + operator: isNotEmpty + label: "yes" + continueonerrortype: "" + id: "24" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "3" + "yes": + - "15" + - "8" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks whether there are results from VirusTotal. + id: 5205d32a-2c3a-42ca-8586-04680de9bc5b + iscommand: false + name: Check for VT results + type: condition + version: -1 + taskid: 5205d32a-2c3a-42ca-8586-04680de9bc5b + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 1502.5, + "y": 540 + } + } + "25": + continueonerrortype: "" + id: "25" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "27" + - "28" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 825810e7-b8fb-4347-894b-51dae87fcb7f + iscommand: false + name: WildFire + type: title + version: -1 + taskid: 825810e7-b8fb-4347-894b-51dae87fcb7f + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 4483.75, + "y": 715 + } + } + "27": + continueonerror: true + continueonerrortype: "" + id: "27" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "3" + note: false + quietmode: 0 + scriptarguments: + sha256: + complex: + root: inputs.FileSHA256 + separatecontext: false + skipunavailable: true + task: + brand: "" + description: Retrieves results for a file hash using WildFire. + id: 04e3f233-3ddf-4ed1-bf58-a298d46658cd + iscommand: true + name: Get WildFire report + script: '|||wildfire-report' + type: regular + version: -1 + taskid: 04e3f233-3ddf-4ed1-bf58-a298d46658cd + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 4193.25, + "y": 880 + } + } + "28": + continueonerror: true + continueonerrortype: errorPath + id: "28" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "29" + '#none#': + - "3" + note: false + quietmode: 0 + scriptarguments: + hash: + complex: + root: inputs.FileSHA256 + separatecontext: false + skipunavailable: true + task: + brand: "" + description: Returns a verdict for a hash. + id: d8dddf61-ca65-4111-9c5c-8c82f784d18d + iscommand: true + name: Get WildFire verdict + script: '|||wildfire-get-verdict' + type: regular + version: -1 + taskid: d8dddf61-ca65-4111-9c5c-8c82f784d18d + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 4724.25, + "y": 880 + } + } + "29": + continueonerrortype: "" + id: "29" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" + iscommand: false + max: 100 + wait: 1 + note: false + quietmode: 0 + separatecontext: true + skipunavailable: true + task: + brand: "" + id: 2bb432ff-39d1-444e-b9e8-d002d7bd6cae + iscommand: false + name: Foundation - Foundation - Error Handling_V3 + playbookId: Foundation - Foundation - Error Handling_V3 + type: playbook + version: -1 + taskid: 2bb432ff-39d1-444e-b9e8-d002d7bd6cae + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 1838.25, + "y": 1050 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": { + "12_13_Found Results": 0.64, + "12_21_#default#": 0.84, + "15_16_Trusted Signers": 0.64, + "15_22_#default#": 0.8, + "19_20_Trusted Signers": 0.66, + "19_23_#default#": 0.81, + "22_29_#error#": 0.64, + "8_14_Benign": 0.78, + "8_17_#default#": 0.8 + }, + "paper": { + "dimensions": { + "height": 1070, + "width": 5055.25, + "x": 50, + "y": 50 + } + } + } +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Get_prevalence_for_IOCs.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Get_prevalence_for_IOCs.yml new file mode 100644 index 0000000..c079973 --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Get_prevalence_for_IOCs.yml @@ -0,0 +1,991 @@ +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 6.6.0 + isoverridable: false + itemVersion: 1.0.0 + packID: "" + packName: SOC Common Playbooks + prevname: "" + toServerVersion: "" +description: |+ + The playbook queries the analytics module to receive the prevalence of an IOC. + + Supported IOC: + - Process by SHA256 + - Process by file name + - IP + - Domain + - CMD + - Registry (require key and value) + +adopted: true +id: 'SOC Get prevalence for IOCs_V3' +inputs: +- description: "" + key: IP + playbookInputQuery: + required: false + value: {} +- description: "" + key: Hash + playbookInputQuery: + required: false + value: {} +- description: "" + key: Commandline + playbookInputQuery: + required: false + value: {} +- description: "" + key: Process + playbookInputQuery: + required: false + value: {} +- description: "" + key: RegistryKey + playbookInputQuery: + required: false + value: {} +- description: "" + key: RegistryValue + playbookInputQuery: + required: false + value: {} +- description: "" + key: Domain + playbookInputQuery: + required: false + value: {} +name: SOC Get prevalence for IOCs_V3 +outputs: +- contextPath: Core.AnalyticsPrevalence.Ip + description: Whether the IP address is prevalent or not. + type: unknown +- contextPath: Core.AnalyticsPrevalence.Ip.value + description: Whether the IP address is prevalent or not. +- contextPath: Core.AnalyticsPrevalence.Ip.data.global_prevalence + description: The global prevalence of the IP address. + type: unknown +- contextPath: Core.AnalyticsPrevalence.Ip.data.global_prevalence.value + description: The global prevalence of the IP address. +- contextPath: Core.AnalyticsPrevalence.Ip.data.local_prevalence + description: The local prevalence of the IP address. + type: unknown +- contextPath: Core.AnalyticsPrevalence.Ip.data.local_prevalence.value + description: The local prevalence of the IP address. +- contextPath: Core.AnalyticsPrevalence.Ip.data.prevalence + description: The prevalence of the IP address. + type: unknown +- contextPath: Core.AnalyticsPrevalence.Ip.data.prevalence.value + description: The prevalence of the IP address. +- contextPath: Core.AnalyticsPrevalence.Hash + description: The prevalence of the hash. + type: unknown +- contextPath: Core.AnalyticsPrevalence.Hash.value + description: Whether the hash is prevalent or not. +- contextPath: Core.AnalyticsPrevalence.Hash.data.global_prevalence + description: The prevalence of the hash. + type: unknown +- contextPath: Core.AnalyticsPrevalence.Hash.data.global_prevalence.value + description: The global prevalence of the hash. +- contextPath: Core.AnalyticsPrevalence.Hash.data.local_prevalence + description: The local prevalence of the hash. + type: unknown +- contextPath: Core.AnalyticsPrevalence.Hash.data.local_prevalence.value + description: The local prevalence of the hash. +- contextPath: Core.AnalyticsPrevalence.Hash.data.prevalence + description: The prevalence of the hash. + type: unknown +- contextPath: Core.AnalyticsPrevalence.Hash.data.prevalence.value + description: The prevalence of the hash. +- contextPath: Core.AnalyticsPrevalence.Domain + description: The prevalence of the domain. + type: unknown +- contextPath: Core.AnalyticsPrevalence.Domain.value + description: Whether the domain is prevalent or not. +- contextPath: Core.AnalyticsPrevalence.Domain.data.global_prevalence + description: The global prevalence of the domain. + type: unknown +- contextPath: Core.AnalyticsPrevalence.Domain.data.global_prevalence.value + description: The global prevalence of the domain. +- contextPath: Core.AnalyticsPrevalence.Domain.data.local_prevalence + description: The local prevalence of the domain. + type: unknown +- contextPath: Core.AnalyticsPrevalence.Domain.data.local_prevalence.value + description: The local prevalence of the domain. +- contextPath: Core.AnalyticsPrevalence.Domain.data.prevalence + description: The prevalence of the domain. + type: unknown +- contextPath: Core.AnalyticsPrevalence.Domain.data.prevalence.value + description: The prevalence of the domain. +- contextPath: Core.AnalyticsPrevalence.Process + description: The prevalence of the process. + type: unknown +- contextPath: Core.AnalyticsPrevalence.Process.value + description: Whether the process is prevalent or not. +- contextPath: Core.AnalyticsPrevalence.Process.data.global_prevalence + description: The global prevalence of the process. + type: unknown +- contextPath: Core.AnalyticsPrevalence.Process.data.global_prevalence.value + description: The global prevalence of the process. +- contextPath: Core.AnalyticsPrevalence.Process.data.local_prevalence + description: The local prevalence of the process. + type: unknown +- contextPath: Core.AnalyticsPrevalence.Process.data.local_prevalence.value + description: The local prevalence of the process. +- contextPath: Core.AnalyticsPrevalence.Process.data.prevalence + description: The prevalence of the process. + type: unknown +- contextPath: Core.AnalyticsPrevalence.Process.data.prevalence.value + description: The prevalence of the process. +- contextPath: Core.AnalyticsPrevalence.Registry + description: The prevalence of the registry. + type: unknown +- contextPath: Core.AnalyticsPrevalence.Registry.value + description: Whether the registry is prevalent or not. +- contextPath: Core.AnalyticsPrevalence.Registry.data.global_prevalence + description: The global prevalence of the registry. + type: unknown +- contextPath: Core.AnalyticsPrevalence.Registry.data.global_prevalence.value + description: The global prevalence of the registry. +- contextPath: Core.AnalyticsPrevalence.Registry.data.local_prevalence + description: The local prevalence of the registry. + type: unknown +- contextPath: Core.AnalyticsPrevalence.Registry.data.local_prevalence.value + description: The local prevalence of the registry. +- contextPath: Core.AnalyticsPrevalence.Registry.data.prevalence + description: The prevalence of the registry. + type: unknown +- contextPath: Core.AnalyticsPrevalence.Registry.data.prevalence.value + description: The prevalence of the registry. +- contextPath: Core.AnalyticsPrevalence.Cmd + description: The prevalence of the CMD. + type: unknown +- contextPath: Core.AnalyticsPrevalence.Cmd.value + description: Whether the CMD is prevalent or not. +- contextPath: Core.AnalyticsPrevalence.Cmd.data.global_prevalence + description: The global prevalence of the CMD. + type: unknown +- contextPath: Core.AnalyticsPrevalence.Cmd.data.global_prevalence.value + description: The global prevalence of the CMD. +- contextPath: Core.AnalyticsPrevalence.Cmd.data.local_prevalence + description: The local prevalence of the CMD. + type: unknown +- contextPath: Core.AnalyticsPrevalence.Cmd.data.local_prevalence.value + description: The local prevalence of the CMD. +- contextPath: Core.AnalyticsPrevalence.Cmd.data.prevalence + description: The prevalence of the CMD. + type: unknown +- contextPath: Core.AnalyticsPrevalence.Cmd.data.prevalence.value + description: The prevalence of the Cmd. +sourceplaybookid: Get prevalence for IOCs +starttaskid: "0" +tags: +- SOC +- Analytics +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "1" + - "2" + - "3" + - "4" + - "5" + - "6" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: d24981a6-e630-426a-8d47-97da09aa8fd8 + iscommand: false + name: "" + version: -1 + taskid: d24981a6-e630-426a-8d47-97da09aa8fd8 + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 1552.5, + "y": 50 + } + } + "1": + continueonerrortype: "" + id: "1" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "7" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 72bdab6d-8f44-4e6d-8074-2b929f75cc83 + iscommand: false + name: IP + type: title + version: -1 + taskid: 72bdab6d-8f44-4e6d-8074-2b929f75cc83 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 50, + "y": 210 + } + } + "2": + continueonerrortype: "" + id: "2" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "10" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 7e51572a-d879-45d9-87a0-96e2c6cdc6de + iscommand: false + name: Hash + type: title + version: -1 + taskid: 7e51572a-d879-45d9-87a0-96e2c6cdc6de + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 681, + "y": 210 + } + } + "3": + continueonerrortype: "" + id: "3" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "12" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: ab430fa0-7f67-48bb-80c7-3aaf91a685f2 + iscommand: false + name: Domain + type: title + version: -1 + taskid: ab430fa0-7f67-48bb-80c7-3aaf91a685f2 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 1262, + "y": 210 + } + } + "4": + continueonerrortype: "" + id: "4" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "18" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: becb735c-ae39-492f-8029-fa445fbe89ca + iscommand: false + name: Command Line + type: title + version: -1 + taskid: becb735c-ae39-492f-8029-fa445fbe89ca + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 1888.25, + "y": 210 + } + } + "5": + continueonerrortype: "" + id: "5" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "16" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 372a4887-887e-44c7-8d8d-0ab2bc4dabfb + iscommand: false + name: Registry + type: title + version: -1 + taskid: 372a4887-887e-44c7-8d8d-0ab2bc4dabfb + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 2469.25, + "y": 210 + } + } + "6": + continueonerrortype: "" + id: "6" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "14" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 61dfc474-c507-47f7-8489-fea7f0e89a26 + iscommand: false + name: Process Name + type: title + version: -1 + taskid: 61dfc474-c507-47f7-8489-fea7f0e89a26 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 3050.25, + "y": 210 + } + } + "7": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.IP + operator: isNotEmpty + right: + value: {} + label: "yes" + continueonerrortype: "" + id: "7" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "9" + "yes": + - "8" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks whether a IP exist + id: 8d6f6781-0e11-4ba6-83d4-7a9edf5ca62f + iscommand: false + name: Is IP exist? + type: condition + version: -1 + taskid: 8d6f6781-0e11-4ba6-83d4-7a9edf5ca62f + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 50, + "y": 370 + } + } + "8": + continueonerror: true + continueonerrortype: errorPath + id: "8" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "20" + '#none#': + - "9" + note: false + quietmode: 0 + scriptarguments: + ip_address: + complex: + root: inputs.IP + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Get the prevalence of an ip, identified by ip_address. + id: 9b56b643-7831-4426-bed4-fc9eae543d72 + iscommand: true + name: Get prevalence for IP + script: '|||core-get-IP-analytics-prevalence' + type: regular + version: -1 + taskid: 9b56b643-7831-4426-bed4-fc9eae543d72 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 245.25, + "y": 540 + } + } + "9": + continueonerrortype: "" + id: "9" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 1229d65a-a5e5-4a24-82ff-26f05589888f + iscommand: false + name: Done + type: title + version: -1 + taskid: 1229d65a-a5e5-4a24-82ff-26f05589888f + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 1602.5, + "y": 715 + } + } + "10": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.Hash + operator: isNotEmpty + right: + value: {} + label: "yes" + continueonerrortype: "" + id: "10" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "9" + "yes": + - "11" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks whether hash exist + id: df3021a5-526b-4e96-8e9c-ffe1d652882f + iscommand: false + name: Is Hash exist? + type: condition + version: -1 + taskid: df3021a5-526b-4e96-8e9c-ffe1d652882f + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 681, + "y": 370 + } + } + "11": + continueonerror: true + continueonerrortype: errorPath + id: "11" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "20" + '#none#': + - "9" + note: false + quietmode: 0 + scriptarguments: + sha256: + complex: + root: inputs.Hash + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Get the prevalence of a file, identified by sha256. + id: ba8c73e9-b718-4a13-8729-b1b43baccfb2 + iscommand: true + name: Get prevalence for Hash + script: '|||core-get-hash-analytics-prevalence' + type: regular + version: -1 + taskid: ba8c73e9-b718-4a13-8729-b1b43baccfb2 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 826.25, + "y": 540 + } + } + "12": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.Domain + operator: isNotEmpty + right: + value: {} + label: "yes" + continueonerrortype: "" + id: "12" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "9" + "yes": + - "13" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks whether a domain exist + id: 094aa4d1-d89b-47e2-8a11-4aa551fcf73f + iscommand: false + name: Is Domain exist? + type: condition + version: -1 + taskid: 094aa4d1-d89b-47e2-8a11-4aa551fcf73f + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 1262, + "y": 370 + } + } + "13": + continueonerror: true + continueonerrortype: errorPath + id: "13" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "20" + '#none#': + - "9" + note: false + quietmode: 0 + scriptarguments: + domain_name: + complex: + root: inputs.Domain + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Get the prevalence of a domain, identified by domain_name. + id: 4aff0629-d38f-4bd6-9372-15e3ed373871 + iscommand: true + name: Get prevalence for Domain + script: '|||core-get-domain-analytics-prevalence' + type: regular + version: -1 + taskid: 4aff0629-d38f-4bd6-9372-15e3ed373871 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1407.25, + "y": 540 + } + } + "14": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.Process + operator: isNotEmpty + right: + value: {} + label: "yes" + continueonerrortype: "" + id: "14" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "9" + "yes": + - "15" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks whether a process name exist + id: 6f2eb04f-09d1-4bcc-8a97-27d761646cbf + iscommand: false + name: Is Process name exist? + type: condition + version: -1 + taskid: 6f2eb04f-09d1-4bcc-8a97-27d761646cbf + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 3050.25, + "y": 370 + } + } + "15": + continueonerror: true + continueonerrortype: errorPath + id: "15" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "20" + '#none#': + - "9" + note: false + quietmode: 0 + scriptarguments: + process_name: + complex: + root: inputs.Process + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Get the prevalence of a process, identified by process_name. + id: c5ac0610-3b14-4fb1-b8ad-2f657dd37200 + iscommand: true + name: Get prevalence for Process name + script: '|||core-get-process-analytics-prevalence' + type: regular + version: -1 + taskid: c5ac0610-3b14-4fb1-b8ad-2f657dd37200 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 3295.5, + "y": 540 + } + } + "16": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.RegistryKey + operator: isNotEmpty + right: + value: {} + - - left: + iscontext: true + value: + complex: + root: inputs.RegistryValue + operator: isNotEmpty + label: "yes" + continueonerrortype: "" + id: "16" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "9" + "yes": + - "17" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks whether a registry values exist + id: 3f0071a0-d9c8-4cf5-8b52-df71fce0d72e + iscommand: false + name: Are Registry values exists? + type: condition + version: -1 + taskid: 3f0071a0-d9c8-4cf5-8b52-df71fce0d72e + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 2469.25, + "y": 370 + } + } + "17": + continueonerror: true + continueonerrortype: errorPath + id: "17" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "20" + '#none#': + - "9" + note: false + quietmode: 0 + scriptarguments: + key_name: + complex: + root: inputs.RegistryKey + value_name: + complex: + root: inputs.RegistryValue + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Get the prevalence of a registry_path, identified by key_name, + value_name. + id: 0e557e00-ec89-4d8e-a1a1-dcf249d3d38b + iscommand: true + name: Get prevalence for Registry key and value + script: '|||core-get-registry-analytics-prevalence' + type: regular + version: -1 + taskid: 0e557e00-ec89-4d8e-a1a1-dcf249d3d38b + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 2714.5, + "y": 540 + } + } + "18": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.Commandline + operator: isNotEmpty + right: + value: {} + label: "yes" + continueonerrortype: "" + id: "18" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "9" + "yes": + - "19" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks whether a command-line exist + id: e65afe0e-42d6-4114-81fa-d7347b5fabf9 + iscommand: false + name: Is Command-line exist? + type: condition + version: -1 + taskid: e65afe0e-42d6-4114-81fa-d7347b5fabf9 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 1888.25, + "y": 370 + } + } + "19": + continueonerror: true + continueonerrortype: errorPath + id: "19" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "20" + '#none#': + - "9" + note: false + quietmode: 0 + scriptarguments: + process_command_line: + complex: + root: inputs.Commandline + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Get the prevalence of a process_command_line, identified by process_command_line. + id: 7291624f-7197-4603-8a82-31cc4114911f + iscommand: true + name: Get prevalence for Command-line + script: '|||core-get-cmd-analytics-prevalence' + type: regular + version: -1 + taskid: 7291624f-7197-4603-8a82-31cc4114911f + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 2133.5, + "y": 540 + } + } + "20": + continueonerrortype: "" + id: "20" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" + iscommand: false + max: 100 + wait: 1 + note: false + quietmode: 0 + separatecontext: true + skipunavailable: true + task: + brand: "" + id: b28e99f5-3cac-4e32-b6c2-b6f365f8f556 + iscommand: false + name: Foundation - Foundation - Error Handling_V3 + playbookId: Foundation - Foundation - Error Handling_V3 + type: playbook + version: -1 + taskid: b28e99f5-3cac-4e32-b6c2-b6f365f8f556 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 2083.5, + "y": 710 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": { + "10_9_#default#": 0.13, + "12_9_#default#": 0.28, + "14_9_#default#": 0.26, + "16_9_#default#": 0.1, + "18_19_yes": 0.71, + "18_9_#default#": 0.15, + "7_9_#default#": 0.1 + }, + "paper": { + "dimensions": { + "height": 730, + "width": 3626.5, + "x": 50, + "y": 50 + } + } + } +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_IP_Enrichment_-_External_-_Generic_v2.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_IP_Enrichment_-_External_-_Generic_v2.yml new file mode 100644 index 0000000..c695c66 --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_IP_Enrichment_-_External_-_Generic_v2.yml @@ -0,0 +1,1056 @@ +adopted: true +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 5.0.0 + isoverridable: false + itemVersion: 2.7.15 + packID: "" + packName: Common Playbooks + prevname: "" + supportedModules: + - X1 + - X3 + - X5 + - ENT_PLUS + - agentix + toServerVersion: "" +description: |- + Enrich IP addresses using one or more integrations. + + - Resolve IP addresses to hostnames (DNS). + - Provide threat information. + - IP address reputation using !ip command. + - Separate internal and external addresses. +dirtyInputs: true +id: 'SOC IP Enrichment - External - Generic v2_V3' +inputSections: +- description: Generic group for inputs + inputs: + - IP + - InternalRange + - ResolveIP + - UseReputationCommand + - extended_data + - threat_model_association + - ExecutedFromParent + name: General (Inputs group) +inputs: +- description: The IP address to enrich. + key: IP + playbookInputQuery: + required: false + value: + complex: + accessor: Address + root: IP + transformers: + - operator: uniq +- description: 'A comma-separated list of IP address ranges (in CIDR notation). Use + this list to check if an IP address is found within a set of IP address ranges. + For example: "172.16.0.0/12,10.0.0.0/8,192.168.0.0/16" (without quotes).' + key: InternalRange + playbookInputQuery: + required: false + value: + complex: + accessor: PrivateIPs + root: lists + transformers: + - args: + error_if_no_match: {} + ignore_case: {} + multi_line: {} + period_matches_newline: {} + regex: + value: + simple: (\b(?:\d{1,3}\.){3}\d{1,3}\b/\d{1,2}) + unpack_matches: {} + operator: RegexExtractAll + - args: + separator: + value: + simple: ',' + operator: join +- description: |- + Whether to convert the IP address to a hostname using a DNS query (True/False). + The default value is true. + key: ResolveIP + playbookInputQuery: + required: true + value: + simple: "True" +- description: |- + Define if you would like to use the !IP command. + Note: This input should be used whenever there is no auto-extract enabled in the investigation flow. + Possible values: True / False. + The default value is false. + key: UseReputationCommand + playbookInputQuery: + required: true + value: + simple: "False" +- description: |- + Define whether you want the generic reputation command to return extended data (last_analysis_results). + Possible values: True / False. + The default value is false. + key: extended_data + playbookInputQuery: + required: false + value: + simple: "False" +- description: |- + Define whether you wish to enhance generic reputation command to include additional information such as Threat Bulletins, Attack patterns, Actors, Campaigns, TTPs, vulnerabilities, etc. Note: If set to true, additional 6 API calls will be performed. + Possible values: True / False. + The default value is false. + key: threat_model_association + playbookInputQuery: + required: false + value: + simple: "False" +- description: |- + Whether to execute common logic, like the classification of IP addresses to ranges and resolving, in the the main (IP Enrichment - Generic v2) enrichment playbook, instead of in the sub-playbooks. + Possible values are: True, False. + + Setting this to True and using the parent playbook will execute the relevant commands in the main playbook instead of executing them in both sub-playbooks, improving the performance of the playbook and reducing the overfall size of the incident. + key: ExecutedFromParent + playbookInputQuery: + required: false + value: + simple: "False" +name: SOC IP Enrichment - External - Generic v2_V3 +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: + - IP + - DBotScore + - Endpoint + - Endpoint.Hostname + - Endpoint.IP + - IP.Address + - IP.InRange + - DBotScore.Indicator + - DBotScore.Type + - DBotScore.Vendor + - DBotScore.Score + - IP.ASN + - IP.Tags + - IP.ThreatTypes + - IP.Geo.Country + - IP.Geo.Location + - IP.Malicious.Vendor + - IP.Malicious.Description + - IP.VirusTotal.DownloadedHashes + - IP.VirusTotal.UnAVDetectedDownloadedHashes + - IP.VirusTotal.DetectedURLs + - IP.VirusTotal.CommunicatingHashes + - IP.VirusTotal.UnAVDetectedCommunicatingHashes + - IP.VirusTotal.Resolutions.hostname + - IP.VirusTotal.ReferrerHashes + - IP.VirusTotal.UnAVDetectedReferrerHashes + - IP.VirusTotal.Resolutions.last_resolved +outputs: +- contextPath: IP + description: The IP address objects. + type: unknown +- contextPath: DBotScore + description: Indicator, Score, Type, and Vendor. + type: unknown +- contextPath: Endpoint + description: The endpoint's object. + type: unknown +- contextPath: Endpoint.Hostname + description: The hostname to enrich. + type: string +- contextPath: Endpoint.IP + description: A list of endpoint IP addresses. + type: string +- contextPath: IP.Address + description: The IP Address. + type: string +- contextPath: IP.InRange + description: Is the IP in the input ranges? (could be 'yes' or 'no). + type: string +- contextPath: DBotScore.Indicator + description: The indicator that was tested. + type: string +- contextPath: DBotScore.Type + description: The indicator type. + type: string +- contextPath: DBotScore.Vendor + description: The vendor used to calculate the score. + type: string +- contextPath: DBotScore.Score + description: The actual score. + type: string +- contextPath: IP.ASN + description: The Autonomous System (AS) number associated with the indicator. + type: string +- contextPath: IP.Tags + description: List of IP tags. + type: string +- contextPath: IP.ThreatTypes + description: Threat types associated with the IP. + type: string +- contextPath: IP.Geo.Country + description: The country associated with the indicator. + type: string +- contextPath: IP.Geo.Location + description: The longitude and latitude of the IP address. + type: string +- contextPath: IP.Malicious.Vendor + description: The vendor that reported the indicator as malicious. + type: string +- contextPath: IP.Malicious.Description + description: For malicious IPs, the reason that the vendor made the decision. + type: string +- contextPath: IP.VirusTotal.DownloadedHashes + description: Latest files that are detected by at least one antivirus solution and + were downloaded by VirusTotal from the IP address. + type: string +- contextPath: IP.VirusTotal.UnAVDetectedDownloadedHashes + description: Latest files that are not detected by any antivirus solution and were + downloaded by VirusTotal from the IP address provided. + type: string +- contextPath: IP.VirusTotal.DetectedURLs + description: Latest URLs hosted in this IP address detected by at least one URL + scanner. + type: string +- contextPath: IP.VirusTotal.CommunicatingHashes + description: Latest detected files that communicate with this IP address. + type: string +- contextPath: IP.VirusTotal.UnAVDetectedCommunicatingHashes + description: Latest undetected files that communicate with this IP address. + type: string +- contextPath: IP.VirusTotal.Resolutions.hostname + description: The following domains resolved to the given IP. + type: string +- contextPath: IP.VirusTotal.ReferrerHashes + description: Latest detected files that embed this IP address in their strings. + type: string +- contextPath: IP.VirusTotal.UnAVDetectedReferrerHashes + description: Latest undetected files that embed this IP address in their strings. + type: string +- contextPath: IP.VirusTotal.Resolutions.last_resolved + description: The last time the following domains resolved to the given IP. + type: string +sourceplaybookid: IP Enrichment - External - Generic v2 +starttaskid: "0" +tags: +- SOC +- SOC_Framework +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "47" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 6635b28b-bdf1-42cf-88bc-14ad75e9ebe0 + iscommand: false + name: "" + playbooktaskmissingcomponent: + version: -1 + taskid: 6635b28b-bdf1-42cf-88bc-14ad75e9ebe0 + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 550, + "y": 39 + } + } + "15": + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: Address + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: IP.InRange + operator: isEqualString + right: + value: + simple: "no" + root: IP + operator: isExists + label: "yes" + continueonerrortype: "" + id: "15" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "39" + "yes": + - "34" + note: false + quietmode: 0 + scriptarguments: + value: + complex: + accessor: Address + filters: + - - left: + iscontext: true + value: + simple: IP.InRange + operator: isEqualString + right: + value: + simple: "no" + root: IP + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks whether the "InRange" attribute is set to "no". + id: c8d8906f-cbf4-4ddd-84e6-1e55570d00a0 + iscommand: false + name: Is there an external IP address? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: c8d8906f-cbf4-4ddd-84e6-1e55570d00a0 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 552.5, + "y": 670 + } + } + "24": + continueonerrortype: "" + id: "24" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 8149db7c-af8d-41e2-85ee-c9fe2efd5040 + iscommand: false + name: Done + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 8149db7c-af8d-41e2-85ee-c9fe2efd5040 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 110, + "y": 1970 + } + } + "27": + continueonerrortype: "" + id: "27" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "36" + - "44" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 1734f24b-0b27-431e-81b6-89997f08894c + iscommand: false + name: Enrich external IP addresses + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 1734f24b-0b27-431e-81b6-89997f08894c + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 100, + "y": 1240 + } + } + "29": + continueonerror: true + continueonerrortype: errorPath + id: "29" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "49" + '#none#': + - "15" + note: false + quietmode: 0 + reputationcalc: 1 + scriptarguments: + ignore-outputs: + simple: "false" + ip: + complex: + root: inputs.IP + transformers: + - operator: uniq + ipRanges: + complex: + root: inputs.InternalRange + separatecontext: false + skipunavailable: false + task: + brand: "" + description: "Checks if the IP address is in the internal IP address ranges.\n + If internal, sets the \"InRange\" attribute to \"yes\".\nIf external, sets + the \"InRange\" attribute to \"no\". " + id: 8f96dd19-92e0-421f-bf2c-c89fe6676684 + iscommand: false + name: Determine whether the IP address is internal or external + playbooktaskmissingcomponent: + script: IsIPInRanges + type: regular + version: -1 + taskid: 8f96dd19-92e0-421f-bf2c-c89fe6676684 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 552.5, + "y": 505 + } + } + "34": + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: inputs.ResolveIP + operator: isEqualString + right: + value: + simple: "True" + label: "yes" + continueonerrortype: "" + id: "34" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "27" + "yes": + - "35" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks whether the "ResolveIP" parameter is set to "True". + id: 607dafbe-8ee1-47ad-810a-dacf03842673 + iscommand: false + name: Resolve the IP address? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 607dafbe-8ee1-47ad-810a-dacf03842673 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 550, + "y": 870 + } + } + "35": + continueonerror: true + continueonerrortype: "" + id: "35" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "27" + note: false + quietmode: 0 + reputationcalc: 2 + scriptarguments: + ip: + complex: + accessor: Address + filters: + - - left: + iscontext: true + value: + simple: IP.InRange + operator: isEqualString + right: + value: + simple: "no" + - - left: + iscontext: true + value: + simple: IP.Address + operator: containsGeneral + right: + iscontext: true + value: + simple: inputs.IP + root: IP + transformers: + - operator: uniq + separatecontext: false + skipunavailable: true + task: + brand: "" + description: Convert the IP address to a hostname using DNS query. + id: 9a9092a5-a173-4c8d-8a0c-f63960c42451 + iscommand: false + name: IP to Hostname (DNS) + playbooktaskmissingcomponent: + script: IPToHost + type: regular + version: -1 + taskid: 9a9092a5-a173-4c8d-8a0c-f63960c42451 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 750, + "y": 1055 + } + } + "36": + continueonerrortype: "" + id: "36" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "37" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 22f7b81d-ea1a-44b3-8b73-c628afaf5cfc + iscommand: false + name: Enrich Using VirusTotal Private API + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 22f7b81d-ea1a-44b3-8b73-c628afaf5cfc + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 550, + "y": 1420 + } + } + "37": + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: brand + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: modules.brand + operator: isEqualString + right: + value: + simple: VirusTotal - Private API + - - ignorecase: true + left: + iscontext: true + value: + simple: modules.state + operator: isEqualString + right: + value: + simple: active + root: modules + operator: isExists + label: "yes" + continueonerrortype: "" + id: "37" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "24" + "yes": + - "38" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks if there is an active instance of the VirusTotal Private + API integration enabled. + id: 0df4420b-8119-4731-8cb3-4745fd044913 + iscommand: false + name: Is VirusTotal Private API enabled? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 0df4420b-8119-4731-8cb3-4745fd044913 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 550, + "y": 1553 + } + } + "38": + continueonerror: true + continueonerrortype: errorPath + id: "38" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "49" + '#none#': + - "24" + note: false + quietmode: 0 + reputationcalc: 1 + scriptarguments: + ip: + complex: + root: . + transformers: + - operator: uniq + - args: + condition: + value: + simple: lhs==rhs + conditionB: {} + conditionInBetween: {} + else: + iscontext: true + value: + simple: ${IP(val.InRange=="no").Address} + equals: {} + lhs: + iscontext: true + value: + simple: inputs.ExecutedFromParent + lhsB: {} + options: {} + optionsB: {} + rhs: + value: + simple: "True" + rhsB: {} + then: + iscontext: true + value: + simple: inputs.IP + operator: If-Then-Else + - operator: uniq + separatecontext: false + skipunavailable: true + task: + brand: VirusTotal - Private API + description: | + Retrieves a report for a given IP address. + id: 2b536b08-f716-4b71-a54d-e0fdb7f1827e + iscommand: true + name: Get IP report from VirusTotal Private API + playbooktaskmissingcomponent: + script: VirusTotal - Private API|||vt-private-get-ip-report + type: regular + version: -1 + taskid: 2b536b08-f716-4b71-a54d-e0fdb7f1827e + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 550, + "y": 1730 + } + } + "39": + continueonerrortype: "" + id: "39" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "24" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 67d938bf-2bd3-4dfd-885f-8dd190cd0b93 + iscommand: false + name: No External IP Address + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 67d938bf-2bd3-4dfd-885f-8dd190cd0b93 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 1270, + "y": 1240 + } + } + "44": + continueonerrortype: "" + id: "44" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "46" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 9bda4dfe-35b9-40ac-8d8c-c6973b2d1d40 + iscommand: false + name: Check Reputation Using All Available Integrations + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 9bda4dfe-35b9-40ac-8d8c-c6973b2d1d40 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": -340, + "y": 1420 + } + } + "45": + continueonerror: true + continueonerrortype: errorPath + id: "45" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "49" + '#none#': + - "24" + note: false + quietmode: 0 + scriptarguments: + extended_data: + complex: + root: inputs.extended_data + ip: + complex: + root: . + transformers: + - args: + condition: + value: + simple: lhs==rhs + conditionB: {} + conditionInBetween: {} + else: + iscontext: true + value: + simple: ${IP(val.InRange=="no").Address} + equals: {} + lhs: + iscontext: true + value: + simple: inputs.ExecutedFromParent + lhsB: {} + options: {} + optionsB: {} + rhs: + value: + simple: "True" + rhsB: {} + then: + iscontext: true + value: + simple: inputs.IP + operator: If-Then-Else + - operator: uniq + threat_model_association: + complex: + root: inputs.threat_model_association + separatecontext: false + skipunavailable: true + task: + brand: "" + description: Checks the reputation of an IP address using all available integrations. + id: 59d18af0-7677-4e10-907f-c480e88d98f9 + iscommand: true + name: Check Reputation + playbooktaskmissingcomponent: + script: '|||ip' + type: regular + version: -1 + taskid: 59d18af0-7677-4e10-907f-c480e88d98f9 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": -340, + "y": 1730 + } + } + "46": + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: inputs.UseReputationCommand + operator: isEqualString + right: + value: + simple: "True" + label: "yes" + continueonerrortype: "" + id: "46" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "24" + "yes": + - "45" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Should use !IP command? + id: c55e9651-e6f5-48ec-8bbc-995c4e87808b + iscommand: false + name: Should use !IP command? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: c55e9651-e6f5-48ec-8bbc-995c4e87808b + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": -340, + "y": 1553 + } + } + "47": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.IP + operator: isNotEmpty + right: + value: {} + - - ignorecase: true + left: + iscontext: true + value: + simple: inputs.ExecutedFromParent + operator: isEqualString + right: + value: + simple: "True" + label: "Yes" + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.IP + operator: isNotEmpty + label: "No" + continueonerrortype: "" + id: "47" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "39" + "No": + - "48" + "Yes": + - "27" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks whether the playbook's input contains at least one IP address. + id: ea6c64c9-4852-47c9-8cfd-d6d6907037cf + iscommand: false + name: Are the IPs already classified? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: ea6c64c9-4852-47c9-8cfd-d6d6907037cf + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 550, + "y": 170 + } + } + "48": + continueonerrortype: "" + id: "48" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "29" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 2e4dbc75-e8f0-4478-8b16-523ba22e1621 + iscommand: false + name: Classify & Resolve IPs + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 2e4dbc75-e8f0-4478-8b16-523ba22e1621 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 552.5, + "y": 370 + } + } + "49": + continueonerrortype: "" + id: "49" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: 87c933fe-d5a5-4724-8d7f-ffa5625da08d + iscommand: false + name: Foundation - Foundation - Error Handling_V3 + playbookId: Foundation - Foundation - Error Handling_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: 87c933fe-d5a5-4724-8d7f-ffa5625da08d + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 870, + "y": 1965 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": { + "15_34_yes": 0.58, + "15_39_#default#": 0.29, + "34_27_#default#": 0.49, + "34_35_yes": 0.53, + "37_24_#default#": 0.28, + "37_38_yes": 0.52, + "46_24_#default#": 0.68, + "46_45_yes": 0.56, + "47_39_#default#": 0.3 + }, + "paper": { + "dimensions": { + "height": 1996, + "width": 1990, + "x": -340, + "y": 39 + } + } + } +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_IP_Enrichment_-_Generic_v2.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_IP_Enrichment_-_Generic_v2.yml new file mode 100644 index 0000000..4294217 --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_IP_Enrichment_-_Generic_v2.yml @@ -0,0 +1,1351 @@ +adopted: true +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 5.0.0 + isoverridable: false + itemVersion: 2.7.16 + packID: "" + packName: SOC Common Playbooks + prevname: "" + supportedModules: + - X1 + - X3 + - X5 + - ENT_PLUS + - agentix + toServerVersion: "" +description: |- + Enrich IP addresses using one or more integrations. + + - Resolve IP addresses to hostnames (DNS) + - Provide threat information + - Determine IP address reputation using the !ip command + - Separate internal and external IP addresses + - For internal IP addresses, get host information. + + When executing this playbook through IP Enrichment - Generic v2, IP classification and resolution will be handled by the main playbook, improving performance. +dirtyInputs: true +id: 'SOC IP Enrichment - Generic v2_V3' +inputSections: +- description: Generic group for inputs + inputs: + - IP + - InternalRange + - ResolveIP + - UseReputationCommand + - extended_data + - threat_model_association + - ExecutedFromParent + name: General (Inputs group) +inputs: +- description: The IP address to enrich. + key: IP + playbookInputQuery: + required: false + value: + complex: + accessor: Address + root: IP + transformers: + - operator: uniq +- description: 'A list of internal IP ranges to check IP addresses against. The comma-separated + list should be provided in CIDR notation. For example, a list of ranges would + be: "172.16.0.0/12,10.0.0.0/8,192.168.0.0/16" (without quotes).' + key: InternalRange + playbookInputQuery: + required: false + value: + complex: + accessor: PrivateIPs + root: lists + transformers: + - args: + error_if_no_match: {} + ignore_case: {} + multi_line: {} + period_matches_newline: {} + regex: + value: + simple: (\b(?:\d{1,3}\.){3}\d{1,3}\b/\d{1,2}) + unpack_matches: {} + operator: RegexExtractAll + - args: + separator: + value: + simple: ',' + operator: join +- description: |- + Determines whether to convert the IP address to a hostname using a DNS query (True/ False). + The default value is true. + key: ResolveIP + playbookInputQuery: + required: true + value: + simple: "False" +- description: |- + Define if you would like to use the !IP command. + Note: This input should be used whenever there is no auto-extract enabled in the investigation flow. + Possible values: True / False. + The default value is false. + key: UseReputationCommand + playbookInputQuery: + required: true + value: + simple: "False" +- description: |- + Define whether you want the generic reputation command to return extended data (last_analysis_results). + Possible values: True / False. + The default value is false. + key: extended_data + playbookInputQuery: + required: false + value: + simple: "False" +- description: |- + Define whether you wish to enhance generic reputation command to include additional information such as Threat Bulletins, Attack patterns, Actors, Campaigns, TTPs, vulnerabilities, etc. Note: If set to true, additional 6 API calls will be performed. + Possible values: True / False. + The default value is false. + key: threat_model_association + playbookInputQuery: + required: false + value: + simple: "False" +- description: |- + Whether to execute common logic, like the classification of IP addresses to ranges and resolving, in the the main (IP Enrichment - Generic v2) enrichment playbook, instead of in the sub-playbooks. + Possible values are: True, False. + + Setting this to True will execute the relevant commands in the main playbook instead of executing them in both sub-playbooks. + + Set this to True in the parent playbook if you are using the parent playbook, as opposed to using the sub-playbooks directly in your playbooks, as this will improve the performance of the playbook and reduce the overfall size of the incident. + key: ExecutedFromParent + playbookInputQuery: + required: false + value: + simple: "True" +name: SOC IP Enrichment - Generic v2_V3 +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: + - IP + - DBotScore + - Endpoint + - Endpoint.Hostname + - Endpoint.OS + - Endpoint.IP + - Endpoint.MAC + - Endpoint.Domain + - DBotScore.Indicator + - DBotScore.Type + - DBotScore.Vendor + - DBotScore.Score + - IP.ASN + - IP.Tags + - IP.ThreatTypes + - IP.Geo.Country + - IP.Geo.Location + - IP.Malicious.Vendor + - IP.Malicious.Description + - IP.VirusTotal.DownloadedHashes + - IP.VirusTotal.UnAVDetectedDownloadedHashes + - IP.VirusTotal.DetectedURLs + - IP.VirusTotal.CommunicatingHashes + - IP.VirusTotal.UnAVDetectedCommunicatingHashes + - IP.VirusTotal.Resolutions.hostname + - IP.VirusTotal.ReferrerHashes + - IP.VirusTotal.UnAVDetectedReferrerHashes + - IP.VirusTotal.Resolutions.last_resolved + - IP.Address + - IP.InRange + - Endpoint.ID + - Endpoint.Status + - Endpoint.IsIsolated + - Endpoint.MACAddress + - Endpoint.Vendor + - Endpoint.Relationships + - Endpoint.Processor + - Endpoint.Processors + - Endpoint.Memory + - Endpoint.Model + - Endpoint.BIOSVersion + - Endpoint.OSVersion + - Endpoint.DHCPServer + - Endpoint.Groups + - ExtraHop.Device.Macaddr + - ExtraHop.Device.DeviceClass + - ExtraHop.Device.UserModTime + - ExtraHop.Device.AutoRole + - ExtraHop.Device.ParentId + - ExtraHop.Device.Vendor + - ExtraHop.Device.Analysis + - ExtraHop.Device.DiscoveryId + - ExtraHop.Device.DefaultName + - ExtraHop.Device.DisplayName + - ExtraHop.Device.OnWatchlist + - ExtraHop.Device.ModTime + - ExtraHop.Device.IsL3 + - ExtraHop.Device.Role + - ExtraHop.Device.DiscoverTime + - ExtraHop.Device.Id + - ExtraHop.Device.Ipaddr4 + - ExtraHop.Device.Vlanid + - ExtraHop.Device.Ipaddr6 + - ExtraHop.Device.NodeId + - ExtraHop.Device.Description + - ExtraHop.Device.DnsName + - ExtraHop.Device.DhcpName + - ExtraHop.Device.CdpName + - ExtraHop.Device.NetbiosName + - ExtraHop.Device.Url + - McAfee.ePO.Endpoint + - ActiveDirectory.ComputersPageCookie + - ActiveDirectory.Computers + - ActiveDirectory.Computers.dn + - ActiveDirectory.Computers.memberOf + - ActiveDirectory.Computers.name + - CrowdStrike.Device + - CarbonBlackEDR.Sensor.systemvolume_total_size + - CarbonBlackEDR.Sensor.emet_telemetry_path + - CarbonBlackEDR.Sensor.os_environment_display_string + - CarbonBlackEDR.Sensor.emet_version + - CarbonBlackEDR.Sensor.emet_dump_flags + - CarbonBlackEDR.Sensor.clock_delta + - CarbonBlackEDR.Sensor.supports_cblr + - CarbonBlackEDR.Sensor.sensor_uptime + - CarbonBlackEDR.Sensor.last_update + - CarbonBlackEDR.Sensor.physical_memory_size + - CarbonBlackEDR.Sensor.build_id + - CarbonBlackEDR.Sensor.uptime + - CarbonBlackEDR.Sensor.is_isolating + - CarbonBlackEDR.Sensor.event_log_flush_time + - CarbonBlackEDR.Sensor.computer_dns_name + - CarbonBlackEDR.Sensor.emet_report_setting + - CarbonBlackEDR.Sensor.id + - CarbonBlackEDR.Sensor.emet_process_count + - CarbonBlackEDR.Sensor.emet_is_gpo + - CarbonBlackEDR.Sensor.power_state + - CarbonBlackEDR.Sensor.network_isolation_enabled + - CarbonBlackEDR.Sensor.systemvolume_free_size + - CarbonBlackEDR.Sensor.status + - CarbonBlackEDR.Sensor.num_eventlog_bytes + - CarbonBlackEDR.Sensor.sensor_health_message + - CarbonBlackEDR.Sensor.build_version_string + - CarbonBlackEDR.Sensor.computer_sid + - CarbonBlackEDR.Sensor.next_checkin_time + - CarbonBlackEDR.Sensor.node_id + - CarbonBlackEDR.Sensor.cookie + - CarbonBlackEDR.Sensor.emet_exploit_action + - CarbonBlackEDR.Sensor.computer_name + - CarbonBlackEDR.Sensor.license_expiration + - CarbonBlackEDR.Sensor.supports_isolation + - CarbonBlackEDR.Sensor.parity_host_id + - CarbonBlackEDR.Sensor.supports_2nd_gen_modloads + - CarbonBlackEDR.Sensor.network_adapters + - CarbonBlackEDR.Sensor.sensor_health_status + - CarbonBlackEDR.Sensor.registration_time + - CarbonBlackEDR.Sensor.restart_queued + - CarbonBlackEDR.Sensor.notes + - CarbonBlackEDR.Sensor.num_storefiles_bytes + - CarbonBlackEDR.Sensor.os_environment_id + - CarbonBlackEDR.Sensor.shard_id + - CarbonBlackEDR.Sensor.boot_id + - CarbonBlackEDR.Sensor.last_checkin_time + - CarbonBlackEDR.Sensor.os_type + - CarbonBlackEDR.Sensor.group_id + - CarbonBlackEDR.Sensor.uninstall + - PaloAltoNetworksXDR.Endpoint.endpoint_id + - PaloAltoNetworksXDR.Endpoint.endpoint_name + - PaloAltoNetworksXDR.Endpoint.endpoint_type + - PaloAltoNetworksXDR.Endpoint.endpoint_status + - PaloAltoNetworksXDR.Endpoint.os_type + - PaloAltoNetworksXDR.Endpoint.ip + - PaloAltoNetworksXDR.Endpoint.users + - PaloAltoNetworksXDR.Endpoint.domain + - PaloAltoNetworksXDR.Endpoint.alias + - PaloAltoNetworksXDR.Endpoint.first_seen + - PaloAltoNetworksXDR.Endpoint.last_seen + - PaloAltoNetworksXDR.Endpoint.content_version + - PaloAltoNetworksXDR.Endpoint.installation_package + - PaloAltoNetworksXDR.Endpoint.active_directory + - PaloAltoNetworksXDR.Endpoint.install_date + - PaloAltoNetworksXDR.Endpoint.endpoint_version + - PaloAltoNetworksXDR.Endpoint.is_isolated + - PaloAltoNetworksXDR.Endpoint.group_name + - PaloAltoNetworksXDR.Endpoint.count + - Account.Username + - Account.Domain + - PaloAltoNetworksXDR.RiskyHost.type + - PaloAltoNetworksXDR.RiskyHost.id + - PaloAltoNetworksXDR.RiskyHost.score + - PaloAltoNetworksXDR.RiskyHost.reasons + - PaloAltoNetworksXDR.RiskyHost.reasons.date created + - PaloAltoNetworksXDR.RiskyHost.reasons.description + - PaloAltoNetworksXDR.RiskyHost.reasons.severity + - PaloAltoNetworksXDR.RiskyHost.reasons.status + - PaloAltoNetworksXDR.RiskyHost.reasons.points + - Core.Endpoint.endpoint_id + - Core.Endpoint.endpoint_name + - Core.Endpoint.endpoint_type + - Core.Endpoint.endpoint_status + - Core.Endpoint.os_type + - Core.Endpoint.ip + - Core.Endpoint.users + - Core.Endpoint.domain + - Core.Endpoint.alias + - Core.Endpoint.first_seen + - Core.Endpoint.last_seen + - Core.Endpoint.content_version + - Core.Endpoint.installation_package + - Core.Endpoint.active_directory + - Core.Endpoint.install_date + - Core.Endpoint.endpoint_version + - Core.Endpoint.is_isolated + - Core.Endpoint.group_name + - Core.RiskyHost.type + - Core.RiskyHost.id + - Core.RiskyHost.score + - Core.RiskyHost.reasons + - Core.RiskyHost.reasons.date created + - Core.RiskyHost.reasons.description + - Core.RiskyHost.reasons.severity + - Core.RiskyHost.reasons.status + - Core.RiskyHost.reasons.points +outputs: +- contextPath: IP + description: The IP objects. + type: unknown +- contextPath: DBotScore + description: Indicator, Score, Type, Vendor. + type: unknown +- contextPath: Endpoint + description: The endpoint's object. + type: unknown +- contextPath: Endpoint.Hostname + description: The hostname to enrich. + type: string +- contextPath: Endpoint.OS + description: Endpoint OS. + type: string +- contextPath: Endpoint.IP + description: List of endpoint IP addresses. + type: string +- contextPath: Endpoint.MAC + description: List of endpoint MAC addresses. + type: string +- contextPath: Endpoint.Domain + description: Endpoint domain name. + type: string +- contextPath: DBotScore.Indicator + description: The indicator that was tested. + type: string +- contextPath: DBotScore.Type + description: The indicator type. + type: string +- contextPath: DBotScore.Vendor + description: The vendor used to calculate the score. + type: string +- contextPath: DBotScore.Score + description: The actual score. + type: string +- contextPath: IP.ASN + description: The Autonomous System (AS) number associated with the indicator. + type: string +- contextPath: IP.Tags + description: List of IP tags. + type: string +- contextPath: IP.ThreatTypes + description: Threat types associated with the IP. + type: string +- contextPath: IP.Geo.Country + description: The country associated with the indicator. + type: string +- contextPath: IP.Geo.Location + description: The longitude and latitude of the IP address. + type: string +- contextPath: IP.Malicious.Vendor + description: The vendor that reported the indicator as malicious. + type: string +- contextPath: IP.Malicious.Description + description: For malicious IPs, the reason that the vendor made the decision. + type: string +- contextPath: IP.VirusTotal.DownloadedHashes + description: Latest files that are detected by at least one antivirus solution and + were downloaded by VirusTotal from the IP address. + type: string +- contextPath: IP.VirusTotal.UnAVDetectedDownloadedHashes + description: Latest files that are not detected by any antivirus solution and were + downloaded by VirusTotal from the IP address provided. + type: string +- contextPath: IP.VirusTotal.DetectedURLs + description: Latest URLs hosted in this IP address detected by at least one URL + scanner. + type: string +- contextPath: IP.VirusTotal.CommunicatingHashes + description: Latest detected files that communicate with this IP address. + type: string +- contextPath: IP.VirusTotal.UnAVDetectedCommunicatingHashes + description: Latest undetected files that communicate with this IP address. + type: string +- contextPath: IP.VirusTotal.Resolutions.hostname + description: The following domains resolved to the given IP. + type: string +- contextPath: IP.VirusTotal.ReferrerHashes + description: Latest detected files that embed this IP address in their strings. + type: string +- contextPath: IP.VirusTotal.UnAVDetectedReferrerHashes + description: Latest undetected files that embed this IP address in their strings. + type: string +- contextPath: IP.VirusTotal.Resolutions.last_resolved + description: The last time the following domains resolved to the given IP. + type: string +- contextPath: IP.Address + description: The IP address. + type: string +- contextPath: IP.InRange + description: Is the IP in the input ranges? (could be 'yes' or 'no). + type: string +- contextPath: Endpoint.ID + description: The endpoint ID. + type: string +- contextPath: Endpoint.Status + description: The endpoint status. + type: string +- contextPath: Endpoint.IsIsolated + description: The endpoint isolation status. + type: string +- contextPath: Endpoint.MACAddress + description: The endpoint MAC address. + type: string +- contextPath: Endpoint.Vendor + description: The integration name of the endpoint vendor. + type: string +- contextPath: Endpoint.Relationships + description: The endpoint relationships of the endpoint that was enriched. + type: string +- contextPath: Endpoint.Processor + description: The model of the processor. + type: string +- contextPath: Endpoint.Processors + description: The number of processors. + type: string +- contextPath: Endpoint.Memory + description: Memory on this endpoint. + type: string +- contextPath: Endpoint.Model + description: The model of the machine or device. + type: string +- contextPath: Endpoint.BIOSVersion + description: The endpoint's BIOS version. + type: string +- contextPath: Endpoint.OSVersion + description: The endpoint's operation system version. + type: string +- contextPath: Endpoint.DHCPServer + description: The DHCP server of the endpoint. + type: string +- contextPath: Endpoint.Groups + description: Groups for which the computer is listed as a member. + type: string +- contextPath: ExtraHop.Device.Macaddr + description: The MAC Address of the device. + type: string +- contextPath: ExtraHop.Device.DeviceClass + description: The class of the device. + type: string +- contextPath: ExtraHop.Device.UserModTime + description: The time of the most recent update, expressed in milliseconds since + the epoch. + type: number +- contextPath: ExtraHop.Device.AutoRole + description: The role automatically detected by the ExtraHop. + type: string +- contextPath: ExtraHop.Device.ParentId + description: The ID of the parent device. + type: number +- contextPath: ExtraHop.Device.Vendor + description: The device vendor. + type: string +- contextPath: ExtraHop.Device.Analysis + description: The level of analysis preformed on the device. + type: string +- contextPath: ExtraHop.Device.DiscoveryId + description: The UUID given by the Discover appliance. + type: string +- contextPath: ExtraHop.Device.DefaultName + description: The default name of the device. + type: string +- contextPath: ExtraHop.Device.DisplayName + description: The display name of device. + type: string +- contextPath: ExtraHop.Device.OnWatchlist + description: Whether the device is on the advanced analysis allow list. + type: boolean +- contextPath: ExtraHop.Device.ModTime + description: The time of the most recent update, expressed in milliseconds since + the epoch. + type: number +- contextPath: ExtraHop.Device.IsL3 + description: Indicates whether the device is a Layer 3 device. + type: boolean +- contextPath: ExtraHop.Device.Role + description: The role of the device. + type: string +- contextPath: ExtraHop.Device.DiscoverTime + description: The time that the device was discovered. + type: number +- contextPath: ExtraHop.Device.Id + description: The ID of the device. + type: string +- contextPath: ExtraHop.Device.Ipaddr4 + description: The IPv4 address of the device. + type: string +- contextPath: ExtraHop.Device.Vlanid + description: The ID of VLan. + type: string +- contextPath: ExtraHop.Device.Ipaddr6 + description: The IPv6 address of the device. + type: string +- contextPath: ExtraHop.Device.NodeId + description: The Node ID of the Discover appliance. + type: string +- contextPath: ExtraHop.Device.Description + description: A user customizable description of the device. + type: string +- contextPath: ExtraHop.Device.DnsName + description: The DNS name associated with the device. + type: string +- contextPath: ExtraHop.Device.DhcpName + description: The DHCP name associated with the device. + type: string +- contextPath: ExtraHop.Device.CdpName + description: The Cisco Discovery Protocol name associated with the device. + type: string +- contextPath: ExtraHop.Device.NetbiosName + description: The NetBIOS name associated with the device. + type: string +- contextPath: ExtraHop.Device.Url + description: Link to the device details page in ExtraHop. + type: string +- contextPath: McAfee.ePO.Endpoint + description: The endpoint that was enriched. + type: string +- contextPath: ActiveDirectory.ComputersPageCookie + description: An opaque string received in a paged search, used for requesting subsequent + entries. + type: string +- contextPath: ActiveDirectory.Computers + description: The information about the hostname that was enriched using Active Directory. + type: string +- contextPath: ActiveDirectory.Computers.dn + description: The computer distinguished name. + type: string +- contextPath: ActiveDirectory.Computers.memberOf + description: Groups for which the computer is listed. + type: string +- contextPath: ActiveDirectory.Computers.name + description: The computer name. + type: string +- contextPath: CrowdStrike.Device + description: The information about the endpoint. + type: string +- contextPath: CarbonBlackEDR.Sensor.systemvolume_total_size + description: The size, in bytes, of the system volume of the endpoint on which the + sensor is installed. installed. + type: number +- contextPath: CarbonBlackEDR.Sensor.emet_telemetry_path + description: The path of the EMET telemetry associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.os_environment_display_string + description: Human-readable string of the installed OS. + type: string +- contextPath: CarbonBlackEDR.Sensor.emet_version + description: The EMET version associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.emet_dump_flags + description: The flags of the EMET dump associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.clock_delta + description: The clock delta associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.supports_cblr + description: Whether the sensor supports Carbon Black Live Response (CbLR). + type: string +- contextPath: CarbonBlackEDR.Sensor.sensor_uptime + description: The uptime of the process. + type: string +- contextPath: CarbonBlackEDR.Sensor.last_update + description: When the sensor was last updated. + type: string +- contextPath: CarbonBlackEDR.Sensor.physical_memory_size + description: The size in bytes of physical memory. + type: number +- contextPath: CarbonBlackEDR.Sensor.build_id + description: The sensor version installed on this endpoint. From the /api/builds/ + endpoint. + type: string +- contextPath: CarbonBlackEDR.Sensor.uptime + description: Endpoint uptime in seconds. + type: string +- contextPath: CarbonBlackEDR.Sensor.is_isolating + description: Boolean representing sensor-reported isolation status. + type: boolean +- contextPath: CarbonBlackEDR.Sensor.event_log_flush_time + description: |- + If event_log_flush_time is set, the server will instruct the sensor to immediately + send all data before this date, ignoring all other throttling mechanisms. + To force a host current, set this value to a value far in the future. + When the sensor has finished sending its queued data, this value will be null. + type: string +- contextPath: CarbonBlackEDR.Sensor.computer_dns_name + description: The DNS name of the endpoint on which the sensor is installed. + type: string +- contextPath: CarbonBlackEDR.Sensor.emet_report_setting + description: The report setting of the EMET associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.id + description: The ID of this sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.emet_process_count + description: The number of EMET processes associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.emet_is_gpo + description: Whether the EMET is a GPO. + type: string +- contextPath: CarbonBlackEDR.Sensor.power_state + description: The sensor power state. + type: string +- contextPath: CarbonBlackEDR.Sensor.network_isolation_enabled + description: Boolean representing the network isolation request status. + type: boolean +- contextPath: CarbonBlackEDR.Sensor.systemvolume_free_size + description: The amount of free bytes on the system volume. + type: string +- contextPath: CarbonBlackEDR.Sensor.status + description: The sensor status. + type: string +- contextPath: CarbonBlackEDR.Sensor.num_eventlog_bytes + description: The number of event log bytes. + type: number +- contextPath: CarbonBlackEDR.Sensor.sensor_health_message + description: Human-readable string indicating the sensor’s self-reported status. + type: string +- contextPath: CarbonBlackEDR.Sensor.build_version_string + description: Human-readable string of the sensor version. + type: string +- contextPath: CarbonBlackEDR.Sensor.computer_sid + description: Machine SID of this host. + type: string +- contextPath: CarbonBlackEDR.Sensor.next_checkin_time + description: Next expected communication from this computer in server-local time + and zone. + type: string +- contextPath: CarbonBlackEDR.Sensor.node_id + description: The node ID associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.cookie + description: The cookie associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.emet_exploit_action + description: The EMET exploit action associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.computer_name + description: NetBIOS name of this computer. + type: string +- contextPath: CarbonBlackEDR.Sensor.license_expiration + description: When the license of the sensor expires. + type: string +- contextPath: CarbonBlackEDR.Sensor.supports_isolation + description: Whether the sensor supports isolation. + type: string +- contextPath: CarbonBlackEDR.Sensor.parity_host_id + description: The ID of the parity host associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.supports_2nd_gen_modloads + description: Whether the sensor support modload of 2nd generation. + type: string +- contextPath: CarbonBlackEDR.Sensor.network_adapters + description: A pipe-delimited list of IP,MAC pairs for each network interface. + type: string +- contextPath: CarbonBlackEDR.Sensor.sensor_health_status + description: Self-reported health score, from 0 to 100. Higher numbers indicate + a better health status. + type: number +- contextPath: CarbonBlackEDR.Sensor.registration_time + description: Time this sensor was originally registered in server-local time and + zone. + type: string +- contextPath: CarbonBlackEDR.Sensor.restart_queued + description: Whether a restart of the sensor is queued. + type: string +- contextPath: CarbonBlackEDR.Sensor.notes + description: The notes associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.num_storefiles_bytes + description: Number of storefiles bytes associated with the sensor. + type: number +- contextPath: CarbonBlackEDR.Sensor.os_environment_id + description: The ID of the OS environment of the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.shard_id + description: The ID of the shard associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.boot_id + description: A sequential counter of boots since the sensor was installed. + type: string +- contextPath: CarbonBlackEDR.Sensor.last_checkin_time + description: Last communication with this computer in server-local time and zone. + type: string +- contextPath: CarbonBlackEDR.Sensor.os_type + description: The operating system type of the computer. + type: string +- contextPath: CarbonBlackEDR.Sensor.group_id + description: The sensor group ID this sensor is assigned to. + type: string +- contextPath: CarbonBlackEDR.Sensor.uninstall + description: When set, indicates that the sensor will be directed to uninstall on + next check-in. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.endpoint_id + description: The endpoint ID. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.endpoint_name + description: The endpoint name. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.endpoint_type + description: The endpoint type. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.endpoint_status + description: The status of the endpoint. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.os_type + description: The endpoint OS type. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.ip + description: A list of IP addresses. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.users + description: A list of users. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.domain + description: The endpoint domain. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.alias + description: The endpoint's aliases. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.first_seen + description: First seen date/time in Epoch (milliseconds). + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.last_seen + description: Last seen date/time in Epoch (milliseconds). + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.content_version + description: Content version. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.installation_package + description: Installation package. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.active_directory + description: Active directory. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.install_date + description: Install date in Epoch (milliseconds). + type: date +- contextPath: PaloAltoNetworksXDR.Endpoint.endpoint_version + description: Endpoint version. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.is_isolated + description: Whether the endpoint is isolated. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.group_name + description: The name of the group to which the endpoint belongs. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.count + description: Number of endpoints returned. + type: number +- contextPath: Account.Username + description: The username in the relevant system. + type: string +- contextPath: Account.Domain + description: The domain of the account. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyHost.type + description: Form of identification element. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyHost.id + description: Identification value of the type field. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyHost.score + description: The score assigned to the host. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyHost.reasons + description: The endpoint risk objects. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyHost.reasons.date created + description: Date when the incident was created. + type: date +- contextPath: PaloAltoNetworksXDR.RiskyHost.reasons.description + description: Description of the incident. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyHost.reasons.severity + description: The severity of the incident. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyHost.reasons.status + description: The incident status. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyHost.reasons.points + description: The score. + type: string +- contextPath: Core.Endpoint.endpoint_id + description: The endpoint ID. + type: string +- contextPath: Core.Endpoint.endpoint_name + description: The endpoint name. + type: string +- contextPath: Core.Endpoint.endpoint_type + description: The endpoint type. + type: string +- contextPath: Core.Endpoint.endpoint_status + description: The status of the endpoint. + type: string +- contextPath: Core.Endpoint.os_type + description: The endpoint OS type. + type: string +- contextPath: Core.Endpoint.ip + description: A list of IP addresses. + type: string +- contextPath: Core.Endpoint.users + description: A list of users. + type: string +- contextPath: Core.Endpoint.domain + description: The endpoint domain. + type: string +- contextPath: Core.Endpoint.alias + description: The endpoint's aliases. + type: string +- contextPath: Core.Endpoint.first_seen + description: First seen date/time in Epoch (milliseconds). + type: string +- contextPath: Core.Endpoint.last_seen + description: Last seen date/time in Epoch (milliseconds). + type: string +- contextPath: Core.Endpoint.content_version + description: Content version. + type: string +- contextPath: Core.Endpoint.installation_package + description: Installation package. + type: string +- contextPath: Core.Endpoint.active_directory + description: Active directory. + type: string +- contextPath: Core.Endpoint.install_date + description: Install date in Epoch (milliseconds). + type: date +- contextPath: Core.Endpoint.endpoint_version + description: Endpoint version. + type: string +- contextPath: Core.Endpoint.is_isolated + description: Whether the endpoint is isolated. + type: string +- contextPath: Core.Endpoint.group_name + description: The name of the group to which the endpoint belongs. + type: string +- contextPath: Core.RiskyHost.type + description: Form of identification element. + type: string +- contextPath: Core.RiskyHost.id + description: Identification value of the type field. + type: string +- contextPath: Core.RiskyHost.score + description: The score assigned to the host. + type: string +- contextPath: Core.RiskyHost.reasons + description: The reasons for the risk level. + type: string +- contextPath: Core.RiskyHost.reasons.date created + description: Date when the incident was created. + type: date +- contextPath: Core.RiskyHost.reasons.description + description: Description of the incident. + type: string +- contextPath: Core.RiskyHost.reasons.severity + description: The severity of the incident. + type: string +- contextPath: Core.RiskyHost.reasons.status + description: The incident status. + type: string +- contextPath: Core.RiskyHost.reasons.points + description: The score. + type: string +sourceplaybookid: IP Enrichment - Generic v2 +starttaskid: "0" +tags: +- SOC +- SOC_Framework +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "28" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: af133db3-bee0-4542-8d41-042900b926fc + iscommand: false + name: "" + playbooktaskmissingcomponent: + version: -1 + taskid: af133db3-bee0-4542-8d41-042900b926fc + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 265, + "y": 50 + } + } + "24": + continueonerrortype: "" + id: "24" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 7ae24ea0-00d1-4459-8c71-f2cfbaea117f + iscommand: false + name: Done + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 7ae24ea0-00d1-4459-8c71-f2cfbaea117f + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 265, + "y": 1520 + } + } + "27": + continueonerror: true + continueonerrortype: errorPath + id: "27" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "37" + '#none#': + - "34" + note: false + quietmode: 0 + reputationcalc: 1 + scriptarguments: + ip: + complex: + root: inputs.IP + transformers: + - operator: uniq + ipRanges: + complex: + root: inputs.InternalRange + separatecontext: false + skipunavailable: false + task: + brand: "" + description: "Checks if the IP address is in the internal IP address ranges.\n + If internal, sets the \"InRange\" attribute to \"yes\".\nIf external, sets + the \"InRange\" attribute to \"no\". " + id: 07923c19-525b-441e-934e-3962dbbb097c + iscommand: false + name: Determine whether the IP address is internal or external + playbooktaskmissingcomponent: + script: IsIPInRanges + type: regular + version: -1 + taskid: 07923c19-525b-441e-934e-3962dbbb097c + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 850, + "y": 530 + } + } + "28": + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + root: inputs.ExecutedFromParent + operator: isEqualString + right: + value: + simple: "True" + - - left: + iscontext: true + value: + complex: + root: inputs.IP + operator: isNotEmpty + label: "Yes" + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.IP + operator: isNotEmpty + label: No, execute in sub-playbooks + continueonerrortype: "" + id: "28" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "24" + No, execute in sub-playbooks: + - "34" + "Yes": + - "33" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks whether the playbook inputs specify that common logic like + the classification of IP addresses to ranges and resolving them should be + executed in the main (parent) enrichment playbook, instead of in the sub-playbooks. + id: 6c306aba-243f-4d13-888c-a142fcf86737 + iscommand: false + name: Can common logic be executed from the parent playbook? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 6c306aba-243f-4d13-888c-a142fcf86737 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 265, + "y": 220 + } + } + "29": + continueonerrortype: "" + id: "29" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "31" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: be9d391d-3019-40bc-85da-e72e9e6813a8 + iscommand: false + name: Resolve IPs + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: be9d391d-3019-40bc-85da-e72e9e6813a8 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 1270, + "y": 890 + } + } + "30": + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: inputs.ResolveIP + operator: isEqualString + right: + value: + simple: "True" + label: "yes" + continueonerrortype: "" + id: "30" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "34" + "yes": + - "29" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks whether the ResolveIP parameter is set to "True". + id: e63254e7-c97e-4b24-8850-4221197dfc53 + iscommand: false + name: Resolve the IP addresses? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: e63254e7-c97e-4b24-8850-4221197dfc53 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 1270, + "y": 530 + } + } + "31": + continueonerror: true + continueonerrortype: errorPath + id: "31" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "37" + '#none#': + - "34" + note: false + quietmode: 2 + reputationcalc: 1 + scriptarguments: + ip: + complex: + root: inputs.IP + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Convert the IP address to a hostname using DNS query. + id: e7607f9d-d6f9-4112-8b7a-4fb2889e6a92 + iscommand: false + name: IP to Hostname (DNS) + playbooktaskmissingcomponent: + script: IPToHost + type: regular + version: -1 + taskid: e7607f9d-d6f9-4112-8b7a-4fb2889e6a92 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1270, + "y": 1020 + } + } + "33": + continueonerrortype: "" + id: "33" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "27" + - "30" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 1acf343e-137c-4d5e-89e8-dcb88b2ba060 + iscommand: false + name: Classify & Resolve IPs + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 1acf343e-137c-4d5e-89e8-dcb88b2ba060 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 1060, + "y": 390 + } + } + "34": + continueonerrortype: "" + id: "34" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "38" + - "39" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 3d2c6283-7577-44b8-845f-9c3612c37711 + iscommand: false + name: Execute Sub-playbooks + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 3d2c6283-7577-44b8-845f-9c3612c37711 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 850, + "y": 1210 + } + } + "37": + continueonerrortype: "" + id: "37" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: fc1cfa94-37e8-4816-85eb-8cfbf493c385 + iscommand: false + name: Foundation - Foundation - Error Handling_V3 + playbookId: Foundation - Foundation - Error Handling_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: fc1cfa94-37e8-4816-85eb-8cfbf493c385 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 1520, + "y": 1515 + } + } + "38": + continueonerrortype: "" + id: "38" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "24" + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: ddeee125-98ff-4d9e-840d-c817f825bf24 + iscommand: false + name: SOC IP Enrichment - Internal - Generic v2_V3 + playbookId: SOC IP Enrichment - Internal - Generic v2_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: ddeee125-98ff-4d9e-840d-c817f825bf24 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 620, + "y": 1340 + } + } + "39": + continueonerrortype: "" + id: "39" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "24" + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: 8c54652f-cc4e-4984-8366-4565590dee43 + iscommand: false + name: SOC IP Enrichment - External - Generic v2_V3 + playbookId: SOC IP Enrichment - External - Generic v2_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: 8c54652f-cc4e-4984-8366-4565590dee43 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 1110, + "y": 1340 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": { + "28_24_#default#": 0.17, + "28_34_No, execute in sub-playbooks": 0.16, + "30_34_#default#": 0.31 + }, + "paper": { + "dimensions": { + "height": 1535, + "width": 1635, + "x": 265, + "y": 50 + } + } + } +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_IP_Enrichment_-_Internal_-_Generic_v2.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_IP_Enrichment_-_Internal_-_Generic_v2.yml new file mode 100644 index 0000000..8d2a408 --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_IP_Enrichment_-_Internal_-_Generic_v2.yml @@ -0,0 +1,1285 @@ +adopted: true +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 5.0.0 + isoverridable: false + itemVersion: 2.7.16 + packID: "" + packName: SOC Common Playbooks + prevname: "" + supportedModules: + - X1 + - X3 + - X5 + - ENT_PLUS + - agentix + toServerVersion: "" +description: |- + Enrich Internal IP addresses using one or more integrations. + + - Resolve IP address to hostname (DNS) + - Separate internal and external IP addresses + - Get host information for IP addresses. +dirtyInputs: true +id: 'SOC IP Enrichment - Internal - Generic v2_V3' +inputSections: +- description: Generic group for inputs + inputs: + - IP + - InternalRange + - ResolveIP + - ExecutedFromParent + - Hostnames + name: General (Inputs group) +inputs: +- description: The IP address to enrich. + key: IP + playbookInputQuery: + required: false + value: + complex: + accessor: Address + root: IP + transformers: + - operator: uniq +- description: "A comma-separated list of IP address ranges (in CIDR notation). Use + this list to check if an IP address is found within a set of IP address ranges. + \nFor example: \"172.16.0.0/12,10.0.0.0/8,192.168.0.0/16\" (without quotes)." + key: InternalRange + playbookInputQuery: + required: false + value: + complex: + accessor: PrivateIPs + root: lists + transformers: + - args: + error_if_no_match: {} + ignore_case: {} + multi_line: {} + period_matches_newline: {} + regex: + value: + simple: (\b(?:\d{1,3}\.){3}\d{1,3}\b/\d{1,2}) + unpack_matches: {} + operator: RegexExtractAll + - args: + separator: + value: + simple: ',' + operator: join +- description: |- + Whether to convert the IP address to a hostname using a DNS query (True/False). + The default value is true. + key: ResolveIP + playbookInputQuery: + required: true + value: + complex: + root: inputs.ResolveIP +- description: |- + Whether to execute common logic, like the classification of IP addresses to ranges and resolving, in the the main (IP Enrichment - Generic v2) enrichment playbook, instead of in the sub-playbooks. + + Possible values are: True, False. + Setting this to True will execute the relevant commands in the main playbook instead of executing them in both sub-playbooks. + + Set this to True in the parent playbook if you are using the parent playbook, as opposed to using the sub-playbooks directly in your playbooks, as this will improve the performance of the playbook and reduce the overfall size of the incident. + key: ExecutedFromParent + playbookInputQuery: + required: false + value: + simple: "False" +- description: Hostnames to enrich. If the ExecutedFromParent playbook is set to True + in the IP - Enrichment - Generic v2 playbook, and an internal IP resolves to an + endpoint hostname that you want to enrich, the hostnames defined here will be + used. + key: Hostnames + playbookInputQuery: + required: false + value: {} +name: SOC IP Enrichment - Internal - Generic v2_V3 +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: + - IP + - DBotScore + - Endpoint + - Endpoint.Hostname + - Endpoint.OS + - Endpoint.IP + - Endpoint.MAC + - Endpoint.Domain + - Endpoint.ID + - Endpoint.Status + - Endpoint.IsIsolated + - Endpoint.MACAddress + - Endpoint.Vendor + - Endpoint.Relationships + - Endpoint.Processor + - Endpoint.Processors + - Endpoint.Memory + - Endpoint.Model + - Endpoint.BIOSVersion + - Endpoint.OSVersion + - Endpoint.DHCPServer + - Endpoint.Groups + - ExtraHop.Device.Macaddr + - ExtraHop.Device.DeviceClass + - ExtraHop.Device.UserModTime + - ExtraHop.Device.AutoRole + - ExtraHop.Device.ParentId + - ExtraHop.Device.Vendor + - ExtraHop.Device.Analysis + - ExtraHop.Device.DiscoveryId + - ExtraHop.Device.DefaultName + - ExtraHop.Device.DisplayName + - ExtraHop.Device.OnWatchlist + - ExtraHop.Device.ModTime + - ExtraHop.Device.IsL3 + - ExtraHop.Device.Role + - ExtraHop.Device.DiscoverTime + - ExtraHop.Device.Id + - ExtraHop.Device.Ipaddr4 + - ExtraHop.Device.Vlanid + - ExtraHop.Device.Ipaddr6 + - ExtraHop.Device.NodeId + - ExtraHop.Device.Description + - ExtraHop.Device.DnsName + - ExtraHop.Device.DhcpName + - ExtraHop.Device.CdpName + - ExtraHop.Device.NetbiosName + - ExtraHop.Device.Url + - McAfee.ePO.Endpoint + - ActiveDirectory.ComputersPageCookie + - ActiveDirectory.Computers + - ActiveDirectory.Computers.dn + - ActiveDirectory.Computers.memberOf + - ActiveDirectory.Computers.name + - CrowdStrike.Device + - CarbonBlackEDR.Sensor.systemvolume_total_size + - CarbonBlackEDR.Sensor.emet_telemetry_path + - CarbonBlackEDR.Sensor.os_environment_display_string + - CarbonBlackEDR.Sensor.emet_version + - CarbonBlackEDR.Sensor.emet_dump_flags + - CarbonBlackEDR.Sensor.clock_delta + - CarbonBlackEDR.Sensor.supports_cblr + - CarbonBlackEDR.Sensor.sensor_uptime + - CarbonBlackEDR.Sensor.last_update + - CarbonBlackEDR.Sensor.physical_memory_size + - CarbonBlackEDR.Sensor.build_id + - CarbonBlackEDR.Sensor.uptime + - CarbonBlackEDR.Sensor.is_isolating + - CarbonBlackEDR.Sensor.event_log_flush_time + - CarbonBlackEDR.Sensor.computer_dns_name + - CarbonBlackEDR.Sensor.emet_report_setting + - CarbonBlackEDR.Sensor.id + - CarbonBlackEDR.Sensor.emet_process_count + - CarbonBlackEDR.Sensor.emet_is_gpo + - CarbonBlackEDR.Sensor.power_state + - CarbonBlackEDR.Sensor.network_isolation_enabled + - CarbonBlackEDR.Sensor.systemvolume_free_size + - CarbonBlackEDR.Sensor.status + - CarbonBlackEDR.Sensor.num_eventlog_bytes + - CarbonBlackEDR.Sensor.sensor_health_message + - CarbonBlackEDR.Sensor.build_version_string + - CarbonBlackEDR.Sensor.computer_sid + - CarbonBlackEDR.Sensor.next_checkin_time + - CarbonBlackEDR.Sensor.node_id + - CarbonBlackEDR.Sensor.cookie + - CarbonBlackEDR.Sensor.emet_exploit_action + - CarbonBlackEDR.Sensor.computer_name + - CarbonBlackEDR.Sensor.license_expiration + - CarbonBlackEDR.Sensor.supports_isolation + - CarbonBlackEDR.Sensor.parity_host_id + - CarbonBlackEDR.Sensor.supports_2nd_gen_modloads + - CarbonBlackEDR.Sensor.network_adapters + - CarbonBlackEDR.Sensor.sensor_health_status + - CarbonBlackEDR.Sensor.registration_time + - CarbonBlackEDR.Sensor.restart_queued + - CarbonBlackEDR.Sensor.notes + - CarbonBlackEDR.Sensor.num_storefiles_bytes + - CarbonBlackEDR.Sensor.os_environment_id + - CarbonBlackEDR.Sensor.shard_id + - CarbonBlackEDR.Sensor.boot_id + - CarbonBlackEDR.Sensor.last_checkin_time + - CarbonBlackEDR.Sensor.os_type + - CarbonBlackEDR.Sensor.group_id + - CarbonBlackEDR.Sensor.uninstall + - PaloAltoNetworksXDR.Endpoint.endpoint_id + - PaloAltoNetworksXDR.Endpoint.endpoint_name + - PaloAltoNetworksXDR.Endpoint.endpoint_type + - PaloAltoNetworksXDR.Endpoint.endpoint_status + - PaloAltoNetworksXDR.Endpoint.os_type + - PaloAltoNetworksXDR.Endpoint.ip + - PaloAltoNetworksXDR.Endpoint.users + - PaloAltoNetworksXDR.Endpoint.domain + - PaloAltoNetworksXDR.Endpoint.alias + - PaloAltoNetworksXDR.Endpoint.first_seen + - PaloAltoNetworksXDR.Endpoint.last_seen + - PaloAltoNetworksXDR.Endpoint.content_version + - PaloAltoNetworksXDR.Endpoint.installation_package + - PaloAltoNetworksXDR.Endpoint.active_directory + - PaloAltoNetworksXDR.Endpoint.install_date + - PaloAltoNetworksXDR.Endpoint.endpoint_version + - PaloAltoNetworksXDR.Endpoint.is_isolated + - PaloAltoNetworksXDR.Endpoint.group_name + - PaloAltoNetworksXDR.Endpoint.count + - Account.Username + - Account.Domain + - PaloAltoNetworksXDR.RiskyHost.type + - PaloAltoNetworksXDR.RiskyHost.id + - PaloAltoNetworksXDR.RiskyHost.score + - PaloAltoNetworksXDR.RiskyHost.reasons + - PaloAltoNetworksXDR.RiskyHost.reasons.date created + - PaloAltoNetworksXDR.RiskyHost.reasons.description + - PaloAltoNetworksXDR.RiskyHost.reasons.severity + - PaloAltoNetworksXDR.RiskyHost.reasons.status + - PaloAltoNetworksXDR.RiskyHost.reasons.points + - Core.Endpoint.endpoint_id + - Core.Endpoint.endpoint_name + - Core.Endpoint.endpoint_type + - Core.Endpoint.endpoint_status + - Core.Endpoint.os_type + - Core.Endpoint.ip + - Core.Endpoint.users + - Core.Endpoint.domain + - Core.Endpoint.alias + - Core.Endpoint.first_seen + - Core.Endpoint.last_seen + - Core.Endpoint.content_version + - Core.Endpoint.installation_package + - Core.Endpoint.active_directory + - Core.Endpoint.install_date + - Core.Endpoint.endpoint_version + - Core.Endpoint.is_isolated + - Core.Endpoint.group_name + - Core.RiskyHost.type + - Core.RiskyHost.id + - Core.RiskyHost.score + - Core.RiskyHost.reasons + - Core.RiskyHost.reasons.date created + - Core.RiskyHost.reasons.description + - Core.RiskyHost.reasons.severity + - Core.RiskyHost.reasons.status + - Core.RiskyHost.reasons.points + - IP.Address + - IP.InRange +outputs: +- contextPath: IP + description: The IP objects. + type: unknown +- contextPath: DBotScore + description: Indicator, Score, Type and Vendor. + type: unknown +- contextPath: Endpoint + description: The endpoint's object. + type: unknown +- contextPath: Endpoint.Hostname + description: The hostname to enrich. + type: string +- contextPath: Endpoint.OS + description: Endpoint operating system. + type: string +- contextPath: Endpoint.IP + description: A list of endpoint IP addresses. +- contextPath: Endpoint.MAC + description: A list of endpoint MAC addresses. +- contextPath: Endpoint.Domain + description: Endpoint domain name. + type: string +- contextPath: Endpoint.ID + description: The endpoint ID. + type: string +- contextPath: Endpoint.Status + description: The endpoint status. + type: string +- contextPath: Endpoint.IsIsolated + description: The endpoint isolation status. + type: string +- contextPath: Endpoint.MACAddress + description: The endpoint MAC address. + type: string +- contextPath: Endpoint.Vendor + description: The integration name of the endpoint vendor. + type: string +- contextPath: Endpoint.Relationships + description: The endpoint relationships of the endpoint that was enriched. + type: string +- contextPath: Endpoint.Processor + description: The model of the processor. + type: string +- contextPath: Endpoint.Processors + description: The number of processors. + type: string +- contextPath: Endpoint.Memory + description: Memory on this endpoint. + type: string +- contextPath: Endpoint.Model + description: The model of the machine or device. + type: string +- contextPath: Endpoint.BIOSVersion + description: The endpoint's BIOS version. + type: string +- contextPath: Endpoint.OSVersion + description: The endpoint's operation system version. + type: string +- contextPath: Endpoint.DHCPServer + description: The DHCP server of the endpoint. + type: string +- contextPath: Endpoint.Groups + description: Groups for which the computer is listed as a member. + type: string +- contextPath: ExtraHop.Device.Macaddr + description: The MAC Address of the device. + type: String +- contextPath: ExtraHop.Device.DeviceClass + description: The class of the device. + type: String +- contextPath: ExtraHop.Device.UserModTime + description: The time of the most recent update, expressed in milliseconds since + the epoch. + type: Number +- contextPath: ExtraHop.Device.AutoRole + description: The role automatically detected by the ExtraHop. + type: String +- contextPath: ExtraHop.Device.ParentId + description: The ID of the parent device. + type: Number +- contextPath: ExtraHop.Device.Vendor + description: The device vendor. + type: String +- contextPath: ExtraHop.Device.Analysis + description: The level of analysis preformed on the device. + type: string +- contextPath: ExtraHop.Device.DiscoveryId + description: The UUID given by the Discover appliance. + type: String +- contextPath: ExtraHop.Device.DefaultName + description: The default name of the device. + type: String +- contextPath: ExtraHop.Device.DisplayName + description: The display name of device. + type: String +- contextPath: ExtraHop.Device.OnWatchlist + description: Whether the device is on the advanced analysis allow list. + type: Boolean +- contextPath: ExtraHop.Device.ModTime + description: The time of the most recent update, expressed in milliseconds since + the epoch. + type: Number +- contextPath: ExtraHop.Device.IsL3 + description: Indicates whether the device is a Layer 3 device. + type: Boolean +- contextPath: ExtraHop.Device.Role + description: The role of the device. + type: String +- contextPath: ExtraHop.Device.DiscoverTime + description: The time that the device was discovered. + type: Number +- contextPath: ExtraHop.Device.Id + description: The ID of the device. + type: Number +- contextPath: ExtraHop.Device.Ipaddr4 + description: The IPv4 address of the device. + type: String +- contextPath: ExtraHop.Device.Vlanid + description: The ID of VLan. + type: Number +- contextPath: ExtraHop.Device.Ipaddr6 + description: The IPv6 address of the device. + type: string +- contextPath: ExtraHop.Device.NodeId + description: The Node ID of the Discover appliance. + type: number +- contextPath: ExtraHop.Device.Description + description: A user customizable description of the device. + type: string +- contextPath: ExtraHop.Device.DnsName + description: The DNS name associated with the device. + type: string +- contextPath: ExtraHop.Device.DhcpName + description: The DHCP name associated with the device. + type: string +- contextPath: ExtraHop.Device.CdpName + description: The Cisco Discovery Protocol name associated with the device. + type: string +- contextPath: ExtraHop.Device.NetbiosName + description: The NetBIOS name associated with the device. + type: string +- contextPath: ExtraHop.Device.Url + description: Link to the device details page in ExtraHop. + type: string +- contextPath: McAfee.ePO.Endpoint + description: The endpoint that was enriched. + type: string +- contextPath: ActiveDirectory.ComputersPageCookie + description: An opaque string received in a paged search, used for requesting subsequent + entries. + type: string +- contextPath: ActiveDirectory.Computers + description: The information about the hostname that was enriched using Active Directory. + type: string +- contextPath: ActiveDirectory.Computers.dn + description: The computer distinguished name. + type: string +- contextPath: ActiveDirectory.Computers.memberOf + description: Groups for which the computer is listed. + type: string +- contextPath: ActiveDirectory.Computers.name + description: The computer name. + type: string +- contextPath: CrowdStrike.Device + description: The information about the endpoint. + type: string +- contextPath: CarbonBlackEDR.Sensor.systemvolume_total_size + description: The size, in bytes, of the system volume of the endpoint on which the + sensor is installed. installed. + type: number +- contextPath: CarbonBlackEDR.Sensor.emet_telemetry_path + description: The path of the EMET telemetry associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.os_environment_display_string + description: Human-readable string of the installed OS. + type: string +- contextPath: CarbonBlackEDR.Sensor.emet_version + description: The EMET version associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.emet_dump_flags + description: The flags of the EMET dump associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.clock_delta + description: The clock delta associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.supports_cblr + description: Whether the sensor supports Carbon Black Live Response (CbLR). + type: string +- contextPath: CarbonBlackEDR.Sensor.sensor_uptime + description: The uptime of the process. + type: string +- contextPath: CarbonBlackEDR.Sensor.last_update + description: When the sensor was last updated. + type: string +- contextPath: CarbonBlackEDR.Sensor.physical_memory_size + description: The size in bytes of physical memory. + type: number +- contextPath: CarbonBlackEDR.Sensor.build_id + description: The sensor version installed on this endpoint. From the /api/builds/ + endpoint. + type: string +- contextPath: CarbonBlackEDR.Sensor.uptime + description: Endpoint uptime in seconds. + type: string +- contextPath: CarbonBlackEDR.Sensor.is_isolating + description: Boolean representing sensor-reported isolation status. + type: boolean +- contextPath: CarbonBlackEDR.Sensor.event_log_flush_time + description: |- + If event_log_flush_time is set, the server will instruct the sensor to immediately + send all data before this date, ignoring all other throttling mechanisms. + To force a host current, set this value to a value far in the future. + When the sensor has finished sending its queued data, this value will be null. + type: string +- contextPath: CarbonBlackEDR.Sensor.computer_dns_name + description: The DNS name of the endpoint on which the sensor is installed. + type: string +- contextPath: CarbonBlackEDR.Sensor.emet_report_setting + description: The report setting of the EMET associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.id + description: The ID of this sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.emet_process_count + description: The number of EMET processes associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.emet_is_gpo + description: Whether the EMET is a GPO. + type: string +- contextPath: CarbonBlackEDR.Sensor.power_state + description: The sensor power state. + type: string +- contextPath: CarbonBlackEDR.Sensor.network_isolation_enabled + description: Boolean representing the network isolation request status. + type: boolean +- contextPath: CarbonBlackEDR.Sensor.systemvolume_free_size + description: The amount of free bytes on the system volume. + type: string +- contextPath: CarbonBlackEDR.Sensor.status + description: The sensor status. + type: string +- contextPath: CarbonBlackEDR.Sensor.num_eventlog_bytes + description: The number of event log bytes. + type: number +- contextPath: CarbonBlackEDR.Sensor.sensor_health_message + description: Human-readable string indicating the sensor’s self-reported status. + type: string +- contextPath: CarbonBlackEDR.Sensor.build_version_string + description: Human-readable string of the sensor version. + type: string +- contextPath: CarbonBlackEDR.Sensor.computer_sid + description: Machine SID of this host. + type: string +- contextPath: CarbonBlackEDR.Sensor.next_checkin_time + description: Next expected communication from this computer in server-local time + and zone. + type: string +- contextPath: CarbonBlackEDR.Sensor.node_id + description: The node ID associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.cookie + description: The cookie associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.emet_exploit_action + description: The EMET exploit action associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.computer_name + description: NetBIOS name of this computer. + type: string +- contextPath: CarbonBlackEDR.Sensor.license_expiration + description: When the license of the sensor expires. + type: string +- contextPath: CarbonBlackEDR.Sensor.supports_isolation + description: Whether the sensor supports isolation. + type: string +- contextPath: CarbonBlackEDR.Sensor.parity_host_id + description: The ID of the parity host associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.supports_2nd_gen_modloads + description: Whether the sensor support modload of 2nd generation. + type: string +- contextPath: CarbonBlackEDR.Sensor.network_adapters + description: A pipe-delimited list of IP,MAC pairs for each network interface. + type: string +- contextPath: CarbonBlackEDR.Sensor.sensor_health_status + description: Self-reported health score, from 0 to 100. Higher numbers indicate + a better health status. + type: number +- contextPath: CarbonBlackEDR.Sensor.registration_time + description: Time this sensor was originally registered in server-local time and + zone. + type: string +- contextPath: CarbonBlackEDR.Sensor.restart_queued + description: Whether a restart of the sensor is queued. + type: string +- contextPath: CarbonBlackEDR.Sensor.notes + description: The notes associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.num_storefiles_bytes + description: Number of storefiles bytes associated with the sensor. + type: number +- contextPath: CarbonBlackEDR.Sensor.os_environment_id + description: The ID of the OS environment of the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.shard_id + description: The ID of the shard associated with the sensor. + type: string +- contextPath: CarbonBlackEDR.Sensor.boot_id + description: A sequential counter of boots since the sensor was installed. + type: string +- contextPath: CarbonBlackEDR.Sensor.last_checkin_time + description: Last communication with this computer in server-local time and zone. + type: string +- contextPath: CarbonBlackEDR.Sensor.os_type + description: The operating system type of the computer. + type: string +- contextPath: CarbonBlackEDR.Sensor.group_id + description: The sensor group ID this sensor is assigned to. + type: string +- contextPath: CarbonBlackEDR.Sensor.uninstall + description: When set, indicates that the sensor will be directed to uninstall on + next check-in. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.endpoint_id + description: The endpoint ID. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.endpoint_name + description: The endpoint name. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.endpoint_type + description: The endpoint type. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.endpoint_status + description: The status of the endpoint. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.os_type + description: The endpoint OS type. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.ip + description: A list of IP addresses. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.users + description: A list of users. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.domain + description: The endpoint domain. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.alias + description: The endpoint's aliases. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.first_seen + description: First seen date/time in Epoch (milliseconds). + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.last_seen + description: Last seen date/time in Epoch (milliseconds). + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.content_version + description: Content version. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.installation_package + description: Installation package. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.active_directory + description: Active directory. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.install_date + description: Install date in Epoch (milliseconds). + type: date +- contextPath: PaloAltoNetworksXDR.Endpoint.endpoint_version + description: Endpoint version. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.is_isolated + description: Whether the endpoint is isolated. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.group_name + description: The name of the group to which the endpoint belongs. + type: string +- contextPath: PaloAltoNetworksXDR.Endpoint.count + description: Number of endpoints returned. + type: number +- contextPath: Account.Username + description: The username in the relevant system. + type: string +- contextPath: Account.Domain + description: The domain of the account. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyHost.type + description: Form of identification element. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyHost.id + description: Identification value of the type field. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyHost.score + description: The score assigned to the host. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyHost.reasons + description: The endpoint risk objects. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyHost.reasons.date created + description: Date when the incident was created. + type: date +- contextPath: PaloAltoNetworksXDR.RiskyHost.reasons.description + description: Description of the incident. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyHost.reasons.severity + description: The severity of the incident. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyHost.reasons.status + description: The incident status. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyHost.reasons.points + description: The score. + type: string +- contextPath: Core.Endpoint.endpoint_id + description: The endpoint ID. + type: string +- contextPath: Core.Endpoint.endpoint_name + description: The endpoint name. + type: string +- contextPath: Core.Endpoint.endpoint_type + description: The endpoint type. + type: string +- contextPath: Core.Endpoint.endpoint_status + description: The status of the endpoint. + type: string +- contextPath: Core.Endpoint.os_type + description: The endpoint OS type. + type: string +- contextPath: Core.Endpoint.ip + description: A list of IP addresses. + type: string +- contextPath: Core.Endpoint.users + description: A list of users. + type: string +- contextPath: Core.Endpoint.domain + description: The endpoint domain. + type: string +- contextPath: Core.Endpoint.alias + description: The endpoint's aliases. + type: string +- contextPath: Core.Endpoint.first_seen + description: First seen date/time in Epoch (milliseconds). + type: string +- contextPath: Core.Endpoint.last_seen + description: Last seen date/time in Epoch (milliseconds). + type: string +- contextPath: Core.Endpoint.content_version + description: Content version. + type: string +- contextPath: Core.Endpoint.installation_package + description: Installation package. + type: string +- contextPath: Core.Endpoint.active_directory + description: Active directory. + type: string +- contextPath: Core.Endpoint.install_date + description: Install date in Epoch (milliseconds). + type: date +- contextPath: Core.Endpoint.endpoint_version + description: Endpoint version. + type: string +- contextPath: Core.Endpoint.is_isolated + description: Whether the endpoint is isolated. + type: string +- contextPath: Core.Endpoint.group_name + description: The name of the group to which the endpoint belongs. + type: string +- contextPath: Core.RiskyHost.type + description: Form of identification element. + type: string +- contextPath: Core.RiskyHost.id + description: Identification value of the type field. + type: string +- contextPath: Core.RiskyHost.score + description: The score assigned to the host. + type: string +- contextPath: Core.RiskyHost.reasons + description: The reasons for the risk level. + type: string +- contextPath: Core.RiskyHost.reasons.date created + description: Date when the incident was created. + type: date +- contextPath: Core.RiskyHost.reasons.description + description: Description of the incident. + type: string +- contextPath: Core.RiskyHost.reasons.severity + description: The severity of the incident. + type: string +- contextPath: Core.RiskyHost.reasons.status + description: The incident status. + type: string +- contextPath: Core.RiskyHost.reasons.points + description: The score. + type: string +- contextPath: IP.Address + description: The IP address. + type: string +- contextPath: IP.InRange + description: Is the IP in the input ranges? (could be 'yes' or 'no). + type: string +sourceplaybookid: IP Enrichment - Internal - Generic v2 +starttaskid: "0" +tags: +- SOC +- SOC_Framework +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "28" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 6635b28b-bdf1-42cf-88bc-14ad75e9ebe0 + iscommand: false + name: "" + playbooktaskmissingcomponent: + version: -1 + taskid: 6635b28b-bdf1-42cf-88bc-14ad75e9ebe0 + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 170, + "y": 199 + } + } + "24": + continueonerrortype: "" + id: "24" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 8149db7c-af8d-41e2-85ee-c9fe2efd5040 + iscommand: false + name: Done + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 8149db7c-af8d-41e2-85ee-c9fe2efd5040 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 1010, + "y": 1770 + } + } + "26": + continueonerrortype: "" + id: "26" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "47" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: a22c2045-33e0-4ad3-8627-15886227f805 + iscommand: false + name: Enrich internal IP addresses + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: a22c2045-33e0-4ad3-8627-15886227f805 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 170, + "y": 1430 + } + } + "28": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.IP + operator: isNotEmpty + right: + value: {} + - - ignorecase: true + left: + iscontext: true + value: + simple: inputs.ExecutedFromParent + operator: isEqualString + right: + value: + simple: "True" + label: "Yes" + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.IP + operator: isNotEmpty + label: "No" + continueonerrortype: "" + id: "28" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "41" + "No": + - "44" + "Yes": + - "26" + note: false + quietmode: 2 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks whether the playbook's input contains at least one IP address. + id: cd79c4ac-4dec-4872-8ec8-35079ffe9e5d + iscommand: false + name: Are the IPs already classified? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: cd79c4ac-4dec-4872-8ec8-35079ffe9e5d + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 170, + "y": 330 + } + } + "34": + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: inputs.ResolveIP + operator: isEqualString + right: + value: + simple: "True" + label: "yes" + continueonerrortype: "" + id: "34" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "26" + "yes": + - "35" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks whether the ResolveIP parameter is set to "True". + id: 8556e257-fee3-46d6-8e63-e06c38c3b7af + iscommand: false + name: Resolve the IP address? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 8556e257-fee3-46d6-8e63-e06c38c3b7af + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 720, + "y": 1020 + } + } + "35": + continueonerror: true + continueonerrortype: errorPath + id: "35" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "45" + '#none#': + - "26" + note: false + quietmode: 0 + reputationcalc: 2 + scriptarguments: + ip: + complex: + accessor: Address + filters: + - - left: + iscontext: true + value: + simple: IP.InRange + operator: isEqualString + right: + value: + simple: "yes" + - - left: + iscontext: true + value: + simple: IP.Address + operator: containsGeneral + right: + iscontext: true + value: + simple: inputs.IP + root: IP + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Convert the IP address to a hostname using DNS query. + id: 9e40d733-6661-4345-9947-653ff0872d69 + iscommand: false + name: IP to Hostname (DNS) + playbooktaskmissingcomponent: + script: IPToHost + type: regular + version: -1 + taskid: 9e40d733-6661-4345-9947-653ff0872d69 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 720, + "y": 1210 + } + } + "39": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: Address + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: IP.InRange + operator: isEqualString + right: + value: + simple: "yes" + root: IP + transformers: + - operator: uniq + operator: isExists + right: + value: {} + label: "yes" + continueonerrortype: "" + id: "39" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "24" + "yes": + - "34" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks whether the "InRange" attribute is set to "yes". + id: ac707a9d-ef3d-4dbc-867d-1bef4287be9d + iscommand: false + name: Is there an internal IP address? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: ac707a9d-ef3d-4dbc-867d-1bef4287be9d + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 720, + "y": 840 + } + } + "40": + continueonerror: true + continueonerrortype: errorPath + id: "40" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "45" + '#none#': + - "39" + note: false + quietmode: 0 + reputationcalc: 1 + scriptarguments: + ip: + complex: + root: inputs.IP + transformers: + - operator: uniq + ipRanges: + complex: + root: inputs.InternalRange + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: "" + description: "Checks if the IP address is in the internal IP address ranges.\n + If internal, sets the \"InRange\" attribute to \"yes\".\nIf external, sets + the \"InRange\" attribute to \"no\". \n" + id: ce1db4c9-4be4-483f-9957-32fe35630b3d + iscommand: false + name: Determine whether the IP address is internal or external + playbooktaskmissingcomponent: + script: IsIPInRanges + type: regular + version: -1 + taskid: ce1db4c9-4be4-483f-9957-32fe35630b3d + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 720, + "y": 680 + } + } + "41": + continueonerrortype: "" + id: "41" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "24" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 3dbd6139-a053-466c-8abf-86544d804022 + iscommand: false + name: No Internal IP Address + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 3dbd6139-a053-466c-8abf-86544d804022 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": -580, + "y": 855 + } + } + "44": + continueonerrortype: "" + id: "44" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "40" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 7be14457-6daf-4880-8ab7-ddc7d9c5f5ea + iscommand: false + name: Classify & Resolve IPs + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 7be14457-6daf-4880-8ab7-ddc7d9c5f5ea + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 720, + "y": 540 + } + } + "45": + continueonerrortype: "" + id: "45" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: 01e806da-e272-4832-892f-d0f527a09255 + iscommand: false + name: Foundation - Foundation - Error Handling_V3 + playbookId: Foundation - Foundation - Error Handling_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: 01e806da-e272-4832-892f-d0f527a09255 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 1510, + "y": 1765 + } + } + "47": + continueonerrortype: "" + id: "47" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "24" + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: 58a12bcd-7e4e-4f17-8325-650df12e52fe + iscommand: false + name: SOC Endpoint Enrichment - Generic v2.1_V3 + playbookId: SOC Endpoint Enrichment - Generic v2.1_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: 58a12bcd-7e4e-4f17-8325-650df12e52fe + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 170, + "y": 1610 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": { + "28_26_Yes": 0.17, + "28_41_#default#": 0.27, + "34_26_#default#": 0.41, + "39_34_yes": 0.47 + }, + "paper": { + "dimensions": { + "height": 1636, + "width": 2470, + "x": -580, + "y": 199 + } + } + } +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Isolation_Router.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Isolation_Router.yml new file mode 100644 index 0000000..423bd5f --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Isolation_Router.yml @@ -0,0 +1,464 @@ +adopted: true +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: "" + isoverridable: false + itemVersion: 2.7.18 + packID: "" + packName: SOC Common Playbooks + prevname: "" + supportedModules: [] + toServerVersion: "" +description: Determine the correct playbook to run for the correct endpoint product. +dirtyInputs: true +id: 'SOC Isolation Router_V3' +inputSections: +- description: Generic group for inputs + inputs: + - Endpoint ID + - Endpoint hostname + - Endpoint IP + - ShadowMode + name: General (Inputs group) +inputs: +- description: Device/Endpoint ID + key: Endpoint ID + playbookInputQuery: + required: false + value: {} +- description: "" + key: Endpoint hostname + playbookInputQuery: + required: false + value: {} +- description: "" + key: Endpoint IP + playbookInputQuery: + required: false + value: {} +- description: "" + key: ShadowMode + playbookInputQuery: + required: false + value: + simple: "true" +name: SOC Isolation Router_V3 +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: [] +outputs: [] +sourceplaybookid: SOC Isolation Router_V3 +starttaskid: "0" +tags: +- SOC +- SOC_Framework +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "10" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 44ba6af3-46b9-4441-84c1-53dff0085128 + iscommand: false + name: "" + playbooktaskmissingcomponent: + version: -1 + taskid: 44ba6af3-46b9-4441-84c1-53dff0085128 + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 460, + "y": -900 + } + } + "2": + continueonerrortype: "" + id: "2" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - "6" + note: false + quietmode: 0 + scriptarguments: + EndpointHostName: + simple: ${inputs.Endpoint hostname} + EndpointID: + simple: ${inputs.Endpoint ID} + HostContainment: + simple: "True" + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: true + skipunavailable: false + task: + brand: "" + description: |- + ## Containment Plan - Isolate Device + + This playbook is a sub-playbook within the containment plan playbook. + The playbook isolates devices using core commands. + id: a9edc2b4-6d58-48d5-979f-2cb7a388a7ae + iscommand: false + name: SOC Containment Plan_V3 - Isolate Device_V3 + playbookId: SOC Containment Plan_V3 - Isolate Device_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: a9edc2b4-6d58-48d5-979f-2cb7a388a7ae + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 0, + "y": 510 + } + } + "5": + continueonerrortype: "" + id: "5" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + Manually isolated: + - "6" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 4730edbe-fbf7-4b3e-8493-6412b77a541c + iscommand: false + name: No endpoint agent found + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 4730edbe-fbf7-4b3e-8493-6412b77a541c + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 1310, + "y": 510 + } + } + "6": + continueonerrortype: "" + id: "6" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: e6bedef3-8f7b-4fb9-8362-137ad712aa79 + iscommand: false + name: Done + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: e6bedef3-8f7b-4fb9-8362-137ad712aa79 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 450, + "y": 850 + } + } + "8": + continueonerrortype: "" + id: "8" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + "no": + - "9" + "yes": + - "13" + note: false + quietmode: 0 + scriptarguments: + brandname: + simple: CrowdStrike Falcon + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no'. + id: 1ff7d8a6-af00-4ab7-8e0d-63860e481cdd + iscommand: false + name: Verify Crowdstrike integration + playbooktaskmissingcomponent: + script: IsIntegrationAvailable + type: condition + version: -1 + taskid: 1ff7d8a6-af00-4ab7-8e0d-63860e481cdd + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 450, + "y": -80 + } + } + "9": + continueonerrortype: "" + id: "9" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + "no": + - "5" + "yes": + - "12" + note: false + quietmode: 0 + scriptarguments: + brandname: + simple: Microsoft Defender for Endpoint + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no'. + id: 7a5fbae4-f0b0-487b-84ef-956ad7c29b90 + iscommand: false + name: Verify MDE integration + playbooktaskmissingcomponent: + script: IsIntegrationAvailable + type: condition + version: -1 + taskid: 7a5fbae4-f0b0-487b-84ef-956ad7c29b90 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 920, + "y": 160 + } + } + "10": + continueonerror: true + continueonerrortype: "" + id: "10" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "11" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Gets a list of endpoints, according to the passed filters. If there + are no filters, all endpoints are returned. Filtering by multiple fields will + be concatenated using AND condition (OR is not supported). Maximum result + set size is 100. Offset is the zero-based number of endpoint from the start + of the result set (start by counting from 0). + id: 09bcc377-61ab-48e5-843f-16cd3046d704 + iscommand: true + name: Check XDR for host + playbooktaskmissingcomponent: + script: '|||core-get-endpoints' + type: regular + version: -1 + taskid: 09bcc377-61ab-48e5-843f-16cd3046d704 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 460, + "y": -630 + } + } + "11": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: Core.Endpoint.endpoint_id + operator: isExists + label: "yes" + continueonerrortype: "" + id: "11" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "8" + "yes": + - "2" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: d3e1b590-48d4-440b-8fe5-4b93884ff37e + iscommand: false + name: XDR Agent found? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: d3e1b590-48d4-440b-8fe5-4b93884ff37e + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 460, + "y": -450 + } + } + "12": + continueonerrortype: "" + id: "12" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - "6" + note: false + quietmode: 0 + scriptarguments: + Device_IP: + simple: ${inputs.Endpoint IP} + Device_id: + simple: ${issue.deviceid} + Hostname: + simple: ${inputs.Endpoint hostname} + Isolation_type: + simple: Full + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: true + skipunavailable: false + task: + brand: "" + description: This playbook accepts an endpoint ID, IP, or host name and isolates + it using the Microsoft Defender For Endpoint integration. + id: e40517f0-b04d-4d49-ba32-5aeb875ffafc + iscommand: false + name: SOC Microsoft Defender For Endpoint - Isolate Endpoint_V3 + playbookId: Microsoft Defender For Endpoint - Isolate Endpoint + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: e40517f0-b04d-4d49-ba32-5aeb875ffafc + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 890, + "y": 510 + } + } + "13": + continueonerrortype: "" + id: "13" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - "6" + note: false + quietmode: 0 + scriptarguments: + Device_id: + simple: ${inputs.Endpoint ID} + ShadowMode: + simple: "true" + separatecontext: true + skipunavailable: false + task: + brand: "" + description: This playbook will auto isolate endpoints by the device ID that + was provided in the playbook. + id: fb81e1f1-8573-4018-a9e5-ac987199f858 + iscommand: false + name: SOC Crowdstrike Falcon - Isolate Endpoint_V3 + playbookId: SOC Crowdstrike Falcon - Isolate Endpoint_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: fb81e1f1-8573-4018-a9e5-ac987199f858 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 450, + "y": 510 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": { + "8_13_yes": 0.84 + }, + "paper": { + "dimensions": { + "height": 1810, + "width": 1690, + "x": 0, + "y": -900 + } + } + } +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_MDE_-_Block_File.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_MDE_-_Block_File.yml new file mode 100644 index 0000000..118c394 --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_MDE_-_Block_File.yml @@ -0,0 +1,665 @@ +adopted: true +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 6.10.0 + isoverridable: false + itemVersion: 1.20.8 + packID: "" + packName: Microsoft Defender for Endpoint + prevname: "" + supportedModules: [] + toServerVersion: "" +description: "This playbook receives an MD5 or a SHA256 hash and adds it to the block + list in Microsoft Defender for Endpoint. \nThe playbook uses the integration \" + Microsoft Defender for Endpoint\"." +dirtyInputs: true +id: 'SOC MDE - Block File_V3' +inputSections: +- description: Generic group for inputs + inputs: + - 'Severity ' + - IndicatorDescription + - IndicatorTitle + - GenerateAlert + - Hash + - ShadowMode + name: General (Inputs group) +inputs: +- description: The severity of the malicious behavior identified by the data within + the indicator, where High is the most severe and Informational is not severe at + all. + key: 'Severity ' + playbookInputQuery: + required: false + value: {} +- description: Brief description (100 characters or less) of the threat represented + by the indicator. + key: IndicatorDescription + playbookInputQuery: + required: true + value: + simple: Added by Cortex +- description: The indicator alert title in Defender. + key: IndicatorTitle + playbookInputQuery: + required: true + value: + simple: Added by Cortex +- description: Whether to generate an alert or not. The default is true. + key: GenerateAlert + playbookInputQuery: + required: false + value: + simple: "true" +- description: In this input you can insert either MD5 or SHA256 to block. + key: Hash + playbookInputQuery: + required: false + value: {} +- description: |- + Shadow Mode is a key safety mechanism. It ensures actions like isolate_endpoint or disable_user are logged but not executed in test scenarios. + - Made in the Upon Trigger playbook. + - Stored in the incident’s data context. + key: ShadowMode + playbookInputQuery: + required: false + value: + simple: "true" +name: SOC MDE - Block File_V3 +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: [] +outputs: [] +sourceplaybookid: MDE - Block File +starttaskid: "0" +tags: +- SOC +- SOC_Framework +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "1" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 2301242c-19a0-41b2-8906-2a58c726a8ff + iscommand: false + name: "" + playbooktaskmissingcomponent: + version: -1 + taskid: 2301242c-19a0-41b2-8906-2a58c726a8ff + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 250, + "y": 90 + } + } + "1": + continueonerror: true + continueonerrortype: errorPath + id: "1" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "3" + '#error#': + - "9" + "yes": + - "6" + note: false + quietmode: 0 + scriptarguments: + brandname: + simple: Microsoft Defender Advanced Threat Protection + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Returns 'yes' if the integration brand is available. Otherwise + returns 'no'. + id: 8ad41643-eae0-476f-82c8-2e2b3705f363 + iscommand: false + name: Is Microsoft Defender for Endpoint is enable? + playbooktaskmissingcomponent: + script: IsIntegrationAvailable + type: condition + version: -1 + taskid: 8ad41643-eae0-476f-82c8-2e2b3705f363 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 250, + "y": 240 + } + } + "3": + continueonerrortype: "" + id: "3" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 32e7827d-3a6f-4154-8ef5-6e3a0d20a518 + iscommand: false + name: Done + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 32e7827d-3a6f-4154-8ef5-6e3a0d20a518 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 150, + "y": 1270 + } + } + "4": + continueonerror: true + continueonerrortype: errorPath + id: "4" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "9" + '#none#': + - "3" + note: false + quietmode: 0 + scriptarguments: + action: + simple: Block + generate_alert: + complex: + root: inputs.GenerateAlert + indicator_description: + complex: + root: inputs.IndicatorDescription + indicator_title: + complex: + root: inputs.IndicatorTitle + indicator_type: + simple: FileSha256 + indicator_value: + complex: + filters: + - - left: + iscontext: true + value: + simple: inputs.SHA256 + operator: stringHasLength + right: + value: + simple: "64" + root: inputs.SHA256 + transformers: + - operator: uniq + severity: + complex: + root: 'inputs.Severity ' + separatecontext: false + skipunavailable: false + task: + brand: Microsoft Defender Advanced Threat Protection + description: Creates a new indicator. + id: f5cd6551-f1a0-47fa-b279-05b7678a6baf + iscommand: true + name: Block Indicators by SHA256 + playbooktaskmissingcomponent: + script: Microsoft Defender Advanced Threat Protection|||microsoft-atp-sc-indicator-create + type: regular + version: -1 + taskid: f5cd6551-f1a0-47fa-b279-05b7678a6baf + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1010, + "y": 1000 + } + } + "5": + continueonerror: true + continueonerrortype: errorPath + id: "5" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "9" + '#none#': + - "3" + note: false + quietmode: 0 + scriptarguments: + action: + simple: Block + generate_alert: + complex: + root: inputs.GenerateAlert + indicator_description: + complex: + root: inputs.IndicatorDescription + indicator_title: + complex: + root: inputs.IndicatorTitle + indicator_type: + simple: FileMd5 + indicator_value: + complex: + filters: + - - left: + iscontext: true + value: + simple: inputs.MD5 + operator: stringHasLength + right: + value: + simple: "32" + root: inputs.MD5 + transformers: + - operator: uniq + severity: + complex: + root: 'inputs.Severity ' + separatecontext: false + skipunavailable: false + task: + brand: Microsoft Defender Advanced Threat Protection + description: Creates a new indicator. + id: 752cb3d2-8431-4528-a094-c71252e2f269 + iscommand: true + name: Block Indicators by MD5 + playbooktaskmissingcomponent: + script: Microsoft Defender Advanced Threat Protection|||microsoft-atp-sc-indicator-create + type: regular + version: -1 + taskid: 752cb3d2-8431-4528-a094-c71252e2f269 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": -50, + "y": 1000 + } + } + "6": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.Hash + operator: isNotEmpty + right: + value: {} + label: "yes" + continueonerrortype: "" + id: "6" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "3" + "yes": + - "7" + - "8" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: aeda8e30-f52c-4e9d-8f10-67e049054750 + iscommand: false + name: Is there any file to block? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: aeda8e30-f52c-4e9d-8f10-67e049054750 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 260, + "y": 410 + } + } + "7": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.Hash + transformers: + - operator: uniq + operator: stringHasLength + right: + value: + simple: "32" + label: "yes" + continueonerrortype: "" + id: "7" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "3" + "yes": + - "12" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 4b1ab765-8f50-44ab-8f68-1649fec5095c + iscommand: false + name: Has MD5 hashes? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 4b1ab765-8f50-44ab-8f68-1649fec5095c + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": -210, + "y": 580 + } + } + "8": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.Hash + transformers: + - operator: uniq + operator: stringHasLength + right: + value: + simple: "64" + label: "yes" + continueonerrortype: "" + id: "8" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "3" + "yes": + - "4" + - "10" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 3d4dde8d-e1ec-4712-8a31-b18d40635b1f + iscommand: false + name: Has SHA256 hashes? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 3d4dde8d-e1ec-4712-8a31-b18d40635b1f + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 702.5, + "y": 580 + } + } + "9": + continueonerrortype: "" + id: "9" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: 2b6efb40-1f3c-4936-8e3b-05f115ba4102 + iscommand: false + name: Foundation - Foundation - Error Handling_V3 + playbookId: Foundation - Foundation - Error Handling_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: 2b6efb40-1f3c-4936-8e3b-05f115ba4102 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 940, + "y": 1350 + } + } + "10": + continueonerror: true + continueonerrortype: "" + id: "10" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + Full Run: + - "4" + Shadow Mode: + - "11" + note: false + quietmode: 0 + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 0b85e28d-9e0b-4fb1-ab17-90950d94511a + iscommand: false + name: Run Mode + playbooktaskmissingcomponent: + script: 'ShadowModeRouter_V3' + type: condition + version: -1 + taskid: 0b85e28d-9e0b-4fb1-ab17-90950d94511a + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 1210, + "y": 810 + } + } + "11": + continueonerror: true + continueonerrortype: errorPath + id: "11" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "9" + '#none#': + - "3" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow: MS Defender Block SHA256 + Command: microsoft-atp-sc-indicator-create ${inputs.SHA256} + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: 612406e4-1732-41b2-a11a-34480513f12f + iscommand: false + name: 'Shadow Mode: Block Indicators by SHA256' + playbooktaskmissingcomponent: + script: Print + type: regular + version: -1 + taskid: 612406e4-1732-41b2-a11a-34480513f12f + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1420, + "y": 1000 + } + } + "12": + continueonerror: true + continueonerrortype: "" + id: "12" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + Full Run: + - "5" + Shadow Mode: + - "13" + note: false + quietmode: 0 + scriptarguments: + Message: + simple: '"Shadow Mode: "' + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 08a0fe62-f065-4ddf-855d-8fbe789bb002 + iscommand: false + name: Run Mode + playbooktaskmissingcomponent: + script: 'ShadowModeRouter_V3' + type: condition + version: -1 + taskid: 08a0fe62-f065-4ddf-855d-8fbe789bb002 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": -250, + "y": 800 + } + } + "13": + continueonerror: true + continueonerrortype: errorPath + id: "13" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "9" + '#none#': + - "3" + note: false + quietmode: 0 + scriptarguments: + value: + simple: "Shadow: MS Defender Block MD5 \nCommand: microsoft-atp-sc-indicator-create + ${inputs.Hash}" + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: 5bfdd037-54bd-43d7-b247-626ef423219d + iscommand: false + name: 'Shadow Mode: Block Indicators by MD5' + playbooktaskmissingcomponent: + script: Print + type: regular + version: -1 + taskid: 5bfdd037-54bd-43d7-b247-626ef423219d + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": -450, + "y": 1000 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": { + "1_3_#default#": 0.42, + "6_3_#default#": 0.32, + "6_7_yes": 0.54, + "6_8_yes": 0.62, + "7_12_yes": 0.89, + "7_3_#default#": 0.43, + "8_3_#default#": 0.17, + "8_4_yes": 0.66 + }, + "paper": { + "dimensions": { + "height": 1330, + "width": 2250, + "x": -450, + "y": 90 + } + } + } +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Microsoft_Defender_For_Endpoint_-_Isolate_Endpoint.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Microsoft_Defender_For_Endpoint_-_Isolate_Endpoint.yml new file mode 100644 index 0000000..cf42989 --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Microsoft_Defender_For_Endpoint_-_Isolate_Endpoint.yml @@ -0,0 +1,1216 @@ +adopted: true +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 6.2.0 + isoverridable: false + itemVersion: 1.20.8 + packID: "" + packName: Microsoft Defender for Endpoint + prevname: "" + supportedModules: [] + toServerVersion: "" +description: This playbook accepts an endpoint ID, IP, or host name and isolates it + using the Microsoft Defender For Endpoint integration. +dirtyInputs: true +id: 'SOC Microsoft Defender For Endpoint - Isolate Endpoint_V3' +inputSections: +- description: Generic group for inputs + inputs: + - Device_id + - Hostname + - Device_IP + - Isolation_type + - ShadowMode + name: General (Inputs group) +inputs: +- description: |- + The device ID to isolate. + For more information about the device, you can use the following commands: + !microsoft-atp-get-machine-details + !microsoft-atp-get-machines + key: Device_id + playbookInputQuery: + required: false + value: {} +- description: The host name you want to isolate. + key: Hostname + playbookInputQuery: + required: false + value: {} +- description: The device IP you want to isolate. + key: Device_IP + playbookInputQuery: + required: false + value: {} +- description: |- + Optional Values: Full/Selective. Default is Full. + + For more information see Microsoft documentation: + https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/respond-machine-alerts?view=o365-worldwide#isolate-devices-from-the-network + key: Isolation_type + playbookInputQuery: + required: false + value: + simple: Full +- description: "" + key: ShadowMode + playbookInputQuery: + required: false + value: + simple: "true" +name: SOC Microsoft Defender For Endpoint - Isolate Endpoint_V3 +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: + - MicrosoftATP.MachineAction.ID + - MicrosoftATP.IsolateList + - MicrosoftATP.NonIsolateList + - MicrosoftATP.IncorrectIDs + - MicrosoftATP.IncorrectHostnames + - MicrosoftATP.IncorrectIPs +outputs: +- contextPath: MicrosoftATP.MachineAction.ID + description: The machine action ID. + type: string +- contextPath: MicrosoftATP.IsolateList + description: The machine IDs that were isolated. + type: string +- contextPath: MicrosoftATP.NonIsolateList + description: The machine IDs that will not be isolated. + type: string +- contextPath: MicrosoftATP.IncorrectIDs + description: Incorrect device IDs entered. + type: string +- contextPath: MicrosoftATP.IncorrectHostnames + description: Incorrect device host names entered. + type: string +- contextPath: MicrosoftATP.IncorrectIPs + description: Incorrect device IPs entered. + type: string +sourceplaybookid: Microsoft Defender For Endpoint - Isolate Endpoint +starttaskid: "0" +tags: +- SOC +- SOC_Framework +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "1" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 0c9a3619-7414-4966-860a-3b83f7ae3c9a + iscommand: false + name: "" + playbooktaskmissingcomponent: + version: -1 + taskid: 0c9a3619-7414-4966-860a-3b83f7ae3c9a + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 50, + "y": -350 + } + } + "1": + continueonerrortype: "" + id: "1" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "2" + "yes": + - "32" + note: false + quietmode: 0 + scriptarguments: + brandname: + simple: Microsoft Defender Advanced Threat Protection + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Returns 'yes' if the integration is available. + id: f658a709-df9b-463e-8305-7c14c5b68512 + iscommand: false + name: Is Microsoft Defender For Endpoint Integration Enabled? + playbooktaskmissingcomponent: + script: IsIntegrationAvailable + type: condition + version: -1 + taskid: f658a709-df9b-463e-8305-7c14c5b68512 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 50, + "y": -230 + } + } + "2": + continueonerrortype: "" + id: "2" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 2f36c13b-1511-485c-86e0-0bbf57eba943 + iscommand: false + name: Done + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 2f36c13b-1511-485c-86e0-0bbf57eba943 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 50, + "y": 1800 + } + } + "5": + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: MicrosoftATP.IsolateList + operator: isNotEmpty + label: "yes" + continueonerrortype: "" + id: "5" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "2" + "yes": + - "31" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Is the device ready for isolation? + id: 2c229082-3fd9-43b2-83dc-5ff28a9be1b9 + iscommand: false + name: Is the device ready for isolation? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 2c229082-3fd9-43b2-83dc-5ff28a9be1b9 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 1160, + "y": 805 + } + } + "7": + continueonerror: true + continueonerrortype: "" + id: "7" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "8" + note: false + quietmode: 0 + scriptarguments: + comment: + simple: 'XSOAR Microsoft Defender Isolate Endpoint - #Inc ${alert.id}' + isolation_type: + simple: ${inputs.Isolation_type} + machine_id: + simple: ${MicrosoftATP.IsolateList} + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Isolates a machine from accessing external networks. + id: 4448d4cc-2c91-4b3a-8aa8-01705c810970 + iscommand: true + name: Isolate endpoint + playbooktaskmissingcomponent: + script: '|||microsoft-atp-isolate-machine' + type: regular + version: -1 + taskid: 4448d4cc-2c91-4b3a-8aa8-01705c810970 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1160, + "y": 1280 + } + } + "8": + continueonerrortype: "" + id: "8" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "2" + "yes": + - "9" + note: false + quietmode: 0 + scriptarguments: + entryId: + simple: ${lastCompletedTaskEntries} + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks whether given entry/entries returned an error. Use ${lastCompletedTaskEntries} + to check the previous task entries. For an array of entries, returns 'yes' + if one of the entries returned an error. + id: f4b67ca6-19e6-492d-84e9-3e93ef002e3e + iscommand: false + name: ' Check if Isolate Action Succeeded' + playbooktaskmissingcomponent: + script: isError + type: condition + version: -1 + taskid: f4b67ca6-19e6-492d-84e9-3e93ef002e3e + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 1160, + "y": 1430 + } + } + "9": + continueonerrortype: "" + id: "9" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: MicrosoftATP.IsolateList + operator: notIn + right: + iscontext: true + value: + simple: MicrosoftATP.MachineAction.MachineID + root: MicrosoftATP.IsolateList + transformers: + - args: + prefix: + value: + simple: | + The Isolate Action did not succeed. Please validate your input or check if the machine is already in an Isolate state. The Device ID/s that were not Isolated + suffix: {} + operator: concat + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints a device already isolated message to the War Room (Markdown + supported). + id: 6ee8a70d-bd1a-4fe0-8e3f-2ff1a9ac9b89 + iscommand: false + name: Print a warning to the war room - Device already isolated + playbooktaskmissingcomponent: + script: Print + type: regular + version: -1 + taskid: 6ee8a70d-bd1a-4fe0-8e3f-2ff1a9ac9b89 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1160, + "y": 1630 + } + } + "10": + continueonerrortype: "" + id: "10" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + The following devices can't be isolated. Please validate that those devices are active in the system. + ${MicrosoftATP.NonIsolateList} + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints an inactive device message to the War Room (Markdown supported). + id: 913c4449-5898-4aaf-87d0-e4454d35c87b + iscommand: false + name: Print inactive device + playbooktaskmissingcomponent: + script: Print + type: regular + version: -1 + taskid: 913c4449-5898-4aaf-87d0-e4454d35c87b + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 730, + "y": 1630 + } + } + "11": + continueonerrortype: "" + id: "11" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "5" + note: false + quietmode: 0 + scriptarguments: + append: + simple: "true" + key: + simple: MicrosoftATP.IsolateList + value: + complex: + accessor: ID + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: MicrosoftATP.Machine.HealthStatus + operator: isEqualString + right: + value: + simple: Active + root: MicrosoftATP.Machine + separatecontext: false + skipunavailable: false + task: + brand: "" + description: "Set a value in context under the key you entered. If no value + is entered, the script doesn't do anything.\n\nThis automation runs using + the default Limited User role, unless you explicitly change the permissions.\n + For more information, see the section about permissions here:\n- For Cortex + XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: 7cc2d23d-784c-4029-8d0b-62aebc0b2abd + iscommand: false + name: Set Active Device + playbooktaskmissingcomponent: + script: SetAndHandleEmpty + type: regular + version: -1 + taskid: 7cc2d23d-784c-4029-8d0b-62aebc0b2abd + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1160, + "y": 620 + } + } + "12": + continueonerrortype: "" + id: "12" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "13" + note: false + quietmode: 0 + scriptarguments: + append: + simple: "true" + key: + simple: MicrosoftATP.NonIsolateList + value: + complex: + accessor: ID + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: MicrosoftATP.Machine.HealthStatus + operator: isNotEqualString + right: + value: + simple: Active + root: MicrosoftATP.Machine + separatecontext: false + skipunavailable: false + task: + brand: "" + description: "Set a value in context under the key you entered. If no value + is entered, the script doesn't do anything.\n\nThis automation runs using + the default Limited User role, unless you explicitly change the permissions.\n + For more information, see the section about permissions here:\n- For Cortex + XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: 9543301b-5b6c-4bb5-864c-3d40cd4152dd + iscommand: false + name: Set Non-valid Devices + playbooktaskmissingcomponent: + script: SetAndHandleEmpty + type: regular + version: -1 + taskid: 9543301b-5b6c-4bb5-864c-3d40cd4152dd + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 730, + "y": 620 + } + } + "13": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: MicrosoftATP.NonIsolateList + operator: isNotEmpty + right: + value: {} + label: "yes" + continueonerrortype: "" + id: "13" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "2" + "yes": + - "10" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Are there any inactive devices? + id: ba1c6190-674a-44db-89cd-d8e982093c58 + iscommand: false + name: Is there any inactive device? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: ba1c6190-674a-44db-89cd-d8e982093c58 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 730, + "y": 805 + } + } + "17": + continueonerrortype: "" + id: "17" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + value: + simple: "Please note that the following ID / Hostname / IP are incorrect. + No action was taken on the following Device ID / hostname / IP: \n${MicrosoftATP.IncorrectIDs}\n\ + ${MicrosoftATP.IncorrectIPs}\n${MicrosoftATP.IncorrectHostnames}" + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints an incorrect device ID message to the War Room (Markdown + supported). + id: 30182da7-2783-468c-8d15-4305b8f01d5e + iscommand: false + name: Print incorrect Device ID + playbooktaskmissingcomponent: + script: Print + type: regular + version: -1 + taskid: 30182da7-2783-468c-8d15-4305b8f01d5e + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 310, + "y": 1630 + } + } + "19": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: inputs.Device_id + operator: notIn + right: + iscontext: true + value: + simple: MicrosoftATP.Machine.ID + root: inputs.Device_id + transformers: + - operator: uniq + operator: isNotEmpty + right: + value: {} + - left: + iscontext: true + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: inputs.Hostname + operator: notIn + right: + iscontext: true + value: + simple: MicrosoftATP.Machine.ComputerDNSName + root: inputs.Hostname + transformers: + - operator: uniq + operator: isNotEmpty + - left: + iscontext: true + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: inputs.Device_IP + operator: notIn + right: + iscontext: true + value: + simple: MicrosoftATP.Machine.NetworkInterfaces.IPAddresses + root: inputs.Device_IP + transformers: + - operator: uniq + operator: isNotEmpty + label: "yes" + continueonerrortype: "" + id: "19" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "2" + "yes": + - "20" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Check if there are any incorrect device IDs. + id: 2816c649-e7c3-4f09-8730-e20eb9346ac2 + iscommand: false + name: Check if there is any provided incorrect info + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 2816c649-e7c3-4f09-8730-e20eb9346ac2 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 310, + "y": 620 + } + } + "20": + continueonerrortype: "" + id: "20" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "24" + note: false + quietmode: 0 + scriptarguments: + append: + simple: "true" + key: + simple: MicrosoftATP.IncorrectIDs + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: inputs.Device_id + operator: notIn + right: + iscontext: true + value: + simple: MicrosoftATP.Machine.ID + root: inputs.Device_id + separatecontext: false + skipunavailable: false + task: + brand: "" + description: "Set a value in context under the key you entered. If no value + is entered, the script doesn't do anything.\n\nThis automation runs using + the default Limited User role, unless you explicitly change the permissions.\n + For more information, see the section about permissions here:\n- For Cortex + XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: 9b159ca4-130c-4e62-88c4-8b797db390fd + iscommand: false + name: Set Incorrect ID + playbooktaskmissingcomponent: + script: SetAndHandleEmpty + type: regular + version: -1 + taskid: 9b159ca4-130c-4e62-88c4-8b797db390fd + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 310, + "y": 805 + } + } + "23": + continueonerrortype: "" + id: "23" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "17" + note: false + quietmode: 0 + scriptarguments: + append: + simple: "true" + key: + simple: MicrosoftATP.IncorrectIPs + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: inputs.Device_IP + operator: isNotEmpty + root: inputs.Device_IP + separatecontext: false + skipunavailable: false + task: + brand: "" + description: "Set a value in context under the key you entered. If no value + is entered, the script doesn't do anything.\n\nThis automation runs using + the default Limited User role, unless you explicitly change the permissions.\n + For more information, see the section about permissions here:\n- For Cortex + XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: 66a8b331-c775-4263-8289-dcedbf3f2799 + iscommand: false + name: Set Incorrect IP + playbooktaskmissingcomponent: + script: SetAndHandleEmpty + type: regular + version: -1 + taskid: 66a8b331-c775-4263-8289-dcedbf3f2799 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 310, + "y": 1350 + } + } + "24": + continueonerrortype: "" + id: "24" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "23" + note: false + quietmode: 0 + scriptarguments: + append: + simple: "true" + key: + simple: MicrosoftATP.IncorrectHostnames + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: inputs.Hostname + operator: notIn + right: + iscontext: true + value: + simple: MicrosoftATP.Machine.ComputerDNSName + root: inputs.Hostname + separatecontext: false + skipunavailable: false + task: + brand: "" + description: "Set a value in context under the key you entered. If no value + is entered, the script doesn't do anything.\n\nThis automation runs using + the default Limited User role, unless you explicitly change the permissions.\n + For more information, see the section about permissions here:\n- For Cortex + XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: f95ccb2e-09b5-4ae3-88d7-802940ec7bd1 + iscommand: false + name: Set Incorrect Hostname + playbooktaskmissingcomponent: + script: SetAndHandleEmpty + type: regular + version: -1 + taskid: f95ccb2e-09b5-4ae3-88d7-802940ec7bd1 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 310, + "y": 1180 + } + } + "27": + continueonerrortype: "" + id: "27" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "28" + - "30" + - "29" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 93070bb8-0dbd-4a97-842e-f851bba34472 + iscommand: false + name: Normalizing Device info + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 93070bb8-0dbd-4a97-842e-f851bba34472 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 730, + "y": 300 + } + } + "28": + continueonerrortype: "" + id: "28" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "11" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 79a55f6a-7ab3-4d04-8b68-cfc13ab442dc + iscommand: false + name: Active Device + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 79a55f6a-7ab3-4d04-8b68-cfc13ab442dc + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 1160, + "y": 450 + } + } + "29": + continueonerrortype: "" + id: "29" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "12" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 74d28cdb-2cf4-4d2e-846c-762d094bf01f + iscommand: false + name: Inactive Device + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 74d28cdb-2cf4-4d2e-846c-762d094bf01f + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 730, + "y": 450 + } + } + "30": + continueonerrortype: "" + id: "30" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "19" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 59d101b0-bfca-443a-8cb7-8465d9e44521 + iscommand: false + name: Incorrect Input + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 59d101b0-bfca-443a-8cb7-8465d9e44521 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 310, + "y": 450 + } + } + "31": + continueonerrortype: "" + id: "31" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "34" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 38e3795b-141d-4aba-820a-4f95e7eb47da + iscommand: false + name: Isolate Device + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 38e3795b-141d-4aba-820a-4f95e7eb47da + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 1160, + "y": 1030 + } + } + "32": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.Device_id + operator: isNotEmpty + - left: + iscontext: true + value: + simple: inputs.Device_IP + operator: isNotEmpty + - left: + iscontext: true + value: + simple: inputs.Hostname + operator: isNotEmpty + label: "yes" + continueonerrortype: "" + id: "32" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "2" + "yes": + - "33" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Validate/Enrich inputs through !endpoint + id: 361b1e36-d71c-4128-83a8-012269159fec + iscommand: false + name: Was any data provided? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 361b1e36-d71c-4128-83a8-012269159fec + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 730, + "y": -60 + } + } + "33": + continueonerrortype: "" + id: "33" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "27" + note: false + quietmode: 0 + scriptarguments: + hostname: + simple: ${inputs.Hostname} + id: + simple: ${inputs.Device_id} + ip: + simple: ${inputs.Device_IP} + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Returns information about an endpoint. + id: 91926f31-cb8d-4e2a-8d36-11b6b491c6cd + iscommand: true + name: Enrich Endpoint info + playbooktaskmissingcomponent: + script: '|||endpoint' + type: regular + version: -1 + taskid: 91926f31-cb8d-4e2a-8d36-11b6b491c6cd + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 730, + "y": 150 + } + } + "34": + continueonerrortype: "" + id: "34" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + Full Run: + - "7" + Shadow Mode: + - "35" + note: false + quietmode: 0 + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 6c848c0e-e355-4d76-9e2c-4a50f0e65d5d + iscommand: false + name: Mode Run? + playbooktaskmissingcomponent: + script: ShadowModeRouter_V3 + type: condition + version: -1 + taskid: 6c848c0e-e355-4d76-9e2c-4a50f0e65d5d + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 1160, + "y": 1140 + } + } + "35": + continueonerrortype: "" + id: "35" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "9" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow: CrowdStrike Isolate EndPoint + Command: microsoft-atp-isolate-machine + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: b89a6ed5-3c24-42fd-ae49-4e0a69a66654 + iscommand: false + name: 'Shadow: CrowdStrike Isolate EndPoint' + playbooktaskmissingcomponent: + script: Print + type: regular + version: -1 + taskid: b89a6ed5-3c24-42fd-ae49-4e0a69a66654 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1650, + "y": 1280 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": { + "13_10_yes": 0.67, + "13_2_#default#": 0.1, + "19_2_#default#": 0.21, + "1_2_#default#": 0.1, + "5_2_#default#": 0.1, + "8_2_#default#": 0.1, + "8_9_yes": 0.62 + }, + "paper": { + "dimensions": { + "height": 2210, + "width": 1980, + "x": 50, + "y": -350 + } + } + } +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_NIST_Detection_&_Analysis.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_NIST_Detection_&_Analysis.yml new file mode 100644 index 0000000..7ebde26 --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_NIST_Detection_&_Analysis.yml @@ -0,0 +1,1427 @@ +adopted: true +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: "" + isoverridable: false + itemVersion: 2.7.17 + packID: "" + packName: SOC Common Playbooks + prevname: "" + supportedModules: [] + toServerVersion: "" +description: Detection & Analysis (Endpoint) β€” chooses actions based on normalized + entities and alert categories. +dirtyInputs: true +id: 'SOC NIST Detection & Analysis_V3' +inputSections: +- description: Generic group for inputs + inputs: + - sha256 + - hostname + - endpointIP + - username + - email + - url + - endpointID + name: General (Inputs group) +inputs: +- description: "" + key: sha256 + playbookInputQuery: + required: false + value: {} +- description: "" + key: hostname + playbookInputQuery: + required: false + value: {} +- description: "" + key: endpointIP + playbookInputQuery: + required: false + value: {} +- description: "" + key: username + playbookInputQuery: + required: false + value: {} +- description: "" + key: email + playbookInputQuery: + required: false + value: {} +- description: "" + key: url + playbookInputQuery: + required: false + value: {} +- description: "" + key: endpointID + playbookInputQuery: + required: false + value: {} +name: SOC NIST Detection & Analysis_V3 +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: [] +outputs: [] +sourceplaybookid: auto-pb-detect-analyze-endpoint-11bcb85d-f5be-437d-a309-aeb1052386a2 +starttaskid: "0" +tags: +- SOC +- SOC_Framework +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "18" + - "19" + - "20" + - "21" + - "27" + - "29" + - "30" + - "31" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 10a8914a-28e0-4af1-8982-086e30bedcf1 + iscommand: false + name: "" + playbooktaskmissingcomponent: + version: -1 + taskid: 10a8914a-28e0-4af1-8982-086e30bedcf1 + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 1175, + "y": 50 + } + } + "4": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.sha256 + operator: isNotEmpty + right: + value: {} + label: "Yes" + - condition: + - - left: + iscontext: true + value: + simple: inputs.sha256 + operator: isEmpty + label: "No" + continueonerrortype: "" + id: "4" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + "No": + - "22" + "Yes": + - "15" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Check Normalized.process md5/sha256. + id: 300f4905-fdd7-48fd-99b3-ad76fff28466 + iscommand: false + name: Have a Process hash? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 300f4905-fdd7-48fd-99b3-ad76fff28466 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": -780, + "y": 400 + } + } + "5": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.endpointIP + operator: isNotEmpty + label: "Yes" + - condition: + - - left: + iscontext: true + value: + simple: inputs.endpointIP + operator: isEmpty + label: "No" + continueonerrortype: "" + id: "5" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + "No": + - "22" + "Yes": + - "16" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Check Normalized.host.ip or Normalized.ip.ip. + id: 209fde33-66f9-4f67-a8c9-b5e17592cd0f + iscommand: false + name: Have an Endpoint IP? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 209fde33-66f9-4f67-a8c9-b5e17592cd0f + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 110, + "y": 400 + } + } + "6": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.username + operator: isNotEmpty + right: + value: {} + label: "Yes" + continueonerrortype: "" + id: "6" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "22" + "Yes": + - "40" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Check Normalized.user fields for correlation. + id: 80d0c66e-af12-43d1-b728-eed21b71d9fb + iscommand: false + name: Have a User tied to this endpoint? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 80d0c66e-af12-43d1-b728-eed21b71d9fb + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 750, + "y": 400 + } + } + "14": + continueonerrortype: "" + id: "14" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - "22" + note: false + quietmode: 0 + scriptarguments: + EndpointID: + complex: + root: inputs.endpointID + transformers: + - operator: uniq + Hostname: + complex: + root: inputs.hostname + transformers: + - operator: uniq + IPAddress: + complex: + root: inputs.endpointIP + transformers: + - operator: uniq + UseReputationCommand: + simple: "False" + separatecontext: true + skipunavailable: false + task: + brand: "" + description: |- + Enrich an endpoint by hostname using one or more integrations. + Supported integrations: + - Active Directory Query v2 + - McAfee ePO v2 + - VMware Carbon Black EDR v2 + - Cylance Protect v2 + - CrowdStrike Falcon + - ExtraHop Reveal(x) + - Cortex XDR / Core (endpoint enrichment, reputation and risk) + - Endpoint reputation using !endpoint command. + id: a91231ac-2b8f-4e1b-a7c2-719c6761e8ad + iscommand: false + name: SOC Endpoint Enrichment - Generic v2.1_V3 + playbookId: SOC Endpoint Enrichment - Generic v2.1_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: a91231ac-2b8f-4e1b-a7c2-719c6761e8ad + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": -1607.5, + "y": 600 + } + } + "15": + continueonerrortype: "" + id: "15" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - "33" + note: false + quietmode: 0 + scriptarguments: + DetectionThreshold: + simple: "5" + FileSHA256: + simple: ${inputs.sha256} + TrustedPublishers: + simple: |- + Microsoft Root Authority,Microsoft Timestamping Service, + Microsoft Code Signing PCA, Microsoft Corporation + separatecontext: true + skipunavailable: false + task: + brand: "" + description: "This playbook checks the file reputation and sets the verdict + as a new context key.\n\nThe verdict is composed by 3 main components:\n\n + * VirusTotal detection rate\n* Digital certificate signers\n* NSRL DB\n\n + Note: a user can provide a list of trusted signers of his own using the playbook + inputs\n " + id: c6f46490-18f1-4db6-91b5-2281b25c50aa + iscommand: false + name: SOC File Reputation_V3 + playbookId: SOC File Reputation_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: c6f46490-18f1-4db6-91b5-2281b25c50aa + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": -650, + "y": 610 + } + } + "16": + continueonerrortype: "" + id: "16" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - "36" + note: false + quietmode: 0 + scriptarguments: + ExecutedFromParent: + simple: "True" + IP: + complex: + root: inputs.endpointIP + transformers: + - operator: uniq + InternalRange: + complex: + accessor: PrivateIPs + root: lists + transformers: + - args: + error_if_no_match: {} + ignore_case: {} + multi_line: {} + period_matches_newline: {} + regex: + value: + simple: (\b(?:\d{1,3}\.){3}\d{1,3}\b/\d{1,2}) + unpack_matches: {} + operator: RegexExtractAll + - args: + separator: + value: + simple: ',' + operator: join + ResolveIP: + simple: "False" + UseReputationCommand: + simple: "False" + extended_data: + simple: "False" + threat_model_association: + simple: "False" + separatecontext: true + skipunavailable: false + task: + brand: "" + description: |- + Enrich IP addresses using one or more integrations. + + - Resolve IP addresses to hostnames (DNS) + - Provide threat information + - Determine IP address reputation using the !ip command + - Separate internal and external IP addresses + - For internal IP addresses, get host information. + + When executing this playbook through IP Enrichment - Generic v2, IP classification and resolution will be handled by the main playbook, improving performance. + id: 8ff042d7-1994-463d-b377-26482a3de95f + iscommand: false + name: SOC IP Enrichment - Generic v2_V3 + playbookId: SOC IP Enrichment - Generic v2_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: 8ff042d7-1994-463d-b377-26482a3de95f + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 222.5, + "y": 580 + } + } + "18": + continueonerrortype: "" + id: "18" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "23" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 8d3ffcf1-eaa6-44fb-874a-837619d3c650 + iscommand: false + name: Host Enrichent + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 8d3ffcf1-eaa6-44fb-874a-837619d3c650 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": -1720, + "y": 250 + } + } + "19": + continueonerrortype: "" + id: "19" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "4" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 86b589db-dff1-4110-8727-dacd5f226bf4 + iscommand: false + name: File Enrichment + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 86b589db-dff1-4110-8727-dacd5f226bf4 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": -780, + "y": 230 + } + } + "20": + continueonerrortype: "" + id: "20" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "5" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 3a31d0d5-9931-448d-8a93-9982602f24ee + iscommand: false + name: IP Enrichment + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 3a31d0d5-9931-448d-8a93-9982602f24ee + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 110, + "y": 230 + } + } + "21": + continueonerrortype: "" + id: "21" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "6" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 4f6d81e1-cc0f-4ed4-8653-2e070219600f + iscommand: false + name: Identity Enrichment + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 4f6d81e1-cc0f-4ed4-8653-2e070219600f + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 720, + "y": 230 + } + } + "22": + continueonerrortype: "" + id: "22" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 02d0cf85-2394-4ee3-82f3-185f0b5c6d98 + iscommand: false + name: Done + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 02d0cf85-2394-4ee3-82f3-185f0b5c6d98 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 1175, + "y": 1650 + } + } + "23": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.hostname + operator: isExists + right: + value: {} + label: "Yes" + - condition: + - - left: + iscontext: true + value: + simple: inputs.hostname + operator: isNotExists + label: "No" + continueonerrortype: "" + id: "23" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + "No": + - "22" + "Yes": + - "14" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Check Normalized.host fields. + id: ef5348cb-eee3-479a-b094-6ad2a31f19e7 + iscommand: false + name: Have a Host entity? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: ef5348cb-eee3-479a-b094-6ad2a31f19e7 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": -1720, + "y": 420 + } + } + "25": + continueonerrortype: "" + id: "25" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - "38" + note: false + quietmode: 0 + scriptarguments: + Rasterize: + simple: "True" + URL: + complex: + root: inputs.url + transformers: + - operator: uniq + UseReputationCommand: + simple: "False" + VerifyURL: + simple: "False" + separatecontext: true + skipunavailable: false + task: + brand: "" + description: |- + Enrich URLs using one or more integrations. + + URL enrichment includes: + * SSL verification for URLs. + * Threat information. + * Providing of URL screenshots. + * URL Reputation using !url. + id: 451c9a9d-9f2d-4540-a291-36c4bdb9e7c5 + iscommand: false + name: SOC URL Enrichment - Generic v2_V3 + playbookId: SOC URL Enrichment - Generic v2_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: 451c9a9d-9f2d-4540-a291-36c4bdb9e7c5 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 2597.5, + "y": 570 + } + } + "26": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.email + operator: isExists + right: + value: {} + label: "Yes" + - condition: + - - left: + iscontext: true + value: + simple: inputs.email + operator: isNotExists + label: "No" + continueonerrortype: "" + id: "26" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + "No": + - "22" + "Yes": + - "41" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Check Normalized.host.ip or Normalized.ip.ip. + id: 658fafbd-ce5c-47e9-adf1-a3426708e717 + iscommand: false + name: Have an Email? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 658fafbd-ce5c-47e9-adf1-a3426708e717 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 2055, + "y": 390 + } + } + "27": + continueonerrortype: "" + id: "27" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "26" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 5094fe81-2bd3-4386-886c-255a6d7b977c + iscommand: false + name: Email Enrichment + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 5094fe81-2bd3-4386-886c-255a6d7b977c + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 2055, + "y": 220 + } + } + "28": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.url + operator: isExists + right: + value: {} + label: "Yes" + - condition: + - - left: + iscontext: true + value: + simple: inputs.url + operator: isNotExists + label: "No" + continueonerrortype: "" + id: "28" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + "No": + - "22" + "Yes": + - "25" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Check Normalized.host.ip or Normalized.ip.ip. + id: 091aa348-f279-434e-9c7b-722a38adb456 + iscommand: false + name: Have an URL? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 091aa348-f279-434e-9c7b-722a38adb456 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 2485, + "y": 390 + } + } + "29": + continueonerrortype: "" + id: "29" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "28" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 7b5316e5-b61f-4aa1-8a53-dc52d479be27 + iscommand: false + name: URL Enrichment + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 7b5316e5-b61f-4aa1-8a53-dc52d479be27 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 2485, + "y": 220 + } + } + "30": + continueonerrortype: "" + id: "30" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 516edc35-1e34-4521-8c5d-fefed0bb0913 + iscommand: false + name: Domains + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 516edc35-1e34-4521-8c5d-fefed0bb0913 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 1390, + "y": 220 + } + } + "31": + continueonerrortype: "" + id: "31" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 6ce4928b-bd06-4f76-8874-e62e23f6edf0 + iscommand: false + name: CVEs (Nice To Have) + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 6ce4928b-bd06-4f76-8874-e62e23f6edf0 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 2940, + "y": 210 + } + } + "33": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: NSRLFileVerdict + operator: isEqualString + right: + value: + simple: IsNSRL + - - left: + iscontext: true + value: + simple: VTFileVerdict + operator: isEqualString + right: + value: + simple: Benign + - - left: + iscontext: true + value: + simple: XDRFileSigners + operator: isEqualString + right: + value: + simple: Trusted + label: "yes" + continueonerrortype: "" + id: "33" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "35" + "yes": + - "34" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: a240b5f4-53e9-4014-81e0-fc318ef4c4de + iscommand: false + name: Was the file found as Benign + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: a240b5f4-53e9-4014-81e0-fc318ef4c4de + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": -485, + "y": 830 + } + } + "34": + continueonerrortype: "" + id: "34" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "22" + note: false + quietmode: 0 + scriptarguments: + key: + simple: FileVerdict + value: + simple: Benign + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Set a value in context under the key you entered. + id: ca5dbd81-70ba-4fc5-8e1c-31e0c4323763 + iscommand: false + name: Set file verdict benign + playbooktaskmissingcomponent: + script: Set + type: regular + version: -1 + taskid: ca5dbd81-70ba-4fc5-8e1c-31e0c4323763 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": -700, + "y": 990 + } + } + "35": + continueonerrortype: "" + id: "35" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "22" + note: false + quietmode: 0 + scriptarguments: + key: + simple: FileVerdict + value: + simple: Suspicious + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Set a value in context under the key you entered. + id: 01cbeae6-1096-42c7-8b03-e54932c0f7c3 + iscommand: false + name: Set file verdict suspicious + playbooktaskmissingcomponent: + script: Set + type: regular + version: -1 + taskid: 01cbeae6-1096-42c7-8b03-e54932c0f7c3 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": -280, + "y": 990 + } + } + "36": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: Score + filters: + - - left: + iscontext: true + value: + simple: DBotScore.Indicator + operator: inList + right: + iscontext: true + value: + simple: inputs.endpointIP + - left: + iscontext: true + value: + simple: DBotScore.Indicator + operator: isEqualString + right: + value: + simple: Normalized.ip.ip + root: DBotScore + operator: greaterThanOrEqual + right: + value: + simple: "2" + - - left: + iscontext: true + value: + simple: DBotScore + operator: isExists + label: "yes" + continueonerrortype: "" + id: "36" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "22" + "yes": + - "37" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 49da9ca8-3c14-447b-851f-613f8a702f16 + iscommand: false + name: Was the IP found as Suspicious? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 49da9ca8-3c14-447b-851f-613f8a702f16 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 222.5, + "y": 760 + } + } + "37": + continueonerrortype: "" + id: "37" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "22" + note: false + quietmode: 0 + scriptarguments: + key: + simple: IPVerdict + value: + simple: Suspicious + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Set a value in context under the key you entered. + id: 19aa39f4-4218-493f-83b1-e60d5e7bf014 + iscommand: false + name: Set SuspectedVerdict to Suspicious IP + playbooktaskmissingcomponent: + script: Set + type: regular + version: -1 + taskid: 19aa39f4-4218-493f-83b1-e60d5e7bf014 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 200, + "y": 930 + } + } + "38": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: DBotScore.Indicator + operator: inList + right: + iscontext: true + value: + simple: inputs.endpointIP + - left: + iscontext: true + value: + simple: DBotScore.Indicator + operator: isEqualString + right: + value: + simple: Normalized.url.url + root: DBotScore + operator: isEqualString + right: + value: + simple: "2" + - - left: + iscontext: true + value: + simple: DBotScore + operator: isExists + label: "yes" + continueonerrortype: "" + id: "38" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "22" + "yes": + - "39" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 128e26f7-5e75-4d4d-817c-ce3bda9e06a2 + iscommand: false + name: Was the URL found as Suspicious? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 128e26f7-5e75-4d4d-817c-ce3bda9e06a2 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 2580, + "y": 750 + } + } + "39": + continueonerrortype: "" + id: "39" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "22" + note: false + quietmode: 0 + scriptarguments: + key: + simple: URLVerdict + value: + simple: Suspicous + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Set a value in context under the key you entered. + id: 54583fc0-d7bb-415e-8281-1c8b8fdbb319 + iscommand: false + name: Set Suspected Verdict to Suspicious URL + playbooktaskmissingcomponent: + script: Set + type: regular + version: -1 + taskid: 54583fc0-d7bb-415e-8281-1c8b8fdbb319 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 2485, + "y": 980 + } + } + "40": + continueonerrortype: "" + id: "40" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - "22" + note: false + quietmode: 0 + scriptarguments: + Domain: + complex: + root: inputs.username + transformers: + - operator: uniq + - args: + delimiter: + value: + simple: \ + operator: split + - operator: FirstArrayElement + Username: + complex: + root: inputs.username + transformers: + - operator: uniq + - args: + delimiter: + value: + simple: \ + operator: split + - operator: LastArrayElement + separatecontext: true + skipunavailable: false + task: + brand: "" + description: |- + Enrich accounts using one or more integrations. + Supported integrations: + - Active Directory + - Microsoft Graph User + - SailPoint IdentityNow + - SailPoint IdentityIQ + - PingOne + - Okta + - AWS IAM + - Cortex XDR (account enrichment and reputation) + + Also, the playbook supports the generic command 'iam-get-user' (implemented in IAM integrations). For more information, visit https://xsoar.pan.dev/docs/integrations/iam-integrations. + id: beafab5d-1aa6-4977-ae00-c9000be07e93 + iscommand: false + name: SOC Account Enrichment - Generic v2.1_V3 + playbookId: SOC Account Enrichment - Generic v2.1_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: beafab5d-1aa6-4977-ae00-c9000be07e93 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 910, + "y": 570 + } + } + "41": + continueonerrortype: "" + id: "41" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - "22" + note: false + quietmode: 0 + scriptarguments: + Email: + complex: + root: inputs.email + transformers: + - operator: uniq + UseReputationCommand: + simple: "False" + separatecontext: true + skipunavailable: false + task: + brand: "" + description: |- + Enrich email addresses. + - Get information from Active Directory for internal addresses + - Get the domain-squatting reputation for external addresses + - Email address reputation using !email command. + id: 8722b45a-2b50-44ac-8515-b6bf89af7ee1 + iscommand: false + name: SOC Email Address Enrichment - Generic v2.1_V3 + playbookId: SOC Email Address Enrichment - Generic v2.1_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: 8722b45a-2b50-44ac-8515-b6bf89af7ee1 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 2022.5, + "y": 600 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": { + "4_15_Yes": 0.82, + "5_16_Yes": 0.84, + "5_22_No": 0.84, + "6_40_Yes": 0.9 + }, + "paper": { + "dimensions": { + "height": 1660, + "width": 5040, + "x": -1720, + "y": 50 + } + } + } +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_PAN-OS_-_Block_IP_-_Custom_Block_Rule.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_PAN-OS_-_Block_IP_-_Custom_Block_Rule.yml new file mode 100644 index 0000000..435c217 --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_PAN-OS_-_Block_IP_-_Custom_Block_Rule.yml @@ -0,0 +1,672 @@ +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 5.0.0 + isoverridable: false + itemVersion: 1.0.0 + packID: "" + packName: SOC Common Playbooks + prevname: "" + toServerVersion: "" +description: |- + This playbook blocks IP addresses using Custom Block Rules in Palo Alto Networks Panorama or Firewall. + The playbook receives malicious IP addresses as inputs, creates a custom bi-directional rule to block them, and commits the configuration. +dirtyInputs: true +id: 'SOC PAN-OS - Block IP - Custom Block Rule_V3' +inputSections: +- description: Generic group for inputs + inputs: + - LogForwarding + - IP + - AutoCommit + - ShadowMode + name: General (Inputs group) +inputs: +- description: Panorama log forwarding object name + key: LogForwarding + playbookInputQuery: + required: false + value: {} +- description: IP address to block + key: IP + playbookInputQuery: + required: false + value: + complex: + accessor: Address + filters: + - - left: + iscontext: true + value: + simple: IP.Malicious + operator: isExists + root: IP + transformers: + - operator: uniq +- description: |- + This input establishes whether to commit the configuration automatically. + Yes - Commit automatically. + No - Commit manually. + key: AutoCommit + playbookInputQuery: + required: false + value: + simple: "No" +- description: Shadow Mode is a key safety mechanism. It ensures actions like isolate_endpoint + or disable_user are logged but not executed in test scenarios. + key: ShadowMode + playbookInputQuery: + required: false + value: + simple: "true" +name: SOC PAN-OS - Block IP - Custom Block Rule_V3 +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: [] +outputs: [] +sourceplaybookid: PAN-OS - Block IP - Custom Block Rule +starttaskid: "0" +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "1" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 49a9b9d3-a97b-4473-8119-70300c0c01ed + iscommand: false + name: "" + version: -1 + taskid: 49a9b9d3-a97b-4473-8119-70300c0c01ed + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 481, + "y": 50 + } + } + "1": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: brand + filters: + - - left: + iscontext: true + value: + simple: modules.brand + operator: isEqualString + right: + value: + simple: Panorama + - - left: + iscontext: true + value: + simple: modules.state + operator: isEqualString + right: + value: + simple: active + root: modules + operator: isExists + label: "yes" + continueonerrortype: "" + id: "1" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "4" + "yes": + - "5" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 957428b9-9a0c-4ae3-8917-83ae0a83de43 + iscommand: false + name: Palo Alto Networks PAN-OS enabled? + type: condition + version: -1 + taskid: 957428b9-9a0c-4ae3-8917-83ae0a83de43 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 481, + "y": 210 + } + } + "2": + continueonerror: true + continueonerrortype: errorPath + id: "2" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "15" + '#none#': + - "17" + note: false + quietmode: 0 + scriptarguments: + log_forwarding: + complex: + filters: + - - left: + iscontext: true + value: + simple: inputs.LogForwarding + operator: isNotEmpty + root: inputs.LogForwarding + object_type: + simple: ip + object_value: + complex: + root: inputs.IP + pre_post: + simple: pre-rulebase + rulename: + simple: Demisto - ${alert.id} + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Creates a custom block policy rule in Panorama. + id: 4f2dd2a0-72aa-4a98-aa92-91e131db091f + iscommand: true + name: Panorama - Create custom block rule + script: '|||pan-os-custom-block-rule' + type: regular + version: -1 + taskid: 4f2dd2a0-72aa-4a98-aa92-91e131db091f + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 962, + "y": 1230 + } + } + "4": + continueonerrortype: "" + id: "4" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: da771405-12fa-4cf0-8e22-1ecfd2393812 + iscommand: false + name: Done + type: title + version: -1 + taskid: da771405-12fa-4cf0-8e22-1ecfd2393812 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 435.75, + "y": 1570 + } + } + "5": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.IP + operator: isExists + right: + value: {} + label: "yes" + continueonerrortype: "" + id: "5" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "4" + "yes": + - "18" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 3ca4edaa-2ab1-4c17-b633-4ebf573a18e1 + iscommand: false + name: Is there an IP to block? + type: condition + version: -1 + taskid: 3ca4edaa-2ab1-4c17-b633-4ebf573a18e1 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 626.25, + "y": 380 + } + } + "7": + continueonerror: true + continueonerrortype: errorPath + id: "7" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "15" + '#none#': + - "11" + note: false + quietmode: 0 + scriptarguments: + ip_netmask: + simple: 255.255.255.255 + name: + complex: + root: inputs.IP + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Creates an address object + id: 09a29c90-2d95-4fe8-90e5-e8125bfa706c + iscommand: true + name: PAN-OS - Create address object + script: '|||pan-os-create-address' + type: regular + version: -1 + taskid: 09a29c90-2d95-4fe8-90e5-e8125bfa706c + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 531, + "y": 720 + } + } + "11": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.AutoCommit + operator: isEqualString + right: + value: + simple: "Yes" + label: "yes" + continueonerrortype: "" + id: "11" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "12" + "yes": + - "16" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 4d41a27f-1818-4f90-8bba-39b3881a4af3 + iscommand: false + name: AutoCommit defined? + type: condition + version: -1 + taskid: 4d41a27f-1818-4f90-8bba-39b3881a4af3 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 721.5, + "y": 890 + } + } + "12": + continueonerrortype: "" + id: "12" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "13" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 5df6d93f-8c45-4a3b-840f-cd0a24cc7ae6 + iscommand: false + name: Commit PAN-OS Instance manually + type: regular + version: -1 + taskid: 5df6d93f-8c45-4a3b-840f-cd0a24cc7ae6 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 435.75, + "y": 1060 + } + } + "13": + continueonerror: true + continueonerrortype: errorPath + id: "13" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "15" + '#none#': + - "14" + note: false + quietmode: 0 + scriptarguments: + log_forwarding: + complex: + filters: + - - left: + iscontext: true + value: + simple: inputs.LogForwarding + operator: isNotEmpty + root: inputs.LogForwarding + object_type: + simple: ip + object_value: + complex: + root: inputs.IP + pre_post: + simple: pre-rulebase + rulename: + simple: Demisto - ${alert.id} + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Creates a custom block policy rule in Panorama. + id: 132d398b-e8e2-4e96-bc18-698f7fc88385 + iscommand: true + name: Panorama - Create custom block rule + script: '|||pan-os-custom-block-rule' + type: regular + version: -1 + taskid: 132d398b-e8e2-4e96-bc18-698f7fc88385 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 435.75, + "y": 1230 + } + } + "14": + continueonerrortype: "" + id: "14" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "4" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: a1caf43e-5771-4591-8b0f-1653b0fd201a + iscommand: false + name: Commit PAN-OS Instance manually + type: regular + version: -1 + taskid: a1caf43e-5771-4591-8b0f-1653b0fd201a + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 531, + "y": 1400 + } + } + "15": + continueonerrortype: "" + id: "15" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "4" + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: 267ba183-4090-44a6-84cf-67697b3675aa + iscommand: false + name: Foundation - Foundation - Error Handling_V3 + playbookId: Foundation - Foundation - Error Handling_V3 + type: playbook + version: -1 + taskid: 267ba183-4090-44a6-84cf-67697b3675aa + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 50, + "y": 1400 + } + } + "16": + continueonerrortype: "" + id: "16" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: b9ffab74-7ee9-4b98-8f9c-6a32cfdfae58 + iscommand: false + name: SOC PAN-OS Commit Configuration v2_V3 + playbookId: SOC PAN-OS Commit Configuration v2_V3 + type: playbook + version: -1 + taskid: b9ffab74-7ee9-4b98-8f9c-6a32cfdfae58 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 962, + "y": 1060 + } + } + "17": + continueonerrortype: "" + id: "17" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "4" + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: 68309d6a-c9f2-4165-8eb1-b517754d6c8a + iscommand: false + name: SOC PAN-OS Commit Configuration v2_V3 + playbookId: SOC PAN-OS Commit Configuration v2_V3 + type: playbook + version: -1 + taskid: 68309d6a-c9f2-4165-8eb1-b517754d6c8a + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 1012, + "y": 1400 + } + } + "18": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.ShadowMode + operator: isFalse + right: + value: {} + label: "no" + continueonerrortype: "" + id: "18" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "19" + "no": + - "7" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 8580095f-c402-4d1e-9308-a935b1165b0d + iscommand: false + name: Shadow Run? + type: condition + version: -1 + taskid: 8580095f-c402-4d1e-9308-a935b1165b0d + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 771.5, + "y": 550 + } + } + "19": + continueonerrortype: "" + id: "19" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "4" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow Mode: Block IP on PAN-OS ${inputs.IP} + Command: pan-os-custom-block-rule + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: d51cceda-f8cf-4c3b-8509-5b823e58c533 + iscommand: false + name: Print To WarRoom + script: Print + type: regular + version: -1 + taskid: d51cceda-f8cf-4c3b-8509-5b823e58c533 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1493, + "y": 1400 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": { + "11_16_yes": 0.82, + "1_4_#default#": 0.15, + "5_4_#default#": 0.19 + }, + "paper": { + "dimensions": { + "height": 1580, + "width": 1823, + "x": 50, + "y": 50 + } + } + } +adopted: true +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_PAN-OS_-_Block_IP_-_Static_Address_Group.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_PAN-OS_-_Block_IP_-_Static_Address_Group.yml new file mode 100644 index 0000000..8425df9 --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_PAN-OS_-_Block_IP_-_Static_Address_Group.yml @@ -0,0 +1,758 @@ +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 6.10.0 + isoverridable: false + itemVersion: 1.0.0 + packID: "" + packName: SOC Common Playbooks + prevname: "" + toServerVersion: "" +description: |- + This playbook blocks IP addresses using Static Address Groups in Palo Alto Networks Panorama or Firewall. + The playbook receives malicious IP addresses and an address group name as inputs, verifies that the addresses are not already a part of the address group, adds them and commits the configuration. + + ***Note - The playbook does not block the address group communication using a policy block rule. This step will be taken once outside of the playbook. +dirtyInputs: true +id: 'SOC PAN-OS - Block IP - Static Address Group_V3' +inputSections: +- description: Generic group for inputs + inputs: + - IP + - AddressGroupName + - AutoCommit + - IPDescription + - ShadowMode + name: General (Inputs group) +inputs: +- description: IP address to block + key: IP + playbookInputQuery: + required: false + value: + complex: + accessor: Address + filters: + - - left: + iscontext: true + value: + simple: IP.Malicious + operator: isExists + root: IP + transformers: + - operator: uniq +- description: Static address group name + key: AddressGroupName + playbookInputQuery: + required: false + value: + simple: Remediation - Static Address Group +- description: |- + This input establishes whether to commit the configuration automatically. + Yes - Commit automatically. + No - Commit manually. + key: AutoCommit + playbookInputQuery: + required: false + value: + simple: "No" +- description: The description of the IP in case it will get created by the playbook. + key: IPDescription + playbookInputQuery: + required: false + value: + simple: Automatically created using "PAN-OS - Block IP - Static Address Group" + playbook in Cortex XSIAM. +- description: Shadow Mode is a key safety mechanism. It ensures actions like isolate_endpoint + or disable_user are logged but not executed in test scenarios. + key: ShadowMode + playbookInputQuery: + required: false + value: + simple: "true" +name: SOC PAN-OS - Block IP - Static Address Group_V3 +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: [] +outputs: [] +sourceplaybookid: PAN-OS - Block IP - Static Address Group +starttaskid: "0" +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "1" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 190b5447-4f35-40e2-83f3-8dd9753b0708 + iscommand: false + name: "" + version: -1 + taskid: 190b5447-4f35-40e2-83f3-8dd9753b0708 + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 190.5, + "y": 50 + } + } + "1": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: brand + filters: + - - left: + iscontext: true + value: + simple: modules.brand + operator: isEqualString + right: + value: + simple: Panorama + - - left: + iscontext: true + value: + simple: modules.state + operator: isEqualString + right: + value: + simple: active + root: modules + operator: isExists + label: "yes" + continueonerrortype: "" + id: "1" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "3" + "yes": + - "2" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 480942ef-335c-4e66-87f7-dc2b3ada2048 + iscommand: false + name: Palo Alto Networks PAN-OS enabled? + type: condition + version: -1 + taskid: 480942ef-335c-4e66-87f7-dc2b3ada2048 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 190.5, + "y": 210 + } + } + "2": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.IP + operator: isExists + label: "yes" + continueonerrortype: "" + id: "2" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "3" + "yes": + - "4" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 1ecb1e3c-a84b-40ce-8975-79f309bd0b07 + iscommand: false + name: Is there an IP to block? + type: condition + version: -1 + taskid: 1ecb1e3c-a84b-40ce-8975-79f309bd0b07 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 335.75, + "y": 380 + } + } + "3": + continueonerrortype: "" + id: "3" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 36d25b97-4e69-4936-86da-72333275ad79 + iscommand: false + name: Done + type: title + version: -1 + taskid: 36d25b97-4e69-4936-86da-72333275ad79 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 50, + "y": 1910 + } + } + "4": + continueonerror: true + continueonerrortype: errorPath + id: "4" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "17" + '#none#': + - "5" + note: false + quietmode: 0 + scriptarguments: + name: + complex: + root: inputs.AddressGroupName + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Get details for the specified address group + id: 2fc992ff-4425-4463-9e48-3b56de20b719 + iscommand: true + name: PAN-OS - Get address group + script: '|||pan-os-get-address-group' + type: regular + version: -1 + taskid: 2fc992ff-4425-4463-9e48-3b56de20b719 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 481, + "y": 550 + } + } + "5": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: Panorama.AddressGroups.Addresses + operator: containsGeneral + right: + iscontext: true + value: + simple: inputs.IP + label: "yes" + continueonerrortype: "" + id: "5" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "20" + "yes": + - "3" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 435dfd22-d2d5-4ccb-8116-20e0c9dab09f + iscommand: false + name: Check if the malicious IPs already exist in the address group + type: condition + version: -1 + taskid: 435dfd22-d2d5-4ccb-8116-20e0c9dab09f + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 626.25, + "y": 720 + } + } + "6": + continueonerror: true + continueonerrortype: errorPath + id: "6" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "17" + '#none#': + - "19" + note: false + quietmode: 0 + scriptarguments: + element_to_add: + complex: + root: inputs.IP + transformers: + - args: + separator: + value: + simple: ',' + operator: join + name: + complex: + root: inputs.AddressGroupName + type: + simple: static + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Add IP addresses to a static or dynamic address group. + id: fbfc998f-68e7-48fd-9439-2fbc06104cdc + iscommand: true + name: PAN OS - Add IP addresses to address group + script: '|||pan-os-edit-address-group' + type: regular + version: -1 + taskid: fbfc998f-68e7-48fd-9439-2fbc06104cdc + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 962, + "y": 1570 + } + } + "7": + continueonerror: true + continueonerrortype: errorPath + id: "7" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "17" + '#none#': + - "12" + note: false + quietmode: 0 + scriptarguments: + description: + simple: ${inputs.IPDescription} + ip_netmask: + simple: ${inputs.IP} + name: + complex: + root: inputs.IP + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Creates an address object + id: 1bc88997-e37a-426c-94af-31e6a0682e3d + iscommand: true + name: PAN-OS - Create address objects + script: '|||pan-os-create-address' + type: regular + version: -1 + taskid: 1bc88997-e37a-426c-94af-31e6a0682e3d + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 531, + "y": 1060 + } + } + "12": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.AutoCommit + operator: isEqualString + right: + value: + simple: "Yes" + label: "yes" + continueonerrortype: "" + id: "12" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "13" + "yes": + - "18" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 52739aac-151a-484e-8ca0-cb85200d4a9b + iscommand: false + name: AutoCommit defined? + type: condition + version: -1 + taskid: 52739aac-151a-484e-8ca0-cb85200d4a9b + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 721.5, + "y": 1230 + } + } + "13": + continueonerrortype: "" + id: "13" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "14" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 32cbe912-af9b-416f-8c8a-e54b58a88558 + iscommand: false + name: Commit PAN-OS Instance manually + type: regular + version: -1 + taskid: 32cbe912-af9b-416f-8c8a-e54b58a88558 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 481, + "y": 1400 + } + } + "14": + continueonerror: true + continueonerrortype: errorPath + id: "14" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "17" + '#none#': + - "15" + note: false + quietmode: 0 + scriptarguments: + element_to_add: + complex: + root: inputs.IP + transformers: + - args: + separator: + value: + simple: ',' + operator: join + name: + complex: + root: inputs.AddressGroupName + type: + simple: static + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Add IP addresses to a static or dynamic address group. + id: ac681976-9dfa-4593-8455-754493c186d1 + iscommand: true + name: PAN OS - Add IP addresses to address group + script: '|||pan-os-edit-address-group' + type: regular + version: -1 + taskid: ac681976-9dfa-4593-8455-754493c186d1 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 481, + "y": 1570 + } + } + "15": + continueonerrortype: "" + id: "15" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "3" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 8a034a0d-ebea-401c-8b9d-e7e708d94fdb + iscommand: false + name: Commit PAN-OS Instance manually + type: regular + version: -1 + taskid: 8a034a0d-ebea-401c-8b9d-e7e708d94fdb + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 531, + "y": 1740 + } + } + "17": + continueonerrortype: "" + id: "17" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "3" + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: ab1d1251-d394-4842-8bb4-1762c3c58e05 + iscommand: false + name: Foundation - Foundation - Error Handling_V3 + playbookId: Foundation - Foundation - Error Handling_V3 + type: playbook + version: -1 + taskid: ab1d1251-d394-4842-8bb4-1762c3c58e05 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 50, + "y": 1740 + } + } + "18": + continueonerrortype: "" + id: "18" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "6" + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: 28c269e2-9df9-482e-8350-dee1079c6c41 + iscommand: false + name: SOC PAN-OS Commit Configuration v2_V3 + playbookId: SOC PAN-OS Commit Configuration v2_V3 + type: playbook + version: -1 + taskid: 28c269e2-9df9-482e-8350-dee1079c6c41 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 962, + "y": 1400 + } + } + "19": + continueonerrortype: "" + id: "19" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "3" + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: b68c8ca1-8dcb-4c3e-86f5-c3f70fc113f6 + iscommand: false + name: SOC PAN-OS Commit Configuration v2_V3 + playbookId: SOC PAN-OS Commit Configuration v2_V3 + type: playbook + version: -1 + taskid: b68c8ca1-8dcb-4c3e-86f5-c3f70fc113f6 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 1012, + "y": 1740 + } + } + "20": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.ShadowMode + operator: isFalse + right: + value: {} + label: "no" + continueonerrortype: "" + id: "20" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "21" + "no": + - "7" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: e202b413-caa0-4a10-826c-ef3b12cad984 + iscommand: false + name: Shadow Run? + type: condition + version: -1 + taskid: e202b413-caa0-4a10-826c-ef3b12cad984 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 771.5, + "y": 890 + } + } + "21": + continueonerrortype: "" + id: "21" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "3" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow Mode: PAN-OS Block IP - Static Group + Command: pan-os-edit-address-group + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: 57435235-3431-4233-905b-3663b2d68076 + iscommand: false + name: Print To WarRoom + script: Print + type: regular + version: -1 + taskid: 57435235-3431-4233-905b-3663b2d68076 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1493, + "y": 1740 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": { + "12_18_yes": 0.84, + "1_3_#default#": 0.16, + "2_3_#default#": 0.17, + "5_3_yes": 0.29 + }, + "paper": { + "dimensions": { + "height": 1920, + "width": 1823, + "x": 50, + "y": 50 + } + } + } +adopted: true +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_PAN-OS_-_Block_URL_-_Custom_URL_Category.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_PAN-OS_-_Block_URL_-_Custom_URL_Category.yml new file mode 100644 index 0000000..69d01fb --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_PAN-OS_-_Block_URL_-_Custom_URL_Category.yml @@ -0,0 +1,1095 @@ +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 6.10.0 + isoverridable: false + itemVersion: 1.0.0 + packID: "" + packName: SOC Common Playbooks + prevname: "" + toServerVersion: "" +description: |- + This playbook blocks URLs using Palo Alto Networks Panorama or Firewall through Custom URL Categories. + The playbook checks whether the input URL category already exists, and if the URLs are a part of this category. Otherwise, it will create the category, block the URLs, and commit the configuration. +dirtyInputs: true +id: 'SOC PAN-OS - Block URL - Custom URL Category_V3' +inputSections: +- description: Generic group for inputs + inputs: + - URL + - CustomURLCategory + - LogForwarding + - AutoCommit + - type + - device-group + - categories + - pre-post + - ShadowMode + name: General (Inputs group) +inputs: +- description: URL to block + key: URL + playbookInputQuery: + required: false + value: + complex: + accessor: Data + filters: + - - left: + iscontext: true + value: + simple: URL.Malicious + operator: isExists + root: URL + transformers: + - operator: uniq +- description: Custom URL Category name + key: CustomURLCategory + playbookInputQuery: + required: false + value: + simple: Remediation - Malicious URLs +- description: Panorama log forwarding object name + key: LogForwarding + playbookInputQuery: + required: false + value: {} +- description: |- + This input establishes whether to commit the configuration automatically. + Yes - Commit automatically. + No - Commit manually. + key: AutoCommit + playbookInputQuery: + required: false + value: + simple: "No" +- description: Custom URL category type. Insert "URL List"/ "Category Match". + key: type + playbookInputQuery: + required: false + value: {} +- description: Device group for the Custom URL Category (Panorama instances). + key: device-group + playbookInputQuery: + required: false + value: {} +- description: The list of categories. Relevant from PAN-OS v9.x. + key: categories + playbookInputQuery: + required: false + value: {} +- description: Specify pre-rulebase or post-rulebase. (Panorama instances). + key: pre-post + playbookInputQuery: + required: false + value: + simple: pre-rulebase +- description: Shadow Mode is a key safety mechanism. It ensures actions like isolate_endpoint + or disable_user are logged but not executed in test scenarios. + key: ShadowMode + playbookInputQuery: + required: false + value: + simple: "true" +name: SOC PAN-OS - Block URL - Custom URL Category_V3 +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: [] +outputs: [] +sourceplaybookid: PAN-OS - Block URL - Custom URL Category +starttaskid: "0" +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "1" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: b04e828c-66a7-4f40-8753-90ba9a20ccf2 + iscommand: false + name: "" + version: -1 + taskid: b04e828c-66a7-4f40-8753-90ba9a20ccf2 + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 962, + "y": 40 + } + } + "1": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: brand + filters: + - - left: + iscontext: true + value: + simple: modules.brand + operator: isEqualString + right: + value: + simple: Panorama + - - left: + iscontext: true + value: + simple: modules.state + operator: isEqualString + right: + value: + simple: active + root: modules + operator: isExists + label: "yes" + continueonerrortype: "" + id: "1" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "5" + "yes": + - "2" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: e12beb96-60f4-4279-8122-884f57440b1e + iscommand: false + name: Is Palo Alto Networks PAN-OS enabled? + type: condition + version: -1 + taskid: e12beb96-60f4-4279-8122-884f57440b1e + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 962, + "y": 210 + } + } + "2": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.URL + operator: isExists + label: "yes" + continueonerrortype: "" + id: "2" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "5" + "yes": + - "9" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: d8aa9ca9-1af0-4c39-81b4-46c18e53167b + iscommand: false + name: Is there a URL to block? + type: condition + version: -1 + taskid: d8aa9ca9-1af0-4c39-81b4-46c18e53167b + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 1107.25, + "y": 380 + } + } + "3": + continueonerror: true + continueonerrortype: errorPath + id: "3" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "24" + '#none#': + - "15" + note: false + quietmode: 0 + scriptarguments: + categories: + complex: + root: inputs.categories + description: + simple: Malicious URLs + device-group: + complex: + root: inputs.device-group + name: + complex: + root: inputs.CustomURLCategory + sites: + complex: + root: inputs.URL + transformers: + - args: + separator: + value: + simple: ',' + operator: join + type: + complex: + root: inputs.type + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Creates a custom URL category + id: 54dd10c2-babf-4b0a-87fc-f3d729d276a0 + iscommand: true + name: PAN-OS - Create Custom URL Category + script: '|||pan-os-create-custom-url-category' + type: regular + version: -1 + taskid: 54dd10c2-babf-4b0a-87fc-f3d729d276a0 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 2124, + "y": 1060 + } + } + "4": + continueonerror: true + continueonerrortype: errorPath + id: "4" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "24" + '#none#': + - "26" + note: false + quietmode: 0 + scriptarguments: + device-group: + complex: + root: inputs.device-group + log_forwarding: + complex: + filters: + - - left: + iscontext: true + value: + simple: inputs.LogForwarding + operator: isNotEmpty + root: inputs.LogForwarding + object_type: + simple: url-category + object_value: + complex: + root: inputs.CustomURLCategory + pre_post: + complex: + root: inputs.pre-post + rulename: + simple: Block Rule - ${alert.id} + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Creates a custom block policy rule to block communication to URLs + in this category. + id: 0c911378-14f2-41a7-baf3-44fa42980251 + iscommand: true + name: PAN-OS - Block Malicious URL Category + script: '|||pan-os-custom-block-rule' + type: regular + version: -1 + taskid: 0c911378-14f2-41a7-baf3-44fa42980251 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 2509.75, + "y": 1570 + } + } + "5": + continueonerrortype: "" + id: "5" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 4d893660-9b68-4b75-883f-6624620fb454 + iscommand: false + name: Done + type: title + version: -1 + taskid: 4d893660-9b68-4b75-883f-6624620fb454 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 916.75, + "y": 1910 + } + } + "9": + continueonerror: true + continueonerrortype: errorPath + id: "9" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "24" + '#none#': + - "11" + note: false + quietmode: 0 + scriptarguments: + device-group: + complex: + root: inputs.device-group + name: + complex: + root: inputs.CustomURLCategory + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Returns information for a specified custom URL category + id: b04daec6-9e01-44f8-8f4c-ab9c7a1a9299 + iscommand: true + name: PAN-OS - Get Custom URL Category + script: '|||pan-os-get-custom-url-category' + type: regular + version: -1 + taskid: b04daec6-9e01-44f8-8f4c-ab9c7a1a9299 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1252.5, + "y": 550 + } + } + "10": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: Panorama.CustomURLCategory.Sites + operator: containsGeneral + right: + iscontext: true + value: + simple: inputs.URL + label: "yes" + continueonerrortype: "" + id: "10" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "30" + "yes": + - "5" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 0519c3cc-452b-4c33-8fc0-45e60f6edcb9 + iscommand: false + name: Malicious URLs already exist in the Custom URL Category? + type: condition + version: -1 + taskid: 0519c3cc-452b-4c33-8fc0-45e60f6edcb9 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 95.25, + "y": 1060 + } + } + "11": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: Panorama.CustomURLCategory.Name + operator: isExists + label: "yes" + continueonerrortype: "" + id: "11" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "28" + "yes": + - "10" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 1d9d896f-0796-4e86-8dd9-d6072875a535 + iscommand: false + name: Custom URL Category exists? + type: condition + version: -1 + taskid: 1d9d896f-0796-4e86-8dd9-d6072875a535 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 1397.75, + "y": 720 + } + } + "12": + continueonerror: true + continueonerrortype: errorPath + id: "12" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "24" + '#none#': + - "17" + note: false + quietmode: 0 + scriptarguments: + action: + simple: add + categories: + complex: + root: inputs.categories + name: + complex: + root: inputs.CustomURLCategory + sites: + complex: + root: inputs.URL + transformers: + - args: + separator: + value: + simple: ',' + operator: join + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Add sites to, or remove sites from, a custom URL category + id: 82bc09a8-df14-48bf-8f66-48138a756cba + iscommand: true + name: PAN-OS - Add malicious URLs to Custom URL Category + script: '|||pan-os-edit-custom-url-category' + type: regular + version: -1 + taskid: 82bc09a8-df14-48bf-8f66-48138a756cba + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 290.5, + "y": 1400 + } + } + "15": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.AutoCommit + operator: isEqualString + right: + value: + simple: "Yes" + label: "yes" + continueonerrortype: "" + id: "15" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "16" + "yes": + - "25" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 80060245-606b-4c59-8baa-c985a309745f + iscommand: false + name: AutoCommit defined? + type: condition + version: -1 + taskid: 80060245-606b-4c59-8baa-c985a309745f + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 2269.25, + "y": 1230 + } + } + "16": + continueonerrortype: "" + id: "16" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "19" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: bc336c13-48d4-4f99-8225-9a6a53af8861 + iscommand: false + name: Commit PAN-OS Instance manually + type: regular + version: -1 + taskid: bc336c13-48d4-4f99-8225-9a6a53af8861 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 2028.75, + "y": 1400 + } + } + "17": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.AutoCommit + operator: isEqualString + right: + value: + simple: "Yes" + label: "yes" + continueonerrortype: "" + id: "17" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "18" + "yes": + - "27" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 3c782409-7469-45c5-80e0-c95308ad57bf + iscommand: false + name: AutoCommit defined? + type: condition + version: -1 + taskid: 3c782409-7469-45c5-80e0-c95308ad57bf + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 435.75, + "y": 1570 + } + } + "18": + continueonerrortype: "" + id: "18" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "5" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 73abf18f-a70f-4c67-81a3-3e9724cc9c5e + iscommand: false + name: Commit PAN-OS Instance manually + type: regular + version: -1 + taskid: 73abf18f-a70f-4c67-81a3-3e9724cc9c5e + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 50, + "y": 1740 + } + } + "19": + continueonerror: true + continueonerrortype: errorPath + id: "19" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "24" + '#none#': + - "20" + note: false + quietmode: 0 + scriptarguments: + device-group: + complex: + root: inputs.device-group + log_forwarding: + complex: + filters: + - - left: + iscontext: true + value: + simple: inputs.LogForwarding + operator: isNotEmpty + root: inputs.LogForwarding + object_type: + simple: url-category + object_value: + complex: + root: inputs.CustomURLCategory + pre_post: + complex: + root: inputs.pre-post + rulename: + simple: Block Rule - ${alert.id} + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Creates a custom block policy rule to block communication to URLs + in this category. + id: 03792349-cd68-4953-beff-45151f16c797 + iscommand: true + name: PAN-OS - Block Malicious URL Category + script: '|||pan-os-custom-block-rule' + type: regular + version: -1 + taskid: 03792349-cd68-4953-beff-45151f16c797 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 2028.75, + "y": 1570 + } + } + "20": + continueonerrortype: "" + id: "20" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "5" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: ae0d8023-81e3-4c95-8ccb-08f02de687e7 + iscommand: false + name: Commit PAN-OS Instance manually + type: regular + version: -1 + taskid: ae0d8023-81e3-4c95-8ccb-08f02de687e7 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 2078.75, + "y": 1740 + } + } + "24": + continueonerrortype: "" + id: "24" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "5" + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: f2fd9c9a-592b-4c40-8214-b90c2d217054 + iscommand: false + name: Foundation - Foundation - Error Handling_V3 + playbookId: Foundation - Foundation - Error Handling_V3 + type: playbook + version: -1 + taskid: f2fd9c9a-592b-4c40-8214-b90c2d217054 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 1062, + "y": 1740 + } + } + "25": + continueonerrortype: "" + id: "25" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "4" + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: a14f9f99-7459-49b5-8b10-40583ab57527 + iscommand: false + name: SOC PAN-OS Commit Configuration v2_V3 + playbookId: SOC PAN-OS Commit Configuration v2_V3 + type: playbook + version: -1 + taskid: a14f9f99-7459-49b5-8b10-40583ab57527 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 2509.75, + "y": 1400 + } + } + "26": + continueonerrortype: "" + id: "26" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "5" + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: 75d96362-721d-4976-85f7-21d62143aca4 + iscommand: false + name: SOC PAN-OS Commit Configuration v2_V3 + playbookId: SOC PAN-OS Commit Configuration v2_V3 + type: playbook + version: -1 + taskid: 75d96362-721d-4976-85f7-21d62143aca4 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 2559.75, + "y": 1740 + } + } + "27": + continueonerrortype: "" + id: "27" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "5" + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: 3c63a355-b588-41ec-81e7-2e479c802c4c + iscommand: false + name: SOC PAN-OS Commit Configuration v2_V3 + playbookId: SOC PAN-OS Commit Configuration v2_V3 + type: playbook + version: -1 + taskid: 3c63a355-b588-41ec-81e7-2e479c802c4c + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 531, + "y": 1740 + } + } + "28": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.ShadowMode + operator: isFalse + right: + value: {} + label: "no" + continueonerrortype: "" + id: "28" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "29" + "no": + - "3" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 9a77efeb-a18e-4774-8e3c-0d570df2b7ff + iscommand: false + name: Shadow Run? + type: condition + version: -1 + taskid: 9a77efeb-a18e-4774-8e3c-0d570df2b7ff + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 2364.5, + "y": 890 + } + } + "29": + continueonerrortype: "" + id: "29" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "5" + note: false + quietmode: 0 + scriptarguments: + value: + simple: 'Shadow Mode: PAN-OS Block Malicious URL' + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: 797df12e-9225-48d8-b1c2-dca54b462524 + iscommand: false + name: Print To WarRoom + script: Print + type: regular + version: -1 + taskid: 797df12e-9225-48d8-b1c2-dca54b462524 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 3040.75, + "y": 1740 + } + } + "30": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.ShadowMode + operator: isFalse + right: + value: {} + label: "no" + continueonerrortype: "" + id: "30" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "31" + "no": + - "12" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: d5c1d824-2503-436e-880f-e0473b168fd4 + iscommand: false + name: Shadow Run? + type: condition + version: -1 + taskid: d5c1d824-2503-436e-880f-e0473b168fd4 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 771.5, + "y": 1230 + } + } + "31": + continueonerrortype: "" + id: "31" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "5" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow Mode: PAN-OS - Add malicious URLs to Custom URL Category + Command: pan-os-edit-custom-url-category + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: 655594f7-7570-4c05-9203-206769072c94 + iscommand: false + name: Print To WarRoom + script: Print + type: regular + version: -1 + taskid: 655594f7-7570-4c05-9203-206769072c94 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1593, + "y": 1740 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": { + "10_30_#default#": 0.9, + "10_5_yes": 0.5, + "15_25_yes": 0.9, + "19_24_#error#": 0.47, + "1_2_yes": 0.55, + "1_5_#default#": 0.12, + "2_5_#default#": 0.23 + }, + "paper": { + "dimensions": { + "height": 1930, + "width": 3370.75, + "x": 50, + "y": 40 + } + } + } +adopted: true +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_PAN-OS_-_Create_Or_Edit_Rule.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_PAN-OS_-_Create_Or_Edit_Rule.yml new file mode 100644 index 0000000..99dbcaf --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_PAN-OS_-_Create_Or_Edit_Rule.yml @@ -0,0 +1,974 @@ +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 5.0.0 + isoverridable: false + itemVersion: 1.0.0 + packID: "" + packName: SOC Common Playbooks + prevname: "" + toServerVersion: "" +description: Creates or edits a Panorama rule and moves it into the desired position +dirtyInputs: true +id: 'SOC PAN-OS - Create Or Edit Rule_V3' +inputSections: +- description: Generic group for inputs + inputs: + - device-group + - rule_name + - log-forwarding-object-name + - rule-position + - relative-rule-name + - inbound-or-outbound-rule + - element-to-add + - action-type + - pre-post-rulebase + - ShadowMode + name: General (Inputs group) +inputs: +- description: The device group to work on. Exists only in panorama! + key: device-group + playbookInputQuery: + required: false + value: {} +- description: The name of the rule to update, or the name of the rule that will be + created. + key: rule_name + playbookInputQuery: + required: true + value: {} +- description: The server address to which to forward logs. + key: log-forwarding-object-name + playbookInputQuery: + required: false + value: {} +- description: |- + The position of the rule in the ruleset. Valid values are: + * Top + * Bottom + * Before + * After + + The default is 'Bottom' + key: rule-position + playbookInputQuery: + required: false + value: {} +- description: If the rule-position that is chosen is before or after, specify the + rule name to which it is related. + key: relative-rule-name + playbookInputQuery: + required: false + value: {} +- description: Determines if the rule is inbound or outbound. + key: inbound-or-outbound-rule + playbookInputQuery: + required: false + value: {} +- description: the element to add to the rule + key: element-to-add + playbookInputQuery: + required: true + value: {} +- description: |- + The action that will be defined in the rule. Valid values are: + * allow + * deny + * drop + key: action-type + playbookInputQuery: + required: true + value: {} +- description: Determines whether the rule is a pre-rulebase or post-rulebase rule, + according to the rule structure. Exists only in panorama! + key: pre-post-rulebase + playbookInputQuery: + required: false + value: {} +- description: Shadow Mode is a key safety mechanism. It ensures actions like isolate_endpoint + or disable_user are logged but not executed in test scenarios. + key: ShadowMode + playbookInputQuery: + required: false + value: + simple: "true" +name: SOC PAN-OS - Create Or Edit Rule_V3 +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: [] +outputs: [] +sourceplaybookid: PAN-OS - Create Or Edit Rule +starttaskid: "0" +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "1" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: e69fbe1a-056a-4929-8dbe-d535f61246e6 + iscommand: false + name: "" + version: -1 + taskid: e69fbe1a-056a-4929-8dbe-d535f61246e6 + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 1838.25, + "y": 50 + } + } + "1": + continueonerror: true + continueonerrortype: errorPath + id: "1" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "12" + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + device-group: + complex: + root: inputs.device-group + pre_post: + complex: + root: inputs.pre-post-rulebase + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Returns a list of predefined security rules. + id: f59d5d01-6ca3-4559-88a3-d1ea84ba51fc + iscommand: true + name: List all rules + script: '|||pan-os-list-rules' + type: regular + version: -1 + taskid: f59d5d01-6ca3-4559-88a3-d1ea84ba51fc + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1838.25, + "y": 210 + } + } + "2": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: Panorama.SecurityRule.Name + operator: isEqualString + right: + iscontext: true + value: + simple: inputs.rule_name + label: "yes" + continueonerrortype: "" + id: "2" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "4" + "yes": + - "3" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks whether the rule exists + id: f02513b5-9cd4-435b-8bc6-d326954e50db + iscommand: false + name: Does the rule exist? + type: condition + version: -1 + taskid: f02513b5-9cd4-435b-8bc6-d326954e50db + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 1983.5, + "y": 380 + } + } + "3": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.inbound-or-outbound-rule + operator: isEqualString + right: + value: + simple: inbound + label: Inbound + - condition: + - - left: + iscontext: true + value: + simple: inputs.inbound-or-outbound-rule + operator: isEqualString + right: + value: + simple: outbound + label: Outbound + continueonerrortype: "" + id: "3" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + Inbound: + - "19" + Outbound: + - "17" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks whether the rule is inbound or outbound based on playbook + input + id: baccdbc9-eb31-4a3f-8e18-73996824ef3e + iscommand: false + name: Is the rule inbound or outbound? + type: condition + version: -1 + taskid: baccdbc9-eb31-4a3f-8e18-73996824ef3e + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 2709.75, + "y": 550 + } + } + "4": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.inbound-or-outbound-rule + operator: isEqualString + right: + value: + simple: inbound + label: Inbound + - condition: + - - left: + iscontext: true + value: + simple: inputs.inbound-or-outbound-rule + operator: isEqualString + right: + value: + simple: outbound + label: Outbound + continueonerrortype: "" + id: "4" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + Inbound: + - "13" + Outbound: + - "15" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks whether the rule is inbound or outbound based on playbook + input + id: f6317490-2c98-48a3-8ff8-c87e7d441343 + iscommand: false + name: Is the rule inbound or outbound? + type: condition + version: -1 + taskid: f6317490-2c98-48a3-8ff8-c87e7d441343 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 776.25, + "y": 550 + } + } + "5": + continueonerror: true + continueonerrortype: errorPath + id: "5" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "12" + '#none#': + - "9" + note: false + quietmode: 0 + scriptarguments: + element_to_change: + simple: source + element_value: + complex: + root: inputs.element-to-add + pre_post: + complex: + root: inputs.pre-post-rulebase + rulename: + complex: + root: inputs.rule_name + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Add the element in the input as the new source of the rule + id: 56b0853e-d401-484b-ac06-1bb678837642 + iscommand: true + name: Add new source to the rule + script: '|||pan-os-edit-rule' + type: regular + version: -1 + taskid: 56b0853e-d401-484b-ac06-1bb678837642 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 2519.25, + "y": 890 + } + } + "6": + continueonerror: true + continueonerrortype: errorPath + id: "6" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "12" + '#none#': + - "9" + note: false + quietmode: 0 + scriptarguments: + element_to_change: + simple: destination + element_value: + complex: + root: inputs.element-to-add + pre_post: + complex: + root: inputs.pre-post-rulebase + rulename: + complex: + root: inputs.rule_name + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Add the element in the input as the new destination of the rule + id: 9f165501-0785-45f1-a1d7-408a53ae32c2 + iscommand: true + name: Add the new destination to the rule + script: '|||pan-os-edit-rule' + type: regular + version: -1 + taskid: 9f165501-0785-45f1-a1d7-408a53ae32c2 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1938.25, + "y": 890 + } + } + "8": + continueonerror: true + continueonerrortype: errorPath + id: "8" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "12" + '#none#': + - "9" + note: false + quietmode: 0 + scriptarguments: + action: + complex: + root: inputs.action-type + destination: + complex: + root: inputs.element-to-add + device-group: + complex: + root: inputs.device-group + log_forwarding: + complex: + root: inputs.log-forwarding-object-name + pre_post: + complex: + root: inputs.pre-post-rulebase + rulename: + complex: + root: inputs.rule_name + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Add the element in the input as the new destination of the rule. + id: bea99e42-621e-4f22-ac22-9a8d376515a9 + iscommand: true + name: Create an outbound rule + script: '|||pan-os-create-rule' + type: regular + version: -1 + taskid: bea99e42-621e-4f22-ac22-9a8d376515a9 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 631, + "y": 890 + } + } + "9": + continueonerror: true + continueonerrortype: errorPath + id: "9" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "12" + '#none#': + - "10" + note: false + quietmode: 0 + scriptarguments: + device-group: + complex: + root: inputs.device-group + dst: + complex: + root: inputs.relative-rule-name + pre_post: + complex: + root: inputs.pre-post-rulebase + rulename: + complex: + root: inputs.rule_name + where: + complex: + root: inputs.rule-position + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Changes the location of a policy rule. + id: f9abe134-ea32-41c1-8e00-7a3dd7f48a82 + iscommand: true + name: Move the rule into its position + script: '|||pan-os-move-rule' + type: regular + version: -1 + taskid: f9abe134-ea32-41c1-8e00-7a3dd7f48a82 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1547.75, + "y": 1060 + } + } + "10": + continueonerrortype: "" + id: "10" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 4cb1e4d5-8722-4b7b-825a-9742e42f8344 + iscommand: false + name: Done + type: title + version: -1 + taskid: 4cb1e4d5-8722-4b7b-825a-9742e42f8344 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 1547.75, + "y": 1400 + } + } + "11": + continueonerror: true + continueonerrortype: errorPath + id: "11" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "12" + '#none#': + - "9" + note: false + quietmode: 0 + scriptarguments: + action: + complex: + root: inputs.action-type + device-group: + complex: + root: inputs.device-group + log_forwarding: + simple: ${inputs.log-forwarding-object-name} + pre_post: + complex: + root: inputs.pre-post-rulebase + rulename: + complex: + root: inputs.rule_name + source: + complex: + root: inputs.element-to-add + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Add the element in the input as the new source of the rule + id: 6141ed67-8de6-4054-a808-2ee61aa63fc2 + iscommand: true + name: Create an inbound rule + script: '|||pan-os-create-rule' + type: regular + version: -1 + taskid: 6141ed67-8de6-4054-a808-2ee61aa63fc2 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 50, + "y": 890 + } + } + "12": + continueonerrortype: "" + id: "12" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "10" + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: 58d2d031-5c72-435f-8e33-f4de6147b49b + iscommand: false + name: Foundation - Foundation - Error Handling_V3 + playbookId: Foundation - Foundation - Error Handling_V3 + type: playbook + version: -1 + taskid: 58d2d031-5c72-435f-8e33-f4de6147b49b + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 1257.25, + "y": 1230 + } + } + "13": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.ShadowMode + operator: isFalse + right: + value: {} + label: "no" + continueonerrortype: "" + id: "13" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "14" + "no": + - "11" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 575f4b1a-1ec3-4c15-a1c7-3884f8916065 + iscommand: false + name: Shadown Run? + type: condition + version: -1 + taskid: 575f4b1a-1ec3-4c15-a1c7-3884f8916065 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 195.25, + "y": 720 + } + } + "14": + continueonerrortype: "" + id: "14" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "10" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow Mode: PAN-OS Create an inbound rule + Command: pan-os-create-rule + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: 321ff9e1-8cbd-487b-9f71-244c8ec7c3b9 + iscommand: false + name: Print To WarRoom + script: Print + type: regular + version: -1 + taskid: 321ff9e1-8cbd-487b-9f71-244c8ec7c3b9 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 195.25, + "y": 1230 + } + } + "15": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.ShadowMode + operator: isFalse + right: + value: {} + label: "no" + continueonerrortype: "" + id: "15" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "16" + "no": + - "8" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 0c76690e-80e7-4961-a229-98b7daa926da + iscommand: false + name: Shadown Run? + type: condition + version: -1 + taskid: 0c76690e-80e7-4961-a229-98b7daa926da + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 776.25, + "y": 720 + } + } + "16": + continueonerrortype: "" + id: "16" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "10" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow Mode: PAN-OS Create an Outbound rule + Command: pan-os-create-rule + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: 046f6607-343d-4b51-b804-150e85e8de62 + iscommand: false + name: Print To WarRoom + script: Print + type: regular + version: -1 + taskid: 046f6607-343d-4b51-b804-150e85e8de62 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 776.25, + "y": 1230 + } + } + "17": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: shadow_mode + operator: isFalse + label: "no" + continueonerrortype: "" + id: "17" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "18" + "no": + - "6" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 28c2ed74-cfe9-41b2-8d03-fd4df981a6b2 + iscommand: false + name: Shadown Run? + type: condition + version: -1 + taskid: 28c2ed74-cfe9-41b2-8d03-fd4df981a6b2 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 2228.75, + "y": 720 + } + } + "18": + continueonerrortype: "" + id: "18" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "10" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow Mode: PAN-OS Add New Outbound Destination Rule + Command: pan-os-edit-rule + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: 36f7eff2-e429-4d6a-8f1d-ee68b4d2fc05 + iscommand: false + name: Print To WarRoom + script: Print + type: regular + version: -1 + taskid: 36f7eff2-e429-4d6a-8f1d-ee68b4d2fc05 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 2228.75, + "y": 1230 + } + } + "19": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.ShadowMode + operator: isFalse + right: + value: {} + label: "no" + continueonerrortype: "" + id: "19" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "20" + "no": + - "5" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 9e3762d3-f3c0-447d-bcf2-27bc08c2c8a8 + iscommand: false + name: Shadown Run? + type: condition + version: -1 + taskid: 9e3762d3-f3c0-447d-bcf2-27bc08c2c8a8 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 2809.75, + "y": 720 + } + } + "20": + continueonerrortype: "" + id: "20" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "10" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow Mode: PAN-OS Add New Inbound Destination Rule + Command: pan-os-edit-rule + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: 7831b2f0-4adc-4b8a-909a-77b2b9360e6b + iscommand: false + name: Print To WarRoom + script: Print + type: regular + version: -1 + taskid: 7831b2f0-4adc-4b8a-909a-77b2b9360e6b + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 2809.75, + "y": 1230 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": { + "2_3_yes": 0.6, + "2_4_#default#": 0.65, + "3_17_Outbound": 0.9, + "3_19_Inbound": 0.81, + "4_15_Outbound": 0.82 + }, + "paper": { + "dimensions": { + "height": 1410, + "width": 3139.75, + "x": 50, + "y": 50 + } + } + } +adopted: true +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_PAN-OS_Commit_Configuration_v2.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_PAN-OS_Commit_Configuration_v2.yml new file mode 100644 index 0000000..40640b7 --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_PAN-OS_Commit_Configuration_v2.yml @@ -0,0 +1,731 @@ +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 6.10.0 + isoverridable: false + itemVersion: 2.3.11 + packID: "" + packName: PAN-OS by Palo Alto Networks + prevname: "" + toServerVersion: "" +description: Commit the PAN-OS Panorama or Firewall configuration. If specified as + Panorama, it also pushes the Policies to the specified Device Group in the instance. +adopted: true +id: 'SOC PAN-OS Commit Configuration v2_V3' +inputs: +- description: "" + key: device-group + playbookInputQuery: + required: false + value: {} +name: SOC PAN-OS Commit Configuration v2_V3 +outputs: +- contextPath: Panorama.Commit.JobID + description: The job ID to commit. +- contextPath: Panorama.Commit.Status + description: The commit status. +- contextPath: Panorama.Commit.Description + description: The commit description from the the command input. +- contextPath: Panorama.Push.DeviceGroup + description: The device group in which the policies were pushed. +- contextPath: Panorama.Push.JobID + description: The job ID of the policies that were pushed. +- contextPath: Panorama.Push.Status + description: The push status. +- contextPath: Panorama.Push.Warnings + description: The push warnings. +- contextPath: Panorama.Push.Errors + description: The push errors. +- contextPath: Panorama.Push.Details + description: The job ID details. +sourceplaybookid: PAN-OS Commit Configuration v2 +starttaskid: "0" +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "1" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: '-' + id: 72f6ac89-7d29-48cd-8fc8-a87a469d368e + iscommand: false + name: "" + version: -1 + taskid: 72f6ac89-7d29-48cd-8fc8-a87a469d368e + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 585.75, + "y": 50 + } + } + "1": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: brand + filters: + - - left: + iscontext: true + value: + simple: modules.brand + operator: isEqualString + right: + value: + simple: Panorama + - - left: + iscontext: true + value: + simple: modules.state + operator: isEqualString + right: + value: + simple: active + root: modules + operator: isExists + right: + value: {} + label: "yes" + continueonerrortype: "" + id: "1" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "5" + "yes": + - "21" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Verify that there is a valid instance of Palo Alto Networks PAN-OS + enabled. + id: 9c71e52d-9168-48c7-85bf-c1ed81ed2c16 + iscommand: false + name: Is Palo Alto Networks PAN-OS enabled? + type: condition + version: -1 + taskid: 9c71e52d-9168-48c7-85bf-c1ed81ed2c16 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 585.75, + "y": 210 + } + } + "2": + continueonerror: true + continueonerrortype: errorPath + id: "2" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "20" + '#none#': + - "8" + note: false + quietmode: 0 + scriptarguments: + interval_in_seconds: + simple: "60" + polling: + simple: "true" + timeout: + simple: "600" + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Commit Palo Alto Firewall or Panorama + id: 47ca3754-4567-4ccf-99b4-9f2053bb84f3 + iscommand: true + name: Commit to Panorama + script: '|||pan-os-commit' + type: regular + version: -1 + taskid: 47ca3754-4567-4ccf-99b4-9f2053bb84f3 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 731, + "y": 380 + } + } + "5": + continueonerrortype: "" + id: "5" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: '-' + id: 952b0224-dd79-4eca-8721-d93bd8edd76a + iscommand: false + name: Done + type: title + version: -1 + taskid: 952b0224-dd79-4eca-8721-d93bd8edd76a + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 50, + "y": 2250 + } + } + "6": + continueonerror: true + continueonerrortype: errorPath + id: "6" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "20" + '#none#': + - "15" + note: false + quietmode: 0 + scriptarguments: + device-group: + complex: + root: inputs.device-group + interval_in_seconds: + simple: "60" + polling: + simple: "true" + timeout: + simple: "600" + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Push rules from Palo Alto Panorama to the Palo Alto configured + device group. + id: 0893c4a5-ca50-45fc-9ba2-d7b97a05523f + iscommand: true + name: Push rules to the Panorama device group + script: '|||pan-os-push-to-device-group' + type: regular + version: -1 + taskid: 0893c4a5-ca50-45fc-9ba2-d7b97a05523f + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 295.25, + "y": 1570 + } + } + "8": + continueonerror: true + continueonerrortype: errorPath + id: "8" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "20" + '#none#': + - "14" + note: false + quietmode: 2 + scriptarguments: + job_id: + complex: + accessor: Commit.JobID + root: Panorama + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Get commit status + id: 11915f8b-5eca-42e1-aee9-3ec0ab14d279 + iscommand: true + name: Get Panorama commit status + script: '|||pan-os-commit-status' + type: regular + version: -1 + taskid: 11915f8b-5eca-42e1-aee9-3ec0ab14d279 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 585.75, + "y": 550 + } + } + "12": + continueonerror: true + continueonerrortype: errorPath + id: "12" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "20" + '#none#': + - "13" + note: false + quietmode: 0 + scriptarguments: + cmd: + simple: + extend-context: + simple: panorama.model=response.result.system.model + type: + simple: op + separatecontext: false + skipunavailable: false + task: + brand: Panorama + description: Run any command supported in the API. + id: c217d92e-b1cc-4713-9aa6-1f506adbe409 + iscommand: true + name: Fetch instance info + script: Panorama|||pan-os + type: regular + version: -1 + taskid: c217d92e-b1cc-4713-9aa6-1f506adbe409 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 295.25, + "y": 1230 + } + } + "13": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: panorama.model + operator: isEqualString + right: + value: + simple: Panorama + label: Panorama + continueonerrortype: "" + id: "13" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "5" + Panorama: + - "6" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Automatically detects the product (Panorama/Firewall). + id: 0a67cd5e-291c-4cbf-8cf6-1898cd23ef39 + iscommand: false + name: Identify the instance type + type: condition + version: -1 + taskid: 0a67cd5e-291c-4cbf-8cf6-1898cd23ef39 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 150, + "y": 1400 + } + } + "14": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: Panorama.Commit.Status + operator: isEqualString + right: + value: + simple: Completed + label: "yes" + continueonerrortype: "" + id: "14" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "16" + "yes": + - "12" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: '-' + id: db94418c-0822-4d35-8bdc-6a323ac302d4 + iscommand: false + name: Was Panorama commit successful? + type: condition + version: -1 + taskid: db94418c-0822-4d35-8bdc-6a323ac302d4 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 440.5, + "y": 720 + } + } + "15": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: Panorama.Push.Status + operator: isEqualString + right: + value: + simple: Completed + label: "yes" + continueonerrortype: "" + id: "15" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "17" + "yes": + - "5" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: '-' + id: e5e51f27-0ef7-4603-8ff4-6f29c327187f + iscommand: false + name: Was Panorama push successful? + type: condition + version: -1 + taskid: e5e51f27-0ef7-4603-8ff4-6f29c327187f + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 150, + "y": 1740 + } + } + "16": + continueonerror: true + continueonerrortype: errorPath + id: "16" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "20" + '#none#': + - "18" + note: false + quietmode: 0 + scriptarguments: + message: + simple: Panorama Commit Failed + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints an error entry with a given message + id: 887bd879-a4dc-4870-a1fc-b07b931781e3 + iscommand: false + name: Print commit error + script: PrintErrorEntry + type: regular + version: -1 + taskid: 887bd879-a4dc-4870-a1fc-b07b931781e3 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 876.25, + "y": 890 + } + } + "17": + continueonerror: true + continueonerrortype: errorPath + id: "17" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "20" + '#none#': + - "19" + note: false + quietmode: 0 + scriptarguments: + message: + simple: Panorama Commit Failed + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints an error entry with a given message + id: 2f8737a3-3d68-449d-9756-050802e24895 + iscommand: false + name: Print push error + script: PrintErrorEntry + type: regular + version: -1 + taskid: 2f8737a3-3d68-449d-9756-050802e24895 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 295.25, + "y": 1910 + } + } + "18": + continueonerrortype: "" + id: "18" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "12" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: '-' + id: 3e46d493-9404-476d-8d95-68b8ad017a84 + iscommand: false + name: Fix errors and commit manually + type: regular + version: -1 + taskid: 3e46d493-9404-476d-8d95-68b8ad017a84 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 731, + "y": 1060 + } + } + "19": + continueonerrortype: "" + id: "19" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "5" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: '-' + id: 6e3293ac-bae0-4627-8b89-b25f67466c9f + iscommand: false + name: Fix errors and push manually + type: regular + version: -1 + taskid: 6e3293ac-bae0-4627-8b89-b25f67466c9f + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 245.25, + "y": 2080 + } + } + "20": + continueonerrortype: "" + id: "20" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "5" + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: 8f471745-b3e3-405b-8212-4463e67e8e37 + iscommand: false + name: Foundation - Foundation - Error Handling_V3 + playbookId: Foundation - Foundation - Error Handling_V3 + type: playbook + version: -1 + taskid: 8f471745-b3e3-405b-8212-4463e67e8e37 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 1112, + "y": 2080 + } + } + "21": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: shadow_mode + operator: isFalse + label: "no" + continueonerrortype: "" + id: "21" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "22" + "no": + - "2" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 4f19c583-8ab2-4949-a494-3821cd951d6a + iscommand: false + name: Shadow Run? + type: condition + version: -1 + taskid: 4f19c583-8ab2-4949-a494-3821cd951d6a + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 234, + "y": 358 + } + } + "22": + continueonerrortype: "" + id: "22" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "5" + note: false + quietmode: 0 + scriptarguments: + value: + simple: 'Shadow Run: PAN-OS Commit Change' + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: 5ff05dbb-9158-413e-a2a4-8974c70efffd + iscommand: false + name: Print To WarRoom + script: Print + type: regular + version: -1 + taskid: 5ff05dbb-9158-413e-a2a4-8974c70efffd + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 153, + "y": 516 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": { + "13_5_#default#": 0.1, + "13_6_Panorama": 0.73, + "14_12_yes": 0.24, + "15_17_#default#": 0.2, + "15_5_yes": 0.1, + "1_5_#default#": 0.17 + }, + "paper": { + "dimensions": { + "height": 2260, + "width": 1443, + "x": 50, + "y": 50 + } + } + } +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_PAN-OS_DAG_Configuration.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_PAN-OS_DAG_Configuration.yml new file mode 100644 index 0000000..59b24e1 --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_PAN-OS_DAG_Configuration.yml @@ -0,0 +1,751 @@ +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 6.10.0 + isoverridable: false + itemVersion: 1.0.0 + packID: "" + packName: SOC Common Playbooks + prevname: "" + toServerVersion: "" +description: "This playbook utilizes the Dynamic Address Group (DAG) capability of + PAN-OS.\nDAG enables analysts to create a rule one time, where the group is the + source/destination, and adds IP addresses dynamically without the need to commit + the configuration every time.\n\nThe playbook checks if the given tag already exists. + If the tag exists, then the IP address is added to the tag.\n\nIf the tag does not + exist, a new address group is created with the given tag and a matching rule, and + the configuration is committed. \n" +dirtyInputs: true +id: 'SOC PAN-OS DAG Configuration_V3' +inputSections: +- description: Generic group for inputs + inputs: + - tag_name + - ip_list + - address_group_name + - rule_name + - auto_commit + - log-forwarding-object-name + - rule-position + - relative-rule-name + - inbound-or-outbound-rule + - action-type + - pre-post-rulebase + - device-group + - ShadowMode + name: General (Inputs group) +inputs: +- description: The name of the tag to add to PAN-OS. This can be a single tag. + key: tag_name + playbookInputQuery: + required: true + value: {} +- description: The list of the IP addresses to block. + key: ip_list + playbookInputQuery: + required: true + value: {} +- description: The name of the group that will be created if the tag does not exist. + key: address_group_name + playbookInputQuery: + required: true + value: {} +- description: The name of the rule to update, or the name of the rule that will be + created. + key: rule_name + playbookInputQuery: + required: false + value: {} +- description: Whether the rule will be committed automatically. + key: auto_commit + playbookInputQuery: + required: false + value: {} +- description: The server address to which to forward logs. + key: log-forwarding-object-name + playbookInputQuery: + required: false + value: {} +- description: |- + The position of the rule in the ruleset. Valid values are: + * Top + * Bottom + * Before + * After + + The default position is 'Top' + key: rule-position + playbookInputQuery: + required: false + value: {} +- description: If the rule-position that is chosen is before or after, specify the + rule name to which it is related. + key: relative-rule-name + playbookInputQuery: + required: false + value: {} +- description: Determines if the rule is inbound or outbound. + key: inbound-or-outbound-rule + playbookInputQuery: + required: false + value: {} +- description: |- + The action that will be defined in the rule. Valid values are: + * allow + * deny + * drop + key: action-type + playbookInputQuery: + required: false + value: {} +- description: Determines whether the rule is a pre-rulebase or post-rulebase rule, + according to the rule structure. Exists only in panorama! + key: pre-post-rulebase + playbookInputQuery: + required: true + value: {} +- description: the device group for which to return results. for panorama only! + key: device-group + playbookInputQuery: + required: false + value: {} +- description: Shadow Mode is a key safety mechanism. It ensures actions like isolate_endpoint + or disable_user are logged but not executed in test scenarios. + key: ShadowMode + playbookInputQuery: + required: false + value: + simple: "true" +name: SOC PAN-OS DAG Configuration_V3 +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: [] +outputs: [] +sourceplaybookid: PAN-OS DAG Configuration +starttaskid: "0" +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "1" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 5ee527a7-506f-4f02-88c0-c8a2701138cd + iscommand: false + name: "" + version: -1 + taskid: 5ee527a7-506f-4f02-88c0-c8a2701138cd + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 385.75, + "y": 50 + } + } + "1": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: brand + filters: + - - left: + iscontext: true + value: + simple: modules.brand + operator: isEqualString + right: + value: + simple: Panorama + - - left: + iscontext: true + value: + simple: modules.state + operator: isEqualString + right: + value: + simple: active + root: modules + operator: isExists + label: "yes" + continueonerrortype: "" + id: "1" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "5" + "yes": + - "2" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks if there is an active instance of PAN-OS enabled. + id: e016bd2c-ae83-4cd4-878b-097fd9462b86 + iscommand: false + name: Is PAN-OS integration enabled? + type: condition + version: -1 + taskid: e016bd2c-ae83-4cd4-878b-097fd9462b86 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 385.75, + "y": 210 + } + } + "2": + continueonerror: true + continueonerrortype: errorPath + id: "2" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "23" + '#none#': + - "3" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Lists all address groups in PAN-OS. + id: 322533d7-6f80-4740-9b5b-cc273fe6a78e + iscommand: true + name: List Address Groups + script: '|||pan-os-list-address-groups' + type: regular + version: -1 + taskid: 322533d7-6f80-4740-9b5b-cc273fe6a78e + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 531, + "y": 380 + } + } + "3": + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: inputs.tag_name + operator: inList + right: + iscontext: true + value: + complex: + accessor: AddressGroups.Match + root: Panorama + label: "yes" + continueonerrortype: "" + id: "3" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "26" + "yes": + - "28" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks if the given tag exists in the address groups. + id: 6523233b-4db1-4691-8ce8-51803456138b + iscommand: false + name: Check if tag exists in address groups + type: condition + version: -1 + taskid: 6523233b-4db1-4691-8ce8-51803456138b + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 676.25, + "y": 550 + } + } + "4": + continueonerror: true + continueonerrortype: errorPath + id: "4" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "23" + '#none#': + - "5" + note: false + quietmode: 0 + scriptarguments: + IPs: + simple: ${inputs.ip_list} + tag: + simple: ${inputs.tag_name} + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Registers IP addresses to a tag. + id: 38d7697b-ea8a-4542-bf55-91862e67b8e6 + iscommand: true + name: Register IP address to a tag + script: '|||pan-os-register-ip-tag' + type: regular + version: -1 + taskid: 38d7697b-ea8a-4542-bf55-91862e67b8e6 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 485.75, + "y": 1740 + } + } + "5": + continueonerrortype: "" + id: "5" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 7686cb45-06bb-4891-8aeb-8ff9b29f1fbf + iscommand: false + name: Done + type: title + version: -1 + taskid: 7686cb45-06bb-4891-8aeb-8ff9b29f1fbf + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 290.5, + "y": 2080 + } + } + "6": + continueonerror: true + continueonerrortype: errorPath + id: "6" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "23" + '#none#': + - "25" + note: false + quietmode: 0 + scriptarguments: + match: + simple: ${inputs.tag_name} + name: + simple: ${inputs.address_group_name} + type: + simple: dynamic + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Creates an address group. Can be "static" or "dynamic". + id: 3e581c1a-129d-47a4-8225-9cfc16c30a24 + iscommand: true + name: Create Address Group + script: '|||pan-os-create-address-group' + type: regular + version: -1 + taskid: 3e581c1a-129d-47a4-8225-9cfc16c30a24 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 240.5, + "y": 890 + } + } + "15": + continueonerrortype: "" + id: "15" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "28" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Allows the analyst to manually commit the changes. This will be + operational if auto-commit is "false". + id: ec9cdad5-afdf-46c8-8255-c3e6091753b5 + iscommand: false + name: Manually commit + type: regular + version: -1 + taskid: ec9cdad5-afdf-46c8-8255-c3e6091753b5 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 435.75, + "y": 1400 + } + } + "17": + continueonerrortype: "" + id: "17" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "15" + "yes": + - "24" + note: false + quietmode: 0 + scriptarguments: + left: + simple: ${inputs.auto_commit} + right: + simple: "Yes" + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks if the values provided in arguments are equal. If either + of the arguments are missing, "no" is returned. + id: 9c646c84-8ba3-4f49-8028-17e466d6f10e + iscommand: false + name: Is auto-commit defined? + script: AreValuesEqual + type: condition + version: -1 + taskid: 9c646c84-8ba3-4f49-8028-17e466d6f10e + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 676.25, + "y": 1230 + } + } + "23": + continueonerrortype: "" + id: "23" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "5" + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: 7fcc2fcd-2b91-4498-8c03-b597d3ef3167 + iscommand: false + name: Foundation - Foundation - Error Handling_V3 + playbookId: Foundation - Foundation - Error Handling_V3 + type: playbook + version: -1 + taskid: 7fcc2fcd-2b91-4498-8c03-b597d3ef3167 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 50, + "y": 1910 + } + } + "24": + continueonerrortype: "" + id: "24" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "28" + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: e12dd355-9fcf-40e0-86e2-4437f7e889b3 + iscommand: false + name: SOC PAN-OS Commit Configuration v2_V3 + playbookId: SOC PAN-OS Commit Configuration v2_V3 + type: playbook + version: -1 + taskid: e12dd355-9fcf-40e0-86e2-4437f7e889b3 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 916.75, + "y": 1400 + } + } + "25": + continueonerrortype: "" + id: "25" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "17" + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: 782a6bc3-5f55-42d5-8bd2-f6f0de74534b + iscommand: false + name: SOC PAN-OS - Create Or Edit Rule_V3 + playbookId: SOC PAN-OS - Create Or Edit Rule_V3 + type: playbook + version: -1 + taskid: 782a6bc3-5f55-42d5-8bd2-f6f0de74534b + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 676.25, + "y": 1060 + } + } + "26": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.ShadowMode + operator: isFalse + right: + value: {} + label: "no" + continueonerrortype: "" + id: "26" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "27" + "no": + - "6" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 82030d70-b28c-4c10-b963-07420b2c3298 + iscommand: false + name: Shadow Run? + type: condition + version: -1 + taskid: 82030d70-b28c-4c10-b963-07420b2c3298 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 531, + "y": 720 + } + } + "27": + continueonerrortype: "" + id: "27" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "25" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow Mode: PAN-OS Create Address Group + Command: pan-os-create-address-group + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: efd408e7-da40-4241-81b4-43484418656f + iscommand: false + name: Print To WarRoom + script: Print + type: regular + version: -1 + taskid: efd408e7-da40-4241-81b4-43484418656f + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 916.75, + "y": 890 + } + } + "28": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.ShadowMode + operator: isFalse + right: + value: {} + label: "no" + continueonerrortype: "" + id: "28" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "29" + "no": + - "4" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: ee82376b-2f13-4296-9cc9-21f12240247f + iscommand: false + name: Shadow Run? + type: condition + version: -1 + taskid: ee82376b-2f13-4296-9cc9-21f12240247f + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 871.5, + "y": 1570 + } + } + "29": + continueonerrortype: "" + id: "29" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "5" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow Mode: PAN-OS Register IP address to a tag + Command: pan-os-register-ip-tag + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: adda4e55-ae69-480f-9087-f54a4c0e1569 + iscommand: false + name: Print To WarRoom + script: Print + type: regular + version: -1 + taskid: adda4e55-ae69-480f-9087-f54a4c0e1569 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1016.75, + "y": 1910 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": { + "17_15_#default#": 0.54, + "17_24_yes": 0.85, + "1_5_#default#": 0.1, + "3_28_yes": 0.9 + }, + "paper": { + "dimensions": { + "height": 2090, + "width": 1346.75, + "x": 50, + "y": 50 + } + } + } +adopted: true +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Prisma_SASE_-_Block_URL.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Prisma_SASE_-_Block_URL.yml new file mode 100644 index 0000000..ac72a31 --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Prisma_SASE_-_Block_URL.yml @@ -0,0 +1,1011 @@ +adopted: true +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 6.8.0 + isoverridable: false + itemVersion: 2.1.21 + packID: "" + packName: Palo Alto Networks - Strata Cloud Manager + prevname: "" + supportedModules: + - X1 + - X3 + - X5 + - ENT_PLUS + - agentix + toServerVersion: "" +description: |- + The playbook will handle the operation of blocking a URL within the organization. + If a category is provided, the URL will be added to the list. + If not, a new URL category will be created, and a new security rule that blocks that category. +dirtyInputs: true +id: 'SOC Prisma SASE - Block URL_V3' +inputSections: +- description: Generic group for inputs + inputs: + - URL + - CategoryName + - Folder + - TSGID + - AutoCommit + - ShadowMode + name: General (Inputs group) +inputs: +- description: List of URLs that are needed to be blocked. + key: URL + playbookInputQuery: + required: false + value: {} +- description: The name of the predefined custom URL category. + key: CategoryName + playbookInputQuery: + required: false + value: {} +- description: |- + Specify the scope for a newly created security rule to be applied. + Remember, this input will only be used when there is no input to the CategoryName. + Default: Shared + key: Folder + playbookInputQuery: + required: false + value: + simple: Shared +- description: Tenant services group ID. If not provided, the tsg_id integration parameter + will be used as the default. + key: TSGID + playbookInputQuery: + required: false + value: {} +- description: |- + Possible Values: + True -> Will Commit and Push Configuration + False -> Manual Push will be required. + Else --> Will ignore the push section and continue the playbook. + key: AutoCommit + playbookInputQuery: + required: false + value: {} +- description: "" + key: ShadowMode + playbookInputQuery: + required: false + value: + simple: "true" +name: SOC Prisma SASE - Block URL_V3 +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: + - PrismaSase + - PrismaSase.SecurityRule + - PrismaSase.SecurityRule.action + - PrismaSase.SecurityRule.application + - PrismaSase.SecurityRule.category + - PrismaSase.SecurityRule.description + - PrismaSase.SecurityRule.destination + - PrismaSase.SecurityRule.folder + - PrismaSase.SecurityRule.from + - PrismaSase.SecurityRule.id + - PrismaSase.SecurityRule.name + - PrismaSase.SecurityRule.position + - PrismaSase.SecurityRule.service + - PrismaSase.SecurityRule.source + - PrismaSase.SecurityRule.source_user + - PrismaSase.SecurityRule.to + - PrismaSase.SecurityRule.profile_setting + - PrismaSase.SecurityRule.profile_setting.group + - PrismaSase.CandidateConfig + - PrismaSase.CandidateConfig.job_id + - PrismaSase.CandidateConfig.result + - PrismaSase.CandidateConfig.details + - PrismaSase.CustomURLCategory + - PrismaSase.CustomURLCategory.id + - PrismaSase.CustomURLCategory.name + - PrismaSase.CustomURLCategory.folder + - PrismaSase.CustomURLCategory.type + - PrismaSase.CustomURLCategory.list + - PrismaSase.CustomURLCategory.description +outputs: +- contextPath: PrismaSase + description: The root context key for Prisma SASE integration output. + type: unknown +- contextPath: PrismaSase.SecurityRule + description: Created security rule. +- contextPath: PrismaSase.SecurityRule.action + description: Security rule action. +- contextPath: PrismaSase.SecurityRule.application + description: Security rule application. +- contextPath: PrismaSase.SecurityRule.category + description: Security rule category. +- contextPath: PrismaSase.SecurityRule.description + description: Security rule description. +- contextPath: PrismaSase.SecurityRule.destination + description: Security rule destination. +- contextPath: PrismaSase.SecurityRule.folder + description: Security rule folder. +- contextPath: PrismaSase.SecurityRule.from + description: Security rule from field (source zone(s)). +- contextPath: PrismaSase.SecurityRule.id + description: Security rule ID. +- contextPath: PrismaSase.SecurityRule.name + description: Security rule name. +- contextPath: PrismaSase.SecurityRule.position + description: Security rule position. +- contextPath: PrismaSase.SecurityRule.service + description: Security rule service. +- contextPath: PrismaSase.SecurityRule.source + description: Security rule source. +- contextPath: PrismaSase.SecurityRule.source_user + description: Security rule source user. +- contextPath: PrismaSase.SecurityRule.to + description: Security rule to field (destination zone(s)). +- contextPath: PrismaSase.SecurityRule.profile_setting + description: The Security rule group object in the rule. + type: unknown +- contextPath: PrismaSase.SecurityRule.profile_setting.group + description: Security rule group. +- contextPath: PrismaSase.CandidateConfig + description: Configuration job object. + type: unknown +- contextPath: PrismaSase.CandidateConfig.job_id + description: Configuration job ID. +- contextPath: PrismaSase.CandidateConfig.result + description: The configuration push result, e.g. OK, FAIL. +- contextPath: PrismaSase.CandidateConfig.details + description: The configuration push details. +- contextPath: PrismaSase.CustomURLCategory + description: The custom URL category object. + type: unknown +- contextPath: PrismaSase.CustomURLCategory.id + description: The URL category ID. +- contextPath: PrismaSase.CustomURLCategory.name + description: The URL category name. +- contextPath: PrismaSase.CustomURLCategory.folder + description: The URL category folder. +- contextPath: PrismaSase.CustomURLCategory.type + description: The URL category type. +- contextPath: PrismaSase.CustomURLCategory.list + description: The URL category match list. +- contextPath: PrismaSase.CustomURLCategory.description + description: The URL category description. +sourceplaybookid: Prisma SASE - Block URL +starttaskid: "0" +tags: +- SOC +- SOC_Framework +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "4" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 3f502737-194b-4b60-8b41-49768b2f0897 + iscommand: false + name: "" + playbooktaskmissingcomponent: + version: -1 + taskid: 3f502737-194b-4b60-8b41-49768b2f0897 + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 470, + "y": -480 + } + } + "1": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.CategoryName + operator: isNotEmpty + right: + value: {} + label: "Yes" + continueonerrortype: "" + id: "1" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "6" + "Yes": + - "2" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Check if the URL Custom Category was defined + id: a7b8b8df-e87f-4615-8c21-1473a9eb4c39 + iscommand: false + name: Check if the URL Custom Category was defined + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: a7b8b8df-e87f-4615-8c21-1473a9eb4c39 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 10, + "y": -90 + } + } + "2": + continueonerrortype: "" + id: "2" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "3" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: f62cd92a-b7d6-41eb-8d0b-82b272c25a91 + iscommand: false + name: Updating URL Predfiened Category List + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: f62cd92a-b7d6-41eb-8d0b-82b272c25a91 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": -220, + "y": 130 + } + } + "3": + continueonerror: true + continueonerrortype: errorPath + id: "3" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "17" + '#none#': + - "7" + note: false + quietmode: 0 + scriptarguments: + folder: + complex: + root: inputs.Folder + name: + complex: + root: inputs.CategoryName + tsg_id: + complex: + root: inputs.TSGID + separatecontext: false + skipunavailable: false + task: + brand: Palo Alto Networks - Prisma SASE + description: Lists all custom URL categories. + id: dcbb36bb-ebca-4b0d-a4b2-9366a7db2d84 + iscommand: true + name: Get the URL category List + playbooktaskmissingcomponent: + script: Palo Alto Networks - Prisma SASE|||prisma-sase-custom-url-category-list + type: regular + version: -1 + taskid: dcbb36bb-ebca-4b0d-a4b2-9366a7db2d84 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": -220, + "y": 280 + } + } + "4": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.URL + operator: isNotEmpty + right: + value: {} + label: "yes" + continueonerrortype: "" + id: "4" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "5" + "yes": + - "1" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Was a URL to Block provided? + id: 407eba27-5f42-4fe6-80ca-1ddaf41b870b + iscommand: false + name: Was a URL to Block provided? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 407eba27-5f42-4fe6-80ca-1ddaf41b870b + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 470, + "y": -270 + } + } + "5": + continueonerrortype: "" + id: "5" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 5abb3e14-5dce-4845-8d83-44ff4bfa5c11 + iscommand: false + name: Done + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 5abb3e14-5dce-4845-8d83-44ff4bfa5c11 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 470, + "y": 1600 + } + } + "6": + continueonerrortype: "" + id: "6" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "18" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 07b206b2-cab0-4eb1-8ce1-b1cbb870503d + iscommand: false + name: Creating a new Category + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 07b206b2-cab0-4eb1-8ce1-b1cbb870503d + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 240, + "y": 130 + } + } + "7": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.URL + operator: in + right: + iscontext: true + value: + simple: PrismaSase.CustomURLCategory.list + label: "yes" + continueonerrortype: "" + id: "7" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "19" + "yes": + - "5" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Is the URL already exist? + id: 2c56fab1-5200-4cee-8ced-ef3ecda1a04d + iscommand: false + name: Is the URL already exist? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 2c56fab1-5200-4cee-8ced-ef3ecda1a04d + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": -220, + "y": 500 + } + } + "8": + continueonerror: true + continueonerrortype: errorPath + id: "8" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "17" + '#none#': + - "15" + note: false + quietmode: 0 + scriptarguments: + description: + simple: List of Blocked URL - XSOAR + folder: + complex: + root: inputs.Folder + name: + simple: List of Blocked URL - XSOAR + tsg_id: + complex: + root: inputs.TSGID + type: + simple: URL List + value: + complex: + root: inputs.URL + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: Palo Alto Networks - Prisma SASE + description: Create a new URL category. + id: a1e0a7ac-2603-46a7-9d20-702e5af492ef + iscommand: true + name: Create a new Custom URL Category + playbooktaskmissingcomponent: + script: Palo Alto Networks - Prisma SASE|||prisma-sase-custom-url-category-create + type: regular + version: -1 + taskid: a1e0a7ac-2603-46a7-9d20-702e5af492ef + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 240, + "y": 500 + } + } + "9": + continueonerror: true + continueonerrortype: errorPath + id: "9" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "17" + '#none#': + - "13" + note: false + quietmode: 0 + scriptarguments: + id: + complex: + accessor: id + root: PrismaSase.CustomURLCategory + overwrite: + simple: "false" + tsg_id: + complex: + root: inputs.TSGID + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: inputs.URL + operator: notIn + right: + iscontext: true + value: + simple: PrismaSase.CustomURLCategory.list + root: inputs.URL + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: Palo Alto Networks - Prisma SASE + description: Update an existing url category. + id: ff806252-a58e-4ace-8a87-079745408745 + iscommand: true + name: Update the URL category + playbooktaskmissingcomponent: + script: Palo Alto Networks - Prisma SASE|||prisma-sase-custom-url-category-update + type: regular + version: -1 + taskid: ff806252-a58e-4ace-8a87-079745408745 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": -220, + "y": 980 + } + } + "12": + continueonerror: true + continueonerrortype: errorPath + id: "12" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "17" + '#none#': + - "5" + note: false + quietmode: 0 + scriptarguments: + folders: + complex: + root: inputs.Folder + tsg_id: + complex: + root: inputs.TSGID + separatecontext: false + skipunavailable: false + task: + brand: Palo Alto Networks - Prisma SASE + description: Push the candidate configuration. + id: 69ae71ff-3a69-4ed5-9128-a736c2d8b475 + iscommand: true + name: Push Config + playbooktaskmissingcomponent: + script: Palo Alto Networks - Prisma SASE|||prisma-sase-candidate-config-push + type: regular + version: -1 + taskid: 69ae71ff-3a69-4ed5-9128-a736c2d8b475 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 230, + "y": 1465 + } + } + "13": + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: inputs.AutoCommit + operator: isEqualString + right: + value: + simple: "True" + label: Auto Commit + - condition: + - - left: + iscontext: true + value: + simple: inputs.AutoCommit + operator: isEqualString + right: + value: + simple: "False" + label: Manual + continueonerrortype: "" + id: "13" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "5" + Auto Commit: + - "12" + Manual: + - "16" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Commit and push configuration to folders? + id: 55bb3e8b-0479-4c30-8e6a-3a3edebc5bce + iscommand: false + name: Commit and push configuration to folders? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 55bb3e8b-0479-4c30-8e6a-3a3edebc5bce + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 240, + "y": 1050 + } + } + "15": + continueonerrortype: "" + id: "15" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" + iscommand: false + max: 0 + wait: 1 + nexttasks: + '#none#': + - "13" + note: false + quietmode: 0 + scriptarguments: + Action: + simple: drop + Application: + simple: any + AutoCommit: + simple: Else + Category: + complex: + accessor: name + root: PrismaSase.CustomURLCategory + Destination: + simple: any + Folder: + complex: + root: inputs.Folder + Overwrite: + simple: "False" + Position: + simple: pre + RuleName: + simple: Block URL Rule + Service: + simple: any + Source: + simple: any + TSGID: + complex: + root: inputs.TSGID + separatecontext: true + skipunavailable: false + task: + brand: "" + description: "This playbook handles the creation or editing of the Security + Policy Rule for Pisma SASE integration. \n" + id: ae2421c9-7bef-47f5-806b-149e3bef1a61 + iscommand: false + name: Prisma SASE - Create or Edit Security Policy Rule + playbookId: Prisma SASE - Create or Edit Security Policy Rule + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: ae2421c9-7bef-47f5-806b-149e3bef1a61 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 240, + "y": 670 + } + } + "16": + continueonerrortype: "" + id: "16" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: + body: + cc: + format: "" + methods: [] + replyOptions: + - Push + - "No" + subject: + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: + nexttasks: + '#default#': + - "5" + Push: + - "12" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Choose to commit and push configuration automatically + id: af316618-dc9f-4475-89a4-b7fd5ad0e2f4 + iscommand: false + name: Choose to commit and push configuration automatically + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: af316618-dc9f-4475-89a4-b7fd5ad0e2f4 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": -80, + "y": 1260 + } + } + "17": + continueonerrortype: "" + id: "17" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: c7325348-7c96-47b0-8e4e-c9fe042a0949 + iscommand: false + name: Foundation - Foundation - Error Handling_V3 + playbookId: Foundation - Foundation - Error Handling_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: c7325348-7c96-47b0-8e4e-c9fe042a0949 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 930, + "y": 1610 + } + } + "18": + continueonerrortype: "" + id: "18" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + Full Run: + - "8" + Shadow Mode: + - "21" + note: false + quietmode: 0 + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 7f5ff5d6-143c-4f4d-8de1-fbb98068f6d2 + iscommand: false + name: Run Mode? + playbooktaskmissingcomponent: + script: 'ShadowModeRouter_V3' + type: condition + version: -1 + taskid: 7f5ff5d6-143c-4f4d-8de1-fbb98068f6d2 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 240, + "y": 280 + } + } + "19": + continueonerrortype: "" + id: "19" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + Full Run: + - "9" + Shadow Mode: + - "22" + note: false + quietmode: 0 + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 7eac0f1d-8938-4d3b-8bff-4b9c9c39ec9e + iscommand: false + name: Run Mode? + playbooktaskmissingcomponent: + script: 'ShadowModeRouter_V3' + type: condition + version: -1 + taskid: 7eac0f1d-8938-4d3b-8bff-4b9c9c39ec9e + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": -220, + "y": 700 + } + } + "21": + continueonerrortype: "" + id: "21" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "15" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow: Prisma SASE Create new URL Category + Command: prisma-sase-custom-url-category-create + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: dc60e040-179d-4b92-a13b-c7094b3e54d9 + iscommand: false + name: 'Shadow: Prisma SASE Create new URL Category' + playbooktaskmissingcomponent: + script: Print + type: regular + version: -1 + taskid: dc60e040-179d-4b92-a13b-c7094b3e54d9 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 690, + "y": 500 + } + } + "22": + continueonerrortype: "" + id: "22" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "5" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow: Prisma SASE Create new URL Category + Command: prisma-sase-custom-url-category-update + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: 682885e6-e34c-4ce7-b2c9-77d00e233310 + iscommand: false + name: 'Shadow: Prisma SASE Update URL Category' + playbooktaskmissingcomponent: + script: Print + type: regular + version: -1 + taskid: 682885e6-e34c-4ce7-b2c9-77d00e233310 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": -620, + "y": 980 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": { + "13_12_Auto Commit": 0.68, + "16_12_Push": 0.85, + "4_5_#default#": 0.11, + "7_19_#default#": 0.76, + "7_5_yes": 0.27 + }, + "paper": { + "dimensions": { + "height": 2160, + "width": 1930, + "x": -620, + "y": -480 + } + } + } +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Prisma_SASE_-_Create_or_Edit_Security_Policy_Rule.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Prisma_SASE_-_Create_or_Edit_Security_Policy_Rule.yml new file mode 100644 index 0000000..63d99e5 --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Prisma_SASE_-_Create_or_Edit_Security_Policy_Rule.yml @@ -0,0 +1,1159 @@ +adopted: true +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 6.8.0 + isoverridable: false + itemVersion: 2.1.21 + packID: "" + packName: Palo Alto Networks - Strata Cloud Manager + prevname: "" + supportedModules: + - X1 + - X3 + - X5 + - ENT_PLUS + - agentix + toServerVersion: "" +description: "This playbook handles the creation or editing of the Security Policy + Rule for Prisma SASE integration. \n" +dirtyInputs: true +id: 'SOC Prisma SASE - Create or Edit Security Policy Rule_V3' +inputSections: +- description: Generic group for inputs + inputs: + - TSGID + - Folder + - Action + - Position + - Source + - Destination + - Service + - Application + - RuleName + - AutoCommit + - Overwrite + - Category + - ShadowMode + name: General (Inputs group) +inputs: +- description: Tenant services group ID. If not provided, the tsg_id integration parameter + will be used as the default. + key: TSGID + playbookInputQuery: + required: false + value: {} +- description: |- + The configuration folder group setting. + The default value is 'Shared'. + key: Folder + playbookInputQuery: + required: false + value: + simple: Shared +- description: |- + Possible values: + allow,deny,drop,reset-both,reset-client,reset-server. + key: Action + playbookInputQuery: + required: false + value: {} +- description: |- + Rule position. + The default value is 'pre'. + key: Position + playbookInputQuery: + required: false + value: + simple: pre +- description: |- + A comma-separated list of source networks. + The default value is 'any'. + key: Source + playbookInputQuery: + required: false + value: + simple: any +- description: |- + A comma-separated list of destination networks. + The default value is 'any'. + key: Destination + playbookInputQuery: + required: false + value: + simple: any +- description: |- + Services the rule applies to. + Default value is 'any'. + key: Service + playbookInputQuery: + required: false + value: + simple: any +- description: |- + A comma-separated list of applications. + Default value is 'any'. + key: Application + playbookInputQuery: + required: false + value: + simple: any +- description: The name of the security rule. + key: RuleName + playbookInputQuery: + required: true + value: {} +- description: |- + Possible values: + True -> Will commit and push configuration. + False -> Manual push will be required. + Else --> Will ignore the push section and continue the playbook. + key: AutoCommit + playbookInputQuery: + required: false + value: {} +- description: |- + Whether to overwrite the original rule values. + The default value is 'false'. + key: Overwrite + playbookInputQuery: + required: false + value: + simple: "False" +- description: |- + A comma-separated list of categories. You can get category values by running the prisma-sase-custom-url-category-list command. + Default value is 'any'. + key: Category + playbookInputQuery: + required: false + value: + simple: any +- description: "" + key: ShadowMode + playbookInputQuery: + required: false + value: + simple: "true" +name: SOC Prisma SASE - Create or Edit Security Policy Rule_V3 +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: + - PrismaSase.CandidateConfig + - PrismaSase.CandidateConfig.job_id + - PrismaSase.CandidateConfig.result + - PrismaSase.CandidateConfig.details + - PrismaSase + - PrismaSase.SecurityRule + - PrismaSase.SecurityRule.action + - PrismaSase.SecurityRule.application + - PrismaSase.SecurityRule.category + - PrismaSase.SecurityRule.description + - PrismaSase.SecurityRule.destination + - PrismaSase.SecurityRule.folder + - PrismaSase.SecurityRule.from + - PrismaSase.SecurityRule.id + - PrismaSase.SecurityRule.log_setting + - PrismaSase.SecurityRule.name + - PrismaSase.SecurityRule.position + - PrismaSase.SecurityRule.service + - PrismaSase.SecurityRule.source + - PrismaSase.SecurityRule.source_user + - PrismaSase.SecurityRule.tag + - PrismaSase.SecurityRule.to + - PrismaSase.SecurityRule.negate_destination + - PrismaSase.SecurityRule.profile_setting + - PrismaSase.SecurityRule.profile_setting.group +outputs: +- contextPath: PrismaSase.CandidateConfig + description: Configuration job object. + type: unknown +- contextPath: PrismaSase.CandidateConfig.job_id + description: Configuration job ID. +- contextPath: PrismaSase.CandidateConfig.result + description: The configuration push result, e.g., OK, FAIL. +- contextPath: PrismaSase.CandidateConfig.details + description: The configuration push details. +- contextPath: PrismaSase + description: The root context key for Prisma SASE integration output. + type: unknown +- contextPath: PrismaSase.SecurityRule + description: Found security rule. +- contextPath: PrismaSase.SecurityRule.action + description: Security rule action. +- contextPath: PrismaSase.SecurityRule.application + description: Security rule application. +- contextPath: PrismaSase.SecurityRule.category + description: Security rule category. +- contextPath: PrismaSase.SecurityRule.description + description: Security rule description. +- contextPath: PrismaSase.SecurityRule.destination + description: Security rule destination. +- contextPath: PrismaSase.SecurityRule.folder + description: Security rule folder. +- contextPath: PrismaSase.SecurityRule.from + description: Security rule from field (source zone(s)). +- contextPath: PrismaSase.SecurityRule.id + description: Security rule ID. +- contextPath: PrismaSase.SecurityRule.log_setting + description: Security rule log setting. +- contextPath: PrismaSase.SecurityRule.name + description: Security rule name. +- contextPath: PrismaSase.SecurityRule.position + description: Security rule position. +- contextPath: PrismaSase.SecurityRule.service + description: Security rule service. +- contextPath: PrismaSase.SecurityRule.source + description: Security rule source. +- contextPath: PrismaSase.SecurityRule.source_user + description: Security rule source user. +- contextPath: PrismaSase.SecurityRule.tag + description: Security rule tag. +- contextPath: PrismaSase.SecurityRule.to + description: Security rule to field (destination zone(s)). +- contextPath: PrismaSase.SecurityRule.negate_destination + description: Security rule negate destination. +- contextPath: PrismaSase.SecurityRule.profile_setting + description: The Security rule group object in the rule. + type: unknown +- contextPath: PrismaSase.SecurityRule.profile_setting.group + description: Security rule group. +sourceplaybookid: Prisma SASE - Create or Edit Security Policy Rule +starttaskid: "0" +tags: +- SOC +- SOC_Framework +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 0e6e9db1-9fbc-4c0f-862c-1faa0d7690da + iscommand: false + name: "" + playbooktaskmissingcomponent: + version: -1 + taskid: 0e6e9db1-9fbc-4c0f-862c-1faa0d7690da + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 450, + "y": -260 + } + } + "2": + continueonerror: true + continueonerrortype: errorPath + id: "2" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "14" + '#none#': + - "3" + note: false + quietmode: 0 + scriptarguments: + folder: + complex: + root: inputs.Folder + name: + complex: + root: inputs.RuleName + transformers: + - operator: uniq + tsg_id: + complex: + root: inputs.TSGID + separatecontext: false + skipunavailable: false + task: + brand: Palo Alto Networks - Prisma SASE + description: Lists all security rules. + id: fc7c383d-8d57-4161-97c8-1a00b9458e56 + iscommand: true + name: List Security Policy + playbooktaskmissingcomponent: + script: Palo Alto Networks - Prisma SASE|||prisma-sase-security-rule-list + type: regular + version: -1 + taskid: fc7c383d-8d57-4161-97c8-1a00b9458e56 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 450, + "y": -60 + } + } + "3": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: PrismaSase.SecurityRule.name + operator: isEqualString + right: + iscontext: true + value: + simple: inputs.RuleName + label: "yes" + continueonerrortype: "" + id: "3" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "15" + "yes": + - "16" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Check if the rule was already created. + id: b2325c73-cbd4-49b6-83ab-9cf9eb086d2c + iscommand: false + name: Check if the rule was already created + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: b2325c73-cbd4-49b6-83ab-9cf9eb086d2c + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 450, + "y": 100 + } + } + "4": + continueonerror: true + continueonerrortype: errorPath + id: "4" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "14" + '#none#': + - "11" + note: false + quietmode: 0 + scriptarguments: + action: + complex: + root: inputs.Action + application: + complex: + root: inputs.Application + transformers: + - args: + applyIfEmpty: {} + defaultValue: + value: + simple: any + operator: SetIfEmpty + category: + complex: + root: inputs.Category + destination: + complex: + root: inputs.Destination + folder: + complex: + root: inputs.Folder + transformers: + - args: + applyIfEmpty: {} + defaultValue: + value: + simple: Shared + operator: SetIfEmpty + name: + complex: + root: inputs.RuleName + position: + complex: + root: inputs.Position + service: + complex: + root: inputs.Service + transformers: + - args: + applyIfEmpty: {} + defaultValue: + value: + simple: any + operator: SetIfEmpty + source: + complex: + root: inputs.Source + transformers: + - args: + applyIfEmpty: {} + defaultValue: + value: + simple: any + operator: SetIfEmpty + tsg_id: + complex: + root: inputs.TSGID + separatecontext: false + skipunavailable: false + task: + brand: Palo Alto Networks - Prisma SASE + description: Create a new security rule. + id: 388d5fc9-294b-4923-9eb3-2c4b83c55f14 + iscommand: true + name: Create New Security Rule + playbooktaskmissingcomponent: + script: Palo Alto Networks - Prisma SASE|||prisma-sase-security-rule-create + type: regular + version: -1 + taskid: 388d5fc9-294b-4923-9eb3-2c4b83c55f14 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 690, + "y": 490 + } + } + "5": + continueonerrortype: "" + id: "5" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 903970f1-cd5d-4ca1-8226-bea09e658349 + iscommand: false + name: Done + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 903970f1-cd5d-4ca1-8226-bea09e658349 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 440, + "y": 1880 + } + } + "6": + continueonerror: true + continueonerrortype: errorPath + id: "6" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "14" + '#none#': + - "7" + note: false + quietmode: 0 + scriptarguments: + folder: + complex: + root: inputs.Folder + name: + complex: + root: inputs.RuleName + tsg_id: + complex: + root: inputs.TSGID + separatecontext: false + skipunavailable: false + task: + brand: Palo Alto Networks - Prisma SASE + description: Lists all security rules. + id: 646535b2-8393-488a-84b0-1002435ca0fb + iscommand: true + name: Check if the policy was pushed successfully. + playbooktaskmissingcomponent: + script: Palo Alto Networks - Prisma SASE|||prisma-sase-security-rule-list + type: regular + version: -1 + taskid: 646535b2-8393-488a-84b0-1002435ca0fb + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 960, + "y": 1510 + } + } + "7": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.RuleName + operator: isEqualString + right: + iscontext: true + value: + simple: PrismaSase.SecurityRule.name + label: "yes" + continueonerrortype: "" + id: "7" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "8" + "yes": + - "5" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: The policy was created successfully? + id: 50d20336-62eb-4f43-8f6a-7fd4d56dbda9 + iscommand: false + name: The policy was created successfully? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 50d20336-62eb-4f43-8f6a-7fd4d56dbda9 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 890, + "y": 1650 + } + } + "8": + continueonerrortype: "" + id: "8" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + scriptarguments: + message: + simple: The policy wasn't pushed properly + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints an error entry with a given message. + id: e06bf245-0bdc-4aa5-8c7f-59efd8e33aa7 + iscommand: false + name: Raise error on pushing config + playbooktaskmissingcomponent: + script: PrintErrorEntry + type: regular + version: -1 + taskid: e06bf245-0bdc-4aa5-8c7f-59efd8e33aa7 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1180, + "y": 1875 + } + } + "10": + continueonerror: true + continueonerrortype: errorPath + id: "10" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "14" + '#none#': + - "18" + note: false + quietmode: 0 + scriptarguments: + folders: + complex: + root: inputs.Folder + tsg_id: + complex: + root: inputs.TSGID + separatecontext: false + skipunavailable: false + task: + brand: Palo Alto Networks - Prisma SASE + description: Push the candidate configuration. + id: ffc15f7e-7a9b-48f6-a709-dd86717053a3 + iscommand: true + name: Push Config + playbooktaskmissingcomponent: + script: Palo Alto Networks - Prisma SASE|||prisma-sase-candidate-config-push + type: regular + version: -1 + taskid: ffc15f7e-7a9b-48f6-a709-dd86717053a3 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1210, + "y": 1220 + } + } + "11": + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: inputs.AutoCommit + operator: isEqualString + right: + value: + simple: "True" + label: Auto Commit + - condition: + - - left: + iscontext: true + value: + simple: inputs.AutoCommit + operator: isEqualString + right: + value: + simple: "False" + label: Manual + continueonerrortype: "" + id: "11" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "5" + Auto Commit: + - "17" + Manual: + - "12" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Commit and push configuration to folders? + id: 041a6d58-e043-4069-8e6c-d109b95f81cc + iscommand: false + name: Commit and push configuration to folders? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 041a6d58-e043-4069-8e6c-d109b95f81cc + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 450, + "y": 720 + } + } + "12": + continueonerrortype: "" + id: "12" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: + body: + cc: + format: "" + methods: [] + replyOptions: + - Push + - "No" + subject: + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: + nexttasks: + '#default#': + - "5" + Push: + - "17" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Choose to commit and push configuration automatically + id: 4c29e35e-13da-4951-85d0-eeafaa74fd2c + iscommand: false + name: Choose to commit and push configuration automatically + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 4c29e35e-13da-4951-85d0-eeafaa74fd2c + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 670, + "y": 890 + } + } + "13": + continueonerror: true + continueonerrortype: errorPath + id: "13" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "14" + '#none#': + - "11" + note: false + quietmode: 0 + scriptarguments: + action: + complex: + root: inputs.Action + application: + complex: + root: inputs.Application + transformers: + - args: + applyIfEmpty: {} + defaultValue: + value: + simple: any + operator: SetIfEmpty + category: + complex: + root: inputs.Category + destination: + complex: + root: inputs.Destination + folder: + complex: + root: inputs.Folder + transformers: + - args: + applyIfEmpty: {} + defaultValue: + value: + simple: Shared + operator: SetIfEmpty + overwrite: + complex: + root: inputs.Overwrite + position: + complex: + root: inputs.Position + rule_id: + complex: + accessor: id + root: PrismaSase.SecurityRule + service: + complex: + root: inputs.Service + transformers: + - args: + applyIfEmpty: {} + defaultValue: + value: + simple: any + operator: SetIfEmpty + source: + complex: + root: inputs.Source + transformers: + - args: + applyIfEmpty: {} + defaultValue: + value: + simple: any + operator: SetIfEmpty + tsg_id: + complex: + root: inputs.TSGID + separatecontext: false + skipunavailable: false + task: + brand: Palo Alto Networks - Prisma SASE + description: Update an existing security rule. + id: 30b51d0d-6252-4091-94b2-60d364157ffd + iscommand: true + name: Update Security Rule + playbooktaskmissingcomponent: + script: Palo Alto Networks - Prisma SASE|||prisma-sase-security-rule-update + type: regular + version: -1 + taskid: 30b51d0d-6252-4091-94b2-60d364157ffd + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": -180, + "y": 490 + } + } + "14": + continueonerrortype: "" + id: "14" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: 99eea0fb-aca8-4f8a-8dbc-bc00b324b8b3 + iscommand: false + name: Foundation - Foundation - Error Handling_V3 + playbookId: Foundation - Foundation - Error Handling_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: 99eea0fb-aca8-4f8a-8dbc-bc00b324b8b3 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 1730, + "y": 1875 + } + } + "15": + continueonerrortype: "" + id: "15" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + Full Run: + - "4" + Shadow Mode: + - "19" + note: false + quietmode: 0 + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 2faa06ab-fbff-409e-827b-db6139172e20 + iscommand: false + name: Run Mode? + playbooktaskmissingcomponent: + script: 'ShadowModeRouter_V3' + type: condition + version: -1 + taskid: 2faa06ab-fbff-409e-827b-db6139172e20 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 880, + "y": 280 + } + } + "16": + continueonerrortype: "" + id: "16" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + Full Run: + - "13" + Shadow Mode: + - "20" + note: false + quietmode: 0 + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: false + skipunavailable: false + task: + brand: "" + id: dde78d65-a1e1-491e-8e92-229260d2a969 + iscommand: false + name: Run Mode? + playbooktaskmissingcomponent: + script: 'ShadowModeRouter_V3' + type: condition + version: -1 + taskid: dde78d65-a1e1-491e-8e92-229260d2a969 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 110, + "y": 270 + } + } + "17": + continueonerrortype: "" + id: "17" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + Full Run: + - "10" + Shadow Mode: + - "21" + note: false + quietmode: 0 + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 1bbe34e3-b713-464d-8d12-d545ce946591 + iscommand: false + name: Run Mode? + playbooktaskmissingcomponent: + script: 'ShadowModeRouter_V3' + type: condition + version: -1 + taskid: 1bbe34e3-b713-464d-8d12-d545ce946591 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 900, + "y": 1060 + } + } + "18": + continueonerrortype: "" + id: "18" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + Full Run: + - "6" + Shadow Mode: + - "5" + note: false + quietmode: 0 + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 6ad5e849-9411-4925-8f6b-3a37d8dbc465 + iscommand: false + name: Run Mode? + playbooktaskmissingcomponent: + script: 'ShadowModeRouter_V3' + type: condition + version: -1 + taskid: 6ad5e849-9411-4925-8f6b-3a37d8dbc465 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 960, + "y": 1370 + } + } + "19": + continueonerrortype: "" + id: "19" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "11" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow: Create New Security Rule + Command: prisma-sase-security-rule-create ${inputs.RuleName} + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: 68989291-5a6d-47d6-8420-004870130c8d + iscommand: false + name: 'Shadow: Create New Security Rule' + playbooktaskmissingcomponent: + script: Print + type: regular + version: -1 + taskid: 68989291-5a6d-47d6-8420-004870130c8d + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1110, + "y": 490 + } + } + "20": + continueonerrortype: "" + id: "20" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "11" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow: Update Security Rule + Command: prisma-sase-security-rule-update ${inputs.RuleName} + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: 09a42009-8e6c-44b0-9bef-d5f87dc4a3c0 + iscommand: false + name: 'Shadow: Update Security Rule' + playbooktaskmissingcomponent: + script: Print + type: regular + version: -1 + taskid: 09a42009-8e6c-44b0-9bef-d5f87dc4a3c0 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 230, + "y": 490 + } + } + "21": + continueonerrortype: "" + id: "21" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "18" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow: Prisma SASE Push Config + Command: prisma-sase-candidate-config-push + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: dba45511-5b19-4c46-9679-760366ecde71 + iscommand: false + name: 'Shadow: Prisma SASE Push Config' + playbooktaskmissingcomponent: + script: Print + type: regular + version: -1 + taskid: dba45511-5b19-4c46-9679-760366ecde71 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 730, + "y": 1220 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": { + "11_17_Auto Commit": 0.74, + "12_17_Push": 0.89, + "3_15_#default#": 0.88, + "3_16_yes": 0.86 + }, + "paper": { + "dimensions": { + "height": 2205, + "width": 2290, + "x": -180, + "y": -260 + } + } + } +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Ready_Ticketing.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Ready_Ticketing.yml new file mode 100644 index 0000000..2508619 --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Ready_Ticketing.yml @@ -0,0 +1,303 @@ +adopted: true +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: "" + isoverridable: false + itemVersion: 2.0.9 + packID: "" + packName: SOC Framework + prevname: "" + supportedModules: [] + toServerVersion: "" +description: |- + This playbook is designed to insure ticketing is ready and an instance is configured. This will pick by they order they are in, so a first match is the ticketing system of choice. + Currently Supports: + -- Service Now + -- Jira +dirtyInputs: true +id: 'SOC Ready Ticketing_V3' +inputSections: +- description: Generic group for inputs + inputs: [] + name: General (Inputs group) +inputs: [] +name: SOC Ready Ticketing_V3 +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: [] +outputs: [] +sourceplaybookid: auto-soc_nist_ir_static-5665921e-797f-469f-a938-801fc03ce4b1 +starttaskid: "0" +tags: +- SOC_Framework +- SOC +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "21" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: f2d8507e-c7b1-46a3-8716-3084a647eb5c + iscommand: false + name: "" + playbooktaskmissingcomponent: + version: -1 + taskid: f2d8507e-c7b1-46a3-8716-3084a647eb5c + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 500, + "y": 270 + } + } + "11": + continueonerrortype: "" + id: "11" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 8b6dab24-5e99-4dbe-88db-034169678fda + iscommand: false + name: Done + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 8b6dab24-5e99-4dbe-88db-034169678fda + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 430, + "y": 1040 + } + } + "21": + continueonerrortype: "" + id: "21" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + "no": + - "22" + "yes": + - "24" + note: false + quietmode: 0 + scriptarguments: + brandname: + simple: ServiceNow v2 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no'. + id: 467899ed-97d7-413c-9223-4800c7dea4a2 + iscommand: false + name: Service Now Integration Up? + playbooktaskmissingcomponent: + script: IsIntegrationAvailable + type: condition + version: -1 + taskid: 467899ed-97d7-413c-9223-4800c7dea4a2 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 500, + "y": 440 + } + } + "22": + continueonerrortype: "" + id: "22" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + "no": + - "25" + "yes": + - "23" + note: false + quietmode: 0 + scriptarguments: + brandname: + simple: Atlassian Jira v3 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no'. + id: c140f091-de39-4990-aff7-404a5a5e0cab + iscommand: false + name: Jira Integration Up? + playbooktaskmissingcomponent: + script: IsIntegrationAvailable + type: condition + version: -1 + taskid: c140f091-de39-4990-aff7-404a5a5e0cab + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 500, + "y": 730 + } + } + "23": + continueonerror: true + continueonerrortype: "" + id: "23" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "11" + note: false + quietmode: 0 + scriptarguments: + key: + simple: TicketingSystem.Name + value: + simple: Atlassian Jira v3 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Set a value in context under the key you entered. + id: f1a3fa68-cda1-4fff-b2e8-69060130392d + iscommand: false + name: Set Ticketing System (Jira) + playbooktaskmissingcomponent: + script: Set + type: regular + version: -1 + taskid: f1a3fa68-cda1-4fff-b2e8-69060130392d + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 120, + "y": 880 + } + } + "24": + continueonerror: true + continueonerrortype: "" + id: "24" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "11" + note: false + quietmode: 0 + scriptarguments: + key: + simple: TicketingSystem.Name + value: + simple: ServiceNow v2 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Set a value in context under the key you entered. + id: 5e090dbf-da3d-4519-a68a-4da8393868ee + iscommand: false + name: Set Ticketing System (Service Now) + playbooktaskmissingcomponent: + script: Set + type: regular + version: -1 + taskid: 5e090dbf-da3d-4519-a68a-4da8393868ee + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 110, + "y": 590 + } + } + "25": + continueonerror: true + continueonerrortype: "" + id: "25" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "11" + note: false + quietmode: 0 + scriptarguments: + key: + simple: TicketingSystem.Name + value: + simple: No Ticketing + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Set a value in context under the key you entered. + id: e26fd030-ce1a-49ba-8768-132e744bc308 + iscommand: false + name: Set Ticketing System (No Ticketing) + playbooktaskmissingcomponent: + script: Set + type: regular + version: -1 + taskid: e26fd030-ce1a-49ba-8768-132e744bc308 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 700, + "y": 880 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": {}, + "paper": { + "dimensions": { + "height": 830, + "width": 970, + "x": 110, + "y": 270 + } + } + } +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Recovery_Plan.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Recovery_Plan.yml new file mode 100644 index 0000000..f79e156 --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Recovery_Plan.yml @@ -0,0 +1,507 @@ +adopted: true +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 6.6.0 + isoverridable: false + itemVersion: 2.7.15 + packID: "" + packName: Common Playbooks + prevname: "" + supportedModules: + - X1 + - X3 + - X5 + - ENT_PLUS + toServerVersion: "" +description: |- + This playbook handles all the recovery actions available with Cortex XSIAM, including the following tasks: + * Unisolate endpoint + * Restore quarantined file + + Note: The playbook inputs enable manipulating the execution flow; read the input descriptions for details. +dirtyInputs: true +id: 'SOC Recovery Plan_V3' +inputSections: +- description: Generic group for inputs + inputs: + - unIsolateEndpoint + - releaseFile + - endpointID + - FileHash + - ShadowMode + name: General (Inputs group) +inputs: +- description: Set to True to cancel the endpoint isolation. + key: unIsolateEndpoint + playbookInputQuery: + required: false + value: + simple: "true" +- description: Set to True to release the quarantined file. + key: releaseFile + playbookInputQuery: + required: false + value: + simple: "false" +- description: The endpoint ID. + key: endpointID + playbookInputQuery: + required: false + value: {} +- description: The file hash. + key: FileHash + playbookInputQuery: + required: false + value: {} +- description: "" + key: ShadowMode + playbookInputQuery: + required: false + value: + simple: "true" +name: SOC Recovery Plan_V3 +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: [] +outputs: [] +sourceplaybookid: Recovery Plan +starttaskid: "0" +tags: +- SOC +- SOC_Framework +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "1" + - "4" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 6664776c-7209-42a0-8272-5f7f66756511 + iscommand: false + name: "" + playbooktaskmissingcomponent: + version: -1 + taskid: 6664776c-7209-42a0-8272-5f7f66756511 + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 440, + "y": -90 + } + } + "1": + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + root: inputs.unIsolateEndpoint + operator: isEqualString + right: + value: + simple: "true" + label: "yes" + continueonerrortype: "" + id: "1" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "3" + "yes": + - "8" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Whether to unisolate the endpoint. + id: 82bb4625-493c-4e79-8ba2-9ded7a609000 + iscommand: false + name: Should unisolate the endpoint? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 82bb4625-493c-4e79-8ba2-9ded7a609000 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 170, + "y": 50 + } + } + "2": + continueonerror: true + continueonerrortype: errorPath + id: "2" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "6" + '#none#': + - "3" + note: false + quietmode: 0 + scriptarguments: + endpoint_id: + complex: + root: inputs.endpointID + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Reverses the isolation of an endpoint. + id: 0259a747-30a5-4dab-b43c-931027b16cde + iscommand: true + name: Unisolate endpoint + playbooktaskmissingcomponent: + script: '|||core-unisolate-endpoint' + type: regular + version: -1 + taskid: 0259a747-30a5-4dab-b43c-931027b16cde + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 170, + "y": 400 + } + } + "3": + continueonerrortype: "" + id: "3" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 10b17a6b-93a9-4d5a-8d84-7950f294732a + iscommand: false + name: Done + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 10b17a6b-93a9-4d5a-8d84-7950f294732a + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 450, + "y": 570 + } + } + "4": + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + root: inputs.releaseFile + operator: isEqualString + right: + value: + simple: "true" + label: "yes" + continueonerrortype: "" + id: "4" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "3" + "yes": + - "7" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Whether to restore the quarantined file. + id: 1f8e95ae-1cf7-44c0-896b-576fb895a635 + iscommand: false + name: Should restore the quarantined file? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 1f8e95ae-1cf7-44c0-896b-576fb895a635 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 740, + "y": 50 + } + } + "5": + continueonerror: true + continueonerrortype: errorPath + id: "5" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "6" + '#none#': + - "3" + note: false + quietmode: 0 + scriptarguments: + endpoint_id: + complex: + root: inputs.endpointID + file_hash: + complex: + root: inputs.FileHash + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Restores a quarantined file on requested endpoints. + id: 01b98d8e-63e2-44ca-be87-adfa21b676a0 + iscommand: true + name: Restore file + playbooktaskmissingcomponent: + script: '|||core-restore-file' + type: regular + version: -1 + taskid: 01b98d8e-63e2-44ca-be87-adfa21b676a0 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 740, + "y": 400 + } + } + "6": + continueonerrortype: "" + id: "6" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: dce833e7-3768-46a4-8d45-cbce5ceae463 + iscommand: false + name: Foundation - Foundation - Error Handling_V3 + playbookId: Foundation - Foundation - Error Handling_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: dce833e7-3768-46a4-8d45-cbce5ceae463 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 980, + "y": 565 + } + } + "7": + continueonerrortype: "" + id: "7" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + Full Run: + - "5" + Shadow Mode: + - "10" + note: false + quietmode: 0 + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: false + skipunavailable: false + task: + brand: "" + id: be84d487-03e7-4ed1-a9a6-23aefc22ee93 + iscommand: false + name: Run Mode? + playbooktaskmissingcomponent: + script: 'ShadowModeRouter_V3' + type: condition + version: -1 + taskid: be84d487-03e7-4ed1-a9a6-23aefc22ee93 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 740, + "y": 240 + } + } + "8": + continueonerrortype: "" + id: "8" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + Full Run: + - "2" + Shadow Mode: + - "9" + note: false + quietmode: 0 + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: false + skipunavailable: false + task: + brand: "" + id: c7794cb4-70ba-44b4-855b-b675abbd500f + iscommand: false + name: Run Mode? + playbooktaskmissingcomponent: + script: 'ShadowModeRouter_V3' + type: condition + version: -1 + taskid: c7794cb4-70ba-44b4-855b-b675abbd500f + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 170, + "y": 240 + } + } + "9": + continueonerrortype: "" + id: "9" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "3" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow: Palo XDR Unisolate Endpoint + Command: core-unisolate-endpoint ${inputs.endpointID} + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: 8c955aa9-74ef-4c4d-a508-68f206650104 + iscommand: false + name: 'Shadow: Palo XDR Unisolate Endpoint' + playbooktaskmissingcomponent: + script: Print + type: regular + version: -1 + taskid: 8c955aa9-74ef-4c4d-a508-68f206650104 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": -230, + "y": 400 + } + } + "10": + continueonerrortype: "" + id: "10" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "3" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow: Palo XDR Restore File + Command: core-restore-file ${inputs.FileHash} + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: 735a815d-207c-49b2-adf5-de2567a58463 + iscommand: false + name: 'Shadow: Palo XDR Restore File' + playbooktaskmissingcomponent: + script: Print + type: regular + version: -1 + taskid: 735a815d-207c-49b2-adf5-de2567a58463 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1200, + "y": 400 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": { + "1_3_#default#": 0.54, + "1_8_yes": 0.83, + "4_3_#default#": 0.54 + }, + "paper": { + "dimensions": { + "height": 725, + "width": 1810, + "x": -230, + "y": -90 + } + } + } +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Symantec_block_Email.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Symantec_block_Email.yml new file mode 100644 index 0000000..06e548f --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Symantec_block_Email.yml @@ -0,0 +1,375 @@ +adopted: true +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 5.0.0 + isoverridable: false + itemVersion: 1.0.22 + packID: "" + packName: Symantec Messaging Gateway + prevname: "" + supportedModules: [] + toServerVersion: "" +description: This playbook will block email address at your email gateway. +dirtyInputs: true +id: 'SOC Symantec block Email_V3' +inputSections: +- description: Generic group for inputs + inputs: + - EmailToBlock + - ShadowMode + name: General (Inputs group) +inputs: +- description: The email address that will be blocked. + key: EmailToBlock + playbookInputQuery: + required: false + value: {} +- description: "" + key: ShadowMode + playbookInputQuery: + required: false + value: + simple: ${inputs.ShadowMode} +name: SOC Symantec block Email_V3 +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: [] +outputs: [] +sourceplaybookid: Symantec block Email +starttaskid: "0" +tags: +- SOC +- SOC_Framework +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "4" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 7b8687ab-feda-41dd-8278-57eb915dc305 + iscommand: false + name: "" + playbooktaskmissingcomponent: + version: -1 + taskid: 7b8687ab-feda-41dd-8278-57eb915dc305 + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 440, + "y": -260 + } + } + "1": + continueonerrortype: "" + id: "1" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + "no": + - "3" + "yes": + - "7" + note: false + quietmode: 0 + scriptarguments: + brandname: + simple: Symantec Messaging Gateway + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Returns 'yes' if the integration brand is available. Otherwise + returns 'no'. + id: 1e1d8837-f6b9-4e13-8764-7a6e3437f11a + iscommand: false + name: Is Symantec available + playbooktaskmissingcomponent: + script: IsIntegrationAvailable + type: condition + version: -1 + taskid: 1e1d8837-f6b9-4e13-8764-7a6e3437f11a + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 860, + "y": 150 + } + } + "2": + continueonerror: true + continueonerrortype: errorPath + id: "2" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "6" + '#none#': + - "3" + note: false + quietmode: 0 + scriptarguments: + email: + complex: + root: inputs.EmailToBlock + separatecontext: false + skipunavailable: false + task: + brand: Symantec Messaging Gateway + description: Adds email address to the Local Bad Sender domains. + id: 765d1cfc-e79f-46eb-baa7-77029eb133fe + iscommand: true + name: Block email + playbooktaskmissingcomponent: + script: Symantec Messaging Gateway|||smg-block-email + type: regular + version: -1 + taskid: 765d1cfc-e79f-46eb-baa7-77029eb133fe + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 680, + "y": 510 + } + } + "3": + continueonerrortype: "" + id: "3" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: ec96196e-14ac-4d19-826f-b68e4fc5fc86 + iscommand: false + name: Done + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: ec96196e-14ac-4d19-826f-b68e4fc5fc86 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 420, + "y": 700 + } + } + "4": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.EmailToBlock + operator: isNotEmpty + label: "yes" + continueonerrortype: "" + id: "4" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "3" + "yes": + - "5" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: b8c6256c-f6d0-41e6-8dca-c1a2096ccef7 + iscommand: false + name: 'Is there email to block? ' + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: b8c6256c-f6d0-41e6-8dca-c1a2096ccef7 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 440, + "y": -130 + } + } + "5": + continueonerrortype: "" + id: "5" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "1" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 281ad972-56f1-41e6-8e7d-00d400b079e4 + iscommand: false + name: Symantec + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 281ad972-56f1-41e6-8e7d-00d400b079e4 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 860, + "y": 25 + } + } + "6": + continueonerrortype: "" + id: "6" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: 75209827-3790-40b3-8a1b-452765fb148d + iscommand: false + name: Foundation - Foundation - Error Handling_V3 + playbookId: Foundation - Foundation - Error Handling_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: 75209827-3790-40b3-8a1b-452765fb148d + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 940, + "y": 695 + } + } + "7": + continueonerrortype: "" + id: "7" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + Full Run: + - "2" + Shadow Mode: + - "8" + note: false + quietmode: 0 + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 775b8b62-3493-4a55-8692-9335a4d070f7 + iscommand: false + name: Run Mode? + playbooktaskmissingcomponent: + script: 'ShadowModeRouter_V3' + type: condition + version: -1 + taskid: 775b8b62-3493-4a55-8692-9335a4d070f7 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 860, + "y": 320 + } + } + "8": + continueonerrortype: "" + id: "8" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "3" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow: Symantec Block Email + Command: smg-block-email ${inputs.EmailToBlock} + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: cd39f06b-3fe9-4d0d-b438-6f3902e386d7 + iscommand: false + name: 'Shadow: Symantec Block Email' + playbooktaskmissingcomponent: + script: Print + type: regular + version: -1 + taskid: cd39f06b-3fe9-4d0d-b438-6f3902e386d7 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1080, + "y": 510 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": { + "1_3_no": 0.51, + "4_3_#default#": 0.49 + }, + "paper": { + "dimensions": { + "height": 1025, + "width": 1040, + "x": 420, + "y": -260 + } + } + } +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_URL_Enrichment_-_Generic_v2.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_URL_Enrichment_-_Generic_v2.yml new file mode 100644 index 0000000..08d1171 --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_URL_Enrichment_-_Generic_v2.yml @@ -0,0 +1,773 @@ +adopted: true +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 5.0.0 + isoverridable: false + itemVersion: 2.7.15 + packID: "" + packName: Common Playbooks + prevname: "" + supportedModules: + - X1 + - X3 + - X5 + - ENT_PLUS + - agentix + toServerVersion: "" +description: |- + Enrich URLs using one or more integrations. + + URL enrichment includes: + * SSL verification for URLs. + * Threat information. + * Providing of URL screenshots. + * URL Reputation using !url. +dirtyInputs: true +id: 'SOC URL Enrichment - Generic v2_V3' +inputSections: +- description: Generic group for inputs + inputs: + - URL + - Rasterize + - VerifyURL + - UseReputationCommand + name: General (Inputs group) +inputs: +- description: The URLs to enrich. + key: URL + playbookInputQuery: + required: false + value: + complex: + accessor: Data + root: URL + transformers: + - operator: uniq +- description: |- + Define if you would like the system take safe screenshots of input URLs. + Possible values: True / False. + The default value is true. + key: Rasterize + playbookInputQuery: + required: false + value: + simple: "True" +- description: |- + Define if you would like the system perform SSL certificate verification on the URLs. + Possible values: True / False. + The default value is false. + key: VerifyURL + playbookInputQuery: + required: false + value: + simple: "False" +- description: |- + Define if you would like to use the !url command. + Note: This input should be used whenever there is no auto-extract enabled in the investigation flow. + Possible values: True / False. + The default value is false. + key: UseReputationCommand + playbookInputQuery: + required: true + value: + simple: "False" +name: SOC URL Enrichment - Generic v2_V3 +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: + - URL + - URL.Data + - DBotScore + - URL.Malicious + - URL.Malicious.Vendor + - URL.Malicious.Description + - DBotScore.Indicator + - DBotScore.Type + - DBotScore.Vendor + - DBotScore.Score + - DBotScore.Reliability + - URL.Relationships.EntityA + - URL.Relationships.EntityB + - URL.Relationships.Relationship + - URL.Relationships.EntityAType + - URL.Relationships.EntityBType + - InfoFile.EntryID + - InfoFile.Extension + - InfoFile.Name + - InfoFile.Info + - InfoFile.Size + - InfoFile.Type +outputs: +- contextPath: URL + description: The URL object. + type: uknown +- contextPath: URL.Data + description: The enriched URL. + type: string +- contextPath: DBotScore + description: The DBotScore object. + type: unknown +- contextPath: URL.Malicious + description: Whether the detected URL was malicious. + type: unknown +- contextPath: URL.Malicious.Vendor + description: For malicious URLs, the vendor that made the decision. +- contextPath: URL.Malicious.Description + description: For malicious URLs, the reason that the vendor made the decision. +- contextPath: DBotScore.Indicator + description: The indicator. + type: string +- contextPath: DBotScore.Type + description: The indicator's type. + type: string +- contextPath: DBotScore.Vendor + description: The reputation vendor. + type: string +- contextPath: DBotScore.Score + description: The reputation score. + type: number +- contextPath: DBotScore.Reliability + description: Reliability of the source providing the intelligence data. +- contextPath: URL.Relationships.EntityA + description: The source of the relationship. +- contextPath: URL.Relationships.EntityB + description: The destination of the relationship. +- contextPath: URL.Relationships.Relationship + description: The name of the relationship. +- contextPath: URL.Relationships.EntityAType + description: The type of the source of the relationship. +- contextPath: URL.Relationships.EntityBType + description: The type of the destination of the relationship. +- contextPath: InfoFile.EntryID + description: The EntryID of the image/pdf file. +- contextPath: InfoFile.Extension + description: The extension of the image/pdf file. +- contextPath: InfoFile.Name + description: The name of the image/pdf file. +- contextPath: InfoFile.Info + description: The info of the image/pdf file. +- contextPath: InfoFile.Size + description: The size of the image/pdf file. +- contextPath: InfoFile.Type + description: The type of the image/pdf file. +sourceplaybookid: URL Enrichment - Generic v2 +starttaskid: "0" +tags: +- SOC +- SOC_Framework +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "16" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: e1a236ab-b35b-4b70-84a7-3ca08b9bbe95 + iscommand: false + name: "" + playbooktaskmissingcomponent: + version: -1 + taskid: e1a236ab-b35b-4b70-84a7-3ca08b9bbe95 + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 490, + "y": 41 + } + } + "16": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.URL + operator: isNotEmpty + right: + value: {} + label: "yes" + continueonerrortype: "" + id: "16" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "37" + "yes": + - "29" + - "31" + - "38" + note: false + quietmode: 0 + scriptarguments: + value: + simple: inputs.URL + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks whether there is at least one URL to enrich. + id: 2e1b93fe-512d-4fba-80dd-2912bf3382f5 + iscommand: false + name: Is there a URL to enrich? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 2e1b93fe-512d-4fba-80dd-2912bf3382f5 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 490, + "y": 175 + } + } + "24": + continueonerrortype: "" + id: "24" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 7956570c-4a34-462b-84aa-0f8c6d01cf43 + iscommand: false + name: Done + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 7956570c-4a34-462b-84aa-0f8c6d01cf43 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 490, + "y": 1095 + } + } + "25": + continueonerrortype: "" + id: "25" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "24" + "yes": + - "26" + note: false + quietmode: 0 + scriptarguments: + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: brand + operator: isEqualString + right: + value: + simple: Rasterize + - - left: + iscontext: true + value: + simple: state + operator: isEqualString + right: + value: + simple: active + root: modules + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks if there is an active instance of the Rasterize integration + enabled. + id: 426d5e5a-76ec-4310-8157-e3ce1795f88f + iscommand: false + name: 'Is Rasterize integration enabled? ' + playbooktaskmissingcomponent: + script: Exists + type: condition + version: -1 + taskid: 426d5e5a-76ec-4310-8157-e3ce1795f88f + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": -40, + "y": 710 + } + } + "26": + continueonerror: true + continueonerrortype: errorPath + id: "26" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "41" + '#none#': + - "24" + note: false + quietmode: 0 + reputationcalc: 1 + scriptarguments: + execution-timeout: + simple: "600" + url: + complex: + root: inputs.URL + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: Rasterize + description: Gets a screenshot of the URL page. + id: 45ed63d2-f583-48a3-8318-92317f597f06 + iscommand: true + name: Get URL screenshot + playbooktaskmissingcomponent: + script: Rasterize|||rasterize + tags: + - url_screenshots + type: regular + version: -1 + taskid: 45ed63d2-f583-48a3-8318-92317f597f06 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": -40, + "y": 920 + } + } + "27": + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + root: inputs.Rasterize + operator: isEqualString + right: + value: + simple: "True" + label: "yes" + continueonerrortype: "" + id: "27" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "24" + "yes": + - "25" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks if the playbook's Rasterize input is set to "True", which + determines whether screenshots of the URLs are created. + id: 71af55e1-a11a-42f9-84f6-ce3ce93e17ce + iscommand: false + name: Capture screenshots of the URL? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 71af55e1-a11a-42f9-84f6-ce3ce93e17ce + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": -40, + "y": 500 + } + } + "29": + continueonerrortype: "" + id: "29" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "27" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 7fc4755c-5a08-4f90-8bab-12c892b21df4 + iscommand: false + name: URL Screenshots + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 7fc4755c-5a08-4f90-8bab-12c892b21df4 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": -40, + "y": 360 + } + } + "31": + continueonerrortype: "" + id: "31" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "33" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 11224752-fee9-4a8f-82c0-5af370081779 + iscommand: false + name: URL Verification + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 11224752-fee9-4a8f-82c0-5af370081779 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 489.5, + "y": 360 + } + } + "32": + continueonerror: true + continueonerrortype: errorPath + id: "32" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "41" + '#none#': + - "24" + note: false + quietmode: 0 + reputationcalc: 1 + scriptarguments: + url: + complex: + root: inputs.URL + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Verify URL SSL certificate. + id: 6238c2cb-a230-4546-9952-c7c51e78faf2 + iscommand: false + name: Verify SSL for URLs + playbooktaskmissingcomponent: + script: URLSSLVerification + type: regular + version: -1 + taskid: 6238c2cb-a230-4546-9952-c7c51e78faf2 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 490, + "y": 710 + } + } + "33": + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + root: inputs.VerifyURL + operator: isEqualString + right: + value: + simple: "True" + label: "yes" + continueonerrortype: "" + id: "33" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "24" + "yes": + - "32" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks if the playbook's VerifyURL input is set to "True", to determine + whether to perform SSL verification on the URLs. + id: 0a60d379-a6c4-449e-87e2-4939b8d0ad13 + iscommand: false + name: Verify URLs? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: 0a60d379-a6c4-449e-87e2-4939b8d0ad13 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 490, + "y": 500 + } + } + "37": + continueonerrortype: "" + id: "37" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "24" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 395ad908-d5b6-4449-8665-b085546d0d42 + iscommand: false + name: No URLs + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 395ad908-d5b6-4449-8665-b085546d0d42 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": -510, + "y": 360 + } + } + "38": + continueonerrortype: "" + id: "38" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "40" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 704516ae-95d9-4ef5-8772-1958046fcac7 + iscommand: false + name: URL Reputation + playbooktaskmissingcomponent: + type: title + version: -1 + taskid: 704516ae-95d9-4ef5-8772-1958046fcac7 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 1010, + "y": 360 + } + } + "39": + continueonerror: true + continueonerrortype: errorPath + id: "39" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "41" + '#none#': + - "24" + note: false + quietmode: 0 + scriptarguments: + url: + complex: + root: inputs.URL + transformers: + - operator: uniq + separatecontext: false + skipunavailable: true + task: + brand: "" + description: Checks the reputation of a URL. + id: 9c173500-98f2-46dd-8984-e0990a12ca73 + iscommand: true + name: Check Reputation + playbooktaskmissingcomponent: + script: '|||url' + type: regular + version: -1 + taskid: 9c173500-98f2-46dd-8984-e0990a12ca73 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1010, + "y": 710 + } + } + "40": + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + root: inputs.UseReputationCommand + operator: isEqualString + right: + value: + simple: "True" + label: "yes" + continueonerrortype: "" + id: "40" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "24" + "yes": + - "39" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Check if should run URL reputation command + id: e0db6ab1-2c0e-4859-84eb-e764c3fd01e5 + iscommand: false + name: Should use !url command? + playbooktaskmissingcomponent: + type: condition + version: -1 + taskid: e0db6ab1-2c0e-4859-84eb-e764c3fd01e5 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 1010, + "y": 500 + } + } + "41": + continueonerrortype: "" + id: "41" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: 984fa8e7-a1bb-41f3-8980-b8fbc2556185 + iscommand: false + name: Foundation - Foundation - Error Handling_V3 + playbookId: Foundation - Foundation - Error Handling_V3 + playbooktaskmissingcomponent: + type: playbook + version: -1 + taskid: 984fa8e7-a1bb-41f3-8980-b8fbc2556185 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 1050, + "y": 1090 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": { + "25_24_#default#": 0.53, + "25_26_yes": 0.47, + "27_25_yes": 0.5, + "33_24_#default#": 0.13, + "33_32_yes": 0.67, + "40_24_#default#": 0.31 + }, + "paper": { + "dimensions": { + "height": 1119, + "width": 1940, + "x": -510, + "y": 41 + } + } + } +fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/README.md b/Packs/soc-common-playbooks-unified/README.md new file mode 100644 index 0000000..e69de29 diff --git a/Packs/soc-common-playbooks-unified/pack_metadata.json b/Packs/soc-common-playbooks-unified/pack_metadata.json new file mode 100644 index 0000000..1ad35ba --- /dev/null +++ b/Packs/soc-common-playbooks-unified/pack_metadata.json @@ -0,0 +1,383 @@ +{ + "name": "SOC Common Playbooks Unified", + "id": "soc-common-playbooks-unified", + "description": "Frequently used playbooks pack.", + "support": "xsoar", + "currentVersion": "2.7.51", + "author": "Cortex XSOAR", + "url": "https://www.paloaltonetworks.com/cortex", + "email": "", + "created": "2020-05-14T08:33:25Z", + "categories": [ + "Utilities" + ], + "tags": [], + "useCases": [], + "keywords": [], + "dependencies": { + "Threat_Crowd": { + "mandatory": false, + "display_name": "Threat Crowd" + }, + "CiscoASA": { + "mandatory": false, + "display_name": "Cisco ASA" + }, + "fireeye": { + "mandatory": false, + "display_name": "FireEye (AX Series)" + }, + "Cylance_Protect": { + "mandatory": false, + "display_name": "Cylance Protect" + }, + "epo": { + "mandatory": false, + "display_name": "McAfee ePO" + }, + "CheckpointFirewall": { + "mandatory": false, + "display_name": "Check Point Firewall" + }, + "Carbon_Black_Enterprise_Response": { + "mandatory": false, + "display_name": "Carbon Black Enterprise Response" + }, + "PaloAltoNetworks_PAN_OS_EDL_Management": { + "mandatory": false, + "display_name": "Palo Alto Networks PAN-OS EDL Management" + }, + "WindowsForensics": { + "mandatory": false, + "display_name": "Windows Forensics" + }, + "SophosXGFirewall": { + "mandatory": false, + "display_name": "Sophos XG Firewall" + }, + "Akamai_WAF": { + "mandatory": false, + "display_name": "Akamai WAF" + }, + "ImageOCR": { + "mandatory": false, + "display_name": "Image OCR" + }, + "rasterize": { + "mandatory": true, + "display_name": "Rasterize" + }, + "QRadar": { + "mandatory": false, + "display_name": "IBM QRadar" + }, + "CrowdStrikeFalconSandbox": { + "mandatory": false, + "display_name": "CrowdStrike Falcon Sandbox" + }, + "ARIAPacketIntelligence": { + "mandatory": false, + "display_name": "ARIAPacketIntelligence" + }, + "Phishing": { + "mandatory": false, + "display_name": "Phishing" + }, + "RiskSense": { + "mandatory": false, + "display_name": "RiskSense" + }, + "FireEyeEX": { + "mandatory": false, + "display_name": "FireEye Email Security (EX)" + }, + "CrowdStrikeFalconX": { + "mandatory": false, + "display_name": "CrowdStrike Falcon Intelligence Sandbox" + }, + "VirusTotal-Private_API": { + "mandatory": false, + "display_name": "VirusTotal - Private API" + }, + "ThreatX": { + "mandatory": false, + "display_name": "ThreatX" + }, + "Polygon": { + "mandatory": false, + "display_name": "Polygon" + }, + "FireEyeHX": { + "mandatory": false, + "display_name": "FireEye HX" + }, + "PAN-OS": { + "mandatory": false, + "display_name": "PAN-OS" + }, + "ThreatGrid": { + "mandatory": false, + "display_name": "Cisco Threat Grid" + }, + "ExtraHop": { + "mandatory": false, + "display_name": "ExtraHop Reveal(x)" + }, + "PANWComprehensiveInvestigation": { + "mandatory": false, + "display_name": "PANW Comprehensive Investigation" + }, + "Stealthwatch_Cloud": { + "mandatory": false, + "display_name": "Cisco Secure Cloud Analytics (Stealthwatch Cloud)" + }, + "Kenna": { + "mandatory": false, + "display_name": "Kenna" + }, + "SplunkPy": { + "mandatory": false, + "display_name": "Splunk" + }, + "CrowdStrikeHost": { + "mandatory": false, + "display_name": "FalconHost" + }, + "ProofpointThreatResponse": { + "mandatory": false, + "display_name": "Proofpoint Threat Response (Beta)" + }, + "CortexXDR": { + "mandatory": false, + "display_name": "Palo Alto Networks Cortex XDR - Investigation and Response" + }, + "Rapid7_Nexpose": { + "mandatory": false, + "display_name": "Rapid7 Nexpose" + }, + "Active_Directory_Query": { + "mandatory": false, + "display_name": "Active Directory Query" + }, + "CrowdStrikeFalcon": { + "mandatory": false, + "display_name": "CrowdStrike Falcon" + }, + "Code42": { + "mandatory": false, + "display_name": "Code42" + }, + "SNDBOX": { + "mandatory": false, + "display_name": "SNDBOX" + }, + "SignalSciences": { + "mandatory": false, + "display_name": "Signal Sciences WAF" + }, + "XForceExchange": { + "mandatory": false, + "display_name": "IBM X-Force Exchange" + }, + "McAfee_Advanced_Threat_Defense": { + "mandatory": false, + "display_name": "McAfee Advanced Threat Defense" + }, + "F5Silverline": { + "mandatory": false, + "display_name": "F5 Silverline" + }, + "Zscaler": { + "mandatory": false, + "display_name": "Zscaler" + }, + "Traps": { + "mandatory": false, + "display_name": "Palo Alto Networks Traps" + }, + "VulnDB": { + "mandatory": false, + "display_name": "VulnDB" + }, + "Cisco-umbrella": { + "mandatory": false, + "display_name": "Cisco Umbrella Investigate" + }, + "HybridAnalysis": { + "mandatory": false, + "display_name": "Hybrid Analysis" + }, + "Lastline": { + "mandatory": false, + "display_name": "Lastline" + }, + "D2": { + "mandatory": false, + "display_name": "D2" + }, + "CiscoFirepower": { + "mandatory": false, + "display_name": "CiscoFirepower" + }, + "VMRay": { + "mandatory": false, + "display_name": "VMRay" + }, + "ANYRUN": { + "mandatory": false, + "display_name": "ANY.RUN" + }, + "Symantec_Messaging_Gateway": { + "mandatory": false, + "display_name": "Symantec Messaging Gateway" + }, + "CommonScripts": { + "mandatory": true, + "display_name": "Common Scripts" + }, + "Cybereason": { + "mandatory": false, + "display_name": "Cybereason" + }, + "TrendMicroApex": { + "mandatory": false, + "display_name": "Trend Micro Apex One" + }, + "Palo_Alto_Networks_WildFire": { + "mandatory": false, + "display_name": "Palo Alto Networks WildFire" + }, + "FortiGate": { + "mandatory": false, + "display_name": "FortiGate" + }, + "CuckooSandbox": { + "mandatory": false, + "display_name": "Cuckoo Sandbox" + }, + "CarbonBlackProtect": { + "mandatory": false, + "display_name": "Carbon Black Enterprise Protection" + }, + "Carbon_Black_Enterprise_Live_Response": { + "mandatory": false, + "display_name": "Carbon Black Enterprise Live Response" + }, + "JoeSecurity": { + "mandatory": false, + "display_name": "Joe Security" + }, + "IllusiveNetworks": { + "mandatory": false, + "display_name": "Illusive Networks" + }, + "McAfee-TIE": { + "mandatory": false, + "display_name": "McAfee Threat Intelligence Exchange" + }, + "EWS": { + "mandatory": false, + "display_name": "EWS" + }, + "FiltersAndTransformers": { + "mandatory": true, + "display_name": "Filters And Transformers" + }, + "SecneurXAnalysis": { + "mandatory": false, + "display_name": "SecneurX Analysis" + } + }, + "excludedDependencies": [ + "Attlasian", + "HelloIAMWorld", + "AWS-ILM", + "GitHub", + "SalesforceFusion", + "Salesforce", + "PrismaCloud", + "Okta", + "SAP_IAM", + "Oracle_IAM", + "Clarizen", + "Slack", + "Zoom", + "Envoy", + "ServiceNow", + "ExceedLMS" + ], + "displayedImages": [ + "Threat_Crowd", + "CiscoASA", + "fireeye", + "Cylance_Protect", + "epo", + "CheckpointFirewall", + "Carbon_Black_Enterprise_Response", + "PaloAltoNetworks_PAN_OS_EDL_Management", + "WindowsForensics", + "SophosXGFirewall", + "Akamai_WAF", + "ImageOCR", + "rasterize", + "QRadar", + "CrowdStrikeFalconSandbox", + "ARIAPacketIntelligence", + "Phishing", + "RiskSense", + "FireEyeEX", + "CrowdStrikeFalconX", + "VirusTotal-Private_API", + "ThreatX", + "Polygon", + "FireEyeHX", + "PAN-OS", + "ThreatGrid", + "ExtraHop", + "PANWComprehensiveInvestigation", + "Stealthwatch_Cloud", + "Kenna", + "SplunkPy", + "CrowdStrikeHost", + "ProofpointThreatResponse", + "CortexXDR", + "Rapid7_Nexpose", + "Active_Directory_Query", + "CrowdStrikeFalcon", + "Code42", + "SNDBOX", + "SignalSciences", + "XForceExchange", + "McAfee_Advanced_Threat_Defense", + "F5Silverline", + "Zscaler", + "Traps", + "VulnDB", + "Cisco-umbrella", + "HybridAnalysis", + "Lastline", + "D2", + "CiscoFirepower", + "VMRay", + "ANYRUN", + "Symantec_Messaging_Gateway", + "CommonScripts", + "Cybereason", + "TrendMicroApex", + "Palo_Alto_Networks_WildFire", + "FortiGate", + "CuckooSandbox", + "CarbonBlackProtect", + "Carbon_Black_Enterprise_Live_Response", + "JoeSecurity", + "IllusiveNetworks", + "McAfee-TIE", + "EWS", + "McAfee ePO v2", + "SecneurXAnalysis" + ], + "marketplaces": [ + "marketplacev2" + ], + "supportedModules": [] +} diff --git a/Packs/soc-common-playbooks-unified/xsoar_config.json b/Packs/soc-common-playbooks-unified/xsoar_config.json new file mode 100644 index 0000000..f0bed90 --- /dev/null +++ b/Packs/soc-common-playbooks-unified/xsoar_config.json @@ -0,0 +1,1457 @@ +{ + "custom_packs": [ + { + "id": "soc-common-playbooks-unified.zip", + "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-common-playbooks-unified-v2.7.51/soc-common-playbooks-unified-v2.7.51.zip", + "system": "yes" + } + ], + "marketplace_packs": [ + { + "id": "Core", + "name": "Core - Investigation and Response", + "version": "latest" + }, + { + "id": "CommonPlaybooks", + "name": "Common Playbooks", + "version": "latest" + }, + { + "id": "CommonScripts", + "name": "Common Scripts", + "version": "latest" + }, + { + "id": "Whois", + "name": "Whois", + "version": "latest" + }, + { + "id": "VirusTotal", + "name": "VirusTotal", + "version": "latest" + }, + { + "id": "rasterize", + "name": "Rasterize", + "version": "latest" + }, + { + "id": "FiltersAndTransformers", + "name": "Filters And Transformers", + "version": "latest" + }, + { + "id": "Palo_Alto_Networks_WildFire", + "name": "WildFire by Palo Alto Networks", + "version": "latest" + }, + { + "id": "Base", + "name": "Base", + "version": "latest" + }, + { + "id": "DemistoRESTAPI", + "name": "Cortex REST API", + "version": "latest" + } + ], + "lookup_datasets": [ + { + "dataset_name": "value_tags", + "dataset_type": "lookup", + "url": "https://github.com/Palo-Cortex/secops-framework/blob/main/Packs/soc-optimization-unified/Lookup/value_tags.json", + "dataset_schema": { + "Product": "text", + "TaskName": "text", + "_insert_time": "number", + "Time": "text", + "ScriptID": "text", + "Tag": "text", + "_update_time": "number", + "_collector_name": "text", + "_collector_type": "text", + "PlaybookID": "text", + "Category": "text", + "Vendor": "text" + } + } + ], + "integration_instances": [ + { + "version": 21, + "propagationLabels": [ + "all" + ], + "isOverridable": false, + "enabled": "true", + "name": "Cortex Core - IR_default_instance", + "brand": "Cortex Core - IR", + "category": "", + "engine": "", + "engineGroup": "", + "isIntegrationScript": true, + "mappingId": "", + "outgoingMapperId": "", + "incomingMapperId": "", + "canSample": false, + "defaultIgnore": false, + "integrationLogLevel": "", + "configuration": { + "id": "", + "version": 0, + "cacheVersn": 0, + "modified": "0001-01-01T00:00:00Z", + "sizeInBytes": 0, + "packID": "", + "packName": "", + "itemVersion": "", + "fromServerVersion": "", + "toServerVersion": "", + "definitionId": "", + "isOverridable": false, + "vcShouldIgnore": false, + "vcShouldKeepItemLegacyProdMachine": false, + "commitMessage": "", + "shouldCommit": false, + "name": "", + "prevName": "", + "display": "", + "brand": "", + "category": "", + "icon": "", + "description": "", + "configuration": null, + "integrationScript": null, + "hidden": false, + "canGetSamples": false + }, + "data": [ + { + "section": "Connect", + "display": "HTTP Timeout", + "displayPassword": "", + "name": "timeout", + "defaultValue": "120", + "type": 0, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "The timeout of the HTTP requests sent to Cortex API (in seconds).", + "hasvalue": true, + "value": "120" + } + ], + "passwordProtected": false + }, + { + "version": 2, + "propagationLabels": [ + "all" + ], + "isOverridable": false, + "enabled": "true", + "name": "Whois_instance_1", + "brand": "Whois", + "category": "Data Enrichment & Threat Intelligence", + "engine": "", + "engineGroup": "", + "isIntegrationScript": true, + "mappingId": "", + "outgoingMapperId": "", + "incomingMapperId": "", + "canSample": false, + "defaultIgnore": false, + "integrationLogLevel": "", + "configuration": { + "id": "", + "version": 0, + "cacheVersn": 0, + "modified": "0001-01-01T00:00:00Z", + "sizeInBytes": 0, + "packID": "", + "packName": "", + "itemVersion": "", + "fromServerVersion": "", + "toServerVersion": "", + "definitionId": "", + "isOverridable": false, + "vcShouldIgnore": false, + "vcShouldKeepItemLegacyProdMachine": false, + "commitMessage": "", + "shouldCommit": false, + "name": "", + "prevName": "", + "display": "", + "brand": "", + "category": "", + "icon": "", + "description": "", + "configuration": null, + "integrationScript": null, + "hidden": false, + "canGetSamples": false + }, + "data": [ + { + "section": "Collect", + "advanced": true, + "display": "Rate Limit Retry Count", + "displayPassword": "", + "name": "rate_limit_retry_count", + "defaultValue": "0", + "type": 0, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "The number of times to try when getting a Rate Limit response.", + "hasvalue": true, + "value": "3" + }, + { + "section": "Collect", + "advanced": true, + "display": "Rate Limit Wait Seconds", + "displayPassword": "", + "name": "rate_limit_wait_seconds", + "defaultValue": "120", + "type": 0, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "The number of seconds to wait each iteration when getting a Rate Limit response.", + "hasvalue": true, + "value": "120" + }, + { + "section": "Connect", + "advanced": true, + "display": "Return Errors", + "displayPassword": "", + "name": "with_error", + "defaultValue": "", + "type": 8, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "If set, failed command results will be returned as warnings instead of errors.", + "hasvalue": true, + "value": false + }, + { + "section": "Collect", + "display": "Source Reliability", + "displayPassword": "", + "name": "integrationReliability", + "defaultValue": "B - Usually reliable", + "type": 15, + "required": true, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": [ + "A+ - 3rd party enrichment", + "A - Completely reliable", + "B - Usually reliable", + "C - Fairly reliable", + "D - Not usually reliable", + "E - Unreliable", + "F - Reliability cannot be judged" + ], + "info": "Reliability of the source providing the intelligence data.", + "hasvalue": true, + "value": "B - Usually reliable" + }, + { + "section": "Collect", + "advanced": true, + "display": "Use legacy context", + "displayPassword": "", + "name": "old-version", + "defaultValue": "", + "type": 8, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "Get the Legacy output of context data for 'whois' and 'domain' commands.", + "hasvalue": false, + "value": null + }, + { + "section": "Connect", + "advanced": true, + "display": "Use system proxy settings", + "displayPassword": "", + "name": "proxy", + "defaultValue": "", + "type": 8, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "Effect the `ip` command and the other commands only if the Proxy URL is not set.", + "hasvalue": true, + "value": false + }, + { + "section": "Connect", + "advanced": true, + "display": "Proxy URL", + "displayPassword": "", + "name": "proxy_url", + "defaultValue": "", + "type": 0, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "Supports socks4/socks5/http connect proxies (e.g. socks5h://host:1080). Will effect all commands except for the `ip` command.", + "hasvalue": false, + "value": null + }, + { + "section": "Collect", + "advanced": true, + "display": "Suppress Rate Limit errors", + "displayPassword": "", + "name": "rate_limit_errors_suppressed", + "defaultValue": "false", + "type": 8, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "Whether Rate Limit errors should be supressed or not.", + "hasvalue": true, + "value": false + } + ], + "passwordProtected": false + }, + { + "version": 3, + "propagationLabels": [ + "all" + ], + "isOverridable": false, + "enabled": "true", + "name": "Rasterize_instance_1", + "brand": "Rasterize", + "category": "Utilities", + "engine": "", + "engineGroup": "", + "isIntegrationScript": true, + "mappingId": "", + "outgoingMapperId": "", + "incomingMapperId": "", + "canSample": false, + "defaultIgnore": false, + "integrationLogLevel": "", + "configuration": { + "id": "", + "version": 0, + "cacheVersn": 0, + "modified": "0001-01-01T00:00:00Z", + "sizeInBytes": 0, + "packID": "", + "packName": "", + "itemVersion": "", + "fromServerVersion": "", + "toServerVersion": "", + "definitionId": "", + "isOverridable": false, + "vcShouldIgnore": false, + "vcShouldKeepItemLegacyProdMachine": false, + "commitMessage": "", + "shouldCommit": false, + "name": "", + "prevName": "", + "display": "", + "brand": "", + "category": "", + "icon": "", + "description": "", + "configuration": null, + "integrationScript": null, + "hidden": false, + "canGetSamples": false + }, + "data": [ + { + "section": "Connect", + "display": "Return Errors", + "displayPassword": "", + "name": "with_error", + "defaultValue": "false", + "type": 8, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "", + "hasvalue": true, + "value": false + }, + { + "section": "Connect", + "display": "Rasterize Mode", + "displayPassword": "", + "name": "rasterize_mode", + "defaultValue": "", + "type": 0, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "Deprecated.", + "hasvalue": false, + "value": null + }, + { + "section": "Connect", + "display": "Number of maximum tabs each Chrome will be allowed to open.", + "displayPassword": "", + "name": "max_chrome_tabs_count", + "defaultValue": "10", + "type": 0, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "", + "hasvalue": true, + "value": "10" + }, + { + "section": "Connect", + "display": "Use system proxy settings", + "displayPassword": "", + "name": "proxy", + "defaultValue": "", + "type": 8, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "", + "hasvalue": true, + "value": false + }, + { + "section": "Connect", + "display": "Time to wait before taking a screenshot (in seconds)", + "displayPassword": "", + "name": "wait_time", + "defaultValue": "0", + "type": 0, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "", + "hasvalue": true, + "value": "0" + }, + { + "section": "Connect", + "display": "List of domains to block", + "displayPassword": "", + "name": "blocked_urls", + "defaultValue": "cloudflare.com", + "type": 0, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "", + "hasvalue": true, + "value": "cloudflare.com" + }, + { + "section": "Connect", + "display": "Chrome options (Advanced. See [?])", + "displayPassword": "", + "name": "chrome_options", + "defaultValue": "", + "type": 0, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "Add or remove Chrome options used to rasterize. Use for advanced troubleshooting. See Help.", + "hasvalue": false, + "value": null + }, + { + "section": "Connect", + "advanced": true, + "display": "Use secure requests protocol (HTTPS).", + "displayPassword": "", + "name": "is_https", + "defaultValue": "false", + "type": 8, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "", + "hasvalue": true, + "value": false + }, + { + "section": "Connect", + "display": "Number of maximum Chrome instances to keep running simultaneously.", + "displayPassword": "", + "name": "max_chromes_count", + "defaultValue": "64", + "type": 0, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "", + "hasvalue": true, + "value": "64" + }, + { + "section": "Connect", + "display": "Maximum time to wait for a page to load (in seconds)", + "displayPassword": "", + "name": "max_page_load_time", + "defaultValue": "180", + "type": 0, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "", + "hasvalue": true, + "value": "180" + } + ], + "passwordProtected": false + }, + { + "version": 2, + "propagationLabels": [ + "all" + ], + "isOverridable": false, + "enabled": "true", + "name": "WildFire-Reports_default_instance", + "brand": "WildFire-Reports", + "category": "Forensics & Malware Analysis", + "engine": "", + "engineGroup": "", + "isIntegrationScript": true, + "mappingId": "", + "outgoingMapperId": "", + "incomingMapperId": "", + "canSample": false, + "defaultIgnore": false, + "integrationLogLevel": "", + "configuration": { + "id": "", + "version": 0, + "cacheVersn": 0, + "modified": "0001-01-01T00:00:00Z", + "sizeInBytes": 0, + "packID": "", + "packName": "", + "itemVersion": "", + "fromServerVersion": "", + "toServerVersion": "", + "definitionId": "", + "isOverridable": false, + "vcShouldIgnore": false, + "vcShouldKeepItemLegacyProdMachine": false, + "commitMessage": "", + "shouldCommit": false, + "name": "", + "prevName": "", + "display": "", + "brand": "", + "category": "", + "icon": "", + "description": "", + "configuration": null, + "integrationScript": null, + "hidden": false, + "canGetSamples": false + }, + "data": [ + { + "section": "Connect", + "advanced": true, + "display": "Use system proxy settings", + "displayPassword": "", + "name": "proxy", + "defaultValue": "", + "type": 8, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "", + "hasvalue": false, + "value": null + }, + { + "display": "Server base URL (e.g., https://192.168.0.1/publicapi)", + "displayPassword": "", + "name": "server", + "defaultValue": "https://wildfire.paloaltonetworks.com/publicapi", + "type": 0, + "required": true, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "", + "hasvalue": true, + "value": "https://wildfire.paloaltonetworks.com/publicapi" + }, + { + "section": "Connect", + "display": "API Key", + "displayPassword": "", + "name": "token", + "defaultValue": "", + "type": 4, + "required": false, + "hidden": true, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "", + "hasvalue": false, + "value": null + }, + { + "section": "Connect", + "display": "", + "displayPassword": "API Key", + "name": "credentials", + "defaultValue": "", + "type": 9, + "required": false, + "hidden": false, + "hiddenUsername": true, + "hiddenPassword": false, + "options": null, + "info": "", + "hasvalue": true, + "value": { + "credential": "", + "credentials": { + "cacheVersn": 0, + "id": "", + "locked": false, + "modified": "0001-01-01T00:00:00Z", + "name": "", + "sizeInBytes": 0, + "user": "", + "vaultInstanceId": "", + "version": 0, + "workgroup": "" + }, + "identifier": "", + "passwordChanged": false + } + }, + { + "section": "Connect", + "advanced": true, + "display": "Trust any certificate (not secure)", + "displayPassword": "", + "name": "insecure", + "defaultValue": "", + "type": 8, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "", + "hasvalue": false, + "value": null + } + ], + "passwordProtected": false + }, + { + "version": 1, + "propagationLabels": [ + "all" + ], + "isOverridable": false, + "enabled": "true", + "name": "WildFire-v2_default_instance", + "brand": "WildFire-v2", + "category": "Forensics & Malware Analysis", + "engine": "", + "engineGroup": "", + "isIntegrationScript": true, + "mappingId": "", + "outgoingMapperId": "", + "incomingMapperId": "", + "canSample": false, + "defaultIgnore": false, + "integrationLogLevel": "", + "configuration": { + "id": "", + "version": 0, + "cacheVersn": 0, + "modified": "0001-01-01T00:00:00Z", + "sizeInBytes": 0, + "packID": "", + "packName": "", + "itemVersion": "", + "fromServerVersion": "", + "toServerVersion": "", + "definitionId": "", + "isOverridable": false, + "vcShouldIgnore": false, + "vcShouldKeepItemLegacyProdMachine": false, + "commitMessage": "", + "shouldCommit": false, + "name": "", + "prevName": "", + "display": "", + "brand": "", + "category": "", + "icon": "", + "description": "", + "configuration": null, + "integrationScript": null, + "hidden": false, + "canGetSamples": false + }, + "data": [ + { + "section": "Collect", + "advanced": true, + "display": "Return warning entry for unsupported file types", + "displayPassword": "", + "name": "suppress_file_type_error", + "defaultValue": "", + "type": 8, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "", + "hasvalue": true, + "value": false + }, + { + "section": "Connect", + "advanced": true, + "display": "Trust any certificate (not secure)", + "displayPassword": "", + "name": "insecure", + "defaultValue": "", + "type": 8, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "", + "hasvalue": true, + "value": false + }, + { + "section": "Connect", + "advanced": true, + "display": "API Key (Deprecated)", + "displayPassword": "", + "name": "token", + "defaultValue": "", + "type": 4, + "required": false, + "hidden": true, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "", + "hasvalue": false, + "value": "" + }, + { + "section": "Connect", + "advanced": true, + "display": "API Key Type", + "displayPassword": "", + "name": "credentials_source", + "defaultValue": "other", + "type": 15, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": [ + "pcc", + "prismaaccessapi", + "xsoartim", + "xdr", + "other" + ], + "info": "Source of WildFire API Key - other = NGFW, WildFire API - pcc = Prisma Cloud Compute - prismaaccessapi = Prisma Access - xsoartim = XSOAR TIM API Key", + "hasvalue": true, + "value": "other" + }, + { + "section": "Connect", + "display": "Server base URL (e.g., https://192.168.0.1/publicapi)", + "displayPassword": "", + "name": "server", + "defaultValue": "https://wildfire.paloaltonetworks.com/publicapi", + "type": 0, + "required": true, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "", + "hasvalue": true, + "value": "https://wildfire.paloaltonetworks.com/publicapi" + }, + { + "section": "Connect", + "advanced": true, + "display": "Use system proxy settings", + "displayPassword": "", + "name": "proxy", + "defaultValue": "", + "type": 8, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "", + "hasvalue": true, + "value": false + }, + { + "section": "Collect", + "advanced": true, + "display": "Create relationships", + "displayPassword": "", + "name": "create_relationships", + "defaultValue": "true", + "type": 8, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "Create relationships between indicators as part of enrichment.", + "hasvalue": true, + "value": true + }, + { + "section": "Collect", + "display": "Source Reliability", + "displayPassword": "", + "name": "integrationReliability", + "defaultValue": "B - Usually reliable", + "type": 15, + "required": true, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": [ + "A+ - 3rd party enrichment", + "A - Completely reliable", + "B - Usually reliable", + "C - Fairly reliable", + "D - Not usually reliable", + "E - Unreliable", + "F - Reliability cannot be judged" + ], + "info": "Reliability of the source providing the intelligence data.", + "hasvalue": true, + "value": "B - Usually reliable" + }, + { + "section": "Connect", + "display": "", + "displayPassword": "API Key", + "name": "credentials", + "defaultValue": "", + "type": 9, + "required": false, + "hidden": false, + "hiddenUsername": true, + "hiddenPassword": false, + "options": null, + "info": "", + "hasvalue": true, + "value": { + "credential": "Palo Alto Networks WildFire API Key", + "credentials": { + "cacheVersn": 0, + "id": "", + "locked": false, + "modified": "0001-01-01T00:00:00Z", + "name": "", + "sizeInBytes": 0, + "user": "", + "vaultInstanceId": "", + "version": 0, + "workgroup": "" + }, + "identifier": "", + "passwordChanged": false + } + } + ], + "passwordProtected": false + }, + { + "version": 1, + "propagationLabels": [ + "all" + ], + "isOverridable": false, + "enabled": "true", + "name": "PlaybookMetrics", + "brand": "System XQL HTTP Collector", + "category": "Utilities", + "engine": "", + "engineGroup": "", + "isIntegrationScript": true, + "mappingId": "", + "outgoingMapperId": "", + "incomingMapperId": "", + "canSample": false, + "defaultIgnore": false, + "integrationLogLevel": "", + "configuration": { + "id": "", + "version": 0, + "cacheVersn": 0, + "modified": "0001-01-01T00:00:00Z", + "sizeInBytes": 0, + "packID": "", + "packName": "", + "itemVersion": "", + "fromServerVersion": "", + "toServerVersion": "", + "definitionId": "", + "isOverridable": false, + "vcShouldIgnore": false, + "vcShouldKeepItemLegacyProdMachine": false, + "commitMessage": "", + "shouldCommit": false, + "name": "", + "prevName": "", + "display": "", + "brand": "", + "category": "", + "icon": "", + "description": "", + "configuration": null, + "integrationScript": null, + "hidden": false, + "canGetSamples": false + }, + "data": [ + { + "display": "Product Name", + "displayPassword": "", + "name": "product", + "defaultValue": "PlaybookMetrics", + "type": 0, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "The name of the 'Product' to include in the event data", + "hasvalue": true, + "value": "PlaybookMetrics" + }, + { + "display": "vendor name", + "displayPassword": "", + "name": "vendor", + "defaultValue": "XSIAM", + "type": 0, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "The name of the 'Vendor' to include in the event data", + "hasvalue": true, + "value": "XSIAM" + } + ], + "passwordProtected": false + }, + { + "version": 1, + "propagationLabels": [ + "all" + ], + "isOverridable": false, + "enabled": "true", + "name": "Whois_instance_SOCFW", + "brand": "Whois", + "category": "Data Enrichment & Threat Intelligence", + "engine": "", + "engineGroup": "", + "isIntegrationScript": true, + "mappingId": "", + "outgoingMapperId": "", + "incomingMapperId": "", + "canSample": false, + "defaultIgnore": false, + "integrationLogLevel": "", + "configuration": { + "id": "", + "version": 0, + "cacheVersn": 0, + "modified": "0001-01-01T00:00:00Z", + "sizeInBytes": 0, + "packID": "", + "packName": "", + "itemVersion": "", + "fromServerVersion": "", + "toServerVersion": "", + "definitionId": "", + "isOverridable": false, + "vcShouldIgnore": false, + "vcShouldKeepItemLegacyProdMachine": false, + "commitMessage": "", + "shouldCommit": false, + "name": "", + "prevName": "", + "display": "", + "brand": "", + "category": "", + "icon": "", + "description": "", + "configuration": null, + "integrationScript": null, + "hidden": false, + "canGetSamples": false + }, + "data": [ + { + "section": "Connect", + "advanced": true, + "display": "Use system proxy settings", + "displayPassword": "", + "name": "proxy", + "defaultValue": "", + "type": 8, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "Effect the `ip` command and the other commands only if the Proxy URL is not set.", + "hasvalue": true, + "value": false + }, + { + "section": "Connect", + "advanced": true, + "display": "Proxy URL", + "displayPassword": "", + "name": "proxy_url", + "defaultValue": "", + "type": 0, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "Supports socks4/socks5/http connect proxies (e.g. socks5h://host:1080). Will effect all commands except for the `ip` command.", + "hasvalue": false, + "value": null + }, + { + "section": "Collect", + "advanced": true, + "display": "Suppress Rate Limit errors", + "displayPassword": "", + "name": "rate_limit_errors_suppressed", + "defaultValue": "false", + "type": 8, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "Whether Rate Limit errors should be supressed or not.", + "hasvalue": true, + "value": false + }, + { + "section": "Collect", + "advanced": true, + "display": "Rate Limit Retry Count", + "displayPassword": "", + "name": "rate_limit_retry_count", + "defaultValue": "0", + "type": 0, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "The number of times to try when getting a Rate Limit response.", + "hasvalue": true, + "value": "3" + }, + { + "section": "Collect", + "advanced": true, + "display": "Rate Limit Wait Seconds", + "displayPassword": "", + "name": "rate_limit_wait_seconds", + "defaultValue": "120", + "type": 0, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "The number of seconds to wait each iteration when getting a Rate Limit response.", + "hasvalue": true, + "value": "120" + }, + { + "section": "Connect", + "advanced": true, + "display": "Return Errors", + "displayPassword": "", + "name": "with_error", + "defaultValue": "", + "type": 8, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "If set, failed command results will be returned as warnings instead of errors.", + "hasvalue": true, + "value": false + }, + { + "section": "Collect", + "display": "Source Reliability", + "displayPassword": "", + "name": "integrationReliability", + "defaultValue": "B - Usually reliable", + "type": 15, + "required": true, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": [ + "A+ - 3rd party enrichment", + "A - Completely reliable", + "B - Usually reliable", + "C - Fairly reliable", + "D - Not usually reliable", + "E - Unreliable", + "F - Reliability cannot be judged" + ], + "info": "Reliability of the source providing the intelligence data.", + "hasvalue": true, + "value": "B - Usually reliable" + } + ], + "passwordProtected": false + }, + { + "version": 1, + "propagationLabels": [ + "all" + ], + "isOverridable": false, + "enabled": "true", + "name": "Unit_42_Intelligence_SOCFW", + "brand": "Unit 42 Intelligence", + "category": "Data Enrichment & Threat Intelligence", + "engine": "", + "engineGroup": "", + "isIntegrationScript": true, + "mappingId": "", + "outgoingMapperId": "", + "incomingMapperId": "", + "canSample": false, + "defaultIgnore": false, + "integrationLogLevel": "", + "configuration": { + "id": "", + "version": 0, + "cacheVersn": 0, + "modified": "0001-01-01T00:00:00Z", + "sizeInBytes": 0, + "packID": "", + "packName": "", + "itemVersion": "", + "fromServerVersion": "", + "toServerVersion": "", + "definitionId": "", + "isOverridable": false, + "vcShouldIgnore": false, + "vcShouldKeepItemLegacyProdMachine": false, + "commitMessage": "", + "shouldCommit": false, + "name": "", + "prevName": "", + "display": "", + "brand": "", + "category": "", + "icon": "", + "description": "", + "configuration": null, + "integrationScript": null, + "hidden": false, + "canGetSamples": false + }, + "data": [ + { + "section": "Connect", + "advanced": true, + "display": "Use system proxy settings", + "displayPassword": "", + "name": "proxy", + "defaultValue": "", + "type": 8, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "Effect the `ip` command and the other commands only if the Proxy URL is not set.", + "hasvalue": true, + "value": false + }, + { + "section": "Connect", + "advanced": true, + "display": "Proxy URL", + "displayPassword": "", + "name": "proxy_url", + "defaultValue": "", + "type": 0, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "Supports socks4/socks5/http connect proxies (e.g. socks5h://host:1080). Will effect all commands except for the `ip` command.", + "hasvalue": false, + "value": null + }, + { + "section": "Collect", + "advanced": true, + "display": "Suppress Rate Limit errors", + "displayPassword": "", + "name": "rate_limit_errors_suppressed", + "defaultValue": "false", + "type": 8, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "Whether Rate Limit errors should be supressed or not.", + "hasvalue": true, + "value": false + }, + { + "section": "Collect", + "advanced": true, + "display": "Rate Limit Retry Count", + "displayPassword": "", + "name": "rate_limit_retry_count", + "defaultValue": "0", + "type": 0, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "The number of times to try when getting a Rate Limit response.", + "hasvalue": true, + "value": "3" + }, + { + "section": "Collect", + "advanced": true, + "display": "Rate Limit Wait Seconds", + "displayPassword": "", + "name": "rate_limit_wait_seconds", + "defaultValue": "120", + "type": 0, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "The number of seconds to wait each iteration when getting a Rate Limit response.", + "hasvalue": true, + "value": "120" + }, + { + "section": "Connect", + "advanced": true, + "display": "Return Errors", + "displayPassword": "", + "name": "with_error", + "defaultValue": "", + "type": 8, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "If set, failed command results will be returned as warnings instead of errors.", + "hasvalue": true, + "value": false + }, + { + "section": "Collect", + "display": "Source Reliability", + "displayPassword": "", + "name": "integrationReliability", + "defaultValue": "B - Usually reliable", + "type": 15, + "required": true, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": [ + "A+ - 3rd party enrichment", + "A - Completely reliable", + "B - Usually reliable", + "C - Fairly reliable", + "D - Not usually reliable", + "E - Unreliable", + "F - Reliability cannot be judged" + ], + "info": "Reliability of the source providing the intelligence data.", + "hasvalue": true, + "value": "B - Usually reliable" + } + ], + "passwordProtected": false + } + ], + "jobs": [ + { + "CustomFields": null, + "type": "##default##", + "name": "Auto Triage", + "severity": 0, + "labels": null, + "details": "This playbook accesses the API for XSIAM and by default must attract starred alerts within 6 hours or they will be closed as low fidelity alerts.", + "owner": "abarone@paloaltonetworks.com", + "playbookId": "JOB - Triage Alerts V3", + "phase": "", + "startDate": "2025-02-05T01:30:48.833Z", + "endingType": "never", + "times": 0, + "recurrent": true, + "endingDate": "2025-02-05T01:30:48.832Z", + "humanCron": { + "days": [ + "SUN", + "MON", + "TUE", + "WED", + "THU", + "FRI", + "SAT" + ], + "timePeriodType": "minutes", + "timePeriod": 10 + }, + "cronView": false, + "scheduled": false, + "tags": null, + "shouldTriggerNew": true, + "closePrevRun": false, + "notifyOwner": false, + "isFeed": false, + "selectedFeeds": null, + "isAllFeeds": false + }, + { + "CustomFields": null, + "type": "##default##", + "name": "Collect Playbook Metrics", + "severity": 0, + "labels": null, + "details": "", + "owner": "abarone@paloaltonetworks.com", + "playbookId": "JOB - Store Playbook Metrics in Dataset V3", + "phase": "", + "startDate": "2025-01-10T23:20:12Z", + "endingType": "never", + "times": 0, + "recurrent": true, + "endingDate": "2025-01-10T23:18:32Z", + "humanCron": { + "days": [ + "SUN", + "MON", + "TUE", + "WED", + "THU", + "FRI", + "SAT" + ], + "timePeriodType": "minutes", + "timePeriod": 15 + }, + "cronView": false, + "scheduled": true, + "tags": null, + "shouldTriggerNew": true, + "closePrevRun": false, + "notifyOwner": false, + "isFeed": false, + "selectedFeeds": null, + "isAllFeeds": false + } + ] +} diff --git a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Endpoint_Enrichment.yml b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Endpoint_Enrichment.yml index 1f770bc..e46e240 100644 --- a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Endpoint_Enrichment.yml +++ b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Endpoint_Enrichment.yml @@ -395,7 +395,7 @@ tasks: task: id: 7864855e-b7d5-44c9-9c32-9f6f54c57368 version: -1 - name: SOC Account Enrichment - Generic v2.1 + name: SOC Account Enrichment - Generic v2.1_V3 description: |- Enrich accounts using one or more integrations. Supported integrations: @@ -409,7 +409,7 @@ tasks: - Cortex XDR (account enrichment and reputation) Also, the playbook supports the generic command 'iam-get-user' (implemented in IAM integrations). For more information, visit https://xsoar.pan.dev/docs/integrations/iam-integrations. - playbookName: SOC Account Enrichment - Generic v2.1 + playbookName: SOC Account Enrichment - Generic v2.1_V3 type: playbook iscommand: false brand: "" @@ -486,8 +486,8 @@ tasks: task: id: ea064f3b-6272-4c60-84ab-c69bbfaa264c version: -1 - name: SOC Endpoint Enrichment - Generic v2.1 - playbookName: SOC Endpoint Enrichment - Generic v2.1 + name: SOC Endpoint Enrichment - Generic v2.1_V3 + playbookName: SOC Endpoint Enrichment - Generic v2.1_V3 type: playbook iscommand: false brand: "" diff --git a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Enrichment.yml b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Enrichment.yml index 24b7ee7..0c08c22 100644 --- a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Enrichment.yml +++ b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Enrichment.yml @@ -498,7 +498,7 @@ tasks: task: id: 50ead786-58d9-47ba-82e2-c9d31c33bb15 version: -1 - name: SOC Account Enrichment - Generic v2.1 + name: SOC Account Enrichment - Generic v2.1_V3 description: |- Enrich accounts using one or more integrations. Supported integrations: @@ -512,7 +512,7 @@ tasks: - Cortex XDR (account enrichment and reputation) Also, the playbook supports the generic command 'iam-get-user' (implemented in IAM integrations). For more information, visit https://xsoar.pan.dev/docs/integrations/iam-integrations. - playbookName: SOC Account Enrichment - Generic v2.1 + playbookName: SOC Account Enrichment - Generic v2.1_V3 type: playbook iscommand: false brand: "" @@ -544,13 +544,13 @@ tasks: task: id: 5ec185a1-60cf-4514-a2c0-21570463f4cf version: -1 - name: SOC Email Address Enrichment - Generic v2.1 + name: SOC Email Address Enrichment - Generic v2.1_V3 description: |- Enrich email addresses. - Get information from Active Directory for internal addresses - Get the domain-squatting reputation for external addresses - Email address reputation using !email command. - playbookName: SOC Email Address Enrichment - Generic v2.1 + playbookName: SOC Email Address Enrichment - Generic v2.1_V3 type: playbook iscommand: false brand: "" diff --git a/Packs/soc-optimization-unified/Playbooks/SOC_Endpoint_Containment.yml b/Packs/soc-optimization-unified/Playbooks/SOC_Endpoint_Containment.yml index b077ded..91e7215 100644 --- a/Packs/soc-optimization-unified/Playbooks/SOC_Endpoint_Containment.yml +++ b/Packs/soc-optimization-unified/Playbooks/SOC_Endpoint_Containment.yml @@ -791,10 +791,10 @@ tasks: task: id: a81256dd-ecc9-409b-9b9f-bea93c3844ab version: -1 - name: SOC Isolation Router + name: SOC Isolation Router_V3 description: Determine the correct playbook to run for the correct endpoint product. - playbookName: SOC Isolation Router + playbookName: SOC Isolation Router_V3 type: playbook iscommand: false brand: "" diff --git a/Packs/soc-optimization-unified/pack_metadata.json b/Packs/soc-optimization-unified/pack_metadata.json index 125fe41..3812293 100644 --- a/Packs/soc-optimization-unified/pack_metadata.json +++ b/Packs/soc-optimization-unified/pack_metadata.json @@ -22,7 +22,7 @@ "soc-common-playbooks": { "mandatory": true, "minVersion": "2.7.18", - "display_name": "SOC Common Playbooks" + "display_name": "SOC Common Playbooks Unified" } }, "marketplaces": [ From 6e76ef13afe565df054baa19badee482df653d67 Mon Sep 17 00:00:00 2001 From: Scott Brumley Date: Thu, 29 Jan 2026 13:49:35 -0500 Subject: [PATCH 36/49] - Made soc-common-playbooks non visible - Bump version - Update Catalog --- .../soc-common-playbooks-unified/pack_metadata.json | 2 +- Packs/soc-common-playbooks-unified/xsoar_config.json | 2 +- Packs/soc-optimization-unified/pack_metadata.json | 2 +- Packs/soc-optimization-unified/xsoar_config.json | 2 +- pack_catalog.json | 12 ++++++++++-- 5 files changed, 14 insertions(+), 6 deletions(-) diff --git a/Packs/soc-common-playbooks-unified/pack_metadata.json b/Packs/soc-common-playbooks-unified/pack_metadata.json index 1ad35ba..fdde51d 100644 --- a/Packs/soc-common-playbooks-unified/pack_metadata.json +++ b/Packs/soc-common-playbooks-unified/pack_metadata.json @@ -3,7 +3,7 @@ "id": "soc-common-playbooks-unified", "description": "Frequently used playbooks pack.", "support": "xsoar", - "currentVersion": "2.7.51", + "currentVersion": "2.7.52", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/soc-common-playbooks-unified/xsoar_config.json b/Packs/soc-common-playbooks-unified/xsoar_config.json index f0bed90..d37ac08 100644 --- a/Packs/soc-common-playbooks-unified/xsoar_config.json +++ b/Packs/soc-common-playbooks-unified/xsoar_config.json @@ -2,7 +2,7 @@ "custom_packs": [ { "id": "soc-common-playbooks-unified.zip", - "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-common-playbooks-unified-v2.7.51/soc-common-playbooks-unified-v2.7.51.zip", + "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-common-playbooks-unified-v2.7.52/soc-common-playbooks-unified-v2.7.52.zip", "system": "yes" } ], diff --git a/Packs/soc-optimization-unified/pack_metadata.json b/Packs/soc-optimization-unified/pack_metadata.json index 3812293..cf232cf 100644 --- a/Packs/soc-optimization-unified/pack_metadata.json +++ b/Packs/soc-optimization-unified/pack_metadata.json @@ -3,7 +3,7 @@ "id": "soc-optimization-unified", "description": "This contents the content used to leverage processes that the Palo SOC uses including: Playbooks, integrations, layouts, etc.", "support": "xsoar", - "currentVersion": "3.0.16", + "currentVersion": "3.0.17", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/soc-optimization-unified/xsoar_config.json b/Packs/soc-optimization-unified/xsoar_config.json index e889308..c42794f 100644 --- a/Packs/soc-optimization-unified/xsoar_config.json +++ b/Packs/soc-optimization-unified/xsoar_config.json @@ -8,7 +8,7 @@ "custom_packs": [ { "id": "soc-optimization-unified.zip", - "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-optimization-unified-v3.0.16/soc-optimization-unified-v3.0.16.zip", + "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-optimization-unified-v3.0.17/soc-optimization-unified-v3.0.17.zip", "system": "yes" } ], diff --git a/pack_catalog.json b/pack_catalog.json index aa82006..eff64ae 100644 --- a/pack_catalog.json +++ b/pack_catalog.json @@ -5,9 +5,17 @@ "display_name": "SOC Common Playbooks", "version": "2.7.51", "path": "Packs/soc-common-playbooks", - "visible": true, + "visible": false, "xsoar_config": "https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/Packs/soc-common-playbooks/xsoar_config.json" }, + { + "id": "soc-common-playbooks-unified", + "display_name": "SOC Common Playbooks Unified", + "version": "2.7.52", + "path": "Packs/soc-common-playbooks-unified", + "visible": false, + "xsoar_config": "https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/Packs/soc-common-playbooks-unified/xsoar_config.json" + }, { "id": "soc-crowdstrike-falcon", "display_name": "SOC CrowdStrike Falcon Integration Enhancement for Cortex XSIAM", @@ -51,7 +59,7 @@ { "id": "soc-optimization-unified", "display_name": "SOC Framework Unified", - "version": "3.0.16", + "version": "3.0.17", "path": "Packs/soc-optimization-unified", "visible": true, "xsoar_config": "https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/Packs/soc-optimization-unified/xsoar_config.json" From 33527cb869ba1747fd62626eb8437d212a2514cb Mon Sep 17 00:00:00 2001 From: Scott Brumley Date: Thu, 29 Jan 2026 15:52:59 -0500 Subject: [PATCH 37/49] - Playbook Fixes - Broken Subplaybook links - Inputs not correctly defined - Bump version - Update Catalog --- ...> Foundation_-_Endpoint_Enrichment_V3.yml} | 193 ++++++------ ...ent.yml => Foundation_-_Enrichment_V3.yml} | 171 +++++++---- ...r.yml => Foundation_-_Upon_Trigger_V3.yml} | 141 +++++++-- ...Containment.yml => SOC_Containment_V3.yml} | 55 ++-- ...nt.yml => SOC_Endpoint_Containment_V3.yml} | 240 +++++++-------- ...nt.yml => SOC_Identity_Containment_V3.yml} | 288 +++++++++--------- 6 files changed, 613 insertions(+), 475 deletions(-) rename Packs/soc-optimization-unified/Playbooks/{Foundation_-_Endpoint_Enrichment.yml => Foundation_-_Endpoint_Enrichment_V3.yml} (90%) rename Packs/soc-optimization-unified/Playbooks/{Foundation_-_Enrichment.yml => Foundation_-_Enrichment_V3.yml} (82%) rename Packs/soc-optimization-unified/Playbooks/{Foundation_-_Upon_Trigger.yml => Foundation_-_Upon_Trigger_V3.yml} (84%) rename Packs/soc-optimization-unified/Playbooks/{SOC_Containment.yml => SOC_Containment_V3.yml} (96%) rename Packs/soc-optimization-unified/Playbooks/{SOC_Endpoint_Containment.yml => SOC_Endpoint_Containment_V3.yml} (91%) rename Packs/soc-optimization-unified/Playbooks/{SOC_Identity_Containment.yml => SOC_Identity_Containment_V3.yml} (86%) diff --git a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Endpoint_Enrichment.yml b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Endpoint_Enrichment_V3.yml similarity index 90% rename from Packs/soc-optimization-unified/Playbooks/Foundation_-_Endpoint_Enrichment.yml rename to Packs/soc-optimization-unified/Playbooks/Foundation_-_Endpoint_Enrichment_V3.yml index e46e240..9f10237 100644 --- a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Endpoint_Enrichment.yml +++ b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Endpoint_Enrichment_V3.yml @@ -1,10 +1,10 @@ id: Foundation - Endpoint Enrichment_V3 -version: 19 +version: 5 contentitemexportablefields: contentitemfields: - packID: "" - _packName: SOC Framework Unified - itemVersion: 2.1.19 + packID: soc-optimization-unified + packName: SOC Framework Unified + itemVersion: 3.0.17 fromServerVersion: 5.0.0 toServerVersion: "" definitionid: "" @@ -33,7 +33,7 @@ tasks: name: "" iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': @@ -68,7 +68,7 @@ tasks: type: condition iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#default#': @@ -112,7 +112,7 @@ tasks: type: title iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false separatecontext: false continueonerrortype: "" @@ -141,7 +141,7 @@ tasks: type: condition iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#default#': @@ -185,7 +185,7 @@ tasks: type: title iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': @@ -219,7 +219,7 @@ tasks: type: regular iscommand: true brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#error#': @@ -259,7 +259,7 @@ tasks: type: regular iscommand: true brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#error#': @@ -298,7 +298,7 @@ tasks: type: playbook iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': @@ -335,11 +335,11 @@ tasks: type: title iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "21" + - "27" separatecontext: false continueonerrortype: "" view: |- @@ -367,11 +367,11 @@ tasks: type: title iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "24" + - "25" separatecontext: false continueonerrortype: "" view: |- @@ -388,56 +388,29 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "21": - id: "21" - taskid: 7864855e-b7d5-44c9-9c32-9f6f54c57368 - type: playbook + "22": + id: "22" + taskid: 1e7de422-55dc-4dfd-b67f-d5c6a7d9570d + type: title task: - id: 7864855e-b7d5-44c9-9c32-9f6f54c57368 + id: 1e7de422-55dc-4dfd-b67f-d5c6a7d9570d version: -1 - name: SOC Account Enrichment - Generic v2.1_V3 - description: |- - Enrich accounts using one or more integrations. - Supported integrations: - - Active Directory - - Microsoft Graph User - - SailPoint IdentityNow - - SailPoint IdentityIQ - - PingOne - - Okta - - AWS IAM - - Cortex XDR (account enrichment and reputation) - - Also, the playbook supports the generic command 'iam-get-user' (implemented in IAM integrations). For more information, visit https://xsoar.pan.dev/docs/integrations/iam-integrations. - playbookName: SOC Account Enrichment - Generic v2.1_V3 - type: playbook + name: EndPoint Enrichment + type: title iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "4" - scriptarguments: - Domain: - simple: ${inputs.Domain} - Username: - complex: - root: inputs.UserName - transformers: - - operator: uniq - separatecontext: true + - "26" + separatecontext: false continueonerrortype: "" - loop: - iscommand: false - exitCondition: "" - wait: 1 - max: 100 view: |- { "position": { - "x": 827.5, - "y": 1110 + "x": 1257.5, + "y": 935 } } note: false @@ -447,29 +420,45 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "22": - id: "22" - taskid: 1e7de422-55dc-4dfd-b67f-d5c6a7d9570d - type: title + "25": + id: "25" + taskid: 46f954a6-d134-4186-b23c-a553161ddd01 + type: playbook task: - id: 1e7de422-55dc-4dfd-b67f-d5c6a7d9570d + id: 46f954a6-d134-4186-b23c-a553161ddd01 version: -1 - name: EndPoint Enrichment - type: title + name: SOC File Enrichment - File reputation_V3 + description: Get file reputation using one or more integrations + playbookName: SOC File Enrichment - File reputation_V3 + type: playbook iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "23" - separatecontext: false + - "4" + scriptarguments: + MD5: + simple: ${inputs.MD5} + SHA1: + complex: + root: File + accessor: SHA1 + SHA256: + simple: ${inputs.SHA256} + separatecontext: true continueonerrortype: "" + loop: + iscommand: false + exitCondition: "" + wait: 1 + max: 100 view: |- { "position": { - "x": 1257.5, - "y": 935 + "x": 1687.5, + "y": 1110 } } note: false @@ -479,19 +468,19 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "23": - id: "23" - taskid: ea064f3b-6272-4c60-84ab-c69bbfaa264c + "26": + id: "26" + taskid: 9ae147a2-2f2d-4a5f-863f-f2fb5cc5aa2f type: playbook task: - id: ea064f3b-6272-4c60-84ab-c69bbfaa264c + id: 9ae147a2-2f2d-4a5f-863f-f2fb5cc5aa2f version: -1 name: SOC Endpoint Enrichment - Generic v2.1_V3 playbookName: SOC Endpoint Enrichment - Generic v2.1_V3 type: playbook iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': @@ -535,32 +524,44 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "24": - id: "24" - taskid: 8b75fd8d-2a9a-458e-9de3-2f9d50277c72 + "27": + id: "27" + taskid: 63ca32bd-6512-412a-b14e-9003333e8da4 type: playbook task: - id: 8b75fd8d-2a9a-458e-9de3-2f9d50277c72 + id: 63ca32bd-6512-412a-b14e-9003333e8da4 version: -1 - name: SOC File Enrichment - File reputation - playbookName: SOC File Enrichment - File reputation + name: SOC Account Enrichment - Generic v2.1_V3 + description: |- + Enrich accounts using one or more integrations. + Supported integrations: + - Active Directory + - Microsoft Graph User + - SailPoint IdentityNow + - SailPoint IdentityIQ + - PingOne + - Okta + - AWS IAM + - Cortex XDR (account enrichment and reputation) + + Also, the playbook supports the generic command 'iam-get-user' (implemented in IAM integrations). For more information, visit https://xsoar.pan.dev/docs/integrations/iam-integrations. + playbookName: SOC Account Enrichment - Generic v2.1_V3 type: playbook iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - "4" scriptarguments: - MD5: - simple: ${inputs.MD5} - SHA1: + Domain: + simple: ${inputs.Domain} + Username: complex: - root: File - accessor: SHA1 - SHA256: - simple: ${inputs.SHA256} + root: inputs.UserName + transformers: + - operator: uniq separatecontext: true continueonerrortype: "" loop: @@ -571,7 +572,7 @@ tasks: view: |- { "position": { - "x": 1687.5, + "x": 827.5, "y": 1110 } } @@ -582,6 +583,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false +system: true view: |- { "linkLabelsPosition": {}, @@ -600,49 +602,49 @@ inputs: simple: ${issue.hostip} required: false description: "" - playbookInputQuery: + playbookInputQuery: null - key: RemoteIP value: simple: ${issue.remoteip} required: false description: "" - playbookInputQuery: + playbookInputQuery: null - key: UserName value: simple: ${issue.username} required: false description: "" - playbookInputQuery: + playbookInputQuery: null - key: EndpointID value: simple: ${issue.agentid} required: false description: "" - playbookInputQuery: + playbookInputQuery: null - key: HostName value: simple: ${issue.hostname} required: false description: "" - playbookInputQuery: + playbookInputQuery: null - key: Domain value: simple: ${issue.domain} required: false description: "" - playbookInputQuery: + playbookInputQuery: null - key: MD5 value: simple: ${issue.initiatormd5} required: false description: "" - playbookInputQuery: + playbookInputQuery: null - key: SHA256 value: simple: ${issue.initiatorsha256} required: false description: "" - playbookInputQuery: + playbookInputQuery: null inputSections: - inputs: - SourceIP @@ -663,4 +665,3 @@ outputs: [] sourceplaybookid: Foundation - Enrichment_V3 dirtyInputs: true adopted: true -fromversion: 5.0.0 diff --git a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Enrichment.yml b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Enrichment_V3.yml similarity index 82% rename from Packs/soc-optimization-unified/Playbooks/Foundation_-_Enrichment.yml rename to Packs/soc-optimization-unified/Playbooks/Foundation_-_Enrichment_V3.yml index 0c08c22..e7c7ebf 100644 --- a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Enrichment.yml +++ b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Enrichment_V3.yml @@ -1,10 +1,10 @@ id: Foundation - Enrichment_V3 -version: 21 +version: 13 contentitemexportablefields: contentitemfields: - packID: soc-optimization - _packName: SOC Framework Unified - itemVersion: 2.1.19 + packID: soc-optimization-unified + packName: SOC Framework Unified + itemVersion: 3.0.17 fromServerVersion: 5.0.0 toServerVersion: "" definitionid: "" @@ -31,7 +31,7 @@ tasks: name: "" iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': @@ -63,7 +63,7 @@ tasks: type: title iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false separatecontext: false continueonerrortype: "" @@ -92,7 +92,7 @@ tasks: type: title iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': @@ -124,7 +124,7 @@ tasks: type: condition iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#default#': @@ -229,7 +229,7 @@ tasks: type: title iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': @@ -252,10 +252,10 @@ tasks: isautoswitchedtoquietmode: false "24": id: "24" - taskid: a464e64f-dfef-4851-8381-66039eadc35b + taskid: fc7d9fe2-bcb2-45f8-865c-40e42c1eb3ce type: playbook task: - id: a464e64f-dfef-4851-8381-66039eadc35b + id: fc7d9fe2-bcb2-45f8-865c-40e42c1eb3ce version: -1 name: Foundation - Endpoint Enrichment_V3 description: | @@ -265,28 +265,28 @@ tasks: type: playbook iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - "4" scriptarguments: Domain: - simple: ${issue.domain} + simple: ${inputs.Domain} EndpointID: - simple: ${issue.agentid} + simple: ${inputs.EndpointID} HostName: - simple: ${issue.hostname} + simple: ${inputs.Hostname} MD5: - simple: ${issue.processmd5} + simple: ${inputs.MD5} RemoteIP: - simple: ${issue.remoteip} + simple: ${inputs.Remote_IP} SHA256: - simple: ${issue.filesha256} + simple: ${inputs.MD5} SourceIP: - simple: ${issue.hostip} + simple: ${inputs.Hostname} UserName: - simple: ${issue.username} + simple: ${inputs.UserName} separatecontext: true continueonerrortype: "" loop: @@ -319,7 +319,7 @@ tasks: type: title iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': @@ -351,7 +351,7 @@ tasks: type: title iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': @@ -383,7 +383,7 @@ tasks: type: title iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false separatecontext: false continueonerrortype: "" @@ -412,7 +412,7 @@ tasks: type: title iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': @@ -435,10 +435,10 @@ tasks: isautoswitchedtoquietmode: false "29": id: "29" - taskid: 48b140df-d42c-4edb-8b04-5e157d87aafc + taskid: eb3116d8-1621-475a-93c9-85d9432de381 type: playbook task: - id: f15d206c-c1d0-4176-877f-dbd196753dc4 + id: eb3116d8-1621-475a-93c9-85d9432de381 version: -1 name: Foundation - Network Enrichment_V3 description: | @@ -448,28 +448,28 @@ tasks: type: playbook iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - "4" scriptarguments: Domain: - simple: ${issue.domain} + simple: ${inputs.Domain} EndpointID: - simple: ${issue.agentid} + simple: ${inputs.EndpointID} HostName: - simple: ${issue.hostname} + simple: ${inputs.Hostname} MD5: - simple: ${issue.processmd5} + simple: ${inputs.MD5} RemoteIP: - simple: ${issue.remoteip} + simple: ${inputs.Remote_IP} SHA256: - simple: ${issue.filesha256} + simple: ${inputs.SHA256} SourceIP: - simple: ${issue.hostip} + simple: ${inputs.Source_IP} UserName: - simple: ${issue.username} + simple: ${inputs.UserName} separatecontext: true continueonerrortype: "" loop: @@ -493,10 +493,10 @@ tasks: isautoswitchedtoquietmode: false "30": id: "30" - taskid: 50ead786-58d9-47ba-82e2-c9d31c33bb15 + taskid: 82feb219-ef0f-4c4d-89ff-234e257c3db4 type: playbook task: - id: 50ead786-58d9-47ba-82e2-c9d31c33bb15 + id: 82feb219-ef0f-4c4d-89ff-234e257c3db4 version: -1 name: SOC Account Enrichment - Generic v2.1_V3 description: |- @@ -516,13 +516,26 @@ tasks: type: playbook iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - "4" + scriptarguments: + Domain: + simple: ${inputs.Domain} + Username: + complex: + root: inputs.UserName + transformers: + - operator: uniq separatecontext: true continueonerrortype: "" + loop: + iscommand: false + exitCondition: "" + wait: 1 + max: 100 view: |- { "position": { @@ -539,10 +552,10 @@ tasks: isautoswitchedtoquietmode: false "31": id: "31" - taskid: 5ec185a1-60cf-4514-a2c0-21570463f4cf + taskid: ade0d98b-c10b-442c-a73b-73afb40bbb5c type: playbook task: - id: 5ec185a1-60cf-4514-a2c0-21570463f4cf + id: ade0d98b-c10b-442c-a73b-73afb40bbb5c version: -1 name: SOC Email Address Enrichment - Generic v2.1_V3 description: |- @@ -554,7 +567,7 @@ tasks: type: playbook iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': @@ -564,8 +577,7 @@ tasks: simple: ${issue.domain} Email: complex: - root: issue - accessor: email + root: inputs.Email transformers: - operator: uniq UseReputationCommand: @@ -593,10 +605,10 @@ tasks: isautoswitchedtoquietmode: false "32": id: "32" - taskid: 488b7a66-6e90-4139-876e-4d9d5251231a + taskid: b13b43e7-c68e-43c5-9fba-ad2e719b4226 type: playbook task: - id: 488b7a66-6e90-4139-876e-4d9d5251231a + id: b13b43e7-c68e-43c5-9fba-ad2e719b4226 version: -1 name: Foundation - Endpoint Enrichment_V3 description: | @@ -606,28 +618,28 @@ tasks: type: playbook iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - "4" scriptarguments: Domain: - simple: ${issue.domain} + simple: ${inputs.Domain} EndpointID: - simple: ${issue.agentid} + simple: ${inputs.EndpointID} HostName: - simple: ${issue.hostname} + simple: ${inputs.Hostname} MD5: - simple: ${issue.processmd5} + simple: ${inputs.MD5} RemoteIP: - simple: ${issue.remoteip} + simple: ${inputs.Remote_IP} SHA256: - simple: ${issue.filesha256} + simple: ${inputs.SHA256} SourceIP: - simple: ${issue.hostip} + simple: ${inputs.Source_IP} UserName: - simple: ${issue.username} + simple: ${inputs.UserName} separatecontext: true continueonerrortype: "" loop: @@ -668,31 +680,73 @@ inputs: simple: ${issue.remoteip} required: false description: "" - playbookInputQuery: + playbookInputQuery: null - key: File_Hash value: simple: ${issue.initiatorsha256} required: false description: "" - playbookInputQuery: + playbookInputQuery: null - key: Remote_IP value: simple: ${issue.remoteip} required: false description: "" - playbookInputQuery: + playbookInputQuery: null - key: UserName value: simple: ${issue.username} required: false description: "" - playbookInputQuery: + playbookInputQuery: null +- key: Email + value: + simple: ${issue.email} + required: false + description: "" + playbookInputQuery: null +- key: EndpointID + value: + simple: ${issue.agentid} + required: false + description: "" + playbookInputQuery: null +- key: Hostname + value: + simple: ${issue.hostname} + required: false + description: "" + playbookInputQuery: null +- key: Domain + value: + simple: ${issue.domain} + required: false + description: "" + playbookInputQuery: null +- key: MD5 + value: + simple: ${issue.filemd5} + required: false + description: "" + playbookInputQuery: null +- key: SHA256 + value: + simple: ${issue.filesha256} + required: false + description: "" + playbookInputQuery: null inputSections: - inputs: - Source_IP - File_Hash - Remote_IP - UserName + - Email + - EndpointID + - Hostname + - Domain + - MD5 + - SHA256 name: General (Inputs group) description: Generic group for inputs outputSections: @@ -703,4 +757,3 @@ outputs: [] sourceplaybookid: Foundation - Enrichment_V3 dirtyInputs: true adopted: true -fromversion: 5.0.0 diff --git a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Upon_Trigger.yml b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Upon_Trigger_V3.yml similarity index 84% rename from Packs/soc-optimization-unified/Playbooks/Foundation_-_Upon_Trigger.yml rename to Packs/soc-optimization-unified/Playbooks/Foundation_-_Upon_Trigger_V3.yml index 9840d73..130ba19 100644 --- a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Upon_Trigger.yml +++ b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Upon_Trigger_V3.yml @@ -1,10 +1,10 @@ id: Foundation - Upon Trigger V3 -version: 3 +version: 6 contentitemexportablefields: contentitemfields: packID: soc-optimization-unified - _packName: SOC Framework Unified - itemVersion: 2.1.40 + packName: SOC Framework Unified + itemVersion: 3.0.17 fromServerVersion: 5.0.0 toServerVersion: "" definitionid: "" @@ -28,7 +28,7 @@ tasks: name: "" iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': @@ -60,7 +60,7 @@ tasks: type: title iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': @@ -92,7 +92,7 @@ tasks: type: title iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': @@ -124,7 +124,7 @@ tasks: type: title iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': @@ -156,7 +156,7 @@ tasks: type: title iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': @@ -188,7 +188,7 @@ tasks: type: title iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': @@ -220,7 +220,7 @@ tasks: type: title iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': @@ -252,7 +252,7 @@ tasks: type: title iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': @@ -284,7 +284,7 @@ tasks: type: title iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false separatecontext: false continueonerrortype: "" @@ -315,7 +315,7 @@ tasks: type: playbook iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': @@ -343,10 +343,10 @@ tasks: isautoswitchedtoquietmode: false "23": id: "23" - taskid: 684841fc-35e6-4b43-af1f-4fae7ee4bdd4 + taskid: c5f48fdf-5a69-4392-8a11-332b1ddef033 type: playbook task: - id: 684841fc-35e6-4b43-af1f-4fae7ee4bdd4 + id: c5f48fdf-5a69-4392-8a11-332b1ddef033 version: -1 name: Foundation - Enrichment_V3 description: | @@ -356,20 +356,32 @@ tasks: type: playbook iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - "4" scriptarguments: + Domain: + simple: ${inputs.Domain} + Email: + simple: ${inputs.Email} + EndpointID: + simple: ${inputs.EndpointID} File_Hash: - simple: ${issue.filesha256} + simple: ${inputs.File_Hash} + Hostname: + simple: ${inputs.Hostname} + MD5: + simple: ${inputs.MD5} Remote_IP: - simple: ${issue.remoteip} + simple: ${inputs.Remote_IP} + SHA256: + simple: ${inputs.SHA256} Source_IP: - simple: ${issue.localip} + simple: ${inputs.Source_IP} UserName: - simple: ${issue.username} + simple: ${inputs.UserName} separatecontext: false continueonerrortype: "" loop: @@ -406,7 +418,7 @@ tasks: type: playbook iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': @@ -448,7 +460,7 @@ tasks: type: playbook iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': @@ -490,7 +502,7 @@ tasks: type: playbook iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': @@ -526,7 +538,7 @@ tasks: type: playbook iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': @@ -563,7 +575,7 @@ tasks: type: playbook iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': @@ -600,7 +612,7 @@ tasks: type: title iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': @@ -633,7 +645,7 @@ tasks: type: playbook iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': @@ -667,9 +679,79 @@ view: |- } } } -inputs: [] +inputs: +- key: Source_IP + value: + simple: ${issue.localip} + required: false + description: "" + playbookInputQuery: null +- key: File_Hash + value: + simple: ${issue.filesha256} + required: false + description: "" + playbookInputQuery: null +- key: Remote_IP + value: + simple: ${issue.remoteip} + required: false + description: "" + playbookInputQuery: null +- key: UserName + value: + simple: ${issue.username} + required: false + description: "" + playbookInputQuery: null +- key: Email + value: + simple: ${issue.email} + required: false + description: "" + playbookInputQuery: null +- key: EndpointID + value: + simple: ${issue.agentid} + required: false + description: "" + playbookInputQuery: null +- key: Hostname + value: + simple: ${issue.hostname} + required: false + description: "" + playbookInputQuery: null +- key: Domain + value: + simple: ${issue.domain} + required: false + description: "" + playbookInputQuery: null +- key: MD5 + value: + simple: ${issue.filemd5} + required: false + description: "" + playbookInputQuery: null +- key: SHA256 + value: + simple: ${issue.filesha256} + required: false + description: "" + playbookInputQuery: null inputSections: -- inputs: [] +- inputs: + - Source_IP + - File_Hash + - Remote_IP + - UserName + - Email + - EndpointID + - Hostname + - Domain + - MD5 + - SHA256 name: General (Inputs group) description: Generic group for inputs outputSections: @@ -681,4 +763,3 @@ sourceplaybookid: Foundation - Upon Trigger quiet: true dirtyInputs: true adopted: true -fromversion: 5.0.0 diff --git a/Packs/soc-optimization-unified/Playbooks/SOC_Containment.yml b/Packs/soc-optimization-unified/Playbooks/SOC_Containment_V3.yml similarity index 96% rename from Packs/soc-optimization-unified/Playbooks/SOC_Containment.yml rename to Packs/soc-optimization-unified/Playbooks/SOC_Containment_V3.yml index 6ea9b94..6c1c3ee 100644 --- a/Packs/soc-optimization-unified/Playbooks/SOC_Containment.yml +++ b/Packs/soc-optimization-unified/Playbooks/SOC_Containment_V3.yml @@ -1,10 +1,10 @@ id: SOC Containment_V3 -version: 32 +version: 3 contentitemexportablefields: contentitemfields: - packID: soc-optimization - _packName: SOC Framework Unified - itemVersion: 2.1.19 + packID: soc-optimization-unified + packName: SOC Framework Unified + itemVersion: 3.0.17 fromServerVersion: 5.0.0 toServerVersion: "" definitionid: "" @@ -49,7 +49,7 @@ tasks: name: "" iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': @@ -86,7 +86,7 @@ tasks: type: playbook iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': @@ -127,7 +127,7 @@ tasks: type: playbook iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': @@ -164,7 +164,7 @@ tasks: type: playbook iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': @@ -205,7 +205,7 @@ tasks: type: playbook iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': @@ -237,7 +237,7 @@ tasks: type: title iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false separatecontext: false continueonerrortype: "" @@ -266,7 +266,7 @@ tasks: type: condition iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#default#': @@ -391,7 +391,7 @@ tasks: type: playbook iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': @@ -472,7 +472,7 @@ tasks: type: playbook iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': @@ -537,7 +537,7 @@ tasks: type: playbook iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': @@ -565,17 +565,17 @@ tasks: isautoswitchedtoquietmode: false "13": id: "13" - taskid: eccfadbe-e639-4a42-8fce-ba7875399fc1 + taskid: 9a48b1d6-61e8-43aa-a346-ff821a332697 type: playbook task: - id: eccfadbe-e639-4a42-8fce-ba7875399fc1 + id: 9a48b1d6-61e8-43aa-a346-ff821a332697 version: -1 - name: SOC - Email Containment - RAF + name: SOC - Email Containment - Example playbookName: SOC - Email Containment - RAF type: playbook iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': @@ -617,7 +617,7 @@ tasks: type: condition iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#default#': @@ -698,7 +698,7 @@ tasks: type: condition iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#default#': @@ -777,7 +777,7 @@ tasks: type: condition iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#default#': @@ -856,7 +856,7 @@ tasks: type: condition iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#default#': @@ -935,7 +935,7 @@ tasks: type: condition iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#default#': @@ -1014,7 +1014,7 @@ tasks: type: condition iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: Default: @@ -1091,7 +1091,7 @@ tasks: type: condition iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#default#': @@ -1181,13 +1181,13 @@ inputs: simple: ${SOCFramework.Product.category} required: false description: 'Get the Product Category ' - playbookInputQuery: + playbookInputQuery: null - key: ExecutionBranch value: simple: ${lists.SOCExecutionList_V3} required: false description: "" - playbookInputQuery: + playbookInputQuery: null inputSections: - inputs: - ProductCategory @@ -1201,4 +1201,3 @@ outputSections: outputs: [] dirtyInputs: true adopted: true -fromversion: 5.0.0 diff --git a/Packs/soc-optimization-unified/Playbooks/SOC_Endpoint_Containment.yml b/Packs/soc-optimization-unified/Playbooks/SOC_Endpoint_Containment_V3.yml similarity index 91% rename from Packs/soc-optimization-unified/Playbooks/SOC_Endpoint_Containment.yml rename to Packs/soc-optimization-unified/Playbooks/SOC_Endpoint_Containment_V3.yml index 91e7215..c55a4d9 100644 --- a/Packs/soc-optimization-unified/Playbooks/SOC_Endpoint_Containment.yml +++ b/Packs/soc-optimization-unified/Playbooks/SOC_Endpoint_Containment_V3.yml @@ -1,10 +1,10 @@ id: SOC Endpoint Containment_V3 -version: 10 +version: 4 contentitemexportablefields: contentitemfields: - packID: soc-optimization - _packName: SOC Framework Unified - itemVersion: 2.1.19 + packID: soc-optimization-unified + packName: SOC Framework Unified + itemVersion: 3.0.17 fromServerVersion: 5.0.0 toServerVersion: "" definitionid: "" @@ -35,7 +35,7 @@ tasks: name: "" iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': @@ -67,7 +67,7 @@ tasks: type: title iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': @@ -78,7 +78,7 @@ tasks: { "position": { "x": 622.5, - "y": 1110 + "y": 1130 } } note: false @@ -99,7 +99,7 @@ tasks: type: title iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': @@ -110,7 +110,7 @@ tasks: { "position": { "x": 50, - "y": 1110 + "y": 1130 } } note: false @@ -134,7 +134,7 @@ tasks: type: condition iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#default#': @@ -160,7 +160,7 @@ tasks: { "position": { "x": 285, - "y": 580 + "y": 590 } } note: false @@ -182,7 +182,7 @@ tasks: type: collection iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': @@ -193,20 +193,20 @@ tasks: { "position": { "x": 172.5, - "y": 760 + "y": 775 } } note: false timertriggers: [] ignoreworker: false message: - to: - subject: - body: + to: null + subject: null + body: null methods: [] format: "" - bcc: - cc: + bcc: null + cc: null timings: retriescount: 2 retriesinterval: 360 @@ -316,7 +316,7 @@ tasks: type: title iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': @@ -328,7 +328,7 @@ tasks: { "position": { "x": 285, - "y": 940 + "y": 960 } } note: false @@ -349,7 +349,7 @@ tasks: type: title iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false separatecontext: false continueonerrortype: "" @@ -357,7 +357,7 @@ tasks: { "position": { "x": 387.5, - "y": 1820 + "y": 1855 } } note: false @@ -380,7 +380,7 @@ tasks: type: regular iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#error#': @@ -420,7 +420,7 @@ tasks: { "position": { "x": 510, - "y": 400 + "y": 405 } } note: false @@ -442,7 +442,7 @@ tasks: type: condition iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#default#': @@ -494,7 +494,7 @@ tasks: type: playbook iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false separatecontext: true continueonerrortype: "" @@ -507,7 +507,7 @@ tasks: { "position": { "x": 715, - "y": 580 + "y": 590 } } note: false @@ -517,64 +517,6 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "156": - id: "156" - taskid: 73f0826b-6fdb-4641-9a02-c1b1fe784757 - type: playbook - task: - id: 73f0826b-6fdb-4641-9a02-c1b1fe784757 - version: -1 - name: SOC Containment_V3 Plan - Quarantine File - description: |- - ## Containment Plan - Quarantine File - - This playbook is a sub-playbook within the containment plan playbook. - The playbook quarantines files using core commands. - playbookName: SOC Containment_V3 Plan - Quarantine File - type: playbook - iscommand: false - brand: "" - playbooktaskmissingcomponent: - istaskmissingcomponenterrordismissed: false - nexttasks: - '#none#': - - "148" - scriptarguments: - AutoContainment: - simple: "True" - EndpointID: - simple: ${inputs.EndpointID} - FileContainment: - simple: "True" - FileHash: - simple: ${inputs.FileHash} - FilePath: - simple: ${inputs.FilePath} - FileRemediation: - simple: Quarantine - ShadowMode: - simple: ${inputs.ShadowMode} - separatecontext: true - continueonerrortype: "" - loop: - iscommand: false - exitCondition: "" - wait: 1 - max: 100 - view: |- - { - "position": { - "x": 285, - "y": 1640 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "158": id: "158" taskid: 6276c905-eedb-4266-8544-042d9051abb3 @@ -586,7 +528,7 @@ tasks: type: condition iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: "No": @@ -599,21 +541,21 @@ tasks: { "position": { "x": 745, - "y": 1460 + "y": 1485 } } note: false timertriggers: [] ignoreworker: false message: - to: - subject: + to: null + subject: null body: simple: Would you like to Isolate the device ${inputs.Hostname} methods: [] format: "" - bcc: - cc: + bcc: null + cc: null timings: retriescount: 2 retriesinterval: 360 @@ -638,34 +580,34 @@ tasks: type: condition iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: "No": - "148" "Yes": - - "156" + - "170" separatecontext: false continueonerrortype: "" view: |- { "position": { "x": 162.5, - "y": 1460 + "y": 1485 } } note: false timertriggers: [] ignoreworker: false message: - to: - subject: + to: null + subject: null body: simple: Should we quarantine the file ${issue.filename} methods: [] format: "" - bcc: - cc: + bcc: null + cc: null timings: retriescount: 2 retriesinterval: 360 @@ -705,7 +647,7 @@ tasks: type: condition iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#default#': @@ -729,7 +671,7 @@ tasks: { "position": { "x": 622.5, - "y": 1280 + "y": 1300 } } note: false @@ -750,7 +692,7 @@ tasks: type: condition iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#default#': @@ -774,7 +716,7 @@ tasks: { "position": { "x": 50, - "y": 1280 + "y": 1300 } } note: false @@ -786,10 +728,10 @@ tasks: isautoswitchedtoquietmode: false "169": id: "169" - taskid: a81256dd-ecc9-409b-9b9f-bea93c3844ab + taskid: 0034e537-0923-4d4c-a763-a21ac1993209 type: playbook task: - id: a81256dd-ecc9-409b-9b9f-bea93c3844ab + id: 0034e537-0923-4d4c-a763-a21ac1993209 version: -1 name: SOC Isolation Router_V3 description: Determine the correct playbook to run for the correct endpoint @@ -798,7 +740,7 @@ tasks: type: playbook iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': @@ -823,7 +765,65 @@ tasks: { "position": { "x": 857.5, - "y": 1640 + "y": 1670 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "170": + id: "170" + taskid: 48b8dce7-7461-4030-b641-de2dce672c35 + type: playbook + task: + id: 48b8dce7-7461-4030-b641-de2dce672c35 + version: -1 + name: SOC Containment Plan_V3 - Quarantine File_V3 + description: |- + ## Containment Plan - Quarantine File + + This playbook is a sub-playbook within the containment plan playbook. + The playbook quarantines files using core commands. + playbookName: SOC Containment Plan_V3 - Quarantine File_V3 + type: playbook + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "148" + scriptarguments: + AutoContainment: + simple: ${inputs.AutoContainment} + EndpointID: + simple: ${inputs.EndpointID} + FileContainment: + simple: "True" + FileHash: + simple: ${inputs.FileHash} + FilePath: + simple: ${inputs.FilePath} + FileRemediation: + simple: Quarantine + ShadowMode: + simple: "true" + separatecontext: true + continueonerrortype: "" + loop: + iscommand: false + exitCondition: "" + wait: 1 + max: 100 + view: |- + { + "position": { + "x": 285, + "y": 1670 } } note: false @@ -838,11 +838,12 @@ view: |- { "linkLabelsPosition": { "138_139_#default#": 0.64, - "150_138_#default#": 0.9 + "150_138_#default#": 0.9, + "161_170_Yes": 0.85 }, "paper": { "dimensions": { - "height": 1830, + "height": 1865, "width": 1187.5, "x": 50, "y": 50 @@ -857,37 +858,37 @@ inputs: description: |- Whether to execute containment plan (except isolation) automatically. The specific containment playbook inputs should also be set to 'True'. - playbookInputQuery: + playbookInputQuery: null - key: HostContainment value: simple: "True" required: false description: Whether to execute endpoint isolation. - playbookInputQuery: + playbookInputQuery: null - key: FileContainment value: simple: "True" required: false description: Set to 'True' to quarantine the identified file. - playbookInputQuery: + playbookInputQuery: null - key: EndpointID value: simple: ${issue.agentsid} required: false description: The endpoint ID to run commands over. - playbookInputQuery: + playbookInputQuery: null - key: FileHash value: simple: ${issue.filehash} required: false description: The file hash to block. - playbookInputQuery: + playbookInputQuery: null - key: FilePath value: simple: ${issue.filepath} required: false description: The path of the file to block. - playbookInputQuery: + playbookInputQuery: null - key: FileRemediation value: simple: Quarantine @@ -895,31 +896,31 @@ inputs: description: "Choose 'Quarantine' or 'Delete' to avoid file remediation conflicts. \nFor example, choosing 'Quarantine' ignores the 'Delete file' task under the eradication playbook and will execute only file quarantine." - playbookInputQuery: + playbookInputQuery: null - key: ShadowMode value: simple: ${SOCFramework.shadow_mode} required: false description: "" - playbookInputQuery: + playbookInputQuery: null - key: Hostname value: simple: ${issue.hostname} required: false description: "" - playbookInputQuery: + playbookInputQuery: null - key: FeaturedHost value: simple: "False" required: false description: Is this a Featured Host? - playbookInputQuery: + playbookInputQuery: null - key: FileVerdict value: simple: ${issue.verdict} required: false description: File Verdict from Enrichment - playbookInputQuery: + playbookInputQuery: null inputSections: - inputs: - AutoContainment @@ -957,4 +958,3 @@ outputs: sourceplaybookid: Containment Plan dirtyInputs: true adopted: true -fromversion: 5.0.0 diff --git a/Packs/soc-optimization-unified/Playbooks/SOC_Identity_Containment.yml b/Packs/soc-optimization-unified/Playbooks/SOC_Identity_Containment_V3.yml similarity index 86% rename from Packs/soc-optimization-unified/Playbooks/SOC_Identity_Containment.yml rename to Packs/soc-optimization-unified/Playbooks/SOC_Identity_Containment_V3.yml index 03bfeca..8145c81 100644 --- a/Packs/soc-optimization-unified/Playbooks/SOC_Identity_Containment.yml +++ b/Packs/soc-optimization-unified/Playbooks/SOC_Identity_Containment_V3.yml @@ -2,9 +2,9 @@ id: SOC Identity Containment_V3 version: 5 contentitemexportablefields: contentitemfields: - packID: "" - packName: SOC Common Playbooks - itemVersion: 2.7.19 + packID: soc-optimization-unified + packName: SOC Framework Unified + itemVersion: 3.0.17 fromServerVersion: 5.0.0 toServerVersion: "" definitionid: "" @@ -36,7 +36,8 @@ tasks: name: "" iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - "138" @@ -67,7 +68,8 @@ tasks: type: title iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - "164" @@ -98,7 +100,8 @@ tasks: type: title iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - "166" @@ -132,7 +135,8 @@ tasks: type: condition iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#default#': - "139" @@ -179,7 +183,8 @@ tasks: type: collection iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - "147" @@ -196,13 +201,13 @@ tasks: timertriggers: [] ignoreworker: false message: - to: - subject: - body: + to: null + subject: null + body: null methods: [] format: "" - bcc: - cc: + bcc: null + cc: null timings: retriescount: 2 retriesinterval: 360 @@ -267,7 +272,8 @@ tasks: type: title iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - "49" @@ -299,7 +305,8 @@ tasks: type: title iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false separatecontext: false continueonerrortype: "" view: |- @@ -316,108 +323,6 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "152": - id: "152" - taskid: bbc1c9b5-3abb-4b20-acab-b19c36485fde - type: playbook - task: - id: bbc1c9b5-3abb-4b20-acab-b19c36485fde - version: -1 - name: SOC Containment_V3 Plan - Disable Account - description: |- - ## Containment Plan - Disable Account - - This playbook is a sub-playbook within the containment plan playbook. - The playbook disables users by utilizing the sub-playbook "Block Account - Generic v2" - playbookName: SOC Containment_V3 Plan - Disable Account - type: playbook - iscommand: false - brand: "" - playbooktaskmissingcomponent: - nexttasks: - '#none#': - - "148" - scriptarguments: - ShadowMode: - simple: ${inputs.ShadowMode} - UserContainment: - simple: "True" - UserVerification: - simple: "True" - Username: - simple: ${inputs.Username} - separatecontext: true - continueonerrortype: "" - loop: - iscommand: false - exitCondition: "" - wait: 1 - max: 100 - view: |- - { - "position": { - "x": 275, - "y": 1280 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "154": - id: "154" - taskid: 6db2a243-bb8c-41ae-ad4b-d398c3bdd469 - type: playbook - task: - id: 6db2a243-bb8c-41ae-ad4b-d398c3bdd469 - version: -1 - name: SOC Containment_V3 Plan - Clear User Sessions - description: |- - ## Containment Plan - Clear User Sessions - - This playbook is a sub-playbook within the containment plan playbook. - The playbook uses the 'Okta v2' and 'MSGraph User' integrations to clear user sessions. - playbookName: SOC Containment_V3 Plan - Clear User Sessions - type: playbook - iscommand: false - brand: "" - playbooktaskmissingcomponent: - nexttasks: - '#none#': - - "148" - scriptarguments: - ClearUserSessions: - simple: "True" - IAMUserDomain: - simple: ${inputs.IAMUserDomain} - ShadowMode: - simple: ${inputs.ShadowMode} - Username: - simple: ${inputs.Username} - separatecontext: true - continueonerrortype: "" - loop: - iscommand: false - exitCondition: "" - wait: 1 - max: 100 - view: |- - { - "position": { - "x": 847.5, - "y": 1280 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "157": id: "157" taskid: 27724d31-2a6c-4301-8d4a-53cbe0a9e2af @@ -429,12 +334,13 @@ tasks: type: condition iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: "No": - "148" "Yes": - - "152" + - "168" separatecontext: false continueonerrortype: "" view: |- @@ -448,14 +354,14 @@ tasks: timertriggers: [] ignoreworker: false message: - to: - subject: + to: null + subject: null body: simple: Would you like to Disable the account methods: [] format: "" - bcc: - cc: + bcc: null + cc: null timings: retriescount: 2 retriesinterval: 360 @@ -480,12 +386,13 @@ tasks: type: condition iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: "No": - "148" "Yes": - - "154" + - "167" separatecontext: false continueonerrortype: "" view: |- @@ -499,14 +406,14 @@ tasks: timertriggers: [] ignoreworker: false message: - to: - subject: + to: null + subject: null body: simple: Would you like to clear the users sessions? methods: [] format: "" - bcc: - cc: + bcc: null + cc: null timings: retriescount: 2 retriesinterval: 360 @@ -544,7 +451,8 @@ tasks: type: condition iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#default#': - "148" @@ -601,7 +509,8 @@ tasks: type: condition iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#default#': - "148" @@ -634,15 +543,111 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + "167": + id: "167" + taskid: d757c687-b7cc-4035-86bf-a2e023c4798c + type: playbook + task: + id: d757c687-b7cc-4035-86bf-a2e023c4798c + version: -1 + name: SOC Containment Plan_V3 - Clear User Sessions_V3 + playbookName: SOC Containment Plan_V3 - Clear User Sessions_V3 + type: playbook + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "148" + scriptarguments: + ClearUserSessions: + simple: "True" + IAMUserDomain: + simple: ${inputs.IAMUserDomain} + ShadowMode: + simple: "true" + Username: + simple: ${inputs.Username} + separatecontext: true + continueonerrortype: "" + loop: + iscommand: false + exitCondition: "" + wait: 1 + max: 100 + view: |- + { + "position": { + "x": 735, + "y": 1295.95703125 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "168": + id: "168" + taskid: f80c0e12-695e-4bb0-8777-8361e943c06f + type: playbook + task: + id: f80c0e12-695e-4bb0-8777-8361e943c06f + version: -1 + name: SOC Containment Plan_V3 - Disable Account_V3 + playbookName: SOC Containment Plan_V3 - Disable Account_V3 + type: playbook + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "148" + scriptarguments: + ShadowMode: + simple: "true" + UserContainment: + simple: "True" + UserVerification: + simple: "True" + Username: + simple: ${inputs.Username} + separatecontext: true + continueonerrortype: "" + loop: + iscommand: false + exitCondition: "" + wait: 1 + max: 100 + view: |- + { + "position": { + "x": 162.5, + "y": 1295.95703125 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false +system: true view: |- { "linkLabelsPosition": { - "138_139_#default#": 0.64 + "138_139_#default#": 0.64, + "157_168_Yes": 0.88 }, "paper": { "dimensions": { "height": 1470, - "width": 1177.5, + "width": 1065, "x": 50, "y": 50 } @@ -656,48 +661,48 @@ inputs: description: |- Whether to execute containment plan (except isolation) automatically. The specific containment playbook inputs should also be set to 'True'. - playbookInputQuery: + playbookInputQuery: null - key: UserContainment value: simple: "True" required: false description: Set to 'True' to disable the user account. - playbookInputQuery: + playbookInputQuery: null - key: ClearUserSessions value: simple: "True" required: false description: Set to 'True' to clear the user active Okta sessions. - playbookInputQuery: + playbookInputQuery: null - key: Username value: {} required: false description: The username to disable. - playbookInputQuery: + playbookInputQuery: null - key: IAMUserDomain value: {} required: false description: The Okta IAM users domain. The domain will be appended to the username. e.g. username@IAMUserDomain. - playbookInputQuery: + playbookInputQuery: null - key: ShadowMode value: simple: SOCFramework.shadow_mode required: false description: "" - playbookInputQuery: + playbookInputQuery: null - key: FeaturedUser value: simple: "False" required: false description: Is this a Featured User? - playbookInputQuery: + playbookInputQuery: null - key: FeaturedAD value: simple: "False" required: false description: Is this a Featured Active Directory Group? - playbookInputQuery: + playbookInputQuery: null inputSections: - inputs: - AutoContainment @@ -732,4 +737,3 @@ outputs: sourceplaybookid: Containment Plan dirtyInputs: true adopted: true -fromversion: 5.0.0 From ba07bebdc833cdf1f2ab3e73ed7592f757334e90 Mon Sep 17 00:00:00 2001 From: Scott Brumley Date: Thu, 29 Jan 2026 15:54:02 -0500 Subject: [PATCH 38/49] - Playbook Fixes for Trend - Bump version - Update Catalog --- .../SOC_Trend_Micro_Alert_Enrichment.yml | 538 +++++++++--------- 1 file changed, 277 insertions(+), 261 deletions(-) diff --git a/Packs/soc-trendmicro-visionone/Playbooks/SOC_Trend_Micro_Alert_Enrichment.yml b/Packs/soc-trendmicro-visionone/Playbooks/SOC_Trend_Micro_Alert_Enrichment.yml index 4833ab6..35e6827 100644 --- a/Packs/soc-trendmicro-visionone/Playbooks/SOC_Trend_Micro_Alert_Enrichment.yml +++ b/Packs/soc-trendmicro-visionone/Playbooks/SOC_Trend_Micro_Alert_Enrichment.yml @@ -1,71 +1,44 @@ -adopted: true +id: SOC Trend Micro Alert Enrichment +version: 3 contentitemexportablefields: contentitemfields: - definitionid: "" - fromServerVersion: 5.0.0 - isoverridable: false - itemVersion: 1.0.3 - packID: "" + packID: soc-trendmicro-visionone packName: SOC Trend Micro Enhancement for Cortex XSIAM + itemVersion: 1.0.23 + fromServerVersion: 5.0.0 + toServerVersion: "" + definitionid: "" prevname: "" + isoverridable: false supportedModules: [] - toServerVersion: "" +vcShouldKeepItemLegacyProdMachine: false +name: SOC Trend Micro Alert Enrichment description: Read-only adapter to enrich an alert from Trend Micro Vision One (Workbench) and normalize into Alert.Enrichment.*. -dirtyInputs: true -id: 'SOC Trend Micro Alert Enrichment' -inputs: [] -name: SOC Trend Micro Alert Enrichment -outputs: -- contextPath: Alert.Enrichment.Provider - description: Provider summary (name, workbenchUrl, alertId). - type: unknown -- contextPath: Trend.V1.AlertDetailsRaw - description: Raw JSON returned by trendmicro-visionone-get-alert-details. - type: unknown -- contextPath: Alert.Enrichment.Entities - description: Entities extracted from Trend alert details. - type: unknown -- contextPath: Alert.Enrichment.Indicators - description: Indicators extracted from Trend alert details. - type: unknown -- contextPath: Alert.Enrichment.Mitre.Techniques - description: MITRE techniques (IDs) from Trend alert details. - type: unknown -- contextPath: Alert.Enrichment.Source.Trend - description: Adapter bookkeeping flags. - type: unknown -sourceplaybookid: SOC Trend Micro Alert Enrichment -starttaskid: "0" tags: - SOC - SOC_Framework - Enrichment - Trend Micro Vision One +starttaskid: "0" tasks: "0": - continueonerrortype: "" id: "0" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false + taskid: 09ff7a99-ab25-4eea-8022-12c55d265799 + type: start + task: + id: 09ff7a99-ab25-4eea-8022-12c55d265799 + version: -1 + name: "" + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - "5" - note: false - quietmode: 0 separatecontext: false - skipunavailable: false - task: - brand: "" - id: 09ff7a99-ab25-4eea-8022-12c55d265799 - iscommand: false - name: "" - playbooktaskmissingcomponent: - version: -1 - taskid: 09ff7a99-ab25-4eea-8022-12c55d265799 - timertriggers: [] - type: start + continueonerrortype: "" view: |- { "position": { @@ -73,49 +46,50 @@ tasks: "y": 50 } } - "2": - continueonerror: true - continueonerrortype: errorPath - id: "2" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "2": + id: "2" + taskid: f640a9af-d4ee-4c55-8af0-da08975e882d + type: condition + task: + id: f640a9af-d4ee-4c55-8af0-da08975e882d + version: -1 + name: Does VisionOne Key exist? + description: Check if a given value exists in the context. Will return 'no' + for empty empty arrays. To be used mostly with DQ and selectors. + scriptName: Exists + type: condition + iscommand: false + brand: Builtin + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#error#': - - "101" + - "103" "no": - "3" "yes": - "99" - note: false - quietmode: 0 scriptarguments: value: complex: - accessor: id + root: VisionOne.Alert_Details.alert filters: - - - left: - iscontext: true + - - operator: isNotEmpty + left: value: simple: VisionOne.Alert_Details.alert - operator: isNotEmpty - root: VisionOne.Alert_Details.alert + iscontext: true + accessor: id separatecontext: false - skipunavailable: true - task: - brand: Builtin - description: Check if a given value exists in the context. Will return 'no' - for empty empty arrays. To be used mostly with DQ and selectors. - id: f640a9af-d4ee-4c55-8af0-da08975e882d - iscommand: false - name: Does VisionOne Key exist? - playbooktaskmissingcomponent: - script: Exists - type: condition - version: -1 - taskid: f640a9af-d4ee-4c55-8af0-da08975e882d - timertriggers: [] - type: condition + continueonerror: true + continueonerrortype: errorPath view: |- { "position": { @@ -123,53 +97,54 @@ tasks: "y": 570 } } - "3": - continueonerror: true - continueonerrortype: errorPath - id: "3" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: true + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "3": + id: "3" + taskid: b570cf07-5371-4cff-9f59-432456f61ddd + type: regular + task: + id: b570cf07-5371-4cff-9f59-432456f61ddd + version: -1 + name: Set provider alertId + description: Set a value in context under the key you entered. + scriptName: Set + type: regular + iscommand: false + brand: Builtin + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#error#': - - "101" + - "103" '#none#': - "6" - note: false - quietmode: 0 scriptarguments: key: simple: Alert.Provider.alertId value: complex: - accessor: externallink root: issue + accessor: externallink transformers: - - args: + - operator: substringFrom + args: from: value: simple: /workbench/alerts/ - operator: substringFrom - - args: + - operator: substringTo + args: to: value: simple: '?' - operator: substringTo separatecontext: false - skipunavailable: true - task: - brand: Builtin - description: Set a value in context under the key you entered. - id: b570cf07-5371-4cff-9f59-432456f61ddd - iscommand: false - name: Set provider alertId - playbooktaskmissingcomponent: - script: Set - type: regular - version: -1 - taskid: b570cf07-5371-4cff-9f59-432456f61ddd - timertriggers: [] - type: regular + continueonerror: true + continueonerrortype: errorPath view: |- { "position": { @@ -177,38 +152,39 @@ tasks: "y": 750 } } - "5": - continueonerror: true - continueonerrortype: errorPath - id: "5" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: true + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "5": + id: "5" + taskid: 22dbc7e1-ab76-41be-b04c-eacfc66e0ed4 + type: condition + task: + id: 22dbc7e1-ab76-41be-b04c-eacfc66e0ed4 + version: -1 + name: Trend Micro Vision One available? + description: Check for an enabled Trend Micro Vision One instance. + scriptName: IsIntegrationAvailable + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#error#': - - "101" + - "103" "yes": - "100" - note: false - quietmode: 0 scriptarguments: brandname: simple: Trend Micro Vision One V3 separatecontext: false - skipunavailable: true - task: - brand: "" - description: Check for an enabled Trend Micro Vision One instance. - id: 22dbc7e1-ab76-41be-b04c-eacfc66e0ed4 - iscommand: false - name: Trend Micro Vision One available? - playbooktaskmissingcomponent: - script: IsIntegrationAvailable - type: condition - version: -1 - taskid: 22dbc7e1-ab76-41be-b04c-eacfc66e0ed4 - timertriggers: [] - type: condition + continueonerror: true + continueonerrortype: errorPath view: |- { "position": { @@ -216,42 +192,43 @@ tasks: "y": 220 } } - "6": - conditions: - - condition: - - - left: - iscontext: true - value: - simple: Alert.Provider.alertId - operator: isNotEmpty - right: - value: {} - label: "yes" - continueonerrortype: "" - id: "6" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: true + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "6": + id: "6" + taskid: b5af4b24-f4cf-4fac-8398-8394ebbb51c9 + type: condition + task: + id: b5af4b24-f4cf-4fac-8398-8394ebbb51c9 + version: -1 + name: Do we have a Trend alert/workbench ID? + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#default#': - "99" "yes": - "7" - note: false - quietmode: 0 separatecontext: false - skipunavailable: false - task: - brand: "" - id: b5af4b24-f4cf-4fac-8398-8394ebbb51c9 - iscommand: false - name: Do we have a Trend alert/workbench ID? - playbooktaskmissingcomponent: - type: condition - version: -1 - taskid: b5af4b24-f4cf-4fac-8398-8394ebbb51c9 - timertriggers: [] - type: condition + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: Alert.Provider.alertId + iscontext: true + right: + value: {} + continueonerrortype: "" view: |- { "position": { @@ -259,39 +236,40 @@ tasks: "y": 930 } } - "7": - continueonerror: true - continueonerrortype: errorPath - id: "7" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "7": + id: "7" + taskid: 5660d7dd-e076-47e1-baf6-70e5a41c64b6 + type: regular + task: + id: 5660d7dd-e076-47e1-baf6-70e5a41c64b6 + version: -1 + name: Get Trend alert details (read-only) + description: Fetches details for a specific alert. + script: '|||trendmicro-visionone-get-alert-details' + type: regular + iscommand: true + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#error#': - - "101" + - "103" '#none#': - "99" - "102" - note: false - quietmode: 0 scriptarguments: workbench_id: simple: ${Alert.Provider.alertId} separatecontext: false - skipunavailable: true - task: - brand: "" - description: Fetches details for a specific alert. - id: 5660d7dd-e076-47e1-baf6-70e5a41c64b6 - iscommand: true - name: Get Trend alert details (read-only) - playbooktaskmissingcomponent: - script: '|||trendmicro-visionone-get-alert-details' - type: regular - version: -1 - taskid: 5660d7dd-e076-47e1-baf6-70e5a41c64b6 - timertriggers: [] - type: regular + continueonerror: true + continueonerrortype: errorPath view: |- { "position": { @@ -299,27 +277,28 @@ tasks: "y": 1110 } } - "99": - continueonerrortype: "" - id: "99" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true quietmode: 0 - separatecontext: false - skipunavailable: false + isoversize: false + isautoswitchedtoquietmode: false + "99": + id: "99" + taskid: 91e48ade-1332-41f3-9283-a16723530564 + type: title task: - brand: "" id: 91e48ade-1332-41f3-9283-a16723530564 - iscommand: false + version: -1 name: Done - playbooktaskmissingcomponent: type: title - version: -1 - taskid: 91e48ade-1332-41f3-9283-a16723530564 - timertriggers: [] - type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + separatecontext: false + continueonerrortype: "" view: |- { "position": { @@ -327,30 +306,31 @@ tasks: "y": 1475 } } - "100": - continueonerrortype: "" - id: "100" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#none#': - - "2" note: false - quietmode: 0 - separatecontext: false + timertriggers: [] + ignoreworker: false skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "100": + id: "100" + taskid: c1542e43-2164-4107-8f6d-5c97e7be06b1 + type: title task: - brand: "" id: c1542e43-2164-4107-8f6d-5c97e7be06b1 - iscommand: false + version: -1 name: Already Enriched - playbooktaskmissingcomponent: type: title - version: -1 - taskid: c1542e43-2164-4107-8f6d-5c97e7be06b1 - timertriggers: [] - type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "2" + separatecontext: false + continueonerrortype: "" view: |- { "position": { @@ -358,86 +338,122 @@ tasks: "y": 400 } } - "101": - continueonerrortype: "" - id: "101" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false note: false - quietmode: 0 - separatecontext: true + timertriggers: [] + ignoreworker: false skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "102": + id: "102" + taskid: f870a626-1087-423f-a4f7-cf38232371c6 + type: regular task: - brand: "" - id: ca6bec1c-2fbf-4cb1-8a66-285d7caed20f - iscommand: false - name: Foundation - Error Handling - playbookId: Foundation - Error Handling - playbooktaskmissingcomponent: - type: playbook + id: f870a626-1087-423f-a4f7-cf38232371c6 version: -1 - taskid: ca6bec1c-2fbf-4cb1-8a66-285d7caed20f - timertriggers: [] - type: playbook + name: Normalize Vision One Data Context + description: | + Normalize alert context into a single Normalized key for vendor-agnostic layouts. Extends with MITRE, Impact Scope, Artifacts, Timeline, and Model from VisionOne.Alert_Details.alert and merges ExtractedIndicators. Read-only; does not execute any response actions. + script: SOC_Normalize_TrendMicro_VisionOne + type: regular + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#error#': + - "103" + '#none#': + - "99" + separatecontext: false + continueonerror: true + continueonerrortype: errorPath view: |- { "position": { - "x": 182.5, - "y": 1470 + "x": 725, + "y": 1290 } } - "102": - continueonerror: true - continueonerrortype: errorPath - id: "102" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#error#': - - "101" - '#none#': - - "99" note: false - quietmode: 0 - separatecontext: false + timertriggers: [] + ignoreworker: false skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "103": + id: "103" + taskid: 53376539-613b-4428-86a4-ebeb3b41c5f9 + type: playbook task: - brand: "" - description: | - Normalize alert context into a single Normalized key for vendor-agnostic layouts. Extends with MITRE, Impact Scope, Artifacts, Timeline, and Model from VisionOne.Alert_Details.alert and merges ExtractedIndicators. Read-only; does not execute any response actions. - id: f870a626-1087-423f-a4f7-cf38232371c6 - iscommand: false - name: Normalize Vision One Data Context - playbooktaskmissingcomponent: - script: 'SOC_Normalize_TrendMicro_VisionOne' - type: regular + id: 53376539-613b-4428-86a4-ebeb3b41c5f9 version: -1 - taskid: f870a626-1087-423f-a4f7-cf38232371c6 - timertriggers: [] - type: regular + name: Foundation - Error Handling_V3 + playbookName: Foundation - Error Handling_V3 + type: playbook + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + separatecontext: true + continueonerrortype: "" view: |- { "position": { - "x": 725, - "y": 1290 + "x": 181.25, + "y": 1467.5 } } -version: -1 + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false +system: true view: |- { "linkLabelsPosition": { + "102_103_#error#": 0.89, + "2_103_#error#": 0.9, + "3_103_#error#": 0.9, "5_100_yes": 0.79, - "6_99_#default#": 0.82 + "5_103_#error#": 0.9, + "6_99_#default#": 0.82, + "7_103_#error#": 0.9 }, "paper": { "dimensions": { - "height": 1490, + "height": 1492.5, "width": 1055, "x": 50, "y": 50 } } } -fromversion: 5.0.0 +inputs: [] +outputs: +- contextPath: Alert.Enrichment.Provider + description: Provider summary (name, workbenchUrl, alertId). + type: unknown +- contextPath: Trend.V1.AlertDetailsRaw + description: Raw JSON returned by trendmicro-visionone-get-alert-details. + type: unknown +- contextPath: Alert.Enrichment.Entities + description: Entities extracted from Trend alert details. + type: unknown +- contextPath: Alert.Enrichment.Indicators + description: Indicators extracted from Trend alert details. + type: unknown +- contextPath: Alert.Enrichment.Mitre.Techniques + description: MITRE techniques (IDs) from Trend alert details. + type: unknown +- contextPath: Alert.Enrichment.Source.Trend + description: Adapter bookkeeping flags. + type: unknown +sourceplaybookid: SOC Trend Micro Alert Enrichment +dirtyInputs: true +adopted: true From 334c2258ff9e81652e1f544cf444ca9ef6a7eb20 Mon Sep 17 00:00:00 2001 From: Scott Brumley Date: Thu, 29 Jan 2026 15:55:48 -0500 Subject: [PATCH 39/49] - Playbook Fixes for Common Playbooks Unified - Bump version - Update Catalog --- ..._Account_Enrichment_-_Generic_v2.1_V3.yml} | 3229 ++++++++-------- ...ment_Plan_V3_-_Clear_User_Sessions_V3.yml} | 1081 +++--- ...ntainment_Plan_V3_-_Isolate_Device_V3.yml} | 841 ++-- ...wdstrike_Falcon_-_Isolate_Endpoint_V3.yml} | 508 +-- ...nt_Enrichment_-_Cylance_Protect_v2_V3.yml} | 501 +-- ...Endpoint_Enrichment_-_Generic_v2.1_V3.yml} | 201 +- .../SOC_URL_Enrichment_-_Generic_v2.yml | 773 ---- .../SSOC_Block_Account_-_Generic_v2_V3.yml | 3366 +++++++++++++++++ 8 files changed, 6608 insertions(+), 3892 deletions(-) rename Packs/soc-common-playbooks-unified/Playbooks/{SOC_Account_Enrichment_-_Generic_v2.1.yml => SOC_Account_Enrichment_-_Generic_v2.1_V3.yml} (90%) rename Packs/soc-common-playbooks-unified/Playbooks/{SOC_Containment_Plan_-_Clear_User_Sessions.yml => SOC_Containment_Plan_V3_-_Clear_User_Sessions_V3.yml} (83%) rename Packs/soc-common-playbooks-unified/Playbooks/{SOC_Containment_Plan_-_Isolate_Device.yml => SOC_Containment_Plan_V3_-_Isolate_Device_V3.yml} (82%) rename Packs/soc-common-playbooks-unified/Playbooks/{SOC_Crowdstrike_Falcon_-_Isolate_Endpoint.yml => SOC_Crowdstrike_Falcon_-_Isolate_Endpoint_V3.yml} (79%) rename Packs/soc-common-playbooks-unified/Playbooks/{SOC_Endpoint_Enrichment_-_Cylance_Protect_v2.yml => SOC_Endpoint_Enrichment_-_Cylance_Protect_v2_V3.yml} (81%) rename Packs/soc-common-playbooks-unified/Playbooks/{SOC_Endpoint_Enrichment_-_Generic_v2.1.yml => SOC_Endpoint_Enrichment_-_Generic_v2.1_V3.yml} (95%) delete mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_URL_Enrichment_-_Generic_v2.yml create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SSOC_Block_Account_-_Generic_v2_V3.yml diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Account_Enrichment_-_Generic_v2.1.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Account_Enrichment_-_Generic_v2.1_V3.yml similarity index 90% rename from Packs/soc-common-playbooks-unified/Playbooks/SOC_Account_Enrichment_-_Generic_v2.1.yml rename to Packs/soc-common-playbooks-unified/Playbooks/SOC_Account_Enrichment_-_Generic_v2.1_V3.yml index ed9e7f9..f817ff5 100644 --- a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Account_Enrichment_-_Generic_v2.1.yml +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Account_Enrichment_-_Generic_v2.1_V3.yml @@ -1,20 +1,23 @@ -adopted: true +id: SOC Account Enrichment - Generic v2.1_V3 +version: 3 contentitemexportablefields: contentitemfields: + packID: soc-common-playbooks-unified + packName: SOC Common Playbooks Unified + itemVersion: 2.7.52 + fromServerVersion: 5.0.0 + toServerVersion: "" definitionid: "" - fromServerVersion: 6.5.0 - isoverridable: false - itemVersion: 2.7.15 - packID: "" - packName: Common Playbooks prevname: "" + isoverridable: false supportedModules: - X1 - X3 - X5 - ENT_PLUS - agentix - toServerVersion: "" +vcShouldKeepItemLegacyProdMachine: false +name: SOC Account Enrichment - Generic v2.1_V3 description: |- Enrich accounts using one or more integrations. Supported integrations: @@ -28,668 +31,29 @@ description: |- - Cortex XDR (account enrichment and reputation) Also, the playbook supports the generic command 'iam-get-user' (implemented in IAM integrations). For more information, visit https://xsoar.pan.dev/docs/integrations/iam-integrations. -dirtyInputs: true -id: 'SOC Account Enrichment - Generic v2.1_V3' -inputSections: -- description: Generic group for inputs - inputs: - - Username - - Domain - name: General (Inputs group) -inputs: -- description: |- - The usernames to enrich. This input supports multiple usernames. - Usernames can be with or without a domain prefix, in the format of "username" or "domain\username". - Domain usernames will only be enriched in integrations that support them. - key: Username - playbookInputQuery: - required: false - value: - complex: - accessor: Username - root: Account - transformers: - - operator: uniq -- description: |- - Optional - This input is needed for the IAM-get-user command (used in the Account Enrichment - IAM playbook). Please provide the domain name that the user is related to. - Example: @xsoar.com - key: Domain - playbookInputQuery: - required: false - value: {} -name: SOC Account Enrichment - Generic v2.1_V3 -outputSections: -- description: Generic group for outputs - name: General (Outputs group) - outputs: - - Account - - ActiveDirectory.Users.sAMAccountName - - ActiveDirectory.Users.userAccountControl - - ActiveDirectory.Users.mail - - ActiveDirectory.Users.memberOf - - IAM - - IdentityIQ.Identity - - PingOne.Account - - ActiveDirectory.Users.manager - - IAM.Vendor.active - - IAM.Vendor.brand - - IAM.Vendor.details - - IAM.Vendor.email - - IAM.Vendor.errorCode - - IAM.Vendor.errorMessage - - IAM.Vendor.id - - IAM.Vendor.instanceName - - IAM.Vendor.success - - IAM.Vendor.username - - IdentityIQ.Identity.userName - - IdentityIQ.Identity.id - - IdentityIQ.Identity.active - - IdentityIQ.Identity.lastModified - - IdentityIQ.Identity.displayName - - IdentityIQ.Identity.emails - - IdentityIQ.Identity.entitlements - - IdentityIQ.Identity.roles - - IdentityIQ.Identity.capabilities - - IdentityIQ.Identity.name - - IdentityIQ.Identity.name.formatted - - IdentityIQ.Identity.name.familyName - - IdentityIQ.Identity.name.givenName - - IdentityIQ.Identity.manager - - IdentityIQ.Identity.manager.userName - - IdentityIQ.Identity.emails.type - - IdentityIQ.Identity.emails.value - - IdentityIQ.Identity.emails.primary - - PingOne.Account.ID - - PingOne.Account.Username - - PingOne.Account.DisplayName - - PingOne.Account.Email - - PingOne.Account.Enabled - - PingOne.Account.CreatedAt - - PingOne.Account.UpdatedAt - - Account.PasswordChanged - - Account.StatusChanged - - Account.Activated - - Account.Created - - Account.Status - - Account.Username - - Account.Email - - Account.ID - - ActiveDirectory.Users.dn - - ActiveDirectory.Users.displayName - - ActiveDirectory.Users.name - - ActiveDirectory.Users.userAccountControlFields - - ActiveDirectory.Users.userAccountControlFields.SCRIPT - - ActiveDirectory.Users.userAccountControlFields.ACCOUNTDISABLE - - ActiveDirectory.Users.userAccountControlFields.HOMEDIR_REQUIRED - - ActiveDirectory.Users.userAccountControlFields.LOCKOUT - - ActiveDirectory.Users.userAccountControlFields.PASSWD_NOTREQD - - ActiveDirectory.Users.userAccountControlFields.PASSWD_CANT_CHANGE - - ActiveDirectory.Users.userAccountControlFields.ENCRYPTED_TEXT_PWD_ALLOWED - - ActiveDirectory.Users.userAccountControlFields.TEMP_DUPLICATE_ACCOUNT - - ActiveDirectory.Users.userAccountControlFields.NORMAL_ACCOUNT - - ActiveDirectory.Users.userAccountControlFields.INTERDOMAIN_TRUST_ACCOUNT - - ActiveDirectory.Users.userAccountControlFields.WORKSTATION_TRUST_ACCOUNT - - Account.Manager - - Account.Groups - - Account.DisplayName - - ActiveDirectory.Users.userAccountControlFields.PARTIAL_SECRETS_ACCOUNT - - ActiveDirectory.Users.userAccountControlFields.TRUSTED_TO_AUTH_FOR_DELEGATION - - ActiveDirectory.Users.userAccountControlFields.DONT_REQ_PREAUTH - - ActiveDirectory.Users.userAccountControlFields.USE_DES_KEY_ONLY - - ActiveDirectory.Users.userAccountControlFields.NOT_DELEGATED - - ActiveDirectory.Users.userAccountControlFields.TRUSTED_FOR_DELEGATION - - ActiveDirectory.Users.userAccountControlFields.SMARTCARD_REQUIRED - - ActiveDirectory.Users.userAccountControlFields.MNS_LOGON_ACCOUNT - - ActiveDirectory.Users.userAccountControlFields.SERVER_TRUST_ACCOUNT - - IAM.Vendor - - IAM.Vendor.action - - IAM.UserProfile - - SailPointIdentityNow.Account - - SailPointIdentityNow.Account.id - - SailPointIdentityNow.Account.name - - SailPointIdentityNow.Account.identityId - - SailPointIdentityNow.Account.nativeIdentity - - SailPointIdentityNow.Account.sourceId - - SailPointIdentityNow.Account.created - - SailPointIdentityNow.Account.modified - - SailPointIdentityNow.Account.attributes - - SailPointIdentityNow.Account.authoritative - - SailPointIdentityNow.Account.disabled - - SailPointIdentityNow.Account.locked - - SailPointIdentityNow.Account.systemAccount - - SailPointIdentityNow.Account.uncorrelated - - SailPointIdentityNow.Account.manuallyCorrelated - - SailPointIdentityNow.Account.hasEntitlements - - UserManagerEmail - - UserManagerDisplayName - - MSGraphUser.ID - - MSGraphUser.DisplayName - - MSGraphUser.GivenName - - MSGraphUser.JobTitle - - MSGraphUser.Mail - - MSGraphUser.Surname - - MSGraphUser.UserPrincipalName - - MSGraphUserManager.Manager.ID - - MSGraphUserManager.Manager.DisplayName - - MSGraphUserManager.Manager.GivenName - - MSGraphUserManager.Manager.Mail - - MSGraphUserManager.Manager.Surname - - MSGraphUserManager.Manager.UserPrincipalName - - PaloAltoNetworksXDR.RiskyUser - - PaloAltoNetworksXDR.RiskyUser.type - - PaloAltoNetworksXDR.RiskyUser.id - - PaloAltoNetworksXDR.RiskyUser.score - - PaloAltoNetworksXDR.RiskyUser.reasons - - PaloAltoNetworksXDR.RiskyUser.reasons.date created - - PaloAltoNetworksXDR.RiskyUser.reasons.description - - PaloAltoNetworksXDR.RiskyUser.reasons.severity - - PaloAltoNetworksXDR.RiskyUser.reasons.status - - PaloAltoNetworksXDR.RiskyUser.reasons.points - - ActiveDirectory.Users.userAccountControlFields.DONT_EXPIRE_PASSWORD - - ActiveDirectory.Users.userAccountControlFields.PASSWORD_EXPIRED - - Account.ManagerEmail - - AWS.IAM.Users - - AWS.IAM.Users.UserName - - AWS.IAM.Users.UserId - - AWS.IAM.Users.Arn - - AWS.IAM.Users.CreateDate - - AWS.IAM.Users.Path - - AWS.IAM.Users.PasswordLastUsed - - MSGraphUser.MobilePhone - - MSGraphUser.OfficeLocation - - Account.JobTitle - - Account.TelephoneNumber - - Account.Office - - Account.Type - - Account.Email.Address - - MSGraphUserManager.Manager.BusinessPhones - - MSGraphUser.BusinessPhones - - MSGraphUserManager.Manager.JobTitle - - MSGraphUserManager.Manager.MobilePhone - - MSGraphUserManager.Manager.OfficeLocation -outputs: -- contextPath: Account - description: The account object. - type: string -- contextPath: ActiveDirectory.Users.sAMAccountName - description: The user's SAM account name. - type: string -- contextPath: ActiveDirectory.Users.userAccountControl - description: The user's account control flag. - type: string -- contextPath: ActiveDirectory.Users.mail - description: The user's email address. - type: string -- contextPath: ActiveDirectory.Users.memberOf - description: Groups the user is a member of. - type: string -- contextPath: IAM - description: Generic IAM output. - type: string -- contextPath: IdentityIQ.Identity - description: Identity asset from IdentityIQ. - type: string -- contextPath: PingOne.Account - description: Account in PingID. - type: string -- contextPath: ActiveDirectory.Users.manager - description: The manager of the user. - type: string -- contextPath: IAM.Vendor.active - description: When true, indicates that the employee's status is active in the 3rd-party - integration. - type: string -- contextPath: IAM.Vendor.brand - description: Name of the integration. - type: string -- contextPath: IAM.Vendor.details - description: Provides the raw data from the 3rd-party integration. - type: string -- contextPath: IAM.Vendor.email - description: The employee's email address. - type: string -- contextPath: IAM.Vendor.errorCode - description: HTTP error response code. - type: string -- contextPath: IAM.Vendor.errorMessage - description: Reason why the API failed. - type: string -- contextPath: IAM.Vendor.id - description: The employee's user ID in the app. - type: string -- contextPath: IAM.Vendor.instanceName - description: Name of the integration instance. - type: string -- contextPath: IAM.Vendor.success - description: When true, indicates that the command was executed successfully. - type: string -- contextPath: IAM.Vendor.username - description: The employee's username in the app. - type: string -- contextPath: IdentityIQ.Identity.userName - description: The IdentityIQ username (primary ID). - type: string -- contextPath: IdentityIQ.Identity.id - description: The IdentityIQ internal ID (UUID). - type: string -- contextPath: IdentityIQ.Identity.active - description: Indicates whether the ID is active or inactive in IdentityIQ. - type: string -- contextPath: IdentityIQ.Identity.lastModified - description: Timestamp of when the identity was last modified. - type: string -- contextPath: IdentityIQ.Identity.displayName - description: The display name of the identity. - type: string -- contextPath: IdentityIQ.Identity.emails - description: Array of email objects. - type: string -- contextPath: IdentityIQ.Identity.entitlements - description: Array of entitlement objects that the identity has. - type: string -- contextPath: IdentityIQ.Identity.roles - description: Array of role objects that the identity has. - type: string -- contextPath: IdentityIQ.Identity.capabilities - description: Array of string representations of the IdentityIQ capabilities assigned - to this identity. - type: string -- contextPath: IdentityIQ.Identity.name - description: Account name. - type: string -- contextPath: IdentityIQ.Identity.name.formatted - description: The display name of the identity. - type: string -- contextPath: IdentityIQ.Identity.name.familyName - description: The last name of the identity. - type: string -- contextPath: IdentityIQ.Identity.name.givenName - description: The first name of the identity. - type: string -- contextPath: IdentityIQ.Identity.manager - description: The account's manager returned from IdentityIQ. - type: string -- contextPath: IdentityIQ.Identity.manager.userName - description: The IdentityIQ username (primary ID) of the identity's manager. - type: string -- contextPath: IdentityIQ.Identity.emails.type - description: Type of the email being returned. - type: string -- contextPath: IdentityIQ.Identity.emails.value - description: The email address of the identity. - type: string -- contextPath: IdentityIQ.Identity.emails.primary - description: Indicates if this email address is the identity's primary email. - type: string -- contextPath: PingOne.Account.ID - description: PingOne account ID. - type: string -- contextPath: PingOne.Account.Username - description: PingOne account username. - type: string -- contextPath: PingOne.Account.DisplayName - description: PingOne account display name. - type: string -- contextPath: PingOne.Account.Email - description: PingOne account email. - type: string -- contextPath: PingOne.Account.Enabled - description: PingOne account enabled status. - type: string -- contextPath: PingOne.Account.CreatedAt - description: PingOne account create date. - type: string -- contextPath: PingOne.Account.UpdatedAt - description: PingOne account updated date. - type: string -- contextPath: Account.PasswordChanged - description: Timestamp for when the user's password was last changed. - type: string -- contextPath: Account.StatusChanged - description: Timestamp for when the user's status was last changed. - type: string -- contextPath: Account.Activated - description: Timestamp for when the user was activated. - type: string -- contextPath: Account.Created - description: Timestamp for when the user was created. - type: string -- contextPath: Account.Status - description: Okta account status. - type: string -- contextPath: Account.Username - description: The user SAM account name. - type: string -- contextPath: Account.Email - description: The user email address. - type: string -- contextPath: Account.ID - description: The user distinguished name. - type: string -- contextPath: ActiveDirectory.Users.dn - description: The user distinguished name. - type: string -- contextPath: ActiveDirectory.Users.displayName - description: The user display name. - type: string -- contextPath: ActiveDirectory.Users.name - description: The user common name. - type: string -- contextPath: ActiveDirectory.Users.userAccountControlFields - description: The user account control fields. - type: string -- contextPath: ActiveDirectory.Users.userAccountControlFields.SCRIPT - description: Whether the login script is run. Works for *Windows Server 2012 R2*. - type: string -- contextPath: ActiveDirectory.Users.userAccountControlFields.ACCOUNTDISABLE - description: Whether the user account is disabled. Works for *Windows Server 2012 - R2*. - type: string -- contextPath: ActiveDirectory.Users.userAccountControlFields.HOMEDIR_REQUIRED - description: Whether the home folder is required. Works for *Windows Server 2012 - R2*. - type: string -- contextPath: ActiveDirectory.Users.userAccountControlFields.LOCKOUT - description: Whether the user is locked out. Works for *Windows Server 2012 R2*. - type: string -- contextPath: ActiveDirectory.Users.userAccountControlFields.PASSWD_NOTREQD - description: Whether the password is required. Works for *Windows Server 2012 R2*. - type: string -- contextPath: ActiveDirectory.Users.userAccountControlFields.PASSWD_CANT_CHANGE - description: Whether the user can change the password. Works for *Windows Server - 2012 R2*. - type: string -- contextPath: ActiveDirectory.Users.userAccountControlFields.ENCRYPTED_TEXT_PWD_ALLOWED - description: Whether the user can send an encrypted password. Works for *Windows - Server 2012 R2*. - type: string -- contextPath: ActiveDirectory.Users.userAccountControlFields.TEMP_DUPLICATE_ACCOUNT - description: Whether this is an account for users whose primary account is in another - domain. Works for *Windows Server 2012 R2*. - type: string -- contextPath: ActiveDirectory.Users.userAccountControlFields.NORMAL_ACCOUNT - description: Whether this is a default account type that represents a typical user. - Works for *Windows Server 2012 R2*. - type: string -- contextPath: ActiveDirectory.Users.userAccountControlFields.INTERDOMAIN_TRUST_ACCOUNT - description: Whether the account is permitted to trust a system domain that trusts - other domains. Works for *Windows Server 2012 R2*. - type: string -- contextPath: ActiveDirectory.Users.userAccountControlFields.WORKSTATION_TRUST_ACCOUNT - description: Whether this is a computer account for a computer running Microsoft - Windows NT 4.0 Workstation, Microsoft Windows NT 4.0 Server, Microsoft Windows - 2000 Professional, or Windows 2000 Server and is a member of this domain. - type: string -- contextPath: Account.Manager - description: The user manager. - type: string -- contextPath: Account.Groups - description: Groups for which the user is a member. - type: string -- contextPath: Account.DisplayName - description: The user display name. - type: string -- contextPath: ActiveDirectory.Users.userAccountControlFields.PARTIAL_SECRETS_ACCOUNT - description: Whether the account is a read-only domain controller (RODC). - type: string -- contextPath: ActiveDirectory.Users.userAccountControlFields.TRUSTED_TO_AUTH_FOR_DELEGATION - description: Whether the account is enabled for delegation. - type: string -- contextPath: ActiveDirectory.Users.userAccountControlFields.DONT_REQ_PREAUTH - description: Whether this account require Kerberos pre-authentication for logging - on. - type: string -- contextPath: ActiveDirectory.Users.userAccountControlFields.USE_DES_KEY_ONLY - description: Whether to restrict this principal to use only Data Encryption Standard - (DES) encryption types for keys. - type: string -- contextPath: ActiveDirectory.Users.userAccountControlFields.NOT_DELEGATED - description: Whether the security context of the user isn't delegated to a service - even if the service account is set as trusted for Kerberos delegation. - type: string -- contextPath: ActiveDirectory.Users.userAccountControlFields.TRUSTED_FOR_DELEGATION - description: Whether the service account (the user or computer account) under which - a service runs is trusted for Kerberos delegation. - type: string -- contextPath: ActiveDirectory.Users.userAccountControlFields.SMARTCARD_REQUIRED - description: Whether to force the user to log in by using a smart card. - type: string -- contextPath: ActiveDirectory.Users.userAccountControlFields.MNS_LOGON_ACCOUNT - description: Whether this is an MNS login account. - type: string -- contextPath: ActiveDirectory.Users.userAccountControlFields.SERVER_TRUST_ACCOUNT - description: Whether this is a computer account for a domain controller that is - a member of this domain. Works for *Windows Server 2012 R2*. - type: string -- contextPath: IAM.Vendor - description: The returning results vendor. - type: string -- contextPath: IAM.Vendor.action - description: The command name. - type: string -- contextPath: IAM.UserProfile - description: The user profile. - type: string -- contextPath: SailPointIdentityNow.Account - description: The IdentityNow account object. - type: string -- contextPath: SailPointIdentityNow.Account.id - description: The IdentityNow internal ID (UUID). - type: string -- contextPath: SailPointIdentityNow.Account.name - description: Name of the identity on this account. - type: string -- contextPath: SailPointIdentityNow.Account.identityId - description: The IdentityNow internal identity ID. - type: string -- contextPath: SailPointIdentityNow.Account.nativeIdentity - description: The IdentityNow internal native identity ID. - type: string -- contextPath: SailPointIdentityNow.Account.sourceId - description: Source ID that maps this account. - type: string -- contextPath: SailPointIdentityNow.Account.created - description: Timestamp when the account was created. - type: string -- contextPath: SailPointIdentityNow.Account.modified - description: Timestamp when the account was last modified. - type: string -- contextPath: SailPointIdentityNow.Account.attributes - description: Map of variable number of attributes unique to this account. - type: string -- contextPath: SailPointIdentityNow.Account.authoritative - description: Indicates whether the account is the true source for this identity. - type: string -- contextPath: SailPointIdentityNow.Account.disabled - description: Indicates whether the account is disabled. - type: string -- contextPath: SailPointIdentityNow.Account.locked - description: Indicates whether the account is locked. - type: string -- contextPath: SailPointIdentityNow.Account.systemAccount - description: Indicates whether the account is a system account. - type: string -- contextPath: SailPointIdentityNow.Account.uncorrelated - description: Indicates whether the account is uncorrelated. - type: string -- contextPath: SailPointIdentityNow.Account.manuallyCorrelated - description: Indicates whether the account was manually correlated. - type: string -- contextPath: SailPointIdentityNow.Account.hasEntitlements - description: Indicates whether the account has entitlement. - type: string -- contextPath: UserManagerEmail - description: The email of the user's manager. - type: string -- contextPath: UserManagerDisplayName - description: The display name of the user's manager. - type: string -- contextPath: MSGraphUser.ID - description: User's ID. - type: string -- contextPath: MSGraphUser.DisplayName - description: User's display name. - type: string -- contextPath: MSGraphUser.GivenName - description: User's given name. - type: string -- contextPath: MSGraphUser.JobTitle - description: User's job title. - type: string -- contextPath: MSGraphUser.Mail - description: User's mail address. - type: string -- contextPath: MSGraphUser.Surname - description: User's surname. - type: string -- contextPath: MSGraphUser.UserPrincipalName - description: User's principal name. - type: string -- contextPath: MSGraphUserManager.Manager.ID - description: Manager's user ID. - type: string -- contextPath: MSGraphUserManager.Manager.DisplayName - description: User's display name. - type: string -- contextPath: MSGraphUserManager.Manager.GivenName - description: User's given name. - type: string -- contextPath: MSGraphUserManager.Manager.Mail - description: User's mail address. - type: string -- contextPath: MSGraphUserManager.Manager.Surname - description: User's surname. - type: string -- contextPath: MSGraphUserManager.Manager.UserPrincipalName - description: User's principal name. - type: string -- contextPath: PaloAltoNetworksXDR.RiskyUser - description: The account object. - type: string -- contextPath: PaloAltoNetworksXDR.RiskyUser.type - description: Form of identification element. - type: string -- contextPath: PaloAltoNetworksXDR.RiskyUser.id - description: Identification value of the type field. - type: string -- contextPath: PaloAltoNetworksXDR.RiskyUser.score - description: The score assigned to the user. - type: string -- contextPath: PaloAltoNetworksXDR.RiskyUser.reasons - description: The account risk objects. - type: string -- contextPath: PaloAltoNetworksXDR.RiskyUser.reasons.date created - description: Date when the incident was created. - type: string -- contextPath: PaloAltoNetworksXDR.RiskyUser.reasons.description - description: Description of the incident. - type: string -- contextPath: PaloAltoNetworksXDR.RiskyUser.reasons.severity - description: The severity of the incident - type: string -- contextPath: PaloAltoNetworksXDR.RiskyUser.reasons.status - description: The incident status - type: string -- contextPath: PaloAltoNetworksXDR.RiskyUser.reasons.points - description: The score. - type: string -- contextPath: ActiveDirectory.Users.userAccountControlFields.DONT_EXPIRE_PASSWORD - description: Whether to never expire the password on the account. - type: string -- contextPath: ActiveDirectory.Users.userAccountControlFields.PASSWORD_EXPIRED - description: Whether the user password expired. - type: string -- contextPath: Account.ManagerEmail - description: The manager email. - type: string -- contextPath: AWS.IAM.Users - description: AWS IAM output. - type: string -- contextPath: AWS.IAM.Users.UserName - description: The friendly name identifying the user. - type: string -- contextPath: AWS.IAM.Users.UserId - description: The stable and unique string identifying the user. - type: string -- contextPath: AWS.IAM.Users.Arn - description: The Amazon Resource Name (ARN) that identifies the user. - type: string -- contextPath: AWS.IAM.Users.CreateDate - description: The date and time when the user was created. - type: string -- contextPath: AWS.IAM.Users.Path - description: The path to the user. - type: string -- contextPath: AWS.IAM.Users.PasswordLastUsed - description: The date and time, when the user's password was last used to sign - in to an AWS website. - type: string -- contextPath: MSGraphUser.MobilePhone - description: User's mobile phone number. - type: string -- contextPath: MSGraphUser.OfficeLocation - description: User's office location. - type: string -- contextPath: Account.JobTitle - description: User’s job title. - type: string -- contextPath: Account.TelephoneNumber - description: User’s mobile phone number. - type: string -- contextPath: Account.Office - description: User’s office location. - type: string -- contextPath: Account.Type - description: The account entity type. - type: string -- contextPath: Account.Email.Address - description: User’s mail address. - type: string -- contextPath: MSGraphUserManager.Manager.BusinessPhones - description: User's business phone numbers. - type: string -- contextPath: MSGraphUser.BusinessPhones - description: User's business phone numbers. - type: string -- contextPath: MSGraphUserManager.Manager.JobTitle - description: User's job title. - type: string -- contextPath: MSGraphUserManager.Manager.MobilePhone - description: User's mobile phone number. - type: string -- contextPath: MSGraphUserManager.Manager.OfficeLocation - description: User's office location. - type: string -sourceplaybookid: Account Enrichment - Generic v2.1 -starttaskid: "0" tags: - SOC - SOC_Framework +starttaskid: "0" tasks: "0": - continueonerrortype: "" id: "0" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false + taskid: a6743119-6f7b-4ad2-86f8-d7e6f17415a3 + type: start + task: + id: a6743119-6f7b-4ad2-86f8-d7e6f17415a3 + version: -1 + name: "" + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - "1" - "68" - note: false - quietmode: 0 separatecontext: false - skipunavailable: false - task: - brand: "" - id: a6743119-6f7b-4ad2-86f8-d7e6f17415a3 - iscommand: false - name: "" - playbooktaskmissingcomponent: - version: -1 - taskid: a6743119-6f7b-4ad2-86f8-d7e6f17415a3 - timertriggers: [] - type: start + continueonerrortype: "" view: |- { "position": { @@ -697,53 +61,54 @@ tasks: "y": -200 } } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "1": + id: "1" + taskid: 7d3036d6-80da-4b4f-8534-c634c6264f50 + type: condition + task: + id: 7d3036d6-80da-4b4f-8534-c634c6264f50 + version: -1 + name: Is there an account to enrich (without domain prefix)? + description: Checks if there is at least one username to enrich. + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "3" + "yes": + - "67" + separatecontext: false conditions: - - condition: - - - left: - iscontext: true + - label: "yes" + condition: + - - operator: isExists + left: value: complex: + root: inputs.Username filters: - - - left: - iscontext: true + - - operator: notContainsGeneral + left: value: simple: inputs.Username - operator: notContainsGeneral + iscontext: true right: value: simple: \ - root: inputs.Username - operator: isExists + iscontext: true right: value: {} - label: "yes" continueonerrortype: "" - id: "1" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#default#': - - "3" - "yes": - - "67" - note: false - quietmode: 0 - separatecontext: false - skipunavailable: false - task: - brand: "" - description: Checks if there is at least one username to enrich. - id: 7d3036d6-80da-4b4f-8534-c634c6264f50 - iscommand: false - name: Is there an account to enrich (without domain prefix)? - playbooktaskmissingcomponent: - type: condition - version: -1 - taskid: 7d3036d6-80da-4b4f-8534-c634c6264f50 - timertriggers: [] - type: condition view: |- { "position": { @@ -751,27 +116,28 @@ tasks: "y": -7 } } - "3": - continueonerrortype: "" - id: "3" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false note: false - quietmode: 0 - separatecontext: false + timertriggers: [] + ignoreworker: false skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "3": + id: "3" + taskid: b5a047e4-ca2a-4881-8a80-de3d0886ea64 + type: title task: - brand: "" id: b5a047e4-ca2a-4881-8a80-de3d0886ea64 - iscommand: false + version: -1 name: Done - playbooktaskmissingcomponent: type: title - version: -1 - taskid: b5a047e4-ca2a-4881-8a80-de3d0886ea64 - timertriggers: [] - type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + separatecontext: false + continueonerrortype: "" view: |- { "position": { @@ -779,60 +145,61 @@ tasks: "y": 1560 } } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "4": + id: "4" + taskid: 9b07e7c9-ff70-410d-881c-02389fbf4c1e + type: condition + task: + id: 9b07e7c9-ff70-410d-881c-02389fbf4c1e + version: -1 + name: Is Active Directory Query v2 enabled? + description: Checks if there’s an active instance of the Active Directory Query + v2 integration enabled. + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "3" + "yes": + - "5" + separatecontext: false conditions: - - condition: - - - left: - iscontext: true + - label: "yes" + condition: + - - operator: isExists + left: value: complex: + root: modules filters: - - - left: - iscontext: true + - - operator: isEqualString + left: value: simple: brand - operator: isEqualString + iscontext: true right: value: simple: Active Directory Query v2 - - - left: - iscontext: true + - - operator: isEqualString + left: value: simple: state - operator: isEqualString + iscontext: true right: value: simple: active - root: modules - operator: isExists - label: "yes" + iscontext: true continueonerrortype: "" - id: "4" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#default#': - - "3" - "yes": - - "5" - note: false - quietmode: 0 - separatecontext: false - skipunavailable: false - task: - brand: "" - description: Checks if there’s an active instance of the Active Directory Query - v2 integration enabled. - id: 9b07e7c9-ff70-410d-881c-02389fbf4c1e - iscommand: false - name: Is Active Directory Query v2 enabled? - playbooktaskmissingcomponent: - type: condition - version: -1 - taskid: 9b07e7c9-ff70-410d-881c-02389fbf4c1e - timertriggers: [] - type: condition view: |- { "position": { @@ -840,74 +207,76 @@ tasks: "y": 565 } } - "5": - continueonerror: true - continueonerrortype: errorPath - id: "5" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "5": + id: "5" + taskid: 8ced86cc-67bc-45f8-b78c-f24b260cf615 + type: regular + task: + id: 8ced86cc-67bc-45f8-b78c-f24b260cf615 + version: -1 + name: Get account info from Active Directory + description: Queries Active Directory and returns information for the specified + username. + script: '|||ad-get-user' + type: regular + iscommand: true + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#error#': - - "70" + - "71" '#none#': - "53" - note: false - quietmode: 0 - reputationcalc: 1 scriptarguments: username: complex: root: Usernames transformers: - operator: uniq + reputationcalc: 1 separatecontext: false - skipunavailable: true - task: - brand: "" - description: Queries Active Directory and returns information for the specified - username. - id: 8ced86cc-67bc-45f8-b78c-f24b260cf615 - iscommand: true - name: Get account info from Active Directory - playbooktaskmissingcomponent: - script: '|||ad-get-user' - type: regular - version: -1 - taskid: 8ced86cc-67bc-45f8-b78c-f24b260cf615 - timertriggers: [] - type: regular + continueonerror: true + continueonerrortype: errorPath view: |- { "position": { - "x": 230, - "y": 760 - } - } - "9": - continueonerrortype: "" - id: "9" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#none#': - - "18" + "x": 230, + "y": 760 + } + } note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true quietmode: 0 - separatecontext: false - skipunavailable: false + isoversize: false + isautoswitchedtoquietmode: false + "9": + id: "9" + taskid: 148faf68-5ced-41f4-82c0-f98fa9d82037 + type: title task: - brand: "" id: 148faf68-5ced-41f4-82c0-f98fa9d82037 - iscommand: false + version: -1 name: SailPoint IdentityIQ - playbooktaskmissingcomponent: type: title - version: -1 - taskid: 148faf68-5ced-41f4-82c0-f98fa9d82037 - timertriggers: [] - type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "18" + separatecontext: false + continueonerrortype: "" view: |- { "position": { @@ -915,30 +284,31 @@ tasks: "y": 435 } } - "11": - continueonerrortype: "" - id: "11" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#none#': - - "20" note: false - quietmode: 0 - separatecontext: false + timertriggers: [] + ignoreworker: false skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "11": + id: "11" + taskid: 58620334-72c1-4be6-87a2-84ed544c4a8a + type: title task: - brand: "" id: 58620334-72c1-4be6-87a2-84ed544c4a8a - iscommand: false + version: -1 name: PingOne - playbooktaskmissingcomponent: type: title - version: -1 - taskid: 58620334-72c1-4be6-87a2-84ed544c4a8a - timertriggers: [] - type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "20" + separatecontext: false + continueonerrortype: "" view: |- { "position": { @@ -946,30 +316,31 @@ tasks: "y": 435 } } - "16": - continueonerrortype: "" - id: "16" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#none#': - - "4" note: false - quietmode: 0 - separatecontext: false + timertriggers: [] + ignoreworker: false skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "16": + id: "16" + taskid: b5887cbc-9c89-47ba-8802-86c66ed0c85a + type: title task: - brand: "" id: b5887cbc-9c89-47ba-8802-86c66ed0c85a - iscommand: false + version: -1 name: Microsoft Active Directory - playbooktaskmissingcomponent: type: title - version: -1 - taskid: b5887cbc-9c89-47ba-8802-86c66ed0c85a - timertriggers: [] - type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "4" + separatecontext: false + continueonerrortype: "" view: |- { "position": { @@ -977,38 +348,39 @@ tasks: "y": 435 } } - "18": - continueonerrortype: "" - id: "18" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "18": + id: "18" + taskid: 93b0d852-2215-4504-8179-64a62951fbcc + type: condition + task: + id: 93b0d852-2215-4504-8179-64a62951fbcc + version: -1 + name: Is SailPoint IdentityIQ Integration Enabled? + description: Returns 'yes' if the integration brand is available. Otherwise + returns 'no' + scriptName: IsIntegrationAvailable + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#default#': - "3" "yes": - "29" - note: false - quietmode: 0 scriptarguments: brandname: simple: SailPointIdentityIQ separatecontext: false - skipunavailable: false - task: - brand: "" - description: Returns 'yes' if the integration brand is available. Otherwise - returns 'no' - id: 93b0d852-2215-4504-8179-64a62951fbcc - iscommand: false - name: Is SailPoint IdentityIQ Integration Enabled? - playbooktaskmissingcomponent: - script: IsIntegrationAvailable - type: condition - version: -1 - taskid: 93b0d852-2215-4504-8179-64a62951fbcc - timertriggers: [] - type: condition + continueonerrortype: "" view: |- { "position": { @@ -1016,38 +388,39 @@ tasks: "y": 565 } } - "20": - continueonerrortype: "" - id: "20" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "20": + id: "20" + taskid: 82adaccd-d799-44ae-85ec-ee4ca516aab6 + type: condition + task: + id: 82adaccd-d799-44ae-85ec-ee4ca516aab6 + version: -1 + name: Is PingOne Integration Enabled + description: Returns 'yes' if the integration brand is available. Otherwise + returns 'no' + scriptName: IsIntegrationAvailable + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#default#': - "3" "yes": - "31" - note: false - quietmode: 0 scriptarguments: brandname: simple: PingOne separatecontext: false - skipunavailable: false - task: - brand: "" - description: Returns 'yes' if the integration brand is available. Otherwise - returns 'no' - id: 82adaccd-d799-44ae-85ec-ee4ca516aab6 - iscommand: false - name: Is PingOne Integration Enabled - playbooktaskmissingcomponent: - script: IsIntegrationAvailable - type: condition - version: -1 - taskid: 82adaccd-d799-44ae-85ec-ee4ca516aab6 - timertriggers: [] - type: condition + continueonerrortype: "" view: |- { "position": { @@ -1055,20 +428,34 @@ tasks: "y": 565 } } - "29": - continueonerror: true - continueonerrortype: errorPath - id: "29" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "29": + id: "29" + taskid: ce8794f6-be60-4731-b21f-f519ae6b530f + type: regular + task: + id: ce8794f6-be60-4731-b21f-f519ae6b530f + version: -1 + name: Get account info from IdentityIQ + description: Search identities by search/filter parameters (ID, email, risk + & active) using IdentityIQ SCIM APIs. + script: SailPointIdentityIQ|||identityiq-search-identities + type: regular + iscommand: true + brand: SailPointIdentityIQ + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#error#': - - "70" + - "71" '#none#': - "3" - note: false - quietmode: 0 scriptarguments: id: complex: @@ -1076,21 +463,8 @@ tasks: transformers: - operator: uniq separatecontext: false - skipunavailable: true - task: - brand: SailPointIdentityIQ - description: Search identities by search/filter parameters (ID, email, risk - & active) using IdentityIQ SCIM APIs. - id: ce8794f6-be60-4731-b21f-f519ae6b530f - iscommand: true - name: Get account info from IdentityIQ - playbooktaskmissingcomponent: - script: SailPointIdentityIQ|||identityiq-search-identities - type: regular - version: -1 - taskid: ce8794f6-be60-4731-b21f-f519ae6b530f - timertriggers: [] - type: regular + continueonerror: true + continueonerrortype: errorPath view: |- { "position": { @@ -1098,20 +472,34 @@ tasks: "y": 760 } } - "31": - continueonerror: true - continueonerrortype: errorPath - id: "31" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: true + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "31": + id: "31" + taskid: 1ec22e61-e06f-45d3-8134-ea9ebe1117bc + type: regular + task: + id: 1ec22e61-e06f-45d3-8134-ea9ebe1117bc + version: -1 + name: Get account info from PingOne + description: Returns a PingOne user. One of the following has to be given - + username or userId. + script: PingOne|||pingone-get-user + type: regular + iscommand: true + brand: PingOne + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#error#': - - "70" + - "71" '#none#': - "3" - note: false - quietmode: 0 scriptarguments: username: complex: @@ -1119,21 +507,8 @@ tasks: transformers: - operator: uniq separatecontext: false - skipunavailable: true - task: - brand: PingOne - description: Returns a PingOne user. One of the following has to be given - - username or userId. - id: 1ec22e61-e06f-45d3-8134-ea9ebe1117bc - iscommand: true - name: Get account info from PingOne - playbooktaskmissingcomponent: - script: PingOne|||pingone-get-user - type: regular - version: -1 - taskid: 1ec22e61-e06f-45d3-8134-ea9ebe1117bc - timertriggers: [] - type: regular + continueonerror: true + continueonerrortype: errorPath view: |- { "position": { @@ -1141,30 +516,31 @@ tasks: "y": 760 } } - "32": - continueonerrortype: "" - id: "32" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#none#': - - "33" note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true quietmode: 0 - separatecontext: false - skipunavailable: false + isoversize: false + isautoswitchedtoquietmode: false + "32": + id: "32" + taskid: 4e5ba461-1f35-4898-8f03-940b3e3dd950 + type: title task: - brand: "" id: 4e5ba461-1f35-4898-8f03-940b3e3dd950 - iscommand: false + version: -1 name: OKTA - playbooktaskmissingcomponent: type: title - version: -1 - taskid: 4e5ba461-1f35-4898-8f03-940b3e3dd950 - timertriggers: [] - type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "33" + separatecontext: false + continueonerrortype: "" view: |- { "position": { @@ -1172,38 +548,39 @@ tasks: "y": 435 } } - "33": - continueonerrortype: "" - id: "33" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "33": + id: "33" + taskid: e0b7f17c-70f7-4330-8f06-c3729e226adb + type: condition + task: + id: e0b7f17c-70f7-4330-8f06-c3729e226adb + version: -1 + name: Is OKTA v2 integration enabled? + description: Returns 'yes' if the integration brand is available. Otherwise + returns 'no' + scriptName: IsIntegrationAvailable + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#default#': - "3" "yes": - "34" - note: false - quietmode: 0 scriptarguments: brandname: simple: Okta v2 separatecontext: false - skipunavailable: false - task: - brand: "" - description: Returns 'yes' if the integration brand is available. Otherwise - returns 'no' - id: e0b7f17c-70f7-4330-8f06-c3729e226adb - iscommand: false - name: Is OKTA v2 integration enabled? - playbooktaskmissingcomponent: - script: IsIntegrationAvailable - type: condition - version: -1 - taskid: e0b7f17c-70f7-4330-8f06-c3729e226adb - timertriggers: [] - type: condition + continueonerrortype: "" view: |- { "position": { @@ -1211,20 +588,34 @@ tasks: "y": 565 } } - "34": - continueonerror: true - continueonerrortype: errorPath - id: "34" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "34": + id: "34" + taskid: 43c12bed-2852-4ae0-be49-0deb0073a779 + type: regular + task: + id: 43c12bed-2852-4ae0-be49-0deb0073a779 + version: -1 + name: Get account info from OKTA v2 + description: Fetches information for a single user. You must enter one or more + parameters for the command to run. + script: '|||okta-get-user' + type: regular + iscommand: true + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#error#': - - "70" + - "71" '#none#': - "3" - note: false - quietmode: 0 scriptarguments: username: complex: @@ -1232,21 +623,8 @@ tasks: transformers: - operator: uniq separatecontext: false - skipunavailable: true - task: - brand: "" - description: Fetches information for a single user. You must enter one or more - parameters for the command to run. - id: 43c12bed-2852-4ae0-be49-0deb0073a779 - iscommand: true - name: Get account info from OKTA v2 - playbooktaskmissingcomponent: - script: '|||okta-get-user' - type: regular - version: -1 - taskid: 43c12bed-2852-4ae0-be49-0deb0073a779 - timertriggers: [] - type: regular + continueonerror: true + continueonerrortype: errorPath view: |- { "position": { @@ -1254,30 +632,31 @@ tasks: "y": 760 } } - "42": - continueonerrortype: "" - id: "42" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#none#': - - "43" note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true quietmode: 0 - separatecontext: false - skipunavailable: false + isoversize: false + isautoswitchedtoquietmode: false + "42": + id: "42" + taskid: ced5695a-76e7-4f6a-81b8-598925a8ea9d + type: title task: - brand: "" id: ced5695a-76e7-4f6a-81b8-598925a8ea9d - iscommand: false + version: -1 name: AWS - playbooktaskmissingcomponent: type: title - version: -1 - taskid: ced5695a-76e7-4f6a-81b8-598925a8ea9d - timertriggers: [] - type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "43" + separatecontext: false + continueonerrortype: "" view: |- { "position": { @@ -1285,38 +664,39 @@ tasks: "y": 435 } } - "43": - continueonerrortype: "" - id: "43" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "43": + id: "43" + taskid: 0f630de1-9988-461a-883a-6113d3dd6d2a + type: condition + task: + id: 0f630de1-9988-461a-883a-6113d3dd6d2a + version: -1 + name: Is AWS integration enabled? + description: Returns 'yes' if the integration brand is available. Otherwise + returns 'no' + scriptName: IsIntegrationAvailable + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#default#': - "3" "yes": - "44" - note: false - quietmode: 0 scriptarguments: brandname: simple: AWS - IAM separatecontext: false - skipunavailable: false - task: - brand: "" - description: Returns 'yes' if the integration brand is available. Otherwise - returns 'no' - id: 0f630de1-9988-461a-883a-6113d3dd6d2a - iscommand: false - name: Is AWS integration enabled? - playbooktaskmissingcomponent: - script: IsIntegrationAvailable - type: condition - version: -1 - taskid: 0f630de1-9988-461a-883a-6113d3dd6d2a - timertriggers: [] - type: condition + continueonerrortype: "" view: |- { "position": { @@ -1324,20 +704,34 @@ tasks: "y": 565 } } - "44": - continueonerror: true - continueonerrortype: errorPath - id: "44" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "44": + id: "44" + taskid: 52a7785d-4ab4-403e-8620-20756bd71cc1 + type: regular + task: + id: 52a7785d-4ab4-403e-8620-20756bd71cc1 + version: -1 + name: Get account info from AWS + description: Retrieves information about the specified IAM user, including the + user's creation date, path, unique ID, and ARN. + script: AWS - IAM|||aws-iam-get-user + type: regular + iscommand: true + brand: AWS - IAM + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#error#': - - "70" + - "71" '#none#': - "3" - note: false - quietmode: 0 scriptarguments: userName: complex: @@ -1345,21 +739,8 @@ tasks: transformers: - operator: uniq separatecontext: false - skipunavailable: true - task: - brand: AWS - IAM - description: Retrieves information about the specified IAM user, including the - user's creation date, path, unique ID, and ARN. - id: 52a7785d-4ab4-403e-8620-20756bd71cc1 - iscommand: true - name: Get account info from AWS - playbooktaskmissingcomponent: - script: AWS - IAM|||aws-iam-get-user - type: regular - version: -1 - taskid: 52a7785d-4ab4-403e-8620-20756bd71cc1 - timertriggers: [] - type: regular + continueonerror: true + continueonerrortype: errorPath view: |- { "position": { @@ -1367,30 +748,31 @@ tasks: "y": 760 } } - "48": - continueonerrortype: "" - id: "48" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#none#': - - "63" note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true quietmode: 0 - separatecontext: false - skipunavailable: false + isoversize: false + isautoswitchedtoquietmode: false + "48": + id: "48" + taskid: 4f4d3e42-0ec6-4b22-89b2-0b275eedc3c5 + type: title task: - brand: "" id: 4f4d3e42-0ec6-4b22-89b2-0b275eedc3c5 - iscommand: false + version: -1 name: IAM - playbooktaskmissingcomponent: type: title - version: -1 - taskid: 4f4d3e42-0ec6-4b22-89b2-0b275eedc3c5 - timertriggers: [] - type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "63" + separatecontext: false + continueonerrortype: "" view: |- { "position": { @@ -1398,30 +780,31 @@ tasks: "y": 425 } } - "50": - continueonerrortype: "" - id: "50" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#none#': - - "51" note: false - quietmode: 0 - separatecontext: false + timertriggers: [] + ignoreworker: false skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "50": + id: "50" + taskid: 61ad53d6-a0fd-4e1e-8608-1c8a9596d965 + type: title task: - brand: "" id: 61ad53d6-a0fd-4e1e-8608-1c8a9596d965 - iscommand: false + version: -1 name: SailPoint IdentityNow - playbooktaskmissingcomponent: type: title - version: -1 - taskid: 61ad53d6-a0fd-4e1e-8608-1c8a9596d965 - timertriggers: [] - type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "51" + separatecontext: false + continueonerrortype: "" view: |- { "position": { @@ -1429,38 +812,39 @@ tasks: "y": 435 } } - "51": - continueonerrortype: "" - id: "51" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "51": + id: "51" + taskid: 21d70bb7-8b40-4f49-80ca-b78cb05b24aa + type: condition + task: + id: 21d70bb7-8b40-4f49-80ca-b78cb05b24aa + version: -1 + name: Is SailPoint IdentityNow integration enabled? + description: Returns 'yes' if the integration brand is available. Otherwise + returns 'no' + scriptName: IsIntegrationAvailable + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#default#': - "3" "yes": - "52" - note: false - quietmode: 0 scriptarguments: brandname: simple: SailPointIdentityNow separatecontext: false - skipunavailable: false - task: - brand: "" - description: Returns 'yes' if the integration brand is available. Otherwise - returns 'no' - id: 21d70bb7-8b40-4f49-80ca-b78cb05b24aa - iscommand: false - name: Is SailPoint IdentityNow integration enabled? - playbooktaskmissingcomponent: - script: IsIntegrationAvailable - type: condition - version: -1 - taskid: 21d70bb7-8b40-4f49-80ca-b78cb05b24aa - timertriggers: [] - type: condition + continueonerrortype: "" view: |- { "position": { @@ -1468,20 +852,33 @@ tasks: "y": 565 } } - "52": - continueonerror: true - continueonerrortype: errorPath - id: "52" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "52": + id: "52" + taskid: c563f279-3529-481b-9a5d-1434947a9dad + type: regular + task: + id: c563f279-3529-481b-9a5d-1434947a9dad + version: -1 + name: Get account info from IdentityNow + description: Get accounts by search/filter parameters (ID, name, native_identity). + script: SailPointIdentityNow|||identitynow-get-accounts + type: regular + iscommand: true + brand: SailPointIdentityNow + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#error#': - - "70" + - "71" '#none#': - "3" - note: false - quietmode: 0 scriptarguments: name: complex: @@ -1489,20 +886,8 @@ tasks: transformers: - operator: uniq separatecontext: false - skipunavailable: true - task: - brand: SailPointIdentityNow - description: Get accounts by search/filter parameters (ID, name, native_identity). - id: c563f279-3529-481b-9a5d-1434947a9dad - iscommand: true - name: Get account info from IdentityNow - playbooktaskmissingcomponent: - script: SailPointIdentityNow|||identitynow-get-accounts - type: regular - version: -1 - taskid: c563f279-3529-481b-9a5d-1434947a9dad - timertriggers: [] - type: regular + continueonerror: true + continueonerrortype: errorPath view: |- { "position": { @@ -1510,43 +895,44 @@ tasks: "y": 760 } } - "53": - conditions: - - condition: - - - left: - iscontext: true - value: - simple: Account.Manager - operator: isNotEmpty - right: - value: {} - label: "yes" - continueonerrortype: "" - id: "53" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: true + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "53": + id: "53" + taskid: f1700d16-6e63-4a56-8157-42cecfc24657 + type: condition + task: + id: f1700d16-6e63-4a56-8157-42cecfc24657 + version: -1 + name: Is there a manager? + description: Is there a manager? + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#default#': - "3" "yes": - "54" - note: false - quietmode: 0 separatecontext: false - skipunavailable: false - task: - brand: "" - description: Is there a manager? - id: f1700d16-6e63-4a56-8157-42cecfc24657 - iscommand: false - name: Is there a manager? - playbooktaskmissingcomponent: - type: condition - version: -1 - taskid: f1700d16-6e63-4a56-8157-42cecfc24657 - timertriggers: [] - type: condition + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: Account.Manager + iscontext: true + right: + value: {} + continueonerrortype: "" view: |- { "position": { @@ -1554,53 +940,54 @@ tasks: "y": 930 } } - "54": - continueonerrortype: "" - id: "54" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false - loop: - exitCondition: "" + isautoswitchedtoquietmode: false + "54": + id: "54" + taskid: 06dcf79d-5c65-4a13-be65-d06b2c465038 + type: playbook + task: + id: 06dcf79d-5c65-4a13-be65-d06b2c465038 + version: -1 + name: Active Directory - Get User Manager Details + description: Takes an email address or a username of a user account in Active + Directory, and returns the email address of the user's manager. + playbookName: Active Directory - Get User Manager Details + type: playbook iscommand: false - max: 100 - wait: 1 + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - "3" - note: false - quietmode: 0 scriptarguments: UserEmail: complex: - accessor: Email root: Account + accessor: Email transformers: - operator: uniq - operator: FirstArrayElement Username: complex: - accessor: Username root: Account + accessor: Username transformers: - operator: uniq - operator: FirstArrayElement separatecontext: true - skipunavailable: true - task: - brand: "" - description: Takes an email address or a username of a user account in Active - Directory, and returns the email address of the user's manager. - id: 06dcf79d-5c65-4a13-be65-d06b2c465038 + continueonerrortype: "" + loop: iscommand: false - name: Active Directory - Get User Manager Details - playbookId: Active Directory - Get User Manager Details - playbooktaskmissingcomponent: - type: playbook - version: -1 - taskid: 06dcf79d-5c65-4a13-be65-d06b2c465038 - timertriggers: [] - type: playbook + exitCondition: "" + wait: 1 + max: 100 view: |- { "position": { @@ -1608,30 +995,31 @@ tasks: "y": 1100 } } - "55": - continueonerrortype: "" - id: "55" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#none#': - - "56" note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true quietmode: 0 - separatecontext: false - skipunavailable: false + isoversize: false + isautoswitchedtoquietmode: false + "55": + id: "55" + taskid: 285753ae-d884-4485-881c-3a99f77be4d0 + type: title task: - brand: "" id: 285753ae-d884-4485-881c-3a99f77be4d0 - iscommand: false + version: -1 name: MSGraph Users - playbooktaskmissingcomponent: type: title - version: -1 - taskid: 285753ae-d884-4485-881c-3a99f77be4d0 - timertriggers: [] - type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "56" + separatecontext: false + continueonerrortype: "" view: |- { "position": { @@ -1639,38 +1027,39 @@ tasks: "y": 435 } } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "56": - continueonerrortype: "" id: "56" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false + taskid: be533930-e327-4945-8fb7-c47ada329a2f + type: condition + task: + id: be533930-e327-4945-8fb7-c47ada329a2f + version: -1 + name: Is Azure Active Directory Users integration enabled? + description: Returns 'yes' if the integration brand is available. Otherwise + returns 'no'. + scriptName: IsIntegrationAvailable + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#default#': - "3" "yes": - "57" - note: false - quietmode: 0 scriptarguments: brandname: simple: Microsoft Graph User separatecontext: false - skipunavailable: false - task: - brand: "" - description: Returns 'yes' if the integration brand is available. Otherwise - returns 'no'. - id: be533930-e327-4945-8fb7-c47ada329a2f - iscommand: false - name: Is Azure Active Directory Users integration enabled? - playbooktaskmissingcomponent: - script: IsIntegrationAvailable - type: condition - version: -1 - taskid: be533930-e327-4945-8fb7-c47ada329a2f - timertriggers: [] - type: condition + continueonerrortype: "" view: |- { "position": { @@ -1678,41 +1067,42 @@ tasks: "y": 565 } } - "57": - continueonerror: true - continueonerrortype: errorPath - id: "57" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "57": + id: "57" + taskid: a21eb31a-bab2-4069-8a3a-fa9f68a1f8b2 + type: regular + task: + id: a21eb31a-bab2-4069-8a3a-fa9f68a1f8b2 + version: -1 + name: Get account info from Azure Active Directory + description: |- + Retrieves the properties and relationships of a user object. For more information, visit: https://docs.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0). + Permissions: - User.Read (Delegated) - User.Read.All (Application) + script: Microsoft Graph User|||msgraph-user-get + type: regular + iscommand: true + brand: Microsoft Graph User + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#error#': - - "70" + - "71" '#none#': - "58" - note: false - quietmode: 2 scriptarguments: user: complex: root: Usernames separatecontext: false - skipunavailable: true - task: - brand: Microsoft Graph User - description: |- - Retrieves the properties and relationships of a user object. For more information, visit: https://docs.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0). - Permissions: - User.Read (Delegated) - User.Read.All (Application) - id: a21eb31a-bab2-4069-8a3a-fa9f68a1f8b2 - iscommand: true - name: Get account info from Azure Active Directory - playbooktaskmissingcomponent: - script: Microsoft Graph User|||msgraph-user-get - type: regular - version: -1 - taskid: a21eb31a-bab2-4069-8a3a-fa9f68a1f8b2 - timertriggers: [] - type: regular + continueonerror: true + continueonerrortype: errorPath view: |- { "position": { @@ -1720,48 +1110,49 @@ tasks: "y": 760 } } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 2 + isoversize: false + isautoswitchedtoquietmode: false "58": + id: "58" + taskid: 56bea608-c34d-4914-8b16-594603971e22 + type: condition + task: + id: 56bea608-c34d-4914-8b16-594603971e22 + version: -1 + name: Is there a manager? + description: Is there a manager? + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "3" + "yes": + - "59" + separatecontext: false conditions: - - condition: - - - left: - iscontext: true + - label: "yes" + condition: + - - operator: isNotEmpty + left: value: simple: Account.Manager - operator: isNotEmpty + iscontext: true right: value: {} - - - left: - iscontext: true + - - operator: isNotEmpty + left: value: simple: MSGraphUser.ID - operator: isNotEmpty - label: "yes" + iscontext: true continueonerrortype: "" - id: "58" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#default#': - - "3" - "yes": - - "59" - note: false - quietmode: 0 - separatecontext: false - skipunavailable: false - task: - brand: "" - description: Is there a manager? - id: 56bea608-c34d-4914-8b16-594603971e22 - iscommand: false - name: Is there a manager? - playbooktaskmissingcomponent: - type: condition - version: -1 - taskid: 56bea608-c34d-4914-8b16-594603971e22 - timertriggers: [] - type: condition view: |- { "position": { @@ -1769,40 +1160,41 @@ tasks: "y": 930 } } - "59": - continueonerror: true - continueonerrortype: errorPath - id: "59" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "59": + id: "59" + taskid: fcbb5279-9a7c-4230-a897-1e72796add0e + type: regular + task: + id: fcbb5279-9a7c-4230-a897-1e72796add0e + version: -1 + name: Azure Active Directory - Get manager details + description: Retrieves the properties from the manager of a user. + script: Microsoft Graph User|||msgraph-user-get-manager + type: regular + iscommand: true + brand: Microsoft Graph User + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#error#': - - "70" + - "71" '#none#': - "60" - note: false - quietmode: 0 scriptarguments: user: complex: - accessor: ID root: MSGraphUser + accessor: ID separatecontext: false - skipunavailable: true - task: - brand: Microsoft Graph User - description: Retrieves the properties from the manager of a user. - id: fcbb5279-9a7c-4230-a897-1e72796add0e - iscommand: true - name: Azure Active Directory - Get manager details - playbooktaskmissingcomponent: - script: Microsoft Graph User|||msgraph-user-get-manager - type: regular - version: -1 - taskid: fcbb5279-9a7c-4230-a897-1e72796add0e - timertriggers: [] - type: regular + continueonerror: true + continueonerrortype: errorPath view: |- { "position": { @@ -1810,39 +1202,40 @@ tasks: "y": 1220 } } - "60": - continueonerrortype: "" - id: "60" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: true + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "60": + id: "60" + taskid: 83d6879d-694b-4091-84cd-6445167b9c75 + type: regular + task: + id: 83d6879d-694b-4091-84cd-6445167b9c75 + version: -1 + name: Set manager email address to context + description: Set a value in context under the key you entered. + scriptName: Set + type: regular + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - "3" - note: false - quietmode: 0 scriptarguments: key: simple: UserManagerEmail value: complex: - accessor: Mail root: MSGraphUserManager.Manager + accessor: Mail separatecontext: false - skipunavailable: false - task: - brand: "" - description: Set a value in context under the key you entered. - id: 83d6879d-694b-4091-84cd-6445167b9c75 - iscommand: false - name: Set manager email address to context - playbooktaskmissingcomponent: - script: Set - type: regular - version: -1 - taskid: 83d6879d-694b-4091-84cd-6445167b9c75 - timertriggers: [] - type: regular + continueonerrortype: "" view: |- { "position": { @@ -1850,27 +1243,41 @@ tasks: "y": 1390 } } - "61": - continueonerror: true - continueonerrortype: errorPath - id: "61" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "61": + id: "61" + taskid: 7b64280f-0fa6-48fb-8cce-58ae35c662ae + type: regular + task: + id: 7b64280f-0fa6-48fb-8cce-58ae35c662ae + version: -1 + name: IAM Get User - Without specifying a domain + description: Retrieves a single user resource. + script: '|||iam-get-user' + type: regular + iscommand: true + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#error#': - - "70" + - "71" '#none#': - "3" - note: false - quietmode: 0 scriptarguments: user-profile: complex: root: Usernames transformers: - operator: Stringify - - args: + - operator: RegexReplace + args: action_dt: {} ignore_case: {} multi_line: {} @@ -1879,34 +1286,21 @@ tasks: regex: value: simple: '[\w.0-9]*\\' - operator: RegexReplace - - args: + - operator: concat + args: prefix: value: simple: '{"username":"' suffix: value: simple: '"}' - operator: concat - operator: uniq - - args: + - operator: split + args: delimiter: {} - operator: split separatecontext: false - skipunavailable: true - task: - brand: "" - description: Retrieves a single user resource. - id: 7b64280f-0fa6-48fb-8cce-58ae35c662ae - iscommand: true - name: IAM Get User - Without specifying a domain - playbooktaskmissingcomponent: - script: '|||iam-get-user' - type: regular - version: -1 - taskid: 7b64280f-0fa6-48fb-8cce-58ae35c662ae - timertriggers: [] - type: regular + continueonerror: true + continueonerrortype: errorPath view: |- { "position": { @@ -1914,26 +1308,40 @@ tasks: "y": 750 } } - "62": - continueonerror: true - continueonerrortype: errorPath - id: "62" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: true + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "62": + id: "62" + taskid: 75cd7da4-b58a-4bd0-a146-b3fc058836e1 + type: regular + task: + id: 75cd7da4-b58a-4bd0-a146-b3fc058836e1 + version: -1 + name: IAM Get User - with a domain + description: Retrieves a single user resource. + script: '|||iam-get-user' + type: regular + iscommand: true + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#error#': - - "70" + - "71" '#none#': - "3" - note: false - quietmode: 0 scriptarguments: user-profile: complex: root: Usernames transformers: - - args: + - operator: RegexReplace + args: action_dt: {} ignore_case: {} multi_line: {} @@ -1942,42 +1350,29 @@ tasks: regex: value: simple: '[\w.0-9]*\\' - operator: RegexReplace - - args: + - operator: concat + args: prefix: iscontext: true suffix: - iscontext: true value: simple: inputs.Domain - operator: concat - - args: + iscontext: true + - operator: concat + args: prefix: value: simple: '{"username":"' suffix: value: simple: '"}' - operator: concat - operator: uniq - - args: + - operator: split + args: delimiter: {} - operator: split separatecontext: false - skipunavailable: true - task: - brand: "" - description: Retrieves a single user resource. - id: 75cd7da4-b58a-4bd0-a146-b3fc058836e1 - iscommand: true - name: IAM Get User - with a domain - playbooktaskmissingcomponent: - script: '|||iam-get-user' - type: regular - version: -1 - taskid: 75cd7da4-b58a-4bd0-a146-b3fc058836e1 - timertriggers: [] - type: regular + continueonerror: true + continueonerrortype: errorPath view: |- { "position": { @@ -1985,43 +1380,44 @@ tasks: "y": 750 } } - "63": - conditions: - - condition: - - - left: - iscontext: true - value: - simple: inputs.Domain - operator: isNotEmpty - right: - value: {} - label: "yes" - continueonerrortype: "" - id: "63" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: true + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "63": + id: "63" + taskid: e3d4077b-a586-494b-86b3-65e1f408c83a + type: condition + task: + id: e3d4077b-a586-494b-86b3-65e1f408c83a + version: -1 + name: Was a domain provided? + description: Was a domain provided? + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#default#': - "61" "yes": - "62" - note: false - quietmode: 0 separatecontext: false - skipunavailable: false - task: - brand: "" - description: Was a domain provided? - id: e3d4077b-a586-494b-86b3-65e1f408c83a - iscommand: false - name: Was a domain provided? - playbooktaskmissingcomponent: - type: condition - version: -1 - taskid: e3d4077b-a586-494b-86b3-65e1f408c83a - timertriggers: [] - type: condition + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: inputs.Domain + iscontext: true + right: + value: {} + continueonerrortype: "" view: |- { "position": { @@ -2029,30 +1425,31 @@ tasks: "y": 570 } } - "64": - continueonerrortype: "" - id: "64" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#none#': - - "65" note: false - quietmode: 0 - separatecontext: false + timertriggers: [] + ignoreworker: false skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "64": + id: "64" + taskid: 30472917-7825-4a09-89d8-b531bf61958c + type: title task: - brand: "" id: 30472917-7825-4a09-89d8-b531bf61958c - iscommand: false + version: -1 name: Cortex XDR - playbooktaskmissingcomponent: type: title - version: -1 - taskid: 30472917-7825-4a09-89d8-b531bf61958c - timertriggers: [] - type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "65" + separatecontext: false + continueonerrortype: "" view: |- { "position": { @@ -2060,38 +1457,39 @@ tasks: "y": 435 } } - "65": - continueonerrortype: "" - id: "65" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "65": + id: "65" + taskid: ed860996-40a3-4e32-8c7d-e4a961c6b7d5 + type: condition + task: + id: ed860996-40a3-4e32-8c7d-e4a961c6b7d5 + version: -1 + name: Is Cortex XDR - IR integration enabled? + description: Returns 'yes' if the integration brand is available. Otherwise + returns 'no' + scriptName: IsIntegrationAvailable + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#default#': - "3" "yes": - "66" - note: false - quietmode: 0 scriptarguments: brandname: simple: Cortex XDR - IR separatecontext: false - skipunavailable: false - task: - brand: "" - description: Returns 'yes' if the integration brand is available. Otherwise - returns 'no' - id: ed860996-40a3-4e32-8c7d-e4a961c6b7d5 - iscommand: false - name: Is Cortex XDR - IR integration enabled? - playbooktaskmissingcomponent: - script: IsIntegrationAvailable - type: condition - version: -1 - taskid: ed860996-40a3-4e32-8c7d-e4a961c6b7d5 - timertriggers: [] - type: condition + continueonerrortype: "" view: |- { "position": { @@ -2099,50 +1497,51 @@ tasks: "y": 565 } } - "66": - continueonerror: true - continueonerrortype: errorPath - id: "66" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "66": + id: "66" + taskid: 9c968061-8a6f-4cf1-8647-0e31ce54b4a7 + type: regular + task: + id: 9c968061-8a6f-4cf1-8647-0e31ce54b4a7 + version: -1 + name: Get account risk score + description: Retrieve the risk score of a specific user or list of users with + the highest risk score in the environment along with the reason affecting + each score. + script: '|||xdr-list-risky-users' + type: regular + iscommand: true + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#error#': - - "70" + - "71" '#none#': - "3" - note: false - quietmode: 0 scriptarguments: user_id: complex: root: UsernamesWithDomains transformers: - - args: + - operator: AppendIfNotEmpty + args: item: - iscontext: true value: simple: Usernames + iscontext: true raw: {} - operator: AppendIfNotEmpty - operator: uniq separatecontext: false - skipunavailable: true - task: - brand: "" - description: Retrieve the risk score of a specific user or list of users with - the highest risk score in the environment along with the reason affecting - each score. - id: 9c968061-8a6f-4cf1-8647-0e31ce54b4a7 - iscommand: true - name: Get account risk score - playbooktaskmissingcomponent: - script: '|||xdr-list-risky-users' - type: regular - version: -1 - taskid: 9c968061-8a6f-4cf1-8647-0e31ce54b4a7 - timertriggers: [] - type: regular + continueonerror: true + continueonerrortype: errorPath view: |- { "position": { @@ -2150,12 +1549,33 @@ tasks: "y": 760 } } - "67": - continueonerrortype: "" - id: "67" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: true + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "67": + id: "67" + taskid: 7212ec41-fb6c-4d2b-86c1-140108b79c04 + type: regular + task: + id: 7212ec41-fb6c-4d2b-86c1-140108b79c04 + version: -1 + name: Save account usernames + description: "Saves the usernames without domain prefixes under a new context + key.\n\nThis automation runs using the default Limited User role, unless you + explicitly change the permissions.\nFor more information, see the section + about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + scriptName: SetAndHandleEmpty + type: regular + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - "48" @@ -2167,43 +1587,23 @@ tasks: - "42" - "55" - "64" - note: false - quietmode: 0 scriptarguments: key: - simple: Usernames - value: - complex: - filters: - - - left: - iscontext: true - value: - simple: inputs.Username - operator: notContainsGeneral - right: - value: - simple: \ - root: inputs.Username - separatecontext: false - skipunavailable: false - task: - brand: "" - description: "Saves the usernames without domain prefixes under a new context - key.\n\nThis automation runs using the default Limited User role, unless you - explicitly change the permissions.\nFor more information, see the section - about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n - - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" - id: 7212ec41-fb6c-4d2b-86c1-140108b79c04 - iscommand: false - name: Save account usernames - playbooktaskmissingcomponent: - script: SetAndHandleEmpty - type: regular - version: -1 - taskid: 7212ec41-fb6c-4d2b-86c1-140108b79c04 - timertriggers: [] - type: regular + simple: Usernames + value: + complex: + root: inputs.Username + filters: + - - operator: notContainsGeneral + left: + value: + simple: inputs.Username + iscontext: true + right: + value: + simple: \ + separatecontext: false + continueonerrortype: "" view: |- { "position": { @@ -2211,53 +1611,54 @@ tasks: "y": 180 } } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "68": + id: "68" + taskid: 2524ddf8-40ab-4b7e-8019-8fdf102afc08 + type: condition + task: + id: 2524ddf8-40ab-4b7e-8019-8fdf102afc08 + version: -1 + name: Is there an account to enrich (with domain prefix)? + description: Checks if there is at least one username to enrich. + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "3" + "yes": + - "69" + separatecontext: false conditions: - - condition: - - - left: - iscontext: true + - label: "yes" + condition: + - - operator: isExists + left: value: complex: + root: inputs.Username filters: - - - left: - iscontext: true + - - operator: containsGeneral + left: value: simple: inputs.Username - operator: containsGeneral + iscontext: true right: value: simple: \ - root: inputs.Username - operator: isExists + iscontext: true right: value: {} - label: "yes" continueonerrortype: "" - id: "68" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#default#': - - "3" - "yes": - - "69" - note: false - quietmode: 0 - separatecontext: false - skipunavailable: false - task: - brand: "" - description: Checks if there is at least one username to enrich. - id: 2524ddf8-40ab-4b7e-8019-8fdf102afc08 - iscommand: false - name: Is there an account to enrich (with domain prefix)? - playbooktaskmissingcomponent: - type: condition - version: -1 - taskid: 2524ddf8-40ab-4b7e-8019-8fdf102afc08 - timertriggers: [] - type: condition view: |- { "position": { @@ -2265,52 +1666,53 @@ tasks: "y": -7 } } - "69": - continueonerrortype: "" - id: "69" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "69": + id: "69" + taskid: 59883712-8f94-4316-870e-21a76ae75517 + type: regular + task: + id: 59883712-8f94-4316-870e-21a76ae75517 + version: -1 + name: Save account usernames with domains + description: "Saves the usernames with domain prefixes under a new context key.\n + \nThis automation runs using the default Limited User role, unless you explicitly + change the permissions.\nFor more information, see the section about permissions + here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + scriptName: SetAndHandleEmpty + type: regular + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - "64" - note: false - quietmode: 0 scriptarguments: key: simple: UsernamesWithDomains value: complex: + root: inputs.Username filters: - - - left: - iscontext: true + - - operator: containsGeneral + left: value: simple: inputs.Username - operator: containsGeneral + iscontext: true right: value: simple: \ - root: inputs.Username separatecontext: false - skipunavailable: false - task: - brand: "" - description: "Saves the usernames with domain prefixes under a new context key.\n - \nThis automation runs using the default Limited User role, unless you explicitly - change the permissions.\nFor more information, see the section about permissions - here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n - - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" - id: 59883712-8f94-4316-870e-21a76ae75517 - iscommand: false - name: Save account usernames with domains - playbooktaskmissingcomponent: - script: SetAndHandleEmpty - type: regular - version: -1 - taskid: 59883712-8f94-4316-870e-21a76ae75517 - timertriggers: [] - type: regular + continueonerrortype: "" view: |- { "position": { @@ -2318,59 +1720,702 @@ tasks: "y": 190 } } - "70": - continueonerrortype: "" - id: "70" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false note: false - quietmode: 0 - separatecontext: true + timertriggers: [] + ignoreworker: false skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "71": + id: "71" + taskid: fcd39777-a6e7-42dd-8fed-7db25b482976 + type: playbook task: - brand: "" - id: 92271906-6bfb-4389-82c1-347902dd28e8 - iscommand: false - name: Foundation - Foundation - Error Handling_V3 - playbookId: Foundation - Foundation - Error Handling_V3 - playbooktaskmissingcomponent: - type: playbook + id: fcd39777-a6e7-42dd-8fed-7db25b482976 version: -1 - taskid: 92271906-6bfb-4389-82c1-347902dd28e8 - timertriggers: [] - type: playbook + name: Foundation - Error Handling_V3 + playbookName: Foundation - Error Handling_V3 + type: playbook + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + separatecontext: true + continueonerrortype: "" view: |- { "position": { - "x": -670, - "y": 1555 + "x": -630, + "y": 1552.5 } } -version: -1 + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false +system: true view: |- { "linkLabelsPosition": { "18_3_#default#": 0.1, "1_3_#default#": 0.1, "20_3_#default#": 0.1, + "31_71_#error#": 0.87, "33_3_#default#": 0.1, + "34_71_#error#": 0.9, "43_3_#default#": 0.1, "4_3_#default#": 0.1, "51_3_#default#": 0.1, + "52_71_#error#": 0.85, "56_3_#default#": 0.1, "58_3_#default#": 0.1, + "5_71_#error#": 0.86, "65_66_yes": 0.59, "68_3_#default#": 0.11, "68_69_yes": 0.11 }, "paper": { "dimensions": { - "height": 1825, + "height": 1827.5, "width": 4410, "x": -1700, "y": -200 } } } -fromversion: 5.0.0 +inputs: +- key: Username + value: + complex: + root: Account + accessor: Username + transformers: + - operator: uniq + required: false + description: |- + The usernames to enrich. This input supports multiple usernames. + Usernames can be with or without a domain prefix, in the format of "username" or "domain\username". + Domain usernames will only be enriched in integrations that support them. + playbookInputQuery: null +- key: Domain + value: {} + required: false + description: |- + Optional - This input is needed for the IAM-get-user command (used in the Account Enrichment - IAM playbook). Please provide the domain name that the user is related to. + Example: @xsoar.com + playbookInputQuery: null +inputSections: +- inputs: + - Username + - Domain + name: General (Inputs group) + description: Generic group for inputs +outputSections: +- outputs: + - Account + - ActiveDirectory.Users.sAMAccountName + - ActiveDirectory.Users.userAccountControl + - ActiveDirectory.Users.mail + - ActiveDirectory.Users.memberOf + - IAM + - IdentityIQ.Identity + - PingOne.Account + - ActiveDirectory.Users.manager + - IAM.Vendor.active + - IAM.Vendor.brand + - IAM.Vendor.details + - IAM.Vendor.email + - IAM.Vendor.errorCode + - IAM.Vendor.errorMessage + - IAM.Vendor.id + - IAM.Vendor.instanceName + - IAM.Vendor.success + - IAM.Vendor.username + - IdentityIQ.Identity.userName + - IdentityIQ.Identity.id + - IdentityIQ.Identity.active + - IdentityIQ.Identity.lastModified + - IdentityIQ.Identity.displayName + - IdentityIQ.Identity.emails + - IdentityIQ.Identity.entitlements + - IdentityIQ.Identity.roles + - IdentityIQ.Identity.capabilities + - IdentityIQ.Identity.name + - IdentityIQ.Identity.name.formatted + - IdentityIQ.Identity.name.familyName + - IdentityIQ.Identity.name.givenName + - IdentityIQ.Identity.manager + - IdentityIQ.Identity.manager.userName + - IdentityIQ.Identity.emails.type + - IdentityIQ.Identity.emails.value + - IdentityIQ.Identity.emails.primary + - PingOne.Account.ID + - PingOne.Account.Username + - PingOne.Account.DisplayName + - PingOne.Account.Email + - PingOne.Account.Enabled + - PingOne.Account.CreatedAt + - PingOne.Account.UpdatedAt + - Account.PasswordChanged + - Account.StatusChanged + - Account.Activated + - Account.Created + - Account.Status + - Account.Username + - Account.Email + - Account.ID + - ActiveDirectory.Users.dn + - ActiveDirectory.Users.displayName + - ActiveDirectory.Users.name + - ActiveDirectory.Users.userAccountControlFields + - ActiveDirectory.Users.userAccountControlFields.SCRIPT + - ActiveDirectory.Users.userAccountControlFields.ACCOUNTDISABLE + - ActiveDirectory.Users.userAccountControlFields.HOMEDIR_REQUIRED + - ActiveDirectory.Users.userAccountControlFields.LOCKOUT + - ActiveDirectory.Users.userAccountControlFields.PASSWD_NOTREQD + - ActiveDirectory.Users.userAccountControlFields.PASSWD_CANT_CHANGE + - ActiveDirectory.Users.userAccountControlFields.ENCRYPTED_TEXT_PWD_ALLOWED + - ActiveDirectory.Users.userAccountControlFields.TEMP_DUPLICATE_ACCOUNT + - ActiveDirectory.Users.userAccountControlFields.NORMAL_ACCOUNT + - ActiveDirectory.Users.userAccountControlFields.INTERDOMAIN_TRUST_ACCOUNT + - ActiveDirectory.Users.userAccountControlFields.WORKSTATION_TRUST_ACCOUNT + - Account.Manager + - Account.Groups + - Account.DisplayName + - ActiveDirectory.Users.userAccountControlFields.PARTIAL_SECRETS_ACCOUNT + - ActiveDirectory.Users.userAccountControlFields.TRUSTED_TO_AUTH_FOR_DELEGATION + - ActiveDirectory.Users.userAccountControlFields.DONT_REQ_PREAUTH + - ActiveDirectory.Users.userAccountControlFields.USE_DES_KEY_ONLY + - ActiveDirectory.Users.userAccountControlFields.NOT_DELEGATED + - ActiveDirectory.Users.userAccountControlFields.TRUSTED_FOR_DELEGATION + - ActiveDirectory.Users.userAccountControlFields.SMARTCARD_REQUIRED + - ActiveDirectory.Users.userAccountControlFields.MNS_LOGON_ACCOUNT + - ActiveDirectory.Users.userAccountControlFields.SERVER_TRUST_ACCOUNT + - IAM.Vendor + - IAM.Vendor.action + - IAM.UserProfile + - SailPointIdentityNow.Account + - SailPointIdentityNow.Account.id + - SailPointIdentityNow.Account.name + - SailPointIdentityNow.Account.identityId + - SailPointIdentityNow.Account.nativeIdentity + - SailPointIdentityNow.Account.sourceId + - SailPointIdentityNow.Account.created + - SailPointIdentityNow.Account.modified + - SailPointIdentityNow.Account.attributes + - SailPointIdentityNow.Account.authoritative + - SailPointIdentityNow.Account.disabled + - SailPointIdentityNow.Account.locked + - SailPointIdentityNow.Account.systemAccount + - SailPointIdentityNow.Account.uncorrelated + - SailPointIdentityNow.Account.manuallyCorrelated + - SailPointIdentityNow.Account.hasEntitlements + - UserManagerEmail + - UserManagerDisplayName + - MSGraphUser.ID + - MSGraphUser.DisplayName + - MSGraphUser.GivenName + - MSGraphUser.JobTitle + - MSGraphUser.Mail + - MSGraphUser.Surname + - MSGraphUser.UserPrincipalName + - MSGraphUserManager.Manager.ID + - MSGraphUserManager.Manager.DisplayName + - MSGraphUserManager.Manager.GivenName + - MSGraphUserManager.Manager.Mail + - MSGraphUserManager.Manager.Surname + - MSGraphUserManager.Manager.UserPrincipalName + - PaloAltoNetworksXDR.RiskyUser + - PaloAltoNetworksXDR.RiskyUser.type + - PaloAltoNetworksXDR.RiskyUser.id + - PaloAltoNetworksXDR.RiskyUser.score + - PaloAltoNetworksXDR.RiskyUser.reasons + - PaloAltoNetworksXDR.RiskyUser.reasons.date created + - PaloAltoNetworksXDR.RiskyUser.reasons.description + - PaloAltoNetworksXDR.RiskyUser.reasons.severity + - PaloAltoNetworksXDR.RiskyUser.reasons.status + - PaloAltoNetworksXDR.RiskyUser.reasons.points + - ActiveDirectory.Users.userAccountControlFields.DONT_EXPIRE_PASSWORD + - ActiveDirectory.Users.userAccountControlFields.PASSWORD_EXPIRED + - Account.ManagerEmail + - AWS.IAM.Users + - AWS.IAM.Users.UserName + - AWS.IAM.Users.UserId + - AWS.IAM.Users.Arn + - AWS.IAM.Users.CreateDate + - AWS.IAM.Users.Path + - AWS.IAM.Users.PasswordLastUsed + - MSGraphUser.MobilePhone + - MSGraphUser.OfficeLocation + - Account.JobTitle + - Account.TelephoneNumber + - Account.Office + - Account.Type + - Account.Email.Address + - MSGraphUserManager.Manager.BusinessPhones + - MSGraphUser.BusinessPhones + - MSGraphUserManager.Manager.JobTitle + - MSGraphUserManager.Manager.MobilePhone + - MSGraphUserManager.Manager.OfficeLocation + name: General (Outputs group) + description: Generic group for outputs +outputs: +- contextPath: Account + description: The account object. + type: string +- contextPath: ActiveDirectory.Users.sAMAccountName + description: The user's SAM account name. + type: string +- contextPath: ActiveDirectory.Users.userAccountControl + description: The user's account control flag. + type: string +- contextPath: ActiveDirectory.Users.mail + description: The user's email address. + type: string +- contextPath: ActiveDirectory.Users.memberOf + description: Groups the user is a member of. + type: string +- contextPath: IAM + description: Generic IAM output. + type: string +- contextPath: IdentityIQ.Identity + description: Identity asset from IdentityIQ. + type: string +- contextPath: PingOne.Account + description: Account in PingID. + type: string +- contextPath: ActiveDirectory.Users.manager + description: The manager of the user. + type: string +- contextPath: IAM.Vendor.active + description: When true, indicates that the employee's status is active in the 3rd-party + integration. + type: string +- contextPath: IAM.Vendor.brand + description: Name of the integration. + type: string +- contextPath: IAM.Vendor.details + description: Provides the raw data from the 3rd-party integration. + type: string +- contextPath: IAM.Vendor.email + description: The employee's email address. + type: string +- contextPath: IAM.Vendor.errorCode + description: HTTP error response code. + type: string +- contextPath: IAM.Vendor.errorMessage + description: Reason why the API failed. + type: string +- contextPath: IAM.Vendor.id + description: The employee's user ID in the app. + type: string +- contextPath: IAM.Vendor.instanceName + description: Name of the integration instance. + type: string +- contextPath: IAM.Vendor.success + description: When true, indicates that the command was executed successfully. + type: string +- contextPath: IAM.Vendor.username + description: The employee's username in the app. + type: string +- contextPath: IdentityIQ.Identity.userName + description: The IdentityIQ username (primary ID). + type: string +- contextPath: IdentityIQ.Identity.id + description: The IdentityIQ internal ID (UUID). + type: string +- contextPath: IdentityIQ.Identity.active + description: Indicates whether the ID is active or inactive in IdentityIQ. + type: string +- contextPath: IdentityIQ.Identity.lastModified + description: Timestamp of when the identity was last modified. + type: string +- contextPath: IdentityIQ.Identity.displayName + description: The display name of the identity. + type: string +- contextPath: IdentityIQ.Identity.emails + description: Array of email objects. + type: string +- contextPath: IdentityIQ.Identity.entitlements + description: Array of entitlement objects that the identity has. + type: string +- contextPath: IdentityIQ.Identity.roles + description: Array of role objects that the identity has. + type: string +- contextPath: IdentityIQ.Identity.capabilities + description: Array of string representations of the IdentityIQ capabilities assigned + to this identity. + type: string +- contextPath: IdentityIQ.Identity.name + description: Account name. + type: string +- contextPath: IdentityIQ.Identity.name.formatted + description: The display name of the identity. + type: string +- contextPath: IdentityIQ.Identity.name.familyName + description: The last name of the identity. + type: string +- contextPath: IdentityIQ.Identity.name.givenName + description: The first name of the identity. + type: string +- contextPath: IdentityIQ.Identity.manager + description: The account's manager returned from IdentityIQ. + type: string +- contextPath: IdentityIQ.Identity.manager.userName + description: The IdentityIQ username (primary ID) of the identity's manager. + type: string +- contextPath: IdentityIQ.Identity.emails.type + description: Type of the email being returned. + type: string +- contextPath: IdentityIQ.Identity.emails.value + description: The email address of the identity. + type: string +- contextPath: IdentityIQ.Identity.emails.primary + description: Indicates if this email address is the identity's primary email. + type: string +- contextPath: PingOne.Account.ID + description: PingOne account ID. + type: string +- contextPath: PingOne.Account.Username + description: PingOne account username. + type: string +- contextPath: PingOne.Account.DisplayName + description: PingOne account display name. + type: string +- contextPath: PingOne.Account.Email + description: PingOne account email. + type: string +- contextPath: PingOne.Account.Enabled + description: PingOne account enabled status. + type: string +- contextPath: PingOne.Account.CreatedAt + description: PingOne account create date. + type: string +- contextPath: PingOne.Account.UpdatedAt + description: PingOne account updated date. + type: string +- contextPath: Account.PasswordChanged + description: Timestamp for when the user's password was last changed. + type: string +- contextPath: Account.StatusChanged + description: Timestamp for when the user's status was last changed. + type: string +- contextPath: Account.Activated + description: Timestamp for when the user was activated. + type: string +- contextPath: Account.Created + description: Timestamp for when the user was created. + type: string +- contextPath: Account.Status + description: Okta account status. + type: string +- contextPath: Account.Username + description: The user SAM account name. + type: string +- contextPath: Account.Email + description: The user email address. + type: string +- contextPath: Account.ID + description: The user distinguished name. + type: string +- contextPath: ActiveDirectory.Users.dn + description: The user distinguished name. + type: string +- contextPath: ActiveDirectory.Users.displayName + description: The user display name. + type: string +- contextPath: ActiveDirectory.Users.name + description: The user common name. + type: string +- contextPath: ActiveDirectory.Users.userAccountControlFields + description: The user account control fields. + type: string +- contextPath: ActiveDirectory.Users.userAccountControlFields.SCRIPT + description: Whether the login script is run. Works for *Windows Server 2012 R2*. + type: string +- contextPath: ActiveDirectory.Users.userAccountControlFields.ACCOUNTDISABLE + description: Whether the user account is disabled. Works for *Windows Server 2012 + R2*. + type: string +- contextPath: ActiveDirectory.Users.userAccountControlFields.HOMEDIR_REQUIRED + description: Whether the home folder is required. Works for *Windows Server 2012 + R2*. + type: string +- contextPath: ActiveDirectory.Users.userAccountControlFields.LOCKOUT + description: Whether the user is locked out. Works for *Windows Server 2012 R2*. + type: string +- contextPath: ActiveDirectory.Users.userAccountControlFields.PASSWD_NOTREQD + description: Whether the password is required. Works for *Windows Server 2012 R2*. + type: string +- contextPath: ActiveDirectory.Users.userAccountControlFields.PASSWD_CANT_CHANGE + description: Whether the user can change the password. Works for *Windows Server + 2012 R2*. + type: string +- contextPath: ActiveDirectory.Users.userAccountControlFields.ENCRYPTED_TEXT_PWD_ALLOWED + description: Whether the user can send an encrypted password. Works for *Windows + Server 2012 R2*. + type: string +- contextPath: ActiveDirectory.Users.userAccountControlFields.TEMP_DUPLICATE_ACCOUNT + description: Whether this is an account for users whose primary account is in another + domain. Works for *Windows Server 2012 R2*. + type: string +- contextPath: ActiveDirectory.Users.userAccountControlFields.NORMAL_ACCOUNT + description: Whether this is a default account type that represents a typical user. + Works for *Windows Server 2012 R2*. + type: string +- contextPath: ActiveDirectory.Users.userAccountControlFields.INTERDOMAIN_TRUST_ACCOUNT + description: Whether the account is permitted to trust a system domain that trusts + other domains. Works for *Windows Server 2012 R2*. + type: string +- contextPath: ActiveDirectory.Users.userAccountControlFields.WORKSTATION_TRUST_ACCOUNT + description: Whether this is a computer account for a computer running Microsoft + Windows NT 4.0 Workstation, Microsoft Windows NT 4.0 Server, Microsoft Windows + 2000 Professional, or Windows 2000 Server and is a member of this domain. + type: string +- contextPath: Account.Manager + description: The user manager. + type: string +- contextPath: Account.Groups + description: Groups for which the user is a member. + type: string +- contextPath: Account.DisplayName + description: The user display name. + type: string +- contextPath: ActiveDirectory.Users.userAccountControlFields.PARTIAL_SECRETS_ACCOUNT + description: Whether the account is a read-only domain controller (RODC). + type: string +- contextPath: ActiveDirectory.Users.userAccountControlFields.TRUSTED_TO_AUTH_FOR_DELEGATION + description: Whether the account is enabled for delegation. + type: string +- contextPath: ActiveDirectory.Users.userAccountControlFields.DONT_REQ_PREAUTH + description: Whether this account require Kerberos pre-authentication for logging + on. + type: string +- contextPath: ActiveDirectory.Users.userAccountControlFields.USE_DES_KEY_ONLY + description: Whether to restrict this principal to use only Data Encryption Standard + (DES) encryption types for keys. + type: string +- contextPath: ActiveDirectory.Users.userAccountControlFields.NOT_DELEGATED + description: Whether the security context of the user isn't delegated to a service + even if the service account is set as trusted for Kerberos delegation. + type: string +- contextPath: ActiveDirectory.Users.userAccountControlFields.TRUSTED_FOR_DELEGATION + description: Whether the service account (the user or computer account) under which + a service runs is trusted for Kerberos delegation. + type: string +- contextPath: ActiveDirectory.Users.userAccountControlFields.SMARTCARD_REQUIRED + description: Whether to force the user to log in by using a smart card. + type: string +- contextPath: ActiveDirectory.Users.userAccountControlFields.MNS_LOGON_ACCOUNT + description: Whether this is an MNS login account. + type: string +- contextPath: ActiveDirectory.Users.userAccountControlFields.SERVER_TRUST_ACCOUNT + description: Whether this is a computer account for a domain controller that is + a member of this domain. Works for *Windows Server 2012 R2*. + type: string +- contextPath: IAM.Vendor + description: The returning results vendor. + type: string +- contextPath: IAM.Vendor.action + description: The command name. + type: string +- contextPath: IAM.UserProfile + description: The user profile. + type: string +- contextPath: SailPointIdentityNow.Account + description: The IdentityNow account object. + type: string +- contextPath: SailPointIdentityNow.Account.id + description: The IdentityNow internal ID (UUID). + type: string +- contextPath: SailPointIdentityNow.Account.name + description: Name of the identity on this account. + type: string +- contextPath: SailPointIdentityNow.Account.identityId + description: The IdentityNow internal identity ID. + type: string +- contextPath: SailPointIdentityNow.Account.nativeIdentity + description: The IdentityNow internal native identity ID. + type: string +- contextPath: SailPointIdentityNow.Account.sourceId + description: Source ID that maps this account. + type: string +- contextPath: SailPointIdentityNow.Account.created + description: Timestamp when the account was created. + type: string +- contextPath: SailPointIdentityNow.Account.modified + description: Timestamp when the account was last modified. + type: string +- contextPath: SailPointIdentityNow.Account.attributes + description: Map of variable number of attributes unique to this account. + type: string +- contextPath: SailPointIdentityNow.Account.authoritative + description: Indicates whether the account is the true source for this identity. + type: string +- contextPath: SailPointIdentityNow.Account.disabled + description: Indicates whether the account is disabled. + type: string +- contextPath: SailPointIdentityNow.Account.locked + description: Indicates whether the account is locked. + type: string +- contextPath: SailPointIdentityNow.Account.systemAccount + description: Indicates whether the account is a system account. + type: string +- contextPath: SailPointIdentityNow.Account.uncorrelated + description: Indicates whether the account is uncorrelated. + type: string +- contextPath: SailPointIdentityNow.Account.manuallyCorrelated + description: Indicates whether the account was manually correlated. + type: string +- contextPath: SailPointIdentityNow.Account.hasEntitlements + description: Indicates whether the account has entitlement. + type: string +- contextPath: UserManagerEmail + description: The email of the user's manager. + type: string +- contextPath: UserManagerDisplayName + description: The display name of the user's manager. + type: string +- contextPath: MSGraphUser.ID + description: User's ID. + type: string +- contextPath: MSGraphUser.DisplayName + description: User's display name. + type: string +- contextPath: MSGraphUser.GivenName + description: User's given name. + type: string +- contextPath: MSGraphUser.JobTitle + description: User's job title. + type: string +- contextPath: MSGraphUser.Mail + description: User's mail address. + type: string +- contextPath: MSGraphUser.Surname + description: User's surname. + type: string +- contextPath: MSGraphUser.UserPrincipalName + description: User's principal name. + type: string +- contextPath: MSGraphUserManager.Manager.ID + description: Manager's user ID. + type: string +- contextPath: MSGraphUserManager.Manager.DisplayName + description: User's display name. + type: string +- contextPath: MSGraphUserManager.Manager.GivenName + description: User's given name. + type: string +- contextPath: MSGraphUserManager.Manager.Mail + description: User's mail address. + type: string +- contextPath: MSGraphUserManager.Manager.Surname + description: User's surname. + type: string +- contextPath: MSGraphUserManager.Manager.UserPrincipalName + description: User's principal name. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyUser + description: The account object. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyUser.type + description: Form of identification element. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyUser.id + description: Identification value of the type field. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyUser.score + description: The score assigned to the user. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyUser.reasons + description: The account risk objects. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyUser.reasons.date created + description: Date when the incident was created. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyUser.reasons.description + description: Description of the incident. + type: string +- contextPath: PaloAltoNetworksXDR.RiskyUser.reasons.severity + description: The severity of the incident + type: string +- contextPath: PaloAltoNetworksXDR.RiskyUser.reasons.status + description: The incident status + type: string +- contextPath: PaloAltoNetworksXDR.RiskyUser.reasons.points + description: The score. + type: string +- contextPath: ActiveDirectory.Users.userAccountControlFields.DONT_EXPIRE_PASSWORD + description: Whether to never expire the password on the account. + type: string +- contextPath: ActiveDirectory.Users.userAccountControlFields.PASSWORD_EXPIRED + description: Whether the user password expired. + type: string +- contextPath: Account.ManagerEmail + description: The manager email. + type: string +- contextPath: AWS.IAM.Users + description: AWS IAM output. + type: string +- contextPath: AWS.IAM.Users.UserName + description: The friendly name identifying the user. + type: string +- contextPath: AWS.IAM.Users.UserId + description: The stable and unique string identifying the user. + type: string +- contextPath: AWS.IAM.Users.Arn + description: The Amazon Resource Name (ARN) that identifies the user. + type: string +- contextPath: AWS.IAM.Users.CreateDate + description: The date and time when the user was created. + type: string +- contextPath: AWS.IAM.Users.Path + description: The path to the user. + type: string +- contextPath: AWS.IAM.Users.PasswordLastUsed + description: The date and time, when the user's password was last used to sign + in to an AWS website. + type: string +- contextPath: MSGraphUser.MobilePhone + description: User's mobile phone number. + type: string +- contextPath: MSGraphUser.OfficeLocation + description: User's office location. + type: string +- contextPath: Account.JobTitle + description: User’s job title. + type: string +- contextPath: Account.TelephoneNumber + description: User’s mobile phone number. + type: string +- contextPath: Account.Office + description: User’s office location. + type: string +- contextPath: Account.Type + description: The account entity type. + type: string +- contextPath: Account.Email.Address + description: User’s mail address. + type: string +- contextPath: MSGraphUserManager.Manager.BusinessPhones + description: User's business phone numbers. + type: string +- contextPath: MSGraphUser.BusinessPhones + description: User's business phone numbers. + type: string +- contextPath: MSGraphUserManager.Manager.JobTitle + description: User's job title. + type: string +- contextPath: MSGraphUserManager.Manager.MobilePhone + description: User's mobile phone number. + type: string +- contextPath: MSGraphUserManager.Manager.OfficeLocation + description: User's office location. + type: string +sourceplaybookid: Account Enrichment - Generic v2.1 +dirtyInputs: true +adopted: true diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Containment_Plan_-_Clear_User_Sessions.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Containment_Plan_V3_-_Clear_User_Sessions_V3.yml similarity index 83% rename from Packs/soc-common-playbooks-unified/Playbooks/SOC_Containment_Plan_-_Clear_User_Sessions.yml rename to Packs/soc-common-playbooks-unified/Playbooks/SOC_Containment_Plan_V3_-_Clear_User_Sessions_V3.yml index 2a6609c..5692ae9 100644 --- a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Containment_Plan_-_Clear_User_Sessions.yml +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Containment_Plan_V3_-_Clear_User_Sessions_V3.yml @@ -1,89 +1,45 @@ -adopted: true +id: SOC Containment Plan_V3 - Clear User Sessions_V3 +version: 4 contentitemexportablefields: contentitemfields: + packID: soc-common-playbooks-unified + packName: SOC Common Playbooks Unified + itemVersion: 2.7.52 + fromServerVersion: 5.0.0 + toServerVersion: "" definitionid: "" - fromServerVersion: 6.6.0 - isoverridable: false - itemVersion: 2.7.15 - packID: "" - packName: Common Playbooks prevname: "" + isoverridable: false supportedModules: [] - toServerVersion: "" +vcShouldKeepItemLegacyProdMachine: false +name: SOC Containment Plan_V3 - Clear User Sessions_V3 description: |- ## Containment Plan - Clear User Sessions This playbook is a sub-playbook within the containment plan playbook. The playbook uses the 'Okta v2' and 'MSGraph User' integrations to clear user sessions. -dirtyInputs: true -id: 'SOC Containment Plan_V3 - Clear User Sessions_V3' -inputSections: -- description: Generic group for inputs. - inputs: - - ClearUserSessions - - Username - - IAMUserDomain - - ShadowMode - name: General (Inputs group) -inputs: -- description: Set to 'True' to clear the user active sessions. - key: ClearUserSessions - playbookInputQuery: - required: false - value: - simple: "True" -- description: The username to disable. - key: Username - playbookInputQuery: - required: false - value: {} -- description: The Okta IAM users domain. The domain will be appended to the username. - E.g., username@IAMUserDomain. - key: IAMUserDomain - playbookInputQuery: - required: false - value: {} -- description: "" - key: ShadowMode - playbookInputQuery: - required: false - value: - simple: "true" -name: SOC Containment Plan_V3 - Clear User Sessions_V3 -outputSections: -- description: Generic group for outputs - name: General (Outputs group) - outputs: [] -outputs: [] -sourceplaybookid: Containment Plan - Clear User Sessions -starttaskid: "0" tags: - SOC - SOC_Framework +starttaskid: "0" tasks: "0": - continueonerrortype: "" id: "0" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false + taskid: f2a578bb-7b26-4477-8391-2e40e77fb9d5 + type: start + task: + id: f2a578bb-7b26-4477-8391-2e40e77fb9d5 + version: -1 + name: "" + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - "17" - note: false - quietmode: 0 separatecontext: false - skipunavailable: false - task: - brand: "" - id: f2a578bb-7b26-4477-8391-2e40e77fb9d5 - iscommand: false - name: "" - playbooktaskmissingcomponent: - version: -1 - taskid: f2a578bb-7b26-4477-8391-2e40e77fb9d5 - timertriggers: [] - type: start + continueonerrortype: "" view: |- { "position": { @@ -91,43 +47,44 @@ tasks: "y": -150 } } - "1": - continueonerror: true - continueonerrortype: errorPath - id: "1" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "1": + id: "1" + taskid: 0dbcce9a-afe8-4533-a5c4-368906fd2625 + type: regular + task: + id: 0dbcce9a-afe8-4533-a5c4-368906fd2625 + version: -1 + name: Okta clear user sessions + description: |- + Removes all active identity provider sessions. This forces the user to authenticate on the next operation. Optionally revokes OpenID Connect and OAuth refresh and access tokens issued to the user. + For more information and examples: + https://developer.okta.com/docs/reference/api/users/#user-sessions + script: Okta v2|||okta-clear-user-sessions + type: regular + iscommand: true + brand: Okta v2 + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#error#': - - "28" + - "33" '#none#': - "9" - note: false - quietmode: 0 scriptarguments: userId: complex: - accessor: ID root: Account + accessor: ID separatecontext: false - skipunavailable: true - task: - brand: Okta v2 - description: |- - Removes all active identity provider sessions. This forces the user to authenticate on the next operation. Optionally revokes OpenID Connect and OAuth refresh and access tokens issued to the user. - For more information and examples: - https://developer.okta.com/docs/reference/api/users/#user-sessions - id: 0dbcce9a-afe8-4533-a5c4-368906fd2625 - iscommand: true - name: Okta clear user sessions - playbooktaskmissingcomponent: - script: Okta v2|||okta-clear-user-sessions - type: regular - version: -1 - taskid: 0dbcce9a-afe8-4533-a5c4-368906fd2625 - timertriggers: [] - type: regular + continueonerror: true + continueonerrortype: errorPath view: |- { "position": { @@ -135,27 +92,28 @@ tasks: "y": 985 } } - "2": - continueonerrortype: "" - id: "2" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true quietmode: 0 - separatecontext: false - skipunavailable: false + isoversize: false + isautoswitchedtoquietmode: false + "2": + id: "2" + taskid: 581b7da6-4c88-41a6-8175-a2116add396c + type: title task: - brand: "" id: 581b7da6-4c88-41a6-8175-a2116add396c - iscommand: false + version: -1 name: Done - playbooktaskmissingcomponent: type: title - version: -1 - taskid: 581b7da6-4c88-41a6-8175-a2116add396c - timertriggers: [] - type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + separatecontext: false + continueonerrortype: "" view: |- { "position": { @@ -163,39 +121,40 @@ tasks: "y": 1320 } } - "7": - continueonerror: true - continueonerrortype: errorPath - id: "7" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "7": + id: "7" + taskid: d70a5b0e-0686-4ad0-80c1-af9817310138 + type: regular + task: + id: d70a5b0e-0686-4ad0-80c1-af9817310138 + version: -1 + name: Get Okta user ID + description: Fetches information for a single user. You must enter one or more + parameters for the command to run. + script: '|||okta-get-user' + type: regular + iscommand: true + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#error#': - - "28" + - "33" '#none#': - "25" - note: false - quietmode: 0 scriptarguments: username: simple: ${OktaUsersSessionToClear} separatecontext: false - skipunavailable: true - task: - brand: "" - description: Fetches information for a single user. You must enter one or more - parameters for the command to run. - id: d70a5b0e-0686-4ad0-80c1-af9817310138 - iscommand: true - name: Get Okta user ID - playbooktaskmissingcomponent: - script: '|||okta-get-user' - type: regular - version: -1 - taskid: d70a5b0e-0686-4ad0-80c1-af9817310138 - timertriggers: [] - type: regular + continueonerror: true + continueonerrortype: errorPath view: |- { "position": { @@ -203,39 +162,40 @@ tasks: "y": 590 } } - "9": - continueonerrortype: "" - id: "9" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: true + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "9": + id: "9" + taskid: bda090c7-6749-46e5-8453-31f56d8b778c + type: regular + task: + id: bda090c7-6749-46e5-8453-31f56d8b778c + version: -1 + name: Set the username to the Alert context + description: commands.local.cmd.set.parent.alert.context + script: Builtin|||setParentIncidentContext + type: regular + iscommand: true + brand: Builtin + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - "2" - note: false - quietmode: 0 scriptarguments: key: simple: UsersSessionCleared value: complex: - accessor: Username root: Account + accessor: Username separatecontext: false - skipunavailable: true - task: - brand: Builtin - description: commands.local.cmd.set.parent.alert.context - id: bda090c7-6749-46e5-8453-31f56d8b778c - iscommand: true - name: Set the username to the Alert context - playbooktaskmissingcomponent: - script: Builtin|||setParentIncidentContext - type: regular - version: -1 - taskid: bda090c7-6749-46e5-8453-31f56d8b778c - timertriggers: [] - type: regular + continueonerrortype: "" view: |- { "position": { @@ -243,62 +203,63 @@ tasks: "y": 1145 } } - "11": - continueonerror: true - continueonerrortype: errorPath - id: "11" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: true + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "11": + id: "11" + taskid: 70665d82-a946-4a6c-9201-e8a8c7cfe79a + type: regular + task: + id: 70665d82-a946-4a6c-9201-e8a8c7cfe79a + version: -1 + name: Set users to clear the session with Okta + description: Set a value in context under the key you entered. + scriptName: Set + type: regular + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#error#': - - "28" + - "33" '#none#': - "7" - note: false - quietmode: 0 scriptarguments: key: simple: OktaUsersSessionToClear value: complex: + root: inputs.Username filters: - - - ignorecase: true + - - operator: notContainsGeneral left: - iscontext: true value: simple: inputs.Username - operator: notContainsGeneral + iscontext: true right: value: simple: administrator - - - ignorecase: true + ignorecase: true + - - operator: notContainsGeneral left: - iscontext: true value: simple: inputs.Username - operator: notContainsGeneral + iscontext: true right: value: simple: system - root: inputs.Username + ignorecase: true transformers: - operator: uniq separatecontext: false - skipunavailable: false - task: - brand: "" - description: Set a value in context under the key you entered. - id: 70665d82-a946-4a6c-9201-e8a8c7cfe79a - iscommand: false - name: Set users to clear the session with Okta - playbooktaskmissingcomponent: - script: Set - type: regular - version: -1 - taskid: 70665d82-a946-4a6c-9201-e8a8c7cfe79a - timertriggers: [] - type: regular + continueonerror: true + continueonerrortype: errorPath view: |- { "position": { @@ -306,38 +267,39 @@ tasks: "y": 410 } } - "15": - continueonerrortype: "" - id: "15" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "15": + id: "15" + taskid: 4025c083-2630-4171-889e-5f05b1fc51eb + type: condition + task: + id: 4025c083-2630-4171-889e-5f05b1fc51eb + version: -1 + name: Is Okta enabled? + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no'. + scriptName: IsIntegrationAvailable + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#default#': - "2" "yes": - "11" - note: false - quietmode: 0 scriptarguments: brandname: simple: Okta v2 separatecontext: false - skipunavailable: false - task: - brand: "" - description: Returns 'yes' if integration brand is available. Otherwise returns - 'no'. - id: 4025c083-2630-4171-889e-5f05b1fc51eb - iscommand: false - name: Is Okta enabled? - playbooktaskmissingcomponent: - script: IsIntegrationAvailable - type: condition - version: -1 - taskid: 4025c083-2630-4171-889e-5f05b1fc51eb - timertriggers: [] - type: condition + continueonerrortype: "" view: |- { "position": { @@ -345,53 +307,54 @@ tasks: "y": 210 } } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "17": + id: "17" + taskid: f1d3409f-55f4-4804-8a48-354971cae04e + type: condition + task: + id: f1d3409f-55f4-4804-8a48-354971cae04e + version: -1 + name: Should clear the user sessions? + description: Whether to clear the user sessions based on the input values. + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "2" + "yes": + - "15" + - "18" + separatecontext: false conditions: - - condition: - - - ignorecase: true + - label: "yes" + condition: + - - operator: isEqualString left: - iscontext: true value: complex: root: inputs.ClearUserSessions - operator: isEqualString + iscontext: true right: value: simple: "True" - - - left: - iscontext: true + ignorecase: true + - - operator: isNotEmpty + left: value: complex: root: inputs.Username - operator: isNotEmpty - label: "yes" + iscontext: true continueonerrortype: "" - id: "17" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#default#': - - "2" - "yes": - - "15" - - "18" - note: false - quietmode: 0 - separatecontext: false - skipunavailable: false - task: - brand: "" - description: Whether to clear the user sessions based on the input values. - id: f1d3409f-55f4-4804-8a48-354971cae04e - iscommand: false - name: Should clear the user sessions? - playbooktaskmissingcomponent: - type: condition - version: -1 - taskid: f1d3409f-55f4-4804-8a48-354971cae04e - timertriggers: [] - type: condition view: |- { "position": { @@ -399,38 +362,39 @@ tasks: "y": 0 } } - "18": - continueonerrortype: "" - id: "18" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "18": + id: "18" + taskid: 64c30075-eba8-4222-8251-cf075b841898 + type: condition + task: + id: 64c30075-eba8-4222-8251-cf075b841898 + version: -1 + name: Is MsGraphUser enabled? + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no'. + scriptName: IsIntegrationAvailable + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#default#': - "2" "yes": - "27" - note: false - quietmode: 0 scriptarguments: brandname: simple: Microsoft Graph User separatecontext: false - skipunavailable: false - task: - brand: "" - description: Returns 'yes' if integration brand is available. Otherwise returns - 'no'. - id: 64c30075-eba8-4222-8251-cf075b841898 - iscommand: false - name: Is MsGraphUser enabled? - playbooktaskmissingcomponent: - script: IsIntegrationAvailable - type: condition - version: -1 - taskid: 64c30075-eba8-4222-8251-cf075b841898 - timertriggers: [] - type: condition + continueonerrortype: "" view: |- { "position": { @@ -438,40 +402,41 @@ tasks: "y": 210 } } - "20": - continueonerror: true - continueonerrortype: errorPath - id: "20" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "20": + id: "20" + taskid: 95e4dd34-41f7-4300-a2d9-d021c6779085 + type: regular + task: + id: 95e4dd34-41f7-4300-a2d9-d021c6779085 + version: -1 + name: Get MsGraph user ID + description: |- + Retrieves the properties and relationships of a user object. For more information, visit: https://docs.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0). + Permissions: - User.Read (Delegated) - User.Read.All (Application). + script: Microsoft Graph User|||msgraph-user-get + type: regular + iscommand: true + brand: Microsoft Graph User + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#error#': - - "28" + - "33" '#none#': - "23" - note: false - quietmode: 0 scriptarguments: user: simple: ${MsGraphUsersSessionToClear} separatecontext: false - skipunavailable: true - task: - brand: Microsoft Graph User - description: |- - Retrieves the properties and relationships of a user object. For more information, visit: https://docs.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0). - Permissions: - User.Read (Delegated) - User.Read.All (Application). - id: 95e4dd34-41f7-4300-a2d9-d021c6779085 - iscommand: true - name: Get MsGraph user ID - playbooktaskmissingcomponent: - script: Microsoft Graph User|||msgraph-user-get - type: regular - version: -1 - taskid: 95e4dd34-41f7-4300-a2d9-d021c6779085 - timertriggers: [] - type: regular + continueonerror: true + continueonerrortype: errorPath view: |- { "position": { @@ -479,40 +444,41 @@ tasks: "y": 590 } } - "21": - continueonerror: true - continueonerrortype: errorPath - id: "21" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: true + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "21": + id: "21" + taskid: e6092911-c270-4133-8a71-a0fe04050fbd + type: regular + task: + id: e6092911-c270-4133-8a71-a0fe04050fbd + version: -1 + name: MSGraph clear user sessions + description: |- + Revoke a user session - Invalidates all the refresh tokens issued to applications for a user. + Permission: Directory.AccessAsUser.All(Delegated). + script: Microsoft Graph User|||msgraph-user-session-revoke + type: regular + iscommand: true + brand: Microsoft Graph User + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#error#': - - "28" + - "33" '#none#': - "22" - note: false - quietmode: 0 scriptarguments: user: simple: ${MSGraphUser.ID} separatecontext: false - skipunavailable: true - task: - brand: Microsoft Graph User - description: |- - Revoke a user session - Invalidates all the refresh tokens issued to applications for a user. - Permission: Directory.AccessAsUser.All(Delegated). - id: e6092911-c270-4133-8a71-a0fe04050fbd - iscommand: true - name: MSGraph clear user sessions - playbooktaskmissingcomponent: - script: Microsoft Graph User|||msgraph-user-session-revoke - type: regular - version: -1 - taskid: e6092911-c270-4133-8a71-a0fe04050fbd - timertriggers: [] - type: regular + continueonerror: true + continueonerrortype: errorPath view: |- { "position": { @@ -520,37 +486,38 @@ tasks: "y": 985 } } - "22": - continueonerrortype: "" - id: "22" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: true + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "22": + id: "22" + taskid: aaafcc54-e334-42a5-8a5c-f4dea1d0c158 + type: regular + task: + id: aaafcc54-e334-42a5-8a5c-f4dea1d0c158 + version: -1 + name: Set the username to the Alert context + description: commands.local.cmd.set.parent.alert.context + script: Builtin|||setParentIncidentContext + type: regular + iscommand: true + brand: Builtin + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - "2" - note: false - quietmode: 0 scriptarguments: key: simple: UsersSessionCleared value: simple: ${MSGraphUser.UserPrincipalName} separatecontext: false - skipunavailable: true - task: - brand: Builtin - description: commands.local.cmd.set.parent.alert.context - id: aaafcc54-e334-42a5-8a5c-f4dea1d0c158 - iscommand: true - name: Set the username to the Alert context - playbooktaskmissingcomponent: - script: Builtin|||setParentIncidentContext - type: regular - version: -1 - taskid: aaafcc54-e334-42a5-8a5c-f4dea1d0c158 - timertriggers: [] - type: regular + continueonerrortype: "" view: |- { "position": { @@ -558,43 +525,44 @@ tasks: "y": 1145 } } - "23": - conditions: - - condition: - - - left: - iscontext: true - value: - simple: MSGraphUser.ID - operator: isExists - right: - value: {} - label: "yes" - continueonerrortype: "" - id: "23" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: true + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "23": + id: "23" + taskid: 4655db74-8104-4510-88b0-d9a081911b34 + type: condition + task: + id: 4655db74-8104-4510-88b0-d9a081911b34 + version: -1 + name: Does the username exist? + description: Verify that the user exists. + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#default#': - "2" "yes": - "30" - note: false - quietmode: 0 separatecontext: false - skipunavailable: false - task: - brand: "" - description: Verify that the user exists. - id: 4655db74-8104-4510-88b0-d9a081911b34 - iscommand: false - name: Does the username exist? - playbooktaskmissingcomponent: - type: condition - version: -1 - taskid: 4655db74-8104-4510-88b0-d9a081911b34 - timertriggers: [] - type: condition + conditions: + - label: "yes" + condition: + - - operator: isExists + left: + value: + simple: MSGraphUser.ID + iscontext: true + right: + value: {} + continueonerrortype: "" view: |- { "position": { @@ -602,55 +570,56 @@ tasks: "y": 785 } } - "25": - conditions: - - condition: - - - left: - iscontext: true - value: - complex: - accessor: ID - filters: - - - ignorecase: true - left: - iscontext: true - value: - simple: Account.Type - operator: isEqualString - right: - value: - simple: Okta - root: Account - operator: isExists - right: - value: {} - label: "yes" - continueonerrortype: "" - id: "25" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "25": + id: "25" + taskid: c1ba5bf5-e37f-41ee-8392-7709acc40e8f + type: condition + task: + id: c1ba5bf5-e37f-41ee-8392-7709acc40e8f + version: -1 + name: Does the username exist? + description: Verify that the user exists. + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#default#': - "2" "yes": - "31" - note: false - quietmode: 0 separatecontext: false - skipunavailable: false - task: - brand: "" - description: Verify that the user exists. - id: c1ba5bf5-e37f-41ee-8392-7709acc40e8f - iscommand: false - name: Does the username exist? - playbooktaskmissingcomponent: - type: condition - version: -1 - taskid: c1ba5bf5-e37f-41ee-8392-7709acc40e8f - timertriggers: [] - type: condition + conditions: + - label: "yes" + condition: + - - operator: isExists + left: + value: + complex: + root: Account + filters: + - - operator: isEqualString + left: + value: + simple: Account.Type + iscontext: true + right: + value: + simple: Okta + ignorecase: true + accessor: ID + iscontext: true + right: + value: {} + continueonerrortype: "" view: |- { "position": { @@ -658,62 +627,63 @@ tasks: "y": 785 } } - "27": - continueonerror: true - continueonerrortype: errorPath - id: "27" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "27": + id: "27" + taskid: 4e220d72-c0cf-4e44-b371-b41bea0fd859 + type: regular + task: + id: 4e220d72-c0cf-4e44-b371-b41bea0fd859 + version: -1 + name: Set users to clear the session with MsGraph + description: Set a value in context under the key you entered. + scriptName: Set + type: regular + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#error#': - - "28" + - "33" '#none#': - "20" - note: false - quietmode: 0 scriptarguments: key: simple: MsGraphUsersSessionToClear value: complex: + root: inputs.Username filters: - - - ignorecase: true + - - operator: notContainsGeneral left: - iscontext: true value: simple: inputs.Username - operator: notContainsGeneral + iscontext: true right: value: simple: administrator - - - ignorecase: true + ignorecase: true + - - operator: notContainsGeneral left: - iscontext: true value: simple: inputs.Username - operator: notContainsGeneral + iscontext: true right: value: simple: system - root: inputs.Username + ignorecase: true transformers: - operator: uniq separatecontext: false - skipunavailable: false - task: - brand: "" - description: Set a value in context under the key you entered. - id: 4e220d72-c0cf-4e44-b371-b41bea0fd859 - iscommand: false - name: Set users to clear the session with MsGraph - playbooktaskmissingcomponent: - script: Set - type: regular - version: -1 - taskid: 4e220d72-c0cf-4e44-b371-b41bea0fd859 - timertriggers: [] - type: regular + continueonerror: true + continueonerrortype: errorPath view: |- { "position": { @@ -721,66 +691,38 @@ tasks: "y": 410 } } - "28": - continueonerrortype: "" - id: "28" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false note: false - quietmode: 0 - separatecontext: true - skipunavailable: false - task: - brand: "" - id: 691bab1a-c00d-4a75-8735-043a9eec517b - iscommand: false - name: Foundation - Foundation - Error Handling_V3 - playbookId: Foundation - Foundation - Error Handling_V3 - playbooktaskmissingcomponent: - type: playbook - version: -1 - taskid: 691bab1a-c00d-4a75-8735-043a9eec517b timertriggers: [] - type: playbook - view: |- - { - "position": { - "x": 1450, - "y": 1315 - } - } - "29": - continueonerrortype: "" - id: "29" ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "29": + id: "29" + taskid: d8d0bae3-cff1-4511-a902-f81f6f34d5a4 + type: regular + task: + id: d8d0bae3-cff1-4511-a902-f81f6f34d5a4 + version: -1 + name: 'Shadow: MSGraph clear user sessions' + description: Prints text to war room (Markdown supported) + scriptName: Print + type: regular + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - "22" - note: false - quietmode: 0 scriptarguments: value: simple: |- Shadow: MSGraph clear user sessions Command: msgraph-user-session-revoke ${inputs.Username} separatecontext: false - skipunavailable: false - task: - brand: "" - description: Prints text to war room (Markdown supported) - id: d8d0bae3-cff1-4511-a902-f81f6f34d5a4 - iscommand: false - name: 'Shadow: MSGraph clear user sessions' - playbooktaskmissingcomponent: - script: Print - type: regular - version: -1 - taskid: d8d0bae3-cff1-4511-a902-f81f6f34d5a4 - timertriggers: [] - type: regular + continueonerrortype: "" view: |- { "position": { @@ -788,36 +730,37 @@ tasks: "y": 985 } } - "30": - continueonerrortype: "" - id: "30" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "30": + id: "30" + taskid: 3995dd09-419e-49df-88ed-a907aac1755e + type: condition + task: + id: 3995dd09-419e-49df-88ed-a907aac1755e + version: -1 + name: Run Mode? + scriptName: ShadowModeRouter_V3 + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: Full Run: - "21" Shadow Mode: - "29" - note: false - quietmode: 0 scriptarguments: ShadowMode: simple: ${inputs.ShadowMode} separatecontext: false - skipunavailable: false - task: - brand: "" - id: 0e13479a-07fc-4209-abb1-1ea6dfab3177 - iscommand: false - name: Run Mode? - playbooktaskmissingcomponent: - script: 'ShadowModeRouter_V3' - type: condition - version: -1 - taskid: 0e13479a-07fc-4209-abb1-1ea6dfab3177 - timertriggers: [] - type: condition + continueonerrortype: "" view: |- { "position": { @@ -825,36 +768,37 @@ tasks: "y": 830 } } - "31": - continueonerrortype: "" - id: "31" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "31": + id: "31" + taskid: a14222a1-2f3d-45db-80e7-864cde88d15c + type: condition + task: + id: a14222a1-2f3d-45db-80e7-864cde88d15c + version: -1 + name: Run Mode? + scriptName: ShadowModeRouter_V3 + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: Full Run: - "1" Shadow Mode: - "32" - note: false - quietmode: 0 scriptarguments: ShadowMode: simple: ${inputs.ShadowMode} separatecontext: false - skipunavailable: false - task: - brand: "" - id: a14222a1-2f3d-45db-80e7-864cde88d15c - iscommand: false - name: Run Mode? - playbooktaskmissingcomponent: - script: 'ShadowModeRouter_V3' - type: condition - version: -1 - taskid: a14222a1-2f3d-45db-80e7-864cde88d15c - timertriggers: [] - type: condition + continueonerrortype: "" view: |- { "position": { @@ -862,45 +806,83 @@ tasks: "y": 870 } } - "32": - continueonerrortype: "" - id: "32" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "32": + id: "32" + taskid: f978e210-7ba2-467c-b20d-d4705a2703ba + type: regular + task: + id: f978e210-7ba2-467c-b20d-d4705a2703ba + version: -1 + name: 'Shadow: Okta clear user sessions' + description: Prints text to war room (Markdown supported) + scriptName: Print + type: regular + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - "9" - note: false - quietmode: 0 scriptarguments: value: simple: |- Shadow: Okta clear user sessions Command: okta-clear-user-sessions ${inputs.Username} separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 40, + "y": 1030 + } + } + note: false + timertriggers: [] + ignoreworker: false skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "33": + id: "33" + taskid: a04e5786-6e0f-40f1-85c5-10523271f210 + type: playbook task: - brand: "" - description: Prints text to war room (Markdown supported) - id: f978e210-7ba2-467c-b20d-d4705a2703ba - iscommand: false - name: 'Shadow: Okta clear user sessions' - playbooktaskmissingcomponent: - script: Print - type: regular + id: a04e5786-6e0f-40f1-85c5-10523271f210 version: -1 - taskid: f978e210-7ba2-467c-b20d-d4705a2703ba - timertriggers: [] - type: regular + name: Foundation - Error Handling_V3 + playbookName: Foundation - Error Handling_V3 + type: playbook + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + separatecontext: true + continueonerrortype: "" view: |- { "position": { - "x": 40, - "y": 1030 + "x": 1390, + "y": 1260 } } -version: -1 + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false +system: true view: |- { "linkLabelsPosition": { @@ -914,11 +896,50 @@ view: |- }, "paper": { "dimensions": { - "height": 1535, + "height": 1530, "width": 2060, "x": 40, "y": -150 } } } -fromversion: 5.0.0 +inputs: +- key: ClearUserSessions + value: + simple: "True" + required: false + description: Set to 'True' to clear the user active sessions. + playbookInputQuery: null +- key: Username + value: {} + required: false + description: The username to disable. + playbookInputQuery: null +- key: IAMUserDomain + value: {} + required: false + description: The Okta IAM users domain. The domain will be appended to the username. + E.g., username@IAMUserDomain. + playbookInputQuery: null +- key: ShadowMode + value: + simple: "true" + required: false + description: "" + playbookInputQuery: null +inputSections: +- inputs: + - ClearUserSessions + - Username + - IAMUserDomain + - ShadowMode + name: General (Inputs group) + description: Generic group for inputs. +outputSections: +- outputs: [] + name: General (Outputs group) + description: Generic group for outputs +outputs: [] +sourceplaybookid: Containment Plan - Clear User Sessions +dirtyInputs: true +adopted: true diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Containment_Plan_-_Isolate_Device.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Containment_Plan_V3_-_Isolate_Device_V3.yml similarity index 82% rename from Packs/soc-common-playbooks-unified/Playbooks/SOC_Containment_Plan_-_Isolate_Device.yml rename to Packs/soc-common-playbooks-unified/Playbooks/SOC_Containment_Plan_V3_-_Isolate_Device_V3.yml index 094bfae..cb3843e 100644 --- a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Containment_Plan_-_Isolate_Device.yml +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Containment_Plan_V3_-_Isolate_Device_V3.yml @@ -1,91 +1,45 @@ -adopted: true +id: SOC Containment Plan_V3 - Isolate Device_V3 +version: 3 contentitemexportablefields: contentitemfields: + packID: soc-common-playbooks-unified + packName: SOC Common Playbooks Unified + itemVersion: 2.7.52 + fromServerVersion: 5.0.0 + toServerVersion: "" definitionid: "" - fromServerVersion: 6.6.0 - isoverridable: false - itemVersion: 2.7.15 - packID: "" - packName: Common Playbooks prevname: "" + isoverridable: false supportedModules: [] - toServerVersion: "" +vcShouldKeepItemLegacyProdMachine: false +name: SOC Containment Plan_V3 - Isolate Device_V3 description: |- ## Containment Plan - Isolate Device This playbook is a sub-playbook within the containment plan playbook. The playbook isolates devices using core commands. -dirtyInputs: true -id: 'SOC Containment Plan_V3 - Isolate Device_V3' -inputSections: -- description: Generic group for inputs - inputs: - - HostContainment - - EndpointID - - EndpointHostName - - ShadowMode - name: General (Inputs group) -inputs: -- description: Whether to execute endpoint isolation. - key: HostContainment - playbookInputQuery: - required: false - value: - simple: "True" -- description: The endpoint ID to run commands over. - key: EndpointID - playbookInputQuery: - required: false - value: {} -- description: The endpoint hostname. - key: EndpointHostName - playbookInputQuery: - required: false - value: {} -- description: "" - key: ShadowMode - playbookInputQuery: - required: false - value: - simple: "true" -name: SOC Containment Plan_V3 - Isolate Device_V3 -outputSections: -- description: Generic group for outputs - name: General (Outputs group) - outputs: - - Core.Isolation.endpoint_id -outputs: -- contextPath: Core.Isolation.endpoint_id - description: The isolated endpoint ID. -sourceplaybookid: Containment Plan - Isolate Device -starttaskid: "0" tags: - SOC - SOC_Framework +starttaskid: "0" tasks: "0": - continueonerrortype: "" id: "0" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false + taskid: 972c3692-925c-4f6f-8d88-9f4c2598429d + type: start + task: + id: 972c3692-925c-4f6f-8d88-9f4c2598429d + version: -1 + name: "" + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - "23" - note: false - quietmode: 0 separatecontext: false - skipunavailable: false - task: - brand: "" - id: 972c3692-925c-4f6f-8d88-9f4c2598429d - iscommand: false - name: "" - playbooktaskmissingcomponent: - version: -1 - taskid: 972c3692-925c-4f6f-8d88-9f4c2598429d - timertriggers: [] - type: start + continueonerrortype: "" view: |- { "position": { @@ -93,39 +47,40 @@ tasks: "y": -782 } } - "2": - continueonerror: true - continueonerrortype: errorPath - id: "2" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "2": + id: "2" + taskid: c4eeae37-ad05-4376-a36e-961bddd29c14 + type: regular + task: + id: c4eeae37-ad05-4376-a36e-961bddd29c14 + version: -1 + name: Auto endpoint isolation + description: Isolates the specified endpoint. + script: '|||core-isolate-endpoint' + type: regular + iscommand: true + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#error#': - - "26" + - "29" '#none#': - "8" - note: false - quietmode: 0 scriptarguments: endpoint_id: complex: root: EndpointsIDToIsolate separatecontext: false - skipunavailable: false - task: - brand: "" - description: Isolates the specified endpoint. - id: c4eeae37-ad05-4376-a36e-961bddd29c14 - iscommand: true - name: Auto endpoint isolation - playbooktaskmissingcomponent: - script: '|||core-isolate-endpoint' - type: regular - version: -1 - taskid: c4eeae37-ad05-4376-a36e-961bddd29c14 - timertriggers: [] - type: regular + continueonerror: true + continueonerrortype: errorPath view: |- { "position": { @@ -133,41 +88,42 @@ tasks: "y": 140 } } - "8": - continueonerrortype: "" - id: "8" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "8": + id: "8" + taskid: f1fa1236-07c7-4291-8230-fa48fb2e2d4a + type: regular + task: + id: f1fa1236-07c7-4291-8230-fa48fb2e2d4a + version: -1 + name: Set Isolated endpoint ID to the Alert context + description: commands.local.cmd.set.parent.alert.context + script: Builtin|||setParentIncidentContext + type: regular + iscommand: true + brand: Builtin + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - "10" - note: false - quietmode: 0 scriptarguments: key: simple: IsolatedEndpointsID value: complex: - accessor: endpoint_id root: Core.Isolation + accessor: endpoint_id transformers: - operator: uniq separatecontext: false - skipunavailable: true - task: - brand: Builtin - description: commands.local.cmd.set.parent.alert.context - id: f1fa1236-07c7-4291-8230-fa48fb2e2d4a - iscommand: true - name: Set Isolated endpoint ID to the Alert context - playbooktaskmissingcomponent: - script: Builtin|||setParentIncidentContext - type: regular - version: -1 - taskid: f1fa1236-07c7-4291-8230-fa48fb2e2d4a - timertriggers: [] - type: regular + continueonerrortype: "" view: |- { "position": { @@ -175,27 +131,28 @@ tasks: "y": 265 } } - "10": - continueonerrortype: "" - id: "10" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true quietmode: 0 - separatecontext: false - skipunavailable: false + isoversize: false + isautoswitchedtoquietmode: false + "10": + id: "10" + taskid: 6c786033-9c64-4365-83af-dec8a718764c + type: title task: - brand: "" id: 6c786033-9c64-4365-83af-dec8a718764c - iscommand: false + version: -1 name: Done - playbooktaskmissingcomponent: type: title - version: -1 - taskid: 6c786033-9c64-4365-83af-dec8a718764c - timertriggers: [] - type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + separatecontext: false + continueonerrortype: "" view: |- { "position": { @@ -203,47 +160,48 @@ tasks: "y": 444 } } - "13": - continueonerrortype: "" - id: "13" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "13": + id: "13" + taskid: a0690559-7fbb-4a1e-8eb1-051f88912afd + type: regular + task: + id: a0690559-7fbb-4a1e-8eb1-051f88912afd + version: -1 + name: Get endpoint info by endpoint ID + description: Gets a list of endpoints, according to the passed filters. If there + are no filters, all endpoints are returned. Filtering by multiple fields is + concatenated using the AND condition (OR is not supported). Maximum result + set size is 100. Offset is the zero-based number of endpoints from the start + of the result set (start by counting from 0). + script: '|||core-get-endpoints' + type: regular + iscommand: true + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - "17" - note: false - quietmode: 0 scriptarguments: endpoint_id_list: complex: root: inputs.EndpointID transformers: - - args: + - operator: SetIfEmpty + args: applyIfEmpty: {} defaultValue: value: simple: "null" - operator: SetIfEmpty separatecontext: false - skipunavailable: false - task: - brand: "" - description: Gets a list of endpoints, according to the passed filters. If there - are no filters, all endpoints are returned. Filtering by multiple fields is - concatenated using the AND condition (OR is not supported). Maximum result - set size is 100. Offset is the zero-based number of endpoints from the start - of the result set (start by counting from 0). - id: a0690559-7fbb-4a1e-8eb1-051f88912afd - iscommand: true - name: Get endpoint info by endpoint ID - playbooktaskmissingcomponent: - script: '|||core-get-endpoints' - type: regular - version: -1 - taskid: a0690559-7fbb-4a1e-8eb1-051f88912afd - timertriggers: [] - type: regular + continueonerrortype: "" view: |- { "position": { @@ -251,75 +209,76 @@ tasks: "y": -454 } } - "16": - continueonerrortype: "" - id: "16" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "16": + id: "16" + taskid: f2c0cd47-a6d1-4b54-baff-9111cc14c054 + type: regular + task: + id: f2c0cd47-a6d1-4b54-baff-9111cc14c054 + version: -1 + name: Set endpoint IDs to isolate + description: "Set a value in context under the key you entered. If no value + is entered, the script doesn't do anything.\n\nThis automation runs using + the default Limited User role, unless you explicitly change the permissions.\n + For more information, see the section about permissions here:\n- For Cortex + XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + scriptName: SetAndHandleEmpty + type: regular + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - "27" - note: false - quietmode: 0 scriptarguments: key: simple: EndpointsIDToIsolate value: complex: - accessor: endpoint_id + root: Core.Endpoint filters: - - - ignorecase: true + - - operator: isNotEqualString left: - iscontext: true value: simple: Core.Endpoint.endpoint_status - operator: isNotEqualString + iscontext: true right: value: simple: DISCONNECTED - - - ignorecase: true + ignorecase: true + - - operator: containsGeneral left: - iscontext: true value: simple: Core.Endpoint.is_isolated - operator: containsGeneral + iscontext: true right: value: simple: AGENT_UNISOLATED - - - ignorecase: true + ignorecase: true + - - operator: containsGeneral left: - iscontext: true value: simple: Core.Endpoint.endpoint_type - operator: containsGeneral + iscontext: true right: value: simple: WORKSTATION - root: Core.Endpoint + ignorecase: true + accessor: endpoint_id transformers: - operator: uniq separatecontext: false - skipunavailable: false - task: - brand: "" - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\n - For more information, see the section about permissions here:\n- For Cortex - XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n - - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" - id: f2c0cd47-a6d1-4b54-baff-9111cc14c054 - iscommand: false - name: Set endpoint IDs to isolate - playbooktaskmissingcomponent: - script: SetAndHandleEmpty - type: regular - version: -1 - taskid: f2c0cd47-a6d1-4b54-baff-9111cc14c054 - timertriggers: [] - type: regular + continueonerrortype: "" view: |- { "position": { @@ -327,79 +286,80 @@ tasks: "y": -120 } } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "17": + id: "17" + taskid: 1b35e319-899a-4a2b-80e4-591c3b92a9ae + type: condition + task: + id: 1b35e319-899a-4a2b-80e4-591c3b92a9ae + version: -1 + name: Should isolate the device? + description: Whether to isolate the endpoint based on the input values. + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "25" + "Yes": + - "16" + separatecontext: false conditions: - - condition: - - - ignorecase: true + - label: "Yes" + condition: + - - operator: isEqualString left: - iscontext: true value: complex: root: inputs.HostContainment - operator: isEqualString + iscontext: true right: value: simple: "True" - - - ignorecase: true + ignorecase: true + - - operator: containsString left: - iscontext: true value: complex: - accessor: endpoint_type root: Core.Endpoint - operator: containsString + accessor: endpoint_type + iscontext: true right: value: simple: WORKSTATION - - - ignorecase: true + ignorecase: true + - - operator: isEqualString left: - iscontext: true value: complex: - accessor: is_isolated root: Core.Endpoint - operator: isEqualString + accessor: is_isolated + iscontext: true right: value: simple: AGENT_UNISOLATED - - - ignorecase: true + ignorecase: true + - - operator: isNotEqualString left: - iscontext: true value: complex: - accessor: endpoint_status root: Core.Endpoint - operator: isNotEqualString + accessor: endpoint_status + iscontext: true right: value: simple: DISCONNECTED - label: "Yes" + ignorecase: true continueonerrortype: "" - id: "17" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#default#': - - "25" - "Yes": - - "16" - note: false - quietmode: 2 - separatecontext: false - skipunavailable: false - task: - brand: "" - description: Whether to isolate the endpoint based on the input values. - id: 1b35e319-899a-4a2b-80e4-591c3b92a9ae - iscommand: false - name: Should isolate the device? - playbooktaskmissingcomponent: - type: condition - version: -1 - taskid: 1b35e319-899a-4a2b-80e4-591c3b92a9ae - timertriggers: [] - type: condition view: |- { "position": { @@ -407,47 +367,48 @@ tasks: "y": -322 } } - "22": - continueonerrortype: "" - id: "22" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 2 isoversize: false + isautoswitchedtoquietmode: false + "22": + id: "22" + taskid: 677be289-10e0-46ea-8380-a44f18e8a047 + type: regular + task: + id: 677be289-10e0-46ea-8380-a44f18e8a047 + version: -1 + name: Set Isolated endpoint ID to the Alert context + description: commands.local.cmd.set.parent.alert.context + script: Builtin|||setParentIncidentContext + type: regular + iscommand: true + brand: Builtin + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - "10" - note: false - quietmode: 0 scriptarguments: key: simple: IsolatedEndpointsID value: complex: - accessor: endpoint_id root: Core.Endpoint + accessor: endpoint_id transformers: - - args: + - operator: SetIfEmpty + args: applyIfEmpty: {} defaultValue: value: simple: No Values - operator: SetIfEmpty - operator: uniq separatecontext: false - skipunavailable: true - task: - brand: Builtin - description: commands.local.cmd.set.parent.alert.context - id: 677be289-10e0-46ea-8380-a44f18e8a047 - iscommand: true - name: Set Isolated endpoint ID to the Alert context - playbooktaskmissingcomponent: - script: Builtin|||setParentIncidentContext - type: regular - version: -1 - taskid: 677be289-10e0-46ea-8380-a44f18e8a047 - timertriggers: [] - type: regular + continueonerrortype: "" view: |- { "position": { @@ -455,49 +416,50 @@ tasks: "y": 90 } } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "23": + id: "23" + taskid: 65bfa257-2884-4787-8dd5-64589ea2ad55 + type: condition + task: + id: 65bfa257-2884-4787-8dd5-64589ea2ad55 + version: -1 + name: Is the endpoint ID or the endpoint name defined? + description: Checks if the endpoint ID or name defined. + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "10" + "yes": + - "24" + - "13" + separatecontext: false conditions: - - condition: - - - left: - iscontext: true + - label: "yes" + condition: + - - operator: isNotEmpty + left: value: complex: root: inputs.EndpointID - operator: isNotEmpty - - left: iscontext: true + - operator: isNotEmpty + left: value: complex: root: inputs.EndpointHostName - operator: isNotEmpty - label: "yes" + iscontext: true continueonerrortype: "" - id: "23" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#default#': - - "10" - "yes": - - "24" - - "13" - note: false - quietmode: 0 - separatecontext: false - skipunavailable: false - task: - brand: "" - description: Checks if the endpoint ID or name defined. - id: 65bfa257-2884-4787-8dd5-64589ea2ad55 - iscommand: false - name: Is the endpoint ID or the endpoint name defined? - playbooktaskmissingcomponent: - type: condition - version: -1 - taskid: 65bfa257-2884-4787-8dd5-64589ea2ad55 - timertriggers: [] - type: condition view: |- { "position": { @@ -505,47 +467,48 @@ tasks: "y": -653 } } - "24": - continueonerrortype: "" - id: "24" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "24": + id: "24" + taskid: 6e3d0a66-444e-4d5d-803a-82f81ef2afdf + type: regular + task: + id: 6e3d0a66-444e-4d5d-803a-82f81ef2afdf + version: -1 + name: Get endpoint info by endpoint name + description: Gets a list of endpoints, according to the passed filters. If there + are no filters, all endpoints are returned. Filtering by multiple fields is + concatenated using the AND condition (OR is not supported). Maximum result + set size is 100. Offset is the zero-based number of endpoints from the start + of the result set (start by counting from 0). + script: '|||core-get-endpoints' + type: regular + iscommand: true + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - "17" - note: false - quietmode: 0 scriptarguments: hostname: complex: root: inputs.EndpointHostName transformers: - - args: + - operator: SetIfEmpty + args: applyIfEmpty: {} defaultValue: value: simple: "null" - operator: SetIfEmpty separatecontext: false - skipunavailable: false - task: - brand: "" - description: Gets a list of endpoints, according to the passed filters. If there - are no filters, all endpoints are returned. Filtering by multiple fields is - concatenated using the AND condition (OR is not supported). Maximum result - set size is 100. Offset is the zero-based number of endpoints from the start - of the result set (start by counting from 0). - id: 6e3d0a66-444e-4d5d-803a-82f81ef2afdf - iscommand: true - name: Get endpoint info by endpoint name - playbooktaskmissingcomponent: - script: '|||core-get-endpoints' - type: regular - version: -1 - taskid: 6e3d0a66-444e-4d5d-803a-82f81ef2afdf - timertriggers: [] - type: regular + continueonerrortype: "" view: |- { "position": { @@ -553,47 +516,48 @@ tasks: "y": -454 } } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "25": + id: "25" + taskid: 28a11db5-8870-402e-8fee-8d815b2fc6a9 + type: condition + task: + id: 28a11db5-8870-402e-8fee-8d815b2fc6a9 + version: -1 + name: is the endpoint already isolated? + description: Checks if the endpoint is already isolated. + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "10" + "yes": + - "22" + separatecontext: false conditions: - - condition: - - - ignorecase: true + - label: "yes" + condition: + - - operator: containsGeneral left: - iscontext: true value: complex: - accessor: is_isolated root: Core.Endpoint - operator: containsGeneral + accessor: is_isolated + iscontext: true right: value: simple: AGENT_ISOLATED - label: "yes" + ignorecase: true continueonerrortype: "" - id: "25" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#default#': - - "10" - "yes": - - "22" - note: false - quietmode: 0 - separatecontext: false - skipunavailable: false - task: - brand: "" - description: Checks if the endpoint is already isolated. - id: 28a11db5-8870-402e-8fee-8d815b2fc6a9 - iscommand: false - name: is the endpoint already isolated? - playbooktaskmissingcomponent: - type: condition - version: -1 - taskid: 28a11db5-8870-402e-8fee-8d815b2fc6a9 - timertriggers: [] - type: condition view: |- { "position": { @@ -601,65 +565,37 @@ tasks: "y": -120 } } - "26": - continueonerrortype: "" - id: "26" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false note: false - quietmode: 0 - separatecontext: true - skipunavailable: false - task: - brand: "" - id: b1052b5d-3ea3-44ff-8bd6-ec753abf861a - iscommand: false - name: Foundation - Foundation - Error Handling_V3 - playbookId: Foundation - Foundation - Error Handling_V3 - playbooktaskmissingcomponent: - type: playbook - version: -1 - taskid: b1052b5d-3ea3-44ff-8bd6-ec753abf861a timertriggers: [] - type: playbook - view: |- - { - "position": { - "x": 940, - "y": 439 - } - } - "27": - continueonerrortype: "" - id: "27" ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "27": + id: "27" + taskid: 9de8445b-c4bf-4cb5-9932-e5c7ba0b99ad + type: condition + task: + id: 9de8445b-c4bf-4cb5-9932-e5c7ba0b99ad + version: -1 + name: Run Mode? + scriptName: ShadowModeRouter_V3 + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: Full Run: - "2" Shadow Mode: - "28" - note: false - quietmode: 0 scriptarguments: ShadowMode: simple: ${inputs.ShadowMode} separatecontext: false - skipunavailable: false - task: - brand: "" - id: 9de8445b-c4bf-4cb5-9932-e5c7ba0b99ad - iscommand: false - name: Run Mode? - playbooktaskmissingcomponent: - script: 'ShadowModeRouter_V3' - type: condition - version: -1 - taskid: 9de8445b-c4bf-4cb5-9932-e5c7ba0b99ad - timertriggers: [] - type: condition + continueonerrortype: "" view: |- { "position": { @@ -667,45 +603,83 @@ tasks: "y": -20 } } - "28": - continueonerrortype: "" - id: "28" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "28": + id: "28" + taskid: 76549c23-938a-4977-a2fa-a47a8ca8c01e + type: regular + task: + id: 76549c23-938a-4977-a2fa-a47a8ca8c01e + version: -1 + name: 'Shadow: Palo XDR Isolate Endpoint' + description: Prints text to war room (Markdown supported) + scriptName: Print + type: regular + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - "10" - note: false - quietmode: 0 scriptarguments: value: simple: |- Shadow: Palo XDR Isolate Endpoint Command: core-isolate-endpoint separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 740, + "y": 140 + } + } + note: false + timertriggers: [] + ignoreworker: false skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "29": + id: "29" + taskid: c0fe23bb-09c8-49b3-8f53-c4c8d8e0cc88 + type: playbook task: - brand: "" - description: Prints text to war room (Markdown supported) - id: 76549c23-938a-4977-a2fa-a47a8ca8c01e - iscommand: false - name: 'Shadow: Palo XDR Isolate Endpoint' - playbooktaskmissingcomponent: - script: Print - type: regular + id: c0fe23bb-09c8-49b3-8f53-c4c8d8e0cc88 version: -1 - taskid: 76549c23-938a-4977-a2fa-a47a8ca8c01e - timertriggers: [] - type: regular + name: Foundation - Error Handling_V3 + playbookName: Foundation - Error Handling_V3 + type: playbook + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + separatecontext: true + continueonerrortype: "" view: |- { "position": { - "x": 740, - "y": 140 + "x": 963.4374389648438, + "y": 436.5 } } -version: -1 + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false +system: true view: |- { "linkLabelsPosition": { @@ -715,11 +689,52 @@ view: |- }, "paper": { "dimensions": { - "height": 1291, - "width": 1490, + "height": 1293.5, + "width": 1513.4374389648438, "x": -170, "y": -782 } } } -fromversion: 5.0.0 +inputs: +- key: HostContainment + value: + simple: "True" + required: false + description: Whether to execute endpoint isolation. + playbookInputQuery: null +- key: EndpointID + value: {} + required: false + description: The endpoint ID to run commands over. + playbookInputQuery: null +- key: EndpointHostName + value: {} + required: false + description: The endpoint hostname. + playbookInputQuery: null +- key: ShadowMode + value: + simple: "true" + required: false + description: "" + playbookInputQuery: null +inputSections: +- inputs: + - HostContainment + - EndpointID + - EndpointHostName + - ShadowMode + name: General (Inputs group) + description: Generic group for inputs +outputSections: +- outputs: + - Core.Isolation.endpoint_id + name: General (Outputs group) + description: Generic group for outputs +outputs: +- contextPath: Core.Isolation.endpoint_id + description: The isolated endpoint ID. +sourceplaybookid: Containment Plan - Isolate Device +dirtyInputs: true +adopted: true diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Crowdstrike_Falcon_-_Isolate_Endpoint.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Crowdstrike_Falcon_-_Isolate_Endpoint_V3.yml similarity index 79% rename from Packs/soc-common-playbooks-unified/Playbooks/SOC_Crowdstrike_Falcon_-_Isolate_Endpoint.yml rename to Packs/soc-common-playbooks-unified/Playbooks/SOC_Crowdstrike_Falcon_-_Isolate_Endpoint_V3.yml index 8624297..2101c0f 100644 --- a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Crowdstrike_Falcon_-_Isolate_Endpoint.yml +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Crowdstrike_Falcon_-_Isolate_Endpoint_V3.yml @@ -1,61 +1,42 @@ -adopted: true +id: SOC Crowdstrike Falcon - Isolate Endpoint_V3 +version: 3 +contentitemexportablefields: + contentitemfields: + packID: soc-common-playbooks-unified + packName: SOC Common Playbooks Unified + itemVersion: 2.7.52 + fromServerVersion: 5.0.0 + toServerVersion: "" + definitionid: "" + prevname: "" + isoverridable: false + supportedModules: [] +vcShouldKeepItemLegacyProdMachine: false +name: SOC Crowdstrike Falcon - Isolate Endpoint_V3 description: This playbook will auto isolate endpoints by the device ID that was provided in the playbook. -dirtyInputs: true -id: 'SOC Crowdstrike Falcon - Isolate Endpoint_V3' -inputSections: -- description: Generic group for inputs - inputs: - - Device_id - - ShadowMode - name: General (Inputs group) -inputs: -- description: The device ID to isolate. - key: Device_id - playbookInputQuery: - required: false - value: {} -- description: "" - key: ShadowMode - playbookInputQuery: - required: false - value: - simple: "true" -name: SOC Crowdstrike Falcon - Isolate Endpoint_V3 -outputSections: -- description: Generic group for outputs - name: General (Outputs group) - outputs: [] -outputs: [] -sourceplaybookid: Crowdstrike Falcon - Isolate Endpoint -starttaskid: "0" tags: - SOC - SOC_Framework +starttaskid: "0" tasks: "0": - continueonerrortype: "" id: "0" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false + taskid: d0e090fd-5e1f-4b5c-82e9-eb62105b6220 + type: start + task: + id: d0e090fd-5e1f-4b5c-82e9-eb62105b6220 + version: -1 + name: "" + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - "1" - note: false - quietmode: 0 separatecontext: false - skipunavailable: false - task: - brand: "" - id: d0e090fd-5e1f-4b5c-82e9-eb62105b6220 - iscommand: false - name: "" - playbooktaskmissingcomponent: - version: -1 - taskid: d0e090fd-5e1f-4b5c-82e9-eb62105b6220 - timertriggers: [] - type: start + continueonerrortype: "" view: |- { "position": { @@ -63,38 +44,39 @@ tasks: "y": 40 } } - "1": - continueonerrortype: "" - id: "1" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "1": + id: "1" + taskid: ee96dc16-3b22-4d74-83fe-b5a86fb60115 + type: condition + task: + id: ee96dc16-3b22-4d74-83fe-b5a86fb60115 + version: -1 + name: Is Crowdstrike Falcon enabled? + description: Returns 'yes' if the integration brand is available. Otherwise + returns 'no'. + scriptName: IsIntegrationAvailable + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: "no": - "2" "yes": - "3" - note: false - quietmode: 0 scriptarguments: brandname: simple: CrowdstrikeFalcon separatecontext: false - skipunavailable: false - task: - brand: "" - description: Returns 'yes' if the integration brand is available. Otherwise - returns 'no'. - id: ee96dc16-3b22-4d74-83fe-b5a86fb60115 - iscommand: false - name: Is Crowdstrike Falcon enabled? - playbooktaskmissingcomponent: - script: IsIntegrationAvailable - type: condition - version: -1 - taskid: ee96dc16-3b22-4d74-83fe-b5a86fb60115 - timertriggers: [] - type: condition + continueonerrortype: "" view: |- { "position": { @@ -102,27 +84,28 @@ tasks: "y": 210 } } - "2": - continueonerrortype: "" - id: "2" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false note: false - quietmode: 0 - separatecontext: false + timertriggers: [] + ignoreworker: false skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "2": + id: "2" + taskid: 44f92e5b-01a2-4070-881c-c6a931266009 + type: title task: - brand: "" id: 44f92e5b-01a2-4070-881c-c6a931266009 - iscommand: false + version: -1 name: Done - playbooktaskmissingcomponent: type: title - version: -1 - taskid: 44f92e5b-01a2-4070-881c-c6a931266009 - timertriggers: [] - type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + separatecontext: false + continueonerrortype: "" view: |- { "position": { @@ -130,40 +113,41 @@ tasks: "y": 1760 } } - "3": - conditions: - - condition: - - - left: - iscontext: true - value: - simple: inputs.Device_id - operator: isNotEmpty - label: "yes" - continueonerrortype: "" - id: "3" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "3": + id: "3" + taskid: 1fd37726-4b11-46ea-802f-46fc9e2fe715 + type: condition + task: + id: 1fd37726-4b11-46ea-802f-46fc9e2fe715 + version: -1 + name: Is there Device ID? + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#default#': - "2" "yes": - "4" - note: false - quietmode: 0 separatecontext: false - skipunavailable: false - task: - brand: "" - id: 1fd37726-4b11-46ea-802f-46fc9e2fe715 - iscommand: false - name: Is there Device ID? - playbooktaskmissingcomponent: - type: condition - version: -1 - taskid: 1fd37726-4b11-46ea-802f-46fc9e2fe715 - timertriggers: [] - type: condition + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: inputs.Device_id + iscontext: true + continueonerrortype: "" view: |- { "position": { @@ -171,35 +155,36 @@ tasks: "y": 490 } } - "4": - continueonerrortype: "" - id: "4" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "4": + id: "4" + taskid: 66d5a0a9-f7c9-4f23-abf4-a8ab5d888534 + type: regular + task: + id: 66d5a0a9-f7c9-4f23-abf4-a8ab5d888534 + version: -1 + name: Get device info + description: Searches for a device that matches the query. + script: CrowdstrikeFalcon|||cs-falcon-search-device + type: regular + iscommand: true + brand: CrowdstrikeFalcon + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - "5" - note: false - quietmode: 0 scriptarguments: ids: simple: ${inputs.Device_id} separatecontext: false - skipunavailable: false - task: - brand: CrowdstrikeFalcon - description: Searches for a device that matches the query. - id: 66d5a0a9-f7c9-4f23-abf4-a8ab5d888534 - iscommand: true - name: Get device info - playbooktaskmissingcomponent: - script: CrowdstrikeFalcon|||cs-falcon-search-device - type: regular - version: -1 - taskid: 66d5a0a9-f7c9-4f23-abf4-a8ab5d888534 - timertriggers: [] - type: regular + continueonerrortype: "" view: |- { "position": { @@ -207,43 +192,44 @@ tasks: "y": 690 } } - "5": - conditions: - - condition: - - - left: - iscontext: true - value: - simple: CrowdStrike.Device.Status - operator: isEqualString - right: - value: - simple: normal - label: "yes" - continueonerrortype: "" - id: "5" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "5": + id: "5" + taskid: 5255531d-7314-4223-8efc-ac53607d0b52 + type: condition + task: + id: 5255531d-7314-4223-8efc-ac53607d0b52 + version: -1 + name: Is the device ready for isolation? + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#default#': - "2" "yes": - "7" - note: false - quietmode: 0 separatecontext: false - skipunavailable: false - task: - brand: "" - id: 5255531d-7314-4223-8efc-ac53607d0b52 - iscommand: false - name: Is the device ready for isolation? - playbooktaskmissingcomponent: - type: condition - version: -1 - taskid: 5255531d-7314-4223-8efc-ac53607d0b52 - timertriggers: [] - type: condition + conditions: + - label: "yes" + condition: + - - operator: isEqualString + left: + value: + simple: CrowdStrike.Device.Status + iscontext: true + right: + value: + simple: normal + continueonerrortype: "" view: |- { "position": { @@ -251,40 +237,41 @@ tasks: "y": 890 } } - "6": - continueonerror: true - continueonerrortype: errorPath - id: "6" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "6": + id: "6" + taskid: 8d83b1ad-dbe6-4fe7-ba1c-755241c23a84 + type: regular + task: + id: 8d83b1ad-dbe6-4fe7-ba1c-755241c23a84 + version: -1 + name: Isolate endpoint + description: Contains containment for a specified host. When contained, a host + can only communicate with the CrowdStrike cloud and any IPs specified in your + containment policy. + script: CrowdstrikeFalcon|||cs-falcon-contain-host + type: regular + iscommand: true + brand: CrowdstrikeFalcon + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#error#': - - "9" + - "10" '#none#': - "2" - note: false - quietmode: 0 scriptarguments: ids: simple: ${inputs.Device_id} separatecontext: false - skipunavailable: false - task: - brand: CrowdstrikeFalcon - description: Contains containment for a specified host. When contained, a host - can only communicate with the CrowdStrike cloud and any IPs specified in your - containment policy. - id: 8d83b1ad-dbe6-4fe7-ba1c-755241c23a84 - iscommand: true - name: Isolate endpoint - playbooktaskmissingcomponent: - script: CrowdstrikeFalcon|||cs-falcon-contain-host - type: regular - version: -1 - taskid: 8d83b1ad-dbe6-4fe7-ba1c-755241c23a84 - timertriggers: [] - type: regular + continueonerror: true + continueonerrortype: errorPath view: |- { "position": { @@ -292,36 +279,37 @@ tasks: "y": 1330 } } - "7": - continueonerrortype: "" - id: "7" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "7": + id: "7" + taskid: 3e9098e5-20d2-40f9-abf9-800a6900cc58 + type: condition + task: + id: 3e9098e5-20d2-40f9-abf9-800a6900cc58 + version: -1 + name: Run Mode? + scriptName: ShadowModeRouter_V3 + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: Full Run: - "6" Shadow Mode: - "8" - note: false - quietmode: 0 scriptarguments: ShadowMode: simple: ${inputs.ShadowMode} separatecontext: false - skipunavailable: false - task: - brand: "" - id: 3e9098e5-20d2-40f9-abf9-800a6900cc58 - iscommand: false - name: Run Mode? - playbooktaskmissingcomponent: - script: ShadowModeRouter_V3 - type: condition - version: -1 - taskid: 3e9098e5-20d2-40f9-abf9-800a6900cc58 - timertriggers: [] - type: condition + continueonerrortype: "" view: |- { "position": { @@ -329,37 +317,38 @@ tasks: "y": 1090 } } - "8": - continueonerrortype: "" - id: "8" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "8": + id: "8" + taskid: e46e3518-e612-4d9b-ad76-48a9e841cc5d + type: regular + task: + id: e46e3518-e612-4d9b-ad76-48a9e841cc5d + version: -1 + name: 'Shadow: CrowdStrike Falcon Isolate EndPoint' + description: Prints text to war room (Markdown supported) + scriptName: Print + type: regular + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - "2" - note: false - quietmode: 0 scriptarguments: value: simple: |- Shadow: CrowdStrike Falcon Isolate EndPoint Command: cs-falcon-contain-host separatecontext: false - skipunavailable: false - task: - brand: "" - description: Prints text to war room (Markdown supported) - id: e46e3518-e612-4d9b-ad76-48a9e841cc5d - iscommand: false - name: 'Shadow: CrowdStrike Falcon Isolate EndPoint' - playbooktaskmissingcomponent: - script: Print - type: regular - version: -1 - taskid: e46e3518-e612-4d9b-ad76-48a9e841cc5d - timertriggers: [] - type: regular + continueonerrortype: "" view: |- { "position": { @@ -367,36 +356,44 @@ tasks: "y": 1330 } } - "9": - continueonerrortype: "" - id: "9" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false note: false - quietmode: 0 - separatecontext: true + timertriggers: [] + ignoreworker: false skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "10": + id: "10" + taskid: 19d3d20a-0aac-471b-82c0-0cd504f383aa + type: playbook task: - brand: "" - id: a5744034-b39d-4989-8e3f-e891bf98b1cb - iscommand: false - name: Foundation - Foundation - Error Handling_V3 - playbookId: Foundation - Foundation - Error Handling_V3 - playbooktaskmissingcomponent: - type: playbook + id: 19d3d20a-0aac-471b-82c0-0cd504f383aa version: -1 - taskid: a5744034-b39d-4989-8e3f-e891bf98b1cb - timertriggers: [] - type: playbook + name: Foundation - Error Handling_V3 + playbookName: Foundation - Error Handling_V3 + type: playbook + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + separatecontext: true + continueonerrortype: "" view: |- { "position": { - "x": 1430, - "y": 1755 + "x": 1313.75, + "y": 1752.5 } } -version: -1 + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false +system: true view: |- { "linkLabelsPosition": { @@ -407,11 +404,36 @@ view: |- }, "paper": { "dimensions": { - "height": 1785, + "height": 1787.5, "width": 1360, "x": 450, "y": 40 } } } -fromversion: 5.0.0 +inputs: +- key: Device_id + value: {} + required: false + description: The device ID to isolate. + playbookInputQuery: null +- key: ShadowMode + value: + simple: "true" + required: false + description: "" + playbookInputQuery: null +inputSections: +- inputs: + - Device_id + - ShadowMode + name: General (Inputs group) + description: Generic group for inputs +outputSections: +- outputs: [] + name: General (Outputs group) + description: Generic group for outputs +outputs: [] +sourceplaybookid: Crowdstrike Falcon - Isolate Endpoint +dirtyInputs: true +adopted: true diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Endpoint_Enrichment_-_Cylance_Protect_v2.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Endpoint_Enrichment_-_Cylance_Protect_v2_V3.yml similarity index 81% rename from Packs/soc-common-playbooks-unified/Playbooks/SOC_Endpoint_Enrichment_-_Cylance_Protect_v2.yml rename to Packs/soc-common-playbooks-unified/Playbooks/SOC_Endpoint_Enrichment_-_Cylance_Protect_v2_V3.yml index aa9e400..143371e 100644 --- a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Endpoint_Enrichment_-_Cylance_Protect_v2.yml +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Endpoint_Enrichment_-_Cylance_Protect_v2_V3.yml @@ -1,72 +1,41 @@ -adopted: true +id: SOC Endpoint Enrichment - Cylance Protect v2_V3 +version: 3 contentitemexportablefields: contentitemfields: - definitionid: "" + packID: soc-common-playbooks-unified + packName: SOC Common Playbooks Unified + itemVersion: 2.7.52 fromServerVersion: 5.0.0 - isoverridable: false - itemVersion: 1.1.41 - packID: "" - packName: Cylance Protect + toServerVersion: "" + definitionid: "" prevname: "" + isoverridable: false supportedModules: [] - toServerVersion: "" -description: Enriches endpoints using the Cylance Protect v2 integration. -dirtyInputs: true -id: 'SOC Endpoint Enrichment - Cylance Protect v2_V3' -inputSections: -- description: Generic group for inputs - inputs: - - Hostname - name: General (Inputs group) -inputs: -- description: The hostname to enrich. - key: Hostname - playbookInputQuery: - required: false - value: - complex: - root: inputs.Hostname - transformers: - - operator: uniq +vcShouldKeepItemLegacyProdMachine: false name: SOC Endpoint Enrichment - Cylance Protect v2_V3 -outputSections: -- description: Generic group for outputs - name: General (Outputs group) - outputs: - - CylanceProtectDevice -outputs: -- contextPath: CylanceProtectDevice - description: The device information about the hostname that was enriched. - type: unknown -sourceplaybookid: Endpoint Enrichment - Cylance Protect v2 -starttaskid: "0" +description: Enriches endpoints using the Cylance Protect v2 integration. tags: - SOC - SOC_Framework +starttaskid: "0" tasks: "0": - continueonerrortype: "" id: "0" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false + taskid: 1635626d-e92f-49c7-85a7-b4d1632d1e38 + type: start + task: + id: 1635626d-e92f-49c7-85a7-b4d1632d1e38 + version: -1 + name: "" + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - "1" - note: false - quietmode: 0 separatecontext: false - skipunavailable: false - task: - brand: "" - id: 1635626d-e92f-49c7-85a7-b4d1632d1e38 - iscommand: false - name: "" - playbooktaskmissingcomponent: - version: -1 - taskid: 1635626d-e92f-49c7-85a7-b4d1632d1e38 - timertriggers: [] - type: start + continueonerrortype: "" view: |- { "position": { @@ -74,60 +43,61 @@ tasks: "y": 50 } } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "1": + id: "1" + taskid: 50264655-eac1-4439-809b-32f93a19c825 + type: condition + task: + id: 50264655-eac1-4439-809b-32f93a19c825 + version: -1 + name: Is Cylance Protect v2 enabled? + description: Checks if there is an active instance of the Cylance Protect v2 + integration enabled. + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "6" + "yes": + - "2" + separatecontext: false conditions: - - condition: - - - left: - iscontext: true + - label: "yes" + condition: + - - operator: isExists + left: value: complex: + root: modules filters: - - - left: - iscontext: true + - - operator: isEqualString + left: value: simple: brand - operator: isEqualString + iscontext: true right: value: simple: Cylance Protect v2 - - - left: - iscontext: true + - - operator: isEqualString + left: value: simple: state - operator: isEqualString + iscontext: true right: value: simple: active - root: modules - operator: isExists - label: "yes" + iscontext: true continueonerrortype: "" - id: "1" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#default#': - - "6" - "yes": - - "2" - note: false - quietmode: 0 - separatecontext: false - skipunavailable: false - task: - brand: "" - description: Checks if there is an active instance of the Cylance Protect v2 - integration enabled. - id: 50264655-eac1-4439-809b-32f93a19c825 - iscommand: false - name: Is Cylance Protect v2 enabled? - playbooktaskmissingcomponent: - type: condition - version: -1 - taskid: 50264655-eac1-4439-809b-32f93a19c825 - timertriggers: [] - type: condition view: |- { "position": { @@ -135,37 +105,38 @@ tasks: "y": 190 } } - "2": - continueonerror: true - continueonerrortype: errorPath - id: "2" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "2": + id: "2" + taskid: 528d8f5d-cf61-4bc1-b4cc-75887b25ea8d + type: regular + task: + id: 528d8f5d-cf61-4bc1-b4cc-75887b25ea8d + version: -1 + name: Get all Cylance Protect devices + description: Gets information about all devices that are available in Cylance + Protect. + script: Cylance Protect v2|||cylance-protect-get-devices + type: regular + iscommand: true + brand: Cylance Protect v2 + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#error#': - - "7" + - "8" '#none#': - "4" - note: false - quietmode: 0 reputationcalc: 1 separatecontext: false - skipunavailable: false - task: - brand: Cylance Protect v2 - description: Gets information about all devices that are available in Cylance - Protect. - id: 528d8f5d-cf61-4bc1-b4cc-75887b25ea8d - iscommand: true - name: Get all Cylance Protect devices - playbooktaskmissingcomponent: - script: Cylance Protect v2|||cylance-protect-get-devices - type: regular - version: -1 - taskid: 528d8f5d-cf61-4bc1-b4cc-75887b25ea8d - timertriggers: [] - type: regular + continueonerror: true + continueonerrortype: errorPath view: |- { "position": { @@ -173,58 +144,59 @@ tasks: "y": 370 } } - "3": - continueonerrortype: "" - id: "3" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "3": + id: "3" + taskid: ec7a9e06-60d0-4c25-8ed4-1cb9d0fe92f6 + type: regular + task: + id: ec7a9e06-60d0-4c25-8ed4-1cb9d0fe92f6 + version: -1 + name: Set enriched device details + description: Sets the device that was enriched in another context key. That + key will contain only the device that was enriched using the provided hostname, + and will be the output of the playbook. + scriptName: Set + type: regular + iscommand: false + brand: Cylance Protect v2 + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - "6" - note: false - quietmode: 0 - reputationcalc: 1 scriptarguments: key: simple: CylanceProtectDevice value: complex: + root: CylanceProtectAllDevices filters: - - - left: - iscontext: true + - - operator: in + left: value: simple: CylanceProtectAllDevices.Hostname - operator: in - right: iscontext: true + right: value: simple: inputs.Hostname - - - left: iscontext: true + - - operator: isNotEmpty + left: value: simple: CylanceProtectAllDevices - operator: isNotEmpty - root: CylanceProtectAllDevices + iscontext: true transformers: - operator: uniq + reputationcalc: 1 separatecontext: false - skipunavailable: false - task: - brand: Cylance Protect v2 - description: Sets the device that was enriched in another context key. That - key will contain only the device that was enriched using the provided hostname, - and will be the output of the playbook. - id: ec7a9e06-60d0-4c25-8ed4-1cb9d0fe92f6 - iscommand: false - name: Set enriched device details - playbooktaskmissingcomponent: - script: Set - type: regular - version: -1 - taskid: ec7a9e06-60d0-4c25-8ed4-1cb9d0fe92f6 - timertriggers: [] - type: regular + continueonerrortype: "" view: |- { "position": { @@ -232,49 +204,50 @@ tasks: "y": 890 } } - "4": - continueonerrortype: "" - id: "4" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "4": + id: "4" + taskid: 83e2be36-d5ef-43df-80b3-c77e95e19780 + type: regular + task: + id: 83e2be36-d5ef-43df-80b3-c77e95e19780 + version: -1 + name: Set device list + description: Sets the devices in another context key - "CylanceProtectAllDevices". + Setting them under that key ensures proper filtering in the next tasks. + scriptName: Set + type: regular + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - "5" - note: false - quietmode: 0 - reputationcalc: 1 scriptarguments: key: simple: CylanceProtectAllDevices value: complex: - accessor: Device + root: CylanceProtect filters: - - - left: - iscontext: true + - - operator: isNotEmpty + left: value: simple: CylanceProtect.Device - operator: isNotEmpty - root: CylanceProtect + iscontext: true + accessor: Device transformers: - operator: uniq + reputationcalc: 1 separatecontext: false - skipunavailable: false - task: - brand: "" - description: Sets the devices in another context key - "CylanceProtectAllDevices". - Setting them under that key ensures proper filtering in the next tasks. - id: 83e2be36-d5ef-43df-80b3-c77e95e19780 - iscommand: false - name: Set device list - playbooktaskmissingcomponent: - script: Set - type: regular - version: -1 - taskid: 83e2be36-d5ef-43df-80b3-c77e95e19780 - timertriggers: [] - type: regular + continueonerrortype: "" view: |- { "position": { @@ -282,55 +255,56 @@ tasks: "y": 540 } } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "5": + id: "5" + taskid: 8a61ee6d-786a-4ec3-8f9e-fe49f90c1930 + type: condition + task: + id: 8a61ee6d-786a-4ec3-8f9e-fe49f90c1930 + version: -1 + name: Was a device found? + description: Checks whether any of the hostnames for enrichment were enriched + using Cylance Protect v2. + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "6" + "yes": + - "3" + separatecontext: false conditions: - - condition: - - - left: - iscontext: true + - label: "yes" + condition: + - - operator: isExists + left: value: complex: + root: CylanceProtectAllDevices filters: - - - left: - iscontext: true + - - operator: in + left: value: simple: CylanceProtectAllDevices.Hostname - operator: in - right: iscontext: true + right: value: simple: inputs.Hostname - root: CylanceProtectAllDevices + iscontext: true transformers: - operator: uniq - operator: isExists - label: "yes" + iscontext: true continueonerrortype: "" - id: "5" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#default#': - - "6" - "yes": - - "3" - note: false - quietmode: 0 - separatecontext: false - skipunavailable: false - task: - brand: "" - description: Checks whether any of the hostnames for enrichment were enriched - using Cylance Protect v2. - id: 8a61ee6d-786a-4ec3-8f9e-fe49f90c1930 - iscommand: false - name: Was a device found? - playbooktaskmissingcomponent: - type: condition - version: -1 - taskid: 8a61ee6d-786a-4ec3-8f9e-fe49f90c1930 - timertriggers: [] - type: condition view: |- { "position": { @@ -338,27 +312,28 @@ tasks: "y": 700 } } - "6": - continueonerrortype: "" - id: "6" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false note: false - quietmode: 0 - separatecontext: false + timertriggers: [] + ignoreworker: false skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "6": + id: "6" + taskid: 3849ea50-af6b-4ce4-8c43-c76f660fa7f6 + type: title task: - brand: "" id: 3849ea50-af6b-4ce4-8c43-c76f660fa7f6 - iscommand: false + version: -1 name: Done - playbooktaskmissingcomponent: type: title - version: -1 - taskid: 3849ea50-af6b-4ce4-8c43-c76f660fa7f6 - timertriggers: [] - type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + separatecontext: false + continueonerrortype: "" view: |- { "position": { @@ -366,36 +341,44 @@ tasks: "y": 1070 } } - "7": - continueonerrortype: "" - id: "7" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false note: false - quietmode: 0 - separatecontext: true + timertriggers: [] + ignoreworker: false skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "8": + id: "8" + taskid: 92f8e328-1b28-4371-8d9d-4c75974fae23 + type: playbook task: - brand: "" - id: 23787797-71ae-4d5d-897c-cda6c152c2dd - iscommand: false - name: Foundation - Foundation - Error Handling_V3 - playbookId: Foundation - Foundation - Error Handling_V3 - playbooktaskmissingcomponent: - type: playbook + id: 92f8e328-1b28-4371-8d9d-4c75974fae23 version: -1 - taskid: 23787797-71ae-4d5d-897c-cda6c152c2dd - timertriggers: [] - type: playbook + name: Foundation - Error Handling_V3 + playbookName: Foundation - Error Handling_V3 + type: playbook + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + separatecontext: true + continueonerrortype: "" view: |- { "position": { - "x": 950, - "y": 1065 + "x": 927.5, + "y": 1062.5 } } -version: -1 + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false +system: true view: |- { "linkLabelsPosition": { @@ -405,11 +388,37 @@ view: |- }, "paper": { "dimensions": { - "height": 1085, - "width": 880, + "height": 1087.5, + "width": 857.5, "x": 450, "y": 50 } } } -fromversion: 5.0.0 +inputs: +- key: Hostname + value: + complex: + root: inputs.Hostname + transformers: + - operator: uniq + required: false + description: The hostname to enrich. + playbookInputQuery: null +inputSections: +- inputs: + - Hostname + name: General (Inputs group) + description: Generic group for inputs +outputSections: +- outputs: + - CylanceProtectDevice + name: General (Outputs group) + description: Generic group for outputs +outputs: +- contextPath: CylanceProtectDevice + description: The device information about the hostname that was enriched. + type: unknown +sourceplaybookid: Endpoint Enrichment - Cylance Protect v2 +dirtyInputs: true +adopted: true diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Endpoint_Enrichment_-_Generic_v2.1.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Endpoint_Enrichment_-_Generic_v2.1_V3.yml similarity index 95% rename from Packs/soc-common-playbooks-unified/Playbooks/SOC_Endpoint_Enrichment_-_Generic_v2.1.yml rename to Packs/soc-common-playbooks-unified/Playbooks/SOC_Endpoint_Enrichment_-_Generic_v2.1_V3.yml index 1c3a475..f25affe 100644 --- a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Endpoint_Enrichment_-_Generic_v2.1.yml +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Endpoint_Enrichment_-_Generic_v2.1_V3.yml @@ -1,10 +1,10 @@ id: SOC Endpoint Enrichment - Generic v2.1_V3 -version: 7 +version: 6 contentitemexportablefields: contentitemfields: - packID: soc-common-playbooks - packName: SOC Common Playbooks - itemVersion: 2.7.40 + packID: soc-common-playbooks-unified + packName: SOC Common Playbooks Unified + itemVersion: 2.7.52 fromServerVersion: 5.0.0 toServerVersion: "" definitionid: "" @@ -44,7 +44,7 @@ tasks: name: "" iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': @@ -76,7 +76,7 @@ tasks: type: title iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': @@ -114,7 +114,7 @@ tasks: type: condition iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#default#': @@ -161,7 +161,7 @@ tasks: type: title iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false separatecontext: false continueonerrortype: "" @@ -192,7 +192,7 @@ tasks: type: condition iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#default#': @@ -241,18 +241,18 @@ tasks: isautoswitchedtoquietmode: false "9": id: "9" - taskid: 5e114375-db3d-4267-8f4d-0a411d4bb076 + taskid: ee47fb73-98f1-45bb-bae9-58c4e8da150b type: regular task: - id: 5e114375-db3d-4267-8f4d-0a411d4bb076 + id: ee47fb73-98f1-45bb-bae9-58c4e8da150b version: -1 name: Get host information from Carbon Black Enterprise Response description: List the CarbonBlack sensors - script: '|||cb-edr-sensors-list' + script: VMware Carbon Black EDR v2|||cb-edr-sensors-list type: regular iscommand: true - brand: "" - playbooktaskmissingcomponent: + brand: VMware Carbon Black EDR v2 + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': @@ -304,7 +304,7 @@ tasks: type: condition iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#default#': @@ -362,7 +362,7 @@ tasks: type: title iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': @@ -394,7 +394,7 @@ tasks: type: title iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': @@ -426,11 +426,11 @@ tasks: type: title iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "48" + - "51" separatecontext: false continueonerrortype: "" view: |- @@ -458,7 +458,7 @@ tasks: type: title iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': @@ -492,7 +492,7 @@ tasks: type: condition iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#default#': @@ -556,11 +556,11 @@ tasks: type: regular iscommand: true brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#error#': - - "49" + - "50" '#none#': - "4" scriptarguments: @@ -598,7 +598,7 @@ tasks: type: title iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': @@ -630,7 +630,7 @@ tasks: type: title iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': @@ -665,7 +665,7 @@ tasks: type: condition iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#default#': @@ -712,10 +712,10 @@ tasks: isautoswitchedtoquietmode: false "32": id: "32" - taskid: 03a8e3c0-2469-41ee-97c8-b0c792be32ec + taskid: efb91abf-abd0-42c6-9e54-6e7e623bb6c2 type: regular task: - id: 03a8e3c0-2469-41ee-97c8-b0c792be32ec + id: efb91abf-abd0-42c6-9e54-6e7e623bb6c2 version: -1 name: Get host information from ExtraHop Reveal(x) description: Search for devices in ExtraHop Reveal(x). @@ -723,11 +723,11 @@ tasks: type: regular iscommand: true brand: ExtraHop v2 - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#error#': - - "49" + - "50" '#none#': - "4" scriptarguments: @@ -771,7 +771,7 @@ tasks: type: condition iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#default#': @@ -823,10 +823,10 @@ tasks: isautoswitchedtoquietmode: false "34": id: "34" - taskid: 8e881985-e5e1-4aec-ac66-0cbc1186879d + taskid: 8810bf2d-bcc7-4f93-a220-959399d558b7 type: regular task: - id: 8e881985-e5e1-4aec-ac66-0cbc1186879d + id: 8810bf2d-bcc7-4f93-a220-959399d558b7 version: -1 name: Get- host information from McAfee ePO v2 description: Finds systems in the McAfee ePO system tree. @@ -834,11 +834,11 @@ tasks: type: regular iscommand: true brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#error#': - - "49" + - "50" '#none#': - "4" scriptarguments: @@ -877,7 +877,7 @@ tasks: type: title iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': @@ -910,7 +910,7 @@ tasks: type: condition iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#default#': @@ -959,11 +959,11 @@ tasks: type: regular iscommand: true brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#error#': - - "49" + - "50" '#none#': - "4" scriptarguments: @@ -1001,10 +1001,10 @@ tasks: isautoswitchedtoquietmode: false "38": id: "38" - taskid: 97c2d94e-2a74-48d9-9404-8049e310925c + taskid: 4712f7a7-d60b-4cde-90b0-2fd1e0eec5a0 type: regular task: - id: 97c2d94e-2a74-48d9-9404-8049e310925c + id: 4712f7a7-d60b-4cde-90b0-2fd1e0eec5a0 version: -1 name: Crowdstrike Search device description: Searches for a device that matches the query. @@ -1012,11 +1012,11 @@ tasks: type: regular iscommand: true brand: CrowdstrikeFalcon - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#error#': - - "49" + - "50" '#none#': - "4" scriptarguments: @@ -1060,7 +1060,7 @@ tasks: type: condition iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#default#': @@ -1119,7 +1119,7 @@ tasks: type: title iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': @@ -1143,10 +1143,10 @@ tasks: isautoswitchedtoquietmode: false "41": id: "41" - taskid: 28d5399e-9856-4c0e-ae6f-26790468a680 + taskid: 747937a8-31ae-41b5-8e16-b73bf1401c22 type: regular task: - id: 28d5399e-9856-4c0e-ae6f-26790468a680 + id: 747937a8-31ae-41b5-8e16-b73bf1401c22 version: -1 name: Cortex XDR Search device description: Gets a list of endpoints, according to the passed filters. If there @@ -1154,15 +1154,15 @@ tasks: be concatenated using AND condition (OR is not supported). Maximum result set size is 100. Offset is the zero-based number of endpoint from the start of the result set (start by counting from 0). - script: '|||xdr-get-endpoints' + script: Cortex XDR - IR|||xdr-get-endpoints type: regular iscommand: true - brand: "" - playbooktaskmissingcomponent: + brand: Cortex XDR - IR + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#error#': - - "49" + - "50" '#none#': - "4" scriptarguments: @@ -1200,24 +1200,24 @@ tasks: isautoswitchedtoquietmode: false "42": id: "42" - taskid: 00b0ba80-bdc5-4012-8238-334800df9bbd + taskid: 23dde135-e619-4822-9729-3e225a93613d type: regular task: - id: 00b0ba80-bdc5-4012-8238-334800df9bbd + id: 23dde135-e619-4822-9729-3e225a93613d version: -1 name: Cortex XDR get endpoint risk score description: Retrieve the risk score of a specific host or list of hosts with the highest risk score in the environment along with the reason affecting each score. - script: '|||xdr-list-risky-hosts' + script: Cortex XDR - IR|||xdr-list-risky-hosts type: regular iscommand: true - brand: "" - playbooktaskmissingcomponent: + brand: Cortex XDR - IR + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#error#': - - "49" + - "50" '#none#': - "4" scriptarguments: @@ -1257,7 +1257,7 @@ tasks: type: condition iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#default#': @@ -1286,10 +1286,10 @@ tasks: isautoswitchedtoquietmode: false "44": id: "44" - taskid: 28ddac6d-c9fd-4997-9667-6bdd8538d69e + taskid: 9a992a3d-9a84-41df-ab97-5ef712176a7b type: regular task: - id: 28ddac6d-c9fd-4997-9667-6bdd8538d69e + id: 9a992a3d-9a84-41df-ab97-5ef712176a7b version: -1 name: Core IR Search device description: Gets a list of endpoints, according to the passed filters. If there @@ -1301,11 +1301,11 @@ tasks: type: regular iscommand: true brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#error#': - - "49" + - "50" '#none#': - "4" scriptarguments: @@ -1343,10 +1343,10 @@ tasks: isautoswitchedtoquietmode: false "45": id: "45" - taskid: e24e0b83-679a-4e52-828f-b3637fedd2c1 + taskid: 874ed64e-989b-460b-b5b7-818ddceaf247 type: regular task: - id: e24e0b83-679a-4e52-828f-b3637fedd2c1 + id: 874ed64e-989b-460b-b5b7-818ddceaf247 version: -1 name: Core IR get endpoint risk score description: Retrieve the risk score of a specific host or list of hosts with @@ -1356,11 +1356,11 @@ tasks: type: regular iscommand: true brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#error#': - - "49" + - "50" '#none#': - "4" scriptarguments: @@ -1397,30 +1397,27 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "48": - id: "48" - taskid: a311d42a-1d50-4464-8a6b-2babd00963a2 + "50": + id: "50" + taskid: 25768fa6-8b0e-4c2f-82b0-c5a6a982fd6c type: playbook task: - id: a311d42a-1d50-4464-8a6b-2babd00963a2 + id: 25768fa6-8b0e-4c2f-82b0-c5a6a982fd6c version: -1 - name: SOC Endpoint Enrichment - Cylance Protect v2_V3 - playbookName: SOC Endpoint Enrichment - Cylance Protect v2_V3 + name: Foundation - Error Handling_V3 + playbookName: Foundation - Error Handling_V3 type: playbook iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - nexttasks: - '#none#': - - "4" separatecontext: true continueonerrortype: "" view: |- { "position": { - "x": 270, - "y": 690 + "x": 740, + "y": 1130 } } note: false @@ -1430,27 +1427,42 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "49": - id: "49" - taskid: 699918ad-f689-4054-8864-d2dae7a92fe5 + "51": + id: "51" + taskid: 0639f500-77f5-4fd9-af08-d5a26a8dbe5e type: playbook task: - id: 699918ad-f689-4054-8864-d2dae7a92fe5 + id: 0639f500-77f5-4fd9-af08-d5a26a8dbe5e version: -1 - name: Foundation - Foundation - Foundation - Error Handling_V3 - playbookName: Foundation - Foundation - Foundation - Error Handling_V3 + name: SOC Endpoint Enrichment - Cylance Protect v2_V3 + description: Enriches endpoints using the Cylance Protect v2 integration. + playbookName: SOC Endpoint Enrichment - Cylance Protect v2_V3 type: playbook iscommand: false brand: "" - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "4" + scriptarguments: + Hostname: + complex: + root: inputs.Hostname + transformers: + - operator: uniq separatecontext: true continueonerrortype: "" + loop: + iscommand: false + exitCondition: "" + wait: 1 + max: 100 view: |- { "position": { - "x": 790, - "y": 1200 + "x": 270, + "y": 690 } } note: false @@ -1471,10 +1483,10 @@ view: |- "31_4_#default#": 0.1, "33_34_yes": 0.64, "33_4_#default#": 0.1, - "34_49_#error#": 0.9, + "34_50_#error#": 0.9, "36_37_yes": 0.49, "36_4_#default#": 0.1, - "38_49_#error#": 0.89, + "38_50_#error#": 0.89, "39_4_#default#": 0.1, "3_1_yes": 0.3, "3_24_yes": 0.41, @@ -1485,7 +1497,7 @@ view: |- }, "paper": { "dimensions": { - "height": 1195, + "height": 1125, "width": 5660, "x": -920, "y": 80 @@ -1502,7 +1514,7 @@ inputs: - operator: uniq required: false description: The hostname of the endpoint to enrich. - playbookInputQuery: + playbookInputQuery: null - key: UseReputationCommand value: simple: "False" @@ -1511,7 +1523,7 @@ inputs: Define if you would like to use the !endpoint command. Note: This input should be used whenever there is no auto-extract enabled in the investigation flow. Possible values: True / False. - playbookInputQuery: + playbookInputQuery: null - key: IPAddress value: complex: @@ -1521,7 +1533,7 @@ inputs: - operator: uniq required: false description: The IP address of the endpoint to enrich. - playbookInputQuery: + playbookInputQuery: null - key: EndpointID value: complex: @@ -1531,7 +1543,7 @@ inputs: - operator: uniq required: false description: The endpoint ID of the endpoint to enrich. - playbookInputQuery: + playbookInputQuery: null inputSections: - inputs: - Hostname @@ -2365,4 +2377,3 @@ outputs: sourceplaybookid: Endpoint Enrichment - Generic v2.1 dirtyInputs: true adopted: true -fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_URL_Enrichment_-_Generic_v2.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_URL_Enrichment_-_Generic_v2.yml deleted file mode 100644 index 08d1171..0000000 --- a/Packs/soc-common-playbooks-unified/Playbooks/SOC_URL_Enrichment_-_Generic_v2.yml +++ /dev/null @@ -1,773 +0,0 @@ -adopted: true -contentitemexportablefields: - contentitemfields: - definitionid: "" - fromServerVersion: 5.0.0 - isoverridable: false - itemVersion: 2.7.15 - packID: "" - packName: Common Playbooks - prevname: "" - supportedModules: - - X1 - - X3 - - X5 - - ENT_PLUS - - agentix - toServerVersion: "" -description: |- - Enrich URLs using one or more integrations. - - URL enrichment includes: - * SSL verification for URLs. - * Threat information. - * Providing of URL screenshots. - * URL Reputation using !url. -dirtyInputs: true -id: 'SOC URL Enrichment - Generic v2_V3' -inputSections: -- description: Generic group for inputs - inputs: - - URL - - Rasterize - - VerifyURL - - UseReputationCommand - name: General (Inputs group) -inputs: -- description: The URLs to enrich. - key: URL - playbookInputQuery: - required: false - value: - complex: - accessor: Data - root: URL - transformers: - - operator: uniq -- description: |- - Define if you would like the system take safe screenshots of input URLs. - Possible values: True / False. - The default value is true. - key: Rasterize - playbookInputQuery: - required: false - value: - simple: "True" -- description: |- - Define if you would like the system perform SSL certificate verification on the URLs. - Possible values: True / False. - The default value is false. - key: VerifyURL - playbookInputQuery: - required: false - value: - simple: "False" -- description: |- - Define if you would like to use the !url command. - Note: This input should be used whenever there is no auto-extract enabled in the investigation flow. - Possible values: True / False. - The default value is false. - key: UseReputationCommand - playbookInputQuery: - required: true - value: - simple: "False" -name: SOC URL Enrichment - Generic v2_V3 -outputSections: -- description: Generic group for outputs - name: General (Outputs group) - outputs: - - URL - - URL.Data - - DBotScore - - URL.Malicious - - URL.Malicious.Vendor - - URL.Malicious.Description - - DBotScore.Indicator - - DBotScore.Type - - DBotScore.Vendor - - DBotScore.Score - - DBotScore.Reliability - - URL.Relationships.EntityA - - URL.Relationships.EntityB - - URL.Relationships.Relationship - - URL.Relationships.EntityAType - - URL.Relationships.EntityBType - - InfoFile.EntryID - - InfoFile.Extension - - InfoFile.Name - - InfoFile.Info - - InfoFile.Size - - InfoFile.Type -outputs: -- contextPath: URL - description: The URL object. - type: uknown -- contextPath: URL.Data - description: The enriched URL. - type: string -- contextPath: DBotScore - description: The DBotScore object. - type: unknown -- contextPath: URL.Malicious - description: Whether the detected URL was malicious. - type: unknown -- contextPath: URL.Malicious.Vendor - description: For malicious URLs, the vendor that made the decision. -- contextPath: URL.Malicious.Description - description: For malicious URLs, the reason that the vendor made the decision. -- contextPath: DBotScore.Indicator - description: The indicator. - type: string -- contextPath: DBotScore.Type - description: The indicator's type. - type: string -- contextPath: DBotScore.Vendor - description: The reputation vendor. - type: string -- contextPath: DBotScore.Score - description: The reputation score. - type: number -- contextPath: DBotScore.Reliability - description: Reliability of the source providing the intelligence data. -- contextPath: URL.Relationships.EntityA - description: The source of the relationship. -- contextPath: URL.Relationships.EntityB - description: The destination of the relationship. -- contextPath: URL.Relationships.Relationship - description: The name of the relationship. -- contextPath: URL.Relationships.EntityAType - description: The type of the source of the relationship. -- contextPath: URL.Relationships.EntityBType - description: The type of the destination of the relationship. -- contextPath: InfoFile.EntryID - description: The EntryID of the image/pdf file. -- contextPath: InfoFile.Extension - description: The extension of the image/pdf file. -- contextPath: InfoFile.Name - description: The name of the image/pdf file. -- contextPath: InfoFile.Info - description: The info of the image/pdf file. -- contextPath: InfoFile.Size - description: The size of the image/pdf file. -- contextPath: InfoFile.Type - description: The type of the image/pdf file. -sourceplaybookid: URL Enrichment - Generic v2 -starttaskid: "0" -tags: -- SOC -- SOC_Framework -tasks: - "0": - continueonerrortype: "" - id: "0" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#none#': - - "16" - note: false - quietmode: 0 - separatecontext: false - skipunavailable: false - task: - brand: "" - id: e1a236ab-b35b-4b70-84a7-3ca08b9bbe95 - iscommand: false - name: "" - playbooktaskmissingcomponent: - version: -1 - taskid: e1a236ab-b35b-4b70-84a7-3ca08b9bbe95 - timertriggers: [] - type: start - view: |- - { - "position": { - "x": 490, - "y": 41 - } - } - "16": - conditions: - - condition: - - - left: - iscontext: true - value: - simple: inputs.URL - operator: isNotEmpty - right: - value: {} - label: "yes" - continueonerrortype: "" - id: "16" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#default#': - - "37" - "yes": - - "29" - - "31" - - "38" - note: false - quietmode: 0 - scriptarguments: - value: - simple: inputs.URL - separatecontext: false - skipunavailable: false - task: - brand: "" - description: Checks whether there is at least one URL to enrich. - id: 2e1b93fe-512d-4fba-80dd-2912bf3382f5 - iscommand: false - name: Is there a URL to enrich? - playbooktaskmissingcomponent: - type: condition - version: -1 - taskid: 2e1b93fe-512d-4fba-80dd-2912bf3382f5 - timertriggers: [] - type: condition - view: |- - { - "position": { - "x": 490, - "y": 175 - } - } - "24": - continueonerrortype: "" - id: "24" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - note: false - quietmode: 0 - separatecontext: false - skipunavailable: false - task: - brand: "" - id: 7956570c-4a34-462b-84aa-0f8c6d01cf43 - iscommand: false - name: Done - playbooktaskmissingcomponent: - type: title - version: -1 - taskid: 7956570c-4a34-462b-84aa-0f8c6d01cf43 - timertriggers: [] - type: title - view: |- - { - "position": { - "x": 490, - "y": 1095 - } - } - "25": - continueonerrortype: "" - id: "25" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#default#': - - "24" - "yes": - - "26" - note: false - quietmode: 0 - scriptarguments: - value: - complex: - filters: - - - left: - iscontext: true - value: - simple: brand - operator: isEqualString - right: - value: - simple: Rasterize - - - left: - iscontext: true - value: - simple: state - operator: isEqualString - right: - value: - simple: active - root: modules - separatecontext: false - skipunavailable: false - task: - brand: "" - description: Checks if there is an active instance of the Rasterize integration - enabled. - id: 426d5e5a-76ec-4310-8157-e3ce1795f88f - iscommand: false - name: 'Is Rasterize integration enabled? ' - playbooktaskmissingcomponent: - script: Exists - type: condition - version: -1 - taskid: 426d5e5a-76ec-4310-8157-e3ce1795f88f - timertriggers: [] - type: condition - view: |- - { - "position": { - "x": -40, - "y": 710 - } - } - "26": - continueonerror: true - continueonerrortype: errorPath - id: "26" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#error#': - - "41" - '#none#': - - "24" - note: false - quietmode: 0 - reputationcalc: 1 - scriptarguments: - execution-timeout: - simple: "600" - url: - complex: - root: inputs.URL - transformers: - - operator: uniq - separatecontext: false - skipunavailable: false - task: - brand: Rasterize - description: Gets a screenshot of the URL page. - id: 45ed63d2-f583-48a3-8318-92317f597f06 - iscommand: true - name: Get URL screenshot - playbooktaskmissingcomponent: - script: Rasterize|||rasterize - tags: - - url_screenshots - type: regular - version: -1 - taskid: 45ed63d2-f583-48a3-8318-92317f597f06 - timertriggers: [] - type: regular - view: |- - { - "position": { - "x": -40, - "y": 920 - } - } - "27": - conditions: - - condition: - - - ignorecase: true - left: - iscontext: true - value: - complex: - root: inputs.Rasterize - operator: isEqualString - right: - value: - simple: "True" - label: "yes" - continueonerrortype: "" - id: "27" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#default#': - - "24" - "yes": - - "25" - note: false - quietmode: 0 - separatecontext: false - skipunavailable: false - task: - brand: "" - description: Checks if the playbook's Rasterize input is set to "True", which - determines whether screenshots of the URLs are created. - id: 71af55e1-a11a-42f9-84f6-ce3ce93e17ce - iscommand: false - name: Capture screenshots of the URL? - playbooktaskmissingcomponent: - type: condition - version: -1 - taskid: 71af55e1-a11a-42f9-84f6-ce3ce93e17ce - timertriggers: [] - type: condition - view: |- - { - "position": { - "x": -40, - "y": 500 - } - } - "29": - continueonerrortype: "" - id: "29" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#none#': - - "27" - note: false - quietmode: 0 - separatecontext: false - skipunavailable: false - task: - brand: "" - id: 7fc4755c-5a08-4f90-8bab-12c892b21df4 - iscommand: false - name: URL Screenshots - playbooktaskmissingcomponent: - type: title - version: -1 - taskid: 7fc4755c-5a08-4f90-8bab-12c892b21df4 - timertriggers: [] - type: title - view: |- - { - "position": { - "x": -40, - "y": 360 - } - } - "31": - continueonerrortype: "" - id: "31" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#none#': - - "33" - note: false - quietmode: 0 - separatecontext: false - skipunavailable: false - task: - brand: "" - id: 11224752-fee9-4a8f-82c0-5af370081779 - iscommand: false - name: URL Verification - playbooktaskmissingcomponent: - type: title - version: -1 - taskid: 11224752-fee9-4a8f-82c0-5af370081779 - timertriggers: [] - type: title - view: |- - { - "position": { - "x": 489.5, - "y": 360 - } - } - "32": - continueonerror: true - continueonerrortype: errorPath - id: "32" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#error#': - - "41" - '#none#': - - "24" - note: false - quietmode: 0 - reputationcalc: 1 - scriptarguments: - url: - complex: - root: inputs.URL - transformers: - - operator: uniq - separatecontext: false - skipunavailable: false - task: - brand: "" - description: Verify URL SSL certificate. - id: 6238c2cb-a230-4546-9952-c7c51e78faf2 - iscommand: false - name: Verify SSL for URLs - playbooktaskmissingcomponent: - script: URLSSLVerification - type: regular - version: -1 - taskid: 6238c2cb-a230-4546-9952-c7c51e78faf2 - timertriggers: [] - type: regular - view: |- - { - "position": { - "x": 490, - "y": 710 - } - } - "33": - conditions: - - condition: - - - ignorecase: true - left: - iscontext: true - value: - complex: - root: inputs.VerifyURL - operator: isEqualString - right: - value: - simple: "True" - label: "yes" - continueonerrortype: "" - id: "33" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#default#': - - "24" - "yes": - - "32" - note: false - quietmode: 0 - separatecontext: false - skipunavailable: false - task: - brand: "" - description: Checks if the playbook's VerifyURL input is set to "True", to determine - whether to perform SSL verification on the URLs. - id: 0a60d379-a6c4-449e-87e2-4939b8d0ad13 - iscommand: false - name: Verify URLs? - playbooktaskmissingcomponent: - type: condition - version: -1 - taskid: 0a60d379-a6c4-449e-87e2-4939b8d0ad13 - timertriggers: [] - type: condition - view: |- - { - "position": { - "x": 490, - "y": 500 - } - } - "37": - continueonerrortype: "" - id: "37" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#none#': - - "24" - note: false - quietmode: 0 - separatecontext: false - skipunavailable: false - task: - brand: "" - id: 395ad908-d5b6-4449-8665-b085546d0d42 - iscommand: false - name: No URLs - playbooktaskmissingcomponent: - type: title - version: -1 - taskid: 395ad908-d5b6-4449-8665-b085546d0d42 - timertriggers: [] - type: title - view: |- - { - "position": { - "x": -510, - "y": 360 - } - } - "38": - continueonerrortype: "" - id: "38" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#none#': - - "40" - note: false - quietmode: 0 - separatecontext: false - skipunavailable: false - task: - brand: "" - id: 704516ae-95d9-4ef5-8772-1958046fcac7 - iscommand: false - name: URL Reputation - playbooktaskmissingcomponent: - type: title - version: -1 - taskid: 704516ae-95d9-4ef5-8772-1958046fcac7 - timertriggers: [] - type: title - view: |- - { - "position": { - "x": 1010, - "y": 360 - } - } - "39": - continueonerror: true - continueonerrortype: errorPath - id: "39" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#error#': - - "41" - '#none#': - - "24" - note: false - quietmode: 0 - scriptarguments: - url: - complex: - root: inputs.URL - transformers: - - operator: uniq - separatecontext: false - skipunavailable: true - task: - brand: "" - description: Checks the reputation of a URL. - id: 9c173500-98f2-46dd-8984-e0990a12ca73 - iscommand: true - name: Check Reputation - playbooktaskmissingcomponent: - script: '|||url' - type: regular - version: -1 - taskid: 9c173500-98f2-46dd-8984-e0990a12ca73 - timertriggers: [] - type: regular - view: |- - { - "position": { - "x": 1010, - "y": 710 - } - } - "40": - conditions: - - condition: - - - ignorecase: true - left: - iscontext: true - value: - complex: - root: inputs.UseReputationCommand - operator: isEqualString - right: - value: - simple: "True" - label: "yes" - continueonerrortype: "" - id: "40" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#default#': - - "24" - "yes": - - "39" - note: false - quietmode: 0 - separatecontext: false - skipunavailable: false - task: - brand: "" - description: Check if should run URL reputation command - id: e0db6ab1-2c0e-4859-84eb-e764c3fd01e5 - iscommand: false - name: Should use !url command? - playbooktaskmissingcomponent: - type: condition - version: -1 - taskid: e0db6ab1-2c0e-4859-84eb-e764c3fd01e5 - timertriggers: [] - type: condition - view: |- - { - "position": { - "x": 1010, - "y": 500 - } - } - "41": - continueonerrortype: "" - id: "41" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - note: false - quietmode: 0 - separatecontext: true - skipunavailable: false - task: - brand: "" - id: 984fa8e7-a1bb-41f3-8980-b8fbc2556185 - iscommand: false - name: Foundation - Foundation - Error Handling_V3 - playbookId: Foundation - Foundation - Error Handling_V3 - playbooktaskmissingcomponent: - type: playbook - version: -1 - taskid: 984fa8e7-a1bb-41f3-8980-b8fbc2556185 - timertriggers: [] - type: playbook - view: |- - { - "position": { - "x": 1050, - "y": 1090 - } - } -version: -1 -view: |- - { - "linkLabelsPosition": { - "25_24_#default#": 0.53, - "25_26_yes": 0.47, - "27_25_yes": 0.5, - "33_24_#default#": 0.13, - "33_32_yes": 0.67, - "40_24_#default#": 0.31 - }, - "paper": { - "dimensions": { - "height": 1119, - "width": 1940, - "x": -510, - "y": 41 - } - } - } -fromversion: 5.0.0 diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SSOC_Block_Account_-_Generic_v2_V3.yml b/Packs/soc-common-playbooks-unified/Playbooks/SSOC_Block_Account_-_Generic_v2_V3.yml new file mode 100644 index 0000000..7dfb9a2 --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SSOC_Block_Account_-_Generic_v2_V3.yml @@ -0,0 +1,3366 @@ +id: SSOC Block Account - Generic v2_V3 +version: 4 +contentitemexportablefields: + contentitemfields: + packID: soc-common-playbooks-unified + packName: SOC Common Playbooks Unified + itemVersion: 2.7.52 + fromServerVersion: 5.0.0 + toServerVersion: "" + definitionid: "" + prevname: "" + isoverridable: false + supportedModules: [] +vcShouldKeepItemLegacyProdMachine: false +name: SSOC Block Account - Generic v2_V3 +description: |- + This playbook blocks malicious usernames using all integrations that you have enabled. + + Supported integrations for this playbook: + * Active Directory + * PAN-OS - This requires PAN-OS 9.1 or higher. + * SailPoint + * PingOne + * AWS IAM + * Clarizen IAM + * Envoy IAM + * ExceedLMS IAM + * Okta + * Microsoft Graph User (Azure Active Directory Users) + * Google Workspace Admin + * Slack IAM + * ServiceNow IAM + * Prisma Cloud IAM + * Zoom IAM + * Atlassian IAM + * GitHub IAM. +tags: +- SOC +- SOC_Framework +starttaskid: "0" +tasks: + "0": + id: "0" + taskid: cc38d57c-1f3a-4616-8fc3-b3d5b2beefb3 + type: start + task: + id: cc38d57c-1f3a-4616-8fc3-b3d5b2beefb3 + version: -1 + name: "" + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "8" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -1700, + "y": -1450 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "2": + id: "2" + taskid: 78bcaa68-2a3d-4805-8e25-1bee31249d8f + type: title + task: + id: 78bcaa68-2a3d-4805-8e25-1bee31249d8f + version: -1 + name: Done + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -1040, + "y": 1660 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "5": + id: "5" + taskid: df7e57df-4f26-4b41-8552-0d4068792d13 + type: title + task: + id: df7e57df-4f26-4b41-8552-0d4068792d13 + version: -1 + name: Block accounts + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "17" + - "18" + - "19" + - "20" + - "21" + - "22" + - "23" + - "25" + - "24" + - "54" + - "56" + - "58" + - "60" + - "66" + - "68" + - "71" + - "64" + - "73" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -1960, + "y": 410 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "8": + id: "8" + taskid: 84a222c3-d83f-4d9c-8f75-605f9c1cd233 + type: condition + task: + id: 84a222c3-d83f-4d9c-8f75-605f9c1cd233 + version: -1 + name: Is there a username to block? + description: Verify that the playbook input includes at least one username to + block. + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "39" + "yes": + - "38" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: inputs.Username + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": -1700, + "y": -1260 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "15": + id: "15" + taskid: f5a0276b-741e-4f8a-a129-6a90be21d226 + type: regular + task: + id: f5a0276b-741e-4f8a-a129-6a90be21d226 + version: -1 + name: PAN-OS - Register Tag to User + description: Registers users to a tag. This command is only available for PAN-OS + version 9.x and above. + script: Panorama|||pan-os-register-user-tag + type: regular + iscommand: true + brand: Panorama + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#error#': + - "95" + '#none#': + - "2" + scriptarguments: + Users: + complex: + root: Blocklist + accessor: Final + tag: + complex: + root: inputs.Tag + separatecontext: false + continueonerror: true + continueonerrortype: errorPath + view: |- + { + "position": { + "x": 2520, + "y": 1280 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "16": + id: "16" + taskid: 134ffe20-63fc-486a-8a79-685e3d206ae8 + type: condition + task: + id: 134ffe20-63fc-486a-8a79-685e3d206ae8 + version: -1 + name: Is there a Tag name to register? + description: Verify that the playbook input includes at least one tag to apply + to the user. + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "2" + "yes": + - "91" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: inputs.Tag + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 2700, + "y": 910 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "17": + id: "17" + taskid: dd28a21a-8e77-4e94-8ebd-6b4dd2a40907 + type: title + task: + id: dd28a21a-8e77-4e94-8ebd-6b4dd2a40907 + version: -1 + name: OKTA + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "26" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -1960, + "y": 555 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "18": + id: "18" + taskid: 253e9206-6499-4698-81bc-4f6b405723e9 + type: title + task: + id: 253e9206-6499-4698-81bc-4f6b405723e9 + version: -1 + name: SailPoint + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "27" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 640, + "y": 555 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "19": + id: "19" + taskid: 4665f43b-c357-46ab-8658-1f5307d73e34 + type: title + task: + id: 4665f43b-c357-46ab-8658-1f5307d73e34 + version: -1 + name: AWS IAM + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "28" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -220, + "y": 555 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "20": + id: "20" + taskid: 9f3e4789-ef65-4d8b-8142-b931aca2d1b8 + type: title + task: + id: 9f3e4789-ef65-4d8b-8142-b931aca2d1b8 + version: -1 + name: PingOne + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "29" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 210, + "y": 555 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "21": + id: "21" + taskid: 5af0265d-f69a-47ef-8fdd-8be726ab8812 + type: title + task: + id: 5af0265d-f69a-47ef-8fdd-8be726ab8812 + version: -1 + name: Clarizen IAM + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "30" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -640, + "y": 555 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "22": + id: "22" + taskid: 8170d464-f524-484a-8578-d2d5c6b44c24 + type: title + task: + id: 8170d464-f524-484a-8578-d2d5c6b44c24 + version: -1 + name: Envoy IAM + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "31" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -1070, + "y": 555 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "23": + id: "23" + taskid: 9426248c-bc57-4e2a-898c-333c705fe7c9 + type: title + task: + id: 9426248c-bc57-4e2a-898c-333c705fe7c9 + version: -1 + name: ExceedLMS IAM + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "32" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -1500, + "y": 555 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "24": + id: "24" + taskid: e3d46f19-bf96-4280-887d-c746b0e95976 + type: title + task: + id: e3d46f19-bf96-4280-887d-c746b0e95976 + version: -1 + name: PAN-OS + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "36" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 2700, + "y": 555 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "25": + id: "25" + taskid: 00761e97-8a6e-48f4-85fb-d894509a2c17 + type: title + task: + id: 00761e97-8a6e-48f4-85fb-d894509a2c17 + version: -1 + name: Microsoft Active Directory + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "37" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1060, + "y": 555 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "26": + id: "26" + taskid: ca29fc92-0b56-4eca-8fb4-285bf732a419 + type: condition + task: + id: ca29fc92-0b56-4eca-8fb4-285bf732a419 + version: -1 + name: Is OKTA Integration Enabled? + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no' + scriptName: IsIntegrationAvailable + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "2" + "yes": + - "81" + scriptarguments: + brandname: + simple: Okta IAM + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -1960, + "y": 715 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "27": + id: "27" + taskid: 692fc977-5dff-49fa-8ef9-4c0c53979786 + type: condition + task: + id: 692fc977-5dff-49fa-8ef9-4c0c53979786 + version: -1 + name: Is SailPoint Integration Enabled? + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no' + scriptName: IsIntegrationAvailable + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "2" + "yes": + - "75" + scriptarguments: + brandname: + simple: SailPointIdentityIQ + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 640, + "y": 715 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "28": + id: "28" + taskid: c00031c8-63dc-447a-8064-458b8b89c0b9 + type: condition + task: + id: c00031c8-63dc-447a-8064-458b8b89c0b9 + version: -1 + name: Is AWS IAM Integration Enabled? + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no' + scriptName: IsIntegrationAvailable + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "2" + "yes": + - "81" + scriptarguments: + brandname: + simple: AWS - IAM + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -220, + "y": 715 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "29": + id: "29" + taskid: 1dfdb5b5-b388-49f8-8778-b631675b5228 + type: condition + task: + id: 1dfdb5b5-b388-49f8-8778-b631675b5228 + version: -1 + name: Is PingOne Integration Enabled + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no' + scriptName: IsIntegrationAvailable + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "2" + "yes": + - "83" + scriptarguments: + brandname: + simple: PingOne + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 210, + "y": 715 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "30": + id: "30" + taskid: 1e40e759-f2e0-46f7-8c4c-e6c305ada2fe + type: condition + task: + id: 1e40e759-f2e0-46f7-8c4c-e6c305ada2fe + version: -1 + name: Is ClarizenIAM Integration Enabled? + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no' + scriptName: IsIntegrationAvailable + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "2" + "yes": + - "81" + scriptarguments: + brandname: + simple: ClarizenIAM + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -640, + "y": 715 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "31": + id: "31" + taskid: e69ec334-a883-4519-8b53-2d12a380819d + type: condition + task: + id: e69ec334-a883-4519-8b53-2d12a380819d + version: -1 + name: Is Envoy IAM Integration Enabled? + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no' + scriptName: IsIntegrationAvailable + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "2" + "yes": + - "81" + scriptarguments: + brandname: + simple: Envoy IAM + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -1070, + "y": 715 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "32": + id: "32" + taskid: d7750a59-552e-4fbe-8d72-6a0dbf2c50b2 + type: condition + task: + id: d7750a59-552e-4fbe-8d72-6a0dbf2c50b2 + version: -1 + name: Is ExceedLMS IAM Integration Enabled? + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no' + scriptName: IsIntegrationAvailable + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "2" + "yes": + - "81" + scriptarguments: + brandname: + simple: ExceedLMS IAM + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -1500, + "y": 715 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "33": + id: "33" + taskid: f3afa983-9d12-4f8a-89eb-70e0ffbac1b7 + type: regular + task: + id: f3afa983-9d12-4f8a-89eb-70e0ffbac1b7 + version: -1 + name: IAM Disable User + description: Disable an active user. + script: '|||iam-disable-user' + type: regular + iscommand: true + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#error#': + - "95" + '#none#': + - "2" + scriptarguments: + user-profile: + simple: ${Blocklist.Final} + separatecontext: false + continueonerror: true + continueonerrortype: errorPath + view: |- + { + "position": { + "x": -1260, + "y": 1220 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "34": + id: "34" + taskid: 1d25df3a-4ff2-4e85-93ae-435a6b346b06 + type: regular + task: + id: 1d25df3a-4ff2-4e85-93ae-435a6b346b06 + version: -1 + name: PingOne - Deactivate user + description: Deactivate a user's account. + script: PingOne|||pingone-deactivate-user + type: regular + iscommand: true + brand: PingOne + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#error#': + - "95" + '#none#': + - "2" + scriptarguments: + username: + complex: + root: Blocklist + accessor: Final + separatecontext: false + continueonerror: true + continueonerrortype: errorPath + view: |- + { + "position": { + "x": -440, + "y": 1190 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "35": + id: "35" + taskid: 24dbd242-88dc-4d46-808a-baa9acff55f1 + type: regular + task: + id: 24dbd242-88dc-4d46-808a-baa9acff55f1 + version: -1 + name: SailPoint-Disable account + description: Disable account's active status by id using IdentityIQ SCIM API's. + script: SailPointIdentityIQ|||identityiq-disable-account + type: regular + iscommand: true + brand: SailPointIdentityIQ + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#error#': + - "95" + '#none#': + - "2" + scriptarguments: + id: + complex: + root: IdentityIQ.Account + accessor: id + separatecontext: false + continueonerror: true + continueonerrortype: errorPath + view: |- + { + "position": { + "x": 120, + "y": 1470 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "36": + id: "36" + taskid: 90a2adf8-4f57-4b53-896d-44bddd4d064c + type: condition + task: + id: 90a2adf8-4f57-4b53-896d-44bddd4d064c + version: -1 + name: Is PAN-OS/Panorama Integration Enabled? + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no' + scriptName: IsIntegrationAvailable + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "2" + "yes": + - "16" + scriptarguments: + brandname: + simple: Panorama + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 2700, + "y": 735 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "37": + id: "37" + taskid: e31ad79c-5806-41f0-839b-f896c860d3cc + type: condition + task: + id: e31ad79c-5806-41f0-839b-f896c860d3cc + version: -1 + name: Is Active Directory Integration Enabled? + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no' + scriptName: IsIntegrationAvailable + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "2" + "yes": + - "76" + scriptarguments: + brandname: + simple: Active Directory Query v2 + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1060, + "y": 715 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "38": + id: "38" + taskid: c34085c0-1974-4153-8f36-fb22e4ba0c4e + type: condition + task: + id: c34085c0-1974-4153-8f36-fb22e4ba0c4e + version: -1 + name: Is User Verification Required? + description: Check if manual verification is required before block + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "47" + "yes": + - "40" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isEqualString + left: + value: + simple: inputs.UserVerification + iscontext: true + right: + value: + simple: "True" + ignorecase: true + continueonerrortype: "" + view: |- + { + "position": { + "x": -1700, + "y": -1050 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "39": + id: "39" + taskid: eda8a397-b0f5-4cb8-85a6-804bbbf59244 + type: title + task: + id: eda8a397-b0f5-4cb8-85a6-804bbbf59244 + version: -1 + name: No User to be blocked + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "2" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -5370, + "y": 1105 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "40": + id: "40" + taskid: 90c4e379-c164-495b-8bd0-74e807433506 + type: regular + task: + id: 90c4e379-c164-495b-8bd0-74e807433506 + version: -1 + name: Set Naming Convention to a key + description: "Set a value in context under the key you entered. If no value + is entered, the script doesn't do anything.\n\nThis automation runs using + the default Limited User role, unless you explicitly change the permissions.\nFor + more information, see the section about permissions here:\n- For Cortex XSOAR + 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- + For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + scriptName: SetAndHandleEmpty + type: regular + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "42" + scriptarguments: + append: + simple: "true" + key: + simple: checks.common + value: + complex: + root: inputs.NamingConvention + transformers: + - operator: replace + args: + limit: {} + replaceWith: {} + toReplace: + value: + simple: ' ' + - operator: split + args: + delimiter: + value: + simple: ',' + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -2230, + "y": -880 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "41": + id: "41" + taskid: 603550b4-89d3-4df1-84d9-1eb2951e0871 + type: regular + task: + id: 603550b4-89d3-4df1-84d9-1eb2951e0871 + version: -1 + name: Identify Potential Sensitive Users + description: "Set a value in context under the key you entered. If no value + is entered, the script doesn't do anything.\n\nThis automation runs using + the default Limited User role, unless you explicitly change the permissions.\nFor + more information, see the section about permissions here:\n- For Cortex XSOAR + 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- + For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + scriptName: SetAndHandleEmpty + type: regular + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "45" + - "43" + scriptarguments: + key: + simple: Blocklist.Sensitive + value: + complex: + root: Blocklist.Potential + filters: + - - operator: StringContainsArray + left: + value: + simple: Blocklist.Potential + iscontext: true + right: + value: + simple: checks.common + iscontext: true + ignorecase: true + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -2230, + "y": -560 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "42": + id: "42" + taskid: 93dc1c23-81e4-40fd-8f62-9f4290882421 + type: regular + task: + id: 93dc1c23-81e4-40fd-8f62-9f4290882421 + version: -1 + name: Set User to a potential block list + description: "Set a value in context under the key you entered. If no value + is entered, the script doesn't do anything.\n\nThis automation runs using + the default Limited User role, unless you explicitly change the permissions.\nFor + more information, see the section about permissions here:\n- For Cortex XSOAR + 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- + For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + scriptName: SetAndHandleEmpty + type: regular + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "41" + scriptarguments: + key: + simple: Blocklist.Potential + value: + complex: + root: inputs.Username + transformers: + - operator: split + args: + delimiter: + value: + simple: ',' + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -2230, + "y": -720 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "43": + id: "43" + taskid: 39b3cf6c-5757-447b-8188-9ead6e21a445 + type: condition + task: + id: 39b3cf6c-5757-447b-8188-9ead6e21a445 + version: -1 + name: Check if there are any sensitive users to block + description: Check if there are any sensitive users to block + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "45" + "yes": + - "44" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isExists + left: + value: + simple: Blocklist.Sensitive + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": -2670, + "y": -390 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "44": + id: "44" + taskid: 6ab46eeb-8460-44ab-8b96-0c6a35e38581 + type: collection + task: + id: 6ab46eeb-8460-44ab-8b96-0c6a35e38581 + version: -1 + name: Ask the user for verification [Sensitive Users] + description: |- + Please note that in this form there are serval accounts that are listed as "Sensitive Accounts": + ${User.Sensetive} + type: collection + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "52" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -2670, + "y": -190 + } + } + note: false + timertriggers: [] + ignoreworker: false + message: + to: + simple: Analyst + subject: + simple: Block Sensitive Account - User Verification Form + body: + simple: | +

Dear XSOAR user,

+

This notification informs you that the following list of sensitive accounts will be blocked on your XSOAR's integrated IDP/IAM devices.

+


(Note: the Accounts will be set to disabled on those XSOAR integrated devices).

+

Also, please note that the following accounts are listed as "Sensitive Accounts" based on a naming convention mentioned in the playbook:

+

${Blocklist.Sensitive}

+

 

+

For more information, click the link below.

+ methods: + - email + format: html + bcc: null + cc: null + timings: + retriescount: 2 + retriesinterval: 360 + completeafterreplies: 1 + completeafterv2: true + completeaftersla: false + form: + questions: + - id: "0" + label: "" + labelarg: + simple: 'Sensitive Users:' + required: false + gridcolumns: [] + defaultrows: [] + type: multiSelect + options: [] + optionsarg: + - simple: ${Blocklist.Sensitive} + fieldassociated: "" + placeholder: "" + tooltip: "" + readonly: false + title: 'Which sensitive users you would like to Block? Choose from the following + lists :' + description: "" + sender: "" + expired: false + totalanswers: 0 + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "45": + id: "45" + taskid: 4d484404-eefc-4cf6-8f56-abdae89d61e6 + type: collection + task: + id: 4d484404-eefc-4cf6-8f56-abdae89d61e6 + version: -1 + name: Ask the user for verification [without Sensitive Users] + description: |- + Please note that in this form there are serval accounts that are listed as "Sensitive Accounts": + ${User.Sensetive} + type: collection + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "52" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -2230, + "y": -190 + } + } + note: false + timertriggers: [] + ignoreworker: false + message: + to: + simple: Analyst + subject: + simple: Block Account - User Verification Form + body: + simple: | +

Dear XSOAR user,

+

This notification informs you that the following list of accounts will be blocked on your XSOAR's integrated IDP/IAM devices.

+


(Note: the Accounts will be set to disabled on those XSOAR integrated devices).

+

 

+

For more information, click the link below.

+ methods: + - email + format: html + bcc: null + cc: null + timings: + retriescount: 2 + retriesinterval: 360 + completeafterreplies: 1 + completeafterv2: false + completeaftersla: false + form: + questions: + - id: "0" + label: "" + labelarg: + simple: 'Users to be blocked:' + required: false + gridcolumns: [] + defaultrows: [] + type: multiSelect + options: [] + optionsarg: + - complex: + root: Blocklist + accessor: Potential + fieldassociated: "" + placeholder: "" + tooltip: "" + readonly: false + title: 'Which Users you would like to Block? Choose from the following lists + :' + description: "" + sender: "" + expired: false + totalanswers: 0 + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "46": + id: "46" + taskid: 9e174bd8-73a8-46ef-8a56-138a1cac0b61 + type: regular + task: + id: 9e174bd8-73a8-46ef-8a56-138a1cac0b61 + version: -1 + name: Set the final accounts list to be blocked + description: "Set a value in context under the key you entered. If no value + is entered, the script doesn't do anything.\n\nThis automation runs using + the default Limited User role, unless you explicitly change the permissions.\nFor + more information, see the section about permissions here:\n- For Cortex XSOAR + 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- + For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + scriptName: SetAndHandleEmpty + type: regular + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "5" + scriptarguments: + append: + simple: "true" + key: + simple: Blocklist.Final + value: + complex: + root: ${Which Users you would like to Block? Choose from the following + lists :.Answers + accessor: 0} + transformers: + - operator: append + args: + item: + value: + simple: Which sensitive users you would like to Block? Choose from + the following lists :.Answers.0 + iscontext: true + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -2230, + "y": 170 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "47": + id: "47" + taskid: f97632fd-1653-4fda-8222-e8dbe5c36646 + type: regular + task: + id: f97632fd-1653-4fda-8222-e8dbe5c36646 + version: -1 + name: Set the final accounts list to be blocked + description: "Set a value in context under the key you entered. If no value + is entered, the script doesn't do anything.\n\nThis automation runs using + the default Limited User role, unless you explicitly change the permissions.\nFor + more information, see the section about permissions here:\n- For Cortex XSOAR + 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- + For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + scriptName: SetAndHandleEmpty + type: regular + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "5" + scriptarguments: + append: + simple: "true" + key: + simple: Blocklist.Final + value: + complex: + root: inputs.Username + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -1700, + "y": 170 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "48": + id: "48" + taskid: de4b5f67-0713-4a24-933e-5ff0400428a7 + type: regular + task: + id: de4b5f67-0713-4a24-933e-5ff0400428a7 + version: -1 + name: Active Directory - Disable Account + description: Disables an Active Directory user account. + script: Active Directory Query v2|||ad-disable-account + type: regular + iscommand: true + brand: Active Directory Query v2 + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#error#': + - "95" + '#none#': + - "2" + scriptarguments: + username: + complex: + root: UserAD + separatecontext: false + continueonerror: true + continueonerrortype: errorPath + view: |- + { + "position": { + "x": 950, + "y": 1470 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "52": + id: "52" + taskid: 64ddf917-048c-444b-8fea-b9529a3ad0b3 + type: condition + task: + id: 64ddf917-048c-444b-8fea-b9529a3ad0b3 + version: -1 + name: Is Username selected? + description: Check if the analyst selected any users to block + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "39" + "yes": + - "46" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: Which Users you would like to Block? Choose from the following + lists :.Answers.0 + iscontext: true + right: + value: {} + - operator: isNotEmpty + left: + value: + simple: Which sensitive users you would like to Block? Choose from + the following lists :.Answers.0 + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": -2230, + "y": -10 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "53": + id: "53" + taskid: 8791822e-5e1e-4b28-82d9-a822aa17108d + type: condition + task: + id: 8791822e-5e1e-4b28-82d9-a822aa17108d + version: -1 + name: Is Slack IAM Integration Enabled? + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no' + scriptName: IsIntegrationAvailable + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "2" + "yes": + - "81" + scriptarguments: + brandname: + simple: Slack IAM + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -2410, + "y": 715 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "54": + id: "54" + taskid: e2aaa6e8-de1f-4399-8e89-2321fe4fa030 + type: title + task: + id: e2aaa6e8-de1f-4399-8e89-2321fe4fa030 + version: -1 + name: Slack IAM + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "53" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -2410, + "y": 555 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "55": + id: "55" + taskid: e8b7f7a8-2b9c-44ef-8eff-ceb494799432 + type: condition + task: + id: e8b7f7a8-2b9c-44ef-8eff-ceb494799432 + version: -1 + name: Is ServiceNow IAM Integration Enabled? + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no' + scriptName: IsIntegrationAvailable + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "2" + "yes": + - "81" + scriptarguments: + brandname: + simple: ServiceNow IAM + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -2840, + "y": 715 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "56": + id: "56" + taskid: 6a694bcc-610d-46c4-8d22-dec644076b78 + type: title + task: + id: 6a694bcc-610d-46c4-8d22-dec644076b78 + version: -1 + name: ServiceNow IAM + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "55" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -2840, + "y": 555 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "57": + id: "57" + taskid: 6345f42c-51a8-401f-8099-ecea5a0403c4 + type: condition + task: + id: 6345f42c-51a8-401f-8099-ecea5a0403c4 + version: -1 + name: Is Salesforce IAM Integration Enabled? + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no' + scriptName: IsIntegrationAvailable + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "2" + "yes": + - "81" + scriptarguments: + brandname: + simple: Salesforce IAM + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -3260, + "y": 715 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "58": + id: "58" + taskid: dba2b9c1-cb47-41a9-8386-1de15a47de2d + type: title + task: + id: dba2b9c1-cb47-41a9-8386-1de15a47de2d + version: -1 + name: Salesforce IAM + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "57" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -3260, + "y": 555 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "59": + id: "59" + taskid: c6cb894b-65a5-4e85-87f4-debe4d8cdbfe + type: condition + task: + id: c6cb894b-65a5-4e85-87f4-debe4d8cdbfe + version: -1 + name: Is PrismaCloud IAM Integration Enabled? + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no' + scriptName: IsIntegrationAvailable + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "2" + "yes": + - "81" + scriptarguments: + brandname: + simple: PrismaCloud IAM + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -3690, + "y": 715 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "60": + id: "60" + taskid: de7c1b4f-0ecc-4782-8346-50b679dac66b + type: title + task: + id: de7c1b4f-0ecc-4782-8346-50b679dac66b + version: -1 + name: PrismaCloud IAM + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "59" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -3690, + "y": 555 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "63": + id: "63" + taskid: 1a19cd62-eafa-4b66-80aa-b397a439f52c + type: condition + task: + id: 1a19cd62-eafa-4b66-80aa-b397a439f52c + version: -1 + name: Is Microsoft Graph User Integration Enabled? + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no' + scriptName: IsIntegrationAvailable + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "2" + "yes": + - "78" + scriptarguments: + brandname: + simple: Microsoft Graph User + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1480, + "y": 715 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "64": + id: "64" + taskid: 31d15f37-d89d-4d09-8009-2a60c76d0b5e + type: title + task: + id: 31d15f37-d89d-4d09-8009-2a60c76d0b5e + version: -1 + name: Microsoft Graph User + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "63" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1480, + "y": 555 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "65": + id: "65" + taskid: 31592372-486c-4648-8376-8889941df6c8 + type: condition + task: + id: 31592372-486c-4648-8376-8889941df6c8 + version: -1 + name: Is Zoom IAM Integration Enabled? + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no' + scriptName: IsIntegrationAvailable + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "2" + "yes": + - "81" + scriptarguments: + brandname: + simple: Zoom_IAM + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -4120, + "y": 715 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "66": + id: "66" + taskid: b98574a0-93fc-423b-87e1-bf888db3881a + type: title + task: + id: b98574a0-93fc-423b-87e1-bf888db3881a + version: -1 + name: Zoom IAM + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "65" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -4120, + "y": 555 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "67": + id: "67" + taskid: deb7235b-0e73-4aa7-8e3e-2b07ad73daf9 + type: condition + task: + id: deb7235b-0e73-4aa7-8e3e-2b07ad73daf9 + version: -1 + name: Is Atlassian IAM Integration Enabled? + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no' + scriptName: IsIntegrationAvailable + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "2" + "yes": + - "81" + scriptarguments: + brandname: + simple: Atlassian IAM + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -4550, + "y": 715 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "68": + id: "68" + taskid: 5e5c6e1e-8c3a-42b8-85bd-3646e9b01531 + type: title + task: + id: 5e5c6e1e-8c3a-42b8-85bd-3646e9b01531 + version: -1 + name: Atlassian IAM + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "67" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -4550, + "y": 555 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "69": + id: "69" + taskid: cb58e6b2-a32f-4fc2-ba81-b4f0720441be + type: regular + task: + id: cb58e6b2-a32f-4fc2-ba81-b4f0720441be + version: -1 + name: Microsoft Graph User - Disable Account + description: |- + Disables a user from all Office 365 applications, and prevents sign in. Note: This command disables user, + but does not terminate an existing session. Supported only in a self deployed app flow with the + Permission: Directory.AccessAsUser.All(Delegated) + script: Microsoft Graph User|||msgraph-user-account-disable + type: regular + iscommand: true + brand: Microsoft Graph User + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#error#': + - "95" + '#none#': + - "2" + scriptarguments: + user: + complex: + root: UserMSGraph + separatecontext: false + continueonerror: true + continueonerrortype: errorPath + view: |- + { + "position": { + "x": 1760, + "y": 1470 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "70": + id: "70" + taskid: 909312b6-5f6e-451c-83dd-a00e31c49197 + type: condition + task: + id: 909312b6-5f6e-451c-83dd-a00e31c49197 + version: -1 + name: Is GitHub IAM Integration Enabled? + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no' + scriptName: IsIntegrationAvailable + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "2" + "yes": + - "81" + scriptarguments: + brandname: + simple: GitHub IAM + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -4970, + "y": 715 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "71": + id: "71" + taskid: 4f6321ef-dfb9-41fd-8a72-61bea5cff007 + type: title + task: + id: 4f6321ef-dfb9-41fd-8a72-61bea5cff007 + version: -1 + name: GitHub IAM + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "70" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -4970, + "y": 555 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "72": + id: "72" + taskid: a274143d-2455-4679-8064-41a6cc01e1be + type: condition + task: + id: a274143d-2455-4679-8064-41a6cc01e1be + version: -1 + name: Is Google Workspace Admin Integration Enabled? + description: Returns 'yes' if integration brand is available. Otherwise returns + 'no' + scriptName: IsIntegrationAvailable + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "2" + "yes": + - "93" + scriptarguments: + brandname: + simple: GSuiteAdmin + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1900, + "y": 715 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "73": + id: "73" + taskid: fa1e6574-7969-4b44-8593-b2244060cebe + type: title + task: + id: fa1e6574-7969-4b44-8593-b2244060cebe + version: -1 + name: Google Workspace Admin + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "72" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1900, + "y": 555 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "74": + id: "74" + taskid: 4b7d31c1-6339-4d9f-8d1a-3ff4abe20efb + type: regular + task: + id: 4b7d31c1-6339-4d9f-8d1a-3ff4abe20efb + version: -1 + name: Google Workspace Admin - Disable Account + description: Updates a user. + script: GSuiteAdmin|||gsuite-user-update + type: regular + iscommand: true + brand: GSuiteAdmin + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#error#': + - "95" + '#none#': + - "2" + scriptarguments: + suspended: + simple: "true" + user_key: + complex: + root: Blocklist + accessor: Final + separatecontext: false + continueonerror: true + continueonerrortype: errorPath + view: |- + { + "position": { + "x": 1900, + "y": 1100 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "75": + id: "75" + taskid: 8aefedd7-a4f0-49ae-a63e-107b955fa96f + type: regular + task: + id: 8aefedd7-a4f0-49ae-a63e-107b955fa96f + version: -1 + name: Get Account IDs From SailPoint + description: Fetch accounts by search/filter parameters (id, display_name, last_refresh, + native_identity, last_target_agg, identity_name & application_name) using + IdentityIQ SCIM APIs. + script: SailPointIdentityIQ|||identityiq-get-accounts + type: regular + iscommand: true + brand: SailPointIdentityIQ + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#error#': + - "95" + '#none#': + - "85" + scriptarguments: + display_name: + complex: + root: Blocklist + accessor: Final + separatecontext: false + continueonerror: true + continueonerrortype: errorPath + view: |- + { + "position": { + "x": 640, + "y": 890 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "76": + id: "76" + taskid: 0f3e3317-a5f1-4708-9100-71d8deee6269 + type: regular + task: + id: 0f3e3317-a5f1-4708-9100-71d8deee6269 + version: -1 + name: Active Directory - Get User + description: Retrieves detailed information about a user account. The user can + be specified by name, email address, or as an Active Directory Distinguished + Name (DN). If no filter is specified, all users are returned. + script: '|||ad-get-user' + type: regular + iscommand: true + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#error#': + - "95" + '#none#': + - "77" + scriptarguments: + extend-context: + simple: UserAD=attributes.sAMAccountName + ignore-outputs: + simple: "true" + username: + complex: + root: Blocklist + accessor: Final + separatecontext: false + continueonerror: true + continueonerrortype: errorPath + view: |- + { + "position": { + "x": 1050, + "y": 920 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "77": + id: "77" + taskid: 419df6f0-2416-4a48-8124-eb64ce5da93a + type: condition + task: + id: 419df6f0-2416-4a48-8124-eb64ce5da93a + version: -1 + name: Does the username exist? + description: Verify that the user exists. + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "2" + "yes": + - "87" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isExists + left: + value: + simple: UserAD + iscontext: true + right: + value: {} + continueonerrortype: "" + view: |- + { + "position": { + "x": 1050, + "y": 1090 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "78": + id: "78" + taskid: b4f253c0-79aa-4f96-aea6-0b24102a78f9 + type: regular + task: + id: b4f253c0-79aa-4f96-aea6-0b24102a78f9 + version: -1 + name: Microsoft Graph User - Get User + description: |- + Retrieves the properties and relationships of a user object. For more information, visit: https://docs.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0. + Permissions: - User.Read (Delegated) - User.Read.All (Application). + script: Microsoft Graph User|||msgraph-user-get + type: regular + iscommand: true + brand: Microsoft Graph User + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#error#': + - "95" + '#none#': + - "79" + scriptarguments: + extend-context: + simple: UserMSGraph=id + ignore-outputs: + simple: "true" + user: + complex: + root: Blocklist + accessor: Final + separatecontext: false + continueonerror: true + continueonerrortype: errorPath + view: |- + { + "position": { + "x": 1480, + "y": 920 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "79": + id: "79" + taskid: 6a4ebfcb-e506-4333-81b5-8889065e2fbe + type: condition + task: + id: 6a4ebfcb-e506-4333-81b5-8889065e2fbe + version: -1 + name: Does the username exist? + description: Verify that the user exists. + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "2" + "yes": + - "89" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isExists + left: + value: + simple: UserMSGraph + iscontext: true + right: + value: {} + continueonerrortype: "" + view: |- + { + "position": { + "x": 1480, + "y": 1090 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "81": + id: "81" + taskid: 32ae003a-1fa5-4b05-96c2-c8fa23554814 + type: condition + task: + id: 32ae003a-1fa5-4b05-96c2-c8fa23554814 + version: -1 + name: Run Mode? + scriptName: ShadowModeRouter_V3 + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + Full Run: + - "33" + Shadow Mode: + - "82" + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -1460, + "y": 990 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "82": + id: "82" + taskid: 4a7ea37e-8c02-4d25-9012-ba3bfabc15e6 + type: regular + task: + id: 4a7ea37e-8c02-4d25-9012-ba3bfabc15e6 + version: -1 + name: 'Shadow: IAM Disable User' + description: Prints text to war room (Markdown supported) + scriptName: Print + type: regular + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "2" + scriptarguments: + value: + simple: |- + Shadow: IAM Disable User + Command: iam-disable-user ${Blocklist.Final} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -1700, + "y": 1220 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "83": + id: "83" + taskid: 096e41dc-b0ba-457c-a0ff-958eab5cad2b + type: condition + task: + id: 096e41dc-b0ba-457c-a0ff-958eab5cad2b + version: -1 + name: Run Mode? + scriptName: ShadowModeRouter_V3 + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + Full Run: + - "34" + Shadow Mode: + - "84" + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 200, + "y": 1000 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "84": + id: "84" + taskid: e83f7e76-e9f7-4278-9c78-c1efaac3b8c8 + type: regular + task: + id: e83f7e76-e9f7-4278-9c78-c1efaac3b8c8 + version: -1 + name: 'Shadow: PingOne Deactivate User' + description: Prints text to war room (Markdown supported) + scriptName: Print + type: regular + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "2" + scriptarguments: + value: + simple: |- + Shadow: PingOne Deactivate User + Command: pingone-deactivate-user + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -30, + "y": 1190 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "85": + id: "85" + taskid: 0a07259b-b2fd-4202-802e-dca83c86e91a + type: condition + task: + id: 0a07259b-b2fd-4202-802e-dca83c86e91a + version: -1 + name: Run Mode? + scriptName: ShadowModeRouter_V3 + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + Full Run: + - "35" + Shadow Mode: + - "86" + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 390, + "y": 1220 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "86": + id: "86" + taskid: a78dbb56-315e-4dcf-9099-e24e9c571cc9 + type: regular + task: + id: a78dbb56-315e-4dcf-9099-e24e9c571cc9 + version: -1 + name: 'Shadow: SailPoint Disable User' + description: Prints text to war room (Markdown supported) + scriptName: Print + type: regular + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "2" + scriptarguments: + value: + simple: |- + Shadow: SailPoint Disable User + Command: identityiq-disable-account + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 550, + "y": 1470 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "87": + id: "87" + taskid: 8f693a0b-31be-4a22-bcce-b5ba123f1fac + type: condition + task: + id: 8f693a0b-31be-4a22-bcce-b5ba123f1fac + version: -1 + name: Run Mode? + scriptName: ShadowModeRouter_V3 + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + Full Run: + - "48" + Shadow Mode: + - "88" + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1050, + "y": 1280 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "88": + id: "88" + taskid: ed3e629c-2483-4afe-b75d-ccb79180b48b + type: regular + task: + id: ed3e629c-2483-4afe-b75d-ccb79180b48b + version: -1 + name: 'Shadow: Active Directory Disable Account' + description: Prints text to war room (Markdown supported) + scriptName: Print + type: regular + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "2" + scriptarguments: + value: + simple: |- + Shadow: Active Directory Disable Account + Command: ad-disable-account ${UserAD} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1350, + "y": 1470 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "89": + id: "89" + taskid: 2bc496f7-3119-4341-8a3c-7330377148f7 + type: condition + task: + id: 2bc496f7-3119-4341-8a3c-7330377148f7 + version: -1 + name: Run Mode? + scriptName: ShadowModeRouter_V3 + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + Full Run: + - "69" + Shadow Mode: + - "90" + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1620, + "y": 1280 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "90": + id: "90" + taskid: d446c5e6-d5a2-4ce3-b0f9-3b56cca55d17 + type: regular + task: + id: d446c5e6-d5a2-4ce3-b0f9-3b56cca55d17 + version: -1 + name: 'Shadow: Microsoft Graph User Disable Account' + description: Prints text to war room (Markdown supported) + scriptName: Print + type: regular + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "2" + scriptarguments: + user: + simple: |- + Shadow: Microsoft Graph User Disable Account + Command: msgraph-user-account-disable + value: + simple: |- + Shadow: Microsoft Graph User Disable Account + Command: ${UserMSGraph} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 2170, + "y": 1470 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "91": + id: "91" + taskid: f5c259de-a8b6-4df6-be44-a9ee299b061b + type: condition + task: + id: f5c259de-a8b6-4df6-be44-a9ee299b061b + version: -1 + name: Run Mode? + scriptName: ShadowModeRouter_V3 + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + Full Run: + - "15" + Shadow Mode: + - "92" + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 2700, + "y": 1120 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "92": + id: "92" + taskid: 067be8bb-a616-4b36-b846-8314a63f9939 + type: regular + task: + id: 067be8bb-a616-4b36-b846-8314a63f9939 + version: -1 + name: 'Shadow: PAN-OS Register Tag to User' + description: Prints text to war room (Markdown supported) + scriptName: Print + type: regular + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "2" + scriptarguments: + user: + simple: |- + Shadow: Microsoft Graph User Disable Account + Command: msgraph-user-account-disable + value: + simple: |- + Shadow: PAN-OS Register Tag to User + Command: pan-os-register-user-tag ${Blocklist.Final} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 2950, + "y": 1280 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "93": + id: "93" + taskid: 05d57e0f-4bdb-4f6b-aa39-473461333d71 + type: condition + task: + id: 05d57e0f-4bdb-4f6b-aa39-473461333d71 + version: -1 + name: Run Mode? + scriptName: ShadowModeRouter_V3 + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + Full Run: + - "74" + Shadow Mode: + - "94" + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1900, + "y": 940 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "94": + id: "94" + taskid: 4145c31a-0721-4050-86fd-eca739f88df8 + type: regular + task: + id: 4145c31a-0721-4050-86fd-eca739f88df8 + version: -1 + name: 'Shadow: Google Workspace Admin - Disable User' + description: Prints text to war room (Markdown supported) + scriptName: Print + type: regular + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "2" + scriptarguments: + user: + simple: |- + Shadow: Microsoft Graph User Disable Account + Command: msgraph-user-account-disable + value: + simple: | + Shadow: Google Workspace Admin - Disable User + Command: gsuite-user-data
 separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 2300, + "y": 1100 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "95": + id: "95" + taskid: 5c74b657-98a4-4b8a-8364-d7f8ba406552 + type: playbook + task: + id: 5c74b657-98a4-4b8a-8364-d7f8ba406552 + version: -1 + name: Foundation - Error Handling_V3 + playbookName: Foundation - Error Handling_V3 + type: playbook + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + separatecontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": -530, + "y": 1652.5 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false +system: true +view: |- + { + "linkLabelsPosition": { + "16_2_#default#": 0.1, + "16_91_yes": 0.9, + "26_2_#default#": 0.11, + "26_81_yes": 0.84, + "27_2_#default#": 0.1, + "28_2_#default#": 0.15, + "28_81_yes": 0.1, + "29_2_#default#": 0.11, + "29_83_yes": 0.36, + "30_2_#default#": 0.26, + "30_81_yes": 0.11, + "31_2_#default#": 0.27, + "31_81_yes": 0.12, + "32_2_#default#": 0.18, + "32_81_yes": 0.85, + "36_2_#default#": 0.1, + "37_2_#default#": 0.12, + "43_44_yes": 0.49, + "52_39_#default#": 0.2, + "53_2_#default#": 0.1, + "53_81_yes": 0.79, + "55_2_#default#": 0.1, + "55_81_yes": 0.86, + "57_2_#default#": 0.1, + "57_81_yes": 0.18, + "59_2_#default#": 0.1, + "59_81_yes": 0.14, + "63_2_#default#": 0.1, + "65_2_#default#": 0.1, + "65_81_yes": 0.1, + "67_2_#default#": 0.1, + "67_81_yes": 0.1, + "70_2_#default#": 0.1, + "70_81_yes": 0.1, + "72_2_#default#": 0.1, + "72_93_yes": 0.44, + "79_89_yes": 0.85, + "8_38_yes": 0.65, + "8_39_#default#": 0.13 + }, + "paper": { + "dimensions": { + "height": 3177.5, + "width": 8700, + "x": -5370, + "y": -1450 + } + } + } +inputs: +- key: Username + value: {} + required: false + description: Array of malicious usernames to block. + playbookInputQuery: null +- key: Tag + value: + simple: Bad Account + required: false + description: PAN-OS Tag name to apply to the username that you want to block. + playbookInputQuery: null +- key: NamingConvention + value: {} + required: false + description: In case you are using naming convention in your IDP, please specify + a prefix for special/service accounts (use comma separated) + playbookInputQuery: null +- key: UserVerification + value: + simple: "True" + required: false + description: |- + Possible values:True/False. Default:True. + Specify if User Verification is Requrired + playbookInputQuery: null +- key: ShadowMode + value: + simple: "true" + required: false + description: "" + playbookInputQuery: null +inputSections: +- inputs: + - Username + - Tag + - NamingConvention + - UserVerification + - ShadowMode + name: General (Inputs group) + description: Generic group for inputs +outputSections: +- outputs: + - Blocklist.Final + name: General (Outputs group) + description: Generic group for outputs +outputs: +- contextPath: Blocklist.Final + description: Blocked accounts. + type: unknown +sourceplaybookid: Block Account - Generic v2 +dirtyInputs: true +adopted: true From 63e07625d60e47471ac58bf66cb6df1e4f279483 Mon Sep 17 00:00:00 2001 From: Scott Brumley Date: Thu, 29 Jan 2026 15:59:02 -0500 Subject: [PATCH 40/49] - Fix Validation - Bump version - Update Catalog --- .../Playbooks/SOC_Account_Enrichment_-_Generic_v2.1_V3.yml | 1 + .../SOC_Containment_Plan_V3_-_Clear_User_Sessions_V3.yml | 1 + .../Playbooks/SOC_Containment_Plan_V3_-_Isolate_Device_V3.yml | 1 + .../Playbooks/SOC_Crowdstrike_Falcon_-_Isolate_Endpoint_V3.yml | 1 + .../SOC_Endpoint_Enrichment_-_Cylance_Protect_v2_V3.yml | 1 + .../Playbooks/SOC_Endpoint_Enrichment_-_Generic_v2.1_V3.yml | 1 + .../Playbooks/SSOC_Block_Account_-_Generic_v2_V3.yml | 1 + .../Playbooks/Foundation_-_Endpoint_Enrichment_V3.yml | 1 + .../Playbooks/Foundation_-_Enrichment_V3.yml | 1 + .../Playbooks/Foundation_-_Upon_Trigger_V3.yml | 1 + Packs/soc-optimization-unified/Playbooks/SOC_Containment_V3.yml | 1 + .../Playbooks/SOC_Endpoint_Containment_V3.yml | 1 + .../Playbooks/SOC_Identity_Containment_V3.yml | 1 + .../Playbooks/SOC_Trend_Micro_Alert_Enrichment.yml | 1 + 14 files changed, 14 insertions(+) diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Account_Enrichment_-_Generic_v2.1_V3.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Account_Enrichment_-_Generic_v2.1_V3.yml index f817ff5..de696f1 100644 --- a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Account_Enrichment_-_Generic_v2.1_V3.yml +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Account_Enrichment_-_Generic_v2.1_V3.yml @@ -1,3 +1,4 @@ +fromversion: 5.0.0 id: SOC Account Enrichment - Generic v2.1_V3 version: 3 contentitemexportablefields: diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Containment_Plan_V3_-_Clear_User_Sessions_V3.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Containment_Plan_V3_-_Clear_User_Sessions_V3.yml index 5692ae9..adeeb74 100644 --- a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Containment_Plan_V3_-_Clear_User_Sessions_V3.yml +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Containment_Plan_V3_-_Clear_User_Sessions_V3.yml @@ -1,3 +1,4 @@ +fromversion: 5.0.0 id: SOC Containment Plan_V3 - Clear User Sessions_V3 version: 4 contentitemexportablefields: diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Containment_Plan_V3_-_Isolate_Device_V3.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Containment_Plan_V3_-_Isolate_Device_V3.yml index cb3843e..54314f4 100644 --- a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Containment_Plan_V3_-_Isolate_Device_V3.yml +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Containment_Plan_V3_-_Isolate_Device_V3.yml @@ -1,3 +1,4 @@ +fromversion: 5.0.0 id: SOC Containment Plan_V3 - Isolate Device_V3 version: 3 contentitemexportablefields: diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Crowdstrike_Falcon_-_Isolate_Endpoint_V3.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Crowdstrike_Falcon_-_Isolate_Endpoint_V3.yml index 2101c0f..5235107 100644 --- a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Crowdstrike_Falcon_-_Isolate_Endpoint_V3.yml +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Crowdstrike_Falcon_-_Isolate_Endpoint_V3.yml @@ -1,3 +1,4 @@ +fromversion: 5.0.0 id: SOC Crowdstrike Falcon - Isolate Endpoint_V3 version: 3 contentitemexportablefields: diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Endpoint_Enrichment_-_Cylance_Protect_v2_V3.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Endpoint_Enrichment_-_Cylance_Protect_v2_V3.yml index 143371e..7752cb5 100644 --- a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Endpoint_Enrichment_-_Cylance_Protect_v2_V3.yml +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Endpoint_Enrichment_-_Cylance_Protect_v2_V3.yml @@ -1,3 +1,4 @@ +fromversion: 5.0.0 id: SOC Endpoint Enrichment - Cylance Protect v2_V3 version: 3 contentitemexportablefields: diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Endpoint_Enrichment_-_Generic_v2.1_V3.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Endpoint_Enrichment_-_Generic_v2.1_V3.yml index f25affe..fa83a67 100644 --- a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Endpoint_Enrichment_-_Generic_v2.1_V3.yml +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Endpoint_Enrichment_-_Generic_v2.1_V3.yml @@ -1,3 +1,4 @@ +fromversion: 5.0.0 id: SOC Endpoint Enrichment - Generic v2.1_V3 version: 6 contentitemexportablefields: diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SSOC_Block_Account_-_Generic_v2_V3.yml b/Packs/soc-common-playbooks-unified/Playbooks/SSOC_Block_Account_-_Generic_v2_V3.yml index 7dfb9a2..23eb60a 100644 --- a/Packs/soc-common-playbooks-unified/Playbooks/SSOC_Block_Account_-_Generic_v2_V3.yml +++ b/Packs/soc-common-playbooks-unified/Playbooks/SSOC_Block_Account_-_Generic_v2_V3.yml @@ -1,3 +1,4 @@ +fromversion: 5.0.0 id: SSOC Block Account - Generic v2_V3 version: 4 contentitemexportablefields: diff --git a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Endpoint_Enrichment_V3.yml b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Endpoint_Enrichment_V3.yml index 9f10237..f71136c 100644 --- a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Endpoint_Enrichment_V3.yml +++ b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Endpoint_Enrichment_V3.yml @@ -1,3 +1,4 @@ +fromversion: 5.0.0 id: Foundation - Endpoint Enrichment_V3 version: 5 contentitemexportablefields: diff --git a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Enrichment_V3.yml b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Enrichment_V3.yml index e7c7ebf..60e8135 100644 --- a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Enrichment_V3.yml +++ b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Enrichment_V3.yml @@ -1,3 +1,4 @@ +fromversion: 5.0.0 id: Foundation - Enrichment_V3 version: 13 contentitemexportablefields: diff --git a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Upon_Trigger_V3.yml b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Upon_Trigger_V3.yml index 130ba19..b0c411e 100644 --- a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Upon_Trigger_V3.yml +++ b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Upon_Trigger_V3.yml @@ -1,3 +1,4 @@ +fromversion: 5.0.0 id: Foundation - Upon Trigger V3 version: 6 contentitemexportablefields: diff --git a/Packs/soc-optimization-unified/Playbooks/SOC_Containment_V3.yml b/Packs/soc-optimization-unified/Playbooks/SOC_Containment_V3.yml index 6c1c3ee..d7d3367 100644 --- a/Packs/soc-optimization-unified/Playbooks/SOC_Containment_V3.yml +++ b/Packs/soc-optimization-unified/Playbooks/SOC_Containment_V3.yml @@ -1,3 +1,4 @@ +fromversion: 5.0.0 id: SOC Containment_V3 version: 3 contentitemexportablefields: diff --git a/Packs/soc-optimization-unified/Playbooks/SOC_Endpoint_Containment_V3.yml b/Packs/soc-optimization-unified/Playbooks/SOC_Endpoint_Containment_V3.yml index c55a4d9..e44617d 100644 --- a/Packs/soc-optimization-unified/Playbooks/SOC_Endpoint_Containment_V3.yml +++ b/Packs/soc-optimization-unified/Playbooks/SOC_Endpoint_Containment_V3.yml @@ -1,3 +1,4 @@ +fromversion: 5.0.0 id: SOC Endpoint Containment_V3 version: 4 contentitemexportablefields: diff --git a/Packs/soc-optimization-unified/Playbooks/SOC_Identity_Containment_V3.yml b/Packs/soc-optimization-unified/Playbooks/SOC_Identity_Containment_V3.yml index 8145c81..4c3c535 100644 --- a/Packs/soc-optimization-unified/Playbooks/SOC_Identity_Containment_V3.yml +++ b/Packs/soc-optimization-unified/Playbooks/SOC_Identity_Containment_V3.yml @@ -1,3 +1,4 @@ +fromversion: 5.0.0 id: SOC Identity Containment_V3 version: 5 contentitemexportablefields: diff --git a/Packs/soc-trendmicro-visionone/Playbooks/SOC_Trend_Micro_Alert_Enrichment.yml b/Packs/soc-trendmicro-visionone/Playbooks/SOC_Trend_Micro_Alert_Enrichment.yml index 35e6827..40080a1 100644 --- a/Packs/soc-trendmicro-visionone/Playbooks/SOC_Trend_Micro_Alert_Enrichment.yml +++ b/Packs/soc-trendmicro-visionone/Playbooks/SOC_Trend_Micro_Alert_Enrichment.yml @@ -1,3 +1,4 @@ +fromversion: 5.0.0 id: SOC Trend Micro Alert Enrichment version: 3 contentitemexportablefields: From e13590c3c06840ca6786701e60343abca6307bd5 Mon Sep 17 00:00:00 2001 From: Scott Brumley Date: Thu, 29 Jan 2026 16:19:32 -0500 Subject: [PATCH 41/49] - Fix Dedup playbook missing --- .../Foundation_-_Upon_Trigger_V3.yml | 77 +++++++++---------- 1 file changed, 35 insertions(+), 42 deletions(-) diff --git a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Upon_Trigger_V3.yml b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Upon_Trigger_V3.yml index b0c411e..28ef4a9 100644 --- a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Upon_Trigger_V3.yml +++ b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Upon_Trigger_V3.yml @@ -1,6 +1,5 @@ -fromversion: 5.0.0 id: Foundation - Upon Trigger V3 -version: 6 +version: 3 contentitemexportablefields: contentitemfields: packID: soc-optimization-unified @@ -161,7 +160,7 @@ tasks: istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "22" + - "35" separatecontext: false continueonerrortype: "" view: |- @@ -303,45 +302,6 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "22": - id: "22" - taskid: affbdad4-0d9f-4822-8ff0-30bdda250e0e - type: playbook - task: - id: affbdad4-0d9f-4822-8ff0-30bdda250e0e - version: -1 - name: Foundation - Dedup_V3 - description: A simple Dedup to insure alerts are not executed on more than once. - playbookName: Foundation - Dedup_V3 - type: playbook - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false - nexttasks: - '#none#': - - "6" - separatecontext: true - continueonerrortype: "" - loop: - iscommand: false - exitCondition: "" - wait: 1 - max: 100 - view: |- - { - "position": { - "x": 50, - "y": 1810 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "23": id: "23" taskid: c5f48fdf-5a69-4392-8a11-332b1ddef033 @@ -667,6 +627,39 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + "35": + id: "35" + taskid: 1d4e4498-5b23-4b7f-89ba-646cd8f33034 + type: playbook + task: + id: 1d4e4498-5b23-4b7f-89ba-646cd8f33034 + version: -1 + name: Foundation - Dedup_V3 + playbookName: Foundation - Dedup_V3 + type: playbook + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "6" + separatecontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 50, + "y": 1802.20703125 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false system: true view: |- { From 78f4f656b3a973df816ad711755ba7d2ce1127c2 Mon Sep 17 00:00:00 2001 From: Scott Brumley Date: Thu, 29 Jan 2026 16:26:44 -0500 Subject: [PATCH 42/49] - Playbook Validation Fix --- .../Playbooks/Foundation_-_Upon_Trigger_V3.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Upon_Trigger_V3.yml b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Upon_Trigger_V3.yml index 28ef4a9..a2599bd 100644 --- a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Upon_Trigger_V3.yml +++ b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Upon_Trigger_V3.yml @@ -1,3 +1,4 @@ +fromversion: 5.0.0 id: Foundation - Upon Trigger V3 version: 3 contentitemexportablefields: From 93cd644f9e1d55668b677ecfa0522ce88a107e0b Mon Sep 17 00:00:00 2001 From: Scott Brumley Date: Fri, 30 Jan 2026 14:14:48 -0500 Subject: [PATCH 43/49] - Fixed inputs and Error Handling issues --- ...ntainment_Plan_V3_-_Quarantine_File_V3.yml | 1172 +++++++++++++++++ .../Playbooks/SOC_Containment_V3.yml | 14 +- .../Playbooks/SOC_Identity_Containment_V3.yml | 8 +- 3 files changed, 1184 insertions(+), 10 deletions(-) create mode 100644 Packs/soc-common-playbooks-unified/Playbooks/SOC_Containment_Plan_V3_-_Quarantine_File_V3.yml diff --git a/Packs/soc-common-playbooks-unified/Playbooks/SOC_Containment_Plan_V3_-_Quarantine_File_V3.yml b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Containment_Plan_V3_-_Quarantine_File_V3.yml new file mode 100644 index 0000000..d7730a0 --- /dev/null +++ b/Packs/soc-common-playbooks-unified/Playbooks/SOC_Containment_Plan_V3_-_Quarantine_File_V3.yml @@ -0,0 +1,1172 @@ +fromversion: 5.0.0 +id: SOC Containment Plan_V3 - Quarantine File_V3 +version: 4 +contentitemexportablefields: + contentitemfields: + packID: soc-common-playbooks-unified + packName: SOC Common Playbooks Unified + itemVersion: 2.7.52 + fromServerVersion: 5.0.0 + toServerVersion: "" + definitionid: "" + prevname: "" + isoverridable: false + supportedModules: + - X1 + - X3 + - X5 + - ENT_PLUS +vcShouldKeepItemLegacyProdMachine: false +name: SOC Containment Plan_V3 - Quarantine File_V3 +description: |- + ## Containment Plan - Quarantine File + + This playbook is a sub-playbook within the containment plan playbook. + The playbook quarantines files using core commands. +tags: +- SOC +- SOC_Framework +starttaskid: "0" +tasks: + "0": + id: "0" + taskid: 0c4f76b8-840e-49d6-83ea-28853fed1128 + type: start + task: + id: 0c4f76b8-840e-49d6-83ea-28853fed1128 + version: -1 + name: "" + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "17" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -40, + "y": -369 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "2": + id: "2" + taskid: 397f4b57-3b4f-40ed-8871-59fb281d5a77 + type: title + task: + id: 397f4b57-3b4f-40ed-8871-59fb281d5a77 + version: -1 + name: Done + type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -270, + "y": 1237.5 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "7": + id: "7" + taskid: a0ceb1ef-9c66-4295-8ab8-8ff9b8cbbf2f + type: regular + task: + id: a0ceb1ef-9c66-4295-8ab8-8ff9b8cbbf2f + version: -1 + name: Get file quarantine status + description: Retrieves the quarantine status for a selected file. + script: '|||core-get-quarantine-status' + type: regular + iscommand: true + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "13" + scriptarguments: + endpoint_id: + complex: + root: inputs.EndpointID + file_hash: + complex: + root: foundIncidents.CustomFields + accessor: initiatorsha256 + transformers: + - operator: SetIfEmpty + args: + applyIfEmpty: {} + defaultValue: + value: + simple: inputs.FileHash + iscontext: true + file_path: + complex: + root: foundIncidents.CustomFields + accessor: initiatorpath + transformers: + - operator: SetIfEmpty + args: + applyIfEmpty: {} + defaultValue: + value: + simple: inputs.FilePath + iscontext: true + separatecontext: false + continueonerror: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 453, + "y": -83 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "8": + id: "8" + taskid: 89dc07eb-a901-499e-b0c0-b304bee7166e + type: regular + task: + id: 89dc07eb-a901-499e-b0c0-b304bee7166e + version: -1 + name: File quarantine + description: Quarantines a file on selected endpoints. You can select up to + 1000 endpoints. + script: '|||core-quarantine-files' + type: regular + iscommand: true + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#error#': + - "29" + '#none#': + - "15" + scriptarguments: + endpoint_id_list: + complex: + root: inputs.EndpointID + file_hash: + complex: + root: foundIncidents.CustomFields + filters: + - - operator: isNotEqualString + left: + value: + simple: foundIncidents.CustomFields.initiatorpath + iscontext: true + right: + value: + simple: c:\windows\explorer.exe + ignorecase: true + accessor: initiatorsha256 + transformers: + - operator: SetIfEmpty + args: + applyIfEmpty: {} + defaultValue: + value: + simple: inputs.FileHash + iscontext: true + file_path: + complex: + root: foundIncidents.CustomFields.initiatorpath + filters: + - - operator: isNotEqualString + left: + value: + simple: foundIncidents.CustomFields.initiatorpath + iscontext: true + right: + value: + simple: c:\windows\explorer.exe + ignorecase: true + transformers: + - operator: SetIfEmpty + args: + applyIfEmpty: {} + defaultValue: + value: + simple: inputs.FilePath + iscontext: true + interval_in_seconds: + simple: "20" + timeout_in_seconds: + simple: "120" + separatecontext: false + continueonerror: true + continueonerrortype: errorPath + view: |- + { + "position": { + "x": 453, + "y": 399 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "9": + id: "9" + taskid: ceb94556-4fbc-4a33-8cfe-3fbe2669a059 + type: regular + task: + id: ceb94556-4fbc-4a33-8cfe-3fbe2669a059 + version: -1 + name: Set quarantine files per endpoints to the Alert context + description: commands.local.cmd.set.parent.alert.context + script: Builtin|||setParentIncidentContext + type: regular + iscommand: true + brand: Builtin + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#error#': + - "29" + '#none#': + - "2" + scriptarguments: + key: + simple: QuarantinedFilesFromEndpoints + value: + complex: + root: Core.quarantineFiles + accessor: actionIds + separatecontext: false + continueonerror: true + continueonerrortype: errorPath + view: |- + { + "position": { + "x": 440, + "y": 1072 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "13": + id: "13" + taskid: 1208d3af-a6d7-4126-86f2-1c84f8659895 + type: condition + task: + id: 1208d3af-a6d7-4126-86f2-1c84f8659895 + version: -1 + name: Should quarantine file? + description: Whether to quarantine the files based on the input values and the + alert context. + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "2" + "yes": + - "27" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.FileContainment + iscontext: true + right: + value: + simple: "True" + ignorecase: true + - - operator: isEqualString + left: + value: + complex: + root: inputs.FileRemediation + iscontext: true + right: + value: + simple: Quarantine + ignorecase: true + - - operator: isEqualString + left: + value: + complex: + root: Core.quarantineFiles.status + accessor: status + iscontext: true + right: + value: + simple: "False" + ignorecase: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 453, + "y": 42 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "15": + id: "15" + taskid: 410c04ef-0afc-4578-8b1b-b1a3de96debf + type: condition + task: + id: 410c04ef-0afc-4578-8b1b-b1a3de96debf + version: -1 + name: Was the file quarantined? + description: Checks if the quarantining of the file was successful. + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "25" + "yes": + - "16" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEqualString + left: + value: + complex: + root: Core.GetActionStatus + accessor: status + iscontext: true + right: + value: + simple: FAILED + ignorecase: true + - - operator: isNotEmpty + left: + value: + complex: + root: Core.GetActionStatus + accessor: status + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 200, + "y": 830 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "16": + id: "16" + taskid: c5d82818-9538-471e-9ccc-98507a64ba2c + type: regular + task: + id: c5d82818-9538-471e-9ccc-98507a64ba2c + version: -1 + name: Set quarantine files to the context + description: Set a value in context under the key you entered. + scriptName: Set + type: regular + iscommand: false + brand: Builtin + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "9" + scriptarguments: + key: + simple: QuarantinedFilesFromEndpoints + value: + complex: + root: Core.quarantineFiles + accessor: actionIds + separatecontext: false + continueonerror: true + continueonerrortype: errorPath + view: |- + { + "position": { + "x": 440, + "y": 947 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "17": + id: "17" + taskid: fd83526a-3995-475b-8ea6-60233a3f1636 + type: condition + task: + id: fd83526a-3995-475b-8ea6-60233a3f1636 + version: -1 + name: Should isolate automatically? + description: Whether to isolate the device automatically based on the input + values. + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "2" + Auto: + - "7" + Manual: + - "23" + separatecontext: false + conditions: + - label: Auto + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.AutoContainment + iscontext: true + right: + value: + simple: "True" + ignorecase: true + - - operator: isNotEmpty + left: + value: + complex: + root: inputs.EndpointID + iscontext: true + - - operator: isNotEmpty + left: + value: + complex: + root: inputs.FilePath + iscontext: true + - - operator: isNotEmpty + left: + value: + complex: + root: inputs.FileHash + iscontext: true + - label: Manual + condition: + - - operator: isNotEqualString + left: + value: + complex: + root: inputs.AutoContainment + iscontext: true + right: + value: + simple: "True" + ignorecase: true + - - operator: isNotEmpty + left: + value: + complex: + root: inputs.EndpointID + iscontext: true + - - operator: isNotEmpty + left: + value: + complex: + root: inputs.FilePath + iscontext: true + - - operator: isNotEmpty + left: + value: + complex: + root: inputs.FileHash + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": -40, + "y": -251 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "18": + id: "18" + taskid: 8395bf84-b9be-42af-8c0b-cdf64c82b8fa + type: regular + task: + id: 8395bf84-b9be-42af-8c0b-cdf64c82b8fa + version: -1 + name: Get file quarantine status + description: Retrieves the quarantine status for a selected file. + script: '|||core-get-quarantine-status' + type: regular + iscommand: true + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "19" + scriptarguments: + endpoint_id: + complex: + root: inputs.EndpointID + file_hash: + complex: + root: FileHash + filters: + - - operator: stringHasLength + left: + value: + simple: FileHash + iscontext: true + right: + value: + simple: "64" + file_path: + complex: + root: FilePath + separatecontext: false + continueonerror: true + continueonerrortype: "" + view: |- + { + "position": { + "x": -40, + "y": 184 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "19": + id: "19" + taskid: a04c8ae8-b9a2-4a06-8d64-8463dd6582d9 + type: condition + task: + id: a04c8ae8-b9a2-4a06-8d64-8463dd6582d9 + version: -1 + name: Should quarantine file? + description: Whether to quarantine the files based on the input values and the + alert context. + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "2" + "yes": + - "30" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.FileContainment + iscontext: true + right: + value: + simple: "True" + ignorecase: true + - - operator: isEqualString + left: + value: + complex: + root: inputs.FileRemediation + iscontext: true + right: + value: + simple: Quarantine + ignorecase: true + - - operator: isEqualString + left: + value: + complex: + root: Core.quarantineFiles.status + accessor: status + iscontext: true + right: + value: + simple: "False" + ignorecase: true + continueonerrortype: "" + view: |- + { + "position": { + "x": -40, + "y": 329 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "20": + id: "20" + taskid: af1efb6e-37dd-4944-84b2-7bfc93b6268f + type: regular + task: + id: af1efb6e-37dd-4944-84b2-7bfc93b6268f + version: -1 + name: File quarantine + description: Quarantines a file on selected endpoints. You can select up to + 1000 endpoints. + script: '|||core-quarantine-files' + type: regular + iscommand: true + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#error#': + - "29" + '#none#': + - "15" + scriptarguments: + endpoint_id_list: + complex: + root: inputs.EndpointID + file_hash: + complex: + root: FileHash + filters: + - - operator: stringHasLength + left: + value: + simple: FileHash + iscontext: true + right: + value: + simple: "64" + file_path: + complex: + root: FilePath + interval_in_seconds: + simple: "20" + timeout_in_seconds: + simple: "120" + separatecontext: false + continueonerror: true + continueonerrortype: errorPath + view: |- + { + "position": { + "x": 110, + "y": 660 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "23": + id: "23" + taskid: e1bf241e-547f-4d6b-a4d4-e68ebe3caae2 + type: regular + task: + id: e1bf241e-547f-4d6b-a4d4-e68ebe3caae2 + version: -1 + name: Set file path to quarantine + description: Set a value in context under the key you entered. + scriptName: Set + type: regular + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "24" + scriptarguments: + key: + simple: FilePath + value: + complex: + root: inputs.FilePath + transformers: + - operator: RegexExtractAll + args: + error_if_no_match: {} + ignore_case: {} + multi_line: {} + period_matches_newline: {} + regex: + value: + simple: Path\":\"(.+?)\" + unpack_matches: {} + - operator: SetIfEmpty + args: + applyIfEmpty: {} + defaultValue: + value: + simple: No value + - operator: replace + args: + limit: {} + replaceWith: + value: + simple: \ + toReplace: + value: + simple: \\ + separatecontext: false + continueonerror: true + continueonerrortype: "" + view: |- + { + "position": { + "x": -40, + "y": -85 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "24": + id: "24" + taskid: 7bb125df-0044-4313-bdfe-d55a7e22349c + type: regular + task: + id: 7bb125df-0044-4313-bdfe-d55a7e22349c + version: -1 + name: Set file hash to quarantine + description: Set a value in context under the key you entered. + scriptName: Set + type: regular + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "18" + scriptarguments: + key: + simple: FileHash + value: + complex: + root: inputs.FileHash + transformers: + - operator: RegexExtractAll + args: + error_if_no_match: {} + ignore_case: {} + multi_line: {} + period_matches_newline: {} + regex: + value: + simple: Hash\":\"(.+?)\" + unpack_matches: {} + - operator: SetIfEmpty + args: + applyIfEmpty: {} + defaultValue: + value: + simple: No value + separatecontext: false + continueonerror: true + continueonerrortype: "" + view: |- + { + "position": { + "x": -40, + "y": 40 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "25": + id: "25" + taskid: 942487c5-0c60-4be2-aa56-4c85d6718a0f + type: regular + task: + id: 942487c5-0c60-4be2-aa56-4c85d6718a0f + version: -1 + name: Manual action needed – file couldn't be quarantined + description: |- + Dear Analyst, + + The playbook was unable to quarantine the file due to the following possible reasons: + + - The file is not located on the local host. + - The endpoint is currently disconnected. + + Please take manual action to quarantine the file. + type: regular + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "2" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -40, + "y": 977 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "27": + id: "27" + taskid: 8fb7eafb-23ef-461b-87ab-e1eaf7098eaa + type: condition + task: + id: 8fb7eafb-23ef-461b-87ab-e1eaf7098eaa + version: -1 + name: Run Mode? + scriptName: ShadowModeRouter_V3 + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + Full Run: + - "8" + Shadow Mode: + - "28" + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 453, + "y": 200 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "28": + id: "28" + taskid: 00c1159f-3a14-4cce-99d4-19615b7eedc3 + type: regular + task: + id: 00c1159f-3a14-4cce-99d4-19615b7eedc3 + version: -1 + name: 'Shadow: Palo XDR File Qurantine' + description: Prints text to war room (Markdown supported) + scriptName: Print + type: regular + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "16" + scriptarguments: + value: + simple: |- + Shadow: Palo XDR File Qurantine + Command: core-quarantine-file ${inputs.EndpointID} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 870, + "y": 399 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "29": + id: "29" + taskid: e8be217d-5a86-4ddf-84ba-e717a82ecb44 + type: playbook + task: + id: e8be217d-5a86-4ddf-84ba-e717a82ecb44 + version: -1 + name: Foundation - Error Handling_V3 + playbookName: Foundation - Error Handling_V3 + type: playbook + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + separatecontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": -680, + "y": 1230 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "30": + id: "30" + taskid: b55b9398-0238-4a75-869d-74f44171b89d + type: condition + task: + id: b55b9398-0238-4a75-869d-74f44171b89d + version: -1 + name: Run Mode? + scriptName: ShadowModeRouter_V3 + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + Full Run: + - "20" + Shadow Mode: + - "31" + scriptarguments: + ShadowMode: + simple: ${inputs.ShadowMode} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -50, + "y": 515 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "31": + id: "31" + taskid: c9557ca4-bdf6-4ba7-ab9f-820e692c7898 + type: regular + task: + id: c9557ca4-bdf6-4ba7-ab9f-820e692c7898 + version: -1 + name: 'Shadow: Palo XDR File Qurantine' + description: Prints text to war room (Markdown supported) + scriptName: Print + type: regular + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "2" + scriptarguments: + value: + simple: |- + Shadow: Palo XDR File Qurantine + Command: core-quarantine-file ${inputs.EndpointID} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -490, + "y": 650 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false +system: true +view: |- + { + "linkLabelsPosition": { + "13_2_#default#": 0.88, + "15_16_yes": 0.6, + "17_23_Manual": 0.42, + "17_2_#default#": 0.12, + "19_2_#default#": 0.15, + "19_30_yes": 0.74 + }, + "paper": { + "dimensions": { + "height": 1674, + "width": 1930, + "x": -680, + "y": -369 + } + } + } +inputs: +- key: FileContainment + value: + simple: "True" + required: false + description: Set to 'True' to quarantine the identified file. + playbookInputQuery: null +- key: FileRemediation + value: + simple: Quarantine + required: false + description: "Choose 'Quarantine' or 'Delete' to avoid file remediation conflicts. + \nFor example, choosing 'Quarantine' ignores the 'Delete file' task under the + eradication playbook and will execute only file quarantine." + playbookInputQuery: null +- key: FilePath + value: {} + required: false + description: The path of the file to block. + playbookInputQuery: null +- key: FileHash + value: {} + required: false + description: The file hash to block. + playbookInputQuery: null +- key: EndpointID + value: {} + required: false + description: The endpoint ID to run commands over. + playbookInputQuery: null +- key: AutoContainment + value: {} + required: false + description: Whether to execute containment plan automatically. + playbookInputQuery: null +- key: ShadowMode + value: + simple: "true" + required: false + description: "" + playbookInputQuery: null +inputSections: +- inputs: + - FileContainment + - FileRemediation + - FilePath + - FileHash + - EndpointID + - AutoContainment + - ShadowMode + name: General (Inputs group) + description: Generic group for inputs +outputSections: +- outputs: + - QuarantinedFilesFromEndpoints + name: General (Outputs group) + description: Generic group for outputs +outputs: +- contextPath: QuarantinedFilesFromEndpoints + description: The quarantined files from endpoint. + type: unknown +sourceplaybookid: Containment Plan - Quarantine File +dirtyInputs: true +adopted: true diff --git a/Packs/soc-optimization-unified/Playbooks/SOC_Containment_V3.yml b/Packs/soc-optimization-unified/Playbooks/SOC_Containment_V3.yml index d7d3367..506253e 100644 --- a/Packs/soc-optimization-unified/Playbooks/SOC_Containment_V3.yml +++ b/Packs/soc-optimization-unified/Playbooks/SOC_Containment_V3.yml @@ -1,6 +1,6 @@ fromversion: 5.0.0 id: SOC Containment_V3 -version: 3 +version: 5 contentitemexportablefields: contentitemfields: packID: soc-optimization-unified @@ -375,10 +375,10 @@ tasks: isautoswitchedtoquietmode: false "10": id: "10" - taskid: 3da427bf-bd91-48ed-8d62-0db6b4320f14 + taskid: 6af8157c-0f1e-40d4-8cbf-c5e7f5701d23 type: playbook task: - id: 3da427bf-bd91-48ed-8d62-0db6b4320f14 + id: 6af8157c-0f1e-40d4-8cbf-c5e7f5701d23 version: -1 name: SOC Identity Containment_V3 description: "This playbook handles the main containment actions available with @@ -408,7 +408,7 @@ tasks: simple: "False" IAMUserDomain: complex: - root: inputs.Issue + root: Issue filters: - - operator: containsGeneral left: @@ -418,7 +418,7 @@ tasks: right: value: simple: '@' - accessor: username + accessor: domain transformers: - operator: RegexExtractAll args: @@ -459,10 +459,10 @@ tasks: isautoswitchedtoquietmode: false "11": id: "11" - taskid: d7dfab3b-e1a2-4efa-929a-e5611480c15e + taskid: 5e3220b7-cd88-499a-9795-8e466fafb2d7 type: playbook task: - id: d7dfab3b-e1a2-4efa-929a-e5611480c15e + id: 5e3220b7-cd88-499a-9795-8e466fafb2d7 version: -1 name: SOC Endpoint Containment_V3 description: |- diff --git a/Packs/soc-optimization-unified/Playbooks/SOC_Identity_Containment_V3.yml b/Packs/soc-optimization-unified/Playbooks/SOC_Identity_Containment_V3.yml index 4c3c535..945b980 100644 --- a/Packs/soc-optimization-unified/Playbooks/SOC_Identity_Containment_V3.yml +++ b/Packs/soc-optimization-unified/Playbooks/SOC_Identity_Containment_V3.yml @@ -1,6 +1,6 @@ fromversion: 5.0.0 id: SOC Identity Containment_V3 -version: 5 +version: 4 contentitemexportablefields: contentitemfields: packID: soc-optimization-unified @@ -676,12 +676,14 @@ inputs: description: Set to 'True' to clear the user active Okta sessions. playbookInputQuery: null - key: Username - value: {} + value: + simple: ${issue.username} required: false description: The username to disable. playbookInputQuery: null - key: IAMUserDomain - value: {} + value: + simple: ${issue.domain} required: false description: The Okta IAM users domain. The domain will be appended to the username. e.g. username@IAMUserDomain. From 422959e283fd5b9463679a6705701ab22a2a4781 Mon Sep 17 00:00:00 2001 From: Scott Brumley Date: Fri, 30 Jan 2026 15:12:10 -0500 Subject: [PATCH 44/49] - Update Unified - Bump Version - Bump Catalog --- Packs/soc-optimization-unified/pack_metadata.json | 2 +- Packs/soc-optimization-unified/xsoar_config.json | 2 +- pack_catalog.json | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Packs/soc-optimization-unified/pack_metadata.json b/Packs/soc-optimization-unified/pack_metadata.json index cf232cf..abb06b9 100644 --- a/Packs/soc-optimization-unified/pack_metadata.json +++ b/Packs/soc-optimization-unified/pack_metadata.json @@ -3,7 +3,7 @@ "id": "soc-optimization-unified", "description": "This contents the content used to leverage processes that the Palo SOC uses including: Playbooks, integrations, layouts, etc.", "support": "xsoar", - "currentVersion": "3.0.17", + "currentVersion": "3.0.18", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/soc-optimization-unified/xsoar_config.json b/Packs/soc-optimization-unified/xsoar_config.json index c42794f..87a385c 100644 --- a/Packs/soc-optimization-unified/xsoar_config.json +++ b/Packs/soc-optimization-unified/xsoar_config.json @@ -8,7 +8,7 @@ "custom_packs": [ { "id": "soc-optimization-unified.zip", - "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-optimization-unified-v3.0.17/soc-optimization-unified-v3.0.17.zip", + "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-optimization-unified-v3.0.18/soc-optimization-unified-v3.0.18.zip", "system": "yes" } ], diff --git a/pack_catalog.json b/pack_catalog.json index eff64ae..a634884 100644 --- a/pack_catalog.json +++ b/pack_catalog.json @@ -59,7 +59,7 @@ { "id": "soc-optimization-unified", "display_name": "SOC Framework Unified", - "version": "3.0.17", + "version": "3.0.18", "path": "Packs/soc-optimization-unified", "visible": true, "xsoar_config": "https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/Packs/soc-optimization-unified/xsoar_config.json" From 319c0e38c6d097a722786039e88d1daa230c661d Mon Sep 17 00:00:00 2001 From: Scott Brumley Date: Fri, 30 Jan 2026 15:40:50 -0500 Subject: [PATCH 45/49] - Clean Up xsoar_config.json files. Move all dependencies to soc-optimization-unified - Bump Version - Bump Catalog --- .../pack_metadata.json | 2 +- .../xsoar_config.json | 1454 +---------------- .../pack_metadata.json | 2 +- .../xsoar_config.json | 923 ++++++++++- pack_catalog.json | 4 +- 5 files changed, 913 insertions(+), 1472 deletions(-) diff --git a/Packs/soc-common-playbooks-unified/pack_metadata.json b/Packs/soc-common-playbooks-unified/pack_metadata.json index fdde51d..565d9c2 100644 --- a/Packs/soc-common-playbooks-unified/pack_metadata.json +++ b/Packs/soc-common-playbooks-unified/pack_metadata.json @@ -3,7 +3,7 @@ "id": "soc-common-playbooks-unified", "description": "Frequently used playbooks pack.", "support": "xsoar", - "currentVersion": "2.7.52", + "currentVersion": "2.7.53", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/soc-common-playbooks-unified/xsoar_config.json b/Packs/soc-common-playbooks-unified/xsoar_config.json index d37ac08..894d0eb 100644 --- a/Packs/soc-common-playbooks-unified/xsoar_config.json +++ b/Packs/soc-common-playbooks-unified/xsoar_config.json @@ -2,1456 +2,12 @@ "custom_packs": [ { "id": "soc-common-playbooks-unified.zip", - "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-common-playbooks-unified-v2.7.52/soc-common-playbooks-unified-v2.7.52.zip", + "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-common-playbooks-unified-v2.7.53/soc-common-playbooks-unified-v2.7.53.zip", "system": "yes" } ], - "marketplace_packs": [ - { - "id": "Core", - "name": "Core - Investigation and Response", - "version": "latest" - }, - { - "id": "CommonPlaybooks", - "name": "Common Playbooks", - "version": "latest" - }, - { - "id": "CommonScripts", - "name": "Common Scripts", - "version": "latest" - }, - { - "id": "Whois", - "name": "Whois", - "version": "latest" - }, - { - "id": "VirusTotal", - "name": "VirusTotal", - "version": "latest" - }, - { - "id": "rasterize", - "name": "Rasterize", - "version": "latest" - }, - { - "id": "FiltersAndTransformers", - "name": "Filters And Transformers", - "version": "latest" - }, - { - "id": "Palo_Alto_Networks_WildFire", - "name": "WildFire by Palo Alto Networks", - "version": "latest" - }, - { - "id": "Base", - "name": "Base", - "version": "latest" - }, - { - "id": "DemistoRESTAPI", - "name": "Cortex REST API", - "version": "latest" - } - ], - "lookup_datasets": [ - { - "dataset_name": "value_tags", - "dataset_type": "lookup", - "url": "https://github.com/Palo-Cortex/secops-framework/blob/main/Packs/soc-optimization-unified/Lookup/value_tags.json", - "dataset_schema": { - "Product": "text", - "TaskName": "text", - "_insert_time": "number", - "Time": "text", - "ScriptID": "text", - "Tag": "text", - "_update_time": "number", - "_collector_name": "text", - "_collector_type": "text", - "PlaybookID": "text", - "Category": "text", - "Vendor": "text" - } - } - ], - "integration_instances": [ - { - "version": 21, - "propagationLabels": [ - "all" - ], - "isOverridable": false, - "enabled": "true", - "name": "Cortex Core - IR_default_instance", - "brand": "Cortex Core - IR", - "category": "", - "engine": "", - "engineGroup": "", - "isIntegrationScript": true, - "mappingId": "", - "outgoingMapperId": "", - "incomingMapperId": "", - "canSample": false, - "defaultIgnore": false, - "integrationLogLevel": "", - "configuration": { - "id": "", - "version": 0, - "cacheVersn": 0, - "modified": "0001-01-01T00:00:00Z", - "sizeInBytes": 0, - "packID": "", - "packName": "", - "itemVersion": "", - "fromServerVersion": "", - "toServerVersion": "", - "definitionId": "", - "isOverridable": false, - "vcShouldIgnore": false, - "vcShouldKeepItemLegacyProdMachine": false, - "commitMessage": "", - "shouldCommit": false, - "name": "", - "prevName": "", - "display": "", - "brand": "", - "category": "", - "icon": "", - "description": "", - "configuration": null, - "integrationScript": null, - "hidden": false, - "canGetSamples": false - }, - "data": [ - { - "section": "Connect", - "display": "HTTP Timeout", - "displayPassword": "", - "name": "timeout", - "defaultValue": "120", - "type": 0, - "required": false, - "hidden": false, - "hiddenUsername": false, - "hiddenPassword": false, - "options": null, - "info": "The timeout of the HTTP requests sent to Cortex API (in seconds).", - "hasvalue": true, - "value": "120" - } - ], - "passwordProtected": false - }, - { - "version": 2, - "propagationLabels": [ - "all" - ], - "isOverridable": false, - "enabled": "true", - "name": "Whois_instance_1", - "brand": "Whois", - "category": "Data Enrichment & Threat Intelligence", - "engine": "", - "engineGroup": "", - "isIntegrationScript": true, - "mappingId": "", - "outgoingMapperId": "", - "incomingMapperId": "", - "canSample": false, - "defaultIgnore": false, - "integrationLogLevel": "", - "configuration": { - "id": "", - "version": 0, - "cacheVersn": 0, - "modified": "0001-01-01T00:00:00Z", - "sizeInBytes": 0, - "packID": "", - "packName": "", - "itemVersion": "", - "fromServerVersion": "", - "toServerVersion": "", - "definitionId": "", - "isOverridable": false, - "vcShouldIgnore": false, - "vcShouldKeepItemLegacyProdMachine": false, - "commitMessage": "", - "shouldCommit": false, - "name": "", - "prevName": "", - "display": "", - "brand": "", - "category": "", - "icon": "", - "description": "", - "configuration": null, - "integrationScript": null, - "hidden": false, - "canGetSamples": false - }, - "data": [ - { - "section": "Collect", - "advanced": true, - "display": "Rate Limit Retry Count", - "displayPassword": "", - "name": "rate_limit_retry_count", - "defaultValue": "0", - "type": 0, - "required": false, - "hidden": false, - "hiddenUsername": false, - "hiddenPassword": false, - "options": null, - "info": "The number of times to try when getting a Rate Limit response.", - "hasvalue": true, - "value": "3" - }, - { - "section": "Collect", - "advanced": true, - "display": "Rate Limit Wait Seconds", - "displayPassword": "", - "name": "rate_limit_wait_seconds", - "defaultValue": "120", - "type": 0, - "required": false, - "hidden": false, - "hiddenUsername": false, - "hiddenPassword": false, - "options": null, - "info": "The number of seconds to wait each iteration when getting a Rate Limit response.", - "hasvalue": true, - "value": "120" - }, - { - "section": "Connect", - "advanced": true, - "display": "Return Errors", - "displayPassword": "", - "name": "with_error", - "defaultValue": "", - "type": 8, - "required": false, - "hidden": false, - "hiddenUsername": false, - "hiddenPassword": false, - "options": null, - "info": "If set, failed command results will be returned as warnings instead of errors.", - "hasvalue": true, - "value": false - }, - { - "section": "Collect", - "display": "Source Reliability", - "displayPassword": "", - "name": "integrationReliability", - "defaultValue": "B - Usually reliable", - "type": 15, - "required": true, - "hidden": false, - "hiddenUsername": false, - "hiddenPassword": false, - "options": [ - "A+ - 3rd party enrichment", - "A - Completely reliable", - "B - Usually reliable", - "C - Fairly reliable", - "D - Not usually reliable", - "E - Unreliable", - "F - Reliability cannot be judged" - ], - "info": "Reliability of the source providing the intelligence data.", - "hasvalue": true, - "value": "B - Usually reliable" - }, - { - "section": "Collect", - "advanced": true, - "display": "Use legacy context", - "displayPassword": "", - "name": "old-version", - "defaultValue": "", - "type": 8, - "required": false, - "hidden": false, - "hiddenUsername": false, - "hiddenPassword": false, - "options": null, - "info": "Get the Legacy output of context data for 'whois' and 'domain' commands.", - "hasvalue": false, - "value": null - }, - { - "section": "Connect", - "advanced": true, - "display": "Use system proxy settings", - "displayPassword": "", - "name": "proxy", - "defaultValue": "", - "type": 8, - "required": false, - "hidden": false, - "hiddenUsername": false, - "hiddenPassword": false, - "options": null, - "info": "Effect the `ip` command and the other commands only if the Proxy URL is not set.", - "hasvalue": true, - "value": false - }, - { - "section": "Connect", - "advanced": true, - "display": "Proxy URL", - "displayPassword": "", - "name": "proxy_url", - "defaultValue": "", - "type": 0, - "required": false, - "hidden": false, - "hiddenUsername": false, - "hiddenPassword": false, - "options": null, - "info": "Supports socks4/socks5/http connect proxies (e.g. socks5h://host:1080). Will effect all commands except for the `ip` command.", - "hasvalue": false, - "value": null - }, - { - "section": "Collect", - "advanced": true, - "display": "Suppress Rate Limit errors", - "displayPassword": "", - "name": "rate_limit_errors_suppressed", - "defaultValue": "false", - "type": 8, - "required": false, - "hidden": false, - "hiddenUsername": false, - "hiddenPassword": false, - "options": null, - "info": "Whether Rate Limit errors should be supressed or not.", - "hasvalue": true, - "value": false - } - ], - "passwordProtected": false - }, - { - "version": 3, - "propagationLabels": [ - "all" - ], - "isOverridable": false, - "enabled": "true", - "name": "Rasterize_instance_1", - "brand": "Rasterize", - "category": "Utilities", - "engine": "", - "engineGroup": "", - "isIntegrationScript": true, - "mappingId": "", - "outgoingMapperId": "", - "incomingMapperId": "", - "canSample": false, - "defaultIgnore": false, - "integrationLogLevel": "", - "configuration": { - "id": "", - "version": 0, - "cacheVersn": 0, - "modified": "0001-01-01T00:00:00Z", - "sizeInBytes": 0, - "packID": "", - "packName": "", - "itemVersion": "", - "fromServerVersion": "", - "toServerVersion": "", - "definitionId": "", - "isOverridable": false, - "vcShouldIgnore": false, - "vcShouldKeepItemLegacyProdMachine": false, - "commitMessage": "", - "shouldCommit": false, - "name": "", - "prevName": "", - "display": "", - "brand": "", - "category": "", - "icon": "", - "description": "", - "configuration": null, - "integrationScript": null, - "hidden": false, - "canGetSamples": false - }, - "data": [ - { - "section": "Connect", - "display": "Return Errors", - "displayPassword": "", - "name": "with_error", - "defaultValue": "false", - "type": 8, - "required": false, - "hidden": false, - "hiddenUsername": false, - "hiddenPassword": false, - "options": null, - "info": "", - "hasvalue": true, - "value": false - }, - { - "section": "Connect", - "display": "Rasterize Mode", - "displayPassword": "", - "name": "rasterize_mode", - "defaultValue": "", - "type": 0, - "required": false, - "hidden": false, - "hiddenUsername": false, - "hiddenPassword": false, - "options": null, - "info": "Deprecated.", - "hasvalue": false, - "value": null - }, - { - "section": "Connect", - "display": "Number of maximum tabs each Chrome will be allowed to open.", - "displayPassword": "", - "name": "max_chrome_tabs_count", - "defaultValue": "10", - "type": 0, - "required": false, - "hidden": false, - "hiddenUsername": false, - "hiddenPassword": false, - "options": null, - "info": "", - "hasvalue": true, - "value": "10" - }, - { - "section": "Connect", - "display": "Use system proxy settings", - "displayPassword": "", - "name": "proxy", - "defaultValue": "", - "type": 8, - "required": false, - "hidden": false, - "hiddenUsername": false, - "hiddenPassword": false, - "options": null, - "info": "", - "hasvalue": true, - "value": false - }, - { - "section": "Connect", - "display": "Time to wait before taking a screenshot (in seconds)", - "displayPassword": "", - "name": "wait_time", - "defaultValue": "0", - "type": 0, - "required": false, - "hidden": false, - "hiddenUsername": false, - "hiddenPassword": false, - "options": null, - "info": "", - "hasvalue": true, - "value": "0" - }, - { - "section": "Connect", - "display": "List of domains to block", - "displayPassword": "", - "name": "blocked_urls", - "defaultValue": "cloudflare.com", - "type": 0, - "required": false, - "hidden": false, - "hiddenUsername": false, - "hiddenPassword": false, - "options": null, - "info": "", - "hasvalue": true, - "value": "cloudflare.com" - }, - { - "section": "Connect", - "display": "Chrome options (Advanced. See [?])", - "displayPassword": "", - "name": "chrome_options", - "defaultValue": "", - "type": 0, - "required": false, - "hidden": false, - "hiddenUsername": false, - "hiddenPassword": false, - "options": null, - "info": "Add or remove Chrome options used to rasterize. Use for advanced troubleshooting. See Help.", - "hasvalue": false, - "value": null - }, - { - "section": "Connect", - "advanced": true, - "display": "Use secure requests protocol (HTTPS).", - "displayPassword": "", - "name": "is_https", - "defaultValue": "false", - "type": 8, - "required": false, - "hidden": false, - "hiddenUsername": false, - "hiddenPassword": false, - "options": null, - "info": "", - "hasvalue": true, - "value": false - }, - { - "section": "Connect", - "display": "Number of maximum Chrome instances to keep running simultaneously.", - "displayPassword": "", - "name": "max_chromes_count", - "defaultValue": "64", - "type": 0, - "required": false, - "hidden": false, - "hiddenUsername": false, - "hiddenPassword": false, - "options": null, - "info": "", - "hasvalue": true, - "value": "64" - }, - { - "section": "Connect", - "display": "Maximum time to wait for a page to load (in seconds)", - "displayPassword": "", - "name": "max_page_load_time", - "defaultValue": "180", - "type": 0, - "required": false, - "hidden": false, - "hiddenUsername": false, - "hiddenPassword": false, - "options": null, - "info": "", - "hasvalue": true, - "value": "180" - } - ], - "passwordProtected": false - }, - { - "version": 2, - "propagationLabels": [ - "all" - ], - "isOverridable": false, - "enabled": "true", - "name": "WildFire-Reports_default_instance", - "brand": "WildFire-Reports", - "category": "Forensics & Malware Analysis", - "engine": "", - "engineGroup": "", - "isIntegrationScript": true, - "mappingId": "", - "outgoingMapperId": "", - "incomingMapperId": "", - "canSample": false, - "defaultIgnore": false, - "integrationLogLevel": "", - "configuration": { - "id": "", - "version": 0, - "cacheVersn": 0, - "modified": "0001-01-01T00:00:00Z", - "sizeInBytes": 0, - "packID": "", - "packName": "", - "itemVersion": "", - "fromServerVersion": "", - "toServerVersion": "", - "definitionId": "", - "isOverridable": false, - "vcShouldIgnore": false, - "vcShouldKeepItemLegacyProdMachine": false, - "commitMessage": "", - "shouldCommit": false, - "name": "", - "prevName": "", - "display": "", - "brand": "", - "category": "", - "icon": "", - "description": "", - "configuration": null, - "integrationScript": null, - "hidden": false, - "canGetSamples": false - }, - "data": [ - { - "section": "Connect", - "advanced": true, - "display": "Use system proxy settings", - "displayPassword": "", - "name": "proxy", - "defaultValue": "", - "type": 8, - "required": false, - "hidden": false, - "hiddenUsername": false, - "hiddenPassword": false, - "options": null, - "info": "", - "hasvalue": false, - "value": null - }, - { - "display": "Server base URL (e.g., https://192.168.0.1/publicapi)", - "displayPassword": "", - "name": "server", - "defaultValue": "https://wildfire.paloaltonetworks.com/publicapi", - "type": 0, - "required": true, - "hidden": false, - "hiddenUsername": false, - "hiddenPassword": false, - "options": null, - "info": "", - "hasvalue": true, - "value": "https://wildfire.paloaltonetworks.com/publicapi" - }, - { - "section": "Connect", - "display": "API Key", - "displayPassword": "", - "name": "token", - "defaultValue": "", - "type": 4, - "required": false, - "hidden": true, - "hiddenUsername": false, - "hiddenPassword": false, - "options": null, - "info": "", - "hasvalue": false, - "value": null - }, - { - "section": "Connect", - "display": "", - "displayPassword": "API Key", - "name": "credentials", - "defaultValue": "", - "type": 9, - "required": false, - "hidden": false, - "hiddenUsername": true, - "hiddenPassword": false, - "options": null, - "info": "", - "hasvalue": true, - "value": { - "credential": "", - "credentials": { - "cacheVersn": 0, - "id": "", - "locked": false, - "modified": "0001-01-01T00:00:00Z", - "name": "", - "sizeInBytes": 0, - "user": "", - "vaultInstanceId": "", - "version": 0, - "workgroup": "" - }, - "identifier": "", - "passwordChanged": false - } - }, - { - "section": "Connect", - "advanced": true, - "display": "Trust any certificate (not secure)", - "displayPassword": "", - "name": "insecure", - "defaultValue": "", - "type": 8, - "required": false, - "hidden": false, - "hiddenUsername": false, - "hiddenPassword": false, - "options": null, - "info": "", - "hasvalue": false, - "value": null - } - ], - "passwordProtected": false - }, - { - "version": 1, - "propagationLabels": [ - "all" - ], - "isOverridable": false, - "enabled": "true", - "name": "WildFire-v2_default_instance", - "brand": "WildFire-v2", - "category": "Forensics & Malware Analysis", - "engine": "", - "engineGroup": "", - "isIntegrationScript": true, - "mappingId": "", - "outgoingMapperId": "", - "incomingMapperId": "", - "canSample": false, - "defaultIgnore": false, - "integrationLogLevel": "", - "configuration": { - "id": "", - "version": 0, - "cacheVersn": 0, - "modified": "0001-01-01T00:00:00Z", - "sizeInBytes": 0, - "packID": "", - "packName": "", - "itemVersion": "", - "fromServerVersion": "", - "toServerVersion": "", - "definitionId": "", - "isOverridable": false, - "vcShouldIgnore": false, - "vcShouldKeepItemLegacyProdMachine": false, - "commitMessage": "", - "shouldCommit": false, - "name": "", - "prevName": "", - "display": "", - "brand": "", - "category": "", - "icon": "", - "description": "", - "configuration": null, - "integrationScript": null, - "hidden": false, - "canGetSamples": false - }, - "data": [ - { - "section": "Collect", - "advanced": true, - "display": "Return warning entry for unsupported file types", - "displayPassword": "", - "name": "suppress_file_type_error", - "defaultValue": "", - "type": 8, - "required": false, - "hidden": false, - "hiddenUsername": false, - "hiddenPassword": false, - "options": null, - "info": "", - "hasvalue": true, - "value": false - }, - { - "section": "Connect", - "advanced": true, - "display": "Trust any certificate (not secure)", - "displayPassword": "", - "name": "insecure", - "defaultValue": "", - "type": 8, - "required": false, - "hidden": false, - "hiddenUsername": false, - "hiddenPassword": false, - "options": null, - "info": "", - "hasvalue": true, - "value": false - }, - { - "section": "Connect", - "advanced": true, - "display": "API Key (Deprecated)", - "displayPassword": "", - "name": "token", - "defaultValue": "", - "type": 4, - "required": false, - "hidden": true, - "hiddenUsername": false, - "hiddenPassword": false, - "options": null, - "info": "", - "hasvalue": false, - "value": "" - }, - { - "section": "Connect", - "advanced": true, - "display": "API Key Type", - "displayPassword": "", - "name": "credentials_source", - "defaultValue": "other", - "type": 15, - "required": false, - "hidden": false, - "hiddenUsername": false, - "hiddenPassword": false, - "options": [ - "pcc", - "prismaaccessapi", - "xsoartim", - "xdr", - "other" - ], - "info": "Source of WildFire API Key - other = NGFW, WildFire API - pcc = Prisma Cloud Compute - prismaaccessapi = Prisma Access - xsoartim = XSOAR TIM API Key", - "hasvalue": true, - "value": "other" - }, - { - "section": "Connect", - "display": "Server base URL (e.g., https://192.168.0.1/publicapi)", - "displayPassword": "", - "name": "server", - "defaultValue": "https://wildfire.paloaltonetworks.com/publicapi", - "type": 0, - "required": true, - "hidden": false, - "hiddenUsername": false, - "hiddenPassword": false, - "options": null, - "info": "", - "hasvalue": true, - "value": "https://wildfire.paloaltonetworks.com/publicapi" - }, - { - "section": "Connect", - "advanced": true, - "display": "Use system proxy settings", - "displayPassword": "", - "name": "proxy", - "defaultValue": "", - "type": 8, - "required": false, - "hidden": false, - "hiddenUsername": false, - "hiddenPassword": false, - "options": null, - "info": "", - "hasvalue": true, - "value": false - }, - { - "section": "Collect", - "advanced": true, - "display": "Create relationships", - "displayPassword": "", - "name": "create_relationships", - "defaultValue": "true", - "type": 8, - "required": false, - "hidden": false, - "hiddenUsername": false, - "hiddenPassword": false, - "options": null, - "info": "Create relationships between indicators as part of enrichment.", - "hasvalue": true, - "value": true - }, - { - "section": "Collect", - "display": "Source Reliability", - "displayPassword": "", - "name": "integrationReliability", - "defaultValue": "B - Usually reliable", - "type": 15, - "required": true, - "hidden": false, - "hiddenUsername": false, - "hiddenPassword": false, - "options": [ - "A+ - 3rd party enrichment", - "A - Completely reliable", - "B - Usually reliable", - "C - Fairly reliable", - "D - Not usually reliable", - "E - Unreliable", - "F - Reliability cannot be judged" - ], - "info": "Reliability of the source providing the intelligence data.", - "hasvalue": true, - "value": "B - Usually reliable" - }, - { - "section": "Connect", - "display": "", - "displayPassword": "API Key", - "name": "credentials", - "defaultValue": "", - "type": 9, - "required": false, - "hidden": false, - "hiddenUsername": true, - "hiddenPassword": false, - "options": null, - "info": "", - "hasvalue": true, - "value": { - "credential": "Palo Alto Networks WildFire API Key", - "credentials": { - "cacheVersn": 0, - "id": "", - "locked": false, - "modified": "0001-01-01T00:00:00Z", - "name": "", - "sizeInBytes": 0, - "user": "", - "vaultInstanceId": "", - "version": 0, - "workgroup": "" - }, - "identifier": "", - "passwordChanged": false - } - } - ], - "passwordProtected": false - }, - { - "version": 1, - "propagationLabels": [ - "all" - ], - "isOverridable": false, - "enabled": "true", - "name": "PlaybookMetrics", - "brand": "System XQL HTTP Collector", - "category": "Utilities", - "engine": "", - "engineGroup": "", - "isIntegrationScript": true, - "mappingId": "", - "outgoingMapperId": "", - "incomingMapperId": "", - "canSample": false, - "defaultIgnore": false, - "integrationLogLevel": "", - "configuration": { - "id": "", - "version": 0, - "cacheVersn": 0, - "modified": "0001-01-01T00:00:00Z", - "sizeInBytes": 0, - "packID": "", - "packName": "", - "itemVersion": "", - "fromServerVersion": "", - "toServerVersion": "", - "definitionId": "", - "isOverridable": false, - "vcShouldIgnore": false, - "vcShouldKeepItemLegacyProdMachine": false, - "commitMessage": "", - "shouldCommit": false, - "name": "", - "prevName": "", - "display": "", - "brand": "", - "category": "", - "icon": "", - "description": "", - "configuration": null, - "integrationScript": null, - "hidden": false, - "canGetSamples": false - }, - "data": [ - { - "display": "Product Name", - "displayPassword": "", - "name": "product", - "defaultValue": "PlaybookMetrics", - "type": 0, - "required": false, - "hidden": false, - "hiddenUsername": false, - "hiddenPassword": false, - "options": null, - "info": "The name of the 'Product' to include in the event data", - "hasvalue": true, - "value": "PlaybookMetrics" - }, - { - "display": "vendor name", - "displayPassword": "", - "name": "vendor", - "defaultValue": "XSIAM", - "type": 0, - "required": false, - "hidden": false, - "hiddenUsername": false, - "hiddenPassword": false, - "options": null, - "info": "The name of the 'Vendor' to include in the event data", - "hasvalue": true, - "value": "XSIAM" - } - ], - "passwordProtected": false - }, - { - "version": 1, - "propagationLabels": [ - "all" - ], - "isOverridable": false, - "enabled": "true", - "name": "Whois_instance_SOCFW", - "brand": "Whois", - "category": "Data Enrichment & Threat Intelligence", - "engine": "", - "engineGroup": "", - "isIntegrationScript": true, - "mappingId": "", - "outgoingMapperId": "", - "incomingMapperId": "", - "canSample": false, - "defaultIgnore": false, - "integrationLogLevel": "", - "configuration": { - "id": "", - "version": 0, - "cacheVersn": 0, - "modified": "0001-01-01T00:00:00Z", - "sizeInBytes": 0, - "packID": "", - "packName": "", - "itemVersion": "", - "fromServerVersion": "", - "toServerVersion": "", - "definitionId": "", - "isOverridable": false, - "vcShouldIgnore": false, - "vcShouldKeepItemLegacyProdMachine": false, - "commitMessage": "", - "shouldCommit": false, - "name": "", - "prevName": "", - "display": "", - "brand": "", - "category": "", - "icon": "", - "description": "", - "configuration": null, - "integrationScript": null, - "hidden": false, - "canGetSamples": false - }, - "data": [ - { - "section": "Connect", - "advanced": true, - "display": "Use system proxy settings", - "displayPassword": "", - "name": "proxy", - "defaultValue": "", - "type": 8, - "required": false, - "hidden": false, - "hiddenUsername": false, - "hiddenPassword": false, - "options": null, - "info": "Effect the `ip` command and the other commands only if the Proxy URL is not set.", - "hasvalue": true, - "value": false - }, - { - "section": "Connect", - "advanced": true, - "display": "Proxy URL", - "displayPassword": "", - "name": "proxy_url", - "defaultValue": "", - "type": 0, - "required": false, - "hidden": false, - "hiddenUsername": false, - "hiddenPassword": false, - "options": null, - "info": "Supports socks4/socks5/http connect proxies (e.g. socks5h://host:1080). Will effect all commands except for the `ip` command.", - "hasvalue": false, - "value": null - }, - { - "section": "Collect", - "advanced": true, - "display": "Suppress Rate Limit errors", - "displayPassword": "", - "name": "rate_limit_errors_suppressed", - "defaultValue": "false", - "type": 8, - "required": false, - "hidden": false, - "hiddenUsername": false, - "hiddenPassword": false, - "options": null, - "info": "Whether Rate Limit errors should be supressed or not.", - "hasvalue": true, - "value": false - }, - { - "section": "Collect", - "advanced": true, - "display": "Rate Limit Retry Count", - "displayPassword": "", - "name": "rate_limit_retry_count", - "defaultValue": "0", - "type": 0, - "required": false, - "hidden": false, - "hiddenUsername": false, - "hiddenPassword": false, - "options": null, - "info": "The number of times to try when getting a Rate Limit response.", - "hasvalue": true, - "value": "3" - }, - { - "section": "Collect", - "advanced": true, - "display": "Rate Limit Wait Seconds", - "displayPassword": "", - "name": "rate_limit_wait_seconds", - "defaultValue": "120", - "type": 0, - "required": false, - "hidden": false, - "hiddenUsername": false, - "hiddenPassword": false, - "options": null, - "info": "The number of seconds to wait each iteration when getting a Rate Limit response.", - "hasvalue": true, - "value": "120" - }, - { - "section": "Connect", - "advanced": true, - "display": "Return Errors", - "displayPassword": "", - "name": "with_error", - "defaultValue": "", - "type": 8, - "required": false, - "hidden": false, - "hiddenUsername": false, - "hiddenPassword": false, - "options": null, - "info": "If set, failed command results will be returned as warnings instead of errors.", - "hasvalue": true, - "value": false - }, - { - "section": "Collect", - "display": "Source Reliability", - "displayPassword": "", - "name": "integrationReliability", - "defaultValue": "B - Usually reliable", - "type": 15, - "required": true, - "hidden": false, - "hiddenUsername": false, - "hiddenPassword": false, - "options": [ - "A+ - 3rd party enrichment", - "A - Completely reliable", - "B - Usually reliable", - "C - Fairly reliable", - "D - Not usually reliable", - "E - Unreliable", - "F - Reliability cannot be judged" - ], - "info": "Reliability of the source providing the intelligence data.", - "hasvalue": true, - "value": "B - Usually reliable" - } - ], - "passwordProtected": false - }, - { - "version": 1, - "propagationLabels": [ - "all" - ], - "isOverridable": false, - "enabled": "true", - "name": "Unit_42_Intelligence_SOCFW", - "brand": "Unit 42 Intelligence", - "category": "Data Enrichment & Threat Intelligence", - "engine": "", - "engineGroup": "", - "isIntegrationScript": true, - "mappingId": "", - "outgoingMapperId": "", - "incomingMapperId": "", - "canSample": false, - "defaultIgnore": false, - "integrationLogLevel": "", - "configuration": { - "id": "", - "version": 0, - "cacheVersn": 0, - "modified": "0001-01-01T00:00:00Z", - "sizeInBytes": 0, - "packID": "", - "packName": "", - "itemVersion": "", - "fromServerVersion": "", - "toServerVersion": "", - "definitionId": "", - "isOverridable": false, - "vcShouldIgnore": false, - "vcShouldKeepItemLegacyProdMachine": false, - "commitMessage": "", - "shouldCommit": false, - "name": "", - "prevName": "", - "display": "", - "brand": "", - "category": "", - "icon": "", - "description": "", - "configuration": null, - "integrationScript": null, - "hidden": false, - "canGetSamples": false - }, - "data": [ - { - "section": "Connect", - "advanced": true, - "display": "Use system proxy settings", - "displayPassword": "", - "name": "proxy", - "defaultValue": "", - "type": 8, - "required": false, - "hidden": false, - "hiddenUsername": false, - "hiddenPassword": false, - "options": null, - "info": "Effect the `ip` command and the other commands only if the Proxy URL is not set.", - "hasvalue": true, - "value": false - }, - { - "section": "Connect", - "advanced": true, - "display": "Proxy URL", - "displayPassword": "", - "name": "proxy_url", - "defaultValue": "", - "type": 0, - "required": false, - "hidden": false, - "hiddenUsername": false, - "hiddenPassword": false, - "options": null, - "info": "Supports socks4/socks5/http connect proxies (e.g. socks5h://host:1080). Will effect all commands except for the `ip` command.", - "hasvalue": false, - "value": null - }, - { - "section": "Collect", - "advanced": true, - "display": "Suppress Rate Limit errors", - "displayPassword": "", - "name": "rate_limit_errors_suppressed", - "defaultValue": "false", - "type": 8, - "required": false, - "hidden": false, - "hiddenUsername": false, - "hiddenPassword": false, - "options": null, - "info": "Whether Rate Limit errors should be supressed or not.", - "hasvalue": true, - "value": false - }, - { - "section": "Collect", - "advanced": true, - "display": "Rate Limit Retry Count", - "displayPassword": "", - "name": "rate_limit_retry_count", - "defaultValue": "0", - "type": 0, - "required": false, - "hidden": false, - "hiddenUsername": false, - "hiddenPassword": false, - "options": null, - "info": "The number of times to try when getting a Rate Limit response.", - "hasvalue": true, - "value": "3" - }, - { - "section": "Collect", - "advanced": true, - "display": "Rate Limit Wait Seconds", - "displayPassword": "", - "name": "rate_limit_wait_seconds", - "defaultValue": "120", - "type": 0, - "required": false, - "hidden": false, - "hiddenUsername": false, - "hiddenPassword": false, - "options": null, - "info": "The number of seconds to wait each iteration when getting a Rate Limit response.", - "hasvalue": true, - "value": "120" - }, - { - "section": "Connect", - "advanced": true, - "display": "Return Errors", - "displayPassword": "", - "name": "with_error", - "defaultValue": "", - "type": 8, - "required": false, - "hidden": false, - "hiddenUsername": false, - "hiddenPassword": false, - "options": null, - "info": "If set, failed command results will be returned as warnings instead of errors.", - "hasvalue": true, - "value": false - }, - { - "section": "Collect", - "display": "Source Reliability", - "displayPassword": "", - "name": "integrationReliability", - "defaultValue": "B - Usually reliable", - "type": 15, - "required": true, - "hidden": false, - "hiddenUsername": false, - "hiddenPassword": false, - "options": [ - "A+ - 3rd party enrichment", - "A - Completely reliable", - "B - Usually reliable", - "C - Fairly reliable", - "D - Not usually reliable", - "E - Unreliable", - "F - Reliability cannot be judged" - ], - "info": "Reliability of the source providing the intelligence data.", - "hasvalue": true, - "value": "B - Usually reliable" - } - ], - "passwordProtected": false - } - ], - "jobs": [ - { - "CustomFields": null, - "type": "##default##", - "name": "Auto Triage", - "severity": 0, - "labels": null, - "details": "This playbook accesses the API for XSIAM and by default must attract starred alerts within 6 hours or they will be closed as low fidelity alerts.", - "owner": "abarone@paloaltonetworks.com", - "playbookId": "JOB - Triage Alerts V3", - "phase": "", - "startDate": "2025-02-05T01:30:48.833Z", - "endingType": "never", - "times": 0, - "recurrent": true, - "endingDate": "2025-02-05T01:30:48.832Z", - "humanCron": { - "days": [ - "SUN", - "MON", - "TUE", - "WED", - "THU", - "FRI", - "SAT" - ], - "timePeriodType": "minutes", - "timePeriod": 10 - }, - "cronView": false, - "scheduled": false, - "tags": null, - "shouldTriggerNew": true, - "closePrevRun": false, - "notifyOwner": false, - "isFeed": false, - "selectedFeeds": null, - "isAllFeeds": false - }, - { - "CustomFields": null, - "type": "##default##", - "name": "Collect Playbook Metrics", - "severity": 0, - "labels": null, - "details": "", - "owner": "abarone@paloaltonetworks.com", - "playbookId": "JOB - Store Playbook Metrics in Dataset V3", - "phase": "", - "startDate": "2025-01-10T23:20:12Z", - "endingType": "never", - "times": 0, - "recurrent": true, - "endingDate": "2025-01-10T23:18:32Z", - "humanCron": { - "days": [ - "SUN", - "MON", - "TUE", - "WED", - "THU", - "FRI", - "SAT" - ], - "timePeriodType": "minutes", - "timePeriod": 15 - }, - "cronView": false, - "scheduled": true, - "tags": null, - "shouldTriggerNew": true, - "closePrevRun": false, - "notifyOwner": false, - "isFeed": false, - "selectedFeeds": null, - "isAllFeeds": false - } - ] + "marketplace_packs": [], + "lookup_datasets": [], + "integration_instances": [], + "jobs": [] } diff --git a/Packs/soc-optimization-unified/pack_metadata.json b/Packs/soc-optimization-unified/pack_metadata.json index abb06b9..4a76c3e 100644 --- a/Packs/soc-optimization-unified/pack_metadata.json +++ b/Packs/soc-optimization-unified/pack_metadata.json @@ -3,7 +3,7 @@ "id": "soc-optimization-unified", "description": "This contents the content used to leverage processes that the Palo SOC uses including: Playbooks, integrations, layouts, etc.", "support": "xsoar", - "currentVersion": "3.0.18", + "currentVersion": "3.0.19", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/soc-optimization-unified/xsoar_config.json b/Packs/soc-optimization-unified/xsoar_config.json index 87a385c..a95bc0e 100644 --- a/Packs/soc-optimization-unified/xsoar_config.json +++ b/Packs/soc-optimization-unified/xsoar_config.json @@ -8,11 +8,56 @@ "custom_packs": [ { "id": "soc-optimization-unified.zip", - "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-optimization-unified-v3.0.18/soc-optimization-unified-v3.0.18.zip", + "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-optimization-unified-v3.0.19/soc-optimization-unified-v3.0.19.zip", + "system": "yes" + }, + { + "id": "soc-common-playbooks-unified.zip", + "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-common-playbooks-unified-v2.7.52/soc-common-playbooks-unified-v2.7.52.zip", "system": "yes" } ], "marketplace_packs": [ + { + "id": "Core", + "name": "Core - Investigation and Response", + "version": "latest" + }, + { + "id": "CommonPlaybooks", + "name": "Common Playbooks", + "version": "latest" + }, + { + "id": "CommonScripts", + "name": "Common Scripts", + "version": "latest" + }, + { + "id": "Whois", + "name": "Whois", + "version": "latest" + }, + { + "id": "VirusTotal", + "name": "VirusTotal", + "version": "latest" + }, + { + "id": "rasterize", + "name": "Rasterize", + "version": "latest" + }, + { + "id": "FiltersAndTransformers", + "name": "Filters And Transformers", + "version": "latest" + }, + { + "id": "Palo_Alto_Networks_WildFire", + "name": "WildFire by Palo Alto Networks", + "version": "latest" + }, { "id": "Base", "name": "Base", @@ -34,8 +79,8 @@ "version": "latest" }, { - "id": "Whois", - "name": "Whois", + "id": "Unit42ThreatIntelligencebyPaloAltoNetworks", + "name": "Unit 42 Threat Intelligence by Palo Alto Networks", "version": "latest" } ], @@ -61,6 +106,74 @@ } ], "integration_instances": [ + { + "version": 21, + "propagationLabels": [ + "all" + ], + "isOverridable": false, + "enabled": "true", + "name": "Cortex Core - IR_default_instance", + "brand": "Cortex Core - IR", + "category": "", + "engine": "", + "engineGroup": "", + "isIntegrationScript": true, + "mappingId": "", + "outgoingMapperId": "", + "incomingMapperId": "", + "canSample": false, + "defaultIgnore": false, + "integrationLogLevel": "", + "configuration": { + "id": "", + "version": 0, + "cacheVersn": 0, + "modified": "0001-01-01T00:00:00Z", + "sizeInBytes": 0, + "packID": "", + "packName": "", + "itemVersion": "", + "fromServerVersion": "", + "toServerVersion": "", + "definitionId": "", + "isOverridable": false, + "vcShouldIgnore": false, + "vcShouldKeepItemLegacyProdMachine": false, + "commitMessage": "", + "shouldCommit": false, + "name": "", + "prevName": "", + "display": "", + "brand": "", + "category": "", + "icon": "", + "description": "", + "configuration": null, + "integrationScript": null, + "hidden": false, + "canGetSamples": false + }, + "data": [ + { + "section": "Connect", + "display": "HTTP Timeout", + "displayPassword": "", + "name": "timeout", + "defaultValue": "120", + "type": 0, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "The timeout of the HTTP requests sent to Cortex API (in seconds).", + "hasvalue": true, + "value": "120" + } + ], + "passwordProtected": false + }, { "version": 1, "propagationLabels": [ @@ -68,9 +181,9 @@ ], "isOverridable": false, "enabled": "true", - "name": "PlaybookMetrics", - "brand": "System XQL HTTP Collector", - "category": "Utilities", + "name": "Whois_instance_SOCFW", + "brand": "Whois", + "category": "Data Enrichment & Threat Intelligence", "engine": "", "engineGroup": "", "isIntegrationScript": true, @@ -111,47 +224,819 @@ }, "data": [ { - "display": "Product Name", + "section": "Connect", + "advanced": true, + "display": "Use system proxy settings", "displayPassword": "", - "name": "product", - "defaultValue": "PlaybookMetrics", + "name": "proxy", + "defaultValue": "", + "type": 8, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "Effect the `ip` command and the other commands only if the Proxy URL is not set.", + "hasvalue": true, + "value": false + }, + { + "section": "Connect", + "advanced": true, + "display": "Proxy URL", + "displayPassword": "", + "name": "proxy_url", + "defaultValue": "", "type": 0, "required": false, "hidden": false, "hiddenUsername": false, "hiddenPassword": false, "options": null, - "info": "The name of the 'Product' to include in the event data", + "info": "Supports socks4/socks5/http connect proxies (e.g. socks5h://host:1080). Will effect all commands except for the `ip` command.", + "hasvalue": false, + "value": null + }, + { + "section": "Collect", + "advanced": true, + "display": "Suppress Rate Limit errors", + "displayPassword": "", + "name": "rate_limit_errors_suppressed", + "defaultValue": "false", + "type": 8, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "Whether Rate Limit errors should be supressed or not.", "hasvalue": true, - "value": "PlaybookMetrics" + "value": false }, { - "display": "vendor name", + "section": "Collect", + "advanced": true, + "display": "Rate Limit Retry Count", "displayPassword": "", - "name": "vendor", - "defaultValue": "XSIAM", + "name": "rate_limit_retry_count", + "defaultValue": "0", "type": 0, "required": false, "hidden": false, "hiddenUsername": false, "hiddenPassword": false, "options": null, - "info": "The name of the 'Vendor' to include in the event data", + "info": "The number of times to try when getting a Rate Limit response.", "hasvalue": true, - "value": "XSIAM" + "value": "3" + }, + { + "section": "Collect", + "advanced": true, + "display": "Rate Limit Wait Seconds", + "displayPassword": "", + "name": "rate_limit_wait_seconds", + "defaultValue": "120", + "type": 0, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "The number of seconds to wait each iteration when getting a Rate Limit response.", + "hasvalue": true, + "value": "120" + }, + { + "section": "Connect", + "advanced": true, + "display": "Return Errors", + "displayPassword": "", + "name": "with_error", + "defaultValue": "", + "type": 8, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "If set, failed command results will be returned as warnings instead of errors.", + "hasvalue": true, + "value": false + }, + { + "section": "Collect", + "display": "Source Reliability", + "displayPassword": "", + "name": "integrationReliability", + "defaultValue": "B - Usually reliable", + "type": 15, + "required": true, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": [ + "A+ - 3rd party enrichment", + "A - Completely reliable", + "B - Usually reliable", + "C - Fairly reliable", + "D - Not usually reliable", + "E - Unreliable", + "F - Reliability cannot be judged" + ], + "info": "Reliability of the source providing the intelligence data.", + "hasvalue": true, + "value": "B - Usually reliable" } ], "passwordProtected": false }, { - "version": 1, + "version": 3, "propagationLabels": [ "all" ], "isOverridable": false, "enabled": "true", - "name": "Whois_instance_1", - "brand": "Whois", + "name": "Rasterize_instance_1", + "brand": "Rasterize", + "category": "Utilities", + "engine": "", + "engineGroup": "", + "isIntegrationScript": true, + "mappingId": "", + "outgoingMapperId": "", + "incomingMapperId": "", + "canSample": false, + "defaultIgnore": false, + "integrationLogLevel": "", + "configuration": { + "id": "", + "version": 0, + "cacheVersn": 0, + "modified": "0001-01-01T00:00:00Z", + "sizeInBytes": 0, + "packID": "", + "packName": "", + "itemVersion": "", + "fromServerVersion": "", + "toServerVersion": "", + "definitionId": "", + "isOverridable": false, + "vcShouldIgnore": false, + "vcShouldKeepItemLegacyProdMachine": false, + "commitMessage": "", + "shouldCommit": false, + "name": "", + "prevName": "", + "display": "", + "brand": "", + "category": "", + "icon": "", + "description": "", + "configuration": null, + "integrationScript": null, + "hidden": false, + "canGetSamples": false + }, + "data": [ + { + "section": "Connect", + "display": "Return Errors", + "displayPassword": "", + "name": "with_error", + "defaultValue": "false", + "type": 8, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "", + "hasvalue": true, + "value": false + }, + { + "section": "Connect", + "display": "Rasterize Mode", + "displayPassword": "", + "name": "rasterize_mode", + "defaultValue": "", + "type": 0, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "Deprecated.", + "hasvalue": false, + "value": null + }, + { + "section": "Connect", + "display": "Number of maximum tabs each Chrome will be allowed to open.", + "displayPassword": "", + "name": "max_chrome_tabs_count", + "defaultValue": "10", + "type": 0, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "", + "hasvalue": true, + "value": "10" + }, + { + "section": "Connect", + "display": "Use system proxy settings", + "displayPassword": "", + "name": "proxy", + "defaultValue": "", + "type": 8, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "", + "hasvalue": true, + "value": false + }, + { + "section": "Connect", + "display": "Time to wait before taking a screenshot (in seconds)", + "displayPassword": "", + "name": "wait_time", + "defaultValue": "0", + "type": 0, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "", + "hasvalue": true, + "value": "0" + }, + { + "section": "Connect", + "display": "List of domains to block", + "displayPassword": "", + "name": "blocked_urls", + "defaultValue": "cloudflare.com", + "type": 0, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "", + "hasvalue": true, + "value": "cloudflare.com" + }, + { + "section": "Connect", + "display": "Chrome options (Advanced. See [?])", + "displayPassword": "", + "name": "chrome_options", + "defaultValue": "", + "type": 0, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "Add or remove Chrome options used to rasterize. Use for advanced troubleshooting. See Help.", + "hasvalue": false, + "value": null + }, + { + "section": "Connect", + "advanced": true, + "display": "Use secure requests protocol (HTTPS).", + "displayPassword": "", + "name": "is_https", + "defaultValue": "false", + "type": 8, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "", + "hasvalue": true, + "value": false + }, + { + "section": "Connect", + "display": "Number of maximum Chrome instances to keep running simultaneously.", + "displayPassword": "", + "name": "max_chromes_count", + "defaultValue": "64", + "type": 0, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "", + "hasvalue": true, + "value": "64" + }, + { + "section": "Connect", + "display": "Maximum time to wait for a page to load (in seconds)", + "displayPassword": "", + "name": "max_page_load_time", + "defaultValue": "180", + "type": 0, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "", + "hasvalue": true, + "value": "180" + } + ], + "passwordProtected": false + }, + { + "version": 2, + "propagationLabels": [ + "all" + ], + "isOverridable": false, + "enabled": "true", + "name": "WildFire-Reports_default_instance", + "brand": "WildFire-Reports", + "category": "Forensics & Malware Analysis", + "engine": "", + "engineGroup": "", + "isIntegrationScript": true, + "mappingId": "", + "outgoingMapperId": "", + "incomingMapperId": "", + "canSample": false, + "defaultIgnore": false, + "integrationLogLevel": "", + "configuration": { + "id": "", + "version": 0, + "cacheVersn": 0, + "modified": "0001-01-01T00:00:00Z", + "sizeInBytes": 0, + "packID": "", + "packName": "", + "itemVersion": "", + "fromServerVersion": "", + "toServerVersion": "", + "definitionId": "", + "isOverridable": false, + "vcShouldIgnore": false, + "vcShouldKeepItemLegacyProdMachine": false, + "commitMessage": "", + "shouldCommit": false, + "name": "", + "prevName": "", + "display": "", + "brand": "", + "category": "", + "icon": "", + "description": "", + "configuration": null, + "integrationScript": null, + "hidden": false, + "canGetSamples": false + }, + "data": [ + { + "section": "Connect", + "advanced": true, + "display": "Use system proxy settings", + "displayPassword": "", + "name": "proxy", + "defaultValue": "", + "type": 8, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "", + "hasvalue": false, + "value": null + }, + { + "display": "Server base URL (e.g., https://192.168.0.1/publicapi)", + "displayPassword": "", + "name": "server", + "defaultValue": "https://wildfire.paloaltonetworks.com/publicapi", + "type": 0, + "required": true, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "", + "hasvalue": true, + "value": "https://wildfire.paloaltonetworks.com/publicapi" + }, + { + "section": "Connect", + "display": "API Key", + "displayPassword": "", + "name": "token", + "defaultValue": "", + "type": 4, + "required": false, + "hidden": true, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "", + "hasvalue": false, + "value": null + }, + { + "section": "Connect", + "display": "", + "displayPassword": "API Key", + "name": "credentials", + "defaultValue": "", + "type": 9, + "required": false, + "hidden": false, + "hiddenUsername": true, + "hiddenPassword": false, + "options": null, + "info": "", + "hasvalue": true, + "value": { + "credential": "", + "credentials": { + "cacheVersn": 0, + "id": "", + "locked": false, + "modified": "0001-01-01T00:00:00Z", + "name": "", + "sizeInBytes": 0, + "user": "", + "vaultInstanceId": "", + "version": 0, + "workgroup": "" + }, + "identifier": "", + "passwordChanged": false + } + }, + { + "section": "Connect", + "advanced": true, + "display": "Trust any certificate (not secure)", + "displayPassword": "", + "name": "insecure", + "defaultValue": "", + "type": 8, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "", + "hasvalue": false, + "value": null + } + ], + "passwordProtected": false + }, + { + "version": 1, + "propagationLabels": [ + "all" + ], + "isOverridable": false, + "enabled": "true", + "name": "WildFire-v2_default_instance", + "brand": "WildFire-v2", + "category": "Forensics & Malware Analysis", + "engine": "", + "engineGroup": "", + "isIntegrationScript": true, + "mappingId": "", + "outgoingMapperId": "", + "incomingMapperId": "", + "canSample": false, + "defaultIgnore": false, + "integrationLogLevel": "", + "configuration": { + "id": "", + "version": 0, + "cacheVersn": 0, + "modified": "0001-01-01T00:00:00Z", + "sizeInBytes": 0, + "packID": "", + "packName": "", + "itemVersion": "", + "fromServerVersion": "", + "toServerVersion": "", + "definitionId": "", + "isOverridable": false, + "vcShouldIgnore": false, + "vcShouldKeepItemLegacyProdMachine": false, + "commitMessage": "", + "shouldCommit": false, + "name": "", + "prevName": "", + "display": "", + "brand": "", + "category": "", + "icon": "", + "description": "", + "configuration": null, + "integrationScript": null, + "hidden": false, + "canGetSamples": false + }, + "data": [ + { + "section": "Collect", + "advanced": true, + "display": "Return warning entry for unsupported file types", + "displayPassword": "", + "name": "suppress_file_type_error", + "defaultValue": "", + "type": 8, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "", + "hasvalue": true, + "value": false + }, + { + "section": "Connect", + "advanced": true, + "display": "Trust any certificate (not secure)", + "displayPassword": "", + "name": "insecure", + "defaultValue": "", + "type": 8, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "", + "hasvalue": true, + "value": false + }, + { + "section": "Connect", + "advanced": true, + "display": "API Key (Deprecated)", + "displayPassword": "", + "name": "token", + "defaultValue": "", + "type": 4, + "required": false, + "hidden": true, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "", + "hasvalue": false, + "value": "" + }, + { + "section": "Connect", + "advanced": true, + "display": "API Key Type", + "displayPassword": "", + "name": "credentials_source", + "defaultValue": "other", + "type": 15, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": [ + "pcc", + "prismaaccessapi", + "xsoartim", + "xdr", + "other" + ], + "info": "Source of WildFire API Key - other = NGFW, WildFire API - pcc = Prisma Cloud Compute - prismaaccessapi = Prisma Access - xsoartim = XSOAR TIM API Key", + "hasvalue": true, + "value": "other" + }, + { + "section": "Connect", + "display": "Server base URL (e.g., https://192.168.0.1/publicapi)", + "displayPassword": "", + "name": "server", + "defaultValue": "https://wildfire.paloaltonetworks.com/publicapi", + "type": 0, + "required": true, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "", + "hasvalue": true, + "value": "https://wildfire.paloaltonetworks.com/publicapi" + }, + { + "section": "Connect", + "advanced": true, + "display": "Use system proxy settings", + "displayPassword": "", + "name": "proxy", + "defaultValue": "", + "type": 8, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "", + "hasvalue": true, + "value": false + }, + { + "section": "Collect", + "advanced": true, + "display": "Create relationships", + "displayPassword": "", + "name": "create_relationships", + "defaultValue": "true", + "type": 8, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "Create relationships between indicators as part of enrichment.", + "hasvalue": true, + "value": true + }, + { + "section": "Collect", + "display": "Source Reliability", + "displayPassword": "", + "name": "integrationReliability", + "defaultValue": "B - Usually reliable", + "type": 15, + "required": true, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": [ + "A+ - 3rd party enrichment", + "A - Completely reliable", + "B - Usually reliable", + "C - Fairly reliable", + "D - Not usually reliable", + "E - Unreliable", + "F - Reliability cannot be judged" + ], + "info": "Reliability of the source providing the intelligence data.", + "hasvalue": true, + "value": "B - Usually reliable" + }, + { + "section": "Connect", + "display": "", + "displayPassword": "API Key", + "name": "credentials", + "defaultValue": "", + "type": 9, + "required": false, + "hidden": false, + "hiddenUsername": true, + "hiddenPassword": false, + "options": null, + "info": "", + "hasvalue": true, + "value": { + "credential": "Palo Alto Networks WildFire API Key", + "credentials": { + "cacheVersn": 0, + "id": "", + "locked": false, + "modified": "0001-01-01T00:00:00Z", + "name": "", + "sizeInBytes": 0, + "user": "", + "vaultInstanceId": "", + "version": 0, + "workgroup": "" + }, + "identifier": "", + "passwordChanged": false + } + } + ], + "passwordProtected": false + }, + { + "version": 1, + "propagationLabels": [ + "all" + ], + "isOverridable": false, + "enabled": "true", + "name": "PlaybookMetrics", + "brand": "System XQL HTTP Collector", + "category": "Utilities", + "engine": "", + "engineGroup": "", + "isIntegrationScript": true, + "mappingId": "", + "outgoingMapperId": "", + "incomingMapperId": "", + "canSample": false, + "defaultIgnore": false, + "integrationLogLevel": "", + "configuration": { + "id": "", + "version": 0, + "cacheVersn": 0, + "modified": "0001-01-01T00:00:00Z", + "sizeInBytes": 0, + "packID": "", + "packName": "", + "itemVersion": "", + "fromServerVersion": "", + "toServerVersion": "", + "definitionId": "", + "isOverridable": false, + "vcShouldIgnore": false, + "vcShouldKeepItemLegacyProdMachine": false, + "commitMessage": "", + "shouldCommit": false, + "name": "", + "prevName": "", + "display": "", + "brand": "", + "category": "", + "icon": "", + "description": "", + "configuration": null, + "integrationScript": null, + "hidden": false, + "canGetSamples": false + }, + "data": [ + { + "display": "Product Name", + "displayPassword": "", + "name": "product", + "defaultValue": "PlaybookMetrics", + "type": 0, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "The name of the 'Product' to include in the event data", + "hasvalue": true, + "value": "PlaybookMetrics" + }, + { + "display": "vendor name", + "displayPassword": "", + "name": "vendor", + "defaultValue": "XSIAM", + "type": 0, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "The name of the 'Vendor' to include in the event data", + "hasvalue": true, + "value": "XSIAM" + } + ], + "passwordProtected": false + }, + { + "version": 1, + "propagationLabels": [ + "all" + ], + "isOverridable": false, + "enabled": "true", + "name": "Unit_42_Intelligence_SOCFW", + "brand": "Unit 42 Intelligence", "category": "Data Enrichment & Threat Intelligence", "engine": "", "engineGroup": "", diff --git a/pack_catalog.json b/pack_catalog.json index a634884..9b9fa39 100644 --- a/pack_catalog.json +++ b/pack_catalog.json @@ -11,7 +11,7 @@ { "id": "soc-common-playbooks-unified", "display_name": "SOC Common Playbooks Unified", - "version": "2.7.52", + "version": "2.7.53", "path": "Packs/soc-common-playbooks-unified", "visible": false, "xsoar_config": "https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/Packs/soc-common-playbooks-unified/xsoar_config.json" @@ -59,7 +59,7 @@ { "id": "soc-optimization-unified", "display_name": "SOC Framework Unified", - "version": "3.0.18", + "version": "3.0.19", "path": "Packs/soc-optimization-unified", "visible": true, "xsoar_config": "https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/Packs/soc-optimization-unified/xsoar_config.json" From 799b5b636781f514720be65e723adea87db859b0 Mon Sep 17 00:00:00 2001 From: Scott Brumley Date: Fri, 30 Jan 2026 15:42:24 -0500 Subject: [PATCH 46/49] - Updated soc-common-playbooks-unified zipfile link in soc-optimization-unified --- Packs/soc-optimization-unified/xsoar_config.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Packs/soc-optimization-unified/xsoar_config.json b/Packs/soc-optimization-unified/xsoar_config.json index a95bc0e..eae2aaa 100644 --- a/Packs/soc-optimization-unified/xsoar_config.json +++ b/Packs/soc-optimization-unified/xsoar_config.json @@ -13,7 +13,7 @@ }, { "id": "soc-common-playbooks-unified.zip", - "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-common-playbooks-unified-v2.7.52/soc-common-playbooks-unified-v2.7.52.zip", + "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-common-playbooks-unified-v2.7.53/soc-common-playbooks-unified-v2.7.5", "system": "yes" } ], From 1b26114d9b8508ea0a19d2bcdc7a1863cb52a197 Mon Sep 17 00:00:00 2001 From: Scott Brumley Date: Fri, 30 Jan 2026 16:08:49 -0500 Subject: [PATCH 47/49] - Bump Version - Bump Catalog - Testing --- Packs/soc-optimization-unified/pack_metadata.json | 2 +- Packs/soc-optimization-unified/xsoar_config.json | 2 +- pack_catalog.json | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Packs/soc-optimization-unified/pack_metadata.json b/Packs/soc-optimization-unified/pack_metadata.json index 4a76c3e..ba2928b 100644 --- a/Packs/soc-optimization-unified/pack_metadata.json +++ b/Packs/soc-optimization-unified/pack_metadata.json @@ -3,7 +3,7 @@ "id": "soc-optimization-unified", "description": "This contents the content used to leverage processes that the Palo SOC uses including: Playbooks, integrations, layouts, etc.", "support": "xsoar", - "currentVersion": "3.0.19", + "currentVersion": "3.0.20", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/soc-optimization-unified/xsoar_config.json b/Packs/soc-optimization-unified/xsoar_config.json index eae2aaa..3768181 100644 --- a/Packs/soc-optimization-unified/xsoar_config.json +++ b/Packs/soc-optimization-unified/xsoar_config.json @@ -8,7 +8,7 @@ "custom_packs": [ { "id": "soc-optimization-unified.zip", - "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-optimization-unified-v3.0.19/soc-optimization-unified-v3.0.19.zip", + "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-optimization-unified-v3.0.20/soc-optimization-unified-v3.0.20.zip", "system": "yes" }, { diff --git a/pack_catalog.json b/pack_catalog.json index 9b9fa39..d8025da 100644 --- a/pack_catalog.json +++ b/pack_catalog.json @@ -59,7 +59,7 @@ { "id": "soc-optimization-unified", "display_name": "SOC Framework Unified", - "version": "3.0.19", + "version": "3.0.20", "path": "Packs/soc-optimization-unified", "visible": true, "xsoar_config": "https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/Packs/soc-optimization-unified/xsoar_config.json" From 54a17935db4c6443df33d7b26eb04427126e6cc1 Mon Sep 17 00:00:00 2001 From: Scott Brumley Date: Fri, 30 Jan 2026 16:25:07 -0500 Subject: [PATCH 48/49] - Bump Version - Bump Catalog - Fixed SOC Common Unified Zip link - Updated Documentation --- Packs/soc-optimization-unified/README.md | 12 ++++++------ Packs/soc-optimization-unified/pack_metadata.json | 2 +- Packs/soc-optimization-unified/xsoar_config.json | 4 ++-- pack_catalog.json | 2 +- 4 files changed, 10 insertions(+), 10 deletions(-) diff --git a/Packs/soc-optimization-unified/README.md b/Packs/soc-optimization-unified/README.md index de41c69..14cb7f0 100644 --- a/Packs/soc-optimization-unified/README.md +++ b/Packs/soc-optimization-unified/README.md @@ -11,13 +11,13 @@ This repository outlines a scalable SOC optimization approach tailored for Palo --- ## 1. Enable Auto Triage -1. Read πŸ‘‰ [Auto-Triage Usage](../../Documentation/Auto_Triage.md) To Understand How it Closes Cases +1. Read πŸ‘‰ [Auto-Triage Usage](https://github.com/Palo-Cortex/soc-optimization/blob/main/Documentation/Documentation/Auto_Triage.md) To Understand How it Closes Cases 2. Investigation & Response β†’ Automation β†’ Jobs 3. Check Auto Triage 4. Click Enable Button -![Auto_Triage_Enable.png](../../docs/soc-optimization/Auto_Triage_Enable.png) +![Auto_Triage_Enable.png](https://github.com/Palo-Cortex/soc-optimization/tree/main/images/Auto_Triage_Enable.png) --- ## 2. Configure Automation Rules @@ -26,7 +26,7 @@ This repository outlines a scalable SOC optimization approach tailored for Palo πŸ‘‰ [Learn more about Entry Point playbooks](https://github.com/Palo-Cortex/soc-optimization/blob/main/Documentation/EntryPoints.md) -![Default_Automation_Rules.png](../../docs/soc-optimization/Default_Automation_Rules.png) +![Default_Automation_Rules.png](https://github.com/Palo-Cortex/soc-optimization/tree/main/images/Default_Automation_Rules.png) - **EP_IR_NIST(800-61)** is the *Incident Response Catch-All*. - You can create more specific rules above this (e.g., Phishing based on MITRE Technique T1566). @@ -39,13 +39,13 @@ This repository outlines a scalable SOC optimization approach tailored for Palo - `Severity >= Medium` - `Has MITRE Tactic` -![Starring_NIST_IR.png](../../docs/soc-optimization/Starring_NIST_IR.png) +![Starring_NIST_IR.png](https://github.com/Palo-Cortex/soc-optimization/tree/main/images/Starring_NIST_IR.png) ## 4. XSIAM SOC Value Metric Dashboard ** Real-time metrics from PoV into production ** 1. Dashboards & Reports β†’ Dashboard β†’ XSIAM SOC Value Metrics 2. Select 7 Days (More realistic for SOC reporting) -![Value_Metrics.png](../../docs/soc-optimization/Value_Metrics.png) +![Value_Metrics.png](https://github.com/Palo-Cortex/soc-optimization/tree/main/images/Value_Metrics.png) *Tips:* - Alerts must fire playbooks and playbook tasks must run before this dash works. @@ -61,7 +61,7 @@ This repository outlines a scalable SOC optimization approach tailored for Palo - Incidents that are not marked with a star are automatically triaged using `JOB_-_Triage_Incidents.yml`. - Ensures that high-volume, low-risk alerts are handled without manual intervention. -πŸ‘‰ [Auto-Triage Usage](../../docs/soc-optimization/Auto_Triage.md) β€” Automatically closes non-priority incidents to reduce alert fatigue. +πŸ‘‰ [Auto-Triage Usage](https://github.com/Palo-Cortex/soc-optimization/tree/main/images/Auto_Triage.md) β€” Automatically closes non-priority incidents to reduce alert fatigue. ### 2. **Modular Playbooking with the `Upon Trigger`** - The `Upon Trigger` playbook is the engine of modular decision-making. diff --git a/Packs/soc-optimization-unified/pack_metadata.json b/Packs/soc-optimization-unified/pack_metadata.json index ba2928b..98a721b 100644 --- a/Packs/soc-optimization-unified/pack_metadata.json +++ b/Packs/soc-optimization-unified/pack_metadata.json @@ -3,7 +3,7 @@ "id": "soc-optimization-unified", "description": "This contents the content used to leverage processes that the Palo SOC uses including: Playbooks, integrations, layouts, etc.", "support": "xsoar", - "currentVersion": "3.0.20", + "currentVersion": "3.0.21", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/soc-optimization-unified/xsoar_config.json b/Packs/soc-optimization-unified/xsoar_config.json index 3768181..e7fa0b9 100644 --- a/Packs/soc-optimization-unified/xsoar_config.json +++ b/Packs/soc-optimization-unified/xsoar_config.json @@ -8,12 +8,12 @@ "custom_packs": [ { "id": "soc-optimization-unified.zip", - "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-optimization-unified-v3.0.20/soc-optimization-unified-v3.0.20.zip", + "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-optimization-unified-v3.0.21/soc-optimization-unified-v3.0.21.zip", "system": "yes" }, { "id": "soc-common-playbooks-unified.zip", - "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-common-playbooks-unified-v2.7.53/soc-common-playbooks-unified-v2.7.5", + "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-common-playbooks-unified-v2.7.53/soc-common-playbooks-unified-v2.7.53.zip", "system": "yes" } ], diff --git a/pack_catalog.json b/pack_catalog.json index d8025da..2afd593 100644 --- a/pack_catalog.json +++ b/pack_catalog.json @@ -59,7 +59,7 @@ { "id": "soc-optimization-unified", "display_name": "SOC Framework Unified", - "version": "3.0.20", + "version": "3.0.21", "path": "Packs/soc-optimization-unified", "visible": true, "xsoar_config": "https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/Packs/soc-optimization-unified/xsoar_config.json" From 6fd1b6f1663d497ddec31416c696e3c045440c72 Mon Sep 17 00:00:00 2001 From: Scott Brumley Date: Fri, 30 Jan 2026 18:43:42 -0500 Subject: [PATCH 49/49] - Bump Version - Bump Catalog - Update Zip Format for CrowdStrike --- Packs/soc-crowdstrike-falcon/pack_metadata.json | 2 +- Packs/soc-crowdstrike-falcon/xsoar_config.json | 2 +- pack_catalog.json | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Packs/soc-crowdstrike-falcon/pack_metadata.json b/Packs/soc-crowdstrike-falcon/pack_metadata.json index 2b5aca8..148ba43 100644 --- a/Packs/soc-crowdstrike-falcon/pack_metadata.json +++ b/Packs/soc-crowdstrike-falcon/pack_metadata.json @@ -3,7 +3,7 @@ "id": "soc-crowdstrike-falcon", "description": "This contains the content for XSIAM CrowdStrike Falcon. This includes layouts, playbooks and incident fields", "support": "xsoar", - "currentVersion": "1.0.36", + "currentVersion": "1.0.37", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/soc-crowdstrike-falcon/xsoar_config.json b/Packs/soc-crowdstrike-falcon/xsoar_config.json index 99b42cf..2e482e7 100644 --- a/Packs/soc-crowdstrike-falcon/xsoar_config.json +++ b/Packs/soc-crowdstrike-falcon/xsoar_config.json @@ -2,7 +2,7 @@ "custom_packs": [ { "id": "soc-crowdstrike-falcon.zip", - "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-crowdstrike-falcon-v1.0.36/soc-crowdstrike-falcon-v1.0.36.zip", + "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-crowdstrike-falcon-v1.0.37/soc-crowdstrike-falcon-v1.0.37.zip", "system": "yes" } ], diff --git a/pack_catalog.json b/pack_catalog.json index 2afd593..c70046b 100644 --- a/pack_catalog.json +++ b/pack_catalog.json @@ -19,7 +19,7 @@ { "id": "soc-crowdstrike-falcon", "display_name": "SOC CrowdStrike Falcon Integration Enhancement for Cortex XSIAM", - "version": "1.0.36", + "version": "1.0.37", "path": "Packs/soc-crowdstrike-falcon", "visible": true, "xsoar_config": "https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/Packs/soc-crowdstrike-falcon/xsoar_config.json"